From: Greg Kroah-Hartman Date: Mon, 22 May 2017 16:40:09 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v3.18.55~53 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9cfcd4fa22ff8556223eaec8f725bb7ffc5d5571;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch ath9k_htc-fix-null-deref-at-probe.patch ima-accept-previously-set-ima_new_file.patch kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch regulator-tps65023-fix-inverted-core-enable-logic.patch s390-cputime-fix-incorrect-system-time.patch s390-kdump-add-final-note.patch --- diff --git a/queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch b/queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch new file mode 100644 index 00000000000..15c3e65eeaf --- /dev/null +++ b/queue-4.4/ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch @@ -0,0 +1,36 @@ +From 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 Mon Sep 17 00:00:00 2001 +From: Dmitry Tunin +Date: Wed, 8 Mar 2017 13:52:07 +0200 +Subject: ath9k_htc: Add support of AirTies 1eda:2315 AR9271 device + +From: Dmitry Tunin + +commit 16ff1fb0e32f76a5d285a6f23b82d21aa52813c6 upstream. + +T: Bus=01 Lev=02 Prnt=02 Port=02 Cnt=01 Dev#= 7 Spd=480 MxCh= 0 +D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1 +P: Vendor=1eda ProdID=2315 Rev=01.08 +S: Manufacturer=ATHEROS +S: Product=USB2.0 WLAN +S: SerialNumber=12345 +C: #Ifs= 1 Cfg#= 1 Atr=80 MxPwr=500mA +I: If#= 0 Alt= 0 #EPs= 6 Cls=ff(vend.) Sub=00 Prot=00 Driver=(none) + +Signed-off-by: Dmitry Tunin +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -37,6 +37,7 @@ static struct usb_device_id ath9k_hif_us + { USB_DEVICE(0x0cf3, 0xb002) }, /* Ubiquiti WifiStation */ + { USB_DEVICE(0x057c, 0x8403) }, /* AVM FRITZ!WLAN 11N v2 USB */ + { USB_DEVICE(0x0471, 0x209e) }, /* Philips (or NXP) PTA01 */ ++ { USB_DEVICE(0x1eda, 0x2315) }, /* AirTies */ + + { USB_DEVICE(0x0cf3, 0x7015), + .driver_info = AR9287_USB }, /* Atheros */ diff --git a/queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch b/queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch new file mode 100644 index 00000000000..78ef2d70e05 --- /dev/null +++ b/queue-4.4/ath9k_htc-fix-null-deref-at-probe.patch @@ -0,0 +1,34 @@ +From ebeb36670ecac36c179b5fb5d5c88ff03ba191ec Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 13 Mar 2017 13:44:20 +0100 +Subject: ath9k_htc: fix NULL-deref at probe + +From: Johan Hovold + +commit ebeb36670ecac36c179b5fb5d5c88ff03ba191ec upstream. + +Make sure to check the number of endpoints to avoid dereferencing a +NULL-pointer or accessing memory beyond the endpoint array should a +malicious device lack the expected endpoints. + +Fixes: 36bcce430657 ("ath9k_htc: Handle storage devices") +Signed-off-by: Johan Hovold +Signed-off-by: Kalle Valo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hif_usb.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/hif_usb.c ++++ b/drivers/net/wireless/ath/ath9k/hif_usb.c +@@ -1217,6 +1217,9 @@ static int send_eject_command(struct usb + u8 bulk_out_ep; + int r; + ++ if (iface_desc->desc.bNumEndpoints < 2) ++ return -ENODEV; ++ + /* Find bulk out endpoint */ + for (r = 1; r >= 0; r--) { + endpoint = &iface_desc->endpoint[r].desc; diff --git a/queue-4.4/ima-accept-previously-set-ima_new_file.patch b/queue-4.4/ima-accept-previously-set-ima_new_file.patch new file mode 100644 index 00000000000..9b6b52e8acd --- /dev/null +++ b/queue-4.4/ima-accept-previously-set-ima_new_file.patch @@ -0,0 +1,52 @@ +From 1ac202e978e18f045006d75bd549612620c6ec3a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Daniel=20Gl=C3=B6ckner?