From 0aa961923934ee5931cc5bcab18179c676bc1e39 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 5 Nov 2015 16:37:18 -0800 Subject: [PATCH] 3.14-stable patches added patches: asoc-wm8904-correct-number-of-eq-registers.patch drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch iwlwifi-mvm-fix-d3-firmware-pn-programming.patch iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch mm-make-sendfile-2-killable.patch powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch --- ...m8904-correct-number-of-eq-registers.patch | 32 +++++ ...e-lost-dpll-register-write-on-gen2-4.patch | 42 +++++++ ...y-valid-domain-when-there-s-only-one.patch | 46 ++++++++ ...-to-recreate-sysfs-entries-on-resume.patch | 88 ++++++++++++++ ...dd-pwm-attributes-if-dpm-is-disabled.patch | 41 +++++++ ...-t-clear-dte-flags-when-modifying-it.patch | 47 ++++++++ ...i-mvm-fix-d3-firmware-pn-programming.patch | 44 +++++++ ...ci-subvendor-ids-for-the-7265-series.patch | 34 ++++++ queue-3.14/mm-make-sendfile-2-killable.patch | 70 +++++++++++ ...rtas.entry-before-calling-enter_rtas.patch | 51 ++++++++ queue-3.14/series | 11 ++ ...tity-map-to-cover-whole-kernel-range.patch | 111 ++++++++++++++++++ 12 files changed, 617 insertions(+) create mode 100644 queue-3.14/asoc-wm8904-correct-number-of-eq-registers.patch create mode 100644 queue-3.14/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch create mode 100644 queue-3.14/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch create mode 100644 queue-3.14/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch create mode 100644 queue-3.14/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch create mode 100644 queue-3.14/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch create mode 100644 queue-3.14/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch create mode 100644 queue-3.14/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch create mode 100644 queue-3.14/mm-make-sendfile-2-killable.patch create mode 100644 queue-3.14/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch create mode 100644 queue-3.14/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch diff --git a/queue-3.14/asoc-wm8904-correct-number-of-eq-registers.patch b/queue-3.14/asoc-wm8904-correct-number-of-eq-registers.patch new file mode 100644 index 00000000000..a746b09a651 --- /dev/null +++ b/queue-3.14/asoc-wm8904-correct-number-of-eq-registers.patch @@ -0,0 +1,32 @@ +From 97aff2c03a1e4d343266adadb52313613efb027f Mon Sep 17 00:00:00 2001 +From: Charles Keepax +Date: Tue, 20 Oct 2015 10:25:58 +0100 +Subject: ASoC: wm8904: Correct number of EQ registers + +From: Charles Keepax + +commit 97aff2c03a1e4d343266adadb52313613efb027f upstream. + +There are 24 EQ registers not 25, I suspect this bug came about because +the registers start at EQ1 not zero. The bug is relatively harmless as +the extra register written is an unused one. + +Signed-off-by: Charles Keepax +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/sound/wm8904.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/sound/wm8904.h ++++ b/include/sound/wm8904.h +@@ -119,7 +119,7 @@ + #define WM8904_MIC_REGS 2 + #define WM8904_GPIO_REGS 4 + #define WM8904_DRC_REGS 4 +-#define WM8904_EQ_REGS 25 ++#define WM8904_EQ_REGS 24 + + /** + * DRC configurations are specified with a label and a set of register diff --git a/queue-3.14/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch b/queue-3.14/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch new file mode 100644 index 00000000000..872f167c024 --- /dev/null +++ b/queue-3.14/drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch @@ -0,0 +1,42 @@ +From 8e7a65aa70bcc1235a44e40ae0da5056525fe081 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Wed, 7 Oct 2015 22:08:24 +0300 +Subject: drm/i915: Restore lost DPLL register write on gen2-4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= + +commit 8e7a65aa70bcc1235a44e40ae0da5056525fe081 upstream. + +We accidentally lost the initial DPLL register write in +1c4e02746147 drm/i915: Fix DVO 2x clock enable on 830M + +The "three times for luck" hack probably saved us from a total +disaster. But anyway, bring the initial write back so that the +code