From: Greg Kroah-Hartman Date: Sun, 1 Dec 2013 04:51:17 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.4.72~44 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bb77710d2ab659e0f0ba02f872f84094a18bfeae;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ahci-add-device-ids-for-intel-wildcat-point-lp.patch ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch ahci-disabled-fbs-prior-to-issuing-software-reset.patch ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch ib-qib-fix-txselect-regression.patch ib-srp-report-receive-errors-correctly.patch ipc-msg-fix-message-length-check-for-negative-values.patch ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch ipc-update-locking-scheme-comments.patch iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch loop-fix-crash-if-blk_alloc_queue-fails.patch loop-fix-crash-when-using-unassigned-loop-device.patch mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch mtd-map-fixed-bug-in-64-bit-systems.patch mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch rtlwifi-fix-endian-error-in-extracting-packet-type.patch rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch rtlwifi-rtl8192se-fix-wrong-assignment.patch xen-blkback-fix-reference-counting.patch --- diff --git a/queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch b/queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch new file mode 100644 index 00000000000..9c6cd1d241d --- /dev/null +++ b/queue-3.10/ahci-add-device-ids-for-intel-wildcat-point-lp.patch @@ -0,0 +1,32 @@ +From 9f961a5f6efc87a79571d7166257b36af28ffcfe Mon Sep 17 00:00:00 2001 +From: James Ralston +Date: Mon, 4 Nov 2013 09:24:58 -0800 +Subject: ahci: Add Device IDs for Intel Wildcat Point-LP + +From: James Ralston + +commit 9f961a5f6efc87a79571d7166257b36af28ffcfe upstream. + +This patch adds the AHCI-mode SATA Device IDs for the Intel Wildcat Point-LP PCH. + +Signed-off-by: James Ralston +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -292,6 +292,10 @@ static const struct pci_device_id ahci_p + { PCI_VDEVICE(INTEL, 0x8d66), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x8d6e), board_ahci }, /* Wellsburg RAID */ + { PCI_VDEVICE(INTEL, 0x23a3), board_ahci }, /* Coleto Creek AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c83), board_ahci }, /* Wildcat Point-LP AHCI */ ++ { PCI_VDEVICE(INTEL, 0x9c85), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c87), board_ahci }, /* Wildcat Point-LP RAID */ ++ { PCI_VDEVICE(INTEL, 0x9c8f), board_ahci }, /* Wildcat Point-LP RAID */ + + /* JMicron 360/1/3/5/6, match class to avoid IDE function */ + { PCI_VENDOR_ID_JMICRON, PCI_ANY_ID, PCI_ANY_ID, PCI_ANY_ID, diff --git a/queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch b/queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch new file mode 100644 index 00000000000..3fbbc58a779 --- /dev/null +++ b/queue-3.10/ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch @@ -0,0 +1,31 @@ +From 6d5278a68a75891db1df5ae1ecf83d288fc58c65 Mon Sep 17 00:00:00 2001 +From: Samir Benmendil +Date: Sun, 17 Nov 2013 23:56:17 +0100 +Subject: ahci: add Marvell 9230 to the AHCI PCI device list + +From: Samir Benmendil + +commit 6d5278a68a75891db1df5ae1ecf83d288fc58c65 upstream. + +Tested with a DAWICONTROL DC-624e on 3.10.10 + +Signed-off-by: Samir Benmendil +Signed-off-by: Tejun Heo +Reviewed-by: Levente Kurusa +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -435,6 +435,8 @@ static const struct pci_device_id ahci_p + .driver_data = board_ahci_yes_fbs }, /* 88se9172 on some Gigabyte */ + { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x91a3), + .driver_data = board_ahci_yes_fbs }, ++ { PCI_DEVICE(PCI_VENDOR_ID_MARVELL_EXT, 0x9230), ++ .driver_data = board_ahci_yes_fbs }, + + /* Promise */ + { PCI_VDEVICE(PROMISE, 0x3f20), board_ahci }, /* PDC42819 */ diff --git a/queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch b/queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch new file mode 100644 index 00000000000..413c3a936a6 --- /dev/null +++ b/queue-3.10/ahci-disabled-fbs-prior-to-issuing-software-reset.patch @@ -0,0 +1,127 @@ +From 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 Mon Sep 17 00:00:00 2001 +From: xiangliang yu +Date: Sun, 27 Oct 2013 08:03:04 -0400 +Subject: ahci: disabled FBS prior to issuing software reset + +From: xiangliang yu + +commit 89dafa20f3daab5b3e0c13d0068a28e8e64e2102 upstream. + +Tested with Marvell 88se9125, attached with one port mulitplier(5 ports) +and one disk, we will get following boot log messages if using current +code: + + ata8: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier 1.2, 0x1b4b:0x9715 r160, 5 ports, feat 0x1/0x1f + ahci 0000:03:00.0: FBS is enabled + ata8.00: hard resetting link + ata8.00: SATA link down (SStatus 0 SControl 330) + ata8.01: hard resetting link + ata8.01: SATA link down (SStatus 0 SControl 330) + ata8.02: hard resetting link + ata8.02: SATA link down (SStatus 0 SControl 330) + ata8.03: hard resetting link + ata8.03: SATA link up 6.0 Gbps (SStatus 133 SControl 133) + ata8.04: hard resetting link + ata8.04: failed to resume link (SControl 133) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.04: failed to read SCR 1 (Emask=0x40) + ata8.04: failed to read SCR 0 (Emask=0x40) + ata8.03: native sectors (2) is smaller than sectors (976773168) + ata8.03: ATA-8: ST3500413AS, JC4B, max UDMA/133 + ata8.03: 976773168 sectors, multi 0: LBA48 NCQ (depth 31/32) + ata8.03: configured for UDMA/133 + ata8.04: failed to IDENTIFY (I/O error, err_mask=0x100) + ata8.15: hard resetting link + ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: hard resetting link + ata8.15: SATA link up 6.0 Gbps (SStatus 133 SControl 330) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: limiting SATA link speed to 3.0 Gbps + ata8.15: hard resetting link + ata8.15: SATA link up 3.0 Gbps (SStatus 123 SControl 320) + ata8.15: Port Multiplier vendor mismatch '0x1b4b' != '0x133' + ata8.15: PMP revalidation failed (errno=-19) + ata8.15: failed to recover PMP after 5 tries, giving up + ata8.15: Port Multiplier detaching + ata8.03: disabled + ata8.00: disabled + ata8: EH complete + +The reason is that current detection code doesn't follow AHCI spec: + +First,the port multiplier detection process look like this: + + ahci_hardreset(link, class, deadline) + if (class == ATA_DEV_PMP) { + sata_pmp_attach(dev) /* will enable FBS */ + sata_pmp_init_links(ap, nr_ports); + ata_for_each_link(link, ap, EDGE) { + sata_std_hardreset(link, class, deadline); + if (link_is_online) /* do soft reset */ + ahci_softreset(link, class, deadline); + } + } +But, according to chapter 9.3.9 in AHCI spec: Prior to issuing software +reset, software shall clear PxCMD.ST to '0' and then clear PxFBS.EN to +'0'. + +The patch test ok with kernel 3.11.1. + +tj: Patch white space contaminated, applied manually with trivial + updates. + +Signed-off-by: Xiangliang Yu +Signed-off-by: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/libahci.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1266,9 +1266,11 @@ int ahci_do_softreset(struct ata_link *l + { + struct ata_port *ap = link->ap; + struct ahci_host_priv *hpriv = ap->host->private_data; ++ struct ahci_port_priv *pp = ap->private_data; + const char *reason = NULL; + unsigned long now, msecs; + struct ata_taskfile tf; ++ bool fbs_disabled = false; + int rc; + + DPRINTK("ENTER\n"); +@@ -1278,6 +1280,16 @@ int ahci_do_softreset(struct ata_link *l + if (rc && rc != -EOPNOTSUPP) + ata_link_warn(link, "failed to reset engine (errno=%d)\n", rc); + ++ /* ++ * According to AHCI-1.2 9.3.9: if FBS is enable, software shall ++ * clear PxFBS.EN to '0' prior to issuing software reset to devices ++ * that is attached to port multiplier. ++ */ ++ if (!ata_is_host_link(link) && pp->fbs_enabled) { ++ ahci_disable_fbs(ap); ++ fbs_disabled = true; ++ } ++ + ata_tf_init(link->device, &tf); + + /* issue the first D2H Register FIS */ +@@ -1318,6 +1330,10 @@ int ahci_do_softreset(struct ata_link *l + } else + *class = ahci_dev_classify(ap); + ++ /* re-enable FBS if disabled before */ ++ if (fbs_disabled) ++ ahci_enable_fbs(ap); ++ + DPRINTK("EXIT, class=%u\n", *class); + return 0; + diff --git a/queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch b/queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch new file mode 100644 index 00000000000..ef960443767 --- /dev/null +++ b/queue-3.10/ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch @@ -0,0 +1,27 @@ +From dcb9917ba041866686fe152850364826c4622a36 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Thu, 31 Oct 2013 23:00:24 -0400 +Subject: ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea() + +From: Theodore Ts'o + +commit dcb9917ba041866686fe152850364826c4622a36 upstream. + +Reported-by: Dave Jones +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ext4/xattr.