From: Greg Kroah-Hartman Date: Tue, 9 Apr 2013 23:05:34 +0000 (-0700) Subject: 3.8-stable patches X-Git-Tag: v3.0.73~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=330470c0bb30511d129e0e65213ffb7ff1e0ca3b;p=thirdparty%2Fkernel%2Fstable-queue.git 3.8-stable patches added patches: ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch hwspinlock-fix-__hwspin_lock_request-error-path.patch mac80211-fix-remain-on-channel-cancel-crash.patch mwifiex-limit-channel-number-not-to-overflow-memory.patch powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch remoteproc-fix-error-path-of-handle_vdev.patch remoteproc-fix-fw_config-typo.patch remoteproc-ste-fix-memory-leak-on-shutdown.patch x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch --- diff --git a/queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch b/queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch new file mode 100644 index 00000000000..5a50c6728f5 --- /dev/null +++ b/queue-3.8/ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch 
@@ -0,0 +1,40 @@ +From 5000c418840b309251c5887f0b56503aae30f84c Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Tue, 26 Mar 2013 17:53:03 +0100 +Subject: ftrace: Consistently restore trace function on sysctl enabling + +From: Jan Kiszka + +commit 5000c418840b309251c5887f0b56503aae30f84c upstream. + +If we reenable ftrace via syctl, we currently set ftrace_trace_function +based on the previous simplistic algorithm. This is inconsistent with +what update_ftrace_function does. So better call that helper instead. + +Link: http://lkml.kernel.org/r/5151D26F.1070702@siemens.com + +Signed-off-by: Jan Kiszka +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 8 ++------ + 1 file changed, 2 insertions(+), 6 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -4537,12 +4537,8 @@ ftrace_enable_sysctl(struct ctl_table *t + ftrace_startup_sysctl(); + + /* we are starting ftrace again */ +- if (ftrace_ops_list != &ftrace_list_end) { +- if (ftrace_ops_list->next == &ftrace_list_end) +- ftrace_trace_function = ftrace_ops_list->func; +- else +- ftrace_trace_function = ftrace_ops_list_func; +- } ++ if (ftrace_ops_list != &ftrace_list_end) ++ update_ftrace_function(); + + } else { + /* stopping ftrace calls (just send to ftrace_stub) */ diff --git a/queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch b/queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch new file mode 100644 index 00000000000..9733a9b7833 --- /dev/null +++ b/queue-3.8/hwspinlock-fix-__hwspin_lock_request-error-path.patch 
@@ -0,0 +1,38 @@ +From c10b90d85a5126d25c89cbaa50dc9fdd1c4d001a Mon Sep 17 00:00:00 2001 +From: Li Fei +Date: Fri, 5 Apr 2013 21:20:36 +0800 +Subject: hwspinlock: fix __hwspin_lock_request error path + +From: Li Fei + +commit c10b90d85a5126d25c89cbaa50dc9fdd1c4d001a upstream. + +Even in failed case of pm_runtime_get_sync, the usage_count +is incremented. In order to keep the usage_count with correct +value and runtime power management to behave correctly, call +pm_runtime_put_noidle in such case. + +In __hwspin_lock_request, module_put is also called before +return in pm_runtime_get_sync failed case. + +Signed-off-by Liu Chuansheng +Signed-off-by: Li Fei +[edit commit log] +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwspinlock/hwspinlock_core.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/hwspinlock/hwspinlock_core.c ++++ b/drivers/hwspinlock/hwspinlock_core.c +@@ -416,6 +416,8 @@ static int __hwspin_lock_request(struct + ret = pm_runtime_get_sync(dev); + if (ret < 0) { + dev_err(dev, "%s: can't power on device\n", __func__); ++ pm_runtime_put_noidle(dev); ++ module_put(dev->driver->owner); + return ret; + } + diff --git a/queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch b/queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch new file mode 100644 index 00000000000..bc7ca5b0944 --- /dev/null +++ b/queue-3.8/mac80211-fix-remain-on-channel-cancel-crash.patch 
@@ -0,0 +1,153 @@ +From 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Mon, 25 Mar 2013 11:51:14 +0100 +Subject: mac80211: fix remain-on-channel cancel crash + +From: Johannes Berg + +commit 3fbd45ca8d1c98f3c2582ef8bc70ade42f70947b upstream. + +If a ROC item is canceled just as it expires, the work +struct may be scheduled while it is running (and waiting +for the mutex). This results in it being run after being +freed, which obviously crashes. + +To fix this don't free it when aborting is requested but +instead mark it as "to be freed", which makes the work a +no-op and allows freeing it outside. + +Reported-by: Jouni Malinen +Tested-by: Jouni Malinen +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 6 ++++-- + net/mac80211/ieee80211_i.h | 3 ++- + net/mac80211/offchannel.c | 23 +++++++++++++++++------ + 3 files changed, 23 insertions(+), 9 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -2499,7 +2499,7 @@ static int ieee80211_cancel_roc(struct i + list_del(&dep->list); + mutex_unlock(&local->mtx); + +- ieee80211_roc_notify_destroy(dep); ++ ieee80211_roc_notify_destroy(dep, true); + return 0; + } + +@@ -2539,7 +2539,7 @@ static int ieee80211_cancel_roc(struct i + ieee80211_start_next_roc(local); + mutex_unlock(&local->mtx); + +- ieee80211_roc_notify_destroy(found); ++ ieee80211_roc_notify_destroy(found, true); + } else { + /* work may be pending so use it all the time */ + found->abort = true; +@@ -2549,6 +2549,8 @@ static int ieee80211_cancel_roc(struct i + + /* work will clean up etc */ + flush_delayed_work(&found->work); ++ WARN_ON(!found->to_be_freed); ++ kfree(found); + } + + return 0; +--- a/net/mac80211/ieee80211_i.h ++++ b/net/mac80211/ieee80211_i.h +@@ -346,6 +346,7 @@ struct ieee80211_roc_work { + struct ieee80211_channel *chan; + + bool started, abort, hw_begun, notified; ++ bool to_be_freed; + + unsigned long hw_start_time; + +@@ -1363,7 
+1364,7 @@ void ieee80211_offchannel_return(struct + void ieee80211_roc_setup(struct ieee80211_local *local); + void ieee80211_start_next_roc(struct ieee80211_local *local); + void ieee80211_roc_purge(struct ieee80211_sub_if_data *sdata); +-void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc); ++void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free); + void ieee80211_sw_roc_work(struct work_struct *work); + void ieee80211_handle_roc_started(struct ieee80211_roc_work *roc); + +--- a/net/mac80211/offchannel.c ++++ b/net/mac80211/offchannel.c +@@ -299,10 +299,13 @@ void ieee80211_start_next_roc(struct iee + } + } + +-void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc) ++void ieee80211_roc_notify_destroy(struct ieee80211_roc_work *roc, bool free) + { + struct ieee80211_roc_work *dep, *tmp; + ++ if (WARN_ON(roc->to_be_freed)) ++ return; ++ + /* was never transmitted */ + if (roc->frame) { + cfg80211_mgmt_tx_status(&roc->sdata->wdev, +@@ -318,9 +321,12 @@ void ieee80211_roc_notify_destroy(struct + GFP_KERNEL); + + list_for_each_entry_safe(dep, tmp, &roc->dependents, list) +- ieee80211_roc_notify_destroy(dep); ++ ieee80211_roc_notify_destroy(dep, true); + +- kfree(roc); ++ if (free) ++ kfree(roc); ++ else ++ roc->to_be_freed = true; + } + + void ieee80211_sw_roc_work(struct work_struct *work) +@@ -333,6 +339,9 @@ void ieee80211_sw_roc_work(struct work_s + + mutex_lock(&local->mtx); + ++ if (roc->to_be_freed) ++ goto out_unlock; ++ + if (roc->abort) + goto finish; + +@@ -372,7 +381,7 @@ void ieee80211_sw_roc_work(struct work_s + finish: + list_del(&roc->list); + started = roc->started; +- ieee80211_roc_notify_destroy(roc); ++ ieee80211_roc_notify_destroy(roc, !roc->abort); + + if (started) { + drv_flush(local, false); +@@ -412,7 +421,7 @@ static void ieee80211_hw_roc_done(struct + + list_del(&roc->list); + +- ieee80211_roc_notify_destroy(roc); ++ ieee80211_roc_notify_destroy(roc, true); + + /* if there's another roc, start 
it now */ + ieee80211_start_next_roc(local); +@@ -462,12 +471,14 @@ void ieee80211_roc_purge(struct ieee8021 + list_for_each_entry_safe(roc, tmp, &tmp_list, list) { + if (local->ops->remain_on_channel) { + list_del(&roc->list); +- ieee80211_roc_notify_destroy(roc); ++ ieee80211_roc_notify_destroy(roc, true); + } else { + ieee80211_queue_delayed_work(&local->hw, &roc->work, 0); + + /* work will clean up etc */ + flush_delayed_work(&roc->work); ++ WARN_ON(!roc->to_be_freed); ++ kfree(roc); + } + } + diff --git a/queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch b/queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch new file mode 100644 index 00000000000..51f62d03700 --- /dev/null +++ b/queue-3.8/mwifiex-limit-channel-number-not-to-overflow-memory.patch @@ -0,0 +1,33 @@ +From 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f Mon Sep 17 00:00:00 2001 +From: Stone Piao +Date: Fri, 29 Mar 2013 19:21:21 -0700 +Subject: mwifiex: limit channel number not to overflow memory + +From: Stone Piao + +commit 901ceba4e81e9dd6b4a3c4c37ee22000a6c5c65f upstream. + +Limit the channel number in scan request, or the driver scan +config structure memory will be overflowed. + +Signed-off-by: Stone Piao +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/cfg80211.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/mwifiex/cfg80211.c ++++ b/drivers/net/wireless/mwifiex/cfg80211.c +@@ -1846,7 +1846,8 @@ mwifiex_cfg80211_scan(struct wiphy *wiph + } + } + +- for (i = 0; i < request->n_channels; i++) { ++ for (i = 0; i < min_t(u32, request->n_channels, ++ MWIFIEX_USER_SCAN_CHAN_MAX); i++) { + chan = request->channels[i]; + priv->user_scan_cfg->chan_list[i].chan_number = chan->hw_value; + priv->user_scan_cfg->chan_list[i].radio_type = chan->band; 
diff --git a/queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch b/queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch new file mode 100644 index 00000000000..7724adf112e --- /dev/null +++ b/queue-3.8/powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch @@ -0,0 +1,42 @@ +From 9fb2640159f9d4f5a2a9d60e490482d4cbecafdb Mon Sep 17 00:00:00 2001 +From: Michael Wolf +Date: Fri, 5 Apr 2013 10:41:40 +0000 +Subject: powerpc: pSeries_lpar_hpte_remove fails from Adjunct partition being performed before the ANDCOND test + +From: Michael Wolf + +commit 9fb2640159f9d4f5a2a9d60e490482d4cbecafdb upstream. + +Some versions of pHyp will perform the adjunct partition test before the +ANDCOND test. The result of this is that H_RESOURCE can be returned and +cause the BUG_ON condition to occur. The HPTE is not removed. So add a +check for H_RESOURCE, it is ok if this HPTE is not removed as +pSeries_lpar_hpte_remove is looking for an HPTE to remove and not a +specific HPTE to remove. So it is ok to just move on to the next slot +and try again. + +Signed-off-by: Michael Wolf +Signed-off-by: Stephen Rothwell +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/platforms/pseries/lpar.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/platforms/pseries/lpar.c ++++ b/arch/powerpc/platforms/pseries/lpar.c +@@ -186,7 +186,13 @@ static long pSeries_lpar_hpte_remove(uns + (0x1UL << 4), &dummy1, &dummy2); + if (lpar_rc == H_SUCCESS) + return i; +- BUG_ON(lpar_rc != H_NOT_FOUND); ++ ++ /* ++ * The test for adjunct partition is performed before the ++ * ANDCOND test. H_RESOURCE may be returned, so we need to ++ * check for that as well. ++ */ ++ BUG_ON(lpar_rc != H_NOT_FOUND && lpar_rc != H_RESOURCE); + + slot_offset++; + slot_offset &= 0x7; 
diff --git a/queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch b/queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch new file mode 100644 index 00000000000..d27f953dd98 --- /dev/null +++ b/queue-3.8/remoteproc-fix-error-path-of-handle_vdev.patch @@ -0,0 +1,38 @@ +From cde42e076c1cdd69a1f955d66ff6596bad3d2105 Mon Sep 17 00:00:00 2001 +From: Sjur Brændeland +Date: Thu, 21 Feb 2013 18:15:32 +0100 +Subject: remoteproc: fix error path of handle_vdev + +From: Sjur Brændeland + +commit cde42e076c1cdd69a1f955d66ff6596bad3d2105 upstream. + +Remove the vdev entry from the list before freeing it, +otherwise rproc->vdevs will explode. + +Signed-off-by: Sjur Brændeland +Acked-by: Ido Yariv +[edit subject, minor commit log edit, cc stable] +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/remoteproc_core.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -370,10 +370,12 @@ static int rproc_handle_vdev(struct rpro + /* it is now safe to add the virtio device */ + ret = rproc_add_virtio_dev(rvdev, rsc->id); + if (ret) +- goto free_rvdev; ++ goto remove_rvdev; + + return 0; + ++remove_rvdev: ++ list_del(&rvdev->node); + free_rvdev: + kfree(rvdev); + return ret; diff --git a/queue-3.8/remoteproc-fix-fw_config-typo.patch b/queue-3.8/remoteproc-fix-fw_config-typo.patch new file mode 100644 index 00000000000..8627062b9fb --- /dev/null +++ b/queue-3.8/remoteproc-fix-fw_config-typo.patch 
@@ -0,0 +1,32 @@ +From c7426bce5933d16b492a34e42ae77e26fceddff6 Mon Sep 17 00:00:00 2001 +From: Robert Tivy +Date: Thu, 28 Mar 2013 18:41:43 -0700 +Subject: remoteproc: fix FW_CONFIG typo + +From: Robert Tivy + +commit c7426bce5933d16b492a34e42ae77e26fceddff6 upstream. + +Fix obvious typo introduced in commit e121aefa7d9f10eee5cf26ed47129237a05d940b +("remoteproc: fix missing CONFIG_FW_LOADER configurations"). + +Signed-off-by: Robert Tivy +[cc stable, slight subject change] +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/Kconfig | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/remoteproc/Kconfig ++++ b/drivers/remoteproc/Kconfig +@@ -5,7 +5,7 @@ config REMOTEPROC + tristate + depends on EXPERIMENTAL + depends on HAS_DMA +- select FW_CONFIG ++ select FW_LOADER + select VIRTIO + + config OMAP_REMOTEPROC diff --git a/queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch b/queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch new file mode 100644 index 00000000000..44736300af0 --- /dev/null +++ b/queue-3.8/remoteproc-ste-fix-memory-leak-on-shutdown.patch 
@@ -0,0 +1,49 @@ +From 1cd425b660bd5b4f41b9175b0b7bf3828ce88144 Mon Sep 17 00:00:00 2001 +From: Dmitry Tarnyagin +Date: Sun, 10 Feb 2013 12:39:04 +0100 +Subject: remoteproc/ste: fix memory leak on shutdown + +From: Dmitry Tarnyagin + +commit 1cd425b660bd5b4f41b9175b0b7bf3828ce88144 upstream. + +Fixes coherent memory leakage, caused by non-deallocated +firmware image chunk. + +Signed-off-by: Dmitry Tarnyagin +Signed-off-by: Sjur Brændeland +Acked-by: Ido Yariv +[slightly edit subject and commit log] +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/ste_modem_rproc.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/remoteproc/ste_modem_rproc.c ++++ b/drivers/remoteproc/ste_modem_rproc.c +@@ -240,6 +240,8 @@ static int sproc_drv_remove(struct platf + + /* Unregister as remoteproc device */ + rproc_del(sproc->rproc); ++ dma_free_coherent(sproc->rproc->dev.parent, SPROC_FW_SIZE, ++ sproc->fw_addr, sproc->fw_dma_addr); + rproc_put(sproc->rproc); + + mdev->drv_data = NULL; +@@ -297,10 +299,13 @@ static int sproc_probe(struct platform_d + /* Register as a remoteproc device */ + err = rproc_add(rproc); + if (err) +- goto free_rproc; ++ goto free_mem; + + return 0; + ++free_mem: ++ dma_free_coherent(rproc->dev.parent, SPROC_FW_SIZE, ++ sproc->fw_addr, sproc->fw_dma_addr); + free_rproc: + /* Reset device data upon error */ + mdev->drv_data = NULL; diff --git a/queue-3.8/series b/queue-3.8/series index d6fc6900ab9..6303aa4e1bd 100644 --- a/queue-3.8/series +++ b/queue-3.8/series 
@@ -29,3 +29,12 @@ alpha-add-irongate_io-to-pci-bus-resources.patch pci-acpi-always-resume-devices-on-acpi-wakeup-notifications.patch pci-pm-disable-runtime-pm-of-pcie-ports.patch ata_piix-fix-dvd-not-dectected-at-some-haswell-platforms.patch +ftrace-consistently-restore-trace-function-on-sysctl-enabling.patch +powerpc-pseries_lpar_hpte_remove-fails-from-adjunct-partition-being-performed-before-the-andcond-test.patch +mwifiex-limit-channel-number-not-to-overflow-memory.patch +mac80211-fix-remain-on-channel-cancel-crash.patch +x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch +hwspinlock-fix-__hwspin_lock_request-error-path.patch +remoteproc-ste-fix-memory-leak-on-shutdown.patch +remoteproc-fix-error-path-of-handle_vdev.patch +remoteproc-fix-fw_config-typo.patch diff --git a/queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch b/queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch new file mode 100644 index 00000000000..0986a08a232 --- /dev/null +++ b/queue-3.8/x86-remove-the-x32-syscall-bitmask-from-syscall_get_nr.patch 
@@ -0,0 +1,63 @@ +From 8b4b9f27e57584f3d90e0bb84cf800ad81cfe3a1 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Fri, 15 Feb 2013 12:21:43 -0500 +Subject: x86: remove the x32 syscall bitmask from syscall_get_nr() + +From: Paul Moore + +commit 8b4b9f27e57584f3d90e0bb84cf800ad81cfe3a1 upstream. + +Commit fca460f95e928bae373daa8295877b6905bc62b8 simplified the x32 +implementation by creating a syscall bitmask, equal to 0x40000000, that +could be applied to x32 syscalls such that the masked syscall number +would be the same as a x86_64 syscall. While that patch was a nice +way to simplify the code, it went a bit too far by adding the mask to +syscall_get_nr(); returning the masked syscall numbers can cause +confusion with callers that expect syscall numbers matching the x32 +ABI, e.g. unmasked syscall numbers. + +This patch fixes this by simply removing the mask from syscall_get_nr() +while preserving the other changes from the original commit. While +there are several syscall_get_nr() callers in the kernel, most simply +check that the syscall number is greater than zero, in this case this +patch will have no effect. Of those remaining callers, they appear +to be few, seccomp and ftrace, and from my testing of seccomp without +this patch the original commit definitely breaks things; the seccomp +filter does not correctly filter the syscalls due to the difference in +syscall numbers in the BPF filter and the value from syscall_get_nr(). +Applying this patch restores the seccomp BPF filter functionality on +x32. + +I've tested this patch with the seccomp BPF filters as well as ftrace +and everything looks reasonable to me; needless to say general usage +seemed fine as well. + +Signed-off-by: Paul Moore +Link: http://lkml.kernel.org/r/20130215172143.12549.10292.stgit@localhost +Cc: Will Drewry +Cc: H. Peter Anvin +Signed-off-by: H. 
Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/syscall.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/syscall.h ++++ b/arch/x86/include/asm/syscall.h +@@ -29,13 +29,13 @@ extern const unsigned long sys_call_tabl + */ + static inline int syscall_get_nr(struct task_struct *task, struct pt_regs *regs) + { +- return regs->orig_ax & __SYSCALL_MASK; ++ return regs->orig_ax; + } + + static inline void syscall_rollback(struct task_struct *task, + struct pt_regs *regs) + { +- regs->ax = regs->orig_ax & __SYSCALL_MASK; ++ regs->ax = regs->orig_ax; + } + + static inline long syscall_get_error(struct task_struct *task,
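Review bot: In the drivers/hwspinlock/hwspinlock_core.c hunk, the pm_runtime_get_sync() failure branch now carries its cleanup inline (pm_runtime_put_noidle(dev); module_put(dev->driver->owner);) directly before return ret. The reference that module_put() drops is taken outside the visible lines, so a one-line comment naming what each call undoes would make the pairing checkable from this branch alone. If __hwspin_lock_request() gains another failure path, a shared unwind label would keep the release order in one place instead of repeating it.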
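Review bot: In the net/mac80211/cfg.c hunk at -2549 (and the matching lines added to ieee80211_roc_purge() in net/mac80211/offchannel.c), WARN_ON(!found->to_be_freed) is followed by an unconditional kfree(found). If the warning ever fires, the work did not take the deferred-free path. Going by the offchannel.c hunks, the work then either already ran kfree(roc) inside ieee80211_roc_notify_destroy() or has not reached the finish label yet, and in both cases freeing here is unsafe. Suggest making the free conditional on the flag, so that a broken invariant leaks the item rather than freeing it twice, and stating in a comment that flush_delayed_work() is what guarantees to_be_freed is set by this point.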
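Review bot: The new field bool to_be_freed; in struct ieee80211_roc_work (net/mac80211/ieee80211_i.h, hunk at -346) has no comment, although it changes who owns the structure: once ieee80211_roc_notify_destroy(roc, false) sets it, the work function becomes a no-op and the caller that flushed the work must kfree() the item. Please document that hand-off on the field or above the prototype. The bare true/false arguments at the call sites are hard to read without it.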
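Review bot: In the drivers/net/wireless/mwifiex/cfg80211.c hunk, the new loop bound min_t(u32, request->n_channels, MWIFIEX_USER_SCAN_CHAN_MAX) silently drops every channel past the limit, so a scan request that names more channels is treated as accepted although only part of it is copied into chan_list. The clamp does stop the write past the end of the array. It would be clearer to compute the bound once into a local before the loop and to log or reject the truncated request there. That also keeps the limit from being re-evaluated in the loop condition and makes the capacity of priv->user_scan_cfg->chan_list the explicit reason for the bound.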
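Review bot: In the arch/powerpc/platforms/pseries/lpar.c hunk, BUG_ON(lpar_rc != H_NOT_FOUND && lpar_rc != H_RESOURCE) still halts the kernel on any other hypervisor return code, which is the same failure mode this change removes for H_RESOURCE. The commit message says pSeries_lpar_hpte_remove() is looking for any HPTE to remove and can simply move on to the next slot. By that reasoning an unexpected code could be reported with a warning and the loop continued. If other codes really must be fatal, the new comment should say why.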
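Review bot: In the drivers/remoteproc/remoteproc_core.c hunk, only the goto after rproc_add_virtio_dev() is retargeted to the new remove_rvdev label, and the point where rvdev->node is added to the list is not among the visible lines. Please confirm that no other goto free_rvdev can be reached after the node has been added. Otherwise that path still frees an entry that is linked into rproc->vdevs, which is the case the commit message describes.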
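Review bot: In the drivers/remoteproc/ste_modem_rproc.c hunks, the two added dma_free_coherent() calls name the device differently, sproc->rproc->dev.parent in sproc_drv_remove() and rproc->dev.parent under free_mem in sproc_probe(), and the matching allocation is not in the visible lines. The device, size and both addresses have to match the allocation exactly, so a small helper shared by both paths would keep the four arguments in one place. In sproc_probe(), also check that every failure after the firmware buffer is allocated jumps to free_mem rather than free_rproc. The hunk retargets only the rproc_add() failure.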
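Review bot: In the arch/x86/include/asm/syscall.h hunk, syscall_rollback() is changed to regs->ax = regs->orig_ax; but the commit message only discusses removing the mask from syscall_get_nr(). Please state there why the rollback path also drops __SYSCALL_MASK. For syscall_get_nr() itself, the comment block above the function should now say that the returned number carries the x32 bit (0x40000000 per the commit message). Callers such as seccomp and ftrace, which the message names, depend on knowing whether they receive the ABI number or the masked table index.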