From: Greg Kroah-Hartman
Date: Thu, 24 May 2012 05:05:32 +0000 (-0700)
Subject: 3.0-stable patches
X-Git-Tag: v3.0.33~41
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=073619388fa6d0673b067a241461d196c3920eb3;p=thirdparty%2Fkernel%2Fstable-queue.git
3.0-stable patches
added patches:
block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch
block-fix-buffer-overflow-when-printing-partition-uuids.patch
parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch
parisc-fix-pa1.1-oops-on-boot.patch
parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
tilegx-enable-syscall_wrappers-support.patch
---
diff --git a/queue-3.0/block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch b/queue-3.0/block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch
new file mode 100644
index 00000000000..b66ffdf7e42
--- /dev/null
+++ b/queue-3.0/block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch
@@ -0,0 +1,150 @@
+From 080399aaaf3531f5b8761ec0ac30ff98891e8686 Mon Sep 17 00:00:00 2001
+From: Jeff Moyer
+Date: Fri, 11 May 2012 16:34:10 +0200
+Subject: block: don't mark buffers beyond end of disk as mapped
+
+From: Jeff Moyer
+
+commit 080399aaaf3531f5b8761ec0ac30ff98891e8686 upstream.
+
+Hi,
+
+We have a bug report open where a squashfs image mounted on ppc64 would
+exhibit errors due to trying to read beyond the end of the disk. It can
+easily be reproduced by doing the following:
+
+[root@ibm-p750e-02-lp3 ~]# ls -l install.img
+-rw-r--r-- 1 root root 142032896 Apr 30 16:46 install.img
+[root@ibm-p750e-02-lp3 ~]# mount -o loop ./install.img /mnt/test
+[root@ibm-p750e-02-lp3 ~]# dd if=/dev/loop0 of=/dev/null
+dd: reading `/dev/loop0': Input/output error
+277376+0 records in
+277376+0 records out
+142016512 bytes (142 MB) copied, 0.9465 s, 150 MB/s
+
+In dmesg, you'll find the following:
+
+squashfs: version 4.0 (2009/01/31) Phillip Lougher
+[ 43.106012] attempt to access beyond end of device
+[ 43.106029] loop0: rw=0, want=277410, limit=277408
+[ 43.106039] Buffer I/O error on device loop0, logical block 138704
+[ 43.106053] attempt to access beyond end of device
+[ 43.106057] loop0: rw=0, want=277412, limit=277408
+[ 43.106061] Buffer I/O error on device loop0, logical block 138705
+[ 43.106066] attempt to access beyond end of device
+[ 43.106070] loop0: rw=0, want=277414, limit=277408
+[ 43.106073] Buffer I/O error on device loop0, logical block 138706
+[ 43.106078] attempt to access beyond end of device
+[ 43.106081] loop0: rw=0, want=277416, limit=277408
+[ 43.106085] Buffer I/O error on device loop0, logical block 138707
+[ 43.106089] attempt to access beyond end of device
+[ 43.106093] loop0: rw=0, want=277418, limit=277408
+[ 43.106096] Buffer I/O error on device loop0, logical block 138708
+[ 43.106101] attempt to access beyond end of device
+[ 43.106104] loop0: rw=0, want=277420, limit=277408
+[ 43.106108] Buffer I/O error on device loop0, logical block 138709
+[ 43.106112] attempt to access beyond end of device
+[ 43.106116] loop0: rw=0, want=277422, limit=277408
+[ 43.106120] Buffer I/O error on device loop0, logical block 138710
+[ 43.106124] attempt to access beyond end of device
+[ 43.106128] loop0: rw=0, want=277424, limit=277408
+[ 43.106131] Buffer I/O error on device loop0, logical block 138711
+[ 43.106135] attempt to access beyond end of device
+[ 43.106139] loop0: rw=0, want=277426, limit=277408
+[ 43.106143] Buffer I/O error on device loop0, logical block 138712
+[ 43.106147] attempt to access beyond end of device
+[ 43.106151] loop0: rw=0, want=277428, limit=277408
+[ 43.106154] Buffer I/O error on device loop0, logical block 138713
+[ 43.106158] attempt to access beyond end of device
+[ 43.106162] loop0: rw=0, want=277430, limit=277408
+[ 43.106166] attempt to access beyond end of device
+[ 43.106169] loop0: rw=0, want=277432, limit=277408
+...
+[ 43.106307] attempt to access beyond end of device
+[ 43.106311] loop0: rw=0, want=277470, limit=2774
+
+Squashfs manages to read in the end block(s) of the disk during the
+mount operation. Then, when dd reads the block device, it leads to
+block_read_full_page being called with buffers that are beyond end of
+disk, but are marked as mapped. Thus, it would end up submitting read
+I/O against them, resulting in the errors mentioned above. I fixed the
+problem by modifying init_page_buffers to only set the buffer mapped if
+it fell inside of i_size.
+
+Cheers,
+Jeff
+
+Signed-off-by: Jeff Moyer
+Acked-by: Nick Piggin
+
+--
+
+Changes from v1->v2: re-used max_block, as suggested by Nick Piggin.
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/block_dev.c | 6 +++---
+ fs/buffer.c | 4 +++-
+ include/linux/fs.h | 1 +
+ 3 files changed, 7 insertions(+), 4 deletions(-)
+
+--- a/fs/block_dev.c
++++ b/fs/block_dev.c
+@@ -64,7 +64,7 @@ static void bdev_inode_switch_bdi(struct
+ spin_unlock(&inode_wb_list_lock);
+ }
+
+-static sector_t max_block(struct block_device *bdev)
++sector_t blkdev_max_block(struct block_device *bdev)
+ {
+ sector_t retval = ~((sector_t)0);
+ loff_t sz = i_size_read(bdev->bd_inode);
+@@ -135,7 +135,7 @@ static int
+ blkdev_get_block(struct inode *inode, sector_t iblock,
+ struct buffer_head *bh, int create)
+ {
+- if (iblock >= max_block(I_BDEV(inode))) {
++ if (iblock >= blkdev_max_block(I_BDEV(inode))) {
+ if (create)
+ return -EIO;
+
+@@ -157,7 +157,7 @@ static int
+ blkdev_get_blocks(struct inode *inode, sector_t iblock,
+ struct buffer_head *bh, int create)
+ {
+- sector_t end_block = max_block(I_BDEV(inode));
++ sector_t end_block = blkdev_max_block(I_BDEV(inode));
+ unsigned long max_blocks = bh->b_size >> inode->i_blkbits;
+
+ if ((iblock + max_blocks) > end_block) {
+--- a/fs/buffer.c
++++ b/fs/buffer.c
+@@ -968,6 +968,7 @@ init_page_buffers(struct page *page, str
+ struct buffer_head *head = page_buffers(page);
+ struct buffer_head *bh = head;
+ int uptodate = PageUptodate(page);
++ sector_t end_block = blkdev_max_block(I_BDEV(bdev->bd_inode));
+
+ do {
+ if (!buffer_mapped(bh)) {
+@@ -976,7 +977,8 @@ init_page_buffers(struct page *page, str
+ bh->b_blocknr = block;
+ if (uptodate)
+ set_buffer_uptodate(bh);
+- set_buffer_mapped(bh);
++ if (block < end_block)
++ set_buffer_mapped(bh);
+ }
+ block++;
+ bh = bh->b_this_page;
+--- a/include/linux/fs.h
++++ b/include/linux/fs.h
+@@ -2029,6 +2029,7 @@ extern void unregister_blkdev(unsigned i
+ extern struct block_device *bdget(dev_t);
+ extern struct block_device *bdgrab(struct block_device *bdev);
+ extern void bd_set_size(struct block_device *, loff_t size);
++extern sector_t blkdev_max_block(struct block_device *bdev);
+ extern void bd_forget(struct inode *inode);
+ extern void bdput(struct block_device *);
+ extern void invalidate_bdev(struct block_device *);
diff --git a/queue-3.0/block-fix-buffer-overflow-when-printing-partition-uuids.patch b/queue-3.0/block-fix-buffer-overflow-when-printing-partition-uuids.patch
new file mode 100644
index 00000000000..dd83ed4fab0
--- /dev/null
+++ b/queue-3.0/block-fix-buffer-overflow-when-printing-partition-uuids.patch
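Review bot: The new `if (block < end_block)` in init_page_buffers leaves buffers past the end of the device unmapped but the function still returns nothing, so a caller that loops until it obtains a usable buffer for `block` (the `__getblk_slow`/`grow_buffers` path in the same file, not visible here) has no way to learn that this page can never satisfy the request and may retry indefinitely; consider having init_page_buffers return `end_block` so grow_dev_page can fail with `-ENXIO` once `block >= end_block`. `blkdev_max_block()` starts from `~((sector_t)0)` and the code that overrides it from `i_size_read()` lies outside the hunk, so presumably a bdev with an unknown size keeps every block mappable; a comment on the new `end_block` line such as `/* all-ones when the bdev size is unknown, i.e. the old always-mapped behaviour */` would record that the check degrades rather than rejecting everything. Minor: `blkdev_max_block(I_BDEV(bdev->bd_inode))` round-trips through the inode only to get `bdev` back, and `blkdev_max_block(bdev)` reads more directly. init_page_buffers and blkdev_max_block both start and end outside the hunk.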
@@ -0,0 +1,93 @@
+From 05c69d298c96703741cac9a5cbbf6c53bd55a6e2 Mon Sep 17 00:00:00 2001
+From: Tejun Heo
+Date: Tue, 15 May 2012 08:22:04 +0200
+Subject: block: fix buffer overflow when printing partition UUIDs
+
+From: Tejun Heo
+
+commit 05c69d298c96703741cac9a5cbbf6c53bd55a6e2 upstream.
+
+6d1d8050b4bc8 "block, partition: add partition_meta_info to hd_struct"
+added part_unpack_uuid() which assumes that the passed in buffer has
+enough space for sprintfing "%pU" - 37 characters including '\0'.
+
+Unfortunately, b5af921ec0233 "init: add support for root devices
+specified by partition UUID" supplied 33 bytes buffer to the function
+leading to the following panic with stackprotector enabled.
+
+ Kernel panic - not syncing: stack-protector: Kernel stack corrupted in: ffffffff81b14c7e
+
+ [] panic+0xba/0x1c6
+ [] ? printk_all_partitions+0x259/0x26xb
+ [] __stack_chk_fail+0x1b/0x20
+ [] printk_all_paritions+0x259/0x26xb
+ [] mount_block_root+0x1bc/0x27f
+ [] mount_root+0x57/0x5b
+ [] prepare_namespace+0x13d/0x176
+ [] ? release_tgcred.isra.4+0x330/0x30
+ [] kernel_init+0x155/0x15a
+ [] ? schedule_tail+0x27/0xb0
+ [] kernel_thread_helper+0x5/0x10
+ [] ? start_kernel+0x3c5/0x3c5
+ [] ? gs_change+0x13/0x13
+
+Increase the buffer size, remove the dangerous part_unpack_uuid() and
+use snprintf() directly from printk_all_partitions().
+
+Signed-off-by: Tejun Heo
+Reported-by: Szymon Gruszczynski
+Cc: Will Drewry
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/genhd.c | 10 ++++++----
+ include/linux/genhd.h | 6 ------
+ 2 files changed, 6 insertions(+), 10 deletions(-)
+
+--- a/block/genhd.c
++++ b/block/genhd.c
+@@ -744,7 +744,7 @@ void __init printk_all_partitions(void)
+ struct hd_struct *part;
+ char name_buf[BDEVNAME_SIZE];
+ char devt_buf[BDEVT_SIZE];
+- u8 uuid[PARTITION_META_INFO_UUIDLTH * 2 + 1];
++ char uuid_buf[PARTITION_META_INFO_UUIDLTH * 2 + 5];
+
+ /*
+ * Don't show empty devices or things that have been
+@@ -763,14 +763,16 @@ void __init printk_all_partitions(void)
+ while ((part = disk_part_iter_next(&piter))) {
+ bool is_part0 = part == &disk->part0;
+
+- uuid[0] = 0;
++ uuid_buf[0] = '\0';
+ if (part->info)
+- part_unpack_uuid(part->info->uuid, uuid);
++ snprintf(uuid_buf, sizeof(uuid_buf), "%pU",
++ part->info->uuid);
+
+ printk("%s%s %10llu %s %s", is_part0 ? "" : " ",
+ bdevt_str(part_devt(part), devt_buf),
+ (unsigned long long)part->nr_sects >> 1,
+- disk_name(disk, part->partno, name_buf), uuid);
++ disk_name(disk, part->partno, name_buf),
++ uuid_buf);
+ if (is_part0) {
+ if (disk->driverfs_dev != NULL &&
+ disk->driverfs_dev->driver != NULL)
+--- a/include/linux/genhd.h
++++ b/include/linux/genhd.h
+@@ -221,12 +221,6 @@ static inline void part_pack_uuid(const
+ }
+ }
+
+-static inline char *part_unpack_uuid(const u8 *uuid, char *out)
+-{
+- sprintf(out, "%pU", uuid);
+- return out;
+-}
+-
+ static inline int disk_max_parts(struct gendisk *disk)
+ {
+ if (disk->flags & GENHD_FL_EXT_DEVT)
diff --git a/queue-3.0/parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch b/queue-3.0/parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch
new file mode 100644
index 00000000000..c8383778be2
--- /dev/null
+++ b/queue-3.0/parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch
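Review bot: The new `char uuid_buf[PARTITION_META_INFO_UUIDLTH * 2 + 5]` in printk_all_partitions encodes the `%pU` layout as a bare `+ 5`, which is the same kind of unexplained arithmetic that produced the undersized 33-byte buffer this commit is fixing; a comment on the declaration, e.g. `/* "%pU": 2 hex digits per byte + 4 '-' + NUL */`, would tie the size to the format so the next edit cannot silently break it again. With `snprintf(uuid_buf, sizeof(uuid_buf), ...)` the write is bounded either way, and since `%pU` output is fixed-width the truncated case cannot arise as long as that arithmetic holds (the description's 37-character figure presumes PARTITION_META_INFO_UUIDLTH is 16; the define is outside the hunk). printk_all_partitions starts and ends outside the hunk.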
@@ -0,0 +1,89 @@
+From 207f583d7179f707f402c36a7bda5ca1fd03ad5b Mon Sep 17 00:00:00 2001
+From: John David Anglin
+Date: Wed, 16 May 2012 10:14:52 +0100
+Subject: PARISC: fix crash in flush_icache_page_asm on PA1.1
+
+From: John David Anglin
+
+commit 207f583d7179f707f402c36a7bda5ca1fd03ad5b upstream.
+
+As pointed out by serveral people, PA1.1 only has a type 26 instruction
+meaning that the space register must be explicitly encoded. Not giving an
+explicit space means that the compiler uses the type 24 version which is PA2.0
+only resulting in an illegal instruction crash.
+
+This regression was caused by
+
+ commit f311847c2fcebd81912e2f0caf8a461dec28db41
+ Author: James Bottomley
+ Date: Wed Dec 22 10:22:11 2010 -0600
+
+ parisc: flush pages through tmpalias space
+
+Reported-by: Helge Deller
+Signed-off-by: John David Anglin
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/pacache.S | 38 ++++++++++++++++++++------------------
+ 1 file changed, 20 insertions(+), 18 deletions(-)
+
+--- a/arch/parisc/kernel/pacache.S
++++ b/arch/parisc/kernel/pacache.S
+@@ -692,7 +692,7 @@ ENTRY(flush_icache_page_asm)
+
+ /* Purge any old translation */
+
+- pitlb (%sr0,%r28)
++ pitlb (%sr4,%r28)
+
+ ldil L%icache_stride, %r1
+ ldw R%icache_stride(%r1), %r1
+@@ -706,27 +706,29 @@ ENTRY(flush_icache_page_asm)
+ sub %r25, %r1, %r25
+
+
+-1: fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
+- fic,m %r1(%r28)
++ /* fic only has the type 26 form on PA1.1, requiring an
++ * explicit space specification, so use %sr4 */
++1: fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
++ fic,m %r1(%sr4,%r28)
+ cmpb,COND(<<) %r28, %r25,1b
+- fic,m %r1(%r28)
++ fic,m %r1(%sr4,%r28)
+
+ sync
+ bv %r0(%r2)
+- pitlb (%sr0,%r25)
++ pitlb (%sr4,%r25)
+ .exit
+
+ .procend
diff --git a/queue-3.0/parisc-fix-pa1.1-oops-on-boot.patch b/queue-3.0/parisc-fix-pa1.1-oops-on-boot.patch
new file mode 100644
index 00000000000..6ffc82fda93
--- /dev/null
+++ b/queue-3.0/parisc-fix-pa1.1-oops-on-boot.patch
@@ -0,0 +1,42 @@
+From 5e185581d7c46ddd33cd9c01106d1fc86efb9376 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Tue, 15 May 2012 11:04:19 +0100
+Subject: PARISC: fix PA1.1 oops on boot
+
+From: James Bottomley
+
+commit 5e185581d7c46ddd33cd9c01106d1fc86efb9376 upstream.
+
+All PA1.1 systems have been oopsing on boot since
+
+commit f311847c2fcebd81912e2f0caf8a461dec28db41
+Author: James Bottomley
+Date: Wed Dec 22 10:22:11 2010 -0600
+
+ parisc: flush pages through tmpalias space
+
+because a PA2.0 instruction was accidentally introduced into the PA1.1 TLB
+insertion interruption path when it was consolidated with the do_alias macro.
+Fix the do_alias macro only to use PA2.0 instructions if compiled for 64 bit.
+
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/kernel/entry.S | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/parisc/kernel/entry.S
++++ b/arch/parisc/kernel/entry.S
+@@ -581,7 +581,11 @@
+ */
+ cmpiclr,= 0x01,\tmp,%r0
+ ldi (_PAGE_DIRTY|_PAGE_READ|_PAGE_WRITE),\prot
++#ifdef CONFIG_64BIT
+ depd,z \prot,8,7,\prot
++#else
++ depw,z \prot,8,7,\prot
++#endif
+ /*
+ * OK, it is in the temp alias region, check whether "from" or "to".
+ * Check "subtle" note in pacache.S re: r23/r26.
diff --git a/queue-3.0/parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch b/queue-3.0/parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
new file mode 100644
index 00000000000..87b4b6d9b2a
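Review bot: The two `pitlb` changes from `%sr0` to `%sr4` in flush_icache_page_asm are not covered by the comment added above the `fic` loop, which explains only the type-26 encoding requirement for `fic`; `pitlb` already carried an explicit space, so the reason it must move to the same `%sr4` the flush stream now uses (presumably so the purged translation is the one the `fic` loop actually touches) deserves its own line, e.g. `/* purge in the same space the fic loop below uses */` before the first `pitlb` and a matching remark before the last. The loop comment could also say why `%sr4` in particular is the right space for the tmpalias address held in %r28, since nothing in the hunk establishes that choice. flush_icache_page_asm starts before the first hunk, and the setup that loads %r28 and %r25 is outside both hunks.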
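Review bot: The new `#ifdef CONFIG_64BIT` in do_alias chooses between `depd,z` and `depw,z` on word size rather than on the PA1.1/PA2.0 distinction the description gives, which means a 32-bit kernel built for PA2.0 now takes the `depw` path as well; that is fine only if `depw,z \prot,8,7,\prot` yields the same low-word deposit as the `depd` it replaces, and the hunk should say so, e.g. `/* depd is PA2.0-only; 32-bit kernels must also run on PA1.1, where depw is the equivalent deposit */`. The prefetch fix in this same series keys the equivalent decision on `CONFIG_PA20`, so a word on why this site uses `CONFIG_64BIT` instead would stop a later reader from "harmonising" the two. The do_alias macro starts and ends outside the hunk.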
--- /dev/null
+++ b/queue-3.0/parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
@@ -0,0 +1,37 @@
+From b3cb8674811d1851bbf1486a73d62b90c119b994 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Wed, 16 May 2012 11:10:27 +0100
+Subject: PARISC: fix panic on prefetch(NULL) on PA7300LC
+
+From: James Bottomley
+
+commit b3cb8674811d1851bbf1486a73d62b90c119b994 upstream.
+
+Due to an errata, the PA7300LC generates a TLB miss interruption even on the
+prefetch instruction. This means that prefetch(NULL), which is supposed to be
+a nop on linux actually generates a NULL deref fault. Fix this by testing the
+address of prefetch against NULL before doing the prefetch.
+
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/parisc/include/asm/prefetch.h | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/arch/parisc/include/asm/prefetch.h
++++ b/arch/parisc/include/asm/prefetch.h
+@@ -21,7 +21,12 @@
+ #define ARCH_HAS_PREFETCH
+ static inline void prefetch(const void *addr)
+ {
+- __asm__("ldw 0(%0), %%r0" : : "r" (addr));
++ __asm__(
++#ifndef CONFIG_PA20
++ /* Need to avoid prefetch of NULL on PA7300LC */
++ " extrw,u,= %0,31,32,%%r0\n"
++#endif
++ " ldw 0(%0), %%r0" : : "r" (addr));
+ }
+
+ /* LDD is a PA2.0 addition. */
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644
index 00000000000..6e12eff2f87
--- /dev/null
+++ b/queue-3.0/series
@@ -0,0 +1,6 @@
+tilegx-enable-syscall_wrappers-support.patch
+block-fix-buffer-overflow-when-printing-partition-uuids.patch
+block-don-t-mark-buffers-beyond-end-of-disk-as-mapped.patch
+parisc-fix-pa1.1-oops-on-boot.patch
+parisc-fix-crash-in-flush_icache_page_asm-on-pa1.1.patch
+parisc-fix-panic-on-prefetch-null-on-pa7300lc.patch
diff --git a/queue-3.0/tilegx-enable-syscall_wrappers-support.patch b/queue-3.0/tilegx-enable-syscall_wrappers-support.patch
new file mode 100644
index 00000000000..a0dfce138b1
--- /dev/null
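Review bot: The added `extrw,u,= %0,31,32,%%r0` in prefetch() nullifies the following `ldw` only when the address is exactly zero (as I read the `=` completer on a 32-bit extract), so a prefetch of a small non-NULL pointer such as `&p->next` with `p == NULL` still takes the errata fault on PA7300LC; the comment should make that scope explicit, e.g. `/* PA7300LC takes a TLB miss even on prefetch; honour only the prefetch(NULL)-is-a-nop contract, other bad addresses still fault */`. The `#ifndef CONFIG_PA20` guard also compiles the extra instruction into every PA1.x build rather than detecting the PA7300LC at runtime, which is harmless but worth one more clause in the same comment so nobody mistakes it for a CPU check. The rest of prefetch.h is outside the hunk.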
+++ b/queue-3.0/tilegx-enable-syscall_wrappers-support.patch
@@ -0,0 +1,37 @@
+From e6d9668e119af44ae5bcd5f1197174531458afe3 Mon Sep 17 00:00:00 2001
+From: Chris Metcalf
+Date: Fri, 18 May 2012 13:33:24 -0400
+Subject: tilegx: enable SYSCALL_WRAPPERS support
+
+From: Chris Metcalf
+
+commit e6d9668e119af44ae5bcd5f1197174531458afe3 upstream.
+
+Some discussion with the glibc mailing lists revealed that this was
+necessary for 64-bit platforms with MIPS-like sign-extension rules
+for 32-bit values. The original symptom was that passing (uid_t)-1 to
+setreuid() was failing in programs linked -pthread because of the "setxid"
+mechanism for passing setxid-type function arguments to the syscall code.
+SYSCALL_WRAPPERS handles ensuring that all syscall arguments end up with
+proper sign-extension and is thus the appropriate fix for this problem.
+
+On other platforms (s390, powerpc, sparc64, and mips) this was fixed
+in 2.6.28.6. The general issue is tracked as CVE-2009-0029.
+
+Signed-off-by: Chris Metcalf
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/tile/Kconfig | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/tile/Kconfig
++++ b/arch/tile/Kconfig
+@@ -11,6 +11,7 @@ config TILE
+ select GENERIC_IRQ_PROBE
+ select GENERIC_PENDING_IRQ if SMP
+ select GENERIC_IRQ_SHOW
++ select HAVE_SYSCALL_WRAPPERS if TILEGX
+ select SYS_HYPERVISOR
+
+ # FIXME: investigate whether we need/want these options.
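Review bot: `select HAVE_SYSCALL_WRAPPERS if TILEGX` only produces sign-extending wrappers for syscalls defined through the `SYSCALL_DEFINEx` macros, so any hand-written `asmlinkage long sys_*()` entry points under arch/tile that take 32-bit arguments would still receive un-extended values and need a separate audit; none are visible in this hunk, so this is a request to confirm rather than a defect. Since the description ties the select to CVE-2009-0029, it deserves a comment line of its own so a later Kconfig cleanup does not treat it as optional, e.g. `# sign-extend 32-bit syscall arguments on 64-bit tilegx (CVE-2009-0029)` placed directly above the new `select`. The `config TILE` block continues outside the hunk.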