From: Greg Kroah-Hartman Date: Tue, 18 Nov 2014 20:02:36 +0000 (-0800) Subject: 3.17-stable patches X-Git-Tag: v3.10.61~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4286cae53b745f0d492742e64c91e164e35ab1b9;p=thirdparty%2Fkernel%2Fstable-queue.git 3.17-stable patches added patches: arm64-__clear_user-handle-exceptions-on-strb.patch arm64-efi-fix-stub-cache-maintenance.patch ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch block-fix-computation-of-merged-request-priority.patch correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch nfs-fix-pnfs-direct-write-memory-leak.patch parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch --- diff --git a/queue-3.17/arm64-__clear_user-handle-exceptions-on-strb.patch b/queue-3.17/arm64-__clear_user-handle-exceptions-on-strb.patch new file mode 100644 index 00000000000..f500fc6f83d --- /dev/null +++ b/queue-3.17/arm64-__clear_user-handle-exceptions-on-strb.patch @@ -0,0 +1,62 @@ +From 97fc15436b36ee3956efad83e22a557991f7d19d Mon Sep 17 00:00:00 2001 +From: Kyle McMartin +Date: Wed, 12 Nov 2014 21:07:44 +0000 +Subject: arm64: __clear_user: handle exceptions on strb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kyle McMartin + +commit 97fc15436b36ee3956efad83e22a557991f7d19d upstream. + +ARM64 currently doesn't fix up faults on the single-byte (strb) case of +__clear_user... which means that we can cause a nasty kernel panic as an +ordinary user with any multiple PAGE_SIZE+1 read from /dev/zero. +i.e.: dd if=/dev/zero of=foo ibs=1 count=1 (or ibs=65537, etc.) + +This is a pretty obscure bug in the general case since we'll only +__do_kernel_fault (since there's no extable entry for pc) if the +mmap_sem is contended. However, with CONFIG_DEBUG_VM enabled, we'll +always fault. + +if (!down_read_trylock(&mm->mmap_sem)) { + if (!user_mode(regs) && !search_exception_tables(regs->pc)) + goto no_context; +retry: + down_read(&mm->mmap_sem); +} else { + /* + * The above down_read_trylock() might have succeeded in + * which + * case, we'll have missed the might_sleep() from + * down_read(). + */ + might_sleep(); + if (!user_mode(regs) && !search_exception_tables(regs->pc)) + goto no_context; +} + +Fix that by adding an extable entry for the strb instruction, since it +touches user memory, similar to the other stores in __clear_user. + +Signed-off-by: Kyle McMartin +Reported-by: Miloš Prchlík +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/lib/clear_user.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm64/lib/clear_user.S ++++ b/arch/arm64/lib/clear_user.S +@@ -46,7 +46,7 @@ USER(9f, strh wzr, [x0], #2 ) + sub x1, x1, #2 + 4: adds x1, x1, #1 + b.mi 5f +- strb wzr, [x0] ++USER(9f, strb wzr, [x0] ) + 5: mov x0, #0 + ret + ENDPROC(__clear_user) diff --git a/queue-3.17/arm64-efi-fix-stub-cache-maintenance.patch b/queue-3.17/arm64-efi-fix-stub-cache-maintenance.patch new file mode 100644 index 00000000000..0ed970f8a52 --- /dev/null +++ b/queue-3.17/arm64-efi-fix-stub-cache-maintenance.patch @@ -0,0 +1,109 @@ +From 9b0b26580a753d4d6bdd2b8b4ca9a8f3f2d39065 Mon Sep 17 00:00:00 2001 +From: Mark Rutland +Date: Thu, 13 Nov 2014 12:22:01 +0000 +Subject: arm64: efi: Fix stub cache maintenance + +From: Mark Rutland + +commit 9b0b26580a753d4d6bdd2b8b4ca9a8f3f2d39065 upstream. + +While efi-entry.S mentions that efi_entry() will have relocated the +kernel image, it actually means that efi_entry will have