From: Greg Kroah-Hartman Date: Fri, 3 Oct 2014 20:36:18 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.16.4~14 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f5e78c914634a8615bf03f5aa82827b331a01ccc;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch media-cx18-fix-kernel-oops-with-tda8290-tuner.patch --- diff --git a/queue-3.10/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch b/queue-3.10/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch new file mode 100644 index 00000000000..1fed7e8b3d0 --- /dev/null +++ b/queue-3.10/fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch 
@@ -0,0 +1,73 @@ +From f2d5a94436cc7cc0221b9a81bba2276a25187dd3 Mon Sep 17 00:00:00 2001 +From: Anton Altaparmakov +Date: Mon, 22 Sep 2014 01:53:03 +0100 +Subject: Fix nasty 32-bit overflow bug in buffer i/o code. + +From: Anton Altaparmakov + +commit f2d5a94436cc7cc0221b9a81bba2276a25187dd3 upstream. + +On 32-bit architectures, the legacy buffer_head functions are not always +handling the sector number with the proper 64-bit types, and will thus +fail on 4TB+ disks. + +Any code that uses __getblk() (and thus bread(), breadahead(), +sb_bread(), sb_breadahead(), sb_getblk()), and calls it using a 64-bit +block on a 32-bit arch (where "long" is 32-bit) causes an inifinite loop +in __getblk_slow() with an infinite stream of errors logged to dmesg +like this: + + __find_get_block_slow() failed. block=6740375944, b_blocknr=2445408648 + b_state=0x00000020, b_size=512 + device sda1 blocksize: 512 + +Note how in hex block is 0x191C1F988 and b_blocknr is 0x91C1F988 i.e. the +top 32-bits are missing (in this case the 0x1 at the top). + +This is because grow_dev_page() is broken and has a 32-bit overflow due +to shifting the page index value (a pgoff_t - which is just 32 bits on +32-bit architectures) left-shifted as the block number. But the top +bits to get lost as the pgoff_t is not type cast to sector_t / 64-bit +before the shift. + +This patch fixes this issue by type casting "index" to sector_t before +doing the left shift. + +Note this is not a theoretical bug but has been seen in the field on a +4TiB hard drive with logical sector size 512 bytes. + +This patch has been verified to fix the infinite loop problem on 3.17-rc5 +kernel using a 4TB disk image mounted using "-o loop". Without this patch +doing a "find /nt" where /nt is an NTFS volume causes the inifinite loop +100% reproducibly whilst with the patch it works fine as expected. 
+ +Signed-off-by: Anton Altaparmakov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/buffer.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/buffer.c ++++ b/fs/buffer.c +@@ -985,7 +985,8 @@ grow_dev_page(struct block_device *bdev, + bh = page_buffers(page); + if (bh->b_size == size) { + end_block = init_page_buffers(page, bdev, +- index << sizebits, size); ++ (sector_t)index << sizebits, ++ size); + goto done; + } + if (!try_to_free_buffers(page)) +@@ -1006,7 +1007,8 @@ grow_dev_page(struct block_device *bdev, + */ + spin_lock(&inode->i_mapping->private_lock); + link_dev_buffers(page, bh); +- end_block = init_page_buffers(page, bdev, index << sizebits, size); ++ end_block = init_page_buffers(page, bdev, (sector_t)index << sizebits, ++ size); + spin_unlock(&inode->i_mapping->private_lock); + done: + ret = (block < end_block) ? 1 : -ENXIO; diff --git a/queue-3.10/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch b/queue-3.10/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch new file mode 100644 index 00000000000..d2be172a8f8 --- /dev/null +++ b/queue-3.10/media-cx18-fix-kernel-oops-with-tda8290-tuner.patch 
@@ -0,0 +1,34 @@ +From 6a03dc92cc2edfa2257502557b9f714893987383 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil +Date: Tue, 26 Aug 2014 02:59:53 -0300 +Subject: media: cx18: fix kernel oops with tda8290 tuner + +From: Hans Verkuil + +commit 6a03dc92cc2edfa2257502557b9f714893987383 upstream. + +This was caused by an uninitialized setup.config field. + +Based on a suggestion from Devin Heitmueller. + +Signed-off-by: Hans Verkuil +Thanks-to: Devin Heitmueller +Reported-by: Scott Robinson +Tested-by: Hans Verkuil +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/pci/cx18/cx18-driver.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/media/pci/cx18/cx18-driver.c ++++ b/drivers/media/pci/cx18/cx18-driver.c +@@ -1092,6 +1092,7 @@ static int cx18_probe(struct pci_dev *pc + setup.addr = ADDR_UNSET; + setup.type = cx->options.tuner; + setup.mode_mask = T_ANALOG_TV; /* matches TV tuners */ ++ setup.config = NULL; + if (cx->options.radio > 0) + setup.mode_mask |= T_RADIO; + setup.tuner_callback = (setup.type == TUNER_XC2028) ? diff --git a/queue-3.10/series b/queue-3.10/series index 664124d9ffa..3d1bfa102d9 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -122,3 +122,5 @@ alarmtimer-do-not-signal-sigev_none-timers.patch alarmtimer-lock-k_itimer-during-timer-callback.patch perf-fix-a-race-condition-in-perf_remove_from_context.patch perf-kmem-make-it-work-again-on-non-numa-machines.patch +fix-nasty-32-bit-overflow-bug-in-buffer-i-o-code.patch +media-cx18-fix-kernel-oops-with-tda8290-tuner.patch
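Review bot: In both grow_dev_page() hunks of fs/buffer.c the fix repeats `(sector_t)index << sizebits` at each init_page_buffers() call site, so the block number stays correct only as long as every later caller in this function remembers the cast. Computing the value once into a local sector_t before the first call and passing that variable to both calls would keep the 64-bit arithmetic in one place. The commit message explains that the pgoff_t was being shifted before it was widened; a one-line comment at the computation stating that the cast must precede the shift would stop it being "simplified" away later. The dmesg signature quoted in the message (block and b_blocknr differing only above bit 31) is also worth recording as the symptom to look for on 32-bit hosts with 4TB+ disks that have not picked up this patch.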
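Review bot: In the cx18_probe() hunk, `setup.config = NULL;` clears only the one field the commit message names as uninitialized, so any other member of setup that is not assigned in this block would still reach the tuner code with indeterminate contents. The declaration of setup is outside the visible context; if it has no initializer there, zeroing the whole structure at that point would cover config as well as any field added to the structure later, and the explicit assignments shown here could stay unchanged.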