From: Greg Kroah-Hartman Date: Thu, 23 Oct 2014 07:56:20 +0000 (+0800) Subject: 3.10-stable patches X-Git-Tag: v3.10.59~27 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6ef4f5ae252db9e5e09bc204daa643643845da9e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: be2iscsi-check-ip-buffer-before-copying.patch dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch drivers-hv-vmbus-cleanup-vmbus_post_msg.patch drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch firmware_class-make-sure-fw-requests-contain-a-name.patch mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch regmap-debugfs-fix-possbile-null-pointer-dereference.patch regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch --- diff --git a/queue-3.10/be2iscsi-check-ip-buffer-before-copying.patch b/queue-3.10/be2iscsi-check-ip-buffer-before-copying.patch new file mode 100644 index 00000000000..14590f01eac --- /dev/null +++ b/queue-3.10/be2iscsi-check-ip-buffer-before-copying.patch @@ -0,0 +1,62 @@ +From a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Mon, 29 Sep 2014 13:55:41 -0500 +Subject: be2iscsi: check ip buffer before copying + +From: Mike Christie + +commit a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 upstream. + +Dan Carpenter found a issue where be2iscsi would copy the ip +from userspace to the driver buffer before checking the len +of the data being copied: +http://marc.info/?l=linux-scsi&m=140982651504251&w=2 + +This patch just has us only copy what we the driver buffer +can support. + +Tested-by: John Soni Jose +Signed-off-by: Mike Christie +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/be2iscsi/be_mgmt.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/be2iscsi/be_mgmt.c ++++ b/drivers/scsi/be2iscsi/be_mgmt.c +@@ -812,17 +812,20 @@ mgmt_static_ip_modify(struct beiscsi_hba + + if (ip_action == IP_ACTION_ADD) { + memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value, +- ip_param->len); ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + if (subnet_param) + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- subnet_param->value, subnet_param->len); ++ subnet_param->value, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } else { + memcpy(req->ip_params.ip_record.ip_addr.addr, +- if_info->ip_addr.addr, ip_param->len); ++ if_info->ip_addr.addr, ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- if_info->ip_addr.subnet_mask, ip_param->len); ++ if_info->ip_addr.subnet_mask, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } + + rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); +@@ -850,7 +853,7 @@ static int mgmt_modify_gateway(struct be + req->action = gtway_action; + req->ip_addr.ip_type = BE2_IPV4; + +- memcpy(req->ip_addr.addr, gt_addr, param_len); ++ memcpy(req->ip_addr.addr, gt_addr, sizeof(req->ip_addr.addr)); + + return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); + } diff --git a/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch b/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch new file mode 100644 index 00000000000..067584d615b --- /dev/null +++ b/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch @@ -0,0 +1,89 @@ +From 6e4a2a83f95826201bbd89f55522537ea52d1d67 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 29 Sep 2014 14:42:21 +0200 +Subject: dmaengine: pl330: Fix NULL pointer dereference on driver unbind + +From: Krzysztof Kozlowski + +commit 6e4a2a83f95826201bbd89f55522537ea52d1d67 upstream. + +Fix a NULL pointer dereference after unbinding the driver, if channel +resources were not yet allocated (no call to +pl330_alloc_chan_resources()): +$ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind +[ 13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread: (null) +[ 13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c +[ 13.622537] pgd = ee284000 +[ 13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000 +[ 13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM +[ 13.636859] Modules linked in: +[ 13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420 +[ 13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000 +[ 13.654589] PC is at _stop+0x8/0x2c8 +[ 13.658131] LR is at pl330_control+0x70/0x2e8 +[ 13.662468] pc : [] lr : [] psr: 60000093 +[ 13.662468] sp : ee889e58 ip : 00000001 fp : 000bab70 +[ 13.673922] r10: eeab6814 r9 : ee16debc r8 : 00000000 +[ 13.679131] r7 : eeab685c r6 : 60000013 r5 : ee16de10 r4 : eeab6800 +[ 13.685641] r3 : 00000002 r2 : 00000000 r1 : 00010000 r0 : 00000000 +[ 13.692153] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +[ 13.699357] Control: 10c5387d Table: 6e28404a DAC: 00000015 +[ 13.705085] Process sh (pid: 1, stack limit = 0xee888240) +[ 13.710466] Stack: (0xee889e58 to 0xee88a000) +[ 13.714808] 9e40: 00000002 eeab6800 +[ 13.722969] 9e60: ee16de10 eeab6800 ee16de10 60000013 eeab685c c020649c 00000000 c040280c +[ 13.731128] 9e80: ee889e80 ee889e80 ee16de18 ee16de10 eeab6880 eeab6814 00200200 eeab68a8 +[ 13.739287] 9ea0: 00100100 c0208048 00000000 c0409fc4 eea80800 eea808f8 c0605c44 0000000e +[ 13.747446] 9ec0: 0000000e eeb3960c eeb39600 c0203c48 eea80800 c0605c44 c0605a8c c023f694 +[ 13.755605] 9ee0: ee80a800 eea80834 eea80800 c023f704 ee80a800 eea80800 c0605c44 c023e8ec +[ 13.763764] 9f00: 0000000e ee149780 ee29e580 ee889f80 ee29e580 c023e19c 0000000e c01167e4 +[ 13.771923] 9f20: c01167a0 00000000 00000000 c0115e88 00000000 00000000 ee0b1a00 0000000e +[ 13.780082] 9f40: b6f48000 ee889f80 0000000e ee888000 b6f48000 c00bfadc 00000000 00000003 +[ 13.788241] 9f60: 00000000 00000000 00000000 ee0b1a00 ee0b1a00 0000000e b6f48000 c00bfdf4 +[ 13.796401] 9f80: 00000000 00000000 ffffffff 0000000e b6f48000 b6edc5d0 00000004 c000e7a4 +[ 13.804560] 9fa0: 00000000 c000e620 0000000e b6f48000 00000001 b6f48000 0000000e 00000000 +[ 13.812719] 9fc0: 0000000e b6f48000 b6edc5d0 00000004 0000000e b6f4c8c0 000c3470 000bab70 +[ 13.820879] 9fe0: 00000000 bed2aa50 b6e18bdc b6e6b52c 60000010 00000001 c0c0c0c0 c0c0c0c0 +[ 13.829058] [] (_stop) from [] (pl330_control+0x70/0x2e8) +[ 13.836165] [] (pl330_control) from [] (pl330_remove+0xb0/0xdc) +[ 13.843800] [] (pl330_remove) from [] (amba_remove+0x24/0xc0) +[ 13.851272] [] (amba_remove) from [] (__device_release_driver+0x70/0xc4) +[ 13.859685] [] (__device_release_driver) from [] (device_release_driver+0x1c/0x28) +[ 13.868971] [] (device_release_driver) from [] (unbind_store+0x58/0x90) +[ 13.877303] [] (unbind_store) from [] (drv_attr_store+0x20/0x2c) +[ 13.885036] [] (drv_attr_store) from [] (sysfs_kf_write+0x44/0x48) +[ 13.892928] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xc0/0x17c) +[ 13.901090] [] (kernfs_fop_write) from [] (vfs_write+0xa0/0x1a8) +[ 13.908812] [] (vfs_write) from [] (SyS_write+0x40/0x8c) +[ 13.915850] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) +[ 13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c) +[ 13.929467] ---[ end trace 10064e15a5929cf8 ]--- + +Terminate the thread and free channel resource only if channel resources +were allocated (thread is not NULL). + +Signed-off-by: Krzysztof Kozlowski +Fixes: b3040e40675e ("DMA: PL330: Add dma api driver") +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -3094,8 +3094,10 @@ static int pl330_remove(struct amba_devi + list_del(&pch->chan.device_node); + + /* Flush the channel */ +- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); +- pl330_free_chan_resources(&pch->chan); ++ if (pch->thread) { ++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); ++ pl330_free_chan_resources(&pch->chan); ++ } + } + + pi = &pdmac->pif; diff --git a/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch b/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch new file mode 100644 index 00000000000..ba49f6eca6d --- /dev/null +++ b/queue-3.10/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch @@ -0,0 +1,96 @@ +From 0f5ebabdd03b471da1906f7edddc61ceb35cee02 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 29 Sep 2014 14:42:20 +0200 +Subject: dmaengine: pl330: Fix NULL pointer dereference on probe failure + +From: Krzysztof Kozlowski + +commit 0f5ebabdd03b471da1906f7edddc61ceb35cee02 upstream. + +If dma_async_device_register() returns error and probe should clean up +and return error, a NULL pointer exception happens because of +dereference of not allocated channel thread: + +Dmesg log (from early printk): +dma-pl330 12680000.pdma: unable to register DMAC +DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null) +Unable to handle kernel NULL pointer