From: Greg Kroah-Hartman Date: Fri, 1 Feb 2013 10:26:31 +0000 (+0100) Subject: 3.7-stable patches X-Git-Tag: v3.0.62~8 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=a254002e66001afa65337282bedd642f303ec36e;p=thirdparty%2Fkernel%2Fstable-queue.git 3.7-stable patches added patches: drm-radeon-fix-a-rare-case-of-double-kfree.patch drm-radeon-fix-error-path-in-kpage-allocation.patch kvm-fix-irqfd-resampler-list-walk.patch netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch --- diff --git a/queue-3.7/drm-radeon-fix-a-rare-case-of-double-kfree.patch b/queue-3.7/drm-radeon-fix-a-rare-case-of-double-kfree.patch new file mode 100644 index 00000000000..70538843254 --- /dev/null +++ b/queue-3.7/drm-radeon-fix-a-rare-case-of-double-kfree.patch 
@@ -0,0 +1,42 @@ +From 1da80cfa8727abf404fcee44d04743febea54069 Mon Sep 17 00:00:00 2001 +From: Ilija Hadzic +Date: Wed, 23 Jan 2013 13:59:05 -0500 +Subject: drm/radeon: fix a rare case of double kfree + +From: Ilija Hadzic + +commit 1da80cfa8727abf404fcee44d04743febea54069 upstream. + +If one (but not both) allocations of p->chunks[].kpage[] +in radeon_cs_parser_init fail, the error path will free +the successfully allocated page, but leave a stale pointer +value in the kpage[] field. This will later cause a +double-free when radeon_cs_parser_fini is called. +This patch fixes the issue by forcing both pointers to NULL +after kfree in the error path. + +The circumstances under which the problem happens are very +rare. The card must be AGP and the system must run out of +kmalloc area just at the right time so that one allocation +succeeds, while the other fails. + +Signed-off-by: Ilija Hadzic +Cc: Herton Ronaldo Krzesinski +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_cs.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -273,6 +273,8 @@ int radeon_cs_parser_init(struct radeon_ + p->chunks[p->chunk_ib_idx].kpage[1] == NULL) { + kfree(p->chunks[p->chunk_ib_idx].kpage[0]); + kfree(p->chunks[p->chunk_ib_idx].kpage[1]); ++ p->chunks[p->chunk_ib_idx].kpage[0] = NULL; ++ p->chunks[p->chunk_ib_idx].kpage[1] = NULL; + return -ENOMEM; + } + } diff --git a/queue-3.7/drm-radeon-fix-error-path-in-kpage-allocation.patch b/queue-3.7/drm-radeon-fix-error-path-in-kpage-allocation.patch new file mode 100644 index 00000000000..1c8dcf2c6d8 --- /dev/null +++ b/queue-3.7/drm-radeon-fix-error-path-in-kpage-allocation.patch 
@@ -0,0 +1,32 @@ +From 25d8999780f8c1f53928f4a24a09c01550423109 Mon Sep 17 00:00:00 2001 +From: Ilija Hadzic +Date: Mon, 7 Jan 2013 18:21:59 -0500 +Subject: drm/radeon: fix error path in kpage allocation + +From: Ilija Hadzic + +commit 25d8999780f8c1f53928f4a24a09c01550423109 upstream. + +Index into chunks[] array doesn't look right. + +Signed-off-by: Ilija Hadzic +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_cs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/radeon/radeon_cs.c ++++ b/drivers/gpu/drm/radeon/radeon_cs.c +@@ -271,8 +271,8 @@ int radeon_cs_parser_init(struct radeon_ + p->chunks[p->chunk_ib_idx].kpage[1] = kmalloc(PAGE_SIZE, GFP_KERNEL); + if (p->chunks[p->chunk_ib_idx].kpage[0] == NULL || + p->chunks[p->chunk_ib_idx].kpage[1] == NULL) { +- kfree(p->chunks[i].kpage[0]); +- kfree(p->chunks[i].kpage[1]); ++ kfree(p->chunks[p->chunk_ib_idx].kpage[0]); ++ kfree(p->chunks[p->chunk_ib_idx].kpage[1]); + return -ENOMEM; + } + } diff --git a/queue-3.7/kvm-fix-irqfd-resampler-list-walk.patch b/queue-3.7/kvm-fix-irqfd-resampler-list-walk.patch new file mode 100644 index 00000000000..1eca60ee499 --- /dev/null +++ b/queue-3.7/kvm-fix-irqfd-resampler-list-walk.patch 
@@ -0,0 +1,30 @@ +From 49f8a1a5394d8baee5e56fb71e5cf993c228689a Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Thu, 6 Dec 2012 14:44:59 -0700 +Subject: kvm: Fix irqfd resampler list walk + +From: Alex Williamson + +commit 49f8a1a5394d8baee5e56fb71e5cf993c228689a upstream. + +Typo for the next pointer means we're walking random data here. + +Signed-off-by: Alex Williamson +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/eventfd.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/virt/kvm/eventfd.c ++++ b/virt/kvm/eventfd.c +@@ -332,7 +332,7 @@ kvm_irqfd_assign(struct kvm *kvm, struct + mutex_lock(&kvm->irqfds.resampler_lock); + + list_for_each_entry(resampler, +- &kvm->irqfds.resampler_list, list) { ++ &kvm->irqfds.resampler_list, link) { + if (resampler->notifier.gsi == irqfd->gsi) { + irqfd->resampler = resampler; + break; diff --git a/queue-3.7/netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch b/queue-3.7/netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch new file mode 100644 index 00000000000..d6425f09a45 --- /dev/null +++ b/queue-3.7/netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch 
