From: Greg Kroah-Hartman Date: Thu, 11 Oct 2018 06:18:34 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v3.18.124~39 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=30f4c389984bc50f3102bf57f7be2e95781d0f96;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: fbdev-omapfb-fix-omapfb_memory_read-infoleak.patch mac80211-fix-setting-ieee80211_key_flag_rx_mgmt-for-ap-mode-keys.patch pci-reprogram-bridge-prefetch-registers-on-resume.patch pm-core-clear-the-direct_complete-flag-on-errors.patch usb-serial-simple-add-motorola-tetra-mtp6550-id.patch x86-vdso-fix-asm-constraints-on-vdso-syscall-fallbacks.patch x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression.patch --- diff --git a/queue-3.18/fbdev-omapfb-fix-omapfb_memory_read-infoleak.patch b/queue-3.18/fbdev-omapfb-fix-omapfb_memory_read-infoleak.patch new file mode 100644 index 00000000000..c15347f5978 --- /dev/null +++ b/queue-3.18/fbdev-omapfb-fix-omapfb_memory_read-infoleak.patch @@ -0,0 +1,55 @@ +From 1bafcbf59fed92af58955024452f45430d3898c5 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Wed, 26 Sep 2018 18:11:22 +0200 +Subject: fbdev/omapfb: fix omapfb_memory_read infoleak + +From: Tomi Valkeinen + +commit 1bafcbf59fed92af58955024452f45430d3898c5 upstream. + +OMAPFB_MEMORY_READ ioctl reads pixels from the LCD's memory and copies +them to a userspace buffer. The code has two issues: + +- The user provided width and height could be large enough to overflow + the calculations +- The copy_to_user() can copy uninitialized memory to the userspace, + which might contain sensitive kernel information. + +Fix these by limiting the width & height parameters, and only copying +the amount of data that we actually received from the LCD. + +Signed-off-by: Tomi Valkeinen +Reported-by: Jann Horn +Cc: stable@vger.kernel.org +Cc: security@kernel.org +Cc: Will Deacon +Cc: Jann Horn +Cc: Tony Lindgren +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c ++++ b/drivers/video/fbdev/omap2/omapfb/omapfb-ioctl.c +@@ -493,6 +493,9 @@ static int omapfb_memory_read(struct fb_ + if (!access_ok(VERIFY_WRITE, mr->buffer, mr->buffer_size)) + return -EFAULT; + ++ if (mr->w > 4096 || mr->h > 4096) ++ return -EINVAL; ++ + if (mr->w * mr->h * 3 > mr->buffer_size) + return -EINVAL; + +@@ -506,7 +509,7 @@ static int omapfb_memory_read(struct fb_ + mr->x, mr->y, mr->w, mr->h); + + if (r > 0) { +- if (copy_to_user(mr->buffer, buf, mr->buffer_size)) ++ if (copy_to_user(mr->buffer, buf, r)) + r = -EFAULT; + } + diff --git a/queue-3.18/mac80211-fix-setting-ieee80211_key_flag_rx_mgmt-for-ap-mode-keys.patch b/queue-3.18/mac80211-fix-setting-ieee80211_key_flag_rx_mgmt-for-ap-mode-keys.patch new file mode 100644 index 00000000000..8d8526a4134 --- /dev/null +++ b/queue-3.18/mac80211-fix-setting-ieee80211_key_flag_rx_mgmt-for-ap-mode-keys.patch @@ -0,0 +1,34 @@ +From 211710ca74adf790b46ab3867fcce8047b573cd1 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Sat, 29 Sep 2018 16:01:58 +0200 +Subject: mac80211: fix setting IEEE80211_KEY_FLAG_RX_MGMT for AP mode keys + +From: Felix Fietkau + +commit 211710ca74adf790b46ab3867fcce8047b573cd1 upstream. + +key->sta is only valid after ieee80211_key_link, which is called later +in this function. Because of that, the IEEE80211_KEY_FLAG_RX_MGMT is +never set when management frame protection is enabled. + +Fixes: e548c49e6dc6b ("mac80211: add key flag for management keys") +Cc: stable@vger.kernel.org +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -210,7 +210,7 @@ static int ieee80211_add_key(struct wiph + case NL80211_IFTYPE_AP: + case NL80211_IFTYPE_AP_VLAN: + /* Keys without a station are used for TX only */ +- if (key->sta && test_sta_flag(key->sta, WLAN_STA_MFP)) ++ if (sta && test_sta_flag(sta, WLAN_STA_MFP)) + key->conf.flags |= IEEE80211_KEY_FLAG_RX_MGMT; + break; + case NL80211_IFTYPE_ADHOC: diff --git a/queue-3.18/pci-reprogram-bridge-prefetch-registers-on-resume.patch b/queue-3.18/pci-reprogram-bridge-prefetch-registers-on-resume.patch new file mode 100644 index 00000000000..d9ecde4c481 --- /dev/null +++ b/queue-3.18/pci-reprogram-bridge-prefetch-registers-on-resume.patch @@ -0,0 +1,128 @@ +From 083874549fdfefa629dfa752785e20427dde1511 Mon Sep 17 00:00:00 2001 +From: Daniel Drake +Date: Thu, 27 Sep 2018 15:47:33 -0500 +Subject: PCI: Reprogram bridge prefetch registers on resume + +From: Daniel Drake + +commit 083874549fdfefa629dfa752785e20427dde1511 upstream. + +On 38+ Intel-based ASUS products, the NVIDIA GPU becomes unusable after S3 +suspend/resume. The affected products include multiple generations of +NVIDIA GPUs and Intel SoCs. After resume, nouveau logs many errors such +as: + + fifo: fault 00 [READ] at 0000005555555000 engine 00 [GR] client 04 + [HUB/FE] reason 4a [] on channel -1 [007fa91000 unknown] + DRM: failed to idle channel 0 [DRM] + +Similarly, the NVIDIA proprietary driver also fails after resume (black +screen, 100% CPU usage in Xorg process). We shipped a sample to NVIDIA for +diagnosis, and their response indicated that it's a problem with the parent +PCI bridge (on the Intel SoC), not the GPU. + +Runtime suspend/resume works fine, only S3 suspend is affected. + +We found a workaround: on resume, rewrite the Intel PCI bridge +'Prefetchable Base Upper 32 Bits' register (PCI_PREF_BASE_UPPER32). In the +cases that I checked, this register has value 0 and we just have to rewrite +that value. + +Linux already saves and restores PCI config space during suspend/resume, +but this register was being skipped because upon resume, it already has +value 0 (the correct, pre-suspend value). + +Intel appear to have previously acknowledged this behaviour and the +requirement to rewrite this register: +https://bugzilla.kernel.org/show_bug.cgi?id=116851#c23 + +Based on that, rewrite the prefetch register values even when that appears +unnecessary. + +We have confirmed this solution on all the affected models we have in-hands +(X542UQ, UX533FD, X530UN, V272UN). + +Additionally, this solves an issue where r8169 MSI-X interrupts were broken +after S3 suspend/resume on ASUS X441UAR. This issue was recently worked +around in commit 7bb05b85bc2d ("r8169: don't use MSI-X on RTL8106e"). It +also fixes the same issue on RTL6186evl/8111evl on an Aimfor-tech laptop +that we had not yet patched. I suspect it will also fix the issue that was +worked around in commit 7c53a722459c ("r8169: don't use MSI-X on +RTL8168g"). + +Thomas Martitz reports that this change also solves an issue where the AMD +Radeon Polaris 10 GPU on the HP Zbook 14u G5 is unresponsive after S3 +suspend/resume. + +Link: https://bugzilla.kernel.org/show_bug.cgi?id=201069 +Signed-off-by: Daniel Drake +Signed-off-by: Bjorn Helgaas +Reviewed-by: Rafael J. Wysocki +Reviewed-By: Peter Wu +CC: stable@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1023,12 +1023,12 @@ int pci_save_state(struct pci_dev *dev) + EXPORT_SYMBOL(pci_save_state); + + static void pci_restore_config_dword(struct pci_dev *pdev, int offset, +- u32 saved_val, int retry) ++ u32 saved_val, int retry, bool force) + { + u32 val; + + pci_read_config_dword(pdev, offset, &val); +- if (val == saved_val) ++ if (!force && val == saved_val) + return; + + for (;;) { +@@ -1047,25 +1047,36 @@ static void pci_restore_config_dword(str + } + + static void pci_restore_config_space_range(struct pci_dev *pdev, +- int start, int end, int retry) ++ int start, int end, int retry, ++ bool force) + { + int index; + + for (index = end; index >= start; index--) + pci_restore_config_dword(pdev, 4 * index, + pdev->saved_config_space[index], +- retry); ++ retry, force); + } + + static void pci_restore_config_space(struct pci_dev *pdev) + { + if (pdev->hdr_type == PCI_HEADER_TYPE_NORMAL) { +- pci_restore_config_space_range(pdev, 10, 15, 0); ++ pci_restore_config_space_range(pdev, 10, 15, 0, false); + /* Restore BARs before the command register. */ +- pci_restore_config_space_range(pdev, 4, 9, 10); +- pci_restore_config_space_range(pdev, 0, 3, 0); ++ pci_restore_config_space_range(pdev, 4, 9, 10, false); ++ pci_restore_config_space_range(pdev, 0, 3, 0, false); ++ } else if (pdev->hdr_type == PCI_HEADER_TYPE_BRIDGE) { ++ pci_restore_config_space_range(pdev, 12, 15, 0, false); ++ ++ /* ++ * Force rewriting of prefetch registers to avoid S3 resume ++ * issues on Intel PCI bridges that occur when these ++ * registers are not explicitly written. ++ */ ++ pci_restore_config_space_range(pdev, 9, 11, 0, true); ++ pci_restore_config_space_range(pdev, 0, 8, 0, false); + } else { +- pci_restore_config_space_range(pdev, 0, 15, 0); ++ pci_restore_config_space_range(pdev, 0, 15, 0, false); + } + } + diff --git a/queue-3.18/pm-core-clear-the-direct_complete-flag-on-errors.patch b/queue-3.18/pm-core-clear-the-direct_complete-flag-on-errors.patch new file mode 100644 index 00000000000..ab1f5aec25e --- /dev/null +++ b/queue-3.18/pm-core-clear-the-direct_complete-flag-on-errors.patch @@ -0,0 +1,54 @@ +From 69e445ab8b66a9f30519842ef18be555d3ee9b51 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Thu, 4 Oct 2018 11:08:12 +0200 +Subject: PM / core: Clear the direct_complete flag on errors + +From: Rafael J. Wysocki + +commit 69e445ab8b66a9f30519842ef18be555d3ee9b51 upstream. + +If __device_suspend() runs asynchronously (in which case the device +passed to it is in dpm_suspended_list at that point) and it returns +early on an error or pending wakeup, and the power.direct_complete +flag has been set for the device already, the subsequent +device_resume() will be confused by that and it will call +pm_runtime_enable() incorrectly, as runtime PM has not been +disabled for the device by __device_suspend(). + +To avoid that, clear power.direct_complete if __device_suspend() +is not going to disable runtime PM for the device before returning. + +Fixes: aae4518b3124 (PM / sleep: Mechanism to avoid resuming runtime-suspended devices unnecessarily) +Reported-by: Al Cooper +Tested-by: Al Cooper +Reviewed-by: Ulf Hansson +Cc: 3.16+ # 3.16+ +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/main.