From: Greg Kroah-Hartman Date: Thu, 18 Aug 2016 10:56:58 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.14.77~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=43bd85a7a00183386cb07c847cfb965cfc96e7c8;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-dts-sunxi-add-a-startup-delay-for-fixed-regulator-enabled-phys.patch audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch drm-i915-don-t-complain-about-lack-of-acpi-video-bios.patch iommu-amd-handle-iommu_domain_dma-in-ops-domain_free-call-back.patch iommu-amd-init-unity-mappings-only-for-dma_ops-domains.patch iommu-amd-update-alias-dte-in-update_device_table.patch iommu-exynos-suppress-unbinding-to-prevent-system-failure.patch iommu-vt-d-return-error-code-in-domain_context_mapping_one.patch netlabel-add-address-family-checks-to-netlbl_-sock-req-_delattr.patch w1-omap_hdq-fix-regression.patch --- diff --git a/queue-4.4/arm-dts-sunxi-add-a-startup-delay-for-fixed-regulator-enabled-phys.patch b/queue-4.4/arm-dts-sunxi-add-a-startup-delay-for-fixed-regulator-enabled-phys.patch new file mode 100644 index 00000000000..26fd051e4fc --- /dev/null +++ b/queue-4.4/arm-dts-sunxi-add-a-startup-delay-for-fixed-regulator-enabled-phys.patch @@ -0,0 +1,72 @@ +From fc51b632c7b047c25807023b76f3877aed19c770 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sat, 4 Jun 2016 12:58:39 +0200 +Subject: ARM: dts: sunxi: Add a startup delay for fixed regulator enabled phys + +From: Hans de Goede + +commit fc51b632c7b047c25807023b76f3877aed19c770 upstream. + +It seems that recent kernels have a shorter timeout when scanning for +ethernet phys causing us to hit a timeout on boards where the phy's +regulator gets enabled just before scanning, which leads to non working +ethernet. + +A 10ms startup delay seems to be enough to fix it, this commit adds a +20ms startup delay just to be safe. + +This has been tested on a sun4i-a10-a1000 and sun5i-a10s-wobo-i5 board, +both of which have non-working ethernet on recent kernels without this +fix. + +Signed-off-by: Hans de Goede +Signed-off-by: Maxime Ripard +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/sun4i-a10-a1000.dts | 1 + + arch/arm/boot/dts/sun4i-a10-hackberry.dts | 1 + + arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts | 1 + + arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts | 1 + + 4 files changed, 4 insertions(+) + +--- a/arch/arm/boot/dts/sun4i-a10-a1000.dts ++++ b/arch/arm/boot/dts/sun4i-a10-a1000.dts +@@ -84,6 +84,7 @@ + regulator-name = "emac-3v3"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; ++ startup-delay-us = <20000>; + enable-active-high; + gpio = <&pio 7 15 GPIO_ACTIVE_HIGH>; + }; +--- a/arch/arm/boot/dts/sun4i-a10-hackberry.dts ++++ b/arch/arm/boot/dts/sun4i-a10-hackberry.dts +@@ -66,6 +66,7 @@ + regulator-name = "emac-3v3"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; ++ startup-delay-us = <20000>; + enable-active-high; + gpio = <&pio 7 19 GPIO_ACTIVE_HIGH>; + }; +--- a/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts ++++ b/arch/arm/boot/dts/sun4i-a10-jesurun-q5.dts +@@ -80,6 +80,7 @@ + regulator-name = "emac-3v3"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; ++ startup-delay-us = <20000>; + enable-active-high; + gpio = <&pio 7 19 GPIO_ACTIVE_HIGH>; /* PH19 */ + }; +--- a/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts ++++ b/arch/arm/boot/dts/sun5i-a10s-wobo-i5.dts +@@ -79,6 +79,7 @@ + regulator-name = "emac-3v3"; + regulator-min-microvolt = <3300000>; + regulator-max-microvolt = <3300000>; ++ startup-delay-us = <20000>; + enable-active-high; + gpio = <&pio 0 2 GPIO_ACTIVE_HIGH>; + }; diff --git a/queue-4.4/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch b/queue-4.4/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch new file mode 100644 index 00000000000..4cd129df89b --- /dev/null +++ b/queue-4.4/audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch @@ -0,0 +1,416 @@ +From 43761473c254b45883a64441dd0bc85a42f3645c Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Tue, 19 Jul 2016 17:42:57 -0400 +Subject: audit: fix a double fetch in audit_log_single_execve_arg() + +From: Paul Moore + +commit 43761473c254b45883a64441dd0bc85a42f3645c upstream. + +There is a double fetch problem in audit_log_single_execve_arg() +where we first check the execve(2) argumnets for any "bad" characters +which would require hex encoding and then re-fetch the arguments for +logging in the audit record[1]. Of course this leaves a window of +opportunity for an unsavory application to munge with the data. + +This patch reworks things by only fetching the argument data once[2] +into a buffer where it is scanned and logged into the audit +records(s). In addition to fixing the double fetch, this patch +improves on the original code in a few other ways: better handling +of large arguments which require encoding, stricter record length +checking, and some performance improvements (completely unverified, +but we got rid of some strlen() calls, that's got to be a good +thing). + +As part of the development of this patch, I've also created a basic +regression test for the audit-testsuite, the test can be tracked on +GitHub at the following link: + + * https://github.com/linux-audit/audit-testsuite/issues/25 + +[1] If you pay careful attention, there is actually a triple fetch +problem due to a strnlen_user() call at the top of the function. + +[2] This is a tiny white lie, we do make a call to strnlen_user() +prior to fetching the argument data. I don't like it, but due to the +way the audit record is structured we really have no choice unless we +copy the entire argument at once (which would require a rather +wasteful allocation). The good news is that with this patch the +kernel no longer relies on this strnlen_user() value for anything +beyond recording it in the log, we also update it with a trustworthy +value whenever possible. + +Reported-by: Pengfei Wang +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/auditsc.c | 332 +++++++++++++++++++++++++++---------------------------- + 1 file changed, 164 insertions(+), 168 deletions(-) + +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -73,6 +73,7 @@ + #include + #include + #include ++#include + #include + + #include "audit.h" +@@ -82,7 +83,8 @@ + #define AUDITSC_SUCCESS 1 + #define AUDITSC_FAILURE 2 + +-/* no execve audit message should be longer than this (userspace limits) */ ++/* no execve audit message should be longer than this (userspace limits), ++ * see the note near the top of audit_log_execve_info() about this value */ + #define MAX_EXECVE_AUDIT_LEN 7500 + + /* max length to print of cmdline/proctitle value during audit */ +@@ -988,184 +990,178 @@ static int audit_log_pid_context(struct + return rc; + } + +-/* +- * to_send and len_sent accounting are very loose estimates. We aren't +- * really worried about a hard cap to MAX_EXECVE_AUDIT_LEN so much as being +- * within about 500 bytes (next page boundary) +- * +- * why snprintf? an int is up to 12 digits long. if we just assumed when +- * logging that a[%d]= was going to be 16 characters long we would be wasting +- * space in every audit message. In one 7500 byte message we can log up to +- * about 1000 min size arguments. That comes down to about 50% waste of space +- * if we didn't do the snprintf to find out how long arg_num_len was. +- */ +-static int audit_log_single_execve_arg(struct audit_context *context, +- struct audit_buffer **ab, +- int