From: Greg Kroah-Hartman Date: Sat, 18 Jun 2016 16:57:46 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.73~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a4de7b3ab9b162118394f3e406d12d6553f25966;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arm-fix-ptrace_setvfpregs-on-smp-systems.patch crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch ecryptfs-forbid-opening-files-without-mmap-handler.patch fix-d_walk-non-delayed-__d_free-race.patch kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch powerpc-fix-definition-of-siar-and-sdar-registers.patch powerpc-use-privileged-spr-number-for-mmcr2.patch proc-prevent-stacking-filesystems-on-top.patch wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch --- diff --git a/queue-3.14/arm-fix-ptrace_setvfpregs-on-smp-systems.patch b/queue-3.14/arm-fix-ptrace_setvfpregs-on-smp-systems.patch new file mode 100644 index 00000000000..17523d1d281 --- /dev/null +++ b/queue-3.14/arm-fix-ptrace_setvfpregs-on-smp-systems.patch @@ -0,0 +1,41 @@ +From e2dfb4b880146bfd4b6aa8e138c0205407cebbaf Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Mon, 30 May 2016 23:14:56 +0100 +Subject: ARM: fix PTRACE_SETVFPREGS on SMP systems + +From: Russell King + +commit e2dfb4b880146bfd4b6aa8e138c0205407cebbaf upstream. + +PTRACE_SETVFPREGS fails to properly mark the VFP register set to be +reloaded, because it undoes one of the effects of vfp_flush_hwstate(). + +Specifically vfp_flush_hwstate() sets thread->vfpstate.hard.cpu to +an invalid CPU number, but vfp_set() overwrites this with the original +CPU number, thereby rendering the hardware state as apparently "valid", +even though the software state is more recent. + +Fix this by reverting the previous change. + +Fixes: 8130b9d7b9d8 ("ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers") +Acked-by: Will Deacon +Tested-by: Simon Marchi +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -733,8 +733,8 @@ static int vfp_set(struct task_struct *t + if (ret) + return ret; + +- vfp_flush_hwstate(thread); + thread->vfpstate.hard = new_vfp; ++ vfp_flush_hwstate(thread); + + return 0; + } diff --git a/queue-3.14/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch b/queue-3.14/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch new file mode 100644 index 00000000000..e03569b9473 --- /dev/null +++ b/queue-3.14/crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch @@ -0,0 +1,67 @@ +From ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 Mon Sep 17 00:00:00 2001 +From: Tom Lendacky +Date: Fri, 20 May 2016 17:33:03 -0500 +Subject: crypto: ccp - Fix AES XTS error for request sizes above 4096 + +From: Tom Lendacky + +commit ab6a11a7c8ef47f996974dd3c648c2c0b1a36ab1 upstream. + +The ccp-crypto module for AES XTS support has a bug that can allow requests +greater than 4096 bytes in size to be passed to the CCP hardware. The CCP +hardware does not support request sizes larger than 4096, resulting in +incorrect output. The request should actually be handled by the fallback +mechanism instantiated by the ccp-crypto module. + +Add a check to insure the request size is less than or equal to the maximum +supported size and use the fallback mechanism if it is not. + +Signed-off-by: Tom Lendacky +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/ccp/ccp-crypto-aes-xts.c | 17 ++++++++++++----- + 1 file changed, 12 insertions(+), 5 deletions(-) + +--- a/drivers/crypto/ccp/ccp-crypto-aes-xts.c ++++ b/drivers/crypto/ccp/ccp-crypto-aes-xts.c +@@ -123,6 +123,7 @@ static int ccp_aes_xts_crypt(struct ablk + struct ccp_ctx *ctx = crypto_tfm_ctx(req->base.tfm); + struct ccp_aes_req_ctx *rctx = ablkcipher_request_ctx(req); + unsigned int unit; ++ u32 unit_size; + int ret; + + if (!ctx->u.aes.key_len) +@@ -134,11 +135,17 @@ static int ccp_aes_xts_crypt(struct ablk + if (!req->info) + return -EINVAL; + +- for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) +- if (!