From: Greg Kroah-Hartman Date: Thu, 22 Sep 2016 15:42:44 +0000 (+0200) Subject: 4.7-stable patches X-Git-Tag: v4.4.22~10 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=266f5c34656225b848238e38fc1a7aad6840e82b;p=thirdparty%2Fkernel%2Fstable-queue.git 4.7-stable patches added patches: alpha-fix-copy_from_user.patch arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch asm-generic-make-copy_from_user-zero-the-destination-properly.patch asm-generic-make-get_user-clear-the-destination-on-errors.patch avr32-fix-copy_from_user.patch blackfin-fix-copy_from_user.patch cris-buggered-copy_from_user-copy_to_user-clear_user.patch drm-atmel-hlcdc-fix-vertical-scaling.patch drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch fix-iov_iter_fault_in_readable.patch fix-minor-infoleak-in-get_user_ex.patch frv-fix-clear_user.patch genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch hexagon-fix-strncpy_from_user-error-return.patch irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch m32r-fix-__get_user.patch metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch microblaze-fix-__get_user.patch microblaze-fix-copy_from_user.patch mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch mmc-sdhci-st-handle-interconnect-clock.patch mn10300-copy_from_user-should-zero-on-access_ok-failure.patch mn10300-failing-__get_user-and-get_user-should-zero.patch mpssd-fix-buffer-overflow-warning.patch nios2-copy_from_user-should-zero-the-tail-of-destination.patch nios2-fix-__get_user.patch openrisc-fix-copy_from_user.patch parisc-fix-copy_from_user.patch s390-get_user-should-zero-on-failure.patch score-fix-__get_user-get_user.patch score-fix-copy_from_user-and-friends.patch sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch sh-fix-copy_from_user.patch sh64-failing-__get_user-should-zero.patch svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch --- diff --git a/queue-4.7/alpha-fix-copy_from_user.patch b/queue-4.7/alpha-fix-copy_from_user.patch new file mode 100644 index 00000000000..4ee7f3bfdd0 --- /dev/null +++ b/queue-4.7/alpha-fix-copy_from_user.patch @@ -0,0 +1,61 @@ +From 2561d309dfd1555e781484af757ed0115035ddb3 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 16:02:32 -0400 +Subject: alpha: fix copy_from_user() + +From: Al Viro + +commit 2561d309dfd1555e781484af757ed0115035ddb3 upstream. + +it should clear the destination even when access_ok() fails. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/include/asm/uaccess.h | 19 ++++++++----------- + 1 file changed, 8 insertions(+), 11 deletions(-) + +--- a/arch/alpha/include/asm/uaccess.h ++++ b/arch/alpha/include/asm/uaccess.h +@@ -371,14 +371,6 @@ __copy_tofrom_user_nocheck(void *to, con + return __cu_len; + } + +-extern inline long +-__copy_tofrom_user(void *to, const void *from, long len, const void __user *validate) +-{ +- if (__access_ok((unsigned long)validate, len, get_fs())) +- len = __copy_tofrom_user_nocheck(to, from, len); +- return len; +-} +- + #define __copy_to_user(to, from, n) \ + ({ \ + __chk_user_ptr(to); \ +@@ -393,17 +385,22 @@ __copy_tofrom_user(void *to, const void + #define __copy_to_user_inatomic __copy_to_user + #define __copy_from_user_inatomic __copy_from_user + +- + extern inline long + copy_to_user(void __user *to, const void *from, long n) + { +- return __copy_tofrom_user((__force void *)to, from, n, to); ++ if (likely(__access_ok((unsigned long)to, n, get_fs()))) ++ n = __copy_tofrom_user_nocheck((__force void *)to, from, n); ++ return n; + } + + extern inline long + copy_from_user(void *to, const void __user *from, long n) + { +- return __copy_tofrom_user(to, (__force void *)from, n, from); ++ if (likely(__access_ok((unsigned long)from, n, get_fs()))) ++ n = __copy_tofrom_user_nocheck(to, (__force void *)from, n); ++ else ++ memset(to, 0, n); ++ return n; + } + + extern void __do_clear_user(void); diff --git a/queue-4.7/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch b/queue-4.7/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch new file mode 100644 index 00000000000..945663fe43a --- /dev/null +++ b/queue-4.7/arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch @@ -0,0 +1,69 @@ +From 05d9d0b96e53c52a113fd783c0c97c830c8dc7af Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Fri, 19 Aug 2016 12:10:02 -0700 +Subject: ARC: uaccess: get_user to zero out dest in cause of fault + +From: Vineet Gupta + +commit 05d9d0b96e53c52a113fd783c0c97c830c8dc7af upstream. + +Al reported potential issue with ARC get_user() as it wasn't clearing +out destination pointer in case of fault due to bad address etc. + +Verified using following + +| { +| u32 bogus1 = 0xdeadbeef; +| u64 bogus2 = 0xdead; +| int rc1, rc2; +| +| pr_info("Orig values %x %llx\n", bogus1, bogus2); +| rc1 = get_user(bogus1, (u32 __user *)0x40000000); +| rc2 = get_user(bogus2, (u64 __user *)0x50000000); +| pr_info("access %d %d, new values %x %llx\n", +| rc1, rc2, bogus1, bogus2); +| } + +| [ARCLinux]# insmod /mnt/kernel-module/qtn.ko +| Orig values deadbeef dead +| access -14 -14, new values 0 0 + +Reported-by: Al Viro +Cc: Linus Torvalds +Cc: linux-snps-arc@lists.infradead.org +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Vineet Gupta +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/uaccess.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/arc/include/asm/uaccess.h ++++ b/arch/arc/include/asm/uaccess.h +@@ -83,7 +83,10 @@ + "2: ;nop\n" \ + " .section .fixup, \"ax\"\n" \ + " .align 4\n" \ +- "3: mov %0, %3\n" \ ++ "3: # return -EFAULT\n" \ ++ " mov %0, %3\n" \ ++ " # zero out dst ptr\n" \ ++ " mov %1, 0\n" \ + " j 2b\n" \ + " .previous\n" \ + " .section __ex_table, \"a\"\n" \ +@@ -101,7 +104,11 @@ + "2: ;nop\n" \ + " .section .fixup, \"ax\"\n" \ + " .align 4\n" \ +- "3: mov %0, %3\n" \ ++ "3: # return -EFAULT\n" \ ++ " mov %0, %3\n" \ ++ " # zero out dst ptr\n" \ ++ " mov %1, 0\n" \ ++ " mov %R1, 0\n" \ + " j 2b\n" \ + " .previous\n" \ + " .section __ex_table, \"a\"\n" \ diff --git a/queue-4.7/asm-generic-make-copy_from_user-zero-the-destination-properly.patch b/queue-4.7/asm-generic-make-copy_from_user-zero-the-destination-properly.patch new file mode 100644 index 00000000000..fcef00ee61a --- /dev/null +++ b/queue-4.7/asm-generic-make-copy_from_user-zero-the-destination-properly.patch @@ -0,0 +1,42 @@ +From 2545e5da080b4839dd859e3b09343a884f6ab0e3 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 16:36:37 -0400 +Subject: asm-generic: make copy_from_user() zero the destination properly + +From: Al Viro + +commit 2545e5da080b4839dd859e3b09343a884f6ab0e3 upstream. + +... in all cases, including the failing access_ok() + +Note that some architectures using asm-generic/uaccess.h have +__copy_from_user() not zeroing the tail on failure halfway +through. This variant works either way. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/uaccess.h | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/include/asm-generic/uaccess.h ++++ b/include/asm-generic/uaccess.h +@@ -261,11 +261,13 @@ extern int __get_user_bad(void) __attrib + static inline long copy_from_user(void *to, + const void __user * from, unsigned long n) + { ++ unsigned long res = n; + might_fault(); +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_from_user(to, from, n); +- else +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline long copy_to_user(void __user *to, diff --git a/queue-4.7/asm-generic-make-get_user-clear-the-destination-on-errors.patch b/queue-4.7/asm-generic-make-get_user-clear-the-destination-on-errors.patch new file mode 100644 index 00000000000..cec6362e5a2 --- /dev/null +++ b/queue-4.7/asm-generic-make-get_user-clear-the-destination-on-errors.patch @@ -0,0 +1,42 @@ +From 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 17 Aug 2016 23:19:01 -0400 +Subject: asm-generic: make get_user() clear the destination on errors + +From: Al Viro + +commit 9ad18b75c2f6e4a78ce204e79f37781f8815c0fa upstream. + +both for access_ok() failures and for faults halfway through + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + include/asm-generic/uaccess.h | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/include/asm-generic/uaccess.h ++++ b/include/asm-generic/uaccess.h +@@ -230,14 +230,18 @@ extern int __put_user_bad(void) __attrib + might_fault(); \ + access_ok(VERIFY_READ, __p, sizeof(*ptr)) ? \ + __get_user((x), (__typeof__(*(ptr)) *)__p) : \ +- -EFAULT; \ ++ ((x) = (__typeof__(*(ptr)))0,-EFAULT); \ + }) + + #ifndef __get_user_fn + static inline int __get_user_fn(size_t size, const void __user *ptr, void *x) + { +- size = __copy_from_user(x, ptr, size); +- return size ? -EFAULT : size; ++ size_t n = __copy_from_user(x, ptr, size); ++ if (unlikely(n)) { ++ memset(x + (size - n), 0, n); ++ return -EFAULT; ++ } ++ return 0; + } + + #define __get_user_fn(sz, u, k) __get_user_fn(sz, u, k) diff --git a/queue-4.7/avr32-fix-copy_from_user.patch b/queue-4.7/avr32-fix-copy_from_user.patch new file mode 100644 index 00000000000..3570fb1670f --- /dev/null +++ b/queue-4.7/avr32-fix-copy_from_user.patch @@ -0,0 +1,76 @@ +From 8630c32275bac2de6ffb8aea9d9b11663e7ad28e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:28:23 -0400 +Subject: avr32: fix copy_from_user() + +From: Al Viro + +commit 8630c32275bac2de6ffb8aea9d9b11663e7ad28e upstream. + +really ugly, but apparently avr32 compilers turns access_ok() into +something so bad that they want it in assembler. Left that way, +zeroing added in inline wrapper. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/avr32/include/asm/uaccess.h | 11 ++++++++++- + arch/avr32/kernel/avr32_ksyms.c | 2 +- + arch/avr32/lib/copy_user.S | 4 ++-- + 3 files changed, 13 insertions(+), 4 deletions(-) + +--- a/arch/avr32/include/asm/uaccess.h ++++ b/arch/avr32/include/asm/uaccess.h +@@ -74,7 +74,7 @@ extern __kernel_size_t __copy_user(void + + extern __kernel_size_t copy_to_user(void __user *to, const void *from, + __kernel_size_t n); +-extern __kernel_size_t copy_from_user(void *to, const void __user *from, ++extern __kernel_size_t ___copy_from_user(void *to, const void __user *from, + __kernel_size_t n); + + static inline __kernel_size_t __copy_to_user(void __user *to, const void *from, +@@ -88,6 +88,15 @@ static inline __kernel_size_t __copy_fro + { + return __copy_user(to, (const void __force *)from, n); + } ++static inline __kernel_size_t copy_from_user(void *to, ++ const void __user *from, ++ __kernel_size_t n) ++{ ++ size_t res = ___copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; ++} + + #define __copy_to_user_inatomic __copy_to_user + #define __copy_from_user_inatomic __copy_from_user +--- a/arch/avr32/kernel/avr32_ksyms.c ++++ b/arch/avr32/kernel/avr32_ksyms.c +@@ -36,7 +36,7 @@ EXPORT_SYMBOL(copy_page); + /* + * Userspace access stuff. + */ +-EXPORT_SYMBOL(copy_from_user); ++EXPORT_SYMBOL(___copy_from_user); + EXPORT_SYMBOL(copy_to_user); + EXPORT_SYMBOL(__copy_user); + EXPORT_SYMBOL(strncpy_from_user); +--- a/arch/avr32/lib/copy_user.S ++++ b/arch/avr32/lib/copy_user.S +@@ -25,11 +25,11 @@ + .align 1 + .global copy_from_user + .type copy_from_user, @function +-copy_from_user: ++___copy_from_user: + branch_if_kernel r8, __copy_user + ret_if_privileged r8, r11, r10, r10 + rjmp __copy_user +- .size copy_from_user, . - copy_from_user ++ .size ___copy_from_user, . - ___copy_from_user + + .global copy_to_user + .type copy_to_user, @function diff --git a/queue-4.7/blackfin-fix-copy_from_user.patch b/queue-4.7/blackfin-fix-copy_from_user.patch new file mode 100644 index 00000000000..0978863677f --- /dev/null +++ b/queue-4.7/blackfin-fix-copy_from_user.patch @@ -0,0 +1,35 @@ +From 8f035983dd826d7e04f67b28acf8e2f08c347e41 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:16:58 -0400 +Subject: blackfin: fix copy_from_user() + +From: Al Viro + +commit 8f035983dd826d7e04f67b28acf8e2f08c347e41 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/blackfin/include/asm/uaccess.h | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/blackfin/include/asm/uaccess.h ++++ b/arch/blackfin/include/asm/uaccess.h +@@ -171,11 +171,12 @@ static inline int bad_user_access_length + static inline unsigned long __must_check + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- if (access_ok(VERIFY_READ, from, n)) ++ if (likely(access_ok(VERIFY_READ, from, n))) { + memcpy(to, (const void __force *)from, n); +- else +- return n; +- return 0; ++ return 0; ++ } ++ memset(to, 0, n); ++ return n; + } + + static inline unsigned long __must_check diff --git a/queue-4.7/cris-buggered-copy_from_user-copy_to_user-clear_user.patch b/queue-4.7/cris-buggered-copy_from_user-copy_to_user-clear_user.patch new file mode 100644 index 00000000000..fec55c197b5 --- /dev/null +++ b/queue-4.7/cris-buggered-copy_from_user-copy_to_user-clear_user.patch @@ -0,0 +1,131 @@ +From eb47e0293baaa3044022059f1fa9ff474bfe35cb Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 19:34:00 -0400 +Subject: cris: buggered copy_from_user/copy_to_user/clear_user + +From: Al Viro + +commit eb47e0293baaa3044022059f1fa9ff474bfe35cb upstream. + +* copy_from_user() on access_ok() failure ought to zero the destination +* none of those primitives should skip the access_ok() check in case of +small constant size. + +Acked-by: Jesper Nilsson +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/cris/include/asm/uaccess.h | 75 ++++++++++++++++++---------------------- + 1 file changed, 34 insertions(+), 41 deletions(-) + +--- a/arch/cris/include/asm/uaccess.h ++++ b/arch/cris/include/asm/uaccess.h +@@ -194,30 +194,6 @@ extern unsigned long __copy_user(void __ + extern unsigned long __copy_user_zeroing(void *to, const void __user *from, unsigned long n); + extern unsigned long __do_clear_user(void __user *to, unsigned long n); + +-static inline unsigned long +-__generic_copy_to_user(void __user *to, const void *from, unsigned long n) +-{ +- if (access_ok(VERIFY_WRITE, to, n)) +- return __copy_user(to, from, n); +- return n; +-} +- +-static inline unsigned long +-__generic_copy_from_user(void *to, const void __user *from, unsigned long n) +-{ +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_user_zeroing(to, from, n); +- return n; +-} +- +-static inline unsigned long +-__generic_clear_user(void __user *to, unsigned long n) +-{ +- if (access_ok(VERIFY_WRITE, to, n)) +- return __do_clear_user(to, n); +- return n; +-} +- + static inline long + __strncpy_from_user(char *dst, const char __user *src, long count) + { +@@ -282,7 +258,7 @@ __constant_copy_from_user(void *to, cons + else if (n == 24) + __asm_copy_from_user_24(to, from, ret); + else +- ret = __generic_copy_from_user(to, from, n); ++ ret = __copy_user_zeroing(to, from, n); + + return ret; + } +@@ -333,7 +309,7 @@ __constant_copy_to_user(void __user *to, + else if (n == 24) + __asm_copy_to_user_24(to, from, ret); + else +- ret = __generic_copy_to_user(to, from, n); ++ ret = __copy_user(to, from, n); + + return ret; + } +@@ -366,26 +342,43 @@ __constant_clear_user(void __user *to, u + else if (n == 24) + __asm_clear_24(to, ret); + else +- ret = __generic_clear_user(to, n); ++ ret = __do_clear_user(to, n); + + return ret; + } + + +-#define clear_user(to, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_clear_user(to, n) : \ +- __generic_clear_user(to, n)) +- +-#define copy_from_user(to, from, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_copy_from_user(to, from, n) : \ +- __generic_copy_from_user(to, from, n)) +- +-#define copy_to_user(to, from, n) \ +- (__builtin_constant_p(n) ? \ +- __constant_copy_to_user(to, from, n) : \ +- __generic_copy_to_user(to, from, n)) ++static inline size_t clear_user(void __user *to, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n))) ++ return n; ++ if (__builtin_constant_p(n)) ++ return __constant_clear_user(to, n); ++ else ++ return __do_clear_user(to, n); ++} ++ ++static inline size_t copy_from_user(void *to, const void __user *from, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_READ, from, n))) { ++ memset(to, 0, n); ++ return n; ++ } ++ if (__builtin_constant_p(n)) ++ return __constant_copy_from_user(to, from, n); ++ else ++ return __copy_user_zeroing(to, from, n); ++} ++ ++static inline size_t copy_to_user(void __user *to, const void *from, size_t n) ++{ ++ if (unlikely(!access_ok(VERIFY_WRITE, to, n))) ++ return n; ++ if (__builtin_constant_p(n)) ++ return __constant_copy_to_user(to, from, n); ++ else ++ return __copy_user(to, from, n); ++} + + /* We let the __ versions of copy_from/to_user inline, because they're often + * used in fast paths and have only a small space overhead. diff --git a/queue-4.7/drm-atmel-hlcdc-fix-vertical-scaling.patch b/queue-4.7/drm-atmel-hlcdc-fix-vertical-scaling.patch new file mode 100644 index 00000000000..30cb6c19de7 --- /dev/null +++ b/queue-4.7/drm-atmel-hlcdc-fix-vertical-scaling.patch @@ -0,0 +1,51 @@ +From d31ed3f05763644840c654a384eaefa94c097ba2 Mon Sep 17 00:00:00 2001 +From: Jan Leupold +Date: Wed, 6 Jul 2016 13:22:35 +0200 +Subject: drm: atmel-hlcdc: Fix vertical scaling + +From: Jan Leupold + +commit d31ed3f05763644840c654a384eaefa94c097ba2 upstream. + +The code is applying the same scaling for the X and Y components, +thus making the scaling feature only functional when both components +have the same scaling factor. + +Do the s/_w/_h/ replacement where appropriate to fix vertical scaling. + +Signed-off-by: Jan Leupold +Fixes: 1a396789f65a2 ("drm: add Atmel HLCDC Display Controller support") +Signed-off-by: Boris Brezillon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c ++++ b/drivers/gpu/drm/atmel-hlcdc/atmel_hlcdc_plane.c +@@ -320,19 +320,19 @@ atmel_hlcdc_plane_update_pos_and_size(st + u32 *coeff_tab = heo_upscaling_ycoef; + u32 max_memsize; + +- if (state->crtc_w < state->src_w) ++ if (state->crtc_h < state->src_h) + coeff_tab = heo_downscaling_ycoef; + for (i = 0; i < ARRAY_SIZE(heo_upscaling_ycoef); i++) + atmel_hlcdc_layer_update_cfg(&plane->layer, + 33 + i, + 0xffffffff, + coeff_tab[i]); +- factor = ((8 * 256 * state->src_w) - (256 * 4)) / +- state->crtc_w; ++ factor = ((8 * 256 * state->src_h) - (256 * 4)) / ++ state->crtc_h; + factor++; +- max_memsize = ((factor * state->crtc_w) + (256 * 4)) / ++ max_memsize = ((factor * state->crtc_h) + (256 * 4)) / + 2048; +- if (max_memsize > state->src_w) ++ if (max_memsize > state->src_h) + factor--; + factor_reg |= (factor << 16) | 0x80000000; + } diff --git a/queue-4.7/drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch b/queue-4.7/drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch new file mode 100644 index 00000000000..3b82b43003a --- /dev/null +++ b/queue-4.7/drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch @@ -0,0 +1,123 @@ +From ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Tue, 13 Sep 2016 12:22:19 +0300 +Subject: drm/i915: Ignore OpRegion panel type except on select machines +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ville