From: Greg Kroah-Hartman Date: Mon, 25 Nov 2013 21:31:29 +0000 (-0800) Subject: 3.11-stable patches X-Git-Tag: v3.11.10~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d0cb5f0c73e8bc546dfe228bdacd6afae4f5c9f1;p=thirdparty%2Fkernel%2Fstable-queue.git 3.11-stable patches added patches: alx-reset-phy-speed-after-resume.patch btrfs-relocate-csums-properly-with-prealloc-extents.patch can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch crypto-s390-fix-aes-cbc-iv-corruption.patch drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch ipc-shm-fix-shm_file-deletion-races.patch sunrpc-don-t-map-ekeyexpired-to-eacces-in-call_refreshresult.patch thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch
---
diff --git a/queue-3.11/alx-reset-phy-speed-after-resume.patch b/queue-3.11/alx-reset-phy-speed-after-resume.patch
new file mode 100644
index 00000000000..b07531458fe
--- /dev/null
+++ b/queue-3.11/alx-reset-phy-speed-after-resume.patch
@@ -0,0 +1,34 @@
+From b54629e226d196e802abdd30c5e34f2a47cddcf2 Mon Sep 17 00:00:00 2001
+From: hahnjo
+Date: Tue, 12 Nov 2013 18:19:24 +0100
+Subject: alx: Reset phy speed after resume
+
+From: hahnjo
+
+commit b54629e226d196e802abdd30c5e34f2a47cddcf2 upstream.
+
+This fixes bug 62491 (https://bugzilla.kernel.org/show_bug.cgi?id=62491).
+After resuming some users got the following error flooding the kernel log:
+alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff
+
+Signed-off-by: Jonas Hahnfeld
+Signed-off-by: David S. Miller
+Cc: hahnjo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/atheros/alx/main.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/net/ethernet/atheros/alx/main.c
++++ b/drivers/net/ethernet/atheros/alx/main.c
+@@ -1394,6 +1394,9 @@ static int alx_resume(struct device *dev
+ {
+ struct pci_dev *pdev = to_pci_dev(dev);
+ struct alx_priv *alx = pci_get_drvdata(pdev);
++ struct alx_hw *hw = &alx->hw;
++
++ alx_reset_phy(hw);
+
+ if (!netif_running(alx->dev))
+ return 0;
diff --git a/queue-3.11/btrfs-relocate-csums-properly-with-prealloc-extents.patch b/queue-3.11/btrfs-relocate-csums-properly-with-prealloc-extents.patch
new file mode 100644
index 00000000000..735b891c9d5
--- /dev/null
+++ b/queue-3.11/btrfs-relocate-csums-properly-with-prealloc-extents.patch
@@ -0,0 +1,67 @@
+From 4577b014d1bc3db386da3246f625888fc48083a9 Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Fri, 27 Sep 2013 09:33:09 -0400
+Subject: Btrfs: relocate csums properly with prealloc extents
+
+From: Josef Bacik
+
+commit 4577b014d1bc3db386da3246f625888fc48083a9 upstream.
+
+A user reported a problem where they were getting csum errors when running a
+balance and running systemd's journal. This is because systemd is awesome and
+fallocate()'s its log space and writes into it. Unfortunately we assume that
+when we read in all the csums for an extent that they are sequential starting at
+the bytenr we care about. This obviously isn't the case for prealloc extents,
+where we could have written to the middle of the prealloc extent only, which
+means the csum would be for the bytenr in the middle of our range and not the
+front of our range. Fix this by offsetting the new bytenr we are logging to
+based on the original bytenr the csum was for. With this patch I no longer see
+the csum errors I was seeing. Thanks,
+
+Reported-by: Chris Murphy
+Signed-off-by: Josef Bacik
+Signed-off-by: Chris Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/relocation.c | 18 +++++++++++++++---
+ 1 file changed, 15 insertions(+), 3 deletions(-)
+
+--- a/fs/btrfs/relocation.c
++++ b/fs/btrfs/relocation.c
+@@ -4462,6 +4462,7 @@ int btrfs_reloc_clone_csums(struct inode
+ struct btrfs_root *root = BTRFS_I(inode)->root;
+ int ret;
+ u64 disk_bytenr;
++ u64 new_bytenr;
+ LIST_HEAD(list);
+
+ ordered = btrfs_lookup_ordered_extent(inode, file_pos);
+@@ -4473,13 +4474,24 @@ int btrfs_reloc_clone_csums(struct inode
+ if (ret)
+ goto out;
+
+- disk_bytenr = ordered->start;
+ while (!list_empty(&list)) {
+ sums = list_entry(list.next, struct btrfs_ordered_sum, list);
+ list_del_init(&sums->list);
+
+- sums->bytenr = disk_bytenr;
+- disk_bytenr += sums->len;
++ /*
++ * We need to offset the new_bytenr based on where the csum is.
++ * We need to do this because we will read in entire prealloc
++ * extents but we may have written to say the middle of the
++ * prealloc extent, so we need to make sure the csum goes with
++ * the right disk offset.
++ *
++ * We can do this because the data reloc inode refers strictly
++ * to the on disk bytes, so we don't have to worry about
++ * disk_len vs real len like with real inodes since it's all
++ * disk length.
++ */
++ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr);
++ sums->bytenr = new_bytenr;
+
+ btrfs_add_ordered_sum(inode, ordered, sums);
+ }
diff --git a/queue-3.11/can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch b/queue-3.11/can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch
new file mode 100644
index 00000000000..a117e0380ef
--- /dev/null
+++ b/queue-3.11/can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch
@@ -0,0 +1,47 @@
+From 5d0f801a2ccec3b1fdabc3392c8d99ed0413d216 Mon Sep 17 00:00:00 2001
+From: Markus Pargmann
+Date: Mon, 28 Oct 2013 09:54:40 +0100
+Subject: can: c_can: Fix RX message handling, handle lost message before EOB
+
+From: Markus Pargmann
+
+commit 5d0f801a2ccec3b1fdabc3392c8d99ed0413d216 upstream.
+
+If we handle end of block messages with higher priority than a lost message,
+we can run into an endless interrupt loop.
+
+This is reproducable with a am335x processor and "cansequence -r" at 1Mbit.
+As soon as we loose a packet we can't escape from an interrupt loop.
+
+This patch fixes the problem by handling lost packets before EOB packets.
+
+Signed-off-by: Markus Pargmann
+Signed-off-by: Marc Kleine-Budde
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/can/c_can/c_can.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/can/c_can/c_can.c
++++ b/drivers/net/can/c_can/c_can.c
+@@ -814,9 +814,6 @@ static int c_can_do_rx_poll(struct net_d
+ msg_ctrl_save = priv->read_reg(priv,
+ C_CAN_IFACE(MSGCTRL_REG, 0));
+
+- if (msg_ctrl_save & IF_MCONT_EOB)
+- return num_rx_pkts;
+-
+ if (msg_ctrl_save & IF_MCONT_MSGLST) {
+ c_can_handle_lost_msg_obj(dev, 0, msg_obj);
+ num_rx_pkts++;
+@@ -824,6 +821,9 @@ static int c_can_do_rx_poll(struct net_d
+ continue;
+ }
+
++ if (msg_ctrl_save & IF_MCONT_EOB)
++ return num_rx_pkts;
++
+ if (!(msg_ctrl_save & IF_MCONT_NEWDAT))
+ continue;
+
diff --git a/queue-3.11/crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch b/queue-3.11/crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch
new file mode 100644
index 00000000000..9f0fa2f9f62
--- /dev/null
+++ b/queue-3.11/crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch
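Review bot: In `c_can_do_rx_poll()` the relative order of the `IF_MCONT_MSGLST` and `IF_MCONT_EOB` tests is now what avoids the endless interrupt loop described in the commit message, yet the moved `if (msg_ctrl_save & IF_MCONT_EOB)` test carries no comment saying so. A short note above it would stop a later cleanup from putting the cheap early return first again, for example `/* keep after the MSGLST check: returning on EOB first leaves a lost message unhandled */`. The polling loop starts and ends outside both hunks, so how an object with both bits set is acknowledged cannot be confirmed from here.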
@@ -0,0 +1,49 @@
+From 714b33d15130cbb5ab426456d4e3de842d6c5b8a Mon Sep 17 00:00:00 2001
+From: Neil Horman
+Date: Tue, 17 Sep 2013 08:33:11 -0400
+Subject: crypto: ansi_cprng - Fix off by one error in non-block size request
+
+From: Neil Horman
+
+commit 714b33d15130cbb5ab426456d4e3de842d6c5b8a upstream.
+
+Stephan Mueller reported to me recently a error in random number generation in
+the ansi cprng. If several small requests are made that are less than the
+instances block size, the remainder for loop code doesn't increment
+rand_data_valid in the last iteration, meaning that the last bytes in the
+rand_data buffer gets reused on the subsequent smaller-than-a-block request for
+random data.
+
+The fix is pretty easy, just re-code the for loop to make sure that
+rand_data_valid gets incremented appropriately
+
+Signed-off-by: Neil Horman
+Reported-by: Stephan Mueller
+CC: Stephan Mueller
+CC: Petr Matousek
+CC: Herbert Xu
+CC: "David S. Miller"
+Signed-off-by: Herbert Xu
+Cc: Luis Henriques
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ crypto/ansi_cprng.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/crypto/ansi_cprng.c
++++ b/crypto/ansi_cprng.c
+@@ -230,11 +230,11 @@ remainder:
+ */
+ if (byte_count < DEFAULT_BLK_SZ) {
+ empty_rbuf:
+- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ;
+- ctx->rand_data_valid++) {
++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) {
+ *ptr = ctx->rand_data[ctx->rand_data_valid];
+ ptr++;
+ byte_count--;
++ ctx->rand_data_valid++;
+ if (byte_count == 0)
+ goto done;
+ }
diff --git a/queue-3.11/crypto-s390-fix-aes-cbc-iv-corruption.patch b/queue-3.11/crypto-s390-fix-aes-cbc-iv-corruption.patch
new file mode 100644
index 00000000000..1c41a5b903b
--- /dev/null
+++ b/queue-3.11/crypto-s390-fix-aes-cbc-iv-corruption.patch
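Review bot: The new `while` loop under `empty_rbuf:` is only correct because `ctx->rand_data_valid++` runs before the `if (byte_count == 0) goto done;` exit, and that ordering is not documented anywhere in the loop. Folding the increment back into a `for` header would silently bring back the reuse of already-delivered random bytes that the commit message describes, so the line deserves a comment such as `/* advance before the early exit so a byte handed to the caller is never returned again */`. The enclosing function starts and ends outside the hunk.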
@@ -0,0 +1,95 @@
+From f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea Mon Sep 17 00:00:00 2001
+From: Herbert Xu
+Date: Tue, 5 Nov 2013 19:36:27 +0800
+Subject: crypto: s390 - Fix aes-cbc IV corruption
+
+From: Herbert Xu
+
+commit f262f0f5cad0c9eca61d1d383e3b67b57dcbe5ea upstream.
+
+The cbc-aes-s390 algorithm incorrectly places the IV in the tfm
+data structure. As the tfm is shared between multiple threads,
+this introduces a possibility of data corruption.
+
+This patch fixes this by moving the parameter block containing
+the IV and key onto the stack (the block is 48 bytes long).
+
+The same bug exists elsewhere in the s390 crypto system and they
+will be fixed in subsequent patches.
+
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/crypto/aes_s390.c | 19 ++++++++++++-------
+ 1 file changed, 12 insertions(+), 7 deletions(-)
+
+--- a/arch/s390/crypto/aes_s390.c
++++ b/arch/s390/crypto/aes_s390.c
+@@ -35,7 +35,6 @@ static u8 *ctrblk;
+ static char keylen_flag;
+
+ struct s390_aes_ctx {
+- u8 iv[AES_BLOCK_SIZE];
+ u8 key[AES_MAX_KEY_SIZE];
+ long enc;
+ long dec;
+@@ -441,30 +440,36 @@ static int cbc_aes_set_key(struct crypto
+ return aes_set_key(tfm, in_key, key_len);
+ }
+
+-static int cbc_aes_crypt(struct blkcipher_desc *desc, long func, void *param,
++static int cbc_aes_crypt(struct blkcipher_desc *desc, long func,
+ struct blkcipher_walk *walk)
+ {
++ struct s390_aes_ctx *sctx = crypto_blkcipher_ctx(desc->tfm);
+ int ret = blkcipher_walk_virt(desc, walk);
+ unsigned int nbytes = walk->nbytes;
++ struct {
++ u8 iv[AES_BLOCK_SIZE];
++ u8 key[AES_MAX_KEY_SIZE];
++ } param;
+
+ if (!nbytes)
+ goto out;
+
+- memcpy(param, walk->iv, AES_BLOCK_SIZE);
++ memcpy(param.iv, walk->iv, AES_BLOCK_SIZE);
++ memcpy(param.key, sctx->key, sctx->key_len);
+ do {
+ /* only use complete blocks */
+ unsigned int n = nbytes & ~(AES_BLOCK_SIZE - 1);
+ u8 *out = walk->dst.virt.addr;
+ u8 *in = walk->src.virt.addr;
+
+- ret = crypt_s390_kmc(func, param, out, in, n);
+ ret = crypt_s390_kmc(func, ¶m, out, in, n);
+ if (ret < 0 || ret != n)
+ return -EIO;
+
+ nbytes &= AES_BLOCK_SIZE - 1;
+ ret = blkcipher_walk_done(desc, walk, nbytes);
+ } while ((nbytes = walk->nbytes));
+- memcpy(walk->iv, param, AES_BLOCK_SIZE);
++ memcpy(walk->iv, param.iv, AES_BLOCK_SIZE);
+
+ out:
+ return ret;
+@@ -481,7 +486,7 @@ static int cbc_aes_encrypt(struct blkcip
+ return fallback_blk_enc(desc, dst, src, nbytes);
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+- return cbc_aes_crypt(desc, sctx->enc, sctx->iv, &walk);
++ return cbc_aes_crypt(desc, sctx->enc, &walk);
+ }
+
+ static int cbc_aes_decrypt(struct blkcipher_desc *desc,
+@@ -495,7 +500,7 @@ static int cbc_aes_decrypt(struct blkcip
+ return fallback_blk_dec(desc, dst, src, nbytes);
+
+ blkcipher_walk_init(&walk, dst, src, nbytes);
+- return cbc_aes_crypt(desc, sctx->dec, sctx->iv, &walk);
++ return cbc_aes_crypt(desc, sctx->dec, &walk);
+ }
+
+ static struct crypto_alg cbc_aes_alg = {
diff --git a/queue-3.11/drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch b/queue-3.11/drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch
new file mode 100644
index 00000000000..f45c1d83fca
--- /dev/null
+++ b/queue-3.11/drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch
@@ -0,0 +1,73 @@
+From 13d2b35a065399fb447c84e80368927e5f8bf086 Mon Sep 17 00:00:00 2001
+From: Ben Skeggs
+Date: Tue, 5 Nov 2013 09:28:26 +1000
+Subject: drm/nvc0-/gr: fix a number of missing explicit array terminators...
+
+From: Ben Skeggs
+
+commit 13d2b35a065399fb447c84e80368927e5f8bf086 upstream.
+
+Signed-off-by: Ben Skeggs
+Cc: Ilia Mirkin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c | 4 ++++
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c | 1 +
+ drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c | 1 +
+ 3 files changed, 6 insertions(+)
+
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvc1.c
+@@ -587,6 +587,7 @@ nvc1_grctx_init_unk58xx[] = {
+ { 0x405870, 4, 0x04, 0x00000001 },
+ { 0x405a00, 2, 0x04, 0x00000000 },
+ { 0x405a18, 1, 0x04, 0x00000000 },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -598,6 +599,7 @@ nvc1_grctx_init_rop[] = {
+ { 0x408904, 1, 0x04, 0x62000001 },
+ { 0x408908, 1, 0x04, 0x00c80929 },
+ { 0x408980, 1, 0x04, 0x0000011d },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -671,6 +673,7 @@ nvc1_grctx_init_gpc_0[] = {
+ { 0x419000, 1, 0x04, 0x00000780 },
+ { 0x419004, 2, 0x04, 0x00000000 },
+ { 0x419014, 1, 0x04, 0x00000004 },
++ {}
+ };
+
+ static struct nvc0_graph_init
+@@ -717,6 +720,7 @@ nvc1_grctx_init_tpc[] = {
+ { 0x419e98, 1, 0x04, 0x00000000 },
+ { 0x419ee0, 1, 0x04, 0x00011110 },
+ { 0x419f30, 11, 0x04, 0x00000000 },
++ {}
+ };
+
+ void
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd7.c
+@@ -258,6 +258,7 @@ nvd7_grctx_init_hub[] = {
+ nvc0_grctx_init_unk78xx,
+ nvc0_grctx_init_unk80xx,
+ nvd9_grctx_init_rop,
++ NULL
+ };
+
+ struct nvc0_graph_init *
+--- a/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
++++ b/drivers/gpu/drm/nouveau/core/engine/graph/ctxnvd9.c
+@@ -466,6 +466,7 @@ nvd9_grctx_init_hub[] = {
+ nvc0_grctx_init_unk78xx,
+ nvc0_grctx_init_unk80xx,
+ nvd9_grctx_init_rop,
++ NULL
+ };
+
+ struct nvc0_graph_init *
diff --git a/queue-3.11/ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch b/queue-3.11/ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch
new file mode 100644
index 00000000000..c25cd670341
--- /dev/null
+++ b/queue-3.11/ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch
@@ -0,0 +1,58 @@
+From 3a72660b07d86d60457ca32080b1ce8c2b628ee2 Mon Sep 17 00:00:00 2001
+From: Jesper Nilsson
+Date: Thu, 21 Nov 2013 14:32:08 -0800
+Subject: ipc,shm: correct error return value in shmctl (SHM_UNLOCK)
+
+From: Jesper Nilsson
+
+commit 3a72660b07d86d60457ca32080b1ce8c2b628ee2 upstream.
+
+Commit 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
+restructured the ipc shm to shorten critical region, but introduced a
+path where the return value could be -EPERM, even if the operation
+actually was performed.
+
+Before the commit, the err return value was reset by the return value
+from security_shm_shmctl() after the if (!ns_capable(...)) statement.
+
+Now, we still exit the if statement with err set to -EPERM, and in the
+case of SHM_UNLOCK, it is not reset at all, and used as the return value
+from shmctl.
+
+To fix this, we only set err when errors occur, leaving the fallthrough
+case alone.
+
+Signed-off-by: Jesper Nilsson
+Cc: Davidlohr Bueso
+Cc: Rik van Riel
+Cc: Michel Lespinasse
+Cc: Al Viro
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/shm.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -974,12 +974,15 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
+ ipc_lock_object(&shp->shm_perm);
+ if (!ns_capable(ns->user_ns, CAP_IPC_LOCK)) {
+ kuid_t euid = current_euid();
+- err = -EPERM;
+ if (!uid_eq(euid, shp->shm_perm.uid) &&
+- !uid_eq(euid, shp->shm_perm.cuid))
++ !uid_eq(euid, shp->shm_perm.cuid)) {
++ err = -EPERM;
+ goto out_unlock0;
+- if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK))
++ }
++ if (cmd == SHM_LOCK && !rlimit(RLIMIT_MEMLOCK)) {
++ err = -EPERM;
+ goto out_unlock0;
++ }
+ }
+
+ shm_file = shp->shm_file;
diff --git a/queue-3.11/ipc-shm-fix-shm_file-deletion-races.patch b/queue-3.11/ipc-shm-fix-shm_file-deletion-races.patch
new file mode 100644
index 00000000000..1e687cf141f
--- /dev/null
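Review bot: With `err = -EPERM;` moved into the two failure branches, the success path through the `if (!ns_capable(ns->user_ns, CAP_IPC_LOCK))` block in `shmctl` now returns whatever `err` held on entry, and that assignment lies above the hunk. The commit message says `SHM_UNLOCK` never resets `err` afterwards, so the return value of a permission-checked syscall rests on an invariant that is not written down at this site. A comment before the block, for example `/* err is expected to be 0 here; only the failure branches below set it */`, would make that explicit; the source of the earlier value is presumably the checks preceding `ipc_lock_object()` and should be confirmed against the full function.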
+++ b/queue-3.11/ipc-shm-fix-shm_file-deletion-races.patch 
@@ -0,0 +1,158 @@
+From a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 Mon Sep 17 00:00:00 2001
+From: Greg Thelen
+Date: Thu, 21 Nov 2013 14:32:00 -0800
+Subject: ipc,shm: fix shm_file deletion races
+
+From: Greg Thelen
+
+commit a399b29dfbaaaf91162b2dc5a5875dd51bbfa2a1 upstream.
+
+When IPC_RMID races with other shm operations there's potential for
+use-after-free of the shm object's associated file (shm_file).
+
+Here's the race before this patch:
+
+ TASK 1 TASK 2
+ ------ ------
+ shm_rmid()
+ ipc_lock_object()
+ shmctl()
+ shp = shm_obtain_object_check()
+
+ shm_destroy()
+ shum_unlock()
+ fput(shp->shm_file)
+ ipc_lock_object()
+ shmem_lock(shp->shm_file)
+
+
+The oops is caused because shm_destroy() calls fput() after dropping the
+ipc_lock. fput() clears the file's f_inode, f_path.dentry, and
+f_path.mnt, which causes various NULL pointer references in task 2. I
+reliably see the oops in task 2 if with shmlock, shmu
+
+This patch fixes the races by:
+1) set shm_file=NULL in shm_destroy() while holding ipc_object_lock().
+2) modify at risk operations to check shm_file while holding
+ ipc_object_lock().
+
+Example workloads, which each trigger oops...
+
+Workload 1:
+ while true; do
+ id=$(shmget 1 4096)
+ shm_rmid $id &
+ shmlock $id &
+ wait
+ done
+
+ The oops stack shows accessing NULL f_inode due to racing fput:
+ _raw_spin_lock
+ shmem_lock
+ SyS_shmctl
+
+Workload 2:
+ while true; do
+ id=$(shmget 1 4096)
+ shmat $id 4096 &
+ shm_rmid $id &
+ wait
+ done
+
+ The oops stack is similar to workload 1 due to NULL f_inode:
+ touch_atime
+ shmem_mmap
+ shm_mmap
+ mmap_region
+ do_mmap_pgoff
+ do_shmat
+ SyS_shmat
+
+Workload 3:
+ while true; do
+ id=$(shmget 1 4096)
+ shmlock $id
+ shm_rmid $id &
+ shmunlock $id &
+ wait
+ done
+
+ The oops stack shows second fput tripping on an NULL f_inode. The
+ first fput() completed via from shm_destroy(), but a racing thread did
+ a get_file() and queued this fput():
+ locks_remove_flock
+ __fput
+ ____fput
+ task_work_run
+ do_notify_resume
+ int_signal
+
+Fixes: c2c737a0461e ("ipc,shm: shorten critical region for shmat")
+Fixes: 2caacaa82a51 ("ipc,shm: shorten critical region for shmctl")
+Signed-off-by: Greg Thelen
+Cc: Davidlohr Bueso
+Cc: Rik van Riel
+Cc: Manfred Spraul
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ ipc/shm.c | 28 +++++++++++++++++++++++-----
+ 1 file changed, 23 insertions(+), 5 deletions(-)
+
+--- a/ipc/shm.c
++++ b/ipc/shm.c
+@@ -208,15 +208,18 @@ static void shm_open(struct vm_area_stru
+ */
+ static void shm_destroy(struct ipc_namespace *ns, struct shmid_kernel *shp)
+ {
++ struct file *shm_file;
++
++ shm_file = shp->shm_file;
++ shp->shm_file = NULL;
+ ns->shm_tot -= (shp->shm_segsz + PAGE_SIZE - 1) >> PAGE_SHIFT;
+ shm_rmid(ns, shp);
+ shm_unlock(shp);
+- if (!is_file_hugepages(shp->shm_file))
+- shmem_lock(shp->shm_file, 0, shp->mlock_user);
++ if (!is_file_hugepages(shm_file))
++ shmem_lock(shm_file, 0, shp->mlock_user);
+ else if (shp->mlock_user)
+- user_shm_unlock(file_inode(shp->shm_file)->i_size,
+- shp->mlock_user);
+- fput (shp->shm_file);
++ user_shm_unlock(file_inode(shm_file)->i_size, shp->mlock_user);
++ fput(shm_file);
+ ipc_rcu_putref(shp, shm_rcu_free);
+ }
+
+@@ -986,6 +989,13 @@ SYSCALL_DEFINE3(shmctl, int, shmid, int,
+ }
+
+ shm_file = shp->shm_file;
++
++ /* check if shm_destroy() is tearing down shp */
++ if (shm_file == NULL) {
++ err = -EIDRM;
++ goto out_unlock0;
++ }
++
+ if (is_file_hugepages(shm_file))
+ goto out_unlock0;
+
+@@ -1104,6 +1114,14 @@ long do_shmat(int shmid, char __user *sh
+ goto out_unlock;
+
+ ipc_lock_object(&shp->shm_perm);
++
++ /* check if shm_destroy() is tearing down shp */
++ if (shp->shm_file == NULL) {
++ ipc_unlock_object(&shp->shm_perm);
++ err = -EIDRM;
++ goto out_unlock;
+ }
++
+ path = shp->shm_file->f_path;
+ path_get(&path);
+ shp->shm_nattch++;
diff --git a/queue-3.11/series b/queue-3.11/series
index 86c55e541bb..8dc3d46217b 100644
--- a/queue-3.11/series
+++ b/queue-3.11/series
@@ -5,3 +5,13 @@ acpica-return-error-if-derefof-resolves-to-a-null-package-element.patch
 acpica-fix-for-a-store-argx-when-argx-contains-a-reference-to-a-field.patch
 usb-mos7840-fix-tiocmget-error-handling.patch
 can-kvaser_usb-fix-usb-endpoints-detection.patch
+btrfs-relocate-csums-properly-with-prealloc-extents.patch
+crypto-ansi_cprng-fix-off-by-one-error-in-non-block-size-request.patch
+crypto-s390-fix-aes-cbc-iv-corruption.patch
+can-c_can-fix-rx-message-handling-handle-lost-message-before-eob.patch
+alx-reset-phy-speed-after-resume.patch
+ipc-shm-correct-error-return-value-in-shmctl-shm_unlock.patch
+ipc-shm-fix-shm_file-deletion-races.patch
+drm-nvc0-gr-fix-a-number-of-missing-explicit-array-terminators.patch
+thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch
+sunrpc-don-t-map-ekeyexpired-to-eacces-in-call_refreshresult.patch
diff --git a/queue-3.11/sunrpc-don-t-map-ekeyexpired-to-eacces-in-call_refreshresult.patch b/queue-3.11/sunrpc-don-t-map-ekeyexpired-to-eacces-in-call_refreshresult.patch
new file mode 100644
index 00000000000..0109af2f175
--- /dev/null
+++ b/queue-3.11/sunrpc-don-t-map-ekeyexpired-to-eacces-in-call_refreshresult.patch
@@ -0,0 +1,35 @@
+From f1ff0c27fd9987c59d707cd1a6b6c1fc3ae0a250 Mon Sep 17 00:00:00 2001
+From: Andy Adamson
+Date: Wed, 14 Aug 2013 11:59:13 -0400
+Subject: SUNRPC: don't map EKEYEXPIRED to EACCES in call_refreshresult
+
+From: Andy Adamson
+
+commit f1ff0c27fd9987c59d707cd1a6b6c1fc3ae0a250 upstream.
+
+The NFS layer needs to know when a key has expired.
+This change also returns -EKEYEXPIRED to the application, and the informative
+"Key has expired" error message is displayed. The user then knows that
+credential renewal is required.
+
+Signed-off-by: Andy Adamson
+Signed-off-by: Trond Myklebust
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/sunrpc/clnt.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/sunrpc/clnt.c
++++ b/net/sunrpc/clnt.c
+@@ -1423,9 +1423,9 @@ call_refreshresult(struct rpc_task *task
+ return;
+ case -ETIMEDOUT:
+ rpc_delay(task, 3*HZ);
+- case -EKEYEXPIRED:
+ case -EAGAIN:
+ status = -EACCES;
++ case -EKEYEXPIRED:
+ if (!task->tk_cred_retry)
+ break;
+ task->tk_cred_retry--;
diff --git a/queue-3.11/thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch b/queue-3.11/thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch
new file mode 100644
index 00000000000..81bb11baadc
--- /dev/null
+++ b/queue-3.11/thinkpad_acpi-fix-build-error-when-config_snd_max_cards-32.patch
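Review bot: The `switch` in `call_refreshresult()` now depends on three unmarked fall-throughs (`-ETIMEDOUT` into `-EAGAIN` into `-EKEYEXPIRED`), and the position of `case -EKEYEXPIRED:` after `status = -EACCES;` is the entire behaviour change. Each fall-through should carry a `/* fall through */` marker, and the moved label a comment such as `/* placed after the -EACCES assignment so an expired key is reported as -EKEYEXPIRED */`. Without them a later reordering of the cases would silently change which errno the NFS layer and the application see for an expired credential. The switch starts and ends outside the hunk.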
@@ -0,0 +1,36 @@
+From cab6661344f14a09d7aecdf821a40f68ef9b18cc Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Thu, 24 Oct 2013 16:06:32 +0200
+Subject: thinkpad_acpi: Fix build error when CONFIG_SND_MAX_CARDS > 32
+
+From: Takashi Iwai
+
+commit cab6661344f14a09d7aecdf821a40f68ef9b18cc upstream.
+
+SNDRV_CARDS can be specified via Kconfig since 3.11 kernel, so this
+can be over 32bit integer range, which leads to a build error.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Matthew Garrett
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/platform/x86/thinkpad_acpi.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+--- a/drivers/platform/x86/thinkpad_acpi.c
++++ b/drivers/platform/x86/thinkpad_acpi.c
+@@ -6438,7 +6438,12 @@ static struct ibm_struct brightness_driv
+ #define TPACPI_ALSA_SHRTNAME "ThinkPad Console Audio Control"
+ #define TPACPI_ALSA_MIXERNAME TPACPI_ALSA_SHRTNAME
+
+-static int alsa_index = ~((1 << (SNDRV_CARDS - 3)) - 1); /* last three slots */
++#if SNDRV_CARDS <= 32
++#define DEFAULT_ALSA_IDX ~((1 << (SNDRV_CARDS - 3)) - 1)
++#else
++#define DEFAULT_ALSA_IDX ~((1 << (32 - 3)) - 1)
++#endif
++static int alsa_index = DEFAULT_ALSA_IDX; /* last three slots */
+ static char *alsa_id = "ThinkPadEC";
+ static bool alsa_enable = SNDRV_DEFAULT_ENABLE1;
+
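Review bot: The retained comment `/* last three slots */` on `alsa_index` is no longer accurate for the new `#else` branch: when `SNDRV_CARDS` exceeds 32 the mask `~((1 << (32 - 3)) - 1)` selects bits 29 to 31, not the last three of the configured slots. I would reword it to something like `/* last three slots (of the first 32 when SNDRV_CARDS > 32) */`. Both `DEFAULT_ALSA_IDX` definitions also leave the expansion unparenthesised; `#define DEFAULT_ALSA_IDX (~((1 << (SNDRV_CARDS - 3)) - 1))` is the safer form if the macro is ever used inside a larger expression.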