From: Greg Kroah-Hartman Date: Wed, 11 Mar 2015 15:33:59 +0000 (+0100) Subject: 3.10-stable patches X-Git-Tag: v3.10.72~31 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9bdf00d05eeac4c817709fc462034762932cd2ee;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: net-irda-fix-wait_until_sent-poll-timeout.patch tty-fix-tty_wait_until_sent-on-64-bit-machines.patch usb-ftdi_sio-add-jtag-quirk-support-for-cyber-cortex-av-boards.patch usb-serial-cp210x-adding-seletek-device-id-s.patch usb-serial-fix-infinite-wait_until_sent-timeout.patch usb-serial-fix-potential-use-after-free-after-failed-probe.patch usb-usbfs-don-t-leak-kernel-data-in-siginfo.patch xhci-allocate-correct-amount-of-scratchpad-buffers.patch xhci-fix-reporting-of-0-sized-urbs-in-control-endpoint.patch --- diff --git a/queue-3.10/net-irda-fix-wait_until_sent-poll-timeout.patch b/queue-3.10/net-irda-fix-wait_until_sent-poll-timeout.patch new file mode 100644 index 00000000000..9179abe600f --- /dev/null +++ b/queue-3.10/net-irda-fix-wait_until_sent-poll-timeout.patch @@ -0,0 +1,37 @@ +From 2c3fbe3cf28fbd7001545a92a83b4f8acfd9fa36 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Mar 2015 10:39:03 +0100 +Subject: net: irda: fix wait_until_sent poll timeout + +From: Johan Hovold + +commit 2c3fbe3cf28fbd7001545a92a83b4f8acfd9fa36 upstream. + +In case an infinite timeout (0) is requested, the irda wait_until_sent +implementation would use a zero poll timeout rather than the default +200ms. + +Note that wait_until_sent is currently never called with a 0-timeout +argument due to a bug in tty_wait_until_sent. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + net/irda/ircomm/ircomm_tty.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/net/irda/ircomm/ircomm_tty.c ++++ b/net/irda/ircomm/ircomm_tty.c +@@ -820,7 +820,9 @@ static void ircomm_tty_wait_until_sent(s + orig_jiffies = jiffies; + + /* Set poll time to 200 ms */ +- poll_time = IRDA_MIN(timeout, msecs_to_jiffies(200)); ++ poll_time = msecs_to_jiffies(200); ++ if (timeout) ++ poll_time = min_t(unsigned long, timeout, poll_time); + + spin_lock_irqsave(&self->spinlock, flags); + while (self->tx_skb && self->tx_skb->len) { diff --git a/queue-3.10/series b/queue-3.10/series index 3dcdbdf1efa..2f56b4162ee 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -27,3 +27,12 @@ btrfs-fix-data-loss-in-the-fast-fsync-path.patch btrfs-__add_inode_ref-out-of-bounds-memory-read-when-looking-for-extended-ref.patch kvm-emulate-fix-cmpxchg8b-on-32-bit-hosts.patch kvm-mips-fix-trace-event-to-save-pc-directly.patch +usb-serial-cp210x-adding-seletek-device-id-s.patch +usb-usbfs-don-t-leak-kernel-data-in-siginfo.patch +usb-ftdi_sio-add-jtag-quirk-support-for-cyber-cortex-av-boards.patch +xhci-allocate-correct-amount-of-scratchpad-buffers.patch +xhci-fix-reporting-of-0-sized-urbs-in-control-endpoint.patch +net-irda-fix-wait_until_sent-poll-timeout.patch +usb-serial-fix-infinite-wait_until_sent-timeout.patch +tty-fix-tty_wait_until_sent-on-64-bit-machines.patch +usb-serial-fix-potential-use-after-free-after-failed-probe.patch diff --git a/queue-3.10/tty-fix-tty_wait_until_sent-on-64-bit-machines.patch b/queue-3.10/tty-fix-tty_wait_until_sent-on-64-bit-machines.patch new file mode 100644 index 00000000000..c9b57feeb4f --- /dev/null +++ b/queue-3.10/tty-fix-tty_wait_until_sent-on-64-bit-machines.patch @@ -0,0 +1,63 @@ +From 79fbf4a550ed6a22e1ae1516113e6c7fa5d56a53 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Mar 2015 10:39:06 +0100 +Subject: TTY: fix tty_wait_until_sent on 64-bit machines + +From: Johan Hovold + +commit 79fbf4a550ed6a22e1ae1516113e6c7fa5d56a53 upstream. + +Fix overflow bug in