--- /dev/null
+From 28fe5c825f8e15744d04c7c1b8df197950923ecd Mon Sep 17 00:00:00 2001
+From: Lan Tianyu <tianyu.lan@intel.com>
+Date: Mon, 6 May 2013 03:23:40 +0000
+Subject: ACPI / EC: Restart transaction even when the IBF flag set
+
+From: Lan Tianyu <tianyu.lan@intel.com>
+
+commit 28fe5c825f8e15744d04c7c1b8df197950923ecd upstream.
+
+The EC driver works abnormally with IBF flag always set.
+IBF means "The host has written a byte of data to the command
+or data port, but the embedded controller has not yet read it".
+If IBF is set in the EC status and not cleared, this will cause
+all subsequent EC requests to fail with a timeout error.
+
+Change the EC driver so that it doesn't refuse to restart a
+transaction if IBF is set in the status. Also increase the
+number of transaction restarts to 5, as it turns out that 2
+is not sufficient in some cases.
+
+This bug happens on several different machines (Asus V1S,
+Dell Latitude E6530, Samsung R719, Acer Aspire 5930G,
+Sony Vaio SR19VN and others).
+
+[rjw: Changelog]
+References: https://bugzilla.kernel.org/show_bug.cgi?id=14733
+References: https://bugzilla.kernel.org/show_bug.cgi?id=15560
+References: https://bugzilla.kernel.org/show_bug.cgi?id=15946
+References: https://bugzilla.kernel.org/show_bug.cgi?id=42945
+References: https://bugzilla.kernel.org/show_bug.cgi?id=48221
+Signed-off-by: Lan Tianyu <tianyu.lan@intel.com>
+Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/acpi/ec.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -217,7 +217,7 @@ static int ec_check_sci_sync(struct acpi
+ static int ec_poll(struct acpi_ec *ec)
+ {
+ unsigned long flags;
+- int repeat = 2; /* number of command restarts */
++ int repeat = 5; /* number of command restarts */
+ while (repeat--) {
+ unsigned long delay = jiffies +
+ msecs_to_jiffies(ec_delay);
+@@ -235,8 +235,6 @@ static int ec_poll(struct acpi_ec *ec)
+ }
+ advance_transaction(ec, acpi_ec_read_status(ec));
+ } while (time_before(jiffies, delay));
+- if (acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF)
+- break;
+ pr_debug(PREFIX "controller reset, restart transaction\n");
+ spin_lock_irqsave(&ec->curr_lock, flags);
+ start_transaction(ec);
--- /dev/null
+From a5f2b3d6a738e7d4180012fe7b541172f8c8dcea Mon Sep 17 00:00:00 2001
+From: Chen Gang <gang.chen@asianux.com>
+Date: Thu, 16 May 2013 14:04:25 -0500
+Subject: drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
+
+From: Chen Gang <gang.chen@asianux.com>
+
+commit a5f2b3d6a738e7d4180012fe7b541172f8c8dcea upstream.
+
+When calling memcpy, read_data and write_data need additional 2 bytes.
+
+ write_data:
+ for checking: "if (size > IPMI_MAX_MSG_LENGTH)"
+ for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"
+
+ read_data:
+ for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
+ for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"
+
+Signed-off-by: Chen Gang <gang.chen@asianux.com>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -95,9 +95,9 @@ struct si_sm_data {
+ enum bt_states state;
+ unsigned char seq; /* BT sequence number */
+ struct si_sm_io *io;
+- unsigned char write_data[IPMI_MAX_MSG_LENGTH];
++ unsigned char write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
+ int write_count;
+- unsigned char read_data[IPMI_MAX_MSG_LENGTH];
++ unsigned char read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
+ int read_count;
+ int truncated;
+ long timeout; /* microseconds countdown */
+++ /dev/null
-From a9b054e8ab06504c2afa0e307ee78d3778993a1d Mon Sep 17 00:00:00 2001
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-Date: Thu, 2 May 2013 09:43:05 +0200
-Subject: drm: don't check modeset locks in panic handler
-
-From: Daniel Vetter <daniel.vetter@ffwll.ch>
-
-commit a9b054e8ab06504c2afa0e307ee78d3778993a1d upstream.
