From: Greg Kroah-Hartman
Date: Tue, 26 Mar 2013 17:38:42 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.0.71~18
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2d517dc1727c3d78ba6e969cb3921bccbe0be1b;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches
added patches:
drm-i915-bounds-check-execbuffer-relocation-count.patch
kms-fix-edid-detailed-timing-frame-rate.patch
kms-fix-edid-detailed-timing-vsync-parsing.patch
mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch
rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch
target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch
tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
tracing-fix-race-in-snapshot-swapping.patch
---
diff --git a/queue-3.4/drm-i915-bounds-check-execbuffer-relocation-count.patch b/queue-3.4/drm-i915-bounds-check-execbuffer-relocation-count.patch
new file mode 100644
index 00000000000..d4da30d9f05
--- /dev/null
+++ b/queue-3.4/drm-i915-bounds-check-execbuffer-relocation-count.patch
@@ -0,0 +1,53 @@
+From 3118a4f652c7b12c752f3222af0447008f9b2368 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Mon, 11 Mar 2013 17:31:45 -0700
+Subject: drm/i915: bounds check execbuffer relocation count
+
+From: Kees Cook
+
+commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream.
+
+It is possible to wrap the counter used to allocate the buffer for
+relocation copies. This could lead to heap writing overflows.
+
+CVE-2013-0913
+
+v3: collapse test, improve comment
+v2: move check into validate_exec_list
+
+Signed-off-by: Kees Cook
+Reported-by: Pinkie Pie
+Reviewed-by: Chris Wilson
+Signed-off-by: Daniel Vetter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -957,15 +957,20 @@ validate_exec_list(struct drm_i915_gem_e
+ int count)
+ {
+ int i;
++ int relocs_total = 0;
++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry);
+
+ for (i = 0; i < count; i++) {
+ char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr;
+ int length; /* limited by fault_in_pages_readable() */
+
+- /* First check for malicious input causing overflow */
+- if (exec[i].relocation_count >
+- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry))
++ /* First check for malicious input causing overflow in
++ * the worst case where we need to allocate the entire
++ * relocation tree as a single array.
++ */
++ if (exec[i].relocation_count > relocs_max - relocs_total)
+ return -EINVAL;
++ relocs_total += exec[i].relocation_count;
+
+ length = exec[i].relocation_count *
+ sizeof(struct drm_i915_gem_relocation_entry);
diff --git a/queue-3.4/kms-fix-edid-detailed-timing-frame-rate.patch b/queue-3.4/kms-fix-edid-detailed-timing-frame-rate.patch
new file mode 100644
index 00000000000..be08ab9c822
--- /dev/null
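Review bot: The new accumulator in validate_exec_list is declared as `int relocs_total` and `int relocs_max`, and the guard `exec[i].relocation_count > relocs_max - relocs_total` is sound only because relocs_total can never exceed relocs_max, which keeps the subtraction non-negative before it is compared with the count. If relocation_count is an unsigned 32-bit field (its declaration is not in the hunk), the comparison is performed unsigned and that invariant is the only thing keeping it correct. Declaring both locals `unsigned int` and adding a comment such as `/* relocs_total <= relocs_max always holds, so the subtraction cannot wrap */` would make the reasoning explicit. The allocation this bound protects is outside the hunk, so confirm that the 3.4 tree sizes it from the same per-call total; validate_exec_list itself continues past the end of the hunk.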
+++ b/queue-3.4/kms-fix-edid-detailed-timing-frame-rate.patch
@@ -0,0 +1,36 @@
+From c19b3b0f6eed552952845e4ad908dba2113d67b4 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe
+Date: Sat, 23 Mar 2013 15:39:34 +0100
+Subject: KMS: fix EDID detailed timing frame rate
+
+From: Torsten Duwe
+
+commit c19b3b0f6eed552952845e4ad908dba2113d67b4 upstream.
+
+When KMS has parsed an EDID "detailed timing", it leaves the frame rate
+zeroed. Consecutive (debug-) output of that mode thus yields 0 for
+vsync. This simple fix also speeds up future invocations of
+drm_mode_vrefresh().
+
+While it is debatable whether this qualifies as a -stable fix I'd apply
+it for consistency's sake; drm_helper_probe_single_connector_modes()
+does the same thing already for all probed modes.
+
+Signed-off-by: Torsten Duwe
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -917,6 +917,7 @@ set_size:
+ }
+
+ mode->type = DRM_MODE_TYPE_DRIVER;
++ mode->vrefresh = drm_mode_vrefresh(mode);
+ drm_mode_set_name(mode);
+
+ return mode;
diff --git a/queue-3.4/kms-fix-edid-detailed-timing-vsync-parsing.patch b/queue-3.4/kms-fix-edid-detailed-timing-vsync-parsing.patch
new file mode 100644
index 00000000000..ff3cde39455
--- /dev/null
+++ b/queue-3.4/kms-fix-edid-detailed-timing-vsync-parsing.patch
@@ -0,0 +1,40 @@
+From 16dad1d743d31a104a849c8944e6b9eb479f6cd7 Mon Sep 17 00:00:00 2001
+From: Torsten Duwe
+Date: Sat, 23 Mar 2013 15:38:22 +0100
+Subject: KMS: fix EDID detailed timing vsync parsing
+
+From: Torsten Duwe
+
+commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream.
+
+EDID spreads some values across multiple bytes; bit-fiddling is needed
+to retrieve these. The current code to parse "detailed timings" has a
+cut&paste error that results in a vsync offset of at most 15 lines
+instead of 63.
+
+See
+
+ http://en.wikipedia.org/wiki/EDID
+
+and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why
+that needs to be a left shift.
+
+Signed-off-by: Torsten Duwe
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/drm_edid.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/drm_edid.c
++++ b/drivers/gpu/drm/drm_edid.c
+@@ -836,7 +836,7 @@ static struct drm_display_mode *drm_mode
+ unsigned vblank = (pt->vactive_vblank_hi & 0xf) << 8 | pt->vblank_lo;
+ unsigned hsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc0) << 2 | pt->hsync_offset_lo;
+ unsigned hsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x30) << 4 | pt->hsync_pulse_width_lo;
+- unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) >> 2 | pt->vsync_offset_pulse_width_lo >> 4;
++ unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4;
+ unsigned vsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x3) << 4 | (pt->vsync_offset_pulse_width_lo & 0xf);
+
+ /* ignore tiny modes */
diff --git a/queue-3.4/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch b/queue-3.4/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
new file mode 100644
index 00000000000..3e99d4a9171
--- /dev/null
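Review bot: The corrected `vsync_offset` initializer still mixes `<<`, `|` and `>>` with no parentheses around either shifted operand, so the only visible difference between the wrong and the right line is a single `>>` versus `<<`. Grouping the two halves, `((pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2) | (pt->vsync_offset_pulse_width_lo >> 4)`, would show that two high bits are placed above four low bits and make a repeat of the cut-and-paste error easier to spot. A short comment naming the EDID bytes the commit message refers to would help as well. The enclosing function begins before the hunk and continues after it.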
+++ b/queue-3.4/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch 
@@ -0,0 +1,65 @@
+From d00285884c0892bb1310df96bce6056e9ce9b9d9 Mon Sep 17 00:00:00 2001
+From: Wanpeng Li
+Date: Fri, 22 Mar 2013 15:04:40 -0700
+Subject: mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting
+
+From: Wanpeng Li
+
+commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream.
+
+hugetlb_total_pages is used for overcommit calculations but the current
+implementation considers only the default hugetlb page size (which is
+either the first defined hugepage size or the one specified by
+default_hugepagesz kernel boot parameter).
+
+If the system is configured for more than one hugepage size, which is
+possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page
+sizes") then the overcommit estimation done by __vm_enough_memory()
+(resp. shown by meminfo_proc_show) is not precise - there is an
+impression of more available/allowed memory. This can lead to an
+unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted.
+
+Testcase:
+ boot: hugepagesz=1G hugepages=1
+ the default overcommit ratio is 50
+ before patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 55434168 kB
+
+ after patch:
+
+ egrep 'CommitLimit' /proc/meminfo
+ CommitLimit: 54909880 kB
+
+[akpm@linux-foundation.org: coding-style tweak]
+Signed-off-by: Wanpeng Li
+Acked-by: Michal Hocko
+Cc: "Aneesh Kumar K.V"
+Cc: Hillf Danton
+Cc: KAMEZAWA Hiroyuki
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/hugetlb.c | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/mm/hugetlb.c
++++ b/mm/hugetlb.c
+@@ -2096,8 +2096,12 @@ int hugetlb_report_node_meminfo(int nid,
+ /* Return the number pages of memory we physically have, in PAGE_SIZE units. */
+ unsigned long hugetlb_total_pages(void)
+ {
+- struct hstate *h = &default_hstate;
+- return h->nr_huge_pages * pages_per_huge_page(h);
++ struct hstate *h;
++ unsigned long nr_total_pages = 0;
++
++ for_each_hstate(h)
++ nr_total_pages += h->nr_huge_pages * pages_per_huge_page(h);
++ return nr_total_pages;
+ }
+
+ static int hugetlb_acct_memory(struct hstate *h, long delta)
diff --git a/queue-3.4/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch b/queue-3.4/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
new file mode 100644
index 00000000000..c35a5b9e792
--- /dev/null
+++ b/queue-3.4/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
@@ -0,0 +1,40 @@
+From 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c Mon Sep 17 00:00:00 2001
+From: Bing Zhao
+Date: Thu, 7 Mar 2013 20:00:16 -0800
+Subject: mwifiex: fix potential out-of-boundary access to ibss rate table
+
+From: Bing Zhao
+
+commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream.
+
+smatch found this error:
+
+CHECK drivers/net/wireless/mwifiex/join.c
+ drivers/net/wireless/mwifiex/join.c:1121
+ mwifiex_cmd_802_11_ad_hoc_join()
+ error: testing array offset 'i' after use.
+
+Signed-off-by: Bing Zhao
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/mwifiex/join.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/mwifiex/join.c
++++ b/drivers/net/wireless/mwifiex/join.c
+@@ -1049,10 +1049,9 @@ mwifiex_cmd_802_11_ad_hoc_join(struct mw
+ adhoc_join->bss_descriptor.bssid,
+ adhoc_join->bss_descriptor.ssid);
+
+- for (i = 0; bss_desc->supported_rates[i] &&
+- i < MWIFIEX_SUPPORTED_RATES;
+- i++)
+- ;
++ for (i = 0; i < MWIFIEX_SUPPORTED_RATES &&
++ bss_desc->supported_rates[i]; i++)
++ ;
+ rates_size = i;
+
+ /* Copy Data Rates from the Rates recorded in scan response */
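Review bot: Nothing in the mwifiex hunk records that the operand order of the new loop condition is what prevents the out-of-bounds read, and an empty-bodied `for` ending in a lone `;` is the kind of code a later cleanup reshuffles. A comment directly above the loop, for example `/* test the index before reading supported_rates[i] */`, would keep the bound check in front of the element access. The comment at the end of the hunk says the rates come from a scan response, so the copy that uses `rates_size` (outside the hunk) appears to depend on this bound for data received over the air. mwifiex_cmd_802_11_ad_hoc_join begins before the hunk and continues after it.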
diff --git a/queue-3.4/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch b/queue-3.4/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch
new file mode 100644
index 00000000000..84cc27b8a10
--- /dev/null
+++ b/queue-3.4/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch
@@ -0,0 +1,142 @@ +From 9437a248e7cac427c898bdb11bd1ac6844a1ead4 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 13 Mar 2013 10:28:13 -0500 +Subject: rtlwifi: rtl8192cu: Fix problem that prevents reassociation + +From: Larry Finger + +commit 9437a248e7cac427c898bdb11bd1ac6844a1ead4 upstream. + +The driver was failing to clear the BSSID when a disconnect happened. That +prevented a reconnection. This problem is reported at +https://bugzilla.redhat.com/show_bug.cgi?id=789605, +https://bugzilla.redhat.com/show_bug.cgi?id=866786, +https://bugzilla.redhat.com/show_bug.cgi?id=906734, and +https://bugzilla.kernel.org/show_bug.cgi?id=46171. + +Thanks to Jussi Kivilinna for making the critical observation +that led to the solution. + +Reported-by: Jussi Kivilinna +Tested-by: Jussi Kivilinna +Tested-by: Alessandro Lannocca +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 87 +++++++++++----------------- + 1 file changed, 35 insertions(+), 52 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c +@@ -1377,74 +1377,57 @@ void rtl92cu_card_disable(struct ieee802 + + void rtl92cu_set_check_bssid(struct ieee80211_hw *hw, bool check_bssid) + { +- /* dummy routine needed for callback from rtl_op_configure_filter() */ +-} +- +-/*========================================================================== */ +- +-static void _rtl92cu_set_check_bssid(struct ieee80211_hw *hw, +- enum nl80211_iftype type) +-{ + struct rtl_priv *rtlpriv = rtl_priv(hw); +- u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR); + struct rtl_hal *rtlhal = rtl_hal(rtlpriv); +- struct rtl_phy *rtlphy = &(rtlpriv->phy); +- u8 filterout_non_associated_bssid = false; ++ u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR); + +- switch (type) { +- case NL80211_IFTYPE_ADHOC: +- case NL80211_IFTYPE_STATION: +- filterout_non_associated_bssid = true; +- break; 
+- case NL80211_IFTYPE_UNSPECIFIED: +- case NL80211_IFTYPE_AP: +- default: +- break; +- } +- if (filterout_non_associated_bssid) { ++ if (rtlpriv->psc.rfpwr_state != ERFON) ++ return; ++ ++ if (check_bssid) { ++ u8 tmp; + if (IS_NORMAL_CHIP(rtlhal->version)) { +- switch (rtlphy->current_io_type) { +- case IO_CMD_RESUME_DM_BY_SCAN: +- reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN); +- rtlpriv->cfg->ops->set_hw_reg(hw, +- HW_VAR_RCR, (u8 *)(®_rcr)); +- /* enable update TSF */ +- _rtl92cu_set_bcn_ctrl_reg(hw, 0, BIT(4)); +- break; +- case IO_CMD_PAUSE_DM_BY_SCAN: +- reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN); +- rtlpriv->cfg->ops->set_hw_reg(hw, +- HW_VAR_RCR, (u8 *)(®_rcr)); +- /* disable update TSF */ +- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0); +- break; +- } ++ reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN); ++ tmp = BIT(4); + } else { +- reg_rcr |= (RCR_CBSSID); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, 0, (BIT(4)|BIT(5))); ++ reg_rcr |= RCR_CBSSID; ++ tmp = BIT(4) | BIT(5); + } +- } else if (filterout_non_associated_bssid == false) { ++ rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, ++ (u8 *) (®_rcr)); ++ _rtl92cu_set_bcn_ctrl_reg(hw, 0, tmp); ++ } else { ++ u8 tmp; + if (IS_NORMAL_CHIP(rtlhal->version)) { +- reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN)); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0); ++ reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN); ++ tmp = BIT(4); + } else { +- reg_rcr &= (~RCR_CBSSID); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, (BIT(4)|BIT(5)), 0); ++ reg_rcr &= ~RCR_CBSSID; ++ tmp = BIT(4) | BIT(5); + } ++ reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN)); ++ rtlpriv->cfg->ops->set_hw_reg(hw, ++ HW_VAR_RCR, (u8 *) (®_rcr)); ++ _rtl92cu_set_bcn_ctrl_reg(hw, tmp, 0); + } + } + ++/*========================================================================== */ 
++ + int rtl92cu_set_network_type(struct ieee80211_hw *hw, enum nl80211_iftype type) + { ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ + if (_rtl92cu_set_media_status(hw, type)) + return -EOPNOTSUPP; +- _rtl92cu_set_check_bssid(hw, type); ++ ++ if (rtlpriv->mac80211.link_state == MAC80211_LINKED) { ++ if (type != NL80211_IFTYPE_AP) ++ rtl92cu_set_check_bssid(hw, true); ++ } else { ++ rtl92cu_set_check_bssid(hw, false); ++ } ++ + return 0; + } + diff --git a/queue-3.4/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch b/queue-3.4/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch new file mode 100644 index 00000000000..808c6ef7a4e --- /dev/null +++ b/queue-3.4/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch 
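Review bot: In the `else` branch of the rewritten rtl92cu_set_check_bssid (check_bssid false), the statement `reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN));` runs after the inner if/else has already cleared the chip-specific bits. For normal chips it repeats the mask just applied, and for other chips it clears two bits that the matching enable path never sets. It reads like a leftover from the removed code; either drop it or add a comment explaining why both masks must be cleared on every chip. `u8 tmp;` is declared separately in both branches and could be a single declaration at the top of the function. The early `return` when `rfpwr_state != ERFON` leaves the filter untouched without a trace, so a one-line comment on why that is safe would help the next reader.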
@@ -0,0 +1,60 @@
+From 664899786cb49cb52f620e06ac19c0be524a7cfa Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Wed, 27 Feb 2013 14:10:30 -0600
+Subject: rtlwifi: rtl8192cu: Fix schedule while atomic bug splat
+
+From: Larry Finger
+
+commit 664899786cb49cb52f620e06ac19c0be524a7cfa upstream.
+
+When run at debug 3 or higher, rtl8192cu reports a BUG as follows:
+
+BUG: scheduling while atomic: kworker/u:0/5281/0x00000002
+INFO: lockdep is turned off.
+Modules linked in: rtl8192cu rtl8192c_common rtlwifi fuse af_packet bnep bluetooth b43 mac80211 cfg80211 ipv6 snd_hda_codec_conexant kvm_amd k
+vm snd_hda_intel snd_hda_codec bcma rng_core snd_pcm ssb mmc_core snd_seq snd_timer snd_seq_device snd i2c_nforce2 sr_mod pcmcia forcedeth i2c_core soundcore
+ cdrom sg serio_raw k8temp hwmon joydev ac battery pcmcia_core snd_page_alloc video button wmi autofs4 ext4 mbcache jbd2 crc16 thermal processor scsi_dh_alua
+ scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic pata_acpi pata_amd [last unloaded: rtlwifi]
+Pid: 5281, comm: kworker/u:0 Tainted: G W 3.8.0-wl+ #119
+Call Trace:
+ [] __schedule_bug+0x62/0x70
+ [] __schedule+0x730/0xa30
+ [] ? usb_hcd_link_urb_to_ep+0x19/0xa0
+ [] schedule+0x24/0x70
+ [] schedule_timeout+0x18c/0x2f0
+ [] ? wait_for_common+0x40/0x180
+ [] ? ehci_urb_enqueue+0xf1/0xee0
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] wait_for_common+0xe5/0x180
+ [] ? try_to_wake_up+0x2d0/0x2d0
+ [] wait_for_completion_timeout+0xe/0x10
+ [] usb_start_wait_urb+0x8c/0x100
+ [] usb_control_msg+0xd9/0x130
+ [] _usb_read_sync+0xcd/0x140 [rtlwifi]
+ [] _usb_read32_sync+0xe/0x10 [rtlwifi]
+ [] rtl92cu_update_hal_rate_table+0x1a5/0x1f0 [rtl8192cu]
+
+The cause is a synchronous read from routine rtl92cu_update_hal_rate_table().
+The resulting output is not critical, thus the debug statement is
+deleted.
+
+Reported-by: Jussi Kivilinna
+Signed-off-by: Larry Finger
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c
+@@ -2059,8 +2059,6 @@ void rtl92cu_update_hal_rate_table(struc
+ (shortgi_rate << 4) | (shortgi_rate);
+ }
+ rtl_write_dword(rtlpriv, REG_ARFR0 + ratr_index * 4, ratr_value);
+- RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, "%x\n",
+- rtl_read_dword(rtlpriv, REG_ARFR0));
+ }
+
+ void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, u8 rssi_level)
diff --git a/queue-3.4/series b/queue-3.4/series
index 2fa36e62c93..56bd4e9ff52 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -33,3 +33,13 @@ alsa-hda-fix-typo-in-checking-iec958-emphasis-bit.patch
 alsa-snd-usb-mixer-propagate-errors-up-the-call-chain.patch
 alsa-snd-usb-mixer-ignore-einval-in-snd_usb_mixer_controls.patch
 drm-i915-restrict-kernel-address-leak-in-debugfs.patch
+tracing-fix-race-in-snapshot-swapping.patch
+tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
+rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch
+rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch
+mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch
+drm-i915-bounds-check-execbuffer-relocation-count.patch
+kms-fix-edid-detailed-timing-vsync-parsing.patch
+kms-fix-edid-detailed-timing-frame-rate.patch
+mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch
+target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch
diff --git a/queue-3.4/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch b/queue-3.4/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch
new file mode 100644
index 00000000000..0207085c6e3
--- /dev/null
+++ b/queue-3.4/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch
@@ -0,0 +1,42 @@
+From 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 Mon Sep 17 00:00:00 2001
+From: Andy Grover
+Date: Mon, 4 Mar 2013 13:52:09 -0800
+Subject: target/iscsi: Fix mutual CHAP auth on big-endian arches
+
+From: Andy Grover
+
+commit 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 upstream.
+
+See https://bugzilla.redhat.com/show_bug.cgi?id=916290
+
+Used a temp var since we take its address in sg_init_one.
+
+Signed-off-by: Andy Grover
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_auth.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/drivers/target/iscsi/iscsi_target_auth.c
++++ b/drivers/target/iscsi/iscsi_target_auth.c
+@@ -166,6 +166,7 @@ static int chap_server_compute_md5(
+ {
+ char *endptr;
+ unsigned long id;
++ unsigned char id_as_uchar;
+ unsigned char digest[MD5_SIGNATURE_SIZE];
+ unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2];
+ unsigned char identifier[10], *challenge = NULL;
+@@ -355,7 +356,9 @@ static int chap_server_compute_md5(
+ goto out;
+ }
+
+- sg_init_one(&sg, &id, 1);
++ /* To handle both endiannesses */
++ id_as_uchar = id;
++ sg_init_one(&sg, &id_as_uchar, 1);
+ ret = crypto_hash_update(&desc, &sg, 1);
+ if (ret < 0) {
+ pr_err("crypto_hash_update() failed for id\n");
diff --git a/queue-3.4/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch b/queue-3.4/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
new file mode 100644
index 00000000000..dabd808f11a
--- /dev/null
+++ b/queue-3.4/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch
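Review bot: `id_as_uchar = id;` narrows an `unsigned long` to one byte with no range check anywhere in the two hunks, so an identifier above 255 would be silently truncated before it goes into the mutual-CHAP digest. The code that parses `id` lies between the hunks and is not shown, so confirm whether a bound is already enforced there. If it is not, reject the value before the assignment, e.g. `if (id > 255) { pr_err("chap identifier: %lu greater than 255\n", id); goto out; }`. The added comment `/* To handle both endiannesses */` could also state the actual reason: only the low-order byte of `id` is to be hashed, and `&id` addresses the high-order byte on big-endian machines.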
@@ -0,0 +1,41 @@
+From 740466bc89ad8bd5afcc8de220f715f62b21e365 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Wed, 13 Mar 2013 11:15:19 -0400
+Subject: tracing: Fix free of probe entry by calling call_rcu_sched()
+
+From: "Steven Rostedt (Red Hat)"
+
+commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream.
+
+Because function tracing is very invasive, and can even trace
+calls to rcu_read_lock(), RCU access in function tracing is done
+with preempt_disable_notrace(). This requires a synchronize_sched()
+for updates and not a synchronize_rcu().
+
+Function probes (traceon, traceoff, etc) must be freed after
+a synchronize_sched() after its entry has been removed from the
+hash. But call_rcu() is used. Fix this by using call_rcu_sched().
+
+Also fix the usage to use hlist_del_rcu() instead of hlist_del().
+
+Signed-off-by: Steven Rostedt
+Cc: Paul McKenney
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3034,8 +3034,8 @@ __unregister_ftrace_function_probe(char
+ continue;
+ }
+
+- hlist_del(&entry->node);
+- call_rcu(&entry->rcu, ftrace_free_entry_rcu);
++ hlist_del_rcu(&entry->node);
++ call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu);
+ }
+ }
+ __disable_ftrace_function_probe();
diff --git a/queue-3.4/tracing-fix-race-in-snapshot-swapping.patch b/queue-3.4/tracing-fix-race-in-snapshot-swapping.patch
new file mode 100644
index 00000000000..70b9c550137
--- /dev/null
+++ b/queue-3.4/tracing-fix-race-in-snapshot-swapping.patch
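Review bot: Nothing at the call site records why the `_sched` flavour is required, so `call_rcu_sched()` could be changed back to `call_rcu()` by a later cleanup and reintroduce the premature free of a probe entry. A comment above the two added lines, for example `/* probe readers run under preempt_disable_notrace(), so free after a sched grace period */`, would carry the reasoning from the commit message into the code. The same comment can note that `hlist_del_rcu()` is used because readers may still be walking the hash. The loop and the function both start outside the hunk.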
@@ -0,0 +1,51 @@
+From 2721e72dd10f71a3ba90f59781becf02638aa0d9 Mon Sep 17 00:00:00 2001
+From: "Steven Rostedt (Red Hat)"
+Date: Tue, 12 Mar 2013 11:32:32 -0400
+Subject: tracing: Fix race in snapshot swapping
+
+From: "Steven Rostedt (Red Hat)"
+
+commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream.
+
+Although the swap is wrapped with a spin_lock, the assignment
+of the temp buffer used to swap is not within that lock.
+It needs to be moved into that lock, otherwise two swaps
+happening on two different CPUs, can end up using the wrong
+temp buffer to assign in the swap.
+
+Luckily, all current callers of the swap function appear to have
+their own locks. But in case something is added that allows two
+different callers to call the swap, then there's a chance that
+this race can trigger and corrupt the buffers.
+
+New code is coming soon that will allow for this race to trigger.
+
+I've Cc'd stable, so this bug will not show up if someone backports
+one of the changes that can trigger this bug.
+
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/trace.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/kernel/trace/trace.c
++++ b/kernel/trace/trace.c
+@@ -708,7 +708,7 @@ __update_max_tr(struct trace_array *tr,
+ void
+ update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu)
+ {
+- struct ring_buffer *buf = tr->buffer;
++ struct ring_buffer *buf;
+
+ if (trace_stop_count)
+ return;
+@@ -720,6 +720,7 @@ update_max_tr(struct trace_array *tr, st
+ }
+ arch_spin_lock(&ftrace_max_lock);
+
++ buf = tr->buffer;
+ tr->buffer = max_tr.buffer;
+ max_tr.buffer = buf;
+
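Review bot: The added `buf = tr->buffer;` has no comment saying that the read must stay inside `ftrace_max_lock`, and moving a load back up to the declaration is a natural-looking tidy-up that would reopen the race. A comment on that line such as `/* sample tr->buffer only while holding ftrace_max_lock */` would protect the ordering. `buf` is now uninitialized between its declaration and the lock; the early return visible in the first hunk does not touch it, but the lines between the two hunks are not shown and should be checked for any use. The matching unlock and the rest of update_max_tr are outside the hunk.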