aboutsummaryrefslogtreecommitdiffstats
path: root/target/linux/generic/backport-4.14
diff options
context:
space:
mode:
Diffstat (limited to 'target/linux/generic/backport-4.14')
-rw-r--r--target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch4
-rw-r--r--target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch119
-rw-r--r--target/linux/generic/backport-4.14/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch7
3 files changed, 3 insertions, 127 deletions
diff --git a/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch b/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
index 067481ba94..5639497926 100644
--- a/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
+++ b/target/linux/generic/backport-4.14/025-tcp-allow-drivers-to-tweak-TSQ-logic.patch
@@ -44,7 +44,7 @@ Cc: Kir Kolyshkin <kir@openvz.org>
* @sk_lingertime: %SO_LINGER l_linger setting
* @sk_backlog: always used with the per-socket spinlock held
* @sk_callback_lock: used with the callbacks in the end of this struct
-@@ -445,6 +446,8 @@ struct sock {
+@@ -446,6 +447,8 @@ struct sock {
sk_type : 16;
#define SK_PROTOCOL_MAX U8_MAX
u16 sk_gso_max_segs;
@@ -55,7 +55,7 @@ Cc: Kir Kolyshkin <kir@openvz.org>
rwlock_t sk_callback_lock;
--- a/net/core/sock.c
+++ b/net/core/sock.c
-@@ -2739,6 +2739,7 @@ void sock_init_data(struct socket *sock,
+@@ -2742,6 +2742,7 @@ void sock_init_data(struct socket *sock,
sk->sk_max_pacing_rate = ~0U;
sk->sk_pacing_rate = ~0U;
diff --git a/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch b/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
deleted file mode 100644
index f428285a64..0000000000
--- a/target/linux/generic/backport-4.14/096-mips-math-emu-Write-protect-delay-slot-emulation-pages.patch
+++ /dev/null
@@ -1,119 +0,0 @@
-From adcc81f148d733b7e8e641300c5590a2cdc13bf3 Mon Sep 17 00:00:00 2001
-From: Paul Burton <paul.burton@mips.com>
-Date: Thu, 20 Dec 2018 17:45:43 +0000
-Subject: MIPS: math-emu: Write-protect delay slot emulation pages
-
-Mapping the delay slot emulation page as both writeable & executable
-presents a security risk, in that if an exploit can write to & jump into
-the page then it can be used as an easy way to execute arbitrary code.
-
-Prevent this by mapping the page read-only for userland, and using
-access_process_vm() with the FOLL_FORCE flag to write to it from
-mips_dsemul().
-
-This will likely be less efficient due to copy_to_user_page() performing
-cache maintenance on a whole page, rather than a single line as in the
-previous use of flush_cache_sigtramp(). However this delay slot
-emulation code ought not to be running in any performance critical paths
-anyway so this isn't really a problem, and we can probably do better in
-copy_to_user_page() anyway in future.
-
-A major advantage of this approach is that the fix is small & simple to
-backport to stable kernels.
-
-Reported-by: Andy Lutomirski <luto@kernel.org>
-Signed-off-by: Paul Burton <paul.burton@mips.com>
-Fixes: 432c6bacbd0c ("MIPS: Use per-mm page to execute branch delay slot instructions")
-Cc: stable@vger.kernel.org # v4.8+
-Cc: linux-mips@vger.kernel.org
-Cc: linux-kernel@vger.kernel.org
-Cc: Rich Felker <dalias@libc.org>
-Cc: David Daney <david.daney@cavium.com>
----
- arch/mips/kernel/vdso.c | 4 ++--
- arch/mips/math-emu/dsemul.c | 38 ++++++++++++++++++++------------------
- 2 files changed, 22 insertions(+), 20 deletions(-)
-
---- a/arch/mips/kernel/vdso.c
-+++ b/arch/mips/kernel/vdso.c
-@@ -126,8 +126,8 @@ int arch_setup_additional_pages(struct l
