From: Greg Kroah-Hartman Date: Thu, 23 Oct 2014 07:56:50 +0000 (+0800) Subject: 3.14-stable patches X-Git-Tag: v3.10.59~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8ddce100b429709c6cb85a8dadbbc5183c28846;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: be2iscsi-check-ip-buffer-before-copying.patch dmaengine-fix-xor-sources-continuation.patch dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch drivers-hv-vmbus-cleanup-vmbus_close_internal.patch drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch drivers-hv-vmbus-cleanup-vmbus_post_msg.patch drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch firmware_class-make-sure-fw-requests-contain-a-name.patch mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch qla2xxx-fix-shost-use-after-free-on-device-removal.patch qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch regmap-debugfs-fix-possbile-null-pointer-dereference.patch regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch --- diff --git a/queue-3.14/be2iscsi-check-ip-buffer-before-copying.patch b/queue-3.14/be2iscsi-check-ip-buffer-before-copying.patch new file mode 100644 index 00000000000..d0748809815 --- /dev/null +++ b/queue-3.14/be2iscsi-check-ip-buffer-before-copying.patch 
@@ -0,0 +1,62 @@ +From a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 Mon Sep 17 00:00:00 2001 +From: Mike Christie +Date: Mon, 29 Sep 2014 13:55:41 -0500 +Subject: be2iscsi: check ip buffer before copying + +From: Mike Christie + +commit a41a9ad3bbf61fae0b6bfb232153da60d14fdbd9 upstream. + +Dan Carpenter found a issue where be2iscsi would copy the ip +from userspace to the driver buffer before checking the len +of the data being copied: +http://marc.info/?l=linux-scsi&m=140982651504251&w=2 + +This patch just has us only copy what we the driver buffer +can support. + +Tested-by: John Soni Jose +Signed-off-by: Mike Christie +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/be2iscsi/be_mgmt.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +--- a/drivers/scsi/be2iscsi/be_mgmt.c ++++ b/drivers/scsi/be2iscsi/be_mgmt.c +@@ -897,17 +897,20 @@ mgmt_static_ip_modify(struct beiscsi_hba + + if (ip_action == IP_ACTION_ADD) { + memcpy(req->ip_params.ip_record.ip_addr.addr, ip_param->value, +- ip_param->len); ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + if (subnet_param) + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- subnet_param->value, subnet_param->len); ++ subnet_param->value, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } else { + memcpy(req->ip_params.ip_record.ip_addr.addr, +- if_info->ip_addr.addr, ip_param->len); ++ if_info->ip_addr.addr, ++ sizeof(req->ip_params.ip_record.ip_addr.addr)); + + memcpy(req->ip_params.ip_record.ip_addr.subnet_mask, +- if_info->ip_addr.subnet_mask, ip_param->len); ++ if_info->ip_addr.subnet_mask, ++ sizeof(req->ip_params.ip_record.ip_addr.subnet_mask)); + } + + rc = mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); +@@ -935,7 +938,7 @@ static int mgmt_modify_gateway(struct be + req->action = gtway_action; + req->ip_addr.ip_type = BE2_IPV4; + +- memcpy(req->ip_addr.addr, gt_addr, param_len); ++ memcpy(req->ip_addr.addr, gt_addr, 
sizeof(req->ip_addr.addr)); + + return mgmt_exec_nonemb_cmd(phba, &nonemb_cmd, NULL, 0); + } diff --git a/queue-3.14/dmaengine-fix-xor-sources-continuation.patch b/queue-3.14/dmaengine-fix-xor-sources-continuation.patch new file mode 100644 index 00000000000..9718b5fdec3 --- /dev/null +++ b/queue-3.14/dmaengine-fix-xor-sources-continuation.patch @@ -0,0 +1,39 @@ +From 87cea76384257e6ac3fa4791b6a6b9d0335f7457 Mon Sep 17 00:00:00 2001 +From: Xuelin Shi +Date: Tue, 1 Jul 2014 16:32:38 +0800 +Subject: dmaengine: fix xor sources continuation + +From: Xuelin Shi + +commit 87cea76384257e6ac3fa4791b6a6b9d0335f7457 upstream. + +the partial xor result must be kept until the next +tx is generated. + +Signed-off-by: Xuelin Shi +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + crypto/async_tx/async_xor.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/crypto/async_tx/async_xor.c ++++ b/crypto/async_tx/async_xor.c +@@ -78,8 +78,6 @@ do_async_xor(struct dma_chan *chan, stru + tx = dma->device_prep_dma_xor(chan, dma_dest, src_list, + xor_src_cnt, unmap->len, + dma_flags); +- src_list[0] = tmp; +- + + if (unlikely(!tx)) + async_tx_quiesce(&submit->depend_tx); +@@ -92,6 +90,7 @@ do_async_xor(struct dma_chan *chan, stru + xor_src_cnt, unmap->len, + dma_flags); + } ++ src_list[0] = tmp; + + dma_set_unmap(tx, unmap); + async_tx_submit(chan, tx, submit); diff --git a/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch b/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch new file mode 100644 index 00000000000..0558026caaa --- /dev/null +++ b/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch 
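Review bot: In the IP_ACTION_ADD branch of mgmt_static_ip_modify(), and in mgmt_modify_gateway(), the copy length is now the destination's size and the supplied length (`ip_param->len`, `subnet_param->len`, `param_len`) is no longer consulted, so a supplied value shorter than the destination field would be read past its end. Bounding the copy by both sides keeps the overflow fix and avoids the over-read, e.g. `min_t(size_t, ip_param->len, sizeof(req->ip_params.ip_record.ip_addr.addr))` as the third argument. Whether shorter values can actually reach these calls depends on validation in the callers, which is not visible here. Both function bodies extend outside the hunks.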
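Review bot: The relocated `src_list[0] = tmp;` in do_async_xor() has no comment saying why it must come after the retry block, and that ordering is exactly what the earlier code got wrong. From the hunk, the second `device_prep_dma_xor()` call after `async_tx_quiesce()` appears to reuse `src_list`, so restoring the slot before it would presumably drop the partial result from the retried descriptor. A one-line comment such as `/* restore only after the retry: both prep calls must see the partial xor result in src_list[0] */` would keep a later cleanup from moving it back. The code that saves `tmp` is outside the hunk.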
@@ -0,0 +1,89 @@ +From 6e4a2a83f95826201bbd89f55522537ea52d1d67 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 29 Sep 2014 14:42:21 +0200 +Subject: dmaengine: pl330: Fix NULL pointer dereference on driver unbind + +From: Krzysztof Kozlowski + +commit 6e4a2a83f95826201bbd89f55522537ea52d1d67 upstream. + +Fix a NULL pointer dereference after unbinding the driver, if channel +resources were not yet allocated (no call to +pl330_alloc_chan_resources()): +$ echo 12850000.mdma > /sys/bus/amba/drivers/dma-pl330/unbind +[ 13.606533] DMA pl330_control: removing pch: eeab6800, chan: eeab6814, thread: (null) +[ 13.614472] Unable to handle kernel NULL pointer dereference at virtual address 0000000c +[ 13.622537] pgd = ee284000 +[ 13.625228] [0000000c] *pgd=6e1e4831, *pte=00000000, *ppte=00000000 +[ 13.631482] Internal error: Oops: 17 [#1] PREEMPT SMP ARM +[ 13.636859] Modules linked in: +[ 13.639903] CPU: 0 PID: 1 Comm: sh Not tainted 3.17.0-rc3-next-20140904-00004-g7020ffc33ca3-dirty #420 +[ 13.649187] task: ee80a800 ti: ee888000 task.ti: ee888000 +[ 13.654589] PC is at _stop+0x8/0x2c8 +[ 13.658131] LR is at pl330_control+0x70/0x2e8 +[ 13.662468] pc : [] lr : [] psr: 60000093 +[ 13.662468] sp : ee889e58 ip : 00000001 fp : 000bab70 +[ 13.673922] r10: eeab6814 r9 : ee16debc r8 : 00000000 +[ 13.679131] r7 : eeab685c r6 : 60000013 r5 : ee16de10 r4 : eeab6800 +[ 13.685641] r3 : 00000002 r2 : 00000000 r1 : 00010000 r0 : 00000000 +[ 13.692153] Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment user +[ 13.699357] Control: 10c5387d Table: 6e28404a DAC: 00000015 +[ 13.705085] Process sh (pid: 1, stack limit = 0xee888240) +[ 13.710466] Stack: (0xee889e58 to 0xee88a000) +[ 13.714808] 9e40: 00000002 eeab6800 +[ 13.722969] 9e60: ee16de10 eeab6800 ee16de10 60000013 eeab685c c020649c 00000000 c040280c +[ 13.731128] 9e80: ee889e80 ee889e80 ee16de18 ee16de10 eeab6880 eeab6814 00200200 eeab68a8 +[ 13.739287] 9ea0: 00100100 c0208048 00000000 c0409fc4 eea80800 eea808f8 
c0605c44 0000000e +[ 13.747446] 9ec0: 0000000e eeb3960c eeb39600 c0203c48 eea80800 c0605c44 c0605a8c c023f694 +[ 13.755605] 9ee0: ee80a800 eea80834 eea80800 c023f704 ee80a800 eea80800 c0605c44 c023e8ec +[ 13.763764] 9f00: 0000000e ee149780 ee29e580 ee889f80 ee29e580 c023e19c 0000000e c01167e4 +[ 13.771923] 9f20: c01167a0 00000000 00000000 c0115e88 00000000 00000000 ee0b1a00 0000000e +[ 13.780082] 9f40: b6f48000 ee889f80 0000000e ee888000 b6f48000 c00bfadc 00000000 00000003 +[ 13.788241] 9f60: 00000000 00000000 00000000 ee0b1a00 ee0b1a00 0000000e b6f48000 c00bfdf4 +[ 13.796401] 9f80: 00000000 00000000 ffffffff 0000000e b6f48000 b6edc5d0 00000004 c000e7a4 +[ 13.804560] 9fa0: 00000000 c000e620 0000000e b6f48000 00000001 b6f48000 0000000e 00000000 +[ 13.812719] 9fc0: 0000000e b6f48000 b6edc5d0 00000004 0000000e b6f4c8c0 000c3470 000bab70 +[ 13.820879] 9fe0: 00000000 bed2aa50 b6e18bdc b6e6b52c 60000010 00000001 c0c0c0c0 c0c0c0c0 +[ 13.829058] [] (_stop) from [] (pl330_control+0x70/0x2e8) +[ 13.836165] [] (pl330_control) from [] (pl330_remove+0xb0/0xdc) +[ 13.843800] [] (pl330_remove) from [] (amba_remove+0x24/0xc0) +[ 13.851272] [] (amba_remove) from [] (__device_release_driver+0x70/0xc4) +[ 13.859685] [] (__device_release_driver) from [] (device_release_driver+0x1c/0x28) +[ 13.868971] [] (device_release_driver) from [] (unbind_store+0x58/0x90) +[ 13.877303] [] (unbind_store) from [] (drv_attr_store+0x20/0x2c) +[ 13.885036] [] (drv_attr_store) from [] (sysfs_kf_write+0x44/0x48) +[ 13.892928] [] (sysfs_kf_write) from [] (kernfs_fop_write+0xc0/0x17c) +[ 13.901090] [] (kernfs_fop_write) from [] (vfs_write+0xa0/0x1a8) +[ 13.908812] [] (vfs_write) from [] (SyS_write+0x40/0x8c) +[ 13.915850] [] (SyS_write) from [] (ret_fast_syscall+0x0/0x30) +[ 13.923392] Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c) +[ 13.929467] ---[ end trace 10064e15a5929cf8 ]--- + +Terminate the thread and free channel resource only if channel resources +were allocated (thread is not NULL). 
+ +Signed-off-by: Krzysztof Kozlowski +Fixes: b3040e40675e ("DMA: PL330: Add dma api driver") +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -3084,8 +3084,10 @@ static int pl330_remove(struct amba_devi + list_del(&pch->chan.device_node); + + /* Flush the channel */ +- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); +- pl330_free_chan_resources(&pch->chan); ++ if (pch->thread) { ++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); ++ pl330_free_chan_resources(&pch->chan); ++ } + } + + pi = &pdmac->pif; diff --git a/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch b/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch new file mode 100644 index 00000000000..fbb3c983cb9 --- /dev/null +++ b/queue-3.14/dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch 
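Review bot: The `if (pch->thread)` guard sits in the caller, pl330_remove(), while the oops in the commit message is raised inside `_stop()` reached through `pl330_control()`. Any other path that issues DMA_TERMINATE_ALL on a channel without allocated resources would therefore still dereference a NULL thread. The identical guard is repeated in the probe_err3 unwind path of the companion patch (dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch); a check inside pl330_control() itself, or a small shared helper for the flush-and-free pair, would cover both in one place. The read of `pch->thread` is also done with no locking visible in the hunk, which is presumably safe during remove but deserves a comment. pl330_remove() continues outside the hunk.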
@@ -0,0 +1,96 @@ +From 0f5ebabdd03b471da1906f7edddc61ceb35cee02 Mon Sep 17 00:00:00 2001 +From: Krzysztof Kozlowski +Date: Mon, 29 Sep 2014 14:42:20 +0200 +Subject: dmaengine: pl330: Fix NULL pointer dereference on probe failure + +From: Krzysztof Kozlowski + +commit 0f5ebabdd03b471da1906f7edddc61ceb35cee02 upstream. + +If dma_async_device_register() returns error and probe should clean up +and return error, a NULL pointer exception happens because of +dereference of not allocated channel thread: + +Dmesg log (from early printk): +dma-pl330 12680000.pdma: unable to register DMAC +DMA pl330_control: removing pch: eeac4000, chan: eeac4014, thread: (null) +Unable to handle kernel NULL pointer dereference at virtual address 0000000c +pgd = c0004000 +[0000000c] *pgd=00000000 +Internal error: Oops: 5 [#1] PREEMPT SMP ARM +Modules linked in: +CPU: 2 PID: 1 Comm: swapper/0 Not tainted 3.17.0-rc3-next-20140904-00005-g6cc4c1937d90-dirty #427 +task: ee80a800 ti: ee888000 task.ti: ee888000 +PC is at _stop+0x8/0x2c8 +LR is at pl330_control+0x70/0x2e8 +pc : [] lr : [] psr: 60000193 +sp : ee889df8 ip : 00000002 fp : 00000000 +r10: eeac4014 r9 : ee0e62bc r8 : 00000000 +r7 : eeac405c r6 : 60000113 r5 : ee0e6210 r4 : eeac4000 +r3 : 00000002 r2 : 00000002 r1 : 00010000 r0 : 00000000 +Flags: nZCv IRQs off FIQs on Mode SVC_32 ISA ARM Segment kernel +Control: 10c5387d Table: 4000404a DAC: 00000015 +Process swapper/0 (pid: 1, stack limit = 0xee888240) +Stack: (0xee889df8 to 0xee88a000) +9de0: 00000002 eeac4000 +9e00: ee0e6210 eeac4000 ee0e6210 60000113 eeac405c c020623c 00000000 c020725c +9e20: ee889e20 ee889e20 ee0e6210 eeac4080 00200200 00100100 eeac4014 00000020 +9e40: ee0e6218 c0208374 00000000 ee9bb340 ee0e6210 00000000 00000000 c0605cd8 +9e60: ee970000 c0605c84 ee9700f8 00000000 c05c4270 00000000 00000000 c0203b3c +9e80: ee970000 c06624a8 00000000 c0605c84 00000000 c023f890 ee970000 c0605c84 +9ea0: ee970034 00000000 c05b23d0 c023fa3c 00000000 c0605c84 c023f9b0 c023e0d4 +9ec0: 
ee947e78 ee9b9440 c0605c84 eea1e780 c0605acc c023f094 c0513b50 c0605c84 +9ee0: c05ecbd8 c0605c84 c05ecbd8 ee11ba40 c0626500 c0240064 00000000 c05ecbd8 +9f00: c05ecbd8 c0008964 c040f13c 0000009f c0626500 c057465c ee80a800 60000113 +9f20: 00000000 c05efdb0 60000113 00000000 ef7fc89d c0421168 0000008f c003787c +9f40: c0573d6c 00000006 ef7fc8bb 00000006 c05efd50 ef7fc800 c05dfbc4 00000006 +9f60: c05c4264 c0626500 0000008f c05c4270 c059b518 c059bcb4 00000006 00000006 +9f80: c059b518 c003c08c 00000000 c040091c 00000000 00000000 00000000 00000000 +9fa0: 00000000 c0400924 00000000 c000e7b8 00000000 00000000 00000000 00000000 +9fc0: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000 +9fe0: 00000000 00000000 00000000 00000000 00000013 00000000 c0c0c0c0 c0c0c0c0 +[] (_stop) from [] (pl330_control+0x70/0x2e8) +[] (pl330_control) from [] (pl330_probe+0x594/0x75c) +[] (pl330_probe) from [] (amba_probe+0xb8/0x120) +[] (amba_probe) from [] (driver_probe_device+0x10c/0x22c) +[] (driver_probe_device) from [] (__driver_attach+0x8c/0x90) +[] (__driver_attach) from [] (bus_for_each_dev+0x54/0x88) +[] (bus_for_each_dev) from [] (bus_add_driver+0xd4/0x1d0) +[] (bus_add_driver) from [] (driver_register+0x78/0xf4) +[] (driver_register) from [] (do_one_initcall+0x80/0x1d0) +[] (do_one_initcall) from [] (kernel_init_freeable+0x108/0x1d4) +[] (kernel_init_freeable) from [] (kernel_init+0x8/0xec) +[] (kernel_init) from [] (ret_from_fork+0x14/0x3c) +Code: e5813010 e12fff1e e92d40f0 e24dd00c (e590200c) +---[ end trace c94b2f4f38dff3bf ]--- + +This happens because the necessary resources were not yet allocated - no +call to pl330_alloc_chan_resources(). + +Terminate the thread and free channel resource only if channel thread is not NULL. 
+ +Signed-off-by: Krzysztof Kozlowski +Fixes: 0b94c5771705 ("DMA: PL330: Add check if device tree compatible") +Reviewed-by: Lars-Peter Clausen +Signed-off-by: Vinod Koul +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/pl330.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/dma/pl330.c ++++ b/drivers/dma/pl330.c +@@ -3051,8 +3051,10 @@ probe_err3: + list_del(&pch->chan.device_node); + + /* Flush the channel */ +- pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); +- pl330_free_chan_resources(&pch->chan); ++ if (pch->thread) { ++ pl330_control(&pch->chan, DMA_TERMINATE_ALL, 0); ++ pl330_free_chan_resources(&pch->chan); ++ } + } + probe_err2: + pl330_del(pi); diff --git a/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_close_internal.patch b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_close_internal.patch new file mode 100644 index 00000000000..62bf615b2b0 --- /dev/null +++ b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_close_internal.patch 
@@ -0,0 +1,77 @@ +From 98d731bb064a9d1817a6ca9bf8b97051334a7cfe Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:33 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_close_internal() + +From: "K. Y. Srinivasan" + +commit 98d731bb064a9d1817a6ca9bf8b97051334a7cfe upstream. + +Eliminate calls to BUG_ON() in vmbus_close_internal(). +We have chosen to potentially leak memory, than crash the guest +in case of failures. + +In this version of the patch I have addressed comments from +Dan Carpenter (dan.carpenter@oracle.com). + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 29 +++++++++++++++++++++++------ + 1 file changed, 23 insertions(+), 6 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -471,7 +471,7 @@ post_msg_err: + } + EXPORT_SYMBOL_GPL(vmbus_teardown_gpadl); + +-static void vmbus_close_internal(struct vmbus_channel *channel) ++static int vmbus_close_internal(struct vmbus_channel *channel) + { + struct vmbus_channel_close_channel *msg; + int ret; +@@ -493,11 +493,28 @@ static void vmbus_close_internal(struct + + ret = vmbus_post_msg(msg, sizeof(struct vmbus_channel_close_channel)); + +- BUG_ON(ret != 0); ++ if (ret) { ++ pr_err("Close failed: close post msg return is %d\n", ret); ++ /* ++ * If we failed to post the close msg, ++ * it is perhaps better to leak memory. ++ */ ++ return ret; ++ } ++ + /* Tear down the gpadl for the channel's ring buffer */ +- if (channel->ringbuffer_gpadlhandle) +- vmbus_teardown_gpadl(channel, +- channel->ringbuffer_gpadlhandle); ++ if (channel->ringbuffer_gpadlhandle) { ++ ret = vmbus_teardown_gpadl(channel, ++ channel->ringbuffer_gpadlhandle); ++ if (ret) { ++ pr_err("Close failed: teardown gpadl return %d\n", ret); ++ /* ++ * If we failed to teardown gpadl, ++ * it is perhaps better to leak memory. 
++ */ ++ return ret; ++ } ++ } + + /* Cleanup the ring buffers for this channel */ + hv_ringbuffer_cleanup(&channel->outbound); +@@ -506,7 +523,7 @@ static void vmbus_close_internal(struct + free_pages((unsigned long)channel->ringbuffer_pages, + get_order(channel->ringbuffer_pagecount * PAGE_SIZE)); + +- ++ return ret; + } + + /* diff --git a/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch new file mode 100644 index 00000000000..baba1eaad44 --- /dev/null +++ b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch @@ -0,0 +1,42 @@ +From 72c6b71c245dac8f371167d97ef471b367d0b66b Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:34 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_establish_gpadl() + +From: "K. Y. Srinivasan" + +commit 72c6b71c245dac8f371167d97ef471b367d0b66b upstream. + +Eliminate the call to BUG_ON() by waiting for the host to respond. We are +trying to reclaim the ownership of memory that was given to the host and so +we will have to wait until the host responds. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 5 +---- + 1 file changed, 1 insertion(+), 4 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -362,7 +362,6 @@ int vmbus_establish_gpadl(struct vmbus_c + u32 next_gpadl_handle; + unsigned long flags; + int ret = 0; +- int t; + + next_gpadl_handle = atomic_read(&vmbus_connection.next_gpadl_handle); + atomic_inc(&vmbus_connection.next_gpadl_handle); +@@ -409,9 +408,7 @@ int vmbus_establish_gpadl(struct vmbus_c + + } + } +- t = wait_for_completion_timeout(&msginfo->waitevent, 5*HZ); +- BUG_ON(t == 0); +- ++ wait_for_completion(&msginfo->waitevent); + + /* At this point, we received the gpadl created msg */ + *gpadl_handle = gpadlmsg->gpadl; 
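Review bot: The two new early returns in vmbus_close_internal() skip hv_ringbuffer_cleanup() and free_pages(), and the comment `it is perhaps better to leak memory` does not say why. The companion gpadl patches give the reason, which is that the memory was handed to the host, so the comment could state it directly: `/* The host may still own the ring buffer pages; leak them rather than free memory it can still access. */`. The return type also changes from void to int, and the caller is outside this hunk, so it is worth confirming that the result is checked there.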
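Review bot: `wait_for_completion(&msginfo->waitevent);` in vmbus_establish_gpadl() replaces a 5 second timeout with an unbounded, uninterruptible wait, so a host that never answers now blocks the calling task indefinitely instead of hitting BUG_ON. The same substitution is made in vmbus_teardown_gpadl() (drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch). The commit message explains the trade-off but the code does not; a comment at each call such as `/* No timeout: the pages stay owned by the host until it responds, so they cannot be reclaimed early. */` would record it. A periodic warning while waiting would also make a stuck host diagnosable. Both function bodies extend outside the hunks.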
diff --git a/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch new file mode 100644 index 00000000000..e4836e7bf50 --- /dev/null +++ b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_post_msg.patch @@ -0,0 +1,51 @@ +From fdeebcc62279119dbeafbc1a2e39e773839025fd Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:31 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_post_msg() + +From: "K. Y. Srinivasan" + +commit fdeebcc62279119dbeafbc1a2e39e773839025fd upstream. + +Posting messages to the host can fail because of transient resource +related failures. Correctly deal with these failures and increase the +number of attempts to post the message before giving up. + +In this version of the patch, I have normalized the error code to +Linux error code. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/connection.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/drivers/hv/connection.c ++++ b/drivers/hv/connection.c +@@ -408,10 +408,21 @@ int vmbus_post_msg(void *buffer, size_t + * insufficient resources. Retry the operation a couple of + * times before giving up. + */ +- while (retries < 3) { +- ret = hv_post_message(conn_id, 1, buffer, buflen); +- if (ret != HV_STATUS_INSUFFICIENT_BUFFERS) ++ while (retries < 10) { ++ ret = hv_post_message(conn_id, 1, buffer, buflen); ++ ++ switch (ret) { ++ case HV_STATUS_INSUFFICIENT_BUFFERS: ++ ret = -ENOMEM; ++ case -ENOMEM: ++ break; ++ case HV_STATUS_SUCCESS: + return ret; ++ default: ++ pr_err("hv_post_msg() failed; error code:%d\n", ret); ++ return -EINVAL; ++ } ++ + retries++; + msleep(100); + } diff --git a/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch new file mode 100644 index 00000000000..f63a1fea4a7 --- /dev/null 
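Review bot: In the new switch in vmbus_post_msg(), `case HV_STATUS_INSUFFICIENT_BUFFERS:` assigns `ret = -ENOMEM;` and then falls into `case -ENOMEM:` with no marker, which reads like a missing `break`. Adding `/* fallthrough */` after the assignment makes the intent explicit. The surrounding comment still says the operation is retried "a couple of times" although the loop now runs up to 10 iterations with `msleep(100)`, and the `pr_err` text names `hv_post_msg()` while the call is `hv_post_message()`. The function body continues outside the hunk.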
+++ b/queue-3.14/drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch @@ -0,0 +1,51 @@ +From 66be653083057358724d56d817e870e53fb81ca7 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:32 -0700 +Subject: Drivers: hv: vmbus: Cleanup vmbus_teardown_gpadl() + +From: "K. Y. Srinivasan" + +commit 66be653083057358724d56d817e870e53fb81ca7 upstream. + +Eliminate calls to BUG_ON() by properly handling errors. In cases where +rollback is possible, we will return the appropriate error to have the +calling code decide how to rollback state. In the case where we are +transferring ownership of the guest physical pages to the host, +we will wait for the host to respond. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -434,7 +434,7 @@ int vmbus_teardown_gpadl(struct vmbus_ch + struct vmbus_channel_gpadl_teardown *msg; + struct vmbus_channel_msginfo *info; + unsigned long flags; +- int ret, t; ++ int ret; + + info = kmalloc(sizeof(*info) + + sizeof(struct vmbus_channel_gpadl_teardown), GFP_KERNEL); +@@ -456,11 +456,12 @@ int vmbus_teardown_gpadl(struct vmbus_ch + ret = vmbus_post_msg(msg, + sizeof(struct vmbus_channel_gpadl_teardown)); + +- BUG_ON(ret != 0); +- t = wait_for_completion_timeout(&info->waitevent, 5*HZ); +- BUG_ON(t == 0); ++ if (ret) ++ goto post_msg_err; + +- /* Received a torndown response */ ++ wait_for_completion(&info->waitevent); ++ ++post_msg_err: + spin_lock_irqsave(&vmbus_connection.channelmsg_lock, flags); + list_del(&info->msglistentry); + spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags); diff --git a/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch b/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch new file mode 100644 index 00000000000..4448be6a2a6 --- /dev/null 
+++ b/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch @@ -0,0 +1,35 @@ +From 45d727cee9e200f5b351528b9fb063b69cf702c8 Mon Sep 17 00:00:00 2001 +From: "K. Y. Srinivasan" +Date: Wed, 27 Aug 2014 16:25:35 -0700 +Subject: Drivers: hv: vmbus: Fix a bug in vmbus_open() + +From: "K. Y. Srinivasan" + +commit 45d727cee9e200f5b351528b9fb063b69cf702c8 upstream. + +Fix a bug in vmbus_open() and properly propagate the error. I would +like to thank Dexuan Cui for identifying the +issue. + +Signed-off-by: K. Y. Srinivasan +Tested-by: Sitsofe Wheeler +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hv/channel.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/drivers/hv/channel.c ++++ b/drivers/hv/channel.c +@@ -164,8 +164,10 @@ int vmbus_open(struct vmbus_channel *new + ret = vmbus_post_msg(open_msg, + sizeof(struct vmbus_channel_open_channel)); + +- if (ret != 0) ++ if (ret != 0) { ++ err = ret; + goto error1; ++ } + + t = wait_for_completion_timeout(&open_info->waitevent, 5*HZ); + if (t == 0) { diff --git a/queue-3.14/firmware_class-make-sure-fw-requests-contain-a-name.patch b/queue-3.14/firmware_class-make-sure-fw-requests-contain-a-name.patch new file mode 100644 index 00000000000..3a12848d41e --- /dev/null +++ b/queue-3.14/firmware_class-make-sure-fw-requests-contain-a-name.patch 
@@ -0,0 +1,37 @@ +From 471b095dfe0d693a8d624cbc716d1ee4d74eb437 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 18 Sep 2014 11:25:37 -0700 +Subject: firmware_class: make sure fw requests contain a name + +From: Kees Cook + +commit 471b095dfe0d693a8d624cbc716d1ee4d74eb437 upstream. + +An empty firmware request name will trigger warnings when building +device names. Make sure this is caught earlier and rejected. + +The warning was visible via the test_firmware.ko module interface: + +echo -ne "\x00" > /sys/devices/virtual/misc/test_firmware/trigger_request + +Reported-by: Sasha Levin +Signed-off-by: Kees Cook +Tested-by: Sasha Levin +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/firmware_class.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/base/firmware_class.c ++++ b/drivers/base/firmware_class.c +@@ -1081,6 +1081,9 @@ _request_firmware(const struct firmware + if (!firmware_p) + return -EINVAL; + ++ if (!name || name[0] == '\0') ++ return -EINVAL; ++ + ret = _request_firmware_prepare(&fw, name, device); + if (ret <= 0) /* error or already assigned */ + goto out; diff --git a/queue-3.14/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch b/queue-3.14/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch new file mode 100644 index 00000000000..a5068800423 --- /dev/null +++ b/queue-3.14/mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch 
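Review bot: The new `if (!name || name[0] == '\0') return -EINVAL;` in _request_firmware() returns directly, whereas the failure path right below it leaves through `goto out`. If the `out:` label is where `*firmware_p` is cleared on error (not visible in this hunk), a caller that passed an uninitialized pointer and releases it on failure would act on stale data. Setting `*firmware_p = NULL;` before the return, or routing through the existing error path, keeps the out-parameter defined on every failing exit. `firmware_p` is already known to be non-NULL at that point.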
@@ -0,0 +1,40 @@ +From 4089b71cc820a426d601283c92fcd4ffeb5139c2 Mon Sep 17 00:00:00 2001 +From: Chris J Arges +Date: Tue, 23 Sep 2014 09:22:25 -0500 +Subject: mptfusion: enable no_write_same for vmware scsi disks + +From: Chris J Arges + +commit 4089b71cc820a426d601283c92fcd4ffeb5139c2 upstream. + +When using a virtual SCSI disk in a VMWare VM if blkdev_issue_zeroout is used +data can be improperly zeroed out using the mptfusion driver. This patch +disables write_same for this driver and the vmware subsystem_vendor which +ensures that manual zeroing out is used instead. + +BugLink: http://bugs.launchpad.net/bugs/1371591 +Reported-by: Bruce Lucas +Tested-by: Chris J Arges +Signed-off-by: Chris J Arges +Reviewed-by: Martin K. Petersen +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/message/fusion/mptspi.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/message/fusion/mptspi.c ++++ b/drivers/message/fusion/mptspi.c +@@ -1422,6 +1422,11 @@ mptspi_probe(struct pci_dev *pdev, const + goto out_mptspi_probe; + } + ++ /* VMWare emulation doesn't properly implement WRITE_SAME ++ */ ++ if (pdev->subsystem_vendor == 0x15AD) ++ sh->no_write_same = 1; ++ + spin_lock_irqsave(&ioc->FreeQlock, flags); + + /* Attach the SCSI Host to the IOC structure diff --git a/queue-3.14/qla2xxx-fix-shost-use-after-free-on-device-removal.patch b/queue-3.14/qla2xxx-fix-shost-use-after-free-on-device-removal.patch new file mode 100644 index 00000000000..4c26535000e --- /dev/null +++ b/queue-3.14/qla2xxx-fix-shost-use-after-free-on-device-removal.patch 
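Review bot: The vendor check in mptspi_probe() compares `pdev->subsystem_vendor` against the bare constant `0x15AD`. If this tree's pci_ids.h provides it, `PCI_VENDOR_ID_VMWARE` says the same thing by name: `if (pdev->subsystem_vendor == PCI_VENDOR_ID_VMWARE)`. The comment could also note that the quirk keys on the subsystem vendor alone, so it applies to every emulated adapter reporting that ID.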
@@ -0,0 +1,45 @@ +From db7157d4cfce6edf052452fb1d327d4d11b67f4c Mon Sep 17 00:00:00 2001 +From: Joe Lawrence +Date: Tue, 26 Aug 2014 17:10:41 -0400 +Subject: qla2xxx: Fix shost use-after-free on device removal + +From: Joe Lawrence + +commit db7157d4cfce6edf052452fb1d327d4d11b67f4c upstream. + +Once calling scsi_host_put, be careful to not access qla_hw_data through +the Scsi_Host private data (ie, scsi_qla_host base_vha). + +Fixes: fe1b806f4f71 ("qla2xxx: Refactor shutdown code so some functionality can be reused") +Signed-off-by: Joe Lawrence +Acked-by: Chad Dupuis +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -3039,10 +3039,8 @@ qla2x00_unmap_iobases(struct qla_hw_data + } + + static void +-qla2x00_clear_drv_active(scsi_qla_host_t *vha) ++qla2x00_clear_drv_active(struct qla_hw_data *ha) + { +- struct qla_hw_data *ha = vha->hw; +- + if (IS_QLA8044(ha)) { + qla8044_idc_lock(ha); + qla8044_clear_drv_active(ha); +@@ -3111,7 +3109,7 @@ qla2x00_remove_one(struct pci_dev *pdev) + + scsi_host_put(base_vha->host); + +- qla2x00_clear_drv_active(base_vha); ++ qla2x00_clear_drv_active(ha); + + qla2x00_unmap_iobases(ha); + diff --git a/queue-3.14/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch b/queue-3.14/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch new file mode 100644 index 00000000000..18eb9c08533 --- /dev/null +++ b/queue-3.14/qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch 
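Review bot: In qla2x00_remove_one() nothing at the `scsi_host_put(base_vha->host);` call marks `base_vha` as off-limits afterwards, which is the rule this fix depends on. The commit message says base_vha is the Scsi_Host private data, so a comment right after the put, e.g. `/* base_vha lives in the Scsi_Host private data and may be gone now; use ha only from here on */`, would guard against the same use-after-free being reintroduced. The rest of the function is outside the hunk, so any later `base_vha` use there should be checked as well.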
@@ -0,0 +1,34 @@ +From 75554b68ac1e018bca00d68a430b92ada8ab52dd Mon Sep 17 00:00:00 2001 +From: Arun Easi +Date: Thu, 25 Sep 2014 06:14:45 -0400 +Subject: qla2xxx: Use correct offset to req-q-out for reserve calculation + +From: Arun Easi + +commit 75554b68ac1e018bca00d68a430b92ada8ab52dd upstream. + +Signed-off-by: Arun Easi +Signed-off-by: Saurav Kashyap +Signed-off-by: Christoph Hellwig +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_target.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_target.c ++++ b/drivers/scsi/qla2xxx/qla_target.c +@@ -1382,12 +1382,10 @@ static inline void qlt_unmap_sg(struct s + static int qlt_check_reserve_free_req(struct scsi_qla_host *vha, + uint32_t req_cnt) + { +- struct qla_hw_data *ha = vha->hw; +- device_reg_t __iomem *reg = ha->iobase; + uint32_t cnt; + + if (vha->req->cnt < (req_cnt + 2)) { +- cnt = (uint16_t)RD_REG_DWORD(®->isp24.req_q_out); ++ cnt = (uint16_t)RD_REG_DWORD(vha->req->req_q_out); + + ql_dbg(ql_dbg_tgt, vha, 0xe00a, + "Request ring circled: cnt=%d, vha->->ring_index=%d, " diff --git a/queue-3.14/regmap-debugfs-fix-possbile-null-pointer-dereference.patch b/queue-3.14/regmap-debugfs-fix-possbile-null-pointer-dereference.patch new file mode 100644 index 00000000000..c9e4d574d7d --- /dev/null +++ b/queue-3.14/regmap-debugfs-fix-possbile-null-pointer-dereference.patch 
@@ -0,0 +1,53 @@ +From 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 Mon Sep 17 00:00:00 2001 +From: Xiubo Li +Date: Sun, 28 Sep 2014 11:35:25 +0800 +Subject: regmap: debugfs: fix possbile NULL pointer dereference + +From: Xiubo Li + +commit 2c98e0c1cc6b8e86f1978286c3d4e0769ee9d733 upstream. + +If 'map->dev' is NULL and there will lead dev_name() to be NULL pointer +dereference. So before dev_name(), we need to have check of the map->dev +pionter. + +We also should make sure that the 'name' pointer shouldn't be NULL for +debugfs_create_dir(). So here using one default "dummy" debugfs name when +the 'name' pointer and 'map->dev' are both NULL. + +Signed-off-by: Xiubo Li +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/regmap/regmap-debugfs.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/base/regmap/regmap-debugfs.c ++++ b/drivers/base/regmap/regmap-debugfs.c +@@ -473,6 +473,7 @@ void regmap_debugfs_init(struct regmap * + { + struct rb_node *next; + struct regmap_range_node *range_node; ++ const char *devname = "dummy"; + + /* If we don't have the debugfs root yet, postpone init */ + if (!regmap_debugfs_root) { +@@ -491,12 +492,15 @@ void regmap_debugfs_init(struct regmap * + INIT_LIST_HEAD(&map->debugfs_off_cache); + mutex_init(&map->cache_lock); + ++ if (map->dev) ++ devname = dev_name(map->dev); ++ + if (name) { + map->debugfs_name = kasprintf(GFP_KERNEL, "%s-%s", +- dev_name(map->dev), name); ++ devname, name); + name = map->debugfs_name; + } else { +- name = dev_name(map->dev); ++ name = devname; + } + + map->debugfs = debugfs_create_dir(name, regmap_debugfs_root); diff --git a/queue-3.14/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch b/queue-3.14/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch new file mode 100644 index 00000000000..1d1b03826fb --- /dev/null +++ b/queue-3.14/regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch 
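Review bot: The fallback `devname = "dummy"` in regmap_debugfs_init() is a fixed string, so two regmaps that both have a NULL `map->dev` and a NULL `name` would ask debugfs_create_dir() for the same directory name, and the second request would presumably fail. Appending a per-map counter to the fallback name would avoid the clash. Separately, the commit message wants `name` to be non-NULL, but in the `if (name)` branch the result of kasprintf() is assigned to `name` without a check, so an allocation failure still passes NULL on. The function continues outside the hunk.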
@@ -0,0 +1,41 @@
+From 5336be8416a71b5568d2cf54a2f2066abe9f2a53 Mon Sep 17 00:00:00 2001
+From: Pankaj Dubey
+Date: Sat, 27 Sep 2014 09:47:55 +0530
+Subject: regmap: fix NULL pointer dereference in _regmap_write/read
+
+From: Pankaj Dubey
+
+commit 5336be8416a71b5568d2cf54a2f2066abe9f2a53 upstream.
+
+If LOG_DEVICE is defined and map->dev is NULL it will lead to NULL
+pointer dereference. This patch fixes this issue by adding check for
+dev->NULL in all such places in regmap.c
+
+Signed-off-by: Pankaj Dubey
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1308,7 +1308,7 @@ int _regmap_write(struct regmap *map, un
+ }
+
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x <= %x\n", reg, val);
+ #endif
+
+@@ -1739,7 +1739,7 @@ static int _regmap_read(struct regmap *m
+ ret = map->reg_read(context, reg, val);
+ if (ret == 0) {
+ #ifdef LOG_DEVICE
+- if (strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
++ if (map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0)
+ dev_info(map->dev, "%x => %x\n", reg, *val);
+ #endif
+
diff --git a/queue-3.14/regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch b/queue-3.14/regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
new file mode 100644
index 00000000000..618225b65d3
--- /dev/null
+++ b/queue-3.14/regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
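Review bot: The guarded comparison `map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0` is now written out twice, once in _regmap_write() and once in _regmap_read(), and the changelog's "all such places" cannot be confirmed from these two inner hunks alone. Moving the test into one small `static inline bool` helper under `#ifdef LOG_DEVICE`, with the body `return map->dev && strcmp(dev_name(map->dev), LOG_DEVICE) == 0;`, would keep the NULL check in a single place, so a later LOG_DEVICE trace point cannot be added without it. Both functions start and end outside the hunks shown.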
@@ -0,0 +1,36 @@
+From d6b41cb06044a7d895db82bdd54f6e4219970510 Mon Sep 17 00:00:00 2001
+From: Xiubo Li
+Date: Sun, 28 Sep 2014 17:09:54 +0800
+Subject: regmap: fix possible ZERO_SIZE_PTR pointer dereferencing error.
+
+From: Xiubo Li
+
+commit d6b41cb06044a7d895db82bdd54f6e4219970510 upstream.
+
+Since we cannot make sure the 'val_count' will always be none zero
+here, and then if it equals to zero, the kmemdup() will return
+ZERO_SIZE_PTR, which equals to ((void *)16).
+
+So this patch fix this with just doing the zero check before calling
+kmemdup().
+
+Signed-off-by: Xiubo Li
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/base/regmap/regmap.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/base/regmap/regmap.c
++++ b/drivers/base/regmap/regmap.c
+@@ -1557,6 +1557,9 @@ int regmap_bulk_write(struct regmap *map
+ } else {
+ void *wval;
+
++ if (!val_count)
++ return -EINVAL;
++
+ wval = kmemdup(val, val_count * val_bytes, GFP_KERNEL);
+ if (!wval) {
+ ret = -ENOMEM;
diff --git a/queue-3.14/series b/queue-3.14/series
index 5e2f4ecbf8c..4ba38981742 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
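Review bot: The added `if (!val_count)` test rejects a zero count, but the size passed to kmemdup() is the product `val_count * val_bytes`, and nothing in the hunk bounds that multiplication. If a caller can supply a large `val_count`, the product can wrap, and the allocated size would then no longer correspond to `val_count`; how the rest of the function indexes `wval` is outside the hunk. A combined guard, `if (!val_count || val_count > SIZE_MAX / val_bytes) return -EINVAL;`, would cover both cases, assuming `val_bytes` is a non-zero size_t (its declaration is not shown). The other branch of the `if`/`else` is also outside the hunk, so whether a zero count yields the same error there should be checked.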
@@ -16,3 +16,19 @@ kvm-don-t-take-vcpu-mutex-for-obviously-invalid-vcpu-ioctls.patch
 x86-intel-quark-switch-off-cr4.pge-so-tlb-flush-uses-cr3-instead.patch
 spi-dw-mid-respect-8-bit-mode.patch
 spi-dw-mid-check-that-dma-was-inited-before-exit.patch
+regmap-debugfs-fix-possbile-null-pointer-dereference.patch
+regmap-fix-null-pointer-dereference-in-_regmap_write-read.patch
+regmap-fix-possible-zero_size_ptr-pointer-dereferencing-error.patch
+be2iscsi-check-ip-buffer-before-copying.patch
+mptfusion-enable-no_write_same-for-vmware-scsi-disks.patch
+qla2xxx-use-correct-offset-to-req-q-out-for-reserve-calculation.patch
+qla2xxx-fix-shost-use-after-free-on-device-removal.patch
+dmaengine-fix-xor-sources-continuation.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-probe-failure.patch
+dmaengine-pl330-fix-null-pointer-dereference-on-driver-unbind.patch
+firmware_class-make-sure-fw-requests-contain-a-name.patch
+drivers-hv-vmbus-cleanup-vmbus_post_msg.patch
+drivers-hv-vmbus-cleanup-vmbus_teardown_gpadl.patch
+drivers-hv-vmbus-cleanup-vmbus_close_internal.patch
+drivers-hv-vmbus-cleanup-vmbus_establish_gpadl.patch
+drivers-hv-vmbus-fix-a-bug-in-vmbus_open.patch