From: Greg Kroah-Hartman Date: Mon, 11 May 2015 12:17:52 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.19.8~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ae7da82f3e47b8037f2bf8886ff30b5075b96304;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arc-signal-handling-robustify.patch compal-laptop-fix-leaking-hwmon-device.patch drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch staging-panel-fix-lcd-type.patch ubi-fix-soft-lockup-in-ubi_check_volume.patch usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch --- diff --git a/queue-3.14/arc-signal-handling-robustify.patch b/queue-3.14/arc-signal-handling-robustify.patch new file mode 100644 index 00000000000..857fe49bb7e --- /dev/null +++ b/queue-3.14/arc-signal-handling-robustify.patch @@ -0,0 +1,99 @@ +From e4140819dadc3624accac8294881bca8a3cba4ed Mon Sep 17 00:00:00 2001 +From: Vineet Gupta +Date: Thu, 26 Mar 2015 11:14:41 +0530 +Subject: ARC: signal handling robustify + +From: Vineet Gupta + +commit e4140819dadc3624accac8294881bca8a3cba4ed upstream. + +A malicious signal handler / restorer can DOS the system by fudging the +user regs saved on stack, causing weird things such as sigreturn returning +to user mode PC but cpu state still being kernel mode.... + +Ensure that in sigreturn path status32 always has U bit; any other bogosity +(gargbage PC etc) will be taken care of by normal user mode exceptions mechanisms. + +Reproducer signal handler: + + void handle_sig(int signo, siginfo_t *info, void *context) + { + ucontext_t *uc = context; + struct user_regs_struct *regs = &(uc->uc_mcontext.regs); + + regs->scratch.status32 = 0; + } + +Before the fix, kernel would go off to weeds like below: + + --------->8----------- + [ARCLinux]$ ./signal-test + Path: /signal-test + CPU: 0 PID: 61 Comm: signal-test Not tainted 4.0.0-rc5+ #65 + task: 8f177880 ti: 5ffe6000 task.ti: 8f15c000 + + [ECR ]: 0x00220200 => Invalid Write @ 0x00000010 by insn @ 0x00010698 + [EFA ]: 0x00000010 + [BLINK ]: 0x2007c1ee + [ERET ]: 0x10698 + [STAT32]: 0x00000000 : <-------- + BTA: 0x00010680 SP: 0x5ffe7e48 FP: 0x00000000 + LPS: 0x20003c6c LPE: 0x20003c70 LPC: 0x00000000 + ... + --------->8----------- + +Reported-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/kernel/signal.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/arch/arc/kernel/signal.c ++++ b/arch/arc/kernel/signal.c +@@ -131,6 +131,15 @@ SYSCALL_DEFINE0(rt_sigreturn) + /* Don't restart from sigreturn */ + syscall_wont_restart(regs); + ++ /* ++ * Ensure that sigreturn always returns to user mode (in case the ++ * regs saved on user stack got fudged between save and sigreturn) ++ * Otherwise it is easy to panic the kernel with a custom ++ * signal handler and/or restorer which clobberes the status32/ret ++ * to return to a bogus location in kernel mode. ++ */ ++ regs->status32 |= STATUS_U_MASK; ++ + return regs->r0; + + badframe: +@@ -234,8 +243,11 @@ setup_rt_frame(int signo, struct k_sigac + + /* + * handler returns using sigreturn stub provided already by userpsace ++ * If not, nuke the process right away + */ +- BUG_ON(!(ka->sa.sa_flags & SA_RESTORER)); ++ if(!(ka->sa.sa_flags & SA_RESTORER)) ++ return 1; ++ + regs->blink = (unsigned long)ka->sa.sa_restorer; + + /* User Stack for signal handler will be above the frame just carved */ +@@ -302,12 +314,12 @@ handle_signal(unsigned long sig, struct + struct pt_regs *regs) + { + sigset_t *oldset = sigmask_to_save(); +- int ret; ++ int failed; + + /* Set up the stack frame */ +- ret = setup_rt_frame(sig, ka, info, oldset, regs); ++ failed = setup_rt_frame(sig, ka, info, oldset, regs); + +- if (ret) ++ if (failed) + force_sigsegv(sig, current); + else + signal_delivered(sig, info, ka, regs, 0); diff --git a/queue-3.14/compal-laptop-fix-leaking-hwmon-device.patch