From: Sasha Levin Date: Thu, 27 Feb 2020 03:38:57 +0000 (-0500) Subject: fixes for 4.14 X-Git-Tag: v4.4.215~49 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e769bb6e0aa4d1db74fd4212828b2b0fba687c8c;p=thirdparty%2Fkernel%2Fstable-queue.git fixes for 4.14 Signed-off-by: Sasha Levin --- diff --git a/queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch b/queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch new file mode 100644 index 00000000000..1bc7b7f0b41 --- /dev/null +++ b/queue-4.14/kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch @@ -0,0 +1,38 @@ +From d788db432b2cf3fc5703b47465260ae29a14823f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 4 Feb 2020 15:26:29 -0800 +Subject: KVM: nVMX: Don't emulate instructions in guest mode + +From: Paolo Bonzini + +[ Upstream commit 07721feee46b4b248402133228235318199b05ec ] + +vmx_check_intercept is not yet fully implemented. To avoid emulating +instructions disallowed by the L1 hypervisor, refuse to emulate +instructions by default. + +Cc: stable@vger.kernel.org +[Made commit, added commit msg - Oliver] +Signed-off-by: Oliver Upton +Signed-off-by: Paolo Bonzini +Signed-off-by: Sasha Levin +--- + arch/x86/kvm/vmx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/vmx.c b/arch/x86/kvm/vmx.c +index a116548a4ade1..fc00fbffcd7fc 100644 +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -12325,7 +12325,7 @@ static int vmx_check_intercept(struct kvm_vcpu *vcpu, + struct x86_instruction_info *info, + enum x86_intercept_stage stage) + { +- return X86EMUL_CONTINUE; ++ return X86EMUL_UNHANDLEABLE; + } + + #ifdef CONFIG_X86_64 +-- +2.20.1 + diff --git a/queue-4.14/lib-stackdepot-fix-outdated-comments.patch b/queue-4.14/lib-stackdepot-fix-outdated-comments.patch new file mode 100644 index 00000000000..560087fa7ff --- /dev/null +++ b/queue-4.14/lib-stackdepot-fix-outdated-comments.patch @@ -0,0 +1,47 @@ +From 6c62f4f91e1c58c72add0647e08d3420391ba8b8 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 15 Aug 2019 19:32:46 +0800 +Subject: lib/stackdepot: Fix outdated comments + +From: Miles Chen + +[ Upstream commit ee050dc83bc326ad5ef8ee93bca344819371e7a5 ] + +Replace "depot_save_stack" with "stack_depot_save" in code comments because +depot_save_stack() was replaced in commit c0cfc337264c ("lib/stackdepot: +Provide functions which operate on plain storage arrays") and removed in +commit 56d8f079c51a ("lib/stackdepot: Remove obsolete functions") + +Signed-off-by: Miles Chen +Signed-off-by: Thomas Gleixner +Link: https://lkml.kernel.org/r/20190815113246.18478-1-miles.chen@mediatek.com +Signed-off-by: Sasha Levin +--- + lib/stackdepot.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/lib/stackdepot.c b/lib/stackdepot.c +index f87d138e96724..1724cb0d6283f 100644 +--- a/lib/stackdepot.c ++++ b/lib/stackdepot.c +@@ -96,7 +96,7 @@ static bool init_stack_slab(void **prealloc) + stack_slabs[depot_index + 1] = *prealloc; + /* + * This smp_store_release pairs with smp_load_acquire() from +- * |next_slab_inited| above and in depot_save_stack(). ++ * |next_slab_inited| above and in stack_depot_save(). + */ + smp_store_release(&next_slab_inited, 1); + } +@@ -123,7 +123,7 @@ static struct stack_record *depot_alloc_stack(unsigned long *entries, int size, + depot_offset = 0; + /* + * smp_store_release() here pairs with smp_load_acquire() from +- * |next_slab_inited| in depot_save_stack() and ++ * |next_slab_inited| in stack_depot_save() and + * init_stack_slab(). + */ + if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) +-- +2.20.1 + diff --git a/queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch b/queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch new file mode 100644 index 00000000000..8970d4060d9 --- /dev/null +++ b/queue-4.14/lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch @@ -0,0 +1,62 @@ +From 7f151b9e5786194ee9e38b9456d72d09ec9da481 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 20 Feb 2020 20:04:30 -0800 +Subject: lib/stackdepot.c: fix global out-of-bounds in stack_slabs + +From: Alexander Potapenko + +[ Upstream commit 305e519ce48e935702c32241f07d393c3c8fed3e ] + +Walter Wu has reported a potential case in which init_stack_slab() is +called after stack_slabs[STACK_ALLOC_MAX_SLABS - 1] has already been +initialized. In that case init_stack_slab() will overwrite +stack_slabs[STACK_ALLOC_MAX_SLABS], which may result in a memory +corruption. + +Link: http://lkml.kernel.org/r/20200218102950.260263-1-glider@google.com +Fixes: cd11016e5f521 ("mm, kasan: stackdepot implementation. Enable stackdepot for SLAB") +Signed-off-by: Alexander Potapenko +Reported-by: Walter Wu +Cc: Dmitry Vyukov +Cc: Matthias Brugger +Cc: Thomas Gleixner +Cc: Josh Poimboeuf +Cc: Kate Stewart +Cc: Greg Kroah-Hartman +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Sasha Levin +--- + lib/stackdepot.