From 617642ce5b9921ed0238e43db7718f1ae33aa5a1 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 22 Sep 2017 14:40:30 +0200 Subject: [PATCH] 3.18-stable patches added patches: bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch bcache-correct-return-value-for-sysfs-attach-errors.patch bcache-fix-bch_hprint-crash-and-improve-output.patch bcache-fix-for-gc-and-write-back-race.patch bcache-fix-leak-of-bdev-reference.patch bcache-initialize-dirty-stripes-in-flash_dev_run.patch media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch media-v4l2-compat-ioctl32-fix-timespec-conversion.patch --- ...ty_target-in-__update_writeback_rate.patch | 90 ++++++++++++++ ...return-value-for-sysfs-attach-errors.patch | 45 +++++++ ...-bch_hprint-crash-and-improve-output.patch | 97 +++++++++++++++ ...cache-fix-for-gc-and-write-back-race.patch | 117 ++++++++++++++++++ .../bcache-fix-leak-of-bdev-reference.patch | 34 +++++ ...alize-dirty-stripes-in-flash_dev_run.patch | 94 ++++++++++++++ ...rflow-when-accessing-mapped-controls.patch | 42 +++++++ ...mpat-ioctl32-fix-timespec-conversion.patch | 48 +++++++ queue-3.18/series | 8 ++ 9 files changed, 575 insertions(+) create mode 100644 queue-3.18/bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch create mode 100644 queue-3.18/bcache-correct-return-value-for-sysfs-attach-errors.patch create mode 100644 queue-3.18/bcache-fix-bch_hprint-crash-and-improve-output.patch create mode 100644 queue-3.18/bcache-fix-for-gc-and-write-back-race.patch create mode 100644 queue-3.18/bcache-fix-leak-of-bdev-reference.patch create mode 100644 queue-3.18/bcache-initialize-dirty-stripes-in-flash_dev_run.patch create mode 100644 queue-3.18/media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch create mode 100644 queue-3.18/media-v4l2-compat-ioctl32-fix-timespec-conversion.patch diff --git a/queue-3.18/bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch b/queue-3.18/bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch new file mode 100644 index 00000000000..31fd6044a3c --- /dev/null +++ b/queue-3.18/bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch @@ -0,0 +1,90 @@ +From a8394090a9129b40f9d90dcb7f4a49d60c727ca6 Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Wed, 6 Sep 2017 14:25:56 +0800 +Subject: bcache: correct cache_dirty_target in __update_writeback_rate() + +From: Tang Junhui + +commit a8394090a9129b40f9d90dcb7f4a49d60c727ca6 upstream. + +__update_write_rate() uses a Proportion-Differentiation Controller +algorithm to control writeback rate. A dirty target number is used in +this PD controller to control writeback rate. A larger target number +will make the writeback rate smaller, on the versus, a smaller target +number will make the writeback rate larger. + +bcache uses the following steps to calculate the target number, +1) cache_sectors = all-buckets-of-cache-set * buckets-size +2) cache_dirty_target = cache_sectors * cached-device-writeback_percent +3) target = cache_dirty_target * +(sectors-of-cached-device/sectors-of-all-cached-devices-of-this-cache-set) + +The calculation at step 1) for cache_sectors is incorrect, which does +not consider dirty blocks occupied by flash only volume. + +A flash only volume can be took as a bcache device without cached +device. All data sectors allocated for it are persistent on cache device +and marked dirty, they are not touched by bcache writeback and garbage +collection code. So data blocks of flash only volume should be ignore +when calculating cache_sectors of cache set. + +Current code does not subtract dirty sectors of flash only volume, which +results a larger target number from the above 3 steps. And in sequence +the cache device's writeback rate is smaller then a correct value, +writeback speed is slower on all cached devices. + +This patch fixes