]> git.ipfire.org Git - thirdparty/kernel/stable-queue.git/commitdiff
fixes for 4.14
authorSasha Levin <sashal@kernel.org>
Thu, 27 Feb 2020 03:38:57 +0000 (22:38 -0500)
committerSasha Levin <sashal@kernel.org>
Thu, 27 Feb 2020 03:38:57 +0000 (22:38 -0500)
Signed-off-by: Sasha Levin <sashal@kernel.org>
queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch [new file with mode: 0644]
queue-4.14/lib-stackdepot-fix-outdated-comments.patch [new file with mode: 0644]
queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch [new file with mode: 0644]
queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch [new file with mode: 0644]
queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch [new file with mode: 0644]
queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch [new file with mode: 0644]
queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch [new file with mode: 0644]
queue-4.14/series
queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch [new file with mode: 0644]
queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch [new file with mode: 0644]

diff --git a/queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch b/queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
new file mode 100644 (file)
index 0000000..1bc7b7f
--- /dev/null
@@ -0,0 +1,38 @@
+From d788db432b2cf3fc5703b47465260ae29a14823f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 4 Feb 2020 15:26:29 -0800
+Subject: KVM: nVMX: Don't emulate instructions in guest mode
+
+From: Paolo Bonzini <pbonzini@redhat.com>
+
+[ Upstream commit 07721feee46b4b248402133228235318199b05ec ]
+
+vmx_check_intercept is not yet fully implemented. To avoid emulating
+instructions disallowed by the L1 hypervisor, refuse to emulate
+instructions by default.
+
+Cc: stable@vger.kernel.org
+[Made commit, added commit msg - Oliver]
+Signed-off-by: Oliver Upton <oupton@google.com>
+Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/x86/kvm/vmx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c
+index a116548a4ade1..fc00fbffcd7fc 100644
+--- a/arch/x86/kvm/vmx.c
++++ b/arch/x86/kvm/vmx.c
+@@ -12325,7 +12325,7 @@ static int vmx_check_intercept(struct kvm_vcpu *vcpu,
+                              struct x86_instruction_info *info,
+                              enum x86_intercept_stage stage)
+ {
+-      return X86EMUL_CONTINUE;
++      return X86EMUL_UNHANDLEABLE;
+ }
+ #ifdef CONFIG_X86_64
+-- 
+2.20.1
+
diff --git a/queue-4.14/lib-stackdepot-fix-outdated-comments.patch b/queue-4.14/lib-stackdepot-fix-outdated-comments.patch
new file mode 100644 (file)
index 0000000..560087f
--- /dev/null
@@ -0,0 +1,47 @@
+From 6c62f4f91e1c58c72add0647e08d3420391ba8b8 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 15 Aug 2019 19:32:46 +0800
+Subject: lib/stackdepot: Fix outdated comments
+
+From: Miles Chen <miles.chen@mediatek.com>
+
+[ Upstream commit ee050dc83bc326ad5ef8ee93bca344819371e7a5 ]
+
+Replace "depot_save_stack" with "stack_depot_save" in code comments because
+depot_save_stack() was replaced in commit c0cfc337264c ("lib/stackdepot:
+Provide functions which operate on plain storage arrays") and removed in
+commit 56d8f079c51a ("lib/stackdepot: Remove obsolete functions")
+
+Signed-off-by: Miles Chen <miles.chen@mediatek.com>
+Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
+Link: https://lkml.kernel.org/r/20190815113246.18478-1-miles.chen@mediatek.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index f87d138e96724..1724cb0d6283f 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -96,7 +96,7 @@ static bool init_stack_slab(void **prealloc)
+               stack_slabs[depot_index + 1] = *prealloc;
+               /*
+                * This smp_store_release pairs with smp_load_acquire() from
+-               * |next_slab_inited| above and in depot_save_stack().
++               * |next_slab_inited| above and in stack_depot_save().
+                */
+               smp_store_release(&next_slab_inited, 1);
+       }
+@@ -123,7 +123,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size,
+               depot_offset = 0;
+               /*
+                * smp_store_release() here pairs with smp_load_acquire() from
+-               * |next_slab_inited| in depot_save_stack() and
++               * |next_slab_inited| in stack_depot_save() and
+                * init_stack_slab().
+                */
+               if (depot_index + 1 < STACK_ALLOC_MAX_SLABS)
+-- 
+2.20.1
+
diff --git a/queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch b/queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch
new file mode 100644 (file)
index 0000000..8970d40
--- /dev/null
@@ -0,0 +1,62 @@
+From 7f151b9e5786194ee9e38b9456d72d09ec9da481 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 20 Feb 2020 20:04:30 -0800
+Subject: lib/stackdepot.c: fix global out-of-bounds in stack_slabs
+
+From: Alexander Potapenko <glider@google.com>
+
+[ Upstream commit 305e519ce48e935702c32241f07d393c3c8fed3e ]
+
+Walter Wu has reported a potential case in which init_stack_slab() is
+called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been
+initialized.  In that case init_stack_slab() will overwrite
+stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory
+corruption.