(req->nbytes & (unit_size_map[unit].size - 1))) +- break; ++ unit_size = CCP_XTS_AES_UNIT_SIZE__LAST; ++ if (req->nbytes <= unit_size_map[0].size) { ++ for (unit = 0; unit < ARRAY_SIZE(unit_size_map); unit++) { ++ if (!(req->nbytes & (unit_size_map[unit].size - 1))) { ++ unit_size = unit_size_map[unit].value; ++ break; ++ } ++ } ++ } + +- if ((unit_size_map[unit].value == CCP_XTS_AES_UNIT_SIZE__LAST) || ++ if ((unit_size == CCP_XTS_AES_UNIT_SIZE__LAST) || + (ctx->u.aes.key_len != AES_KEYSIZE_128)) { + /* Use the fallback to process the request for any + * unsupported unit sizes or key sizes +@@ -159,7 +166,7 @@ static int ccp_aes_xts_crypt(struct ablk + rctx->cmd.engine = CCP_ENGINE_XTS_AES_128; + rctx->cmd.u.xts.action = (encrypt) ? CCP_AES_ACTION_ENCRYPT + : CCP_AES_ACTION_DECRYPT; +- rctx->cmd.u.xts.unit_size = unit_size_map[unit].value; ++ rctx->cmd.u.xts.unit_size = unit_size; + rctx->cmd.u.xts.key = &ctx->u.aes.key_sg; + rctx->cmd.u.xts.key_len = ctx->u.aes.key_len; + rctx->cmd.u.xts.iv = &rctx->iv_sg; diff --git a/queue-3.14/ecryptfs-forbid-opening-files-without-mmap-handler.patch b/queue-3.14/ecryptfs-forbid-opening-files-without-mmap-handler.patch new file mode 100644 index 00000000000..a855f1c1e9b --- /dev/null +++ b/queue-3.14/ecryptfs-forbid-opening-files-without-mmap-handler.patch @@ -0,0 +1,59 @@ +From 2f36db71009304b3f0b95afacd8eba1f9f046b87 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 1 Jun 2016 11:55:06 +0200 +Subject: ecryptfs: forbid opening files without mmap handler + +From: Jann Horn + +commit 2f36db71009304b3f0b95afacd8eba1f9f046b87 upstream. + +This prevents users from triggering a stack overflow through a recursive +invocation of pagefault handling that involves mapping procfs files into +virtual memory. + +Signed-off-by: Jann Horn +Acked-by: Tyler Hicks +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/kthread.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/kthread.c ++++ b/fs/ecryptfs/kthread.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include "ecryptfs_kernel.h" + + struct ecryptfs_open_req { +@@ -147,7 +148,7 @@ int ecryptfs_privileged_open(struct file + flags |= IS_RDONLY(lower_dentry->d_inode) ? O_RDONLY : O_RDWR; + (*lower_file) = dentry_open(&req.path, flags, cred); + if (!IS_ERR(*lower_file)) +- goto out; ++ goto have_file; + if ((flags & O_ACCMODE) == O_RDONLY) { + rc = PTR_ERR((*lower_file)); + goto out; +@@ -165,8 +166,16 @@ int ecryptfs_privileged_open(struct file + mutex_unlock(&ecryptfs_kthread_ctl.mux); + wake_up(&ecryptfs_kthread_ctl.wait); + wait_for_completion(&req.done); +- if (IS_ERR(*lower_file)) ++ if (IS_ERR(*lower_file)) { + rc = PTR_ERR(*lower_file); ++ goto out; ++ } ++have_file: ++ if ((*lower_file)->f_op->mmap == NULL) { ++ fput(*lower_file); ++ *lower_file = NULL; ++ rc = -EMEDIUMTYPE; ++ } + out: + return rc; + } diff --git a/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch b/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch new file mode 100644 