From 5d18965a7b51e7416823fde48b8a4604e9c57d5a Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 6 May 2014 15:36:40 -0700
Subject: [PATCH] 3.4-stable patches
added patches:
floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
mpt2sas-don-t-disable-device-twice-at-suspend.patch
virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
---
 ...nly-members-to-fdrawcmd-ioctl-output.patch | 35 +++++++++++++++
 ...only-members-in-fdrawcmd-ioctl-input.patch | 45 +++++++++++++++++++
 ...sh-tlb-entries-in-swsusp_arch_resume.patch | 45 +++++++++++++++++++
 ...on-t-disable-device-twice-at-suspend.patch | 37 +++++++++++++++
 queue-3.4/series | 5 +++
 ...t-softlockup-on-huge-balloon-changes.patch | 41 +++++++++++++++++
 6 files changed, 208 insertions(+)
 create mode 100644 queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
 create mode 100644 queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
 create mode 100644 queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
 create mode 100644 queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch
 create mode 100644 queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
diff --git a/queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch b/queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
new file mode 100644
index 00000000000..e126cfba978
--- /dev/null
+++ b/queue-3.4/floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
@@ -0,0 +1,35 @@
+From 2145e15e0557a01b9195d1c7199a1b92cb9be81f Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:21 +1200
+Subject: floppy: don't write kernel-only members to FDRAWCMD ioctl output
+
+From: Matthew Daley
+
+commit 2145e15e0557a01b9195d1c7199a1b92cb9be81f upstream.
+
+Do not leak kernel-only floppy_raw_cmd structure members to userspace.
+This includes the linked-list pointer and the pointer to the allocated
+DMA space.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3058,7 +3058,10 @@ static int raw_cmd_copyout(int cmd, void
+ int ret;
+
+ while (ptr) {
+- ret = copy_to_user(param, ptr, sizeof(*ptr));
++ struct floppy_raw_cmd cmd = *ptr;
++ cmd.next = NULL;
++ cmd.kernel_data = NULL;
++ ret = copy_to_user(param, &cmd, sizeof(cmd));
+ if (ret)
+ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
diff --git a/queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch b/queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
new file mode 100644
index 00000000000..bd9ef2aec8b
--- /dev/null
+++ b/queue-3.4/floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
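Review bot: The stack copy `struct floppy_raw_cmd cmd = *ptr;` is the buffer that reaches userspace, and C does not guarantee that struct assignment copies padding bytes, so any padding inside floppy_raw_cmd could still carry uninitialised stack contents out through `copy_to_user()`; whether the struct has padding is not visible in this hunk, so this is a caveat rather than a confirmed leak. A `memset(&cmd, 0, sizeof(cmd));` before the assignment would make the scrubbing independent of how the compiler performs the copy. A comment above the copy would also record the intent: `/* scrub kernel-only members; never expose next/kernel_data to userspace */`. raw_cmd_copyout starts and ends outside the hunk.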
@@ -0,0 +1,45 @@
+From ef87dbe7614341c2e7bfe8d32fcb7028cc97442c Mon Sep 17 00:00:00 2001
+From: Matthew Daley
+Date: Mon, 28 Apr 2014 19:05:20 +1200
+Subject: floppy: ignore kernel-only members in FDRAWCMD ioctl input
+
+From: Matthew Daley
+
+commit ef87dbe7614341c2e7bfe8d32fcb7028cc97442c upstream.
+
+Always clear out these floppy_raw_cmd struct members after copying the
+entire structure from userspace so that the in-kernel version is always
+valid and never left in an interdeterminate state.
+
+Signed-off-by: Matthew Daley
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/floppy.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/block/floppy.c
++++ b/drivers/block/floppy.c
+@@ -3112,10 +3112,11 @@ loop:
+ return -ENOMEM;
+ *rcmd = ptr;
+ ret = copy_from_user(ptr, param, sizeof(*ptr));
+- if (ret)
+- return -EFAULT;
+ ptr->next = NULL;
+ ptr->buffer_length = 0;
++ ptr->kernel_data = NULL;
++ if (ret)
++ return -EFAULT;
+ param += sizeof(struct floppy_raw_cmd);
+ if (ptr->cmd_count > 33)
+ /* the command may now also take up the space
+@@ -3131,7 +3132,6 @@ loop:
+ for (i = 0; i < 16; i++)
+ ptr->reply[i] = 0;
+ ptr->resultcode = 0;
+- ptr->kernel_data = NULL;
+
+ if (ptr->flags & (FD_RAW_READ | FD_RAW_WRITE)) {
+ if (ptr->length <= 0)
diff --git a/queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch b/queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
new file mode 100644
index 00000000000..97cdb900694
--- /dev/null
+++ b/queue-3.4/mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
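Review bot: The ordering that the hunk establishes, the three resets sitting between `copy_from_user()` and the `-EFAULT` return, is the whole fix, yet nothing in the code says why it must stay that way; a future cleanup could easily hoist the error check back up. On a partial copy the struct already hangs off `*rcmd` with user-supplied `next` and `kernel_data` values, and presumably the caller's cleanup path (outside this hunk) walks and frees them, so a one-line comment above `ptr->next = NULL;` is worth adding: `/* scrub kernel-only members before the error path so cleanup never sees user-supplied pointers */`. The enclosing function starts and ends outside the hunk.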
@@ -0,0 +1,45 @@
+From c14af233fbe279d0e561ecf84f1208b1bae087ef Mon Sep 17 00:00:00 2001
+From: Huacai Chen
+Date: Sat, 22 Mar 2014 17:21:44 +0800
+Subject: MIPS: Hibernate: Flush TLB entries in swsusp_arch_resume()
+
+From: Huacai Chen
+
+commit c14af233fbe279d0e561ecf84f1208b1bae087ef upstream.
+
+The original MIPS hibernate code flushes cache and TLB entries in
+swsusp_arch_resume(). But they are removed in Commit 44eeab67416711
+(MIPS: Hibernation: Remove SMP TLB and cacheflushing code.). A cross-
+CPU flush is surely unnecessary because all but the local CPU have
+already been disabled. But a local flush (at least the TLB flush) is
+needed. When we do hibernation on Loongson-3 with an E1000E NIC, it is
+very easy to produce a kernel panic (kernel page fault, or unaligned
+access). The root cause is E1000E driver use vzalloc_node() to allocate
+pages, the stale TLB entries of the booting kernel will be misused by
+the resumed target kernel.
+
+Signed-off-by: Huacai Chen
+Cc: John Crispin
+Cc: Steven J. Hill
+Cc: Aurelien Jarno
+Cc: linux-mips@linux-mips.org
+Cc: Fuxin Zhang
+Cc: Zhangjin Wu
+Patchwork: https://patchwork.linux-mips.org/patch/6643/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/power/hibernate.S | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/mips/power/hibernate.S
++++ b/arch/mips/power/hibernate.S
+@@ -44,6 +44,7 @@ LEAF(swsusp_arch_resume)
+ bne t1, t3, 1b
+ PTR_L t0, PBE_NEXT(t0)
+ bnez t0, 0b
++ jal local_flush_tlb_all /* Avoid TLB mismatch after kernel resume */
+ PTR_LA t0, saved_regs
+ PTR_L ra, PT_R31(t0)
+ PTR_L sp, PT_R29(t0)
diff --git a/queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch b/queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch
new file mode 100644
index 00000000000..4ef72a0a428
--- /dev/null
+++ b/queue-3.4/mpt2sas-don-t-disable-device-twice-at-suspend.patch
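Review bot: `jal local_flush_tlb_all` is a C call dropped into the middle of a hand-written register-restore sequence, and two things it depends on are not visible in the hunk: whether this file assembles under `.set noreorder` (in which case the following `PTR_LA t0, saved_regs` lands in the jal delay slot, and on 64-bit PTR_LA expands to more than one instruction), and whether `sp` still points at a usable stack here, since the call happens before `sp` is reloaded from `saved_regs` two lines later. The register side is fine as written: the call clobbers `ra` and `t0`, and both are reloaded from `saved_regs` immediately afterwards. I'd extend the comment on the new line so the next reader does not have to redo that analysis: `/* Avoid TLB mismatch after kernel resume; clobbers ra/t0, both restored from saved_regs below */`. swsusp_arch_resume starts and ends outside the hunk.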
@@ -0,0 +1,37 @@
+From af61e27c3f77c7623b5335590ae24b6a5c323e22 Mon Sep 17 00:00:00 2001
+From: Tyler Stachecki
+Date: Fri, 25 Apr 2014 16:41:04 -0400
+Subject: [SCSI] mpt2sas: Don't disable device twice at suspend.
+
+From: Tyler Stachecki
+
+commit af61e27c3f77c7623b5335590ae24b6a5c323e22 upstream.
+
+On suspend, _scsih_suspend calls mpt2sas_base_free_resources, which
+in turn calls pci_disable_device if the device is enabled prior to
+suspending. However, _scsih_suspend also calls pci_disable_device
+itself.
+
+Thus, in the event that the device is enabled prior to suspending,
+pci_disable_device will be called twice. This patch removes the
+duplicate call to pci_disable_device in _scsi_suspend as it is both
+unnecessary and results in a kernel oops.
+
+Signed-off-by: Tyler Stachecki
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mpt2sas/mpt2sas_scsih.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c
++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c
+@@ -8086,7 +8086,6 @@ _scsih_suspend(struct pci_dev *pdev, pm_
+
+ mpt2sas_base_free_resources(ioc);
+ pci_save_state(pdev);
+- pci_disable_device(pdev);
+ pci_set_power_state(pdev, device_state);
+ return 0;
+ }
diff --git a/queue-3.4/series b/queue-3.4/series
index 28a7eec3a76..a70eaca99b8 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -1 +1,6 @@
 drivers-tty-hvc-don-t-free-hvc_console_setup-after-init.patch
+floppy-ignore-kernel-only-members-in-fdrawcmd-ioctl-input.patch
+floppy-don-t-write-kernel-only-members-to-fdrawcmd-ioctl-output.patch
+mips-hibernate-flush-tlb-entries-in-swsusp_arch_resume.patch
+virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
+mpt2sas-don-t-disable-device-twice-at-suspend.patch
diff --git a/queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch b/queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
new file mode 100644
index 00000000000..bbc216a8a44
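Review bot: With `pci_disable_device(pdev)` gone, nothing left in _scsih_suspend says who disables the device; the fact that `mpt2sas_base_free_resources()` does it is recorded only in the commit message, which is exactly the kind of invisible dependency that gets "fixed" back into a double disable later. A one-line comment on the surviving call would pin it: `mpt2sas_base_free_resources(ioc); /* also disables the PCI device; must not disable again here */`. The claim that free_resources disables the device comes from the commit text, not from code in this hunk, so worth confirming against mpt2sas_base.c when applying. _scsih_suspend starts and ends outside the hunk.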
--- /dev/null
+++ b/queue-3.4/virtio_balloon-don-t-softlockup-on-huge-balloon-changes.patch
@@ -0,0 +1,41 @@
+From 1f74ef0f2d7d692fcd615621e0e734c3e7771413 Mon Sep 17 00:00:00 2001
+From: Rusty Russell
+Date: Thu, 13 Mar 2014 11:23:38 +1030
+Subject: virtio_balloon: don't softlockup on huge balloon changes.
+
+From: Rusty Russell
+
+commit 1f74ef0f2d7d692fcd615621e0e734c3e7771413 upstream.
+
+When adding or removing 100G from a balloon:
+
+ BUG: soft lockup - CPU#0 stuck for 22s! [vballoon:367]
+
+We have a wait_event_interruptible(), but the condition is always true
+(more ballooning to do) so we don't ever sleep. We also have a
+wait_event() for the host to ack, but that is also always true as QEMU
+is synchronous for balloon operations.
+
+Reported-by: Gopesh Kumar Chaudhary
+Signed-off-by: Rusty Russell
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/virtio/virtio_balloon.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/virtio/virtio_balloon.c
++++ b/drivers/virtio/virtio_balloon.c
+@@ -305,6 +305,12 @@ static int balloon(void *_vballoon)
+ else if (diff < 0)
+ leak_balloon(vb, -diff);
+ update_balloon_size(vb);
++
++ /*
++ * For large balloon changes, we could spend a lot of time
++ * and always have work to do. Be nice if preempt disabled.
++ */
++ cond_resched();
+ }
+ return 0;
+ }
--
2.47.3
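Review bot: The new comment's "Be nice if preempt disabled" reads as if it were about a preempt_disable() section, whereas `cond_resched()` matters here on kernels built without preemption, where this loop would otherwise never schedule out and trips the softlockup detector quoted in the commit message. I'd reword the second sentence: `* and always have work to do. Yield so a non-preemptible kernel` / `* doesn't hit the softlockup detector.` It is also worth noting in the comment that this only yields: the wait_event conditions the commit message describes as always true are untouched, so the kthread keeps spinning rather than sleeping while there is work, which is fine for the lockup but not a cure for the busy loop. balloon() starts before the hunk.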