From: Greg Kroah-Hartman Date: Thu, 1 Aug 2013 03:31:34 +0000 (+0800) Subject: 3.10-stable patches X-Git-Tag: v3.0.89~16 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=9e67e21427904f62ab07a0e63cfcd14651ad9554;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch btrfs-fix-wrong-write-offset-when-replacing-a-device.patch btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch dm-mpath-fix-ioctl-deadlock-when-no-paths.patch dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch libata-make-it-clear-that-sata_inic162x-is-experimental.patch md-raid10-remove-use-after-free-bug.patch md-raid1-fix-bio-handling-problems-in-process_checks.patch md-raid5-fix-interaction-of-replace-and-recovery.patch md-remove-recent-change-which-allows-devices-to-skip-recovery.patch nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch scsi-qla2xxx-properly-set-the-tagging-for-commands.patch scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch staging-android-logger-correct-write-offset-reset-on-error.patch staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch svcrdma-underflow-issue-in-decode_write_list.patch tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch usb-ehci-fix-resume-signalling-on-remote-wakeup.patch usb-global-suspend-and-remote-wakeup-don-t-mix.patch usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch usb-mos7840-fix-memory-leak-in-open.patch usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch x86-make-sure-idt-is-page-aligned.patch x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch xen-blkback-check-device-permissions-before-allowing-op_discard.patch xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch xhci-avoid-null-pointer-deref-when-host-dies.patch xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch --- diff --git a/queue-3.10/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch b/queue-3.10/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch new file mode 100644 index 00000000000..12d7bf68dd9 --- /dev/null +++ b/queue-3.10/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch @@ -0,0 +1,36 @@ +From d19f503e22316a84c39bc19445e0e4fdd49b3532 Mon Sep 17 00:00:00 2001 +From: Toshi Kani +Date: Wed, 10 Jul 2013 10:47:13 -0600 +Subject: ACPI / memhotplug: Fix a stale pointer in error path + +From: Toshi Kani + +commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream. + +device->driver_data needs to be cleared when releasing its data, +mem_device, in an error path of acpi_memory_device_add(). + +The function evaluates the _CRS of memory device objects, and fails +when it gets an unexpected resource or cannot allocate memory. A +kernel crash or data corruption may occur when the kernel accesses +the stale pointer. + +Signed-off-by: Toshi Kani +Reviewed-by: Yasuaki Ishimatsu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_memhotplug.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/acpi_memhotplug.c ++++ b/drivers/acpi/acpi_memhotplug.c +@@ -283,6 +283,7 @@ static int acpi_memory_device_add(struct + /* Get the range from the _CRS */ + result = acpi_memory_get_device_resources(mem_device); + if (result) { ++ device->driver_data = NULL; + kfree(mem_device); + return result; + } diff --git a/queue-3.10/acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch b/queue-3.10/acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch new file mode 100644 index 00000000000..65664ab33da --- /dev/null +++ b/queue-3.10/acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch @@ -0,0 +1,45 @@ +From 8832f7e43fa7f0f19bd54e13766a825dd1ed4d6f Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Mon, 8 Jul 2013 02:01:53 +0200 +Subject: ACPI / scan: Always call acpi_bus_scan() for bus check notifications + +From: "Rafael J. Wysocki" + +commit 8832f7e43fa7f0f19bd54e13766a825dd1ed4d6f upstream. + +An ACPI_NOTIFY_BUS_CHECK notification means that we should scan the +entire namespace starting from the given handle even if the device +represented by that handle is present (other devices below it may +just have appeared). + +For this reason, modify acpi_scan_bus_device_check() to always run +acpi_bus_scan() if the notification being handled is of type +ACPI_NOTIFY_BUS_CHECK. + +Signed-off-by: Rafael J. Wysocki +Acked-by: Toshi Kani +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/scan.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -237,10 +237,12 @@ static void acpi_scan_bus_device_check(a + + mutex_lock(&acpi_scan_lock); + +- acpi_bus_get_device(handle, &device); +- if (device) { +- dev_warn(&device->dev, "Attempt to re-insert\n"); +- goto out; ++ if (ost_source != ACPI_NOTIFY_BUS_CHECK) { ++ acpi_bus_get_device(handle, &device); ++ if (device) { ++ dev_warn(&device->dev, "Attempt to re-insert\n"); ++ goto out; ++ } + } + acpi_evaluate_hotplug_ost(handle, ost_source, + ACPI_OST_SC_INSERT_IN_PROGRESS, NULL); diff --git a/queue-3.10/acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch b/queue-3.10/acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch new file mode 100644 index 00000000000..b3f84710d17 --- /dev/null +++ b/queue-3.10/acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch @@ -0,0 +1,42 @@ +From 3a391a39593b48341f0908511590a6c0e55cc069 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Fri, 12 Jul 2013 13:45:59 +0200 +Subject: ACPI / scan: Do not try to attach scan handlers to devices having them + +From: "Rafael J. Wysocki" + +commit 3a391a39593b48341f0908511590a6c0e55cc069 upstream. + +In acpi_bus_device_attach(), if there is an ACPI device object +for the given handle and that device object has a scan handler +attached to it already, there's nothing more to do for that handle. +Moreover, if acpi_scan_attach_handler() is called then, it may +execute the .attach() callback of the ACPI scan handler already +attached to the device object and that may lead to interesting +breakage. + +For this reason, make acpi_bus_device_attach() return success +immediately when the handle's device object has a scan handler +attached to it. + +Reported-by: Toshi Kani +Signed-off-by: Rafael J. Wysocki +Acked-by: Toshi Kani +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/scan.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1892,6 +1892,9 @@ static acpi_status acpi_bus_device_attac + if (acpi_bus_get_device(handle, &device)) + return AE_CTRL_DEPTH; + ++ if (device->handler) ++ return AE_OK; ++ + ret = acpi_scan_attach_handler(device); + if (ret) + return ret > 0 ? AE_OK : AE_CTRL_DEPTH; diff --git a/queue-3.10/acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch b/queue-3.10/acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch new file mode 100644 index 00000000000..52f68b99f6e --- /dev/null +++ b/queue-3.10/acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch @@ -0,0 +1,40 @@ +From 9657a565a476d517451c10b0bcc106e300785aff Mon Sep 17 00:00:00 2001 +From: Lan Tianyu +Date: Tue, 16 Jul 2013 10:07:21 +0800 +Subject: ACPI / video: ignore BIOS initial backlight value for Fujitsu E753 + +From: Lan Tianyu + +commit 9657a565a476d517451c10b0bcc106e300785aff upstream. + +The BIOS of FUjitsu E753 reports an incorrect initial backlight value +for WIN8 compatible OS, causing backlight to be dark during startup. +This change causes the incorrect initial value from BIOS to be ignored. + +References: https://bugzilla.kernel.org/show_bug.cgi?id=60161 +Reported-and-tested-by: Jan Hinnerk Stosch +Signed-off-by: Lan Tianyu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/video.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/video.c ++++ b/drivers/acpi/video.c +@@ -450,6 +450,14 @@ static struct dmi_system_id video_dmi_ta + }, + { + .callback = video_ignore_initial_backlight, ++ .ident = "Fujitsu E753", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "FUJITSU"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "LIFEBOOK E753"), ++ }, ++ }, ++ { ++ .callback = video_ignore_initial_backlight, + .ident = "HP Pavilion dm4", + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"), diff --git a/queue-3.10/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch b/queue-3.10/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch new file mode 100644 index 00000000000..c2774841848 --- /dev/null +++ b/queue-3.10/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch @@ -0,0 +1,35 @@ +From eac27f04a71e1f39f196f7e520d16dcefc955d77 Mon Sep 17 00:00:00 2001 +From: Youquan Song +Date: Thu, 11 Jul 2013 21:15:57 -0400 +Subject: ata: Fix DVD not dectected at some platform with Wellsburg PCH + +From: Youquan Song + +commit eac27f04a71e1f39f196f7e520d16dcefc955d77 upstream. + +There is a patch b55f84e2d527182e7c611d466cd0bb6ddce201de "ata_piix: Fix DVD + not dectected at some Haswell platforms" to fix an issue of DVD not +recognized on Haswell Desktop platform with Lynx Point. +Recently, it is also found the same issue at some platformas with Wellsburg PCH. + +So deliver a similar patch to fix it by disables 32bit PIO in IDE mode. + +Signed-off-by: Youquan Song +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ata_piix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ata_piix.c ++++ b/drivers/ata/ata_piix.c +@@ -330,7 +330,7 @@ static const struct pci_device_id piix_p + /* SATA Controller IDE (Wellsburg) */ + { 0x8086, 0x8d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ +- { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata }, ++ { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ + { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ diff --git a/queue-3.10/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch b/queue-3.10/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch new file mode 100644 index 00000000000..82e7a40bc03 --- /dev/null +++ b/queue-3.10/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch @@ -0,0 +1,40 @@ +From fec386ac1428f9c0e672df952cbca5cebd4e4e2f Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 15 Jul 2013 12:41:42 -0400 +Subject: Btrfs: fix lock leak when resuming snapshot deletion + +From: Josef Bacik + +commit fec386ac1428f9c0e672df952cbca5cebd4e4e2f upstream. + +We aren't setting path->locks[level] when we resume a snapshot deletion which +means we won't unlock the buffer when we free the path. This causes deadlocks +if we happen to re-allocate the block before we've evicted the extent buffer +from cache. Thanks, + +Reported-by: Alex Lyakas +Signed-off-by: Josef Bacik +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -7355,6 +7355,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + while (1) { + btrfs_tree_lock(path->nodes[level]); + btrfs_set_lock_blocking(path->nodes[level]); ++ path->locks[level] = BTRFS_WRITE_LOCK_BLOCKING; + + ret = btrfs_lookup_extent_info(trans, root, + path->nodes[level]->start, +@@ -7370,6 +7371,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + break; + + btrfs_tree_unlock(path->nodes[level]); ++ path->locks[level] = 0; + WARN_ON(wc->refs[level] != 1); + level--; + } diff --git a/queue-3.10/btrfs-fix-wrong-write-offset-when-replacing-a-device.patch b/queue-3.10/btrfs-fix-wrong-write-offset-when-replacing-a-device.patch new file mode 100644 index 00000000000..92b8c4099fc --- /dev/null +++ b/queue-3.10/btrfs-fix-wrong-write-offset-when-replacing-a-device.patch @@ -0,0 +1,52 @@ +From 115930cb2d444a684975cf2325759cb48ebf80cc Mon Sep 17 00:00:00 2001 +From: Stefan Behrens +Date: Thu, 4 Jul 2013 16:14:23 +0200 +Subject: Btrfs: fix wrong write offset when replacing a device + +From: Stefan Behrens + +commit 115930cb2d444a684975cf2325759cb48ebf80cc upstream. + +Miao Xie reported the following issue: + +The filesystem was corrupted after we did a device replace. + +Steps to reproduce: + # mkfs.btrfs -f -m single -d raid10 .. + # mount + # btrfs replace start -rfB 1 + # umount + # btrfsck + +The reason for the issue is that we changed the write offset by mistake, +introduced by commit 625f1c8dc. + +We read the data from the source device at first, and then write the +data into the corresponding place of the new device. In order to +implement the "-r" option, the source location is remapped using +btrfs_map_block(). The read takes place on the mapped location, and +the write needs to take place on the unmapped location. Currently +the write is using the mapped location, and this commit changes it +back by undoing the change to the write address that the aforementioned +commit added by mistake. + +Reported-by: Miao Xie +Signed-off-by: Stefan Behrens +Signed-off-by: Josef Bacik +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/scrub.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/btrfs/scrub.c ++++ b/fs/btrfs/scrub.c +@@ -2501,7 +2501,7 @@ again: + ret = scrub_extent(sctx, extent_logical, extent_len, + extent_physical, extent_dev, flags, + generation, extent_mirror_num, +- extent_physical); ++ extent_logical - logical + physical); + if (ret) + goto out; + diff --git a/queue-3.10/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch b/queue-3.10/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch new file mode 100644 index 00000000000..b2444aa97d6 --- /dev/null +++ b/queue-3.10/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch @@ -0,0 +1,57 @@ +From d29a9f629e009c9b90e5859bce581070fd6247fc Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 17 Jul 2013 19:30:20 -0400 +Subject: Btrfs: re-add root to dead root list if we stop dropping it + +From: Josef Bacik + +commit d29a9f629e009c9b90e5859bce581070fd6247fc upstream. + +If we stop dropping a root for whatever reason we need to add it back to the +dead root list so that we will re-start the dropping next transaction commit. +The other case this happens is if we recover a drop because we will add a root +without adding it to the fs radix tree, so we can leak it's root and commit root +extent buffer, adding this to the dead root list makes this cleanup happen. +Thanks, + +Reported-by: Alex Lyakas +Signed-off-by: Josef Bacik +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -7298,6 +7298,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + int err = 0; + int ret; + int level; ++ bool root_dropped = false; + + path = btrfs_alloc_path(); + if (!path) { +@@ -7473,12 +7474,22 @@ int btrfs_drop_snapshot(struct btrfs_roo + free_extent_buffer(root->commit_root); + kfree(root); + } ++ root_dropped = true; + out_end_trans: + btrfs_end_transaction_throttle(trans, tree_root); + out_free: + kfree(wc); + btrfs_free_path(path); + out: ++ /* ++ * So if we need to stop dropping the snapshot for whatever reason we ++ * need to make sure to add it back to the dead root list so that we ++ * keep trying to do the work later. This also cleans up roots if we ++ * don't have it in the radix (like when we recover after a power fail ++ * or unmount) so we don't leak memory. ++ */ ++ if (root_dropped == false) ++ btrfs_add_dead_root(root); + if (err) + btrfs_std_error(root->fs_info, err); + return err; diff --git a/queue-3.10/cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch b/queue-3.10/cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch new file mode 100644 index 00000000000..73ccd82d437 --- /dev/null +++ b/queue-3.10/cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch @@ -0,0 +1,63 @@ +From 2134ed4d614349b2b4e8d7bb593baa9179b8dd1e Mon Sep 17 00:00:00 2001 +From: Dirk Brandewie +Date: Thu, 18 Jul 2013 08:48:42 -0700 +Subject: cpufreq / intel_pstate: Change to scale off of max P-state + +From: Dirk Brandewie + +commit 2134ed4d614349b2b4e8d7bb593baa9179b8dd1e upstream. + +Change to using max P-state instead of max turbo P-state. This +change resolves two issues. + +On a quiet system intel_pstate can fail to respond to a load change. + +On CPU SKUs that have a limited number of P-states and no turbo range +intel_pstate fails to select the highest available P-state. + +This change is suitable for stable v3.9+ + +References: https://bugzilla.kernel.org/show_bug.cgi?id=59481 +Reported-and-tested-by: Arjan van de Ven +Reported-and-tested-by: dsmythies@telus.net +Signed-off-by: Dirk Brandewie +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/intel_pstate.