From: Greg Kroah-Hartman Date: Wed, 4 Mar 2015 05:19:06 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.71~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b18333e9d3b06e2c2ef7c549c4e86225564e5120;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch gpio-tps65912-fix-wrong-container_of-arguments.patch jffs2-fix-handling-of-corrupted-summary-length.patch md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch metag-fix-kstk_eip-and-kstk_esp-macros.patch x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch --- diff --git a/queue-3.10/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch b/queue-3.10/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch new file mode 100644 index 00000000000..2892dc847fa --- /dev/null +++ b/queue-3.10/blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch @@ -0,0 +1,121 @@ +From 045c47ca306acf30c740c285a77a4b4bda6be7c5 Mon Sep 17 00:00:00 2001 +From: Thadeu Lima de Souza Cascardo +Date: Mon, 16 Feb 2015 17:16:45 -0200 +Subject: blk-throttle: check stats_cpu before reading it from sysfs + +From: Thadeu Lima de Souza Cascardo + +commit 045c47ca306acf30c740c285a77a4b4bda6be7c5 upstream. + +When reading blkio.throttle.io_serviced in a recently created blkio +cgroup, it's possible to race against the creation of a throttle policy, +which delays the allocation of stats_cpu. + +Like other functions in the throttle code, just checking for a NULL +stats_cpu prevents the following oops caused by that race. + +[ 1117.285199] Unable to handle kernel paging request for data at address 0x7fb4d0020 +[ 1117.285252] Faulting instruction address: 0xc0000000003efa2c +[ 1137.733921] Oops: Kernel access of bad area, sig: 11 [#1] +[ 1137.733945] SMP NR_CPUS=2048 NUMA PowerNV +[ 1137.734025] Modules linked in: bridge stp llc kvm_hv kvm binfmt_misc autofs4 +[ 1137.734102] CPU: 3 PID: 5302 Comm: blkcgroup Not tainted 3.19.0 #5 +[ 1137.734132] task: c000000f1d188b00 ti: c000000f1d210000 task.ti: c000000f1d210000 +[ 1137.734167] NIP: c0000000003efa2c LR: c0000000003ef9f0 CTR: c0000000003ef980 +[ 1137.734202] REGS: c000000f1d213500 TRAP: 0300 Not tainted (3.19.0) +[ 1137.734230] MSR: 9000000000009032 CR: 42008884 XER: 20000000 +[ 1137.734325] CFAR: 0000000000008458 DAR: 00000007fb4d0020 DSISR: 40000000 SOFTE: 0 +GPR00: c0000000003ed3a0 c000000f1d213780 c000000000c59538 0000000000000000 +GPR04: 0000000000000800 0000000000000000 0000000000000000 0000000000000000 +GPR08: ffffffffffffffff 00000007fb4d0020 00000007fb4d0000 c000000000780808 +GPR12: 0000000022000888 c00000000fdc0d80 0000000000000000 0000000000000000 +GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +GPR20: 000001003e120200 c000000f1d5b0cc0 0000000000000200 0000000000000000 +GPR24: 0000000000000001 c000000000c269e0 0000000000000020 c000000f1d5b0c80 +GPR28: c000000000ca3a08 c000000000ca3dec c000000f1c667e00 c000000f1d213850 +[ 1137.734886] NIP [c0000000003efa2c] .tg_prfill_cpu_rwstat+0xac/0x180 +[ 1137.734915] LR [c0000000003ef9f0] .tg_prfill_cpu_rwstat+0x70/0x180 +[ 1137.734943] Call Trace: +[ 1137.734952] [c000000f1d213780] [d000000005560520] 0xd000000005560520 (unreliable) +[ 1137.734996] [c000000f1d2138a0] [c0000000003ed3a0] .blkcg_print_blkgs+0xe0/0x1a0 +[ 1137.735039] [c000000f1d213960] [c0000000003efb50] .tg_print_cpu_rwstat+0x50/0x70 +[ 1137.735082] [c000000f1d2139e0] [c000000000104b48] .cgroup_seqfile_show+0x58/0x150 +[ 1137.735125] [c000000f1d213a70] [c0000000002749dc] .kernfs_seq_show+0x3c/0x50 +[ 1137.735161] [c000000f1d213ae0] [c000000000218630] .seq_read+0xe0/0x510 +[ 1137.735197] [c000000f1d213bd0] [c000000000275b04] .kernfs_fop_read+0x164/0x200 +[ 1137.735240] [c000000f1d213c80] [c0000000001eb8e0] .