index 00000000000..e0f1f1d978b --- /dev/null +++ b/queue-3.14/fix-d_walk-non-delayed-__d_free-race.patch @@ -0,0 +1,56 @@ +From 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Tue, 7 Jun 2016 21:26:55 -0400 +Subject: fix d_walk()/non-delayed __d_free() race + +From: Al Viro + +commit 3d56c25e3bb0726a5c5e16fc2d9e38f8ed763085 upstream. + +Ascend-to-parent logics in d_walk() depends on all encountered child +dentries not getting freed without an RCU delay. Unfortunately, in +quite a few cases it is not true, with hard-to-hit oopsable race as +the result. + +Fortunately, the fix is simiple; right now the rule is "if it ever +been hashed, freeing must be delayed" and changing it to "if it +ever had a parent, freeing must be delayed" closes that hole and +covers all cases the old rule used to cover. Moreover, pipes and +sockets remain _not_ covered, so we do not introduce RCU delay in +the cases which are the reason for having that delay conditional +in the first place. + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + fs/dcache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/dcache.c ++++ b/fs/dcache.c +@@ -1500,7 +1500,7 @@ struct dentry *d_alloc(struct dentry * p + struct dentry *dentry = __d_alloc(parent->d_sb, name); + if (!dentry) + return NULL; +- ++ dentry->d_flags |= DCACHE_RCUACCESS; + spin_lock(&parent->d_lock); + /* + * don't need child lock because it is not subject +@@ -2352,7 +2352,6 @@ static void __d_rehash(struct dentry * e + { + BUG_ON(!d_unhashed(entry)); + hlist_bl_lock(b); +- entry->d_flags |= DCACHE_RCUACCESS; + hlist_bl_add_head_rcu(&entry->d_hash, b); + hlist_bl_unlock(b); + } +@@ -2536,6 +2535,7 @@ static void __d_move(struct dentry * den + + /* ... and switch the parents */ + if (IS_ROOT(dentry)) { ++ dentry->d_flags |= DCACHE_RCUACCESS; + dentry->d_parent = target->d_parent; + target->d_parent = target; + INIT_LIST_HEAD(&target->d_child); diff --git a/queue-3.14/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch b/queue-3.14/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch new file mode 100644 index 00000000000..57346fe510f --- /dev/null +++ b/queue-3.14/kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch @@ -0,0 +1,83 @@ +From d14bdb553f9196169f003058ae1cdabe514470e6 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 1 Jun 2016 14:09:23 +0200 +Subject: KVM: x86: fix OOPS after invalid KVM_SET_DEBUGREGS +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Paolo Bonzini + +commit d14bdb553f9196169f003058ae1cdabe514470e6 upstream. + +MOV to DR6 or DR7 causes a #GP if an attempt is made to write a 1 to +any of bits 63:32. However, this is not detected at KVM_SET_DEBUGREGS +time, and the next KVM_RUN oopses: + + general protection fault: 0000 [#1] SMP + CPU: 2 PID: 14987 Comm: a.out Not tainted 4.4.9-300.fc23.x86_64 #1 + Hardware name: LENOVO 2325F51/2325F51, BIOS G2ET32WW (1.12 ) 05/30/2012 + [...] + Call Trace: + [] kvm_arch_vcpu_ioctl_run+0x141d/0x14e0 [kvm] + [] kvm_vcpu_ioctl+0x33d/0x620 [kvm] + [] do_vfs_ioctl+0x298/0x480 + [] SyS_ioctl+0x79/0x90 + [] entry_SYSCALL_64_fastpath+0x12/0x71 + Code: 55 83 ff 07 48 89 e5 77 27 89 ff ff 24 fd 90 87 80 81 0f 23 fe 5d c3 0f 23 c6 5d c3 0f 23 ce 5d c3 0f 23 d6 5d c3 0f 23 de 5d c3 <0f> 23 f6 5d c3 0f 0b 66 66 66 66 66 2e 0f 1f 84 00 00 00 00 00 + RIP [] native_set_debugreg+0x2b/0x40 + RSP + +Testcase (beautified/reduced from syzkaller output): + + #include + #include + #include + #include + #include + #include + #include + + long r[8]; + + int main() + { + struct kvm_debugregs dr = { 0 }; + + r[2] = open("/dev/kvm", O_RDONLY); + r[3] = ioctl(r[2], KVM_CREATE_VM, 0); + r[4] = ioctl(r[3], KVM_CREATE_VCPU, 7); + + memcpy(&dr, + "\x5d\x6a\x6b\xe8\x57\x3b\x4b\x7e\xcf\x0d\xa1\x72" + "\xa3\x4a\x29\x0c\xfc\x6d\x44\x00\xa7\x52\xc7\xd8" + "\x00\xdb\x89\x9d\x78\xb5\x54\x6b\x6b\x13\x1c\xe9" + "\x5e\xd3\x0e\x40\x6f\xb4\x66\xf7\x5b\xe3\x36\xcb", + 48); + r[7] = ioctl(r[4], KVM_SET_DEBUGREGS, &dr); + r[6] = ioctl(r[4], KVM_RUN, 0); + } + +Reported-by: Dmitry Vyukov +Signed-off-by: Paolo Bonzini +Signed-off-by: Radim Krčmář +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3029,6 +3029,11 @@ static int kvm_vcpu_ioctl_x86_set_debugr + if (dbgregs->flags) + return -EINVAL; + ++ if (dbgregs->dr6 & ~0xffffffffull) ++ return -EINVAL; ++ if (dbgregs->dr7 & ~0xffffffffull) ++ return -EINVAL; ++ + memcpy(vcpu->arch.db, dbgregs->db, sizeof(vcpu->arch.db)); + vcpu->arch.dr6 = dbgregs->dr6; + kvm_update_dr6(vcpu); diff --git a/queue-3.14/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch b/queue-3.14/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch new file mode 100644 index 00000000000..a48e1079223 --- /dev/null +++ b/queue-3.14/parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch @@ -0,0 +1,109 @@ +From 8b78f260887df532da529f225c49195d18fef36b Mon Sep 17 00:00:00 2001 +From: Helge Deller +Date: Sat, 4 Jun 2016 17:21:33 +0200 +Subject: parisc: Fix pagefault crash in unaligned __get_user() call + +From: Helge Deller + +commit 8b78f260887df532da529f225c49195d18fef36b upstream. + +One of the debian buildd servers had this crash in the syslog without +any other information: + + Unaligned handler failed, ret = -2 + clock_adjtime (pid 22578): Unaligned data reference (code 28) + CPU: 1 PID: 22578 Comm: clock_adjtime Tainted: G E 4.5.0-2-parisc64-smp #1 Debian 4.5.4-1 + task: 000000007d9960f8 ti: 00000001bde7c000 task.ti: 00000001bde7c000 + + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI + PSW: 00001000000001001111100000001111 Tainted: G E + r00-03 000000ff0804f80f 00000001bde7c2b0 00000000402d2be8 00000001bde7c2b0 + r04-07 00000000409e1fd0 00000000fa6f7fff 00000001bde7c148 00000000fa6f7fff + r08-11 0000000000000000 00000000ffffffff 00000000fac9bb7b 000000000002b4d4 + r12-15 000000000015241c 000000000015242c 000000000000002d 00000000fac9bb7b + r16-19 0000000000028800 0000000000000001 0000000000000070 00000001bde7c218 + r20-23 0000000000000000 00000001bde7c210 0000000000000002 0000000000000000 + r24-27 0000000000000000 0000000000000000 00000001bde7c148 00000000409e1fd0 + r28-31 0000000000000001 00000001bde7c320 00000001bde7c350 00000001bde7c218 + sr00-03 0000000001200000 0000000001200000 0000000000000000 0000000001200000 + sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + + IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d2e84 00000000402d2e88 + IIR: 0ca0d089 ISR: 0000000001200000 IOR: 00000000fa6f7fff + CPU: 1 CR30: 00000001bde7c000 CR31: ffffffffffffffff + ORIG_R28: 00000002369fe628 + IAOQ[0]: compat_get_timex+0x2dc/0x3c0 + IAOQ[1]: compat_get_timex+0x2e0/0x3c0 + RP(r2): compat_get_timex+0x40/0x3c0 + Backtrace: + [<00000000402d4608>] compat_SyS_clock_adjtime+0x40/0xc0 + [<0000000040205024>] syscall_exit+0x0/0x14 + +This means the userspace program clock_adjtime called the clock_adjtime() +syscall and then crashed inside the compat_get_timex() function. +Syscalls should