the incorrect slower writeback rate by subtracting +dirty sectors of flash only volumes in __update_writeback_rate(). + +(Commit log composed by Coly Li to pass checkpatch.pl checking) + +Signed-off-by: Tang Junhui +Reviewed-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/writeback.c | 3 ++- + drivers/md/bcache/writeback.h | 19 +++++++++++++++++++ + 2 files changed, 21 insertions(+), 1 deletion(-) + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -21,7 +21,8 @@ + static void __update_writeback_rate(struct cached_dev *dc) + { + struct cache_set *c = dc->disk.c; +- uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size; ++ uint64_t cache_sectors = c->nbuckets * c->sb.bucket_size - ++ bcache_flash_devs_sectors_dirty(c); + uint64_t cache_dirty_target = + div_u64(cache_sectors * dc->writeback_percent, 100); + +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -14,6 +14,25 @@ static inline uint64_t bcache_dev_sector + return ret; + } + ++static inline uint64_t bcache_flash_devs_sectors_dirty(struct cache_set *c) ++{ ++ uint64_t i, ret = 0; ++ ++ mutex_lock(&bch_register_lock); ++ ++ for (i = 0; i < c->nr_uuids; i++) { ++ struct bcache_device *d = c->devices[i]; ++ ++ if (!d || !UUID_FLASH_ONLY(&c->uuids[i])) ++ continue; ++ ret += bcache_dev_sectors_dirty(d); ++ } ++ ++ mutex_unlock(&bch_register_lock); ++ ++ return ret; ++} ++ + static inline unsigned offset_to_stripe(struct bcache_device *d, + uint64_t offset) + { diff --git a/queue-3.18/bcache-correct-return-value-for-sysfs-attach-errors.patch b/queue-3.18/bcache-correct-return-value-for-sysfs-attach-errors.patch new file mode 100644 index 00000000000..672af5bd144 --- /dev/null +++ b/queue-3.18/bcache-correct-return-value-for-sysfs-attach-errors.patch @@ -0,0 +1,45 @@ +From 77fa100f27475d08a569b9d51c17722130f089e7 Mon Sep 17 00:00:00 2001 +From: Tony Asleson +Date: Wed, 6 Sep 2017 14:25:57 +0800 +Subject: bcache: Correct return value for sysfs attach errors + +From: Tony Asleson + +commit 77fa100f27475d08a569b9d51c17722130f089e7 upstream. + +If you encounter any errors in bch_cached_dev_attach it will return +a negative error code. The variable 'v' which stores the result is +unsigned, thus user space sees a very large value returned for bytes +written which can cause incorrect user space behavior. Utilize 1 +signed variable to use throughout the function to preserve error return +capability. + +Signed-off-by: Tony Asleson +Acked-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/sysfs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/md/bcache/sysfs.c ++++ b/drivers/md/bcache/sysfs.c +@@ -191,7 +191,7 @@ STORE(__cached_dev) + { + struct cached_dev *dc = container_of(kobj, struct cached_dev, + disk.kobj); +- unsigned v = size; ++ ssize_t v = size; + struct cache_set *c; + struct kobj_uevent_env *env; + +@@ -226,7 +226,7 @@ STORE(__cached_dev) + bch_cached_dev_run(dc); + + if (attr == &sysfs_cache_mode) { +- ssize_t v = bch_read_string_list(buf, bch_cache_modes + 1); ++ v = bch_read_string_list(buf, bch_cache_modes + 1); + + if (v < 0) + return v; diff --git a/queue-3.18/bcache-fix-bch_hprint-crash-and-improve-output.patch b/queue-3.18/bcache-fix-bch_hprint-crash-and-improve-output.patch new file mode 100644 index 00000000000..3a9b5b9078a --- /dev/null +++ b/queue-3.18/bcache-fix-bch_hprint-crash-and-improve-output.patch @@ -0,0 +1,97 @@ +From 9276717b9e297a62d1151a43d1cd286213f68eb7 Mon Sep 17 00:00:00 2001 +From: Michael Lyle +Date: Wed, 6 Sep 2017 14:26:02 +0800 +Subject: bcache: fix bch_hprint crash and improve output + +From: Michael Lyle + +commit 9276717b9e297a62d1151a43d1cd286213f68eb7 upstream. + +Most importantly, solve a crash where %llu was used to format signed +numbers. This would cause a buffer overflow when reading sysfs +writeback_rate_debug, as only 20 bytes