From 63a2ed3ba5bca13db3029e6eb8aa0c35872b73b9 Mon Sep 17 00:00:00 2001 From: Koen Vandeputte Date: Tue, 15 Jan 2019 12:56:22 +0100 Subject: kernel: bump 4.9 to 4.9.150 Refreshed all patches. Remove upstreamed: - 096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch Altered patches: - 024-7-net-reorganize-struct-sock-for-better-data-locality.patch Compile-tested on: ar7 Runtime-tested on: none Signed-off-by: Koen Vandeputte --- ...nize-struct-sock-for-better-data-locality.patch | 13 +-- .../025-tcp-allow-drivers-to-tweak-TSQ-logic.patch | 4 +- .../090-net-generalize-napi_complete_done.patch | 4 +- ...Fix-missing-tunnel-encapsulation-limit-op.patch | 4 +- ...-Write-protect-delay-slot-emulation-pages.patch | 119 --------------------- ...rm-cns3xxx-use-actual-size-reads-for-PCIe.patch | 7 +- 6 files changed, 14 insertions(+), 137 deletions(-) delete mode 100644 target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch (limited to 'target/linux/generic/backport-4.9') diff --git a/target/linux/generic/backport-4.9/024-7-net-reorganize-struct-sock-for-better-data-locality.patch b/target/linux/generic/backport-4.9/024-7-net-reorganize-struct-sock-for-better-data-locality.patch index e8c1915e18..a43b4037fe 100644 --- a/target/linux/generic/backport-4.9/024-7-net-reorganize-struct-sock-for-better-data-locality.patch +++ b/target/linux/generic/backport-4.9/024-7-net-reorganize-struct-sock-for-better-data-locality.patch @@ -52,7 +52,7 @@ Signed-off-by: David S. Miller --- a/include/net/sock.h +++ b/include/net/sock.h -@@ -343,6 +343,9 @@ struct sock { +@@ -344,6 +344,9 @@ struct sock { #define sk_rxhash __sk_common.skc_rxhash socket_lock_t sk_lock; @@ -62,7 +62,7 @@ Signed-off-by: David S. Miller struct sk_buff_head sk_receive_queue; /* * The backlog queue is special, it is always used with -@@ -359,14 +362,13 @@ struct sock { +@@ -360,14 +363,13 @@ struct sock { struct sk_buff *tail; } sk_backlog; #define sk_rmem_alloc sk_backlog.rmem_alloc @@ -80,7 +80,7 @@ Signed-off-by: David S. Miller int sk_rcvbuf; struct sk_filter __rcu *sk_filter; -@@ -379,11 +381,30 @@ struct sock { +@@ -380,11 +382,30 @@ struct sock { #endif struct dst_entry *sk_rx_dst; struct dst_entry __rcu *sk_dst_cache; @@ -113,7 +113,7 @@ Signed-off-by: David S. Miller /* * Because of non atomicity rules, all -@@ -399,41 +420,23 @@ struct sock { +@@ -400,31 +421,17 @@ struct sock { #define SK_PROTOCOL_MAX U8_MAX kmemcheck_bitfield_end(flags); @@ -143,8 +143,9 @@ Signed-off-by: David S. Miller - long sk_sndtimeo; - struct timer_list sk_timer; ktime_t sk_stamp; - u16 sk_tsflags; - u8 sk_shutdown; + #if BITS_PER_LONG==32 + seqlock_t sk_stamp_seq; +@@ -434,10 +441,6 @@ struct sock { u32 sk_tskey; struct socket *sk_socket; void *sk_user_data; diff --git a/target/linux/generic/backport-4.9/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch b/target/linux/generic/backport-4.9/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch index be3140bb9c..bedb4b3729 100644 --- a/target/linux/generic/backport-4.9/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch +++ b/target/linux/generic/backport-4.9/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch @@ -44,7 +44,7 @@ Cc: Kir Kolyshkin * @sk_lingertime: %SO_LINGER l_linger setting * @sk_backlog: always used with the per-socket spinlock held * @sk_callback_lock: used with the callbacks in the end of this struct -@@ -421,6 +422,8 @@ struct sock { +@@ -422,6 +423,8 @@ struct sock { kmemcheck_bitfield_end(flags); u16 sk_gso_max_segs; @@ -55,7 +55,7 @@ Cc: Kir Kolyshkin rwlock_t sk_callback_lock; --- a/net/core/sock.c +++ b/net/core/sock.c -@@ -2475,6 +2475,7 @@ void sock_init_data(struct socket *sock, +@@ -2478,6 +2478,7 @@ void sock_init_data(struct socket *sock, sk->sk_max_pacing_rate = ~0U; sk->sk_pacing_rate = ~0U; diff --git a/target/linux/generic/backport-4.9/090-net-generalize-napi_complete_done.patch b/target/linux/generic/backport-4.9/090-net-generalize-napi_complete_done.patch index e54545f9d8..c05ba5d158 100644 --- a/target/linux/generic/backport-4.9/090-net-generalize-napi_complete_done.patch +++ b/target/linux/generic/backport-4.9/090-net-generalize-napi_complete_done.patch @@ -269,7 +269,7 @@ Signed-off-by: David S. Miller "NAPI Complete, did %d packets with budget %d\n", --- a/drivers/net/ethernet/apm/xgene/xgene_enet_main.c +++ b/drivers/net/ethernet/apm/xgene/xgene_enet_main.c -@@ -658,7 +658,7 @@ static int xgene_enet_napi(struct napi_s +@@ -655,7 +655,7 @@ static int xgene_enet_napi(struct napi_s processed = xgene_enet_process_ring(ring, budget); if (processed != budget) { @@ -701,7 +701,7 @@ Signed-off-by: David S. Miller --- a/drivers/net/ethernet/ibm/ibmveth.c +++ b/drivers/net/ethernet/ibm/ibmveth.c -@@ -1320,7 +1320,7 @@ restart_poll: +@@ -1324,7 +1324,7 @@ restart_poll: ibmveth_replenish_task(adapter); if (frames_processed < budget) { diff --git a/target/linux/generic/backport-4.9/094-v4.12-0001-ip6_tunnel-Fix-missing-tunnel-encapsulation-limit-op.patch b/target/linux/generic/backport-4.9/094-v4.12-0001-ip6_tunnel-Fix-missing-tunnel-encapsulation-limit-op.patch index 136fdf48d3..7c3c5608c5 100644 --- a/target/linux/generic/backport-4.9/094-v4.12-0001-ip6_tunnel-Fix-missing-tunnel-encapsulation-limit-op.patch +++ b/target/linux/generic/backport-4.9/094-v4.12-0001-ip6_tunnel-Fix-missing-tunnel-encapsulation-limit-op.patch @@ -30,7 +30,7 @@ Signed-off-by: David S. Miller --- a/net/ipv6/ip6_tunnel.c +++ b/net/ipv6/ip6_tunnel.c -@@ -957,7 +957,7 @@ static void init_tel_txopt(struct ipv6_t +@@ -958,7 +958,7 @@ static void init_tel_txopt(struct ipv6_t opt->dst_opt[5] = IPV6_TLV_PADN; opt->dst_opt[6] = 1; @@ -39,7 +39,7 @@ Signed-off-by: David S. Miller opt->ops.opt_nflen = 8; } -@@ -1199,7 +1199,7 @@ route_lookup: +@@ -1200,7 +1200,7 @@ route_lookup: if (encap_limit >= 0) { init_tel_txopt(&opt, encap_limit); diff --git a/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch b/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch deleted file mode 100644 index 69cc493bba..0000000000 --- a/target/linux/generic/backport-4.9/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch +++ /dev/null @@ -1,119 +0,0 @@ -From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001 -From: Paul Burton -Date: Thu, 20 Dec 2018 17:45:43 +0000 -Subject: MIPS: math-emu: Write-protect delay slot emulation pages - -Mapping the delay slot emulation page as both writeable & executable -presents a security risk, in that if an exploit can write to & jump into -the page then it can be used as an easy way to execute arbitrary code. - -Prevent this by mapping the page read-only for userland, and using -access_process_vm() with the FOLL_FORCE flag to write to it from -mips_dsemul(). - -This will likely be less efficient due to copy_to_user_page() performing -cache maintenance on a whole page, rather than a single line as in the -previous use of flush_cache_sigtramp(). However this delay slot -emulation code ought not to be running in any performance critical paths -anyway so this isn't really a problem, and we can probably do better in -copy_to_user_page() anyway in future. - -A major advantage of this approach is that the fix is small & simple to -backport to stable kernels. - -Reported-by: Andy Lutomirski -Signed-off-by: Paul Burton -Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions") -Cc: stable@vger.kernel.org # v4.8+ -Cc: linux-mips@vger.kernel.org -Cc: linux-kernel@vger.kernel.org -Cc: Rich Felker -Cc: David Daney ---- - arch/mips/kernel/vdso.c | 4 ++-- - arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------ - 2 files changed, 22 insertions(+), 20 deletions(-) - ---- a/arch/mips/kernel/vdso.c -+++ b/arch/mips/kernel/vdso.c -@@ -111,8 +111,8 @@ int arch_setup_additional_pages(struct l - - /* Map delay slot emulation page */ - base = mmap_region(NULL, STACK_TOP, PAGE_SIZE, -- VM_READ|VM_WRITE|VM_EXEC| -- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC, -+ VM_READ | VM_EXEC | -+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC, - 0); - if (IS_ERR_VALUE(base)) { - ret = base; ---- a/arch/mips/math-emu/dsemul.c -+++ b/arch/mips/math-emu/dsemul.c -@@ -211,8 +211,9 @@ int mips_dsemul(struct pt_regs *regs, mi - { - int isa16 = get_isa16_mode(regs->cp0_epc); - mips_instruction break_math; -- struct emuframe __user *fr; -- int err, fr_idx; -+ unsigned long fr_uaddr; -+ struct emuframe fr; -+ int fr_idx, ret; - - /* NOP is easy */ - if (ir == 0) -@@ -247,27 +248,31 @@ int mips_dsemul(struct pt_regs *regs, mi - fr_idx = alloc_emuframe(); - if (fr_idx == BD_EMUFRAME_NONE) - return SIGBUS; -- fr = &dsemul_page()[fr_idx]; - - /* Retrieve the appropriately encoded break instruction */ - break_math = BREAK_MATH(isa16); - - /* Write the instructions to the frame */ - if (isa16) { -- err = __put_user(ir >> 16, -- (u16 __user *)(&fr->emul)); -- err |= __put_user(ir & 0xffff, -- (u16 __user *)((long)(&fr->emul) + 2)); -- err |= __put_user(break_math >> 16, -- (u16 __user *)(&fr->badinst)); -- err |= __put_user(break_math & 0xffff, -- (u16 __user *)((long)(&fr->badinst) + 2)); -+ union mips_instruction _emul = { -+ .halfword = { ir >> 16, ir } -+ }; -+ union mips_instruction _badinst = { -+ .halfword = { break_math >> 16, break_math } -+ }; -+ -+ fr.emul = _emul.word; -+ fr.badinst = _badinst.word; - } else { -- err = __put_user(ir, &fr->emul); -- err |= __put_user(break_math, &fr->badinst); -+ fr.emul = ir; -+ fr.badinst = break_math; - } - -- if (unlikely(err)) { -+ /* Write the frame to user memory */ -+ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx]; -+ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr), -+ FOLL_FORCE | FOLL_WRITE); -+ if (unlikely(ret != sizeof(fr))) { - MIPS_FPU_EMU_INC_STATS(errors); - free_emuframe(fr_idx, current->mm); - return SIGBUS; -@@ -279,10 +284,7 @@ int mips_dsemul(struct pt_regs *regs, mi - atomic_set(¤t->thread.bd_emu_frame, fr_idx); - - /* Change user register context to execute the frame */ -- regs->cp0_epc = (unsigned long)&fr->emul | isa16; -- -- /* Ensure the icache observes our newly written frame */ -- flush_cache_sigtramp((unsigned long)&fr->emul); -+ regs->cp0_epc = fr_uaddr | isa16; - - return 0; - } diff --git a/target/linux/generic/backport-4.9/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch b/target/linux/generic/backport-4.9/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch index 44ca833705..2b3384391a 100644 --- a/target/linux/generic/backport-4.9/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch +++ b/target/linux/generic/backport-4.9/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch @@ -33,11 +33,9 @@ CC: stable@vger.kernel.org # v4.0+ arch/arm/mach-cns3xxx/pcie.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -diff --git a/arch/arm/mach-cns3xxx/pcie.c b/arch/arm/mach-cns3xxx/pcie.c -index 5e11ad3164e0..95a11d5b3587 100644 --- a/arch/arm/mach-cns3xxx/pcie.c +++ b/arch/arm/mach-cns3xxx/pcie.c -@@ -93,7 +93,7 @@ static int cns3xxx_pci_read_config(struct pci_bus *bus, unsigned int devfn, +@@ -93,7 +93,7 @@ static int cns3xxx_pci_read_config(struc u32 mask = (0x1ull << (size * 8)) - 1; int shift = (where % 4) * 8; @@ -46,6 +44,3 @@ index 5e11ad3164e0..95a11d5b3587 100644 if (ret == PCIBIOS_SUCCESSFUL && !bus->number && !devfn && (where & 0xffc) == PCI_CLASS_REVISION) --- -2.17.1 - -- cgit v1.2.3