__vfs_read+0x30/0x80 +[ 1137.735276] [c000000f1d213cf0] [c0000000001eb9c4] .vfs_read+0x94/0x1b0 +[ 1137.735312] [c000000f1d213d90] [c0000000001ebb38] .SyS_read+0x58/0x100 +[ 1137.735349] [c000000f1d213e30] [c000000000009218] syscall_exit+0x0/0x98 +[ 1137.735383] Instruction dump: +[ 1137.735405] 7c6307b4 7f891800 409d00b8 60000000 60420000 3d420004 392a63b0 786a1f24 +[ 1137.735471] 7d49502a e93e01c8 7d495214 7d2ad214 <7cead02a> e9090008 e9490010 e9290018 + +And here is one code that allows to easily reproduce this, although this +has first been found by running docker. + +void run(pid_t pid) +{ + int n; + int status; + int fd; + char *buffer; + buffer = memalign(BUFFER_ALIGN, BUFFER_SIZE); + n = snprintf(buffer, BUFFER_SIZE, "%d\n", pid); + fd = open(CGPATH "/test/tasks", O_WRONLY); + write(fd, buffer, n); + close(fd); + if (fork() > 0) { + fd = open("/dev/sda", O_RDONLY | O_DIRECT); + read(fd, buffer, 512); + close(fd); + wait(&status); + } else { + fd = open(CGPATH "/test/blkio.throttle.io_serviced", O_RDONLY); + n = read(fd, buffer, BUFFER_SIZE); + close(fd); + } + free(buffer); + exit(0); +} + +void test(void) +{ + int status; + mkdir(CGPATH "/test", 0666); + if (fork() > 0) + wait(&status); + else + run(getpid()); + rmdir(CGPATH "/test"); +} + +int main(int argc, char **argv) +{ + int i; + for (i = 0; i < NR_TESTS; i++) + test(); + return 0; +} + +Reported-by: Ricardo Marin Matinata +Signed-off-by: Thadeu Lima de Souza Cascardo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-throttle.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/block/blk-throttle.c ++++ b/block/blk-throttle.c +@@ -942,6 +942,9 @@ static u64 tg_prfill_cpu_rwstat(struct s + struct blkg_rwstat rwstat = { }, tmp; + int i, cpu; + ++ if (tg->stats_cpu == NULL) ++ return 0; ++ + for_each_possible_cpu(cpu) { + struct tg_stats_cpu *sc = per_cpu_ptr(tg->stats_cpu, cpu); + diff --git a/queue-3.10/gpio-tps65912-fix-wrong-container_of-arguments.patch b/queue-3.10/gpio-tps65912-fix-wrong-container_of-arguments.patch new file mode 100644 index 00000000000..f3d302cefe7 --- /dev/null +++ b/queue-3.10/gpio-tps65912-fix-wrong-container_of-arguments.patch @@ -0,0 +1,67 @@ +From 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 Mon Sep 17 00:00:00 2001 +From: Nicolas Saenz Julienne +Date: Thu, 19 Feb 2015 01:52:25 +0000 +Subject: gpio: tps65912: fix wrong container_of arguments + +From: Nicolas Saenz Julienne + +commit 2f97c20e5f7c3582c7310f65a04465bfb0fd0e85 upstream. + +The gpio_chip operations receive a pointer the gpio_chip struct which is +contained in the driver's private struct, yet the container_of call in those +functions point to the mfd struct defined in include/linux/mfd/tps65912.h. + +Signed-off-by: Nicolas Saenz Julienne +Signed-off-by: Linus Walleij +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpio/gpio-tps65912.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/gpio/gpio-tps65912.c ++++ b/drivers/gpio/gpio-tps65912.c +@@ -26,9 +26,12 @@ struct tps65912_gpio_data { + struct gpio_chip gpio_chip; + }; + ++#define to_tgd(gc) container_of(gc, struct tps65912_gpio_data, gpio_chip) ++ + static int tps65912_gpio_get(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + int val; + + val = tps65912_reg_read(tps65912, TPS65912_GPIO1 + offset); +@@ -42,7 +45,8 @@ static int tps65912_gpio_get(struct gpio + static void tps65912_gpio_set(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + if (value) + tps65912_set_bits(tps65912, TPS65912_GPIO1 + offset, +@@ -55,7 +59,8 @@ static void tps65912_gpio_set(struct gpi + static int tps65912_gpio_output(struct gpio_chip *gc, unsigned offset, + int value) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + /* Set the initial value */ + tps65912_gpio_set(gc, offset, value); +@@ -66,7 +71,8 @@ static