From: Greg Kroah-Hartman Date: Fri, 13 Jan 2012 00:40:45 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.1.10~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3f14851e9eec82ae1f491fd1b6dc42e241bcc4b2;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch hid-wiimote-select-input_ff_memless.patch ima-fix-invalid-memory-reference.patch ima-free-duplicate-measurement-memory.patch nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch nfs-retry-mounting-nfsroot.patch nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch pci-fix-pci_exp_type_rc_ec-value.patch pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch ubi-fix-use-after-free-on-error-path.patch x86-pci-amd-factor-out-mmconfig-discovery.patch x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch --- diff --git a/queue-3.0/hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch b/queue-3.0/hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch new file mode 100644 index 00000000000..ec8bba3d564 --- /dev/null +++ b/queue-3.0/hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch @@ -0,0 +1,32 @@ +From e46e927b9b7e8d95526e69322855243882b7e1a3 Mon Sep 17 00:00:00 2001 +From: Chase Douglas +Date: Mon, 7 Nov 2011 11:08:05 -0800 +Subject: HID: bump maximum global item tag report size to 96 bytes + +From: Chase Douglas + +commit e46e927b9b7e8d95526e69322855243882b7e1a3 upstream. + +This allows the latest N-Trig devices to function properly. + +BugLink: https://bugs.launchpad.net/bugs/724831 + +Signed-off-by: Chase Douglas +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -361,7 +361,7 @@ static int hid_parser_global(struct hid_ + + case HID_GLOBAL_ITEM_TAG_REPORT_SIZE: + parser->global.report_size = item_udata(item); +- if (parser->global.report_size > 32) { ++ if (parser->global.report_size > 96) { + dbg_hid("invalid report_size %d\n", + parser->global.report_size); + return -1; diff --git a/queue-3.0/hid-wiimote-select-input_ff_memless.patch b/queue-3.0/hid-wiimote-select-input_ff_memless.patch new file mode 100644 index 00000000000..972692f0eca --- /dev/null +++ b/queue-3.0/hid-wiimote-select-input_ff_memless.patch @@ -0,0 +1,31 @@ +From ef6f41157f3864d9bf42671b2ed66062dcafb72e Mon Sep 17 00:00:00 2001 +From: David Herrmann +Date: Wed, 7 Dec 2011 21:33:59 +0100 +Subject: HID: wiimote: Select INPUT_FF_MEMLESS + +From: David Herrmann + +commit ef6f41157f3864d9bf42671b2ed66062dcafb72e upstream. + +We depend on memless force-feedback support, therefore correctly select the +related config options. + +Reported-by: Randy Dunlap +Signed-off-by: David Herrmann +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/Kconfig | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/hid/Kconfig ++++ b/drivers/hid/Kconfig +@@ -565,6 +565,7 @@ config HID_WACOM_POWER_SUPPLY + bool "Wacom Bluetooth devices power supply status support" + depends on HID_WACOM + select POWER_SUPPLY ++ select INPUT_FF_MEMLESS + ---help--- + Say Y here if you want to enable power supply status monitoring for + Wacom Bluetooth devices. diff --git a/queue-3.0/ima-fix-invalid-memory-reference.patch b/queue-3.0/ima-fix-invalid-memory-reference.patch new file mode 100644 index 00000000000..15cc3b41a74 --- /dev/null +++ b/queue-3.0/ima-fix-invalid-memory-reference.patch @@ -0,0 +1,66 @@ +From 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Mon, 19 Dec 2011 15:57:28 +0100 +Subject: ima: fix invalid memory reference + +From: Roberto Sassu + +commit 7b7e5916aa2f46e57f8bd8cb89c34620ebfda5da upstream. + +Don't free a valid measurement entry on TPM PCR extend failure. + +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_queue.c | 16 +++++++++++----- + 1 file changed, 11 insertions(+), 5 deletions(-) + +--- a/security/integrity/ima/ima_queue.c ++++ b/security/integrity/ima/ima_queue.c +@@ -23,6 +23,8 @@ + #include + #include "ima.h" + ++#define AUDIT_CAUSE_LEN_MAX 32 ++ + LIST_HEAD(ima_measurements); /* list of all measurements */ + + /* key: inode (before secure-hashing a file) */ +@@ -94,7 +96,8 @@ static int ima_pcr_extend(const u8 *hash + + result = tpm_pcr_extend(TPM_ANY_NUM, CONFIG_IMA_MEASURE_PCR_IDX, hash); + if (result != 0) +- pr_err("IMA: Error Communicating to TPM chip\n"); ++ pr_err("IMA: Error Communicating to TPM chip, result: %d\n", ++ result); + return result; + } + +@@ -106,8 +109,9 @@ int ima_add_template_entry(struct ima_te + { + u8 digest[IMA_DIGEST_SIZE]; + const char *audit_cause = "hash_added"; ++ char tpm_audit_cause[AUDIT_CAUSE_LEN_MAX]; + int audit_info = 1; +- int result = 0; ++ int result = 0, tpmresult = 0; + + mutex_lock(&ima_extend_list_mutex); + if (!violation) { +@@ -129,9 +133,11 @@ int ima_add_template_entry(struct ima_te + if (violation) /* invalidate pcr */ + memset(digest, 0xff, sizeof digest); + +- result = ima_pcr_extend(digest); +- if (result != 0) { +- audit_cause = "TPM error"; ++ tpmresult = ima_pcr_extend(digest); ++ if (tpmresult != 0) { ++ snprintf(tpm_audit_cause, AUDIT_CAUSE_LEN_MAX, "TPM_error(%d)", ++ tpmresult); ++ audit_cause = tpm_audit_cause; + audit_info = 0; + } + out: diff --git a/queue-3.0/ima-free-duplicate-measurement-memory.patch b/queue-3.0/ima-free-duplicate-measurement-memory.patch new file mode 100644 index 00000000000..3dd0488e8a8 --- /dev/null +++ b/queue-3.0/ima-free-duplicate-measurement-memory.patch @@ -0,0 +1,48 @@ +From 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 Mon Sep 17 00:00:00 2001 +From: Roberto Sassu +Date: Mon, 19 Dec 2011 15:57:27 +0100 +Subject: ima: free duplicate measurement memory + +From: Roberto Sassu + +commit 45fae7493970d7c45626ccd96d4a74f5f1eea5a9 upstream. + +Info about new measurements are cached in the iint for performance. When +the inode is flushed from cache, the associated iint is flushed as well. +Subsequent access to the inode will cause the inode to be re-measured and +will attempt to add a duplicate entry to the measurement list. + +This