were allocated for this and +%llu writes 20 characters plus a null. + +Always use the units mechanism rather than having different output +paths for simplicity. + +Also, correct problems with display output where 1.10 was a larger +number than 1.09, by multiplying by 10 and then dividing by 1024 instead +of dividing by 100. (Remainders of >= 1000 would print as .10). + +Minor changes: Always display the decimal point instead of trying to +omit it based on number of digits shown. Decide what units to use +based on 1000 as a threshold, not 1024 (in other words, always print +at most 3 digits before the decimal point). + +Signed-off-by: Michael Lyle +Reported-by: Dmitry Yu Okunev +Acked-by: Kent Overstreet +Reviewed-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/util.c | 46 +++++++++++++++++++++++++++++++++------------- + 1 file changed, 33 insertions(+), 13 deletions(-) + +--- a/drivers/md/bcache/util.c ++++ b/drivers/md/bcache/util.c +@@ -73,24 +73,44 @@ STRTO_H(strtouint, unsigned int) + STRTO_H(strtoll, long long) + STRTO_H(strtoull, unsigned long long) + ++/** ++ * bch_hprint() - formats @v to human readable string for sysfs. ++ * ++ * @v - signed 64 bit integer ++ * @buf - the (at least 8 byte) buffer to format the result into. ++ * ++ * Returns the number of bytes used by format. ++ */ + ssize_t bch_hprint(char *buf, int64_t v) + { + static const char units[] = "?kMGTPEZY"; +- char dec[4] = ""; +- int u, t = 0; ++ int u = 0, t; + +- for (u = 0; v >= 1024 || v <= -1024; u++) { +- t = v & ~(~0 << 10); +- v >>= 10; +- } ++ uint64_t q; + +- if (!u) +- return sprintf(buf, "%llu", v); +- +- if (v < 100 && v > -100) +- snprintf(dec, sizeof(dec), ".%i", t / 100); +- +- return sprintf(buf, "%lli%s%c", v, dec, units[u]); ++ if (v < 0) ++ q = -v; ++ else ++ q = v; ++ ++ /* For as long as the number is more than 3 digits, but at least ++ * once, shift right / divide by 1024. Keep the remainder for ++ * a digit after the decimal point. ++ */ ++ do { ++ u++; ++ ++ t = q & ~(~0 << 10); ++ q >>= 10; ++ } while (q >= 1000); ++ ++ if (v < 0) ++ /* '-', up to 3 digits, '.', 1 digit, 1 character, null; ++ * yields 8 bytes. ++ */ ++ return sprintf(buf, "-%llu.%i%c", q, t * 10 / 1024, units[u]); ++ else ++ return sprintf(buf, "%llu.%i%c", q, t * 10 / 1024, units[u]); + } + + ssize_t bch_snprint_string_list(char *buf, size_t size, const char * const list[], diff --git a/queue-3.18/bcache-fix-for-gc-and-write-back-race.patch b/queue-3.18/bcache-fix-for-gc-and-write-back-race.patch new file mode 100644 index 00000000000..8c1a1210781 --- /dev/null +++ b/queue-3.18/bcache-fix-for-gc-and-write-back-race.patch @@ -0,0 +1,117 @@ +From 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Wed, 6 Sep 2017 14:25:59 +0800 +Subject: bcache: fix for gc and write-back race + +From: Tang Junhui + +commit 9baf30972b5568d8b5bc8b3c46a6ec5b58100463 upstream. + +gc and write-back get raced (see the email "bcache get stucked" I sended +before): +gc thread write-back thread +| |bch_writeback_thread() +|bch_gc_thread() | +| |==>read_dirty() +|==>bch_btree_gc() | +|==>btree_root() //get btree root | +| //node write locker | +|==>bch_btree_gc_root() | +| |==>read_dirty_submit() +| |==>write_dirty() +| |==>continue_at(cl, +| | write_dirty_finish, +| | system_wq); +| |==>write_dirty_finish()//excute +| | //in system_wq +| |==>bch_btree_insert() +| |==>bch_btree_map_leaf_nodes() +| |==>__bch_btree_map_nodes() +| |==>btree_root //try to get btree +| | //root node read +| | //lock +| |-----stuck here +|==>bch_btree_set_root() +|==>bch_journal_meta() +|==>bch_journal() +|==>journal_try_write() +|==>journal_write_unlocked() //journal_full(&c->journal) +| //condition satisfied +|==>continue_at(cl, journal_write, system_wq); //try to excute +| //journal_write in system_wq +| //but work queue