dereference at virtual address 0000000c +pgd = c0004000 +[0000000c] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427 +task: ee80a800 ti: ee888000 task.ti: ee888000 +PC is at _stop+0x8/0x2c8 +LR is at pl330_control+0x70/0x2e8 +pc : [] lr : [] psr: 60000193 +sp : ee889df8 ip : 00000002 fp : 00000000 +r10: eeac4014 r9 : ee0e62bc r8 : 00000000 +r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000 +r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 10c5387d Table: 4000404a DAC: 00000015 +Process swapper/0 (pid: 1, stack limit = 0xee888240) +Stack: (0xee889df8 to 0xee88a000) +9de0: 00000002 eeac4000 +9e00: ee0e6210 eeac4000 ee0e6210 60000113 eeac405c c020623c 00000000 c020725c +9e20: ee889e20 ee889e20 ee0e6210 eeac4080 00200200 00100100 eeac4014 00000020 +9e40: ee0e6218 c0208374 00000000 ee9bb340 ee0e6210 00000000 00000000 c0605cd8 +9e60: ee970000 c0605c84 ee9700f8 00000000 c05c4270 00000000 00000000 c0203b3c +9e80: ee970000 c06624a8 00000000 c0605c84 00000000 c023f890 ee970000 c0605c84 +9ea0: ee970034 00000000 c05b23d0 c023fa3c 00000000 c0605c84 c023f9b0 c023e0d4 +9ec0: ee947e78 ee9b9440 c0605c84 eea1e780 c0605acc c023f094 c0513b50 c0605c84 +9ee0: c05ecbd8 c0605c84 c05ecbd8 ee11ba40 c0626500 c0240064 00000000 c05ecbd8 +9f00: c05ecbd8 c0008964 c040f13c 0000009f c0626500 c057465c ee80a800 60000113 +9f20: 00000000 c05efdb0 60000113 00000000 ef7fc89d c0421168 0000008f c003787c +9f40: c0573d6c 00000006 ef7fc8bb 00000006 c05efd50 ef7fc800 c05dfbc4 00000006 +9f60: c05c4264 c0626500 0000008f c05c4270 c059b518 c059bcb4 00000006 00000006 +9f80: c059b518 c003c08c 00000000 c040091c 00000000 00000000 00000000 00000000 +9fa0: 00000000 c0400924 00000000 c000e7b8 00000000 00000000 00000000 00000000 +9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0 +[] (_stop) from [] (pl330_control+0x70/0x2e8) +[] (pl330_control) from [] (pl330_probe+0x594/0x75c) +[] (pl330_probe) from [] (amba_probe+0xb8/0x120) +[] (amba_probe) from [] (driver_probe_device+0x10c/0x22c) +[] (driver_probe_device) from [] (__driver_attach+0x8c/0x90) +[] (__driver_attach) from [] (bus_for_each_dev+0x54/0x88) +[] (bus_for_each_dev) from [] (bus_add_driver+0xd4/0x1d0) +[] (bus_add_driver) from [] (driver_register+0x78/0xf4) +[] (driver_register) from [] (do_one_initcall+0x80/0x1d0) +[] (do_one_initcall) from [] (kernel_init_freeable+0x108/0x1d4) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xec) +[] (kernel_init) from [] (ret_from_fork+0x14/0x3c) +Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c) +---[ end trace c94b2f4f38dff3bf ]--- + +This happens because the necessary resources were not yet allocated - no +call to pl330_alloc_chan_resources(). + +Terminate the thread and free channel resource only if channel thread is not NULL. + +Signed-off-by: Krzysztof Kozlowski +Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible") +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -3057,8 +3057,10 @@ probe_err3: + list_del(&pch->chan.device_node); + + /* Flush the channel */ +- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); +- pl330_free_chan_resources(&pch->chan); ++ if (pch->thread) { ++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); ++ pl330_free_chan_resources(&pch->chan); ++ } + } + probe_err2: + pl330_del(pi); diff --git a/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch new file mode 100644 index 00000000000..eb137656094 --- /dev/null +++ b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch @@ -0,0 +1,42 @@ +From 72c6b71c245dac8f371167d97ef471b367d0b66b Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:34 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl() + +From: "K. Y. Srinivasan" + +commit 72c6b71c245dac8f371167d97ef471b367d0b66b upstream. + +Eliminate the call to BUG_ON() by waiting for the host to respond. We are +trying to reclaim the ownership of memory that was given to the host and so +we will have to wait until the host responds. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -392,7 +392,6 @@ int vmbus_establish_gpadl(struct vmbus_c + u32 next_gpadl_handle; + unsigned long flags; + int ret = 0; +- int t; + + next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle); + atomic_inc(&vmbus_connection.next_gpadl_handle); +@@ -439,9 +438,7 @@ int vmbus_establish_gpadl(struct vmbus_c + + } + } +- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ); +- BUG_ON(t == 0); +- ++ wait_for_completion(&msginfo->waitevent); + + /* At this point, we received the gpadl created msg */ + *gpadl_handle = gpadlmsg->gpadl; diff --git a/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch new file mode 100644 index 00000000000..2eaba26f0db --- /dev/null +++ b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch @@ -0,0 +1,51 @@ +From fdeebcc62279119dbeafbc1a2e39e773839025fd Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:31 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_post_msg() + +From: "K. Y. Srinivasan" + +commit fdeebcc62279119dbeafbc1a2e39e773839025fd upstream. + +Posting messages to the host can fail because of transient resource +related failures. Correctly deal with these failures and increase the +number of attempts to post the message before giving up. + +In this version of the patch, I have normalized the error code to +Linux error code. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/connection.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -393,10 +393,21 @@ int vmbus_post_msg(void *buffer, size_t + * insufficient resources. Retry the operation a couple of + * times before giving up. + */ +- while (retries < 3) { +- ret = hv_post_message(conn_id, 1, buffer, buflen); +- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS) ++ while (retries < 10) { ++ ret = hv_post_message(conn_id, 1, buffer, buflen); ++ ++ switch (ret) { ++ case HV_STATUS_INSUFFICIENT_BUFFERS: ++ ret = -ENOMEM; ++ case -ENOMEM: ++ break; ++ case HV_STATUS_SUCCESS: + return ret; ++ default: ++ pr_err("hv_post_msg() failed; error code:%d\n", ret); ++ return -EINVAL; ++ } ++ + retries++; + msleep(100); + } diff --git a/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch new file mode 100644 index 00000000000..be6e907ce18 --- /dev/null +++ b/queue-3.10/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch @@ -0,0 +1,51 @@ +From 66be653083057358724d56d817e870e53fb81ca7 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:32 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl() + +From: "K. Y. Srinivasan" + +commit 66be653083057358724d56d817e870e53fb81ca7 upstream. + +Eliminate calls to BUG_ON() by properly handling errors. In cases where +rollback is possible, we will return the appropriate error to have the +calling code decide how to rollback state. In the case where we are +transferring ownership of the guest physical pages to the host, +we will wait for the host to respond. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -464,7 +464,7 @@ int vmbus_teardown_gpadl(struct vmbus_ch + struct vmbus_channel_gpadl_teardown *msg; + struct vmbus_channel_msginfo *info; + unsigned long flags; +- int ret, t; ++ int ret; + + info = kmalloc(sizeof(*info) + + sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL); +@@ -486,11 +486,12 @@ int vmbus_teardown_gpadl(struct vmbus_ch + ret = vmbus_post_msg(msg, + sizeof(struct vmbus_channel_gpadl_teardown)); + +- BUG_ON(ret != 0); +- t = wait_for_completion_timeout(&info->waitevent, 5*HZ); +- BUG_ON(t == 0); ++ if (ret) ++ goto post_msg_err; + +- /* Received a torndown response */ ++ wait_for_completion(&info->waitevent); ++ ++post_msg_err: + spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags); + list_del(&info->msglistentry); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); diff --git a/queue-3.10/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch b/queue-3.10/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch new file mode 100644 index 00000000000..16fecc97e61 --- /dev/null +++ b/queue-3.10/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch @@ -0,0 +1,35 @@ +From 45d727cee9e200f5b351528b9fb063b69cf702c8 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:35 -0700 +Subject: Drivers: hv: vmbus: Fix a bug in vmbus_open() + +From: "K. Y. Srinivasan" + +commit 45d727cee9e200f5b351528b9fb063b69cf702c8 upstream. + +Fix a bug in vmbus_open() and properly propagate the error. I would +like to thank Dexuan Cui for identifying the +issue. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -199,8 +199,10 @@ int vmbus_open(struct vmbus_channel *new + ret = vmbus_post_msg(open_msg, + sizeof(struct vmbus_channel_open_channel)); + +- if (ret != 0) ++ if (ret != 0) { ++ err = ret; + goto error1; ++ } + + t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ); + if (t == 0) { diff --git a/queue-3.10/firmware_class-make-sure-fw-requests-contain-a-name.patch b/queue-3.10/firmware_class-make-sure-fw-requests-contain-a-name.patch new file mode 100644 index 00000000000..650da14a048 --- /dev/null +++ b/queue-3.10/firmware_class-make-sure-fw-requests-contain-a-name.patch @@ -0,0 +1,37 @@ +From 471b095dfe0d693a8d624cbc716d1ee4d74eb437 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 18 Sep 2014 11:25:37 -0700 +Subject: firmware_class: make sure fw requests contain a name + +From: Kees Cook + +commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream. + +An empty firmware request name will trigger warnings when building +device names. Make sure this is caught earlier and rejected. + +The warning was visible via the test_firmware.ko module interface: + +echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request + +Reported-by: Sasha Levin +Signed-off-by: Kees Cook +Tested-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_class.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -1021,6 +1021,9 @@ _request_firmware(const struct firmware + if (!firmware_p) + return -EINVAL; + ++ if (!name || name[0] == '\0') ++ return -EINVAL; ++ + ret = _request_firmware_prepare(&fw, name, device); + if (ret <= 0) /* error or already assigned */ + goto out; diff --git a/queue-3.10/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch b/queue-3.10/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch new file mode 100644 index 00000000000..a5068800423 --- /dev/null +++ b/queue-3.10/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch @@ -0,0 +1,40 @@ +From 4089b71cc820a426d601283c92fcd4ffeb5139c2 Mon Sep 17 00:00:00 2001 +From: Chris J Arges +Date: Tue, 23 Sep 2014 09:22:25 -0500 +Subject: mptfusion: enable no_write_same for vmware scsi disks + +From: Chris J Arges + +commit 4089b71cc820a426d601283c92fcd4ffeb5139c2 upstream. + +When using a virtual SCSI disk in a VMWare VM if blkdev_issue_zeroout is used +data can be improperly zeroed out using the mptfusion driver. This patch +disables write_same for this driver and the vmware subsystem_vendor which +ensures that manual zeroing out is used instead. + +BugLink: http://bugs.launchpad.net/bugs/1371591 +Reported-by: Bruce Lucas +Tested-by: Chris J Arges +Signed-off-by: Chris J Arges +Reviewed-by: Martin K. Petersen +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/message/fusion/mptspi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/message/fusion/mptspi.c ++++ b/drivers/message/fusion/mptspi.c +@@ -1422,6 +1422,11 @@ mptspi_probe(struct pci_dev *pdev, const + goto out_mptspi_probe; + } + ++ /* VMWare emulation doesn't properly implement WRITE_SAME ++ */ ++ if (pdev->subsystem_vendor == 0x15AD) ++ sh->no_write_same = 1; ++ + spin_lock_irqsave(&ioc->FreeQlock, flags); + + /* Attach the SCSI Host to the IOC structure diff --git a/queue-3.10/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch b/queue-3.10/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch new file mode 100644 index 00000000000..e6462fff43f --- /dev/null +++ b/queue-3.10/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch @@ -0,0 +1,34 @@ +From 75554b68ac1e018bca00d68a430b92ada8ab52dd Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Thu, 25 Sep 2014 06:14:45 -0400 +Subject: qla2xxx: Use correct offset to req-q-out for reserve calculation + +From: Arun Easi + +commit 75554b68ac1e018bca00d68a430b92ada8ab52dd upstream. + +Signed-off-by: Arun Easi +Signed-off-by: Saurav Kashyap +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_target.