+
+Link: http://lkml.kernel.org/r/20200218102950.260263-1-glider@google.com
+Fixes: cd11016e5f521 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB")
+Signed-off-by: Alexander Potapenko <glider@google.com>
+Reported-by: Walter Wu <walter-zh.wu@mediatek.com>
+Cc: Dmitry Vyukov <dvyukov@google.com>
+Cc: Matthias Brugger <matthias.bgg@gmail.com>
+Cc: Thomas Gleixner <tglx@linutronix.de>
+Cc: Josh Poimboeuf <jpoimboe@redhat.com>
+Cc: Kate Stewart <kstewart@linuxfoundation.org>
+Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Cc: <stable@vger.kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ lib/stackdepot.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/lib/stackdepot.c b/lib/stackdepot.c
+index 1724cb0d6283f..54fe55b6bbc0a 100644
+--- a/lib/stackdepot.c
++++ b/lib/stackdepot.c
+@@ -92,15 +92,19 @@ static bool init_stack_slab(void **prealloc)
+               return true;
+       if (stack_slabs[depot_index] == NULL) {
+               stack_slabs[depot_index] = *prealloc;
++              *prealloc = NULL;
+       } else {
+-              stack_slabs[depot_index + 1] = *prealloc;
++              /* If this is the last depot slab, do not touch the next one. */
++              if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) {
++                      stack_slabs[depot_index + 1] = *prealloc;
++                      *prealloc = NULL;
++              }
+               /*
+                * This smp_store_release pairs with smp_load_acquire() from
+                * |next_slab_inited| above and in stack_depot_save().
+                */
+               smp_store_release(&next_slab_inited, 1);
+       }
+-      *prealloc = NULL;
+       return true;
+ }
+-- 
+2.20.1
+
diff --git a/queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch b/queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch
new file mode 100644 (file)
index 0000000..f9b8bc3
--- /dev/null
@@ -0,0 +1,291 @@
+From 9f33a8fbc669687b55903f534985b8067da7e724 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2020 00:38:29 -0300
+Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal
+ delivery
+
+From: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+
+[ Upstream commit 2464cc4c345699adea52c7aef75707207cb8a2f6 ]
+
+After a treclaim, we expect to be in non-transactional state. If we
+don't clear the current thread's MSR[TS] before we get preempted, then
+tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in
+suspended transaction state.
+
+When handling a signal caught in transactional state,
+handle_rt_signal64() calls get_tm_stackpointer() that treclaims the
+transaction using tm_reclaim_current() but without clearing the
+thread's MSR[TS]. This can cause the TM Bad Thing exception below if
+later we pagefault and get preempted trying to access the user's
+sigframe, using __put_user(). Afterwards, when we are rescheduled back
+into do_page_fault() (but now in suspended state since the thread's
+MSR[TS] was not cleared), upon executing 'rfid' after completion of
+the page fault handling, the exception is raised because a transition
+from suspended to non-transactional state is invalid.
+
+  Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033
+  Oops: Unrecoverable exception, sig: 6 [#1]
+  LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries
+  CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32
+  NIP:  c00000000000de44 LR: c000000000034728 CTR: 0000000000000000
+  REGS: c00000003fe7bd70 TRAP: 0700   Not tainted  (5.4.0-rc2)
+  MSR:  8000000302a03031 <SF,VEC,VSX,FP,ME,IR,DR,LE,TM[SE]>  CR: 44000884  XER: 00000000
+  CFAR: c00000000000dda4 IRQMASK: 0
+  PACATMSCRATCH: 800000010280b033
+  GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78
+  GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0
+  GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000
+  GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000
+  GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000
+  GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140
+  GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800
+  GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000
+  NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0
+  LR [c000000000034728] handle_rt_signal64+0x78/0xc50
+  Call Trace:
+  [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable)
+  [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460
+  [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74
+  Instruction dump:
+  7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088
+  60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989
+  ---[ end trace 93094aa44b442f87 ]---
+
+The simplified sequence of events that triggers the above exception is:
+
+  ...                          # userspace in NON-TRANSACTIONAL state
+  tbegin                       # userspace in TRANSACTIONAL state
+  signal delivery              # kernelspace in SUSPENDED state
+  handle_rt_signal64()
+    get_tm_stackpointer()
+      treclaim                 # kernelspace in NON-TRANSACTIONAL state
+    __put_user()
+      page fault happens. We will never get back here because of the TM Bad Thing exception.