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/xattr.c ++++ b/fs/ext4/xattr.c +@@ -1352,6 +1352,7 @@ retry: + new_extra_isize = s_min_extra_isize; + kfree(is); is = NULL; + kfree(bs); bs = NULL; ++ brelse(bh); + goto retry; + } + error = -1; diff --git a/queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch b/queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch new file mode 100644 index 00000000000..6f4e7a3a15d --- /dev/null +++ b/queue-3.10/ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch @@ -0,0 +1,58 @@ +From 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 4 Oct 2013 09:29:06 -0400 +Subject: IB/ipath: Convert ipath_user_sdma_pin_pages() to use get_user_pages_fast() + +From: Jan Kara + +commit 4adcf7fb6783e354aab38824d803fa8c4f8e8a27 upstream. + +ipath_user_sdma_queue_pkts() gets called with mmap_sem held for +writing. Except for get_user_pages() deep down in +ipath_user_sdma_pin_pages() we don't seem to need mmap_sem at all. + +Even more interestingly the function ipath_user_sdma_queue_pkts() (and +also ipath_user_sdma_coalesce() called somewhat later) call +copy_from_user() which can hit a page fault and we deadlock on trying +to get mmap_sem when handling that fault. So just make +ipath_user_sdma_pin_pages() use get_user_pages_fast() and leave +mmap_sem locking for mm. + +This deadlock has actually been observed in the wild when the node +is under memory pressure. + +Signed-off-by: Jan Kara +Signed-off-by: Mike Marciniszyn +[ Merged in fix for call to get_user_pages_fast from Tetsuo Handa + . - Roland ] +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/ipath/ipath_user_sdma.c | 7 +------ + 1 file changed, 1 insertion(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/ipath/ipath_user_sdma.c ++++ b/drivers/infiniband/hw/ipath/ipath_user_sdma.c +@@ -280,9 +280,7 @@ static int ipath_user_sdma_pin_pages(con + int j; + int ret; + +- ret = get_user_pages(current, current->mm, addr, +- npages, 0, 1, pages, NULL); +- ++ ret = get_user_pages_fast(addr, npages, 0, pages); + if (ret != npages) { + int i; + +@@ -811,10 +809,7 @@ int ipath_user_sdma_writev(struct ipath_ + while (dim) { + const int mxp = 8; + +- down_write(¤t->mm->mmap_sem); + ret = ipath_user_sdma_queue_pkts(dd, pq, &list, iov, dim, mxp); +- up_write(¤t->mm->mmap_sem); +- + if (ret <= 0) + goto done_unlock; + else { diff --git a/queue-3.10/ib-qib-fix-txselect-regression.patch b/queue-3.10/ib-qib-fix-txselect-regression.patch new file mode 100644 index 00000000000..0c6e9a408b7 --- /dev/null +++ b/queue-3.10/ib-qib-fix-txselect-regression.patch @@ -0,0 +1,52 @@ +From 2fadd83184d58701f1116ca578465b5a75f9417c Mon Sep 17 00:00:00 2001 +From: Mike Marciniszyn +Date: Fri, 25 Oct 2013 11:17:59 -0400 +Subject: IB/qib: Fix txselect regression + +From: Mike Marciniszyn + +commit 2fadd83184d58701f1116ca578465b5a75f9417c upstream. + +Commit 7fac33014f54("IB/qib: checkpatch fixes") was overzealous in +removing a simple_strtoul for a parse routine, setup_txselect(). That +routine is required to handle a multi-value string. + +Unwind that aspect of the fix. + +Signed-off-by: Mike Marciniszyn +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/qib/qib_iba7322.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/drivers/infiniband/hw/qib/qib_iba7322.c ++++ b/drivers/infiniband/hw/qib/qib_iba7322.c +@@ -5853,21 +5853,20 @@ static int setup_txselect(const char *st + { + struct qib_devdata *dd; + unsigned long val; +- int ret; +- ++ char *n; + if (strlen(str) >= MAX_ATTEN_LEN) { + pr_info("txselect_values string too long\n"); + return -ENOSPC; + } +- ret = kstrtoul(str, 0, &val); +- if (ret || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + ++ val = simple_strtoul(str, &n, 0); ++ if (n == str || val >= (TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + + TXDDS_MFG_SZ)) { + pr_info("txselect_values must start with a number < %d\n", + TXDDS_TABLE_SZ + TXDDS_EXTRA_SZ + TXDDS_MFG_SZ); +- return ret ? ret : -EINVAL; ++ return -EINVAL; + } +- + strcpy(txselect_list, str); ++ + list_for_each_entry(dd, &qib_dev_list, list) + if (dd->deviceid == PCI_DEVICE_ID_QLOGIC_IB_7322) + set_no_qsfp_atten(dd, 1); diff --git a/queue-3.10/ib-srp-report-receive-errors-correctly.patch b/queue-3.10/ib-srp-report-receive-errors-correctly.patch new file mode 100644 index 00000000000..fd8a3934208 --- /dev/null +++ b/queue-3.10/ib-srp-report-receive-errors-correctly.patch @@ -0,0 +1,58 @@ +From cd4e38542a5c2cab94e5410fb17c1cc004a60792 Mon Sep 17 00:00:00 2001 +From: Bart Van Assche +Date: Thu, 10 Oct 2013 13:53:25 +0200 +Subject: IB/srp: Report receive errors correctly + +From: Bart Van Assche + +commit cd4e38542a5c2cab94e5410fb17c1cc004a60792 upstream. + +The IB spec does not guarantee that the opcode is available in error +completions. Hence do not rely on it. See also commit 948d1e889e5b +("IB/srp: Introduce srp_handle_qp_err()"). + +Signed-off-by: Bart Van Assche +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/srp/ib_srp.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/ulp/srp/ib_srp.c ++++ b/drivers/infiniband/ulp/srp/ib_srp.c +@@ -1300,14 +1300,13 @@ static void srp_handle_recv(struct srp_t + PFX "Recv failed with error code %d\n", res); + } + +-static void srp_handle_qp_err(enum ib_wc_status wc_status, +- enum ib_wc_opcode wc_opcode, ++static void srp_handle_qp_err(enum ib_wc_status wc_status, bool send_err, + struct srp_target_port *target) + { + if (target->connected && !target->qp_in_error) { + shost_printk(KERN_ERR, target->scsi_host, + PFX "failed %s status %d\n", +- wc_opcode & IB_WC_RECV ? "receive" : "send", ++ send_err ? "send" : "receive", + wc_status); + } + target->qp_in_error = true; +@@ -1323,7 +1322,7 @@ static void srp_recv_completion(struct i + if (likely(wc.status == IB_WC_SUCCESS)) { + srp_handle_recv(target, &wc); + } else { +- srp_handle_qp_err(wc.status, wc.opcode, target); ++ srp_handle_qp_err(wc.status, false, target); + } + } + } +@@ -1339,7 +1338,7 @@ static void srp_send_completion(struct i + iu = (struct srp_iu *) (uintptr_t) wc.wr_id; + list_add(&iu->list, &target->free_tx); + } else { +- srp_handle_qp_err(wc.status, wc.opcode, target); ++ srp_handle_qp_err(wc.status, true, target); + } + } + } diff --git a/queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch b/queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch new file mode 100644 index 00000000000..3e7e969bfc8 --- /dev/null +++ b/queue-3.10/ipc-msg-fix-message-length-check-for-negative-values.patch @@ -0,0 +1,171 @@ +From 4e9b45a19241354daec281d7a785739829b52359 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Tue, 12 Nov 2013 15:11:47 -0800 +Subject: ipc, msg: fix message length check for negative values + +From: Mathias Krause + +commit 4e9b45a19241354daec281d7a785739829b52359 upstream. + +On 64 bit systems the test for negative message sizes is bogus as the +size, which may be positive when evaluated as a long, will get truncated +to an int when passed to load_msg(). So a long might very well contain a +positive value but when truncated to an int it would become negative. + +That in combination with a small negative value of msg_ctlmax (which will +be promoted to an unsigned type for the comparison against msgsz, making +it a big positive value and therefore make it pass the check) will lead to +two problems: 1/ The kmalloc() call in alloc_msg() will allocate a too +small buffer as the addition of alen is effectively a subtraction. 