From: Greg Kroah-Hartman Date: Tue, 25 Jul 2017 04:31:52 +0000 (-0700) Subject: 3.18-stable patches X-Git-Tag: v3.18.63~16 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=09f9b93b03b036141f3e4126493871c841713299;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch input-i8042-fix-crash-at-boot-time.patch mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch mips-fix-mips_atomic_set-retry-condition.patch mips-fix-mips_atomic_set-with-eva.patch mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch mips-negate-error-syscall-return-in-trace.patch mips-save-static-registers-before-sysmips.patch nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch staging-rtl8188eu-add-tl-wn722n-v2-support.patch target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch udf-fix-deadlock-between-writeback-and-udf_setsize.patch vfio-fix-group-release-deadlock.patch vfio-new-external-user-group-file-match.patch x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch --- diff --git a/queue-3.18/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch b/queue-3.18/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch new file mode 100644 index 00000000000..0e73848065c --- /dev/null +++ b/queue-3.18/drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch @@ -0,0 +1,38 @@ +From 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 19 Jul 2017 14:43:29 +0300 +Subject: drm/mst: Avoid dereferencing a NULL mstb in drm_dp_mst_handle_up_req() + +From: Imre Deak + +commit 7f8b3987da54cb4d41ad2545cd4d7958b9a36bdf upstream. + +In case of an unknown broadcast message is sent mstb will remain unset, +so check for this. + +Cc: Dave Airlie +Cc: Lyude +Cc: Daniel Vetter +Signed-off-by: Imre Deak +Reviewed-by: Lyude +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-3-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -2209,7 +2209,9 @@ static int drm_dp_mst_handle_up_req(stru + DRM_DEBUG_KMS("Got RSN: pn: %d avail_pbn %d\n", msg.u.resource_stat.port_number, msg.u.resource_stat.available_pbn); + } + +- drm_dp_put_mst_branch_device(mstb); ++ if (mstb) ++ drm_dp_put_mst_branch_device(mstb); ++ + memset(&mgr->up_req_recv, 0, sizeof(struct drm_dp_sideband_msg_rx)); + } + return ret; diff --git a/queue-3.18/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch b/queue-3.18/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch new file mode 100644 index 00000000000..fcf4da2dd6c --- /dev/null +++ b/queue-3.18/drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch @@ -0,0 +1,129 @@ +From 636c4c3e762b62aa93632c645ca65879285b16e3 Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 19 Jul 2017 16:46:32 +0300 +Subject: drm/mst: Avoid processing partially received up/down message transactions + +From: Imre Deak + +commit 636c4c3e762b62aa93632c645ca65879285b16e3 upstream. + +Currently we may process up/down message transactions containing +uninitialized data. This can happen if there was an error during the +reception of any message in the transaction, but we happened to receive +the last message correctly with the end-of-message flag set. + +To avoid this abort the reception of the transaction when the first +error is detected, rejecting any messages until a message with the +start-of-message flag is received (which will start a new transaction). +This is also what the DP 1.4 spec 2.11.8.2 calls for in this case. + +In addtion this also prevents receiving bogus transactions without the +first message with the the start-of-message flag set. + +v2: +- unchanged +v3: +- git add the part that actually skips messages after an error in + drm_dp_sideband_msg_build() + +Cc: Dave Airlie +Cc: Lyude +Cc: Daniel Vetter +Signed-off-by: Imre Deak +Reviewed-by: Lyude +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20170719134632.13366-1-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 31 ++++++++++++++++++++++++------- + 1 file changed, 24 insertions(+), 7 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -330,6 +330,13 @@ static bool drm_dp_sideband_msg_build(st + return false; + } + ++ /* ++ * ignore out-of-order messages or messages that are part of a ++ * failed transaction ++ */ ++ if (!recv_hdr.somt && !msg->have_somt) ++ return false; ++ + /* get length contained in this portion */ + msg->curchunk_len = recv_hdr.msg_len; + msg->curchunk_hdrlen = hdrlen; +@@ -2049,7 +2056,7 @@ out_unlock: + } + EXPORT_SYMBOL(drm_dp_mst_topology_mgr_resume); + +-static void drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up) ++static bool drm_dp_get_one_sb_msg(struct drm_dp_mst_topology_mgr *mgr, bool up) + { + int len; + u8 replyblock[32]; +@@ -2064,12 +2071,12 @@ static void drm_dp_get_one_sb_msg(struct + replyblock, len); + if (ret != len) { + DRM_DEBUG_KMS("failed to read DPCD down rep %d %d\n", len, ret); +- return; ++ return false; + } + ret = drm_dp_sideband_msg_build(msg, replyblock, len, true); + if (!ret) { + DRM_DEBUG_KMS("sideband msg build failed %d\n", replyblock[0]); +- return; ++ return false; + } + replylen = msg->curchunk_len + msg->curchunk_hdrlen; + +@@ -2083,25 +2090,30 @@ static void drm_dp_get_one_sb_msg(struct + if (ret != len) { + DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n", + len, ret); +- return; ++ return false; + } + + ret = drm_dp_sideband_msg_build(msg, replyblock, len, false); + if (!ret) { + DRM_DEBUG_KMS("failed to build sideband msg\n"); +- return; ++ return false; + } + + curreply += len; + replylen -= len; + } ++ return true; + } + + static int drm_dp_mst_handle_down_rep(struct drm_dp_mst_topology_mgr *mgr) + { + int ret = 0; + +- drm_dp_get_one_sb_msg(mgr, false); ++ if (!drm_dp_get_one_sb_msg(mgr, false)) { ++ memset(&mgr->down_rep_recv, 0, ++ sizeof(struct drm_dp_sideband_msg_rx)); ++ return 0; ++ } + + if (mgr->down_rep_recv.have_eomt) { + struct drm_dp_sideband_msg_tx *txmsg; +@@ -2157,7 +2169,12 @@ static int drm_dp_mst_handle_down_rep(st + static int drm_dp_mst_handle_up_req(struct drm_dp_mst_topology_mgr *mgr) + { + int ret = 0; +- drm_dp_get_one_sb_msg(mgr, true); ++ ++ if (!drm_dp_get_one_sb_msg(mgr, true)) { ++ memset(&mgr->up_req_recv, 0, ++ sizeof(struct drm_dp_sideband_msg_rx)); ++ return 0; ++ } + + if (mgr->up_req_recv.have_eomt) { + struct drm_dp_sideband_msg_req_body msg; diff --git a/queue-3.18/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch b/queue-3.18/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch new file mode 100644 index 00000000000..d2dbeb6ea42 --- /dev/null +++ b/queue-3.18/drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch @@ -0,0 +1,48 @@ +From 448421b5e93b9177c5698f0cf6f5e72d2995eeca Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Wed, 19 Jul 2017 14:43:28 +0300 +Subject: drm/mst: Fix error handling during MST sideband message reception + +From: Imre Deak + +commit 448421b5e93b9177c5698f0cf6f5e72d2995eeca upstream. + +Handle any error due to partial reads, timeouts etc. to avoid parsing +uninitialized data subsequently. Also bail out if the parsing itself +fails. + +Cc: Dave Airlie +Cc: Lyude +Cc: Daniel Vetter +Signed-off-by: Imre Deak +Reviewed-by: Lyude +Signed-off-by: Daniel Vetter +Link: https://patchwork.freedesktop.org/patch/msgid/20170719114330.26540-2-imre.deak@intel.