author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-09 17:10:13 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-05-09 17:10:13 -0700 |
commit | 00c526581a0b7cb914c7efa96335a4e2f0cd6107 (patch) | |
tree | ec1a01a38b1227f16f1e70346358f48a31e5ece4 | |
parent | 5df25c2e494adc2df12f671adcbbd791c7ecc1f8 (diff) | |
download | stable-queue-00c526581a0b7cb914c7efa96335a4e2f0cd6107.tar.gz |
.38 patches
14 files changed, 993 insertions, 0 deletions
diff --git a/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch b/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch new file mode 100644 index 0000000000..c6a148f51e --- /dev/null +++ b/queue-2.6.38/cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch 
@@ -0,0 +1,58 @@ +From bfacf2225a955bea9c41c707fc72ba16009674a0 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Wed, 27 Apr 2011 13:25:51 -0400 +Subject: cifs: change bleft in decode_unicode_ssetup back to signed type + +From: Jeff Layton <jlayton@redhat.com> + +commit bfacf2225a955bea9c41c707fc72ba16009674a0 upstream. + +The buffer length checks in this function depend on this value being a +signed data type, but 690c522fa converted it to an unsigned type. + +Also, eliminate a problem with the null termination check in the same +function. cifs_strndup_from_ucs handles that situation correctly +already, and the existing check could potentially lead to a buffer +overrun since it increments bleft without checking to see whether it +falls off the end of the buffer. + +Reported-and-Acked-by: David Howells <dhowells@redhat.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/sess.c | 15 +-------------- + 1 file changed, 1 insertion(+), 14 deletions(-) + +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -277,7 +277,7 @@ static void ascii_ssetup_strings(char ** + } + + static void +-decode_unicode_ssetup(char **pbcc_area, __u16 bleft, struct cifsSesInfo *ses, ++decode_unicode_ssetup(char **pbcc_area, int bleft, struct cifsSesInfo *ses, + const struct nls_table *nls_cp) + { + int len; +@@ -285,19 +285,6 @@ decode_unicode_ssetup(char **pbcc_area, + + cFYI(1, "bleft %d", bleft); + +- /* +- * Windows servers do not always double null terminate their final +- * Unicode string. Check to see if there are an uneven number of bytes +- * left. If so, then add an extra NULL pad byte to the end of the +- * response. 
+- * +- * See section 2.7.2 in "Implementing CIFS" for details +- */ +- if (bleft % 2) { +- data[bleft] = 0; +- ++bleft; +- } +- + kfree(ses->serverOS); + ses->serverOS = cifs_strndup_from_ucs(data, bleft, true, nls_cp); + cFYI(1, "serverOS=%s", ses->serverOS); diff --git a/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch b/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch new file mode 100644 index 0000000000..4493188c34 --- /dev/null +++ b/queue-2.6.38/cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch @@ -0,0 +1,37 @@ +From fcda7f4578bbf9717444ca6da8a421d21489d078 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Wed, 27 Apr 2011 13:25:51 -0400 +Subject: cifs: check for bytes_remaining going to zero in CIFS_SessSetup + +From: Jeff Layton <jlayton@redhat.com> + +commit fcda7f4578bbf9717444ca6da8a421d21489d078 upstream. + +It's possible that when we go to decode the string area in the +SESSION_SETUP response, that bytes_remaining will be 0. Decrementing it at +that point will mean that it can go "negative" and wrap. Check for a +bytes_remaining value of 0, and don't try to decode the string area if +that's the case. + +Reported-and-Acked-by: David Howells <dhowells@redhat.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/sess.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -917,7 +917,9 @@ ssetup_ntlmssp_authenticate: + } + + /* BB check if Unicode and decode strings */ +- if (smb_buf->Flags2 & SMBFLG2_UNICODE) { ++ if (bytes_remaining == 0) { ++ /* no string area to decode, do nothing */ ++ } else if (smb_buf->Flags2 & SMBFLG2_UNICODE) { + /* unicode string area must be word-aligned */ + if (((unsigned long) bcc_ptr - (unsigned long) smb_buf) % 2) { + ++bcc_ptr; 
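Review bot: The signedness of `bleft` in `decode_unicode_ssetup()` is now what the length checks depend on, but the new signature has no comment saying so, and the description shows the type was already changed to `__u16` once by mistake. I would add a comment above the parameter list such as `/* bleft must stay signed: the length checks below rely on it going negative on underrun */`. Those checks lie outside this hunk, so this rests on the commit description rather than on visible lines. It is also worth confirming that the caller's remaining-byte count cannot wrap before it is converted to `int`.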
diff --git a/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch b/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch new file mode 100644 index 0000000000..5b71641f9b --- /dev/null +++ b/queue-2.6.38/cifs-handle-errors-from-coalesce_t2.patch @@ -0,0 +1,46 @@ +From 16541ba11c4f04ffe94b073e301f00b749fb84a1 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Fri, 29 Apr 2011 06:52:44 -0400 +Subject: cifs: handle errors from coalesce_t2 + +From: Jeff Layton <jlayton@redhat.com> + +commit 16541ba11c4f04ffe94b073e301f00b749fb84a1 upstream. + +cifs_demultiplex_thread calls coalesce_t2 to try and merge follow-on t2 +responses into the original mid buffer. coalesce_t2 however can return +errors, but the caller doesn't handle that situation properly. Fix the +thread to treat such a case as it would a malformed packet. Mark the +mid as being malformed and issue the callback. + +Acked-by: David Howells <dhowells@redhat.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/connect.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -631,12 +631,16 @@ incomplete_rcv: + isMultiRsp = true; + if (mid_entry->resp_buf) { + /* merge response - fix up 1st*/ +- if (coalesce_t2(smb_buffer, +- mid_entry->resp_buf)) { ++ length = coalesce_t2(smb_buffer, ++ mid_entry->resp_buf); ++ if (length > 0) { ++ length = 0; + mid_entry->multiRsp = true; + break; + } else { +- /* all parts received */ ++ /* all parts received or ++ * packet is malformed ++ */ + mid_entry->multiEnd = true; + goto multi_t2_fnd; + } diff --git a/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch b/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch new file mode 100644 index 0000000000..8cbb8dfe8a --- /dev/null 
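Review bot: The failure path of `coalesce_t2()` in `cifs_demultiplex_thread` is handled only implicitly: `length` is reused for the return code, and a negative value falls into the `else` arm, which still sets `mid_entry->multiEnd = true` although not all parts were received. The mid is marked malformed only because `multi_t2_fnd` later tests `length == 0`, and that test is outside this hunk. I would make the dependency explicit with a comment at the assignment, for example `/* length < 0: coalesce failed; multi_t2_fnd will mark the mid MID_RESPONSE_MALFORMED */`. It is also worth checking that nothing between here and `multi_t2_fnd` reads `length` as a byte count.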
+++ b/queue-2.6.38/cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch 
@@ -0,0 +1,129 @@ +From 146f9f65bd13f56665205aed7205d531c810cb35 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Fri, 29 Apr 2011 06:52:43 -0400 +Subject: cifs: refactor mid finding loop in cifs_demultiplex_thread + +From: Jeff Layton <jlayton@redhat.com> + +commit 146f9f65bd13f56665205aed7205d531c810cb35 upstream. + +...to reduce the extreme indentation. This should introduce no +behavioral changes. + +Acked-by: David Howells <dhowells@redhat.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/connect.c | 92 +++++++++++++++++++++++++++--------------------------- + 1 file changed, 46 insertions(+), 46 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -618,59 +618,59 @@ incomplete_rcv: + list_for_each_safe(tmp, tmp2, &server->pending_mid_q) { + mid_entry = list_entry(tmp, struct mid_q_entry, qhead); + +- if ((mid_entry->mid == smb_buffer->Mid) && +- (mid_entry->midState == MID_REQUEST_SUBMITTED) && +- (mid_entry->command == smb_buffer->Command)) { +- if (length == 0 && +- check2ndT2(smb_buffer, server->maxBuf) > 0) { +- /* We have a multipart transact2 resp */ +- isMultiRsp = true; +- if (mid_entry->resp_buf) { +- /* merge response - fix up 1st*/ +- if (coalesce_t2(smb_buffer, ++ if (mid_entry->mid != smb_buffer->Mid || ++ mid_entry->midState != MID_REQUEST_SUBMITTED || ++ mid_entry->command != smb_buffer->Command) { ++ mid_entry = NULL; ++ continue; ++ } ++ ++ if (length == 0 && ++ check2ndT2(smb_buffer, server->maxBuf) > 0) { ++ /* We have a multipart transact2 resp */ ++ isMultiRsp = true; ++ if (mid_entry->resp_buf) { ++ /* merge response - fix up 1st*/ ++ if (coalesce_t2(smb_buffer, + mid_entry->resp_buf)) { +- mid_entry->multiRsp = +- true; +- break; +- } else { +- /* all parts received */ +- mid_entry->multiEnd = +- true; +- goto multi_t2_fnd; +- } ++ mid_entry->multiRsp = true; ++ break; ++ } else 
{ ++ /* all parts received */ ++ mid_entry->multiEnd = true; ++ goto multi_t2_fnd; ++ } ++ } else { ++ if (!isLargeBuf) { ++ /* ++ * FIXME: switch to already ++ * allocated largebuf? ++ */ ++ cERROR(1, "1st trans2 resp " ++ "needs bigbuf"); + } else { +- if (!isLargeBuf) { +- cERROR(1, "1st trans2 resp needs bigbuf"); +- /* BB maybe we can fix this up, switch +- to already allocated large buffer? */ +- } else { +- /* Have first buffer */ +- mid_entry->resp_buf = +- smb_buffer; +- mid_entry->largeBuf = +- true; +- bigbuf = NULL; +- } ++ /* Have first buffer */ ++ mid_entry->resp_buf = ++ smb_buffer; ++ mid_entry->largeBuf = true; ++ bigbuf = NULL; + } +- break; + } +- mid_entry->resp_buf = smb_buffer; +- mid_entry->largeBuf = isLargeBuf; ++ break; ++ } ++ mid_entry->resp_buf = smb_buffer; ++ mid_entry->largeBuf = isLargeBuf; + multi_t2_fnd: +- if (length == 0) +- mid_entry->midState = +- MID_RESPONSE_RECEIVED; +- else +- mid_entry->midState = +- MID_RESPONSE_MALFORMED; ++ if (length == 0) ++ mid_entry->midState = MID_RESPONSE_RECEIVED; ++ else ++ mid_entry->midState = MID_RESPONSE_MALFORMED; + #ifdef CONFIG_CIFS_STATS2 +- mid_entry->when_received = jiffies; ++ mid_entry->when_received = jiffies; + #endif +- list_del_init(&mid_entry->qhead); +- mid_entry->callback(mid_entry); +- break; +- } +- mid_entry = NULL; ++ list_del_init(&mid_entry->qhead); ++ mid_entry->callback(mid_entry); ++ break; + } + spin_unlock(&GlobalMid_Lock); + diff --git a/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch b/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch new file mode 100644 index 0000000000..d0266e6911 --- /dev/null +++ b/queue-2.6.38/cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch 
@@ -0,0 +1,84 @@ +From 2a2047bc94d0efc316401170c3d078d9edc20dc4 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Wed, 27 Apr 2011 13:29:49 -0400 +Subject: cifs: sanitize length checking in coalesce_t2 (try #3) + +From: Jeff Layton <jlayton@redhat.com> + +commit 2a2047bc94d0efc316401170c3d078d9edc20dc4 upstream. + +There are a couple of places in this code where these values can wrap or +go negative, and that could potentially end up overflowing the buffer. +Ensure that that doesn't happen. Do all of the length calculation and +checks first, and only perform the memcpy after they pass. + +Also, increase some stack variables to 32 bits to ensure that they don't +wrap without being detected. + +Finally, change the error codes to be a bit more descriptive of any +problems detected. -EINVAL isn't very accurate. + +Reported-and-Acked-by: David Howells <dhowells@redhat.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/connect.c | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -275,7 +275,8 @@ static int coalesce_t2(struct smb_hdr *p + char *data_area_of_target; + char *data_area_of_buf2; + int remaining; +- __u16 byte_count, total_data_size, total_in_buf, total_in_buf2; ++ unsigned int byte_count, total_in_buf; ++ __u16 total_data_size, total_in_buf2; + + total_data_size = get_unaligned_le16(&pSMBt->t2_rsp.TotalDataCount); + +@@ -288,7 +289,7 @@ static int coalesce_t2(struct smb_hdr *p + remaining = total_data_size - total_in_buf; + + if (remaining < 0) +- return -EINVAL; ++ return -EPROTO; + + if (remaining == 0) /* nothing to do, ignore */ + return 0; +@@ -309,20 +310,29 @@ static int coalesce_t2(struct smb_hdr *p + data_area_of_target += total_in_buf; + + /* copy second buffer into end of first buffer */ +- memcpy(data_area_of_target, 
data_area_of_buf2, total_in_buf2); + total_in_buf += total_in_buf2; ++ /* is the result too big for the field? */ ++ if (total_in_buf > USHRT_MAX) ++ return -EPROTO; + put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount); ++ ++ /* fix up the BCC */ + byte_count = get_bcc_le(pTargetSMB); + byte_count += total_in_buf2; ++ /* is the result too big for the field? */ ++ if (byte_count > USHRT_MAX) ++ return -EPROTO; + put_bcc_le(byte_count, pTargetSMB); + + byte_count = pTargetSMB->smb_buf_length; + byte_count += total_in_buf2; +- +- /* BB also add check that we are not beyond maximum buffer size */ +- ++ /* don't allow buffer to overflow */ ++ if (byte_count > CIFSMaxBufSize) ++ return -ENOBUFS; + pTargetSMB->smb_buf_length = byte_count; + ++ memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2); ++ + if (remaining == total_in_buf2) { + cFYI(1, "found the last secondary response"); + return 0; /* we are done */ diff --git a/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch b/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch new file mode 100644 index 0000000000..6ba3e1e4cc --- /dev/null +++ b/queue-2.6.38/drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch 
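Review bot: In `coalesce_t2()` the header fields of the target are still written between the range checks, so a late failure leaves `pTargetSMB` half-updated. `put_unaligned_le16(total_in_buf, ...)` and `put_bcc_le()` both run before the `CIFSMaxBufSize` test, so an `-ENOBUFS` return leaves DataCount and BCC describing data that was never copied. The description says all length calculations and checks are done first, but that currently holds only for the `memcpy`. I would compute the three derived lengths into locals, test them all, and only then write the fields and copy, as sketched below. The function starts and ends outside these hunks, and `buf_len` is a new local of my own naming.

```c
	unsigned int byte_count, total_in_buf, buf_len;
	/* … unchanged: TotalDataCount / remaining checks, data area pointers … */

	/* validate every derived length before touching the target buffer */
	total_in_buf += total_in_buf2;
	if (total_in_buf > USHRT_MAX)
		return -EPROTO;
	byte_count = get_bcc_le(pTargetSMB) + total_in_buf2;
	if (byte_count > USHRT_MAX)
		return -EPROTO;
	buf_len = pTargetSMB->smb_buf_length + total_in_buf2;
	if (buf_len > CIFSMaxBufSize)
		return -ENOBUFS;

	/* all checks passed: update the header fields, then append the data */
	put_unaligned_le16(total_in_buf, &pSMBt->t2_rsp.DataCount);
	put_bcc_le(byte_count, pTargetSMB);
	pTargetSMB->smb_buf_length = buf_len;
	memcpy(data_area_of_target, data_area_of_buf2, total_in_buf2);
```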
@@ -0,0 +1,41 @@ +From 4f87af46107499415afd238be104587b5a9d7ac3 Mon Sep 17 00:00:00 2001 +From: Alex Deucher <alexdeucher@gmail.com> +Date: Wed, 4 May 2011 11:41:47 -0400 +Subject: drm/radeon/kms: add pci id to acer travelmate quirk for 5730 + +From: Alex Deucher <alexdeucher@gmail.com> + +commit 4f87af46107499415afd238be104587b5a9d7ac3 upstream. + +Fixes: +https://bugzilla.kernel.org/show_bug.cgi?id=34082 + +Reported by: Sampo Laaksonen <zhamahn@gmail.com> +Signed-off-by: Alex Deucher <alexdeucher@gmail.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -431,7 +431,7 @@ static bool radeon_atom_apply_quirks(str + } + } + +- /* Acer laptop (Acer TravelMate 5730G) has an HDMI port ++ /* Acer laptop (Acer TravelMate 5730/5730G) has an HDMI port + * on the laptop and a DVI port on the docking station and + * both share the same encoder, hpd pin, and ddc line. + * So while the bios table is technically correct, +@@ -440,7 +440,7 @@ static bool radeon_atom_apply_quirks(str + * with different crtcs which isn't possible on the hardware + * side and leaves no crtcs for LVDS or VGA. + */ +- if ((dev->pdev->device == 0x95c4) && ++ if (((dev->pdev->device == 0x95c4) || (dev->pdev->device == 0x9591)) && + (dev->pdev->subsystem_vendor == 0x1025) && + (dev->pdev->subsystem_device == 0x013c)) { + if ((*connector_type == DRM_MODE_CONNECTOR_DVII) && diff --git a/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch b/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch new file mode 100644 index 0000000000..a8ec0e390d --- /dev/null +++ b/queue-2.6.38/drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch 
@@ -0,0 +1,99 @@ +From alexdeucher@gmail.com Mon May 9 16:35:34 2011 +From: Alex Deucher <alexdeucher@gmail.com> +Date: Fri, 6 May 2011 14:29:55 -0400 +Subject: [stable] [PATCH] drm/radeon/kms: fix gart setup on fusion parts (v2) backport +To: stable@kernel.org +Cc: Alex Deucher <alexdeucher@gmail.com>, airlied@redhat.com, gregkh@suse.de +Message-ID: <1304706595-9781-1-git-send-email-alexdeucher@gmail.com> + +From: Alex Deucher <alexdeucher@gmail.com> + +Backport of 8aeb96f80232e9a701b5c4715504f4c9173978bd +(drm/radeon/kms: fix gart setup on fusion parts (v2)) +to the stable tree. + +Out of the entire GART/VM subsystem, the hw designers changed +the location of 3 regs. + +v2: airlied: add parameter for userspace to work from. + +Signed-off-by: Alex Deucher <alexdeucher@gmail.com> +Signed-off-by: Jerome Glisse <jglisse@redhat.com> +Signed-off-by: Dave Airlie <airlied@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/gpu/drm/radeon/evergreen.c | 17 +++++++++-------- + drivers/gpu/drm/radeon/evergreend.h | 5 +++++ + drivers/gpu/drm/radeon/radeon_kms.c | 3 +++ + include/drm/radeon_drm.h | 1 + + 4 files changed, 18 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -869,9 +869,15 @@ int evergreen_pcie_gart_enable(struct ra + SYSTEM_ACCESS_MODE_NOT_IN_SYS | + SYSTEM_APERTURE_UNMAPPED_ACCESS_PASS_THRU | + EFFECTIVE_L1_TLB_SIZE(5) | EFFECTIVE_L1_QUEUE_SIZE(5); +- WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp); +- WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp); +- WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp); ++ if (rdev->flags & RADEON_IS_IGP) { ++ WREG32(FUS_MC_VM_MD_L1_TLB0_CNTL, tmp); ++ WREG32(FUS_MC_VM_MD_L1_TLB1_CNTL, tmp); ++ WREG32(FUS_MC_VM_MD_L1_TLB2_CNTL, tmp); ++ } else { ++ WREG32(MC_VM_MD_L1_TLB0_CNTL, tmp); ++ WREG32(MC_VM_MD_L1_TLB1_CNTL, tmp); ++ WREG32(MC_VM_MD_L1_TLB2_CNTL, tmp); ++ } + WREG32(MC_VM_MB_L1_TLB0_CNTL, tmp); + WREG32(MC_VM_MB_L1_TLB1_CNTL, tmp); + WREG32(MC_VM_MB_L1_TLB2_CNTL, 
tmp); +@@ -2930,11 +2936,6 @@ static int evergreen_startup(struct rade + rdev->asic->copy = NULL; + dev_warn(rdev->dev, "failed blitter (%d) falling back to memcpy\n", r); + } +- /* XXX: ontario has problems blitting to gart at the moment */ +- if (rdev->family == CHIP_PALM) { +- rdev->asic->copy = NULL; +- radeon_ttm_set_active_vram_size(rdev, rdev->mc.visible_vram_size); +- } + + /* allocate wb buffer */ + r = radeon_wb_init(rdev); +--- a/drivers/gpu/drm/radeon/evergreend.h ++++ b/drivers/gpu/drm/radeon/evergreend.h +@@ -221,6 +221,11 @@ + #define MC_VM_MD_L1_TLB0_CNTL 0x2654 + #define MC_VM_MD_L1_TLB1_CNTL 0x2658 + #define MC_VM_MD_L1_TLB2_CNTL 0x265C ++ ++#define FUS_MC_VM_MD_L1_TLB0_CNTL 0x265C ++#define FUS_MC_VM_MD_L1_TLB1_CNTL 0x2660 ++#define FUS_MC_VM_MD_L1_TLB2_CNTL 0x2664 ++ + #define MC_VM_SYSTEM_APERTURE_DEFAULT_ADDR 0x203C + #define MC_VM_SYSTEM_APERTURE_HIGH_ADDR 0x2038 + #define MC_VM_SYSTEM_APERTURE_LOW_ADDR 0x2034 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -205,6 +205,9 @@ int radeon_info_ioctl(struct drm_device + /* return clock value in KHz */ + value = rdev->clock.spll.reference_freq * 10; + break; ++ case RADEON_INFO_FUSION_GART_WORKING: ++ value = 1; ++ break; + default: + DRM_DEBUG_KMS("Invalid request %d\n", info->request); + return -EINVAL; +--- a/include/drm/radeon_drm.h ++++ b/include/drm/radeon_drm.h +@@ -908,6 +908,7 @@ struct drm_radeon_cs { + #define RADEON_INFO_WANT_HYPERZ 0x07 + #define RADEON_INFO_WANT_CMASK 0x08 /* get access to CMASK on r300 */ + #define RADEON_INFO_CLOCK_CRYSTAL_FREQ 0x09 /* clock crystal frequency */ ++#define RADEON_INFO_FUSION_GART_WORKING 0x0c /* fusion writes to GTT were broken before this */ + + struct drm_radeon_info { + uint32_t request; 
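Review bot: The new `FUS_MC_VM_MD_L1_TLB*_CNTL` defines in evergreend.h have no comment, and `FUS_MC_VM_MD_L1_TLB0_CNTL` has the same value (0x265C) as the existing `MC_VM_MD_L1_TLB2_CNTL`, which reads like a typo to anyone who has not seen the commit description. I would add above the block `/* Fusion (IGP) parts: the MD L1 TLB control registers sit at different offsets */`. In radeon_drm.h the new `RADEON_INFO_FUSION_GART_WORKING` is 0x0c directly after 0x09. If 0x0a and 0x0b are skipped to stay in step with mainline numbering, as I assume, a short comment there would stop a later backport from reusing them.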
diff --git a/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch b/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch new file mode 100644 index 0000000000..18105b29d2 --- /dev/null +++ b/queue-2.6.38/hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch 
@@ -0,0 +1,81 @@ +From 925f83c085e1bb08435556c5b4844a60de002e31 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker <fweisbec@gmail.com> +Date: Fri, 6 May 2011 01:53:18 +0200 +Subject: hw_breakpoints, powerpc: Fix CONFIG_HAVE_HW_BREAKPOINT off-case in ptrace_set_debugreg() + +From: Frederic Weisbecker <fweisbec@gmail.com> + +commit 925f83c085e1bb08435556c5b4844a60de002e31 upstream. + +We make use of ptrace_get_breakpoints() / ptrace_put_breakpoints() to +protect ptrace_set_debugreg() even if CONFIG_HAVE_HW_BREAKPOINT if off. +However in this case, these APIs are not implemented. + +To fix this, push the protection down inside the relevant ifdef. +Best would be to export the code inside +CONFIG_HAVE_HW_BREAKPOINT into a standalone function to cleanup +the ifdefury there and call the breakpoint ref API inside. But +as it is more invasive, this should be rather made in an -rc1. + +Fixes this build error: + + arch/powerpc/kernel/ptrace.c:1594: error: implicit declaration of function 'ptrace_get_breakpoints' make[2]: *** + +Reported-by: Ingo Molnar <mingo@elte.hu> +Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> +Cc: LPPC <linuxppc-dev@lists.ozlabs.org> +Cc: Prasad <prasad@linux.vnet.ibm.com> +Link: http://lkml.kernel.org/r/1304639598-4707-1-git-send-email-fweisbec@gmail.com +Signed-off-by: Ingo Molnar <mingo@elte.hu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/powerpc/kernel/ptrace.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +--- a/arch/powerpc/kernel/ptrace.c ++++ b/arch/powerpc/kernel/ptrace.c +@@ -924,12 +924,16 @@ int ptrace_set_debugreg(struct task_stru + if (data && !(data & DABR_TRANSLATION)) + return -EIO; + #ifdef CONFIG_HAVE_HW_BREAKPOINT ++ if (ptrace_get_breakpoints(task) < 0) ++ return -ESRCH; ++ + bp = thread->ptrace_bps[0]; + if ((!data) || !(data & (DABR_DATA_WRITE | DABR_DATA_READ))) { + if (bp) { + unregister_hw_breakpoint(bp); + thread->ptrace_bps[0] = NULL; + } ++ 
ptrace_put_breakpoints(task); + return 0; + } + if (bp) { +@@ -939,9 +943,12 @@ int ptrace_set_debugreg(struct task_stru + (DABR_DATA_WRITE | DABR_DATA_READ), + &attr.bp_type); + ret = modify_user_hw_breakpoint(bp, &attr); +- if (ret) ++ if (ret) { ++ ptrace_put_breakpoints(task); + return ret; ++ } + thread->ptrace_bps[0] = bp; ++ ptrace_put_breakpoints(task); + thread->dabr = data; + return 0; + } +@@ -956,9 +963,12 @@ int ptrace_set_debugreg(struct task_stru + ptrace_triggered, task); + if (IS_ERR(bp)) { + thread->ptrace_bps[0] = NULL; ++ ptrace_put_breakpoints(task); + return PTR_ERR(bp); + } + ++ ptrace_put_breakpoints(task); ++ + #endif /* CONFIG_HAVE_HW_BREAKPOINT */ + + /* Move contents to the DABR register */ diff --git a/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch b/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch new file mode 100644 index 0000000000..b331fd5578 --- /dev/null +++ b/queue-2.6.38/iwlwifi-add-ack-plpc-_check-module-parameters.patch 
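Review bot: In `ptrace_set_debugreg()` the reference from `ptrace_get_breakpoints(task)` is dropped by hand on each of five exit paths inside the `#ifdef`, so any return added later can silently leak it. The x86 patch in this same queue routes its exits through a single label instead. I would do the same here with something like `put: ptrace_put_breakpoints(task); return ret;`, setting `ret` before each `goto put`. The function begins and ends outside these hunks, so the exact shape depends on how the non-breakpoint tail after `#endif` should be reached.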
@@ -0,0 +1,90 @@ +From sgruszka@redhat.com Mon May 9 16:34:59 2011 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Mon, 9 May 2011 21:27:30 +0200 +Subject: iwlwifi: add {ack, plpc}_check module parameters +To: kernel@lists.fedoraproject.org, stable@kernel.org +Cc: Kyle McMartin <kmcmartin@redhat.com>, Stanislaw Gruszka <sgruszka@redhat.com> +Message-ID: <1304969250-27725-1-git-send-email-sgruszka@redhat.com> + +From: Stanislaw Gruszka <sgruszka@redhat.com> + +commit b7977ffaab5187ad75edaf04ac854615cea93828 upstream. + +Add module ack_check, and plcp_check parameters. Ack_check is disabled +by default since is proved that check ack health can cause troubles. +Plcp_check is enabled by default. + +This prevent connection hangs with "low ack count detected" messages. + +Resolves: +https://bugzilla.redhat.com/show_bug.cgi?id=666646 + +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/net/wireless/iwlwifi/iwl-agn-lib.c | 1 + + drivers/net/wireless/iwlwifi/iwl-agn.c | 6 ++++++ + drivers/net/wireless/iwlwifi/iwl-core.h | 2 ++ + drivers/net/wireless/iwlwifi/iwl-rx.c | 8 ++++++-- + 4 files changed, 15 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/iwl-agn-lib.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn-lib.c +@@ -604,6 +604,7 @@ const u8 *iwlagn_eeprom_query_addr(const + struct iwl_mod_params iwlagn_mod_params = { + .amsdu_size_8K = 1, + .restart_fw = 1, ++ .plcp_check = true, + /* the rest are 0 by default */ + }; + +--- a/drivers/net/wireless/iwlwifi/iwl-agn.c ++++ b/drivers/net/wireless/iwlwifi/iwl-agn.c +@@ -4586,3 +4586,9 @@ MODULE_PARM_DESC(antenna_coupling, + module_param_named(bt_ch_inhibition, iwlagn_bt_ch_announce, bool, S_IRUGO); + MODULE_PARM_DESC(bt_ch_inhibition, + "Disable BT channel inhibition (default: enable)"); ++ ++module_param_named(plcp_check, iwlagn_mod_params.plcp_check, bool, S_IRUGO); ++MODULE_PARM_DESC(plcp_check, "Check plcp health (default: 1 
[enabled])"); ++ ++module_param_named(ack_check, iwlagn_mod_params.ack_check, bool, S_IRUGO); ++MODULE_PARM_DESC(ack_check, "Check ack health (default: 0 [disabled])"); +--- a/drivers/net/wireless/iwlwifi/iwl-core.h ++++ b/drivers/net/wireless/iwlwifi/iwl-core.h +@@ -263,6 +263,8 @@ struct iwl_mod_params { + int amsdu_size_8K; /* def: 1 = enable 8K amsdu size */ + int antenna; /* def: 0 = both antennas (use diversity) */ + int restart_fw; /* def: 1 = restart firmware */ ++ bool plcp_check; /* def: true = enable plcp health check */ ++ bool ack_check; /* def: false = disable ack health check */ + }; + + /* +--- a/drivers/net/wireless/iwlwifi/iwl-rx.c ++++ b/drivers/net/wireless/iwlwifi/iwl-rx.c +@@ -234,10 +234,13 @@ EXPORT_SYMBOL(iwl_rx_spectrum_measure_no + void iwl_recover_from_statistics(struct iwl_priv *priv, + struct iwl_rx_packet *pkt) + { ++ const struct iwl_mod_params *mod_params = priv->cfg->mod_params; ++ + if (test_bit(STATUS_EXIT_PENDING, &priv->status)) + return; + if (iwl_is_any_associated(priv)) { +- if (priv->cfg->ops->lib->check_ack_health) { ++ if (mod_params->ack_check && ++ priv->cfg->ops->lib->check_ack_health) { + if (!priv->cfg->ops->lib->check_ack_health( + priv, pkt)) { + /* +@@ -250,7 +253,8 @@ void iwl_recover_from_statistics(struct + return; + } + } +- if (priv->cfg->ops->lib->check_plcp_health) { ++ if (mod_params->plcp_check && ++ priv->cfg->ops->lib->check_plcp_health) { + if (!priv->cfg->ops->lib->check_plcp_health( + priv, pkt)) { + /* diff --git a/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch b/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch new file mode 100644 index 0000000000..d9be76b06f --- /dev/null +++ b/queue-2.6.38/ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch 
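Review bot: `plcp_check` is added to the shared `struct iwl_mod_params` in iwl-core.h, but only `iwlagn_mod_params` sets it to true. Any other instance of the struct reachable through `priv->cfg->mod_params` is zero-initialised, so the PLCP health check is silently switched off for it even though the parameter text says it defaults to enabled. Whether such an instance exists is not visible in these hunks, so every `mod_params` definition that shares iwl-rx.c should be checked. `iwl_recover_from_statistics()` also now dereferences `priv->cfg->mod_params` unconditionally, so a cfg without one would oops; if that is impossible, a comment saying so would help, for example `/* every cfg provides mod_params */`.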
@@ -0,0 +1,121 @@ +From bf26c018490c2fce7fe9b629083b96ce0e6ad019 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker <fweisbec@gmail.com> +Date: Thu, 7 Apr 2011 16:53:20 +0200 +Subject: ptrace: Prepare to fix racy accesses on task breakpoints + +From: Frederic Weisbecker <fweisbec@gmail.com> + +commit bf26c018490c2fce7fe9b629083b96ce0e6ad019 upstream. + +When a task is traced and is in a stopped state, the tracer +may execute a ptrace request to examine the tracee state and +get its task struct. Right after, the tracee can be killed +and thus its breakpoints released. +This can happen concurrently when the tracer is in the middle +of reading or modifying these breakpoints, leading to dereferencing +a freed pointer. + +Hence, to prepare the fix, create a generic breakpoint reference +holding API. When a reference on the breakpoints of a task is +held, the breakpoints won't be released until the last reference +is dropped. After that, no more ptrace request on the task's +breakpoints can be serviced for the tracer. 
+ +Reported-by: Oleg Nesterov <oleg@redhat.com> +Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com> +Cc: Ingo Molnar <mingo@elte.hu> +Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> +Cc: Will Deacon <will.deacon@arm.com> +Cc: Prasad <prasad@linux.vnet.ibm.com> +Cc: Paul Mundt <lethal@linux-sh.org> +Link: http://lkml.kernel.org/r/1302284067-7860-2-git-send-email-fweisbec@gmail.com +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/linux/ptrace.h | 13 ++++++++++++- + include/linux/sched.h | 3 +++ + kernel/exit.c | 2 +- + kernel/ptrace.c | 17 +++++++++++++++++ + 4 files changed, 33 insertions(+), 2 deletions(-) + +--- a/include/linux/ptrace.h ++++ b/include/linux/ptrace.h +@@ -189,6 +189,10 @@ static inline void ptrace_init_task(stru + child->ptrace = current->ptrace; + __ptrace_link(child, current->parent); + } ++ ++#ifdef CONFIG_HAVE_HW_BREAKPOINT ++ atomic_set(&child->ptrace_bp_refcnt, 1); ++#endif + } + + /** +@@ -350,6 +354,13 @@ extern int task_current_syscall(struct t + unsigned long args[6], unsigned int maxargs, + unsigned long *sp, unsigned long *pc); + +-#endif ++#ifdef CONFIG_HAVE_HW_BREAKPOINT ++extern int ptrace_get_breakpoints(struct task_struct *tsk); ++extern void ptrace_put_breakpoints(struct task_struct *tsk); ++#else ++static inline void ptrace_put_breakpoints(struct task_struct *tsk) { } ++#endif /* CONFIG_HAVE_HW_BREAKPOINT */ ++ ++#endif /* __KERNEL */ + + #endif +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1531,6 +1531,9 @@ struct task_struct { + unsigned long memsw_bytes; /* uncharged mem+swap usage */ + } memcg_batch; + #endif ++#ifdef CONFIG_HAVE_HW_BREAKPOINT ++ atomic_t ptrace_bp_refcnt; ++#endif + }; + + /* Future-safe accessor for struct task_struct's cpus_allowed. 
*/ +--- a/kernel/exit.c ++++ b/kernel/exit.c +@@ -1015,7 +1015,7 @@ NORET_TYPE void do_exit(long code) + /* + * FIXME: do that only when needed, using sched_exit tracepoint + */ +- flush_ptrace_hw_breakpoint(tsk); ++ ptrace_put_breakpoints(tsk); + + exit_notify(tsk, group_dead); + #ifdef CONFIG_NUMA +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -22,6 +22,7 @@ + #include <linux/syscalls.h> + #include <linux/uaccess.h> + #include <linux/regset.h> ++#include <linux/hw_breakpoint.h> + + + /* +@@ -876,3 +877,19 @@ asmlinkage long compat_sys_ptrace(compat + return ret; + } + #endif /* CONFIG_COMPAT */ ++ ++#ifdef CONFIG_HAVE_HW_BREAKPOINT ++int ptrace_get_breakpoints(struct task_struct *tsk) ++{ ++ if (atomic_inc_not_zero(&tsk->ptrace_bp_refcnt)) ++ return 0; ++ ++ return -1; ++} ++ ++void ptrace_put_breakpoints(struct task_struct *tsk) ++{ ++ if (atomic_dec_and_test(&tsk->ptrace_bp_refcnt)) ++ flush_ptrace_hw_breakpoint(tsk); ++} ++#endif /* CONFIG_HAVE_HW_BREAKPOINT */ diff --git a/queue-2.6.38/series b/queue-2.6.38/series new file mode 100644 index 0000000000..263dcd98d4 --- /dev/null +++ b/queue-2.6.38/series @@ -0,0 +1,13 @@ +cifs-change-bleft-in-decode_unicode_ssetup-back-to-signed-type.patch +cifs-check-for-bytes_remaining-going-to-zero-in-cifs_sesssetup.patch +cifs-sanitize-length-checking-in-coalesce_t2-try-3.patch +cifs-refactor-mid-finding-loop-in-cifs_demultiplex_thread.patch +cifs-handle-errors-from-coalesce_t2.patch +validate-size-of-efi-guid-partition-entries.patch +drm-radeon-kms-add-pci-id-to-acer-travelmate-quirk-for-5730.patch +thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch +x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch +ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch +hw_breakpoints-powerpc-fix-config_have_hw_breakpoint-off-case-in-ptrace_set_debugreg.patch +iwlwifi-add-ack-plpc-_check-module-parameters.patch +drm-radeon-kms-fix-gart-setup-on-fusion-parts-v2-backport.patch 
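Review bot: include/linux/ptrace.h gets an `#else` stub for `ptrace_put_breakpoints()` but none for `ptrace_get_breakpoints()`, so any caller outside `CONFIG_HAVE_HW_BREAKPOINT` fails to build. That is the implicit-declaration error the powerpc patch in this queue works around. If such callers are meant to be allowed, add a stub such as `static inline int ptrace_get_breakpoints(struct task_struct *tsk) { return 0; }`; otherwise add a comment stating that get must only be called under the ifdef. `ptrace_get_breakpoints()` returns a bare `-1` that every caller turns into `-ESRCH`, and returning the errno directly would remove that step. The added `#endif /* __KERNEL */` comment should presumably read `__KERNEL__`.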
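Review bot: The series file lists x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch before ptrace-prepare-to-fix-racy-accesses-on-task-breakpoints.patch, although the x86 patch calls `ptrace_get_breakpoints()` and `ptrace_put_breakpoints()`, which the prepare patch introduces. With the whole queue applied the result is the same, but the tree would not build at the intermediate step, which hurts bisection of the stable release. Swapping the two lines keeps every step buildable.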
diff --git a/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch b/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch new file mode 100644 index 0000000000..f20df7e1ec --- /dev/null +++ b/queue-2.6.38/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch @@ -0,0 +1,45 @@ +From 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a Mon Sep 17 00:00:00 2001 +From: Manoj Iyer <manoj.iyer@canonical.com> +Date: Sun, 8 May 2011 18:04:29 -0400 +Subject: thinkpad-acpi: module autoloading for newer Lenovo ThinkPads. + +From: Manoj Iyer <manoj.iyer@canonical.com> + +commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream. + +The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead +of IBM0068. Added new HID so that thinkpad_acpi module will +auto load on these newer Lenovo ThinkPads. + +Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> +Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com> +Signed-off-by: Andy Lutomirski <luto@mit.edu> +Signed-off-by: Matthew Garrett <mjg@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/platform/x86/thinkpad_acpi.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -128,7 +128,8 @@ enum { + }; + + /* ACPI HIDs */ +-#define TPACPI_ACPI_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_IBM_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_LENOVO_HKEY_HID "LEN0068" + #define TPACPI_ACPI_EC_HID "PNP0C09" + + /* Input IDs */ +@@ -3879,7 +3880,8 @@ errexit: + } + + static const struct acpi_device_id ibm_htk_device_ids[] = { +- {TPACPI_ACPI_HKEY_HID, 0}, ++ {TPACPI_ACPI_IBM_HKEY_HID, 0}, ++ {TPACPI_ACPI_LENOVO_HKEY_HID, 0}, + {"", 0}, + }; + diff --git a/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch b/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch new file mode 100644 index 0000000000..033888f82c --- /dev/null 
+++ b/queue-2.6.38/validate-size-of-efi-guid-partition-entries.patch @@ -0,0 +1,34 @@ +From fa039d5f6b126fbd65eefa05db2f67e44df8f121 Mon Sep 17 00:00:00 2001 +From: Timo Warns <Warns@pre-sense.de> +Date: Fri, 6 May 2011 13:47:35 +0200 +Subject: Validate size of EFI GUID partition entries. + +From: Timo Warns <Warns@pre-sense.de> + +commit fa039d5f6b126fbd65eefa05db2f67e44df8f121 upstream. + +Otherwise corrupted EFI partition tables can cause total confusion. + +Signed-off-by: Timo Warns <warns@pre-sense.de> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/partitions/efi.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/fs/partitions/efi.c ++++ b/fs/partitions/efi.c +@@ -348,6 +348,12 @@ static int is_gpt_valid(struct parsed_pa + goto fail; + } + ++ /* Check that sizeof_partition_entry has the correct value */ ++ if (le32_to_cpu((*gpt)->sizeof_partition_entry) != sizeof(gpt_entry)) { ++ pr_debug("GUID Partitition Entry Size check failed.\n"); ++ goto fail; ++ } ++ + if (!(*ptes = alloc_read_gpt_entries(state, *gpt))) + goto fail; + diff --git a/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch b/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch new file mode 100644 index 0000000000..fb1ba4fa11 --- /dev/null +++ b/queue-2.6.38/x86-hw_breakpoints-fix-racy-access-to-ptrace-breakpoints.patch 
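Review bot: The new check in `is_gpt_valid()` validates only `sizeof_partition_entry`. The entry count that `alloc_read_gpt_entries()` presumably combines with it on the next line is not bounded anywhere in this hunk, so a corrupted table could still request an oversized read if that helper does not check the product itself. Its body is not visible here, so this needs confirming before relying on the check alone. The debug string has a typo and should read `pr_debug("GUID Partition Entry Size check failed.\n");`.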
@@ -0,0 +1,115 @@
+From 87dc669ba25777b67796d7262c569429e58b1ed4 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker <fweisbec@gmail.com>
+Date: Fri, 8 Apr 2011 17:29:36 +0200
+Subject: x86, hw_breakpoints: Fix racy access to ptrace breakpoints
+
+From: Frederic Weisbecker <fweisbec@gmail.com>
+
+commit 87dc669ba25777b67796d7262c569429e58b1ed4 upstream.
+
+While the tracer accesses ptrace breakpoints, the child task may
+concurrently exit due to a SIGKILL and thus release its breakpoints
+at the same time. We can then dereference some freed pointers.
+
+To fix this, hold a reference on the child breakpoints before
+manipulating them.
+
+Reported-by: Oleg Nesterov <oleg@redhat.com>
+Signed-off-by: Frederic Weisbecker <fweisbec@gmail.com>
+Cc: Ingo Molnar <mingo@elte.hu>
+Cc: Peter Zijlstra <a.p.zijlstra@chello.nl>
+Cc: Will Deacon <will.deacon@arm.com>
+Cc: Prasad <prasad@linux.vnet.ibm.com>
+Cc: Paul Mundt <lethal@linux-sh.org>
+Link: http://lkml.kernel.org/r/1302284067-7860-3-git-send-email-fweisbec@gmail.com
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/ptrace.c | 36 ++++++++++++++++++++++++++----------
+ 1 file changed, 26 insertions(+), 10 deletions(-)
+
+--- a/arch/x86/kernel/ptrace.c
++++ b/arch/x86/kernel/ptrace.c
+@@ -608,6 +608,9 @@ static int ptrace_write_dr7(struct task_
+ unsigned len, type;
+ struct perf_event *bp;
+
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
++
+ data &= ~DR_CONTROL_RESERVED;
+ old_dr7 = ptrace_get_dr7(thread->ptrace_bps);
+ restore:
+@@ -655,6 +658,9 @@ restore:
+ }
+ goto restore;
+ }
++
++ ptrace_put_breakpoints(tsk);
++
+ return ((orig_ret < 0) ? orig_ret : rc);
+ }
+
+@@ -668,10 +674,17 @@ static unsigned long ptrace_get_debugreg
+
+ if (n < HBP_NUM) {
+ struct perf_event *bp;
++
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
++
+ bp = thread->ptrace_bps[n];
+ if (!bp)
+- return 0;
+- val = bp->hw.info.address;
++ val = 0;
++ else
++ val = bp->hw.info.address;
++
++ ptrace_put_breakpoints(tsk);
+ } else if (n == 6) {
+ val = thread->debugreg6;
+ } else if (n == 7) {
+@@ -686,6 +699,10 @@ static int ptrace_set_breakpoint_addr(st
+ struct perf_event *bp;
+ struct thread_struct *t = &tsk->thread;
+ struct perf_event_attr attr;
++ int err = 0;
++
++ if (ptrace_get_breakpoints(tsk) < 0)
++ return -ESRCH;
+
+ if (!t->ptrace_bps[nr]) {
+ ptrace_breakpoint_init(&attr);
+@@ -709,24 +726,23 @@ static int ptrace_set_breakpoint_addr(st
+ * writing for the user. And anyway this is the previous
+ * behaviour.
+ */
+- if (IS_ERR(bp))
+- return PTR_ERR(bp);
++ if (IS_ERR(bp)) {
++ err = PTR_ERR(bp);
++ goto put;
++ }
+
+ t->ptrace_bps[nr] = bp;
+ } else {
+- int err;
+-
+ bp = t->ptrace_bps[nr];
+
+ attr = bp->attr;
+ attr.bp_addr = addr;
+ err = modify_user_hw_breakpoint(bp, &attr);
+- if (err)
+- return err;
+ }
+
+-
+- return 0;
++put:
++ ptrace_put_breakpoints(tsk);
++ return err;
+ }
+
+ /* |
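Review bot: In the ptrace_get_debugreg hunk the new `return -ESRCH;` sits in a function declared `static unsigned long`, so the errno is converted to a large unsigned value and comes back through the same channel as a breakpoint address. Unless every caller knows this convention, an exiting tracee is indistinguishable from a real register value; at minimum I would document it at the check with `/* -ESRCH is returned in-band; callers must not treat it as an address */`. The callers are outside the hunk, so how the value is consumed cannot be confirmed from here. In ptrace_write_dr7 the get and the put arrive in two separate hunks and the code between them is not shown, so it is worth confirming that no path returns without reaching `ptrace_put_breakpoints(tsk)`.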