From: Greg Kroah-Hartman Date: Sat, 28 Feb 2015 23:18:09 +0000 (-0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.71~32 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8b3a8928e468e1ebd36b549c26aa81930f898f2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch axonram-fix-bug-in-direct_access.patch kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch tty-prevent-untrappable-signals-from-malicious-program.patch tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch vt-provide-notifications-on-selection-changes.patch --- diff --git a/queue-3.14/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch b/queue-3.14/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch new file mode 100644 index 00000000000..61e92166d34 --- /dev/null +++ b/queue-3.14/arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch @@ -0,0 +1,52 @@ +From 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 Mon Sep 17 00:00:00 2001 +From: Alexey Brodkin +Date: Thu, 12 Feb 2015 21:10:11 +0300 +Subject: ARC: fix page address calculation if PAGE_OFFSET != LINUX_LINK_BASE + +From: Alexey Brodkin + +commit 06f34e1c28f3608b0ce5b310e41102d3fe7b65a1 upstream. + +We used to calculate page address differently in 2 cases: + +1. In virt_to_page(x) we do + --->8--- + mem_map + (x - CONFIG_LINUX_LINK_BASE) >> PAGE_SHIFT + --->8--- + +2. In in pte_page(x) we do + --->8--- + mem_map + (pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT + --->8--- + +That leads to problems in case PAGE_OFFSET != CONFIG_LINUX_LINK_BASE - +different pages will be selected depending on where and how we calculate +page address. + +In particular in the STAR 9000853582 when gdb attempted to read memory +of another process it got improper page in get_user_pages() because this +is exactly one of the places where we search for a page by pte_page(). + +The fix is trivial - we need to calculate page address similarly in both +cases. + +Signed-off-by: Alexey Brodkin +Signed-off-by: Vineet Gupta +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arc/include/asm/pgtable.h | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/arc/include/asm/pgtable.h ++++ b/arch/arc/include/asm/pgtable.h +@@ -259,7 +259,8 @@ static inline void pmd_set(pmd_t *pmdp, + #define pmd_clear(xp) do { pmd_val(*(xp)) = 0; } while (0) + + #define pte_page(x) (mem_map + \ +- (unsigned long)(((pte_val(x) - PAGE_OFFSET) >> PAGE_SHIFT))) ++ (unsigned long)(((pte_val(x) - CONFIG_LINUX_LINK_BASE) >> \ ++ PAGE_SHIFT))) + + #define mk_pte(page, pgprot) \ + ({ \ diff --git a/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch b/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch new file mode 100644 index 00000000000..66fb8902c84 --- /dev/null +++ b/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch @@ -0,0 +1,51 @@ +From 271e80176aae4e5b481f4bb92df9768c6075bbca Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 4 Dec 2014 14:10:00 +0300 +Subject: ARM: pxa: add regulator_has_full_constraints to corgi board file + +From: Dmitry Eremin-Solenikov + +commit 271e80176aae4e5b481f4bb92df9768c6075bbca upstream. + +Add regulator_has_full_constraints() call to corgi board file to let +regulator core know that we do not have any additional regulators left. +This lets it substitute unprovided regulators with dummy ones. + +This fixes the following warnings that can be seen on corgi if +regulators are enabled: + +ads7846 spi1.0: unable to get regulator: -517 +spi spi1.0: Driver ads7846 requests probe deferral +wm8731 0-001b: Failed to get supply 'AVDD': -517 +wm8731 0-001b: Failed to request supplies: -517 +wm8731 0-001b: ASoC: failed to probe component -517 +corgi-audio corgi-audio: ASoC: failed to instantiate card -517 + +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Mark Brown +Signed-off-by: Robert Jarzmik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/corgi.