--- /dev/null
+From 875979368eb4cfecff9f0e97625b90cc6009269d Mon Sep 17 00:00:00 2001
+From: Ming Lei <ming.lei@canonical.com>
+Date: Sat, 15 Jun 2013 16:36:38 +0800
+Subject: firmware loader: fix use-after-free by double abort
+
+From: Ming Lei <ming.lei@canonical.com>
+
+commit 875979368eb4cfecff9f0e97625b90cc6009269d upstream.
+
+fw_priv->buf is accessed in both request_firmware_load() and
+writing to sysfs file of 'loading' context, but not protected
+by 'fw_lock' entirely. The patch makes sure that access on
+'fw_priv->buf' is protected by the lock.
+
+So fixes the double abort problem reported by nirinA raseliarison:
+
+ http://lkml.org/lkml/2013/6/14/188
+
+Reported-and-tested-by: nirinA raseliarison <nirina.raseliarison@gmail.com>
+Cc: Guenter Roeck <linux@roeck-us.net>
+Cc: Bjorn Helgaas <bhelgaas@google.com>
+Signed-off-by: Ming Lei <ming.lei@canonical.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/base/firmware_class.c | 27 ++++++++++++++++++---------
+ 1 file changed, 18 insertions(+), 9 deletions(-)
+
+--- a/drivers/base/firmware_class.c
++++ b/drivers/base/firmware_class.c
+@@ -450,8 +450,18 @@ static void fw_load_abort(struct firmwar
+ {
+ struct firmware_buf *buf = fw_priv->buf;
+
++ /*
++ * There is a small window in which user can write to 'loading'
++ * between loading done and disappearance of 'loading'
++ */
++ if (test_bit(FW_STATUS_DONE, &buf->status))
++ return;
++
+ set_bit(FW_STATUS_ABORT, &buf->status);
+ complete_all(&buf->completion);
++
++ /* avoid user action after loading abort */
++ fw_priv->buf = NULL;
+ }
+
+ #define is_fw_load_aborted(buf) \
+@@ -528,7 +538,12 @@ static ssize_t firmware_loading_show(str
+ struct device_attribute *attr, char *buf)
+ {
+ struct firmware_priv *fw_priv = to_firmware_priv(dev);
+- int loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);
++ int loading = 0;
++
++ mutex_lock(&fw_lock);
++ if (fw_priv->buf)
++ loading = test_bit(FW_STATUS_LOADING, &fw_priv->buf->status);
++ mutex_unlock(&fw_lock);
+
+ return sprintf(buf, "%d\n", loading);
+ }
+@@ -570,12 +585,12 @@ static ssize_t firmware_loading_store(st
+ const char *buf, size_t count)
+ {
+ struct firmware_priv *fw_priv = to_firmware_priv(dev);
+- struct firmware_buf *fw_buf = fw_priv->buf;
++ struct firmware_buf *fw_buf;
+ int loading = simple_strtol(buf, NULL, 10);
+ int i;
+
+ mutex_lock(&fw_lock);
+-
++ fw_buf = fw_priv->buf;
+ if (!fw_buf)
+ goto out;
+
+@@ -777,10 +792,6 @@ static void firmware_class_timeout_work(
+ struct firmware_priv, timeout_work.work);
+
+ mutex_lock(&fw_lock);
+- if (test_bit(FW_STATUS_DONE, &(fw_priv->buf->status))) {
+- mutex_unlock(&fw_lock);
+- return;
+- }
+ fw_load_abort(fw_priv);
+ mutex_unlock(&fw_lock);
+ }
+@@ -861,8 +872,6 @@ static int _request_firmware_load(struct
+
+ cancel_delayed_work_sync(&fw_priv->timeout_work);
+
+- fw_priv->buf = NULL;
+-
+ device_remove_file(f_dev, &dev_attr_loading);
+ err_del_bin_attr:
+ device_remove_bin_file(f_dev, &firmware_attr_data);
--- /dev/null
+From 150e5928d6063b273a80d9d6722417ac3c93ff82 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Mon, 10 Jun 2013 11:05:40 -0700
+Subject: Input: add missing dependencies on CONFIG_HAS_IOMEM
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 150e5928d6063b273a80d9d6722417ac3c93ff82 upstream.
