From: Greg Kroah-Hartman Date: Wed, 24 Oct 2012 16:05:21 +0000 (-0700) Subject: 3.6-stable patches X-Git-Tag: v3.0.49~52 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=4117bfa612bb0ae34dc399a0a17a087240290007;p=thirdparty%2Fkernel%2Fstable-queue.git 3.6-stable patches added patches: kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch ring-buffer-check-for-uninitialized-cpu-buffer-before-resizing.patch s390-fix-linker-script-for-31-bit-builds.patch sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch sunrpc-set-alloc_slot-for-backchannel-tcp-ops.patch use-clamp_t-in-uname26-fix.patch x86-amd-mce-avoid-null-pointer-reference-on-cpu-northbridge-lookup.patch x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch --- diff --git a/queue-3.6/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch b/queue-3.6/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch new file mode 100644 index 00000000000..7f4bef7358f --- /dev/null +++ b/queue-3.6/kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch @@ -0,0 +1,63 @@ +From 2702b1526c7278c4d65d78de209a465d4de2885e Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 13:56:51 -0700 +Subject: kernel/sys.c: fix stack memory content leak via UNAME26 + +From: Kees Cook + +commit 2702b1526c7278c4d65d78de209a465d4de2885e upstream. + +Calling uname() with the UNAME26 personality set allows a leak of kernel +stack contents. This fixes it by defensively calculating the length of +copy_to_user() call, making the len argument unsigned, and initializing +the stack buffer to zero (now technically unneeded, but hey, overkill). + +CVE-2012-0957 + +Reported-by: PaX Team +Signed-off-by: Kees Cook +Cc: Andi Kleen +Cc: PaX Team +Cc: Brad Spengler +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1265,15 +1265,16 @@ DECLARE_RWSEM(uts_sem); + * Work around broken programs that cannot handle "Linux 3.0". + * Instead we map 3.x to 2.6.40+x, so e.g. 3.0 would be 2.6.40 + */ +-static int override_release(char __user *release, int len) ++static int override_release(char __user *release, size_t len) + { + int ret = 0; +- char buf[65]; + + if (current->personality & UNAME26) { +- char *rest = UTS_RELEASE; ++ const char *rest = UTS_RELEASE; ++ char buf[65] = { 0 }; + int ndots = 0; + unsigned v; ++ size_t copy; + + while (*rest) { + if (*rest == '.' && ++ndots >= 3) +@@ -1283,8 +1284,9 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- snprintf(buf, len, "2.6.%u%s", v, rest); +- ret = copy_to_user(release, buf, len); ++ copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); ++ ret = copy_to_user(release, buf, copy + 1); + } + return ret; + } diff --git a/queue-3.6/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch b/queue-3.6/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch new file mode 100644 index 00000000000..f180af18de3 --- /dev/null +++ b/queue-3.6/nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch @@ -0,0 +1,50 @@ +From cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sat, 13 Oct 2012 00:30:28 -0400 +Subject: NLM: nlm_lookup_file() may return NLMv4-specific error codes + +From: Trond Myklebust + +commit cd0b16c1c3cda12dbed1f8de8f1a9b0591990724 upstream. + +If the filehandle is stale, or open access is denied for some reason, +nlm_fopen() may return one of the NLMv4-specific error codes nlm4_stale_fh +or nlm4_failed. These get passed right through nlm_lookup_file(), +and so when nlmsvc_retrieve_args() calls the latter, it needs to filter +the result