From: Greg Kroah-Hartman Date: Wed, 23 Sep 2015 04:55:20 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.1.9~46 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=12ee49431cb0778ac53c51b847c6bb8915515722;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch cifs-fix-type-confusion-in-copy-offload-ioctl.patch powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch powerpc-mm-recompute-hash-value-after-a-failed-update.patch powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch --- diff --git a/queue-3.14/add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch b/queue-3.14/add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch new file mode 100644 index 00000000000..a6fd6e38998 --- /dev/null +++ b/queue-3.14/add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch @@ -0,0 +1,39 @@ +From 09bfda10e6efd7b65bcc29237bee1765ed779657 Mon Sep 17 00:00:00 2001 +From: Jeffery Miller +Date: Tue, 1 Sep 2015 11:23:02 -0400 +Subject: Add radeon suspend/resume quirk for HP Compaq dc5750. + +From: Jeffery Miller + +commit 09bfda10e6efd7b65bcc29237bee1765ed779657 upstream. + +With the radeon driver loaded the HP Compaq dc5750 +Small Form Factor machine fails to resume from suspend. +Adding a quirk similar to other devices avoids +the problem and the system resumes properly. + +Signed-off-by: Jeffery Miller +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_combios.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_combios.c ++++ b/drivers/gpu/drm/radeon/radeon_combios.c +@@ -3387,6 +3387,14 @@ void radeon_combios_asic_init(struct drm + rdev->pdev->subsystem_device == 0x30ae) + return; + ++ /* quirk for rs4xx HP Compaq dc5750 Small Form Factor to make it resume ++ * - it hangs on resume inside the dynclk 1 table. ++ */ ++ if (rdev->family == CHIP_RS480 && ++ rdev->pdev->subsystem_vendor == 0x103c && ++ rdev->pdev->subsystem_device == 0x280a) ++ return; ++ + /* DYN CLK 1 */ + table = combios_get_table_offset(dev, COMBIOS_DYN_CLK_1_TABLE); + if (table) diff --git a/queue-3.14/cifs-fix-type-confusion-in-copy-offload-ioctl.patch b/queue-3.14/cifs-fix-type-confusion-in-copy-offload-ioctl.patch new file mode 100644 index 00000000000..793d6c63a8b --- /dev/null +++ b/queue-3.14/cifs-fix-type-confusion-in-copy-offload-ioctl.patch @@ -0,0 +1,44 @@ +From 4c17a6d56bb0cad3066a714e94f7185a24b40f49 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Fri, 11 Sep 2015 16:27:27 +0200 +Subject: CIFS: fix type confusion in copy offload ioctl + +From: Jann Horn + +commit 4c17a6d56bb0cad3066a714e94f7185a24b40f49 upstream. + +This might lead to local privilege escalation (code execution as +kernel) for systems where the following conditions are met: + + - CONFIG_CIFS_SMB2 and CONFIG_CIFS_POSIX are enabled + - a cifs filesystem is mounted where: + - the mount option "vers" was used and set to a value >=2.0 + - the attacker has write access to at least one file on the filesystem + +To attack this, an attacker would have to guess the target_tcon +pointer (but guessing wrong doesn't cause a crash, it just returns an +error code) and win a narrow race. + +Signed-off-by: Jann Horn +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/cifs/ioctl.c ++++ b/fs/cifs/ioctl.c +@@ -67,6 +67,12 @@ static long cifs_ioctl_clone(unsigned in + goto out_drop_write; + } + ++ if (src_file.file->f_op->unlocked_ioctl != cifs_ioctl) { ++ rc = -EBADF; ++ cifs_dbg(VFS, "src file seems to be from a different filesystem type\n"); ++ goto