actually makes some sense. + +Reported-and-tested-by: Nick Bowler +References: http://mid.gmane.org/CAN_QmVyMaArxYgEcVVsGvsMo7-6ohZr8HmF5VhkkL4i9KOmrhw@mail.gmail.com +Cc: Nick Bowler +Signed-off-by: Ville Syrjälä +Reviewed-by: Daniel Vetter +Signed-off-by: Jani Nikula +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -1451,6 +1451,8 @@ static void i9xx_enable_pll(struct intel + + I915_WRITE(reg, dpll); + ++ I915_WRITE(reg, dpll); ++ + /* Wait for the clocks to stabilize. */ + POSTING_READ(reg); + udelay(150); diff --git a/queue-3.14/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch b/queue-3.14/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch new file mode 100644 index 00000000000..53407bb2648 --- /dev/null +++ b/queue-3.14/drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch @@ -0,0 +1,46 @@ +From 2a6c521bb41ce862e43db46f52e7681d33e8d771 Mon Sep 17 00:00:00 2001 +From: Ilia Mirkin +Date: Tue, 20 Oct 2015 01:15:39 -0400 +Subject: drm/nouveau/gem: return only valid domain when there's only one + +From: Ilia Mirkin + +commit 2a6c521bb41ce862e43db46f52e7681d33e8d771 upstream. + +On nv50+, we restrict the valid domains to just the one where the buffer +was originally created. However after the buffer is evicted to system +memory, we might move it back to a different domain that was not +originally valid. When sharing the buffer and retrieving its GEM_INFO +data, we still want the domain that will be valid for this buffer in a +pushbuf, not the one where it currently happens to be. + +This resolves fdo#92504 and several others. These are due to suspend +evicting all buffers, making it more likely that they temporarily end up +in the wrong place. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=92504 +Signed-off-by: Ilia Mirkin +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_gem.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_gem.c ++++ b/drivers/gpu/drm/nouveau/nouveau_gem.c +@@ -196,11 +196,12 @@ nouveau_gem_info(struct drm_file *file_p + struct nouveau_bo *nvbo = nouveau_gem_object(gem); + struct nouveau_vma *vma; + +- if (nvbo->bo.mem.mem_type == TTM_PL_TT) ++ if (is_power_of_2(nvbo->valid_domains)) ++ rep->domain = nvbo->valid_domains; ++ else if (nvbo->bo.mem.mem_type == TTM_PL_TT) + rep->domain = NOUVEAU_GEM_DOMAIN_GART; + else + rep->domain = NOUVEAU_GEM_DOMAIN_VRAM; +- + rep->offset = nvbo->bo.offset; + if (cli->base.vm) { + vma = nouveau_bo_vma_find(nvbo, cli->base.vm); diff --git a/queue-3.14/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch b/queue-3.14/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch new file mode 100644 index 00000000000..2e724bda282 --- /dev/null +++ b/queue-3.14/drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch @@ -0,0 +1,88 @@ +From 49abb26651167c892393cd9f2ad23df429645ed9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 23 Oct 2015 10:38:52 -0400 +Subject: drm/radeon: don't try to recreate sysfs entries on resume + +From: Alex Deucher + +commit 49abb26651167c892393cd9f2ad23df429645ed9 upstream. + +Fixes a harmless error message caused by: +51a4726b04e880fdd9b4e0e58b13f70b0a68a7f5 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon.h | 1 + + drivers/gpu/drm/radeon/radeon_pm.c | 35 +++++++++++++++++++++-------------- + 2 files changed, 22 insertions(+), 14 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon.h ++++ b/drivers/gpu/drm/radeon/radeon.h +@@ -1551,6 +1551,7 @@ struct radeon_pm { + struct device *int_hwmon_dev; + /* dpm */ + bool dpm_enabled; ++ bool sysfs_initialized; + struct radeon_dpm dpm; + }; + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -1354,19 +1354,23 @@ int radeon_pm_late_init(struct radeon_de + + if (rdev->pm.pm_method == PM_METHOD_DPM) { + if (rdev->pm.dpm_enabled) { +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); +- if (ret) +- DRM_ERROR("failed to create device file for dpm state\n"); +- /* XXX: these are noops for dpm but are here for backwards compat */ +- ret = device_create_file(rdev->dev, &dev_attr_power_profile); +- if (ret) +- DRM_ERROR("failed to create device file for power profile\n"); +- ret = device_create_file(rdev->dev, &dev_attr_power_method); +- if (ret) +- DRM_ERROR("failed to create device file for power method\n"); ++ if (!rdev->pm.sysfs_initialized) { ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_state); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_dpm_force_performance_level); ++ if (ret) ++ DRM_ERROR("failed to create device file for dpm state\n"); ++ /* XXX: these are noops for dpm but are here for backwards compat */ ++ ret = device_create_file(rdev->dev, &dev_attr_power_profile); ++ if (ret) ++ DRM_ERROR("failed to create device file for power profile\n"); ++ ret = device_create_file(rdev->dev, &dev_attr_power_method); ++ if (ret) ++ DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; ++ } + + mutex_lock(&rdev->pm.mutex); + ret = radeon_dpm_late_enable(rdev); +@@ -1382,7 +1386,8 @@ int radeon_pm_late_init(struct radeon_de + } + } + } else { +- if (rdev->pm.num_power_states > 1) { ++ if ((rdev->pm.num_power_states > 1) && ++ (!rdev->pm.sysfs_initialized)) { + /* where's the best place to put these? */ + ret = device_create_file(rdev->dev, &dev_attr_power_profile); + if (ret) +@@ -1390,6 +1395,8 @@ int radeon_pm_late_init(struct radeon_de + ret = device_create_file(rdev->dev, &dev_attr_power_method); + if (ret) + DRM_ERROR("failed to create device file for power method\n"); ++ if (!ret) ++ rdev->pm.sysfs_initialized = true; + } + } + return ret; diff --git a/queue-3.14/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch b/queue-3.14/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch new file mode 100644 index 00000000000..8848a85a9d5 --- /dev/null +++ b/queue-3.14/drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch @@ -0,0 +1,41 @@ +From 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 19 Oct 2015 09:30:42 -0400 +Subject: drm/radeon/dpm: don't add pwm attributes if DPM is disabled + +From: Alex Deucher + +commit 2a7d44f47f53fa1be677f44c73d78b1bcf9c05d9 upstream. + +PWM fan control is only available with DPM. If DPM disabled, +don't expose the PWM fan controls to avoid a crash. + +Bug: +https://bugs.freedesktop.org/show_bug.cgi?id=92524 + +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_pm.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -613,10 +613,14 @@ static umode_t hwmon_attributes_visible( + struct device *dev = container_of(kobj, struct device, kobj); + struct radeon_device *rdev = dev_get_drvdata(dev); + +- /* Skip limit attributes if DPM is not enabled */ ++ /* Skip attributes if DPM is not enabled */ + if (rdev->pm.pm_method != PM_METHOD_DPM && + (attr == &sensor_dev_attr_temp1_crit.dev_attr.attr || +- attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr)) ++ attr == &sensor_dev_attr_temp1_crit_hyst.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_enable.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_max.dev_attr.attr || ++ attr == &sensor_dev_attr_pwm1_min.dev_attr.attr)) + return 0; + + return attr->mode; diff --git a/queue-3.14/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch b/queue-3.14/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch new file mode 100644 index 00000000000..75ae3bcac33 --- /dev/null +++ b/queue-3.14/iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch @@ -0,0 +1,47 @@ +From cbf3ccd09d683abf1cacd36e3640872ee912d99b Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Tue, 20 Oct 2015 14:59:36 +0200 +Subject: iommu/amd: Don't clear DTE flags when modifying it + +From: Joerg Roedel + +commit cbf3ccd09d683abf1cacd36e3640872ee912d99b upstream. + +During device assignment/deassignment the flags in the DTE +get lost, which might cause spurious faults, for example +when the device tries to access the system management range. +Fix this by not clearing the flags with the rest of the DTE. + +Reported-by: G. Richard Bellamy +Tested-by: G. Richard Bellamy +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 4 ++-- + drivers/iommu/amd_iommu_types.h | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2152,8 +2152,8 @@ static void set_dte_entry(u16 devid, str + static void clear_dte_entry(u16 devid) + { + /* remove entry from the device table seen by the hardware */ +- amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; +- amd_iommu_dev_table[devid].data[1] = 