From: Greg Kroah-Hartman Date: Tue, 10 Jul 2012 20:36:25 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.37~35 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ccf57d3235e4a01477a3f328f3bf2cbf37688233;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: hwmon-applesmc-limit-key-length-in-warning-messages.patch nfc-prevent-multiple-buffer-overflows-in-nci.patch nfc-return-from-rawsock_release-when-sk-is-null.patch nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch powerpc-fix-build-of-some-debug-irq-code.patch powerpc-more-fixes-for-lazy-irq-vs.-idle.patch staging-r8712u-add-new-usb-ids.patch udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch udf-fortify-loading-of-sparing-table.patch udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch --- diff --git a/queue-3.4/hwmon-applesmc-limit-key-length-in-warning-messages.patch b/queue-3.4/hwmon-applesmc-limit-key-length-in-warning-messages.patch new file mode 100644 index 00000000000..2630fcac240 --- /dev/null +++ b/queue-3.4/hwmon-applesmc-limit-key-length-in-warning-messages.patch @@ -0,0 +1,41 @@ +From ac852edb47b15900886ba2564eeeb13b3b526e3e Mon Sep 17 00:00:00 2001 +From: Henrik Rydberg +Date: Thu, 7 Jun 2012 04:54:29 -0400 +Subject: hwmon: (applesmc) Limit key length in warning messages + +From: Henrik Rydberg + +commit ac852edb47b15900886ba2564eeeb13b3b526e3e upstream. + +Key lookups may call read_smc() with a fixed-length key string, +and if the lookup fails, trailing stack content may appear in the +kernel log. Fixed with this patch. + +Signed-off-by: Henrik Rydberg +Signed-off-by: Guenter Roeck +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/applesmc.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -215,7 +215,7 @@ static int read_smc(u8 cmd, const char * + int i; + + if (send_command(cmd) || send_argument(key)) { +- pr_warn("%s: read arg fail\n", key); ++ pr_warn("%.4s: read arg fail\n", key); + return -EIO; + } + +@@ -223,7 +223,7 @@ static int read_smc(u8 cmd, const char * + + for (i = 0; i < len; i++) { + if (__wait_status(0x05)) { +- pr_warn("%s: read data fail\n", key); ++ pr_warn("%.4s: read data fail\n", key); + return -EIO; + } + buffer[i] = inb(APPLESMC_DATA_PORT); diff --git a/queue-3.4/nfc-prevent-multiple-buffer-overflows-in-nci.patch b/queue-3.4/nfc-prevent-multiple-buffer-overflows-in-nci.patch new file mode 100644 index 00000000000..5f0dd79d912 --- /dev/null +++ b/queue-3.4/nfc-prevent-multiple-buffer-overflows-in-nci.patch @@ -0,0 +1,74 @@ +From 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg +Date: Mon, 25 Jun 2012 16:05:27 +0200 +Subject: NFC: Prevent multiple buffer overflows in NCI + +From: Dan Rosenberg + +commit 67de956ff5dc1d4f321e16cfbd63f5be3b691b43 upstream. + +Fix multiple remotely-exploitable stack-based buffer overflows due to +the NCI code pulling length fields directly from incoming frames and +copying too much data into statically-sized arrays. + +Signed-off-by: Dan Rosenberg +Cc: security@kernel.org +Cc: Lauro Ramos Venancio +Cc: Aloisio Almeida Jr +Cc: Samuel Ortiz +Cc: David S. Miller +Acked-by: Ilan Elias +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/nci/ntf.