= +Date: Fri, 24 Feb 2017 15:05:14 +0100 +Subject: ima: accept previously set IMA_NEW_FILE +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Daniel Glöckner + +commit 1ac202e978e18f045006d75bd549612620c6ec3a upstream. + +Modifying the attributes of a file makes ima_inode_post_setattr reset +the IMA cache flags. So if the file, which has just been created, +is opened a second time before the first file descriptor is closed, +verification fails since the security.ima xattr has not been written +yet. We therefore have to look at the IMA_NEW_FILE even if the file +already existed. + +With this patch there should no longer be an error when cat tries to +open testfile: + +$ rm -f testfile +$ ( echo test >&3 ; touch testfile ; cat testfile ) 3>testfile + +A file being new is no reason to accept that it is missing a digital +signature demanded by the policy. + +Signed-off-by: Daniel Glöckner +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_appraise.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/security/integrity/ima/ima_appraise.c ++++ b/security/integrity/ima/ima_appraise.c +@@ -203,10 +203,11 @@ int ima_appraise_measurement(int func, s + + cause = "missing-hash"; + status = INTEGRITY_NOLABEL; +- if (opened & FILE_CREATED) { ++ if (opened & FILE_CREATED) + iint->flags |= IMA_NEW_FILE; ++ if ((iint->flags & IMA_NEW_FILE) && ++ !(iint->flags & IMA_DIGSIG_REQUIRED)) + status = INTEGRITY_PASS; +- } + goto out; + } + diff --git a/queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch b/queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch new file mode 100644 index 00000000000..b7de5b2f427 --- /dev/null +++ b/queue-4.4/kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch @@ -0,0 +1,112 @@ +From a575813bfe4bc15aba511a5e91e61d242bff8b9d Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Thu, 11 May 2017 02:58:55 -0700 +Subject: KVM: x86: Fix load damaged SSEx MXCSR register +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit a575813bfe4bc15aba511a5e91e61d242bff8b9d upstream. + +Reported by syzkaller: + + BUG: unable to handle kernel paging request at ffffffffc07f6a2e + IP: report_bug+0x94/0x120 + PGD 348e12067 + P4D 348e12067 + PUD 348e14067 + PMD 3cbd84067 + PTE 80000003f7e87161 + + Oops: 0003 [#1] SMP + CPU: 2 PID: 7091 Comm: kvm_load_guest_ Tainted: G OE 4.11.0+ #8 + task: ffff92fdfb525400 task.stack: ffffbda6c3d04000 + RIP: 0010:report_bug+0x94/0x120 + RSP: 0018:ffffbda6c3d07b20 EFLAGS: 00010202 + do_trap+0x156/0x170 + do_error_trap+0xa3/0x170 + ? kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm] + ? mark_held_locks+0x79/0xa0 + ? retint_kernel+0x10/0x10 + ? trace_hardirqs_off_thunk+0x1a/0x1c + do_invalid_op+0x20/0x30 + invalid_op+0x1e/0x30 + RIP: 0010:kvm_load_guest_fpu.part.175+0x12a/0x170 [kvm] + ? kvm_load_guest_fpu.part.175+0x1c/0x170 [kvm] + kvm_arch_vcpu_ioctl_run+0xed6/0x1b70 [kvm] + kvm_vcpu_ioctl+0x384/0x780 [kvm] + ? kvm_vcpu_ioctl+0x384/0x780 [kvm] + ? sched_clock+0x13/0x20 + ? __do_page_fault+0x2a0/0x550 + do_vfs_ioctl+0xa4/0x700 + ? up_read+0x1f/0x40 + ? __do_page_fault+0x2a0/0x550 + SyS_ioctl+0x79/0x90 + entry_SYSCALL_64_fastpath+0x23/0xc2 + +SDM mentioned that "The MXCSR has several reserved bits, and attempting to write +a 1 to any of these bits will cause a general-protection exception(#GP) to be +generated". The syzkaller