patch frees the duplicate measurement memory, fixing a memory leak. + +Signed-off-by: Roberto Sassu +Signed-off-by: Mimi Zohar +Signed-off-by: Greg Kroah-Hartman + +--- + security/integrity/ima/ima_api.c | 4 ++-- + security/integrity/ima/ima_queue.c | 1 + + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/security/integrity/ima/ima_api.c ++++ b/security/integrity/ima/ima_api.c +@@ -177,8 +177,8 @@ void ima_store_measurement(struct ima_ii + strncpy(entry->template.file_name, filename, IMA_EVENT_NAME_LEN_MAX); + + result = ima_store_template(entry, violation, inode); +- if (!result) ++ if (!result || result == -EEXIST) + iint->flags |= IMA_MEASURED; +- else ++ if (result < 0) + kfree(entry); + } +--- a/security/integrity/ima/ima_queue.c ++++ b/security/integrity/ima/ima_queue.c +@@ -114,6 +114,7 @@ int ima_add_template_entry(struct ima_te + memcpy(digest, entry->digest, sizeof digest); + if (ima_lookup_digest_entry(digest)) { + audit_cause = "hash_exists"; ++ result = -EEXIST; + goto out; + } + } diff --git a/queue-3.0/nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch b/queue-3.0/nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch new file mode 100644 index 00000000000..bcec995cd95 --- /dev/null +++ b/queue-3.0/nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch @@ -0,0 +1,144 @@ +From 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 20 Dec 2011 06:57:45 -0500 +Subject: nfs: fix regression in handling of context= option in NFSv4 + +From: Jeff Layton + +commit 8a0d551a59ac92d8ff048d6cb29d3a02073e81e8 upstream. + +Setting the security context of a NFSv4 mount via the context= mount +option is currently broken. The NFSv4 codepath allocates a parsed +options struct, and then parses the mount options to fill it. It +eventually calls nfs4_remote_mount which calls security_init_mnt_opts. +That clobbers the lsm_opts struct that was populated earlier. This bug +also looks like it causes a small memory leak on each v4 mount where +context= is used. + +Fix this by moving the initialization of the lsm_opts into +nfs_alloc_parsed_mount_data. Also, add a destructor for +nfs_parsed_mount_data to make it easier to free all of the allocations +hanging off of it, and to ensure that the security_free_mnt_opts is +called whenever security_init_mnt_opts is. + +I believe this regression was introduced quite some time ago, probably +by commit c02d7adf. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/super.c | 43 +++++++++++++++++++------------------------ + 1 file changed, 19 insertions(+), 24 deletions(-) + +--- a/fs/nfs/super.c ++++ b/fs/nfs/super.c +@@ -904,10 +904,24 @@ static struct nfs_parsed_mount_data *nfs + data->auth_flavor_len = 1; + data->version = version; + data->minorversion = 0; ++ security_init_mnt_opts(&data->lsm_opts); + } + return data; + } + ++static void nfs_free_parsed_mount_data(struct nfs_parsed_mount_data *data) ++{ ++ if (data) { ++ kfree(data->client_address); ++ kfree(data->mount_server.hostname); ++ kfree(data->nfs_server.export_path); ++ kfree(data->nfs_server.hostname); ++ kfree(data->fscache_uniq); ++ security_free_mnt_opts(&data->lsm_opts); ++ kfree(data); ++ } ++} ++ + /* + * Sanity-check a server address provided by the mount command. + * +@@ -2218,9 +2232,7 @@ static struct dentry *nfs_fs_mount(struc + data = nfs_alloc_parsed_mount_data(NFS_DEFAULT_VERSION); + mntfh = nfs_alloc_fhandle(); + if (data == NULL || mntfh == NULL) +- goto out_free_fh; +- +- security_init_mnt_opts(&data->lsm_opts); ++ goto out; + + /* Validate the mount data */ + error = nfs_validate_mount_data(raw_data, data, mntfh, dev_name); +@@ -2232,8 +2244,6 @@ static struct dentry *nfs_fs_mount(struc + #ifdef CONFIG_NFS_V4 + if (data->version == 4) { + mntroot = nfs4_try_mount(flags, dev_name, data); +- kfree(data->client_address); +- kfree(data->nfs_server.export_path); + goto out; + } + #endif /* CONFIG_NFS_V4 */ +@@ -2284,13 +2294,8 @@ static struct dentry *nfs_fs_mount(struc + s->s_flags |= MS_ACTIVE; + + out: +- kfree(data->nfs_server.hostname); +- kfree(data->mount_server.hostname); +- kfree(data->fscache_uniq); +- security_free_mnt_opts(&data->lsm_opts); +-out_free_fh: ++ nfs_free_parsed_mount_data(data); + nfs_free_fhandle(mntfh); +- kfree(data); + return mntroot; + + out_err_nosb: +@@ -2613,9 +2618,7 @@ nfs4_remote_mount(struct file_system_typ + + mntfh = nfs_alloc_fhandle(); + if (data == NULL || mntfh == NULL) +- goto out_free_fh; +- +- security_init_mnt_opts(&data->lsm_opts); ++ goto out; + + /* Get a volume representation */ + server = nfs4_create_server(data, mntfh); +@@ -2663,13 +2666,10 @@ nfs4_remote_mount(struct file_system_typ + + s->s_flags |= MS_ACTIVE; + +- security_free_mnt_opts(&data->lsm_opts); + nfs_free_fhandle(mntfh); + return mntroot; + + out: +- security_free_mnt_opts(&data->lsm_opts); +-out_free_fh: + nfs_free_fhandle(mntfh); + return ERR_PTR(error); + +@@ -2855,7 +2855,7 @@ static struct dentry *nfs4_mount(struct + + data = nfs_alloc_parsed_mount_data(4); + if (data == NULL) +- goto out_free_data; ++ goto out; + + /* Validate the mount data */ + error = nfs4_validate_mount_data(raw_data, data, dev_name); +@@ -2869,12 +2869,7 @@ static struct dentry *nfs4_mount(struct + error = PTR_ERR(res); + + out: +- kfree(data->client_address); +- kfree(data->nfs_server.export_path); +- kfree(data->nfs_server.hostname); +- kfree(data->fscache_uniq); +-out_free_data: +- kfree(data); ++ nfs_free_parsed_mount_data(data); + dprintk("<-- nfs4_mount() = %d%s\n", error, + error != 0 ? " [error]" : ""); + return res; diff --git a/queue-3.0/nfs-retry-mounting-nfsroot.patch b/queue-3.0/nfs-retry-mounting-nfsroot.patch new file mode 100644 index 00000000000..61cae32afbf --- /dev/null +++ b/queue-3.0/nfs-retry-mounting-nfsroot.patch @@ -0,0 +1,92 @@ +From 43717c7daebf10b43f12e68512484b3095bb1ba5 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Mon, 5 Dec 2011 