Syrjälä + +commit ea54ff4008892b46c7a3e6bc8ab8aaec9d198639 upstream. + +Turns out +commit a05628195a0d ("drm/i915: Get panel_type from OpRegion panel +details") has regressed quite a few machines. So it looks like we +can't use the panel type from OpRegion on all systems, and yet we +absolutely must use it on some specific systems. + +Despite trying, I was unable to find any automagic way to determine +if the OpRegion panel type is respectable or not. The only glimmer +of hope I had was bit 8 in the SCIC response, but that turned out to +not work either (it was always 0 on both types of systems). + +So, to fix the regressions without breaking the machine we know to need +the OpRegion panel type, let's just add a quirk for this. Only specific +machines known to require the OpRegion panel type will therefore use +it. Everyone else will fall bck to the VBT panel type. + +The only known machine so far is a "Conrac GmbH IX45GM2". The PCI +subsystem ID on this machine is just a generic 8086:2a42, so of no use. +Instead we'll go with a DMI match. + +I suspect we can now also revert +commit aeddda06c1a7 ("drm/i915: Ignore panel type from OpRegion on SKL") +but let's leave that to a separate patch. + +v2: Do the DMI match in the opregion code directly, as dev_priv->quirks + gets populated too late + +Cc: Rob Kramer +Cc: Martin van Es +Cc: Andrea Arcangeli +Cc: Dave Airlie +Cc: Marco Krüger +Cc: Sean Greenslade +Cc: Trudy Tective +Cc: Robin Müller +Cc: Alexander Kobel +Cc: Alexey Shumitsky +Cc: Emil Andersen Lauridsen +Cc: oceans112@gmail.com +Cc: James Hogan +Cc: James Bottomley +References: https://lists.freedesktop.org/archives/intel-gfx/2016-August/105545.html +References: https://lists.freedesktop.org/archives/dri-devel/2016-August/116888.html +References: https://lists.freedesktop.org/archives/intel-gfx/2016-June/098826.html +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=94825 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97060 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97443 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=97363 +Fixes: a05628195a0d ("drm/i915: Get panel_type from OpRegion panel details") +Tested-by: Marco Krüger +Tested-by: Alexey Shumitsky +Tested-by: Sean Greenslade +Tested-by: Emil Andersen Lauridsen +Tested-by: Robin Müller +Tested-by: oceans112@gmail.com +Tested-by: Rob Kramer +Signed-off-by: Ville Syrjälä +Link: http://patchwork.freedesktop.org/patch/msgid/1473758539-21565-1-git-send-email-ville.syrjala@linux.intel.com +References: http://patchwork.freedesktop.org/patch/msgid/1473602239-15855-1-git-send-email-adrienverge@gmail.com +Acked-by: Jani Nikula +(cherry picked from commit c8ebfad7a063fe665417fa0eeb0da7cfe987d8ed) +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_opregion.c | 27 +++++++++++++++++++++++++++ + 1 file changed, 27 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_opregion.c ++++ b/drivers/gpu/drm/i915/intel_opregion.c +@@ -1013,6 +1013,23 @@ err_out: + return err; + } + ++static int intel_use_opregion_panel_type_callback(const struct dmi_system_id *id) ++{ ++ DRM_INFO("Using panel type from OpRegion on %s\n", id->ident); ++ return 1; ++} ++ ++static const struct dmi_system_id intel_use_opregion_panel_type[] = { ++ { ++ .callback = intel_use_opregion_panel_type_callback, ++ .ident = "Conrac GmbH IX45GM2", ++ .matches = {DMI_MATCH(DMI_SYS_VENDOR, "Conrac GmbH"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "IX45GM2"), ++ }, ++ }, ++ { } ++}; ++ + int + intel_opregion_get_panel_type(struct drm_device *dev) + { +@@ -1038,6 +1055,16 @@ intel_opregion_get_panel_type(struct drm + return -ENODEV; + } + ++ /* ++ * So far we know that some machined must use it, others must not use it. ++ * There doesn't seem to be any way to determine which way to go, except ++ * via a quirk list :( ++ */ ++ if (!dmi_check_system(intel_use_opregion_panel_type)) { ++ DRM_DEBUG_KMS("Ignoring OpRegion panel type (%d)\n", ret - 1); ++ return -ENODEV; ++ } ++ + /* + * FIXME On Dell XPS 13 9350 the OpRegion panel type (0) gives us + * low vswing for eDP, whereas the VBT panel type (2) gives us normal diff --git a/queue-4.7/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch b/queue-4.7/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch new file mode 100644 index 00000000000..7a6e466cf8a --- /dev/null +++ b/queue-4.7/drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch @@ -0,0 +1,59 @@ +From 47a66e45d7a7613322549c2475ea9d809baaf514 Mon Sep 17 00:00:00 2001 +From: "Kristian H. Kristensen" +Date: Tue, 13 Sep 2016 14:20:45 -0700 +Subject: drm: Only use compat ioctl for addfb2 on X86/IA64 + +From: Kristian H. Kristensen + +commit 47a66e45d7a7613322549c2475ea9d809baaf514 upstream. + +Similar to struct drm_update_draw, struct drm_mode_fb_cmd2 has an +unaligned 64 bit field (modifier). This get packed differently between +32 bit and 64 bit modes on architectures that can handle unaligned 64 +bit access (X86 and IA64). Other architectures pack the structs the +same and don't need the compat wrapper. Use the same condition for +drm_mode_fb_cmd2 as we use for drm_update_draw. + +Note that only the modifier will be packed differently between compat +and non-compat versions. + +Reviewed-by: Rob Clark +Signed-off-by: Kristian H. Kristensen +[seanpaul added not at bottom of commit msg re: modifier] +Signed-off-by: Sean Paul +Link: http://patchwork.freedesktop.org/patch/msgid/1473801645-116011-1-git-send-email-hoegsberg@chromium.org +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_ioc32.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/gpu/drm/drm_ioc32.c ++++ b/drivers/gpu/drm/drm_ioc32.c +@@ -1015,6 +1015,7 @@ static int compat_drm_wait_vblank(struct + return 0; + } + ++#if defined(CONFIG_X86) || defined(CONFIG_IA64) + typedef struct drm_mode_fb_cmd232 { + u32 fb_id; + u32 width; +@@ -1071,6 +1072,7 @@ static int compat_drm_mode_addfb2(struct + + return 0; + } ++#endif + + static drm_ioctl_compat_t *drm_compat_ioctls[] = { + [DRM_IOCTL_NR(DRM_IOCTL_VERSION32)] = compat_drm_version, +@@ -1104,7 +1106,9 @@ static drm_ioctl_compat_t *drm_compat_io + [DRM_IOCTL_NR(DRM_IOCTL_UPDATE_DRAW32)] = compat_drm_update_draw, + #endif + [DRM_IOCTL_NR(DRM_IOCTL_WAIT_VBLANK32)] = compat_drm_wait_vblank, ++#if defined(CONFIG_X86) || defined(CONFIG_IA64) + [DRM_IOCTL_NR(DRM_IOCTL_MODE_ADDFB232)] = compat_drm_mode_addfb2, ++#endif + }; + + /** diff --git a/queue-4.7/fix-iov_iter_fault_in_readable.patch b/queue-4.7/fix-iov_iter_fault_in_readable.patch new file mode 100644 index 00000000000..daddc8adb77 --- /dev/null +++ b/queue-4.7/fix-iov_iter_fault_in_readable.patch @@ -0,0 +1,77 @@ +From d4690f1e1cdabb4d61207b6787b1605a0dc0aeab Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 16 Sep 2016 00:11:45 +0100 +Subject: fix iov_iter_fault_in_readable() + +From: Al Viro + +commit d4690f1e1cdabb4d61207b6787b1605a0dc0aeab upstream. + +... by turning it into what used to be multipages counterpart + +Signed-off-by: Al Viro +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/uio.h | 2 +- + lib/iov_iter.c | 24 ++---------------------- + 2 files changed, 3 insertions(+), 23 deletions(-) + +--- a/include/linux/uio.h ++++ b/include/linux/uio.h +@@ -76,7 +76,7 @@ size_t iov_iter_copy_from_user_atomic(st + struct iov_iter *i, unsigned long offset, size_t bytes); + void iov_iter_advance(struct iov_iter *i, size_t bytes); + int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes); +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes); ++#define iov_iter_fault_in_multipages_readable iov_iter_fault_in_readable + size_t iov_iter_single_seg_count(const struct iov_iter *i); + size_t copy_page_to_iter(struct page *page, size_t offset, size_t bytes, + struct iov_iter *i); +--- a/lib/iov_iter.c ++++ b/lib/iov_iter.c +@@ -302,33 +302,13 @@ done: + } + + /* +- * Fault in the first iovec of the given iov_iter, to a maximum length +- * of bytes. Returns 0 on success, or non-zero if the memory could not be +- * accessed (ie. because it is an invalid address). +- * +- * writev-intensive code may want this to prefault several iovecs -- that +- * would be possible (callers must not rely on the fact that _only_ the +- * first iovec will be faulted with the current implementation). +- */ +-int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes) +-{ +- if (!