3.4-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 1 May 2014 00:47:00 +0000 (17:47 -0700)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 1 May 2014 00:47:00 +0000 (17:47 -0700)
added patches:
usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch

queue-3.4/series
queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch [new file with mode: 0644]
queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch [new file with mode: 0644]

index e0668df39cb92e39611c5c39da7176e705c7e794..d6aa2e15a2f5fb6b8964038813b61d8992d9006c 100644 (file)
@@ -12,3 +12,5 @@ mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
 w1-fix-w1_send_slave-dropping-a-slave-id.patch
 staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
 staging-r8712u-fix-case-where-ethtype-was-never-obtained-and-always-be-checked-against-0.patch
+x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
+usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
diff --git a/queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch b/queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
new file mode 100644 (file)
index 0000000..722b7b5
--- /dev/null
@@ -0,0 +1,46 @@
+From a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 Mon Sep 17 00:00:00 2001
+From: Alan Stern <stern@rowland.harvard.edu>
+Date: Mon, 14 Apr 2014 13:48:47 -0400
+Subject: USB: fix crash during hotplug of PCI USB controller card
+
+From: Alan Stern <stern@rowland.harvard.edu>
+
+commit a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 upstream.
+
+The code in hcd-pci.c that matches up EHCI controllers with their
+companion UHCI or OHCI controllers assumes that the private drvdata
+fields don't get set too early.  However, it turns out that this field
+gets set by usb_create_hcd(), before hcd-pci expects it, and this can
+result in a crash when two controllers are probed in parallel (as can
+happen when a new controller card is hotplugged).
+
+The companions_rwsem lock was supposed to prevent this sort of thing,
+but usb_create_hcd() is called outside the scope of the rwsem.
+
+A simple solution is to check that the root-hub pointer has been
+initialized as well as the drvdata field.  This doesn't happen until
+usb_add_hcd() is called; that call and the check are both protected by
+the rwsem.
+
+This patch should be applied to stable kernels from 3.10 onward.
+
+Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
+Reported-by: Stefani Seibold <stefani@seibold.net>
+Tested-by: Stefani Seibold <stefani@seibold.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/usb/core/hcd-pci.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -71,7 +71,7 @@ static void companion_common(struct pci_
+                       continue;
+               companion_hcd = pci_get_drvdata(companion);
+-              if (!companion_hcd)
++              if (!companion_hcd || !companion_hcd->self.root_hub)
+                       continue;
+               /* For SET_HS_COMPANION, store a pointer to the EHCI bus in
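Review bot: The description says this fix is for stable kernels from 3.10 onward and that the new test is protected by `companions_rwsem`, yet this copy is queued under queue-3.4 and the hunk targets `companion_common()`. The added `!companion_hcd->self.root_hub` test only closes the race if, in the 3.4 tree, `usb_add_hcd()` sets the root-hub pointer under the same lock that guards this loop. That cannot be confirmed from the hunk, because the function body starts and ends outside it. I would verify the locking in 3.4 and record the result in the backport with a line such as `[3.4 backport: root_hub is assigned under <name of the 3.4 lock>, checked]`, or else drop the patch from this queue.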
diff --git a/queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch b/queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
new file mode 100644 (file)
index 0000000..33d6bfc
--- /dev/null
@@ -0,0 +1,50 @@
+From b3b42ac2cbae1f3cecbb6229964a4d48af31d382 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+Date: Sun, 16 Mar 2014 15:31:54 -0700
+Subject: x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
+
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+
+commit b3b42ac2cbae1f3cecbb6229964a4d48af31d382 upstream.
+
+The IRET instruction, when returning to a 16-bit segment, only
+restores the bottom 16 bits of the user space stack pointer.  We have
+a software workaround for that ("espfix") for the 32-bit kernel, but
+it relies on a nonzero stack segment base which is not available in
+32-bit mode.
+
+Since 16-bit support is somewhat crippled anyway on a 64-bit kernel
+(no V86 mode), and most (if not quite all) 64-bit processors support
+virtualization for the users who really need it, simply reject
+attempts at creating a 16-bit segment when running on top of a 64-bit
+kernel.
+
+Cc: Linus Torvalds <torvalds@linux-foundation.org>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ arch/x86/kernel/ldt.c |   11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/ldt.c
++++ b/arch/x86/kernel/ldt.c
+@@ -229,6 +229,17 @@ static int write_ldt(void __user *ptr, u
+               }
+       }
++      /*
++       * On x86-64 we do not support 16-bit segments due to
++       * IRET leaking the high bits of the kernel stack address.
++       */
++#ifdef CONFIG_X86_64
++      if (!ldt_info.seg_32bit) {
++              error = -EINVAL;
++              goto out_unlock;
++      }
++#endif
++
+       fill_ldt(&ldt, &ldt_info);
+       if (oldmode)
+               ldt.avl = 0;
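Review bot: The added `#ifdef CONFIG_X86_64` block refuses every descriptor with `seg_32bit` clear, with no runtime switch, so existing programs that install 16-bit segments through modify_ldt() start failing with a bare `-EINVAL`. The comment above the check should state that user-visible effect, for example `/* modify_ldt() fails with -EINVAL for 16-bit segments on x86-64; this is a deliberate ABI restriction. */`. The test covers only `write_ldt()`, whose body starts and ends outside this hunk. Whether other paths that install user descriptors need the same restriction cannot be judged from here and is worth confirming before treating the IRET leak as closed. Separately, the description's "not available in 32-bit mode" presumably means 64-bit mode, since the workaround is described as existing for the 32-bit kernel.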