0; ++ amd_iommu_dev_table[devid].data[0] = IOMMU_PTE_P | IOMMU_PTE_TV; ++ amd_iommu_dev_table[devid].data[1] &= DTE_FLAG_MASK; + + amd_iommu_apply_erratum_63(devid); + } +--- a/drivers/iommu/amd_iommu_types.h ++++ b/drivers/iommu/amd_iommu_types.h +@@ -283,6 +283,7 @@ + #define IOMMU_PTE_IR (1ULL << 61) + #define IOMMU_PTE_IW (1ULL << 62) + ++#define DTE_FLAG_MASK (0x3ffULL << 32) + #define DTE_FLAG_IOTLB (0x01UL << 32) + #define DTE_FLAG_GV (0x01ULL << 55) + #define DTE_GLX_SHIFT (56) diff --git a/queue-3.14/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch b/queue-3.14/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch new file mode 100644 index 00000000000..d4381eaa754 --- /dev/null +++ b/queue-3.14/iwlwifi-mvm-fix-d3-firmware-pn-programming.patch @@ -0,0 +1,44 @@ +From 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 15 Sep 2015 14:36:09 +0200 +Subject: iwlwifi: mvm: fix D3 firmware PN programming + +From: Johannes Berg + +commit 2cf5eb3ab7bb7f2e3a70edcef236cd62c87db030 upstream. + +The code to send the RX PN data (for each TID) to the firmware +has a devastating bug: it overwrites the data for TID 0 with +all the TID data, leaving the remaining TIDs zeroed. This will +allow replays to actually be accepted by the firmware, which +could allow waking up the system. + +Signed-off-by: Johannes Berg +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/mvm/d3.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/mvm/d3.c ++++ b/drivers/net/wireless/iwlwifi/mvm/d3.c +@@ -297,12 +297,12 @@ static void iwl_mvm_wowlan_program_keys( + u8 *pn = seq.ccmp.pn; + + ieee80211_get_key_rx_seq(key, i, &seq); +- aes_sc->pn = cpu_to_le64((u64)pn[5] | +- ((u64)pn[4] << 8) | +- ((u64)pn[3] << 16) | +- ((u64)pn[2] << 24) | +- ((u64)pn[1] << 32) | +- ((u64)pn[0] << 40)); ++ aes_sc[i].pn = cpu_to_le64((u64)pn[5] | ++ ((u64)pn[4] << 8) | ++ ((u64)pn[3] << 16) | ++ ((u64)pn[2] << 24) | ++ ((u64)pn[1] << 32) | ++ ((u64)pn[0] << 40)); + } + data->use_rsc_tsc = true; + break; diff --git a/queue-3.14/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch b/queue-3.14/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch new file mode 100644 index 00000000000..ea71e5c2ba3 --- /dev/null +++ b/queue-3.14/iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch @@ -0,0 +1,34 @@ +From f08f625876476b6c4a87834dc86e3b927f4697d2 Mon Sep 17 00:00:00 2001 +From: Luca Coelho +Date: Tue, 22 Sep 2015 09:44:39 +0300 +Subject: iwlwifi: pci: add a few more PCI subvendor IDs for the 7265 series + +From: Luca Coelho + +commit f08f625876476b6c4a87834dc86e3b927f4697d2 upstream. + +Add 3 new subdevice IDs for the 0x095A device ID and 2 for the 0x095B +device ID. + +Reported-by: Jeremy +Signed-off-by: Luca Coelho +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlwifi/pcie/drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/pcie/drv.c ++++ b/drivers/net/wireless/iwlwifi/pcie/drv.c +@@ -396,6 +396,11 @@ static DEFINE_PCI_DEVICE_TABLE(iwl_hw_ca + {IWL_PCI_DEVICE(0x095A, 0x5590, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095B, 0x5290, iwl7265_2ac_cfg)}, + {IWL_PCI_DEVICE(0x095A, 0x5490, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x5F10, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x5212, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095B, 0x520A, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9000, iwl7265_2ac_cfg)}, ++ {IWL_PCI_DEVICE(0x095A, 0x9400, iwl7265_2ac_cfg)}, + #endif /* CONFIG_IWLMVM */ + + {0} diff --git a/queue-3.14/mm-make-sendfile-2-killable.patch b/queue-3.14/mm-make-sendfile-2-killable.patch new file mode 100644 index 00000000000..1ea4ebff3da --- /dev/null +++ b/queue-3.14/mm-make-sendfile-2-killable.patch @@ -0,0 +1,70 @@ +From 296291cdd1629c308114504b850dc343eabc2782 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 22 Oct 2015 13:32:21 -0700 +Subject: mm: make sendfile(2) killable + +From: Jan Kara + +commit 296291cdd1629c308114504b850dc343eabc2782 upstream. + +Currently a simple program below issues a sendfile(2) system call which +takes about 62 days to complete in my test KVM instance. + + int fd; + off_t off = 0; + + fd = open("file", O_RDWR | O_TRUNC | O_SYNC | O_CREAT, 