+
+  page fault handling kicks in and we voluntarily preempt ourselves
+  do_page_fault()
+    __schedule()
+      __switch_to(other_task)
+
+  our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared
+  __switch_to(our_task)
+    switch_to_tm()
+      tm_recheckpoint_new_task()
+        trechkpt                       # kernelspace in SUSPENDED state
+
+  The page fault handling resumes, but now we are in suspended transaction state
+  do_page_fault()    completes
+  rfid     <----- trying to get back where the page fault happened (we were non-transactional back then)
+  TM Bad Thing                 # illegal transition from suspended to non-transactional
+
+This patch fixes that issue by clearing the current thread's MSR[TS]
+just after treclaim in get_tm_stackpointer() so that we stay in
+non-transactional state in case we are preempted. In order to make
+treclaim and clearing the thread's MSR[TS] atomic from a preemption
+perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is
+used. It's also necessary to save the previous value of the thread's
+MSR before get_tm_stackpointer() is called so that it can be exposed
+to the signal handler later in setup_tm_sigcontexts() to inform the
+userspace MSR at the moment of the signal delivery.
+
+Found with tm-signal-context-force-tm kernel selftest.
+
+Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context")
+Cc: stable@vger.kernel.org # v3.9
+Signed-off-by: Gustavo Luiz Duarte <gustavold@linux.ibm.com>
+Acked-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/signal.c    | 17 +++++++++++++++--
+ arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++--------------
+ arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------
+ 3 files changed, 39 insertions(+), 28 deletions(-)
+
+diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c
+index 3d7539b90010c..4cb92022315a4 100644
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -193,14 +193,27 @@ unsigned long get_tm_stackpointer(struct task_struct *tsk)
+        * normal/non-checkpointed stack pointer.
+        */
++      unsigned long ret = tsk->thread.regs->gpr[1];
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       BUG_ON(tsk != current);
+       if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) {
++              preempt_disable();
+               tm_reclaim_current(TM_CAUSE_SIGNAL);
+               if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr))
+-                      return tsk->thread.ckpt_regs.gpr[1];
++                      ret = tsk->thread.ckpt_regs.gpr[1];
++
++              /*
++               * If we treclaim, we must clear the current thread's TM bits
++               * before re-enabling preemption. Otherwise we might be
++               * preempted and have the live MSR[TS] changed behind our back
++               * (tm_recheckpoint_new_task() would recheckpoint). Besides, we
++               * enter the signal handler in non-transactional state.
++               */
++              tsk->thread.regs->msr &= ~MSR_TS_MASK;
++              preempt_enable();
+       }
+ #endif
+-      return tsk->thread.regs->gpr[1];
++      return ret;
+ }
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index 7157cb6951512..123299fbb33e4 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -515,19 +515,11 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame,
+  */
+ static int save_tm_user_regs(struct pt_regs *regs,
+                            struct mcontext __user *frame,
+-                           struct mcontext __user *tm_frame, int sigret)
++                           struct mcontext __user *tm_frame, int sigret,
++                           unsigned long msr)
+ {
+-      unsigned long msr = regs->msr;
+-
+       WARN_ON(tm_suspend_disabled);
+-      /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+-       * just indicates to userland that we were doing a transaction, but we
+-       * don't want to return in transactional state.  This also ensures
+-       * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+-       */
+-      regs->msr &= ~MSR_TS_MASK;
+-
+       /* Save both sets of general registers */
+       if (save_general_regs(&current->thread.ckpt_regs, frame)
+           || save_general_regs(regs, tm_frame))
+@@ -1004,6 +996,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+       int sigret;
+       unsigned long tramp;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -1036,13 +1032,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset,
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       tm_frame = &rt_sf->uc_transact.uc_mcontext;
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               if (__put_user((unsigned long)&rt_sf->uc_transact,
+                              &rt_sf->uc.uc_link) ||
+                   __put_user((unsigned long)tm_frame,
+                              &rt_sf->uc_transact.uc_regs))
+                       goto badframe;
+-              if (save_tm_user_regs(regs, frame, tm_frame, sigret))
++              if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr))
+                       goto badframe;
+       }
+       else
+@@ -1449,6 +1445,10 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+       int sigret;
+       unsigned long tramp;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -1482,9 +1482,9 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset,
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+       tm_mctx = &frame->mctx_transact;
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact,
+-                                    sigret))
++                                    sigret, msr))
+                       goto badframe;
+       }
+       else
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index b203c16d46d4e..71785574aeafb 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -192,7 +192,8 @@ static long setup_sigcontext(struct sigcontext __user *sc,
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+                                struct sigcontext __user *tm_sc,
+                                struct task_struct *tsk,
+-                               int signr, sigset_t *set, unsigned long handler)
++                               int signr, sigset_t *set, unsigned long handler,
++                               unsigned long msr)
+ {
+       /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the
+        * process never used altivec yet (MSR_VEC is zero in pt_regs of
+@@ -207,12 +208,11 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+       elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+       struct pt_regs *regs = tsk->thread.regs;
+-      unsigned long msr = tsk->thread.regs->msr;
+       long err = 0;
+       BUG_ON(tsk != current);
+-      BUG_ON(!MSR_TM_ACTIVE(regs->msr));
++      BUG_ON(!MSR_TM_ACTIVE(msr));
+       WARN_ON(tm_suspend_disabled);
+@@ -222,13 +222,6 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+        */
+       msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
+-      /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+-       * just indicates to userland that we were doing a transaction, but we
+-       * don't want to return in transactional state.  This also ensures
+-       * that flush_fp_to_thread won't set TIF_RESTORE_TM again.