2/ The +copy_from_user() call in load_msg() will first overflow the buffer with +userland data and then, when the userland access generates an access +violation, the fixup handler copy_user_handle_tail() will try to fill the +remainder with zeros -- roughly 4GB. That almost instantly results in a +system crash or reset. + + ,-[ Reproducer (needs to be run as root) ]-- + | #include + | #include + | #include + | #include + | + | int main(void) { + | long msg = 1; + | int fd; + | + | fd = open("/proc/sys/kernel/msgmax", O_WRONLY); + | write(fd, "-1", 2); + | close(fd); + | + | msgsnd(0, &msg, 0xfffffff0, IPC_NOWAIT); + | + | return 0; + | } + '--- + +Fix the issue by preventing msgsz from getting truncated by consistently +using size_t for the message length. This way the size checks in +do_msgsnd() could still be passed with a negative value for msg_ctlmax but +we would fail on the buffer allocation in that case and error out. + +Also change the type of m_ts from int to size_t to avoid similar nastiness +in other code paths -- it is used in similar constructs, i.e. signed vs. +unsigned checks. It should never become negative under normal +circumstances, though. + +Setting msg_ctlmax to a negative value is an odd configuration and should +be prevented. As that might break existing userland, it will be handled +in a separate commit so it could easily be reverted and reworked without +reintroducing the above described bug. + +Hardening mechanisms for user copy operations would have catched that bug +early -- e.g. checking slab object sizes on user copy operations as the +usercopy feature of the PaX patch does. Or, for that matter, detect the +long vs. int sign change due to truncation, as the size overflow plugin +of the very same patch does. + +[akpm@linux-foundation.org: fix i386 min() warnings] +Signed-off-by: Mathias Krause +Cc: Pax Team +Cc: Davidlohr Bueso +Cc: Brad Spengler +Cc: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/msg.h | 6 +++--- + ipc/msgutil.c | 20 ++++++++++---------- + ipc/util.h | 4 ++-- + 3 files changed, 15 insertions(+), 15 deletions(-) + +--- a/include/linux/msg.h ++++ b/include/linux/msg.h +@@ -6,9 +6,9 @@ + + /* one msg_msg structure for each message */ + struct msg_msg { +- struct list_head m_list; +- long m_type; +- int m_ts; /* message text size */ ++ struct list_head m_list; ++ long m_type; ++ size_t m_ts; /* message text size */ + struct msg_msgseg* next; + void *security; + /* the actual message follows immediately */ +--- a/ipc/msgutil.c ++++ b/ipc/msgutil.c +@@ -41,15 +41,15 @@ struct msg_msgseg { + /* the next part of the message follows immediately */ + }; + +-#define DATALEN_MSG (int)(PAGE_SIZE-sizeof(struct msg_msg)) +-#define DATALEN_SEG (int)(PAGE_SIZE-sizeof(struct msg_msgseg)) ++#define DATALEN_MSG ((size_t)PAGE_SIZE-sizeof(struct msg_msg)) ++#define DATALEN_SEG ((size_t)PAGE_SIZE-sizeof(struct msg_msgseg)) + + +-static struct msg_msg *alloc_msg(int len) ++static struct msg_msg *alloc_msg(size_t len) + { + struct msg_msg *msg; + struct msg_msgseg **pseg; +- int alen; ++ size_t alen; + + alen = min(len, DATALEN_MSG); + msg = kmalloc(sizeof(*msg) + alen, GFP_KERNEL); +@@ -80,12 +80,12 @@ out_err: + return NULL; + } + +-struct msg_msg *load_msg(const void __user *src, int len) ++struct msg_msg *load_msg(const void __user *src, size_t len) + { + struct msg_msg *msg; + struct msg_msgseg *seg; + int err = -EFAULT; +- int alen; ++ size_t alen; + + msg = alloc_msg(len); + if (msg == NULL) +@@ -117,8 +117,8 @@ out_err: + struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst) + { + struct msg_msgseg *dst_pseg, *src_pseg; +- int len = src->m_ts; +- int alen; ++ size_t len = src->m_ts; ++ size_t alen; + + BUG_ON(dst == NULL); + if (src->m_ts > dst->m_ts) +@@ -147,9 +147,9 @@ struct msg_msg *copy_msg(struct msg_msg + return ERR_PTR(-ENOSYS); + } + #endif +-int store_msg(void __user *dest, struct msg_msg *msg, int len) ++int store_msg(void __user *dest, struct msg_msg *msg, size_t len) + { +- int alen; ++ size_t alen; + struct msg_msgseg *seg; + + alen = min(len, DATALEN_MSG); +--- a/ipc/util.h ++++ b/ipc/util.h +@@ -148,9 +148,9 @@ int ipc_parse_version (int *cmd); + #endif + + extern void free_msg(struct msg_msg *msg); +-extern struct msg_msg *load_msg(const void __user *src, int len); ++extern struct msg_msg *load_msg(const void __user *src, size_t len); + extern struct msg_msg *copy_msg(struct msg_msg *src, struct msg_msg *dst); +-extern int store_msg(void __user *dest, struct msg_msg *msg, int len); ++extern int store_msg(void __user *dest, struct msg_msg *msg, size_t len); + + extern void recompute_msgmni(struct ipc_namespace *); + diff --git a/queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch b/queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch new file mode 100644 index 00000000000..b3c9fef7e5a --- /dev/null +++ b/queue-3.10/ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch @@ -0,0 +1,112 @@ +From 9bf76ca325d5e9208eb343f7bd4cc666f703ed30 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Sun, 3 Nov 2013 12:36:28 +0100 +Subject: ipc, msg: forbid negative values for "msg{max,mnb,mni}" + +From: Mathias Krause + +commit 9bf76ca325d5e9208eb343f7bd4cc666f703ed30 upstream. + +Negative message lengths make no sense -- so don't do negative queue +lenghts or identifier counts. Prevent them from getting negative. + +Also change the underlying data types to be unsigned to avoid hairy +surprises with sign extensions in cases where those variables get +evaluated in unsigned expressions with bigger data types, e.g size_t. + +In case a user still wants to have "unlimited" sizes she could just use +INT_MAX instead. + +Signed-off-by: Mathias Krause +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/ipc_namespace.h | 6 +++--- + ipc/ipc_sysctl.c | 20 ++++++++++++-------- + 2 files changed, 15 insertions(+), 11 deletions(-) + +--- a/include/linux/ipc_namespace.h ++++ b/include/linux/ipc_namespace.h +@@ -34,9 +34,9 @@ struct ipc_namespace { + int sem_ctls[4]; + int used_sems; + +- int msg_ctlmax; +- int msg_ctlmnb; +- int msg_ctlmni; ++ unsigned int msg_ctlmax; ++ unsigned int msg_ctlmnb; ++ unsigned int msg_ctlmni; + atomic_t msg_bytes; + atomic_t msg_hdrs; + int auto_msgmni; +--- a/ipc/ipc_sysctl.c ++++ b/ipc/ipc_sysctl.c +@@ -62,7 +62,7 @@ static int proc_ipc_dointvec_minmax_orph + return err; + } + +-static int proc_ipc_callback_dointvec(ctl_table *table, int write, ++static int proc_ipc_callback_dointvec_minmax(ctl_table *table, int write, + void __user *buffer, size_t *lenp, loff_t *ppos) + { + struct ctl_table ipc_table; +@@ -72,7 +72,7 @@ static int proc_ipc_callback_dointvec(ct + memcpy(&ipc_table, table, sizeof(ipc_table)); + ipc_table.data = get_ipc(table); + +- rc = proc_dointvec(&ipc_table, write, buffer, lenp, ppos); ++ rc = proc_dointvec_minmax(&ipc_table, write, buffer, lenp, ppos); + + if (write && !rc && lenp_bef == *lenp) + /* +@@ -152,15 +152,13 @@ static int proc_ipcauto_dointvec_minmax( + #define proc_ipc_dointvec NULL + #define proc_ipc_dointvec_minmax NULL + #define proc_ipc_dointvec_minmax_orphans NULL +-#define proc_ipc_callback_dointvec NULL ++#define proc_ipc_callback_dointvec_minmax NULL + #define proc_ipcauto_dointvec_minmax NULL + #endif + + static int zero; + static int one = 1; +-#ifdef CONFIG_CHECKPOINT_RESTORE + static int int_max = INT_MAX; +-#endif + + static struct ctl_table ipc_kern_table[] = { + { +@@ -198,21 +196,27 @@ static struct ctl_table ipc_kern_table[] + .data = &init_ipc_ns.msg_ctlmax, + .maxlen = sizeof (init_ipc_ns.msg_ctlmax), + .mode = 0644, +- .proc_handler = proc_ipc_dointvec, ++ .proc_handler = proc_ipc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &int_max, + }, + { + .procname = "msgmni", + .data = &init_ipc_ns.msg_ctlmni, + .maxlen = sizeof (init_ipc_ns.msg_ctlmni), + .mode = 0644, +- .proc_handler = proc_ipc_callback_dointvec, ++ .proc_handler = proc_ipc_callback_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &int_max, + }, + { + .procname = "msgmnb", + .data = &init_ipc_ns.msg_ctlmnb, + .maxlen = sizeof (init_ipc_ns.msg_ctlmnb), + .mode = 0644, +- .proc_handler = proc_ipc_dointvec, ++ .proc_handler = proc_ipc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &int_max, + }, + { + .procname = "sem", diff --git a/queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch b/queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch new file mode 100644 index 00000000000..f96afb23d58 --- /dev/null +++ b/queue-3.10/ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch @@ -0,0 +1,156 @@ +From 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 Mon Sep 17 00:00:00 2001 +From: Manfred Spraul +Date: Wed, 16 Oct 2013 13:46:45 -0700 +Subject: ipc/sem.c: synchronize semop and semctl with IPC_RMID + +From: Manfred Spraul + +commit 6e224f94597842c5eb17f1fc2208d20b6f7f7d49 upstream. + +After acquiring the semlock spinlock, operations must test that the +array is still valid. + + - semctl() and exit_sem() would walk stale linked lists (ugly, but + should be ok: all lists are empty) + + - semtimedop() would sleep forever - and if woken up due to a signal - + access memory after free. + +The patch also: + - standardizes the tests for .deleted, so that all tests in one + function leave the function with the same approach. + - unconditionally tests for .deleted immediately after every call to + sem_lock - even it it means that for semctl(GETALL), .deleted will be + tested twice. + +Both changes make the