15:40:30 -0500 +Subject: NFS: Retry mounting NFSROOT + +From: Chuck Lever + +commit 43717c7daebf10b43f12e68512484b3095bb1ba5 upstream. + +Lukas Razik reports that on his SPARC system, +booting with an NFS root file system stopped working after commit +56463e50 "NFS: Use super.c for NFSROOT mount option parsing." + +We found that the network switch to which Lukas' client was attached +was delaying access to the LAN after the client's NIC driver reported +that its link was up. The delay was longer than the timeouts used in +the NFS client during mounting. + +NFSROOT worked for Lukas before commit 56463e50 because in those +kernels, the client's first operation was an rpcbind request to +determine which port the NFS server was listening on. When that +request failed after a long timeout, the client simply selected the +default NFS port (2049). By that time the switch was allowing access +to the LAN, and the mount succeeded. + +Neither of these client behaviors is desirable, so reverting 56463e50 +is really not a choice. Instead, introduce a mechanism that retries +the NFSROOT mount request several times. This is the same tactic that +normal user space NFS mounts employ to overcome server and network +delays. + +Signed-off-by: Lukas Razik +[ cel: match kernel coding style, add proper patch description ] +[ cel: add exponential back-off ] +Signed-off-by: Chuck Lever +Tested-by: Lukas Razik +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + init/do_mounts.c | 35 +++++++++++++++++++++++++++++++---- + 1 file changed, 31 insertions(+), 4 deletions(-) + +--- a/init/do_mounts.c ++++ b/init/do_mounts.c +@@ -360,15 +360,42 @@ out: + } + + #ifdef CONFIG_ROOT_NFS ++ ++#define NFSROOT_TIMEOUT_MIN 5 ++#define NFSROOT_TIMEOUT_MAX 30 ++#define NFSROOT_RETRY_MAX 5 ++ + static int __init mount_nfs_root(void) + { + char *root_dev, *root_data; ++ unsigned int timeout; ++ int try, err; + +- if (nfs_root_data(&root_dev, &root_data) != 0) +- return 0; +- if (do_mount_root(root_dev, "nfs", root_mountflags, root_data) != 0) ++ err = nfs_root_data(&root_dev, &root_data); ++ if (err != 0) + return 0; +- return 1; ++ ++ /* ++ * The server or network may not be ready, so try several ++ * times. Stop after a few tries in case the client wants ++ * to fall back to other boot methods. ++ */ ++ timeout = NFSROOT_TIMEOUT_MIN; ++ for (try = 1; ; try++) { ++ err = do_mount_root(root_dev, "nfs", ++ root_mountflags, root_data); ++ if (err == 0) ++ return 1; ++ if (try > NFSROOT_RETRY_MAX) ++ break; ++ ++ /* Wait, in case the server refused us immediately */ ++ ssleep(timeout); ++ timeout <<= 1; ++ if (timeout > NFSROOT_TIMEOUT_MAX) ++ timeout = NFSROOT_TIMEOUT_MAX; ++ } ++ return 0; + } + #endif + diff --git a/queue-3.0/nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch b/queue-3.0/nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch new file mode 100644 index 00000000000..98691de0efd --- /dev/null +++ b/queue-3.0/nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch @@ -0,0 +1,28 @@ +From 61f2e5106582d02f30b6807e3f9c07463c572ccb Mon Sep 17 00:00:00 2001 +From: Andy Adamson +Date: Wed, 9 Nov 2011 13:58:20 -0500 +Subject: NFSv4.1: fix backchannel slotid off-by-one bug + +From: Andy Adamson + +commit 61f2e5106582d02f30b6807e3f9c07463c572ccb upstream. + +Signed-off-by: Andy Adamson +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/callback_proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfs/callback_proc.c ++++ b/fs/nfs/callback_proc.c +@@ -324,7 +324,7 @@ validate_seqid(struct nfs4_slot_table *t + dprintk("%s enter. slotid %d seqid %d\n", + __func__, args->csa_slotid, args->csa_sequenceid); + +- if (args->csa_slotid > NFS41_BC_MAX_CALLBACKS) ++ if (args->csa_slotid >= NFS41_BC_MAX_CALLBACKS) + return htonl(NFS4ERR_BADSLOT); + + slot = tbl->slots + args->csa_slotid; diff --git a/queue-3.0/pci-fix-pci_exp_type_rc_ec-value.patch b/queue-3.0/pci-fix-pci_exp_type_rc_ec-value.patch new file mode 100644 index 00000000000..6f5f6ba45eb --- /dev/null +++ b/queue-3.0/pci-fix-pci_exp_type_rc_ec-value.patch @@ -0,0 +1,30 @@ +From 1830ea91c20b06608f7cdb2455ce05ba834b3214 Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Wed, 16 Nov 2011 09:24:16 -0700 +Subject: PCI: Fix PCI_EXP_TYPE_RC_EC value + +From: Alex Williamson + +commit 1830ea91c20b06608f7cdb2455ce05ba834b3214 upstream. + +Spec shows this as 1010b = 0xa + +Signed-off-by: Alex Williamson +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/pci_regs.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/pci_regs.h ++++ b/include/linux/pci_regs.h +@@ -392,7 +392,7 @@ + #define PCI_EXP_TYPE_DOWNSTREAM 0x6 /* Downstream Port */ + #define PCI_EXP_TYPE_PCI_BRIDGE 0x7 /* PCI/PCI-X Bridge */ + #define PCI_EXP_TYPE_RC_END 0x9 /* Root Complex Integrated Endpoint */ +-#define PCI_EXP_TYPE_RC_EC 0x10 /* Root Complex Event Collector */ ++#define PCI_EXP_TYPE_RC_EC 0xa /* Root Complex Event Collector */ + #define PCI_EXP_FLAGS_SLOT 0x0100 /* Slot implemented */ + #define PCI_EXP_FLAGS_IRQ 0x3e00 /* Interrupt message number */ + #define PCI_EXP_DEVCAP 4 /* Device capabilities */ diff --git a/queue-3.0/pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch b/queue-3.0/pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch new file mode 100644 index 00000000000..85c6c1fcdd6 --- /dev/null +++ b/queue-3.0/pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch @@ -0,0 +1,50 @@ +From a776c491ca5e38c26d9f66923ff574d041e747f4 Mon Sep 17 00:00:00 2001 +From: "Eric W. Biederman" +Date: Mon, 17 Oct 2011 11:46:06 -0700 +Subject: PCI: msi: Disable msi interrupts when we initialize a pci device + +From: "Eric W. Biederman" + +commit a776c491ca5e38c26d9f66923ff574d041e747f4 upstream. + +I traced a nasty kexec on panic boot failure to the fact that we had +screaming msi interrupts and we were not disabling the msi messages at +kernel startup. The booting kernel had not enabled those interupts so +was not prepared to handle them. + +I can see no reason why we would ever want to leave the msi interrupts +enabled at boot if something else has enabled those interrupts. The pci +spec specifies that msi interrupts should be off by default. Drivers +are expected to enable the msi interrupts if they want to use them. Our +interrupt handling code reprograms the interrupt handlers at boot and +will not be be able to do anything useful with an unexpected interrupt. + +This patch applies cleanly all of the way back to 2.6.32 where I noticed +the problem. + +Signed-off-by: Eric W. Biederman +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/msi.