+-       */
+-      regs->msr &= ~MSR_TS_MASK;
+-
+ #ifdef CONFIG_ALTIVEC
+       err |= __put_user(v_regs, &sc->v_regs);
+       err |= __put_user(tm_v_regs, &tm_sc->v_regs);
+@@ -805,6 +798,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+       unsigned long newsp = 0;
+       long err = 0;
+       struct pt_regs *regs = tsk->thread.regs;
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++      /* Save the thread's msr before get_tm_stackpointer() changes it */
++      unsigned long msr = regs->msr;
++#endif
+       BUG_ON(tsk != current);
+@@ -822,7 +819,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+       err |= __put_user(0, &frame->uc.uc_flags);
+       err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]);
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+-      if (MSR_TM_ACTIVE(regs->msr)) {
++      if (MSR_TM_ACTIVE(msr)) {
+               /* The ucontext_t passed to userland points to the second
+                * ucontext_t (for transactional state) with its uc_link ptr.
+                */
+@@ -830,7 +827,8 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set,
+               err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext,
+                                           &frame->uc_transact.uc_mcontext,
+                                           tsk, ksig->sig, NULL,
+-                                          (unsigned long)ksig->ka.sa.sa_handler);
++                                          (unsigned long)ksig->ka.sa.sa_handler,
++                                          msr);
+       } else
+ #endif
+       {
+-- 
+2.20.1
+
diff --git a/queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch b/queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch
new file mode 100644 (file)
index 0000000..7d0ba41
--- /dev/null
@@ -0,0 +1,85 @@
+From a2de7ca4bc5e14efcb3b03f9cb0b02c3da0b8714 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Sun, 31 Dec 2017 18:20:45 -0500
+Subject: powerpc/tm: Fix endianness flip on trap
+
+From: Gustavo Romero <gromero@linux.vnet.ibm.com>
+
+[ Upstream commit 1c200e63d055ec0125e44a5e386b9b78aada7eb3 ]
+
+Currently it's possible that a thread on PPC64 LE has its endianness
+flipped inadvertently to Big-Endian resulting in a crash once the process
+is back from the signal handler.
+
+If giveup_all() is called when regs->msr has the bits MSR.FP and MSR.VEC
+disabled (and hence MSR.VSX disabled too) it returns without calling
+check_if_tm_restore_required() which copies regs->msr to ckpt_regs->msr if
+the process caught a signal whilst in transactional mode. Then once in
+setup_tm_sigcontexts() MSR from ckpt_regs.msr is used, but since
+check_if_tm_restore_required() was not called previuosly, gp_regs[PT_MSR]
+gets a copy of invalid MSR bits as MSR in ckpt_regs was not updated from
+regs->msr and so is zeroed. Later when leaving the signal handler once in
+sys_rt_sigreturn() the TS bits of gp_regs[PT_MSR] are checked to determine
+if restore_tm_sigcontexts() must be called to pull in the correct MSR state
+into the user context. Because TS bits are zeroed
+restore_tm_sigcontexts() is never called and MSR restored from the user
+context on returning from the signal handler has the MSR.LE (the endianness
+bit) forced to zero (Big-Endian). That leads, for instance, to 'nop' being
+treated as an illegal instruction in the following sequence:
+
+       tbegin.
+       beq     1f
+       trap
+       tend.
+1:     nop
+
+on PPC64 LE machines and the process dies just after returning from the
+signal handler.
+
+PPC64 BE is also affected but in a subtle way since forcing Big-Endian on
+a BE machine does not change the endianness.
+
+This commit fixes the issue described above by ensuring that once in
+setup_tm_sigcontexts() the MSR used is from regs->msr instead of from
+ckpt_regs->msr and by ensuring that we pull in only the MSR.FP, MSR.VEC,
+and MSR.VSX bits from ckpt_regs->msr.
