From: Greg Kroah-Hartman Date: Sat, 8 Aug 2015 20:37:36 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.1.5~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3092fa5b1ce5835f84323327d2acb26a721f0bd4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: mac80211-clear-subdir_stations-when-removing-debugfs.patch mmc-sdhci-esdhc-make-8bit-bus-work.patch mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch --- diff --git a/queue-3.14/mac80211-clear-subdir_stations-when-removing-debugfs.patch b/queue-3.14/mac80211-clear-subdir_stations-when-removing-debugfs.patch new file mode 100644 index 00000000000..5df463b9f15 --- /dev/null +++ b/queue-3.14/mac80211-clear-subdir_stations-when-removing-debugfs.patch 
@@ -0,0 +1,38 @@
+From 4479004e6409087d1b4986881dc98c6c15dffb28 Mon Sep 17 00:00:00 2001
+From: Tom Hughes
+Date: Mon, 29 Jun 2015 19:41:49 +0100
+Subject: mac80211: clear subdir_stations when removing debugfs
+
+From: Tom Hughes
+
+commit 4479004e6409087d1b4986881dc98c6c15dffb28 upstream.
+
+If we don't do this, and we then fail to recreate the debugfs
+directory during a mode change, then we will fail later trying
+to add stations to this now bogus directory:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000006c
+IP: [] mutex_lock+0x12/0x30
+Call Trace:
+[] start_creating+0x44/0xc0
+[] debugfs_create_dir+0x13/0xf0
+[] ieee80211_sta_debugfs_add+0x6e/0x490 [mac80211]
+
+Signed-off-by: Tom Hughes
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/debugfs_netdev.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/net/mac80211/debugfs_netdev.c
++++ b/net/mac80211/debugfs_netdev.c
+@@ -712,6 +712,7 @@ void ieee80211_debugfs_remove_netdev(str
+
+ debugfs_remove_recursive(sdata->vif.debugfs_dir);
+ sdata->vif.debugfs_dir = NULL;
++ sdata->debugfs.subdir_stations = NULL;
+ }
+
+ void ieee80211_debugfs_rename_netdev(struct ieee80211_sub_if_data *sdata)
diff --git a/queue-3.14/mmc-sdhci-esdhc-make-8bit-bus-work.patch b/queue-3.14/mmc-sdhci-esdhc-make-8bit-bus-work.patch
new file mode 100644
index 00000000000..f31391e220d
--- /dev/null
+++ b/queue-3.14/mmc-sdhci-esdhc-make-8bit-bus-work.patch
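Review bot: The new `sdata->debugfs.subdir_stations = NULL;` in ieee80211_debugfs_remove_netdev only helps if every consumer of subdir_stations treats NULL as "no directory", because debugfs_create_dir() with a NULL parent does not fail — it creates the entry at the debugfs root. The crash in the description came from ieee80211_sta_debugfs_add handing the stale child dentry to debugfs_create_dir, and that caller is not in the hunk, so whether it bails out on NULL cannot be confirmed here and is worth checking rather than assuming. The assignment also deserves a why-comment, since subdir_stations is never removed explicitly and a reader may not know it lives under vif.debugfs_dir: `/* subdir_stations was a child of debugfs_dir and is gone with it */`.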
@@ -0,0 +1,32 @@
+From 8e91125ff3f57f15c6568e2a6d32743b3f7815e4 Mon Sep 17 00:00:00 2001
+From: Joakim Tjernlund
+Date: Wed, 22 Jul 2015 16:44:26 +0200
+Subject: mmc: sdhci-esdhc: Make 8BIT bus work
+
+From: Joakim Tjernlund
+
+commit 8e91125ff3f57f15c6568e2a6d32743b3f7815e4 upstream.
+
+Support for 8BIT bus with was added some time ago to sdhci-esdhc but
+then missed to remove the 8BIT from the reserved bit mask which made
+8BIT non functional.
+
+Fixes: 66b50a00992d ("mmc: esdhc: Add support for 8-bit bus width and..")
+Signed-off-by: Joakim Tjernlund
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-esdhc.h | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/mmc/host/sdhci-esdhc.h
++++ b/drivers/mmc/host/sdhci-esdhc.h
+@@ -47,6 +47,6 @@
+ #define ESDHC_DMA_SYSCTL 0x40c
+ #define ESDHC_DMA_SNOOP 0x00000040
+
+-#define ESDHC_HOST_CONTROL_RES 0x05
++#define ESDHC_HOST_CONTROL_RES 0x01
+
+ #endif /* _DRIVERS_MMC_SDHCI_ESDHC_H */
diff --git a/queue-3.14/mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch b/queue-3.14/mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch
new file mode 100644
index 00000000000..77f14d91b41
--- /dev/null
+++ b/queue-3.14/mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch
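Review bot: `#define ESDHC_HOST_CONTROL_RES 0x01` is still a bare magic mask, and nothing at the definition says which host-control bits are reserved on eSDHC or why 0x04 was dropped — which is exactly how the regression the description recounts happened the first time. A one-line comment would pin it down, e.g. `#define ESDHC_HOST_CONTROL_RES 0x01 /* reserved HOST_CONTROL bits; bit 2 is the 8-bit DTW bit and must stay writable */`, on the assumption the description implies that 0x04 was the 8BIT bus-width bit; confirm that against the eSDHC register description before wording it so. The code that applies this mask on the host-control write path is outside the hunk, so the change cannot be cross-checked here.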
@@ -0,0 +1,46 @@
+From 9cd76049f0d90ae241f5ad80e311489824527000 Mon Sep 17 00:00:00 2001
+From: Jingju Hou
+Date: Thu, 23 Jul 2015 17:56:23 +0800
+Subject: mmc: sdhci-pxav3: fix platform_data is not initialized
+
+From: Jingju Hou
+
+commit 9cd76049f0d90ae241f5ad80e311489824527000 upstream.
+
+pdev->dev.platform_data is not initialized if match is true in function
+sdhci_pxav3_probe. Just local variable pdata is assigned the return value
+from function pxav3_get_mmc_pdata().
+
+static int sdhci_pxav3_probe(struct platform_device *pdev) {
+
+ struct sdhci_pxa_platdata *pdata = pdev->dev.platform_data;
+ ...
+ if (match) {
+ ret = mmc_of_parse(host->mmc);
+ if (ret)
+ goto err_of_parse;
+ sdhci_get_of_property(pdev);
+ pdata = pxav3_get_mmc_pdata(dev);
+ }
+ ...
+}
+
+Signed-off-by: Jingju Hou
+Fixes: b650352dd3df("mmc: sdhci-pxa: Add device tree support")
+Signed-off-by: Ulf Hansson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mmc/host/sdhci-pxav3.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/mmc/host/sdhci-pxav3.c
++++ b/drivers/mmc/host/sdhci-pxav3.c
+@@ -257,6 +257,7 @@ static int sdhci_pxav3_probe(struct plat
+ goto err_of_parse;
+ sdhci_get_of_property(pdev);
+ pdata = pxav3_get_mmc_pdata(dev);
++ pdev->dev.platform_data = pdata;
+ } else if (pdata) {
+ /* on-chip device */
+ if (pdata->flags & PXA_FLAG_CARD_PERMANENT)
diff --git a/queue-3.14/series b/queue-3.14/series
index 41233d3c856..47933c11cae 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -7,3 +7,7 @@ genirq-prevent-resend-to-interrupts-marked-irq_nested_thread.patch
 alsa-usb-audio-add-midi-support-for-steinberg-mi2-mi4.patch
 alsa-usb-audio-add-db-range-mapping-for-some-devices.patch
 alsa-hda-fix-macbook-pro-5-2-quirk.patch
+st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch
+mac80211-clear-subdir_stations-when-removing-debugfs.patch
+mmc-sdhci-esdhc-make-8bit-bus-work.patch
+mmc-sdhci-pxav3-fix-platform_data-is-not-initialized.patch
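Review bot: `pdev->dev.platform_data = pdata;` stores whatever pxav3_get_mmc_pdata() returned without checking it, so if that helper can return NULL (on an allocation failure, say — it is outside the hunk) the device now carries a NULL platform_data that later readers may dereference. The neighbouring `else if (pdata)` branch shows a NULL pdata is already a legitimate state on the non-DT path, so either those later readers are NULL-safe or probe should fail here; the cautious choice is `if (!pdata) { ret = -ENOMEM; goto err_of_parse; }` before the assignment. The code does not say who reads platform_data later (the reason for this fix), so a short comment naming that consumer would help the next reader. sdhci_pxav3_probe starts and ends outside the hunk.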
diff --git a/queue-3.14/st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch b/queue-3.14/st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch
new file mode 100644
index 00000000000..cf6e8c1b01a
--- /dev/null
+++ b/queue-3.14/st-null-pointer-dereference-panic-caused-by-use-after-kref_put-by-st_open.patch
@@ -0,0 +1,177 @@
+From e7ac6c6666bec0a354758a1298d3231e4a635362 Mon Sep 17 00:00:00 2001
+From: "Seymour, Shane M"
+Date: Thu, 2 Jul 2015 12:01:10 +0000
+Subject: st: null pointer dereference panic caused by use after kref_put by st_open
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: "Seymour, Shane M"
+
+commit e7ac6c6666bec0a354758a1298d3231e4a635362 upstream.
+
+Two SLES11 SP3 servers encountered similar crashes simultaneously
+following some kind of SAN/tape target issue:
+
+...
+qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
+qla2xxx [0000:81:00.0]-801c:3: Abort command issued nexus=3:0:2 -- 1 2002.
+qla2xxx [0000:81:00.0]-8009:3: DEVICE RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800f:3: DEVICE RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-8009:3: TARGET RESET ISSUED nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800c:3: do_reset failed for cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-800f:3: TARGET RESET FAILED: Task management failed nexus=3:0:2 cmd=ffff882f89c2c7c0.
+qla2xxx [0000:81:00.0]-8012:3: BUS RESET ISSUED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-802b:3: BUS RESET SUCCEEDED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
+qla2xxx [0000:81:00.0]-8018:3: ADAPTER RESET ISSUED nexus=3:0:2.
+qla2xxx [0000:81:00.0]-00af:3: Performing ISP error recovery - ha=ffff88bf04d18000.
+ rport-3:0-0: blocked FC remote port time out: removing target and saving binding
+qla2xxx [0000:81:00.0]-505f:3: Link is operational (8 Gbps).
+qla2xxx [0000:81:00.0]-8017:3: ADAPTER RESET SUCCEEDED nexus=3:0:2.
+ rport-2:0-0: blocked FC remote port time out: removing target and saving binding
+sg_rq_end_io: device detached
+BUG: unable to handle kernel NULL pointer dereference at 00000000000002a8
+IP: [] __pm_runtime_idle+0x28/0x90
+PGD 7e6586f067 PUD 7e5af06067 PMD 0 [1739975.390354] Oops: 0002 [#1] SMP
+CPU 0
+...
+Supported: No, Proprietary modules are loaded [1739975.390463]
+Pid: 27965, comm: ABCD Tainted: PF X 3.0.101-0.29-default #1 HP ProLiant DL580 Gen8
+RIP: 0010:[] [] __pm_runtime_idle+0x28/0x90
+RSP: 0018:ffff8839dc1e7c68 EFLAGS: 00010202
+RAX: 0000000000000000 RBX: ffff883f0592fc00 RCX: 0000000000000090
+RDX: 0000000000000000 RSI: 0000000000000004 RDI: 0000000000000138
+RBP: 0000000000000138 R08: 0000000000000010 R09: ffffffff81bd39d0
+R10: 00000000000009c0 R11: ffffffff81025790 R12: 0000000000000001
+R13: ffff883022212b80 R14: 0000000000000004 R15: ffff883022212b80
+FS: 00007f8e54560720(0000) GS:ffff88407f800000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 00000000000002a8 CR3: 0000007e6ced6000 CR4: 00000000001407f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process ABCD (pid: 27965, threadinfo ffff8839dc1e6000, task ffff883592e0c640)
+Stack:
+ ffff883f0592fc00 00000000fffffffa 0000000000000001 ffff883022212b80
+ ffff883eff772400 ffffffffa03fa309 0000000000000000 0000000000000000
+ ffffffffa04003a0 ffff883f063196c0 ffff887f0379a930 ffffffff8115ea1e
+Call Trace:
+ [] st_open+0x129/0x240 [st]
+ [] chrdev_open+0x13e/0x200
+ [] __dentry_open+0x198/0x310
+ [] do_last+0x1f4/0x800
+ [] path_openat+0xd9/0x420
+ [] do_filp_open+0x4c/0xc0
+ [] do_sys_open+0x17f/0x250
+ [] system_call_fastpath+0x16/0x1b
+ [<00007f8e4f617fd0>] 0x7f8e4f617fcf
+Code: eb d3 90 48 83 ec 28 40 f6 c6 04 48 89 6c 24 08 4c 89 74 24 20 48 89 fd 48 89 1c 24 4c 89 64 24 10 41 89 f6 4c 89 6c 24 18 74 11 ff 8f 70 01 00 00 0f 94 c0 45 31 ed 84 c0 74 2b 4c 8d a5 a0
+RIP
[] __pm_runtime_idle+0x28/0x90
+ RSP
+CR2: 00000000000002a8
+
+Analysis reveals the cause of the crash to be due to STp->device
+being NULL. The pointer was NULLed via scsi_tape_put(STp) when it
+calls scsi_tape_release(). In st_open() we jump to err_out after
+scsi_block_when_processing_errors() completes and returns the
+device as offline (sdev_state was SDEV_DEL):
+
+1180 /* Open the device. Needs to take the BKL only because of incrementing the SCSI host
+1181 module count. */
+1182 static int st_open(struct inode *inode, struct file *filp)
+1183 {
+1184 int i, retval = (-EIO);
+1185 int resumed = 0;
+1186 struct scsi_tape *STp;
+1187 struct st_partstat *STps;
+1188 int dev = TAPE_NR(inode);
+1189 char *name;
+...
+1217 if (scsi_autopm_get_device(STp->device) < 0) {
+1218 retval = -EIO;
+1219 goto err_out;
+1220 }
+1221 resumed = 1;
+1222 if (!scsi_block_when_processing_errors(STp->device)) {
+1223 retval = (-ENXIO);
+1224 goto err_out;
+1225 }
+...
+1264 err_out:
+1265 normalize_buffer(STp->buffer);
+1266 spin_lock(&st_use_lock);
+1267 STp->in_use = 0;
+1268 spin_unlock(&st_use_lock);
+1269 scsi_tape_put(STp); <-- STp->device = 0 after this
+1270 if (resumed)
+1271 scsi_autopm_put_device(STp->device);
+1272 return retval;
+
+The ref count for the struct scsi_tape had already been reduced
+to 1 when the .remove method of the st module had been called.
+The kref_put() in scsi_tape_put() caused scsi_tape_release()
+to be called:
+
+0266 static void scsi_tape_put(struct scsi_tape *STp)
+0267 {
+0268 struct scsi_device *sdev = STp->device;
+0269
+0270 mutex_lock(&st_ref_mutex);
+0271 kref_put(&STp->kref, scsi_tape_release); <-- calls this
+0272 scsi_device_put(sdev);
+0273 mutex_unlock(&st_ref_mutex);
+0274 }
+
+In scsi_tape_release() the struct scsi_device in the struct
+scsi_tape gets set to NULL:
+
+4273 static void scsi_tape_release(struct kref *kref)
+4274 {
+4275 struct scsi_tape *tpnt = to_scsi_tape(kref);
+4276 struct gendisk *disk = tpnt->disk;
+4277
+4278 tpnt->device = NULL; <<<---- where the dev is nulled
+4279
+4280 if (tpnt->buffer) {
+4281 normalize_buffer(tpnt->buffer);
+4282 kfree(tpnt->buffer->reserved_pages);
+4283 kfree(tpnt->buffer);
+4284 }
+4285
+4286 disk->private_data = NULL;
+4287 put_disk(disk);
+4288 kfree(tpnt);
+4289 return;
+4290 }
+
+Although the problem was reported on SLES11.3 the problem appears
+in linux-next as well.
+
+The crash is fixed by reordering the code so we no longer access
+the struct scsi_tape after the kref_put() is done on it in st_open().
+
+Signed-off-by: Shane Seymour
+Signed-off-by: Darren Lavender
+Reviewed-by: Johannes Thumshirn
+Acked-by: Kai Mäkisara
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/st.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/scsi/st.c
++++ b/drivers/scsi/st.c
+@@ -1262,9 +1262,9 @@ static int st_open(struct inode *inode,
+ spin_lock(&st_use_lock);
+ STp->in_use = 0;
+ spin_unlock(&st_use_lock);
+- scsi_tape_put(STp);
+ if (resumed)
+ scsi_autopm_put_device(STp->device);
++ scsi_tape_put(STp);
+ return retval;
+
+ }
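Review bot: After the reorder `scsi_tape_put(STp);` is the last statement before `return retval;`, which is correct but fragile: the kref_put inside it can free STp (the scsi_tape_release quoted in the description ends in kfree(tpnt)), so any line later added after it that touches STp silently reintroduces this use-after-free. A comment on the new line would make the invariant explicit: `scsi_tape_put(STp); /* may free STp - must stay the last use of STp */`. The new order also mirrors the acquisition order the description shows, where scsi_autopm_get_device() at 1217 came after STp was obtained, so releasing autopm first is the proper LIFO unwind. st_open begins outside the hunk, and whether other paths in st.c have the same put-then-use pattern cannot be judged from here.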