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/arm/mach-pxa/corgi.c ++++ b/arch/arm/mach-pxa/corgi.c +@@ -26,6 +26,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -711,6 +712,8 @@ static void __init corgi_init(void) + sharpsl_nand_partitions[1].size = 53 * 1024 * 1024; + + platform_add_devices(devices, ARRAY_SIZE(devices)); ++ ++ regulator_has_full_constraints(); + } + + static void __init fixup_corgi(struct tag *tags, char **cmdline, diff --git a/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch b/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch new file mode 100644 index 00000000000..daa5962ead5 --- /dev/null +++ b/queue-3.14/arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch @@ -0,0 +1,49 @@ +From 9bc78f32c2e430aebf6def965b316aa95e37a20c Mon Sep 17 00:00:00 2001 +From: Dmitry Eremin-Solenikov +Date: Thu, 4 Dec 2014 14:10:01 +0300 +Subject: ARM: pxa: add regulator_has_full_constraints to poodle board file + +From: Dmitry Eremin-Solenikov + +commit 9bc78f32c2e430aebf6def965b316aa95e37a20c upstream. + +Add regulator_has_full_constraints() call to poodle board file to let +regulator core know that we do not have any additional regulators left. +This lets it substitute unprovided regulators with dummy ones. + +This fixes the following warnings that can be seen on poodle if +regulators are enabled: + +ads7846 spi1.0: unable to get regulator: -517 +spi spi1.0: Driver ads7846 requests probe deferral +wm8731 0-001b: Failed to get supply 'AVDD': -517 +wm8731 0-001b: Failed to request supplies: -517 +wm8731 0-001b: ASoC: failed to probe component -517 + +Signed-off-by: Dmitry Eremin-Solenikov +Acked-by: Mark Brown +Signed-off-by: Robert Jarzmik +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/poodle.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/arm/mach-pxa/poodle.c ++++ b/arch/arm/mach-pxa/poodle.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -454,6 +455,7 @@ static void __init poodle_init(void) + pxa_set_i2c_info(NULL); + i2c_register_board_info(0, ARRAY_AND_SIZE(poodle_i2c_devices)); + poodle_init_spi(); ++ regulator_has_full_constraints(); + } + + static void __init fixup_poodle(struct tag *tags, char **cmdline, diff --git a/queue-3.14/axonram-fix-bug-in-direct_access.patch b/queue-3.14/axonram-fix-bug-in-direct_access.patch new file mode 100644 index 00000000000..a18c4c7f9a6 --- /dev/null +++ b/queue-3.14/axonram-fix-bug-in-direct_access.patch @@ -0,0 +1,33 @@ +From 91117a20245b59f70b563523edbf998a62fc6383 Mon Sep 17 00:00:00 2001 +From: Matthew Wilcox +Date: Wed, 7 Jan 2015 18:04:18 +0200 +Subject: axonram: Fix bug in direct_access + +From: Matthew Wilcox + +commit 91117a20245b59f70b563523edbf998a62fc6383 upstream. + +The 'pfn' returned by axonram was completely bogus, and has been since +2008. + +Signed-off-by: Matthew Wilcox +Reviewed-by: Jan Kara +Reviewed-by: Mathieu Desnoyers +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/sysdev/axonram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/sysdev/axonram.c ++++ b/arch/powerpc/sysdev/axonram.c +@@ -156,7 +156,7 @@ axon_ram_direct_access(struct block_devi + } + + *kaddr = (void *)(bank->ph_addr + offset); +- *pfn = virt_to_phys(kaddr) >> PAGE_SHIFT; ++ *pfn = virt_to_phys(*kaddr) >> PAGE_SHIFT; + + return 0; + } diff --git a/queue-3.14/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch b/queue-3.14/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch new file mode 100644 index 00000000000..3a5f5fb06aa --- /dev/null +++ b/queue-3.14/kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch @@ -0,0 +1,37 @@ +From 146755923262037fc4c54abc28c04b1103f3cc51 Mon Sep 17 00:00:00 2001 +From: Jay Lan +Date: Mon, 29 Sep 2014 15:36:57 -0700 +Subject: kdb: fix incorrect counts in KDB summary command output + +From: Jay Lan + +commit 146755923262037fc4c54abc28c04b1103f3cc51 upstream. + +The output of KDB 'summary' command should report MemTotal, MemFree +and Buffers output in kB. Current codes report in unit of pages. + +A define of K(x) as +is defined in the code, but not used. + +This patch would apply the define to convert the values to kB. +Please include me on Cc on replies. I do not subscribe to linux-kernel. + +Signed-off-by: Jay Lan +Signed-off-by: Jason Wessel +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/debug/kdb/kdb_main.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/debug/kdb/kdb_main.c ++++ b/kernel/debug/kdb/kdb_main.c +@@ -2535,7 +2535,7 @@ static int kdb_summary(int argc, const c + #define K(x) ((x) << (PAGE_SHIFT - 10)) + kdb_printf("\nMemTotal: %8lu kB\nMemFree: %8lu kB\n" + "Buffers: %8lu kB\n", +- val.totalram, val.freeram, val.bufferram); ++ K(val.totalram), K(val.freeram), K(val.bufferram)); + return 0; + } + diff --git a/queue-3.14/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch b/queue-3.14/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch new file mode 100644 index 00000000000..46123519d19 --- /dev/null +++ b/queue-3.14/ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch @@ -0,0 +1,71 @@ +From 29183a70b0b828500816bd794b3fe192fce89f73 Mon Sep 17 00:00:00 2001 +From: John Stultz +Date: Mon, 9 Feb 2015 23:30:36 -0800 +Subject: ntp: Fixup adjtimex freq validation on 32-bit systems + +From: John Stultz + +commit 29183a70b0b828500816bd794b3fe192fce89f73 upstream. + +Additional validation of adjtimex freq values to avoid +potential multiplication overflows were added in commit +5e5aeb4367b (time: adjtimex: Validate the ADJ_FREQUENCY values) + +Unfortunately the patch used LONG_MAX/MIN instead of +LLONG_MAX/MIN, which was fine on 64-bit systems, but being +much smaller on 32-bit systems caused false positives +resulting in most direct frequency adjustments to fail w/ +EINVAL. + +ntpd only does direct frequency adjustments at startup, so +the issue was not as easily observed there, but other time +sync applications like ptpd and chrony were more effected by +the bug. + +See bugs: + + https://bugzilla.kernel.org/show_bug.cgi?id=92481 + https://bugzilla.redhat.com/show_bug.cgi?id=1188074 + +This patch changes the checks to use LLONG_MAX for +clarity, and additionally the checks are disabled +on 32-bit systems since LLONG_MAX/PPM_SCALE is always +larger then the 32-bit long freq value, so multiplication +overflows aren't possible there. + +Reported-by: Josh Boyer +Reported-by: George Joseph +Tested-by: George Joseph +Signed-off-by: John Stultz +Signed-off-by: Peter Zijlstra (Intel) +Cc: Linus Torvalds +Cc: Sasha Levin +Link: http://lkml.kernel.org/r/1423553436-29747-1-git-send-email-john.stultz@linaro.org +[ Prettified the changelog and the comments a bit. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/ntp.