From: Greg Kroah-Hartman Date: Sun, 14 Aug 2016 15:43:01 +0000 (+0200) Subject: 3.14-stable patches X-Git-Tag: v3.14.76~20 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5c4551b456fe8a0359b1f497fd2d23f5a5fa7346;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch arm-oabi-compat-add-missing-access-checks.patch cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch ib-security-restrict-use-of-the-write-interface.patch keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch random-strengthen-input-validation-for-rndaddtoentcnt.patch scsi-remove-scsi_end_request.patch scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch usb-quirk-fix.patch
---
diff --git a/queue-3.14/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch b/queue-3.14/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
new file mode 100644
index 00000000000..80d7f82019b
--- /dev/null
+++ b/queue-3.14/apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
@@ -0,0 +1,27 @@
+From 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 Mon Sep 17 00:00:00 2001
+From: John Johansen
+Date: Wed, 18 Nov 2015 11:41:05 -0800
+Subject: apparmor: fix ref count leak when profile sha1 hash is read
+
+From: John Johansen
+
+commit 0b938a2e2cf0b0a2c8bac9769111545aff0fee97 upstream.
+
+Signed-off-by: John Johansen
+Acked-by: Seth Arnold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/apparmor/apparmorfs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/security/apparmor/apparmorfs.c
++++ b/security/apparmor/apparmorfs.c
+@@ -331,6 +331,7 @@ static int aa_fs_seq_hash_show(struct se
+ seq_printf(seq, "%.2x", profile->hash[i]);
+ seq_puts(seq, "\n");
+ }
++ aa_put_profile(profile);
+
+ return 0;
+ }
diff --git a/queue-3.14/arm-oabi-compat-add-missing-access-checks.patch b/queue-3.14/arm-oabi-compat-add-missing-access-checks.patch
new file mode 100644
index 00000000000..b34275e95cb
--- /dev/null
+++ b/queue-3.14/arm-oabi-compat-add-missing-access-checks.patch
@@ -0,0 +1,49 @@
+From 7de249964f5578e67b99699c5f0b405738d820a2 Mon Sep 17 00:00:00 2001
+From: Dave Weinstein
+Date: Thu, 28 Jul 2016 11:55:41 -0700
+Subject: arm: oabi compat: add missing access checks
+
+From: Dave Weinstein
+
+commit 7de249964f5578e67b99699c5f0b405738d820a2 upstream.
+
+Add access checks to sys_oabi_epoll_wait() and sys_oabi_semtimedop().
+This fixes CVE-2016-3857, a local privilege escalation under
+CONFIG_OABI_COMPAT.
+
+Reported-by: Chiachih Wu
+Reviewed-by: Kees Cook
+Reviewed-by: Nicolas Pitre
+Signed-off-by: Dave Weinstein
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/sys_oabi-compat.c | 8 +++++++-
+ 1 file changed, 7 insertions(+), 1 deletion(-)
+
+--- a/arch/arm/kernel/sys_oabi-compat.c
++++ b/arch/arm/kernel/sys_oabi-compat.c
+@@ -275,8 +275,12 @@ asmlinkage long sys_oabi_epoll_wait(int
+ mm_segment_t fs;
+ long ret, err, i;
+
+- if (maxevents <= 0 || maxevents > (INT_MAX/sizeof(struct epoll_event)))
++ if (maxevents <= 0 ||
++ maxevents > (INT_MAX/sizeof(*kbuf)) ||
++ maxevents > (INT_MAX/sizeof(*events)))
+ return -EINVAL;
++ if (!access_ok(VERIFY_WRITE, events, sizeof(*events) * maxevents))
++ return -EFAULT;
+ kbuf = kmalloc(sizeof(*kbuf) * maxevents, GFP_KERNEL);
+ if (!kbuf)
+ return -ENOMEM;
+@@ -313,6 +317,8 @@ asmlinkage long sys_oabi_semtimedop(int
+
+ if (nsops < 1 || nsops > SEMOPM)
+ return -EINVAL;
++ if (!access_ok(VERIFY_READ, tsops, sizeof(*tsops) * nsops))
++ return -EFAULT;
+ sops = kmalloc(sizeof(*sops) * nsops, GFP_KERNEL);
+ if (!sops)
+ return -ENOMEM;
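Review bot: In arm-oabi-compat-add-missing-access-checks.patch, the two added access_ok() calls in sys_oabi_epoll_wait() and sys_oabi_semtimedop() carry no comment saying why they must stay, so a later cleanup could drop them as redundant. The commit message ties them to CVE-2016-3857; presumably the per-element copies further down (outside both inner hunks) use accessors that skip the range check, which is worth confirming and stating. I would add above each check something like `/* user range is validated once here; the per-element copies below rely on it */`. The added `maxevents > (INT_MAX/sizeof(*events))` bound is what keeps `sizeof(*events) * maxevents` from wrapping before access_ok() sees it, so that ordering should be kept.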
diff --git a/queue-3.14/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch b/queue-3.14/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch
new file mode 100644
index 00000000000..fce3058a941
--- /dev/null
+++ b/queue-3.14/cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch
@@ -0,0 +1,88 @@
+From 4d06dd537f95683aba3651098ae288b7cbff8274 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Bj=C3=B8rn=20Mork?=
+Date: Mon, 7 Mar 2016 21:15:36 +0100
+Subject: cdc_ncm: do not call usbnet_link_change from cdc_ncm_bind
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Bjørn Mork
+
+commit 4d06dd537f95683aba3651098ae288b7cbff8274 upstream.
+
+usbnet_link_change will call schedule_work and should be
+avoided if bind is failing. Otherwise we will end up with
+scheduled work referring to a netdev which has gone away.
+
+Instead of making the call conditional, we can just defer
+it to usbnet_probe, using the driver_info flag made for
+this purpose.
+
+Fixes: 8a34b0ae8778 ("usbnet: cdc_ncm: apply usbnet_link_change")
+Reported-by: Andrey Konovalov
+Suggested-by: Linus Torvalds
+Signed-off-by: Bjørn Mork
+Signed-off-by: David S. Miller
+[ciwillia@brocade.com: backported to 3.14: adjusted context]
+Signed-off-by: Charles (Chas) Williams
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/usb/cdc_ncm.c | 20 +++++---------------
+ 1 file changed, 5 insertions(+), 15 deletions(-)
+
+--- a/drivers/net/usb/cdc_ncm.c
++++ b/drivers/net/usb/cdc_ncm.c
+@@ -571,24 +571,13 @@ EXPORT_SYMBOL_GPL(cdc_ncm_select_altsett
+
+ static int cdc_ncm_bind(struct usbnet *dev, struct usb_interface *intf)
+ {
+- int ret;
+-
+ /* MBIM backwards compatible function? */
+ cdc_ncm_select_altsetting(dev, intf);
+ if (cdc_ncm_comm_intf_is_mbim(intf->cur_altsetting))
+ return -ENODEV;
+
+ /* NCM data altsetting is always 1 */
+- ret = cdc_ncm_bind_common(dev, intf, 1);
+-
+- /*
+- * We should get an event when network connection is "connected" or
+- * "disconnected". Set network connection in "disconnected" state
+- * (carrier is OFF) during attach, so the IP network stack does not
+- * start IPv6 negotiation and more.
+- */
+- usbnet_link_change(dev, 0, 0);
+- return ret;
++ return cdc_ncm_bind_common(dev, intf, 1);
+ }
+
+ static void cdc_ncm_align_tail(struct sk_buff *skb, size_t modulus, size_t remainder, size_t max)
+@@ -1117,7 +1106,8 @@ static int cdc_ncm_check_connect(struct
+
+ static const struct driver_info cdc_ncm_info = {
+ .description = "CDC NCM",
+- .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET,
++ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
++ | FLAG_LINK_INTR,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1131,7 +1121,7 @@ static const struct driver_info cdc_ncm_
+ static const struct driver_info wwan_info = {
+ .description = "Mobile Broadband Network Device",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN,
++ | FLAG_LINK_INTR | FLAG_WWAN,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
+@@ -1145,7 +1135,7 @@ static const struct driver_info wwan_inf
+ static const struct driver_info wwan_noarp_info = {
+ .description = "Mobile Broadband Network Device (NO ARP)",
+ .flags = FLAG_POINTTOPOINT | FLAG_NO_SETINT | FLAG_MULTI_PACKET
+- | FLAG_WWAN | FLAG_NOARP,
++ | FLAG_LINK_INTR | FLAG_WWAN | FLAG_NOARP,
+ .bind = cdc_ncm_bind,
+ .unbind = cdc_ncm_unbind,
+ .check_connect = cdc_ncm_check_connect,
diff --git a/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch b/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch
new file mode 100644
index 00000000000..3656e2d7a7d
--- /dev/null
+++ b/queue-3.14/ib-security-restrict-use-of-the-write-interface.patch
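Review bot: In cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch, the block comment removed from cdc_ncm_bind() was the only place that explained why the carrier starts OFF (so the IP stack does not begin IPv6 negotiation before a connect event), and the new code does not carry that rationale over to the FLAG_LINK_INTR additions. A short comment on the `.flags` initialisers would keep it, e.g. `/* FLAG_LINK_INTR: usbnet_probe sets carrier off after a successful bind */`; that wording follows the commit message and should be checked against usbnet_probe, which is not in the hunk. All three driver_info tables visible here that use cdc_ncm_bind got the flag; any other table in the file that uses the same bind callback would need it too, or it silently loses the initial link-down.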
@@ -0,0 +1,45 @@
+From ben@decadent.org.uk Sun Aug 14 17:34:33 2016
+From: Ben Hutchings
+Date: Tue, 31 May 2016 03:40:50 +0100
+Subject: IB/security: Restrict use of the write() interface
+To: stable@vger.kernel.org
+Cc: Jason Gunthorpe , Doug Ledford , linux-rdma@vger.kernel.org
+Message-ID: <20160531024050.GL7555@decadent.org.uk>
+Content-Disposition: inline
+
+From: Ben Hutchings
+
+Commit e6bd18f57aad ("IB/security: Restrict use of the write()
+interface") fixed a security problem with various write()
+implementations in the Infiniband subsystem. In older kernel versions
+the ipath_write() function has the same problem and needs the same
+restriction. (The ipath driver has been completely removed upstream.)
+
+Signed-off-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/ipath/ipath_file_ops.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/drivers/infiniband/hw/ipath/ipath_file_ops.c
++++ b/drivers/infiniband/hw/ipath/ipath_file_ops.c
+@@ -45,6 +45,8 @@
+ #include
+ #include
+
++#include
++
+ #include "ipath_kernel.h"
+ #include "ipath_common.h"
+ #include "ipath_user_sdma.h"
+@@ -2240,6 +2242,9 @@ static ssize_t ipath_write(struct file *
+ ssize_t ret = 0;
+ void *dest;
+
++ if (WARN_ON_ONCE(!ib_safe_file_access(fp)))
++ return -EACCES;
++
+ if (count < sizeof(cmd.type)) {
+ ret = -EINVAL;
+ goto bail;
diff --git a/queue-3.14/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch b/queue-3.14/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
new file mode 100644
index 00000000000..9636098467b
--- /dev/null
+++ b/queue-3.14/keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
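Review bot: In ib-security-restrict-use-of-the-write-interface.patch, the new guard in ipath_write() wraps a condition that the calling process controls in WARN_ON_ONCE(), so the first refused write() leaves a full kernel warning and stack trace in the log for what is a rejected request rather than a kernel bug. Returning -EACCES is the security-relevant part; the report could be a single one-time line instead, e.g. `if (!ib_safe_file_access(fp)) { pr_err_once("ipath: write() from a changed security context refused\n"); return -EACCES; }`. Because either form fires once only, later refusals are silent, so detection should not depend on this message. ipath_write() continues past the end of the hunk.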
@@ -0,0 +1,50 @@
+From 20f06ed9f61a185c6dabd662c310bed6189470df Mon Sep 17 00:00:00 2001
+From: David Howells
+Date: Wed, 27 Jul 2016 11:43:37 +0100
+Subject: KEYS: 64-bit MIPS needs to use compat_sys_keyctl for 32-bit userspace
+
+From: David Howells
+
+commit 20f06ed9f61a185c6dabd662c310bed6189470df upstream.
+
+MIPS64 needs to use compat_sys_keyctl for 32-bit userspace rather than
+calling sys_keyctl. The latter will work in a lot of cases, thereby hiding
+the issue.
+
+Reported-by: Stephan Mueller
+Signed-off-by: David Howells
+Cc: linux-mips@linux-mips.org
+Cc: linux-kernel@vger.kernel.org
+Cc: linux-security-module@vger.kernel.org
+Cc: keyrings@vger.kernel.org
+Patchwork: https://patchwork.linux-mips.org/patch/13832/
+Signed-off-by: Ralf Baechle
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/mips/kernel/scall64-n32.S | 2 +-
+ arch/mips/kernel/scall64-o32.S | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/mips/kernel/scall64-n32.S
++++ b/arch/mips/kernel/scall64-n32.S
+@@ -350,7 +350,7 @@ EXPORT(sysn32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key
+ PTR sys_request_key
+- PTR sys_keyctl /* 6245 */
++ PTR compat_sys_keyctl /* 6245 */
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch
+--- a/arch/mips/kernel/scall64-o32.S
++++ b/arch/mips/kernel/scall64-o32.S
+@@ -474,7 +474,7 @@ EXPORT(sys32_call_table)
+ PTR sys_ni_syscall /* available, was setaltroot */
+ PTR sys_add_key /* 4280 */
+ PTR sys_request_key
+- PTR sys_keyctl
++ PTR compat_sys_keyctl
+ PTR sys_set_thread_area
+ PTR sys_inotify_init
+ PTR sys_inotify_add_watch /* 4285 */
diff --git a/queue-3.14/random-strengthen-input-validation-for-rndaddtoentcnt.patch b/queue-3.14/random-strengthen-input-validation-for-rndaddtoentcnt.patch
new file mode 100644
index 00000000000..eb05b1a2f00
--- /dev/null
+++ b/queue-3.14/random-strengthen-input-validation-for-rndaddtoentcnt.patch
@@ -0,0 +1,107 @@
+From 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Sun, 3 Jul 2016 17:01:26 -0400
+Subject: random: strengthen input validation for RNDADDTOENTCNT
+
+From: Theodore Ts'o
+
+commit 86a574de4590ffe6fd3f3ca34cdcf655a78e36ec upstream.
+
+Don't allow RNDADDTOENTCNT or RNDADDENTROPY to accept a negative
+entropy value. It doesn't make any sense to subtract from the entropy
+counter, and it can trigger a warning:
+
+random: negative entropy/overflow: pool input count -40000
+------------[ cut here ]------------
+WARNING: CPU: 3 PID: 6828 at drivers/char/random.c:670[< none
+ >] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+Modules linked in:
+CPU: 3 PID: 6828 Comm: a.out Not tainted 4.7.0-rc4+ #4
+Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
+ ffffffff880b58e0 ffff88005dd9fcb0 ffffffff82cc838f ffffffff87158b40
+ fffffbfff1016b1c 0000000000000000 0000000000000000 ffffffff87158b40
+ ffffffff83283dae 0000000000000009 ffff88005dd9fcf8 ffffffff8136d27f
+Call Trace:
+ [< inline >] __dump_stack lib/dump_stack.c:15
+ [] dump_stack+0x12e/0x18f lib/dump_stack.c:51
+ [] __warn+0x19f/0x1e0 kernel/panic.c:516
+ [] warn_slowpath_null+0x2c/0x40 kernel/panic.c:551
+ [] credit_entropy_bits+0x21e/0xad0 drivers/char/random.c:670
+ [< inline >] credit_entropy_bits_safe drivers/char/random.c:734
+ [] random_ioctl+0x21d/0x250 drivers/char/random.c:1546
+ [< inline >] vfs_ioctl fs/ioctl.c:43
+ [] do_vfs_ioctl+0x18c/0xff0 fs/ioctl.c:674
+ [< inline >] SYSC_ioctl fs/ioctl.c:689
+ [] SyS_ioctl+0x8f/0xc0 fs/ioctl.c:680
+ [] entry_SYSCALL_64_fastpath+0x23/0xc1
+arch/x86/entry/entry_64.S:207
+---[ end trace 5d4902b2ba842f1f ]---
+
+This was triggered using the test program:
+
+// autogenerated by syzkaller (http://github.com/google/syzkaller)
+
+int main() {
+ int fd = open("/dev/random", O_RDWR);
+ int val = -5000;
+ ioctl(fd, RNDADDTOENTCNT, &val);
+ return 0;
+}
+
+It's harmless in that (a) only root can trigger it, and (b) after
+complaining the code never does let the entropy count go negative, but
+it's better to simply not allow this userspace from passing in a
+negative entropy value altogether.
+
+Google-Bug-Id: #29575089
+Reported-By: Dmitry Vyukov
+Signed-off-by: Theodore Ts'o
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 13 +++++++------
+ 1 file changed, 7 insertions(+), 6 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -698,15 +698,18 @@ retry:
+ }
+ }
+
+-static void credit_entropy_bits_safe(struct entropy_store *r, int nbits)
++static int credit_entropy_bits_safe(struct entropy_store *r, int nbits)
+ {
+ const int nbits_max = (int)(~0U >> (ENTROPY_SHIFT + 1));
+
++ if (nbits < 0)
++ return -EINVAL;
++
+ /* Cap the value to avoid overflows */
+ nbits = min(nbits, nbits_max);
+- nbits = max(nbits, -nbits_max);
+
+ credit_entropy_bits(r, nbits);
++ return 0;
+ }
+
+ /*********************************************************************
+@@ -1420,8 +1423,7 @@ static long random_ioctl(struct file *f,
+ return -EPERM;
+ if (get_user(ent_count, p))
+ return -EFAULT;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDADDENTROPY:
+ if (!capable(CAP_SYS_ADMIN))
+ return -EPERM;
+@@ -1435,8 +1437,7 @@ static long random_ioctl(struct file *f,
+ size);
+ if (retval < 0)
+ return retval;
+- credit_entropy_bits_safe(&input_pool, ent_count);
+- return 0;
++ return credit_entropy_bits_safe(&input_pool, ent_count);
+ case RNDZAPENTCNT:
+ case RNDCLEARPOOL:
+ /*
diff --git a/queue-3.14/scsi-remove-scsi_end_request.patch b/queue-3.14/scsi-remove-scsi_end_request.patch
new file mode 100644
index 00000000000..34bf5e8555e
--- /dev/null
+++ b/queue-3.14/scsi-remove-scsi_end_request.patch
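Review bot: In random-strengthen-input-validation-for-rndaddtoentcnt.patch, credit_entropy_bits_safe() now handles out-of-range input in two different ways: a negative nbits is rejected with -EINVAL, while a value above nbits_max is still silently capped and reported as success, and nothing documents that contract now that the function returns a status. A comment above the function would make it explicit, e.g. `/* Returns -EINVAL for negative nbits; larger values are capped to nbits_max, not rejected. */`. The existing `/* Cap the value to avoid overflows */` could then say that it bounds the upper side only, since the `max()` line is gone. Both ioctl call sites in random_ioctl() sit in inner hunks that start and end mid-function, so any other caller of the old void form cannot be checked from here.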
@@ -0,0 +1,191 @@
+From bc85dc500f9df9b2eec15077e5046672c46adeaa Mon Sep 17 00:00:00 2001
+From: Christoph Hellwig
+Date: Thu, 1 May 2014 16:51:03 +0200
+Subject: scsi: remove scsi_end_request
+
+From: Christoph Hellwig
+
+commit bc85dc500f9df9b2eec15077e5046672c46adeaa upstream.
+
+By folding scsi_end_request into its only caller we can significantly clean
+up the completion logic. We can use simple goto labels now to only have
+a single place to finish or requeue command there instead of the previous
+convoluted logic.
+
+Signed-off-by: Christoph Hellwig
+Reviewed-by: Nicholas Bellinger
+Reviewed-by: Mike Christie
+Reviewed-by: Hannes Reinecke
+[jwang: backport to 3.12]
+Signed-off-by: Jack Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_lib.c | 113 +++++++++++++-----------------------------------
+ 1 file changed, 31 insertions(+), 82 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -540,66 +540,6 @@ void scsi_run_host_queues(struct Scsi_Ho
+
+ static void __scsi_release_buffers(struct scsi_cmnd *, int);
+
+-/*
+- * Function: scsi_end_request()
+- *
+- * Purpose: Post-processing of completed commands (usually invoked at end
+- * of upper level post-processing and scsi_io_completion).
+- *
+- * Arguments: cmd - command that is complete.
+- * error - 0 if I/O indicates success, < 0 for I/O error.
+- * bytes - number of bytes of completed I/O
+- * requeue - indicates whether we should requeue leftovers.
+- *
+- * Lock status: Assumed that lock is not held upon entry.
+- *
+- * Returns: cmd if requeue required, NULL otherwise.
+- *
+- * Notes: This is called for block device requests in order to
+- * mark some number of sectors as complete.
+- *
+- * We are guaranteeing that the request queue will be goosed
+- * at some point during this call.
+- * Notes: If cmd was requeued, upon return it will be a stale pointer.
+- */
+-static struct scsi_cmnd *scsi_end_request(struct scsi_cmnd *cmd, int error,
+- int bytes, int requeue)
+-{
+- struct request_queue *q = cmd->device->request_queue;
+- struct request *req = cmd->request;
+-
+- /*
+- * If there are blocks left over at the end, set up the command
+- * to queue the remainder of them.
+- */
+- if (blk_end_request(req, error, bytes)) {
+- /* kill remainder if no retrys */
+- if (error && scsi_noretry_cmd(cmd))
+- blk_end_request_all(req, error);
+- else {
+- if (requeue) {
+- /*
+- * Bleah. Leftovers again. Stick the
+- * leftovers in the front of the
+- * queue, and goose the queue again.
+- */
+- scsi_release_buffers(cmd);
+- scsi_requeue_command(q, cmd);
+- cmd = NULL;
+- }
+- return cmd;
+- }
+- }
+-
+- /*
+- * This will goose the queue request function at the end, so we don't
+- * need to worry about launching another command.
+- */
+- __scsi_release_buffers(cmd, 0);
+- scsi_next_command(cmd);
+- return NULL;
+-}
+-
+ static inline unsigned int scsi_sgtable_index(unsigned short nents)
+ {
+ unsigned int index;
+@@ -751,16 +691,9 @@ static int __scsi_error_from_host_byte(s
+ *
+ * Returns: Nothing
+ *
+- * Notes: This function is matched in terms of capabilities to
+- * the function that created the scatter-gather list.
+- * In other words, if there are no bounce buffers
+- * (the normal case for most drivers), we don't need
+- * the logic to deal with cleaning up afterwards.
+- *
+- * We must call scsi_end_request(). This will finish off
+- * the specified number of sectors. If we are done, the
+- * command block will be released and the queue function
+- * will be goosed. If we are not done then we have to
++ * Notes: We will finish off the specified number of sectors. If we
++ * are done, the command block will be released and the queue
++ * function will be goosed. If we are not done then we have to
+ * figure out what to do next:
+ *
+ * a) We can call scsi_requeue_command(). The request
+@@ -769,7 +702,7 @@ static int __scsi_error_from_host_byte(s
+ * be used if we made forward progress, or if we want
+ * to switch from READ(10) to READ(6) for example.
+ *
+- * b) We can call scsi_queue_insert(). The request will
++ * b) We can call __scsi_queue_insert(). The request will
+ * be put back on the queue and retried using the same
+ * command as before, possibly after a delay.
+ *
+@@ -873,12 +806,25 @@ void scsi_io_completion(struct scsi_cmnd
+ }
+
+ /*
+- * A number of bytes were successfully read. If there
+- * are leftovers and there is some kind of error
+- * (result != 0), retry the rest.
++ * If we finished all bytes in the request we are done now.
+ */
+- if (scsi_end_request(cmd, error, good_bytes, result == 0) == NULL)
+- return;
++ if (!blk_end_request(req, error, good_bytes))
++ goto next_command;
++
++ /*
++ * Kill remainder if no retrys.
++ */
++ if (error && scsi_noretry_cmd(cmd)) {
++ blk_end_request_all(req, error);
++ goto next_command;
++ }
++
++ /*
++ * If there had been no error, but we have leftover bytes in the
++ * requeues just queue the command up again.
++ */
++ if (result == 0)
++ goto requeue;
+
+ error = __scsi_error_from_host_byte(cmd, result);
+
+@@ -1000,7 +946,6 @@ void scsi_io_completion(struct scsi_cmnd
+ switch (action) {
+ case ACTION_FAIL:
+ /* Give up and fail the remainder of the request */
+- scsi_release_buffers(cmd);
+ if (!(req->cmd_flags & REQ_QUIET)) {
+ if (description)
+ scmd_printk(KERN_INFO, cmd, "%s\n",
+@@ -1010,12 +955,11 @@ void scsi_io_completion(struct scsi_cmnd
+ scsi_print_sense("", cmd);
+ scsi_print_command(cmd);
+ }
+- if (blk_end_request_err(req, error))
+- scsi_requeue_command(q, cmd);
+- else
+- scsi_next_command(cmd);
+- break;
++ if (!blk_end_request_err(req, error))
++ goto next_command;
++ /*FALLTHRU*/
+ case ACTION_REPREP:
++ requeue:
+ /* Unprep the request and put it back at the head of the queue.
+ * A new command will be prepared and issued.
+ */
+@@ -1031,6 +975,11 @@ void scsi_io_completion(struct scsi_cmnd
+ __scsi_queue_insert(cmd, SCSI_MLQUEUE_DEVICE_BUSY, 0);
+ break;
+ }
++ return;
++
++next_command:
++ __scsi_release_buffers(cmd, 0);
++ scsi_next_command(cmd);
+ }
+
+ static int scsi_init_sgtable(struct request *req, struct scsi_data_buffer *sdb,
diff --git a/queue-3.14/scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch b/queue-3.14/scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
new file mode 100644
index 00000000000..c2f8d8f14c4
--- /dev/null
+++ b/queue-3.14/scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
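Review bot: In scsi-remove-scsi_end_request.patch, the new `requeue:` label sits inside `case ACTION_REPREP:` of the switch in scsi_io_completion() but is also reached by `goto requeue` from the `result == 0` path well above the switch, before `action` has been chosen. That is legal C, but the second entry is easy to miss when someone later adds code at the top of the case. A comment at the label would help, e.g. `/* also entered via goto from the no-error leftover path above the switch */`. ACTION_FAIL likewise now relies on the ACTION_REPREP body to release the buffers after `/*FALLTHRU*/`, since its own `scsi_release_buffers(cmd)` was removed; that body is outside the hunk, so it is worth confirming it still does.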
@@ -0,0 +1,48 @@
+From a621bac3044ed6f7ec5fa0326491b2d4838bfa93 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Fri, 13 May 2016 12:04:06 -0700
+Subject: scsi_lib: correctly retry failed zero length REQ_TYPE_FS commands
+
+From: James Bottomley
+
+commit a621bac3044ed6f7ec5fa0326491b2d4838bfa93 upstream.
+
+When SCSI was written, all commands coming from the filesystem
+(REQ_TYPE_FS commands) had data. This meant that our signal for needing
+to complete the command was the number of bytes completed being equal to
+the number of bytes in the request. Unfortunately, with the advent of
+flush barriers, we can now get zero length REQ_TYPE_FS commands, which
+confuse this logic because they satisfy the condition every time. This
+means they never get retried even for retryable conditions, like UNIT
+ATTENTION because we complete them early assuming they're done. Fix
+this by special casing the early completion condition to recognise zero
+length commands with errors and let them drop through to the retry code.
+
+Reported-by: Sebastian Parschauer
+Signed-off-by: James E.J. Bottomley
+Tested-by: Jack Wang
+Signed-off-by: Martin K. Petersen
+[ jwang: backport from upstream 4.7 to fix scsi resize issue ]
+Signed-off-by: Jack Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/scsi_lib.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/scsi_lib.c
++++ b/drivers/scsi/scsi_lib.c
+@@ -806,9 +806,12 @@ void scsi_io_completion(struct scsi_cmnd
+ }
+
+ /*
+- * If we finished all bytes in the request we are done now.
++ * special case: failed zero length commands always need to
++ * drop down into the retry code. Otherwise, if we finished
++ * all bytes in the request we are done now.
+ */
+- if (!blk_end_request(req, error, good_bytes))
++ if (!(blk_rq_bytes(req) == 0 && error) &&
++ !blk_end_request(req, error, good_bytes))
+ goto next_command;
+
+ /*
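Review bot: In scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch, the new condition `!(blk_rq_bytes(req) == 0 && error) && !blk_end_request(...)` relies on short-circuit order to skip the blk_end_request() call for a failed zero-length request, and the double negation makes that skipped side effect hard to see. Naming the special case would read better: a local such as `bool failed_empty = blk_rq_bytes(req) == 0 && error;`, declared with the function's other locals, followed by `if (!failed_empty && !blk_end_request(req, error, good_bytes))`. scsi_io_completion() starts and ends outside the hunk.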
diff --git a/queue-3.14/series b/queue-3.14/series
index 7cdb5a579c3..7a573c7d260 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -4,3 +4,12 @@ printk-do-cond_resched-between-lines-while-outputting-to-consoles.patch
 x86-mm-add-barriers-and-document-switch_mm-vs-flush-synchronization.patch
 sctp-prevent-soft-lockup-when-sctp_accept-is-called-during-a-timeout-event.patch
 x86-mm-improve-switch_mm-barrier-comments.patch
+cdc_ncm-do-not-call-usbnet_link_change-from-cdc_ncm_bind.patch
+usb-quirk-fix.patch
+arm-oabi-compat-add-missing-access-checks.patch
+keys-64-bit-mips-needs-to-use-compat_sys_keyctl-for-32-bit-userspace.patch
+apparmor-fix-ref-count-leak-when-profile-sha1-hash-is-read.patch
+random-strengthen-input-validation-for-rndaddtoentcnt.patch
+scsi-remove-scsi_end_request.patch
+scsi_lib-correctly-retry-failed-zero-length-req_type_fs-commands.patch
+ib-security-restrict-use-of-the-write-interface.patch
diff --git a/queue-3.14/usb-quirk-fix.patch b/queue-3.14/usb-quirk-fix.patch
new file mode 100644
index 00000000000..535cd29ba55
--- /dev/null
+++ b/queue-3.14/usb-quirk-fix.patch
@@ -0,0 +1,44 @@
+From foo@baz Sun Aug 14 17:09:16 CEST 2016
+Date: Sun, 14 Aug 2016 17:09:16 +0200
+To: Greg KH
+From: Greg Kroah-Hartman
+Subject: USB: fix up incorrect quirk
+
+From: Greg Kroah-Hartman
+
+Ben Hutchings reported that commit ddbe1fca0bcb ("USB: Add device quirk
+for ASUS T100 Base Station keyboard") was incorrectly ported.
+
+This patch fixes up the quirk by putting it in the correct table.
+
+Reported-by: Ben Hutchings
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/quirks.c | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/drivers/usb/core/quirks.c
++++ b/drivers/usb/core/quirks.c
+@@ -164,6 +164,10 @@ static const struct usb_device_id usb_qu
+ /* MAYA44USB sound device */
+ { USB_DEVICE(0x0a92, 0x0091), .driver_info = USB_QUIRK_RESET_RESUME },
+
++ /* ASUS Base Station(T100) */
++ { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
++ USB_QUIRK_IGNORE_REMOTE_WAKEUP },
++
+ /* Action Semiconductor flash disk */
+ { USB_DEVICE(0x10d6, 0x2200), .driver_info =
+ USB_QUIRK_STRING_FETCH_255 },
+@@ -186,10 +190,6 @@ static const struct usb_device_id usb_in
+ { USB_VENDOR_AND_INTERFACE_INFO(0x046d, USB_CLASS_VIDEO, 1, 0),
+ .driver_info = USB_QUIRK_RESET_RESUME },
+
+- /* ASUS Base Station(T100) */
+- { USB_DEVICE(0x0b05, 0x17e0), .driver_info =
+- USB_QUIRK_IGNORE_REMOTE_WAKEUP },
+-
+ { } /* terminating entry must be last */
+ };
+