tty_wait_until_sent on 64-bit machines, where an +infinite timeout (0) would be passed to the underlying tty-driver's +wait_until_sent-operation as a negative timeout (-1), causing it to +return immediately. + +This manifests itself for example as tcdrain() returning immediately, +drivers not honouring the drain flags when setting terminal attributes, +or even dropped data on close as a requested infinite closing-wait +timeout would be ignored. + +The first symptom was reported by Asier LLANO who noted that tcdrain() +returned prematurely when using the ftdi_sio usb-serial driver. + +Fix this by passing 0 rather than MAX_SCHEDULE_TIMEOUT (LONG_MAX) to the +underlying tty driver. + +Note that the serial-core wait_until_sent-implementation is not affected +by this bug due to a lucky chance (comparison to an unsigned maximum +timeout), and neither is the cyclades one that had an explicit check for +negative timeouts, but all other tty drivers appear to be affected. + +Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") +Reported-by: ZIV-Asier Llano Palacios +Signed-off-by: Johan Hovold +Reviewed-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/tty_ioctl.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +--- a/drivers/tty/tty_ioctl.c ++++ b/drivers/tty/tty_ioctl.c +@@ -217,11 +217,17 @@ void tty_wait_until_sent(struct tty_stru + #endif + if (!timeout) + timeout = MAX_SCHEDULE_TIMEOUT; ++ + if (wait_event_interruptible_timeout(tty->write_wait, +- !tty_chars_in_buffer(tty), timeout) >= 0) { +- if (tty->ops->wait_until_sent) +- tty->ops->wait_until_sent(tty, timeout); ++ !tty_chars_in_buffer(tty), timeout) < 0) { ++ return; + } ++ ++ if (timeout == MAX_SCHEDULE_TIMEOUT) ++ timeout = 0; ++ ++ if (tty->ops->wait_until_sent) ++ tty->ops->wait_until_sent(tty, timeout); + } + EXPORT_SYMBOL(tty_wait_until_sent); + diff --git a/queue-3.10/usb-ftdi_sio-add-jtag-quirk-support-for-cyber-cortex-av-boards.patch b/queue-3.10/usb-ftdi_sio-add-jtag-quirk-support-for-cyber-cortex-av-boards.patch new file mode 100644 index 00000000000..7a0f9650091 --- /dev/null +++ b/queue-3.10/usb-ftdi_sio-add-jtag-quirk-support-for-cyber-cortex-av-boards.patch @@ -0,0 +1,54 @@ +From c7d373c3f0da2b2b78c4b1ce5ae41485b3ef848c Mon Sep 17 00:00:00 2001 +From: Max Mansfield +Date: Mon, 2 Mar 2015 18:38:02 -0700 +Subject: usb: ftdi_sio: Add jtag quirk support for Cyber Cortex AV boards + +From: Max Mansfield + +commit c7d373c3f0da2b2b78c4b1ce5ae41485b3ef848c upstream. + +This patch integrates Cyber Cortex AV boards with the existing +ftdi_jtag_quirk in order to use serial port 0 with JTAG which is +required by the manufacturers' software. + +Steps: 2 + +[ftdi_sio_ids.h] +1. Defined the device PID + +[ftdi_sio.c] +2. Added a macro declaration to the ids array, in order to enable the +jtag quirk for the device. + +Signed-off-by: Max Mansfield +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 3 +++ + 2 files changed, 5 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -815,6 +815,8 @@ static struct usb_device_id id_table_com + { USB_DEVICE(FTDI_VID, FTDI_ELSTER_UNICOM_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_JTAGCABLEII_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_PROPOX_ISPCABLEIII_PID) }, ++ { USB_DEVICE(FTDI_VID, CYBER_CORTEX_AV_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(OLIMEX_VID, OLIMEX_ARM_USB_OCD_H_PID), +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -38,6 +38,9 @@ + + #define FTDI_LUMEL_PD12_PID 0x6002 + ++/* Cyber Cortex AV by Fabulous Silicon (http://fabuloussilicon.com) */ ++#define CYBER_CORTEX_AV_PID 0x8698 ++ + /* + * Marvell OpenRD Base, Client + * http://www.open-rd.org diff --git a/queue-3.10/usb-serial-cp210x-adding-seletek-device-id-s.patch b/queue-3.10/usb-serial-cp210x-adding-seletek-device-id-s.patch new file mode 100644 index 00000000000..70be7e713e7 --- /dev/null +++ b/queue-3.10/usb-serial-cp210x-adding-seletek-device-id-s.patch @@ -0,0 +1,32 @@ +From 675af70856d7cc026be8b6ea7a8b9db10b8b38a1 Mon Sep 17 00:00:00 2001 +From: Michiel vd Garde +Date: Fri, 27 Feb 2015 02:08:29 +0100 +Subject: USB: serial: cp210x: Adding Seletek device id's + +From: Michiel vd Garde + +commit 675af70856d7cc026be8b6ea7a8b9db10b8b38a1 upstream. + +These device ID's are not associated with the cp210x module currently, +but should be. This patch allows the devices to operate upon connecting +them to the usb bus as intended. + +Signed-off-by: Michiel van de Garde +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -147,6 +147,8 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x166A, 0x0305) }, /* Clipsal C-5000CT2 C-Bus Spectrum Colour Touchscreen */ + { USB_DEVICE(0x166A, 0x0401) }, /* Clipsal L51xx C-Bus Architectural Dimmer */ + { USB_DEVICE(0x166A, 0x0101) }, /* Clipsal 5560884 C-Bus Multi-room Audio Matrix Switcher */ ++ { USB_DEVICE(0x16C0, 0x09B0) }, /* Lunatico Seletek */ ++ { USB_DEVICE(0x16C0, 0x09B1) }, /* Lunatico Seletek */ + { USB_DEVICE(0x16D6, 0x0001) }, /* Jablotron serial interface */ + { USB_DEVICE(0x16DC, 0x0010) }, /* W-IE-NE-R Plein & Baus GmbH PL512 Power Supply */ + { USB_DEVICE(0x16DC, 0x0011) }, /* W-IE-NE-R Plein & Baus GmbH RCM Remote Control for MARATON Power Supply */ diff --git a/queue-3.10/usb-serial-fix-infinite-wait_until_sent-timeout.patch b/queue-3.10/usb-serial-fix-infinite-wait_until_sent-timeout.patch new file mode 100644 index 00000000000..12ae6cdaced --- /dev/null +++ b/queue-3.10/usb-serial-fix-infinite-wait_until_sent-timeout.patch @@ -0,0 +1,44 @@ +From f528bf4f57e43d1af4b2a5c97f09e43e0338c105 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 4 Mar 2015 10:39:05 +0100 +Subject: USB: serial: fix infinite wait_until_sent timeout + +From: Johan Hovold + +commit f528bf4f57e43d1af4b2a5c97f09e43e0338c105 upstream. + +Make sure to handle an infinite timeout (0). + +Note that wait_until_sent is currently never called with a 0-timeout +argument due to a bug in tty_wait_until_sent. + +Fixes: dcf010503966 ("USB: serial: add generic wait_until_sent +implementation") +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/generic.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -261,7 +261,8 @@ void usb_serial_generic_wait_until_sent( + * character or at least one jiffy. + */ + period = max_t(unsigned long, (10 * HZ / bps), 1); +- period = min_t(unsigned long, period, timeout); ++ if (timeout) ++ period = min_t(unsigned long, period, timeout); + + dev_dbg(&port->dev, "%s - timeout = %u ms, period = %u ms\n", + __func__, jiffies_to_msecs(timeout), +@@ -271,7 +272,7 @@ void usb_serial_generic_wait_until_sent( + schedule_timeout_interruptible(period); + if (signal_pending(current)) + break; +- if (time_after(jiffies, expire)) ++ if (timeout && time_after(jiffies, expire)) + break; + } + } diff --git a/queue-3.10/usb-serial-fix-potential-use-after-free-after-failed-probe.patch b/queue-3.10/usb-serial-fix-potential-use-after-free-after-failed-probe.patch new file mode 100644 index 00000000000..b3fa4e9b846 --- /dev/null +++ b/queue-3.10/usb-serial-fix-potential-use-after-free-after-failed-probe.patch @@ -0,0 +1,34 @@ +From 07fdfc5e9f1c966be8722e8fa927e5ea140df5ce Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 18 Feb 2015 10:34:50 +0700 +Subject: USB: serial: fix potential use-after-free after failed probe + +From: Johan Hovold + +commit 