never crash programs, but instead return EFAULT. + +The IIR register contains the executed instruction, which disassebles +into "ldw 0(sr3,r5),r9". +This load-word instruction is part of __get_user() which tried to read the word +at %r5/IOR (0xfa6f7fff). This means the unaligned handler jumped in. The +unaligned handler is able to emulate all ldw instructions, but it fails if it +fails to read the source e.g. because of page fault. + +The following program reproduces the problem: + +#define _GNU_SOURCE +#include +#include +#include + +int main(void) { + /* allocate 8k */ + char *ptr = mmap(NULL, 2*4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0); + /* free second half (upper 4k) and make it invalid. */ + munmap(ptr+4096, 4096); + /* syscall where first int is unaligned and clobbers into invalid memory region */ + /* syscall should return EFAULT */ + return syscall(__NR_clock_adjtime, 0, ptr+4095); +} + +To fix this issue we simply need to check if the faulting instruction address +is in the exception fixup table when the unaligned handler failed. If it +is, call the fixup routine instead of crashing. + +While looking at the unaligned handler I found another issue as well: The +target register should not be modified if the handler was unsuccessful. + +Signed-off-by: Helge Deller +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/unaligned.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/arch/parisc/kernel/unaligned.c ++++ b/arch/parisc/kernel/unaligned.c +@@ -666,7 +666,7 @@ void handle_unaligned(struct pt_regs *re + break; + } + +- if (modify && R1(regs->iir)) ++ if (ret == 0 && modify && R1(regs->iir)) + regs->gr[R1(regs->iir)] = newbase; + + +@@ -677,6 +677,14 @@ void handle_unaligned(struct pt_regs *re + + if (ret) + { ++ /* ++ * The unaligned handler failed. ++ * If we were called by __get_user() or __put_user() jump ++ * to it's exception fixup handler instead of crashing. ++ */ ++ if (!user_mode(regs) && fixup_exception(regs)) ++ return; ++ + printk(KERN_CRIT "Unaligned handler failed, ret = %d\n", ret); + die_if_kernel("Unaligned data reference", regs, 28); + diff --git a/queue-3.14/powerpc-fix-definition-of-siar-and-sdar-registers.patch b/queue-3.14/powerpc-fix-definition-of-siar-and-sdar-registers.patch new file mode 100644 index 00000000000..8dd9667efc5 --- /dev/null +++ b/queue-3.14/powerpc-fix-definition-of-siar-and-sdar-registers.patch @@ -0,0 +1,46 @@ +From d23fac2b27d94aeb7b65536a50d32bfdc21fe01e Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 12 May 2016 13:26:44 +0200 +Subject: powerpc: Fix definition of SIAR and SDAR registers + +From: Thomas Huth + +commit d23fac2b27d94aeb7b65536a50d32bfdc21fe01e upstream. + +The SIAR and SDAR registers are available twice, one time as SPRs +780 / 781 (unprivileged, but read-only), and one time as the SPRs +796 / 797 (privileged, but read and write). The Linux kernel code +currently uses the unprivileged SPRs - while this is OK for reading, +writing to that register of course does not work. +Since the KVM code tries to write to this register, too (see the mtspr +in book3s_hv_rmhandlers.S), the contents of this register sometimes get +lost for the guests, e.g. during migration of a VM. +To fix this issue, simply switch to the privileged SPR numbers instead. + +Signed-off-by: Thomas Huth +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -715,13 +715,13 @@ + #define SPRN_PMC6 792 + #define SPRN_PMC7 793 + #define SPRN_PMC8 