From: Greg Kroah-Hartman Date: Sun, 1 Dec 2013 04:05:56 +0000 (-0800) Subject: 3.4-stable patches X-Git-Tag: v3.4.72~45 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b3ce352dfa073c1da1acd4844328e238b7ea0b59;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: can-flexcan-fix-flexcan_chip_start-on-imx6.patch drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch libata-fix-display-of-sata-speed.patch vsprintf-check-real-user-group-id-for-pk.patch --- diff --git a/queue-3.4/can-flexcan-fix-flexcan_chip_start-on-imx6.patch b/queue-3.4/can-flexcan-fix-flexcan_chip_start-on-imx6.patch new file mode 100644 index 00000000000..f807cf188a6 --- /dev/null +++ b/queue-3.4/can-flexcan-fix-flexcan_chip_start-on-imx6.patch @@ -0,0 +1,54 @@ +From 0d1862ea1a5bb876cf05555a7307080cb75bf379 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Fri, 27 Sep 2013 12:15:05 +0200 +Subject: can: flexcan: fix flexcan_chip_start() on imx6 + +From: Marc Kleine-Budde + +commit 0d1862ea1a5bb876cf05555a7307080cb75bf379 upstream. + +In the flexcan_chip_start() function first the flexcan core is going through +the soft reset sequence, then the RX FIFO is enabled. + +With the hardware is put into FIFO mode, message buffers 1...7 are reserved by +the FIFO engine. The remaining message buffers are in reset default values. +This patch removes the bogus initialization of the message buffers, as it +causes an imprecise external abort on imx6. + +Reported-by: Lothar Waßmann +Tested-by: Lothar Waßmann +[mkl: adjusted context for stable] +Signed-off-by: Marc Kleine-Budde +Signed-off-by: Greg Kroah-Hartman +--- + drivers/net/can/flexcan.c | 12 ------------ + 1 file changed, 12 deletions(-) + +--- a/drivers/net/can/flexcan.c ++++ b/drivers/net/can/flexcan.c +@@ -667,7 +667,6 @@ static int flexcan_chip_start(struct net + { + struct flexcan_priv *priv = netdev_priv(dev); + struct flexcan_regs __iomem *regs = priv->base; +- unsigned int i; + int err; + u32 reg_mcr, reg_ctrl; + +@@ -735,17 +734,6 @@ static int flexcan_chip_start(struct net + netdev_dbg(dev, "%s: writing ctrl=0x%08x", __func__, reg_ctrl); + flexcan_write(reg_ctrl, ®s->ctrl); + +- for (i = 0; i < ARRAY_SIZE(regs->cantxfg); i++) { +- flexcan_write(0, ®s->cantxfg[i].can_ctrl); +- flexcan_write(0, ®s->cantxfg[i].can_id); +- flexcan_write(0, ®s->cantxfg[i].data[0]); +- flexcan_write(0, ®s->cantxfg[i].data[1]); +- +- /* put MB into rx queue */ +- flexcan_write(FLEXCAN_MB_CNT_CODE(0x4), +- ®s->cantxfg[i].can_ctrl); +- } +- + /* Abort any pending TX, mark Mailbox as INACTIVE */ + flexcan_write(FLEXCAN_MB_CNT_CODE(0x4), + ®s->cantxfg[FLEXCAN_TX_BUF_ID].can_ctrl); diff --git a/queue-3.4/drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch b/queue-3.4/drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch new file mode 100644 index 00000000000..768eabece42 --- /dev/null +++ b/queue-3.4/drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch @@ -0,0 +1,79 @@ +From 0523f037f65dba10191b0fa9c51266f90ba64630 Mon Sep 17 00:00:00 2001 +From: Shan Hai +Date: Mon, 28 Oct 2013 16:08:01 +0800 +Subject: drivers/libata: Set max sector to 65535 for Slimtype DVD A DS8A9SH drive + +From: Shan Hai + +commit 0523f037f65dba10191b0fa9c51266f90ba64630 upstream. + +The "Slimtype DVD A DS8A9SH" drive locks up with following backtrace when +the max sector is smaller than 65535 bytes, fix it by adding a quirk to set +the max sector to 65535 bytes. + +INFO: task flush-11:0:663 blocked