From: Greg Kroah-Hartman
Date: Fri, 7 Sep 2012 17:30:48 +0000 (-0700)
Subject: 3.5-stable patches
X-Git-Tag: v3.5.4~12
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=cfed9ce0de356e30425b6d7361afe5a360fd08d0;p=thirdparty%2Fkernel%2Fstable-queue.git
3.5-stable patches added patches: fix-order-of-arguments-to-compat_put_time.patch usbnet-fix-deadlock-in-resume.patch
---
diff --git a/queue-3.5/fix-order-of-arguments-to-compat_put_time.patch b/queue-3.5/fix-order-of-arguments-to-compat_put_time.patch
new file mode 100644
index 00000000000..97c0dbab7d5
--- /dev/null
+++ b/queue-3.5/fix-order-of-arguments-to-compat_put_time.patch
@@ -0,0 +1,51 @@
+From ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d Mon Sep 17 00:00:00 2001
+From: Mikulas Patocka
+Date: Sat, 1 Sep 2012 12:34:07 -0400
+Subject: Fix order of arguments to compat_put_time[spec|val]
+
+From: Mikulas Patocka
+
+commit ed6fe9d614fc1bca95eb8c0ccd0e92db00ef9d5d upstream.
+
+Commit 644595f89620 ("compat: Handle COMPAT_USE_64BIT_TIME in
+net/socket.c") introduced a bug where the helper functions to take
+either a 64-bit or compat time[spec|val] got the arguments in the wrong
+order, passing the kernel stack pointer off as a user pointer (and vice
+versa).
+
+Because of the user address range check, that in turn then causes an
+EFAULT due to the user pointer range checking failing for the kernel
+address. Incorrectly resuling in a failed system call for 32-bit
+processes with a 64-bit kernel.
+
+On odder architectures like HP-PA (with separate user/kernel address
+spaces), it can be used read kernel memory.
+
+Signed-off-by: Mikulas Patocka
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -2605,7 +2605,7 @@ static int do_siocgstamp(struct net *net
+ err = sock_do_ioctl(net, sock, cmd, (unsigned long)&ktv);
+ set_fs(old_fs);
+ if (!err)
+- err = compat_put_timeval(up, &ktv);
++ err = compat_put_timeval(&ktv, up);
+
+ return err;
+ }
+@@ -2621,7 +2621,7 @@ static int do_siocgstampns(struct net *n
+ err = sock_do_ioctl(net, sock, cmd, (unsigned long)&kts);
+ set_fs(old_fs);
+ if (!err)
+- err = compat_put_timespec(up, &kts);
++ err = compat_put_timespec(&kts, up);
+
+ return err;
+ }
diff --git a/queue-3.5/series b/queue-3.5/series
index 35571a9f769..b26a9e1db4b 100644
--- a/queue-3.5/series
+++ b/queue-3.5/series
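Review bot: The corrected calls in do_siocgstamp and do_siocgstampns still say nothing about argument direction, and both arguments are plain pointers, so a swap like the one fixed here compiles without complaint. A short comment above each call would pin the contract, for example `/* kernel copy first, __user destination second; must stay after set_fs(old_fs) so the user-range check applies */`. The helper prototypes are outside the hunk, so it is not visible whether `up` carries a `__user` annotation that a sparse run would enforce; that is worth confirming. Because the quoted commit message describes a kernel-memory read on architectures with separate address spaces, the backport should be tracked as a security fix and not only as a functional one. Both function bodies start outside the hunks.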
@@ -81,3 +81,5 @@ powerpc-fix-dscr-inheritance-in-copy_thread.patch
 powerpc-restore-correct-dscr-in-context-switch.patch
 powerpc-make-sure-ipi-handlers-see-data-written-by-ipi-senders.patch
 remove-user-triggerable-bug-from-mpol_to_str.patch
+fix-order-of-arguments-to-compat_put_time.patch
+usbnet-fix-deadlock-in-resume.patch
diff --git a/queue-3.5/usbnet-fix-deadlock-in-resume.patch b/queue-3.5/usbnet-fix-deadlock-in-resume.patch
new file mode 100644
index 00000000000..118b4ed55e8
--- /dev/null
+++ b/queue-3.5/usbnet-fix-deadlock-in-resume.patch
@@ -0,0 +1,37 @@
+From ab6f148de28261682d300662e87b9477f7efc95b Mon Sep 17 00:00:00 2001
+From: Oliver Neukum
+Date: Sun, 26 Aug 2012 20:41:38 +0000
+Subject: usbnet: fix deadlock in resume
+
+From: Oliver Neukum
+
+commit ab6f148de28261682d300662e87b9477f7efc95b upstream.
+
+A usbnet device can share a multifunction device
+with a storage device. If the storage device is autoresumed
+the usbnet devices also needs to be autoresumed. Allocating
+memory with GFP_KERNEL can deadlock in this case.
+
+This should go back into all kernels that have
+commit 65841fd5132c3941cdf5df09e70df3ed28323212
+That is 3.5
+
+Signed-off-by: Oliver Neukum
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/usb/usbnet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/usb/usbnet.c
++++ b/drivers/net/usb/usbnet.c
+@@ -1580,7 +1580,7 @@ int usbnet_resume (struct usb_interface
+ netif_device_present(dev->net) &&
+ !timer_pending(&dev->delay) &&
+ !test_bit(EVENT_RX_HALT, &dev->flags))
+- rx_alloc_submit(dev, GFP_KERNEL);
++ rx_alloc_submit(dev, GFP_NOIO);
+
+ if (!(dev->txq.qlen >= TX_QLEN(dev)))
+ netif_tx_wake_all_queues(dev->net);
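Review bot: The `GFP_NOIO` argument in usbnet_resume is left without a comment, so the reason it must not return to `GFP_KERNEL` is recorded only in the commit message. A comment above the call would keep the constraint with the code, for example `/* may run while a sibling storage interface autoresumes: allocation must not trigger I/O */`. Only this one call is visible; any other allocation reached from the resume path lies outside the hunk and presumably needs the same flag, which is worth checking. usbnet_resume starts and ends outside the hunk.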