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/base/power/main.c ++++ b/drivers/base/power/main.c +@@ -1341,8 +1341,10 @@ static int __device_suspend(struct devic + + dpm_wait_for_children(dev, async); + +- if (async_error) ++ if (async_error) { ++ dev->power.direct_complete = false; + goto Complete; ++ } + + /* + * If a device configured to wake up the system from sleep states +@@ -1354,6 +1356,7 @@ static int __device_suspend(struct devic + pm_wakeup_event(dev, 0); + + if (pm_wakeup_pending()) { ++ dev->power.direct_complete = false; + async_error = -EBUSY; + goto Complete; + } diff --git a/queue-3.18/series b/queue-3.18/series index 134ab3b59b3..0659b5918dc 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -98,3 +98,10 @@ ocfs2-fix-locking-for-res-tracking-and-dlm-tracking_list.patch dm-thin-metadata-fix-__udivdi3-undefined-on-32-bit.patch make-file-credentials-available-to-the-seqfile-interfaces.patch proc-restrict-kernel-stack-dumps-to-root.patch +fbdev-omapfb-fix-omapfb_memory_read-infoleak.patch +x86-vdso-fix-asm-constraints-on-vdso-syscall-fallbacks.patch +x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression.patch +pci-reprogram-bridge-prefetch-registers-on-resume.patch +mac80211-fix-setting-ieee80211_key_flag_rx_mgmt-for-ap-mode-keys.patch +pm-core-clear-the-direct_complete-flag-on-errors.patch +usb-serial-simple-add-motorola-tetra-mtp6550-id.patch diff --git a/queue-3.18/usb-serial-simple-add-motorola-tetra-mtp6550-id.patch b/queue-3.18/usb-serial-simple-add-motorola-tetra-mtp6550-id.patch new file mode 100644 index 00000000000..e81a9ffea14 --- /dev/null +++ b/queue-3.18/usb-serial-simple-add-motorola-tetra-mtp6550-id.patch @@ -0,0 +1,129 @@ +From f5fad711c06e652f90f581fc7c2caee327c33d31 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 24 Sep 2018 15:28:10 +0200 +Subject: USB: serial: simple: add Motorola Tetra MTP6550 id + +From: Johan Hovold + +commit f5fad711c06e652f90f581fc7c2caee327c33d31 upstream. + +Add device-id for the Motorola Tetra radio MTP6550. + +Bus 001 Device 004: ID 0cad:9012 Motorola CGISS +Device Descriptor: + bLength 18 + bDescriptorType 1 + bcdUSB 2.00 + bDeviceClass 0 (Defined at Interface level) + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + idVendor 0x0cad Motorola CGISS + idProduct 0x9012 + bcdDevice 24.16 + iManufacturer 1 Motorola Solutions, Inc. + iProduct 2 TETRA PEI interface + iSerial 0 + bNumConfigurations 1 + Configuration Descriptor: + bLength 9 + bDescriptorType 2 + wTotalLength 55 + bNumInterfaces 2 + bConfigurationValue 1 + iConfiguration 3 Generic Serial config + bmAttributes 0x80 + (Bus Powered) + MaxPower 500mA + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 0 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x81 EP 1 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x01 EP 1 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + Interface Descriptor: + bLength 9 + bDescriptorType 4 + bInterfaceNumber 1 + bAlternateSetting 0 + bNumEndpoints 2 + bInterfaceClass 255 Vendor Specific Class + bInterfaceSubClass 0 + bInterfaceProtocol 0 + iInterface 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x82 EP 2 IN + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 + Endpoint Descriptor: + bLength 7 + bDescriptorType 5 + bEndpointAddress 0x02 EP 2 OUT + bmAttributes 2 + Transfer Type Bulk + Synch Type None + Usage Type Data + wMaxPacketSize 0x0200 1x 512 bytes + bInterval 0 +Device Qualifier (for other device speed): + bLength 10 + bDescriptorType 6 + bcdUSB 2.00 + bDeviceClass 0 (Defined at Interface level) + bDeviceSubClass 0 + bDeviceProtocol 0 + bMaxPacketSize0 64 + bNumConfigurations 1 +Device Status: 0x0000 + (Bus Powered) + +Reported-by: Hans Hult +Cc: stable +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial-simple.