placed a copy +of the kernel in the appropriate location, and until this is branched to +at the end of efi_entry.S, all instructions are executed from the +original image. + +Thus while the flush in efi_entry.S does ensure that the copy is visible +to noncacheable accesses, it does not guarantee that this is true for +the image instructions are being executed from. This could have +disasterous effects when the MMU and caches are disabled if the image +has not been naturally evicted to the PoC. + +Additionally, due to a missing dsb following the ic ialluis, the new +kernel image is not necessarily clean in the I-cache when it is branched +to, with similar potentially disasterous effects. + +This patch adds additional flushing to ensure that the currently +executing stub text is flushed to the PoC and is thus visible to +noncacheable accesses. As it is placed after the instructions cache +maintenance for the new image and __flush_dcache_area already contains a +dsb, we do not need to add a separate barrier to ensure completion of +the icache maintenance. + +Comments are updated to clarify the situation with regard to the two +images and the maintenance required for both. + +Fixes: 3c7f255039a2ad6ee1e3890505caf0d029b22e29 +Signed-off-by: Mark Rutland +Acked-by: Joel Schopp +Reviewed-by: Roy Franz +Tested-by: Tom Lendacky +Cc: Ard Biesheuvel +Cc: Ian Campbell +Cc: Leif Lindholm +Cc: Mark Salter +Cc: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/efi-entry.S | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/arch/arm64/kernel/efi-entry.S ++++ b/arch/arm64/kernel/efi-entry.S +@@ -54,18 +54,17 @@ ENTRY(efi_stub_entry) + b.eq efi_load_fail + + /* +- * efi_entry() will have relocated the kernel image if necessary +- * and we return here with device tree address in x0 and the kernel +- * entry point stored at *image_addr. Save those values in registers +- * which are callee preserved. ++ * efi_entry() will have copied the kernel image if necessary and we ++ * return here with device tree address in x0 and the kernel entry ++ * point stored at *image_addr. Save those values in registers which ++ * are callee preserved. + */ + mov x20, x0 // DTB address + ldr x0, [sp, #16] // relocated _text address + mov x21, x0 + + /* +- * Flush dcache covering current runtime addresses +- * of kernel text/data. Then flush all of icache. ++ * Calculate size of the kernel Image (same for original and copy). + */ + adrp x1, _text + add x1, x1, #:lo12:_text +@@ -73,9 +72,24 @@ ENTRY(efi_stub_entry) + add x2, x2, #:lo12:_edata + sub x1, x2, x1 + ++ /* ++ * Flush the copied Image to the PoC, and ensure it is not shadowed by ++ * stale icache entries from before relocation. ++ */ + bl __flush_dcache_area + ic ialluis + ++ /* ++ * Ensure that the rest of this function (in the original Image) is ++ * visible when the caches are disabled. The I-cache can't have stale ++ * entries for the VA range of the current image, so no maintenance is ++ * necessary. ++ */ ++ adr x0, efi_stub_entry ++ adr x1, efi_stub_entry_end ++ sub x1, x1, x0 ++ bl __flush_dcache_area ++ + /* Turn off Dcache and MMU */ + mrs x0, CurrentEL + cmp x0, #CurrentEL_EL2 +@@ -105,4 +119,5 @@ efi_load_fail: + ldp x29, x30, [sp], #32 + ret + ++efi_stub_entry_end: + ENDPROC(efi_stub_entry) diff --git a/queue-3.17/ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch b/queue-3.17/ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch new file mode 100644 index 00000000000..9c119a4a68e --- /dev/null +++ b/queue-3.17/ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch @@ -0,0 +1,80 @@ +From aa1cf25887099bba68f1f3879c0d394e08b8779f Mon Sep 17 00:00:00 2001 +From: Simon Horman +Date: Mon, 27 Oct 2014 09:14:30 +0900 +Subject: ata: sata_rcar: Disable DIPM mode for r8a7790 ES1 + +From: Simon Horman + +commit aa1cf25887099bba68f1f3879c0d394e08b8779f upstream. + +Unlike other SATA R-Car r8a7790 controllers the r8a7790 ES1 SATA R-Car +controller needs to be run with DIPM disabled. + +Signed-off-by: Simon Horman +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/devicetree/bindings/ata/sata_rcar.txt | 3 ++- + drivers/ata/sata_rcar.c | 10 ++++++++++ + 2 files changed, 12 insertions(+), 1 deletion(-) + +--- a/Documentation/devicetree/bindings/ata/sata_rcar.txt ++++ b/Documentation/devicetree/bindings/ata/sata_rcar.txt +@@ -3,7 +3,8 @@ + Required properties: + - compatible : should contain one of the following: + - "renesas,sata-r8a7779" for R-Car H1 +- - "renesas,sata-r8a7790" for R-Car H2 ++ - "renesas,sata-r8a7790-es1" for R-Car H2 ES1 ++ - "renesas,sata-r8a7790" for R-Car H2 other than ES1 + - "renesas,sata-r8a7791" for R-Car M2 + - reg : address and length of the SATA registers; + - interrupts : must consist of one interrupt specifier. +--- a/drivers/ata/sata_rcar.c ++++ b/drivers/ata/sata_rcar.c +@@ -146,6 +146,7 @@ + enum sata_rcar_type { + RCAR_GEN1_SATA, + RCAR_GEN2_SATA, ++ RCAR_R8A7790_ES1_SATA, + }; + + struct sata_rcar_priv { +@@ -763,6 +764,9 @@ static void sata_rcar_setup_port(struct + ap->udma_mask = ATA_UDMA6; + ap->flags |= ATA_FLAG_SATA; + ++ if (priv->type == RCAR_R8A7790_ES1_SATA) ++ ap->flags |= ATA_FLAG_NO_DIPM; ++ + ioaddr->cmd_addr = base + SDATA_REG; + ioaddr->ctl_addr = base + SSDEVCON_REG; + ioaddr->scr_addr = base + SCRSSTS_REG; +@@ -792,6 +796,7 @@ static void sata_rcar_init_controller(st + sata_rcar_gen1_phy_init(priv); + break; + case RCAR_GEN2_SATA: ++ case RCAR_R8A7790_ES1_SATA: + sata_rcar_gen2_phy_init(priv); + break; + default: +@@ -838,6 +843,10 @@ static struct of_device_id sata_rcar_mat + .data = (void *)RCAR_GEN2_SATA + }, + { ++ .compatible = "renesas,sata-r8a7790-es1", ++ .data = (void *)RCAR_R8A7790_ES1_SATA ++ }, ++ { + .compatible = "renesas,sata-r8a7791", + .data = (void *)RCAR_GEN2_SATA + }, +@@ -849,6 +858,7 @@ static const struct platform_device_id s + { "sata_rcar", RCAR_GEN1_SATA }, /* Deprecated by "sata-r8a7779" */ + { "sata-r8a7779", RCAR_GEN1_SATA }, + { "sata-r8a7790", RCAR_GEN2_SATA }, ++ { "sata-r8a7790-es1", RCAR_R8A7790_ES1_SATA }, + { "sata-r8a7791", RCAR_GEN2_SATA }, + { }, + }; diff --git a/queue-3.17/block-fix-computation-of-merged-request-priority.patch b/queue-3.17/block-fix-computation-of-merged-request-priority.patch new file mode 100644 index 00000000000..85b6e1635ee --- /dev/null +++ b/queue-3.17/block-fix-computation-of-merged-request-priority.patch @@ -0,0 +1,50 @@ +From ece9c72accdc45c3a9484dacb1125ce572647288 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 30 Oct 2014 20:43:38 +0100 +Subject: block: Fix computation of merged request priority + +From: Jan Kara + +commit ece9c72accdc45c3a9484dacb1125ce572647288 upstream. + +Priority of a merged request is computed by ioprio_best(). If one of the +requests has undefined priority (IOPRIO_CLASS_NONE) and another request +has priority from IOPRIO_CLASS_BE, the function will return the +undefined priority which is wrong. Fix the function to properly return +priority of a request with the defined priority. + +Fixes: d58cdfb89ce0c6bd5f81ae931a984ef298dbda20 +Signed-off-by: Jan Kara +Reviewed-by: Jeff Moyer +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/ioprio.