+
+The fix was tested both on LE and BE machines and no regression regarding
+the powerpc/tm selftests was observed.
+
+Signed-off-by: Gustavo Romero <gromero@linux.vnet.ibm.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/signal_64.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index 2d52fed72e216..b203c16d46d4e 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -207,7 +207,7 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+       elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc);
+ #endif
+       struct pt_regs *regs = tsk->thread.regs;
+-      unsigned long msr = tsk->thread.ckpt_regs.msr;
++      unsigned long msr = tsk->thread.regs->msr;
+       long err = 0;
+       BUG_ON(tsk != current);
+@@ -216,6 +216,12 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+       WARN_ON(tm_suspend_disabled);
++      /* Restore checkpointed FP, VEC, and VSX bits from ckpt_regs as
++       * it contains the correct FP, VEC, VSX state after we treclaimed
++       * the transaction and giveup_all() was called on reclaiming.
++       */
++      msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX);
++
+       /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+        * just indicates to userland that we were doing a transaction, but we
+        * don't want to return in transactional state.  This also ensures
+-- 
+2.20.1
+
diff --git a/queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch b/queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch
new file mode 100644 (file)
index 0000000..e31835d
--- /dev/null
@@ -0,0 +1,95 @@
+From c6ba40eb93f22ca21b7099c46f5620cb717f4b5a Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Thu, 12 Oct 2017 21:17:19 +1100
+Subject: powerpc/tm: P9 disable transactionally suspended sigcontexts
+
+From: Michael Neuling <mikey@neuling.org>
+
+[ Upstream commit 92fb8690bd04cb421d987d246deac60eef85d272 ]
+
+Unfortunately userspace can construct a sigcontext which enables
+suspend. Thus userspace can force Linux into a path where trechkpt is
+executed.
+
+This patch blocks this from happening on POWER9 by sanity checking
+sigcontexts passed in.
+
+ptrace doesn't have this problem as only MSR SE and BE can be changed
+via ptrace.
+
+This patch also adds a number of WARN_ON()s in case we ever enter
+suspend when we shouldn't. This should not happen, but if it does the
+symptoms are soft lockup warnings which are not obviously TM related,
+so the WARN_ON()s should make it obvious what's happening.
+
+Signed-off-by: Michael Neuling <mikey@neuling.org>
+Signed-off-by: Cyril Bur <cyrilbur@gmail.com>
+Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ arch/powerpc/kernel/process.c   | 2 ++
+ arch/powerpc/kernel/signal_32.c | 4 ++++
+ arch/powerpc/kernel/signal_64.c | 5 +++++
+ 3 files changed, 11 insertions(+)
+
+diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c
+index ba0d4f9a99bac..1615d60cd55cb 100644
+--- a/arch/powerpc/kernel/process.c
++++ b/arch/powerpc/kernel/process.c
+@@ -903,6 +903,8 @@ static inline void tm_reclaim_task(struct task_struct *tsk)
+       if (!MSR_TM_ACTIVE(thr->regs->msr))
+               goto out_and_saveregs;
++      WARN_ON(tm_suspend_disabled);
++
+       TM_DEBUG("--- tm_reclaim on pid %d (NIP=%lx, "
+                "ccr=%lx, msr=%lx, trap=%lx)\n",
+                tsk->pid, thr->regs->nip,
+diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c
+index a03fc3109fa55..7157cb6951512 100644
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -519,6 +519,8 @@ static int save_tm_user_regs(struct pt_regs *regs,
+ {
+       unsigned long msr = regs->msr;
++      WARN_ON(tm_suspend_disabled);
++
+       /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+        * just indicates to userland that we were doing a transaction, but we
+        * don't want to return in transactional state.  This also ensures
+@@ -769,6 +771,8 @@ static long restore_tm_user_regs(struct pt_regs *regs,
+       int i;
+ #endif
++      if (tm_suspend_disabled)
++              return 1;
+       /*
+        * restore general registers but not including MSR or SOFTE. Also
+        * take care of keeping r2 (TLS) intact if not a signal.
+diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c
+index b75bf6e74209e..2d52fed72e216 100644
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -214,6 +214,8 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+       BUG_ON(!MSR_TM_ACTIVE(regs->msr));
++      WARN_ON(tm_suspend_disabled);
++
+       /* Remove TM bits from thread's MSR.  The MSR in the sigcontext
+        * just indicates to userland that we were doing a transaction, but we
+        * don't want to return in transactional state.  This also ensures
+@@ -430,6 +432,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk,
+       BUG_ON(tsk != current);
++      if (tm_suspend_disabled)
++              return -EINVAL;
++
+       /* copy the GPRs */
+       err |= __copy_from_user(regs->gpr, tm_sc->gp_regs, sizeof(regs->gpr));
+       err |= __copy_from_user(&tsk->thread.ckpt_regs, sc->gp_regs,
+-- 
+2.20.1
+
diff --git a/queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch b/queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch
new file mode 100644 (file)
index 0000000..f960388
--- /dev/null
@@ -0,0 +1,126 @@
+From 3ceeacbfffe0daea049f784aa84e4f516826f86f Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Tue, 11 Feb 2020 15:55:59 +0200
+Subject: serial: 8250: Check UPF_IRQ_SHARED in advance
+
+From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+
+[ Upstream commit 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 ]
+
+The commit 54e53b2e8081
+  ("tty: serial: 8250: pass IRQ shared flag to UART ports")
+nicely explained the problem:
+
+---8<---8<---
+
+On some systems IRQ lines between multiple UARTs might be shared. If so, the
+irqflags have to be configured accordingly. The reason is: The 8250 port startup
+code performs IRQ tests *before* the IRQ handler for that particular port is
+registered. This is performed in serial8250_do_startup(). This function checks
+whether IRQF_SHARED is configured and only then disables the IRQ line while
+testing.
+
+This test is performed upon each open() of the UART device. Imagine two UARTs
+share the same IRQ line: On is already opened and the IRQ is active. When the
+second UART is opened, the IRQ line has to be disabled while performing IRQ
+tests. Otherwise an IRQ might handler might be invoked, but the IRQ itself
+cannot be handled, because the corresponding handler isn't registered,
+yet. That's because the 8250 code uses a chain-handler and invokes the
+corresponding port's IRQ handling routines himself.
+
+Unfortunately this IRQF_SHARED flag isn't configured for UARTs probed via device
+tree even if the IRQs are shared. This way, the actual and shared IRQ line isn't
+disabled while performing tests and the kernel correctly detects a spurious
+IRQ. So, adding this flag to the DT probe solves the issue.
+
+Note: The UPF_SHARE_IRQ flag is configured unconditionally. Therefore, the
+IRQF_SHARED flag can be set unconditionally as well.
+
+Example stack trace by performing `echo 1 > /dev/ttyS2` on a non-patched system:
+
+|irq 85: nobody cared (try booting with the "irqpoll" option)
+| [...]
+|handlers:
+|[<ffff0000080fc628>] irq_default_primary_handler threaded [<ffff00000855fbb8>] serial8250_interrupt
+|Disabling IRQ #85
+
+---8<---8<---
+
+But unfortunately didn't fix the root cause. Let's try again here by moving
+IRQ flag assignment from serial_link_irq_chain() to serial8250_do_startup().
+
+This should fix the similar issue reported for 8250_pnp case.
+
+Since this change we don't need to have custom solutions in 8250_aspeed_vuart
+and 8250_of drivers, thus, drop them.
+
+Fixes: 1c2f04937b3e ("serial: 8250: add IRQ trigger support")
+Reported-by: Li RongQing <lirongqing@baidu.com>
+Cc: Kurt Kanzenbach <kurt@linutronix.de>
+Cc: Vikram Pandita <vikram.pandita@ti.com>
+Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
+Cc: stable <stable@vger.kernel.org>
+Acked-by: Kurt Kanzenbach <kurt@linutronix.de>
+Link: https://lore.kernel.org/r/20200211135559.85960-1-andriy.shevchenko@linux.intel.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/serial/8250/8250_aspeed_vuart.c | 1 -
+ drivers/tty/serial/8250/8250_core.c         | 5 ++---
+ drivers/tty/serial/8250/8250_port.c         | 4 ++++
+ 3 files changed, 6 insertions(+), 4 deletions(-)
+
+diff --git a/drivers/tty/serial/8250/8250_aspeed_vuart.c b/drivers/tty/serial/8250/8250_aspeed_vuart.c
+index 33a801353114c..0a89df390f248 100644
+--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c
++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c
+@@ -256,7 +256,6 @@ static int aspeed_vuart_probe(struct platform_device *pdev)
+               port.port.line = rc;
+       port.port.irq = irq_of_parse_and_map(np, 0);
+-      port.port.irqflags = IRQF_SHARED;
+       port.port.iotype = UPIO_MEM;
+       port.port.type = PORT_16550A;
+       port.port.uartclk = clk;
+diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
+index c698ebab6d3bd..5017a0f46b826 100644
+--- a/drivers/tty/serial/8250/8250_core.c
++++ b/drivers/tty/serial/8250/8250_core.c
+@@ -181,7 +181,7 @@ static int serial_link_irq_chain(struct uart_8250_port *up)
+       struct hlist_head *h;
+       struct hlist_node *n;
+       struct irq_info *i;
+-      int ret, irq_flags = up->port.flags & UPF_SHARE_IRQ ? IRQF_SHARED : 0;
++      int ret;
