From: Greg Kroah-Hartman Date: Wed, 9 Oct 2013 15:54:42 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.100~13 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=5ccb0e700d21e46dac9f8f82878067858eac8447;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: esp_scsi-fix-tag-state-corruption-when-autosensing.patch kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch mm-fix-generic-hugetlb-pte-check-return-type.patch mwifiex-fix-hang-issue-for-usb-chipsets.patch mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch sparc64-fix-itlb-handler-of-null-page.patch sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch sparc64-remove-rwsem-export-leftovers.patch sparc-fix-ldom_reboot-buffer-overflow-harder.patch staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch --- diff --git a/queue-3.10/esp_scsi-fix-tag-state-corruption-when-autosensing.patch b/queue-3.10/esp_scsi-fix-tag-state-corruption-when-autosensing.patch new file mode 100644 index 00000000000..c227fdb753b --- /dev/null +++ b/queue-3.10/esp_scsi-fix-tag-state-corruption-when-autosensing.patch 
@@ -0,0 +1,94 @@ +From 0e6ee51b0bbf8d62529c586d268438f7667a8c43 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 1 Aug 2013 18:08:34 -0700 +Subject: esp_scsi: Fix tag state corruption when autosensing. + +From: "David S. Miller" + +[ Upstream commit 21af8107f27878813d0364733c0b08813c2c192a ] + +Meelis Roos reports a crash in esp_free_lun_tag() in the presense +of a disk which has died. + +The issue is that when we issue an autosense command, we do so by +hijacking the original command that caused the check-condition. + +When we do so we clear out the ent->tag[] array when we issue it via +find_and_prep_issuable_command(). This is so that the autosense +command is forced to be issued non-tagged. + +That is problematic, because it is the value of ent->tag[] which +determines whether we issued the original scsi command as tagged +vs. non-tagged (see esp_alloc_lun_tag()). + +And that, in turn, is what trips up the sanity checks in +esp_free_lun_tag(). That function needs the original ->tag[] values +in order to free up the tag slot properly. + +Fix this by remembering the original command's tag values, and +having esp_alloc_lun_tag() and esp_free_lun_tag() use them. + +Reported-by: Meelis Roos +Tested-by: Meelis Roos +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + drivers/scsi/esp_scsi.c | 14 ++++++++------ + drivers/scsi/esp_scsi.h | 1 + + 2 files changed, 9 insertions(+), 6 deletions(-) + +--- a/drivers/scsi/esp_scsi.c ++++ b/drivers/scsi/esp_scsi.c +@@ -530,7 +530,7 @@ static int esp_need_to_nego_sync(struct + static int esp_alloc_lun_tag(struct esp_cmd_entry *ent, + struct esp_lun_data *lp) + { +- if (!ent->tag[0]) { ++ if (!ent->orig_tag[0]) { + /* Non-tagged, slot already taken? 
*/ + if (lp->non_tagged_cmd) + return -EBUSY; +@@ -564,9 +564,9 @@ static int esp_alloc_lun_tag(struct esp_ + return -EBUSY; + } + +- BUG_ON(lp->tagged_cmds[ent->tag[1]]); ++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]]); + +- lp->tagged_cmds[ent->tag[1]] = ent; ++ lp->tagged_cmds[ent->orig_tag[1]] = ent; + lp->num_tagged++; + + return 0; +@@ -575,9 +575,9 @@ static int esp_alloc_lun_tag(struct esp_ + static void esp_free_lun_tag(struct esp_cmd_entry *ent, + struct esp_lun_data *lp) + { +- if (ent->tag[0]) { +- BUG_ON(lp->tagged_cmds[ent->tag[1]] != ent); +- lp->tagged_cmds[ent->tag[1]] = NULL; ++ if (ent->orig_tag[0]) { ++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]] != ent); ++ lp->tagged_cmds[ent->orig_tag[1]] = NULL; + lp->num_tagged--; + } else { + BUG_ON(lp->non_tagged_cmd != ent); +@@ -667,6 +667,8 @@ static struct esp_cmd_entry *find_and_pr + ent->tag[0] = 0; + ent->tag[1] = 0; + } ++ ent->orig_tag[0] = ent->tag[0]; ++ ent->orig_tag[1] = ent->tag[1]; + + if (esp_alloc_lun_tag(ent, lp) < 0) + continue; +--- a/drivers/scsi/esp_scsi.h ++++ b/drivers/scsi/esp_scsi.h +@@ -271,6 +271,7 @@ struct esp_cmd_entry { + #define ESP_CMD_FLAG_AUTOSENSE 0x04 /* Doing automatic REQUEST_SENSE */ + + u8 tag[2]; ++ u8 orig_tag[2]; + + u8 status; + u8 message; diff --git a/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch b/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch new file mode 100644 index 00000000000..9de201bd419 --- /dev/null +++ b/queue-3.10/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch 
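Review bot: The new `orig_tag[2]` member of `struct esp_cmd_entry` in esp_scsi.h has no comment distinguishing it from `tag[2]`, yet the whole fix rests on that distinction. Per the description, `tag[]` is cleared when an entry is reused for autosense, while esp_alloc_lun_tag() and esp_free_lun_tag() must see the values the command was first issued with. I would declare it as `u8 orig_tag[2]; /* tag[] as first issued; stays valid when tag[] is cleared for autosense */`. The two assignments added in find_and_prep_issuable_command() sit directly after a branch that zeroes `tag[]`, and the hunk does not show whether the autosense path can reach them; if it could, `orig_tag[]` would be zeroed too, so a one-line comment there stating that autosense entries never reach this copy would protect the fix from a later reordering. That function starts and ends outside the hunk.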
@@ -0,0 +1,45 @@
+From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 30 Sep 2013 13:45:08 -0700
+Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
+
+From: Tetsuo Handa
+
+commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
+
+If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
+dereference happens upon core dump because argv_split("") returns
+argv[0] == NULL.
+
+This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
+subprocess_info->path != NULL") but was by error reintroduced by commit
+7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
+
+This bug seems to exist since 2.6.19 (the version which core dump to
+pipe was added). Depending on kernel version and config, some side
+effect might happen immediately after this oops (e.g. kernel panic with
+2.6.32-358.18.1.el6).
+
+Signed-off-by: Tetsuo Handa
+Acked-by: Oleg Nesterov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kmod.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -568,6 +568,10 @@ int call_usermodehelper_exec(struct subp
+ DECLARE_COMPLETION_ONSTACK(done);
+ int retval = 0;
+
++ if (!sub_info->path) {
++ call_usermodehelper_freeinfo(sub_info);
++ return -EINVAL;
++ }
+ helper_lock();
+ if (!sub_info->path) {
+ retval = -EINVAL;
diff --git a/queue-3.10/mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch b/queue-3.10/mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch
new file mode 100644
index 00000000000..b5c739fb623
--- /dev/null
+++ b/queue-3.10/mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch
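Review bot: The context lines of the kmod.c hunk show the same `if (!sub_info->path)` test immediately after `helper_lock()`, so once the added early return is in place that second test cannot fire and is left behind as dead code in this tree. Either drop the in-lock test in the same patch, or put a comment on the new block explaining why the check must run before the lock is taken, for example `/* reject a NULL path before helper_lock(); sub_info is consumed on every return */`. The early return frees `sub_info` through call_usermodehelper_freeinfo(), which looks consistent with ownership passing to this function, but the `out:` path lies outside the hunk, so that should be confirmed against the full body of call_usermodehelper_exec().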
@@ -0,0 +1,39 @@
+From 83b2944fd2532b92db099cb3ada12df32a05b368 Mon Sep 17 00:00:00 2001
+From: "Darrick J. Wong"
+Date: Mon, 30 Sep 2013 13:45:09 -0700
+Subject: mm/bounce.c: fix a regression where MS_SNAP_STABLE (stable pages snapshotting) was ignored
+
+From: "Darrick J. Wong"
+
+commit 83b2944fd2532b92db099cb3ada12df32a05b368 upstream.
+
+The "force" parameter in __blk_queue_bounce was being ignored, which
+means that stable page snapshots are not always happening (on ext3).
+This of course leads to DIF disks reporting checksum errors, so fix this
+regression.
+
+The regression was introduced in commit 6bc454d15004 ("bounce: Refactor
+__blk_queue_bounce to not use bi_io_vec")
+
+Reported-by: Mel Gorman
+Signed-off-by: Darrick J. Wong
+Cc: Kent Overstreet
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/bounce.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/mm/bounce.c
++++ b/mm/bounce.c
+@@ -204,6 +204,8 @@ static void __blk_queue_bounce(struct re
+ struct bio_vec *to, *from;
+ unsigned i;
+
++ if (force)
++ goto bounce;
+ bio_for_each_segment(from, *bio_orig, i)
+ if (page_to_pfn(from->bv_page) > queue_bounce_pfn(q))
+ goto bounce;
diff --git a/queue-3.10/mm-fix-generic-hugetlb-pte-check-return-type.patch b/queue-3.10/mm-fix-generic-hugetlb-pte-check-return-type.patch
new file mode 100644
index 00000000000..db50f350b81
--- /dev/null
+++ b/queue-3.10/mm-fix-generic-hugetlb-pte-check-return-type.patch
@@ -0,0 +1,47 @@
+From c92169cbbff72696875e310312a2273e44a65e24 Mon Sep 17 00:00:00 2001
+From: David Miller
+Date: Wed, 2 Oct 2013 14:25:09 -0400
+Subject: mm: Fix generic hugetlb pte check return type.
+
+From: David Miller
+
+[ Upstream commit 26794942461f438a6bc725ec7294b08a6bd782c4 ]
+
+The include/asm-generic/hugetlb.h stubs that just vector huge_pte_*()
+calls to the pte_*() implementations won't work in certain situations.
+
+x86 and sparc, for example, return "unsigned long" from the bit
+checks, and just go "return pte_val(pte) & PTE_BIT_FOO;"
+
+But since huge_pte_*() returns 'int', if any high bits on 64-bit are
+relevant, they get chopped off.
+
+The net effect is that we can loop forever trying to COW a huge page,
+because the huge_pte_write() check signals false all the time.
+
+Reported-by: Gurudas Pai
+Tested-by: Gurudas Pai
+Signed-off-by: David S. Miller
+Acked-by: David Rientjes
+Signed-off-by: Greg Kroah-Hartman
+---
+ include/asm-generic/hugetlb.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/include/asm-generic/hugetlb.h
++++ b/include/asm-generic/hugetlb.h
+@@ -6,12 +6,12 @@ static inline pte_t mk_huge_pte(struct p
+ return mk_pte(page, pgprot);
+ }
+
+-static inline int huge_pte_write(pte_t pte)
++static inline unsigned long huge_pte_write(pte_t pte)
+ {
+ return pte_write(pte);
+ }
+
+-static inline int huge_pte_dirty(pte_t pte)
++static inline unsigned long huge_pte_dirty(pte_t pte)
+ {
+ return pte_dirty(pte);
+ }
diff --git a/queue-3.10/mwifiex-fix-hang-issue-for-usb-chipsets.patch b/queue-3.10/mwifiex-fix-hang-issue-for-usb-chipsets.patch
new file mode 100644
index 00000000000..f89c51c3f57
--- /dev/null
+++ b/queue-3.10/mwifiex-fix-hang-issue-for-usb-chipsets.patch
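Review bot: Widening huge_pte_write() and huge_pte_dirty() to `unsigned long` removes the truncation inside the stubs, but it moves the hazard to the call sites: a caller that stores the result in an `int` before testing it would lose the high bit in the same way. The callers are not visible in this hunk, so this is a point to check rather than a confirmed defect. A form that does not depend on how the result is consumed is `return !!pte_write(pte);` (and likewise for pte_dirty()). Failing that, a comment on the stubs such as `/* returns the raw flag bit, which may lie above bit 31; use only in boolean context */` would record the constraint.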
@@ -0,0 +1,75 @@ +From bd1c6142edce787b8ac1be15635f845aa9905333 Mon Sep 17 00:00:00 2001 +From: Amitkumar Karwar +Date: Tue, 24 Sep 2013 19:31:24 -0700 +Subject: mwifiex: fix hang issue for USB chipsets + +From: Amitkumar Karwar + +commit bd1c6142edce787b8ac1be15635f845aa9905333 upstream. + +Bug 60815 - Interface hangs in mwifiex_usb +https://bugzilla.kernel.org/show_bug.cgi?id=60815 + +We have 4 bytes of interface header for packets delivered to SDIO +and PCIe, but not for USB interface. + +In Tx AMSDU case, currently 4 bytes of garbage data is unnecessarily +appended for USB packets. This sometimes leads to a firmware hang, +because it may not interpret the data packet correctly. + +Problem is fixed by removing this redundant headroom for USB. + +Tested-by: Dmitry Khromov +Signed-off-by: Amitkumar Karwar +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/11n_aggr.c | 3 ++- + drivers/net/wireless/mwifiex/11n_aggr.h | 2 +- + drivers/net/wireless/mwifiex/wmm.c | 3 +-- + 3 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mwifiex/11n_aggr.c ++++ b/drivers/net/wireless/mwifiex/11n_aggr.c +@@ -149,7 +149,7 @@ mwifiex_11n_form_amsdu_txpd(struct mwifi + */ + int + mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, +- struct mwifiex_ra_list_tbl *pra_list, int headroom, ++ struct mwifiex_ra_list_tbl *pra_list, + int ptrindex, unsigned long ra_list_flags) + __releases(&priv->wmm.ra_list_spinlock) + { +@@ -159,6 +159,7 @@ mwifiex_11n_aggregate_pkt(struct mwifiex + int pad = 0, ret; + struct mwifiex_tx_param tx_param; + struct txpd *ptx_pd = NULL; ++ int headroom = adapter->iface_type == MWIFIEX_USB ? 
0 : INTF_HEADER_LEN; + + skb_src = skb_peek(&pra_list->skb_head); + if (!skb_src) { +--- a/drivers/net/wireless/mwifiex/11n_aggr.h ++++ b/drivers/net/wireless/mwifiex/11n_aggr.h +@@ -26,7 +26,7 @@ + int mwifiex_11n_deaggregate_pkt(struct mwifiex_private *priv, + struct sk_buff *skb); + int mwifiex_11n_aggregate_pkt(struct mwifiex_private *priv, +- struct mwifiex_ra_list_tbl *ptr, int headroom, ++ struct mwifiex_ra_list_tbl *ptr, + int ptr_index, unsigned long flags) + __releases(&priv->wmm.ra_list_spinlock); + +--- a/drivers/net/wireless/mwifiex/wmm.c ++++ b/drivers/net/wireless/mwifiex/wmm.c +@@ -1236,8 +1236,7 @@ mwifiex_dequeue_tx_packet(struct mwifiex + if (mwifiex_is_amsdu_allowed(priv, tid) && + mwifiex_is_11n_aggragation_possible(priv, ptr, + adapter->tx_buf_size)) +- mwifiex_11n_aggregate_pkt(priv, ptr, INTF_HEADER_LEN, +- ptr_index, flags); ++ mwifiex_11n_aggregate_pkt(priv, ptr, ptr_index, flags); + /* ra_list_spinlock has been freed in + mwifiex_11n_aggregate_pkt() */ + else diff --git a/queue-3.10/mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch b/queue-3.10/mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch new file mode 100644 index 00000000000..a057ba27408 --- /dev/null +++ b/queue-3.10/mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch 
@@ -0,0 +1,63 @@ +From 346ece0b7ba2730b4d633b9e371fe55488803102 Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Tue, 24 Sep 2013 19:31:25 -0700 +Subject: mwifiex: fix NULL pointer dereference in usb suspend handler + +From: Bing Zhao + +commit 346ece0b7ba2730b4d633b9e371fe55488803102 upstream. + +Bug 60815 - Interface hangs in mwifiex_usb +https://bugzilla.kernel.org/show_bug.cgi?id=60815 + +[ 2.883807] BUG: unable to handle kernel NULL pointer dereference + at 0000000000000048 +[ 2.883813] IP: [] pfifo_fast_enqueue+0x90/0x90 + +[ 2.883834] CPU: 1 PID: 3220 Comm: kworker/u8:90 Not tainted + 3.11.1-monotone-l0 #6 +[ 2.883834] Hardware name: Microsoft Corporation Surface with + Windows 8 Pro/Surface with Windows 8 Pro, + BIOS 1.03.0450 03/29/2013 + +On Surface Pro, suspend to ram gives a NULL pointer dereference in +pfifo_fast_enqueue(). The stack trace reveals that the offending +call is clearing carrier in mwifiex_usb suspend handler. + +Since commit 1499d9f "mwifiex: don't drop carrier flag over suspend" +has removed the carrier flag handling over suspend/resume in SDIO +and PCIe drivers, I'm removing it in USB driver too. This also fixes +the bug for Surface Pro. + +Tested-by: Dmitry Khromov +Signed-off-by: Bing Zhao +Signed-off-by: John W. 
Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/usb.c | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/net/wireless/mwifiex/usb.c ++++ b/drivers/net/wireless/mwifiex/usb.c +@@ -446,9 +446,6 @@ static int mwifiex_usb_suspend(struct us + */ + adapter->is_suspended = true; + +- for (i = 0; i < adapter->priv_num; i++) +- netif_carrier_off(adapter->priv[i]->netdev); +- + if (atomic_read(&card->rx_cmd_urb_pending) && card->rx_cmd.urb) + usb_kill_urb(card->rx_cmd.urb); + +@@ -508,10 +505,6 @@ static int mwifiex_usb_resume(struct usb + MWIFIEX_RX_CMD_BUF_SIZE); + } + +- for (i = 0; i < adapter->priv_num; i++) +- if (adapter->priv[i]->media_connected) +- netif_carrier_on(adapter->priv[i]->netdev); +- + /* Disable Host Sleep */ + if (adapter->hs_activated) + mwifiex_cancel_hs(mwifiex_get_priv(adapter, diff --git a/queue-3.10/mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch b/queue-3.10/mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch new file mode 100644 index 00000000000..3fba5cf4eb4 --- /dev/null +++ b/queue-3.10/mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch 
@@ -0,0 +1,47 @@ +From b7be1522def9a9988b67afd0be999c50a96394b5 Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Fri, 20 Sep 2013 19:56:45 -0700 +Subject: mwifiex: fix PCIe hs_cfg cancel cmd timeout + +From: Bing Zhao + +commit b7be1522def9a9988b67afd0be999c50a96394b5 upstream. + +For pcie8897, the hs_cfg cancel command (0xe5) times out when host +comes out of suspend. This is caused by an incompleted host sleep +handshake between driver and firmware. + +Like SDIO interface, PCIe also needs to go through firmware power +save events to complete the handshake for host sleep configuration. +Only USB interface doesn't require power save events for hs_cfg. + +Signed-off-by: Bing Zhao +Signed-off-by: Amitkumar Karwar +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/cmdevt.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mwifiex/cmdevt.c ++++ b/drivers/net/wireless/mwifiex/cmdevt.c +@@ -1154,7 +1154,7 @@ int mwifiex_ret_802_11_hs_cfg(struct mwi + uint32_t conditions = le32_to_cpu(phs_cfg->params.hs_config.conditions); + + if (phs_cfg->action == cpu_to_le16(HS_ACTIVATE) && +- adapter->iface_type == MWIFIEX_SDIO) { ++ adapter->iface_type != MWIFIEX_USB) { + mwifiex_hs_activated_event(priv, true); + return 0; + } else { +@@ -1166,8 +1166,7 @@ int mwifiex_ret_802_11_hs_cfg(struct mwi + } + if (conditions != HS_CFG_CANCEL) { + adapter->is_hs_configured = true; +- if (adapter->iface_type == MWIFIEX_USB || +- adapter->iface_type == MWIFIEX_PCIE) ++ if (adapter->iface_type == MWIFIEX_USB) + mwifiex_hs_activated_event(priv, true); + } else { + adapter->is_hs_configured = false; diff --git a/queue-3.10/nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch b/queue-3.10/nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch new file mode 100644 index 00000000000..30233523bb9 --- /dev/null 
+++ b/queue-3.10/nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch @@ -0,0 +1,67 @@ +From 52b26a3e1bb3e065c32b3febdac1e1f117d88e15 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 26 Sep 2013 14:08:36 -0400 +Subject: NFSv4.1: nfs4_fl_prepare_ds - fix bugs when the connect attempt fails + +From: Trond Myklebust + +commit 52b26a3e1bb3e065c32b3febdac1e1f117d88e15 upstream. + +- Fix an Oops when nfs4_ds_connect() returns an error. +- Always check the device status after waiting for a connect to complete. + +Reported-by: Andy Adamson +Reported-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/nfs4filelayoutdev.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/fs/nfs/nfs4filelayoutdev.c ++++ b/fs/nfs/nfs4filelayoutdev.c +@@ -797,34 +797,34 @@ nfs4_fl_prepare_ds(struct pnfs_layout_se + struct nfs4_file_layout_dsaddr *dsaddr = FILELAYOUT_LSEG(lseg)->dsaddr; + struct nfs4_pnfs_ds *ds = dsaddr->ds_list[ds_idx]; + struct nfs4_deviceid_node *devid = FILELAYOUT_DEVID_NODE(lseg); +- +- if (filelayout_test_devid_unavailable(devid)) +- return NULL; ++ struct nfs4_pnfs_ds *ret = ds; + + if (ds == NULL) { + printk(KERN_ERR "NFS: %s: No data server for offset index %d\n", + __func__, ds_idx); + filelayout_mark_devid_invalid(devid); +- return NULL; ++ goto out; + } + if (ds->ds_clp) +- return ds; ++ goto out_test_devid; + + if (test_and_set_bit(NFS4DS_CONNECTING, &ds->ds_state) == 0) { + struct nfs_server *s = NFS_SERVER(lseg->pls_layout->plh_inode); + int err; + + err = nfs4_ds_connect(s, ds); +- if (err) { ++ if (err) + nfs4_mark_deviceid_unavailable(devid); +- ds = NULL; +- } + nfs4_clear_ds_conn_bit(ds); + } else { + /* Either ds is connected, or ds is NULL */ + nfs4_wait_ds_connect(ds); + } +- return ds; ++out_test_devid: ++ if (filelayout_test_devid_unavailable(devid)) ++ ret = NULL; ++out: ++ return ret; + } + + module_param(dataserver_retrans, uint, 0644); 
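Review bot: The retained comment `/* Either ds is connected, or ds is NULL */` in the wait branch no longer matches the code. `ds` is not reassigned anywhere in the new body, and the outcome after nfs4_wait_ds_connect() is now decided by the check at `out_test_devid`. I would reword it along the lines of `/* connect was run by another task; device status is checked at out_test_devid */`. It is also worth a short comment at the `if (ds->ds_clp)` shortcut saying that an already-connected ds still yields NULL when the device id has been marked unavailable, because that test moved from the top of the function to the exit path and the ordering is easy to undo by accident. The function's signature is outside the hunk.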
diff --git a/queue-3.10/series b/queue-3.10/series index 0c9cf7a6e90..75643a26484 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -64,3 +64,20 @@ bluetooth-add-support-for-bcm20702a0.patch bluetooth-introduce-a-new-hci_rfkilled-flag.patch bluetooth-fix-rfkill-functionality-during-the-hci-setup-stage.patch nilfs2-fix-issue-with-race-condition-of-competition-between-segments-for-dirty-blocks.patch +esp_scsi-fix-tag-state-corruption-when-autosensing.patch +sparc64-fix-itlb-handler-of-null-page.patch +sparc64-remove-rwsem-export-leftovers.patch +sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch +sparc-fix-ldom_reboot-buffer-overflow-harder.patch +sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch +sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch +sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch +mm-fix-generic-hugetlb-pte-check-return-type.patch +mm-bounce.c-fix-a-regression-where-ms_snap_stable-stable-pages-snapshotting-was-ignored.patch +kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch +staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch +nfsv4.1-nfs4_fl_prepare_ds-fix-bugs-when-the-connect-attempt-fails.patch +mwifiex-fix-null-pointer-dereference-in-usb-suspend-handler.patch +mwifiex-fix-hang-issue-for-usb-chipsets.patch +mwifiex-fix-pcie-hs_cfg-cancel-cmd-timeout.patch +usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch diff --git a/queue-3.10/sparc-fix-ldom_reboot-buffer-overflow-harder.patch b/queue-3.10/sparc-fix-ldom_reboot-buffer-overflow-harder.patch new file mode 100644 index 00000000000..689d0c7dedf --- /dev/null +++ b/queue-3.10/sparc-fix-ldom_reboot-buffer-overflow-harder.patch 
@@ -0,0 +1,34 @@
+From c0df7cd18f0c94fabb00a2e89d561934ae7b7a74 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Tue, 1 Oct 2013 22:13:34 -0700
+Subject: sparc: fix ldom_reboot buffer overflow harder
+
+From: Kees Cook
+
+[ Upstream commit 20928bd3f08afb036c096d9559d581926b895918 ]
+
+The length argument to strlcpy was still wrong. It could overflow the end of
+full_boot_str by 5 bytes. Instead of strcat and strlcpy, just use snprint.
+
+Reported-by: Brad Spengler
+Signed-off-by: Kees Cook
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/ds.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/sparc/kernel/ds.c
++++ b/arch/sparc/kernel/ds.c
+@@ -842,9 +842,8 @@ void ldom_reboot(const char *boot_comman
+ if (boot_command && strlen(boot_command)) {
+ unsigned long len;
+
+- strcpy(full_boot_str, "boot ");
+- strlcpy(full_boot_str + strlen("boot "), boot_command,
+- sizeof(full_boot_str));
++ snprintf(full_boot_str, sizeof(full_boot_str), "boot %s",
++ boot_command);
+ len = strlen(full_boot_str);
+
+ if (reboot_data_supported) {
diff --git a/queue-3.10/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch b/queue-3.10/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
new file mode 100644
index 00000000000..69c51e688ca
--- /dev/null
+++ b/queue-3.10/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
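Review bot: The return value of the new snprintf() call in ldom_reboot() is discarded, so a `boot_command` that does not fit in `full_boot_str` is truncated silently and the shortened string is what `len = strlen(full_boot_str)` then measures. The write is now bounded, which is the purpose of the patch, but a truncated boot command can mean something different from the one requested. Taking the length from the formatter, `len = scnprintf(full_boot_str, sizeof(full_boot_str), "boot %s", boot_command);`, removes the extra strlen() pass, and comparing snprintf()'s result against `sizeof(full_boot_str)` would allow the truncation to be logged or refused. The code that consumes `len` and the buffer is outside the hunk.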
@@ -0,0 +1,30 @@
+From 2dd98af98a28e1914b74a88eb4860dd10a733e74 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Fri, 26 Jul 2013 01:17:15 +0400
+Subject: sparc32: Fix exit flag passed from traced sys_sigreturn
+
+From: Kirill Tkhai
+
+[ Upstream commit 7a3b0f89e3fea680f93932691ca41a68eee7ab5e ]
+
+Pass 1 in %o1 to indicate that syscall_trace accounts exit.
+
+Signed-off-by: Kirill Tkhai
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/entry.S
++++ b/arch/sparc/kernel/entry.S
+@@ -839,7 +839,7 @@ sys_sigreturn:
+ nop
+
+ call syscall_trace
+- nop
++ mov 1, %o1
+
+ 1:
+ /* We don't want to muck with user registers like a
diff --git a/queue-3.10/sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch b/queue-3.10/sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch
new file mode 100644
index 00000000000..32e440911fd
--- /dev/null
+++ b/queue-3.10/sparc64-fix-buggy-strlcpy-conversion-in-ldom_reboot.patch
@@ -0,0 +1,45 @@ +From 2df267384cc05ac3f08f5bb3e4800b240ce773d7 Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Fri, 27 Sep 2013 13:46:04 -0700 +Subject: sparc64: Fix buggy strlcpy() conversion in ldom_reboot(). + +From: "David S. Miller" + +[ Upstream commit 2bd161a605f1f84a5fc8a4fe8410113a94f79355 ] + +Commit 117a0c5fc9c2d06045bd217385b2b39ea426b5a6 ("sparc: kernel: using +strlcpy() instead of strcpy()") added a bug to ldom_reboot in +arch/sparc/kernel/ds.c + +- strcpy(full_boot_str + strlen("boot "), boot_command); ++ strlcpy(full_boot_str + strlen("boot "), boot_command, ++ sizeof(full_boot_str + strlen("boot "))); + +That last sizeof() expression evaluates to sizeof(size_t) which is +not what was intended. + +Also even the corrected: + + sizeof(full_boot_str) + strlen("boot ") + +is not right as the destination buffer length is just plain +"sizeof(full_boot_str)" and that's what the final argument +should be. + +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/ds.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sparc/kernel/ds.c ++++ b/arch/sparc/kernel/ds.c +@@ -844,7 +844,7 @@ void ldom_reboot(const char *boot_comman + + strcpy(full_boot_str, "boot "); + strlcpy(full_boot_str + strlen("boot "), boot_command, +- sizeof(full_boot_str + strlen("boot "))); ++ sizeof(full_boot_str)); + len = strlen(full_boot_str); + + if (reboot_data_supported) { diff --git a/queue-3.10/sparc64-fix-itlb-handler-of-null-page.patch b/queue-3.10/sparc64-fix-itlb-handler-of-null-page.patch new file mode 100644 index 00000000000..e023db5de99 --- /dev/null +++ b/queue-3.10/sparc64-fix-itlb-handler-of-null-page.patch 
@@ -0,0 +1,41 @@ +From 938aedff5eabbebcb084ff05f91f1576cfb204da Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai +Date: Fri, 2 Aug 2013 19:23:18 +0400 +Subject: sparc64: Fix ITLB handler of null page + +From: Kirill Tkhai + +[ Upstream commit 1c2696cdaad84580545a2e9c0879ff597880b1a9 ] + +1)Use kvmap_itlb_longpath instead of kvmap_dtlb_longpath. + +2)Handle page #0 only, don't handle page #1: bleu -> blu + + (KERNBASE is 0x400000, so #1 does not exist too. But everything + is possible in the future. Fix to not to have problems later.) + +3)Remove unused kvmap_itlb_nonlinear. + +Signed-off-by: Kirill Tkhai +CC: David Miller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/ktlb.S | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/sparc/kernel/ktlb.S ++++ b/arch/sparc/kernel/ktlb.S +@@ -25,11 +25,10 @@ kvmap_itlb: + */ + kvmap_itlb_4v: + +-kvmap_itlb_nonlinear: + /* Catch kernel NULL pointer calls. */ + sethi %hi(PAGE_SIZE), %g5 + cmp %g4, %g5 +- bleu,pn %xcc, kvmap_dtlb_longpath ++ blu,pn %xcc, kvmap_itlb_longpath + nop + + KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_itlb_load) diff --git a/queue-3.10/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch b/queue-3.10/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch new file mode 100644 index 00000000000..c37869b318e --- /dev/null +++ b/queue-3.10/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch 
@@ -0,0 +1,52 @@ +From 62ba95f5b51a8df09c1aeb1a19e4b34ec2175cae Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai +Date: Fri, 26 Jul 2013 17:21:12 +0400 +Subject: sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall + +From: Kirill Tkhai + +[ Upstream commit ab2abda6377723e0d5fbbfe5f5aa16a5523344d1 ] + +(From v1 to v2: changed comment) + +On the way linux_sparc_syscall32->linux_syscall_trace32->goto 2f, +register %o5 doesn't clear its second 32-bit. + +Fix that. + +Signed-off-by: Kirill Tkhai +CC: David Miller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/syscalls.S | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/sparc/kernel/syscalls.S ++++ b/arch/sparc/kernel/syscalls.S +@@ -152,7 +152,7 @@ linux_syscall_trace32: + srl %i4, 0, %o4 + srl %i1, 0, %o1 + srl %i2, 0, %o2 +- ba,pt %xcc, 2f ++ ba,pt %xcc, 5f + srl %i3, 0, %o3 + + linux_syscall_trace: +@@ -182,13 +182,13 @@ linux_sparc_syscall32: + srl %i1, 0, %o1 ! IEU0 Group + ldx [%g6 + TI_FLAGS], %l0 ! Load + +- srl %i5, 0, %o5 ! IEU1 ++ srl %i3, 0, %o3 ! IEU0 + srl %i2, 0, %o2 ! IEU0 Group + andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0 + bne,pn %icc, linux_syscall_trace32 ! CTI + mov %i0, %l5 ! IEU1 +- call %l7 ! CTI Group brk forced +- srl %i3, 0, %o3 ! IEU0 ++5: call %l7 ! CTI Group brk forced ++ srl %i5, 0, %o5 ! IEU1 + ba,a,pt %xcc, 3f + + /* Linux native system calls enter here... */ diff --git a/queue-3.10/sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch b/queue-3.10/sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch new file mode 100644 index 00000000000..5c335175b54 --- /dev/null +++ b/queue-3.10/sparc64-fix-off-by-one-in-trampoline-tlb-mapping-installation-loop.patch 
@@ -0,0 +1,34 @@ +From 300d3233d2dcab4ce896da706ce5f4ef65e2831c Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Thu, 22 Aug 2013 16:38:46 -0700 +Subject: sparc64: Fix off by one in trampoline TLB mapping installation loop. + +From: "David S. Miller" + +[ Upstream commit 63d499662aeec1864ec36d042aca8184ea6a938e ] + +Reported-by: Kirill Tkhai +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/kernel/trampoline_64.S | 2 -- + 1 file changed, 2 deletions(-) + +--- a/arch/sparc/kernel/trampoline_64.S ++++ b/arch/sparc/kernel/trampoline_64.S +@@ -131,7 +131,6 @@ startup_continue: + clr %l5 + sethi %hi(num_kernel_image_mappings), %l6 + lduw [%l6 + %lo(num_kernel_image_mappings)], %l6 +- add %l6, 1, %l6 + + mov 15, %l7 + BRANCH_IF_ANY_CHEETAH(g1,g5,2f) +@@ -224,7 +223,6 @@ niagara_lock_tlb: + clr %l5 + sethi %hi(num_kernel_image_mappings), %l6 + lduw [%l6 + %lo(num_kernel_image_mappings)], %l6 +- add %l6, 1, %l6 + + 1: + mov HV_FAST_MMU_MAP_PERM_ADDR, %o5 diff --git a/queue-3.10/sparc64-remove-rwsem-export-leftovers.patch b/queue-3.10/sparc64-remove-rwsem-export-leftovers.patch new file mode 100644 index 00000000000..47cd5787082 --- /dev/null +++ b/queue-3.10/sparc64-remove-rwsem-export-leftovers.patch 
@@ -0,0 +1,48 @@ +From 24b5bfc7f42227b16e3f1bea84eb8e7e5fa146df Mon Sep 17 00:00:00 2001 +From: Kirill Tkhai +Date: Mon, 12 Aug 2013 16:02:24 +0400 +Subject: sparc64: Remove RWSEM export leftovers + +From: Kirill Tkhai + +[ Upstream commit 61d9b9355b0d427bd1e732bd54628ff9103e496f ] + +The functions + + __down_read + __down_read_trylock + __down_write + __down_write_trylock + __up_read + __up_write + __downgrade_write + +are implemented inline, so remove corresponding EXPORT_SYMBOLs +(They lead to compile errors on RT kernel). + +Signed-off-by: Kirill Tkhai +CC: David Miller +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + arch/sparc/lib/ksyms.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/arch/sparc/lib/ksyms.c ++++ b/arch/sparc/lib/ksyms.c +@@ -98,15 +98,6 @@ EXPORT_SYMBOL(___copy_from_user); + EXPORT_SYMBOL(___copy_in_user); + EXPORT_SYMBOL(__clear_user); + +-/* RW semaphores */ +-EXPORT_SYMBOL(__down_read); +-EXPORT_SYMBOL(__down_read_trylock); +-EXPORT_SYMBOL(__down_write); +-EXPORT_SYMBOL(__down_write_trylock); +-EXPORT_SYMBOL(__up_read); +-EXPORT_SYMBOL(__up_write); +-EXPORT_SYMBOL(__downgrade_write); +- + /* Atomic counter implementation. */ + EXPORT_SYMBOL(atomic_add); + EXPORT_SYMBOL(atomic_add_ret); diff --git a/queue-3.10/staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch b/queue-3.10/staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch new file mode 100644 index 00000000000..70e1f9a1bf3 --- /dev/null +++ b/queue-3.10/staging-comedi-ni_65xx-bug-fix-confine-insn_bits-to-one-subdevice.patch 
@@ -0,0 +1,77 @@
+From 677a31565692d596ef42ea589b53ba289abf4713 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Wed, 2 Oct 2013 14:57:51 +0100
+Subject: staging: comedi: ni_65xx: (bug fix) confine insn_bits to one subdevice
+
+From: Ian Abbott
+
+commit 677a31565692d596ef42ea589b53ba289abf4713 upstream.
+
+The `insn_bits` handler `ni_65xx_dio_insn_bits()` has a `for` loop that
+currently writes (optionally) and reads back up to 5 "ports" consisting
+of 8 channels each. It reads up to 32 1-bit channels but can only read
+and write a whole port at once - it needs to handle up to 5 ports as the
+first channel it reads might not be aligned on a port boundary. It
+breaks out of the loop early if the next port it handles is beyond the
+final port on the card. It also breaks out early on the 5th port in the
+loop if the first channel was aligned. Unfortunately, it doesn't check
+that the current port it is dealing with belongs to the comedi subdevice
+the `insn_bits` handler is acting on. That's a bug.
+
+Redo the `for` loop to terminate after the final port belonging to the
+subdevice, changing the loop variable in the process to simplify things
+a bit. The `for` loop could now try and handle more than 5 ports if the
+subdevice has more than 40 channels, but the test `if (bitshift >= 32)`
+ensures it will break out early after 4 or 5 ports (depending on whether
+the first channel is aligned on a port boundary). (`bitshift` will be
+between -7 and 7 inclusive on the first iteration, increasing by 8 for
+each subsequent operation.)
+
+Signed-off-by: Ian Abbott
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/drivers/ni_65xx.c | 25 ++++++++++---------------
+ 1 file changed, 10 insertions(+), 15 deletions(-)
+
+--- a/drivers/staging/comedi/drivers/ni_65xx.c
++++ b/drivers/staging/comedi/drivers/ni_65xx.c
+@@ -383,28 +383,23 @@ static int ni_65xx_dio_insn_bits(struct
+ {
+ const struct ni_65xx_board *board = comedi_board(dev);
+ struct ni_65xx_private *devpriv = dev->private;
+- unsigned base_bitfield_channel;
+- const unsigned max_ports_per_bitfield = 5;
++ int base_bitfield_channel;
+ unsigned read_bits = 0;
+- unsigned j;
++ int last_port_offset = ni_65xx_port_by_channel(s->n_chan - 1);
++ int port_offset;
+
+ base_bitfield_channel = CR_CHAN(insn->chanspec);
+- for (j = 0; j < max_ports_per_bitfield; ++j) {
+- const unsigned port_offset =
+- ni_65xx_port_by_channel(base_bitfield_channel) + j;
+- const unsigned port =
+- sprivate(s)->base_port + port_offset;
+- unsigned base_port_channel;
++ for (port_offset = ni_65xx_port_by_channel(base_bitfield_channel);
++ port_offset <= last_port_offset; port_offset++) {
++ unsigned port = sprivate(s)->base_port + port_offset;
++ int base_port_channel = port_offset * ni_65xx_channels_per_port;
+ unsigned port_mask, port_data, port_read_bits;
+- int bitshift;
+- if (port >= ni_65xx_total_num_ports(board))
++ int bitshift = base_port_channel - base_bitfield_channel;
++
++ if (bitshift >= 32)
+ break;
+- base_port_channel = port_offset * ni_65xx_channels_per_port;
+ port_mask = data[0];
+ port_data = data[1];
+- bitshift = base_port_channel - base_bitfield_channel;
+- if (bitshift >= 32 || bitshift <= -32)
+- break;
+ if (bitshift > 0) {
+ port_mask >>= bitshift;
+ port_data >>= bitshift;
diff --git a/queue-3.10/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch b/queue-3.10/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
new file mode 100644
index 00000000000..b8de256b104
--- /dev/null
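Review bot: The new loop bound in `ni_65xx_dio_insn_bits()` rests entirely on `s->n_chan`: the removed `if (port >= ni_65xx_total_num_ports(board)) break;` was the only check in this hunk tying `port` to the number of ports the board actually has, so a subdevice whose channel count overstated its ports would now reach the port reads and writes with an out-of-range `port` (whether that can happen depends on attach code not shown here). The dropped lower bound `bitshift <= -32` is justified only in the commit message; I would carry that into the code above the remaining test as `/* bitshift is -7..7 on the first pass and grows by 8 per port, so only the upper bound can be hit */`. `board` also looks unused in the lines shown after this change, though the function body continues past the end of the hunk, so that needs checking against the rest of it.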
+++ b/queue-3.10/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch 
@@ -0,0 +1,45 @@
+From eb2addd4044b4b2ce77693bde5bc810536dd96ee Mon Sep 17 00:00:00 2001
+From: Michal Malý
+Date: Sat, 28 Sep 2013 19:50:27 +0200
+Subject: USB: serial: option: Ignore card reader interface on Huawei E1750
+
+From: Michal Malý
+
+commit eb2addd4044b4b2ce77693bde5bc810536dd96ee upstream.
+
+Hi,
+
+my Huawei 3G modem has an embedded Smart Card reader which causes
+trouble when the modem is being detected (a bunch of " (ttyUSBx):
+open blocked by driver for more than 7 seconds!" in messages.log). This
+trivial patch corrects the problem for me. The modem identifies itself
+as "12d1:1406 Huawei Technologies Co., Ltd. E1750" in lsusb although the
+description on the body says "Model E173u-1"
+
+Signed-off-by: Michal Malý
+Cc: Bjørn Mork
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -81,6 +81,7 @@ static void option_instat_callback(struc
+
+ #define HUAWEI_VENDOR_ID 0x12D1
+ #define HUAWEI_PRODUCT_E173 0x140C
++#define HUAWEI_PRODUCT_E1750 0x1406
+ #define HUAWEI_PRODUCT_K4505 0x1464
+ #define HUAWEI_PRODUCT_K3765 0x1465
+ #define HUAWEI_PRODUCT_K4605 0x14C6
+@@ -567,6 +568,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t) &net_intf2_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
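Review bot: The new `HUAWEI_PRODUCT_E1750` table entry reuses `net_intf2_blacklist`, whose name suggests a network interface, while the commit message says the interface being skipped is the embedded smart card reader; nothing in the code records that. A one-line comment above the entry, e.g. `/* E1750: the blacklisted interface is the smart card reader, not a net interface */`, would keep a later cleanup from dropping it as a mistake. The description also says the body is labelled "Model E173u-1" while lsusb reports E1750, which is worth repeating next to `#define HUAWEI_PRODUCT_E1750 0x1406` since `HUAWEI_PRODUCT_E173` sits directly above it. The blacklist definition is outside the hunk, so which interface number it covers is inferred from its name.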