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -869,5 +869,15 @@ EXPORT_SYMBOL(pci_msi_enabled); + + void pci_msi_init_pci_dev(struct pci_dev *dev) + { ++ int pos; + INIT_LIST_HEAD(&dev->msi_list); ++ ++ /* Disable the msi hardware to avoid screaming interrupts ++ * during boot. This is the power on reset default so ++ * usually this should be a noop. ++ */ ++ pos = pci_find_capability(dev, PCI_CAP_ID_MSI); ++ if (pos) ++ msi_set_enable(dev, pos, 0); ++ msix_set_enable(dev, 0); + } diff --git a/queue-3.0/pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch b/queue-3.0/pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch new file mode 100644 index 00000000000..914a18a07ff --- /dev/null +++ b/queue-3.0/pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch @@ -0,0 +1,98 @@ +From eb31aae8cb5eb54e234ed2d857ddac868195d911 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 5 Jan 2012 14:27:24 -0700 +Subject: PNP: work around Dell 1536/1546 BIOS MMCONFIG bug that breaks USB + +From: Bjorn Helgaas + +commit eb31aae8cb5eb54e234ed2d857ddac868195d911 upstream. + +Some Dell BIOSes have MCFG tables that don't report the entire +MMCONFIG area claimed by the chipset. If we move PCI devices into +that claimed-but-unreported area, they don't work. + +This quirk reads the AMD MMCONFIG MSRs and adds PNP0C01 resources as +needed to cover the entire area. + +Example problem scenario: + + BIOS-e820: 00000000cfec5400 - 00000000d4000000 (reserved) + Fam 10h mmconf [d0000000, dfffffff] + PCI: MMCONFIG for domain 0000 [bus 00-3f] at [mem 0xd0000000-0xd3ffffff] (base 0xd0000000) + pnp 00:0c: [mem 0xd0000000-0xd3ffffff] + pci 0000:00:12.0: reg 10: [mem 0xffb00000-0xffb00fff] + pci 0000:00:12.0: no compatible bridge window for [mem 0xffb00000-0xffb00fff] + pci 0000:00:12.0: BAR 0: assigned [mem 0xd4000000-0xd40000ff] + +Reported-by: Lisa Salimbas +Reported-by: +Tested-by: dann frazier +References: https://bugzilla.kernel.org/show_bug.cgi?id=31602 +References: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/647043 +References: https://bugzilla.redhat.com/show_bug.cgi?id=770308 +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pnp/quirks.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 42 insertions(+) + +--- a/drivers/pnp/quirks.c ++++ b/drivers/pnp/quirks.c +@@ -295,6 +295,45 @@ static void quirk_system_pci_resources(s + } + } + ++#ifdef CONFIG_AMD_NB ++ ++#include ++ ++static void quirk_amd_mmconfig_area(struct pnp_dev *dev) ++{ ++ resource_size_t start, end; ++ struct pnp_resource *pnp_res; ++ struct resource *res; ++ struct resource mmconfig_res, *mmconfig; ++ ++ mmconfig = amd_get_mmconfig_range(&mmconfig_res); ++ if (!mmconfig) ++ return; ++ ++ list_for_each_entry(pnp_res, &dev->resources, list) { ++ res = &pnp_res->res; ++ if (res->end < mmconfig->start || res->start > mmconfig->end || ++ (res->start == mmconfig->start && res->end == mmconfig->end)) ++ continue; ++ ++ dev_info(&dev->dev, FW_BUG ++ "%pR covers only part of AMD MMCONFIG area %pR; adding more reservations\n", ++ res, mmconfig); ++ if (mmconfig->start < res->start) { ++ start = mmconfig->start; ++ end = res->start - 1; ++ pnp_add_mem_resource(dev, start, end, 0); ++ } ++ if (mmconfig->end > res->end) { ++ start = res->end + 1; ++ end = mmconfig->end; ++ pnp_add_mem_resource(dev, start, end, 0); ++ } ++ break; ++ } ++} ++#endif ++ + /* + * PnP Quirks + * Cards or devices that need some tweaking due to incomplete resource info +@@ -322,6 +361,9 @@ static struct pnp_fixup pnp_fixups[] = { + /* PnP resources that might overlap PCI BARs */ + {"PNP0c01", quirk_system_pci_resources}, + {"PNP0c02", quirk_system_pci_resources}, ++#ifdef CONFIG_AMD_NB ++ {"PNP0c01", quirk_amd_mmconfig_area}, ++#endif + {""} + }; + diff --git a/queue-3.0/scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch b/queue-3.0/scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch new file mode 100644 index 00000000000..290ec97a16e --- /dev/null +++ b/queue-3.0/scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch @@ -0,0 +1,172 @@ +From aff132d95ffe14eca96cab90597cdd010b457af7 Mon Sep 17 00:00:00 2001 +From: "nagalakshmi.nandigama@lsi.com" +Date: Thu, 1 Dec 2011 07:53:08 +0530 +Subject: SCSI: mpt2sas : Fix for memory allocation error for large host credits + +From: "nagalakshmi.nandigama@lsi.com" + +commit aff132d95ffe14eca96cab90597cdd010b457af7 upstream. + +The amount of memory required for tracking chain buffers is rather +large, and when the host credit count is big, memory allocation +failure occurs inside __get_free_pages. + +The fix is to limit the number of chains to 100,000. In addition, +the number of host credits is limited to 30,000 IOs. However this +limitation can be overridden this using the command line option +max_queue_depth. The algorithm for calculating the +reply_post_queue_depth is changed so that it is equal to +(reply_free_queue_depth + 16), previously it was (reply_free_queue_depth * 2). + +Signed-off-by: Nagalakshmi Nandigama +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt2sas/mpt2sas_base.c | 83 +++++++++++------------------------ + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 4 - + 2 files changed, 29 insertions(+), 58 deletions(-) + +--- a/drivers/scsi/mpt2sas/mpt2sas_base.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_base.c +@@ -66,6 +66,8 @@ static MPT_CALLBACK mpt_callbacks[MPT_MA + + #define FAULT_POLLING_INTERVAL 1000 /* in milliseconds */ + ++#define MAX_HBA_QUEUE_DEPTH 30000 ++#define MAX_CHAIN_DEPTH 100000 + static int max_queue_depth = -1; + module_param(max_queue_depth, int, 0); + MODULE_PARM_DESC(max_queue_depth, " max controller queue depth "); +@@ -2098,8 +2100,6 @@ _base_release_memory_pools(struct MPT2SA + } + if (ioc->chain_dma_pool) + pci_pool_destroy(ioc->chain_dma_pool); +- } +- if (ioc->chain_lookup) { + free_pages((ulong)ioc->chain_lookup, ioc->chain_pages); + ioc->chain_lookup = NULL; + } +@@ -2117,9 +2117,7 @@ static int + _base_allocate_memory_pools(struct MPT2SAS_ADAPTER *ioc, int sleep_flag) + { + struct mpt2sas_facts *facts; +- u32 queue_size, queue_diff; + u16 max_sge_elements; +- u16 num_of_reply_frames; + u16 chains_needed_per_io; + u32 sz, total_sz; + u32 retry_sz; +@@ -2146,7 +2144,8 @@ _base_allocate_memory_pools(struct MPT2S + max_request_credit = (max_queue_depth < facts->RequestCredit) + ? max_queue_depth : facts->RequestCredit; + else +- max_request_credit = facts->RequestCredit; ++ max_request_credit = min_t(u16, facts->RequestCredit, ++ MAX_HBA_QUEUE_DEPTH); + + ioc->hba_queue_depth = max_request_credit; + ioc->hi_priority_depth = facts->HighPriorityCredit; +@@ -2187,50 +2186,25 @@ _base_allocate_memory_pools(struct MPT2S + } + ioc->chains_needed_per_io = chains_needed_per_io; + +- /* reply free queue sizing - taking into account for events */ +- num_of_reply_frames = ioc->hba_queue_depth + 32; +- +- /* number of replies frames can't be a multiple of 16 */ +- /* decrease number of reply frames by 1 */ +- if (!(num_of_reply_frames % 16)) +- num_of_reply_frames--; +- +- /* calculate number of reply free queue entries +- * (must be multiple of 16) +- */ +- +- /* (we know reply_free_queue_depth is not a multiple of 16) */ +- queue_size = num_of_reply_frames; +- queue_size += 16 - (queue_size % 16); +- ioc->reply_free_queue_depth = queue_size; +- +- /* reply descriptor post queue sizing */ +- /* this size should be the number of request frames + number of reply +- * frames +- */ ++ /* reply free queue sizing - taking into account for 64 FW events */ ++ ioc->reply_free_queue_depth = ioc->hba_queue_depth + 64; + +- queue_size = ioc->hba_queue_depth + num_of_reply_frames + 1; +- /* round up to 16 byte boundary */ +- if (queue_size % 16) +- queue_size += 16 - (queue_size % 16); +- +- /* check against IOC maximum reply post queue depth */ +- if (queue_size > facts->MaxReplyDescriptorPostQueueDepth) { +- queue_diff = queue_size - +- facts->MaxReplyDescriptorPostQueueDepth; +- +- /* round queue_diff up to multiple of 16 */ +- if (queue_diff % 16) +- queue_diff += 16 - (queue_diff % 16); +- +- /* adjust hba_queue_depth, reply_free_queue_depth, +- * and queue_size +- */ +- ioc->hba_queue_depth -= (queue_diff / 2); +- ioc->reply_free_queue_depth -= (queue_diff / 2); +- queue_size = facts->MaxReplyDescriptorPostQueueDepth; ++ /* align the reply post queue on the next 16 count boundary */ ++ if (!ioc->reply_free_queue_depth % 16) ++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth + 16; ++ else ++ ioc->reply_post_queue_depth = ioc->reply_free_queue_depth + ++ 32 - (ioc->reply_free_queue_depth % 16); ++ if (ioc->reply_post_queue_depth > ++ facts->MaxReplyDescriptorPostQueueDepth) { ++ ioc->reply_post_queue_depth = min_t(u16, ++ (facts->MaxReplyDescriptorPostQueueDepth - ++ (facts->MaxReplyDescriptorPostQueueDepth % 16)), ++ (ioc->hba_queue_depth - (ioc->hba_queue_depth % 16))); ++ ioc->reply_free_queue_depth = ioc->reply_post_queue_depth - 16; ++ ioc->hba_queue_depth = ioc->reply_free_queue_depth - 64; + } +- ioc->reply_post_queue_depth = queue_size; ++ + + dinitprintk(ioc, printk(MPT2SAS_INFO_FMT "scatter gather: " + "sge_in_main_msg(%d), sge_per_chain(%d), sge_per_io(%d), " +@@ -2316,15 +2290,12 @@ _base_allocate_memory_pools(struct MPT2S + "depth(%d)\n", ioc->name, ioc->request, + ioc->scsiio_depth)); + +- /* loop till the allocation succeeds */ +- do { +- sz = ioc->chain_depth * sizeof(struct chain_tracker); +- ioc->chain_pages = get_order(sz); +- ioc->chain_lookup = (struct chain_tracker *)__get_free_pages( +- GFP_KERNEL, ioc->chain_pages); +- if (ioc->chain_lookup == NULL) +- ioc->chain_depth -= 100; +- } while (ioc->chain_lookup == NULL); ++ ioc->chain_depth = min_t(u32, ioc->chain_depth, MAX_CHAIN_DEPTH); ++ sz = ioc->chain_depth * sizeof(struct chain_tracker); ++ ioc->chain_pages = get_order(sz); ++ ++ ioc->chain_lookup = (struct chain_tracker *)__get_free_pages( ++ GFP_KERNEL, ioc->chain_pages); + ioc->chain_dma_pool = pci_pool_create("chain pool", ioc->pdev, + ioc->request_sz, 16, 0); + if (!ioc->chain_dma_pool) { +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +@@ -974,8 +974,8 @@ _scsih_get_chain_buffer_tracker(struct M + spin_lock_irqsave(&ioc->scsi_lookup_lock, flags); + if (list_empty(&ioc->free_chain_list)) { + spin_unlock_irqrestore(&ioc->scsi_lookup_lock, flags); +- printk(MPT2SAS_WARN_FMT "chain buffers not available\n", +- ioc->name); ++ dfailprintk(ioc, printk(MPT2SAS_WARN_FMT "chain buffers not " ++ "available\n", ioc->name)); + return NULL; + } + chain_req = list_entry(ioc->free_chain_list.next, diff --git a/queue-3.0/scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch b/queue-3.0/scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch new file mode 100644 index 00000000000..87462b9322f --- /dev/null +++ b/queue-3.0/scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch @@ -0,0 +1,53 @@ +From 30c43282f3d347f47f9e05199d2b14f56f3f2837 Mon Sep 17 00:00:00 2001 +From: "nagalakshmi.nandigama@lsi.com" +Date: Thu, 1 Dec 2011 07:52:56 +0530 +Subject: SCSI: mpt2sas: Release spinlock for the raid device list before blocking it + +From: "nagalakshmi.nandigama@lsi.com" + +commit 30c43282f3d347f47f9e05199d2b14f56f3f2837 upstream. + +Added code to release the spinlock that is used to protect the +raid device list before calling a function that can block. The +blocking was causing a reschedule, and subsequently it is tried +to acquire the same lock, resulting in a panic (NMI Watchdog +detecting a CPU lockup). + +Signed-off-by: Nagalakshmi Nandigama +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/mpt2sas/mpt2sas_scsih.