From 6b760542001d8a51d9ad05cc73c26b9783778491 Mon Sep 17 00:00:00 2001
From: Ben Hutchings
Date: Sun, 4 Sep 2011 23:30:50 +0000
Subject: [PATCH] Add fixes from the stable queue believed to fix Debian bugs

svn path=/dists/sid/linux-2.6/; revision=18045
---
debian/changelog | 6 +-
...2x00-fix-crash-in-rt2800usb_get_txwi.patch | 74 +++++++++++++
...fix-crash-in-rt2800usb_write_tx_desc.patch | 102 ++++++++++++++++++
...ndmsg-fix-unsafe-user-pointer-access.patch | 60 +++++++++++
...only-panther-cheetah-chips-have-popc.patch | 35 ++++++
debian/patches/series/4 | 5 +
6 files changed, 281 insertions(+), 1 deletion(-)
create mode 100644 debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
create mode 100644 debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
create mode 100644 debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
create mode 100644 debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
diff --git a/debian/changelog b/debian/changelog
index dcb3eaad4..e1ae2bf06 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -13,10 +13,14 @@ linux-2.6 (3.0.0-4) UNRELEASED; urgency=low - ext4: fix nomblk_io_submit option so it correctly converts uninit blocks - xen-blkfront: Drop name and minor adjustments for emulated scsi devices - xen/x86: replace order-based range checking of M2P table by linear one - - rt2x00: fix order of entry flags modification (Closes: #636531) + - rt2x00: fix order of entry flags modification - Add a personality to report 2.6.x version numbers For the complete list of changes, see: http://www.kernel.org/pub/linux/kernel/v3.0/ChangeLog-3.0.4 + * sendmmsg/sendmsg: fix unsafe user pointer access + * rt2x00: fix crash in rt2800usb_write_tx_desc + * rt2x00: fix crash in rt2800usb_get_txwi (Closes: #636531) + * [sparc] Only Panther cheetah+ chips have POPC (Closes: #639949) -- Ben Hutchings Sun, 28 Aug 2011 17:07:47 +0100
diff --git a/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch b/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
new file mode 100644
index 000000000..95aa53fd4
--- /dev/null
+++ b/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
@@ -0,0 +1,74 @@
+From sgruszka@redhat.com Mon Aug 29 15:24:50 2011
+From: Stanislaw Gruszka
+Date: Thu, 25 Aug 2011 17:14:26 +0200
+Subject: rt2x00: fix crash in rt2800usb_get_txwi
+To: stable@kernel.org
+Cc: IvDoorn@gmail.com, Stanislaw Gruszka , jpiszcz@lucidpixels.com, "John W. Linville"
+Message-ID: <1314285266-5098-3-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka
+
+commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [] rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+*pdpt = 0000000000000000 *pde = f000ff53f000ff53
+Oops: 0000 [#1] SMP
+Pid: 198, comm: kworker/u:3 Tainted: G W 3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO
+EIP: 0060:[] EFLAGS: 00010283 CPU: 1
+EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8
+ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000)
+Call Trace:
+ [] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib]
+ [] ? warn_slowpath_common+0x7d/0xa0
+ [] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [] rt2800usb_work_txdone+0x263/0x360 [rt2800usb]
+ [] process_one_work+0x186/0x440
+ [] ? process_one_work+0x10a/0x440
+ [] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb]
+ [] worker_thread+0x133/0x310
+ [] ? trace_hardirqs_on+0xb/0x10
+ [] ? manage_workers+0x1e0/0x1e0
+ [] kthread+0x7c/0x90
+ [] ? __init_kthread_worker+0x60/0x60
+ [] kernel_thread_helper+0x6/0x1
+
+Oops might happen because we check rt2x00queue_empty(queue) twice,
+but this condition can change and we can process entry in
+rt2800_txdone_entry(), which was already processed by
+rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and
+has nullify entry->skb .
+
+Reported-by: Justin Piszcz
+Signed-off-by: Stanislaw Gruszka
+Acked-by: Ivo van Doorn
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c | 7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -764,12 +764,11 @@ void rt2800_txdone(struct rt2x00_dev *rt
+ entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+ if (rt2800_txdone_entry_check(entry, reg))
+ break;
++ entry = NULL;
+ }
+
+- if (!entry || rt2x00queue_empty(queue))
+- break;
+-
+- rt2800_txdone_entry(entry, reg);
++ if (entry)
++ rt2800_txdone_entry(entry, reg);
+ }
+ }
+ EXPORT_SYMBOL_GPL(rt2800_txdone);
diff --git a/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch b/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
new file mode 100644
index 000000000..89a86ae35
--- /dev/null
+++ b/debian/patches/bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
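Review bot: The replacement guard `if (entry)` is only correct if `entry` is reset to NULL before the inner `while (!rt2x00queue_empty(queue))` loop, which lies above the hunk; if the queue is already empty when that loop is reached and no reset happens, `entry` still holds the pointer matched by the previous TX status word and would be handed to rt2800_txdone_entry() a second time. The hunk header shows only the tail of rt2800_txdone, so that initialisation cannot be confirmed from here and is worth checking before the backport is applied. The new `entry = NULL;` also makes the loop re-examine the entry at Q_INDEX_DONE rather than advance, which terminates only because rt2800_txdone_entry_check() releases the entry via rt2x00lib_txdone_noinfo() (as the commit message describes) or, with the companion write_tx_desc patch, returns false until the pending flags change. A comment above the inner loop such as `/* Re-check Q_INDEX_DONE until an entry accepts this status word or the queue drains; entry stays NULL if nothing matched. */` would make that contract explicit.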
@@ -0,0 +1,102 @@
+From sgruszka@redhat.com Mon Aug 29 15:23:55 2011
+From: Stanislaw Gruszka
+Date: Thu, 25 Aug 2011 17:14:24 +0200
+Subject: rt2x00: fix crash in rt2800usb_write_tx_desc
+To: stable@kernel.org
+Cc: IvDoorn@gmail.com, Stanislaw Gruszka , jpiszcz@lucidpixels.com, "John W. Linville"
+Message-ID: <1314285266-5098-1-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka
+
+commit 4b1bfb7d2d125af6653d6c2305356b2677f79dc6 upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+*pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000
+Oops: 0000 [#1] SMP
+EIP: 0060:[] EFLAGS: 00010282 CPU: 0
+EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0
+ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Call Trace:
+ [] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib]
+ [] rt2x00mac_tx+0x7c/0x370 [rt2x00lib]
+ [] ? mark_held_locks+0x62/0x90
+ [] ? _raw_spin_unlock_irqrestore+0x35/0x60
+ [] ? trace_hardirqs_on_caller+0x5a/0x170
+ [] ? trace_hardirqs_on+0xb/0x10
+ [] __ieee80211_tx+0x5c/0x1e0 [mac80211]
+ [] ieee80211_tx+0xbc/0xe0 [mac80211]
+ [] ? ieee80211_tx+0x23/0xe0 [mac80211]
+ [] ieee80211_xmit+0xc1/0x200 [mac80211]
+ [] ? ieee80211_tx+0xe0/0xe0 [mac80211]
+ [] ? lock_release_holdtime+0x35/0x1b0
+ [] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211]
+ [] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211]
+ [] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211]
+ [] ? sock_setsockopt+0x6a8/0x6f0
+ [] ? sock_setsockopt+0x520/0x6f0
+ [] dev_hard_start_xmit+0x2ef/0x650
+
+Oops might happen because we perform parallel putting new entries in a
+queue (rt2x00queue_write_tx_frame()) and removing entries after
+finishing transmitting (rt2800usb_work_txdone()).
There are cases when
+_txdone may process an entry that was not fully send and nullify
+entry->skb .
+
+To fix check in _txdone if entry has flags that indicate pending
+transmission and wait until flags get cleared.
+
+Reported-by: Justin Piszcz
+Signed-off-by: Stanislaw Gruszka
+Acked-by: Ivo van Doorn
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c | 10 ++++++++++
+ drivers/net/wireless/rt2x00/rt2800usb.c | 4 +++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -38,6 +38,7 @@
+ #include
+ #include
+ #include
++#include
+
+ #include "rt2x00.h"
+ #include "rt2800lib.h"
+@@ -607,6 +608,15 @@ static bool rt2800_txdone_entry_check(st
+ int wcid, ack, pid;
+ int tx_wcid, tx_ack, tx_pid;
+
++ if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++ !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags)) {
++ WARNING(entry->queue->rt2x00dev,
++ "Data pending for entry %u in queue %u\n",
++ entry->entry_idx, entry->queue->qid);
++ cond_resched();
++ return false;
++ }
++
+ wcid = rt2x00_get_field32(reg, TX_STA_FIFO_WCID);
+ ack = rt2x00_get_field32(reg, TX_STA_FIFO_TX_ACK_REQUIRED);
+ pid = rt2x00_get_field32(reg, TX_STA_FIFO_PID_TYPE);
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -477,8 +477,10 @@ static void rt2800usb_work_txdone(struct
+ while (!rt2x00queue_empty(queue)) {
+ entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+
+- if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags))
++ if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++ !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags))
+ break;
++
+ if (test_bit(ENTRY_DATA_IO_FAILED, &entry->flags))
+ rt2x00lib_txdone_noinfo(entry, TXDONE_FAILURE);
+ else if (rt2x00queue_status_timeout(entry))
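Review bot: The early `return false;` added to rt2800_txdone_entry_check() does not advance the queue, so the caller re-polls the same entry and emits the `"Data pending for entry %u in queue %u\n"` WARNING on every iteration until ENTRY_DATA_STATUS_PENDING is set and ENTRY_OWNER_DEVICE_DATA is cleared; the commit message calls this waiting, but nothing in either hunk bounds the wait. If those flags never change for an entry (a USB transfer that is never completed), the txdone worker spins indefinitely with cond_resched() as its only yield and the log fills at the polling rate, turning one stuck entry into a self-inflicted denial of service. A bounded retry that falls back to the existing timeout handling, or at minimum a rate-limited warning, would contain that; both callers, rt2800_txdone and rt2800usb_work_txdone, start outside these hunks. The header name of the added `#include` was lost in rendering and should be the one that declares cond_resched() (presumably linux/sched.h).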
diff --git a/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch b/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
new file mode 100644
index 000000000..0f85bd910
--- /dev/null
+++ b/debian/patches/bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
@@ -0,0 +1,60 @@
+From bc909d9ddbf7778371e36a651d6e4194b1cc7d4c Mon Sep 17 00:00:00 2001
+From: Mathieu Desnoyers
+Date: Wed, 24 Aug 2011 19:45:03 -0700
+Subject: sendmmsg/sendmsg: fix unsafe user pointer access
+
+From: Mathieu Desnoyers
+
+commit bc909d9ddbf7778371e36a651d6e4194b1cc7d4c upstream.
+
+Dereferencing a user pointer directly from kernel-space without going
+through the copy_from_user family of functions is a bad idea. Two of
+such usages can be found in the sendmsg code path called from sendmmsg,
+added by
+
+commit c71d8ebe7a4496fb7231151cb70a6baa0cb56f9a upstream.
+commit 5b47b8038f183b44d2d8ff1c7d11a5c1be706b34 in the 3.0-stable tree.
+
+Usages are performed through memcmp() and memcpy() directly. Fix those
+by using the already copied msg_sys structure instead of the __user *msg
+structure. Note that msg_sys can be set to NULL by verify_compat_iovec()
+or verify_iovec(), which requires additional NULL pointer checks.
+
+Signed-off-by: Mathieu Desnoyers
+Signed-off-by: David Goulet
+CC: Tetsuo Handa
+CC: Anton Blanchard
+CC: David S. Miller
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/socket.c | 10 ++++++----
+ 1 file changed, 6 insertions(+), 4 deletions(-)
+
+--- a/net/socket.c
++++ b/net/socket.c
+@@ -1965,8 +1965,9 @@ static int __sys_sendmsg(struct socket *
+ * used_address->name_len is initialized to UINT_MAX so that the first
+ * destination address never matches.
+ */
+- if (used_address && used_address->name_len == msg_sys->msg_namelen &&
+- !memcmp(&used_address->name, msg->msg_name,
++ if (used_address && msg_sys->msg_name &&
++ used_address->name_len == msg_sys->msg_namelen &&
++ !memcmp(&used_address->name, msg_sys->msg_name,
+ used_address->name_len)) {
+ err = sock_sendmsg_nosec(sock, msg_sys, total_len);
+ goto out_freectl;
+@@ -1978,8 +1979,9 @@ static int __sys_sendmsg(struct socket *
+ */
+ if (used_address && err >= 0) {
+ used_address->name_len = msg_sys->msg_namelen;
+- memcpy(&used_address->name, msg->msg_name,
+- used_address->name_len);
++ if (msg_sys->msg_name)
++ memcpy(&used_address->name, msg_sys->msg_name,
++ used_address->name_len);
+ }
+
+ out_freectl:
diff --git a/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch b/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
new file mode 100644
index 000000000..06f21b225
--- /dev/null
+++ b/debian/patches/bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
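Review bot: The memcpy in the second hunk still copies `used_address->name_len` bytes (taken from `msg_sys->msg_namelen` on the line above it) into `used_address->name` with no bound visible in the patch; this is only safe if the verify_iovec()/verify_compat_iovec() step the commit message mentions has already clamped msg_namelen to the size of that buffer, which is outside the hunk and worth confirming for the 3.0 tree being patched. Since the NULL case is now the non-obvious path, the block comment above the first hunk should also say why the check exists, e.g. `* msg_sys->msg_name may be NULL after verify_iovec(); such messages never` `* match the cached address, so they never take the sock_sendmsg_nosec() shortcut.` The enclosing __sys_sendmsg() starts and ends outside both hunks.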
@@ -0,0 +1,35 @@
+From 1a8e0da5937a6c87807083baa318cf8f98dac9aa Mon Sep 17 00:00:00 2001
+From: "David S. Miller"
+Date: Mon, 29 Aug 2011 21:14:29 -0700
+Subject: sparc64: Only Panther cheetah+ chips have POPC.
+
+From: "David S. Miller"
+
+commit 1a8e0da5937a6c87807083baa318cf8f98dac9aa upstream.
+
+Signed-off-by: David S. Miller
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/sparc/kernel/setup_64.c | 10 ++++++++--
+ 1 file changed, 8 insertions(+), 2 deletions(-)
+
+--- a/arch/sparc/kernel/setup_64.c
++++ b/arch/sparc/kernel/setup_64.c
+@@ -440,8 +440,14 @@ static void __init init_sparc64_elf_hwca
+ cap |= AV_SPARC_VIS;
+ if (tlb_type == cheetah || tlb_type == cheetah_plus)
+ cap |= AV_SPARC_VIS | AV_SPARC_VIS2;
+- if (tlb_type == cheetah_plus)
+- cap |= AV_SPARC_POPC;
++ if (tlb_type == cheetah_plus) {
++ unsigned long impl, ver;
++
++ __asm__ __volatile__("rdpr %%ver, %0" : "=r" (ver));
++ impl = ((ver >> 32) & 0xffff);
++ if (impl == PANTHER_IMPL)
++ cap |= AV_SPARC_POPC;
++ }
+ if (tlb_type == hypervisor) {
+ if (sun4v_chip_type == SUN4V_CHIP_NIAGARA1)
+ cap |= AV_SPARC_ASI_BLK_INIT;
diff --git a/debian/patches/series/4 b/debian/patches/series/4
index 6a02529f7..611dc68ff 100644
--- a/debian/patches/series/4
+++ b/debian/patches/series/4
@@ -7,3 +7,8 @@ - bugfix/all/befs-validate-length-of-long-symbolic-links.patch - bugfix/all/genirq-fix-wrong-bit-operation.patch + bugfix/all/stable/3.0.4.patch
+
++ bugfix/all/sendmmsg-sendmsg-fix-unsafe-user-pointer-access.patch
++ bugfix/all/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
++ bugfix/all/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
++ bugfix/sparc/sparc64-only-panther-cheetah-chips-have-popc.patch
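Review bot: `impl = ((ver >> 32) & 0xffff);` decodes the %ver register with bare magic numbers and no comment, and nothing else in the hunk says which field is being extracted, so a reader has to go to the architecture manual to check that the shift and mask are right. A one-line comment above the shift, `/* implementation number: %ver bits 47:32 */`, would document the intent; if the tree already has a named mask or helper for this field, using it would be better still. init_sparc64_elf_hwcap starts and ends outside the hunk, as does the definition of PANTHER_IMPL.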