+       mutex_lock(&hash_mutex);
+@@ -216,9 +216,8 @@ static int serial_link_irq_chain(struct uart_8250_port *up)
+               INIT_LIST_HEAD(&up->list);
+               i->head = &up->list;
+               spin_unlock_irq(&i->lock);
+-              irq_flags |= up->port.irqflags;
+               ret = request_irq(up->port.irq, serial8250_interrupt,
+-                                irq_flags, up->port.name, i);
++                                up->port.irqflags, up->port.name, i);
+               if (ret < 0)
+                       serial_do_unlink(i, up);
+       }
+diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c
+index a73d2bc4b6852..90a93c001e169 100644
+--- a/drivers/tty/serial/8250/8250_port.c
++++ b/drivers/tty/serial/8250/8250_port.c
+@@ -2258,6 +2258,10 @@ int serial8250_do_startup(struct uart_port *port)
+               }
+       }
++      /* Check if we need to have shared IRQs */
++      if (port->irq && (up->port.flags & UPF_SHARE_IRQ))
++              up->port.irqflags |= IRQF_SHARED;
++
+       if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) {
+               unsigned char iir1;
+               /*
+-- 
+2.20.1
+
index 5b49eca1fbf54edfe8503289e45c0bc6f4e646ca..7a78cf7226d16554f1cf9c5368c1e61075446e9e 100644 (file)
@@ -198,3 +198,12 @@ mm-vmscan.c-don-t-round-up-scan-size-for-online-memory-cgroup.patch
 drm-amdgpu-soc15-fix-xclk-for-raven.patch
 kvm-x86-don-t-notify-userspace-ioapic-on-edge-triggered-interrupt-eoi.patch
 xhci-apply-xhci_pme_stuck_quirk-to-intel-comet-lake-platforms.patch
+vt_resizex-get-rid-of-field-by-field-copyin.patch
+vt-vt_ioctl-fix-race-in-vt_resizex.patch
+powerpc-tm-p9-disable-transactionally-suspended-sigc.patch
+powerpc-tm-fix-endianness-flip-on-trap.patch
+powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch
+serial-8250-check-upf_irq_shared-in-advance.patch
+lib-stackdepot-fix-outdated-comments.patch
+lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch
+kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch
diff --git a/queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch b/queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch
new file mode 100644 (file)
index 0000000..6e144d1
--- /dev/null
@@ -0,0 +1,107 @@
+From 368ec3de669cb9099a9213c17ef5e6f52296face Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Mon, 10 Feb 2020 11:07:21 -0800
+Subject: vt: vt_ioctl: fix race in VT_RESIZEX
+
+From: Eric Dumazet <edumazet@google.com>
+
+[ Upstream commit 6cd1ed50efd88261298577cd92a14f2768eddeeb ]
+
+We need to make sure vc_cons[i].d is not NULL after grabbing
+console_lock(), or risk a crash.
+
+general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN
+KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347]
+CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0
+Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS:  00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+Call Trace:
+ tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660
+ vfs_ioctl fs/ioctl.c:47 [inline]
+ ksys_ioctl+0x123/0x180 fs/ioctl.c:763
+ __do_sys_ioctl fs/ioctl.c:772 [inline]
+ __se_sys_ioctl fs/ioctl.c:770 [inline]
+ __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770
+ do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+RIP: 0033:0x45b399
+Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00
+RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
+RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399
+RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003
+RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000
+R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff
+R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c
+Modules linked in:
+---[ end trace 80970faf7a67eb77 ]---
+RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883
+Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40
+RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000
+RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340
+RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d
+R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d
+R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f
+FS:  00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000
+CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
+
+Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
+Signed-off-by: Eric Dumazet <edumazet@google.com>
+Cc: stable <stable@vger.kernel.org>
+Reported-by: syzbot <syzkaller@googlegroups.com>
+Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------
+ 1 file changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index be7990548afef..c320fefab3602 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -876,15 +876,20 @@ int vt_ioctl(struct tty_struct *tty,
+                       return -EINVAL;
+               for (i = 0; i < MAX_NR_CONSOLES; i++) {
++                      struct vc_data *vcp;
++
+                       if (!vc_cons[i].d)
+                               continue;
+                       console_lock();
+-                      if (v.v_vlin)
+-                              vc_cons[i].d->vc_scan_lines = v.v_vlin;
+-                      if (v.v_clin)
+-                              vc_cons[i].d->vc_font.height = v.v_clin;
+-                      vc_cons[i].d->vc_resize_user = 1;