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/net/nfc/nci/ntf.c ++++ b/net/nfc/nci/ntf.c +@@ -106,7 +106,7 @@ static __u8 *nci_extract_rf_params_nfca_ + nfca_poll->sens_res = __le16_to_cpu(*((__u16 *)data)); + data += 2; + +- nfca_poll->nfcid1_len = *data++; ++ nfca_poll->nfcid1_len = min_t(__u8, *data++, NFC_NFCID1_MAXSIZE); + + pr_debug("sens_res 0x%x, nfcid1_len %d\n", + nfca_poll->sens_res, nfca_poll->nfcid1_len); +@@ -130,7 +130,7 @@ static __u8 *nci_extract_rf_params_nfcb_ + struct rf_tech_specific_params_nfcb_poll *nfcb_poll, + __u8 *data) + { +- nfcb_poll->sensb_res_len = *data++; ++ nfcb_poll->sensb_res_len = min_t(__u8, *data++, NFC_SENSB_RES_MAXSIZE); + + pr_debug("sensb_res_len %d\n", nfcb_poll->sensb_res_len); + +@@ -145,7 +145,7 @@ static __u8 *nci_extract_rf_params_nfcf_ + __u8 *data) + { + nfcf_poll->bit_rate = *data++; +- nfcf_poll->sensf_res_len = *data++; ++ nfcf_poll->sensf_res_len = min_t(__u8, *data++, NFC_SENSF_RES_MAXSIZE); + + pr_debug("bit_rate %d, sensf_res_len %d\n", + nfcf_poll->bit_rate, nfcf_poll->sensf_res_len); +@@ -331,7 +331,7 @@ static int nci_extract_activation_params + switch (ntf->activation_rf_tech_and_mode) { + case NCI_NFC_A_PASSIVE_POLL_MODE: + nfca_poll = &ntf->activation_params.nfca_poll_iso_dep; +- nfca_poll->rats_res_len = *data++; ++ nfca_poll->rats_res_len = min_t(__u8, *data++, 20); + pr_debug("rats_res_len %d\n", nfca_poll->rats_res_len); + if (nfca_poll->rats_res_len > 0) { + memcpy(nfca_poll->rats_res, +@@ -341,7 +341,7 @@ static int nci_extract_activation_params + + case NCI_NFC_B_PASSIVE_POLL_MODE: + nfcb_poll = &ntf->activation_params.nfcb_poll_iso_dep; +- nfcb_poll->attrib_res_len = *data++; ++ nfcb_poll->attrib_res_len = min_t(__u8, *data++, 50); + pr_debug("attrib_res_len %d\n", nfcb_poll->attrib_res_len); + if (nfcb_poll->attrib_res_len > 0) { + memcpy(nfcb_poll->attrib_res, diff --git a/queue-3.4/nfc-return-from-rawsock_release-when-sk-is-null.patch b/queue-3.4/nfc-return-from-rawsock_release-when-sk-is-null.patch new file mode 100644 index 00000000000..1b6d2598ce9 --- /dev/null +++ b/queue-3.4/nfc-return-from-rawsock_release-when-sk-is-null.patch @@ -0,0 +1,104 @@ +From 03e934f620101ca2cfc9383bd76172dd3e1f8567 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 12 Jun 2012 00:47:58 +0200 +Subject: NFC: Return from rawsock_release when sk is NULL + +From: Eric Dumazet + +commit 03e934f620101ca2cfc9383bd76172dd3e1f8567 upstream. + +Sasha Levin reported following panic : + +[ 2136.383310] BUG: unable to handle kernel NULL pointer dereference at +00000000000003b0 +[ 2136.384022] IP: [] __lock_acquire+0xc0/0x4b0 +[ 2136.384022] PGD 131c4067 PUD 11c0c067 PMD 0 +[ 2136.388106] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +[ 2136.388106] CPU 1 +[ 2136.388106] Pid: 24855, comm: trinity-child1 Tainted: G W +3.5.0-rc2-sasha-00015-g7b268f7 #374 +[ 2136.388106] RIP: 0010:[] [] +__lock_acquire+0xc0/0x4b0 +[ 2136.388106] RSP: 0018:ffff8800130b3ca8 EFLAGS: 00010046 +[ 2136.388106] RAX: 0000000000000086 RBX: ffff88001186b000 RCX: +0000000000000000 +[ 2136.388106] RDX: 0000000000000000 RSI: 0000000000000000 RDI: +0000000000000000 +[ 2136.388106] RBP: ffff8800130b3d08 R08: 0000000000000001 R09: +0000000000000000 +[ 2136.388106] R10: 0000000000000000 R11: 0000000000000001 R12: +0000000000000002 +[ 2136.388106] R13: 00000000000003b0 R14: 0000000000000000 R15: +0000000000000000 +[ 2136.388106] FS: 00007fa5b1bd4700(0000) GS:ffff88001b800000(0000) +knlGS:0000000000000000 +[ 2136.388106] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 2136.388106] CR2: 00000000000003b0 CR3: 0000000011d1f000 CR4: +00000000000406e0 +[ 2136.388106] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 2136.388106] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: +0000000000000400 +[ 2136.388106] Process trinity-child1 (pid: 24855, threadinfo +ffff8800130b2000, task ffff88001186b000) +[ 2136.388106] Stack: +[ 2136.388106] ffff8800130b3cd8 ffffffff81121785 ffffffff81236774 +000080d000000001 +[ 2136.388106] ffff88001b9d6c00 00000000001d6c00 ffffffff130b3d08 +ffff88001186b000 +[ 2136.388106] 0000000000000000 0000000000000002 0000000000000000 +0000000000000000 +[ 2136.388106] Call Trace: +[ 2136.388106] [] ? sched_clock_local+0x25/0x90 +[ 2136.388106] [] ? get_empty_filp+0x74/0x220 +[ 2136.388106] [] lock_acquire+0x18a/0x1e0 +[ 2136.388106] [] ? rawsock_release+0x4f/0xa0 +[ 2136.388106] [] _raw_write_lock_bh+0x40/0x80 +[ 2136.388106] [] ? rawsock_release+0x4f/0xa0 +[ 2136.388106] [] rawsock_release+0x4f/0xa0 +[ 2136.388106] [] sock_release+0x18/0x70 +[ 2136.388106] [] sock_close+0x29/0x30 +[ 2136.388106] [] __fput+0x11a/0x2c0 +[ 2136.388106] [] fput+0x15/0x20 +[ 2136.388106] [] sys_accept4+0x1b4/0x200 +[ 2136.388106] [] ? _raw_spin_unlock_irq+0x4c/0x80 +[ 2136.388106] [] ? _raw_spin_unlock_irq+0x59/0x80 +[ 2136.388106] [] ? sysret_check+0x22/0x5d +[ 2136.388106] [] sys_accept+0xb/0x10 +[ 2136.388106] [] system_call_fastpath+0x16/0x1b +[ 2136.388106] Code: ec 04 00 0f 85 ea 03 00 00 be d5 0b 00 00 48 c7 c7 +8a c1 40 84 e8 b1 a5 f8 ff 31 c0 e9 d4 03 00 00 66 2e 0f 1f 84 00 00 00 +00 00 <49> 81 7d 00 60 73 5e 85 b8 01 00 00 00 44 0f 44 e0 83 fe 01 77 +[ 2136.388106] RIP [] __lock_acquire+0xc0/0x4b0 +[ 2136.388106] RSP +[ 2136.388106] CR2: 00000000000003b0 +[ 2136.388106] ---[ end trace 6d450e935ee18982 ]--- +[ 2136.388106] Kernel panic - not syncing: Fatal exception in interrupt + +rawsock_release() should test if sock->sk is NULL before calling +sock_orphan()/sock_put() + +Reported-by: Sasha Levin +Tested-by: Sasha Levin +Signed-off-by: Eric Dumazet +Signed-off-by: Samuel Ortiz +Signed-off-by: Greg Kroah-Hartman + +--- + net/nfc/rawsock.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -54,7 +54,10 @@ static int rawsock_release(struct socket + { + struct sock *sk = sock->sk; + +- pr_debug("sock=%p\n", sock); ++ pr_debug("sock=%p sk=%p\n", sock, sk); ++ ++ if (!sk) ++ return 0; + + sock_orphan(sk); + sock_put(sk); diff --git a/queue-3.4/nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch b/queue-3.4/nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch new file mode 100644 index 00000000000..f49f9873749 --- /dev/null +++ b/queue-3.4/nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch @@ -0,0 +1,67 @@ +From fbb24a3a915f105016f1c828476be11aceac8504 Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Wed, 20 Jun 2012 12:52:57 -0700 +Subject: nilfs2: ensure proper cache clearing for gc-inodes + +From: Ryusuke Konishi + +commit fbb24a3a915f105016f1c828476be11aceac8504 upstream. + +A gc-inode is a pseudo inode used to buffer the blocks to be moved by +garbage collection. + +Block caches of gc-inodes must be cleared every time a garbage collection +function (nilfs_clean_segments) completes. Otherwise, stale blocks +buffered in the caches may be wrongly reused in successive calls of the GC +function. + +For user files, this is not a problem because their gc-inodes are +distinguished by a checkpoint number as well as an inode number. They +never buffer different blocks if either an inode number, a checkpoint +number, or a block offset differs. + +However, gc-inodes of sufile, cpfile and DAT file can store different data +for the same block offset. Thus, the nilfs_clean_segments function can +move incorrect block for these meta-data files