From: Greg Kroah-Hartman
Date: Wed, 26 Oct 2016 08:44:18 +0000 (+0200)
Subject: 4.8-stable patches
X-Git-Tag: v4.8.5~10
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=eb4ddaf6151f7ac4bde4ca351b3f45f2900196f4;p=thirdparty%2Fkernel%2Fstable-queue.git
4.8-stable patches added patches: arc-don-t-leak-bits-of-kernel-stack-into-coredump.patch arm64-kvm-vhe-reset-pstate.pan-on-entry-to-el2.patch fs-super.c-fix-race-between-freeze_super-and-thaw_super.patch metag-only-define-atomic_dec_if_positive-conditionally.patch soc-fsl-qe-fix-gpio-save_regs-functions.patch soc-fsl-qe-fix-oops-on-cpm1-and-likely-cpm2.patch
---
diff --git a/queue-4.8/arc-don-t-leak-bits-of-kernel-stack-into-coredump.patch b/queue-4.8/arc-don-t-leak-bits-of-kernel-stack-into-coredump.patch
new file mode 100644
index 00000000000..05380024406
--- /dev/null
+++ b/queue-4.8/arc-don-t-leak-bits-of-kernel-stack-into-coredump.patch
@@ -0,0 +1,50 @@
+From 7798bf2140ebcc36eafec6a4194fffd8d585d471 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sat, 10 Sep 2016 16:31:04 -0400
+Subject: arc: don't leak bits of kernel stack into coredump
+
+From: Al Viro
+
+commit 7798bf2140ebcc36eafec6a4194fffd8d585d471 upstream.
+
+On faulting sigreturn we do get SIGSEGV, all right, but anything
+we'd put into pt_regs could end up in the coredump. And since
+__copy_from_user() never zeroed on arc, we'd better bugger off
+on its failure without copying random uninitialized bits of
+kernel stack into pt_regs...
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arc/kernel/signal.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arc/kernel/signal.c
++++ b/arch/arc/kernel/signal.c
+@@ -107,13 +107,13 @@ static int restore_usr_regs(struct pt_re
+ struct user_regs_struct uregs;
+
+ err = __copy_from_user(&set, &sf->uc.uc_sigmask, sizeof(set));
+- if (!err)
+- set_current_blocked(&set);
+-
+ err |= __copy_from_user(&uregs.scratch,
+ &(sf->uc.uc_mcontext.regs.scratch),
+ sizeof(sf->uc.uc_mcontext.regs.scratch));
++ if (err)
++ return err;
+
++ set_current_blocked(&set);
+ regs->bta = uregs.scratch.bta;
+ regs->lp_start = uregs.scratch.lp_start;
+ regs->lp_end = uregs.scratch.lp_end;
+@@ -138,7 +138,7 @@ static int restore_usr_regs(struct pt_re
+ regs->r0 = uregs.scratch.r0;
+ regs->sp = uregs.scratch.sp;
+
+- return err;
++ return 0;
+ }
+
+ static inline int is_do_ss_needed(unsigned int magic)
diff --git a/queue-4.8/arm64-kvm-vhe-reset-pstate.pan-on-entry-to-el2.patch b/queue-4.8/arm64-kvm-vhe-reset-pstate.pan-on-entry-to-el2.patch
new file mode 100644
index 00000000000..ffeb7549994
--- /dev/null
+++ b/queue-4.8/arm64-kvm-vhe-reset-pstate.pan-on-entry-to-el2.patch
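Review bot: The new `if (err) return err;` line hands the caller the raw residue of two OR'ed `__copy_from_user()` results (a count of bytes not copied) rather than an errno, and nothing at the call site in this hunk records that only "non-zero means fault" is relied on; the `return 0` on the success path suggests that is the contract, but it is inferred. A comment above the check would pin it down: `/* err is the uncopied-byte residue of both copies; any non-zero value means a faulting sigreturn, so leave regs untouched */`. Moving `set_current_blocked(&set)` below the check is also what keeps a partially read `set` from being installed, which is worth stating in that comment. restore_usr_regs()'s head lies outside the hunk.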
@@ -0,0 +1,42 @@
+From cb96408da4e11698674abd04aeac941c1bed2038 Mon Sep 17 00:00:00 2001
+From: Vladimir Murzin
+Date: Thu, 1 Sep 2016 15:29:03 +0100
+Subject: arm64: KVM: VHE: reset PSTATE.PAN on entry to EL2
+
+From: Vladimir Murzin
+
+commit cb96408da4e11698674abd04aeac941c1bed2038 upstream.
+
+SCTLR_EL2.SPAN bit controls what happens with the PSTATE.PAN bit on an
+exception. However, this bit has no effect on the PSTATE.PAN when
+HCR_EL2.E2H or HCR_EL2.TGE is unset. Thus when VHE is used and
+exception taken from a guest PSTATE.PAN bit left unchanged and we
+continue with a value guest has set.
+
+To address that always reset PSTATE.PAN on entry from EL1.
+
+Fixes: 1f364c8c48a0 ("arm64: VHE: Add support for running Linux in EL2 mode")
+
+Signed-off-by: Vladimir Murzin
+Reviewed-by: James Morse
+Acked-by: Marc Zyngier
+Signed-off-by: Christoffer Dall
+[ rebased for v4.7+ ]
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ arch/arm64/kvm/hyp/entry.S | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm64/kvm/hyp/entry.S
++++ b/arch/arm64/kvm/hyp/entry.S
+@@ -98,6 +98,8 @@ ENTRY(__guest_exit)
+ // x4-x29,lr: vcpu regs
+ // vcpu x0-x3 on the stack
+
++ ALTERNATIVE(nop, SET_PSTATE_PAN(1), ARM64_HAS_PAN, CONFIG_ARM64_PAN)
++
+ add x2, x0, #VCPU_CONTEXT
+
+ stp x4, x5, [x2, #CPU_XREG_OFFSET(4)]
diff --git a/queue-4.8/fs-super.c-fix-race-between-freeze_super-and-thaw_super.patch b/queue-4.8/fs-super.c-fix-race-between-freeze_super-and-thaw_super.patch
new file mode 100644
index 00000000000..6a5743af9de
--- /dev/null
+++ b/queue-4.8/fs-super.c-fix-race-between-freeze_super-and-thaw_super.patch
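Review bot: The added `ALTERNATIVE(nop, SET_PSTATE_PAN(1), ...)` line in __guest_exit carries no comment, while the surrounding comments only describe register usage, so the reason a guest-controlled PSTATE.PAN must be overridden here is recorded nowhere in the code. Suggest a line comment above it taken from the commit message: `// Under VHE SCTLR_EL2.SPAN does not reset PSTATE.PAN on the exception, so set it explicitly rather than run with the guest's value`. This is the first host-side instruction after the guest exit in the hunk, which is presumably why it precedes the context save; confirm nothing before it touches userspace-mapped memory. __guest_exit's body continues outside the hunk.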
@@ -0,0 +1,49 @@
+From 89f39af129382a40d7cd1f6914617282cfeee28e Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Mon, 26 Sep 2016 18:07:48 +0200
+Subject: fs/super.c: fix race between freeze_super() and thaw_super()
+
+From: Oleg Nesterov
+
+commit 89f39af129382a40d7cd1f6914617282cfeee28e upstream.
+
+Change thaw_super() to check frozen != SB_FREEZE_COMPLETE rather than
+frozen == SB_UNFROZEN, otherwise it can race with freeze_super() which
+drops sb->s_umount after SB_FREEZE_WRITE to preserve the lock ordering.
+
+In this case thaw_super() will wrongly call s_op->unfreeze_fs() before
+it was actually frozen, and call sb_freeze_unlock() which leads to the
+unbalanced percpu_up_write(). Unfortunately lockdep can't detect this,
+so this triggers misc BUG_ON()'s in kernel/rcu/sync.c.
+
+Reported-and-tested-by: Nikolay Borisov
+Signed-off-by: Oleg Nesterov
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/super.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/fs/super.c
++++ b/fs/super.c
+@@ -1379,8 +1379,8 @@ int freeze_super(struct super_block *sb)
+ }
+ }
+ /*
+- * This is just for debugging purposes so that fs can warn if it
+- * sees write activity when frozen is set to SB_FREEZE_COMPLETE.
++ * For debugging purposes so that fs can warn if it sees write activity
++ * when frozen is set to SB_FREEZE_COMPLETE, and for thaw_super().
+ */
+ sb->s_writers.frozen = SB_FREEZE_COMPLETE;
+ up_write(&sb->s_umount);
+@@ -1399,7 +1399,7 @@ int thaw_super(struct super_block *sb)
+ int error;
+
+ down_write(&sb->s_umount);
+- if (sb->s_writers.frozen == SB_UNFROZEN) {
++ if (sb->s_writers.frozen != SB_FREEZE_COMPLETE) {
+ up_write(&sb->s_umount);
+ return -EINVAL;
+ }
diff --git a/queue-4.8/metag-only-define-atomic_dec_if_positive-conditionally.patch b/queue-4.8/metag-only-define-atomic_dec_if_positive-conditionally.patch
new file mode 100644
index 00000000000..ec3e0cc7d4a
--- /dev/null
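Review bot: The new `!= SB_FREEZE_COMPLETE` test in thaw_super() is the load-bearing half of the fix, yet the only explanation of why intermediate freeze states must be rejected sits in freeze_super()'s comment twenty lines earlier and in the commit message. A comment at the check itself would stop a later "simplification" back to `== SB_UNFROZEN`: `/* freeze_super() drops s_umount between SB_FREEZE_WRITE and SB_FREEZE_COMPLETE, so an in-progress freeze must also be refused here */`. The resulting -EINVAL for a half-frozen sb appears intended, since the alternative is the unbalanced percpu_up_write() described above. thaw_super()'s body continues past the hunk.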
+++ b/queue-4.8/metag-only-define-atomic_dec_if_positive-conditionally.patch
@@ -0,0 +1,45 @@
+From 35d04077ad96ed33ceea2501f5a4f1eacda77218 Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Fri, 7 Oct 2016 10:40:59 -0700
+Subject: metag: Only define atomic_dec_if_positive conditionally
+
+From: Guenter Roeck
+
+commit 35d04077ad96ed33ceea2501f5a4f1eacda77218 upstream.
+
+The definition of atomic_dec_if_positive() assumes that
+atomic_sub_if_positive() exists, which is only the case if
+metag specific atomics are used. This results in the following
+build error when trying to build metag1_defconfig.
+
+kernel/ucount.c: In function 'dec_ucount':
+kernel/ucount.c:211: error:
+ implicit declaration of function 'atomic_sub_if_positive'
+
+Moving the definition of atomic_dec_if_positive() into the metag
+conditional code fixes the problem.
+
+Fixes: 6006c0d8ce94 ("metag: Atomics, locks and bitops")
+Signed-off-by: Guenter Roeck
+Signed-off-by: James Hogan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/metag/include/asm/atomic.h | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/metag/include/asm/atomic.h
++++ b/arch/metag/include/asm/atomic.h
+@@ -39,11 +39,10 @@
+ #define atomic_dec(v) atomic_sub(1, (v))
+
+ #define atomic_inc_not_zero(v) atomic_add_unless((v), 1, 0)
++#define atomic_dec_if_positive(v) atomic_sub_if_positive(1, v)
+
+ #endif
+
+-#define atomic_dec_if_positive(v) atomic_sub_if_positive(1, v)
+-
+ #include
+
+ #endif /* __ASM_METAG_ATOMIC_H */
diff --git a/queue-4.8/series b/queue-4.8/series
index 759845a2dc8..a323e958d19 100644
--- a/queue-4.8/series
+++ b/queue-4.8/series
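Review bot: The `#endif` that now also encloses atomic_dec_if_positive has no trailing comment, and the `#if` it matches lies outside the hunk, so from this excerpt a reader cannot tell which configuration keeps the macro or that it exists only because atomic_sub_if_positive does. A trailing comment on that `#endif` naming the condition (`#endif /* <condition of the matching #if> */`, placeholder for the real one) would make the dependency explicit. Configurations taking the other branch are presumably served by the generic atomic_dec_if_positive fallback in linux/atomic.h; worth confirming that is what metag1_defconfig now picks up rather than a silent absence.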
@@ -83,3 +83,9 @@ pnfs-blocklayout-fix-last_write_offset-incorrectly-set-to-page-boundary.patch
 scsi-fix-use-after-free.patch
 watchdog-rt2880_wdt-remove-assignment-of-dev-pointer.patch
 watchdog-mt7621_wdt-remove-assignment-of-dev-pointer.patch
+metag-only-define-atomic_dec_if_positive-conditionally.patch
+soc-fsl-qe-fix-gpio-save_regs-functions.patch
+soc-fsl-qe-fix-oops-on-cpm1-and-likely-cpm2.patch
+arm64-kvm-vhe-reset-pstate.pan-on-entry-to-el2.patch
+arc-don-t-leak-bits-of-kernel-stack-into-coredump.patch
+fs-super.c-fix-race-between-freeze_super-and-thaw_super.patch
diff --git a/queue-4.8/soc-fsl-qe-fix-gpio-save_regs-functions.patch b/queue-4.8/soc-fsl-qe-fix-gpio-save_regs-functions.patch
new file mode 100644
index 00000000000..cbb69477ed5
--- /dev/null
+++ b/queue-4.8/soc-fsl-qe-fix-gpio-save_regs-functions.patch
@@ -0,0 +1,37 @@
+From 5dc6f3fedee58efa343e822558fc3e2f0eb2ad1f Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Tue, 6 Sep 2016 00:52:16 +0200
+Subject: soc/fsl/qe: fix gpio save_regs functions
+
+From: Christophe Leroy
+
+commit 5dc6f3fedee58efa343e822558fc3e2f0eb2ad1f upstream.
+
+of_mm_gpiochip_add_data() calls mm_gc->save_regs() before
+setting the data. Therefore ->save_regs() cannot use
+gpiochip_get_data()
+
+An Oops is encountered without this fix.
+
+fixes: 1e714e54b5ca5 ("powerpc: qe_lib-gpio: use gpiochip data pointer")
+Signed-off-by: Christophe Leroy
+Reviewed-by: Linus Walleij
+Signed-off-by: Scott Wood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/soc/fsl/qe/gpio.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/soc/fsl/qe/gpio.c
++++ b/drivers/soc/fsl/qe/gpio.c
+@@ -41,7 +41,8 @@ struct qe_gpio_chip {
+
+ static void qe_gpio_save_regs(struct of_mm_gpio_chip *mm_gc)
+ {
+- struct qe_gpio_chip *qe_gc = gpiochip_get_data(&mm_gc->gc);
++ struct qe_gpio_chip *qe_gc =
++ container_of(mm_gc, struct qe_gpio_chip, mm_gc);
+ struct qe_pio_regs __iomem *regs = mm_gc->regs;
+
+ qe_gc->cpdata = in_be32(®s->cpdata);
diff --git a/queue-4.8/soc-fsl-qe-fix-oops-on-cpm1-and-likely-cpm2.patch b/queue-4.8/soc-fsl-qe-fix-oops-on-cpm1-and-likely-cpm2.patch
new file mode 100644
index 00000000000..8618aefa10a
--- /dev/null
+++ b/queue-4.8/soc-fsl-qe-fix-oops-on-cpm1-and-likely-cpm2.patch
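Review bot: The switch to `container_of(mm_gc, struct qe_gpio_chip, mm_gc)` in qe_gpio_save_regs() is unexplained in the code, so the ordering constraint that makes gpiochip_get_data() unsafe here (it runs from of_mm_gpiochip_add_data() before the chip data is set, per the commit message) survives only in git history and a cleanup could reintroduce the NULL dereference. Suggest a comment above the declaration: `/* ->save_regs() is invoked before of_mm_gpiochip_add_data() sets the chip data, so gpiochip_get_data() would return NULL here */`. The subject says "functions" plural but only this one is touched; if a sibling restore or other callback has the same pattern it is not visible in this hunk. qe_gpio_save_regs()'s body continues past the hunk.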
@@ -0,0 +1,146 @@
+From 4d486e0083796b54d5aeddd7a5794f897fca1008 Mon Sep 17 00:00:00 2001
+From: Christophe Leroy
+Date: Tue, 16 Aug 2016 08:26:20 +0200
+Subject: soc/fsl/qe: fix Oops on CPM1 (and likely CPM2)
+
+From: Christophe Leroy
+
+commit 4d486e0083796b54d5aeddd7a5794f897fca1008 upstream.
+
+Commit 0e6e01ff694ee ("CPM/QE: use genalloc to manage CPM/QE muram")
+has changed the way muram is managed.
+genalloc uses kmalloc(), hence requires the SLAB to be up and running.
+
+On powerpc 8xx, cpm_reset() is called early during startup.
+cpm_reset() then calls cpm_muram_init() before SLAB is available,
+hence the following Oops.
+
+cpm_reset() cannot be called during initcalls because the CPM is
+needed for console.
+
+This patch removes the call to cpm_muram_init() from cpm_reset().
+cpm_muram_init() will be called from a new function called cpm_init()
+which is declared as subsys_initcall, unless cpm_muram_alloc() is
+called earlier for the serial console in which case cpm_muram_init()
+will be called from there.
+
+The reason for calling it from two places is that some drivers
+(e.g. i2c-cpm) need some of the initialisations done by
+cpm_muram_init() but don't call cpm_muram_alloc(). The console
+driver calls cpm_muram_alloc() but some platforms might not use
+the CPM serial ports for console.
+
+[ 0.000000] Unable to handle kernel paging request for data at address 0x00000008
+[ 0.000000] Faulting instruction address: 0xc01acce0
+[ 0.000000] Oops: Kernel access of bad area, sig: 11 [#1]
+[ 0.000000] PREEMPT CMPC885
+[ 0.000000] CPU: 0 PID: 0 Comm: swapper Not tainted 4.4.14-g0886ed8 #5
+[ 0.000000] task: c05183e0 ti: c0536000 task.ti: c0536000
+[ 0.000000] NIP: c01acce0 LR: c0011068 CTR: 00000000
+[ 0.000000] REGS: c0537e50 TRAP: 0300 Not tainted (4.4.14-s3k-dev-g0886ed8-svn)
+[ 0.000000] MSR: 00001032 CR: 28044428 XER: 00000000
+[ 0.000000] DAR: 00000008 DSISR: c0000000
+GPR00: c0011068 c0537f00 c05183e0 00000000 00009000 ffffffff 00000bc0 ffffffff
+GPR08: ff003000 ff00b000 ff003bbf 00000000 22044422 100d43a8 00000000 07ff94e8
+GPR16: 00000000 07bb5d70 00000000 07ff81f4 07ff81f4 07ff81f4 00000000 00000000
+GPR24: 07ffb3a0 07fe7628 c0550000 c7ffa190 c0540000 ff003bbf 00000000 00000001
+[ 0.000000] NIP [c01acce0] gen_pool_add_virt+0x14/0xdc
+[ 0.000000] LR [c0011068] cpm_muram_init+0xd4/0x18c
+[ 0.000000] Call Trace:
+[ 0.000000] [c0537f00] [00000200] 0x200 (unreliable)
+[ 0.000000] [c0537f20] [c0011068] cpm_muram_init+0xd4/0x18c
+[ 0.000000] [c0537f70] [c0494684] cpm_reset+0xb4/0xc8
+[ 0.000000] [c0537f90] [c0494c64] cmpc885_setup_arch+0x10/0x30
+[ 0.000000] [c0537fa0] [c0493cd4] setup_arch+0x130/0x168
+[ 0.000000] [c0537fb0] [c04906bc] start_kernel+0x88/0x380
+[ 0.000000] [c0537ff0] [c0002224] start_here+0x38/0x98
+[ 0.000000] Instruction dump:
+[ 0.000000] 91430010 91430014 80010014 83e1000c 7c0803a6 38210010 4e800020 7c0802a6
+[ 0.000000] 9421ffe0 bf61000c 90010024 7c7e1b78 <80630008> 7c9c2378 7cc31c30 3863001f
+[ 0.000000] ---[ end trace dc8fa200cb88537f ]---
+
+fixes: 0e6e01ff694ee ("CPM/QE: use genalloc to manage CPM/QE muram")
+Signed-off-by: Christophe Leroy
+[scottwood: Removed some string changes unrelated to bugfix]
+Signed-off-by: Scott Wood
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/sysdev/cpm1.c | 2 --
+ arch/powerpc/sysdev/cpm2.c | 4 ----
+ arch/powerpc/sysdev/cpm_common.c | 15 +++++++++++++++
+ drivers/soc/fsl/qe/qe_common.c | 8 ++++++++
+ 4 files changed, 23 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/sysdev/cpm1.c
++++ b/arch/powerpc/sysdev/cpm1.c
+@@ -233,8 +233,6 @@ void __init cpm_reset(void)
+ else
+ out_be32(&siu_conf->sc_sdcr, 1);
+ immr_unmap(siu_conf);
+-
+- cpm_muram_init();
+ }
+
+ static DEFINE_SPINLOCK(cmd_lock);
+--- a/arch/powerpc/sysdev/cpm2.c
++++ b/arch/powerpc/sysdev/cpm2.c
+@@ -66,10 +66,6 @@ void __init cpm2_reset(void)
+ cpm2_immr = ioremap(get_immrbase(), CPM_MAP_SIZE);
+ #endif
+
+- /* Reclaim the DP memory for our use.
+- */
+- cpm_muram_init();
+-
+ /* Tell everyone where the comm processor resides.
+ */
+ cpmp = &cpm2_immr->im_cpm;
+--- a/arch/powerpc/sysdev/cpm_common.c
++++ b/arch/powerpc/sysdev/cpm_common.c
+@@ -37,6 +37,21 @@
+ #include
+ #endif
+
++static int __init cpm_init(void)
++{
++ struct device_node *np;
++
++ np = of_find_compatible_node(NULL, NULL, "fsl,cpm1");
++ if (!np)
++ np = of_find_compatible_node(NULL, NULL, "fsl,cpm2");
++ if (!np)
++ return -ENODEV;
++ cpm_muram_init();
++ of_node_put(np);
++ return 0;
++}
++subsys_initcall(cpm_init);
++
+ #ifdef CONFIG_PPC_EARLY_DEBUG_CPM
+ static u32 __iomem *cpm_udbg_txdesc;
+ static u8 __iomem *cpm_udbg_txbuf;
+--- a/drivers/soc/fsl/qe/qe_common.c
++++ b/drivers/soc/fsl/qe/qe_common.c
+@@ -70,6 +70,11 @@ int cpm_muram_init(void)
+ }
+
+ muram_pool = gen_pool_create(0, -1);
++ if (!muram_pool) {
++ pr_err("Cannot allocate memory pool for CPM/QE muram");
++ ret = -ENOMEM;
++ goto out_muram;
++ }
+ muram_pbase = of_translate_address(np, zero);
+ if (muram_pbase == (phys_addr_t)OF_BAD_ADDR) {
+ pr_err("Cannot translate zero through CPM muram node");
+@@ -116,6 +121,9 @@ static unsigned long cpm_muram_alloc_com
+ struct muram_block *entry;
+ unsigned long start;
+
++ if (!muram_pool && cpm_muram_init())
++ goto out2;
++
+ start = gen_pool_alloc_algo(muram_pool, size, algo, data);
+ if (!start)
+ goto out2;