From: Greg Kroah-Hartman Date: Mon, 23 Jan 2012 19:43:35 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.2.2~5 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c7010373bfe4a92fa4af3aa81d37addbcebe81a3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: iwlagn-check-for-smps-mode.patch iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch kprobes-initialize-before-using-a-hlist.patch mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch proc-clear_refs-do-not-clear-reserved-pages.patch score-fix-off-by-one-index-into-syscall-table.patch ubifs-make-debugging-messages-light-again.patch --- diff --git a/queue-3.0/iwlagn-check-for-smps-mode.patch b/queue-3.0/iwlagn-check-for-smps-mode.patch new file mode 100644 index 00000000000..ea6fe937de2 --- /dev/null +++ b/queue-3.0/iwlagn-check-for-smps-mode.patch 
@@ -0,0 +1,47 @@ +From b2ccccdca46273c7b321ecf5041c362cd950da20 Mon Sep 17 00:00:00 2001 +From: Wey-Yi Guy +Date: Thu, 10 Nov 2011 06:55:04 -0800 +Subject: iwlagn: check for SMPS mode + +From: Wey-Yi Guy + +commit b2ccccdca46273c7b321ecf5041c362cd950da20 upstream. + +Check and report WARN only when its invalid + +Resolves: +https://bugzilla.kernel.org/show_bug.cgi?id=42621 +https://bugzilla.redhat.com/show_bug.cgi?id=766071 + +Signed-off-by: Wey-Yi Guy +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 1 + + drivers/net/wireless/iwlwifi/iwl-agn-rxon.c | 3 +++ + 2 files changed, 4 insertions(+) + +--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c +@@ -2023,6 +2023,7 @@ static int iwl_get_idle_rx_chain_count(s + case IEEE80211_SMPS_STATIC: + case IEEE80211_SMPS_DYNAMIC: + return IWL_NUM_IDLE_CHAINS_SINGLE; ++ case IEEE80211_SMPS_AUTOMATIC: + case IEEE80211_SMPS_OFF: + return active_cnt; + default: +--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c +@@ -442,6 +442,9 @@ int iwlagn_mac_config(struct ieee80211_h + + mutex_lock(&priv->mutex); + ++ if (test_bit(STATUS_EXIT_PENDING, &priv->status)) ++ goto out; ++ + if (unlikely(test_bit(STATUS_SCANNING, &priv->status))) { + IWL_DEBUG_MAC80211(priv, "leave - scanning\n"); + goto out; diff --git a/queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch b/queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch new file mode 100644 index 00000000000..ee918e3997f --- /dev/null +++ b/queue-3.0/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch 
@@ -0,0 +1,57 @@ +From 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Fri, 23 Dec 2011 08:13:50 +0100 +Subject: iwlegacy: 3945: fix hw passive scan on radar channels + +From: Stanislaw Gruszka + +commit 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f upstream. + +Patch fix firmware error on "iw dev wlan0 scan passive" for +hardware scanning (with disable_hw_scan=0 module parameter). + + iwl3945 0000:03:00.0: Microcode SW error detected. Restarting 0x82000008. + iwl3945 0000:03:00.0: Loaded firmware version: 15.32.2.9 + iwl3945 0000:03:00.0: Start IWL Error Log Dump: + iwl3945 0000:03:00.0: Status: 0x0002A2E4, count: 1 + iwl3945 0000:03:00.0: Desc Time asrtPC blink2 ilink1 nmiPC Line + iwl3945 0000:03:00.0: SYSASSERT (0x5) 0041263900 0x13756 0x0031C 0x00000 764 + iwl3945 0000:03:00.0: Error Reply type 0x000002FC cmd C_SCAN (0x80) seq 0x443E ser 0x00340000 + iwl3945 0000:03:00.0: Command C_SCAN failed: FW Error + iwl3945 0000:03:00.0: Can't stop Rx DMA. + +We have disable ability to change passive scanning to active on +particular channel when traffic is detected on that channel. Otherwise +firmware will report error, when we try to do passive scan on radar +channels. + +Reported-and-debugged-by: Pedro Francisco +Signed-off-by: Stanislaw Gruszka +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlegacy/iwl3945-base.c | 9 ++++----- + 1 file changed, 4 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c ++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c +@@ -2910,14 +2910,13 @@ int iwl3945_request_scan(struct iwl_priv + IWL_WARN(priv, "Invalid scan band\n"); + return -EIO; + } +- + /* +- * If active scaning is requested but a certain channel +- * is marked passive, we can do active scanning if we +- * detect transmissions. 
++ * If active scaning is requested but a certain channel is marked ++ * passive, we can do active scanning if we detect transmissions. For ++ * passive only scanning disable switching to active on any channel. + */ + scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT : +- IWL_GOOD_CRC_TH_DISABLED; ++ IWL_GOOD_CRC_TH_NEVER; + + if (!priv->is_internal_short_scan) { + scan->tx_cmd.len = cpu_to_le16( diff --git a/queue-3.0/kprobes-initialize-before-using-a-hlist.patch b/queue-3.0/kprobes-initialize-before-using-a-hlist.patch new file mode 100644 index 00000000000..5ecef6a8645 --- /dev/null +++ b/queue-3.0/kprobes-initialize-before-using-a-hlist.patch 
@@ -0,0 +1,47 @@ +From d496aab567e7e52b3e974c9192a5de6e77dce32c Mon Sep 17 00:00:00 2001 +From: Ananth N Mavinakayanahalli +Date: Fri, 20 Jan 2012 14:34:04 -0800 +Subject: kprobes: initialize before using a hlist + +From: Ananth N Mavinakayanahalli + +commit d496aab567e7e52b3e974c9192a5de6e77dce32c upstream. + +Commit ef53d9c5e ("kprobes: improve kretprobe scalability with hashed +locking") introduced a bug where we can potentially leak +kretprobe_instances since we initialize a hlist head after having used +it. + +Initialize the hlist head before using it. + +Reported by: Jim Keniston +Acked-by: Jim Keniston +Signed-off-by: Ananth N Mavinakayanahalli +Acked-by: Masami Hiramatsu +Cc: Srinivasa D S +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct + /* Early boot. kretprobe_table_locks not yet initialized. */ + return; + ++ INIT_HLIST_HEAD(&empty_rp); + hash = hash_ptr(tk, KPROBE_HASH_BITS); + head = &kretprobe_inst_table[hash]; + kretprobe_table_lock(hash, &flags); +@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct + recycle_rp_inst(ri, &empty_rp); + } + kretprobe_table_unlock(hash, &flags); +- INIT_HLIST_HEAD(&empty_rp); + hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) { + hlist_del(&ri->hlist); + kfree(ri); diff --git a/queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch b/queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch new file mode 100644 index 00000000000..bf9c1b40f14 --- /dev/null +++ b/queue-3.0/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch 
@@ -0,0 +1,88 @@ +From 687875fb7de4a95223af20ee024282fa9099f860 Mon Sep 17 00:00:00 2001 +From: Michal Hocko +Date: Fri, 20 Jan 2012 14:33:55 -0800 +Subject: mm: fix NULL ptr dereference in __count_immobile_pages + +From: Michal Hocko + +commit 687875fb7de4a95223af20ee024282fa9099f860 upstream. + +Fix the following NULL ptr dereference caused by + + cat /sys/devices/system/memory/memory0/removable + +Pid: 13979, comm: sed Not tainted 3.0.13-0.5-default #1 IBM BladeCenter LS21 -[7971PAM]-/Server Blade +RIP: __count_immobile_pages+0x4/0x100 +Process sed (pid: 13979, threadinfo ffff880221c36000, task ffff88022e788480) +Call Trace: + is_pageblock_removable_nolock+0x34/0x40 + is_mem_section_removable+0x74/0xf0 + show_mem_removable+0x41/0x70 + sysfs_read_file+0xfe/0x1c0 + vfs_read+0xc7/0x130 + sys_read+0x53/0xa0 + system_call_fastpath+0x16/0x1b + +We are crashing because we are trying to dereference NULL zone which +came from pfn=0 (struct page ffffea0000000000). According to the boot +log this page is marked reserved: +e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved) + +and early_node_map confirms that: +early_node_map[3] active PFN ranges + 1: 0x00000010 -> 0x0000009c + 1: 0x00000100 -> 0x000bffa3 + 1: 0x00100000 -> 0x00240000 + +The problem is that memory_present works in PAGE_SECTION_MASK aligned +blocks so the reserved range sneaks into the the section as well. This +also means that free_area_init_node will not take care of those reserved +pages and they stay uninitialized. + +When we try to read the removable status we walk through all available +sections and hope that the zone is valid for all pages in the section. +But this is not true in this case as the zone and nid are not initialized. + +We have only one node in this particular case and it is marked as node=1 +(rather than 0) and that made the problem visible because page_to_nid will +return 0 and there are no zones on the node. 
+ +Let's check that the zone is valid and that the given pfn falls into its +boundaries and mark the section not removable. This might cause some +false positives, probably, but we do not have any sane way to find out +whether the page is reserved by the platform or it is just not used for +whatever other reasons. + +Signed-off-by: Michal Hocko +Acked-by: Mel Gorman +Cc: KAMEZAWA Hiroyuki +Cc: Andrea Arcangeli +Cc: David Rientjes +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -5565,6 +5565,17 @@ __count_immobile_pages(struct zone *zone + bool is_pageblock_removable_nolock(struct page *page) + { + struct zone *zone = page_zone(page); ++ unsigned long pfn = page_to_pfn(page); ++ ++ /* ++ * We have to be careful here because we are iterating over memory ++ * sections which are not zone aware so we might end up outside of ++ * the zone but still within the section. ++ */ ++ if (!zone || zone->zone_start_pfn > pfn || ++ zone->zone_start_pfn + zone->spanned_pages <= pfn) ++ return false; ++ + return __count_immobile_pages(zone, page, 0); + } + diff --git a/queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch b/queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch new file mode 100644 index 00000000000..eb0219d11c0 --- /dev/null +++ b/queue-3.0/proc-clear_refs-do-not-clear-reserved-pages.patch 
@@ -0,0 +1,62 @@ +From 85e72aa5384b1a614563ad63257ded0e91d1a620 Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Fri, 20 Jan 2012 14:34:09 -0800 +Subject: proc: clear_refs: do not clear reserved pages + +From: Will Deacon + +commit 85e72aa5384b1a614563ad63257ded0e91d1a620 upstream. + +/proc/pid/clear_refs is used to clear the Referenced and YOUNG bits for +pages and corresponding page table entries of the task with PID pid, which +includes any special mappings inserted into the page tables in order to +provide things like vDSOs and user helper functions. + +On ARM this causes a problem because the vectors page is mapped as a +global mapping and since ec706dab ("ARM: add a vma entry for the user +accessible vector page"), a VMA is also inserted into each task for this +page to aid unwinding through signals and syscall restarts. Since the +vectors page is required for handling faults, clearing the YOUNG bit (and +subsequently writing a faulting pte) means that we lose the vectors page +*globally* and cannot fault it back in. This results in a system deadlock +on the next exception. + +To see this problem in action, just run: + + $ echo 1 > /proc/self/clear_refs + +on an ARM platform (as any user) and watch your system hang. I think this +has been the case since 2.6.37 + +This patch avoids clearing the aforementioned bits for reserved pages, +therefore leaving the vectors page intact on ARM. Since reserved pages +are not candidates for swap, this change should not have any impact on the +usefulness of clear_refs. 
+ +Signed-off-by: Will Deacon +Reported-by: Moussa Ba +Acked-by: Hugh Dickins +Cc: David Rientjes +Cc: Russell King +Acked-by: Nicolas Pitre +Cc: Matt Mackall +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -516,6 +516,9 @@ static int clear_refs_pte_range(pmd_t *p + if (!page) + continue; + ++ if (PageReserved(page)) ++ continue; ++ + /* Clear accessed and referenced bits. */ + ptep_test_and_clear_young(vma, addr, pte); + ClearPageReferenced(page); diff --git a/queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch b/queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch new file mode 100644 index 00000000000..03b0ec29cae --- /dev/null +++ b/queue-3.0/score-fix-off-by-one-index-into-syscall-table.patch 
@@ -0,0 +1,44 @@ +From c25a785d6647984505fa165b5cd84cfc9a95970b Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Fri, 20 Jan 2012 14:34:27 -0800 +Subject: score: fix off-by-one index into syscall table + +From: Dan Rosenberg + +commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream. + +If the provided system call number is equal to __NR_syscalls, the +current check will pass and a function pointer just after the system +call table may be called, since sys_call_table is an array with total +size __NR_syscalls. + +Whether or not this is a security bug depends on what the compiler puts +immediately after the system call table. It's likely that this won't do +anything bad because there is an additional NULL check on the syscall +entry, but if there happens to be a non-NULL value immediately after the +system call table, this may result in local privilege escalation. + +Signed-off-by: Dan Rosenberg +Cc: Chen Liqin +Cc: Lennox Wu +Cc: Eugene Teo +Cc: Arnd Bergmann +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/score/kernel/entry.S | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/score/kernel/entry.S ++++ b/arch/score/kernel/entry.S +@@ -408,7 +408,7 @@ ENTRY(handle_sys) + sw r9, [r0, PT_EPC] + + cmpi.c r27, __NR_syscalls # check syscall number +- bgtu illegal_syscall ++ bgeu illegal_syscall + + slli r8, r27, 2 # get syscall routine + la r11, sys_call_table diff --git a/queue-3.0/series b/queue-3.0/series index eb0012a3b3d..c65b6fced6f 100644 --- a/queue-3.0/series +++ b/queue-3.0/series 
@@ -81,3 +81,10 @@ pnfs-obj-pnfs-errors-are-communicated-on-iodata-pnfs_error.patch pnfs-obj-must-return-layout-on-io-error.patch net-fix-driver-name-for-mdio-gpio.c.patch i2c-eg20t-modified-the-setting-of-transfer-rate.patch +score-fix-off-by-one-index-into-syscall-table.patch +kprobes-initialize-before-using-a-hlist.patch +proc-clear_refs-do-not-clear-reserved-pages.patch +mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch +iwlagn-check-for-smps-mode.patch +iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch +ubifs-make-debugging-messages-light-again.patch diff --git a/queue-3.0/ubifs-make-debugging-messages-light-again.patch b/queue-3.0/ubifs-make-debugging-messages-light-again.patch new file mode 100644 index 00000000000..5585af93025 --- /dev/null +++ b/queue-3.0/ubifs-make-debugging-messages-light-again.patch 
@@ -0,0 +1,54 @@ +From 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Wed, 11 Jan 2012 15:13:27 +0200 +Subject: UBIFS: make debugging messages light again + +From: Artem Bityutskiy + +commit 1f5d78dc4823a85f112aaa2d0f17624f8c2a6c52 upstream. + +We switch to dynamic debugging in commit +56e46742e846e4de167dde0e1e1071ace1c882a5 but did not take into account that +now we do not control anymore whether a specific message is enabled or not. +So now we lock the "dbg_lock" and release it in every debugging macro, which +make them not so light-weight. + +This commit removes the "dbg_lock" protection from the debugging macros to +fix the issue. + +The downside is that now our DBGKEY() stuff is broken, but this is not +critical at all and will be fixed later. + +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + + +--- + fs/ubifs/debug.h | 12 +++++------- + 1 file changed, 5 insertions(+), 7 deletions(-) + +--- a/fs/ubifs/debug.h ++++ b/fs/ubifs/debug.h +@@ -121,17 +121,15 @@ const char *dbg_key_str1(const struct ub + const union ubifs_key *key); + + /* +- * DBGKEY macros require @dbg_lock to be held, which it is in the dbg message +- * macros. ++ * TODO: these macros are now broken because there is no locking around them ++ * and we use a global buffer for the key string. This means that in case of ++ * concurrent execution we will end up with incorrect and messy key strings. + */ + #define DBGKEY(key) dbg_key_str0(c, (key)) + #define DBGKEY1(key) dbg_key_str1(c, (key)) + +-#define ubifs_dbg_msg(type, fmt, ...) do { \ +- spin_lock(&dbg_lock); \ +- pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__); \ +- spin_unlock(&dbg_lock); \ +-} while (0) ++#define ubifs_dbg_msg(type, fmt, ...) \ ++ pr_debug("UBIFS DBG " type ": " fmt "\n", ##__VA_ARGS__) + + /* Just a debugging messages not related to any specific UBIFS subsystem */ + #define dbg_msg(fmt, ...) \
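Review bot: the second hunk of iwlagn-check-for-smps-mode.patch (the STATUS_EXIT_PENDING early return added to iwlagn_mac_config in iwl-agn-rxon.c) is not described by the commit message, which only mentions the SMPS check; the message should say why mac_config now bails out when an exit is pending, since that is a separate behavioural change from the added `+ case IEEE80211_SMPS_AUTOMATIC:` in iwl_get_idle_rx_chain_count. The `goto out` path is the same one the existing STATUS_SCANNING check uses, so the mutex taken just above is released on that path; "when its invalid" in the message should read "when it's invalid".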
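Review bot: the rewritten comment in iwl3945_request_scan keeps the misspelling "scaning" in the added line `+ * If active scaning is requested but a certain channel is marked`; since that line is being replaced anyway, spell it "scanning". For the backport, confirm that IWL_GOOD_CRC_TH_NEVER is defined in the 3.0 iwlegacy headers: the hunk replaces IWL_GOOD_CRC_TH_DISABLED with it and nothing in the patch introduces the constant, so a missing definition would break the build rather than fail at runtime.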
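Review bot: the move of `INIT_HLIST_HEAD(&empty_rp);` in kprobe_flush_task is correctly placed: it now sits after the early-boot `return` and before kretprobe_table_lock, so the list is initialised before recycle_rp_inst appends to it, whereas previously the head was reset after entries had been added and the following hlist_for_each_entry_safe freed nothing, leaking kretprobe_instances. One style point: "Reported by: Jim Keniston" should use the standard "Reported-by:" tag so tooling recognises it.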
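Review bot: the guard added in is_pageblock_removable_nolock only protects this one caller of __count_immobile_pages (the hunk header shows the callee's signature as context), so any other caller that can reach __count_immobile_pages with a page whose zone was never initialised would still hit the NULL dereference from the trace; the commit message should state that this sysfs path is the only one affected, or the check belongs in the callee. The bounds test `zone->zone_start_pfn + zone->spanned_pages <= pfn` is the right end-exclusive comparison, and returning false (not removable) on failure is the conservative default the message acknowledges.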
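Review bot: the `if (PageReserved(page)) continue;` added in clear_refs_pte_range carries no comment, while the reason for it (the ARM vectors page is a global mapping whose YOUNG bit must not be cleared, or the next exception deadlocks) lives only in the commit message; add a one-line comment above the check so a later reader of task_mmu.c does not remove it as redundant. Placement after the existing `if (!page) continue;` is correct, since PageReserved dereferences the page.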
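Review bot: the change from `bgtu` to `bgeu` in handle_sys is correct: with sys_call_table holding __NR_syscalls entries, an index equal to __NR_syscalls must also branch to illegal_syscall, and the old greater-than test let it through to load one pointer past the end of the table. The accompanying comment `# check syscall number` should state the accepted range (r27 < __NR_syscalls) so the off-by-one is not reintroduced when the entry code is next touched.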
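Review bot: the rewritten ubifs_dbg_msg drops the spin_lock(&dbg_lock)/spin_unlock pair, but DBGKEY/DBGKEY1 still call dbg_key_str0/dbg_key_str1, which the new comment says share a global buffer, so concurrent debug calls now race on that buffer (the TODO in the hunk admits this). That is tolerable for debug-only output, but a stable backport should say whether the follow-up fix the TODO refers to is queued as well, otherwise the tree carries a known data race indefinitely; the hunk also ends at `#define dbg_msg(fmt, ...) \` on this page, so the remaining lines of the 54-line file cannot be reviewed here.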