From: Greg Kroah-Hartman Date: Sun, 1 Dec 2013 20:23:42 +0000 (-0800) Subject: 3.10-stable patches X-Git-Tag: v3.4.72~33 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ea250ae9692171fcbc7ffb9513a73d2060078c49;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch audit-fix-info-leak-in-audit_get-requests.patch audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch audit-log-the-audit_names-record-type.patch audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch audit-use-nlmsg_len-to-get-message-payload-length.patch avr32-fix-out-of-range-jump-in-large-kernels.patch avr32-setup-crt-for-early-panic.patch ftrace-fix-function-graph-with-loading-of-modules.patch mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch prism54-set-netdev-type-to-wlan.patch qxl-avoid-an-oops-in-the-deferred-io-code.patch selinux-correct-locking-in-selinux_netlbl_socket_connect.patch --- diff --git a/queue-3.10/acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch b/queue-3.10/acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch new file mode 100644 index 00000000000..9031316e38e --- /dev/null +++ b/queue-3.10/acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch @@ -0,0 +1,65 @@ +From ca499fc87ed945094d952da0eb7eea7dbeb1feec Mon Sep 17 00:00:00 2001 +From: Toshi Kani +Date: Wed, 20 Nov 2013 14:25:34 +0100 +Subject: ACPI / hotplug: Fix conflicted PCI bridge notify handlers + +From: Toshi Kani + +commit ca499fc87ed945094d952da0eb7eea7dbeb1feec upstream. + +The PCI host bridge scan handler installs its own notify handler, +handle_hotplug_event_root(), by itself. Nevertheless, the ACPI +hotplug framework also installs the common notify handler, +acpi_hotplug_notify_cb(), for PCI root bridges. This causes +acpi_hotplug_notify_cb() to call _OST method with unsupported +error as hotplug.enabled is not set. + +To address this issue, introduce hotplug.ignore flag, which +indicates that the scan handler installs its own notify handler by +itself. The ACPI hotplug framework does not install the common +notify handler when this flag is set. + +Signed-off-by: Toshi Kani +[rjw: Changed the name of the new flag] +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/pci_root.c | 3 +++ + drivers/acpi/scan.c | 2 +- + include/acpi/acpi_bus.h | 1 + + 3 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -63,6 +63,9 @@ static struct acpi_scan_handler pci_root + .ids = root_device_ids, + .attach = acpi_pci_root_add, + .detach = acpi_pci_root_remove, ++ .hotplug = { ++ .ignore = true, ++ }, + }; + + /* Lock to protect both acpi_pci_roots lists */ +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1790,7 +1790,7 @@ static void acpi_scan_init_hotplug(acpi_ + */ + list_for_each_entry(hwid, &pnp.ids, list) { + handler = acpi_scan_match_handler(hwid->id, NULL); +- if (handler) { ++ if (handler && !handler->hotplug.ignore) { + acpi_install_notify_handler(handle, ACPI_SYSTEM_NOTIFY, + acpi_hotplug_notify_cb, handler); + break; +--- a/include/acpi/acpi_bus.h ++++ b/include/acpi/acpi_bus.h +@@ -97,6 +97,7 @@ enum acpi_hotplug_mode { + struct acpi_hotplug_profile { + struct kobject kobj; + bool enabled:1; ++ bool ignore:1; + enum acpi_hotplug_mode mode; + }; + diff --git a/queue-3.10/audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch b/queue-3.10/audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch new file mode 100644 index 00000000000..c5261bbfb92 --- /dev/null +++ b/queue-3.10/audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch @@ -0,0 +1,53 @@ +From 14e972b4517128ac8e30e3de2ee4fbd995084223 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 8 May 2013 10:25:58 -0400 +Subject: audit: add child record before the create to handle case where create fails + +From: Jeff Layton + +commit 14e972b4517128ac8e30e3de2ee4fbd995084223 upstream. + +Historically, when a syscall that creates a dentry fails, you get an audit +record that looks something like this (when trying to create a file named +"new" in "/tmp/tmp.SxiLnCcv63"): + + type=PATH msg=audit(1366128956.279:965): item=0 name="/tmp/tmp.SxiLnCcv63/new" inode=2138308 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 + +This record makes no sense since it's associating the inode information for +"/tmp/tmp.SxiLnCcv63" with the path "/tmp/tmp.SxiLnCcv63/new". The recent +patch I posted to fix the audit_inode call in do_last fixes this, by making it +look more like this: + + type=PATH msg=audit(1366128765.989:13875): item=0 name="/tmp/tmp.DJ1O8V3e4f/" inode=141 dev=fd:02 mode=040700 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:user_tmp_t:s15:c0.c1023 + +While this is more correct, if the creation of the file fails, then we +have no record of the filename that the user tried to create. + +This patch adds a call to audit_inode_child to may_create. This creates +an AUDIT_TYPE_CHILD_CREATE record that will sit in place until the +create succeeds. When and if the create does succeed, then this record +will be updated with the correct inode info from the create. + +This fixes what was broken in commit bfcec708. +Commit 79f6530c should also be backported to stable v3.7+. + +Signed-off-by: Jeff Layton +Signed-off-by: Eric Paris +Signed-off-by: Richard Guy Briggs +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/namei.