review simpler: After every sem_lock, there must +be a test of .deleted, followed by a goto to the cleanup code (if the +function uses "goto cleanup"). + +The only exception is semctl_down(): If sem_ids().rwsem is locked, then +the presence in ids->ipcs_idr is equivalent to !.deleted, thus no +additional test is required. + +Signed-off-by: Manfred Spraul +Cc: Mike Galbraith +Acked-by: Davidlohr Bueso +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/sem.c | 42 +++++++++++++++++++++++++++++------------- + 1 file changed, 29 insertions(+), 13 deletions(-) + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -1282,6 +1282,12 @@ static int semctl_setval(struct ipc_name + + sem_lock(sma, NULL, -1); + ++ if (sma->sem_perm.deleted) { ++ sem_unlock(sma, -1); ++ rcu_read_unlock(); ++ return -EIDRM; ++ } ++ + curr = &sma->sem_base[semnum]; + + ipc_assert_locked_object(&sma->sem_perm); +@@ -1336,12 +1342,14 @@ static int semctl_main(struct ipc_namesp + int i; + + sem_lock(sma, NULL, -1); ++ if (sma->sem_perm.deleted) { ++ err = -EIDRM; ++ goto out_unlock; ++ } + if(nsems > SEMMSL_FAST) { + if (!ipc_rcu_getref(sma)) { +- sem_unlock(sma, -1); +- rcu_read_unlock(); + err = -EIDRM; +- goto out_free; ++ goto out_unlock; + } + sem_unlock(sma, -1); + rcu_read_unlock(); +@@ -1354,10 +1362,8 @@ static int semctl_main(struct ipc_namesp + rcu_read_lock(); + sem_lock_and_putref(sma); + if (sma->sem_perm.deleted) { +- sem_unlock(sma, -1); +- rcu_read_unlock(); + err = -EIDRM; +- goto out_free; ++ goto out_unlock; + } + } + for (i = 0; i < sma->sem_nsems; i++) +@@ -1375,8 +1381,8 @@ static int semctl_main(struct ipc_namesp + struct sem_undo *un; + + if (!ipc_rcu_getref(sma)) { +- rcu_read_unlock(); +- return -EIDRM; ++ err = -EIDRM; ++ goto out_rcu_wakeup; + } + rcu_read_unlock(); + +@@ -1404,10 +1410,8 @@ static int semctl_main(struct ipc_namesp + rcu_read_lock(); + sem_lock_and_putref(sma); + if (sma->sem_perm.deleted) { +- sem_unlock(sma, -1); +- rcu_read_unlock(); + err = -EIDRM; +- goto out_free; ++ goto out_unlock; + } + + for (i = 0; i < nsems; i++) +@@ -1431,6 +1435,10 @@ static int semctl_main(struct ipc_namesp + goto out_rcu_wakeup; + + sem_lock(sma, NULL, -1); ++ if (sma->sem_perm.deleted) { ++ err = -EIDRM; ++ goto out_unlock; ++ } + curr = &sma->sem_base[semnum]; + + switch (cmd) { +@@ -1836,6 +1844,10 @@ SYSCALL_DEFINE4(semtimedop, int, semid, + if (error) + goto out_rcu_wakeup; + ++ error = -EIDRM; ++ locknum = sem_lock(sma, sops, nsops); ++ if (sma->sem_perm.deleted) ++ goto out_unlock_free; + /* + * semid identifiers are not unique - find_alloc_undo may have + * allocated an undo structure, it was invalidated by an RMID +@@ -1843,8 +1855,6 @@ SYSCALL_DEFINE4(semtimedop, int, semid, + * This case can be detected checking un->semid. The existence of + * "un" itself is guaranteed by rcu. + */ +- error = -EIDRM; +- locknum = sem_lock(sma, sops, nsops); + if (un && un->semid == -1) + goto out_unlock_free; + +@@ -2057,6 +2067,12 @@ void exit_sem(struct task_struct *tsk) + } + + sem_lock(sma, NULL, -1); ++ /* exit_sem raced with IPC_RMID, nothing to do */ ++ if (sma->sem_perm.deleted) { ++ sem_unlock(sma, -1); ++ rcu_read_unlock(); ++ continue; ++ } + un = __lookup_undo(ulp, semid); + if (un == NULL) { + /* exit_sem raced with IPC_RMID+semget() that created diff --git a/queue-3.10/ipc-update-locking-scheme-comments.patch b/queue-3.10/ipc-update-locking-scheme-comments.patch new file mode 100644 index 00000000000..12a2d863672 --- /dev/null +++ b/queue-3.10/ipc-update-locking-scheme-comments.patch @@ -0,0 +1,58 @@ +From 18ccee263c7e250a57f01c9434658f11f4118a64 Mon Sep 17 00:00:00 2001 +From: Davidlohr Bueso +Date: Wed, 16 Oct 2013 13:46:45 -0700 +Subject: ipc: update locking scheme comments + +From: Davidlohr Bueso + +commit 18ccee263c7e250a57f01c9434658f11f4118a64 upstream. + +The initial documentation was a bit incomplete, update accordingly. + +[akpm@linux-foundation.org: make it more readable in 80 columns] +Signed-off-by: Davidlohr Bueso +Acked-by: Manfred Spraul +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/util.c | 27 +++++++++++++++++++++------ + 1 file changed, 21 insertions(+), 6 deletions(-) + +--- a/ipc/util.c ++++ b/ipc/util.c +@@ -17,12 +17,27 @@ + * Pavel Emelianov + * + * General sysv ipc locking scheme: +- * when doing ipc id lookups, take the ids->rwsem +- * rcu_read_lock() +- * obtain the ipc object (kern_ipc_perm) +- * perform security, capabilities, auditing and permission checks, etc. +- * acquire the ipc lock (kern_ipc_perm.lock) throught ipc_lock_object() +- * perform data updates (ie: SET, RMID, LOCK/UNLOCK commands) ++ * rcu_read_lock() ++ * obtain the ipc object (kern_ipc_perm) by looking up the id in an idr ++ * tree. ++ * - perform initial checks (capabilities, auditing and permission, ++ * etc). ++ * - perform read-only operations, such as STAT, INFO commands. ++ * acquire the ipc lock (kern_ipc_perm.lock) through ++ * ipc_lock_object() ++ * - perform data updates, such as SET, RMID commands and ++ * mechanism-specific operations (semop/semtimedop, ++ * msgsnd/msgrcv, shmat/shmdt). ++ * drop the ipc lock, through ipc_unlock_object(). ++ * rcu_read_unlock() ++ * ++ * The ids->rwsem must be taken when: ++ * - creating, removing and iterating the existing entries in ipc ++ * identifier sets. ++ * - iterating through files under /proc/sysvipc/ ++ * ++ * Note that sems have a special fast path that avoids kern_ipc_perm.lock - ++ * see sem_lock(). + */ + + #include diff --git a/queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch b/queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch new file mode 100644 index 00000000000..93e4bf819cf --- /dev/null +++ b/queue-3.10/iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch @@ -0,0 +1,46 @@ +From 86784c6bdeeef78eed94d298be7a8879f6a97ee2 Mon Sep 17 00:00:00 2001 +From: Eric Seppanen +Date: Wed, 20 Nov 2013 14:19:52 -0800 +Subject: iscsi-target: chap auth shouldn't match username with trailing garbage + +From: Eric Seppanen + +commit 86784c6bdeeef78eed94d298be7a8879f6a97ee2 upstream. + +In iSCSI negotiations with initiator CHAP enabled, usernames with +trailing garbage are permitted, because the string comparison only +checks the strlen of the configured username. + +e.g. "usernameXXXXX" will be permitted to match "username". + +Just check one more byte so the trailing null char is also matched. + +Signed-off-by: Eric Seppanen +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_auth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -148,6 +148,7 @@ static int chap_server_compute_md5( + unsigned char client_digest[MD5_SIGNATURE_SIZE]; + unsigned char server_digest[MD5_SIGNATURE_SIZE]; + unsigned char chap_n[MAX_CHAP_N_SIZE], chap_r[MAX_RESPONSE_LENGTH]; ++ size_t compare_len; + struct iscsi_chap *chap = conn->auth_protocol; + struct crypto_hash *tfm; + struct hash_desc desc; +@@ -186,7 +187,9 @@ static int chap_server_compute_md5( + goto out; + } + +- if (memcmp(chap_n, auth->userid, strlen(auth->userid)) != 0) { ++ /* Include the terminating NULL in the compare */ ++ compare_len = strlen(auth->userid) + 1; ++ if (strncmp(chap_n, auth->userid, compare_len) != 0) { + pr_err("CHAP_N values do not match!\n"); + goto out; + } diff --git a/queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch b/queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch new file mode 100644 index 00000000000..467f70412a7 --- /dev/null +++ b/queue-3.10/iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch @@ -0,0 +1,33 @@ +From 369653e4fb511928511b0ce81f41c812ff1f28b6 Mon Sep 17 00:00:00 2001 +From: Eric Seppanen +Date: Wed, 20 Nov 2013 14:19:51 -0800 +Subject: iscsi-target: fix extract_param to handle buffer length corner case + +From: Eric Seppanen + +commit 369653e4fb511928511b0ce81f41c812ff1f28b6 upstream. + +extract_param() is called with max_length set to the total size of the +output buffer. It's not safe to allow a parameter length equal to the +buffer size as the terminating null would be written one byte past the +end of the output buffer. + +Signed-off-by: Eric Seppanen +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_nego.