From: Greg Kroah-Hartman Date: Fri, 31 May 2013 23:45:35 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.81~23 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=464338cfca9c6e6f241d04b020bad7281995c854;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch drm-radeon-fix-card_posted-check-for-newer-asics.patch usb-io_ti-fix-null-dereference-in-chase_port.patch --- diff --git a/queue-3.0/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch b/queue-3.0/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch new file mode 100644 index 00000000000..307ae7e6ecf --- /dev/null +++ b/queue-3.0/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch @@ -0,0 +1,42 @@ +From 166faf21bd14bc5c5295a44874bf7f3930c30b20 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Fri, 24 May 2013 07:40:04 -0400 +Subject: cifs: fix potential buffer overrun when composing a new options string + +From: Jeff Layton + +commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream. + +Consider the case where we have a very short ip= string in the original +mount options, and when we chase a referral we end up with a very long +IPv6 address. Be sure to allow for that possibility when estimating the +size of the string to allocate. + +Signed-off-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifs_dfs_ref.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifs_dfs_ref.c ++++ b/fs/cifs/cifs_dfs_ref.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + #include "cifsglob.h" + #include "cifsproto.h" + #include "cifsfs.h" +@@ -149,7 +150,8 @@ char *cifs_compose_mount_options(const c + * assuming that we have 'unc=' and 'ip=' in + * the original sb_mountdata + */ +- md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12; ++ md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 + ++ INET6_ADDRSTRLEN; + mountdata = kzalloc(md_len+1, GFP_KERNEL); + if (mountdata == NULL) { + rc = -ENOMEM; diff --git a/queue-3.0/drm-radeon-fix-card_posted-check-for-newer-asics.patch b/queue-3.0/drm-radeon-fix-card_posted-check-for-newer-asics.patch new file mode 100644 index 00000000000..b75db4c4b28 --- /dev/null +++ b/queue-3.0/drm-radeon-fix-card_posted-check-for-newer-asics.patch @@ -0,0 +1,52 @@ +From 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Wed, 22 May 2013 11:22:51 -0400 +Subject: drm/radeon: fix card_posted check for newer asics + +From: Alex Deucher + +commit 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a upstream. + +Newer asics have variable numbers of crtcs. Use that +rather than the asic family to determine which crtcs +to check. This avoids checking non-existent crtcs or +missing crtcs on certain asics. + +Reviewed-by: Michel Dänzer +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_device.c | 19 +++++++++---------- + 1 file changed, 9 insertions(+), 10 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -352,18 +352,17 @@ bool radeon_card_posted(struct radeon_de + uint32_t reg; + + /* first check CRTCs */ +- if (ASIC_IS_DCE41(rdev)) { ++ if (ASIC_IS_DCE4(rdev)) { + reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) | + RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET); +- if (reg & EVERGREEN_CRTC_MASTER_EN) +- return true; +- } else if (ASIC_IS_DCE4(rdev)) { +- reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) | +- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET) | +- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) | +- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET) | +- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) | +- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET); ++ if (rdev->num_crtc >= 4) { ++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) | ++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET); ++ } ++ if (rdev->num_crtc >= 6) { ++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) | ++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET); ++ } + if (reg & EVERGREEN_CRTC_MASTER_EN) + return true; + } else if (ASIC_IS_AVIVO(rdev)) { diff --git a/queue-3.0/series b/queue-3.0/series index 4e590ddd846..c84587e6f51 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -21,3 +21,6 @@ mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch drivers-block-brd.c-fix-brd_lookup_page-race.patch mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch um-serve-io_remap_pfn_range.patch +drm-radeon-fix-card_posted-check-for-newer-asics.patch +cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch +usb-io_ti-fix-null-dereference-in-chase_port.patch diff --git a/queue-3.0/usb-io_ti-fix-null-dereference-in-chase_port.patch b/queue-3.0/usb-io_ti-fix-null-dereference-in-chase_port.patch new file mode 100644 index 00000000000..e17bec08dc3 --- /dev/null +++ b/queue-3.0/usb-io_ti-fix-null-dereference-in-chase_port.patch @@ -0,0 +1,102 @@ +From 1ee0a224bc9aad1de496c795f96bc6ba2c394811 Mon Sep 17 00:00:00 2001 +From: Wolfgang Frisch +Date: Thu, 17 Jan 2013 01:07:02 +0100 +Subject: USB: io_ti: Fix NULL dereference in chase_port() + +From: Wolfgang Frisch + +commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream. + +The tty is NULL when the port is hanging up. +chase_port() needs to check for this. + +This patch is intended for stable series. +The behavior was observed and tested in Linux 3.2 and 3.7.1. + +Johan Hovold submitted a more elaborate patch for the mainline kernel. + +[ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84 +[ 56.278811] usb 1-1: USB disconnect, device number 3 +[ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read! +[ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8 +[ 56.280536] IP: [] _raw_spin_lock_irqsave+0x19/0x35 +[ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0 +[ 56.282085] Oops: 0002 [#1] SMP +[ 56.282744] Modules linked in: +[ 56.283512] CPU 1 +[ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox +[ 56.283512] RIP: 0010:[] [] _raw_spin_lock_irqsave+0x19/0x35 +[ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046 +[ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064 +[ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8 +[ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000 +[ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0 +[ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4 +[ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000 +[ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0 +[ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80) +[ 56.283512] Stack: +[ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c +[ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001 +[ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296 +[ 56.283512] Call Trace: +[ 56.283512] [] ? add_wait_queue+0x12/0x3c +[ 56.283512] [] ? usb_serial_port_work+0x28/0x28 +[ 56.283512] [] ? chase_port+0x84/0x2d6 +[ 56.283512] [] ? try_to_wake_up+0x199/0x199 +[ 56.283512] [] ? tty_ldisc_hangup+0x222/0x298 +[ 56.283512] [] ? edge_close+0x64/0x129 +[ 56.283512] [] ? __wake_up+0x35/0x46 +[ 56.283512] [] ? should_resched+0x5/0x23 +[ 56.283512] [] ? tty_port_shutdown+0x39/0x44 +[ 56.283512] [] ? usb_serial_port_work+0x28/0x28 +[ 56.283512] [] ? __tty_hangup+0x307/0x351 +[ 56.283512] [] ? usb_hcd_flush_endpoint+0xde/0xed +[ 56.283512] [] ? _raw_spin_lock_irqsave+0x14/0x35 +[ 56.283512] [] ? usb_serial_disconnect+0x57/0xc2 +[ 56.283512] [] ? usb_unbind_interface+0x5c/0x131 +[ 56.283512] [] ? __device_release_driver+0x7f/0xd5 +[ 56.283512] [] ? device_release_driver+0x1a/0x25 +[ 56.283512] [] ? bus_remove_device+0xd2/0xe7 +[ 56.283512] [] ? device_del+0x119/0x167 +[ 56.283512] [] ? usb_disable_device+0x6a/0x180 +[ 56.283512] [] ? usb_disconnect+0x81/0xe6 +[ 56.283512] [] ? hub_thread+0x577/0xe82 +[ 56.283512] [] ? __schedule+0x490/0x4be +[ 56.283512] [] ? abort_exclusive_wait+0x79/0x79 +[ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f +[ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f +[ 56.283512] [] ? kthread+0x81/0x89 +[ 56.283512] [] ? __kthread_parkme+0x5c/0x5c +[ 56.283512] [] ? ret_from_fork+0x7c/0xb0 +[ 56.283512] [] ? __kthread_parkme+0x5c/0x5c +[ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00 + 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66 +[ 56.283512] RIP [] _raw_spin_lock_irqsave+0x19/0x35 +[ 56.283512] RSP +[ 56.283512] CR2: 00000000000001c8 +[ 56.283512] ---[ end trace 49714df27e1679ce ]--- + +Signed-off-by: Wolfgang Frisch +Cc: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/io_ti.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/serial/io_ti.c ++++ b/drivers/usb/serial/io_ti.c +@@ -558,6 +558,9 @@ static void chase_port(struct edgeport_p + wait_queue_t wait; + unsigned long flags; + ++ if (!tty) ++ return; ++ + if (!timeout) + timeout = (HZ * EDGE_CLOSING_WAIT)/100; +