From b089536a3031492a96793bf19e03623cbac05fbb Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 24 Mar 2015 14:08:15 +0100 Subject: [PATCH] 3.19-stable patches added patches: crypto-aesni-fix-memory-usage-in-gcm-decryption.patch crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch gadgetfs-use-after-free-in-aio_read.patch ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch ipvs-fix-inability-to-remove-a-mixed-family-rs.patch irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch libsas-fix-kernel-crash-in-smp_execute_task.patch netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch netfilter-nf_tables-fix-transaction-race-condition.patch netfilter-nft_compat-fix-module-refcount-underflow.patch netfilter-xt_socket-fix-a-stack-corruption-bug.patch of-fix-handling-of-in-options-for-of_find_node_by_path.patch of-handle-both-and-in-path-strings.patch pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch powerpc-smp-wait-until-secondaries-are-active-online.patch x86-apic-numachip-fix-sibling-map-with-numachip.patch x86-asm-entry-32-fix-user_mode-misuses.patch x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch x86-vdso-fix-the-build-on-gcc5.patch x86-xen-correct-bug-in-p2m-list-initialization.patch xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch xen-pciback-limit-guest-control-of-command-register.patch --- ...i-fix-memory-usage-in-gcm-decryption.patch | 65 ++++++++ ...aes-module-to-latest-openssl-version.patch | 124 ++++++++++++++ ...d-.needs_src_clk-to-s3c6410-rtc-data.patch | 50 ++++++ .../gadgetfs-use-after-free-in-aio_read.patch | 81 +++++++++ ...dd-missing-ip_vs_pe_put-in-sync-code.patch | 49 
++++++ ...nability-to-remove-a-mixed-family-rs.patch | 42 +++++ ...70-xp-fix-chained-per-cpu-interrupts.patch | 95 +++++++++++ ...sing-of-kvm_cap_irqfd-to-common-code.patch | 58 +++++++ ...fix-kernel-crash-in-smp_execute_task.patch | 97 +++++++++++ ...letion-of-elements-from-commit-abort.patch | 76 +++++++++ ...ables-fix-transaction-race-condition.patch | 55 +++++++ ...compat-fix-module-refcount-underflow.patch | 61 +++++++ ...xt_socket-fix-a-stack-corruption-bug.patch | 85 ++++++++++ ...-in-options-for-of_find_node_by_path.patch | 72 ++++++++ .../of-handle-both-and-in-path-strings.patch | 51 ++++++ ...ddresses-to-non-privileged-userspace.patch | 45 +++++ ...-end-of-sysfs-driver_override-buffer.patch | 47 ++++++ ...u-device-references-via-bus-notifier.patch | 133 +++++++++++++++ ...-until-secondaries-are-active-online.patch | 61 +++++++ queue-3.19/series | 27 +++ ...machip-fix-sibling-map-with-numachip.patch | 86 ++++++++++ ...6-asm-entry-32-fix-user_mode-misuses.patch | 45 +++++ ...ut-used_math-in-__restore_xstate_sig.patch | 87 ++++++++++ ...d-not-assume-that-tsk-equals-current.patch | 50 ++++++ .../x86-vdso-fix-the-build-on-gcc5.patch | 62 +++++++ ...rrect-bug-in-p2m-list-initialization.patch | 45 +++++ ...ereference-in-dom0-on-large-machines.patch | 65 ++++++++ ...it-guest-control-of-command-register.patch | 154 ++++++++++++++++++ 28 files changed, 1968 insertions(+) create mode 100644 queue-3.19/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch create mode 100644 queue-3.19/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch create mode 100644 queue-3.19/drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch create mode 100644 queue-3.19/gadgetfs-use-after-free-in-aio_read.patch create mode 100644 queue-3.19/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch create mode 100644 queue-3.19/ipvs-fix-inability-to-remove-a-mixed-family-rs.patch create mode 100644 queue-3.19/irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch 
create mode 100644 queue-3.19/kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch
create mode 100644 queue-3.19/libsas-fix-kernel-crash-in-smp_execute_task.patch
create mode 100644 queue-3.19/netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch
create mode 100644 queue-3.19/netfilter-nf_tables-fix-transaction-race-condition.patch
create mode 100644 queue-3.19/netfilter-nft_compat-fix-module-refcount-underflow.patch
create mode 100644 queue-3.19/netfilter-xt_socket-fix-a-stack-corruption-bug.patch
create mode 100644 queue-3.19/of-fix-handling-of-in-options-for-of_find_node_by_path.patch
create mode 100644 queue-3.19/of-handle-both-and-in-path-strings.patch
create mode 100644 queue-3.19/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch
create mode 100644 queue-3.19/pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
create mode 100644 queue-3.19/powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch
create mode 100644 queue-3.19/powerpc-smp-wait-until-secondaries-are-active-online.patch
create mode 100644 queue-3.19/x86-apic-numachip-fix-sibling-map-with-numachip.patch
create mode 100644 queue-3.19/x86-asm-entry-32-fix-user_mode-misuses.patch
create mode 100644 queue-3.19/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch
create mode 100644 queue-3.19/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch
create mode 100644 queue-3.19/x86-vdso-fix-the-build-on-gcc5.patch
create mode 100644 queue-3.19/x86-xen-correct-bug-in-p2m-list-initialization.patch
create mode 100644 queue-3.19/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch
create mode 100644 queue-3.19/xen-pciback-limit-guest-control-of-command-register.patch
diff --git a/queue-3.19/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch b/queue-3.19/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch
new file mode 100644
index 00000000000..c8d29dc1718
--- /dev/null
+++ b/queue-3.19/crypto-aesni-fix-memory-usage-in-gcm-decryption.patch 
@@ -0,0 +1,65 @@ +From ccfe8c3f7e52ae83155cb038753f4c75b774ca8a Mon Sep 17 00:00:00 2001 +From: Stephan Mueller +Date: Thu, 12 Mar 2015 09:17:51 +0100 +Subject: crypto: aesni - fix memory usage in GCM decryption + +From: Stephan Mueller + +commit ccfe8c3f7e52ae83155cb038753f4c75b774ca8a upstream. + +The kernel crypto API logic requires the caller to provide the +length of (ciphertext || authentication tag) as cryptlen for the +AEAD decryption operation. Thus, the cipher implementation must +calculate the size of the plaintext output itself and cannot simply use +cryptlen. + +The RFC4106 GCM decryption operation tries to overwrite cryptlen memory +in req->dst. As the destination buffer for decryption only needs to hold +the plaintext memory but cryptlen references the input buffer holding +(ciphertext || authentication tag), the assumption of the destination +buffer length in RFC4106 GCM operation leads to a too large size. This +patch simply uses the already calculated plaintext size. + +In addition, this patch fixes the offset calculation of the AAD buffer +pointer: as mentioned before, cryptlen already includes the size of the +tag. Thus, the tag does not need to be added. With the addition, the AAD +will be written beyond the already allocated buffer. + +Note, this fixes a kernel crash that can be triggered from user space +via AF_ALG(aead) -- simply use the libkcapi test application +from [1] and update it to use rfc4106-gcm-aes. + +Using [1], the changes were tested using CAVS vectors to demonstrate +that the crypto operation still delivers the right results. 
+ +[1] http://www.chronox.de/libkcapi.html + +CC: Tadeusz Struk +Signed-off-by: Stephan Mueller +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/crypto/aesni-intel_glue.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/crypto/aesni-intel_glue.c ++++ b/arch/x86/crypto/aesni-intel_glue.c +@@ -1133,7 +1133,7 @@ static int __driver_rfc4106_decrypt(stru + src = kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC); + if (!src) + return -ENOMEM; +- assoc = (src + req->cryptlen + auth_tag_len); ++ assoc = (src + req->cryptlen); + scatterwalk_map_and_copy(src, req->src, 0, req->cryptlen, 0); + scatterwalk_map_and_copy(assoc, req->assoc, 0, + req->assoclen, 0); +@@ -1158,7 +1158,7 @@ static int __driver_rfc4106_decrypt(stru + scatterwalk_done(&src_sg_walk, 0, 0); + scatterwalk_done(&assoc_sg_walk, 0, 0); + } else { +- scatterwalk_map_and_copy(dst, req->dst, 0, req->cryptlen, 1); ++ scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1); + kfree(src); + } + return retval; diff --git a/queue-3.19/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch b/queue-3.19/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch new file mode 100644 index 00000000000..d486beddfca --- /dev/null +++ b/queue-3.19/crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch 
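Review bot: The corrected `assoc = (src + req->cryptlen);` and the `tempCipherLen` destination write still rest on `tempCipherLen` being derived from `req->cryptlen - auth_tag_len` somewhere above the hunk; if no guard rejects `req->cryptlen < auth_tag_len` before that subtraction, a user-controlled AF_ALG request would make the plaintext length wrap and `scatterwalk_map_and_copy(dst, req->dst, 0, tempCipherLen, 1)` would copy far past the intended size. The hunk does not show such a check and __driver_rfc4106_decrypt starts outside it, so confirm the guard exists. Since the precise meaning of cryptlen (ciphertext || tag) is exactly what was misread here, a comment on the buffer layout would prevent a repeat: `/* src holds ciphertext || tag (req->cryptlen bytes); the AAD is appended directly after it */`. The `kmalloc(req->cryptlen + req->assoclen, GFP_ATOMIC)` sum is likewise caller-derived; presumably algif_aead bounds both lengths, but that is not visible from this hunk.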
@@ -0,0 +1,124 @@ +From 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Thu, 26 Feb 2015 07:22:05 +0000 +Subject: crypto: arm/aes update NEON AES module to latest OpenSSL version + +From: Ard Biesheuvel + +commit 001eabfd54c0cbf9d7d16264ddc8cc0bee67e3ed upstream. + +This updates the bit sliced AES module to the latest version in the +upstream OpenSSL repository (e620e5ae37bc). This is needed to fix a +bug in the XTS decryption path, where data chunked in a certain way +could trigger the ciphertext stealing code, which is not supposed to +be active in the kernel build (The kernel implementation of XTS only +supports round multiples of the AES block size of 16 bytes, whereas +the conformant OpenSSL implementation of XTS supports inputs of +arbitrary size by applying ciphertext stealing). This is fixed in +the upstream version by adding the missing #ifndef XTS_CHAIN_TWEAK +around the offending instructions. + +The upstream code also contains the change applied by Russell to +build the code unconditionally, i.e., even if __LINUX_ARM_ARCH__ < 7, +but implemented slightly differently. 
+ +Fixes: e4e7f10bfc40 ("ARM: add support for bit sliced AES using NEON instructions") +Reported-by: Adrian Kotelba +Signed-off-by: Ard Biesheuvel +Tested-by: Milan Broz +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/crypto/aesbs-core.S_shipped | 12 ++++++++---- + arch/arm/crypto/bsaes-armv7.pl | 12 ++++++++---- + 2 files changed, 16 insertions(+), 8 deletions(-) + +--- a/arch/arm/crypto/aesbs-core.S_shipped ++++ b/arch/arm/crypto/aesbs-core.S_shipped +@@ -58,14 +58,18 @@ + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -74,8 +78,6 @@ + .code 32 + #endif + +-.fpu neon +- + .type _bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2095,9 +2097,11 @@ bsaes_xts_decrypt: + vld1.8 {q8}, [r0] @ initial tweak + adr r2, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst r9, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne r9, #0x10 @ subtract another 16 bytes ++#endif + subs r9, #0x80 + + blo .Lxts_dec_short +--- a/arch/arm/crypto/bsaes-armv7.pl ++++ b/arch/arm/crypto/bsaes-armv7.pl +@@ -701,14 +701,18 @@ $code.=<<___; + # define VFP_ABI_FRAME 0 + # define BSAES_ASM_EXTENDED_KEY + # define XTS_CHAIN_TWEAK +-# define __ARM_ARCH__ 7 ++# define __ARM_ARCH__ __LINUX_ARM_ARCH__ ++# define __ARM_MAX_ARCH__ 7 + #endif + + #ifdef __thumb__ + # define adrl adr + #endif + +-#if __ARM_ARCH__>=7 ++#if __ARM_MAX_ARCH__>=7 ++.arch armv7-a ++.fpu neon ++ + .text + .syntax unified @ ARMv7-capable assembler is expected to handle this + #ifdef __thumb2__ +@@ -717,8 +721,6 @@ $code.=<<___; + .code 32 + #endif + +-.fpu neon +- + .type 
_bsaes_decrypt8,%function + .align 4 + _bsaes_decrypt8: +@@ -2076,9 +2078,11 @@ bsaes_xts_decrypt: + vld1.8 {@XMM[8]}, [r0] @ initial tweak + adr $magic, .Lxts_magic + ++#ifndef XTS_CHAIN_TWEAK + tst $len, #0xf @ if not multiple of 16 + it ne @ Thumb2 thing, sanity check in ARM + subne $len, #0x10 @ subtract another 16 bytes ++#endif + subs $len, #0x80 + + blo .Lxts_dec_short diff --git a/queue-3.19/drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch b/queue-3.19/drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch new file mode 100644 index 00000000000..b291b2e8351 --- /dev/null +++ b/queue-3.19/drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch 
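Review bot: The new `#ifndef XTS_CHAIN_TWEAK` guard around the `tst r9, #0xf` / `subne r9, #0x10` pair in bsaes_xts_decrypt (in both aesbs-core.S_shipped and bsaes-armv7.pl) carries no explanation, so a reader diffing against upstream OpenSSL, where the block is unconditional, has to reconstruct why the kernel build must skip it. A comment would pin the invariant: `@ XTS_CHAIN_TWEAK (kernel build): the caller guarantees len is a multiple of 16, so the ciphertext-stealing adjustment must never run`. With `__ARM_ARCH__` now expanding to `__LINUX_ARM_ARCH__`, any remaining `#if __ARM_ARCH__>=7` tests elsewhere in the file (outside the hunk) become configuration-dependent rather than fixed at 7; confirm each still selects the intended code on `__LINUX_ARM_ARCH__ < 7` builds where `.arch armv7-a` is now forced via `__ARM_MAX_ARCH__`. The .S_shipped file is presumably generated from the .pl, so it should be regenerated rather than patched by hand to avoid the two drifting apart.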
@@ -0,0 +1,50 @@ +From 8792f7772f4f40ffc68bad5f28311205584b734d Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Thu, 12 Mar 2015 16:25:49 -0700 +Subject: drivers/rtc/rtc-s3c.c: add .needs_src_clk to s3c6410 RTC data + +From: Javier Martinez Canillas + +commit 8792f7772f4f40ffc68bad5f28311205584b734d upstream. + +Commit df9e26d093d3 ("rtc: s3c: add support for RTC of Exynos3250 SoC") +added an "rtc_src" DT property to specify the clock used as a source to +the S3C real-time clock. + +Not all SoCs needs this so commit eaf3a659086e ("drivers/rtc/rtc-s3c.c: +fix initialization failure without rtc source clock") changed to check +the struct s3c_rtc_data .needs_src_clk to conditionally grab the clock. + +But that commit didn't update the data for each IP version so the RTC +broke on the boards that needs a source clock. This is the case of at +least Exynos5250 and Exynos5440 which uses the s3c6410 RTC IP block. + +This commit fixes the S3C rtc on the Exynos5250 Snow and Exynos5420 +Peach Pit and Pi Chromebooks. + +Signed-off-by: Javier Martinez Canillas +Cc: Marek Szyprowski +Cc: Chanwoo Choi +Cc: Doug Anderson +Cc: Olof Johansson +Cc: Kevin Hilman +Cc: Tyler Baker +Cc: Alessandro Zummo +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-s3c.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/rtc/rtc-s3c.c ++++ b/drivers/rtc/rtc-s3c.c +@@ -849,6 +849,7 @@ static struct s3c_rtc_data const s3c2443 + + static struct s3c_rtc_data const s3c6410_rtc_data = { + .max_user_freq = 32768, ++ .needs_src_clk = true, + .irq_handler = s3c6410_rtc_irq, + .set_freq = s3c6410_rtc_setfreq, + .enable_tick = s3c6410_rtc_enable_tick, diff --git a/queue-3.19/gadgetfs-use-after-free-in-aio_read.patch b/queue-3.19/gadgetfs-use-after-free-in-aio_read.patch new file mode 100644 index 00000000000..158d2a51b06 --- /dev/null +++ b/queue-3.19/gadgetfs-use-after-free-in-aio_read.patch 
@@ -0,0 +1,81 @@ +From f01d35a15fa04162a58b95970fc01fa70ec9dacd Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Fri, 6 Feb 2015 02:07:45 -0500 +Subject: gadgetfs: use-after-free in ->aio_read() + +From: Al Viro + +commit f01d35a15fa04162a58b95970fc01fa70ec9dacd upstream. + +AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if +we are going to access it asynchronously, we'd better get ourselves +a copy - the one on kernel stack of aio_run_iocb() won't be there +anymore. function/f_fs.c take care of doing that, legacy/inode.c +doesn't... + +Signed-off-by: Al Viro +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/legacy/inode.c | 15 ++++++++++++--- + 1 file changed, 12 insertions(+), 3 deletions(-) + +--- a/drivers/usb/gadget/legacy/inode.c ++++ b/drivers/usb/gadget/legacy/inode.c +@@ -566,7 +566,6 @@ static ssize_t ep_copy_to_user(struct ki + if (total == 0) + break; + } +- + return len; + } + +@@ -585,6 +584,7 @@ static void ep_user_copy_worker(struct w + aio_complete(iocb, ret, ret); + + kfree(priv->buf); ++ kfree(priv->iv); + kfree(priv); + } + +@@ -605,6 +605,7 @@ static void ep_aio_complete(struct usb_e + */ + if (priv->iv == NULL || unlikely(req->actual == 0)) { + kfree(req->buf); ++ kfree(priv->iv); + kfree(priv); + iocb->private = NULL; + /* aio_complete() reports bytes-transferred _and_ faults */ +@@ -640,7 +641,7 @@ ep_aio_rwtail( + struct usb_request *req; + ssize_t value; + +- priv = kmalloc(sizeof *priv, GFP_KERNEL); ++ priv = kzalloc(sizeof *priv, GFP_KERNEL); + if (!priv) { + value = -ENOMEM; + fail: +@@ -649,7 +650,14 @@ fail: + } + iocb->private = priv; + priv->iocb = iocb; +- priv->iv = iv; ++ if (iv) { ++ priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec), ++ GFP_KERNEL); ++ if (!priv->iv) { ++ kfree(priv); ++ goto fail; ++ } ++ } + priv->nr_segs = nr_segs; + INIT_WORK(&priv->work, ep_user_copy_worker); + +@@ -689,6 +697,7 @@ fail: + mutex_unlock(&epdata->lock); + + if (unlikely(value)) { ++ kfree(priv->iv); + 
kfree(priv); + put_ep(epdata); + } else diff --git a/queue-3.19/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch b/queue-3.19/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch new file mode 100644 index 00000000000..e68ef2d4420 --- /dev/null +++ b/queue-3.19/ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch @@ -0,0 +1,49 @@ +From 528c943f3bb919aef75ab2fff4f00176f09a4019 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sat, 21 Feb 2015 21:03:10 +0200 +Subject: ipvs: add missing ip_vs_pe_put in sync code + +From: Julian Anastasov + +commit 528c943f3bb919aef75ab2fff4f00176f09a4019 upstream. + +ip_vs_conn_fill_param_sync() gets in param.pe a module +reference for persistence engine from __ip_vs_pe_getbyname() +but forgets to put it. Problem occurs in backup for +sync protocol v1 (2.6.39). + +Also, pe_data usually comes in sync messages for +connection templates and ip_vs_conn_new() copies +the pointer only in this case. Make sure pe_data +is not leaked if it comes unexpectedly for normal +connections. Leak can happen only if bogus messages +are sent to backup server. + +Fixes: fe5e7a1efb66 ("IPVS: Backup, Adding Version 1 receive capability") +Signed-off-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_sync.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/ipvs/ip_vs_sync.c ++++ b/net/netfilter/ipvs/ip_vs_sync.c +@@ -896,6 +896,8 @@ static void ip_vs_proc_conn(struct net * + IP_VS_DBG(2, "BACKUP, add new conn. failed\n"); + return; + } ++ if (!(flags & IP_VS_CONN_F_TEMPLATE)) ++ kfree(param->pe_data); + } + + if (opt) +@@ -1169,6 +1171,7 @@ static inline int ip_vs_proc_sync_conn(s + (opt_flags & IPVS_OPT_F_SEQ_DATA ? &opt : NULL) + ); + #endif ++ ip_vs_pe_put(param.pe); + return 0; + /* Error exit */ + out: 
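Review bot: In the new kmemdup failure branch, `if (!priv->iv) { kfree(priv); goto fail; }`, `value` is never assigned: `ssize_t value;` is declared without an initializer in the hunk context, and the `fail:` label sits after the `value = -ENOMEM;` that only the `!priv` path executes, so this branch returns an indeterminate ssize_t to the AIO core. Set it explicitly before the jump: `value = -ENOMEM;`. Separately, `iocb->private = priv;` is stored before the dup and is left pointing at the freed allocation on this path; that pattern predates the patch but is now reachable from one more place, so `iocb->private = NULL;` alongside the kfree would be cheap insurance. Any other error path in ep_aio_rwtail between `INIT_WORK` and the final `if (unlikely(value))` block (outside the hunk) that frees `priv` must now also `kfree(priv->iv)`; the hunk shows only the last one being updated.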
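Review bot: The new `if (!(flags & IP_VS_CONN_F_TEMPLATE)) kfree(param->pe_data);` in ip_vs_proc_conn is placed after the `if (!cp) { ...; return; }` that handles a failed ip_vs_conn_new(), so when that allocation fails `param->pe_data` is still unowned and leaks unless ip_vs_conn_new() frees it on failure, which is not visible here. The commit message says the leak is reachable with bogus sync messages, so this remaining path is the same attacker-influenced resource leak; freeing `param->pe_data` on the `!cp` branch as well (for templates too, since the template copy never happened) closes it. The added `ip_vs_pe_put(param.pe);` sits only on the success return of ip_vs_proc_sync_conn; the `out:` error exit is cut off by the hunk, so confirm it also drops the reference taken by __ip_vs_pe_getbyname().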
diff --git a/queue-3.19/ipvs-fix-inability-to-remove-a-mixed-family-rs.patch b/queue-3.19/ipvs-fix-inability-to-remove-a-mixed-family-rs.patch new file mode 100644 index 00000000000..c72f0da4b95 --- /dev/null +++ b/queue-3.19/ipvs-fix-inability-to-remove-a-mixed-family-rs.patch @@ -0,0 +1,42 @@ +From dd3733b3e798daf778a1ec08557f388f00fdc2f6 Mon Sep 17 00:00:00 2001 +From: Alexey Andriyanov +Date: Fri, 6 Feb 2015 22:32:20 +0300 +Subject: ipvs: fix inability to remove a mixed-family RS + +From: Alexey Andriyanov + +commit dd3733b3e798daf778a1ec08557f388f00fdc2f6 upstream. + +The current code prevents any operation with a mixed-family dest +unless IP_VS_CONN_F_TUNNEL flag is set. The problem is that it's impossible +for the client to follow this rule, because ip_vs_genl_parse_dest does +not even read the destination conn_flags when cmd = IPVS_CMD_DEL_DEST +(need_full_dest = 0). + +Also, not every client can pass this flag when removing a dest. ipvsadm, +for example, does not support the "-i" command line option together with +the "-d" option. + +This change disables any checks for mixed-family on IPVS_CMD_DEL_DEST command. + +Signed-off-by: Alexey Andriyanov +Fixes: bc18d37f676f ("ipvs: Allow heterogeneous pools now that we support them") +Acked-by: Julian Anastasov +Signed-off-by: Simon Horman +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/ipvs/ip_vs_ctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/netfilter/ipvs/ip_vs_ctl.c ++++ b/net/netfilter/ipvs/ip_vs_ctl.c +@@ -3399,7 +3399,7 @@ static int ip_vs_genl_set_cmd(struct sk_ + if (udest.af == 0) + udest.af = svc->af; + +- if (udest.af != svc->af) { ++ if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) { + /* The synchronization protocol is incompatible + * with mixed family services + */ 
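Review bot: The relaxed condition `if (udest.af != svc->af && cmd != IPVS_CMD_DEL_DEST) {` is justified by the commit message, but the block's existing comment (`The synchronization protocol is incompatible with mixed family services`, continuing past the hunk) now describes only the add/edit case and says nothing about why delete is exempt. Suggest extending it: `/* Deletion is exempt: userspace cannot pass the tunnel flag with a delete (ipvsadm -d has no -i), and no new mixed-family state is created */`. Note that for a delete without a family attribute `udest.af` is filled in by the visible `if (udest.af == 0) udest.af = svc->af;` fallback, so the exemption only matters when the caller explicitly passes a different family; the comment should make that scope clear.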
diff --git a/queue-3.19/irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch b/queue-3.19/irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch new file mode 100644 index 00000000000..ed5644bb840 --- /dev/null +++ b/queue-3.19/irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch 
@@ -0,0 +1,95 @@ +From 5724be8464dceac047c1eaddaa3651cea0ec16ca Mon Sep 17 00:00:00 2001 +From: Maxime Ripard +Date: Tue, 3 Mar 2015 11:27:23 +0100 +Subject: irqchip: armada-370-xp: Fix chained per-cpu interrupts + +From: Maxime Ripard + +commit 5724be8464dceac047c1eaddaa3651cea0ec16ca upstream. + +On the Cortex-A9-based Armada SoCs, the MPIC is not the primary interrupt +controller. Yet, it still has to handle some per-cpu interrupt. + +To do so, it is chained with the GIC using a per-cpu interrupt. However, the +current code only call irq_set_chained_handler, which is called and enable that +interrupt only on the boot CPU, which means that the parent per-CPU interrupt +is never unmasked on the secondary CPUs, preventing the per-CPU interrupt to +actually work as expected. + +This was not seen until now since the only MPIC PPI users were the Marvell +timers that were not working, but not used either since the system use the ARM +TWD by default, and the ethernet controllers, that are faking there interrupts +as SPI, and don't really expect to have interrupts on the secondary cores +anyway. + +Add a CPU notifier that will enable the PPI on the secondary cores when they +are brought up. 
+ +Signed-off-by: Maxime Ripard +Acked-by: Gregory CLEMENT +Link: https://lkml.kernel.org/r/1425378443-28822-1-git-send-email-maxime.ripard@free-electrons.com +Signed-off-by: Jason Cooper +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/irqchip/irq-armada-370-xp.c | 21 ++++++++++++++++++++- + 1 file changed, 20 insertions(+), 1 deletion(-) + +--- a/drivers/irqchip/irq-armada-370-xp.c ++++ b/drivers/irqchip/irq-armada-370-xp.c +@@ -69,6 +69,7 @@ static void __iomem *per_cpu_int_base; + static void __iomem *main_int_base; + static struct irq_domain *armada_370_xp_mpic_domain; + static u32 doorbell_mask_reg; ++static int parent_irq; + #ifdef CONFIG_PCI_MSI + static struct irq_domain *armada_370_xp_msi_domain; + static DECLARE_BITMAP(msi_used, PCI_MSI_DOORBELL_NR); +@@ -356,6 +357,7 @@ static int armada_xp_mpic_secondary_init + { + if (action == CPU_STARTING || action == CPU_STARTING_FROZEN) + armada_xp_mpic_smp_cpu_init(); ++ + return NOTIFY_OK; + } + +@@ -364,6 +366,20 @@ static struct notifier_block armada_370_ + .priority = 100, + }; + ++static int mpic_cascaded_secondary_init(struct notifier_block *nfb, ++ unsigned long action, void *hcpu) ++{ ++ if (action == CPU_STARTING || action == CPU_STARTING_FROZEN) ++ enable_percpu_irq(parent_irq, IRQ_TYPE_NONE); ++ ++ return NOTIFY_OK; ++} ++ ++static struct notifier_block mpic_cascaded_cpu_notifier = { ++ .notifier_call = mpic_cascaded_secondary_init, ++ .priority = 100, ++}; ++ + #endif /* CONFIG_SMP */ + + static struct irq_domain_ops armada_370_xp_mpic_irq_ops = { +@@ -539,7 +555,7 @@ static int __init armada_370_xp_mpic_of_ + struct device_node *parent) + { + struct resource main_int_res, per_cpu_int_res; +- int parent_irq, nr_irqs, i; ++ int nr_irqs, i; + u32 control; + + BUG_ON(of_address_to_resource(node, 0, &main_int_res)); +@@ -587,6 +603,9 @@ static int __init armada_370_xp_mpic_of_ + register_cpu_notifier(&armada_370_xp_mpic_cpu_notifier); + #endif + } else { ++#ifdef CONFIG_SMP ++ 
register_cpu_notifier(&mpic_cascaded_cpu_notifier); ++#endif + irq_set_chained_handler(parent_irq, + armada_370_xp_mpic_handle_cascade_irq); + } diff --git a/queue-3.19/kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch b/queue-3.19/kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch new file mode 100644 index 00000000000..2b338621133 --- /dev/null +++ b/queue-3.19/kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch 
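Review bot: `parent_irq` is promoted to a file-scope `static int` so the new mpic_cascaded_secondary_init() notifier can reach it, but nothing documents that it is only meaningful in the cascaded (non-primary) configuration; a one-liner at the declaration avoids later misuse: `static int parent_irq; /* GIC PPI the MPIC cascades from; only set when the MPIC is not the primary controller */`. `register_cpu_notifier(&mpic_cascaded_cpu_notifier);` runs before `irq_set_chained_handler(parent_irq, ...)`, so a secondary CPU starting in that window would have the PPI enabled with no chained handler installed yet; at OF init time no secondaries should be running, so this is presumably benign, but swapping the two statements would make the ordering self-evidently safe.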
@@ -0,0 +1,58 @@ +From dc9be0fac70a2ad86e31a81372bb0bdfb6945353 Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 5 Mar 2015 11:54:46 +0100 +Subject: kvm: move advertising of KVM_CAP_IRQFD to common code + +From: Paolo Bonzini + +commit dc9be0fac70a2ad86e31a81372bb0bdfb6945353 upstream. + +POWER supports irqfds but forgot to advertise them. Some userspace does +not check for the capability, but others check it---thus they work on +x86 and s390 but not POWER. + +To avoid that other architectures in the future make the same mistake, let +common code handle KVM_CAP_IRQFD the same way as KVM_CAP_IRQFD_RESAMPLE. + +Reported-and-tested-by: Greg Kurz +Fixes: 297e21053a52f060944e9f0de4c64fad9bcd72fc +Signed-off-by: Paolo Bonzini +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kvm/kvm-s390.c | 1 - + arch/x86/kvm/x86.c | 1 - + virt/kvm/kvm_main.c | 1 + + 3 files changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -159,7 +159,6 @@ int kvm_vm_ioctl_check_extension(struct + case KVM_CAP_ONE_REG: + case KVM_CAP_ENABLE_CAP: + case KVM_CAP_S390_CSS_SUPPORT: +- case KVM_CAP_IRQFD: + case KVM_CAP_IOEVENTFD: + case KVM_CAP_DEVICE_CTRL: + case KVM_CAP_ENABLE_CAP_VM: +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -2716,7 +2716,6 @@ int kvm_vm_ioctl_check_extension(struct + case KVM_CAP_USER_NMI: + case KVM_CAP_REINJECT_CONTROL: + case KVM_CAP_IRQ_INJECT_STATUS: +- case KVM_CAP_IRQFD: + case KVM_CAP_IOEVENTFD: + case KVM_CAP_IOEVENTFD_NO_LENGTH: + case KVM_CAP_PIT2: +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2416,6 +2416,7 @@ static long kvm_vm_ioctl_check_extension + case KVM_CAP_SIGNAL_MSI: + #endif + #ifdef CONFIG_HAVE_KVM_IRQFD ++ case KVM_CAP_IRQFD: + case KVM_CAP_IRQFD_RESAMPLE: + #endif + case KVM_CAP_CHECK_EXTENSION_VM: 
diff --git a/queue-3.19/libsas-fix-kernel-crash-in-smp_execute_task.patch b/queue-3.19/libsas-fix-kernel-crash-in-smp_execute_task.patch new file mode 100644 index 00000000000..1c6b4b51361 --- /dev/null +++ b/queue-3.19/libsas-fix-kernel-crash-in-smp_execute_task.patch 
@@ -0,0 +1,97 @@ +From 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Wed, 4 Mar 2015 16:18:33 -0800 +Subject: libsas: Fix Kernel Crash in smp_execute_task + +From: James Bottomley + +commit 6302ce4d80aa82b3fdb5c5cd68e7268037091b47 upstream. + +This crash was reported: + +[ 366.947370] sd 3:0:1:0: [sdb] Spinning up disk.... +[ 368.804046] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 368.804072] IP: [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804098] PGD 0 +[ 368.804114] Oops: 0002 [#1] SMP +[ 368.804143] CPU 1 +[ 368.804151] Modules linked in: sg netconsole s3g(PO) uinput joydev hid_multitouch usbhid hid snd_hda_codec_via cpufreq_userspace cpufreq_powersave cpufreq_stats uhci_hcd cpufreq_conservative snd_hda_intel snd_hda_codec snd_hwdep snd_pcm sdhci_pci snd_page_alloc sdhci snd_timer snd psmouse evdev serio_raw pcspkr soundcore xhci_hcd shpchp s3g_drm(O) mvsas mmc_core ahci libahci drm i2c_core acpi_cpufreq mperf video processor button thermal_sys dm_dmirror exfat_fs exfat_core dm_zcache dm_mod padlock_aes aes_generic padlock_sha iscsi_target_mod target_core_mod configfs sswipe libsas libata scsi_transport_sas picdev via_cputemp hwmon_vid fuse parport_pc ppdev lp parport autofs4 ext4 crc16 mbcache jbd2 sd_mod crc_t10dif usb_storage scsi_mod ehci_hcd usbcore usb_common +[ 368.804749] +[ 368.804764] Pid: 392, comm: kworker/u:3 Tainted: P W O 3.4.87-logicube-ng.22 #1 To be filled by O.E.M. 
To be filled by O.E.M./EPIA-M920 +[ 368.804802] RIP: 0010:[] [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.804827] RSP: 0018:ffff880117001cc0 EFLAGS: 00010246 +[ 368.804842] RAX: 0000000000000000 RBX: ffff8801185030d0 RCX: ffff88008edcb420 +[ 368.804857] RDX: 0000000000000000 RSI: 0000000000000002 RDI: ffff8801185030d4 +[ 368.804873] RBP: ffff8801181531c0 R08: 0000000000000020 R09: 00000000fffffffe +[ 368.804885] R10: 0000000000000000 R11: 0000000000000000 R12: ffff8801185030d4 +[ 368.804899] R13: 0000000000000002 R14: ffff880117001fd8 R15: ffff8801185030d8 +[ 368.804916] FS: 0000000000000000(0000) GS:ffff88011fc80000(0000) knlGS:0000000000000000 +[ 368.804931] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 368.804946] CR2: 0000000000000000 CR3: 000000000160b000 CR4: 00000000000006e0 +[ 368.804962] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 368.804978] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 368.804995] Process kworker/u:3 (pid: 392, threadinfo ffff880117000000, task ffff8801181531c0) +[ 368.805009] Stack: +[ 368.805017] ffff8801185030d8 0000000000000000 ffffffff8161ddf0 ffffffff81056f7c +[ 368.805062] 000000000000b503 ffff8801185030d0 ffff880118503000 0000000000000000 +[ 368.805100] ffff8801185030d0 ffff8801188b8000 ffff88008edcb420 ffffffff813583ac +[ 368.805135] Call Trace: +[ 368.805153] [] ? up+0xb/0x33 +[ 368.805168] [] ? mutex_lock+0x16/0x25 +[ 368.805194] [] ? smp_execute_task+0x4e/0x222 [libsas] +[ 368.805217] [] ? sas_find_bcast_dev+0x3c/0x15d [libsas] +[ 368.805240] [] ? sas_find_bcast_dev+0x6f/0x15d [libsas] +[ 368.805264] [] ? sas_ex_revalidate_domain+0x37/0x2ec [libsas] +[ 368.805280] [] ? printk+0x43/0x48 +[ 368.805296] [] ? _raw_spin_unlock_irqrestore+0xc/0xd +[ 368.805318] [] ? sas_revalidate_domain+0x85/0xb6 [libsas] +[ 368.805336] [] ? process_one_work+0x151/0x27c +[ 368.805351] [] ? worker_thread+0xbb/0x152 +[ 368.805366] [] ? manage_workers.isra.29+0x163/0x163 +[ 368.805382] [] ? 
kthread+0x79/0x81 +[ 368.805399] [] ? kernel_thread_helper+0x4/0x10 +[ 368.805416] [] ? kthread_flush_work_fn+0x9/0x9 +[ 368.805431] [] ? gs_change+0x13/0x13 +[ 368.805442] Code: 83 7d 30 63 7e 04 f3 90 eb ab 4c 8d 63 04 4c 8d 7b 08 4c 89 e7 e8 fa 15 00 00 48 8b 43 10 4c 89 3c 24 48 89 63 10 48 89 44 24 08 <48> 89 20 83 c8 ff 48 89 6c 24 10 87 03 ff c8 74 35 4d 89 ee 41 +[ 368.805851] RIP [] __mutex_lock_common.isra.7+0x9c/0x15b +[ 368.805877] RSP +[ 368.805886] CR2: 0000000000000000 +[ 368.805899] ---[ end trace b720682065d8f4cc ]--- + +It's directly caused by 89d3cf6 [SCSI] libsas: add mutex for SMP task +execution, but shows a deeper cause: expander functions expect to be able to +cast to and treat domain devices as expanders. The correct fix is to only do +expander discover when we know we've got an expander device to avoid wrongly +casting a non-expander device. + +Reported-by: Praveen Murali +Tested-by: Praveen Murali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/libsas/sas_discover.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/libsas/sas_discover.c ++++ b/drivers/scsi/libsas/sas_discover.c +@@ -500,6 +500,7 @@ static void sas_revalidate_domain(struct + struct sas_discovery_event *ev = to_sas_discovery_event(work); + struct asd_sas_port *port = ev->port; + struct sas_ha_struct *ha = port->ha; ++ struct domain_device *ddev = port->port_dev; + + /* prevent revalidation from finding sata links in recovery */ + mutex_lock(&ha->disco_mutex); +@@ -514,8 +515,9 @@ static void sas_revalidate_domain(struct + SAS_DPRINTK("REVALIDATING DOMAIN on port %d, pid:%d\n", port->id, + task_pid_nr(current)); + +- if (port->port_dev) +- res = sas_ex_revalidate_domain(port->port_dev); ++ if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ++ ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE)) ++ res = sas_ex_revalidate_domain(ddev); + + SAS_DPRINTK("done REVALIDATING DOMAIN on port %d, pid:%d, res 
0x%x\n", + port->id, task_pid_nr(current), res); diff --git a/queue-3.19/netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch b/queue-3.19/netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch new file mode 100644 index 00000000000..87bd6b470e2 --- /dev/null +++ b/queue-3.19/netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch 
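Review bot: The new guard `if (ddev && (ddev->dev_type == SAS_FANOUT_EXPANDER_DEVICE || ddev->dev_type == SAS_EDGE_EXPANDER_DEVICE))` stops the crash but leaves the reason implicit; since the commit message identifies the root cause as casting a non-expander domain_device to an expander, the check deserves a comment so a later refactor does not drop it: `/* sas_ex_revalidate_domain() treats port_dev as an expander; never hand it an end device */`. The same dev_type pair is presumably tested in other discovery paths, and a small helper such as `static inline bool dev_is_expander(struct domain_device *dev)` would keep them consistent, though that is beyond this fix. `res` is printed on the path where the new condition is false and its initialisation is outside the hunk, so confirm it is defined there.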
@@ -0,0 +1,76 @@ +From 02263db00b6cb98701332aa257c07ca549c2324b Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Fri, 20 Feb 2015 17:11:10 +0100 +Subject: netfilter: nf_tables: fix addition/deletion of elements from commit/abort + +From: Pablo Neira Ayuso + +commit 02263db00b6cb98701332aa257c07ca549c2324b upstream. + +We have several problems in this path: + +1) There is a use-after-free when removing individual elements from + the commit path. + +2) We have to uninit() the data part of the element from the abort + path to avoid a chain refcount leak. + +3) We have to check for set->flags to see if there's a mapping, instead + of the element flags. + +4) We have to check for !(flags & NFT_SET_ELEM_INTERVAL_END) to skip + elements that are part of the interval that have no data part, so + they don't need to be uninit(). + +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_tables_api.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/netfilter/nf_tables_api.c ++++ b/net/netfilter/nf_tables_api.c +@@ -3606,12 +3606,11 @@ static int nf_tables_commit(struct sk_bu + &te->elem, + NFT_MSG_DELSETELEM, 0); + te->set->ops->get(te->set, &te->elem); +- te->set->ops->remove(te->set, &te->elem); + nft_data_uninit(&te->elem.key, NFT_DATA_VALUE); +- if (te->elem.flags & NFT_SET_MAP) { +- nft_data_uninit(&te->elem.data, +- te->set->dtype); +- } ++ if (te->set->flags & NFT_SET_MAP && ++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END)) ++ nft_data_uninit(&te->elem.data, te->set->dtype); ++ te->set->ops->remove(te->set, &te->elem); + nft_trans_destroy(trans); + break; + } +@@ -3652,7 +3651,7 @@ static int nf_tables_abort(struct sk_buf + { + struct net *net = sock_net(skb->sk); + struct nft_trans *trans, *next; +- struct nft_set *set; ++ struct nft_trans_elem *te; + + list_for_each_entry_safe(trans, next, &net->nft.commit_list, list) { + switch (trans->msg_type) { +@@ -3713,9 +3712,13 @@ static 
int nf_tables_abort(struct sk_buf + break; + case NFT_MSG_NEWSETELEM: + nft_trans_elem_set(trans)->nelems--; +- set = nft_trans_elem_set(trans); +- set->ops->get(set, &nft_trans_elem(trans)); +- set->ops->remove(set, &nft_trans_elem(trans)); ++ te = (struct nft_trans_elem *)trans->data; ++ te->set->ops->get(te->set, &te->elem); ++ nft_data_uninit(&te->elem.key, NFT_DATA_VALUE); ++ if (te->set->flags & NFT_SET_MAP && ++ !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END)) ++ nft_data_uninit(&te->elem.data, te->set->dtype); ++ te->set->ops->remove(te->set, &te->elem); + nft_trans_destroy(trans); + break; + case NFT_MSG_DELSETELEM: diff --git a/queue-3.19/netfilter-nf_tables-fix-transaction-race-condition.patch b/queue-3.19/netfilter-nf_tables-fix-transaction-race-condition.patch new file mode 100644 index 00000000000..22113e55723 --- /dev/null +++ b/queue-3.19/netfilter-nf_tables-fix-transaction-race-condition.patch 
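Review bot: The abort path's NFT_MSG_NEWSETELEM case open-codes `te = (struct nft_trans_elem *)trans->data;` although the lines it replaces used the `nft_trans_elem_set(trans)`/`nft_trans_elem(trans)` accessors, and the same get/uninit/uninit/remove sequence now appears verbatim in both nf_tables_commit() and nf_tables_abort(). A small static helper taking `te` would keep the two paths from drifting, and the condition reads more safely as `if ((te->set->flags & NFT_SET_MAP) && !(te->elem.flags & NFT_SET_ELEM_INTERVAL_END))`, which makes the bitwise-vs-logical precedence explicit. The ordering is the actual fix and deserves a line at both sites, hedged because the remove implementation is not in the hunk: `/* uninit before remove: remove() presumably frees the element (see commit message) */`. Both enclosing functions start and end outside the hunk.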
@@ -0,0 +1,55 @@ +From 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Tue, 3 Mar 2015 20:04:18 +0000 +Subject: netfilter: nf_tables: fix transaction race condition + +From: Patrick McHardy + +commit 8670c3a55e91cb27a4b4d4d4c4fa35b0149e1abf upstream. + +A race condition exists in the rule transaction code for rules that +get added and removed within the same transaction. + +The new rule starts out as inactive in the current and active in the +next generation and is inserted into the ruleset. When it is deleted, +it is additionally set to inactive in the next generation as well. + +On commit the next generation is begun, then the actions are finalized. +For the new rule this would mean clearing out the inactive bit for +the previously current, now next generation. + +However nft_rule_clear() clears out the bits for *both* generations, +activating the rule in the current generation, where it should be +deactivated due to being deleted. The rule will thus be active until +the deletion is finalized, removing the rule from the ruleset. + +Similarly, when aborting a transaction for the same case, the undo +of insertion will remove it from the RCU protected rule list, the +deletion will clear out all bits. However until the next RCU +synchronization after all operations have been undone, the rule is +active on CPUs which can still see the rule on the list. + +Generally, there may never be any modifications of the current +generations' inactive bit since this defeats the entire purpose of +atomicity. Change nft_rule_clear() to only touch the next generations +bit to fix this. 
+
+Signed-off-by: Patrick McHardy
+Signed-off-by: Pablo Neira Ayuso
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/netfilter/nf_tables_api.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/netfilter/nf_tables_api.c
++++ b/net/netfilter/nf_tables_api.c
+@@ -227,7 +227,7 @@ nft_rule_deactivate_next(struct net *net
+
+ static inline void nft_rule_clear(struct net *net, struct nft_rule *rule)
+ {
+- rule->genmask = 0;
++ rule->genmask &= ~(1 << gencursor_next(net));
+ }
+
+ static int
diff --git a/queue-3.19/netfilter-nft_compat-fix-module-refcount-underflow.patch b/queue-3.19/netfilter-nft_compat-fix-module-refcount-underflow.patch
new file mode 100644
index 00000000000..3829dd62b82
--- /dev/null
+++ b/queue-3.19/netfilter-nft_compat-fix-module-refcount-underflow.patch
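Review bot: `rule->genmask &= ~(1 << gencursor_next(net));` carries the whole subtlety of this fix, yet nothing at the site says why the current generation's bit must be left alone, so a later "simplification" back to `= 0` would reintroduce the race. Suggest a comment above the statement: `/* Only clear the next generation's bit: a rule's current-generation inactive bit must never change inside a transaction, or a rule added and deleted in the same transaction becomes briefly active (see commit message). */`. The expression also appears to rely on gencursor_next() returning a small bit index (0 or 1), which the hunk does not show; worth stating in the same comment.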
@@ -0,0 +1,61 @@ +From 520aa7414bb590f39d0d1591b06018e60cbc7cf4 Mon Sep 17 00:00:00 2001 +From: Pablo Neira Ayuso +Date: Thu, 12 Feb 2015 22:15:31 +0100 +Subject: netfilter: nft_compat: fix module refcount underflow + +From: Pablo Neira Ayuso + +commit 520aa7414bb590f39d0d1591b06018e60cbc7cf4 upstream. + +Feb 12 18:20:42 nfdev kernel: ------------[ cut here ]------------ +Feb 12 18:20:42 nfdev kernel: WARNING: CPU: 4 PID: 4359 at kernel/module.c:963 module_put+0x9b/0xba() +Feb 12 18:20:42 nfdev kernel: CPU: 4 PID: 4359 Comm: ebtables-compat Tainted: G W 3.19.0-rc6+ #43 +[...] +Feb 12 18:20:42 nfdev kernel: Call Trace: +Feb 12 18:20:42 nfdev kernel: [] dump_stack+0x4c/0x65 +Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_common+0x9c/0xb6 +Feb 12 18:20:42 nfdev kernel: [] ? module_put+0x9b/0xba +Feb 12 18:20:42 nfdev kernel: [] warn_slowpath_null+0x15/0x17 +Feb 12 18:20:42 nfdev kernel: [] module_put+0x9b/0xba +Feb 12 18:20:42 nfdev kernel: [] nft_match_destroy+0x45/0x4c +Feb 12 18:20:42 nfdev kernel: [] nf_tables_rule_destroy+0x28/0x70 + +Reported-by: Arturo Borrero Gonzalez +Signed-off-by: Pablo Neira Ayuso +Tested-by: Arturo Borrero Gonzalez +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nft_compat.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/net/netfilter/nft_compat.c ++++ b/net/netfilter/nft_compat.c +@@ -578,8 +578,12 @@ nft_match_select_ops(const struct nft_ct + struct xt_match *match = nft_match->ops.data; + + if (strcmp(match->name, mt_name) == 0 && +- match->revision == rev && match->family == family) ++ match->revision == rev && match->family == family) { ++ if (!try_module_get(match->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_match->ops; ++ } + } + + match = xt_request_find_match(family, mt_name, rev); +@@ -648,8 +652,12 @@ nft_target_select_ops(const struct nft_c + struct xt_target *target = nft_target->ops.data; + + if (strcmp(target->name, tg_name) == 0 && +- target->revision == rev && target->family 
== family) ++ target->revision == rev && target->family == family) { ++ if (!try_module_get(target->me)) ++ return ERR_PTR(-ENOENT); ++ + return &nft_target->ops; ++ } + } + + target = xt_request_find_target(family, tg_name, rev); diff --git a/queue-3.19/netfilter-xt_socket-fix-a-stack-corruption-bug.patch b/queue-3.19/netfilter-xt_socket-fix-a-stack-corruption-bug.patch new file mode 100644 index 00000000000..dc3e54f7365 --- /dev/null +++ b/queue-3.19/netfilter-xt_socket-fix-a-stack-corruption-bug.patch 
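Review bot: The two new `try_module_get()` blocks in nft_match_select_ops() and nft_target_select_ops() take a module reference that must be balanced by a module_put() in the destroy path (the trace in the description shows nft_match_destroy() calling module_put()), but nothing at the call site records that contract. Suggest a comment on each: `/* balanced by module_put() in nft_match_destroy() */` (the target-side destroy function is outside the hunk, so confirm its name before quoting it). The failure case returns -ENOENT, which callers cannot distinguish from "no such match/target"; since try_module_get() fails only while the module is going away, a `/* module is being unloaded */` comment would make that choice deliberate. Both functions continue outside the hunk, and the fallthrough path through xt_request_find_match()/xt_request_find_target() is not shown.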
@@ -0,0 +1,85 @@ +From 78296c97ca1fd3b104f12e1f1fbc06c46635990b Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 15 Feb 2015 19:03:45 -0800 +Subject: netfilter: xt_socket: fix a stack corruption bug + +From: Eric Dumazet + +commit 78296c97ca1fd3b104f12e1f1fbc06c46635990b upstream. + +As soon as extract_icmp6_fields() returns, its local storage (automatic +variables) is deallocated and can be overwritten. + +Lets add an additional parameter to make sure storage is valid long +enough. + +While we are at it, adds some const qualifiers. + +Signed-off-by: Eric Dumazet +Fixes: b64c9256a9b76 ("tproxy: added IPv6 support to the socket match") +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/xt_socket.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/net/netfilter/xt_socket.c ++++ b/net/netfilter/xt_socket.c +@@ -243,12 +243,13 @@ static int + extract_icmp6_fields(const struct sk_buff *skb, + unsigned int outside_hdrlen, + int *protocol, +- struct in6_addr **raddr, +- struct in6_addr **laddr, ++ const struct in6_addr **raddr, ++ const struct in6_addr **laddr, + __be16 *rport, +- __be16 *lport) ++ __be16 *lport, ++ struct ipv6hdr *ipv6_var) + { +- struct ipv6hdr *inside_iph, _inside_iph; ++ const struct ipv6hdr *inside_iph; + struct icmp6hdr *icmph, _icmph; + __be16 *ports, _ports[2]; + u8 inside_nexthdr; +@@ -263,12 +264,14 @@ extract_icmp6_fields(const struct sk_buf + if (icmph->icmp6_type & ICMPV6_INFOMSG_MASK) + return 1; + +- inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), sizeof(_inside_iph), &_inside_iph); ++ inside_iph = skb_header_pointer(skb, outside_hdrlen + sizeof(_icmph), ++ sizeof(*ipv6_var), ipv6_var); + if (inside_iph == NULL) + return 1; + inside_nexthdr = inside_iph->nexthdr; + +- inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + sizeof(_inside_iph), ++ inside_hdrlen = ipv6_skip_exthdr(skb, outside_hdrlen + sizeof(_icmph) + 
++ sizeof(*ipv6_var), + &inside_nexthdr, &inside_fragoff); + if (inside_hdrlen < 0) + return 1; /* hjm: Packet has no/incomplete transport layer headers. */ +@@ -315,10 +318,10 @@ xt_socket_get_sock_v6(struct net *net, c + static bool + socket_mt6_v1_v2(const struct sk_buff *skb, struct xt_action_param *par) + { +- struct ipv6hdr *iph = ipv6_hdr(skb); ++ struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb); + struct udphdr _hdr, *hp = NULL; + struct sock *sk = skb->sk; +- struct in6_addr *daddr = NULL, *saddr = NULL; ++ const struct in6_addr *daddr = NULL, *saddr = NULL; + __be16 uninitialized_var(dport), uninitialized_var(sport); + int thoff = 0, uninitialized_var(tproto); + const struct xt_socket_mtinfo1 *info = (struct xt_socket_mtinfo1 *) par->matchinfo; +@@ -342,7 +345,7 @@ socket_mt6_v1_v2(const struct sk_buff *s + + } else if (tproto == IPPROTO_ICMPV6) { + if (extract_icmp6_fields(skb, thoff, &tproto, &saddr, &daddr, +- &sport, &dport)) ++ &sport, &dport, &ipv6_var)) + return false; + } else { + return false; diff --git a/queue-3.19/of-fix-handling-of-in-options-for-of_find_node_by_path.patch b/queue-3.19/of-fix-handling-of-in-options-for-of_find_node_by_path.patch new file mode 100644 index 00000000000..3d980ffb3c7 --- /dev/null +++ b/queue-3.19/of-fix-handling-of-in-options-for-of_find_node_by_path.patch 
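Review bot: extract_icmp6_fields() now hands back `*raddr`/`*laddr` that may point into the caller-supplied `ipv6_var`, and that lifetime contract is exactly what the bug was about, yet the new parameter is undocumented. A short comment on the prototype would capture it: `/* @ipv6_var: caller-owned storage for the inner IPv6 header; *raddr/*laddr may point into it, so it must outlive their use */`. In socket_mt6_v1_v2() the declaration `struct ipv6hdr ipv6_var, *iph = ipv6_hdr(skb);` mixes a new stack object and an initialised pointer on one line; splitting it into two declarations is the usual kernel style and makes the added stack object visible. The rest of both functions lies outside the hunk.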
@@ -0,0 +1,72 @@ +From 106937e8ccdcf0f4b95fbf0fe9abd42766cade33 Mon Sep 17 00:00:00 2001 +From: Leif Lindholm +Date: Fri, 6 Mar 2015 16:52:53 +0000 +Subject: of: fix handling of '/' in options for of_find_node_by_path() + +From: Leif Lindholm + +commit 106937e8ccdcf0f4b95fbf0fe9abd42766cade33 upstream. + +Ensure proper handling of paths with appended options (after ':'), +where those options may contain a '/'. + +Fixes: 7914a7c5651a ("of: support passing console options with stdout-path") +Reported-by: Peter Hurley +Signed-off-by: Leif Lindholm +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -714,16 +714,17 @@ static struct device_node *__of_find_nod + const char *path) + { + struct device_node *child; +- int len = strchrnul(path, '/') - path; +- int term; ++ int len; ++ const char *end; + ++ end = strchr(path, ':'); ++ if (!end) ++ end = strchrnul(path, '/'); ++ ++ len = end - path; + if (!len) + return NULL; + +- term = strchrnul(path, ':') - path; +- if (term < len) +- len = term; +- + __for_each_child_of_node(parent, child) { + const char *name = strrchr(child->full_name, '/'); + if (WARN(!name, "malformed device_node %s\n", child->full_name)) +@@ -768,8 +769,12 @@ struct device_node *of_find_node_opts_by + + /* The path could begin with an alias */ + if (*path != '/') { +- char *p = strchrnul(path, '/'); +- int len = separator ? 
separator - path : p - path; ++ int len; ++ const char *p = separator; ++ ++ if (!p) ++ p = strchrnul(path, '/'); ++ len = p - path; + + /* of_aliases must not be NULL */ + if (!of_aliases) +@@ -794,6 +799,8 @@ struct device_node *of_find_node_opts_by + path++; /* Increment past '/' delimiter */ + np = __of_find_node_by_path(np, path); + path = strchrnul(path, '/'); ++ if (separator && separator < path) ++ break; + } + raw_spin_unlock_irqrestore(&devtree_lock, flags); + return np; diff --git a/queue-3.19/of-handle-both-and-in-path-strings.patch b/queue-3.19/of-handle-both-and-in-path-strings.patch new file mode 100644 index 00000000000..77a03304d1f --- /dev/null +++ b/queue-3.19/of-handle-both-and-in-path-strings.patch 
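Review bot: The alias branch of of_find_node_opts_by_path() still takes `p = separator` whenever a ':' exists, so a path such as `alias/child:opts` (constructed example) gets `len` spanning `alias/child` and the alias lookup fails — the same sequential-check mistake that __of_find_node_by_path() has in the first hunk. The later patch in this series (of-handle-both-and-in-path-strings) switches __of_find_node_by_path() to strcspn() but does not touch this alias block. Provided `separator` is the first ':' in the path (its computation is outside the hunk — confirm), the branch should stop at whichever delimiter comes first: `const char *p = strchrnul(path, '/');` / `if (separator && separator < p)` / `p = separator;`. Both functions start before the hunk and continue past it.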
@@ -0,0 +1,51 @@ +From 721a09e95c786346b4188863a1cfa3909c76f690 Mon Sep 17 00:00:00 2001 +From: Brian Norris +Date: Tue, 17 Mar 2015 12:30:31 -0700 +Subject: of: handle both '/' and ':' in path strings + +From: Brian Norris + +commit 721a09e95c786346b4188863a1cfa3909c76f690 upstream. + +Commit 106937e8ccdc ("of: fix handling of '/' in options for +of_find_node_by_path()") caused a regression in OF handling of +stdout-path. While it fixes some cases which have '/' after the ':', it +breaks cases where there is more than one '/' *before* the ':'. + +For example, it breaks this boot string + + stdout-path = "/rdb/serial@f040ab00:115200"; + +So rather than doing sequentialized checks (first for '/', then for ':'; +or vice versa), to get the correct behavior we need to check for the +first occurrence of either one of them. + +It so happens that the handy strcspn() helper can do just that. + +Fixes: 106937e8ccdc ("of: fix handling of '/' in options for of_find_node_by_path()") +Signed-off-by: Brian Norris +Acked-by: Leif Lindholm +Signed-off-by: Rob Herring +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/of/base.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/of/base.c ++++ b/drivers/of/base.c +@@ -715,13 +715,8 @@ static struct device_node *__of_find_nod + { + struct device_node *child; + int len; +- const char *end; + +- end = strchr(path, ':'); +- if (!end) +- end = strchrnul(path, '/'); +- +- len = end - path; ++ len = strcspn(path, "/:"); + if (!len) + return NULL; + diff --git a/queue-3.19/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch b/queue-3.19/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch new file mode 100644 index 00000000000..df2e4dd5fbd --- /dev/null +++ b/queue-3.19/pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch 
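Review bot: `len = strcspn(path, "/:");` silently encodes that both '/' and ':' terminate a component name and that the earlier one wins; a one-line comment would stop the next person from reintroducing the sequential strchr()/strchrnul() checks this replaces: `/* a component ends at the first '/' or ':'; options after ':' may themselves contain '/' */`. The function body continues outside the hunk.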
@@ -0,0 +1,45 @@
+From ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 9 Mar 2015 23:11:12 +0200
+Subject: pagemap: do not leak physical addresses to non-privileged userspace
+
+From: "Kirill A. Shutemov"
+
+commit ab676b7d6fbf4b294bf198fb27ade5b0e865c7ce upstream.
+
+As pointed by recent post[1] on exploiting DRAM physical imperfection,
+/proc/PID/pagemap exposes sensitive information which can be used to do
+attacks.
+
+This disallows anybody without CAP_SYS_ADMIN to read the pagemap.
+
+[1] http://googleprojectzero.blogspot.com/2015/03/exploiting-dram-rowhammer-bug-to-gain.html
+
+[ Eventually we might want to do anything more finegrained, but for now
+ this is the simple model. - Linus ]
+
+Signed-off-by: Kirill A. Shutemov
+Acked-by: Konstantin Khlebnikov
+Acked-by: Andy Lutomirski
+Cc: Pavel Emelyanov
+Cc: Andrew Morton
+Cc: Mark Seaborn
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/task_mmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -1326,6 +1326,9 @@ out:
+
+ static int pagemap_open(struct inode *inode, struct file *file)
+ {
++ /* do not disclose physical addresses: attack vector */
++ if (!capable(CAP_SYS_ADMIN))
++ return -EPERM;
+ pr_warn_once("Bits 55-60 of /proc/PID/pagemap entries are about "
+ "to stop being page-shift some time soon. See the "
+ "linux/Documentation/vm/pagemap.txt for details.\n");
diff --git a/queue-3.19/pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch b/queue-3.19/pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
new file mode 100644
index 00000000000..d36827b10b7
--- /dev/null
+++ b/queue-3.19/pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch
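Review bot: The `capable(CAP_SYS_ADMIN)` check sits in pagemap_open(), so it is evaluated once against the opener's credentials; a descriptor opened by a privileged process and later inherited by or passed to an unprivileged one still yields physical frame numbers. That is the usual open-time model for procfs and matches the "simple model" the description announces, but the one-line comment should say so: `/* do not disclose physical addresses: attack vector. Checked at open(), so the fd carries the privilege. */`. Documenting it gives anyone later weighing a per-read check the design choice explicitly. pagemap_open() continues beyond the hunk.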
@@ -0,0 +1,47 @@
+From 4efe874aace57dba967624ce1c48322da2447b75 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 4 Feb 2015 17:38:15 -0500
+Subject: PCI: Don't read past the end of sysfs "driver_override" buffer
+
+From: Sasha Levin
+
+commit 4efe874aace57dba967624ce1c48322da2447b75 upstream.
+
+When printing the driver_override parameter when it is 4095 and 4094 bytes
+long, the printing code would access invalid memory because we need count+1
+bytes for printing.
+
+Fixes: 782a985d7af2 ("PCI: Introduce new device binding path using pci_dev.driver_override")
+Signed-off-by: Sasha Levin
+Signed-off-by: Bjorn Helgaas
+Acked-by: Alex Williamson
+CC: Konrad Rzeszutek Wilk
+CC: Alexander Graf
+CC: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/pci-sysfs.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/pci-sysfs.c
++++ b/drivers/pci/pci-sysfs.c
+@@ -521,7 +521,8 @@ static ssize_t driver_override_store(str
+ struct pci_dev *pdev = to_pci_dev(dev);
+ char *driver_override, *old = pdev->driver_override, *cp;
+
+- if (count > PATH_MAX)
++ /* We need to keep extra room for a newline */
++ if (count >= (PAGE_SIZE - 1))
+ return -EINVAL;
+
+ driver_override = kstrndup(buf, count, GFP_KERNEL);
+@@ -549,7 +550,7 @@ static ssize_t driver_override_show(stru
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+
+- return sprintf(buf, "%s\n", pdev->driver_override);
++ return snprintf(buf, PAGE_SIZE, "%s\n", pdev->driver_override);
+ }
+ static DEVICE_ATTR_RW(driver_override);
+
diff --git a/queue-3.19/powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch b/queue-3.19/powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch
new file mode 100644
index 00000000000..bcc49e67163
--- /dev/null
+++ b/queue-3.19/powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch
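Review bot: driver_override_show() reads `pdev->driver_override` with no lock visible in the hunk while driver_override_store() swaps it out (the `*old = pdev->driver_override` it saves is presumably freed later in the function, outside the hunk), so a concurrent show could print a string that is being freed; the switch from sprintf() to snprintf() bounds the copy but does not address that. If the rest of the two functions takes no device lock around the swap, holding device_lock(dev) in both paths would close it — confirm against the code outside the hunk. The new bound `count >= (PAGE_SIZE - 1)` is right for a page-sized show buffer (string, '\n', NUL), but the comment mentions only the newline; `/* string + '\n' + NUL must fit in the PAGE_SIZE show buffer */` states the full reason.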
@@ -0,0 +1,133 @@ +From 4ad04e5987115ece5fa8a0cf1dc72fcd4707e33e Mon Sep 17 00:00:00 2001 +From: Nishanth Aravamudan +Date: Sat, 21 Feb 2015 11:00:50 -0800 +Subject: powerpc/iommu: Remove IOMMU device references via bus notifier + +From: Nishanth Aravamudan + +commit 4ad04e5987115ece5fa8a0cf1dc72fcd4707e33e upstream. + +After d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier"), the +refcnt on the kobject backing the IOMMU group for a PCI device is +elevated by each call to pci_dma_dev_setup_pSeriesLP() (via +set_iommu_table_base_and_group). When we go to dlpar a multi-function +PCI device out: + + iommu_reconfig_notifier -> + iommu_free_table -> + iommu_group_put + BUG_ON(tbl->it_group) + +We trip this BUG_ON, because there are still references on the table, so +it is not freed. Fix this by moving the powernv bus notifier to common +code and calling it for both powernv and pseries. + +Fixes: d905c5df9aef ("PPC: POWERNV: move iommu_add_device earlier") +Signed-off-by: Nishanth Aravamudan +Tested-by: Nishanth Aravamudan +Signed-off-by: Michael Ellerman +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/iommu.h | 6 ++++++ + arch/powerpc/kernel/iommu.c | 26 ++++++++++++++++++++++++++ + arch/powerpc/platforms/powernv/pci.c | 26 -------------------------- + arch/powerpc/platforms/pseries/iommu.c | 2 ++ + 4 files changed, 34 insertions(+), 26 deletions(-) + +--- a/arch/powerpc/include/asm/iommu.h ++++ b/arch/powerpc/include/asm/iommu.h +@@ -113,6 +113,7 @@ extern void iommu_register_group(struct + int pci_domain_number, unsigned long pe_num); + extern int iommu_add_device(struct device *dev); + extern void iommu_del_device(struct device *dev); ++extern int __init tce_iommu_bus_notifier_init(void); + #else + static inline void iommu_register_group(struct iommu_table *tbl, + int pci_domain_number, +@@ -128,6 +129,11 @@ static inline int iommu_add_device(struc + static inline void iommu_del_device(struct device *dev) + { + } ++ ++static inline int 
__init tce_iommu_bus_notifier_init(void) ++{ ++ return 0; ++} + #endif /* !CONFIG_IOMMU_API */ + + static inline void set_iommu_table_base_and_group(struct device *dev, +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -1175,4 +1175,30 @@ void iommu_del_device(struct device *dev + } + EXPORT_SYMBOL_GPL(iommu_del_device); + ++static int tce_iommu_bus_notifier(struct notifier_block *nb, ++ unsigned long action, void *data) ++{ ++ struct device *dev = data; ++ ++ switch (action) { ++ case BUS_NOTIFY_ADD_DEVICE: ++ return iommu_add_device(dev); ++ case BUS_NOTIFY_DEL_DEVICE: ++ if (dev->iommu_group) ++ iommu_del_device(dev); ++ return 0; ++ default: ++ return 0; ++ } ++} ++ ++static struct notifier_block tce_iommu_bus_nb = { ++ .notifier_call = tce_iommu_bus_notifier, ++}; ++ ++int __init tce_iommu_bus_notifier_init(void) ++{ ++ bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb); ++ return 0; ++} + #endif /* CONFIG_IOMMU_API */ +--- a/arch/powerpc/platforms/powernv/pci.c ++++ b/arch/powerpc/platforms/powernv/pci.c +@@ -866,30 +866,4 @@ void __init pnv_pci_init(void) + #endif + } + +-static int tce_iommu_bus_notifier(struct notifier_block *nb, +- unsigned long action, void *data) +-{ +- struct device *dev = data; +- +- switch (action) { +- case BUS_NOTIFY_ADD_DEVICE: +- return iommu_add_device(dev); +- case BUS_NOTIFY_DEL_DEVICE: +- if (dev->iommu_group) +- iommu_del_device(dev); +- return 0; +- default: +- return 0; +- } +-} +- +-static struct notifier_block tce_iommu_bus_nb = { +- .notifier_call = tce_iommu_bus_notifier, +-}; +- +-static int __init tce_iommu_bus_notifier_init(void) +-{ +- bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb); +- return 0; +-} + machine_subsys_initcall_sync(powernv, tce_iommu_bus_notifier_init); +--- a/arch/powerpc/platforms/pseries/iommu.c ++++ b/arch/powerpc/platforms/pseries/iommu.c +@@ -1340,3 +1340,5 @@ static int __init disable_multitce(char + } + + __setup("multitce=", disable_multitce); ++ 
++machine_subsys_initcall_sync(pseries, tce_iommu_bus_notifier_init); diff --git a/queue-3.19/powerpc-smp-wait-until-secondaries-are-active-online.patch b/queue-3.19/powerpc-smp-wait-until-secondaries-are-active-online.patch new file mode 100644 index 00000000000..ad655378cf6 --- /dev/null +++ b/queue-3.19/powerpc-smp-wait-until-secondaries-are-active-online.patch 
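Review bot: tce_iommu_bus_notifier_init() discards the result of bus_register_notifier() and always returns 0, so a failed registration would leave devices without the iommu_add_device()/iommu_del_device() handling this patch relies on and nothing would report it; now that the function is shared by powernv and pseries, `return bus_register_notifier(&pci_bus_type, &tce_iommu_bus_nb);` propagates the error to the initcall machinery at no cost. Since the function becomes a cross-file interface, the declaration in iommu.h should carry a kernel-doc comment giving its purpose (register the PCI bus notifier that adds devices to, and removes them from, their IOMMU group) and its return value. The kernel/iommu.c hunk is otherwise a verbatim move of the powernv code.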
@@ -0,0 +1,61 @@ +From 875ebe940d77a41682c367ad799b4f39f128d3fa Mon Sep 17 00:00:00 2001 +From: Michael Ellerman +Date: Tue, 24 Feb 2015 17:58:02 +1100 +Subject: powerpc/smp: Wait until secondaries are active & online + +From: Michael Ellerman + +commit 875ebe940d77a41682c367ad799b4f39f128d3fa upstream. + +Anton has a busy ppc64le KVM box where guests sometimes hit the infamous +"kernel BUG at kernel/smpboot.c:134!" issue during boot: + + BUG_ON(td->cpu != smp_processor_id()); + +Basically a per CPU hotplug thread scheduled on the wrong CPU. The oops +output confirms it: + + CPU: 0 + Comm: watchdog/130 + +The problem is that we aren't ensuring the CPU active bit is set for the +secondary before allowing the master to continue on. The master unparks +the secondary CPU's kthreads and the scheduler looks for a CPU to run +on. It calls select_task_rq() and realises the suggested CPU is not in +the cpus_allowed mask. It then ends up in select_fallback_rq(), and +since the active bit isnt't set we choose some other CPU to run on. + +This seems to have been introduced by 6acbfb96976f "sched: Fix hotplug +vs. set_cpus_allowed_ptr()", which changed from setting active before +online to setting active after online. However that was in turn fixing a +bug where other code assumed an active CPU was also online, so we can't +just revert that fix. + +The simplest fix is just to spin waiting for both active & online to be +set. We already have a barrier prior to set_cpu_online() (which also +sets active), to ensure all other setup is completed before online & +active are set. + +Fixes: 6acbfb96976f ("sched: Fix hotplug vs. 
set_cpus_allowed_ptr()")
+Signed-off-by: Michael Ellerman
+Signed-off-by: Anton Blanchard
+Signed-off-by: Michael Ellerman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/smp.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/smp.c
++++ b/arch/powerpc/kernel/smp.c
+@@ -555,8 +555,8 @@ int __cpu_up(unsigned int cpu, struct ta
+ if (smp_ops->give_timebase)
+ smp_ops->give_timebase();
+
+- /* Wait until cpu puts itself in the online map */
+- while (!cpu_online(cpu))
++ /* Wait until cpu puts itself in the online & active maps */
++ while (!cpu_online(cpu) || !cpu_active(cpu))
+ cpu_relax();
+
+ return 0;
diff --git a/queue-3.19/series b/queue-3.19/series
index 4ea0e8342f0..3dcf9f166d8 100644
--- a/queue-3.19/series
+++ b/queue-3.19/series
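Review bot: The new wait loop spins unbounded on two flags set by the secondary, and its comment says what it waits for but not why both bits matter; the ordering argument from the description belongs next to the code, e.g. `/* Wait until cpu puts itself in the online & active maps: the secondary's barrier before set_cpu_online() orders its setup before both, and the scheduler needs active set before its kthreads are unparked */`. Whether an earlier part of __cpu_up() (outside the hunk) already bounds the wait for the secondary with a timeout is not visible here; if it does, consider whether this loop needs the same treatment.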
@@ -82,3 +82,30 @@ drm-vmwgfx-fix-a-couple-of-lock-dependency-violations.patch drm-don-t-assign-fbs-for-universal-cursor-support-to-files.patch drm-i915-add-dev_to_i915-helper.patch drm-i915-gen4-work-around-hang-during-hibernation.patch +drivers-rtc-rtc-s3c.c-add-.needs_src_clk-to-s3c6410-rtc-data.patch +xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch +x86-xen-correct-bug-in-p2m-list-initialization.patch +xen-pciback-limit-guest-control-of-command-register.patch +of-fix-handling-of-in-options-for-of_find_node_by_path.patch +of-handle-both-and-in-path-strings.patch +gadgetfs-use-after-free-in-aio_read.patch +libsas-fix-kernel-crash-in-smp_execute_task.patch +pci-don-t-read-past-the-end-of-sysfs-driver_override-buffer.patch +irqchip-armada-370-xp-fix-chained-per-cpu-interrupts.patch +pagemap-do-not-leak-physical-addresses-to-non-privileged-userspace.patch +crypto-arm-aes-update-neon-aes-module-to-latest-openssl-version.patch +crypto-aesni-fix-memory-usage-in-gcm-decryption.patch +x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch +x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch +kvm-move-advertising-of-kvm_cap_irqfd-to-common-code.patch +x86-vdso-fix-the-build-on-gcc5.patch +x86-asm-entry-32-fix-user_mode-misuses.patch +x86-apic-numachip-fix-sibling-map-with-numachip.patch +powerpc-smp-wait-until-secondaries-are-active-online.patch +powerpc-iommu-remove-iommu-device-references-via-bus-notifier.patch +ipvs-add-missing-ip_vs_pe_put-in-sync-code.patch +ipvs-fix-inability-to-remove-a-mixed-family-rs.patch +netfilter-nft_compat-fix-module-refcount-underflow.patch +netfilter-xt_socket-fix-a-stack-corruption-bug.patch +netfilter-nf_tables-fix-transaction-race-condition.patch +netfilter-nf_tables-fix-addition-deletion-of-elements-from-commit-abort.patch 
diff --git a/queue-3.19/x86-apic-numachip-fix-sibling-map-with-numachip.patch b/queue-3.19/x86-apic-numachip-fix-sibling-map-with-numachip.patch new file mode 100644 index 00000000000..2c2fc30afa7 --- /dev/null +++ b/queue-3.19/x86-apic-numachip-fix-sibling-map-with-numachip.patch 
@@ -0,0 +1,86 @@ +From c8a470cab030bae8f9e6e5cfff72b047b7c627a7 Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman +Date: Thu, 12 Mar 2015 16:55:13 +0100 +Subject: x86/apic/numachip: Fix sibling map with NumaChip + +From: Daniel J Blueman + +commit c8a470cab030bae8f9e6e5cfff72b047b7c627a7 upstream. + +On NumaChip systems, the physical processor ID assignment wasn't +accounting for the number of nodes in AMD multi-module +processors, giving an incorrect sibling map: + + $ cd /sys/devices/system/cpu/cpu29/topology + $ grep . * + core_id:5 + core_siblings:00000000,ff000000 + core_siblings_list:24-31 + physical_package_id:3 + thread_siblings:00000000,30000000 + thread_siblings_list:28-29 + +This fixes it: + + $ cd /sys/devices/system/cpu/cpu29/topology + $ grep . * + core_id:5 + core_siblings:00000000,ffff0000 + core_siblings_list:16-31 + physical_package_id:1 + thread_siblings:00000000,30000000 + thread_siblings_list:28-29 + +Signed-off-by: Daniel J Blueman +Signed-off-by: Borislav Petkov +Cc: H. 
Peter Anvin +Cc: Steffen Persvold +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1426135950-10110-1-git-send-email-daniel@numascale.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic_numachip.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/apic/apic_numachip.c ++++ b/arch/x86/kernel/apic/apic_numachip.c +@@ -37,10 +37,12 @@ static const struct apic apic_numachip; + static unsigned int get_apic_id(unsigned long x) + { + unsigned long value; +- unsigned int id; ++ unsigned int id = (x >> 24) & 0xff; + +- rdmsrl(MSR_FAM10H_NODE_ID, value); +- id = ((x >> 24) & 0xffU) | ((value << 2) & 0xff00U); ++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ rdmsrl(MSR_FAM10H_NODE_ID, value); ++ id |= (value << 2) & 0xff00; ++ } + + return id; + } +@@ -155,10 +157,18 @@ static int __init numachip_probe(void) + + static void fixup_cpu_id(struct cpuinfo_x86 *c, int node) + { +- if (c->phys_proc_id != node) { +- c->phys_proc_id = node; +- per_cpu(cpu_llc_id, smp_processor_id()) = node; ++ u64 val; ++ u32 nodes = 1; ++ ++ this_cpu_write(cpu_llc_id, node); ++ ++ /* Account for nodes per socket in multi-core-module processors */ ++ if (static_cpu_has_safe(X86_FEATURE_NODEID_MSR)) { ++ rdmsrl(MSR_FAM10H_NODE_ID, val); ++ nodes = ((val >> 3) & 7) + 1; + } ++ ++ c->phys_proc_id = node / nodes; + } + + static int __init numachip_system_init(void) diff --git a/queue-3.19/x86-asm-entry-32-fix-user_mode-misuses.patch b/queue-3.19/x86-asm-entry-32-fix-user_mode-misuses.patch new file mode 100644 index 00000000000..0199e3cec92 --- /dev/null +++ b/queue-3.19/x86-asm-entry-32-fix-user_mode-misuses.patch 
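Review bot: fixup_cpu_id() and get_apic_id() both decode MSR_FAM10H_NODE_ID with bare shifts and masks (`(val >> 3) & 7`, `(value << 2) & 0xff00`) and repeat the same feature check plus rdmsrl(); a named accessor such as `#define NODE_ID_NODES_PER_PKG(v) ((((v) >> 3) & 7) + 1)` (constructed name) with a comment naming the MSR field it decodes, and a small static helper returning the MSR value or 0 when X86_FEATURE_NODEID_MSR is absent, would remove the duplication and make the default `nodes = 1` self-explanatory. The mask literals also differ in style between the two functions (`0xff` vs `0xff00`, previously `0xffU`); pick one. Both functions are complete within the hunk.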
@@ -0,0 +1,45 @@ +From 394838c96013ba414a24ffe7a2a593a9154daadf Mon Sep 17 00:00:00 2001 +From: Andy Lutomirski +Date: Mon, 9 Mar 2015 17:42:31 -0700 +Subject: x86/asm/entry/32: Fix user_mode() misuses + +From: Andy Lutomirski + +commit 394838c96013ba414a24ffe7a2a593a9154daadf upstream. + +The one in do_debug() is probably harmless, but better safe than sorry. + +Signed-off-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/d67deaa9df5458363623001f252d1aee3215d014.1425948056.git.luto@amacapital.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/traps.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -300,7 +300,7 @@ dotraplinkage void do_bounds(struct pt_r + goto exit; + conditional_sti(regs); + +- if (!user_mode(regs)) ++ if (!user_mode_vm(regs)) + die("bounds", regs, error_code); + + if (!cpu_feature_enabled(X86_FEATURE_MPX)) { +@@ -566,7 +566,7 @@ dotraplinkage void do_debug(struct pt_re + * then it's very likely the result of an icebp/int01 trap. + * User wants a sigtrap for that. + */ +- if (!dr6 && user_mode(regs)) ++ if (!dr6 && user_mode_vm(regs)) + user_icebp = 1; + + /* Catch kmemcheck conditions first of all! */ diff --git a/queue-3.19/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch b/queue-3.19/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch new file mode 100644 index 00000000000..1627e3cf50b --- /dev/null +++ b/queue-3.19/x86-fpu-avoid-math_state_restore-without-used_math-in-__restore_xstate_sig.patch 
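Review bot: The switch from user_mode() to user_mode_vm() in do_bounds() and do_debug() corrects the check for 32-bit VM86 tasks, which user_mode() as defined in this kernel classifies as kernel mode, but neither site says so and the commit message only calls the old code "probably harmless", leaving no anchor for the next reader. Suggest a comment at the first site: `/* user_mode_vm(): also treat VM86 mode as user mode on 32-bit */`. Both functions start and end outside the hunk.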
@@ -0,0 +1,87 @@ +From a7c80ebcac3068b1c3cb27d538d29558c30010c8 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:09 +0100 +Subject: x86/fpu: Avoid math_state_restore() without used_math() in __restore_xstate_sig() + +From: Oleg Nesterov + +commit a7c80ebcac3068b1c3cb27d538d29558c30010c8 upstream. + +math_state_restore() assumes it is called with irqs disabled, +but this is not true if the caller is __restore_xstate_sig(). + +This means that if ia32_fxstate == T and __copy_from_user() +fails, __restore_xstate_sig() returns with irqs disabled too. + +This triggers: + + BUG: sleeping function called from invalid context at kernel/locking/rwsem.c:41 + dump_stack + ___might_sleep + ? _raw_spin_unlock_irqrestore + __might_sleep + down_read + ? _raw_spin_unlock_irqrestore + print_vma_addr + signal_fault + sys32_rt_sigreturn + +Change __restore_xstate_sig() to call set_used_math() +unconditionally. This avoids enabling and disabling interrupts +in math_state_restore(). If copy_from_user() fails, we can +simply do fpu_finit() by hand. + +[ Note: this is only the first step. math_state_restore() should + not check used_math(), it should set this flag. While + init_fpu() should simply die. ] + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Rik van Riel +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150307153844.GB25954@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/xsave.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -378,7 +378,7 @@ int __restore_xstate_sig(void __user *bu + * thread's fpu state, reconstruct fxstate from the fsave + * header. Sanitize the copied state etc. 
+ */ +- struct xsave_struct *xsave = &tsk->thread.fpu.state->xsave; ++ struct fpu *fpu = &tsk->thread.fpu; + struct user_i387_ia32_struct env; + int err = 0; + +@@ -392,14 +392,15 @@ int __restore_xstate_sig(void __user *bu + */ + drop_fpu(tsk); + +- if (__copy_from_user(xsave, buf_fx, state_size) || ++ if (__copy_from_user(&fpu->state->xsave, buf_fx, state_size) || + __copy_from_user(&env, buf, sizeof(env))) { ++ fpu_finit(fpu); + err = -1; + } else { + sanitize_restored_xstate(tsk, &env, xstate_bv, fx_only); +- set_used_math(); + } + ++ set_used_math(); + if (use_eager_fpu()) { + preempt_disable(); + math_state_restore(); diff --git a/queue-3.19/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch b/queue-3.19/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch new file mode 100644 index 00000000000..0b02631e8e2 --- /dev/null +++ b/queue-3.19/x86-fpu-drop_fpu-should-not-assume-that-tsk-equals-current.patch 
@@ -0,0 +1,50 @@ +From f4c3686386393c120710dd34df2a74183ab805fd Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 13 Mar 2015 09:53:10 +0100 +Subject: x86/fpu: Drop_fpu() should not assume that tsk equals current + +From: Oleg Nesterov + +commit f4c3686386393c120710dd34df2a74183ab805fd upstream. + +drop_fpu() does clear_used_math() and usually this is correct +because tsk == current. + +However switch_fpu_finish()->restore_fpu_checking() is called before +__switch_to() updates the "current_task" variable. If it fails, +we will wrongly clear the PF_USED_MATH flag of the previous task. + +So use clear_stopped_child_used_math() instead. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Borislav Petkov +Reviewed-by: Rik van Riel +Cc: Andy Lutomirski +Cc: Borislav Petkov +Cc: Dave Hansen +Cc: Fenghua Yu +Cc: H. Peter Anvin +Cc: Linus Torvalds +Cc: Pekka Riikonen +Cc: Quentin Casasnovas +Cc: Suresh Siddha +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/20150309171041.GB11388@redhat.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/fpu-internal.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/fpu-internal.h ++++ b/arch/x86/include/asm/fpu-internal.h +@@ -368,7 +368,7 @@ static inline void drop_fpu(struct task_ + preempt_disable(); + tsk->thread.fpu_counter = 0; + __drop_fpu(tsk); +- clear_used_math(); ++ clear_stopped_child_used_math(tsk); + preempt_enable(); + } + diff --git a/queue-3.19/x86-vdso-fix-the-build-on-gcc5.patch b/queue-3.19/x86-vdso-fix-the-build-on-gcc5.patch new file mode 100644 index 00000000000..0e06df8ef7c --- /dev/null +++ b/queue-3.19/x86-vdso-fix-the-build-on-gcc5.patch 
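Review bot: The replacement call has no comment explaining why the task's own flag is cleared instead of current's, which is the whole reason for the change and is not obvious from `drop_fpu()` itself. A short comment above the call, `/* tsk need not be current: switch_fpu_finish() runs before current_task is updated */`, would keep someone from reverting this to `clear_used_math()` as a cleanup. The enclosing drop_fpu() begins outside the hunk.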
@@ -0,0 +1,62 @@ +From e893286918d2cde3a94850d8f7101cd1039e0c62 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Thu, 5 Mar 2015 09:13:31 +0100 +Subject: x86/vdso: Fix the build on GCC5 + +From: Jiri Slaby + +commit e893286918d2cde3a94850d8f7101cd1039e0c62 upstream. + +On gcc5 the kernel does not link: + + ld: .eh_frame_hdr table[4] FDE at 0000000000000648 overlaps table[5] FDE at 0000000000000670. + +Because prior GCC versions always emitted NOPs on ALIGN directives, but +gcc5 started omitting them. + +.LSTARTFDEDLSI1 says: + + /* HACK: The dwarf2 unwind routines will subtract 1 from the + return address to get an address in the middle of the + presumed call instruction. Since we didn't get here via + a call, we need to include the nop before the real start + to make up for it. */ + .long .LSTART_sigreturn-1-. /* PC-relative start address */ + +But commit 69d0627a7f6e ("x86 vDSO: reorder vdso32 code") from 2.6.25 +replaced .org __kernel_vsyscall+32,0x90 by ALIGN right before +__kernel_sigreturn. + +Of course, ALIGN need not generate any NOP in there. Esp. gcc5 collapses +vclock_gettime.o and int80.o together with no generated NOPs as "ALIGN". + +So fix this by adding to that point at least a single NOP and make the +function ALIGN possibly with more NOPs then. + +Kudos for reporting and diagnosing should go to Richard. + +Reported-by: Richard Biener +Signed-off-by: Jiri Slaby +Acked-by: Andy Lutomirski +Cc: Borislav Petkov +Cc: H. 
Peter Anvin +Cc: Linus Torvalds +Cc: Thomas Gleixner +Link: http://lkml.kernel.org/r/1425543211-12542-1-git-send-email-jslaby@suse.cz +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/vdso/vdso32/sigreturn.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/x86/vdso/vdso32/sigreturn.S ++++ b/arch/x86/vdso/vdso32/sigreturn.S +@@ -17,6 +17,7 @@ + .text + .globl __kernel_sigreturn + .type __kernel_sigreturn,@function ++ nop /* this guy is needed for .LSTARTFDEDLSI1 below (watch for HACK) */ + ALIGN + __kernel_sigreturn: + .LSTART_sigreturn: diff --git a/queue-3.19/x86-xen-correct-bug-in-p2m-list-initialization.patch b/queue-3.19/x86-xen-correct-bug-in-p2m-list-initialization.patch new file mode 100644 index 00000000000..29d4db1887f --- /dev/null +++ b/queue-3.19/x86-xen-correct-bug-in-p2m-list-initialization.patch 
@@ -0,0 +1,45 @@ +From b8f05c8803fce899d79ca66f8d7f348cf15fb40e Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Fri, 27 Feb 2015 15:45:29 +0100 +Subject: x86/xen: correct bug in p2m list initialization + +From: Juergen Gross + +commit b8f05c8803fce899d79ca66f8d7f348cf15fb40e upstream. + +Commit 054954eb051f35e74b75a566a96fe756015352c8 ("xen: switch to +linear virtual mapped sparse p2m list") introduced an error. + +During initialization of the p2m list a p2m identity area mapped by +a complete identity pmd entry has to be split up into smaller chunks +sometimes, if a non-identity pfn is introduced in this area. + +If this non-identity pfn is not at index 0 of a p2m page the new +p2m page needed is initialized with wrong identity entries, as the +identity pfns don't start with the value corresponding to index 0, +but with the initial non-identity pfn. This results in weird wrong +mappings. + +Correct the wrong initialization by starting with the correct pfn. + +Reported-by: Stefan Bader +Signed-off-by: Juergen Gross +Tested-by: Stefan Bader +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/p2m.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/xen/p2m.c ++++ b/arch/x86/xen/p2m.c +@@ -567,7 +567,7 @@ static bool alloc_p2m(unsigned long pfn) + if (p2m_pfn == PFN_DOWN(__pa(p2m_missing))) + p2m_init(p2m); + else +- p2m_init_identity(p2m, pfn); ++ p2m_init_identity(p2m, pfn & ~(P2M_PER_PAGE - 1)); + + spin_lock_irqsave(&p2m_update_lock, flags); + diff --git a/queue-3.19/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch b/queue-3.19/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch new file mode 100644 index 00000000000..c2ecc5b60da --- /dev/null +++ b/queue-3.19/xen-events-avoid-null-pointer-dereference-in-dom0-on-large-machines.patch 
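Review bot: The new `pfn & ~(P2M_PER_PAGE - 1)` expression silently relies on P2M_PER_PAGE being a power of two and on the identity range having to start at the first pfn of the p2m page, neither of which is stated at the call site. A comment such as `/* identity entries must start at the first pfn covered by this p2m page, not at the pfn that triggered the split */` would record the reasoning from the changelog where the next maintainer will actually read it. alloc_p2m() begins and ends outside the hunk.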
@@ -0,0 +1,65 @@ +From 85e40b0539b24518c8bdf63e2605c8522377d00f Mon Sep 17 00:00:00 2001 +From: Juergen Gross +Date: Thu, 26 Feb 2015 06:52:05 +0100 +Subject: xen/events: avoid NULL pointer dereference in dom0 on large machines + +From: Juergen Gross + +commit 85e40b0539b24518c8bdf63e2605c8522377d00f upstream. + +Using the pvops kernel a NULL pointer dereference was detected on a +large machine (144 processors) when booting as dom0 in +evtchn_fifo_unmask() during assignment of a pirq. + +The event channel in question was the first to need a new entry in +event_array[] in events_fifo.c. Unfortunately xen_irq_info_pirq_setup() +is called with evtchn being 0 for a new pirq and the real event channel +number is assigned to the pirq only during __startup_pirq(). + +It is mandatory to call xen_evtchn_port_setup() after assigning the +event channel number to the pirq to make sure all memory needed for the +event channel is allocated. + +Signed-off-by: Juergen Gross +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/events/events_base.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +--- a/drivers/xen/events/events_base.c ++++ b/drivers/xen/events/events_base.c +@@ -526,20 +526,26 @@ static unsigned int __startup_pirq(unsig + pirq_query_unmask(irq); + + rc = set_evtchn_to_irq(evtchn, irq); +- if (rc != 0) { +- pr_err("irq%d: Failed to set port to irq mapping (%d)\n", +- irq, rc); +- xen_evtchn_close(evtchn); +- return 0; +- } ++ if (rc) ++ goto err; ++ + bind_evtchn_to_cpu(evtchn, 0); + info->evtchn = evtchn; + ++ rc = xen_evtchn_port_setup(info); ++ if (rc) ++ goto err; ++ + out: + unmask_evtchn(evtchn); + eoi_pirq(irq_get_irq_data(irq)); + + return 0; ++ ++err: ++ pr_err("irq%d: Failed to set port to irq mapping (%d)\n", irq, rc); ++ xen_evtchn_close(evtchn); ++ return 0; + } + + static unsigned int startup_pirq(struct irq_data *data) 
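Review bot: The shared `err:` label prints "Failed to set port to irq mapping" for both failures, although the second `goto err` follows a failed `xen_evtchn_port_setup()`, so the log will blame the wrong step. On that second path `set_evtchn_to_irq(evtchn, irq)` has already succeeded and `info->evtchn` has been set, yet the error path only closes the channel, which appears to leave a stale evtchn-to-irq mapping and a non-zero `info->evtchn` behind for a port that no longer exists. The mapping should be undone and `info->evtchn` reset before `xen_evtchn_close(evtchn)`, and the message made step-neutral, e.g. `pr_err("irq%d: Failed to set up event channel (%d)\n", irq, rc);`. __startup_pirq() begins outside the hunk.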
diff --git a/queue-3.19/xen-pciback-limit-guest-control-of-command-register.patch b/queue-3.19/xen-pciback-limit-guest-control-of-command-register.patch new file mode 100644 index 00000000000..89240bc1564 --- /dev/null +++ b/queue-3.19/xen-pciback-limit-guest-control-of-command-register.patch 
@@ -0,0 +1,154 @@ +From af6fc858a35b90e89ea7a7ee58e66628c55c776b Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 11 Mar 2015 13:51:17 +0000 +Subject: xen-pciback: limit guest control of command register + +From: Jan Beulich + +commit af6fc858a35b90e89ea7a7ee58e66628c55c776b upstream. + +Otherwise the guest can abuse that control to cause e.g. PCIe +Unsupported Request responses by disabling memory and/or I/O decoding +and subsequently causing (CPU side) accesses to the respective address +ranges, which (depending on system configuration) may be fatal to the +host. + +Note that to alter any of the bits collected together as +PCI_COMMAND_GUEST permissive mode is now required to be enabled +globally or on the specific device. + +This is CVE-2015-2150 / XSA-120. + +Signed-off-by: Jan Beulich +Reviewed-by: Konrad Rzeszutek Wilk +Signed-off-by: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xen-pciback/conf_space.c | 2 + drivers/xen/xen-pciback/conf_space.h | 2 + drivers/xen/xen-pciback/conf_space_header.c | 59 ++++++++++++++++++++++------ + 3 files changed, 50 insertions(+), 13 deletions(-) + +--- a/drivers/xen/xen-pciback/conf_space.c ++++ b/drivers/xen/xen-pciback/conf_space.c +@@ -16,7 +16,7 @@ + #include "conf_space.h" + #include "conf_space_quirks.h" + +-static bool permissive; ++bool permissive; + module_param(permissive, bool, 0644); + + /* This is where xen_pcibk_read_config_byte, xen_pcibk_read_config_word, +--- a/drivers/xen/xen-pciback/conf_space.h ++++ b/drivers/xen/xen-pciback/conf_space.h +@@ -64,6 +64,8 @@ struct config_field_entry { + void *data; + }; + ++extern bool permissive; ++ + #define OFFSET(cfg_entry) ((cfg_entry)->base_offset+(cfg_entry)->field->offset) + + /* Add fields to a device - the add_fields macro expects to get a pointer to +--- a/drivers/xen/xen-pciback/conf_space_header.c ++++ b/drivers/xen/xen-pciback/conf_space_header.c +@@ -11,6 +11,10 @@ + #include "pciback.h" + #include "conf_space.h" + ++struct 
pci_cmd_info { ++ u16 val; ++}; ++ + struct pci_bar_info { + u32 val; + u32 len_val; +@@ -20,22 +24,36 @@ struct pci_bar_info { + #define is_enable_cmd(value) ((value)&(PCI_COMMAND_MEMORY|PCI_COMMAND_IO)) + #define is_master_cmd(value) ((value)&PCI_COMMAND_MASTER) + +-static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++/* Bits guests are allowed to control in permissive mode. */ ++#define PCI_COMMAND_GUEST (PCI_COMMAND_MASTER|PCI_COMMAND_SPECIAL| \ ++ PCI_COMMAND_INVALIDATE|PCI_COMMAND_VGA_PALETTE| \ ++ PCI_COMMAND_WAIT|PCI_COMMAND_FAST_BACK) ++ ++static void *command_init(struct pci_dev *dev, int offset) + { +- int i; +- int ret; ++ struct pci_cmd_info *cmd = kmalloc(sizeof(*cmd), GFP_KERNEL); ++ int err; + +- ret = xen_pcibk_read_config_word(dev, offset, value, data); +- if (!pci_is_enabled(dev)) +- return ret; +- +- for (i = 0; i < PCI_ROM_RESOURCE; i++) { +- if (dev->resource[i].flags & IORESOURCE_IO) +- *value |= PCI_COMMAND_IO; +- if (dev->resource[i].flags & IORESOURCE_MEM) +- *value |= PCI_COMMAND_MEMORY; ++ if (!cmd) ++ return ERR_PTR(-ENOMEM); ++ ++ err = pci_read_config_word(dev, PCI_COMMAND, &cmd->val); ++ if (err) { ++ kfree(cmd); ++ return ERR_PTR(err); + } + ++ return cmd; ++} ++ ++static int command_read(struct pci_dev *dev, int offset, u16 *value, void *data) ++{ ++ int ret = pci_read_config_word(dev, offset, value); ++ const struct pci_cmd_info *cmd = data; ++ ++ *value &= PCI_COMMAND_GUEST; ++ *value |= cmd->val & ~PCI_COMMAND_GUEST; ++ + return ret; + } + +@@ -43,6 +61,8 @@ static int command_write(struct pci_dev + { + struct xen_pcibk_dev_data *dev_data; + int err; ++ u16 val; ++ struct pci_cmd_info *cmd = data; + + dev_data = pci_get_drvdata(dev); + if (!pci_is_enabled(dev) && is_enable_cmd(value)) { +@@ -83,6 +103,19 @@ static int command_write(struct pci_dev + } + } + ++ cmd->val = value; ++ ++ if (!permissive && (!dev_data || !dev_data->permissive)) ++ return 0; ++ ++ /* Only allow the guest to control certain 
bits. */ ++ err = pci_read_config_word(dev, offset, &val); ++ if (err || val == value) ++ return err; ++ ++ value &= PCI_COMMAND_GUEST; ++ value |= val & ~PCI_COMMAND_GUEST; ++ + return pci_write_config_word(dev, offset, value); + } + +@@ -282,6 +315,8 @@ static const struct config_field header_ + { + .offset = PCI_COMMAND, + .size = 2, ++ .init = command_init, ++ .release = bar_release, + .u.w.read = command_read, + .u.w.write = command_write, + }, -- 2.47.3
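Review bot: In command_init(), `return ERR_PTR(err)` wraps the raw return value of `pci_read_config_word()`, which reports PCIBIOS_* status codes (positive values) rather than negative errnos; if the caller tests the result with IS_ERR(), as the `ERR_PTR(-ENOMEM)` branch suggests, a read failure would go undetected and the bogus pointer would later be dereferenced as `cmd` in command_read()/command_write(). Converting first, `return ERR_PTR(pcibios_err_to_errno(err));`, keeps both failure branches in the same error-code domain. command_write() returning `err` unconverted is consistent with the `pci_write_config_word()` return on the line below, so that path is fine as long as its caller maps PCIBIOS codes. The command_write() body begins outside its hunk.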