int tps65912_gpio_output(struct g + + static int tps65912_gpio_input(struct gpio_chip *gc, unsigned offset) + { +- struct tps65912 *tps65912 = container_of(gc, struct tps65912, gpio); ++ struct tps65912_gpio_data *tps65912_gpio = to_tgd(gc); ++ struct tps65912 *tps65912 = tps65912_gpio->tps65912; + + return tps65912_clear_bits(tps65912, TPS65912_GPIO1 + offset, + GPIO_CFG_MASK); diff --git a/queue-3.10/jffs2-fix-handling-of-corrupted-summary-length.patch b/queue-3.10/jffs2-fix-handling-of-corrupted-summary-length.patch new file mode 100644 index 00000000000..2412f6d05ce --- /dev/null +++ b/queue-3.10/jffs2-fix-handling-of-corrupted-summary-length.patch @@ -0,0 +1,76 @@ +From 164c24063a3eadee11b46575c5482b2f1417be49 Mon Sep 17 00:00:00 2001 +From: Chen Jie +Date: Tue, 10 Feb 2015 12:49:48 -0800 +Subject: jffs2: fix handling of corrupted summary length + +From: Chen Jie + +commit 164c24063a3eadee11b46575c5482b2f1417be49 upstream. + +sm->offset maybe wrong but magic maybe right, the offset do not have CRC. + +Badness at c00c7580 [verbose debug info unavailable] +NIP: c00c7580 LR: c00c718c CTR: 00000014 +REGS: df07bb40 TRAP: 0700 Not tainted (2.6.34.13-WR4.3.0.0_standard) +MSR: 00029000 CR: 22084f84 XER: 00000000 +TASK = df84d6e0[908] 'mount' THREAD: df07a000 +GPR00: 00000001 df07bbf0 df84d6e0 00000000 00000001 00000000 df07bb58 00000041 +GPR08: 00000041 c0638860 00000000 00000010 22084f88 100636c8 df814ff8 00000000 +GPR16: df84d6e0 dfa558cc c05adb90 00000048 c0452d30 00000000 000240d0 000040d0 +GPR24: 00000014 c05ae734 c05be2e0 00000000 00000001 00000000 00000000 c05ae730 +NIP [c00c7580] __alloc_pages_nodemask+0x4d0/0x638 +LR [c00c718c] __alloc_pages_nodemask+0xdc/0x638 +Call Trace: +[df07bbf0] [c00c718c] __alloc_pages_nodemask+0xdc/0x638 (unreliable) +[df07bc90] [c00c7708] __get_free_pages+0x20/0x48 +[df07bca0] [c00f4a40] __kmalloc+0x15c/0x1ec +[df07bcd0] [c01fc880] jffs2_scan_medium+0xa58/0x14d0 +[df07bd70] [c01ff38c] jffs2_do_mount_fs+0x1f4/0x6b4 +[df07bdb0] [c020144c] jffs2_do_fill_super+0xa8/0x260 +[df07bdd0] [c020230c] jffs2_fill_super+0x104/0x184 +[df07be00] [c0335814] get_sb_mtd_aux+0x9c/0xec +[df07be20] [c033596c] get_sb_mtd+0x84/0x1e8 +[df07be60] [c0201ed0] jffs2_get_sb+0x1c/0x2c +[df07be70] [c0103898] vfs_kern_mount+0x78/0x1e8 +[df07bea0] [c0103a58] do_kern_mount+0x40/0x100 +[df07bec0] [c011fe90] do_mount+0x240/0x890 +[df07bf10] [c0120570] sys_mount+0x90/0xd8 +[df07bf40] [c00110d8] ret_from_syscall+0x0/0x4 + +=== Exception: c01 at 0xff61a34 + LR = 0x100135f0 +Instruction dump: +38800005 38600000 48010f41 4bfffe1c 4bfc2d15 4bfffe8c 72e90200 4082fc28 +3d20c064 39298860 8809000d 68000001 <0f000000> 2f800000 419efc0c 38000001 +mount: mounting /dev/mtdblock3 on /common failed: Input/output error + +Signed-off-by: Chen Jie +Signed-off-by: Andrew Morton +Signed-off-by: David Woodhouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jffs2/scan.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/jffs2/scan.c ++++ b/fs/jffs2/scan.c +@@ -510,6 +510,10 @@ static int jffs2_scan_eraseblock (struct + sumlen = c->sector_size - je32_to_cpu(sm->offset); + sumptr = buf + buf_size - sumlen; + ++ /* sm->offset maybe wrong but MAGIC maybe right */ ++ if (sumlen > c->sector_size) ++ goto full_scan; ++ + /* Now, make sure the summary itself is available */ + if (sumlen > buf_size) { + /* Need to kmalloc for this. */ +@@ -544,6 +548,7 @@ static int jffs2_scan_eraseblock (struct + } + } + ++full_scan: + buf_ofs = jeb->offset; + + if (!buf_size) { diff --git a/queue-3.10/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch b/queue-3.10/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch new file mode 100644 index 00000000000..115c774d642 --- /dev/null +++ b/queue-3.10/md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch @@ -0,0 +1,63 @@ +From d1901ef099c38afd11add4cfb3312c02ef21ec4a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= +Date: Mon, 23 Feb 2015 11:00:38 +1100 +Subject: md/raid1: fix read balance when a drive is write-mostly. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Tom=C3=A1=C5=A1=20Hodek?= + +commit d1901ef099c38afd11add4cfb3312c02ef21ec4a upstream. + +When a drive is marked write-mostly it should only be the +target of reads if there is no other option. + +This behaviour was broken by + +commit 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc + md/raid1: read balance chooses idlest disk for SSD + +which causes a write-mostly device to be *preferred* is some cases. + +Restore correct behaviour by checking and setting +best_dist_disk and best_pending_disk rather than best_disk. + +We only need to test one of these as they are both changed +from -1 or >=0 at the same time. + +As we leave min_pending and best_dist unchanged, any non-write-mostly +device will appear better than the write-mostly device. + +Reported-by: Tomáš Hodek +Reported-by: Dark Penguin +Signed-off-by: NeilBrown +Link: http://marc.info/?l=linux-raid&m=135982797322422 +Fixes: 9dedf60313fa4dddfd5b9b226a0ef12a512bf9dc +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -557,7 +557,7 @@ static int read_balance(struct r1conf *c + if (test_bit(WriteMostly, &rdev->flags)) { + /* Don't balance among write-mostly, just + * use the first as a last resort */ +- if (best_disk < 0) { ++ if (best_dist_disk < 0) { + if (is_badblock(rdev, this_sector, sectors, + &first_bad, &bad_sectors)) { + if (first_bad < this_sector) +@@ -566,7 +566,8 @@ static int read_balance(struct r1conf *c + best_good_sectors = first_bad - this_sector; + } else + best_good_sectors = sectors; +- best_disk = disk; ++ best_dist_disk = disk; ++ best_pending_disk = disk; + } + continue; + } diff --git a/queue-3.10/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch b/queue-3.10/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch new file mode 100644 index 00000000000..3fa6b145fe7 --- /dev/null +++ b/queue-3.10/md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch @@ -0,0 +1,44 @@ +From 26ac107378c4742978216be1005b7291b799c7b2 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 18 Feb 2015 11:35:14 +1100 +Subject: md/raid5: Fix livelock when array is both resyncing and degraded. + +From: NeilBrown + +commit 26ac107378c4742978216be1005b7291b799c7b2 upstream. + +Commit a7854487cd7128a30a7f4f5259de9f67d5efb95f: + md: When RAID5 is dirty, force reconstruct-write instead of read-modify-write. + +Causes an RCW cycle to be forced even when the array is degraded. +A degraded array cannot support RCW as that requires reading all data +blocks, and one may be missing. + +Forcing an RCW when it is not possible causes a live-lock and the code +spins, repeatedly deciding to do something that cannot succeed. + +So change the condition to only force RCW on non-degraded arrays. + +Reported-by: Manibalan P +Bisected-by: Jes Sorensen +Tested-by: Jes Sorensen +Signed-off-by: NeilBrown +Fixes: a7854487cd7128a30a7f4f5259de9f67d5efb95f +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -2853,7 +2853,8 @@ static void handle_stripe_dirtying(struc + * generate correct data from the parity. + */ + if (conf->max_degraded == 2 || +- (recovery_cp < MaxSector && sh->sector >= recovery_cp)) { ++ (recovery_cp < MaxSector && sh->sector >= recovery_cp && ++ s->failed == 0)) { + /* Calculate the real rcw later - for now make it + * look like rcw is cheaper + */ diff --git a/queue-3.10/metag-fix-kstk_eip-and-kstk_esp-macros.patch b/queue-3.10/metag-fix-kstk_eip-and-kstk_esp-macros.patch new file mode 