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/lib/stackdepot.c b/lib/stackdepot.c +index 1724cb0d6283f..54fe55b6bbc0a 100644 +--- a/lib/stackdepot.c ++++ b/lib/stackdepot.c +@@ -92,15 +92,19 @@ static bool init_stack_slab(void **prealloc) + return true; + if (stack_slabs[depot_index] == NULL) { + stack_slabs[depot_index] = *prealloc; ++ *prealloc = NULL; + } else { +- stack_slabs[depot_index + 1] = *prealloc; ++ /* If this is the last depot slab, do not touch the next one. */ ++ if (depot_index + 1 < STACK_ALLOC_MAX_SLABS) { ++ stack_slabs[depot_index + 1] = *prealloc; ++ *prealloc = NULL; ++ } + /* + * This smp_store_release pairs with smp_load_acquire() from + * |next_slab_inited| above and in stack_depot_save(). + */ + smp_store_release(&next_slab_inited, 1); + } +- *prealloc = NULL; + return true; + } + +-- +2.20.1 + diff --git a/queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch b/queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch new file mode 100644 index 00000000000..f9b8bc330d2 --- /dev/null +++ b/queue-4.14/powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch @@ -0,0 +1,291 @@ +From 9f33a8fbc669687b55903f534985b8067da7e724 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2020 00:38:29 -0300 +Subject: powerpc/tm: Fix clearing MSR[TS] in current when reclaiming on signal + delivery + +From: Gustavo Luiz Duarte + +[ Upstream commit 2464cc4c345699adea52c7aef75707207cb8a2f6 ] + +After a treclaim, we expect to be in non-transactional state. If we +don't clear the current thread's MSR[TS] before we get preempted, then +tm_recheckpoint_new_task() will recheckpoint and we get rescheduled in +suspended transaction state. + +When handling a signal caught in transactional state, +handle_rt_signal64() calls get_tm_stackpointer() that treclaims the +transaction using tm_reclaim_current() but without clearing the +thread's MSR[TS]. This can cause the TM Bad Thing exception below if +later we pagefault and get preempted trying to access the user's +sigframe, using __put_user(). Afterwards, when we are rescheduled back +into do_page_fault() (but now in suspended state since the thread's +MSR[TS] was not cleared), upon executing 'rfid' after completion of +the page fault handling, the exception is raised because a transition +from suspended to non-transactional state is invalid. + + Unexpected TM Bad Thing exception at c00000000000de44 (msr 0x8000000302a03031) tm_scratch=800000010280b033 + Oops: Unrecoverable exception, sig: 6 [#1] + LE PAGE_SIZE=64K MMU=Hash SMP NR_CPUS=2048 NUMA pSeries + CPU: 25 PID: 15547 Comm: a.out Not tainted 5.4.0-rc2 #32 + NIP: c00000000000de44 LR: c000000000034728 CTR: 0000000000000000 + REGS: c00000003fe7bd70 TRAP: 0700 Not tainted (5.4.0-rc2) + MSR: 8000000302a03031 CR: 44000884 XER: 00000000 + CFAR: c00000000000dda4 IRQMASK: 0 + PACATMSCRATCH: 800000010280b033 + GPR00: c000000000034728 c000000f65a17c80 c000000001662800 00007fffacf3fd78 + GPR04: 0000000000001000 0000000000001000 0000000000000000 c000000f611f8af0 + GPR08: 0000000000000000 0000000078006001 0000000000000000 000c000000000000 + GPR12: c000000f611f84b0 c00000003ffcb200 0000000000000000 0000000000000000 + GPR16: 0000000000000000 0000000000000000 0000000000000000 0000000000000000 + GPR20: 0000000000000000 0000000000000000 0000000000000000 c000000f611f8140 + GPR24: 0000000000000000 00007fffacf3fd68 c000000f65a17d90 c000000f611f7800 + GPR28: c000000f65a17e90 c000000f65a17e90 c000000001685e18 00007fffacf3f000 + NIP [c00000000000de44] fast_exception_return+0xf4/0x1b0 + LR [c000000000034728] handle_rt_signal64+0x78/0xc50 + Call Trace: + [c000000f65a17c80] [c000000000034710] handle_rt_signal64+0x60/0xc50 (unreliable) + [c000000f65a17d30] [c000000000023640] do_notify_resume+0x330/0x460 + [c000000f65a17e20] [c00000000000dcc4] ret_from_except_lite+0x70/0x74 + Instruction dump: + 7c4ff120 e8410170 7c5a03a6 38400000 f8410060 e8010070 e8410080 e8610088 + 60000000 60000000 e8810090 e8210078 <4c000024> 48000000 e8610178 88ed0989 + ---[ end trace 93094aa44b442f87 ]--- + +The simplified sequence of events that triggers the above exception is: + + ... # userspace in NON-TRANSACTIONAL state + tbegin # userspace in TRANSACTIONAL state + signal delivery # kernelspace in SUSPENDED state + handle_rt_signal64() + get_tm_stackpointer() + treclaim # kernelspace in NON-TRANSACTIONAL state + __put_user() + page fault happens. We