arg_num, +- size_t *len_sent, +- const char __user *p, +- char *buf) +-{ +- char arg_num_len_buf[12]; +- const char __user *tmp_p = p; +- /* how many digits are in arg_num? 5 is the length of ' a=""' */ +- size_t arg_num_len = snprintf(arg_num_len_buf, 12, "%d", arg_num) + 5; +- size_t len, len_left, to_send; +- size_t max_execve_audit_len = MAX_EXECVE_AUDIT_LEN; +- unsigned int i, has_cntl = 0, too_long = 0; +- int ret; +- +- /* strnlen_user includes the null we don't want to send */ +- len_left = len = strnlen_user(p, MAX_ARG_STRLEN) - 1; ++static void audit_log_execve_info(struct audit_context *context, ++ struct audit_buffer **ab) ++{ ++ long len_max; ++ long len_rem; ++ long len_full; ++ long len_buf; ++ long len_abuf; ++ long len_tmp; ++ bool require_data; ++ bool encode; ++ unsigned int iter; ++ unsigned int arg; ++ char *buf_head; ++ char *buf; ++ const char __user *p = (const char __user *)current->mm->arg_start; + +- /* +- * We just created this mm, if we can't find the strings +- * we just copied into it something is _very_ wrong. Similar +- * for strings that are too long, we should not have created +- * any. +- */ +- if (WARN_ON_ONCE(len < 0 || len > MAX_ARG_STRLEN - 1)) { +- send_sig(SIGKILL, current, 0); +- return -1; ++ /* NOTE: this buffer needs to be large enough to hold all the non-arg ++ * data we put in the audit record for this argument (see the ++ * code below) ... at this point in time 96 is plenty */ ++ char abuf[96]; ++ ++ /* NOTE: we set MAX_EXECVE_AUDIT_LEN to a rather arbitrary limit, the ++ * current value of 7500 is not as important as the fact that it ++ * is less than 8k, a setting of 7500 gives us plenty of wiggle ++ * room if we go over a little bit in the logging below */ ++ WARN_ON_ONCE(MAX_EXECVE_AUDIT_LEN > 7500); ++ len_max = MAX_EXECVE_AUDIT_LEN; ++ ++ /* scratch buffer to hold the userspace args */ ++ buf_head = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); ++ if (!buf_head) { ++ audit_panic("out of memory for argv string"); ++ return; + } ++ buf = buf_head; ++ ++ audit_log_format(*ab, "argc=%d", context->execve.argc); + +- /* walk the whole argument looking for non-ascii chars */ ++ len_rem = len_max; ++ len_buf = 0; ++ len_full = 0; ++ require_data = true; ++ encode = false; ++ iter = 0; ++ arg = 0; + do { +- if (len_left > MAX_EXECVE_AUDIT_LEN) +- to_send = MAX_EXECVE_AUDIT_LEN; +- else +- to_send = len_left; +- ret = copy_from_user(buf, tmp_p, to_send); +- /* +- * There is no reason for this copy to be short. We just +- * copied them here, and the mm hasn't been exposed to user- +- * space yet. +- */ +- if (ret) { +- WARN_ON(1); +- send_sig(SIGKILL, current, 0); +- return -1; +- } +- buf[to_send] = '\0'; +- has_cntl = audit_string_contains_control(buf, to_send); +- if (has_cntl) { +- /* +- * hex messages get logged as 2 bytes, so we can only +- * send half as much in each message +- */ +- max_execve_audit_len = MAX_EXECVE_AUDIT_LEN / 2; +- break; +- } +- len_left -= to_send; +- tmp_p += to_send; +- } while (len_left > 0); +- +- len_left = len; +- +- if (len > max_execve_audit_len) +- too_long = 1; +- +- /* rewalk the argument actually logging the message */ +- for (i = 0; len_left > 0; i++) { +- int room_left; +- +- if (len_left > max_execve_audit_len) +- to_send = max_execve_audit_len; +- else +- to_send = len_left; +- +- /* do we have space left to send this argument in this ab? */ +- room_left = MAX_EXECVE_AUDIT_LEN - arg_num_len - *len_sent; +- if (has_cntl) +- room_left -= (to_send * 2); +- else +- room_left -= to_send; +- if (room_left < 0) { +- *len_sent = 0; +- audit_log_end(*ab); +- *ab = audit_log_start(context, GFP_KERNEL, AUDIT_EXECVE); +- if (!