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/block/ioprio.c ++++ b/block/ioprio.c +@@ -157,14 +157,16 @@ out: + + int ioprio_best(unsigned short aprio, unsigned short bprio) + { +- unsigned short aclass = IOPRIO_PRIO_CLASS(aprio); +- unsigned short bclass = IOPRIO_PRIO_CLASS(bprio); ++ unsigned short aclass; ++ unsigned short bclass; + +- if (aclass == IOPRIO_CLASS_NONE) +- aclass = IOPRIO_CLASS_BE; +- if (bclass == IOPRIO_CLASS_NONE) +- bclass = IOPRIO_CLASS_BE; ++ if (!ioprio_valid(aprio)) ++ aprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM); ++ if (!ioprio_valid(bprio)) ++ bprio = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_BE, IOPRIO_NORM); + ++ aclass = IOPRIO_PRIO_CLASS(aprio); ++ bclass = IOPRIO_PRIO_CLASS(bprio); + if (aclass == bclass) + return min(aprio, bprio); + if (aclass > bclass) diff --git a/queue-3.17/correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch b/queue-3.17/correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch new file mode 100644 index 00000000000..92427e32993 --- /dev/null +++ b/queue-3.17/correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch @@ -0,0 +1,50 @@ +From 899d5933b2dd2720f2b20b01eaa07871aa6ad096 Mon Sep 17 00:00:00 2001 +From: William Cohen +Date: Tue, 11 Nov 2014 09:41:27 -0500 +Subject: Correct the race condition in aarch64_insn_patch_text_sync() + +From: William Cohen + +commit 899d5933b2dd2720f2b20b01eaa07871aa6ad096 upstream. + +When experimenting with patches to provide kprobes support for aarch64 +smp machines would hang when inserting breakpoints into kernel code. +The hangs were caused by a race condition in the code called by +aarch64_insn_patch_text_sync(). The first processor in the +aarch64_insn_patch_text_cb() function would patch the code while other +processors were still entering the function and incrementing the +cpu_count field. This resulted in some processors never observing the +exit condition and exiting the function. Thus, processors in the +system hung. + +The first processor to enter the patching function performs the +patching and signals that the patching is complete with an increment +of the cpu_count field. When all the processors have incremented the +cpu_count field the cpu_count will be num_cpus_online()+1 and they +will return to normal execution. + +Fixes: ae16480785de arm64: introduce interfaces to hotpatch kernel and module code +Signed-off-by: William Cohen +Acked-by: Will Deacon +Signed-off-by: Catalin Marinas +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm64/kernel/insn.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/arm64/kernel/insn.c ++++ b/arch/arm64/kernel/insn.c +@@ -156,9 +156,10 @@ static int __kprobes aarch64_insn_patch_ + * which ends with "dsb; isb" pair guaranteeing global + * visibility. + */ +- atomic_set(&pp->cpu_count, -1); ++ /* Notify other processors with an additional increment. */ ++ atomic_inc(&pp->cpu_count); + } else { +- while (atomic_read(&pp->cpu_count) != -1) ++ while (atomic_read(&pp->cpu_count) <= num_online_cpus()) + cpu_relax(); + isb(); + } diff --git