commit 0adf2e75799293df1200b5c77395bc2effa9e199 Author: Greg Kroah-Hartman Date: Wed Jul 3 10:56:36 2013 -0700 Linux 3.9.9 commit 491c1b809b64748ff579ae7efe4d1cd909463504 Author: Phil Oester Date: Wed Jun 19 06:49:51 2013 -0400 netfilter: nf_conntrack_ipv6: Plug sk_buff leak in fragment handling commit 142dcdd3c25fc7a3866bb06980e8f93a2ed7e050 upstream. In commit 4cdd3408 ("netfilter: nf_conntrack_ipv6: improve fragmentation handling"), an sk_buff leak was introduced when dealing with reassembled packets by grabbing a reference to the original skb instead of the reassembled skb. At this point, the leak only impacted conntracks with an associated helper. In commit 58a317f1 ("netfilter: ipv6: add IPv6 NAT support"), the bug was expanded to include all reassembled packets with unconfirmed conntracks. Fix this by grabbing a reference to the proper reassembled skb. This closes netfilter bugzilla #823. Signed-off-by: Phil Oester Signed-off-by: Pablo Neira Ayuso Signed-off-by: Greg Kroah-Hartman commit b1e1d6fc62a376b96170eee079d5560d1718bd55 Author: Johannes Berg Date: Tue May 28 10:54:03 2013 +0200 mac80211: work around broken APs not including HT info commit 35d865afbbdf79e492f7d61df92b1a9e1d93d26f upstream. There are some APs, notably 2G/3G/4G Wifi routers, specifically the "Onda PN51T", "Vodafone PocketWiFi 2", "ZTE MF60" and a similar T-Mobile branded device [1] that erroneously don't include all the needed information in (re)association response frames. Work around this by assuming the information is the same as it was in the beacon or probe response and using the data from there instead. This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58881. [1] https://bbs.archlinux.org/viewtopic.php?pid=1277305 Note that this requires marking the first ieee802_11_parse_elems() argument const, otherwise we'd get a compiler warning. Reported-and-tested-by: Michal Zajac Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit bc0afb482febab74c665efce54507c9d70d8c6f2 Author: Marc Kleine-Budde Date: Tue Jun 18 14:33:58 2013 +0200 can: usb_8dev: unregister netdev before free()ing commit 4afe2156eb639e563d6ef0c2706b66ea400348b2 upstream. The usb_8dev hardware has problems on some xhci USB hosts. The driver fails to read the firmware revision in the probe function. This leads to the following Oops: [ 3356.635912] kernel BUG at net/core/dev.c:5701! The driver tries to free the netdev, which has already been registered, without unregistering it. This patch fixes the problem by unregistering the netdev in the error path. Reported-by: Michael Olbrich Reviewed-by: Bernd Krumboeck Signed-off-by: Marc Kleine-Budde Cc: Oliver Hartkopp Signed-off-by: Greg Kroah-Hartman commit 3dec0d57dee4be55b50cc8fa8cfbf78c77a50712 Author: Tang Yuantian Date: Wed Apr 10 11:36:39 2013 +0800 of/base: release the node correctly in of_parse_phandle_with_args() commit b855f16b05a697ac1863adabe99bfba56e6d3199 upstream. Call of_node_put() only when the out_args is NULL on success, or the node's reference count will not be correct because the caller will call of_node_put() again. Signed-off-by: Tang Yuantian [grant.likely: tightened up the patch] Signed-off-by: Grant Likely Cc: Guenter Roeck Signed-off-by: Greg Kroah-Hartman commit 22cd748cf97f4ea97a776bc246b7932f6c9f050e Author: Aaron Lu Date: Thu Jun 20 09:38:34 2013 +0800 libata-acpi: add back ACPI based hotplug functionality commit 