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/namei.c ++++ b/fs/namei.c +@@ -2263,6 +2263,7 @@ static int may_delete(struct inode *dir, + */ + static inline int may_create(struct inode *dir, struct dentry *child) + { ++ audit_inode_child(dir, child, AUDIT_TYPE_CHILD_CREATE); + if (child->d_inode) + return -EEXIST; + if (IS_DEADDIR(dir)) diff --git a/queue-3.10/audit-fix-info-leak-in-audit_get-requests.patch b/queue-3.10/audit-fix-info-leak-in-audit_get-requests.patch new file mode 100644 index 00000000000..ff60d90d40a --- /dev/null +++ b/queue-3.10/audit-fix-info-leak-in-audit_get-requests.patch @@ -0,0 +1,33 @@ +From 64fbff9ae0a0a843365d922e0057fc785f23f0e3 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:04:24 +0200 +Subject: audit: fix info leak in AUDIT_GET requests + +From: Mathias Krause + +commit 64fbff9ae0a0a843365d922e0057fc785f23f0e3 upstream. + +We leak 4 bytes of kernel stack in response to an AUDIT_GET request as +we miss to initialize the mask member of status_set. Fix that. + +Cc: Al Viro +Cc: Eric Paris +Signed-off-by: Mathias Krause +Signed-off-by: Richard Guy Briggs +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -659,6 +659,7 @@ static int audit_receive_msg(struct sk_b + + switch (msg_type) { + case AUDIT_GET: ++ status_set.mask = 0; + status_set.enabled = audit_enabled; + status_set.failure = audit_failure; + status_set.pid = audit_pid; diff --git a/queue-3.10/audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch b/queue-3.10/audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch new file mode 100644 index 00000000000..ec1fe13db99 --- /dev/null +++ b/queue-3.10/audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch @@ -0,0 +1,192 @@ +From 79f6530cb59e2a0af6953742a33cc29e98ca631c Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Mon, 8 Jul 2013 15:59:36 -0700 +Subject: audit: fix mq_open and mq_unlink to add the MQ root as a hidden parent audit_names record + +From: Jeff Layton + +commit 79f6530cb59e2a0af6953742a33cc29e98ca631c upstream. + +The old audit PATH records for mq_open looked like this: + + type=PATH msg=audit(1366282323.982:869): item=1 name=(null) inode=6777 + dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00 + obj=system_u:object_r:tmpfs_t:s15:c0.c1023 + type=PATH msg=audit(1366282323.982:869): item=0 name="test_mq" inode=26732 + dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00 + obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023 + +...with the audit related changes that went into 3.7, they now look like this: + + type=PATH msg=audit(1366282236.776:3606): item=2 name=(null) inode=66655 + dev=00:0c mode=0100700 ouid=0 ogid=0 rdev=00:00 + obj=staff_u:object_r:user_tmpfs_t:s15:c0.c1023 + type=PATH msg=audit(1366282236.776:3606): item=1 name=(null) inode=6926 + dev=00:0c mode=041777 ouid=0 ogid=0 rdev=00:00 + obj=system_u:object_r:tmpfs_t:s15:c0.c1023 + type=PATH msg=audit(1366282236.776:3606): item=0 name="test_mq" + +Both of these look wrong to me. As Steve Grubb pointed out: + + "What we need is 1 PATH record that identifies the MQ. The other PATH + records probably should not be there." + +Fix it to record the mq root as a parent, and flag it such that it +should be hidden from view when the names are logged, since the root of +the mq filesystem isn't terribly interesting. With this change, we get +a single PATH record that looks more like this: + + type=PATH msg=audit(1368021604.836:484): item=0 name="test_mq" inode=16914 + dev=00:0c mode=0100644 ouid=0 ogid=0 rdev=00:00 + obj=unconfined_u:object_r:user_tmpfs_t:s0 + +In order to do this, a new audit_inode_parent_hidden() function is +added. If we do it this way, then we avoid having the existing callers +of audit_inode needing to do any sort of flag conversion if auditing is +inactive. + +Signed-off-by: Jeff Layton +Reported-by: Jiri Jaburek +Cc: Steve Grubb +Cc: Eric Paris +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/audit.h | 26 ++++++++++++++++++++++---- + ipc/mqueue.c | 2 ++ + kernel/audit.h | 1 + + kernel/auditsc.c | 12 +++++++++--- + 4 files changed, 34 insertions(+), 7 deletions(-) + +--- a/include/linux/audit.h ++++ b/include/linux/audit.h +@@ -103,8 +103,11 @@ extern void __audit_syscall_exit(int ret + extern struct filename *__audit_reusename(const __user char *uptr); + extern void __audit_getname(struct filename *name); + extern void audit_putname(struct filename *name); ++ ++#define AUDIT_INODE_PARENT 1 /* dentry represents the parent */ ++#define AUDIT_INODE_HIDDEN 2 /* audit record should be hidden */ + extern void __audit_inode(struct filename *name, const struct dentry *dentry, +- unsigned int parent); ++ unsigned int flags); + extern void __audit_inode_child(const struct inode *parent, + const struct dentry *dentry, + const unsigned char type); +@@ -148,10 +151,22 @@ static inline void audit_getname(struct + if (unlikely(!audit_dummy_context())) + __audit_getname(name); + } +-static inline void audit_inode(struct filename *name, const struct dentry *dentry, ++static inline void audit_inode(struct filename *name, ++ const struct dentry *dentry, + unsigned int parent) { ++ if (unlikely(!audit_dummy_context())) { ++ unsigned int flags = 0; ++ if (parent) ++ flags |= AUDIT_INODE_PARENT; ++ __audit_inode(name, dentry, flags); ++ } ++} ++static inline void audit_inode_parent_hidden(struct filename *name, ++ const struct dentry *dentry) ++{ + if (unlikely(!audit_dummy_context())) +- __audit_inode(name, dentry, parent); ++ __audit_inode(name, dentry, ++ AUDIT_INODE_PARENT | AUDIT_INODE_HIDDEN); + } + static inline void audit_inode_child(const struct inode *parent, + const struct dentry *dentry, +@@ -311,7 +326,7 @@ static inline void audit_putname(struct + { } + static inline void __audit_inode(struct filename *name, + const struct dentry *dentry, +- unsigned int parent) ++ unsigned int flags) + { } + static inline void __audit_inode_child(const struct inode *parent, + const struct dentry *dentry, +@@ -321,6 +336,9 @@ static inline void audit_inode(struct fi + const struct dentry *dentry, + unsigned int parent) + { } ++static inline