if an old block is cached. +I found this is really causing meta-data corruption in nilfs. + +This fixes the issue by ensuring cache clear of gc-inodes and resolves +reported GC problems including checkpoint file corruption, b-tree +corruption, and the following warning during GC. + + nilfs_palloc_freev: entry number 307234 already freed. + ... + +Signed-off-by: Ryusuke Konishi +Tested-by: Ryusuke Konishi +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/gcinode.c | 2 ++ + fs/nilfs2/segment.c | 2 ++ + 2 files changed, 4 insertions(+) + +--- a/fs/nilfs2/gcinode.c ++++ b/fs/nilfs2/gcinode.c +@@ -191,6 +191,8 @@ void nilfs_remove_all_gcinodes(struct th + while (!list_empty(head)) { + ii = list_first_entry(head, struct nilfs_inode_info, i_dirty); + list_del_init(&ii->i_dirty); ++ truncate_inode_pages(&ii->vfs_inode.i_data, 0); ++ nilfs_btnode_cache_clear(&ii->i_btnode_cache); + iput(&ii->vfs_inode); + } + } +--- a/fs/nilfs2/segment.c ++++ b/fs/nilfs2/segment.c +@@ -2309,6 +2309,8 @@ nilfs_remove_written_gcinodes(struct the + if (!test_bit(NILFS_I_UPDATED, &ii->i_state)) + continue; + list_del_init(&ii->i_dirty); ++ truncate_inode_pages(&ii->vfs_inode.i_data, 0); ++ nilfs_btnode_cache_clear(&ii->i_btnode_cache); + iput(&ii->vfs_inode); + } + } diff --git a/queue-3.4/powerpc-fix-build-of-some-debug-irq-code.patch b/queue-3.4/powerpc-fix-build-of-some-debug-irq-code.patch new file mode 100644 index 00000000000..87618c79330 --- /dev/null +++ b/queue-3.4/powerpc-fix-build-of-some-debug-irq-code.patch @@ -0,0 +1,48 @@ +From 21b2de341270bd7bb7a811027ffe63276d9b3b75 Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Tue, 10 Jul 2012 18:37:56 +1000 +Subject: powerpc: Fix build of some debug irq code + +From: Benjamin Herrenschmidt + +commit 21b2de341270bd7bb7a811027ffe63276d9b3b75 upstream. + +There was a typo, checking for CONFIG_TRACE_IRQFLAG instead of +CONFIG_TRACE_IRQFLAGS causing some useful debug code to not be +built + +This in turns causes a build error on BookE 64-bit due to incorrect +semicolons at the end of a couple of macros, so let's fix that too + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/hw_irq.h | 4 ++-- + arch/powerpc/kernel/irq.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -85,8 +85,8 @@ static inline bool arch_irqs_disabled(vo + } + + #ifdef CONFIG_PPC_BOOK3E +-#define __hard_irq_enable() asm volatile("wrteei 1" : : : "memory"); +-#define __hard_irq_disable() asm volatile("wrteei 0" : : : "memory"); ++#define __hard_irq_enable() asm volatile("wrteei 1" : : : "memory") ++#define __hard_irq_disable() asm volatile("wrteei 0" : : : "memory") + #else + #define __hard_irq_enable() __mtmsrd(local_paca->kernel_msr | MSR_EE, 1) + #define __hard_irq_disable() __mtmsrd(local_paca->kernel_msr, 1) +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -229,7 +229,7 @@ notrace void arch_local_irq_restore(unsi + */ + if (unlikely(irq_happened != PACA_IRQ_HARD_DIS)) + __hard_irq_disable(); +-#ifdef CONFIG_TRACE_IRQFLAG ++#ifdef CONFIG_TRACE_IRQFLAGS + else { + /* + * We should already be hard disabled here. We had bugs diff --git a/queue-3.4/powerpc-more-fixes-for-lazy-irq-vs.-idle.patch b/queue-3.4/powerpc-more-fixes-for-lazy-irq-vs.-idle.patch new file mode 100644 index 00000000000..3bae9171314 --- /dev/null +++ b/queue-3.4/powerpc-more-fixes-for-lazy-irq-vs.