for more than 120 seconds. +"echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. +flush-11:0 D 00000000ffff5ceb 0 663 2 0x00000000 + ffff88026d3b1710 0000000000000046 0000000000000001 0000000000000000 + ffff88026f2530c0 ffff88026d365860 ffff88026d3b16e0 ffffffff812ffd52 + ffff88026d4fd3d0 0000000100000001 ffff88026d3b16f0 ffff88026d3b1fd8 +Call Trace: + [] ? cfq_may_queue+0x52/0xf0 + [] schedule+0x18/0x30 + [] io_schedule+0x42/0x60 + [] get_request_wait+0xeb/0x1f0 + [] ? autoremove_wake_function+0x0/0x40 + [] ? elv_merge+0x42/0x210 + [] __make_request+0x8e/0x4e0 + [] generic_make_request+0x21e/0x5e0 + [] submit_bio+0x5d/0xd0 + [] submit_bh+0xf2/0x130 + [] __block_write_full_page+0x1dc/0x3a0 + [] ? end_buffer_async_write+0x0/0x120 + [] ? blkdev_get_block+0x0/0x70 + [] ? blkdev_get_block+0x0/0x70 + [] ? end_buffer_async_write+0x0/0x120 + [] block_write_full_page_endio+0xde/0x100 + [] block_write_full_page+0x10/0x20 + [] blkdev_writepage+0x13/0x20 + [] __writepage+0x15/0x40 + [] write_cache_pages+0x1cf/0x3e0 + [] ? __writepage+0x0/0x40 + [] generic_writepages+0x22/0x30 + [] do_writepages+0x1f/0x40 + [] writeback_single_inode+0xe7/0x3b0 + [] writeback_sb_inodes+0x184/0x280 + [] writeback_inodes_wb+0x6b/0x1a0 + [] wb_writeback+0x23b/0x2a0 + [] wb_do_writeback+0x17d/0x190 + [] bdi_writeback_task+0x4b/0xe0 + [] ? bdi_start_fn+0x0/0x100 + [] bdi_start_fn+0x81/0x100 + [] ? bdi_start_fn+0x0/0x100 + [] kthread+0x8e/0xa0 + [] ? finish_task_switch+0x54/0xc0 + [] kernel_thread_helper+0x4/0x10 + [] ? kthread+0x0/0xa0 + [] ? kernel_thread_helper+0x0/0x10 + + The above trace was triggered by + "dd if=/dev/zero of=/dev/sr0 bs=2048 count=32768" + +Signed-off-by: Shan Hai +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-core.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -4074,6 +4074,7 @@ static const struct ata_blacklist_entry + { "TORiSAN DVD-ROM DRD-N216", NULL, ATA_HORKAGE_MAX_SEC_128 }, + { "QUANTUM DAT DAT72-000", NULL, ATA_HORKAGE_ATAPI_MOD16_DMA }, + { "Slimtype DVD A DS8A8SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, ++ { "Slimtype DVD A DS8A9SH", NULL, ATA_HORKAGE_MAX_SEC_LBA48 }, + + /* Devices we expect to fail diagnostics */ + diff --git a/queue-3.4/libata-fix-display-of-sata-speed.patch b/queue-3.4/libata-fix-display-of-sata-speed.patch new file mode 100644 index 00000000000..cab4adc8cdb --- /dev/null +++ b/queue-3.4/libata-fix-display-of-sata-speed.patch @@ -0,0 +1,67 @@ +From 3e85c3ecbc520751324a191d23bb94873ed01b10 Mon Sep 17 00:00:00 2001 +From: Gwendal Grignou +Date: Fri, 25 Oct 2013 16:28:57 -0700 +Subject: libata: Fix display of sata speed + +From: Gwendal Grignou + +commit 3e85c3ecbc520751324a191d23bb94873ed01b10 upstream. + +6.0 Gbps link speed was not decoded properly: +speed was reported at 3.0 Gbps only. + +Tested: On a machine where libata reports 6.0 Gbps in + /var/log/messages: + ata1: SATA link up 6.0 Gbps (SStatus 133 SControl 300) + + Before: + cat /sys/class/ata_link/link1/sata_spd + 3.0 Gbps + After: + cat /sys/class/ata_link/link1/sata_spd + 6.0 Gbps + +Signed-off-by: Gwendal Grignou +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libata-transport.