07fdfc5e9f1c966be8722e8fa927e5ea140df5ce upstream. + +Fix return value in probe error path, which could end up returning +success (0) on errors. This could in turn lead to use-after-free or +double free (e.g. in port_remove) when the port device is removed. + +Fixes: c706ebdfc895 ("USB: usb-serial: call port_probe and port_remove +at the right times") +Signed-off-by: Johan Hovold +Acked-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/bus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/bus.c ++++ b/drivers/usb/serial/bus.c +@@ -76,7 +76,7 @@ static int usb_serial_device_probe(struc + retval = device_create_file(dev, &dev_attr_port_number); + if (retval) { + if (driver->port_remove) +- retval = driver->port_remove(port); ++ driver->port_remove(port); + goto exit_with_autopm; + } + diff --git a/queue-3.10/usb-usbfs-don-t-leak-kernel-data-in-siginfo.patch b/queue-3.10/usb-usbfs-don-t-leak-kernel-data-in-siginfo.patch new file mode 100644 index 00000000000..d839cc50bb4 --- /dev/null +++ b/queue-3.10/usb-usbfs-don-t-leak-kernel-data-in-siginfo.patch @@ -0,0 +1,41 @@ +From f0c2b68198589249afd2b1f2c4e8de8c03e19c16 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 13 Feb 2015 10:54:53 -0500 +Subject: USB: usbfs: don't leak kernel data in siginfo + +From: Alan Stern + +commit f0c2b68198589249afd2b1f2c4e8de8c03e19c16 upstream. + +When a signal is delivered, the information in the siginfo structure +is copied to userspace. Good security practice dicatates that the +unused fields in this structure should be initialized to 0 so that +random kernel stack data isn't exposed to the user. This patch adds +such an initialization to the two places where usbfs raises signals. + +Signed-off-by: Alan Stern +Reported-by: Dave Mielke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devio.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -501,6 +501,7 @@ static void async_completed(struct urb * + as->status = urb->status; + signr = as->signr; + if (signr) { ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.si_signo = as->signr; + sinfo.si_errno = as->status; + sinfo.si_code = SI_ASYNCIO; +@@ -2228,6 +2229,7 @@ static void usbdev_remove(struct usb_dev + wake_up_all(&ps->wait); + list_del_init(&ps->list); + if (ps->discsignr) { ++ memset(&sinfo, 0, sizeof(sinfo)); + sinfo.si_signo = ps->discsignr; + sinfo.si_errno = EPIPE; + sinfo.si_code = SI_ASYNCIO; diff --git a/queue-3.10/xhci-allocate-correct-amount-of-scratchpad-buffers.patch b/queue-3.10/xhci-allocate-correct-amount-of-scratchpad-buffers.patch new file mode 100644 index 00000000000..dff34107292 --- /dev/null +++ b/queue-3.10/xhci-allocate-correct-amount-of-scratchpad-buffers.patch @@ -0,0 +1,42 @@ +From 6596a926b0b6c80b730a1dd2fa91908e0a539c37 Mon Sep 17 00:00:00 2001 +From: Mathias Nyman +Date: Tue, 24 Feb 2015 18:27:01 +0200 +Subject: xhci: Allocate correct amount of scratchpad buffers + +From: Mathias Nyman + +commit 6596a926b0b6c80b730a1dd2fa91908e0a539c37 upstream. + +Include the high order bit fields for Max scratchpad buffers when +calculating how many scratchpad buffers are needed. + +I'm suprised this hasn't caused more issues, we never allocated more than +32 buffers even if xhci needed more. Either we got lucky and xhci never +really used past that area, or then we got enough zeroed dma memory anyway. + +Should be backported as far back as possible + +Reported-by: Tim Chen +Tested-by: Tim Chen +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.h | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -88,9 +88,10 @@ struct xhci_cap_regs { + #define HCS_IST(p) (((p) >> 0) & 0xf) + /* bits 4:7, max number of Event Ring segments */ + #define