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -103,10 +103,10 @@ struct pstate_adjust_policy { + static struct pstate_adjust_policy default_policy = { + .sample_rate_ms = 10, + .deadband = 0, +- .setpoint = 109, +- .p_gain_pct = 17, ++ .setpoint = 97, ++ .p_gain_pct = 20, + .d_gain_pct = 0, +- .i_gain_pct = 4, ++ .i_gain_pct = 0, + }; + + struct perf_limits { +@@ -468,12 +468,12 @@ static inline void intel_pstate_set_samp + static inline int intel_pstate_get_scaled_busy(struct cpudata *cpu) + { + int32_t busy_scaled; +- int32_t core_busy, turbo_pstate, current_pstate; ++ int32_t core_busy, max_pstate, current_pstate; + + core_busy = int_tofp(cpu->samples[cpu->sample_ptr].core_pct_busy); +- turbo_pstate = int_tofp(cpu->pstate.turbo_pstate); ++ max_pstate = int_tofp(cpu->pstate.max_pstate); + current_pstate = int_tofp(cpu->pstate.current_pstate); +- busy_scaled = mul_fp(core_busy, div_fp(turbo_pstate, current_pstate)); ++ busy_scaled = mul_fp(core_busy, div_fp(max_pstate, current_pstate)); + + return fp_toint(busy_scaled); + } diff --git a/queue-3.10/crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch b/queue-3.10/crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch new file mode 100644 index 00000000000..a942f364512 --- /dev/null +++ b/queue-3.10/crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch @@ -0,0 +1,81 @@ +From 9c23b7d3d6bda41e2a27375df705485523a96dc8 Mon Sep 17 00:00:00 2001 +From: Vakul Garg +Date: Wed, 10 Jul 2013 06:26:13 +0000 +Subject: crypto: caam - Fixed the memory out of bound overwrite issue + +From: Vakul Garg + +commit 9c23b7d3d6bda41e2a27375df705485523a96dc8 upstream. + +When kernel is compiled with CONFIG_SLUB_DEBUG=y and +CRYPTO_MANAGER_DISABLE_TESTS=n, during kernel bootup, the kernel +reports error given below. The root cause is that in function +hash_digest_key(), for allocating descriptor, insufficient memory was +being allocated. The required number of descriptor words apart from +input and output pointers are 8 (instead of 6). + +============================================================================= +BUG dma-kmalloc-32 (Not tainted): Redzone overwritten +----------------------------------------------------------------------------- + +Disabling lock debugging due to kernel taint +INFO: 0xdec5dec0-0xdec5dec3. First byte 0x0 instead of 0xcc +INFO: Allocated in ahash_setkey+0x60/0x594 age=7 cpu=1 pid=1257 + __kmalloc+0x154/0x1b4 + ahash_setkey+0x60/0x594 + test_hash+0x260/0x5a0 + alg_test_hash+0x48/0xb0 + alg_test+0x84/0x228 + cryptomgr_test+0x4c/0x54 + kthread+0x98/0x9c + ret_from_kernel_thread+0x64/0x6c +INFO: Slab 0xc0bd0ba0 objects=19 used=2 fp=0xdec5d0d0 flags=0x0081 +INFO: Object 0xdec5dea0 @offset=3744 fp=0x5c200014 + +Bytes b4 dec5de90: 00 00 00 00 00 00 00 00 5a 5a 5a 5a 5a 5a 5a 5a +........ZZZZZZZZ +Object dec5dea0: b0 80 00 0a 84 41 00 0d f0 40 00 00 00 67 3f c0 +.....A...@...g?. +Object dec5deb0: 00 00 00 50 2c 14 00 50 f8 40 00 00 1e c5 d0 00 +...P,..P.@...... +Redzone dec5dec0: 00 00 00 14 .... +Padding dec5df68: 5a 5a 5a 5a 5a 5a 5a 5a +ZZZZZZZZ +Call Trace: +[dec65b60] [c00071b4] show_stack+0x4c/0x168 (unreliable) +[dec65ba0] [c00d4ec8] check_bytes_and_report+0xe4/0x11c +[dec65bd0] [c00d507c] check_object+0x17c/0x23c +[dec65bf0] [c0550a00] free_debug_processing+0xf4/0x294 +[dec65c20] [c0550bdc] __slab_free+0x3c/0x294 +[dec65c80] [c03f0744] ahash_setkey+0x4e0/0x594 +[dec65cd0] [c01ef138] test_hash+0x260/0x5a0 +[dec65e50] [c01ef4c0] alg_test_hash+0x48/0xb0 +[dec65e70] [c01eecc4] alg_test+0x84/0x228 +[dec65ee0] [c01ec640] cryptomgr_test+0x4c/0x54 +[dec65ef0] [c005adc0] kthread+0x98/0x9c +[dec65f40] [c000e1ac] ret_from_kernel_thread+0x64/0x6c +FIX dma-kmalloc-32: Restoring 0xdec5dec0-0xdec5dec3=0xcc + +Change-Id: I0c7a1048053e811025d1c3b487940f87345c8f5d +Signed-off-by: Vakul Garg +Reviewed-by: Geanta Neag Horia Ioan-B05471 +Reviewed-by: Fleming Andrew-AFLEMING +Tested-by: Fleming Andrew-AFLEMING +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/caam/caamhash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/crypto/caam/caamhash.c ++++ b/drivers/crypto/caam/caamhash.c +@@ -429,7 +429,7 @@ static int hash_digest_key(struct caam_h + dma_addr_t src_dma, dst_dma; + int ret = 0; + +- desc = kmalloc(CAAM_CMD_SZ * 6 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA); ++ desc = kmalloc(CAAM_CMD_SZ * 8 + CAAM_PTR_SZ * 2, GFP_KERNEL | GFP_DMA); + if (!desc) { + dev_err(jrdev, "unable to allocate key input memory\n"); + return -ENOMEM; diff --git a/queue-3.10/dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch b/queue-3.10/dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch new file mode 100644 index 00000000000..3f5990fff1e --- /dev/null +++ b/queue-3.10/dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch @@ -0,0 +1,38 @@ +From 1c0e883e86ece31880fac2f84b260545d66a39e0 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 10 Jul 2013 23:41:15 +0100 +Subject: dm ioctl: set noio flag to avoid __vmalloc deadlock + +From: Mikulas Patocka + +commit 1c0e883e86ece31880fac2f84b260545d66a39e0 upstream. + +Set noio flag while calling __vmalloc() because it doesn't fully respect +gfp flags to avoid a possible deadlock (see commit +502624bdad3dba45dfaacaf36b7d83e39e74b2d2). + +This should be backported to stable kernels 3.8 and newer. The kernel 3.8 +doesn't have memalloc_noio_save(), so we should set and restore process +flag PF_MEMALLOC instead. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-ioctl.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/md/dm-ioctl.c ++++ b/drivers/md/dm-ioctl.c +@@ -1644,7 +1644,10 @@ static int copy_params(struct dm_ioctl _ + } + + if (!dmi) { ++ unsigned noio_flag; ++ noio_flag = memalloc_noio_save(); + dmi = __vmalloc(param_kernel->data_size, GFP_NOIO | __GFP_REPEAT | __GFP_HIGH, PAGE_KERNEL); ++ memalloc_noio_restore(noio_flag); + if (dmi) + *param_flags |= DM_PARAMS_VMALLOC; + } diff --git a/queue-3.10/dm-mpath-fix-ioctl-deadlock-when-no-paths.patch b/queue-3.10/dm-mpath-fix-ioctl-deadlock-when-no-paths.patch new file mode 100644 index 00000000000..c3ec017d386 --- /dev/null +++ b/queue-3.10/dm-mpath-fix-ioctl-deadlock-when-no-paths.patch @@ -0,0 +1,91 @@ +From 6c182cd88d179cbbd06f4f8a8a19b6977940753f Mon Sep 17 00:00:00 2001 +From: Hannes Reinecke +Date: Wed, 10 Jul 2013 23:41:15 +0100 +Subject: dm mpath: fix ioctl deadlock when no paths + +From: Hannes Reinecke + +commit 6c182cd88d179cbbd06f4f8a8a19b6977940753f upstream. + +When multipath needs to retry an ioctl the reference to the +current live table needs to be dropped. Otherwise a deadlock +occurs when all paths are down: +- dm_blk_ioctl takes a reference to the current table + and spins in multipath_ioctl(). +- A new table is being loaded, but upon resume the process + hangs in dm_table_destroy() waiting for references to + drop to zero. + +With this patch the reference to the old table is dropped +prior to retry, thereby avoiding the deadlock. + +Signed-off-by: Hannes Reinecke +Cc: Mike Snitzer +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-mpath.c | 8 ++------ + drivers/md/dm.c | 9 ++++++++- + 2 files changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -1561,7 +1561,6 @@ static int multipath_ioctl(struct dm_tar + unsigned long flags; + int r; + +-again: + bdev = NULL; + mode = 0; + r = 0; +@@ -1579,7 +1578,7 @@ again: + } + + if ((pgpath && m->queue_io) || (!pgpath && m->queue_if_no_path)) +- r = -EAGAIN; ++ r = -ENOTCONN; + else if (!bdev) + r = -EIO; + +@@ -1591,11 +1590,8 @@ again: + if (!r && ti->len != i_size_read(bdev->bd_inode) >> SECTOR_SHIFT) + r = scsi_verify_blk_ioctl(NULL, cmd); + +- if (r == -EAGAIN && !fatal_signal_pending(current)) { ++ if (r == -ENOTCONN && !fatal_signal_pending(current)) + queue_work(kmultipathd, &m->process_queued_ios); +- msleep(10); +- goto again; +- } + + return r ? : __blkdev_driver_ioctl(bdev, mode, cmd, arg); + } +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -386,10 +386,12 @@ static int dm_blk_ioctl(struct block_dev + unsigned int cmd, unsigned long arg) + { + struct mapped_device *md = bdev->bd_disk->private_data; +- struct dm_table *map = dm_get_live_table(md); ++ struct dm_table *map; + struct dm_target *tgt; + int r = -ENOTTY; + ++retry: ++ map = dm_get_live_table(md); + if (!map || !dm_table_get_size(map)) + goto out; + +@@ -410,6 +412,11 @@ static int dm_blk_ioctl(struct block_dev + out: + dm_table_put(map); + ++ if (r == -ENOTCONN) { ++ msleep(10); ++ goto retry; ++ } ++ + return r; + } + diff --git a/queue-3.10/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch b/queue-3.10/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch new file mode 100644 index 00000000000..76b6ebc2b11 --- /dev/null +++ b/queue-3.10/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch @@ -0,0 +1,62 @@ +From b1bf2de07271932326af847a3c6a01fdfd29d4be Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 10 Jul 2013 23:41:16 +0100 +Subject: dm verity: fix inability to use a few specific devices sizes + +From: Mikulas Patocka + +commit b1bf2de07271932326af847a3c6a01fdfd29d4be upstream. + +Fix a boundary condition that caused failure for certain device sizes. + +The problem is reported at + http://code.google.com/p/cryptsetup/issues/detail?id=160 + +For certain device sizes the number of hashes at a specific level was +calculated incorrectly. + +It happens for example for a device with data and metadata block size 4096 +that has 16385 blocks and algorithm sha256. + +The user can test if he is affected by this bug by running the +"veritysetup verify" command and also by activating the dm-verity kernel +driver and reading the whole block device. If it passes without an error, +then the user is not affected. + +The condition for the bug is: + +Split the total number of data blocks (data_block_bits) into bit strings, +each string has hash_per_block_bits bits. hash_per_block_bits is +rounddown(log2(metadata_block_size/hash_digest_size)). Equivalently, you +can say that you convert data_blocks_bits to 2^hash_per_block_bits base. + +If there some zero bit string below the most significant bit string and at +least one bit below this zero bit string is set, then the bug happens. + +The same bug exists in the userspace veritysetup tool, so you must use +fixed veritysetup too if you want to use devices that are affected by +this boundary condition. + +Signed-off-by: Mikulas Patocka +Cc: Milan Broz +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-verity.c ++++ b/drivers/md/dm-verity.c +@@ -831,9 +831,8 @@ static int verity_ctr(struct dm_target * + for (i = v->levels - 1; i >= 0; i--) { + sector_t s; + v->hash_level_block[i] = hash_position; +- s = verity_position_at_level(v, v->data_blocks, i); +- s = (s >> v->hash_per_block_bits) + +- !!(s & ((1 << v->hash_per_block_bits) - 1)); ++ s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1) ++ >> ((i + 1) * v->hash_per_block_bits); + if (hash_position + s < hash_position) { + ti->error = "Hash device offset overflow"; + r = -E2BIG; diff --git a/queue-3.10/drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch b/queue-3.10/drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch new file mode 100644 index 00000000000..7efe386c4db --- /dev/null +++ b/queue-3.10/drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch @@ -0,0 +1,37 @@ +From c5e2254f8d63a6654149aa32ac5f2b7dd66a976d Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Sun, 14 Jul 2013 22:38:12 -0700 +Subject: Drivers: hv: balloon: Do not post pressure status if interrupted + +From: "K. Y. Srinivasan" + +commit c5e2254f8d63a6654149aa32ac5f2b7dd66a976d upstream. + +When we are posting pressure status, we may get interrupted and handle +the un-balloon operation. In this case just don't post the status as we +know the pressure status is stale. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_balloon.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -975,6 +975,14 @@ static void post_status(struct hv_dynmem + dm->num_pages_ballooned + + compute_balloon_floor(); + ++ /* ++ * If our transaction ID is no longer current, just don't ++ * send the status. This can happen if we were interrupted ++ * after we picked our transaction ID. ++ */ ++ if (status.hdr.trans_id != atomic_read(&trans_id)) ++ return; ++ + vmbus_sendpacket(dm->dev->channel, &status, + sizeof(struct dm_status), + (unsigned long)NULL, diff --git a/queue-3.10/drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch b/queue-3.10/drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch new file mode 100644 index 00000000000..a1a84f74390 --- /dev/null +++ b/queue-3.10/drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch @@ -0,0 +1,54 @@ +From ed07ec93e83ec471d365ce084e43ad90fd205903 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Sun, 14 Jul 2013 22:38:11 -0700 +Subject: Drivers: hv: balloon: Fix a bug in the hot-add code + +From: "K. Y. Srinivasan" + +commit ed07ec93e83ec471d365ce084e43ad90fd205903 upstream. + +As we hot-add 128 MB chunks of memory, we wait to ensure that the memory +is onlined before attempting to hot-add the next chunk. If the udev rule for +memory hot-add is not executed within the allowed time, we would rollback the +state and abort further hot-add. Since the hot-add has succeeded and the only +failure is that the memory is not onlined within the allowed time, we should not +be rolling back the state. Fix this bug. + +Signed-off-by: K. Y. Srinivasan +Acked-by: Jason Wang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/hv_balloon.