From: Greg Kroah-Hartman
Date: Mon, 7 Jul 2014 23:44:54 +0000 (-0700)
Subject: 3.4-stable patches
X-Git-Tag: v3.4.98~7
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=68b640634daf904ae1861a8e5aeacafd7890143f;p=thirdparty%2Fkernel%2Fstable-queue.git

3.4-stable patches

added patches:
acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch
powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch
powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch
powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch
powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch
powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch
powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch
staging-bcm-add-two-products-and-remove-an-existing-product.patch
staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch
staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
staging-wlags49_h2-buffer-overflow-setting-station-name.patch
---
diff --git a/queue-3.4/acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch b/queue-3.4/acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch
new file mode 100644
index 00000000000..7885ee0c409
--- /dev/null
+++ b/queue-3.4/acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch
@@ -0,0 +1,40 @@
+From 771d09b3c4c45d4d534a83a68e6331b97fd82e15 Mon Sep 17 00:00:00 2001
+From: Gustavo Maciel Dias Vieira
+Date: Mon, 4 Mar 2013 15:23:37 +0000
+Subject: ACPI video: ignore BIOS backlight value for HP dm4
+
+From: Gustavo Maciel Dias Vieira
+
+commit 771d09b3c4c45d4d534a83a68e6331b97fd82e15 upstream.
+
+On a HP Pavilion dm4 laptop the BIOS sets minimum backlight on boot,
+completely dimming the screen. Ignore this initial value for this
+machine.
+
+Signed-off-by: Gustavo Maciel Dias Vieira
+Signed-off-by: Rafael J. Wysocki
+Signed-off-by: Ben Hutchings
+[wyj: Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/acpi/video.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/video.c
++++ b/drivers/acpi/video.c
+@@ -471,6 +471,14 @@ static struct dmi_system_id video_dmi_ta
+ DMI_MATCH(DMI_PRODUCT_NAME, "HP 1000 Notebook PC"),
+ },
+ },
++ {
++ .callback = video_ignore_initial_backlight,
++ .ident = "HP Pavilion dm4",
++ .matches = {
++ DMI_MATCH(DMI_BOARD_VENDOR, "Hewlett-Packard"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dm4 Notebook PC"),
++ },
++ },
+ {}
+ };
+
diff --git a/queue-3.4/powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch b/queue-3.4/powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch
new file mode 100644
index 00000000000..e9e80d66dd2
--- /dev/null
+++ b/queue-3.4/powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch
@@ -0,0 +1,87 @@
+From c349bf07d6c05e89c967327af0f334604826d0e4 Mon Sep 17 00:00:00 2001
+From: Benjamin Herrenschmidt
+Date: Tue, 27 Aug 2013 16:38:33 +1000
+Subject: powerpc: Don't Oops when accessing /proc/powerpc/lparcfg without hypervisor
+
+From: Benjamin Herrenschmidt
+
+commit f5f6cbb61610b7bf9d9d96db9c3979d62a424bab upstream.
+
+/proc/powerpc/lparcfg is an ancient facility (though still actively used)
+which allows access to some informations relative to the partition when
+running underneath a PAPR compliant hypervisor.
+
+It makes no sense on non-pseries machines. However, currently, not only
+can it be created on these if the kernel has pseries support, but accessing
+it on such a machine will crash due to trying to do hypervisor calls.
+
+In fact, it should also not do HV calls on older pseries that didn't have
+an hypervisor either.
+
+Finally, it has the plumbing to be a module but is a "bool" Kconfig option.
+
+This fixes the whole lot by turning it into a machine_device_initcall
+that is only created on pseries, and adding the necessary hypervisor
+check before calling the H_GET_EM_PARMS hypercall
+
+Signed-off-by: Benjamin Herrenschmidt
+[bwh: Backported to 3.2: lparcfg_cleanup() was a bit different]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/lparcfg.c | 23 +++++++++--------------
+ 1 file changed, 9 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/kernel/lparcfg.c
++++ b/arch/powerpc/kernel/lparcfg.c
+@@ -35,7 +35,13 @@
+ #include
+ #include
+ #include
++#include
+
++
++/*
++ * This isn't a module but we expose that to userspace
++ * via /proc so leave the definitions here
++ */
+ #define MODULE_VERS "1.9"
+ #define MODULE_NAME "lparcfg"
+
+@@ -419,7 +425,8 @@ static void parse_em_data(struct seq_fil
+ {
+ unsigned long retbuf[PLPAR_HCALL_BUFSIZE];
+
+- if (plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
++ if (firmware_has_feature(FW_FEATURE_LPAR) &&
++ plpar_hcall(H_GET_EM_PARMS, retbuf) == H_SUCCESS)
+ seq_printf(m, "power_mode_data=%016lx\n", retbuf[0]);
+ }
+
+@@ -678,7 +685,6 @@ static int lparcfg_open(struct inode *in
+ }
+
+ static const struct file_operations lparcfg_fops = {
+- .owner = THIS_MODULE,
+ .read = seq_read,
+ .write = lparcfg_write,
+ .open = lparcfg_open,
+@@ -704,15 +710,4 @@ static int __init lparcfg_init(void)
+ proc_ppc64_lparcfg = ent;
+ return 0;
+ }
+-
+-static void __exit lparcfg_cleanup(void)
+-{
+- if (proc_ppc64_lparcfg)
+- remove_proc_entry("lparcfg", proc_ppc64_lparcfg->parent);
+-}
+-
+-module_init(lparcfg_init);
+-module_exit(lparcfg_cleanup);
+-MODULE_DESCRIPTION("Interface for LPAR configuration data");
+-MODULE_AUTHOR("Dave Engebretsen");
+-MODULE_LICENSE("GPL");
++machine_device_initcall(pseries, lparcfg_init);
diff --git a/queue-3.4/powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch b/queue-3.4/powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch
new file mode 100644
index 00000000000..369788ee285
--- /dev/null
+++ b/queue-3.4/powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch
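Review bot: In arch/powerpc/kernel/lparcfg.c the `firmware_has_feature(FW_FEATURE_LPAR)` guard is added only in parse_em_data(); whether the other hypervisor calls in the file, including any reachable from `lparcfg_write`, are guarded the same way cannot be seen from these hunks and should be confirmed, since the commit message says pseries machines without a hypervisor still get the /proc entry. A short comment on the new condition would also help the next reader, e.g. `/* H_GET_EM_PARMS is a hypercall; skip it when no hypervisor is present */`. lparcfg_open() and lparcfg_init() start outside the hunks.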
@@ -0,0 +1,64 @@
+From e4f37de094d8c0a55af0fe63d7f715457b2de3e6 Mon Sep 17 00:00:00 2001
+From: Paul Mackerras
+Date: Fri, 14 Jun 2013 20:07:41 +1000
+Subject: powerpc: Fix emulation of illegal instructions on PowerNV platform
+
+From: Paul Mackerras
+
+commit bf593907f7236e95698a76b7c7a2bbf8b1165327 upstream.
+
+Normally, the kernel emulates a few instructions that are unimplemented
+on some processors (e.g. the old dcba instruction), or privileged (e.g.
+mfpvr). The emulation of unimplemented instructions is currently not
+working on the PowerNV platform. The reason is that on these machines,
+unimplemented and illegal instructions cause a hypervisor emulation
+assist interrupt, rather than a program interrupt as on older CPUs.
+Our vector for the emulation assist interrupt just calls
+program_check_exception() directly, without setting the bit in SRR1
+that indicates an illegal instruction interrupt. This fixes it by
+making the emulation assist interrupt set that bit before calling
+program_check_interrupt(). With this, old programs that use no-longer
+implemented instructions such as dcba now work again.
+
+Signed-off-by: Paul Mackerras
+Signed-off-by: Benjamin Herrenschmidt
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/exceptions-64s.S | 2 +-
+ arch/powerpc/kernel/traps.c | 10 ++++++++++
+ 2 files changed, 11 insertions(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/exceptions-64s.S
++++ b/arch/powerpc/kernel/exceptions-64s.S
+@@ -491,7 +491,7 @@ machine_check_common:
+ STD_EXCEPTION_COMMON(0xb00, trap_0b, .unknown_exception)
+ STD_EXCEPTION_COMMON(0xd00, single_step, .single_step_exception)
+ STD_EXCEPTION_COMMON(0xe00, trap_0e, .unknown_exception)
+- STD_EXCEPTION_COMMON(0xe40, emulation_assist, .program_check_exception)
++ STD_EXCEPTION_COMMON(0xe40, emulation_assist, .emulation_assist_interrupt)
+ STD_EXCEPTION_COMMON(0xe60, hmi_exception, .unknown_exception)
+ STD_EXCEPTION_COMMON_ASYNC(0xf00, performance_monitor, .performance_monitor_exception)
+ STD_EXCEPTION_COMMON(0x1300, instruction_breakpoint, .instruction_breakpoint_exception)
+--- a/arch/powerpc/kernel/traps.c
++++ b/arch/powerpc/kernel/traps.c
+@@ -1074,6 +1074,16 @@ void __kprobes program_check_exception(s
+ _exception(SIGILL, regs, ILL_ILLOPC, regs->nip);
+ }
+
++/*
++ * This occurs when running in hypervisor mode on POWER6 or later
++ * and an illegal instruction is encountered.
++ */
++void __kprobes emulation_assist_interrupt(struct pt_regs *regs)
++{
++ regs->msr |= REASON_ILLEGAL;
++ program_check_exception(regs);
++}
++
+ void alignment_exception(struct pt_regs *regs)
+ {
+ int sig, code, fixed = 0;
diff --git a/queue-3.4/powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch b/queue-3.4/powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch
new file mode 100644
index 00000000000..d9cee4ca879
--- /dev/null
+++ b/queue-3.4/powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch
@@ -0,0 +1,58 @@
+From 36d04a55f34ab580aab001e497b97410f0ad5079 Mon Sep 17 00:00:00 2001
+From: Anton Blanchard
+Date: Sun, 17 Nov 2013 11:39:05 +1100
+Subject: powerpc/pseries: Duplicate dtl entries sometimes sent to userspace
+
+From: Anton Blanchard
+
+commit 84b073868b9d9e754ae48b828337633d1b386482 upstream.
+
+When reading from the dispatch trace log (dtl) userspace interface, I
+sometimes see duplicate entries. One example:
+
+# hexdump -C dtl.out
+
+00000000 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00
+00000010 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00
+00000020 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32
+
+00000030 07 04 00 0c 00 00 48 44 00 00 00 00 00 00 00 00
+00000040 00 0c a0 b4 16 83 6d 68 00 00 00 00 00 00 00 00
+00000050 00 00 00 00 10 00 13 50 80 00 00 00 00 00 d0 32
+
+The problem is in scan_dispatch_log() where we call dtl_consumer()
+but bail out before incrementing the index.
+
+To fix this I moved dtl_consumer() after the timebase comparison.
+
+Signed-off-by: Anton Blanchard
+Signed-off-by: Benjamin Herrenschmidt
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/time.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/time.c
++++ b/arch/powerpc/kernel/time.c
+@@ -212,8 +212,6 @@ static u64 scan_dispatch_log(u64 stop_tb
+ if (i == vpa->dtl_idx)
+ return 0;
+ while (i < vpa->dtl_idx) {
+- if (dtl_consumer)
+- dtl_consumer(dtl, i);
+ dtb = dtl->timebase;
+ tb_delta = dtl->enqueue_to_dispatch_time +
+ dtl->ready_to_enqueue_time;
+@@ -226,6 +224,8 @@ static u64 scan_dispatch_log(u64 stop_tb
+ }
+ if (dtb > stop_tb)
+ break;
++ if (dtl_consumer)
++ dtl_consumer(dtl, i);
+ stolen += tb_delta;
+ ++i;
+ ++dtl;
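Review bot: The ordering this fix depends on is not recorded at the call site in scan_dispatch_log(): `dtl_consumer(dtl, i)` has to run only after the `dtb > stop_tb` test, because the `break` leaves `i` unadvanced and the same entry is scanned again on the next call. A one-line comment above the moved call, e.g. `/* consume only entries we are about to account for; the break above leaves i unchanged */`, would keep a later reorder from reintroducing the duplicate records seen by userspace. The function body starts and ends outside both hunks.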
diff --git a/queue-3.4/powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch b/queue-3.4/powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch
new file mode 100644
index 00000000000..d936da98e56
--- /dev/null
+++ b/queue-3.4/powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch
@@ -0,0 +1,38 @@
+From 8f0ce108f5e1c6a443548746b6f01b450f71a407 Mon Sep 17 00:00:00 2001
+From: Chen Gang
+Date: Mon, 22 Apr 2013 17:12:54 +0000
+Subject: powerpc/pseries/lparcfg: Fix possible overflow are more than 1026
+
+From: Chen Gang
+
+commit 5676005acf26ab7e924a8438ea4746e47d405762 upstream.
+
+need set '\0' for 'local_buffer'.
+
+SPLPAR_MAXLENGTH is 1026, RTAS_DATA_BUF_SIZE is 4096. so the contents of
+rtas_data_buf may truncated in memcpy.
+
+if contents are really truncated.
+ the splpar_strlen is more than 1026. the next while loop checking will
+ not find the end of buffer. that will cause memory access violation.
+
+Signed-off-by: Chen Gang
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/lparcfg.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/arch/powerpc/kernel/lparcfg.c
++++ b/arch/powerpc/kernel/lparcfg.c
+@@ -307,6 +307,7 @@ static void parse_system_parameter_strin
+ __pa(rtas_data_buf),
+ RTAS_DATA_BUF_SIZE);
+ memcpy(local_buffer, rtas_data_buf, SPLPAR_MAXLENGTH);
++ local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';
+ spin_unlock(&rtas_data_buf_lock);
+
+ if (call_status != 0) {
diff --git a/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch b/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
new file mode 100644
index 00000000000..dcd17529e74
--- /dev/null
+++ b/queue-3.4/powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
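Review bot: In arch/powerpc/kernel/lparcfg.c, `local_buffer[SPLPAR_MAXLENGTH - 1] = '\0';` bounds a scan that stops at NUL, but the length the commit message calls `splpar_strlen` still comes from the firmware-supplied data and is not clamped in this hunk. If the loop after the hunk also advances by that length or copies into another fixed-size buffer (not visible here), the length should be limited to the bytes actually copied, e.g. `if (splpar_strlen > SPLPAR_MAXLENGTH) splpar_strlen = SPLPAR_MAXLENGTH;`, adjusted for any length prefix. A comment on the new line saying that the terminator is what stops the parser on a truncated buffer would make the dependency explicit. parse_system_parameter_string()'s body starts and ends outside the hunk.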
@@ -0,0 +1,161 @@
+From 0b2d10f8f2e686c9f4b718251765f09f77ee8088 Mon Sep 17 00:00:00 2001
+From: "Paul E. McKenney"
+Date: Tue, 1 Oct 2013 17:11:35 +1000
+Subject: powerpc: Restore registers on error exit from csum_partial_copy_generic()
+
+From: "Paul E. McKenney"
+
+commit 8f21bd0090052e740944f9397e2be5ac7957ded7 upstream.
+
+The csum_partial_copy_generic() function saves the PowerPC non-volatile
+r14, r15, and r16 registers for the main checksum-and-copy loop.
+Unfortunately, it fails to restore them upon error exit from this loop,
+which results in silent corruption of these registers in the presumably
+rare event of an access exception within that loop.
+
+This commit therefore restores these register on error exit from the loop.
+
+Signed-off-by: Paul E. McKenney
+Signed-off-by: Anton Blanchard
+Signed-off-by: Benjamin Herrenschmidt
+[bwh: Backported to 3.2: register name macros use lower-case 'r']
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/lib/checksum_64.S | 54 ++++++++++++++++++++++++++++++-----------
+ 1 file changed, 40 insertions(+), 14 deletions(-)
+
+--- a/arch/powerpc/lib/checksum_64.S
++++ b/arch/powerpc/lib/checksum_64.S
+@@ -229,19 +229,35 @@ _GLOBAL(csum_partial)
+ blr
+
+
+- .macro source
++ .macro srcnr
+ 100:
+ .section __ex_table,"a"
+ .align 3
+- .llong 100b,.Lsrc_error
++ .llong 100b,.Lsrc_error_nr
+ .previous
+ .endm
+
+- .macro dest
++ .macro source
++150:
++ .section __ex_table,"a"
++ .align 3
++ .llong 150b,.Lsrc_error
++ .previous
++ .endm
++
++ .macro dstnr
+ 200:
+ .section __ex_table,"a"
+ .align 3
+- .llong 200b,.Ldest_error
++ .llong 200b,.Ldest_error_nr
++ .previous
++ .endm
++
++ .macro dest
++250:
++ .section __ex_table,"a"
++ .align 3
++ .llong 250b,.Ldest_error
+ .previous
+ .endm
+
+@@ -277,11 +293,11 @@ _GLOBAL(csum_partial_copy_generic)
+ mtctr r6
+
+ 1:
+-source; lhz r6,0(r3) /* align to doubleword */
++srcnr; lhz r6,0(r3) /* align to doubleword */
+ subi r5,r5,2
+ addi r3,r3,2
+ adde r0,r0,r6
+-dest; sth r6,0(r4)
++dstnr; sth r6,0(r4)
+ addi r4,r4,2
+ bdnz 1b
+
+@@ -395,10 +411,10 @@ dest; std r16,56(r4)
+
+ mtctr r6
+ 3:
+-source; ld r6,0(r3)
++srcnr; ld r6,0(r3)
+ addi r3,r3,8
+ adde r0,r0,r6
+-dest; std r6,0(r4)
++dstnr; std r6,0(r4)
+ addi r4,r4,8
+ bdnz 3b
+
+@@ -408,10 +424,10 @@ dest; std r6,0(r4)
+ srdi. r6,r5,2
+ beq .Lcopy_tail_halfword
+
+-source; lwz r6,0(r3)
++srcnr; lwz r6,0(r3)
+ addi r3,r3,4
+ adde r0,r0,r6
+-dest; stw r6,0(r4)
++dstnr; stw r6,0(r4)
+ addi r4,r4,4
+ subi r5,r5,4
+
+@@ -419,10 +435,10 @@ dest; stw r6,0(r4)
+ srdi. r6,r5,1
+ beq .Lcopy_tail_byte
+
+-source; lhz r6,0(r3)
++srcnr; lhz r6,0(r3)
+ addi r3,r3,2
+ adde r0,r0,r6
+-dest; sth r6,0(r4)
++dstnr; sth r6,0(r4)
+ addi r4,r4,2
+ subi r5,r5,2
+
+@@ -430,10 +446,10 @@ dest; sth r6,0(r4)
+ andi. r6,r5,1
+ beq .Lcopy_finish
+
+-source; lbz r6,0(r3)
++srcnr; lbz r6,0(r3)
+ sldi r9,r6,8 /* Pad the byte out to 16 bits */
+ adde r0,r0,r9
+-dest; stb r6,0(r4)
++dstnr; stb r6,0(r4)
+
+ .Lcopy_finish:
+ addze r0,r0 /* add in final carry */
+@@ -443,6 +459,11 @@ dest; stb r6,0(r4)
+ blr
+
+ .Lsrc_error:
++ ld r14,STK_REG(r14)(r1)
++ ld r15,STK_REG(r15)(r1)
++ ld r16,STK_REG(r16)(r1)
++ addi r1,r1,STACKFRAMESIZE
++.Lsrc_error_nr:
+ cmpdi 0,r7,0
+ beqlr
+ li r6,-EFAULT
+@@ -450,6 +471,11 @@ dest; stb r6,0(r4)
+ blr
+
+ .Ldest_error:
++ ld r14,STK_REG(r14)(r1)
++ ld r15,STK_REG(r15)(r1)
++ ld r16,STK_REG(r16)(r1)
++ addi r1,r1,STACKFRAMESIZE
++.Ldest_error_nr:
+ cmpdi 0,r8,0
+ beqlr
+ li r6,-EFAULT
diff --git a/queue-3.4/powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch b/queue-3.4/powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch
new file mode 100644
index 00000000000..654727273e1
--- /dev/null
+++ b/queue-3.4/powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch
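Review bot: In arch/powerpc/lib/checksum_64.S the four exception-table macros are now told apart only by a suffix, and nothing in the file states that `srcnr`/`dstnr` belong on accesses made while no stack frame is live and `source`/`dest` on accesses made while r14-r16 are saved. Picking the wrong one would either skip the register restore or run `addi r1,r1,STACKFRAMESIZE` for a frame that was never pushed, so the rule deserves a comment above the macros, e.g. `/* srcnr/dstnr: no frame to unwind on fault; source/dest: fault handler restores r14-r16 and pops the frame */`. The main copy loop lies outside these hunks, so whether every access inside it uses the restoring variants should be checked against the full file.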
@@ -0,0 +1,53 @@
+From 1aa33199c5969b6a062727438ba0795864dd3fbe Mon Sep 17 00:00:00 2001
+From: Chen Gang
+Date: Wed, 20 Mar 2013 14:30:12 +0800
+Subject: powerpc/smp: Section mismatch from smp_release_cpus to __initdata spinning_secondaries
+
+From: Chen Gang
+
+commit 8246aca7058f3f2c2ae503081777965cd8df7b90 upstream.
+
+the smp_release_cpus is a normal funciton and called in normal environments,
+ but it calls the __initdata spinning_secondaries.
+ need modify spinning_secondaries to match smp_release_cpus.
+
+the related warning:
+ (the linker report boot_paca.33377, but it should be spinning_secondaries)
+
+-----------------------------------------------------------------------------
+
+WARNING: arch/powerpc/kernel/built-in.o(.text+0x23176): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
+The function .smp_release_cpus() references
+the variable __initdata boot_paca.33377.
+This is often because .smp_release_cpus lacks a __initdata
+annotation or the annotation of boot_paca.33377 is wrong.
+
+WARNING: arch/powerpc/kernel/built-in.o(.text+0x231fe): Section mismatch in reference from the function .smp_release_cpus() to the variable .init.data:boot_paca.33377
+The function .smp_release_cpus() references
+the variable __initdata boot_paca.33377.
+This is often because .smp_release_cpus lacks a __initdata
+annotation or the annotation of boot_paca.33377 is wrong.
+
+-----------------------------------------------------------------------------
+
+Signed-off-by: Chen Gang
+Signed-off-by: Benjamin Herrenschmidt
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/setup_64.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/powerpc/kernel/setup_64.c
++++ b/arch/powerpc/kernel/setup_64.c
+@@ -76,7 +76,7 @@
+ #endif
+
+ int boot_cpuid = 0;
+-int __initdata spinning_secondaries;
++int spinning_secondaries;
+ u64 ppc64_pft_size;
+
+ /* Pick defaults since we might want to patch instructions
diff --git a/queue-3.4/powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch b/queue-3.4/powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch
new file mode 100644
index 00000000000..c516b9b3fa3
--- /dev/null
+++ b/queue-3.4/powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch
@@ -0,0 +1,72 @@
+From d1211af3049f4c9c1d8d4eb8f8098cc4f4f0d0c7 Mon Sep 17 00:00:00 2001
+From: Madhavan Srinivasan
+Date: Wed, 2 Oct 2013 00:34:10 +0530
+Subject: powerpc/sysfs: Disable writing to PURR in guest mode
+
+From: Madhavan Srinivasan
+
+commit d1211af3049f4c9c1d8d4eb8f8098cc4f4f0d0c7 upstream.
+
+arch/powerpc/kernel/sysfs.c exports PURR with write permission.
+This may be valid for kernel in phyp mode. But writing to
+the file in guest mode causes crash due to a priviledge violation
+
+Signed-off-by: Madhavan Srinivasan
+Signed-off-by: Benjamin Herrenschmidt
+[Backported to 3.4: adjust context]
+Signed-off-by: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+---
+ arch/powerpc/kernel/sysfs.c | 18 ++++++++++++++++--
+ 1 file changed, 16 insertions(+), 2 deletions(-)
+
+--- a/arch/powerpc/kernel/sysfs.c
++++ b/arch/powerpc/kernel/sysfs.c
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "cacheinfo.h"
+
+@@ -179,15 +180,25 @@ SYSFS_PMCSETUP(spurr, SPRN_SPURR);
+ SYSFS_PMCSETUP(dscr, SPRN_DSCR);
+ SYSFS_PMCSETUP(pir, SPRN_PIR);
+
++/*
++ Lets only enable read for phyp resources and
++ enable write when needed with a separate function.
++ Lets be conservative and default to pseries.
++ */
+ static DEVICE_ATTR(mmcra, 0600, show_mmcra, store_mmcra);
+ static DEVICE_ATTR(spurr, 0600, show_spurr, NULL);
+ static DEVICE_ATTR(dscr, 0600, show_dscr, store_dscr);
+-static DEVICE_ATTR(purr, 0600, show_purr, store_purr);
++static DEVICE_ATTR(purr, 0400, show_purr, store_purr);
+ static DEVICE_ATTR(pir, 0400, show_pir, NULL);
+
+ unsigned long dscr_default = 0;
+ EXPORT_SYMBOL(dscr_default);
+
++static void add_write_permission_dev_attr(struct device_attribute *attr)
++{
++ attr->attr.mode |= 0200;
++}
++
+ static ssize_t show_dscr_default(struct device *dev,
+ struct device_attribute *attr, char *buf)
+ {
+@@ -394,8 +405,11 @@ static void __cpuinit register_cpu_onlin
+ if (cpu_has_feature(CPU_FTR_MMCRA))
+ device_create_file(s, &dev_attr_mmcra);
+
+- if (cpu_has_feature(CPU_FTR_PURR))
++ if (cpu_has_feature(CPU_FTR_PURR)) {
++ if (!firmware_has_feature(FW_FEATURE_LPAR))
++ add_write_permission_dev_attr(&dev_attr_purr);
+ device_create_file(s, &dev_attr_purr);
++ }
+
+ if (cpu_has_feature(CPU_FTR_SPURR))
+ device_create_file(s, &dev_attr_spurr);
diff --git a/queue-3.4/series b/queue-3.4/series
index 35187cc8871..662ff69f033 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
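Review bot: In arch/powerpc/kernel/sysfs.c the guest-mode protection for PURR now rests on the attribute mode alone: `store_purr` is still passed to `DEVICE_ATTR(purr, 0400, ...)`, and nothing visible in these hunks makes the handler itself refuse the write when `firmware_has_feature(FW_FEATURE_LPAR)` is true. A feature test in the store path (generated by `SYSFS_PMCSETUP`, outside the hunks) would keep the privileged register write rejected even if the file mode is changed after registration. The new block comment would also be clearer in kernel comment style, e.g. `/* PURR is read-only by default; write permission is added at registration when not running as an LPAR guest. */`. register_cpu_online() starts and ends outside the hunk.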
@@ -30,3 +30,15 @@ acpi-video-add-asus-ul30vt-to-acpi-video-detect-blacklist.patch
 acpi-video-add-asus-ul30a-to-acpi-video-detect-blacklist.patch
 acpi-video-ignore-bios-initial-backlight-value-for-hp-1000.patch
 staging-comedi-das08-correct-ai-encoding-for-das08jr-16-ao.patch
+staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
+staging-wlags49_h2-buffer-overflow-setting-station-name.patch
+staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch
+staging-bcm-add-two-products-and-remove-an-existing-product.patch
+powerpc-fix-emulation-of-illegal-instructions-on-powernv-platform.patch
+powerpc-smp-section-mismatch-from-smp_release_cpus-to-__initdata-spinning_secondaries.patch
+powerpc-don-t-oops-when-accessing-proc-powerpc-lparcfg-without-hypervisor.patch
+powerpc-restore-registers-on-error-exit-from-csum_partial_copy_generic.patch
+powerpc-pseries-lparcfg-fix-possible-overflow-are-more-than-1026.patch
+powerpc-pseries-duplicate-dtl-entries-sometimes-sent-to-userspace.patch
+acpi-video-ignore-bios-backlight-value-for-hp-dm4.patch
+powerpc-sysfs-disable-writing-to-purr-in-guest-mode.patch
diff --git a/queue-3.4/staging-bcm-add-two-products-and-remove-an-existing-product.patch b/queue-3.4/staging-bcm-add-two-products-and-remove-an-existing-product.patch
new file mode 100644
index 00000000000..3924c2305f4
--- /dev/null
+++ b/queue-3.4/staging-bcm-add-two-products-and-remove-an-existing-product.patch
@@ -0,0 +1,58 @@
+From fc5884d265e78f15915f650585cfb28c9aa5aca6 Mon Sep 17 00:00:00 2001
+From: Kevin McKinney
+Date: Mon, 12 Nov 2012 22:20:30 -0500
+Subject: Staging: bcm: Add two products and remove an existing product.
+
+From: Kevin McKinney
+
+commit 4f29ef050848245f7c180b95ccf67dfcd76b1fd8 upstream.
+
+This patch adds two new products and modifies
+the device id table to include them. In addition,
+product of 0xbccd - BCM_USB_PRODUCT_ID_SM250 is
+removed because Beceem, ZTE, Sprint use this id
+for block devices.
+
+Reported-by: Muhammad Minhazul Haque
+Signed-off-by: Kevin McKinney
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/bcm/InterfaceInit.c | 3 ++-
+ drivers/staging/bcm/InterfaceInit.h | 2 +-
+ 2 files changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/staging/bcm/InterfaceInit.c
++++ b/drivers/staging/bcm/InterfaceInit.c
+@@ -4,11 +4,12 @@ static struct usb_device_id InterfaceUsb
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3B) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_T3L) },
+- { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_SM250) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_T3, BCM_USB_PRODUCT_ID_SYM) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_226) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_FOXCONN, BCM_USB_PRODUCT_ID_1901) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_TU25) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_226) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_326) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(usb, InterfaceUsbtable);
+--- a/drivers/staging/bcm/InterfaceInit.h
++++ b/drivers/staging/bcm/InterfaceInit.h
+@@ -8,11 +8,11 @@
+ #define BCM_USB_PRODUCT_ID_T3 0x0300
+ #define BCM_USB_PRODUCT_ID_T3B 0x0210
+ #define BCM_USB_PRODUCT_ID_T3L 0x0220
+-#define BCM_USB_PRODUCT_ID_SM250 0xbccd
+ #define BCM_USB_PRODUCT_ID_SYM 0x15E
+ #define BCM_USB_PRODUCT_ID_1901 0xe017
+ #define BCM_USB_PRODUCT_ID_226 0x0132 /* not sure if this is valid */
+ #define BCM_USB_PRODUCT_ID_ZTE_226 0x172
++#define BCM_USB_PRODUCT_ID_ZTE_326 0x173 /* ZTE AX326 */
+ #define BCM_USB_PRODUCT_ID_ZTE_TU25 0x0007
+
+ #define BCM_USB_MINOR_BASE 192
diff --git a/queue-3.4/staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch b/queue-3.4/staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch
new file mode 100644
index 00000000000..9a85cc0d67e
--- /dev/null
+++ b/queue-3.4/staging-bcm-create-and-initialize-new-device-id-in-interfaceinit.patch
@@ -0,0 +1,50 @@
+From bf78d71280f1caa4b266c8ca430b68308bfd4db0 Mon Sep 17 00:00:00 2001
+From: Kevin McKinney
+Date: Tue, 11 Sep 2012 22:19:06 -0400
+Subject: Staging: bcm: Create and initialize new device id in InterfaceInit
+
+From: Kevin McKinney
+
+commit e66fc1fba248738d32f3b64508f9ef1176d9e767 upstream.
+
+This patch create and initalizes a new device
+id of 0x172 as reported by Rinat Camalov
+. In addition, a
+comment is added to the potential invalid
+existing device id.
+
+Reported-by: Rinat Camalov
+Signed-off-by: Kevin McKinney
+Signed-off-by: Greg Kroah-Hartman
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/bcm/InterfaceInit.c | 1 +
+ drivers/staging/bcm/InterfaceInit.h | 3 ++-
+ 2 files changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/staging/bcm/InterfaceInit.c
++++ b/drivers/staging/bcm/InterfaceInit.c
+@@ -8,6 +8,7 @@ static struct usb_device_id InterfaceUsb
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_226) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_FOXCONN, BCM_USB_PRODUCT_ID_1901) },
+ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_TU25) },
++ { USB_DEVICE(BCM_USB_VENDOR_ID_ZTE, BCM_USB_PRODUCT_ID_ZTE_226) },
+ { }
+ };
+ MODULE_DEVICE_TABLE(usb, InterfaceUsbtable);
+--- a/drivers/staging/bcm/InterfaceInit.h
++++ b/drivers/staging/bcm/InterfaceInit.h
+@@ -11,7 +11,8 @@
+ #define BCM_USB_PRODUCT_ID_SM250 0xbccd
+ #define BCM_USB_PRODUCT_ID_SYM 0x15E
+ #define BCM_USB_PRODUCT_ID_1901 0xe017
+-#define BCM_USB_PRODUCT_ID_226 0x0132
++#define BCM_USB_PRODUCT_ID_226 0x0132 /* not sure if this is valid */
++#define BCM_USB_PRODUCT_ID_ZTE_226 0x172
+ #define BCM_USB_PRODUCT_ID_ZTE_TU25 0x0007
+
+ #define BCM_USB_MINOR_BASE 192
diff --git a/queue-3.4/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch b/queue-3.4/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
new file mode 100644
index 00000000000..136cc8fe012
--- /dev/null
+++ b/queue-3.4/staging-comedi-fix-a-race-between-do_cmd_ioctl-and-read-write.patch
@@ -0,0 +1,141 @@
+From 1f8adde06e866835fafa1b34fcea9b1dab82bb78 Mon Sep 17 00:00:00 2001
+From: Ian Abbott
+Date: Fri, 5 Jul 2013 16:49:34 +0100
+Subject: staging: comedi: fix a race between do_cmd_ioctl() and read/write
+
+From: Ian Abbott
+
+commit 4b18f08be01a7b3c7b6df497137b6e3cb28adaa3 upstream.
+
+`do_cmd_ioctl()` is called with the comedi device's mutex locked to
+process the `COMEDI_CMD` ioctl to set up comedi's asynchronous command
+handling on a comedi subdevice. `comedi_read()` and `comedi_write()`
+are the `read` and `write` handlers for the comedi device, but do not
+lock the mutex (for performance reasons, as some things can hold the
+mutex for quite a long time).
+
+There is a race condition if `comedi_read()` or `comedi_write()` is
+running at the same time and for the same file object and comedi
+subdevice as `do_cmd_ioctl()`. `do_cmd_ioctl()` sets the subdevice's
+`busy` pointer to the file object way before it sets the `SRF_RUNNING` flag
+in the subdevice's `runflags` member. `comedi_read() and
+`comedi_write()` check the subdevice's `busy` pointer is pointing to the
+current file object, then if the `SRF_RUNNING` flag is not set, will call
+`do_become_nonbusy()` to shut down the asyncronous command. Bad things
+can happen if the asynchronous command is being shutdown and set up at
+the same time.
+
+To prevent the race, don't set the `busy` pointer until
+after the `SRF_RUNNING` flag has been set. Also, make sure the mutex is
+held in `comedi_read()` and `comedi_write()` while calling
+`do_become_nonbusy()` in order to avoid moving the race condition to a
+point within that function.
+
+Change some error handling `goto cleanup` statements in `do_cmd_ioctl()`
+to simple `return -ERRFOO` statements as a result of changing when the
+`busy` pointer is set.
+
+Signed-off-by: Ian Abbott
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/comedi/comedi_fops.c | 25 +++++++++++++++----------
+ 1 file changed, 15 insertions(+), 10 deletions(-)
+
+--- a/drivers/staging/comedi/comedi_fops.c
++++ b/drivers/staging/comedi/comedi_fops.c
+@@ -1078,22 +1078,19 @@ static int do_cmd_ioctl(struct comedi_de
+ DPRINTK("subdevice busy\n");
+ return -EBUSY;
+ }
+- s->busy = file;
+
+ /* make sure channel/gain list isn't too long */
+ if (user_cmd.chanlist_len > s->len_chanlist) {
+ DPRINTK("channel/gain list too long %u > %d\n",
+ user_cmd.chanlist_len, s->len_chanlist);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ /* make sure channel/gain list isn't too short */
+ if (user_cmd.chanlist_len < 1) {
+ DPRINTK("channel/gain list too short %u < 1\n",
+ user_cmd.chanlist_len);
+- ret = -EINVAL;
+- goto cleanup;
++ return -EINVAL;
+ }
+
+ async->cmd = user_cmd;
+@@ -1103,8 +1100,7 @@ static int do_cmd_ioctl(struct comedi_de
+ kmalloc(async->cmd.chanlist_len * sizeof(int), GFP_KERNEL);
+ if (!async->cmd.chanlist) {
+ DPRINTK("allocation failed\n");
+- ret = -ENOMEM;
+- goto cleanup;
++ return -ENOMEM;
+ }
+
+ if (copy_from_user(async->cmd.chanlist, user_cmd.chanlist,
+@@ -1156,6 +1152,9 @@ static int do_cmd_ioctl(struct comedi_de
+
+ comedi_set_subdevice_runflags(s, ~0, SRF_USER | SRF_RUNNING);
+
++ /* set s->busy _after_ setting SRF_RUNNING flag to avoid race with
++ * comedi_read() or comedi_write() */
++ s->busy = file;
+ ret = s->do_cmd(dev, s);
+ if (ret == 0)
+ return 0;
+@@ -1658,6 +1657,7 @@ static ssize_t comedi_write(struct file
+
+ if (!(comedi_get_subdevice_runflags(s) & SRF_RUNNING)) {
+ if (count == 0) {
++ mutex_lock(&dev->mutex);
+ if (comedi_get_subdevice_runflags(s) &
+ SRF_ERROR) {
+ retval = -EPIPE;
+@@ -1665,6 +1665,7 @@ static ssize_t comedi_write(struct file
+ retval = 0;
+ }
+ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ break;
+ }
+@@ -1779,6 +1780,7 @@ static ssize_t comedi_read(struct file *
+
+ if (n == 0) {
+ if (!(comedi_get_subdevice_runflags(s) & SRF_RUNNING)) {
++ mutex_lock(&dev->mutex);
+ do_become_nonbusy(dev, s);
+ if (comedi_get_subdevice_runflags(s) &
+ SRF_ERROR) {
+@@ -1786,6 +1788,7 @@ static ssize_t comedi_read(struct file *
+ } else {
+ retval = 0;
+ }
++ mutex_unlock(&dev->mutex);
+ break;
+ }
+ if (file->f_flags & O_NONBLOCK) {
+@@ -1823,9 +1826,11 @@ static ssize_t comedi_read(struct file *
+ buf += n;
+ break; /* makes device work like a pipe */
+ }
+- if (!(comedi_get_subdevice_runflags(s) & (SRF_ERROR | SRF_RUNNING)) &&
+- async->buf_read_count - async->buf_write_count == 0) {
+- do_become_nonbusy(dev, s);
++ if (!(comedi_get_subdevice_runflags(s) & (SRF_ERROR | SRF_RUNNING))) {
++ mutex_lock(&dev->mutex);
++ if (async->buf_read_count - async->buf_write_count == 0)
++ do_become_nonbusy(dev, s);
++ mutex_unlock(&dev->mutex);
+ }
+ set_current_state(TASK_RUNNING);
+ remove_wait_queue(&async->wait_head, &wait);
diff --git a/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch b/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
new file mode 100644
index 00000000000..0f46a21fcd0
--- /dev/null
+++ b/queue-3.4/staging-wlags49_h2-buffer-overflow-setting-station-name.patch
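Review bot: In comedi_read() and comedi_write() (drivers/staging/comedi/comedi_fops.c) the `SRF_RUNNING` test is still made before `mutex_lock(&dev->mutex)`, so do_cmd_ioctl() can set the flag and `s->busy` between that test and the call to `do_become_nonbusy()`. Repeating the test once the mutex is held closes the window, e.g. `if (s->busy == file && !(comedi_get_subdevice_runflags(s) & SRF_RUNNING)) do_become_nonbusy(dev, s);`. The same applies to the last comedi_read() hunk, where only the buffer counts are examined under the lock. All three functions start and end outside the hunks, so whether `s->busy == file` is the right ownership test should be confirmed against the full file.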
@@ -0,0 +1,67 @@
+From 840834b578803d8153b6fd8526d23e615916208b Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Tue, 29 Oct 2013 23:00:15 +0300
+Subject: staging: wlags49_h2: buffer overflow setting station name
+
+From: Dan Carpenter
+
+commit b5e2f339865fb443107e5b10603e53bbc92dc054 upstream.
+
+We need to check the length parameter before doing the memcpy(). I've
+actually changed it to strlcpy() as well so that it's NUL terminated.
+
+You need CAP_NET_ADMIN to trigger these so it's not the end of the
+world.
+
+Reported-by: Nico Golde
+Reported-by: Fabian Yamaguchi
+Signed-off-by: Dan Carpenter
+Signed-off-by: Linus Torvalds
+[bwh: Backported to 3.2: adjust context]
+Signed-off-by: Ben Hutchings
+Cc: Yijing Wang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/staging/wlags49_h2/wl_priv.c | 9 ++++++---
+ 1 file changed, 6 insertions(+), 3 deletions(-)
+
+--- a/drivers/staging/wlags49_h2/wl_priv.c
++++ b/drivers/staging/wlags49_h2/wl_priv.c
+@@ -570,6 +570,7 @@ int wvlan_uil_put_info( struct uilreq *u
+ ltv_t *pLtv;
+ bool_t ltvAllocated = FALSE;
+ ENCSTRCT sEncryption;
++ size_t len;
+
+ #ifdef USE_WDS
+ hcf_16 hcfPort = HCF_PORT_0;
+@@ -686,7 +687,8 @@ int wvlan_uil_put_info( struct uilreq *u
+ break;
+ case CFG_CNF_OWN_NAME:
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+- memcpy( (void *)lp->StationName, (void *)&pLtv->u.u8[2], (size_t)pLtv->u.u16[0]);
++ len = min_t(size_t, pLtv->u.u16[0], sizeof(lp->StationName));
++ strlcpy(lp->StationName, &pLtv->u.u8[2], len);
+ pLtv->u.u16[0] = CNV_INT_TO_LITTLE( pLtv->u.u16[0] );
+ break;
+ case CFG_CNF_LOAD_BALANCING:
+@@ -1800,6 +1802,7 @@ int wvlan_set_station_nickname(struct ne
+ {
+ struct wl_private *lp = wl_priv(dev);
+ unsigned long flags;
++ size_t len;
+ int ret = 0;
+ /*------------------------------------------------------------------------*/
+
+@@ -1810,8 +1813,8 @@ int wvlan_set_station_nickname(struct ne
+ wl_lock(lp, &flags);
+
+ memset( lp->StationName, 0, sizeof( lp->StationName ));
+-
+- memcpy( lp->StationName, extra, wrqu->data.length);
++ len = min_t(size_t, wrqu->data.length, sizeof(lp->StationName));
++ strlcpy(lp->StationName, extra, len);
+
+ /* Commit the adapter parameters */
+ wl_apply( lp );
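Review bot: In drivers/staging/wlags49_h2/wl_priv.c the new `strlcpy(lp->StationName, extra, len)` bounds the write but not the read: strlcpy() measures its source with strlen(), so if the caller-supplied data is not NUL-terminated within `wrqu->data.length` bytes (nothing visible here guarantees it) the call reads past the end of the source. It also copies only `len - 1` bytes, which drops the last character when the length does not count a terminator. Since the preceding memset() already zeroes the destination, a bounded copy keeps both properties: `memcpy(lp->StationName, extra, min_t(size_t, wrqu->data.length, sizeof(lp->StationName) - 1));`. The same applies to the `CFG_CNF_OWN_NAME` case in wvlan_uil_put_info(), which copies from `&pLtv->u.u8[2]`; both functions start and end outside the hunks.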