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/usb-serial-simple.c ++++ b/drivers/usb/serial/usb-serial-simple.c +@@ -74,7 +74,8 @@ DEVICE(moto_modem, MOTO_IDS); + + /* Motorola Tetra driver */ + #define MOTOROLA_TETRA_IDS() \ +- { USB_DEVICE(0x0cad, 0x9011) } /* Motorola Solutions TETRA PEI */ ++ { USB_DEVICE(0x0cad, 0x9011) }, /* Motorola Solutions TETRA PEI */ \ ++ { USB_DEVICE(0x0cad, 0x9012) } /* MTP6550 */ + DEVICE(motorola_tetra, MOTOROLA_TETRA_IDS); + + /* Novatel Wireless GPS driver */ diff --git a/queue-3.18/x86-vdso-fix-asm-constraints-on-vdso-syscall-fallbacks.patch b/queue-3.18/x86-vdso-fix-asm-constraints-on-vdso-syscall-fallbacks.patch new file mode 100644 index 00000000000..077c06473eb --- /dev/null +++ b/queue-3.18/x86-vdso-fix-asm-constraints-on-vdso-syscall-fallbacks.patch @@ -0,0 +1,107 @@ +From 715bd9d12f84d8f5cc8ad21d888f9bc304a8eb0b Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Mon, 1 Oct 2018 12:52:15 -0700 +Subject: x86/vdso: Fix asm constraints on vDSO syscall fallbacks + +From: Andy Lutomirski + +commit 715bd9d12f84d8f5cc8ad21d888f9bc304a8eb0b upstream. + +The syscall fallbacks in the vDSO have incorrect asm constraints. +They are not marked as writing to their outputs -- instead, they are +marked as clobbering "memory", which is useless. In particular, gcc +is smart enough to know that the timespec parameter hasn't escaped, +so a memory clobber doesn't clobber it. And passing a pointer as an +asm *input* does not tell gcc that the pointed-to value is changed. + +Add in the fact that the asm instructions weren't volatile, and gcc +was free to omit them entirely unless their sole output (the return +value) is used. Which it is (phew!), but that stops happening with +some upcoming patches. + +As a trivial example, the following code: + +void test_fallback(struct timespec *ts) +{ + vdso_fallback_gettime(CLOCK_MONOTONIC, ts); +} + +compiles to: + +00000000000000c0 : + c0: c3 retq + +To add insult to injury, the RCX and R11 clobbers on 64-bit +builds were missing. + +The "memory" clobber is also unnecessary -- no ordering with respect to +other memory operations is needed, but that's going to be fixed in a +separate not-for-stable patch. + +Fixes: 2aae950b21e4 ("x86_64: Add vDSO for x86-64 with gettimeofday/clock_gettime/getcpu") +Signed-off-by: Andy Lutomirski +Signed-off-by: Thomas Gleixner +Cc: stable@vger.kernel.org +Link: https://lkml.kernel.org/r/2c0231690551989d2fafa60ed0e7b5cc8b403908.1538422295.git.luto@kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/vdso/vclock_gettime.