From: Greg Kroah-Hartman Date: Tue, 16 Oct 2018 13:09:17 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.9.134~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f28f77d6e34beb23ca890d7552a8ef86f53acc29;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: ext4-add-corruption-check-in-ext4_xattr_set_entry.patch mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch mm-vmstat.c-fix-outdated-vmstat_text.patch perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch
---
diff --git a/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
new file mode 100644
index 00000000000..fdfc2bfd94a
--- /dev/null
+++ b/queue-4.4/ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
@@ -0,0 +1,101 @@
+From 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Wed, 13 Jun 2018 00:23:11 -0400
+Subject: ext4: add corruption check in ext4_xattr_set_entry()
+
+From: Theodore Ts'o
+
+commit 5369a762c882c0b6e9599e4ebbb3a9ba9eee7e2d upstream.
+
+In theory this should have been caught earlier when the xattr list was
+verified, but in case it got missed, it's simple enough to add check
+to make sure we don't overrun the xattr buffer.
+
+This addresses CVE-2018-10879.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=200001
+
+Signed-off-by: Theodore Ts'o
+Reviewed-by: Andreas Dilger
+[bwh: Backported to 3.16:
+ - Add inode parameter to ext4_xattr_set_entry() and update callers
+ - Adjust context]
+Signed-off-by: Ben Hutchings
+[adjusted for 4.4 context]
+Signed-off-by: Daniel Rosenberg
+Signed-off-by: Greg Kroah-Hartman
+---
+ fs/ext4/xattr.c | 22 ++++++++++++++--------
+ 1 file changed, 14 insertions(+), 8 deletions(-)
+
+--- a/fs/ext4/xattr.c
++++ b/fs/ext4/xattr.c
+@@ -638,14 +638,20 @@ static size_t ext4_xattr_free_space(stru
+ }
+
+ static int
+-ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s)
++ext4_xattr_set_entry(struct ext4_xattr_info *i, struct ext4_xattr_search *s,
++ struct inode *inode)
+ {
+- struct ext4_xattr_entry *last;
++ struct ext4_xattr_entry *last, *next;
+ size_t free, min_offs = s->end - s->base, name_len = strlen(i->name);
+
+ /* Compute min_offs and last. */
+ last = s->first;
+- for (; !IS_LAST_ENTRY(last); last = EXT4_XATTR_NEXT(last)) {
++ for (; !IS_LAST_ENTRY(last); last = next) {
++ next = EXT4_XATTR_NEXT(last);
++ if ((void *)next >= s->end) {
++ EXT4_ERROR_INODE(inode, "corrupted xattr entries");
++ return -EFSCORRUPTED;
++ }
+ if (!last->e_value_block && last->e_value_size) {
+ size_t offs = le16_to_cpu(last->e_value_offs);
+ if (offs < min_offs)
+@@ -825,7 +831,7 @@ ext4_xattr_block_set(handle_t *handle, s
+ ce = NULL;
+ }
+ ea_bdebug(bs->bh, "modifying in-place");
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (!error) {
+ if (!IS_LAST_ENTRY(s->first))
+ ext4_xattr_rehash(header(s->base),
+@@ -875,7 +881,7 @@ ext4_xattr_block_set(handle_t *handle, s
+ s->end = s->base + sb->s_blocksize;
+ }
+
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error == -EFSCORRUPTED)
+ goto bad_block;
+ if (error)
+@@ -1037,7 +1043,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error) {
+ if (error == -ENOSPC &&
+ ext4_has_inline_data(inode)) {
+@@ -1049,7 +1055,7 @@ int ext4_xattr_ibody_inline_set(handle_t
+ error = ext4_xattr_ibody_find(inode, i, is);
+ if (error)
+ return error;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ }
+ if (error)
+ return error;
+@@ -1075,7 +1081,7 @@ static int ext4_xattr_ibody_set(handle_t
+
+ if (EXT4_I(inode)->i_extra_isize == 0)
+ return -ENOSPC;
+- error = ext4_xattr_set_entry(i, s);
++ error = ext4_xattr_set_entry(i, s, inode);
+ if (error)
+ return error;
+ header = IHDR(inode, ext4_raw_inode(&is->iloc));
diff --git a/queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch b/queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
new file mode 100644
index 00000000000..821b0487d6d
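Review bot: In the fs/ext4/xattr.c hunk at -638, the new guard `if ((void *)next >= s->end)` only proves that the first byte of `next` lies inside the buffer, while the following iteration reads a 32-bit word through IS_LAST_ENTRY(last) and then the e_value_* fields of that same entry. If entry alignment together with an aligned s->end is what guarantees room for the terminator, that deserves a comment such as `/* entries are 4-byte aligned, so next < s->end leaves room for the terminating word */`; otherwise the comparison could cover the word actually read, `if ((void *)next + sizeof(__u32) > s->end)`. The first entry, `s->first`, is also dereferenced by IS_LAST_ENTRY before any comparison with s->end, so it presumably relies on the callers having set up the search correctly. The body of ext4_xattr_set_entry() continues past the end of the hunk.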
--- /dev/null
+++ b/queue-4.4/mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
@@ -0,0 +1,135 @@
+From 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Fri, 17 Aug 2018 15:19:37 -0400
+Subject: mach64: detect the dot clock divider correctly on sparc
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mikulas Patocka
+
+commit 76ebebd2464c5c8a4453c98b6dbf9c95a599e810 upstream.
+
+On Sun Ultra 5, it happens that the dot clock is not set up properly for
+some videomodes. For example, if we set the videomode "r1024x768x60" in
+the firmware, Linux would incorrectly set a videomode with refresh rate
+180Hz when booting (suprisingly, my LCD monitor can display it, although
+display quality is very low).
+
+The reason is this: Older mach64 cards set the divider in the register
+VCLK_POST_DIV. The register has four 2-bit fields (the field that is
+actually used is specified in the lowest two bits of the register
+CLOCK_CNTL). The 2 bits select divider "1, 2, 4, 8". On newer mach64 cards,
+there's another bit added - the top four bits of PLL_EXT_CNTL extend the
+divider selection, so we have possible dividers "1, 2, 4, 8, 3, 5, 6, 12".
+The Linux driver clears the top four bits of PLL_EXT_CNTL and never sets
+them, so it can work regardless if the card supports them. However, the
+sparc64 firmware may set these extended dividers during boot - and the
+mach64 driver detects incorrect dot clock in this case.
+
+This patch makes the driver read the additional divider bit from
+PLL_EXT_CNTL and calculate the initial refresh rate properly.
+
+Signed-off-by: Mikulas Patocka
+Cc: stable@vger.kernel.org
+Acked-by: David S. Miller
+Reviewed-by: Ville Syrjälä
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/video/fbdev/aty/atyfb.h | 3 ++-
+ drivers/video/fbdev/aty/atyfb_base.c | 7 ++++---
+ drivers/video/fbdev/aty/mach64_ct.c | 10 +++++-----
+ 3 files changed, 11 insertions(+), 9 deletions(-)
+
+--- a/drivers/video/fbdev/aty/atyfb.h
++++ b/drivers/video/fbdev/aty/atyfb.h
+@@ -332,6 +332,8 @@ extern const struct aty_pll_ops aty_pll_
+ extern void aty_set_pll_ct(const struct fb_info *info, const union aty_pll *pll);
+ extern u8 aty_ld_pll_ct(int offset, const struct atyfb_par *par);
+
++extern const u8 aty_postdividers[8];
++
+
+ /*
+ * Hardware cursor support
+@@ -358,7 +360,6 @@ static inline void wait_for_idle(struct
+
+ extern void aty_reset_engine(const struct atyfb_par *par);
+ extern void aty_init_engine(struct atyfb_par *par, struct fb_info *info);
+-extern u8 aty_ld_pll_ct(int offset, const struct atyfb_par *par);
+
+ void atyfb_copyarea(struct fb_info *info, const struct fb_copyarea *area);
+ void atyfb_fillrect(struct fb_info *info, const struct fb_fillrect *rect);
+--- a/drivers/video/fbdev/aty/atyfb_base.c
++++ b/drivers/video/fbdev/aty/atyfb_base.c
+@@ -3093,17 +3093,18 @@ static int atyfb_setup_sparc(struct pci_
+ /*
+ * PLL Reference Divider M:
+ */
+- M = pll_regs[2];
++ M = pll_regs[PLL_REF_DIV];
+
+ /*
+ * PLL Feedback Divider N (Dependent on CLOCK_CNTL):
+ */
+- N = pll_regs[7 + (clock_cntl & 3)];
++ N = pll_regs[VCLK0_FB_DIV + (clock_cntl & 3)];
+
+ /*
+ * PLL Post Divider P (Dependent on CLOCK_CNTL):
+ */
+- P = 1 << (pll_regs[6] >> ((clock_cntl & 3) << 1));
++ P = aty_postdividers[((pll_regs[VCLK_POST_DIV] >> ((clock_cntl & 3) << 1)) & 3) |
++ ((pll_regs[PLL_EXT_CNTL] >> (2 + (clock_cntl & 3))) & 4)];
+
+ /*
+ * PLL Divider Q:
+--- a/drivers/video/fbdev/aty/mach64_ct.c
++++ b/drivers/video/fbdev/aty/mach64_ct.c
+@@ -114,7 +114,7 @@ static void aty_st_pll_ct(int offset, u8
+ */
+
+ #define Maximum_DSP_PRECISION 7
+-static u8 postdividers[] = {1,2,4,8,3};
++const u8 aty_postdividers[8] = {1,2,4,8,3,5,6,12};
+
+ static int aty_dsp_gt(const struct fb_info *info, u32 bpp, struct pll_ct *pll)
+ {
+@@ -221,7 +221,7 @@ static int aty_valid_pll_ct(const struct
+ pll->vclk_post_div += (q < 64*8);
+ pll->vclk_post_div += (q < 32*8);
+ }
+- pll->vclk_post_div_real = postdividers[pll->vclk_post_div];
++ pll->vclk_post_div_real = aty_postdividers[pll->vclk_post_div];
+ // pll->vclk_post_div <<= 6;
+ pll->vclk_fb_div = q * pll->vclk_post_div_real / 8;
+ pllvclk = (1000000 * 2 * pll->vclk_fb_div) /
+@@ -512,7 +512,7 @@ static int aty_init_pll_ct(const struct
+ u8 mclk_fb_div, pll_ext_cntl;
+ pll->ct.pll_ref_div = aty_ld_pll_ct(PLL_REF_DIV, par);
+ pll_ext_cntl = aty_ld_pll_ct(PLL_EXT_CNTL, par);
+- pll->ct.xclk_post_div_real = postdividers[pll_ext_cntl & 0x07];
++ pll->ct.xclk_post_div_real = aty_postdividers[pll_ext_cntl & 0x07];
+ mclk_fb_div = aty_ld_pll_ct(MCLK_FB_DIV, par);
+ if (pll_ext_cntl & PLL_MFB_TIMES_4_2B)
+ mclk_fb_div <<= 1;
+@@ -534,7 +534,7 @@ static int aty_init_pll_ct(const struct
+ xpost_div += (q < 64*8);
+ xpost_div += (q < 32*8);
+ }
+- pll->ct.xclk_post_div_real = postdividers[xpost_div];
++ pll->ct.xclk_post_div_real = aty_postdividers[xpost_div];
+ pll->ct.mclk_fb_div = q * pll->ct.xclk_post_div_real / 8;
+
+ #ifdef CONFIG_PPC
+@@ -583,7 +583,7 @@ static int aty_init_pll_ct(const struct
+ mpost_div += (q < 64*8);
+ mpost_div += (q < 32*8);
+ }
+- sclk_post_div_real = postdividers[mpost_div];
++ sclk_post_div_real = aty_postdividers[mpost_div];
+ pll->ct.sclk_fb_div = q * sclk_post_div_real / 8;
+ pll->ct.spll_cntl2 = mpost_div << 4;
+ #ifdef DEBUG
diff --git a/queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch b/queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch
new file mode 100644
index 00000000000..cf3f21b58de
--- /dev/null
+++ b/queue-4.4/mm-vmstat.c-fix-outdated-vmstat_text.patch
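Review bot: In atyfb_setup_sparc() (drivers/video/fbdev/aty/atyfb_base.c, hunk at -3093) the new subscript for `P` packs two register fields into one index without saying which bits come from where; a comment would make it reviewable, for example `/* bits 0-1: VCLK_POST_DIV field selected by CLOCK_CNTL; bit 2: matching bit in the top nibble of PLL_EXT_CNTL */`. The index is bounded to 0..7 by the `& 3` and `& 4` masks, which matches the declared `aty_postdividers[8]`. The widening of the table also matters in mach64_ct.c, where `pll_ext_cntl & 0x07` previously indexed the five-entry `postdividers[]`, so values 5 to 7 read past the old table. Whether `pll_regs` is large enough to be indexed by PLL_EXT_CNTL is not visible in the hunk and is worth confirming; the function starts and ends outside it.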
@@ -0,0 +1,47 @@
+From 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 Mon Sep 17 00:00:00 2001
+From: Jann Horn
+Date: Fri, 5 Oct 2018 15:52:03 -0700
+Subject: mm/vmstat.c: fix outdated vmstat_text
+
+From: Jann Horn
+
+commit 28e2c4bb99aa40f9d5f07ac130cbc4da0ea93079 upstream.
+
+7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely") removed the
+VMACACHE_FULL_FLUSHES statistics, but didn't remove the corresponding
+entry in vmstat_text. This causes an out-of-bounds access in
+vmstat_show().
+
+Luckily this only affects kernels with CONFIG_DEBUG_VM_VMACACHE=y, which
+is probably very rare.
+
+Link: http://lkml.kernel.org/r/20181001143138.95119-1-jannh@google.com
+Fixes: 7a9cdebdcc17 ("mm: get rid of vmacache_flush_all() entirely")
+Signed-off-by: Jann Horn
+Reviewed-by: Kees Cook
+Reviewed-by: Andrew Morton
+Acked-by: Michal Hocko
+Acked-by: Roman Gushchin
+Cc: Davidlohr Bueso
+Cc: Oleg Nesterov
+Cc: Christoph Lameter
+Cc: Kemi Wang
+Cc: Andy Lutomirski
+Cc: Ingo Molnar
+Signed-off-by: Andrew Morton
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/vmstat.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/mm/vmstat.c
++++ b/mm/vmstat.c
+@@ -869,7 +869,6 @@ const char * const vmstat_text[] = {
+ #ifdef CONFIG_DEBUG_VM_VMACACHE
+ "vmacache_find_calls",
+ "vmacache_find_hits",
+- "vmacache_full_flushes",
+ #endif
+ #endif /* CONFIG_VM_EVENTS_COUNTERS */
+ };
diff --git a/queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch b/queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch
new file mode 100644
index 00000000000..76556812e56
--- /dev/null
+++ b/queue-4.4/perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch
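Review bot: Nothing in the mm/vmstat.c hunk keeps `vmstat_text[]` in step with the counters it names, so the same mismatch can come back the next time an event is added or removed; the commit message says the stale entry caused an out-of-bounds access in vmstat_show(). A compile-time check next to the consumer, along the lines of `BUILD_BUG_ON(ARRAY_SIZE(vmstat_text) != EXPECTED_COUNT_PLACEHOLDER);`, would turn that into a build failure. The placeholder stands for whatever count vmstat_show() iterates over, which is not visible here. The array definition starts above the hunk.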
@@ -0,0 +1,50 @@
+From 25e11700b54c7b6b5ebfc4361981dae12299557b Mon Sep 17 00:00:00 2001
+From: Adrian Hunter
+Date: Tue, 11 Sep 2018 14:45:03 +0300
+Subject: perf script python: Fix export-to-postgresql.py occasional failure
+
+From: Adrian Hunter
+
+commit 25e11700b54c7b6b5ebfc4361981dae12299557b upstream.
+
+Occasional export failures were found to be caused by truncating 64-bit
+pointers to 32-bits. Fix by explicitly setting types for all ctype
+arguments and results.
+
+Signed-off-by: Adrian Hunter
+Cc: Jiri Olsa
+Cc: stable@vger.kernel.org
+Link: http://lkml.kernel.org/r/20180911114504.28516-2-adrian.hunter@intel.com
+Signed-off-by: Arnaldo Carvalho de Melo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ tools/perf/scripts/python/export-to-postgresql.py | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/tools/perf/scripts/python/export-to-postgresql.py
++++ b/tools/perf/scripts/python/export-to-postgresql.py
+@@ -205,14 +205,23 @@ from ctypes import *
+ libpq = CDLL("libpq.so.5")
+ PQconnectdb = libpq.PQconnectdb
+ PQconnectdb.restype = c_void_p
++PQconnectdb.argtypes = [ c_char_p ]
+ PQfinish = libpq.PQfinish
++PQfinish.argtypes = [ c_void_p ]
+ PQstatus = libpq.PQstatus
++PQstatus.restype = c_int
++PQstatus.argtypes = [ c_void_p ]
+ PQexec = libpq.PQexec
+ PQexec.restype = c_void_p
++PQexec.argtypes = [ c_void_p, c_char_p ]
+ PQresultStatus = libpq.PQresultStatus
++PQresultStatus.restype = c_int
++PQresultStatus.argtypes = [ c_void_p ]
+ PQputCopyData = libpq.PQputCopyData
++PQputCopyData.restype = c_int
+ PQputCopyData.argtypes = [ c_void_p, c_void_p, c_int ]
+ PQputCopyEnd = libpq.PQputCopyEnd
++PQputCopyEnd.restype = c_int
+ PQputCopyEnd.argtypes = [ c_void_p, c_void_p ]
+
+ sys.path.append(os.environ['PERF_EXEC_PATH'] + \
diff --git a/queue-4.4/series b/queue-4.4/series
index fef1335ef19..da1388ca53b 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
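Review bot: `PQfinish` gets `argtypes` in the export-to-postgresql.py hunk but no `restype`, so ctypes still applies its default `c_int` return type to a function that returns nothing; adding `PQfinish.restype = None` after the `argtypes` line would complete the "all ctype arguments and results" that the description promises. The other bindings now declare both sides, which is what keeps connection and result pointers from being narrowed on 64-bit hosts. Separately, `CDLL("libpq.so.5")` in the context line resolves the library through the loader's search path, so the script trusts whichever libpq that path yields; a comment saying so would help anyone running the exporter with elevated privileges.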
@@ -7,3 +7,7 @@ stmmac-fix-valid-numbers-of-unicast-filter-entries.patch
 net-macb-disable-scatter-gather-for-macb-on-sama5d3.patch
 arm-dts-at91-add-new-compatibility-string-for-macb-on-sama5d3.patch
 drm-amdgpu-fix-sdma-hqd-destroy-error-on-gfx_v7.patch
+ext4-add-corruption-check-in-ext4_xattr_set_entry.patch
+mm-vmstat.c-fix-outdated-vmstat_text.patch
+mach64-detect-the-dot-clock-divider-correctly-on-sparc.patch
+perf-script-python-fix-export-to-postgresql.py-occasional-failure.patch