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_nego.c ++++ b/drivers/target/iscsi/iscsi_target_nego.c +@@ -90,7 +90,7 @@ int extract_param( + if (len < 0) + return -1; + +- if (len > max_length) { ++ if (len >= max_length) { + pr_err("Length of input: %d exceeds max_length:" + " %d\n", len, max_length); + return -1; diff --git a/queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch b/queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch new file mode 100644 index 00000000000..f3800090470 --- /dev/null +++ b/queue-3.10/iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch @@ -0,0 +1,64 @@ +From 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Tue, 12 Nov 2013 17:54:56 -0800 +Subject: iscsi-target: Fix mutex_trylock usage in iscsit_increment_maxcmdsn + +From: Nicholas Bellinger + +commit 5e8e6b4b3adebf01a9d97056cbbfd8c44330df99 upstream. + +This patch fixes a >= v3.10 regression bug with mutex_trylock() usage +within iscsit_increment_maxcmdsn(), that was originally added to allow +for a special case where ->cmdsn_mutex was already held from the +iscsit_execute_cmd() exception path for ib_isert. + +When !mutex_trylock() was occuring under contention during normal RX/TX +process context codepaths, the bug was manifesting itself as the following +protocol error: + + Received CmdSN: 0x000fcbb7 is greater than MaxCmdSN: 0x000fcbb6, protocol error. + Received CmdSN: 0x000fcbb8 is greater than MaxCmdSN: 0x000fcbb6, protocol error. + +This patch simply avoids the direct ib_isert callback in lio_queue_status() +for the special iscsi_execute_cmd() exception cases, that allows the problematic +mutex_trylock() usage in iscsit_increment_maxcmdsn() to go away. + +Reported-by: Moussa Ba +Tested-by: Moussa Ba +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_configfs.c | 5 +++++ + drivers/target/iscsi/iscsi_target_device.c | 6 +----- + 2 files changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/target/iscsi/iscsi_target_configfs.c ++++ b/drivers/target/iscsi/iscsi_target_configfs.c +@@ -1650,6 +1650,11 @@ static int lio_queue_status(struct se_cm + struct iscsi_cmd *cmd = container_of(se_cmd, struct iscsi_cmd, se_cmd); + + cmd->i_state = ISTATE_SEND_STATUS; ++ ++ if (cmd->se_cmd.scsi_status || cmd->sense_reason) { ++ iscsit_add_cmd_to_response_queue(cmd, cmd->conn, cmd->i_state); ++ return 0; ++ } + cmd->conn->conn_transport->iscsit_queue_status(cmd->conn, cmd); + + return 0; +--- a/drivers/target/iscsi/iscsi_target_device.c ++++ b/drivers/target/iscsi/iscsi_target_device.c +@@ -60,11 +60,7 @@ void iscsit_increment_maxcmdsn(struct is + + cmd->maxcmdsn_inc = 1; + +- if (!mutex_trylock(&sess->cmdsn_mutex)) { +- sess->max_cmd_sn += 1; +- pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn); +- return; +- } ++ mutex_lock(&sess->cmdsn_mutex); + sess->max_cmd_sn += 1; + pr_debug("Updated MaxCmdSN to 0x%08x\n", sess->max_cmd_sn); + mutex_unlock(&sess->cmdsn_mutex); diff --git a/queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch b/queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch new file mode 100644 index 00000000000..02e3495fd93 --- /dev/null +++ b/queue-3.10/loop-fix-crash-if-blk_alloc_queue-fails.patch @@ -0,0 +1,88 @@ +From 3ec981e30fae1f3c8728a05c730acaa1f627bcfb Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Mon, 14 Oct 2013 12:12:24 -0400 +Subject: loop: fix crash if blk_alloc_queue fails + +From: Mikulas Patocka + +commit 3ec981e30fae1f3c8728a05c730acaa1f627bcfb upstream. + +loop: fix crash if blk_alloc_queue fails + +If blk_alloc_queue fails, loop_add cleans up, but it doesn't clean up the +identifier allocated with idr_alloc. That causes crash on module unload in +idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); where we attempt to +remove non-existed device with that id. + +BUG: unable to handle kernel NULL pointer dereference at 0000000000000380 +IP: [] del_gendisk+0x19/0x2d0 +PGD 43d399067 PUD 43d0ad067 PMD 0 +Oops: 0000 [#1] PREEMPT SMP +Modules linked in: loop(-) dm_snapshot dm_zero dm_mirror dm_region_hash dm_log dm_loop dm_mod ip6table_filter ip6_tables uvesafb cfbcopyarea cfbimgblt cfbfillrect fbcon font bitblit fbcon_rotate fbcon_cw fbcon_ud fbcon_ccw softcursor fb fbdev msr ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_conntrack_ipv4 nf_defrag_ipv4 xt_state ipt_REJECT xt_tcpudp iptable_filter ip_tables x_tables bridge stp llc tun ipv6 cpufreq_userspace cpufreq_stats cpufreq_ondemand cpufreq_conservative cpufreq_powersave spadfs fuse hid_generic usbhid hid raid0 md_mod dmi_sysfs nf_nat_ftp nf_nat nf_conntrack_ftp nf_conntrack snd_usb_audio snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc lm85 hwmon_vid snd_hwdep snd_usbmidi_lib snd_rawmidi snd soundcore acpi_cpufreq ohci_hcd freq_table tg3 ehci_pci mperf ehci_hcd kvm_amd kvm sata_svw serverworks libphy libata ide_core k10temp usbcore hwmon microcode ptp pcspkr pps_core e100 skge mii usb_common i2c_piix4 floppy evdev rtc_cmos i2c_core processor but! + ton unix +CPU: 7 PID: 2735 Comm: rmmod Tainted: G W 3.10.15-devel #15 +Hardware name: empty empty/S3992-E, BIOS 'V1.06 ' 06/09/2009 +task: ffff88043d38e780 ti: ffff88043d21e000 task.ti: ffff88043d21e000 +RIP: 0010:[] [] del_gendisk+0x19/0x2d0 +RSP: 0018:ffff88043d21fe10 EFLAGS: 00010282 +RAX: ffffffffa05102e0 RBX: 0000000000000000 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff88043ea82800 RDI: 0000000000000000 +RBP: ffff88043d21fe48 R08: 0000000000000000 R09: 0000000000000001 +R10: 0000000000000001 R11: 0000000000000000 R12: 00000000000000ff +R13: 0000000000000080 R14: 0000000000000000 R15: ffff88043ea82800 +FS: 00007ff646534700(0000) GS:ffff880447000000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 0000000000000380 CR3: 000000043e9bf000 CR4: 00000000000007e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Stack: + ffffffff8100aba4 0000000000000092 ffff88043d21fe48 ffff88043ea82800 + 00000000000000ff ffff88043d21fe98 0000000000000000 ffff88043d21fe60 + ffffffffa05102b4 0000000000000000 ffff88043d21fe70 ffffffffa05102ec +Call Trace: + [] ? native_sched_clock+0x24/0x80 + [] loop_remove+0x14/0x40 [loop] + [] loop_exit_cb+0xc/0x10 [loop] + [] idr_for_each+0x104/0x190 + [] ? loop_remove+0x40/0x40 [loop] + [] ? trace_hardirqs_on_caller+0x105/0x1d0 + [] loop_exit+0x34/0xa58 [loop] + [] SyS_delete_module+0x13a/0x260 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x1a/0x1f +Code: f0 4c 8b 6d f8 c9 c3 66 66 2e 0f 1f 84 00 00 00 00 00 55 48 89 e5 41 56 41 55 4c 8d af 80 00 00 00 41 54 53 48 89 fb 48 83 ec 18 <48> 83 bf 80 03 00 +00 00 74 4d e8 98 fe ff ff 31 f6 48 c7 c7 20 +RIP [] del_gendisk+0x19/0x2d0 + RSP +CR2: 0000000000000380 +---[ end trace 64ec069ec70f1309 ]--- + +Signed-off-by: Mikulas Patocka +Acked-by: Tejun Heo +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -1633,7 +1633,7 @@ static int loop_add(struct loop_device * + err = -ENOMEM; + lo->lo_queue = blk_alloc_queue(GFP_KERNEL); + if (!lo->lo_queue) +- goto out_free_dev; ++ goto out_free_idr; + + disk = lo->lo_disk = alloc_disk(1 << part_shift); + if (!disk) +@@ -1678,6 +1678,8 @@ static int loop_add(struct loop_device * + + out_free_queue: + blk_cleanup_queue(lo->lo_queue); ++out_free_idr: ++ idr_remove(&loop_index_idr, i); + out_free_dev: + kfree(lo); + out: diff --git a/queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch b/queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch new file mode 100644 index 00000000000..ffbbf6e58e3 --- /dev/null +++ b/queue-3.10/loop-fix-crash-when-using-unassigned-loop-device.patch @@ -0,0 +1,108 @@ +From ef7e7c82e02b602f29c2b87f42dcd6143a6777da Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 15 Oct 2013 14:14:38 -0600 +Subject: loop: fix crash when using unassigned loop device + +From: Mikulas Patocka + +commit ef7e7c82e02b602f29c2b87f42dcd6143a6777da upstream. + +When the loop module is loaded, it creates 8 loop devices /dev/loop[0-7]. +The devices have no request routine and thus, when they are used without +being assigned, a crash happens. + +For example, these commands cause crash (assuming there are no used loop +devices): + +Kernel Fault: Code=26 regs=000000007f420980 (Addr=0000000000000010) +CPU: 1 PID: 50 Comm: kworker/1:1 Not tainted 3.11.0 #1 +Workqueue: ksnaphd do_metadata [dm_snapshot] +task: 000000007fcf4078 ti: 000000007f420000 task.ti: 000000007f420000 +[ 116.319988] + YZrvWESTHLNXBCVMcbcbcbcbOGFRQPDI +PSW: 00001000000001001111111100001111 Not tainted +r00-03 000000ff0804ff0f 00000000408bf5d0 00000000402d8204 000000007b7ff6c0 +r04-07 00000000408a95d0 000000007f420950 000000007b7ff6c0 000000007d06c930 +r08-11 000000007f4205c0 0000000000000001 000000007f4205c0 000000007f4204b8 +r12-15 0000000000000010 0000000000000000 0000000000000000 0000000000000000 +r16-19 000000001108dd48 000000004061cd7c 000000007d859800 000000000800000f +r20-23 0000000000000000 0000000000000008 0000000000000000 0000000000000000 +r24-27 00000000ffffffff 000000007b7ff6c0 000000007d859800 00000000408a95d0 +r28-31 0000000000000000 000000007f420950 000000007f420980 000000007f4208e8 +sr00-03 0000000000000000 0000000000000000 0000000000000000 0000000000303000 +sr04-07 0000000000000000 0000000000000000 0000000000000000 0000000000000000 +[ 117.549988] +IASQ: 0000000000000000 0000000000000000 IAOQ: 00000000402d82fc 00000000402d8300 + IIR: 53820020 ISR: 0000000000000000 IOR: 0000000000000010 + CPU: 1 CR30: 000000007f420000 CR31: ffffffffffffffff + ORIG_R28: 0000000000000001 + IAOQ[0]: generic_make_request+0x11c/0x1a0 + IAOQ[1]: generic_make_request+0x120/0x1a0 + RP(r2): generic_make_request+0x24/0x1a0 +Backtrace: + [<00000000402d83f0>] submit_bio+0x70/0x140 + [<0000000011087c4c>] dispatch_io+0x234/0x478 [dm_mod] + [<0000000011087f44>] sync_io+0xb4/0x190 [dm_mod] + [<00000000110883bc>] dm_io+0x2c4/0x310 [dm_mod] + [<00000000110bfcd0>] do_metadata+0x28/0xb0 [dm_snapshot] + [<00000000401591d8>] process_one_work+0x160/0x460 + [<0000000040159bc0>] worker_thread+0x300/0x478 + [<0000000040161a70>] kthread+0x118/0x128 + [<0000000040104020>] end_fault_vector+0x20/0x28 + [<0000000040177220>] task_tick_fair+0x420/0x4d0 + [<00000000401aa048>] invoke_rcu_core+0x50/0x60 + [<00000000401ad5b8>] rcu_check_callbacks+0x210/0x8d8 + [<000000004014aaa0>] update_process_times+0xa8/0xc0 + [<00000000401ab86c>] rcu_process_callbacks+0x4b4/0x598 + [<0000000040142408>] __do_softirq+0x250/0x2c0 + [<00000000401789d0>] find_busiest_group+0x3c0/0xc70 +[ 119.379988] +Kernel panic - not syncing: Kernel Fault +Rebooting in 1 seconds.. + +Signed-off-by: Mikulas Patocka +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/loop.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +--- a/drivers/block/loop.c ++++ b/drivers/block/loop.c +@@ -894,13 +894,6 @@ static int loop_set_fd(struct loop_devic + + bio_list_init(&lo->lo_bio_list); + +- /* +- * set queue make_request_fn, and add limits based on lower level +- * device +- */ +- blk_queue_make_request(lo->lo_queue, loop_make_request); +- lo->lo_queue->queuedata = lo; +- + if (!(lo_flags & LO_FLAGS_READ_ONLY) && file->f_op->fsync) + blk_queue_flush(lo->lo_queue, REQ_FLUSH); + +@@ -1618,6 +1611,8 @@ static int loop_add(struct loop_device * + if (!lo) + goto out; + ++ lo->lo_state = Lo_unbound; ++ + /* allocate id, if @id >= 0, we're requesting that specific id */ + if (i >= 0) { + err = idr_alloc(&loop_index_idr, lo, i, i + 1, GFP_KERNEL); +@@ -1635,6 +1630,12 @@ static int loop_add(struct loop_device * + if (!lo->lo_queue) + goto out_free_idr; + ++ /* ++ * set queue make_request_fn ++ */ ++ blk_queue_make_request(lo->lo_queue, loop_make_request); ++ lo->lo_queue->queuedata = lo; ++ + disk = lo->lo_disk = alloc_disk(1 << part_shift); + if (!disk) + goto out_free_queue; diff --git a/queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch b/queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch new file mode 100644 index 00000000000..4c9be277121 --- /dev/null +++ b/queue-3.10/mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch @@ -0,0 +1,110 @@ +From 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 Mon Sep 17 00:00:00 2001 +From: Huang Shijie +Date: Mon, 11 Nov 2013 12:13:45 +0800 +Subject: mtd: gpmi: fix kernel BUG due to racing DMA operations + +From: Huang Shijie + +commit 7b3d2fb92067bcb29f0f085a9fa9fa64920a6646 upstream. + +[1] The gpmi uses the nand_command_lp to issue the commands to NAND chips. + The gpmi issues a DMA operation with gpmi_cmd_ctrl when it handles + a NAND_CMD_NONE control command. So when we read a page(NAND_CMD_READ0) + from the NAND, we may send two DMA operations back-to-back. + + If we do not serialize the two DMA operations, we will meet a bug when + + 1.1) we enable CONFIG_DMA_API_DEBUG, CONFIG_DMADEVICES_DEBUG, + and CONFIG_DEBUG_SG. + + 1.2) Use the following commands in an UART console and a SSH console: + cmd 1: while true;do dd if=/dev/mtd0 of=/dev/null;done + cmd 1: while true;do dd if=/dev/mmcblk0 of=/dev/null;done + + The kernel log shows below: + ----------------------------------------------------------------- + kernel BUG at lib/scatterlist.c:28! + Unable to handle kernel NULL pointer dereference at virtual address 00000000 + ......................... + [<80044a0c>] (__bug+0x18/0x24) from [<80249b74>] (sg_next+0x48/0x4c) + [<80249b74>] (sg_next+0x48/0x4c) from [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) + [<80255398>] (debug_dma_unmap_sg+0x170/0x1a4) from [<8004af58>] (dma_unmap_sg+0x14/0x6c) + [<8004af58>] (dma_unmap_sg+0x14/0x6c) from [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) + [<8027e594>] (mxs_dma_tasklet+0x18/0x1c) from [<8007d444>] (tasklet_action+0x114/0x164) + ----------------------------------------------------------------- + + 1.3) Assume the two DMA operations is X (first) and Y (second). + + The root cause of the bug: + Assume process P issues DMA X, and sleep on the completion + @this->dma_done. X's tasklet callback is dma_irq_callback. It firstly + wake up the process sleeping on the completion @this->dma_done, + and then trid to unmap the scatterlist S. The waked process P will + issue Y in another ARM core. Y initializes S->sg_magic to zero + with sg_init_one(), while dma_irq_callback is unmapping S at the same + time. + + See the diagram: + + ARM core 0 | ARM core 1 + ------------------------------------------------------------- + (P issues DMA X, then sleep) --> | + | + (X's tasklet wakes P) --> | + | + | <-- (P begin to issue DMA Y) + | + (X's tasklet unmap the | + scatterlist S with dma_unmap_sg) --> | <-- (Y calls sg_init_one() to init + | scatterlist S) + | + +[2] This patch serialize both the X and Y in the following way: + Unmap the DMA scatterlist S firstly, and wake up the process at the end + of the DMA callback, in such a way, Y will be executed after X. + + After this patch: + + ARM core 0 | ARM core 1 + ------------------------------------------------------------- + (P issues DMA X, then sleep) --> | + | + (X's tasklet unmap the | + scatterlist S with dma_unmap_sg) --> | + | + (X's tasklet wakes P) --> | + | + | <-- (P begin to issue DMA Y) + | + | <-- (Y calls sg_init_one() to init + | scatterlist S) + | + +Signed-off-by: Huang Shijie +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/gpmi-nand/gpmi-nand.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/gpmi-nand/gpmi-nand.c ++++ b/drivers/mtd/nand/gpmi-nand/gpmi-nand.c +@@ -264,8 +264,6 @@ static void dma_irq_callback(void *param + struct gpmi_nand_data *this = param; + struct completion *dma_c = &this->dma_done; + +- complete(dma_c); +- + switch (this->dma_type) { + case DMA_FOR_COMMAND: + dma_unmap_sg(this->dev, &this->cmd_sgl, 1, DMA_TO_DEVICE); +@@ -290,6 +288,8 @@ static void dma_irq_callback(void *param + default: + pr_err("in wrong DMA operation.\n"); + } ++ ++ complete(dma_c); + } + + int start_dma_without_bch_irq(struct gpmi_nand_data *this, diff --git a/queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch b/queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch new file mode 100644 index 00000000000..3eea60323a6 --- /dev/null +++ b/queue-3.10/mtd-map-fixed-bug-in-64-bit-systems.patch @@ -0,0 +1,71 @@ +From a4d62babf988fe5dfde24437fa135ef147bc7aa0 Mon Sep 17 00:00:00 2001 +From: Wang Haitao +Date: Thu, 22 Aug 2013 19:32:38 +0800 +Subject: mtd: map: fixed bug in 64-bit systems + +From: Wang Haitao + +commit a4d62babf988fe5dfde24437fa135ef147bc7aa0 upstream. + +Hardware: + CPU: XLP832,the 64-bit OS + NOR Flash:S29GL128S 128M +Software: + Kernel:2.6.32.41 + Filesystem:JFFS2 +When writing files, errors appear: + Write len 182 but return retlen 180 + Write of 182 bytes at 0x072c815c failed. returned -5, retlen 180 + Write len 186 but return retlen 184 + Write of 186 bytes at 0x072caff4 failed. returned -5, retlen 184 +These errors exist only in 64-bit systems,not in 32-bit systems. After analysis, we +found that the left shift operation is wrong in map_word_load_partial. For instance: + unsigned char buf[3] ={0x9e,0x3a,0xea}; + map_bankwidth(map) is 4; + for (i=0; i < 3; i++) { + int bitpos; + bitpos = (map_bankwidth(map)-1-i)*8; + orig.x[0] &= ~(0xff << bitpos); + orig.x[0] |= buf[i] << bitpos; + } + +The value of orig.x[0] is expected to be 0x9e3aeaff, but in this situation(64-bit +System) we'll get the wrong value of 0xffffffff9e3aeaff due to the 64-bit sign +extension: +buf[i] is defined as "unsigned char" and the left-shift operation will convert it +to the type of "signed int", so when left-shift buf[i] by 24 bits, the final result +will get the wrong value: 0xffffffff9e3aeaff. + +If the left-shift bits are less than 24, then sign extension will not occur. Whereas +the bankwidth of the nor flash we used is 4, therefore this BUG emerges. + +Signed-off-by: Pang Xunlei +Signed-off-by: Zhang Yi +Signed-off-by: Lu Zhongjun +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mtd/map.