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/hv/hv_balloon.c ++++ b/drivers/hv/hv_balloon.c +@@ -562,7 +562,7 @@ static void hv_mem_hot_add(unsigned long + struct hv_hotadd_state *has) + { + int ret = 0; +- int i, nid, t; ++ int i, nid; + unsigned long start_pfn; + unsigned long processed_pfn; + unsigned long total_pfn = pfn_count; +@@ -607,14 +607,11 @@ static void hv_mem_hot_add(unsigned long + + /* + * Wait for the memory block to be onlined. ++ * Since the hot add has succeeded, it is ok to ++ * proceed even if the pages in the hot added region ++ * have not been "onlined" within the allowed time. + */ +- t = wait_for_completion_timeout(&dm_device.ol_waitevent, 5*HZ); +- if (t == 0) { +- pr_info("hot_add memory timedout\n"); +- has->ha_end_pfn -= HA_CHUNK; +- has->covered_end_pfn -= processed_pfn; +- break; +- } ++ wait_for_completion_timeout(&dm_device.ol_waitevent, 5*HZ); + + } + diff --git a/queue-3.10/libata-make-it-clear-that-sata_inic162x-is-experimental.patch b/queue-3.10/libata-make-it-clear-that-sata_inic162x-is-experimental.patch new file mode 100644 index 00000000000..d1033db9898 --- /dev/null +++ b/queue-3.10/libata-make-it-clear-that-sata_inic162x-is-experimental.patch @@ -0,0 +1,70 @@ +From bb9696192826a7d9279caf872e95b41bc26c7eff Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 22 Jul 2013 16:53:36 -0400 +Subject: libata: make it clear that sata_inic162x is experimental + +From: Tejun Heo + +commit bb9696192826a7d9279caf872e95b41bc26c7eff upstream. + +sata_inic162x never reached a state where it's reliable enough for +production use and data corruption is a relatively common occurrence. +Make the driver generate warning about the issues and mark the Kconfig +option as experimental. + +If the situation doesn't improve, we'd be better off making it depend +on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel +message draws any attention. + +Signed-off-by: Tejun Heo +Reported-by: Martin Braure de Calignon +Reported-by: Ben Hutchings +Reported-by: risc4all@yahoo.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/Kconfig | 2 +- + drivers/ata/sata_inic162x.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -107,7 +107,7 @@ config SATA_FSL + If unsure, say N. + + config SATA_INIC162X +- tristate "Initio 162x SATA support" ++ tristate "Initio 162x SATA support (Very Experimental)" + depends on PCI + help + This option enables support for Initio 162x Serial ATA. +--- a/drivers/ata/sata_inic162x.c ++++ b/drivers/ata/sata_inic162x.c +@@ -6,6 +6,18 @@ + * + * This file is released under GPL v2. + * ++ * **** WARNING **** ++ * ++ * This driver never worked properly and unfortunately data corruption is ++ * relatively common. There isn't anyone working on the driver and there's ++ * no support from the vendor. Do not use this driver in any production ++ * environment. ++ * ++ * http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=60565 ++ * ++ * ***************** ++ * + * This controller is eccentric and easily locks up if something isn't + * right. Documentation is available at initio's website but it only + * documents registers (not programming model). +@@ -807,6 +819,8 @@ static int inic_init_one(struct pci_dev + + ata_print_version_once(&pdev->dev, DRV_VERSION); + ++ dev_alert(&pdev->dev, "inic162x support is broken with common data corruption issues and will be disabled by default, contact linux-ide@vger.kernel.org if in production use\n"); ++ + /* alloc host */ + host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS); + hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL); diff --git a/queue-3.10/md-raid1-fix-bio-handling-problems-in-process_checks.patch b/queue-3.10/md-raid1-fix-bio-handling-problems-in-process_checks.patch new file mode 100644 index 00000000000..822da056dc7 --- /dev/null +++ b/queue-3.10/md-raid1-fix-bio-handling-problems-in-process_checks.patch @@ -0,0 +1,113 @@ +From 30bc9b53878a9921b02e3b5bc4283ac1c6de102a Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 17 Jul 2013 15:19:29 +1000 +Subject: md/raid1: fix bio handling problems in process_checks() + +From: NeilBrown + +commit 30bc9b53878a9921b02e3b5bc4283ac1c6de102a upstream. + +Recent change to use bio_copy_data() in raid1 when repairing +an array is faulty. + +The underlying may have changed the bio in various ways using +bio_advance and these need to be undone not just for the 'sbio' which +is being copied to, but also the 'pbio' (primary) which is being +copied from. + +So perform the reset on all bios that were read from and do it early. + +This also ensure that the sbio->bi_io_vec[j].bv_len passed to +memcmp is correct. + +This fixes a crash during a 'check' of a RAID1 array. The crash was +introduced in 3.10 so this is suitable for 3.10-stable. + +Reported-by: Joe Lawrence +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid1.c | 53 ++++++++++++++++++++++++++++++----------------------- + 1 file changed, 30 insertions(+), 23 deletions(-) + +--- a/drivers/md/raid1.c ++++ b/drivers/md/raid1.c +@@ -1848,6 +1848,36 @@ static int process_checks(struct r1bio * + int i; + int vcnt; + ++ /* Fix variable parts of all bios */ ++ vcnt = (r1_bio->sectors + PAGE_SIZE / 512 - 1) >> (PAGE_SHIFT - 9); ++ for (i = 0; i < conf->raid_disks * 2; i++) { ++ int j; ++ int size; ++ struct bio *b = r1_bio->bios[i]; ++ if (b->bi_end_io != end_sync_read) ++ continue; ++ /* fixup the bio for reuse */ ++ bio_reset(b); ++ b->bi_vcnt = vcnt; ++ b->bi_size = r1_bio->sectors << 9; ++ b->bi_sector = r1_bio->sector + ++ conf->mirrors[i].rdev->data_offset; ++ b->bi_bdev = conf->mirrors[i].rdev->bdev; ++ b->bi_end_io = end_sync_read; ++ b->bi_private = r1_bio; ++ ++ size = b->bi_size; ++ for (j = 0; j < vcnt ; j++) { ++ struct bio_vec *bi; ++ bi = &b->bi_io_vec[j]; ++ bi->bv_offset = 0; ++ if (size > PAGE_SIZE) ++ bi->bv_len = PAGE_SIZE; ++ else ++ bi->bv_len = size; ++ size -= PAGE_SIZE; ++ } ++ } + for (primary = 0; primary < conf->raid_disks * 2; primary++) + if (r1_bio->bios[primary]->bi_end_io == end_sync_read && + test_bit(BIO_UPTODATE, &r1_bio->bios[primary]->bi_flags)) { +@@ -1856,12 +1886,10 @@ static int process_checks(struct r1bio * + break; + } + r1_bio->read_disk = primary; +- vcnt = (r1_bio->sectors + PAGE_SIZE / 512 - 1) >> (PAGE_SHIFT - 9); + for (i = 0; i < conf->raid_disks * 2; i++) { + int j; + struct bio *pbio = r1_bio->bios[primary]; + struct bio *sbio = r1_bio->bios[i]; +- int size; + + if (sbio->bi_end_io != end_sync_read) + continue; +@@ -1887,27 +1915,6 @@ static int process_checks(struct r1bio * + rdev_dec_pending(conf->mirrors[i].rdev, mddev); + continue; + } +- /* fixup the bio for reuse */ +- bio_reset(sbio); +- sbio->bi_vcnt = vcnt; +- sbio->bi_size = r1_bio->sectors << 9; +- sbio->bi_sector = r1_bio->sector + +- conf->mirrors[i].rdev->data_offset; +- sbio->bi_bdev = conf->mirrors[i].rdev->bdev; +- sbio->bi_end_io = end_sync_read; +- sbio->bi_private = r1_bio; +- +- size = sbio->bi_size; +- for (j = 0; j < vcnt ; j++) { +- struct bio_vec *bi; +- bi = &sbio->bi_io_vec[j]; +- bi->bv_offset = 0; +- if (size > PAGE_SIZE) +- bi->bv_len = PAGE_SIZE; +- else +- bi->bv_len = size; +- size -= PAGE_SIZE; +- } + + bio_copy_data(sbio, pbio); + } diff --git a/queue-3.10/md-raid10-remove-use-after-free-bug.patch b/queue-3.10/md-raid10-remove-use-after-free-bug.patch new file mode 100644 index 00000000000..8d33972f834 --- /dev/null +++ b/queue-3.10/md-raid10-remove-use-after-free-bug.patch @@ -0,0 +1,49 @@ +From 0eb25bb027a100f5a9df8991f2f628e7d851bc1e Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 24 Jul 2013 15:37:42 +1000 +Subject: md/raid10: remove use-after-free bug. + +From: NeilBrown + +commit 0eb25bb027a100f5a9df8991f2f628e7d851bc1e upstream. + +We always need to be careful when calling generic_make_request, as it +can start a chain of events which might free something that we are +using. + +Here is one place I wasn't careful enough. If the wbio2 is not in +use, then it might get freed at the first generic_make_request call. +So perform all necessary tests first. + +This bug was introduced in 3.3-rc3 (24afd80d99) and can cause an +oops, so fix is suitable for any -stable since then. + +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid10.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/md/raid10.c ++++ b/drivers/md/raid10.c +@@ -2268,12 +2268,18 @@ static void recovery_request_write(struc + d = r10_bio->devs[1].devnum; + wbio = r10_bio->devs[1].bio; + wbio2 = r10_bio->devs[1].repl_bio; ++ /* Need to test wbio2->bi_end_io before we call ++ * generic_make_request as if the former is NULL, ++ * the latter is free to free wbio2. ++ */ ++ if (wbio2 && !wbio2->bi_end_io) ++ wbio2 = NULL; + if (wbio->bi_end_io) { + atomic_inc(&conf->mirrors[d].rdev->nr_pending); + md_sync_acct(conf->mirrors[d].rdev->bdev, bio_sectors(wbio)); + generic_make_request(wbio); + } +- if (wbio2 && wbio2->bi_end_io) { ++ if (wbio2) { + atomic_inc(&conf->mirrors[d].replacement->nr_pending); + md_sync_acct(conf->mirrors[d].replacement->bdev, + bio_sectors(wbio2)); diff --git a/queue-3.10/md-raid5-fix-interaction-of-replace-and-recovery.patch b/queue-3.10/md-raid5-fix-interaction-of-replace-and-recovery.patch new file mode 100644 index 00000000000..ab1259dad28 --- /dev/null +++ b/queue-3.10/md-raid5-fix-interaction-of-replace-and-recovery.patch @@ -0,0 +1,106 @@ +From f94c0b6658c7edea8bc19d13be321e3860a3fa54 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 22 Jul 2013 12:57:21 +1000 +Subject: md/raid5: fix interaction of 'replace' and 'recovery'. + +From: NeilBrown + +commit f94c0b6658c7edea8bc19d13be321e3860a3fa54 upstream. + +If a device in a RAID4/5/6 is being replaced while another is being +recovered, then the writes to the replacement device currently don't +happen, resulting in corruption when the replacement completes and the +new drive takes over. + +This is because the replacement writes are only triggered when +'s.replacing' is set and not when the similar 's.sync' is set (which +is the case during resync and recovery - it means all devices need to +be read). + +So schedule those writes when s.replacing is set as well. + +In this case we cannot use "STRIPE_INSYNC" to record that the +replacement has happened as that is needed for recording that any +parity calculation is complete. So introduce STRIPE_REPLACED to +record if the replacement has happened. + +For safety we should also check that STRIPE_COMPUTE_RUN is not set. +This has a similar effect to the "s.locked == 0" test. The latter +ensure that now IO has been flagged but not started. The former +checks if any parity calculation has been flagged by not started. +We must wait for both of these to complete before triggering the +'replace'. + +Add a similar test to the subsequent check for "are we finished yet". +This possibly isn't needed (is subsumed in the STRIPE_INSYNC test), +but it makes it more obvious that the REPLACE will happen before we +think we are finished. + +Finally if a NeedReplace device is not UPTODATE then that is an +error. We really must trigger a warning. + +This bug was introduced in commit 9a3e1101b827a59ac9036a672f5fa8d5279d0fe2 +(md/raid5: detect and handle replacements during recovery.) +which introduced replacement for raid5. +That was in 3.3-rc3, so any stable kernel since then would benefit +from this fix. + +Reported-by: qindehua <13691222965@163.com> +Tested-by: qindehua +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/raid5.c | 15 ++++++++++----- + drivers/md/raid5.h | 1 + + 2 files changed, 11 insertions(+), 5 deletions(-) + +--- a/drivers/md/raid5.c ++++ b/drivers/md/raid5.c +@@ -3462,6 +3462,7 @@ static void handle_stripe(struct stripe_ + test_and_clear_bit(STRIPE_SYNC_REQUESTED, &sh->state)) { + set_bit(STRIPE_SYNCING, &sh->state); + clear_bit(STRIPE_INSYNC, &sh->state); ++ clear_bit(STRIPE_REPLACED, &sh->state); + } + spin_unlock(&sh->stripe_lock); + } +@@ -3607,19 +3608,23 @@ static void handle_stripe(struct stripe_ + handle_parity_checks5(conf, sh, &s, disks); + } + +- if (s.replacing && s.locked == 0 +- && !test_bit(STRIPE_INSYNC, &sh->state)) { ++ if ((s.replacing || s.syncing) && s.locked == 0 ++ && !test_bit(STRIPE_COMPUTE_RUN, &sh->state) ++ && !test_bit(STRIPE_REPLACED, &sh->state)) { + /* Write out to replacement devices where possible */ + for (i = 0; i < conf->raid_disks; i++) +- if (test_bit(R5_UPTODATE, &sh->dev[i].flags) && +- test_bit(R5_NeedReplace, &sh->dev[i].flags)) { ++ if (test_bit(R5_NeedReplace, &sh->dev[i].flags)) { ++ WARN_ON(!test_bit(R5_UPTODATE, &sh->dev[i].flags)); + set_bit(R5_WantReplace, &sh->dev[i].flags); + set_bit(R5_LOCKED, &sh->dev[i].flags); + s.locked++; + } +- set_bit(STRIPE_INSYNC, &sh->state); ++ if (s.replacing) ++ set_bit(STRIPE_INSYNC, &sh->state); ++ set_bit(STRIPE_REPLACED, &sh->state); + } + if ((s.syncing || s.replacing) && s.locked == 0 && ++ !test_bit(STRIPE_COMPUTE_RUN, &sh->state) && + test_bit(STRIPE_INSYNC, &sh->state)) { + md_done_sync(conf->mddev, STRIPE_SECTORS, 1); + clear_bit(STRIPE_SYNCING, &sh->state); +--- a/drivers/md/raid5.h ++++ b/drivers/md/raid5.h +@@ -306,6 +306,7 @@ enum { + STRIPE_SYNC_REQUESTED, + STRIPE_SYNCING, + STRIPE_INSYNC, ++ STRIPE_REPLACED, + STRIPE_PREREAD_ACTIVE, + STRIPE_DELAYED, + STRIPE_DEGRADED, diff --git a/queue-3.10/md-remove-recent-change-which-allows-devices-to-skip-recovery.patch b/queue-3.10/md-remove-recent-change-which-allows-devices-to-skip-recovery.patch new file mode 100644 index 00000000000..e3b31520f58 --- /dev/null +++ b/queue-3.10/md-remove-recent-change-which-allows-devices-to-skip-recovery.patch @@ -0,0 +1,61 @@ +From 5024c298311f3b97c85cb034f9edaa333fdb9338 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Wed, 17 Jul 2013 14:55:31 +1000 +Subject: md: Remove recent change which allows devices to skip recovery. + +From: NeilBrown + +commit 5024c298311f3b97c85cb034f9edaa333fdb9338 upstream. + +commit 7ceb17e87bde79d285a8b988cfed9eaeebe60b86 + md: Allow devices to be re-added to a read-only array. + +allowed a bit more than just that. It also allows devices to be added +to a read-write array and to end up skipping recovery. + +This patch removes the offending piece of code pending a rewrite for a +subsequent release. + +More specifically: + If the array has a bitmap, then the device will still need a bitmap + based resync ('saved_raid_disk' is set under different conditions + is a bitmap is present). + If the array doesn't have a bitmap, then this is correct as long as + nothing has been written to the array since the metadata was checked + by ->validate_super. However there is no locking to ensure that there + was no write. + +Bug was introduced in 3.10 and causes data corruption so +patch is suitable for 3.10-stable. + +Reported-by: Joe Lawrence +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/md.c | 14 -------------- + 1 file changed, 14 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -7697,20 +7697,6 @@ static int remove_and_add_spares(struct + continue; + + rdev->recovery_offset = 0; +- if (rdev->saved_raid_disk >= 0 && mddev->in_sync) { +- spin_lock_irq(&mddev->write_lock); +- if (mddev->in_sync) +- /* OK, this device, which is in_sync, +- * will definitely be noticed before +- * the next write, so recovery isn't +- * needed. +- */ +- rdev->recovery_offset = mddev->recovery_cp; +- spin_unlock_irq(&mddev->write_lock); +- } +- if (mddev->ro && rdev->recovery_offset != MaxSector) +- /* not safe to add this disk now */ +- continue; + if (mddev->pers-> + hot_add_disk(mddev, rdev) == 0) { + if (sysfs_link_rdev(mddev, rdev)) diff --git a/queue-3.10/nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch b/queue-3.10/nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch new file mode 100644 index 00000000000..2801d481a3e --- /dev/null +++ b/queue-3.10/nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch @@ -0,0 +1,94 @@ +From e4daf1ffbe6cc3b12aab4d604e627829e93e9914 Mon Sep 17 00:00:00 2001 +From: Harshula Jayasuriya +Date: Tue, 23 Jul 2013 14:21:35 +1000 +Subject: nfsd: nfsd_open: when dentry_open returns an error do not propagate as struct file + +From: Harshula Jayasuriya + +commit e4daf1ffbe6cc3b12aab4d604e627829e93e9914 upstream. + +The following call chain: +------------------------------------------------------------ +nfs4_get_vfs_file +- nfsd_open + - dentry_open + - do_dentry_open + - __get_file_write_access + - get_write_access + - return atomic_inc_unless_negative(&inode->i_writecount) ? 