From: Greg Kroah-Hartman
Date: Fri, 11 Sep 2015 22:40:35 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.88~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=027a17b1b5f8b658e489dbe9c2241f9a027549b2;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
arm64-mm-remove-hack-in-mmap-randomize-layout.patch
scsi-fix-null-pointer-dereference-in-runtime-pm.patch
---
diff --git a/queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch b/queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
new file mode 100644
index 00000000000..45e570c89cd
--- /dev/null
+++ b/queue-3.14/arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
@@ -0,0 +1,60 @@
+From 126c69a0bd0e441bf6766a5d9bf20de011be9f68 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Thu, 27 Aug 2015 16:10:01 +0100
+Subject: arm64: KVM: Fix host crash when injecting a fault into a 32bit guest
+
+From: Marc Zyngier
+
+commit 126c69a0bd0e441bf6766a5d9bf20de011be9f68 upstream.
+
+When injecting a fault into a misbehaving 32bit guest, it seems
+rather idiotic to also inject a 64bit fault that is only going
+to corrupt the guest state. This leads to a situation where we
+perform an illegal exception return at EL2 causing the host
+to crash instead of killing the guest.
+
+Just fix the stupid bug that has been there from day 1.
+
+Reported-by: Russell King
+Tested-by: Russell King
+Signed-off-by: Marc Zyngier
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/kvm/inject_fault.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/arch/arm64/kvm/inject_fault.c
++++ b/arch/arm64/kvm/inject_fault.c
+@@ -168,8 +168,8 @@ void kvm_inject_dabt(struct kvm_vcpu *vc
+ {
+ if (!(vcpu->arch.hcr_el2 & HCR_RW))
+ inject_abt32(vcpu, false, addr);
+-
+- inject_abt64(vcpu, false, addr);
++ else
++ inject_abt64(vcpu, false, addr);
+ }
+
+ /**
+@@ -184,8 +184,8 @@ void kvm_inject_pabt(struct kvm_vcpu *vc
+ {
+ if (!(vcpu->arch.hcr_el2 & HCR_RW))
+ inject_abt32(vcpu, true, addr);
+-
+- inject_abt64(vcpu, true, addr);
++ else
++ inject_abt64(vcpu, true, addr);
+ }
+
+ /**
+@@ -198,6 +198,6 @@ void kvm_inject_undefined(struct kvm_vcp
+ {
+ if (!(vcpu->arch.hcr_el2 & HCR_RW))
+ inject_undef32(vcpu);
+-
+- inject_undef64(vcpu);
++ else
++ inject_undef64(vcpu);
+ }
diff --git a/queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch b/queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch
new file mode 100644
index 00000000000..eddf45a95bb
--- /dev/null
+++ b/queue-3.14/arm64-mm-remove-hack-in-mmap-randomize-layout.patch
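Review bot: The test `if (!(vcpu->arch.hcr_el2 & HCR_RW))` that now selects between the 32-bit and 64-bit injection paths is repeated verbatim in kvm_inject_dabt, kvm_inject_pabt and kvm_inject_undefined, and none of the three says what the bit encodes or why picking exactly one path matters for the host. A one-line comment above the first test, such as `/* HCR_RW clear: the guest's EL1 is AArch32, so only a 32-bit exception may be injected; taking the 64-bit path as well corrupts guest state and faults at EL2 */`, would capture the commit message's rationale where the next reader will actually look. The same comment applies to the two later hunks in this file, so a single comment at the first site is enough. The signature line of each function is cut by its hunk header and the `/**` doc comments continue outside the hunks, so the block comments themselves could not be updated from here.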
@@ -0,0 +1,68 @@
+From d6c763afab142a85e4770b4bc2a5f40f256d5c5d Mon Sep 17 00:00:00 2001
+From: Yann Droneaud
+Date: Mon, 17 Nov 2014 23:02:19 +0000
+Subject: arm64/mm: Remove hack in mmap randomize layout
+
+From: Yann Droneaud
+
+commit d6c763afab142a85e4770b4bc2a5f40f256d5c5d upstream.
+
+Since commit 8a0a9bd4db63 ('random: make get_random_int() more
+random'), get_random_int() returns a random value for each call,
+so comment and hack introduced in mmap_rnd() as part of commit
+1d18c47c735e ('arm64: MMU fault handling and page table management')
+are incorrects.
+
+Commit 1d18c47c735e seems to use the same hack introduced by
+commit a5adc91a4b44 ('powerpc: Ensure random space between stack
+and mmaps'), latter copied in commit 5a0efea09f42 ('sparc64: Sharpen
+address space randomization calculations.').
+
+But both architectures were cleaned up as part of commit
+fa8cbaaf5a68 ('powerpc+sparc64/mm: Remove hack in mmap randomize
+layout') as hack is no more needed since commit 8a0a9bd4db63.
+
+So the present patch removes the comment and the hack around
+get_random_int() on AArch64's mmap_rnd().
+
+Cc: David S. Miller
+Cc: Anton Blanchard
+Cc: Benjamin Herrenschmidt
+Acked-by: Will Deacon
+Acked-by: Dan McGee
+Signed-off-by: Yann Droneaud
+Signed-off-by: Will Deacon
+Cc: Matthias Brugger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm64/mm/mmap.c | 12 ++----------
+ 1 file changed, 2 insertions(+), 10 deletions(-)
+
+--- a/arch/arm64/mm/mmap.c
++++ b/arch/arm64/mm/mmap.c
+@@ -47,22 +47,14 @@ static int mmap_is_legacy(void)
+ return sysctl_legacy_va_layout;
+ }
+
+-/*
+- * Since get_random_int() returns the same value within a 1 jiffy window, we
+- * will almost always get the same randomisation for the stack and mmap
+- * region. This will mean the relative distance between stack and mmap will be
+- * the same.
+- *
+- * To avoid this we can shift the randomness by 1 bit.
+- */
+ static unsigned long mmap_rnd(void)
+ {
+ unsigned long rnd = 0;
+
+ if (current->flags & PF_RANDOMIZE)
+- rnd = (long)get_random_int() & (STACK_RND_MASK >> 1);
++ rnd = (long)get_random_int() & STACK_RND_MASK;
+
+- return rnd << (PAGE_SHIFT + 1);
++ return rnd << PAGE_SHIFT;
+ }
+
+ static unsigned long mmap_base(void)
diff --git a/queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch b/queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
new file mode 100644
index 00000000000..1b0f0070877
--- /dev/null
+++ b/queue-3.14/scsi-fix-null-pointer-dereference-in-runtime-pm.patch
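Review bot: The cast kept in the new line `rnd = (long)get_random_int() & STACK_RND_MASK;` converts the unsigned int from get_random_int() to a signed long before masking and storing into the unsigned long rnd, and with the `>> 1` gone it no longer does anything the expression needs; `rnd = get_random_int() & STACK_RND_MASK;` is the plain form. The cast was inherited from the replaced line rather than introduced here, so this is a cosmetic follow-up rather than a defect in the backport. With the removed comment gone, mmap_rnd() now has no comment at all, so a one-liner such as `/* Randomise the mmap base by up to STACK_RND_MASK pages when PF_RANDOMIZE is set */` would keep the intent visible; the rest of the file, including mmap_base(), is outside the hunk.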
@@ -0,0 +1,83 @@
+From 49718f0fb8c9af192b33d8af3a2826db04025371 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 17 Aug 2015 11:02:42 -0400
+Subject: SCSI: Fix NULL pointer dereference in runtime PM
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alan Stern
+
+commit 49718f0fb8c9af192b33d8af3a2826db04025371 upstream.
+
+The routines in scsi_rpm.c assume that if a runtime-PM callback is
+invoked for a SCSI device, it can only mean that the device's driver
+has asked the block layer to handle the runtime power management (by
+calling blk_pm_runtime_init(), which among other things sets q->dev).
+
+However, this assumption turns out to be wrong for things like the ses
+driver. Normally ses devices are not allowed to do runtime PM, but
+userspace can override this setting. If this happens, the kernel gets
+a NULL pointer dereference when blk_post_runtime_resume() tries to use
+the uninitialized q->dev pointer.
+
+This patch fixes the problem by calling the block layer's runtime-PM
+routines only if the device's driver really does have a runtime-PM
+callback routine. Since ses doesn't define any such callbacks, the
+crash won't occur.
+
+This fixes Bugzilla #101371.
+
+Signed-off-by: Alan Stern
+Reported-by: Stanisław Pitucha
+Reported-by: Ilan Cohen
+Tested-by: Ilan Cohen
+Reviewed-by: Johannes Thumshirn
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/scsi_pm.c | 22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+--- a/drivers/scsi/scsi_pm.c
++++ b/drivers/scsi/scsi_pm.c
+@@ -149,15 +149,15 @@ static int sdev_runtime_suspend(struct d
+ {
+ const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+ struct scsi_device *sdev = to_scsi_device(dev);
+- int err;
++ int err = 0;
+
+- err = blk_pre_runtime_suspend(sdev->request_queue);
+- if (err)
+- return err;
+- if (pm && pm->runtime_suspend)
++ if (pm && pm->runtime_suspend) {
++ err = blk_pre_runtime_suspend(sdev->request_queue);
++ if (err)
++ return err;
+ err = pm->runtime_suspend(dev);
+- blk_post_runtime_suspend(sdev->request_queue, err);
+-
++ blk_post_runtime_suspend(sdev->request_queue, err);
++ }
+ return err;
+ }
+
+@@ -180,11 +180,11 @@ static int sdev_runtime_resume(struct de
+ const struct dev_pm_ops *pm = dev->driver ? dev->driver->pm : NULL;
+ int err = 0;
+
+- blk_pre_runtime_resume(sdev->request_queue);
+- if (pm && pm->runtime_resume)
++ if (pm && pm->runtime_resume) {
++ blk_pre_runtime_resume(sdev->request_queue);
+ err = pm->runtime_resume(dev);
+- blk_post_runtime_resume(sdev->request_queue, err);
+-
++ blk_post_runtime_resume(sdev->request_queue, err);
++ }
+ return err;
+ }
+
diff --git a/queue-3.14/series b/queue-3.14/series
index 265f2733879..80de24ad79f 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -13,3 +13,6 @@ libfc-fix-fc_exch_recv_req-error-path.patch
 libfc-fix-fc_fcp_cleanup_each_cmd.patch
 regmap-regcache-rbtree-clean-new-present-bits-on-present-bitmap-resize.patch
 crypto-caam-fix-memory-corruption-in-ahash_final_ctx.patch
+arm64-mm-remove-hack-in-mmap-randomize-layout.patch
+scsi-fix-null-pointer-dereference-in-runtime-pm.patch
+arm64-kvm-fix-host-crash-when-injecting-a-fault-into-a-32bit-guest.patch
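Review bot: The new guards `if (pm && pm->runtime_suspend) {` in sdev_runtime_suspend and `if (pm && pm->runtime_resume) {` in sdev_runtime_resume use the presence of a driver callback as a stand-in for the real precondition the commit message names, namely that the driver called blk_pm_runtime_init() so q->dev is populated, and nothing in the code records that coupling. Without a comment, a later cleanup could move the blk_pre_/blk_post_runtime_* calls back outside the guard and reintroduce the NULL dereference on devices such as ses. I would put `/* Only drivers that provide runtime-PM callbacks have set up the block layer's runtime PM (q->dev); skip the blk_* hooks otherwise. */` above the first guard and a short cross-reference at the second. The declaration of sdev in sdev_runtime_resume sits above the second hunk, outside the shown lines, and the following queue-3.14/series hunk is a plain list update.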