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1514,12 +1514,10 @@ static inline void qlt_unmap_sg(struct s + static int qlt_check_reserve_free_req(struct scsi_qla_host *vha, + uint32_t req_cnt) + { +- struct qla_hw_data *ha = vha->hw; +- device_reg_t __iomem *reg = ha->iobase; + uint32_t cnt; + + if (vha->req->cnt < (req_cnt + 2)) { +- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out); ++ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out); + + ql_dbg(ql_dbg_tgt, vha, 0xe00a, + "Request ring circled: cnt=%d, vha->->ring_index=%d, " diff --git a/queue-3.10/regmap-debugfs-fix-possbile-null-pointer-dereference.patch b/queue-3.10/regmap-debugfs-fix-possbile-null-pointer-dereference.patch new file mode 100644 index 00000000000..f5dff000441 --- /dev/null +++ b/queue-3.10/regmap-debugfs-fix-possbile-null-pointer-dereference.patch @@ -0,0 +1,50 @@ +From 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Sun, 28 Sep 2014 11:35:25 +0800 +Subject: regmap: debugfs: fix possbile NULL pointer dereference + +From: Xiubo Li + +commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream. + +If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer +dereference. So before dev_name(), we need to have check of the map->dev +pionter. + +We also should make sure that the 'name' pointer shouldn't be NULL for +debugfs_create_dir(). So here using one default "dummy" debugfs name when +the 'name' pointer and 'map->dev' are both NULL. + +Signed-off-by: Xiubo Li +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap-debugfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -460,16 +460,20 @@ void regmap_debugfs_init(struct regmap * + { + struct rb_node *next; + struct regmap_range_node *range_node; ++ const char *devname = "dummy"; + + INIT_LIST_HEAD(&map->debugfs_off_cache); + mutex_init(&map->cache_lock); + ++ if (map->dev) ++ devname = dev_name(map->dev); ++ + if (name) { + map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s", +- dev_name(map->dev), name); ++ devname, name); + name = map->debugfs_name; + } else { +- name = dev_name(map->dev); ++ name = devname; + } + + map->debugfs = debugfs_create_dir(name, regmap_debugfs_root); diff --git a/queue-3.10/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch b/queue-3.10/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch new file mode 100644 index 00000000000..0cee230ea28 --- /dev/null +++ b/queue-3.10/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch @@ -0,0 +1,41 @@ +From 5336be8416a71b5568d2cf54a2f2066abe9f2a53 Mon Sep 17 00:00:00 2001 +From: Pankaj Dubey +Date: Sat, 27 Sep 2014 09:47:55 +0530 +Subject: regmap: fix NULL pointer dereference in _regmap_write/read + +From: Pankaj Dubey + +commit 5336be8416a71b5568d2cf54a2f2066abe9f2a53 upstream. + +If LOG_DEVICE is defined and map->dev is NULL it will lead to NULL +pointer dereference. This patch fixes this issue by adding check for +dev->NULL in all such places in regmap.c + +Signed-off-by: Pankaj Dubey +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1177,7 +1177,7 @@ int _regmap_write(struct regmap *map, un + } + + #ifdef LOG_DEVICE +- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0) ++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0) + dev_info(map->dev, "%x <= %x\n", reg, val); + #endif + +@@ -1437,7 +1437,7 @@ static int _regmap_read(struct regmap *m + ret = map->reg_read(context, reg, val); + if (ret == 0) { + #ifdef LOG_DEVICE +- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0) ++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0) + dev_info(map->dev, "%x => %x\n", reg, *val); + #endif + diff --git a/queue-3.10/series b/queue-3.10/series index 792f3516fe8..68d7a9169fd 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -8,3 +8,15 @@ kvm-don-t-take-vcpu-mutex-for-obviously-invalid-vcpu-ioctls.patch x86-intel-quark-switch-off-cr4.pge-so-tlb-flush-uses-cr3-instead.patch spi-dw-mid-respect-8-bit-mode.patch spi-dw-mid-check-that-dma-was-inited-before-exit.patch +regmap-debugfs-fix-possbile-null-pointer-dereference.patch +regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch +be2iscsi-check-ip-buffer-before-copying.patch +mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch +qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch +dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch +dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch +firmware_class-make-sure-fw-requests-contain-a-name.patch +drivers-hv-vmbus-cleanup-vmbus_post_msg.patch +drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch +drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch +drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch