--- /dev/null
+From 1da80cfa8727abf404fcee44d04743febea54069 Mon Sep 17 00:00:00 2001
+From: Ilija Hadzic <ihadzic@research.bell-labs.com>
+Date: Wed, 23 Jan 2013 13:59:05 -0500
+Subject: drm/radeon: fix a rare case of double kfree
+
+From: Ilija Hadzic <ihadzic@research.bell-labs.com>
+
+commit 1da80cfa8727abf404fcee44d04743febea54069 upstream.
+
+If one (but not both) allocations of p->chunks[].kpage[]
+in radeon_cs_parser_init fail, the error path will free
+the successfully allocated page, but leave a stale pointer
+value in the kpage[] field. This will later cause a
+double-free when radeon_cs_parser_fini is called.
+This patch fixes the issue by forcing both pointers to NULL
+after kfree in the error path.
+
+The circumstances under which the problem happens are very
+rare. The card must be AGP and the system must run out of
+kmalloc area just at the right time so that one allocation
+succeeds, while the other fails.
+
+Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
+Cc: Herton Ronaldo Krzesinski <herton.krzesinski@canonical.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_cs.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/drivers/gpu/drm/radeon/radeon_cs.c
++++ b/drivers/gpu/drm/radeon/radeon_cs.c
+@@ -273,6 +273,8 @@ int radeon_cs_parser_init(struct radeon_
+ p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
+ kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
+ kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
++ p->chunks[p->chunk_ib_idx].kpage[0] = NULL;
++ p->chunks[p->chunk_ib_idx].kpage[1] = NULL;
+ return -ENOMEM;
+ }
+ }
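Review bot: The two NULL stores added after the kfree() calls are needed only because a later cleanup pass frees kpage[] again, and nothing at the site says so. A short comment above them, for example `/* radeon_cs_parser_fini() kfree()s kpage[] again; clear both to avoid a double free */`, would keep a future cleanup from dropping them as redundant. The commit message names radeon_cs_parser_fini as the second free site; that function and the rest of radeon_cs_parser_init are outside the hunk.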
--- /dev/null
+From 25d8999780f8c1f53928f4a24a09c01550423109 Mon Sep 17 00:00:00 2001
+From: Ilija Hadzic <ihadzic@research.bell-labs.com>
+Date: Mon, 7 Jan 2013 18:21:59 -0500
+Subject: drm/radeon: fix error path in kpage allocation
+
+From: Ilija Hadzic <ihadzic@research.bell-labs.com>
+
+commit 25d8999780f8c1f53928f4a24a09c01550423109 upstream.
+
+Index into chunks[] array doesn't look right.
+
+Signed-off-by: Ilija Hadzic <ihadzic@research.bell-labs.com>
+Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ drivers/gpu/drm/radeon/radeon_cs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/gpu/drm/radeon/radeon_cs.c
++++ b/drivers/gpu/drm/radeon/radeon_cs.c
+@@ -271,8 +271,8 @@ int radeon_cs_parser_init(struct radeon_
+ p->chunks[p->chunk_ib_idx].kpage[1] = kmalloc(PAGE_SIZE, GFP_KERNEL);
+ if (p->chunks[p->chunk_ib_idx].kpage[0] == NULL ||
+ p->chunks[p->chunk_ib_idx].kpage[1] == NULL) {
+- kfree(p->chunks[i].kpage[0]);
+- kfree(p->chunks[i].kpage[1]);
++ kfree(p->chunks[p->chunk_ib_idx].kpage[0]);
++ kfree(p->chunks[p->chunk_ib_idx].kpage[1]);
+ return -ENOMEM;
+ }
+ }
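Review bot: After the corrected kfree() calls, both kpage[] slots of the chunk_ib_idx chunk still hold the freed addresses when the function returns -ENOMEM. Taken alone, this patch therefore leaves dangling pointers for any later cleanup that frees kpage[] again. The queue also carries "drm/radeon: fix a rare case of double kfree", which stores NULL into both slots. The two should stay together and in this order, because that patch's context lines are the `kfree(p->chunks[p->chunk_ib_idx].kpage[0]);` lines introduced here.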
--- /dev/null
+From 49f8a1a5394d8baee5e56fb71e5cf993c228689a Mon Sep 17 00:00:00 2001
+From: Alex Williamson <alex.williamson@redhat.com>
+Date: Thu, 6 Dec 2012 14:44:59 -0700
+Subject: kvm: Fix irqfd resampler list walk
+
+From: Alex Williamson <alex.williamson@redhat.com>
+
+commit 49f8a1a5394d8baee5e56fb71e5cf993c228689a upstream.
+
+Typo for the next pointer means we're walking random data here.
+
+Signed-off-by: Alex Williamson <alex.williamson@redhat.com>
+Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ virt/kvm/eventfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/virt/kvm/eventfd.c
++++ b/virt/kvm/eventfd.c
+@@ -332,7 +332,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct
+ mutex_lock(&kvm->irqfds.resampler_lock);
+
+ list_for_each_entry(resampler,
+- &kvm->irqfds.resampler_list, list) {
++ &kvm->irqfds.resampler_list, link) {
+ if (resampler->notifier.gsi == irqfd->gsi) {
+ irqfd->resampler = resampler;
+ break;
--- /dev/null
+From c6f408996c625cb950cad024f90e50519f94713c Mon Sep 17 00:00:00 2001
+From: Mukund Jampala <jbmukund@gmail.com>
+Date: Sun, 16 Dec 2012 19:25:58 +0100
+Subject: netfilter: ip[6]t_REJECT: fix wrong transport header pointer in TCP reset
+
+From: Mukund Jampala <jbmukund@gmail.com>
+
+commit c6f408996c625cb950cad024f90e50519f94713c upstream.
+
+The problem occurs when iptables constructs the tcp reset packet.
+It doesn't initialize the pointer to the tcp header within the skb.
+When the skb is passed to the ixgbe driver for transmit, the ixgbe
+driver attempts to access the tcp header and crashes.
+Currently, other drivers (such as our 1G e1000e or igb drivers) don't
+access the tcp header on transmit unless the TSO option is turned on.
+
+<1>BUG: unable to handle kernel NULL pointer dereference at 0000000d
+<1>IP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
+<4>*pdpt = 0000000085e5d001 *pde = 0000000000000000
+<0>Oops: 0000 [#1] SMP
+[...]
+<4>Pid: 0, comm: swapper Tainted: P 2.6.35.12 #1 Greencity/Thurley
+<4>EIP: 0060:[<d081621c>] EFLAGS: 00010246 CPU: 16
+<4>EIP is at ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe]
+<4>EAX: c7628820 EBX: 00000007 ECX: 00000000 EDX: 00000000
+<4>ESI: 00000008 EDI: c6882180 EBP: dfc6b000 ESP: ced95c48
+<4> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068
+<0>Process swapper (pid: 0, ti=ced94000 task=ced73bd0 task.ti=ced94000)
+<0>Stack:
+<4> cbec7418 c779e0d8 c77cc888 c77cc8a8 0903010a 00000000 c77c0008 00000002
+<4><0> cd4997c0 00000010 dfc6b000 00000000 d0d176c9 c77cc8d8 c6882180 cbec7318
+<4><0> 00000004 00000004 cbec7230 cbec7110 00000000 cbec70c0 c779e000 00000002
+<0>Call Trace:
+<4> [<d0d176c9>] ? 0xd0d176c9
+<4> [<d0d18a4d>] ? 0xd0d18a4d
+<4> [<411e243e>] ? dev_hard_start_xmit+0x218/0x2d7
+<4> [<411f03d7>] ? sch_direct_xmit+0x4b/0x114
+<4> [<411f056a>] ? __qdisc_run+0xca/0xe0
+<4> [<411e28b0>] ? dev_queue_xmit+0x2d1/0x3d0
+<4> [<411e8120>] ? neigh_resolve_output+0x1c5/0x20f
+<4> [<411e94a1>] ? neigh_update+0x29c/0x330
+<4> [<4121cf29>] ? arp_process+0x49c/0x4cd
+<4> [<411f80c9>] ? nf_hook_slow+0x3f/0xac
+<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
+<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
+<4> [<4121c6d5>] ? T.901+0x38/0x3b
+<4> [<4121c918>] ? arp_rcv+0xa3/0xb4
+<4> [<4121ca8d>] ? arp_process+0x0/0x4cd
+<4> [<411e1173>] ? __netif_receive_skb+0x32b/0x346
+<4> [<411e19e1>] ? netif_receive_skb+0x5a/0x5f
+<4> [<411e1ea9>] ? napi_skb_finish+0x1b/0x30
+<4> [<d0816eb4>] ? ixgbe_xmit_frame_ring+0x1564/0x2260 [ixgbe]
+<4> [<41013468>] ? lapic_next_event+0x13/0x16
+<4> [<410429b2>] ? clockevents_program_event+0xd2/0xe4
+<4> [<411e1b03>] ? net_rx_action+0x55/0x127
+<4> [<4102da1a>] ? __do_softirq+0x77/0xeb
+<4> [<4102dab1>] ? do_softirq+0x23/0x27
+<4> [<41003a67>] ? do_IRQ+0x7d/0x8e
+<4> [<41002a69>] ? common_interrupt+0x29/0x30
+<4> [<41007bcf>] ? mwait_idle+0x48/0x4d
+<4> [<4100193b>] ? cpu_idle+0x37/0x4c
+<0>Code: df 09 d7 0f 94 c2 0f b6 d2 e9 e7 fb ff ff 31 db 31 c0 e9 38
+ff ff ff 80 78 06 06 0f 85 3e fb ff ff 8b 7c 24 38 8b 8f b8 00 00 00
+<0f> b6 51 0d f6 c2 01 0f 85 27 fb ff ff 80 e2 02 75 0d 8b 6c 24
+<0>EIP: [<d081621c>] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] SS:ESP
+
+Signed-off-by: Mukund Jampala <jbmukund@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv4/netfilter/ipt_REJECT.c | 1 +
+ net/ipv6/netfilter/ip6t_REJECT.c | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/net/ipv4/netfilter/ipt_REJECT.c
++++ b/net/ipv4/netfilter/ipt_REJECT.c
+@@ -81,6 +81,7 @@ static void send_reset(struct sk_buff *o
+ niph->saddr = oiph->daddr;
+ niph->daddr = oiph->saddr;
+
++ skb_reset_transport_header(nskb);
+ tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+ memset(tcph, 0, sizeof(*tcph));
+ tcph->source = oth->dest;
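Review bot: skb_reset_transport_header(nskb) records the current skb->data as the transport header, but the TCP header is written at the address skb_put() returns on the next line, which is the old tail; the two coincide only if nskb held no data yet. The niph stores just above suggest an IP header is already in the buffer, though how it was added is outside the hunk, so it is worth confirming that `tcp_hdr(nskb) == tcph` holds after the skb_put(). If it does not, a driver that reads the TCP header on transmit (as ixgbe does in the trace) would parse IP header bytes instead. If the IP header starts at skb->data, `skb_set_transport_header(nskb, sizeof(struct iphdr));` would set the offset explicitly. The same question applies to the ip6t_REJECT.c hunk, with `sizeof(struct ipv6hdr)`.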
+--- a/net/ipv6/netfilter/ip6t_REJECT.c
++++ b/net/ipv6/netfilter/ip6t_REJECT.c
+@@ -132,6 +132,7 @@ static void send_reset(struct net *net,
+ ip6h->saddr = oip6h->daddr;
+ ip6h->daddr = oip6h->saddr;
+
++ skb_reset_transport_header(nskb);
+ tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr));
+ /* Truncate to length (no data) */
+ tcph->doff = sizeof(struct tcphdr)/4;
--- /dev/null
+From 97cf00e93cc24898493e7a058105e3215257ee04 Mon Sep 17 00:00:00 2001
+From: Haibo Xi <haibbo@gmail.com>
+Date: Thu, 6 Dec 2012 23:42:17 +0000
+Subject: netfilter: nf_ct_reasm: fix conntrack reassembly expire code
+
+From: Haibo Xi <haibbo@gmail.com>
+
+commit 97cf00e93cc24898493e7a058105e3215257ee04 upstream.
+
+Commit b836c99fd6c9 (ipv6: unify conntrack reassembly expire
+code with standard one) use the standard IPv6 reassembly
+code(ip6_expire_frag_queue) to handle conntrack reassembly expire.
+
+In ip6_expire_frag_queue, it invoke dev_get_by_index_rcu to get
+which device received this expired packet.so we must save ifindex
+when NF_conntrack get this packet.
+
+With this patch applied, I can see ICMP Time Exceeded sent
+from the receiver when the sender sent out 1/2 fragmented
+IPv6 packet.
+
+Signed-off-by: Haibo Xi <haibbo@gmail.com>
+Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/ipv6/netfilter/nf_conntrack_reasm.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+--- a/net/ipv6/netfilter/nf_conntrack_reasm.c
++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c
+@@ -311,7 +311,10 @@ found:
+ else
+ fq->q.fragments = skb;
+
+- skb->dev = NULL;
++ if (skb->dev) {
++ fq->iif = skb->dev->ifindex;
++ skb->dev = NULL;
++ }
+ fq->q.stamp = skb->tstamp;
+ fq->q.meat += skb->len;
+ if (payload_len > fq->q.max_size)
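Review bot: The reason fq->iif is captured before skb->dev is cleared is not stated at the site. Per the description, it is the value ip6_expire_frag_queue later passes to dev_get_by_index_rcu, so a comment above `if (skb->dev) {` such as `/* remember ingress ifindex; the expire path looks the device up via fq->iif */` would help. The store also runs for every queued fragment, so fq->iif ends up naming the interface of the most recent fragment that had a device. A fragment arriving with skb->dev == NULL leaves the previous value in place; whether fq->iif is initialised when the queue is created is outside the hunk.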
x86-efi-fix-32-bit-efi-handover-protocol-entry-point.patch
efi-x86-pass-a-proper-identity-mapping-in-efi_call_phys_prelog.patch
x86-efi-set-runtime_version-to-the-efi-spec-revision.patch
+xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch
+drm-radeon-fix-error-path-in-kpage-allocation.patch
+drm-radeon-fix-a-rare-case-of-double-kfree.patch
+kvm-fix-irqfd-resampler-list-walk.patch
+netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch
+netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch
+x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch
--- /dev/null
+From e43b3cec711a61edf047adf6204d542f3a659ef8 Mon Sep 17 00:00:00 2001
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+Date: Sun, 13 Jan 2013 20:56:41 -0800
+Subject: x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI
+
+From: "H. Peter Anvin" <hpa@linux.intel.com>
+
+commit e43b3cec711a61edf047adf6204d542f3a659ef8 upstream.
+
+early_pci_allowed() and read_pci_config_16() are only available if
+CONFIG_PCI is defined.
+
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Cc: Jesse Barnes <jbarnes@virtuousgeek.org>
+Signed-off-by: Abdallah Chatila <abdallah.chatila@ericsson.com>
+
+---
+ arch/x86/kernel/setup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -616,6 +616,7 @@ static unsigned reserve_low = CONFIG_X86
+
+ static bool __init snb_gfx_workaround_needed(void)
+ {
++#ifdef CONFIG_PCI
+ int i;
+ u16 vendor, devid;
+ static const u16 snb_ids[] = {
+@@ -640,6 +641,7 @@ static bool __init snb_gfx_workaround_ne
+ for (i = 0; i < ARRAY_SIZE(snb_ids); i++)
+ if (devid == snb_ids[i])
+ return true;
++#endif
+
+ return false;
+ }
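Review bot: With CONFIG_PCI unset, snb_gfx_workaround_needed() reduces to `return false;`, so the workaround is skipped without any trace in the source of why. The closing `#endif` is added in this hunk while its `#ifdef CONFIG_PCI` sits in the previous one, with the ID table and probe code between them. Tagging it as `#endif /* CONFIG_PCI */` and adding `/* early PCI config access is unavailable without CONFIG_PCI; report "not needed" */` at the `#ifdef` would make the pairing and the fallback explicit.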
--- /dev/null
+From eb178619f930fa2ba2348de332a1ff1c66a31424 Mon Sep 17 00:00:00 2001
+From: Dave Chinner <dchinner@redhat.com>
+Date: Mon, 21 Jan 2013 23:53:52 +1100
+Subject: xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end
+
+From: Dave Chinner <dchinner@redhat.com>
+
+commit eb178619f930fa2ba2348de332a1ff1c66a31424 upstream.
+
+When _xfs_buf_find is passed an out of range address, it will fail
+to find a relevant struct xfs_perag and oops with a null
+dereference. This can happen when trying to walk a filesystem with a
+metadata inode that has a partially corrupted extent map (i.e. the
+block number returned is corrupt, but is otherwise intact) and we
+try to read from the corrupted block address.
+
+In this case, just fail the lookup. If it is readahead being issued,
+it will simply not be done, but if it is real read that fails we
+will get an error being reported. Ideally this case should result
+in an EFSCORRUPTED error being reported, but we cannot return an
+error through xfs_buf_read() or xfs_buf_get() so this lookup failure
+may result in ENOMEM or EIO errors being reported instead.
+
+Signed-off-by: Dave Chinner <dchinner@redhat.com>
+Reviewed-by: Brian Foster <bfoster@redhat.com>
+Reviewed-by: Ben Myers <bpm@sgi.com>
+Signed-off-by: Ben Myers <bpm@sgi.com>
+Cc: CAI Qian <caiqian@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/xfs/xfs_buf.c | 18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/fs/xfs/xfs_buf.c
++++ b/fs/xfs/xfs_buf.c
+@@ -487,6 +487,7 @@ _xfs_buf_find(
+ struct rb_node *parent;
+ xfs_buf_t *bp;
+ xfs_daddr_t blkno = map[0].bm_bn;
++ xfs_daddr_t eofs;
+ int numblks = 0;
+ int i;
+
+@@ -498,6 +499,23 @@ _xfs_buf_find(
+ ASSERT(!(numbytes < (1 << btp->bt_sshift)));
+ ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask));
+
++ /*
++ * Corrupted block numbers can get through to here, unfortunately, so we
++ * have to check that the buffer falls within the filesystem bounds.
++ */
++ eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks);
++ if (blkno >= eofs) {
++ /*
++ * XXX (dgc): we should really be returning EFSCORRUPTED here,
++ * but none of the higher level infrastructure supports
++ * returning a specific error on buffer lookup failures.
++ */
++ xfs_alert(btp->bt_mount,
++ "%s: Block out of range: block 0x%llx, EOFS 0x%llx ",
++ __func__, blkno, eofs);
++ return NULL;
++ }
++
+ /* get tree root */
+ pag = xfs_perag_get(btp->bt_mount,
+ xfs_daddr_to_agno(btp->bt_mount, blkno));
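Review bot: The new bounds check `if (blkno >= eofs) {` rejects only block numbers at or past the end of the filesystem. xfs_daddr_t is a signed 64-bit type, so a corrupted extent map that yields a negative blkno passes the comparison and still reaches the xfs_perag_get() lookup below. Extending the test to `if (blkno < 0 || blkno >= eofs) {` would cover that case. The check also looks only at the first block of the mapping; whether blkno plus the buffer length can run past eofs depends on code outside the hunk. The alert format string has a stray trailing space before its closing quote.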