0 : -ETXTBSY; +------------------------------------------------------------ + +can result in the following state: +------------------------------------------------------------ +struct nfs4_file { +... + fi_fds = {0xffff880c1fa65c80, 0xffffffffffffffe6, 0x0}, + fi_access = {{ + counter = 0x1 + }, { + counter = 0x0 + }}, +... +------------------------------------------------------------ + +1) First time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is +NULL, hence nfsd_open() is called where we get status set to an error +and fp->fi_fds[O_WRONLY] to -ETXTBSY. Thus we do not reach +nfs4_file_get_access() and fi_access[O_WRONLY] is not incremented. + +2) Second time around, in nfs4_get_vfs_file() fp->fi_fds[O_WRONLY] is +NOT NULL (-ETXTBSY), so nfsd_open() is NOT called, but +nfs4_file_get_access() IS called and fi_access[O_WRONLY] is incremented. +Thus we leave a landmine in the form of the nfs4_file data structure in +an incorrect state. + +3) Eventually, when __nfs4_file_put_access() is called it finds +fi_access[O_WRONLY] being non-zero, it decrements it and calls +nfs4_file_put_fd() which tries to fput -ETXTBSY. +------------------------------------------------------------ +... + [exception RIP: fput+0x9] + RIP: ffffffff81177fa9 RSP: ffff88062e365c90 RFLAGS: 00010282 + RAX: ffff880c2b3d99cc RBX: ffff880c2b3d9978 RCX: 0000000000000002 + RDX: dead000000100101 RSI: 0000000000000001 RDI: ffffffffffffffe6 + RBP: ffff88062e365c90 R8: ffff88041fe797d8 R9: ffff88062e365d58 + R10: 0000000000000008 R11: 0000000000000000 R12: 0000000000000001 + R13: 0000000000000007 R14: 0000000000000000 R15: 0000000000000000 + ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 + #9 [ffff88062e365c98] __nfs4_file_put_access at ffffffffa0562334 [nfsd] + #10 [ffff88062e365cc8] nfs4_file_put_access at ffffffffa05623ab [nfsd] + #11 [ffff88062e365ce8] free_generic_stateid at ffffffffa056634d [nfsd] + #12 [ffff88062e365d18] release_open_stateid at ffffffffa0566e4b [nfsd] + #13 [ffff88062e365d38] nfsd4_close at ffffffffa0567401 [nfsd] + #14 [ffff88062e365d88] nfsd4_proc_compound at ffffffffa0557f28 [nfsd] + #15 [ffff88062e365dd8] nfsd_dispatch at ffffffffa054543e [nfsd] + #16 [ffff88062e365e18] svc_process_common at ffffffffa04ba5a4 [sunrpc] + #17 [ffff88062e365e98] svc_process at ffffffffa04babe0 [sunrpc] + #18 [ffff88062e365eb8] nfsd at ffffffffa0545b62 [nfsd] + #19 [ffff88062e365ee8] kthread at ffffffff81090886 + #20 [ffff88062e365f48] kernel_thread at ffffffff8100c14a +------------------------------------------------------------ + +Signed-off-by: Harshula Jayasuriya +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/vfs.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/nfsd/vfs.c ++++ b/fs/nfsd/vfs.c +@@ -802,9 +802,10 @@ nfsd_open(struct svc_rqst *rqstp, struct + flags = O_WRONLY|O_LARGEFILE; + } + *filp = dentry_open(&path, flags, current_cred()); +- if (IS_ERR(*filp)) ++ if (IS_ERR(*filp)) { + host_err = PTR_ERR(*filp); +- else { ++ *filp = NULL; ++ } else { + host_err = ima_file_check(*filp, may_flags); + + if (may_flags & NFSD_MAY_64BIT_COOKIE) diff --git a/queue-3.10/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch b/queue-3.10/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch new file mode 100644 index 00000000000..6b04ac61bc9 --- /dev/null +++ b/queue-3.10/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch @@ -0,0 +1,75 @@ +From 0e0ed6406e61434d3f38fb58aa8464ec4722b77e Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Mon, 15 Jul 2013 14:04:50 +1000 +Subject: powerpc/modules: Module CRC relocation fix causes perf issues + +From: Anton Blanchard + +commit 0e0ed6406e61434d3f38fb58aa8464ec4722b77e upstream. + +Module CRCs are implemented as absolute symbols that get resolved by +a linker script. We build an intermediate .o that contains an +unresolved symbol for each CRC. genksysms parses this .o, calculates +the CRCs and writes a linker script that "resolves" the symbols to +the calculated CRC. + +Unfortunately the ppc64 relocatable kernel sees these CRCs as symbols +that need relocating and relocates them at boot. Commit d4703aef +(module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y) +added a hook to reverse the bogus relocations. Part of this patch +created a symbol at 0x0: + +# head -2 /proc/kallsyms +0000000000000000 T reloc_start +c000000000000000 T .__start + +This reloc_start symbol is causing lots of confusion to perf. It +thinks reloc_start is a massive function that stretches from 0x0 to +0xc000000000000000 and we get various cryptic errors out of perf, +including: + +problem incrementing symbol count, skipping event + +This patch removes the reloc_start linker script label and instead +defines it as PHYSICAL_START. We also need to wrap it with +CONFIG_PPC64 because the ppc32 kernel can set a non zero +PHYSICAL_START at compile time and we wouldn't want to subtract +it from the CRCs in that case. + +Signed-off-by: Anton Blanchard +Acked-by: Rusty Russell +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/module.h | 5 ++--- + arch/powerpc/kernel/vmlinux.lds.S | 3 --- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/module.h ++++ b/arch/powerpc/include/asm/module.h +@@ -82,10 +82,9 @@ struct exception_table_entry; + void sort_ex_table(struct exception_table_entry *start, + struct exception_table_entry *finish); + +-#ifdef CONFIG_MODVERSIONS ++#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64) + #define ARCH_RELOCATES_KCRCTAB +- +-extern const unsigned long reloc_start[]; ++#define reloc_start PHYSICAL_START + #endif + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_MODULE_H */ +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4; + #endif + SECTIONS + { +- . = 0; +- reloc_start = .; +- + . = KERNELBASE; + + /* diff --git a/queue-3.10/regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch b/queue-3.10/regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch new file mode 100644 index 00000000000..fa91095bb5f --- /dev/null +++ b/queue-3.10/regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch @@ -0,0 +1,34 @@ +From f2e055e7c9c6084bfbaa68701e52562acf96419e Mon Sep 17 00:00:00 2001 +From: Daniel Mack +Date: Thu, 4 Jul 2013 13:11:03 +0200 +Subject: regmap: cache: bail in regmap_async_complete() for bus-less maps + +From: Daniel Mack + +commit f2e055e7c9c6084bfbaa68701e52562acf96419e upstream. + +Commit f8bd822cb ("regmap: cache: Factor out block sync") made +regcache_rbtree_sync() call regmap_async_complete(), which in turn does +not check for map->bus before dereferencing it. + +This causes a NULL pointer dereference on bus-less maps. + +Signed-off-by: Daniel Mack +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/regmap/regmap.c ++++ b/drivers/base/regmap/regmap.c +@@ -1717,7 +1717,7 @@ int regmap_async_complete(struct regmap + int ret; + + /* Nothing to do with no async support */ +- if (!map->bus->async_write) ++ if (!map->bus || !map->bus->async_write) + return 0; + + trace_regmap_async_complete_start(map->dev); diff --git a/queue-3.10/scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch b/queue-3.10/scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch new file mode 100644 index 00000000000..9957197d62c --- /dev/null +++ b/queue-3.10/scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch @@ -0,0 +1,58 @@ +From 96f15f29038e58e1b0a96483e2b369ff446becf1 Mon Sep 17 00:00:00 2001 +From: Jeff Skirvin +Date: Thu, 11 Jul 2013 17:18:58 -0700 +Subject: SCSI: isci: Fix a race condition in the SSP task management path + +From: Jeff Skirvin + +commit 96f15f29038e58e1b0a96483e2b369ff446becf1 upstream. + +This commit fixes a race condition in the isci driver abort task and SSP +device task management path. The race is caused when an I/O termination +in the SCU hardware is necessary because of an SSP target timeout condition, +and the check of the I/O end state races against the HW-termination-driven +end state. The failure of the race meant that no TMF was sent to the device +to clean-up the pending I/O. + +Signed-off-by: Jeff Skirvin +Reviewed-by: Lukasz Dorau +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/isci/task.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/isci/task.c ++++ b/drivers/scsi/isci/task.c +@@ -491,6 +491,7 @@ int isci_task_abort_task(struct sas_task + struct isci_tmf tmf; + int ret = TMF_RESP_FUNC_FAILED; + unsigned long flags; ++ int target_done_already = 0; + + /* Get the isci_request reference from the task. Note that + * this check does not depend on the pending request list +@@ -505,9 +506,11 @@ int isci_task_abort_task(struct sas_task + /* If task is already done, the request isn't valid */ + if (!(task->task_state_flags & SAS_TASK_STATE_DONE) && + (task->task_state_flags & SAS_TASK_AT_INITIATOR) && +- old_request) ++ old_request) { + idev = isci_get_device(task->dev->lldd_dev); +- ++ target_done_already = test_bit(IREQ_COMPLETE_IN_TARGET, ++ &old_request->flags); ++ } + spin_unlock(&task->task_state_lock); + spin_unlock_irqrestore(&ihost->scic_lock, flags); + +@@ -561,7 +564,7 @@ int isci_task_abort_task(struct sas_task + + if (task->task_proto == SAS_PROTOCOL_SMP || + sas_protocol_ata(task->task_proto) || +- test_bit(IREQ_COMPLETE_IN_TARGET, &old_request->flags) || ++ target_done_already || + test_bit(IDEV_GONE, &idev->flags)) { + + spin_unlock_irqrestore(&ihost->scic_lock, flags); diff --git a/queue-3.10/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch b/queue-3.10/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch new file mode 100644 index 00000000000..7ee57ba93a7 --- /dev/null +++ b/queue-3.10/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch @@ -0,0 +1,62 @@ +From c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Fri, 12 Jul 2013 14:47:51 -0400 +Subject: SCSI: qla2xxx: Properly set the tagging for commands. + +From: Saurav Kashyap + +commit c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 upstream. + +This fixes a regression where Xyratex controllers and disks were lost by the +driver: + +https://bugzilla.kernel.org/show_bug.cgi?id=59601 + +Reported-by: Jack Hill +Signed-off-by: Saurav Kashyap +Signed-off-by: Giridhar Malavali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -419,6 +419,8 @@ qla2x00_start_scsi(srb_t *sp) + __constant_cpu_to_le16(CF_SIMPLE_TAG); + break; + } ++ } else { ++ cmd_pkt->control_flags = __constant_cpu_to_le16(CF_SIMPLE_TAG); + } + + /* Load SCSI command packet. */ +@@ -1308,11 +1310,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp + fcp_cmnd->task_attribute = TSK_ORDERED; + break; + default: +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + break; + } + } else { +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + } + + cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status iocb */ +@@ -1527,7 +1529,12 @@ qla24xx_start_scsi(srb_t *sp) + case ORDERED_QUEUE_TAG: + cmd_pkt->task = TSK_ORDERED; + break; ++ default: ++ cmd_pkt->task = TSK_SIMPLE; ++ break; + } ++ } else { ++ cmd_pkt->task = TSK_SIMPLE; + } + + /* Load SCSI command packet. */ diff --git a/queue-3.10/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch b/queue-3.10/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch new file mode 100644 index 00000000000..6e987517d97 --- /dev/null +++ b/queue-3.10/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch @@ -0,0 +1,74 @@ +From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Fri, 2 Nov 2012 09:38:34 -0400 +Subject: SCSI: sd: fix crash when UA received on DIF enabled device + +From: "Ewan D. Milne" + +commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream. + +sd_prep_fn will allocate a larger CDB for the command via mempool_alloc +for devices using DIF type 2 protection. This CDB was being freed +in sd_done, which results in a kernel crash if the command is retried +due to a UNIT ATTENTION. This change moves the code to free the larger +CDB into sd_unprep_fn instead, which is invoked after the request is +complete. + +It is no longer necessary to call scsi_print_command separately for +this case as the ->cmnd will no longer be NULL in the normal code path. + +Also removed conditional test for DIF type 2 when freeing the larger +CDB because the protection_type could have been changed via sysfs while +the command was executing. + +Signed-off-by: Ewan D. Milne +Acked-by: Martin K. Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -828,10 +828,17 @@ static int scsi_setup_flush_cmnd(struct + + static void sd_unprep_fn(struct request_queue *q, struct request *rq) + { ++ struct scsi_cmnd *SCpnt = rq->special; ++ + if (rq->cmd_flags & REQ_DISCARD) { + free_page((unsigned long)rq->buffer); + rq->buffer = NULL; + } ++ if (SCpnt->cmnd != rq->cmd) { ++ mempool_free(SCpnt->cmnd, sd_cdb_pool); ++ SCpnt->cmnd = NULL; ++ SCpnt->cmd_len = 0; ++ } + } + + /** +@@ -1710,21 +1717,6 @@ static int sd_done(struct scsi_cmnd *SCp + if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt)) + sd_dif_complete(SCpnt, good_bytes); + +- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type) +- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) { +- +- /* We have to print a failed command here as the +- * extended CDB gets freed before scsi_io_completion() +- * is called. +- */ +- if (result) +- scsi_print_command(SCpnt); +- +- mempool_free(SCpnt->cmnd, sd_cdb_pool); +- SCpnt->cmnd = NULL; +- SCpnt->cmd_len = 0; +- } +- + return good_bytes; + } + diff --git a/queue-3.10/series b/queue-3.10/series index d45bf63d321..98b3da40ac6 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -12,3 +12,54 @@ asoc-max98088-fix-element-type-of-the-register-cache.patch asoc-tegra-correct-playback_dma_data-setup.patch asoc-wm8962-remove-remaining-direct-register-cache-accesses.patch arm-7722-1-zimage-convert-32bits-memory-size-and-address-from-atag-to-64bits-dtb.patch +scsi-isci-fix-a-race-condition-in-the-ssp-task-management-path.patch +scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch +scsi-qla2xxx-properly-set-the-tagging-for-commands.patch +tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch +tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch +tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch +tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch +usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch +xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch +xhci-avoid-null-pointer-deref-when-host-dies.patch +usb-ehci-fix-resume-signalling-on-remote-wakeup.patch +usb-mos7840-fix-memory-leak-in-open.patch +usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch +usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch +usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch +usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch +usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch +usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch +usb-global-suspend-and-remote-wakeup-don-t-mix.patch +staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch +staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch +staging-android-logger-correct-write-offset-reset-on-error.patch +cpufreq-intel_pstate-change-to-scale-off-of-max-p-state.patch +btrfs-fix-wrong-write-offset-when-replacing-a-device.patch +btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch +btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch +xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch +xen-blkback-check-device-permissions-before-allowing-op_discard.patch +x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch +x86-make-sure-idt-is-page-aligned.patch +md-remove-recent-change-which-allows-devices-to-skip-recovery.patch +md-raid1-fix-bio-handling-problems-in-process_checks.patch +md-raid5-fix-interaction-of-replace-and-recovery.patch +md-raid10-remove-use-after-free-bug.patch +ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch +libata-make-it-clear-that-sata_inic162x-is-experimental.patch +svcrdma-underflow-issue-in-decode_write_list.patch +crypto-caam-fixed-the-memory-out-of-bound-overwrite-issue.patch +powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch +nfsd-nfsd_open-when-dentry_open-returns-an-error-do-not-propagate-as-struct-file.patch +tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch +drivers-hv-balloon-fix-a-bug-in-the-hot-add-code.patch +drivers-hv-balloon-do-not-post-pressure-status-if-interrupted.patch +regmap-cache-bail-in-regmap_async_complete-for-bus-less-maps.patch +acpi-scan-always-call-acpi_bus_scan-for-bus-check-notifications.patch +acpi-scan-do-not-try-to-attach-scan-handlers-to-devices-having-them.patch +acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch +acpi-video-ignore-bios-initial-backlight-value-for-fujitsu-e753.patch +dm-mpath-fix-ioctl-deadlock-when-no-paths.patch +dm-ioctl-set-noio-flag-to-avoid-__vmalloc-deadlock.patch +dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch diff --git a/queue-3.10/staging-android-logger-correct-write-offset-reset-on-error.patch b/queue-3.10/staging-android-logger-correct-write-offset-reset-on-error.patch new file mode 100644 index 00000000000..cb77ea92826 --- /dev/null +++ b/queue-3.10/staging-android-logger-correct-write-offset-reset-on-error.patch @@ -0,0 +1,43 @@ +From 72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2 Mon Sep 17 00:00:00 2001 +From: Karlis Ogsts +Date: Mon, 22 Jul 2013 13:51:42 -0700 +Subject: staging: android: logger: Correct write offset reset on error + +From: Karlis Ogsts + +commit 72bb99cfe9c57d2044445fb34bbc95b4c0bae6f2 upstream. + +In the situation that a writer fails to copy data from userspace it will reset +the write offset to the value it had before it went to sleep. This discarding +any messages written while aquiring the mutex. + +Therefore the reset offset needs to be retrieved after acquiring the mutex. + +Cc: Android Kernel Team +Signed-off-by: Bjorn Andersson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/android/logger.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/staging/android/logger.c ++++ b/drivers/staging/android/logger.c +@@ -469,7 +469,7 @@ static ssize_t logger_aio_write(struct k + unsigned long nr_segs, loff_t ppos) + { + struct logger_log *log = file_get_log(iocb->ki_filp); +- size_t orig = log->w_off; ++ size_t orig; + struct logger_entry header; + struct timespec now; + ssize_t ret = 0; +@@ -490,6 +490,8 @@ static ssize_t logger_aio_write(struct k + + mutex_lock(&log->mutex); + ++ orig = log->w_off; ++ + /* + * Fix up any readers, pulling them forward to the first readable + * entry after (what will be) the new write offset. We do this now diff --git a/queue-3.10/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch b/queue-3.10/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch new file mode 100644 index 00000000000..54b90f942bd --- /dev/null +++ b/queue-3.10/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch @@ -0,0 +1,57 @@ +From 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 8 Jul 2013 13:36:19 +0100 +Subject: staging: comedi: COMEDI_CANCEL ioctl should wake up read/write + +From: Ian Abbott + +commit 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b upstream. + +Comedi devices can do blocking read() or write() (or poll()) if an +asynchronous command has been set up, blocking for data (for read()) or +buffer space (for write()). Various events associated with the +asynchronous command will wake up the blocked reader or writer (or +poller). It is also possible to force the asynchronous command to +terminate by issuing a `COMEDI_CANCEL` ioctl. That shuts down the +asynchronous command, but does not currently wake up the blocked reader +or writer (or poller). If the blocked task could be woken up, it would +see that the command is no longer active and return. The caller of the +`COMEDI_CANCEL` ioctl could attempt to wake up the blocked task by +sending a signal, but that's a nasty workaround. + +Change `do_cancel_ioctl()` to wake up the wait queue after it returns +from `do_cancel()`. `do_cancel()` can propagate an error return value +from the low-level comedi driver's cancel routine, but it always shuts +the command down regardless, so `do_cancel_ioctl()` can wake up he wait +queue regardless of the return value from `do_cancel()`. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1692,6 +1692,7 @@ static int do_cancel_ioctl(struct comedi + void *file) + { + struct comedi_subdevice *s; ++ int ret; + + if (arg >= dev->n_subdevices) + return -EINVAL; +@@ -1708,7 +1709,11 @@ static int do_cancel_ioctl(struct comedi + if (s->busy != file) + return -EBUSY; + +- return do_cancel(dev, s); ++ ret = do_cancel(dev, s); ++ if (comedi_get_subdevice_runflags(s) & SRF_USER) ++ wake_up_interruptible(&s->async->wait_head); ++ ++ return ret; + } + + /* diff --git a/queue-3.10/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch b/queue-3.10/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch new file mode 100644 index 00000000000..763886b57dd --- /dev/null +++ b/queue-3.10/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch @@ -0,0 +1,134 @@ +From 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Fri, 5 Jul 2013 16:49:34 +0100 +Subject: staging: comedi: fix a race between do_cmd_ioctl() and read/write + +From: Ian Abbott + +commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream. + +`do_cmd_ioctl()` is called with the comedi device's mutex locked to +process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command +handling on a comedi subdevice. `comedi_read()` and `comedi_write()` +are the `read` and `write` handlers for the comedi device, but do not +lock the mutex (for performance reasons, as some things can hold the +mutex for quite a long time). + +There is a race condition if `comedi_read()` or `comedi_write()` is +running at the same time and for the same file object and comedi +subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's +`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag +in the subdevice's `runflags` member. `comedi_read() and +`comedi_write()` check the subdevice's `busy` pointer is pointing to the +current file object, then if the `SRF_RUNNING` flag is not set, will call +`do_become_nonbusy()` to shut down the asyncronous command. Bad things +can happen if the asynchronous command is being shutdown and set up at +the same time. + +To prevent the race, don't set the `busy` pointer until +after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is +held in `comedi_read()` and `comedi_write()` while calling +`do_become_nonbusy()` in order to avoid moving the race condition to a +point within that function. + +Change some error handling `goto cleanup` statements in `do_cmd_ioctl()` +to simple `return -ERRFOO` statements as a result of changing when the +`busy` pointer is set. + +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 25 +++++++++++++++---------- + 1 file changed, 15 insertions(+), 10 deletions(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1401,22 +1401,19 @@ static int do_cmd_ioctl(struct comedi_de + DPRINTK("subdevice busy\n"); + return -EBUSY; + } +- s->busy = file; + + /* make sure channel/gain list isn't too long */ + if (cmd.chanlist_len > s->len_chanlist) { + DPRINTK("channel/gain list too long %u > %d\n", + cmd.chanlist_len, s->len_chanlist); +- ret = -EINVAL; +- goto cleanup; ++ return -EINVAL; + } + + /* make sure channel/gain list isn't too short */ + if (cmd.chanlist_len < 1) { + DPRINTK("channel/gain list too short %u < 1\n", + cmd.chanlist_len); +- ret = -EINVAL; +- goto cleanup; ++ return -EINVAL; + } + + async->cmd = cmd; +@@ -1426,8 +1423,7 @@ static int do_cmd_ioctl(struct comedi_de + kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL); + if (!async->cmd.chanlist) { + DPRINTK("allocation failed\n"); +- ret = -ENOMEM; +- goto cleanup; ++ return -ENOMEM; + } + + if (copy_from_user(async->cmd.chanlist, user_chanlist, +@@ -1479,6 +1475,9 @@ static int do_cmd_ioctl(struct comedi_de + + comedi_set_subdevice_runflags(s, ~0, SRF_USER | SRF_RUNNING); + ++ /* set s->busy _after_ setting SRF_RUNNING flag to avoid race with ++ * comedi_read() or comedi_write() */ ++ s->busy = file; + ret = s->do_cmd(dev, s); + if (ret == 0) + return 0; +@@ -2041,11 +2040,13 @@ static ssize_t comedi_write(struct file + + if (!comedi_is_subdevice_running(s)) { + if (count == 0) { ++ mutex_lock(&dev->mutex); + if (comedi_is_subdevice_in_error(s)) + retval = -EPIPE; + else + retval = 0; + do_become_nonbusy(dev, s); ++ mutex_unlock(&dev->mutex); + } + break; + } +@@ -2144,11 +2145,13 @@ static ssize_t comedi_read(struct file * + + if (n == 0) { + if (!comedi_is_subdevice_running(s)) { ++ mutex_lock(&dev->mutex); + do_become_nonbusy(dev, s); + if (comedi_is_subdevice_in_error(s)) + retval = -EPIPE; + else + retval = 0; ++ mutex_unlock(&dev->mutex); + break; + } + if (file->f_flags & O_NONBLOCK) { +@@ -2186,9 +2189,11 @@ static ssize_t comedi_read(struct file * + buf += n; + break; /* makes device work like a pipe */ + } +- if (comedi_is_subdevice_idle(s) && +- async->buf_read_count - async->buf_write_count == 0) { +- do_become_nonbusy(dev, s); ++ if (comedi_is_subdevice_idle(s)) { ++ mutex_lock(&dev->mutex); ++ if (async->buf_read_count - async->buf_write_count == 0) ++ do_become_nonbusy(dev, s); ++ mutex_unlock(&dev->mutex); + } + set_current_state(TASK_RUNNING); + remove_wait_queue(&async->wait_head, &wait); diff --git a/queue-3.10/svcrdma-underflow-issue-in-decode_write_list.patch b/queue-3.10/svcrdma-underflow-issue-in-decode_write_list.patch new file mode 100644 index 00000000000..1f7b2e5b822 --- /dev/null +++ b/queue-3.10/svcrdma-underflow-issue-in-decode_write_list.patch @@ -0,0 +1,74 @@ +From b2781e1021525649c0b33fffd005ef219da33926 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Fri, 12 Jul 2013 09:39:03 +0300 +Subject: svcrdma: underflow issue in decode_write_list() + +From: Dan Carpenter + +commit b2781e1021525649c0b33fffd005ef219da33926 upstream. + +My static checker marks everything from ntohl() as untrusted and it +complains we could have an underflow problem doing: + + return (u32 *)&ary->wc_array[nchunks]; + +Also on 32 bit systems the upper bound check could overflow. + +Signed-off-by: Dan Carpenter +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtrdma/svc_rdma_marshal.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +--- a/net/sunrpc/xprtrdma/svc_rdma_marshal.c ++++ b/net/sunrpc/xprtrdma/svc_rdma_marshal.c +@@ -98,6 +98,7 @@ void svc_rdma_rcl_chunk_counts(struct rp + */ + static u32 *decode_write_list(u32 *va, u32 *vaend) + { ++ unsigned long start, end; + int nchunks; + + struct rpcrdma_write_array *ary = +@@ -113,9 +114,12 @@ static u32 *decode_write_list(u32 *va, u + return NULL; + } + nchunks = ntohl(ary->wc_nchunks); +- if (((unsigned long)&ary->wc_array[0] + +- (sizeof(struct rpcrdma_write_chunk) * nchunks)) > +- (unsigned long)vaend) { ++ ++ start = (unsigned long)&ary->wc_array[0]; ++ end = (unsigned long)vaend; ++ if (nchunks < 0 || ++ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) || ++ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) { + dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n", + ary, nchunks, vaend); + return NULL; +@@ -129,6 +133,7 @@ static u32 *decode_write_list(u32 *va, u + + static u32 *decode_reply_array(u32 *va, u32 *vaend) + { ++ unsigned long start, end; + int nchunks; + struct rpcrdma_write_array *ary = + (struct rpcrdma_write_array *)va; +@@ -143,9 +148,12 @@ static u32 *decode_reply_array(u32 *va, + return NULL; + } + nchunks = ntohl(ary->wc_nchunks); +- if (((unsigned long)&ary->wc_array[0] + +- (sizeof(struct rpcrdma_write_chunk) * nchunks)) > +- (unsigned long)vaend) { ++ ++ start = (unsigned long)&ary->wc_array[0]; ++ end = (unsigned long)vaend; ++ if (nchunks < 0 || ++ nchunks > (SIZE_MAX - start) / sizeof(struct rpcrdma_write_chunk) || ++ (start + (sizeof(struct rpcrdma_write_chunk) * nchunks)) > end) { + dprintk("svcrdma: ary=%p, wc_nchunks=%d, vaend=%p\n", + ary, nchunks, vaend); + return NULL; diff --git a/queue-3.10/tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch b/queue-3.10/tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch new file mode 100644 index 00000000000..eadf1fb5932 --- /dev/null +++ b/queue-3.10/tools-hv-kvp-fix-a-bug-in-ipv6-subnet-enumeration.patch @@ -0,0 +1,33 @@ +From ed4bb9744b41d39ba35080c2390e201575121dc7 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Thu, 11 Jul 2013 12:03:31 -0700 +Subject: Tools: hv: KVP: Fix a bug in IPV6 subnet enumeration + +From: "K. Y. Srinivasan" + +commit ed4bb9744b41d39ba35080c2390e201575121dc7 upstream. + +Each subnet string needs to be separated with a semicolon. Fix this bug. + +Signed-off-by: K. Y. Srinivasan +Signed-off-by: Greg Kroah-Hartman + +--- + tools/hv/hv_kvp_daemon.