*ab) +- return 0; +- } ++ /* NOTE: we don't ever want to trust this value for anything ++ * serious, but the audit record format insists we ++ * provide an argument length for really long arguments, ++ * e.g. > MAX_EXECVE_AUDIT_LEN, so we have no choice but ++ * to use strncpy_from_user() to obtain this value for ++ * recording in the log, although we don't use it ++ * anywhere here to avoid a double-fetch problem */ ++ if (len_full == 0) ++ len_full = strnlen_user(p, MAX_ARG_STRLEN) - 1; ++ ++ /* read more data from userspace */ ++ if (require_data) { ++ /* can we make more room in the buffer? */ ++ if (buf != buf_head) { ++ memmove(buf_head, buf, len_buf); ++ buf = buf_head; ++ } + +- /* +- * first record needs to say how long the original string was +- * so we can be sure nothing was lost. +- */ +- if ((i == 0) && (too_long)) +- audit_log_format(*ab, " a%d_len=%zu", arg_num, +- has_cntl ? 2*len : len); +- +- /* +- * normally arguments are small enough to fit and we already +- * filled buf above when we checked for control characters +- * so don't bother with another copy_from_user +- */ +- if (len >= max_execve_audit_len) +- ret = copy_from_user(buf, p, to_send); +- else +- ret = 0; +- if (ret) { +- WARN_ON(1); +- send_sig(SIGKILL, current, 0); +- return -1; +- } +- buf[to_send] = '\0'; ++ /* fetch as much as we can of the argument */ ++ len_tmp = strncpy_from_user(&buf_head[len_buf], p, ++ len_max - len_buf); ++ if (len_tmp == -EFAULT) { ++ /* unable to copy from userspace */ ++ send_sig(SIGKILL, current, 0); ++ goto out; ++ } else if (len_tmp == (len_max - len_buf)) { ++ /* buffer is not large enough */ ++ require_data = true; ++ /* NOTE: if we are going to span multiple ++ * buffers force the encoding so we stand ++ * a chance at a sane len_full value and ++ * consistent record encoding */ ++ encode = true; ++ len_full = len_full * 2; ++ p += len_tmp; ++ } else { ++ require_data = false; ++ if (!encode) ++ encode = audit_string_contains_control( ++ buf, len_tmp); ++ /* try to use a trusted value for len_full */ ++ if (len_full < len_max) ++ len_full = (encode ? ++ len_tmp * 2 : len_tmp); ++ p += len_tmp + 1; ++ } ++ len_buf += len_tmp; ++ buf_head[len_buf] = '\0'; + +- /* actually log it */ +- audit_log_format(*ab, " a%d", arg_num); +- if (too_long) +- audit_log_format(*ab, "[%d]", i); +- audit_log_format(*ab, "="); +- if (has_cntl) +- audit_log_n_hex(*ab, buf, to_send); +- else +- audit_log_string(*ab, buf); +- +- p += to_send; +- len_left -= to_send; +- *len_sent += arg_num_len; +- if (has_cntl) +- *len_sent += to_send * 2; +- else +- *len_sent += to_send; +- } +- /* include the null we didn't log */ +- return len + 1; +-} ++ /* length of the buffer in the audit record? */ ++ len_abuf = (encode ? len_buf * 2 : len_buf + 2); ++ } + +-static void audit_log_execve_info(struct audit_context *context, +- struct audit_buffer **ab) +-{ +- int i, len; +- size_t len_sent = 0; +- const char __user *p; +- char *buf; ++ /* write as much as we can to the audit log */ ++ if (len_buf > 0) { ++ /* NOTE: some magic numbers here - basically if we ++ * can't fit a reasonable amount of data into the ++ * existing audit buffer, flush it and start with ++ * a new buffer */ ++ if ((sizeof(abuf) + 8) > len_rem) { ++ len_rem = len_max; ++ audit_log_end(*ab); ++ *ab = audit_log_start(context, ++ GFP_KERNEL, AUDIT_EXECVE); ++ if (!