-
-Since we know that locking is broken in that case and it's more
-important to not flood the dmesg with random gunk.
-
-References: http://lkml.kernel.org/r/20130502000206.GH15623@pd.tnic
-Cc: Dave Airlie <airlied@gmail.com>
-Cc: Borislav Petkov <bp@alien8.de>
-Reported-and-tested-by: Borislav Petkov <bp@suse.de>
-Signed-off-by: Daniel Vetter <daniel.vetter@ffwll.ch>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- drivers/gpu/drm/drm_crtc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/gpu/drm/drm_crtc.c
-+++ b/drivers/gpu/drm/drm_crtc.c
-@@ -973,6 +973,10 @@ int drm_mode_group_init_legacy_group(str
- if ((ret = drm_mode_group_init(dev, group)))
- return ret;
-
-+ /* Locking is currently fubar in the panic handler. */
-+ if (oops_in_progress)
-+ return;
-+
- list_for_each_entry(crtc, &dev->mode_config.crtc_list, head)
- group->id_list[group->num_crtcs++] = crtc->base.id;
-
--- /dev/null
+From fefaedcfb82d2e57c2320acf60604ab03b750cc0 Mon Sep 17 00:00:00 2001
+From: Kees Cook <keescook@chromium.org>
+Date: Sun, 12 May 2013 22:00:51 -0700
+Subject: drm/radeon: check incoming cliprects pointer
+
+From: Kees Cook <keescook@chromium.org>
+
+commit fefaedcfb82d2e57c2320acf60604ab03b750cc0 upstream.
+
+The "boxes" parameter points into userspace memory. It should be verified
+like any other operation against user memory.
+
+Signed-off-by: Kees Cook <keescook@chromium.org>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/r300_cmdbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/r300_cmdbuf.c
++++ b/drivers/gpu/drm/radeon/r300_cmdbuf.c
+@@ -74,7 +74,7 @@ static int r300_emit_cliprects(drm_radeo
+ OUT_RING(CP_PACKET0(R300_RE_CLIPRECT_TL_0, nr * 2 - 1));
+
+ for (i = 0; i < nr; ++i) {
+- if (DRM_COPY_FROM_USER_UNCHECKED
++ if (DRM_COPY_FROM_USER
+ (&box, &cmdbuf->boxes[n + i], sizeof(box))) {
+ DRM_ERROR("copy cliprect faulted\n");
+ return -EFAULT;
--- /dev/null
+From 6368087e851e697679af059b4247aca33a69cef3 Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Thu, 16 May 2013 14:04:27 -0500
+Subject: ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
+
+From: Benjamin LaHaise <bcrl@kvack.org>
+
+commit 6368087e851e697679af059b4247aca33a69cef3 upstream.
+
+When a 32 bit version of ipmitool is used on a 64 bit kernel, the
+ipmi_devintf code fails to correctly acquire ipmi_mutex. This results in
+incomplete data being retrieved in some cases, or other possible failures.
+Add a wrapper around compat_ipmi_ioctl() to take ipmi_mutex to fix this.
