From 48be622a9511fde207e3511080db9f4b8e4a7c33 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 23 Jan 2012 12:11:00 -0800
Subject: [PATCH] 3.2-stable patches
added patches:
cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
iwlagn-check-for-smps-mode.patch
iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
kprobes-initialize-before-using-a-hlist.patch
mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
proc-clear_refs-do-not-clear-reserved-pages.patch
score-fix-off-by-one-index-into-syscall-table.patch
---
 ...ze-when-unix-extensions-are-not-used.patch | 64 ++++++++++++++
 queue-3.2/iwlagn-check-for-smps-mode.patch | 46 ++++++++++
 ...ix-hw-passive-scan-on-radar-channels.patch | 57 ++++++++++++
 ...obes-initialize-before-using-a-hlist.patch | 47 ++++++++++
 ...ereference-in-__count_immobile_pages.patch | 88 +++++++++++++++++++
 ...ear_refs-do-not-clear-reserved-pages.patch | 62 +++++++++++++
 ...-off-by-one-index-into-syscall-table.patch | 44 ++++++++++
 queue-3.2/series | 7 ++
 8 files changed, 415 insertions(+)
 create mode 100644 queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
 create mode 100644 queue-3.2/iwlagn-check-for-smps-mode.patch
 create mode 100644 queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
 create mode 100644 queue-3.2/kprobes-initialize-before-using-a-hlist.patch
 create mode 100644 queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
 create mode 100644 queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch
 create mode 100644 queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch
diff --git a/queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch b/queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
new file mode 100644
index 00000000000..73fd8844a59
--- /dev/null
+++ b/queue-3.2/cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
@@ -0,0 +1,64 @@
+From ce91acb3acae26f4163c5a6f1f695d1a1e8d9009 Mon Sep 17 00:00:00 2001
+From: Jeff Layton
+Date: Tue, 17 Jan 2012 16:08:51 -0500
+Subject: cifs: lower default wsize when unix extensions are not used
+
+From: Jeff Layton
+
+commit ce91acb3acae26f4163c5a6f1f695d1a1e8d9009 upstream.
+
+We've had some reports of servers (namely, the Solaris in-kernel CIFS
+server) that don't deal properly with writes that are "too large" even
+though they set CAP_LARGE_WRITE_ANDX. Change the default to better
+mirror what windows clients do.
+
+Cc: Pavel Shilovsky
+Reported-by: Nick Davis
+Signed-off-by: Jeff Layton
+Signed-off-by: Steve French
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/cifs/connect.c | 23 +++++++++++++++++++----
+ 1 file changed, 19 insertions(+), 4 deletions(-)
+
+--- a/fs/cifs/connect.c
++++ b/fs/cifs/connect.c
+@@ -2914,18 +2914,33 @@ void cifs_setup_cifs_sb(struct smb_vol *
+ #define CIFS_DEFAULT_IOSIZE (1024 * 1024)
+
+ /*
+- * Windows only supports a max of 60k reads. Default to that when posix
+- * extensions aren't in force.
++ * Windows only supports a max of 60kb reads and 65535 byte writes. Default to
++ * those values when posix extensions aren't in force. In actuality here, we
++ * use 65536 to allow for a write that is a multiple of 4k. Most servers seem
++ * to be ok with the extra byte even though Windows doesn't send writes that
++ * are that large.
++ *
++ * Citation:
++ *
++ * http://blogs.msdn.com/b/openspecification/archive/2009/04/10/smb-maximum-transmit-buffer-size-and-performance-tuning.aspx
+ */
+ #define CIFS_DEFAULT_NON_POSIX_RSIZE (60 * 1024)
++#define CIFS_DEFAULT_NON_POSIX_WSIZE (65536)
+
+ static unsigned int
+ cifs_negotiate_wsize(struct cifs_tcon *tcon, struct smb_vol *pvolume_info)
+ {
+ __u64 unix_cap = le64_to_cpu(tcon->fsUnixInfo.Capability);
+ struct TCP_Server_Info *server = tcon->ses->server;
+- unsigned int wsize = pvolume_info->wsize ? pvolume_info->wsize :
+- CIFS_DEFAULT_IOSIZE;
++ unsigned int wsize;
++
++ /* start with specified wsize, or default */
++ if (pvolume_info->wsize)
++ wsize = pvolume_info->wsize;
++ else if (tcon->unix_ext && (unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
++ wsize = CIFS_DEFAULT_IOSIZE;
++ else
++ wsize = CIFS_DEFAULT_NON_POSIX_WSIZE;
+
+ /* can server support 24-bit write sizes? (via UNIX extensions) */
+ if (!tcon->unix_ext || !(unix_cap & CIFS_UNIX_LARGE_WRITE_CAP))
diff --git a/queue-3.2/iwlagn-check-for-smps-mode.patch b/queue-3.2/iwlagn-check-for-smps-mode.patch
new file mode 100644
index 00000000000..6e0cdddda7a
--- /dev/null
+++ b/queue-3.2/iwlagn-check-for-smps-mode.patch
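Review bot: The new `#define CIFS_DEFAULT_NON_POSIX_WSIZE (65536)` sits directly under `CIFS_DEFAULT_NON_POSIX_RSIZE (60 * 1024)` but is spelled as a bare literal; writing it as `#define CIFS_DEFAULT_NON_POSIX_WSIZE (64 * 1024)` mirrors its neighbour and makes the "multiple of 4k" rationale in the rewritten comment visible at the definition itself. In the new if/else chain a mount-supplied `pvolume_info->wsize` still wins unconditionally, so the sanity cap on a user-chosen value can only live in the `if (!tcon->unix_ext || ...)` branch, which continues past the last line of the hunk and cannot be checked here. The body of `cifs_negotiate_wsize` ends outside the hunk.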
@@ -0,0 +1,46 @@
+From b2ccccdca46273c7b321ecf5041c362cd950da20 Mon Sep 17 00:00:00 2001
+From: Wey-Yi Guy
+Date: Thu, 10 Nov 2011 06:55:04 -0800
+Subject: iwlagn: check for SMPS mode
+
+From: Wey-Yi Guy
+
+commit b2ccccdca46273c7b321ecf5041c362cd950da20 upstream.
+
+Check and report WARN only when its invalid
+
+Resolves:
+https://bugzilla.kernel.org/show_bug.cgi?id=42621
+https://bugzilla.redhat.com/show_bug.cgi?id=766071
+
+Signed-off-by: Wey-Yi Guy
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 1 +
+ drivers/net/wireless/iwlwifi/iwl-agn-rxon.c | 3 +++
+ 2 files changed, 4 insertions(+)
+
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c
+@@ -827,6 +827,7 @@ static int iwl_get_idle_rx_chain_count(s
+ case IEEE80211_SMPS_STATIC:
+ case IEEE80211_SMPS_DYNAMIC:
+ return IWL_NUM_IDLE_CHAINS_SINGLE;
++ case IEEE80211_SMPS_AUTOMATIC:
+ case IEEE80211_SMPS_OFF:
+ return active_cnt;
+ default:
+--- a/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
++++ b/drivers/net/wireless/iwlwifi/iwl-agn-rxon.c
+@@ -559,6 +559,9 @@ int iwlagn_mac_config(struct ieee80211_h
+
+ mutex_lock(&priv->shrd->mutex);
+
++ if (test_bit(STATUS_EXIT_PENDING, &priv->shrd->status))
++ goto out;
++
+ if (unlikely(test_bit(STATUS_SCANNING, &priv->shrd->status))) {
+ IWL_DEBUG_MAC80211(priv, "leave - scanning\n");
+ goto out;
diff --git a/queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch b/queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
new file mode 100644
index 00000000000..dcc66be1d6b
--- /dev/null
+++ b/queue-3.2/iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
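Review bot: The new STATUS_EXIT_PENDING early exit in `iwlagn_mac_config` (iwl-agn-rxon.c hunk) jumps to `out` silently, whereas the STATUS_SCANNING branch right below it logs why it bailed; for consistency and for diagnosing a config call that was dropped during teardown, add `IWL_DEBUG_MAC80211(priv, "leave - EXIT_PENDING\n");` before the new `goto out;`. The `out:` label is outside the hunk, so it is presumed to release `priv->shrd->mutex` the same way the scanning path relies on. Note also that the embedded description ("Check and report WARN only when its invalid") only accounts for the SMPS_AUTOMATIC case added in iwl-agn-lib.c; the rxon.c change is not mentioned, so a reader of the backport cannot tell whether it was intended as part of the fix.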
@@ -0,0 +1,57 @@
+From 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f Mon Sep 17 00:00:00 2001
+From: Stanislaw Gruszka
+Date: Fri, 23 Dec 2011 08:13:50 +0100
+Subject: iwlegacy: 3945: fix hw passive scan on radar channels
+
+From: Stanislaw Gruszka
+
+commit 68acc4afb040d98ddfd2cae0de09e2f4e1ee127f upstream.
+
+Patch fix firmware error on "iw dev wlan0 scan passive" for
+hardware scanning (with disable_hw_scan=0 module parameter).
+
+ iwl3945 0000:03:00.0: Microcode SW error detected. Restarting 0x82000008.
+ iwl3945 0000:03:00.0: Loaded firmware version: 15.32.2.9
+ iwl3945 0000:03:00.0: Start IWL Error Log Dump:
+ iwl3945 0000:03:00.0: Status: 0x0002A2E4, count: 1
+ iwl3945 0000:03:00.0: Desc Time asrtPC blink2 ilink1 nmiPC Line
+ iwl3945 0000:03:00.0: SYSASSERT (0x5) 0041263900 0x13756 0x0031C 0x00000 764
+ iwl3945 0000:03:00.0: Error Reply type 0x000002FC cmd C_SCAN (0x80) seq 0x443E ser 0x00340000
+ iwl3945 0000:03:00.0: Command C_SCAN failed: FW Error
+ iwl3945 0000:03:00.0: Can't stop Rx DMA.
+
+We have disable ability to change passive scanning to active on
+particular channel when traffic is detected on that channel. Otherwise
+firmware will report error, when we try to do passive scan on radar
+channels.
+
+Reported-and-debugged-by: Pedro Francisco
+Signed-off-by: Stanislaw Gruszka
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/iwlegacy/iwl3945-base.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/drivers/net/wireless/iwlegacy/iwl3945-base.c
++++ b/drivers/net/wireless/iwlegacy/iwl3945-base.c
+@@ -2656,14 +2656,13 @@ int iwl3945_request_scan(struct iwl_priv
+ IWL_WARN(priv, "Invalid scan band\n");
+ return -EIO;
+ }
+-
+ /*
+- * If active scaning is requested but a certain channel
+- * is marked passive, we can do active scanning if we
+- * detect transmissions.
++ * If active scaning is requested but a certain channel is marked
++ * passive, we can do active scanning if we detect transmissions. For
++ * passive only scanning disable switching to active on any channel.
+ */
+ scan->good_CRC_th = is_active ? IWL_GOOD_CRC_TH_DEFAULT :
+- IWL_GOOD_CRC_TH_DISABLED;
++ IWL_GOOD_CRC_TH_NEVER;
+
+ len = iwl_legacy_fill_probe_req(priv, (struct ieee80211_mgmt *)scan->data,
+ vif->addr, priv->scan_request->ie,
diff --git a/queue-3.2/kprobes-initialize-before-using-a-hlist.patch b/queue-3.2/kprobes-initialize-before-using-a-hlist.patch
new file mode 100644
index 00000000000..5ecef6a8645
--- /dev/null
+++ b/queue-3.2/kprobes-initialize-before-using-a-hlist.patch
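Review bot: The replacement constant `IWL_GOOD_CRC_TH_NEVER` is not defined anywhere in this patch, so the backport compiles only if the 3.2 iwlegacy headers already carry it; that is not visible on this page and is worth confirming before the patch is queued, since a missing definition would fail the build rather than silently misbehave. Separately, the rewritten comment keeps the misspelling "scaning" from the old text; as the three lines are being replaced anyway, the first could read `* If active scanning is requested but a certain channel is marked`. The enclosing `iwl3945_request_scan` starts and ends outside the hunk.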
@@ -0,0 +1,47 @@
+From d496aab567e7e52b3e974c9192a5de6e77dce32c Mon Sep 17 00:00:00 2001
+From: Ananth N Mavinakayanahalli
+Date: Fri, 20 Jan 2012 14:34:04 -0800
+Subject: kprobes: initialize before using a hlist
+
+From: Ananth N Mavinakayanahalli
+
+commit d496aab567e7e52b3e974c9192a5de6e77dce32c upstream.
+
+Commit ef53d9c5e ("kprobes: improve kretprobe scalability with hashed
+locking") introduced a bug where we can potentially leak
+kretprobe_instances since we initialize a hlist head after having used
+it.
+
+Initialize the hlist head before using it.
+
+Reported by: Jim Keniston
+Acked-by: Jim Keniston
+Signed-off-by: Ananth N Mavinakayanahalli
+Acked-by: Masami Hiramatsu
+Cc: Srinivasa D S
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kprobes.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/kprobes.c
++++ b/kernel/kprobes.c
+@@ -1077,6 +1077,7 @@ void __kprobes kprobe_flush_task(struct
+ /* Early boot. kretprobe_table_locks not yet initialized. */
+ return;
+
++ INIT_HLIST_HEAD(&empty_rp);
+ hash = hash_ptr(tk, KPROBE_HASH_BITS);
+ head = &kretprobe_inst_table[hash];
+ kretprobe_table_lock(hash, &flags);
+@@ -1085,7 +1086,6 @@ void __kprobes kprobe_flush_task(struct
+ recycle_rp_inst(ri, &empty_rp);
+ }
+ kretprobe_table_unlock(hash, &flags);
+- INIT_HLIST_HEAD(&empty_rp);
+ hlist_for_each_entry_safe(ri, node, tmp, &empty_rp, hlist) {
+ hlist_del(&ri->hlist);
+ kfree(ri);
diff --git a/queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch b/queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
new file mode 100644
index 00000000000..dd750e112c5
--- /dev/null
+++ b/queue-3.2/mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
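Review bot: The relocated `INIT_HLIST_HEAD(&empty_rp);` carries no comment explaining why it has to precede the locked walk, which is exactly the ordering a later cleanup could undo again and reintroduce the leak described in the embedded message; a one-liner above it such as `/* must be set up before recycle_rp_inst() below appends to it */` pins the dependency. The early-boot `return` that precedes it is fine as is, since `empty_rp` is not touched on that path. `kprobe_flush_task` starts before the first hunk and continues after the second.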
@@ -0,0 +1,88 @@
+From 687875fb7de4a95223af20ee024282fa9099f860 Mon Sep 17 00:00:00 2001
+From: Michal Hocko
+Date: Fri, 20 Jan 2012 14:33:55 -0800
+Subject: mm: fix NULL ptr dereference in __count_immobile_pages
+
+From: Michal Hocko
+
+commit 687875fb7de4a95223af20ee024282fa9099f860 upstream.
+
+Fix the following NULL ptr dereference caused by
+
+ cat /sys/devices/system/memory/memory0/removable
+
+Pid: 13979, comm: sed Not tainted 3.0.13-0.5-default #1 IBM BladeCenter LS21 -[7971PAM]-/Server Blade
+RIP: __count_immobile_pages+0x4/0x100
+Process sed (pid: 13979, threadinfo ffff880221c36000, task ffff88022e788480)
+Call Trace:
+ is_pageblock_removable_nolock+0x34/0x40
+ is_mem_section_removable+0x74/0xf0
+ show_mem_removable+0x41/0x70
+ sysfs_read_file+0xfe/0x1c0
+ vfs_read+0xc7/0x130
+ sys_read+0x53/0xa0
+ system_call_fastpath+0x16/0x1b
+
+We are crashing because we are trying to dereference NULL zone which
+came from pfn=0 (struct page ffffea0000000000). According to the boot
+log this page is marked reserved:
+e820 update range: 0000000000000000 - 0000000000010000 (usable) ==> (reserved)
+
+and early_node_map confirms that:
+early_node_map[3] active PFN ranges
+ 1: 0x00000010 -> 0x0000009c
+ 1: 0x00000100 -> 0x000bffa3
+ 1: 0x00100000 -> 0x00240000
+
+The problem is that memory_present works in PAGE_SECTION_MASK aligned
+blocks so the reserved range sneaks into the the section as well. This
+also means that free_area_init_node will not take care of those reserved
+pages and they stay uninitialized.
+
+When we try to read the removable status we walk through all available
+sections and hope that the zone is valid for all pages in the section.
+But this is not true in this case as the zone and nid are not initialized.
+
+We have only one node in this particular case and it is marked as node=1
+(rather than 0) and that made the problem visible because page_to_nid will
+return 0 and there are no zones on the node.
+
+Let's check that the zone is valid and that the given pfn falls into its
+boundaries and mark the section not removable. This might cause some
+false positives, probably, but we do not have any sane way to find out
+whether the page is reserved by the platform or it is just not used for
+whatever other reasons.
+
+Signed-off-by: Michal Hocko
+Acked-by: Mel Gorman
+Cc: KAMEZAWA Hiroyuki
+Cc: Andrea Arcangeli
+Cc: David Rientjes
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ mm/page_alloc.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/mm/page_alloc.c
++++ b/mm/page_alloc.c
+@@ -5608,6 +5608,17 @@ __count_immobile_pages(struct zone *zone
+ bool is_pageblock_removable_nolock(struct page *page)
+ {
+ struct zone *zone = page_zone(page);
++ unsigned long pfn = page_to_pfn(page);
++
++ /*
++ * We have to be careful here because we are iterating over memory
++ * sections which are not zone aware so we might end up outside of
++ * the zone but still within the section.
++ */
++ if (!zone || zone->zone_start_pfn > pfn ||
++ zone->zone_start_pfn + zone->spanned_pages <= pfn)
++ return false;
++
+ return __count_immobile_pages(zone, page, 0);
+ }
+
diff --git a/queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch b/queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch
new file mode 100644
index 00000000000..c1ed305764a
--- /dev/null
+++ b/queue-3.2/proc-clear_refs-do-not-clear-reserved-pages.patch
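Review bot: The new guard in `is_pageblock_removable_nolock` handles a NULL `zone` and a pfn outside the zone's span, but `page_zone(page)` is still computed from flags the embedded message says were never initialised; it returns NULL in the reported case only because nid 0 has no zones, and a different stale flag value could presumably yield a non-NULL pointer that the range test then dereferences. The comment above the check explains the section-versus-zone mismatch but not the NULL case, so a line such as `* A NULL zone means page->flags was never set up for this (reserved) pfn.` would tell the next reader why `!zone` is tested first. The page flags and node layout are not shown here, so the residual exposure is inferred rather than established.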
@@ -0,0 +1,62 @@
+From 85e72aa5384b1a614563ad63257ded0e91d1a620 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Fri, 20 Jan 2012 14:34:09 -0800
+Subject: proc: clear_refs: do not clear reserved pages
+
+From: Will Deacon
+
+commit 85e72aa5384b1a614563ad63257ded0e91d1a620 upstream.
+
+/proc/pid/clear_refs is used to clear the Referenced and YOUNG bits for
+pages and corresponding page table entries of the task with PID pid, which
+includes any special mappings inserted into the page tables in order to
+provide things like vDSOs and user helper functions.
+
+On ARM this causes a problem because the vectors page is mapped as a
+global mapping and since ec706dab ("ARM: add a vma entry for the user
+accessible vector page"), a VMA is also inserted into each task for this
+page to aid unwinding through signals and syscall restarts. Since the
+vectors page is required for handling faults, clearing the YOUNG bit (and
+subsequently writing a faulting pte) means that we lose the vectors page
+*globally* and cannot fault it back in. This results in a system deadlock
+on the next exception.
+
+To see this problem in action, just run:
+
+ $ echo 1 > /proc/self/clear_refs
+
+on an ARM platform (as any user) and watch your system hang. I think this
+has been the case since 2.6.37
+
+This patch avoids clearing the aforementioned bits for reserved pages,
+therefore leaving the vectors page intact on ARM. Since reserved pages
+are not candidates for swap, this change should not have any impact on the
+usefulness of clear_refs.
+
+Signed-off-by: Will Deacon
+Reported-by: Moussa Ba
+Acked-by: Hugh Dickins
+Cc: David Rientjes
+Cc: Russell King
+Acked-by: Nicolas Pitre
+Cc: Matt Mackall
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/proc/task_mmu.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/fs/proc/task_mmu.c
++++ b/fs/proc/task_mmu.c
+@@ -518,6 +518,9 @@ static int clear_refs_pte_range(pmd_t *p
+ if (!page)
+ continue;
+
++ if (PageReserved(page))
++ continue;
++
+ /* Clear accessed and referenced bits. */
+ ptep_test_and_clear_young(vma, addr, pte);
+ ClearPageReferenced(page);
diff --git a/queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch b/queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch
new file mode 100644
index 00000000000..03b0ec29cae
--- /dev/null
+++ b/queue-3.2/score-fix-off-by-one-index-into-syscall-table.patch
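Review bot: The new `if (PageReserved(page)) continue;` in `clear_refs_pte_range` has no comment, so the reason it exists — that reserved pages such as the ARM vectors page are global mappings whose young bit must survive, and are never swap candidates anyway — is recoverable only from the commit message, not from the code a future reader will be looking at. A short comment above it, e.g. `/* Reserved pages (e.g. the ARM vectors page) are never swapped and must keep their young bit. */`, would keep that knowledge next to the check. The surrounding loop and `clear_refs_pte_range` itself begin and end outside the hunk.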
@@ -0,0 +1,44 @@
+From c25a785d6647984505fa165b5cd84cfc9a95970b Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Fri, 20 Jan 2012 14:34:27 -0800
+Subject: score: fix off-by-one index into syscall table
+
+From: Dan Rosenberg
+
+commit c25a785d6647984505fa165b5cd84cfc9a95970b upstream.
+
+If the provided system call number is equal to __NR_syscalls, the
+current check will pass and a function pointer just after the system
+call table may be called, since sys_call_table is an array with total
+size __NR_syscalls.
+
+Whether or not this is a security bug depends on what the compiler puts
+immediately after the system call table. It's likely that this won't do
+anything bad because there is an additional NULL check on the syscall
+entry, but if there happens to be a non-NULL value immediately after the
+system call table, this may result in local privilege escalation.
+
+Signed-off-by: Dan Rosenberg
+Cc: Chen Liqin
+Cc: Lennox Wu
+Cc: Eugene Teo
+Cc: Arnd Bergmann
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/score/kernel/entry.S | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/score/kernel/entry.S
++++ b/arch/score/kernel/entry.S
+@@ -408,7 +408,7 @@ ENTRY(handle_sys)
+ sw r9, [r0, PT_EPC]
+
+ cmpi.c r27, __NR_syscalls # check syscall number
+- bgtu illegal_syscall
++ bgeu illegal_syscall
+
+ slli r8, r27, 2 # get syscall routine
+ la r11, sys_call_table
diff --git a/queue-3.2/series b/queue-3.2/series
index 4fc46aedaa3..529d53ce589 100644
--- a/queue-3.2/series
+++ b/queue-3.2/series
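Review bot: The `# check syscall number` comment on the `cmpi.c r27, __NR_syscalls` line does not state which bound is enforced, and this fix turns entirely on `>=` versus `>`, so the comment should carry the invariant: `# reject nr >= __NR_syscalls (table has __NR_syscalls entries)`. Assuming `bgeu` is the unsigned form its mnemonic suggests, the same compare also rejects negative numbers in r27, since they compare as large unsigned values; a remark to that effect would stop someone "tightening" it to a signed branch later. `handle_sys` continues beyond the hunk, including the NULL check on the table entry that the message mentions.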
@@ -118,3 +118,10 @@ ath9k_hw-fix-interpretation-of-the-rx-keymiss-flag.patch
 rt2800pci-fix-spurious-interrupts-generation.patch
 xfs-fix-endian-conversion-issue-in-discard-code.patch
 i2c-eg20t-modified-the-setting-of-transfer-rate.patch
+score-fix-off-by-one-index-into-syscall-table.patch
+cifs-lower-default-wsize-when-unix-extensions-are-not-used.patch
+kprobes-initialize-before-using-a-hlist.patch
+proc-clear_refs-do-not-clear-reserved-pages.patch
+mm-fix-null-ptr-dereference-in-__count_immobile_pages.patch
+iwlagn-check-for-smps-mode.patch
+iwlegacy-3945-fix-hw-passive-scan-on-radar-channels.patch
--
2.47.3