*ab) ++ goto out; ++ } + +- p = (const char __user *)current->mm->arg_start; ++ /* create the non-arg portion of the arg record */ ++ len_tmp = 0; ++ if (require_data || (iter > 0) || ++ ((len_abuf + sizeof(abuf)) > len_rem)) { ++ if (iter == 0) { ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d_len=%lu", ++ arg, len_full); ++ } ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d[%d]=", arg, iter++); ++ } else ++ len_tmp += snprintf(&abuf[len_tmp], ++ sizeof(abuf) - len_tmp, ++ " a%d=", arg); ++ WARN_ON(len_tmp >= sizeof(abuf)); ++ abuf[sizeof(abuf) - 1] = '\0'; ++ ++ /* log the arg in the audit record */ ++ audit_log_format(*ab, "%s", abuf); ++ len_rem -= len_tmp; ++ len_tmp = len_buf; ++ if (encode) { ++ if (len_abuf > len_rem) ++ len_tmp = len_rem / 2; /* encoding */ ++ audit_log_n_hex(*ab, buf, len_tmp); ++ len_rem -= len_tmp * 2; ++ len_abuf -= len_tmp * 2; ++ } else { ++ if (len_abuf > len_rem) ++ len_tmp = len_rem - 2; /* quotes */ ++ audit_log_n_string(*ab, buf, len_tmp); ++ len_rem -= len_tmp + 2; ++ /* don't subtract the "2" because we still need ++ * to add quotes to the remaining string */ ++ len_abuf -= len_tmp; ++ } ++ len_buf -= len_tmp; ++ buf += len_tmp; ++ } + +- audit_log_format(*ab, "argc=%d", context->execve.argc); ++ /* ready to move to the next argument? */ ++ if ((len_buf == 0) && !require_data) { ++ arg++; ++ iter = 0; ++ len_full = 0; ++ require_data = true; ++ encode = false; ++ } ++ } while (arg < context->execve.argc); + +- /* +- * we need some kernel buffer to hold the userspace args. Just +- * allocate one big one rather than allocating one of the right size +- * for every single argument inside audit_log_single_execve_arg() +- * should be <8k allocation so should be pretty safe. +- */ +- buf = kmalloc(MAX_EXECVE_AUDIT_LEN + 1, GFP_KERNEL); +- if (!buf) { +- audit_panic("out of memory for argv string"); +- return; +- } ++ /* NOTE: the caller handles the final audit_log_end() call */ + +- for (i = 0; i < context->execve.argc; i++) { +- len = audit_log_single_execve_arg(context, ab, i, +- &len_sent, p, buf); +- if (len <= 0) +- break; +- p += len; +- } +- kfree(buf); ++out: ++ kfree(buf_head); + } + + static void show_special(struct audit_context *context, int *call_panic) diff --git a/queue-4.4/drm-i915-don-t-complain-about-lack-of-acpi-video-bios.patch b/queue-4.4/drm-i915-don-t-complain-about-lack-of-acpi-video-bios.patch new file mode 100644 index 00000000000..91f71633eb0 --- /dev/null +++ b/queue-4.4/drm-i915-don-t-complain-about-lack-of-acpi-video-bios.patch @@ -0,0 +1,33 @@ +From 78c3d5fa7354774b7c8638033d46c042ebae41fb Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Fri, 23 Oct 2015 11:00:06 +0200 +Subject: drm/i915: Don't complain about lack of ACPI video bios + +From: Daniel Vetter + +commit 78c3d5fa7354774b7c8638033d46c042ebae41fb upstream. + +Another CI fail we have for no reason. Totally unjustified since +nothing fails at all. + +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/1445590806-23886-1-git-send-email-daniel.vetter@ffwll.ch +Acked-by: Jani Nikula +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_opregion.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_opregion.c ++++ b/drivers/gpu/drm/i915/intel_opregion.c +@@ -682,7 +682,7 @@ static void intel_didl_outputs(struct dr + } + + if (!acpi_video_bus) { +- DRM_ERROR("No ACPI video bus found\n"); ++ DRM_DEBUG_KMS("No ACPI video bus found\n"); + return; + } + diff --git a/queue-4.4/iommu-amd-handle-iommu_domain_dma-in-ops-domain_free-call-back.patch b/queue-4.4/iommu-amd-handle-iommu_domain_dma-in-ops-domain_free-call-back.patch new file mode 100644 index 00000000000..6c7005216c1 --- /dev/null +++ b/queue-4.4/iommu-amd-handle-iommu_domain_dma-in-ops-domain_free-call-back.patch @@ -0,0 +1,64 @@ +From cda7005ba2cbd0744fea343dd5b2aa637eba5b9e Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Thu, 7 Jul 2016 15:57:04 +0200 +Subject: iommu/amd: Handle IOMMU_DOMAIN_DMA in ops->domain_free call-back + +From: Joerg Roedel + +commit cda7005ba2cbd0744fea343dd5b2aa637eba5b9e upstream. + +This domain type is not yet handled in the +iommu_ops->domain_free() call-back. Fix