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/tools/hv/hv_kvp_daemon.c ++++ b/tools/hv/hv_kvp_daemon.c +@@ -1016,9 +1016,10 @@ kvp_get_ip_info(int family, char *if_nam + + if (sn_offset == 0) + strcpy(sn_str, cidr_mask); +- else ++ else { ++ strcat((char *)ip_buffer->sub_net, ";"); + strcat(sn_str, cidr_mask); +- strcat((char *)ip_buffer->sub_net, ";"); ++ } + sn_offset += strlen(sn_str) + 1; + } + diff --git a/queue-3.10/tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch b/queue-3.10/tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch new file mode 100644 index 00000000000..3ac072a9634 --- /dev/null +++ b/queue-3.10/tracing-fix-error-handling-to-ensure-instances-can-always-be-removed.patch @@ -0,0 +1,42 @@ +From 609e85a70bcd0eedf4ec60639dbcfb1ab011e054 Mon Sep 17 00:00:00 2001 +From: Alexander Z Lam +Date: Wed, 10 Jul 2013 17:34:34 -0700 +Subject: tracing: Fix error handling to ensure instances can always be removed + +From: Alexander Z Lam + +commit 609e85a70bcd0eedf4ec60639dbcfb1ab011e054 upstream. + +Remove debugfs directories for tracing instances during creation if an error +occurs causing the trace_array for that instance to not be added to +ftrace_trace_arrays. If the directory continues to exist after the error, it +cannot be removed because the respective trace_array is not in +ftrace_trace_arrays. + +Link: http://lkml.kernel.org/r/1373502874-1706-2-git-send-email-azl@google.com + +Signed-off-by: Alexander Z Lam +Cc: Vaibhav Nagarnaik +Cc: David Sharp +Cc: Alexander Z Lam +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -5926,8 +5926,10 @@ static int new_instance_create(const cha + goto out_free_tr; + + ret = event_trace_add_tracer(tr->dir, tr); +- if (ret) ++ if (ret) { ++ debugfs_remove_recursive(tr->dir); + goto out_free_tr; ++ } + + init_tracer_debugfs(tr, tr->dir); + diff --git a/queue-3.10/tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch b/queue-3.10/tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch new file mode 100644 index 00000000000..7c9f9280963 --- /dev/null +++ b/queue-3.10/tracing-kill-the-unbalanced-tr-ref-in-tracing_buffers_open.patch @@ -0,0 +1,43 @@ +From e70e78e3c83b536730e31231dd9b979768d8df3c Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Fri, 19 Jul 2013 17:36:44 +0200 +Subject: tracing: Kill the unbalanced tr->ref++ in tracing_buffers_open() + +From: Oleg Nesterov + +commit e70e78e3c83b536730e31231dd9b979768d8df3c upstream. + +tracing_buffers_open() does trace_array_get() and then it wrongly +inrcements tr->ref again under trace_types_lock. This means that +every caller leaks trace_array: + + # cd /sys/kernel/debug/tracing/ + # mkdir instances/X + # true < instances/X/per_cpu/cpu0/trace_pipe_raw + # rmdir instances/X + rmdir: failed to remove `instances/X': Device or resource busy + +Link: http://lkml.kernel.org/r/20130719153644.GA18899@redhat.com + +Signed-off-by: Oleg Nesterov +Cc: Ingo Molnar +Cc: Frederic Weisbecker +Cc: Masami Hiramatsu +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -4907,8 +4907,6 @@ static int tracing_buffers_open(struct i + + mutex_lock(&trace_types_lock); + +- tr->ref++; +- + info->iter.tr = tr; + info->iter.cpu_file = tc->cpu; + info->iter.trace = tr->current_trace; diff --git a/queue-3.10/tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch b/queue-3.10/tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch new file mode 100644 index 00000000000..a1046eb403d --- /dev/null +++ b/queue-3.10/tracing-miscellaneous-fixes-for-trace_array-ref-counting.patch @@ -0,0 +1,171 @@ +From f77d09a384676bde6445413949d9d2c508ff3e62 Mon Sep 17 00:00:00 2001 +From: Alexander Z Lam +Date: Thu, 18 Jul 2013 11:18:44 -0700 +Subject: tracing: Miscellaneous fixes for trace_array ref counting + +From: Alexander Z Lam + +commit f77d09a384676bde6445413949d9d2c508ff3e62 upstream. + +Some error paths did not handle ref counting properly, and some trace files need +ref counting. + +Link: http://lkml.kernel.org/r/1374171524-11948-1-git-send-email-azl@google.com + +Signed-off-by: Alexander Z Lam +Cc: Vaibhav Nagarnaik +Cc: David Sharp +Cc: Alexander Z Lam +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 24 ++++++++++++++++++------ + kernel/trace/trace_events.c | 21 +++++++++++++++++++-- + 2 files changed, 37 insertions(+), 8 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2956,7 +2956,6 @@ static int tracing_release(struct inode + + iter = m->private; + tr = iter->tr; +- trace_array_put(tr); + + mutex_lock(&trace_types_lock); + +@@ -2971,6 +2970,9 @@ static int tracing_release(struct inode + if (!iter->snapshot) + /* reenable tracing if it was previously enabled */ + tracing_start_tr(tr); ++ ++ __trace_array_put(tr); ++ + mutex_unlock(&trace_types_lock); + + mutex_destroy(&iter->mutex); +@@ -3395,6 +3397,7 @@ tracing_trace_options_write(struct file + static int tracing_trace_options_open(struct inode *inode, struct file *file) + { + struct trace_array *tr = inode->i_private; ++ int ret; + + if (tracing_disabled) + return -ENODEV; +@@ -3402,7 +3405,11 @@ static int tracing_trace_options_open(st + if (trace_array_get(tr) < 0) + return -ENODEV; + +- return single_open(file, tracing_trace_options_show, inode->i_private); ++ ret = single_open(file, tracing_trace_options_show, inode->i_private); ++ if (ret < 0) ++ trace_array_put(tr); ++ ++ return ret; + } + + static const struct file_operations tracing_iter_fops = { +@@ -3906,6 +3913,7 @@ static int tracing_open_pipe(struct inod + iter = kzalloc(sizeof(*iter), GFP_KERNEL); + if (!iter) { + ret = -ENOMEM; ++ __trace_array_put(tr); + goto out; + } + +@@ -4652,21 +4660,24 @@ static int tracing_snapshot_open(struct + ret = PTR_ERR(iter); + } else { + /* Writes still need the seq_file to hold the private data */ ++ ret = -ENOMEM; + m = kzalloc(sizeof(*m), GFP_KERNEL); + if (!m) +- return -ENOMEM; ++ goto out; + iter = kzalloc(sizeof(*iter), GFP_KERNEL); + if (!iter) { + kfree(m); +- return -ENOMEM; ++ goto out; + } ++ ret = 0; ++ + iter->tr = tr; + iter->trace_buffer = &tc->tr->max_buffer; + iter->cpu_file = tc->cpu; + m->private = iter; + file->private_data = m; + } +- ++out: + if (ret < 0) + trace_array_put(tr); + +@@ -5276,9 +5287,10 @@ tracing_stats_read(struct file *filp, ch + } + + static const struct file_operations tracing_stats_fops = { +- .open = tracing_open_generic, ++ .open = tracing_open_generic_tc, + .read = tracing_stats_read, + .llseek = generic_file_llseek, ++ .release = tracing_release_generic_tc, + }; + + #ifdef CONFIG_DYNAMIC_FTRACE +--- a/kernel/trace/trace_events.c ++++ b/kernel/trace/trace_events.c +@@ -1221,6 +1221,7 @@ show_header(struct file *filp, char __us + + static int ftrace_event_avail_open(struct inode *inode, struct file *file); + static int ftrace_event_set_open(struct inode *inode, struct file *file); ++static int ftrace_event_release(struct inode *inode, struct file *file); + + static const struct seq_operations show_event_seq_ops = { + .start = t_start, +@@ -1248,7 +1249,7 @@ static const struct file_operations ftra + .read = seq_read, + .write = ftrace_event_write, + .llseek = seq_lseek, +- .release = seq_release, ++ .release = ftrace_event_release, + }; + + static const struct file_operations ftrace_enable_fops = { +@@ -1326,6 +1327,15 @@ ftrace_event_open(struct inode *inode, s + return ret; + } + ++static int ftrace_event_release(struct inode *inode, struct file *file) ++{ ++ struct trace_array *tr = inode->i_private; ++ ++ trace_array_put(tr); ++ ++ return seq_release(inode, file); ++} ++ + static int + ftrace_event_avail_open(struct inode *inode, struct file *file) + { +@@ -1339,12 +1349,19 @@ ftrace_event_set_open(struct inode *inod + { + const struct seq_operations *seq_ops = &show_set_event_seq_ops; + struct trace_array *tr = inode->i_private; ++ int ret; ++ ++ if (trace_array_get(tr) < 0) ++ return -ENODEV; + + if ((file->f_mode & FMODE_WRITE) && + (file->f_flags & O_TRUNC)) + ftrace_clear_events(tr); + +- return ftrace_event_open(inode, file, seq_ops); ++ ret = ftrace_event_open(inode, file, seq_ops); ++ if (ret < 0) ++ trace_array_put(tr); ++ return ret; + } + + static struct event_subsystem * diff --git a/queue-3.10/tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch b/queue-3.10/tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch new file mode 100644 index 00000000000..5b4e0ed8907 --- /dev/null +++ b/queue-3.10/tracing-remove-locking-trace_types_lock-from-tracing_reset_all_online_cpus.patch @@ -0,0 +1,60 @@ +From 09d8091c024ec88d1541d93eb8ddb2bd5cf10c39 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 23 Jul 2013 22:21:59 -0400 +Subject: tracing: Remove locking trace_types_lock from tracing_reset_all_online_cpus() + +From: "Steven Rostedt (Red Hat)" + +commit 09d8091c024ec88d1541d93eb8ddb2bd5cf10c39 upstream. + +Commit a82274151af "tracing: Protect ftrace_trace_arrays list in trace_events.c" +added taking the trace_types_lock mutex in trace_events.c as there were +several locations that needed it for protection. Unfortunately, it also +encapsulated a call to tracing_reset_all_online_cpus() which also takes +the trace_types_lock, causing a deadlock. + +This happens when a module has tracepoints and has been traced. When the +module is removed, the trace events module notifier will grab the +trace_types_lock, do a bunch of clean ups, and also clears the buffer +by calling tracing_reset_all_online_cpus. This doesn't happen often +which explains why it wasn't caught right away. + +Commit a82274151af was marked for stable, which means this must be +sent to stable too. + +Link: http://lkml.kernel.org/r/51EEC646.7070306@broadcom.com + +Reported-by: Arend van Spril +Tested-by: Arend van Spriel +Cc: Alexander Z Lam +Cc: Vaibhav Nagarnaik +Cc: David Sharp +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1163,18 +1163,17 @@ void tracing_reset_current(int cpu) + tracing_reset(&global_trace.trace_buffer, cpu); + } + ++/* Must have trace_types_lock held */ + void tracing_reset_all_online_cpus(void) + { + struct trace_array *tr; + +- mutex_lock(&trace_types_lock); + list_for_each_entry(tr, &ftrace_trace_arrays, list) { + tracing_reset_online_cpus(&tr->trace_buffer); + #ifdef CONFIG_TRACER_MAX_TRACE + tracing_reset_online_cpus(&tr->max_buffer); + #endif + } +- mutex_unlock(&trace_types_lock); + } + + #define SAVED_CMDLINES 128 diff --git a/queue-3.10/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch b/queue-3.10/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch new file mode 100644 index 00000000000..d7a5c94ee70 --- /dev/null +++ b/queue-3.10/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch @@ -0,0 +1,39 @@ +From 2c7b871b9102c497ba8f972aa5d38532f05b654d Mon Sep 17 00:00:00 2001 +From: William Gulland +Date: Thu, 27 Jun 2013 16:10:20 -0700 +Subject: usb: Clear both buffers when clearing a control transfer TT buffer. + +From: William Gulland + +commit 2c7b871b9102c497ba8f972aa5d38532f05b654d upstream. + +Control transfers have both IN and OUT (or SETUP) packets, so when +clearing TT buffers for a control transfer it's necessary to send +two HUB_CLEAR_TT_BUFFER requests to the hub. + +Signed-off-by: William Gulland +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -668,6 +668,15 @@ resubmit: + static inline int + hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt) + { ++ /* Need to clear both directions for control ep */ ++ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) == ++ USB_ENDPOINT_XFER_CONTROL) { ++ int status = usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), ++ HUB_CLEAR_TT_BUFFER, USB_RT_PORT, ++ devinfo ^ 0x8000, tt, NULL, 0, 1000); ++ if (status) ++ return status; ++ } + return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), + HUB_CLEAR_TT_BUFFER, USB_RT_PORT, devinfo, + tt, NULL, 0, 1000); diff --git a/queue-3.10/usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch b/queue-3.10/usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch new file mode 100644 index 00000000000..ec45188af71 --- /dev/null +++ b/queue-3.10/usb-dwc3-fix-the-error-returned-with-usb3_phy-failure.patch @@ -0,0 +1,31 @@ +From 315955d707b50c8aad20a32ec0dd4c9fe243cabe Mon Sep 17 00:00:00 2001 +From: Ruchika Kharwar +Date: Thu, 4 Jul 2013 00:59:34 -0500 +Subject: usb: dwc3: fix the error returned with usb3_phy failure + +From: Ruchika Kharwar + +commit 315955d707b50c8aad20a32ec0dd4c9fe243cabe upstream. + +When there is an error with the usb3_phy probe or absence, the error returned +is erroneously for usb2_phy. + +Signed-off-by: Ruchika Kharwar +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/dwc3/core.c ++++ b/drivers/usb/dwc3/core.c +@@ -450,7 +450,7 @@ static int dwc3_probe(struct platform_de + } + + if (IS_ERR(dwc->usb3_phy)) { +- ret = PTR_ERR(dwc->usb2_phy); ++ ret = PTR_ERR(dwc->usb3_phy); + + /* + * if -ENXIO is returned, it means PHY layer wasn't diff --git a/queue-3.10/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch b/queue-3.10/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch new file mode 100644 index 00000000000..441738c9813 --- /dev/null +++ b/queue-3.10/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch @@ -0,0 +1,47 @@ +From 1974d494dea05ea227cb42f5e918828801e237aa Mon Sep 17 00:00:00 2001 +From: Huang Rui +Date: Thu, 27 Jun 2013 01:08:11 +0800 +Subject: usb: dwc3: fix wrong bit mask in dwc3_event_type + +From: Huang Rui + +commit 1974d494dea05ea227cb42f5e918828801e237aa upstream. + +Per dwc3 2.50a spec, the is_devspec bit is used to distinguish the +Device Endpoint-Specific Event or Device-Specific Event (DEVT). If the +bit is 1, the event is represented Device-Specific Event, then use +[7:1] bits as Device Specific Event to marked the type. It has 7 bits, +and we can see the reserved8_31 variable name which means from 8 to 31 +bits marked reserved, actually there are 24 bits not 25 bits between +that. And 1 + 7 + 24 = 32, the event size is 4 byes. + +So in dwc3_event_type, the bit mask should be: +is_devspec [0] 1 bit +type [7:1] 7 bits +reserved8_31 [31:8] 24 bits + +This patch should be backported to kernels as old as 3.2, that contain +the commit 72246da40f3719af3bfd104a2365b32537c27d83 "usb: Introduce +DesignWare USB3 DRD Driver". + +Signed-off-by: Huang Rui +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -759,8 +759,8 @@ struct dwc3 { + + struct dwc3_event_type { + u32 is_devspec:1; +- u32 type:6; +- u32 reserved8_31:25; ++ u32 type:7; ++ u32 reserved8_31:24; + } __packed; + + #define DWC3_DEPEVT_XFERCOMPLETE 0x01 diff --git a/queue-3.10/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch b/queue-3.10/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch new file mode 100644 index 00000000000..5cabb823e4f --- /dev/null +++ b/queue-3.10/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch @@ -0,0 +1,34 @@ +From cdcedd6981194e511cc206887db661d016069d68 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Mon, 15 Jul 2013 12:36:35 +0300 +Subject: usb: dwc3: gadget: don't prevent gadget from being probed if we fail + +From: Felipe Balbi + +commit cdcedd6981194e511cc206887db661d016069d68 upstream. + +In case we fail our ->udc_start() callback, we +should be ready to accept another modprobe following +the failed one. + +We had forgotten to clear dwc->gadget_driver back +to NULL and, because of that, we were preventing +gadget driver modprobe from being retried. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1584,6 +1584,7 @@ err1: + __dwc3_gadget_ep_disable(dwc->eps[0]); + + err0: ++ dwc->gadget_driver = NULL; + spin_unlock_irqrestore(&dwc->lock, flags); + + return ret; diff --git a/queue-3.10/usb-ehci-fix-resume-signalling-on-remote-wakeup.patch b/queue-3.10/usb-ehci-fix-resume-signalling-on-remote-wakeup.patch new file mode 100644 index 00000000000..84c9ded71d6 --- /dev/null +++ b/queue-3.10/usb-ehci-fix-resume-signalling-on-remote-wakeup.patch @@ -0,0 +1,37 @@ +From 47a64a13d54f6c669b00542848d5550be3d3310e Mon Sep 17 00:00:00 2001 +From: Roger Quadros +Date: Tue, 9 Jul 2013 17:03:50 +0300 +Subject: USB: EHCI: Fix resume signalling on remote wakeup + +From: Roger Quadros + +commit 47a64a13d54f6c669b00542848d5550be3d3310e upstream. + +Set the ehci->resuming flag for the port we receive a remote +wakeup on so that resume signalling can be completed. + +Without this, the root hub timer will not fire again to check +if the resume was completed and there will be a never-ending wait on +on the port. + +This effect is only observed if the HUB IRQ IN does not come after we +have initiated the port resume. + +Signed-off-by: Roger Quadros +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hub.