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -631,10 +631,14 @@ int ntp_validate_timex(struct timex *txc + if ((txc->modes & ADJ_SETOFFSET) && (!capable(CAP_SYS_TIME))) + return -EPERM; + +- if (txc->modes & ADJ_FREQUENCY) { +- if (LONG_MIN / PPM_SCALE > txc->freq) ++ /* ++ * Check for potential multiplication overflows that can ++ * only happen on 64-bit systems: ++ */ ++ if ((txc->modes & ADJ_FREQUENCY) && (BITS_PER_LONG == 64)) { ++ if (LLONG_MIN / PPM_SCALE > txc->freq) + return -EINVAL; +- if (LONG_MAX / PPM_SCALE < txc->freq) ++ if (LLONG_MAX / PPM_SCALE < txc->freq) + return -EINVAL; + } + diff --git a/queue-3.14/series b/queue-3.14/series index fc8f9893867..41756592fd5 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -43,3 +43,15 @@ nfsv4.1-fix-a-kfree-of-uninitialised-pointers-in-decode_cb_sequence_args.patch iscsi-target-drop-problematic-active_ts_list-usage.patch cfq-iosched-handle-failure-of-cfq-group-allocation.patch cfq-iosched-fix-incorrect-filing-of-rt-async-cfqq.patch +axonram-fix-bug-in-direct_access.patch +tty-prevent-untrappable-signals-from-malicious-program.patch +tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch +usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch +usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch +usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch +vt-provide-notifications-on-selection-changes.patch +arm-pxa-add-regulator_has_full_constraints-to-corgi-board-file.patch +arm-pxa-add-regulator_has_full_constraints-to-poodle-board-file.patch +kdb-fix-incorrect-counts-in-kdb-summary-command-output.patch +ntp-fixup-adjtimex-freq-validation-on-32-bit-systems.patch +arc-fix-page-address-calculation-if-page_offset-linux_link_base.patch diff --git a/queue-3.14/tty-prevent-untrappable-signals-from-malicious-program.patch b/queue-3.14/tty-prevent-untrappable-signals-from-malicious-program.patch new file mode 100644 index 00000000000..f84d663bc6d --- /dev/null +++ b/queue-3.14/tty-prevent-untrappable-signals-from-malicious-program.patch @@ -0,0 +1,40 @@ +From 37480a05685ed5b8e1b9bf5e5c53b5810258b149 Mon Sep 17 00:00:00 2001 +From: Peter Hurley +Date: Mon, 19 Jan 2015 13:05:03 -0500 +Subject: tty: Prevent untrappable signals from malicious program + +From: Peter Hurley + +commit 37480a05685ed5b8e1b9bf5e5c53b5810258b149 upstream. + +Commit 26df6d13406d1a5 ("tty: Add EXTPROC support for LINEMODE") +allows a process which has opened a pty master to send _any_ signal +to the process group of the pty slave. Although potentially +exploitable by a malicious program running a setuid program on +a pty slave, it's unknown if this exploit currently exists. + +Limit to signals actually used. + +Cc: Theodore Ts'o +Cc: Howard Chu +Cc: One Thousand Gnomes +Cc: Jiri Slaby +Signed-off-by: Peter Hurley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/pty.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/tty/pty.c ++++ b/drivers/tty/pty.c +@@ -209,6 +209,9 @@ static int pty_signal(struct tty_struct + unsigned long flags; + struct pid *pgrp; + ++ if (sig != SIGINT && sig != SIGQUIT && sig != SIGTSTP) ++ return -EINVAL; ++ + if (tty->link) { + spin_lock_irqsave(&tty->link->ctrl_lock, flags); + pgrp = get_pid(tty->link->pgrp); diff --git a/queue-3.14/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch b/queue-3.14/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch new file mode 100644 index 00000000000..3f919fae05d --- /dev/null +++ b/queue-3.14/tty-serial-at91-fix-error-handling-in-atmel_serial_probe.patch @@ -0,0 +1,49 @@ +From 6fbb9bdf0f3fbe23aeff806489791aa876adaffb Mon Sep 17 00:00:00 2001 +From: Cyrille Pitchen +Date: Tue, 