that. + +Fixes: 0bb6e243d7fb ('iommu/amd: Support IOMMU_DOMAIN_DMA type allocation') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 27 ++++++++++++++++++--------- + 1 file changed, 18 insertions(+), 9 deletions(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2970,9 +2970,7 @@ static struct iommu_domain *amd_iommu_do + static void amd_iommu_domain_free(struct iommu_domain *dom) + { + struct protection_domain *domain; +- +- if (!dom) +- return; ++ struct dma_ops_domain *dma_dom; + + domain = to_pdomain(dom); + +@@ -2981,13 +2979,24 @@ static void amd_iommu_domain_free(struct + + BUG_ON(domain->dev_cnt != 0); + +- if (domain->mode != PAGE_MODE_NONE) +- free_pagetable(domain); +- +- if (domain->flags & PD_IOMMUV2_MASK) +- free_gcr3_table(domain); ++ if (!dom) ++ return; + +- protection_domain_free(domain); ++ switch (dom->type) { ++ case IOMMU_DOMAIN_DMA: ++ dma_dom = domain->priv; ++ dma_ops_domain_free(dma_dom); ++ break; ++ default: ++ if (domain->mode != PAGE_MODE_NONE) ++ free_pagetable(domain); ++ ++ if (domain->flags & PD_IOMMUV2_MASK) ++ free_gcr3_table(domain); ++ ++ protection_domain_free(domain); ++ break; ++ } + } + + static void amd_iommu_detach_device(struct iommu_domain *dom, diff --git a/queue-4.4/iommu-amd-init-unity-mappings-only-for-dma_ops-domains.patch b/queue-4.4/iommu-amd-init-unity-mappings-only-for-dma_ops-domains.patch new file mode 100644 index 00000000000..6d87c8ed25f --- /dev/null +++ b/queue-4.4/iommu-amd-init-unity-mappings-only-for-dma_ops-domains.patch @@ -0,0 +1,38 @@ +From b548e786ce47017107765bbeb0f100202525ea83 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Wed, 13 Jul 2016 12:35:24 +0200 +Subject: iommu/amd: Init unity mappings only for dma_ops domains + +From: Joerg Roedel + +commit b548e786ce47017107765bbeb0f100202525ea83 upstream. + +The default domain for a device might also be +identity-mapped. In this case the kernel would crash when +unity mappings are defined for the device. Fix that by +making sure the domain is a dma_ops domain. + +Fixes: 0bb6e243d7fb ('iommu/amd: Support IOMMU_DOMAIN_DMA type allocation') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -352,9 +352,11 @@ static void init_iommu_group(struct devi + if (!domain) + goto out; + +- dma_domain = to_pdomain(domain)->priv; ++ if (to_pdomain(domain)->flags == PD_DMA_OPS_MASK) { ++ dma_domain = to_pdomain(domain)->priv; ++ init_unity_mappings_for_device(dev, dma_domain); ++ } + +- init_unity_mappings_for_device(dev, dma_domain); + out: + iommu_group_put(group); + } diff --git a/queue-4.4/iommu-amd-update-alias-dte-in-update_device_table.patch b/queue-4.4/iommu-amd-update-alias-dte-in-update_device_table.patch new file mode 100644 index 00000000000..419a66f1493 --- /dev/null +++ b/queue-4.4/iommu-amd-update-alias-dte-in-update_device_table.patch @@ -0,0 +1,41 @@ +From 3254de6bf74fe94c197c9f819fe62a3a3c36f073 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Tue, 26 Jul 2016 15:18:54 +0200 +Subject: iommu/amd: Update Alias-DTE in update_device_table() + +From: Joerg Roedel + +commit 3254de6bf74fe94c197c9f819fe62a3a3c36f073 upstream. + +Not doing so might cause IO-Page-Faults when a device uses +an alias request-id and the alias-dte is left in a lower +page-mode which does not cover the address allocated from +the iova-allocator. + +Fixes: 492667dacc0a ('x86/amd-iommu: Remove amd_iommu_pd_table') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2324,8 +2324,15 @@ static void update_device_table(struct p + { + struct iommu_dev_data *dev_data; + +- list_for_each_entry(dev_data, &domain->dev_list, list) ++ list_for_each_entry(dev_data, &domain->dev_list, list) { + set_dte_entry(dev_data->devid, domain, dev_data->ats.enabled); ++ ++ if (dev_data->devid == dev_data->alias) ++ continue; ++ ++ /* There is an alias, update device table entry for it */ ++ set_dte_entry(dev_data->alias, domain, dev_data->ats.enabled); ++ } + } + + static void update_domain(struct protection_domain *domain) diff --git a/queue-4.4/iommu-exynos-suppress-unbinding-to-prevent-system-failure.patch b/queue-4.4/iommu-exynos-suppress-unbinding-to-prevent-system-failure.patch new file mode 100644 index 00000000000..c342ad07ece --- /dev/null +++ b/queue-4.4/iommu-exynos-suppress-unbinding-to-prevent-system-failure.patch @@ -0,0 +1,34 @@ +From b54b874fbaf5e024723e50dfb035a9916d6752b4 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Fri, 20 May 2016 15:48:21 +0200 +Subject: iommu/exynos: Suppress unbinding to prevent system failure + +From: Marek Szyprowski + +commit b54b874fbaf5e024723e50dfb035a9916d6752b4 upstream. + +Removal of IOMMU driver cannot be done reliably, so Exynos IOMMU driver +doesn't support this operation. It is essential for system operation, so +it makes sense to prevent unbinding by disabling bind/unbind sysfs +feature for SYSMMU controller driver to avoid kernel ops or trashing +memory caused by such operation. + +Signed-off-by: Marek Szyprowski +Reviewed-by: Krzysztof Kozlowski +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/exynos-iommu.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/iommu/exynos-iommu.c ++++ b/drivers/iommu/exynos-iommu.c +@@ -647,6 +647,7 @@ static struct platform_driver exynos_sys + .name = "exynos-sysmmu", + .of_match_table = sysmmu_of_match, + .pm = &sysmmu_pm_ops, ++ .suppress_bind_attrs = true, + } + }; + diff --git a/queue-4.4/iommu-vt-d-return-error-code-in-domain_context_mapping_one.patch b/queue-4.4/iommu-vt-d-return-error-code-in-domain_context_mapping_one.patch new file mode 100644 index 00000000000..de68e272037 --- /dev/null +++ b/queue-4.4/iommu-vt-d-return-error-code-in-domain_context_mapping_one.patch @@ -0,0 +1,35 @@ +From 5c365d18a73d3979db37006eaacefc0008869c0f Mon Sep 17 00:00:00 2001 +From: Wei Yang +Date: Wed, 13 Jul 2016 13:53:21 +0000 +Subject: iommu/vt-d: Return error code in domain_context_mapping_one() + +From: Wei Yang + +commit 5c365d18a73d3979db37006eaacefc0008869c0f upstream. + +In 'commit <55d940430ab9> ("iommu/vt-d: Get rid of domain->iommu_lock")', +the error handling path is changed a little, which makes the function +always return 0. + +This path fixes this. + +Signed-off-by: Wei Yang +Fixes: 55d940430ab9 ('iommu/vt-d: Get rid of domain->iommu_lock') +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/intel-iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -2032,7 +2032,7 @@ out_unlock: + spin_unlock(&iommu->lock); + spin_unlock_irqrestore(&device_domain_lock, flags); + +- return 0; ++ return ret; + } + + struct domain_context_mapping_data { diff --git a/queue-4.4/netlabel-add-address-family-checks-to-netlbl_-sock-req-_delattr.patch b/queue-4.4/netlabel-add-address-family-checks-to-netlbl_-sock-req-_delattr.patch new file mode 100644 index 00000000000..26ab0e35270 --- /dev/null +++ b/queue-4.4/netlabel-add-address-family-checks-to-netlbl_-sock-req-_delattr.patch @@ -0,0 +1,51 @@ +From 0e0e36774081534783aa8eeb9f6fbddf98d3c061 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Mon, 6 Jun 2016 15:17:20 -0400 +Subject: netlabel: add address family checks to netlbl_{sock,req}_delattr() + +From: Paul Moore + +commit 0e0e36774081534783aa8eeb9f6fbddf98d3c061 upstream. + +It seems risky to always rely on the caller to ensure the socket's +address family is correct before passing it to the NetLabel kAPI, +especially since we see at least one LSM which didn't. Add address +family checks to the *_delattr() functions to help prevent future +problems. + +Reported-by: Maninder Singh +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + net/netlabel/netlabel_kapi.