1 files changed, 72 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch
new file mode 100644
index 00000000..51b2063d
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch
@@ -0,0 +1,72 @@
+From 3f3c533087d18cd75fbd23caa35032b3cec80ea8 Mon Sep 17 00:00:00 2001
+From: Heiko Carstens <heiko.carstens@de.ibm.com>
+Date: Fri, 27 Jul 2012 09:45:39 +0200
+Subject: [PATCH 39/70] s390/mm: fix fault handling for page table walk case
+commit 008c2e8f247f0a8db1e8e26139da12f3a3abcda0 upstream.
+Make sure the kernel does not incorrectly create a SIGBUS signal during
+user space accesses:
+For user space accesses in the switched addressing mode case the kernel
+may walk page tables and access user address space via the kernel
+mapping. If a page table entry is invalid the function __handle_fault()
+gets called in order to emulate a page fault and trigger all the usual
+actions like paging in a missing page etc. by calling handle_mm_fault().
+If handle_mm_fault() returns with an error fixup handling is necessary.
+For the switched addressing mode case all errors need to be mapped to
+-EFAULT, so that the calling uaccess function can return -EFAULT to
+user space.
+Unfortunately the __handle_fault() incorrectly calls do_sigbus() if
+VM_FAULT_SIGBUS is set. This however should only happen if a page fault
+was triggered by a user space instruction. For kernel mode uaccesses
+the correct action is to only return -EFAULT.
+So user space may incorrectly see SIGBUS signals because of this bug.
+For current machines this would only be possible for the switched
+addressing mode case in conjunction with futex operations.
+Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
+Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
+[bwh: Backported to 3.2: do_exception() and do_sigbus() parameters differ]
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+---
+ arch/s390/mm/fault.c |   13 +++++++------
+ 1 files changed, 7 insertions(+), 6 deletions(-)
+diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
+index b28aaa4..0fc0a7e 100644
+--- a/arch/s390/mm/fault.c
+++ b/arch/s390/mm/fault.c
+@@ -453,6 +453,7 @@ int __handle_fault(unsigned long uaddr, unsigned long pgm_int_code, int write)
+        struct pt_regs regs;
+        int access, fault;
+ 
+       /* Emulate a uaccess fault from kernel mode. */
+        regs.psw.mask = psw_kernel_bits | PSW_MASK_DAT | PSW_MASK_MCHECK;
+        if (!irqs_disabled())
+                regs.psw.mask |= PSW_MASK_IO | PSW_MASK_EXT;
+@@ -461,12 +462,12 @@ int __handle_fault(unsigned long uaddr, unsigned long pgm_int_code, int write)
+        uaddr &= PAGE_MASK;
+        access = write ? VM_WRITE : VM_READ;
+        fault = do_exception(&regs, access, uaddr | 2);
+-       if (unlikely(fault)) {
+-               if (fault & VM_FAULT_OOM)
+-                       return -EFAULT;
+-               else if (fault & VM_FAULT_SIGBUS)
+-                       do_sigbus(&regs, pgm_int_code, uaddr);
+-       }
+       /*
+        * Since the fault happened in kernel mode while performing a uaccess
+        * all we need to do now is emulating a fixup in case "fault" is not
+        * zero.
+        * For the calling uaccess functions this results always in -EFAULT.
+        */
+        return fault ? -EFAULT : 0;
+ }
+ 
+-- 
+1.7.7.6

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch new file mode 100644 index 00000000..51b2063d --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.27/0039-s390-mm-fix-fault-handling-for-page-table-walk-case.patch
@@ -0,0 +1,72 @@
	1	From 3f3c533087d18cd75fbd23caa35032b3cec80ea8 Mon Sep 17 00:00:00 2001
	2	From: Heiko Carstens <heiko.carstens@de.ibm.com>
	3	Date: Fri, 27 Jul 2012 09:45:39 +0200
	4	Subject: [PATCH 39/70] s390/mm: fix fault handling for page table walk case
	5
	6	commit 008c2e8f247f0a8db1e8e26139da12f3a3abcda0 upstream.
	7
	8	Make sure the kernel does not incorrectly create a SIGBUS signal during
	9	user space accesses:
	10
	11	For user space accesses in the switched addressing mode case the kernel
	12	may walk page tables and access user address space via the kernel
	13	mapping. If a page table entry is invalid the function __handle_fault()
	14	gets called in order to emulate a page fault and trigger all the usual
	15	actions like paging in a missing page etc. by calling handle_mm_fault().
	16
	17	If handle_mm_fault() returns with an error fixup handling is necessary.
	18	For the switched addressing mode case all errors need to be mapped to
	19	-EFAULT, so that the calling uaccess function can return -EFAULT to
	20	user space.
	21
	22	Unfortunately the __handle_fault() incorrectly calls do_sigbus() if
	23	VM_FAULT_SIGBUS is set. This however should only happen if a page fault
	24	was triggered by a user space instruction. For kernel mode uaccesses
	25	the correct action is to only return -EFAULT.
	26	So user space may incorrectly see SIGBUS signals because of this bug.
	27
	28	For current machines this would only be possible for the switched
	29	addressing mode case in conjunction with futex operations.
	30
	31	Signed-off-by: Heiko Carstens <heiko.carstens@de.ibm.com>
	32	Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
	33	[bwh: Backported to 3.2: do_exception() and do_sigbus() parameters differ]
	34	Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
	35	---
	36	arch/s390/mm/fault.c \| 13 +++++++------
	37	1 files changed, 7 insertions(+), 6 deletions(-)
	38
	39	diff --git a/arch/s390/mm/fault.c b/arch/s390/mm/fault.c
	40	index b28aaa4..0fc0a7e 100644
	41	--- a/arch/s390/mm/fault.c
	42	+++ b/arch/s390/mm/fault.c
	43	@@ -453,6 +453,7 @@ int __handle_fault(unsigned long uaddr, unsigned long pgm_int_code, int write)
	44	struct pt_regs regs;
	45	int access, fault;
	46
	47	+ /* Emulate a uaccess fault from kernel mode. */
	48	regs.psw.mask = psw_kernel_bits \| PSW_MASK_DAT \| PSW_MASK_MCHECK;
	49	if (!irqs_disabled())
	50	regs.psw.mask \|= PSW_MASK_IO \| PSW_MASK_EXT;
	51	@@ -461,12 +462,12 @@ int __handle_fault(unsigned long uaddr, unsigned long pgm_int_code, int write)
	52	uaddr &= PAGE_MASK;
	53	access = write ? VM_WRITE : VM_READ;
	54	fault = do_exception(&regs, access, uaddr \| 2);
	55	- if (unlikely(fault)) {
	56	- if (fault & VM_FAULT_OOM)
	57	- return -EFAULT;
	58	- else if (fault & VM_FAULT_SIGBUS)
	59	- do_sigbus(&regs, pgm_int_code, uaddr);
	60	- }
	61	+ /*
	62	+ * Since the fault happened in kernel mode while performing a uaccess
	63	+ * all we need to do now is emulating a fixup in case "fault" is not
	64	+ * zero.
	65	+ * For the calling uaccess functions this results always in -EFAULT.
	66	+ */
	67	return fault ? -EFAULT : 0;
	68	}
	69
	70	--
	71	1.7.7.6
	72