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_dp_mst_topology.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/drm_dp_mst_topology.c ++++ b/drivers/gpu/drm/drm_dp_mst_topology.c +@@ -2081,11 +2081,17 @@ static void drm_dp_get_one_sb_msg(struct + ret = drm_dp_dpcd_read(mgr->aux, basereg + curreply, + replyblock, len); + if (ret != len) { +- DRM_DEBUG_KMS("failed to read a chunk\n"); ++ DRM_DEBUG_KMS("failed to read a chunk (len %d, ret %d)\n", ++ len, ret); ++ return; + } ++ + ret = drm_dp_sideband_msg_build(msg, replyblock, len, false); +- if (ret == false) ++ if (!ret) { + DRM_DEBUG_KMS("failed to build sideband msg\n"); ++ return; ++ } ++ + curreply += len; + replylen -= len; + } diff --git a/queue-3.18/input-i8042-fix-crash-at-boot-time.patch b/queue-3.18/input-i8042-fix-crash-at-boot-time.patch new file mode 100644 index 00000000000..fd755617d12 --- /dev/null +++ b/queue-3.18/input-i8042-fix-crash-at-boot-time.patch @@ -0,0 +1,121 @@ +From 340d394a789518018f834ff70f7534fc463d3226 Mon Sep 17 00:00:00 2001 +From: Chen Hong +Date: Sun, 2 Jul 2017 15:11:10 -0700 +Subject: Input: i8042 - fix crash at boot time + +From: Chen Hong + +commit 340d394a789518018f834ff70f7534fc463d3226 upstream. + +The driver checks port->exists twice in i8042_interrupt(), first when +trying to assign temporary "serio" variable, and second time when deciding +whether it should call serio_interrupt(). The value of port->exists may +change between the 2 checks, and we may end up calling serio_interrupt() +with a NULL pointer: + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000050 +IP: [] _spin_lock_irqsave+0x1f/0x40 +PGD 0 +Oops: 0002 [#1] SMP +last sysfs file: +CPU 0 +Modules linked in: + +Pid: 1, comm: swapper Not tainted 2.6.32-358.el6.x86_64 #1 QEMU Standard PC (i440FX + PIIX, 1996) +RIP: 0010:[] [] _spin_lock_irqsave+0x1f/0x40 +RSP: 0018:ffff880028203cc0 EFLAGS: 00010082 +RAX: 0000000000010000 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000282 RSI: 0000000000000098 RDI: 0000000000000050 +RBP: ffff880028203cc0 R08: ffff88013e79c000 R09: ffff880028203ee0 +R10: 0000000000000298 R11: 0000000000000282 R12: 0000000000000050 +R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000098 +FS: 0000000000000000(0000) GS:ffff880028200000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b +CR2: 0000000000000050 CR3: 0000000001a85000 CR4: 00000000001407f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process swapper (pid: 1, threadinfo ffff88013e79c000, task ffff88013e79b500) +Stack: +ffff880028203d00 ffffffff813de186 ffffffffffffff02 0000000000000000 + 0000000000000000 0000000000000000 0000000000000000 0000000000000098 + ffff880028203d70 ffffffff813e0162 ffff880028203d20 ffffffff8103b8ac +Call Trace: + + [] serio_interrupt+0x36/0xa0 +[] i8042_interrupt+0x132/0x3a0 +[] ? kvm_clock_read+0x1c/0x20 +[] ? kvm_clock_get_cycles+0x9/0x10 +[] handle_IRQ_event+0x60/0x170 +[] ? kvm_guest_apic_eoi_write+0x44/0x50 +[] handle_edge_irq+0xde/0x180 +[] handle_irq+0x49/0xa0 +[] do_IRQ+0x6c/0xf0 +[] ret_from_intr+0x0/0x11 +[] ? __do_softirq+0x73/0x1e0 +[] ? hrtimer_interrupt+0x14b/0x260 +[] ? call_softirq+0x1c/0x30 +[] ? do_softirq+0x65/0xa0 +[] ? irq_exit+0x85/0x90 +[] ? smp_apic_timer_interrupt+0x70/0x9b +[] ? apic_timer_interrupt+0x13/0x20 + +To avoid the issue let's change the second check to test whether serio is +NULL or not. + +Also, let's take i8042_lock in i8042_start() and i8042_stop() instead of +trying to be overly smart and using memory barriers. + +Signed-off-by: Chen Hong +[dtor: take lock in i8042_start()/i8042_stop()] +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/input/serio/i8042.c ++++ b/drivers/input/serio/i8042.c +@@ -397,8 +397,10 @@ static int i8042_start(struct serio *ser + { + struct i8042_port *port = serio->port_data; + ++ spin_lock_irq(&i8042_lock); + port->exists = true; +- mb(); ++ spin_unlock_irq(&i8042_lock); ++ + return 0; + } + +@@ -411,16 +413,20 @@ static void i8042_stop(struct serio *ser + { + struct i8042_port *port = serio->port_data; + ++ spin_lock_irq(&i8042_lock); + port->exists = false; ++ port->serio = NULL; ++ spin_unlock_irq(&i8042_lock); + + /* ++ * We need to make sure that interrupt handler finishes using ++ * our serio port before we return from this function. + * We synchronize with both AUX and KBD IRQs because there is + * a (very unlikely) chance that AUX IRQ is raised for KBD port + * and vice versa. + */ + synchronize_irq(I8042_AUX_IRQ); + synchronize_irq(I8042_KBD_IRQ); +- port->serio = NULL; + } + + /* +@@ -537,7 +543,7 @@ static irqreturn_t i8042_interrupt(int i + + spin_unlock_irqrestore(&i8042_lock, flags); + +- if (likely(port->exists && !filtered)) ++ if (likely(serio && !filtered)) + serio_interrupt(serio, data, dfl); + + out: diff --git a/queue-3.18/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch b/queue-3.18/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch new file mode 100644 index 00000000000..62e923fa713 --- /dev/null +++ b/queue-3.18/mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch @@ -0,0 +1,36 @@ +From a9db101b735a9d49295326ae41f610f6da62b08c Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 16 Jun 2017 00:06:19 +0100 +Subject: MIPS: Actually decode JALX in `__compute_return_epc_for_insn' + +From: Maciej W. Rozycki + +commit a9db101b735a9d49295326ae41f610f6da62b08c upstream. + +Complement commit fb6883e5809c ("MIPS: microMIPS: Support handling of +delay slots.") and actually decode the regular MIPS JALX major +instruction opcode, the handling of which has been added with the said +commit for EPC calculation in `__compute_return_epc_for_insn'. + +Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.") +Signed-off-by: Maciej W. Rozycki +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16394/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/branch.