+-                      vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
++                      vcp = vc_cons[i].d;
++                      if (vcp) {
++                              if (v.v_vlin)
++                                      vcp->vc_scan_lines = v.v_vlin;
++                              if (v.v_clin)
++                                      vcp->vc_font.height = v.v_clin;
++                              vcp->vc_resize_user = 1;
++                              vc_resize(vcp, v.v_cols, v.v_rows);
++                      }
+                       console_unlock();
+               }
+               break;
+-- 
+2.20.1
+
diff --git a/queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch b/queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch
new file mode 100644 (file)
index 0000000..64d65db
--- /dev/null
@@ -0,0 +1,108 @@
+From c8005101dcc85f61b848cc3fcdd27ea136a51ba5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin <sashal@kernel.org>
+Date: Fri, 29 Sep 2017 12:34:13 -0400
+Subject: VT_RESIZEX: get rid of field-by-field copyin
+
+From: Al Viro <viro@zeniv.linux.org.uk>
+
+[ Upstream commit 1b3bce4d6bf839304a90951b4b25a5863533bf2a ]
+
+Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
+Signed-off-by: Sasha Levin <sashal@kernel.org>
+---
+ drivers/tty/vt/vt_ioctl.c | 68 ++++++++++++++++-----------------------
+ 1 file changed, 27 insertions(+), 41 deletions(-)
+
+diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c
+index 7b34b0ddbf0e0..be7990548afef 100644
+--- a/drivers/tty/vt/vt_ioctl.c
++++ b/drivers/tty/vt/vt_ioctl.c
+@@ -847,58 +847,44 @@ int vt_ioctl(struct tty_struct *tty,
+       case VT_RESIZEX:
+       {
+-              struct vt_consize __user *vtconsize = up;
+-              ushort ll,cc,vlin,clin,vcol,ccol;
++              struct vt_consize v;
+               if (!perm)
+                       return -EPERM;
+-              if (!access_ok(VERIFY_READ, vtconsize,
+-                              sizeof(struct vt_consize))) {
+-                      ret = -EFAULT;
+-                      break;
+-              }
++              if (copy_from_user(&v, up, sizeof(struct vt_consize)))
++                      return -EFAULT;
+               /* FIXME: Should check the copies properly */
+-              __get_user(ll, &vtconsize->v_rows);
+-              __get_user(cc, &vtconsize->v_cols);
+-              __get_user(vlin, &vtconsize->v_vlin);
+-              __get_user(clin, &vtconsize->v_clin);
+-              __get_user(vcol, &vtconsize->v_vcol);
+-              __get_user(ccol, &vtconsize->v_ccol);
+-              vlin = vlin ? vlin : vc->vc_scan_lines;
+-              if (clin) {
+-                      if (ll) {
+-                              if (ll != vlin/clin) {
+-                                      /* Parameters don't add up */
+-                                      ret = -EINVAL;
+-                                      break;
+-                              }
+-                      } else 
+-                              ll = vlin/clin;
++              if (!v.v_vlin)
++                      v.v_vlin = vc->vc_scan_lines;
++              if (v.v_clin) {
++                      int rows = v.v_vlin/v.v_clin;
++                      if (v.v_rows != rows) {
++                              if (v.v_rows) /* Parameters don't add up */
++                                      return -EINVAL;
++                              v.v_rows = rows;
++                      }
+               }
+-              if (vcol && ccol) {
+-                      if (cc) {
+-                              if (cc != vcol/ccol) {
+-                                      ret = -EINVAL;
+-                                      break;
+-                              }
+-                      } else
+-                              cc = vcol/ccol;
++              if (v.v_vcol && v.v_ccol) {
++                      int cols = v.v_vcol/v.v_ccol;
++                      if (v.v_cols != cols) {
++                              if (v.v_cols)
++                                      return -EINVAL;
++                              v.v_cols = cols;
++                      }
+               }
+-              if (clin > 32) {
+-                      ret =  -EINVAL;
+-                      break;
+-              }
+-                  
++              if (v.v_clin > 32)
++                      return -EINVAL;
++
+               for (i = 0; i < MAX_NR_CONSOLES; i++) {
+                       if (!vc_cons[i].d)
+                               continue;
+                       console_lock();
+-                      if (vlin)
+-                              vc_cons[i].d->vc_scan_lines = vlin;
+-                      if (clin)
+-                              vc_cons[i].d->vc_font.height = clin;
++                      if (v.v_vlin)
++                              vc_cons[i].d->vc_scan_lines = v.v_vlin;
++                      if (v.v_clin)
++                              vc_cons[i].d->vc_font.height = v.v_clin;
+                       vc_cons[i].d->vc_resize_user = 1;
+-                      vc_resize(vc_cons[i].d, cc, ll);
++                      vc_resize(vc_cons[i].d, v.v_cols, v.v_rows);
+                       console_unlock();
+               }
+               break;
+-- 
+2.20.1
+