From: Greg Kroah-Hartman Date: Wed, 9 Oct 2013 04:13:37 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.100~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=39b5f670e6edfb0067fdd5e671add643858664a7;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: asoc-88pm860x-array-overflow-in-snd_soc_put_volsw_2r_st.patch asoc-max98095-a-couple-array-underflows.patch bluetooth-fix-encryption-key-size-for-peripheral-role.patch bluetooth-fix-security-level-for-peripheral-role.patch powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch powerpc-iommu-use-gfp_kernel-instead-of-gfp_atomic-in-iommu_init_table.patch powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch powerpc-vio-fix-modalias_show-return-values.patch --- diff --git a/queue-3.4/asoc-88pm860x-array-overflow-in-snd_soc_put_volsw_2r_st.patch b/queue-3.4/asoc-88pm860x-array-overflow-in-snd_soc_put_volsw_2r_st.patch new file mode 100644 index 00000000000..95247999330 --- /dev/null +++ b/queue-3.4/asoc-88pm860x-array-overflow-in-snd_soc_put_volsw_2r_st.patch @@ -0,0 +1,32 @@ +From d967967e8d1116fb38bad25e58714b5dddd03cca Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 13 Sep 2013 10:52:49 +0300 +Subject: ASoC: 88pm860x: array overflow in snd_soc_put_volsw_2r_st() + +From: Dan Carpenter + +commit d967967e8d1116fb38bad25e58714b5dddd03cca upstream. + +This is called from snd_ctl_elem_write() with user supplied data so we +need to add some bounds checking. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/88pm860x-codec.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/sound/soc/codecs/88pm860x-codec.c ++++ b/sound/soc/codecs/88pm860x-codec.c +@@ -351,6 +351,9 @@ static int snd_soc_put_volsw_2r_st(struc + val = ucontrol->value.integer.value[0]; + val2 = ucontrol->value.integer.value[1]; + ++ if (val >= ARRAY_SIZE(st_table) || val2 >= ARRAY_SIZE(st_table)) ++ return -EINVAL; ++ + err = snd_soc_update_bits(codec, reg, 0x3f, st_table[val].m); + if (err < 0) + return err; diff --git a/queue-3.4/asoc-max98095-a-couple-array-underflows.patch b/queue-3.4/asoc-max98095-a-couple-array-underflows.patch new file mode 100644 index 00000000000..4b7531cf941 --- /dev/null +++ b/queue-3.4/asoc-max98095-a-couple-array-underflows.patch @@ -0,0 +1,41 @@ +From f8d7b13e14357ed19d2ca2799539600418dc3939 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 13 Sep 2013 10:52:14 +0300 +Subject: ASoC: max98095: a couple array underflows + +From: Dan Carpenter + +commit f8d7b13e14357ed19d2ca2799539600418dc3939 upstream. + +The ->put() function are called from snd_ctl_elem_write() with user +supplied data. The limit checks here could underflow leading to a +crash. + +Signed-off-by: Dan Carpenter +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/max98095.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/max98095.c ++++ b/sound/soc/codecs/max98095.c +@@ -1860,7 +1860,7 @@ static int max98095_put_eq_enum(struct s + struct max98095_pdata *pdata = max98095->pdata; + int channel = max98095_get_eq_channel(kcontrol->id.name); + struct max98095_cdata *cdata; +- int sel = ucontrol->value.integer.value[0]; ++ unsigned int sel = ucontrol->value.integer.value[0]; + struct max98095_eq_cfg *coef_set; + int fs, best, best_val, i; + int regmask, regsave; +@@ -2013,7 +2013,7 @@ static int max98095_put_bq_enum(struct s + struct max98095_pdata *pdata = max98095->pdata; + int channel = max98095_get_bq_channel(codec, kcontrol->id.name); + struct max98095_cdata *cdata; +- int sel = ucontrol->value.integer.value[0]; ++ unsigned int sel = ucontrol->value.integer.value[0]; + struct max98095_biquad_cfg *coef_set; + int fs, best, best_val, i; + int regmask, regsave; diff --git a/queue-3.4/bluetooth-fix-encryption-key-size-for-peripheral-role.patch b/queue-3.4/bluetooth-fix-encryption-key-size-for-peripheral-role.patch new file mode 100644 index 00000000000..cad01449278 --- /dev/null +++ b/queue-3.4/bluetooth-fix-encryption-key-size-for-peripheral-role.patch @@ -0,0 +1,32 @@ +From 89cbb4da0abee2f39d75f67f9fd57f7410c8b65c