will never get back here because of the TM Bad Thing exception. + + page fault handling kicks in and we voluntarily preempt ourselves + do_page_fault() + __schedule() + __switch_to(other_task) + + our task is rescheduled and we recheckpoint because the thread's MSR[TS] was not cleared + __switch_to(our_task) + switch_to_tm() + tm_recheckpoint_new_task() + trechkpt # kernelspace in SUSPENDED state + + The page fault handling resumes, but now we are in suspended transaction state + do_page_fault() completes + rfid <----- trying to get back where the page fault happened (we were non-transactional back then) + TM Bad Thing # illegal transition from suspended to non-transactional + +This patch fixes that issue by clearing the current thread's MSR[TS] +just after treclaim in get_tm_stackpointer() so that we stay in +non-transactional state in case we are preempted. In order to make +treclaim and clearing the thread's MSR[TS] atomic from a preemption +perspective when CONFIG_PREEMPT is set, preempt_disable/enable() is +used. It's also necessary to save the previous value of the thread's +MSR before get_tm_stackpointer() is called so that it can be exposed +to the signal handler later in setup_tm_sigcontexts() to inform the +userspace MSR at the moment of the signal delivery. + +Found with tm-signal-context-force-tm kernel selftest. + +Fixes: 2b0a576d15e0 ("powerpc: Add new transactional memory state to the signal context") +Cc: stable@vger.kernel.org # v3.9 +Signed-off-by: Gustavo Luiz Duarte +Acked-by: Michael Neuling +Signed-off-by: Michael Ellerman +Link: https://lore.kernel.org/r/20200211033831.11165-1-gustavold@linux.ibm.com +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/signal.c | 17 +++++++++++++++-- + arch/powerpc/kernel/signal_32.c | 28 ++++++++++++++-------------- + arch/powerpc/kernel/signal_64.c | 22 ++++++++++------------ + 3 files changed, 39 insertions(+), 28 deletions(-) + +diff --git a/arch/powerpc/kernel/signal.c b/arch/powerpc/kernel/signal.c +index 3d7539b90010c..4cb92022315a4 100644 +--- a/arch/powerpc/kernel/signal.c ++++ b/arch/powerpc/kernel/signal.c +@@ -193,14 +193,27 @@ unsigned long get_tm_stackpointer(struct task_struct *tsk) + * normal/non-checkpointed stack pointer. + */ + ++ unsigned long ret = tsk->thread.regs->gpr[1]; ++ + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + BUG_ON(tsk != current); + + if (MSR_TM_ACTIVE(tsk->thread.regs->msr)) { ++ preempt_disable(); + tm_reclaim_current(TM_CAUSE_SIGNAL); + if (MSR_TM_TRANSACTIONAL(tsk->thread.regs->msr)) +- return tsk->thread.ckpt_regs.gpr[1]; ++ ret = tsk->thread.ckpt_regs.gpr[1]; ++ ++ /* ++ * If we treclaim, we must clear the current thread's TM bits ++ * before re-enabling preemption. Otherwise we might be ++ * preempted and have the live MSR[TS] changed behind our back ++ * (tm_recheckpoint_new_task() would recheckpoint). Besides, we ++ * enter the signal handler in non-transactional state. ++ */ ++ tsk->thread.regs->msr &= ~MSR_TS_MASK; ++ preempt_enable(); + } + #endif +- return tsk->thread.regs->gpr[1]; ++ return ret; + } +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index 7157cb6951512..123299fbb33e4 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -515,19 +515,11 @@ static int save_user_regs(struct pt_regs *regs, struct mcontext __user *frame, + */ + static int save_tm_user_regs(struct pt_regs *regs, + struct mcontext __user *frame, +- struct mcontext __user *tm_frame, int sigret) ++ struct mcontext __user *tm_frame, int sigret, ++ unsigned long msr) + { +- unsigned long msr = regs->msr; +- + WARN_ON(tm_suspend_disabled); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + /* Save both sets of general registers */ + if (save_general_regs(¤t->thread.ckpt_regs, frame) + || save_general_regs(regs, tm_frame)) +@@ -1004,6 +996,10 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -1036,13 +1032,13 @@ int handle_rt_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_frame = &rt_sf->uc_transact.uc_mcontext; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (__put_user((unsigned long)&rt_sf->uc_transact, + &rt_sf->uc.uc_link) || + __put_user((unsigned long)tm_frame, + &rt_sf->uc_transact.uc_regs)) + goto badframe; +- if (save_tm_user_regs(regs, frame, tm_frame, sigret)) ++ if (save_tm_user_regs(regs, frame, tm_frame, sigret, msr)) + goto badframe; + } + else +@@ -1449,6 +1445,10 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + int sigret; + unsigned long tramp; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -1482,9 +1482,9 @@ int handle_signal32(struct ksignal *ksig, sigset_t *oldset, + + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM + tm_mctx = &frame->mctx_transact; +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + if (save_tm_user_regs(regs, &frame->mctx, &frame->mctx_transact, +- sigret)) ++ sigret, msr)) + goto badframe; + } + else +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index b203c16d46d4e..71785574aeafb 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -192,7 +192,8 @@ static long setup_sigcontext(struct sigcontext __user *sc, + static long setup_tm_sigcontexts(struct sigcontext __user *sc, + struct sigcontext __user *tm_sc, + struct task_struct *tsk, +- int signr, sigset_t *set, unsigned long handler) ++ int signr, sigset_t *set, unsigned long handler, ++ unsigned long msr) + { + /* When CONFIG_ALTIVEC is set, we _always_ setup v_regs even if the + * process never used altivec yet (MSR_VEC is zero in pt_regs of +@@ -207,12 +208,11 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc); + #endif + struct pt_regs *regs = tsk->thread.regs; +- unsigned long msr = tsk->thread.regs->msr; + long err = 0; + + BUG_ON(tsk != current); + +- BUG_ON(!MSR_TM_ACTIVE(regs->msr)); ++ BUG_ON(!MSR_TM_ACTIVE(msr)); + + WARN_ON(tm_suspend_disabled); + +@@ -222,13 +222,6 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + */ + msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX); + +- /* Remove TM bits from thread's MSR. The MSR in the sigcontext +- * just indicates to userland that we were doing a transaction, but we +- * don't want to return in transactional state. This also ensures +- * that flush_fp_to_thread won't set TIF_RESTORE_TM again. +- */ +- regs->msr &= ~MSR_TS_MASK; +- + #ifdef CONFIG_ALTIVEC + err |= __put_user(v_regs, &sc->v_regs); + err |= __put_user(tm_v_regs, &tm_sc->v_regs); +@@ -805,6 +798,10 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + unsigned long newsp = 0; + long err = 0; + struct pt_regs *regs = tsk->thread.regs; ++#ifdef CONFIG_PPC_TRANSACTIONAL_MEM ++ /* Save the thread's msr before get_tm_stackpointer() changes it */ ++ unsigned long msr = regs->msr; ++#endif + + BUG_ON(tsk != current); + +@@ -822,7 +819,7 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= __put_user(0, &frame->uc.uc_flags); + err |= __save_altstack(&frame->uc.uc_stack, regs->gpr[1]); + #ifdef CONFIG_PPC_TRANSACTIONAL_MEM +- if (MSR_TM_ACTIVE(regs->msr)) { ++ if (MSR_TM_ACTIVE(msr)) { + /* The ucontext_t passed to userland points to the second + * ucontext_t (for transactional state) with its uc_link ptr. + */ +@@ -830,7 +827,8 @@ int handle_rt_signal64(struct ksignal *ksig, sigset_t *set, + err |= setup_tm_sigcontexts(&frame->uc.uc_mcontext, + &frame->uc_transact.uc_mcontext, + tsk, ksig->sig, NULL, +- (unsigned long)ksig->ka.sa.sa_handler); ++ (unsigned long)ksig->ka.sa.sa_handler, ++ msr); + } else + #endif + { +-- +2.20.1 + diff --git a/queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch b/queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch new file mode 100644 index 00000000000..7d0ba41eca0 --- /dev/null +++ b/queue-4.14/powerpc-tm-fix-endianness-flip-on-trap.patch @@ -0,0 +1,85 @@ +From a2de7ca4bc5e14efcb3b03f9cb0b02c3da0b8714 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Sun, 31 Dec 2017 18:20:45 -0500 +Subject: powerpc/tm: Fix endianness flip on trap + +From: Gustavo Romero + +[ Upstream commit 1c200e63d055ec0125e44a5e386b9b78aada7eb3 ] + +Currently it's possible that a thread on PPC64 LE has its endianness +flipped inadvertently to Big-Endian resulting in a crash once the process +is back from the signal handler. + +If giveup_all() is called when regs->msr has the bits MSR.FP and MSR.VEC +disabled (and hence MSR.VSX disabled too) it returns without calling +check_if_tm_restore_required() which copies regs->msr to ckpt_regs->msr if +the process caught a signal whilst in transactional mode. Then once in +setup_tm_sigcontexts() MSR from ckpt_regs.msr is used, but since +check_if_tm_restore_required() was not called previuosly, gp_regs[PT_MSR] +gets a copy of invalid MSR bits as MSR in ckpt_regs was not updated from +regs->msr and so is zeroed. Later when leaving the signal handler once in +sys_rt_sigreturn() the TS bits of gp_regs[PT_MSR] are checked to determine +if restore_tm_sigcontexts() must be called to pull in the correct MSR state +into the user context. Because TS bits are zeroed +restore_tm_sigcontexts() is never called and MSR restored from the user +context on returning from the signal handler has the MSR.LE (the endianness +bit) forced to zero (Big-Endian). That leads, for instance, to 'nop' being +treated as an illegal instruction in the following sequence: + + tbegin. + beq 1f + trap + tend. +1: nop + +on PPC64 LE machines and the process dies just after returning from the +signal handler. + +PPC64 BE is also affected but in a subtle way since forcing Big-Endian on +a BE machine does not change the endianness. + +This commit fixes the issue described above by ensuring that once in +setup_tm_sigcontexts() the MSR used is from regs->msr instead of from +ckpt_regs->msr and by ensuring that we pull in only the MSR.FP, MSR.VEC, +and MSR.VSX bits from ckpt_regs->msr. + +The fix was tested both on LE and BE machines and no regression regarding +the powerpc/tm selftests was observed. + +Signed-off-by: Gustavo Romero +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/signal_64.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index 2d52fed72e216..b203c16d46d4e 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -207,7 +207,7 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + elf_vrreg_t __user *tm_v_regs = sigcontext_vmx_regs(tm_sc); + #endif + struct pt_regs *regs = tsk->thread.regs; +- unsigned long msr = tsk->thread.ckpt_regs.msr; ++ unsigned long msr = tsk->thread.regs->msr; + long err = 0; + + BUG_ON(tsk != current); +@@ -216,6 +216,12 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + + WARN_ON(tm_suspend_disabled); + ++ /* Restore checkpointed FP, VEC, and VSX bits from ckpt_regs as ++ * it contains the correct FP, VEC, VSX state after we treclaimed ++ * the transaction and giveup_all() was called on reclaiming. ++ */ ++ msr |= tsk->thread.ckpt_regs.msr & (MSR_FP | MSR_VEC | MSR_VSX); ++ + /* Remove TM bits from thread's MSR. The MSR in the sigcontext + * just indicates to userland that we were doing a transaction, but we + * don't want to return in transactional state. This also ensures +-- +2.20.1 + diff --git a/queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch b/queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch new file mode 100644 index 00000000000..e31835d82d4 --- /dev/null +++ b/queue-4.14/powerpc-tm-p9-disable-transactionally-suspended-sigc.patch @@ -0,0 +1,95 @@ +From c6ba40eb93f22ca21b7099c46f5620cb717f4b5a Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 12 Oct 2017 21:17:19 +1100 +Subject: powerpc/tm: P9 disable transactionally suspended sigcontexts + +From: Michael Neuling + +[ Upstream commit 92fb8690bd04cb421d987d246deac60eef85d272 ] + +Unfortunately userspace can construct a sigcontext which enables +suspend. Thus userspace can force Linux into a path where trechkpt is +executed. + +This patch blocks this from happening on POWER9 by sanity checking +sigcontexts passed in. + +ptrace doesn't have this problem as only MSR SE and BE can be changed +via ptrace. + +This patch also adds a number of WARN_ON()s in case we ever enter +suspend when we shouldn't. This should not happen, but if it does the +symptoms are soft lockup warnings which are not obviously TM related, +so the WARN_ON()s should make it obvious what's happening. + +Signed-off-by: Michael Neuling +Signed-off-by: Cyril Bur +Signed-off-by: Michael Ellerman +Signed-off-by: Sasha Levin +--- + arch/powerpc/kernel/process.c | 2 ++ + arch/powerpc/kernel/signal_32.c | 4 ++++ + arch/powerpc/kernel/signal_64.c | 5 +++++ + 3 files changed, 11 insertions(+) + +diff --git a/arch/powerpc/kernel/process.c b/arch/powerpc/kernel/process.c +index ba0d4f9a99bac..1615d60cd55cb 100644 +--- a/arch/powerpc/kernel/process.c ++++ b/arch/powerpc/kernel/process.c +@@ -903,6 +903,8 @@ static inline void tm_reclaim_task(struct task_struct *tsk) + if (!MSR_TM_ACTIVE(thr->regs->msr)) + goto out_and_saveregs; + ++ WARN_ON(tm_suspend_disabled); ++ + TM_DEBUG("--- tm_reclaim on pid %d (NIP=%lx, " + "ccr=%lx, msr=%lx, trap=%lx)\n", + tsk->pid, thr->regs->nip, +diff --git a/arch/powerpc/kernel/signal_32.c b/arch/powerpc/kernel/signal_32.c +index a03fc3109fa55..7157cb6951512 100644 +--- a/arch/powerpc/kernel/signal_32.c ++++ b/arch/powerpc/kernel/signal_32.c +@@ -519,6 +519,8 @@ static int save_tm_user_regs(struct pt_regs *regs, + { + unsigned long msr = regs->msr; + ++ WARN_ON(tm_suspend_disabled); ++ + /* Remove TM bits from thread's MSR. The MSR in the sigcontext + * just indicates to userland that we were doing a transaction, but we + * don't want to return in transactional state. This also ensures +@@ -769,6 +771,8 @@ static long restore_tm_user_regs(struct pt_regs *regs, + int i; + #endif + ++ if (tm_suspend_disabled) ++ return 1; + /* + * restore general registers but not including MSR or SOFTE. Also + * take care of keeping r2 (TLS) intact if not a signal. +diff --git a/arch/powerpc/kernel/signal_64.c b/arch/powerpc/kernel/signal_64.c +index b75bf6e74209e..2d52fed72e216 100644 +--- a/arch/powerpc/kernel/signal_64.c ++++ b/arch/powerpc/kernel/signal_64.c +@@ -214,6 +214,8 @@ static long setup_tm_sigcontexts(struct sigcontext __user *sc, + + BUG_ON(!MSR_TM_ACTIVE(regs->msr)); + ++ WARN_ON(tm_suspend_disabled); ++ + /* Remove TM bits from thread's MSR. The MSR in the sigcontext + * just indicates to userland that we were doing a transaction, but we + * don't want to return in transactional state. This also ensures +@@ -430,6 +432,9 @@ static long restore_tm_sigcontexts(struct task_struct *tsk, + + BUG_ON(tsk != current); + ++ if (tm_suspend_disabled) ++ return -EINVAL; ++ + /* copy the GPRs */ + err |= __copy_from_user(regs->gpr, tm_sc->gp_regs, sizeof(regs->gpr)); + err |= __copy_from_user(&tsk->thread.ckpt_regs, sc->gp_regs, +-- +2.20.1 + diff --git a/queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch b/queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch new file mode 100644 index 00000000000..f960388ab39 --- /dev/null +++ b/queue-4.14/serial-8250-check-upf_irq_shared-in-advance.patch @@ -0,0 +1,126 @@ +From 3ceeacbfffe0daea049f784aa84e4f516826f86f Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 11 Feb 2020 15:55:59 +0200 +Subject: serial: 8250: Check UPF_IRQ_SHARED in advance + +From: Andy Shevchenko + +[ Upstream commit 7febbcbc48fc92e3f33863b32ed715ba4aff18c4 ] + +The commit 54e53b2e8081 + ("tty: serial: 8250: pass IRQ shared flag to UART ports") +nicely explained the problem: + +---8<---8<--- + +On some systems IRQ lines between multiple UARTs might be shared. If so, the +irqflags have to be configured accordingly. The reason is: The 8250 port startup +code performs IRQ tests *before* the IRQ handler for that particular port is +registered. This is performed in serial8250_do_startup(). This function checks +whether IRQF_SHARED is configured and only then disables the IRQ line while +testing. + +This test is performed upon each open() of the UART device. Imagine two UARTs +share the same IRQ line: On is already opened and the IRQ is active. When the +second UART is opened, the IRQ line has to be disabled while performing IRQ +tests. Otherwise an IRQ might handler might be invoked, but the IRQ itself +cannot be handled, because the corresponding handler isn't registered, +yet. That's because the 8250 code uses a chain-handler and invokes the +corresponding port's IRQ handling routines himself. + +Unfortunately this IRQF_SHARED flag isn't configured for UARTs probed via device +tree even if the IRQs are shared. This way, the actual and shared IRQ line isn't +disabled while performing tests and the kernel correctly detects a spurious +IRQ. So, adding this flag to the DT probe solves the issue. + +Note: The UPF_SHARE_IRQ flag is configured unconditionally. Therefore, the +IRQF_SHARED flag can be set unconditionally as well. + +Example stack trace by performing `echo 1 > /dev/ttyS2` on a non-patched system: + +|irq 85: nobody cared (try booting with the "irqpoll" option) +| [...] +|handlers: +|[] irq_default_primary_handler threaded [] serial8250_interrupt +|Disabling IRQ #85 + +---8<---8<--- + +But unfortunately didn't fix the root cause. Let's try again here by moving +IRQ flag assignment from serial_link_irq_chain() to serial8250_do_startup(). + +This should fix the similar issue reported for 8250_pnp case. + +Since this change we don't need to have custom solutions in 8250_aspeed_vuart +and 8250_of drivers, thus, drop them. + +Fixes: 1c2f04937b3e ("serial: 8250: add IRQ trigger support") +Reported-by: Li RongQing +Cc: Kurt Kanzenbach +Cc: Vikram Pandita +Signed-off-by: Andy Shevchenko +Cc: stable +Acked-by: Kurt Kanzenbach +Link: https://lore.kernel.org/r/20200211135559.85960-1-andriy.shevchenko@linux.intel.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/serial/8250/8250_aspeed_vuart.c | 1 - + drivers/tty/serial/8250/8250_core.c | 5 ++--- + drivers/tty/serial/8250/8250_port.c | 4 ++++ + 3 files changed, 6 insertions(+), 4 deletions(-) + +diff --git a/drivers/tty/serial/8250/8250_aspeed_vuart.c b/drivers/tty/serial/8250/8250_aspeed_vuart.c +index 33a801353114c..0a89df390f248 100644 +--- a/drivers/tty/serial/8250/8250_aspeed_vuart.c ++++ b/drivers/tty/serial/8250/8250_aspeed_vuart.c +@@ -256,7 +256,6 @@ static int aspeed_vuart_probe(struct platform_device *pdev) + port.port.line = rc; + + port.port.irq = irq_of_parse_and_map(np, 0); +- port.port.irqflags = IRQF_SHARED; + port.port.iotype = UPIO_MEM; + port.port.type = PORT_16550A; + port.port.uartclk = clk; +diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c +index c698ebab6d3bd..5017a0f46b826 