<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-stable.git/drivers/misc/genwqe, branch linux-3.18.y</title>
<subtitle>Linux kernel stable tree</subtitle>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/'/>
<entry>
<title>genwqe: Fix size check</title>
<updated>2019-01-13T09:07:12+00:00</updated>
<author>
<name>Christian Borntraeger</name>
<email>borntraeger@de.ibm.com</email>
</author>
<published>2018-12-12T13:45:18+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=6ca24838257befa3879e43b2607dd8ee7a9c2cc4'/>
<id>6ca24838257befa3879e43b2607dd8ee7a9c2cc4</id>
<content type='text'>
commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream.

Calling the test program genwqe_cksum with the default buffer size of
2MB triggers the following kernel warning on s390:

WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0
CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1
task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000
Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0)
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009
           0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0
           0000000000000000 0000000000b70500 0000000000000001 0000000000000000
           0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0
Krnl Code: 000000000027809e: de7195001000	ed	1280(114,%r9),0(%r1)
	   00000000002780a4: a774fead		brc	7,277dfe
	  #00000000002780a8: a7f40001		brc	15,2780aa
	  &gt;00000000002780ac: 92011000		mvi	0(%r1),1
	   00000000002780b0: a7f4fea7		brc	15,277dfe
	   00000000002780b4: 9101c6b6		tm	1718(%r12),1
	   00000000002780b8: a784ff3a		brc	8,277f2c
	   00000000002780bc: a7f4fe2e		brc	15,277d18
Call Trace:
([&lt;0000000000277df2&gt;] __alloc_pages_nodemask+0x1a2/0xbe0)
 [&lt;000000000013afae&gt;] s390_dma_alloc+0xfe/0x310
 [&lt;000003ff8065f362&gt;] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card]
 [&lt;000003ff80658f7a&gt;] genwqe_mmap+0xca/0x248 [genwqe_card]
 [&lt;00000000002b2712&gt;] mmap_region+0x4e2/0x778
 [&lt;00000000002b2c54&gt;] do_mmap+0x2ac/0x3e0
 [&lt;0000000000292d7e&gt;] vm_mmap_pgoff+0xd6/0x118
 [&lt;00000000002b081c&gt;] SyS_mmap_pgoff+0xdc/0x268
 [&lt;00000000002b0a34&gt;] SyS_old_mmap+0x8c/0xb0
 [&lt;000000000074e518&gt;] sysc_tracego+0x14/0x1e
 [&lt;000003ffacf87dc6&gt;] 0x3ffacf87dc6

turns out the check in __genwqe_alloc_consistent uses "&gt; MAX_ORDER"
while the mm code uses "&gt;= MAX_ORDER". Fix genwqe.

Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit fdd669684655c07dacbdb0d753fd13833de69a33 upstream.

Calling the test program genwqe_cksum with the default buffer size of
2MB triggers the following kernel warning on s390:

WARNING: CPU: 30 PID: 9311 at mm/page_alloc.c:3189 __alloc_pages_nodemask+0x45c/0xbe0
CPU: 30 PID: 9311 Comm: genwqe_cksum Kdump: loaded Not tainted 3.10.0-957.el7.s390x #1
task: 00000005e5d13980 ti: 00000005e7c6c000 task.ti: 00000005e7c6c000
Krnl PSW : 0704c00180000000 00000000002780ac (__alloc_pages_nodemask+0x45c/0xbe0)
           R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000002932b8 0000000000b73d7c 0000000000000010 0000000000000009
           0000000000000041 00000005e7c6f9b8 0000000000000001 00000000000080d0
           0000000000000000 0000000000b70500 0000000000000001 0000000000000000
           0000000000b70528 00000000007682c0 0000000000277df2 00000005e7c6f9a0
Krnl Code: 000000000027809e: de7195001000	ed	1280(114,%r9),0(%r1)
	   00000000002780a4: a774fead		brc	7,277dfe
	  #00000000002780a8: a7f40001		brc	15,2780aa
	  &gt;00000000002780ac: 92011000		mvi	0(%r1),1
	   00000000002780b0: a7f4fea7		brc	15,277dfe
	   00000000002780b4: 9101c6b6		tm	1718(%r12),1
	   00000000002780b8: a784ff3a		brc	8,277f2c
	   00000000002780bc: a7f4fe2e		brc	15,277d18
Call Trace:
([&lt;0000000000277df2&gt;] __alloc_pages_nodemask+0x1a2/0xbe0)
 [&lt;000000000013afae&gt;] s390_dma_alloc+0xfe/0x310
 [&lt;000003ff8065f362&gt;] __genwqe_alloc_consistent+0xfa/0x148 [genwqe_card]
 [&lt;000003ff80658f7a&gt;] genwqe_mmap+0xca/0x248 [genwqe_card]
 [&lt;00000000002b2712&gt;] mmap_region+0x4e2/0x778
 [&lt;00000000002b2c54&gt;] do_mmap+0x2ac/0x3e0
 [&lt;0000000000292d7e&gt;] vm_mmap_pgoff+0xd6/0x118
 [&lt;00000000002b081c&gt;] SyS_mmap_pgoff+0xdc/0x268
 [&lt;00000000002b0a34&gt;] SyS_old_mmap+0x8c/0xb0
 [&lt;000000000074e518&gt;] sysc_tracego+0x14/0x1e
 [&lt;000003ffacf87dc6&gt;] 0x3ffacf87dc6

turns out the check in __genwqe_alloc_consistent uses "&gt; MAX_ORDER"
while the mm code uses "&gt;= MAX_ORDER". Fix genwqe.

Cc: stable@vger.kernel.org
Signed-off-by: Christian Borntraeger &lt;borntraeger@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>signal/GenWQE: Fix sending of SIGKILL</title>
<updated>2018-11-22T06:32:43+00:00</updated>
<author>
<name>Eric W. Biederman</name>
<email>ebiederm@xmission.com</email>
</author>
<published>2018-09-13T09:28:01+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d4e37066b0451df3eabd2a1b1ec64940b1f6d612'/>
<id>d4e37066b0451df3eabd2a1b1ec64940b1f6d612</id>
<content type='text'>
commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genweq_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the the thread that opened the file will be in
existence when the process terminates.   Neither of which are
guaranteed to be true.

Therefore replace caching the task_struct of the opener with
pid of the openers thread group id.  All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
signal argument, update it's ownly caller, and use kill_pid
instead of force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling syncrhonous
exceptions.

It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible user after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Cc: Joerg-Stephan Vogt &lt;jsvogt@de.ibm.com&gt;
Cc: Michael Jung &lt;mijung@gmx.net&gt;
Cc: Michael Ruettger &lt;michael@ibmra.de&gt;
Cc: Kleber Sacilotto de Souza &lt;klebers@linux.vnet.ibm.com&gt;
Cc: Sebastian Ott &lt;sebott@linux.vnet.ibm.com&gt;
Cc: Eberhard S. Amann &lt;esa@linux.vnet.ibm.com&gt;
Cc: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Cc: Guilherme G. Piccoli &lt;gpiccoli@linux.vnet.ibm.com&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit 0ab93e9c99f8208c0a1a7b7170c827936268c996 upstream.

The genweq_add_file and genwqe_del_file by caching current without
using reference counting embed the assumption that a file descriptor
will never be passed from one process to another.  It even embeds the
assumption that the the thread that opened the file will be in
existence when the process terminates.   Neither of which are
guaranteed to be true.

Therefore replace caching the task_struct of the opener with
pid of the openers thread group id.  All the knowledge of the
opener is used for is as the target of SIGKILL and a SIGKILL
will kill the entire process group.

Rename genwqe_force_sig to genwqe_terminate, remove it's unncessary
signal argument, update it's ownly caller, and use kill_pid
instead of force_sig.