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/mips/kernel/branch.c ++++ b/arch/mips/kernel/branch.c +@@ -493,6 +493,7 @@ int __compute_return_epc_for_insn(struct + /* + * These are unconditional and in j_format. + */ ++ case jalx_op: + case jal_op: + regs->regs[31] = regs->cp0_epc + 8; + case j_op: diff --git a/queue-3.18/mips-fix-mips_atomic_set-retry-condition.patch b/queue-3.18/mips-fix-mips_atomic_set-retry-condition.patch new file mode 100644 index 00000000000..c43e132e104 --- /dev/null +++ b/queue-3.18/mips-fix-mips_atomic_set-retry-condition.patch @@ -0,0 +1,40 @@ +From 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 31 May 2017 16:19:47 +0100 +Subject: MIPS: Fix mips_atomic_set() retry condition + +From: James Hogan + +commit 2ec420b26f7b6ff332393f0bb5a7d245f7ad87f0 upstream. + +The inline asm retry check in the MIPS_ATOMIC_SET operation of the +sysmips system call has been backwards since commit f1e39a4a616c ("MIPS: +Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler") +merged in v2.6.32, resulting in the non R10000_LLSC_WAR case retrying +until the operation was inatomic, before returning the new value that +was probably just written multiple times instead of the old value. + +Invert the branch condition to fix that particular issue. + +Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler") +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16148/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/syscall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/syscall.c ++++ b/arch/mips/kernel/syscall.c +@@ -140,7 +140,7 @@ static inline int mips_atomic_set(unsign + "1: ll %[old], (%[addr]) \n" + " move %[tmp], %[new] \n" + "2: sc %[tmp], (%[addr]) \n" +- " bnez %[tmp], 4f \n" ++ " beqz %[tmp], 4f \n" + "3: \n" + " .subsection 2 \n" + "4: b 1b \n" diff --git a/queue-3.18/mips-fix-mips_atomic_set-with-eva.patch b/queue-3.18/mips-fix-mips_atomic_set-with-eva.patch new file mode 100644 index 00000000000..9a44e103d01 --- /dev/null +++ b/queue-3.18/mips-fix-mips_atomic_set-with-eva.patch @@ -0,0 +1,49 @@ +From 4915e1b043d6286928207b1f6968197b50407294 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 31 May 2017 16:19:49 +0100 +Subject: MIPS: Fix mips_atomic_set() with EVA + +From: James Hogan + +commit 4915e1b043d6286928207b1f6968197b50407294 upstream. + +EVA linked loads (LLE) and conditional stores (SCE) should be used on +EVA kernels for the MIPS_ATOMIC_SET operation of the sysmips system +call, or else the atomic set will apply to the kernel view of the +virtual address space (potentially unmapped on EVA kernels) rather than +the user view (TLB mapped). + +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16151/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/syscall.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/mips/kernel/syscall.c ++++ b/arch/mips/kernel/syscall.c +@@ -28,6 +28,7 @@ + #include + + #include ++#include + #include + #include + #include +@@ -137,9 +138,11 @@ static inline int mips_atomic_set(unsign + __asm__ __volatile__ ( + " .set arch=r4000 \n" + " li %[err], 0 \n" +- "1: ll %[old], (%[addr]) \n" ++ "1: \n" ++ user_ll("%[old]", "(%[addr])") + " move %[tmp], %[new] \n" +- "2: sc %[tmp], (%[addr]) \n" ++ "2: \n" ++ user_sc("%[tmp]", "(%[addr])") + " beqz %[tmp], 4f \n" + "3: \n" + " .subsection 2 \n" diff --git a/queue-3.18/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch b/queue-3.18/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch new file mode 100644 index 00000000000..761bcd4d2d3 --- /dev/null +++ b/queue-3.18/mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch @@ -0,0 +1,43 @@ +From 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 16 Jun 2017 00:07:34 +0100 +Subject: MIPS: Fix unaligned PC interpretation in `compute_return_epc' + +From: Maciej W. Rozycki + +commit 11a3799dbeb620bf0400b1fda5cc2c6bea55f20a upstream. + +Fix a regression introduced with commit fb6883e5809c ("MIPS: microMIPS: +Support handling of delay slots.") and defer to `__compute_return_epc' +if the ISA bit is set in EPC with non-MIPS16, non-microMIPS hardware, +which will then arrange for a SIGBUS due to an unaligned instruction +reference. Returning EPC here is never correct as the API defines this +function's result to be either a negative error code on failure or one +of 0 and BRANCH_LIKELY_TAKEN on success. + +Fixes: fb6883e5809c ("MIPS: microMIPS: Support handling of delay slots.") +Signed-off-by: Maciej W. Rozycki +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16395/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/include/asm/branch.h | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/arch/mips/include/asm/branch.h ++++ b/arch/mips/include/asm/branch.h +@@ -74,10 +74,7 @@ static inline int compute_return_epc(str + return __microMIPS_compute_return_epc(regs); + if (cpu_has_mips16) + return __MIPS16e_compute_return_epc(regs); +- return regs->cp0_epc; +- } +- +- if (!delay_slot(regs)) { ++ } else if (!delay_slot(regs)) { + regs->cp0_epc += 4; + return 0; + } diff --git a/queue-3.18/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch b/queue-3.18/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch new file mode 100644 index 00000000000..948ba434cad --- /dev/null +++ b/queue-3.18/mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch @@ -0,0 +1,152 @@ +From 13769ebad0c42738831787e27c7c7f982e7da579 Mon Sep 17 00:00:00 2001 +From: "Maciej W. Rozycki" +Date: Fri, 16 Jun 2017 00:05:08 +0100 +Subject: MIPS: math-emu: Prevent wrong ISA mode instruction emulation + +From: Maciej W. Rozycki + +commit 13769ebad0c42738831787e27c7c7f982e7da579 upstream. + +Terminate FPU emulation immediately whenever an ISA mode switch has been +observed. This is so that we do not interpret machine code in the wrong +mode, for example when a regular MIPS FPU instruction has been placed in +a delay slot of a jump that switches into the MIPS16 mode, as with the +following code (taken from a GCC test suite case): + +00400650 : + 400650: 3c020100 lui v0,0x100 + 400654: 03e00008 jr ra + 400658: 44c2f800 ctc1 v0,c1_fcsr + 40065c: 00000000 nop + +[...] + +004012d0 <__libc_csu_init>: + 4012d0: f000 6a02 li v0,2 + 4012d4: f150 0b1c la v1,3f9430 <_DYNAMIC-0x6df0> + 4012d8: f400 3240 sll v0,16 + 4012dc: e269 addu v0,v1 + 4012de: 659a move gp,v0 + 4012e0: f00c 64f6 save a0-a2,48,ra,s0-s1 + 4012e4: 673c move s1,gp + 4012e6: f010 9978 lw