+
+Several drivers don't build on s390 with CONFIG_PCI disabled as
+they require MMIO functions.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/keyboard/Kconfig | 1 +
+ drivers/input/serio/Kconfig | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/input/keyboard/Kconfig
++++ b/drivers/input/keyboard/Kconfig
+@@ -431,6 +431,7 @@ config KEYBOARD_TEGRA
+
+ config KEYBOARD_OPENCORES
+ tristate "OpenCores Keyboard Controller"
++ depends on HAS_IOMEM
+ help
+ Say Y here if you want to use the OpenCores Keyboard Controller
+ http://www.opencores.org/project,keyboardcontroller
+--- a/drivers/input/serio/Kconfig
++++ b/drivers/input/serio/Kconfig
+@@ -205,6 +205,7 @@ config SERIO_XILINX_XPS_PS2
+
+ config SERIO_ALTERA_PS2
+ tristate "Altera UP PS/2 controller"
++ depends on HAS_IOMEM
+ help
+ Say Y here if you have Altera University Program PS/2 ports.
+
--- /dev/null
+From d2983cdb480157f637df07723f28aaa657b1080d Mon Sep 17 00:00:00 2001
+From: Ferruh Yigit <fery@cypress.com>
+Date: Thu, 23 May 2013 09:56:55 -0700
+Subject: Input: cyttsp - fix memcpy size param
+
+From: Ferruh Yigit <fery@cypress.com>
+
+commit d2983cdb480157f637df07723f28aaa657b1080d upstream.
+
+memcpy param is wrong because of offset in bl_cmd, this may corrupt the
+stack which may cause a crash.
+
+Tested-by: Ferruh Yigit <fery@cypress.com> on TMA300-DVK
+Signed-off-by: Ferruh Yigit <fery@cypress.com>
+Acked-by: Javier Martinez Canillas <javier@dowhile0.org>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/touchscreen/cyttsp_core.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/touchscreen/cyttsp_core.c
++++ b/drivers/input/touchscreen/cyttsp_core.c
+@@ -133,7 +133,7 @@ static int cyttsp_exit_bl_mode(struct cy
+ memcpy(bl_cmd, bl_command, sizeof(bl_command));
+ if (ts->pdata->bl_keys)
+ memcpy(&bl_cmd[sizeof(bl_command) - CY_NUM_BL_KEYS],
+- ts->pdata->bl_keys, sizeof(bl_command));
++ ts->pdata->bl_keys, CY_NUM_BL_KEYS);
+
+ error = ttsp_write_block_data(ts, CY_REG_BASE,
+ sizeof(bl_cmd), bl_cmd);
--- /dev/null
+From be66227151c0cd4da536098c3ee07809101c6faa Mon Sep 17 00:00:00 2001
+From: Shawn Joseph <jms.576@gmail.com>
+Date: Tue, 18 Jun 2013 23:07:45 -0700
+Subject: Input: xpad - fix for "Mad Catz Street Fighter IV FightPad" controllers
+
+From: Shawn Joseph <jms.576@gmail.com>
+
+commit be66227151c0cd4da536098c3ee07809101c6faa upstream.
+
+Added MAP_TRIGGERS_TO_BUTTONS for Mad Catz Street Fighter IV FightPad
+device. This controller model was already supported by the xpad
+driver, but none of the buttons work correctly without this change.
+
+Tested on kernel version 3.9.5.