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/netlabel/netlabel_kapi.c ++++ b/net/netlabel/netlabel_kapi.c +@@ -824,7 +824,11 @@ socket_setattr_return: + */ + void netlbl_sock_delattr(struct sock *sk) + { +- cipso_v4_sock_delattr(sk); ++ switch (sk->sk_family) { ++ case AF_INET: ++ cipso_v4_sock_delattr(sk); ++ break; ++ } + } + + /** +@@ -987,7 +991,11 @@ req_setattr_return: + */ + void netlbl_req_delattr(struct request_sock *req) + { +- cipso_v4_req_delattr(req); ++ switch (req->rsk_ops->family) { ++ case AF_INET: ++ cipso_v4_req_delattr(req); ++ break; ++ } + } + + /** diff --git a/queue-4.4/series b/queue-4.4/series index 1d3c7ef79db..5414c36c6ee 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -62,3 +62,13 @@ mips-kvm-propagate-kseg0-mapped-tlb-fault-errors.patch nfs-don-t-create-zero-length-requests.patch nfsd-fix-race-between-free_stateid-and-lock.patch nfsd-don-t-return-an-unhashed-lock-stateid-after-taking-mutex.patch +drm-i915-don-t-complain-about-lack-of-acpi-video-bios.patch +iommu-exynos-suppress-unbinding-to-prevent-system-failure.patch +iommu-vt-d-return-error-code-in-domain_context_mapping_one.patch +iommu-amd-handle-iommu_domain_dma-in-ops-domain_free-call-back.patch +iommu-amd-init-unity-mappings-only-for-dma_ops-domains.patch +iommu-amd-update-alias-dte-in-update_device_table.patch +audit-fix-a-double-fetch-in-audit_log_single_execve_arg.patch +arm-dts-sunxi-add-a-startup-delay-for-fixed-regulator-enabled-phys.patch +netlabel-add-address-family-checks-to-netlbl_-sock-req-_delattr.patch +w1-omap_hdq-fix-regression.patch diff --git a/queue-4.4/w1-omap_hdq-fix-regression.patch b/queue-4.4/w1-omap_hdq-fix-regression.patch new file mode 100644 index 00000000000..81825b7f67d --- /dev/null +++ b/queue-4.4/w1-omap_hdq-fix-regression.patch @@ -0,0 +1,52 @@ +From ecfaf0c42fc4306b5ec4bf6be01b66f8fe9a9733 Mon Sep 17 00:00:00 2001 +From: "H. Nikolaus Schaller" +Date: Tue, 2 Aug 2016 14:07:12 -0700 +Subject: w1:omap_hdq: fix regression + +From: H. Nikolaus Schaller + +commit ecfaf0c42fc4306b5ec4bf6be01b66f8fe9a9733 upstream. + +Commit e93762bbf681 ("w1: masters: omap_hdq: add support for 1-wire +mode") added a statement to clear the hdq_irqstatus flags in +hdq_read_byte(). + +If the hdq reading process is scheduled slowly or interrupts are +disabled for a while the hardware read activity might already be +finished on entry of hdq_read_byte(). And hdq_isr() already has set the +hdq_irqstatus to 0x6 (can be seen in debug mode) denoting that both, the +TXCOMPLETE and RXCOMPLETE interrupts occurred in parallel. + +This means there is no need to wait and the hdq_read_byte() can just +read the byte from the hdq controller. + +By resetting hdq_irqstatus to 0 the read process is forced to be always +waiting again (because the if statement always succeeds) but the +hardware will not issue another RXCOMPLETE interrupt. This results in a +false timeout. + +After such a situation the hdq bus hangs. + +Link: http://lkml.kernel.org/r/b724765f87ad276a69625bc19806c8c8844c4590.1469513669.git.hns@goldelico.com +Signed-off-by: H. Nikolaus Schaller +Cc: Evgeniy Polyakov +Cc: Greg Kroah-Hartman +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/w1/masters/omap_hdq.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/w1/masters/omap_hdq.c ++++ b/drivers/w1/masters/omap_hdq.c +@@ -390,8 +390,6 @@ static int hdq_read_byte(struct hdq_data + goto out; + } + +- hdq_data->hdq_irqstatus = 0; +- + if (!(hdq_data->hdq_irqstatus & OMAP_HDQ_INT_STATUS_RXCOMPLETE)) { + hdq_reg_merge(hdq_data, OMAP_HDQ_CTRL_STATUS, + OMAP_HDQ_CTRL_STATUS_DIR | OMAP_HDQ_CTRL_STATUS_GO,