-
- /* Map delay slot emulation page */
- base = mmap_region(NULL, STACK_TOP, PAGE_SIZE,
-- VM_READ|VM_WRITE|VM_EXEC|
-- VM_MAYREAD|VM_MAYWRITE|VM_MAYEXEC,
-+ VM_READ | VM_EXEC |
-+ VM_MAYREAD | VM_MAYWRITE | VM_MAYEXEC,
- 0, NULL);
- if (IS_ERR_VALUE(base)) {
- ret = base;
---- a/arch/mips/math-emu/dsemul.c
-+++ b/arch/mips/math-emu/dsemul.c
-@@ -214,8 +214,9 @@ int mips_dsemul(struct pt_regs *regs, mi
- {
- int isa16 = get_isa16_mode(regs->cp0_epc);
- mips_instruction break_math;
-- struct emuframe __user *fr;
-- int err, fr_idx;
-+ unsigned long fr_uaddr;
-+ struct emuframe fr;
-+ int fr_idx, ret;
-
- /* NOP is easy */
- if (ir == 0)
-@@ -250,27 +251,31 @@ int mips_dsemul(struct pt_regs *regs, mi
- fr_idx = alloc_emuframe();
- if (fr_idx == BD_EMUFRAME_NONE)
- return SIGBUS;
-- fr = &dsemul_page()[fr_idx];
-
- /* Retrieve the appropriately encoded break instruction */
- break_math = BREAK_MATH(isa16);
-
- /* Write the instructions to the frame */
- if (isa16) {
-- err = __put_user(ir >> 16,
-- (u16 __user *)(&fr->emul));
-- err |= __put_user(ir & 0xffff,
-- (u16 __user *)((long)(&fr->emul) + 2));
-- err |= __put_user(break_math >> 16,
-- (u16 __user *)(&fr->badinst));
-- err |= __put_user(break_math & 0xffff,
-- (u16 __user *)((long)(&fr->badinst) + 2));
-+ union mips_instruction _emul = {
-+ .halfword = { ir >> 16, ir }
-+ };
-+ union mips_instruction _badinst = {
-+ .halfword = { break_math >> 16, break_math }
-+ };
-+
-+ fr.emul = _emul.word;
-+ fr.badinst = _badinst.word;
- } else {
-- err = __put_user(ir, &fr->emul);
-- err |= __put_user(break_math, &fr->badinst);
-+ fr.emul = ir;
-+ fr.badinst = break_math;
- }
-
-- if (unlikely(err)) {
-+ /* Write the frame to user memory */
-+ fr_uaddr = (unsigned long)&dsemul_page()[fr_idx];
-+ ret = access_process_vm(current, fr_uaddr, &fr, sizeof(fr),
-+ FOLL_FORCE | FOLL_WRITE);
-+ if (unlikely(ret != sizeof(fr))) {
- MIPS_FPU_EMU_INC_STATS(errors);
- free_emuframe(fr_idx, current->mm);
- return SIGBUS;
-@@ -282,10 +287,7 @@ int mips_dsemul(struct pt_regs *regs, mi
- atomic_set(&current->thread.bd_emu_frame, fr_idx);
-
- /* Change user register context to execute the frame */
-- regs->cp0_epc = (unsigned long)&fr->emul | isa16;
--
-- /* Ensure the icache observes our newly written frame */
-- flush_cache_sigtramp((unsigned long)&fr->emul);
-+ regs->cp0_epc = fr_uaddr | isa16;
-
- return 0;
- }
diff --git a/target/linux/generic/backport-4.14/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch b/target/linux/generic/backport-4.14/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch
index 44ca833705..2b3384391a 100644
--- a/target/linux/generic/backport-4.14/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch
+++ b/target/linux/generic/backport-4.14/101-arm-cns3xxx-use-actual-size-reads-for-PCIe.patch
@@ -33,11 +33,9 @@ CC: stable@vger.kernel.org # v4.0+
arch/arm/mach-cns3xxx/pcie.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
-diff --git a/arch/arm/mach-cns3xxx/pcie.c b/arch/arm/mach-cns3xxx/pcie.c
-index 5e11ad3164e0..95a11d5b3587 100644
--- a/arch/arm/mach-cns3xxx/pcie.c
+++ b/arch/arm/mach-cns3xxx/pcie.c
-@@ -93,7 +93,7 @@ static int cns3xxx_pci_read_config(struct pci_bus *bus, unsigned int devfn,
+@@ -93,7 +93,7 @@ static int cns3xxx_pci_read_config(struc
u32 mask = (0x1ull << (size * 8)) - 1;
int shift = (where % 4) * 8;
@@ -46,6 +44,3 @@ index 5e11ad3164e0..95a11d5b3587 100644
if (ret == PCIBIOS_SUCCESSFUL && !bus->number && !devfn &&
(where & 0xffc) == PCI_CLASS_REVISION)
---
-2.17.1
-