794 +-#define SPRN_SIAR 780 +-#define SPRN_SDAR 781 + #define SPRN_SIER 784 + #define SIER_SIPR 0x2000000 /* Sampled MSR_PR */ + #define SIER_SIHV 0x1000000 /* Sampled MSR_HV */ + #define SIER_SIAR_VALID 0x0400000 /* SIAR contents valid */ + #define SIER_SDAR_VALID 0x0200000 /* SDAR contents valid */ ++#define SPRN_SIAR 796 ++#define SPRN_SDAR 797 + #define SPRN_TACR 888 + #define SPRN_TCSCR 889 + #define SPRN_CSIGR 890 diff --git a/queue-3.14/powerpc-use-privileged-spr-number-for-mmcr2.patch b/queue-3.14/powerpc-use-privileged-spr-number-for-mmcr2.patch new file mode 100644 index 00000000000..7c75d48221e --- /dev/null +++ b/queue-3.14/powerpc-use-privileged-spr-number-for-mmcr2.patch @@ -0,0 +1,35 @@ +From 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 Mon Sep 17 00:00:00 2001 +From: Thomas Huth +Date: Thu, 12 May 2016 13:29:11 +0200 +Subject: powerpc: Use privileged SPR number for MMCR2 + +From: Thomas Huth + +commit 8dd75ccb571f3c92c48014b3dabd3d51a115ab41 upstream. + +We are already using the privileged versions of MMCR0, MMCR1 +and MMCRA in the kernel, so for MMCR2, we should better use +the privileged versions, too, to be consistent. + +Fixes: 240686c13687 ("powerpc: Initialise PMU related regs on Power8") +Suggested-by: Paul Mackerras +Signed-off-by: Thomas Huth +Acked-by: Paul Mackerras +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/reg.h ++++ b/arch/powerpc/include/asm/reg.h +@@ -680,7 +680,7 @@ + #define MMCR0_FCWAIT 0x00000002UL /* freeze counter in WAIT state */ + #define MMCR0_FCHV 0x00000001UL /* freeze conditions in hypervisor mode */ + #define SPRN_MMCR1 798 +-#define SPRN_MMCR2 769 ++#define SPRN_MMCR2 785 + #define SPRN_MMCRA 0x312 + #define MMCRA_SDSYNC 0x80000000UL /* SDAR synced with SIAR */ + #define MMCRA_SDAR_DCACHE_MISS 0x40000000UL diff --git a/queue-3.14/proc-prevent-stacking-filesystems-on-top.patch b/queue-3.14/proc-prevent-stacking-filesystems-on-top.patch new file mode 100644 index 00000000000..4024aab3803 --- /dev/null +++ b/queue-3.14/proc-prevent-stacking-filesystems-on-top.patch @@ -0,0 +1,41 @@ +From e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 Mon Sep 17 00:00:00 2001 +From: Jann Horn +Date: Wed, 1 Jun 2016 11:55:05 +0200 +Subject: proc: prevent stacking filesystems on top + +From: Jann Horn + +commit e54ad7f1ee263ffa5a2de9c609d58dfa27b21cd9 upstream. + +This prevents stacking filesystems (ecryptfs and overlayfs) from using +procfs as lower filesystem. There is too much magic going on inside +procfs, and there is no good reason to stack stuff on top of procfs. + +(For example, procfs does access checks in VFS open handlers, and +ecryptfs by design calls open handlers from a kernel thread that doesn't +drop privileges or so.) + +Signed-off-by: Jann Horn +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/root.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/proc/root.c ++++ b/fs/proc/root.c +@@ -122,6 +122,13 @@ static struct dentry *proc_mount(struct + if (IS_ERR(sb)) + return ERR_CAST(sb); + ++ /* ++ * procfs isn't actually a stacking filesystem; however, there is ++ * too much magic going on inside it to permit stacking things on ++ * top of it ++ */ ++ sb->s_stack_depth = FILESYSTEM_MAX_STACK_DEPTH; ++ + if (!proc_parse_options(options, ns)) { + deactivate_locked_super(sb); + return ERR_PTR(-EINVAL); diff --git a/queue-3.14/series b/queue-3.14/series index 22bfb20fb8c..1baaab13633 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -1,3 +1,13 @@ netlink-fix-dump-skb-leak-double-free.patch sfc-on-mc-reset-clear-pio-buffer-linkage-in-txqs.patch tcp-record-tlp-and-er-timer-stats-in-v6-stats.patch +kvm-x86-fix-oops-after-invalid-kvm_set_debugregs.patch +arm-fix-ptrace_setvfpregs-on-smp-systems.patch +crypto-ccp-fix-aes-xts-error-for-request-sizes-above-4096.patch +powerpc-fix-definition-of-siar-and-sdar-registers.patch +powerpc-use-privileged-spr-number-for-mmcr2.patch +parisc-fix-pagefault-crash-in-unaligned-__get_user-call.patch +ecryptfs-forbid-opening-files-without-mmap-handler.patch +wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch +proc-prevent-stacking-filesystems-on-top.patch +fix-d_walk-non-delayed-__d_free-race.patch diff --git a/queue-3.14/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch b/queue-3.14/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch new file mode 100644 index 00000000000..34cb3695502 --- /dev/null +++ b/queue-3.14/wext-fix-32-bit-iwpriv-compatibility-issue-with-64-bit-kernel.patch @@ -0,0 +1,68 @@ +From 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 Mon Sep 17 00:00:00 2001 +From: Prasun Maiti +Date: Mon, 6 Jun 2016 20:04:19 +0530 +Subject: wext: Fix 32 bit iwpriv compatibility issue with 64 bit Kernel + +From: Prasun Maiti + +commit 3d5fdff46c4b2b9534fa2f9fc78e90a48e0ff724 upstream. + +iwpriv app uses iw_point structure to send data to Kernel. The iw_point +structure holds a pointer. For compatibility Kernel converts the pointer +as required for WEXT IOCTLs (SIOCIWFIRST to SIOCIWLAST). Some drivers +may use iw_handler_def.private_args to populate iwpriv commands instead +of iw_handler_def.private. For those case, the IOCTLs from +SIOCIWFIRSTPRIV to SIOCIWLASTPRIV will follow the path ndo_do_ioctl(). +Accordingly when the filled up iw_point structure comes from 32 bit +iwpriv to 64 bit Kernel, Kernel will not convert the pointer and sends +it to driver. So, the driver may get the invalid data. + +The pointer conversion for the IOCTLs (SIOCIWFIRSTPRIV to +SIOCIWLASTPRIV), which follow the path ndo_do_ioctl(), is mandatory. +This patch adds pointer conversion from 32 bit to 64 bit and vice versa, +if the ioctl comes from 32 bit iwpriv to 64 bit Kernel. + +Signed-off-by: Prasun Maiti +Signed-off-by: Ujjal Roy +Tested-by: Dibyajyoti Ghosh +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-core.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -954,8 +954,29 @@ static int wireless_process_ioctl(struct + return private(dev, iwr, cmd, info, handler); + } + /* Old driver API : call driver ioctl handler */ +- if (dev->netdev_ops->ndo_do_ioctl) +- return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ if (dev->netdev_ops->ndo_do_ioctl) { ++#ifdef CONFIG_COMPAT ++ if (info->flags & IW_REQUEST_FLAG_COMPAT) { ++ int ret = 0; ++ struct iwreq iwr_lcl; ++ struct compat_iw_point *iwp_compat = (void *) &iwr->u.data; ++ ++ memcpy(&iwr_lcl, iwr, sizeof(struct iwreq)); ++ iwr_lcl.u.data.pointer = compat_ptr(iwp_compat->pointer); ++ iwr_lcl.u.data.length = iwp_compat->length; ++ iwr_lcl.u.data.flags = iwp_compat->flags; ++ ++ ret = dev->netdev_ops->ndo_do_ioctl(dev, (void *) &iwr_lcl, cmd); ++ ++ iwp_compat->pointer = ptr_to_compat(iwr_lcl.u.data.pointer); ++ iwp_compat->length = iwr_lcl.u.data.length; ++ iwp_compat->flags = iwr_lcl.u.data.flags; ++ ++ return ret; ++ } else ++#endif ++ return dev->netdev_ops->ndo_do_ioctl(dev, ifr, cmd); ++ } + return -EOPNOTSUPP; + } +