From: Greg Kroah-Hartman Date: Sat, 1 Jun 2013 22:00:26 +0000 (-0700) Subject: 3.9-stable patches X-Git-Tag: v3.0.81~17^2~1 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7f28cb5bc6af474434185172000493eafb9578f0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.9-stable patches added patches: ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch iscsi-target-fix-heap-buffer-overflow-on-error.patch nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch powerpc-tm-abort-on-emulation-and-alignment-faults.patch powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch powerpc-tm-update-cause-codes-documentation.patch
---
diff --git a/queue-3.9/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch b/queue-3.9/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
new file mode 100644
index 00000000000..7cd28264f25
--- /dev/null
+++ b/queue-3.9/ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
@@ -0,0 +1,94 @@
+From 1d19f7800d643b270b28d0a969c5eca455d54397 Mon Sep 17 00:00:00 2001
+From: Nicholas Bellinger
+Date: Wed, 15 May 2013 01:30:01 -0700
+Subject: ib_srpt: Call target_sess_cmd_list_set_waiting during shutdown_session
+
+From: Nicholas Bellinger
+
+commit 1d19f7800d643b270b28d0a969c5eca455d54397 upstream.
+
+Given that srpt_release_channel_work() calls target_wait_for_sess_cmds()
+to allow outstanding se_cmd_t->cmd_kref a change to complete, the call
+to perform target_sess_cmd_list_set_waiting() needs to happen in
+srpt_shutdown_session()
+
+Also, this patch adds an explicit call to srpt_shutdown_session() within
+srpt_drain_channel() so that target_sess_cmd_list_set_waiting() will be
+called in the cases where TFO->shutdown_session() is not triggered
+directly by TCM.
+
+Signed-off-by: Nicholas Bellinger
+Cc: Joern Engel
+Cc: Roland Dreier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/ulp/srpt/ib_srpt.c | 32 ++++++++++++++++++++++++--------
+ drivers/infiniband/ulp/srpt/ib_srpt.h | 1 +
+ 2 files changed, 25 insertions(+), 8 deletions(-)
+
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.c
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.c
+@@ -2227,6 +2227,27 @@ static void srpt_close_ch(struct srpt_rd
+ }
+
+ /**
++ * srpt_shutdown_session() - Whether or not a session may be shut down.
++ */
++static int srpt_shutdown_session(struct se_session *se_sess)
++{
++ struct srpt_rdma_ch *ch = se_sess->fabric_sess_ptr;
++ unsigned long flags;
++
++ spin_lock_irqsave(&ch->spinlock, flags);
++ if (ch->in_shutdown) {
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++ return true;
++ }
++
++ ch->in_shutdown = true;
++ target_sess_cmd_list_set_waiting(se_sess);
++ spin_unlock_irqrestore(&ch->spinlock, flags);
++
++ return true;
++}
++
++/**
+ * srpt_drain_channel() - Drain a channel by resetting the IB queue pair.
+ * @cm_id: Pointer to the CM ID of the channel to be drained.
+ *
+@@ -2264,6 +2285,9 @@ static void srpt_drain_channel(struct ib
+ spin_unlock_irq(&sdev->spinlock);
+
+ if (do_reset) {
++ if (ch->sess)
++ srpt_shutdown_session(ch->sess);
++
+ ret = srpt_ch_qp_err(ch);
+ if (ret < 0)
+ printk(KERN_ERR "Setting queue pair in error state"
+@@ -3467,14 +3491,6 @@ static void srpt_release_cmd(struct se_c
+ }
+
+ /**
+- * srpt_shutdown_session() - Whether or not a session may be shut down.
+- */
+-static int srpt_shutdown_session(struct se_session *se_sess)
+-{
+- return true;
+-}
+-
+-/**
+ * srpt_close_session() - Forcibly close a session.
+ *
+ * Callback function invoked by the TCM core to clean up sessions associated
+--- a/drivers/infiniband/ulp/srpt/ib_srpt.h
++++ b/drivers/infiniband/ulp/srpt/ib_srpt.h
+@@ -325,6 +325,7 @@ struct srpt_rdma_ch {
+ u8 sess_name[36];
+ struct work_struct release_work;
+ struct completion *release_done;
++ bool in_shutdown;
+ };
+
+ /**
diff --git a/queue-3.9/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/queue-3.9/iscsi-target-fix-heap-buffer-overflow-on-error.patch
new file mode 100644
index 00000000000..a335e1159fd
--- /dev/null
+++ b/queue-3.9/iscsi-target-fix-heap-buffer-overflow-on-error.patch
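Review bot: The kernel-doc carried along with the relocated srpt_shutdown_session() still reads "Whether or not a session may be shut down", but the function now changes state: under ch->spinlock it sets ch->in_shutdown and, on the first call only, calls target_sess_cmd_list_set_waiting(). I would reword it, for example `* srpt_shutdown_session() - Mark the channel as shutting down and set its session command list waiting (first call only).` The function is declared `int` yet returns `true` on both paths, so the early-return branch could simply become an `if (!ch->in_shutdown)` around the two state-changing lines. Whether target_sess_cmd_list_set_waiting() may be called with the channel spinlock held and interrupts disabled is not visible in this hunk and is worth confirming.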
@@ -0,0 +1,66 @@
+From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Thu, 23 May 2013 10:32:17 -0700
+Subject: iscsi-target: fix heap buffer overflow on error
+
+From: Kees Cook
+
+commit cea4dcfdad926a27a18e188720efe0f2c9403456 upstream.
+
+If a key was larger than 64 bytes, as checked by iscsi_check_key(), the
+error response packet, generated by iscsi_add_notunderstood_response(),
+would still attempt to copy the entire key into the packet, overflowing
+the structure on the heap.
+
+Remote preauthentication kernel memory corruption was possible if a
+target was configured and listening on the network.
+
+CVE-2013-2850
+
+Signed-off-by: Kees Cook
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_parameters.c | 8 +++-----
+ drivers/target/iscsi/iscsi_target_parameters.h | 4 +++-
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_parameters.c
++++ b/drivers/target/iscsi/iscsi_target_parameters.c
+@@ -712,9 +712,9 @@ static int iscsi_add_notunderstood_respo
+ }
+ INIT_LIST_HEAD(&extra_response->er_list);
+
+- strncpy(extra_response->key, key, strlen(key) + 1);
+- strncpy(extra_response->value, NOTUNDERSTOOD,
+- strlen(NOTUNDERSTOOD) + 1);
++ strlcpy(extra_response->key, key, sizeof(extra_response->key));
++ strlcpy(extra_response->value, NOTUNDERSTOOD,
++ sizeof(extra_response->value));
+
+ list_add_tail(&extra_response->er_list,
+ ¶m_list->extra_response_list);
+@@ -1583,8 +1583,6 @@ int iscsi_decode_text_input(
+
+ if (phase & PHASE_SECURITY) {
+ if (iscsi_check_for_auth_key(key) > 0) {
+- char *tmpptr = key + strlen(key);
+- *tmpptr = '=';
+ kfree(tmpbuf);
+ return 1;
+ }
+--- a/drivers/target/iscsi/iscsi_target_parameters.h
++++ b/drivers/target/iscsi/iscsi_target_parameters.h
+@@ -1,8 +1,10 @@
+ #ifndef ISCSI_PARAMETERS_H
+ #define ISCSI_PARAMETERS_H
+
++#include
++
+ struct iscsi_extra_response {
+- char key[64];
++ char key[KEY_MAXLEN];
+ char value[32];
+ struct list_head er_list;
+ } ____cacheline_aligned;
diff --git a/queue-3.9/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch b/queue-3.9/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
new file mode 100644
index 00000000000..4a926e7cb8b
--- /dev/null
+++ b/queue-3.9/nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch
@@ -0,0 +1,30 @@
+From f448badd34700ae728a32ba024249626d49c10e1 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Wed, 29 May 2013 15:36:40 -0400
+Subject: NFSv4: Fix a thinko in nfs4_try_open_cached
+
+From: Trond Myklebust
+
+commit f448badd34700ae728a32ba024249626d49c10e1 upstream.
+
+We need to pass the full open mode flags to nfs_may_open() when doing
+a delegated open.
+
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/nfs/nfs4proc.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/nfs/nfs4proc.c
++++ b/fs/nfs/nfs4proc.c
+@@ -1022,7 +1022,7 @@ static struct nfs4_state *nfs4_try_open_
+ struct nfs4_state *state = opendata->state;
+ struct nfs_inode *nfsi = NFS_I(state->inode);
+ struct nfs_delegation *delegation;
+- int open_mode = opendata->o_arg.open_flags & (O_EXCL|O_TRUNC);
++ int open_mode = opendata->o_arg.open_flags;
+ fmode_t fmode = opendata->o_arg.fmode;
+ nfs4_stateid stateid;
+ int ret = -EAGAIN;
diff --git a/queue-3.9/powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch b/queue-3.9/powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch
new file mode 100644
index 00000000000..aab1fd1e523
--- /dev/null
+++ b/queue-3.9/powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch
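Review bot: The two strlcpy() calls in iscsi_add_notunderstood_response() now truncate silently, and nothing at the call site says that this is intended. Per the commit message the function is reached for keys that iscsi_check_key() has already found longer than the 64-byte field, so a comment such as `/* key may exceed KEY_MAXLEN here; the NotUnderstood reply carries a truncated copy */` would keep a later cleanup from going back to a length derived from the source string. The header change ties `key[]` to KEY_MAXLEN but leaves `char value[32]` as a bare number; a named constant, or a compile-time check that NOTUNDERSTOOD fits, would make the second copy's bound equally explicit. strlcpy() still scans the whole source to compute its return value, so it relies on `key` being NUL-terminated by the caller, which is outside this hunk.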
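Review bot: `open_mode` now carries every bit of `opendata->o_arg.open_flags`, so any other use of it in nfs4_try_open_cached() that relied on seeing only O_EXCL|O_TRUNC needs to be rechecked; the rest of the function body lies outside this hunk. The commit message names nfs_may_open() as the consumer that needs the full flags, so a call that expects only the two masked bits should apply `open_mode & (O_EXCL|O_TRUNC)` itself. A short comment on the declaration, `/* full open flags; nfs_may_open() must see all of them for a delegated open */`, would record why the mask was dropped.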
@@ -0,0 +1,50 @@
+From f7b3367774f92a688d39ed767f0ae9b93af7873a Mon Sep 17 00:00:00 2001
+From: Priyanka Jain
+Date: Fri, 31 May 2013 01:20:02 +0000
+Subject: powerpc/32bit:Store temporary result in r0 instead of r8
+
+From: Priyanka Jain
+
+commit f7b3367774f92a688d39ed767f0ae9b93af7873a upstream.
+
+Commit a9c4e541ea9b22944da356f2a9258b4eddcc953b
+"powerpc/kprobe: Complete kprobe and migrate exception frame"
+introduced a regression:
+
+While returning from exception handling in case of PREEMPT enabled,
+_TIF_NEED_RESCHED bit is checked in TI_FLAGS (thread_info flag) of current
+task. Only if this bit is set, it should continue with the process of
+calling preempt_schedule_irq() to schedule highest priority task if
+available.
+
+Current code assumes that r8 contains TI_FLAGS and check this for
+_TIF_NEED_RESCHED, but as r8 is modified in the code which executes before
+this check, r8 no longer contains the expected TI_FLAGS information.
+
+As a result check for comparison with _TIF_NEED_RESCHED was failing even if
+NEED_RESCHED bit is set in the current thread_info flag. Due to this,
+preempt_schedule_irq() and in turn scheduler was not getting called even if
+highest priority task is ready for execution.
+
+So, store temporary results in r0 instead of r8 to prevent r8 from getting
+modified as subsequent code is dependent on its value.
+
+Signed-off-by: Priyanka Jain
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/entry_32.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/entry_32.S
++++ b/arch/powerpc/kernel/entry_32.S
+@@ -851,7 +851,7 @@ resume_kernel:
+ /* check current_thread_info, _TIF_EMULATE_STACK_STORE */
+ CURRENT_THREAD_INFO(r9, r1)
+ lwz r8,TI_FLAGS(r9)
+- andis. r8,r8,_TIF_EMULATE_STACK_STORE@h
++ andis. r0,r8,_TIF_EMULATE_STACK_STORE@h
+ beq+ 1f
+
+ addi r8,r1,INT_FRAME_SIZE /* Get the kprobed function entry */
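Review bot: The reason `andis.` now writes its result to r0 is not recorded next to the instruction, so the constraint is easy to break again. Per the commit message, r8 must still hold TI_FLAGS when _TIF_NEED_RESCHED is tested later in resume_kernel, on the path taken by `beq+ 1f`; that test is outside this hunk. A comment on the changed line, such as `/* result to r0: r8 must keep TI_FLAGS for the later _TIF_NEED_RESCHED test */`, would document it.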
diff --git a/queue-3.9/powerpc-tm-abort-on-emulation-and-alignment-faults.patch b/queue-3.9/powerpc-tm-abort-on-emulation-and-alignment-faults.patch
new file mode 100644
index 00000000000..e6f18b27963
--- /dev/null
+++ b/queue-3.9/powerpc-tm-abort-on-emulation-and-alignment-faults.patch
@@ -0,0 +1,123 @@
+From 6ce6c629fd8254b3177650de99699682ff7f6707 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Sun, 26 May 2013 18:09:39 +0000
+Subject: powerpc/tm: Abort on emulation and alignment faults
+
+From: Michael Neuling
+
+commit 6ce6c629fd8254b3177650de99699682ff7f6707 upstream.
+
+If we are emulating an instruction inside an active user transaction that
+touches memory, the kernel can't emulate it as it operates in transactional
+suspend context. We need to abort these transactions and send them back to
+userspace for the hardware to rollback.
+
+We can service these if the user transaction is in suspend mode, since the
+kernel will operate in the same suspend context.
+
+This adds a check to all alignment faults and to specific instruction
+emulations (only string instructions for now). If the user process is in an
+active (non-suspended) transaction, we abort the transaction go back to
+userspace allowing the HW to roll back the transaction and tell the user of the
+failure. This also adds new tm abort cause codes to report the reason of the
+persistent error to the user.
+
+Crappy test case here http://neuling.org/devel/junkcode/aligntm.c
+
+Signed-off-by: Michael Neuling
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/powerpc/transactional_memory.txt | 7 ++++--
+ arch/powerpc/include/asm/reg.h | 2 +
+ arch/powerpc/kernel/traps.c | 29 +++++++++++++++++++++++++
+ 3 files changed, 36 insertions(+), 2 deletions(-)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -180,9 +180,12 @@ kernel aborted a transaction:
+ transactions for consistency will use this.
+ TM_CAUSE_SIGNAL Signal delivered.
+ TM_CAUSE_MISC Currently unused.
++ TM_CAUSE_ALIGNMENT Alignment fault.
++ TM_CAUSE_EMULATE Emulation that touched memory.
+
+-These can be checked by the user program's abort handler as TEXASR[0:7].
+-
++These can be checked by the user program's abort handler as TEXASR[0:7]. If
++bit 7 is set, it indicates that the error is consider persistent. For example
++a TM_CAUSE_ALIGNMENT will be persistent while a TM_CAUSE_RESCHED will not.q
+
+ GDB
+ ===
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -122,6 +122,8 @@
+ #define TM_CAUSE_SYSCALL 0xd8 /* future use */
+ #define TM_CAUSE_MISC 0xd6 /* future use */
+ #define TM_CAUSE_SIGNAL 0xd4
++#define TM_CAUSE_ALIGNMENT 0xd2
++#define TM_CAUSE_EMULATE 0xd0
+
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -52,6 +52,7 @@
+ #ifdef CONFIG_PPC64
+ #include
+ #include
++#include
+ #endif
+ #include
+ #include
+@@ -913,6 +914,28 @@ static int emulate_isel(struct pt_regs *
+ return 0;
+ }
+
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++static inline bool tm_abort_check(struct pt_regs *regs, int cause)
++{
++ /* If we're emulating a load/store in an active transaction, we cannot
++ * emulate it as the kernel operates in transaction suspended context.
++ * We need to abort the transaction. This creates a persistent TM
++ * abort so tell the user what caused it with a new code.
++ */
++ if (MSR_TM_TRANSACTIONAL(regs->msr)) {
++ tm_enable();
++ tm_abort(cause);
++ return true;
++ }
++ return false;
++}
++#else
++static inline bool tm_abort_check(struct pt_regs *regs, int reason)
++{
++ return false;
++}
++#endif
++
+ static int emulate_instruction(struct pt_regs *regs)
+ {
+ u32 instword;
+@@ -952,6 +975,9 @@ static int emulate_instruction(struct pt
+
+ /* Emulate load/store string insn. */
+ if ((instword & PPC_INST_STRING_GEN_MASK) == PPC_INST_STRING) {
++ if (tm_abort_check(regs,
++ TM_CAUSE_EMULATE | TM_CAUSE_PERSISTENT))
++ return -EINVAL;
+ PPC_WARN_EMULATED(string, regs);
+ return emulate_string_inst(regs, instword);
+ }
+@@ -1124,6 +1150,9 @@ void alignment_exception(struct pt_regs
+ if (!arch_irq_disabled_regs(regs))
+ local_irq_enable();
+
++ if (tm_abort_check(regs, TM_CAUSE_ALIGNMENT | TM_CAUSE_PERSISTENT))
++ goto bail;
++
+ /* we don't implement logging of alignment exceptions */
+ if (!(current->thread.align_ctl & PR_UNALIGN_SIGBUS))
+ fixed = fix_alignment(regs);
diff --git a/queue-3.9/powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch b/queue-3.9/powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch
new file mode 100644
index 00000000000..95c41d86a4e
--- /dev/null
+++ b/queue-3.9/powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch
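Review bot: The two call sites treat a successful abort differently: alignment_exception() jumps to `bail`, while emulate_instruction() returns -EINVAL, and what its caller does with that value is outside this hunk. If the caller maps -EINVAL to a signal, the task would get one on top of the transaction abort, so that return deserves a comment stating the intended outcome. The `#else` stub of tm_abort_check() names its second parameter `reason` while the real definition uses `cause`; using `cause` in both keeps the prototypes identical. The added documentation sentence reads "is consider persistent" and ends in a stray `q` (`will not.q`); it should read `is considered persistent` and end at `will not.`.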
@@ -0,0 +1,266 @@
+From 2b3f8e87cf99a33fb6faf5026d7147748bbd77b6 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Sun, 26 May 2013 18:09:41 +0000
+Subject: powerpc/tm: Fix userspace stack corruption on signal delivery for active transactions
+
+From: Michael Neuling
+
+commit 2b3f8e87cf99a33fb6faf5026d7147748bbd77b6 upstream.
+
+When in an active transaction that takes a signal, we need to be careful with
+the stack. It's possible that the stack has moved back up after the tbegin.
+The obvious case here is when the tbegin is called inside a function that
+returns before a tend. In this case, the stack is part of the checkpointed
+transactional memory state. If we write over this non transactionally or in
+suspend, we are in trouble because if we get a tm abort, the program counter
+and stack pointer will be back at the tbegin but our in memory stack won't be
+valid anymore.
+
+To avoid this, when taking a signal in an active transaction, we need to use
+the stack pointer from the checkpointed state, rather than the speculated
+state. This ensures that the signal context (written tm suspended) will be
+written below the stack required for the rollback. The transaction is aborted
+becuase of the treclaim, so any memory written between the tbegin and the
+signal will be rolled back anyway.
+
+For signals taken in non-TM or suspended mode, we use the
+normal/non-checkpointed stack pointer.
+
+Tested with 64 and 32 bit signals
+
+Signed-off-by: Michael Neuling
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/powerpc/transactional_memory.txt | 19 +++++++++++
+ arch/powerpc/include/asm/processor.h | 13 ++------
+ arch/powerpc/include/asm/signal.h | 3 +
+ arch/powerpc/kernel/signal.c | 40 +++++++++++++++++++++++--
+ arch/powerpc/kernel/signal.h | 2 -
+ arch/powerpc/kernel/signal_32.c | 10 +-----
+ arch/powerpc/kernel/signal_64.c | 23 ++++----------
+ 7 files changed, 74 insertions(+), 36 deletions(-)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -147,6 +147,25 @@ Example signal handler:
+ fix_the_problem(ucp->dar);
+ }
+
++When in an active transaction that takes a signal, we need to be careful with
++the stack. It's possible that the stack has moved back up after the tbegin.
++The obvious case here is when the tbegin is called inside a function that
++returns before a tend. In this case, the stack is part of the checkpointed
++transactional memory state. If we write over this non transactionally or in
++suspend, we are in trouble because if we get a tm abort, the program counter and
++stack pointer will be back at the tbegin but our in memory stack won't be valid
++anymore.
++
++To avoid this, when taking a signal in an active transaction, we need to use
++the stack pointer from the checkpointed state, rather than the speculated
++state. This ensures that the signal context (written tm suspended) will be
++written below the stack required for the rollback. The transaction is aborted
++becuase of the treclaim, so any memory written between the tbegin and the
++signal will be rolled back anyway.
++
++For signals taken in non-TM or suspended mode, we use the
++normal/non-checkpointed stack pointer.
++
+
+ Failure cause codes used by kernel
+ ==================================
+--- a/arch/powerpc/include/asm/processor.h
++++ b/arch/powerpc/include/asm/processor.h
+@@ -407,21 +407,16 @@ static inline void prefetchw(const void
+ #endif
+
+ #ifdef CONFIG_PPC64
+-static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++static inline unsigned long get_clean_sp(unsigned long sp, int is_32)
+ {
+- unsigned long sp;
+-
+ if (is_32)
+- sp = regs->gpr[1] & 0x0ffffffffUL;
+- else
+- sp = regs->gpr[1];
+-
++ return sp & 0x0ffffffffUL;
+ return sp;
+ }
+ #else
+-static inline unsigned long get_clean_sp(struct pt_regs *regs, int is_32)
++static inline unsigned long get_clean_sp(unsigned long sp, int is_32)
+ {
+- return regs->gpr[1];
++ return sp;
+ }
+ #endif
+
+--- a/arch/powerpc/include/asm/signal.h
++++ b/arch/powerpc/include/asm/signal.h
+@@ -3,5 +3,8 @@
+
+ #define __ARCH_HAS_SA_RESTORER
+ #include
++#include
++
++extern unsigned long get_tm_stackpointer(struct pt_regs *regs);
+
+ #endif /* _ASM_POWERPC_SIGNAL_H */
+--- a/arch/powerpc/kernel/signal.c
++++ b/arch/powerpc/kernel/signal.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "signal.h"
+
+@@ -29,13 +30,13 @@ int show_unhandled_signals = 0;
+ /*
+ * Allocate space for the signal frame
+ */
+-void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
++void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+ size_t frame_size, int is_32)
+ {
+ unsigned long oldsp, newsp;
+
+ /* Default to using normal stack */
+- oldsp = get_clean_sp(regs, is_32);
++ oldsp = get_clean_sp(sp, is_32);
+
+ /* Check for alt stack */
+ if ((ka->sa.sa_flags & SA_ONSTACK) &&
+@@ -170,3 +171,38 @@ void do_notify_resume(struct pt_regs *re
+ tracehook_notify_resume(regs);
+ }
+ }
++
++unsigned long get_tm_stackpointer(struct pt_regs *regs)
++{
++ /* When in an active transaction that takes a signal, we need to be
++ * careful with the stack. It's possible that the stack has moved back
++ * up after the tbegin. The obvious case here is when the tbegin is
++ * called inside a function that returns before a tend. In this case,
++ * the stack is part of the checkpointed transactional memory state.
++ * If we write over this non transactionally or in suspend, we are in
++ * trouble because if we get a tm abort, the program counter and stack
++ * pointer will be back at the tbegin but our in memory stack won't be
++ * valid anymore.
++ *
++ * To avoid this, when taking a signal in an active transaction, we
++ * need to use the stack pointer from the checkpointed state, rather
++ * than the speculated state. This ensures that the signal context
++ * (written tm suspended) will be written below the stack required for
++ * the rollback. The transaction is aborted becuase of the treclaim,
++ * so any memory written between the tbegin and the signal will be
++ * rolled back anyway.
++ *
++ * For signals taken in non-TM or suspended mode, we use the
++ * normal/non-checkpointed stack pointer.
++ */
++
++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM
++ if (MSR_TM_ACTIVE(regs->msr)) {
++ tm_enable();
++ tm_reclaim(¤t->thread, regs->msr, TM_CAUSE_SIGNAL);
++ if (MSR_TM_TRANSACTIONAL(regs->msr))
++ return current->thread.ckpt_regs.gpr[1];
++ }
++#endif
++ return regs->gpr[1];
++}
+--- a/arch/powerpc/kernel/signal.h
++++ b/arch/powerpc/kernel/signal.h
+@@ -12,7 +12,7 @@
+
+ extern void do_notify_resume(struct pt_regs *regs, unsigned long thread_info_flags);
+
+-extern void __user * get_sigframe(struct k_sigaction *ka, struct pt_regs *regs,
++extern void __user * get_sigframe(struct k_sigaction *ka, unsigned long sp,
+ size_t frame_size, int is_32);
+
+ extern int handle_signal32(unsigned long sig, struct k_sigaction *ka,
+--- a/arch/powerpc/kernel/signal_32.c
++++ b/arch/powerpc/kernel/signal_32.c
+@@ -503,12 +503,6 @@ static int save_tm_user_regs(struct pt_r
+ {
+ unsigned long msr = regs->msr;
+
+- /* tm_reclaim rolls back all reg states, updating thread.ckpt_regs,
+- * thread.transact_fpr[], thread.transact_vr[], etc.
+- */
+- tm_enable();
+- tm_reclaim(¤t->thread, msr, TM_CAUSE_SIGNAL);
+-
+ /* Make sure floating point registers are stored in regs */
+ flush_fp_to_thread(current);
+
+@@ -965,7 +959,7 @@ int handle_rt_signal32(unsigned long sig
+
+ /* Set up Signal Frame */
+ /* Put a Real Time Context onto stack */
+- rt_sf = get_sigframe(ka, regs, sizeof(*rt_sf), 1);
++ rt_sf = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*rt_sf), 1);
+ addr = rt_sf;
+ if (unlikely(rt_sf == NULL))
+ goto badframe;
+@@ -1403,7 +1397,7 @@ int handle_signal32(unsigned long sig, s
+ unsigned long tramp;
+
+ /* Set up Signal Frame */
+- frame = get_sigframe(ka, regs, sizeof(*frame), 1);
++ frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 1);
+ if (unlikely(frame == NULL))
+ goto badframe;
+ sc = (struct sigcontext __user *) &frame->sctx;
+--- a/arch/powerpc/kernel/signal_64.c
++++ b/arch/powerpc/kernel/signal_64.c
+@@ -154,11 +154,12 @@ static long setup_sigcontext(struct sigc
+ * As above, but Transactional Memory is in use, so deliver sigcontexts
+ * containing checkpointed and transactional register states.
+ *
+- * To do this, we treclaim to gather both sets of registers and set up the
+- * 'normal' sigcontext registers with rolled-back register values such that a
+- * simple signal handler sees a correct checkpointed register state.
+- * If interested, a TM-aware sighandler can examine the transactional registers
+- * in the 2nd sigcontext to determine the real origin of the signal.
++ * To do this, we treclaim (done before entering here) to gather both sets of
++ * registers and set up the 'normal' sigcontext registers with rolled-back
++ * register values such that a simple signal handler sees a correct
++ * checkpointed register state. If interested, a TM-aware sighandler can
++ * examine the transactional registers in the 2nd sigcontext to determine the
++ * real origin of the signal.
+ */
+ static long setup_tm_sigcontexts(struct sigcontext __user *sc,
+ struct sigcontext __user *tm_sc,
+@@ -184,16 +185,6 @@ static long setup_tm_sigcontexts(struct
+
+ BUG_ON(!MSR_TM_ACTIVE(regs->msr));
+
+- /* tm_reclaim rolls back all reg states, saving checkpointed (older)
+- * GPRs to thread.ckpt_regs and (if used) FPRs to (newer)
+- * thread.transact_fp and/or VRs to (newer) thread.transact_vr.
+- * THEN we save out FP/VRs, if necessary, to the checkpointed (older)
+- * thread.fr[]/vr[]s. The transactional (newer) GPRs are on the
+- * stack, in *regs.
+- */
+- tm_enable();
+- tm_reclaim(¤t->thread, msr, TM_CAUSE_SIGNAL);
+-
+ flush_fp_to_thread(current);
+
+ #ifdef CONFIG_ALTIVEC
+@@ -711,7 +702,7 @@ int handle_rt_signal64(int signr, struct
+ unsigned long newsp = 0;
+ long err = 0;
+
+- frame = get_sigframe(ka, regs, sizeof(*frame), 0);
++ frame = get_sigframe(ka, get_tm_stackpointer(regs), sizeof(*frame), 0);
+ if (unlikely(frame == NULL))
+ goto badframe;
+
diff --git a/queue-3.9/powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch b/queue-3.9/powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch
new file mode 100644
index 00000000000..7a83d2b2b81
--- /dev/null
+++ b/queue-3.9/powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch
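Review bot: get_tm_stackpointer() reads like an accessor, but it reclaims the transaction (tm_enable() and tm_reclaim()), and save_tm_user_regs() and setup_tm_sigcontexts() now depend on that having happened before they run. signal_64.c records this with "(done before entering here)", but in signal_32.c the reclaim comment was deleted from save_tm_user_regs() without a replacement; a line there such as `/* tm_reclaim() was already done by get_tm_stackpointer() when the frame was allocated */` would keep the ordering requirement visible. The function's own comment could also state that it has this side effect and must run before any sigcontext is written. The typo "becuase" appears in that comment and in the added documentation paragraph.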
@@ -0,0 +1,47 @@
+From 35f7097fcedec63fcba1852dbee96f74a2d90878 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Sun, 26 May 2013 18:09:37 +0000
+Subject: powerpc/tm: Make room for hypervisor in abort cause codes
+
+From: Michael Neuling
+
+commit 35f7097fcedec63fcba1852dbee96f74a2d90878 upstream.
+
+PAPR carves out 0xff-0xe0 for hypervisor use of transactional memory software
+abort cause codes. Unfortunately we don't respect this currently.
+
+Below fixes this to move our cause codes to below this region.
+
+Signed-off-by: Michael Neuling
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/reg.h | 15 ++++++++-------
+ 1 file changed, 8 insertions(+), 7 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -113,14 +113,15 @@
+
+ /* Reason codes describing kernel causes for transaction aborts. By
+ convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
+- the failure is persistent.
++ the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
+ */
+-#define TM_CAUSE_RESCHED 0xfe
+-#define TM_CAUSE_TLBI 0xfc
+-#define TM_CAUSE_FAC_UNAV 0xfa
+-#define TM_CAUSE_SYSCALL 0xf9 /* Persistent */
+-#define TM_CAUSE_MISC 0xf6
+-#define TM_CAUSE_SIGNAL 0xf4
++#define TM_CAUSE_PERSISTENT 0x01
++#define TM_CAUSE_RESCHED 0xde
++#define TM_CAUSE_TLBI 0xdc
++#define TM_CAUSE_FAC_UNAV 0xda
++#define TM_CAUSE_SYSCALL 0xd8 /* future use */
++#define TM_CAUSE_MISC 0xd6 /* future use */
++#define TM_CAUSE_SIGNAL 0xd4
+
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
diff --git a/queue-3.9/powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch b/queue-3.9/powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch
new file mode 100644
index 00000000000..b21c7cb56b3
--- /dev/null
+++ b/queue-3.9/powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch
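Review bot: The renumbered cause codes are all even, which is what lets callers OR in TM_CAUSE_PERSISTENT (0x01), but the comment does not say that bit 0 must stay clear in every code. A sentence such as `Cause codes keep bit 0 clear; OR in TM_CAUSE_PERSISTENT to mark the abort persistent.` would protect the convention; the same comment block is carried into uapi/asm/tm.h by the later patch in this series. The documentation patched elsewhere on this page says user abort handlers read these values from TEXASR, so a handler built against the old 0xf4-0xfe numbers would presumably need updating.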
@@ -0,0 +1,87 @@
+From b75c100ef24894bd2c8b52e123bcc5f191c5d9fd Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Sun, 26 May 2013 18:30:56 +0000
+Subject: powerpc/tm: Move TM abort cause codes to uapi
+
+From: Michael Neuling
+
+commit b75c100ef24894bd2c8b52e123bcc5f191c5d9fd upstream.
+
+These cause codes are usable by userspace, so let's export to uapi.
+
+Signed-off-by: Michael Neuling
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/include/asm/reg.h | 14 --------------
+ arch/powerpc/include/asm/tm.h | 2 ++
+ arch/powerpc/include/uapi/asm/Kbuild | 1 +
+ arch/powerpc/include/uapi/asm/tm.h | 18 ++++++++++++++++++
+ 4 files changed, 21 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/include/asm/reg.h
++++ b/arch/powerpc/include/asm/reg.h
+@@ -111,20 +111,6 @@
+ #define MSR_TM_TRANSACTIONAL(x) (((x) & MSR_TS_MASK) == MSR_TS_T)
+ #define MSR_TM_SUSPENDED(x) (((x) & MSR_TS_MASK) == MSR_TS_S)
+
+-/* Reason codes describing kernel causes for transaction aborts. By
+- convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
+- the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
+-*/
+-#define TM_CAUSE_PERSISTENT 0x01
+-#define TM_CAUSE_RESCHED 0xde
+-#define TM_CAUSE_TLBI 0xdc
+-#define TM_CAUSE_FAC_UNAV 0xda
+-#define TM_CAUSE_SYSCALL 0xd8 /* future use */
+-#define TM_CAUSE_MISC 0xd6 /* future use */
+-#define TM_CAUSE_SIGNAL 0xd4
+-#define TM_CAUSE_ALIGNMENT 0xd2
+-#define TM_CAUSE_EMULATE 0xd0
+-
+ #if defined(CONFIG_PPC_BOOK3S_64)
+ #define MSR_64BIT MSR_SF
+
+--- a/arch/powerpc/include/asm/tm.h
++++ b/arch/powerpc/include/asm/tm.h
+@@ -5,6 +5,8 @@
+ * Copyright 2012 Matt Evans & Michael Neuling, IBM Corporation.
+ */
+
++#include
++
+ #ifdef CONFIG_PPC_TRANSACTIONAL_MEM
+ extern void do_load_up_transact_fpu(struct thread_struct *thread);
+ extern void do_load_up_transact_altivec(struct thread_struct *thread);
+--- a/arch/powerpc/include/uapi/asm/Kbuild
++++ b/arch/powerpc/include/uapi/asm/Kbuild
+@@ -40,6 +40,7 @@ header-y += statfs.h
+ header-y += swab.h
+ header-y += termbits.h
+ header-y += termios.h
++header-y += tm.h
+ header-y += types.h
+ header-y += ucontext.h
+ header-y += unistd.h
+--- /dev/null
++++ b/arch/powerpc/include/uapi/asm/tm.h
+@@ -0,0 +1,18 @@
++#ifndef _ASM_POWERPC_TM_H
++#define _ASM_POWERPC_TM_H
++
++/* Reason codes describing kernel causes for transaction aborts. By
++ * convention, bit0 is copied to TEXASR[56] (IBM bit 7) which is set if
++ * the failure is persistent. PAPR saves 0xff-0xe0 for the hypervisor.
++ */
++#define TM_CAUSE_PERSISTENT 0x01
++#define TM_CAUSE_RESCHED 0xde
++#define TM_CAUSE_TLBI 0xdc
++#define TM_CAUSE_FAC_UNAV 0xda
++#define TM_CAUSE_SYSCALL 0xd8 /* future use */
++#define TM_CAUSE_MISC 0xd6 /* future use */
++#define TM_CAUSE_SIGNAL 0xd4
++#define TM_CAUSE_ALIGNMENT 0xd2
++#define TM_CAUSE_EMULATE 0xd0
++
++#endif
diff --git a/queue-3.9/powerpc-tm-update-cause-codes-documentation.patch b/queue-3.9/powerpc-tm-update-cause-codes-documentation.patch
new file mode 100644
index 00000000000..d12b7c77812
--- /dev/null
+++ b/queue-3.9/powerpc-tm-update-cause-codes-documentation.patch
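Review bot: The new uapi/asm/tm.h uses the include guard `_ASM_POWERPC_TM_H`, which is the name one would expect for the non-uapi asm/tm.h that now includes it. asm/tm.h shows no guard in the visible context, but if it ever gains the conventional one, the uapi definitions would be skipped silently when included through it. `_UAPI_ASM_POWERPC_TM_H` follows the usual naming for exported headers and avoids the clash.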
@@ -0,0 +1,27 @@
+From 24b92375dc4ec8a15262e8aaaab60b7404d4b1e7 Mon Sep 17 00:00:00 2001
+From: Michael Neuling
+Date: Sun, 26 May 2013 18:09:38 +0000
+Subject: powerpc/tm: Update cause codes documentation
+
+From: Michael Neuling
+
+commit 24b92375dc4ec8a15262e8aaaab60b7404d4b1e7 upstream.
+
+Signed-off-by: Michael Neuling
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ Documentation/powerpc/transactional_memory.txt | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/Documentation/powerpc/transactional_memory.txt
++++ b/Documentation/powerpc/transactional_memory.txt
+@@ -155,6 +155,7 @@ These are defined in , and di
+ kernel aborted a transaction:
+
+ TM_CAUSE_RESCHED Thread was rescheduled.
++ TM_CAUSE_TLBI Software TLB invalide.
+ TM_CAUSE_FAC_UNAV FP/VEC/VSX unavailable trap.
+ TM_CAUSE_SYSCALL Currently unused; future syscalls that must abort
+ transactions for consistency will use this.
diff --git a/queue-3.9/series b/queue-3.9/series
index 8d29b907d71..2858efd9a33 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -71,3 +71,12 @@ drm-radeon-fix-typo-in-cu_per_sh-on-verde.patch
 drm-radeon-fix-card_posted-check-for-newer-asics.patch
 crypto-caam-fix-inconsistent-assoc-dma-mapping-direction.patch
 cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
+powerpc-32bit-store-temporary-result-in-r0-instead-of-r8.patch
+powerpc-tm-make-room-for-hypervisor-in-abort-cause-codes.patch
+powerpc-tm-update-cause-codes-documentation.patch
+powerpc-tm-fix-userspace-stack-corruption-on-signal-delivery-for-active-transactions.patch
+powerpc-tm-abort-on-emulation-and-alignment-faults.patch
+powerpc-tm-move-tm-abort-cause-codes-to-uapi.patch
+iscsi-target-fix-heap-buffer-overflow-on-error.patch
+ib_srpt-call-target_sess_cmd_list_set_waiting-during-shutdown_session.patch
+nfsv4-fix-a-thinko-in-nfs4_try_open_cached.patch