44521527be36172864e6e7a6fba4b66e9aa48e40 upstream. Commit 30dcf76acc69 "libata: migrate ACPI code over to new bindings" mistakenly dropped the code to register hotplug notificaion handler for ATA port/devices, causing regression for people using ATA bay, as kernel bug #59871 shows. Fix this by adding back the hotplug notification handler registration code. Since this code has to be run once and notification needs to be installed on every ATA port/devices handle no matter if there is actual device attached, we can't do this in binding time for ATA device ACPI handle, as the binding only occurs when a SCSI device is created, i.e. there is device attached. So introduce the ata_acpi_hotplug_init() function to loop scan all ATA ACPI handles and if it is available, install the notificaion handler for it during ATA init time. With the ATA ACPI handle binding to SCSI device tree, it is possible now that when the SCSI hotplug work removes the SCSI device, the ACPI unbind function will find that the corresponding ACPI device has already been deleted by dock driver, causing a scaring message like: [ 128.263966] scsi 4:0:0:0: Oops, 'acpi_handle' corrupt Fix this by waiting for SCSI hotplug task finish in our notificaion handler, so that the removal of ACPI device done in ACPI unbind function triggered by the removal of SCSI device is run earlier when ACPI device is still available. [The only change I've made is to remove the two NULL params in register_hotplug_dock_device, which doesn't accept those params in pre-v3.10 kernels. - aaron.lu] [rjw: Rebased] References: https://bugzilla.kernel.org/show_bug.cgi?id=59871 Reported-bisected-and-tested-by: Dirk Griesbach Signed-off-by: Aaron Lu Acked-by: Tejun Heo Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit 155b2fa48c26661f7dcc3ededeff4a70608672db Author: Artem Bityutskiy Date: Fri Jun 28 14:15:15 2013 +0300 UBIFS: fix a horrid bug commit 605c912bb843c024b1ed173dc427cd5c08e5d54d upstream. Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. This means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it, and this is a very bad bug: not only 'ubifs_readdir()' can return garbage, but this may corrupt memory and lead to all kinds of problems like crashes an security holes. This patch fixes the problem by using the 'file->f_version' field, which '->llseek()' always unconditionally sets to zero. We set it to 1 in 'ubifs_readdir()' and whenever we detect that it became 0, we know there was a seek and it is time to clear the state saved in 'file->private_data'. I tested this patch by writing a user-space program which runds readdir and seek in parallell. I could easily crash the kernel without these patches, but could not crash it with these patches. Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit cc35ca4227f399bd358c01ef299a7e14e9907d7b Author: Artem Bityutskiy Date: Fri Jun 28 14:15:14 2013 +0300 UBIFS: prepare to fix a horrid bug commit 33f1a63ae84dfd9ad298cf275b8f1887043ced36 upstream. Al Viro pointed me to the fact that '->readdir()' and '->llseek()' have no mutual exclusion, which means the 'ubifs_dir_llseek()' can be run while we are in the middle of 'ubifs_readdir()'. First of all, this means that 'file->private_data' can be freed while 'ubifs_readdir()' uses it. But this particular patch does not fix the problem. This patch is only a preparation, and the fix will follow next. In this patch we make 'ubifs_readdir()' stop