The work force_sig does in changing signal handling state is not
relevant to SIGKILL sent as SEND_SIG_PRIV.  The exact same processess
will be killed just with less work, and less confusion.  The work done
by force_sig is really only needed for handling syncrhonous
exceptions.

It will still be possible to cause genwqe_device_remove to wait
8 seconds by passing a file descriptor to another process but
the possible user after free is fixed.

Fixes: eaf4722d4645 ("GenWQE Character device and DDCB queue")
Cc: stable@vger.kernel.org
Cc: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Cc: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Cc: Joerg-Stephan Vogt &lt;jsvogt@de.ibm.com&gt;
Cc: Michael Jung &lt;mijung@gmx.net&gt;
Cc: Michael Ruettger &lt;michael@ibmra.de&gt;
Cc: Kleber Sacilotto de Souza &lt;klebers@linux.vnet.ibm.com&gt;
Cc: Sebastian Ott &lt;sebott@linux.vnet.ibm.com&gt;
Cc: Eberhard S. Amann &lt;esa@linux.vnet.ibm.com&gt;
Cc: Gabriel Krisman Bertazi &lt;krisman@linux.vnet.ibm.com&gt;
Cc: Guilherme G. Piccoli &lt;gpiccoli@linux.vnet.ibm.com&gt;
Signed-off-by: "Eric W. Biederman" &lt;ebiederm@xmission.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Fix bad page access during abort of resource allocation</title>
<updated>2016-11-24T03:56:30+00:00</updated>
<author>
<name>Gerald Schaefer</name>
<email>gerald.schaefer@de.ibm.com</email>
</author>
<published>2016-10-19T10:29:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=7d9ad295527ff08a9f44aa71e2d77a84f57efcd1'/>
<id>7d9ad295527ff08a9f44aa71e2d77a84f57efcd1</id>
<content type='text'>
[ Upstream commit a7a7aeefbca2982586ba2c9fd7739b96416a6d1d ]

When interrupting an application which was allocating DMAable
memory, it was possible, that the DMA memory was deallocated
twice, leading to the error symptoms below.

Thanks to Gerald, who analyzed the problem and provided this
patch.

I agree with his analysis of the problem: ddcb_cmd_fixups() -&gt;
genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl-&gt;sgl != NULL
and f/lpage maybe also != NULL) -&gt; ddcb_cmd_cleanup() -&gt;
genwqe_free_sync_sgl() (double free, because sgl-&gt;sgl != NULL and
f/lpage maybe also != NULL)

In this scenario we would have exactly the kind of double free that
would explain the WARNING / Bad page state, and as expected it is
caused by broken error handling (cleanup).

Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
the "Bad page state" issue, and with the patch on top he could not reproduce
it any more.

------------[ cut here ]------------
WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
           0000000000000400 0000000000001fff 0000000000000400 0000000116853000
           07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
           0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
           000000000015633e: a774ffc3           brc     7,1562c4
          #0000000000156342: a7f40001           brc     15,156344
          &gt;0000000000156346: 92011000           mvi     0(%r1),1
           000000000015634a: a7f4ffbd           brc     15,1562c4
           000000000015634e: 0707               bcr     0,%r7
           0000000000156350: c00400000000       brcl    0,156350
           0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
Call Trace:
([&lt;00000000001563e0&gt;] dma_update_trans+0x90/0x228)
 [&lt;00000000001565dc&gt;] s390_dma_unmap_pages+0x64/0x160
 [&lt;00000000001567c2&gt;] s390_dma_free+0x62/0x98
 [&lt;000003ff801310ce&gt;] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
 [&lt;000003ff801316d0&gt;] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
 [&lt;000003ff8012bd6e&gt;] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
 [&lt;000003ff8012c1c0&gt;] do_execute_ddcb+0x110/0x348 [genwqe_card]
 [&lt;000003ff8012c914&gt;] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
 [&lt;000000000032513a&gt;] do_vfs_ioctl+0x3b2/0x518
 [&lt;0000000000325344&gt;] SyS_ioctl+0xa4/0xb8
 [&lt;00000000007b86c6&gt;] system_call+0xd6/0x264
 [&lt;000003ff9e8e520a&gt;] 0x3ff9e8e520a
Last Breaking-Event-Address:
 [&lt;0000000000156342&gt;] dma_update_cpu_trans+0x9a/0xa8
---[ end trace 35996336235145c8 ]---
BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
flags: 0x3fffc0000000000()
page dumped because: nonzero _count

Signed-off-by: Gerald Schaefer &lt;gerald.schaefer@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit a7a7aeefbca2982586ba2c9fd7739b96416a6d1d ]

When interrupting an application which was allocating DMAable
memory, it was possible, that the DMA memory was deallocated
twice, leading to the error symptoms below.

Thanks to Gerald, who analyzed the problem and provided this
patch.

I agree with his analysis of the problem: ddcb_cmd_fixups() -&gt;
genwqe_alloc_sync_sgl() (fails in f/lpage, but sgl-&gt;sgl != NULL
and f/lpage maybe also != NULL) -&gt; ddcb_cmd_cleanup() -&gt;
genwqe_free_sync_sgl() (double free, because sgl-&gt;sgl != NULL and
f/lpage maybe also != NULL)

In this scenario we would have exactly the kind of double free that
would explain the WARNING / Bad page state, and as expected it is
caused by broken error handling (cleanup).

Using the Ubuntu git source, tag Ubuntu-4.4.0-33.52, he was able to reproduce
the "Bad page state" issue, and with the patch on top he could not reproduce
it any more.

------------[ cut here ]------------
WARNING: at /build/linux-o03cxz/linux-4.4.0/arch/s390/include/asm/pci_dma.h:141
Modules linked in: qeth_l2 ghash_s390 prng aes_s390 des_s390 des_generic sha512_s390 sha256_s390 sha1_s390 sha_common genwqe_card qeth crc_itu_t qdio ccwgroup vmur dm_multipath dasd_eckd_mod dasd_mod
CPU: 2 PID: 3293 Comm: genwqe_gunzip Not tainted 4.4.0-33-generic #52-Ubuntu
task: 0000000032c7e270 ti: 00000000324e4000 task.ti: 00000000324e4000
Krnl PSW : 0404c00180000000 0000000000156346 (dma_update_cpu_trans+0x9e/0xa8)
           R:0 T:1 IO:0 EX:0 Key:0 M:1 W:0 P:0 AS:3 CC:0 PM:0 EA:3
Krnl GPRS: 00000000324e7bcd 0000000000c3c34a 0000000027628298 000000003215b400
           0000000000000400 0000000000001fff 0000000000000400 0000000116853000
           07000000324e7b1e 0000000000000001 0000000000000001 0000000000000001
           0000000000001000 0000000116854000 0000000000156402 00000000324e7a38
Krnl Code: 000000000015633a: 95001000           cli     0(%r1),0
           000000000015633e: a774ffc3           brc     7,1562c4
          #0000000000156342: a7f40001           brc     15,156344
          &gt;0000000000156346: 92011000           mvi     0(%r1),1
           000000000015634a: a7f4ffbd           brc     15,1562c4
           000000000015634e: 0707               bcr     0,%r7
           0000000000156350: c00400000000       brcl    0,156350
           0000000000156356: eb7ff0500024       stmg    %r7,%r15,80(%r15)
Call Trace:
([&lt;00000000001563e0&gt;] dma_update_trans+0x90/0x228)
 [&lt;00000000001565dc&gt;] s390_dma_unmap_pages+0x64/0x160
 [&lt;00000000001567c2&gt;] s390_dma_free+0x62/0x98
 [&lt;000003ff801310ce&gt;] __genwqe_free_consistent+0x56/0x70 [genwqe_card]
 [&lt;000003ff801316d0&gt;] genwqe_free_sync_sgl+0xf8/0x160 [genwqe_card]
 [&lt;000003ff8012bd6e&gt;] ddcb_cmd_cleanup+0x86/0xa8 [genwqe_card]
 [&lt;000003ff8012c1c0&gt;] do_execute_ddcb+0x110/0x348 [genwqe_card]
 [&lt;000003ff8012c914&gt;] genwqe_ioctl+0x51c/0xc20 [genwqe_card]
 [&lt;000000000032513a&gt;] do_vfs_ioctl+0x3b2/0x518
 [&lt;0000000000325344&gt;] SyS_ioctl+0xa4/0xb8
 [&lt;00000000007b86c6&gt;] system_call+0xd6/0x264
 [&lt;000003ff9e8e520a&gt;] 0x3ff9e8e520a
Last Breaking-Event-Address:
 [&lt;0000000000156342&gt;] dma_update_cpu_trans+0x9a/0xa8
---[ end trace 35996336235145c8 ]---
BUG: Bad page state in process jbd2/dasdb1-8  pfn:3215b
page:000003d100c856c0 count:-1 mapcount:0 mapping:          (null) index:0x0
flags: 0x3fffc0000000000()
page dumped because: nonzero _count

Signed-off-by: Gerald Schaefer &lt;gerald.schaefer@de.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Cc: stable &lt;stable@vger.kernel.org&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
Signed-off-by: Sasha Levin &lt;alexander.levin@verizon.com&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>misc: genwqe: check for error from get_user_pages_fast()</title>
<updated>2015-01-16T14:59:50+00:00</updated>
<author>
<name>Ian Abbott</name>
<email>abbotti@mev.co.uk</email>
</author>
<published>2014-11-06T16:23:39+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1a5773af11ccd56972a5b764028646326bdc9799'/>
<id>1a5773af11ccd56972a5b764028646326bdc9799</id>
<content type='text'>
commit cf35d6e0475982667b0d2d318fb27be4b8849827 upstream.

`genwqe_user_vmap()` calls `get_user_pages_fast()` and if the return
value is less than the number of pages requested, it frees the pages and
returns an error (`-EFAULT`).  However, it fails to consider a negative
error return value from `get_user_pages_fast()`.  In that case, the test
`if (rc &lt; m-&gt;nr_pages)` will be false (due to promotion of `rc` to a
large `unsigned int`) and the code will continue on to call
`genwqe_map_pages()` with an invalid list of page pointers.  Fix it by
bailing out if `get_user_pages_fast()` returns a negative error value.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
commit cf35d6e0475982667b0d2d318fb27be4b8849827 upstream.

`genwqe_user_vmap()` calls `get_user_pages_fast()` and if the return
value is less than the number of pages requested, it frees the pages and
returns an error (`-EFAULT`).  However, it fails to consider a negative
error return value from `get_user_pages_fast()`.  In that case, the test
`if (rc &lt; m-&gt;nr_pages)` will be false (due to promotion of `rc` to a
large `unsigned int`) and the code will continue on to call
`genwqe_map_pages()` with an invalid list of page pointers.  Fix it by
bailing out if `get_user_pages_fast()` returns a negative error value.

Signed-off-by: Ian Abbott &lt;abbotti@mev.co.uk&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;