a/queue-3.17/firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch b/queue-3.17/firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch new file mode 100644 index 00000000000..c08097042d9 --- /dev/null +++ b/queue-3.17/firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch @@ -0,0 +1,60 @@ +From eaca2d8e75e90a70a63a6695c9f61932609db212 Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Tue, 11 Nov 2014 17:16:44 +0100 +Subject: firewire: cdev: prevent kernel stack leaking into ioctl arguments + +From: Stefan Richter + +commit eaca2d8e75e90a70a63a6695c9f61932609db212 upstream. + +Found by the UC-KLEE tool: A user could supply less input to +firewire-cdev ioctls than write- or write/read-type ioctl handlers +expect. The handlers used data from uninitialized kernel stack then. + +This could partially leak back to the user if the kernel subsequently +generated fw_cdev_event_'s (to be read from the firewire-cdev fd) +which notably would contain the _u64 closure field which many of the +ioctl argument structures contain. + +The fact that the handlers would act on random garbage input is a +lesser issue since all handlers must check their input anyway. + +The fix simply always null-initializes the entire ioctl argument buffer +regardless of the actual length of expected user input. That is, a +runtime overhead of memset(..., 40) is added to each firewirew-cdev +ioctl() call. [Comment from Clemens Ladisch: This part of the stack is +most likely to be already in the cache.] + +Remarks: + - There was never any leak from kernel stack to the ioctl output + buffer itself. IOW, it was not possible to read kernel stack by a + read-type or write/read-type ioctl alone; the leak could at most + happen in combination with read()ing subsequent event data. + - The actual expected minimum user input of each ioctl from + include/uapi/linux/firewire-cdev.h is, in bytes: + [0x00] = 32, [0x05] = 4, [0x0a] = 16, [0x0f] = 20, [0x14] = 16, + [0x01] = 36, [0x06] = 20, [0x0b] = 4, [0x10] = 20, [0x15] = 20, + [0x02] = 20, [0x07] = 4, [0x0c] = 0, [0x11] = 0, [0x16] = 8, + [0x03] = 4, [0x08] = 24, [0x0d] = 20, [0x12] = 36, [0x17] = 12, + [0x04] = 20, [0x09] = 24, [0x0e] = 4, [0x13] = 40, [0x18] = 4. + +Reported-by: David Ramos +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/core-cdev.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/firewire/core-cdev.c ++++ b/drivers/firewire/core-cdev.c +@@ -1637,8 +1637,7 @@ static int dispatch_ioctl(struct client + _IOC_SIZE(cmd) > sizeof(buffer)) + return -ENOTTY; + +- if (_IOC_DIR(cmd) == _IOC_READ) +- memset(&buffer, 0, _IOC_SIZE(cmd)); ++ memset(&buffer, 0, sizeof(buffer)); + + if (_IOC_DIR(cmd) & _IOC_WRITE) + if (copy_from_user(&buffer, arg, _IOC_SIZE(cmd))) diff --git a/queue-3.17/nfs-fix-pnfs-direct-write-memory-leak.patch b/queue-3.17/nfs-fix-pnfs-direct-write-memory-leak.patch new file mode 100644 index 00000000000..5b21b7403b4 --- /dev/null +++ b/queue-3.17/nfs-fix-pnfs-direct-write-memory-leak.patch @@ -0,0 +1,60 @@ +From 8c393f9a721c30a030049a680e1bf896669bb279 Mon Sep 17 00:00:00 2001 +From: Peng Tao +Date: Wed, 5 Nov 2014 22:36:50 +0800 +Subject: nfs: fix pnfs direct write memory leak + +From: Peng Tao + +commit 8c393f9a721c30a030049a680e1bf896669bb279 upstream. + +For pNFS direct writes, layout driver may dynamically allocate ds_cinfo.buckets. +So we need to take care to free them when freeing dreq. + +Ideally