(i->type & (ITER_BVEC|ITER_KVEC))) { +- char __user *buf = i->iov->iov_base + i->iov_offset; +- bytes = min(bytes, i->iov->iov_len - i->iov_offset); +- return fault_in_pages_readable(buf, bytes); +- } +- return 0; +-} +-EXPORT_SYMBOL(iov_iter_fault_in_readable); +- +-/* + * Fault in one or more iovecs of the given iov_iter, to a maximum length of + * bytes. For each iovec, fault in each page that constitutes the iovec. + * + * Return 0 on success, or non-zero if the memory could not be accessed (i.e. + * because it is an invalid address). + */ +-int iov_iter_fault_in_multipages_readable(struct iov_iter *i, size_t bytes) ++int iov_iter_fault_in_readable(struct iov_iter *i, size_t bytes) + { + size_t skip = i->iov_offset; + const struct iovec *iov; +@@ -345,7 +325,7 @@ int iov_iter_fault_in_multipages_readabl + } + return 0; + } +-EXPORT_SYMBOL(iov_iter_fault_in_multipages_readable); ++EXPORT_SYMBOL(iov_iter_fault_in_readable); + + void iov_iter_init(struct iov_iter *i, int direction, + const struct iovec *iov, unsigned long nr_segs, diff --git a/queue-4.7/fix-minor-infoleak-in-get_user_ex.patch b/queue-4.7/fix-minor-infoleak-in-get_user_ex.patch new file mode 100644 index 00000000000..b009b0a0299 --- /dev/null +++ b/queue-4.7/fix-minor-infoleak-in-get_user_ex.patch @@ -0,0 +1,38 @@ +From 1c109fabbd51863475cd12ac206bdd249aee35af Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 15 Sep 2016 02:35:29 +0100 +Subject: fix minor infoleak in get_user_ex() + +From: Al Viro + +commit 1c109fabbd51863475cd12ac206bdd249aee35af upstream. + +get_user_ex(x, ptr) should zero x on failure. It's not a lot of a leak +(at most we are leaking uninitialized 64bit value off the kernel stack, +and in a fairly constrained situation, at that), but the fix is trivial, +so... + +Signed-off-by: Al Viro +[ This sat in different branch from the uaccess fixes since mid-August ] +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uaccess.h | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/uaccess.h ++++ b/arch/x86/include/asm/uaccess.h +@@ -414,7 +414,11 @@ do { \ + #define __get_user_asm_ex(x, addr, itype, rtype, ltype) \ + asm volatile("1: mov"itype" %1,%"rtype"0\n" \ + "2:\n" \ +- _ASM_EXTABLE_EX(1b, 2b) \ ++ ".section .fixup,\"ax\"\n" \ ++ "3:xor"itype" %"rtype"0,%"rtype"0\n" \ ++ " jmp 2b\n" \ ++ ".previous\n" \ ++ _ASM_EXTABLE_EX(1b, 3b) \ + : ltype(x) : "m" (__m(addr))) + + #define __put_user_nocheck(x, ptr, size) \ diff --git a/queue-4.7/frv-fix-clear_user.patch b/queue-4.7/frv-fix-clear_user.patch new file mode 100644 index 00000000000..af0736778fc --- /dev/null +++ b/queue-4.7/frv-fix-clear_user.patch @@ -0,0 +1,50 @@ +From 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 20:54:02 -0400 +Subject: frv: fix clear_user() + +From: Al Viro + +commit 3b8767a8f00cc6538ba6b1cf0f88502e2fd2eb90 upstream. + +It should check access_ok(). Otherwise a bunch of places turn into +trivially exploitable rootholes. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/frv/include/asm/uaccess.h | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/arch/frv/include/asm/uaccess.h ++++ b/arch/frv/include/asm/uaccess.h +@@ -263,19 +263,25 @@ do { \ + extern long __memset_user(void *dst, unsigned long count); + extern long __memcpy_user(void *dst, const void *src, unsigned long count); + +-#define clear_user(dst,count) __memset_user(____force(dst), (count)) ++#define __clear_user(dst,count) __memset_user(____force(dst), (count)) + #define __copy_from_user_inatomic(to, from, n) __memcpy_user((to), ____force(from), (n)) + #define __copy_to_user_inatomic(to, from, n) __memcpy_user(____force(to), (from), (n)) + + #else + +-#define clear_user(dst,count) (memset(____force(dst), 0, (count)), 0) ++#define __clear_user(dst,count) (memset(____force(dst), 0, (count)), 0) + #define __copy_from_user_inatomic(to, from, n) (memcpy((to), ____force(from), (n)), 0) + #define __copy_to_user_inatomic(to, from, n) (memcpy(____force(to), (from), (n)), 0) + + #endif + +-#define __clear_user clear_user ++static inline unsigned long __must_check ++clear_user(void __user *to, unsigned long n) ++{ ++ if (likely(__access_ok(to, n))) ++ n = __clear_user(to, n); ++ return n; ++} + + static inline unsigned long __must_check + __copy_to_user(void __user *to, const void *from, unsigned long n) diff --git a/queue-4.7/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch b/queue-4.7/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch new file mode 100644 index 00000000000..5b5fc5173c2 --- /dev/null +++ b/queue-4.7/genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch @@ -0,0 +1,53 @@ +From ebf9ff753c041b296241990aef76163bbb2cc9c8 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 13 Sep 2016 15:58:28 +0200 +Subject: genirq: Provide irq_gc_{lock_irqsave,unlock_irqrestore}() helpers + +From: Boris Brezillon + +commit ebf9ff753c041b296241990aef76163bbb2cc9c8 upstream. + +Some irqchip drivers need to take the generic chip lock outside of the +irq context. + +Provide the irq_gc_{lock_irqsave,unlock_irqrestore}() helpers to allow +one to disable irqs while entering a critical section protected by +gc->lock. + +Note that we do not provide optimized version of these helpers for !SMP, +because they are not called from the hot-path. + +[ tglx: Added a comment when these helpers should be [not] used ] + +Signed-off-by: Boris Brezillon +Cc: Jason Cooper +Cc: Marc Zyngier +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Link: http://lkml.kernel.org/r/1473775109-4192-1-git-send-email-boris.brezillon@free-electrons.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/irq.h | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/include/linux/irq.h ++++ b/include/linux/irq.h +@@ -933,6 +933,16 @@ static inline void irq_gc_lock(struct ir + static inline void irq_gc_unlock(struct irq_chip_generic *gc) { } + #endif + ++/* ++ * The irqsave variants are for usage in non interrupt code. Do not use ++ * them in irq_chip callbacks. Use irq_gc_lock() instead. ++ */ ++#define irq_gc_lock_irqsave(gc, flags) \ ++ raw_spin_lock_irqsave(&(gc)->lock, flags) ++ ++#define irq_gc_unlock_irqrestore(gc, flags) \ ++ raw_spin_unlock_irqrestore(&(gc)->lock, flags) ++ + static inline void irq_reg_writel(struct irq_chip_generic *gc, + u32 val, int reg_offset) + { diff --git a/queue-4.7/hexagon-fix-strncpy_from_user-error-return.patch b/queue-4.7/hexagon-fix-strncpy_from_user-error-return.patch new file mode 100644 index 00000000000..35b033a9572 --- /dev/null +++ b/queue-4.7/hexagon-fix-strncpy_from_user-error-return.patch @@ -0,0 +1,32 @@ +From f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 21:16:49 -0400 +Subject: hexagon: fix strncpy_from_user() error return + +From: Al Viro + +commit f35c1e0671728d1c9abc405d05ef548b5fcb2fc4 upstream. + +It's -EFAULT, not -1 (and contrary to the comment in there, +__strnlen_user() can return 0 - on faults). + +Acked-by: Richard Kuo +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/hexagon/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/hexagon/include/asm/uaccess.h ++++ b/arch/hexagon/include/asm/uaccess.h +@@ -103,7 +103,8 @@ static inline long hexagon_strncpy_from_ + { + long res = __strnlen_user(src, n); + +- /* return from strnlen can't be zero -- that would be rubbish. */ ++ if (unlikely(!res)) ++ return -EFAULT; + + if (res > n) { + copy_from_user(dst, src, n); diff --git a/queue-4.7/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch b/queue-4.7/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch new file mode 100644 index 00000000000..1a6a5eb5204 --- /dev/null +++ b/queue-4.7/irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch @@ -0,0 +1,81 @@ +From 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 Mon Sep 17 00:00:00 2001 +From: Boris Brezillon +Date: Tue, 13 Sep 2016 15:58:29 +0200 +Subject: irqchip/atmel-aic: Fix potential deadlock in ->xlate() + +From: Boris Brezillon + +commit 5eb0d6eb3fac3daa60d9190eed9fa41cf809c756 upstream. + +aic5_irq_domain_xlate() and aic_irq_domain_xlate() take the generic chip +lock without disabling interrupts, which can lead to a deadlock if an +interrupt occurs while the lock is held in one of these functions. + +Replace irq_gc_{lock,unlock}() calls by +irq_gc_{lock_irqsave,unlock_irqrestore}() ones to prevent this bug from +happening. + +Fixes: b1479ebb7720 ("irqchip: atmel-aic: Add atmel AIC/AIC5 drivers") +Signed-off-by: Boris Brezillon +Acked-by: Marc Zyngier +Cc: Jason Cooper +Cc: Nicolas Ferre +Cc: Alexandre Belloni +Link: http://lkml.kernel.org/r/1473775109-4192-2-git-send-email-boris.brezillon@free-electrons.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-atmel-aic.c | 5 +++-- + drivers/irqchip/irq-atmel-aic5.c | 5 +++-- + 2 files changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/irqchip/irq-atmel-aic.c ++++ b/drivers/irqchip/irq-atmel-aic.c +@@ -176,6 +176,7 @@ static int aic_irq_domain_xlate(struct i + { + struct irq_domain_chip_generic *dgc = d->gc; + struct irq_chip_generic *gc; ++ unsigned long flags; + unsigned smr; + int idx; + int ret; +@@ -194,11 +195,11 @@ static int aic_irq_domain_xlate(struct i + + gc = dgc->gc[idx]; + +- irq_gc_lock(gc); ++ irq_gc_lock_irqsave(gc, flags); + smr = irq_reg_readl(gc, AT91_AIC_SMR(*out_hwirq)); + aic_common_set_priority(intspec[2], &smr); + irq_reg_writel(gc, smr, AT91_AIC_SMR(*out_hwirq)); +- irq_gc_unlock(gc); ++ irq_gc_unlock_irqrestore(gc, flags); + + return ret; + } +--- a/drivers/irqchip/irq-atmel-aic5.c ++++ b/drivers/irqchip/irq-atmel-aic5.c +@@ -258,6 +258,7 @@ static int aic5_irq_domain_xlate(struct + unsigned int *out_type) + { + struct irq_chip_generic *bgc = irq_get_domain_generic_chip(d, 0); ++ unsigned long flags; + unsigned smr; + int ret; + +@@ -269,12 +270,12 @@ static int aic5_irq_domain_xlate(struct + if (ret) + return ret; + +- irq_gc_lock(bgc); ++ irq_gc_lock_irqsave(bgc, flags); + irq_reg_writel(bgc, *out_hwirq, AT91_AIC5_SSR); + smr = irq_reg_readl(bgc, AT91_AIC5_SMR); + aic_common_set_priority(intspec[2], &smr); + irq_reg_writel(bgc, smr, AT91_AIC5_SMR); +- irq_gc_unlock(bgc); ++ irq_gc_unlock_irqrestore(bgc, flags); + + return ret; + } diff --git a/queue-4.7/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch b/queue-4.7/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch new file mode 100644 index 00000000000..b8063c16ea6 --- /dev/null +++ b/queue-4.7/kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch @@ -0,0 +1,71 @@ +From 236dec051078a8691950f56949612b4b74107e48 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 