From: Greg Kroah-Hartman Date: Sun, 25 Jan 2015 13:55:01 +0000 (+0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.66~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0e491ed33f98c82876fc68debc1f7758c4fcb2e2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: af9005-fix-kernel-panic-on-init-if-compiled-without.patch smiapp-pll-correct-clock-debug-prints.patch smiapp-take-mutex-during-pll-update-in-sensor-initialisation.patch uvcvideo-fix-destruction-order-in-uvc_delete.patch vfio-pci-fix-the-check-on-pci-device-type-in.patch video-logo-prevent-use-of-logos-after-they-have-been-freed.patch --- diff --git a/queue-3.10/af9005-fix-kernel-panic-on-init-if-compiled-without.patch b/queue-3.10/af9005-fix-kernel-panic-on-init-if-compiled-without.patch new file mode 100644 index 00000000000..2c41307aed1 --- /dev/null +++ b/queue-3.10/af9005-fix-kernel-panic-on-init-if-compiled-without.patch @@ -0,0 +1,97 @@ +From 2279948735609d0d17d7384e776b674619f792ef Mon Sep 17 00:00:00 2001 +From: Frank Schaefer +Date: Mon, 29 Sep 2014 15:17:35 -0300 +Subject: [media] af9005: fix kernel panic on init if compiled without + IR +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Frank Schaefer + +commit 2279948735609d0d17d7384e776b674619f792ef upstream. + +This patches fixes an ancient bug in the dvb_usb_af9005 driver, which +has been reported at least in the following threads: +https://lkml.org/lkml/2009/2/4/350 +https://lkml.org/lkml/2014/9/18/558 + +If the driver is compiled in without any IR support (neither +DVB_USB_AF9005_REMOTE nor custom symbols), the symbol_request calls in +af9005_usb_module_init() return pointers != NULL although the IR +symbols are not available. + +This leads to the following oops: +... +[ 8.529751] usbcore: registered new interface driver dvb_usb_af9005 +[ 8.531584] BUG: unable to handle kernel paging request at 02e00000 +[ 8.533385] IP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d +[ 8.535613] *pde = 00000000 +[ 8.536416] Oops: 0000 [#1] PREEMPT PREEMPT DEBUG_PAGEALLOCDEBUG_PAGEALLOC +[ 8.537863] CPU: 0 PID: 1 Comm: swapper Not tainted 3.15.0-rc6-00151-ga5c075c #1 +[ 8.539827] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.7.5-20140531_083030-gandalf 04/01/2014 +[ 8.541519] task: 89c9a670 ti: 89c9c000 task.ti: 89c9c000 +[ 8.541519] EIP: 0060:[<7d9d67c6>] EFLAGS: 00010206 CPU: 0 +[ 8.541519] EIP is at af9005_usb_module_init+0x6b/0x9d +[ 8.541519] EAX: 02e00000 EBX: 00000000 ECX: 00000006 EDX: 00000000 +[ 8.541519] ESI: 00000000 EDI: 7da33ec8 EBP: 89c9df30 ESP: 89c9df2c +[ 8.541519] DS: 007b ES: 007b FS: 0000 GS: 00e0 SS: 0068 +[ 8.541519] CR0: 8005003b CR2: 02e00000 CR3: 05a54000 CR4: 00000690 +[ 8.541519] Stack: +[ 8.541519] 7d9d675b 89c9df90 7d992a49 7d7d5914 89c9df4c 7be3a800 7d08c58c 8a4c3968 +[ 8.541519] 89c9df80 7be3a966 00000192 00000006 00000006 7d7d3ff4 8a4c397a 00000200 +[ 8.541519] 7d6b1280 8a4c3979 00000006 000009a6 7da32db8 b13eec81 00000006 000009a6 +[ 8.541519] Call Trace: +[ 8.541519] [<7d9d675b>] ? ttusb2_driver_init+0x16/0x16 +[ 8.541519] [<7d992a49>] do_one_initcall+0x77/0x106 +[ 8.541519] [<7be3a800>] ? parameqn+0x2/0x35 +[ 8.541519] [<7be3a966>] ? parse_args+0x113/0x25c +[ 8.541519] [<7d992bc2>] kernel_init_freeable+0xea/0x167 +[ 8.541519] [<7cf01070>] kernel_init+0x8/0xb8 +[ 8.541519] [<7cf27ec0>] ret_from_kernel_thread+0x20/0x30 +[ 8.541519] [<7cf01068>] ? rest_init+0x10c/0x10c +[ 8.541519] Code: 08 c2 c7 05 44 ed f9 7d 00 00 e0 02 c7 05 40 ed f9 7d 00 00 e0 02 c7 05 3c ed f9 7d 00 00 e0 02 75 1f b8 00 00 e0 02 85 c0 74 16 00 00 e0 02 c7 05 54 84 8e 7d 00 00 e0 02 a3 58 84 8e 7d eb +[ 8.541519] EIP: [<7d9d67c6>] af9005_usb_module_init+0x6b/0x9d SS:ESP 0068:89c9df2c +[ 8.541519] CR2: 0000000002e00000 +[ 8.541519] ---[ end trace 768b6faf51370fc7 ]--- + +The prefered fix would be to convert the whole IR code to use the kernel IR +infrastructure (which wasn't available at the time this driver had been created). + +Until anyone who still has this old hardware steps up an does the conversion, +fix it by not calling the symbol_request calls if the driver is compiled in +without the default IR symbols (CONFIG_DVB_USB_AF9005_REMOTE). +Due to the IR related pointers beeing NULL by default, IR support will then be disabled. + +The downside of this solution is, that it will no longer be possible to +compile custom IR symbols (not using CONFIG_DVB_USB_AF9005_REMOTE) in. + +Please note that this patch has NOT been tested with all possible cases. +I don't have the hardware and could only verify that it fixes the reported +bug. + +Reported-by: Fengguag Wu +Signed-off-by: Frank Schäfer +Acked-by: Luca Olivetti +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/dvb-usb/af9005.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/media/usb/dvb-usb/af9005.c ++++ b/drivers/media/usb/dvb-usb/af9005.c +@@ -1081,9 +1081,12 @@ static int __init af9005_usb_module_init + err("usb_register failed. (%d)", result); + return result; + } ++#if IS_MODULE(CONFIG_DVB_USB_AF9005) || defined(CONFIG_DVB_USB_AF9005_REMOTE) ++ /* FIXME: convert to todays kernel IR infrastructure */ + rc_decode = symbol_request(af9005_rc_decode); + rc_keys = symbol_request(rc_map_af9005_table); + rc_keys_size = symbol_request(rc_map_af9005_table_size); ++#endif + if (rc_decode == NULL || rc_keys == NULL || rc_keys_size == NULL) { + err("af9005_rc_decode function not found, disabling remote"); + af9005_properties.rc.legacy.rc_query = NULL; diff --git a/queue-3.10/series b/queue-3.10/series index 85c50173f4b..4acda329b3f 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -14,3 +14,9 @@ cfg80211-fix-160-mhz-channels-with-80-80-and-160-mhz-drivers.patch hp_accel-add-support-for-hp-zbook-15.patch iscsi-target-fail-connection-on-short-sendmsg-writes.patch storvsc-ring-buffer-failures-may-result-in-i-o-freeze.patch +video-logo-prevent-use-of-logos-after-they-have-been-freed.patch +smiapp-pll-correct-clock-debug-prints.patch +af9005-fix-kernel-panic-on-init-if-compiled-without.patch +smiapp-take-mutex-during-pll-update-in-sensor-initialisation.patch +uvcvideo-fix-destruction-order-in-uvc_delete.patch +vfio-pci-fix-the-check-on-pci-device-type-in.patch diff --git a/queue-3.10/smiapp-pll-correct-clock-debug-prints.patch b/queue-3.10/smiapp-pll-correct-clock-debug-prints.patch new file mode 100644 index 00000000000..50820df610d --- /dev/null +++ b/queue-3.10/smiapp-pll-correct-clock-debug-prints.patch @@ -0,0 +1,40 @@ +From bc47150ab93988714d1fab7bc82fe5f505a107ad Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Tue, 1 Apr 2014 10:22:46 -0300 +Subject: [media] smiapp-pll: Correct clock debug prints + +From: Sakari Ailus + +commit bc47150ab93988714d1fab7bc82fe5f505a107ad upstream. + +The PLL flags were not used correctly. + +Signed-off-by: Sakari Ailus +Acked-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/smiapp-pll.