--- /dev/null
+From 6fd024893911dcb51b4a0aa71971db5ba38f7071 Mon Sep 17 00:00:00 2001
+From: Ben Hutchings <ben@decadent.org.uk>
+Date: Wed, 24 Mar 2010 03:36:31 +0000
+Subject: amd64-agp: Probe unknown AGP devices the right way
+
+From: Ben Hutchings <ben@decadent.org.uk>
+
+commit 6fd024893911dcb51b4a0aa71971db5ba38f7071 upstream.
+
+The current initialisation code probes 'unsupported' AGP devices
+simply by calling its own probe function. It does not lock these
+devices or even check whether another driver is already bound to
+them.
+
+We must use the device core to manage this. So if the specific
+device id table didn't match anything and agp_try_unsupported=1,
+switch the device id table and call driver_attach() again.
+
+Signed-off-by: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Dave Airlie <airlied@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/char/agp/amd64-agp.c | 27 +++++++++++++++------------
+ 1 file changed, 15 insertions(+), 12 deletions(-)
+
+--- a/drivers/char/agp/amd64-agp.c
++++ b/drivers/char/agp/amd64-agp.c
+@@ -491,6 +491,10 @@ static int __devinit agp_amd64_probe(str
+ u8 cap_ptr;
+ int err;
+
++ /* The Highlander principle */
++ if (agp_bridges_found)
++ return -ENODEV;
++
+ cap_ptr = pci_find_capability(pdev, PCI_CAP_ID_AGP);
+ if (!cap_ptr)
+ return -ENODEV;
+@@ -554,6 +558,8 @@ static void __devexit agp_amd64_remove(s
+ amd64_aperture_sizes[bridge->aperture_size_idx].size);
+ agp_remove_bridge(bridge);
+ agp_put_bridge(bridge);
++
++ agp_bridges_found--;
+ }
+
+ #ifdef CONFIG_PM
+@@ -701,6 +707,11 @@ static struct pci_device_id agp_amd64_pc
+
+ MODULE_DEVICE_TABLE(pci, agp_amd64_pci_table);
+
++static DEFINE_PCI_DEVICE_TABLE(agp_amd64_pci_promisc_table) = {
++ { PCI_DEVICE_CLASS(0, 0) },
++ { }
++};
++
+ static struct pci_driver agp_amd64_pci_driver = {
+ .name = "agpgart-amd64",
+ .id_table = agp_amd64_pci_table,
+@@ -725,7 +736,6 @@ int __init agp_amd64_init(void)
+ return err;
+
+ if (agp_bridges_found == 0) {
+- struct pci_dev *dev;
+ if (!agp_try_unsupported && !agp_try_unsupported_boot) {
+ printk(KERN_INFO PFX "No supported AGP bridge found.\n");
+ #ifdef MODULE
+@@ -741,17 +751,10 @@ int __init agp_amd64_init(void)
+ return -ENODEV;
+
+ /* Look for any AGP bridge */
+- dev = NULL;
+- err = -ENODEV;
+- for_each_pci_dev(dev) {
+- if (!pci_find_capability(dev, PCI_CAP_ID_AGP))
+- continue;
+- /* Only one bridge supported right now */
+- if (agp_amd64_probe(dev, NULL) == 0) {
+- err = 0;
+- break;
+- }
+- }
++ agp_amd64_pci_driver.id_table = agp_amd64_pci_promisc_table;
++ err = driver_attach(&agp_amd64_pci_driver.driver);
++ if (err == 0 && agp_bridges_found == 0)
++ err = -ENODEV;
+ }
+ return err;
+ }
--- /dev/null
+From 499031ac8a3df6738f6186ded9da853e8ea18253 Mon Sep 17 00:00:00 2001
+From: Eric Dumazet <eric.dumazet@gmail.com>
+Date: Fri, 2 Jul 2010 10:05:01 +0200
+Subject: netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT
+
+From: Eric Dumazet <eric.dumazet@gmail.com>
+
+commit 499031ac8a3df6738f6186ded9da853e8ea18253 upstream.
