From fbac3852fd812c7a3f966fdcf733c24202c451e1 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Mon, 2 Feb 2015 19:03:24 -0800
Subject: [PATCH] 3.14-stable patches
added patches:
dm-cache-fix-missing-err_ptr-returns-and-handling.patch
dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
regulator-core-fix-race-condition-in-regulator_put.patch
spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
---
...missing-err_ptr-returns-and-handling.patch | 56 +++++++++++++
...ool-target-in-read_only-or-fail-mode.patch | 38 +++++++++
...dual-emac-default-vlan-configuration.patch | 65 +++++++++++++++
...on-group-key-get-del-and-memory-leak.patch | 59 ++++++++++++++
...-fix-race-condition-in-regulator_put.patch | 55 +++++++++++++
queue-3.14/series | 6 ++
...pointer-before-starting-next-message.patch | 79 +++++++++++++++++++
7 files changed, 358 insertions(+)
create mode 100644 queue-3.14/dm-cache-fix-missing-err_ptr-returns-and-handling.patch
create mode 100644 queue-3.14/dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
create mode 100644 queue-3.14/drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
create mode 100644 queue-3.14/nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
create mode 100644 queue-3.14/regulator-core-fix-race-condition-in-regulator_put.patch
create mode 100644 queue-3.14/spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
diff --git a/queue-3.14/dm-cache-fix-missing-err_ptr-returns-and-handling.patch b/queue-3.14/dm-cache-fix-missing-err_ptr-returns-and-handling.patch
new file mode 100644
index 00000000000..41d29268787
--- /dev/null
+++ b/queue-3.14/dm-cache-fix-missing-err_ptr-returns-and-handling.patch
@@ -0,0 +1,56 @@
+From 766a78882ddf79b162243649d7dfdbac1fb6fb88 Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Wed, 28 Jan 2015 12:07:46 +0000
+Subject: dm cache: fix missing ERR_PTR returns and handling
+
+From: Joe Thornber
+
+commit 766a78882ddf79b162243649d7dfdbac1fb6fb88 upstream.
+
+Commit 9b1cc9f251 ("dm cache: share cache-metadata object across
+inactive and active DM tables") mistakenly ignored the use of ERR_PTR
+returns. Restore missing IS_ERR checks and ERR_PTR returns where
+appropriate.
+
+Reported-by: Dan Carpenter
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-cache-metadata.c | 9 +++++----
+ 1 file changed, 5 insertions(+), 4 deletions(-)
+
+--- a/drivers/md/dm-cache-metadata.c
++++ b/drivers/md/dm-cache-metadata.c
+@@ -683,7 +683,7 @@ static struct dm_cache_metadata *metadat
+ cmd = kzalloc(sizeof(*cmd), GFP_KERNEL);
+ if (!cmd) {
+ DMERR("could not allocate metadata struct");
+- return NULL;
++ return ERR_PTR(-ENOMEM);
+ }
+
+ atomic_set(&cmd->ref_count, 1);
+@@ -745,7 +745,7 @@ static struct dm_cache_metadata *lookup_
+ return cmd;
+
+ cmd = metadata_open(bdev, data_block_size, may_format_device, policy_hint_size);
+- if (cmd) {
++ if (!IS_ERR(cmd)) {
+ mutex_lock(&table_lock);
+ cmd2 = lookup(bdev);
+ if (cmd2) {
+@@ -780,9 +780,10 @@ struct dm_cache_metadata *dm_cache_metad
+ {
+ struct dm_cache_metadata *cmd = lookup_or_open(bdev, data_block_size,
+ may_format_device, policy_hint_size);
+- if (cmd && !same_params(cmd, data_block_size)) {
++
++ if (!IS_ERR(cmd) && !same_params(cmd, data_block_size)) {
+ dm_cache_metadata_close(cmd);
+- return NULL;
++ return ERR_PTR(-EINVAL);
+ }
+
+ return cmd;
diff --git a/queue-3.14/dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch b/queue-3.14/dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
new file mode 100644
index 00000000000..bffcb1396f2
--- /dev/null
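Review bot: `dm_cache_metadata_open()` now reports failure only through `ERR_PTR()`, but nothing in the third inner hunk records that contract, and the bug being fixed was exactly a mix of NULL and error-pointer conventions. A comment above the function such as `/* Returns the metadata object or an ERR_PTR(); never NULL. */` would make the contract checkable. Its callers are outside this patch, and any that still test the result against NULL would go on to dereference an error pointer, so they should be confirmed to use `IS_ERR()`. The `-EINVAL` return for mismatched parameters is also silent, unlike the allocation failure in `metadata_open()`, which logs through `DMERR`; a one-line `DMERR` there would help whoever has to diagnose a refused table load. All three functions begin or end outside their hunks.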
+++ b/queue-3.14/dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
@@ -0,0 +1,38 @@
+From 2a7eaea02b99b6e267b1e89c79acc6e9a51cee3b Mon Sep 17 00:00:00 2001
+From: Joe Thornber
+Date: Mon, 26 Jan 2015 11:38:21 +0000
+Subject: dm thin: don't allow messages to be sent to a pool target in READ_ONLY or FAIL mode
+
+From: Joe Thornber
+
+commit 2a7eaea02b99b6e267b1e89c79acc6e9a51cee3b upstream.
+
+You can't modify the metadata in these modes. It's better to fail these
+messages immediately than let the block-manager deny write locks on
+metadata blocks. Otherwise these failed metadata changes will trigger
+'needs_check' to get set in the metadata superblock -- requiring repair
+using the thin_check utility.
+
+Signed-off-by: Joe Thornber
+Signed-off-by: Mike Snitzer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/md/dm-thin.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/drivers/md/dm-thin.c
++++ b/drivers/md/dm-thin.c
+@@ -2744,6 +2744,12 @@ static int pool_message(struct dm_target
+ struct pool_c *pt = ti->private;
+ struct pool *pool = pt->pool;
+
++ if (get_pool_mode(pool) >= PM_READ_ONLY) {
++ DMERR("%s: unable to service pool target messages in READ_ONLY or FAIL mode",
++ dm_device_name(pool->pool_md));
++ return -EINVAL;
++ }
++
+ if (!strcasecmp(argv[0], "create_thin"))
+ r = process_create_thin_mesg(argc, argv, pool);
+
diff --git a/queue-3.14/drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch b/queue-3.14/drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
new file mode 100644
index 00000000000..078adf3e646
--- /dev/null
+++ b/queue-3.14/drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
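Review bot: The new guard in `pool_message()` tests `get_pool_mode(pool) >= PM_READ_ONLY`, which is correct only while every mode that forbids metadata changes sorts at or after `PM_READ_ONLY` in the enum, and the enum is not visible in this hunk. I would add a comment next to the test, for example `/* relies on enum pool_mode order: READ_ONLY and FAIL sort last */`, or compare against the two modes explicitly, so that a mode inserted later does not silently change which messages are refused. The mode is also sampled once before the message is dispatched; if it can change concurrently (the hunk does not show this), the block-manager denial described in the commit message remains the backstop. The function continues past the end of the hunk.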
@@ -0,0 +1,65 @@
+From 02a54164c52ed6eca3089a0d402170fbf34d6cf5 Mon Sep 17 00:00:00 2001
+From: Mugunthan V N
+Date: Thu, 22 Jan 2015 15:19:22 +0530
+Subject: drivers: net: cpsw: discard dual emac default vlan configuration
+
+From: Mugunthan V N
+
+commit 02a54164c52ed6eca3089a0d402170fbf34d6cf5 upstream.
+
+In Dual EMAC, the default VLANs are used to segregate Rx packets between
+the ports, so adding the same default VLAN to the switch will affect the
+normal packet transfers. So returning error on addition of dual EMAC
+default VLANs.
+
+Even if EMAC 0 default port VLAN is added to EMAC 1, it will lead to
+break dual EMAC port separations.
+
+Fixes: d9ba8f9e6298 (driver: net: ethernet: cpsw: dual emac interface implementation)
+Reported-by: Felipe Balbi
+Signed-off-by: Mugunthan V N
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/ethernet/ti/cpsw.c | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+--- a/drivers/net/ethernet/ti/cpsw.c
++++ b/drivers/net/ethernet/ti/cpsw.c
+@@ -1610,6 +1610,19 @@ static int cpsw_ndo_vlan_rx_add_vid(stru
+ if (vid == priv->data.default_vlan)
+ return 0;
+
++ if (priv->data.dual_emac) {
++ /* In dual EMAC, reserved VLAN id should not be used for
++ * creating VLAN interfaces as this can break the dual
++ * EMAC port separation
++ */
++ int i;
++
++ for (i = 0; i < priv->data.slaves; i++) {
++ if (vid == priv->slaves[i].port_vlan)
++ return -EINVAL;
++ }
++ }
++
+ dev_info(priv->dev, "Adding vlanid %d to vlan filter\n", vid);
+ return cpsw_add_vlan_ale_entry(priv, vid);
+ }
+@@ -1623,6 +1636,15 @@ static int cpsw_ndo_vlan_rx_kill_vid(str
+ if (vid == priv->data.default_vlan)
+ return 0;
+
++ if (priv->data.dual_emac) {
++ int i;
++
++ for (i = 0; i < priv->data.slaves; i++) {
++ if (vid == priv->slaves[i].port_vlan)
++ return -EINVAL;
++ }
++ }
++
+ dev_info(priv->dev, "removing vlanid %d from vlan filter\n", vid);
+ ret = cpsw_ale_del_vlan(priv->ale, vid, 0);
+ if (ret != 0)
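Review bot: The reserved-VLAN scan is written out twice, once in `cpsw_ndo_vlan_rx_add_vid()` and again in `cpsw_ndo_vlan_rx_kill_vid()`, and only the first copy carries the comment explaining why the ids are refused. Since this check is what keeps the two ports separated, I would put it in one static helper so that the add and kill paths cannot drift apart. Both callers reject silently with `-EINVAL`; a `dev_info` or `dev_dbg` line naming the refused vid would make a misconfiguration visible. The parameter types in the sketch below are assumed, because both signatures are cut off in the hunk headers and both function bodies start outside the hunks.

```c
/* True when vid is one of the per-port VLANs reserved for dual EMAC
 * port separation and must not be added to or removed from the filter.
 */
static bool cpsw_is_dual_emac_port_vlan(struct cpsw_priv *priv, u16 vid)
{
	int i;

	if (!priv->data.dual_emac)
		return false;

	for (i = 0; i < priv->data.slaves; i++) {
		if (vid == priv->slaves[i].port_vlan)
			return true;
	}

	return false;
}

/* … unchanged: default_vlan check in cpsw_ndo_vlan_rx_add_vid … */
	if (cpsw_is_dual_emac_port_vlan(priv, vid))
		return -EINVAL;

/* … unchanged: default_vlan check in cpsw_ndo_vlan_rx_kill_vid … */
	if (cpsw_is_dual_emac_port_vlan(priv, vid))
		return -EINVAL;
```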
diff --git a/queue-3.14/nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch b/queue-3.14/nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
new file mode 100644
index 00000000000..95c1ed2b5ec
--- /dev/null
+++ b/queue-3.14/nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
@@ -0,0 +1,59 @@
+From 0fa7b39131576dd1baa6ca17fca53c65d7f62249 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 23 Jan 2015 11:10:12 +0100
+Subject: nl80211: fix per-station group key get/del and memory leak
+
+From: Johannes Berg
+
+commit 0fa7b39131576dd1baa6ca17fca53c65d7f62249 upstream.
+
+In case userspace attempts to obtain key information for or delete a
+unicast key, this is currently erroneously rejected unless the driver
+sets the WIPHY_FLAG_IBSS_RSN flag. Apparently enough drivers do so it
+was never noticed.
+
+Fix that, and while at it fix a potential memory leak: the error path
+in the get_key() function was placed after allocating a message but
+didn't free it - move it to a better place. Luckily admin permissions
+are needed to call this operation.
+
+Fixes: e31b82136d1ad ("cfg80211/mac80211: allow per-station GTKs")
+Signed-off-by: Johannes Berg
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/nl80211.c | 9 ++++-----
+ 1 file changed, 4 insertions(+), 5 deletions(-)
+
+--- a/net/wireless/nl80211.c
++++ b/net/wireless/nl80211.c
+@@ -2697,6 +2697,9 @@ static int nl80211_get_key(struct sk_buf
+ if (!rdev->ops->get_key)
+ return -EOPNOTSUPP;
+
++ if (!pairwise && mac_addr && !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
++ return -ENOENT;
++
+ msg = nlmsg_new(NLMSG_DEFAULT_SIZE, GFP_KERNEL);
+ if (!msg)
+ return -ENOMEM;
+@@ -2716,10 +2719,6 @@ static int nl80211_get_key(struct sk_buf
+ nla_put(msg, NL80211_ATTR_MAC, ETH_ALEN, mac_addr))
+ goto nla_put_failure;
+
+- if (pairwise && mac_addr &&
+- !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+- return -ENOENT;
+-
+ err = rdev_get_key(rdev, dev, key_idx, pairwise, mac_addr, &cookie,
+ get_key_callback);
+
+@@ -2890,7 +2889,7 @@ static int nl80211_del_key(struct sk_buf
+ wdev_lock(dev->ieee80211_ptr);
+ err = nl80211_key_allowed(dev->ieee80211_ptr);
+
+- if (key.type == NL80211_KEYTYPE_PAIRWISE && mac_addr &&
++ if (key.type == NL80211_KEYTYPE_GROUP && mac_addr &&
+ !(rdev->wiphy.flags & WIPHY_FLAG_IBSS_RSN))
+ err = -ENOENT;
+
diff --git a/queue-3.14/regulator-core-fix-race-condition-in-regulator_put.patch b/queue-3.14/regulator-core-fix-race-condition-in-regulator_put.patch
new file mode 100644
index 00000000000..3729144c162
--- /dev/null
+++ b/queue-3.14/regulator-core-fix-race-condition-in-regulator_put.patch
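Review bot: The condition added to `nl80211_get_key()` and the one corrected in `nl80211_del_key()` encode the same rule, yet neither says what the rule is, which is how the inverted `pairwise` test could stand unnoticed. A comment above each, for example `/* a group key with a MAC address is a per-station GTK and needs WIPHY_FLAG_IBSS_RSN */`, would let a reader check the predicate against the intent. In `nl80211_del_key()` the assignment `err = -ENOENT` also overwrites whatever `nl80211_key_allowed()` returned on the line before; if that precedence is deliberate it deserves a word, otherwise the test could start with `!err &&`. Both functions extend beyond the hunks shown.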
@@ -0,0 +1,55 @@
+From 83b0302d347a49f951e904184afe57ac3723476e Mon Sep 17 00:00:00 2001
+From: Ashay Jaiswal
+Date: Thu, 8 Jan 2015 18:54:25 +0530
+Subject: regulator: core: fix race condition in regulator_put()
+
+From: Ashay Jaiswal
+
+commit 83b0302d347a49f951e904184afe57ac3723476e upstream.
+
+The regulator framework maintains a list of consumer regulators
+for a regulator device and protects it from concurrent access using
+the regulator device's mutex lock.
+
+In the case of regulator_put() the consumer is removed and regulator
+device's parameters are updated without holding the regulator device's
+mutex. This would lead to a race condition between the regulator_put()
+and any function which traverses the consumer list or modifies regulator
+device's parameters.
+Fix this race condition by holding the regulator device's mutex in case
+of regulator_put.
+
+Signed-off-by: Ashay Jaiswal
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/regulator/core.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/regulator/core.c
++++ b/drivers/regulator/core.c
+@@ -1479,7 +1479,7 @@ struct regulator *regulator_get_optional
+ }
+ EXPORT_SYMBOL_GPL(regulator_get_optional);
+
+-/* Locks held by regulator_put() */
++/* regulator_list_mutex lock held by regulator_put() */
+ static void _regulator_put(struct regulator *regulator)
+ {
+ struct regulator_dev *rdev;
+@@ -1494,12 +1494,14 @@ static void _regulator_put(struct regula
+ /* remove any sysfs entries */
+ if (regulator->dev)
+ sysfs_remove_link(&rdev->dev.kobj, regulator->supply_name);
++ mutex_lock(&rdev->mutex);
+ kfree(regulator->supply_name);
+ list_del(®ulator->list);
+ kfree(regulator);
+
+ rdev->open_count--;
+ rdev->exclusive = 0;
++ mutex_unlock(&rdev->mutex);
+
+ module_put(rdev->owner);
+ }
diff --git a/queue-3.14/series b/queue-3.14/series
index 1eae819ed4a..9e6ae8577c2 100644
--- a/queue-3.14/series
+++ b/queue-3.14/series
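Review bot: `_regulator_put()` now takes `rdev->mutex` while, per its own header comment, the caller already holds `regulator_list_mutex`, but that comment mentions only the outer lock. Please document the nesting, e.g. `/* regulator_list_mutex held by regulator_put(); takes rdev->mutex inside it */`, so that other paths needing both locks can be checked for the same order. The critical section also covers the two `kfree()` calls, which do not need the lock: only `list_del()` and the `open_count`/`exclusive` updates touch state the commit message says the mutex protects, so the frees could move after `mutex_unlock()`. The middle of the function lies between the two hunks and is not shown.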
@@ -17,3 +17,9 @@ input-i8042-add-noloop-quirk-for-medion-akoya-e7225-md98857.patch
 nfs-fix-dio-deadlock-when-o_direct-flag-is-flipped.patch
 nfsv4.1-fix-an-oops-in-nfs41_walk_client_list.patch
 mac80211-properly-set-cck-flag-in-radiotap.patch
+nl80211-fix-per-station-group-key-get-del-and-memory-leak.patch
+dm-thin-don-t-allow-messages-to-be-sent-to-a-pool-target-in-read_only-or-fail-mode.patch
+dm-cache-fix-missing-err_ptr-returns-and-handling.patch
+spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
+regulator-core-fix-race-condition-in-regulator_put.patch
+drivers-net-cpsw-discard-dual-emac-default-vlan-configuration.patch
diff --git a/queue-3.14/spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch b/queue-3.14/spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
new file mode 100644
index 00000000000..970e4c20264
--- /dev/null
+++ b/queue-3.14/spi-pxa2xx-clear-cur_chip-pointer-before-starting-next-message.patch
@@ -0,0 +1,79 @@
+From c957e8f084e0d21febcd6b8a0ea9631eccc92f36 Mon Sep 17 00:00:00 2001
+From: Mika Westerberg
+Date: Mon, 29 Dec 2014 10:33:36 +0200
+Subject: spi/pxa2xx: Clear cur_chip pointer before starting next message
+
+From: Mika Westerberg
+
+commit c957e8f084e0d21febcd6b8a0ea9631eccc92f36 upstream.
+
+Once the current message is finished, the driver notifies SPI core about
+this by calling spi_finalize_current_message(). This function queues next
+message to be transferred. If there are more messages in the queue, it is
+possible that the driver is asked to transfer the next message at this
+point.
+
+When spi_finalize_current_message() returns the driver clears the
+drv_data->cur_chip pointer to NULL. The problem is that if the driver
+already started the next message clearing drv_data->cur_chip will cause
+NULL pointer dereference which crashes the kernel like:
+
+ BUG: unable to handle kernel NULL pointer dereference at 0000000000000048
+ IP: [] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
+ PGD 78bb8067 PUD 37712067 PMD 0
+ Oops: 0000 [#1] SMP
+ Modules linked in:
+ CPU: 1 PID: 11 Comm: ksoftirqd/1 Tainted: G O 3.18.0-rc4-mjo #5
+ Hardware name: Intel Corp. VALLEYVIEW B3 PLATFORM/NOTEBOOK, BIOS MNW2CRB1.X64.0071.R30.1408131301 08/13/2014
+ task: ffff880077f9f290 ti: ffff88007a820000 task.ti: ffff88007a820000
+ RIP: 0010:[] [] cs_deassert+0x18/0x70 [spi_pxa2xx_platform]
+ RSP: 0018:ffff88007a823d08 EFLAGS: 00010202
+ RAX: 0000000000000008 RBX: ffff8800379a4430 RCX: 0000000000000026
+ RDX: 0000000000000000 RSI: 0000000000000246 RDI: ffff8800379a4430
+ RBP: ffff88007a823d18 R08: 00000000ffffffff R09: 000000007a9bc65a
+ R10: 000000000000028f R11: 0000000000000005 R12: ffff880070123e98
+ R13: ffff880070123de8 R14: 0000000000000100 R15: ffffc90004888000
+ FS: 0000000000000000(0000) GS:ffff880079a80000(0000) knlGS:0000000000000000
+ CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+ CR2: 0000000000000048 CR3: 000000007029b000 CR4: 00000000001007e0
+ Stack:
+ ffff88007a823d58 ffff8800379a4430 ffff88007a823d48 ffffffffa0022c89
+ 0000000000000000 ffff8800379a4430 0000000000000000 0000000000000006
+ ffff88007a823da8 ffffffffa0023be0 ffff88007a823dd8 ffffffff81076204
+ Call Trace:
+ [] giveback+0x69/0xa0 [spi_pxa2xx_platform]
+ [] pump_transfers+0x710/0x740 [spi_pxa2xx_platform]
+ [] ? pick_next_task_fair+0x744/0x830
+ [] tasklet_action+0xa9/0xe0
+ [] __do_softirq+0xee/0x280
+ [] run_ksoftirqd+0x20/0x40
+ [] smpboot_thread_fn+0xff/0x1b0
+ [] ? SyS_setgroups+0x150/0x150
+ [] kthread+0xcd/0xf0
+ [] ? kthread_create_on_node+0x180/0x180
+ [] ret_from_fork+0x7c/0xb0
+
+Fix this by clearing drv_data->cur_chip before we call spi_finalize_current_message().
+
+Reported-by: Martin Oldfield
+Signed-off-by: Mika Westerberg
+Acked-by: Robert Jarzmik
+Signed-off-by: Mark Brown
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/spi/spi-pxa2xx.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/spi/spi-pxa2xx.c
++++ b/drivers/spi/spi-pxa2xx.c
+@@ -400,8 +400,8 @@ static void giveback(struct driver_data
+ cs_deassert(drv_data);
+ }
+
+- spi_finalize_current_message(drv_data->master);
+ drv_data->cur_chip = NULL;
++ spi_finalize_current_message(drv_data->master);
+ }
+
+ static void reset_sccr1(struct driver_data *drv_data)
--
2.47.3
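Review bot: The fix at the end of `giveback()` depends entirely on statement order, and nothing in the code says so, so a later cleanup could swap the two lines back and reintroduce the NULL dereference shown in the commit message. Add a comment above the assignment, for example `/* clear before finalizing: spi_finalize_current_message() may start the next message, which uses cur_chip */`. Only the tail of `giveback()` is inside the hunk.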