v1,-32744(s1) + 4012ea: d204 sw v0,16(sp) + 4012ec: eb40 jalr v1 + 4012ee: 653b move t9,v1 + 4012f0: f010 997c lw v1,-32740(s1) + 4012f4: f030 9920 lw s1,-32736(s1) + 4012f8: e32f subu v1,s1 + 4012fa: 326b sra v0,v1,2 + 4012fc: d206 sw v0,24(sp) + 4012fe: 220c beqz v0,401318 <__libc_csu_init+0x48> + 401300: 6800 li s0,0 + 401302: 99e0 lw a3,0(s1) + 401304: 4801 addiu s0,1 + 401306: 960e lw a2,56(sp) + 401308: 4904 addiu s1,4 + 40130a: 950d lw a1,52(sp) + 40130c: 940c lw a0,48(sp) + 40130e: ef40 jalr a3 + 401310: 653f move t9,a3 + 401312: 9206 lw v0,24(sp) + 401314: ea0a cmp v0,s0 + 401316: 61f5 btnez 401302 <__libc_csu_init+0x32> + 401318: 6476 restore 48,ra,s0-s1 + 40131a: e8a0 jrc ra + +Here `set_fast_math' is called from `40130e' (`40130f' with the ISA bit) +and emulation triggers for the CTC1 instruction. As it is in a jump +delay slot emulation continues from `401312' (`401313' with the ISA +bit). However we have no path to handle MIPS16 FPU code emulation, +because there are no MIPS16 FPU instructions. So the default emulation +path is taken, interpreting a 32-bit word fetched by `get_user' from +`401313' as a regular MIPS instruction, which is: + + 401313: f5ea0a92 sdc1 $f10,2706(t7) + +This makes the FPU emulator proceed with the supposed SDC1 instruction +and consequently makes the program considered here terminate with +SIGSEGV. + +A similar although less severe issue exists with pure-microMIPS +processors in the case where similarly an FPU instruction is emulated in +a delay slot of a register jump that (incorrectly) switches into the +regular MIPS mode. A subsequent instruction fetch from the jump's +target is supposed to cause an Address Error exception, however instead +we proceed with regular MIPS FPU emulation. + +For simplicity then, always terminate the emulation loop whenever a mode +change is detected, denoted by an ISA mode bit flip. As from commit +377cb1b6c16a ("MIPS: Disable MIPS16/microMIPS crap for platforms not +supporting these ASEs.") the result of `get_isa16_mode' can be hardcoded +to 0, so we need to examine the ISA mode bit by hand. + +This complements commit 102cedc32a6e ("MIPS: microMIPS: Floating point +support.") which added JALX decoding to FPU emulation. + +Fixes: 102cedc32a6e ("MIPS: microMIPS: Floating point support.") +Signed-off-by: Maciej W. Rozycki +Cc: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16393/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/math-emu/cp1emu.c | 38 ++++++++++++++++++++++++++++++++++++++ + 1 file changed, 38 insertions(+) + +--- a/arch/mips/math-emu/cp1emu.c ++++ b/arch/mips/math-emu/cp1emu.c +@@ -1856,6 +1856,35 @@ dcopuop: + return 0; + } + ++/* ++ * Emulate FPU instructions. ++ * ++ * If we use FPU hardware, then we have been typically called to handle ++ * an unimplemented operation, such as where an operand is a NaN or ++ * denormalized. In that case exit the emulation loop after a single ++ * iteration so as to let hardware execute any subsequent instructions. ++ * ++ * If we have no FPU hardware or it has been disabled, then continue ++ * emulating floating-point instructions until one of these conditions ++ * has occurred: ++ * ++ * - a non-FPU instruction has been encountered, ++ * ++ * - an attempt to emulate has ended with a signal, ++ * ++ * - the ISA mode has been switched. ++ * ++ * We need to terminate the emulation loop if we got switched to the ++ * MIPS16 mode, whether supported or not, so that we do not attempt ++ * to emulate a MIPS16 instruction as a regular MIPS FPU instruction. ++ * Similarly if we got switched to the microMIPS mode and only the ++ * regular MIPS mode is supported, so that we do not attempt to emulate ++ * a microMIPS instruction as a regular MIPS FPU instruction. Or if ++ * we got switched to the regular MIPS mode and only the microMIPS mode ++ * is supported, so that we do not attempt to emulate a regular MIPS ++ * instruction that should cause an Address Error exception instead. ++ * For simplicity we always terminate upon an ISA mode switch. ++ */ + int fpu_emulator_cop1Handler(struct pt_regs *xcp, struct mips_fpu_struct *ctx, + int has_fpu, void *__user *fault_addr) + { +@@ -1943,6 +1972,15 @@ int fpu_emulator_cop1Handler(struct pt_r + break; + if (sig) + break; ++ /* ++ * We have to check for the ISA bit explicitly here, ++ * because `get_isa16_mode' may return 0 if support ++ * for code compression has been globally disabled, ++ * or otherwise we may produce the wrong signal or ++ * even proceed successfully where we must not. ++ */ ++ if ((xcp->cp0_epc ^ prevepc) & 0x1) ++ break; + + cond_resched(); + } while (xcp->cp0_epc > prevepc); diff --git a/queue-3.18/mips-negate-error-syscall-return-in-trace.patch b/queue-3.18/mips-negate-error-syscall-return-in-trace.patch new file mode 100644 index 00000000000..e77f4c8aad4 --- /dev/null +++ b/queue-3.18/mips-negate-error-syscall-return-in-trace.patch @@ -0,0 +1,43 @@ +From 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Thu, 29 Jun 2017 10:12:34 +0100 +Subject: MIPS: Negate error syscall return in trace + +From: James Hogan + +commit 4f32a39d49b25eaa66d2420f1f03d371ea4cd906 upstream. + +The sys_exit trace event takes a single return value for the system +call, which MIPS passes the value of the $v0 (result) register, however +MIPS returns positive error codes in $v0 with $a3 specifying that $v0 +contains an error code. As a result erroring system calls are traced +returning positive error numbers that can't always be distinguished from +success. + +Use regs_return_value() to negate the error code if $a3 is set. + +Fixes: 1d7bf993e073 ("MIPS: ftrace: Add support for syscall tracepoints.") +Signed-off-by: James Hogan +Cc: Steven Rostedt +Cc: Ingo Molnar +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16651/ +Acked-by: Steven Rostedt (VMware) +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/mips/kernel/ptrace.c ++++ b/arch/mips/kernel/ptrace.c +@@ -802,7 +802,7 @@ asmlinkage void syscall_trace_leave(stru + audit_syscall_exit(regs); + + if (unlikely(test_thread_flag(TIF_SYSCALL_TRACEPOINT))) +- trace_sys_exit(regs, regs->regs[2]); ++ trace_sys_exit(regs, regs_return_value(regs)); + + if (test_thread_flag(TIF_SYSCALL_TRACE)) + tracehook_report_syscall_exit(regs, 0); diff --git a/queue-3.18/mips-save-static-registers-before-sysmips.patch b/queue-3.18/mips-save-static-registers-before-sysmips.patch new file mode 100644 index 00000000000..62a7acb75e8 --- /dev/null +++ b/queue-3.18/mips-save-static-registers-before-sysmips.patch @@ -0,0 +1,92 @@ +From 49955d84cd9ccdca5a16a495e448e1a06fad9e49 Mon Sep 17 00:00:00 2001 +From: James Hogan +Date: Wed, 31 May 2017 16:19:48 +0100 +Subject: MIPS: Save static registers before sysmips + +From: James Hogan + +commit 49955d84cd9ccdca5a16a495e448e1a06fad9e49 upstream. + +The MIPS sysmips system call handler may return directly from the +MIPS_ATOMIC_SET case (mips_atomic_set()) to syscall_exit. This path +restores the static (callee saved) registers, however they won't have +been saved on entry to the system call. + +Use the save_static_function() macro to create a __sys_sysmips wrapper +function which saves the static registers before calling sys_sysmips, so +that the correct static register state is restored by syscall_exit. + +Fixes: f1e39a4a616c ("MIPS: Rewrite sysmips(MIPS_ATOMIC_SET, ...) in C with inline assembler") +Signed-off-by: James Hogan +Cc: linux-mips@linux-mips.org +Patchwork: https://patchwork.linux-mips.org/patch/16149/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/scall32-o32.S | 2 +- + arch/mips/kernel/scall64-64.S | 2 +- + arch/mips/kernel/scall64-n32.S | 2 +- + arch/mips/kernel/scall64-o32.S | 2 +- + arch/mips/kernel/syscall.c | 6 ++++++ + 5 files changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/mips/kernel/scall32-o32.S ++++ b/arch/mips/kernel/scall32-o32.S +@@ -361,7 +361,7 @@ EXPORT(sys_call_table) + PTR sys_writev + PTR sys_cacheflush + PTR sys_cachectl +- PTR sys_sysmips ++ PTR __sys_sysmips + PTR sys_ni_syscall /* 4150 */ + PTR sys_getsid + PTR sys_fdatasync +--- a/arch/mips/kernel/scall64-64.S ++++ b/arch/mips/kernel/scall64-64.S +@@ -318,7 +318,7 @@ EXPORT(sys_call_table) + PTR sys_sched_getaffinity + PTR sys_cacheflush + PTR sys_cachectl +- PTR sys_sysmips ++ PTR __sys_sysmips + PTR sys_io_setup /* 5200 */ + PTR sys_io_destroy + PTR sys_io_getevents +--- a/arch/mips/kernel/scall64-n32.S ++++ b/arch/mips/kernel/scall64-n32.S +@@ -307,7 +307,7 @@ EXPORT(sysn32_call_table) + PTR compat_sys_sched_getaffinity + PTR sys_cacheflush + PTR sys_cachectl +- PTR sys_sysmips ++ PTR __sys_sysmips + PTR compat_sys_io_setup /* 6200 */ + PTR sys_io_destroy + PTR compat_sys_io_getevents +--- a/arch/mips/kernel/scall64-o32.S ++++ b/arch/mips/kernel/scall64-o32.S +@@ -358,7 +358,7 @@ EXPORT(sys32_call_table) + PTR compat_sys_writev + PTR sys_cacheflush + PTR sys_cachectl +- PTR sys_sysmips ++ PTR __sys_sysmips + PTR sys_ni_syscall /* 4150 */ + PTR sys_getsid + PTR sys_fdatasync +--- a/arch/mips/kernel/syscall.c ++++ b/arch/mips/kernel/syscall.c +@@ -200,6 +200,12 @@ static inline int mips_atomic_set(unsign + unreachable(); + } + ++/* ++ * mips_atomic_set() normally returns directly via syscall_exit potentially ++ * clobbering static registers, so be sure to preserve them. ++ */ ++save_static_function(sys_sysmips); ++ + SYSCALL_DEFINE3(sysmips, long, cmd, long, arg1, long, arg2) + { + switch (cmd) { diff --git a/queue-3.18/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch b/queue-3.18/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch new file mode 100644 index 00000000000..92ebd6bfd54 --- /dev/null +++ b/queue-3.18/nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch @@ -0,0 +1,97 @@ +From cc89684c9a265828ce061037f1f79f4a68ccd3f7 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 5 Jul 2017 12:22:20 +1000 +Subject: NFS: only invalidate dentrys that are clearly invalid. + +From: NeilBrown + +commit cc89684c9a265828ce061037f1f79f4a68ccd3f7 upstream. + +Since commit bafc9b754f75 ("vfs: More precise tests in d_invalidate") +in v3.18, a return of '0' from ->d_revalidate() will cause the dentry +to be invalidated even if it has filesystems mounted on or it or on a +descendant. The mounted filesystem is unmounted. + +This means we need to be careful not to return 0 unless the directory +referred to truly is invalid. So -ESTALE or -ENOENT should invalidate +the directory. Other errors such a -EPERM or -ERESTARTSYS should be +returned from ->d_revalidate() so they are propagated to the caller. + +A particular problem can be demonstrated by: + +1/ mount an NFS filesystem using NFSv3 on /mnt +2/ mount any other filesystem on /mnt/foo +3/ ls /mnt/foo +4/ turn off network, or otherwise make the server unable to respond +5/ ls /mnt/foo & +6/ cat /proc/$!/stack # note that nfs_lookup_revalidate is in the call stack +7/ kill -9 $! # this results in -ERESTARTSYS being returned +8/ observe that /mnt/foo has been unmounted. + +This patch changes nfs_lookup_revalidate() to only treat + -ESTALE from nfs_lookup_verify_inode() and + -ESTALE or -ENOENT from ->lookup() +as indicating an invalid inode. Other errors are returned. + +Also nfs_check_inode_attributes() is changed to return -ESTALE rather +than -EIO. This is consistent with the error returned in similar +circumstances from nfs_update_inode(). + +As this bug allows any user to unmount a filesystem mounted on an NFS +filesystem, this fix is suitable for stable kernels. + +Fixes: bafc9b754f75 ("vfs: More precise tests in d_invalidate") +Signed-off-by: NeilBrown +Signed-off-by: Anna Schumaker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/dir.c | 12 ++++++++---- + fs/nfs/inode.c | 4 ++-- + 2 files changed, 10 insertions(+), 6 deletions(-) + +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1141,11 +1141,13 @@ static int nfs_lookup_revalidate(struct + /* Force a full look up iff the parent directory has changed */ + if (!nfs_is_exclusive_create(dir, flags) && + nfs_check_verifier(dir, dentry, flags & LOOKUP_RCU)) { +- +- if (nfs_lookup_verify_inode(inode, flags)) { ++ error = nfs_lookup_verify_inode(inode, flags); ++ if (error) { + if (flags & LOOKUP_RCU) + return -ECHILD; +- goto out_zap_parent; ++ if (error == -ESTALE) ++ goto out_zap_parent; ++ goto out_error; + } + goto out_valid; + } +@@ -1169,8 +1171,10 @@ static int nfs_lookup_revalidate(struct + trace_nfs_lookup_revalidate_enter(dir, dentry, flags); + error = NFS_PROTO(dir)->lookup(dir, &dentry->d_name, fhandle, fattr, label); + trace_nfs_lookup_revalidate_exit(dir, dentry, flags, error); +- if (error) ++ if (error == -ESTALE || error == -ENOENT) + goto out_bad; ++ if (error) ++ goto out_error; + if (nfs_compare_fh(NFS_FH(inode), fhandle)) + goto out_bad; + if ((error = nfs_refresh_inode(inode, fattr)) != 0) +--- a/fs/nfs/inode.c ++++ b/fs/nfs/inode.c +@@ -1177,9 +1177,9 @@ static int nfs_check_inode_attributes(st + return 0; + /* Has the inode gone and changed