is excuting +| //write_dirty_finish() +|==>closure_sync(); //wait journal_write execute +| //over and wake up gc, +|-------------stuck here +|==>release root node write locker + +This patch alloc a separate work-queue for write-back thread to avoid such +race. + +(Commit log re-organized by Coly Li to pass checkpatch.pl checking) + +Signed-off-by: Tang Junhui +Acked-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/bcache.h | 1 + + drivers/md/bcache/super.c | 2 ++ + drivers/md/bcache/writeback.c | 9 +++++++-- + 3 files changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/md/bcache/bcache.h ++++ b/drivers/md/bcache/bcache.h +@@ -348,6 +348,7 @@ struct cached_dev { + /* Limit number of writeback bios in flight */ + struct semaphore in_flight; + struct task_struct *writeback_thread; ++ struct workqueue_struct *writeback_write_wq; + + struct keybuf writeback_keys; + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1087,6 +1087,8 @@ static void cached_dev_free(struct closu + cancel_delayed_work_sync(&dc->writeback_rate_update); + if (!IS_ERR_OR_NULL(dc->writeback_thread)) + kthread_stop(dc->writeback_thread); ++ if (dc->writeback_write_wq) ++ destroy_workqueue(dc->writeback_write_wq); + + mutex_lock(&bch_register_lock); + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -191,7 +191,7 @@ static void write_dirty(struct closure * + + closure_bio_submit(&io->bio, cl, &io->dc->disk); + +- continue_at(cl, write_dirty_finish, system_wq); ++ continue_at(cl, write_dirty_finish, io->dc->writeback_write_wq); + } + + static void read_dirty_endio(struct bio *bio, int error) +@@ -211,7 +211,7 @@ static void read_dirty_submit(struct clo + + closure_bio_submit(&io->bio, cl, &io->dc->disk); + +- continue_at(cl, write_dirty, system_wq); ++ continue_at(cl, write_dirty, io->dc->writeback_write_wq); + } + + static void read_dirty(struct cached_dev *dc) +@@ -523,6 +523,11 @@ void bch_cached_dev_writeback_init(struc + + int bch_cached_dev_writeback_start(struct cached_dev *dc) + { ++ dc->writeback_write_wq = alloc_workqueue("bcache_writeback_wq", ++ WQ_MEM_RECLAIM, 0); ++ if (!dc->writeback_write_wq) ++ return -ENOMEM; ++ + dc->writeback_thread = kthread_create(bch_writeback_thread, dc, + "bcache_writeback"); + if (IS_ERR(dc->writeback_thread)) diff --git a/queue-3.18/bcache-fix-leak-of-bdev-reference.patch b/queue-3.18/bcache-fix-leak-of-bdev-reference.patch new file mode 100644 index 00000000000..999321c3836 --- /dev/null +++ b/queue-3.18/bcache-fix-leak-of-bdev-reference.patch @@ -0,0 +1,34 @@ +From 4b758df21ee7081ab41448d21d60367efaa625b3 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 6 Sep 2017 14:25:51 +0800 +Subject: bcache: Fix leak of bdev reference + +From: Jan Kara + +commit 4b758df21ee7081ab41448d21d60367efaa625b3 upstream. + +If blkdev_get_by_path() in register_bcache() fails, we try to lookup the +block device using lookup_bdev() to detect which situation we are in to +properly report error. However we never drop the reference returned to +us from lookup_bdev(). Fix that. + +Signed-off-by: Jan Kara +Acked-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1997,6 +1997,8 @@ static ssize_t register_bcache(struct ko + else + err = "device busy"; + mutex_unlock(&bch_register_lock); ++ if (!IS_ERR(bdev)) ++ bdput(bdev); + if (attr == &ksysfs_register_quiet) + goto out; + } diff --git a/queue-3.18/bcache-initialize-dirty-stripes-in-flash_dev_run.patch b/queue-3.18/bcache-initialize-dirty-stripes-in-flash_dev_run.patch new file mode 100644 index 00000000000..d5fcae6afb3 --- /dev/null +++ b/queue-3.18/bcache-initialize-dirty-stripes-in-flash_dev_run.patch @@ -0,0 +1,94 @@ +From 175206cf9ab63161dec74d9cd7f9992e062491f5 Mon Sep 17 00:00:00 2001 +From: Tang Junhui +Date: Thu, 7 Sep 2017 01:28:53 +0800 +Subject: bcache: initialize dirty stripes