From b5ccec034ed25b9db77f5860ce7b9dcdc56b16d2 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 14 Apr 2013 18:58:09 -0700
Subject: [PATCH] 3.0-stable patches added patches: mtdchar-fix-offset-overflow-detection.patch r8169-fix-auto-speed-down-issue.patch
---
...tdchar-fix-offset-overflow-detection.patch | 113 ++++++++++++++++++
.../r8169-fix-auto-speed-down-issue.patch | 78 ++++++++++++
queue-3.0/series | 2 +
3 files changed, 193 insertions(+)
create mode 100644 queue-3.0/mtdchar-fix-offset-overflow-detection.patch
create mode 100644 queue-3.0/r8169-fix-auto-speed-down-issue.patch
diff --git a/queue-3.0/mtdchar-fix-offset-overflow-detection.patch b/queue-3.0/mtdchar-fix-offset-overflow-detection.patch
new file mode 100644
index 00000000000..66e7587f057
--- /dev/null
+++ b/queue-3.0/mtdchar-fix-offset-overflow-detection.patch
@@ -0,0 +1,113 @@
+From 9c603e53d380459fb62fec7cd085acb0b74ac18f Mon Sep 17 00:00:00 2001
+From: Linus Torvalds
+Date: Sat, 8 Sep 2012 12:57:30 -0700
+Subject: mtdchar: fix offset overflow detection
+
+From: Linus Torvalds
+
+commit 9c603e53d380459fb62fec7cd085acb0b74ac18f upstream.
+
+Sasha Levin has been running trinity in a KVM tools guest, and was able
+to trigger the BUG_ON() at arch/x86/mm/pat.c:279 (verifying the range of
+the memory type). The call trace showed that it was mtdchar_mmap() that
+created an invalid remap_pfn_range().
+
+The problem is that mtdchar_mmap() does various really odd and subtle
+things with the vma page offset etc, and uses the wrong types (and the
+wrong overflow) detection for it.
+
+For example, the page offset may well be 32-bit on a 32-bit
+architecture, but after shifting it up by PAGE_SHIFT, we need to use a
+potentially 64-bit resource_size_t to correctly hold the full value.
+
+Also, we need to check that the vma length plus offset doesn't overflow
+before we check that it is smaller than the length of the mtdmap region.
+
+This fixes things up and tries to make the code a bit easier to read.
+
+Reported-and-tested-by: Sasha Levin
+Acked-by: Suresh Siddha
+Acked-by: Artem Bityutskiy
+Cc: David Woodhouse
+Cc: linux-mtd@lists.infradead.org
+Signed-off-by: Linus Torvalds
+Cc: Ben Hutchings
+Cc: Brad Spengler
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mtd/mtdchar.c | 48 ++++++++++++++++++++++++++++++++++++++++++------
+ 1 file changed, 42 insertions(+), 6 deletions(-)
+
+--- a/drivers/mtd/mtdchar.c
++++ b/drivers/mtd/mtdchar.c
+@@ -1064,6 +1064,33 @@ static unsigned long mtd_get_unmapped_ar
+ }
+ #endif
+
++static inline unsigned long get_vm_size(struct vm_area_struct *vma)
++{
++ return vma->vm_end - vma->vm_start;
++}
++
++static inline resource_size_t get_vm_offset(struct vm_area_struct *vma)
++{
++ return (resource_size_t) vma->vm_pgoff << PAGE_SHIFT;
++}
++
++/*
++ * Set a new vm offset.
++ *
++ * Verify that the incoming offset really works as a page offset,
++ * and that the offset and size fit in a resource_size_t.
++ */
++static inline int set_vm_offset(struct vm_area_struct *vma, resource_size_t off)
++{
++ pgoff_t pgoff = off >> PAGE_SHIFT;
++ if (off != (resource_size_t) pgoff << PAGE_SHIFT)
++ return -EINVAL;
++ if (off + get_vm_size(vma) - 1 < off)
++ return -EINVAL;
++ vma->vm_pgoff = pgoff;
++ return 0;
++}
++
+ /*
+ * set up a mapping for shared memory segments
+ */
+@@ -1073,20 +1100,29 @@ static int mtd_mmap(struct file *file, s
+ struct mtd_file_info *mfi = file->private_data;
+ struct mtd_info *mtd = mfi->mtd;
+ struct map_info *map = mtd->priv;
+- unsigned long start;
+- unsigned long off;
+- u32 len;
++ resource_size_t start, off;
++ unsigned long len, vma_len;
+
+ if (mtd->type == MTD_RAM || mtd->type == MTD_ROM) {
+- off = vma->vm_pgoff << PAGE_SHIFT;
++ off = get_vm_offset(vma);
+ start = map->phys;
+ len = PAGE_ALIGN((start & ~PAGE_MASK) + map->size);
+ start &= PAGE_MASK;
+- if ((vma->vm_end - vma->vm_start + off) > len)
++ vma_len = get_vm_size(vma);
++
++ /* Overflow in off+len? */
++ if (vma_len + off < off)
++ return -EINVAL;
++ /* Does it fit in the mapping? */
++ if (vma_len + off > len)
++ return -EINVAL;
+
+ off += start;
+- vma->vm_pgoff = off >> PAGE_SHIFT;
++ /* Did that overflow? */
++ if (off < start)
++ return -EINVAL;
++ if (set_vm_offset(vma, off) < 0)
++ return -EINVAL;
+ vma->vm_flags |= VM_IO | VM_RESERVED;
+
+ #ifdef pgprot_noncached
diff --git a/queue-3.0/r8169-fix-auto-speed-down-issue.patch b/queue-3.0/r8169-fix-auto-speed-down-issue.patch
new file mode 100644
index 00000000000..32423ef626f
--- /dev/null
+++ b/queue-3.0/r8169-fix-auto-speed-down-issue.patch
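Review bot: In the mtd_mmap() hunk of the queued mtdchar patch, the comment `/* Overflow in off+len? */` names the wrong operand: the test beneath it is `vma_len + off < off`, while `len` is the page-aligned size of the MTD mapping and is only used by the following "Does it fit in the mapping?" check. These lines are the bounds guard that the commit message ties to the invalid remap_pfn_range() call, so the comment should say what is actually being tested, for example `/* Overflow in off + vma_len? */`. A reader auditing the guard against the comment could otherwise conclude the wrap check covers the mapping length rather than the VMA length. mtd_mmap()'s body continues outside the hunk.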
@@ -0,0 +1,78 @@
+From romieu@fr.zoreil.com Sun Apr 14 18:34:05 2013
+From: Francois Romieu
+Date: Sat, 13 Apr 2013 12:26:55 +0200
+Subject: r8169: fix auto speed down issue
+To: Greg Kroah-Hartman
+Cc: stable@vger.kernel.org, Hayes Wang , "David S. Miller"
+Message-ID: <20130413102655.GB19939@electric-eye.fr.zoreil.com>
+Content-Disposition: inline
+
+From: Hayes Wang
+
+commit e2409d83434d77874b461b78af6a19cd6e6a1280 upstream.
+
+It would cause no link after suspending or shutdowning when the
+nic changes the speed to 10M and connects to a link partner which
+forces the speed to 100M.
+
+Check the link partner ability to determine which speed to set.
+
+The link speed down code path is not factored in this kernel version.
+
+Signed-off-by: Hayes Wang
+Acked-by: Francois Romieu
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/r8169.c | 30 ++++++++++++++++++++++++++----
+ 1 file changed, 26 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/r8169.c
++++ b/drivers/net/r8169.c
+@@ -3105,11 +3105,34 @@ static void r810x_phy_power_up(struct rt
+ rtl_writephy(tp, MII_BMCR, BMCR_ANENABLE);
+ }
+
++static void rtl_speed_down(struct rtl8169_private *tp)
++{
++ u32 adv;
++ int lpa;
++
++ rtl_writephy(tp, 0x1f, 0x0000);
++ lpa = rtl_readphy(tp, MII_LPA);
++
++ if (lpa & (LPA_10HALF | LPA_10FULL))
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full;
++ else if (lpa & (LPA_100HALF | LPA_100FULL))
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full |
++ ADVERTISED_100baseT_Half | ADVERTISED_100baseT_Full;
++ else
++ adv = ADVERTISED_10baseT_Half | ADVERTISED_10baseT_Full |
++ ADVERTISED_100baseT_Half | ADVERTISED_100baseT_Full |
++ (tp->mii.supports_gmii ?
++ ADVERTISED_1000baseT_Half |
++ ADVERTISED_1000baseT_Full : 0);
++
++ rtl8169_set_speed(tp->dev, AUTONEG_ENABLE, SPEED_1000, DUPLEX_FULL,
++ adv);
++}
++
+ static void r810x_pll_power_down(struct rtl8169_private *tp)
+ {
+ if (__rtl8169_get_wol(tp) & WAKE_ANY) {
+- rtl_writephy(tp, 0x1f, 0x0000);
+- rtl_writephy(tp, MII_BMCR, 0x0000);
++ rtl_speed_down(tp);
+ return;
+ }
+
+@@ -3201,8 +3224,7 @@ static void r8168_pll_power_down(struct
+ rtl_ephy_write(ioaddr, 0x19, 0xff64);
+
+ if (__rtl8169_get_wol(tp) & WAKE_ANY) {
+- rtl_writephy(tp, 0x1f, 0x0000);
+- rtl_writephy(tp, MII_BMCR, 0x0000);
++ rtl_speed_down(tp);
+
+ if (tp->mac_version == RTL_GIGA_MAC_VER_32 ||
+ tp->mac_version == RTL_GIGA_MAC_VER_33)
diff --git a/queue-3.0/series b/queue-3.0/series
index 26bd4b4f566..1378040ce57 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -7,3 +7,5 @@ target-fix-incorrect-fallthrough-of-alua-standby-offline-transition-cdbs.patch
 sched_clock-prevent-64bit-inatomicity-on-32bit-systems.patch
 x86-mm-paravirt-fix-vmalloc_fault-oops-during-lazy-mmu-updates.patch
 x86-mm-patch-out-arch_flush_lazy_mmu_mode-when-running-on-bare-metal.patch
+mtdchar-fix-offset-overflow-detection.patch
+r8169-fix-auto-speed-down-issue.patch
--
2.47.3
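Review bot: rtl_speed_down() in the queued r8169 patch has no comment explaining how it picks the advertisement, and the selection is not obvious from the code: it reads MII_LPA and advertises 10M only when the link partner reports 10M ability, 10M and 100M when the partner reports only 100M ability, and everything the NIC supports otherwise. A short header comment would help, for example `/* WoL power-down: advertise the lowest speed the link partner can do, so the link stays up */`. The `SPEED_1000, DUPLEX_FULL` arguments passed to rtl8169_set_speed() with AUTONEG_ENABLE look like placeholders, and any result the call returns is not checked; rtl8169_set_speed() is defined outside the hunk, so both points are inferred from the call site and are worth confirming in that comment.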