void audit_inode_parent_hidden(struct filename *name, ++ const struct dentry *dentry) ++{ } + static inline void audit_inode_child(const struct inode *parent, + const struct dentry *dentry, + const unsigned char type) +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -823,6 +823,7 @@ SYSCALL_DEFINE4(mq_open, const char __us + error = ro; + goto out; + } ++ audit_inode_parent_hidden(name, root); + filp = do_create(ipc_ns, root->d_inode, + &path, oflag, mode, + u_attr ? &attr : NULL); +@@ -868,6 +869,7 @@ SYSCALL_DEFINE1(mq_unlink, const char __ + if (IS_ERR(name)) + return PTR_ERR(name); + ++ audit_inode_parent_hidden(name, mnt->mnt_root); + err = mnt_want_write(mnt); + if (err) + goto out_name; +--- a/kernel/audit.h ++++ b/kernel/audit.h +@@ -85,6 +85,7 @@ struct audit_names { + + struct filename *name; + int name_len; /* number of chars to log */ ++ bool hidden; /* don't log this record */ + bool name_put; /* call __putname()? */ + + unsigned long ino; +--- a/kernel/auditsc.c ++++ b/kernel/auditsc.c +@@ -1399,8 +1399,11 @@ static void audit_log_exit(struct audit_ + } + + i = 0; +- list_for_each_entry(n, &context->names_list, list) ++ list_for_each_entry(n, &context->names_list, list) { ++ if (n->hidden) ++ continue; + audit_log_name(context, n, NULL, i++, &call_panic); ++ } + + /* Send end of event record to help user space know we are finished */ + ab = audit_log_start(context, GFP_KERNEL, AUDIT_EOE); +@@ -1769,14 +1772,15 @@ void audit_putname(struct filename *name + * __audit_inode - store the inode and device from a lookup + * @name: name being audited + * @dentry: dentry being audited +- * @parent: does this dentry represent the parent? ++ * @flags: attributes for this particular entry + */ + void __audit_inode(struct filename *name, const struct dentry *dentry, +- unsigned int parent) ++ unsigned int flags) + { + struct audit_context *context = current->audit_context; + const struct inode *inode = dentry->d_inode; + struct audit_names *n; ++ bool parent = flags & AUDIT_INODE_PARENT; + + if (!context->in_syscall) + return; +@@ -1831,6 +1835,8 @@ out: + if (parent) { + n->name_len = n->name ? parent_len(n->name->name) : AUDIT_NAME_FULL; + n->type = AUDIT_TYPE_PARENT; ++ if (flags & AUDIT_INODE_HIDDEN) ++ n->hidden = true; + } else { + n->name_len = AUDIT_NAME_FULL; + n->type = AUDIT_TYPE_NORMAL; diff --git a/queue-3.10/audit-log-the-audit_names-record-type.patch b/queue-3.10/audit-log-the-audit_names-record-type.patch new file mode 100644 index 00000000000..014867aa8a3 --- /dev/null +++ b/queue-3.10/audit-log-the-audit_names-record-type.patch @@ -0,0 +1,60 @@ +From d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Wed, 8 May 2013 10:32:23 -0400 +Subject: audit: log the audit_names record type + +From: Jeff Layton + +commit d3aea84a4ace5ff9ce7fb7714cee07bebef681c2 upstream. + +...to make it clear what the intent behind each record's operation was. + +In many cases you can infer this, based on the context of the syscall +and the result. In other cases it's not so obvious. For instance, in +the case where you have a file being renamed over another, you'll have +two different records with the same filename but different inode info. +By logging this information we can clearly tell which one was created +and which was deleted. + +This fixes what was broken in commit bfcec708. +Commit 79f6530c should also be backported to stable v3.7+. + +Signed-off-by: Jeff Layton +Signed-off-by: Eric Paris +Signed-off-by: Richard Guy Briggs +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -1537,6 +1537,26 @@ void audit_log_name(struct audit_context + } + } + ++ /* log the audit_names record type */ ++ audit_log_format(ab, " nametype="); ++ switch(n->type) { ++ case AUDIT_TYPE_NORMAL: ++ audit_log_format(ab, "NORMAL"); ++ break; ++ case AUDIT_TYPE_PARENT: ++ audit_log_format(ab, "PARENT"); ++ break; ++ case AUDIT_TYPE_CHILD_DELETE: ++ audit_log_format(ab, "DELETE"); ++ break; ++ case AUDIT_TYPE_CHILD_CREATE: ++ audit_log_format(ab, "CREATE"); ++ break; ++ default: ++ audit_log_format(ab, "UNKNOWN"); ++ break; ++ } ++ + audit_log_fcaps(ab, n); + audit_log_end(ab); + } diff --git a/queue-3.10/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch b/queue-3.10/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch new file mode 100644 index 00000000000..089e0dfe31d --- /dev/null +++ b/queue-3.10/audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch @@ -0,0 +1,48 @@ +From 0868a5e150bc4c47e7a003367cd755811eb41e0b Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Thu, 25 Jul 2013 18:02:55 -0700 +Subject: audit: printk USER_AVC messages when audit isn't enabled + +From: Tyler Hicks + +commit 0868a5e150bc4c47e7a003367cd755811eb41e0b upstream. + +When the audit=1 kernel parameter is absent and auditd is not running, +AUDIT_USER_AVC messages are being silently discarded. + +AUDIT_USER_AVC messages should be sent to userspace using printk(), as +mentioned in the commit message of 4a4cd633 ("AUDIT: Optimise the +audit-disabled case for discarding user messages"). + +When audit_enabled is 0, audit_receive_msg() discards all user messages +except for AUDIT_USER_AVC messages. However, audit_log_common_recv_msg() +refuses to allocate an audit_buffer if audit_enabled is 0. The fix is to +special case AUDIT_USER_AVC messages in both functions. + +It looks like commit 50397bd1 ("[AUDIT] clean up audit_receive_msg()") +introduced this bug. + +Signed-off-by: Tyler Hicks +Cc: Al Viro +Cc: Eric Paris +Cc: linux-audit@redhat.com +Acked-by: Kees Cook +Signed-off-by: Richard Guy Briggs +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -613,7 +613,7 @@ static int audit_log_common_recv_msg(str + int rc = 0; + uid_t uid = from_kuid(&init_user_ns, current_uid()); + +- if (!audit_enabled) { ++ if (!audit_enabled && msg_type != AUDIT_USER_AVC) { + *ab = NULL; + return rc; + } diff --git a/queue-3.10/audit-use-nlmsg_len-to-get-message-payload-length.patch b/queue-3.10/audit-use-nlmsg_len-to-get-message-payload-length.patch new file mode 100644 index 00000000000..385c0da0236 --- /dev/null +++ b/queue-3.10/audit-use-nlmsg_len-to-get-message-payload-length.patch @@ -0,0 +1,50 @@ +From 4d8fe7376a12bf4524783dd95cbc00f1fece6232 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:04:25 +0200 +Subject: audit: use nlmsg_len() to get message payload length + +From: Mathias Krause + +commit 4d8fe7376a12bf4524783dd95cbc00f1fece6232 upstream. + +Using the nlmsg_len member of the netlink header to test if the message +is valid is wrong as it includes the size of the netlink header itself. +Thereby allowing to send short netlink messages that pass those checks. + +Use nlmsg_len() instead to test for the right message length. The result +of nlmsg_len() is guaranteed to be non-negative as the netlink message +already passed the checks of nlmsg_ok(). + +Also switch to min_t() to please checkpatch.pl. + +Cc: Al Viro +Cc: Eric Paris +Signed-off-by: Mathias Krause +Signed-off-by: Richard Guy Briggs +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/audit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/audit.c ++++ b/kernel/audit.c +@@ -670,7 +670,7 @@ static int audit_receive_msg(struct sk_b + &status_set, sizeof(status_set)); + break; + case AUDIT_SET: +- if (nlh->nlmsg_len < sizeof(struct audit_status)) ++ if (nlmsg_len(nlh) < sizeof(struct audit_status)) + return -EINVAL; + status_get = (struct audit_status *)data; + if (status_get->mask & AUDIT_STATUS_ENABLED) { +@@ -832,7 +832,7 @@ static int audit_receive_msg(struct sk_b + + memset(&s, 0, sizeof(s)); + /* guard against past and future API changes */ +- memcpy(&s, data, min(sizeof(s), (size_t)nlh->nlmsg_len)); ++ memcpy(&s, data, min_t(size_t, sizeof(s), nlmsg_len(nlh))); + if ((s.enabled != 0 && s.enabled != 1) || + (s.log_passwd != 0 && s.log_passwd != 1)) + return -EINVAL; diff --git a/queue-3.10/avr32-fix-out-of-range-jump-in-large-kernels.patch b/queue-3.10/avr32-fix-out-of-range-jump-in-large-kernels.patch new file mode 100644 index 00000000000..b8c760e32f3 --- /dev/null +++ b/queue-3.10/avr32-fix-out-of-range-jump-in-large-kernels.patch @@ -0,0 +1,65 @@ +From d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 Mon Sep 17 00:00:00 2001 +From: Andreas Bießmann +Date: Thu, 24 Oct 2013 12:31:04 +0200 +Subject: avr32: fix out-of-range jump in large kernels + +From: Andreas Bießmann + +commit d617b338bbfdd77e9cbd8e7dc949cee3dd73d575 upstream. + +This patch fixes following error (for big kernels): + +---8<--- +arch/avr32/boot/u-boot/head.o: In function `no_tag_table': +(.init.text+0x44): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o +arch/avr32/kernel/built-in.o: In function `bad_return': +(.ex.text+0x236): relocation truncated to fit: R_AVR32_22H_PCREL against symbol `panic' defined in .text.unlikely section in kernel/built-in.o +--->8--- + +It comes up when the kernel increases and 'panic()' is too far away to fit in +the +/- 2MiB range. Which in turn issues from the 21-bit displacement in +'br{cond4}' mnemonic which is one of the two ways to do jumps (rjmp has just +10-bit displacement and therefore a way smaller range). This fact was stated +before in 8d29b7b9f81d6b83d869ff054e6c189d6da73f1f. +One solution to solve this is to add a local storage for the symbol address +and just load the $pc with that value. + +Signed-off-by: Andreas Bießmann +Acked-by: Hans-Christian Egtvedt +Cc: Haavard Skinnemoen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/avr32/boot/u-boot/head.S | 5 ++++- + arch/avr32/kernel/entry-avr32b.S | 3 ++- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/avr32/boot/u-boot/head.S ++++ b/arch/avr32/boot/u-boot/head.S +@@ -73,8 +73,11 @@ init_sr: + .long 0x007f0000 /* Supervisor mode, everything masked */ + stack_addr: + .long init_thread_union ++panic_addr: ++ .long panic + + no_tag_table: + sub r12, pc, (. - 2f) +- bral panic ++ /* branch to panic() which can be far away with that construct */ ++ lddpc pc, panic_addr + 2: .asciz "Boot loader didn't provide correct magic number\n" +--- a/arch/avr32/kernel/entry-avr32b.S ++++ b/arch/avr32/kernel/entry-avr32b.S +@@ -401,9 +401,10 @@ handle_critical: + /* We should never get here... */ + bad_return: + sub r12, pc, (. - 1f) +- bral panic ++ lddpc pc, 2f + .align 2 + 1: .asciz "Return from critical exception!" ++2: .long panic + + .align 1 + do_bus_error_write: diff --git a/queue-3.10/avr32-setup-crt-for-early-panic.patch b/queue-3.10/avr32-setup-crt-for-early-panic.patch new file mode 100644 index 00000000000..4b2a0bee72c --- /dev/null +++ b/queue-3.10/avr32-setup-crt-for-early-panic.patch @@ -0,0 +1,121 @@ +From 7a2a74f4b856993218aa7cdeeb6c3103101340db Mon Sep 17 00:00:00 2001 +From: Andreas Bießmann +Date: Thu, 24 Oct 2013 12:31:03 +0200 +Subject: avr32: setup crt for early panic() + +From: Andreas Bießmann + +commit 7a2a74f4b856993218aa7cdeeb6c3103101340db upstream. + +Before the CRT was (fully) set up in kernel_entry (bss cleared before in +_start, but also not before jump to panic() in no_tag_table case). + +This patch fixes this up to have a fully working CRT when branching to panic() +in no_tag_table. + +Signed-off-by: Andreas Bießmann +Acked-by: Hans-Christian Egtvedt +Cc: Haavard Skinnemoen +Signed-off-by: Greg Kroah-Hartman + +--- + arch/avr32/boot/u-boot/head.S | 30 +++++++++++++++++++++++++----- + arch/avr32/kernel/head.S | 20 -------------------- + 