3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 May 2014 22:36:40 +0000 (15:36 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Tue, 6 May 2014 22:36:40 +0000 (15:36 -0700)
added patches:
floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
mpt2sas-don-t-disable-device-twice-at-suspend.patch
virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch

queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch [new file with mode: 0644]
queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch [new file with mode: 0644]
queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch [new file with mode: 0644]
queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch [new file with mode: 0644]
queue-3.4/series
queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch [new file with mode: 0644]

diff --git a/queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644 (file)
index 0000000..e126cfb
--- /dev/null
@@ -0,0 +1,35 @@
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3058,7 +3058,10 @@ static int raw_cmd_copyout(int cmd, void
+       int ret;
+       while (ptr) {
+-              ret = copy_to_user(param, ptr, sizeof(*ptr));
++              struct floppy_raw_cmd cmd = *ptr;
++              cmd.next = NULL;
++              cmd.kernel_data = NULL;
++              ret = copy_to_user(param, &cmd, sizeof(cmd));
+               if (ret)
+                       return -EFAULT;
+               param += sizeof(struct floppy_raw_cmd);
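Review bot: The new local `struct floppy_raw_cmd cmd` shadows the function's `int cmd` parameter shown in the hunk header, so any later use of the ioctl number inside the loop would silently refer to the struct, and the declaration trips -Wshadow. Renaming the copy avoids that, e.g. `struct floppy_raw_cmd out = *ptr;` followed by `ret = copy_to_user(param, &out, sizeof(out));`. Separately, a struct assignment is not guaranteed to copy padding bytes, so if floppy_raw_cmd has padding (its layout is not visible here) the stack copy could carry uninitialised bytes to userspace; `memcpy(&out, ptr, sizeof(out));` would carry the source object's bytes exactly. raw_cmd_copyout's body starts and ends outside the hunk.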
diff --git a/queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644 (file)
index 0000000..bd9ef2a
--- /dev/null
@@ -0,0 +1,45 @@
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley <mattd@bugfuzz.com>
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley <mattd@bugfuzz.com>
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley <mattd@bugfuzz.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/block/floppy.c |    6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3112,10 +3112,11 @@ loop:
+               return -ENOMEM;
+       *rcmd = ptr;
+       ret = copy_from_user(ptr, param, sizeof(*ptr));
+-      if (ret)
+-              return -EFAULT;
+       ptr->next = NULL;
+       ptr->buffer_length = 0;
++      ptr->kernel_data = NULL;
++      if (ret)
++              return -EFAULT;
+       param += sizeof(struct floppy_raw_cmd);
+       if (ptr->cmd_count > 33)
+                       /* the command may now also take up the space
+@@ -3131,7 +3132,6 @@ loop:
+       for (i = 0; i < 16; i++)
+               ptr->reply[i] = 0;
+       ptr->resultcode = 0;
+-      ptr->kernel_data = NULL;
+       if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+               if (ptr->length <= 0)
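Review bot: The reordering in the first inner hunk is load-bearing, but nothing in the code says so. `*rcmd = ptr` has already published the allocation before copy_from_user() runs, so on -EFAULT whatever cleans up the list (presumably the caller, not visible here) would otherwise see `next` and `kernel_data` values from a partially copied, user-controlled struct. A comment above the three assignments would stop a later tidy-up from moving the error check back up, e.g. `/* clear kernel-only members before the -EFAULT return: ptr is already linked into *rcmd */`. The allocation itself is outside the hunk; if it is a plain kmalloc, a zeroing allocation would also make the fields that a short copy never reached well defined. The enclosing function starts and ends outside both hunks.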
diff --git a/queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch b/queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
new file mode 100644 (file)
index 0000000..97cdb90
--- /dev/null
@@ -0,0 +1,45 @@
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen <chenhc@lemote.com>
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen <chenhc@lemote.com>
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is E1000E driver use vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen <chenhc@lemote.com>
+Cc: John Crispin <john@phrozen.org>
+Cc: Steven J. Hill <Steven.Hill@imgtec.com>
+Cc: Aurelien Jarno <aurelien@aurel32.net>
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang <zhangfx@lemote.com>
+Cc: Zhangjin Wu <wuzhangjin@gmail.com>
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle <ralf@linux-mips.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/mips/power/hibernate.S |    1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -44,6 +44,7 @@ LEAF(swsusp_arch_resume)
+       bne t1, t3, 1b
+       PTR_L t0, PBE_NEXT(t0)
+       bnez t0, 0b
++      jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+       PTR_LA t0, saved_regs
+       PTR_L ra, PT_R31(t0)
+       PTR_L sp, PT_R29(t0)
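Review bot: The added `jal local_flush_tlb_all` calls out of a LEAF routine before `ra` and `sp` have been reloaded, and its one-line comment does not say why that is safe. From the lines that follow, it works because `ra` and `sp` are restored from `saved_regs` immediately afterwards, so the clobbered return address is never used; I would state that in the comment, e.g. `/* ra is clobbered here; it is reloaded from saved_regs below */`. The flush also runs only after the page-copy loop, so any stale translation is still live while the loop executes; whether the loop touches TLB-mapped addresses is not visible in this hunk and is worth confirming. swsusp_arch_resume continues past the end of the hunk.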
diff --git a/queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch b/queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch
new file mode 100644 (file)
index 0000000..4ef72a0
--- /dev/null
@@ -0,0 +1,37 @@
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki <tstache1@binghamton.edu>
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki <tstache1@binghamton.edu>
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsi_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki <tstache1@binghamton.edu>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c |    1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8086,7 +8086,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+       mpt2sas_base_free_resources(ioc);
+       pci_save_state(pdev);
+-      pci_disable_device(pdev);
+       pci_set_power_state(pdev, device_state);
+       return 0;
+ }
index 28a7eec3a766269328a55a579628ca6b593f7f23..a70eaca99b84ca48ab5dcd9f83a6e7701cec9e31 100644 (file)
@@ -1 +1,6 @@
 drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
diff --git a/queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch b/queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
new file mode 100644 (file)
index 0000000..bbc216a
--- /dev/null
@@ -0,0 +1,41 @@
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell <rusty@rustcorp.com.au>
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell <rusty@rustcorp.com.au>
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+    BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep.  We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary <gopchaud@in.ibm.com>
+Signed-off-by: Rusty Russell <rusty@rustcorp.com.au>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/virtio/virtio_balloon.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -305,6 +305,12 @@ static int balloon(void *_vballoon)
+               else if (diff < 0)
+                       leak_balloon(vb, -diff);
+               update_balloon_size(vb);
++
++              /*
++               * For large balloon changes, we could spend a lot of time
++               * and always have work to do.  Be nice if preempt disabled.
++               */
++              cond_resched();
+       }
+       return 0;
+ }
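Review bot: The comment's last sentence, "Be nice if preempt disabled", reads as if the call were made with preemption disabled, a context in which cond_resched() would not be appropriate. What it presumably means is kernels built without CONFIG_PREEMPT. I would reword it along the lines of `/* Large balloon changes keep this loop busy; yield so !CONFIG_PREEMPT kernels do not soft-lockup. */`. The loop head and the two wait conditions described in the commit message are outside the hunk.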