From: Greg Kroah-Hartman Date: Tue, 23 Jun 2015 03:21:59 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.10.82~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e341e3815d9e0e80b7a9aacee801854db12ca4e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: crypto-caam-fix-rng-buffer-cache-alignment.patch drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch iser-target-fix-possible-use-after-free.patch tracing-have-filter-check-for-balanced-ops.patch --- diff --git a/queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch b/queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch new file mode 100644 index 00000000000..891329db66f --- /dev/null +++ b/queue-3.14/crypto-caam-fix-rng-buffer-cache-alignment.patch @@ -0,0 +1,42 @@ +From 412c98c1bef65fe7589f1300e93735d96130307c Mon Sep 17 00:00:00 2001 +From: Steve Cornelius +Date: Mon, 15 Jun 2015 16:52:59 -0700 +Subject: crypto: caam - fix RNG buffer cache alignment + +From: Steve Cornelius + +commit 412c98c1bef65fe7589f1300e93735d96130307c upstream. + +The hwrng output buffers (2) are cast inside of a a struct (caam_rng_ctx) +allocated in one DMA-tagged region. While the kernel's heap allocator +should place the overall struct on a cacheline aligned boundary, the 2 +buffers contained within may not necessarily align. Consenquently, the ends +of unaligned buffers may not fully flush, and if so, stale data will be left +behind, resulting in small repeating patterns. + +This fix aligns the buffers inside the struct. + +Note that not all of the data inside caam_rng_ctx necessarily needs to be +DMA-tagged, only the buffers themselves require this. However, a fix would +incur the expense of error-handling bloat in the case of allocation failure. + +Signed-off-by: Steve Cornelius +Signed-off-by: Victoria Milhoan +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamrng.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamrng.c ++++ b/drivers/crypto/caam/caamrng.c +@@ -56,7 +56,7 @@ + + /* Buffer, its dma address and lock */ + struct buf_data { +- u8 buf[RN_BUF_SIZE]; ++ u8 buf[RN_BUF_SIZE] ____cacheline_aligned; + dma_addr_t addr; + struct completion filled; + u32 hw_desc[DESC_JOB_O_LEN]; diff --git a/queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch b/queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch new file mode 100644 index 00000000000..e8bbf174e44 --- /dev/null +++ b/queue-3.14/drm-mgag200-reject-non-character-cell-aligned-mode-widths.patch @@ -0,0 +1,33 @@ +From 25161084b1c1b0c29948f6f77266a35f302196b7 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 15 Jun 2015 16:16:15 -0400 +Subject: drm/mgag200: Reject non-character-cell-aligned mode widths + +From: Adam Jackson + +commit 25161084b1c1b0c29948f6f77266a35f302196b7 upstream. + +Turns out 1366x768 does not in fact work on this hardware. + +Signed-off-by: Adam Jackson +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/mgag200/mgag200_mode.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/mgag200/mgag200_mode.c ++++ b/drivers/gpu/drm/mgag200/mgag200_mode.c +@@ -1529,6 +1529,11 @@ static int mga_vga_mode_valid(struct drm + return MODE_BANDWIDTH; + } + ++ if ((mode->hdisplay % 8) != 0 || (mode->hsync_start % 8) != 0 || ++ (mode->hsync_end % 8) != 0 || (mode->htotal % 8) != 0) { ++ return MODE_H_ILLEGAL; ++ } ++ + if (mode->crtc_hdisplay > 2048 || mode->crtc_hsync_start > 4096 || + mode->crtc_hsync_end > 4096 || mode->crtc_htotal > 4096 || + mode->crtc_vdisplay > 2048 || mode->crtc_vsync_start > 4096 || diff --git a/queue-3.14/iser-target-fix-possible-use-after-free.patch b/queue-3.14/iser-target-fix-possible-use-after-free.patch new file mode 100644 index 00000000000..5b99166b5ca --- /dev/null +++ b/queue-3.14/iser-target-fix-possible-use-after-free.patch @@ -0,0 +1,49 @@ +From 524630d5824c7a75aab568c6bd1423fd748cd3bb Mon Sep 17 00:00:00 2001 +From: Sagi Grimberg +Date: Thu, 4 Jun 2015 19:49:21 +0300 +Subject: iser-target: Fix possible use-after-free + +From: Sagi Grimberg + +commit 524630d5824c7a75aab568c6bd1423fd748cd3bb upstream. + +iser connection termination process happens in 2 stages: +- isert_wait_conn: + - resumes rdma disconnect + - wait for session commands + - wait for flush completions (post a marked wr to signal we are done) + - wait for logout completion + - queue work for connection cleanup (depends on disconnected/timewait + events) +- isert_free_conn + - last reference put on the connection + +In case we are terminating during IOs, we might be posting send/recv +requests after we posted the last work request which might lead +to a use-after-free condition in isert_handle_wc. +After we posted the last wr in isert_wait_conn we are guaranteed that +no successful completions will follow (meaning no new work request posts +may happen) but other flush errors might still come. So before we +put the last reference on the connection, we repeat the process of +posting a marked work request (isert_wait4flush) in order to make sure all +pending completions were flushed. + +Signed-off-by: Sagi Grimberg +Signed-off-by: Jenny Falkovich +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/isert/ib_isert.