-idle.patch @@ -0,0 +1,161 @@ +From be2cf20a5ad31ebb13562c1c866ecc626fbd721e Mon Sep 17 00:00:00 2001 +From: Benjamin Herrenschmidt +Date: Tue, 10 Jul 2012 18:36:40 +1000 +Subject: powerpc: More fixes for lazy IRQ vs. idle + +From: Benjamin Herrenschmidt + +commit be2cf20a5ad31ebb13562c1c866ecc626fbd721e upstream. + +Looks like we still have issues with pSeries and Cell idle code +vs. the lazy irq state. In fact, the reset fixes that went upstream +are exposing the problem more by causing BUG_ON() to trigger (which +this patch turns into a WARN_ON instead). + +We need to be careful when using a variant of low power state that +has the side effect of turning interrupts back on, to properly set +all the SW & lazy state to look as if everything is enabled before +we enter the low power state with MSR:EE off as we will return with +MSR:EE on. If not, we have a discrepancy of state which can cause +things to go very wrong later on. + +This patch moves the logic into a helper and uses it from the +pseries and cell idle code. The power4/970 idle code already got +things right (in assembly even !) so I'm not touching it. The power7 +"bare metal" idle code is subtly different and correct. Remains PA6T +and some hypervisor based Cell platforms which have questionable +code in there, but they are mostly dead platforms so I'll fix them +when I manage to get final answers from the respective maintainers +about how the low power state actually works on them. + +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/hw_irq.h | 2 + + arch/powerpc/kernel/irq.c | 46 ++++++++++++++++++++++++ + arch/powerpc/platforms/cell/pervasive.c | 11 +++-- + arch/powerpc/platforms/pseries/processor_idle.c | 17 +++++--- + 4 files changed, 64 insertions(+), 12 deletions(-) + +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -124,6 +124,8 @@ static inline bool arch_irq_disabled_reg + return !regs->softe; + } + ++extern bool prep_irq_for_idle(void); ++ + #else /* CONFIG_PPC64 */ + + #define SET_MSR_EE(x) mtmsr(x) +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -286,6 +286,52 @@ void notrace restore_interrupts(void) + __hard_irq_enable(); + } + ++/* ++ * This is a helper to use when about to go into idle low-power ++ * when the latter has the side effect of re-enabling interrupts ++ * (such as calling H_CEDE under pHyp). ++ * ++ * You call this function with interrupts soft-disabled (this is ++ * already the case when ppc_md.power_save is called). The function ++ * will return whether to enter power save or just return. ++ * ++ * In the former case, it will have notified lockdep of interrupts ++ * being re-enabled and generally sanitized the lazy irq state, ++ * and in the latter case it will leave with interrupts hard ++ * disabled and marked as such, so the local_irq_enable() call ++ * in cpu_idle() will properly re-enable everything. ++ */ ++bool prep_irq_for_idle(void) ++{ ++ /* ++ * First we need to hard disable to ensure no interrupt ++ * occurs before we effectively enter the low power state ++ */ ++ hard_irq_disable(); ++ ++ /* ++ * If anything happened while we were soft-disabled, ++ * we return now and do not enter the low power state. ++ */ ++ if (lazy_irq_pending()) ++ return false; ++ ++ /* Tell lockdep we are about to re-enable */ ++ trace_hardirqs_on(); ++ ++ /* ++ * Mark interrupts as soft-enabled and clear the ++ * PACA_IRQ_HARD_DIS from the pending mask since we ++ * are about to hard enable as well as a side effect ++ * of entering the low power state. ++ */ ++ local_paca->irq_happened &= ~PACA_IRQ_HARD_DIS; ++ local_paca->soft_enabled = 1; ++ ++ /* Tell the caller to enter the low power