forks' testcase overrides xsave area w/ random values +and steps on the reserved bits of MXCSR register. The damaged MXCSR register +values of guest will be restored to SSEx MXCSR register before vmentry. This +patch fixes it by catching userspace override MXCSR register reserved bits w/ +random values and bails out immediately. + +Reported-by: Andrey Konovalov +Reviewed-by: Paolo Bonzini +Cc: Paolo Bonzini +Cc: Radim Krčmář +Signed-off-by: Wanpeng Li +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/fpu/init.c | 1 + + arch/x86/kvm/x86.c | 9 +++++++-- + 2 files changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/fpu/init.c ++++ b/arch/x86/kernel/fpu/init.c +@@ -96,6 +96,7 @@ static void fpu__init_system_early_gener + * Boot time FPU feature detection code: + */ + unsigned int mxcsr_feature_mask __read_mostly = 0xffffffffu; ++EXPORT_SYMBOL_GPL(mxcsr_feature_mask); + + static void __init fpu__init_system_mxcsr(void) + { +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3140,11 +3140,14 @@ static void kvm_vcpu_ioctl_x86_get_xsave + } + } + ++#define XSAVE_MXCSR_OFFSET 24 ++ + static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu, + struct kvm_xsave *guest_xsave) + { + u64 xstate_bv = + *(u64 *)&guest_xsave->region[XSAVE_HDR_OFFSET / sizeof(u32)]; ++ u32 mxcsr = *(u32 *)&guest_xsave->region[XSAVE_MXCSR_OFFSET / sizeof(u32)]; + + if (cpu_has_xsave) { + /* +@@ -3152,11 +3155,13 @@ static int kvm_vcpu_ioctl_x86_set_xsave( + * CPUID leaf 0xD, index 0, EDX:EAX. This is for compatibility + * with old userspace. + */ +- if (xstate_bv & ~kvm_supported_xcr0()) ++ if (xstate_bv & ~kvm_supported_xcr0() || ++ mxcsr & ~mxcsr_feature_mask) + return -EINVAL; + load_xsave(vcpu, (u8 *)guest_xsave->region); + } else { +- if (xstate_bv & ~XFEATURE_MASK_FPSSE) ++ if (xstate_bv & ~XFEATURE_MASK_FPSSE || ++ mxcsr & ~mxcsr_feature_mask) + return -EINVAL; + memcpy(&vcpu->arch.guest_fpu.state.fxsave, + guest_xsave->region, sizeof(struct fxregs_state)); diff --git a/queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch b/queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch new file mode 100644 index 00000000000..0cd9d1b770d --- /dev/null +++ b/queue-4.4/kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch @@ -0,0 +1,276 @@ +From cbfc6c9184ce71b52df4b1d82af5afc81a709178 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Fri, 19 May 2017 02:46:56 -0700 +Subject: KVM: X86: Fix read out-of-bounds vulnerability in kvm pio emulation +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Wanpeng Li + +commit cbfc6c9184ce71b52df4b1d82af5afc81a709178 upstream. + +Huawei folks reported a read out-of-bounds vulnerability in kvm pio emulation. + +- "inb" instruction to access PIT Mod/Command register (ioport 0x43, write only, + a read should be ignored) in guest can get a random number. +- "rep insb" instruction to access PIT register port 0x43 can control memcpy() + in emulator_pio_in_emulated() to copy max 0x400 bytes but only read 1 bytes, + which will disclose the unimportant kernel memory in host but no crash. + +The similar test program below can reproduce the read out-of-bounds vulnerability: + +void hexdump(void *mem, unsigned int len) +{ + unsigned int i, j; + + for(i = 0; i < len + ((len % HEXDUMP_COLS) ? (HEXDUMP_COLS - len % HEXDUMP_COLS) : 0); i++) + { + /* print offset */ + if(i % HEXDUMP_COLS == 0) + { + printf("0x%06x: ", i); + } + + /* print hex data */ + if(i < len) + { + printf("%02x ", 0xFF & ((char*)mem)[i]); + } + else /* end of block, just aligning for ASCII dump */ + { + printf(" "); + } + + /* print ASCII dump */ + if(i % HEXDUMP_COLS == (HEXDUMP_COLS - 1)) + { + for(j = i - (HEXDUMP_COLS - 1); j <= i; j++) + { + if(j >= len) /* end of block, not really printing */ + { + putchar(' '); + } + else if(isprint(((char*)mem)[j])) /* printable char */ + { + putchar(0xFF & ((char*)mem)[j]); + } + else /* other char */ + { + putchar('.'); + } + } + putchar('\n'); + } + } +} + +int main(void) +{ + int i; + if (iopl(3)) + { + err(1, "set iopl unsuccessfully\n"); + return -1; + } + static char buf[0x40]; + + /* test ioport 0x40,0x41,0x42,0x43,0x44,0x45 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x40, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x41, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x42, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x43, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x44, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("mov $0x45, %rdx;"); + asm volatile ("in %dx,%al;"); + asm volatile ("stosb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + + /* ins port 0x40 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x20, %rcx;"); + asm volatile ("mov $0x40, %rdx;"); + asm volatile ("rep insb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + + /* ins port 0x43 */ + + memset(buf, 0xab, sizeof(buf)); + + asm volatile("push %rdi;"); + asm volatile("mov %0, %%rdi;"::"q"(buf)); + + asm volatile ("mov $0x20, %rcx;"); + asm volatile ("mov $0x43, %rdx;"); + asm volatile ("rep insb;"); + + asm volatile ("pop %rdi;"); + hexdump(buf, 0x40); + + printf("\n"); + return 0; +} + +The vcpu->arch.pio_data buffer is used by both in/out instrutions emulation +w/o clear after using which results in some random datas are left over in +the buffer. Guest reads port 0x43 will be ignored since it is write only, +however, the function kernel_pio() can't distigush this ignore from successfully +reads data from device's ioport. There is no new data fill the buffer from +port 0x43, however, emulator_pio_in_emulated() will copy the stale data in +the buffer to the guest unconditionally. This patch fixes it by clearing the +buffer before in instruction emulation to avoid to grant guest the stale data +in the buffer. + +In addition, string I/O is not supported for in kernel device. So there is no +iteration to read ioport %RCX times for string I/O. The function kernel_pio() +just reads one round, and then copy the io size * %RCX to the guest unconditionally, +actually it copies the one round ioport data w/ other random datas which are left +over in the vcpu->arch.pio_data buffer to the guest. This patch fixes it by +introducing the string I/O support for in kernel device in order to grant the right +ioport datas to the guest. + +Before the patch: + +0x000000: fe 38 93 93 ff ff ab ab .8...... +0x000008: ab ab ab ab ab ab ab ab ........ +0x000010: ab ab ab ab ab ab ab ab ........ +0x000018: ab ab ab ab ab ab ab ab ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: f6 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 +0x000018: 30 30 20 33 20 20 20 20 00 3 +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: f6 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 4d 51 30 30 ....MQ00 +0x000018: 30 30 20 33 20 20 20 20 00 3 +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +After the patch: + +0x000000: 1e 02 f8 00 ff ff ab ab ........ +0x000008: ab ab ab ab ab ab ab ab ........ +0x000010: ab ab ab ab ab ab ab ab ........ +0x000018: ab ab ab ab ab ab ab ab ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: d2 e2 d2 df d2 db d2 d7 ........ +0x000008: d2 d3 d2 cf d2 cb d2 c7 ........ +0x000010: d2 c4 d2 c0 d2 bc d2 b8 ........ +0x000018: d2 b4 d2 b0 d2 ac d2 a8 ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +0x000000: 00 00 00 00 00 00 00 00 ........ +0x000008: 00 00 00 00 00 00 00 00 ........ +0x000010: 00 00 00 00 00 00 00 00 ........ +0x000018: 00 00 00 00 00 00 00 00 ........ +0x000020: ab ab ab ab ab ab ab ab ........ +0x000028: ab ab ab ab ab ab ab ab ........ +0x000030: ab ab ab ab ab ab ab ab ........ +0x000038: ab ab ab ab ab ab ab ab ........ + +Reported-by: Moguofang +Cc: Paolo Bonzini +Cc: Radim Krčmář +Cc: Moguofang +Signed-off-by: Wanpeng Li +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 24 +++++++++++++++--------- + 1 file changed, 15 insertions(+), 9 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -4608,16 +4608,20 @@ emul_write: + + static int kernel_pio(struct kvm_vcpu *vcpu, void *pd) + { +- /* TODO: String I/O for in kernel device */ +- int r; ++ int r = 0, i; + +- if (vcpu->arch.pio.in) +- r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port, +- vcpu->arch.pio.size, pd); +- else +- r = kvm_io_bus_write(vcpu, KVM_PIO_BUS, +- vcpu->arch.pio.port, vcpu->arch.pio.size, +- pd); ++ for (i = 0; i < vcpu->arch.pio.count; i++) { ++ if (vcpu->arch.pio.in) ++ r = kvm_io_bus_read(vcpu, KVM_PIO_BUS, vcpu->arch.pio.port, ++ vcpu->arch.pio.size, pd); ++ else ++ r = kvm_io_bus_write(vcpu, KVM_PIO_BUS, ++ vcpu->arch.pio.port, vcpu->arch.pio.size, ++ pd); ++ if (r) ++ break; ++ pd += vcpu->arch.pio.size; ++ } + return r; + } + +@@ -4655,6 +4659,8 @@ static int emulator_pio_in_emulated(stru + if (vcpu->arch.pio.count) + goto data_avail; + ++ memset(vcpu->arch.pio_data, 0, size * count); ++ + ret = emulator_pio_in_out(vcpu, size, port, val, count, true); + if (ret) { + data_avail: diff --git a/queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch b/queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch new file mode 100644 index 00000000000..f0a8b7cf644 --- /dev/null +++ b/queue-4.4/regulator-tps65023-fix-inverted-core-enable-logic.patch @@ -0,0 +1,43 @@ +From c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 Mon Sep 17 00:00:00 2001 +From: Richard Cochran +Date: Mon, 17 Apr 2017 10:23:36 +0200 +Subject: regulator: tps65023: Fix inverted core enable logic. + +From: Richard Cochran + +commit c90722b54a4f5e21ac59301ed9a6dbaa439bdb16 upstream. + +Commit 43530b69d758328d3ffe6ab98fd640463e8e3667 ("regulator: Use +regmap_read/write(), regmap_update_bits functions directly") intended +to replace working inline helper functions with standard regmap +calls. However, it also inverted the set/clear logic of the "CORE ADJ +Allowed" bit. That patch was clearly never tested, since without that +bit cleared, the core VDCDC1 voltage output does not react to I2C +configuration changes. + +This patch fixes the issue by clearing the bit as in the original, +correct implementation. Note for stable back porting that, due to +subsequent driver churn, this patch will not apply on every kernel +version. + +Fixes: 43530b69d758 ("regulator: Use regmap_read/write(), regmap_update_bits functions directly") +Signed-off-by: Richard Cochran +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/regulator/tps65023-regulator.