using 'file->f_pos' directly, because 'file->f_pos' can be changed by '->llseek()' at any point. This may lead 'ubifs_readdir()' to returning inconsistent data: directory entry names may correspond to incorrect file positions. So here we introduce a local variable 'pos', read 'file->f_pose' once at very the beginning, and then stick to 'pos'. The result of this is that when 'ubifs_dir_llseek()' changes 'file->f_pos' while we are in the middle of 'ubifs_readdir()', the latter "wins". Reported-by: Al Viro Tested-by: Artem Bityutskiy Signed-off-by: Artem Bityutskiy Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit ba94200678873543591a50a5de36811ca99131aa Author: Gavin Shan Date: Wed Jun 5 15:34:02 2013 +0800 powerpc/eeh: Fix fetching bus for single-dev-PE commit ea461abf61753b4b79e625a7c20650105b990f21 upstream. While running Linux as guest on top of phyp, we possiblly have PE that includes single PCI device. However, we didn't return its PCI bus correctly and it leads to failure on recovery from EEH errors for single-dev-PE. The patch fixes the issue. Signed-off-by: Gavin Shan Cc: Steve Best Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 56bd6ad3d86567697c4e3937583b117dcdf096bb Author: Herbert Xu Date: Tue Jun 25 19:15:17 2013 +0800 crypto: algboss - Hold ref count on larval commit 939e17799619e31331d2433041196529515a86a6 upstream. On Thu, Jun 20, 2013 at 10:00:21AM +0200, Daniel Borkmann wrote: > After having fixed a NULL pointer dereference in SCTP 1abd165e ("net: > sctp: fix NULL pointer dereference in socket destruction"), I ran into > the following NULL pointer dereference in the crypto subsystem with > the same reproducer, easily hit each time: > > BUG: unable to handle kernel NULL pointer dereference at (null) > IP: [] __wake_up_common+0x31/0x90 > PGD 0 > Oops: 0000 [#1] SMP > Modules linked in: padlock_sha(F-) sha256_generic(F) sctp(F) libcrc32c(F) [..] > CPU: 6 PID: 3326 Comm: cryptomgr_probe Tainted: GF 3.10.0-rc5+ #1 > Hardware name: Dell Inc. PowerEdge T410/0H19HD, BIOS 1.6.3 02/01/2011 > task: ffff88007b6cf4e0 ti: ffff88007b7cc000 task.ti: ffff88007b7cc000 > RIP: 0010:[] [] __wake_up_common+0x31/0x90 > RSP: 0018:ffff88007b7cde08 EFLAGS: 00010082 > RAX: ffffffffffffffe8 RBX: ffff88003756c130 RCX: 0000000000000000 > RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffff88003756c130 > RBP: ffff88007b7cde48 R08: 0000000000000000 R09: ffff88012b173200 > R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000282 > R13: ffff88003756c138 R14: 0000000000000000 R15: 0000000000000000 > FS: 0000000000000000(0000) GS:ffff88012fc60000(0000) knlGS:0000000000000000 > CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b > CR2: 0000000000000000 CR3: 0000000001a0b000 CR4: 00000000000007e0 > DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 > DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 > Stack: > ffff88007b7cde28 0000000300000000 ffff88007b7cde28 ffff88003756c130 > 0000000000000282 ffff88003756c128 ffffffff81227670 0000000000000000 > ffff88007b7cde78 ffffffff810722b7 ffff88007cdcf000 ffffffff81a90540 > Call Trace: > [] ? crypto_alloc_pcomp+0x20/0x20 > [] complete_all+0x47/0x60 > [] cryptomgr_probe+0x98/0xc0 > [] ? crypto_alloc_pcomp+0x20/0x20 > [] kthread+0xce/0xe0 > [] ? kthread_freezable_should_stop+0x70/0x70 > [] ret_from_fork+0x7c/0xb0 > [] ? kthread_freezable_should_stop+0x70/0x70 > Code: 41 56 41 55 41 54 53 48 83 ec 