this needs to be done inside layout driver where ds_cinfo.buckets +are allocated. But buckets are attached to dreq and reused across LD IO iterations. +So I feel it's OK to free them in the generic layer. + +Signed-off-by: Peng Tao +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/direct.c | 1 + + include/linux/nfs_xdr.h | 11 +++++++++++ + 2 files changed, 12 insertions(+) + +--- a/fs/nfs/direct.c ++++ b/fs/nfs/direct.c +@@ -270,6 +270,7 @@ static void nfs_direct_req_free(struct k + { + struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref); + ++ nfs_free_pnfs_ds_cinfo(&dreq->ds_cinfo); + if (dreq->l_ctx != NULL) + nfs_put_lock_context(dreq->l_ctx); + if (dreq->ctx != NULL) +--- a/include/linux/nfs_xdr.h ++++ b/include/linux/nfs_xdr.h +@@ -1232,11 +1232,22 @@ struct nfs41_free_stateid_res { + unsigned int status; + }; + ++static inline void ++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo) ++{ ++ kfree(cinfo->buckets); ++} ++ + #else + + struct pnfs_ds_commit_info { + }; + ++static inline void ++nfs_free_pnfs_ds_cinfo(struct pnfs_ds_commit_info *cinfo) ++{ ++} ++ + #endif /* CONFIG_NFS_V4_1 */ + + struct nfs_page; diff --git a/queue-3.17/parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch b/queue-3.17/parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch new file mode 100644 index 00000000000..b61ce2e3c99 --- /dev/null +++ b/queue-3.17/parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch @@ -0,0 +1,90 @@ +From 2fe749f50b0bec07650ef135b29b1f55bf543869 Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Mon, 10 Nov 2014 21:46:18 +0100 +Subject: parisc: Use compat layer for msgctl, shmat, shmctl and semtimedop syscalls + +From: Helge Deller + +commit 2fe749f50b0bec07650ef135b29b1f55bf543869 upstream. + +Switch over the msgctl, shmat, shmctl and semtimedop syscalls to use the compat +layer. The problem was found with the debian procenv package, which called + shmctl(0, SHM_INFO, &info); +in which the shmctl syscall then overwrote parts of the surrounding areas on +the stack on which the info variable was stored and thus lead to a segfault +later on. + +Additionally fix the definition of struct shminfo64 to use unsigned longs like +the other architectures. This has no impact on userspace since we only have a +32bit userspace up to now. + +Signed-off-by: Helge Deller +Cc: John David Anglin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/uapi/asm/shmbuf.h | 25 +++++++++---------------- + arch/parisc/kernel/syscall_table.S | 8 ++++---- + 2 files changed, 13 insertions(+), 20 deletions(-) + +--- a/arch/parisc/include/uapi/asm/shmbuf.h ++++ b/arch/parisc/include/uapi/asm/shmbuf.h +@@ -36,23 +36,16 @@ struct shmid64_ds { + unsigned int __unused2; + }; + +-#ifdef CONFIG_64BIT +-/* The 'unsigned int' (formerly 'unsigned long') data types below will +- * ensure that a 32-bit app calling shmctl(*,IPC_INFO,*) will work on +- * a wide kernel, but if some of these values are meant to contain pointers +- * they may need to be 'long long' instead. -PB XXX FIXME +- */ +-#endif + struct shminfo64 { +- unsigned int shmmax; +- unsigned int shmmin; +- unsigned int shmmni; +- unsigned int shmseg; +- unsigned int shmall; +- unsigned int __unused1; +- unsigned int __unused2; +- unsigned int __unused3; +- unsigned int __unused4; ++ unsigned long shmmax; ++ unsigned long shmmin; ++ unsigned long shmmni; ++ unsigned long shmseg; ++ unsigned long shmall; ++ unsigned long __unused1; ++ unsigned long __unused2; ++ unsigned long __unused3; ++ unsigned long __unused4; + }; + + #endif /* _PARISC_SHMBUF_H */ +--- a/arch/parisc/kernel/syscall_table.S ++++ b/arch/parisc/kernel/syscall_table.S +@@ -286,11 +286,11 @@ + ENTRY_COMP(msgsnd) + ENTRY_COMP(msgrcv) + ENTRY_SAME(msgget) /* 190 */ +- ENTRY_SAME(msgctl) +- ENTRY_SAME(shmat) ++ ENTRY_COMP(msgctl) ++ ENTRY_COMP(shmat) + ENTRY_SAME(shmdt) + ENTRY_SAME(shmget) +- ENTRY_SAME(shmctl) /* 195 */ ++ ENTRY_COMP(shmctl) /* 195 */ + ENTRY_SAME(ni_syscall) /* streams1 */ + ENTRY_SAME(ni_syscall) /* streams2 */ + ENTRY_SAME(lstat64) +@@ -323,7 +323,7 @@ + ENTRY_SAME(epoll_ctl) /* 225 */ + ENTRY_SAME(epoll_wait) + ENTRY_SAME(remap_file_pages) +- ENTRY_SAME(semtimedop) ++ ENTRY_COMP(semtimedop) + ENTRY_COMP(mq_open) + ENTRY_SAME(mq_unlink) /* 230 */ + ENTRY_COMP(mq_timedsend) diff --git a/queue-3.17/scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch b/queue-3.17/scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch new file mode 100644 index 00000000000..387fd6341b2 --- /dev/null +++ b/queue-3.17/scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch @@ -0,0 +1,39 @@ +From 48379270fe6808cf4612ee094adc8da2b7a83baa Mon Sep 17 00:00:00 2001 +From: Christoph Hellwig +Date: Mon, 3 Nov 2014 19:36:40 +0100 +Subject: scsi: only re-lock door after EH on devices that were reset + +From: Christoph Hellwig + +commit 48379270fe6808cf4612ee094adc8da2b7a83baa upstream. + +Setups that use the blk-mq I/O path can lock up if a host with a single +device that has its door locked enters EH. Make sure to only send the +command to re-lock the door to devices that actually were reset and thus +might have lost their state. Otherwise the EH code might be get blocked +on blk_get_request as all requests for non-reset devices might be in use. + +Signed-off-by: Christoph Hellwig +Reported-by: Meelis Roos +Tested-by: Meelis Roos +Reviewed-by: Martin K. Petersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/scsi_error.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/scsi/scsi_error.c ++++ b/drivers/scsi/scsi_error.c +@@ -1998,8 +1998,10 @@ static void scsi_restart_operations(stru + * is no point trying to lock the door of an off-line device. + */ + shost_for_each_device(sdev, shost) { +- if (scsi_device_online(sdev) && sdev->locked) ++ if (scsi_device_online(sdev) && sdev->was_reset && sdev->locked) { + scsi_eh_lock_door(sdev); ++ sdev->was_reset = 0; ++ } + } + + /* diff --git a/queue-3.17/series b/queue-3.17/series index 75a49933b1b..875df6f3fb5 100644 --- a/queue-3.17/series +++ b/queue-3.17/series @@ -74,3 +74,12 @@ arm-mvebu-armada-xp-generalize-use-of-i2c-quirk.patch pinctrl-dra-dt-bindings-fix-output-pull-up-down.patch fix-thinko-in-iov_iter_single_seg_count.patch dm-thin-grab-a-virtual-cell-before-looking-up-the-mapping.patch +arm64-__clear_user-handle-exceptions-on-strb.patch +arm64-efi-fix-stub-cache-maintenance.patch +firewire-cdev-prevent-kernel-stack-leaking-into-ioctl-arguments.patch +ata-sata_rcar-disable-dipm-mode-for-r8a7790-es1.patch +nfs-fix-pnfs-direct-write-memory-leak.patch +correct-the-race-condition-in-aarch64_insn_patch_text_sync.patch +scsi-only-re-lock-door-after-eh-on-devices-that-were-reset.patch +parisc-use-compat-layer-for-msgctl-shmat-shmctl-and-semtimedop-syscalls.patch +block-fix-computation-of-merged-request-priority.patch