3.14-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 Apr 2016 00:06:13 +0000 (17:06 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 28 Apr 2016 00:06:13 +0000 (17:06 -0700)
added patches:
arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
assoc_array-don-t-call-compare_object-on-a-node.patch
usb-hcd-out-of-bounds-access-in-for_each_companion.patch
usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch

queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch [new file with mode: 0644]
queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch [new file with mode: 0644]
queue-3.14/series
queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch [new file with mode: 0644]
queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch [new file with mode: 0644]

diff --git a/queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch b/queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
new file mode 100644 (file)
index 0000000..35cfa00
--- /dev/null
@@ -0,0 +1,56 @@
+From 3ca4a238106dedc285193ee47f494a6584b6fd2f Mon Sep 17 00:00:00 2001
+From: Lokesh Vutla <lokeshvutla@ti.com>
+Date: Sat, 26 Mar 2016 23:08:55 -0600
+Subject: ARM: OMAP2+: hwmod: Fix updating of sysconfig register
+
+From: Lokesh Vutla <lokeshvutla@ti.com>
+
+commit 3ca4a238106dedc285193ee47f494a6584b6fd2f upstream.
+
+Commit 127500ccb766f ("ARM: OMAP2+: Only write the sysconfig on idle
+when necessary") talks about verification of sysconfig cache value before
+updating it, only during idle path. But the patch is adding the
+verification in the enable path. So, adding the check in a proper place
+as per the commit description.
+
+Not keeping this check during enable path as there is a chance of losing
+context and it is safe to do on idle as the context of the register will
+never be lost while the device is active.
+
+Signed-off-by: Lokesh Vutla <lokeshvutla@ti.com>
+Acked-by: Tero Kristo <t-kristo@ti.com>
+Cc: Jon Hunter <jonathanh@nvidia.com>
+Fixes: commit 127500ccb766 "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
+[paul@pwsan.com: appears to have been caused by my own mismerge of the
+ originally posted patch]
+Signed-off-by: Paul Walmsley <paul@pwsan.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/mach-omap2/omap_hwmod.c |    8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -1439,9 +1439,7 @@ static void _enable_sysc(struct omap_hwm
+           (sf & SYSC_HAS_CLOCKACTIVITY))
+               _set_clockactivity(oh, oh->class->sysc->clockact, &v);
+-      /* If the cached value is the same as the new value, skip the write */
+-      if (oh->_sysc_cache != v)
+-              _write_sysconfig(v, oh);
++      _write_sysconfig(v, oh);
+       /*
+        * Set the autoidle bit only after setting the smartidle bit
+@@ -1504,7 +1502,9 @@ static void _idle_sysc(struct omap_hwmod
+               _set_master_standbymode(oh, idlemode, &v);
+       }
+-      _write_sysconfig(v, oh);
++      /* If the cached value is the same as the new value, skip the write */
++      if (oh->_sysc_cache != v)
++              _write_sysconfig(v, oh);
+ }
+ /**
diff --git a/queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch b/queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch
new file mode 100644 (file)
index 0000000..5e716a8
--- /dev/null
@@ -0,0 +1,112 @@
+From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand <jmarchan@redhat.com>
+Date: Wed, 6 Apr 2016 14:06:48 +0100
+Subject: assoc_array: don't call compare_object() on a node
+
+From: Jerome Marchand <jmarchan@redhat.com>
+
+commit 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 upstream.
+
+Changes since V1: fixed the description and added KASan warning.
+
+In assoc_array_insert_into_terminal_node(), we call the
+compare_object() method on all non-empty slots, even when they're
+not leaves, passing a pointer to an unexpected structure to
+compare_object(). Currently it causes an out-of-bound read access
+in keyring_compare_object detected by KASan (see below). The issue
+is easily reproduced with keyutils testsuite.
+Only call compare_object() when the slot is a leave.
+
+KASan warning:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
+Read of size 8 by task keyctl/1655
+=============================================================================
+BUG kmalloc-192 (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
+       ___slab_alloc+0x563/0x5c0
+       __slab_alloc+0x51/0x90
+       kmem_cache_alloc_trace+0x263/0x300
+       assoc_array_insert+0xfd0/0x3a60
+       __key_link_begin+0xfc/0x270
+       key_create_or_update+0x459/0xaf0
+       SyS_add_key+0x1ba/0x350
+       entry_SYSCALL_64_fastpath+0x12/0x76
+INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
+INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
+
+Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00  ...`............
+Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff  ...`.......`....
+Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
+CPU: 0 PID: 1655 Comm: keyctl Tainted: G    B           4.5.0-rc4-kasan+ #291
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
+ ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
+ ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
+Call Trace:
+ [<ffffffff81b60491>] dump_stack+0x85/0xc4
+ [<ffffffff815e2969>] print_trailer+0xf9/0x150
+ [<ffffffff815e9454>] object_err+0x34/0x40
+ [<ffffffff815ebe50>] kasan_report_error+0x230/0x550
+ [<ffffffff819949be>] ? keyring_get_key_chunk+0x13e/0x210
+ [<ffffffff815ec62d>] __asan_report_load_n_noabort+0x5d/0x70
+ [<ffffffff81994cc3>] ? keyring_compare_object+0x213/0x240
+ [<ffffffff81994cc3>] keyring_compare_object+0x213/0x240
+ [<ffffffff81bc238c>] assoc_array_insert+0x86c/0x3a60
+ [<ffffffff81bc1b20>] ? assoc_array_cancel_edit+0x70/0x70
+ [<ffffffff8199797d>] ? __key_link_begin+0x20d/0x270
+ [<ffffffff8199786c>] __key_link_begin+0xfc/0x270
+ [<ffffffff81993389>] key_create_or_update+0x459/0xaf0
+ [<ffffffff8128ce0d>] ? trace_hardirqs_on+0xd/0x10
+ [<ffffffff81992f30>] ? key_type_lookup+0xc0/0xc0
+ [<ffffffff8199e19d>] ? lookup_user_key+0x13d/0xcd0
+ [<ffffffff81534763>] ? memdup_user+0x53/0x80
+ [<ffffffff819983ea>] SyS_add_key+0x1ba/0x350
+ [<ffffffff81998230>] ? key_get_type_from_user.constprop.6+0xa0/0xa0
+ [<ffffffff828bcf4e>] ? retint_user+0x18/0x23
+ [<ffffffff8128cc7e>] ? trace_hardirqs_on_caller+0x3fe/0x580
+ [<ffffffff81004017>] ? trace_hardirqs_on_thunk+0x17/0x19
+ [<ffffffff828bc432>] entry_SYSCALL_64_fastpath+0x12/0x76
+Memory state around the buggy address:
+ ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+ ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
+>ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+                                        ^
+ ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: Jerome Marchand <jmarchan@redhat.com>
+Signed-off-by: David Howells <dhowells@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ lib/assoc_array.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -523,7 +523,9 @@ static bool assoc_array_insert_into_term
+                       free_slot = i;
+                       continue;
+               }
+-              if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) {
++              if (assoc_array_ptr_is_leaf(ptr) &&
++                  ops->compare_object(assoc_array_ptr_to_leaf(ptr),
++                                      index_key)) {
+                       pr_devel("replace in slot %d\n", i);
+                       edit->leaf_p = &node->slots[i];
+                       edit->dead_leaf = node->slots[i];
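Review bot: The new `assoc_array_ptr_is_leaf(ptr) &&` guard in `assoc_array_insert_into_terminal_node()` carries no comment, and nothing in the hunk tells a reader that a non-empty slot may hold a node pointer rather than a leaf. The KASAN report in the description shows the out-of-bounds read in `keyring_compare_object()` being reached from `SyS_add_key`, so the invariant is worth stating at the call site, e.g. `/* Slots may point to nodes; compare_object() must only ever be handed a leaf. */`. The loop and the function both extend outside the hunk, so whether other `compare_object()` call sites in this file apply the same leaf test cannot be confirmed from here and is worth checking when backporting.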
index b8885f4fcf042f858543769006a1628639c1a834..aec5c2fe2aefa7b18ef7012980b0639c11b7ca9b 100644 (file)
@@ -1,5 +1,4 @@
 arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
 assoc_array-don-t-call-compare_object-on-a-node.patch
-usb-host-xhci-plat-fix-cannot-work-if-r-car-gen2-3-run-on-above-4gb-phys.patch
 usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
 usb-hcd-out-of-bounds-access-in-for_each_companion.patch
diff --git a/queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch b/queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch
new file mode 100644 (file)
index 0000000..ceffdd6
--- /dev/null
@@ -0,0 +1,40 @@
+From e86103a75705c7c530768f4ffaba74cf382910f2 Mon Sep 17 00:00:00 2001
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Date: Thu, 24 Mar 2016 03:30:07 -0700
+Subject: usb: hcd: out of bounds access in for_each_companion
+
+From: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+
+commit e86103a75705c7c530768f4ffaba74cf382910f2 upstream.
+
+On BXT platform Host Controller and Device Controller figure as
+same PCI device but with different device function. HCD should
+not pass data to Device Controller but only to Host Controllers.
+Checking if companion device is Host Controller, otherwise skip.
+
+Signed-off-by: Robert Dobrowolski <robert.dobrowolski@linux.intel.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd-pci.c |    9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -74,6 +74,15 @@ static void for_each_companion(struct pc
+               if (companion->bus != pdev->bus ||
+                               PCI_SLOT(companion->devfn) != slot)
+                       continue;
++
++              /*
++               * Companion device should be either UHCI,OHCI or EHCI host
++               * controller, otherwise skip.
++               */
++              if (companion->class != CL_UHCI && companion->class != CL_OHCI &&
++                              companion->class != CL_EHCI)
++                      continue;
++
+               companion_hcd = pci_get_drvdata(companion);
+               if (!companion_hcd || !companion_hcd->self.root_hub)
+                       continue;
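Review bot: The added comment in `for_each_companion()` lists the accepted classes but not the reason, which is a memory-safety one: the result of `pci_get_drvdata(companion)` is dereferenced as a host-controller structure (`companion_hcd->self.root_hub`) immediately afterwards, and that is only meaningful when the sibling function is a host controller. I would reword it to `/* Only UHCI, OHCI or EHCI functions carry an HCD as drvdata; skip anything else (e.g. a device controller in the same slot). */`. The test also keys on the PCI class rather than on the driver that set the drvdata, so it presumably still assumes that a UHCI/OHCI/EHCI-class function is bound to a USB host driver; that assumption is worth confirming. The function body extends outside the hunk.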
diff --git a/queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch b/queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
new file mode 100644 (file)
index 0000000..0dc4ada
--- /dev/null
@@ -0,0 +1,38 @@
+From 71504062a7c34838c3fccd92c447f399d3cb5797 Mon Sep 17 00:00:00 2001
+From: Lu Baolu <baolu.lu@linux.intel.com>
+Date: Fri, 8 Apr 2016 16:25:09 +0300
+Subject: usb: xhci: fix wild pointers in xhci_mem_cleanup
+
+From: Lu Baolu <baolu.lu@linux.intel.com>
+
+commit 71504062a7c34838c3fccd92c447f399d3cb5797 upstream.
+
+This patch fixes some wild pointers produced by xhci_mem_cleanup.
+These wild pointers will cause system crash if xhci_mem_cleanup()
+is called twice.
+
+Reported-and-tested-by: Pengcheng Li <lpc.li@hisilicon.com>
+Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
+Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/host/xhci-mem.c |    6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1785,6 +1785,12 @@ no_bw:
+       kfree(xhci->rh_bw);
+       kfree(xhci->ext_caps);
++      xhci->usb2_ports = NULL;
++      xhci->usb3_ports = NULL;
++      xhci->port_array = NULL;
++      xhci->rh_bw = NULL;
++      xhci->ext_caps = NULL;
++
+       xhci->page_size = 0;
+       xhci->page_shift = 0;
+       xhci->bus_state[0].bus_suspended = 0;
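Review bot: The five `= NULL` resets are grouped after the `kfree()` calls rather than paired with them, and only the `rh_bw` and `ext_caps` frees are visible in this hunk, so the match between freed and cleared pointers cannot be checked by reading it. Pairing each free with its reset, as in `kfree(xhci->rh_bw); xhci->rh_bw = NULL;`, would make a second `xhci_mem_cleanup()` call visibly safe and keep a `kfree()` added later from leaving a dangling pointer. The frees of `usb2_ports`, `usb3_ports` and `port_array`, and any other pointers released earlier in the function, are outside the hunk. It is worth confirming that none of those stays non-NULL after cleanup.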