From 84189814c975bf142a4ba7719a4906a74b476015 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Fri, 17 May 2013 11:37:37 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
drm-radeon-check-incoming-cliprects-pointer.patch
ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
iscsi-target-fix-processing-of-ooo-commands.patch
usermodehelper-check-subprocess_info-path-null.patch
---
 ...ansaction-even-when-the-ibf-flag-set.patch | 58 +++++++++++++++++++
 ...nal-2-bytes-to-avoid-memory-overflow.patch | 42 ++++++++++++++
 ...check-modeset-locks-in-panic-handler.patch | 36 ------------
 ...eon-check-incoming-cliprects-pointer.patch | 31 ++++++++++
 ...octl-method-fails-to-take-ipmi_mutex.patch | 52 +++++++++++++++++
 ...arget-fix-processing-of-ooo-commands.patch | 50 ++++++++++++++++
 ...exec-when-using-vmx-optimised-memcpy.patch | 54 -----------------
 queue-3.4/series | 8 ++-
 ...lper-check-subprocess_info-path-null.patch | 45 ++++++++++++++
 9 files changed, 284 insertions(+), 92 deletions(-)
 create mode 100644 queue-3.4/acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
 create mode 100644 queue-3.4/drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
 delete mode 100644 queue-3.4/drm-don-t-check-modeset-locks-in-panic-handler.patch
 create mode 100644 queue-3.4/drm-radeon-check-incoming-cliprects-pointer.patch
 create mode 100644 queue-3.4/ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
 create mode 100644 queue-3.4/iscsi-target-fix-processing-of-ooo-commands.patch
 delete mode 100644 queue-3.4/powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch
 create mode 100644 queue-3.4/usermodehelper-check-subprocess_info-path-null.patch
diff --git a/queue-3.4/acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch b/queue-3.4/acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
new file mode 100644
index 00000000000..e9b6773bbae
--- /dev/null
+++ b/queue-3.4/acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
@@ -0,0 +1,58 @@
+From 28fe5c825f8e15744d04c7c1b8df197950923ecd Mon Sep 17 00:00:00 2001
+From: Lan Tianyu
+Date: Mon, 6 May 2013 03:23:40 +0000
+Subject: ACPI / EC: Restart transaction even when the IBF flag set
+
+From: Lan Tianyu
+
+commit 28fe5c825f8e15744d04c7c1b8df197950923ecd upstream.
+
+The EC driver works abnormally with IBF flag always set.
+IBF means "The host has written a byte of data to the command
+or data port, but the embedded controller has not yet read it".
+If IBF is set in the EC status and not cleared, this will cause
+all subsequent EC requests to fail with a timeout error.
+
+Change the EC driver so that it doesn't refuse to restart a
+transaction if IBF is set in the status. Also increase the
+number of transaction restarts to 5, as it turns out that 2
+is not sufficient in some cases.
+
+This bug happens on several different machines (Asus V1S,
+Dell Latitude E6530, Samsung R719, Acer Aspire 5930G,
+Sony Vaio SR19VN and others).
+
+[rjw: Changelog]
+References: https://bugzilla.kernel.org/show_bug.cgi?id=14733
+References: https://bugzilla.kernel.org/show_bug.cgi?id=15560
+References: https://bugzilla.kernel.org/show_bug.cgi?id=15946
+References: https://bugzilla.kernel.org/show_bug.cgi?id=42945
+References: https://bugzilla.kernel.org/show_bug.cgi?id=48221
+Signed-off-by: Lan Tianyu
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/acpi/ec.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/drivers/acpi/ec.c
++++ b/drivers/acpi/ec.c
+@@ -217,7 +217,7 @@ static int ec_check_sci_sync(struct acpi
+ static int ec_poll(struct acpi_ec *ec)
+ {
+ unsigned long flags;
+- int repeat = 2; /* number of command restarts */
++ int repeat = 5; /* number of command restarts */
+ while (repeat--) {
+ unsigned long delay = jiffies +
+ msecs_to_jiffies(ec_delay);
+@@ -235,8 +235,6 @@ static int ec_poll(struct acpi_ec *ec)
+ }
+ advance_transaction(ec, acpi_ec_read_status(ec));
+ } while (time_before(jiffies, delay));
+- if (acpi_ec_read_status(ec) & ACPI_EC_FLAG_IBF)
+- break;
+ pr_debug(PREFIX "controller reset, restart transaction\n");
+ spin_lock_irqsave(&ec->curr_lock, flags);
+ start_transaction(ec);
diff --git a/queue-3.4/drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch b/queue-3.4/drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
new file mode 100644
index 00000000000..974d0fd78ed
--- /dev/null
+++ b/queue-3.4/drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
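Review bot: In the first ec.c hunk of the ACPI EC patch, the restart budget is a bare literal and its cost is not documented: each pass of `while (repeat--)` polls until `jiffies + msecs_to_jiffies(ec_delay)`, and the second hunk removes the early `break` on `ACPI_EC_FLAG_IBF`, so a controller that never clears IBF can now keep the caller polling for up to five windows. I would say so at the declaration, e.g. `int repeat = 5; /* command restarts; worst case is about 5 * ec_delay ms of polling */`. ec_poll() starts and ends outside both hunks, so what the caller gets back after the last restart is not visible here.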
@@ -0,0 +1,42 @@
+From a5f2b3d6a738e7d4180012fe7b541172f8c8dcea Mon Sep 17 00:00:00 2001
+From: Chen Gang
+Date: Thu, 16 May 2013 14:04:25 -0500
+Subject: drivers/char/ipmi: memcpy, need additional 2 bytes to avoid memory overflow
+
+From: Chen Gang
+
+commit a5f2b3d6a738e7d4180012fe7b541172f8c8dcea upstream.
+
+When calling memcpy, read_data and write_data need additional 2 bytes.
+
+ write_data:
+ for checking: "if (size > IPMI_MAX_MSG_LENGTH)"
+ for operating: "memcpy(bt->write_data + 3, data + 1, size - 1)"
+
+ read_data:
+ for checking: "if (msg_len < 3 || msg_len > IPMI_MAX_MSG_LENGTH)"
+ for operating: "memcpy(data + 2, bt->read_data + 4, msg_len - 2)"
+
+Signed-off-by: Chen Gang
+Signed-off-by: Corey Minyard
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_bt_sm.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/char/ipmi/ipmi_bt_sm.c
++++ b/drivers/char/ipmi/ipmi_bt_sm.c
+@@ -95,9 +95,9 @@ struct si_sm_data {
+ enum bt_states state;
+ unsigned char seq; /* BT sequence number */
+ struct si_sm_io *io;
+- unsigned char write_data[IPMI_MAX_MSG_LENGTH];
++ unsigned char write_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
+ int write_count;
+- unsigned char read_data[IPMI_MAX_MSG_LENGTH];
++ unsigned char read_data[IPMI_MAX_MSG_LENGTH + 2]; /* +2 for memcpy */
+ int read_count;
+ int truncated;
+ long timeout; /* microseconds countdown */
diff --git a/queue-3.4/drm-don-t-check-modeset-locks-in-panic-handler.patch b/queue-3.4/drm-don-t-check-modeset-locks-in-panic-handler.patch
deleted file mode 100644
index 9b7a5b67bfc..00000000000
--- a/queue-3.4/drm-don-t-check-modeset-locks-in-panic-handler.patch
+++ /dev/null
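Review bot: The `/* +2 for memcpy */` comments on `write_data` and `read_data` in struct si_sm_data do not say where the two bytes come from, so a later change to the framing offsets could reintroduce the overflow without anyone noticing. The changelog has the reasoning: the length checks allow up to `IPMI_MAX_MSG_LENGTH`, while the copies run at `bt->write_data + 3` for `size - 1` bytes and from `bt->read_data + 4` for `msg_len - 2` bytes, which reaches two bytes past an `IPMI_MAX_MSG_LENGTH`-sized array. I would put that in the struct, e.g. `/* +2: payload is copied at offset 3 for size - 1 bytes, size <= IPMI_MAX_MSG_LENGTH */`, with the matching line for the read side. The memcpy call sites are outside this hunk; a bound written against `sizeof(bt->write_data)` there would keep the check and the buffer from drifting apart.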
@@ -1,36 +0,0 @@
-From a9b054e8ab06504c2afa0e307ee78d3778993a1d Mon Sep 17 00:00:00 2001
-From: Daniel Vetter
-Date: Thu, 2 May 2013 09:43:05 +0200
-Subject: drm: don't check modeset locks in panic handler
-
-From: Daniel Vetter
-
-commit a9b054e8ab06504c2afa0e307ee78d3778993a1d upstream.
-
-Since we know that locking is broken in that case and it's more
-important to not flood the dmesg with random gunk.
-
-References: http://lkml.kernel.org/r/20130502000206.GH15623@pd.tnic
-Cc: Dave Airlie
-Cc: Borislav Petkov
-Reported-and-tested-by: Borislav Petkov
-Signed-off-by: Daniel Vetter
-Signed-off-by: Greg Kroah-Hartman
-
----
- drivers/gpu/drm/drm_crtc.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/drivers/gpu/drm/drm_crtc.c
-+++ b/drivers/gpu/drm/drm_crtc.c
-@@ -973,6 +973,10 @@ int drm_mode_group_init_legacy_group(str
- if ((ret = drm_mode_group_init(dev, group)))
- return ret;
-
-+ /* Locking is currently fubar in the panic handler. */
-+ if (oops_in_progress)
-+ return;
-+
- list_for_each_entry(crtc, &dev->mode_config.crtc_list, head)
- group->id_list[group->num_crtcs++] = crtc->base.id;
-
diff --git a/queue-3.4/drm-radeon-check-incoming-cliprects-pointer.patch b/queue-3.4/drm-radeon-check-incoming-cliprects-pointer.patch
new file mode 100644
index 00000000000..87dead8b1a3
--- /dev/null
+++ b/queue-3.4/drm-radeon-check-incoming-cliprects-pointer.patch
@@ -0,0 +1,31 @@
+From fefaedcfb82d2e57c2320acf60604ab03b750cc0 Mon Sep 17 00:00:00 2001
+From: Kees Cook
+Date: Sun, 12 May 2013 22:00:51 -0700
+Subject: drm/radeon: check incoming cliprects pointer
+
+From: Kees Cook
+
+commit fefaedcfb82d2e57c2320acf60604ab03b750cc0 upstream.
+
+The "boxes" parameter points into userspace memory. It should be verified
+like any other operation against user memory.
+
+Signed-off-by: Kees Cook
+Signed-off-by: Dave Airlie
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/gpu/drm/radeon/r300_cmdbuf.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/gpu/drm/radeon/r300_cmdbuf.c
++++ b/drivers/gpu/drm/radeon/r300_cmdbuf.c
+@@ -74,7 +74,7 @@ static int r300_emit_cliprects(drm_radeo
+ OUT_RING(CP_PACKET0(R300_RE_CLIPRECT_TL_0, nr * 2 - 1));
+
+ for (i = 0; i < nr; ++i) {
+- if (DRM_COPY_FROM_USER_UNCHECKED
++ if (DRM_COPY_FROM_USER
+ (&box, &cmdbuf->boxes[n + i], sizeof(box))) {
+ DRM_ERROR("copy cliprect faulted\n");
+ return -EFAULT;
diff --git a/queue-3.4/ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch b/queue-3.4/ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
new file mode 100644
index 00000000000..037d01b2196
--- /dev/null
+++ b/queue-3.4/ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
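Review bot: The switch to `DRM_COPY_FROM_USER` in r300_emit_cliprects() validates the address range of each read, but the index `n + i` into `cmdbuf->boxes` and the loop bound `nr` are set outside the hunk, so nothing shown here establishes that they stay within the box count the caller supplied; that is worth confirming in the part of the function not shown. I would also record the trust boundary at the call, e.g. `/* cmdbuf->boxes is a userspace pointer: use the checked copy */`, so the unchecked variant is not restored later as an optimisation. The `DRM_ERROR("copy cliprect faulted\n")` on the failure path can presumably be reached at will by a caller passing a bad pointer; a debug-level or rate-limited message would avoid log flooding.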
@@ -0,0 +1,52 @@
+From 6368087e851e697679af059b4247aca33a69cef3 Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise
+Date: Thu, 16 May 2013 14:04:27 -0500
+Subject: ipmi: ipmi_devintf: compat_ioctl method fails to take ipmi_mutex
+
+From: Benjamin LaHaise
+
+commit 6368087e851e697679af059b4247aca33a69cef3 upstream.
+
+When a 32 bit version of ipmitool is used on a 64 bit kernel, the
+ipmi_devintf code fails to correctly acquire ipmi_mutex. This results in
+incomplete data being retrieved in some cases, or other possible failures.
+Add a wrapper around compat_ipmi_ioctl() to take ipmi_mutex to fix this.
+
+Signed-off-by: Benjamin LaHaise
+Signed-off-by: Corey Minyard
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/ipmi/ipmi_devintf.c | 14 +++++++++++++-
+ 1 file changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/char/ipmi/ipmi_devintf.c
++++ b/drivers/char/ipmi/ipmi_devintf.c
+@@ -837,13 +837,25 @@ static long compat_ipmi_ioctl(struct fil
+ return ipmi_ioctl(filep, cmd, arg);
+ }
+ }
++
++static long unlocked_compat_ipmi_ioctl(struct file *filep, unsigned int cmd,
++ unsigned long arg)
++{
++ int ret;
++
++ mutex_lock(&ipmi_mutex);
++ ret = compat_ipmi_ioctl(filep, cmd, arg);
++ mutex_unlock(&ipmi_mutex);
++
++ return ret;
++}
+ #endif
+
+ static const struct file_operations ipmi_fops = {
+ .owner = THIS_MODULE,
+ .unlocked_ioctl = ipmi_unlocked_ioctl,
+ #ifdef CONFIG_COMPAT
+- .compat_ioctl = compat_ipmi_ioctl,
++ .compat_ioctl = unlocked_compat_ipmi_ioctl,
+ #endif
+ .open = ipmi_open,
+ .release = ipmi_release,
diff --git a/queue-3.4/iscsi-target-fix-processing-of-ooo-commands.patch b/queue-3.4/iscsi-target-fix-processing-of-ooo-commands.patch
new file mode 100644
index 00000000000..996ea6c9542
--- /dev/null
+++ b/queue-3.4/iscsi-target-fix-processing-of-ooo-commands.patch
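Review bot: `unlocked_compat_ipmi_ioctl()` stores the result in `int ret;` although both it and `compat_ipmi_ioctl()` are declared `static long`, so the value is narrowed on its way through the wrapper; declare it `long ret;`. The name is also easy to misread, since this is the function that takes `ipmi_mutex`; a one-line comment such as `/* compat entry point: serialise on ipmi_mutex like the native ioctl path */` would help, assuming `ipmi_unlocked_ioctl` (not shown) does the same. compat_ipmi_ioctl() begins outside the hunk.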
@@ -0,0 +1,50 @@
+From 3eccfdb01da58fbd0f789ae6ca61cee3769e26de Mon Sep 17 00:00:00 2001
+From: Shlomo Pongratz
+Date: Sun, 5 May 2013 17:36:26 +0300
+Subject: iscsi-target: Fix processing of OOO commands
+
+From: Shlomo Pongratz
+
+commit 3eccfdb01da58fbd0f789ae6ca61cee3769e26de upstream.
+
+Fix two issues in OOO commands processing done at iscsit_attach_ooo_cmdsn.
+
+Handle command serial numbers wrap around by using iscsi_sna_lt and not regular comparisson.
+
+The routine iterates until it finds an entry whose serial number is greater than the serial number of
+the new one, thus the new entry should be inserted before that entry and not after.
+
+Signed-off-by: Shlomo Pongratz
+Signed-off-by: Nicholas Bellinger
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/target/iscsi/iscsi_target_erl1.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/drivers/target/iscsi/iscsi_target_erl1.c
++++ b/drivers/target/iscsi/iscsi_target_erl1.c
+@@ -824,7 +824,7 @@ static int iscsit_attach_ooo_cmdsn(
+ /*
+ * CmdSN is greater than the tail of the list.
+ */
+- if (ooo_tail->cmdsn < ooo_cmdsn->cmdsn)
++ if (iscsi_sna_lt(ooo_tail->cmdsn, ooo_cmdsn->cmdsn))
+ list_add_tail(&ooo_cmdsn->ooo_list,
+ &sess->sess_ooo_cmdsn_list);
+ else {
+@@ -834,11 +834,12 @@ static int iscsit_attach_ooo_cmdsn(
+ */
+ list_for_each_entry(ooo_tmp, &sess->sess_ooo_cmdsn_list,
+ ooo_list) {
+- if (ooo_tmp->cmdsn < ooo_cmdsn->cmdsn)
++ if (iscsi_sna_lt(ooo_tmp->cmdsn, ooo_cmdsn->cmdsn))
+ continue;
+
++ /* Insert before this entry */
+ list_add(&ooo_cmdsn->ooo_list,
+- &ooo_tmp->ooo_list);
++ ooo_tmp->ooo_list.prev);
+ break;
+ }
+ }
diff --git a/queue-3.4/powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch b/queue-3.4/powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch
deleted file mode 100644
index 833969b5703..00000000000
--- a/queue-3.4/powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch
+++ /dev/null
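Review bot: In the second hunk of iscsit_attach_ooo_cmdsn(), `list_add(&ooo_cmdsn->ooo_list, ooo_tmp->ooo_list.prev);` reaches into the list node to insert before `ooo_tmp`; `list_add_tail(&ooo_cmdsn->ooo_list, &ooo_tmp->ooo_list);` performs the same insertion through the list API and matches the `list_add_tail()` call in the branch above. The loop also `continue`s only when `iscsi_sna_lt()` holds, so an entry with an equal CmdSN is placed ahead of the existing one; whether duplicates are rejected earlier is not visible in these hunks. The function starts and ends outside them.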
@@ -1,54 +0,0 @@
-From 79c66ce8f6448a3295a32efeac88c9debd7f7094 Mon Sep 17 00:00:00 2001
-From: Anton Blanchard
-Date: Sun, 12 May 2013 15:04:53 +0000
-Subject: powerpc/kexec: Fix kexec when using VMX optimised memcpy
-
-From: Anton Blanchard
-
-commit 79c66ce8f6448a3295a32efeac88c9debd7f7094 upstream.
-
-commit b3f271e86e5a (powerpc: POWER7 optimised memcpy using VMX and
-enhanced prefetch) uses VMX when it is safe to do so (ie not in
-interrupt). It also looks at the task struct to decide if we have to
-save the current tasks' VMX state.
-
-kexec calls memcpy() at a point where the task struct may have been
-overwritten by the new kexec segments. If it has been overwritten
-then when memcpy -> enable_altivec looks up current->thread.regs->msr
-we get a cryptic oops or lockup.
-
-I also notice we aren't initialising thread_info->cpu, which means
-smp_processor_id is broken. Fix that too.
-
-Signed-off-by: Anton Blanchard
-Signed-off-by: Benjamin Herrenschmidt
-Signed-off-by: Greg Kroah-Hartman
-
----
- arch/powerpc/kernel/machine_kexec_64.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/arch/powerpc/kernel/machine_kexec_64.c
-+++ b/arch/powerpc/kernel/machine_kexec_64.c
-@@ -17,6 +17,7 @@
- #include
- #include
- #include
-+#include
-
- #include
- #include
-@@ -335,10 +336,13 @@ void default_machine_kexec(struct kimage
- pr_debug("kexec: Starting switchover sequence.\n");
-
- /* switch to a staticly allocated stack. Based on irq stack code.
-+ * We setup preempt_count to avoid using VMX in memcpy.
- * XXX: the task struct will likely be invalid once we do the copy!
- */
- kexec_stack.thread_info.task = current_thread_info()->task;
- kexec_stack.thread_info.flags = 0;
-+ kexec_stack.thread_info.preempt_count = HARDIRQ_OFFSET;
-+ kexec_stack.thread_info.cpu = current_thread_info()->cpu;
-
- /* We need a static PACA, too; copy this CPU's PACA over and switch to
- * it. Also poison per_cpu_offset to catch anyone using non-static
diff --git a/queue-3.4/series b/queue-3.4/series
index cf47cabefff..b79b38bb264 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -14,13 +14,11 @@ tick-cleanup-nohz-per-cpu-data-on-cpu-down.patch
 tracing-fix-leaks-of-filter-preds.patch
 ext4-limit-group-search-loop-for-non-extent-files.patch
 powerpc-bring-all-threads-online-prior-to-migration-hibernation.patch
-powerpc-kexec-fix-kexec-when-using-vmx-optimised-memcpy.patch
 ath9k-fix-key-allocation-error-handling-for-powersave-keys.patch
 mwifiex-clear-is_suspended-flag-when-interrupt-is-received-early.patch
 mwifiex-fix-setting-of-multicast-filter.patch
 b43-handle-dma-rx-descriptor-underrun.patch
 drm-mm-fix-dump-table-bug.patch
-drm-don-t-check-modeset-locks-in-panic-handler.patch
 net-qmi_wwan-fixup-missing-ethernet-header-firmware-bug-workaround.patch
 net-qmi_wwan-fixup-destination-address-firmware-bug-workaround.patch
 net-qmi_wwan-prevent-duplicate-mac-address-on-link-firmware-bug-workaround.patch
@@ -44,3 +42,9 @@ hugetlbfs-fix-mmap-failure-in-unaligned-size-request.patch
 r8169-fix-vlan-tag-read-ordering.patch
 drbd-fix-for-deadlock-when-using-automatic-split-brain-recovery.patch
 drivers-rtc-rtc-pcf2123.c-fix-error-return-code-in-pcf2123_probe.patch
+iscsi-target-fix-processing-of-ooo-commands.patch
+acpi-ec-restart-transaction-even-when-the-ibf-flag-set.patch
+drivers-char-ipmi-memcpy-need-additional-2-bytes-to-avoid-memory-overflow.patch
+ipmi-ipmi_devintf-compat_ioctl-method-fails-to-take-ipmi_mutex.patch
+drm-radeon-check-incoming-cliprects-pointer.patch
+usermodehelper-check-subprocess_info-path-null.patch
diff --git a/queue-3.4/usermodehelper-check-subprocess_info-path-null.patch b/queue-3.4/usermodehelper-check-subprocess_info-path-null.patch
new file mode 100644
index 00000000000..8ded0f89f33
--- /dev/null
+++ b/queue-3.4/usermodehelper-check-subprocess_info-path-null.patch
@@ -0,0 +1,45 @@
+From 264b83c07a84223f0efd0d1db9ccc66d6f88288f Mon Sep 17 00:00:00 2001
+From: Oleg Nesterov
+Date: Thu, 16 May 2013 17:43:55 +0200
+Subject: usermodehelper: check subprocess_info->path != NULL
+
+From: Oleg Nesterov
+
+commit 264b83c07a84223f0efd0d1db9ccc66d6f88288f upstream.
+
+argv_split(empty_or_all_spaces) happily succeeds, it simply returns
+argc == 0 and argv[0] == NULL. Change call_usermodehelper_exec() to
+check sub_info->path != NULL to avoid the crash.
+
+This is the minimal fix, todo:
+
+ - perhaps we should change argv_split() to return NULL or change the
+ callers.
+
+ - kill or justify ->path[0] check
+
+ - narrow the scope of helper_lock()
+
+Signed-off-by: Oleg Nesterov
+Acked-By: Lucas De Marchi
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/kmod.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/kernel/kmod.c
++++ b/kernel/kmod.c
+@@ -541,6 +541,11 @@ int call_usermodehelper_exec(struct subp
+ int retval = 0;
+
+ helper_lock();
++ if (!sub_info->path) {
++ retval = -EINVAL;
++ goto out;
++ }
++
+ if (sub_info->path[0] == '\0')
+ goto out;
+
-- 2.47.3
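Review bot: The new `if (!sub_info->path)` guard in call_usermodehelper_exec() carries no comment saying how a NULL path can arrive, and that is not obvious at the call site; the changelog gives the reason, so I would add `/* argv_split() of an empty or all-space string gives argv[0] == NULL */` above the check. The two early exits now disagree: a NULL path sets `retval = -EINVAL`, while the `path[0] == '\0'` case just below still jumps to `out` with `retval` at 0, so a caller presumably cannot tell an empty helper string from a helper that ran. The changelog lists that check as a todo; a `/* TODO: kill or justify */` on the line would keep it visible in the code. The `out:` label and the rest of the function are outside the hunk.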