18 66 66 66 66 90 89 75 cc 89 55 c8 > 4c 8d 6f 08 48 8b 57 08 41 89 cf 4d 89 c6 48 8d 42 e > RIP [] __wake_up_common+0x31/0x90 > RSP > CR2: 0000000000000000 > ---[ end trace b495b19270a4d37e ]--- > > My assumption is that the following is happening: the minimal SCTP > tool runs under ``echo 1 > /proc/sys/net/sctp/auth_enable'', hence > it's making use of crypto_alloc_hash() via sctp_auth_init_hmacs(). > It forks itself, heavily allocates, binds, listens and waits in > accept on sctp sockets, and then randomly kills some of them (no > need for an actual client in this case to hit this). Then, again, > allocating, binding, etc, and then killing child processes. > > The problem that might be happening here is that cryptomgr requests > the module to probe/load through cryptomgr_schedule_probe(), but > before the thread handler cryptomgr_probe() returns, we return from > the wait_for_completion_interruptible() function and probably already > have cleared up larval, thus we run into a NULL pointer dereference > when in cryptomgr_probe() complete_all() is being called. > > If we wait with wait_for_completion() instead, this panic will not > occur anymore. This is valid, because in case a signal is pending, > cryptomgr_probe() returns from probing anyway with properly calling > complete_all(). The use of wait_for_completion_interruptible is intentional so that we don't lock up the thread if a bug causes us to never wake up. This bug is caused by the helper thread using the larval without holding a reference count on it. If the helper thread completes after the original thread requesting for help has gone away and destroyed the larval, then we get the crash above. So the fix is to hold a reference count on the larval. Reported-by: Daniel Borkmann Tested-by: Daniel Borkmann Signed-off-by: Herbert Xu Signed-off-by: Greg Kroah-Hartman commit 641449de20cb40f1b4e6acb42008ad40c27e8741 Author: Stephane Eranian Date: Thu Jun 20 11:36:28 2013 +0200 perf: Disable monitoring on setuid processes for regular users commit 2976b10f05bd7f6dab9f9e7524451ddfed656a89 upstream. There was a a bug in setup_new_exec(), whereby the test to disabled perf monitoring was not correct because the new credentials for the process were not yet committed and therefore the get_dumpable() test was never firing. The patch fixes the problem by moving the perf_event test until after the credentials are committed. Signed-off-by: Stephane Eranian Tested-by: Jiri Olsa Acked-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit c45180b29474509662e45d051a2448fd2e60feba Author: Neil Horman Date: Tue Apr 16 16:38:32 2013 -0400 iommu/vt-d: add quirk for broken interrupt remapping on 55XX chipsets commit 03bbcb2e7e292838bb0244f5a7816d194c911d62 upstream. A few years back intel published a spec update: http://www.intel.com/content/dam/doc/specification-update/5520-and-5500-chipset-ioh-specification-update.pdf For the 5520 and 5500 chipsets which contained an errata (specificially errata 53), which noted that these chipsets can't properly do interrupt remapping, and as a result the recommend that interrupt remapping be disabled in bios. While many vendors have a bios update to do exactly that, not all do, and of course not all users update their bios to a level that corrects the problem. As a result, occasionally interrupts can arrive at a cpu even after affinity for that interrupt has be moved, leading to