3.10-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 29 Jul 2014 05:06:36 +0000 (22:06 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 29 Jul 2014 05:06:36 +0000 (22:06 -0700)
added patches:
ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch
blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch
coredump-fix-the-setting-of-pf_dumpcore.patch
hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch
input-fix-defuzzing-logic.patch
parisc-remove-sa_restorer-define.patch
slab_common-do-not-check-for-duplicate-slab-names.patch
slab_common-fix-the-check-for-duplicate-slab-names.patch
tracing-fix-wraparound-problems-in-uptime-trace-clock.patch
x86_32-entry-store-badsys-error-code-in-eax.patch

queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch [new file with mode: 0644]
queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch [new file with mode: 0644]
queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch [new file with mode: 0644]
queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch [new file with mode: 0644]
queue-3.10/input-fix-defuzzing-logic.patch [new file with mode: 0644]
queue-3.10/parisc-remove-sa_restorer-define.patch [new file with mode: 0644]
queue-3.10/series
queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch [new file with mode: 0644]
queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch [new file with mode: 0644]
queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch [new file with mode: 0644]
queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch [new file with mode: 0644]

diff --git a/queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch b/queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch
new file mode 100644 (file)
index 0000000..d51d8a8
--- /dev/null
@@ -0,0 +1,35 @@
+From b32bfc06aefab61acc872dec3222624e6cd867ed Mon Sep 17 00:00:00 2001
+From: Romain Degez <romain.degez@gmail.com>
+Date: Fri, 11 Jul 2014 18:08:13 +0200
+Subject: ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode)
+
+From: Romain Degez <romain.degez@gmail.com>
+
+commit b32bfc06aefab61acc872dec3222624e6cd867ed upstream.
+
+Add support of the Promise FastTrak TX8660 SATA HBA in ahci mode by
+registering the board in the ahci_pci_tbl[].
+
+Note: this HBA also provide a hardware RAID mode when activated in
+BIOS but specific drivers from the manufacturer are required in this
+case.
+
+Signed-off-by: Romain Degez <romain.degez@gmail.com>
+Tested-by: Romain Degez <romain.degez@gmail.com>
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/ata/ahci.c |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/ata/ahci.c
++++ b/drivers/ata/ahci.c
+@@ -455,6 +455,7 @@ static const struct pci_device_id ahci_p
+       /* Promise */
+       { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci },   /* PDC42819 */
++      { PCI_VDEVICE(PROMISE, 0x3781), board_ahci },   /* FastTrak TX8660 ahci-mode */
+       /* Asmedia */
+       { PCI_VDEVICE(ASMEDIA, 0x0601), board_ahci },   /* ASM1060 */
diff --git a/queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch b/queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch
new file mode 100644 (file)
index 0000000..8f0b691
--- /dev/null
@@ -0,0 +1,102 @@
+From 0b462c89e31f7eb6789713437eb551833ee16ff3 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Sat, 5 Jul 2014 18:43:21 -0400
+Subject: blkcg: don't call into policy draining if root_blkg is already gone
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 0b462c89e31f7eb6789713437eb551833ee16ff3 upstream.
+
+While a queue is being destroyed, all the blkgs are destroyed and its
+->root_blkg pointer is set to NULL.  If someone else starts to drain
+while the queue is in this state, the following oops happens.
+
+  NULL pointer dereference at 0000000000000028
+  IP: [<ffffffff8144e944>] blk_throtl_drain+0x84/0x230
+  PGD e4a1067 PUD b773067 PMD 0
+  Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC
+  Modules linked in: cfq_iosched(-) [last unloaded: cfq_iosched]
+  CPU: 1 PID: 537 Comm: bash Not tainted 3.16.0-rc3-work+ #2
+  Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+  task: ffff88000e222250 ti: ffff88000efd4000 task.ti: ffff88000efd4000
+  RIP: 0010:[<ffffffff8144e944>]  [<ffffffff8144e944>] blk_throtl_drain+0x84/0x230
+  RSP: 0018:ffff88000efd7bf0  EFLAGS: 00010046
+  RAX: 0000000000000000 RBX: ffff880015091450 RCX: 0000000000000001
+  RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
+  RBP: ffff88000efd7c10 R08: 0000000000000000 R09: 0000000000000001
+  R10: ffff88000e222250 R11: 0000000000000000 R12: ffff880015091450
+  R13: ffff880015092e00 R14: ffff880015091d70 R15: ffff88001508fc28
+  FS:  00007f1332650740(0000) GS:ffff88001fa80000(0000) knlGS:0000000000000000
+  CS:  0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+  CR2: 0000000000000028 CR3: 0000000009446000 CR4: 00000000000006e0
+  Stack:
+   ffffffff8144e8f6 ffff880015091450 0000000000000000 ffff880015091d80
+   ffff88000efd7c28 ffffffff8144ae2f ffff880015091450 ffff88000efd7c58
+   ffffffff81427641 ffff880015091450 ffffffff82401f00 ffff880015091450
+  Call Trace:
+   [<ffffffff8144ae2f>] blkcg_drain_queue+0x1f/0x60
+   [<ffffffff81427641>] __blk_drain_queue+0x71/0x180
+   [<ffffffff81429b3e>] blk_queue_bypass_start+0x6e/0xb0
+   [<ffffffff814498b8>] blkcg_deactivate_policy+0x38/0x120
+   [<ffffffff8144ec44>] blk_throtl_exit+0x34/0x50
+   [<ffffffff8144aea5>] blkcg_exit_queue+0x35/0x40
+   [<ffffffff8142d476>] blk_release_queue+0x26/0xd0
+   [<ffffffff81454968>] kobject_cleanup+0x38/0x70
+   [<ffffffff81454848>] kobject_put+0x28/0x60
+   [<ffffffff81427505>] blk_put_queue+0x15/0x20
+   [<ffffffff817d07bb>] scsi_device_dev_release_usercontext+0x16b/0x1c0
+   [<ffffffff810bc339>] execute_in_process_context+0x89/0xa0
+   [<ffffffff817d064c>] scsi_device_dev_release+0x1c/0x20
+   [<ffffffff817930e2>] device_release+0x32/0xa0
+   [<ffffffff81454968>] kobject_cleanup+0x38/0x70
+   [<ffffffff81454848>] kobject_put+0x28/0x60
+   [<ffffffff817934d7>] put_device+0x17/0x20
+   [<ffffffff817d11b9>] __scsi_remove_device+0xa9/0xe0
+   [<ffffffff817d121b>] scsi_remove_device+0x2b/0x40
+   [<ffffffff817d1257>] sdev_store_delete+0x27/0x30
+   [<ffffffff81792ca8>] dev_attr_store+0x18/0x30
+   [<ffffffff8126f75e>] sysfs_kf_write+0x3e/0x50
+   [<ffffffff8126ea87>] kernfs_fop_write+0xe7/0x170
+   [<ffffffff811f5e9f>] vfs_write+0xaf/0x1d0
+   [<ffffffff811f69bd>] SyS_write+0x4d/0xc0
+   [<ffffffff81d24692>] system_call_fastpath+0x16/0x1b
+
+776687bce42b ("block, blk-mq: draining can't be skipped even if
+bypass_depth was non-zero") made it easier to trigger this bug by
+making blk_queue_bypass_start() drain even when it loses the first
+bypass test to blk_cleanup_queue(); however, the bug has always been
+there even before the commit as blk_queue_bypass_start() could race
+against queue destruction, win the initial bypass test but perform the
+actual draining after blk_cleanup_queue() already destroyed all blkgs.
+
+Fix it by skippping calling into policy draining if all the blkgs are
+already gone.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Reported-by: Shirish Pargaonkar <spargaonkar@suse.com>
+Reported-by: Sasha Levin <sasha.levin@oracle.com>
+Reported-by: Jet Chen <jet.chen@intel.com>
+Tested-by: Shirish Pargaonkar <spargaonkar@suse.com>
+Signed-off-by: Jens Axboe <axboe@fb.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ block/blk-cgroup.c |    7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/block/blk-cgroup.c
++++ b/block/blk-cgroup.c
+@@ -876,6 +876,13 @@ void blkcg_drain_queue(struct request_qu
+ {
+       lockdep_assert_held(q->queue_lock);
++      /*
++       * @q could be exiting and already have destroyed all blkgs as
++       * indicated by NULL root_blkg.  If so, don't confuse policies.
++       */
++      if (!q->root_blkg)
++              return;
++
+       blk_throtl_drain(q);
+ }
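Review bot: The new `if (!q->root_blkg) return;` in blkcg_drain_queue() is only a stable test if ->root_blkg is cleared under the same q->queue_lock that `lockdep_assert_held()` checks just above, and the added comment does not say so. The clearing site is not in this hunk, so I am assuming that is the case; if it is, one more comment line such as `* Safe to test here because queue_lock is held.` would record the dependency. The guard also covers only callers that go through blkcg_drain_queue(); the trace in the description reaches blk_throtl_drain() this way, and other entry points are not visible here.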
diff --git a/queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch b/queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch
new file mode 100644 (file)
index 0000000..1ba16e0
--- /dev/null
@@ -0,0 +1,38 @@
+From aed8adb7688d5744cb484226820163af31d2499a Mon Sep 17 00:00:00 2001
+From: Silesh C V <svellattu@mvista.com>
+Date: Wed, 23 Jul 2014 13:59:59 -0700
+Subject: coredump: fix the setting of PF_DUMPCORE
+
+From: Silesh C V <svellattu@mvista.com>
+
+commit aed8adb7688d5744cb484226820163af31d2499a upstream.
+
+Commit 079148b919d0 ("coredump: factor out the setting of PF_DUMPCORE")
+cleaned up the setting of PF_DUMPCORE by removing it from all the
+linux_binfmt->core_dump() and moving it to zap_threads().But this ended
+up clearing all the previously set flags.  This causes issues during
+core generation when tsk->flags is checked again (eg.  for PF_USED_MATH
+to dump floating point registers).  Fix this.
+
+Signed-off-by: Silesh C V <svellattu@mvista.com>
+Acked-by: Oleg Nesterov <oleg@redhat.com>
+Cc: Mandeep Singh Baines <msb@chromium.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/coredump.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/coredump.c
++++ b/fs/coredump.c
+@@ -299,7 +299,7 @@ static int zap_threads(struct task_struc
+       if (unlikely(nr < 0))
+               return nr;
+-      tsk->flags = PF_DUMPCORE;
++      tsk->flags |= PF_DUMPCORE;
+       if (atomic_read(&mm->mm_users) == nr + 1)
+               goto done;
+       /*
diff --git a/queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch b/queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch
new file mode 100644 (file)
index 0000000..de1cec2
--- /dev/null
@@ -0,0 +1,46 @@
+From 043572d5444116b9d9ad8ae763cf069e7accbc30 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck <linux@roeck-us.net>
+Date: Fri, 18 Jul 2014 07:31:18 -0700
+Subject: hwmon: (smsc47m192) Fix temperature limit and vrm write operations
+
+From: Guenter Roeck <linux@roeck-us.net>
+
+commit 043572d5444116b9d9ad8ae763cf069e7accbc30 upstream.
+
+Temperature limit clamps are applied after converting the temperature
+from milli-degrees C to degrees C, so either the clamp limit needs
+to be specified in degrees C, not milli-degrees C, or clamping must
+happen before converting to degrees C. Use the latter method to avoid
+overflows.
+
+vrm is an u8, so the written value needs to be limited to [0, 255].
+
+Cc: Axel Lin <axel.lin@ingics.com>
+Signed-off-by: Guenter Roeck <linux@roeck-us.net>
+Reviewed-by: Jean Delvare <jdelvare@suse.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/hwmon/smsc47m192.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/hwmon/smsc47m192.c
++++ b/drivers/hwmon/smsc47m192.c
+@@ -86,7 +86,7 @@ static inline u8 IN_TO_REG(unsigned long
+  */
+ static inline s8 TEMP_TO_REG(int val)
+ {
+-      return clamp_val(SCALE(val, 1, 1000), -128000, 127000);
++      return SCALE(clamp_val(val, -128000, 127000), 1, 1000);
+ }
+ static inline int TEMP_FROM_REG(s8 val)
+@@ -384,6 +384,8 @@ static ssize_t set_vrm(struct device *de
+       err = kstrtoul(buf, 10, &val);
+       if (err)
+               return err;
++      if (val > 255)
++              return -EINVAL;
+       data->vrm = val;
+       return count;
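Review bot: In TEMP_TO_REG() the clamp now runs before SCALE, but how negative inputs round still depends on SCALE, which is defined outside this hunk. If that macro adds half the divisor before a truncating integer division, an input of -128000 would not map to -128, so the lower limit is worth checking against the macro definition. In set_vrm() out-of-range input is rejected with -EINVAL while the temperature path clamps silently; a comment above `if (val > 255)` such as `/* vrm is a u8: reject instead of truncating */` would record why the two differ. set_vrm() starts and ends outside the hunk.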
diff --git a/queue-3.10/input-fix-defuzzing-logic.patch b/queue-3.10/input-fix-defuzzing-logic.patch
new file mode 100644 (file)
index 0000000..cbe2a20
--- /dev/null
@@ -0,0 +1,56 @@
+From 50c5d36dab930b1f1b1e3348b8608aa8b9ee7610 Mon Sep 17 00:00:00 2001
+From: Dmitry Torokhov <dtor@chromium.org>
+Date: Sat, 19 Jul 2014 16:30:31 -0700
+Subject: Input: fix defuzzing logic
+
+From: Dmitry Torokhov <dtor@chromium.org>
+
+commit 50c5d36dab930b1f1b1e3348b8608aa8b9ee7610 upstream.
+
+We attempt to remove noise from coordinates reported by devices in
+input_handle_abs_event(), unfortunately, unless we were dropping the
+event altogether, we were ignoring the adjusted value and were passing
+on the original value instead.
+
+Reviewed-by: Andrew de los Reyes <adlr@chromium.org>
+Reviewed-by: Benson Leung <bleung@chromium.org>
+Reviewed-by: David Herrmann <dh.herrmann@gmail.com>
+Reviewed-by: Henrik Rydberg <rydberg@euromail.se>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/input.c |    6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/input/input.c
++++ b/drivers/input/input.c
+@@ -257,9 +257,10 @@ static int input_handle_abs_event(struct
+ }
+ static int input_get_disposition(struct input_dev *dev,
+-                        unsigned int type, unsigned int code, int value)
++                        unsigned int type, unsigned int code, int *pval)
+ {
+       int disposition = INPUT_IGNORE_EVENT;
++      int value = *pval;
+       switch (type) {
+@@ -357,6 +358,7 @@ static int input_get_disposition(struct
+               break;
+       }
++      *pval = value;
+       return disposition;
+ }
+@@ -365,7 +367,7 @@ static void input_handle_event(struct in
+ {
+       int disposition;
+-      disposition = input_get_disposition(dev, type, code, value);
++      disposition = input_get_disposition(dev, type, code, &value);
+       if ((disposition & INPUT_PASS_TO_DEVICE) && dev->event)
+               dev->event(dev, type, code, value);
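Review bot: input_get_disposition() now treats its last argument as an in/out parameter, but nothing at the signature says so, and the write-back `*pval = value;` runs on every path that reaches the final return, including ones that yield INPUT_IGNORE_EVENT. A short comment above the function, for example `/* *pval is updated in place when the event value is adjusted (e.g. defuzzed) */`, would make the contract visible to the next reader. The function body between the first two hunks is not shown, so whether any early return bypasses the write-back cannot be confirmed from here.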
diff --git a/queue-3.10/parisc-remove-sa_restorer-define.patch b/queue-3.10/parisc-remove-sa_restorer-define.patch
new file mode 100644 (file)
index 0000000..85bd22b
--- /dev/null
@@ -0,0 +1,32 @@
+From 20dbea494543aefaace874cc3ec93a39b94b1ec4 Mon Sep 17 00:00:00 2001
+From: John David Anglin <dave.anglin@bell.net>
+Date: Wed, 23 Jul 2014 19:44:12 -0400
+Subject: parisc: Remove SA_RESTORER define
+
+From: John David Anglin <dave.anglin@bell.net>
+
+commit 20dbea494543aefaace874cc3ec93a39b94b1ec4 upstream.
+
+The sa_restorer field in struct sigaction is obsolete and no longer in
+the parisc implementation.  However, the core code assumes the field is
+present if SA_RESTORER is defined. So, the define needs to be removed.
+
+Signed-off-by: John David Anglin <dave.anglin@bell.net>
+Signed-off-by: Helge Deller <deller@gmx.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/parisc/include/uapi/asm/signal.h |    2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/parisc/include/uapi/asm/signal.h
++++ b/arch/parisc/include/uapi/asm/signal.h
+@@ -69,8 +69,6 @@
+ #define SA_NOMASK     SA_NODEFER
+ #define SA_ONESHOT    SA_RESETHAND
+-#define SA_RESTORER   0x04000000 /* obsolete -- ignored */
+-
+ #define MINSIGSTKSZ   2048
+ #define SIGSTKSZ      8192
index f2a817892dc8fbacbb55fbecfa7733837fc02690..ddbe28f9ef0b751802a1fdbf167ae6d3e019e79b 100644 (file)
@@ -5,3 +5,13 @@ block-don-t-assume-last-put-of-shared-tags-is-for-the-host.patch
 libata-support-the-ata-host-which-implements-a-queue-depth-less-than-32.patch
 libata-introduce-ata_host-n_tags-to-avoid-oops-on-sas-controllers.patch
 s390-ptrace-fix-psw-mask-check.patch
+ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch
+blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch
+tracing-fix-wraparound-problems-in-uptime-trace-clock.patch
+slab_common-do-not-check-for-duplicate-slab-names.patch
+slab_common-fix-the-check-for-duplicate-slab-names.patch
+input-fix-defuzzing-logic.patch
+coredump-fix-the-setting-of-pf_dumpcore.patch
+parisc-remove-sa_restorer-define.patch
+hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch
+x86_32-entry-store-badsys-error-code-in-eax.patch
diff --git a/queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch b/queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch
new file mode 100644 (file)
index 0000000..e6a108f
--- /dev/null
@@ -0,0 +1,69 @@
+From 3e374919b314f20e2a04f641ebc1093d758f66a4 Mon Sep 17 00:00:00 2001
+From: Christoph Lameter <cl@linux.com>
+Date: Sat, 21 Sep 2013 21:56:34 +0000
+Subject: slab_common: Do not check for duplicate slab names
+
+From: Christoph Lameter <cl@linux.com>
+
+commit 3e374919b314f20e2a04f641ebc1093d758f66a4 upstream.
+
+SLUB can alias multiple slab kmem_create_requests to one slab cache to save
+memory and increase the cache hotness. As a result the name of the slab can be
+stale. Only check the name for duplicates if we are in debug mode where we do
+not merge multiple caches.
+
+This fixes the following problem reported by Jonathan Brassow:
+
+  The problem with kmem_cache* is this:
+
+  *) Assume CONFIG_SLUB is set
+  1) kmem_cache_create(name="foo-a")
+  - creates new kmem_cache structure
+  2) kmem_cache_create(name="foo-b")
+  - If identical cache characteristics, it will be merged with the previously
+    created cache associated with "foo-a".  The cache's refcount will be
+    incremented and an alias will be created via sysfs_slab_alias().
+  3) kmem_cache_destroy(<ptr>)
+  - Attempting to destroy cache associated with "foo-a", but instead the
+    refcount is simply decremented.  I don't even think the sysfs aliases are
+    ever removed...
+  4) kmem_cache_create(name="foo-a")
+  - This FAILS because kmem_cache_sanity_check colides with the existing
+    name ("foo-a") associated with the non-removed cache.
+
+  This is a problem for RAID (specifically dm-raid) because the name used
+  for the kmem_cache_create is ("raid%d-%p", level, mddev).  If the cache
+  persists for long enough, the memory address of an old mddev will be
+  reused for a new mddev - causing an identical formulation of the cache
+  name.  Even though kmem_cache_destory had long ago been used to delete
+  the old cache, the merging of caches has cause the name and cache of that
+  old instance to be preserved and causes a colision (and thus failure) in
+  kmem_cache_create().  I see this regularly in my testing.
+
+Reported-by: Jonathan Brassow <jbrassow@redhat.com>
+Signed-off-by: Christoph Lameter <cl@linux.com>
+Signed-off-by: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab_common.c |    2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -55,6 +55,7 @@ static int kmem_cache_sanity_check(struc
+                       continue;
+               }
++#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON)
+               /*
+                * For simplicity, we won't check this in the list of memcg
+                * caches. We have control over memcg naming, and if there
+@@ -68,6 +69,7 @@ static int kmem_cache_sanity_check(struc
+                       s = NULL;
+                       return -EINVAL;
+               }
++#endif
+       }
+       WARN_ON(strchr(name, ' '));     /* It confuses parsers */
diff --git a/queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch b/queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch
new file mode 100644 (file)
index 0000000..3a82044
--- /dev/null
@@ -0,0 +1,55 @@
+From 694617474e33b8603fc76e090ed7d09376514b1a Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Tue, 4 Mar 2014 17:13:47 -0500
+Subject: slab_common: fix the check for duplicate slab names
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 694617474e33b8603fc76e090ed7d09376514b1a upstream.
+
+The patch 3e374919b314f20e2a04f641ebc1093d758f66a4 is supposed to fix the
+problem where kmem_cache_create incorrectly reports duplicate cache name
+and fails. The problem is described in the header of that patch.
+
+However, the patch doesn't really fix the problem because of these
+reasons:
+
+* the logic to test for debugging is reversed. It was intended to perform
+  the check only if slub debugging is enabled (which implies that caches
+  with the same parameters are not merged). Therefore, there should be
+  #if !defined(CONFIG_SLUB) || defined(CONFIG_SLUB_DEBUG_ON)
+  The current code has the condition reversed and performs the test if
+  debugging is disabled.
+
+* slub debugging may be enabled or disabled based on kernel command line,
+  CONFIG_SLUB_DEBUG_ON is just the default settings. Therefore the test
+  based on definition of CONFIG_SLUB_DEBUG_ON is unreliable.
+
+This patch fixes the problem by removing the test
+"!defined(CONFIG_SLUB_DEBUG_ON)". Therefore, duplicate names are never
+checked if the SLUB allocator is used.
+
+Note to stable kernel maintainers: when backporint this patch, please
+backport also the patch 3e374919b314f20e2a04f641ebc1093d758f66a4.
+
+Acked-by: David Rientjes <rientjes@google.com>
+Acked-by: Christoph Lameter <cl@linux.com>
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Signed-off-by: Pekka Enberg <penberg@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/slab_common.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/mm/slab_common.c
++++ b/mm/slab_common.c
+@@ -55,7 +55,7 @@ static int kmem_cache_sanity_check(struc
+                       continue;
+               }
+-#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON)
++#if !defined(CONFIG_SLUB)
+               /*
+                * For simplicity, we won't check this in the list of memcg
+                * caches. We have control over memcg naming, and if there
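Review bot: The bare `#if !defined(CONFIG_SLUB)` in kmem_cache_sanity_check() carries no comment, so the reason the duplicate-name check is skipped for SLUB lives only in the commit message. I would add a line above it such as `/* SLUB may merge caches and leave stale alias names, so a duplicate name is not an error there */` and annotate the matching `#endif /* !CONFIG_SLUB */`, which is introduced by slab_common-do-not-check-for-duplicate-slab-names.patch in this same queue. The function starts and ends outside the hunk.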
diff --git a/queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch b/queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch
new file mode 100644 (file)
index 0000000..963da6c
--- /dev/null
@@ -0,0 +1,73 @@
+From 58d4e21e50ff3cc57910a8abc20d7e14375d2f61 Mon Sep 17 00:00:00 2001
+From: Tony Luck <tony.luck@intel.com>
+Date: Fri, 18 Jul 2014 11:43:01 -0700
+Subject: tracing: Fix wraparound problems in "uptime" trace clock
+
+From: Tony Luck <tony.luck@intel.com>
+
+commit 58d4e21e50ff3cc57910a8abc20d7e14375d2f61 upstream.
+
+The "uptime" trace clock added in:
+
+    commit 8aacf017b065a805d27467843490c976835eb4a5
+    tracing: Add "uptime" trace clock that uses jiffies
+
+has wraparound problems when the system has been up more
+than 1 hour 11 minutes and 34 seconds. It converts jiffies
+to nanoseconds using:
+        (u64)jiffies_to_usecs(jiffy) * 1000ULL
+but since jiffies_to_usecs() only returns a 32-bit value, it
+truncates at 2^32 microseconds.  An additional problem on 32-bit
+systems is that the argument is "unsigned long", so fixing the
+return value only helps until 2^32 jiffies (49.7 days on a HZ=1000
+system).
+
+Avoid these problems by using jiffies_64 as our basis, and
+not converting to nanoseconds (we do convert to clock_t because
+user facing API must not be dependent on internal kernel
+HZ values).
+
+Link: http://lkml.kernel.org/p/99d63c5bfe9b320a3b428d773825a37095bf6a51.1405708254.git.tony.luck@intel.com
+
+Fixes: 8aacf017b065 "tracing: Add "uptime" trace clock that uses jiffies"
+Signed-off-by: Tony Luck <tony.luck@intel.com>
+Signed-off-by: Steven Rostedt <rostedt@goodmis.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/trace/trace.c       |    2 +-
+ kernel/trace/trace_clock.c |    9 +++++----
+ 2 files changed, 6 insertions(+), 5 deletions(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -741,7 +741,7 @@ static struct {
+       { trace_clock_local,    "local",        1 },
+       { trace_clock_global,   "global",       1 },
+       { trace_clock_counter,  "counter",      0 },
+-      { trace_clock_jiffies,  "uptime",       1 },
++      { trace_clock_jiffies,  "uptime",       0 },
+       { trace_clock,          "perf",         1 },
+       ARCH_TRACE_CLOCKS
+ };
+--- a/kernel/trace/trace_clock.c
++++ b/kernel/trace/trace_clock.c
+@@ -59,13 +59,14 @@ u64 notrace trace_clock(void)
+ /*
+  * trace_jiffy_clock(): Simply use jiffies as a clock counter.
++ * Note that this use of jiffies_64 is not completely safe on
++ * 32-bit systems. But the window is tiny, and the effect if
++ * we are affected is that we will have an obviously bogus
++ * timestamp on a trace event - i.e. not life threatening.
+  */
+ u64 notrace trace_clock_jiffies(void)
+ {
+-      u64 jiffy = jiffies - INITIAL_JIFFIES;
+-
+-      /* Return nsecs */
+-      return (u64)jiffies_to_usecs(jiffy) * 1000ULL;
++      return jiffies_64_to_clock_t(jiffies_64 - INITIAL_JIFFIES);
+ }
+ /*
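Review bot: The new comment in trace_clock_jiffies() admits that the plain read of jiffies_64 is not completely safe on 32-bit, but it does not say why the locked accessor get_jiffies_64() is not used instead. If the reason is that this clock can be read from contexts where retrying on the jiffies seqlock is unsafe (my inference; the hunk does not show it), one more comment line would say so, e.g. `* get_jiffies_64() is avoided because it spins on the jiffies seqlock.` In trace.c the "uptime" row flips its third field from 1 to 0 and that field's meaning is not visible in the hunk; it is worth confirming that it matches the switch from nanoseconds to clock_t units.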
diff --git a/queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch b/queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch
new file mode 100644 (file)
index 0000000..16958c2
--- /dev/null
@@ -0,0 +1,89 @@
+From 8142b215501f8b291a108a202b3a053a265b03dd Mon Sep 17 00:00:00 2001
+From: Sven Wegener <sven.wegener@stealer.net>
+Date: Tue, 22 Jul 2014 10:26:06 +0200
+Subject: x86_32, entry: Store badsys error code in %eax
+
+From: Sven Wegener <sven.wegener@stealer.net>
+
+commit 8142b215501f8b291a108a202b3a053a265b03dd upstream.
+
+Commit 554086d ("x86_32, entry: Do syscall exit work on badsys
+(CVE-2014-4508)") introduced a regression in the x86_32 syscall entry
+code, resulting in syscall() not returning proper errors for undefined
+syscalls on CPUs supporting the sysenter feature.
+
+The following code:
+
+> int result = syscall(666);
+> printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno));
+
+results in:
+
+> result=666 errno=0 error=Success
+
+Obviously, the syscall return value is the called syscall number, but it
+should have been an ENOSYS error. When run under ptrace it behaves
+correctly, which makes it hard to debug in the wild:
+
+> result=-1 errno=38 error=Function not implemented
+
+The %eax register is the return value register. For debugging via ptrace
+the syscall entry code stores the complete register context on the
+stack. The badsys handlers only store the ENOSYS error code in the
+ptrace register set and do not set %eax like a regular syscall handler
+would. The old resume_userspace call chain contains code that clobbers
+%eax and it restores %eax from the ptrace registers afterwards. The same
+goes for the ptrace-enabled call chain. When ptrace is not used, the
+syscall return value is the passed-in syscall number from the untouched
+%eax register.
+
+Use %eax as the return value register in syscall_badsys and
+sysenter_badsys, like a real syscall handler does, and have the caller
+push the value onto the stack for ptrace access.
+
+Signed-off-by: Sven Wegener <sven.wegener@stealer.net>
+Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net
+Reviewed-and-tested-by: Andy Lutomirski <luto@amacapital.net>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/entry_32.S |    9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/arch/x86/kernel/entry_32.S
++++ b/arch/x86/kernel/entry_32.S
+@@ -436,8 +436,8 @@ sysenter_do_call:
+       cmpl $(NR_syscalls), %eax
+       jae sysenter_badsys
+       call *sys_call_table(,%eax,4)
+-      movl %eax,PT_EAX(%esp)
+ sysenter_after_call:
++      movl %eax,PT_EAX(%esp)
+       LOCKDEP_SYS_EXIT
+       DISABLE_INTERRUPTS(CLBR_ANY)
+       TRACE_IRQS_OFF
+@@ -517,6 +517,7 @@ ENTRY(system_call)
+       jae syscall_badsys
+ syscall_call:
+       call *sys_call_table(,%eax,4)
++syscall_after_call:
+       movl %eax,PT_EAX(%esp)          # store the return value
+ syscall_exit:
+       LOCKDEP_SYS_EXIT
+@@ -686,12 +687,12 @@ syscall_fault:
+ END(syscall_fault)
+ syscall_badsys:
+-      movl $-ENOSYS,PT_EAX(%esp)
+-      jmp syscall_exit
++      movl $-ENOSYS,%eax
++      jmp syscall_after_call
+ END(syscall_badsys)
+ sysenter_badsys:
+-      movl $-ENOSYS,PT_EAX(%esp)
++      movl $-ENOSYS,%eax
+       jmp sysenter_after_call
+ END(syscall_badsys)
+       CFI_ENDPROC
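Review bot: The sysenter_badsys block is still closed with `END(syscall_badsys)`, so syscall_badsys gets two END annotations and sysenter_badsys none; since this patch edits the block, the closing line should read `END(sysenter_badsys)`. Separately, `sysenter_after_call:` now sits before the `movl %eax,PT_EAX(%esp)` store just as the new `syscall_after_call:` does, which is what lets the badsys paths reach the ptrace register set. Only the system_call side carries the `# store the return value` comment, so repeating it on the sysenter store would keep the two paths readable alike.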