through the cast_status() machinery. + +Failure to do so, will trigger the BUG_ON() in encode_nlm_stat... + +Signed-off-by: Trond Myklebust +Reported-by: Larry McVoy +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/lockd/clntxdr.c | 2 +- + fs/lockd/svcproc.c | 3 ++- + 2 files changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/lockd/clntxdr.c ++++ b/fs/lockd/clntxdr.c +@@ -223,7 +223,7 @@ static void encode_nlm_stat(struct xdr_s + { + __be32 *p; + +- BUG_ON(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); ++ WARN_ON_ONCE(be32_to_cpu(stat) > NLM_LCK_DENIED_GRACE_PERIOD); + p = xdr_reserve_space(xdr, 4); + *p = stat; + } +--- a/fs/lockd/svcproc.c ++++ b/fs/lockd/svcproc.c +@@ -68,7 +68,8 @@ nlmsvc_retrieve_args(struct svc_rqst *rq + + /* Obtain file pointer. Not used by FREE_ALL call. */ + if (filp != NULL) { +- if ((error = nlm_lookup_file(rqstp, &file, &lock->fh)) != 0) ++ error = cast_status(nlm_lookup_file(rqstp, &file, &lock->fh)); ++ if (error != 0) + goto no_locks; + *filp = file; + diff --git a/queue-3.6/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch b/queue-3.6/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch new file mode 100644 index 00000000000..ef8ff477cab --- /dev/null +++ b/queue-3.6/oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch @@ -0,0 +1,31 @@ +From 44009105081b51417f311f4c3be0061870b6b8ed Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 10 Oct 2012 10:18:35 +0300 +Subject: oprofile, x86: Fix wrapping bug in op_x86_get_ctrl() + +From: Dan Carpenter + +commit 44009105081b51417f311f4c3be0061870b6b8ed upstream. + +The "event" variable is a u16 so the shift will always wrap to zero +making the line a no-op. + +Signed-off-by: Dan Carpenter +Signed-off-by: Robert Richter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/oprofile/nmi_int.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/oprofile/nmi_int.c ++++ b/arch/x86/oprofile/nmi_int.c +@@ -55,7 +55,7 @@ u64 op_x86_get_ctrl(struct op_x86_model_ + val |= counter_config->extra; + event &= model->event_mask ? model->event_mask : 0xFF; + val |= event & 0xFF; +- val |= (event & 0x0F00) << 24; ++ val |= (u64)(event & 0x0F00) << 24; + + return val; + } diff --git a/queue-3.6/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch b/queue-3.6/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch new file mode 100644 index 00000000000..0e8b992804a --- /dev/null +++ b/queue-3.6/pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch @@ -0,0 +1,49 @@ +From fdc858a466b738d35d3492bc7cf77b1dac98bf7c Mon Sep 17 00:00:00 2001 +From: Arnd Bergmann +Date: Mon, 30 Apr 2012 13:50:56 +0000 +Subject: pcmcia: sharpsl: don't discard sharpsl_pcmcia_ops + +From: Arnd Bergmann + +commit fdc858a466b738d35d3492bc7cf77b1dac98bf7c upstream. + +The sharpsl_pcmcia_ops structure gets passed into +sa11xx_drv_pcmcia_probe, where it gets accessed at run-time, +unlike all other pcmcia drivers that pass their structures +into platform_device_add_data, which makes a copy. + +This means the gcc warning is valid and the structure +must not be marked as __initdata. + +Without this patch, building collie_defconfig results in: + +drivers/pcmcia/pxa2xx_sharpsl.c:22:31: fatal error: mach-pxa/hardware.h: No such file or directory +compilation terminated. +make[3]: *** [drivers/pcmcia/pxa2xx_sharpsl.o] Error 1 +make[2]: *** [drivers/pcmcia] Error 2 +make[1]: *** [drivers] Error 2 +make: *** [sub-make] Error 2 + +Signed-off-by: Arnd Bergmann +Cc: Dominik Brodowski +Cc: Russell King +Cc: Pavel Machek +Cc: linux-pcmcia@lists.infradead.org +Cc: Jochen Friedrich +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pcmcia/pxa2xx_sharpsl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/pcmcia/pxa2xx_sharpsl.c ++++ b/drivers/pcmcia/pxa2xx_sharpsl.c +@@ -194,7 +194,7 @@ static void sharpsl_pcmcia_socket_suspen + sharpsl_pcmcia_init_reset(skt); + } + +-static struct pcmcia_low_level sharpsl_pcmcia_ops __initdata = { ++static struct pcmcia_low_level sharpsl_pcmcia_ops = { + .owner = THIS_MODULE, + .hw_init = sharpsl_pcmcia_hw_init, + .socket_state = sharpsl_pcmcia_socket_state, diff --git a/queue-3.6/ring-buffer-check-for-uninitialized-cpu-buffer-before-resizing.patch b/queue-3.6/ring-buffer-check-for-uninitialized-cpu-buffer-before-resizing.patch new file mode 100644 index 00000000000..c297cfa12ee --- /dev/null +++ b/queue-3.6/ring-buffer-check-for-uninitialized-cpu-buffer-before-resizing.patch @@ -0,0 +1,40 @@ +From 8e49f418c9632790bf456634742d34d97120a784 Mon Sep 17 00:00:00 2001 +From: Vaibhav Nagarnaik +Date: Wed, 10 Oct 2012 16:40:27 -0700 +Subject: ring-buffer: Check for uninitialized cpu buffer before resizing + +From: Vaibhav Nagarnaik + +commit 8e49f418c9632790bf456634742d34d97120a784 upstream. + +With a system where, num_present_cpus < num_possible_cpus, even if all +CPUs are online, non-present CPUs don't have per_cpu buffers allocated. +If per_cpu//buffer_size_kb is modified for such a CPU, it can cause +a panic due to NULL dereference in ring_buffer_resize(). + +To fix this, resize operation is allowed only if the per-cpu buffer has +been initialized. + +Link: http://lkml.kernel.org/r/1349912427-6486-1-git-send-email-vnagarnaik@google.com + +Signed-off-by: Vaibhav Nagarnaik +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -1567,6 +1567,10 @@ int ring_buffer_resize(struct ring_buffe + + put_online_cpus(); + } else { ++ /* Make sure this CPU has been intitialized */ ++ if (!cpumask_test_cpu(cpu_id, buffer->cpumask)) ++ goto out; ++ + cpu_buffer = buffer->buffers[cpu_id]; + + if (nr_pages == cpu_buffer->nr_pages) diff --git a/queue-3.6/s390-fix-linker-script-for-31-bit-builds.patch b/queue-3.6/s390-fix-linker-script-for-31-bit-builds.patch new file mode 100644 index 00000000000..6adc8f6b265 --- /dev/null +++ b/queue-3.6/s390-fix-linker-script-for-31-bit-builds.patch @@ -0,0 +1,54 @@ +From c985cb37f1b39c2c8035af741a2a0b79f1fbaca7 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Thu, 18 Oct 2012 11:11:01 +0200 +Subject: s390: fix linker script for 31 bit builds + +From: Heiko Carstens + +commit c985cb37f1b39c2c8035af741a2a0b79f1fbaca7 upstream. + +Because of a change in the s390 arch backend of binutils (commit 23ecd77 +"Pick the default arch depending on the target size" in binutils repo) +31 bit builds will fail since the linker would now try to create 64 bit +binary output. +Fix this by setting OUTPUT_ARCH to s390:31-bit instead of s390. +Thanks to Andreas Krebbel for figuring out the issue. + +Fixes this build error: + + LD init/built-in.o +s390x-4.7.2-ld: s390:31-bit architecture of input file + `arch/s390/kernel/head.o' is incompatible with s390:64-bit output + +Cc: Andreas Krebbel +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/boot/compressed/vmlinux.lds.S | 2 +- + arch/s390/kernel/vmlinux.lds.S | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/s390/boot/compressed/vmlinux.lds.S ++++ b/arch/s390/boot/compressed/vmlinux.lds.S +@@ -5,7 +5,7 @@ OUTPUT_FORMAT("elf64-s390", "elf64-s390" + OUTPUT_ARCH(s390:64-bit) + #else + OUTPUT_FORMAT("elf32-s390", "elf32-s390", "elf32-s390") +-OUTPUT_ARCH(s390) ++OUTPUT_ARCH(s390:31-bit) + #endif + + ENTRY(startup) +--- a/arch/s390/kernel/vmlinux.lds.S ++++ b/arch/s390/kernel/vmlinux.lds.S +@@ -8,7 +8,7 @@ + + #ifndef CONFIG_64BIT + OUTPUT_FORMAT("elf32-s390", "elf32-s390", "elf32-s390") +-OUTPUT_ARCH(s390) ++OUTPUT_ARCH(s390:31-bit) + ENTRY(startup) + jiffies = jiffies_64 + 4; + #else diff --git a/queue-3.6/series b/queue-3.6/series index 19be31e30e1..396d0ae7402 100644 --- a/queue-3.6/series +++ b/queue-3.6/series @@ -5,3 +5,14 @@ usbdevfs-fix-broken-scatter-gather-transfer.patch hwmon-coretemp-add-support-for-atom-ce4110-4150-4170.patch nohz-fix-idle-ticks-in-cpu-summary-line-of-proc-stat.patch arch-tile-avoid-generating-.eh_frame-information-in-modules.patch +nlm-nlm_lookup_file-may-return-nlmv4-specific-error-codes.patch +oprofile-x86-fix-wrapping-bug-in-op_x86_get_ctrl.patch +s390-fix-linker-script-for-31-bit-builds.patch +sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch +sunrpc-set-alloc_slot-for-backchannel-tcp-ops.patch +ring-buffer-check-for-uninitialized-cpu-buffer-before-resizing.patch +pcmcia-sharpsl-don-t-discard-sharpsl_pcmcia_ops.patch +kernel-sys.c-fix-stack-memory-content-leak-via-uname26.patch +use-clamp_t-in-uname26-fix.patch +x86-amd-mce-avoid-null-pointer-reference-on-cpu-northbridge-lookup.patch +x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch diff --git a/queue-3.6/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch b/queue-3.6/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch new file mode 100644 index 00000000000..c4b3f6e72f8 --- /dev/null +++ b/queue-3.6/sunrpc-prevent-kernel-stack-corruption-on-long-values-of-flush.patch @@ -0,0 +1,54 @@ +From 212ba90696ab4884e2025b0b13726d67aadc2cd4 Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Tue, 17 Jul 2012 00:01:26 +0200 +Subject: SUNRPC: Prevent kernel stack corruption on long values of flush + +From: Sasha Levin + +commit 212ba90696ab4884e2025b0b13726d67aadc2cd4 upstream. + +The buffer size in read_flush() is too small for the longest possible values +for it. This can lead to a kernel stack corruption: + +[ 43.047329] Kernel panic - not syncing: stack-protector: Kernel stack is corrupted in: ffffffff833e64b4 +[ 43.047329] +[ 43.049030] Pid: 6015, comm: trinity-child18 Tainted: G W 3.5.0-rc7-next-20120716-sasha #221 +[ 43.050038] Call Trace: +[ 43.050435] [] panic+0xcd/0x1f4 +[ 43.050931] [] ? read_flush.isra.7+0xe4/0x100 +[ 43.051602] [] __stack_chk_fail+0x16/0x20 +[ 43.052206] [] read_flush.isra.7+0xe4/0x100 +[ 43.052951] [] ? read_flush_pipefs+0x30/0x30 +[ 43.053594] [] read_flush_procfs+0x2c/0x30 +[ 43.053596] [] proc_reg_read+0x9c/0xd0 +[ 43.053596] [] ? proc_reg_write+0xd0/0xd0 +[ 43.053596] [] do_loop_readv_writev+0x4b/0x90 +[ 43.053596] [] do_readv_writev+0xf6/0x1d0 +[ 43.053596] [] vfs_readv+0x3e/0x60 +[ 43.053596] [] sys_readv+0x48/0xb0 +[ 43.053596] [] system_call_fastpath+0x1a/0x1f + +Signed-off-by: Sasha Levin +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1409,11 +1409,11 @@ static ssize_t read_flush(struct file *f + size_t count, loff_t *ppos, + struct cache_detail *cd) + { +- char tbuf[20]; ++ char tbuf[22]; + unsigned long p = *ppos; + size_t len; + +- sprintf(tbuf, "%lu\n", convert_to_wallclock(cd->flush_time)); ++ snprintf(tbuf, sizeof(tbuf), "%lu\n", convert_to_wallclock(cd->flush_time)); + len = strlen(tbuf); + if (p >= len) + return 0; diff --git a/queue-3.6/sunrpc-set-alloc_slot-for-backchannel-tcp-ops.patch b/queue-3.6/sunrpc-set-alloc_slot-for-backchannel-tcp-ops.patch new file mode 100644 index 00000000000..89caeb6b453 --- /dev/null +++ b/queue-3.6/sunrpc-set-alloc_slot-for-backchannel-tcp-ops.patch @@ -0,0 +1,49 @@ +From Trond.Myklebust@netapp.com Wed Oct 24 08:40:27 2012 +From: Trond Myklebust +Date: Mon, 22 Oct 2012 12:35:40 -0400 +Subject: SUNRPC: Set alloc_slot for backchannel tcp ops +To: stable@vger.kernel.org + +From: Bryan Schumaker + +commit 84e28a307e376f271505af65a7b7e212dd6f61f4 upstream. + +f39c1bfb5a03e2d255451bff05be0d7255298fa4 (SUNRPC: Fix a UDP transport +regression) introduced the "alloc_slot" function for xprt operations, +but never created one for the backchannel operations. This patch fixes +a null pointer dereference when mounting NFS over v4.1. + +Call Trace: + [] ? xprt_reserve+0x47/0x50 [sunrpc] + [] call_reserve+0x34/0x60 [sunrpc] + [] __rpc_execute+0x90/0x400 [sunrpc] + [] rpc_async_schedule+0x2a/0x40 [sunrpc] + [] process_one_work+0x139/0x500 + [] ? alloc_worker+0x70/0x70 + [] ? __rpc_execute+0x400/0x400 [sunrpc] + [] worker_thread+0x15e/0x460 + [] ? preempt_schedule+0x49/0x70 + [] ? rescuer_thread+0x230/0x230 + [] kthread+0x93/0xa0 + [] kernel_thread_helper+0x4/0x10 + [] ? kthread_freezable_should_stop+0x70/0x70 + [] ? gs_change+0x13/0x13 + +Signed-off-by: Bryan Schumaker +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xprtsock.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2539,6 +2539,7 @@ static struct rpc_xprt_ops xs_tcp_ops = + static struct rpc_xprt_ops bc_tcp_ops = { + .reserve_xprt = xprt_reserve_xprt, + .release_xprt = xprt_release_xprt, ++ .alloc_slot = xprt_alloc_slot, + .rpcbind = xs_local_rpcbind, + .buf_alloc = bc_malloc, + .buf_free = bc_free, diff --git a/queue-3.6/use-clamp_t-in-uname26-fix.patch b/queue-3.6/use-clamp_t-in-uname26-fix.patch new file mode 100644 index 00000000000..791ec054a35 --- /dev/null +++ b/queue-3.6/use-clamp_t-in-uname26-fix.patch @@ -0,0 +1,35 @@ +From 31fd84b95eb211d5db460a1dda85e004800a7b52 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 19 Oct 2012 18:45:53 -0700 +Subject: use clamp_t in UNAME26 fix + +From: Kees Cook + +commit 31fd84b95eb211d5db460a1dda85e004800a7b52 upstream. + +The min/max call needed to have explicit types on some architectures +(e.g. mn10300). Use clamp_t instead to avoid the warning: + + kernel/sys.c: In function 'override_release': + kernel/sys.c:1287:10: warning: comparison of distinct pointer types lacks a cast [enabled by default] + +Reported-by: Fengguang Wu +Signed-off-by: Kees Cook +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sys.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/sys.c ++++ b/kernel/sys.c +@@ -1284,7 +1284,7 @@ static int override_release(char __user + rest++; + } + v = ((LINUX_VERSION_CODE >> 8) & 0xff) + 40; +- copy = min(sizeof(buf), max_t(size_t, 1, len)); ++ copy = clamp_t(size_t, len, 1, sizeof(buf)); + copy = scnprintf(buf, copy, "2.6.