in flash_dev_run() + +From: Tang Junhui + +commit 175206cf9ab63161dec74d9cd7f9992e062491f5 upstream. + +bcache uses a Proportion-Differentiation Controller algorithm to control +writeback rate to cached devices. In the PD controller algorithm, dirty +stripes of thin flash device should not be counted in, because flash only +volumes never write back dirty data. + +Currently dirty stripe counter for thin flash device is not initialized +when the thin flash device starts. Which means the following calculation +in PD controller will reference an undefined dirty stripes number, and +all cached devices attached to the same cache set where the thin flash +device lies on may have an inaccurate writeback rate. + +This patch calles bch_sectors_dirty_init() in flash_dev_run(), to +correctly initialize dirty stripe counter when the thin flash device +starts to run. This patch also does following parameter data type change, + -void bch_sectors_dirty_init(struct cached_dev *dc); + +void bch_sectors_dirty_init(struct bcache_device *); +to call this function conveniently in flash_dev_run(). + +(Commit log is composed by Coly Li) + +Signed-off-by: Tang Junhui +Reviewed-by: Coly Li +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bcache/super.c | 3 ++- + drivers/md/bcache/writeback.c | 8 ++++---- + drivers/md/bcache/writeback.h | 2 +- + 3 files changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/md/bcache/super.c ++++ b/drivers/md/bcache/super.c +@@ -1054,7 +1054,7 @@ int bch_cached_dev_attach(struct cached_ + } + + if (BDEV_STATE(&dc->sb) == BDEV_STATE_DIRTY) { +- bch_sectors_dirty_init(dc); ++ bch_sectors_dirty_init(&dc->disk); + atomic_set(&dc->has_dirty, 1); + atomic_inc(&dc->count); + bch_writeback_queue(dc); +@@ -1258,6 +1258,7 @@ static int flash_dev_run(struct cache_se + goto err; + + bcache_device_attach(d, c, u - c->uuids); ++ bch_sectors_dirty_init(d); + bch_flash_dev_request_init(d); + add_disk(d->disk); + +--- a/drivers/md/bcache/writeback.c ++++ b/drivers/md/bcache/writeback.c +@@ -488,17 +488,17 @@ static int sectors_dirty_init_fn(struct + return MAP_CONTINUE; + } + +-void bch_sectors_dirty_init(struct cached_dev *dc) ++void bch_sectors_dirty_init(struct bcache_device *d) + { + struct sectors_dirty_init op; + + bch_btree_op_init(&op.op, -1); +- op.inode = dc->disk.id; ++ op.inode = d->id; + +- bch_btree_map_keys(&op.op, dc->disk.c, &KEY(op.inode, 0, 0), ++ bch_btree_map_keys(&op.op, d->c, &KEY(op.inode, 0, 0), + sectors_dirty_init_fn, 0); + +- dc->disk.sectors_dirty_last = bcache_dev_sectors_dirty(&dc->disk); ++ d->sectors_dirty_last = bcache_dev_sectors_dirty(d); + } + + void bch_cached_dev_writeback_init(struct cached_dev *dc) +--- a/drivers/md/bcache/writeback.h ++++ b/drivers/md/bcache/writeback.h +@@ -85,7 +85,7 @@ static inline void bch_writeback_add(str + + void bcache_dev_sectors_dirty_add(struct cache_set *, unsigned, uint64_t, int); + +-void bch_sectors_dirty_init(struct cached_dev *dc); ++void bch_sectors_dirty_init(struct bcache_device *); + void bch_cached_dev_writeback_init(struct cached_dev *); + int bch_cached_dev_writeback_start(struct cached_dev *); + diff --git a/queue-3.18/media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch b/queue-3.18/media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch new file mode 100644 index 00000000000..b03ebd826a1 --- /dev/null +++ b/queue-3.18/media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch @@ -0,0 +1,42 @@ +From 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba Mon Sep 17 00:00:00 2001 +From: Guenter Roeck +Date: Tue, 8 Aug 2017 08:56:21 -0400 +Subject: media: uvcvideo: Prevent heap overflow when accessing mapped controls + +From: Guenter Roeck + +commit 7e09f7d5c790278ab98e5f2c22307ebe8ad6e8ba upstream. + +The size of uvc_control_mapping is user controlled leading to a +potential heap overflow in the uvc driver. This adds a check to verify +the user provided size fits within the bounds of the defined buffer +size. + +Originally-from: Richard Simmons + +Signed-off-by: Guenter Roeck +Reviewed-by: Laurent Pinchart +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_ctrl.