From: Greg Kroah-Hartman Date: Wed, 23 Sep 2015 04:14:29 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v4.1.9~54 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6c02a88775ed3f914e814aeac8a8e0a1ccb962b2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch mac80211-enable-assoc-check-for-mesh-interfaces.patch rtlwifi-rtl8192cu-add-new-device-id.patch tg3-fix-temperature-reporting.patch unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
---
diff --git a/queue-3.14/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch b/queue-3.14/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
new file mode 100644
index 00000000000..e8ca74617ca
--- /dev/null
+++ b/queue-3.14/blk-mq-fix-buffer-overflow-when-reading-sysfs-file-of-pending.patch
@@ -0,0 +1,73 @@
+From 596f5aad2a704b72934e5abec1b1b4114c16f45b Mon Sep 17 00:00:00 2001
+From: Ming Lei
+Date: Sun, 9 Aug 2015 03:41:50 -0400
+Subject: blk-mq: fix buffer overflow when reading sysfs file of 'pending'
+
+From: Ming Lei
+
+commit 596f5aad2a704b72934e5abec1b1b4114c16f45b upstream.
+
+There may be lots of pending requests so that the buffer of PAGE_SIZE
+can't hold them at all.
+
+One typical example is scsi-mq, the queue depth(.can_queue) of
+scsi_host and blk-mq is quite big but scsi_device's queue_depth
+is a bit small(.cmd_per_lun), then it is quite easy to have lots
+of pending requests in hw queue.
+
+This patch fixes the following warning and the related memory
+destruction.
+
+[ 359.025101] fill_read_buffer: blk_mq_hw_sysfs_show+0x0/0x7d returned bad count^M
+[ 359.055595] irq event stamp: 15537^M
+[ 359.055606] general protection fault: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC ^M
+[ 359.055614] Dumping ftrace buffer:^M
+[ 359.055660] (ftrace buffer empty)^M
+[ 359.055672] Modules linked in: nbd ipv6 kvm_intel kvm serio_raw^M
+[ 359.055678] CPU: 4 PID: 21631 Comm: stress-ng-sysfs Not tainted 4.2.0-rc5-next-20150805 #434^M
+[ 359.055679] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011^M
+[ 359.055682] task: ffff8802161cc000 ti: ffff88021b4a8000 task.ti: ffff88021b4a8000^M
+[ 359.055693] RIP: 0010:[] [] __kmalloc+0xe8/0x152^M
+
+Signed-off-by: Ming Lei
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ block/blk-mq-sysfs.c | 21 ++++++++++++++++-----
+ 1 file changed, 16 insertions(+), 5 deletions(-)
+
+--- a/block/blk-mq-sysfs.c
++++ b/block/blk-mq-sysfs.c
+@@ -141,15 +141,26 @@ static ssize_t blk_mq_sysfs_completed_sh
+
+ static ssize_t sysfs_list_show(char *page, struct list_head *list, char *msg)
+ {
+- char *start_page = page;
+ struct request *rq;
++ int len = snprintf(page, PAGE_SIZE - 1, "%s:\n", msg);
+
+- page += sprintf(page, "%s:\n", msg);
++ list_for_each_entry(rq, list, queuelist) {
++ const int rq_len = 2 * sizeof(rq) + 2;
+
+- list_for_each_entry(rq, list, queuelist)
+- page += sprintf(page, "\t%p\n", rq);
++ /* if the output will be truncated */
++ if (PAGE_SIZE - 1 < len + rq_len) {
++ /* backspacing if it can't hold '\t...\n' */
++ if (PAGE_SIZE - 1 < len + 5)
++ len -= rq_len;
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t...\n");
++ break;
++ }
++ len += snprintf(page + len, PAGE_SIZE - 1 - len,
++ "\t%p\n", rq);
++ }
+
+- return page - start_page;
++ return len;
+ }
+
+ static ssize_t blk_mq_sysfs_rq_list_show(struct blk_mq_ctx *ctx, char *page)
diff --git a/queue-3.14/mac80211-enable-assoc-check-for-mesh-interfaces.patch b/queue-3.14/mac80211-enable-assoc-check-for-mesh-interfaces.patch
new file mode 100644
index 00000000000..a8632387d43
--- /dev/null
+++ b/queue-3.14/mac80211-enable-assoc-check-for-mesh-interfaces.patch
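Review bot: In sysfs_list_show the running `len` is advanced by the return value of `snprintf`, which is the length that would have been written rather than what actually fit, so the bound only holds while `rq_len` (`2 * sizeof(rq) + 2`) matches what `"\t%p\n"` really prints and `msg` stays short. Using `scnprintf` for all three calls, e.g. `len += scnprintf(page + len, PAGE_SIZE - 1 - len, "\t%p\n", rq);`, keeps `len` inside the page even if that width assumption stops holding. Separately, `%p` writes raw request addresses into a sysfs file; if the attribute is readable by unprivileged users (its mode is not visible in this hunk), `%pK` would be the safer specifier.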
@@ -0,0 +1,41 @@
+From 3633ebebab2bbe88124388b7620442315c968e8f Mon Sep 17 00:00:00 2001
+From: Bob Copeland
+Date: Sat, 13 Jun 2015 10:16:31 -0400
+Subject: mac80211: enable assoc check for mesh interfaces
+
+From: Bob Copeland
+
+commit 3633ebebab2bbe88124388b7620442315c968e8f upstream.
+
+We already set a station to be associated when peering completes, both
+in user space and in the kernel. Thus we should always have an
+associated sta before sending data frames to that station.
+
+Failure to check assoc state can cause crashes in the lower-level driver
+due to transmitting unicast data frames before driver sta structures
+(e.g. ampdu state in ath9k) are initialized. This occurred when
+forwarding in the presence of fixed mesh paths: frames were transmitted
+to stations with whom we hadn't yet completed peering.
+
+Reported-by: Alexis Green
+Tested-by: Jesse Jones
+Signed-off-by: Bob Copeland
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/tx.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -297,9 +297,6 @@ ieee80211_tx_h_check_assoc(struct ieee80
+ if (tx->sdata->vif.type == NL80211_IFTYPE_WDS)
+ return TX_CONTINUE;
+
+- if (tx->sdata->vif.type == NL80211_IFTYPE_MESH_POINT)
+- return TX_CONTINUE;
+-
+ if (tx->flags & IEEE80211_TX_PS_BUFFERED)
+ return TX_CONTINUE;
+
diff --git a/queue-3.14/rtlwifi-rtl8192cu-add-new-device-id.patch b/queue-3.14/rtlwifi-rtl8192cu-add-new-device-id.patch
new file mode 100644
index 00000000000..d162623830b
--- /dev/null
+++ b/queue-3.14/rtlwifi-rtl8192cu-add-new-device-id.patch
@@ -0,0 +1,30 @@
+From 1642d09fb9b128e8e538b2a4179962a34f38dff9 Mon Sep 17 00:00:00 2001
+From: Adrien Schildknecht
+Date: Wed, 19 Aug 2015 17:33:12 +0200
+Subject: rtlwifi: rtl8192cu: Add new device ID
+
+From: Adrien Schildknecht
+
+commit 1642d09fb9b128e8e538b2a4179962a34f38dff9 upstream.
+
+The v2 of NetGear WNA1000M uses a different idProduct: USB ID 0846:9043
+
+Signed-off-by: Adrien Schildknecht
+Acked-by: Larry Finger
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c
+@@ -314,6 +314,7 @@ static struct usb_device_id rtl8192c_usb
+ {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/
+ {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/
+ {RTL_USB_DEVICE(0x0846, 0x9041, rtl92cu_hal_cfg)}, /*NetGear WNA1000M*/
++ {RTL_USB_DEVICE(0x0846, 0x9043, rtl92cu_hal_cfg)}, /*NG WNA1000Mv2*/
+ {RTL_USB_DEVICE(0x0b05, 0x17ba, rtl92cu_hal_cfg)}, /*ASUS-Edimax*/
+ {RTL_USB_DEVICE(0x0bda, 0x5088, rtl92cu_hal_cfg)}, /*Thinkware-CC&C*/
+ {RTL_USB_DEVICE(0x0df6, 0x0052, rtl92cu_hal_cfg)}, /*Sitecom - Edimax*/
diff --git a/queue-3.14/tg3-fix-temperature-reporting.patch b/queue-3.14/tg3-fix-temperature-reporting.patch
new file mode 100644
index 00000000000..5f6e2a66817
--- /dev/null
+++ b/queue-3.14/tg3-fix-temperature-reporting.patch
@@ -0,0 +1,36 @@
+From d3d11fe08ccc9bff174fc958722b5661f0932486 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Tue, 1 Sep 2015 18:07:41 +0200
+Subject: tg3: Fix temperature reporting
+
+From: Jean Delvare
+
+commit d3d11fe08ccc9bff174fc958722b5661f0932486 upstream.
+
+The temperature registers appear to report values in degrees Celsius
+while the hwmon API mandates values to be exposed in millidegrees
+Celsius. Do the conversion so that the values reported by "sensors"
+are correct.
+
+Fixes: aed93e0bf493 ("tg3: Add hwmon support for temperature")
+Signed-off-by: Jean Delvare
+Cc: Prashant Sreedharan
+Cc: Michael Chan
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/broadcom/tg3.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/broadcom/tg3.c
++++ b/drivers/net/ethernet/broadcom/tg3.c
+@@ -10737,7 +10737,7 @@ static ssize_t tg3_show_temp(struct devi
+ tg3_ape_scratchpad_read(tp, &temperature, attr->index,
+ sizeof(temperature));
+ spin_unlock_bh(&tp->lock);
+- return sprintf(buf, "%u\n", temperature);
++ return sprintf(buf, "%u\n", temperature * 1000);
+ }
+
+
diff --git a/queue-3.14/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch b/queue-3.14/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
new file mode 100644
index 00000000000..c5750d33a2d
--- /dev/null
+++ b/queue-3.14/unshare-unsharing-a-thread-does-not-require-unsharing-a-vm.patch
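Review bot: The result of `tg3_ape_scratchpad_read()` is discarded in the context lines just above the changed `sprintf`, so if that read can fail without writing `temperature`, tg3_show_temp would report an arbitrary stack value, now multiplied by 1000, through sysfs. Whether `temperature` is initialised is not visible here, because its declaration and the start of the function lie outside the hunk; if it is not, either initialise it to 0 there or capture the helper's result and bail out with `if (err) return err;` after `spin_unlock_bh(&tp->lock);`. A short comment on the changed line saying that the register holds degrees Celsius and hwmon expects millidegrees would also keep the `* 1000` from looking like a magic number.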
@@ -0,0 +1,96 @@
+From 12c641ab8270f787dfcce08b5f20ce8b65008096 Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Mon, 10 Aug 2015 17:35:07 -0500
+Subject: unshare: Unsharing a thread does not require unsharing a vm
+
+From: "Eric W. Biederman"
+
+commit 12c641ab8270f787dfcce08b5f20ce8b65008096 upstream.
+
+In the logic in the initial commit of unshare made creating a new
+thread group for a process, contingent upon creating a new memory
+address space for that process. That is wrong. Two separate
+processes in different thread groups can share a memory address space
+and clone allows creation of such proceses.
+
+This is significant because it was observed that mm_users > 1 does not
+mean that a process is multi-threaded, as reading /proc/PID/maps
+temporarily increments mm_users, which allows other processes to
+(accidentally) interfere with unshare() calls.
+
+Correct the check in check_unshare_flags() to test for
+!thread_group_empty() for CLONE_THREAD, CLONE_SIGHAND, and CLONE_VM.
+For sighand->count > 1 for CLONE_SIGHAND and CLONE_VM.
+For !current_is_single_threaded instead of mm_users > 1 for CLONE_VM.
+
+By using the correct checks in unshare this removes the possibility of
+an accidental denial of service attack.
+
+Additionally using the correct checks in unshare ensures that only an
+explicit unshare(CLONE_VM) can possibly trigger the slow path of
+current_is_single_threaded(). As an explict unshare(CLONE_VM) is
+pointless it is not expected there are many applications that make
+that call.
+
+Fixes: b2e0d98705e60e45bbb3c0032c48824ad7ae0704 userns: Implement unshare of the user namespace
+Reported-by: Ricky Zhou
+Reported-by: Kees Cook
+Reviewed-by: Kees Cook
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/fork.c | 28 ++++++++++++++++++----------
+ 1 file changed, 18 insertions(+), 10 deletions(-)
+
+--- a/kernel/fork.c
++++ b/kernel/fork.c
+@@ -1756,13 +1756,21 @@ static int check_unshare_flags(unsigned
+ CLONE_NEWUSER|CLONE_NEWPID))
+ return -EINVAL;
+ /*
+- * Not implemented, but pretend it works if there is nothing to
+- * unshare. Note that unsharing CLONE_THREAD or CLONE_SIGHAND
+- * needs to unshare vm.
++ * Not implemented, but pretend it works if there is nothing
++ * to unshare. Note that unsharing the address space or the
++ * signal handlers also need to unshare the signal queues (aka
++ * CLONE_THREAD).
+ */
+ if (unshare_flags & (CLONE_THREAD | CLONE_SIGHAND | CLONE_VM)) {
+- /* FIXME: get_task_mm() increments ->mm_users */
+- if (atomic_read(¤t->mm->mm_users) > 1)
++ if (!thread_group_empty(current))
++ return -EINVAL;
++ }
++ if (unshare_flags & (CLONE_SIGHAND | CLONE_VM)) {
++ if (atomic_read(¤t->sighand->count) > 1)
++ return -EINVAL;
++ }
++ if (unshare_flags & CLONE_VM) {
++ if (!current_is_single_threaded())
+ return -EINVAL;
+ }
+
+@@ -1831,16 +1839,16 @@ SYSCALL_DEFINE1(unshare, unsigned long,
+ if (unshare_flags & CLONE_NEWUSER)
+ unshare_flags |= CLONE_THREAD | CLONE_FS;
+ /*
+- * If unsharing a thread from a thread group, must also unshare vm.
+- */
+- if (unshare_flags & CLONE_THREAD)
+- unshare_flags |= CLONE_VM;
+- /*
+ * If unsharing vm, must also unshare signal handlers.
+ */
+ if (unshare_flags & CLONE_VM)
+ unshare_flags |= CLONE_SIGHAND;
+ /*
++ * If unsharing a signal handlers, must also unshare the signal queues.
++ */
++ if (unshare_flags & CLONE_SIGHAND)
++ unshare_flags |= CLONE_THREAD;
++ /*
+ * If unsharing namespace, must also unshare filesystem information.
+ */
+ if (unshare_flags & CLONE_NEWNS)
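Review bot: The flag expansion in SYSCALL_DEFINE1(unshare) now depends on statement order, and nothing in the code says so: the CLONE_VM test adds CLONE_SIGHAND and the new block after it adds CLONE_THREAD, so the two `if`s must stay in that sequence for unshare(CLONE_VM) to pick up both implied flags. A one-line comment above the first of them, such as `/* Order matters: VM implies SIGHAND, which in turn implies THREAD. */`, would guard against a later reordering that silently weakens the checks in check_unshare_flags. The new comment text also needs a wording fix: "unsharing a signal handlers" should read `* If unsharing signal handlers, must also unshare the signal queues.`, and "also need to" in check_unshare_flags should be "also needs to". Both functions begin and end outside their hunks.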