+
+Signed-off-by: Shawn Joseph <jms.576@gmail.com>
+Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/input/joystick/xpad.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/input/joystick/xpad.c
++++ b/drivers/input/joystick/xpad.c
+@@ -137,7 +137,7 @@ static const struct xpad_device {
+ { 0x0738, 0x4540, "Mad Catz Beat Pad", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX },
+ { 0x0738, 0x4556, "Mad Catz Lynx Wireless Controller", 0, XTYPE_XBOX },
+ { 0x0738, 0x4716, "Mad Catz Wired Xbox 360 Controller", 0, XTYPE_XBOX360 },
+- { 0x0738, 0x4728, "Mad Catz Street Fighter IV FightPad", XTYPE_XBOX360 },
++ { 0x0738, 0x4728, "Mad Catz Street Fighter IV FightPad", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
+ { 0x0738, 0x4738, "Mad Catz Wired Xbox 360 Controller (SFIV)", MAP_TRIGGERS_TO_BUTTONS, XTYPE_XBOX360 },
+ { 0x0738, 0x6040, "Mad Catz Beat Pad Pro", MAP_DPAD_TO_BUTTONS, XTYPE_XBOX },
+ { 0x0738, 0xbeef, "Mad Catz JOYTECH NEO SE Advanced GamePad", XTYPE_XBOX360 },
packet-set-transport-header-before-doing-xmit.patch
netback-set-transport-header-before-passing-it-to-kernel.patch
net_sched-better-precise-estimation-on-packet-length-for-untrusted-packets.patch
+input-cyttsp-fix-memcpy-size-param.patch
+input-add-missing-dependencies-on-config_has_iomem.patch
+input-xpad-fix-for-mad-catz-street-fighter-iv-fightpad-controllers.patch
+usb-serial-ti_usb_3410_5052-new-device-id-for-abbot-strip-port-cable.patch
+firmware-loader-fix-use-after-free-by-double-abort.patch
+tcm_qla2xxx-fix-residual-for-underrun-commands-that-fail.patch
+tty-fix-transient-pty-write-eio.patch
+target-iscsi-don-t-corrupt-bh_count-in-iscsit_stop_time2retain_timer.patch
--- /dev/null
+From 574780fd5e6ec52bd43e0bdb777a19e4c4c6aa9c Mon Sep 17 00:00:00 2001
+From: Joern Engel <joern@logfs.org>
+Date: Thu, 30 May 2013 16:36:51 -0400
+Subject: target/iscsi: don't corrupt bh_count in iscsit_stop_time2retain_timer()
+
+From: Joern Engel <joern@logfs.org>
+
+commit 574780fd5e6ec52bd43e0bdb777a19e4c4c6aa9c upstream.
+
+Here is a fun one. Bug seems to have been introduced by commit 140854cb,
+almost two years ago. I have no idea why we only started seeing it now,
+but we did.
+
+Rough callgraph:
+core_tpg_set_initiator_node_queue_depth()
+`-> spin_lock_irqsave(&tpg->session_lock, flags);
+`-> lio_tpg_shutdown_session()
+ `-> iscsit_stop_time2retain_timer()
+ `-> spin_unlock_bh(&se_tpg->session_lock);
+ `-> spin_lock_bh(&se_tpg->session_lock);
+`-> spin_unlock_irqrestore(&tpg->session_lock, flags);
+
+core_tpg_set_initiator_node_queue_depth() used to call spin_lock_bh(),
+but 140854cb changed that to spin_lock_irqsave(). However,
+lio_tpg_shutdown_session() still claims to be called with spin_lock_bh()
+held, as does iscsit_stop_time2retain_timer():
+ * Called with spin_lock_bh(&struct se_portal_group->session_lock) held
+
+Stale documentation is mostly annoying, but in this case the dropping
+the lock with the _bh variant is plain wrong. It is also wrong to drop
+locks two functions below the lock-holder, but I will ignore that bit
+for now.
+
+After some more locking and unlocking we eventually hit this backtrace:
+------------[ cut here ]------------
+WARNING: at kernel/softirq.c:159 local_bh_enable_ip+0xe8/0x100()
+Pid: 24645, comm: lio_helper.py Tainted: G O 3.6.11+
+Call Trace:
+ [<ffffffff8103e5ff>] warn_slowpath_common+0x7f/0xc0
+ [<ffffffffa040ae37>] ? iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
+ [<ffffffff8103e65a>] warn_slowpath_null+0x1a/0x20
+ [<ffffffff810472f8>] local_bh_enable_ip+0xe8/0x100
+ [<ffffffff815b8365>] _raw_spin_unlock_bh+0x15/0x20
+ [<ffffffffa040ae37>] iscsit_inc_conn_usage_count+0x37/0x50 [iscsi_target_mod]
+ [<ffffffffa041149a>] iscsit_stop_session+0xfa/0x1c0 [iscsi_target_mod]
+ [<ffffffffa0417fab>] lio_tpg_shutdown_session+0x7b/0x90 [iscsi_target_mod]
+ [<ffffffffa033ede4>] core_tpg_set_initiator_node_queue_depth+0xe4/0x290 [target_core_mod]
+ [<ffffffffa0409032>] iscsit_tpg_set_initiator_node_queue_depth+0x12/0x20 [iscsi_target_mod]
+ [<ffffffffa0415c29>] lio_target_nacl_store_cmdsn_depth+0xa9/0x180 [iscsi_target_mod]
+ [<ffffffffa0331b49>] target_fabric_nacl_base_attr_store+0x39/0x40 [target_core_mod]
+ [<ffffffff811b857d>] configfs_write_file+0xbd/0x120
+ [<ffffffff81148f36>] vfs_write+0xc6/0x180
+ [<ffffffff81149251>] sys_write+0x51/0x90
+ [<ffffffff815c0969>] system_call_fastpath+0x16/0x1b
+---[ end trace 3747632b9b164652 ]---
+
+As a pure band-aid, this patch drops the _bh.