lost or spurrious interrupts (usually characterized by the message: kernel: do_IRQ: 7.71 No irq handler for vector (irq -1) There have been several incidents recently of people seeing this error, and investigation has shown that they have system for which their BIOS level is such that this feature was not properly turned off. As such, it would be good to give them a reminder that their systems are vulnurable to this problem. For details of those that reported the problem, please see: https://bugzilla.redhat.com/show_bug.cgi?id=887006 [ Joerg: Removed CONFIG_IRQ_REMAP ifdef from early-quirks.c ] Signed-off-by: Neil Horman CC: Prarit Bhargava CC: Don Zickus CC: Don Dutile CC: Bjorn Helgaas CC: Asit Mallick CC: David Woodhouse CC: linux-pci@vger.kernel.org CC: Joerg Roedel CC: Konrad Rzeszutek Wilk CC: Arkadiusz Miƛkiewicz Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit a31da56adfdbc020f1edbc308be17599a465ee6d Author: Stanislaw Gruszka Date: Tue Jun 11 18:48:53 2013 +0200 rt2800: fix RT5390 & RT3290 TX power settings regression commit 8c8d2017ba25c510ddf093419048460db1109bc4 upstream. My change: commit cee2c7315f60beeff6137ee59e99acc77d636eeb Author: Stanislaw Gruszka Date: Fri Oct 5 13:44:09 2012 +0200 rt2800: use BBP_R1 for setting tx power unfortunately does not work well with RT5390 and RT3290 chips as they require different temperature compensation TX power settings (TSSI tuning). Since that commit make wireless connection very unstable on those chips, restore previous behavior to fix regression. Once we implement proper TSSI tuning on 5390/3290 we can restore back setting TX power by BBP_R1 register for those chips. Reported-and-tested-by: Mike Romberg Signed-off-by: Stanislaw Gruszka Acked-by: Gertjan van Wingerde Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 8d5bf1f09c2dbe6f6286812c67ca98e2726e6573 Author: Zefan Li Date: Wed Jun 26 15:31:58 2013 +0800 dlci: validate the net device in dlci_del() commit 578a1310f2592ba90c5674bca21c1dbd1adf3f0a upstream. We triggered an oops while running trinity with 3.4 kernel: BUG: unable to handle kernel paging request at 0000000100000d07 IP: [] dlci_ioctl+0xd8/0x2d4 [dlci] PGD 640c0d067 PUD 0 Oops: 0000 [#1] PREEMPT SMP CPU 3 ... Pid: 7302, comm: trinity-child3 Not tainted 3.4.24.09+ 40 Huawei Technologies Co., Ltd. Tecal RH2285 /BC11BTSA RIP: 0010:[] [] dlci_ioctl+0xd8/0x2d4 [dlci] ... Call Trace: [] sock_ioctl+0x153/0x280 [] do_vfs_ioctl+0xa4/0x5e0 [] ? fget_light+0x3ea/0x490 [] sys_ioctl+0x4f/0x80 [] system_call_fastpath+0x16/0x1b ... It's because the net device is not a dlci device. Reported-by: Li Jinyue Signed-off-by: Li Zefan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit ef2c57720e61dc84ebaee8d09b4d9fffb813f4d7 Author: Zefan Li Date: Wed Jun 26 15:29:54 2013 +0800 dlci: acquire rtnl_lock before calling __dev_get_by_name() commit 11eb2645cbf38a08ae491bf6c602eea900ec0bb5 upstream. Otherwise the net device returned can be freed at anytime. Signed-off-by: Li Zefan Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7b1866f9f35ac2042ea507559055015bf9d8271e Author: Ben Hutchings Date: Fri Jun 14 01:18:44 2013 +0100 s390/irq: Only define synchronize_irq() on SMP commit 690cec8e70c211d1f5f6e520b21a68d0306173b6 upstream. In uniprocessor configurations, synchronize_irq() is defined in as a macro, and this function definition fails to compile. Reported-by: kbuild test robot Signed-off-by: Ben