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/mpt2sas/mpt2sas_scsih.c ++++ b/drivers/scsi/mpt2sas/mpt2sas_scsih.c +@@ -6425,6 +6425,7 @@ _scsih_mark_responding_raid_device(struc + } else + sas_target_priv_data = NULL; + raid_device->responding = 1; ++ spin_unlock_irqrestore(&ioc->raid_device_lock, flags); + starget_printk(KERN_INFO, raid_device->starget, + "handle(0x%04x), wwid(0x%016llx)\n", handle, + (unsigned long long)raid_device->wwid); +@@ -6435,16 +6436,16 @@ _scsih_mark_responding_raid_device(struc + */ + _scsih_init_warpdrive_properties(ioc, raid_device); + if (raid_device->handle == handle) +- goto out; ++ return; + printk(KERN_INFO "\thandle changed from(0x%04x)!!!\n", + raid_device->handle); + raid_device->handle = handle; + if (sas_target_priv_data) + sas_target_priv_data->handle = handle; +- goto out; ++ return; + } + } +- out: ++ + spin_unlock_irqrestore(&ioc->raid_device_lock, flags); + } + diff --git a/queue-3.0/series b/queue-3.0/series index 1921f3f3e43..7ec16ec3c10 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -10,3 +10,21 @@ alsa-hda-return-the-error-from-get_wcaps_type-for-invalid-nids.patch drm-radeon-kms-workaround-invalid-avi-infoframe-checksum-issue.patch drm-radeon-kms-disable-writeback-on-pre-r300-asics.patch radeon-fix-disabling-pci-bus-mastering-on-big-endian-hosts.patch +nfs-retry-mounting-nfsroot.patch +nfsv4.1-fix-backchannel-slotid-off-by-one-bug.patch +nfs-fix-regression-in-handling-of-context-option-in-nfsv4.patch +hid-bump-maximum-global-item-tag-report-size-to-96-bytes.patch +hid-wiimote-select-input_ff_memless.patch +ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch +ubi-fix-use-after-free-on-error-path.patch +pci-fix-pci_exp_type_rc_ec-value.patch +pci-msi-disable-msi-interrupts-when-we-initialize-a-pci-device.patch +x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch +x86-pci-amd-factor-out-mmconfig-discovery.patch +x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch +scsi-mpt2sas-release-spinlock-for-the-raid-device-list-before-blocking-it.patch +scsi-mpt2sas-fix-for-memory-allocation-error-for-large-host-credits.patch +xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch +ima-free-duplicate-measurement-memory.patch +ima-fix-invalid-memory-reference.patch +pnp-work-around-dell-1536-1546-bios-mmconfig-bug-that-breaks-usb.patch diff --git a/queue-3.0/ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch b/queue-3.0/ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch new file mode 100644 index 00000000000..6956c5c2e2d --- /dev/null +++ b/queue-3.0/ubi-fix-missing-scrub-when-there-is-a-bit-flip.patch @@ -0,0 +1,75 @@ +From e801e128b2200c40a0ec236cf2330b2586b6e05a Mon Sep 17 00:00:00 2001 +From: Bhavesh Parekh +Date: Wed, 30 Nov 2011 17:43:42 +0530 +Subject: UBI: fix missing scrub when there is a bit-flip + +From: Bhavesh Parekh + +commit e801e128b2200c40a0ec236cf2330b2586b6e05a upstream. + +Under some cases, when scrubbing the PEB if we did not get the lock on +the PEB it fails to scrub. Add that PEB again to the scrub list + +Artem: minor amendments. + +Signed-off-by: Bhavesh Parekh +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/eba.c | 6 ++++-- + drivers/mtd/ubi/ubi.h | 2 ++ + drivers/mtd/ubi/wl.c | 5 ++++- + 3 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/ubi/eba.c ++++ b/drivers/mtd/ubi/eba.c +@@ -1028,12 +1028,14 @@ int ubi_eba_copy_leb(struct ubi_device * + * 'ubi_wl_put_peb()' function on the @ubi->move_mutex. In turn, we are + * holding @ubi->move_mutex and go sleep on the LEB lock. So, if the + * LEB is already locked, we just do not move it and return +- * %MOVE_CANCEL_RACE, which means that UBI will re-try, but later. ++ * %MOVE_RETRY. Note, we do not return %MOVE_CANCEL_RACE here because ++ * we do not know the reasons of the contention - it may be just a ++ * normal I/O on this LEB, so we want to re-try. + */ + err = leb_write_trylock(ubi, vol_id, lnum); + if (err) { + dbg_wl("contention on LEB %d:%d, cancel", vol_id, lnum); +- return MOVE_CANCEL_RACE; ++ return MOVE_RETRY; + } + + /* +--- a/drivers/mtd/ubi/ubi.h ++++ b/drivers/mtd/ubi/ubi.h +@@ -121,6 +121,7 @@ enum { + * PEB + * MOVE_CANCEL_BITFLIPS: canceled because a bit-flip was detected in the + * target PEB ++ * MOVE_RETRY: retry scrubbing the PEB + */ + enum { + MOVE_CANCEL_RACE = 1, +@@ -128,6 +129,7 @@ enum { + MOVE_TARGET_RD_ERR, + MOVE_TARGET_WR_ERR, + MOVE_CANCEL_BITFLIPS, ++ MOVE_RETRY, + }; + + /** +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -792,7 +792,10 @@ static int wear_leveling_worker(struct u + protect = 1; + goto out_not_moved; + } +- ++ if (err == MOVE_RETRY) { ++ scrubbing = 1; ++ goto out_not_moved; ++ } + if (err == MOVE_CANCEL_BITFLIPS || err == MOVE_TARGET_WR_ERR || + err == MOVE_TARGET_RD_ERR) { + /* diff --git a/queue-3.0/ubi-fix-use-after-free-on-error-path.patch b/queue-3.0/ubi-fix-use-after-free-on-error-path.patch new file mode 100644 index 00000000000..c2ee5a85df6 --- /dev/null +++ b/queue-3.0/ubi-fix-use-after-free-on-error-path.patch @@ -0,0 +1,50 @@ +From e57e0d8e818512047fe379157c3f77f1b9fabffb Mon Sep 17 00:00:00 2001 +From: Artem Bityutskiy +Date: Thu, 5 Jan 2012 10:47:18 +0200 +Subject: UBI: fix use-after-free on error path + +From: Artem Bityutskiy + +commit e57e0d8e818512047fe379157c3f77f1b9fabffb upstream. + +When we fail to erase a PEB, we free the corresponding erase entry object, +but then re-schedule this object if the error code was something like -EAGAIN. +Obviously, it is a bug to use the object after we have freed it. + +Reported-by: Emese Revfy +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/wl.