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/arch/x86/vdso/vclock_gettime.c ++++ b/arch/x86/vdso/vclock_gettime.c +@@ -46,8 +46,9 @@ static notrace cycle_t vread_hpet(void) + notrace static long vdso_fallback_gettime(long clock, struct timespec *ts) + { + long ret; +- asm("syscall" : "=a" (ret) : +- "0" (__NR_clock_gettime), "D" (clock), "S" (ts) : "memory"); ++ asm ("syscall" : "=a" (ret), "=m" (*ts) : ++ "0" (__NR_clock_gettime), "D" (clock), "S" (ts) : ++ "memory", "rcx", "r11"); + return ret; + } + +@@ -55,8 +56,9 @@ notrace static long vdso_fallback_gtod(s + { + long ret; + +- asm("syscall" : "=a" (ret) : +- "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : "memory"); ++ asm ("syscall" : "=a" (ret), "=m" (*tv), "=m" (*tz) : ++ "0" (__NR_gettimeofday), "D" (tv), "S" (tz) : ++ "memory", "rcx", "r11"); + return ret; + } + +@@ -136,12 +138,12 @@ notrace static long vdso_fallback_gettim + { + long ret; + +- asm( ++ asm ( + "mov %%ebx, %%edx \n" + "mov %2, %%ebx \n" + "call __kernel_vsyscall \n" + "mov %%edx, %%ebx \n" +- : "=a" (ret) ++ : "=a" (ret), "=m" (*ts) + : "0" (__NR_clock_gettime), "g" (clock), "c" (ts) + : "memory", "edx"); + return ret; +@@ -151,12 +153,12 @@ notrace static long vdso_fallback_gtod(s + { + long ret; + +- asm( ++ asm ( + "mov %%ebx, %%edx \n" + "mov %2, %%ebx \n" + "call __kernel_vsyscall \n" + "mov %%edx, %%ebx \n" +- : "=a" (ret) ++ : "=a" (ret), "=m" (*tv), "=m" (*tz) + : "0" (__NR_gettimeofday), "g" (tv), "c" (tz) + : "memory", "edx"); + return ret; diff --git a/queue-3.18/x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression.patch b/queue-3.18/x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression.patch new file mode 100644 index 00000000000..f176e518611 --- /dev/null +++ b/queue-3.18/x86-vdso-fix-vdso-syscall-fallback-asm-constraint-regression.patch @@ -0,0 +1,60 @@ +From 02e425668f5c9deb42787d10001a3b605993ad15 Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Wed, 3 Oct 2018 16:23:49 -0700 +Subject: x86/vdso: Fix vDSO syscall fallback asm constraint regression + +From: Andy Lutomirski + +commit 02e425668f5c9deb42787d10001a3b605993ad15 upstream. + +When I added the missing memory outputs, I failed to update the +index of the first argument (ebx) on 32-bit builds, which broke the +fallbacks. Somehow I must have screwed up my testing or gotten +lucky. + +Add another test to cover gettimeofday() as well. + +Signed-off-by: Andy Lutomirski +Cc: Linus Torvalds +Cc: Peter Zijlstra +Cc: Thomas Gleixner +Cc: stable@vger.kernel.org +Fixes: 715bd9d12f84 ("x86/vdso: Fix asm constraints on vDSO syscall fallbacks") +Link: http://lkml.kernel.org/r/21bd45ab04b6d838278fa5bebfa9163eceffa13c.1538608971.git.luto@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/vdso/vclock_gettime.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/vdso/vclock_gettime.c ++++ b/arch/x86/vdso/vclock_gettime.c +@@ -140,11 +140,11 @@ notrace static long vdso_fallback_gettim + + asm ( + "mov %%ebx, %%edx \n" +- "mov %2, %%ebx \n" ++ "mov %[clock], %%ebx \n" + "call __kernel_vsyscall \n" + "mov %%edx, %%ebx \n" + : "=a" (ret), "=m" (*ts) +- : "0" (__NR_clock_gettime), "g" (clock), "c" (ts) ++ : "0" (__NR_clock_gettime), [clock] "g" (clock), "c" (ts) + : "memory", "edx"); + return ret; + } +@@ -155,11 +155,11 @@ notrace static long vdso_fallback_gtod(s + + asm ( + "mov %%ebx, %%edx \n" +- "mov %2, %%ebx \n" ++ "mov %[tv], %%ebx \n" + "call __kernel_vsyscall \n" + "mov %%edx, %%ebx \n" + : "=a" (ret), "=m" (*tv), "=m" (*tz) +- : "0" (__NR_gettimeofday), "g" (tv), "c" (tz) ++ : "0" (__NR_gettimeofday), [tv] "g" (tv), "c" (tz) + : "memory", "edx"); + return ret; + }