1 files changed, 104 insertions, 0 deletions
diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch
new file mode 100644
index 00000000..1f9fcd1d
--- /dev/null
+++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch
@@ -0,0 +1,104 @@
+From 0234f0569820c617e90b0ced54a345705cee031b Mon Sep 17 00:00:00 2001
+From: Huajun Li <huajun.li.lee@gmail.com>
+Date: Sun, 12 Feb 2012 19:59:14 +0800
+Subject: [PATCH 59/73] scsi_scan: Fix 'Poison overwritten' warning caused by
+ using freed 'shost'
+commit 267a6ad4aefaafbde607804c60945bcf97f91c1b upstream.
+In do_scan_async(), calling scsi_autopm_put_host(shost) may reference
+freed shost, and cause Posison overwitten warning.
+Yes, this case can happen, for example, an USB is disconnected just
+when do_scan_async() thread starts to run, then scsi_host_put() called
+in scsi_finish_async_scan() will lead to shost be freed(because the
+refcount of shost->shost_gendev decreases to 1 after USB disconnects),
+at this point, if references shost again, system will show following
+warning msg.
+To make scsi_autopm_put_host(shost) always reference a valid shost,
+put it just before scsi_host_put() in function
+scsi_finish_async_scan().
+[  299.281565] =============================================================================
+[  299.281634] BUG kmalloc-4096 (Tainted: G          I ): Poison overwritten
+[  299.281682] -----------------------------------------------------------------------------
+[  299.281684]
+[  299.281752] INFO: 0xffff880056c305d0-0xffff880056c305d0. First byte
+0x6a instead of 0x6b
+[  299.281816] INFO: Allocated in scsi_host_alloc+0x4a/0x490 age=1688
+cpu=1 pid=2004
+[  299.281870]  __slab_alloc+0x617/0x6c1
+[  299.281901]  __kmalloc+0x28c/0x2e0
+[  299.281931]  scsi_host_alloc+0x4a/0x490
+[  299.281966]  usb_stor_probe1+0x5b/0xc40 [usb_storage]
+[  299.282010]  storage_probe+0xa4/0xe0 [usb_storage]
+[  299.282062]  usb_probe_interface+0x172/0x330 [usbcore]
+[  299.282105]  driver_probe_device+0x257/0x3b0
+[  299.282138]  __driver_attach+0x103/0x110
+[  299.282171]  bus_for_each_dev+0x8e/0xe0
+[  299.282201]  driver_attach+0x26/0x30
+[  299.282230]  bus_add_driver+0x1c4/0x430
+[  299.282260]  driver_register+0xb6/0x230
+[  299.282298]  usb_register_driver+0xe5/0x270 [usbcore]
+[  299.282337]  0xffffffffa04ab03d
+[  299.282364]  do_one_initcall+0x47/0x230
+[  299.282396]  sys_init_module+0xa0f/0x1fe0
+[  299.282429] INFO: Freed in scsi_host_dev_release+0x18a/0x1d0 age=85
+cpu=0 pid=2008
+[  299.282482]  __slab_free+0x3c/0x2a1
+[  299.282510]  kfree+0x296/0x310
+[  299.282536]  scsi_host_dev_release+0x18a/0x1d0
+[  299.282574]  device_release+0x74/0x100
+[  299.282606]  kobject_release+0xc7/0x2a0
+[  299.282637]  kobject_put+0x54/0xa0
+[  299.282668]  put_device+0x27/0x40
+[  299.282694]  scsi_host_put+0x1d/0x30
+[  299.282723]  do_scan_async+0x1fc/0x2b0
+[  299.282753]  kthread+0xdf/0xf0
+[  299.282782]  kernel_thread_helper+0x4/0x10
+[  299.282817] INFO: Slab 0xffffea00015b0c00 objects=7 used=7 fp=0x
+      (null) flags=0x100000000004080
+[  299.282882] INFO: Object 0xffff880056c30000 @offset=0 fp=0x          (null)
+[  299.282884]
+...
+Signed-off-by: Huajun Li <huajun.li.lee@gmail.com>
+Acked-by: Alan Stern <stern@rowland.harvard.edu>
+Signed-off-by: James Bottomley <JBottomley@Parallels.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ drivers/scsi/scsi_scan.c |    4 ++--
+ 1 files changed, 2 insertions(+), 2 deletions(-)
+diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
+index b3c6d95..6e7ea4a 100644
+--- a/drivers/scsi/scsi_scan.c
+++ b/drivers/scsi/scsi_scan.c
+@@ -1815,6 +1815,7 @@ static void scsi_finish_async_scan(struct async_scan_data *data)
+        }
+        spin_unlock(&async_scan_lock);
+ 
+       scsi_autopm_put_host(shost);
+        scsi_host_put(shost);
+        kfree(data);
+ }
+@@ -1841,7 +1842,6 @@ static int do_scan_async(void *_data)
+ 
+        do_scsi_scan_host(shost);
+        scsi_finish_async_scan(data);
+-       scsi_autopm_put_host(shost);
+        return 0;
+ }
+ 
+@@ -1869,7 +1869,7 @@ void scsi_scan_host(struct Scsi_Host *shost)
+        p = kthread_run(do_scan_async, data, "scsi_scan_%d", shost->host_no);
+        if (IS_ERR(p))
+                do_scan_async(data);
+-       /* scsi_autopm_put_host(shost) is called in do_scan_async() */
+       /* scsi_autopm_put_host(shost) is called in scsi_finish_async_scan() */
+ }
+ EXPORT_SYMBOL(scsi_scan_host);
+ 
+-- 
+1.7.7.4

diff --git a/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch new file mode 100644 index 00000000..1f9fcd1d --- /dev/null +++ b/recipes-kernel/linux/linux-ti33x-psp-3.2/3.2.9/0059-scsi_scan-Fix-Poison-overwritten-warning-caused-by-u.patch
@@ -0,0 +1,104 @@
	1	From 0234f0569820c617e90b0ced54a345705cee031b Mon Sep 17 00:00:00 2001
	2	From: Huajun Li <huajun.li.lee@gmail.com>
	3	Date: Sun, 12 Feb 2012 19:59:14 +0800
	4	Subject: [PATCH 59/73] scsi_scan: Fix 'Poison overwritten' warning caused by
	5	using freed 'shost'
	6
	7	commit 267a6ad4aefaafbde607804c60945bcf97f91c1b upstream.
	8
	9	In do_scan_async(), calling scsi_autopm_put_host(shost) may reference
	10	freed shost, and cause Posison overwitten warning.
	11	Yes, this case can happen, for example, an USB is disconnected just
	12	when do_scan_async() thread starts to run, then scsi_host_put() called
	13	in scsi_finish_async_scan() will lead to shost be freed(because the
	14	refcount of shost->shost_gendev decreases to 1 after USB disconnects),
	15	at this point, if references shost again, system will show following
	16	warning msg.
	17
	18	To make scsi_autopm_put_host(shost) always reference a valid shost,
	19	put it just before scsi_host_put() in function
	20	scsi_finish_async_scan().
	21
	22	[ 299.281565] =============================================================================
	23	[ 299.281634] BUG kmalloc-4096 (Tainted: G I ): Poison overwritten
	24	[ 299.281682] -----------------------------------------------------------------------------
	25	[ 299.281684]
	26	[ 299.281752] INFO: 0xffff880056c305d0-0xffff880056c305d0. First byte
	27	0x6a instead of 0x6b
	28	[ 299.281816] INFO: Allocated in scsi_host_alloc+0x4a/0x490 age=1688
	29	cpu=1 pid=2004
	30	[ 299.281870] __slab_alloc+0x617/0x6c1
	31	[ 299.281901] __kmalloc+0x28c/0x2e0
	32	[ 299.281931] scsi_host_alloc+0x4a/0x490
	33	[ 299.281966] usb_stor_probe1+0x5b/0xc40 [usb_storage]
	34	[ 299.282010] storage_probe+0xa4/0xe0 [usb_storage]
	35	[ 299.282062] usb_probe_interface+0x172/0x330 [usbcore]
	36	[ 299.282105] driver_probe_device+0x257/0x3b0
	37	[ 299.282138] __driver_attach+0x103/0x110
	38	[ 299.282171] bus_for_each_dev+0x8e/0xe0
	39	[ 299.282201] driver_attach+0x26/0x30
	40	[ 299.282230] bus_add_driver+0x1c4/0x430
	41	[ 299.282260] driver_register+0xb6/0x230
	42	[ 299.282298] usb_register_driver+0xe5/0x270 [usbcore]
	43	[ 299.282337] 0xffffffffa04ab03d
	44	[ 299.282364] do_one_initcall+0x47/0x230
	45	[ 299.282396] sys_init_module+0xa0f/0x1fe0
	46	[ 299.282429] INFO: Freed in scsi_host_dev_release+0x18a/0x1d0 age=85
	47	cpu=0 pid=2008
	48	[ 299.282482] __slab_free+0x3c/0x2a1
	49	[ 299.282510] kfree+0x296/0x310
	50	[ 299.282536] scsi_host_dev_release+0x18a/0x1d0
	51	[ 299.282574] device_release+0x74/0x100
	52	[ 299.282606] kobject_release+0xc7/0x2a0
	53	[ 299.282637] kobject_put+0x54/0xa0
	54	[ 299.282668] put_device+0x27/0x40
	55	[ 299.282694] scsi_host_put+0x1d/0x30
	56	[ 299.282723] do_scan_async+0x1fc/0x2b0
	57	[ 299.282753] kthread+0xdf/0xf0
	58	[ 299.282782] kernel_thread_helper+0x4/0x10
	59	[ 299.282817] INFO: Slab 0xffffea00015b0c00 objects=7 used=7 fp=0x
	60	(null) flags=0x100000000004080
	61	[ 299.282882] INFO: Object 0xffff880056c30000 @offset=0 fp=0x (null)
	62	[ 299.282884]
	63	...
	64
	65	Signed-off-by: Huajun Li <huajun.li.lee@gmail.com>
	66	Acked-by: Alan Stern <stern@rowland.harvard.edu>
	67	Signed-off-by: James Bottomley <JBottomley@Parallels.com>
	68	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	69	---
	70	drivers/scsi/scsi_scan.c \| 4 ++--
	71	1 files changed, 2 insertions(+), 2 deletions(-)
	72
	73	diff --git a/drivers/scsi/scsi_scan.c b/drivers/scsi/scsi_scan.c
	74	index b3c6d95..6e7ea4a 100644
	75	--- a/drivers/scsi/scsi_scan.c
	76	+++ b/drivers/scsi/scsi_scan.c
	77	@@ -1815,6 +1815,7 @@ static void scsi_finish_async_scan(struct async_scan_data *data)
	78	}
	79	spin_unlock(&async_scan_lock);
	80
	81	+ scsi_autopm_put_host(shost);
	82	scsi_host_put(shost);
	83	kfree(data);
	84	}
	85	@@ -1841,7 +1842,6 @@ static int do_scan_async(void *_data)
	86
	87	do_scsi_scan_host(shost);
	88	scsi_finish_async_scan(data);
	89	- scsi_autopm_put_host(shost);
	90	return 0;
	91	}
	92
	93	@@ -1869,7 +1869,7 @@ void scsi_scan_host(struct Scsi_Host *shost)
	94	p = kthread_run(do_scan_async, data, "scsi_scan_%d", shost->host_no);
	95	if (IS_ERR(p))
	96	do_scan_async(data);
	97	- /* scsi_autopm_put_host(shost) is called in do_scan_async() */
	98	+ /* scsi_autopm_put_host(shost) is called in scsi_finish_async_scan() */
	99	}
	100	EXPORT_SYMBOL(scsi_scan_host);
	101
	102	--
	103	1.7.7.4
	104