From: Greg Kroah-Hartman
Date: Fri, 3 Oct 2014 20:36:24 +0000 (-0700)
Subject: 3.14-stable patches
X-Git-Tag: v3.16.4~13
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b0356f3e939af297b06eb2f89233a75954332fd8;p=thirdparty%2Fkernel%2Fstable-queue.git

3.14-stable patches

added patches:
cpufreq-release-policy-rwsem-on-error.patch
fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch
media-adv7604-fix-inverted-condition.patch
media-af9035-new-ids-add-support-for-pctv-78e-and-pctv-79e.patch
media-cx18-fix-kernel-oops-with-tda8290-tuner.patch
nl80211-clear-skb-cb-before-passing-to-netlink.patch
---

diff --git a/queue-3.14/cpufreq-release-policy-rwsem-on-error.patch b/queue-3.14/cpufreq-release-policy-rwsem-on-error.patch
new file mode 100644
index 00000000000..f5a48e99e46
--- /dev/null
+++ b/queue-3.14/cpufreq-release-policy-rwsem-on-error.patch
@@ -0,0 +1,98 @@ +From 7106e02baed4a72fb23de56b02ad4d31daa74d95 Mon Sep 17 00:00:00 2001 +From: Prarit Bhargava +Date: Wed, 10 Sep 2014 10:12:08 -0400 +Subject: cpufreq: release policy->rwsem on error + +From: Prarit Bhargava + +commit 7106e02baed4a72fb23de56b02ad4d31daa74d95 upstream. + +While debugging a cpufreq-related hardware failure on a system I saw the +following lockdep warning: + + ========================= + [ BUG: held lock freed! ] 3.17.0-rc4+ #1 Tainted: G E + ------------------------- + insmod/2247 is freeing memory ffff88006e1b1400-ffff88006e1b17ff, with a lock still held there! + (&policy->rwsem){+.+...}, at: [] __cpufreq_add_dev.isra.21+0x47d/0xb80 + 3 locks held by insmod/2247: + #0: (subsys mutex#5){+.+.+.}, at: [] subsys_interface_register+0x69/0x120 + #1: (cpufreq_rwsem){.+.+.+}, at: [] __cpufreq_add_dev.isra.21+0x73/0xb80 + #2: (&policy->rwsem){+.+...}, at: [] __cpufreq_add_dev.isra.21+0x47d/0xb80 + + stack backtrace: + CPU: 0 PID: 2247 Comm: insmod Tainted: G E 3.17.0-rc4+ #1 + Hardware name: HP ProLiant MicroServer Gen8, BIOS J06 08/24/2013 + 0000000000000000 000000008f3063c4 ffff88006f87bb30 ffffffff8171b358 + ffff88006bcf3750 ffff88006f87bb68 ffffffff810e09e1 ffff88006e1b1400 + ffffea0001b86c00 ffffffff8156d327 ffff880073003500 0000000000000246 + Call Trace: + [] dump_stack+0x4d/0x66 + [] debug_check_no_locks_freed+0x171/0x180 + [] ? __cpufreq_add_dev.isra.21+0x427/0xb80 + [] kfree+0xab/0x2b0 + [] __cpufreq_add_dev.isra.21+0x427/0xb80 + [] ? _raw_spin_unlock+0x27/0x40 + [] ? pcc_cpufreq_do_osc+0x17f/0x17f [pcc_cpufreq] + [] cpufreq_add_dev+0xe/0x10 + [] subsys_interface_register+0xc1/0x120 + [] cpufreq_register_driver+0x112/0x340 + [] ? kfree+0xda/0x2b0 + [] ? pcc_cpufreq_do_osc+0x17f/0x17f [pcc_cpufreq] + [] pcc_cpufreq_init+0x4af/0xe81 [pcc_cpufreq] + [] ? pcc_cpufreq_do_osc+0x17f/0x17f [pcc_cpufreq] + [] do_one_initcall+0xd4/0x210 + [] ? __vunmap+0xd2/0x120 + [] load_module+0x1315/0x1b70 + [] ? store_uevent+0x70/0x70 + [] ? 
copy_module_from_fd.isra.44+0x129/0x180 + [] SyS_finit_module+0xa6/0xd0 + [] system_call_fastpath+0x16/0x1b + cpufreq: __cpufreq_add_dev: ->get() failed +insmod: ERROR: could not insert module pcc-cpufreq.ko: No such device + +The warning occurs in the __cpufreq_add_dev() code which does + + down_write(&policy->rwsem); + ... + if (cpufreq_driver->get && !cpufreq_driver->setpolicy) { + policy->cur = cpufreq_driver->get(policy->cpu); + if (!policy->cur) { + pr_err("%s: ->get() failed\n", __func__); + goto err_get_freq; + } + +If cpufreq_driver->get(policy->cpu) returns an error we execute the +code at err_get_freq, which does not up the policy->rwsem. This causes +the lockdep warning. + +Trivial patch to up the policy->rwsem in the error path. + +After the patch has been applied, and an error occurs in the +cpufreq_driver->get(policy->cpu) call we will now see + +cpufreq: __cpufreq_add_dev: ->get() failed +cpufreq: __cpufreq_add_dev: ->get() failed +modprobe: ERROR: could not insert 'pcc_cpufreq': No such device + +Fixes: 4e97b631f24c (cpufreq: Initialize governor for a new policy under policy->rwsem) +Signed-off-by: Prarit Bhargava +Acked-by: Viresh Kumar +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpufreq/cpufreq.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/cpufreq/cpufreq.c ++++ b/drivers/cpufreq/cpufreq.c +@@ -1225,6 +1225,8 @@ err_get_freq: + per_cpu(cpufreq_cpu_data, j) = NULL; + write_unlock_irqrestore(&cpufreq_driver_lock, flags); + ++ up_write(&policy->rwsem); ++ + if (cpufreq_driver->exit) + cpufreq_driver->exit(policy); + err_set_policy_cpu: diff --git a/queue-3.14/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch b/queue-3.14/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch new file mode 100644 index 00000000000..c37ab9dc80f --- /dev/null +++ b/queue-3.14/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch 
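Review bot: The `up_write(&policy->rwsem);` added under `err_get_freq:` runs for every path that reaches that label, including any label that falls through into it, so each of those paths must already hold the write lock in the 3.14 tree; the hunk shows only the label, not the jumps to it. If one of them arrives without a prior `down_write()`, the semaphore is released unbalanced, which is as hard to trace as the held-lock free this patch fixes. A one-line comment above the call would record the invariant for later backports, for example `/* every goto that lands here holds policy->rwsem for writing */`. __cpufreq_add_dev() starts and ends outside the hunk, so this needs checking against the full function.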
@@ -0,0 +1,73 @@ +From f2d5a94436cc7cc0221b9a81bba2276a25187dd3 Mon Sep 17 00:00:00 2001 +From: Anton Altaparmakov +Date: Mon, 22 Sep 2014 01:53:03 +0100 +Subject: Fix nasty 32-bit overflow bug in buffer i/o code. + +From: Anton Altaparmakov + +commit f2d5a94436cc7cc0221b9a81bba2276a25187dd3 upstream. + +On 32-bit architectures, the legacy buffer_head functions are not always +handling the sector number with the proper 64-bit types, and will thus +fail on 4TB+ disks. + +Any code that uses __getblk() (and thus bread(), breadahead(), +sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit +block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop +in __getblk_slow() with an infinite stream of errors logged to dmesg +like this: + + __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648 + b_state=0x00000020, b_size=512 + device sda1 blocksize: 512 + +Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the +top 32-bits are missing (in this case the 0x1 at the top). + +This is because grow_dev_page() is broken and has a 32-bit overflow due +to shifting the page index value (a pgoff_t - which is just 32 bits on +32-bit architectures) left-shifted as the block number. But the top +bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit +before the shift. + +This patch fixes this issue by type casting "index" to sector_t before +doing the left shift. + +Note this is not a theoretical bug but has been seen in the field on a +4TiB hard drive with logical sector size 512 bytes. + +This patch has been verified to fix the infinite loop problem on 3.17-rc5 +kernel using a 4TB disk image mounted using "-o loop". Without this patch +doing a "find /nt" where /nt is an NTFS volume causes the inifinite loop +100% reproducibly whilst with the patch it works fine as expected. 
+ +Signed-off-by: Anton Altaparmakov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -1029,7 +1029,8 @@ grow_dev_page(struct block_device *bdev, + bh = page_buffers(page); + if (bh->b_size == size) { + end_block = init_page_buffers(page, bdev, +- index << sizebits, size); ++ (sector_t)index << sizebits, ++ size); + goto done; + } + if (!try_to_free_buffers(page)) +@@ -1050,7 +1051,8 @@ grow_dev_page(struct block_device *bdev, + */ + spin_lock(&inode->i_mapping->private_lock); + link_dev_buffers(page, bh); +- end_block = init_page_buffers(page, bdev, index << sizebits, size); ++ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits, ++ size); + spin_unlock(&inode->i_mapping->private_lock); + done: + ret = (block < end_block) ? 1 : -ENXIO; diff --git a/queue-3.14/media-adv7604-fix-inverted-condition.patch b/queue-3.14/media-adv7604-fix-inverted-condition.patch new file mode 100644 index 00000000000..3c427755124 --- /dev/null +++ b/queue-3.14/media-adv7604-fix-inverted-condition.patch 
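Review bot: The `(sector_t)index << sizebits` cast is repeated at both `init_page_buffers()` call sites in grow_dev_page(), so a later call added without it would bring back the 32-bit truncation. Computing the value once, e.g. `sector_t first_block = (sector_t)index << sizebits;` near the top of the function and passing `first_block` in both places, keeps the widening in one spot. The cast only helps where sector_t is wider than pgoff_t, which presumably depends on how the 32-bit kernel is configured for large block devices; a short comment next to the local saying so would help the next reader. The function's declarations are outside the hunk.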
@@ -0,0 +1,31 @@ +From 77639ff2b3404a913b8037d230a384798b854bae Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Fri, 12 Sep 2014 06:02:02 -0300 +Subject: media: adv7604: fix inverted condition + +From: Hans Verkuil + +commit 77639ff2b3404a913b8037d230a384798b854bae upstream. + +The log_status function should show HDMI information, but the test checking for +an HDMI input was inverted. Fix this. + +Signed-off-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/i2c/adv7604.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/i2c/adv7604.c ++++ b/drivers/media/i2c/adv7604.c +@@ -1984,7 +1984,7 @@ static int adv7604_log_status(struct v4l + v4l2_info(sd, "HDCP keys read: %s%s\n", + (hdmi_read(sd, 0x04) & 0x20) ? "yes" : "no", + (hdmi_read(sd, 0x04) & 0x10) ? "ERROR" : ""); +- if (!is_hdmi(sd)) { ++ if (is_hdmi(sd)) { + bool audio_pll_locked = hdmi_read(sd, 0x04) & 0x01; + bool audio_sample_packet_detect = hdmi_read(sd, 0x18) & 0x01; + bool audio_mute = io_read(sd, 0x65) & 0x40; diff --git a/queue-3.14/media-af9035-new-ids-add-support-for-pctv-78e-and-pctv-79e.patch b/queue-3.14/media-af9035-new-ids-add-support-for-pctv-78e-and-pctv-79e.patch new file mode 100644 index 00000000000..49f803d3245 --- /dev/null +++ b/queue-3.14/media-af9035-new-ids-add-support-for-pctv-78e-and-pctv-79e.patch 
@@ -0,0 +1,50 @@ +From a04646c045cab08a9e62b9be8f01ecbb0632d24e Mon Sep 17 00:00:00 2001 +From: Malcolm Priestley +Date: Tue, 5 Aug 2014 06:19:16 -0300 +Subject: media: af9035: new IDs: add support for PCTV 78e and PCTV 79e + +From: Malcolm Priestley + +commit a04646c045cab08a9e62b9be8f01ecbb0632d24e upstream. + +add the following IDs +USB_PID_PCTV_78E (0x025a) for PCTV 78e +USB_PID_PCTV_79E (0x0262) for PCTV 79e + +For these it9135 devices. + +Signed-off-by: Malcolm Priestley +Cc: Antti Palosaari +Signed-off-by: Antti Palosaari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb-core/dvb-usb-ids.h | 2 ++ + drivers/media/usb/dvb-usb-v2/af9035.c | 4 ++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/media/dvb-core/dvb-usb-ids.h ++++ b/drivers/media/dvb-core/dvb-usb-ids.h +@@ -279,6 +279,8 @@ + #define USB_PID_PCTV_400E 0x020f + #define USB_PID_PCTV_450E 0x0222 + #define USB_PID_PCTV_452E 0x021f ++#define USB_PID_PCTV_78E 0x025a ++#define USB_PID_PCTV_79E 0x0262 + #define USB_PID_REALTEK_RTL2831U 0x2831 + #define USB_PID_REALTEK_RTL2832U 0x2832 + #define USB_PID_TECHNOTREND_CONNECT_S2_3600 0x3007 +--- a/drivers/media/usb/dvb-usb-v2/af9035.c ++++ b/drivers/media/usb/dvb-usb-v2/af9035.c +@@ -1541,6 +1541,10 @@ static const struct usb_device_id af9035 + &af9035_props, "Leadtek WinFast DTV Dongle Dual", NULL) }, + { DVB_USB_DEVICE(USB_VID_HAUPPAUGE, 0xf900, + &af9035_props, "Hauppauge WinTV-MiniStick 2", NULL) }, ++ { DVB_USB_DEVICE(USB_VID_PCTV, USB_PID_PCTV_78E, ++ &af9035_props, "PCTV 78e", RC_MAP_IT913X_V1) }, ++ { DVB_USB_DEVICE(USB_VID_PCTV, USB_PID_PCTV_79E, ++ &af9035_props, "PCTV 79e", RC_MAP_IT913X_V2) }, + { } + }; + MODULE_DEVICE_TABLE(usb, af9035_id_table); diff --git a/queue-3.14/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch b/queue-3.14/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch new file mode 100644 index 00000000000..a052d7df8ea --- /dev/null 
+++ b/queue-3.14/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch @@ -0,0 +1,34 @@ +From 6a03dc92cc2edfa2257502557b9f714893987383 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 26 Aug 2014 02:59:53 -0300 +Subject: media: cx18: fix kernel oops with tda8290 tuner + +From: Hans Verkuil + +commit 6a03dc92cc2edfa2257502557b9f714893987383 upstream. + +This was caused by an uninitialized setup.config field. + +Based on a suggestion from Devin Heitmueller. + +Signed-off-by: Hans Verkuil +Thanks-to: Devin Heitmueller +Reported-by: Scott Robinson +Tested-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/cx18/cx18-driver.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/pci/cx18/cx18-driver.c ++++ b/drivers/media/pci/cx18/cx18-driver.c +@@ -1091,6 +1091,7 @@ static int cx18_probe(struct pci_dev *pc + setup.addr = ADDR_UNSET; + setup.type = cx->options.tuner; + setup.mode_mask = T_ANALOG_TV; /* matches TV tuners */ ++ setup.config = NULL; + if (cx->options.radio > 0) + setup.mode_mask |= T_RADIO; + setup.tuner_callback = (setup.type == TUNER_XC2028) ? diff --git a/queue-3.14/nl80211-clear-skb-cb-before-passing-to-netlink.patch b/queue-3.14/nl80211-clear-skb-cb-before-passing-to-netlink.patch new file mode 100644 index 00000000000..083bbe19f03 --- /dev/null +++ b/queue-3.14/nl80211-clear-skb-cb-before-passing-to-netlink.patch 
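Review bot: Setting `setup.config = NULL;` closes this one uninitialized field, but the structure is still filled member by member in cx18_probe(), so any member not assigned here is passed on holding stale stack contents. Zeroing the whole structure before the assignments, `memset(&setup, 0, sizeof(setup));`, would cover `config` and anything added to the struct later. The declaration of `setup` is outside the hunk, so whether it already carries an initializer cannot be seen here, although the reported oops suggests it does not.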
@@ -0,0 +1,50 @@ +From bd8c78e78d5011d8111bc2533ee73b13a3bd6c42 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 30 Jul 2014 14:55:26 +0200 +Subject: nl80211: clear skb cb before passing to netlink + +From: Johannes Berg + +commit bd8c78e78d5011d8111bc2533ee73b13a3bd6c42 upstream. + +In testmode and vendor command reply/event SKBs we use the +skb cb data to store nl80211 parameters between allocation +and sending. This causes the code for CONFIG_NETLINK_MMAP +to get confused, because it takes ownership of the skb cb +data when the SKB is handed off to netlink, and it doesn't +explicitly clear it. + +Clear the skb cb explicitly when we're done and before it +gets passed to netlink to avoid this issue. + +Reported-by: Assaf Azulay +Reported-by: David Spinadel +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/nl80211.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -6796,6 +6796,9 @@ void __cfg80211_send_event_skb(struct sk + struct nlattr *data = ((void **)skb->cb)[2]; + enum nl80211_multicast_groups mcgrp = NL80211_MCGRP_TESTMODE; + ++ /* clear CB data for netlink core to own from now on */ ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ + nla_nest_end(skb, data); + genlmsg_end(skb, hdr); + +@@ -9075,6 +9078,9 @@ int cfg80211_vendor_cmd_reply(struct sk_ + void *hdr = ((void **)skb->cb)[1]; + struct nlattr *data = ((void **)skb->cb)[2]; + ++ /* clear CB data for netlink core to own from now on */ ++ memset(skb->cb, 0, sizeof(skb->cb)); ++ + if (WARN_ON(!rdev->cur_cmd_info)) { + kfree_skb(skb); + return -EINVAL; diff --git a/queue-3.14/series b/queue-3.14/series index 3aa8323ac3f..0727c7f3111 100644 --- a/queue-3.14/series +++ b/queue-3.14/series 
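Review bot: The `memset(skb->cb, 0, sizeof(skb->cb));` added to __cfg80211_send_event_skb() and cfg80211_vendor_cmd_reply() is only correct because it sits after the last read of the `((void **)skb->cb)[n]` slots, and the new comment does not say so. A declaration moved below it, or another cb read added later, would silently yield NULL pointers. I would extend the comment in both places to `/* all cb slots were read above; clear CB data for netlink core to own from now on */`. Both functions begin above their hunks, so the earlier slot reads are presumably there but are not visible.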
@@ -206,3 +206,9 @@ perf-fix-a-race-condition-in-perf_remove_from_context.patch
 vgaswitcheroo-add-vga_switcheroo_fini_domain_pm_ops.patch
 drm-nouveau-runpm-fix-module-unload.patch
 drm-radeon-px-fix-module-unload.patch
+fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch
+nl80211-clear-skb-cb-before-passing-to-netlink.patch
+cpufreq-release-policy-rwsem-on-error.patch
+media-af9035-new-ids-add-support-for-pctv-78e-and-pctv-79e.patch
+media-cx18-fix-kernel-oops-with-tda8290-tuner.patch
+media-adv7604-fix-inverted-condition.patch