+
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Signed-off-by: Corey Minyard <cminyard@mvista.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/char/ipmi/ipmi_devintf.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_devintf.c
++++ b/drivers/char/ipmi/ipmi_devintf.c
+@@ -837,13 +837,25 @@ static long compat_ipmi_ioctl(struct fil
+ return ipmi_ioctl(filep, cmd, arg);
+ }
+ }
++
++static long unlocked_compat_ipmi_ioctl(struct file *filep, unsigned int cmd,
++ unsigned long arg)
++{
++ int ret;
++
++ mutex_lock(&ipmi_mutex);
++ ret = compat_ipmi_ioctl(filep, cmd, arg);
++ mutex_unlock(&ipmi_mutex);
++
++ return ret;
++}
+ #endif
+
+ static const struct file_operations ipmi_fops = {
+ .owner = THIS_MODULE,
+ .unlocked_ioctl = ipmi_unlocked_ioctl,
+ #ifdef CONFIG_COMPAT
+- .compat_ioctl = compat_ipmi_ioctl,
++ .compat_ioctl = unlocked_compat_ipmi_ioctl,
+ #endif
+ .open = ipmi_open,
+ .release = ipmi_release,
--- /dev/null
+From 3eccfdb01da58fbd0f789ae6ca61cee3769e26de Mon Sep 17 00:00:00 2001
+From: Shlomo Pongratz <shlomop@mellanox.com>
+Date: Sun, 5 May 2013 17:36:26 +0300
+Subject: iscsi-target: Fix processing of OOO commands
+
+From: Shlomo Pongratz <shlomop@mellanox.com>
+
+commit 3eccfdb01da58fbd0f789ae6ca61cee3769e26de upstream.
+
+Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn.
+
+Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparisson.
+
+The routine iterates until it finds an entry whose serial number is greater than the serial number of
+the new one, thus the new entry should be inserted before that entry and not after.
+
+Signed-off-by: Shlomo Pongratz <shlomop@mellanox.com>
+Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/target/iscsi/iscsi_target_erl1.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_erl1.c
++++ b/drivers/target/iscsi/iscsi_target_erl1.c
+@@ -824,7 +824,7 @@ static int iscsit_attach_ooo_cmdsn(
+ /*
+ * CmdSN is greater than the tail of the list.
+ */
+- if (ooo_tail->cmdsn < ooo_cmdsn->cmdsn)
++ if (iscsi_sna_lt(ooo_tail->cmdsn, ooo_cmdsn->cmdsn))
+ list_add_tail(&ooo_cmdsn->ooo_list,
+ &sess->sess_ooo_cmdsn_list);
+ else {
+@@ -834,11 +834,12 @@ static int iscsit_attach_ooo_cmdsn(
+ */
+ list_for_each_entry(ooo_tmp, &sess->sess_ooo_cmdsn_list,
+ ooo_list) {
+- if (ooo_tmp->cmdsn < ooo_cmdsn->cmdsn)
++ if (iscsi_sna_lt(ooo_tmp->cmdsn, ooo_cmdsn->cmdsn))
+ continue;
+
++ /* Insert before this entry */
+ list_add(&ooo_cmdsn->ooo_list,
+- &ooo_tmp->ooo_list);
++ ooo_tmp->ooo_list.prev);
+ break;
+ }
+ }
+++ /dev/null
-From 79c66ce8f6448a3295a32efeac88c9debd7f7094 Mon Sep 17 00:00:00 2001
-From: Anton Blanchard <anton@au1.ibm.com>
-Date: Sun, 12 May 2013 15:04:53 +0000
-Subject: powerpc/kexec: Fix kexec when using VMX optimised memcpy
-
-From: Anton Blanchard <anton@au1.ibm.com>
-
-commit 79c66ce8f6448a3295a32efeac88c9debd7f7094 upstream.
-
-commit b3f271e86e5a (powerpc: POWER7 optimised memcpy using VMX and
-enhanced prefetch) uses VMX when it is safe to do so (ie not in
-interrupt). It also looks at the task struct to decide if we have to
-save the current tasks' VMX state.
-
-kexec calls memcpy() at a point where the task struct may have been
-overwritten by the new kexec segments. If it has been overwritten
-then when memcpy -> enable_altivec looks up current->thread.regs->msr
-we get a cryptic oops or lockup.
-
-I also notice we aren't initialising thread_info->cpu, which means
-smp_processor_id is broken. Fix that too.
-
-Signed-off-by: Anton Blanchard <anton@samba.org>
-Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org>
-Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
-
----
- arch/powerpc/kernel/machine_kexec_64.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/arch/powerpc/kernel/machine_kexec_64.c
-+++ b/arch/powerpc/kernel/machine_kexec_64.c
-@@ -17,6 +17,7 @@
- #include <linux/errno.h>
- #include <linux/kernel.h>
- #include <linux/cpu.h>
-+#include <linux/hardirq.h>
-
- #include <asm/page.h>
- #include <asm/current.h>
-@@ -335,10 +336,13 @@ void default_machine_kexec(struct kimage
- pr_debug("kexec: Starting switchover sequence.\n");
-
- /* switch to a staticly allocated stack. Based on irq stack code.
-+ * We setup preempt_count to avoid using VMX in memcpy.
- * XXX: the task struct will likely be invalid once we do the copy!
- */
- kexec_stack.thread_info.task = current_thread_info()->task;
- kexec_stack.thread_info.flags = 0;
-+ kexec_stack.thread_info.preempt_count = HARDIRQ_OFFSET;
-+ kexec_stack.thread_info.cpu = current_thread_info()->cpu;
-
- /* We need a static PACA, too; copy this CPU's PACA over and switch to
- * it. Also poison per_cpu_offset to catch anyone using non-static
tracing-fix-leaks-of-filter-preds.patch
ext4-limit-group-search-loop-for-non-extent-files.patch
powerpc-bring-all-threads-online-prior-to-migration-hibernation.patch
-powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch
ath9k-fix-key-allocation-error-handling-for-powersave-keys.patch
mwifiex-clear-is_suspended-flag-when-interrupt-is-received-early.patch
mwifiex-fix-setting-of-multicast-filter.patch
b43-handle-dma-rx-descriptor-underrun.patch
drm-mm-fix-dump-table-bug.patch
-drm-don-t-check-modeset-locks-in-panic-handler.patch
net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch
net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch
net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch
r8169-fix-vlan-tag-read-ordering.patch
drbd-fix-for-deadlock-when-using-automatic-split-brain-recovery.patch
drivers-rtc-rtc-pcf2123.c-fix-error-return-code-in-pcf2123_probe.patch
+iscsi-target-fix-processing-of-ooo-commands.patch
+acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
+drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
+ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
+drm-radeon-check-incoming-cliprects-pointer.patch
+usermodehelper-check-subprocess_info-path-null.patch
--- /dev/null
+From 264b83c07a84223f0efd0d1db9ccc66d6f88288f Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov <oleg@redhat.com>
+Date: Thu, 16 May 2013 17:43:55 +0200
+Subject: usermodehelper: check subprocess_info->path != NULL
+
+From: Oleg Nesterov <oleg@redhat.com>
+
+commit 264b83c07a84223f0efd0d1db9ccc66d6f88288f upstream.
+
+argv_split(empty_or_all_spaces) happily succeeds, it simply returns
+argc == 0 and argv[0] == NULL. Change call_usermodehelper_exec() to
+check sub_info->path != NULL to avoid the crash.
+
+This is the minimal fix, todo:
+
+ - perhaps we should change argv_split() to return NULL or change the
+ callers.
+
+ - kill or justify ->path[0] check
+
+ - narrow the scope of helper_lock()
+
+Signed-off-by: Oleg Nesterov <oleg@redhat.com>
+Acked-By: Lucas De Marchi <lucas.demarchi@intel.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ kernel/kmod.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -541,6 +541,11 @@ int call_usermodehelper_exec(struct subp
+ int retval = 0;
+
+ helper_lock();
++ if (!sub_info->path) {
++ retval = -EINVAL;
++ goto out;
++ }
++
+ if (sub_info->path[0] == '\0')
+ goto out;
+
projects / thirdparty / kernel / stable-queue.git / commitdiff