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/media/i2c/smiapp-pll.c ++++ b/drivers/media/i2c/smiapp-pll.c +@@ -67,7 +67,7 @@ static void print_pll(struct device *dev + { + dev_dbg(dev, "pre_pll_clk_div\t%d\n", pll->pre_pll_clk_div); + dev_dbg(dev, "pll_multiplier \t%d\n", pll->pll_multiplier); +- if (pll->flags != SMIAPP_PLL_FLAG_NO_OP_CLOCKS) { ++ if (!(pll->flags & SMIAPP_PLL_FLAG_NO_OP_CLOCKS)) { + dev_dbg(dev, "op_sys_clk_div \t%d\n", pll->op_sys_clk_div); + dev_dbg(dev, "op_pix_clk_div \t%d\n", pll->op_pix_clk_div); + } +@@ -77,7 +77,7 @@ static void print_pll(struct device *dev + dev_dbg(dev, "ext_clk_freq_hz \t%d\n", pll->ext_clk_freq_hz); + dev_dbg(dev, "pll_ip_clk_freq_hz \t%d\n", pll->pll_ip_clk_freq_hz); + dev_dbg(dev, "pll_op_clk_freq_hz \t%d\n", pll->pll_op_clk_freq_hz); +- if (pll->flags & SMIAPP_PLL_FLAG_NO_OP_CLOCKS) { ++ if (!(pll->flags & SMIAPP_PLL_FLAG_NO_OP_CLOCKS)) { + dev_dbg(dev, "op_sys_clk_freq_hz \t%d\n", + pll->op_sys_clk_freq_hz); + dev_dbg(dev, "op_pix_clk_freq_hz \t%d\n", diff --git a/queue-3.10/smiapp-take-mutex-during-pll-update-in-sensor-initialisation.patch b/queue-3.10/smiapp-take-mutex-during-pll-update-in-sensor-initialisation.patch new file mode 100644 index 00000000000..6367ed5a511 --- /dev/null +++ b/queue-3.10/smiapp-take-mutex-during-pll-update-in-sensor-initialisation.patch @@ -0,0 +1,33 @@ +From f85698cd296f08218a7750f321e94607da128600 Mon Sep 17 00:00:00 2001 +From: Sakari Ailus +Date: Tue, 16 Sep 2014 15:57:07 -0300 +Subject: [media] smiapp: Take mutex during PLL update in sensor initialisation + +From: Sakari Ailus + +commit f85698cd296f08218a7750f321e94607da128600 upstream. + +The mutex does not serialise anything in this case but avoids a lockdep +warning from the control framework. + +Signed-off-by: Sakari Ailus +Acked-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/smiapp/smiapp-core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/media/i2c/smiapp/smiapp-core.c ++++ b/drivers/media/i2c/smiapp/smiapp-core.c +@@ -2629,7 +2629,9 @@ static int smiapp_registered(struct v4l2 + pll->flags |= SMIAPP_PLL_FLAG_OP_PIX_CLOCK_PER_LANE; + pll->scale_n = sensor->limits[SMIAPP_LIMIT_SCALER_N_MIN]; + ++ mutex_lock(&sensor->mutex); + rval = smiapp_update_mode(sensor); ++ mutex_unlock(&sensor->mutex); + if (rval) { + dev_err(&client->dev, "update mode failed\n"); + goto out_nvm_release; diff --git a/queue-3.10/uvcvideo-fix-destruction-order-in-uvc_delete.patch b/queue-3.10/uvcvideo-fix-destruction-order-in-uvc_delete.patch new file mode 100644 index 00000000000..8d3afc28ffa --- /dev/null +++ b/queue-3.10/uvcvideo-fix-destruction-order-in-uvc_delete.patch @@ -0,0 +1,84 @@ +From 2228d80dd05a4fc5a410fde847677b8fb3eb23d7 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 24 Oct 2014 05:10:20 -0300 +Subject: [media] uvcvideo: Fix destruction order in uvc_delete() + +From: Takashi Iwai + +commit 2228d80dd05a4fc5a410fde847677b8fb3eb23d7 upstream. + +We've got a bug report at disconnecting a Webcam, where the