From: Greg Kroah-Hartman
Date: Sat, 2 May 2015 17:25:08 +0000 (+0200)
Subject: 3.14-stable patches
X-Git-Tag: v3.10.77~29
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f8efc5892d9387722e93be108d6f01ce1100170d;p=thirdparty%2Fkernel%2Fstable-queue.git
3.14-stable patches
added patches:
drivers-hv-vmbus-fix-a-bug-in-the-error-path-in-vmbus_open.patch
i2c-core-export-bus-recovery-functions.patch
ib-core-disallow-registering-0-sized-memory-region.patch
ib-core-don-t-disallow-registering-region-starting-at-0x0.patch
ib-mlx4-fix-wqe-lso-segment-calculation.patch
mvsas-fix-panic-on-expander-attached-sata-devices.patch
stk1160-make-sure-current-buffer-is-released.patch
---
diff --git a/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-the-error-path-in-vmbus_open.patch b/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-the-error-path-in-vmbus_open.patch
new file mode 100644
index 00000000000..b68142a4f68
--- /dev/null
+++ b/queue-3.14/drivers-hv-vmbus-fix-a-bug-in-the-error-path-in-vmbus_open.patch
@@ -0,0 +1,49 @@
+From 40384e4bbeb9f2651fe9bffc0062d9f31ef625bf Mon Sep 17 00:00:00 2001
+From: "K. Y. Srinivasan"
+Date: Fri, 27 Feb 2015 11:26:04 -0800
+Subject: Drivers: hv: vmbus: Fix a bug in the error path in vmbus_open()
+
+From: "K. Y. Srinivasan"
+
+commit 40384e4bbeb9f2651fe9bffc0062d9f31ef625bf upstream.
+
+Correctly rollback state if the failure occurs after we have handed over
+the ownership of the buffer to the host.
+
+Signed-off-by: K. Y. Srinivasan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hv/channel.c | 7 +++++--
+ 1 file changed, 5 insertions(+), 2 deletions(-)
+
+--- a/drivers/hv/channel.c
++++ b/drivers/hv/channel.c
+@@ -134,7 +134,7 @@ int vmbus_open(struct vmbus_channel *new
+ GFP_KERNEL);
+ if (!open_info) {
+ err = -ENOMEM;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ init_completion(&open_info->waitevent);
+@@ -150,7 +150,7 @@ int vmbus_open(struct vmbus_channel *new
+
+ if (userdatalen > MAX_USER_DEFINED_BYTES) {
+ err = -EINVAL;
+- goto error0;
++ goto error_gpadl;
+ }
+
+ if (userdatalen)
+@@ -194,6 +194,9 @@ error1:
+ list_del(&open_info->msglistentry);
+ spin_unlock_irqrestore(&vmbus_connection.channelmsg_lock, flags);
+
++error_gpadl:
++ vmbus_teardown_gpadl(newchannel, newchannel->ringbuffer_gpadlhandle);
++
+ error0:
+ free_pages((unsigned long)out,
+ get_order(send_ringbuffer_size + recv_ringbuffer_size));
diff --git a/queue-3.14/i2c-core-export-bus-recovery-functions.patch b/queue-3.14/i2c-core-export-bus-recovery-functions.patch
new file mode 100644
index 00000000000..d69b9e5833f
--- /dev/null
+++ b/queue-3.14/i2c-core-export-bus-recovery-functions.patch
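Review bot: The new `error_gpadl:` path discards the return value of `vmbus_teardown_gpadl()` and then falls through to `error0:`, where `free_pages()` releases the ring buffer unconditionally. According to the commit message the host owns that buffer at this point, so if the teardown can fail (its return type is not visible in the hunk) the pages would go back to the allocator while the host may still be able to write to them. Consider checking the result and, on failure, branching to a label placed after the `free_pages()` call, accepting a leak rather than freeing shared memory. A comment at the label, `/* error1 falls through: revoke the host's access to the ring buffer before freeing it */`, would also make the deliberate fall-through explicit. Most of vmbus_open() lies outside the hunks shown.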
@@ -0,0 +1,54 @@
+From c1c21f4e60ed4523292f1a89ff45a208bddd3849 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Wed, 15 Apr 2015 19:18:39 +0100
+Subject: i2c: core: Export bus recovery functions
+
+From: Mark Brown
+
+commit c1c21f4e60ed4523292f1a89ff45a208bddd3849 upstream.
+
+Current -next fails to link an ARM allmodconfig because drivers that use
+the core recovery functions can be built as modules but those functions
+are not exported:
+
+ERROR: "i2c_generic_gpio_recovery" [drivers/i2c/busses/i2c-davinci.ko] undefined!
+ERROR: "i2c_generic_scl_recovery" [drivers/i2c/busses/i2c-davinci.ko] undefined!
+ERROR: "i2c_recover_bus" [drivers/i2c/busses/i2c-davinci.ko] undefined!
+
+Add exports to fix this.
+
+Fixes: 5f9296ba21b3c (i2c: Add bus recovery infrastructure)
+Signed-off-by: Mark Brown
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/i2c-core.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/i2c/i2c-core.c
++++ b/drivers/i2c/i2c-core.c
+@@ -217,6 +217,7 @@ int i2c_generic_scl_recovery(struct i2c_
+ adap->bus_recovery_info->set_scl(adap, 1);
+ return i2c_generic_recovery(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_scl_recovery);
+
+ int i2c_generic_gpio_recovery(struct i2c_adapter *adap)
+ {
+@@ -231,6 +232,7 @@ int i2c_generic_gpio_recovery(struct i2c
+
+ return ret;
+ }
++EXPORT_SYMBOL_GPL(i2c_generic_gpio_recovery);
+
+ int i2c_recover_bus(struct i2c_adapter *adap)
+ {
+@@ -240,6 +242,7 @@ int i2c_recover_bus(struct i2c_adapter *
+ dev_dbg(&adap->dev, "Trying i2c bus recovery\n");
+ return adap->bus_recovery_info->recover_bus(adap);
+ }
++EXPORT_SYMBOL_GPL(i2c_recover_bus);
+
+ static int i2c_device_probe(struct device *dev)
+ {
diff --git a/queue-3.14/ib-core-disallow-registering-0-sized-memory-region.patch b/queue-3.14/ib-core-disallow-registering-0-sized-memory-region.patch
new file mode 100644
index 00000000000..03673639150
--- /dev/null
+++ b/queue-3.14/ib-core-disallow-registering-0-sized-memory-region.patch
@@ -0,0 +1,43 @@
+From 8abaae62f3fdead8f4ce0ab46b4ab93dee39bab2 Mon Sep 17 00:00:00 2001
+From: Yann Droneaud
+Date: Mon, 13 Apr 2015 14:56:22 +0200
+Subject: IB/core: disallow registering 0-sized memory region
+
+From: Yann Droneaud
+
+commit 8abaae62f3fdead8f4ce0ab46b4ab93dee39bab2 upstream.
+
+If ib_umem_get() is called with a size equal to 0 and an
+non-page aligned address, one page will be pinned and a
+0-sized umem will be returned to the caller.
+
+This should not be allowed: it's not expected for a memory
+region to have a size equal to 0.
+
+This patch adds a check to explicitly refuse to register
+a 0-sized region.
+
+Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
+Cc: Shachar Raindel
+Cc: Jack Morgenstein
+Cc: Or Gerlitz
+Signed-off-by: Yann Droneaud
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -94,6 +94,9 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ if (dmasync)
+ dma_set_attr(DMA_ATTR_WRITE_BARRIER, &attrs);
+
++ if (!size)
++ return ERR_PTR(-EINVAL);
++
+ /*
+ * If the combination of the addr and size requested for this memory
+ * region causes an integer overflow, return error.
diff --git a/queue-3.14/ib-core-don-t-disallow-registering-region-starting-at-0x0.patch b/queue-3.14/ib-core-don-t-disallow-registering-region-starting-at-0x0.patch
new file mode 100644
index 00000000000..4c25590c93d
--- /dev/null
+++ b/queue-3.14/ib-core-don-t-disallow-registering-region-starting-at-0x0.patch
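Review bot: The added `if (!size)` test in ib_umem_get() has no comment, although its reason is not obvious from the code: per the commit message, a zero size combined with an unaligned address would still pin one page and hand back a 0-sized umem. A short comment would keep a later cleanup from dropping the check, for example `/* size == 0 with an unaligned addr would still pin a page; refuse it */`. The function body continues outside the hunk.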
@@ -0,0 +1,55 @@
+From 66578b0b2f69659f00b6169e6fe7377c4b100d18 Mon Sep 17 00:00:00 2001
+From: Yann Droneaud
+Date: Mon, 13 Apr 2015 14:56:23 +0200
+Subject: IB/core: don't disallow registering region starting at 0x0
+
+From: Yann Droneaud
+
+commit 66578b0b2f69659f00b6169e6fe7377c4b100d18 upstream.
+
+In a call to ib_umem_get(), if address is 0x0 and size is
+already page aligned, check added in commit 8494057ab5e4
+("IB/uverbs: Prevent integer overflow in ib_umem_get address
+arithmetic") will refuse to register a memory region that
+could otherwise be valid (provided vm.mmap_min_addr sysctl
+and mmap_low_allowed SELinux knobs allow userspace to map
+something at address 0x0).
+
+This patch allows back such registration: ib_umem_get()
+should probably don't care of the base address provided it
+can be pinned with get_user_pages().
+
+There's two possible overflows, in (addr + size) and in
+PAGE_ALIGN(addr + size), this patch keep ensuring none
+of them happen while allowing to pin memory at address
+0x0. Anyway, the case of size equal 0 is no more (partially)
+handled as 0-length memory region are disallowed by an
+earlier check.
+
+Link: http://mid.gmane.org/cover.1428929103.git.ydroneaud@opteya.com
+Cc: Shachar Raindel
+Cc: Jack Morgenstein
+Cc: Or Gerlitz
+Signed-off-by: Yann Droneaud
+Reviewed-by: Sagi Grimberg
+Reviewed-by: Haggai Eran
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/core/umem.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/infiniband/core/umem.c
++++ b/drivers/infiniband/core/umem.c
+@@ -101,8 +101,8 @@ struct ib_umem *ib_umem_get(struct ib_uc
+ * If the combination of the addr and size requested for this memory
+ * region causes an integer overflow, return error.
+ */
+- if ((PAGE_ALIGN(addr + size) <= size) ||
+- (PAGE_ALIGN(addr + size) <= addr))
++ if (((addr + size) < addr) ||
++ PAGE_ALIGN(addr + size) < (addr + size))
+ return ERR_PTR(-EINVAL);
+
+ if (!can_do_mlock())
diff --git a/queue-3.14/ib-mlx4-fix-wqe-lso-segment-calculation.patch b/queue-3.14/ib-mlx4-fix-wqe-lso-segment-calculation.patch
new file mode 100644
index 00000000000..b9accda560d
--- /dev/null
+++ b/queue-3.14/ib-mlx4-fix-wqe-lso-segment-calculation.patch
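Review bot: The rewritten test `((addr + size) < addr) || PAGE_ALIGN(addr + size) < (addr + size)` no longer rejects `size == 0`, so it is complete only when the `!size` check from ib-core-disallow-registering-0-sized-memory-region.patch is applied first; the series file does list that patch earlier. The wraparound comparison also relies on `addr` and `size` being unsigned, and their declarations are outside the hunk, so that should be confirmed. The existing comment above the test could record both facts, for instance `* size is known to be non-zero here; neither addr + size nor its page-aligned value may wrap.`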
@@ -0,0 +1,48 @@
+From ca9b590caa17bcbbea119594992666e96cde9c2f Mon Sep 17 00:00:00 2001
+From: Erez Shitrit
+Date: Thu, 2 Apr 2015 13:39:05 +0300
+Subject: IB/mlx4: Fix WQE LSO segment calculation
+
+From: Erez Shitrit
+
+commit ca9b590caa17bcbbea119594992666e96cde9c2f upstream.
+
+The current code decreases from the mss size (which is the gso_size
+from the kernel skb) the size of the packet headers.
+
+It shouldn't do that because the mss that comes from the stack
+(e.g IPoIB) includes only the tcp payload without the headers.
+
+The result is indication to the HW that each packet that the HW sends
+is smaller than what it could be, and too many packets will be sent
+for big messages.
+
+An easy way to demonstrate one more aspect of the problem is by
+configuring the ipoib mtu to be less than 2*hlen (2*56) and then
+run app sending big TCP messages. This will tell the HW to send packets
+with giant (negative value which under unsigned arithmetics becomes
+a huge positive one) length and the QP moves to SQE state.
+
+Fixes: b832be1e4007 ('IB/mlx4: Add IPoIB LSO support')
+Reported-by: Matthew Finlay
+Signed-off-by: Erez Shitrit
+Signed-off-by: Or Gerlitz
+Signed-off-by: Doug Ledford
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/infiniband/hw/mlx4/qp.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/infiniband/hw/mlx4/qp.c
++++ b/drivers/infiniband/hw/mlx4/qp.c
+@@ -2274,8 +2274,7 @@ static int build_lso_seg(struct mlx4_wqe
+
+ memcpy(wqe->header, wr->wr.ud.header, wr->wr.ud.hlen);
+
+- *lso_hdr_sz = cpu_to_be32((wr->wr.ud.mss - wr->wr.ud.hlen) << 16 |
+- wr->wr.ud.hlen);
++ *lso_hdr_sz = cpu_to_be32(wr->wr.ud.mss << 16 | wr->wr.ud.hlen);
+ *lso_seg_len = halign;
+ return 0;
+ }
diff --git a/queue-3.14/mvsas-fix-panic-on-expander-attached-sata-devices.patch b/queue-3.14/mvsas-fix-panic-on-expander-attached-sata-devices.patch
new file mode 100644
index 00000000000..ed15c95e9e3
--- /dev/null
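Review bot: In build_lso_seg() the new expression `wr->wr.ud.mss << 16 | wr->wr.ud.hlen` packs two caller-supplied fields into one 32-bit word with no range check visible in the hunk; if `mss` or `hlen` needs more than 16 bits, the fields overlap or lose bits (their types are declared outside the hunk, so this is to be confirmed). The `memcpy()` two lines above also copies `hlen` bytes into `wqe->header`, and whether `hlen` is bounded earlier in the function cannot be seen here. Parenthesising the shift, `cpu_to_be32((wr->wr.ud.mss << 16) | wr->wr.ud.hlen)`, would make the packing explicit, and a comment stating the valid ranges of both fields would document the contract with the hardware.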
+++ b/queue-3.14/mvsas-fix-panic-on-expander-attached-sata-devices.patch 
@@ -0,0 +1,54 @@
+From 56cbd0ccc1b508de19561211d7ab9e1c77e6b384 Mon Sep 17 00:00:00 2001
+From: James Bottomley
+Date: Wed, 15 Apr 2015 22:16:01 -0700
+Subject: mvsas: fix panic on expander attached SATA devices
+
+From: James Bottomley
+
+commit 56cbd0ccc1b508de19561211d7ab9e1c77e6b384 upstream.
+
+mvsas is giving a General protection fault when it encounters an expander
+attached ATA device. Analysis of mvs_task_prep_ata() shows that the driver is
+assuming all ATA devices are locally attached and obtaining the phy mask by
+indexing the local phy table (in the HBA structure) with the phy id. Since
+expanders have many more phys than the HBA, this is causing the index into the
+HBA phy table to overflow and returning rubbish as the pointer.
+
+mvs_task_prep_ssp() instead does the phy mask using the port properties.
+Mirror this in mvs_task_prep_ata() to fix the panic.
+
+Reported-by: Adam Talbot
+Tested-by: Adam Talbot
+Signed-off-by: James Bottomley
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/mvsas/mv_sas.c | 5 +----
+ 1 file changed, 1 insertion(+), 4 deletions(-)
+
+--- a/drivers/scsi/mvsas/mv_sas.c
++++ b/drivers/scsi/mvsas/mv_sas.c
+@@ -441,14 +441,11 @@ static u32 mvs_get_ncq_tag(struct sas_ta
+ static int mvs_task_prep_ata(struct mvs_info *mvi,
+ struct mvs_task_exec_info *tei)
+ {
+- struct sas_ha_struct *sha = mvi->sas;
+ struct sas_task *task = tei->task;
+ struct domain_device *dev = task->dev;
+ struct mvs_device *mvi_dev = dev->lldd_dev;
+ struct mvs_cmd_hdr *hdr = tei->hdr;
+ struct asd_sas_port *sas_port = dev->port;
+- struct sas_phy *sphy = dev->phy;
+- struct asd_sas_phy *sas_phy = sha->sas_phy[sphy->number];
+ struct mvs_slot_info *slot;
+ void *buf_prd;
+ u32 tag = tei->tag, hdr_tag;
+@@ -468,7 +465,7 @@ static int mvs_task_prep_ata(struct mvs_
+ slot->tx = mvi->tx_prod;
+ del_q = TXQ_MODE_I | tag |
+ (TXQ_CMD_STP << TXQ_CMD_SHIFT) |
+- (MVS_PHY_ID << TXQ_PHY_SHIFT) |
++ ((sas_port->phy_mask & TXQ_PHY_MASK) << TXQ_PHY_SHIFT) |
+ (mvi_dev->taskfileset << TXQ_SRS_SHIFT);
+ mvi->tx[mvi->tx_prod] = cpu_to_le32(del_q);
+
diff --git a/queue-3.14/series b/queue-3.14/series
index b8c31064995..e97ef5834f1 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
@@ -71,3 +71,10 @@ gpio-clamp-returned-values-to-the-boolean-range.patch
 clk-tegra-register-the-proper-number-of-resets.patch
 clk-qcom-fix-rcg-m-n-counter-configuration.patch
 dm-crypt-fix-deadlock-when-async-crypto-algorithm-returns-ebusy.patch
+drivers-hv-vmbus-fix-a-bug-in-the-error-path-in-vmbus_open.patch
+mvsas-fix-panic-on-expander-attached-sata-devices.patch
+stk1160-make-sure-current-buffer-is-released.patch
+ib-core-disallow-registering-0-sized-memory-region.patch
+ib-core-don-t-disallow-registering-region-starting-at-0x0.patch
+ib-mlx4-fix-wqe-lso-segment-calculation.patch
+i2c-core-export-bus-recovery-functions.patch
diff --git a/queue-3.14/stk1160-make-sure-current-buffer-is-released.patch b/queue-3.14/stk1160-make-sure-current-buffer-is-released.patch
new file mode 100644
index 00000000000..6c8c6deb10b
--- /dev/null
+++ b/queue-3.14/stk1160-make-sure-current-buffer-is-released.patch
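Review bot: The replacement `(sas_port->phy_mask & TXQ_PHY_MASK)` in mvs_task_prep_ata() removes the unbounded `sha->sas_phy[sphy->number]` lookup, but nothing in the code records why the port mask must be used instead. A comment such as `/* take the phy mask from the port: for expander-attached devices dev->phy->number is an expander phy index and must not index the HBA phy table */` would keep the out-of-range lookup from being reintroduced. If other task-prep paths in mv_sas.c still use `MVS_PHY_ID` or index `sha->sas_phy[]` with a device phy number (not visible on this page), they deserve the same audit. The function body continues outside the hunk.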
@@ -0,0 +1,55 @@
+From aeff09276748b66072f2db2e668cec955cf41959 Mon Sep 17 00:00:00 2001
+From: Ezequiel Garcia
+Date: Tue, 10 Mar 2015 11:37:14 -0300
+Subject: [media] stk1160: Make sure current buffer is released
+
+From: Ezequiel Garcia
+
+commit aeff09276748b66072f2db2e668cec955cf41959 upstream.
+
+The available (i.e. not used) buffers are returned by stk1160_clear_queue(),
+on the stop_streaming() path. However, this is insufficient and the current
+buffer must be released as well. Fix it.
+
+Signed-off-by: Ezequiel Garcia
+Signed-off-by: Hans Verkuil
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/usb/stk1160/stk1160-v4l.c | 17 +++++++++++++++--
+ 1 file changed, 15 insertions(+), 2 deletions(-)
+
+--- a/drivers/media/usb/stk1160/stk1160-v4l.c
++++ b/drivers/media/usb/stk1160/stk1160-v4l.c
+@@ -244,6 +244,11 @@ static int stk1160_stop_streaming(struct
+ if (mutex_lock_interruptible(&dev->v4l_lock))
+ return -ERESTARTSYS;
+
++ /*
++ * Once URBs are cancelled, the URB complete handler
++ * won't be running. This is required to safely release the
++ * current buffer (dev->isoc_ctl.buf).
++ */
+ stk1160_cancel_isoc(dev);
+
+ /*
+@@ -624,8 +629,16 @@ void stk1160_clear_queue(struct stk1160
+ stk1160_info("buffer [%p/%d] aborted\n",
+ buf, buf->vb.v4l2_buf.index);
+ }
+- /* It's important to clear current buffer */
+- dev->isoc_ctl.buf = NULL;
++
++ /* It's important to release the current buffer */
++ if (dev->isoc_ctl.buf) {
++ buf = dev->isoc_ctl.buf;
++ dev->isoc_ctl.buf = NULL;
++
++ vb2_buffer_done(&buf->vb, VB2_BUF_STATE_ERROR);
++ stk1160_info("buffer [%p/%d] aborted\n",
++ buf, buf->vb.v4l2_buf.index);
++ }
+ spin_unlock_irqrestore(&dev->buf_lock, flags);
+ }
+
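Review bot: stk1160_clear_queue() now completes `dev->isoc_ctl.buf` with `vb2_buffer_done()`, which is safe only if no URB completion handler still holds that pointer, yet the precondition is documented in stk1160_stop_streaming() and not on stk1160_clear_queue() itself, a non-static function. The comment added above `stk1160_cancel_isoc(dev)` also assumes the cancel is synchronous; if that helper can unlink URBs asynchronously (its body is not shown), a handler could still run after it returns and touch a buffer already handed back, so this should be confirmed. I would put the requirement next to the new block, `/* Caller must have cancelled all isoc URBs: the completion handler must no longer use this buffer */`. The block also repeats the `vb2_buffer_done()` and `stk1160_info()` pair from the loop above it and could share a small helper.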