Hutchings Signed-off-by: Heiko Carstens Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit eb10d6c79f8bbbf6c64d3c1f0a8162c76c2a5bfc Author: Ben Hutchings Date: Mon Jun 10 15:34:04 2013 +0200 s390/pci: Implement IRQ functions if !PCI commit c46b54f7406780ec4cf9c9124d1cfb777674dc70 upstream. All architectures must implement IRQ functions. Since various dependencies on !S390 were removed, there are various drivers that can be selected but will fail to link. Provide a dummy implementation of these functions for the !PCI case. Signed-off-by: Ben Hutchings Acked-by: David S. Miller Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 89db426a432c7e1d7838607fbe63f520aabbdaed Author: Nikolay Martynov Date: Fri May 31 01:29:12 2013 -0400 iwlwifi: dvm: fix chain noise calibration commit b28b6dfe580ab1ab8bf08b908fd69e299b877103 upstream. First step of chain noise calibration process had disable flag check inverted. Chain noise calibration never started because of this. Tested on intel 5300 with two antennas attached. The driver correctly disabled one chain. Signed-off-by: Nikolay Martynov Reviewed-by: Emmanuel Grumbach Signed-off-by: Johannes Berg Signed-off-by: Greg Kroah-Hartman commit 0ea096bc04b0b69437a03c8461d4f09ad1c2a77e Author: Sujith Manoharan Date: Thu Jun 20 13:57:07 2013 +0530 ath9k_htc: Handle IDLE state transition properly commit 075163bbb0f51174359947e1bce84f5edb23f21e upstream. Make sure that a chip reset is done when IDLE is turned off - this fixes authentication timeouts. Reported-by: Ignacy Gawedzki Signed-off-by: Sujith Manoharan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 98cbb319993288110355f3e33ecad503bd4bad1b Author: Oleg Nesterov Date: Thu Jun 20 17:50:09 2013 +0200 hw_breakpoint: Use cpu_possible_mask in {reserve,release}_bp_slot() commit c790b0ad23f427c7522ffed264706238c57c007e upstream. fetch_bp_busy_slots() and toggle_bp_slot() use for_each_online_cpu(), this is obviously wrong wrt cpu_up() or cpu_down(), we can over/under account the per-cpu numbers. For example: # echo 0 >> /sys/devices/system/cpu/cpu1/online # perf record -e mem:0x10 -p 1 & # echo 1 >> /sys/devices/system/cpu/cpu1/online # perf record -e mem:0x10,mem:0x10,mem:0x10,mem:0x10 -C1 -a & # taskset -p 0x2 1 triggers the same WARN_ONCE("Can't find any breakpoint slot") in arch_install_hw_breakpoint(). Reported-by: Vince Weaver Signed-off-by: Oleg Nesterov Acked-by: Frederic Weisbecker Link: http://lkml.kernel.org/r/20130620155009.GA6327@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 3a8448a7982bd2c2169d9cc1eba7514cd11174ed Author: Oleg Nesterov Date: Thu Jun 20 17:50:06 2013 +0200 hw_breakpoint: Fix cpu check in task_bp_pinned(cpu) commit 8b4d801b2b123b6c09742f861fe44a8527b84d47 upstream. trinity fuzzer triggered WARN_ONCE("Can't find any breakpoint slot") in arch_install_hw_breakpoint() but the problem is not arch-specific. The problem is, task_bp_pinned(cpu) checks "cpu == iter->cpu" but this doesn't account the "all cpus" events with iter->cpu < 0. This means that, say, register_user_hw_breakpoint(tsk) can happily create the arbitrary number > HBP_NUM of breakpoints which can not be activated. toggle_bp_task_slot() is equally wrong by the same reason and nr_task_bp_pinned[] can have negative entries. Simple test: # perl -e 'sleep 1 while 1' & # perf record -e mem:0x10,mem:0x10,mem:0x10,mem:0x10,mem:0x10 -p `pidof perl` Before this patch this triggers the