100644 +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c +@@ -181,7 +181,7 @@ static int serial_link_irq_chain(struct uart_8250_port *up) + struct hlist_head *h; + struct hlist_node *n; + struct irq_info *i; +- int ret, irq_flags = up->port.flags & UPF_SHARE_IRQ ? IRQF_SHARED : 0; ++ int ret; + + mutex_lock(&hash_mutex); + +@@ -216,9 +216,8 @@ static int serial_link_irq_chain(struct uart_8250_port *up) + INIT_LIST_HEAD(&up->list); + i->head = &up->list; + spin_unlock_irq(&i->lock); +- irq_flags |= up->port.irqflags; + ret = request_irq(up->port.irq, serial8250_interrupt, +- irq_flags, up->port.name, i); ++ up->port.irqflags, up->port.name, i); + if (ret < 0) + serial_do_unlink(i, up); + } +diff --git a/drivers/tty/serial/8250/8250_port.c b/drivers/tty/serial/8250/8250_port.c +index a73d2bc4b6852..90a93c001e169 100644 +--- a/drivers/tty/serial/8250/8250_port.c ++++ b/drivers/tty/serial/8250/8250_port.c +@@ -2258,6 +2258,10 @@ int serial8250_do_startup(struct uart_port *port) + } + } + ++ /* Check if we need to have shared IRQs */ ++ if (port->irq && (up->port.flags & UPF_SHARE_IRQ)) ++ up->port.irqflags |= IRQF_SHARED; ++ + if (port->irq && !(up->port.flags & UPF_NO_THRE_TEST)) { + unsigned char iir1; + /* +-- +2.20.1 + diff --git a/queue-4.14/series b/queue-4.14/series index 5b49eca1fbf..7a78cf7226d 100644 --- a/queue-4.14/series +++ b/queue-4.14/series @@ -198,3 +198,12 @@ mm-vmscan.c-don-t-round-up-scan-size-for-online-memory-cgroup.patch drm-amdgpu-soc15-fix-xclk-for-raven.patch kvm-x86-don-t-notify-userspace-ioapic-on-edge-triggered-interrupt-eoi.patch xhci-apply-xhci_pme_stuck_quirk-to-intel-comet-lake-platforms.patch +vt_resizex-get-rid-of-field-by-field-copyin.patch +vt-vt_ioctl-fix-race-in-vt_resizex.patch +powerpc-tm-p9-disable-transactionally-suspended-sigc.patch +powerpc-tm-fix-endianness-flip-on-trap.patch +powerpc-tm-fix-clearing-msr-ts-in-current-when-recla.patch +serial-8250-check-upf_irq_shared-in-advance.patch +lib-stackdepot-fix-outdated-comments.patch +lib-stackdepot.c-fix-global-out-of-bounds-in-stack_s.patch +kvm-nvmx-don-t-emulate-instructions-in-guest-mode.patch diff --git a/queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch b/queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch new file mode 100644 index 00000000000..6e144d1e661 --- /dev/null +++ b/queue-4.14/vt-vt_ioctl-fix-race-in-vt_resizex.patch @@ -0,0 +1,107 @@ +From 368ec3de669cb9099a9213c17ef5e6f52296face Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Mon, 10 Feb 2020 11:07:21 -0800 +Subject: vt: vt_ioctl: fix race in VT_RESIZEX + +From: Eric Dumazet + +[ Upstream commit 6cd1ed50efd88261298577cd92a14f2768eddeeb ] + +We need to make sure vc_cons[i].d is not NULL after grabbing +console_lock(), or risk a crash. + +general protection fault, probably for non-canonical address 0xdffffc0000000068: 0000 [#1] PREEMPT SMP KASAN +KASAN: null-ptr-deref in range [0x0000000000000340-0x0000000000000347] +CPU: 1 PID: 19462 Comm: syz-executor.5 Not tainted 5.5.0-syzkaller #0 +Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 +RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883 +Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40 +RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000 +RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340 +RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d +R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d +R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f +FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 +Call Trace: + tty_ioctl+0xa37/0x14f0 drivers/tty/tty_io.c:2660 + vfs_ioctl fs/ioctl.c:47 [inline] + ksys_ioctl+0x123/0x180 fs/ioctl.c:763 + __do_sys_ioctl fs/ioctl.c:772 [inline] + __se_sys_ioctl fs/ioctl.c:770 [inline] + __x64_sys_ioctl+0x73/0xb0 fs/ioctl.c:770 + do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294 + entry_SYSCALL_64_after_hwframe+0x49/0xbe +RIP: 0033:0x45b399 +Code: ad b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 00 66 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 0f 83 7b b6 fb ff c3 66 2e 0f 1f 84 00 00 00 00 +RSP: 002b:00007f7d13c11c78 EFLAGS: 00000246 ORIG_RAX: 0000000000000010 +RAX: ffffffffffffffda RBX: 00007f7d13c126d4 RCX: 000000000045b399 +RDX: 0000000020000080 RSI: 000000000000560a RDI: 0000000000000003 +RBP: 000000000075bf20 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000246 R12: 00000000ffffffff +R13: 0000000000000666 R14: 00000000004c7f04 R15: 000000000075bf2c +Modules linked in: +---[ end trace 80970faf7a67eb77 ]--- +RIP: 0010:vt_ioctl+0x1f96/0x26d0 drivers/tty/vt/vt_ioctl.c:883 +Code: 74 41 e8 bd a6 