From: Greg Kroah-Hartman Date: Sat, 5 Mar 2016 19:24:06 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.100~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2e42dcabc37a367261be9012cdff44a1f1520035;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: drm-ast-fix-incorrect-register-check-for-dram-width.patch libata-align-ata_device-s-id-on-a-cacheline.patch libata-fix-hdio_get_32bit-ioctl.patch x86-entry-compat-add-missing-clac-to-entry_int80_32.patch --- diff --git a/queue-3.10/drm-ast-fix-incorrect-register-check-for-dram-width.patch b/queue-3.10/drm-ast-fix-incorrect-register-check-for-dram-width.patch new file mode 100644 index 00000000000..aa6fc2f733d --- /dev/null +++ b/queue-3.10/drm-ast-fix-incorrect-register-check-for-dram-width.patch @@ -0,0 +1,34 @@ +From 2d02b8bdba322b527c5f5168ce1ca10c2d982a78 Mon Sep 17 00:00:00 2001 +From: Timothy Pearson +Date: Fri, 26 Feb 2016 15:29:32 -0600 +Subject: drm/ast: Fix incorrect register check for DRAM width + +From: Timothy Pearson + +commit 2d02b8bdba322b527c5f5168ce1ca10c2d982a78 upstream. + +During DRAM initialization on certain ASpeed devices, an incorrect +bit (bit 10) was checked in the "SDRAM Bus Width Status" register +to determine DRAM width. + +Query bit 6 instead in accordance with the Aspeed AST2050 datasheet v1.05. + +Signed-off-by: Timothy Pearson +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/ast/ast_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/ast/ast_main.c ++++ b/drivers/gpu/drm/ast/ast_main.c +@@ -124,7 +124,7 @@ static int ast_get_dram_info(struct drm_ + } while (ast_read32(ast, 0x10000) != 0x01); + data = ast_read32(ast, 0x10004); + +- if (data & 0x400) ++ if (data & 0x40) + ast->dram_bus_width = 16; + else + ast->dram_bus_width = 32; diff --git a/queue-3.10/libata-align-ata_device-s-id-on-a-cacheline.patch b/queue-3.10/libata-align-ata_device-s-id-on-a-cacheline.patch new file mode 100644 index 00000000000..1e5083a4b6e --- /dev/null +++ b/queue-3.10/libata-align-ata_device-s-id-on-a-cacheline.patch @@ -0,0 +1,39 @@ +From 4ee34ea3a12396f35b26d90a094c75db95080baa Mon Sep 17 00:00:00 2001 +From: Harvey Hunt +Date: Wed, 24 Feb 2016 15:16:43 +0000 +Subject: libata: Align ata_device's id on a cacheline + +From: Harvey Hunt + +commit 4ee34ea3a12396f35b26d90a094c75db95080baa upstream. + +The id buffer in ata_device is a DMA target, but it isn't explicitly +cacheline aligned. Due to this, adjacent fields can be overwritten with +stale data from memory on non coherent architectures. As a result, the +kernel is sometimes unable to communicate with an ATA device. + +Fix this by ensuring that the id buffer is cacheline aligned. + +This issue is similar to that fixed by Commit 84bda12af31f +("libata: align ap->sector_buf"). + +Signed-off-by: Harvey Hunt +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/libata.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -666,7 +666,7 @@ struct ata_device { + union { + u16 id[ATA_ID_WORDS]; /* IDENTIFY xxx DEVICE data */ + u32 gscr[SATA_PMP_GSCR_DWORDS]; /* PMP GSCR block */ +- }; ++ } ____cacheline_aligned; + + /* DEVSLP Timing Variables from Identify Device Data Log */ + u8 devslp_timing[ATA_LOG_DEVSLP_SIZE]; diff --git a/queue-3.10/libata-fix-hdio_get_32bit-ioctl.patch b/queue-3.10/libata-fix-hdio_get_32bit-ioctl.patch new file mode 100644 index 00000000000..b33a2e11bde --- /dev/null +++ b/queue-3.10/libata-fix-hdio_get_32bit-ioctl.patch @@ -0,0 +1,96 @@ +From 287e6611ab1eac76c2c5ebf6e345e04c80ca9c61 Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Thu, 11 Feb 2016 14:16:27 +0100 +Subject: libata: fix HDIO_GET_32BIT ioctl + +From: Arnd Bergmann + +commit 287e6611ab1eac76c2c5ebf6e345e04c80ca9c61 upstream. + +As reported by Soohoon Lee, the HDIO_GET_32BIT ioctl does not +work correctly in compat mode with libata. + +I have investigated the issue further and found multiple problems +that all appeared with the same commit that originally introduced +HDIO_GET_32BIT handling in libata back in linux-2.6.8 and presumably +also linux-2.4, as the code uses "copy_to_user(arg, &val, 1)" to copy +a 'long' variable containing either 0 or 1 to user space. + +The problems with this are: + +* On big-endian machines, this will always write a zero because it + stores the wrong byte into user space. + +* In compat mode, the upper three bytes of the variable are updated + by the compat_hdio_ioctl() function, but they now contain + uninitialized stack data. + +* The hdparm tool calling this ioctl