From 2cb150169f3a78e70347f579f8477ceef4a54805 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 26 Mar 2012 14:50:01 -0700 Subject: [PATCH] 3.2-stable patches added patches: hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch sysctl-protect-poll-in-entries-that-may-go-away.patch x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch --- ...ign-extension-of-running_avg_capture.patch | 33 +++++++ ...ning-for-prealloc_protection_domains.patch | 36 +++++++ ...et-dentry-ops-in-proc_ns_instantiate.patch | 46 +++++++++ queue-3.2/series | 5 + ...ect-poll-in-entries-that-may-go-away.patch | 95 +++++++++++++++++++ ...-processing-signals-for-kernel-tasks.patch | 82 ++++++++++++++++ 6 files changed, 297 insertions(+) create mode 100644 queue-3.2/hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch create mode 100644 queue-3.2/iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch create mode 100644 queue-3.2/proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch create mode 100644 queue-3.2/sysctl-protect-poll-in-entries-that-may-go-away.patch create mode 100644 queue-3.2/x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch diff --git a/queue-3.2/hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch b/queue-3.2/hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch new file mode 100644 index 00000000000..8868f3abf3e --- /dev/null +++ b/queue-3.2/hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch @@ -0,0 +1,33 @@ +From fc0900cbda9243957d812cd6b4cc87965f9fe75f Mon Sep 17 00:00:00 2001 +From: Andreas Herrmann +Date: Fri, 23 Mar 2012 10:02:17 +0100 +Subject: hwmon: (fam15h_power) Correct sign extension of running_avg_capture + +From: Andreas Herrmann + +commit fc0900cbda9243957d812cd6b4cc87965f9fe75f upstream. + +Wrong bit was used for sign extension which caused wrong end results. +Thanks to Andre for spotting this bug. + +Reported-by: Andre Przywara +Signed-off-by: Andreas Herrmann +Acked-by: Guenter Roeck +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/fam15h_power.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/fam15h_power.c ++++ b/drivers/hwmon/fam15h_power.c +@@ -60,7 +60,7 @@ static ssize_t show_power(struct device + pci_bus_read_config_dword(f4->bus, PCI_DEVFN(PCI_SLOT(f4->devfn), 5), + REG_TDP_RUNNING_AVERAGE, &val); + running_avg_capture = (val >> 4) & 0x3fffff; +- running_avg_capture = sign_extend32(running_avg_capture, 22); ++ running_avg_capture = sign_extend32(running_avg_capture, 21); + running_avg_range = val & 0xf; + + pci_bus_read_config_dword(f4->bus, PCI_DEVFN(PCI_SLOT(f4->devfn), 5), diff --git a/queue-3.2/iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch b/queue-3.2/iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch new file mode 100644 index 00000000000..4d766b3dc3e --- /dev/null +++ b/queue-3.2/iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch @@ -0,0 +1,36 @@ +From cebd5fa4d3046d5b43ce1836a0120612822a7fb0 Mon Sep 17 00:00:00 2001 +From: Steffen Persvold +Date: Thu, 15 Mar 2012 15:20:29 +0100 +Subject: iommu/amd: Fix section warning for prealloc_protection_domains + +From: Steffen Persvold + +commit cebd5fa4d3046d5b43ce1836a0120612822a7fb0 upstream. + +Fix the following section warning in drivers/iommu/amd_iommu.c : + +WARNING: vmlinux.o(.text+0x526e77): Section mismatch in reference from the function prealloc_protection_domains() to the function .init.text:alloc_passthrough_domain() +The function prealloc_protection_domains() references +the function __init alloc_passthrough_domain(). +This is often because prealloc_protection_domains lacks a __init +annotation or the annotation of alloc_passthrough_domain is wrong. + +Signed-off-by: Steffen Persvold +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/iommu/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/iommu/amd_iommu.c ++++ b/drivers/iommu/amd_iommu.c +@@ -2432,7 +2432,7 @@ static int amd_iommu_dma_supported(struc + * we don't need to preallocate the protection domains anymore. + * For now we have to. + */ +-static void prealloc_protection_domains(void) ++static void __init prealloc_protection_domains(void) + { + struct pci_dev *dev = NULL; + struct dma_ops_domain *dma_dom; diff --git a/queue-3.2/proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch b/queue-3.2/proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch new file mode 100644 index 00000000000..f8e18a55304 --- /dev/null +++ b/queue-3.2/proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch @@ -0,0 +1,46 @@ +From 1b26c9b334044cff6d1d2698f2be41bc7d9a0864 Mon Sep 17 00:00:00 2001 +From: Pravin B Shelar +Date: Fri, 23 Mar 2012 15:02:55 -0700 +Subject: proc-ns: use d_set_d_op() API to set dentry ops in proc_ns_instantiate(). + +From: Pravin B Shelar + +commit 1b26c9b334044cff6d1d2698f2be41bc7d9a0864 upstream. + +The namespace cleanup path leaks a dentry which holds a reference count +on a network namespace. Keeping that network namespace from being freed +when the last user goes away. Leaving things like vlan devices in the +leaked network namespace. + +If you use ip netns add for much real work this problem becomes apparent +pretty quickly. It light testing the problem hides because frequently +you simply don't notice the leak. + +Use d_set_d_op() so that DCACHE_OP_* flags are set correctly. + +This issue exists back to 3.0. + +Acked-by: "Eric W. Biederman" +Reported-by: Justin Pettit +Signed-off-by: Pravin B Shelar +Signed-off-by: Jesse Gross +Cc: David Miller +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/namespaces.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/namespaces.c ++++ b/fs/proc/namespaces.c +@@ -54,7 +54,7 @@ static struct dentry *proc_ns_instantiat + ei->ns_ops = ns_ops; + ei->ns = ns; + +- dentry->d_op = &pid_dentry_operations; ++ d_set_d_op(dentry, &pid_dentry_operations); + d_add(dentry, inode); + /* Close the race of the process dying before we return the dentry */ + if (pid_revalidate(dentry, NULL)) diff --git a/queue-3.2/series b/queue-3.2/series index 04c90bffdbb..454abf5dff6 100644 --- a/queue-3.2/series +++ b/queue-3.2/series @@ -98,3 +98,8 @@ sunrpc-we-must-not-use-list_for_each_entry_safe-in-rpc_wake_up.patch usbnet-increase-urb-reference-count-before-usb_unlink_urb.patch usbnet-don-t-clear-urb-dev-in-tx_complete.patch e1000e-avoid-wrong-check-on-tx-hang.patch +x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch +proc-ns-use-d_set_d_op-api-to-set-dentry-ops-in-proc_ns_instantiate.patch +iommu-amd-fix-section-warning-for-prealloc_protection_domains.patch +sysctl-protect-poll-in-entries-that-may-go-away.patch +hwmon-fam15h_power-correct-sign-extension-of-running_avg_capture.patch diff --git a/queue-3.2/sysctl-protect-poll-in-entries-that-may-go-away.patch b/queue-3.2/sysctl-protect-poll-in-entries-that-may-go-away.patch new file mode 100644 index 00000000000..ef5070d2d48 --- /dev/null +++ b/queue-3.2/sysctl-protect-poll-in-entries-that-may-go-away.patch @@ -0,0 +1,95 @@ +From 4e474a00d7ff746ed177ddae14fa8b2d4bad7a00 Mon Sep 17 00:00:00 2001 +From: Lucas De Marchi +Date: Thu, 22 Mar 2012 14:42:22 -0700 +Subject: sysctl: protect poll() in entries that may go away + +From: Lucas De Marchi + +commit 4e474a00d7ff746ed177ddae14fa8b2d4bad7a00 upstream. + +Protect code accessing ctl_table by grabbing the header with grab_header() +and after releasing with sysctl_head_finish(). This is needed if poll() +is called in entries created by modules: currently only hostname and +domainname support poll(), but this bug may be triggered when/if modules +use it and if user called poll() in a file that doesn't support it. + +Dave Jones reported the following when using a syscall fuzzer while +hibernating/resuming: + +RIP: 0010:[] [] proc_sys_poll+0x4e/0x90 +RAX: 0000000000000145 RBX: ffff88020cab6940 RCX: 0000000000000000 +RDX: ffffffff81233df0 RSI: 6b6b6b6b6b6b6b6b RDI: ffff88020cab6940 +[ ... ] +Code: 00 48 89 fb 48 89 f1 48 8b 40 30 4c 8b 60 e8 b8 45 01 00 00 49 83 +7c 24 28 00 74 2e 49 8b 74 24 30 48 85 f6 74 24 48 85 c9 75 32 <8b> 16 +b8 45 01 00 00 48 63 d2 49 39 d5 74 10 8b 06 48 98 48 89 + +If an entry goes away while we are polling() it, ctl_table may not exist +anymore. + +Reported-by: Dave Jones +Signed-off-by: Lucas De Marchi +Cc: Al Viro +Cc: Linus Torvalds +Cc: Alexey Dobriyan +Signed-off-by: Andrew Morton +Signed-off-by: Eric W. Biederman +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/proc_sysctl.