From: Greg Kroah-Hartman Date: Fri, 31 May 2013 23:45:41 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.81~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6b62189e343de6c92a433c434eb9ed09a2c687f6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch drm-radeon-fix-card_posted-check-for-newer-asics.patch usb-io_ti-fix-null-dereference-in-chase_port.patch xfs-kill-suid-sgid-through-the-truncate-path.patch
---
diff --git a/queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch b/queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
new file mode 100644
index 00000000000..e774793f61b
--- /dev/null
+++ b/queue-3.4/cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
@@ -0,0 +1,42 @@
+From 166faf21bd14bc5c5295a44874bf7f3930c30b20 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Fri, 24 May 2013 07:40:04 -0400
+Subject: cifs: fix potential buffer overrun when composing a new options string
+
+From: Jeff Layton
+
+commit 166faf21bd14bc5c5295a44874bf7f3930c30b20 upstream.
+
+Consider the case where we have a very short ip= string in the original
+mount options, and when we chase a referral we end up with a very long
+IPv6 address. Be sure to allow for that possibility when estimating the
+size of the string to allocate.
+
+Signed-off-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/cifs_dfs_ref.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/fs/cifs/cifs_dfs_ref.c
++++ b/fs/cifs/cifs_dfs_ref.c
+@@ -18,6 +18,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "cifsglob.h"
+ #include "cifsproto.h"
+ #include "cifsfs.h"
+@@ -150,7 +151,8 @@ char *cifs_compose_mount_options(const c
+ * assuming that we have 'unc=' and 'ip=' in
+ * the original sb_mountdata
+ */
+- md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12;
++ md_len = strlen(sb_mountdata) + rc + strlen(ref->node_name) + 12 +
++ INET6_ADDRSTRLEN;
+ mountdata = kzalloc(md_len+1, GFP_KERNEL);
+ if (mountdata == NULL) {
+ rc = -ENOMEM;
diff --git a/queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch b/queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch
new file mode 100644
index 00000000000..239f52afb12
--- /dev/null
+++ b/queue-3.4/drm-radeon-fix-card_posted-check-for-newer-asics.patch
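Review bot: In cifs_compose_mount_options() (fs/cifs/cifs_dfs_ref.c) the allocation size is still an estimate, and the comment above `md_len` still documents only the old assumption that `unc=` and `ip=` in the original `sb_mountdata` leave enough room. The comment should say what the new term covers, e.g. `/* + INET6_ADDRSTRLEN: a referral can resolve to an address much longer than the original ip= value */`. The code that fills `mountdata` lies outside the hunk; if it appends with unbounded string copies, a length check against `md_len` there would turn any future miscount into an error return instead of a write past the kzalloc'd buffer.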
@@ -0,0 +1,52 @@
+From 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a Mon Sep 17 00:00:00 2001
+From: Alex Deucher
+Date: Wed, 22 May 2013 11:22:51 -0400
+Subject: drm/radeon: fix card_posted check for newer asics
+
+From: Alex Deucher
+
+commit 09fb8bd1a63b0f9f15e655c4fe8d047e5d2bf67a upstream.
+
+Newer asics have variable numbers of crtcs. Use that
+rather than the asic family to determine which crtcs
+to check. This avoids checking non-existent crtcs or
+missing crtcs on certain asics.
+
+Reviewed-by: Michel Dänzer
+Signed-off-by: Alex Deucher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/radeon_device.c | 19 +++++++++----------
+ 1 file changed, 9 insertions(+), 10 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_device.c
++++ b/drivers/gpu/drm/radeon/radeon_device.c
+@@ -363,18 +363,17 @@ bool radeon_card_posted(struct radeon_de
+ return false;
+
+ /* first check CRTCs */
+- if (ASIC_IS_DCE41(rdev)) {
++ if (ASIC_IS_DCE4(rdev)) {
+ reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET);
+- if (reg & EVERGREEN_CRTC_MASTER_EN)
+- return true;
+- } else if (ASIC_IS_DCE4(rdev)) {
+- reg = RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC0_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC1_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
+- RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++ if (rdev->num_crtc >= 4) {
++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC2_REGISTER_OFFSET) |
++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC3_REGISTER_OFFSET);
++ }
++ if (rdev->num_crtc >= 6) {
++ reg |= RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC4_REGISTER_OFFSET) |
++ RREG32(EVERGREEN_CRTC_CONTROL + EVERGREEN_CRTC5_REGISTER_OFFSET);
++ }
+ if (reg & EVERGREEN_CRTC_MASTER_EN)
+ return true;
+ } else if (ASIC_IS_AVIVO(rdev)) {
diff --git a/queue-3.4/series b/queue-3.4/series
index f82b9d8121e..41d5ea5b55d 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -25,3 +25,7 @@ mm-mmu_notifier-re-fix-freed-page-still-mapped-in-secondary-mmu.patch
 drivers-block-brd.c-fix-brd_lookup_page-race.patch
 mm-pagewalk.c-walk_page_range-should-avoid-vm_pfnmap-areas.patch
 mm-thp-use-pmd_populate-to-update-the-pmd-with-pgtable_t-pointer.patch
+xfs-kill-suid-sgid-through-the-truncate-path.patch
+drm-radeon-fix-card_posted-check-for-newer-asics.patch
+cifs-fix-potential-buffer-overrun-when-composing-a-new-options-string.patch
+usb-io_ti-fix-null-dereference-in-chase_port.patch
diff --git a/queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch b/queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch
new file mode 100644
index 00000000000..f81b034233b
--- /dev/null
+++ b/queue-3.4/usb-io_ti-fix-null-dereference-in-chase_port.patch
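Review bot: The new `rdev->num_crtc >= 4` and `rdev->num_crtc >= 6` tests in radeon_card_posted() (drivers/gpu/drm/radeon/radeon_device.c) are only correct if `num_crtc` has already been filled in when this function runs; if it is still zero at that point, only CRTC0 and CRTC1 are read and a card whose active display sits on a higher CRTC would be reported as not posted. The hunk does not show where `num_crtc` is set, so that ordering should be confirmed for the 3.4 tree this backport targets. The CRTC0/CRTC1 reads also stay unconditional, so the code assumes at least two CRTCs on every DCE4+ part; if that holds, a short comment such as `/* every DCE4+ asic has at least 2 crtcs */` would record it. The function starts and ends outside the hunk.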
@@ -0,0 +1,102 @@
+From 1ee0a224bc9aad1de496c795f96bc6ba2c394811 Mon Sep 17 00:00:00 2001
+From: Wolfgang Frisch
+Date: Thu, 17 Jan 2013 01:07:02 +0100
+Subject: USB: io_ti: Fix NULL dereference in chase_port()
+
+From: Wolfgang Frisch
+
+commit 1ee0a224bc9aad1de496c795f96bc6ba2c394811 upstream.
+
+The tty is NULL when the port is hanging up.
+chase_port() needs to check for this.
+
+This patch is intended for stable series.
+The behavior was observed and tested in Linux 3.2 and 3.7.1.
+
+Johan Hovold submitted a more elaborate patch for the mainline kernel.
+
+[ 56.277883] usb 1-1: edge_bulk_in_callback - nonzero read bulk status received: -84
+[ 56.278811] usb 1-1: USB disconnect, device number 3
+[ 56.278856] usb 1-1: edge_bulk_in_callback - stopping read!
+[ 56.279562] BUG: unable to handle kernel NULL pointer dereference at 00000000000001c8
+[ 56.280536] IP: [] _raw_spin_lock_irqsave+0x19/0x35
+[ 56.281212] PGD 1dc1b067 PUD 1e0f7067 PMD 0
+[ 56.282085] Oops: 0002 [#1] SMP
+[ 56.282744] Modules linked in:
+[ 56.283512] CPU 1
+[ 56.283512] Pid: 25, comm: khubd Not tainted 3.7.1 #1 innotek GmbH VirtualBox/VirtualBox
+[ 56.283512] RIP: 0010:[] [] _raw_spin_lock_irqsave+0x19/0x35
+[ 56.283512] RSP: 0018:ffff88001fa99ab0 EFLAGS: 00010046
+[ 56.283512] RAX: 0000000000000046 RBX: 00000000000001c8 RCX: 0000000000640064
+[ 56.283512] RDX: 0000000000010000 RSI: ffff88001fa99b20 RDI: 00000000000001c8
+[ 56.283512] RBP: ffff88001fa99b20 R08: 0000000000000000 R09: 0000000000000000
+[ 56.283512] R10: 0000000000000000 R11: ffffffff812fcb4c R12: ffff88001ddf53c0
+[ 56.283512] R13: 0000000000000000 R14: 00000000000001c8 R15: ffff88001e19b9f4
+[ 56.283512] FS: 0000000000000000(0000) GS:ffff88001fd00000(0000) knlGS:0000000000000000
+[ 56.283512] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+[ 56.283512] CR2: 00000000000001c8 CR3: 000000001dc51000 CR4: 00000000000006e0
+[ 56.283512] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+[ 56.283512] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+[ 56.283512] Process khubd (pid: 25, threadinfo ffff88001fa98000, task ffff88001fa94f80)
+[ 56.283512] Stack:
+[ 56.283512] 0000000000000046 00000000000001c8 ffffffff810578ec ffffffff812fcb4c
+[ 56.283512] ffff88001e19b980 0000000000002710 ffffffff812ffe81 0000000000000001
+[ 56.283512] ffff88001fa94f80 0000000000000202 ffffffff00000001 0000000000000296
+[ 56.283512] Call Trace:
+[ 56.283512] [] ? add_wait_queue+0x12/0x3c
+[ 56.283512] [] ? usb_serial_port_work+0x28/0x28
+[ 56.283512] [] ? chase_port+0x84/0x2d6
+[ 56.283512] [] ? try_to_wake_up+0x199/0x199
+[ 56.283512] [] ? tty_ldisc_hangup+0x222/0x298
+[ 56.283512] [] ? edge_close+0x64/0x129
+[ 56.283512] [] ? __wake_up+0x35/0x46
+[ 56.283512] [] ? should_resched+0x5/0x23
+[ 56.283512] [] ? tty_port_shutdown+0x39/0x44
+[ 56.283512] [] ? usb_serial_port_work+0x28/0x28
+[ 56.283512] [] ? __tty_hangup+0x307/0x351
+[ 56.283512] [] ? usb_hcd_flush_endpoint+0xde/0xed
+[ 56.283512] [] ? _raw_spin_lock_irqsave+0x14/0x35
+[ 56.283512] [] ? usb_serial_disconnect+0x57/0xc2
+[ 56.283512] [] ? usb_unbind_interface+0x5c/0x131
+[ 56.283512] [] ? __device_release_driver+0x7f/0xd5
+[ 56.283512] [] ? device_release_driver+0x1a/0x25
+[ 56.283512] [] ? bus_remove_device+0xd2/0xe7
+[ 56.283512] [] ? device_del+0x119/0x167
+[ 56.283512] [] ? usb_disable_device+0x6a/0x180
+[ 56.283512] [] ? usb_disconnect+0x81/0xe6
+[ 56.283512] [] ? hub_thread+0x577/0xe82
+[ 56.283512] [] ? __schedule+0x490/0x4be
+[ 56.283512] [] ? abort_exclusive_wait+0x79/0x79
+[ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f
+[ 56.283512] [] ? usb_remote_wakeup+0x2f/0x2f
+[ 56.283512] [] ? kthread+0x81/0x89
+[ 56.283512] [] ? __kthread_parkme+0x5c/0x5c
+[ 56.283512] [] ? ret_from_fork+0x7c/0xb0
+[ 56.283512] [] ? __kthread_parkme+0x5c/0x5c
+[ 56.283512] Code: 8b 7c 24 08 e8 17 0b c3 ff 48 8b 04 24 48 83 c4 10 c3 53 48 89 fb 41 50 e8 e0 0a c3 ff 48 89 04 24 e8 e7 0a c3 ff ba 00 00 01 00
+ 0f c1 13 48 8b 04 24 89 d1 c1 ea 10 66 39 d1 74 07 f3 90 66
+[ 56.283512] RIP [] _raw_spin_lock_irqsave+0x19/0x35
+[ 56.283512] RSP
+[ 56.283512] CR2: 00000000000001c8
+[ 56.283512] ---[ end trace 49714df27e1679ce ]---
+
+Signed-off-by: Wolfgang Frisch
+Cc: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/io_ti.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/io_ti.c
++++ b/drivers/usb/serial/io_ti.c
+@@ -550,6 +550,9 @@ static void chase_port(struct edgeport_p
+ wait_queue_t wait;
+ unsigned long flags;
+
++ if (!tty)
++ return;
++
+ if (!timeout)
+ timeout = (HZ * EDGE_CLOSING_WAIT)/100;
+
diff --git a/queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch b/queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch
new file mode 100644
index 00000000000..80950458355
--- /dev/null
+++ b/queue-3.4/xfs-kill-suid-sgid-through-the-truncate-path.patch
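Review bot: The added `if (!tty) return;` in chase_port() (drivers/usb/serial/io_ti.c) leaves before anything else in the function runs, so whatever draining or flushing the rest of the body does for the port is skipped on hangup along with the wait on the tty. Most of the body lies outside the hunk, so it is not possible to tell from here whether any of that work is still needed without a tty; the commit message itself points to a more elaborate mainline fix. At minimum the guard deserves a comment, e.g. `/* tty is NULL while the port is hanging up; nothing to wait on */`.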
@@ -0,0 +1,101 @@
+From 2962f5a5dcc56f69cbf62121a7be67cc15d6940b Mon Sep 17 00:00:00 2001
+From: Dave Chinner
+Date: Mon, 27 May 2013 16:38:25 +1000
+Subject: xfs: kill suid/sgid through the truncate path.
+
+From: Dave Chinner
+
+commit 2962f5a5dcc56f69cbf62121a7be67cc15d6940b upstream.
+
+XFS has failed to kill suid/sgid bits correctly when truncating
+files of non-zero size since commit c4ed4243 ("xfs: split
+xfs_setattr") introduced in the 3.1 kernel. Fix it.
+
+Fix it.
+
+Signed-off-by: Dave Chinner
+Reviewed-by: Brian Foster
+Signed-off-by: Ben Myers
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/xfs/xfs_iops.c | 47 ++++++++++++++++++++++++++++++++---------------
+ 1 file changed, 32 insertions(+), 15 deletions(-)
+
+--- a/fs/xfs/xfs_iops.c
++++ b/fs/xfs/xfs_iops.c
+@@ -457,6 +457,28 @@ xfs_vn_getattr(
+ return 0;
+ }
+
++static void
++xfs_setattr_mode(
++ struct xfs_trans *tp,
++ struct xfs_inode *ip,
++ struct iattr *iattr)
++{
++ struct inode *inode = VFS_I(ip);
++ umode_t mode = iattr->ia_mode;
++
++ ASSERT(tp);
++ ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL));
++
++ if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
++ mode &= ~S_ISGID;
++
++ ip->i_d.di_mode &= S_IFMT;
++ ip->i_d.di_mode |= mode & ~S_IFMT;
++
++ inode->i_mode &= S_IFMT;
++ inode->i_mode |= mode & ~S_IFMT;
++}
++
+ int
+ xfs_setattr_nonsize(
+ struct xfs_inode *ip,
+@@ -608,18 +630,8 @@ xfs_setattr_nonsize(
+ /*
+ * Change file access modes.
+ */
+- if (mask & ATTR_MODE) {
+- umode_t mode = iattr->ia_mode;
+-
+- if (!in_group_p(inode->i_gid) && !capable(CAP_FSETID))
+- mode &= ~S_ISGID;
+-
+- ip->i_d.di_mode &= S_IFMT;
+- ip->i_d.di_mode |= mode & ~S_IFMT;
+-
+- inode->i_mode &= S_IFMT;
+- inode->i_mode |= mode & ~S_IFMT;
+- }
++ if (mask & ATTR_MODE)
++ xfs_setattr_mode(tp, ip, iattr);
+
+ /*
+ * Change file access or modified times.
+@@ -716,9 +728,8 @@ xfs_setattr_size(
+ return XFS_ERROR(error);
+
+ ASSERT(S_ISREG(ip->i_d.di_mode));
+- ASSERT((mask & (ATTR_MODE|ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
+- ATTR_MTIME_SET|ATTR_KILL_SUID|ATTR_KILL_SGID|
+- ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
++ ASSERT((mask & (ATTR_UID|ATTR_GID|ATTR_ATIME|ATTR_ATIME_SET|
++ ATTR_MTIME_SET|ATTR_KILL_PRIV|ATTR_TIMES_SET)) == 0);
+
+ lock_flags = XFS_ILOCK_EXCL;
+ if (!(flags & XFS_ATTR_NOLOCK))
+@@ -861,6 +872,12 @@ xfs_setattr_size(
+ xfs_iflags_set(ip, XFS_ITRUNCATED);
+ }
+
++ /*
++ * Change file access modes.
++ */
++ if (mask & ATTR_MODE)
++ xfs_setattr_mode(tp, ip, iattr);
++
+ if (mask & ATTR_CTIME) {
+ inode->i_ctime = iattr->ia_ctime;
+ ip->i_d.di_ctime.t_sec = iattr->ia_ctime.tv_sec;
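Review bot: xfs_setattr_size() (fs/xfs/xfs_iops.c) now tolerates ATTR_KILL_SUID and ATTR_KILL_SGID in `mask`, since they were dropped from the ASSERT, but it acts only on `mask & ATTR_MODE`, so the setuid/setgid bits are cleared only when the caller has already folded the kill request into ATTR_MODE and `ia_mode`. That conversion is presumably done by the VFS before the setattr method is called and is not visible here; the copied comment `Change file access modes.` should say so, e.g. `/* The VFS turns ATTR_KILL_SUID/SGID into ATTR_MODE with the bits already cleared in ia_mode; apply it here so truncate drops them. */`. The new helper xfs_setattr_mode() states its preconditions only through `ASSERT(tp)` and `ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL))`, which may compile out in non-debug builds, so a header comment saying it needs a transaction and the inode locked exclusively would help the second caller. Both xfs_setattr_nonsize() and xfs_setattr_size() extend beyond the hunks shown.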