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/regulator/tps65023-regulator.c ++++ b/drivers/regulator/tps65023-regulator.c +@@ -311,8 +311,7 @@ static int tps_65023_probe(struct i2c_cl + + /* Enable setting output voltage by I2C */ + regmap_update_bits(tps->regmap, TPS65023_REG_CON_CTRL2, +- TPS65023_REG_CTRL2_CORE_ADJ, +- TPS65023_REG_CTRL2_CORE_ADJ); ++ TPS65023_REG_CTRL2_CORE_ADJ, 0); + + return 0; + } diff --git a/queue-4.4/s390-cputime-fix-incorrect-system-time.patch b/queue-4.4/s390-cputime-fix-incorrect-system-time.patch new file mode 100644 index 00000000000..1b9b5378f58 --- /dev/null +++ b/queue-4.4/s390-cputime-fix-incorrect-system-time.patch @@ -0,0 +1,95 @@ +From 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Tue, 2 May 2017 13:36:00 +0200 +Subject: s390/cputime: fix incorrect system time + +From: Martin Schwidefsky + +commit 07a63cbe8bcb6ba72fb989dcab1ec55ec6c36c7e upstream. + +git commit c5328901aa1db134 "[S390] entry[64].S improvements" removed +the update of the exit_timer lowcore field from the critical section +cleanup of the .Lsysc_restore/.Lsysc_done and .Lio_restore/.Lio_done +blocks. If the PSW is updated by the critical section cleanup to point to +user space again, the interrupt entry code will do a vtime calculation +after the cleanup completed with an exit_timer value which has *not* been +updated. Due to this incorrect system time deltas are calculated. + +If an interrupt occured with an old PSW between .Lsysc_restore/.Lsysc_done +or .Lio_restore/.Lio_done update __LC_EXIT_TIMER with the system entry +time of the interrupt. + +Tested-by: Christian Borntraeger +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/entry.S | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/arch/s390/kernel/entry.S ++++ b/arch/s390/kernel/entry.S +@@ -308,6 +308,7 @@ ENTRY(system_call) + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) + mvc __LC_RETURN_PSW(16),__PT_PSW(%r11) ++.Lsysc_exit_timer: + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER + lmg %r11,%r15,__PT_R11(%r11) +@@ -593,6 +594,7 @@ ENTRY(io_int_handler) + lg %r14,__LC_VDSO_PER_CPU + lmg %r0,%r10,__PT_R0(%r11) + mvc __LC_RETURN_PSW(16),__PT_PSW(%r11) ++.Lio_exit_timer: + stpt __LC_EXIT_TIMER + mvc __VDSO_ECTG_BASE(16,%r14),__LC_EXIT_TIMER + lmg %r11,%r15,__PT_R11(%r11) +@@ -1118,15 +1120,23 @@ cleanup_critical: + br %r14 + + .Lcleanup_sysc_restore: ++ # check if stpt has been executed + clg %r9,BASED(.Lcleanup_sysc_restore_insn) ++ jh 0f ++ mvc __LC_EXIT_TIMER(8),__LC_ASYNC_ENTER_TIMER ++ cghi %r11,__LC_SAVE_AREA_ASYNC + je 0f ++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER ++0: clg %r9,BASED(.Lcleanup_sysc_restore_insn+8) ++ je 1f + lg %r9,24(%r11) # get saved pointer to pt_regs + mvc __LC_RETURN_PSW(16),__PT_PSW(%r9) + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) +-0: lmg %r8,%r9,__LC_RETURN_PSW ++1: lmg %r8,%r9,__LC_RETURN_PSW + br %r14 + .Lcleanup_sysc_restore_insn: ++ .quad .Lsysc_exit_timer + .quad .Lsysc_done - 4 + + .Lcleanup_io_tif: +@@ -1134,15 +1144,20 @@ cleanup_critical: + br %r14 + + .Lcleanup_io_restore: ++ # check if stpt has been executed + clg %r9,BASED(.Lcleanup_io_restore_insn) +- je 0f ++ jh 0f ++ mvc __LC_EXIT_TIMER(8),__LC_MCCK_ENTER_TIMER ++0: clg %r9,BASED(.Lcleanup_io_restore_insn+8) ++ je 1f + lg %r9,24(%r11) # get saved r11 pointer to pt_regs + mvc __LC_RETURN_PSW(16),__PT_PSW(%r9) + mvc 0(64,%r11),__PT_R8(%r9) + lmg %r0,%r7,__PT_R0(%r9) +-0: lmg %r8,%r9,__LC_RETURN_PSW ++1: lmg %r8,%r9,__LC_RETURN_PSW + br %r14 + .Lcleanup_io_restore_insn: ++ .quad .Lio_exit_timer + .quad .Lio_done - 4 + + .Lcleanup_idle: diff --git a/queue-4.4/s390-kdump-add-final-note.patch b/queue-4.4/s390-kdump-add-final-note.patch new file mode 100644 index 00000000000..2079689f645 --- /dev/null +++ b/queue-4.4/s390-kdump-add-final-note.patch @@ -0,0 +1,73 @@ +From dcc00b79fc3d076832f7240de8870f492629b171 Mon Sep 17 00:00:00 2001 +From: Michael Holzheu +Date: Thu, 23 Mar 2017 21:02:54 +0100 +Subject: s390/kdump: Add final note + +From: Michael Holzheu + +commit dcc00b79fc3d076832f7240de8870f492629b171 upstream. + +Since linux v3.14 with commit 38dfac843cb6d7be1 ("vmcore: prevent PT_NOTE +p_memsz overflow during header update") on s390 we get the following +message in the kdump kernel: + + Warning: Exceeded p_memsz, dropping PT_NOTE entry n_namesz=0x6b6b6b6b, + n_descsz=0x6b6b6b6b + +The reason for this is that we don't create a final zero note in +the ELF header which the proc/vmcore code uses to find out the end +of the notes section (see also kernel/kexec_core.c:final_note()). + +It still worked on s390 by chance because we (most of the time?) have the +byte pattern 0x6b6b6b6b after the notes section which also makes the notes +parsing code stop in update_note_header_size_elf64() because 0x6b6b6b6b is +interpreded as note size: + + if ((real_sz + sz) > max_sz) { + pr_warn("Warning: Exceeded p_memsz, dropping P ...); + break; + } + +So fix this and add the missing final note to the ELF header. +We don't have to adjust the memory size for ELF header ("alloc_size") +because the new ELF note still fits into the 0x1000 base memory. + +Signed-off-by: Michael Holzheu +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/crash_dump.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +--- a/arch/s390/kernel/crash_dump.c ++++ b/arch/s390/kernel/crash_dump.c +@@ -464,6 +464,20 @@ static void *nt_vmcoreinfo(void *ptr) + } + + /* ++ * Initialize final note (needed for /proc/vmcore code) ++ */ ++static void *nt_final(void *ptr) ++{ ++ Elf64_Nhdr *note; ++ ++ note = (Elf64_Nhdr *) ptr; ++ note->n_namesz = 0; ++ note->n_descsz = 0; ++ note->n_type = 0; ++ return PTR_ADD(ptr, sizeof(Elf64_Nhdr)); ++} ++ ++/* + * Initialize ELF header (new kernel) + */ + static void *ehdr_init(Elf64_Ehdr *ehdr, int mem_chunk_cnt) +@@ -553,6 +567,7 @@ static void *notes_init(Elf64_Phdr *phdr + ptr = fill_cpu_elf_notes(ptr, &sa_ext->sa, sa_ext->vx_regs); + } + ptr = nt_vmcoreinfo(ptr); ++ ptr = nt_final(ptr); + memset(phdr, 0, sizeof(*phdr)); + phdr->p_type = PT_NOTE; + phdr->p_offset = notes_offset; diff --git a/queue-4.4/series b/queue-4.4/series index 474876adcda..529bbf0b522 100644 --- a/queue-4.4/series +++ b/queue-4.4/series @@ -18,3 +18,11 @@ dm-space-map-disk-fix-some-book-keeping-in-the-disk-space-map.patch md-update-slab_cache-before-releasing-new-stripes-when-stripes-resizing.patch rtlwifi-rtl8821ae-setup-8812ae-rfe-according-to-device-type.patch mwifiex-pcie-fix-cmd_buf-use-after-free-in-remove-reset.patch +ima-accept-previously-set-ima_new_file.patch +kvm-x86-fix-load-damaged-ssex-mxcsr-register.patch +kvm-x86-fix-read-out-of-bounds-vulnerability-in-kvm-pio-emulation.patch +regulator-tps65023-fix-inverted-core-enable-logic.patch +s390-kdump-add-final-note.patch +s390-cputime-fix-incorrect-system-time.patch +ath9k_htc-add-support-of-airties-1eda-2315-ar9271-device.patch +ath9k_htc-fix-null-deref-at-probe.patch