From: Greg Kroah-Hartman Date: Tue, 27 Jan 2015 19:25:55 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.67~36 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7bd03a8ae7e4fdea5c709dc99b42d0051bf6a5d4;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arm-dts-imx25-fix-pwm-per-clocks.patch bus-mvebu-mbus-fix-support-of-mbus-window-13.patch fix-deadlock-in-cifs_ioctl_clone.patch time-adjtimex-validate-the-adj_frequency-values.patch time-settimeofday-validate-the-values-of-tv-from-user.patch
---
diff --git a/queue-3.14/arm-dts-imx25-fix-pwm-per-clocks.patch b/queue-3.14/arm-dts-imx25-fix-pwm-per-clocks.patch
new file mode 100644
index 00000000000..f8fc39751fa
--- /dev/null
+++ b/queue-3.14/arm-dts-imx25-fix-pwm-per-clocks.patch
@@ -0,0 +1,66 @@
+From 7ecd0bde5bfea524a843ad8fa8cb66ccbce68779 Mon Sep 17 00:00:00 2001
+From: Fabio Estevam
+Date: Wed, 14 Jan 2015 11:11:03 -0200
+Subject: ARM: dts: imx25: Fix PWM "per" clocks
+
+From: Fabio Estevam
+
+commit 7ecd0bde5bfea524a843ad8fa8cb66ccbce68779 upstream.
+
+Currently PWM functionality is broken on mx25 due to the wrong assignment of the
+PWM "per" clock.
+
+According to Documentation/devicetree/bindings/clock/imx25-clock.txt:
+ pwm_ipg_per 52
+
+,so update the pwm "per" to use 'pwm_ipg_per' instead of 'per10' clock.
+
+With this change PWM can work fine on mx25.
+
+Reported-by: Carlos Soto
+Signed-off-by: Fabio Estevam
+Signed-off-by: Shawn Guo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/boot/dts/imx25.dtsi | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/arm/boot/dts/imx25.dtsi
++++ b/arch/arm/boot/dts/imx25.dtsi
+@@ -352,7 +352,7 @@
+ compatible = "fsl,imx25-pwm", "fsl,imx27-pwm";
+ #pwm-cells = <2>;
+ reg = <0x53fa0000 0x4000>;
+- clocks = <&clks 106>, <&clks 36>;
++ clocks = <&clks 106>, <&clks 52>;
+ clock-names = "ipg", "per";
+ interrupts = <36>;
+ };
+@@ -371,7 +371,7 @@
+ compatible = "fsl,imx25-pwm", "fsl,imx27-pwm";
+ #pwm-cells = <2>;
+ reg = <0x53fa8000 0x4000>;
+- clocks = <&clks 107>, <&clks 36>;
++ clocks = <&clks 107>, <&clks 52>;
+ clock-names = "ipg", "per";
+ interrupts = <41>;
+ };
+@@ -412,7 +412,7 @@
+ pwm4: pwm@53fc8000 {
+ compatible = "fsl,imx25-pwm", "fsl,imx27-pwm";
+ reg = <0x53fc8000 0x4000>;
+- clocks = <&clks 108>, <&clks 36>;
++ clocks = <&clks 108>, <&clks 52>;
+ clock-names = "ipg", "per";
+ interrupts = <42>;
+ };
+@@ -458,7 +458,7 @@
+ compatible = "fsl,imx25-pwm", "fsl,imx27-pwm";
+ #pwm-cells = <2>;
+ reg = <0x53fe0000 0x4000>;
+- clocks = <&clks 105>, <&clks 36>;
++ clocks = <&clks 105>, <&clks 52>;
+ clock-names = "ipg", "per";
+ interrupts = <26>;
+ };
diff --git a/queue-3.14/bus-mvebu-mbus-fix-support-of-mbus-window-13.patch b/queue-3.14/bus-mvebu-mbus-fix-support-of-mbus-window-13.patch
new file mode 100644
index 00000000000..c64cab2ff07
--- /dev/null
+++ b/queue-3.14/bus-mvebu-mbus-fix-support-of-mbus-window-13.patch
@@ -0,0 +1,55 @@
+From 38bdf45f4aa5cb6186d50a29e6cbbd9d486a1519 Mon Sep 17 00:00:00 2001
+From: Andrew Lunn
+Date: Sun, 18 Jan 2015 09:46:10 -0600
+Subject: bus: mvebu-mbus: fix support of MBus window 13
+
+From: Andrew Lunn
+
+commit 38bdf45f4aa5cb6186d50a29e6cbbd9d486a1519 upstream.
+
+On Armada XP, 375 and 38x the MBus window 13 has the remap capability,
+like windows 0 to 7. However, the mvebu-mbus driver isn't currently
+taking into account this special case, which means that when window 13
+is actually used, the remap registers are left to 0, making the device
+using this MBus window unavailable.
+
+As a minimal fix for stable, don't use window 13. A full fix will
+follow later.
+
+Fixes: fddddb52a6c ("bus: introduce an Marvell EBU MBus driver")
+Reviewed-by: Thomas Petazzoni
+Signed-off-by: Andrew Lunn
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/bus/mvebu-mbus.c | 13 +++++++++++++
+ 1 file changed, 13 insertions(+)
+
+--- a/drivers/bus/mvebu-mbus.c
++++ b/drivers/bus/mvebu-mbus.c
+@@ -181,12 +181,25 @@ static void mvebu_mbus_disable_window(st
+ }
+
+ /* Checks whether the given window number is available */
++
++/* On Armada XP, 375 and 38x the MBus window 13 has the remap
++ * capability, like windows 0 to 7. However, the mvebu-mbus driver
++ * isn't currently taking into account this special case, which means
++ * that when window 13 is actually used, the remap registers are left
++ * to 0, making the device using this MBus window unavailable. The
++ * quick fix for stable is to not use window 13. A follow up patch
++ * will correctly handle this window.
++*/
+ static int mvebu_mbus_window_is_free(struct mvebu_mbus_state *mbus,
+ const int win)
+ {
+ void __iomem *addr = mbus->mbuswins_base +
+ mbus->soc->win_cfg_offset(win);
+ u32 ctrl = readl(addr + WIN_CTRL_OFF);
++
++ if (win == 13)
++ return false;
++
+ return !(ctrl & WIN_CTRL_ENABLE);
+ }
+
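Review bot: In mvebu_mbus_window_is_free() the new early exit is `return false;` inside a function declared `static int`, and the window number is a bare literal tested on every SoC the driver handles, although the comment limits the problem to Armada XP, 375 and 38x. Writing it as `return 0;` against a named constant for window 13 would match the declared type and give the promised follow-up fix one place to change. The test also sits after `readl(addr + WIN_CTRL_OFF)`, so the skipped window's control register is still read; moving `if (win == 13)` above the read avoids that access. The added block comment lands between `/* Checks whether the given window number is available */` and the function it describes, so that one-line description should move down to stay attached to the signature.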
diff --git a/queue-3.14/fix-deadlock-in-cifs_ioctl_clone.patch b/queue-3.14/fix-deadlock-in-cifs_ioctl_clone.patch
new file mode 100644
index 00000000000..c7dc431acf9
--- /dev/null
+++ b/queue-3.14/fix-deadlock-in-cifs_ioctl_clone.patch
@@ -0,0 +1,68 @@
+From 378ff1a53b5724f3ac97b0aba3c9ecac072f6fcd Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 18 Jan 2015 23:37:32 -0500
+Subject: fix deadlock in cifs_ioctl_clone()
+
+From: Al Viro
+
+commit 378ff1a53b5724f3ac97b0aba3c9ecac072f6fcd upstream.
+
+It really needs to check that src is non-directory *and* use
+{un,}lock_two_nodirectories(). As it is, it's trivial to cause
+double-lock (ioctl(fd, CIFS_IOC_COPYCHUNK_FILE, fd)) and if the
+last argument is an fd of directory, we are asking for trouble
+by violating the locking order - all directories go before all
+non-directories. If the last argument is an fd of parent
+directory, it has 50% odds of locking child before parent,
+which will cause AB-BA deadlock if we race with unlink().
+
+Signed-off-by: Al Viro
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/ioctl.c | 21 +++++----------------
+ 1 file changed, 5 insertions(+), 16 deletions(-)
+
+--- a/fs/cifs/ioctl.c
++++ b/fs/cifs/ioctl.c
+@@ -86,21 +86,16 @@ static long cifs_ioctl_clone(unsigned in
+ }
+
+ src_inode = src_file.file->f_dentry->d_inode;
++ rc = -EINVAL;
++ if (S_ISDIR(src_inode->i_mode))
++ goto out_fput;
+
+ /*
+ * Note: cifs case is easier than btrfs since server responsible for
+ * checks for proper open modes and file type and if it wants
+ * server could even support copy of range where source = target
+ */
+-
+- /* so we do not deadlock racing two ioctls on same files */
+- if (target_inode < src_inode) {
+- mutex_lock_nested(&target_inode->i_mutex, I_MUTEX_PARENT);
+- mutex_lock_nested(&src_inode->i_mutex, I_MUTEX_CHILD);
+- } else {
+- mutex_lock_nested(&src_inode->i_mutex, I_MUTEX_PARENT);
+- mutex_lock_nested(&target_inode->i_mutex, I_MUTEX_CHILD);
+- }
++ lock_two_nondirectories(target_inode, src_inode);
+
+ /* determine range to clone */
+ rc = -EINVAL;
+@@ -124,13 +119,7 @@ static long cifs_ioctl_clone(unsigned in
+ out_unlock:
+ /* although unlocking in the reverse order from locking is not
+ strictly necessary
here it is a little cleaner to be consistent */
+- if (target_inode < src_inode) {
+- mutex_unlock(&src_inode->i_mutex);
+- mutex_unlock(&target_inode->i_mutex);
+- } else {
+- mutex_unlock(&target_inode->i_mutex);
+- mutex_unlock(&src_inode->i_mutex);
+- }
++ unlock_two_nondirectories(src_inode, target_inode);
+ out_fput:
+ fdput(src_file);
+ out_drop_write:
diff --git a/queue-3.14/series b/queue-3.14/series
index 36117762ade..e4d1c329edb 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -13,3 +13,8 @@ pci-mark-atheros-ar93xx-to-avoid-bus-reset.patch
 ipr-wait-for-aborted-command-responses.patch
 dm-cache-share-cache-metadata-object-across-inactive-and-active-dm-tables.patch
 dm-cache-fix-problematic-dual-use-of-a-single-migration-count-variable.patch
+time-settimeofday-validate-the-values-of-tv-from-user.patch
+time-adjtimex-validate-the-adj_frequency-values.patch
+arm-dts-imx25-fix-pwm-per-clocks.patch
+bus-mvebu-mbus-fix-support-of-mbus-window-13.patch
+fix-deadlock-in-cifs_ioctl_clone.patch
diff --git a/queue-3.14/time-adjtimex-validate-the-adj_frequency-values.patch b/queue-3.14/time-adjtimex-validate-the-adj_frequency-values.patch
new file mode 100644
index 00000000000..618de4037e3
--- /dev/null
+++ b/queue-3.14/time-adjtimex-validate-the-adj_frequency-values.patch
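Review bot: In cifs_ioctl_clone() (fs/cifs/ioctl.c) the comment kept above the unlock, "although unlocking in the reverse order from locking is not strictly necessary here it is a little cleaner to be consistent", no longer describes the code, because `unlock_two_nondirectories(src_inode, target_inode)` hides the order and is called with its arguments swapped relative to `lock_two_nondirectories(target_inode, src_inode)`. Drop or reword that comment and pass the inodes in the same order at both call sites, so a reader does not have to confirm that the helpers are order-insensitive. The new `S_ISDIR(src_inode->i_mode)` guard covers only the source, while the helper names imply that neither inode may be a directory; nothing in the hunk shows what guarantees that for `target_inode`, so a one-line comment naming the guarantee (presumably a check earlier in the function, outside the hunk) would make the locking precondition auditable. The function body starts and ends outside both hunks.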
@@ -0,0 +1,40 @@
+From 5e5aeb4367b450a28f447f6d5ab57d8f2ab16a5f Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2014 19:25:05 -0500
+Subject: time: adjtimex: Validate the ADJ_FREQUENCY values
+
+From: Sasha Levin
+
+commit 5e5aeb4367b450a28f447f6d5ab57d8f2ab16a5f upstream.
+
+Verify that the frequency value from userspace is valid and makes sense.
+
+Unverified values can cause overflows later on.
+
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Signed-off-by: Sasha Levin
+[jstultz: Fix up bug for negative values and drop redunent cap check]
+Signed-off-by: John Stultz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/time/ntp.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/kernel/time/ntp.c
++++ b/kernel/time/ntp.c
+@@ -631,6 +631,13 @@ int ntp_validate_timex(struct timex *txc
+ if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME)))
+ return -EPERM;
+
++ if (txc->modes & ADJ_FREQUENCY) {
++ if (LONG_MIN / PPM_SCALE > txc->freq)
++ return -EINVAL;
++ if (LONG_MAX / PPM_SCALE < txc->freq)
++ return -EINVAL;
++ }
++
+ return 0;
+ }
+
diff --git a/queue-3.14/time-settimeofday-validate-the-values-of-tv-from-user.patch b/queue-3.14/time-settimeofday-validate-the-values-of-tv-from-user.patch
new file mode 100644
index 00000000000..a0d274a53a6
--- /dev/null
+++ b/queue-3.14/time-settimeofday-validate-the-values-of-tv-from-user.patch
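Review bot: In ntp_validate_timex() (kernel/time/ntp.c) the new bounds are derived from `LONG_MIN` and `LONG_MAX`, which are only 32 bits wide on 32-bit builds. If `PPM_SCALE` is the 64-bit scale factor it appears to be, the quotient on those builds shrinks to a few tens, and ordinary `ADJ_FREQUENCY` requests would be rejected with -EINVAL. The multiplication this guard protects is presumably carried out in 64-bit arithmetic, so the limits should be `if (LLONG_MIN / PPM_SCALE > txc->freq)` and `if (LLONG_MAX / PPM_SCALE < txc->freq)`. A short comment naming the later computation that overflows would make the bound reviewable. The function starts outside the hunk.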
@@ -0,0 +1,61 @@
+From 6ada1fc0e1c4775de0e043e1bd3ae9d065491aa5 Mon Sep 17 00:00:00 2001
+From: Sasha Levin
+Date: Wed, 3 Dec 2014 19:22:48 -0500
+Subject: time: settimeofday: Validate the values of tv from user
+
+From: Sasha Levin
+
+commit 6ada1fc0e1c4775de0e043e1bd3ae9d065491aa5 upstream.
+
+An unvalidated user input is multiplied by a constant, which can result in
+an undefined behaviour for large values. While this is validated later,
+we should avoid triggering undefined behaviour.
+
+Cc: Thomas Gleixner
+Cc: Ingo Molnar
+Signed-off-by: Sasha Levin
+[jstultz: include trivial milisecond->microsecond correction noticed
+by Andy]
+Signed-off-by: John Stultz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ include/linux/time.h | 13 +++++++++++++
+ kernel/time.c | 4 ++++
+ 2 files changed, 17 insertions(+)
+
+--- a/include/linux/time.h
++++ b/include/linux/time.h
+@@ -173,6 +173,19 @@ extern void getboottime(struct timespec
+ extern void monotonic_to_bootbased(struct timespec *ts);
+ extern void get_monotonic_boottime(struct timespec *ts);
+
++static inline bool timeval_valid(const struct timeval *tv)
++{
++ /* Dates before 1970 are bogus */
++ if (tv->tv_sec < 0)
++ return false;
++
++ /* Can't have more microseconds then a second */
++ if (tv->tv_usec < 0 || tv->tv_usec >= USEC_PER_SEC)
++ return false;
++
++ return true;
++}
++
+ extern struct timespec timespec_trunc(struct timespec t, unsigned gran);
+ extern int timekeeping_valid_for_hres(void);
+ extern u64 timekeeping_max_deferment(void);
+--- a/kernel/time.c
++++ b/kernel/time.c
+@@ -195,6 +195,10 @@ SYSCALL_DEFINE2(settimeofday, struct tim
+ if (tv) {
+ if (copy_from_user(&user_tv, tv, sizeof(*tv)))
+ return -EFAULT;
++
++ if (!timeval_valid(&user_tv))
++ return -EINVAL;
++
+ new_ts.tv_sec = user_tv.tv_sec;
+ new_ts.tv_nsec = user_tv.tv_usec * NSEC_PER_USEC;
+ }
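Review bot: timeval_valid() is added to include/linux/time.h as a shared helper with no header comment stating its contract, and its inline comment has a typo ("then" for "than"). A short comment such as `/* Returns true if tv is a normalised, non-negative timeval; call before scaling tv_usec. */` and `/* Can't have more microseconds than a second */` would fix both. In kernel/time.c the guard is wired only into the native settimeofday path shown in the hunk; any other entry point that copies a timeval from user space and performs the same `tv_usec * NSEC_PER_USEC` scaling (none is visible here) would need the same call to keep the overflow closed. The SYSCALL_DEFINE2 body starts and ends outside the hunk.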