
Commit 8696708b authored by Greg Kroah-Hartman

Merge 3.18.92 into android-3.18



Changes in 3.18.92
	kernel/acct.c: fix the acct->needcheck check in check_free_space()
	crypto: n2 - cure use after free
	fscache: Fix the default for fscache_maybe_release_page()
	kernel/signal.c: protect the traced SIGNAL_UNKILLABLE tasks from SIGKILL
	kernel/signal.c: protect the SIGNAL_UNKILLABLE tasks from !sig_kernel_only() signals
	kernel/signal.c: remove the no longer needed SIGNAL_UNKILLABLE check in complete_signal()
	Input: elantech - add new icbody type 15
	can: gs_usb: fix return value of the "set_bittiming" callback
	IB/srpt: Disable RDMA access by the initiator
	MIPS: Factor out NT_PRFPREG regset access helpers
	MIPS: Guard against any partial write attempt with PTRACE_SETREGSET
	MIPS: Consistently handle buffer counter with PTRACE_SETREGSET
	MIPS: Fix an FCSR access API regression with NT_PRFPREG and MSA
	MIPS: Disallow outsized PTRACE_SETREGSET NT_PRFPREG regset accesses
	MIPS: Also verify sizeof `elf_fpreg_t' with PTRACE_SETREGSET
	perf/core: Fix concurrent sys_perf_event_open() vs. 'move_group' race
	kvm: vmx: Scrub hardware GPRs at VM-exit
	x86/acpi: Handle SCI interrupts above legacy space gracefully
	ALSA: pcm: Remove incorrect snd_BUG_ON() usages
	ALSA: pcm: Add missing error checks in OSS emulation plugin builder
	ALSA: pcm: Abort properly at pending signal in OSS read/write loops
	ALSA: pcm: Allow aborting mutex lock at OSS read/write loops
	ALSA: aloop: Release cable upon open error path
	ALSA: aloop: Fix inconsistent format due to incomplete rule
	ALSA: aloop: Fix racy hw constraints adjustment
	x86/acpi: Reduce code duplication in mp_override_legacy_irq()
	8021q: fix a memory leak for VLAN 0 device
	RDS: Heap OOB write in rds_message_alloc_sgs()
	RDS: null pointer dereference in rds_atomic_free_op
	sh_eth: fix TSU resource handling
	sh_eth: fix SH7757 GEther initialization
	net: stmmac: enable EEE in MII, GMII or RGMII only
	crypto: algapi - fix NULL dereference in crypto_remove_spawns()
	x86/microcode/intel: Extend BDW late-loading with a revision check
	iscsi-target: Make TASK_REASSIGN use proper se_cmd->cmd_kref
	target: Avoid early CMD_T_PRE_EXECUTE failures during ABORT_TASK
	Revert "can: kvaser_usb: free buf in error paths"
	USB: serial: cp210x: add IDs for LifeScan OneTouch Verio IQ
	USB: serial: cp210x: add new device ID ELV ALC 8xxx
	usb: misc: usb3503: make sure reset is low for at least 100us
	USB: fix usbmon BUG trigger
	usbip: remove kernel addresses from usb device and urb debug msgs
	staging: android: ashmem: fix a race condition in ASHMEM_SET_SIZE ioctl
	Bluetooth: Prevent stack info leak from the EFS element.
	uas: ignore UAS for Norelsys NS1068(X) chips
	e1000e: Fix e1000_check_for_copper_link_ich8lan return value.
	Linux 3.18.92

Change-Id: I8b7c30f73e17a8547c2e5b948a2d62cec66bf237
Signed-off-by: Greg Kroah-Hartman <gregkh@google.com>
parents 5a7a92d3 a5d35dec
+1 −1
VERSION = 3
PATCHLEVEL = 18
SUBLEVEL = 91
SUBLEVEL = 92
EXTRAVERSION =
NAME = Diseased Newt

+122 −25
@@ -400,61 +400,158 @@ static int gpr64_set(struct task_struct *target,

#endif /* CONFIG_64BIT */

/*
 * Copy the floating-point context to the supplied NT_PRFPREG buffer,
 * !CONFIG_CPU_HAS_MSA variant.  FP context's general register slots
 * correspond 1:1 to buffer slots.  Only general registers are copied.
 */
static int fpr_get_fpa(struct task_struct *target,
		       unsigned int *pos, unsigned int *count,
		       void **kbuf, void __user **ubuf)
{
	return user_regset_copyout(pos, count, kbuf, ubuf,
				   &target->thread.fpu,
				   0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
}

/*
 * Copy the floating-point context to the supplied NT_PRFPREG buffer,
 * CONFIG_CPU_HAS_MSA variant.  Only lower 64 bits of FP context's
 * general register slots are copied to buffer slots.  Only general
 * registers are copied.
 */
static int fpr_get_msa(struct task_struct *target,
		       unsigned int *pos, unsigned int *count,
		       void **kbuf, void __user **ubuf)
{
	unsigned int i;
	u64 fpr_val;
	int err;

	BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
	for (i = 0; i < NUM_FPU_REGS; i++) {
		fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
		err = user_regset_copyout(pos, count, kbuf, ubuf,
					  &fpr_val, i * sizeof(elf_fpreg_t),
					  (i + 1) * sizeof(elf_fpreg_t));
		if (err)
			return err;
	}

	return 0;
}

/*
 * Copy the floating-point context to the supplied NT_PRFPREG buffer.
 * Choose the appropriate helper for general registers, and then copy
 * the FCSR register separately.
 */
static int fpr_get(struct task_struct *target,
		   const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   void *kbuf, void __user *ubuf)
{
	unsigned i;
	const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
	int err;
	u64 fpr_val;

	/* XXX fcr31  */
	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
		err = fpr_get_fpa(target, &pos, &count, &kbuf, &ubuf);
	else
		err = fpr_get_msa(target, &pos, &count, &kbuf, &ubuf);
	if (err)
		return err;

	err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
				  &target->thread.fpu.fcr31,
				  fcr31_pos, fcr31_pos + sizeof(u32));

	if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
		return user_regset_copyout(&pos, &count, &kbuf, &ubuf,
	return err;
}

/*
 * Copy the supplied NT_PRFPREG buffer to the floating-point context,
 * !CONFIG_CPU_HAS_MSA variant.   Buffer slots correspond 1:1 to FP
 * context's general register slots.  Only general registers are copied.
 */
static int fpr_set_fpa(struct task_struct *target,
		       unsigned int *pos, unsigned int *count,
		       const void **kbuf, const void __user **ubuf)
{
	return user_regset_copyin(pos, count, kbuf, ubuf,
				  &target->thread.fpu,
					   0, sizeof(elf_fpregset_t));
				  0, NUM_FPU_REGS * sizeof(elf_fpreg_t));
}

	for (i = 0; i < NUM_FPU_REGS; i++) {
		fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);
		err = user_regset_copyout(&pos, &count, &kbuf, &ubuf,
/*
 * Copy the supplied NT_PRFPREG buffer to the floating-point context,
 * CONFIG_CPU_HAS_MSA variant.  Buffer slots are copied to lower 64
 * bits only of FP context's general register slots.  Only general
 * registers are copied.
 */
static int fpr_set_msa(struct task_struct *target,
		       unsigned int *pos, unsigned int *count,
		       const void **kbuf, const void __user **ubuf)
{
	unsigned int i;
	u64 fpr_val;
	int err;

	BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
	for (i = 0; i < NUM_FPU_REGS && *count > 0; i++) {
		err = user_regset_copyin(pos, count, kbuf, ubuf,
					 &fpr_val, i * sizeof(elf_fpreg_t),
					 (i + 1) * sizeof(elf_fpreg_t));
		if (err)
			return err;
		set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);
	}

	return 0;
}

/*
 * Copy the supplied NT_PRFPREG buffer to the floating-point context.
 * Choose the appropriate helper for general registers, and then copy
 * the FCSR register separately.
 *
 * We optimize for the case where `count % sizeof(elf_fpreg_t) == 0',
 * which is supposed to have been guaranteed by the kernel before
 * calling us, e.g. in `ptrace_regset'.  We enforce that requirement,
 * so that we can safely avoid preinitializing temporaries for
 * partial register writes.
 */
static int fpr_set(struct task_struct *target,
		   const struct user_regset *regset,
		   unsigned int pos, unsigned int count,
		   const void *kbuf, const void __user *ubuf)
{
	unsigned i;
	const int fcr31_pos = NUM_FPU_REGS * sizeof(elf_fpreg_t);
	u32 fcr31;
	int err;
	u64 fpr_val;

	/* XXX fcr31  */
	BUG_ON(count % sizeof(elf_fpreg_t));

	if (sizeof(target->thread.fpu.fpr[i]) == sizeof(elf_fpreg_t))
		return user_regset_copyin(&pos, &count, &kbuf, &ubuf,
					  &target->thread.fpu,
					  0, sizeof(elf_fpregset_t));
	if (pos + count > sizeof(elf_fpregset_t))
		return -EIO;

	BUILD_BUG_ON(sizeof(fpr_val) != sizeof(elf_fpreg_t));
	for (i = 0; i < NUM_FPU_REGS && count >= sizeof(elf_fpreg_t); i++) {
	if (sizeof(target->thread.fpu.fpr[0]) == sizeof(elf_fpreg_t))
		err = fpr_set_fpa(target, &pos, &count, &kbuf, &ubuf);
	else
		err = fpr_set_msa(target, &pos, &count, &kbuf, &ubuf);
	if (err)
		return err;

	if (count > 0) {
		err = user_regset_copyin(&pos, &count, &kbuf, &ubuf,
					 &fpr_val, i * sizeof(elf_fpreg_t),
					 (i + 1) * sizeof(elf_fpreg_t));
					 &fcr31,
					 fcr31_pos, fcr31_pos + sizeof(u32));
		if (err)
			return err;
		set_fpr64(&target->thread.fpu.fpr[i], 0, fpr_val);

		target->thread.fpu.fcr31 = fcr31 & ~FPU_CSR_ALL_X;
	}

	return 0;
	return err;
}

enum mips_regset {
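Review bot: `BUG_ON(count % sizeof(elf_fpreg_t));` in fpr_set() turns a broken caller contract into a kernel crash on a path reached from ptrace, although the function's own comment says the alignment is only "supposed to have been guaranteed" by the caller. Returning an error gives the same protection against partial register writes without the crash, e.g. `if (count % sizeof(elf_fpreg_t)) return -EIO;`, matching the `-EIO` used by the size check just below it. The guard also looks only at `count`: fpr_set_msa() calls set_fpr64() with `fpr_val` after every copy-in, so if user_regset_copyin() skips or only partly fills a slot for a nonzero `pos` (its body is not on this page, so this is an inference), uninitialised stack bytes would reach the tracee's FP context; reading the current value first, `fpr_val = get_fpr64(&target->thread.fpu.fpr[i], 0);`, would close that. This section prints old and new lines interleaved without markers, so which lines belong to the new side is inferred from the helper comments.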
+37 −23
@@ -308,13 +308,12 @@ acpi_parse_lapic_nmi(struct acpi_subtable_header * header, const unsigned long e
#ifdef CONFIG_X86_IO_APIC
#define MP_ISA_BUS		0

static int __init mp_register_ioapic_irq(u8 bus_irq, u8 polarity,
						u8 trigger, u32 gsi);

static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
					  u32 gsi)
{
	int ioapic;
	int pin;
	struct mpc_intsrc mp_irq;

	/*
	 * Check bus_irq boundary.
	 */
@@ -323,14 +322,6 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
		return;
	}

	/*
	 * Convert 'gsi' to 'ioapic.pin'.
	 */
	ioapic = mp_find_ioapic(gsi);
	if (ioapic < 0)
		return;
	pin = mp_find_ioapic_pin(ioapic, gsi);

	/*
	 * TBD: This check is for faulty timer entries, where the override
	 *      erroneously sets the trigger to level, resulting in a HUGE
@@ -339,16 +330,8 @@ static void __init mp_override_legacy_irq(u8 bus_irq, u8 polarity, u8 trigger,
	if ((bus_irq == 0) && (trigger == 3))
		trigger = 1;

	mp_irq.type = MP_INTSRC;
	mp_irq.irqtype = mp_INT;
	mp_irq.irqflag = (trigger << 2) | polarity;
	mp_irq.srcbus = MP_ISA_BUS;
	mp_irq.srcbusirq = bus_irq;	/* IRQ */
	mp_irq.dstapic = mpc_ioapic_id(ioapic); /* APIC ID */
	mp_irq.dstirq = pin;	/* INTIN# */

	mp_save_irq(&mp_irq);

	if (mp_register_ioapic_irq(bus_irq, polarity, trigger, gsi) < 0)
		return;
	/*
	 * Reset default identity mapping if gsi is also an legacy IRQ,
	 * otherwise there will be more than one entry with the same GSI
@@ -445,6 +428,34 @@ static struct irq_domain_ops acpi_irqdomain_ops = {
	.unmap = mp_irqdomain_unmap,
};

static int __init mp_register_ioapic_irq(u8 bus_irq, u8 polarity,
						u8 trigger, u32 gsi)
{
	struct mpc_intsrc mp_irq;
	int ioapic, pin;

	/* Convert 'gsi' to 'ioapic.pin'(INTIN#) */
	ioapic = mp_find_ioapic(gsi);
	if (ioapic < 0) {
		pr_warn("Failed to find ioapic for gsi : %u\n", gsi);
		return ioapic;
	}

	pin = mp_find_ioapic_pin(ioapic, gsi);

	mp_irq.type = MP_INTSRC;
	mp_irq.irqtype = mp_INT;
	mp_irq.irqflag = (trigger << 2) | polarity;
	mp_irq.srcbus = MP_ISA_BUS;
	mp_irq.srcbusirq = bus_irq;
	mp_irq.dstapic = mpc_ioapic_id(ioapic);
	mp_irq.dstirq = pin;

	mp_save_irq(&mp_irq);

	return 0;
}

static int __init
acpi_parse_ioapic(struct acpi_subtable_header * header, const unsigned long end)
{
@@ -489,7 +500,10 @@ static void __init acpi_sci_ioapic_setup(u8 bus_irq, u16 polarity, u16 trigger,
	if (acpi_sci_flags & ACPI_MADT_POLARITY_MASK)
		polarity = acpi_sci_flags & ACPI_MADT_POLARITY_MASK;

	if (bus_irq < NR_IRQS_LEGACY)
		mp_override_legacy_irq(bus_irq, polarity, trigger, gsi);
	else
		mp_register_ioapic_irq(bus_irq, polarity, trigger, gsi);

	/*
	 * stash over-ride to indicate we've been here
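Review bot: In acpi_sci_ioapic_setup() the new `else` branch drops the return value of `mp_register_ioapic_irq()`, whereas mp_override_legacy_irq() tests it and returns on `< 0`. When mp_find_ioapic() fails for an SCI above the legacy range, only the pr_warn records it and execution continues into the "stash over-ride" code that follows, whose body is outside the hunk. If continuing is intended, say so with a comment such as `/* best effort: a failed lookup is only logged */`; otherwise test the result, `else if (mp_register_ioapic_irq(bus_irq, polarity, trigger, gsi) < 0) return;`. The new helper also has no header comment stating that it returns 0 on success or the negative value from mp_find_ioapic().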
+11 −2
@@ -271,8 +271,17 @@ static bool is_blacklisted(unsigned int cpu)
{
	struct cpuinfo_x86 *c = &cpu_data(cpu);

	if (c->x86 == 6 && c->x86_model == 79) {
		pr_err_once("late loading on model 79 is disabled.\n");
	/*
	 * Late loading on model 79 with microcode revision less than 0x0b000021
	 * may result in a system hang. This behavior is documented in item
	 * BDF90, #334165 (Intel Xeon Processor E7-8800/4800 v4 Product Family).
	 */
	if (c->x86 == 6 &&
	    c->x86_model == 79 &&
	    c->x86_mask == 0x01 &&
	    c->microcode < 0x0b000021) {
		pr_err_once("Erratum BDF90: late loading with revision < 0x0b000021 (0x%x) disabled.\n", c->microcode);
		pr_err_once("Please consider either early loading through initrd/built-in or a potential BIOS update.\n");
		return true;
	}
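Review bot: The revision threshold `0x0b000021` is now written three times in is_blacklisted(): in the comment, in the comparison `c->microcode < 0x0b000021`, and inside the first pr_err_once() format string. A later change to the threshold can easily leave the log message stale. A named constant used in the comparison and passed to the message as an argument would keep them together, for example `#define BDW_LATE_LOAD_MIN_REV 0x0b000021` (the name is only a suggestion) with `"... revision < 0x%x (0x%x) disabled.\n", BDW_LATE_LOAD_MIN_REV, c->microcode`. The body of is_blacklisted() continues outside the hunk.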

+19 −0
@@ -3945,6 +3945,25 @@ static void svm_vcpu_run(struct kvm_vcpu *vcpu)
		"mov %%r13, %c[r13](%[svm]) \n\t"
		"mov %%r14, %c[r14](%[svm]) \n\t"
		"mov %%r15, %c[r15](%[svm]) \n\t"
#endif
		/*
		* Clear host registers marked as clobbered to prevent
		* speculative use.
		*/
		"xor %%" _ASM_BX ", %%" _ASM_BX " \n\t"
		"xor %%" _ASM_CX ", %%" _ASM_CX " \n\t"
		"xor %%" _ASM_DX ", %%" _ASM_DX " \n\t"
		"xor %%" _ASM_SI ", %%" _ASM_SI " \n\t"
		"xor %%" _ASM_DI ", %%" _ASM_DI " \n\t"
#ifdef CONFIG_X86_64
		"xor %%r8, %%r8 \n\t"
		"xor %%r9, %%r9 \n\t"
		"xor %%r10, %%r10 \n\t"
		"xor %%r11, %%r11 \n\t"
		"xor %%r12, %%r12 \n\t"
		"xor %%r13, %%r13 \n\t"
		"xor %%r14, %%r14 \n\t"
		"xor %%r15, %%r15 \n\t"
#endif
		"pop %%" _ASM_BP
		:
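Review bot: The comment above the new `xor` block calls these "host registers", but at this point they presumably still hold the guest's values, which the preceding `mov` lines have just saved into the svm structure; that is the reason they need clearing. I would reword it to something like `/* Clear guest values left in the clobbered GPRs so that host code cannot consume them speculatively. */` and align the continuation asterisks (` *` rather than `*`). The set of cleared registers has to match the asm clobber list, which lies outside this hunk, so a short `keep in sync with the clobber list` remark in the same comment would help the next editor. svm_vcpu_run() starts and ends outside the hunk.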