From: Greg Kroah-Hartman Date: Thu, 4 Oct 2012 18:13:02 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.45~6 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9c9f0fcc819c89ec68ee9ce5096a0b2969928ad6;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch ib-srp-avoid-having-aborted-requests-hang.patch ib-srp-fix-use-after-free-in-srp_reset_req.patch ipoib-fix-use-after-free-of-multicast-object.patch isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch remoteproc-fix-a-potential-null-dereference-on-cleanup.patch remoteproc-select-virtio-to-avoid-build-breakage.patch scsi-hpsa-use-lun-reset-instead-of-target-reset.patch scsi-ibmvscsi-fix-host-config-length-field-overflow.patch ubi-fix-autoresize-handling-in-r-o-mode.patch x86-alternatives-fix-p6-nops-on-non-modular-kernels.patch yama-handle-32-bit-userspace-prctl.patch --- diff --git a/queue-3.4/can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch b/queue-3.4/can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch new file mode 100644 index 00000000000..811a1653e65 --- /dev/null +++ b/queue-3.4/can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch @@ -0,0 +1,45 @@ +From f61bd0585dfc7d99db4936d7467de4ca8e2f7ea0 Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Fri, 21 Sep 2012 15:09:47 +0800 +Subject: can: mscan-mpc5xxx: fix return value check in mpc512x_can_get_clock() + +From: Wei Yongjun + +commit f61bd0585dfc7d99db4936d7467de4ca8e2f7ea0 upstream. + +In case of error, the function clk_get() returns ERR_PTR() +and never returns NULL pointer. The NULL test in the error +handling should be replaced with IS_ERR(). + +dpatch engine is used to auto generated this patch. +(https://github.com/weiyj/dpatch) + +Signed-off-by: Wei Yongjun +Acked-by: Wolfgang Grandegger +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/can/mscan/mpc5xxx_can.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/can/mscan/mpc5xxx_can.c ++++ b/drivers/net/can/mscan/mpc5xxx_can.c +@@ -181,7 +181,7 @@ static u32 __devinit mpc512x_can_get_clo + + if (!clock_name || !strcmp(clock_name, "sys")) { + sys_clk = clk_get(&ofdev->dev, "sys_clk"); +- if (!sys_clk) { ++ if (IS_ERR(sys_clk)) { + dev_err(&ofdev->dev, "couldn't get sys_clk\n"); + goto exit_unmap; + } +@@ -204,7 +204,7 @@ static u32 __devinit mpc512x_can_get_clo + + if (clocksrc < 0) { + ref_clk = clk_get(&ofdev->dev, "ref_clk"); +- if (!ref_clk) { ++ if (IS_ERR(ref_clk)) { + dev_err(&ofdev->dev, "couldn't get ref_clk\n"); + goto exit_unmap; + } diff --git a/queue-3.4/ib-srp-avoid-having-aborted-requests-hang.patch b/queue-3.4/ib-srp-avoid-having-aborted-requests-hang.patch new file mode 100644 index 00000000000..b149cf5471f --- /dev/null +++ b/queue-3.4/ib-srp-avoid-having-aborted-requests-hang.patch @@ -0,0 +1,30 @@ +From d8536670916a685df116b5c2cb256573fd25e4e3 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 24 Aug 2012 10:29:11 +0000 +Subject: IB/srp: Avoid having aborted requests hang + +From: Bart Van Assche + +commit d8536670916a685df116b5c2cb256573fd25e4e3 upstream. + +We need to call scsi_done() for commands after we abort them. + +Signed-off-by: Bart Van Assche +Acked-by: David Dillow +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1687,6 +1687,7 @@ static int srp_abort(struct scsi_cmnd *s + SRP_TSK_ABORT_TASK); + srp_free_req(target, req, scmnd, 0); + scmnd->result = DID_ABORT << 16; ++ scmnd->scsi_done(scmnd); + + return SUCCESS; + } diff --git a/queue-3.4/ib-srp-fix-use-after-free-in-srp_reset_req.patch b/queue-3.4/ib-srp-fix-use-after-free-in-srp_reset_req.patch new file mode 100644 index 00000000000..b84b66ffb02 --- /dev/null +++ b/queue-3.4/ib-srp-fix-use-after-free-in-srp_reset_req.patch @@ -0,0 +1,35 @@ +From 9b796d06d5d1b1e85ae2316a283ea11dd739ef96 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Fri, 24 Aug 