%u%s", v, rest); + ret = copy_to_user(release, buf, copy + 1); + } diff --git a/queue-3.6/x86-amd-mce-avoid-null-pointer-reference-on-cpu-northbridge-lookup.patch b/queue-3.6/x86-amd-mce-avoid-null-pointer-reference-on-cpu-northbridge-lookup.patch new file mode 100644 index 00000000000..9a0485bdc85 --- /dev/null +++ b/queue-3.6/x86-amd-mce-avoid-null-pointer-reference-on-cpu-northbridge-lookup.patch @@ -0,0 +1,59 @@ +From 21c5e50e15b1abd797e62f18fd7f90b9cc004cbd Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman +Date: Mon, 1 Oct 2012 14:42:05 +0800 +Subject: x86, amd, mce: Avoid NULL pointer reference on CPU northbridge lookup + +From: Daniel J Blueman + +commit 21c5e50e15b1abd797e62f18fd7f90b9cc004cbd upstream. + +When booting on a federated multi-server system (NumaScale), the +processor Northbridge lookup returns NULL; add guards to prevent this +causing an oops. + +On those systems, the northbridge is accessed through MMIO and the +"normal" northbridge enumeration in amd_nb.c doesn't work since we're +generating the northbridge ID from the initial APIC ID and the last +is not unique on those systems. Long story short, we end up without +northbridge descriptors. + +Signed-off-by: Daniel J Blueman +Link: http://lkml.kernel.org/r/1349073725-14093-1-git-send-email-daniel@numascale-asia.com +[ Boris: beef up commit message ] +Signed-off-by: Borislav Petkov +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -576,12 +576,10 @@ static __cpuinit int threshold_create_ba + int err = 0; + + if (shared_bank[bank]) { +- + nb = node_to_amd_nb(amd_get_nb_id(cpu)); +- WARN_ON(!nb); + + /* threshold descriptor already initialized on this node? */ +- if (nb->bank4) { ++ if (nb && nb->bank4) { + /* yes, use it */ + b = nb->bank4; + err = kobject_add(b->kobj, &dev->kobj, name); +@@ -615,8 +613,10 @@ static __cpuinit int threshold_create_ba + atomic_set(&b->cpus, 1); + + /* nb is already initialized, see above */ +- WARN_ON(nb->bank4); +- nb->bank4 = b; ++ if (nb) { ++ WARN_ON(nb->bank4); ++ nb->bank4 = b; ++ } + } + + err = allocate_threshold_blocks(cpu, bank, 0, diff --git a/queue-3.6/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch b/queue-3.6/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch new file mode 100644 index 00000000000..5bf83a3e440 --- /dev/null +++ b/queue-3.6/x86-exclude-e820_reserved-regions-and-memory-holes-above-4-gb-from-direct-mapping.patch @@ -0,0 +1,52 @@ +From 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a Mon Sep 17 00:00:00 2001 +From: Jacob Shin +Date: Thu, 20 Oct 2011 16:15:26 -0500 +Subject: x86: Exclude E820_RESERVED regions and memory holes above 4 GB from direct mapping. + +From: Jacob Shin + +commit 1bbbbe779aabe1f0768c2bf8f8c0a5583679b54a upstream. + +On systems with very large memory (1 TB in our case), BIOS may report a +reserved region or a hole in the E820 map, even above the 4 GB range. Exclude +these from the direct mapping. + +[ hpa: this should be done not just for > 4 GB but for everything above the legacy + region (1 MB), at the very least. That, however, turns out to require significant + restructuring. That work is well underway, but is not suitable for rc/stable. ] + +Signed-off-by: Jacob Shin +Link: http://lkml.kernel.org/r/1319145326-13902-1-git-send-email-jacob.shin@amd.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 17 +++++++++++++++-- + 1 file changed, 15 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -919,8 +919,21 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_X86_64 + if (max_pfn > max_low_pfn) { +- max_pfn_mapped = init_memory_mapping(1UL<<32, +- max_pfn<addr + ei->size <= 1UL << 32) ++ continue; ++ ++ if (ei->type == E820_RESERVED) ++ continue; ++ ++ max_pfn_mapped = init_memory_mapping( ++ ei->addr < 1UL << 32 ? 1UL << 32 : ei->addr, ++ ei->addr + ei->size); ++ } ++ + /* can we preseve max_low_pfn ?*/ + max_low_pfn = max_pfn; + }