From: Greg Kroah-Hartman
Date: Thu, 1 Aug 2013 03:31:53 +0000 (+0800)
Subject: 3.4-stable patches
X-Git-Tag: v3.0.89~15
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ba23ed0e624db48782d1daa21898d2644d3f8fe4;p=thirdparty%2Fkernel%2Fstable-queue.git
3.4-stable patches
added patches:
acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch
ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch
btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch
btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch
dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch
libata-make-it-clear-that-sata_inic162x-is-experimental.patch
powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch
scsi-qla2xxx-properly-set-the-tagging-for-commands.patch
scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch
staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch
tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch
usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch
usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch
usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch
usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch
usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch
usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch
xen-blkback-check-device-permissions-before-allowing-op_discard.patch
xhci-avoid-null-pointer-deref-when-host-dies.patch
xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch
---
diff --git a/queue-3.4/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch b/queue-3.4/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch
new file mode 100644
index 00000000000..65311c36f4b
--- /dev/null
+++ b/queue-3.4/acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch
@@ -0,0 +1,36 @@ +From d19f503e22316a84c39bc19445e0e4fdd49b3532 Mon Sep 17 00:00:00 2001 +From: Toshi Kani +Date: Wed, 10 Jul 2013 10:47:13 -0600 +Subject: ACPI / memhotplug: Fix a stale pointer in error path + +From: Toshi Kani + +commit d19f503e22316a84c39bc19445e0e4fdd49b3532 upstream. + +device->driver_data needs to be cleared when releasing its data, +mem_device, in an error path of acpi_memory_device_add(). + +The function evaluates the _CRS of memory device objects, and fails +when it gets an unexpected resource or cannot allocate memory. A +kernel crash or data corruption may occur when the kernel accesses +the stale pointer. + +Signed-off-by: Toshi Kani +Reviewed-by: Yasuaki Ishimatsu +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpi_memhotplug.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/acpi_memhotplug.c ++++ b/drivers/acpi/acpi_memhotplug.c +@@ -421,6 +421,7 @@ static int acpi_memory_device_add(struct + /* Get the range from the _CRS */ + result = acpi_memory_get_device_resources(mem_device); + if (result) { ++ device->driver_data = NULL; + kfree(mem_device); + return result; + } diff --git a/queue-3.4/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch b/queue-3.4/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch new file mode 100644 index 00000000000..f261a57b7e9 --- /dev/null +++ b/queue-3.4/ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch 
@@ -0,0 +1,35 @@ +From eac27f04a71e1f39f196f7e520d16dcefc955d77 Mon Sep 17 00:00:00 2001 +From: Youquan Song +Date: Thu, 11 Jul 2013 21:15:57 -0400 +Subject: ata: Fix DVD not dectected at some platform with Wellsburg PCH + +From: Youquan Song + +commit eac27f04a71e1f39f196f7e520d16dcefc955d77 upstream. + +There is a patch b55f84e2d527182e7c611d466cd0bb6ddce201de "ata_piix: Fix DVD + not dectected at some Haswell platforms" to fix an issue of DVD not +recognized on Haswell Desktop platform with Lynx Point. +Recently, it is also found the same issue at some platformas with Wellsburg PCH. + +So deliver a similar patch to fix it by disables 32bit PIO in IDE mode. + +Signed-off-by: Youquan Song +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ata_piix.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/ata_piix.c ++++ b/drivers/ata/ata_piix.c +@@ -344,7 +344,7 @@ static const struct pci_device_id piix_p + /* SATA Controller IDE (Wellsburg) */ + { 0x8086, 0x8d00, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ +- { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata }, ++ { 0x8086, 0x8d08, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_2port_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ + { 0x8086, 0x8d60, PCI_ANY_ID, PCI_ANY_ID, 0, 0, ich8_sata_snb }, + /* SATA Controller IDE (Wellsburg) */ diff --git a/queue-3.4/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch b/queue-3.4/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch new file mode 100644 index 00000000000..6faf0a179de --- /dev/null +++ b/queue-3.4/btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch 
@@ -0,0 +1,40 @@ +From fec386ac1428f9c0e672df952cbca5cebd4e4e2f Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Mon, 15 Jul 2013 12:41:42 -0400 +Subject: Btrfs: fix lock leak when resuming snapshot deletion + +From: Josef Bacik + +commit fec386ac1428f9c0e672df952cbca5cebd4e4e2f upstream. + +We aren't setting path->locks[level] when we resume a snapshot deletion which +means we won't unlock the buffer when we free the path. This causes deadlocks +if we happen to re-allocate the block before we've evicted the extent buffer +from cache. Thanks, + +Reported-by: Alex Lyakas +Signed-off-by: Josef Bacik +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -6903,6 +6903,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + while (1) { + btrfs_tree_lock(path->nodes[level]); + btrfs_set_lock_blocking(path->nodes[level]); ++ path->locks[level] = BTRFS_WRITE_LOCK_BLOCKING; + + ret = btrfs_lookup_extent_info(trans, root, + path->nodes[level]->start, +@@ -6919,6 +6920,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + break; + + btrfs_tree_unlock(path->nodes[level]); ++ path->locks[level] = 0; + WARN_ON(wc->refs[level] != 1); + level--; + } diff --git a/queue-3.4/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch b/queue-3.4/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch new file mode 100644 index 00000000000..80a38d5a935 --- /dev/null +++ b/queue-3.4/btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch 
@@ -0,0 +1,57 @@ +From d29a9f629e009c9b90e5859bce581070fd6247fc Mon Sep 17 00:00:00 2001 +From: Josef Bacik +Date: Wed, 17 Jul 2013 19:30:20 -0400 +Subject: Btrfs: re-add root to dead root list if we stop dropping it + +From: Josef Bacik + +commit d29a9f629e009c9b90e5859bce581070fd6247fc upstream. + +If we stop dropping a root for whatever reason we need to add it back to the +dead root list so that we will re-start the dropping next transaction commit. +The other case this happens is if we recover a drop because we will add a root +without adding it to the fs radix tree, so we can leak it's root and commit root +extent buffer, adding this to the dead root list makes this cleanup happen. +Thanks, + +Reported-by: Alex Lyakas +Signed-off-by: Josef Bacik +Signed-off-by: Greg Kroah-Hartman + +--- + fs/btrfs/extent-tree.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/fs/btrfs/extent-tree.c ++++ b/fs/btrfs/extent-tree.c +@@ -6846,6 +6846,7 @@ int btrfs_drop_snapshot(struct btrfs_roo + int err = 0; + int ret; + int level; ++ bool root_dropped = false; + + path = btrfs_alloc_path(); + if (!path) { +@@ -7016,12 +7017,22 @@ int btrfs_drop_snapshot(struct btrfs_roo + free_extent_buffer(root->commit_root); + kfree(root); + } ++ root_dropped = true; + out_end_trans: + btrfs_end_transaction_throttle(trans, tree_root); + out_free: + kfree(wc); + btrfs_free_path(path); + out: ++ /* ++ * So if we need to stop dropping the snapshot for whatever reason we ++ * need to make sure to add it back to the dead root list so that we ++ * keep trying to do the work later. This also cleans up roots if we ++ * don't have it in the radix (like when we recover after a power fail ++ * or unmount) so we don't leak memory. ++ */ ++ if (root_dropped == false) ++ btrfs_add_dead_root(root); + if (err) + btrfs_std_error(root->fs_info, err); + return err; 
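Review bot: In the last hunk of fs/btrfs/extent-tree.c, `root_dropped = true` is set directly after the branch that ends in `kfree(root)`, yet the unchanged lines below still evaluate `btrfs_std_error(root->fs_info, err)` whenever `err` is non-zero. The flag protects only the new `btrfs_add_dead_root(root)` call, so the tail of the function is safe only if `err` is always zero on the path that frees the root; the assignments to `err` lie outside the hunk and should be checked. The first hunk shows a `!path` branch after `btrfs_alloc_path()` whose body is not visible; if it jumps to `out:`, the root is now re-queued on that path too, which the new comment could say explicitly. As a style point, `if (root_dropped == false)` reads better as `if (!root_dropped)`.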
diff --git a/queue-3.4/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch b/queue-3.4/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch
new file mode 100644
index 00000000000..69247c47767
--- /dev/null
+++ b/queue-3.4/dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch
@@ -0,0 +1,62 @@ +From b1bf2de07271932326af847a3c6a01fdfd29d4be Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Wed, 10 Jul 2013 23:41:16 +0100 +Subject: dm verity: fix inability to use a few specific devices sizes + +From: Mikulas Patocka + +commit b1bf2de07271932326af847a3c6a01fdfd29d4be upstream. + +Fix a boundary condition that caused failure for certain device sizes. + +The problem is reported at + http://code.google.com/p/cryptsetup/issues/detail?id=160 + +For certain device sizes the number of hashes at a specific level was +calculated incorrectly. + +It happens for example for a device with data and metadata block size 4096 +that has 16385 blocks and algorithm sha256. + +The user can test if he is affected by this bug by running the +"veritysetup verify" command and also by activating the dm-verity kernel +driver and reading the whole block device. If it passes without an error, +then the user is not affected. + +The condition for the bug is: + +Split the total number of data blocks (data_block_bits) into bit strings, +each string has hash_per_block_bits bits. hash_per_block_bits is +rounddown(log2(metadata_block_size/hash_digest_size)). Equivalently, you +can say that you convert data_blocks_bits to 2^hash_per_block_bits base. + +If there some zero bit string below the most significant bit string and at +least one bit below this zero bit string is set, then the bug happens. + +The same bug exists in the userspace veritysetup tool, so you must use +fixed veritysetup too if you want to use devices that are affected by +this boundary condition. 
+ +Signed-off-by: Mikulas Patocka +Cc: Milan Broz +Signed-off-by: Alasdair G Kergon +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm-verity.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/drivers/md/dm-verity.c ++++ b/drivers/md/dm-verity.c +@@ -813,9 +813,8 @@ static int verity_ctr(struct dm_target * + for (i = v->levels - 1; i >= 0; i--) { + sector_t s; + v->hash_level_block[i] = hash_position; +- s = verity_position_at_level(v, v->data_blocks, i); +- s = (s >> v->hash_per_block_bits) + +- !!(s & ((1 << v->hash_per_block_bits) - 1)); ++ s = (v->data_blocks + ((sector_t)1 << ((i + 1) * v->hash_per_block_bits)) - 1) ++ >> ((i + 1) * v->hash_per_block_bits); + if (hash_position + s < hash_position) { + ti->error = "Hash device offset overflow"; + r = -E2BIG; diff --git a/queue-3.4/libata-make-it-clear-that-sata_inic162x-is-experimental.patch b/queue-3.4/libata-make-it-clear-that-sata_inic162x-is-experimental.patch new file mode 100644 index 00000000000..6c53bf940d2 --- /dev/null +++ b/queue-3.4/libata-make-it-clear-that-sata_inic162x-is-experimental.patch 
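Review bot: The new expression in `verity_ctr` shifts by `(i + 1) * v->hash_per_block_bits`, and nothing in the hunk bounds that count below the width of `sector_t`; a shift by the type width or more is undefined in C. The sum `v->data_blocks + ((sector_t)1 << ...) - 1` can also wrap before the right shift, and the existing `hash_position + s < hash_position` test would not catch that, because it checks only the running offset. Both depend on how `v->levels` and `v->data_blocks` were validated earlier in the function, which is outside the hunk, so confirm the bound there or add an explicit check before the loop. Because `s` decides where each hash level sits on the hash device, a short comment above the assignment stating the invariant the shift count relies on would let the next reader verify it.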
@@ -0,0 +1,70 @@ +From bb9696192826a7d9279caf872e95b41bc26c7eff Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 22 Jul 2013 16:53:36 -0400 +Subject: libata: make it clear that sata_inic162x is experimental + +From: Tejun Heo + +commit bb9696192826a7d9279caf872e95b41bc26c7eff upstream. + +sata_inic162x never reached a state where it's reliable enough for +production use and data corruption is a relatively common occurrence. +Make the driver generate warning about the issues and mark the Kconfig +option as experimental. + +If the situation doesn't improve, we'd be better off making it depend +on CONFIG_BROKEN. Let's wait for several cycles and see if the kernel +message draws any attention. + +Signed-off-by: Tejun Heo +Reported-by: Martin Braure de Calignon +Reported-by: Ben Hutchings +Reported-by: risc4all@yahoo.com +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/Kconfig | 2 +- + drivers/ata/sata_inic162x.c | 14 ++++++++++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +--- a/drivers/ata/Kconfig ++++ b/drivers/ata/Kconfig +@@ -93,7 +93,7 @@ config SATA_FSL + If unsure, say N. + + config SATA_INIC162X +- tristate "Initio 162x SATA support" ++ tristate "Initio 162x SATA support (Very Experimental)" + depends on PCI + help + This option enables support for Initio 162x Serial ATA. +--- a/drivers/ata/sata_inic162x.c ++++ b/drivers/ata/sata_inic162x.c +@@ -6,6 +6,18 @@ + * + * This file is released under GPL v2. + * ++ * **** WARNING **** ++ * ++ * This driver never worked properly and unfortunately data corruption is ++ * relatively common. There isn't anyone working on the driver and there's ++ * no support from the vendor. Do not use this driver in any production ++ * environment. ++ * ++ * http://thread.gmane.org/gmane.linux.debian.devel.bugs.rc/378525/focus=54491 ++ * https://bugzilla.kernel.org/show_bug.cgi?id=60565 ++ * ++ * ***************** ++ * + * This controller is eccentric and easily locks up if something isn't + * right. 
Documentation is available at initio's website but it only + * documents registers (not programming model). +@@ -809,6 +821,8 @@ static int inic_init_one(struct pci_dev + + ata_print_version_once(&pdev->dev, DRV_VERSION); + ++ dev_alert(&pdev->dev, "inic162x support is broken with common data corruption issues and will be disabled by default, contact linux-ide@vger.kernel.org if in production use\n"); ++ + /* alloc host */ + host = ata_host_alloc_pinfo(&pdev->dev, ppi, NR_PORTS); + hpriv = devm_kzalloc(&pdev->dev, sizeof(*hpriv), GFP_KERNEL); diff --git a/queue-3.4/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch b/queue-3.4/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch new file mode 100644 index 00000000000..41c83ede342 --- /dev/null +++ b/queue-3.4/powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch 
@@ -0,0 +1,75 @@ +From 0e0ed6406e61434d3f38fb58aa8464ec4722b77e Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Mon, 15 Jul 2013 14:04:50 +1000 +Subject: powerpc/modules: Module CRC relocation fix causes perf issues + +From: Anton Blanchard + +commit 0e0ed6406e61434d3f38fb58aa8464ec4722b77e upstream. + +Module CRCs are implemented as absolute symbols that get resolved by +a linker script. We build an intermediate .o that contains an +unresolved symbol for each CRC. genksysms parses this .o, calculates +the CRCs and writes a linker script that "resolves" the symbols to +the calculated CRC. + +Unfortunately the ppc64 relocatable kernel sees these CRCs as symbols +that need relocating and relocates them at boot. Commit d4703aef +(module: handle ppc64 relocating kcrctabs when CONFIG_RELOCATABLE=y) +added a hook to reverse the bogus relocations. Part of this patch +created a symbol at 0x0: + +# head -2 /proc/kallsyms +0000000000000000 T reloc_start +c000000000000000 T .__start + +This reloc_start symbol is causing lots of confusion to perf. It +thinks reloc_start is a massive function that stretches from 0x0 to +0xc000000000000000 and we get various cryptic errors out of perf, +including: + +problem incrementing symbol count, skipping event + +This patch removes the reloc_start linker script label and instead +defines it as PHYSICAL_START. We also need to wrap it with +CONFIG_PPC64 because the ppc32 kernel can set a non zero +PHYSICAL_START at compile time and we wouldn't want to subtract +it from the CRCs in that case. 
+ +Signed-off-by: Anton Blanchard +Acked-by: Rusty Russell +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/module.h | 5 ++--- + arch/powerpc/kernel/vmlinux.lds.S | 3 --- + 2 files changed, 2 insertions(+), 6 deletions(-) + +--- a/arch/powerpc/include/asm/module.h ++++ b/arch/powerpc/include/asm/module.h +@@ -87,10 +87,9 @@ struct exception_table_entry; + void sort_ex_table(struct exception_table_entry *start, + struct exception_table_entry *finish); + +-#ifdef CONFIG_MODVERSIONS ++#if defined(CONFIG_MODVERSIONS) && defined(CONFIG_PPC64) + #define ARCH_RELOCATES_KCRCTAB +- +-extern const unsigned long reloc_start[]; ++#define reloc_start PHYSICAL_START + #endif + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_MODULE_H */ +--- a/arch/powerpc/kernel/vmlinux.lds.S ++++ b/arch/powerpc/kernel/vmlinux.lds.S +@@ -38,9 +38,6 @@ jiffies = jiffies_64 + 4; + #endif + SECTIONS + { +- . = 0; +- reloc_start = .; +- + . = KERNELBASE; + + /* diff --git a/queue-3.4/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch b/queue-3.4/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch new file mode 100644 index 00000000000..530fed57b81 --- /dev/null +++ b/queue-3.4/scsi-qla2xxx-properly-set-the-tagging-for-commands.patch 
@@ -0,0 +1,62 @@ +From c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 Mon Sep 17 00:00:00 2001 +From: Saurav Kashyap +Date: Fri, 12 Jul 2013 14:47:51 -0400 +Subject: SCSI: qla2xxx: Properly set the tagging for commands. + +From: Saurav Kashyap + +commit c3ccb1d7cf4c4549151876dd37c0944a682fd9e1 upstream. + +This fixes a regression where Xyratex controllers and disks were lost by the +driver: + +https://bugzilla.kernel.org/show_bug.cgi?id=59601 + +Reported-by: Jack Hill +Signed-off-by: Saurav Kashyap +Signed-off-by: Giridhar Malavali +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_iocb.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -423,6 +423,8 @@ qla2x00_start_scsi(srb_t *sp) + __constant_cpu_to_le16(CF_SIMPLE_TAG); + break; + } ++ } else { ++ cmd_pkt->control_flags = __constant_cpu_to_le16(CF_SIMPLE_TAG); + } + + /* Load SCSI command packet. */ +@@ -1331,11 +1333,11 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp + fcp_cmnd->task_attribute = TSK_ORDERED; + break; + default: +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + break; + } + } else { +- fcp_cmnd->task_attribute = 0; ++ fcp_cmnd->task_attribute = TSK_SIMPLE; + } + + cmd_pkt->fcp_rsp_dseg_len = 0; /* Let response come in status iocb */ +@@ -1541,7 +1543,12 @@ qla24xx_start_scsi(srb_t *sp) + case ORDERED_QUEUE_TAG: + cmd_pkt->task = TSK_ORDERED; + break; ++ default: ++ cmd_pkt->task = TSK_SIMPLE; ++ break; + } ++ } else { ++ cmd_pkt->task = TSK_SIMPLE; + } + + /* Load SCSI command packet. */ diff --git a/queue-3.4/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch b/queue-3.4/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch new file mode 100644 index 00000000000..f119814664a --- /dev/null +++ b/queue-3.4/scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch 
@@ -0,0 +1,74 @@ +From 085b513f97d8d799d28491239be4b451bcd8c2c5 Mon Sep 17 00:00:00 2001 +From: "Ewan D. Milne" +Date: Fri, 2 Nov 2012 09:38:34 -0400 +Subject: SCSI: sd: fix crash when UA received on DIF enabled device + +From: "Ewan D. Milne" + +commit 085b513f97d8d799d28491239be4b451bcd8c2c5 upstream. + +sd_prep_fn will allocate a larger CDB for the command via mempool_alloc +for devices using DIF type 2 protection. This CDB was being freed +in sd_done, which results in a kernel crash if the command is retried +due to a UNIT ATTENTION. This change moves the code to free the larger +CDB into sd_unprep_fn instead, which is invoked after the request is +complete. + +It is no longer necessary to call scsi_print_command separately for +this case as the ->cmnd will no longer be NULL in the normal code path. + +Also removed conditional test for DIF type 2 when freeing the larger +CDB because the protection_type could have been changed via sysfs while +the command was executing. + +Signed-off-by: Ewan D. Milne +Acked-by: Martin K. 
Petersen +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/sd.c | 22 +++++++--------------- + 1 file changed, 7 insertions(+), 15 deletions(-) + +--- a/drivers/scsi/sd.c ++++ b/drivers/scsi/sd.c +@@ -672,10 +672,17 @@ static int scsi_setup_flush_cmnd(struct + + static void sd_unprep_fn(struct request_queue *q, struct request *rq) + { ++ struct scsi_cmnd *SCpnt = rq->special; ++ + if (rq->cmd_flags & REQ_DISCARD) { + free_page((unsigned long)rq->buffer); + rq->buffer = NULL; + } ++ if (SCpnt->cmnd != rq->cmd) { ++ mempool_free(SCpnt->cmnd, sd_cdb_pool); ++ SCpnt->cmnd = NULL; ++ SCpnt->cmd_len = 0; ++ } + } + + /** +@@ -1539,21 +1546,6 @@ static int sd_done(struct scsi_cmnd *SCp + if (rq_data_dir(SCpnt->request) == READ && scsi_prot_sg_count(SCpnt)) + sd_dif_complete(SCpnt, good_bytes); + +- if (scsi_host_dif_capable(sdkp->device->host, sdkp->protection_type) +- == SD_DIF_TYPE2_PROTECTION && SCpnt->cmnd != SCpnt->request->cmd) { +- +- /* We have to print a failed command here as the +- * extended CDB gets freed before scsi_io_completion() +- * is called. +- */ +- if (result) +- scsi_print_command(SCpnt); +- +- mempool_free(SCpnt->cmnd, sd_cdb_pool); +- SCpnt->cmnd = NULL; +- SCpnt->cmd_len = 0; +- } +- + return good_bytes; + } + diff --git a/queue-3.4/series b/queue-3.4/series index d691012271e..c28a0e78d41 100644 --- a/queue-3.4/series +++ b/queue-3.4/series 
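Review bot: `sd_unprep_fn` now dereferences `rq->special` unconditionally in `SCpnt->cmnd != rq->cmd`, with no check that a command was ever attached to the request. Whether unprep can run for a request whose prep step stopped before `rq->special` was set cannot be determined from this hunk; if it can, this is a NULL dereference, and `if (SCpnt && SCpnt->cmnd != rq->cmd)` would make the assumption explicit. The comparison also treats every `cmnd` that differs from `rq->cmd` as a `sd_cdb_pool` allocation, so a comment such as `/* only the extended CDB allocated in sd_prep_fn can differ from rq->cmd here */` would document what replaces the removed DIF type 2 test.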
@@ -2,3 +2,23 @@ iscsi-target-fix-tfc_tpg_nacl_auth_cit-configfs-length-overflow.patch
 usb-storage-add-microvault-flash-drive-to-unusual_devs.patch
 asoc-max98088-fix-element-type-of-the-register-cache.patch
 asoc-wm8962-remove-remaining-direct-register-cache-accesses.patch
+scsi-sd-fix-crash-when-ua-received-on-dif-enabled-device.patch
+scsi-qla2xxx-properly-set-the-tagging-for-commands.patch
+tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch
+usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch
+xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch
+xhci-avoid-null-pointer-deref-when-host-dies.patch
+usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch
+usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch
+usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch
+usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch
+usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch
+staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch
+btrfs-fix-lock-leak-when-resuming-snapshot-deletion.patch
+btrfs-re-add-root-to-dead-root-list-if-we-stop-dropping-it.patch
+xen-blkback-check-device-permissions-before-allowing-op_discard.patch
+ata-fix-dvd-not-dectected-at-some-platform-with-wellsburg-pch.patch
+libata-make-it-clear-that-sata_inic162x-is-experimental.patch
+powerpc-modules-module-crc-relocation-fix-causes-perf-issues.patch
+acpi-memhotplug-fix-a-stale-pointer-in-error-path.patch
+dm-verity-fix-inability-to-use-a-few-specific-devices-sizes.patch
diff --git a/queue-3.4/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch b/queue-3.4/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch
new file mode 100644
index 00000000000..4032db9bc38
--- /dev/null
+++ b/queue-3.4/staging-comedi-comedi_cancel-ioctl-should-wake-up-read-write.patch
@@ -0,0 +1,57 @@ +From 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b Mon Sep 17 00:00:00 2001 +From: Ian Abbott +Date: Mon, 8 Jul 2013 13:36:19 +0100 +Subject: staging: comedi: COMEDI_CANCEL ioctl should wake up read/write + +From: Ian Abbott + +commit 69acbaac303e8cb948801a9ddd0ac24e86cc4a1b upstream. + +Comedi devices can do blocking read() or write() (or poll()) if an +asynchronous command has been set up, blocking for data (for read()) or +buffer space (for write()). Various events associated with the +asynchronous command will wake up the blocked reader or writer (or +poller). It is also possible to force the asynchronous command to +terminate by issuing a `COMEDI_CANCEL` ioctl. That shuts down the +asynchronous command, but does not currently wake up the blocked reader +or writer (or poller). If the blocked task could be woken up, it would +see that the command is no longer active and return. The caller of the +`COMEDI_CANCEL` ioctl could attempt to wake up the blocked task by +sending a signal, but that's a nasty workaround. + +Change `do_cancel_ioctl()` to wake up the wait queue after it returns +from `do_cancel()`. `do_cancel()` can propagate an error return value +from the low-level comedi driver's cancel routine, but it always shuts +the command down regardless, so `do_cancel_ioctl()` can wake up he wait +queue regardless of the return value from `do_cancel()`. 
+ +Signed-off-by: Ian Abbott +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/comedi/comedi_fops.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -1370,6 +1370,7 @@ static int do_cancel_ioctl(struct comedi + void *file) + { + struct comedi_subdevice *s; ++ int ret; + + if (arg >= dev->n_subdevices) + return -EINVAL; +@@ -1386,7 +1387,11 @@ static int do_cancel_ioctl(struct comedi + if (s->busy != file) + return -EBUSY; + +- return do_cancel(dev, s); ++ ret = do_cancel(dev, s); ++ if (comedi_get_subdevice_runflags(s) & SRF_USER) ++ wake_up_interruptible(&s->async->wait_head); ++ ++ return ret; + } + + /* diff --git a/queue-3.4/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch b/queue-3.4/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch new file mode 100644 index 00000000000..78ec459ab9d --- /dev/null +++ b/queue-3.4/tracing-fix-irqs-off-tag-display-in-syscall-tracing.patch 
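Review bot: The wake-up added to `do_cancel_ioctl` reads `s->async->wait_head` with no check of `s->async` inside either hunk; the lines between the two hunks are not shown, so confirm that an earlier `s->async == NULL` return covers this dereference. The `SRF_USER` condition is not explained by the commit message, which says only that the wake-up happens regardless of the return value of `do_cancel()`. A one-line comment above the test saying why only that run flag qualifies would remove the guesswork, for example `/* only commands owned by user space have a task sleeping on wait_head */` if that is the intent.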
@@ -0,0 +1,33 @@ +From jovi.zhangwei@huawei.com Thu Aug 1 10:53:20 2013 +From: "zhangwei(Jovi)" +Date: Mon, 29 Jul 2013 09:33:58 +0800 +Subject: tracing: Fix irqs-off tag display in syscall tracing +To: Greg KH +Cc: Ben Hutchings , Steven Rostedt , +Message-ID: <51F5C686.4020608@huawei.com> + +From: "zhangwei(Jovi)" + +commit 11034ae9c20f4057a6127fc965906417978e69b2 upstream + +Initialization of variable irq_flags and pc was missed when backport +11034ae9c to linux-3.0.y and linux-3.4.y, my fault. + +Signed-off-by: zhangwei(Jovi) +Signed-off-by: Greg Kroah-Hartman +--- + kernel/trace/trace_syscalls.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/kernel/trace/trace_syscalls.c ++++ b/kernel/trace/trace_syscalls.c +@@ -358,6 +358,9 @@ void ftrace_syscall_exit(void *ignore, s + if (!sys_data) + return; + ++ local_save_flags(irq_flags); ++ pc = preempt_count(); ++ + event = trace_current_buffer_lock_reserve(&buffer, + sys_data->exit_event->event.type, sizeof(*entry), + irq_flags, pc); diff --git a/queue-3.4/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch b/queue-3.4/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch new file mode 100644 index 00000000000..64437c6f22b --- /dev/null +++ b/queue-3.4/usb-clear-both-buffers-when-clearing-a-control-transfer-tt-buffer.patch 
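Review bot: Only `ftrace_syscall_exit` receives the `local_save_flags(irq_flags); pc = preempt_count();` pair, while the description says the initialization of both variables was missed in the backport without naming the function. If `ftrace_syscall_enter` in the same file also passes `irq_flags` and `pc` to `trace_current_buffer_lock_reserve()`, it needs the same two lines, otherwise uninitialized stack values still reach the trace entry there. That function is outside the hunk, so this should be confirmed against the 3.4 tree before the patch is queued.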
@@ -0,0 +1,39 @@ +From 2c7b871b9102c497ba8f972aa5d38532f05b654d Mon Sep 17 00:00:00 2001 +From: William Gulland +Date: Thu, 27 Jun 2013 16:10:20 -0700 +Subject: usb: Clear both buffers when clearing a control transfer TT buffer. + +From: William Gulland + +commit 2c7b871b9102c497ba8f972aa5d38532f05b654d upstream. + +Control transfers have both IN and OUT (or SETUP) packets, so when +clearing TT buffers for a control transfer it's necessary to send +two HUB_CLEAR_TT_BUFFER requests to the hub. + +Signed-off-by: William Gulland +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -488,6 +488,15 @@ resubmit: + static inline int + hub_clear_tt_buffer (struct usb_device *hdev, u16 devinfo, u16 tt) + { ++ /* Need to clear both directions for control ep */ ++ if (((devinfo >> 11) & USB_ENDPOINT_XFERTYPE_MASK) == ++ USB_ENDPOINT_XFER_CONTROL) { ++ int status = usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), ++ HUB_CLEAR_TT_BUFFER, USB_RT_PORT, ++ devinfo ^ 0x8000, tt, NULL, 0, 1000); ++ if (status) ++ return status; ++ } + return usb_control_msg(hdev, usb_sndctrlpipe(hdev, 0), + HUB_CLEAR_TT_BUFFER, USB_RT_PORT, devinfo, + tt, NULL, 0, 1000); diff --git a/queue-3.4/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch b/queue-3.4/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch new file mode 100644 index 00000000000..699ec3ebdef --- /dev/null +++ b/queue-3.4/usb-dwc3-fix-wrong-bit-mask-in-dwc3_event_type.patch 
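Review bot: The added branch in `hub_clear_tt_buffer` depends on two unnamed constants: the shift in `devinfo >> 11` that reaches the endpoint type, and the mask in `devinfo ^ 0x8000` that flips the direction bit. A comment tying both to the layout of the Clear_TT_Buffer `wValue` field, or named macros, would let a reader verify that the first request targets the opposite direction and the second the original one. `if (status) return status;` also skips the second request when the first fails, which leaves the other buffer uncleared; the existing comment should say whether that is intended.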
@@ -0,0 +1,47 @@ +From 1974d494dea05ea227cb42f5e918828801e237aa Mon Sep 17 00:00:00 2001 +From: Huang Rui +Date: Thu, 27 Jun 2013 01:08:11 +0800 +Subject: usb: dwc3: fix wrong bit mask in dwc3_event_type + +From: Huang Rui + +commit 1974d494dea05ea227cb42f5e918828801e237aa upstream. + +Per dwc3 2.50a spec, the is_devspec bit is used to distinguish the +Device Endpoint-Specific Event or Device-Specific Event (DEVT). If the +bit is 1, the event is represented Device-Specific Event, then use +[7:1] bits as Device Specific Event to marked the type. It has 7 bits, +and we can see the reserved8_31 variable name which means from 8 to 31 +bits marked reserved, actually there are 24 bits not 25 bits between +that. And 1 + 7 + 24 = 32, the event size is 4 byes. + +So in dwc3_event_type, the bit mask should be: +is_devspec [0] 1 bit +type [7:1] 7 bits +reserved8_31 [31:8] 24 bits + +This patch should be backported to kernels as old as 3.2, that contain +the commit 72246da40f3719af3bfd104a2365b32537c27d83 "usb: Introduce +DesignWare USB3 DRD Driver". + +Signed-off-by: Huang Rui +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/core.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/usb/dwc3/core.h ++++ b/drivers/usb/dwc3/core.h +@@ -641,8 +641,8 @@ struct dwc3 { + + struct dwc3_event_type { + u32 is_devspec:1; +- u32 type:6; +- u32 reserved8_31:25; ++ u32 type:7; ++ u32 reserved8_31:24; + } __packed; + + #define DWC3_DEPEVT_XFERCOMPLETE 0x01 diff --git a/queue-3.4/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch b/queue-3.4/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch new file mode 100644 index 00000000000..6000d39b589 --- /dev/null +++ b/queue-3.4/usb-dwc3-gadget-don-t-prevent-gadget-from-being-probed-if-we-fail.patch 
@@ -0,0 +1,34 @@ +From cdcedd6981194e511cc206887db661d016069d68 Mon Sep 17 00:00:00 2001 +From: Felipe Balbi +Date: Mon, 15 Jul 2013 12:36:35 +0300 +Subject: usb: dwc3: gadget: don't prevent gadget from being probed if we fail + +From: Felipe Balbi + +commit cdcedd6981194e511cc206887db661d016069d68 upstream. + +In case we fail our ->udc_start() callback, we +should be ready to accept another modprobe following +the failed one. + +We had forgotten to clear dwc->gadget_driver back +to NULL and, because of that, we were preventing +gadget driver modprobe from being retried. + +Signed-off-by: Felipe Balbi +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/dwc3/gadget.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/dwc3/gadget.c ++++ b/drivers/usb/dwc3/gadget.c +@@ -1393,6 +1393,7 @@ err1: + __dwc3_gadget_ep_disable(dwc->eps[0]); + + err0: ++ dwc->gadget_driver = NULL; + spin_unlock_irqrestore(&dwc->lock, flags); + + return ret; diff --git a/queue-3.4/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch b/queue-3.4/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch new file mode 100644 index 00000000000..cc7edc3562a --- /dev/null +++ b/queue-3.4/usb-host-xhci-enable-xhci_spurious_success-for-all-controllers-with-xhci-1.0.patch 
@@ -0,0 +1,78 @@
+From 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 Mon Sep 17 00:00:00 2001
+From: George Cherian
+Date: Mon, 1 Jul 2013 10:59:12 +0530
+Subject: usb: host: xhci: Enable XHCI_SPURIOUS_SUCCESS for all controllers with xhci 1.0
+
+From: George Cherian
+
+commit 07f3cb7c28bf3f4dd80bfb136cf45810c46ac474 upstream.
+
+Xhci controllers with hci_version > 0.96 gives spurious success
+events on short packet completion. During webcam capture the
+"ERROR Transfer event TRB DMA ptr not part of current TD" was observed.
+The same application works fine with synopsis controllers hci_version 0.96.
+The same issue is seen with Intel Pantherpoint xhci controller. So enabling
+this quirk in xhci_gen_setup if controller verion is greater than 0.96.
+For xhci-pci move the quirk to much generic place xhci_gen_setup.
+
+Note from Sarah:
+
+The xHCI 1.0 spec changed how hardware handles short packets. The HW
+will notify SW of the TRB where the short packet occurred, and it will
+also give a successful status for the last TRB in a TD (the one with the
+IOC flag set). On the second successful status, that warning will be
+triggered in the driver.
+
+Software is now supposed to not assume the TD is not completed until it
+gets that last successful status. That means we have a slight race
+condition, although it should have little practical impact. This patch
+papers over that issue.
+
+It's on my long-term to-do list to fix this race condition, but it is a
+much more involved patch that will probably be too big for stable. This
+patch is needed for stable to avoid serious log spam.
+
+This patch should be backported to kernels as old as 3.0, that
+contain the commit ad808333d8201d53075a11bc8dd83b81f3d68f0b "Intel xhci:
+Ignore spurious successful event."
+
+The patch will have to be modified for kernels older than 3.2, since
+that kernel added the xhci_gen_setup function for xhci platform devices.
+The correct conflict resolution for kernels older than 3.2 is to set
+XHCI_SPURIOUS_SUCCESS in xhci_pci_quirks for all xHCI 1.0 hosts.
+
+Signed-off-by: George Cherian
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-pci.c | 1 -
+ drivers/usb/host/xhci.c | 7 +++++++
+ 2 files changed, 7 insertions(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-pci.c
++++ b/drivers/usb/host/xhci-pci.c
+@@ -89,7 +89,6 @@ static void xhci_pci_quirks(struct devic
+ xhci->quirks |= XHCI_AMD_PLL_FIX;
+ if (pdev->vendor == PCI_VENDOR_ID_INTEL &&
+ pdev->device == PCI_DEVICE_ID_INTEL_PANTHERPOINT_XHCI) {
+- xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
+ xhci->quirks |= XHCI_EP_LIMIT_QUIRK;
+ xhci->limit_active_eps = 64;
+ xhci->quirks |= XHCI_SW_BW_CHECKING;
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -4194,6 +4194,13 @@ int xhci_gen_setup(struct usb_hcd *hcd,
+
+ get_quirks(dev, xhci);
+
++ /* In xhci controllers which follow xhci 1.0 spec gives a spurious
++ * success event after a short transfer. This quirk will ignore such
++ * spurious event.
++ */
++ if (xhci->hci_version > 0x96)
++ xhci->quirks |= XHCI_SPURIOUS_SUCCESS;
++
+ /* Make sure the HC is halted. */
+ retval = xhci_halt(xhci);
+ if (retval)
diff --git a/queue-3.4/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch b/queue-3.4/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch
new file mode 100644
index 00000000000..056b790fc55
--- /dev/null
+++ b/queue-3.4/usb-misc-add-manhattan-hi-speed-usb-dvi-converter-to-sisusbvga.patch
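Review bot: The new test in `xhci_gen_setup()` compares against the bare constant `0x96`, and the comment above it does not say how that value relates to the spec version it names. A wording such as `/* xHCI 1.0 hosts (hci_version > 0x96, i.e. newer than 0.96) report a second success event for the last TRB of a TD after a short transfer; ignore it. */` would tie the number to the text. The commit message says the quirk hides a race rather than fixing it, so a `FIXME` in that comment noting that the quirk masks it would keep the limitation visible in the source. Both touched functions continue outside their hunks.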
@@ -0,0 +1,26 @@
+From 58fc90db8261b571c026bb8bf23aad48a7233118 Mon Sep 17 00:00:00 2001
+From: Jóhann B. Guðmundsson
+Date: Thu, 4 Jul 2013 21:47:52 +0000
+Subject: USB: misc: Add Manhattan Hi-Speed USB DVI Converter to sisusbvga
+
+From: Jóhann B. Guðmundsson
+
+commit 58fc90db8261b571c026bb8bf23aad48a7233118 upstream.
+
+Signed-off-by: Jóhann B. Guðmundsson
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/misc/sisusbvga/sisusb.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/usb/misc/sisusbvga/sisusb.c
++++ b/drivers/usb/misc/sisusbvga/sisusb.c
+@@ -3247,6 +3247,7 @@ static const struct usb_device_id sisusb
+ { USB_DEVICE(0x0711, 0x0903) },
+ { USB_DEVICE(0x0711, 0x0918) },
+ { USB_DEVICE(0x0711, 0x0920) },
++ { USB_DEVICE(0x0711, 0x0950) },
+ { USB_DEVICE(0x182d, 0x021c) },
+ { USB_DEVICE(0x182d, 0x0269) },
+ { }
diff --git a/queue-3.4/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch b/queue-3.4/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch
new file mode 100644
index 00000000000..5ead4f0fdda
--- /dev/null
+++ b/queue-3.4/usb-ti_usb_3410_5052-fix-dynamic-id-matching.patch
@@ -0,0 +1,35 @@
+From 1fad56424f5ad3ce4973505a357212b2e2282b3f Mon Sep 17 00:00:00 2001
+From: Johan Hovold
+Date: Fri, 28 Jun 2013 12:24:26 +0200
+Subject: USB: ti_usb_3410_5052: fix dynamic-id matching
+
+From: Johan Hovold
+
+commit 1fad56424f5ad3ce4973505a357212b2e2282b3f upstream.
+
+The driver failed to take the dynamic ids into account when determining
+the device type and therefore all devices were detected as 2-port
+devices when using the dynamic-id interface.
+
+Match on the usb-serial-driver field instead of doing redundant id-table
+searches.
+
+Reported-by: Anders Hammarquist
+Signed-off-by: Johan Hovold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/ti_usb_3410_5052.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/serial/ti_usb_3410_5052.c
++++ b/drivers/usb/serial/ti_usb_3410_5052.c
+@@ -390,7 +390,7 @@ static int ti_startup(struct usb_serial
+ usb_set_serial_data(serial, tdev);
+
+ /* determine device type */
+- if (usb_match_id(serial->interface, ti_id_table_3410))
++ if (serial->type == &ti_1port_device)
+ tdev->td_is_3410 = 1;
+ dbg("%s - device type is %s", __func__,
+ tdev->td_is_3410 ? "3410" : "5052");
diff --git a/queue-3.4/xen-blkback-check-device-permissions-before-allowing-op_discard.patch b/queue-3.4/xen-blkback-check-device-permissions-before-allowing-op_discard.patch
new file mode 100644
index 00000000000..7ada5a72e4c
--- /dev/null
+++ b/queue-3.4/xen-blkback-check-device-permissions-before-allowing-op_discard.patch
@@ -0,0 +1,55 @@
+From 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 Mon Sep 17 00:00:00 2001
+From: Konrad Rzeszutek Wilk
+Date: Wed, 16 Jan 2013 11:33:52 -0500
+Subject: xen/blkback: Check device permissions before allowing OP_DISCARD
+
+From: Konrad Rzeszutek Wilk
+
+commit 604c499cbbcc3d5fe5fb8d53306aa0fae1990109 upstream.
+
+We need to make sure that the device is not RO or that
+the request is not past the number of sectors we want to
+issue the DISCARD operation for.
+
+This fixes CVE-2013-2140.
+
+Acked-by: Jan Beulich
+Acked-by: Ian Campbell
+[v1: Made it pr_warn instead of pr_debug]
+Signed-off-by: Konrad Rzeszutek Wilk
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/xen-blkback/blkback.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/xen-blkback/blkback.c
++++ b/drivers/block/xen-blkback/blkback.c
+@@ -399,7 +399,18 @@ static int dispatch_discard_io(struct xe
+ int status = BLKIF_RSP_OKAY;
+ struct block_device *bdev = blkif->vbd.bdev;
+ unsigned long secure;
++ struct phys_req preq;
+
++ preq.sector_number = req->u.discard.sector_number;
++ preq.nr_sects = req->u.discard.nr_sectors;
++
++ err = xen_vbd_translate(&preq, blkif, WRITE);
++ if (err) {
++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n",
++ preq.sector_number,
++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice);
++ goto fail_response;
++ }
+ blkif->st_ds_req++;
+
+ xen_blkif_get(blkif);
+@@ -410,7 +421,7 @@ static int dispatch_discard_io(struct xe
+ err = blkdev_issue_discard(bdev, req->u.discard.sector_number,
+ req->u.discard.nr_sectors,
+ GFP_KERNEL, secure);
+-
++fail_response:
+ if (err == -EOPNOTSUPP) {
+ pr_debug(DRV_PFX "discard op failed, not supported\n");
+ status = BLKIF_RSP_EOPNOTSUPP;
diff --git a/queue-3.4/xhci-avoid-null-pointer-deref-when-host-dies.patch b/queue-3.4/xhci-avoid-null-pointer-deref-when-host-dies.patch
new file mode 100644
index 00000000000..e8301d283cd
--- /dev/null
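Review bot: The new `goto fail_response;` on the denied path jumps past `xen_blkif_get(blkif);`, so everything after `fail_response:` runs without the reference having been taken. If the tail of `dispatch_discard_io()` (outside the hunk) drops that reference with `xen_blkif_put(blkif)`, every rejected discard would lower the refcount by one with no matching get. Moving `xen_blkif_get(blkif);` above the `xen_vbd_translate()` call keeps get and put paired on both paths. Separately, the range that is checked lives in `preq`, while `blkdev_issue_discard()` is still passed `req->u.discard.sector_number` and `req->u.discard.nr_sectors`; if `preq.nr_sects` is narrower than the request field (the types are not visible here), the check and the discard would see different lengths.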
+++ b/queue-3.4/xhci-avoid-null-pointer-deref-when-host-dies.patch 
@@ -0,0 +1,71 @@
+From 203a86613fb3bf2767335659513fa98563a3eb71 Mon Sep 17 00:00:00 2001
+From: Sarah Sharp
+Date: Wed, 24 Jul 2013 10:27:13 -0700
+Subject: xhci: Avoid NULL pointer deref when host dies.
+
+From: Sarah Sharp
+
+commit 203a86613fb3bf2767335659513fa98563a3eb71 upstream.
+
+When the host controller fails to respond to an Enable Slot command, and
+the host fails to respond to the register write to abort the command
+ring, the xHCI driver will assume the host is dead, and call
+usb_hc_died().
+
+The USB device's slot_id is still set to zero, and the pointer stored at
+xhci->devs[0] will always be NULL. The call to xhci_check_args in
+xhci_free_dev should have caught the NULL virt_dev pointer.
+
+However, xhci_free_dev is designed to free the xhci_virt_device
+structures, even if the host is dead, so that we don't leak kernel
+memory. xhci_free_dev checks the return value from the generic
+xhci_check_args function. If the return value is -ENODEV, it carries on
+trying to free the virtual device.
+
+The issue is that xhci_check_args looks at the host controller state
+before it looks at the xhci_virt_device pointer. It will return -ENIVAL
+because the host is dead, and xhci_free_dev will ignore the return
+value, and happily dereference the NULL xhci_virt_device pointer.
+
+The fix is to make sure that xhci_check_args checks the xhci_virt_device
+pointer before it checks the host state.
+
+See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1203453 for
+further details. This patch doesn't solve the underlying issue, but
+will ensure we don't see any more NULL pointer dereferences because of
+the issue.
+
+This patch should be backported to kernels as old as 3.1, that
+contain the commit 7bd89b4017f46a9b92853940fd9771319acb578a "xhci: Don't
+submit commands or URBs to halted hosts."
+
+Signed-off-by: Sarah Sharp
+Reported-by: Vincent Thiele
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/usb/host/xhci.c
++++ b/drivers/usb/host/xhci.c
+@@ -1162,9 +1162,6 @@ static int xhci_check_args(struct usb_hc
+ }
+
+ xhci = hcd_to_xhci(hcd);
+- if (xhci->xhc_state & XHCI_STATE_HALTED)
+- return -ENODEV;
+-
+ if (check_virt_dev) {
+ if (!udev->slot_id || !xhci->devs[udev->slot_id]) {
+ printk(KERN_DEBUG "xHCI %s called with unaddressed "
+@@ -1180,6 +1177,9 @@ static int xhci_check_args(struct usb_hc
+ }
+ }
+
++ if (xhci->xhc_state & XHCI_STATE_HALTED)
++ return -ENODEV;
++
+ return 1;
+ }
+
diff --git a/queue-3.4/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch b/queue-3.4/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch
new file mode 100644
index 00000000000..3f6dc0f6769
--- /dev/null
+++ b/queue-3.4/xhci-fix-null-pointer-dereference-on-ring_doorbell_for_active_rings.patch
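Review bot: The order of the two checks in `xhci_check_args()` is now what keeps callers safe, and nothing in the code says so. According to the commit message, `xhci_free_dev` carries on when it gets `-ENODEV`, so the halted-host test has to stay after the virt_dev test. A comment above the moved lines, e.g. `/* Keep after the virt_dev check: callers that continue on -ENODEV rely on virt_dev being non-NULL. */`, would stop a later cleanup from moving the test back. The function starts outside the hunk.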
@@ -0,0 +1,37 @@
+From d66eaf9f89502971fddcb0de550b01fa6f409d83 Mon Sep 17 00:00:00 2001
+From: Oleksij Rempel
+Date: Sun, 21 Jul 2013 15:36:19 +0200
+Subject: xhci: fix null pointer dereference on ring_doorbell_for_active_rings
+
+From: Oleksij Rempel
+
+commit d66eaf9f89502971fddcb0de550b01fa6f409d83 upstream.
+
+in some cases where device is attched to xhci port and do not responding,
+for example ath9k_htc with stalled firmware, kernel will
+crash on ring_doorbell_for_active_rings.
+This patch check if pointer exist before it is used.
+
+This patch should be backported to kernels as old as 2.6.35, that
+contain the commit e9df17eb1408cfafa3d1844bfc7f22c7237b31b8 "USB: xhci:
+Correct assumptions about number of rings per endpoint"
+
+Signed-off-by: Oleksij Rempel
+Signed-off-by: Sarah Sharp
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/host/xhci-ring.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/host/xhci-ring.c
++++ b/drivers/usb/host/xhci-ring.c
+@@ -434,7 +434,7 @@ static void ring_doorbell_for_active_rin
+
+ /* A ring has pending URBs if its TD list is not empty */
+ if (!(ep->ep_state & EP_HAS_STREAMS)) {
+- if (!(list_empty(&ep->ring->td_list)))
++ if (ep->ring && !(list_empty(&ep->ring->td_list)))
+ xhci_ring_ep_doorbell(xhci, slot_id, ep_index, 0);
+ return;
+ }
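Review bot: The added `ep->ring &&` guard covers only the non-stream branch; the stream branch that follows the `return` lies outside the hunk. If that branch walks the endpoint's stream rings without a similar test, the same unresponsive-device condition could presumably still reach a NULL ring there, so it is worth confirming. A short comment on the guard, e.g. `/* ep->ring can be NULL when the device has stopped responding */`, would also record why the test is needed.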