0644); + ftruncate(fd, 2); + lseek(fd, 0, SEEK_END); + sendfile(fd, fd, &off, 0xfffffff); + +Now you should not ask kernel to do a stupid stuff like copying 256MB in +2-byte chunks and call fsync(2) after each chunk but if you do, sysadmin +should have a way to stop you. + +We actually do have a check for fatal_signal_pending() in +generic_perform_write() which triggers in this path however because we +always succeed in writing something before the check is done, we return +value > 0 from generic_perform_write() and thus the information about +signal gets lost. + +Fix the problem by doing the signal check before writing anything. That +way generic_perform_write() returns -EINTR, the error gets propagated up +and the sendfile loop terminates early. + +Signed-off-by: Jan Kara +Reported-by: Dmitry Vyukov +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -2509,6 +2509,11 @@ again: + break; + } + ++ if (fatal_signal_pending(current)) { ++ status = -EINTR; ++ break; ++ } ++ + status = a_ops->write_begin(file, mapping, pos, bytes, flags, + &page, &fsdata); + if (unlikely(status < 0)) +@@ -2546,10 +2551,6 @@ again: + written += copied; + + balance_dirty_pages_ratelimited(mapping); +- if (fatal_signal_pending(current)) { +- status = -EINTR; +- break; +- } + } while (iov_iter_count(i)); + + return written ? written : status; diff --git a/queue-3.14/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch b/queue-3.14/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch new file mode 100644 index 00000000000..e96a8d7f3db --- /dev/null +++ b/queue-3.14/powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch @@ -0,0 +1,51 @@ +From 8832317f662c06f5c06e638f57bfe89a71c9b266 Mon Sep 17 00:00:00 2001 +From: Vasant Hegde +Date: Fri, 16 Oct 2015 15:53:29 +0530 +Subject: powerpc/rtas: Validate rtas.entry before calling enter_rtas() + +From: Vasant Hegde + +commit 8832317f662c06f5c06e638f57bfe89a71c9b266 upstream. + +Currently we do not validate rtas.entry before calling enter_rtas(). This +leads to a kernel oops when user space calls rtas system call on a powernv +platform (see below). This patch adds code to validate rtas.entry before +making enter_rtas() call. + + Oops: Exception in kernel mode, sig: 4 [#1] + SMP NR_CPUS=1024 NUMA PowerNV + task: c000000004294b80 ti: c0000007e1a78000 task.ti: c0000007e1a78000 + NIP: 0000000000000000 LR: 0000000000009c14 CTR: c000000000423140 + REGS: c0000007e1a7b920 TRAP: 0e40 Not tainted (3.18.17-340.el7_1.pkvm3_1_0.2400.1.ppc64le) + MSR: 1000000000081000 CR: 00000000 XER: 00000000 + CFAR: c000000000009c0c SOFTE: 0 + NIP [0000000000000000] (null) + LR [0000000000009c14] 0x9c14 + Call Trace: + [c0000007e1a7bba0] [c00000000041a7f4] avc_has_perm_noaudit+0x54/0x110 (unreliable) + [c0000007e1a7bd80] [c00000000002ddc0] ppc_rtas+0x150/0x2d0 + [c0000007e1a7be30] [c000000000009358] syscall_exit+0x0/0x98 + +Fixes: 55190f88789a ("powerpc: Add skeleton PowerNV platform") +Reported-by: NAGESWARA R. SASTRY +Signed-off-by: Vasant Hegde +[mpe: Reword change log, trim oops, and add stable + fixes] +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/rtas.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/powerpc/kernel/rtas.c ++++ b/arch/powerpc/kernel/rtas.c +@@ -1041,6 +1041,9 @@ asmlinkage int ppc_rtas(struct rtas_args + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + ++ if (!rtas.entry) ++ return -EINVAL; ++ + if (copy_from_user(&args, uargs, 3 * sizeof(u32)) != 0) + return -EFAULT; + diff --git a/queue-3.14/series b/queue-3.14/series index a53ec4ba942..72f0a1f4072 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -1,3 +1,14 @@ ath9k-declare-required-extra-tx-headroom.patch iwlwifi-dvm-fix-d3-firmware-pn-programming.patch iwlwifi-fix-firmware-filename-for-3160.patch +iwlwifi-mvm-fix-d3-firmware-pn-programming.patch +iwlwifi-pci-add-a-few-more-pci-subvendor-ids-for-the-7265-series.patch +iommu-amd-don-t-clear-dte-flags-when-modifying-it.patch +powerpc-rtas-validate-rtas.entry-before-calling-enter_rtas.patch +asoc-wm8904-correct-number-of-eq-registers.patch +x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch +mm-make-sendfile-2-killable.patch +drm-nouveau-gem-return-only-valid-domain-when-there-s-only-one.patch +drm-radeon-dpm-don-t-add-pwm-attributes-if-dpm-is-disabled.patch +drm-i915-restore-lost-dpll-register-write-on-gen2-4.patch +drm-radeon-don-t-try-to-recreate-sysfs-entries-on-resume.patch diff --git a/queue-3.14/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch b/queue-3.14/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch new file mode 100644 index 00000000000..7b6de5ae167 --- /dev/null +++ b/queue-3.14/x86-setup-extend-low-identity-map-to-cover-whole-kernel-range.patch @@ -0,0 +1,111 @@ +From f5f3497cad8c8416a74b9aaceb127908755d020a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Wed, 14 Oct 2015 13:30:45 +0200 +Subject: x86/setup: Extend low identity map to cover whole kernel range + +From: Paolo Bonzini + +commit f5f3497cad8c8416a74b9aaceb127908755d020a upstream. + +On 32-bit systems, the initial_page_table is reused by +efi_call_phys_prolog as an identity map to call +SetVirtualAddressMap. efi_call_phys_prolog takes care of +converting the current CPU's GDT to a physical address too. + +For PAE kernels the identity mapping is achieved by aliasing the +first PDPE for the kernel memory mapping into the first PDPE +of initial_page_table. This makes the EFI stub's trick "just work". + +However, for non-PAE kernels there is no guarantee that the identity +mapping in the initial_page_table extends as far as the GDT; in this +case, accesses to the GDT will cause a page fault (which quickly becomes +a triple fault). Fix this by copying the kernel mappings from +swapper_pg_dir to initial_page_table twice, both at PAGE_OFFSET and at +identity mapping. + +For some reason, this is only reproducible with QEMU's dynamic translation +mode, and not for example with KVM. However, even under KVM one can clearly +see that the page table is bogus: + + $ qemu-system-i386 -pflash OVMF.fd -M q35 vmlinuz0 -s -S -daemonize + $ gdb + (gdb) target remote localhost:1234 + (gdb) hb *0x02858f6f + Hardware assisted breakpoint 1 at 0x2858f6f + (gdb) c + Continuing. + + Breakpoint 1, 0x02858f6f in ?? () + (gdb) monitor info registers + ... + GDT= 0724e000 000000ff + IDT= fffbb000 000007ff + CR0=0005003b CR2=ff896000 CR3=032b7000 CR4=00000690 + ... + +The page directory is sane: + + (gdb) x/4wx 0x32b7000 + 0x32b7000: 0x03398063 0x03399063 0x0339a063 0x0339b063 + (gdb) x/4wx 0x3398000 + 0x3398000: 0x00000163 0x00001163 0x00002163 0x00003163 + (gdb) x/4wx 0x3399000 + 0x3399000: 0x00400003 0x00401003 0x00402003 0x00403003 + +but our particular page directory entry is empty: + + (gdb) x/1wx 0x32b7000 + (0x724e000 >> 22) * 4 + 0x32b7070: 0x00000000 + +[ It appears that you can skate past this issue if you don't receive + any interrupts while the bogus GDT pointer is loaded, or if you avoid + reloading the segment registers in general. + + Andy Lutomirski provides some additional insight: + + "AFAICT it's entirely permissible for the GDTR and/or LDT + descriptor to point to unmapped memory. Any attempt to use them + (segment loads, interrupts, IRET, etc) will try to access that memory + as if the access came from CPL 0 and, if the access fails, will + generate a valid page fault with CR2 pointing into the GDT or + LDT." + + Up until commit 23a0d4e8fa6d ("efi: Disable interrupts around EFI + calls, not in the epilog/prolog calls") interrupts were disabled + around the prolog and epilog calls, and the functional GDT was + re-installed before interrupts were re-enabled. + + Which explains why no one has hit this issue until now. ] + +Signed-off-by: Paolo Bonzini +Reported-by: Laszlo Ersek +Cc: Borislav Petkov +Cc: "H. Peter Anvin" +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: Andy Lutomirski +Signed-off-by: Matt Fleming +[ Updated changelog. ] +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1178,6 +1178,14 @@ void __init setup_arch(char **cmdline_p) + clone_pgd_range(initial_page_table + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, + KERNEL_PGD_PTRS); ++ ++ /* ++ * sync back low identity map too. It is used for example ++ * in the 32-bit EFI stub. ++ */ ++ clone_pgd_range(initial_page_table, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ KERNEL_PGD_PTRS); + #endif + + tboot_probe(); -- 2.47.2