9 Dec 2014 14:31:34 +0100 +Subject: tty/serial: at91: fix error handling in atmel_serial_probe() + +From: Cyrille Pitchen + +commit 6fbb9bdf0f3fbe23aeff806489791aa876adaffb upstream. + +-EDEFER error wasn't handle properly by atmel_serial_probe(). +As an example, when atmel_serial_probe() is called for the first time, we pass +the test_and_set_bit() test to check whether the port has already been +initalized. Then we call atmel_init_port(), which may return -EDEFER, possibly +returned before by clk_get(). Consequently atmel_serial_probe() used to return +this error code WITHOUT clearing the port bit in the "atmel_ports_in_use" mask. +When atmel_serial_probe() was called for the second time, it used to fail on +the test_and_set_bit() function then returning -EBUSY. + +When atmel_serial_probe() fails, this patch make it clear the port bit in the +"atmel_ports_in_use" mask, if needed, before returning the error code. + +Signed-off-by: Cyrille Pitchen +Acked-by: Nicolas Ferre +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/serial/atmel_serial.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/serial/atmel_serial.c ++++ b/drivers/tty/serial/atmel_serial.c +@@ -2392,7 +2392,7 @@ static int atmel_serial_probe(struct pla + + ret = atmel_init_port(port, pdev); + if (ret) +- goto err; ++ goto err_clear_bit; + + if (!atmel_use_pdc_rx(&port->uart)) { + ret = -ENOMEM; +@@ -2441,6 +2441,8 @@ err_alloc_ring: + clk_put(port->clk); + port->clk = NULL; + } ++err_clear_bit: ++ clear_bit(port->uart.line, atmel_ports_in_use); + err: + return ret; + } diff --git a/queue-3.14/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch b/queue-3.14/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch new file mode 100644 index 00000000000..db99f2ffc76 --- /dev/null +++ b/queue-3.14/usb-core-buffer-smallest-buffer-should-start-at-arch_dma_minalign.patch @@ -0,0 +1,99 @@ +From 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Fri, 5 Dec 2014 15:13:54 +0100 +Subject: usb: core: buffer: smallest buffer should start at ARCH_DMA_MINALIGN + +From: Sebastian Andrzej Siewior + +commit 5efd2ea8c9f4f12916ffc8ba636792ce052f6911 upstream. + +the following error pops up during "testusb -a -t 10" +| musb-hdrc musb-hdrc.1.auto: dma_pool_free buffer-128, f134e000/be842000 (bad dma) +hcd_buffer_create() creates a few buffers, the smallest has 32 bytes of +size. ARCH_KMALLOC_MINALIGN is set to 64 bytes. This combo results in +hcd_buffer_alloc() returning memory which is 32 bytes aligned and it +might by identified by buffer_offset() as another buffer. This means the +buffer which is on a 32 byte boundary will not get freed, instead it +tries to free another buffer with the error message. + +This patch fixes the issue by creating the smallest DMA buffer with the +size of ARCH_KMALLOC_MINALIGN (or 32 in case ARCH_KMALLOC_MINALIGN is +smaller). This might be 32, 64 or even 128 bytes. The next three pools +will have the size 128, 512 and 2048. +In case the smallest pool is 128 bytes then we have only three pools +instead of four (and zero the first entry in the array). +The last pool size is always 2048 bytes which is the assumed PAGE_SIZE / +2 of 4096. I doubt it makes sense to continue using PAGE_SIZE / 2 where +we would end up with 8KiB buffer in case we have 16KiB pages. +Instead I think it makes sense to have a common size(s) and extend them +if there is need to. +There is a BUILD_BUG_ON() now in case someone has a minalign of more than +128 bytes. + +Signed-off-by: Sebastian Andrzej Siewior +Acked-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/buffer.c | 26 +++++++++++++++++--------- + drivers/usb/core/usb.c | 1 + + include/linux/usb/hcd.h | 1 + + 3 files changed, 19 insertions(+), 9 deletions(-) + +--- a/drivers/usb/core/buffer.c ++++ b/drivers/usb/core/buffer.c +@@ -22,17 +22,25 @@ + */ + + /* FIXME tune these based on pool statistics ... */ +-static const size_t pool_max[HCD_BUFFER_POOLS] = { +- /* platforms without dma-friendly caches might need to +- * prevent cacheline sharing... +- */ +- 32, +- 128, +- 512, +- PAGE_SIZE / 2 +- /* bigger --> allocate pages */ ++static size_t pool_max[HCD_BUFFER_POOLS] = { ++ 32, 128, 512, 2048, + }; + ++void __init usb_init_pool_max(void) ++{ ++ /* ++ * The pool_max values must never be smaller than ++ * ARCH_KMALLOC_MINALIGN. ++ */ ++ if (ARCH_KMALLOC_MINALIGN <= 32) ++ ; /* Original value is okay */ ++ else if (ARCH_KMALLOC_MINALIGN <= 64) ++ pool_max[0] = 64; ++ else if (ARCH_KMALLOC_MINALIGN <= 128) ++ pool_max[0] = 0; /* Don't use this pool */ ++ else ++ BUILD_BUG(); /* We don't allow this */ ++} + + /* SETUP primitives */ + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -1050,6 +1050,7 @@ static int __init usb_init(void) + pr_info("%s: USB support disabled\n", usbcore_name); + return 0; + } ++ usb_init_pool_max(); + + retval = usb_debugfs_init(); + if (retval) +--- a/include/linux/usb/hcd.h ++++ b/include/linux/usb/hcd.h +@@ -447,6 +447,7 @@ extern const struct dev_pm_ops usb_hcd_p + #endif /* CONFIG_PCI */ + + /* pci-ish (pdev null is ok) buffer alloc/mapping support */ ++void usb_init_pool_max(void); + int hcd_buffer_create(struct usb_hcd *hcd); + void hcd_buffer_destroy(struct usb_hcd *hcd); + diff --git a/queue-3.14/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch b/queue-3.14/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch new file mode 100644 index 00000000000..9ed89f0ace0 --- /dev/null +++ b/queue-3.14/usb-cp210x-add-id-for-ruggedcom-usb-serial-console.patch @@ -0,0 +1,30 @@ +From a6f0331236fa75afba14bbcf6668d42cebb55c43 Mon Sep 17 00:00:00 2001 +From: Lennart Sorensen +Date: Wed, 21 Jan 2015 15:24:27 -0500 +Subject: USB: cp210x: add ID for RUGGEDCOM USB Serial Console + +From: Lennart Sorensen + +commit a6f0331236fa75afba14bbcf6668d42cebb55c43 upstream. + +Added the USB serial console device ID for Siemens Ruggedcom devices +which have a USB port for their serial console. + +Signed-off-by: Len Sorensen +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/cp210x.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/cp210x.c ++++ b/drivers/usb/serial/cp210x.c +@@ -56,6 +56,7 @@ static const struct usb_device_id id_tab + { USB_DEVICE(0x0846, 0x1100) }, /* NetGear Managed Switch M4100 series, M5300 series, M7100 series */ + { USB_DEVICE(0x08e6, 0x5501) }, /* Gemalto Prox-PU/CU contactless smartcard reader */ + { USB_DEVICE(0x08FD, 0x000A) }, /* Digianswer A/S , ZigBee/802.15.4 MAC Device */ ++ { USB_DEVICE(0x0908, 0x01FF) }, /* Siemens RUGGEDCOM USB Serial Console */ + { USB_DEVICE(0x0BED, 0x1100) }, /* MEI (TM) Cashflow-SC Bill/Voucher Acceptor */ + { USB_DEVICE(0x0BED, 0x1101) }, /* MEI series 2000 Combo Acceptor */ + { USB_DEVICE(0x0FCF, 0x1003) }, /* Dynastream ANT development board */ diff --git a/queue-3.14/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch b/queue-3.14/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch new file mode 100644 index 00000000000..440dc74dae3 --- /dev/null +++ b/queue-3.14/usb-fix-use-after-free-bug-in-usb_hcd_unlink_urb.patch @@ -0,0 +1,66 @@ +From