2012 10:27:54 +0000 +Subject: IB/srp: Fix use-after-free in srp_reset_req() + +From: Bart Van Assche + +commit 9b796d06d5d1b1e85ae2316a283ea11dd739ef96 upstream. + +srp_free_req() uses the scsi_cmnd structure contents to unmap +buffers, so we must invoke srp_free_req() before we release +ownership of that structure. + +Signed-off-by: Bart Van Assche +Acked-by: David Dillow +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -638,9 +638,9 @@ static void srp_reset_req(struct srp_tar + struct scsi_cmnd *scmnd = srp_claim_req(target, req, NULL); + + if (scmnd) { ++ srp_free_req(target, req, scmnd, 0); + scmnd->result = DID_RESET << 16; + scmnd->scsi_done(scmnd); +- srp_free_req(target, req, scmnd, 0); + } + } + diff --git a/queue-3.4/ipoib-fix-use-after-free-of-multicast-object.patch b/queue-3.4/ipoib-fix-use-after-free-of-multicast-object.patch new file mode 100644 index 00000000000..2ac4053ba67 --- /dev/null +++ b/queue-3.4/ipoib-fix-use-after-free-of-multicast-object.patch @@ -0,0 +1,92 @@ +From bea1e22df494a729978e7f2c54f7bda328f74bc3 Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Thu, 30 Aug 2012 07:01:30 +0000 +Subject: IPoIB: Fix use-after-free of multicast object + +From: Patrick McHardy + +commit bea1e22df494a729978e7f2c54f7bda328f74bc3 upstream. + +Fix a crash in ipoib_mcast_join_task(). (with help from Or Gerlitz) + +Commit c8c2afe360b7 ("IPoIB: Use rtnl lock/unlock when changing device +flags") added a call to rtnl_lock() in ipoib_mcast_join_task(), which +is run from the ipoib_workqueue, and hence the workqueue can't be +flushed from the context of ipoib_stop(). + +In the current code, ipoib_stop() (which doesn't flush the workqueue) +calls ipoib_mcast_dev_flush(), which goes and deletes all the +multicast entries. This takes place without any synchronization with +a possible running instance of ipoib_mcast_join_task() for the same +ipoib device, leading to a crash due to NULL pointer dereference. + +Fix this by making sure that the workqueue is flushed before +ipoib_mcast_dev_flush() is called. To make that possible, we move the +RTNL-lock wrapped code to ipoib_mcast_join_finish(). + +Signed-off-by: Patrick McHardy +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 2 +- + drivers/infiniband/ulp/ipoib/ipoib_multicast.c | 19 ++++++++++--------- + 2 files changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -148,7 +148,7 @@ static int ipoib_stop(struct net_device + + netif_stop_queue(dev); + +- ipoib_ib_dev_down(dev, 0); ++ ipoib_ib_dev_down(dev, 1); + ipoib_ib_dev_stop(dev, 0); + + if (!test_bit(IPOIB_FLAG_SUBINTERFACE, &priv->flags)) { +--- a/drivers/infiniband/ulp/ipoib/ipoib_multicast.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_multicast.c +@@ -190,7 +190,9 @@ static int ipoib_mcast_join_finish(struc + + mcast->mcmember = *mcmember; + +- /* Set the cached Q_Key before we attach if it's the broadcast group */ ++ /* Set the multicast MTU and cached Q_Key before we attach if it's ++ * the broadcast group. ++ */ + if (!memcmp(mcast->mcmember.mgid.raw, priv->dev->broadcast + 4, + sizeof (union ib_gid))) { + spin_lock_irq(&priv->lock); +@@ -198,10 +200,17 @@ static int ipoib_mcast_join_finish(struc + spin_unlock_irq(&priv->lock); + return -EAGAIN; + } ++ priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu)); + priv->qkey = be32_to_cpu(priv->broadcast->mcmember.qkey); + spin_unlock_irq(&priv->lock); + priv->tx_wr.wr.ud.remote_qkey = priv->qkey; + set_qkey = 1; ++ ++ if (!ipoib_cm_admin_enabled(dev)) { ++ rtnl_lock(); ++ dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu)); ++ rtnl_unlock(); ++ } + } + + if (!test_bit(IPOIB_MCAST_FLAG_SENDONLY, &mcast->flags)) { +@@ -589,14 +598,6 @@ void ipoib_mcast_join_task(struct work_s + return; + } + +- priv->mcast_mtu = IPOIB_UD_MTU(ib_mtu_enum_to_int(priv->broadcast->mcmember.mtu)); +- +- if (!ipoib_cm_admin_enabled(dev)) { +- rtnl_lock(); +- dev_set_mtu(dev, min(priv->mcast_mtu, priv->admin_mtu)); +- rtnl_unlock(); +- } +- + ipoib_dbg_mcast(priv, "successfully joined all multicast groups\n"); + + clear_bit(IPOIB_MCAST_RUN, &priv->flags); diff --git a/queue-3.4/isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch b/queue-3.4/isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch new file mode 100644 index 00000000000..aacc26c03e4 --- /dev/null +++ b/queue-3.4/isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch @@ -0,0 +1,46 @@ +From 6d70a74ffd616073a68ae0974d98819bfa8e6da6 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 22 Jun 2012 11:31:14 -0700 +Subject: isci: fix isci_pci_probe() generates warning on efi failure path + +From: Dan Williams + +commit 6d70a74ffd616073a68ae0974d98819bfa8e6da6 upstream. + +The oem parameter image embedded in the efi variable is at an offset +from the start of the variable. However, in the failure path we try to +free the 'orom' pointer which is only valid when the paramaters are +being read from the legacy option-rom space. + +Since failure to load the oem parameters is unlikely and we keep the +memory around in the success case just defer all de-allocation to devm. + +Reported-by: Don Morris +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/isci/init.c | 1 - + drivers/scsi/isci/probe_roms.c | 1 - + 2 files changed, 2 deletions(-) + +--- a/drivers/scsi/isci/init.c ++++ b/drivers/scsi/isci/init.c +@@ -481,7 +481,6 @@ static int __devinit isci_pci_probe(stru + orom->hdr.version)) { + dev_warn(&pdev->dev, + "[%d]: invalid oem parameters detected, falling back to firmware\n", i); +- devm_kfree(&pdev->dev, orom); + orom = NULL; + break; + } +--- a/drivers/scsi/isci/probe_roms.c ++++ b/drivers/scsi/isci/probe_roms.c +@@ -104,7 +104,6 @@ struct isci_orom *isci_request_oprom(str + + if (i >= len) { + dev_err(&pdev->dev, "oprom parse error\n"); +- devm_kfree(&pdev->dev, rom); + rom = NULL; + } + pci_unmap_biosrom(oprom); diff --git a/queue-3.4/remoteproc-fix-a-potential-null-dereference-on-cleanup.patch b/queue-3.4/remoteproc-fix-a-potential-null-dereference-on-cleanup.patch new file mode 100644 index 00000000000..36cd8c36e70 --- /dev/null +++ b/queue-3.4/remoteproc-fix-a-potential-null-dereference-on-cleanup.patch @@ -0,0 +1,79 @@ +From 7168d914a782086e217214c57ddfc7cc4b738c0c Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 25 Sep 2012 10:01:56 +0300 +Subject: remoteproc: fix a potential NULL-dereference on cleanup + +From: Dan Carpenter + +commit 7168d914a782086e217214c57ddfc7cc4b738c0c upstream. + +We only need to allocate mapping if there is an IOMMU domain. + +Otherwise, when the mappings are released, the assumption that +an IOMMU domain is there will crash and burn. + +Signed-off-by: Dan Carpenter +[ohad: revise commit log] +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/remoteproc_core.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/drivers/remoteproc/remoteproc_core.c ++++ b/drivers/remoteproc/remoteproc_core.c +@@ -643,17 +643,10 @@ static int rproc_handle_carveout(struct + dev_dbg(dev, "carveout rsc: da %x, pa %x, len %x, flags %x\n", + rsc->da, rsc->pa, rsc->len, rsc->flags); + +- mapping = kzalloc(sizeof(*mapping), GFP_KERNEL); +- if (!mapping) { +- dev_err(dev, "kzalloc mapping failed\n"); +- return -ENOMEM; +- } +- + carveout = kzalloc(sizeof(*carveout), GFP_KERNEL); + if (!carveout) { + dev_err(dev, "kzalloc carveout failed\n"); +- ret = -ENOMEM; +- goto free_mapping; ++ return -ENOMEM; + } + + va = dma_alloc_coherent(dev, rsc->len, &dma, GFP_KERNEL); +@@ -683,11 +676,18 @@ static int rproc_handle_carveout(struct + * physical address in this case. + */ + if (rproc->domain) { ++ mapping = kzalloc(sizeof(*mapping), GFP_KERNEL); ++ if (!mapping) { ++ dev_err(dev, "kzalloc mapping failed\n"); ++ ret = -ENOMEM; ++ goto dma_free; ++ } ++ + ret = iommu_map(rproc->domain, rsc->da, dma, rsc->len, + rsc->flags); + if (ret) { + dev_err(dev, "iommu_map failed: %d\n", ret); +- goto dma_free; ++ goto free_mapping; + } + + /* +@@ -728,12 +728,12 @@ static int rproc_handle_carveout(struct + + return 0; + ++free_mapping: ++ kfree(mapping); + dma_free: + dma_free_coherent(dev, rsc->len, va, dma); + free_carv: + kfree(carveout); +-free_mapping: +- kfree(mapping); + return ret; + } + diff --git a/queue-3.4/remoteproc-select-virtio-to-avoid-build-breakage.patch b/queue-3.4/remoteproc-select-virtio-to-avoid-build-breakage.patch new file mode 100644 index 00000000000..9dd5f997f32 --- /dev/null +++ b/queue-3.4/remoteproc-select-virtio-to-avoid-build-breakage.patch @@ -0,0 +1,40 @@ +From 2ed6d29c725c4aead510b5c23f563795b265acf5 Mon Sep 17 00:00:00 2001 +From: Ohad Ben-Cohen +Date: Sun, 30 Sep 2012 10:25:34 +0200 +Subject: remoteproc: select VIRTIO to avoid build breakage + +From: Ohad Ben-Cohen + +commit 2ed6d29c725c4aead510b5c23f563795b265acf5 upstream. + +drivers/built-in.o: In function `rproc_virtio_finalize_features': +remoteproc_virtio.c:(.text+0x2f9a02): undefined reference to `vring_transport_features' +drivers/built-in.o: In function `rproc_virtio_del_vqs': +remoteproc_virtio.c:(.text+0x2f9a74): undefined reference to `vring_del_virtqueue' +drivers/built-in.o: In function `rproc_virtio_find_vqs': +remoteproc_virtio.c:(.text+0x2f9c44): undefined reference to `vring_new_virtqueue' +drivers/built-in.o: In function `rproc_add_virtio_dev': +(.text+0x2f9e2c): undefined reference to `register_virtio_device' +drivers/built-in.o: In function `rproc_vq_interrupt': +(.text+0x2f9db7): undefined reference to `vring_interrupt' +drivers/built-in.o: In function `rproc_remove_virtio_dev': +(.text+0x2f9e9f): undefined reference to `unregister_virtio_device' + +Reported-by: Randy Dunlap +Signed-off-by: Ohad Ben-Cohen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/remoteproc/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/remoteproc/Kconfig ++++ b/drivers/remoteproc/Kconfig +@@ -5,6 +5,7 @@ config REMOTEPROC + tristate + depends on EXPERIMENTAL + select FW_CONFIG ++ select VIRTIO + + config OMAP_REMOTEPROC + tristate "OMAP remoteproc support" diff --git a/queue-3.4/scsi-hpsa-use-lun-reset-instead-of-target-reset.patch b/queue-3.4/scsi-hpsa-use-lun-reset-instead-of-target-reset.patch new file mode 100644 index 00000000000..f9c67261472 --- /dev/null +++ b/queue-3.4/scsi-hpsa-use-lun-reset-instead-of-target-reset.patch @@ -0,0 +1,53 @@ +From 21e89afd325849eb38adccf382df16cc895911f9 Mon Sep 17 00:00:00 2001 +From: "Stephen M. Cameron" +Date: Thu, 26 Jul 2012 11:34:10 -0500 +Subject: SCSI: hpsa: Use LUN reset instead of target reset + +From: "Stephen M. Cameron" + +commit 21e89afd325849eb38adccf382df16cc895911f9 upstream. + +It turns out Smart Array logical drives do not support target +reset and when the target reset fails, the logical drive will +be taken off line. Symptoms look like this: + +hpsa 0000:03:00.0: Abort request on C1:B0:T0:L0 +hpsa 0000:03:00.0: resetting device 1:0:0:0 +hpsa 0000:03:00.0: cp ffff880037c56000 is reported invalid (probably means target device no longer present) +hpsa 0000:03:00.0: resetting device failed. +sd 1:0:0:0: Device offlined - not ready after error recovery +sd 1:0:0:0: rejecting I/O to offline device +EXT3-fs error (device sdb1): read_block_bitmap: + +LUN reset is supported though, and is what we should be using. +Target reset is also disruptive in shared SAS situations, +for example, an external MSA1210m which does support target +reset attached to Smart Arrays in multiple hosts -- a target +reset from one host is disruptive to other hosts as all LUNs +on the target will be reset and will abort all outstanding i/os +back to all the attached hosts. So we should use LUN reset, +not target reset. + +Tested this with Smart Array logical drives and with tape drives. +Not sure how this bug survived since 2009, except it must be very +rare for a Smart Array to require more than 30s to complete a request. + +Signed-off-by: Stephen M. Cameron +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/hpsa.