out_fput; ++ } ++ + if ((!src_file.file->private_data) || (!dst_file->private_data)) { + rc = -EBADF; + cifs_dbg(VFS, "missing cifsFileInfo on copy range src file\n"); diff --git a/queue-3.14/powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch b/queue-3.14/powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch new file mode 100644 index 00000000000..13a5f02f599 --- /dev/null +++ b/queue-3.14/powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch @@ -0,0 +1,76 @@ +From 74b5037baa2011a2799e2c43adde7d171b072f9e Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Fri, 7 Aug 2015 16:19:43 +1000 +Subject: powerpc/mm: Fix pte_pagesize_index() crash on 4K w/64K hash + +From: Michael Ellerman + +commit 74b5037baa2011a2799e2c43adde7d171b072f9e upstream. + +The powerpc kernel can be built to have either a 4K PAGE_SIZE or a 64K +PAGE_SIZE. + +However when built with a 4K PAGE_SIZE there is an additional config +option which can be enabled, PPC_HAS_HASH_64K, which means the kernel +also knows how to hash a 64K page even though the base PAGE_SIZE is 4K. + +This is used in one obscure configuration, to support 64K pages for SPU +local store on the Cell processor when the rest of the kernel is using +4K pages. + +In this configuration, pte_pagesize_index() is defined to just pass +through its arguments to get_slice_psize(). However pte_pagesize_index() +is called for both user and kernel addresses, whereas get_slice_psize() +only knows how to handle user addresses. + +This has been broken forever, however until recently it happened to +work. That was because in get_slice_psize() the large kernel address +would cause the right shift of the slice mask to return zero. + +However in commit 7aa0727f3302 ("powerpc/mm: Increase the slice range to +64TB"), the get_slice_psize() code was changed so that instead of a +right shift we do an array lookup based on the address. When passed a +kernel address this means we index way off the end of the slice array +and return random junk. + +That is only fatal if we happen to hit something non-zero, but when we +do return a non-zero value we confuse the MMU code and eventually cause +a check stop. + +This fix is ugly, but simple. When we're called for a kernel address we +return 4K, which is always correct in this configuration, otherwise we +use the slice mask. + +Fixes: 7aa0727f3302 ("powerpc/mm: Increase the slice range to 64TB") +Reported-by: Cyril Bur +Signed-off-by: Michael Ellerman +Reviewed-by: Aneesh Kumar K.V +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/pgtable-ppc64.h | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/pgtable-ppc64.h ++++ b/arch/powerpc/include/asm/pgtable-ppc64.h +@@ -135,7 +135,19 @@ + #define pte_iterate_hashed_end() } while(0) + + #ifdef CONFIG_PPC_HAS_HASH_64K +-#define pte_pagesize_index(mm, addr, pte) get_slice_psize(mm, addr) ++/* ++ * We expect this to be called only for user addresses or kernel virtual ++ * addresses other than the linear mapping. ++ */ ++#define pte_pagesize_index(mm, addr, pte) \ ++ ({ \ ++ unsigned int psize; \ ++ if (is_kernel_addr(addr)) \ ++ psize = MMU_PAGE_4K; \ ++ else \ ++ psize = get_slice_psize(mm, addr); \ ++ psize; \ ++ }) + #else + #define pte_pagesize_index(mm, addr, pte) MMU_PAGE_4K + #endif diff --git a/queue-3.14/powerpc-mm-recompute-hash-value-after-a-failed-update.patch b/queue-3.14/powerpc-mm-recompute-hash-value-after-a-failed-update.patch new file mode 100644 index 