4.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Oct 2018 13:09:17 +0000 (15:09 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 16 Oct 2018 13:09:17 +0000 (15:09 +0200)
added patches:
ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
mm-vmstat.c-fix-outdated-vmstat_text.patch
perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch

queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch [new file with mode: 0644]
queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch [new file with mode: 0644]
queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch [new file with mode: 0644]
queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch [new file with mode: 0644]
queue-4.4/series

diff --git a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644 (file)
index 0000000..fdfc2bf
--- /dev/null
@@ -0,0 +1,101 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o <tytso@mit.edu>
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: ext4: add corruption check in ext4_xattr_set_entry()
+
+From: Theodore Ts'o <tytso@mit.edu>
+
+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o <tytso@mit.edu>
+Reviewed-by: Andreas Dilger <adilger@dilger.ca>
+[bwh: Backported to 3.16:
+ - Add inode parameter to ext4_xattr_set_entry() and update callers
+ - Adjust context]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+[adjusted for 4.4 context]
+Signed-off-by: Daniel Rosenberg <drosen@google.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ fs/ext4/xattr.c |   22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru
+ }
+ static int
+-ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
++ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s,
++                   struct inode *inode)
+ {
+-      struct ext4_xattr_entry *last;
++      struct ext4_xattr_entry *last, *next;
+       size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+       /* Compute min_offs and last. */
+       last = s->first;
+-      for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++      for (; !IS_LAST_ENTRY(last); last = next) {
++              next = EXT4_XATTR_NEXT(last);
++              if ((void *)next >= s->end) {
++                      EXT4_ERROR_INODE(inode, "corrupted xattr entries");
++                      return -EFSCORRUPTED;
++              }
+               if (!last->e_value_block && last->e_value_size) {
+                       size_t offs = le16_to_cpu(last->e_value_offs);
+                       if (offs < min_offs)
+@@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s
+                               ce = NULL;
+                       }
+                       ea_bdebug(bs->bh, "modifying in-place");
+-                      error = ext4_xattr_set_entry(i, s);
++                      error = ext4_xattr_set_entry(i, s, inode);
+                       if (!error) {
+                               if (!IS_LAST_ENTRY(s->first))
+                                       ext4_xattr_rehash(header(s->base),
+@@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s
+               s->end = s->base + sb->s_blocksize;
+       }
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error == -EFSCORRUPTED)
+               goto bad_block;
+       if (error)
+@@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+       if (EXT4_I(inode)->i_extra_isize == 0)
+               return -ENOSPC;
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error) {
+               if (error == -ENOSPC &&
+                   ext4_has_inline_data(inode)) {
+@@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+                       error = ext4_xattr_ibody_find(inode, i, is);
+                       if (error)
+                               return error;
+-                      error = ext4_xattr_set_entry(i, s);
++                      error = ext4_xattr_set_entry(i, s, inode);
+               }
+               if (error)
+                       return error;
+@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t
+       if (EXT4_I(inode)->i_extra_isize == 0)
+               return -ENOSPC;
+-      error = ext4_xattr_set_entry(i, s);
++      error = ext4_xattr_set_entry(i, s, inode);
+       if (error)
+               return error;
+       header = IHDR(inode, ext4_raw_inode(&is->iloc));
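Review bot: The new guard in the loop of ext4_xattr_set_entry(), `if ((void *)next >= s->end)`, only proves that the first byte of the next entry lies below `s->end`. The loop condition then evaluates IS_LAST_ENTRY() on that pointer and the body reads `e_value_block`, `e_value_size` and `e_value_offs` from it, so an entry header that begins just short of `s->end` could still be read past the buffer. IS_LAST_ENTRY is defined outside the hunk; if it reads a 32-bit word, a tighter form would be `if ((void *)next + sizeof(__u32) > s->end)`. The function body continues outside the hunk, so later uses of `last` cannot be checked from here. A one-line comment above the check, such as `/* on-disk e_name_len is untrusted: never walk past s->end */`, would help the next backporter.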
diff --git a/queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch b/queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
new file mode 100644 (file)
index 0000000..821b048
--- /dev/null
@@ -0,0 +1,135 @@
+From 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka <mpatocka@redhat.com>
+Date: Fri, 17 Aug 2018 15:19:37 -0400
+Subject: mach64: detect the dot clock divider correctly on sparc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mikulas Patocka <mpatocka@redhat.com>
+
+commit 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 upstream.
+
+On Sun Ultra 5, it happens that the dot clock is not set up properly for
+some videomodes. For example, if we set the videomode "r1024x768x60" in
+the firmware, Linux would incorrectly set a videomode with refresh rate
+180Hz when booting (suprisingly, my LCD monitor can display it, although
+display quality is very low).
+
+The reason is this: Older mach64 cards set the divider in the register
+VCLK_POST_DIV. The register has four 2-bit fields (the field that is
+actually used is specified in the lowest two bits of the register
+CLOCK_CNTL). The 2 bits select divider "1, 2, 4, 8". On newer mach64 cards,
+there's another bit added - the top four bits of PLL_EXT_CNTL extend the
+divider selection, so we have possible dividers "1, 2, 4, 8, 3, 5, 6, 12".
+The Linux driver clears the top four bits of PLL_EXT_CNTL and never sets
+them, so it can work regardless if the card supports them. However, the
+sparc64 firmware may set these extended dividers during boot - and the
+mach64 driver detects incorrect dot clock in this case.
+
+This patch makes the driver read the additional divider bit from
+PLL_EXT_CNTL and calculate the initial refresh rate properly.
+
+Signed-off-by: Mikulas Patocka <mpatocka@redhat.com>
+Cc: stable@vger.kernel.org
+Acked-by: David S. Miller <davem@davemloft.net>
+Reviewed-by: Ville Syrjälä <syrjala@sci.fi>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/video/fbdev/aty/atyfb.h      |    3 ++-
+ drivers/video/fbdev/aty/atyfb_base.c |    7 ++++---
+ drivers/video/fbdev/aty/mach64_ct.c  |   10 +++++-----
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/video/fbdev/aty/atyfb.h
++++ b/drivers/video/fbdev/aty/atyfb.h
+@@ -332,6 +332,8 @@ extern const struct aty_pll_ops aty_pll_
+ extern void aty_set_pll_ct(const struct fb_info *info, const union aty_pll *pll);
+ extern u8 aty_ld_pll_ct(int offset, const struct atyfb_par *par);
++extern const u8 aty_postdividers[8];
++
+     /*
+      *  Hardware cursor support
+@@ -358,7 +360,6 @@ static inline void wait_for_idle(struct
+ extern void aty_reset_engine(const struct atyfb_par *par);
+ extern void aty_init_engine(struct atyfb_par *par, struct fb_info *info);
+-extern u8   aty_ld_pll_ct(int offset, const struct atyfb_par *par);
+ void atyfb_copyarea(struct fb_info *info, const struct fb_copyarea *area);
+ void atyfb_fillrect(struct fb_info *info, const struct fb_fillrect *rect);
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -3093,17 +3093,18 @@ static int atyfb_setup_sparc(struct pci_
+               /*
+                * PLL Reference Divider M:
+                */
+-              M = pll_regs[2];
++              M = pll_regs[PLL_REF_DIV];
+               /*
+                * PLL Feedback Divider N (Dependent on CLOCK_CNTL):
+                */
+-              N = pll_regs[7 + (clock_cntl & 3)];
++              N = pll_regs[VCLK0_FB_DIV + (clock_cntl & 3)];
+               /*
+                * PLL Post Divider P (Dependent on CLOCK_CNTL):
+                */
+-              P = 1 << (pll_regs[6] >> ((clock_cntl & 3) << 1));
++              P = aty_postdividers[((pll_regs[VCLK_POST_DIV] >> ((clock_cntl & 3) << 1)) & 3) |
++                                   ((pll_regs[PLL_EXT_CNTL] >> (2 + (clock_cntl & 3))) & 4)];
+               /*
+                * PLL Divider Q:
+--- a/drivers/video/fbdev/aty/mach64_ct.c
++++ b/drivers/video/fbdev/aty/mach64_ct.c
+@@ -114,7 +114,7 @@ static void aty_st_pll_ct(int offset, u8
+  */
+ #define Maximum_DSP_PRECISION 7
+-static u8 postdividers[] = {1,2,4,8,3};
++const u8 aty_postdividers[8] = {1,2,4,8,3,5,6,12};
+ static int aty_dsp_gt(const struct fb_info *info, u32 bpp, struct pll_ct *pll)
+ {
+@@ -221,7 +221,7 @@ static int aty_valid_pll_ct(const struct
+               pll->vclk_post_div += (q <  64*8);
+               pll->vclk_post_div += (q <  32*8);
+       }
+-      pll->vclk_post_div_real = postdividers[pll->vclk_post_div];
++      pll->vclk_post_div_real = aty_postdividers[pll->vclk_post_div];
+       //    pll->vclk_post_div <<= 6;
+       pll->vclk_fb_div = q * pll->vclk_post_div_real / 8;
+       pllvclk = (1000000 * 2 * pll->vclk_fb_div) /
+@@ -512,7 +512,7 @@ static int aty_init_pll_ct(const struct
+               u8 mclk_fb_div, pll_ext_cntl;
+               pll->ct.pll_ref_div = aty_ld_pll_ct(PLL_REF_DIV, par);
+               pll_ext_cntl = aty_ld_pll_ct(PLL_EXT_CNTL, par);
+-              pll->ct.xclk_post_div_real = postdividers[pll_ext_cntl & 0x07];
++              pll->ct.xclk_post_div_real = aty_postdividers[pll_ext_cntl & 0x07];
+               mclk_fb_div = aty_ld_pll_ct(MCLK_FB_DIV, par);
+               if (pll_ext_cntl & PLL_MFB_TIMES_4_2B)
+                       mclk_fb_div <<= 1;
+@@ -534,7 +534,7 @@ static int aty_init_pll_ct(const struct
+               xpost_div += (q <  64*8);
+               xpost_div += (q <  32*8);
+       }
+-      pll->ct.xclk_post_div_real = postdividers[xpost_div];
++      pll->ct.xclk_post_div_real = aty_postdividers[xpost_div];
+       pll->ct.mclk_fb_div = q * pll->ct.xclk_post_div_real / 8;
+ #ifdef CONFIG_PPC
+@@ -583,7 +583,7 @@ static int aty_init_pll_ct(const struct
+                       mpost_div += (q <  64*8);
+                       mpost_div += (q <  32*8);
+               }
+-              sclk_post_div_real = postdividers[mpost_div];
++              sclk_post_div_real = aty_postdividers[mpost_div];
+               pll->ct.sclk_fb_div = q * sclk_post_div_real / 8;
+               pll->ct.spll_cntl2 = mpost_div << 4;
+ #ifdef DEBUG
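Review bot: The table on the `const u8 aty_postdividers[8] = {1,2,4,8,3,5,6,12};` line in mach64_ct.c carries no comment, yet its length is now a memory-safety property. aty_init_pll_ct() indexes it with `pll_ext_cntl & 0x07`, a value read from the hardware, and with the old five-entry `postdividers[]` codes 5 to 7 would have read past the array. I would add above it `/* indexed by a 3-bit post divider code (0..7); callers mask with 0x07, so this must keep 8 entries */`. The index expression for `P` in atyfb_setup_sparc() is hard to audit as written; splitting it into two named locals (the 2-bit VCLK_POST_DIV field and the PLL_EXT_CNTL extension bit) would make the upper bound of 7 obvious. The other lookups (`pll->vclk_post_div`, `xpost_div`, `mpost_div`) are computed outside the hunks, so their range cannot be confirmed from here.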
diff --git a/queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch b/queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch
new file mode 100644 (file)
index 0000000..cf3f21b
--- /dev/null
@@ -0,0 +1,47 @@
+From 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 Mon Sep 17 00:00:00 2001
+From: Jann Horn <jannh@google.com>
+Date: Fri, 5 Oct 2018 15:52:03 -0700
+Subject: mm/vmstat.c: fix outdated vmstat_text
+
+From: Jann Horn <jannh@google.com>
+
+commit 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 upstream.
+
+7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely") removed the
+VMACACHE_FULL_FLUSHES statistics, but didn't remove the corresponding
+entry in vmstat_text.  This causes an out-of-bounds access in
+vmstat_show().
+
+Luckily this only affects kernels with CONFIG_DEBUG_VM_VMACACHE=y, which
+is probably very rare.
+
+Link: http://lkml.kernel.org/r/20181001143138.95119-1-jannh@google.com
+Fixes: 7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely")
+Signed-off-by: Jann Horn <jannh@google.com>
+Reviewed-by: Kees Cook <keescook@chromium.org>
+Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
+Acked-by: Michal Hocko <mhocko@suse.com>
+Acked-by: Roman Gushchin <guro@fb.com>
+Cc: Davidlohr Bueso <dave@stgolabs.net>
+Cc: Oleg Nesterov <oleg@redhat.com>
+Cc: Christoph Lameter <clameter@sgi.com>
+Cc: Kemi Wang <kemi.wang@intel.com>
+Cc: Andy Lutomirski <luto@kernel.org>
+Cc: Ingo Molnar <mingo@kernel.org>
+Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ mm/vmstat.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -869,7 +869,6 @@ const char * const vmstat_text[] = {
+ #ifdef CONFIG_DEBUG_VM_VMACACHE
+       "vmacache_find_calls",
+       "vmacache_find_hits",
+-      "vmacache_full_flushes",
+ #endif
+ #endif /* CONFIG_VM_EVENTS_COUNTERS */
+ };
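Review bot: Nothing in the patched table ties the length of `vmstat_text[]` to the set of counters it names, so the drift that caused this out-of-bounds access in vmstat_show() can recur the next time a counter is removed. A compile-time assertion next to the array, a `BUILD_BUG_ON()` comparing `ARRAY_SIZE(vmstat_text)` with the total number of exported items, would turn that into a build failure. The exact expression depends on enum counts that are outside the hunk. The commit message says only CONFIG_DEBUG_VM_VMACACHE=y builds are affected, so the assertion would need to be built under that configuration to catch a repeat.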
diff --git a/queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch b/queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch
new file mode 100644 (file)
index 0000000..7655681
--- /dev/null
@@ -0,0 +1,50 @@
+From 25e11700b54c7b6b5ebfc4361981dae12299557b Mon Sep 17 00:00:00 2001
+From: Adrian Hunter <adrian.hunter@intel.com>
+Date: Tue, 11 Sep 2018 14:45:03 +0300
+Subject: perf script python: Fix export-to-postgresql.py occasional failure
+
+From: Adrian Hunter <adrian.hunter@intel.com>
+
+commit 25e11700b54c7b6b5ebfc4361981dae12299557b upstream.
+
+Occasional export failures were found to be caused by truncating 64-bit
+pointers to 32-bits. Fix by explicitly setting types for all ctype
+arguments and results.
+
+Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
+Cc: Jiri Olsa <jolsa@redhat.com>
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180911114504.28516-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ tools/perf/scripts/python/export-to-postgresql.py |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/tools/perf/scripts/python/export-to-postgresql.py
++++ b/tools/perf/scripts/python/export-to-postgresql.py
+@@ -205,14 +205,23 @@ from ctypes import *
+ libpq = CDLL("libpq.so.5")
+ PQconnectdb = libpq.PQconnectdb
+ PQconnectdb.restype = c_void_p
++PQconnectdb.argtypes = [ c_char_p ]
+ PQfinish = libpq.PQfinish
++PQfinish.argtypes = [ c_void_p ]
+ PQstatus = libpq.PQstatus
++PQstatus.restype = c_int
++PQstatus.argtypes = [ c_void_p ]
+ PQexec = libpq.PQexec
+ PQexec.restype = c_void_p
++PQexec.argtypes = [ c_void_p, c_char_p ]
+ PQresultStatus = libpq.PQresultStatus
++PQresultStatus.restype = c_int
++PQresultStatus.argtypes = [ c_void_p ]
+ PQputCopyData = libpq.PQputCopyData
++PQputCopyData.restype = c_int
+ PQputCopyData.argtypes = [ c_void_p, c_void_p, c_int ]
+ PQputCopyEnd = libpq.PQputCopyEnd
++PQputCopyEnd.restype = c_int
+ PQputCopyEnd.argtypes = [ c_void_p, c_void_p ]
+ sys.path.append(os.environ['PERF_EXEC_PATH'] + \
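Review bot: `PQfinish` gets `argtypes` but no `restype`, so ctypes keeps its default `c_int` result for a function that returns nothing. That falls short of the commit message's "all ctype arguments and results". Adding `PQfinish.restype = None` after the `PQfinish.argtypes` line completes the set and keeps the declarations uniform, with every libpq entry point carrying both attributes.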
index fef1335ef19f9e852dc9dec20fe011faee5c1244..da1388ca53bb96aa96bd5575c82536f015c2e841 100644 (file)
@@ -7,3 +7,7 @@ stmmac-fix-valid-numbers-of-unicast-filter-entries.patch
 net-macb-disable-scatter-gather-for-macb-on-sama5d3.patch
 arm-dts-at91-add-new-compatibility-string-for-macb-on-sama5d3.patch
 drm-amdgpu-fix-sdma-hqd-destroy-error-on-gfx_v7.patch
+ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+mm-vmstat.c-fix-outdated-vmstat_text.patch
+mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
+perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch