3.0-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Oct 2012 12:48:18 +0000 (05:48 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Sun, 14 Oct 2012 12:48:18 +0000 (05:48 -0700)
added patches:
arm-7541-1-add-arm-errata-775420-workaround.patch
firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch

queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch [new file with mode: 0644]
queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch [new file with mode: 0644]
queue-3.0/series
queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch [new file with mode: 0644]

diff --git a/queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch b/queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch
new file mode 100644 (file)
index 0000000..ae78b7c
--- /dev/null
@@ -0,0 +1,62 @@
+From 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 Mon Sep 17 00:00:00 2001
+From: Simon Horman <horms@verge.net.au>
+Date: Fri, 28 Sep 2012 02:12:45 +0100
+Subject: ARM: 7541/1: Add ARM ERRATA 775420 workaround
+
+From: Simon Horman <horms@verge.net.au>
+
+commit 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 upstream.
+
+arm: Add ARM ERRATA 775420 workaround
+
+Workaround for the 775420 Cortex-A9 (r2p2, r2p6,r2p8,r2p10,r3p0) erratum.
+In case a date cache maintenance operation aborts with MMU exception, it
+might cause the processor to deadlock. This workaround puts DSB before
+executing ISB if an abort may occur on cache maintenance.
+
+Based on work by Kouei Abe and feedback from Catalin Marinas.
+
+Signed-off-by: Kouei Abe <kouei.abe.cp@rms.renesas.com>
+[ horms@verge.net.au: Changed to implementation
+  suggested by catalin.marinas@arm.com ]
+Acked-by: Catalin Marinas <catalin.marinas@arm.com>
+Signed-off-by: Simon Horman <horms@verge.net.au>
+Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/arm/Kconfig       |   10 ++++++++++
+ arch/arm/mm/cache-v7.S |    3 +++
+ 2 files changed, 13 insertions(+)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1260,6 +1260,16 @@ config PL310_ERRATA_769419
+         on systems with an outer cache, the store buffer is drained
+         explicitly.
++config ARM_ERRATA_775420
++       bool "ARM errata: A data cache maintenance operation which aborts, might lead to deadlock"
++       depends on CPU_V7
++       help
++       This option enables the workaround for the 775420 Cortex-A9 (r2p2,
++       r2p6,r2p8,r2p10,r3p0) erratum. In case a date cache maintenance
++       operation aborts with MMU exception, it might cause the processor
++       to deadlock. This workaround puts DSB before executing ISB if
++       an abort may occur on cache maintenance.
++
+ endmenu
+ source "arch/arm/common/Kconfig"
+--- a/arch/arm/mm/cache-v7.S
++++ b/arch/arm/mm/cache-v7.S
+@@ -211,6 +211,9 @@ ENTRY(v7_coherent_user_range)
+  * isn't mapped, just try the next page.
+  */
+ 9001:
++#ifdef CONFIG_ARM_ERRATA_775420
++      dsb
++#endif
+       mov     r12, r12, lsr #12
+       mov     r12, r12, lsl #12
+       add     r12, r12, #4096
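Review bot: `config ARM_ERRATA_775420` is declared as a plain `bool` with no `default` line, so the `dsb` added at label 9001 in v7_coherent_user_range is compiled out unless a configuration for an affected Cortex-A9 revision turns the option on explicitly. The help text does not say this, and it is worth a sentence there such as `Say Y if the kernel may run on one of the listed Cortex-A9 revisions.` The help text also reads "date cache maintenance operation" where the prompt line says "data cache"; it should be `r2p6,r2p8,r2p10,r3p0) erratum. In case a data cache maintenance`. The option depends on `CPU_V7` as a whole although the text names Cortex-A9 only, which is harmless but could be stated in the help.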
diff --git a/queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch b/queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
new file mode 100644 (file)
index 0000000..82ca2fa
--- /dev/null
@@ -0,0 +1,50 @@
+From 790198f74c9d1b46b6a89504361b1a844670d050 Mon Sep 17 00:00:00 2001
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Date: Sat, 6 Oct 2012 14:12:56 +0200
+Subject: firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel)
+
+From: Stefan Richter <stefanr@s5r6.in-berlin.de>
+
+commit 790198f74c9d1b46b6a89504361b1a844670d050 upstream.
+
+Fix two bugs of the /dev/fw* character device concerning the
+FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
+(Practically all /dev/fw* clients issue this ioctl right after opening
+the device.)
+
+Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
+without natural alignment and 40 with natural alignment.
+
+ 1) Memory corruption, affecting i386 userland on amd64 kernel:
+    Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
+    This has been first found and reported against libraw1394 if
+    compiled with gcc 4.7 which happens to order libraw1394's stack such
+    that the bug became visible as data corruption.
+
+ 2) Information leak, affecting all kernel architectures except i386:
+    4 bytes of random kernel stack data were leaked to userspace.
+
+Hence limit the respective copy_to_user() to the 32-bit aligned size of
+struct fw_cdev_event_bus_reset.
+
+Reported-by: Simon Kirby <sim@hostway.ca>
+Signed-off-by: Stefan Richter <stefanr@s5r6.in-berlin.de>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/firewire/core-cdev.c |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -471,8 +471,8 @@ static int ioctl_get_info(struct client
+       client->bus_reset_closure = a->bus_reset_closure;
+       if (a->bus_reset != 0) {
+               fill_bus_reset_event(&bus_reset, client);
+-              ret = copy_to_user(u64_to_uptr(a->bus_reset),
+-                                 &bus_reset, sizeof(bus_reset));
++              /* unaligned size of bus_reset is 36 bytes */
++              ret = copy_to_user(u64_to_uptr(a->bus_reset), &bus_reset, 36);
+       }
+       if (ret == 0 && list_empty(&client->link))
+               list_add_tail(&client->link, &client->device->client_list);
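Review bot: The literal `36` passed to `copy_to_user()` in ioctl_get_info() ties the fix to the present layout of struct fw_cdev_event_bus_reset, and nothing fails at build time if that layout changes, so a later added member would be silently truncated. Deriving the length from the struct's last member with `offsetof()` plus that member's size, or a named constant defined next to the struct (which is outside this hunk), would keep the bound and the ABI in one place. The comment should also record why the tail is left out, for example `/* copy members only: the 4 bytes of tail padding are uninitialised stack, and a 32-bit caller's buffer is 36 bytes */`. fill_bus_reset_event() is not visible here, so whether `bus_reset` has any other uninitialised bytes cannot be judged from the hunk; zero-initialising it before the fill would be cheap defence in depth. The function continues outside the hunk, including the point where the `copy_to_user()` return value in `ret` is turned into an error code.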
index 37e1d79b0df0c73fd40d487fb45694cc2c695f6c..1ae3e58f9f83357dd59828220aa74895dc8794a7 100644 (file)
@@ -4,3 +4,6 @@ acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch
 acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch
 mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch
 tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch
+arm-7541-1-add-arm-errata-775420-workaround.patch
+firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
+sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
diff --git a/queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch b/queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
new file mode 100644 (file)
index 0000000..7afc659
--- /dev/null
@@ -0,0 +1,86 @@
+From a519fc7a70d1a918574bb826cc6905b87b482eb9 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+Date: Wed, 12 Sep 2012 16:49:15 -0400
+Subject: SUNRPC: Ensure that the TCP socket is closed when in CLOSE_WAIT
+
+From: Trond Myklebust <Trond.Myklebust@netapp.com>
+
+commit a519fc7a70d1a918574bb826cc6905b87b482eb9 upstream.
+
+Instead of doing a shutdown() call, we need to do an actual close().
+Ditto if/when the server is sending us junk RPC headers.
+
+Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
+Tested-by: Simon Kirby <sim@hostway.ca>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sunrpc/xprtsock.c |   21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1015,6 +1015,16 @@ static void xs_udp_data_ready(struct soc
+       read_unlock_bh(&sk->sk_callback_lock);
+ }
++/*
++ * Helper function to force a TCP close if the server is sending
++ * junk and/or it has put us in CLOSE_WAIT
++ */
++static void xs_tcp_force_close(struct rpc_xprt *xprt)
++{
++      set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
++      xprt_force_disconnect(xprt);
++}
++
+ static inline void xs_tcp_read_fraghdr(struct rpc_xprt *xprt, struct xdr_skb_reader *desc)
+ {
+       struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
+@@ -1041,7 +1051,7 @@ static inline void xs_tcp_read_fraghdr(s
+       /* Sanity check of the record length */
+       if (unlikely(transport->tcp_reclen < 8)) {
+               dprintk("RPC:       invalid TCP record fragment length\n");
+-              xprt_force_disconnect(xprt);
++              xs_tcp_force_close(xprt);
+               return;
+       }
+       dprintk("RPC:       reading TCP record fragment of length %d\n",
+@@ -1122,7 +1132,7 @@ static inline void xs_tcp_read_calldir(s
+               break;
+       default:
+               dprintk("RPC:       invalid request message type\n");
+-              xprt_force_disconnect(&transport->xprt);
++              xs_tcp_force_close(&transport->xprt);
+       }
+       xs_tcp_check_fraghdr(transport);
+ }
+@@ -1445,6 +1455,8 @@ static void xs_tcp_cancel_linger_timeout
+ static void xs_sock_mark_closed(struct rpc_xprt *xprt)
+ {
+       smp_mb__before_clear_bit();
++      clear_bit(XPRT_CONNECTION_ABORT, &xprt->state);
++      clear_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
+       clear_bit(XPRT_CLOSE_WAIT, &xprt->state);
+       clear_bit(XPRT_CLOSING, &xprt->state);
+       smp_mb__after_clear_bit();
+@@ -1502,8 +1514,8 @@ static void xs_tcp_state_change(struct s
+               break;
+       case TCP_CLOSE_WAIT:
+               /* The server initiated a shutdown of the socket */
+-              xprt_force_disconnect(xprt);
+               xprt->connect_cookie++;
++              xs_tcp_force_close(xprt);
+       case TCP_CLOSING:
+               /*
+                * If the server closed down the connection, make sure that
+@@ -2146,8 +2158,7 @@ static void xs_tcp_setup_socket(struct w
+               /* We're probably in TIME_WAIT. Get rid of existing socket,
+                * and retry
+                */
+-              set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
+-              xprt_force_disconnect(xprt);
++              xs_tcp_force_close(xprt);
+               break;
+       case -ECONNREFUSED:
+       case -ECONNRESET:
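Review bot: In the xs_tcp_state_change() hunk the `TCP_CLOSE_WAIT` case now increments `xprt->connect_cookie` before calling `xs_tcp_force_close()` and then runs straight into `case TCP_CLOSING:`, and neither the new ordering nor the fall-through is explained in the code. A `/* fall through */` marker before `case TCP_CLOSING:` and a one-line comment on why the cookie must be bumped before the close is queued would stop a later cleanup from undoing either. The same applies in xs_sock_mark_closed(), where the two added `clear_bit()` calls for `XPRT_CONNECTION_ABORT` and `XPRT_CONNECTION_CLOSE` sit inside the existing barrier pair without a comment saying that a completed close must cancel any pending close or abort request. Both functions start and end outside their hunks, so the surrounding locking cannot be checked from this page.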