state */ ++ return true; ++} ++ + #endif /* CONFIG_PPC64 */ + + int arch_show_interrupts(struct seq_file *p, int prec) +--- a/arch/powerpc/platforms/cell/pervasive.c ++++ b/arch/powerpc/platforms/cell/pervasive.c +@@ -42,11 +42,9 @@ static void cbe_power_save(void) + { + unsigned long ctrl, thread_switch_control; + +- /* +- * We need to hard disable interrupts, the local_irq_enable() done by +- * our caller upon return will hard re-enable. +- */ +- hard_irq_disable(); ++ /* Ensure our interrupt state is properly tracked */ ++ if (!prep_irq_for_idle()) ++ return; + + ctrl = mfspr(SPRN_CTRLF); + +@@ -81,6 +79,9 @@ static void cbe_power_save(void) + */ + ctrl &= ~(CTRL_RUNLATCH | CTRL_TE); + mtspr(SPRN_CTRLT, ctrl); ++ ++ /* Re-enable interrupts in MSR */ ++ __hard_irq_enable(); + } + + static int cbe_system_reset_exception(struct pt_regs *regs) +--- a/arch/powerpc/platforms/pseries/processor_idle.c ++++ b/arch/powerpc/platforms/pseries/processor_idle.c +@@ -99,15 +99,18 @@ out: + static void check_and_cede_processor(void) + { + /* +- * Interrupts are soft-disabled at this point, +- * but not hard disabled. So an interrupt might have +- * occurred before entering NAP, and would be potentially +- * lost (edge events, decrementer events, etc...) unless +- * we first hard disable then check. ++ * Ensure our interrupt state is properly tracked, ++ * also checks if no interrupt has occurred while we ++ * were soft-disabled + */ +- hard_irq_disable(); +- if (!lazy_irq_pending()) ++ if (prep_irq_for_idle()) { + cede_processor(); ++#ifdef CONFIG_TRACE_IRQFLAGS ++ /* Ensure that H_CEDE returns with IRQs on */ ++ if (WARN_ON(!(mfmsr() & MSR_EE))) ++ __hard_irq_enable(); ++#endif ++ } + } + + static int dedicated_cede_loop(struct cpuidle_device *dev, diff --git a/queue-3.4/series b/queue-3.4/series index 9494530b58e..79a33a9a6e5 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -40,3 +40,13 @@ net-remove-skb_orphan_try.patch bridge-assign-rtnl_link_ops-to-bridge-devices-created-via-ioctl-v2.patch xen-netfront-teardown-the-device-before-unregistering-it.patch mm-fix-slab-page-_count-corruption-when-using-slub.patch +powerpc-more-fixes-for-lazy-irq-vs.-idle.patch +powerpc-fix-build-of-some-debug-irq-code.patch +nfc-return-from-rawsock_release-when-sk-is-null.patch +nfc-prevent-multiple-buffer-overflows-in-nci.patch +hwmon-applesmc-limit-key-length-in-warning-messages.patch +staging-r8712u-add-new-usb-ids.patch +nilfs2-ensure-proper-cache-clearing-for-gc-inodes.patch +udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch +udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch +udf-fortify-loading-of-sparing-table.patch diff --git a/queue-3.4/staging-r8712u-add-new-usb-ids.patch b/queue-3.4/staging-r8712u-add-new-usb-ids.patch new file mode 100644 index 00000000000..f49db843db2 --- /dev/null +++ b/queue-3.4/staging-r8712u-add-new-usb-ids.patch @@ -0,0 +1,29 @@ +From 3026b0e942c65c65c8fc80d391d004228b52b916 Mon Sep 17 00:00:00 2001 +From: Lubomir Schmidt +Date: Fri, 15 Jun 2012 15:12:17 -0500 +Subject: staging: r8712u: Add new USB IDs + +From: Lubomir Schmidt + +commit 3026b0e942c65c65c8fc80d391d004228b52b916 upstream. + +There are two new devices for this driver. + +Signed-off-by: Larry Finger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/staging/rtl8712/usb_intf.