behind our back? */ + if ((fattr->valid & NFS_ATTR_FATTR_FILEID) && nfsi->fileid != fattr->fileid) +- return -EIO; ++ return -ESTALE; + if ((fattr->valid & NFS_ATTR_FATTR_TYPE) && (inode->i_mode & S_IFMT) != (fattr->mode & S_IFMT)) +- return -EIO; ++ return -ESTALE; + + if ((fattr->valid & NFS_ATTR_FATTR_CHANGE) != 0 && + inode->i_version != fattr->change_attr) diff --git a/queue-3.18/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch b/queue-3.18/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch new file mode 100644 index 00000000000..81ca814b5b3 --- /dev/null +++ b/queue-3.18/perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch @@ -0,0 +1,62 @@ +From 80f62589fa52f530cffc50e78c0b5a2ae572d61e Mon Sep 17 00:00:00 2001 +From: Jin Yao +Date: Thu, 8 Jun 2017 14:01:44 +0800 +Subject: perf annotate: Fix broken arrow at row 0 connecting jmp instruction to its target +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Jin Yao + +commit 80f62589fa52f530cffc50e78c0b5a2ae572d61e upstream. + +When the jump instruction is displayed at the row 0 in annotate view, +the arrow is broken. An example: + + 16.86 │ ┌──je 82 + 0.01 │ movsd (%rsp),%xmm0 + │ movsd 0x8(%rsp),%xmm4 + │ movsd 0x8(%rsp),%xmm1 + │ movsd (%rsp),%xmm3 + │ divsd %xmm4,%xmm0 + │ divsd %xmm3,%xmm1 + │ movsd (%rsp),%xmm2 + │ addsd %xmm1,%xmm0 + │ addsd %xmm2,%xmm0 + │ movsd %xmm0,(%rsp) + │82: sub $0x1,%ebx + 83.03 │ ↑ jne 38 + │ add $0x10,%rsp + │ xor %eax,%eax + │ pop %rbx + │ ← retq + +The patch increments the row number before checking with 0. + +Signed-off-by: Yao Jin +Tested-by: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Andi Kleen +Cc: Jiri Olsa +Cc: Kan Liang +Cc: Peter Zijlstra +Fixes: 944e1abed9e1 ("perf ui browser: Add method to draw up/down arrow line") +Link: http://lkml.kernel.org/r/1496901704-30275-1-git-send-email-yao.jin@linux.intel.com +Signed-off-by: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + tools/perf/ui/browser.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/tools/perf/ui/browser.c ++++ b/tools/perf/ui/browser.c +@@ -673,7 +673,7 @@ static void __ui_browser__line_arrow_dow + ui_browser__gotorc(browser, row, column + 1); + SLsmg_draw_hline(2); + +- if (row++ == 0) ++ if (++row == 0) + goto out; + } else + row = 0; diff --git a/queue-3.18/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch b/queue-3.18/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch new file mode 100644 index 00000000000..6887466e03e --- /dev/null +++ b/queue-3.18/revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch @@ -0,0 +1,75 @@ +From 6a8a75f3235724c5941a33e287b2f98966ad14c5 Mon Sep 17 00:00:00 2001 +From: Ingo Molnar +Date: Tue, 11 Jul 2017 10:56:54 +0200 +Subject: Revert "perf/core: Drop kernel samples even though :u is specified" + +From: Ingo Molnar + +commit 6a8a75f3235724c5941a33e287b2f98966ad14c5 upstream. + +This reverts commit cc1582c231ea041fbc68861dfaf957eaf902b829. + +This commit introduced a regression that broke rr-project, which uses sampling +events to receive a signal on overflow (but does not care about the contents +of the sample). These signals are critical to the correct operation of rr. + +There's been some back and forth about how to fix it - but to not keep +applications in limbo queue up a revert. + +Reported-by: Kyle Huey +Acked-by: Kyle Huey +Acked-by: Peter Zijlstra +Cc: Jin Yao +Cc: Vince Weaver +Cc: Linus Torvalds +Cc: Will Deacon +Cc: Arnaldo Carvalho de Melo +Cc: Alexander Shishkin +Cc: Stephane Eranian +Cc: Namhyung Kim +Cc: Jiri Olsa +Link: http://lkml.kernel.org/r/20170628105600.GC5981@leverpostej +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/events/core.c | 21 --------------------- + 1 file changed, 21 deletions(-) + +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -5761,21 +5761,6 @@ static void perf_log_throttle(struct per + perf_output_end(&handle); + } + +-static bool sample_is_allowed(struct perf_event *event, struct pt_regs *regs) +-{ +- /* +- * Due to interrupt latency (AKA "skid"), we may enter the +- * kernel before taking an overflow, even if the PMU is only +- * counting user events. +- * To avoid leaking information to userspace, we must always +- * reject kernel samples when exclude_kernel is set. +- */ +- if (event->attr.exclude_kernel && !user_mode(regs)) +- return false; +- +- return true; +-} +- + /* + * Generic event overflow handling, sampling. + */ +@@ -5823,12 +5808,6 @@ static int __perf_event_overflow(struct + } + + /* +- * For security, drop the skid kernel samples if necessary. +- */ +- if (!sample_is_allowed(event, regs)) +- return ret; +- +- /* + * XXX event_limit might not quite work as expected on inherited + * events + */ diff --git a/queue-3.18/series b/queue-3.18/series index c5adf9e554a..b23734f792d 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -32,3 +32,23 @@ raid5-should-update-rdev-sectors-after-reshape.patch s390-syscalls-fix-out-of-bounds-arguments-access.patch drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch f2fs-don-t-clear-sgid-when-inheriting-acls.patch +vfio-fix-group-release-deadlock.patch +vfio-new-external-user-group-file-match.patch +mips-fix-mips_atomic_set-retry-condition.patch +mips-fix-mips_atomic_set-with-eva.patch +mips-negate-error-syscall-return-in-trace.patch +x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch +mips-save-static-registers-before-sysmips.patch +mips-actually-decode-jalx-in-__compute_return_epc_for_insn.patch +mips-fix-unaligned-pc-interpretation-in-compute_return_epc.patch +mips-math-emu-prevent-wrong-isa-mode-instruction-emulation.patch +input-i8042-fix-crash-at-boot-time.patch +nfs-only-invalidate-dentrys-that-are-clearly-invalid.patch +udf-fix-deadlock-between-writeback-and-udf_setsize.patch +target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch +perf-annotate-fix-broken-arrow-at-row-0-connecting-jmp-instruction-to-its-target.patch +revert-perf-core-drop-kernel-samples-even-though-u-is-specified.patch +staging-rtl8188eu-add-tl-wn722n-v2-support.patch +drm-mst-fix-error-handling-during-mst-sideband-message-reception.patch +drm-mst-avoid-dereferencing-a-null-mstb-in-drm_dp_mst_handle_up_req.patch +drm-mst-avoid-processing-partially-received-up-down-message-transactions.patch diff --git a/queue-3.18/staging-rtl8188eu-add-tl-wn722n-v2-support.patch b/queue-3.18/staging-rtl8188eu-add-tl-wn722n-v2-support.patch new file mode 100644 index 00000000000..5d7985a0ea1 --- /dev/null +++ b/queue-3.18/staging-rtl8188eu-add-tl-wn722n-v2-support.patch @@ -0,0 +1,29 @@ +From 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 Mon Sep 17 00:00:00 2001 +From: Michael Gugino +Date: Mon, 17 Jul 2017 13:29:09 -0400 +Subject: staging: rtl8188eu: add TL-WN722N v2 support + +From: Michael Gugino + +commit 5a1d4c5dd4eb2f1f8a9b30e61762f3b3b564df70 upstream. + +Add support for USB Device TP-Link TL-WN722N v2. +VendorID: 0x2357, ProductID: 0x010c + +Signed-off-by: Michael Gugino +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8188eu/os_dep/usb_intf.