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/hpsa.c ++++ b/drivers/scsi/hpsa.c +@@ -2943,7 +2943,7 @@ static void fill_cmd(struct CommandList + c->Request.Timeout = 0; /* Don't time out */ + memset(&c->Request.CDB[0], 0, sizeof(c->Request.CDB)); + c->Request.CDB[0] = cmd; +- c->Request.CDB[1] = 0x03; /* Reset target above */ ++ c->Request.CDB[1] = HPSA_RESET_TYPE_LUN; + /* If bytes 4-7 are zero, it means reset the */ + /* LunID device */ + c->Request.CDB[4] = 0x00; diff --git a/queue-3.4/scsi-ibmvscsi-fix-host-config-length-field-overflow.patch b/queue-3.4/scsi-ibmvscsi-fix-host-config-length-field-overflow.patch new file mode 100644 index 00000000000..476b1f65b4a --- /dev/null +++ b/queue-3.4/scsi-ibmvscsi-fix-host-config-length-field-overflow.patch @@ -0,0 +1,34 @@ +From 225c56960fcafeccc2b6304f96cd3f0dbf42a16a Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Mon, 30 Jul 2012 11:33:05 +1000 +Subject: SCSI: ibmvscsi: Fix host config length field overflow + +From: Benjamin Herrenschmidt + +commit 225c56960fcafeccc2b6304f96cd3f0dbf42a16a upstream. + +The length field in the host config packet is only 16-bit long, so +passing it 0x10000 (64K which is our standard PAGE_SIZE) doesn't +work and result in an empty config from the server. + +Signed-off-by: Benjamin Herrenschmidt +Acked-by: Robert Jennings +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ibmvscsi/ibmvscsi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/scsi/ibmvscsi/ibmvscsi.c ++++ b/drivers/scsi/ibmvscsi/ibmvscsi.c +@@ -1541,6 +1541,9 @@ static int ibmvscsi_do_host_config(struc + + host_config = &evt_struct->iu.mad.host_config; + ++ /* The transport length field is only 16-bit */ ++ length = min(0xffff, length); ++ + /* Set up a lun reset SRP command */ + memset(host_config, 0x00, sizeof(*host_config)); + host_config->common.type = VIOSRP_HOST_CONFIG_TYPE; diff --git a/queue-3.4/series b/queue-3.4/series index 17798276c4f..e7c2200c79f 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -36,3 +36,15 @@ n_gsm.c-implement-3gpp27.010-dlc-start-up-procedure-in-mux.patch n_gsm-uplink-skbs-accumulate-on-list.patch n_gsm-added-interlocking-for-gsm_data_lock-for-certain-code-paths.patch n_gsm-memory-leak-in-uplink-error-path.patch +ubi-fix-autoresize-handling-in-r-o-mode.patch +yama-handle-32-bit-userspace-prctl.patch +scsi-ibmvscsi-fix-host-config-length-field-overflow.patch +scsi-hpsa-use-lun-reset-instead-of-target-reset.patch +can-mscan-mpc5xxx-fix-return-value-check-in-mpc512x_can_get_clock.patch +remoteproc-select-virtio-to-avoid-build-breakage.patch +remoteproc-fix-a-potential-null-dereference-on-cleanup.patch +ipoib-fix-use-after-free-of-multicast-object.patch +ib-srp-fix-use-after-free-in-srp_reset_req.patch +ib-srp-avoid-having-aborted-requests-hang.patch +isci-fix-isci_pci_probe-generates-warning-on-efi-failure-path.patch +x86-alternatives-fix-p6-nops-on-non-modular-kernels.patch diff --git a/queue-3.4/ubi-fix-autoresize-handling-in-r-o-mode.patch b/queue-3.4/ubi-fix-autoresize-handling-in-r-o-mode.patch new file mode 100644 index 00000000000..7023388f853 --- /dev/null +++ b/queue-3.4/ubi-fix-autoresize-handling-in-r-o-mode.patch @@ -0,0 +1,35 @@ +From abb3e01103eb4e2ea5c15e6fedbc74e08bd4cc2b Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Sat, 18 Aug 2012 14:11:42 +0200 +Subject: UBI: fix autoresize handling in R/O mode + +From: Artem Bityutskiy + +commit abb3e01103eb4e2ea5c15e6fedbc74e08bd4cc2b upstream. + +Currently UBI fails in autoresize when it is in R/O mode (e.g., because the +underlying MTD device is R/O). This patch fixes the issue - we just skip +autoresize and print a warning. + +Reported-by: Pali Rohár +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/build.