1 Sep 2016 16:14:47 -0700 +Subject: kconfig: tinyconfig: provide whole choice blocks to avoid warnings + +From: Arnd Bergmann + +commit 236dec051078a8691950f56949612b4b74107e48 upstream. + +Using "make tinyconfig" produces a couple of annoying warnings that show +up for build test machines all the time: + + .config:966:warning: override: NOHIGHMEM changes choice state + .config:965:warning: override: SLOB changes choice state + .config:963:warning: override: KERNEL_XZ changes choice state + .config:962:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + .config:933:warning: override: SLOB changes choice state + .config:930:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + .config:870:warning: override: SLOB changes choice state + .config:868:warning: override: KERNEL_XZ changes choice state + .config:867:warning: override: CC_OPTIMIZE_FOR_SIZE changes choice state + +I've made a previous attempt at fixing them and we discussed a number of +alternatives. + +I tried changing the Makefile to use "merge_config.sh -n +$(fragment-list)" but couldn't get that to work properly. + +This is yet another approach, based on the observation that we do want +to see a warning for conflicting 'choice' options, and that we can +simply make them non-conflicting by listing all other options as +disabled. This is a trivial patch that we can apply independent of +plans for other changes. + +Link: http://lkml.kernel.org/r/20160829214952.1334674-2-arnd@arndb.de +Link: https://storage.kernelci.org/mainline/v4.7-rc6/x86-tinyconfig/build.log +https://patchwork.kernel.org/patch/9212749/ +Signed-off-by: Arnd Bergmann +Reviewed-by: Josh Triplett +Reviewed-by: Masahiro Yamada +Acked-by: Ingo Molnar +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/configs/tiny.config | 2 ++ + kernel/configs/tiny.config | 8 ++++++++ + 2 files changed, 10 insertions(+) + +--- a/arch/x86/configs/tiny.config ++++ b/arch/x86/configs/tiny.config +@@ -1 +1,3 @@ + CONFIG_NOHIGHMEM=y ++# CONFIG_HIGHMEM4G is not set ++# CONFIG_HIGHMEM64G is not set +--- a/kernel/configs/tiny.config ++++ b/kernel/configs/tiny.config +@@ -1,4 +1,12 @@ ++# CONFIG_CC_OPTIMIZE_FOR_PERFORMANCE is not set + CONFIG_CC_OPTIMIZE_FOR_SIZE=y ++# CONFIG_KERNEL_GZIP is not set ++# CONFIG_KERNEL_BZIP2 is not set ++# CONFIG_KERNEL_LZMA is not set + CONFIG_KERNEL_XZ=y ++# CONFIG_KERNEL_LZO is not set ++# CONFIG_KERNEL_LZ4 is not set + CONFIG_OPTIMIZE_INLINING=y ++# CONFIG_SLAB is not set ++# CONFIG_SLUB is not set + CONFIG_SLOB=y diff --git a/queue-4.7/m32r-fix-__get_user.patch b/queue-4.7/m32r-fix-__get_user.patch new file mode 100644 index 00000000000..0aaaa2d7895 --- /dev/null +++ b/queue-4.7/m32r-fix-__get_user.patch @@ -0,0 +1,27 @@ +From c90a3bc5061d57e7931a9b7ad14784e1a0ed497d Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:20:13 -0400 +Subject: m32r: fix __get_user() + +From: Al Viro + +commit c90a3bc5061d57e7931a9b7ad14784e1a0ed497d upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m32r/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/m32r/include/asm/uaccess.h ++++ b/arch/m32r/include/asm/uaccess.h +@@ -219,7 +219,7 @@ extern int fixup_exception(struct pt_reg + #define __get_user_nocheck(x, ptr, size) \ + ({ \ + long __gu_err = 0; \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + might_fault(); \ + __get_user_size(__gu_val, (ptr), (size), __gu_err); \ + (x) = (__force __typeof__(*(ptr)))__gu_val; \ diff --git a/queue-4.7/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch b/queue-4.7/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch new file mode 100644 index 00000000000..f0ba8e984f9 --- /dev/null +++ b/queue-4.7/metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch @@ -0,0 +1,30 @@ +From 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Thu, 18 Aug 2016 22:08:20 -0400 +Subject: metag: copy_from_user() should zero the destination on access_ok() failure + +From: Al Viro + +commit 8ae95ed4ae5fc7c3391ed668b2014c9e2079533b upstream. + +Acked-by: James Hogan +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/uaccess.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/metag/include/asm/uaccess.h ++++ b/arch/metag/include/asm/uaccess.h +@@ -204,8 +204,9 @@ extern unsigned long __must_check __copy + static inline unsigned long + copy_from_user(void *to, const void __user *from, unsigned long n) + { +- if (access_ok(VERIFY_READ, from, n)) ++ if (likely(access_ok(VERIFY_READ, from, n))) + return __copy_user_zeroing(to, from, n); ++ memset(to, 0, n); + return n; + } + diff --git a/queue-4.7/microblaze-fix-__get_user.patch b/queue-4.7/microblaze-fix-__get_user.patch new file mode 100644 index 00000000000..49bd3a91b11 --- /dev/null +++ b/queue-4.7/microblaze-fix-__get_user.patch @@ -0,0 +1,27 @@ +From e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:23:33 -0400 +Subject: microblaze: fix __get_user() + +From: Al Viro + +commit e98b9e37ae04562d52c96f46b3cf4c2e80222dc1 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/microblaze/include/asm/uaccess.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -227,7 +227,7 @@ extern long __user_bad(void); + + #define __get_user(x, ptr) \ + ({ \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + /*unsigned long __gu_ptr = (unsigned long)(ptr);*/ \ + long __gu_err; \ + switch (sizeof(*(ptr))) { \ diff --git a/queue-4.7/microblaze-fix-copy_from_user.patch b/queue-4.7/microblaze-fix-copy_from_user.patch new file mode 100644 index 00000000000..ca35ef4997e --- /dev/null +++ b/queue-4.7/microblaze-fix-copy_from_user.patch @@ -0,0 +1,35 @@ +From d0cf385160c12abd109746cad1f13e3b3e8b50b8 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 9 Sep 2016 19:22:34 -0400 +Subject: microblaze: fix copy_from_user() + +From: Al Viro + +commit d0cf385160c12abd109746cad1f13e3b3e8b50b8 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/microblaze/include/asm/uaccess.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/microblaze/include/asm/uaccess.h ++++ b/arch/microblaze/include/asm/uaccess.h +@@ -373,10 +373,13 @@ extern long __user_bad(void); + static inline long copy_from_user(void *to, + const void __user *from, unsigned long n) + { ++ unsigned long res = n; + might_fault(); +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_from_user(to, from, n); +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + #define __copy_to_user(to, from, n) \ diff --git a/queue-4.7/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch b/queue-4.7/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch new file mode 100644 index 00000000000..0aae213be41 --- /dev/null +++ b/queue-4.7/mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch @@ -0,0 +1,35 @@ +From e69d700535ac43a18032b3c399c69bf4639e89a2 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:18:53 -0400 +Subject: mips: copy_from_user() must zero the destination on access_ok() failure + +From: Al Viro + +commit e69d700535ac43a18032b3c399c69bf4639e89a2 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/uaccess.h | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/mips/include/asm/uaccess.h ++++ b/arch/mips/include/asm/uaccess.h +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -1170,6 +1171,8 @@ extern size_t __copy_in_user_eva(void *_ + __cu_len = __invoke_copy_from_user(__cu_to, \ + __cu_from, \ + __cu_len); \ ++ } else { \ ++ memset(__cu_to, 0, __cu_len); \ + } \ + } \ + __cu_len; \ diff --git a/queue-4.7/mmc-sdhci-st-handle-interconnect-clock.patch b/queue-4.7/mmc-sdhci-st-handle-interconnect-clock.patch new file mode 100644 index 00000000000..9627923c3de --- /dev/null +++ b/queue-4.7/mmc-sdhci-st-handle-interconnect-clock.patch @@ -0,0 +1,127 @@ +From 3ae50f4512ce831e8b63eb54ad969417ff30ada7 Mon Sep 17 00:00:00 2001 +From: Lee Jones +Date: Thu, 8 Sep 2016 11:11:36 +0200 +Subject: mmc: sdhci-st: Handle interconnect clock + +From: Lee Jones + +commit 3ae50f4512ce831e8b63eb54ad969417ff30ada7 upstream. + +Some ST platforms contain interconnect (ICN) clocks which must be handed +correctly in order to obtain full functionality of a given IP. In this +case, if the ICN clocks are not handled properly by the ST SDHCI driver +MMC will break and the following output can be observed: + + [ 13.916949] mmc0: Timeout waiting for hardware interrupt. + [ 13.922349] sdhci: =========== REGISTER DUMP (mmc0)=========== + [ 13.928175] sdhci: Sys addr: 0x00000000 | Version: 0x00001002 + [ 13.933999] sdhci: Blk size: 0x00007040 | Blk cnt: 0x00000001 + [ 13.939825] sdhci: Argument: 0x00fffff0 | Trn mode: 0x00000013 + [ 13.945650] sdhci: Present: 0x1fff0206 | Host ctl: 0x00000011 + [ 13.951475] sdhci: Power: 0x0000000f | Blk gap: 0x00000080 + [ 13.957300] sdhci: Wake-up: 0x00000000 | Clock: 0x00003f07 + [ 13.963126] sdhci: Timeout: 0x00000004 | Int stat: 0x00000000 + [ 13.968952] sdhci: Int enab: 0x02ff008b | Sig enab: 0x02ff008b + [ 13.974777] sdhci: AC12 err: 0x00000000 | Slot int: 0x00000000 + [ 13.980602] sdhci: Caps: 0x21ed3281 | Caps_1: 0x00000000 + [ 13.986428] sdhci: Cmd: 0x0000063a | Max curr: 0x00000000 + [ 13.992252] sdhci: Host ctl2: 0x00000000 + [ 13.996166] sdhci: ADMA Err: 0x00000000 | ADMA Ptr: 0x7c048200 + [ 14.001990] sdhci: =========================================== + [ 14.009802] mmc0: Got data interrupt 0x02000000 even though no data operation was in progress. + +A decent point was raised about minimising the use of a local variable that +we 'could' do without. I've chosen consistency over the possibility of +reducing the local variable count by 1. Thinking that it's more important +for the code to be grouped and authoured in a similar manner/style for +greater maintainability/readability. + +Tested-by: Peter Griffin +Signed-off-by: Lee Jones +Signed-off-by: Ulf Hansson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-st.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +--- a/drivers/mmc/host/sdhci-st.c ++++ b/drivers/mmc/host/sdhci-st.c +@@ -28,6 +28,7 @@ + + struct st_mmc_platform_data { + struct reset_control *rstc; ++ struct clk *icnclk; + void __iomem *top_ioaddr; + }; + +@@ -353,7 +354,7 @@ static int sdhci_st_probe(struct platfor + struct sdhci_host *host; + struct st_mmc_platform_data *pdata; + struct sdhci_pltfm_host *pltfm_host; +- struct clk *clk; ++ struct clk *clk, *icnclk; + int ret = 0; + u16 host_version; + struct resource *res; +@@ -365,6 +366,11 @@ static int sdhci_st_probe(struct platfor + return PTR_ERR(clk); + } + ++ /* ICN clock isn't compulsory, but use it if it's provided. */ ++ icnclk = devm_clk_get(&pdev->dev, "icn"); ++ if (IS_ERR(icnclk)) ++ icnclk = NULL; ++ + rstc = devm_reset_control_get(&pdev->dev, NULL); + if (IS_ERR(rstc)) + rstc = NULL; +@@ -389,6 +395,7 @@ static int sdhci_st_probe(struct platfor + } + + clk_prepare_enable(clk); ++ clk_prepare_enable(icnclk); + + /* Configure the FlashSS Top registers for setting eMMC TX/RX delay */ + res = platform_get_resource_byname(pdev, IORESOURCE_MEM, +@@ -400,6 +407,7 @@ static int sdhci_st_probe(struct platfor + } + + pltfm_host->clk = clk; ++ pdata->icnclk = icnclk; + + /* Configure the Arasan HC inside the flashSS */ + st_mmcss_cconfig(np, host); +@@ -422,6 +430,7 @@ static int sdhci_st_probe(struct platfor + return 0; + + err_out: ++ clk_disable_unprepare(icnclk); + clk_disable_unprepare(clk); + err_of: + sdhci_pltfm_free(pdev); +@@ -442,6 +451,8 @@ static int sdhci_st_remove(struct platfo + + ret = sdhci_pltfm_unregister(pdev); + ++ clk_disable_unprepare(pdata->icnclk); ++ + if (rstc) + reset_control_assert(rstc); + +@@ -462,6 +473,7 @@ static int sdhci_st_suspend(struct devic + if (pdata->rstc) + reset_control_assert(pdata->rstc); + ++ clk_disable_unprepare(pdata->icnclk); + clk_disable_unprepare(pltfm_host->clk); + out: + return ret; +@@ -475,6 +487,7 @@ static int sdhci_st_resume(struct device + struct device_node *np = dev->of_node; + + clk_prepare_enable(pltfm_host->clk); ++ clk_prepare_enable(pdata->icnclk); + + if (pdata->rstc) + reset_control_deassert(pdata->rstc); diff --git a/queue-4.7/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch b/queue-4.7/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch new file mode 100644 index 00000000000..41262a11cf5 --- /dev/null +++ b/queue-4.7/mn10300-copy_from_user-should-zero-on-access_ok-failure.patch @@ -0,0 +1,36 @@ +From ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:33:10 -0400 +Subject: mn10300: copy_from_user() should zero on access_ok() failure... + +From: Al Viro + +commit ae7cc577ec2a4a6151c9e928fd1f595d953ecef1 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mn10300/lib/usercopy.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/mn10300/lib/usercopy.c ++++ b/arch/mn10300/lib/usercopy.c +@@ -9,7 +9,7 @@ + * as published by the Free Software Foundation; either version + * 2 of the Licence, or (at your option) any later version. + */ +-#include ++#include + + unsigned long + __generic_copy_to_user(void *to, const void *from, unsigned long n) +@@ -24,6 +24,8 @@ __generic_copy_from_user(void *to, const + { + if (access_ok(VERIFY_READ, from, n)) + __copy_user_zeroing(to, from, n); ++ else ++ memset(to, 0, n); + return n; + } + diff --git a/queue-4.7/mn10300-failing-__get_user-and-get_user-should-zero.patch b/queue-4.7/mn10300-failing-__get_user-and-get_user-should-zero.patch new file mode 100644 index 00000000000..8550277ff13 --- /dev/null +++ b/queue-4.7/mn10300-failing-__get_user-and-get_user-should-zero.patch @@ -0,0 +1,26 @@ +From 43403eabf558d2800b429cd886e996fd555aa542 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:32:02 -0400 +Subject: mn10300: failing __get_user() and get_user() should zero + +From: Al Viro + +commit 43403eabf558d2800b429cd886e996fd555aa542 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mn10300/include/asm/uaccess.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mn10300/include/asm/uaccess.h ++++ b/arch/mn10300/include/asm/uaccess.h +@@ -166,6 +166,7 @@ struct __large_struct { unsigned long bu + "2:\n" \ + " .section .fixup,\"ax\"\n" \ + "3:\n\t" \ ++ " mov 0,%1\n" \ + " mov %3,%0\n" \ + " jmp 2b\n" \ + " .previous\n" \ diff --git a/queue-4.7/mpssd-fix-buffer-overflow-warning.patch b/queue-4.7/mpssd-fix-buffer-overflow-warning.patch new file mode 100644 index 00000000000..af992cb7eb8 --- /dev/null +++ b/queue-4.7/mpssd-fix-buffer-overflow-warning.patch @@ -0,0 +1,46 @@ +From 3610a2add39365a0f153154c60169a66c616d50f Mon Sep 17 00:00:00 2001 +From: Mike Danese +Date: Thu, 19 May 2016 21:54:51 -0700 +Subject: mpssd: fix buffer overflow warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Mike Danese + +commit 3610a2add39365a0f153154c60169a66c616d50f upstream. + +The compilation emits a warning in function ‘snprintf’, + inlined from ‘set_cmdline’ at + ../Documentation/mic/mpssd/mpssd.c:1541:9: +/usr/include/x86_64-linux-gnu/bits/stdio2.h:64:10: + warning: call to __builtin___snprintf_chk will always overflow + destination buffer + +This was introduced in commit f4a66c204482 ("misc: mic: Update MIC host +daemon with COSM changes") and is fixed by reverting the changes to the +size argument of these snprintf statements. + +Cc: Ashutosh Dixit +Signed-off-by: Mike Danese +Signed-off-by: Jonathan Corbet +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/mic/mpssd/mpssd.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/Documentation/mic/mpssd/mpssd.c ++++ b/Documentation/mic/mpssd/mpssd.c +@@ -1538,9 +1538,9 @@ set_cmdline(struct mic_info *mic) + + len = snprintf(buffer, PATH_MAX, + "clocksource=tsc highres=off nohz=off "); +- len += snprintf(buffer + len, PATH_MAX, ++ len += snprintf(buffer + len, PATH_MAX - len, + "cpufreq_on;corec6_off;pc3_off;pc6_off "); +- len += snprintf(buffer + len, PATH_MAX, ++ len += snprintf(buffer + len, PATH_MAX - len, + "ifcfg=static;address,172.31.%d.1;netmask,255.255.255.0", + mic->id + 1); + diff --git a/queue-4.7/nios2-copy_from_user-should-zero-the-tail-of-destination.patch b/queue-4.7/nios2-copy_from_user-should-zero-the-tail-of-destination.patch new file mode 100644 index 00000000000..5231fb3bbdb --- /dev/null +++ b/queue-4.7/nios2-copy_from_user-should-zero-the-tail-of-destination.patch @@ -0,0 +1,34 @@ +From e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:36:36 -0400 +Subject: nios2: copy_from_user() should zero the tail of destination + +From: Al Viro + +commit e33d1f6f72cc82fcfc3d1fb20c9e3ad83b1928fa upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/nios2/include/asm/uaccess.h | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/arch/nios2/include/asm/uaccess.h ++++ b/arch/nios2/include/asm/uaccess.h +@@ -102,9 +102,12 @@ extern long __copy_to_user(void __user * + static inline long copy_from_user(void *to, const void __user *from, + unsigned long n) + { +- if (!access_ok(VERIFY_READ, from, n)) +- return n; +- return __copy_from_user(to, from, n); ++ unsigned long res = n; ++ if (access_ok(VERIFY_READ, from, n)) ++ res = __copy_from_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline long copy_to_user(void __user *to, const void *from, diff --git a/queue-4.7/nios2-fix-__get_user.patch b/queue-4.7/nios2-fix-__get_user.patch new file mode 100644 index 00000000000..ffb4b9fd632 --- /dev/null +++ b/queue-4.7/nios2-fix-__get_user.patch @@ -0,0 +1,39 @@ +From 2e29f50ad5e23db37dde9be71410d95d50241ecd Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 16:39:01 -0400 +Subject: nios2: fix __get_user() + +From: Al Viro + +commit 2e29f50ad5e23db37dde9be71410d95d50241ecd upstream. + +a) should not leave crap on fault +b) should _not_ require access_ok() in any cases. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/nios2/include/asm/uaccess.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/nios2/include/asm/uaccess.h ++++ b/arch/nios2/include/asm/uaccess.h +@@ -139,7 +139,7 @@ extern long strnlen_user(const char __us + + #define __get_user_unknown(val, size, ptr, err) do { \ + err = 0; \ +- if (copy_from_user(&(val), ptr, size)) { \ ++ if (__copy_from_user(&(val), ptr, size)) { \ + err = -EFAULT; \ + } \ + } while (0) +@@ -166,7 +166,7 @@ do { \ + ({ \ + long __gu_err = -EFAULT; \ + const __typeof__(*(ptr)) __user *__gu_ptr = (ptr); \ +- unsigned long __gu_val; \ ++ unsigned long __gu_val = 0; \ + __get_user_common(__gu_val, sizeof(*(ptr)), __gu_ptr, __gu_err);\ + (x) = (__force __typeof__(x))__gu_val; \ + __gu_err; \ diff --git a/queue-4.7/openrisc-fix-copy_from_user.patch b/queue-4.7/openrisc-fix-copy_from_user.patch new file mode 100644 index 00000000000..af7021e874e --- /dev/null +++ b/queue-4.7/openrisc-fix-copy_from_user.patch @@ -0,0 +1,77 @@ +From acb2505d0119033a80c85ac8d02dccae41271667 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 17:05:21 -0400 +Subject: openrisc: fix copy_from_user() + +From: Al Viro + +commit acb2505d0119033a80c85ac8d02dccae41271667 upstream. + +... that should zero on faults. Also remove the helpful +logics wrt range truncation copied from ppc32. Where it had ever +been needed only in case of copy_from_user() *and* had not been merged +into the mainline until a month after the need had disappeared. +A decade before openrisc went into mainline, I might add... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/openrisc/include/asm/uaccess.h | 33 ++++++++++----------------------- + 1 file changed, 10 insertions(+), 23 deletions(-) + +--- a/arch/openrisc/include/asm/uaccess.h ++++ b/arch/openrisc/include/asm/uaccess.h +@@ -273,28 +273,20 @@ __copy_tofrom_user(void *to, const void + static inline unsigned long + copy_from_user(void *to, const void *from, unsigned long n) + { +- unsigned long over; ++ unsigned long res = n; + +- if (access_ok(VERIFY_READ, from, n)) +- return __copy_tofrom_user(to, from, n); +- if ((unsigned long)from < TASK_SIZE) { +- over = (unsigned long)from + n - TASK_SIZE; +- return __copy_tofrom_user(to, from, n - over) + over; +- } +- return n; ++ if (likely(access_ok(VERIFY_READ, from, n))) ++ n = __copy_tofrom_user(to, from, n); ++ if (unlikely(res)) ++ memset(to + (n - res), 0, res); ++ return res; + } + + static inline unsigned long + copy_to_user(void *to, const void *from, unsigned long n) + { +- unsigned long over; +- +- if (access_ok(VERIFY_WRITE, to, n)) +- return __copy_tofrom_user(to, from, n); +- if ((unsigned long)to < TASK_SIZE) { +- over = (unsigned long)to + n - TASK_SIZE; +- return __copy_tofrom_user(to, from, n - over) + over; +- } ++ if (likely(access_ok(VERIFY_WRITE, to, n))) ++ n = __copy_tofrom_user(to, from, n); + return n; + } + +@@ -303,13 +295,8 @@ extern unsigned long __clear_user(void * + static inline __must_check unsigned long + clear_user(void *addr, unsigned long size) + { +- +- if (access_ok(VERIFY_WRITE, addr, size)) +- return __clear_user(addr, size); +- if ((unsigned long)addr < TASK_SIZE) { +- unsigned long over = (unsigned long)addr + size - TASK_SIZE; +- return __clear_user(addr, size - over) + over; +- } ++ if (likely(access_ok(VERIFY_WRITE, addr, size))) ++ size = __clear_user(addr, size); + return size; + } + diff --git a/queue-4.7/parisc-fix-copy_from_user.patch b/queue-4.7/parisc-fix-copy_from_user.patch new file mode 100644 index 00000000000..0b52df6529b --- /dev/null +++ b/queue-4.7/parisc-fix-copy_from_user.patch @@ -0,0 +1,43 @@ +From aace880feea38875fbc919761b77e5732a3659ef Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sat, 20 Aug 2016 19:03:37 -0400 +Subject: parisc: fix copy_from_user() + +From: Al Viro + +commit aace880feea38875fbc919761b77e5732a3659ef upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/asm/uaccess.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/parisc/include/asm/uaccess.h ++++ b/arch/parisc/include/asm/uaccess.h +@@ -10,6 +10,7 @@ + #include + + #include ++#include + + #define VERIFY_READ 0 + #define VERIFY_WRITE 1 +@@ -221,13 +222,14 @@ static inline unsigned long __must_check + unsigned long n) + { + int sz = __compiletime_object_size(to); +- int ret = -EFAULT; ++ unsigned long ret = n; + + if (likely(sz == -1 || !__builtin_constant_p(n) || sz >= n)) + ret = __copy_from_user(to, from, n); + else + copy_from_user_overflow(); +- ++ if (unlikely(ret)) ++ memset(to + (n - ret), 0, ret); + return ret; + } + diff --git a/queue-4.7/s390-get_user-should-zero-on-failure.patch b/queue-4.7/s390-get_user-should-zero-on-failure.patch new file mode 100644 index 00000000000..2c2ec6c6614 --- /dev/null +++ b/queue-4.7/s390-get_user-should-zero-on-failure.patch @@ -0,0 +1,51 @@ +From fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:00:54 -0400 +Subject: s390: get_user() should zero on failure + +From: Al Viro + +commit fd2d2b191fe75825c4c7a6f12f3fef35aaed7dd7 upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/uaccess.h | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/s390/include/asm/uaccess.h ++++ b/arch/s390/include/asm/uaccess.h +@@ -209,28 +209,28 @@ int __put_user_bad(void) __attribute__(( + __chk_user_ptr(ptr); \ + switch (sizeof(*(ptr))) { \ + case 1: { \ +- unsigned char __x; \ ++ unsigned char __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 2: { \ +- unsigned short __x; \ ++ unsigned short __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 4: { \ +- unsigned int __x; \ ++ unsigned int __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ + break; \ + }; \ + case 8: { \ +- unsigned long long __x; \ ++ unsigned long long __x = 0; \ + __gu_err = __get_user_fn(&__x, ptr, \ + sizeof(*(ptr))); \ + (x) = *(__force __typeof__(*(ptr)) *) &__x; \ diff --git a/queue-4.7/score-fix-__get_user-get_user.patch b/queue-4.7/score-fix-__get_user-get_user.patch new file mode 100644 index 00000000000..3d9de166cdd --- /dev/null +++ b/queue-4.7/score-fix-__get_user-get_user.patch @@ -0,0 +1,47 @@ +From c2f18fa4cbb3ad92e033a24efa27583978ce9600 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:13:39 -0400 +Subject: score: fix __get_user/get_user + +From: Al Viro + +commit c2f18fa4cbb3ad92e033a24efa27583978ce9600 upstream. + +* should zero on any failure +* __get_user() should use __copy_from_user(), not copy_from_user() + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/score/include/asm/uaccess.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/score/include/asm/uaccess.h ++++ b/arch/score/include/asm/uaccess.h +@@ -163,7 +163,7 @@ do { \ + __get_user_asm(val, "lw", ptr); \ + break; \ + case 8: \ +- if ((copy_from_user((void *)&val, ptr, 8)) == 0) \ ++ if (__copy_from_user((void *)&val, ptr, 8) == 0) \ + __gu_err = 0; \ + else \ + __gu_err = -EFAULT; \ +@@ -188,6 +188,8 @@ do { \ + \ + if (likely(access_ok(VERIFY_READ, __gu_ptr, size))) \ + __get_user_common((x), size, __gu_ptr); \ ++ else \ ++ (x) = 0; \ + \ + __gu_err; \ + }) +@@ -201,6 +203,7 @@ do { \ + "2:\n" \ + ".section .fixup,\"ax\"\n" \ + "3:li %0, %4\n" \ ++ "li %1, 0\n" \ + "j 2b\n" \ + ".previous\n" \ + ".section __ex_table,\"a\"\n" \ diff --git a/queue-4.7/score-fix-copy_from_user-and-friends.patch b/queue-4.7/score-fix-copy_from_user-and-friends.patch new file mode 100644 index 00000000000..819f087e2d7 --- /dev/null +++ b/queue-4.7/score-fix-copy_from_user-and-friends.patch @@ -0,0 +1,92 @@ +From b615e3c74621e06cd97f86373ca90d43d6d998aa Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 22:30:44 -0400 +Subject: score: fix copy_from_user() and friends + +From: Al Viro + +commit b615e3c74621e06cd97f86373ca90d43d6d998aa upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/score/include/asm/uaccess.h | 41 +++++++++++++++++++-------------------- + 1 file changed, 20 insertions(+), 21 deletions(-) + +--- a/arch/score/include/asm/uaccess.h ++++ b/arch/score/include/asm/uaccess.h +@@ -301,35 +301,34 @@ extern int __copy_tofrom_user(void *to, + static inline unsigned long + copy_from_user(void *to, const void *from, unsigned long len) + { +- unsigned long over; ++ unsigned long res = len; + +- if (access_ok(VERIFY_READ, from, len)) +- return __copy_tofrom_user(to, from, len); ++ if (likely(access_ok(VERIFY_READ, from, len))) ++ res = __copy_tofrom_user(to, from, len); + +- if ((unsigned long)from < TASK_SIZE) { +- over = (unsigned long)from + len - TASK_SIZE; +- return __copy_tofrom_user(to, from, len - over) + over; +- } +- return len; ++ if (unlikely(res)) ++ memset(to + (len - res), 0, res); ++ ++ return res; + } + + static inline unsigned long + copy_to_user(void *to, const void *from, unsigned long len) + { +- unsigned long over; +- +- if (access_ok(VERIFY_WRITE, to, len)) +- return __copy_tofrom_user(to, from, len); ++ if (likely(access_ok(VERIFY_WRITE, to, len))) ++ len = __copy_tofrom_user(to, from, len); + +- if ((unsigned long)to < TASK_SIZE) { +- over = (unsigned long)to + len - TASK_SIZE; +- return __copy_tofrom_user(to, from, len - over) + over; +- } + return len; + } + +-#define __copy_from_user(to, from, len) \ +- __copy_tofrom_user((to), (from), (len)) ++static inline unsigned long ++__copy_from_user(void *to, const void *from, unsigned long len) ++{ ++ unsigned long left = __copy_tofrom_user(to, from, len); ++ if (unlikely(left)) ++ memset(to + (len - left), 0, left); ++ return left; ++} + + #define __copy_to_user(to, from, len) \ + __copy_tofrom_user((to), (from), (len)) +@@ -343,17 +342,17 @@ __copy_to_user_inatomic(void *to, const + static inline unsigned long + __copy_from_user_inatomic(void *to, const void *from, unsigned long len) + { +- return __copy_from_user(to, from, len); ++ return __copy_tofrom_user(to, from, len); + } + +-#define __copy_in_user(to, from, len) __copy_from_user(to, from, len) ++#define __copy_in_user(to, from, len) __copy_tofrom_user(to, from, len) + + static inline unsigned long + copy_in_user(void *to, const void *from, unsigned long len) + { + if (access_ok(VERIFY_READ, from, len) && + access_ok(VERFITY_WRITE, to, len)) +- return copy_from_user(to, from, len); ++ return __copy_tofrom_user(to, from, len); + } + + /* diff --git a/queue-4.7/series b/queue-4.7/series index bc0eadb9378..8a52ecfe165 100644 --- a/queue-4.7/series +++ b/queue-4.7/series @@ -139,3 +139,40 @@ efi-libstub-use-efi_exit_boot_services-in-fdt.patch x86-efi-use-efi_exit_boot_services.patch powerpc-32-fix-csum_partial_copy_generic.patch powerpc-32-fix-again-csum_partial_copy_generic.patch +mpssd-fix-buffer-overflow-warning.patch +kconfig-tinyconfig-provide-whole-choice-blocks-to-avoid-warnings.patch +drm-atmel-hlcdc-fix-vertical-scaling.patch +drm-i915-ignore-opregion-panel-type-except-on-select-machines.patch +drm-only-use-compat-ioctl-for-addfb2-on-x86-ia64.patch +svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch +mmc-sdhci-st-handle-interconnect-clock.patch +genirq-provide-irq_gc_-lock_irqsave-unlock_irqrestore-helpers.patch +irqchip-atmel-aic-fix-potential-deadlock-in-xlate.patch +fix-iov_iter_fault_in_readable.patch +microblaze-fix-__get_user.patch +avr32-fix-copy_from_user.patch +microblaze-fix-copy_from_user.patch +fix-minor-infoleak-in-get_user_ex.patch +mn10300-failing-__get_user-and-get_user-should-zero.patch +m32r-fix-__get_user.patch +sh64-failing-__get_user-should-zero.patch +nios2-fix-__get_user.patch +score-fix-__get_user-get_user.patch +s390-get_user-should-zero-on-failure.patch +arc-uaccess-get_user-to-zero-out-dest-in-cause-of-fault.patch +asm-generic-make-get_user-clear-the-destination-on-errors.patch +frv-fix-clear_user.patch +cris-buggered-copy_from_user-copy_to_user-clear_user.patch +blackfin-fix-copy_from_user.patch +score-fix-copy_from_user-and-friends.patch +sh-fix-copy_from_user.patch +sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch +hexagon-fix-strncpy_from_user-error-return.patch +mips-copy_from_user-must-zero-the-destination-on-access_ok-failure.patch +asm-generic-make-copy_from_user-zero-the-destination-properly.patch +alpha-fix-copy_from_user.patch +metag-copy_from_user-should-zero-the-destination-on-access_ok-failure.patch +parisc-fix-copy_from_user.patch +openrisc-fix-copy_from_user.patch +nios2-copy_from_user-should-zero-the-tail-of-destination.patch +mn10300-copy_from_user-should-zero-on-access_ok-failure.patch diff --git a/queue-4.7/sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch b/queue-4.7/sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch new file mode 100644 index 00000000000..091a0dd4113 --- /dev/null +++ b/queue-4.7/sh-cmpxchg-fix-a-bit-shift-bug-in-big_endian-os.patch @@ -0,0 +1,33 @@ +From ff18143ceed3424b7d6cdb8659b9692fa734f0d8 Mon Sep 17 00:00:00 2001 +From: Pan Xinhui +Date: Wed, 20 Apr 2016 14:41:00 +0800 +Subject: sh: cmpxchg: fix a bit shift bug in big_endian os + +From: Pan Xinhui + +commit ff18143ceed3424b7d6cdb8659b9692fa734f0d8 upstream. + +Correct bitoff in big endian OS. +Current code works correctly for 1 byte but not for 2 bytes. + +Fixes: 3226aad81aa6 ("sh: support 1 and 2 byte xchg") +Signed-off-by: Pan Xinhui +Acked-by: Michael S. Tsirkin +Signed-off-by: Rich Felker +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/cmpxchg-xchg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/include/asm/cmpxchg-xchg.h ++++ b/arch/sh/include/asm/cmpxchg-xchg.h +@@ -21,7 +21,7 @@ static inline u32 __xchg_cmpxchg(volatil + int off = (unsigned long)ptr % sizeof(u32); + volatile u32 *p = ptr - off; + #ifdef __BIG_ENDIAN +- int bitoff = (sizeof(u32) - 1 - off) * BITS_PER_BYTE; ++ int bitoff = (sizeof(u32) - size - off) * BITS_PER_BYTE; + #else + int bitoff = off * BITS_PER_BYTE; + #endif diff --git a/queue-4.7/sh-fix-copy_from_user.patch b/queue-4.7/sh-fix-copy_from_user.patch new file mode 100644 index 00000000000..cd8d5439e43 --- /dev/null +++ b/queue-4.7/sh-fix-copy_from_user.patch @@ -0,0 +1,30 @@ +From 6e050503a150b2126620c1a1e9b3a368fcd51eac Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 23:39:47 -0400 +Subject: sh: fix copy_from_user() + +From: Al Viro + +commit 6e050503a150b2126620c1a1e9b3a368fcd51eac upstream. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/uaccess.h | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/sh/include/asm/uaccess.h ++++ b/arch/sh/include/asm/uaccess.h +@@ -151,7 +151,10 @@ copy_from_user(void *to, const void __us + __kernel_size_t __copy_size = (__kernel_size_t) n; + + if (__copy_size && __access_ok(__copy_from, __copy_size)) +- return __copy_user(to, from, __copy_size); ++ __copy_size = __copy_user(to, from, __copy_size); ++ ++ if (unlikely(__copy_size)) ++ memset(to + (n - __copy_size), 0, __copy_size); + + return __copy_size; + } diff --git a/queue-4.7/sh64-failing-__get_user-should-zero.patch b/queue-4.7/sh64-failing-__get_user-should-zero.patch new file mode 100644 index 00000000000..9664f3c0d5b --- /dev/null +++ b/queue-4.7/sh64-failing-__get_user-should-zero.patch @@ -0,0 +1,30 @@ +From c6852389228df9fb3067f94f3b651de2a7921b36 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 21 Aug 2016 23:33:47 -0400 +Subject: sh64: failing __get_user() should zero + +From: Al Viro + +commit c6852389228df9fb3067f94f3b651de2a7921b36 upstream. + +It could be done in exception-handling bits in __get_user_b() et.al., +but the surgery involved would take more knowledge of sh64 details +than I have or _want_ to have. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/uaccess_64.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/sh/include/asm/uaccess_64.h ++++ b/arch/sh/include/asm/uaccess_64.h +@@ -24,6 +24,7 @@ + #define __get_user_size(x,ptr,size,retval) \ + do { \ + retval = 0; \ ++ x = 0; \ + switch (size) { \ + case 1: \ + retval = __get_user_asm_b((void *)&x, \ diff --git a/queue-4.7/svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch b/queue-4.7/svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch new file mode 100644 index 00000000000..0d8cd44ee5d --- /dev/null +++ b/queue-4.7/svcauth_gss-revert-64c59a3726f2-remove-unnecessary-allocation.patch @@ -0,0 +1,83 @@ +From bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Thu, 1 Sep 2016 10:50:38 -0400 +Subject: svcauth_gss: Revert 64c59a3726f2 ("Remove unnecessary allocation") + +From: Chuck Lever + +commit bf2c4b6f9b74c2ee1dd3c050b181e9b9c86fbcdb upstream. + +rsc_lookup steals the passed-in memory to avoid doing an allocation of +its own, so we can't just pass in a pointer to memory that someone else +is using. + +If we really want to avoid allocation there then maybe we should +preallocate somwhere, or reference count these handles. + +For now we should revert. + +On occasion I see this on my server: + +kernel: kernel BUG at /home/cel/src/linux/linux-2.6/mm/slub.c:3851! +kernel: invalid opcode: 0000 [#1] SMP +kernel: Modules linked in: cts rpcsec_gss_krb5 sb_edac edac_core x86_pkg_temp_thermal intel_powerclamp coretemp kvm_intel kvm irqbypass crct10dif_pclmul crc32_pclmul ghash_clmulni_intel aesni_intel lrw gf128mul glue_helper ablk_helper cryptd btrfs xor iTCO_wdt iTCO_vendor_support raid6_pq pcspkr i2c_i801 i2c_smbus lpc_ich mfd_core mei_me sg mei shpchp wmi ioatdma ipmi_si ipmi_msghandler acpi_pad acpi_power_meter rpcrdma ib_ipoib rdma_ucm ib_ucm ib_uverbs ib_umad rdma_cm ib_cm iw_cm nfsd nfs_acl lockd grace auth_rpcgss sunrpc ip_tables xfs libcrc32c mlx4_ib mlx4_en ib_core sr_mod cdrom sd_mod ast drm_kms_helper syscopyarea sysfillrect sysimgblt fb_sys_fops ttm drm crc32c_intel igb mlx4_core ahci libahci libata ptp pps_core dca i2c_algo_bit i2c_core dm_mirror dm_region_hash dm_log dm_mod +kernel: CPU: 7 PID: 145 Comm: kworker/7:2 Not tainted 4.8.0-rc4-00006-g9d06b0b #15 +kernel: Hardware name: Supermicro Super Server/X10SRL-F, BIOS 1.0c 09/09/2015 +kernel: Workqueue: events do_cache_clean [sunrpc] +kernel: task: ffff8808541d8000 task.stack: ffff880854344000 +kernel: RIP: 0010:[] [] kfree+0x155/0x180 +kernel: RSP: 0018:ffff880854347d70 EFLAGS: 00010246 +kernel: RAX: ffffea0020fe7660 RBX: ffff88083f9db064 RCX: 146ff0f9d5ec5600 +kernel: RDX: 000077ff80000000 RSI: ffff880853f01500 RDI: ffff88083f9db064 +kernel: RBP: ffff880854347d88 R08: ffff8808594ee000 R09: ffff88087fdd8780 +kernel: R10: 0000000000000000 R11: ffffea0020fe76c0 R12: ffff880853f01500 +kernel: R13: ffffffffa013cf76 R14: ffffffffa013cff0 R15: ffffffffa04253a0 +kernel: FS: 0000000000000000(0000) GS:ffff88087fdc0000(0000) knlGS:0000000000000000 +kernel: CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +kernel: CR2: 00007fed60b020c3 CR3: 0000000001c06000 CR4: 00000000001406e0 +kernel: Stack: +kernel: ffff8808589f2f00 ffff880853f01500 0000000000000001 ffff880854347da0 +kernel: ffffffffa013cf76 ffff8808589f2f00 ffff880854347db8 ffffffffa013d006 +kernel: ffff8808589f2f20 ffff880854347e00 ffffffffa0406f60 0000000057c7044f +kernel: Call Trace: +kernel: [] rsc_free+0x16/0x90 [auth_rpcgss] +kernel: [] rsc_put+0x16/0x30 [auth_rpcgss] +kernel: [] cache_clean+0x2e0/0x300 [sunrpc] +kernel: [] do_cache_clean+0xe/0x70 [sunrpc] +kernel: [] process_one_work+0x1ff/0x3b0 +kernel: [] worker_thread+0x2bc/0x4a0 +kernel: [] ? rescuer_thread+0x3a0/0x3a0 +kernel: [] kthread+0xe4/0xf0 +kernel: [] ret_from_fork+0x1f/0x40 +kernel: [] ? kthread_stop+0x110/0x110 +kernel: Code: f7 ff ff eb 3b 65 8b 05 da 30 e2 7e 89 c0 48 0f a3 05 a0 38 b8 00 0f 92 c0 84 c0 0f 85 d1 fe ff ff 0f 1f 44 00 00 e9 f5 fe ff ff <0f> 0b 49 8b 03 31 f6 f6 c4 40 0f 85 62 ff ff ff e9 61 ff ff ff +kernel: RIP [] kfree+0x155/0x180 +kernel: RSP +kernel: ---[ end trace 3fdec044969def26 ]--- + +It seems to be most common after a server reboot where a client has been +using a Kerberos mount, and reconnects to continue its workload. + +Signed-off-by: Chuck Lever +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/svcauth_gss.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -569,9 +569,10 @@ gss_svc_searchbyctx(struct cache_detail + struct rsc *found; + + memset(&rsci, 0, sizeof(rsci)); +- rsci.handle.data = handle->data; +- rsci.handle.len = handle->len; ++ if (dup_to_netobj(&rsci.handle, handle->data, handle->len)) ++ return NULL; + found = rsc_lookup(cd, &rsci); ++ rsc_free(&rsci); + if (!found) + return NULL; + if (cache_check(cd, &found->h, NULL))