From: Greg Kroah-Hartman Date: Tue, 23 May 2017 18:37:29 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.55~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=55c904f3505a1dbb13c0d9734b44df2392edf941;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch nfsd-check-for-oversized-nfsv2-v3-arguments.patch nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch nfsd-fix-up-the-supattr_exclcreat-attributes.patch osf_wait4-fix-infoleak.patch pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch pci-freeze-pme-scan-before-suspending-devices.patch tracing-kprobes-enforce-kprobes-teardown-after-testing.patch --- diff --git a/queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch b/queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch new file mode 100644 index 00000000000..12ff7d98cd4 --- /dev/null +++ b/queue-4.4/drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch 
@@ -0,0 +1,40 @@ +From b299cde245b0b76c977f4291162cf668e087b408 Mon Sep 17 00:00:00 2001 +From: Julius Werner +Date: Fri, 12 May 2017 14:42:58 -0700 +Subject: drivers: char: mem: Check for address space wraparound with mmap() + +From: Julius Werner + +commit b299cde245b0b76c977f4291162cf668e087b408 upstream. + +/dev/mem currently allows mmap() mappings that wrap around the end of +the physical address space, which should probably be illegal. It +circumvents the existing STRICT_DEVMEM permission check because the loop +immediately terminates (as the start address is already higher than the +end address). On the x86_64 architecture it will then cause a panic +(from the BUG(start >= end) in arch/x86/mm/pat.c:reserve_memtype()). + +This patch adds an explicit check to make sure offset + size will not +wrap around in the physical address type. + +Signed-off-by: Julius Werner +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/mem.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -343,6 +343,11 @@ static const struct vm_operations_struct + static int mmap_mem(struct file *file, struct vm_area_struct *vma) + { + size_t size = vma->vm_end - vma->vm_start; ++ phys_addr_t offset = (phys_addr_t)vma->vm_pgoff << PAGE_SHIFT; ++ ++ /* It's illegal to wrap around the end of the physical address space. */ ++ if (offset + (phys_addr_t)size < offset) ++ return -EINVAL; + + if (!valid_mmap_phys_addr_range(vma->vm_pgoff, size)) + return -EINVAL; diff --git a/queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch b/queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch new file mode 100644 index 00000000000..f5a287d2f93 --- /dev/null +++ b/queue-4.4/drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch 
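Review bot: The new test only catches a wrap in the addition; `(phys_addr_t)vma->vm_pgoff << PAGE_SHIFT` can itself drop high bits when phys_addr_t is no wider than unsigned long (32-bit builds without a 64-bit physical address type), and such a truncated offset then passes both this check and the `valid_mmap_phys_addr_range(vma->vm_pgoff, size)` below — I cannot see the arch definitions from here, so confirm. A guard before the shift, `if (vma->vm_pgoff > (~(phys_addr_t)0) >> PAGE_SHIFT) return -EINVAL;`, closes that case on every configuration. The comment could also say the wrap test is well-defined only because phys_addr_t is unsigned. The rest of mmap_mem() is outside the hunk.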
@@ -0,0 +1,57 @@ +From e345da82bd6bdfa8492f80b3ce4370acfd868d95 Mon Sep 17 00:00:00 2001 +From: Mario Kleiner +Date: Fri, 21 Apr 2017 17:05:08 +0200 +Subject: drm/edid: Add 10 bpc quirk for LGD 764 panel in HP zBook 17 G2 + +From: Mario Kleiner + +commit e345da82bd6bdfa8492f80b3ce4370acfd868d95 upstream. + +The builtin eDP panel in the HP zBook 17 G2 supports 10 bpc, +as advertised by the Laptops product specs and verified via +injecting a fixed edid + photometer measurements, but edid +reports unknown depth, so drivers fall back to 6 bpc. + +Add a quirk to get the full 10 bpc. + +Signed-off-by: Mario Kleiner +Acked-by: Harry Wentland +Signed-off-by: Daniel Vetter +Link: http://patchwork.freedesktop.org/patch/msgid/1492787108-23959-1-git-send-email-mario.kleiner.de@gmail.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -75,6 +75,8 @@ + #define EDID_QUIRK_FORCE_12BPC (1 << 9) + /* Force 6bpc */ + #define EDID_QUIRK_FORCE_6BPC (1 << 10) ++/* Force 10bpc */ ++#define EDID_QUIRK_FORCE_10BPC (1 << 11) + + struct detailed_mode_closure { + struct drm_connector *connector; +@@ -117,6 +119,9 @@ static struct edid_quirk { + { "FCM", 13600, EDID_QUIRK_PREFER_LARGE_75 | + EDID_QUIRK_DETAILED_IN_CM }, + ++ /* LGD panel of HP zBook 17 G2, eDP 10 bpc, but reports unknown bpc */ ++ { "LGD", 764, EDID_QUIRK_FORCE_10BPC }, ++ + /* LG Philips LCD LP154W01-A5 */ + { "LPL", 0, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE }, + { "LPL", 0x2a00, EDID_QUIRK_DETAILED_USE_MAXIMUM_SIZE }, +@@ -3834,6 +3839,9 @@ int drm_add_edid_modes(struct drm_connec + if (quirks & EDID_QUIRK_FORCE_8BPC) + connector->display_info.bpc = 8; + ++ if (quirks & EDID_QUIRK_FORCE_10BPC) ++ connector->display_info.bpc = 10; ++ + if (quirks & EDID_QUIRK_FORCE_12BPC) + connector->display_info.bpc = 12; + 
diff --git a/queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch b/queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch new file mode 100644 index 00000000000..9c6d7bf4e93 --- /dev/null +++ b/queue-4.4/drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch @@ -0,0 +1,40 @@ +From 04a68a35ce6d7b54749989f943993020f48fed62 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Wed, 9 Nov 2016 10:39:05 +0000 +Subject: drm/i915/gvt: Disable access to stolen memory as a guest + +From: Chris Wilson + +commit 04a68a35ce6d7b54749989f943993020f48fed62 upstream. + +Explicitly disable stolen memory when running as a guest in a virtual +machine, since the memory is not mediated between clients and reserved +entirely for the host. The actual size should be reported as zero, but +like every other quirk we want to tell the user what is happening. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=99028 +Signed-off-by: Chris Wilson +Cc: Zhenyu Wang +Cc: Joonas Lahtinen +Link: http://patchwork.freedesktop.org/patch/msgid/20161109103905.17860-1-chris@chris-wilson.co.uk +Reviewed-by: Zhenyu Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_stolen.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_gem_stolen.c ++++ b/drivers/gpu/drm/i915/i915_gem_stolen.c +@@ -405,6 +405,11 @@ int i915_gem_init_stolen(struct drm_devi + + mutex_init(&dev_priv->mm.stolen_lock); + ++ if (intel_vgpu_active(dev_priv)) { ++ DRM_INFO("iGVT-g active, disabling use of stolen memory\n"); ++ return 0; ++ } ++ + #ifdef CONFIG_INTEL_IOMMU + if (intel_iommu_gfx_mapped && INTEL_INFO(dev)->gen < 8) { + DRM_INFO("DMAR active, disabling use of stolen memory\n"); diff --git a/queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch b/queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch new file mode 100644 index 00000000000..3bf179c1100 --- /dev/null 
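Review bot: `intel_vgpu_active(dev_priv)` is taken verbatim from the upstream commit, but the surrounding 4.4 code in this hunk still works with `dev` (`INTEL_INFO(dev)->gen` two lines below), and as far as I can tell the 4.4 tree's `intel_vgpu_active()` takes a `struct drm_device *` — if so this passes the wrong pointer, `to_i915()` reads a field from the wrong structure, and the compiler only emits an incompatible-pointer warning. Confirm the prototype in 4.4's i915_drv.h and use `if (intel_vgpu_active(dev)) {` if it takes the drm_device. The enclosing i915_gem_init_stolen() begins before the hunk.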
+++ b/queue-4.4/nfsd-check-for-oversized-nfsv2-v3-arguments.patch 
@@ -0,0 +1,176 @@ +From 51f567777799c9d85a778302b9eb61cf15214a98 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 6 Apr 2017 22:36:31 -0400 +Subject: nfsd: check for oversized NFSv2/v3 arguments +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: J. Bruce Fields + +commit 51f567777799c9d85a778302b9eb61cf15214a98 upstream. + +A client can append random data to the end of an NFSv2 or NFSv3 RPC call +without our complaining; we'll just stop parsing at the end of the +expected data and ignore the rest. + +Encoded arguments and replies are stored together in an array of pages, +and if a call is too large it could leave inadequate space for the +reply. This is normally OK because NFS RPC's typically have either +short arguments and long replies (like READ) or long arguments and short +replies (like WRITE). But a client that sends an incorrectly long reply +can violate those assumptions. This was observed to cause crashes. + +So, insist that the argument not be any longer than we expect. + +Also, several operations increment rq_next_page in the decode routine +before checking the argument size, which can leave rq_next_page pointing +well past the end of the page array, causing trouble later in +svc_free_pages. + +As followup we may also want to rewrite the encoding routines to check +more carefully that they aren't running off the end of the page array. + +Reported-by: Tuomas Haanpää +Reported-by: Ari Kauppi +Signed-off-by: J. 
Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 23 +++++++++++++++++------ + fs/nfsd/nfsxdr.c | 13 ++++++++++--- + include/linux/sunrpc/svc.h | 3 +-- + 3 files changed, 28 insertions(+), 11 deletions(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -334,8 +334,11 @@ nfs3svc_decode_readargs(struct svc_rqst + if (!p) + return 0; + p = xdr_decode_hyper(p, &args->offset); +- + args->count = ntohl(*p++); ++ ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; ++ + len = min(args->count, max_blocksize); + + /* set up the kvec */ +@@ -349,7 +352,7 @@ nfs3svc_decode_readargs(struct svc_rqst + v++; + } + args->vlen = v; +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +@@ -540,9 +543,11 @@ nfs3svc_decode_readlinkargs(struct svc_r + p = decode_fh(p, &args->fh); + if (!p) + return 0; ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; + args->buffer = page_address(*(rqstp->rq_next_page++)); + +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +@@ -568,10 +573,14 @@ nfs3svc_decode_readdirargs(struct svc_rq + args->verf = p; p += 2; + args->dircount = ~0; + args->count = ntohl(*p++); ++ ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; ++ + args->count = min_t(u32, args->count, PAGE_SIZE); + args->buffer = page_address(*(rqstp->rq_next_page++)); + +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +@@ -589,6 +598,9 @@ nfs3svc_decode_readdirplusargs(struct sv + args->dircount = ntohl(*p++); + args->count = ntohl(*p++); + ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; ++ + len = args->count = min(args->count, max_blocksize); + while (len > 0) { + struct page *p = *(rqstp->rq_next_page++); +@@ -596,8 +608,7 @@ nfs3svc_decode_readdirplusargs(struct sv + args->buffer = page_address(p); + len -= PAGE_SIZE; + } +- +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +--- a/fs/nfsd/nfsxdr.c ++++ b/fs/nfsd/nfsxdr.c +@@ -257,6 +257,9 @@ nfssvc_decode_readargs(struct svc_rqst * + len = args->count = 
ntohl(*p++); + p++; /* totalcount - unused */ + ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; ++ + len = min_t(unsigned int, len, NFSSVC_MAXBLKSIZE_V2); + + /* set up somewhere to store response. +@@ -272,7 +275,7 @@ nfssvc_decode_readargs(struct svc_rqst * + v++; + } + args->vlen = v; +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +@@ -362,9 +365,11 @@ nfssvc_decode_readlinkargs(struct svc_rq + p = decode_fh(p, &args->fh); + if (!p) + return 0; ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; + args->buffer = page_address(*(rqstp->rq_next_page++)); + +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + int +@@ -402,9 +407,11 @@ nfssvc_decode_readdirargs(struct svc_rqs + args->cookie = ntohl(*p++); + args->count = ntohl(*p++); + args->count = min_t(u32, args->count, PAGE_SIZE); ++ if (!xdr_argsize_check(rqstp, p)) ++ return 0; + args->buffer = page_address(*(rqstp->rq_next_page++)); + +- return xdr_argsize_check(rqstp, p); ++ return 1; + } + + /* +--- a/include/linux/sunrpc/svc.h ++++ b/include/linux/sunrpc/svc.h +@@ -335,8 +335,7 @@ xdr_argsize_check(struct svc_rqst *rqstp + { + char *cp = (char *)p; + struct kvec *vec = &rqstp->rq_arg.head[0]; +- return cp >= (char*)vec->iov_base +- && cp <= (char*)vec->iov_base + vec->iov_len; ++ return cp == (char *)vec->iov_base + vec->iov_len; + } + + static inline int diff --git a/queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch b/queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch new file mode 100644 index 00000000000..b46fca5f868 --- /dev/null +++ b/queue-4.4/nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch 
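Review bot: The tightened `xdr_argsize_check()` (exact equality with the end of `rq_arg.head[0]`) is wired into the READ/READLINK/READDIR/READDIRPLUS decoders in the hunks shown, but the write-like decoders (WRITE, SYMLINK and their v3 counterparts) take their payload from the page array and are not touched here, so an oversized WRITE can still leave `rq_next_page` and the reply space in the state the commit message describes. Upstream followed this with "nfsd: stricter decoding of write-like NFSv2/v3 ops"; check that it is queued for 4.4 alongside this one. Minor: in nfssvc_decode_readdirargs the check sits after `args->count = min_t(u32, args->count, PAGE_SIZE);` while every v3 decoder checks immediately after the last `ntohl(*p++)` — harmless, but moving it up would make the two files read alike.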
@@ -0,0 +1,64 @@ +From f961e3f2acae94b727380c0b74e2d3954d0edf79 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 5 May 2017 16:17:57 -0400 +Subject: nfsd: encoders mustn't use unitialized values in error cases + +From: J. Bruce Fields + +commit f961e3f2acae94b727380c0b74e2d3954d0edf79 upstream. + +In error cases, lgp->lg_layout_type may be out of bounds; so we +shouldn't be using it until after the check of nfserr. + +This was seen to crash nfsd threads when the server receives a LAYOUTGET +request with a large layout type. + +GETDEVICEINFO has the same problem. + +Reported-by: Ari Kauppi +Reviewed-by: Christoph Hellwig +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -4041,8 +4041,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_ + struct nfsd4_getdeviceinfo *gdev) + { + struct xdr_stream *xdr = &resp->xdr; +- const struct nfsd4_layout_ops *ops = +- nfsd4_layout_ops[gdev->gd_layout_type]; ++ const struct nfsd4_layout_ops *ops; + u32 starting_len = xdr->buf->len, needed_len; + __be32 *p; + +@@ -4059,6 +4058,7 @@ nfsd4_encode_getdeviceinfo(struct nfsd4_ + + /* If maxcount is 0 then just update notifications */ + if (gdev->gd_maxcount != 0) { ++ ops = nfsd4_layout_ops[gdev->gd_layout_type]; + nfserr = ops->encode_getdeviceinfo(xdr, gdev); + if (nfserr) { + /* +@@ -4111,8 +4111,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp + struct nfsd4_layoutget *lgp) + { + struct xdr_stream *xdr = &resp->xdr; +- const struct nfsd4_layout_ops *ops = +- nfsd4_layout_ops[lgp->lg_layout_type]; ++ const struct nfsd4_layout_ops *ops; + __be32 *p; + + dprintk("%s: err %d\n", __func__, nfserr); +@@ -4135,6 +4134,7 @@ nfsd4_encode_layoutget(struct nfsd4_comp + *p++ = cpu_to_be32(lgp->lg_seg.iomode); + *p++ = cpu_to_be32(lgp->lg_layout_type); + ++ ops = nfsd4_layout_ops[lgp->lg_layout_type]; + nfserr = 
ops->encode_layoutget(xdr, lgp); + out: + kfree(lgp->lg_content); diff --git a/queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch b/queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch new file mode 100644 index 00000000000..8b0e479e7ef --- /dev/null +++ b/queue-4.4/nfsd-fix-up-the-supattr_exclcreat-attributes.patch @@ -0,0 +1,41 @@ +From b26b78cb726007533d81fdf90a62e915002ef5c8 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Tue, 9 May 2017 16:24:59 -0400 +Subject: nfsd: Fix up the "supattr_exclcreat" attributes + +From: Trond Myklebust + +commit b26b78cb726007533d81fdf90a62e915002ef5c8 upstream. + +If an NFSv4 client asks us for the supattr_exclcreat, then we must +not return attributes that are unsupported by this minor version. + +Signed-off-by: Trond Myklebust +Fixes: 75976de6556f ("NFSD: Return word2 bitmask if setting security..,") +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs4xdr.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -2753,9 +2753,14 @@ out_acl: + } + #endif /* CONFIG_NFSD_PNFS */ + if (bmval2 & FATTR4_WORD2_SUPPATTR_EXCLCREAT) { +- status = nfsd4_encode_bitmap(xdr, NFSD_SUPPATTR_EXCLCREAT_WORD0, +- NFSD_SUPPATTR_EXCLCREAT_WORD1, +- NFSD_SUPPATTR_EXCLCREAT_WORD2); ++ u32 supp[3]; ++ ++ memcpy(supp, nfsd_suppattrs[minorversion], sizeof(supp)); ++ supp[0] &= NFSD_SUPPATTR_EXCLCREAT_WORD0; ++ supp[1] &= NFSD_SUPPATTR_EXCLCREAT_WORD1; ++ supp[2] &= NFSD_SUPPATTR_EXCLCREAT_WORD2; ++ ++ status = nfsd4_encode_bitmap(xdr, supp[0], supp[1], supp[2]); + if (status) + goto out; + } diff --git a/queue-4.4/osf_wait4-fix-infoleak.patch b/queue-4.4/osf_wait4-fix-infoleak.patch new file mode 100644 index 00000000000..7c4742f3ba8 --- /dev/null +++ b/queue-4.4/osf_wait4-fix-infoleak.patch 
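Review bot: Both encoders still index `nfsd4_layout_ops[]` with the client-supplied layout type; deferring the lookup past the `nfserr` bail-out is safe only because the proc routines (outside this file) reject unknown types with an error before the encoder runs, and nothing at the new lookup sites says so. A one-line comment at each, `/* only reached with nfserr == 0, i.e. after the proc validated lg_layout_type */`, records the invariant the fix depends on. In nfsd4_encode_getdeviceinfo the `if (nfserr) goto out;` that precedes the maxcount branch lies between the two hunks and is not shown, so confirm the ordering in the 4.4 tree.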
@@ -0,0 +1,33 @@ +From a8c39544a6eb2093c04afd5005b6192bd0e880c6 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Sun, 14 May 2017 21:47:25 -0400 +Subject: osf_wait4(): fix infoleak + +From: Al Viro + +commit a8c39544a6eb2093c04afd5005b6192bd0e880c6 upstream. + +failing sys_wait4() won't fill struct rusage... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/osf_sys.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -1188,8 +1188,10 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, i + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + +- err = 0; +- err |= put_user(status, ustatus); ++ err = put_user(status, ustatus); ++ if (ret < 0) ++ return err ? err : ret; ++ + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); diff --git a/queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch b/queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch new file mode 100644 index 00000000000..4b88e8515ef --- /dev/null +++ b/queue-4.4/pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch 
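Review bot: `if (ret < 0)` closes the failure case but not `ret == 0`: with WNOHANG and no child to reap, sys_wait4() returns 0 and — if 4.4's do_wait() only fills the rusage when a child is actually reaped, which I cannot confirm from this hunk — `r` is still uninitialized when the `__put_user()` lines below copy its fields to user space, so a slice of kernel stack still leaks on that path. The native wait4 also leaves the user rusage untouched when it returns 0, so `if (ret <= 0) return err ? err : ret;` would match it and close the gap. The declaration of `r` and the remaining field copies are outside the hunk.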
@@ -0,0 +1,46 @@ +From 6bccc7f426abd640f08d8c75fb22f99483f201b4 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Wed, 12 Apr 2017 13:25:50 +0100 +Subject: PCI: Fix pci_mmap_fits() for HAVE_PCI_RESOURCE_TO_USER platforms + +From: David Woodhouse + +commit 6bccc7f426abd640f08d8c75fb22f99483f201b4 upstream. + +In the PCI_MMAP_PROCFS case when the address being passed by the user is a +'user visible' resource address based on the bus window, and not the actual +contents of the resource, that's what we need to be checking it against. + +Signed-off-by: David Woodhouse +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci-sysfs.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -973,15 +973,19 @@ void pci_remove_legacy_files(struct pci_ + int pci_mmap_fits(struct pci_dev *pdev, int resno, struct vm_area_struct *vma, + enum pci_mmap_api mmap_api) + { +- unsigned long nr, start, size, pci_start; ++ unsigned long nr, start, size; ++ resource_size_t pci_start = 0, pci_end; + + if (pci_resource_len(pdev, resno) == 0) + return 0; + nr = vma_pages(vma); + start = vma->vm_pgoff; + size = ((pci_resource_len(pdev, resno) - 1) >> PAGE_SHIFT) + 1; +- pci_start = (mmap_api == PCI_MMAP_PROCFS) ? +- pci_resource_start(pdev, resno) >> PAGE_SHIFT : 0; ++ if (mmap_api == PCI_MMAP_PROCFS) { ++ pci_resource_to_user(pdev, resno, &pdev->resource[resno], ++ &pci_start, &pci_end); ++ pci_start >>= PAGE_SHIFT; ++ } + if (start >= pci_start && start < pci_start + size && + start + nr <= pci_start + size) + return 1; diff --git a/queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch b/queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch new file mode 100644 index 00000000000..9423a399f97 --- /dev/null +++ b/queue-4.4/pci-freeze-pme-scan-before-suspending-devices.patch 
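Review bot: The meaning of `vma->vm_pgoff` now depends on mmap_api, but nothing in the function says so: for PCI_MMAP_PROCFS it is compared against the user-visible start returned by `pci_resource_to_user()`, while on the sysfs path `pci_start` stays 0 and the offset is relative to the BAR. A comment above the new block, `/* procfs offsets are user-visible bus addresses; sysfs offsets are relative to the BAR start, hence pci_start = 0 */`, would keep the next reader from "fixing" the zero default. No functional concern with the change itself; the function's tail is outside the hunk.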
@@ -0,0 +1,152 @@ +From ea00353f36b64375518662a8ad15e39218a1f324 Mon Sep 17 00:00:00 2001 +From: Lukas Wunner +Date: Tue, 18 Apr 2017 20:44:30 +0200 +Subject: PCI: Freeze PME scan before suspending devices +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Lukas Wunner + +commit ea00353f36b64375518662a8ad15e39218a1f324 upstream. + +Laurent Pinchart reported that the Renesas R-Car H2 Lager board (r8a7790) +crashes during suspend tests. Geert Uytterhoeven managed to reproduce the +issue on an M2-W Koelsch board (r8a7791): + + It occurs when the PME scan runs, once per second. During PME scan, the + PCI host bridge (rcar-pci) registers are accessed while its module clock + has already been disabled, leading to the crash. + +One reproducer is to configure s2ram to use "s2idle" instead of "deep" +suspend: + + # echo 0 > /sys/module/printk/parameters/console_suspend + # echo s2idle > /sys/power/mem_sleep + # echo mem > /sys/power/state + +Another reproducer is to write either "platform" or "processors" to +/sys/power/pm_test. It does not (or is less likely) to happen during full +system suspend ("core" or "none") because system suspend also disables +timers, and thus the workqueue handling PME scans no longer runs. Geert +believes the issue may still happen in the small window between disabling +module clocks and disabling timers: + + # echo 0 > /sys/module/printk/parameters/console_suspend + # echo platform > /sys/power/pm_test # Or "processors" + # echo mem > /sys/power/state + +(Make sure CONFIG_PCI_RCAR_GEN2 and CONFIG_USB_OHCI_HCD_PCI are enabled.) + +Rafael Wysocki agrees that PME scans should be suspended before the host +bridge registers become inaccessible. To that end, queue the task on a +workqueue that gets frozen before devices suspend. 
+ +Rafael notes however that as a result, some wakeup events may be missed if +they are delivered via PME from a device without working IRQ (which hence +must be polled) and occur after the workqueue has been frozen. If that +turns out to be an issue in practice, it may be possible to solve it by +calling pci_pme_list_scan() once directly from one of the host bridge's +pm_ops callbacks. + +Stacktrace for posterity: + + PM: Syncing filesystems ... [ 38.566237] done. + PM: Preparing system for sleep (mem) + Freezing user space processes ... [ 38.579813] (elapsed 0.001 seconds) done. + Freezing remaining freezable tasks ... (elapsed 0.001 seconds) done. + PM: Suspending system (mem) + PM: suspend of devices complete after 152.456 msecs + PM: late suspend of devices complete after 2.809 msecs + PM: noirq suspend of devices complete after 29.863 msecs + suspend debug: Waiting for 5 second(s). + Unhandled fault: asynchronous external abort (0x1211) at 0x00000000 + pgd = c0003000 + [00000000] *pgd=80000040004003, *pmd=00000000 + Internal error: : 1211 [#1] SMP ARM + Modules linked in: + CPU: 1 PID: 20 Comm: kworker/1:1 Not tainted + 4.9.0-rc1-koelsch-00011-g68db9bc814362e7f #3383 + Hardware name: Generic R8A7791 (Flattened Device Tree) + Workqueue: events pci_pme_list_scan + task: eb56e140 task.stack: eb58e000 + PC is at pci_generic_config_read+0x64/0x6c + LR is at rcar_pci_cfg_base+0x64/0x84 + pc : [] lr : [] psr: 600d0093 + sp : eb58fe98 ip : c041d750 fp : 00000008 + r10: c0e2283c r9 : 00000000 r8 : 600d0013 + r7 : 00000008 r6 : eb58fed6 r5 : 00000002 r4 : eb58feb4 + r3 : 00000000 r2 : 00000044 r1 : 00000008 r0 : 00000000 + Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user + Control: 30c5387d Table: 6a9f6c80 DAC: 55555555 + Process kworker/1:1 (pid: 20, stack limit = 0xeb58e210) + Stack: (0xeb58fe98 to 0xeb590000) + fe80: 00000002 00000044 + fea0: eb6f5800 c041d9b0 eb58feb4 00000008 00000044 00000000 eb78a000 eb78a000 + fec0: 00000044 00000000 eb9aff00 
c0424bf0 eb78a000 00000000 eb78a000 c0e22830 + fee0: ea8a6fc0 c0424c5c eaae79c0 c0424ce0 eb55f380 c0e22838 eb9a9800 c0235fbc + ff00: eb55f380 c0e22838 eb55f380 eb9a9800 eb9a9800 eb58e000 eb9a9824 c0e02100 + ff20: eb55f398 c02366c4 eb56e140 eb5631c0 00000000 eb55f380 c023641c 00000000 + ff40: 00000000 00000000 00000000 c023a928 cd105598 00000000 40506a34 eb55f380 + ff60: 00000000 00000000 dead4ead ffffffff ffffffff eb58ff74 eb58ff74 00000000 + ff80: 00000000 dead4ead ffffffff ffffffff eb58ff90 eb58ff90 eb58ffac eb5631c0 + ffa0: c023a844 00000000 00000000 c0206d68 00000000 00000000 00000000 00000000 + ffc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 + ffe0: 00000000 00000000 00000000 00000000 00000013 00000000 3a81336c 10ccd1dd + [] (pci_generic_config_read) from [] + (pci_bus_read_config_word+0x58/0x80) + [] (pci_bus_read_config_word) from [] + (pci_check_pme_status+0x34/0x78) + [] (pci_check_pme_status) from [] (pci_pme_wakeup+0x28/0x54) + [] (pci_pme_wakeup) from [] (pci_pme_list_scan+0x58/0xb4) + [] (pci_pme_list_scan) from [] + (process_one_work+0x1bc/0x308) + [] (process_one_work) from [] (worker_thread+0x2a8/0x3e0) + [] (worker_thread) from [] (kthread+0xe4/0xfc) + [] (kthread) from [] (ret_from_fork+0x14/0x2c) + Code: ea000000 e5903000 f57ff04f e3a00000 (e5843000) + ---[ end trace 667d43ba3aa9e589 ]--- + +Fixes: df17e62e5bff ("PCI: Add support for polling PME state on suspended legacy PCI devices") +Reported-and-tested-by: Laurent Pinchart +Reported-and-tested-by: Geert Uytterhoeven +Signed-off-by: Lukas Wunner +Signed-off-by: Bjorn Helgaas +Reviewed-by: Laurent Pinchart +Acked-by: Rafael J. 
Wysocki +Cc: Mika Westerberg +Cc: Niklas Söderlund +Cc: Simon Horman +Cc: Yinghai Lu +Cc: Matthew Garrett +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pci.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1732,8 +1732,8 @@ static void pci_pme_list_scan(struct wor + } + } + if (!list_empty(&pci_pme_list)) +- schedule_delayed_work(&pci_pme_work, +- msecs_to_jiffies(PME_TIMEOUT)); ++ queue_delayed_work(system_freezable_wq, &pci_pme_work, ++ msecs_to_jiffies(PME_TIMEOUT)); + mutex_unlock(&pci_pme_list_mutex); + } + +@@ -1798,8 +1798,9 @@ void pci_pme_active(struct pci_dev *dev, + mutex_lock(&pci_pme_list_mutex); + list_add(&pme_dev->list, &pci_pme_list); + if (list_is_singular(&pci_pme_list)) +- schedule_delayed_work(&pci_pme_work, +- msecs_to_jiffies(PME_TIMEOUT)); ++ queue_delayed_work(system_freezable_wq, ++ &pci_pme_work, ++ msecs_to_jiffies(PME_TIMEOUT)); + mutex_unlock(&pci_pme_list_mutex); + } else { + mutex_lock(&pci_pme_list_mutex); diff --git a/queue-4.4/series b/queue-4.4/series index b796a96a097..71d87fd7385 100644 --- a/queue-4.4/series +++ b/queue-4.4/series 
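Review bot: The trade-off the commit message spells out — a PME from a device without a working IRQ, which must be polled, is lost once `system_freezable_wq` is frozen — is not visible at either `queue_delayed_work()` call site. A short comment at the first one, `/* freezable: the scan must not touch host-bridge registers once they are suspended; a polled PME that arrives after the freeze is missed */`, keeps that caveat with the code. Both call sites move consistently; pci_pme_list_scan() and pci_pme_active() begin before the hunk.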
@@ -94,3 +94,13 @@ metag-uaccess-check-access_ok-in-strncpy_from_user.patch
 stackprotector-increase-the-per-task-stack-canary-s-random-range-from-32-bits-to-64-bits-on-64-bit-platforms.patch
 uwb-fix-device-quirk-on-big-endian-hosts.patch
 genirq-fix-chained-interrupt-data-ordering.patch
+osf_wait4-fix-infoleak.patch
+tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
+pci-fix-pci_mmap_fits-for-have_pci_resource_to_user-platforms.patch
+pci-freeze-pme-scan-before-suspending-devices.patch
+drm-edid-add-10-bpc-quirk-for-lgd-764-panel-in-hp-zbook-17-g2.patch
+nfsd-check-for-oversized-nfsv2-v3-arguments.patch
+nfsd-encoders-mustn-t-use-unitialized-values-in-error-cases.patch
+nfsd-fix-up-the-supattr_exclcreat-attributes.patch
+drivers-char-mem-check-for-address-space-wraparound-with-mmap.patch
+drm-i915-gvt-disable-access-to-stolen-memory-as-a-guest.patch
diff --git a/queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch b/queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
new file mode 100644
index 00000000000..7434fca00e7
--- /dev/null
+++ b/queue-4.4/tracing-kprobes-enforce-kprobes-teardown-after-testing.patch
@@ -0,0 +1,77 @@ +From 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Wed, 17 May 2017 10:19:49 +0200 +Subject: tracing/kprobes: Enforce kprobes teardown after testing + +From: Thomas Gleixner + +commit 30e7d894c1478c88d50ce94ddcdbd7f9763d9cdd upstream. + +Enabling the tracer selftest triggers occasionally the warning in +text_poke(), which warns when the to be modified page is not marked +reserved. + +The reason is that the tracer selftest installs kprobes on functions marked +__init for testing. These probes are removed after the tests, but that +removal schedules the delayed kprobes_optimizer work, which will do the +actual text poke. If the work is executed after the init text is freed, +then the warning triggers. The bug can be reproduced reliably when the work +delay is increased. + +Flush the optimizer work and wait for the optimizing/unoptimizing lists to +become empty before returning from the kprobes tracer selftest. That +ensures that all operations which were queued due to the probes removal +have completed. 
+ +Link: http://lkml.kernel.org/r/20170516094802.76a468bb@gandalf.local.home + +Signed-off-by: Thomas Gleixner +Acked-by: Masami Hiramatsu +Fixes: 6274de498 ("kprobes: Support delayed unoptimizing") +Signed-off-by: Steven Rostedt (VMware) +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/kprobes.h | 4 +++- + kernel/kprobes.c | 2 +- + kernel/trace/trace_kprobe.c | 5 +++++ + 3 files changed, 9 insertions(+), 2 deletions(-) + +--- a/include/linux/kprobes.h ++++ b/include/linux/kprobes.h +@@ -330,7 +330,9 @@ extern int proc_kprobes_optimization_han + int write, void __user *buffer, + size_t *length, loff_t *ppos); + #endif +- ++extern void wait_for_kprobe_optimizer(void); ++#else ++static inline void wait_for_kprobe_optimizer(void) { } + #endif /* CONFIG_OPTPROBES */ + #ifdef CONFIG_KPROBES_ON_FTRACE + extern void kprobe_ftrace_handler(unsigned long ip, unsigned long parent_ip, +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -563,7 +563,7 @@ static void kprobe_optimizer(struct work + } + + /* Wait for completing optimization and unoptimization */ +-static void wait_for_kprobe_optimizer(void) ++void wait_for_kprobe_optimizer(void) + { + mutex_lock(&kprobe_mutex); + +--- a/kernel/trace/trace_kprobe.c ++++ b/kernel/trace/trace_kprobe.c +@@ -1471,6 +1471,11 @@ static __init int kprobe_trace_self_test + + end: + release_all_trace_kprobes(); ++ /* ++ * Wait for the optimizer work to finish. Otherwise it might fiddle ++ * with probes in already freed __init text. ++ */ ++ wait_for_kprobe_optimizer(); + if (warn) + pr_cont("NG: Some tests are failed. Please check them.\n"); + else