+
+Signed-off-by: Joern Engel <joern@logfs.org>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+
+---
+ drivers/target/iscsi/iscsi_target_erl0.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_erl0.c
++++ b/drivers/target/iscsi/iscsi_target_erl0.c
+@@ -842,11 +842,11 @@ int iscsit_stop_time2retain_timer(struct
+ return 0;
+
+ sess->time2retain_timer_flags |= ISCSI_TF_STOP;
+- spin_unlock_bh(&se_tpg->session_lock);
++ spin_unlock(&se_tpg->session_lock);
+
+ del_timer_sync(&sess->time2retain_timer);
+
+- spin_lock_bh(&se_tpg->session_lock);
++ spin_lock(&se_tpg->session_lock);
+ sess->time2retain_timer_flags &= ~ISCSI_TF_RUNNING;
+ pr_debug("Stopped Time2Retain Timer for SID: %u\n",
+ sess->sid);
--- /dev/null
+From b5aff3d2747bea08b386edd070941a45611ffe51 Mon Sep 17 00:00:00 2001
+From: Roland Dreier <roland@purestorage.com>
+Date: Wed, 5 Jun 2013 09:54:17 -0700
+Subject: tcm_qla2xxx: Fix residual for underrun commands that fail
+
+From: Roland Dreier <roland@purestorage.com>
+
+commit b5aff3d2747bea08b386edd070941a45611ffe51 upstream.
+
+Suppose an initiator sends a DATA IN command with an allocation length
+shorter than the FC transfer length -- we get a target message like
+
+ TARGET_CORE[qla2xxx]: Expected Transfer Length: 256 does not match SCSI CDB Length: 0 for SAM Opcode: 0x12
+
+In that case, the target core adjusts the data_length and sets
+se_cmd->residual_count for the underrun. But now suppose that command
+fails and we end up in tcm_qla2xxx_queue_status() -- that function
+unconditionally overwrites residual_count with the already adjusted
+data_length, and the initiator will burp with a message like
+
+ qla2xxx [0000:00:06.0]-301d:0: Dropped frame(s) detected (0x100 of 0x100 bytes).
+
+Fix this by adding on to the existing underflow residual count instead.
+
+Signed-off-by: Roland Dreier <roland@purestorage.com>
+Cc: Giridhar Malavali <giridhar.malavali@qlogic.com>
+Cc: Chad Dupuis <chad.dupuis@qlogic.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/scsi/qla2xxx/tcm_qla2xxx.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/qla2xxx/tcm_qla2xxx.c
++++ b/drivers/scsi/qla2xxx/tcm_qla2xxx.c
+@@ -688,8 +688,12 @@ static int tcm_qla2xxx_queue_status(stru
+ * For FCP_READ with CHECK_CONDITION status, clear cmd->bufflen
+ * for qla_tgt_xmit_response LLD code
+ */
++ if (se_cmd->se_cmd_flags & SCF_OVERFLOW_BIT) {
++ se_cmd->se_cmd_flags &= ~SCF_OVERFLOW_BIT;
++ se_cmd->residual_count = 0;
++ }
+ se_cmd->se_cmd_flags |= SCF_UNDERFLOW_BIT;
+- se_cmd->residual_count = se_cmd->data_length;
++ se_cmd->residual_count += se_cmd->data_length;
+
+ cmd->bufflen = 0;
+ }
--- /dev/null
+From 7c61c3d8f44d5d822f758754287af644307b4af9 Mon Sep 17 00:00:00 2001
+From: Peter Hurley <peter@hurleysoftware.com>
+Date: Thu, 13 Jun 2013 15:56:37 -0400
+Subject: tty: Fix transient pty write() EIO
+
+From: Peter Hurley <peter@hurleysoftware.com>
+
+commit 7c61c3d8f44d5d822f758754287af644307b4af9 upstream.