</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Support blocking when DDCB queue is busy</title>
<updated>2014-09-24T06:15:47+00:00</updated>
<author>
<name>Frank Haverkamp</name>
<email>haver@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:53+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=1451f414639465995dfc1f820aa1a64723cbd662'/>
<id>1451f414639465995dfc1f820aa1a64723cbd662</id>
<content type='text'>
When the GenWQE hardware queue was busy, the driver returned simply
-EBUSY. This caused polling by applications which increased the load
on the already busy system. This change implements the possiblity to
sleep on a waitqueue instead when the DDCB queue is busy. The
requestor is woken up when there is free space on the queue again.
The old way to get -EBUSY is still available if the device is openend
with O_NONBLOCKING. The default is now blocking behavior.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
When the GenWQE hardware queue was busy, the driver returned simply
-EBUSY. This caused polling by applications which increased the load
on the already busy system. This change implements the possiblity to
sleep on a waitqueue instead when the DDCB queue is busy. The
requestor is woken up when there is free space on the queue again.
The old way to get -EBUSY is still available if the device is openend
with O_NONBLOCKING. The default is now blocking behavior.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Fix problem when reading HSI and Retc</title>
<updated>2014-09-24T06:15:47+00:00</updated>
<author>
<name>Eberhard S. Amann</name>
<email>esa@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=08e4906cc29d092ae2da0ff089efe1488e584d3c'/>
<id>08e4906cc29d092ae2da0ff089efe1488e584d3c</id>
<content type='text'>
This patch fixes a problem we found during debug on PPC64 when
reading HSI status and Retc.

Signed-off-by: Eberhard S. Amann &lt;esa@linux.vnet.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
This patch fixes a problem we found during debug on PPC64 when
reading HSI status and Retc.

Signed-off-by: Eberhard S. Amann &lt;esa@linux.vnet.ibm.com&gt;
Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Fix checkpatch complaints</title>
<updated>2014-09-24T06:15:47+00:00</updated>
<author>
<name>Frank Haverkamp</name>
<email>haver@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=d9c11d45b33c9226abd50a50c87e19bfa7c7a2cb'/>
<id>d9c11d45b33c9226abd50a50c87e19bfa7c7a2cb</id>
<content type='text'>
The checkpatch.pl script got improved. I ran it on the latest GenWQE
sources and fixed what it complained about.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
The checkpatch.pl script got improved. I ran it on the latest GenWQE
sources and fixed what it complained about.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Check return code of pci_sriov_enable</title>
<updated>2014-09-24T06:15:46+00:00</updated>
<author>
<name>Frank Haverkamp</name>
<email>haver@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=bc407dd319bb8c3608369989d95b700d00e6cf43'/>
<id>bc407dd319bb8c3608369989d95b700d00e6cf43</id>
<content type='text'>
Forgetting to check this, can lead to problems on systems which
do not support SRIOV.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Forgetting to check this, can lead to problems on systems which
do not support SRIOV.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Do not modify return code of genwqe_set_interrupt_capability</title>
<updated>2014-09-24T06:15:46+00:00</updated>
<author>
<name>Frank Haverkamp</name>
<email>haver@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:49+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=2d880ccfa9be92a10ea19f5a8f7e4be2a7d45e4d'/>
<id>2d880ccfa9be92a10ea19f5a8f7e4be2a7d45e4d</id>
<content type='text'>
Follow up patch to the one from Sebastian Ott. There is no need to
change the return code once it fails. And Sebastians version is tested
now and works nicely on our test-system.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Follow up patch to the one from Sebastian Ott. There is no need to
change the return code once it fails. And Sebastians version is tested
now and works nicely on our test-system.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>GenWQE: Update author information</title>
<updated>2014-09-24T06:15:46+00:00</updated>
<author>
<name>Frank Haverkamp</name>
<email>haver@linux.vnet.ibm.com</email>
</author>
<published>2014-09-10T14:37:48+00:00</published>
<link rel='alternate' type='text/html' href='https://git.tavy.me/linux-stable.git/commit/?id=26d8f6f15112b8b0fbff360c360e8c42bf2bc370'/>
<id>26d8f6f15112b8b0fbff360c360e8c42bf2bc370</id>
<content type='text'>
Updated email address of co-author.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Michael Jung &lt;mijung@gmx.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
Updated email address of co-author.

Signed-off-by: Frank Haverkamp &lt;haver@linux.vnet.ibm.com&gt;
Signed-off-by: Michael Jung &lt;mijung@gmx.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