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/mtd/map.h ++++ b/include/linux/mtd/map.h +@@ -365,7 +365,7 @@ static inline map_word map_word_load_par + bitpos = (map_bankwidth(map)-1-i)*8; + #endif + orig.x[0] &= ~(0xff << bitpos); +- orig.x[0] |= buf[i-start] << bitpos; ++ orig.x[0] |= (unsigned long)buf[i-start] << bitpos; + } + } + return orig; +@@ -384,7 +384,7 @@ static inline map_word map_word_ff(struc + + if (map_bankwidth(map) < MAP_FF_LIMIT) { + int bw = 8 * map_bankwidth(map); +- r.x[0] = (1 << bw) - 1; ++ r.x[0] = (1UL << bw) - 1; + } else { + for (i=0; i +Date: Tue, 27 Aug 2013 18:45:10 -0700 +Subject: mtd: nand: hack ONFI for non-power-of-2 dimensions + +From: Brian Norris + +commit 4355b70cf48363c50a9de450b01178c83aba8f6a upstream. + +Some bright specification writers decided to write this in the ONFI spec +(from ONFI 3.0, Section 3.1): + + "The number of blocks and number of pages per block is not required to + be a power of two. In the case where one of these values is not a + power of two, the corresponding address shall be rounded to an + integral number of bits such that it addresses a range up to the + subsequent power of two value. The host shall not access upper + addresses in a range that is shown as not supported." + +This breaks every assumption MTD makes about NAND block/chip-size +dimensions -- they *must* be a power of two! + +And of course, an enterprising manufacturer has made use of this lovely +freedom. Exhibit A: Micron MT29F32G08CBADAWP + + "- Plane size: 2 planes x 1064 blocks per plane + - Device size: 32Gb: 2128 blockss [sic]" + +This quickly hits a BUG() in nand_base.c, since the extra dimensions +overflow so we think it's a second chip (on my single-chip setup): + + ONFI param page 0 valid + ONFI flash detected + NAND device: Manufacturer ID: 0x2c, Chip ID: 0x44 (Micron MT29F32G08CBADAWP), 4256MiB, page size: 8192, OOB size: 744 + ------------[ cut here ]------------ + kernel BUG at drivers/mtd/nand/nand_base.c:203! + Internal error: Oops - BUG: 0 [#1] SMP ARM + [... trim ...] + [] (nand_select_chip+0x18/0x2c) from [] (nand_do_read_ops+0x90/0x424) + [] (nand_do_read_ops+0x90/0x424) from [] (nand_read+0x54/0x78) + [] (nand_read+0x54/0x78) from [] (mtd_read+0x84/0xbc) + [] (mtd_read+0x84/0xbc) from [] (scan_read.clone.4+0x4c/0x64) + [] (scan_read.clone.4+0x4c/0x64) from [] (search_bbt+0x148/0x290) + [] (search_bbt+0x148/0x290) from [] (nand_scan_bbt+0xd4/0x5c0) + [... trim ...] + ---[ end trace 0c9363860d865ff2 ]--- + +So to fix this, just truncate these dimensions down to the greatest +power-of-2 dimension that is less than or equal to the specified +dimension. + +Signed-off-by: Brian Norris +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/nand/nand_base.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/drivers/mtd/nand/nand_base.c ++++ b/drivers/mtd/nand/nand_base.c +@@ -2904,10 +2904,21 @@ static int nand_flash_detect_onfi(struct + sanitize_string(p->model, sizeof(p->model)); + if (!mtd->name) + mtd->name = p->model; ++ + mtd->writesize = le32_to_cpu(p->byte_per_page); +- mtd->erasesize = le32_to_cpu(p->pages_per_block) * mtd->writesize; ++ ++ /* ++ * pages_per_block and blocks_per_lun may not be a power-of-2 size ++ * (don't ask me who thought of this...). MTD assumes that these ++ * dimensions will be power-of-2, so just truncate the remaining area. ++ */ ++ mtd->erasesize = 1 << (fls(le32_to_cpu(p->pages_per_block)) - 1); ++ mtd->erasesize *= mtd->writesize; ++ + mtd->oobsize = le16_to_cpu(p->spare_bytes_per_page); +- chip->chipsize = le32_to_cpu(p->blocks_per_lun); ++ ++ /* See erasesize comment */ ++ chip->chipsize = 1 << (fls(le32_to_cpu(p->blocks_per_lun)) - 1); + chip->chipsize *= (uint64_t)mtd->erasesize * p->lun_count; + *busw = 0; + if (le16_to_cpu(p->features) & 1) diff --git a/queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch b/queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch new file mode 100644 index 00000000000..2dac87df4bd --- /dev/null +++ b/queue-3.10/rtlwifi-fix-endian-error-in-extracting-packet-type.patch @@ -0,0 +1,163 @@ +From 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 Mon Sep 17 00:00:00 2001 +From: Mark Cave-Ayland +Date: Sat, 2 Nov 2013 14:28:35 -0500 +Subject: rtlwifi: Fix endian error in extracting packet type + +From: Mark Cave-Ayland + +commit 0c5d63f0ab6728f05ddefa25aff55e31297f95e6 upstream. + +All of the rtlwifi drivers have an error in the routine that tests if +the data is "special". If it is, the subsequant transmission will be +at the lowest rate to enhance reliability. The 16-bit quantity is +big-endian, but was being extracted in native CPU mode. One of the +effects of this bug is to inhibit association under some conditions +as the TX rate is too high. + +Based on suggestions by Joe Perches, the entire routine is rewritten. + +One of the local headers contained duplicates of some of the ETH_P_XXX +definitions. These are deleted. + +Signed-off-by: Larry Finger +Cc: Mark Cave-Ayland +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/base.c | 97 +++++++++++++++--------------------- + drivers/net/wireless/rtlwifi/wifi.h | 6 -- + 2 files changed, 44 insertions(+), 59 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/base.c ++++ b/drivers/net/wireless/rtlwifi/base.c +@@ -37,6 +37,7 @@ + + #include + #include ++#include + + /* + *NOTICE!!!: This file will be very big, we should +@@ -1066,64 +1067,52 @@ u8 rtl_is_special_data(struct ieee80211_ + if (!ieee80211_is_data(fc)) + return false; + ++ ip = (const struct iphdr *)(skb->data + mac_hdr_len + ++ SNAP_SIZE + PROTOC_TYPE_SIZE); ++ ether_type = be16_to_cpup((__be16 *) ++ (skb->data + mac_hdr_len + SNAP_SIZE)); ++ ++ switch (ether_type) { ++ case ETH_P_IP: { ++ struct udphdr *udp; ++ u16 src; ++ u16 dst; ++ ++ if (ip->protocol != IPPROTO_UDP) ++ return false; ++ udp = (struct udphdr *)((u8 *)ip + (ip->ihl << 2)); ++ src = be16_to_cpu(udp->source); ++ dst = be16_to_cpu(udp->dest); ++ ++ /* If this case involves port 68 (UDP BOOTP client) connecting ++ * with port 67 (UDP BOOTP server), then return true so that ++ * the lowest speed is used. ++ */ ++ if (!((src == 68 && dst == 67) || (src == 67 && dst == 68))) ++ return false; + +- ip = (struct iphdr *)((u8 *) skb->data + mac_hdr_len + +- SNAP_SIZE + PROTOC_TYPE_SIZE); +- ether_type = *(u16 *) ((u8 *) skb->data + mac_hdr_len + SNAP_SIZE); +- /* ether_type = ntohs(ether_type); */ +- +- if (ETH_P_IP == ether_type) { +- if (IPPROTO_UDP == ip->protocol) { +- struct udphdr *udp = (struct udphdr *)((u8 *) ip + +- (ip->ihl << 2)); +- if (((((u8 *) udp)[1] == 68) && +- (((u8 *) udp)[3] == 67)) || +- ((((u8 *) udp)[1] == 67) && +- (((u8 *) udp)[3] == 68))) { +- /* +- * 68 : UDP BOOTP client +- * 67 : UDP BOOTP server +- */ +- RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), +- DBG_DMESG, "dhcp %s !!\n", +- is_tx ? "Tx" : "Rx"); +- +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv-> +- works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = +- jiffies; +- } +- +- return true; +- } +- } +- } else if (ETH_P_ARP == ether_type) { +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv->works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } +- +- return true; +- } else if (ETH_P_PAE == ether_type) { ++ RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, ++ "dhcp %s !!\n", is_tx ? "Tx" : "Rx"); ++ break; ++ } ++ case ETH_P_ARP: ++ break; ++ case ETH_P_PAE: + RT_TRACE(rtlpriv, (COMP_SEND | COMP_RECV), DBG_DMESG, + "802.1X %s EAPOL pkt!!