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/staging/rtl8712/usb_intf.c ++++ b/drivers/staging/rtl8712/usb_intf.c +@@ -102,6 +102,8 @@ static struct usb_device_id rtl871x_usb_ + /* - */ + {USB_DEVICE(0x20F4, 0x646B)}, + {USB_DEVICE(0x083A, 0xC512)}, ++ {USB_DEVICE(0x25D4, 0x4CA1)}, ++ {USB_DEVICE(0x25D4, 0x4CAB)}, + + /* RTL8191SU */ + /* Realtek */ diff --git a/queue-3.4/udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch b/queue-3.4/udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch new file mode 100644 index 00000000000..9cff549ab9d --- /dev/null +++ b/queue-3.4/udf-avoid-run-away-loop-when-partition-table-length-is-corrupted.patch @@ -0,0 +1,51 @@ +From adee11b2085bee90bd8f4f52123ffb07882d6256 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 27 Jun 2012 20:20:22 +0200 +Subject: udf: Avoid run away loop when partition table length is corrupted + +From: Jan Kara + +commit adee11b2085bee90bd8f4f52123ffb07882d6256 upstream. + +Check provided length of partition table so that (possibly maliciously) +corrupted partition table cannot cause accessing data beyond current buffer. + +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/super.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1225,6 +1225,7 @@ static int udf_load_logicalvol(struct su + struct genericPartitionMap *gpm; + uint16_t ident; + struct buffer_head *bh; ++ unsigned int table_len; + int ret = 0; + + bh = udf_read_tagged(sb, block, block, &ident); +@@ -1232,13 +1233,20 @@ static int udf_load_logicalvol(struct su + return 1; + BUG_ON(ident != TAG_IDENT_LVD); + lvd = (struct logicalVolDesc *)bh->b_data; ++ table_len = le32_to_cpu(lvd->mapTableLength); ++ if (sizeof(*lvd) + table_len > sb->s_blocksize) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Partition table too long (%u > %lu)\n", table_len, ++ sb->s_blocksize - sizeof(*lvd)); ++ goto out_bh; ++ } + + ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); + if (ret) + goto out_bh; + + for (i = 0, offset = 0; +- i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength); ++ i < sbi->s_partitions && offset < table_len; + i++, offset += gpm->partitionMapLength) { + struct udf_part_map *map = &sbi->s_partmaps[i]; + gpm = (struct genericPartitionMap *) diff --git a/queue-3.4/udf-fortify-loading-of-sparing-table.patch b/queue-3.4/udf-fortify-loading-of-sparing-table.patch new file mode 100644 index 00000000000..109f2459cd1 --- /dev/null +++ b/queue-3.4/udf-fortify-loading-of-sparing-table.patch @@ -0,0 +1,132 @@ +From 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 27 Jun 2012 21:23:07 +0200 +Subject: udf: Fortify loading of sparing table + +From: Jan Kara + +commit 1df2ae31c724e57be9d7ac00d78db8a5dabdd050 upstream. + +Add sanity checks when loading sparing table from disk to avoid accessing +unallocated memory or writing to it. + +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/super.c | 86 +++++++++++++++++++++++++++++++++++---------------------- + 1 file changed, 53 insertions(+), 33 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -56,6 +56,7 @@ + #include + #include + #include ++#include + #include + + #include "udf_sb.h" +@@ -1215,11 +1216,59 @@ out_bh: + return ret; + } + ++static int udf_load_sparable_map(struct super_block *sb, ++ struct udf_part_map *map, ++ struct sparablePartitionMap *spm) ++{ ++ uint32_t loc; ++ uint16_t ident; ++ struct sparingTable *st; ++ struct udf_sparing_data *sdata = &map->s_type_specific.s_sparing; ++ int i; ++ struct buffer_head *bh; ++ ++ map->s_partition_type = UDF_SPARABLE_MAP15; ++ sdata->s_packet_len = le16_to_cpu(spm->packetLength); ++ if (!is_power_of_2(sdata->s_packet_len)) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Invalid packet length %u\n", ++ (unsigned)sdata->s_packet_len); ++ return -EIO; ++ } ++ if (spm->numSparingTables > 4) { ++ udf_err(sb, "error loading logical volume descriptor: " ++ "Too many sparing tables (%d)\n", ++ (int)spm->numSparingTables); ++ return -EIO; ++ } ++ ++ for (i = 0; i < spm->numSparingTables; i++) { ++ loc = le32_to_cpu(spm->locSparingTable[i]); ++ bh = udf_read_tagged(sb, loc, loc, &ident); ++ if (!bh) ++ continue; ++ ++ st = (struct sparingTable *)bh->b_data; ++ if (ident != 0 || ++ strncmp(st->sparingIdent.ident, UDF_ID_SPARING, ++ strlen(UDF_ID_SPARING)) || ++ sizeof(*st) + le16_to_cpu(st->reallocationTableLen) > ++ sb->s_blocksize) { ++ brelse(bh); ++ continue; ++ } ++ ++ sdata->s_spar_map[i] = bh; ++ } ++ map->s_partition_func = udf_get_pblock_spar15; ++ return 0; ++} ++ + static int udf_load_logicalvol(struct super_block *sb, sector_t block, + struct kernel_lb_addr *fileset) + { + struct logicalVolDesc *lvd; +- int i, j, offset; ++ int i, offset; + uint8_t type; + struct udf_sb_info *sbi = UDF_SB(sb); + struct genericPartitionMap *gpm; +@@ -1281,38 +1330,9 @@ static int udf_load_logicalvol(struct su + } else if (!strncmp(upm2->partIdent.ident, + UDF_ID_SPARABLE, + strlen(UDF_ID_SPARABLE))) { +- uint32_t loc; +- struct sparingTable *st; +- struct sparablePartitionMap *spm = +- (struct sparablePartitionMap *)gpm; +- +- map->s_partition_type = UDF_SPARABLE_MAP15; +- map->s_type_specific.s_sparing.s_packet_len = +- le16_to_cpu(spm->packetLength); +- for (j = 0; j < spm->numSparingTables; j++) { +- struct buffer_head *bh2; +- +- loc = le32_to_cpu( +- spm->locSparingTable[j]); +- bh2 = udf_read_tagged(sb, loc, loc, +- &ident); +- map->s_type_specific.s_sparing. +- s_spar_map[j] = bh2; +- +- if (bh2 == NULL) +- continue; +- +- st = (struct sparingTable *)bh2->b_data; +- if (ident != 0 || strncmp( +- st->sparingIdent.ident, +- UDF_ID_SPARING, +- strlen(UDF_ID_SPARING))) { +- brelse(bh2); +- map->s_type_specific.s_sparing. +- s_spar_map[j] = NULL; +- } +- } +- map->s_partition_func = udf_get_pblock_spar15; ++ if (udf_load_sparable_map(sb, map, ++ (struct sparablePartitionMap *)gpm) < 0) ++ goto out_bh; + } else if (!strncmp(upm2->partIdent.ident, + UDF_ID_METADATA, + strlen(UDF_ID_METADATA))) { diff --git a/queue-3.4/udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch b/queue-3.4/udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch new file mode 100644 index 00000000000..44e75accaa6 --- /dev/null +++ b/queue-3.4/udf-use-ret-instead-of-abusing-i-in-udf_load_logicalvol.patch @@ -0,0 +1,32 @@ +From cb14d340ef1737c24125dd663eff77734a482d47 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Wed, 27 Jun 2012 20:08:44 +0200 +Subject: udf: Use 'ret' instead of abusing 'i' in udf_load_logicalvol() + +From: Jan Kara + +commit cb14d340ef1737c24125dd663eff77734a482d47 upstream. + +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/udf/super.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/fs/udf/super.c ++++ b/fs/udf/super.c +@@ -1233,11 +1233,9 @@ static int udf_load_logicalvol(struct su + BUG_ON(ident != TAG_IDENT_LVD); + lvd = (struct logicalVolDesc *)bh->b_data; + +- i = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); +- if (i != 0) { +- ret = i; ++ ret = udf_sb_alloc_partition_maps(sb, le32_to_cpu(lvd->numPartitionMaps)); ++ if (ret) + goto out_bh; +- } + + for (i = 0, offset = 0; + i < sbi->s_partitions && offset < le32_to_cpu(lvd->mapTableLength);