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/ulp/isert/ib_isert.c ++++ b/drivers/infiniband/ulp/isert/ib_isert.c +@@ -2952,6 +2952,7 @@ static void isert_free_conn(struct iscsi + { + struct isert_conn *isert_conn = conn->context; + ++ isert_wait4flush(isert_conn); + isert_put_conn(isert_conn); + } + diff --git a/queue-3.14/tracing-have-filter-check-for-balanced-ops.patch b/queue-3.14/tracing-have-filter-check-for-balanced-ops.patch new file mode 100644 index 00000000000..e37023e8baf --- /dev/null +++ b/queue-3.14/tracing-have-filter-check-for-balanced-ops.patch @@ -0,0 +1,108 @@ +From 2cf30dc180cea808077f003c5116388183e54f9e Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Mon, 15 Jun 2015 17:50:25 -0400 +Subject: tracing: Have filter check for balanced ops + +From: Steven Rostedt + +commit 2cf30dc180cea808077f003c5116388183e54f9e upstream. + +When the following filter is used it causes a warning to trigger: + + # cd /sys/kernel/debug/tracing + # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter +-bash: echo: write error: Invalid argument + # cat events/ext4/ext4_truncate_exit/filter +((dev==1)blocks==2) +^ +parse_error: No error + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 1223 at kernel/trace/trace_events_filter.c:1640 replace_preds+0x3c5/0x990() + Modules linked in: bnep lockd grace bluetooth ... + CPU: 3 PID: 1223 Comm: bash Tainted: G W 4.1.0-rc3-test+ #450 + Hardware name: Hewlett-Packard HP Compaq Pro 6300 SFF/339A, BIOS K01 v02.05 05/07/2012 + 0000000000000668 ffff8800c106bc98 ffffffff816ed4f9 ffff88011ead0cf0 + 0000000000000000 ffff8800c106bcd8 ffffffff8107fb07 ffffffff8136b46c + ffff8800c7d81d48 ffff8800d4c2bc00 ffff8800d4d4f920 00000000ffffffea + Call Trace: + [] dump_stack+0x4c/0x6e + [] warn_slowpath_common+0x97/0xe0 + [] ? _kstrtoull+0x2c/0x80 + [] warn_slowpath_null+0x1a/0x20 + [] replace_preds+0x3c5/0x990 + [] create_filter+0x82/0xb0 + [] apply_event_filter+0xd4/0x180 + [] event_filter_write+0x8f/0x120 + [] __vfs_write+0x28/0xe0 + [] ? __sb_start_write+0x53/0xf0 + [] ? security_file_permission+0x30/0xc0 + [] vfs_write+0xb8/0x1b0 + [] SyS_write+0x4f/0xb0 + [] system_call_fastpath+0x12/0x6a + ---[ end trace e11028bd95818dcd ]--- + +Worse yet, reading the error message (the filter again) it says that +there was no error, when there clearly was. The issue is that the +code that checks the input does not check for balanced ops. That is, +having an op between a closed parenthesis and the next token. + +This would only cause a warning, and fail out before doing any real +harm, but it should still not caues a warning, and the error reported +should work: + + # cd /sys/kernel/debug/tracing + # echo "((dev==1)blocks==2)" > events/ext4/ext4_truncate_exit/filter +-bash: echo: write error: Invalid argument + # cat events/ext4/ext4_truncate_exit/filter +((dev==1)blocks==2) +^ +parse_error: Meaningless filter expression + +And give no kernel warning. + +Link: http://lkml.kernel.org/r/20150615175025.7e809215@gandalf.local.home + +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: Arnaldo Carvalho de Melo +Reported-by: Vince Weaver +Tested-by: Vince Weaver +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace_events_filter.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace_events_filter.c ++++ b/kernel/trace/trace_events_filter.c +@@ -1399,19 +1399,26 @@ static int check_preds(struct filter_par + { + int n_normal_preds = 0, n_logical_preds = 0; + struct postfix_elt *elt; ++ int cnt = 0; + + list_for_each_entry(elt, &ps->postfix, list) { +- if (elt->op == OP_NONE) ++ if (elt->op == OP_NONE) { ++ cnt++; + continue; ++ } + + if (elt->op == OP_AND || elt->op == OP_OR) { + n_logical_preds++; ++ cnt--; + continue; + } ++ if (elt->op != OP_NOT) ++ cnt--; + n_normal_preds++; ++ WARN_ON_ONCE(cnt < 0); + } + +- if (!n_normal_preds || n_logical_preds >= n_normal_preds) { ++ if (cnt != 1 || !n_normal_preds || n_logical_preds >= n_normal_preds) { + parse_error(ps, FILT_ERR_INVALID_FILTER, 0); + return -EINVAL; + }