Mon Sep 17 00:00:00 2001 +From: Andre Guedes +Date: Wed, 31 Jul 2013 16:25:29 -0300 +Subject: Bluetooth: Fix encryption key size for peripheral role + +From: Andre Guedes + +commit 89cbb4da0abee2f39d75f67f9fd57f7410c8b65c upstream. + +This patch fixes the connection encryption key size information when +the host is playing the peripheral role. We should set conn->enc_key_ +size in hci_le_ltk_request_evt, otherwise it is left uninitialized. + +Signed-off-by: Andre Guedes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3379,6 +3379,8 @@ static inline void hci_le_ltk_request_ev + else + conn->pending_sec_level = BT_SECURITY_MEDIUM; + ++ conn->enc_key_size = ltk->enc_size; ++ + hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); + + if (ltk->type & HCI_SMP_STK) { diff --git a/queue-3.4/bluetooth-fix-security-level-for-peripheral-role.patch b/queue-3.4/bluetooth-fix-security-level-for-peripheral-role.patch new file mode 100644 index 00000000000..f2f1637b7bf --- /dev/null +++ b/queue-3.4/bluetooth-fix-security-level-for-peripheral-role.patch @@ -0,0 +1,43 @@ +From f8776218e8546397be64ad2bc0ebf4748522d6e3 Mon Sep 17 00:00:00 2001 +From: Andre Guedes +Date: Wed, 31 Jul 2013 16:25:28 -0300 +Subject: Bluetooth: Fix security level for peripheral role + +From: Andre Guedes + +commit f8776218e8546397be64ad2bc0ebf4748522d6e3 upstream. + +While playing the peripheral role, the host gets a LE Long Term Key +Request Event from the controller when a connection is established +with a bonded device. The host then informs the LTK which should be +used for the connection. Once the link is encrypted, the host gets +an Encryption Change Event. + +Therefore we should set conn->pending_sec_level instead of conn-> +sec_level in hci_le_ltk_request_evt. This way, conn->sec_level is +properly updated in hci_encrypt_change_evt. + +Moreover, since we have a LTK associated to the device, we have at +least BT_SECURITY_MEDIUM security level. + +Signed-off-by: Andre Guedes +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -3375,7 +3375,9 @@ static inline void hci_le_ltk_request_ev + cp.handle = cpu_to_le16(conn->handle); + + if (ltk->authenticated) +- conn->sec_level = BT_SECURITY_HIGH; ++ conn->pending_sec_level = BT_SECURITY_HIGH; ++ else ++ conn->pending_sec_level = BT_SECURITY_MEDIUM; + + hci_send_cmd(hdev, HCI_OP_LE_LTK_REPLY, sizeof(cp), &cp); + diff --git a/queue-3.4/powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch b/queue-3.4/powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch new file mode 100644 index 00000000000..c10316e2836 --- /dev/null +++ b/queue-3.4/powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch @@ -0,0 +1,38 @@ +From d9813c3681a36774b254c0cdc9cce53c9e22c756 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Tue, 1 Oct 2013 16:54:05 +1000 +Subject: powerpc: Fix parameter clobber in csum_partial_copy_generic() + +From: "Paul E. McKenney" + +commit d9813c3681a36774b254c0cdc9cce53c9e22c756 upstream. + +The csum_partial_copy_generic() uses register r7 to adjust the remaining +bytes to process. Unfortunately, r7 also holds a parameter, namely the +address of the flag to set in case of access exceptions while reading +the source buffer. Lacking a quantum implementation of PowerPC, this +commit instead uses register r9 to do the adjusting, leaving r7's +pointer uncorrupted. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Anton Blanchard +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/checksum_64.S | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/powerpc/lib/checksum_64.S ++++ b/arch/powerpc/lib/checksum_64.S +@@ -272,8 +272,8 @@ _GLOBAL(csum_partial_copy_generic) + rldicl. r6,r3,64-1,64-2 /* r6 = (r3 & 0x3) >> 1 */ + beq .Lcopy_aligned + +- li r7,4 +- sub r6,r7,r6 ++ li r9,4 ++ sub r6,r9,r6 + mtctr r6 + + 1: diff --git a/queue-3.4/powerpc-iommu-use-gfp_kernel-instead-of-gfp_atomic-in-iommu_init_table.patch b/queue-3.4/powerpc-iommu-use-gfp_kernel-instead-of-gfp_atomic-in-iommu_init_table.patch