From b1797ed3d8f1a4e02f1d04999b14b543b82a8c2e Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Wed, 30 Apr 2014 17:47:00 -0700
Subject: [PATCH] 3.4-stable patches

added patches:
 usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
 x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
---
 queue-3.4/series | 2 +
 ...g-hotplug-of-pci-usb-controller-card.patch | 46 +++++++++++++++++
 ...an-16-bit-segments-on-64-bit-kernels.patch | 50 +++++++++++++++++++
 3 files changed, 98 insertions(+)
 create mode 100644 queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
 create mode 100644 queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch

diff --git a/queue-3.4/series b/queue-3.4/series
index e0668df39cb..d6aa2e15a2f 100644
--- a/queue-3.4/series
+++ b/queue-3.4/series
@@ -12,3 +12,5 @@ mfd-max8997-fix-possible-null-pointer-dereference-on-i2c_new_dummy-error.patch
 w1-fix-w1_send_slave-dropping-a-slave-id.patch
 staging-serqt_usb2-fix-sparse-warning-restricted-__le16-degrades-to-integer.patch
 staging-r8712u-fix-case-where-ethtype-was-never-obtained-and-always-be-checked-against-0.patch
+x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
+usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
diff --git a/queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch b/queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
new file mode 100644
index 00000000000..722b7b5bef7
--- /dev/null
+++ b/queue-3.4/usb-fix-crash-during-hotplug-of-pci-usb-controller-card.patch
@@ -0,0 +1,46 @@
+From a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 Mon Sep 17 00:00:00 2001
+From: Alan Stern
+Date: Mon, 14 Apr 2014 13:48:47 -0400
+Subject: USB: fix crash during hotplug of PCI USB controller card
+
+From: Alan Stern
+
+commit a2ff864b53eac9a0e9b05bfe9d1781ccd6c2af71 upstream.
+
+The code in hcd-pci.c that matches up EHCI controllers with their
+companion UHCI or OHCI controllers assumes that the private drvdata
+fields don't get set too early. However, it turns out that this field
+gets set by usb_create_hcd(), before hcd-pci expects it, and this can
+result in a crash when two controllers are probed in parallel (as can
+happen when a new controller card is hotplugged).
+
+The companions_rwsem lock was supposed to prevent this sort of thing,
+but usb_create_hcd() is called outside the scope of the rwsem.
+
+A simple solution is to check that the root-hub pointer has been
+initialized as well as the drvdata field. This doesn't happen until
+usb_add_hcd() is called; that call and the check are both protected by
+the rwsem.
+
+This patch should be applied to stable kernels from 3.10 onward.
+
+Signed-off-by: Alan Stern
+Reported-by: Stefani Seibold
+Tested-by: Stefani Seibold
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/usb/core/hcd-pci.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/usb/core/hcd-pci.c
++++ b/drivers/usb/core/hcd-pci.c
+@@ -71,7 +71,7 @@ static void companion_common(struct pci_
+ continue;
+
+ companion_hcd = pci_get_drvdata(companion);
+- if (!companion_hcd)
++ if (!companion_hcd || !companion_hcd->self.root_hub)
+ continue;
+
+ /* For SET_HS_COMPANION, store a pointer to the EHCI bus in
diff --git a/queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch b/queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
new file mode 100644
index 00000000000..33d6bfc3181
--- /dev/null
+++ b/queue-3.4/x86-64-modify_ldt-ban-16-bit-segments-on-64-bit-kernels.patch
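Review bot: The queued patch's own description says it should be applied to stable kernels from 3.10 onward, yet this file is added under queue-3.4, and nothing in the hunk shows that the locking the fix relies on exists in that tree. The added `!companion_hcd->self.root_hub` test is only race-free if, as the description states, both the test and usb_add_hcd() run under companions_rwsem; the context here is companion_common(), whose body starts and ends outside the hunk, so this needs to be confirmed against the 3.4 source. If the backport is intentional, record that in the patch header with a bracketed note such as `[ 3.4 backport: check applied in companion_common(); locking around usb_add_hcd() verified ]`.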
@@ -0,0 +1,50 @@
+From b3b42ac2cbae1f3cecbb6229964a4d48af31d382 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin"
+Date: Sun, 16 Mar 2014 15:31:54 -0700
+Subject: x86-64, modify_ldt: Ban 16-bit segments on 64-bit kernels
+
+From: "H. Peter Anvin"
+
+commit b3b42ac2cbae1f3cecbb6229964a4d48af31d382 upstream.
+
+The IRET instruction, when returning to a 16-bit segment, only
+restores the bottom 16 bits of the user space stack pointer. We have
+a software workaround for that ("espfix") for the 32-bit kernel, but
+it relies on a nonzero stack segment base which is not available in
+32-bit mode.
+
+Since 16-bit support is somewhat crippled anyway on a 64-bit kernel
+(no V86 mode), and most (if not quite all) 64-bit processors support
+virtualization for the users who really need it, simply reject
+attempts at creating a 16-bit segment when running on top of a 64-bit
+kernel.
+
+Cc: Linus Torvalds
+Signed-off-by: H. Peter Anvin
+Link: http://lkml.kernel.org/n/tip-kicdm89kzw9lldryb1br9od0@git.kernel.org
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/ldt.c | 11 +++++++++++
+ 1 file changed, 11 insertions(+)
+
+--- a/arch/x86/kernel/ldt.c
++++ b/arch/x86/kernel/ldt.c
+@@ -229,6 +229,17 @@ static int write_ldt(void __user *ptr, u
+ }
+ }
+
++ /*
++ * On x86-64 we do not support 16-bit segments due to
++ * IRET leaking the high bits of the kernel stack address.
++ */
++#ifdef CONFIG_X86_64
++ if (!ldt_info.seg_32bit) {
++ error = -EINVAL;
++ goto out_unlock;
++ }
++#endif
++
+ fill_ldt(&ldt, &ldt_info);
+ if (oldmode)
+ ldt.avl = 0;
-- 2.47.3
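Review bot: The comment above the new `#ifdef CONFIG_X86_64` check gives the reason for the ban but not the reason for its position, and the position looks load-bearing. The check sits after two closing braces and before `fill_ldt()`, and its `goto out_unlock` shows the lock is already held; presumably the block ending just above handles requests that must still be accepted with `seg_32bit == 0` (that code, like the rest of write_ldt(), is outside the hunk, so confirm). I would add one line to the comment, e.g. `* Keep this below the checks above: requests they accept may carry seg_32bit == 0.`, so a later cleanup does not hoist the test into the early argument validation. The comment could also state that on a 64-bit kernel callers now get `-EINVAL` for every descriptor that reaches this point with `seg_32bit` clear.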