uses a 'static long' variable + to store the result. This means at least the upper bytes are + initialized to zero, but calling another ioctl like HDIO_GET_MULTCOUNT + would fill them with data that remains stale when the low byte + is overwritten. Fortunately libata doesn't implement any of the + affected ioctl commands, so this would only happen when we query + both an IDE and an ATA device in the same command such as + "hdparm -N -c /dev/hda /dev/sda" + +* The libata code for unknown reasons started using ATA_IOC_GET_IO32 + and ATA_IOC_SET_IO32 as aliases for HDIO_GET_32BIT and HDIO_SET_32BIT, + while the ioctl commands that were added later use the normal + HDIO_* names. This is harmless but rather confusing. + +This addresses all four issues by changing the code to use put_user() +on an 'unsigned long' variable in HDIO_GET_32BIT, like the IDE subsystem +does, and by clarifying the names of the ioctl commands. + +Signed-off-by: Arnd Bergmann +Reported-by: Soohoon Lee +Tested-by: Soohoon Lee +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-scsi.c | 11 +++++------ + include/linux/ata.h | 4 ++-- + 2 files changed, 7 insertions(+), 8 deletions(-) + +--- a/drivers/ata/libata-scsi.c ++++ b/drivers/ata/libata-scsi.c +@@ -673,19 +673,18 @@ static int ata_ioc32(struct ata_port *ap + int ata_sas_scsi_ioctl(struct ata_port *ap, struct scsi_device *scsidev, + int cmd, void __user *arg) + { +- int val = -EINVAL, rc = -EINVAL; ++ unsigned long val; ++ int rc = -EINVAL; + unsigned long flags; + + switch (cmd) { +- case ATA_IOC_GET_IO32: ++ case HDIO_GET_32BIT: + spin_lock_irqsave(ap->lock, flags); + val = ata_ioc32(ap); + spin_unlock_irqrestore(ap->lock, flags); +- if (copy_to_user(arg, &val, 1)) +- return -EFAULT; +- return 0; ++ return put_user(val, (unsigned long __user *)arg); + +- case ATA_IOC_SET_IO32: ++ case HDIO_SET_32BIT: + val = (unsigned long) arg; + rc = 0; + spin_lock_irqsave(ap->lock, flags); +--- a/include/linux/ata.h ++++ b/include/linux/ata.h +@@ -477,8 +477,8 @@ enum ata_tf_protocols { + }; + + enum ata_ioctls { +- ATA_IOC_GET_IO32 = 0x309, +- ATA_IOC_SET_IO32 = 0x324, ++ ATA_IOC_GET_IO32 = 0x309, /* HDIO_GET_32BIT */ ++ ATA_IOC_SET_IO32 = 0x324, /* HDIO_SET_32BIT */ + }; + + /* core structures */ diff --git a/queue-3.10/series b/queue-3.10/series index cf9c8c25bc3..4495f3ad8ff 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -1,3 +1,7 @@ locks-fix-unlock-when-fcntl_setlk-races-with-a-close.patch edac-mc_sysfs-fix-freeing-bus-name.patch cifs-fix-smb2-interim-response-processing-for-read-requests.patch +x86-entry-compat-add-missing-clac-to-entry_int80_32.patch +drm-ast-fix-incorrect-register-check-for-dram-width.patch +libata-fix-hdio_get_32bit-ioctl.patch +libata-align-ata_device-s-id-on-a-cacheline.patch diff --git a/queue-3.10/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch b/queue-3.10/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch new file mode 100644 index 00000000000..5b0f16817ba --- /dev/null +++ b/queue-3.10/x86-entry-compat-add-missing-clac-to-entry_int80_32.patch @@ -0,0 +1,48 @@ +From 3d44d51bd339766f0178f0cf2e8d048b4a4872aa Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 24 Feb 2016 12:18:49 -0800 +Subject: x86/entry/compat: Add missing CLAC to entry_INT80_32 + +From: Andy Lutomirski + +commit 3d44d51bd339766f0178f0cf2e8d048b4a4872aa upstream. + +This doesn't seem to fix a regression -- I don't think the CLAC was +ever there. + +I double-checked in a debugger: entries through the int80 gate do +not automatically clear AC. + +Stable maintainers: I can provide a backport to 4.3 and earlier if +needed. This needs to be backported all the way to 3.10. + +Reported-by: Brian Gerst +Signed-off-by: Andy Lutomirski +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Denys Vlasenko +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Fixes: 63bcff2a307b ("x86, smap: Add STAC and CLAC instructions to control user space access") +Link: http://lkml.kernel.org/r/b02b7e71ae54074be01fc171cbd4b72517055c0e.1456345086.git.luto@kernel.org +Signed-off-by: Ingo Molnar +[ kamal: backport to 3.10 through 3.19-stable: file rename; context ] +Signed-off-by: Kamal Mostafa +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -422,6 +422,7 @@ ENTRY(ia32_syscall) + /*CFI_REL_OFFSET cs,CS-RIP*/ + CFI_REL_OFFSET rip,RIP-RIP + PARAVIRT_ADJUST_EXCEPTION_FRAME ++ ASM_CLAC /* Do this early to minimize exposure */ + SWAPGS + /* + * No need to follow this irqs on/off section: the syscall