From: Greg Kroah-Hartman Date: Sat, 9 Nov 2013 05:51:42 +0000 (-0800) Subject: 3.11-stable patches X-Git-Tag: v3.4.69~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=747c60a083fa021d4d19fa8e5c3255c13b4164a0;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: aacraid-missing-capable-check-in-compat-ioctl.patch alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch alsa-hda-add-a-fixup-for-asus-n76vz.patch alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch asoc-dapm-fix-source-list-debugfs-outputs.patch asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch clk-fixup-argument-order-when-setting-vco-parameters.patch clk-nomadik-set-all-timers-to-use-2.4-mhz-timclk.patch fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch mm-make-generic_access_phys-available-for-modules.patch scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch staging-bcm-info-leak-in-ioctl.patch staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch staging-sb105x-info-leak-in-mp_get_count.patch staging-wlags49_h2-buffer-overflow-setting-station-name.patch uio-provide-vm-access-to-uio_mem_phys-maps.patch uml-check-length-in-exitcode_proc_write.patch xtensa-don-t-use-alternate-signal-stack-on-threads.patch
---
diff --git a/queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch b/queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch
new file mode 100644
index 00000000000..27f1d37651d
--- /dev/null
+++ b/queue-3.11/aacraid-missing-capable-check-in-compat-ioctl.patch
@@ -0,0 +1,32 @@
+From f856567b930dfcdbc3323261bf77240ccdde01f5 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 22:11:06 +0300
+Subject: aacraid: missing capable() check in compat ioctl
+
+From: Dan Carpenter
+
+commit f856567b930dfcdbc3323261bf77240ccdde01f5 upstream.
+
+In commit d496f94d22d1 ('[SCSI] aacraid: fix security weakness') we
+added a check on CAP_SYS_RAWIO to the ioctl. The compat ioctls need the
+check as well.
+
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/aacraid/linit.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/scsi/aacraid/linit.c
++++ b/drivers/scsi/aacraid/linit.c
+@@ -771,6 +771,8 @@ static long aac_compat_do_ioctl(struct a
+ static int aac_compat_ioctl(struct scsi_device *sdev, int cmd, void __user *arg)
+ {
+ struct aac_dev *dev = (struct aac_dev *)sdev->host->hostdata;
++ if (!capable(CAP_SYS_RAWIO))
++ return -EPERM;
+ return aac_compat_do_ioctl(dev, cmd, (unsigned long)arg);
+ }
+
diff --git a/queue-3.11/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch b/queue-3.11/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
new file mode 100644
index 00000000000..c820361b622
--- /dev/null
+++ b/queue-3.11/alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
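Review bot: The new `capable(CAP_SYS_RAWIO)` test in `aac_compat_ioctl` guards only this wrapper, not `aac_compat_do_ioctl` itself, so any other caller of that helper has to carry its own check; whether such callers exist is not visible in this hunk. The check also has no comment saying why it is there, and it follows the `dev` declaration without the blank line kernel style puts between declarations and statements. I would add `/* Same CAP_SYS_RAWIO requirement as the native ioctl path. */` above the `if` and insert the blank line before it.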
@@ -0,0 +1,71 @@ +From a4461f41b94cb52e0141af717dcf4ef6558c8e2e Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 31 Oct 2013 15:01:37 +0000 +Subject: ALSA: fix oops in snd_pcm_info() caused by ASoC DPCM + +From: Russell King + +commit a4461f41b94cb52e0141af717dcf4ef6558c8e2e upstream. + +Unable to handle kernel NULL pointer dereference at virtual address 00000008 +pgd = d5300000 +[00000008] *pgd=0d265831, *pte=00000000, *ppte=00000000 +Internal error: Oops: 17 [#1] PREEMPT ARM +CPU: 0 PID: 2295 Comm: vlc Not tainted 3.11.0+ #755 +task: dee74800 ti: e213c000 task.ti: e213c000 +PC is at snd_pcm_info+0xc8/0xd8 +LR is at 0x30232065 +pc : [] lr : [<30232065>] psr: a0070013 +sp : e213dea8 ip : d81cb0d0 fp : c05f7678 +r10: c05f7770 r9 : fffffdfd r8 : 00000000 +r7 : d8a968a8 r6 : d8a96800 r5 : d8a96200 r4 : d81cb000 +r3 : 00000000 r2 : d81cb000 r1 : 00000001 r0 : d8a96200 +Flags: NzCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user +Control: 10c5387d Table: 15300019 DAC: 00000015 +Process vlc (pid: 2295, stack limit = 0xe213c248) +[] (snd_pcm_info) from [] (snd_pcm_info_user+0x34/0x9c) +[] (snd_pcm_info_user) from [] (snd_pcm_control_ioctl+0x274/0x280) +[] (snd_pcm_control_ioctl) from [] (snd_ctl_ioctl+0xc0/0x55c) +[] (snd_ctl_ioctl) from [] (do_vfs_ioctl+0x80/0x31c) +[] (do_vfs_ioctl) from [] (SyS_ioctl+0x3c/0x60) +[] (SyS_ioctl) from [] (ret_fast_syscall+0x0/0x48) +Code: e1a00005 e59530dc e3a01001 e1a02004 (e5933008) +---[ end trace cb3d9bdb8dfefb3c ]--- + +This is provoked when the ASoC front end is open along with its backend, +(which causes the backend to have a runtime assigned to it) and then the +SNDRV_CTL_IOCTL_PCM_INFO is requested for the (visible) backend device. + +Resolve this by ensuring that ASoC internal backend devices are not +visible to userspace, just as the commentry for snd_pcm_new_internal() +says it should be. 
+ +Signed-off-by: Russell King +Acked-by: Mark Brown +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/pcm.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/sound/core/pcm.c ++++ b/sound/core/pcm.c +@@ -49,6 +49,8 @@ static struct snd_pcm *snd_pcm_get(struc + struct snd_pcm *pcm; + + list_for_each_entry(pcm, &snd_pcm_devices, list) { ++ if (pcm->internal) ++ continue; + if (pcm->card == card && pcm->device == device) + return pcm; + } +@@ -60,6 +62,8 @@ static int snd_pcm_next(struct snd_card + struct snd_pcm *pcm; + + list_for_each_entry(pcm, &snd_pcm_devices, list) { ++ if (pcm->internal) ++ continue; + if (pcm->card == card && pcm->device > device) + return pcm->device; + else if (pcm->card->number > card->number) diff --git a/queue-3.11/alsa-hda-add-a-fixup-for-asus-n76vz.patch b/queue-3.11/alsa-hda-add-a-fixup-for-asus-n76vz.patch new file mode 100644 index 00000000000..7b9da7f0c75 --- /dev/null +++ b/queue-3.11/alsa-hda-add-a-fixup-for-asus-n76vz.patch 
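Review bot: The two `if (pcm->internal) continue;` filters added to `snd_pcm_get` and `snd_pcm_next` carry no comment, although they are what keeps internal back-end PCMs out of the lookups reached from the control ioctl path shown in the trace. A later reader of either loop cannot tell that the skip is a visibility rule rather than an optimisation, so I would put `/* internal PCMs are never visible to userspace lookups */` above the check in both functions. Both function bodies start and end outside their hunks, so any other user of these helpers that relies on seeing internal devices should be confirmed against the full file.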
@@ -0,0 +1,30 @@
+From 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 30 Oct 2013 12:29:40 +0100
+Subject: ALSA: hda - Add a fixup for ASUS N76VZ
+
+From: Takashi Iwai
+
+commit 6fc16e58adf50c0f1e4478538983fb5ff6f453d4 upstream.
+
+ASUS N76VZ needs the same fixup as N56VZ for supporting the boost
+speaker.
+
+Bugzilla: https://bugzilla.novell.com/show_bug.cgi?id=846529
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -4382,6 +4382,7 @@ static const struct snd_pci_quirk alc662
+ SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
+ SND_PCI_QUIRK(0x1043, 0x1477, "ASUS N56VZ", ALC662_FIXUP_ASUS_MODE4),
++ SND_PCI_QUIRK(0x1043, 0x1bf3, "ASUS N76VZ", ALC662_FIXUP_ASUS_MODE4),
+ SND_PCI_QUIRK(0x1043, 0x8469, "ASUS mobo", ALC662_FIXUP_NO_JACK_DETECT),
+ SND_PCI_QUIRK(0x105b, 0x0cd6, "Foxconn", ALC662_FIXUP_ASUS_MODE2),
+ SND_PCI_QUIRK(0x144d, 0xc051, "Samsung R720", ALC662_FIXUP_IDEAPAD),
diff --git a/queue-3.11/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch b/queue-3.11/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
new file mode 100644
index 00000000000..b8f18fe2edd
--- /dev/null
+++ b/queue-3.11/alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
@@ -0,0 +1,41 @@
+From b63eae0a6c84839275a4638a7baa391be965cd0e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Fri, 25 Oct 2013 23:43:10 +0200
+Subject: ALSA: hda - Add missing initial vmaster hook at build_controls callback
+
+From: Takashi Iwai
+
+commit b63eae0a6c84839275a4638a7baa391be965cd0e upstream.
+
+The generic parser has a support of vmaster hook, but this is
+initialized only in the init callback with the check of the presence
+of the corresponding kctl. However, since kctl is NULL at the very
+first init callback that is called before build_controls callback, the
+vmaster hook sync is skipped there. Eventually this leads to the
+uninitialized state depending on the hook implementation.
+
+This patch adds a simple workaround, just calling the sync function
+explicitly at build_controls callback.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_generic.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/sound/pci/hda/hda_generic.c
++++ b/sound/pci/hda/hda_generic.c
+@@ -4428,9 +4428,11 @@ int snd_hda_gen_build_controls(struct hd
+ true, &spec->vmaster_mute.sw_kctl);
+ if (err < 0)
+ return err;
+- if (spec->vmaster_mute.hook)
++ if (spec->vmaster_mute.hook) {
+ snd_hda_add_vmaster_hook(codec, &spec->vmaster_mute,
+ spec->vmaster_mute_enum);
++ snd_hda_sync_vmaster_hook(&spec->vmaster_mute);
++ }
+ }
+
+ free_kctls(spec); /* no longer needed */
diff --git a/queue-3.11/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch b/queue-3.11/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
new file mode 100644
index 00000000000..f61a826e901
--- /dev/null
+++ b/queue-3.11/alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
@@ -0,0 +1,37 @@
+From e6bbe666673ab044a3d39ddb74e4d9a401cf1d6f Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 24 Oct 2013 01:20:24 +0200
+Subject: ALSA: hda - Fix unbalanced runtime PM refcount after S3/S4
+
+From: Takashi Iwai
+
+commit e6bbe666673ab044a3d39ddb74e4d9a401cf1d6f upstream.
+
+When a machine goes to S3/S4 after power-save is enabled, the runtime
+PM refcount might be incorrectly decreased because the power-down
+triggered soon after resume assumes that the controller was already
+powered up, and issues the pm_notify down.
+
+This patch fixes the incorrect pm_notify call simply by checking the
+current value properly.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_codec.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/pci/hda/hda_codec.c
++++ b/sound/pci/hda/hda_codec.c
+@@ -4804,8 +4804,8 @@ static void hda_power_work(struct work_s
+ spin_unlock(&codec->power_lock);
+
+ state = hda_call_codec_suspend(codec, true);
+- codec->pm_down_notified = 0;
+- if (!bus->power_keep_link_on && (state & AC_PWRST_CLK_STOP_OK)) {
++ if (!codec->pm_down_notified &&
++ !bus->power_keep_link_on && (state & AC_PWRST_CLK_STOP_OK)) {
+ codec->pm_down_notified = 1;
+ hda_call_pm_notify(bus, false);
+ }
diff --git a/queue-3.11/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch b/queue-3.11/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
new file mode 100644
index 00000000000..3a115f2f672
--- /dev/null
+++ b/queue-3.11/arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
@@ -0,0 +1,65 @@ +From 9c41f4eeb9d51f3ece20428d35a3ea32cf3b5622 Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Sat, 2 Nov 2013 17:47:49 +0530 +Subject: ARC: Incorrect mm reference used in vmalloc fault handler + +From: Vineet Gupta + +commit 9c41f4eeb9d51f3ece20428d35a3ea32cf3b5622 upstream. + +A vmalloc fault needs to sync up PGD/PTE entry from init_mm to current +task's "active_mm". ARC vmalloc fault handler however was using mm. + +A vmalloc fault for non user task context (actually pre-userland, from +init thread's open for /dev/console) caused the handler to deref NULL mm +(for mm->pgd) + +The reasons it worked so far is amazing: + +1. By default (!SMP), vmalloc fault handler uses a cached value of PGD. + In SMP that MMU register is repurposed hence need for mm pointer deref. + +2. In pre-3.12 SMP kernel, the problem triggering vmalloc didn't exist in + pre-userland code path - it was introduced with commit 20bafb3d23d108bc + "n_tty: Move buffers into n_tty_data" + +Signed-off-by: Vineet Gupta +Cc: Gilad Ben-Yossef +Cc: Noam Camus +Cc: Peter Hurley +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/mm/fault.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arc/mm/fault.c ++++ b/arch/arc/mm/fault.c +@@ -17,7 +17,7 @@ + #include + #include + +-static int handle_vmalloc_fault(struct mm_struct *mm, unsigned long address) ++static int handle_vmalloc_fault(unsigned long address) + { + /* + * Synchronize this task's top level page-table +@@ -27,7 +27,7 @@ static int handle_vmalloc_fault(struct m + pud_t *pud, *pud_k; + pmd_t *pmd, *pmd_k; + +- pgd = pgd_offset_fast(mm, address); ++ pgd = pgd_offset_fast(current->active_mm, address); + pgd_k = pgd_offset_k(address); + + if (!pgd_present(*pgd_k)) +@@ -73,7 +73,7 @@ void do_page_fault(struct pt_regs *regs, + * nothing more. 
+ */ + if (address >= VMALLOC_START && address <= VMALLOC_END) { +- ret = handle_vmalloc_fault(mm, address); ++ ret = handle_vmalloc_fault(address); + if (unlikely(ret)) + goto bad_area_nosemaphore; + else diff --git a/queue-3.11/asoc-dapm-fix-source-list-debugfs-outputs.patch b/queue-3.11/asoc-dapm-fix-source-list-debugfs-outputs.patch new file mode 100644 index 00000000000..3be58bc2693 --- /dev/null +++ b/queue-3.11/asoc-dapm-fix-source-list-debugfs-outputs.patch @@ -0,0 +1,32 @@ +From ff18620c2157671a8ee21ebb8e6a3520ea209b1f Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 28 Oct 2013 14:21:49 +0100 +Subject: ASoC: dapm: Fix source list debugfs outputs + +From: Takashi Iwai + +commit ff18620c2157671a8ee21ebb8e6a3520ea209b1f upstream. + +... due to a copy & paste error. + +Spotted by coverity CID 710923. + +Signed-off-by: Takashi Iwai +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/soc-dapm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-dapm.c ++++ b/sound/soc/soc-dapm.c +@@ -1810,7 +1810,7 @@ static ssize_t dapm_widget_power_read_fi + w->active ? "active" : "inactive"); + + list_for_each_entry(p, &w->sources, list_sink) { +- if (p->connected && !p->connected(w, p->sink)) ++ if (p->connected && !p->connected(w, p->source)) + continue; + + if (p->connect) diff --git a/queue-3.11/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch b/queue-3.11/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch new file mode 100644 index 00000000000..7e319bde890 --- /dev/null +++ b/queue-3.11/asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch 
@@ -0,0 +1,29 @@
+From 268ff14525edba31da29a12a9dd693cdd6a7872e Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 30 Oct 2013 08:35:02 +0100
+Subject: ASoC: wm_hubs: Add missing break in hp_supply_event()
+
+From: Takashi Iwai
+
+commit 268ff14525edba31da29a12a9dd693cdd6a7872e upstream.
+
+Spotted by coverity CID 115170.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/soc/codecs/wm_hubs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/soc/codecs/wm_hubs.c
++++ b/sound/soc/codecs/wm_hubs.c
+@@ -530,6 +530,7 @@ static int hp_supply_event(struct snd_so
+ hubs->hp_startup_mode);
+ break;
+ }
++ break;
+
+ case SND_SOC_DAPM_PRE_PMD:
+ snd_soc_update_bits(codec, WM8993_CHARGE_PUMP_1,
diff --git a/queue-3.11/clk-fixup-argument-order-when-setting-vco-parameters.patch b/queue-3.11/clk-fixup-argument-order-when-setting-vco-parameters.patch
new file mode 100644
index 00000000000..47e5a270e72
--- /dev/null
+++ b/queue-3.11/clk-fixup-argument-order-when-setting-vco-parameters.patch
@@ -0,0 +1,36 @@
+From 2f9f64bc5aa31836810cd25301aa4772ad73ebab Mon Sep 17 00:00:00 2001
+From: Jonathan Austin
+Date: Tue, 23 Jul 2013 16:42:18 +0100
+Subject: clk: fixup argument order when setting VCO parameters
+
+From: Jonathan Austin
+
+commit 2f9f64bc5aa31836810cd25301aa4772ad73ebab upstream.
+
+The order of arguments in the call to vco_set() for the ICST clocks appears to
+have been switched in error, which results in the VCO not being initialised
+correctly. This in turn stops the integrated LCD on things like Integrator/CP
+from working correctly.
+
+This patch fixes the order and restores the expected functionality.
+
+Reviewed-by: Linus Walleij
+Signed-off-by: Jonathan Austin
+Signed-off-by: Mike Turquette
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/clk/versatile/clk-icst.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/clk/versatile/clk-icst.c
++++ b/drivers/clk/versatile/clk-icst.c
+@@ -107,7 +107,7 @@ static int icst_set_rate(struct clk_hw *
+
+ vco = icst_hz_to_vco(icst->params, rate);
+ icst->rate = icst_hz(icst->params, vco);
+- vco_set(icst->vcoreg, icst->lockreg, vco);
++ vco_set(icst->lockreg, icst->vcoreg, vco);
+ return 0;
+ }
+
diff --git a/queue-3.11/clk-nomadik-set-all-timers-to-use-2.4-mhz-timclk.patch b/queue-3.11/clk-nomadik-set-all-timers-to-use-2.4-mhz-timclk.patch
new file mode 100644
index 00000000000..47e7d7c6b72
--- /dev/null
+++ b/queue-3.11/clk-nomadik-set-all-timers-to-use-2.4-mhz-timclk.patch
@@ -0,0 +1,64 @@ +From b9b5ab11ea221a9f2d5af41da639e0898675c34c Mon Sep 17 00:00:00 2001 +From: Linus Walleij +Date: Fri, 13 Sep 2013 21:45:51 +0200 +Subject: clk: nomadik: set all timers to use 2.4 MHz TIMCLK + +From: Linus Walleij + +commit b9b5ab11ea221a9f2d5af41da639e0898675c34c upstream. + +This fixes a regression for the Nomadik on the main system +timers. + +The Nomadik seemed a bit slow and its heartbeat wasn't looking +healthy. And it was not strange, because it has been connected +to the 32768 Hz clock at boot, while being told by the clock driver +that it was 2.4MHz. Actually connect the TIMCLK to 2.4MHz by +default as this is what we want for nice scheduling, clocksource +and clock event. + +Signed-off-by: Linus Walleij +Signed-off-by: Mike Turquette +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/clk/clk-nomadik.c | 21 +++++++++++++++++++++ + 1 file changed, 21 insertions(+) + +--- a/drivers/clk/clk-nomadik.c ++++ b/drivers/clk/clk-nomadik.c +@@ -27,6 +27,14 @@ + */ + + #define SRC_CR 0x00U ++#define SRC_CR_T0_ENSEL BIT(15) ++#define SRC_CR_T1_ENSEL BIT(17) ++#define SRC_CR_T2_ENSEL BIT(19) ++#define SRC_CR_T3_ENSEL BIT(21) ++#define SRC_CR_T4_ENSEL BIT(23) ++#define SRC_CR_T5_ENSEL BIT(25) ++#define SRC_CR_T6_ENSEL BIT(27) ++#define SRC_CR_T7_ENSEL BIT(29) + #define SRC_XTALCR 0x0CU + #define SRC_XTALCR_XTALTIMEN BIT(20) + #define SRC_XTALCR_SXTALDIS BIT(19) +@@ -543,6 +551,19 @@ void __init nomadik_clk_init(void) + __func__, np->name); + return; + } ++ ++ /* Set all timers to use the 2.4 MHz TIMCLK */ ++ val = readl(src_base + SRC_CR); ++ val |= SRC_CR_T0_ENSEL; ++ val |= SRC_CR_T1_ENSEL; ++ val |= SRC_CR_T2_ENSEL; ++ val |= SRC_CR_T3_ENSEL; ++ val |= SRC_CR_T4_ENSEL; ++ val |= SRC_CR_T5_ENSEL; ++ val |= SRC_CR_T6_ENSEL; ++ val |= SRC_CR_T7_ENSEL; ++ writel(val, src_base + SRC_CR); ++ + val = readl(src_base + SRC_XTALCR); + pr_info("SXTALO is %s\n", + (val & SRC_XTALCR_SXTALDIS) ? "disabled" : "enabled"); 
diff --git a/queue-3.11/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch b/queue-3.11/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
new file mode 100644
index 00000000000..6a8e764c474
--- /dev/null
+++ b/queue-3.11/fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
@@ -0,0 +1,138 @@ +From 7314e613d5ff9f0934f7a0f74ed7973b903315d1 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 29 Oct 2013 10:21:34 -0700 +Subject: Fix a few incorrectly checked [io_]remap_pfn_range() calls + +From: Linus Torvalds + +commit 7314e613d5ff9f0934f7a0f74ed7973b903315d1 upstream. + +Nico Golde reports a few straggling uses of [io_]remap_pfn_range() that +really should use the vm_iomap_memory() helper. This trivially converts +two of them to the helper, and comments about why the third one really +needs to continue to use remap_pfn_range(), and adds the missing size +check. + +Reported-by: Nico Golde +Signed-off-by: Linus Torvalds + +--- + drivers/uio/uio.c | 17 +++++++++++++++-- + drivers/video/au1100fb.c | 26 +------------------------- + drivers/video/au1200fb.c | 23 +---------------------- + 3 files changed, 17 insertions(+), 49 deletions(-) + +--- a/drivers/uio/uio.c ++++ b/drivers/uio/uio.c +@@ -654,16 +654,29 @@ static int uio_mmap_physical(struct vm_a + { + struct uio_device *idev = vma->vm_private_data; + int mi = uio_find_mem_index(vma); ++ struct uio_mem *mem; + if (mi < 0) + return -EINVAL; ++ mem = idev->info->mem + mi; + +- vma->vm_ops = &uio_physical_vm_ops; ++ if (vma->vm_end - vma->vm_start > mem->size) ++ return -EINVAL; + ++ vma->vm_ops = &uio_physical_vm_ops; + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + ++ /* ++ * We cannot use the vm_iomap_memory() helper here, ++ * because vma->vm_pgoff is the map index we looked ++ * up above in uio_find_mem_index(), rather than an ++ * actual page offset into the mmap. ++ * ++ * So we just do the physical mmap without a page ++ * offset. 
++ */ + return remap_pfn_range(vma, + vma->vm_start, +- idev->info->mem[mi].addr >> PAGE_SHIFT, ++ mem->addr >> PAGE_SHIFT, + vma->vm_end - vma->vm_start, + vma->vm_page_prot); + } +--- a/drivers/video/au1100fb.c ++++ b/drivers/video/au1100fb.c +@@ -361,37 +361,13 @@ void au1100fb_fb_rotate(struct fb_info * + int au1100fb_fb_mmap(struct fb_info *fbi, struct vm_area_struct *vma) + { + struct au1100fb_device *fbdev; +- unsigned int len; +- unsigned long start=0, off; + + fbdev = to_au1100fb_device(fbi); + +- if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) { +- return -EINVAL; +- } +- +- start = fbdev->fb_phys & PAGE_MASK; +- len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len); +- +- off = vma->vm_pgoff << PAGE_SHIFT; +- +- if ((vma->vm_end - vma->vm_start + off) > len) { +- return -EINVAL; +- } +- +- off += start; +- vma->vm_pgoff = off >> PAGE_SHIFT; +- + vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + pgprot_val(vma->vm_page_prot) |= (6 << 9); //CCA=6 + +- if (io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, +- vma->vm_end - vma->vm_start, +- vma->vm_page_prot)) { +- return -EAGAIN; +- } +- +- return 0; ++ return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len); + } + + static struct fb_ops au1100fb_ops = +--- a/drivers/video/au1200fb.c ++++ b/drivers/video/au1200fb.c +@@ -1233,34 +1233,13 @@ static int au1200fb_fb_blank(int blank_m + * method mainly to allow the use of the TLB streaming flag (CCA=6) + */ + static int au1200fb_fb_mmap(struct fb_info *info, struct vm_area_struct *vma) +- + { +- unsigned int len; +- unsigned long start=0, off; + struct au1200fb_device *fbdev = info->par; + +- if (vma->vm_pgoff > (~0UL >> PAGE_SHIFT)) { +- return -EINVAL; +- } +- +- start = fbdev->fb_phys & PAGE_MASK; +- len = PAGE_ALIGN((start & ~PAGE_MASK) + fbdev->fb_len); +- +- off = vma->vm_pgoff << PAGE_SHIFT; +- +- if ((vma->vm_end - vma->vm_start + off) > len) { +- return -EINVAL; +- } +- +- off += start; +- vma->vm_pgoff = off >> PAGE_SHIFT; +- + 
vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot); + pgprot_val(vma->vm_page_prot) |= _CACHE_MASK; /* CCA=7 */ + +- return io_remap_pfn_range(vma, vma->vm_start, off >> PAGE_SHIFT, +- vma->vm_end - vma->vm_start, +- vma->vm_page_prot); ++ return vm_iomap_memory(vma, fbdev->fb_phys, fbdev->fb_len); + } + + static void set_global(u_int cmd, struct au1200_lcd_global_regs_t *pdata) diff --git a/queue-3.11/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch b/queue-3.11/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch new file mode 100644 index 00000000000..035278f9b8c --- /dev/null +++ b/queue-3.11/lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch 
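Review bot: In `uio_mmap_physical` the new bound `vma->vm_end - vma->vm_start > mem->size` compares a page-granular mapping length against the raw region size, while the mapping still starts at `mem->addr >> PAGE_SHIFT`, which discards any sub-page offset of `mem->addr`. If a UIO driver registers a region that does not start on a page boundary (not visible here), the mapping exposes the bytes that precede the region in that page and the size check does not account for them; a region smaller than one page is also rejected outright, since the shortest possible mapping is already larger than `mem->size`. I would refuse unaligned regions before the size check with `if (mem->addr & ~PAGE_MASK) return -ENODEV;` and extend the new comment to say that `mem->size` is expected to be a multiple of the page size.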
@@ -0,0 +1,62 @@ +From 3d77b50c5874b7e923be946ba793644f82336b75 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Thu, 31 Oct 2013 16:34:17 -0700 +Subject: lib/scatterlist.c: don't flush_kernel_dcache_page on slab page + +From: Ming Lei + +commit 3d77b50c5874b7e923be946ba793644f82336b75 upstream. + +Commit b1adaf65ba03 ("[SCSI] block: add sg buffer copy helper +functions") introduces two sg buffer copy helpers, and calls +flush_kernel_dcache_page() on pages in SG list after these pages are +written to. + +Unfortunately, the commit may introduce a potential bug: + + - Before sending some SCSI commands, kmalloc() buffer may be passed to + block layper, so flush_kernel_dcache_page() can see a slab page + finally + + - According to cachetlb.txt, flush_kernel_dcache_page() is only called + on "a user page", which surely can't be a slab page. + + - ARCH's implementation of flush_kernel_dcache_page() may use page + mapping information to do optimization so page_mapping() will see the + slab page, then VM_BUG_ON() is triggered. + +Aaro Koskinen reported the bug on ARM/kirkwood when DEBUG_VM is enabled, +and this patch fixes the bug by adding test of '!PageSlab(miter->page)' +before calling flush_kernel_dcache_page(). + +Signed-off-by: Ming Lei +Reported-by: Aaro Koskinen +Tested-by: Simon Baatz +Cc: Russell King - ARM Linux +Cc: Will Deacon +Cc: Aaro Koskinen +Acked-by: Catalin Marinas +Cc: FUJITA Tomonori +Cc: Tejun Heo +Cc: "James E.J. 
Bottomley" +Cc: Jens Axboe +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + lib/scatterlist.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/lib/scatterlist.c ++++ b/lib/scatterlist.c +@@ -577,7 +577,8 @@ void sg_miter_stop(struct sg_mapping_ite + miter->__offset += miter->consumed; + miter->__remaining -= miter->consumed; + +- if (miter->__flags & SG_MITER_TO_SG) ++ if ((miter->__flags & SG_MITER_TO_SG) && ++ !PageSlab(miter->page)) + flush_kernel_dcache_page(miter->page); + + if (miter->__flags & SG_MITER_ATOMIC) { diff --git a/queue-3.11/mm-make-generic_access_phys-available-for-modules.patch b/queue-3.11/mm-make-generic_access_phys-available-for-modules.patch new file mode 100644 index 00000000000..9c6e3919164 --- /dev/null +++ b/queue-3.11/mm-make-generic_access_phys-available-for-modules.patch @@ -0,0 +1,28 @@ +From 5a73633ef01cd8772defa6a3c34a588376a1df4c Mon Sep 17 00:00:00 2001 +From: Uwe Kleine-König +Date: Wed, 7 Aug 2013 13:02:52 +0200 +Subject: mm: make generic_access_phys available for modules + +From: Uwe Kleine-König + +commit 5a73633ef01cd8772defa6a3c34a588376a1df4c upstream. + +In the next commit this function will be used in the uio subsystem + +Signed-off-by: Uwe Kleine-König +Signed-off-by: Greg Kroah-Hartman + +--- + mm/memory.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -4081,6 +4081,7 @@ int generic_access_phys(struct vm_area_s + + return len; + } ++EXPORT_SYMBOL_GPL(generic_access_phys); + #endif + + /* diff --git a/queue-3.11/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch b/queue-3.11/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch new file mode 100644 index 00000000000..f15f06b1c6b --- /dev/null +++ b/queue-3.11/scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch 
@@ -0,0 +1,84 @@ +From f6537f2f0eba4eba3354e48dbe3047db6d8b6254 Mon Sep 17 00:00:00 2001 +From: Ming Lei +Date: Sat, 2 Nov 2013 09:11:33 +1030 +Subject: scripts/kallsyms: filter symbols not in kernel address space + +From: Ming Lei + +commit f6537f2f0eba4eba3354e48dbe3047db6d8b6254 upstream. + +This patch uses CONFIG_PAGE_OFFSET to filter symbols which +are not in kernel address space because these symbols are +generally for generating code purpose and can't be run at +kernel mode, so we needn't keep them in /proc/kallsyms. + +For example, on ARM there are some symbols which may be +linked in relocatable code section, then perf can't parse +symbols any more from /proc/kallsyms, this patch fixes the +problem (introduced b9b32bf70f2fb710b07c94e13afbc729afe221da) + +Cc: Russell King +Cc: linux-arm-kernel@lists.infradead.org +Cc: Michal Marek +Signed-off-by: Ming Lei +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/kallsyms.c | 12 +++++++++++- + scripts/link-vmlinux.sh | 2 ++ + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/scripts/kallsyms.c ++++ b/scripts/kallsyms.c +@@ -55,6 +55,7 @@ static struct sym_entry *table; + static unsigned int table_size, table_cnt; + static int all_symbols = 0; + static char symbol_prefix_char = '\0'; ++static unsigned long long kernel_start_addr = 0; + + int token_profit[0x10000]; + +@@ -65,7 +66,10 @@ unsigned char best_table_len[256]; + + static void usage(void) + { +- fprintf(stderr, "Usage: kallsyms [--all-symbols] [--symbol-prefix=] < in.map > out.S\n"); ++ fprintf(stderr, "Usage: kallsyms [--all-symbols] " ++ "[--symbol-prefix=] " ++ "[--page-offset=] " ++ "< in.map > out.S\n"); + exit(1); + } + +@@ -194,6 +198,9 @@ static int symbol_valid(struct sym_entry + int i; + int offset = 1; + ++ if (s->addr < kernel_start_addr) ++ return 0; ++ + /* skip prefix char */ + if (symbol_prefix_char && *(s->sym + 1) == symbol_prefix_char) + offset++; +@@ -646,6 +653,9 @@ int main(int argc, char **argv) 
+ if ((*p == '"' && *(p+2) == '"') || (*p == '\'' && *(p+2) == '\'')) + p++; + symbol_prefix_char = *p; ++ } else if (strncmp(argv[i], "--page-offset=", 14) == 0) { ++ const char *p = &argv[i][14]; ++ kernel_start_addr = strtoull(p, NULL, 16); + } else + usage(); + } +--- a/scripts/link-vmlinux.sh ++++ b/scripts/link-vmlinux.sh +@@ -82,6 +82,8 @@ kallsyms() + kallsymopt="${kallsymopt} --all-symbols" + fi + ++ kallsymopt="${kallsymopt} --page-offset=$CONFIG_PAGE_OFFSET" ++ + local aflags="${KBUILD_AFLAGS} ${KBUILD_AFLAGS_KERNEL} \ + ${NOSTDINC_FLAGS} ${LINUXINCLUDE} ${KBUILD_CPPFLAGS}" + diff --git a/queue-3.11/series b/queue-3.11/series index 0fa3ee535b0..00fbd9f0493 100644 --- a/queue-3.11/series +++ b/queue-3.11/series 
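Review bot: In `main`, `kernel_start_addr = strtoull(p, NULL, 16);` accepts any string, so a mistyped or non-hex `--page-offset=` value parses as 0 and the new filter in `symbol_valid` is silently switched off. An empty value probably has to stay legal, because the link-vmlinux.sh hunk passes `--page-offset=$CONFIG_PAGE_OFFSET` unconditionally and that variable may be unset in some configurations (an inference, the configuration is not visible here). I would keep the end pointer and reject only trailing garbage: `kernel_start_addr = strtoull(p, &end, 16);` followed by `if (*end != '\0') usage();`, with `char *end;` declared next to `p`. `main` starts and ends outside the hunk.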
@@ -45,3 +45,24 @@ target-pscsi-fix-return-value-check.patch
 vhost-scsi-fix-incorrect-usage-of-get_user_pages_fast-write-parameter.patch
 clockevents-sanitize-ticks-to-nsec-conversion.patch
 parisc-do-not-crash-64bit-smp-kernels-on-machines-with-4gb-ram.patch
+scripts-kallsyms-filter-symbols-not-in-kernel-address-space.patch
+arc-incorrect-mm-reference-used-in-vmalloc-fault-handler.patch
+alsa-hda-add-missing-initial-vmaster-hook-at-build_controls-callback.patch
+alsa-hda-fix-unbalanced-runtime-pm-refcount-after-s3-s4.patch
+alsa-hda-add-a-fixup-for-asus-n76vz.patch
+alsa-fix-oops-in-snd_pcm_info-caused-by-asoc-dpcm.patch
+asoc-wm_hubs-add-missing-break-in-hp_supply_event.patch
+asoc-dapm-fix-source-list-debugfs-outputs.patch
+staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
+staging-bcm-info-leak-in-ioctl.patch
+staging-sb105x-info-leak-in-mp_get_count.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
+uml-check-length-in-exitcode_proc_write.patch
+xtensa-don-t-use-alternate-signal-stack-on-threads.patch
+mm-make-generic_access_phys-available-for-modules.patch
+uio-provide-vm-access-to-uio_mem_phys-maps.patch
+fix-a-few-incorrectly-checked-remap_pfn_range-calls.patch
+lib-scatterlist.c-don-t-flush_kernel_dcache_page-on-slab-page.patch
+aacraid-missing-capable-check-in-compat-ioctl.patch
+clk-fixup-argument-order-when-setting-vco-parameters.patch
+clk-nomadik-set-all-timers-to-use-2.4-mhz-timclk.patch
diff --git a/queue-3.11/staging-bcm-info-leak-in-ioctl.patch b/queue-3.11/staging-bcm-info-leak-in-ioctl.patch
new file mode 100644
index 00000000000..d93b34605a8
--- /dev/null
+++ b/queue-3.11/staging-bcm-info-leak-in-ioctl.patch
@@ -0,0 +1,32 @@
+From 8d1e72250c847fa96498ec029891de4dc638a5ba Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 23:01:11 +0300
+Subject: Staging: bcm: info leak in ioctl
+
+From: Dan Carpenter
+
+commit 8d1e72250c847fa96498ec029891de4dc638a5ba upstream.
+
+The DevInfo.u32Reserved[] array isn't initialized so it leaks kernel
+information to user space.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/bcm/Bcmchar.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/staging/bcm/Bcmchar.c
++++ b/drivers/staging/bcm/Bcmchar.c
+@@ -1960,6 +1960,7 @@ cntrlEnd:
+
+ BCM_DEBUG_PRINT(Adapter, DBG_TYPE_OTHERS, OSAL_DBG, DBG_LVL_ALL, "Called IOCTL_BCM_GET_DEVICE_DRIVER_INFO\n");
+
++ memset(&DevInfo, 0, sizeof(DevInfo));
+ DevInfo.MaxRDMBufferSize = BUFFER_4K;
+ DevInfo.u32DSDStartOffset = EEPROM_CALPARAM_START;
+ DevInfo.u32RxAlignmentCorrection = 0;
diff --git a/queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch b/queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
new file mode 100644
index 00000000000..074bb59f65e
--- /dev/null
+++ b/queue-3.11/staging-ozwpan-prevent-overflow-in-oz_cdev_write.patch
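Review bot: The added `memset(&DevInfo, 0, sizeof(DevInfo));` carries no comment, so a later cleanup could take it for redundant initialisation ahead of the field assignments and drop it, bringing the leak back. I would put `/* Zero the whole struct, u32Reserved[] included, before it is copied to user space. */` above it. The declaration of `DevInfo` and the copy to user space are outside the hunk, so the copied length should be confirmed to be `sizeof(DevInfo)` or less.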
@@ -0,0 +1,33 @@
+From c2c65cd2e14ada6de44cb527e7f1990bede24e15 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 22:07:47 +0300
+Subject: staging: ozwpan: prevent overflow in oz_cdev_write()
+
+From: Dan Carpenter
+
+commit c2c65cd2e14ada6de44cb527e7f1990bede24e15 upstream.
+
+We need to check "count" so we don't overflow the ei->data buffer.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/ozwpan/ozcdev.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/staging/ozwpan/ozcdev.c
++++ b/drivers/staging/ozwpan/ozcdev.c
+@@ -152,6 +152,9 @@ static ssize_t oz_cdev_write(struct file
+ struct oz_app_hdr *app_hdr;
+ struct oz_serial_ctx *ctx;
+
++ if (count > sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr))
++ return -EINVAL;
++
+ spin_lock_bh(&g_cdev.lock);
+ pd = g_cdev.active_pd;
+ if (pd)
diff --git a/queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch b/queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch
new file mode 100644
index 00000000000..e87d56848ab
--- /dev/null
+++ b/queue-3.11/staging-sb105x-info-leak-in-mp_get_count.patch
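Review bot: The new bound in oz_cdev_write(), `sizeof(ei->data) - sizeof(*elt) - sizeof(*app_hdr)`, is computed in size_t, so it would wrap to a huge value and accept every `count` if ei->data were ever smaller than the two headers together. The sizes are not visible here and this is presumably fine today, but a compile-time guard keeps it that way: `BUILD_BUG_ON(sizeof(ei->data) < sizeof(*elt) + sizeof(*app_hdr));` just above the check. A one-line comment saying the limit is the payload room left after the element and application headers would also help the next reader. The function body continues outside the hunk.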
@@ -0,0 +1,33 @@
+From a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 23:01:43 +0300
+Subject: Staging: sb105x: info leak in mp_get_count()
+
+From: Dan Carpenter
+
+commit a8b33654b1e3b0c74d4a1fed041c9aae50b3c427 upstream.
+
+The icount.reserved[] array isn't initialized so it leaks stack
+information to userspace.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/sb105x/sb_pci_mp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/staging/sb105x/sb_pci_mp.c
++++ b/drivers/staging/sb105x/sb_pci_mp.c
+@@ -1063,7 +1063,7 @@ static int mp_wait_modem_status(struct s
+
+ static int mp_get_count(struct sb_uart_state *state, struct serial_icounter_struct *icnt)
+ {
+- struct serial_icounter_struct icount;
++ struct serial_icounter_struct icount = {};
+ struct sb_uart_icount cnow;
+ struct sb_uart_port *port = state->port;
+
diff --git a/queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch b/queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
new file mode 100644
index 00000000000..a6945f3d7da
--- /dev/null
+++ b/queue-3.11/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
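Review bot: The `= {}` initialiser on `icount` in mp_get_count() zeroes the named members, but C does not promise that an initialiser clears padding bytes, and the empty-brace form is a GNU extension. For a struct that is handed to user space (per the commit message; the copy itself is outside the hunk) `memset(&icount, 0, sizeof(icount));` before the counters are filled in is the form that covers padding as well. Whether serial_icounter_struct has padding on the supported targets is not visible here, so treat this as hardening rather than a proven leak.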
@@ -0,0 +1,64 @@
+From b5e2f339865fb443107e5b10603e53bbc92dc054 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy(). I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info(struct uilreq *ur
+ ltv_t *pLtv;
+ bool_t ltvAllocated = FALSE;
+ ENCSTRCT sEncryption;
++ size_t len;
+
+ #ifdef USE_WDS
+ hcf_16 hcfPort = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info(struct uilreq *ur
+ break;
+ case CFG_CNF_OWN_NAME:
+ memset(lp->StationName, 0, sizeof(lp->StationName));
+- memcpy((void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+ pLtv->u.u16[0] = CNV_INT_TO_LITTLE(pLtv->u.u16[0]);
+ break;
+ case CFG_CNF_LOAD_BALANCING:
+@@ -1783,6 +1785,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+ struct wl_private *lp = wl_priv(dev);
+ unsigned long flags;
++ size_t len;
+ int ret = 0;
+ /*------------------------------------------------------------------------*/
+
+@@ -1793,8 +1796,8 @@ int wvlan_set_station_nickname(struct ne
+ wl_lock(lp, &flags);
+
+ memset(lp->StationName, 0, sizeof(lp->StationName));
+-
+- memcpy(lp->StationName, extra, wrqu->data.length);
++ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++ strlcpy(lp->StationName, extra, len);
+
+ /* Commit the adapter parameters */
+ wl_apply(lp);
diff --git a/queue-3.11/uio-provide-vm-access-to-uio_mem_phys-maps.patch b/queue-3.11/uio-provide-vm-access-to-uio_mem_phys-maps.patch
new file mode 100644
index 00000000000..3b142817a44
--- /dev/null
+++ b/queue-3.11/uio-provide-vm-access-to-uio_mem_phys-maps.patch
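Review bot: Both `strlcpy()` calls (the CFG_CNF_OWN_NAME case in wvlan_uil_put_info() and the one in wvlan_set_station_nickname()) pass the clamped caller-supplied length as the size argument, which has two side effects. strlcpy() copies at most `len - 1` bytes, so a name of exactly that length with no terminator loses its last character, and it runs strlen() on the source, which is not bounded by `len` and can read past the supplied data if that data is not NUL-terminated. Because StationName is zeroed by the memset just above, a bounded memcpy keeps the terminator and avoids both: `len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1);` followed by `memcpy(lp->StationName, extra, len);`, and the same with `pLtv->u.u16[0]` and `&pLtv->u.u8[2]` in the first function. Both function bodies start and end outside the hunks shown.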
@@ -0,0 +1,76 @@
+From 7294151d0592e0ff48c61fca9fd7c93d613134da Mon Sep 17 00:00:00 2001
+From: Uwe Kleine-König
+Date: Wed, 7 Aug 2013 13:02:53 +0200
+Subject: uio: provide vm access to UIO_MEM_PHYS maps
+
+From: Uwe Kleine-König
+
+commit 7294151d0592e0ff48c61fca9fd7c93d613134da upstream.
+
+This makes it possible to let gdb access mappings of the process that is
+being debugged.
+
+uio_mmap_logical was moved and uio_vm_ops renamed to group related code
+and differentiate to new stuff.
+
+Signed-off-by: Uwe Kleine-König
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/uio/uio.c | 26 +++++++++++++++++---------
+ 1 file changed, 17 insertions(+), 9 deletions(-)
+
+--- a/drivers/uio/uio.c
++++ b/drivers/uio/uio.c
+@@ -630,12 +630,26 @@ static int uio_vma_fault(struct vm_area_
+ return 0;
+ }
+
+-static const struct vm_operations_struct uio_vm_ops = {
++static const struct vm_operations_struct uio_logical_vm_ops = {
+ .open = uio_vma_open,
+ .close = uio_vma_close,
+ .fault = uio_vma_fault,
+ };
+
++static int uio_mmap_logical(struct vm_area_struct *vma)
++{
++ vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
++ vma->vm_ops = &uio_logical_vm_ops;
++ uio_vma_open(vma);
++ return 0;
++}
++
++static const struct vm_operations_struct uio_physical_vm_ops = {
++#ifdef CONFIG_HAVE_IOREMAP_PROT
++ .access = generic_access_phys,
++#endif
++};
++
+ static int uio_mmap_physical(struct vm_area_struct *vma)
+ {
+ struct uio_device *idev = vma->vm_private_data;
+@@ -643,6 +657,8 @@ static int uio_mmap_physical(struct vm_a
+ if (mi < 0)
+ return -EINVAL;
+
++ vma->vm_ops = &uio_physical_vm_ops;
++
+ vma->vm_page_prot = pgprot_noncached(vma->vm_page_prot);
+
+ return remap_pfn_range(vma,
+@@ -652,14 +668,6 @@ static int uio_mmap_physical(struct vm_a
+ vma->vm_page_prot);
+ }
+
+-static int uio_mmap_logical(struct vm_area_struct *vma)
+-{
+- vma->vm_flags |= VM_DONTEXPAND | VM_DONTDUMP;
+- vma->vm_ops = &uio_vm_ops;
+- uio_vma_open(vma);
+- return 0;
+-}
+-
+ static int uio_mmap(struct file *filep, struct vm_area_struct *vma)
+ {
+ struct uio_listener *listener = filep->private_data;
diff --git a/queue-3.11/uml-check-length-in-exitcode_proc_write.patch b/queue-3.11/uml-check-length-in-exitcode_proc_write.patch
new file mode 100644
index 00000000000..4c39edb04ca
--- /dev/null
+++ b/queue-3.11/uml-check-length-in-exitcode_proc_write.patch
@@ -0,0 +1,37 @@
+From 201f99f170df14ba52ea4c52847779042b7a623b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 22:06:04 +0300
+Subject: uml: check length in exitcode_proc_write()
+
+From: Dan Carpenter
+
+commit 201f99f170df14ba52ea4c52847779042b7a623b upstream.
+
+We don't cap the size of buffer from the user so we could write past the
+end of the array here. Only root can write to this file.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/um/kernel/exitcode.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/arch/um/kernel/exitcode.c
++++ b/arch/um/kernel/exitcode.c
+@@ -40,9 +40,11 @@ static ssize_t exitcode_proc_write(struc
+ const char __user *buffer, size_t count, loff_t *pos)
+ {
+ char *end, buf[sizeof("nnnnn\0")];
++ size_t size;
+ int tmp;
+
+- if (copy_from_user(buf, buffer, count))
++ size = min(count, sizeof(buf));
++ if (copy_from_user(buf, buffer, size))
+ return -EFAULT;
+
+ tmp = simple_strtol(buf, &end, 0);
diff --git a/queue-3.11/xtensa-don-t-use-alternate-signal-stack-on-threads.patch b/queue-3.11/xtensa-don-t-use-alternate-signal-stack-on-threads.patch
new file mode 100644
index 00000000000..a1a743ac360
--- /dev/null
+++ b/queue-3.11/xtensa-don-t-use-alternate-signal-stack-on-threads.patch
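Review bot: `uio_physical_vm_ops` sets `.access = generic_access_phys` with no comment on what that exposes: going by the commit message, a debugger attached to the process can then reach the UIO_MEM_PHYS mapping, which is device memory rather than ordinary RAM, through the ptrace access path. I would record that on the struct, e.g. `/* .access: lets ptrace (gdb) reach the physical mapping; such accesses go straight to the device */`. The same comment should mention that the struct is deliberately empty when CONFIG_HAVE_IOREMAP_PROT is not set, so nobody mistakes the empty initialiser for an oversight.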
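Review bot: `buf` is still not NUL-terminated when `simple_strtol(buf, &end, 0)` parses it in exitcode_proc_write(): with `size = min(count, sizeof(buf))` a write of sizeof(buf) bytes or more fills the whole array, and a shorter write leaves the bytes after `size` uninitialised. The parse can therefore run past the end of the stack buffer or consume stale stack bytes. Clamping to one byte less and terminating closes that: `size = min(count, sizeof(buf) - 1);` and, after the copy_from_user() check, `buf[size] = '\0';`. The function continues outside the hunk.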
@@ -0,0 +1,38 @@
+From cba9a90053e3b7973eff4f1946f33032e98eeed5 Mon Sep 17 00:00:00 2001
+From: Baruch Siach
+Date: Tue, 15 Oct 2013 02:22:43 +0400
+Subject: xtensa: don't use alternate signal stack on threads
+
+From: Baruch Siach
+
+commit cba9a90053e3b7973eff4f1946f33032e98eeed5 upstream.
+
+According to create_thread(3): "The new thread does not inherit the creating
+thread's alternate signal stack". Since commit f9a3879a (Fix sigaltstack
+corruption among cloned threads), current->sas_ss_size is set to 0 for cloned
+processes sharing VM with their parent. Don't use the (nonexistent) alternate
+signal stack in this case. This has been broken since commit 29c4dfd9 ([XTENSA]
+Remove non-rt signal handling).
+
+Fixes the SA_ONSTACK part of the nptl/tst-cancel20 test from uClibc.
+
+Signed-off-by: Baruch Siach
+Signed-off-by: Max Filippov
+Signed-off-by: Chris Zankel
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/xtensa/kernel/signal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/xtensa/kernel/signal.c
++++ b/arch/xtensa/kernel/signal.c
+@@ -341,7 +341,7 @@ static int setup_frame(int sig, struct k
+
+ sp = regs->areg[1];
+
+- if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && ! on_sig_stack(sp)) {
++ if ((ka->sa.sa_flags & SA_ONSTACK) != 0 && sas_ss_flags(sp) == 0) {
+ sp = current->sas_ss_sp + current->sas_ss_size;
+ }
+
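Review bot: The switch from `! on_sig_stack(sp)` to `sas_ss_flags(sp) == 0` in setup_frame() is not self-explanatory, since both read as "not already on the alternate stack", and the reason lives only in the commit message. A comment above the condition would keep it from being "simplified" back, for example `/* sas_ss_flags() is also non-zero when no alternate stack is set up (sas_ss_size == 0), as in threads sharing the VM */`. The function body starts and ends outside the hunk.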