same problem/WARN_ON(), after the patch it correctly fails with -ENOSPC. Reported-by: Vince Weaver Signed-off-by: Oleg Nesterov Acked-by: Frederic Weisbecker Link: http://lkml.kernel.org/r/20130620155006.GA6324@redhat.com Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit b6afd2b6028d419c3743da88fd7c78ef2a6b0c20 Author: Jaganath Kanakkassery Date: Fri Jun 21 19:55:11 2013 +0530 Bluetooth: Fix invalid length check in l2cap_information_rsp() commit 3f6fa3d489e127ca5a5b298eabac3ff5dbe0e112 upstream. The length check is invalid since the length varies with type of info response. This was introduced by the commit cb3b3152b2f5939d67005cff841a1ca748b19888 Because of this, l2cap info rsp is not handled and command reject is sent. > ACL data: handle 11 flags 0x02 dlen 16 L2CAP(s): Info rsp: type 2 result 0 Extended feature mask 0x00b8 Enhanced Retransmission mode Streaming mode FCS Option Fixed Channels < ACL data: handle 11 flags 0x00 dlen 10 L2CAP(s): Command rej: reason 0 Command not understood Signed-off-by: Jaganath Kanakkassery Signed-off-by: Chan-Yeol Park Acked-by: Johan Hedberg Signed-off-by: Gustavo Padovan Signed-off-by: Greg Kroah-Hartman commit c86b176a359383b729fe9740705a6cd0fc0b88a9 Author: Anderson Lizardo Date: Sun Jun 2 16:30:40 2013 -0400 Bluetooth: Fix crash in l2cap_build_cmd() with small MTU commit 300b962e5244a1ea010df7e88595faa0085b461d upstream. If a too small MTU value is set with ioctl(HCISETACLMTU) or by a bogus controller, memory corruption happens due to a memcpy() call with negative length. Fix this crash on either incoming or outgoing connections with a MTU smaller than L2CAP_HDR_SIZE + L2CAP_CMD_HDR_SIZE: [ 46.885433] BUG: unable to handle kernel paging request at f56ad000 [ 46.888037] IP: [] memcpy+0x1d/0x40 [ 46.888037] *pdpt = 0000000000ac3001 *pde = 00000000373f8067 *pte = 80000000356ad060 [ 46.888037] Oops: 0002 [#1] SMP DEBUG_PAGEALLOC [ 46.888037] Modules linked in: hci_vhci bluetooth virtio_balloon i2c_piix4 uhci_hcd usbcore usb_common [ 46.888037] CPU: 0 PID: 1044 Comm: kworker/u3:0 Not tainted 3.10.0-rc1+ #12 [ 46.888037] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 [ 46.888037] Workqueue: hci0 hci_rx_work [bluetooth] [ 46.888037] task: f59b15b0 ti: f55c4000 task.ti: f55c4000 [ 46.888037] EIP: 0060:[] EFLAGS: 00010212 CPU: 0 [ 46.888037] EIP is at memcpy+0x1d/0x40 [ 46.888037] EAX: f56ac1c0 EBX: fffffff8 ECX: 3ffffc6e EDX: f55c5cf2 [ 46.888037] ESI: f55c6b32 EDI: f56ad000 EBP: f55c5c68 ESP: f55c5c5c [ 46.888037] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 [ 46.888037] CR0: 8005003b CR2: f56ad000 CR3: 3557d000 CR4: 000006f0 [ 46.888037] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 [ 46.888037] DR6: ffff0ff0 DR7: 00000400 [ 46.888037] Stack: [ 46.888037] fffffff8 00000010 00000003 f55c5cac f8c6a54c ffffffff f8c69eb2 00000000 [ 46.888037] f4783cdc f57f0070 f759c590 1001c580 00000003 0200000a 00000000 f5a88560 [ 46.888037] f5ba2600 f5a88560 00000041 00000000 f55c5d90 f8c6f4c7 00000008 f55c5cf2 [ 46.888037] Call Trace: [ 46.888037] [] l2cap_send_cmd+0x1cc/0x230 [bluetooth] [ 46.888037] [] ? l2cap_global_chan_by_psm+0x152/0x1a0 [bluetooth] [ 46.888037] [] l2cap_connect+0x3f7/0x540 [bluetooth] [ 46.888037] [] ? trace_hardirqs_off+0xb/0x10 [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? mutex_lock_nested+0x280/0x360 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] ? mutex_lock_nested+0x268/0x360 [ 46.888037] [] ? trace_hardirqs_on+0xb/0x10 [ 46.888037] [] l2cap_recv_frame+0xb2d/0x1d30 [bluetooth] [ 46.888037] [] ? mark_held_locks+0x68/0x110 [ 46.888037] [] ? __mutex_unlock_slowpath+0xa9/0x150 [ 46.888037] [] ? trace_hardirqs_on_caller+0xec/0x1b0 [ 46.888037] [] l2cap_recv_acldata+0x2a1/0x320 [bluetooth] [ 46.888037] [] hci_rx_work+0x518/0x810 [bluetooth] [ 46.888037] [] ? hci_rx_work+0x132/0x810 [bluetooth] [ 46.888037] [] process_one_work+0x1a9/0x600 [ 46.888037] [] ? process_one_work+0x12b/0x600 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] ? worker_thread+0x19e/0x320 [ 46.888037] [] worker_thread+0xf7/0x320 [ 46.888037] [] ? rescuer_thread+0x290/0x290 [ 46.888037] [] kthread+0xa8/0xb0 [ 46.888037] [] ret_from_kernel_thread+0x1b/0x28 [ 46.888037] [] ? flush_kthread_worker+0x120/0x120 [ 46.888037] Code: c3 90 8d 74 26 00 e8 63 fc ff ff eb e8 90 55 89 e5 83 ec 0c 89 5d f4 89 75 f8 89 7d fc 3e 8d 74 26 00 89 cb 89 c7 c1 e9 02 89 d6 a5 89 d9 83 e1 03 74 02 f3 a4 8b 5d f4 8b 75 f8 8b 7d fc 89 [ 46.888037] EIP: [] memcpy+0x1d/0x40 SS:ESP 0068:f55c5c5c [ 46.888037] CR2: 00000000f56ad000 [ 46.888037] ---[ end trace 0217c1f4d78714a9 ]--- Signed-off-by: Anderson Lizardo Signed-off-by: Gustavo Padovan Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit acf81122dab13e966697614263e39a0f3fb32a67 Author: Simon Baatz Date: Sat Jun 22 22:01:25 2013 +0100 ARM: 7772/1: Fix missing flush_kernel_dcache_page() for noMMU commit 63384fd0b1509acf522a8a8fcede09087eedb7df upstream. Commit 1bc3974 (ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page) moved the implementation of flush_kernel_dcache_page() into mm/flush.c but did not implement it on noMMU ARM. Signed-off-by: Simon Baatz Acked-by: Kevin Hilman Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit c5ba85b81a2b6243437363b47390917f110b8583 Author: Simon Baatz Date: Mon Jun 10 21:10:12 2013 +0100 ARM: 7755/1: handle user space mapped pages in flush_kernel_dcache_page commit 1bc39742aab09248169ef9d3727c9def3528b3f3 upstream. Commit f8b63c1 made flush_kernel_dcache_page a no-op assuming that the pages it needs to handle are kernel mapped only. However, for example when doing direct I/O, pages with user space mappings may occur. Thus, continue to do lazy flushing if there are no user space mappings. Otherwise, flush the kernel cache lines directly. Signed-off-by: Simon Baatz Reviewed-by: Catalin Marinas Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 1ab7a7e0fb972bd5d32f3302c1e03207f836d6ff Author: Michael Holzheu Date: Fri Jun 21 13:21:30 2013 +0200 s390/ipl: Fix FCP WWPN and LUN format strings for read commit eda4ddf7e3a2245888e8c45c566fd514cdd5abbb upstream. The following git commit changed the behavior of sscanf: commit 53809751ac230a3611b5cdd375f3389f3207d471 Author: Jan Beulich Date: Mon Dec 17 16:01:31 2012 -0800 sscanf: don't ignore field widths for numeric conversions This broke the WWPN and LUN sysfs attributes for s390 reipl and dump on panic. Example: $ echo 0x0123456701234567 > /sys/firmware/reipl/fcp/wwpn $ cat /sys/firmware/reipl/fcp/wwpn 0x0001234567012345 So fix this and use format strings that work also with the new sscanf implementation: $ echo 0x012345670123456789 > /sys/firmware/reipl/fcp/wwpn $ cat /sys/firmware/reipl/fcp/wwpn 0x0123456701234567 Reviewed-by: Steffen Maier Signed-off-by: Michael Holzheu Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman