From: Greg Kroah-Hartman
Date: Sat, 2 May 2015 18:18:21 +0000 (+0200)
Subject: 3.10-stable patches
X-Git-Tag: v3.10.77~21
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=edb1653c20694c9abbe603d6d35914dcbbc35b5d;p=thirdparty%2Fkernel%2Fstable-queue.git

3.10-stable patches

added patches:
c6x-time-ensure-consistency-in-__init.patch
e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
memstick-mspro_block-add-missing-curly-braces.patch
wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
---
diff --git a/queue-3.10/c6x-time-ensure-consistency-in-__init.patch b/queue-3.10/c6x-time-ensure-consistency-in-__init.patch
new file mode 100644
index 00000000000..743db423d78
--- /dev/null
+++ b/queue-3.10/c6x-time-ensure-consistency-in-__init.patch
@@ -0,0 +1,42 @@
+From f4831605f2dacd12730fe73961c77253cc2ea425 Mon Sep 17 00:00:00 2001
+From: Nishanth Menon
+Date: Sat, 7 Mar 2015 03:39:05 -0600
+Subject: C6x: time: Ensure consistency in __init
+
+From: Nishanth Menon
+
+commit f4831605f2dacd12730fe73961c77253cc2ea425 upstream.
+
+time_init invokes timer64_init (which is __init annotation)
+since all of these are invoked at init time, lets maintain
+consistency by ensuring time_init is marked appropriately
+as well.
+
+This fixes the following warning with CONFIG_DEBUG_SECTION_MISMATCH=y
+
+WARNING: vmlinux.o(.text+0x3bfc): Section mismatch in reference from the function time_init() to the function .init.text:timer64_init()
+The function time_init() references
+the function __init timer64_init().
+This is often because time_init lacks a __init
+annotation or the annotation of timer64_init is wrong.
+
+Fixes: 546a39546c64 ("C6X: time management")
+Signed-off-by: Nishanth Menon
+Signed-off-by: Mark Salter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/c6x/kernel/time.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/c6x/kernel/time.c
++++ b/arch/c6x/kernel/time.c
+@@ -49,7 +49,7 @@ u64 sched_clock(void)
+ return (tsc * sched_clock_multiplier) >> SCHED_CLOCK_SHIFT;
+ }
+
+-void time_init(void)
++void __init time_init(void)
+ {
+ u64 tmp = (u64)NSEC_PER_SEC << SCHED_CLOCK_SHIFT;
+
diff --git a/queue-3.10/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch b/queue-3.10/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
new file mode 100644
index 00000000000..7874ebbb17a
--- /dev/null
+++ b/queue-3.10/e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
@@ -0,0 +1,93 @@
+From 08e8331654d1d7b2c58045e549005bc356aa7810 Mon Sep 17 00:00:00 2001
+From: Sabrina Dubroca
+Date: Thu, 26 Feb 2015 05:35:41 +0000
+Subject: e1000: add dummy allocator to fix race condition between mtu change and netpoll
+
+From: Sabrina Dubroca
+
+commit 08e8331654d1d7b2c58045e549005bc356aa7810 upstream.
+
+There is a race condition between e1000_change_mtu's cleanups and
+netpoll, when we change the MTU across jumbo size:
+
+Changing MTU frees all the rx buffers:
+ e1000_change_mtu -> e1000_down -> e1000_clean_all_rx_rings ->
+ e1000_clean_rx_ring
+
+Then, close to the end of e1000_change_mtu:
+ pr_info -> ... -> netpoll_poll_dev -> e1000_clean ->
+ e1000_clean_rx_irq -> e1000_alloc_rx_buffers -> e1000_alloc_frag
+
+And when we come back to do the rest of the MTU change:
+ e1000_up -> e1000_configure -> e1000_configure_rx ->
+ e1000_alloc_jumbo_rx_buffers
+
+alloc_jumbo finds the buffers already != NULL, since data (shared with
+page in e1000_rx_buffer->rxbuf) has been re-alloc'd, but it's garbage,
+or at least not what is expected when in jumbo state.
+
+This results in an unusable adapter (packets don't get through), and a
+NULL pointer dereference on the next call to e1000_clean_rx_ring
+(other mtu change, link down, shutdown):
+
+BUG: unable to handle kernel NULL pointer dereference at (null)
+IP: [] put_compound_page+0x7e/0x330
+
+ [...]
+
+Call Trace:
+ [] put_page+0x55/0x60
+ [] e1000_clean_rx_ring+0x134/0x200
+ [] e1000_clean_all_rx_rings+0x45/0x60
+ [] e1000_down+0x1c0/0x1d0
+ [] ? deactivate_slab+0x7f0/0x840
+ [] e1000_change_mtu+0xdc/0x170
+ [] dev_set_mtu+0xa0/0x140
+ [] do_setlink+0x218/0xac0
+ [] ? nla_parse+0xb9/0x120
+ [] rtnl_newlink+0x6d0/0x890
+ [] ? kvm_clock_read+0x20/0x40
+ [] ? sched_clock_cpu+0xa8/0x100
+ [] rtnetlink_rcv_msg+0x92/0x260
+
+By setting the allocator to a dummy version, netpoll can't mess up our
+rx buffers. The allocator is set back to a sane value in
+e1000_configure_rx.
+
+Fixes: edbbb3ca1077 ("e1000: implement jumbo receive with partial descriptors")
+Signed-off-by: Sabrina Dubroca
+Tested-by: Aaron Brown
+Signed-off-by: Jeff Kirsher
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/intel/e1000/e1000_main.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/ethernet/intel/e1000/e1000_main.c
++++ b/drivers/net/ethernet/intel/e1000/e1000_main.c
+@@ -144,6 +144,11 @@ static bool e1000_clean_rx_irq(struct e1
+ static bool e1000_clean_jumbo_rx_irq(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int *work_done, int work_to_do);
++static void e1000_alloc_dummy_rx_buffers(struct e1000_adapter *adapter,
++ struct e1000_rx_ring *rx_ring,
++ int cleaned_count)
++{
++}
+ static void e1000_alloc_rx_buffers(struct e1000_adapter *adapter,
+ struct e1000_rx_ring *rx_ring,
+ int cleaned_count);
+@@ -3555,8 +3560,11 @@ static int e1000_change_mtu(struct net_d
+ msleep(1);
+ /* e1000_down has a dependency on max_frame_size */
+ hw->max_frame_size = max_frame;
+- if (netif_running(netdev))
++ if (netif_running(netdev)) {
++ /* prevent buffers from being reallocated */
++ adapter->alloc_rx_buf = e1000_alloc_dummy_rx_buffers;
+ e1000_down(adapter);
++ }
+
+ /* NOTE: netdev_alloc_skb reserves 16 bytes, and typically NET_IP_ALIGN
+ * means we reserve 2 more, this pushes us to allocate from the next
diff --git a/queue-3.10/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch b/queue-3.10/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
new file mode 100644
index 00000000000..8e700fd54d0
--- /dev/null
+++ b/queue-3.10/lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
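Review bot: `e1000_alloc_dummy_rx_buffers` is defined without any comment, dropped into the middle of the forward-declaration block, so a reader of e1000_main.c has to find the e1000_change_mtu() hunk to learn why an allocator that does nothing exists and who installs the real one again. A header comment on the definition would carry that: `/* No-op rx allocator installed around e1000_down() in e1000_change_mtu(): netpoll may poll the ring while it is being torn down and must not refill it; e1000_configure_rx() restores the real allocator. */`. The restore in e1000_configure_rx() is stated only in the commit message and sits outside this hunk, as does the rest of e1000_change_mtu(), so the call-site comment could name it too: `/* prevent buffers from being reallocated; e1000_configure_rx() resets this */`. The three unused parameters are presumably required to match the alloc_rx_buf callback type; saying so in the comment saves the next reviewer the question.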
@@ -0,0 +1,111 @@
+From 0b053c9518292705736329a8fe20ef4686ffc8e9 Mon Sep 17 00:00:00 2001
+From: mancha security
+Date: Wed, 18 Mar 2015 18:47:25 +0100
+Subject: lib: memzero_explicit: use barrier instead of OPTIMIZER_HIDE_VAR
+
+From: mancha security
+
+commit 0b053c9518292705736329a8fe20ef4686ffc8e9 upstream.
+
+OPTIMIZER_HIDE_VAR(), as defined when using gcc, is insufficient to
+ensure protection from dead store optimization.
+
+For the random driver and crypto drivers, calls are emitted ...
+
+ $ gdb vmlinux
+ (gdb) disassemble memzero_explicit
+ Dump of assembler code for function memzero_explicit:
+ 0xffffffff813a18b0 <+0>: push %rbp
+ 0xffffffff813a18b1 <+1>: mov %rsi,%rdx
+ 0xffffffff813a18b4 <+4>: xor %esi,%esi
+ 0xffffffff813a18b6 <+6>: mov %rsp,%rbp
+ 0xffffffff813a18b9 <+9>: callq 0xffffffff813a7120
+ 0xffffffff813a18be <+14>: pop %rbp
+ 0xffffffff813a18bf <+15>: retq
+ End of assembler dump.
+
+ (gdb) disassemble extract_entropy
+ [...]
+ 0xffffffff814a5009 <+313>: mov %r12,%rdi
+ 0xffffffff814a500c <+316>: mov $0xa,%esi
+ 0xffffffff814a5011 <+321>: callq 0xffffffff813a18b0
+ 0xffffffff814a5016 <+326>: mov -0x48(%rbp),%rax
+ [...]
+
+... but in case in future we might use facilities such as LTO, then
+OPTIMIZER_HIDE_VAR() is not sufficient to protect gcc from a possible
+eviction of the memset(). We have to use a compiler barrier instead.
+
+Minimal test example when we assume memzero_explicit() would *not* be
+a call, but would have been *inlined* instead:
+
+ static inline void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+
+ }
+
+ int main(void)
+ {
+ char buff[20];
+
+ snprintf(buff, sizeof(buff) - 1, "test");
+ printf("%s", buff);
+
+ memzero_explicit(buff, sizeof(buff));
+ return 0;
+ }
+
+With := OPTIMIZER_HIDE_VAR():
+
+ (gdb) disassemble main
+ Dump of assembler code for function main:
+ [...]
+ 0x0000000000400464 <+36>: callq 0x400410
+ 0x0000000000400469 <+41>: xor %eax,%eax
+ 0x000000000040046b <+43>: add $0x28,%rsp
+ 0x000000000040046f <+47>: retq
+ End of assembler dump.
+
+With := barrier():
+
+ (gdb) disassemble main
+ Dump of assembler code for function main:
+ [...]
+ 0x0000000000400464 <+36>: callq 0x400410
+ 0x0000000000400469 <+41>: movq $0x0,(%rsp)
+ 0x0000000000400471 <+49>: movq $0x0,0x8(%rsp)
+ 0x000000000040047a <+58>: movl $0x0,0x10(%rsp)
+ 0x0000000000400482 <+66>: xor %eax,%eax
+ 0x0000000000400484 <+68>: add $0x28,%rsp
+ 0x0000000000400488 <+72>: retq
+ End of assembler dump.
+
+As can be seen, movq, movq, movl are being emitted inlined
+via memset().
+
+Reference: http://thread.gmane.org/gmane.linux.kernel.cryptoapi/13764/
+Fixes: d4c5efdb9777 ("random: add and use memzero_explicit() for clearing data")
+Cc: Theodore Ts'o
+Signed-off-by: mancha security
+Signed-off-by: Daniel Borkmann
+Acked-by: Hannes Frederic Sowa
+Acked-by: Stephan Mueller
+Signed-off-by: Herbert Xu
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/string.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/lib/string.c
++++ b/lib/string.c
+@@ -598,7 +598,7 @@ EXPORT_SYMBOL(memset);
+ void memzero_explicit(void *s, size_t count)
+ {
+ memset(s, 0, count);
+- OPTIMIZER_HIDE_VAR(s);
++ barrier();
+ }
+ EXPORT_SYMBOL(memzero_explicit);
+
diff --git a/queue-3.10/memstick-mspro_block-add-missing-curly-braces.patch b/queue-3.10/memstick-mspro_block-add-missing-curly-braces.patch
new file mode 100644
index 00000000000..65f10669d4d
--- /dev/null
+++ b/queue-3.10/memstick-mspro_block-add-missing-curly-braces.patch
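Review bot: `barrier();` is only a memory clobber, and a clobber does not oblige the compiler to materialise stores into a buffer whose address it can prove never escapes — which is exactly the inlined stack-array case the test program in this message models — so the dead-store elimination this change targets remains permitted there; the gcc listing shows one compiler's current behaviour, not a guarantee. What pins the buffer is a barrier that also takes the pointer as an input operand; the kernel later added `barrier_data(ptr)`, defined as `__asm__ __volatile__("": :"r"(ptr) :"memory")`, and memzero_explicit() uses `barrier_data(s);` in place of `barrier();`. The 3.10 tree will not have that macro, so taking the stronger form here means adding the definition to compiler-gcc.h in the same backport; as queued, the change is still a clear improvement over `OPTIMIZER_HIDE_VAR(s)` and is safe to take. Since memzero_explicit() in lib/string.c is out-of-line and exported, the residual risk is confined to the LTO/inlining scenario the message itself describes.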
@@ -0,0 +1,43 @@
+From 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Thu, 16 Apr 2015 12:48:35 -0700
+Subject: memstick: mspro_block: add missing curly braces
+
+From: Dan Carpenter
+
+commit 13f6b191aaa11c7fd718d35a0c565f3c16bc1d99 upstream.
+
+Using the indenting we can see the curly braces were obviously intended.
+This is a static checker fix, but my guess is that we don't read enough
+bytes, because we don't calculate "t_len" correctly.
+
+Fixes: f1d82698029b ('memstick: use fully asynchronous request processing')
+Signed-off-by: Dan Carpenter
+Cc: Alex Dubov
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/memstick/core/mspro_block.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/memstick/core/mspro_block.c
++++ b/drivers/memstick/core/mspro_block.c
+@@ -758,7 +758,7 @@ static int mspro_block_complete_req(stru
+
+ if (error || (card->current_mrq.tpc == MSPRO_CMD_STOP)) {
+ if (msb->data_dir == READ) {
+- for (cnt = 0; cnt < msb->current_seg; cnt++)
++ for (cnt = 0; cnt < msb->current_seg; cnt++) {
+ t_len += msb->req_sg[cnt].length
+ / msb->page_size;
+
+@@ -766,6 +766,7 @@ static int mspro_block_complete_req(stru
+ t_len += msb->current_page - 1;
+
+ t_len *= msb->page_size;
++ }
+ }
+ } else
+ t_len = blk_rq_bytes(msb->block_req);
diff --git a/queue-3.10/series b/queue-3.10/series
index f47e7afa168..451ff4a2f46 100644
--- a/queue-3.10/series
+++ b/queue-3.10/series
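Review bot: With the braces added, `t_len *= msb->page_size;` now executes on every iteration instead of once after the loop, so the byte total accumulated from earlier segments is multiplied by page_size again on each later pass; with more than one segment this compounds rather than converting a page count to bytes. The `t_len += msb->current_page - 1;` adjustment looks like a once-only correction for the partially read last page and would now be applied per segment as well. If the conversion was meant to happen once, the loop body should end after `/ msb->page_size;` and those two statements should follow the closing brace; the commit message itself only guesses at the intended size calculation, so this is worth confirming against the author's intent rather than settling it by indentation. Old line 765 sits between the two nested hunks and is not visible here, and mspro_block_complete_req() starts and ends outside them.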
@@ -58,3 +58,8 @@ drm-radeon-fix-doublescan-modes-v2.patch
 drm-i915-cope-with-large-i2c-transfers.patch
 rcu-pathwalk-breakage-when-running-into-a-symlink-overmounting-something.patch
 ksoftirqd-enable-irqs-and-call-cond_resched-before-poking-rcu.patch
+e1000-add-dummy-allocator-to-fix-race-condition-between-mtu-change-and-netpoll.patch
+lib-memzero_explicit-use-barrier-instead-of-optimizer_hide_var.patch
+wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
+c6x-time-ensure-consistency-in-__init.patch
+memstick-mspro_block-add-missing-curly-braces.patch
diff --git a/queue-3.10/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch b/queue-3.10/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
new file mode 100644
index 00000000000..274606b9601
--- /dev/null
+++ b/queue-3.10/wl18xx-show-rx_frames_per_rates-as-an-array-as-it-really-is.patch
@@ -0,0 +1,52 @@
+From a3fa71c40f1853d0c27e8f5bc01a722a705d9682 Mon Sep 17 00:00:00 2001
+From: Nicolas Iooss
+Date: Fri, 13 Mar 2015 15:17:14 +0800
+Subject: wl18xx: show rx_frames_per_rates as an array as it really is
+
+From: Nicolas Iooss
+
+commit a3fa71c40f1853d0c27e8f5bc01a722a705d9682 upstream.
+
+In struct wl18xx_acx_rx_rate_stat, rx_frames_per_rates field is an
+array, not a number. This means WL18XX_DEBUGFS_FWSTATS_FILE can't be
+used to display this field in debugfs (it would display a pointer, not
+the actual data). Use WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY instead.
+
+This bug has been found by adding a __printf attribute to
+wl1271_format_buffer. gcc complained about "format '%u' expects
+argument of type 'unsigned int', but argument 5 has type 'u32 *'".
+
+Fixes: c5d94169e818 ("wl18xx: use new fw stats structures")
+Signed-off-by: Nicolas Iooss
+Signed-off-by: Kalle Valo
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ti/wl18xx/debugfs.c | 2 +-
+ drivers/net/wireless/ti/wlcore/debugfs.h | 4 ++--
+ 2 files changed, 3 insertions(+), 3 deletions(-)
+
+--- a/drivers/net/wireless/ti/wl18xx/debugfs.c
++++ b/drivers/net/wireless/ti/wl18xx/debugfs.c
+@@ -136,7 +136,7 @@ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, p
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, accum_arp_pend_requests, "%u");
+ WL18XX_DEBUGFS_FWSTATS_FILE(rx_filter, max_arp_queue_dep, "%u");
+
+-WL18XX_DEBUGFS_FWSTATS_FILE(rx_rate, rx_frames_per_rates, "%u");
++WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);
+
+ WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(aggr_size, tx_agg_vs_rate,
+ AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE);
+--- a/drivers/net/wireless/ti/wlcore/debugfs.h
++++ b/drivers/net/wireless/ti/wlcore/debugfs.h
+@@ -26,8 +26,8 @@
+
+ #include "wlcore.h"
+
+-int wl1271_format_buffer(char __user *userbuf, size_t count,
+- loff_t *ppos, char *fmt, ...);
++__printf(4, 5) int wl1271_format_buffer(char __user *userbuf, size_t count,
++ loff_t *ppos, char *fmt, ...);
+
+ int wl1271_debugfs_init(struct wl1271 *wl);
+ void wl1271_debugfs_exit(struct wl1271 *wl);
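Review bot: The bare `50` in `WL18XX_DEBUGFS_FWSTATS_FILE_ARRAY(rx_rate, rx_frames_per_rates, 50);` is an element count that must stay equal to the declared length of `rx_frames_per_rates` in struct wl18xx_acx_rx_rate_stat, and nothing in this hunk ties the two together; if they ever diverge, the debugfs reader presumably formats memory past the end of the array (or stops short), and the `__printf` checking that found this bug cannot catch a wrong count. Deriving the bound from the declaration, as the next line does with `AGGR_STATS_TX_AGG*AGGR_STATS_TX_RATE`, or through one named constant used in both the struct and this macro call (e.g. `<RX_RATE_STATS_COUNT>` as a placeholder name), would make the bound self-maintaining. The `__printf(4, 5)` attribute on wl1271_format_buffer is what surfaced the original type mismatch and is worth keeping in the backport; `char *fmt` could become `const char *fmt` in the same declaration if the callers permit it.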