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/rtl8188eu/os_dep/usb_intf.c ++++ b/drivers/staging/rtl8188eu/os_dep/usb_intf.c +@@ -48,6 +48,7 @@ static struct usb_device_id rtw_usb_id_t + {USB_DEVICE(0x2001, 0x330F)}, /* DLink DWA-125 REV D1 */ + {USB_DEVICE(0x2001, 0x3310)}, /* Dlink DWA-123 REV D1 */ + {USB_DEVICE(0x2001, 0x3311)}, /* DLink GO-USB-N150 REV B1 */ ++ {USB_DEVICE(0x2357, 0x010c)}, /* TP-Link TL-WN722N v2 */ + {USB_DEVICE(0x0df6, 0x0076)}, /* Sitecom N150 v2 */ + {} /* Terminating entry */ + }; diff --git a/queue-3.18/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch b/queue-3.18/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch new file mode 100644 index 00000000000..862a95813e1 --- /dev/null +++ b/queue-3.18/target-fix-compare_and_write-caw_sem-leak-during-se_cmd-quiesce.patch @@ -0,0 +1,51 @@ +From 1d6ef276594a781686058802996e09c8550fd767 Mon Sep 17 00:00:00 2001 +From: Jiang Yi +Date: Sun, 25 Jun 2017 12:28:50 -0700 +Subject: target: Fix COMPARE_AND_WRITE caw_sem leak during se_cmd quiesce + +From: Jiang Yi + +commit 1d6ef276594a781686058802996e09c8550fd767 upstream. + +This patch addresses a COMPARE_AND_WRITE se_device->caw_sem leak, +that would be triggered during normal se_cmd shutdown or abort +via __transport_wait_for_tasks(). + +This would occur because target_complete_cmd() would catch this +early and do complete_all(&cmd->t_transport_stop_comp), but since +target_complete_ok_work() or target_complete_failure_work() are +never called to invoke se_cmd->transport_complete_callback(), +the COMPARE_AND_WRITE specific callbacks never release caw_sem. + +To address this special case, go ahead and release caw_sem +directly from target_complete_cmd(). + +(Remove '&& success' from check, to release caw_sem regardless + of scsi_status - nab) + +Signed-off-by: Jiang Yi +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_transport.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/target/target_core_transport.c ++++ b/drivers/target/target_core_transport.c +@@ -693,6 +693,15 @@ void target_complete_cmd(struct se_cmd * + if (cmd->transport_state & CMD_T_ABORTED || + cmd->transport_state & CMD_T_STOP) { + spin_unlock_irqrestore(&cmd->t_state_lock, flags); ++ /* ++ * If COMPARE_AND_WRITE was stopped by __transport_wait_for_tasks(), ++ * release se_device->caw_sem obtained by sbc_compare_and_write() ++ * since target_complete_ok_work() or target_complete_failure_work() ++ * won't be called to invoke the normal CAW completion callbacks. ++ */ ++ if (cmd->se_cmd_flags & SCF_COMPARE_AND_WRITE) { ++ up(&dev->caw_sem); ++ } + complete_all(&cmd->t_transport_stop_comp); + return; + } else if (!success) { diff --git a/queue-3.18/udf-fix-deadlock-between-writeback-and-udf_setsize.patch b/queue-3.18/udf-fix-deadlock-between-writeback-and-udf_setsize.patch new file mode 100644 index 00000000000..154ce3dd2a0 --- /dev/null +++ b/queue-3.18/udf-fix-deadlock-between-writeback-and-udf_setsize.patch @@ -0,0 +1,51 @@ +From f2e95355891153f66d4156bf3a142c6489cd78c6 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 13 Jun 2017 16:20:25 +0200 +Subject: udf: Fix deadlock between writeback and udf_setsize() + +From: Jan Kara + +commit f2e95355891153f66d4156bf3a142c6489cd78c6 upstream. + +udf_setsize() called truncate_setsize() with i_data_sem held. Thus +truncate_pagecache() called from truncate_setsize() could lock a page +under i_data_sem which can deadlock as page lock ranks below +i_data_sem - e. g. writeback can hold page lock and try to acquire +i_data_sem to map a block. + +Fix the problem by moving truncate_setsize() calls from under +i_data_sem. It is safe for us to change i_size without holding +i_data_sem as all the places that depend on i_size being stable already +hold inode_lock. + +Fixes: 7e49b6f2480cb9a9e7322a91592e56a5c85361f5 +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/udf/inode.c ++++ b/fs/udf/inode.c +@@ -1237,8 +1237,8 @@ int udf_setsize(struct inode *inode, lof + return err; + } + set_size: +- truncate_setsize(inode, newsize); + up_write(&iinfo->i_data_sem); ++ truncate_setsize(inode, newsize); + } else { + if (iinfo->i_alloc_type == ICBTAG_FLAG_AD_IN_ICB) { + down_write(&iinfo->i_data_sem); +@@ -1255,9 +1255,9 @@ set_size: + udf_get_block); + if (err) + return err; ++ truncate_setsize(inode, newsize); + down_write(&iinfo->i_data_sem); + udf_clear_extent_cache(inode); +- truncate_setsize(inode, newsize); + udf_truncate_extents(inode); + up_write(&iinfo->i_data_sem); + } diff --git a/queue-3.18/vfio-fix-group-release-deadlock.patch b/queue-3.18/vfio-fix-group-release-deadlock.patch new file mode 100644 index 00000000000..fc8fd5e20e9 --- /dev/null +++ b/queue-3.18/vfio-fix-group-release-deadlock.patch @@ -0,0 +1,77 @@ +From 811642d8d8a82c0cce8dc2debfdaf23c5a144839 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Mon, 19 Jun 2017 09:10:32 -0600 +Subject: vfio: Fix group release deadlock + +From: Alex Williamson + +commit 811642d8d8a82c0cce8dc2debfdaf23c5a144839 upstream. + +If vfio_iommu_group_notifier() acquires a group reference and that +reference becomes the last reference to the group, then vfio_group_put +introduces a deadlock code path where we're trying to unregister from +the iommu notifier chain from within a callout of that chain. Use a +work_struct to release this reference asynchronously. + +Signed-off-by: Alex Williamson +Reviewed-by: Eric Auger +Tested-by: Eric Auger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio.c | 37 ++++++++++++++++++++++++++++++++++++- + 1 file changed, 36 insertions(+), 1 deletion(-) + +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -278,6 +278,34 @@ static void vfio_group_put(struct vfio_g + kref_put_mutex(&group->kref, vfio_group_release, &vfio.group_lock); + } + ++struct vfio_group_put_work { ++ struct work_struct work; ++ struct vfio_group *group; ++}; ++ ++static void vfio_group_put_bg(struct work_struct *work) ++{ ++ struct vfio_group_put_work *do_work; ++ ++ do_work = container_of(work, struct vfio_group_put_work, work); ++ ++ vfio_group_put(do_work->group); ++ kfree(do_work); ++} ++ ++static void vfio_group_schedule_put(struct vfio_group *group) ++{ ++ struct vfio_group_put_work *do_work; ++ ++ do_work = kmalloc(sizeof(*do_work), GFP_KERNEL); ++ if (WARN_ON(!do_work)) ++ return; ++ ++ INIT_WORK(&do_work->work, vfio_group_put_bg); ++ do_work->group = group; ++ schedule_work(&do_work->work); ++} ++ + /* Assume group_lock or group reference is held */ + static void vfio_group_get(struct vfio_group *group) + { +@@ -553,7 +581,14 @@ static int vfio_iommu_group_notifier(str + break; + } + +- vfio_group_put(group); ++ /* ++ * If we're the last reference to the group, the group will be ++ * released, which includes unregistering the iommu group notifier. ++ * We hold a read-lock on that notifier list, unregistering needs ++ * a write-lock... deadlock. Release our reference asynchronously ++ * to avoid that situation. ++ */ ++ vfio_group_schedule_put(group); + return NOTIFY_OK; + } + diff --git a/queue-3.18/vfio-new-external-user-group-file-match.patch b/queue-3.18/vfio-new-external-user-group-file-match.patch new file mode 100644 index 00000000000..ed6ae3782ee --- /dev/null +++ b/queue-3.18/vfio-new-external-user-group-file-match.patch @@ -0,0 +1,114 @@ +From 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 28 Jun 2017 13:50:05 -0600 +Subject: vfio: New external user group/file match + +From: Alex Williamson + +commit 5d6dee80a1e94cc284d03e06d930e60e8d3ecf7d upstream. + +At the point where the kvm-vfio pseudo device wants to release its +vfio group reference, we can't always acquire a new reference to make +that happen. The group can be in a state where we wouldn't allow a +new reference to be added. This new helper function allows a caller +to match a file to a group to facilitate this. Given a file and +group, report if they match. Thus the caller needs to already have a +group reference to match to the file. This allows the deletion of a +group without acquiring a new reference. + +Signed-off-by: Alex Williamson +Reviewed-by: Eric Auger +Reviewed-by: Paolo Bonzini +Tested-by: Eric Auger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/vfio.c | 9 +++++++++ + include/linux/vfio.h | 2 ++ + virt/kvm/vfio.c | 27 +++++++++++++++++++-------- + 3 files changed, 30 insertions(+), 8 deletions(-) + +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -1436,6 +1436,15 @@ void vfio_group_put_external_user(struct + } + EXPORT_SYMBOL_GPL(vfio_group_put_external_user); + ++bool vfio_external_group_match_file(struct vfio_group *test_group, ++ struct file *filep) ++{ ++ struct vfio_group *group = filep->private_data; ++ ++ return (filep->f_op == &vfio_group_fops) && (group == test_group); ++} ++EXPORT_SYMBOL_GPL(vfio_external_group_match_file); ++ + int vfio_external_user_iommu_id(struct vfio_group *group) + { + return iommu_group_id(group->iommu_group); +--- a/include/linux/vfio.h ++++ b/include/linux/vfio.h +@@ -81,6 +81,8 @@ extern void vfio_unregister_iommu_driver + */ + extern struct vfio_group *vfio_group_get_external_user(struct file *filep); + extern void vfio_group_put_external_user(struct vfio_group *group); ++extern bool vfio_external_group_match_file(struct vfio_group *group, ++ struct file *filep); + extern int vfio_external_user_iommu_id(struct vfio_group *group); + extern long vfio_external_check_extension(struct vfio_group *group, + unsigned long arg); +--- a/virt/kvm/vfio.c ++++ b/virt/kvm/vfio.c +@@ -47,6 +47,22 @@ static struct vfio_group *kvm_vfio_group + return vfio_group; + } + ++static bool kvm_vfio_external_group_match_file(struct vfio_group *group, ++ struct file *filep) ++{ ++ bool ret, (*fn)(struct vfio_group *, struct file *); ++ ++ fn = symbol_get(vfio_external_group_match_file); ++ if (!fn) ++ return false; ++ ++ ret = fn(group, filep); ++ ++ symbol_put(vfio_external_group_match_file); ++ ++ return ret; ++} ++ + static void kvm_vfio_group_put_external_user(struct vfio_group *vfio_group) + { + void (*fn)(struct vfio_group *); +@@ -169,18 +185,13 @@ static int kvm_vfio_set_group(struct kvm + if (!f.file) + return -EBADF; + +- vfio_group = kvm_vfio_group_get_external_user(f.file); +- fdput(f); +- +- if (IS_ERR(vfio_group)) +- return PTR_ERR(vfio_group); +- + ret = -ENOENT; + + mutex_lock(&kv->lock); + + list_for_each_entry(kvg, &kv->group_list, node) { +- if (kvg->vfio_group != vfio_group) ++ if (!kvm_vfio_external_group_match_file(kvg->vfio_group, ++ f.file)) + continue; + + list_del(&kvg->node); +@@ -192,7 +203,7 @@ static int kvm_vfio_set_group(struct kvm + + mutex_unlock(&kv->lock); + +- kvm_vfio_group_put_external_user(vfio_group); ++ fdput(f); + + kvm_vfio_update_coherency(dev); + diff --git a/queue-3.18/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch b/queue-3.18/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch new file mode 100644 index 00000000000..a07dd9c69f3 --- /dev/null +++ b/queue-3.18/x86-acpi-prevent-out-of-bound-access-caused-by-broken-acpi-tables.patch @@ -0,0 +1,49 @@ +From dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 Mon Sep 17 00:00:00 2001 +From: Seunghun Han +Date: Tue, 18 Jul 2017 20:03:51 +0900 +Subject: x86/acpi: Prevent out of bound access caused by broken ACPI tables + +From: Seunghun Han + +commit dad5ab0db8deac535d03e3fe3d8f2892173fa6a4 upstream. + +The bus_irq argument of mp_override_legacy_irq() is used as the index into +the isa_irq_to_gsi[] array. The bus_irq argument originates from +ACPI_MADT_TYPE_IO_APIC and ACPI_MADT_TYPE_INTERRUPT items in the ACPI +tables, but is nowhere sanity checked. + +That allows broken or malicious ACPI tables to overwrite memory, which +might cause malfunction, panic or arbitrary code execution. + +Add a sanity check and emit a warning when that triggers. + +[ tglx: Added warning and rewrote changelog ] + +Signed-off-by: Seunghun Han +Signed-off-by: Thomas Gleixner +Cc: security@kernel.org +Cc: "Rafael J. Wysocki" +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/acpi/boot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/acpi/boot.c ++++ b/arch/x86/kernel/acpi/boot.c +@@ -316,6 +316,14 @@ static void __init mp_override_legacy_ir + struct mpc_intsrc mp_irq; + + /* ++ * Check bus_irq boundary. ++ */ ++ if (bus_irq >= NR_IRQS_LEGACY) { ++ pr_warn("Invalid bus_irq %u for legacy override\n", bus_irq); ++ return; ++ } ++ ++ /* + * Convert 'gsi' to 'ioapic.pin'. + */ + ioapic = mp_find_ioapic(gsi);