From: Greg Kroah-Hartman Date: Sat, 9 Nov 2013 05:51:48 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.69~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=29e1ef803746a6e7ce128d2984f170b6c04d373a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: aacraid-missing-capable-check-in-compat-ioctl.patch alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch alsa-hda-add-a-fixup-for-asus-n76vz.patch asoc-dapm-fix-source-list-debugfs-outputs.patch asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch staging-bcm-info-leak-in-ioctl.patch staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch uml-check-length-in-exitcode_proc_write.patch xtensa-don-t-use-alternate-signal-stack-on-threads.patch
---
diff --git a/queue-3.4/aacraid-missing-capable-check-in-compat-ioctl.patch b/queue-3.4/aacraid-missing-capable-check-in-compat-ioctl.patch
new file mode 100644
index 00000000000..61d57b02c96
--- /dev/null
+++ b/queue-3.4/aacraid-missing-capable-check-in-compat-ioctl.patch
@@ -0,0 +1,32 @@ +From f856567b930dfcdbc3323261bf77240ccdde01f5 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 29 Oct 2013 22:11:06 +0300 +Subject: aacraid: missing capable() check in compat ioctl + +From: Dan Carpenter + +commit f856567b930dfcdbc3323261bf77240ccdde01f5 upstream. + +In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we +added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the +check as well. + +Signed-off-by: Dan Carpenter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/aacraid/linit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/aacraid/linit.c ++++ b/drivers/scsi/aacraid/linit.c +@@ -777,6 +777,8 @@ static long aac_compat_do_ioctl(struct a + static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg) + { + struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata; ++ if (!capable(CAP_SYS_RAWIO)) ++ return -EPERM; + return aac_compat_do_ioctl(dev, cmd, (unsigned long)arg); + } + diff --git a/queue-3.4/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch b/queue-3.4/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch new file mode 100644 index 00000000000..c820361b622 --- /dev/null +++ b/queue-3.4/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch 
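Review bot: The CAP_SYS_RAWIO gate is added in the `aac_compat_ioctl()` wrapper rather than inside `aac_compat_do_ioctl()`, so every other caller of `aac_compat_do_ioctl()` has to carry its own check; no other caller is visible in this hunk, so that should be confirmed against the rest of linit.c. The `if` also follows the `dev` declaration with no blank line, which makes it easy to read past. A one-line comment above it, such as `/* compat path needs the same CAP_SYS_RAWIO gate as the native ioctl */`, would record why the check is here and keep it from being dropped in a later cleanup.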
@@ -0,0 +1,71 @@ +From a4461f41b94cb52e0141af717dcf4ef6558c8e2e Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 31 Oct 2013 15:01:37 +0000 +Subject: ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM + +From: Russell King + +commit a4461f41b94cb52e0141af717dcf4ef6558c8e2e upstream. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = d5300000 +[00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755 +task: dee74800 ti: e213c000 task.ti: e213c000 +PC is at snd_pcm_info+0xc8/0xd8 +LR is at 0x30232065 +pc : [] lr : [<30232065>] psr: a0070013 +sp : e213dea8 ip : d81cb0d0 fp : c05f7678 +r10: c05f7770 r9 : fffffdfd r8 : 00000000 +r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000 +r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c5387d Table: 15300019 DAC: 00000015 +Process vlc (pid: 2295, stack limit = 0xe213c248) +[] (snd_pcm_info) from [] (snd_pcm_info_user+0x34/0x9c) +[] (snd_pcm_info_user) from [] (snd_pcm_control_ioctl+0x274/0x280) +[] (snd_pcm_control_ioctl) from [] (snd_ctl_ioctl+0xc0/0x55c) +[] (snd_ctl_ioctl) from [] (do_vfs_ioctl+0x80/0x31c) +[] (do_vfs_ioctl) from [] (SyS_ioctl+0x3c/0x60) +[] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x48) +Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008) +---[ end trace cb3d9bdb8dfefb3c ]--- + +This is provoked when the ASoC front end is open along with its backend, +(which causes the backend to have a runtime assigned to it) and then the +SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device. + +Resolve this by ensuring that ASoC internal backend devices are not +visible to userspace, just as the commentry for snd_pcm_new_internal() +says it should be. 
+ +Signed-off-by: Russell King +Acked-by: Mark Brown +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -49,6 +49,8 @@ static struct snd_pcm *snd_pcm_get(struc + struct snd_pcm *pcm; + + list_for_each_entry(pcm, &snd_pcm_devices, list) { ++ if (pcm->internal) ++ continue; + if (pcm->card == card && pcm->device == device) + return pcm; + } +@@ -60,6 +62,8 @@ static int snd_pcm_next(struct snd_card + struct snd_pcm *pcm; + + list_for_each_entry(pcm, &snd_pcm_devices, list) { ++ if (pcm->internal) ++ continue; + if (pcm->card == card && pcm->device > device) + return pcm->device; + else if (pcm->card->number > card->number) diff --git a/queue-3.4/alsa-hda-add-a-fixup-for-asus-n76vz.patch b/queue-3.4/alsa-hda-add-a-fixup-for-asus-n76vz.patch new file mode 100644 index 00000000000..9ebeb6998fb --- /dev/null +++ b/queue-3.4/alsa-hda-add-a-fixup-for-asus-n76vz.patch 
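Review bot: The `if (pcm->internal) continue;` filter in `snd_pcm_get()` and `snd_pcm_next()` carries no comment, although it is what keeps back-end PCMs out of the control-ioctl lookup described in the commit message. I would add `/* internal (ASoC back-end) PCMs must not be visible to userspace */` above the first test. Both functions start and end outside their hunks, and any other walk over `snd_pcm_devices` elsewhere in pcm.c would need the same filter; that is not visible here. The dereference in `snd_pcm_info()` that produced the oops is not touched, so the fix presumably depends on every user-reachable lookup going through these two helpers.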
@@ -0,0 +1,30 @@ +From 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 30 Oct 2013 12:29:40 +0100 +Subject: ALSA: hda - Add a fixup for ASUS N76VZ + +From: Takashi Iwai + +commit 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 upstream. + +ASUS N76VZ needs the same fixup as N56VZ for supporting the boost +speaker. + +Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529 +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -6833,6 +6833,7 @@ static const struct snd_pci_quirk alc662 + SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800), + SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4), ++ SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_ASUS_MODE4), + SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT), + SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2), + SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD), diff --git a/queue-3.4/asoc-dapm-fix-source-list-debugfs-outputs.patch b/queue-3.4/asoc-dapm-fix-source-list-debugfs-outputs.patch new file mode 100644 index 00000000000..37991ad14fa --- /dev/null +++ b/queue-3.4/asoc-dapm-fix-source-list-debugfs-outputs.patch 
@@ -0,0 +1,32 @@ +From ff18620c2157671a8ee21ebb8e6a3520ea209b1f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 28 Oct 2013 14:21:49 +0100 +Subject: ASoC: dapm: Fix source list debugfs outputs + +From: Takashi Iwai + +commit ff18620c2157671a8ee21ebb8e6a3520ea209b1f upstream. + +... due to a copy & paste error. + +Spotted by coverity CID 710923. + +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1590,7 +1590,7 @@ static ssize_t dapm_widget_power_read_fi + w->active ? "active" : "inactive"); + + list_for_each_entry(p, &w->sources, list_sink) { +- if (p->connected && !p->connected(w, p->sink)) ++ if (p->connected && !p->connected(w, p->source)) + continue; + + if (p->connect) diff --git a/queue-3.4/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch b/queue-3.4/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch new file mode 100644 index 00000000000..951a9c78188 --- /dev/null +++ b/queue-3.4/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch @@ -0,0 +1,29 @@ +From 268ff14525edba31da29a12a9dd693cdd6a7872e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 30 Oct 2013 08:35:02 +0100 +Subject: ASoC: wm_hubs: Add missing break in hp_supply_event() + +From: Takashi Iwai + +commit 268ff14525edba31da29a12a9dd693cdd6a7872e upstream. + +Spotted by coverity CID 115170. + +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm_hubs.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/soc/codecs/wm_hubs.c ++++ b/sound/soc/codecs/wm_hubs.c +@@ -413,6 +413,7 @@ static int hp_supply_event(struct snd_so + hubs->hp_startup_mode); + break; + } ++ break; + + case SND_SOC_DAPM_PRE_PMD: + snd_soc_update_bits(codec, WM8993_CHARGE_PUMP_1, 
diff --git a/queue-3.4/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch b/queue-3.4/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
new file mode 100644
index 00000000000..3445409070f
--- /dev/null
+++ b/queue-3.4/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
@@ -0,0 +1,62 @@ +From 3d77b50c5874b7e923be946ba793644f82336b75 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Thu, 31 Oct 2013 16:34:17 -0700 +Subject: lib/scatterlist.c: don't flush_kernel_dcache_page on slab page + +From: Ming Lei + +commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream. + +Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper +functions") introduces two sg buffer copy helpers, and calls +flush_kernel_dcache_page() on pages in SG list after these pages are +written to. + +Unfortunately, the commit may introduce a potential bug: + + - Before sending some SCSI commands, kmalloc() buffer may be passed to + block layper, so flush_kernel_dcache_page() can see a slab page + finally + + - According to cachetlb.txt, flush_kernel_dcache_page() is only called + on "a user page", which surely can't be a slab page. + + - ARCH's implementation of flush_kernel_dcache_page() may use page + mapping information to do optimization so page_mapping() will see the + slab page, then VM_BUG_ON() is triggered. + +Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, +and this patch fixes the bug by adding test of '!PageSlab(miter->page)' +before calling flush_kernel_dcache_page(). + +Signed-off-by: Ming Lei +Reported-by: Aaro Koskinen +Tested-by: Simon Baatz +Cc: Russell King - ARM Linux +Cc: Will Deacon +Cc: Aaro Koskinen +Acked-by: Catalin Marinas +Cc: FUJITA Tomonori +Cc: Tejun Heo +Cc: "James E.J. 
Bottomley" +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/scatterlist.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -419,7 +419,8 @@ void sg_miter_stop(struct sg_mapping_ite + if (miter->addr) { + miter->__offset += miter->consumed; + +- if (miter->__flags & SG_MITER_TO_SG) ++ if ((miter->__flags & SG_MITER_TO_SG) && ++ !PageSlab(miter->page)) + flush_kernel_dcache_page(miter->page); + + if (miter->__flags & SG_MITER_ATOMIC) { diff --git a/queue-3.4/series b/queue-3.4/series index 2a5a37058f0..5cb4bcfda74 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -11,3 +11,13 @@ libata-make-ata_eh_qc_retry-bump-scmd-allowed-on-bogus-failures.patch md-fix-skipping-recovery-for-read-only-arrays.patch clockevents-sanitize-ticks-to-nsec-conversion.patch parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch +alsa-hda-add-a-fixup-for-asus-n76vz.patch +alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch +asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch +asoc-dapm-fix-source-list-debugfs-outputs.patch +staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch +staging-bcm-info-leak-in-ioctl.patch +uml-check-length-in-exitcode_proc_write.patch +xtensa-don-t-use-alternate-signal-stack-on-threads.patch +lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch +aacraid-missing-capable-check-in-compat-ioctl.patch diff --git a/queue-3.4/staging-bcm-info-leak-in-ioctl.patch b/queue-3.4/staging-bcm-info-leak-in-ioctl.patch new file mode 100644 index 00000000000..092031c10c8 --- /dev/null +++ b/queue-3.4/staging-bcm-info-leak-in-ioctl.patch 
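Review bot: The new `!PageSlab(miter->page)` condition in `sg_miter_stop()` has no comment, and the reason for it lives only in the commit message. Without one the test looks arbitrary next to the `SG_MITER_TO_SG` flag check and is a candidate for removal in a later cleanup. I would add `/* flush_kernel_dcache_page() is only for user pages; kmalloc'ed sg buffers are slab pages */` above the `if`. The function body starts and ends outside the hunk.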
@@ -0,0 +1,32 @@ +From 8d1e72250c847fa96498ec029891de4dc638a5ba Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 29 Oct 2013 23:01:11 +0300 +Subject: Staging: bcm: info leak in ioctl + +From: Dan Carpenter + +commit 8d1e72250c847fa96498ec029891de4dc638a5ba upstream. + +The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel +information to user space. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Dan Carpenter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/bcm/Bcmchar.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/staging/bcm/Bcmchar.c ++++ b/drivers/staging/bcm/Bcmchar.c +@@ -1957,6 +1957,7 @@ cntrlEnd: + + BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Called IOCTL_BCM_GET_DEVICE_DRIVER_INFO\n"); + ++ memset(&DevInfo, 0, sizeof(DevInfo)); + DevInfo.MaxRDMBufferSize = BUFFER_4K; + DevInfo.u32DSDStartOffset = EEPROM_CALPARAM_START; + DevInfo.u32RxAlignmentCorrection = 0; diff --git a/queue-3.4/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch b/queue-3.4/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch new file mode 100644 index 00000000000..b7308ff2344 --- /dev/null +++ b/queue-3.4/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch 
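Review bot: The added `memset(&DevInfo, 0, sizeof(DevInfo));` should carry a comment, because it looks redundant next to the field assignments that follow it and could be removed by someone tidying the ioctl. Something like `/* zero reserved fields and padding before the struct is copied to user space */` states the purpose. The copy to user space is outside the hunk, so the length copied out is not visible here; the memset covers the whole struct, which is sufficient provided that copy is bounded by `sizeof(DevInfo)`.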
@@ -0,0 +1,33 @@ +From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 29 Oct 2013 22:07:47 +0300 +Subject: staging: ozwpan: prevent overflow in oz_cdev_write() + +From: Dan Carpenter + +commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream. + +We need to check "count" so we don't overflow the ei->data buffer. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Dan Carpenter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/ozwpan/ozcdev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/staging/ozwpan/ozcdev.c ++++ b/drivers/staging/ozwpan/ozcdev.c +@@ -153,6 +153,9 @@ ssize_t oz_cdev_write(struct file *filp, + struct oz_app_hdr *app_hdr; + struct oz_serial_ctx *ctx; + ++ if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr)) ++ return -EINVAL; ++ + spin_lock_bh(&g_cdev.lock); + pd = g_cdev.active_pd; + if (pd) diff --git a/queue-3.4/uml-check-length-in-exitcode_proc_write.patch b/queue-3.4/uml-check-length-in-exitcode_proc_write.patch new file mode 100644 index 00000000000..4c39edb04ca --- /dev/null +++ b/queue-3.4/uml-check-length-in-exitcode_proc_write.patch 
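Review bot: The bound in the new check, `sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr)`, is unsigned arithmetic, so it is only a real limit while `ei->data` is larger than the two headers combined; if a later struct change broke that, the subtraction would wrap and the check would accept any `count`. The struct definitions are not visible in the hunk, so this is presumably fine today, but a compile-time guard next to the check would pin it: `BUILD_BUG_ON(sizeof(ei->data) < sizeof(*elt) + sizeof(*app_hdr));`. A short comment saying that the element and application headers share `ei->data` with the payload would also explain the subtraction. The body of `oz_cdev_write()` continues outside the hunk.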
@@ -0,0 +1,37 @@ +From 201f99f170df14ba52ea4c52847779042b7a623b Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 29 Oct 2013 22:06:04 +0300 +Subject: uml: check length in exitcode_proc_write() + +From: Dan Carpenter + +commit 201f99f170df14ba52ea4c52847779042b7a623b upstream. + +We don't cap the size of buffer from the user so we could write past the +end of the array here. Only root can write to this file. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Dan Carpenter +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/kernel/exitcode.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/um/kernel/exitcode.c ++++ b/arch/um/kernel/exitcode.c +@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struc + const char __user *buffer, size_t count, loff_t *pos) + { + char *end, buf[sizeof("nnnnn\0")]; ++ size_t size; + int tmp; + +- if (copy_from_user(buf, buffer, count)) ++ size = min(count, sizeof(buf)); ++ if (copy_from_user(buf, buffer, size)) + return -EFAULT; + + tmp = simple_strtol(buf, &end, 0); diff --git a/queue-3.4/xtensa-don-t-use-alternate-signal-stack-on-threads.patch b/queue-3.4/xtensa-don-t-use-alternate-signal-stack-on-threads.patch new file mode 100644 index 00000000000..f627301d658 --- /dev/null +++ b/queue-3.4/xtensa-don-t-use-alternate-signal-stack-on-threads.patch 
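Review bot: After the clamped copy, `buf` reaches `simple_strtol()` with no NUL terminator guaranteed: when `count >= sizeof(buf)` every byte of the array comes from the user, and for shorter writes the bytes after `size` are uninitialised stack. The write overflow is closed, but the parse can still read past the end of `buf`. Clamp one byte short and terminate, i.e. `size = min(count, sizeof(buf) - 1);` and, after the `copy_from_user()` check, `buf[size] = '\0';`. The rest of `exitcode_proc_write()` is outside the hunk, so what it returns for a truncated write is not visible here.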
@@ -0,0 +1,38 @@ +From cba9a90053e3b7973eff4f1946f33032e98eeed5 Mon Sep 17 00:00:00 2001 +From: Baruch Siach +Date: Tue, 15 Oct 2013 02:22:43 +0400 +Subject: xtensa: don't use alternate signal stack on threads + +From: Baruch Siach + +commit cba9a90053e3b7973eff4f1946f33032e98eeed5 upstream. + +According to create_thread(3): "The new thread does not inherit the creating +thread's alternate signal stack". Since commit f9a3879a (Fix sigaltstack +corruption among cloned threads), current->sas_ss_size is set to 0 for cloned +processes sharing VM with their parent. Don't use the (nonexistent) alternate +signal stack in this case. This has been broken since commit 29c4dfd9 ([XTENSA] +Remove non-rt signal handling). + +Fixes the SA_ONSTACK part of the nptl/tst-cancel20 test from uClibc. + +Signed-off-by: Baruch Siach +Signed-off-by: Max Filippov +Signed-off-by: Chris Zankel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/xtensa/kernel/signal.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/xtensa/kernel/signal.c ++++ b/arch/xtensa/kernel/signal.c +@@ -343,7 +343,7 @@ static int setup_frame(int sig, struct k + + sp = regs->areg[1]; + +- if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && ! on_sig_stack(sp)) { ++ if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) { + sp = current->sas_ss_sp + current->sas_ss_size; + } +