84 fd 48 89 d8 48 c1 e8 03 42 80 3c 28 00 0f 85 e4 04 00 00 48 8b 03 48 8d b8 40 03 00 00 48 89 fa 48 c1 ea 03 <42> 0f b6 14 2a 84 d2 74 09 80 fa 03 0f 8e b1 05 00 00 44 89 b8 40 +RSP: 0018:ffffc900086d7bb0 EFLAGS: 00010202 +RAX: 0000000000000000 RBX: ffffffff8c34ee88 RCX: ffffc9001415c000 +RDX: 0000000000000068 RSI: ffffffff83f0e6e3 RDI: 0000000000000340 +RBP: ffffc900086d7cd0 R08: ffff888054ce0100 R09: fffffbfff16a2f6d +R10: ffff888054ce0998 R11: ffff888054ce0100 R12: 000000000000001d +R13: dffffc0000000000 R14: 1ffff920010daf79 R15: 000000000000ff7f +FS: 00007f7d13c12700(0000) GS:ffff8880ae900000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 00007ffd477e3c38 CR3: 0000000095d0a000 CR4: 00000000001406e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400 + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Eric Dumazet +Cc: stable +Reported-by: syzbot +Link: https://lore.kernel.org/r/20200210190721.200418-1-edumazet@google.com +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index be7990548afef..c320fefab3602 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -876,15 +876,20 @@ int vt_ioctl(struct tty_struct *tty, + return -EINVAL; + + for (i = 0; i < MAX_NR_CONSOLES; i++) { ++ struct vc_data *vcp; ++ + if (!vc_cons[i].d) + continue; + console_lock(); +- if (v.v_vlin) +- vc_cons[i].d->vc_scan_lines = v.v_vlin; +- if (v.v_clin) +- vc_cons[i].d->vc_font.height = v.v_clin; +- vc_cons[i].d->vc_resize_user = 1; +- vc_resize(vc_cons[i].d, v.v_cols, v.v_rows); ++ vcp = vc_cons[i].d; ++ if (vcp) { ++ if (v.v_vlin) ++ vcp->vc_scan_lines = v.v_vlin; ++ if (v.v_clin) ++ vcp->vc_font.height = v.v_clin; ++ vcp->vc_resize_user = 1; ++ vc_resize(vcp, v.v_cols, v.v_rows); ++ } + console_unlock(); + } + break; +-- +2.20.1 + diff --git a/queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch b/queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch new file mode 100644 index 00000000000..64d65dbbf71 --- /dev/null +++ b/queue-4.14/vt_resizex-get-rid-of-field-by-field-copyin.patch @@ -0,0 +1,108 @@ +From c8005101dcc85f61b848cc3fcdd27ea136a51ba5 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Fri, 29 Sep 2017 12:34:13 -0400 +Subject: VT_RESIZEX: get rid of field-by-field copyin + +From: Al Viro + +[ Upstream commit 1b3bce4d6bf839304a90951b4b25a5863533bf2a ] + +Signed-off-by: Al Viro +Signed-off-by: Sasha Levin +--- + drivers/tty/vt/vt_ioctl.c | 68 ++++++++++++++++----------------------- + 1 file changed, 27 insertions(+), 41 deletions(-) + +diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c +index 7b34b0ddbf0e0..be7990548afef 100644 +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -847,58 +847,44 @@ int vt_ioctl(struct tty_struct *tty, + + case VT_RESIZEX: + { +- struct vt_consize __user *vtconsize = up; +- ushort ll,cc,vlin,clin,vcol,ccol; ++ struct vt_consize v; + if (!perm) + return -EPERM; +- if (!access_ok(VERIFY_READ, vtconsize, +- sizeof(struct vt_consize))) { +- ret = -EFAULT; +- break; +- } ++ if (copy_from_user(&v, up, sizeof(struct vt_consize))) ++ return -EFAULT; + /* FIXME: Should check the copies properly */ +- __get_user(ll, &vtconsize->v_rows); +- __get_user(cc, &vtconsize->v_cols); +- __get_user(vlin, &vtconsize->v_vlin); +- __get_user(clin, &vtconsize->v_clin); +- __get_user(vcol, &vtconsize->v_vcol); +- __get_user(ccol, &vtconsize->v_ccol); +- vlin = vlin ? vlin : vc->vc_scan_lines; +- if (clin) { +- if (ll) { +- if (ll != vlin/clin) { +- /* Parameters don't add up */ +- ret = -EINVAL; +- break; +- } +- } else +- ll = vlin/clin; ++ if (!v.v_vlin) ++ v.v_vlin = vc->vc_scan_lines; ++ if (v.v_clin) { ++ int rows = v.v_vlin/v.v_clin; ++ if (v.v_rows != rows) { ++ if (v.v_rows) /* Parameters don't add up */ ++ return -EINVAL; ++ v.v_rows = rows; ++ } + } +- if (vcol && ccol) { +- if (cc) { +- if (cc != vcol/ccol) { +- ret = -EINVAL; +- break; +- } +- } else +- cc = vcol/ccol; ++ if (v.v_vcol && v.v_ccol) { ++ int cols = v.v_vcol/v.v_ccol; ++ if (v.v_cols != cols) { ++ if (v.v_cols) ++ return -EINVAL; ++ v.v_cols = cols; ++ } + } + +- if (clin > 32) { +- ret = -EINVAL; +- break; +- } +- ++ if (v.v_clin > 32) ++ return -EINVAL; ++ + for (i = 0; i < MAX_NR_CONSOLES; i++) { + if (!vc_cons[i].d) + continue; + console_lock(); +- if (vlin) +- vc_cons[i].d->vc_scan_lines = vlin; +- if (clin) +- vc_cons[i].d->vc_font.height = clin; ++ if (v.v_vlin) ++ vc_cons[i].d->vc_scan_lines = v.v_vlin; ++ if (v.v_clin) ++ vc_cons[i].d->vc_font.height = v.v_clin; + vc_cons[i].d->vc_resize_user = 1; +- vc_resize(vc_cons[i].d, cc, ll); ++ vc_resize(vc_cons[i].d, v.v_cols, v.v_rows); + console_unlock(); + } + break; +-- +2.20.1 +