+
+We should release dst if dst->error is set.
+
+Bug introduced in 2.6.14 by commit e104411b82f5c
+([XFRM]: Always release dst_entry on error in xfrm_lookup)
+
+Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com>
+Signed-off-by: Patrick McHardy <kaber@trash.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/ipv6/netfilter/ip6t_REJECT.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/net/ipv6/netfilter/ip6t_REJECT.c
++++ b/net/ipv6/netfilter/ip6t_REJECT.c
+@@ -95,9 +95,11 @@ static void send_reset(struct sk_buff *o
+ fl.fl_ip_dport = otcph.source;
+ security_skb_classify_flow(oldskb, &fl);
+ dst = ip6_route_output(&init_net, NULL, &fl);
+- if (dst == NULL)
++ if (dst == NULL || dst->error) {
++ dst_release(dst);
+ return;
+- if (dst->error || xfrm_lookup(&dst, &fl, NULL, 0))
++ }
++ if (xfrm_lookup(&dst, &fl, NULL, 0))
+ return;
+
+ hh_len = (dst->dev->hard_header_len + 15)&~15;
--- /dev/null
+From 8a52da632ceb9d8b776494563df579e87b7b586b Mon Sep 17 00:00:00 2001
+From: Julia Lawall <julia@diku.dk>
+Date: Sat, 15 May 2010 11:46:12 +0200
+Subject: SCSI: aacraid: Eliminate use after free
+
+From: Julia Lawall <julia@diku.dk>
+
+commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream.
+
+The debugging code using the freed structure is moved before the kfree.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+// <smpl>
+@free@
+expression E;
+position p;
+@@
+kfree@p(E)
+
+@@
+expression free.E, subE<=free.E, E1;
+position free.p;
+@@
+
+ kfree@p(E)
+ ...
+(
+ subE = E1
+|
+* E
+)
+// </smpl>
+
+Signed-off-by: Julia Lawall <julia@diku.dk>
+Signed-off-by: James Bottomley <James.Bottomley@suse.de>
+
+---
+ drivers/scsi/aacraid/commctrl.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/aacraid/commctrl.c
++++ b/drivers/scsi/aacraid/commctrl.c
+@@ -645,9 +645,9 @@ static int aac_send_raw_srb(struct aac_d
+ /* Does this really need to be GFP_DMA? */
+ p = kmalloc(usg->sg[i].count,GFP_KERNEL|__GFP_DMA);
+ if(!p) {
+- kfree (usg);
+- dprintk((KERN_DEBUG"aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
++ dprintk((KERN_DEBUG "aacraid: Could not allocate SG buffer - size = %d buffer number %d of %d\n",
+ usg->sg[i].count,i,usg->count));
++ kfree(usg);
+ rcode = -ENOMEM;
+ goto cleanup;
+ }
sky2-enable-rx-tx-in-sky2_phy_reinit.patch
math-emu-correct-test-for-downshifting-fraction-in-_fp_from_int.patch
hostap-protect-against-initialization-interrupt.patch
+netfilter-ip6t_reject-fix-a-dst-leak-in-ipv6-reject.patch
+scsi-aacraid-eliminate-use-after-free.patch
+amd64-agp-probe-unknown-agp-devices-the-right-way.patch
+x86-calgary-increase-max-phb-number.patch
+x86-calgary-limit-the-max-phb-number-to-256.patch
--- /dev/null
+From 499a00e92dd9a75395081f595e681629eb1eebad Mon Sep 17 00:00:00 2001
+From: Darrick J. Wong <djwong@us.ibm.com>
+Date: Thu, 24 Jun 2010 14:26:47 -0700
+Subject: x86, Calgary: Increase max PHB number
+
+From: Darrick J. Wong <djwong@us.ibm.com>
+
+commit 499a00e92dd9a75395081f595e681629eb1eebad upstream.
+
+Newer systems (x3950M2) can have 48 PHBs per chassis and 8
+chassis, so bump the limits up and provide an explanation
+of the requirements for each class.
+
+Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
+Acked-by: Muli Ben-Yehuda <muli@il.ibm.com>
+Cc: Corinna Schultz <cschultz@linux.vnet.ibm.com>
+LKML-Reference: <20100624212647.GI15515@tux1.beaverton.ibm.com>
+[ v2: Fixed build bug, added back PHBS_PER_CALGARY == 4 ]
+Signed-off-by: Ingo Molnar <mingo@elte.hu>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/pci-calgary_64.c | 15 ++++++++++-----
+ 1 file changed, 10 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/pci-calgary_64.c
++++ b/arch/x86/kernel/pci-calgary_64.c
+@@ -102,11 +102,16 @@ int use_calgary __read_mostly = 0;
+ #define PMR_SOFTSTOPFAULT 0x40000000
+ #define PMR_HARDSTOP 0x20000000
+
+-#define MAX_NUM_OF_PHBS 8 /* how many PHBs in total? */
+-#define MAX_NUM_CHASSIS 8 /* max number of chassis */
+-/* MAX_PHB_BUS_NUM is the maximal possible dev->bus->number */
+-#define MAX_PHB_BUS_NUM (MAX_NUM_OF_PHBS * MAX_NUM_CHASSIS * 2)
+-#define PHBS_PER_CALGARY 4
++/*
++ * The maximum PHB bus number.
++ * x3950M2 (rare): 8 chassis, 48 PHBs per chassis = 384
++ * x3950M2: 4 chassis, 48 PHBs per chassis = 192
++ * x3950 (PCIE): 8 chassis, 32 PHBs per chassis = 256
++ * x3950 (PCIX): 8 chassis, 16 PHBs per chassis = 128
++ */
++#define MAX_PHB_BUS_NUM 384
++
++#define PHBS_PER_CALGARY 4
+
+ /* register offsets in Calgary's internal register space */
+ static const unsigned long tar_offsets[] = {
--- /dev/null
+From d596043d71ff0d7b3d0bead19b1d68c55f003093 Mon Sep 17 00:00:00 2001
+From: Darrick J. Wong <djwong@us.ibm.com>
+Date: Wed, 30 Jun 2010 17:45:19 -0700
+Subject: x86, Calgary: Limit the max PHB number to 256
+
+From: Darrick J. Wong <djwong@us.ibm.com>
+
+commit d596043d71ff0d7b3d0bead19b1d68c55f003093 upstream.
+
+The x3950 family can have as many as 256 PCI buses in a single system, so
+change the limits to the maximum. Since there can only be 256 PCI buses in one
+domain, we no longer need the BUG_ON check.
+
+Signed-off-by: Darrick J. Wong <djwong@us.ibm.com>
+LKML-Reference: <20100701004519.GQ15515@tux1.beaverton.ibm.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/pci-calgary_64.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/pci-calgary_64.c
++++ b/arch/x86/kernel/pci-calgary_64.c
+@@ -109,7 +109,7 @@ int use_calgary __read_mostly = 0;
+ * x3950 (PCIE): 8 chassis, 32 PHBs per chassis = 256
+ * x3950 (PCIX): 8 chassis, 16 PHBs per chassis = 128
+ */
+-#define MAX_PHB_BUS_NUM 384
++#define MAX_PHB_BUS_NUM 256
+
+ #define PHBS_PER_CALGARY 4
+
+@@ -1097,8 +1097,6 @@ static int __init calgary_init_one(struc
+ struct iommu_table *tbl;
+ int ret;
+
+- BUG_ON(dev->bus->number >= MAX_PHB_BUS_NUM);
+-
+ bbar = busno_to_bbar(dev->bus->number);
+ ret = calgary_setup_tar(dev, bbar);
+ if (ret)
projects / thirdparty / kernel / stable-queue.git / commitdiff
