From: Greg Kroah-Hartman Date: Tue, 29 Jul 2014 05:06:36 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.15.8~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=8e0c6305beb39c89e93f3307246c4483c7bb9f32;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch coredump-fix-the-setting-of-pf_dumpcore.patch hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch input-fix-defuzzing-logic.patch parisc-remove-sa_restorer-define.patch slab_common-do-not-check-for-duplicate-slab-names.patch slab_common-fix-the-check-for-duplicate-slab-names.patch tracing-fix-wraparound-problems-in-uptime-trace-clock.patch x86_32-entry-store-badsys-error-code-in-eax.patch
---
diff --git a/queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch b/queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch
new file mode 100644
index 00000000000..d51d8a8a4df
--- /dev/null
+++ b/queue-3.10/ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch
@@ -0,0 +1,35 @@ +From b32bfc06aefab61acc872dec3222624e6cd867ed Mon Sep 17 00:00:00 2001 +From: Romain Degez +Date: Fri, 11 Jul 2014 18:08:13 +0200 +Subject: ahci: add support for the Promise FastTrak TX8660 SATA HBA (ahci mode) + +From: Romain Degez + +commit b32bfc06aefab61acc872dec3222624e6cd867ed upstream. + +Add support of the Promise FastTrak TX8660 SATA HBA in ahci mode by +registering the board in the ahci_pci_tbl[]. + +Note: this HBA also provide a hardware RAID mode when activated in +BIOS but specific drivers from the manufacturer are required in this +case. + +Signed-off-by: Romain Degez +Tested-by: Romain Degez +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -455,6 +455,7 @@ static const struct pci_device_id ahci_p + + /* Promise */ + { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ ++ { PCI_VDEVICE(PROMISE, 0x3781), board_ahci }, /* FastTrak TX8660 ahci-mode */ + + /* Asmedia */ + { PCI_VDEVICE(ASMEDIA, 0x0601), board_ahci }, /* ASM1060 */ diff --git a/queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch b/queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch new file mode 100644 index 00000000000..8f0b6912aff --- /dev/null +++ b/queue-3.10/blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch 
@@ -0,0 +1,102 @@ +From 0b462c89e31f7eb6789713437eb551833ee16ff3 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sat, 5 Jul 2014 18:43:21 -0400 +Subject: blkcg: don't call into policy draining if root_blkg is already gone + +From: Tejun Heo + +commit 0b462c89e31f7eb6789713437eb551833ee16ff3 upstream. + +While a queue is being destroyed, all the blkgs are destroyed and its +->root_blkg pointer is set to NULL. If someone else starts to drain +while the queue is in this state, the following oops happens. + + NULL pointer dereference at 0000000000000028 + IP: [] blk_throtl_drain+0x84/0x230 + PGD e4a1067 PUD b773067 PMD 0 + Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC + Modules linked in: cfq_iosched(-) [last unloaded: cfq_iosched] + CPU: 1 PID: 537 Comm: bash Not tainted 3.16.0-rc3-work+ #2 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + task: ffff88000e222250 ti: ffff88000efd4000 task.ti: ffff88000efd4000 + RIP: 0010:[] [] blk_throtl_drain+0x84/0x230 + RSP: 0018:ffff88000efd7bf0 EFLAGS: 00010046 + RAX: 0000000000000000 RBX: ffff880015091450 RCX: 0000000000000001 + RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000 + RBP: ffff88000efd7c10 R08: 0000000000000000 R09: 0000000000000001 + R10: ffff88000e222250 R11: 0000000000000000 R12: ffff880015091450 + R13: ffff880015092e00 R14: ffff880015091d70 R15: ffff88001508fc28 + FS: 00007f1332650740(0000) GS:ffff88001fa80000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 0000000000000028 CR3: 0000000009446000 CR4: 00000000000006e0 + Stack: + ffffffff8144e8f6 ffff880015091450 0000000000000000 ffff880015091d80 + ffff88000efd7c28 ffffffff8144ae2f ffff880015091450 ffff88000efd7c58 + ffffffff81427641 ffff880015091450 ffffffff82401f00 ffff880015091450 + Call Trace: + [] blkcg_drain_queue+0x1f/0x60 + [] __blk_drain_queue+0x71/0x180 + [] blk_queue_bypass_start+0x6e/0xb0 + [] blkcg_deactivate_policy+0x38/0x120 + [] blk_throtl_exit+0x34/0x50 + [] blkcg_exit_queue+0x35/0x40 + [] 
blk_release_queue+0x26/0xd0 + [] kobject_cleanup+0x38/0x70 + [] kobject_put+0x28/0x60 + [] blk_put_queue+0x15/0x20 + [] scsi_device_dev_release_usercontext+0x16b/0x1c0 + [] execute_in_process_context+0x89/0xa0 + [] scsi_device_dev_release+0x1c/0x20 + [] device_release+0x32/0xa0 + [] kobject_cleanup+0x38/0x70 + [] kobject_put+0x28/0x60 + [] put_device+0x17/0x20 + [] __scsi_remove_device+0xa9/0xe0 + [] scsi_remove_device+0x2b/0x40 + [] sdev_store_delete+0x27/0x30 + [] dev_attr_store+0x18/0x30 + [] sysfs_kf_write+0x3e/0x50 + [] kernfs_fop_write+0xe7/0x170 + [] vfs_write+0xaf/0x1d0 + [] SyS_write+0x4d/0xc0 + [] system_call_fastpath+0x16/0x1b + +776687bce42b ("block, blk-mq: draining can't be skipped even if +bypass_depth was non-zero") made it easier to trigger this bug by +making blk_queue_bypass_start() drain even when it loses the first +bypass test to blk_cleanup_queue(); however, the bug has always been +there even before the commit as blk_queue_bypass_start() could race +against queue destruction, win the initial bypass test but perform the +actual draining after blk_cleanup_queue() already destroyed all blkgs. + +Fix it by skippping calling into policy draining if all the blkgs are +already gone. + +Signed-off-by: Tejun Heo +Reported-by: Shirish Pargaonkar +Reported-by: Sasha Levin +Reported-by: Jet Chen +Tested-by: Shirish Pargaonkar +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-cgroup.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -876,6 +876,13 @@ void blkcg_drain_queue(struct request_qu + { + lockdep_assert_held(q->queue_lock); + ++ /* ++ * @q could be exiting and already have destroyed all blkgs as ++ * indicated by NULL root_blkg. If so, don't confuse policies. ++ */ ++ if (!q->root_blkg) ++ return; ++ + blk_throtl_drain(q); + } + 
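Review bot: The new `if (!q->root_blkg) return;` in blkcg_drain_queue() is only race-free if the teardown path clears root_blkg under the same q->queue_lock that `lockdep_assert_held()` checks just above it, and the added comment does not say so. The code that sets root_blkg to NULL is outside this hunk, so that is an assumption to confirm rather than something visible here. I would extend the comment with a line such as `* root_blkg is read under q->queue_lock; the destroy path must clear it under the same lock.` so a later locking change does not quietly reopen the NULL dereference shown in the oops.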
diff --git a/queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch b/queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch new file mode 100644 index 00000000000..1ba16e0aab7 --- /dev/null +++ b/queue-3.10/coredump-fix-the-setting-of-pf_dumpcore.patch @@ -0,0 +1,38 @@ +From aed8adb7688d5744cb484226820163af31d2499a Mon Sep 17 00:00:00 2001 +From: Silesh C V +Date: Wed, 23 Jul 2014 13:59:59 -0700 +Subject: coredump: fix the setting of PF_DUMPCORE + +From: Silesh C V + +commit aed8adb7688d5744cb484226820163af31d2499a upstream. + +Commit 079148b919d0 ("coredump: factor out the setting of PF_DUMPCORE") +cleaned up the setting of PF_DUMPCORE by removing it from all the +linux_binfmt->core_dump() and moving it to zap_threads().But this ended +up clearing all the previously set flags. This causes issues during +core generation when tsk->flags is checked again (eg. for PF_USED_MATH +to dump floating point registers). Fix this. + +Signed-off-by: Silesh C V +Acked-by: Oleg Nesterov +Cc: Mandeep Singh Baines +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/coredump.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/coredump.c ++++ b/fs/coredump.c +@@ -299,7 +299,7 @@ static int zap_threads(struct task_struc + if (unlikely(nr < 0)) + return nr; + +- tsk->flags = PF_DUMPCORE; ++ tsk->flags |= PF_DUMPCORE; + if (atomic_read(&mm->mm_users) == nr + 1) + goto done; + /* diff --git a/queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch b/queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch new file mode 100644 index 00000000000..de1cec2d5ad --- /dev/null +++ b/queue-3.10/hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch 
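Review bot: `tsk->flags |= PF_DUMPCORE;` in zap_threads() is a plain read-modify-write of the flags word, so it keeps the other flags intact only if nothing else writes tsk->flags at the same time. That presumably holds because tsk is the dumping task itself, but the caller is outside the hunk and nothing at this line states it. A short comment, e.g. `/* tsk is the dumping task; only the task itself writes its own flags */`, would record that assumption once it has been confirmed against the caller.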
@@ -0,0 +1,46 @@ +From 043572d5444116b9d9ad8ae763cf069e7accbc30 Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Fri, 18 Jul 2014 07:31:18 -0700 +Subject: hwmon: (smsc47m192) Fix temperature limit and vrm write operations + +From: Guenter Roeck + +commit 043572d5444116b9d9ad8ae763cf069e7accbc30 upstream. + +Temperature limit clamps are applied after converting the temperature +from milli-degrees C to degrees C, so either the clamp limit needs +to be specified in degrees C, not milli-degrees C, or clamping must +happen before converting to degrees C. Use the latter method to avoid +overflows. + +vrm is an u8, so the written value needs to be limited to [0, 255]. + +Cc: Axel Lin +Signed-off-by: Guenter Roeck +Reviewed-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/smsc47m192.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hwmon/smsc47m192.c ++++ b/drivers/hwmon/smsc47m192.c +@@ -86,7 +86,7 @@ static inline u8 IN_TO_REG(unsigned long + */ + static inline s8 TEMP_TO_REG(int val) + { +- return clamp_val(SCALE(val, 1, 1000), -128000, 127000); ++ return SCALE(clamp_val(val, -128000, 127000), 1, 1000); + } + + static inline int TEMP_FROM_REG(s8 val) +@@ -384,6 +384,8 @@ static ssize_t set_vrm(struct device *de + err = kstrtoul(buf, 10, &val); + if (err) + return err; ++ if (val > 255) ++ return -EINVAL; + + data->vrm = val; + return count; diff --git a/queue-3.10/input-fix-defuzzing-logic.patch b/queue-3.10/input-fix-defuzzing-logic.patch new file mode 100644 index 00000000000..cbe2a20a901 --- /dev/null +++ b/queue-3.10/input-fix-defuzzing-logic.patch 
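Review bot: The bound added in set_vrm(), `if (val > 255) return -EINVAL;`, is a bare literal whose reason (vrm is a u8, per the commit message) is not recorded next to the check. Since `val` comes straight from a sysfs write via kstrtoul(), a comment such as `/* data->vrm is a u8: reject rather than silently truncate */` would keep the range check from being dropped as redundant later. The same applies to TEMP_TO_REG(): a one-line note that the clamp must run before SCALE() so the result fits the s8 return type would document why the order matters. set_vrm() begins outside the hunk.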
@@ -0,0 +1,56 @@ +From 50c5d36dab930b1f1b1e3348b8608aa8b9ee7610 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Sat, 19 Jul 2014 16:30:31 -0700 +Subject: Input: fix defuzzing logic + +From: Dmitry Torokhov + +commit 50c5d36dab930b1f1b1e3348b8608aa8b9ee7610 upstream. + +We attempt to remove noise from coordinates reported by devices in +input_handle_abs_event(), unfortunately, unless we were dropping the +event altogether, we were ignoring the adjusted value and were passing +on the original value instead. + +Reviewed-by: Andrew de los Reyes +Reviewed-by: Benson Leung +Reviewed-by: David Herrmann +Reviewed-by: Henrik Rydberg +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/input.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/input/input.c ++++ b/drivers/input/input.c +@@ -257,9 +257,10 @@ static int input_handle_abs_event(struct + } + + static int input_get_disposition(struct input_dev *dev, +- unsigned int type, unsigned int code, int value) ++ unsigned int type, unsigned int code, int *pval) + { + int disposition = INPUT_IGNORE_EVENT; ++ int value = *pval; + + switch (type) { + +@@ -357,6 +358,7 @@ static int input_get_disposition(struct + break; + } + ++ *pval = value; + return disposition; + } + +@@ -365,7 +367,7 @@ static void input_handle_event(struct in + { + int disposition; + +- disposition = input_get_disposition(dev, type, code, value); ++ disposition = input_get_disposition(dev, type, code, &value); + + if ((disposition & INPUT_PASS_TO_DEVICE) && dev->event) + dev->event(dev, type, code, value); diff --git a/queue-3.10/parisc-remove-sa_restorer-define.patch b/queue-3.10/parisc-remove-sa_restorer-define.patch new file mode 100644 index 00000000000..85bd22b9d56 --- /dev/null +++ b/queue-3.10/parisc-remove-sa_restorer-define.patch 
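Review bot: input_get_disposition() now takes `int *pval` as an in/out parameter, but nothing at the signature says the caller's value is rewritten, and the write-back `*pval = value;` exists only in front of the final `return disposition;`. The switch body between the two hunks is not shown, so if any path in it returns early the adjusted value would be dropped again without any sign of it. A comment above the function, e.g. `/* @pval: in/out - event value, replaced by the defuzzed value on return */`, would make the contract explicit. input_handle_event() continues past the end of the hunk.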
@@ -0,0 +1,32 @@ +From 20dbea494543aefaace874cc3ec93a39b94b1ec4 Mon Sep 17 00:00:00 2001 +From: John David Anglin +Date: Wed, 23 Jul 2014 19:44:12 -0400 +Subject: parisc: Remove SA_RESTORER define + +From: John David Anglin + +commit 20dbea494543aefaace874cc3ec93a39b94b1ec4 upstream. + +The sa_restorer field in struct sigaction is obsolete and no longer in +the parisc implementation. However, the core code assumes the field is +present if SA_RESTORER is defined. So, the define needs to be removed. + +Signed-off-by: John David Anglin +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/include/uapi/asm/signal.h | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/parisc/include/uapi/asm/signal.h ++++ b/arch/parisc/include/uapi/asm/signal.h +@@ -69,8 +69,6 @@ + #define SA_NOMASK SA_NODEFER + #define SA_ONESHOT SA_RESETHAND + +-#define SA_RESTORER 0x04000000 /* obsolete -- ignored */ +- + #define MINSIGSTKSZ 2048 + #define SIGSTKSZ 8192 + diff --git a/queue-3.10/series b/queue-3.10/series index f2a817892dc..ddbe28f9ef0 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -5,3 +5,13 @@ block-don-t-assume-last-put-of-shared-tags-is-for-the-host.patch libata-support-the-ata-host-which-implements-a-queue-depth-less-than-32.patch libata-introduce-ata_host-n_tags-to-avoid-oops-on-sas-controllers.patch s390-ptrace-fix-psw-mask-check.patch +ahci-add-support-for-the-promise-fasttrak-tx8660-sata-hba-ahci-mode.patch +blkcg-don-t-call-into-policy-draining-if-root_blkg-is-already-gone.patch +tracing-fix-wraparound-problems-in-uptime-trace-clock.patch +slab_common-do-not-check-for-duplicate-slab-names.patch +slab_common-fix-the-check-for-duplicate-slab-names.patch +input-fix-defuzzing-logic.patch +coredump-fix-the-setting-of-pf_dumpcore.patch +parisc-remove-sa_restorer-define.patch +hwmon-smsc47m192-fix-temperature-limit-and-vrm-write-operations.patch +x86_32-entry-store-badsys-error-code-in-eax.patch 
diff --git a/queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch b/queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch
new file mode 100644
index 00000000000..e6a108fb69e
--- /dev/null
+++ b/queue-3.10/slab_common-do-not-check-for-duplicate-slab-names.patch
@@ -0,0 +1,69 @@ +From 3e374919b314f20e2a04f641ebc1093d758f66a4 Mon Sep 17 00:00:00 2001 +From: Christoph Lameter +Date: Sat, 21 Sep 2013 21:56:34 +0000 +Subject: slab_common: Do not check for duplicate slab names + +From: Christoph Lameter + +commit 3e374919b314f20e2a04f641ebc1093d758f66a4 upstream. + +SLUB can alias multiple slab kmem_create_requests to one slab cache to save +memory and increase the cache hotness. As a result the name of the slab can be +stale. Only check the name for duplicates if we are in debug mode where we do +not merge multiple caches. + +This fixes the following problem reported by Jonathan Brassow: + + The problem with kmem_cache* is this: + + *) Assume CONFIG_SLUB is set + 1) kmem_cache_create(name="foo-a") + - creates new kmem_cache structure + 2) kmem_cache_create(name="foo-b") + - If identical cache characteristics, it will be merged with the previously + created cache associated with "foo-a". The cache's refcount will be + incremented and an alias will be created via sysfs_slab_alias(). + 3) kmem_cache_destroy() + - Attempting to destroy cache associated with "foo-a", but instead the + refcount is simply decremented. I don't even think the sysfs aliases are + ever removed... + 4) kmem_cache_create(name="foo-a") + - This FAILS because kmem_cache_sanity_check colides with the existing + name ("foo-a") associated with the non-removed cache. + + This is a problem for RAID (specifically dm-raid) because the name used + for the kmem_cache_create is ("raid%d-%p", level, mddev). If the cache + persists for long enough, the memory address of an old mddev will be + reused for a new mddev - causing an identical formulation of the cache + name. Even though kmem_cache_destory had long ago been used to delete + the old cache, the merging of caches has cause the name and cache of that + old instance to be preserved and causes a colision (and thus failure) in + kmem_cache_create(). I see this regularly in my testing. 
+ +Reported-by: Jonathan Brassow +Signed-off-by: Christoph Lameter +Signed-off-by: Pekka Enberg +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -55,6 +55,7 @@ static int kmem_cache_sanity_check(struc + continue; + } + ++#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON) + /* + * For simplicity, we won't check this in the list of memcg + * caches. We have control over memcg naming, and if there +@@ -68,6 +69,7 @@ static int kmem_cache_sanity_check(struc + s = NULL; + return -EINVAL; + } ++#endif + } + + WARN_ON(strchr(name, ' ')); /* It confuses parsers */ diff --git a/queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch b/queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch new file mode 100644 index 00000000000..3a82044218d --- /dev/null +++ b/queue-3.10/slab_common-fix-the-check-for-duplicate-slab-names.patch 
@@ -0,0 +1,55 @@ +From 694617474e33b8603fc76e090ed7d09376514b1a Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 4 Mar 2014 17:13:47 -0500 +Subject: slab_common: fix the check for duplicate slab names + +From: Mikulas Patocka + +commit 694617474e33b8603fc76e090ed7d09376514b1a upstream. + +The patch 3e374919b314f20e2a04f641ebc1093d758f66a4 is supposed to fix the +problem where kmem_cache_create incorrectly reports duplicate cache name +and fails. The problem is described in the header of that patch. + +However, the patch doesn't really fix the problem because of these +reasons: + +* the logic to test for debugging is reversed. It was intended to perform + the check only if slub debugging is enabled (which implies that caches + with the same parameters are not merged). Therefore, there should be + #if !defined(CONFIG_SLUB) || defined(CONFIG_SLUB_DEBUG_ON) + The current code has the condition reversed and performs the test if + debugging is disabled. + +* slub debugging may be enabled or disabled based on kernel command line, + CONFIG_SLUB_DEBUG_ON is just the default settings. Therefore the test + based on definition of CONFIG_SLUB_DEBUG_ON is unreliable. + +This patch fixes the problem by removing the test +"!defined(CONFIG_SLUB_DEBUG_ON)". Therefore, duplicate names are never +checked if the SLUB allocator is used. + +Note to stable kernel maintainers: when backporint this patch, please +backport also the patch 3e374919b314f20e2a04f641ebc1093d758f66a4. 
+ +Acked-by: David Rientjes +Acked-by: Christoph Lameter +Signed-off-by: Mikulas Patocka +Signed-off-by: Pekka Enberg +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab_common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -55,7 +55,7 @@ static int kmem_cache_sanity_check(struc + continue; + } + +-#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON) ++#if !defined(CONFIG_SLUB) + /* + * For simplicity, we won't check this in the list of memcg + * caches. We have control over memcg naming, and if there diff --git a/queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch b/queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch new file mode 100644 index 00000000000..963da6cce49 --- /dev/null +++ b/queue-3.10/tracing-fix-wraparound-problems-in-uptime-trace-clock.patch 
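Review bot: The guard `#if !defined(CONFIG_SLUB)` in kmem_cache_sanity_check() carries no explanation, and the existing comment directly under it talks only about memcg caches. The reason given in the commit message (SLUB merges caches, so a stale alias name can collide with a newly created cache) should sit beside the directive, for example `/* SLUB may merge caches and keep stale names; skip the duplicate-name check there */`. Without it the duplicate-name check reads as accidentally disabled on SLUB builds. The function body extends beyond the hunk.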
@@ -0,0 +1,73 @@ +From 58d4e21e50ff3cc57910a8abc20d7e14375d2f61 Mon Sep 17 00:00:00 2001 +From: Tony Luck +Date: Fri, 18 Jul 2014 11:43:01 -0700 +Subject: tracing: Fix wraparound problems in "uptime" trace clock + +From: Tony Luck + +commit 58d4e21e50ff3cc57910a8abc20d7e14375d2f61 upstream. + +The "uptime" trace clock added in: + + commit 8aacf017b065a805d27467843490c976835eb4a5 + tracing: Add "uptime" trace clock that uses jiffies + +has wraparound problems when the system has been up more +than 1 hour 11 minutes and 34 seconds. It converts jiffies +to nanoseconds using: + (u64)jiffies_to_usecs(jiffy) * 1000ULL +but since jiffies_to_usecs() only returns a 32-bit value, it +truncates at 2^32 microseconds. An additional problem on 32-bit +systems is that the argument is "unsigned long", so fixing the +return value only helps until 2^32 jiffies (49.7 days on a HZ=1000 +system). + +Avoid these problems by using jiffies_64 as our basis, and +not converting to nanoseconds (we do convert to clock_t because +user facing API must not be dependent on internal kernel +HZ values). 
+ +Link: http://lkml.kernel.org/p/99d63c5bfe9b320a3b428d773825a37095bf6a51.1405708254.git.tony.luck@intel.com + +Fixes: 8aacf017b065 "tracing: Add "uptime" trace clock that uses jiffies" +Signed-off-by: Tony Luck +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 +- + kernel/trace/trace_clock.c | 9 +++++---- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -741,7 +741,7 @@ static struct { + { trace_clock_local, "local", 1 }, + { trace_clock_global, "global", 1 }, + { trace_clock_counter, "counter", 0 }, +- { trace_clock_jiffies, "uptime", 1 }, ++ { trace_clock_jiffies, "uptime", 0 }, + { trace_clock, "perf", 1 }, + ARCH_TRACE_CLOCKS + }; +--- a/kernel/trace/trace_clock.c ++++ b/kernel/trace/trace_clock.c +@@ -59,13 +59,14 @@ u64 notrace trace_clock(void) + + /* + * trace_jiffy_clock(): Simply use jiffies as a clock counter. ++ * Note that this use of jiffies_64 is not completely safe on ++ * 32-bit systems. But the window is tiny, and the effect if ++ * we are affected is that we will have an obviously bogus ++ * timestamp on a trace event - i.e. not life threatening. + */ + u64 notrace trace_clock_jiffies(void) + { +- u64 jiffy = jiffies - INITIAL_JIFFIES; +- +- /* Return nsecs */ +- return (u64)jiffies_to_usecs(jiffy) * 1000ULL; ++ return jiffies_64_to_clock_t(jiffies_64 - INITIAL_JIFFIES); + } + + /* diff --git a/queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch b/queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch new file mode 100644 index 00000000000..16958c276d0 --- /dev/null +++ b/queue-3.10/x86_32-entry-store-badsys-error-code-in-eax.patch 
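Review bot: trace_clock_jiffies() now reads `jiffies_64` directly, and the added comment admits this is not completely safe on 32-bit systems without saying why the locked accessor is not used. If the reason is that a trace clock can run in contexts where taking the jiffies lock is not possible, the comment should say so, e.g. `* get_jiffies_64() is avoided because this can be called from any context.`; that reasoning is my inference, not something the hunk shows. Separately, the return value changes from nanoseconds to clock_t units and the third field of the "uptime" table entry in trace.c flips from 1 to 0, so the header comment should name the new unit to stop anyone correlating trace timestamps from reading them as nanoseconds.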
@@ -0,0 +1,89 @@ +From 8142b215501f8b291a108a202b3a053a265b03dd Mon Sep 17 00:00:00 2001 +From: Sven Wegener +Date: Tue, 22 Jul 2014 10:26:06 +0200 +Subject: x86_32, entry: Store badsys error code in %eax + +From: Sven Wegener + +commit 8142b215501f8b291a108a202b3a053a265b03dd upstream. + +Commit 554086d ("x86_32, entry: Do syscall exit work on badsys +(CVE-2014-4508)") introduced a regression in the x86_32 syscall entry +code, resulting in syscall() not returning proper errors for undefined +syscalls on CPUs supporting the sysenter feature. + +The following code: + +> int result = syscall(666); +> printf("result=%d errno=%d error=%s\n", result, errno, strerror(errno)); + +results in: + +> result=666 errno=0 error=Success + +Obviously, the syscall return value is the called syscall number, but it +should have been an ENOSYS error. When run under ptrace it behaves +correctly, which makes it hard to debug in the wild: + +> result=-1 errno=38 error=Function not implemented + +The %eax register is the return value register. For debugging via ptrace +the syscall entry code stores the complete register context on the +stack. The badsys handlers only store the ENOSYS error code in the +ptrace register set and do not set %eax like a regular syscall handler +would. The old resume_userspace call chain contains code that clobbers +%eax and it restores %eax from the ptrace registers afterwards. The same +goes for the ptrace-enabled call chain. When ptrace is not used, the +syscall return value is the passed-in syscall number from the untouched +%eax register. + +Use %eax as the return value register in syscall_badsys and +sysenter_badsys, like a real syscall handler does, and have the caller +push the value onto the stack for ptrace access. + +Signed-off-by: Sven Wegener +Link: http://lkml.kernel.org/r/alpine.LNX.2.11.1407221022380.31021@titan.int.lan.stealer.net +Reviewed-and-tested-by: Andy Lutomirski +Signed-off-by: H. 
Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/entry_32.S | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -436,8 +436,8 @@ sysenter_do_call: + cmpl $(NR_syscalls), %eax + jae sysenter_badsys + call *sys_call_table(,%eax,4) +- movl %eax,PT_EAX(%esp) + sysenter_after_call: ++ movl %eax,PT_EAX(%esp) + LOCKDEP_SYS_EXIT + DISABLE_INTERRUPTS(CLBR_ANY) + TRACE_IRQS_OFF +@@ -517,6 +517,7 @@ ENTRY(system_call) + jae syscall_badsys + syscall_call: + call *sys_call_table(,%eax,4) ++syscall_after_call: + movl %eax,PT_EAX(%esp) # store the return value + syscall_exit: + LOCKDEP_SYS_EXIT +@@ -686,12 +687,12 @@ syscall_fault: + END(syscall_fault) + + syscall_badsys: +- movl $-ENOSYS,PT_EAX(%esp) +- jmp syscall_exit ++ movl $-ENOSYS,%eax ++ jmp syscall_after_call + END(syscall_badsys) + + sysenter_badsys: +- movl $-ENOSYS,PT_EAX(%esp) ++ movl $-ENOSYS,%eax + jmp sysenter_after_call + END(syscall_badsys) + CFI_ENDPROC
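Review bot: The `END(syscall_badsys)` that closes the sysenter_badsys block is left untouched, so the end annotation for sysenter_badsys still names the other label; it looks like it should read `END(sysenter_badsys)`. The line is context here, not something this patch introduces, but the patch edits the two instructions directly above it. It would also help to add a one-line comment at `sysenter_after_call:` and `syscall_after_call:`, e.g. `# %eax = syscall return value, stored to PT_EAX below`, because both the normal call path and the badsys path now depend on %eax being set before reaching those labels.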