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/ata/libata-transport.c ++++ b/drivers/ata/libata-transport.c +@@ -319,25 +319,25 @@ int ata_tport_add(struct device *parent, + /* + * ATA link attributes + */ ++static int noop(int x) { return x; } + +- +-#define ata_link_show_linkspeed(field) \ ++#define ata_link_show_linkspeed(field, format) \ + static ssize_t \ + show_ata_link_##field(struct device *dev, \ + struct device_attribute *attr, char *buf) \ + { \ + struct ata_link *link = transport_class_to_link(dev); \ + \ +- return sprintf(buf,"%s\n", sata_spd_string(fls(link->field))); \ ++ return sprintf(buf, "%s\n", sata_spd_string(format(link->field))); \ + } + +-#define ata_link_linkspeed_attr(field) \ +- ata_link_show_linkspeed(field) \ ++#define ata_link_linkspeed_attr(field, format) \ ++ ata_link_show_linkspeed(field, format) \ + static DEVICE_ATTR(field, S_IRUGO, show_ata_link_##field, NULL) + +-ata_link_linkspeed_attr(hw_sata_spd_limit); +-ata_link_linkspeed_attr(sata_spd_limit); +-ata_link_linkspeed_attr(sata_spd); ++ata_link_linkspeed_attr(hw_sata_spd_limit, fls); ++ata_link_linkspeed_attr(sata_spd_limit, fls); ++ata_link_linkspeed_attr(sata_spd, noop); + + + static DECLARE_TRANSPORT_CLASS(ata_link_class, diff --git a/queue-3.4/series b/queue-3.4/series index 19f1bb75098..8eb7962c31a 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -7,3 +7,7 @@ asoc-wm8962-turn-on-regcache_cache_only-before-disabling-regulator.patch asoc-blackfin-fix-missing-break.patch alarmtimer-return-einval-instead-of-enotsupp-if-rtcdev-doesn-t-exist.patch devpts-plug-the-memory-leak-in-kill_sb.patch +can-flexcan-fix-flexcan_chip_start-on-imx6.patch +libata-fix-display-of-sata-speed.patch +drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch +vsprintf-check-real-user-group-id-for-pk.patch diff --git a/queue-3.4/vsprintf-check-real-user-group-id-for-pk.patch b/queue-3.4/vsprintf-check-real-user-group-id-for-pk.patch new file mode 100644 index 00000000000..f3381531d32 --- /dev/null +++ b/queue-3.4/vsprintf-check-real-user-group-id-for-pk.patch @@ -0,0 +1,141 @@ +From 312b4e226951f707e120b95b118cbc14f3d162b2 Mon Sep 17 00:00:00 2001 +From: Ryan Mallon +Date: Tue, 12 Nov 2013 15:08:51 -0800 +Subject: vsprintf: check real user/group id for %pK + +From: Ryan Mallon + +commit 312b4e226951f707e120b95b118cbc14f3d162b2 upstream. + +Some setuid binaries will allow reading of files which have read +permission by the real user id. This is problematic with files which +use %pK because the file access permission is checked at open() time, +but the kptr_restrict setting is checked at read() time. If a setuid +binary opens a %pK file as an unprivileged user, and then elevates +permissions before reading the file, then kernel pointer values may be +leaked. + +This happens for example with the setuid pppd application on Ubuntu 12.04: + + $ head -1 /proc/kallsyms + 00000000 T startup_32 + + $ pppd file /proc/kallsyms + pppd: In file /proc/kallsyms: unrecognized option 'c1000000' + +This will only leak the pointer value from the first line, but other +setuid binaries may leak more information. + +Fix this by adding a check that in addition to the current process having +CAP_SYSLOG, that effective user and group ids are equal to the real ids. +If a setuid binary reads the contents of a file which uses %pK then the +pointer values will be printed as NULL if the real user is unprivileged. + +Update the sysctl documentation to reflect the changes, and also correct +the documentation to state the kptr_restrict=0 is the default. + +This is a only temporary solution to the issue. The correct solution is +to do the permission check at open() time on files, and to replace %pK +with a function which checks