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/fs/proc/proc_sysctl.c ++++ b/fs/proc/proc_sysctl.c +@@ -188,20 +188,32 @@ static ssize_t proc_sys_write(struct fil + + static int proc_sys_open(struct inode *inode, struct file *filp) + { ++ struct ctl_table_header *head = grab_header(inode); + struct ctl_table *table = PROC_I(inode)->sysctl_entry; + ++ /* sysctl was unregistered */ ++ if (IS_ERR(head)) ++ return PTR_ERR(head); ++ + if (table->poll) + filp->private_data = proc_sys_poll_event(table->poll); + ++ sysctl_head_finish(head); ++ + return 0; + } + + static unsigned int proc_sys_poll(struct file *filp, poll_table *wait) + { + struct inode *inode = filp->f_path.dentry->d_inode; ++ struct ctl_table_header *head = grab_header(inode); + struct ctl_table *table = PROC_I(inode)->sysctl_entry; +- unsigned long event = (unsigned long)filp->private_data; + unsigned int ret = DEFAULT_POLLMASK; ++ unsigned long event; ++ ++ /* sysctl was unregistered */ ++ if (IS_ERR(head)) ++ return POLLERR | POLLHUP; + + if (!table->proc_handler) + goto out; +@@ -209,6 +221,7 @@ static unsigned int proc_sys_poll(struct + if (!table->poll) + goto out; + ++ event = (unsigned long)filp->private_data; + poll_wait(filp, &table->poll->wait, wait); + + if (event != atomic_read(&table->poll->event)) { +@@ -217,6 +230,8 @@ static unsigned int proc_sys_poll(struct + } + + out: ++ sysctl_head_finish(head); ++ + return ret; + } + diff --git a/queue-3.2/x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch b/queue-3.2/x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch new file mode 100644 index 00000000000..4f7e4166f9c --- /dev/null +++ b/queue-3.2/x86-32-fix-endless-loop-when-processing-signals-for-kernel-tasks.patch @@ -0,0 +1,82 @@ +From 29a2e2836ff9ea65a603c89df217f4198973a74f Mon Sep 17 00:00:00 2001 +From: Dmitry Adamushko +Date: Thu, 22 Mar 2012 21:39:25 +0100 +Subject: x86-32: Fix endless loop when processing signals for kernel tasks + +From: Dmitry Adamushko + +commit 29a2e2836ff9ea65a603c89df217f4198973a74f upstream. + +The problem occurs on !CONFIG_VM86 kernels [1] when a kernel-mode task +returns from a system call with a pending signal. + +A real-life scenario is a child of 'khelper' returning from a failed +kernel_execve() in ____call_usermodehelper() [ kernel/kmod.c ]. +kernel_execve() fails due to a pending SIGKILL, which is the result of +"kill -9 -1" (at least, busybox's init does it upon reboot). + +The loop is as follows: + +* syscall_exit_work: + - work_pending: // start_of_the_loop + - work_notify_sig: + - do_notify_resume() + - do_signal() + - if (!user_mode(regs)) return; + - resume_userspace // TIF_SIGPENDING is still set + - work_pending // so we call work_pending => goto + // start_of_the_loop + +More information can be found in another LKML thread: +http://www.serverphorums.com/read.php?12,457826 + +[1] the problem was also seen on MIPS. + +Signed-off-by: Dmitry Adamushko +Link: http://lkml.kernel.org/r/1332448765.2299.68.camel@dimm +Cc: Oleg Nesterov +Cc: Roland McGrath +Cc: Andrew Morton +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/entry_32.S | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/arch/x86/kernel/entry_32.S ++++ b/arch/x86/kernel/entry_32.S +@@ -99,12 +99,6 @@ + #endif + .endm + +-#ifdef CONFIG_VM86 +-#define resume_userspace_sig check_userspace +-#else +-#define resume_userspace_sig resume_userspace +-#endif +- + /* + * User gs save/restore + * +@@ -328,10 +322,19 @@ ret_from_exception: + preempt_stop(CLBR_ANY) + ret_from_intr: + GET_THREAD_INFO(%ebp) +-check_userspace: ++resume_userspace_sig: ++#ifdef CONFIG_VM86 + movl PT_EFLAGS(%esp), %eax # mix EFLAGS and CS + movb PT_CS(%esp), %al + andl $(X86_EFLAGS_VM | SEGMENT_RPL_MASK), %eax ++#else ++ /* ++ * We can be coming here from a syscall done in the kernel space, ++ * e.g. a failed kernel_execve(). ++ */ ++ movl PT_CS(%esp), %eax ++ andl $SEGMENT_RPL_MASK, %eax ++#endif + cmpl $USER_RPL, %eax + jb resume_kernel # not returning to v8086 or userspace + -- 2.47.3