c99197902da284b4b723451c1471c45b18537cde Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 30 Jan 2015 12:58:26 -0500 +Subject: USB: fix use-after-free bug in usb_hcd_unlink_urb() + +From: Alan Stern + +commit c99197902da284b4b723451c1471c45b18537cde upstream. + +The usb_hcd_unlink_urb() routine in hcd.c contains two possible +use-after-free errors. The dev_dbg() statement at the end of the +routine dereferences urb and urb->dev even though both structures may +have been deallocated. + +This patch fixes the problem by storing urb->dev in a local variable +(avoiding the dereference of urb) and moving the dev_dbg() up before +the usb_put_dev() call. + +Signed-off-by: Alan Stern +Reported-by: Joe Lawrence +Tested-by: Joe Lawrence +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hcd.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +--- a/drivers/usb/core/hcd.c ++++ b/drivers/usb/core/hcd.c +@@ -1617,6 +1617,7 @@ static int unlink1(struct usb_hcd *hcd, + int usb_hcd_unlink_urb (struct urb *urb, int status) + { + struct usb_hcd *hcd; ++ struct usb_device *udev = urb->dev; + int retval = -EIDRM; + unsigned long flags; + +@@ -1628,20 +1629,19 @@ int usb_hcd_unlink_urb (struct urb *urb, + spin_lock_irqsave(&hcd_urb_unlink_lock, flags); + if (atomic_read(&urb->use_count) > 0) { + retval = 0; +- usb_get_dev(urb->dev); ++ usb_get_dev(udev); + } + spin_unlock_irqrestore(&hcd_urb_unlink_lock, flags); + if (retval == 0) { + hcd = bus_to_hcd(urb->dev->bus); + retval = unlink1(hcd, urb, status); +- usb_put_dev(urb->dev); ++ if (retval == 0) ++ retval = -EINPROGRESS; ++ else if (retval != -EIDRM && retval != -EBUSY) ++ dev_dbg(&udev->dev, "hcd_unlink_urb %p fail %d\n", ++ urb, retval); ++ usb_put_dev(udev); + } +- +- if (retval == 0) +- retval = -EINPROGRESS; +- else if (retval != -EIDRM && retval != -EBUSY) +- dev_dbg(&urb->dev->dev, "hcd_unlink_urb %p fail %d\n", +- urb, retval); + return retval; + } + diff --git a/queue-3.14/vt-provide-notifications-on-selection-changes.patch b/queue-3.14/vt-provide-notifications-on-selection-changes.patch new file mode 100644 index 00000000000..3a7541a8b52 --- /dev/null +++ b/queue-3.14/vt-provide-notifications-on-selection-changes.patch @@ -0,0 +1,51 @@ +From 19e3ae6b4f07a87822c1c9e7ed99d31860e701af Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Fri, 23 Jan 2015 17:07:21 -0500 +Subject: vt: provide notifications on selection changes + +From: Nicolas Pitre + +commit 19e3ae6b4f07a87822c1c9e7ed99d31860e701af upstream. + +The vcs device's poll/fasync support relies on the vt notifier to signal +changes to the screen content. Notifier invocations were missing for +changes that comes through the selection interface though. Fix that. + +Tested with BRLTTY 5.2. + +Signed-off-by: Nicolas Pitre +Cc: Dave Mielke +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/tty/vt/vt.c ++++ b/drivers/tty/vt/vt.c +@@ -498,6 +498,7 @@ void invert_screen(struct vc_data *vc, i + #endif + if (DO_UPDATE(vc)) + do_update_region(vc, (unsigned long) p, count); ++ notify_update(vc); + } + + /* used by selection: complement pointer position */ +@@ -514,6 +515,7 @@ void complement_pos(struct vc_data *vc, + scr_writew(old, screenpos(vc, old_offset, 1)); + if (DO_UPDATE(vc)) + vc->vc_sw->con_putc(vc, old, oldy, oldx); ++ notify_update(vc); + } + + old_offset = offset; +@@ -531,8 +533,8 @@ void complement_pos(struct vc_data *vc, + oldy = (offset >> 1) / vc->vc_cols; + vc->vc_sw->con_putc(vc, new, oldy, oldx); + } ++ notify_update(vc); + } +- + } + + static void insert_char(struct vc_data *vc, unsigned int nr)