new file mode 100644 index 00000000000..37908b3c9be --- /dev/null +++ b/queue-3.4/powerpc-iommu-use-gfp_kernel-instead-of-gfp_atomic-in-iommu_init_table.patch @@ -0,0 +1,47 @@ +From 1cf389df090194a0976dc867b7fffe99d9d490cb Mon Sep 17 00:00:00 2001 +From: Nishanth Aravamudan +Date: Tue, 1 Oct 2013 14:04:53 -0700 +Subject: powerpc/iommu: Use GFP_KERNEL instead of GFP_ATOMIC in iommu_init_table() + +From: Nishanth Aravamudan + +commit 1cf389df090194a0976dc867b7fffe99d9d490cb upstream. + +Under heavy (DLPAR?) stress, we tripped this panic() in +arch/powerpc/kernel/iommu.c::iommu_init_table(): + + page = alloc_pages_node(nid, GFP_ATOMIC, get_order(sz)); + if (!page) + panic("iommu_init_table: Can't allocate %ld bytes\n", sz); + +Before the panic() we got a page allocation failure for an order-2 +allocation. There appears to be memory free, but perhaps not in the +ATOMIC context. I looked through all the call-sites of +iommu_init_table() and didn't see any obvious reason to need an ATOMIC +allocation. Most call-sites in fact have an explicit GFP_KERNEL +allocation shortly before the call to iommu_init_table(), indicating we +are not in an atomic context. There is some indirection for some paths, +but I didn't see any locks indicating that GFP_KERNEL is inappropriate. + +With this change under the same conditions, we have not been able to +reproduce the panic. + +Signed-off-by: Nishanth Aravamudan +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/iommu.c ++++ b/arch/powerpc/kernel/iommu.c +@@ -501,7 +501,7 @@ struct iommu_table *iommu_init_table(str + /* number of bytes needed for the bitmap */ + sz = (tbl->it_size + 7) >> 3; + +- page = alloc_pages_node(nid, GFP_ATOMIC, get_order(sz)); ++ page = alloc_pages_node(nid, GFP_KERNEL, get_order(sz)); + if (!page) + panic("iommu_init_table: Can't allocate %ld bytes\n", sz); + tbl->it_map = page_address(page); diff --git a/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch b/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch new file mode 100644 index 00000000000..77c3e1c5a64 --- /dev/null +++ b/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch @@ -0,0 +1,158 @@ +From 8f21bd0090052e740944f9397e2be5ac7957ded7 Mon Sep 17 00:00:00 2001 +From: "Paul E. McKenney" +Date: Tue, 1 Oct 2013 17:11:35 +1000 +Subject: powerpc: Restore registers on error exit from csum_partial_copy_generic() + +From: "Paul E. McKenney" + +commit 8f21bd0090052e740944f9397e2be5ac7957ded7 upstream. + +The csum_partial_copy_generic() function saves the PowerPC non-volatile +r14, r15, and r16 registers for the main checksum-and-copy loop. +Unfortunately, it fails to restore them upon error exit from this loop, +which results in silent corruption of these registers in the presumably +rare event of an access exception within that loop. + +This commit therefore restores these register on error exit from the loop. + +Signed-off-by: Paul E. McKenney +Signed-off-by: Anton Blanchard +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/lib/checksum_64.S | 54 ++++++++++++++++++++++++++++++----------- + 1 file changed, 40 insertions(+), 14 deletions(-) + +--- a/arch/powerpc/lib/checksum_64.S ++++ b/arch/powerpc/lib/checksum_64.S +@@ -229,19 +229,35 @@ _GLOBAL(csum_partial) + blr + + +- .macro source ++ .macro srcnr + 100: + .section __ex_table,"a" + .align 3 +- .llong 100b,.Lsrc_error ++ .llong 100b,.Lsrc_error_nr + .previous + .endm + +- .macro dest ++ .macro source ++150: ++ .section __ex_table,"a" ++ .align 3 ++ .llong 150b,.Lsrc_error ++ .previous ++ .endm ++ ++ .macro dstnr + 200: + .section __ex_table,"a" + .align 3 +- .llong 200b,.Ldest_error ++ .llong 200b,.Ldest_error_nr ++ .previous ++ .endm ++ ++ .macro dest ++250: ++ .section __ex_table,"a" ++ .align 3 ++ .llong 250b,.Ldest_error + .previous + .endm + +@@ -277,11 +293,11 @@ _GLOBAL(csum_partial_copy_generic) + mtctr r6 + + 1: +-source; lhz r6,0(r3) /* align to doubleword */ ++srcnr; lhz r6,0(r3) /* align to doubleword */ + subi r5,r5,2 + addi