\n", is_tx ? "Tx" : "Rx"); +- +- if (is_tx) { +- rtlpriv->enter_ps = false; +- schedule_work(&rtlpriv->works.lps_change_work); +- ppsc->last_delaylps_stamp_jiffies = jiffies; +- } +- +- return true; +- } else if (ETH_P_IPV6 == ether_type) { +- /* IPv6 */ +- return true; ++ break; ++ case ETH_P_IPV6: ++ /* TODO: Is this right? */ ++ return false; ++ default: ++ return false; + } +- +- return false; ++ if (is_tx) { ++ rtlpriv->enter_ps = false; ++ schedule_work(&rtlpriv->works.lps_change_work); ++ ppsc->last_delaylps_stamp_jiffies = jiffies; ++ } ++ return true; + } + + /********************************************************* +--- a/drivers/net/wireless/rtlwifi/wifi.h ++++ b/drivers/net/wireless/rtlwifi/wifi.h +@@ -77,11 +77,7 @@ + #define RTL_SLOT_TIME_9 9 + #define RTL_SLOT_TIME_20 20 + +-/*related with tcp/ip. */ +-/*if_ehther.h*/ +-#define ETH_P_PAE 0x888E /*Port Access Entity (IEEE 802.1X) */ +-#define ETH_P_IP 0x0800 /*Internet Protocol packet */ +-#define ETH_P_ARP 0x0806 /*Address Resolution packet */ ++/*related to tcp/ip. */ + #define SNAP_SIZE 6 + #define PROTOC_TYPE_SIZE 2 + diff --git a/queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch b/queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch new file mode 100644 index 00000000000..6b6afe00795 --- /dev/null +++ b/queue-3.10/rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch @@ -0,0 +1,35 @@ +From dab3df5e88b979f8d09860f873ccfaa7a55758d2 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 25 Sep 2013 12:57:48 -0500 +Subject: rtlwifi: rtl8188ee: Fix smatch warning in rtl8188ee/hw.c + +From: Larry Finger + +commit dab3df5e88b979f8d09860f873ccfaa7a55758d2 upstream. + +Smatch lists the following: + CHECK drivers/net/wireless/rtlwifi/rtl8188ee/hw.c +drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code. +drivers/net/wireless/rtlwifi/rtl8188ee/hw.c:149 _rtl88ee_set_fw_clock_on() info: ignoring unreachable code. + +This info message is the result of a real error due to a missing break statement +in a "while (1)" loop. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8188ee/hw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8188ee/hw.c +@@ -143,6 +143,7 @@ static void _rtl88ee_set_fw_clock_on(str + } else { + rtlhal->fw_clk_change_in_progress = false; + spin_unlock_bh(&rtlpriv->locks.fw_ps_lock); ++ break; + } + } + diff --git a/queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch b/queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch new file mode 100644 index 00000000000..bc0b07a08fe --- /dev/null +++ b/queue-3.10/rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch @@ -0,0 +1,73 @@ +From eafbdde9c5629bea58df07275c5917eb42afbbe7 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Sun, 10 Nov 2013 22:11:16 -0600 +Subject: rtlwifi: rtl8192cu: Fix more pointer arithmetic errors + +From: Larry Finger + +commit eafbdde9c5629bea58df07275c5917eb42afbbe7 upstream. + +This driver uses a number of macros to get and set various fields in the +RX and TX descriptors. To work correctly, a u8 pointer to the descriptor +must be used; however, in some cases a descriptor structure pointer is used +instead. In addition, a duplicated statement is removed. + +Signed-off-by: Larry Finger +Reported-by: Mark Cave-Ayland +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/mac.c | 6 +++--- + drivers/net/wireless/rtlwifi/rtl8192cu/trx.c | 6 +++--- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/mac.c +@@ -778,7 +778,7 @@ static long _rtl92c_signal_scale_mapping + + static void _rtl92c_query_rxphystatus(struct ieee80211_hw *hw, + struct rtl_stats *pstats, +- struct rx_desc_92c *pdesc, ++ struct rx_desc_92c *p_desc, + struct rx_fwinfo_92c *p_drvinfo, + bool packet_match_bssid, + bool packet_toself, +@@ -793,11 +793,11 @@ static void _rtl92c_query_rxphystatus(st + u32 rssi, total_rssi = 0; + bool in_powersavemode = false; + bool is_cck_rate; ++ u8 *pdesc = (u8 *)p_desc; + +- is_cck_rate = RX_HAL_IS_CCK_RATE(pdesc); ++ is_cck_rate = RX_HAL_IS_CCK_RATE(p_desc); + pstats->packet_matchbssid = packet_match_bssid; + pstats->packet_toself = packet_toself; +- pstats->is_cck = is_cck_rate; + pstats->packet_beacon = packet_beacon; + pstats->is_cck = is_cck_rate; + pstats->RX_SIGQ[0] = -1; +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/trx.c +@@ -303,10 +303,10 @@ out: + bool rtl92cu_rx_query_desc(struct ieee80211_hw *hw, + struct rtl_stats *stats, + struct ieee80211_rx_status *rx_status, +- u8 *p_desc, struct sk_buff *skb) ++ u8 *pdesc, struct sk_buff *skb) + { + struct rx_fwinfo_92c *p_drvinfo; +- struct rx_desc_92c *pdesc = (struct rx_desc_92c *)p_desc; ++ struct rx_desc_92c *p_desc = (struct rx_desc_92c *)pdesc; + u32 phystatus = GET_RX_DESC_PHY_STATUS(pdesc); + + stats->length = (u16) GET_RX_DESC_PKT_LEN(pdesc); +@@ -345,7 +345,7 @@ bool rtl92cu_rx_query_desc(struct ieee80 + if (phystatus) { + p_drvinfo = (struct rx_fwinfo_92c *)(skb->data + + stats->rx_bufshift); +- rtl92c_translate_rx_signal_stuff(hw, skb, stats, pdesc, ++ rtl92c_translate_rx_signal_stuff(hw, skb, stats, p_desc, + p_drvinfo); + } + /*rx_status->qual = stats->signal; */ diff --git a/queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch b/queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch new file mode 100644 index 00000000000..be56bf6700e --- /dev/null +++ b/queue-3.10/rtlwifi-rtl8192se-fix-wrong-assignment.patch @@ -0,0 +1,33 @@ +From 3aef7dde8dcf09e0124f0a2665845a507331972b Mon Sep 17 00:00:00 2001 +From: Felipe Pena +Date: Fri, 18 Oct 2013 21:52:40 -0300 +Subject: rtlwifi: rtl8192se: Fix wrong assignment + +From: Felipe Pena + +commit 3aef7dde8dcf09e0124f0a2665845a507331972b upstream. + +There is a typo in the struct member name on assignment when checking +rtlphy->current_chan_bw == HT_CHANNEL_WIDTH_20_40, the check uses pwrgroup_ht40 +for bound limit and uses pwrgroup_ht20 when assigning instead. + +Signed-off-by: Felipe Pena +Acked-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192se/rf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192se/rf.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192se/rf.c +@@ -265,7 +265,7 @@ static void _rtl92s_get_txpower_writeval + rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]) { + pwrdiff_limit[i] = +- rtlefuse->pwrgroup_ht20 ++ rtlefuse->pwrgroup_ht40 + [RF90_PATH_A][chnl - 1]; + } + } else { diff --git a/queue-3.10/series b/queue-3.10/series index 748344b1030..327a9efb86d 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -34,3 +34,27 @@ gpio-rcar-null-dereference-on-error-in-probe.patch libata-fix-display-of-sata-speed.patch drivers-libata-set-max-sector-to-65535-for-slimtype-dvd-a-ds8a9sh-drive.patch vsprintf-check-real-user-group-id-for-pk.patch +rtlwifi-rtl8188ee-fix-smatch-warning-in-rtl8188ee-hw.c.patch +rtlwifi-fix-endian-error-in-extracting-packet-type.patch +rtlwifi-rtl8192se-fix-wrong-assignment.patch +rtlwifi-rtl8192cu-fix-more-pointer-arithmetic-errors.patch +ipc-msg-fix-message-length-check-for-negative-values.patch +ipc-msg-forbid-negative-values-for-msg-max-mnb-mni.patch +ipc-update-locking-scheme-comments.patch +ipc-sem.c-synchronize-semop-and-semctl-with-ipc_rmid.patch +ahci-add-device-ids-for-intel-wildcat-point-lp.patch +ahci-disabled-fbs-prior-to-issuing-software-reset.patch +ahci-add-marvell-9230-to-the-ahci-pci-device-list.patch +iscsi-target-fix-mutex_trylock-usage-in-iscsit_increment_maxcmdsn.patch +iscsi-target-fix-extract_param-to-handle-buffer-length-corner-case.patch +iscsi-target-chap-auth-shouldn-t-match-username-with-trailing-garbage.patch +ib-ipath-convert-ipath_user_sdma_pin_pages-to-use-get_user_pages_fast.patch +ib-qib-fix-txselect-regression.patch +ib-srp-report-receive-errors-correctly.patch +loop-fix-crash-if-blk_alloc_queue-fails.patch +loop-fix-crash-when-using-unassigned-loop-device.patch +mtd-nand-hack-onfi-for-non-power-of-2-dimensions.patch +mtd-map-fixed-bug-in-64-bit-systems.patch +mtd-gpmi-fix-kernel-bug-due-to-racing-dma-operations.patch +ext4-avoid-bh-leak-in-retry-path-of-ext4_expand_extra_isize_ea.patch +xen-blkback-fix-reference-counting.patch diff --git a/queue-3.10/xen-blkback-fix-reference-counting.patch b/queue-3.10/xen-blkback-fix-reference-counting.patch new file mode 100644 index 00000000000..169e366ad51 --- /dev/null +++ b/queue-3.10/xen-blkback-fix-reference-counting.patch @@ -0,0 +1,44 @@ +From ea5ec76d76da9279d12027c1828544c5ccbe7932 Mon Sep 17 00:00:00 2001 +From: Vegard Nossum +Date: Thu, 5 Sep 2013 13:00:14 +0200 +Subject: xen/blkback: fix reference counting + +From: Vegard Nossum + +commit ea5ec76d76da9279d12027c1828544c5ccbe7932 upstream. + +If the permission check fails, we drop a reference to the blkif without +having taken it in the first place. The bug was introduced in commit +604c499cbbcc3d5fe5fb8d53306aa0fae1990109 (xen/blkback: Check device +permissions before allowing OP_DISCARD). + +Cc: Jan Beulich +Cc: Konrad Rzeszutek Wilk +Signed-off-by: Vegard Nossum +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/block/xen-blkback/blkback.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -649,6 +649,8 @@ static int dispatch_discard_io(struct xe + unsigned long secure; + struct phys_req preq; + ++ xen_blkif_get(blkif); ++ + preq.sector_number = req->u.discard.sector_number; + preq.nr_sects = req->u.discard.nr_sectors; + +@@ -661,7 +663,6 @@ static int dispatch_discard_io(struct xe + } + blkif->st_ds_req++; + +- xen_blkif_get(blkif); + secure = (blkif->vbd.discard_secure && + (req->u.discard.flag & BLKIF_DISCARD_SECURE)) ? + BLKDEV_DISCARD_SECURE : 0;