From: Greg Kroah-Hartman Date: Thu, 28 Apr 2016 00:06:13 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.68~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=34d637e11e466e947817db935515b0ea051ff91a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch assoc_array-don-t-call-compare_object-on-a-node.patch usb-hcd-out-of-bounds-access-in-for_each_companion.patch usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
---
diff --git a/queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch b/queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
new file mode 100644
index 00000000000..35cfa00c54d
--- /dev/null
+++ b/queue-3.14/arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
@@ -0,0 +1,56 @@
+From 3ca4a238106dedc285193ee47f494a6584b6fd2f Mon Sep 17 00:00:00 2001
+From: Lokesh Vutla
+Date: Sat, 26 Mar 2016 23:08:55 -0600
+Subject: ARM: OMAP2+: hwmod: Fix updating of sysconfig register
+
+From: Lokesh Vutla
+
+commit 3ca4a238106dedc285193ee47f494a6584b6fd2f upstream.
+
+Commit 127500ccb766f ("ARM: OMAP2+: Only write the sysconfig on idle
+when necessary") talks about verification of sysconfig cache value before
+updating it, only during idle path. But the patch is adding the
+verification in the enable path. So, adding the check in a proper place
+as per the commit description.
+
+Not keeping this check during enable path as there is a chance of losing
+context and it is safe to do on idle as the context of the register will
+never be lost while the device is active.
+
+Signed-off-by: Lokesh Vutla
+Acked-by: Tero Kristo
+Cc: Jon Hunter
+Fixes: commit 127500ccb766 "ARM: OMAP2+: Only write the sysconfig on idle when necessary"
+[paul@pwsan.com: appears to have been caused by my own mismerge of the
+ originally posted patch]
+Signed-off-by: Paul Walmsley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mach-omap2/omap_hwmod.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/mach-omap2/omap_hwmod.c
++++ b/arch/arm/mach-omap2/omap_hwmod.c
+@@ -1439,9 +1439,7 @@ static void _enable_sysc(struct omap_hwm
+ (sf & SYSC_HAS_CLOCKACTIVITY))
+ _set_clockactivity(oh, oh->class->sysc->clockact, &v);
+
+- /* If the cached value is the same as the new value, skip the write */
+- if (oh->_sysc_cache != v)
+- _write_sysconfig(v, oh);
++ _write_sysconfig(v, oh);
+
+ /*
+ * Set the autoidle bit only after setting the smartidle bit
+@@ -1504,7 +1502,9 @@ static void _idle_sysc(struct omap_hwmod
+ _set_master_standbymode(oh, idlemode, &v);
+ }
+
+- _write_sysconfig(v, oh);
++ /* If the cached value is the same as the new value, skip the write */
++ if (oh->_sysc_cache != v)
++ _write_sysconfig(v, oh);
+ }
+
+ /**
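Review bot: In `_enable_sysc()` the write is now unconditional but nothing in the code says why, and the comment moved into `_idle_sysc()` only restates the comparison. The reason given in the commit message (register context may be lost before enable, so `_sysc_cache` can be stale there, whereas it cannot be lost while the device is active) belongs next to both sites; without it the cache check is easy to re-add on the enable path, which is how the mismerge mentioned in the message happened. For example, above the enable-path write: `/* Always write: context may have been lost, so _sysc_cache cannot be trusted here */`. Both functions begin outside the hunks shown.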
diff --git a/queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch b/queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch
new file mode 100644
index 00000000000..5e716a85c91
--- /dev/null
+++ b/queue-3.14/assoc_array-don-t-call-compare_object-on-a-node.patch
@@ -0,0 +1,112 @@
+From 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 Mon Sep 17 00:00:00 2001
+From: Jerome Marchand
+Date: Wed, 6 Apr 2016 14:06:48 +0100
+Subject: assoc_array: don't call compare_object() on a node
+
+From: Jerome Marchand
+
+commit 8d4a2ec1e0b41b0cf9a0c5cd4511da7f8e4f3de2 upstream.
+
+Changes since V1: fixed the description and added KASan warning.
+
+In assoc_array_insert_into_terminal_node(), we call the
+compare_object() method on all non-empty slots, even when they're
+not leaves, passing a pointer to an unexpected structure to
+compare_object(). Currently it causes an out-of-bound read access
+in keyring_compare_object detected by KASan (see below). The issue
+is easily reproduced with keyutils testsuite.
+Only call compare_object() when the slot is a leave.
+
+KASan warning:
+==================================================================
+BUG: KASAN: slab-out-of-bounds in keyring_compare_object+0x213/0x240 at addr ffff880060a6f838
+Read of size 8 by task keyctl/1655
+=============================================================================
+BUG kmalloc-192 (Not tainted): kasan: bad access detected
+-----------------------------------------------------------------------------
+
+Disabling lock debugging due to kernel taint
+INFO: Allocated in assoc_array_insert+0xfd0/0x3a60 age=69 cpu=1 pid=1647
+ ___slab_alloc+0x563/0x5c0
+ __slab_alloc+0x51/0x90
+ kmem_cache_alloc_trace+0x263/0x300
+ assoc_array_insert+0xfd0/0x3a60
+ __key_link_begin+0xfc/0x270
+ key_create_or_update+0x459/0xaf0
+ SyS_add_key+0x1ba/0x350
+ entry_SYSCALL_64_fastpath+0x12/0x76
+INFO: Slab 0xffffea0001829b80 objects=16 used=8 fp=0xffff880060a6f550 flags=0x3fff8000004080
+INFO: Object 0xffff880060a6f740 @offset=5952 fp=0xffff880060a6e5d1
+
+Bytes b4 ffff880060a6f730: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f740: d1 e5 a6 60 00 88 ff ff 0e 00 00 00 00 00 00 00 ...`............
+Object ffff880060a6f750: 02 cf 8e 60 00 88 ff ff 02 c0 8e 60 00 88 ff ff ...`.......`....
+Object ffff880060a6f760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f770: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f790: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7d0: 02 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+Object ffff880060a6f7f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+CPU: 0 PID: 1655 Comm: keyctl Tainted: G B 4.5.0-rc4-kasan+ #291
+Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011
+ 0000000000000000 000000001b2800b4 ffff880060a179e0 ffffffff81b60491
+ ffff88006c802900 ffff880060a6f740 ffff880060a17a10 ffffffff815e2969
+ ffff88006c802900 ffffea0001829b80 ffff880060a6f740 ffff880060a6e650
+Call Trace:
+ [] dump_stack+0x85/0xc4
+ [] print_trailer+0xf9/0x150
+ [] object_err+0x34/0x40
+ [] kasan_report_error+0x230/0x550
+ [] ? keyring_get_key_chunk+0x13e/0x210
+ [] __asan_report_load_n_noabort+0x5d/0x70
+ [] ? keyring_compare_object+0x213/0x240
+ [] keyring_compare_object+0x213/0x240
+ [] assoc_array_insert+0x86c/0x3a60
+ [] ? assoc_array_cancel_edit+0x70/0x70
+ [] ? __key_link_begin+0x20d/0x270
+ [] __key_link_begin+0xfc/0x270
+ [] key_create_or_update+0x459/0xaf0
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] ? key_type_lookup+0xc0/0xc0
+ [] ? lookup_user_key+0x13d/0xcd0
+ [] ? memdup_user+0x53/0x80
+ [] SyS_add_key+0x1ba/0x350
+ [] ? key_get_type_from_user.constprop.6+0xa0/0xa0
+ [] ? retint_user+0x18/0x23
+ [] ? trace_hardirqs_on_caller+0x3fe/0x580
+ [] ? trace_hardirqs_on_thunk+0x17/0x19
+ [] entry_SYSCALL_64_fastpath+0x12/0x76
+Memory state around the buggy address:
+ ffff880060a6f700: fc fc fc fc fc fc fc fc 00 00 00 00 00 00 00 00
+ ffff880060a6f780: 00 00 00 00 00 00 00 00 00 00 00 fc fc fc fc fc
+>ffff880060a6f800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ^
+ ffff880060a6f880: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
+ ffff880060a6f900: fc fc fc fc fc fc 00 00 00 00 00 00 00 00 00 00
+==================================================================
+
+Signed-off-by: Jerome Marchand
+Signed-off-by: David Howells
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/assoc_array.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/lib/assoc_array.c
++++ b/lib/assoc_array.c
+@@ -523,7 +523,9 @@ static bool assoc_array_insert_into_term
+ free_slot = i;
+ continue;
+ }
+- if (ops->compare_object(assoc_array_ptr_to_leaf(ptr), index_key)) {
++ if (assoc_array_ptr_is_leaf(ptr) &&
++ ops->compare_object(assoc_array_ptr_to_leaf(ptr),
++ index_key)) {
+ pr_devel("replace in slot %d\n", i);
+ edit->leaf_p = &node->slots[i];
+ edit->dead_leaf = node->slots[i];
diff --git a/queue-3.14/series b/queue-3.14/series
index b8885f4fcf0..aec5c2fe2ae 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -1,5 +1,4 @@
 arm-omap2-hwmod-fix-updating-of-sysconfig-register.patch
 assoc_array-don-t-call-compare_object-on-a-node.patch
-usb-host-xhci-plat-fix-cannot-work-if-r-car-gen2-3-run-on-above-4gb-phys.patch
 usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
 usb-hcd-out-of-bounds-access-in-for_each_companion.patch
diff --git a/queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch b/queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch
new file mode 100644
index 00000000000..ceffdd68a57
--- /dev/null
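Review bot: The new `assoc_array_ptr_is_leaf(ptr)` guard in `assoc_array_insert_into_terminal_node()` carries no comment, although it is the only thing that keeps a non-leaf slot pointer from being converted by `assoc_array_ptr_to_leaf()` and handed to `->compare_object()`, which is the slab-out-of-bounds read shown in the KASan report. A one-line comment above the condition would record that invariant, e.g. `/* Slots can hold non-leaf pointers; only a leaf may be passed to ->compare_object() */`. The loop body continues outside the hunk, so it is worth confirming that any other `assoc_array_ptr_to_leaf()` use in this function is preceded by the same check.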
+++ b/queue-3.14/usb-hcd-out-of-bounds-access-in-for_each_companion.patch
@@ -0,0 +1,40 @@
+From e86103a75705c7c530768f4ffaba74cf382910f2 Mon Sep 17 00:00:00 2001
+From: Robert Dobrowolski
+Date: Thu, 24 Mar 2016 03:30:07 -0700
+Subject: usb: hcd: out of bounds access in for_each_companion
+
+From: Robert Dobrowolski
+
+commit e86103a75705c7c530768f4ffaba74cf382910f2 upstream.
+
+On BXT platform Host Controller and Device Controller figure as
+same PCI device but with different device function. HCD should
+not pass data to Device Controller but only to Host Controllers.
+Checking if companion device is Host Controller, otherwise skip.
+
+Signed-off-by: Robert Dobrowolski
+Acked-by: Alan Stern
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hcd-pci.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -74,6 +74,15 @@ static void for_each_companion(struct pc
+ if (companion->bus != pdev->bus ||
+ PCI_SLOT(companion->devfn) != slot)
+ continue;
++
++ /*
++ * Companion device should be either UHCI,OHCI or EHCI host
++ * controller, otherwise skip.
++ */
++ if (companion->class != CL_UHCI && companion->class != CL_OHCI &&
++ companion->class != CL_EHCI)
++ continue;
++
+ companion_hcd = pci_get_drvdata(companion);
+ if (!companion_hcd || !companion_hcd->self.root_hub)
+ continue;
diff --git a/queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch b/queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
new file mode 100644
index 00000000000..0dc4adac112
--- /dev/null
+++ b/queue-3.14/usb-xhci-fix-wild-pointers-in-xhci_mem_cleanup.patch
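Review bot: The comment added in `for_each_companion()` names the accepted classes but not the reason, which is a memory-safety one: `pci_get_drvdata(companion)` is read as a `struct usb_hcd *` a few lines below, so for a sibling PCI function that is presumably bound to a non-HCD driver, `companion_hcd->self.root_hub` would dereference another driver's private data. I would say so in the comment, e.g. `/* drvdata is only a struct usb_hcd for UHCI, OHCI or EHCI functions; skip anything else */`, and add the missing space in `UHCI,OHCI`. The class test is an allow-list, which is the right shape for this check. The function continues past the end of the hunk.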
@@ -0,0 +1,38 @@
+From 71504062a7c34838c3fccd92c447f399d3cb5797 Mon Sep 17 00:00:00 2001
+From: Lu Baolu
+Date: Fri, 8 Apr 2016 16:25:09 +0300
+Subject: usb: xhci: fix wild pointers in xhci_mem_cleanup
+
+From: Lu Baolu
+
+commit 71504062a7c34838c3fccd92c447f399d3cb5797 upstream.
+
+This patch fixes some wild pointers produced by xhci_mem_cleanup.
+These wild pointers will cause system crash if xhci_mem_cleanup()
+is called twice.
+
+Reported-and-tested-by: Pengcheng Li
+Signed-off-by: Lu Baolu
+Signed-off-by: Mathias Nyman
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-mem.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/usb/host/xhci-mem.c
++++ b/drivers/usb/host/xhci-mem.c
+@@ -1785,6 +1785,12 @@ no_bw:
+ kfree(xhci->rh_bw);
+ kfree(xhci->ext_caps);
+
++ xhci->usb2_ports = NULL;
++ xhci->usb3_ports = NULL;
++ xhci->port_array = NULL;
++ xhci->rh_bw = NULL;
++ xhci->ext_caps = NULL;
++
+ xhci->page_size = 0;
+ xhci->page_shift = 0;
+ xhci->bus_state[0].bus_suspended = 0;
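Review bot: The five `= NULL` resets are grouped in one block after the `kfree()` calls rather than placed next to the free each belongs to; only `kfree(xhci->rh_bw)` and `kfree(xhci->ext_caps)` are visible in the hunk, and the frees for `usb2_ports`, `usb3_ports` and `port_array` are presumably above it. Pairing each free with its reset, e.g. `kfree(xhci->rh_bw); xhci->rh_bw = NULL;`, makes it harder for a free added later to miss its reset and bring back the crash on a second `xhci_mem_cleanup()` call. The rest of the function is outside the hunk, so it is worth checking that no other pointer freed earlier in it is left dangling.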