2 files changed, 25 insertions(+), 25 deletions(-) + +--- a/arch/avr32/boot/u-boot/head.S ++++ b/arch/avr32/boot/u-boot/head.S +@@ -8,6 +8,8 @@ + * published by the Free Software Foundation. + */ + #include ++#include ++#include + + /* + * The kernel is loaded where we want it to be and all caches +@@ -20,11 +22,6 @@ + .section .init.text,"ax" + .global _start + _start: +- /* Check if the boot loader actually provided a tag table */ +- lddpc r0, magic_number +- cp.w r12, r0 +- brne no_tag_table +- + /* Initialize .bss */ + lddpc r2, bss_start_addr + lddpc r3, end_addr +@@ -34,6 +31,25 @@ _start: + cp r2, r3 + brlo 1b + ++ /* Initialize status register */ ++ lddpc r0, init_sr ++ mtsr SYSREG_SR, r0 ++ ++ /* Set initial stack pointer */ ++ lddpc sp, stack_addr ++ sub sp, -THREAD_SIZE ++ ++#ifdef CONFIG_FRAME_POINTER ++ /* Mark last stack frame */ ++ mov lr, 0 ++ mov r7, 0 ++#endif ++ ++ /* Check if the boot loader actually provided a tag table */ ++ lddpc r0, magic_number ++ cp.w r12, r0 ++ brne no_tag_table ++ + /* + * Save the tag table address for later use. This must be done + * _after_ .bss has been initialized... +@@ -53,6 +69,10 @@ bss_start_addr: + .long __bss_start + end_addr: + .long _end ++init_sr: ++ .long 0x007f0000 /* Supervisor mode, everything masked */ ++stack_addr: ++ .long init_thread_union + + no_tag_table: + sub r12, pc, (. - 2f) +--- a/arch/avr32/kernel/head.S ++++ b/arch/avr32/kernel/head.S +@@ -10,33 +10,13 @@ + #include + + #include +-#include +-#include + + .section .init.text,"ax" + .global kernel_entry + kernel_entry: +- /* Initialize status register */ +- lddpc r0, init_sr +- mtsr SYSREG_SR, r0 +- +- /* Set initial stack pointer */ +- lddpc sp, stack_addr +- sub sp, -THREAD_SIZE +- +-#ifdef CONFIG_FRAME_POINTER +- /* Mark last stack frame */ +- mov lr, 0 +- mov r7, 0 +-#endif +- + /* Start the show */ + lddpc pc, kernel_start_addr + + .align 2 +-init_sr: +- .long 0x007f0000 /* Supervisor mode, everything masked */ +-stack_addr: +- .long init_thread_union + kernel_start_addr: + .long start_kernel diff --git a/queue-3.10/ftrace-fix-function-graph-with-loading-of-modules.patch b/queue-3.10/ftrace-fix-function-graph-with-loading-of-modules.patch new file mode 100644 index 00000000000..238a1843e61 --- /dev/null +++ b/queue-3.10/ftrace-fix-function-graph-with-loading-of-modules.patch @@ -0,0 +1,244 @@ +From 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Mon, 25 Nov 2013 20:59:46 -0500 +Subject: ftrace: Fix function graph with loading of modules + +From: "Steven Rostedt (Red Hat)" + +commit 8a56d7761d2d041ae5e8215d20b4167d8aa93f51 upstream. + +Commit 8c4f3c3fa9681 "ftrace: Check module functions being traced on reload" +fixed module loading and unloading with respect to function tracing, but +it missed the function graph tracer. If you perform the following + + # cd /sys/kernel/debug/tracing + # echo function_graph > current_tracer + # modprobe nfsd + # echo nop > current_tracer + +You'll get the following oops message: + + ------------[ cut here ]------------ + WARNING: CPU: 2 PID: 2910 at /linux.git/kernel/trace/ftrace.c:1640 __ftrace_hash_rec_update.part.35+0x168/0x1b9() + Modules linked in: nfsd exportfs nfs_acl lockd ipt_MASQUERADE sunrpc ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter ip6_tables uinput snd_hda_codec_idt + CPU: 2 PID: 2910 Comm: bash Not tainted 3.13.0-rc1-test #7 + Hardware name: To Be Filled By O.E.M. To Be Filled By O.E.M./To be filled by O.E.M., BIOS SDBLI944.86P 05/08/2007 + 0000000000000668 ffff8800787efcf8 ffffffff814fe193 ffff88007d500000 + 0000000000000000 ffff8800787efd38 ffffffff8103b80a 0000000000000668 + ffffffff810b2b9a ffffffff81a48370 0000000000000001 ffff880037aea000 + Call Trace: + [] dump_stack+0x4f/0x7c + [] warn_slowpath_common+0x81/0x9b + [] ? __ftrace_hash_rec_update.part.35+0x168/0x1b9 + [] warn_slowpath_null+0x1a/0x1c + [] __ftrace_hash_rec_update.part.35+0x168/0x1b9 + [] ? __mutex_lock_slowpath+0x364/0x364 + [] ftrace_shutdown+0xd7/0x12b + [] unregister_ftrace_graph+0x49/0x78 + [] graph_trace_reset+0xe/0x10 + [] tracing_set_tracer+0xa7/0x26a + [] tracing_set_trace_write+0x8b/0xbd + [] ? ftrace_return_to_handler+0xb2/0xde + [] ? __sb_end_write+0x5e/0x5e + [] vfs_write+0xab/0xf6 + [] ftrace_graph_caller+0x85/0x85 + [] SyS_write+0x59/0x82 + [] ftrace_graph_caller+0x85/0x85 + [] system_call_fastpath+0x16/0x1b + ---[ end trace 940358030751eafb ]--- + +The above mentioned commit didn't go far enough. Well, it covered the +function tracer by adding checks in __register_ftrace_function(). The +problem is that the function graph tracer circumvents that (for a slight +efficiency gain when function graph trace is running with a function +tracer. The gain was not worth this). + +The problem came with ftrace_startup() which should always be called after +__register_ftrace_function(), if you want this bug to be completely fixed. + +Anyway, this solution moves __register_ftrace_function() inside of +ftrace_startup() and removes the need to call them both. + +Reported-by: Dave Wysochanski +Fixes: ed926f9b35cd ("ftrace: Use counters to enable functions to trace") +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 64 +++++++++++++++++++++++++++----------------------- + 1 file changed, 35 insertions(+), 29 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -367,9 +367,6 @@ static int remove_ftrace_list_ops(struct + + static int __register_ftrace_function(struct ftrace_ops *ops) + { +- if (unlikely(ftrace_disabled)) +- return -ENODEV; +- + if (FTRACE_WARN_ON(ops == &global_ops)) + return -EINVAL; + +@@ -417,9 +414,6 @@ static int __unregister_ftrace_function( + { + int ret; + +- if (ftrace_disabled) +- return -ENODEV; +- + if (WARN_ON(!