the open() time permission. %pK uses in +printk should be removed since no sane permission check can be done, and +instead protected by using dmesg_restrict. + +Signed-off-by: Ryan Mallon +Cc: Kees Cook +Cc: Alexander Viro +Cc: Joe Perches +Cc: "Eric W. Biederman" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sysctl/kernel.txt | 25 ++++++++++++++++++------- + lib/vsprintf.c | 33 ++++++++++++++++++++++++++++++--- + 2 files changed, 48 insertions(+), 10 deletions(-) + +--- a/Documentation/sysctl/kernel.txt ++++ b/Documentation/sysctl/kernel.txt +@@ -284,13 +284,24 @@ Default value is "/sbin/hotplug". + kptr_restrict: + + This toggle indicates whether restrictions are placed on +-exposing kernel addresses via /proc and other interfaces. When +-kptr_restrict is set to (0), there are no restrictions. When +-kptr_restrict is set to (1), the default, kernel pointers +-printed using the %pK format specifier will be replaced with 0's +-unless the user has CAP_SYSLOG. When kptr_restrict is set to +-(2), kernel pointers printed using %pK will be replaced with 0's +-regardless of privileges. ++exposing kernel addresses via /proc and other interfaces. ++ ++When kptr_restrict is set to (0), the default, there are no restrictions. ++ ++When kptr_restrict is set to (1), kernel pointers printed using the %pK ++format specifier will be replaced with 0's unless the user has CAP_SYSLOG ++and effective user and group ids are equal to the real ids. This is ++because %pK checks are done at read() time rather than open() time, so ++if permissions are elevated between the open() and the read() (e.g via ++a setuid binary) then %pK will not leak kernel pointers to unprivileged ++users. Note, this is a temporary solution only. The correct long-term ++solution is to do the permission checks at open() time. Consider removing ++world read permissions from files that use %pK, and using dmesg_restrict ++to protect against uses of %pK in dmesg(8) if leaking kernel pointer ++values to unprivileged users is a concern. ++ ++When kptr_restrict is set to (2), kernel pointers printed using ++%pK will be replaced with 0's regardless of privileges. + + ============================================================== + +--- a/lib/vsprintf.c ++++ b/lib/vsprintf.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + + #include /* for PAGE_SIZE */ +@@ -930,11 +931,37 @@ char *pointer(const char *fmt, char *buf + spec.field_width = 2 * sizeof(void *); + return string(buf, end, "pK-error", spec); + } +- if (!((kptr_restrict == 0) || +- (kptr_restrict == 1 && +- has_capability_noaudit(current, CAP_SYSLOG)))) ++ ++ switch (kptr_restrict) { ++ case 0: ++ /* Always print %pK values */ ++ break; ++ case 1: { ++ /* ++ * Only print the real pointer value if the current ++ * process has CAP_SYSLOG and is running with the ++ * same credentials it started with. This is because ++ * access to files is checked at open() time, but %pK ++ * checks permission at read() time. We don't want to ++ * leak pointer values if a binary opens a file using ++ * %pK and then elevates privileges before reading it. ++ */ ++ const struct cred *cred = current_cred(); ++ ++ if (!has_capability_noaudit(current, CAP_SYSLOG) || ++ (cred->euid != cred->uid) || ++ (cred->egid != cred->gid)) ++ ptr = NULL; ++ break; ++ } ++ case 2: ++ default: ++ /* Always print 0's for %pK */ + ptr = NULL; ++ break; ++ } + break; ++ + case 'N': + switch (fmt[1]) { + case 'F':