From: Greg Kroah-Hartman
Date: Tue, 25 Jul 2017 01:42:42 +0000 (-0700)
Subject: 4.4-stable patches
X-Git-Tag: v3.18.63~22
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=539ee6302b15099f0d5f6b4d9adff7f76f635236;p=thirdparty%2Fkernel%2Fstable-queue.git
4.4-stable patches
added patches:
cx88-fix-regression-in-initial-video-standard-setting.patch
drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
f2fs-don-t-clear-sgid-when-inheriting-acls.patch
ipmi-ssif-add-missing-unlock-in-error-branch.patch
ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
raid5-should-update-rdev-sectors-after-reshape.patch
s390-syscalls-fix-out-of-bounds-arguments-access.patch
---
diff --git a/queue-4.4/cx88-fix-regression-in-initial-video-standard-setting.patch b/queue-4.4/cx88-fix-regression-in-initial-video-standard-setting.patch
new file mode 100644
index 00000000000..08a5d2c31e7
--- /dev/null
+++ b/queue-4.4/cx88-fix-regression-in-initial-video-standard-setting.patch
@@ -0,0 +1,68 @@
+From 4e0973a918b9a42e217093f078e04a61e5dd95a5 Mon Sep 17 00:00:00 2001
+From: Devin Heitmueller
+Date: Sat, 20 Sep 2014 09:23:44 -0300
+Subject: [media] cx88: Fix regression in initial video standard setting
+
+From: Devin Heitmueller
+
+commit 4e0973a918b9a42e217093f078e04a61e5dd95a5 upstream.
+
+Setting initial standard at the top of cx8800_initdev would cause the
+first call to cx88_set_tvnorm() to return without programming any
+registers (leaving the driver saying it's set to NTSC but the hardware
+isn't programmed). Even worse, any subsequent attempt to explicitly
+set it to NTSC-M will return success but actually fail to program the
+underlying registers unless first changing the standard to something
+other than NTSC-M.
+
+Set the initial standard later in the process, and make sure the field
+is zero at the beginning to ensure that the call always goes through.
+
+This regression was introduced in the following commit:
+
+commit ccd6f1d488e7 ("[media] cx88: move width, height and field to core
+struct")
+
+Author: Hans Verkuil
+
+[media] cx88: move width, height and field to core struct
+
+Signed-off-by: Devin Heitmueller
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/pci/cx88/cx88-cards.c | 9 ++++++++-
+ drivers/media/pci/cx88/cx88-video.c | 2 +-
+ 2 files changed, 9 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/pci/cx88/cx88-cards.c
++++ b/drivers/media/pci/cx88/cx88-cards.c
+@@ -3691,7 +3691,14 @@ struct cx88_core *cx88_core_create(struc
+ core->nr = nr;
+ sprintf(core->name, "cx88[%d]", core->nr);
+
+- core->tvnorm = V4L2_STD_NTSC_M;
++ /*
++ * Note: Setting initial standard here would cause first call to
++ * cx88_set_tvnorm() to return without programming any registers. Leave
++ * it blank for at this point and it will get set later in
++ * cx8800_initdev()
++ */
++ core->tvnorm = 0;
++
+ core->width = 320;
+ core->height = 240;
+ core->field = V4L2_FIELD_INTERLACED;
+--- a/drivers/media/pci/cx88/cx88-video.c
++++ b/drivers/media/pci/cx88/cx88-video.c
+@@ -1429,7 +1429,7 @@ static int cx8800_initdev(struct pci_dev
+
+ /* initial device configuration */
+ mutex_lock(&core->lock);
+- cx88_set_tvnorm(core, core->tvnorm);
++ cx88_set_tvnorm(core, V4L2_STD_NTSC_M);
+ v4l2_ctrl_handler_setup(&core->video_hdl);
+ v4l2_ctrl_handler_setup(&core->audio_hdl);
+ cx88_video_mux(core, 0);
diff --git a/queue-4.4/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch b/queue-4.4/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
new file mode 100644
index 00000000000..b60a2caa90b
--- /dev/null
+++ b/queue-4.4/drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch
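Review bot: The zero written to core->tvnorm in cx88_core_create is an "unset" sentinel that only works because cx88_set_tvnorm() bails out when asked for the norm it already believes is current; the added comment says so, but that early return is outside the hunk, and until cx8800_initdev() runs anything that reads core->tvnorm sees a standard of 0 rather than NTSC-M. If other consumers of the shared core can run between those two points (not visible here), they need to treat 0 as "not yet programmed". A one-line comment at the new `cx88_set_tvnorm(core, V4L2_STD_NTSC_M);` call tying it to the sentinel, e.g. `/* core->tvnorm is still 0 here, so this always programs the hardware */`, would keep the two halves from drifting apart. Both cx88_core_create() and cx8800_initdev() start and end outside their hunks.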
@@ -0,0 +1,39 @@
+From 9156e723301c0a7a7def4cde820e018ce791b842 Mon Sep 17 00:00:00 2001
+From: Tom St Denis
+Date: Tue, 23 May 2017 11:35:22 -0400
+Subject: drm/amd/amdgpu: Return error if initiating read out of range on vram
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Tom St Denis
+
+commit 9156e723301c0a7a7def4cde820e018ce791b842 upstream.
+
+If you initiate a read that is out of the VRAM address space return
+ENXIO instead of 0.
+
+Reads that begin below that point will read upto the VRAM limit as
+before.
+
+Signed-off-by: Tom St Denis
+Reviewed-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
++++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_ttm.c
+@@ -1126,6 +1126,9 @@ static ssize_t amdgpu_ttm_vram_read(stru
+ if (size & 0x3 || *pos & 0x3)
+ return -EINVAL;
+
++ if (*pos >= adev->mc.mc_vram_size)
++ return -ENXIO;
++
+ while (size) {
+ unsigned long flags;
+ uint32_t value;
diff --git a/queue-4.4/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch b/queue-4.4/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
new file mode 100644
index 00000000000..daee33439a1
--- /dev/null
+++ b/queue-4.4/drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch
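Review bot: The new bound check rejects only a start offset at or beyond mc_vram_size; a read that starts inside VRAM but whose size runs past the end still relies on the `while (size)` loop below to stop at the limit, which the commit message asserts but the hunk does not show because the loop body is outside it. The operand types are not visible either: if *pos is a signed loff_t and mc_vram_size an unsigned 64-bit value, the comparison is done unsigned and a negative offset is rejected as well, which is the desired outcome but worth stating, e.g. `/* unsigned compare: a negative *pos is also out of range */`. amdgpu_ttm_vram_read() starts and ends outside the hunk.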
@@ -0,0 +1,42 @@
+From ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Thu, 11 May 2017 13:14:14 -0400
+Subject: drm/radeon/ci: disable mclk switching for high refresh rates (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Alex Deucher
+
+commit ab03d9fe508f4e2914a8f4a9eef1b21051cacd0f upstream.
+
+Even if the vblank period would allow it, it still seems to
+be problematic on some cards.
+
+v2: fix logic inversion (Nils)
+
+bug: https://bugs.freedesktop.org/show_bug.cgi?id=96868
+
+Acked-by: Christian König
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/ci_dpm.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/ci_dpm.c
++++ b/drivers/gpu/drm/radeon/ci_dpm.c
+@@ -782,6 +782,12 @@ bool ci_dpm_vblank_too_short(struct rade
+ if (r600_dpm_get_vrefresh(rdev) > 120)
+ return true;
+
++ /* disable mclk switching if the refresh is >120Hz, even if the
++ * blanking period would allow it
++ */
++ if (r600_dpm_get_vrefresh(rdev) > 120)
++ return true;
++
+ if (vblank_time < switch_limit)
+ return true;
+ else
diff --git a/queue-4.4/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch b/queue-4.4/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
new file mode 100644
index 00000000000..1d4fb72e454
--- /dev/null
+++ b/queue-4.4/drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch
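Review bot: The check added by the inner hunk is a verbatim duplicate of the context line immediately above it — `if (r600_dpm_get_vrefresh(rdev) > 120) return true;` already precedes the new block — so the second `if` can never be reached and the patch is a no-op in this tree. Either drop it from the queue, or if the point is to carry the upstream explanation, move the new comment onto the existing check and leave out the repeated condition. ci_dpm_vblank_too_short() starts and ends outside the hunk.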
@@ -0,0 +1,88 @@
+From 564d8a2cf3abf16575af48bdc3e86e92ee8a617d Mon Sep 17 00:00:00 2001
+From: Mario Kleiner
+Date: Fri, 7 Jul 2017 04:57:04 +0200
+Subject: drm/radeon: Fix eDP for single-display iMac10,1 (v2)
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Mario Kleiner
+
+commit 564d8a2cf3abf16575af48bdc3e86e92ee8a617d upstream.
+
+The late 2009, 27 inch Apple iMac10,1 has an
+internal eDP display and an external Mini-
+Displayport output, driven by a DCE-3.2, RV730
+Radeon Mobility HD-4670.
+
+The machine worked fine in a dual-display setup
+with eDP panel + externally connected HDMI
+or DVI-D digital display sink, connected via
+MiniDP to DVI or HDMI adapter.
+
+However, booting the machine single-display with
+only eDP panel results in a completely black
+display - even backlight powering off, as soon as
+the radeon modesetting driver loads.
+
+This patch fixes the single dispay eDP case by
+assigning encoders based on dig->linkb, similar
+to DCE-4+. While this should not be generally
+necessary (Alex: "...atom on normal boards
+should be able to handle any mapping."), Apple
+seems to use some special routing here.
+
+One remaining problem not solved by this patch
+is that an external Minidisplayport->DP sink
+does still not work on iMac10,1, whereas external
+DVI and HDMI sinks continue to work.
+
+The problem affects at least all tested kernels
+since Linux 3.13 - didn't test earlier kernels, so
+backporting to stable probably makes sense.
+
+v2: With the original patch from 2016, Alex was worried it
+ will break other DCE3.2 systems. Use dmi_match() to
+ apply this special encoder assignment only for the
+ Apple iMac 10,1 from late 2009.
+
+Signed-off-by: Mario Kleiner
+Cc: Alex Deucher
+Cc: Michel Dänzer
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/atombios_encoders.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/atombios_encoders.c
++++ b/drivers/gpu/drm/radeon/atombios_encoders.c
+@@ -30,6 +30,7 @@
+ #include "radeon_audio.h"
+ #include "atom.h"
+ #include
++#include
+
+ extern int atom_debug;
+
+@@ -2183,9 +2184,17 @@ int radeon_atom_pick_dig_encoder(struct
+ goto assigned;
+ }
+
+- /* on DCE32 and encoder can driver any block so just crtc id */
++ /*
++ * On DCE32 any encoder can drive any block so usually just use crtc id,
++ * but Apple thinks different at least on iMac10,1, so there use linkb,
++ * otherwise the internal eDP panel will stay dark.
++ */
+ if (ASIC_IS_DCE32(rdev)) {
+- enc_idx = radeon_crtc->crtc_id;
++ if (dmi_match(DMI_PRODUCT_NAME, "iMac10,1"))
++ enc_idx = (dig->linkb) ? 1 : 0;
++ else
++ enc_idx = radeon_crtc->crtc_id;
++
+ goto assigned;
+ }
+
diff --git a/queue-4.4/f2fs-don-t-clear-sgid-when-inheriting-acls.patch b/queue-4.4/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
new file mode 100644
index 00000000000..e318e7eca6e
--- /dev/null
+++ b/queue-4.4/f2fs-don-t-clear-sgid-when-inheriting-acls.patch
@@ -0,0 +1,34 @@
+From c925dc162f770578ff4a65ec9b08270382dba9e6 Mon Sep 17 00:00:00 2001
+From: Jaegeuk Kim
+Date: Tue, 11 Jul 2017 14:56:49 -0700
+Subject: f2fs: Don't clear SGID when inheriting ACLs
+
+From: Jaegeuk Kim
+
+commit c925dc162f770578ff4a65ec9b08270382dba9e6 upstream.
+
+This patch copies commit b7f8a09f80:
+"btrfs: Don't clear SGID when inheriting ACLs" written by Jan.
+
+Fixes: 073931017b49d9458aa351605b43a7e34598caef
+Signed-off-by: Jan Kara
+Reviewed-by: Chao Yu
+Reviewed-by: Jan Kara
+Signed-off-by: Jaegeuk Kim
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/f2fs/acl.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/f2fs/acl.c
++++ b/fs/f2fs/acl.c
+@@ -213,7 +213,7 @@ static int __f2fs_set_acl(struct inode *
+ switch (type) {
+ case ACL_TYPE_ACCESS:
+ name_index = F2FS_XATTR_INDEX_POSIX_ACL_ACCESS;
+- if (acl) {
++ if (acl && !ipage) {
+ error = posix_acl_update_mode(inode, &inode->i_mode, &acl);
+ if (error)
+ return error;
diff --git a/queue-4.4/ipmi-ssif-add-missing-unlock-in-error-branch.patch b/queue-4.4/ipmi-ssif-add-missing-unlock-in-error-branch.patch
new file mode 100644
index 00000000000..8166e9779f1
--- /dev/null
+++ b/queue-4.4/ipmi-ssif-add-missing-unlock-in-error-branch.patch
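Review bot: The new condition `if (acl && !ipage)` skips posix_acl_update_mode() whenever an ipage is supplied, but nothing in the hunk records why a non-NULL ipage stands for "ACLs are being inherited at inode creation", which is the case the subject line describes; a reader has to recover that from the commit message. A short comment on the changed line, e.g. `/* ipage != NULL: inheriting ACLs at create time, leave i_mode (SGID) alone */`, would make the intent explicit and stop someone from "fixing" the condition back. Whether every caller that passes an ipage really is the creation path cannot be confirmed from here; __f2fs_set_acl() starts and ends outside the hunk.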
@@ -0,0 +1,35 @@
+From 4495ec6d770e1bca7a04e93ac453ab6720c56c5d Mon Sep 17 00:00:00 2001
+From: Corey Minyard
+Date: Fri, 30 Jun 2017 07:18:08 -0500
+Subject: ipmi:ssif: Add missing unlock in error branch
+
+From: Corey Minyard
+
+commit 4495ec6d770e1bca7a04e93ac453ab6720c56c5d upstream.
+
+When getting flags, a response to a different message would
+result in a deadlock because of a missing unlock. Add that
+unlock and a comment. Found by static analysis.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Corey Minyard
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_ssif.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_ssif.c
++++ b/drivers/char/ipmi/ipmi_ssif.c
+@@ -758,6 +758,11 @@ static void msg_done_handler(struct ssif
+ result, len, data[2]);
+ } else if (data[0] != (IPMI_NETFN_APP_REQUEST | 1) << 2
+ || data[1] != IPMI_GET_MSG_FLAGS_CMD) {
++ /*
++ * Don't abort here, maybe it was a queued
++ * response to a previous command.
++ */
++ ipmi_ssif_unlock_cond(ssif_info, flags);
+ pr_warn(PFX "Invalid response getting flags: %x %x\n",
+ data[0], data[1]);
+ } else {
diff --git a/queue-4.4/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch b/queue-4.4/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
new file mode 100644
index 00000000000..d41c8c2cb89
--- /dev/null
+++ b/queue-4.4/ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch
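Review bot: The unlock is added only to the middle arm of the if/else-if chain; the first arm (its pr_warn ends on the context line `result, len, data[2]);`) and the trailing `else` lie outside the hunk, so whether each of them releases ssif_info's lock on its own path cannot be seen here and should be checked, since after this patch every arm has to unlock independently. Making that invariant visible would help the next reader: a comment above the chain such as `/* each branch below is responsible for dropping the lock */`. msg_done_handler() starts and ends outside the hunk.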
@@ -0,0 +1,124 @@
+From cdea46566bb21ce309725a024208322a409055cc Mon Sep 17 00:00:00 2001
+From: Tony Camuso
+Date: Mon, 19 Jun 2017 13:17:33 -0400
+Subject: ipmi: use rcu lock around call to intf->handlers->sender()
+
+From: Tony Camuso
+
+commit cdea46566bb21ce309725a024208322a409055cc upstream.
+
+A vendor with a system having more than 128 CPUs occasionally encounters
+the following crash during shutdown. This is not an easily reproduceable
+event, but the vendor was able to provide the following analysis of the
+crash, which exhibits the same footprint each time.
+
+crash> bt
+PID: 0 TASK: ffff88017c70ce70 CPU: 5 COMMAND: "swapper/5"
+ #0 [ffff88085c143ac8] machine_kexec at ffffffff81059c8b
+ #1 [ffff88085c143b28] __crash_kexec at ffffffff811052e2
+ #2 [ffff88085c143bf8] crash_kexec at ffffffff811053d0
+ #3 [ffff88085c143c10] oops_end at ffffffff8168ef88
+ #4 [ffff88085c143c38] no_context at ffffffff8167ebb3
+ #5 [ffff88085c143c88] __bad_area_nosemaphore at ffffffff8167ec49
+ #6 [ffff88085c143cd0] bad_area_nosemaphore at ffffffff8167edb3
+ #7 [ffff88085c143ce0] __do_page_fault at ffffffff81691d1e
+ #8 [ffff88085c143d40] do_page_fault at ffffffff81691ec5
+ #9 [ffff88085c143d70] page_fault at ffffffff8168e188
+ [exception RIP: unknown or invalid address]
+ RIP: ffffffffa053c800 RSP: ffff88085c143e28 RFLAGS: 00010206
+ RAX: ffff88017c72bfd8 RBX: ffff88017a8dc000 RCX: ffff8810588b5ac8
+ RDX: ffff8810588b5a00 RSI: ffffffffa053c800 RDI: ffff8810588b5a00
+ RBP: ffff88085c143e58 R8: ffff88017c70d408 R9: ffff88017a8dc000
+ R10: 0000000000000002 R11: ffff88085c143da0 R12: ffff8810588b5ac8
+ R13: 0000000000000100 R14: ffffffffa053c800 R15: ffff8810588b5a00
+ ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018
+
+ [exception RIP: cpuidle_enter_state+82]
+ RIP: ffffffff81514192 RSP: ffff88017c72be50 RFLAGS: 00000202
+ RAX: 0000001e4c3c6f16 RBX: 000000000000f8a0 RCX: 0000000000000018
+ RDX: 0000000225c17d03 RSI: ffff88017c72bfd8 RDI: 0000001e4c3c6f16
+ RBP: ffff88017c72be78 R8: 000000000000237e R9: 0000000000000018
+ R10: 0000000000002494 R11: 0000000000000001 R12: ffff88017c72be20
+ R13: ffff88085c14f8e0 R14: 0000000000000082 R15: 0000001e4c3bb400
+ ORIG_RAX: ffffffffffffff10 CS: 0010 SS: 0018
+
+This is the corresponding stack trace
+
+It has crashed because the area pointed with RIP extracted from timer
+element is already removed during a shutdown process.
+
+The function is smi_timeout().
+
+And we think ffff8810588b5a00 in RDX is a parameter struct smi_info
+
+crash> rd ffff8810588b5a00 20
+ffff8810588b5a00: ffff8810588b6000 0000000000000000 .`.X............
+ffff8810588b5a10: ffff880853264400 ffffffffa05417e0 .D&S......T.....
+ffff8810588b5a20: 24a024a000000000 0000000000000000 .....$.$........
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a30: 0000000000000000 0000000000000000 ................
+ffff8810588b5a40: ffffffffa053a040 ffffffffa053a060 @.S.....`.S.....
+ffff8810588b5a50: 0000000000000000 0000000100000001 ................
+ffff8810588b5a60: 0000000000000000 0000000000000e00 ................
+ffff8810588b5a70: ffffffffa053a580 ffffffffa053a6e0 ..S.......S.....
+ffff8810588b5a80: ffffffffa053a4a0 ffffffffa053a250 ..S.....P.S.....
+ffff8810588b5a90: 0000000500000002 0000000000000000 ................
+
+Unfortunately the top of this area is already detroyed by someone.
+But because of two reasonns we think this is struct smi_info
+ 1) The address included in between ffff8810588b5a70 and ffff8810588b5a80:
+ are inside of ipmi_si_intf.c see crash> module ffff88085779d2c0
+
+ 2) We've found the area which point this.
+ It is offset 0x68 of ffff880859df4000
+
+crash> rd ffff880859df4000 100
+ffff880859df4000: 0000000000000000 0000000000000001 ................
+ffff880859df4010: ffffffffa0535290 dead000000000200 .RS.............
+ffff880859df4020: ffff880859df4020 ffff880859df4020 @.Y.... @.Y....
+ffff880859df4030: 0000000000000002 0000000000100010 ................
+ffff880859df4040: ffff880859df4040 ffff880859df4040 @@.Y....@@.Y....
+ffff880859df4050: 0000000000000000 0000000000000000 ................
+ffff880859df4060: 0000000000000000 ffff8810588b5a00 .........Z.X....
+ffff880859df4070: 0000000000000001 ffff880859df4078 ........x@.Y....
+
+ If we regards it as struct ipmi_smi in shutdown process
+ it looks consistent.
+
+The remedy for this apparent race is affixed below.
+
+Signed-off-by: Tony Camuso
+Signed-off-by: Greg Kroah-Hartman
+
+This was first introduced in 7ea0ed2b5be817 ipmi: Make the
+message handler easier to use for SMI interfaces
+where some code was moved outside of the rcu_read_lock()
+and the lock was not added.
+
+Signed-off-by: Corey Minyard
+
+---
+ drivers/char/ipmi/ipmi_msghandler.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/char/ipmi/ipmi_msghandler.c
++++ b/drivers/char/ipmi/ipmi_msghandler.c
+@@ -3877,6 +3877,9 @@ static void smi_recv_tasklet(unsigned lo
+ * because the lower layer is allowed to hold locks while calling
+ * message delivery.
+ */
++
++ rcu_read_lock();
++
+ if (!run_to_completion)
+ spin_lock_irqsave(&intf->xmit_msgs_lock, flags);
+ if (intf->curr_msg == NULL && !intf->in_shutdown) {
+@@ -3899,6 +3902,8 @@ static void smi_recv_tasklet(unsigned lo
+ if (newmsg)
+ intf->handlers->sender(intf->send_info, newmsg);
+
++ rcu_read_unlock();
++
+ handle_new_recv_msgs(intf);
+ }
+
diff --git a/queue-4.4/raid5-should-update-rdev-sectors-after-reshape.patch b/queue-4.4/raid5-should-update-rdev-sectors-after-reshape.patch
new file mode 100644
index 00000000000..bbce37fcc4c
--- /dev/null
+++ b/queue-4.4/raid5-should-update-rdev-sectors-after-reshape.patch
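Review bot: The rcu_read_lock()/rcu_read_unlock() pair around `intf->handlers->sender(intf->send_info, newmsg);` only prevents the use-after-free described in the message if the teardown path that unpublishes intf->handlers and frees intf->send_info waits for a grace period (synchronize_rcu() or call_rcu()) afterwards; that side is not in the hunk and needs confirming in the shutdown code. The new critical section also covers the spin_lock_irqsave() on xmit_msgs_lock and everything between the two inner hunks, which is fine for a spinlock but would be a problem if anything in that span could sleep. A comment at the new rcu_read_lock(), e.g. `/* keep intf->handlers and send_info alive across sender(); teardown must wait for RCU */`, would record the pairing. smi_recv_tasklet() starts outside the first hunk.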
@@ -0,0 +1,53 @@
+From b5d27718f38843a74552e9a93d32e2391fd3999f Mon Sep 17 00:00:00 2001
+From: Xiao Ni
+Date: Wed, 5 Jul 2017 17:34:04 +0800
+Subject: Raid5 should update rdev->sectors after reshape
+
+From: Xiao Ni
+
+commit b5d27718f38843a74552e9a93d32e2391fd3999f upstream.
+
+The raid5 md device is created by the disks which we don't use the total size. For example,
+the size of the device is 5G and it just uses 3G of the devices to create one raid5 device.
+Then change the chunksize and wait reshape to finish. After reshape finishing stop the raid
+and assemble it again. It fails.
+mdadm -CR /dev/md0 -l5 -n3 /dev/loop[0-2] --size=3G --chunk=32 --assume-clean
+mdadm /dev/md0 --grow --chunk=64
+wait reshape to finish
+mdadm -S /dev/md0
+mdadm -As
+The error messages:
+[197519.814302] md: loop1 does not have a valid v1.2 superblock, not importing!
+[197519.821686] md: md_import_device returned -22
+
+After reshape the data offset is changed. It selects backwards direction in this condition.
+In function super_1_load it compares the available space of the underlying device with
+sb->data_size. The new data offset gets bigger after reshape. So super_1_load returns -EINVAL.
+rdev->sectors is updated in md_finish_reshape. Then sb->data_size is set in super_1_sync based
+on rdev->sectors. So add md_finish_reshape in end_reshape.
+
+Signed-off-by: Xiao Ni
+Acked-by: Guoqing Jiang
+Signed-off-by: Shaohua Li
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/raid5.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/md/raid5.c
++++ b/drivers/md/raid5.c
+@@ -7531,12 +7531,10 @@ static void end_reshape(struct r5conf *c
+ {
+
+ if (!test_bit(MD_RECOVERY_INTR, &conf->mddev->recovery)) {
+- struct md_rdev *rdev;
+
+ spin_lock_irq(&conf->device_lock);
+ conf->previous_raid_disks = conf->raid_disks;
+- rdev_for_each(rdev, conf->mddev)
+- rdev->data_offset = rdev->new_data_offset;
++ md_finish_reshape(conf->mddev);
+ smp_wmb();
+ conf->reshape_progress = MaxSector;
+ conf->mddev->reshape_position = MaxSector;
diff --git a/queue-4.4/s390-syscalls-fix-out-of-bounds-arguments-access.patch b/queue-4.4/s390-syscalls-fix-out-of-bounds-arguments-access.patch
new file mode 100644
index 00000000000..b052ba2e6a6
--- /dev/null
+++ b/queue-4.4/s390-syscalls-fix-out-of-bounds-arguments-access.patch
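Review bot: `md_finish_reshape(conf->mddev);` now runs with conf->device_lock held and interrupts disabled (`spin_lock_irq(&conf->device_lock);` is the context line just above it), whereas the rdev_for_each loop it replaces only wrote rdev->data_offset; the hunk does not show what md_finish_reshape() does, so it should be confirmed that it neither sleeps nor acquires a lock that can be held while waiting for device_lock. If it does more than the per-rdev bookkeeping the message describes, the call belongs after the unlock, which is outside the hunk. end_reshape() ends outside the hunk.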
@@ -0,0 +1,58 @@
+From c46fc0424ced3fb71208e72bd597d91b9169a781 Mon Sep 17 00:00:00 2001
+From: Jiri Olsa
+Date: Thu, 29 Jun 2017 11:38:11 +0200
+Subject: s390/syscalls: Fix out of bounds arguments access
+
+From: Jiri Olsa
+
+commit c46fc0424ced3fb71208e72bd597d91b9169a781 upstream.
+
+Zorro reported following crash while having enabled
+syscall tracing (CONFIG_FTRACE_SYSCALLS):
+
+ Unable to handle kernel pointer dereference at virtual ...
+ Oops: 0011 [#1] SMP DEBUG_PAGEALLOC
+
+ SNIP
+
+ Call Trace:
+ ([<000000000024d79c>] ftrace_syscall_enter+0xec/0x1d8)
+ [<00000000001099c6>] do_syscall_trace_enter+0x236/0x2f8
+ [<0000000000730f1c>] sysc_tracesys+0x1a/0x32
+ [<000003fffcf946a2>] 0x3fffcf946a2
+ INFO: lockdep is turned off.
+ Last Breaking-Event-Address:
+ [<000000000022dd44>] rb_event_data+0x34/0x40
+ ---[ end trace 8c795f86b1b3f7b9 ]---
+
+The crash happens in syscall_get_arguments function for
+syscalls with zero arguments, that will try to access
+first argument (args[0]) in event entry, but it's not
+allocated.
+
+Bail out of there are no arguments.
+
+Reported-by: Zorro Lang
+Signed-off-by: Jiri Olsa
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/include/asm/syscall.h | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/arch/s390/include/asm/syscall.h
++++ b/arch/s390/include/asm/syscall.h
+@@ -64,6 +64,12 @@ static inline void syscall_get_arguments
+ {
+ unsigned long mask = -1UL;
+
++ /*
++ * No arguments for this syscall, there's nothing to do.
++ */
++ if (!n)
++ return;
++
+ BUG_ON(i + n > 6);
+ #ifdef CONFIG_COMPAT
+ if (test_tsk_thread_flag(task, TIF_31BIT))
diff --git a/queue-4.4/series b/queue-4.4/series
index f6ce0e07cb6..1bf951b1d55 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
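Review bot: Placing `if (!n) return;` ahead of `BUG_ON(i + n > 6);` means a zero-length request with an out-of-range starting index now passes silently, where the assertion previously caught it; nothing is dereferenced in that case, so it is harmless, but if the range check is meant as a caller-contract assertion, swapping the two statements — `BUG_ON(i + n > 6);` first, then the early return — keeps it intact at no cost. syscall_get_arguments() continues past the end of the hunk.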
@@ -39,3 +39,12 @@ usb-renesas_usbhs-fix-usbhsc_resume-for-usbhsf_runtime_pwctrl.patch usb-renesas_usbhs-gadget-disable-all-eps-when-the-driver-stops.patch md-don-t-use-flush_signals-in-userspace-processes.patch x86-xen-allow-userspace-access-during-hypercalls.patch +cx88-fix-regression-in-initial-video-standard-setting.patch +raid5-should-update-rdev-sectors-after-reshape.patch +s390-syscalls-fix-out-of-bounds-arguments-access.patch +drm-amd-amdgpu-return-error-if-initiating-read-out-of-range-on-vram.patch +drm-radeon-ci-disable-mclk-switching-for-high-refresh-rates-v2.patch +drm-radeon-fix-edp-for-single-display-imac10-1-v2.patch +ipmi-use-rcu-lock-around-call-to-intf-handlers-sender.patch +ipmi-ssif-add-missing-unlock-in-error-branch.patch +f2fs-don-t-clear-sgid-when-inheriting-acls.patch