From: Greg Kroah-Hartman Date: Mon, 23 Sep 2013 18:00:50 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.97~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=30239701c9b382244963452d08e7b28c6545d379;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch crypto-api-fix-race-condition-in-larval-lookup.patch powerpc-default-arch-idle-could-cede-processor-on-pseries.patch powerpc-handle-unaligned-ldbrx-stdbrx.patch scsi-sd-fix-potential-out-of-bounds-access.patch ubi-fix-peb-leak-in-wear_leveling_worker.patch xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
---
diff --git a/queue-3.10/arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch b/queue-3.10/arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch
new file mode 100644
index 00000000000..3bcfff5a3b9
--- /dev/null
+++ b/queue-3.10/arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch
@@ -0,0 +1,41 @@
+From 9dd4b2944c46e1fdbd0a516c221c8a2670cbf005 Mon Sep 17 00:00:00 2001
+From: Rob Herring
+Date: Thu, 29 Aug 2013 07:43:52 -0500
+Subject: ARM: xen: only set pm function ptrs for Xen guests
+
+From: Rob Herring
+
+commit 9dd4b2944c46e1fdbd0a516c221c8a2670cbf005 upstream.
+
+xen_pm_init was unconditionally setting pm_power_off and arm_pm_restart
+function pointers. This breaks multi-platform kernels. Make this
+conditional on running as a Xen guest and make it a late_initcall to
+ensure it is setup after platform code for Dom0.
+
+Signed-off-by: Rob Herring
+Signed-off-by: Stefano Stabellini
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/xen/enlighten.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/xen/enlighten.c
++++ b/arch/arm/xen/enlighten.c
+@@ -273,12 +273,15 @@ core_initcall(xen_guest_init);
+
+ static int __init xen_pm_init(void)
+ {
++ if (!xen_domain())
++ return -ENODEV;
++
+ pm_power_off = xen_power_off;
+ arm_pm_restart = xen_restart;
+
+ return 0;
+ }
+-subsys_initcall(xen_pm_init);
++late_initcall(xen_pm_init);
+
+ static irqreturn_t xen_arm_callback(int irq, void *arg)
+ {
diff --git a/queue-3.10/crypto-api-fix-race-condition-in-larval-lookup.patch b/queue-3.10/crypto-api-fix-race-condition-in-larval-lookup.patch
new file mode 100644
index 00000000000..2e3a429399f
--- /dev/null
+++ b/queue-3.10/crypto-api-fix-race-condition-in-larval-lookup.patch
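Review bot: In the `arch/arm/xen/enlighten.c` change, the move from `subsys_initcall` to `late_initcall` carries an ordering requirement that is recorded only in the commit message: for Dom0 the Xen handlers have to be installed after platform code has set its own `pm_power_off` and `arm_pm_restart`. A comment above the initcall line would keep a later cleanup from moving it back, for example `/* late_initcall: must run after platform code has installed its pm handlers (Dom0) */`. The new `xen_domain()` guard itself is clear as written.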
@@ -0,0 +1,49 @@
+From 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Sun, 8 Sep 2013 14:33:50 +1000
+Subject: crypto: api - Fix race condition in larval lookup
+
+From: Herbert Xu
+
+commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa upstream.
+
+crypto_larval_lookup should only return a larval if it created one.
+Any larval created by another entity must be processed through
+crypto_larval_wait before being returned.
+
+Otherwise this will lead to a larval being killed twice, which
+will most likely lead to a crash.
+
+Reported-by: Kees Cook
+Tested-by: Kees Cook
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/api.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/crypto/api.c
++++ b/crypto/api.c
+@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem);
+ BLOCKING_NOTIFIER_HEAD(crypto_chain);
+ EXPORT_SYMBOL_GPL(crypto_chain);
+
++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg);
++
+ struct crypto_alg *crypto_mod_get(struct crypto_alg *alg)
+ {
+ return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL;
+@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_
+ }
+ up_write(&crypto_alg_sem);
+
+- if (alg != &larval->alg)
++ if (alg != &larval->alg) {
+ kfree(larval);
++ if (crypto_is_larval(alg))
++ alg = crypto_larval_wait(alg);
++ }
+
+ return alg;
+ }
diff --git a/queue-3.10/powerpc-default-arch-idle-could-cede-processor-on-pseries.patch b/queue-3.10/powerpc-default-arch-idle-could-cede-processor-on-pseries.patch
new file mode 100644
index 00000000000..7220a1859ac
--- /dev/null
+++ b/queue-3.10/powerpc-default-arch-idle-could-cede-processor-on-pseries.patch
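Review bot: In the second `crypto/api.c` hunk, the new `alg = crypto_larval_wait(alg);` changes what this lookup function can return: it now passes on whatever `crypto_larval_wait()` produces, presumably including an error-encoded pointer on timeout or interruption. The body of `crypto_larval_wait()` is not in the hunk, so confirm that every caller tests the result with `IS_ERR()` before dereferencing it and tolerates the call sleeping. The reason for the wait lives only in the commit message; a comment at the branch would keep it next to the code, for example `/* larval created by someone else: wait on it here, returning it would get it killed twice */`. The function starts before the hunk.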
@@ -0,0 +1,94 @@
+From 363edbe2614aa90df706c0f19ccfa2a6c06af0be Mon Sep 17 00:00:00 2001
+From: Vaidyanathan Srinivasan
+Date: Fri, 6 Sep 2013 00:25:06 +0530
+Subject: powerpc: Default arch idle could cede processor on pseries
+
+From: Vaidyanathan Srinivasan
+
+commit 363edbe2614aa90df706c0f19ccfa2a6c06af0be upstream.
+
+When adding cpuidle support to pSeries, we introduced two
+regressions:
+
+ - The new cpuidle backend driver only works under hypervisors
+ supporting the "SLPLAR" option, which isn't the case of the
+ old POWER4 hypervisor and the HV "light" used on js2x blades
+
+ - The cpuidle driver registers fairly late, meaning that for
+ a significant portion of the boot process, we end up having
+ all threads spinning. This slows down the boot process and
+ increases the overall resource usage if the hypervisor has
+ shared processors.
+
+This fixes both by implementing a "default" idle that will cede
+to the hypervisor when possible, in a very simple way without
+all the bells and whisles of cpuidle.
+
+Reported-by: Paul Mackerras
+Signed-off-by: Vaidyanathan Srinivasan
+Acked-by: Deepthi Dharwar
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/platforms/pseries/setup.c | 31 +++++++++++++++++++++----------
+ 1 file changed, 21 insertions(+), 10 deletions(-)
+
+--- a/arch/powerpc/platforms/pseries/setup.c
++++ b/arch/powerpc/platforms/pseries/setup.c
+@@ -354,7 +354,7 @@ static int alloc_dispatch_log_kmem_cache
+ }
+ early_initcall(alloc_dispatch_log_kmem_cache);
+
+-static void pSeries_idle(void)
++static void pseries_lpar_idle(void)
+ {
+ /* This would call on the cpuidle framework, and the back-end pseries
+ * driver to go to idle states
+@@ -362,10 +362,22 @@ static void pSeries_idle(void)
+ if (cpuidle_idle_call()) {
+ /* On error, execute default handler
+ * to go into low thread priority and possibly
+- * low power mode.
++ * low power mode by cedeing processor to hypervisor
+ */
+- HMT_low();
+- HMT_very_low();
++
++ /* Indicate to hypervisor that we are idle. */
++ get_lppaca()->idle = 1;
++
++ /*
++ * Yield the processor to the hypervisor. We return if
++ * an external interrupt occurs (which are driven prior
++ * to returning here) or if a prod occurs from another
++ * processor. When returning here, external interrupts
++ * are enabled.
++ */
++ cede_processor();
++
++ get_lppaca()->idle = 0;
+ }
+ }
+
+@@ -456,15 +468,14 @@ static void __init pSeries_setup_arch(vo
+
+ pSeries_nvram_init();
+
+- if (firmware_has_feature(FW_FEATURE_SPLPAR)) {
++ if (firmware_has_feature(FW_FEATURE_LPAR)) {
+ vpa_init(boot_cpuid);
+- ppc_md.power_save = pSeries_idle;
+- }
+-
+- if (firmware_has_feature(FW_FEATURE_LPAR))
++ ppc_md.power_save = pseries_lpar_idle;
+ ppc_md.enable_pmcs = pseries_lpar_enable_pmcs;
+- else
++ } else {
++ /* No special idle routine */
+ ppc_md.enable_pmcs = power4_enable_pmcs;
++ }
+
+ ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare;
+
diff --git a/queue-3.10/powerpc-handle-unaligned-ldbrx-stdbrx.patch b/queue-3.10/powerpc-handle-unaligned-ldbrx-stdbrx.patch
new file mode 100644
index 00000000000..62ffc4ff4d9
--- /dev/null
+++ b/queue-3.10/powerpc-handle-unaligned-ldbrx-stdbrx.patch
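Review bot: In `pSeries_setup_arch()` the `vpa_init(boot_cpuid)` call moves from the `FW_FEATURE_SPLPAR` test to the `FW_FEATURE_LPAR` test together with the idle hook, so VPA registration now runs on every LPAR, while the commit message discusses only the idle path. The new `pseries_lpar_idle()` writes `get_lppaca()->idle` around `cede_processor()`, so it is worth confirming that `vpa_init()` and the cede call behave sensibly on the non-SPLPAR hypervisors the message names; neither body is in these hunks. The else-branch comment `/* No special idle routine */` sits directly above the `enable_pmcs` assignment and reads as if it described that line; `/* Not an LPAR: no idle hook installed, use the POWER4 PMC enable */` would be clearer. Both functions extend beyond the hunks.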
@@ -0,0 +1,51 @@
+From 230aef7a6a23b6166bd4003bfff5af23c9bd381f Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Wed, 7 Aug 2013 02:01:19 +1000
+Subject: powerpc: Handle unaligned ldbrx/stdbrx
+
+From: Anton Blanchard
+
+commit 230aef7a6a23b6166bd4003bfff5af23c9bd381f upstream.
+
+Normally when we haven't implemented an alignment handler for
+a load or store instruction the process will be terminated.
+
+The alignment handler uses the DSISR (or a pseudo one) to locate
+the right handler. Unfortunately ldbrx and stdbrx overlap lfs and
+stfs so we incorrectly think ldbrx is an lfs and stdbrx is an
+stfs.
+
+This bug is particularly nasty - instead of terminating the
+process we apply an incorrect fixup and continue on.
+
+With more and more overlapping instructions we should stop
+creating a pseudo DSISR and index using the instruction directly,
+but for now add a special case to catch ldbrx/stdbrx.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/align.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+--- a/arch/powerpc/kernel/align.c
++++ b/arch/powerpc/kernel/align.c
+@@ -764,6 +764,16 @@ int fix_alignment(struct pt_regs *regs)
+ nb = aligninfo[instr].len;
+ flags = aligninfo[instr].flags;
+
++ /* ldbrx/stdbrx overlap lfs/stfs in the DSISR unfortunately */
++ if (IS_XFORM(instruction) && ((instruction >> 1) & 0x3ff) == 532) {
++ nb = 8;
++ flags = LD+SW;
++ } else if (IS_XFORM(instruction) &&
++ ((instruction >> 1) & 0x3ff) == 660) {
++ nb = 8;
++ flags = ST+SW;
++ }
++
+ /* Byteswap little endian loads and stores */
+ swiz = 0;
+ if (regs->msr & MSR_LE) {
diff --git a/queue-3.10/scsi-sd-fix-potential-out-of-bounds-access.patch b/queue-3.10/scsi-sd-fix-potential-out-of-bounds-access.patch
new file mode 100644
index 00000000000..cc7bd0f7f59
--- /dev/null
+++ b/queue-3.10/scsi-sd-fix-potential-out-of-bounds-access.patch
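Review bot: The ldbrx/stdbrx special case in `fix_alignment()` keys on `instruction`, but the hunk does not show where `instruction` is loaded. If it is fetched only on the path that builds a pseudo DSISR, the override will not fire on CPUs that supply a real DSISR, and the silent lfs/stfs fixup described in the commit message would remain there; this should be confirmed against the top of the function. The extended opcodes `532` and `660` are bare literals. Named constants would make the match easier to audit, for example `#define XO_LDBRX 532` and `#define XO_STDBRX 660`, with `(instruction >> 1) & 0x3ff` computed once into a local. The function starts before the hunk and continues after it.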
@@ -0,0 +1,44 @@
+From 984f1733fcee3fbc78d47e26c5096921c5d9946a Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Fri, 6 Sep 2013 11:49:51 -0400
+Subject: SCSI: sd: Fix potential out-of-bounds access
+
+From: Alan Stern
+
+commit 984f1733fcee3fbc78d47e26c5096921c5d9946a upstream.
+
+This patch fixes an out-of-bounds error in sd_read_cache_type(), found
+by Google's AddressSanitizer tool. When the loop ends, we know that
+"offset" lies beyond the end of the data in the buffer, so no Caching
+mode page was found. In theory it may be present, but the buffer size
+is limited to 512 bytes.
+
+Signed-off-by: Alan Stern
+Reported-by: Dmitry Vyukov
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/sd.c | 11 +++--------
+ 1 file changed, 3 insertions(+), 8 deletions(-)
+
+--- a/drivers/scsi/sd.c
++++ b/drivers/scsi/sd.c
+@@ -2409,14 +2409,9 @@ sd_read_cache_type(struct scsi_disk *sdk
+ }
+ }
+
+- if (modepage == 0x3F) {
+- sd_printk(KERN_ERR, sdkp, "No Caching mode page "
+- "present\n");
+- goto defaults;
+- } else if ((buffer[offset] & 0x3f) != modepage) {
+- sd_printk(KERN_ERR, sdkp, "Got wrong page\n");
+- goto defaults;
+- }
++ sd_printk(KERN_ERR, sdkp, "No Caching mode page found\n");
++ goto defaults;
++
+ Page_found:
+ if (modepage == 8) {
+ sdkp->WCE = ((buffer[offset + 2] & 0x04) != 0);
diff --git a/queue-3.10/series b/queue-3.10/series
index 3b6672af415..97e8307e5d3 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
@@ -1 +1,8 @@
 scsi-allow-mpt-fusion-sas-3.0-driver-to-be-built-into-the-kernel.patch
+ubi-fix-peb-leak-in-wear_leveling_worker.patch
+scsi-sd-fix-potential-out-of-bounds-access.patch
+crypto-api-fix-race-condition-in-larval-lookup.patch
+powerpc-handle-unaligned-ldbrx-stdbrx.patch
+powerpc-default-arch-idle-could-cede-processor-on-pseries.patch
+xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
+arm-xen-only-set-pm-function-ptrs-for-xen-guests.patch
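Review bot: In `sd_read_cache_type()` the code after the scan loop now relies on an invariant that only the commit message states: falling out of the loop means `offset` is past the end of the mode data. A comment above the new `sd_printk` would keep the removed `buffer[offset]` test from being reintroduced, for example `/* Ran off the end of the mode data: buffer[offset] is out of bounds here, do not read it */`. The `Page_found:` path just below still reads `buffer[offset + 2]`. Whether the loop guarantees at least three bytes remain before jumping there is decided outside this hunk and should be checked when backporting.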
diff --git a/queue-3.10/ubi-fix-peb-leak-in-wear_leveling_worker.patch b/queue-3.10/ubi-fix-peb-leak-in-wear_leveling_worker.patch
new file mode 100644
index 00000000000..a1488d60ace
--- /dev/null
+++ b/queue-3.10/ubi-fix-peb-leak-in-wear_leveling_worker.patch
@@ -0,0 +1,37 @@
+From 5ef4414f4bc26a19cfd5cd11aee9697a863e4d51 Mon Sep 17 00:00:00 2001
+From: Richard Weinberger
+Date: Mon, 19 Aug 2013 08:48:12 +0200
+Subject: UBI: Fix PEB leak in wear_leveling_worker()
+
+From: Richard Weinberger
+
+commit 5ef4414f4bc26a19cfd5cd11aee9697a863e4d51 upstream.
+
+get_peb_for_wl() removes the PEB from the free list.
+If the WL subsystem detects that no wear leveling is needed
+it cancels the operation and drops the gained PEB.
+In this case we have to put the PEB back into the free list.
+
+This issue was introduced with commit ed4b7021c
+(UBI: remove PEB from free tree in get_peb_for_wl()).
+
+Signed-off-by: Richard Weinberger
+Signed-off-by: Artem Bityutskiy
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/ubi/wl.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/mtd/ubi/wl.c
++++ b/drivers/mtd/ubi/wl.c
+@@ -1069,6 +1069,9 @@ static int wear_leveling_worker(struct u
+ if (!(e2->ec - e1->ec >= UBI_WL_THRESHOLD)) {
+ dbg_wl("no WL needed: min used EC %d, max free EC %d",
+ e1->ec, e2->ec);
++
++ /* Give the unused PEB back */
++ wl_tree_add(e2, &ubi->free);
+ goto out_cancel;
+ }
+ self_check_in_wl_tree(ubi, e1, &ubi->used);
diff --git a/queue-3.10/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch b/queue-3.10/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
new file mode 100644
index 00000000000..b2b0fbd8c6c
--- /dev/null
+++ b/queue-3.10/xen-gnt-prevent-adding-duplicate-gnt-callbacks.patch
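Review bot: In `wear_leveling_worker()` the new `wl_tree_add(e2, &ubi->free);` returns the entry to the free tree, but the hunk does not show what else `get_peb_for_wl()` changed when it handed the PEB out. If that helper also decrements a free-PEB counter, the counter has to be restored on this cancel path as well, otherwise the accounting drifts away from the tree contents. Please check `get_peb_for_wl()`, which is outside the hunk, and extend the comment to say which state is being undone, for example `/* Undo get_peb_for_wl(): give the unused PEB back to the free tree */`.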
@@ -0,0 +1,53 @@
+From 5f338d9001094a56cf87bd8a280b4e7ff953bb59 Mon Sep 17 00:00:00 2001
+From: Roger Pau Monne
+Date: Wed, 31 Jul 2013 17:00:42 +0200
+Subject: xen-gnt: prevent adding duplicate gnt callbacks
+
+From: Roger Pau Monne
+
+commit 5f338d9001094a56cf87bd8a280b4e7ff953bb59 upstream.
+
+With the current implementation, the callback in the tail of the list
+can be added twice, because the check done in
+gnttab_request_free_callback is bogus, callback->next can be NULL if
+it is the last callback in the list. If we add the same callback twice
+we end up with an infinite loop, were callback == callback->next.
+
+Replace this check with a proper one that iterates over the list to
+see if the callback has already been added.
+
+Signed-off-by: Roger Pau Monné
+Cc: Konrad Rzeszutek Wilk
+Cc: David Vrabel
+Signed-off-by: Konrad Rzeszutek Wilk
+Acked-by: Matt Wilson
+Reviewed-by: David Vrabel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/xen/grant-table.c | 13 +++++++++++--
+ 1 file changed, 11 insertions(+), 2 deletions(-)
+
+--- a/drivers/xen/grant-table.c
++++ b/drivers/xen/grant-table.c
+@@ -729,9 +729,18 @@ void gnttab_request_free_callback(struct
+ void (*fn)(void *), void *arg, u16 count)
+ {
+ unsigned long flags;
++ struct gnttab_free_callback *cb;
++
+ spin_lock_irqsave(&gnttab_list_lock, flags);
+- if (callback->next)
+- goto out;
++
++ /* Check if the callback is already on the list */
++ cb = gnttab_free_callback_list;
++ while (cb) {
++ if (cb == callback)
++ goto out;
++ cb = cb->next;
++ }
++
+ callback->fn = fn;
+ callback->arg = arg;
+ callback->count = count;
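Review bot: The duplicate check in `gnttab_request_free_callback()` now walks the whole list while `gnttab_list_lock` is held with interrupts disabled, so its cost grows with the number of queued callbacks. That is probably acceptable for short lists, but the comment should say so, for example `/* Linear scan under gnttab_list_lock; the list is expected to stay short */`. The walk is also more compact as a `for` loop: `for (cb = gnttab_free_callback_list; cb; cb = cb->next)` with `if (cb == callback) goto out;` as its body. The function starts before the hunk and continues past it, so the `out:` label and the list insertion are not visible here.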