From: Greg Kroah-Hartman Date: Sun, 9 Apr 2017 19:25:36 +0000 (+0200) Subject: 4.4-stable patches X-Git-Tag: v4.4.61~33 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=f99637f64ad1455c413a018bb639afa7c132e062;p=thirdparty%2Fkernel%2Fstable-queue.git 4.4-stable patches added patches: arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch iio-bmg160-reset-chip-when-probing.patch staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch sysfs-be-careful-of-error-returns-from-ops-show.patch
---
diff --git a/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch b/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
new file mode 100644
index 00000000000..1ff4a77aa0e
--- /dev/null
+++ b/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
@@ -0,0 +1,66 @@
+From 72f310481a08db821b614e7b5d00febcc9064b36 Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Thu, 16 Mar 2017 18:20:50 +0000
+Subject: arm/arm64: KVM: Take mmap_sem in kvm_arch_prepare_memory_region
+
+From: Marc Zyngier
+
+commit 72f310481a08db821b614e7b5d00febcc9064b36 upstream.
+
+We don't hold the mmap_sem while searching for VMAs (via find_vma), in
+kvm_arch_prepare_memory_region, which can end up in expected failures.
+
+Fixes: commit 8eef91239e57 ("arm/arm64: KVM: map MMIO regions at creation time")
+Cc: Ard Biesheuvel
+Cc: Eric Auger
+Reviewed-by: Christoffer Dall
+[ Handle dirty page logging failure case ]
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kvm/mmu.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -1761,6 +1761,7 @@ int kvm_arch_prepare_memory_region(struc
+ (KVM_PHYS_SIZE >> PAGE_SHIFT))
+ return -EFAULT;
+ 
++ down_read(¤t->mm->mmap_sem);
+ /*
+ * A memory region could potentially cover multiple VMAs, and any holes
+ * between them, so iterate over all of them to find out if we can map
+@@ -1804,8 +1805,10 @@ int kvm_arch_prepare_memory_region(struc
+ pa += vm_start - vma->vm_start;
+ 
+ /* IO region dirty page logging not allowed */
+- if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES)
+- return -EINVAL;
++ if (memslot->flags & KVM_MEM_LOG_DIRTY_PAGES) {
++ ret = -EINVAL;
++ goto out;
++ }
+ 
+ ret = kvm_phys_addr_ioremap(kvm, gpa, pa,
+ vm_end - vm_start,
+@@ -1817,7 +1820,7 @@ int kvm_arch_prepare_memory_region(struc
+ } while (hva < reg_end);
+ 
+ if (change == KVM_MR_FLAGS_ONLY)
+- return ret;
++ goto out;
+ 
+ spin_lock(&kvm->mmu_lock);
+ if (ret)
+@@ -1825,6 +1828,8 @@ int kvm_arch_prepare_memory_region(struc
+ else
+ stage2_flush_memslot(kvm, memslot);
+ spin_unlock(&kvm->mmu_lock);
++out:
++ up_read(¤t->mm->mmap_sem);
+ return ret;
+ }
+ 
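Review bot: The new `down_read(¤t->mm->mmap_sem)` is paired with `up_read` only at the `out:` label, and the two visible early returns were converted to `goto out`, but the stretches of kvm_arch_prepare_memory_region between the inner hunks at 1761/1804/1817 and after 1828 are outside this hunk, so any return on those stretches would leave the read lock held and should be confirmed against the full function. Both this hunk and the stage2_unmap_vm hunk in the next file lock `current->mm`, which presumes the caller is the VMM task with a live mm rather than a kernel thread; that seems right for the memslot ioctl path but a one-line comment at the `down_read` would make it explicit, e.g. `/* find_vma() below needs mmap_sem; called from the VMM task, so current->mm is the guest's host address space */`. The `¤t` on the added lines looks like a rendering artifact of `&current` on this page rather than the patched text. The function's signature and the code between the inner hunks are outside the hunk.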
diff --git a/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch b/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
new file mode 100644
index 00000000000..f55af8bae44
--- /dev/null
+++ b/queue-4.4/arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
@@ -0,0 +1,41 @@
+From 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb Mon Sep 17 00:00:00 2001
+From: Marc Zyngier
+Date: Thu, 16 Mar 2017 18:20:49 +0000
+Subject: arm/arm64: KVM: Take mmap_sem in stage2_unmap_vm
+
+From: Marc Zyngier
+
+commit 90f6e150e44a0dc3883110eeb3ab35d1be42b6bb upstream.
+
+We don't hold the mmap_sem while searching for the VMAs when
+we try to unmap each memslot for a VM. Fix this properly to
+avoid unexpected results.
+
+Fixes: commit 957db105c997 ("arm/arm64: KVM: Introduce stage2_unmap_vm")
+Reviewed-by: Christoffer Dall
+Signed-off-by: Suzuki K Poulose
+Signed-off-by: Marc Zyngier
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kvm/mmu.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/kvm/mmu.c
++++ b/arch/arm/kvm/mmu.c
+@@ -796,6 +796,7 @@ void stage2_unmap_vm(struct kvm *kvm)
+ int idx;
+ 
+ idx = srcu_read_lock(&kvm->srcu);
++ down_read(¤t->mm->mmap_sem);
+ spin_lock(&kvm->mmu_lock);
+ 
+ slots = kvm_memslots(kvm);
+@@ -803,6 +804,7 @@ void stage2_unmap_vm(struct kvm *kvm)
+ stage2_unmap_memslot(kvm, memslot);
+ 
+ spin_unlock(&kvm->mmu_lock);
++ up_read(¤t->mm->mmap_sem);
+ srcu_read_unlock(&kvm->srcu, idx);
+ }
+ 
diff --git a/queue-4.4/iio-bmg160-reset-chip-when-probing.patch b/queue-4.4/iio-bmg160-reset-chip-when-probing.patch
new file mode 100644
index 00000000000..d403897de47
--- /dev/null
+++ b/queue-4.4/iio-bmg160-reset-chip-when-probing.patch
@@ -0,0 +1,63 @@
+From 4bdc9029685ac03be50b320b29691766d2326c2b Mon Sep 17 00:00:00 2001
+From: Quentin Schulz
+Date: Tue, 21 Mar 2017 16:52:14 +0100
+Subject: iio: bmg160: reset chip when probing
+
+From: Quentin Schulz
+
+commit 4bdc9029685ac03be50b320b29691766d2326c2b upstream.
+
+The gyroscope chip might need to be reset to be used.
+
+Without the chip being reset, the driver stopped at the first
+regmap_read (to get the CHIP_ID) and failed to probe.
+
+The datasheet of the gyroscope says that a minimum wait of 30ms after
+the reset has to be done.
+
+This patch has been checked on a BMX055 and the datasheet of the BMG160
+and the BMI055 give the same reset register and bits.
+
+Signed-off-by: Quentin Schulz
+Signed-off-by: Jonathan Cameron
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/iio/gyro/bmg160_core.c | 12 ++++++++++++
+ 1 file changed, 12 insertions(+)
+
+--- a/drivers/iio/gyro/bmg160_core.c
++++ b/drivers/iio/gyro/bmg160_core.c
+@@ -28,6 +28,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "bmg160.h"
+ 
+ #define BMG160_IRQ_NAME "bmg160_event"
+@@ -53,6 +54,9 @@
+ #define BMG160_NO_FILTER 0
+ #define BMG160_DEF_BW 100
+ 
++#define BMG160_GYRO_REG_RESET 0x14
++#define BMG160_GYRO_RESET_VAL 0xb6
++
+ #define BMG160_REG_INT_MAP_0 0x17
+ #define BMG160_INT_MAP_0_BIT_ANY BIT(1)
+ 
+@@ -186,6 +190,14 @@ static int bmg160_chip_init(struct bmg16
+ int ret;
+ unsigned int val;
+ 
++ /*
++ * Reset chip to get it in a known good state. A delay of 30ms after
++ * reset is required according to the datasheet.
++ */
++ regmap_write(data->regmap, BMG160_GYRO_REG_RESET,
++ BMG160_GYRO_RESET_VAL);
++ usleep_range(30000, 30700);
++
+ ret = regmap_read(data->regmap, BMG160_REG_CHIP_ID, &val);
+ if (ret < 0) {
+ dev_err(data->dev, "Error reading reg_chip_id\n");
diff --git a/queue-4.4/series b/queue-4.4/series
index 5e64ca67394..2c500074610 100644
--- a/queue-4.4/series
+++ b/queue-4.4/series
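Review bot: The return value of the added `regmap_write(data->regmap, BMG160_GYRO_REG_RESET, BMG160_GYRO_RESET_VAL)` is discarded, so a failed bus write still runs into the 30ms sleep and the CHIP_ID read, and probe then reports only the secondary failure instead of the reset that actually went wrong. Capturing it into the existing `ret` and bailing out with a `dev_err` mirrors the error handling the function already applies to `regmap_read` directly below. The header name on the added `+#include` line has been stripped in this rendering, so which header supplies `usleep_range()` cannot be checked from the page. bmg160_chip_init's body continues past the end of the hunk.
```c
	/* … unchanged: reset comment … */
	ret = regmap_write(data->regmap, BMG160_GYRO_REG_RESET,
			   BMG160_GYRO_RESET_VAL);
	if (ret < 0) {
		dev_err(data->dev, "Error writing reg_reset\n");
		return ret;
	}
	usleep_range(30000, 30700);
```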
@@ -4,3 +4,8 @@ drm-vmwgfx-avoid-calling-vzalloc-with-a-0-size-in-vmw_get_cap_3d_ioctl.patch
 drm-ttm-drm-vmwgfx-relax-permission-checking-when-opening-surfaces.patch
 drm-vmwgfx-remove-getparam-error-message.patch
 drm-vmwgfx-fix-integer-overflow-in-vmw_surface_define_ioctl.patch
+sysfs-be-careful-of-error-returns-from-ops-show.patch
+staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
+arm-arm64-kvm-take-mmap_sem-in-stage2_unmap_vm.patch
+arm-arm64-kvm-take-mmap_sem-in-kvm_arch_prepare_memory_region.patch
+iio-bmg160-reset-chip-when-probing.patch
diff --git a/queue-4.4/staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch b/queue-4.4/staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
new file mode 100644
index 00000000000..4764c7c4021
--- /dev/null
+++ b/queue-4.4/staging-android-ashmem-lseek-failed-due-to-no-fmode_lseek.patch
@@ -0,0 +1,39 @@
+From 97fbfef6bd597888485b653175fb846c6998b60c Mon Sep 17 00:00:00 2001
+From: Shuxiao Zhang
+Date: Thu, 6 Apr 2017 22:30:29 +0800
+Subject: staging: android: ashmem: lseek failed due to no FMODE_LSEEK.
+
+From: Shuxiao Zhang
+
+commit 97fbfef6bd597888485b653175fb846c6998b60c upstream.
+
+vfs_llseek will check whether the file mode has
+FMODE_LSEEK, no return failure. But ashmem can be
+lseek, so add FMODE_LSEEK to ashmem file.
+
+Comment From Greg Hackmann:
+ ashmem_llseek() passes the llseek() call through to the backing
+ shmem file. 91360b02ab48 ("ashmem: use vfs_llseek()") changed
+ this from directly calling the file's llseek() op into a VFS
+ layer call. This also adds a check for the FMODE_LSEEK bit, so
+ without that bit ashmem_llseek() now always fails with -ESPIPE.
+
+Fixes: 91360b02ab48 ("ashmem: use vfs_llseek()")
+Signed-off-by: Shuxiao Zhang
+Tested-by: Greg Hackmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/android/ashmem.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/android/ashmem.c
++++ b/drivers/staging/android/ashmem.c
+@@ -392,6 +392,7 @@ static int ashmem_mmap(struct file *file
+ ret = PTR_ERR(vmfile);
+ goto out;
+ }
++ vmfile->f_mode |= FMODE_LSEEK;
+ asma->file = vmfile;
+ }
+ get_file(asma->file);
diff --git a/queue-4.4/sysfs-be-careful-of-error-returns-from-ops-show.patch b/queue-4.4/sysfs-be-careful-of-error-returns-from-ops-show.patch
new file mode 100644
index 00000000000..ed3186a7d6f
--- /dev/null
+++ b/queue-4.4/sysfs-be-careful-of-error-returns-from-ops-show.patch
@@ -0,0 +1,80 @@
+From c8a139d001a1aab1ea8734db14b22dac9dd143b6 Mon Sep 17 00:00:00 2001
+From: NeilBrown
+Date: Mon, 3 Apr 2017 11:30:34 +1000
+Subject: sysfs: be careful of error returns from ops->show()
+
+From: NeilBrown
+
+commit c8a139d001a1aab1ea8734db14b22dac9dd143b6 upstream.
+
+ops->show() can return a negative error code.
+Commit 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
+(in v4.4) caused this to be stored in an unsigned 'size_t' variable, so errors
+would look like large numbers.
+As a result, if an error is returned, sysfs_kf_read() will return the
+value of 'count', typically 4096.
+
+Commit 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
+(in v4.8) extended this error to use the unsigned large 'len' as a size for
+memmove().
+Consequently, if ->show returns an error, then the first read() on the
+sysfs file will return 4096 and could return uninitialized memory to
+user-space.
+If the application performs a subsequent read, this will trigger a memmove()
+with extremely large count, and is likely to crash the machine is bizarre ways.
+
+This bug can currently only be triggered by reading from an md
+sysfs attribute declared with __ATTR_PREALLOC() during the
+brief period between when mddev_put() deletes an mddev from
+the ->all_mddevs list, and when mddev_delayed_delete() - which is
+scheduled on a workqueue - completes.
+Before this, an error won't be returned by the ->show()
+After this, the ->show() won't be called.
+
+I can reproduce it reliably only by putting delay like
+ usleep_range(500000,700000);
+early in mddev_delayed_delete(). Then after creating an
+md device md0 run
+ echo clear > /sys/block/md0/md/array_state; cat /sys/block/md0/md/array_state
+
+The bug can be triggered without the usleep.
+
+Fixes: 65da3484d9be ("sysfs: correctly handle short reads on PREALLOC attrs.")
+Fixes: 17d0774f8068 ("sysfs: correctly handle read offset on PREALLOC attrs")
+Signed-off-by: NeilBrown
+Acked-by: Tejun Heo
+Reported-and-tested-by: Miroslav Benes
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/sysfs/file.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/fs/sysfs/file.c
++++ b/fs/sysfs/file.c
+@@ -108,7 +108,7 @@ static ssize_t sysfs_kf_read(struct kern
+ {
+ const struct sysfs_ops *ops = sysfs_file_ops(of->kn);
+ struct kobject *kobj = of->kn->parent->priv;
+- size_t len;
++ ssize_t len;
+ 
+ /*
+ * If buf != of->prealloc_buf, we don't know how
+@@ -117,13 +117,15 @@ static ssize_t sysfs_kf_read(struct kern
+ if (WARN_ON_ONCE(buf != of->prealloc_buf))
+ return 0;
+ len = ops->show(kobj, of->kn->priv, buf);
++ if (len < 0)
++ return len;
+ if (pos) {
+ if (len <= pos)
+ return 0;
+ len -= pos;
+ memmove(buf, buf + pos, len);
+ }
+- return min(count, len);
++ return min_t(ssize_t, count, len);
+ }
+ 
+ /* kernfs write callback for regular sysfs files */
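Review bot: The added `if (len < 0) return len;` carries no comment explaining why it must sit between the `ops->show()` call and the `pos` arithmetic, which is the whole point of the fix given that the old `size_t len` silently turned an error into a huge length fed to `memmove()`; suggest `/* ->show() errors must be rejected before they reach the pos arithmetic or memmove() below */` on the line above it. The `min_t(ssize_t, count, len)` cast presumes `count` never exceeds SSIZE_MAX; that presumably holds because the read is bounded by the preallocated buffer, but a short note at that line would make the assumption explicit for the next reader of this path. sysfs_kf_read's signature, including the `count` and `pos` parameters, is outside the hunk.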