From 155ca7d3569b0e3fac34f558678fa19ba902edf9 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Tue, 25 Jun 2013 11:04:44 -0700
Subject: [PATCH] 3.9-stable patches
added patches:
spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
---
 queue-3.9/series | 2 +
 ...e-to-wrong-size-used-in-devm_kzalloc.patch | 68 +++++++++++++++++++
 ...se-gfp_atomic-in-sg-table-allocation.patch | 31 +++++++++
 3 files changed, 101 insertions(+)
 create mode 100644 queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
 create mode 100644 queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
diff --git a/queue-3.9/series b/queue-3.9/series
index a7dbef970e7..7bfba6fccf6 100644
--- a/queue-3.9/series
+++ b/queue-3.9/series
@@ -91,3 +91,5 @@ rbd-use-the-correct-length-for-format-2-object-names.patch
 perf-fix-perf-mmap-bugs.patch
 perf-fix-mmap-accounting-hole.patch
 drivers-uio-fix-uio-device-registration-failure.patch
+spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
+spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
diff --git a/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch b/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
new file mode 100644
index 00000000000..2596310cc39
--- /dev/null
+++ b/queue-3.9/spi-pxa2xx-fix-memory-corruption-due-to-wrong-size-used-in-devm_kzalloc.patch
@@ -0,0 +1,68 @@
+From cc0ee9873c6afafb387379ca1df25da78a08c603 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Thu, 20 Jun 2013 17:44:22 +0300
+Subject: spi/pxa2xx: fix memory corruption due to wrong size used in devm_kzalloc()
+
+From: Mika Westerberg
+
+commit cc0ee9873c6afafb387379ca1df25da78a08c603 upstream.
+
+ACPI part of the driver accidentally used sizeof(*ssp) instead of the
+correct sizeof(*pdata). This leads to nasty memory corruptions like the one
+below:
+
+ BUG: unable to handle kernel paging request at 0000000749fd30b8
+ IP: [] __list_del_entry+0x31/0xd0
+ PGD 0
+ Oops: 0000 [#1] PREEMPT SMP
+ Modules linked in:
+ CPU: 0 PID: 30 Comm: kworker/0:1 Not tainted 3.10.0-rc6v3.10-rc6_sdhci_modprobe+ #443
+ task: ffff8801483a0940 ti: ffff88014839e000 task.ti: ffff88014839e000
+ RIP: 0010:[] [] __list_del_entry+0x31/0xd0
+ RSP: 0000:ffff88014839fde8 EFLAGS: 00010046
+ RAX: ffff880149fd30b0 RBX: ffff880149fd3040 RCX: dead000000200200
+ RDX: 0000000749fd30b0 RSI: ffff880149fd3058 RDI: ffff88014834d640
+ RBP: ffff88014839fde8 R08: ffff88014834d640 R09: 0000000000000001
+ R10: ffff8801483a0940 R11: 0000000000000001 R12: ffff880149fd3040
+ R13: ffffffff810e0b30 R14: ffff8801483a0940 R15: ffff88014834d640
+ FS: 0000000000000000(0000) GS:ffff880149e00000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
+ CR2: 0000000000000168 CR3: 0000000001e0b000 CR4: 00000000001407f0
+ DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+ DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+ Stack:
+ ffff88014839fe48 ffffffff810e0baf ffffffff81120abd ffff88014839fe20
+ ffff8801483a0940 ffff8801483a0940 ffff8801483a0940 ffff8801486b1c90
+ ffff88014834d640 ffffffff810e0b30 0000000000000000 0000000000000000
+ Call Trace:
+ [] worker_thread+0x7f/0x390
+ [] ? trace_hardirqs_on+0xd/0x10
+ [] ? manage_workers.isra.22+0x2b0/0x2b0
+ [] kthread+0xd9/0xe0
+ [] ? local_clock+0x3f/0x50
+ [] ? kthread_create_on_node+0x110/0x110
+ [] ret_from_fork+0x7c/0xb0
+ [] ? kthread_create_on_node+0x110/0x110
+
+Fix this by using the right structure size in devm_kzalloc().
+
+Reported-by: Jerome Blin
+Signed-off-by: Mika Westerberg
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pxa2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -1069,7 +1069,7 @@ pxa2xx_spi_acpi_get_pdata(struct platfor
+ acpi_bus_get_device(ACPI_HANDLE(&pdev->dev), &adev))
+ return NULL;
+
+- pdata = devm_kzalloc(&pdev->dev, sizeof(*ssp), GFP_KERNEL);
++ pdata = devm_kzalloc(&pdev->dev, sizeof(*pdata), GFP_KERNEL);
+ if (!pdata) {
+ dev_err(&pdev->dev,
+ "failed to allocate memory for platform data\n");
diff --git a/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch b/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
new file mode 100644
index 00000000000..3be4fe74a44
--- /dev/null
+++ b/queue-3.9/spi-pxa2xx-use-gfp_atomic-in-sg-table-allocation.patch
@@ -0,0 +1,31 @@
+From 5548f98c46538d1da04eff179a52e50537d11465 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Tue, 18 Jun 2013 17:29:44 +0300
+Subject: spi/pxa2xx: use GFP_ATOMIC in sg table allocation
+
+From: Mika Westerberg
+
+commit 5548f98c46538d1da04eff179a52e50537d11465 upstream.
+
+pxa2xx_spi_map_dma_buffer() gets called in tasklet context so we can't
+sleep when we allocate a new sg table. Use GFP_ATOMIC here instead.
+
+Signed-off-by: Mika Westerberg
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pxa2xx-dma.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx-dma.c
++++ b/drivers/spi/spi-pxa2xx-dma.c
+@@ -59,7 +59,7 @@ static int pxa2xx_spi_map_dma_buffer(str
+ int ret;
+
+ sg_free_table(sgt);
+- ret = sg_alloc_table(sgt, nents, GFP_KERNEL);
++ ret = sg_alloc_table(sgt, nents, GFP_ATOMIC);
+ if (ret)
+ return ret;
+ }
-- 
2.47.3
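Review bot: The `sg_alloc_table(sgt, nents, GFP_ATOMIC)` call in pxa2xx_spi_map_dma_buffer() is now much more likely to fail under memory pressure, and it runs immediately after `sg_free_table(sgt)` has released the previous table. The hunk shows only `if (ret) return ret;`, and the caller's handling lies outside it, so it is worth confirming that a failure here ends the transfer cleanly (or falls back to a non-DMA path) and that no later code assumes the old table is still present. A short comment above the call, for example `/* called from tasklet context: must not sleep */`, would keep a later cleanup from switching the flag back to GFP_KERNEL. The function body starts and ends outside the hunk.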