From: Greg Kroah-Hartman Date: Sun, 14 Oct 2012 12:48:18 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.0.47~38 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6a71e6df78b1e8a03c4ba3149dac331c5cd4b06a;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: arm-7541-1-add-arm-errata-775420-workaround.patch firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
---
diff --git a/queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch b/queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch
new file mode 100644
index 00000000000..ae78b7c9ae2
--- /dev/null
+++ b/queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch
@@ -0,0 +1,62 @@
+From 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 Mon Sep 17 00:00:00 2001
+From: Simon Horman
+Date: Fri, 28 Sep 2012 02:12:45 +0100
+Subject: ARM: 7541/1: Add ARM ERRATA 775420 workaround
+
+From: Simon Horman
+
+commit 7253b85cc62d6ff84143d96fe6cd54f73736f4d7 upstream.
+
+arm: Add ARM ERRATA 775420 workaround
+
+Workaround for the 775420 Cortex-A9 (r2p2, r2p6,r2p8,r2p10,r3p0) erratum.
+In case a date cache maintenance operation aborts with MMU exception, it
+might cause the processor to deadlock. This workaround puts DSB before
+executing ISB if an abort may occur on cache maintenance.
+
+Based on work by Kouei Abe and feedback from Catalin Marinas.
+
+Signed-off-by: Kouei Abe
+[ horms@verge.net.au: Changed to implementation
+ suggested by catalin.marinas@arm.com ]
+Acked-by: Catalin Marinas
+Signed-off-by: Simon Horman
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/Kconfig | 10 ++++++++++
+ arch/arm/mm/cache-v7.S | 3 +++
+ 2 files changed, 13 insertions(+)
+
+--- a/arch/arm/Kconfig
++++ b/arch/arm/Kconfig
+@@ -1260,6 +1260,16 @@ config PL310_ERRATA_769419
+ on systems with an outer cache, the store buffer is drained
+ explicitly.
+
++config ARM_ERRATA_775420
++ bool "ARM errata: A data cache maintenance operation which aborts, might lead to deadlock"
++ depends on CPU_V7
++ help
++ This option enables the workaround for the 775420 Cortex-A9 (r2p2,
++ r2p6,r2p8,r2p10,r3p0) erratum. In case a date cache maintenance
++ operation aborts with MMU exception, it might cause the processor
++ to deadlock. This workaround puts DSB before executing ISB if
++ an abort may occur on cache maintenance.
++
+ endmenu
+
+ source "arch/arm/common/Kconfig"
+--- a/arch/arm/mm/cache-v7.S
++++ b/arch/arm/mm/cache-v7.S
+@@ -211,6 +211,9 @@ ENTRY(v7_coherent_user_range)
+ * isn't mapped, just try the next page.
+ */
+ 9001:
++#ifdef CONFIG_ARM_ERRATA_775420
++ dsb
++#endif
+ mov r12, r12, lsr #12
+ mov r12, r12, lsl #12
+ add r12, r12, #4096
diff --git a/queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch b/queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
new file mode 100644
index 00000000000..82ca2fa9e95
--- /dev/null
+++ b/queue-3.0/firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
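Review bot: In the added `config ARM_ERRATA_775420` entry of queue-3.0/arm-7541-1-add-arm-errata-775420-workaround.patch, the help text says "date cache maintenance operation" where "data cache" is meant, and the same slip is in the commit message; the help line should read `r2p6,r2p8,r2p10,r3p0) erratum. In case a data cache maintenance`. The entry also has no `default` line, so a kernel built for an affected Cortex-A9 revision keeps the deadlock unless the option is switched on explicitly, and the help text would be the place to say so. In cache-v7.S the `dsb` sits at the `9001:` fixup label of `v7_coherent_user_range`, whose body starts and ends outside the hunk.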
@@ -0,0 +1,50 @@
+From 790198f74c9d1b46b6a89504361b1a844670d050 Mon Sep 17 00:00:00 2001
+From: Stefan Richter
+Date: Sat, 6 Oct 2012 14:12:56 +0200
+Subject: firewire: cdev: fix user memory corruption (i386 userland on amd64 kernel)
+
+From: Stefan Richter
+
+commit 790198f74c9d1b46b6a89504361b1a844670d050 upstream.
+
+Fix two bugs of the /dev/fw* character device concerning the
+FW_CDEV_IOC_GET_INFO ioctl with nonzero fw_cdev_get_info.bus_reset.
+(Practically all /dev/fw* clients issue this ioctl right after opening
+the device.)
+
+Both bugs are caused by sizeof(struct fw_cdev_event_bus_reset) being 36
+without natural alignment and 40 with natural alignment.
+
+ 1) Memory corruption, affecting i386 userland on amd64 kernel:
+ Userland reserves a 36 bytes large buffer, kernel writes 40 bytes.
+ This has been first found and reported against libraw1394 if
+ compiled with gcc 4.7 which happens to order libraw1394's stack such
+ that the bug became visible as data corruption.
+
+ 2) Information leak, affecting all kernel architectures except i386:
+ 4 bytes of random kernel stack data were leaked to userspace.
+
+Hence limit the respective copy_to_user() to the 32-bit aligned size of
+struct fw_cdev_event_bus_reset.
+
+Reported-by: Simon Kirby
+Signed-off-by: Stefan Richter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firewire/core-cdev.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/firewire/core-cdev.c
++++ b/drivers/firewire/core-cdev.c
+@@ -471,8 +471,8 @@ static int ioctl_get_info(struct client
+ client->bus_reset_closure = a->bus_reset_closure;
+ if (a->bus_reset != 0) {
+ fill_bus_reset_event(&bus_reset, client);
+- ret = copy_to_user(u64_to_uptr(a->bus_reset),
+- &bus_reset, sizeof(bus_reset));
++ /* unaligned size of bus_reset is 36 bytes */
++ ret = copy_to_user(u64_to_uptr(a->bus_reset), &bus_reset, 36);
+ }
+ if (ret == 0 && list_empty(&client->link))
+ list_add_tail(&client->link, &client->device->client_list);
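Review bot: The bare `36` in the new `copy_to_user()` call is tied to the current layout of `struct fw_cdev_event_bus_reset`, and nothing in the hunk keeps the two in step, so a later change to the struct would silently copy the wrong length. The comment should say why the length is not `sizeof(bus_reset)`, for example `/* copy the 36 bytes of members only: the 4 bytes of tail padding on 64-bit kernels are uninitialized stack and overrun a 32-bit caller's buffer */`, and a named constant declared beside the struct would be safer than the literal. `ioctl_get_info` starts and ends outside the hunk, so other copies of this struct to user space cannot be checked from here.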
diff --git a/queue-3.0/series b/queue-3.0/series
index 37e1d79b0df..1ae3e58f9f8 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -4,3 +4,6 @@ acpi-ec-make-the-gpe-storm-threshold-a-module-parameter.patch
 acpi-ec-add-a-quirk-for-clevo-m720t-m730t-laptop.patch
 mips-kgdb-fix-recursive-page-fault-with-config_kprobes.patch
 tmpfs-ceph-gfs2-isofs-reiserfs-xfs-fix-fh_len-checking.patch
+arm-7541-1-add-arm-errata-775420-workaround.patch
+firewire-cdev-fix-user-memory-corruption-i386-userland-on-amd64-kernel.patch
+sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
diff --git a/queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch b/queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
new file mode 100644
index 00000000000..7afc6594d43
--- /dev/null
+++ b/queue-3.0/sunrpc-ensure-that-the-tcp-socket-is-closed-when-in-close_wait.patch
@@ -0,0 +1,86 @@
+From a519fc7a70d1a918574bb826cc6905b87b482eb9 Mon Sep 17 00:00:00 2001
+From: Trond Myklebust
+Date: Wed, 12 Sep 2012 16:49:15 -0400
+Subject: SUNRPC: Ensure that the TCP socket is closed when in CLOSE_WAIT
+
+From: Trond Myklebust
+
+commit a519fc7a70d1a918574bb826cc6905b87b482eb9 upstream.
+
+Instead of doing a shutdown() call, we need to do an actual close().
+Ditto if/when the server is sending us junk RPC headers.
+
+Signed-off-by: Trond Myklebust
+Tested-by: Simon Kirby
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/xprtsock.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/net/sunrpc/xprtsock.c
++++ b/net/sunrpc/xprtsock.c
+@@ -1015,6 +1015,16 @@ static void xs_udp_data_ready(struct soc
+ read_unlock_bh(&sk->sk_callback_lock);
+ }
+
++/*
++ * Helper function to force a TCP close if the server is sending
++ * junk and/or it has put us in CLOSE_WAIT
++ */
++static void xs_tcp_force_close(struct rpc_xprt *xprt)
++{
++ set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
++ xprt_force_disconnect(xprt);
++}
++
+ static inline void xs_tcp_read_fraghdr(struct rpc_xprt *xprt, struct xdr_skb_reader *desc)
+ {
+ struct sock_xprt *transport = container_of(xprt, struct sock_xprt, xprt);
+@@ -1041,7 +1051,7 @@ static inline void xs_tcp_read_fraghdr(s
+ /* Sanity check of the record length */
+ if (unlikely(transport->tcp_reclen < 8)) {
+ dprintk("RPC: invalid TCP record fragment length\n");
+- xprt_force_disconnect(xprt);
++ xs_tcp_force_close(xprt);
+ return;
+ }
+ dprintk("RPC: reading TCP record fragment of length %d\n",
+@@ -1122,7 +1132,7 @@ static inline void xs_tcp_read_calldir(s
+ break;
+ default:
+ dprintk("RPC: invalid request message type\n");
+- xprt_force_disconnect(&transport->xprt);
++ xs_tcp_force_close(&transport->xprt);
+ }
+ xs_tcp_check_fraghdr(transport);
+ }
+@@ -1445,6 +1455,8 @@ static void xs_tcp_cancel_linger_timeout
+ static void xs_sock_mark_closed(struct rpc_xprt *xprt)
+ {
+ smp_mb__before_clear_bit();
++ clear_bit(XPRT_CONNECTION_ABORT, &xprt->state);
++ clear_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
+ clear_bit(XPRT_CLOSE_WAIT, &xprt->state);
+ clear_bit(XPRT_CLOSING, &xprt->state);
+ smp_mb__after_clear_bit();
+@@ -1502,8 +1514,8 @@ static void xs_tcp_state_change(struct s
+ break;
+ case TCP_CLOSE_WAIT:
+ /* The server initiated a shutdown of the socket */
+- xprt_force_disconnect(xprt);
+ xprt->connect_cookie++;
++ xs_tcp_force_close(xprt);
+ case TCP_CLOSING:
+ /*
+ * If the server closed down the connection, make sure that
+@@ -2146,8 +2158,7 @@ static void xs_tcp_setup_socket(struct w
+ /* We're probably in TIME_WAIT. Get rid of existing socket,
+ * and retry
+ */
+- set_bit(XPRT_CONNECTION_CLOSE, &xprt->state);
+- xprt_force_disconnect(xprt);
++ xs_tcp_force_close(xprt);
+ break;
+ case -ECONNREFUSED:
+ case -ECONNRESET:
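Review bot: In the `xs_tcp_state_change` hunk the new `xs_tcp_force_close(xprt);` is now the last statement of `case TCP_CLOSE_WAIT:` and runs into `case TCP_CLOSING:` with no `break` and no marker, so a reader cannot tell that the fall-through is intended; add `/* fall through */` before `case TCP_CLOSING:`. The comment on `xs_tcp_force_close` could also record why the bit is set before the call, presumably `/* XPRT_CONNECTION_CLOSE makes the disconnect a real close rather than a shutdown */`, which the commit message implies but the code does not state. The two junk-input callers (`tcp_reclen < 8` and the invalid message type default) act on data sent by the peer, so each malformed record now costs a full close; whether reconnects are throttled is outside these hunks.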