b/queue-3.14/compal-laptop-fix-leaking-hwmon-device.patch new file mode 100644 index 00000000000..2b75bc59e14 --- /dev/null +++ b/queue-3.14/compal-laptop-fix-leaking-hwmon-device.patch @@ -0,0 +1,42 @@ +From ad774702f1705c04e5fa492b793d8d477a504fa6 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Thu, 12 Mar 2015 08:43:59 +0100 +Subject: compal-laptop: Fix leaking hwmon device + +From: Krzysztof Kozlowski + +commit ad774702f1705c04e5fa492b793d8d477a504fa6 upstream. + +The commit c2be45f09bb0 ("compal-laptop: Use +devm_hwmon_device_register_with_groups") wanted to change the +registering of hwmon device to resource-managed version. It mostly did +it except the main thing - it forgot to use devm-like function so the +hwmon device leaked after device removal or probe failure. + +Signed-off-by: Krzysztof Kozlowski +Fixes: c2be45f09bb0 ("compal-laptop: Use devm_hwmon_device_register_with_groups") +Acked-by: Guenter Roeck +Acked-by: Darren Hart +Signed-off-by: Sebastian Reichel +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/platform/x86/compal-laptop.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/platform/x86/compal-laptop.c ++++ b/drivers/platform/x86/compal-laptop.c +@@ -1027,9 +1027,9 @@ static int compal_probe(struct platform_ + if (err) + return err; + +- hwmon_dev = hwmon_device_register_with_groups(&pdev->dev, +- DRIVER_NAME, data, +- compal_hwmon_groups); ++ hwmon_dev = devm_hwmon_device_register_with_groups(&pdev->dev, ++ DRIVER_NAME, data, ++ compal_hwmon_groups); + if (IS_ERR(hwmon_dev)) { + err = PTR_ERR(hwmon_dev); + goto remove; diff --git a/queue-3.14/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch b/queue-3.14/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch new file mode 100644 index 00000000000..c3752502bc6 --- /dev/null +++ b/queue-3.14/drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch @@ -0,0 +1,55 @@ +From 73cffdb65e679b98893f484063462c045adcf212 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Thu, 19 Mar 2015 08:11:34 -0700 +Subject: Drivers: hv: vmbus: Don't wait after requesting offers + +From: "K. Y. Srinivasan" + +commit 73cffdb65e679b98893f484063462c045adcf212 upstream. + +Don't wait after sending request for offers to the host. This wait is +unnecessary and simply adds 5 seconds to the boot time. + +Signed-off-by: K. Y. Srinivasan +Cc: +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel_mgmt.c | 12 +----------- + 1 file changed, 1 insertion(+), 11 deletions(-) + +--- a/drivers/hv/channel_mgmt.c ++++ b/drivers/hv/channel_mgmt.c +@@ -716,7 +716,7 @@ int vmbus_request_offers(void) + { + struct vmbus_channel_message_header *msg; + struct vmbus_channel_msginfo *msginfo; +- int ret, t; ++ int ret; + + msginfo = kmalloc(sizeof(*msginfo) + + sizeof(struct vmbus_channel_message_header), +@@ -724,8 +724,6 @@ int vmbus_request_offers(void) + if (!msginfo) + return -ENOMEM; + +- init_completion(&msginfo->waitevent); +- + msg = (struct vmbus_channel_message_header *)msginfo->msg; + + msg->msgtype = CHANNELMSG_REQUESTOFFERS; +@@ -739,14 +737,6 @@ int vmbus_request_offers(void) + goto cleanup; + } + +- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ); +- if (t == 0) { +- ret = -ETIMEDOUT; +- goto cleanup; +- } +- +- +- + cleanup: + kfree(msginfo); + diff --git a/queue-3.14/series b/queue-3.14/series index 79c0d53318a..f9e2013217a 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -17,3 +17,9 @@ drm-radeon-add-si-dpm-quirk-for-sapphire-r9-270-dual-x-2g-gddr5.patch usb-musb-use-new-usb_resume_timeout.patch usb-host-oxu210hp-use-new-usb_resume_timeout.patch usb-host-ehci-use-new-usb_resume_timeout.patch +usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch +staging-panel-fix-lcd-type.patch +drivers-hv-vmbus-don-t-wait-after-requesting-offers.patch +compal-laptop-fix-leaking-hwmon-device.patch +ubi-fix-soft-lockup-in-ubi_check_volume.patch +arc-signal-handling-robustify.patch diff --git a/queue-3.14/staging-panel-fix-lcd-type.patch b/queue-3.14/staging-panel-fix-lcd-type.patch new file mode 100644 index 00000000000..86f8bb71d3d --- /dev/null +++ b/queue-3.14/staging-panel-fix-lcd-type.patch @@ -0,0 +1,59 @@ +From 2c20d92dad5db6440cfa88d811b69fd605240ce4 Mon Sep 17 00:00:00 2001 +From: Sudip Mukherjee +Date: Tue, 24 Mar 2015 16:29:32 +0530 +Subject: staging: panel: fix lcd type + +From: Sudip Mukherjee + +commit 2c20d92dad5db6440cfa88d811b69fd605240ce4 upstream. + +the lcd type as defined in the Kconfig is not matching in the code. +as a result the rs, rw and en pins were getting interchanged. +Kconfig defines the value of PANEL_LCD to be 1 if we select custom +configuration but in the code LCD_TYPE_CUSTOM is defined as 5. + +my hardware is LCD_TYPE_CUSTOM, but the pins were assigned to it +as pins of LCD_TYPE_OLD, and it was not working. +Now values are corrected with referenece to the values defined in +Kconfig and it is working. +checked on JHD204A lcd with LCD_TYPE_CUSTOM configuration. + +Signed-off-by: Sudip Mukherjee +Acked-by: Willy Tarreau +[wt: backport to 3.10 and 3.14] +Signed-off-by: Willy Tarreau +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/panel/panel.c | 13 ++++++------- + 1 file changed, 6 insertions(+), 7 deletions(-) + +--- a/drivers/staging/panel/panel.c ++++ b/drivers/staging/panel/panel.c +@@ -275,11 +275,11 @@ static unsigned char lcd_bits[LCD_PORTS] + * LCD types + */ + #define LCD_TYPE_NONE 0 +-#define LCD_TYPE_OLD 1 +-#define LCD_TYPE_KS0074 2 +-#define LCD_TYPE_HANTRONIX 3 +-#define LCD_TYPE_NEXCOM 4 +-#define LCD_TYPE_CUSTOM 5 ++#define LCD_TYPE_CUSTOM 1 ++#define LCD_TYPE_OLD 2 ++#define LCD_TYPE_KS0074 3 ++#define LCD_TYPE_HANTRONIX 4 ++#define LCD_TYPE_NEXCOM 5 + + /* + * keypad types +@@ -457,8 +457,7 @@ MODULE_PARM_DESC(keypad_enabled, "Deprec + static int lcd_type = -1; + module_param(lcd_type, int, 0000); + MODULE_PARM_DESC(lcd_type, +- "LCD type: 0=none, 1=old //, 2=serial ks0074, " +- "3=hantronix //, 4=nexcom //, 5=compiled-in"); ++ "LCD type: 0=none, 1=compiled-in, 2=old, 3=serial ks0074, 4=hantronix, 5=nexcom"); + + static int lcd_proto = -1; + module_param(lcd_proto, int, 0000); diff --git a/queue-3.14/ubi-fix-soft-lockup-in-ubi_check_volume.patch b/queue-3.14/ubi-fix-soft-lockup-in-ubi_check_volume.patch new file mode 100644 index 00000000000..26cdfa412e4 --- /dev/null +++ b/queue-3.14/ubi-fix-soft-lockup-in-ubi_check_volume.patch @@ -0,0 +1,64 @@ +From 9aa272b492e7551a9ee0e2c83c720ea013698485 Mon Sep 17 00:00:00 2001 +From: hujianyang +Date: Tue, 30 Dec 2014 11:56:09 +0800 +Subject: UBI: fix soft lockup in ubi_check_volume() + +From: hujianyang + +commit 9aa272b492e7551a9ee0e2c83c720ea013698485 upstream. + +Running mtd-utils/tests/ubi-tests/io_basic.c could cause +soft lockup or watchdog reset. It is because *updatevol* +will perform ubi_check_volume() after updating finish +and this function will full scan the updated lebs if the +volume is initialized as STATIC_VOLUME. + +This patch adds *cond_resched()* in the loop of lebs scan +to avoid soft lockup. + +Helped by Richard Weinberger + +[ 2158.067096] INFO: rcu_sched self-detected stall on CPU { 1} (t=2101 jiffies g=1606 c=1605 q=56) +[ 2158.172867] CPU: 1 PID: 2073 Comm: io_basic Tainted: G O 3.10.53 #21 +[ 2158.172898] [] (unwind_backtrace+0x0/0x120) from [] (show_stack+0x10/0x14) +[ 2158.172918] [] (show_stack+0x10/0x14) from [] (rcu_check_callbacks+0x1c0/0x660) +[ 2158.172936] [] (rcu_check_callbacks+0x1c0/0x660) from [] (update_process_times+0x38/0x64) +[ 2158.172953] [] (update_process_times+0x38/0x64) from [] (tick_sched_handle+0x54/0x60) +[ 2158.172966] [] (tick_sched_handle+0x54/0x60) from [] (tick_sched_timer+0x44/0x74) +[ 2158.172978] [] (tick_sched_timer+0x44/0x74) from [] (__run_hrtimer+0xc8/0x1b8) +[ 2158.172992] [] (__run_hrtimer+0xc8/0x1b8) from [] (hrtimer_interrupt+0x128/0x2a4) +[ 2158.173007] [] (hrtimer_interrupt+0x128/0x2a4) from [] (arch_timer_handler_virt+0x28/0x30) +[ 2158.173022] [] (arch_timer_handler_virt+0x28/0x30) from [] (handle_percpu_devid_irq+0x9c/0x124) +[ 2158.173036] [] (handle_percpu_devid_irq+0x9c/0x124) from [] (generic_handle_irq+0x20/0x30) +[ 2158.173049] [] (generic_handle_irq+0x20/0x30) from [] (handle_IRQ+0x64/0x8c) +[ 2158.173060] [] (handle_IRQ+0x64/0x8c) from [] (gic_handle_irq+0x3c/0x60) +[ 2158.173074] [] (gic_handle_irq+0x3c/0x60) from [] (__irq_svc+0x40/0x50) +[ 2158.173083] Exception stack(0xc4043c98 to 0xc4043ce0) +[ 2158.173092] 3c80: c4043ce4 00000019 +[ 2158.173102] 3ca0: 1f8a865f c050ad10 1f8a864c 00000031 c04b5970 0003ebce 00000000 f3550000 +[ 2158.173113] 3cc0: bf00bc68 00000800 0003ebce c4043ce0 c0186d14 c0186cb8 80000013 ffffffff +[ 2158.173130] [] (__irq_svc+0x40/0x50) from [] (read_current_timer+0x4/0x38) +[ 2158.173145] [] (read_current_timer+0x4/0x38) from [<1f8a865f>] (0x1f8a865f) +[ 2183.927097] BUG: soft lockup - CPU#1 stuck for 22s! [io_basic:2073] +[ 2184.002229] Modules linked in: nandflash(O) [last unloaded: nandflash] + +Signed-off-by: Wang Kai +Signed-off-by: hujianyang +Signed-off-by: Richard Weinberger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/misc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mtd/ubi/misc.c ++++ b/drivers/mtd/ubi/misc.c +@@ -74,6 +74,8 @@ int ubi_check_volume(struct ubi_device * + for (i = 0; i < vol->used_ebs; i++) { + int size; + ++ cond_resched(); ++ + if (i == vol->used_ebs - 1) + size = vol->last_eb_bytes; + else diff --git a/queue-3.14/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch b/queue-3.14/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch new file mode 100644 index 00000000000..2753edfd28f --- /dev/null +++ b/queue-3.14/usb-gadget-printer-enqueue-printer-s-response-for-setup-request.patch @@ -0,0 +1,50 @@ +From eb132ccbdec5df46e29c9814adf76075ce83576b Mon Sep 17 00:00:00 2001 +From: Andrzej Pietrasiewicz +Date: Tue, 3 Mar 2015 10:52:05 +0100 +Subject: usb: gadget: printer: enqueue printer's response for setup request + +From: Andrzej Pietrasiewicz + +commit eb132ccbdec5df46e29c9814adf76075ce83576b upstream. + +Function-specific setup requests should be handled in such a way, that +apart from filling in the data buffer, the requests are also actually +enqueued: if function-specific setup is called from composte_setup(), +the "usb_ep_queue()" block of code in composite_setup() is skipped. + +The printer function lacks this part and it results in e.g. get device id +requests failing: the host expects some response, the device prepares it +but does not equeue it for sending to the host, so the host finally asserts +timeout. + +This patch adds enqueueing the prepared responses. + +Fixes: 2e87edf49227: "usb: gadget: make g_printer use composite" +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Felipe Balbi +[ported to stable 3.10 and 3.14] +Signed-off-by: Andrzej Pietrasiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/gadget/printer.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/gadget/printer.c ++++ b/drivers/usb/gadget/printer.c +@@ -975,6 +975,15 @@ unknown: + break; + } + /* host either stalls (value < 0) or reports success */ ++ if (value >= 0) { ++ req->length = value; ++ req->zero = value < wLength; ++ value = usb_ep_queue(cdev->gadget->ep0, req, GFP_ATOMIC); ++ if (value < 0) { ++ ERROR(dev, "%s:%d Error!\n", __func__, __LINE__); ++ req->status = 0; ++ } ++ } + return value; + } +