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/mtd/ubi/wl.c ++++ b/drivers/mtd/ubi/wl.c +@@ -1049,7 +1049,6 @@ static int erase_worker(struct ubi_devic + + ubi_err("failed to erase PEB %d, error %d", pnum, err); + kfree(wl_wrk); +- kmem_cache_free(ubi_wl_entry_slab, e); + + if (err == -EINTR || err == -ENOMEM || err == -EAGAIN || + err == -EBUSY) { +@@ -1062,14 +1061,16 @@ static int erase_worker(struct ubi_devic + goto out_ro; + } + return err; +- } else if (err != -EIO) { ++ } ++ ++ kmem_cache_free(ubi_wl_entry_slab, e); ++ if (err != -EIO) + /* + * If this is not %-EIO, we have no idea what to do. Scheduling + * this physical eraseblock for erasure again would cause + * errors again and again. Well, lets switch to R/O mode. + */ + goto out_ro; +- } + + /* It is %-EIO, the PEB went bad */ + diff --git a/queue-3.0/x86-pci-amd-factor-out-mmconfig-discovery.patch b/queue-3.0/x86-pci-amd-factor-out-mmconfig-discovery.patch new file mode 100644 index 00000000000..cf808645c21 --- /dev/null +++ b/queue-3.0/x86-pci-amd-factor-out-mmconfig-discovery.patch @@ -0,0 +1,154 @@ +From 24d25dbfa63c376323096660bfa9ad45a08870ce Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 5 Jan 2012 14:27:19 -0700 +Subject: x86/PCI: amd: factor out MMCONFIG discovery + +From: Bjorn Helgaas + +commit 24d25dbfa63c376323096660bfa9ad45a08870ce upstream. + +This factors out the AMD native MMCONFIG discovery so we can use it +outside amd_bus.c. + +amd_bus.c reads AMD MSRs so it can remove the MMCONFIG area from the +PCI resources. We may also need the MMCONFIG information to work +around BIOS defects in the ACPI MCFG table. + +Cc: Borislav Petkov +Cc: Yinghai Lu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/amd_nb.h | 2 ++ + arch/x86/kernel/amd_nb.c | 31 +++++++++++++++++++++++++++++++ + arch/x86/pci/amd_bus.c | 42 +++++++++++------------------------------- + 3 files changed, 44 insertions(+), 31 deletions(-) + +--- a/arch/x86/include/asm/amd_nb.h ++++ b/arch/x86/include/asm/amd_nb.h +@@ -1,6 +1,7 @@ + #ifndef _ASM_X86_AMD_NB_H + #define _ASM_X86_AMD_NB_H + ++#include + #include + + struct amd_nb_bus_dev_range { +@@ -13,6 +14,7 @@ extern const struct pci_device_id amd_nb + extern const struct amd_nb_bus_dev_range amd_nb_bus_dev_ranges[]; + + extern bool early_is_amd_nb(u32 value); ++extern struct resource *amd_get_mmconfig_range(struct resource *res); + extern int amd_cache_northbridges(void); + extern void amd_flush_garts(void); + extern int amd_numa_init(void); +--- a/arch/x86/kernel/amd_nb.c ++++ b/arch/x86/kernel/amd_nb.c +@@ -119,6 +119,37 @@ bool __init early_is_amd_nb(u32 device) + return false; + } + ++struct resource *amd_get_mmconfig_range(struct resource *res) ++{ ++ u32 address; ++ u64 base, msr; ++ unsigned segn_busn_bits; ++ ++ if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) ++ return NULL; ++ ++ /* assume all cpus from fam10h have mmconfig */ ++ if (boot_cpu_data.x86 < 0x10) ++ return NULL; ++ ++ address = MSR_FAM10H_MMIO_CONF_BASE; ++ rdmsrl(address, msr); ++ ++ /* mmconfig is not enabled */ ++ if (!(msr & FAM10H_MMIO_CONF_ENABLE)) ++ return NULL; ++ ++ base = msr & (FAM10H_MMIO_CONF_BASE_MASK<> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) & ++ FAM10H_MMIO_CONF_BUSRANGE_MASK; ++ ++ res->flags = IORESOURCE_MEM; ++ res->start = base; ++ res->end = base + (1ULL<<(segn_busn_bits + 20)) - 1; ++ return res; ++} ++ + int amd_get_subcaches(int cpu) + { + struct pci_dev *link = node_to_amd_nb(amd_get_nb_id(cpu))->link; +--- a/arch/x86/pci/amd_bus.c ++++ b/arch/x86/pci/amd_bus.c +@@ -30,34 +30,6 @@ static struct pci_hostbridge_probe pci_p + { 0, 0x18, PCI_VENDOR_ID_AMD, 0x1300 }, + }; + +-static u64 __initdata fam10h_mmconf_start; +-static u64 __initdata fam10h_mmconf_end; +-static void __init get_pci_mmcfg_amd_fam10h_range(void) +-{ +- u32 address; +- u64 base, msr; +- unsigned segn_busn_bits; +- +- /* assume all cpus from fam10h have mmconf */ +- if (boot_cpu_data.x86 < 0x10) +- return; +- +- address = MSR_FAM10H_MMIO_CONF_BASE; +- rdmsrl(address, msr); +- +- /* mmconfig is not enable */ +- if (!(msr & FAM10H_MMIO_CONF_ENABLE)) +- return; +- +- base = msr & (FAM10H_MMIO_CONF_BASE_MASK<> FAM10H_MMIO_CONF_BUSRANGE_SHIFT) & +- FAM10H_MMIO_CONF_BUSRANGE_MASK; +- +- fam10h_mmconf_start = base; +- fam10h_mmconf_end = base + (1ULL<<(segn_busn_bits + 20)) - 1; +-} +- + #define RANGE_NUM 16 + + /** +@@ -85,6 +57,9 @@ static int __init early_fill_mp_bus_info + u64 val; + u32 address; + bool found; ++ struct resource fam10h_mmconf_res, *fam10h_mmconf; ++ u64 fam10h_mmconf_start; ++ u64 fam10h_mmconf_end; + + if (!early_pci_allowed()) + return -1; +@@ -211,12 +186,17 @@ static int __init early_fill_mp_bus_info + subtract_range(range, RANGE_NUM, 0, end); + + /* get mmconfig */ +- get_pci_mmcfg_amd_fam10h_range(); ++ fam10h_mmconf = amd_get_mmconfig_range(&fam10h_mmconf_res); + /* need to take out mmconf range */ +- if (fam10h_mmconf_end) { +- printk(KERN_DEBUG "Fam 10h mmconf [%llx, %llx]\n", fam10h_mmconf_start, fam10h_mmconf_end); ++ if (fam10h_mmconf) { ++ printk(KERN_DEBUG "Fam 10h mmconf %pR\n", fam10h_mmconf); ++ fam10h_mmconf_start = fam10h_mmconf->start; ++ fam10h_mmconf_end = fam10h_mmconf->end; + subtract_range(range, RANGE_NUM, fam10h_mmconf_start, + fam10h_mmconf_end + 1); ++ } else { ++ fam10h_mmconf_start = 0; ++ fam10h_mmconf_end = 0; + } + + /* mmio resource */ diff --git a/queue-3.0/x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch b/queue-3.0/x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch new file mode 100644 index 00000000000..9e779ec31e9 --- /dev/null +++ b/queue-3.0/x86-pci-build-amd_bus.o-only-when-config_amd_nb-y.patch @@ -0,0 +1,35 @@ +From 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Thu, 12 Jan 2012 08:01:40 -0700 +Subject: x86/PCI: build amd_bus.o only when CONFIG_AMD_NB=y + +From: Bjorn Helgaas + +commit 5cf9a4e69c1ff0ccdd1d2b7404f95c0531355274 upstream. + +We only need amd_bus.o for AMD systems with PCI. arch/x86/pci/Makefile +already depends on CONFIG_PCI=y, so this patch just adds the dependency +on CONFIG_AMD_NB. + +Cc: Yinghai Lu +Signed-off-by: Bjorn Helgaas +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/Makefile | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/pci/Makefile ++++ b/arch/x86/pci/Makefile +@@ -18,8 +18,9 @@ obj-$(CONFIG_X86_NUMAQ) += numaq_32.o + obj-$(CONFIG_X86_MRST) += mrst.o + + obj-y += common.o early.o +-obj-y += amd_bus.o bus_numa.o ++obj-y += bus_numa.o + ++obj-$(CONFIG_AMD_NB) += amd_bus.o + obj-$(CONFIG_PCI_CNB20LE_QUIRK) += broadcom_bus.o + + ifeq ($(CONFIG_PCI_DEBUG),y) diff --git a/queue-3.0/x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch b/queue-3.0/x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch new file mode 100644 index 00000000000..dc98bf0a6d4 --- /dev/null +++ b/queue-3.0/x86-pci-ignore-cpu-non-addressable-_crs-reserved-memory-resources.patch @@ -0,0 +1,62 @@ +From ae5cd86455381282ece162966183d3f208c6fad7 Mon Sep 17 00:00:00 2001 +From: Gary Hade +Date: Mon, 14 Nov 2011 15:42:16 -0800 +Subject: x86/PCI: Ignore CPU non-addressable _CRS reserved memory resources + +From: Gary Hade + +commit ae5cd86455381282ece162966183d3f208c6fad7 upstream. + +This assures that a _CRS reserved host bridge window or window region is +not used if it is not addressable by the CPU. The new code either trims +the window to exclude the non-addressable portion or totally ignores the +window if the entire window is non-addressable. + +The current code has been shown to be problematic with 32-bit non-PAE +kernels on systems where _CRS reserves resources above 4GB. + +Signed-off-by: Gary Hade +Reviewed-by: Bjorn Helgaas +Cc: Thomas Renninger +Cc: linux-kernel@vger.kernel.org +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/acpi.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +--- a/arch/x86/pci/acpi.c ++++ b/arch/x86/pci/acpi.c +@@ -149,7 +149,7 @@ setup_resource(struct acpi_resource *acp + struct acpi_resource_address64 addr; + acpi_status status; + unsigned long flags; +- u64 start, end; ++ u64 start, orig_end, end; + + status = resource_to_addr(acpi_res, &addr); + if (!ACPI_SUCCESS(status)) +@@ -165,7 +165,21 @@ setup_resource(struct acpi_resource *acp + return AE_OK; + + start = addr.minimum + addr.translation_offset; +- end = addr.maximum + addr.translation_offset; ++ orig_end = end = addr.maximum + addr.translation_offset; ++ ++ /* Exclude non-addressable range or non-addressable portion of range */ ++ end = min(end, (u64)iomem_resource.end); ++ if (end <= start) { ++ dev_info(&info->bridge->dev, ++ "host bridge window [%#llx-%#llx] " ++ "(ignored, not CPU addressable)\n", start, orig_end); ++ return AE_OK; ++ } else if (orig_end != end) { ++ dev_info(&info->bridge->dev, ++ "host bridge window [%#llx-%#llx] " ++ "([%#llx-%#llx] ignored, not CPU addressable)\n", ++ start, orig_end, end + 1, orig_end); ++ } + + res = &info->res[info->res_num]; + res->name = info->name; diff --git a/queue-3.0/xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch b/queue-3.0/xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch new file mode 100644 index 00000000000..01074cbcc5d --- /dev/null +++ b/queue-3.0/xen-xenbus-reject-replies-with-payload-xenstore_payload_max.patch @@ -0,0 +1,73 @@ +From 9e7860cee18241633eddb36a4c34c7b61d8cecbc Mon Sep 17 00:00:00 2001 +From: Ian Campbell +Date: Wed, 4 Jan 2012 09:34:49 +0000 +Subject: xen/xenbus: Reject replies with payload > XENSTORE_PAYLOAD_MAX. + +From: Ian Campbell + +commit 9e7860cee18241633eddb36a4c34c7b61d8cecbc upstream. + +Haogang Chen found out that: + + There is a potential integer overflow in process_msg() that could result + in cross-domain attack. + + body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); + + When a malicious guest passes 0xffffffff in msg->hdr.len, the subsequent + call to xb_read() would write to a zero-length buffer. + + The other end of this connection is always the xenstore backend daemon + so there is no guest (malicious or otherwise) which can do this. The + xenstore daemon is a trusted component in the system. + + However this seem like a reasonable robustness improvement so we should + have it. + +And Ian when read the API docs found that: + The payload length (len field of the header) is limited to 4096 + (XENSTORE_PAYLOAD_MAX) in both directions. If a client exceeds the + limit, its xenstored connection will be immediately killed by + xenstored, which is usually catastrophic from the client's point of + view. Clients (particularly domains, which cannot just reconnect) + should avoid this. + +so this patch checks against that instead. + +This also avoids a potential integer overflow pointed out by Haogang Chen. + +Signed-off-by: Ian Campbell +Cc: Haogang Chen +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/xenbus/xenbus_xs.c | 6 ++++++ + include/xen/interface/io/xs_wire.h | 3 +++ + 2 files changed, 9 insertions(+) + +--- a/drivers/xen/xenbus/xenbus_xs.c ++++ b/drivers/xen/xenbus/xenbus_xs.c +@@ -801,6 +801,12 @@ static int process_msg(void) + goto out; + } + ++ if (msg->hdr.len > XENSTORE_PAYLOAD_MAX) { ++ kfree(msg); ++ err = -EINVAL; ++ goto out; ++ } ++ + body = kmalloc(msg->hdr.len + 1, GFP_NOIO | __GFP_HIGH); + if (body == NULL) { + kfree(msg); +--- a/include/xen/interface/io/xs_wire.h ++++ b/include/xen/interface/io/xs_wire.h +@@ -84,4 +84,7 @@ struct xenstore_domain_interface { + XENSTORE_RING_IDX rsp_cons, rsp_prod; + }; + ++/* Violating this is very bad. See docs/misc/xenstore.txt. */ ++#define XENSTORE_PAYLOAD_MAX 4096 ++ + #endif /* _XS_WIRE_H */