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/media/usb/uvc/uvc_ctrl.c ++++ b/drivers/media/usb/uvc/uvc_ctrl.c +@@ -2001,6 +2001,13 @@ int uvc_ctrl_add_mapping(struct uvc_vide + goto done; + } + ++ /* Validate the user-provided bit-size and offset */ ++ if (mapping->size > 32 || ++ mapping->offset + mapping->size > ctrl->info.size * 8) { ++ ret = -EINVAL; ++ goto done; ++ } ++ + list_for_each_entry(map, &ctrl->info.mappings, list) { + if (mapping->id == map->id) { + uvc_trace(UVC_TRACE_CONTROL, "Can't add mapping '%s', " diff --git a/queue-3.18/media-v4l2-compat-ioctl32-fix-timespec-conversion.patch b/queue-3.18/media-v4l2-compat-ioctl32-fix-timespec-conversion.patch new file mode 100644 index 00000000000..6d99eb121df --- /dev/null +++ b/queue-3.18/media-v4l2-compat-ioctl32-fix-timespec-conversion.patch @@ -0,0 +1,48 @@ +From 9c7ba1d7634cef490b85bc64c4091ff004821bfd Mon Sep 17 00:00:00 2001 +From: Daniel Mentz +Date: Wed, 2 Aug 2017 23:42:17 -0400 +Subject: media: v4l2-compat-ioctl32: Fix timespec conversion + +From: Daniel Mentz + +commit 9c7ba1d7634cef490b85bc64c4091ff004821bfd upstream. + +Certain syscalls like recvmmsg support 64 bit timespec values for the +X32 ABI. The helper function compat_put_timespec converts a timespec +value to a 32 bit or 64 bit value depending on what ABI is used. The +v4l2 compat layer, however, is not designed to support 64 bit timespec +values and always uses 32 bit values. Hence, compat_put_timespec must +not be used. + +Without this patch, user space will be provided with bad timestamp +values from the VIDIOC_DQEVENT ioctl. Also, fields of the struct +v4l2_event32 that come immediately after timestamp get overwritten, +namely the field named id. + +Fixes: 81993e81a994 ("compat: Get rid of (get|put)_compat_time(val|spec)") +Cc: H. Peter Anvin +Cc: Laurent Pinchart +Cc: Tiffany Lin +Cc: Ricardo Ribalda Delgado +Cc: Sakari Ailus +Signed-off-by: Daniel Mentz +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/v4l2-core/v4l2-compat-ioctl32.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/media/v4l2-core/v4l2-compat-ioctl32.c ++++ b/drivers/media/v4l2-core/v4l2-compat-ioctl32.c +@@ -747,7 +747,8 @@ static int put_v4l2_event32(struct v4l2_ + copy_to_user(&up->u, &kp->u, sizeof(kp->u)) || + put_user(kp->pending, &up->pending) || + put_user(kp->sequence, &up->sequence) || +- compat_put_timespec(&kp->timestamp, &up->timestamp) || ++ put_user(kp->timestamp.tv_sec, &up->timestamp.tv_sec) || ++ put_user(kp->timestamp.tv_nsec, &up->timestamp.tv_nsec) || + put_user(kp->id, &up->id) || + copy_to_user(up->reserved, kp->reserved, 8 * sizeof(__u32))) + return -EFAULT; diff --git a/queue-3.18/series b/queue-3.18/series index 2028a598bf3..eed61252775 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -31,3 +31,11 @@ ftrace-fix-selftest-goto-location-on-error.patch tracing-apply-trace_clock-changes-to-instance-max-buffer.patch arc-re-enable-mmu-upon-machine-check-exception.patch pci-shpchp-enable-bridge-bus-mastering-if-msi-is-enabled.patch +media-v4l2-compat-ioctl32-fix-timespec-conversion.patch +media-uvcvideo-prevent-heap-overflow-when-accessing-mapped-controls.patch +bcache-initialize-dirty-stripes-in-flash_dev_run.patch +bcache-fix-leak-of-bdev-reference.patch +bcache-correct-cache_dirty_target-in-__update_writeback_rate.patch +bcache-correct-return-value-for-sysfs-attach-errors.patch +bcache-fix-for-gc-and-write-back-race.patch +bcache-fix-bch_hprint-crash-and-improve-output.patch -- 2.47.3