From: Greg Kroah-Hartman Date: Wed, 9 Oct 2013 15:54:50 +0000 (-0700) Subject: 3.4-stable patches X-Git-Tag: v3.0.100~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=e1fe2fa1f91fdaceaac2fac89b35da1a7c5f8db8;p=thirdparty%2Fkernel%2Fstable-queue.git 3.4-stable patches added patches: esp_scsi-fix-tag-state-corruption-when-autosensing.patch kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch sparc64-fix-itlb-handler-of-null-page.patch sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch sparc64-remove-rwsem-export-leftovers.patch usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
---
diff --git a/queue-3.4/esp_scsi-fix-tag-state-corruption-when-autosensing.patch b/queue-3.4/esp_scsi-fix-tag-state-corruption-when-autosensing.patch
new file mode 100644
index 00000000000..975cf554cb2
--- /dev/null
+++ b/queue-3.4/esp_scsi-fix-tag-state-corruption-when-autosensing.patch
@@ -0,0 +1,94 @@
+From 5d9a6dc6ed2d7fd962e592e85a0ece02b6285b38 Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Thu, 1 Aug 2013 18:08:34 -0700
+Subject: esp_scsi: Fix tag state corruption when autosensing.
+
+From: "David S. Miller"
+
+[ Upstream commit 21af8107f27878813d0364733c0b08813c2c192a ]
+
+Meelis Roos reports a crash in esp_free_lun_tag() in the presense
+of a disk which has died.
+
+The issue is that when we issue an autosense command, we do so by
+hijacking the original command that caused the check-condition.
+
+When we do so we clear out the ent->tag[] array when we issue it via
+find_and_prep_issuable_command(). This is so that the autosense
+command is forced to be issued non-tagged.
+
+That is problematic, because it is the value of ent->tag[] which
+determines whether we issued the original scsi command as tagged
+vs. non-tagged (see esp_alloc_lun_tag()).
+
+And that, in turn, is what trips up the sanity checks in
+esp_free_lun_tag(). That function needs the original ->tag[] values
+in order to free up the tag slot properly.
+
+Fix this by remembering the original command's tag values, and
+having esp_alloc_lun_tag() and esp_free_lun_tag() use them.
+
+Reported-by: Meelis Roos
+Tested-by: Meelis Roos
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/scsi/esp_scsi.c | 14 ++++++++------
+ drivers/scsi/esp_scsi.h | 1 +
+ 2 files changed, 9 insertions(+), 6 deletions(-)
+
+--- a/drivers/scsi/esp_scsi.c
++++ b/drivers/scsi/esp_scsi.c
+@@ -530,7 +530,7 @@ static int esp_need_to_nego_sync(struct
+ static int esp_alloc_lun_tag(struct esp_cmd_entry *ent,
+ struct esp_lun_data *lp)
+ {
+- if (!ent->tag[0]) {
++ if (!ent->orig_tag[0]) {
+ /* Non-tagged, slot already taken? */
+ if (lp->non_tagged_cmd)
+ return -EBUSY;
+@@ -564,9 +564,9 @@ static int esp_alloc_lun_tag(struct esp_
+ return -EBUSY;
+ }
+
+- BUG_ON(lp->tagged_cmds[ent->tag[1]]);
++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]]);
+
+- lp->tagged_cmds[ent->tag[1]] = ent;
++ lp->tagged_cmds[ent->orig_tag[1]] = ent;
+ lp->num_tagged++;
+
+ return 0;
+@@ -575,9 +575,9 @@ static int esp_alloc_lun_tag(struct esp_
+ static void esp_free_lun_tag(struct esp_cmd_entry *ent,
+ struct esp_lun_data *lp)
+ {
+- if (ent->tag[0]) {
+- BUG_ON(lp->tagged_cmds[ent->tag[1]] != ent);
+- lp->tagged_cmds[ent->tag[1]] = NULL;
++ if (ent->orig_tag[0]) {
++ BUG_ON(lp->tagged_cmds[ent->orig_tag[1]] != ent);
++ lp->tagged_cmds[ent->orig_tag[1]] = NULL;
+ lp->num_tagged--;
+ } else {
+ BUG_ON(lp->non_tagged_cmd != ent);
+@@ -667,6 +667,8 @@ static struct esp_cmd_entry *find_and_pr
+ ent->tag[0] = 0;
+ ent->tag[1] = 0;
+ }
++ ent->orig_tag[0] = ent->tag[0];
++ ent->orig_tag[1] = ent->tag[1];
+
+ if (esp_alloc_lun_tag(ent, lp) < 0)
+ continue;
+--- a/drivers/scsi/esp_scsi.h
++++ b/drivers/scsi/esp_scsi.h
+@@ -271,6 +271,7 @@ struct esp_cmd_entry {
+ #define ESP_CMD_FLAG_AUTOSENSE 0x04 /* Doing automatic REQUEST_SENSE */
+
+ u8 tag[2];
++ u8 orig_tag[2];
+
+ u8 status;
+ u8 message;
diff --git a/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch b/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
new file mode 100644
index 00000000000..1067c514c17
--- /dev/null
+++ b/queue-3.4/kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
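Review bot: The new `orig_tag[2]` field in struct esp_cmd_entry is added without a comment, and a reader of the header cannot tell that it differs from `tag[]` only once `tag[]` has been cleared for autosense. A comment on the field would record that, for example `u8 orig_tag[2]; /* tag[] as first issued; kept when tag[] is cleared for autosense */`. esp_alloc_lun_tag() and esp_free_lun_tag() now index `lp->tagged_cmds[]` by `orig_tag[1]`, so it is worth confirming that every entry reaching esp_free_lun_tag() has passed the assignment added in find_and_prep_issuable_command(). The earlier part of that function, including the autosense path, is outside the hunk.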
@@ -0,0 +1,45 @@
+From 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 Mon Sep 17 00:00:00 2001
+From: Tetsuo Handa
+Date: Mon, 30 Sep 2013 13:45:08 -0700
+Subject: kernel/kmod.c: check for NULL in call_usermodehelper_exec()
+
+From: Tetsuo Handa
+
+commit 4c1c7be95c345cf2ad537a0c48e9aeadc7304527 upstream.
+
+If /proc/sys/kernel/core_pattern contains only "|", a NULL pointer
+dereference happens upon core dump because argv_split("") returns
+argv[0] == NULL.
+
+This bug was once fixed by commit 264b83c07a84 ("usermodehelper: check
+subprocess_info->path != NULL") but was by error reintroduced by commit
+7f57cfa4e2aa ("usermodehelper: kill the sub_info->path[0] check").
+
+This bug seems to exist since 2.6.19 (the version which core dump to
+pipe was added). Depending on kernel version and config, some side
+effect might happen immediately after this oops (e.g. kernel panic with
+2.6.32-358.18.1.el6).
+
+Signed-off-by: Tetsuo Handa
+Acked-by: Oleg Nesterov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kmod.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -540,6 +540,10 @@ int call_usermodehelper_exec(struct subp
+ DECLARE_COMPLETION_ONSTACK(done);
+ int retval = 0;
+
++ if (!sub_info->path) {
++ call_usermodehelper_freeinfo(sub_info);
++ return -EINVAL;
++ }
+ helper_lock();
+ if (!sub_info->path) {
+ retval = -EINVAL;
diff --git a/queue-3.4/series b/queue-3.4/series
index 018521a9949..2006b536c81 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
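Review bot: The added early `if (!sub_info->path)` return makes the existing check that follows `helper_lock()` in the context lines (`if (!sub_info->path) { retval = -EINVAL;`) unreachable in this tree. Both tests read the same field with nothing written in between in the visible lines, so one of them is redundant. Since the older check already appears to reject a NULL path, it is worth confirming that 3.4 carries the regression named in the description at all. If the backport is kept, dropping the later check, or putting a comment such as `/* path is NULL when core_pattern is just "|" */` on the new one, would make the intent clear. The rest of call_usermodehelper_exec() is outside the hunk.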
@@ -25,3 +25,11 @@ powerpc-fix-parameter-clobber-in-csum_partial_copy_generic.patch
 powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
 bluetooth-fix-security-level-for-peripheral-role.patch
 bluetooth-fix-encryption-key-size-for-peripheral-role.patch
+esp_scsi-fix-tag-state-corruption-when-autosensing.patch
+sparc64-fix-itlb-handler-of-null-page.patch
+sparc64-remove-rwsem-export-leftovers.patch
+sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch
+sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
+sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
+kernel-kmod.c-check-for-null-in-call_usermodehelper_exec.patch
+usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
diff --git a/queue-3.4/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch b/queue-3.4/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
new file mode 100644
index 00000000000..88b9511143c
--- /dev/null
+++ b/queue-3.4/sparc32-fix-exit-flag-passed-from-traced-sys_sigreturn.patch
@@ -0,0 +1,30 @@
+From a3f6068bbfee0a7edfef8b9579395e2613130692 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Fri, 26 Jul 2013 01:17:15 +0400
+Subject: sparc32: Fix exit flag passed from traced sys_sigreturn
+
+From: Kirill Tkhai
+
+[ Upstream commit 7a3b0f89e3fea680f93932691ca41a68eee7ab5e ]
+
+Pass 1 in %o1 to indicate that syscall_trace accounts exit.
+
+Signed-off-by: Kirill Tkhai
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/sparc/kernel/entry.S
++++ b/arch/sparc/kernel/entry.S
+@@ -1177,7 +1177,7 @@ sys_sigreturn:
+ nop
+
+ call syscall_trace
+- nop
++ mov 1, %o1
+
+ 1:
+ /* We don't want to muck with user registers like a
diff --git a/queue-3.4/sparc64-fix-itlb-handler-of-null-page.patch b/queue-3.4/sparc64-fix-itlb-handler-of-null-page.patch
new file mode 100644
index 00000000000..cf1b42a9951
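Review bot: The added `mov 1, %o1` sits in the delay slot of `call syscall_trace` with no comment, so it is easy to miss that it is an argument of that call rather than an unrelated instruction. Suggest `mov 1, %o1 ! delay slot: second arg, 1 = syscall exit`. Only %o1 is set in the visible lines; whatever syscall_trace expects in %o0 is set up outside the hunk, if at all, and is worth confirming.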
--- /dev/null
+++ b/queue-3.4/sparc64-fix-itlb-handler-of-null-page.patch
@@ -0,0 +1,41 @@
+From 428d8e4747bdaa3dcbb09c9f13254ce001dcfa33 Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Fri, 2 Aug 2013 19:23:18 +0400
+Subject: sparc64: Fix ITLB handler of null page
+
+From: Kirill Tkhai
+
+[ Upstream commit 1c2696cdaad84580545a2e9c0879ff597880b1a9 ]
+
+1)Use kvmap_itlb_longpath instead of kvmap_dtlb_longpath.
+
+2)Handle page #0 only, don't handle page #1: bleu -> blu
+
+ (KERNBASE is 0x400000, so #1 does not exist too. But everything
+ is possible in the future. Fix to not to have problems later.)
+
+3)Remove unused kvmap_itlb_nonlinear.
+
+Signed-off-by: Kirill Tkhai
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/ktlb.S | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/sparc/kernel/ktlb.S
++++ b/arch/sparc/kernel/ktlb.S
+@@ -25,11 +25,10 @@ kvmap_itlb:
+ */
+ kvmap_itlb_4v:
+
+-kvmap_itlb_nonlinear:
+ /* Catch kernel NULL pointer calls. */
+ sethi %hi(PAGE_SIZE), %g5
+ cmp %g4, %g5
+- bleu,pn %xcc, kvmap_dtlb_longpath
++ blu,pn %xcc, kvmap_itlb_longpath
+ nop
+
+ KERN_TSB_LOOKUP_TL1(%g4, %g6, %g5, %g1, %g2, %g3, kvmap_itlb_load)
diff --git a/queue-3.4/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch b/queue-3.4/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
new file mode 100644
index 00000000000..07c4574f16e
--- /dev/null
+++ b/queue-3.4/sparc64-fix-not-sra-ed-o5-in-32-bit-traced-syscall.patch
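Review bot: The comment `/* Catch kernel NULL pointer calls. */` is left as it was although the comparison below it is now strict, so it no longer tells a reader which range is trapped. With `blu` only values of %g4 below PAGE_SIZE, i.e. page 0, branch to kvmap_itlb_longpath; suggest `/* Catch kernel NULL pointer calls: only page 0 (below PAGE_SIZE) takes the ITLB long path. */`. The label `kvmap_itlb_nonlinear` is removed as unused according to the description; any remaining branch to it would be outside this hunk, so a search of arch/sparc for the name is worth doing before the patch is applied.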
@@ -0,0 +1,52 @@
+From cd1e2d67583d9f3e3f86d5fbb8ac4cef070a241b Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Fri, 26 Jul 2013 17:21:12 +0400
+Subject: sparc64: Fix not SRA'ed %o5 in 32-bit traced syscall
+
+From: Kirill Tkhai
+
+[ Upstream commit ab2abda6377723e0d5fbbfe5f5aa16a5523344d1 ]
+
+(From v1 to v2: changed comment)
+
+On the way linux_sparc_syscall32->linux_syscall_trace32->goto 2f,
+register %o5 doesn't clear its second 32-bit.
+
+Fix that.
+
+Signed-off-by: Kirill Tkhai
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/syscalls.S | 8 ++++----
+ 1 file changed, 4 insertions(+), 4 deletions(-)
+
+--- a/arch/sparc/kernel/syscalls.S
++++ b/arch/sparc/kernel/syscalls.S
+@@ -147,7 +147,7 @@ linux_syscall_trace32:
+ srl %i4, 0, %o4
+ srl %i1, 0, %o1
+ srl %i2, 0, %o2
+- ba,pt %xcc, 2f
++ ba,pt %xcc, 5f
+ srl %i3, 0, %o3
+
+ linux_syscall_trace:
+@@ -177,13 +177,13 @@ linux_sparc_syscall32:
+ srl %i1, 0, %o1 ! IEU0 Group
+ ldx [%g6 + TI_FLAGS], %l0 ! Load
+
+- srl %i5, 0, %o5 ! IEU1
++ srl %i3, 0, %o3 ! IEU0
+ srl %i2, 0, %o2 ! IEU0 Group
+ andcc %l0, (_TIF_SYSCALL_TRACE|_TIF_SECCOMP|_TIF_SYSCALL_AUDIT|_TIF_SYSCALL_TRACEPOINT), %g0
+ bne,pn %icc, linux_syscall_trace32 ! CTI
+ mov %i0, %l5 ! IEU1
+- call %l7 ! CTI Group brk forced
+- srl %i3, 0, %o3 ! IEU0
++5: call %l7 ! CTI Group brk forced
++ srl %i5, 0, %o5 ! IEU1
+ ba,a,pt %xcc, 3f
+
+ /* Linux native system calls enter here... */
diff --git a/queue-3.4/sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch b/queue-3.4/sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch
new file mode 100644
index 00000000000..cea1f31fce7
--- /dev/null
+++ b/queue-3.4/sparc64-fix-off-by-one-in-trampoline-tlb-mapping.patch
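Review bot: The new local label `5:` in linux_sparc_syscall32 is a second entry point reached from linux_syscall_trace32 through `ba,pt %xcc, 5f`, and nothing at the label says so. The zero-extension of the sixth argument now depends on `srl %i5, 0, %o5` staying in the delay slot of `call %l7`, so a later reordering could again leave the upper 32 bits of %o5 uncleared on the traced path; those bits presumably come from the 32-bit task's registers. A comment at the label would protect the arrangement, e.g. `5: call %l7 ! also entered from linux_syscall_trace32; delay slot zero-extends %o5`. Both routines continue outside the hunk.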
@@ -0,0 +1,35 @@
+From a742bc857e63bce5d66a595e9c497b2c3c21cb49 Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Thu, 22 Aug 2013 16:38:46 -0700
+Subject: sparc64: Fix off by one in trampoline TLB mapping
+ installation loop.
+
+From: "David S. Miller"
+
+[ Upstream commit 63d499662aeec1864ec36d042aca8184ea6a938e ]
+
+Reported-by: Kirill Tkhai
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/kernel/trampoline_64.S | 2 --
+ 1 file changed, 2 deletions(-)
+
+--- a/arch/sparc/kernel/trampoline_64.S
++++ b/arch/sparc/kernel/trampoline_64.S
+@@ -131,7 +131,6 @@ startup_continue:
+ clr %l5
+ sethi %hi(num_kernel_image_mappings), %l6
+ lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
+- add %l6, 1, %l6
+
+ mov 15, %l7
+ BRANCH_IF_ANY_CHEETAH(g1,g5,2f)
+@@ -224,7 +223,6 @@ niagara_lock_tlb:
+ clr %l5
+ sethi %hi(num_kernel_image_mappings), %l6
+ lduw [%l6 + %lo(num_kernel_image_mappings)], %l6
+- add %l6, 1, %l6
+
+ 1:
+ mov HV_FAST_MMU_MAP_PERM_ADDR, %o5
diff --git a/queue-3.4/sparc64-remove-rwsem-export-leftovers.patch b/queue-3.4/sparc64-remove-rwsem-export-leftovers.patch
new file mode 100644
index 00000000000..4a585c23a3e
--- /dev/null
+++ b/queue-3.4/sparc64-remove-rwsem-export-leftovers.patch
@@ -0,0 +1,48 @@
+From 9a4cf4da867f35db5931bde2bccd5e2f2da8490f Mon Sep 17 00:00:00 2001
+From: Kirill Tkhai
+Date: Mon, 12 Aug 2013 16:02:24 +0400
+Subject: sparc64: Remove RWSEM export leftovers
+
+From: Kirill Tkhai
+
+[ Upstream commit 61d9b9355b0d427bd1e732bd54628ff9103e496f ]
+
+The functions
+
+ __down_read
+ __down_read_trylock
+ __down_write
+ __down_write_trylock
+ __up_read
+ __up_write
+ __downgrade_write
+
+are implemented inline, so remove corresponding EXPORT_SYMBOLs
+(They lead to compile errors on RT kernel).
+
+Signed-off-by: Kirill Tkhai
+CC: David Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/sparc/lib/ksyms.c | 9 ---------
+ 1 file changed, 9 deletions(-)
+
+--- a/arch/sparc/lib/ksyms.c
++++ b/arch/sparc/lib/ksyms.c
+@@ -125,15 +125,6 @@ EXPORT_SYMBOL(___copy_from_user);
+ EXPORT_SYMBOL(___copy_in_user);
+ EXPORT_SYMBOL(__clear_user);
+
+-/* RW semaphores */
+-EXPORT_SYMBOL(__down_read);
+-EXPORT_SYMBOL(__down_read_trylock);
+-EXPORT_SYMBOL(__down_write);
+-EXPORT_SYMBOL(__down_write_trylock);
+-EXPORT_SYMBOL(__up_read);
+-EXPORT_SYMBOL(__up_write);
+-EXPORT_SYMBOL(__downgrade_write);
+-
+ /* Atomic counter implementation. */
+ EXPORT_SYMBOL(atomic_add);
+ EXPORT_SYMBOL(atomic_add_ret);
diff --git a/queue-3.4/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch b/queue-3.4/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
new file mode 100644
index 00000000000..5bcf24f33c2
--- /dev/null
+++ b/queue-3.4/usb-serial-option-ignore-card-reader-interface-on-huawei-e1750.patch
@@ -0,0 +1,45 @@
+From eb2addd4044b4b2ce77693bde5bc810536dd96ee Mon Sep 17 00:00:00 2001
+From: Michal Malý
+Date: Sat, 28 Sep 2013 19:50:27 +0200
+Subject: USB: serial: option: Ignore card reader interface on Huawei E1750
+
+From: Michal Malý
+
+commit eb2addd4044b4b2ce77693bde5bc810536dd96ee upstream.
+
+Hi,
+
+my Huawei 3G modem has an embedded Smart Card reader which causes
+trouble when the modem is being detected (a bunch of " (ttyUSBx):
+open blocked by driver for more than 7 seconds!" in messages.log). This
+trivial patch corrects the problem for me. The modem identifies itself
+as "12d1:1406 Huawei Technologies Co., Ltd. E1750" in lsusb although the
+description on the body says "Model E173u-1"
+
+Signed-off-by: Michal Malý
+Cc: Bjørn Mork
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/serial/option.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/usb/serial/option.c
++++ b/drivers/usb/serial/option.c
+@@ -81,6 +81,7 @@ static void option_instat_callback(struc
+
+ #define HUAWEI_VENDOR_ID 0x12D1
+ #define HUAWEI_PRODUCT_E173 0x140C
++#define HUAWEI_PRODUCT_E1750 0x1406
+ #define HUAWEI_PRODUCT_K4505 0x1464
+ #define HUAWEI_PRODUCT_K3765 0x1465
+ #define HUAWEI_PRODUCT_K4605 0x14C6
+@@ -581,6 +582,8 @@ static const struct usb_device_id option
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1c23, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E173, 0xff, 0xff, 0xff),
+ .driver_info = (kernel_ulong_t) &net_intf1_blacklist },
++ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E1750, 0xff, 0xff, 0xff),
++ .driver_info = (kernel_ulong_t) &net_intf2_blacklist },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1441, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, 0x1442, USB_CLASS_COMM, 0x02, 0xff) },
+ { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_K4505, 0xff, 0xff, 0xff),
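Review bot: The new table entry reuses `net_intf2_blacklist` to skip what the description calls a smart card reader, so the blacklist's name and the reason for the entry disagree, and the interface number being skipped is stated nowhere in the code. A comment above the entry would record it, e.g. `/* E1750: interface 2 is the embedded smart card reader */`; the interface number is inferred from the blacklist name and should be confirmed against the device's descriptors. The description also says the device body is marked "Model E173u-1", which would be worth noting next to `#define HUAWEI_PRODUCT_E1750 0x1406` so the ID can be matched to the hardware later.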