kernel +spews warnings like below: + WARNING: CPU: 0 PID: 8385 at ../fs/sysfs/group.c:219 sysfs_remove_group+0x87/0x90() + sysfs group c0b2350c not found for kobject 'event3' + CPU: 0 PID: 8385 Comm: queue2:src Not tainted 3.16.2-1.gdcee397-default #1 + Hardware name: ASUSTeK Computer INC. A7N8X-E/A7N8X-E, BIOS ASUS A7N8X-E Deluxe ACPI BIOS Rev 1013 11/12/2004 + c08d0705 ddc75cbc c0718c5b ddc75ccc c024b654 c08c6d44 ddc75ce8 000020c1 + c08d0705 000000db c03d1ec7 c03d1ec7 00000009 00000000 c0b2350c d62c9064 + ddc75cd4 c024b6a3 00000009 ddc75ccc c08c6d44 ddc75ce8 ddc75cfc c03d1ec7 + Call Trace: + [] try_stack_unwind+0x156/0x170 + [] dump_trace+0x53/0x180 + [] show_trace_log_lvl+0x46/0x50 + [] show_stack_log_lvl+0x51/0xe0 + [] show_stack+0x27/0x50 + [] dump_stack+0x3e/0x4e + [] warn_slowpath_common+0x84/0xa0 + [] warn_slowpath_fmt+0x33/0x40 + [] sysfs_remove_group+0x87/0x90 + [] device_del+0x34/0x180 + [] evdev_disconnect+0x19/0x50 + [] __input_unregister_device+0x9a/0x140 + [] input_unregister_device+0x45/0x80 + [] uvc_delete+0x26/0x110 [uvcvideo] + [] v4l2_device_release+0x98/0xc0 [videodev] + [] device_release+0x2b/0x90 + [] kobject_cleanup+0x6f/0x1a0 + [] v4l2_release+0x43/0x70 [videodev] + [] __fput+0xb1/0x1b0 + [] task_work_run+0x91/0xb0 + [] do_exit+0x265/0x910 + [] do_group_exit+0x34/0xa0 + [] get_signal_to_deliver+0x17f/0x590 + [] do_signal+0x3a/0x960 + [] do_notify_resume+0x67/0x90 + [] work_notifysig+0x30/0x3b + [] 0xb7739e5f + ---[ end trace b1e56095a485b631 ]--- + +The cause is that uvc_status_cleanup() is called after usb_put_*() in +uvc_delete(). usb_put_*() removes the sysfs parent and eventually +removes the children recursively, so the later device_del() can't find +its sysfs. The fix is simply rearrange the call orders in +uvc_delete() so that the child is removed before the parent. + +Bugzilla: https://bugzilla.suse.com/show_bug.cgi?id=897736 +Reported-and-tested-by: Martin Pluskal + +Signed-off-by: Takashi Iwai +Signed-off-by: Laurent Pinchart +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/usb/uvc/uvc_driver.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/media/usb/uvc/uvc_driver.c ++++ b/drivers/media/usb/uvc/uvc_driver.c +@@ -1603,12 +1603,12 @@ static void uvc_delete(struct uvc_device + { + struct list_head *p, *n; + +- usb_put_intf(dev->intf); +- usb_put_dev(dev->udev); +- + uvc_status_cleanup(dev); + uvc_ctrl_cleanup_device(dev); + ++ usb_put_intf(dev->intf); ++ usb_put_dev(dev->udev); ++ + if (dev->vdev.dev) + v4l2_device_unregister(&dev->vdev); + #ifdef CONFIG_MEDIA_CONTROLLER diff --git a/queue-3.10/vfio-pci-fix-the-check-on-pci-device-type-in.patch b/queue-3.10/vfio-pci-fix-the-check-on-pci-device-type-in.patch new file mode 100644 index 00000000000..d3bf95fefd9 --- /dev/null +++ b/queue-3.10/vfio-pci-fix-the-check-on-pci-device-type-in.patch @@ -0,0 +1,42 @@ +From 7c2e211f3c95b91912a92a8c6736343690042e2e Mon Sep 17 00:00:00 2001 +From: Wei Yang +Date: Wed, 7 Jan 2015 10:29:11 -0700 +Subject: vfio-pci: Fix the check on pci device type in + vfio_pci_probe() + +From: Wei Yang + +commit 7c2e211f3c95b91912a92a8c6736343690042e2e upstream. + +Current vfio-pci just supports normal pci device, so vfio_pci_probe() will +return if the pci device is not a normal device. While current code makes a +mistake. PCI_HEADER_TYPE is the offset in configuration space of the device +type, but we use this value to mask the type value. + +This patch fixs this by do the check directly on the pci_dev->hdr_type. + +Signed-off-by: Wei Yang +Signed-off-by: Alex Williamson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/vfio/pci/vfio_pci.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/vfio/pci/vfio_pci.c ++++ b/drivers/vfio/pci/vfio_pci.c +@@ -519,13 +519,11 @@ static const struct vfio_device_ops vfio + + static int vfio_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id) + { +- u8 type; + struct vfio_pci_device *vdev; + struct iommu_group *group; + int ret; + +- pci_read_config_byte(pdev, PCI_HEADER_TYPE, &type); +- if ((type & PCI_HEADER_TYPE) != PCI_HEADER_TYPE_NORMAL) ++ if (pdev->hdr_type != PCI_HEADER_TYPE_NORMAL) + return -EINVAL; + + group = iommu_group_get(&pdev->dev); diff --git a/queue-3.10/video-logo-prevent-use-of-logos-after-they-have-been-freed.patch b/queue-3.10/video-logo-prevent-use-of-logos-after-they-have-been-freed.patch new file mode 100644 index 00000000000..7f9ff5169cf --- /dev/null +++ b/queue-3.10/video-logo-prevent-use-of-logos-after-they-have-been-freed.patch @@ -0,0 +1,64 @@ +From 92b004d1aa9f367c372511ca0330f58216b25703 Mon Sep 17 00:00:00 2001 +From: Tomi Valkeinen +Date: Thu, 18 Dec 2014 13:40:06 +0200 +Subject: video/logo: prevent use of logos after they have been freed + +From: Tomi Valkeinen + +commit 92b004d1aa9f367c372511ca0330f58216b25703 upstream. + +If the probe of an fb driver has been deferred due to missing +dependencies, and the probe is later ran when a module is loaded, the +fbdev framework will try to find a logo to use. + +However, the logos are __initdata, and have already been freed. This +causes sometimes page faults, if the logo memory is not mapped, +sometimes other random crashes as the logo data is invalid, and +sometimes nothing, if the fbdev decides to reject the logo (e.g. the +random value depicting the logo's height is too big). + +This patch adds a late_initcall function to mark the logos as freed. In +reality the logos are freed later, and fbdev probe may be ran between +this late_initcall and the freeing of the logos. In that case we will +miss drawing the logo, even if it would be possible. + +Signed-off-by: Tomi Valkeinen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/logo/logo.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/drivers/video/logo/logo.c ++++ b/drivers/video/logo/logo.c +@@ -25,6 +25,21 @@ static bool nologo; + module_param(nologo, bool, 0); + MODULE_PARM_DESC(nologo, "Disables startup logo"); + ++/* ++ * Logos are located in the initdata, and will be freed in kernel_init. ++ * Use late_init to mark the logos as freed to prevent any further use. ++ */ ++ ++static bool logos_freed; ++ ++static int __init fb_logo_late_init(void) ++{ ++ logos_freed = true; ++ return 0; ++} ++ ++late_initcall(fb_logo_late_init); ++ + /* logo's are marked __initdata. Use __init_refok to tell + * modpost that it is intended that this function uses data + * marked __initdata. +@@ -33,7 +48,7 @@ const struct linux_logo * __init_refok f + { + const struct linux_logo *logo = NULL; + +- if (nologo) ++ if (nologo || logos_freed) + return NULL; + + if (depth >= 1) {