From 5f88aed2f24069e9dd28c1ce1b1c4be3c840dea8 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 10 Nov 2014 14:57:16 +0900
Subject: [PATCH] 3.14-stable patches
added patches:
mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
posix-timers-fix-stack-info-leak-in-timer_create.patch
tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
x86-apic-handle-a-bad-tsc-more-gracefully.patch
---
 ...arting-baserate-for-rts_cts_rate_idx.patch | 45 +++++++++++
 ...ery-during-resuming-from-hibernation.patch | 40 ++++++++++
 ...-fix-stack-info-leak-in-timer_create.patch | 45 +++++++++++
 queue-3.14/series | 5 ++
 ...igh-cpu-load-if-tty-is-unreleaseable.patch | 49 ++++++++++++
 ...pic-handle-a-bad-tsc-more-gracefully.patch | 74 +++++++++++++++++++
 6 files changed, 258 insertions(+)
 create mode 100644 queue-3.14/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
 create mode 100644 queue-3.14/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
 create mode 100644 queue-3.14/posix-timers-fix-stack-info-leak-in-timer_create.patch
 create mode 100644 queue-3.14/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
 create mode 100644 queue-3.14/x86-apic-handle-a-bad-tsc-more-gracefully.patch
diff --git a/queue-3.14/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch b/queue-3.14/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
new file mode 100644
index 00000000000..2fda3924df3
--- /dev/null
+++ b/queue-3.14/mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
@@ -0,0 +1,45 @@
+From c7abf25af0f41be4b50d44c5b185d52eea360cb8 Mon Sep 17 00:00:00 2001
+From: Karl Beldan
+Date: Mon, 13 Oct 2014 14:34:41 +0200
+Subject: mac80211: fix typo in starting baserate for rts_cts_rate_idx
+
+From: Karl Beldan
+
+commit c7abf25af0f41be4b50d44c5b185d52eea360cb8 upstream.
+
+It affects non-(V)HT rates and can lead to selecting an rts_cts rate
+that is not a basic rate or way superior to the reference rate (ATM
+rates[0] used for the 1st attempt of the protected frame data).
+
+E.g, assuming drivers register growing (bitrate) sorted tables of
+ieee80211_rate-s, having :
+- rates[0].idx == d'2 and basic_rates == b'10100
+will select rts_cts idx b'10011 & ~d'(BIT(2)-1), i.e. 1, likewise
+- rates[0].idx == d'2 and basic_rates == b'10001
+will select rts_cts idx b'10000
+The first is not a basic rate and the second is > rates[0].
+
+Also, wrt severity of the addressed misbehavior, ATM we only have one
+rts_cts_rate_idx rather than one per rate table entry, so this idx might
+still point to bitrates > rates[1..MAX_RATES].
+
+Fixes: 5253ffb8c9e1 ("mac80211: always pick a basic rate to tx RTS/CTS for pre-HT rates")
+Signed-off-by: Karl Beldan
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rate.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/mac80211/rate.c
++++ b/net/mac80211/rate.c
+@@ -462,7 +462,7 @@ static void rate_fixup_ratelist(struct i
+ */
+ if (!(rates[0].flags & IEEE80211_TX_RC_MCS)) {
+ u32 basic_rates = vif->bss_conf.basic_rates;
+- s8 baserate = basic_rates ? ffs(basic_rates - 1) : 0;
++ s8 baserate = basic_rates ? ffs(basic_rates) - 1 : 0;
+
+ rate = &sband->bitrates[rates[0].idx];
+
diff --git a/queue-3.14/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch b/queue-3.14/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
new file mode 100644
index 00000000000..5c4f9f73f26
--- /dev/null
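Review bot: The corrected `ffs(basic_rates) - 1` carries no comment saying that ffs() is 1-based, which is exactly the detail the original typo got wrong, so the next reader has to rediscover why the `- 1` sits outside the call. A one-liner such as `/* ffs() is 1-based: lowest set basic rate as a 0-based bitrate index */` on the new line would make the intent survive the next edit. The `basic_rates ?` guard is what keeps the result at 0 instead of -1 when no basic rate is configured, and is worth stating alongside it. rate_fixup_ratelist() starts and ends outside the hunk, so how `baserate` is subsequently compared against `rates[0].idx` is not visible here.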
+++ b/queue-3.14/pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
@@ -0,0 +1,40 @@
+From 94fb823fcb4892614f57e59601bb9d4920f24711 Mon Sep 17 00:00:00 2001
+From: Imre Deak
+Date: Fri, 24 Oct 2014 20:29:10 +0300
+Subject: PM / Sleep: fix recovery during resuming from hibernation
+
+From: Imre Deak
+
+commit 94fb823fcb4892614f57e59601bb9d4920f24711 upstream.
+
+If a device's dev_pm_ops::freeze callback fails during the QUIESCE
+phase, we don't rollback things correctly calling the thaw and complete
+callbacks. This could leave some devices in a suspended state in case of
+an error during resuming from hibernation.
+
+Signed-off-by: Imre Deak
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/power/hibernate.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/kernel/power/hibernate.c
++++ b/kernel/power/hibernate.c
+@@ -492,8 +492,14 @@ int hibernation_restore(int platform_mod
+ error = dpm_suspend_start(PMSG_QUIESCE);
+ if (!error) {
+ error = resume_target_kernel(platform_mode);
+- dpm_resume_end(PMSG_RECOVER);
++ /*
++ * The above should either succeed and jump to the new kernel,
++ * or return with an error. Otherwise things are just
++ * undefined, so let's be paranoid.
++ */
++ BUG_ON(!error);
+ }
++ dpm_resume_end(PMSG_RECOVER);
+ pm_restore_gfp_mask();
+ ftrace_start();
+ resume_console();
diff --git a/queue-3.14/posix-timers-fix-stack-info-leak-in-timer_create.patch b/queue-3.14/posix-timers-fix-stack-info-leak-in-timer_create.patch
new file mode 100644
index 00000000000..161d0f2207d
--- /dev/null
+++ b/queue-3.14/posix-timers-fix-stack-info-leak-in-timer_create.patch
@@ -0,0 +1,45 @@
+From 6891c4509c792209c44ced55a60f13954cb50ef4 Mon Sep 17 00:00:00 2001
+From: Mathias Krause
+Date: Sat, 4 Oct 2014 23:06:39 +0200
+Subject: posix-timers: Fix stack info leak in timer_create()
+
+From: Mathias Krause
+
+commit 6891c4509c792209c44ced55a60f13954cb50ef4 upstream.
+
+If userland creates a timer without specifying a sigevent info, we'll
+create one ourself, using a stack local variable. Particularly will we
+use the timer ID as sival_int. But as sigev_value is a union containing
+a pointer and an int, that assignment will only partially initialize
+sigev_value on systems where the size of a pointer is bigger than the
+size of an int. On such systems we'll copy the uninitialized stack bytes
+from the timer_create() call to userland when the timer actually fires
+and we're going to deliver the signal.
+
+Initialize sigev_value with 0 to plug the stack info leak.
+
+Found in the PaX patch, written by the PaX Team.
+
+Fixes: 5a9fa7307285 ("posix-timers: kill ->it_sigev_signo and...")
+Signed-off-by: Mathias Krause
+Cc: Oleg Nesterov
+Cc: Brad Spengler
+Cc: PaX Team
+Link: http://lkml.kernel.org/r/1412456799-32339-1-git-send-email-minipli@googlemail.com
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/posix-timers.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/kernel/posix-timers.c
++++ b/kernel/posix-timers.c
+@@ -634,6 +634,7 @@ SYSCALL_DEFINE3(timer_create, const cloc
+ goto out;
+ }
+ } else {
++ memset(&event.sigev_value, 0, sizeof(event.sigev_value));
+ event.sigev_notify = SIGEV_SIGNAL;
+ event.sigev_signo = SIGALRM;
+ event.sigev_value.sival_int = new_timer->it_id;
diff --git a/queue-3.14/series b/queue-3.14/series
index aad80474e6c..aaa59b7217b 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
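Review bot: The new `memset()` zeroes only `sigev_value`, the union the commit message identifies as being copied out to userland on signal delivery, and leaves the remaining bytes of the stack-allocated `event` (its `_sigev_un` union, for one) uninitialized in this `else` branch. That is sufficient for the leak described, but zeroing the whole object once at its declaration — `memset(&event, 0, sizeof(event));` before the `if (timer_event_spec)` split, or an empty initializer — would close the same class of bug for any field a later change starts copying out, at no extra cost. The declaration of `event` and the `copy_from_user()` branch sit above the hunk, so I cannot confirm from here that nothing else reads those bytes; treat this as defence in depth rather than a second defect. SYSCALL_DEFINE3(timer_create) starts and ends outside the hunk.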
@@ -177,3 +177,8 @@ ext3-don-t-check-quota-format-when-there-are-no-quota-files.patch
 pci-rename-sysfs-enabled-file-back-to-enable.patch
 quota-properly-return-errors-from-dquot_writeback_dquots.patch
 xfs-avoid-false-quotacheck-after-unclean-shutdown.patch
+tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
+pm-sleep-fix-recovery-during-resuming-from-hibernation.patch
+mac80211-fix-typo-in-starting-baserate-for-rts_cts_rate_idx.patch
+posix-timers-fix-stack-info-leak-in-timer_create.patch
+x86-apic-handle-a-bad-tsc-more-gracefully.patch
diff --git a/queue-3.14/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch b/queue-3.14/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
new file mode 100644
index 00000000000..2ef88557525
--- /dev/null
+++ b/queue-3.14/tty-fix-high-cpu-load-if-tty-is-unreleaseable.patch
@@ -0,0 +1,49 @@
+From 37b164578826406a173ca7c20d9ba7430134d23e Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Thu, 16 Oct 2014 13:51:30 -0400
+Subject: tty: Fix high cpu load if tty is unreleaseable
+
+From: Peter Hurley
+
+commit 37b164578826406a173ca7c20d9ba7430134d23e upstream.
+
+Kernel oops can cause the tty to be unreleaseable (for example, if
+n_tty_read() crashes while on the read_wait queue). This will cause
+tty_release() to endlessly loop without sleeping.
+
+Use a killable sleep timeout which grows by 2n+1 jiffies over the interval
+[0, 120 secs.) and then jumps to forever (but still killable).
+
+NB: killable just allows for the task to be rewoken manually, not
+to be terminated.
+
+Signed-off-by: Peter Hurley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/tty/tty_io.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/tty/tty_io.c
++++ b/drivers/tty/tty_io.c
+@@ -1701,6 +1701,7 @@ int tty_release(struct inode *inode, str
+ int pty_master, tty_closing, o_tty_closing, do_sleep;
+ int idx;
+ char buf[64];
++ long timeout = 0;
+
+ if (tty_paranoia_check(tty, inode, __func__))
+ return 0;
+@@ -1785,7 +1786,11 @@ int tty_release(struct inode *inode, str
+ __func__, tty_name(tty, buf));
+ tty_unlock_pair(tty, o_tty);
+ mutex_unlock(&tty_mutex);
+- schedule();
++ schedule_timeout_killable(timeout);
++ if (timeout < 120 * HZ)
++ timeout = 2 * timeout + 1;
++ else
++ timeout = MAX_SCHEDULE_TIMEOUT;
+ }
+
+ /*
diff --git a/queue-3.14/x86-apic-handle-a-bad-tsc-more-gracefully.patch b/queue-3.14/x86-apic-handle-a-bad-tsc-more-gracefully.patch
new file mode 100644
index 00000000000..5b3ddffd0cc
--- /dev/null
+++ b/queue-3.14/x86-apic-handle-a-bad-tsc-more-gracefully.patch
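Review bot: The return value of `schedule_timeout_killable(timeout)` is discarded, and as far as I can tell a TASK_KILLABLE sleep returns immediately while a fatal signal is pending, so a task that receives SIGKILL while stuck in this loop would fall back into the 100% CPU spin the backoff is meant to remove — tty_release() cannot return, so the signal is never actually delivered and the condition persists. The commit's NB acknowledges that killable only means wakeable, but the busy-loop consequence is not handled; a guard such as `if (fatal_signal_pending(current)) schedule_timeout_uninterruptible(timeout); else schedule_timeout_killable(timeout);` would keep the backoff in that case. `120 * HZ` is also an unnamed ceiling; a `#define` or a comment stating the two-minute cap next to the comparison would help. The `while` loop that contains this sleep begins above the second hunk, so whether anything breaks out of it on a pending signal is not visible here.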
@@ -0,0 +1,74 @@
+From b47dcbdc5161d3d5756f430191e2840d9b855492 Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Wed, 15 Oct 2014 10:12:07 -0700
+Subject: x86, apic: Handle a bad TSC more gracefully
+
+From: Andy Lutomirski
+
+commit b47dcbdc5161d3d5756f430191e2840d9b855492 upstream.
+
+If the TSC is unusable or disabled, then this patch fixes:
+
+ - Confusion while trying to clear old APIC interrupts.
+ - Division by zero and incorrect programming of the TSC deadline
+ timer.
+
+This fixes boot if the CPU has a TSC deadline timer but a missing or
+broken TSC. The failure to boot can be observed with qemu using
+-cpu qemu64,-tsc,+tsc-deadline
+
+This also happens to me in nested KVM for unknown reasons.
+With this patch, I can boot cleanly (although without a TSC).
+
+Signed-off-by: Andy Lutomirski
+Cc: Bandan Das
+Link: http://lkml.kernel.org/r/e2fa274e498c33988efac0ba8b7e3120f7f92d78.1413393027.git.luto@amacapital.net
+Signed-off-by: Thomas Gleixner
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/apic.c | 4 ++--
+ arch/x86/kernel/tsc.c | 5 ++++-
+ 2 files changed, 6 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/apic.c
++++ b/arch/x86/kernel/apic/apic.c
+@@ -1290,7 +1290,7 @@ void setup_local_APIC(void)
+ unsigned int value, queued;
+ int i, j, acked = 0;
+ unsigned long long tsc = 0, ntsc;
+- long long max_loops = cpu_khz;
++ long long max_loops = cpu_khz ? cpu_khz : 1000000;
+
+ if (cpu_has_tsc)
+ rdtscll(tsc);
+@@ -1387,7 +1387,7 @@ void setup_local_APIC(void)
+ break;
+ }
+ if (queued) {
+- if (cpu_has_tsc) {
++ if (cpu_has_tsc && cpu_khz) {
+ rdtscll(ntsc);
+ max_loops = (cpu_khz << 10) - (ntsc - tsc);
+ } else
+--- a/arch/x86/kernel/tsc.c
++++ b/arch/x86/kernel/tsc.c
+@@ -1173,14 +1173,17 @@ void __init tsc_init(void)
+
+ x86_init.timers.tsc_pre_init();
+
+- if (!cpu_has_tsc)
++ if (!cpu_has_tsc) {
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
++ }
+
+ tsc_khz = x86_platform.calibrate_tsc();
+ cpu_khz = tsc_khz;
+
+ if (!tsc_khz) {
+ mark_tsc_unstable("could not calculate TSC khz");
++ setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER);
+ return;
+ }
+
-- 
2.47.3
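Review bot: The fallback in `max_loops = cpu_khz ? cpu_khz : 1000000;` is an undocumented magic number; nothing in the hunk says why one million (presumably 1 GHz expressed in kHz) is an adequate bound for the loop that consumes `max_loops`, so a comment such as `/* no TSC calibration available: assume ~1 GHz so the loop is still bounded */` or a named constant would help the next reader. The second apic.c hunk now also requires `cpu_khz` to be non-zero before computing `(cpu_khz << 10) - (ntsc - tsc)`, consistent with the division-by-zero fix the commit describes, but the loop itself and its `else` branch lie outside the hunk. In tsc.c, `setup_clear_cpu_cap(X86_FEATURE_TSC_DEADLINE_TIMER)` is repeated on two early-return paths with no explanation at either; a short comment at the first call — that the deadline timer cannot be programmed without a calibrated TSC, per the commit message — or a single exit label would keep the two sites from drifting apart. setup_local_APIC() and tsc_init() both start and end outside their hunks.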