(ops->flags & FTRACE_OPS_FL_ENABLED))) + return -EBUSY; + +@@ -2048,10 +2042,15 @@ static void ftrace_startup_enable(int co + static int ftrace_startup(struct ftrace_ops *ops, int command) + { + bool hash_enable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) + return -ENODEV; + ++ ret = __register_ftrace_function(ops); ++ if (ret) ++ return ret; ++ + ftrace_start_up++; + command |= FTRACE_UPDATE_CALLS; + +@@ -2073,12 +2072,17 @@ static int ftrace_startup(struct ftrace_ + return 0; + } + +-static void ftrace_shutdown(struct ftrace_ops *ops, int command) ++static int ftrace_shutdown(struct ftrace_ops *ops, int command) + { + bool hash_disable = true; ++ int ret; + + if (unlikely(ftrace_disabled)) +- return; ++ return -ENODEV; ++ ++ ret = __unregister_ftrace_function(ops); ++ if (ret) ++ return ret; + + ftrace_start_up--; + /* +@@ -2113,9 +2117,10 @@ static void ftrace_shutdown(struct ftrac + } + + if (!command || !ftrace_enabled) +- return; ++ return 0; + + ftrace_run_update_code(command); ++ return 0; + } + + static void ftrace_startup_sysctl(void) +@@ -3020,16 +3025,13 @@ static void __enable_ftrace_function_pro + if (i == FTRACE_FUNC_HASHSIZE) + return; + +- ret = __register_ftrace_function(&trace_probe_ops); +- if (!ret) +- ret = ftrace_startup(&trace_probe_ops, 0); ++ ret = ftrace_startup(&trace_probe_ops, 0); + + ftrace_probe_registered = 1; + } + + static void __disable_ftrace_function_probe(void) + { +- int ret; + int i; + + if (!ftrace_probe_registered) +@@ -3042,9 +3044,7 @@ static void __disable_ftrace_function_pr + } + + /* no more funcs left */ +- ret = __unregister_ftrace_function(&trace_probe_ops); +- if (!ret) +- ftrace_shutdown(&trace_probe_ops, 0); ++ ftrace_shutdown(&trace_probe_ops, 0); + + ftrace_probe_registered = 0; + } +@@ -4241,12 +4241,15 @@ core_initcall(ftrace_nodyn_init); + static inline int ftrace_init_dyn_debugfs(struct dentry *d_tracer) { return 0; } + static inline void ftrace_startup_enable(int command) { } + /* Keep as macros so we do not need to define the commands */ +-# define ftrace_startup(ops, command) \ +- ({ \ +- (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ +- 0; \ ++# define ftrace_startup(ops, command) \ ++ ({ \ ++ int ___ret = __register_ftrace_function(ops); \ ++ if (!___ret) \ ++ (ops)->flags |= FTRACE_OPS_FL_ENABLED; \ ++ ___ret; \ + }) +-# define ftrace_shutdown(ops, command) do { } while (0) ++# define ftrace_shutdown(ops, command) __unregister_ftrace_function(ops) ++ + # define ftrace_startup_sysctl() do { } while (0) + # define ftrace_shutdown_sysctl() do { } while (0) + +@@ -4646,9 +4649,7 @@ int register_ftrace_function(struct ftra + + mutex_lock(&ftrace_lock); + +- ret = __register_ftrace_function(ops); +- if (!ret) +- ret = ftrace_startup(ops, 0); ++ ret = ftrace_startup(ops, 0); + + mutex_unlock(&ftrace_lock); + +@@ -4667,9 +4668,7 @@ int unregister_ftrace_function(struct ft + int ret; + + mutex_lock(&ftrace_lock); +- ret = __unregister_ftrace_function(ops); +- if (!ret) +- ftrace_shutdown(ops, 0); ++ ret = ftrace_shutdown(ops, 0); + mutex_unlock(&ftrace_lock); + + return ret; +@@ -4863,6 +4862,13 @@ ftrace_suspend_notifier_call(struct noti + return NOTIFY_DONE; + } + ++/* Just a place holder for function graph */ ++static struct ftrace_ops fgraph_ops __read_mostly = { ++ .func = ftrace_stub, ++ .flags = FTRACE_OPS_FL_STUB | FTRACE_OPS_FL_GLOBAL | ++ FTRACE_OPS_FL_RECURSION_SAFE, ++}; ++ + int register_ftrace_graph(trace_func_graph_ret_t retfunc, + trace_func_graph_ent_t entryfunc) + { +@@ -4889,7 +4895,7 @@ int register_ftrace_graph(trace_func_gra + ftrace_graph_return = retfunc; + ftrace_graph_entry = entryfunc; + +- ret = ftrace_startup(&global_ops, FTRACE_START_FUNC_RET); ++ ret = ftrace_startup(&fgraph_ops, FTRACE_START_FUNC_RET); + + out: + mutex_unlock(&ftrace_lock); +@@ -4906,7 +4912,7 @@ void unregister_ftrace_graph(void) + ftrace_graph_active--; + ftrace_graph_return = (trace_func_graph_ret_t)ftrace_stub; + ftrace_graph_entry = ftrace_graph_entry_stub; +- ftrace_shutdown(&global_ops, FTRACE_STOP_FUNC_RET); ++ ftrace_shutdown(&fgraph_ops, FTRACE_STOP_FUNC_RET); + unregister_pm_notifier(&ftrace_suspend_notifier); + unregister_trace_sched_switch(ftrace_graph_probe_sched_switch, NULL); + diff --git a/queue-3.10/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch b/queue-3.10/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch new file mode 100644 index 00000000000..9754ef9916d --- /dev/null +++ b/queue-3.10/mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch @@ -0,0 +1,35 @@ +From d03b4aa77e1187b77dfe37d14a923547f00baa66 Mon Sep 17 00:00:00 2001 +From: Avinash Patil +Date: Tue, 5 Nov 2013 15:01:44 -0800 +Subject: mwifiex: correct packet length for packets from SDIO interface + +From: Avinash Patil + +commit d03b4aa77e1187b77dfe37d14a923547f00baa66 upstream. + +While receiving a packet on SDIO interface, we allocate skb with +size multiple of SDIO block size. We need to resize this skb +after RX using packet length from RX header. + +Signed-off-by: Avinash Patil +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/sdio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/wireless/mwifiex/sdio.c ++++ b/drivers/net/wireless/mwifiex/sdio.c +@@ -930,7 +930,10 @@ static int mwifiex_decode_rx_packet(stru + struct sk_buff *skb, u32 upld_typ) + { + u8 *cmd_buf; ++ __le16 *curr_ptr = (__le16 *)skb->data; ++ u16 pkt_len = le16_to_cpu(*curr_ptr); + ++ skb_trim(skb, pkt_len); + skb_pull(skb, INTF_HEADER_LEN); + + switch (upld_typ) { diff --git a/queue-3.10/mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch b/queue-3.10/mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch new file mode 100644 index 00000000000..f15e0be55ec --- /dev/null +++ b/queue-3.10/mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch @@ -0,0 +1,74 @@ +From 8d93f1f309d38b65fce0b9f0de91ba6c96990c07 Mon Sep 17 00:00:00 2001 +From: Ujjal Roy +Date: Tue, 5 Nov 2013 15:01:45 -0800 +Subject: mwifiex: fix wrong eth_hdr usage for bridged packets in AP mode + +From: Ujjal Roy + +commit 8d93f1f309d38b65fce0b9f0de91ba6c96990c07 upstream. + +The eth_hdr is never defined in this driver but it gets compiled +without any warning/error because kernel has defined eth_hdr. + +Fix it by defining our own p_ethhdr and use it instead of eth_hdr. + +Signed-off-by: Ujjal Roy +Signed-off-by: Amitkumar Karwar +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/uap_txrx.c | 29 ++++++++++++++++++++++++++--- + 1 file changed, 26 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/mwifiex/uap_txrx.c ++++ b/drivers/net/wireless/mwifiex/uap_txrx.c +@@ -34,6 +34,7 @@ static void mwifiex_uap_queue_bridged_pk + struct mwifiex_txinfo *tx_info; + int hdr_chop; + struct timeval tv; ++ struct ethhdr *p_ethhdr; + u8 rfc1042_eth_hdr[ETH_ALEN] = { 0xaa, 0xaa, 0x03, 0x00, 0x00, 0x00 }; + + uap_rx_pd = (struct uap_rxpd *)(skb->data); +@@ -48,14 +49,36 @@ static void mwifiex_uap_queue_bridged_pk + } + + if (!memcmp(&rx_pkt_hdr->rfc1042_hdr, +- rfc1042_eth_hdr, sizeof(rfc1042_eth_hdr))) ++ rfc1042_eth_hdr, sizeof(rfc1042_eth_hdr))) { ++ /* Replace the 803 header and rfc1042 header (llc/snap) with ++ * an Ethernet II header, keep the src/dst and snap_type ++ * (ethertype). ++ * ++ * The firmware only passes up SNAP frames converting all RX ++ * data from 802.11 to 802.2/LLC/SNAP frames. ++ * ++ * To create the Ethernet II, just move the src, dst address ++ * right before the snap_type. ++ */ ++ p_ethhdr = (struct ethhdr *) ++ ((u8 *)(&rx_pkt_hdr->eth803_hdr) ++ + sizeof(rx_pkt_hdr->eth803_hdr) ++ + sizeof(rx_pkt_hdr->rfc1042_hdr) ++ - sizeof(rx_pkt_hdr->eth803_hdr.h_dest) ++ - sizeof(rx_pkt_hdr->eth803_hdr.h_source) ++ - sizeof(rx_pkt_hdr->rfc1042_hdr.snap_type)); ++ memcpy(p_ethhdr->h_source, rx_pkt_hdr->eth803_hdr.h_source, ++ sizeof(p_ethhdr->h_source)); ++ memcpy(p_ethhdr->h_dest, rx_pkt_hdr->eth803_hdr.h_dest, ++ sizeof(p_ethhdr->h_dest)); + /* Chop off the rxpd + the excess memory from + * 802.2/llc/snap header that was removed. + */ +- hdr_chop = (u8 *)eth_hdr - (u8 *)uap_rx_pd; +- else ++ hdr_chop = (u8 *)p_ethhdr - (u8 *)uap_rx_pd; ++ } else { + /* Chop off the rxpd */ + hdr_chop = (u8 *)&rx_pkt_hdr->eth803_hdr - (u8 *)uap_rx_pd; ++ } + + /* Chop off the leading header bytes so the it points + * to the start of either the reconstructed EthII frame diff --git a/queue-3.10/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch b/queue-3.10/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch new file mode 100644 index 00000000000..d1fa10e3845 --- /dev/null +++ b/queue-3.10/pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch @@ -0,0 +1,42 @@ +From e7cc5cf74544d97d7b69e2701595037474db1f96 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Mon, 18 Nov 2013 17:02:45 -0700 +Subject: PCI: Remove duplicate pci_disable_device() from pcie_portdrv_remove() + +From: Yinghai Lu + +commit e7cc5cf74544d97d7b69e2701595037474db1f96 upstream. + +The pcie_portdrv .probe() method calls pci_enable_device() once, in +pcie_port_device_register(), but the .remove() method calls +pci_disable_device() twice, in pcie_port_device_remove() and in +pcie_portdrv_remove(). + +That causes a "disabling already-disabled device" warning when removing a +PCIe port device. This happens all the time when removing Thunderbolt +devices, but is also easy to reproduce with, e.g., +"echo 0000:00:1c.3 > /sys/bus/pci/drivers/pcieport/unbind" + +This patch removes the disable from pcie_portdrv_remove(). + +[bhelgaas: changelog, tag for stable] +Reported-by: David Bulkow +Reported-by: Mika Westerberg +Signed-off-by: Yinghai Lu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/pcie/portdrv_pci.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/pci/pcie/portdrv_pci.c ++++ b/drivers/pci/pcie/portdrv_pci.c +@@ -223,7 +223,6 @@ static int pcie_portdrv_probe(struct pci + static void pcie_portdrv_remove(struct pci_dev *dev) + { + pcie_port_device_remove(dev); +- pci_disable_device(dev); + } + + static int error_detected_iter(struct device *device, void *data) diff --git a/queue-3.10/prism54-set-netdev-type-to-wlan.patch b/queue-3.10/prism54-set-netdev-type-to-wlan.patch new file mode 100644 index 00000000000..2c4c6b7d8ab --- /dev/null +++ b/queue-3.10/prism54-set-netdev-type-to-wlan.patch @@ -0,0 +1,45 @@ +From 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 Mon Sep 17 00:00:00 2001 +From: Dan Williams +Date: Fri, 8 Nov 2013 13:39:44 -0600 +Subject: prism54: set netdev type to "wlan" + +From: Dan Williams + +commit 8e3ffa471091c560deb6738ed9ab7445b7a5fd04 upstream. + +Userspace uses the netdev devtype for stuff like device naming and type +detection. Be nice and set it. Remove the pointless #if/#endif around +SET_NETDEV_DEV too. + +Signed-off-by: Dan Williams +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/prism54/islpci_dev.