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/mtd/ubi/build.c ++++ b/drivers/mtd/ubi/build.c +@@ -816,6 +816,11 @@ static int autoresize(struct ubi_device + struct ubi_volume *vol = ubi->volumes[vol_id]; + int err, old_reserved_pebs = vol->reserved_pebs; + ++ if (ubi->ro_mode) { ++ ubi_warn("skip auto-resize because of R/O mode"); ++ return 0; ++ } ++ + /* + * Clear the auto-resize flag in the volume in-memory copy of the + * volume table, and 'ubi_resize_volume()' will propagate this change diff --git a/queue-3.4/x86-alternatives-fix-p6-nops-on-non-modular-kernels.patch b/queue-3.4/x86-alternatives-fix-p6-nops-on-non-modular-kernels.patch new file mode 100644 index 00000000000..b5535a18543 --- /dev/null +++ b/queue-3.4/x86-alternatives-fix-p6-nops-on-non-modular-kernels.patch @@ -0,0 +1,44 @@ +From cb09cad44f07044d9810f18f6f9a6a6f3771f979 Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Wed, 22 Aug 2012 13:03:48 +0300 +Subject: x86/alternatives: Fix p6 nops on non-modular kernels + +From: Avi Kivity + +commit cb09cad44f07044d9810f18f6f9a6a6f3771f979 upstream. + +Probably a leftover from the early days of self-patching, p6nops +are marked __initconst_or_module, which causes them to be +discarded in a non-modular kernel. If something later triggers +patching, it will overwrite kernel code with garbage. + +Reported-by: Tomas Racek +Signed-off-by: Avi Kivity +Cc: Michael Tokarev +Cc: Borislav Petkov +Cc: Marcelo Tosatti +Cc: qemu-devel@nongnu.org +Cc: Anthony Liguori +Cc: H. Peter Anvin +Cc: Alan Cox +Cc: Alan Cox +Link: http://lkml.kernel.org/r/5034AE84.90708@redhat.com +Signed-off-by: Ingo Molnar +Cc: Ben Jencks +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/alternative.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/alternative.c ++++ b/arch/x86/kernel/alternative.c +@@ -160,7 +160,7 @@ static const unsigned char * const k7_no + #endif + + #ifdef P6_NOP1 +-static const unsigned char __initconst_or_module p6nops[] = ++static const unsigned char p6nops[] = + { + P6_NOP1, + P6_NOP2, diff --git a/queue-3.4/yama-handle-32-bit-userspace-prctl.patch b/queue-3.4/yama-handle-32-bit-userspace-prctl.patch new file mode 100644 index 00000000000..ca4b8638353 --- /dev/null +++ b/queue-3.4/yama-handle-32-bit-userspace-prctl.patch @@ -0,0 +1,36 @@ +From 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 27 Aug 2012 11:38:13 -0700 +Subject: Yama: handle 32-bit userspace prctl + +From: Kees Cook + +commit 2e4930eb7c8fb20a39dfb5f8a8f80402710dcea8 upstream. + +When running a 64-bit kernel and receiving prctls from a 32-bit +userspace, the "-1" used as an unsigned long will end up being +misdetected. The kernel is looking for 0xffffffffffffffff instead of +0xffffffff. Since prctl lacks a distinct compat interface, Yama needs +to handle this translation itself. As such, support either value as +meaning PR_SET_PTRACER_ANY, to avoid breaking the ABI for 64-bit. + +Signed-off-by: Kees Cook +Acked-by: John Johansen +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + security/yama/yama_lsm.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/yama/yama_lsm.c ++++ b/security/yama/yama_lsm.c +@@ -138,7 +138,7 @@ static int yama_task_prctl(int option, u + if (arg2 == 0) { + yama_ptracer_del(NULL, myself); + rc = 0; +- } else if (arg2 == PR_SET_PTRACER_ANY) { ++ } else if (arg2 == PR_SET_PTRACER_ANY || (int)arg2 == -1) { + rc = yama_ptracer_add(NULL, myself); + } else { + struct task_struct *tracer;