HCS_ERST_MAX(p) (((p) >> 4) & 0xf) ++/* bits 21:25 Hi 5 bits of Scratchpad buffers SW must allocate for the HW */ + /* bit 26 Scratchpad restore - for save/restore HW state - not used yet */ +-/* bits 27:31 number of Scratchpad buffers SW must allocate for the HW */ +-#define HCS_MAX_SCRATCHPAD(p) (((p) >> 27) & 0x1f) ++/* bits 27:31 Lo 5 bits of Scratchpad buffers SW must allocate for the HW */ ++#define HCS_MAX_SCRATCHPAD(p) ((((p) >> 16) & 0x3e0) | (((p) >> 27) & 0x1f)) + + /* HCSPARAMS3 - hcs_params3 - bitmasks */ + /* bits 0:7, Max U1 to U0 latency for the roothub ports */ diff --git a/queue-3.10/xhci-fix-reporting-of-0-sized-urbs-in-control-endpoint.patch b/queue-3.10/xhci-fix-reporting-of-0-sized-urbs-in-control-endpoint.patch new file mode 100644 index 00000000000..7f5d8d339a0 --- /dev/null +++ b/queue-3.10/xhci-fix-reporting-of-0-sized-urbs-in-control-endpoint.patch @@ -0,0 +1,79 @@ +From 45ba2154d12fc43b70312198ec47085f10be801a Mon Sep 17 00:00:00 2001 +From: Aleksander Morgado +Date: Fri, 6 Mar 2015 17:14:21 +0200 +Subject: xhci: fix reporting of 0-sized URBs in control endpoint + +From: Aleksander Morgado + +commit 45ba2154d12fc43b70312198ec47085f10be801a upstream. + +When a control transfer has a short data stage, the xHCI controller generates +two transfer events: a COMP_SHORT_TX event that specifies the untransferred +amount, and a COMP_SUCCESS event. But when the data stage is not short, only the +COMP_SUCCESS event occurs. Therefore, xhci-hcd must set urb->actual_length to +urb->transfer_buffer_length while processing the COMP_SUCCESS event, unless +urb->actual_length was set already by a previous COMP_SHORT_TX event. + +The driver checks this by seeing whether urb->actual_length == 0, but this alone +is the wrong test, as it is entirely possible for a short transfer to have an +urb->actual_length = 0. + +This patch changes the xhci driver to rely on a new td->urb_length_set flag, +which is set to true when a COMP_SHORT_TX event is received and the URB length +updated at that stage. + +This fixes a bug which affected the HSO plugin, which relies on URBs with +urb->actual_length == 0 to halt re-submitting the RX URB in the control +endpoint. + +Signed-off-by: Aleksander Morgado +Signed-off-by: Mathias Nyman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 10 ++++++++-- + drivers/usb/host/xhci.h | 3 +++ + 2 files changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -2064,7 +2064,7 @@ static int process_ctrl_td(struct xhci_h + if (event_trb != ep_ring->dequeue) { + /* The event was for the status stage */ + if (event_trb == td->last_trb) { +- if (td->urb->actual_length != 0) { ++ if (td->urb_length_set) { + /* Don't overwrite a previously set error code + */ + if ((*status == -EINPROGRESS || *status == 0) && +@@ -2078,7 +2078,13 @@ static int process_ctrl_td(struct xhci_h + td->urb->transfer_buffer_length; + } + } else { +- /* Maybe the event was for the data stage? */ ++ /* ++ * Maybe the event was for the data stage? If so, update ++ * already the actual_length of the URB and flag it as ++ * set, so that it is not overwritten in the event for ++ * the last TRB. ++ */ ++ td->urb_length_set = true; + td->urb->actual_length = + td->urb->transfer_buffer_length - + EVENT_TRB_LEN(le32_to_cpu(event->transfer_len)); +--- a/drivers/usb/host/xhci.h ++++ b/drivers/usb/host/xhci.h +@@ -1,3 +1,4 @@ ++ + /* + * xHCI host controller driver + * +@@ -1259,6 +1260,8 @@ struct xhci_td { + struct xhci_segment *start_seg; + union xhci_trb *first_trb; + union xhci_trb *last_trb; ++ /* actual_length of the URB has already been set */ ++ bool urb_length_set; + }; + + /* xHCI command default timeout value */