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/prism54/islpci_dev.c ++++ b/drivers/net/wireless/prism54/islpci_dev.c +@@ -811,6 +811,10 @@ static const struct net_device_ops islpc + .ndo_validate_addr = eth_validate_addr, + }; + ++static struct device_type wlan_type = { ++ .name = "wlan", ++}; ++ + struct net_device * + islpci_setup(struct pci_dev *pdev) + { +@@ -821,9 +825,8 @@ islpci_setup(struct pci_dev *pdev) + return ndev; + + pci_set_drvdata(pdev, ndev); +-#if defined(SET_NETDEV_DEV) + SET_NETDEV_DEV(ndev, &pdev->dev); +-#endif ++ SET_NETDEV_DEVTYPE(ndev, &wlan_type); + + /* setup the structure members */ + ndev->base_addr = pci_resource_start(pdev, 0); diff --git a/queue-3.10/qxl-avoid-an-oops-in-the-deferred-io-code.patch b/queue-3.10/qxl-avoid-an-oops-in-the-deferred-io-code.patch new file mode 100644 index 00000000000..f8001832ec2 --- /dev/null +++ b/queue-3.10/qxl-avoid-an-oops-in-the-deferred-io-code.patch @@ -0,0 +1,32 @@ +From cc87509d87696d7cd393882f5dedea01e03e41a9 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Mon, 4 Nov 2013 16:38:08 +1000 +Subject: qxl: avoid an oops in the deferred io code. + +From: Dave Airlie + +commit cc87509d87696d7cd393882f5dedea01e03e41a9 upstream. + +If we are using deferred io due to plymouth or X.org fbdev driver +we will oops in memcpy due to this pointless multiply here, + +removing it fixes fbdev to start and not oops. + +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/qxl/qxl_fb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/qxl/qxl_fb.c ++++ b/drivers/gpu/drm/qxl/qxl_fb.c +@@ -91,7 +91,7 @@ static void qxl_fb_dirty_flush(struct fb + u32 x1, x2, y1, y2; + + /* TODO: hard coding 32 bpp */ +- int stride = qfbdev->qfb.base.pitches[0] * 4; ++ int stride = qfbdev->qfb.base.pitches[0]; + + x1 = qfbdev->dirty.x1; + x2 = qfbdev->dirty.x2; diff --git a/queue-3.10/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch b/queue-3.10/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch new file mode 100644 index 00000000000..9f2d7cd10a5 --- /dev/null +++ b/queue-3.10/selinux-correct-locking-in-selinux_netlbl_socket_connect.patch @@ -0,0 +1,78 @@ +From 42d64e1add3a1ce8a787116036163b8724362145 Mon Sep 17 00:00:00 2001 +From: Paul Moore +Date: Thu, 26 Sep 2013 17:00:46 -0400 +Subject: selinux: correct locking in selinux_netlbl_socket_connect) + +From: Paul Moore + +commit 42d64e1add3a1ce8a787116036163b8724362145 upstream. + +The SELinux/NetLabel glue code has a locking bug that affects systems +with NetLabel enabled, see the kernel error message below. This patch +corrects this problem by converting the bottom half socket lock to a +more conventional, and correct for this call-path, lock_sock() call. + + =============================== + [ INFO: suspicious RCU usage. ] + 3.11.0-rc3+ #19 Not tainted + ------------------------------- + net/ipv4/cipso_ipv4.c:1928 suspicious rcu_dereference_protected() usage! + + other info that might help us debug this: + + rcu_scheduler_active = 1, debug_locks = 0 + 2 locks held by ping/731: + #0: (slock-AF_INET/1){+.-...}, at: [...] selinux_netlbl_socket_connect + #1: (rcu_read_lock){.+.+..}, at: [<...>] netlbl_conn_setattr + + stack backtrace: + CPU: 1 PID: 731 Comm: ping Not tainted 3.11.0-rc3+ #19 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + 0000000000000001 ffff88006f659d28 ffffffff81726b6a ffff88003732c500 + ffff88006f659d58 ffffffff810e4457 ffff88006b845a00 0000000000000000 + 000000000000000c ffff880075aa2f50 ffff88006f659d90 ffffffff8169bec7 + Call Trace: + [] dump_stack+0x54/0x74 + [] lockdep_rcu_suspicious+0xe7/0x120 + [] cipso_v4_sock_setattr+0x187/0x1a0 + [] netlbl_conn_setattr+0x187/0x190 + [] ? netlbl_conn_setattr+0x5/0x190 + [] selinux_netlbl_socket_connect+0xae/0xc0 + [] selinux_socket_connect+0x135/0x170 + [] ? might_fault+0x57/0xb0 + [] security_socket_connect+0x16/0x20 + [] SYSC_connect+0x73/0x130 + [] ? sysret_check+0x22/0x5d + [] ? trace_hardirqs_on_caller+0xfd/0x1c0 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] SyS_connect+0xe/0x10 + [] system_call_fastpath+0x16/0x1b + +Signed-off-by: Paul Moore +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/netlabel.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/security/selinux/netlabel.c ++++ b/security/selinux/netlabel.c +@@ -442,8 +442,7 @@ int selinux_netlbl_socket_connect(struct + sksec->nlbl_state != NLBL_CONNLABELED) + return 0; + +- local_bh_disable(); +- bh_lock_sock_nested(sk); ++ lock_sock(sk); + + /* connected sockets are allowed to disconnect when the address family + * is set to AF_UNSPEC, if that is what is happening we want to reset +@@ -464,7 +463,6 @@ int selinux_netlbl_socket_connect(struct + sksec->nlbl_state = NLBL_CONNLABELED; + + socket_connect_return: +- bh_unlock_sock(sk); +- local_bh_enable(); ++ release_sock(sk); + return rc; + } diff --git a/queue-3.10/series b/queue-3.10/series index e1790834d80..f1cad298ced 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -75,3 +75,19 @@ ioatdma-fix-selection-of-16-vs-8-source-path.patch blk-core-fix-memory-corruption-if-blkcg_init_queue-fails.patch pm-hibernate-avoid-overflow-in-hibernate_preallocate_memory.patch pm-runtime-use-pm_runtime_put_sync-in-__device_release_driver.patch +qxl-avoid-an-oops-in-the-deferred-io-code.patch +mwifiex-correct-packet-length-for-packets-from-sdio-interface.patch +mwifiex-fix-wrong-eth_hdr-usage-for-bridged-packets-in-ap-mode.patch +audit-printk-user_avc-messages-when-audit-isn-t-enabled.patch +audit-use-nlmsg_len-to-get-message-payload-length.patch +audit-fix-info-leak-in-audit_get-requests.patch +audit-fix-mq_open-and-mq_unlink-to-add-the-mq-root-as-a-hidden-parent-audit_names-record.patch +audit-add-child-record-before-the-create-to-handle-case-where-create-fails.patch +audit-log-the-audit_names-record-type.patch +pci-remove-duplicate-pci_disable_device-from-pcie_portdrv_remove.patch +acpi-hotplug-fix-conflicted-pci-bridge-notify-handlers.patch +selinux-correct-locking-in-selinux_netlbl_socket_connect.patch +avr32-setup-crt-for-early-panic.patch +avr32-fix-out-of-range-jump-in-large-kernels.patch +prism54-set-netdev-type-to-wlan.patch +ftrace-fix-function-graph-with-loading-of-modules.patch