From: Greg Kroah-Hartman Date: Mon, 11 Mar 2013 19:38:10 +0000 (-0700) Subject: 3.8-stable patches X-Git-Tag: v3.8.3~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7c11340b14a0bda5ddfe0731ed2a6607565a3274;p=thirdparty%2Fkernel%2Fstable-queue.git 3.8-stable patches added patches: alsa-ice1712-initialize-card-private_data-properly.patch alsa-vmaster-fix-slave-change-notification.patch dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch ipc-don-t-allocate-a-copy-larger-than-max.patch ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch proc-use-nd_jump_link-in-proc_ns_follow_link.patch random-fix-locking-dependency-with-the-tasklist_lock.patch tile-work-around-bug-in-the-generic-sys_llseek.patch vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
---
diff --git a/queue-3.8/alsa-ice1712-initialize-card-private_data-properly.patch b/queue-3.8/alsa-ice1712-initialize-card-private_data-properly.patch
new file mode 100644
index 00000000000..302db4aa239
--- /dev/null
+++ b/queue-3.8/alsa-ice1712-initialize-card-private_data-properly.patch
@@ -0,0 +1,31 @@
+From 69a4cfdd444d1fe5c24d29b3a063964ac165d2cd Mon Sep 17 00:00:00 2001
+From: Sean Connor
+Date: Thu, 28 Feb 2013 09:20:00 -0500
+Subject: ALSA: ice1712: Initialize card->private_data properly
+
+From: Sean Connor
+
+commit 69a4cfdd444d1fe5c24d29b3a063964ac165d2cd upstream.
+
+Set card->private_data in snd_ice1712_create for fixing NULL
+dereference in snd_ice1712_remove().
+
+Signed-off-by: Sean Connor
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/ice1712/ice1712.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/sound/pci/ice1712/ice1712.c
++++ b/sound/pci/ice1712/ice1712.c
+@@ -2594,6 +2594,8 @@ static int snd_ice1712_create(struct snd
+ snd_ice1712_proc_init(ice);
+ synchronize_irq(pci->irq);
+
++ card->private_data = ice;
++
+ err = pci_request_regions(pci, "ICE1712");
+ if (err < 0) {
+ kfree(ice);
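Review bot: In the snd_ice1712_create() hunk of alsa-ice1712-initialize-card-private_data-properly.patch, `card->private_data = ice;` is set immediately before a failure branch that runs `kfree(ice);`, so a failed pci_request_regions() leaves card->private_data pointing at freed memory. Whether anything reads the pointer after that failure is outside the hunk, but clearing it in that branch with `card->private_data = NULL;` before the `kfree(ice);`, or assigning it only after the last point that frees ice, would rule out a use-after-free. The function body continues past the end of the hunk, so any later error paths should be checked for the same pattern.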
diff --git a/queue-3.8/alsa-vmaster-fix-slave-change-notification.patch b/queue-3.8/alsa-vmaster-fix-slave-change-notification.patch
new file mode 100644
index 00000000000..c07516619ec
--- /dev/null
+++ b/queue-3.8/alsa-vmaster-fix-slave-change-notification.patch
@@ -0,0 +1,40 @@
+From 2069d483b39a603a5f3428a19d3b4ac89aa97f48 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Tue, 5 Mar 2013 15:43:39 +0100
+Subject: ALSA: vmaster: Fix slave change notification
+
+From: Takashi Iwai
+
+commit 2069d483b39a603a5f3428a19d3b4ac89aa97f48 upstream.
+
+When a value of a vmaster slave control is changed, the ctl change
+notification is sometimes ignored. This happens when the master
+control overrides, e.g. when the corresponding master control is
+muted. The reason is that slave_put() returns the value of the actual
+slave put callback, and it doesn't reflect the virtual slave value
+change.
+
+This patch fixes the function just to return 1 whenever a slave value
+is changed.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/core/vmaster.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/sound/core/vmaster.c
++++ b/sound/core/vmaster.c
+@@ -213,7 +213,10 @@ static int slave_put(struct snd_kcontrol
+ }
+ if (!changed)
+ return 0;
+- return slave_put_val(slave, ucontrol);
++ err = slave_put_val(slave, ucontrol);
++ if (err < 0)
++ return err;
++ return 1;
+ }
+
+ static int slave_tlv_cmd(struct snd_kcontrol *kcontrol,
diff --git a/queue-3.8/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch b/queue-3.8/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
new file mode 100644
index 00000000000..1ef4c6be883
--- /dev/null
+++ b/queue-3.8/dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
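Review bot: The new tail of slave_put() in sound/core/vmaster.c ends in a bare `return 1;` with nothing in the code to say why the non-negative result of slave_put_val() is discarded. A one-line comment above it, such as `/* report the virtual slave value change; the real put callback may return 0 while the master overrides */`, would keep a later cleanup from collapsing this back to `return slave_put_val(slave, ucontrol);`. The declaration of `err` and the start of the function are outside the hunk.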
@@ -0,0 +1,53 @@
+From a40e7cf8f06b4e322ba902e4e9f6a6b0c2daa907 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings
+Date: Fri, 8 Mar 2013 12:43:32 -0800
+Subject: dmi_scan: fix missing check for _DMI_ signature in smbios_present()
+
+From: Ben Hutchings
+
+commit a40e7cf8f06b4e322ba902e4e9f6a6b0c2daa907 upstream.
+
+Commit 9f9c9cbb6057 ("drivers/firmware/dmi_scan.c: fetch dmi version
+from SMBIOS if it exists") hoisted the check for "_DMI_" into
+dmi_scan_machine(), which means that we don't bother to check for
+"_DMI_" at offset 16 in an SMBIOS entry. smbios_present() may also call
+dmi_present() for an address where we found "_SM_", if it failed further
+validation.
+
+Check for "_DMI_" in smbios_present() before calling dmi_present().
+
+[akpm@linux-foundation.org: fix build]
+Signed-off-by: Ben Hutchings
+Reported-by: Tim McGrath
+Tested-by: Tim Mcgrath
+Cc: Zhenzhong Duan
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/dmi_scan.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/drivers/firmware/dmi_scan.c
++++ b/drivers/firmware/dmi_scan.c
+@@ -442,7 +442,6 @@ static int __init dmi_present(const char
+ static int __init smbios_present(const char __iomem *p)
+ {
+ u8 buf[32];
+- int offset = 0;
+
+ memcpy_fromio(buf, p, 32);
+ if ((buf[5] < 32) && dmi_checksum(buf, buf[5])) {
+@@ -461,9 +460,9 @@ static int __init smbios_present(const c
+ dmi_ver = 0x0206;
+ break;
+ }
+- offset = 16;
++ return memcmp(p + 16, "_DMI_", 5) || dmi_present(p + 16);
+ }
+- return dmi_present(buf + offset);
++ return 1;
+ }
+
+ void __init dmi_scan_machine(void)
diff --git a/queue-3.8/ipc-don-t-allocate-a-copy-larger-than-max.patch b/queue-3.8/ipc-don-t-allocate-a-copy-larger-than-max.patch
new file mode 100644
index 00000000000..e06a142ade1
--- /dev/null
+++ b/queue-3.8/ipc-don-t-allocate-a-copy-larger-than-max.patch
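Review bot: In smbios_present() in drivers/firmware/dmi_scan.c, the added `memcmp(p + 16, "_DMI_", 5)` reads through `p`, which the signature declares as `const char __iomem *`, using a plain memory function, even though the preceding `memcpy_fromio(buf, p, 32);` has already copied those bytes into `buf`. Comparing the local copy instead, `return memcmp(buf + 16, "_DMI_", 5) || dmi_present(p + 16);`, keeps every access to the mapped region behind the I/O accessors and checks the same snapshot that dmi_checksum() validated. The second hunk starts inside the function, so the code that selects dmi_ver is only partly visible here.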
@@ -0,0 +1,45 @@
+From 88b9e456b1649722673ffa147914299799dc9041 Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Fri, 8 Mar 2013 12:43:27 -0800
+Subject: ipc: don't allocate a copy larger than max
+
+From: Peter Hurley
+
+commit 88b9e456b1649722673ffa147914299799dc9041 upstream.
+
+When MSG_COPY is set, a duplicate message must be allocated for the copy
+before locking the queue. However, the copy could not be larger than was
+sent which is limited to msg_ctlmax.
+
+Signed-off-by: Peter Hurley
+Acked-by: Stanislav Kinsbursky
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/msg.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/ipc/msg.c
++++ b/ipc/msg.c
+@@ -820,15 +820,17 @@ long do_msgrcv(int msqid, void __user *b
+ struct msg_msg *copy = NULL;
+ unsigned long copy_number = 0;
+
++ ns = current->nsproxy->ipc_ns;
++
+ if (msqid < 0 || (long) bufsz < 0)
+ return -EINVAL;
+ if (msgflg & MSG_COPY) {
+- copy = prepare_copy(buf, bufsz, msgflg, &msgtyp, ©_number);
++ copy = prepare_copy(buf, min_t(size_t, bufsz, ns->msg_ctlmax),
++ msgflg, &msgtyp, ©_number);
+ if (IS_ERR(copy))
+ return PTR_ERR(copy);
+ }
+ mode = convert_mode(&msgtyp, msgflg);
+- ns = current->nsproxy->ipc_ns;
+
+ msq = msg_lock_check(ns, msqid);
+ if (IS_ERR(msq)) {
diff --git a/queue-3.8/ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch b/queue-3.8/ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch
new file mode 100644
index 00000000000..ec28ec32a9a
--- /dev/null
+++ b/queue-3.8/ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch
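Review bot: In do_msgrcv() in ipc/msg.c, `min_t(size_t, bufsz, ns->msg_ctlmax)` casts both operands to size_t, and the type of msg_ctlmax is not visible in this hunk; if it is a signed int, a negative value would convert to a very large size and the clamp on the caller-supplied bufsz would silently do nothing. It is worth confirming that the limit can never be negative, and adding a comment above the call such as `/* bufsz comes from userspace; no queued message exceeds msg_ctlmax, so never allocate more */`. The function starts before and continues after the hunk.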
@@ -0,0 +1,35 @@
+From e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 Mon Sep 17 00:00:00 2001
+From: Peter Hurley
+Date: Fri, 8 Mar 2013 12:43:26 -0800
+Subject: ipc: fix potential oops when src msg > 4k w/ MSG_COPY
+
+From: Peter Hurley
+
+commit e1082f45f1e2bbf6e25f6b614fc6616ebf709d19 upstream.
+
+If the src msg is > 4k, then dest->next points to the
+next allocated segment; resetting it just prior to dereferencing
+is bad.
+
+Signed-off-by: Peter Hurley
+Acked-by: Stanislav Kinsbursky
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/msgutil.c | 3 ---
+ 1 file changed, 3 deletions(-)
+
+--- a/ipc/msgutil.c
++++ b/ipc/msgutil.c
+@@ -117,9 +117,6 @@ struct msg_msg *copy_msg(struct msg_msg
+ if (alen > DATALEN_MSG)
+ alen = DATALEN_MSG;
+
+- dst->next = NULL;
+- dst->security = NULL;
+-
+ memcpy(dst + 1, src + 1, alen);
+
+ len -= alen;
diff --git a/queue-3.8/proc-use-nd_jump_link-in-proc_ns_follow_link.patch b/queue-3.8/proc-use-nd_jump_link-in-proc_ns_follow_link.patch
new file mode 100644
index 00000000000..6ecc0166e42
--- /dev/null
+++ b/queue-3.8/proc-use-nd_jump_link-in-proc_ns_follow_link.patch
@@ -0,0 +1,58 @@
+From db04dc679bcc780ad6907943afe24a30de974a1b Mon Sep 17 00:00:00 2001
+From: "Eric W. Biederman"
+Date: Sat, 9 Mar 2013 00:14:45 -0800
+Subject: proc: Use nd_jump_link in proc_ns_follow_link
+
+From: "Eric W. Biederman"
+
+commit db04dc679bcc780ad6907943afe24a30de974a1b upstream.
+
+Update proc_ns_follow_link to use nd_jump_link instead of just
+manually updating nd.path.dentry.
+
+This fixes the BUG_ON(nd->inode != parent->d_inode) reported by Dave
+Jones and reproduced trivially with mkdir /proc/self/ns/uts/a.
+
+Sigh it looks like the VFS change to require use of nd_jump_link
+happend while proc_ns_follow_link was baking and since the common case
+of proc_ns_follow_link continued to work without problems the need for
+making this change was overlooked.
+
+Signed-off-by: "Eric W. Biederman"
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/namespaces.c | 12 ++++++------
+ 1 file changed, 6 insertions(+), 6 deletions(-)
+
+--- a/fs/proc/namespaces.c
++++ b/fs/proc/namespaces.c
+@@ -118,7 +118,7 @@ static void *proc_ns_follow_link(struct
+ struct super_block *sb = inode->i_sb;
+ struct proc_inode *ei = PROC_I(inode);
+ struct task_struct *task;
+- struct dentry *ns_dentry;
++ struct path ns_path;
+ void *error = ERR_PTR(-EACCES);
+
+ task = get_proc_task(inode);
+@@ -128,14 +128,14 @@ static void *proc_ns_follow_link(struct
+ if (!ptrace_may_access(task, PTRACE_MODE_READ))
+ goto out_put_task;
+
+- ns_dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
+- if (IS_ERR(ns_dentry)) {
+- error = ERR_CAST(ns_dentry);
++ ns_path.dentry = proc_ns_get_dentry(sb, task, ei->ns_ops);
++ if (IS_ERR(ns_path.dentry)) {
++ error = ERR_CAST(ns_path.dentry);
+ goto out_put_task;
+ }
+
+- dput(nd->path.dentry);
+- nd->path.dentry = ns_dentry;
++ ns_path.mnt = mntget(nd->path.mnt);
++ nd_jump_link(nd, &ns_path);
+ error = NULL;
+
+ out_put_task:
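Review bot: In proc_ns_follow_link() in fs/proc/namespaces.c, the hand-over of the references held in the on-stack `ns_path` is undocumented: the dentry from proc_ns_get_dentry() and the mount reference from `mntget(nd->path.mnt)` are passed to `nd_jump_link(nd, &ns_path)` and not released in the lines shown. A short comment above the call, for example `/* nd_jump_link() takes over the dentry and mnt references in ns_path */`, would tell the next reader why no dput() or mntput() follows. The function starts before and ends after the hunk, so the cleanup under out_put_task is not visible here.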
diff --git a/queue-3.8/random-fix-locking-dependency-with-the-tasklist_lock.patch b/queue-3.8/random-fix-locking-dependency-with-the-tasklist_lock.patch
new file mode 100644
index 00000000000..21059d8e775
--- /dev/null
+++ b/queue-3.8/random-fix-locking-dependency-with-the-tasklist_lock.patch
@@ -0,0 +1,60 @@
+From b980955236922ae6106774511c5c05003d3ad225 Mon Sep 17 00:00:00 2001
+From: Theodore Ts'o
+Date: Mon, 4 Mar 2013 11:59:12 -0500
+Subject: random: fix locking dependency with the tasklist_lock
+
+From: Theodore Ts'o
+
+commit b980955236922ae6106774511c5c05003d3ad225 upstream.
+
+Commit 6133705494bb introduced a circular lock dependency because
+posix_cpu_timers_exit() is called by release_task(), which is holding
+a writer lock on tasklist_lock, and this can cause a deadlock since
+kill_fasync() gets called with nonblocking_pool.lock taken.
+
+There's no reason why kill_fasync() needs to be taken while the random
+pool is locked, so move it out to fix this locking dependency.
+
+Signed-off-by: "Theodore Ts'o"
+Reported-by: Russ Dill
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/random.c | 12 ++++++++----
+ 1 file changed, 8 insertions(+), 4 deletions(-)
+
+--- a/drivers/char/random.c
++++ b/drivers/char/random.c
+@@ -852,6 +852,7 @@ static size_t account(struct entropy_sto
+ int reserved)
+ {
+ unsigned long flags;
++ int wakeup_write = 0;
+
+ /* Hold lock while accounting */
+ spin_lock_irqsave(&r->lock, flags);
+@@ -873,10 +874,8 @@ static size_t account(struct entropy_sto
+ else
+ r->entropy_count = reserved;
+
+- if (r->entropy_count < random_write_wakeup_thresh) {
+- wake_up_interruptible(&random_write_wait);
+- kill_fasync(&fasync, SIGIO, POLL_OUT);
+- }
++ if (r->entropy_count < random_write_wakeup_thresh)
++ wakeup_write = 1;
+ }
+
+ DEBUG_ENT("debiting %zu entropy credits from %s%s\n",
+@@ -884,6 +883,11 @@ static size_t account(struct entropy_sto
+
+ spin_unlock_irqrestore(&r->lock, flags);
+
++ if (wakeup_write) {
++ wake_up_interruptible(&random_write_wait);
++ kill_fasync(&fasync, SIGIO, POLL_OUT);
++ }
++
+ return nbytes;
+ }
+
diff --git a/queue-3.8/series b/queue-3.8/series
index a804fa44a10..ed7042d9207 100644
--- a/queue-3.8/series
+++ b/queue-3.8/series
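Review bot: In account() in drivers/char/random.c, the deferred `if (wakeup_write) { ... }` block after `spin_unlock_irqrestore(&r->lock, flags);` carries no comment saying that it must stay outside the lock. Adding `/* must run without r->lock held: kill_fasync() under the pool lock created a lock-order deadlock with tasklist_lock */` above it would protect the fix from a later tidy-up that folds the wakeup back into the locked section. As a matter of style, `wakeup_write` is used purely as a flag and could be declared `bool`. The start of account() lies outside the first hunk.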
@@ -54,3 +54,12 @@ drm-i915-fix-haswell-crw-pci-ids.patch
 drm-i915-reorder-setup-sequence-to-have-irqs-for-output-setup.patch
 drm-i915-enable-irqs-earlier-when-resuming.patch
 drm-i915-turn-off-hsync-and-vsync-on-adpa-when-disabling-crt.patch
+ipc-fix-potential-oops-when-src-msg-4k-w-msg_copy.patch
+ipc-don-t-allocate-a-copy-larger-than-max.patch
+dmi_scan-fix-missing-check-for-_dmi_-signature-in-smbios_present.patch
+alsa-ice1712-initialize-card-private_data-properly.patch
+alsa-vmaster-fix-slave-change-notification.patch
+vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
+proc-use-nd_jump_link-in-proc_ns_follow_link.patch
+tile-work-around-bug-in-the-generic-sys_llseek.patch
+random-fix-locking-dependency-with-the-tasklist_lock.patch
diff --git a/queue-3.8/tile-work-around-bug-in-the-generic-sys_llseek.patch b/queue-3.8/tile-work-around-bug-in-the-generic-sys_llseek.patch
new file mode 100644
index 00000000000..4f85fee269d
--- /dev/null
+++ b/queue-3.8/tile-work-around-bug-in-the-generic-sys_llseek.patch
@@ -0,0 +1,67 @@
+From 5a114b98661e3aaa0ac085eb931584dce3b0ef9b Mon Sep 17 00:00:00 2001
+From: Chris Metcalf
+Date: Mon, 4 Mar 2013 11:19:09 -0500
+Subject: tile: work around bug in the generic sys_llseek
+
+From: Chris Metcalf
+
+commit 5a114b98661e3aaa0ac085eb931584dce3b0ef9b upstream.
+
+sys_llseek should specify the high and low 32-bit seek values as "unsigned
+int" but instead it specifies "unsigned long". Since compat syscall
+arguments are always sign-extended on tile, this means that a seek value
+of 0xffffffff will be incorrectly interpreted as a value of -1ULL.
+
+To avoid the risk of breaking binary compatibility on architectures
+that already use sys_llseek this way, we follow the same path as MIPS
+and provide a wrapper override.
+
+Signed-off-by: Chris Metcalf
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/tile/include/asm/compat.h | 3 +++
+ arch/tile/kernel/compat.c | 13 +++++++++++++
+ 2 files changed, 16 insertions(+)
+
+--- a/arch/tile/include/asm/compat.h
++++ b/arch/tile/include/asm/compat.h
+@@ -296,6 +296,9 @@ long compat_sys_sync_file_range2(int fd,
+ long compat_sys_fallocate(int fd, int mode,
+ u32 offset_lo, u32 offset_hi,
+ u32 len_lo, u32 len_hi);
++long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
++ unsigned int offset_low, loff_t __user * result,
++ unsigned int origin);
+
+ /* Assembly trampoline to avoid clobbering r0. */
+ long _compat_sys_rt_sigreturn(void);
+--- a/arch/tile/kernel/compat.c
++++ b/arch/tile/kernel/compat.c
+@@ -76,6 +76,18 @@ long compat_sys_fallocate(int fd, int mo
+ ((loff_t)len_hi << 32) | len_lo);
+ }
+
++/*
++ * Avoid bug in generic sys_llseek() that specifies offset_high and
++ * offset_low as "unsigned long", thus making it possible to pass
++ * a sign-extended high 32 bits in offset_low.
++ */
++long compat_sys_llseek(unsigned int fd, unsigned int offset_high,
++ unsigned int offset_low, loff_t __user * result,
++ unsigned int origin)
++{
++ return sys_llseek(fd, offset_high, offset_low, result, origin);
++}
++
+ /* Provide the compat syscall number to call mapping. */
+ #undef __SYSCALL
+ #define __SYSCALL(nr, call) [nr] = (call),
+@@ -83,6 +95,7 @@ long compat_sys_fallocate(int fd, int mo
+ /* See comments in sys.c */
+ #define compat_sys_fadvise64_64 sys32_fadvise64_64
+ #define compat_sys_readahead sys32_readahead
++#define sys_llseek compat_sys_llseek
+
+ /* Call the assembly trampolines where necessary. */
+ #define compat_sys_rt_sigreturn _compat_sys_rt_sigreturn
diff --git a/queue-3.8/vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch b/queue-3.8/vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
new file mode 100644
index 00000000000..7bcd1e0e511
--- /dev/null
+++ b/queue-3.8/vfs-don-t-bug_on-if-following-a-proc-fd-pseudo-symlink.patch
@@ -0,0 +1,33 @@
+From 7b54c165a0c012edbaeaa73c5c87cb73721eb580 Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Fri, 8 Mar 2013 09:03:07 -0800
+Subject: vfs: don't BUG_ON() if following a /proc fd pseudo-symlink
+ results in a symlink
+
+From: Linus Torvalds
+
+commit 7b54c165a0c012edbaeaa73c5c87cb73721eb580 upstream.
+
+It's "normal" - it can happen if the file descriptor you followed was
+opened with O_NOFOLLOW.
+
+Reported-by: Dave Jones
+Cc: Al Viro
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/namei.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/fs/namei.c
++++ b/fs/namei.c
+@@ -693,8 +693,6 @@ void nd_jump_link(struct nameidata *nd,
+ nd->path = *path;
+ nd->inode = nd->path.dentry->d_inode;
+ nd->flags |= LOOKUP_JUMPED;
+-
+- BUG_ON(nd->inode->i_op->follow_link);
+ }
+
+ static inline void put_link(struct nameidata *nd, struct path *link, void *cookie)
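Review bot: In arch/tile/kernel/compat.c (tile-work-around-bug-in-the-generic-sys_llseek.patch), `#define sys_llseek compat_sys_llseek` only works because it appears after the definition of compat_sys_llseek(); if the macro were ever moved above the wrapper, the wrapper's own `return sys_llseek(...)` would be rewritten into a call to itself. A comment next to the define, such as `/* keep below compat_sys_llseek(): the wrapper must call the real sys_llseek */`, would record that ordering constraint. As a minor style point, the usual kernel spelling of the parameter is `loff_t __user *result` rather than `loff_t __user * result`, in both the prototype and the definition.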