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -858,6 +858,7 @@ static int ehci_hub_control ( + ehci->reset_done[wIndex] = jiffies + + msecs_to_jiffies(20); + usb_hcd_start_port_resume(&hcd->self, wIndex); ++ set_bit(wIndex, &ehci->resuming_ports); + /* check the port again */ + mod_timer(&ehci_to_hcd(ehci)->rh_timer, + ehci->reset_done[wIndex]); diff --git a/queue-3.10/usb-global-suspend-and-remote-wakeup-don-t-mix.patch b/queue-3.10/usb-global-suspend-and-remote-wakeup-don-t-mix.patch new file mode 100644 index 00000000000..0288d0d6d52 --- /dev/null +++ b/queue-3.10/usb-global-suspend-and-remote-wakeup-don-t-mix.patch @@ -0,0 +1,154 @@ +From e583d9db9960cf40e0bc8afee4946baa9d71596e Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Thu, 11 Jul 2013 14:58:04 -0400 +Subject: USB: global suspend and remote wakeup don't mix + +From: Alan Stern + +commit e583d9db9960cf40e0bc8afee4946baa9d71596e upstream. + +The hub driver was recently changed to use "global" suspend for system +suspend transitions on non-SuperSpeed buses. This means that we don't +suspend devices individually by setting the suspend feature on the +upstream hub port; instead devices all go into suspend automatically +when the root hub stops transmitting packets. The idea was to save +time and to avoid certain kinds of wakeup races. + +Now it turns out that many hubs are buggy; they don't relay wakeup +requests from a downstream port to their upstream port if the +downstream port's suspend feature is not set (depending on the speed +of the downstream port, whether or not the hub is enabled for remote +wakeup, and possibly other factors). + +We can't have hubs dropping wakeup requests. Therefore this patch +goes partway back to the old policy: It sets the suspend feature for a +port if the device attached to that port or any of its descendants is +enabled for wakeup. People will still be able to benefit from the +time savings if they don't care about wakeup and leave it disabled on +all their devices. + +In order to accomplish this, the patch adds a new field to the usb_hub +structure: wakeup_enabled_descendants is a count of how many devices +below a suspended hub are enabled for remote wakeup. A corresponding +new subroutine determines the number of wakeup-enabled devices at or +below an arbitrary suspended USB device. + +This should be applied to the 3.10 stable kernel. + +Signed-off-by: Alan Stern +Reported-and-tested-by: Toralf Förster +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 39 +++++++++++++++++++++++++++++++-------- + drivers/usb/core/hub.h | 3 +++ + 2 files changed, 34 insertions(+), 8 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -2855,6 +2855,15 @@ static int usb_disable_function_remotewa + USB_CTRL_SET_TIMEOUT); + } + ++/* Count of wakeup-enabled devices at or below udev */ ++static unsigned wakeup_enabled_descendants(struct usb_device *udev) ++{ ++ struct usb_hub *hub = usb_hub_to_struct_hub(udev); ++ ++ return udev->do_remote_wakeup + ++ (hub ? hub->wakeup_enabled_descendants : 0); ++} ++ + /* + * usb_port_suspend - suspend a usb device's upstream port + * @udev: device that's no longer in active use, not a root hub +@@ -2895,8 +2904,8 @@ static int usb_disable_function_remotewa + * Linux (2.6) currently has NO mechanisms to initiate that: no khubd + * timer, no SRP, no requests through sysfs. + * +- * If Runtime PM isn't enabled or used, non-SuperSpeed devices really get +- * suspended only when their bus goes into global suspend (i.e., the root ++ * If Runtime PM isn't enabled or used, non-SuperSpeed devices may not get ++ * suspended until their bus goes into global suspend (i.e., the root + * hub is suspended). Nevertheless, we change @udev->state to + * USB_STATE_SUSPENDED as this is the device's "logical" state. The actual + * upstream port setting is stored in @udev->port_is_suspended. +@@ -2967,15 +2976,21 @@ int usb_port_suspend(struct usb_device * + /* see 7.1.7.6 */ + if (hub_is_superspeed(hub->hdev)) + status = hub_set_port_link_state(hub, port1, USB_SS_PORT_LS_U3); +- else if (PMSG_IS_AUTO(msg)) +- status = set_port_feature(hub->hdev, port1, +- USB_PORT_FEAT_SUSPEND); ++ + /* + * For system suspend, we do not need to enable the suspend feature + * on individual USB-2 ports. The devices will automatically go + * into suspend a few ms after the root hub stops sending packets. + * The USB 2.0 spec calls this "global suspend". ++ * ++ * However, many USB hubs have a bug: They don't relay wakeup requests ++ * from a downstream port if the port's suspend feature isn't on. ++ * Therefore we will turn on the suspend feature if udev or any of its ++ * descendants is enabled for remote wakeup. + */ ++ else if (PMSG_IS_AUTO(msg) || wakeup_enabled_descendants(udev) > 0) ++ status = set_port_feature(hub->hdev, port1, ++ USB_PORT_FEAT_SUSPEND); + else { + really_suspend = false; + status = 0; +@@ -3010,15 +3025,16 @@ int usb_port_suspend(struct usb_device * + if (!PMSG_IS_AUTO(msg)) + status = 0; + } else { +- /* device has up to 10 msec to fully suspend */ + dev_dbg(&udev->dev, "usb %ssuspend, wakeup %d\n", + (PMSG_IS_AUTO(msg) ? "auto-" : ""), + udev->do_remote_wakeup); +- usb_set_device_state(udev, USB_STATE_SUSPENDED); + if (really_suspend) { + udev->port_is_suspended = 1; ++ ++ /* device has up to 10 msec to fully suspend */ + msleep(10); + } ++ usb_set_device_state(udev, USB_STATE_SUSPENDED); + } + + /* +@@ -3300,7 +3316,11 @@ static int hub_suspend(struct usb_interf + unsigned port1; + int status; + +- /* Warn if children aren't already suspended */ ++ /* ++ * Warn if children aren't already suspended. ++ * Also, add up the number of wakeup-enabled descendants. ++ */ ++ hub->wakeup_enabled_descendants = 0; + for (port1 = 1; port1 <= hdev->maxchild; port1++) { + struct usb_device *udev; + +@@ -3310,6 +3330,9 @@ static int hub_suspend(struct usb_interf + if (PMSG_IS_AUTO(msg)) + return -EBUSY; + } ++ if (udev) ++ hub->wakeup_enabled_descendants += ++ wakeup_enabled_descendants(udev); + } + + if (hdev->do_remote_wakeup && hub->quirk_check_port_auto_suspend) { +--- a/drivers/usb/core/hub.h ++++ b/drivers/usb/core/hub.h +@@ -59,6 +59,9 @@ struct usb_hub { + struct usb_tt tt; /* Transaction Translator */ + + unsigned mA_per_port; /* current for each child */ ++#ifdef CONFIG_PM ++ unsigned wakeup_enabled_descendants; ++#endif + + unsigned limited_power:1; + unsigned quiescing:1; diff --git a/queue-3.10/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch b/queue-3.10/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch new file mode 100644 index 00000000000..9a807b2234e --- /dev/null +++ b/queue-3.10/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch @@ -0,0 +1,78 @@ +From 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 Mon Sep 17 00:00:00 2001 +From: George Cherian +Date: Mon, 1 Jul 2013 10:59:12 +0530 +Subject: usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0 + +From: George Cherian + +commit 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 upstream. + +Xhci controllers with hci_version > 0.96 gives spurious success +events on short packet completion. During webcam capture the +"ERROR Transfer event TRB DMA ptr not part of current TD" was observed. +The same application works fine with synopsis controllers hci_version 0.96. +The same issue is seen with Intel Pantherpoint xhci controller. So enabling +this quirk in xhci_gen_setup if controller verion is greater than 0.96. +For xhci-pci move the quirk to much generic place xhci_gen_setup. + +Note from Sarah: + +The xHCI 1.0 spec changed how hardware handles short packets. The HW +will notify SW of the TRB where the short packet occurred, and it will +also give a successful status for the last TRB in a TD (the one with the +IOC flag set). On the second successful status, that warning will be +triggered in the driver. + +Software is now supposed to not assume the TD is not completed until it +gets that last successful status. That means we have a slight race +condition, although it should have little practical impact. This patch +papers over that issue. + +It's on my long-term to-do list to fix this race condition, but it is a +much more involved patch that will probably be too big for stable. This +patch is needed for stable to avoid serious log spam. + +This patch should be backported to kernels as old as 3.0, that +contain the commit ad808333d8201d53075a11bc8dd83b81f3d68f0b "Intel xhci: +Ignore spurious successful event." + +The patch will have to be modified for kernels older than 3.2, since +that kernel added the xhci_gen_setup function for xhci platform devices. +The correct conflict resolution for kernels older than 3.2 is to set +XHCI_SPURIOUS_SUCCESS in xhci_pci_quirks for all xHCI 1.0 hosts. + +Signed-off-by: George Cherian +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-pci.c | 1 - + drivers/usb/host/xhci.c | 7 +++++++ + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-pci.c ++++ b/drivers/usb/host/xhci-pci.c +@@ -93,7 +93,6 @@ static void xhci_pci_quirks(struct devic + } + if (pdev->vendor == PCI_VENDOR_ID_INTEL && + pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) { +- xhci->quirks |= XHCI_SPURIOUS_SUCCESS; + xhci->quirks |= XHCI_EP_LIMIT_QUIRK; + xhci->limit_active_eps = 64; + xhci->quirks |= XHCI_SW_BW_CHECKING; +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -4697,6 +4697,13 @@ int xhci_gen_setup(struct usb_hcd *hcd, + + get_quirks(dev, xhci); + ++ /* In xhci controllers which follow xhci 1.0 spec gives a spurious ++ * success event after a short transfer. This quirk will ignore such ++ * spurious event. ++ */ ++ if (xhci->hci_version > 0x96) ++ xhci->quirks |= XHCI_SPURIOUS_SUCCESS; ++ + /* Make sure the HC is halted. */ + retval = xhci_halt(xhci); + if (retval) diff --git a/queue-3.10/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch b/queue-3.10/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch new file mode 100644 index 00000000000..056b790fc55 --- /dev/null +++ b/queue-3.10/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch @@ -0,0 +1,26 @@ +From 58fc90db8261b571c026bb8bf23aad48a7233118 Mon Sep 17 00:00:00 2001 +From: Jóhann B. Guðmundsson +Date: Thu, 4 Jul 2013 21:47:52 +0000 +Subject: USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga + +From: Jóhann B. Guðmundsson + +commit 58fc90db8261b571c026bb8bf23aad48a7233118 upstream. + +Signed-off-by: Jóhann B. Guðmundsson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/misc/sisusbvga/sisusb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/misc/sisusbvga/sisusb.c ++++ b/drivers/usb/misc/sisusbvga/sisusb.c +@@ -3247,6 +3247,7 @@ static const struct usb_device_id sisusb + { USB_DEVICE(0x0711, 0x0903) }, + { USB_DEVICE(0x0711, 0x0918) }, + { USB_DEVICE(0x0711, 0x0920) }, ++ { USB_DEVICE(0x0711, 0x0950) }, + { USB_DEVICE(0x182d, 0x021c) }, + { USB_DEVICE(0x182d, 0x0269) }, + { } diff --git a/queue-3.10/usb-mos7840-fix-memory-leak-in-open.patch b/queue-3.10/usb-mos7840-fix-memory-leak-in-open.patch new file mode 100644 index 00000000000..5a6997701e8 --- /dev/null +++ b/queue-3.10/usb-mos7840-fix-memory-leak-in-open.patch @@ -0,0 +1,103 @@ +From 5f8a2e68b679b41cc8e9b642f2f5aa45dd678641 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Mon, 1 Jul 2013 14:03:33 +0200 +Subject: USB: mos7840: fix memory leak in open + +From: Johan Hovold + +commit 5f8a2e68b679b41cc8e9b642f2f5aa45dd678641 upstream. + +Allocated urbs and buffers were never freed on errors in open. + +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7840.c | 25 +++++++++++++++++-------- + 1 file changed, 17 insertions(+), 8 deletions(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -914,20 +914,20 @@ static int mos7840_open(struct tty_struc + status = mos7840_get_reg_sync(port, mos7840_port->SpRegOffset, &Data); + if (status < 0) { + dev_dbg(&port->dev, "Reading Spreg failed\n"); +- return -1; ++ goto err; + } + Data |= 0x80; + status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data); + if (status < 0) { + dev_dbg(&port->dev, "writing Spreg failed\n"); +- return -1; ++ goto err; + } + + Data &= ~0x80; + status = mos7840_set_reg_sync(port, mos7840_port->SpRegOffset, Data); + if (status < 0) { + dev_dbg(&port->dev, "writing Spreg failed\n"); +- return -1; ++ goto err; + } + /* End of block to be checked */ + +@@ -936,7 +936,7 @@ static int mos7840_open(struct tty_struc + &Data); + if (status < 0) { + dev_dbg(&port->dev, "Reading Controlreg failed\n"); +- return -1; ++ goto err; + } + Data |= 0x08; /* Driver done bit */ + Data |= 0x20; /* rx_disable */ +@@ -944,7 +944,7 @@ static int mos7840_open(struct tty_struc + mos7840_port->ControlRegOffset, Data); + if (status < 0) { + dev_dbg(&port->dev, "writing Controlreg failed\n"); +- return -1; ++ goto err; + } + /* do register settings here */ + /* Set all regs to the device default values. */ +@@ -955,21 +955,21 @@ static int mos7840_open(struct tty_struc + status = mos7840_set_uart_reg(port, INTERRUPT_ENABLE_REGISTER, Data); + if (status < 0) { + dev_dbg(&port->dev, "disabling interrupts failed\n"); +- return -1; ++ goto err; + } + /* Set FIFO_CONTROL_REGISTER to the default value */ + Data = 0x00; + status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing FIFO_CONTROL_REGISTER failed\n"); +- return -1; ++ goto err; + } + + Data = 0xcf; + status = mos7840_set_uart_reg(port, FIFO_CONTROL_REGISTER, Data); + if (status < 0) { + dev_dbg(&port->dev, "Writing FIFO_CONTROL_REGISTER failed\n"); +- return -1; ++ goto err; + } + + Data = 0x03; +@@ -1114,6 +1114,15 @@ static int mos7840_open(struct tty_struc + /* mos7840_change_port_settings(mos7840_port,old_termios); */ + + return 0; ++err: ++ for (j = 0; j < NUM_URBS; ++j) { ++ urb = mos7840_port->write_urb_pool[j]; ++ if (!urb) ++ continue; ++ kfree(urb->transfer_buffer); ++ usb_free_urb(urb); ++ } ++ return status; + } + + /***************************************************************************** diff --git a/queue-3.10/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch b/queue-3.10/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch new file mode 100644 index 00000000000..b96f9906669 --- /dev/null +++ b/queue-3.10/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch @@ -0,0 +1,35 @@ +From 1fad56424f5ad3ce4973505a357212b2e2282b3f Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Fri, 28 Jun 2013 12:24:26 +0200 +Subject: USB: ti_usb_3410_5052: fix dynamic-id matching + +From: Johan Hovold + +commit 1fad56424f5ad3ce4973505a357212b2e2282b3f upstream. + +The driver failed to take the dynamic ids into account when determining +the device type and therefore all devices were detected as 2-port +devices when using the dynamic-id interface. + +Match on the usb-serial-driver field instead of doing redundant id-table +searches. + +Reported-by: Anders Hammarquist +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/ti_usb_3410_5052.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/serial/ti_usb_3410_5052.c ++++ b/drivers/usb/serial/ti_usb_3410_5052.c +@@ -371,7 +371,7 @@ static int ti_startup(struct usb_serial + usb_set_serial_data(serial, tdev); + + /* determine device type */ +- if (usb_match_id(serial->interface, ti_id_table_3410)) ++ if (serial->type == &ti_1port_device) + tdev->td_is_3410 = 1; + dev_dbg(&dev->dev, "%s - device type is %s\n", __func__, + tdev->td_is_3410 ? "3410" : "5052"); diff --git a/queue-3.10/x86-make-sure-idt-is-page-aligned.patch b/queue-3.10/x86-make-sure-idt-is-page-aligned.patch new file mode 100644 index 00000000000..e25beac9242 --- /dev/null +++ b/queue-3.10/x86-make-sure-idt-is-page-aligned.patch @@ -0,0 +1,43 @@ +From keescook@chromium.org Thu Aug 1 11:10:06 2013 +From: Kees Cook +Date: Mon, 15 Jul 2013 11:50:45 -0700 +Subject: x86: make sure IDT is page aligned +To: linux-kernel@vger.kernel.org +Cc: Thomas Gleixner , Ingo Molnar , "H. Peter Anvin" , x86@kernel.org, Yinghai Lu , Seiji Aguchi , Fenghua Yu , PaX Team +Message-ID: <20130715185045.GA24133@www.outflux.net> + +From: Kees Cook + +based on 4df05f361937ee86e5a8c9ead8aeb6a19ea9b7d7 upstream. + +Since the IDT is referenced from a fixmap, make sure it is page aligned. +This avoids the risk of the IDT ever being moved in the bss and having +the mapping be offset, resulting in calling incorrect handlers. In the +current upstream kernel this is not a manifested bug, but heavily patched +kernels (such as those using the PaX patch series) did encounter this bug. + +Signed-off-by: Kees Cook +Reported-by: PaX Team +Cc: Thomas Gleixner +Cc: Ingo Molnar +Cc: "H. Peter Anvin" +Cc: Yinghai Lu +Cc: Seiji Aguchi +Cc: Fenghua Yu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/head_64.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/head_64.S ++++ b/arch/x86/kernel/head_64.S +@@ -513,7 +513,7 @@ ENTRY(phys_base) + #include "../../x86/xen/xen-head.S" + + .section .bss, "aw", @nobits +- .align L1_CACHE_BYTES ++ .align PAGE_SIZE + ENTRY(idt_table) + .skip IDT_ENTRIES * 16 + diff --git a/queue-3.10/x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch b/queue-3.10/x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch new file mode 100644 index 00000000000..13736553f59 --- /dev/null +++ b/queue-3.10/x86-suspend-handle-cpus-which-fail-to-gp-on-rdmsr.patch @@ -0,0 +1,67 @@ +From 5ff560fd48d5b3d82fa0c3aff625c9da1a301911 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Fri, 12 Jul 2013 16:48:12 -0700 +Subject: x86, suspend: Handle CPUs which fail to #GP on RDMSR + +From: "H. Peter Anvin" + +commit 5ff560fd48d5b3d82fa0c3aff625c9da1a301911 upstream. + +There are CPUs which have errata causing RDMSR of a nonexistent MSR to +not fault. We would then try to WRMSR to restore the value of that +MSR, causing a crash. Specifically, some Pentium M variants would +have this problem trying to save and restore the non-existent EFER, +causing a crash on resume. + +Work around this by making sure we can write back the result at +suspend time. + +Huge thanks to Christian Sünkenberg for finding the offending erratum +that finally deciphered the mystery. + +Reported-and-tested-by: Johan Heinrich +Debugged-by: Christian Sünkenberg +Acked-by: Rafael J. Wysocki +Link: http://lkml.kernel.org/r/51DDC972.3010005@student.kit.edu +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/acpi/sleep.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/acpi/sleep.c ++++ b/arch/x86/kernel/acpi/sleep.c +@@ -48,9 +48,20 @@ int acpi_suspend_lowlevel(void) + #ifndef CONFIG_64BIT + native_store_gdt((struct desc_ptr *)&header->pmode_gdt); + ++ /* ++ * We have to check that we can write back the value, and not ++ * just read it. At least on 90 nm Pentium M (Family 6, Model ++ * 13), reading an invalid MSR is not guaranteed to trap, see ++ * Erratum X4 in "Intel Pentium M Processor on 90 nm Process ++ * with 2-MB L2 Cache and Intel® Processor A100 and A110 on 90 ++ * nm process with 512-KB L2 Cache Specification Update". ++ */ + if (!rdmsr_safe(MSR_EFER, + &header->pmode_efer_low, +- &header->pmode_efer_high)) ++ &header->pmode_efer_high) && ++ !wrmsr_safe(MSR_EFER, ++ header->pmode_efer_low, ++ header->pmode_efer_high)) + header->pmode_behavior |= (1 << WAKEUP_BEHAVIOR_RESTORE_EFER); + #endif /* !CONFIG_64BIT */ + +@@ -61,7 +72,10 @@ int acpi_suspend_lowlevel(void) + } + if (!rdmsr_safe(MSR_IA32_MISC_ENABLE, + &header->pmode_misc_en_low, +- &header->pmode_misc_en_high)) ++ &header->pmode_misc_en_high) && ++ !wrmsr_safe(MSR_IA32_MISC_ENABLE, ++ header->pmode_misc_en_low, ++ header->pmode_misc_en_high)) + header->pmode_behavior |= + (1 << WAKEUP_BEHAVIOR_RESTORE_MISC_ENABLE); + header->realmode_flags = acpi_realmode_flags; diff --git a/queue-3.10/xen-blkback-check-device-permissions-before-allowing-op_discard.patch b/queue-3.10/xen-blkback-check-device-permissions-before-allowing-op_discard.patch new file mode 100644 index 00000000000..2fab902639d --- /dev/null +++ b/queue-3.10/xen-blkback-check-device-permissions-before-allowing-op_discard.patch @@ -0,0 +1,55 @@ +From 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 16 Jan 2013 11:33:52 -0500 +Subject: xen/blkback: Check device permissions before allowing OP_DISCARD + +From: Konrad Rzeszutek Wilk + +commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 upstream. + +We need to make sure that the device is not RO or that +the request is not past the number of sectors we want to +issue the DISCARD operation for. + +This fixes CVE-2013-2140. + +Acked-by: Jan Beulich +Acked-by: Ian Campbell +[v1: Made it pr_warn instead of pr_debug] +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -647,7 +647,18 @@ static int dispatch_discard_io(struct xe + int status = BLKIF_RSP_OKAY; + struct block_device *bdev = blkif->vbd.bdev; + unsigned long secure; ++ struct phys_req preq; + ++ preq.sector_number = req->u.discard.sector_number; ++ preq.nr_sects = req->u.discard.nr_sectors; ++ ++ err = xen_vbd_translate(&preq, blkif, WRITE); ++ if (err) { ++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", ++ preq.sector_number, ++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); ++ goto fail_response; ++ } + blkif->st_ds_req++; + + xen_blkif_get(blkif); +@@ -658,7 +669,7 @@ static int dispatch_discard_io(struct xe + err = blkdev_issue_discard(bdev, req->u.discard.sector_number, + req->u.discard.nr_sectors, + GFP_KERNEL, secure); +- ++fail_response: + if (err == -EOPNOTSUPP) { + pr_debug(DRV_PFX "discard op failed, not supported\n"); + status = BLKIF_RSP_EOPNOTSUPP; diff --git a/queue-3.10/xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch b/queue-3.10/xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch new file mode 100644 index 00000000000..157ee3d25ae --- /dev/null +++ b/queue-3.10/xen-netfront-pull-on-receive-skb-may-need-to-happen-earlier.patch @@ -0,0 +1,117 @@ +From 093b9c71b6e450e375f4646ba86faed0195ec7df Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Wed, 17 Jul 2013 08:09:37 +0100 +Subject: xen-netfront: pull on receive skb may need to happen earlier + +From: Jan Beulich + +commit 093b9c71b6e450e375f4646ba86faed0195ec7df upstream. + +Due to commit 3683243b ("xen-netfront: use __pskb_pull_tail to ensure +linear area is big enough on RX") xennet_fill_frags() may end up +filling MAX_SKB_FRAGS + 1 fragments in a receive skb, and only reduce +the fragment count subsequently via __pskb_pull_tail(). That's a +result of xennet_get_responses() allowing a maximum of one more slot to +be consumed (and intermediately transformed into a fragment) if the +head slot has a size less than or equal to RX_COPY_THRESHOLD. + +Hence we need to adjust xennet_fill_frags() to pull earlier if we +reached the maximum fragment count - due to the described behavior of +xennet_get_responses() this guarantees that at least the first fragment +will get completely consumed, and hence the fragment count reduced. + +In order to not needlessly call __pskb_pull_tail() twice, make the +original call conditional upon the pull target not having been reached +yet, and defer the newly added one as much as possible (an alternative +would have been to always call the function right before the call to +xennet_fill_frags(), but that would imply more frequent cases of +needing to call it twice). + +Signed-off-by: Jan Beulich +Acked-by: Wei Liu +Cc: Ian Campbell +Acked-by: Ian Campbell +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/xen-netfront.c | 31 +++++++++++++------------------ + 1 file changed, 13 insertions(+), 18 deletions(-) + +--- a/drivers/net/xen-netfront.c ++++ b/drivers/net/xen-netfront.c +@@ -276,8 +276,7 @@ no_skb: + break; + } + +- __skb_fill_page_desc(skb, 0, page, 0, 0); +- skb_shinfo(skb)->nr_frags = 1; ++ skb_add_rx_frag(skb, 0, page, 0, 0, PAGE_SIZE); + __skb_queue_tail(&np->rx_batch, skb); + } + +@@ -822,7 +821,6 @@ static RING_IDX xennet_fill_frags(struct + struct sk_buff_head *list) + { + struct skb_shared_info *shinfo = skb_shinfo(skb); +- int nr_frags = shinfo->nr_frags; + RING_IDX cons = np->rx.rsp_cons; + struct sk_buff *nskb; + +@@ -831,19 +829,21 @@ static RING_IDX xennet_fill_frags(struct + RING_GET_RESPONSE(&np->rx, ++cons); + skb_frag_t *nfrag = &skb_shinfo(nskb)->frags[0]; + +- __skb_fill_page_desc(skb, nr_frags, +- skb_frag_page(nfrag), +- rx->offset, rx->status); ++ if (shinfo->nr_frags == MAX_SKB_FRAGS) { ++ unsigned int pull_to = NETFRONT_SKB_CB(skb)->pull_to; + +- skb->data_len += rx->status; ++ BUG_ON(pull_to <= skb_headlen(skb)); ++ __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); ++ } ++ BUG_ON(shinfo->nr_frags >= MAX_SKB_FRAGS); ++ ++ skb_add_rx_frag(skb, shinfo->nr_frags, skb_frag_page(nfrag), ++ rx->offset, rx->status, PAGE_SIZE); + + skb_shinfo(nskb)->nr_frags = 0; + kfree_skb(nskb); +- +- nr_frags++; + } + +- shinfo->nr_frags = nr_frags; + return cons; + } + +@@ -929,7 +929,8 @@ static int handle_incoming_queue(struct + while ((skb = __skb_dequeue(rxq)) != NULL) { + int pull_to = NETFRONT_SKB_CB(skb)->pull_to; + +- __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); ++ if (pull_to > skb_headlen(skb)) ++ __pskb_pull_tail(skb, pull_to - skb_headlen(skb)); + + /* Ethernet work: Delayed to here as it peeks the header. */ + skb->protocol = eth_type_trans(skb, dev); +@@ -1015,16 +1016,10 @@ err: + skb_shinfo(skb)->frags[0].page_offset = rx->offset; + skb_frag_size_set(&skb_shinfo(skb)->frags[0], rx->status); + skb->data_len = rx->status; ++ skb->len += rx->status; + + i = xennet_fill_frags(np, skb, &tmpq); + +- /* +- * Truesize is the actual allocation size, even if the +- * allocation is only partially used. +- */ +- skb->truesize += PAGE_SIZE * skb_shinfo(skb)->nr_frags; +- skb->len += skb->data_len; +- + if (rx->flags & XEN_NETRXF_csum_blank) + skb->ip_summed = CHECKSUM_PARTIAL; + else if (rx->flags & XEN_NETRXF_data_validated) diff --git a/queue-3.10/xhci-avoid-null-pointer-deref-when-host-dies.patch b/queue-3.10/xhci-avoid-null-pointer-deref-when-host-dies.patch new file mode 100644 index 00000000000..8458e1f9029 --- /dev/null +++ b/queue-3.10/xhci-avoid-null-pointer-deref-when-host-dies.patch @@ -0,0 +1,71 @@ +From 203a86613fb3bf2767335659513fa98563a3eb71 Mon Sep 17 00:00:00 2001 +From: Sarah Sharp +Date: Wed, 24 Jul 2013 10:27:13 -0700 +Subject: xhci: Avoid NULL pointer deref when host dies. + +From: Sarah Sharp + +commit 203a86613fb3bf2767335659513fa98563a3eb71 upstream. + +When the host controller fails to respond to an Enable Slot command, and +the host fails to respond to the register write to abort the command +ring, the xHCI driver will assume the host is dead, and call +usb_hc_died(). + +The USB device's slot_id is still set to zero, and the pointer stored at +xhci->devs[0] will always be NULL. The call to xhci_check_args in +xhci_free_dev should have caught the NULL virt_dev pointer. + +However, xhci_free_dev is designed to free the xhci_virt_device +structures, even if the host is dead, so that we don't leak kernel +memory. xhci_free_dev checks the return value from the generic +xhci_check_args function. If the return value is -ENODEV, it carries on +trying to free the virtual device. + +The issue is that xhci_check_args looks at the host controller state +before it looks at the xhci_virt_device pointer. It will return -ENIVAL +because the host is dead, and xhci_free_dev will ignore the return +value, and happily dereference the NULL xhci_virt_device pointer. + +The fix is to make sure that xhci_check_args checks the xhci_virt_device +pointer before it checks the host state. + +See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for +further details. This patch doesn't solve the underlying issue, but +will ensure we don't see any more NULL pointer dereferences because of +the issue. + +This patch should be backported to kernels as old as 3.1, that +contain the commit 7bd89b4017f46a9b92853940fd9771319acb578a "xhci: Don't +submit commands or URBs to halted hosts." + +Signed-off-by: Sarah Sharp +Reported-by: Vincent Thiele +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/xhci.c ++++ b/drivers/usb/host/xhci.c +@@ -1171,9 +1171,6 @@ static int xhci_check_args(struct usb_hc + } + + xhci = hcd_to_xhci(hcd); +- if (xhci->xhc_state & XHCI_STATE_HALTED) +- return -ENODEV; +- + if (check_virt_dev) { + if (!udev->slot_id || !xhci->devs[udev->slot_id]) { + printk(KERN_DEBUG "xHCI %s called with unaddressed " +@@ -1189,6 +1186,9 @@ static int xhci_check_args(struct usb_hc + } + } + ++ if (xhci->xhc_state & XHCI_STATE_HALTED) ++ return -ENODEV; ++ + return 1; + } + diff --git a/queue-3.10/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch b/queue-3.10/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch new file mode 100644 index 00000000000..3f6dc0f6769 --- /dev/null +++ b/queue-3.10/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch @@ -0,0 +1,37 @@ +From d66eaf9f89502971fddcb0de550b01fa6f409d83 Mon Sep 17 00:00:00 2001 +From: Oleksij Rempel +Date: Sun, 21 Jul 2013 15:36:19 +0200 +Subject: xhci: fix null pointer dereference on ring_doorbell_for_active_rings + +From: Oleksij Rempel + +commit d66eaf9f89502971fddcb0de550b01fa6f409d83 upstream. + +in some cases where device is attched to xhci port and do not responding, +for example ath9k_htc with stalled firmware, kernel will +crash on ring_doorbell_for_active_rings. +This patch check if pointer exist before it is used. + +This patch should be backported to kernels as old as 2.6.35, that +contain the commit e9df17eb1408cfafa3d1844bfc7f22c7237b31b8 "USB: xhci: +Correct assumptions about number of rings per endpoint" + +Signed-off-by: Oleksij Rempel +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/xhci-ring.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/host/xhci-ring.c ++++ b/drivers/usb/host/xhci-ring.c +@@ -434,7 +434,7 @@ static void ring_doorbell_for_active_rin + + /* A ring has pending URBs if its TD list is not empty */ + if (!(ep->ep_state & EP_HAS_STREAMS)) { +- if (!(list_empty(&ep->ring->td_list))) ++ if (ep->ring && !(list_empty(&ep->ring->td_list))) + xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0); + return; + }