r3,r3,2 + adde r0,r0,r6 +-dest; sth r6,0(r4) ++dstnr; sth r6,0(r4) + addi r4,r4,2 + bdnz 1b + +@@ -395,10 +411,10 @@ dest; std r16,56(r4) + + mtctr r6 + 3: +-source; ld r6,0(r3) ++srcnr; ld r6,0(r3) + addi r3,r3,8 + adde r0,r0,r6 +-dest; std r6,0(r4) ++dstnr; std r6,0(r4) + addi r4,r4,8 + bdnz 3b + +@@ -408,10 +424,10 @@ dest; std r6,0(r4) + srdi. r6,r5,2 + beq .Lcopy_tail_halfword + +-source; lwz r6,0(r3) ++srcnr; lwz r6,0(r3) + addi r3,r3,4 + adde r0,r0,r6 +-dest; stw r6,0(r4) ++dstnr; stw r6,0(r4) + addi r4,r4,4 + subi r5,r5,4 + +@@ -419,10 +435,10 @@ dest; stw r6,0(r4) + srdi. r6,r5,1 + beq .Lcopy_tail_byte + +-source; lhz r6,0(r3) ++srcnr; lhz r6,0(r3) + addi r3,r3,2 + adde r0,r0,r6 +-dest; sth r6,0(r4) ++dstnr; sth r6,0(r4) + addi r4,r4,2 + subi r5,r5,2 + +@@ -430,10 +446,10 @@ dest; sth r6,0(r4) + andi. r6,r5,1 + beq .Lcopy_finish + +-source; lbz r6,0(r3) ++srcnr; lbz r6,0(r3) + sldi r9,r6,8 /* Pad the byte out to 16 bits */ + adde r0,r0,r9 +-dest; stb r6,0(r4) ++dstnr; stb r6,0(r4) + + .Lcopy_finish: + addze r0,r0 /* add in final carry */ +@@ -443,6 +459,11 @@ dest; stb r6,0(r4) + blr + + .Lsrc_error: ++ ld r14,STK_REG(R14)(r1) ++ ld r15,STK_REG(R15)(r1) ++ ld r16,STK_REG(R16)(r1) ++ addi r1,r1,STACKFRAMESIZE ++.Lsrc_error_nr: + cmpdi 0,r7,0 + beqlr + li r6,-EFAULT +@@ -450,6 +471,11 @@ dest; stb r6,0(r4) + blr + + .Ldest_error: ++ ld r14,STK_REG(R14)(r1) ++ ld r15,STK_REG(R15)(r1) ++ ld r16,STK_REG(R16)(r1) ++ addi r1,r1,STACKFRAMESIZE ++.Ldest_error_nr: + cmpdi 0,r8,0 + beqlr + li r6,-EFAULT diff --git a/queue-3.4/powerpc-vio-fix-modalias_show-return-values.patch b/queue-3.4/powerpc-vio-fix-modalias_show-return-values.patch new file mode 100644 index 00000000000..e341d5a7b04 --- /dev/null +++ b/queue-3.4/powerpc-vio-fix-modalias_show-return-values.patch @@ -0,0 +1,50 @@ +From e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Mon, 23 Sep 2013 09:33:36 -0400 +Subject: powerpc/vio: Fix modalias_show return values + +From: Prarit Bhargava + +commit e82b89a6f19bae73fb064d1b3dd91fcefbb478f4 upstream. + +modalias_show() should return an empty string on error, not -ENODEV. + +This causes the following false and annoying error: + +> find /sys/devices -name modalias -print0 | xargs -0 cat >/dev/null +cat: /sys/devices/vio/4000/modalias: No such device +cat: /sys/devices/vio/4001/modalias: No such device +cat: /sys/devices/vio/4002/modalias: No such device +cat: /sys/devices/vio/4004/modalias: No such device +cat: /sys/devices/vio/modalias: No such device + +Signed-off-by: Prarit Bhargava +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/vio.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/powerpc/kernel/vio.c ++++ b/arch/powerpc/kernel/vio.c +@@ -1341,11 +1341,15 @@ static ssize_t modalias_show(struct devi + const char *cp; + + dn = dev->of_node; +- if (!dn) +- return -ENODEV; ++ if (!dn) { ++ strcat(buf, "\n"); ++ return strlen(buf); ++ } + cp = of_get_property(dn, "compatible", NULL); +- if (!cp) +- return -ENODEV; ++ if (!cp) { ++ strcat(buf, "\n"); ++ return strlen(buf); ++ } + + return sprintf(buf, "vio:T%sS%s\n", vio_dev->type, cp); + } diff --git a/queue-3.4/series b/queue-3.4/series index 1f31fac8a6e..018521a9949 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -17,3 +17,11 @@ bonding-fix-broken-promiscuity-reference-counting-issue.patch ipv4-igmp-use-in_dev_put-in-timer-handlers-instead-of-__in_dev_put.patch ipv6-mcast-use-in6_dev_put-in-timer-handlers-instead-of-__in6_dev_put.patch ll_temac-reset-dma-descriptors-indexes-on-ndo_open.patch +asoc-max98095-a-couple-array-underflows.patch +asoc-88pm860x-array-overflow-in-snd_soc_put_volsw_2r_st.patch +powerpc-iommu-use-gfp_kernel-instead-of-gfp_atomic-in-iommu_init_table.patch +powerpc-vio-fix-modalias_show-return-values.patch +powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch +powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch +bluetooth-fix-security-level-for-peripheral-role.patch +bluetooth-fix-encryption-key-size-for-peripheral-role.patch