+
+Commit 699390354da6c258b65bf8fa79cfd5feaede50b6
+('pty: Ignore slave pty close() if never successfully opened')
+introduced a bug with ptys whereby a write() in parallel with an
+open() on an existing pty could mistakenly indicate an I/O error.
+
+Only indicate an I/O error if the condition on open() actually exists.
+
+Reported-by: Markus Trippelsdorf <markus@trippelsdorf.de>
+Signed-off-by: Peter Hurley <peter@hurleysoftware.com>
+Tested-by: Mikael Pettersson <mikpe@it.uu.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/tty/pty.c | 13 +++++--------
+ 1 file changed, 5 insertions(+), 8 deletions(-)
+
+--- a/drivers/tty/pty.c
++++ b/drivers/tty/pty.c
+@@ -244,14 +244,9 @@ static void pty_flush_buffer(struct tty_
+
+ static int pty_open(struct tty_struct *tty, struct file *filp)
+ {
+- int retval = -ENODEV;
+-
+ if (!tty || !tty->link)
+- goto out;
+-
+- set_bit(TTY_IO_ERROR, &tty->flags);
++ return -ENODEV;
+
+- retval = -EIO;
+ if (test_bit(TTY_OTHER_CLOSED, &tty->flags))
+ goto out;
+ if (test_bit(TTY_PTY_LOCK, &tty->link->flags))
+@@ -262,9 +257,11 @@ static int pty_open(struct tty_struct *t
+ clear_bit(TTY_IO_ERROR, &tty->flags);
+ clear_bit(TTY_OTHER_CLOSED, &tty->link->flags);
+ set_bit(TTY_THROTTLED, &tty->flags);
+- retval = 0;
++ return 0;
++
+ out:
+- return retval;
++ set_bit(TTY_IO_ERROR, &tty->flags);
++ return -EIO;
+ }
+
+ static void pty_set_termios(struct tty_struct *tty,
--- /dev/null
+From 35a2fbc941accd0e9f1bfadd669311786118d874 Mon Sep 17 00:00:00 2001
+From: Anders Hammarquist <iko@iko.pp.se>
+Date: Wed, 19 Jun 2013 01:45:48 +0200
+Subject: USB: serial: ti_usb_3410_5052: new device id for Abbot strip port cable
+
+From: Anders Hammarquist <iko@iko.pp.se>
+
+commit 35a2fbc941accd0e9f1bfadd669311786118d874 upstream.
+
+Add product id for Abbott strip port cable for Precision meter which
+uses the TI 3410 chip.
+
+Signed-off-by: Anders Hammarquist <iko@iko.pp.se>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 3 ++-
+ drivers/usb/serial/ti_usb_3410_5052.h | 4 +++-
+ 2 files changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -178,7 +178,8 @@ static struct usb_device_id ti_id_table_
+ { USB_DEVICE(IBM_VENDOR_ID, IBM_4543_PRODUCT_ID) },
+ { USB_DEVICE(IBM_VENDOR_ID, IBM_454B_PRODUCT_ID) },
+ { USB_DEVICE(IBM_VENDOR_ID, IBM_454C_PRODUCT_ID) },
+- { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_PRODUCT_ID) },
++ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STEREO_PLUG_ID) },
++ { USB_DEVICE(ABBOTT_VENDOR_ID, ABBOTT_STRIP_PORT_ID) },
+ { USB_DEVICE(TI_VENDOR_ID, FRI2_PRODUCT_ID) },
+ };
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.h
++++ b/drivers/usb/serial/ti_usb_3410_5052.h
+@@ -52,7 +52,9 @@
+
+ /* Abbott Diabetics vendor and product ids */
+ #define ABBOTT_VENDOR_ID 0x1a61
+-#define ABBOTT_PRODUCT_ID 0x3410
++#define ABBOTT_STEREO_PLUG_ID 0x3410
++#define ABBOTT_PRODUCT_ID ABBOTT_STEREO_PLUG_ID
++#define ABBOTT_STRIP_PORT_ID 0x3420
+
+ /* Commands */
+ #define TI_GET_VERSION 0x01
projects / thirdparty / kernel / stable-queue.git / commitdiff
