From: Greg Kroah-Hartman Date: Wed, 9 Jan 2013 18:20:39 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.0.58~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=e7f4e87339c4d54cdcf1285dbc53958c7987a363;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: arm-missing-mmap_sem-around-find_vma-in-swp_emulate.c.patch arm-mm-use-pteval_t-to-represent-page-protection-values.patch bluetooth-ath3k-add-support-for-vaio-vpceh.patch bluetooth-cancel-power_on-work-when-unregistering-the-device.patch pci-reduce-ricoh-0xe822-sd-card-reader-base-clock-frequency-to-50mhz.patch solos-pci-fix-double-free-of-tx-skb-in-dma-mode.patch
---
diff --git a/queue-3.0/arm-missing-mmap_sem-around-find_vma-in-swp_emulate.c.patch b/queue-3.0/arm-missing-mmap_sem-around-find_vma-in-swp_emulate.c.patch
new file mode 100644
index 00000000000..a6ae0b820cb
--- /dev/null
+++ b/queue-3.0/arm-missing-mmap_sem-around-find_vma-in-swp_emulate.c.patch
@@ -0,0 +1,38 @@
+From 7bf9b7bef881aac820bf1f2e9951a17b09bd7e04 Mon Sep 17 00:00:00 2001
+From: Al Viro
+Date: Sun, 16 Dec 2012 00:25:57 +0000
+Subject: ARM: missing ->mmap_sem around find_vma() in swp_emulate.c
+
+From: Al Viro
+
+commit 7bf9b7bef881aac820bf1f2e9951a17b09bd7e04 upstream.
+
+find_vma() is *not* safe when somebody else is removing vmas. Not just
+the return value might get bogus just as you are getting it (this instance
+doesn't try to dereference the resulting vma), the search itself can get
+buggered in rather spectacular ways. IOW, ->mmap_sem really, really is
+not optional here.
+
+Signed-off-by: Al Viro
+Signed-off-by: Russell King
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/kernel/swp_emulate.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/arm/kernel/swp_emulate.c
++++ b/arch/arm/kernel/swp_emulate.c
+@@ -108,10 +108,12 @@ static void set_segfault(struct pt_regs
+ {
+ siginfo_t info;
+
++ down_read(¤t->mm->mmap_sem);
+ if (find_vma(current->mm, addr) == NULL)
+ info.si_code = SEGV_MAPERR;
+ else
+ info.si_code = SEGV_ACCERR;
++ up_read(¤t->mm->mmap_sem);
+
+ info.si_signo = SIGSEGV;
+ info.si_errno = 0;
diff --git a/queue-3.0/arm-mm-use-pteval_t-to-represent-page-protection-values.patch b/queue-3.0/arm-mm-use-pteval_t-to-represent-page-protection-values.patch
new file mode 100644
index 00000000000..9eb27143b0d
--- /dev/null
+++ b/queue-3.0/arm-mm-use-pteval_t-to-represent-page-protection-values.patch
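Review bot: The `find_vma(current->mm, addr) == NULL` test in set_segfault() cannot tell a mapped address from one that lies in a gap below the next mapping, because find_vma() returns the first VMA that ends above `addr` without checking that it starts at or below it, so such an address is reported as SEGV_ACCERR. With `mmap_sem` now held for reading across the lookup it is safe to inspect the result, so the classification could be made exact with `vma = find_vma(current->mm, addr);` followed by `info.si_code = (vma && vma->vm_start <= addr) ? SEGV_ACCERR : SEGV_MAPERR;`. The rest of the function lies outside the hunk, so whether `siginfo_t info` is fully initialised before it is delivered to user space cannot be confirmed from here and is worth checking.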
@@ -0,0 +1,38 @@
+From 864aa04cd02979c2c755cb28b5f4fe56039171c0 Mon Sep 17 00:00:00 2001
+From: Will Deacon
+Date: Tue, 18 Sep 2012 19:18:35 +0100
+Subject: ARM: mm: use pteval_t to represent page protection values
+
+From: Will Deacon
+
+commit 864aa04cd02979c2c755cb28b5f4fe56039171c0 upstream.
+
+When updating the page protection map after calculating the user_pgprot
+value, the base protection map is temporarily stored in an unsigned long
+type, causing truncation of the protection bits when LPAE is enabled.
+This effectively means that calls to mprotect() will corrupt the upper
+page attributes, clearing the XN bit unconditionally.
+
+This patch uses pteval_t to store the intermediate protection values,
+preserving the upper bits for 64-bit descriptors.
+
+Acked-by: Nicolas Pitre
+Acked-by: Catalin Marinas
+Signed-off-by: Will Deacon
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/arm/mm/mmu.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/arm/mm/mmu.c
++++ b/arch/arm/mm/mmu.c
+@@ -467,7 +467,7 @@ static void __init build_mem_type_table(
+ }
+
+ for (i = 0; i < 16; i++) {
+- unsigned long v = pgprot_val(protection_map[i]);
++ pteval_t v = pgprot_val(protection_map[i]);
+ protection_map[i] = __pgprot(v | user_pgprot);
+ }
+
diff --git a/queue-3.0/bluetooth-ath3k-add-support-for-vaio-vpceh.patch b/queue-3.0/bluetooth-ath3k-add-support-for-vaio-vpceh.patch
new file mode 100644
index 00000000000..f231a868256
--- /dev/null
+++ b/queue-3.0/bluetooth-ath3k-add-support-for-vaio-vpceh.patch
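Review bot: Widening `v` to `pteval_t` protects only one operand of `v | user_pgprot`; `user_pgprot` is declared outside this hunk, and if it is still an `unsigned long` any upper attribute bits it should carry (XN among them) are lost before the OR on LPAE builds, so its declaration should be confirmed as `pteval_t` as well. The loop bound `16` is a bare literal, and `ARRAY_SIZE(protection_map)` would keep the loop in step with the table if the sized declaration is visible in this file. build_mem_type_table() starts and ends outside the hunk.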
@@ -0,0 +1,72 @@
+From acd9454433e28c1a365d8b069813c35c1c3a8ac3 Mon Sep 17 00:00:00 2001
+From: Marcos Chaparro
+Date: Tue, 6 Nov 2012 16:19:11 -0300
+Subject: Bluetooth: ath3k: Add support for VAIO VPCEH [0489:e027]
+
+From: Marcos Chaparro
+
+commit acd9454433e28c1a365d8b069813c35c1c3a8ac3 upstream.
+
+Added Atheros AR3011 internal bluetooth device found in Sony VAIO VPCEH to the
+devices list.
+Before this, the bluetooth module was identified as an Foxconn / Hai bluetooth
+device [0489:e027], now it claims to be an AtherosAR3011 Bluetooth
+[0cf3:3005].
+
+T: Bus=01 Lev=02 Prnt=02 Port=04 Cnt=02 Dev#= 4 Spd=12 MxCh= 0
+D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
+P: Vendor=0489 ProdID=e027 Rev= 0.01
+C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA
+I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
+E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
+I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
+I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
+I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
+I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
+I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
+I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
+E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
+
+Signed-off-by: Marcos Chaparro
+Signed-off-by: Gustavo Padovan
+Cc: Ben Hutchings
+Signed-off-by: Greg
Kroah-Hartman
+
+---
+ drivers/bluetooth/ath3k.c | 1 +
+ drivers/bluetooth/btusb.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/bluetooth/ath3k.c
++++ b/drivers/bluetooth/ath3k.c
+@@ -65,6 +65,7 @@ static struct usb_device_id ath3k_table[
+ { USB_DEVICE(0x13d3, 0x3304) },
+ { USB_DEVICE(0x0930, 0x0215) },
+ { USB_DEVICE(0x0489, 0xE03D) },
++ { USB_DEVICE(0x0489, 0xE027) },
+
+ /* Atheros AR9285 Malbec with sflash firmware */
+ { USB_DEVICE(0x03F0, 0x311D) },
+--- a/drivers/bluetooth/btusb.c
++++ b/drivers/bluetooth/btusb.c
+@@ -130,6 +130,7 @@ static struct usb_device_id blacklist_ta
+ { USB_DEVICE(0x13d3, 0x3304), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0930, 0x0215), .driver_info = BTUSB_IGNORE },
+ { USB_DEVICE(0x0489, 0xe03d), .driver_info = BTUSB_IGNORE },
++ { USB_DEVICE(0x0489, 0xe027), .driver_info = BTUSB_IGNORE },
+
+ /* Atheros AR9285 Malbec with sflash firmware */
+ { USB_DEVICE(0x03f0, 0x311d), .driver_info = BTUSB_IGNORE },
diff --git a/queue-3.0/bluetooth-cancel-power_on-work-when-unregistering-the-device.patch b/queue-3.0/bluetooth-cancel-power_on-work-when-unregistering-the-device.patch
new file mode 100644
index 00000000000..dcc454ad247
--- /dev/null
+++ b/queue-3.0/bluetooth-cancel-power_on-work-when-unregistering-the-device.patch
@@ -0,0 +1,64 @@
+From b9b5ef188e5a2222cfc16ef62a4703080750b451 Mon Sep 17 00:00:00 2001
+From: Gustavo Padovan
+Date: Wed, 21 Nov 2012 00:50:21 -0200
+Subject: Bluetooth: cancel power_on work when unregistering the device
+
+From: Gustavo Padovan
+
+commit b9b5ef188e5a2222cfc16ef62a4703080750b451 upstream.
+
+We need to cancel the hci_power_on work in order to avoid it run when we
+try to free the hdev.
+
+[ 1434.201149] ------------[ cut here ]------------
+[ 1434.204998] WARNING: at lib/debugobjects.c:261 debug_print_object+0x8e/0xb0()
+[ 1434.208324] ODEBUG: free active (active state 0) object type: work_struct hint: hci
+_power_on+0x0/0x90
+[ 1434.210386] Pid: 8564, comm: trinity-child25 Tainted: G W 3.7.0-rc5-next-
+20121112-sasha-00018-g2f4ce0e #127
+[ 1434.210760] Call Trace:
+[ 1434.210760] [] ? debug_print_object+0x8e/0xb0
+[ 1434.210760] [] warn_slowpath_common+0x87/0xb0
+[ 1434.210760] [] warn_slowpath_fmt+0x41/0x50
+[ 1434.210760] [] debug_print_object+0x8e/0xb0
+[ 1434.210760] [] ? hci_dev_open+0x310/0x310
+[ 1434.210760] [] ? _raw_spin_unlock_irqrestore+0x55/0xa0
+[ 1434.210760] [] __debug_check_no_obj_freed+0xa5/0x230
+[ 1434.210760] [] ? bt_host_release+0x10/0x20
+[ 1434.210760] [] debug_check_no_obj_freed+0x15/0x20
+[ 1434.210760] [] kfree+0x227/0x330
+[ 1434.210760] [] bt_host_release+0x10/0x20
+[ 1434.210760] [] device_release+0x65/0xc0
+[ 1434.210760] [] kobject_cleanup+0x145/0x190
+[ 1434.210760] [] kobject_release+0xd/0x10
+[ 1434.210760] [] kobject_put+0x4c/0x60
+[ 1434.210760] [] put_device+0x12/0x20
+[ 1434.210760] [] hci_free_dev+0x24/0x30
+[ 1434.210760] [] vhci_release+0x31/0x60
+[ 1434.210760] [] __fput+0x122/0x250
+[ 1434.210760] [] ?
rcu_user_exit+0x9d/0xd0
+[ 1434.210760] [] ____fput+0x9/0x10
+[ 1434.210760] [] task_work_run+0xb2/0xf0
+[ 1434.210760] [] do_notify_resume+0x77/0xa0
+[ 1434.210760] [] int_signal+0x12/0x17
+[ 1434.210760] ---[ end trace a6d57fefbc8a8cc7 ]---
+
+Reported-by: Sasha Levin
+Signed-off-by: Gustavo Padovan
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/bluetooth/hci_core.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/net/bluetooth/hci_core.c
++++ b/net/bluetooth/hci_core.c
+@@ -1333,6 +1333,8 @@ int hci_unregister_dev(struct hci_dev *h
+ for (i = 0; i < NUM_REASSEMBLY; i++)
+ kfree_skb(hdev->reassembly[i]);
+
++ cancel_work_sync(&hdev->power_on);
++
+ if (!test_bit(HCI_INIT, &hdev->flags) &&
+ !test_bit(HCI_SETUP, &hdev->flags))
+ mgmt_index_removed(hdev->id);
diff --git a/queue-3.0/pci-reduce-ricoh-0xe822-sd-card-reader-base-clock-frequency-to-50mhz.patch b/queue-3.0/pci-reduce-ricoh-0xe822-sd-card-reader-base-clock-frequency-to-50mhz.patch
new file mode 100644
index 00000000000..fce4c882153
--- /dev/null
+++ b/queue-3.0/pci-reduce-ricoh-0xe822-sd-card-reader-base-clock-frequency-to-50mhz.patch
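Review bot: `cancel_work_sync(&hdev->power_on)` sits after the loop that calls `kfree_skb(hdev->reassembly[i])`, so a `power_on` work item still running at that point may execute against a device whose reassembly buffers have already been released; moving the cancel ahead of that teardown in hci_unregister_dev() would close the window, provided nothing earlier in the function (outside the hunk) relies on the work finishing first. The call only drains what is queued at that moment, so it is worth confirming that no path can queue `power_on` again after this line and that any other work items or timers embedded in `hdev` are stopped before the free shown in the trace. A short comment such as `/* power_on work must not be pending when hdev is freed */` would record why the call is there.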
@@ -0,0 +1,70 @@
+From 812089e01b9f65f90fc8fc670d8cce72a0e01fbb Mon Sep 17 00:00:00 2001
+From: Andy Lutomirski
+Date: Sat, 1 Dec 2012 12:37:20 -0800
+Subject: PCI: Reduce Ricoh 0xe822 SD card reader base clock frequency to 50MHz
+
+From: Andy Lutomirski
+
+commit 812089e01b9f65f90fc8fc670d8cce72a0e01fbb upstream.
+
+Otherwise it fails like this on cards like the Transcend 16GB SDHC card:
+
+ mmc0: new SDHC card at address b368
+ mmcblk0: mmc0:b368 SDC 15.0 GiB
+ mmcblk0: error -110 sending status command, retrying
+ mmcblk0: error -84 transferring data, sector 0, nr 8, cmd response 0x900, card status 0xb0
+
+Tested on my Lenovo x200 laptop.
+
+[bhelgaas: changelog]
+Signed-off-by: Andy Lutomirski
+Signed-off-by: Bjorn Helgaas
+Acked-by: Chris Ball
+CC: Manoj Iyer
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/pci/quirks.c | 7 +++++--
+ include/linux/pci_ids.h | 1 +
+ 2 files changed, 6 insertions(+), 2 deletions(-)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -2746,7 +2746,7 @@ static void ricoh_mmc_fixup_r5c832(struc
+ if (PCI_FUNC(dev->devfn))
+ return;
+ /*
+- * RICOH 0xe823 SD/MMC card reader fails to recognize
++ * RICOH 0xe822 and 0xe823 SD/MMC card readers fail to recognize
+ * certain types of SD/MMC cards. Lowering the SD base
+ * clock frequency from 200Mhz to 50Mhz fixes this issue.
+ *
+@@ -2757,7 +2757,8 @@ static void ricoh_mmc_fixup_r5c832(struc
+ * 0xf9 - Key register for 0x150
+ * 0xfc - key register for 0xe1
+ */
+- if (dev->device == PCI_DEVICE_ID_RICOH_R5CE823) {
++ if (dev->device == PCI_DEVICE_ID_RICOH_R5CE822 ||
++ dev->device == PCI_DEVICE_ID_RICOH_R5CE823) {
+ pci_write_config_byte(dev, 0xf9, 0xfc);
+ pci_write_config_byte(dev, 0x150, 0x10);
+ pci_write_config_byte(dev, 0xf9, 0x00);
+@@ -2784,6 +2785,8 @@ static void ricoh_mmc_fixup_r5c832(struc
+ }
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5C832, ricoh_mmc_fixup_r5c832);
+ DECLARE_PCI_FIXUP_RESUME_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5C832, ricoh_mmc_fixup_r5c832);
++DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5CE822, ricoh_mmc_fixup_r5c832);
++DECLARE_PCI_FIXUP_RESUME_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5CE822, ricoh_mmc_fixup_r5c832);
+ DECLARE_PCI_FIXUP_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5CE823, ricoh_mmc_fixup_r5c832);
+ DECLARE_PCI_FIXUP_RESUME_EARLY(PCI_VENDOR_ID_RICOH, PCI_DEVICE_ID_RICOH_R5CE823, ricoh_mmc_fixup_r5c832);
+ #endif /*CONFIG_MMC_RICOH_MMC*/
+--- a/include/linux/pci_ids.h
++++ b/include/linux/pci_ids.h
+@@ -1537,6 +1537,7 @@
+ #define PCI_DEVICE_ID_RICOH_RL5C476 0x0476
+ #define PCI_DEVICE_ID_RICOH_RL5C478 0x0478
+ #define PCI_DEVICE_ID_RICOH_R5C822 0x0822
++#define PCI_DEVICE_ID_RICOH_R5CE822 0xe822
+ #define PCI_DEVICE_ID_RICOH_R5CE823 0xe823
+ #define PCI_DEVICE_ID_RICOH_R5C832 0x0832
+ #define PCI_DEVICE_ID_RICOH_R5C843 0x0843
diff --git a/queue-3.0/series b/queue-3.0/series
index bea7e191a14..589d8f1dec9 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
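Review bot: Registering `ricoh_mmc_fixup_r5c832` for `PCI_DEVICE_ID_RICOH_R5CE822` makes the whole function run on that device, not only the clock block guarded by the widened `dev->device ==` test. The code that follows that block is outside these hunks, so whatever else it writes to config space for the R5C832 and 0xe823 parts will now also be applied to 0xe822 at early fixup and on resume, and that should be confirmed as intended for this reader. Since the function name still names only the R5C832, a comment above it along the lines of `/* also registered for R5CE822 and R5CE823, see the fixup declarations below */` would make that scope visible.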
@@ -34,3 +34,9 @@ tcp-implement-rfc-5961-4.2.patch
 tcp-refine-syn-handling-in-tcp_validate_incoming.patch
 tcp-tcp_replace_ts_recent-should-not-be-called-from-tcp_validate_incoming.patch
 tcp-rfc-5961-5.2-blind-data-injection-attack-mitigation.patch
+arm-mm-use-pteval_t-to-represent-page-protection-values.patch
+arm-missing-mmap_sem-around-find_vma-in-swp_emulate.c.patch
+solos-pci-fix-double-free-of-tx-skb-in-dma-mode.patch
+pci-reduce-ricoh-0xe822-sd-card-reader-base-clock-frequency-to-50mhz.patch
+bluetooth-ath3k-add-support-for-vaio-vpceh.patch
+bluetooth-cancel-power_on-work-when-unregistering-the-device.patch
diff --git a/queue-3.0/solos-pci-fix-double-free-of-tx-skb-in-dma-mode.patch b/queue-3.0/solos-pci-fix-double-free-of-tx-skb-in-dma-mode.patch
new file mode 100644
index 00000000000..64207eb5210
--- /dev/null
+++ b/queue-3.0/solos-pci-fix-double-free-of-tx-skb-in-dma-mode.patch
@@ -0,0 +1,38 @@
+From cae49ede00ec3d0cda290b03fee55b72b49efc11 Mon Sep 17 00:00:00 2001
+From: David Woodhouse
+Date: Tue, 11 Dec 2012 14:57:14 +0000
+Subject: solos-pci: fix double-free of TX skb in DMA mode
+
+From: David Woodhouse
+
+commit cae49ede00ec3d0cda290b03fee55b72b49efc11 upstream.
+
+We weren't clearing card->tx_skb[port] when processing the TX done interrupt.
+If there wasn't another skb ready to transmit immediately, this led to a
+double-free because we'd free it *again* next time we did have a packet to
+send.
+
+Signed-off-by: David Woodhouse
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/atm/solos-pci.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+--- a/drivers/atm/solos-pci.c
++++ b/drivers/atm/solos-pci.c
+@@ -967,10 +967,11 @@ static uint32_t fpga_tx(struct solos_car
+ for (port = 0; tx_pending; tx_pending >>= 1, port++) {
+ if (tx_pending & 1) {
+ struct sk_buff *oldskb = card->tx_skb[port];
+- if (oldskb)
++ if (oldskb) {
+ pci_unmap_single(card->dev, SKB_CB(oldskb)->dma_addr,
+ oldskb->len, PCI_DMA_TODEVICE);
+-
++ card->tx_skb[port] = NULL;
++ }
+ spin_lock(&card->tx_queue_lock);
+ skb = skb_dequeue(&card->tx_queue[port]);
+ if (!skb)
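Review bot: The new `card->tx_skb[port] = NULL;` makes the slot empty as soon as the completed buffer is unmapped, but nothing in fpga_tx() records that invariant; a one-line comment above it, e.g. `/* slot released here so the completed skb is freed exactly once */`, would keep a later edit from reintroducing the double free. The store happens before `spin_lock(&card->tx_queue_lock)` is taken, so `tx_skb[]` has to be protected by some other lock or by the calling context, which is not visible in this hunk and is worth confirming. The free of `oldskb` and the code that refills the slot both lie outside the hunk.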