00000000000..87404aac0c4 --- /dev/null +++ b/queue-3.14/powerpc-mm-recompute-hash-value-after-a-failed-update.patch @@ -0,0 +1,54 @@ +From 36b35d5d807b7e57aff7d08e63de8b17731ee211 Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" +Date: Tue, 15 Sep 2015 12:30:08 +0530 +Subject: powerpc/mm: Recompute hash value after a failed update + +From: "Aneesh Kumar K.V" + +commit 36b35d5d807b7e57aff7d08e63de8b17731ee211 upstream. + +If we had secondary hash flag set, we ended up modifying hash value in +the updatepp code path. Hence with a failed updatepp we will be using +a wrong hash value for the following hash insert. Fix this by +recomputing hash before insert. + +Without this patch we can end up with using wrong slot number in linux +pte. That can result in us missing an hash pte update or invalidate +which can cause memory corruption or even machine check. + +Fixes: 6d492ecc6489 ("powerpc/THP: Add code to handle HPTE faults for hugepages") +Signed-off-by: Aneesh Kumar K.V +Reviewed-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/mm/hugepage-hash64.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/mm/hugepage-hash64.c ++++ b/arch/powerpc/mm/hugepage-hash64.c +@@ -136,7 +136,6 @@ int __hash_page_thp(unsigned long ea, un + BUG_ON(index >= 4096); + + vpn = hpt_vpn(ea, vsid, ssize); +- hash = hpt_hash(vpn, shift, ssize); + hpte_slot_array = get_hpte_slot_array(pmdp); + if (psize == MMU_PAGE_4K) { + /* +@@ -151,6 +150,7 @@ int __hash_page_thp(unsigned long ea, un + valid = hpte_valid(hpte_slot_array, index); + if (valid) { + /* update the hpte bits */ ++ hash = hpt_hash(vpn, shift, ssize); + hidx = hpte_hash_index(hpte_slot_array, index); + if (hidx & _PTEIDX_SECONDARY) + hash = ~hash; +@@ -176,6 +176,7 @@ int __hash_page_thp(unsigned long ea, un + if (!valid) { + unsigned long hpte_group; + ++ hash = hpt_hash(vpn, shift, ssize); + /* insert new entry */ + pa = pmd_pfn(__pmd(old_pmd)) << PAGE_SHIFT; + new_pmd |= _PAGE_HASHPTE; diff --git a/queue-3.14/powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch b/queue-3.14/powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch new file mode 100644 index 00000000000..dcefd2561fb --- /dev/null +++ b/queue-3.14/powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch @@ -0,0 +1,100 @@ +From 1c2cb594441d02815d304cccec9742ff5c707495 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Fri, 17 Jul 2015 12:46:58 +0200 +Subject: powerpc/rtas: Introduce rtas_get_sensor_fast() for IRQ handlers + +From: Thomas Huth + +commit 1c2cb594441d02815d304cccec9742ff5c707495 upstream. + +The EPOW interrupt handler uses rtas_get_sensor(), which in turn +uses rtas_busy_delay() to wait for RTAS becoming ready in case it +is necessary. But rtas_busy_delay() is annotated with might_sleep() +and thus may not be used by interrupts handlers like the EPOW handler! +This leads to the following BUG when CONFIG_DEBUG_ATOMIC_SLEEP is +enabled: + + BUG: sleeping function called from invalid context at arch/powerpc/kernel/rtas.c:496 + in_atomic(): 1, irqs_disabled(): 1, pid: 0, name: swapper/1 + CPU: 1 PID: 0 Comm: swapper/1 Not tainted 4.2.0-rc2-thuth #6 + Call Trace: + [c00000007ffe7b90] [c000000000807670] dump_stack+0xa0/0xdc (unreliable) + [c00000007ffe7bc0] [c0000000000e1f14] ___might_sleep+0x134/0x180 + [c00000007ffe7c20] [c00000000002aec0] rtas_busy_delay+0x30/0xd0 + [c00000007ffe7c50] [c00000000002bde4] rtas_get_sensor+0x74/0xe0 + [c00000007ffe7ce0] [c000000000083264] ras_epow_interrupt+0x44/0x450 + [c00000007ffe7d90] [c000000000120260] handle_irq_event_percpu+0xa0/0x300 + [c00000007ffe7e70] [c000000000120524] handle_irq_event+0x64/0xc0 + [c00000007ffe7eb0] [c000000000124dbc] handle_fasteoi_irq+0xec/0x260 + [c00000007ffe7ef0] [c00000000011f4f0] generic_handle_irq+0x50/0x80 + [c00000007ffe7f20] [c000000000010f3c] __do_irq+0x8c/0x200 + [c00000007ffe7f90] [c0000000000236cc] call_do_irq+0x14/0x24 + [c00000007e6f39e0] [c000000000011144] do_IRQ+0x94/0x110 + [c00000007e6f3a30] [c000000000002594] hardware_interrupt_common+0x114/0x180 + +Fix this issue by introducing a new rtas_get_sensor_fast() function +that does not use rtas_busy_delay() - and thus can only be used for +sensors that do not cause a BUSY condition - known as "fast" sensors. + +The EPOW sensor is defined to be "fast" in sPAPR - mpe. + +Fixes: 587f83e8dd50 ("powerpc/pseries: Use rtas_get_sensor in RAS code") +Signed-off-by: Thomas Huth +Reviewed-by: Nathan Fontenot +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/rtas.h | 1 + + arch/powerpc/kernel/rtas.c | 17 +++++++++++++++++ + arch/powerpc/platforms/pseries/ras.c | 3 ++- + 3 files changed, 20 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/rtas.h ++++ b/arch/powerpc/include/asm/rtas.h +@@ -255,6 +255,7 @@ extern void rtas_power_off(void); + extern void rtas_halt(void); + extern void rtas_os_term(char *str); + extern int rtas_get_sensor(int sensor, int index, int *state); ++extern int rtas_get_sensor_fast(int sensor, int index, int *state); + extern int rtas_get_power_level(int powerdomain, int *level); + extern int rtas_set_power_level(int powerdomain, int level, int *setlevel); + extern bool rtas_indicator_present(int token, int *maxindex); +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -584,6 +584,23 @@ int rtas_get_sensor(int sensor, int inde + } + EXPORT_SYMBOL(rtas_get_sensor); + ++int rtas_get_sensor_fast(int sensor, int index, int *state) ++{ ++ int token = rtas_token("get-sensor-state"); ++ int rc; ++ ++ if (token == RTAS_UNKNOWN_SERVICE) ++ return -ENOENT; ++ ++ rc = rtas_call(token, 2, 2, state, sensor, index); ++ WARN_ON(rc == RTAS_BUSY || (rc >= RTAS_EXTENDED_DELAY_MIN && ++ rc <= RTAS_EXTENDED_DELAY_MAX)); ++ ++ if (rc < 0) ++ return rtas_error_rc(rc); ++ return rc; ++} ++ + bool rtas_indicator_present(int token, int *maxindex) + { + int proplen, count, i; +--- a/arch/powerpc/platforms/pseries/ras.c ++++ b/arch/powerpc/platforms/pseries/ras.c +@@ -187,7 +187,8 @@ static irqreturn_t ras_epow_interrupt(in + int state; + int critical; + +- status = rtas_get_sensor(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, &state); ++ status = rtas_get_sensor_fast(EPOW_SENSOR_TOKEN, EPOW_SENSOR_INDEX, ++ &state); + + if (state > 3) + critical = 1; /* Time Critical */ diff --git a/queue-3.14/series b/queue-3.14/series index 38c943d0624..a738d4aa9ba 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -12,3 +12,8 @@ input-synaptics-fix-handling-of-disabling-gesture-mode.patch input-evdev-do-not-report-errors-form-flush.patch alsa-hda-enable-headphone-jack-detect-on-old-fujitsu-laptops.patch alsa-hda-use-alc880_fixup_fujitsu-for-fsc-amilo-m1437.patch +powerpc-mm-fix-pte_pagesize_index-crash-on-4k-w-64k-hash.patch +powerpc-rtas-introduce-rtas_get_sensor_fast-for-irq-handlers.patch +powerpc-mm-recompute-hash-value-after-a-failed-update.patch +cifs-fix-type-confusion-in-copy-offload-ioctl.patch +add-radeon-suspend-resume-quirk-for-hp-compaq-dc5750.patch