100644 index 00000000000..4cf590f86cc --- /dev/null +++ b/queue-3.10/metag-fix-kstk_eip-and-kstk_esp-macros.patch @@ -0,0 +1,75 @@ +From c2996cb29bfb73927a79dc96e598a718e843f01a Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Tue, 24 Feb 2015 12:25:25 +0000 +Subject: metag: Fix KSTK_EIP() and KSTK_ESP() macros + +From: James Hogan + +commit c2996cb29bfb73927a79dc96e598a718e843f01a upstream. + +The KSTK_EIP() and KSTK_ESP() macros should return the user program +counter (PC) and stack pointer (A0StP) of the given task. These are used +to determine which VMA corresponds to the user stack in +/proc//maps, and for the user PC & A0StP in /proc//stat. + +However for Meta the PC & A0StP from the task's kernel context are used, +resulting in broken output. For example in following /proc//maps +output, the 3afff000-3b021000 VMA should be described as the stack: + + # cat /proc/self/maps + ... + 100b0000-100b1000 rwxp 00000000 00:00 0 [heap] + 3afff000-3b021000 rwxp 00000000 00:00 0 + +And in the following /proc//stat output, the PC is in kernel code +(1074234964 = 0x40078654) and the A0StP is in the kernel heap +(1335981392 = 0x4fa17550): + + # cat /proc/self/stat + 51 (cat) R ... 1335981392 1074234964 ... + +Fix the definitions of KSTK_EIP() and KSTK_ESP() to use +task_pt_regs(tsk)->ctx rather than (tsk)->thread.kernel_context. This +gets the registers from the user context stored after the thread info at +the base of the kernel stack, which is from the last entry into the +kernel from userland, regardless of where in the kernel the task may +have been interrupted, which results in the following more correct +/proc//maps output: + + # cat /proc/self/maps + ... + 0800b000-08070000 r-xp 00000000 00:02 207 /lib/libuClibc-0.9.34-git.so + ... + 100b0000-100b1000 rwxp 00000000 00:00 0 [heap] + 3afff000-3b021000 rwxp 00000000 00:00 0 [stack] + +And /proc//stat now correctly reports the PC in libuClibc +(134320308 = 0x80190b4) and the A0StP in the [stack] region (989864576 = +0x3b002280): + + # cat /proc/self/stat + 51 (cat) R ... 989864576 134320308 ... + +Reported-by: Alexey Brodkin +Reported-by: Vineet Gupta +Signed-off-by: James Hogan +Cc: linux-metag@vger.kernel.org +Signed-off-by: Greg Kroah-Hartman + +--- + arch/metag/include/asm/processor.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/metag/include/asm/processor.h ++++ b/arch/metag/include/asm/processor.h +@@ -149,8 +149,8 @@ extern void exit_thread(void); + + unsigned long get_wchan(struct task_struct *p); + +-#define KSTK_EIP(tsk) ((tsk)->thread.kernel_context->CurrPC) +-#define KSTK_ESP(tsk) ((tsk)->thread.kernel_context->AX[0].U0) ++#define KSTK_EIP(tsk) (task_pt_regs(tsk)->ctx.CurrPC) ++#define KSTK_ESP(tsk) (task_pt_regs(tsk)->ctx.AX[0].U0) + + #define user_stack_pointer(regs) ((regs)->ctx.AX[0].U0) + diff --git a/queue-3.10/series b/queue-3.10/series index c081b771de2..47b12b03bd1 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -44,3 +44,10 @@ kvm-mips-don-t-leak-fpu-dsp-to-guest.patch kvm-x86-update-masterclock-values-on-tsc-writes.patch hx4700-regulator-declare-full-constraints.patch arm64-compat-fix-siginfo_t-compat_siginfo_t-conversion-on-big-endian.patch +gpio-tps65912-fix-wrong-container_of-arguments.patch +metag-fix-kstk_eip-and-kstk_esp-macros.patch +md-raid5-fix-livelock-when-array-is-both-resyncing-and-degraded.patch +md-raid1-fix-read-balance-when-a-drive-is-write-mostly.patch +jffs2-fix-handling-of-corrupted-summary-length.patch +blk-throttle-check-stats_cpu-before-reading-it-from-sysfs.patch +x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch diff --git a/queue-3.10/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch b/queue-3.10/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch new file mode 100644 index 00000000000..bda68d9c75c --- /dev/null +++ b/queue-3.10/x86-mm-aslr-fix-stack-randomization-on-64-bit-systems.patch @@ -0,0 +1,110 @@ +From 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 Mon Sep 17 00:00:00 2001 +From: Hector Marco-Gisbert +Date: Sat, 14 Feb 2015 09:33:50 -0800 +Subject: x86, mm/ASLR: Fix stack randomization on 64-bit systems + +From: Hector Marco-Gisbert + +commit 4e7c22d447bb6d7e37bfe39ff658486ae78e8d77 upstream. + +The issue is that the stack for processes is not properly randomized on +64 bit architectures due to an integer overflow. + +The affected function is randomize_stack_top() in file +"fs/binfmt_elf.c": + + static unsigned long randomize_stack_top(unsigned long stack_top) + { + unsigned int random_variable = 0; + + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { + random_variable = get_random_int() & STACK_RND_MASK; + random_variable <<= PAGE_SHIFT; + } + return PAGE_ALIGN(stack_top) + random_variable; + return PAGE_ALIGN(stack_top) - random_variable; + } + +Note that, it declares the "random_variable" variable as "unsigned int". +Since the result of the shifting operation between STACK_RND_MASK (which +is 0x3fffff on x86_64, 22 bits) and PAGE_SHIFT (which is 12 on x86_64): + + random_variable <<= PAGE_SHIFT; + +then the two leftmost bits are dropped when storing the result in the +"random_variable". This variable shall be at least 34 bits long to hold +the (22+12) result. + +These two dropped bits have an impact on the entropy of process stack. +Concretely, the total stack entropy is reduced by four: from 2^28 to +2^30 (One fourth of expected entropy). + +This patch restores back the entropy by correcting the types involved +in the operations in the functions randomize_stack_top() and +stack_maxrandom_size(). + +The successful fix can be tested with: + + $ for i in `seq 1 10`; do cat /proc/self/maps | grep stack; done + 7ffeda566000-7ffeda587000 rw-p 00000000 00:00 0 [stack] + 7fff5a332000-7fff5a353000 rw-p 00000000 00:00 0 [stack] + 7ffcdb7a1000-7ffcdb7c2000 rw-p 00000000 00:00 0 [stack] + 7ffd5e2c4000-7ffd5e2e5000 rw-p 00000000 00:00 0 [stack] + ... + +Once corrected, the leading bytes should be between 7ffc and 7fff, +rather than always being 7fff. + +Signed-off-by: Hector Marco-Gisbert +Signed-off-by: Ismael Ripoll +[ Rebased, fixed 80 char bugs, cleaned up commit message, added test example and CVE ] +Signed-off-by: Kees Cook +Cc: Linus Torvalds +Cc: Andrew Morton +Cc: Al Viro +Fixes: CVE-2015-1593 +Link: http://lkml.kernel.org/r/20150214173350.GA18393@www.outflux.net +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/mmap.c | 6 +++--- + fs/binfmt_elf.c | 5 +++-- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/arch/x86/mm/mmap.c ++++ b/arch/x86/mm/mmap.c +@@ -35,12 +35,12 @@ struct __read_mostly va_alignment va_ali + .flags = -1, + }; + +-static unsigned int stack_maxrandom_size(void) ++static unsigned long stack_maxrandom_size(void) + { +- unsigned int max = 0; ++ unsigned long max = 0; + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- max = ((-1U) & STACK_RND_MASK) << PAGE_SHIFT; ++ max = ((-1UL) & STACK_RND_MASK) << PAGE_SHIFT; + } + + return max; +--- a/fs/binfmt_elf.c ++++ b/fs/binfmt_elf.c +@@ -552,11 +552,12 @@ out: + + static unsigned long randomize_stack_top(unsigned long stack_top) + { +- unsigned int random_variable = 0; ++ unsigned long random_variable = 0; + + if ((current->flags & PF_RANDOMIZE) && + !(current->personality & ADDR_NO_RANDOMIZE)) { +- random_variable = get_random_int() & STACK_RND_MASK; ++ random_variable = (unsigned long) get_random_int(); ++ random_variable &= STACK_RND_MASK; + random_variable <<= PAGE_SHIFT; + } + #ifdef CONFIG_STACK_GROWSUP