From: Greg Kroah-Hartman Date: Tue, 1 Mar 2016 07:52:21 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.99~42 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1134527b2a86a7b081b2148c55c680654012c641;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: can-sja1000-clear-interrupts-on-start.patch dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch mac80211-mesh-fix-call_rcu-usage.patch rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch rfkill-copy-the-name-into-the-rfkill-struct.patch sata_sil-disable-trim.patch sched-core-remove-false-positive-warning-from-wake_up_process.patch scripts-recordmcount-break-hardlinks.patch ses-fix-additional-element-traversal-bug.patch ses-fix-problems-with-simple-enclosures.patch vgaarb-fix-signal-handling-in-vga_get.patch
---
diff --git a/queue-3.10/can-sja1000-clear-interrupts-on-start.patch b/queue-3.10/can-sja1000-clear-interrupts-on-start.patch
new file mode 100644
index 00000000000..f1fa9dcbdac
--- /dev/null
+++ b/queue-3.10/can-sja1000-clear-interrupts-on-start.patch
@@ -0,0 +1,46 @@
+From 7cecd9ab80f43972c056dc068338f7bcc407b71c Mon Sep 17 00:00:00 2001
+From: Mirza Krak
+Date: Tue, 10 Nov 2015 14:59:34 +0100
+Subject: can: sja1000: clear interrupts on start
+
+From: Mirza Krak
+
+commit 7cecd9ab80f43972c056dc068338f7bcc407b71c upstream.
+
+According to SJA1000 data sheet error-warning (EI) interrupt is not
+cleared by setting the controller in to reset-mode.
+
+Then if we have the following case:
+- system is suspended (echo mem > /sys/power/state) and SJA1000 is left
+ in operating state
+- A bus error condition occurs which activates EI interrupt, system is
+ still suspended which means EI interrupt will be not be handled nor
+ cleared.
+
+If the above two events occur, on resume there is no way to return the
+SJA1000 to operating state, except to cycle power to it.
+
+By simply reading the IR register on start we will clear any previous
+conditions that could be present.
+
+Signed-off-by: Mirza Krak
+Reported-by: Christian Magnusson
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/sja1000/sja1000.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/can/sja1000/sja1000.c
++++ b/drivers/net/can/sja1000/sja1000.c
+@@ -187,6 +187,9 @@ static void sja1000_start(struct net_dev
+ /* clear interrupt flags */
+ priv->read_reg(priv, SJA1000_IR);
+
++ /* clear interrupt flags */
++ priv->read_reg(priv, SJA1000_IR);
++
+ /* leave reset mode */
+ set_normal_mode(dev);
+ }
diff --git a/queue-3.10/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch b/queue-3.10/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
new file mode 100644
index 00000000000..48a2fef94d4
--- /dev/null
+++ b/queue-3.10/dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
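Review bot: The three lines added in the `sja1000_start` hunk repeat the context directly above them, since the unchanged lines already contain `/* clear interrupt flags */` followed by `priv->read_reg(priv, SJA1000_IR);`. That suggests the 3.10 tree already carries this change, possibly from an earlier backport, and the queued patch only adds a second, redundant IR read. A second read is probably harmless, but the patch should be checked against the current 3.10 source and dropped from the queue if the fix is already there. The body of sja1000_start begins outside the hunk.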
@@ -0,0 +1,60 @@
+From ed8b45a3679eb49069b094c0711b30833f27c734 Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Thu, 10 Dec 2015 14:37:53 +0000
+Subject: dm btree: fix bufio buffer leaks in dm_btree_del() error path
+
+From: Joe Thornber
+
+commit ed8b45a3679eb49069b094c0711b30833f27c734 upstream.
+
+If dm_btree_del()'s call to push_frame() fails, e.g. due to
+btree_node_validator finding invalid metadata, the dm_btree_del() error
+path must unlock all frames (which have active dm-bufio buffers) that
+were pushed onto the del_stack.
+
+Otherwise, dm_bufio_client_destroy() will BUG_ON() because dm-bufio
+buffers have leaked, e.g.:
+ device-mapper: bufio: leaked buffer 3, hold count 1, list 0
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/persistent-data/dm-btree.c | 16 +++++++++++++++-
+ 1 file changed, 15 insertions(+), 1 deletion(-)
+
+--- a/drivers/md/persistent-data/dm-btree.c
++++ b/drivers/md/persistent-data/dm-btree.c
+@@ -235,6 +235,16 @@ static bool is_internal_level(struct dm_
+ return f->level < (info->levels - 1);
+ }
+
++static void unlock_all_frames(struct del_stack *s)
++{
++ struct frame *f;
++
++ while (unprocessed_frames(s)) {
++ f = s->spine + s->top--;
++ dm_tm_unlock(s->tm, f->b);
++ }
++}
++
+ int dm_btree_del(struct dm_btree_info *info, dm_block_t root)
+ {
+ int r;
+@@ -290,9 +300,13 @@ int dm_btree_del(struct dm_btree_info *i
+ f->current_child = f->nr_children;
+ }
+ }
+-
+ out:
++ if (r) {
++ /* cleanup all frames of del_stack */
++ unlock_all_frames(s);
++ }
+ kfree(s);
++
+ return r;
+ }
+ EXPORT_SYMBOL_GPL(dm_btree_del);
diff --git a/queue-3.10/mac80211-mesh-fix-call_rcu-usage.patch b/queue-3.10/mac80211-mesh-fix-call_rcu-usage.patch
new file mode 100644
index 00000000000..b9fa7e12916
--- /dev/null
+++ b/queue-3.10/mac80211-mesh-fix-call_rcu-usage.patch
@@ -0,0 +1,67 @@
+From c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Tue, 17 Nov 2015 14:25:21 +0100
+Subject: mac80211: mesh: fix call_rcu() usage
+
+From: Johannes Berg
+
+commit c2e703a55245bfff3db53b1f7cbe59f1ee8a4339 upstream.
+
+When using call_rcu(), the called function may be delayed quite
+significantly, and without a matching rcu_barrier() there's no
+way to be sure it has finished.
+Therefore, global state that could be gone/freed/reused should
+never be touched in the callback.
+
+Fix this in mesh by moving the atomic_dec() into the caller;
+that's not really a problem since we already unlinked the path
+and it will be destroyed anyway.
+
+This fixes a crash Jouni observed when running certain tests in
+a certain order, in which the mesh interface was torn down, the
+memory reused for a function pointer (work struct) and running
+that then crashed since the pointer had been decremented by 1,
+resulting in an invalid instruction byte stream.
+
+Fixes: eb2b9311fd00 ("mac80211: mesh path table implementation")
+Reported-by: Jouni Malinen
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/mesh_pathtbl.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/net/mac80211/mesh_pathtbl.c
++++ b/net/mac80211/mesh_pathtbl.c
+@@ -747,10 +747,8 @@ void mesh_plink_broken(struct sta_info *
+ static void mesh_path_node_reclaim(struct rcu_head *rp)
+ {
+ struct mpath_node *node = container_of(rp, struct mpath_node, rcu);
+- struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
+
+ del_timer_sync(&node->mpath->timer);
+- atomic_dec(&sdata->u.mesh.mpaths);
+ kfree(node->mpath);
+ kfree(node);
+ }
+@@ -758,8 +756,9 @@ static void mesh_path_node_reclaim(struc
+ /* needs to be called with the corresponding hashwlock taken */
+ static void __mesh_path_del(struct mesh_table *tbl, struct mpath_node *node)
+ {
+- struct mesh_path *mpath;
+- mpath = node->mpath;
++ struct mesh_path *mpath = node->mpath;
++ struct ieee80211_sub_if_data *sdata = node->mpath->sdata;
++
+ spin_lock(&mpath->state_lock);
+ mpath->flags |= MESH_PATH_RESOLVING;
+ if (mpath->is_gate)
+@@ -767,6 +766,7 @@ static void __mesh_path_del(struct mesh_
+ hlist_del_rcu(&node->list);
+ call_rcu(&node->rcu, mesh_path_node_reclaim);
+ spin_unlock(&mpath->state_lock);
++ atomic_dec(&sdata->u.mesh.mpaths);
+ atomic_dec(&tbl->entries);
+ }
+
diff --git a/queue-3.10/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch b/queue-3.10/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
new file mode 100644
index 00000000000..1cc002c41c9
--- /dev/null
+++ b/queue-3.10/rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
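Review bot: In `__mesh_path_del` the new initialiser `sdata = node->mpath->sdata` walks the same pointer that was stored in `mpath` on the line before, so `struct ieee80211_sub_if_data *sdata = mpath->sdata;` would read more directly. The moved `atomic_dec(&sdata->u.mesh.mpaths);` also deserves a short comment so the reason for its placement stays with the code, for example `/* not in the RCU callback: sdata may already be freed when it runs */`. That wording follows the commit message rather than anything visible in the hunk.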
@@ -0,0 +1,71 @@
+From 8c7188b23474cca017b3ef354c4a58456f68303a Mon Sep 17 00:00:00 2001
+From: Quentin Casasnovas
+Date: Tue, 24 Nov 2015 17:13:21 -0500
+Subject: RDS: fix race condition when sending a message on unbound socket
+
+From: Quentin Casasnovas
+
+commit 8c7188b23474cca017b3ef354c4a58456f68303a upstream.
+
+Sasha's found a NULL pointer dereference in the RDS connection code when
+sending a message to an apparently unbound socket. The problem is caused
+by the code checking if the socket is bound in rds_sendmsg(), which checks
+the rs_bound_addr field without taking a lock on the socket. This opens a
+race where rs_bound_addr is temporarily set but where the transport is not
+in rds_bind(), leading to a NULL pointer dereference when trying to
+dereference 'trans' in __rds_conn_create().
+
+Vegard wrote a reproducer for this issue, so kindly ask him to share if
+you're interested.
+
+I cannot reproduce the NULL pointer dereference using Vegard's reproducer
+with this patch, whereas I could without.
+
+Complete earlier incomplete fix to CVE-2015-6937:
+
+ 74e98eb08588 ("RDS: verify the underlying transport exists before creating a connection")
+
+Reviewed-by: Vegard Nossum
+Reviewed-by: Sasha Levin
+Acked-by: Santosh Shilimkar
+Signed-off-by: Quentin Casasnovas
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rds/connection.c | 6 ------
+ net/rds/send.c | 4 +++-
+ 2 files changed, 3 insertions(+), 7 deletions(-)
+
+--- a/net/rds/connection.c
++++ b/net/rds/connection.c
+@@ -177,12 +177,6 @@ static struct rds_connection *__rds_conn
+ }
+ }
+
+- if (trans == NULL) {
+- kmem_cache_free(rds_conn_slab, conn);
+- conn = ERR_PTR(-ENODEV);
+- goto out;
+- }
+-
+ conn->c_trans = trans;
+
+ ret = trans->conn_alloc(conn, gfp);
+--- a/net/rds/send.c
++++ b/net/rds/send.c
+@@ -955,11 +955,13 @@ int rds_sendmsg(struct kiocb *iocb, stru
+ release_sock(sk);
+ }
+
+- /* racing with another thread binding seems ok here */
++ lock_sock(sk);
+ if (daddr == 0 || rs->rs_bound_addr == 0) {
++ release_sock(sk);
+ ret = -ENOTCONN; /* XXX not a great errno */
+ goto out;
+ }
++ release_sock(sk);
+
+ /* size of rm including all sgs */
+ ret = rds_rm_size(msg, payload_len);
diff --git a/queue-3.10/rfkill-copy-the-name-into-the-rfkill-struct.patch b/queue-3.10/rfkill-copy-the-name-into-the-rfkill-struct.patch
new file mode 100644
index 00000000000..63eec01be66
--- /dev/null
+++ b/queue-3.10/rfkill-copy-the-name-into-the-rfkill-struct.patch
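Review bot: The new `lock_sock(sk)` in `rds_sendmsg` covers only the `rs->rs_bound_addr == 0` test, and `release_sock(sk)` follows at once, so anything the rest of the function reads from the socket's bound state is unlocked again. The connection.c hunk also removes the `if (trans == NULL)` guard, which leaves `trans->conn_alloc(conn, gfp)` with no fallback if any path still reaches `__rds_conn_create` without a transport. Because the commit message ties this to CVE-2015-6937, I would keep the `-ENODEV` guard as defence in depth until every caller is shown to hold the lock across both the check and the use. Both function bodies continue outside the hunks, so the later uses are inferred rather than visible here.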
@@ -0,0 +1,59 @@
+From b7bb110008607a915298bf0f47d25886ecb94477 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Thu, 10 Dec 2015 10:37:51 +0100
+Subject: rfkill: copy the name into the rfkill struct
+
+From: Johannes Berg
+
+commit b7bb110008607a915298bf0f47d25886ecb94477 upstream.
+
+Some users of rfkill, like NFC and cfg80211, use a dynamic name when
+allocating rfkill, in those cases dev_name(). Therefore, the pointer
+passed to rfkill_alloc() might not be valid forever, I specifically
+found the case that the rfkill name was quite obviously an invalid
+pointer (or at least garbage) when the wiphy had been renamed.
+
+Fix this by making a copy of the rfkill name in rfkill_alloc().
+
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/rfkill/core.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/net/rfkill/core.c
++++ b/net/rfkill/core.c
+@@ -51,7 +51,6 @@
+ struct rfkill {
+ spinlock_t lock;
+
+- const char *name;
+ enum rfkill_type type;
+
+ unsigned long state;
+@@ -75,6 +74,7 @@ struct rfkill {
+ struct delayed_work poll_work;
+ struct work_struct uevent_work;
+ struct work_struct sync_work;
++ char name[];
+ };
+ #define to_rfkill(d) container_of(d, struct rfkill, dev)
+
+@@ -871,14 +871,14 @@ struct rfkill * __must_check rfkill_allo
+ if (WARN_ON(type == RFKILL_TYPE_ALL || type >= NUM_RFKILL_TYPES))
+ return NULL;
+
+- rfkill = kzalloc(sizeof(*rfkill), GFP_KERNEL);
++ rfkill = kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL);
+ if (!rfkill)
+ return NULL;
+
+ spin_lock_init(&rfkill->lock);
+ INIT_LIST_HEAD(&rfkill->node);
+ rfkill->type = type;
+- rfkill->name = name;
++ strcpy(rfkill->name, name);
+ rfkill->ops = ops;
+ rfkill->data = ops_data;
+
diff --git a/queue-3.10/sata_sil-disable-trim.patch b/queue-3.10/sata_sil-disable-trim.patch
new file mode 100644
index 00000000000..d3208190580
--- /dev/null
+++ b/queue-3.10/sata_sil-disable-trim.patch
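Review bot: In `rfkill_alloc` the length of `name` is measured for `kzalloc(sizeof(*rfkill) + strlen(name) + 1, GFP_KERNEL)` and the string is then copied separately with an unbounded `strcpy(rfkill->name, name)`. The commit message says callers pass dynamic names such as `dev_name()` that change on rename, so if the string can grow between the two calls the copy would overrun the allocation; whether that race can happen is not visible here. Taking the length once and bounding the copy keeps the write inside the buffer: `size_t len = strlen(name) + 1;`, `rfkill = kzalloc(sizeof(*rfkill) + len, GFP_KERNEL);`, `strlcpy(rfkill->name, name, len);`. A NULL `name` would also fault in `strlen()`, and the hunk shows only the `type` check, so confirm that a `name` check exists above it.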
@@ -0,0 +1,51 @@
+From d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Thu, 26 Nov 2015 12:00:59 -0500
+Subject: sata_sil: disable trim
+
+From: Mikulas Patocka
+
+commit d98f1cd0a3b70ea91f1dfda3ac36c3b2e1a4d5e2 upstream.
+
+When I connect an Intel SSD to SATA SIL controller (PCI ID 1095:3114), any
+TRIM command results in I/O errors being reported in the log. There is
+other similar error reported with TRIM and the SIL controller:
+https://bugs.centos.org/view.php?id=5880
+
+Apparently the controller doesn't support TRIM commands. This patch
+disables TRIM support on the SATA SIL controller.
+
+ata7.00: exception Emask 0x0 SAct 0x0 SErr 0x0 action 0x0
+ata7.00: BMDMA2 stat 0x50001
+ata7.00: failed command: DATA SET MANAGEMENT
+ata7.00: cmd 06/01:01:00:00:00/00:00:00:00:00/a0 tag 0 dma 512 out
+ res 51/04:01:00:00:00/00:00:00:00:00/a0 Emask 0x1 (device error)
+ata7.00: status: { DRDY ERR }
+ata7.00: error: { ABRT }
+ata7.00: device reported invalid CHS sector 0
+sd 8:0:0:0: [sdb] tag#0 FAILED Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE
+sd 8:0:0:0: [sdb] tag#0 Sense Key : Illegal Request [current] [descriptor]
+sd 8:0:0:0: [sdb] tag#0 Add. Sense: Unaligned write command
+sd 8:0:0:0: [sdb] tag#0 CDB: Write same(16) 93 08 00 00 00 00 00 21 95 88 00 20 00 00 00 00
+blk_update_request: I/O error, dev sdb, sector 2200968
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Tejun Heo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/sata_sil.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/ata/sata_sil.c
++++ b/drivers/ata/sata_sil.c
+@@ -631,6 +631,9 @@ static void sil_dev_config(struct ata_de
+ unsigned int n, quirks = 0;
+ unsigned char model_num[ATA_ID_PROD_LEN + 1];
+
++ /* This controller doesn't support trim */
++ dev->horkage |= ATA_HORKAGE_NOTRIM;
++
+ ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
+
+ for (n = 0; sil_blacklist[n].product; n++)
diff --git a/queue-3.10/sched-core-remove-false-positive-warning-from-wake_up_process.patch b/queue-3.10/sched-core-remove-false-positive-warning-from-wake_up_process.patch
new file mode 100644
index 00000000000..b027c38888d
--- /dev/null
+++ b/queue-3.10/sched-core-remove-false-positive-warning-from-wake_up_process.patch
@@ -0,0 +1,39 @@
+From 119d6f6a3be8b424b200dcee56e74484d5445f7e Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Mon, 30 Nov 2015 20:34:20 -0500
+Subject: sched/core: Remove false-positive warning from wake_up_process()
+
+From: Sasha Levin
+
+commit 119d6f6a3be8b424b200dcee56e74484d5445f7e upstream.
+
+Because wakeups can (fundamentally) be late, a task might not be in
+the expected state. Therefore testing against a task's state is racy,
+and can yield false positives.
+
+Signed-off-by: Sasha Levin
+Signed-off-by: Peter Zijlstra (Intel)
+Acked-by: Linus Torvalds
+Cc: Mike Galbraith
+Cc: Peter Zijlstra
+Cc: Thomas Gleixner
+Cc: oleg@redhat.com
+Fixes: 9067ac85d533 ("wake_up_process() should be never used to wakeup a TASK_STOPPED/TRACED task")
+Link: http://lkml.kernel.org/r/1448933660-23082-1-git-send-email-sasha.levin@oracle.com
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/sched/core.c | 1 -
+ 1 file changed, 1 deletion(-)
+
+--- a/kernel/sched/core.c
++++ b/kernel/sched/core.c
+@@ -1587,7 +1587,6 @@ out:
+ */
+ int wake_up_process(struct task_struct *p)
+ {
+- WARN_ON(task_is_stopped_or_traced(p));
+ return try_to_wake_up(p, TASK_NORMAL, 0);
+ }
+ EXPORT_SYMBOL(wake_up_process);
diff --git a/queue-3.10/scripts-recordmcount-break-hardlinks.patch b/queue-3.10/scripts-recordmcount-break-hardlinks.patch
new file mode 100644
index 00000000000..3171006873c
--- /dev/null
+++ b/queue-3.10/scripts-recordmcount-break-hardlinks.patch
@@ -0,0 +1,46 @@
+From dd39a26538e37f6c6131e829a4a510787e43c783 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Fri, 11 Dec 2015 12:09:03 +0000
+Subject: scripts: recordmcount: break hardlinks
+
+From: Russell King
+
+commit dd39a26538e37f6c6131e829a4a510787e43c783 upstream.
+
+recordmcount edits the file in-place, which can cause problems when
+using ccache in hardlink mode. Arrange for recordmcount to break a
+hardlinked object.
+
+Link: http://lkml.kernel.org/r/E1a7MVT-0000et-62@rmk-PC.arm.linux.org.uk
+
+Signed-off-by: Russell King
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ scripts/recordmcount.c | 14 ++++++++++++++
+ 1 file changed, 14 insertions(+)
+
+--- a/scripts/recordmcount.c
++++ b/scripts/recordmcount.c
+@@ -189,6 +189,20 @@ static void *mmap_file(char const *fname
+ addr = umalloc(sb.st_size);
+ uread(fd_map, addr, sb.st_size);
+ }
++ if (sb.st_nlink != 1) {
++ /* file is hard-linked, break the hard link */
++ close(fd_map);
++ if (unlink(fname) < 0) {
++ perror(fname);
++ fail_file();
++ }
++ fd_map = open(fname, O_RDWR | O_CREAT, sb.st_mode);
++ if (fd_map < 0) {
++ perror(fname);
++ fail_file();
++ }
++ uwrite(fd_map, addr, sb.st_size);
++ }
+ return addr;
+ }
+
diff --git a/queue-3.10/series b/queue-3.10/series
index f0af1565e6a..6818b6dc89a 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
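Review bot: The hard-link break in `mmap_file` removes the path with `unlink(fname)` and then re-creates it with `open(fname, O_RDWR | O_CREAT, sb.st_mode)`, which opens whatever exists at that path by then, including a file or symlink another process placed there in the gap. Adding `O_EXCL` makes the open fail instead of following it: `fd_map = open(fname, O_RDWR | O_CREAT | O_EXCL, sb.st_mode);`. The sequence is also not atomic, so an interruption between `unlink()` and `uwrite()` leaves no object file at all; writing a temporary file and `rename()`-ing it over `fname` would avoid that. The start of mmap_file is outside the hunk.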
@@ -33,3 +33,14 @@ arc-dw2-unwind-remove-falllback-linear-search-thru-fde-entries.patch
 vfs-avoid-softlockups-with-sendfile-2.patch
 ring-buffer-update-read-stamp-with-first-real-commit-on-page.patch
 virtio-fix-memory-leak-of-virtio-ida-cache-layers.patch
+mac80211-mesh-fix-call_rcu-usage.patch
+rds-fix-race-condition-when-sending-a-message-on-unbound-socket.patch
+can-sja1000-clear-interrupts-on-start.patch
+sched-core-remove-false-positive-warning-from-wake_up_process.patch
+sata_sil-disable-trim.patch
+dm-btree-fix-bufio-buffer-leaks-in-dm_btree_del-error-path.patch
+vgaarb-fix-signal-handling-in-vga_get.patch
+rfkill-copy-the-name-into-the-rfkill-struct.patch
+ses-fix-problems-with-simple-enclosures.patch
+ses-fix-additional-element-traversal-bug.patch
+scripts-recordmcount-break-hardlinks.patch
diff --git a/queue-3.10/ses-fix-additional-element-traversal-bug.patch b/queue-3.10/ses-fix-additional-element-traversal-bug.patch
new file mode 100644
index 00000000000..f91861d717d
--- /dev/null
+++ b/queue-3.10/ses-fix-additional-element-traversal-bug.patch
@@ -0,0 +1,61 @@
+From 5e1033561da1152c57b97ee84371dba2b3d64c25 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Fri, 11 Dec 2015 09:16:38 -0800
+Subject: ses: fix additional element traversal bug
+
+From: James Bottomley
+
+commit 5e1033561da1152c57b97ee84371dba2b3d64c25 upstream.
+
+KASAN found that our additional element processing scripts drop off
+the end of the VPD page into unallocated space. The reason is that
+not every element has additional information but our traversal
+routines think they do, leading to them expecting far more additional
+information than is present. Fix this by adding a gate to the
+traversal routine so that it only processes elements that are expected
+to have additional information (list is in SES-2 section 6.1.13.1:
+Additional Element Status diagnostic page overview)
+
+Reported-by: Pavel Tikhomirov
+Tested-by: Pavel Tikhomirov
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ses.c | 10 +++++++++-
+ include/linux/enclosure.h | 4 ++++
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -454,7 +454,15 @@ static void ses_enclosure_data_process(s
+ if (desc_ptr)
+ desc_ptr += len;
+
+- if (addl_desc_ptr)
++ if (addl_desc_ptr &&
++ /* only find additional descriptions for specific devices */
++ (type_ptr[0] == ENCLOSURE_COMPONENT_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_ARRAY_DEVICE ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SAS_EXPANDER ||
++ /* these elements are optional */
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_TARGET_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT ||
++ type_ptr[0] == ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS))
+ addl_desc_ptr += addl_desc_ptr[1] + 2;
+
+ }
+--- a/include/linux/enclosure.h
++++ b/include/linux/enclosure.h
+@@ -29,7 +29,11 @@
+ /* A few generic types ... taken from ses-2 */
+ enum enclosure_component_type {
+ ENCLOSURE_COMPONENT_DEVICE = 0x01,
++ ENCLOSURE_COMPONENT_CONTROLLER_ELECTRONICS = 0x07,
++ ENCLOSURE_COMPONENT_SCSI_TARGET_PORT = 0x14,
++ ENCLOSURE_COMPONENT_SCSI_INITIATOR_PORT = 0x15,
+ ENCLOSURE_COMPONENT_ARRAY_DEVICE = 0x17,
++ ENCLOSURE_COMPONENT_SAS_EXPANDER = 0x18,
+ };
+
+ /* ses-2 common element status */
diff --git a/queue-3.10/ses-fix-problems-with-simple-enclosures.patch b/queue-3.10/ses-fix-problems-with-simple-enclosures.patch
new file mode 100644
index 00000000000..a5e1c7d4b1f
--- /dev/null
+++ b/queue-3.10/ses-fix-problems-with-simple-enclosures.patch
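Review bot: The step `addl_desc_ptr += addl_desc_ptr[1] + 2;` in `ses_enclosure_data_process` still takes its length from a byte supplied by the enclosure and is not compared with the end of the page; the new type gate only decides when the step runs. As far as this hunk shows, a device that reports an oversized descriptor length for one of the gated element types could still move the pointer past the buffer that KASAN flagged. I would check the pointer against the end of the additional-element page before `addl_desc_ptr[1]` is read, and stop the traversal by setting `addl_desc_ptr` to NULL when the descriptor does not fit. The loop and the page length are outside the hunk, so this needs confirming against the full function.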
@@ -0,0 +1,67 @@
+From 3417c1b5cb1fdc10261dbed42b05cc93166a78fd Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Tue, 8 Dec 2015 09:00:31 -0800
+Subject: ses: Fix problems with simple enclosures
+
+From: James Bottomley
+
+commit 3417c1b5cb1fdc10261dbed42b05cc93166a78fd upstream.
+
+Simple enclosure implementations (mostly USB) are allowed to return only
+page 8 to every diagnostic query. That really confuses our
+implementation because we assume the return is the page we asked for and
+end up doing incorrect offsets based on bogus information leading to
+accesses outside of allocated ranges. Fix that by checking the page
+code of the return and giving an error if it isn't the one we asked for.
+This should fix reported bugs with USB storage by simply refusing to
+attach to enclosures that behave like this. It's also good defensive
+practise now that we're starting to see more USB enclosures.
+
+Reported-by: Andrea Gelmini
+Reviewed-by: Ewan D. Milne
+Reviewed-by: Tomas Henzl
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ses.c | 20 +++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -70,6 +70,7 @@ static int ses_probe(struct device *dev)
+ static int ses_recv_diag(struct scsi_device *sdev, int page_code,
+ void *buf, int bufflen)
+ {
++ int ret;
+ unsigned char cmd[] = {
+ RECEIVE_DIAGNOSTIC,
+ 1, /* Set PCV bit */
+@@ -78,9 +79,26 @@ static int ses_recv_diag(struct scsi_dev
+ bufflen & 0xff,
+ 0
+ };
++ unsigned char recv_page_code;
+
+- return scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
++ ret = scsi_execute_req(sdev, cmd, DMA_FROM_DEVICE, buf, bufflen,
+ NULL, SES_TIMEOUT, SES_RETRIES, NULL);
++ if (unlikely(!ret))
++ return ret;
++
++ recv_page_code = ((unsigned char *)buf)[0];
++
++ if (likely(recv_page_code == page_code))
++ return ret;
++
++ /* successful diagnostic but wrong page code. This happens to some
++ * USB devices, just print a message and pretend there was an error */
++
++ sdev_printk(KERN_ERR, sdev,
++ "Wrong diagnostic page; asked for %d got %u\n",
++ page_code, recv_page_code);
++
++ return -EINVAL;
+ }
+
+ static int ses_send_diag(struct scsi_device *sdev, int page_code,
diff --git a/queue-3.10/vgaarb-fix-signal-handling-in-vga_get.patch b/queue-3.10/vgaarb-fix-signal-handling-in-vga_get.patch
new file mode 100644
index 00000000000..a51dd312516
--- /dev/null
+++ b/queue-3.10/vgaarb-fix-signal-handling-in-vga_get.patch
@@ -0,0 +1,43 @@
+From 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 30 Nov 2015 04:17:31 +0200
+Subject: vgaarb: fix signal handling in vga_get()
+
+From: Kirill A. Shutemov
+
+commit 9f5bd30818c42c6c36a51f93b4df75a2ea2bd85e upstream.
+
+There are few defects in vga_get() related to signal hadning:
+
+ - we shouldn't check for pending signals for TASK_UNINTERRUPTIBLE
+ case;
+
+ - if we found pending signal we must remove ourself from wait queue
+ and change task state back to running;
+
+ - -ERESTARTSYS is more appropriate, I guess.
+
+Signed-off-by: Kirill A. Shutemov
+Reviewed-by: David Herrmann
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/vga/vgaarb.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/vga/vgaarb.c
++++ b/drivers/gpu/vga/vgaarb.c
+@@ -392,8 +392,10 @@ int vga_get(struct pci_dev *pdev, unsign
+ set_current_state(interruptible ?
+ TASK_INTERRUPTIBLE :
+ TASK_UNINTERRUPTIBLE);
+- if (signal_pending(current)) {
+- rc = -EINTR;
++ if (interruptible && signal_pending(current)) {
++ __set_current_state(TASK_RUNNING);
++ remove_wait_queue(&vga_wait_queue, &wait);
++ rc = -ERESTARTSYS;
+ break;
+ }
+ schedule();
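Review bot: The early return after `scsi_execute_req()` in `ses_recv_diag` looks inverted: `if (unlikely(!ret)) return ret;` returns when the command succeeded, because scsi_execute_req() reports success as 0, so the page-code comparison is skipped exactly when the buffer holds a reply. On failure the code falls through, reads `((unsigned char *)buf)[0]` from a buffer the device may not have filled, and then returns either the original error or `-EINVAL` depending on that stale byte. The check should be `if (unlikely(ret)) return ret;`, so that the wrong-page test the commit message describes actually runs on successful transfers.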