@@ -0,0 +1,95 @@ +From c6f408996c625cb950cad024f90e50519f94713c Mon Sep 17 00:00:00 2001 +From: Mukund Jampala +Date: Sun, 16 Dec 2012 19:25:58 +0100 +Subject: netfilter: ip[6]t_REJECT: fix wrong transport header pointer in TCP reset + +From: Mukund Jampala + +commit c6f408996c625cb950cad024f90e50519f94713c upstream. + +The problem occurs when iptables constructs the tcp reset packet. +It doesn't initialize the pointer to the tcp header within the skb. +When the skb is passed to the ixgbe driver for transmit, the ixgbe +driver attempts to access the tcp header and crashes. +Currently, other drivers (such as our 1G e1000e or igb drivers) don't +access the tcp header on transmit unless the TSO option is turned on. + +<1>BUG: unable to handle kernel NULL pointer dereference at 0000000d +<1>IP: [] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] +<4>*pdpt = 0000000085e5d001 *pde = 0000000000000000 +<0>Oops: 0000 [#1] SMP +[...] +<4>Pid: 0, comm: swapper Tainted: P 2.6.35.12 #1 Greencity/Thurley +<4>EIP: 0060:[] EFLAGS: 00010246 CPU: 16 +<4>EIP is at ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] +<4>EAX: c7628820 EBX: 00000007 ECX: 00000000 EDX: 00000000 +<4>ESI: 00000008 EDI: c6882180 EBP: dfc6b000 ESP: ced95c48 +<4> DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +<0>Process swapper (pid: 0, ti=ced94000 task=ced73bd0 task.ti=ced94000) +<0>Stack: +<4> cbec7418 c779e0d8 c77cc888 c77cc8a8 0903010a 00000000 c77c0008 00000002 +<4><0> cd4997c0 00000010 dfc6b000 00000000 d0d176c9 c77cc8d8 c6882180 cbec7318 +<4><0> 00000004 00000004 cbec7230 cbec7110 00000000 cbec70c0 c779e000 00000002 +<0>Call Trace: +<4> [] ? 0xd0d176c9 +<4> [] ? 0xd0d18a4d +<4> [<411e243e>] ? dev_hard_start_xmit+0x218/0x2d7 +<4> [<411f03d7>] ? sch_direct_xmit+0x4b/0x114 +<4> [<411f056a>] ? __qdisc_run+0xca/0xe0 +<4> [<411e28b0>] ? dev_queue_xmit+0x2d1/0x3d0 +<4> [<411e8120>] ? neigh_resolve_output+0x1c5/0x20f +<4> [<411e94a1>] ? neigh_update+0x29c/0x330 +<4> [<4121cf29>] ? arp_process+0x49c/0x4cd +<4> [<411f80c9>] ? 
nf_hook_slow+0x3f/0xac +<4> [<4121ca8d>] ? arp_process+0x0/0x4cd +<4> [<4121ca8d>] ? arp_process+0x0/0x4cd +<4> [<4121c6d5>] ? T.901+0x38/0x3b +<4> [<4121c918>] ? arp_rcv+0xa3/0xb4 +<4> [<4121ca8d>] ? arp_process+0x0/0x4cd +<4> [<411e1173>] ? __netif_receive_skb+0x32b/0x346 +<4> [<411e19e1>] ? netif_receive_skb+0x5a/0x5f +<4> [<411e1ea9>] ? napi_skb_finish+0x1b/0x30 +<4> [] ? ixgbe_xmit_frame_ring+0x1564/0x2260 [ixgbe] +<4> [<41013468>] ? lapic_next_event+0x13/0x16 +<4> [<410429b2>] ? clockevents_program_event+0xd2/0xe4 +<4> [<411e1b03>] ? net_rx_action+0x55/0x127 +<4> [<4102da1a>] ? __do_softirq+0x77/0xeb +<4> [<4102dab1>] ? do_softirq+0x23/0x27 +<4> [<41003a67>] ? do_IRQ+0x7d/0x8e +<4> [<41002a69>] ? common_interrupt+0x29/0x30 +<4> [<41007bcf>] ? mwait_idle+0x48/0x4d +<4> [<4100193b>] ? cpu_idle+0x37/0x4c +<0>Code: df 09 d7 0f 94 c2 0f b6 d2 e9 e7 fb ff ff 31 db 31 c0 e9 38 +ff ff ff 80 78 06 06 0f 85 3e fb ff ff 8b 7c 24 38 8b 8f b8 00 00 00 +<0f> b6 51 0d f6 c2 01 0f 85 27 fb ff ff 80 e2 02 75 0d 8b 6c 24 +<0>EIP: [] ixgbe_xmit_frame_ring+0x8cc/0x2260 [ixgbe] SS:ESP + +Signed-off-by: Mukund Jampala +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/netfilter/ipt_REJECT.c | 1 + + net/ipv6/netfilter/ip6t_REJECT.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/ipv4/netfilter/ipt_REJECT.c ++++ b/net/ipv4/netfilter/ipt_REJECT.c +@@ -81,6 +81,7 @@ static void send_reset(struct sk_buff *o + niph->saddr = oiph->daddr; + niph->daddr = oiph->saddr; + ++ skb_reset_transport_header(nskb); + tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); + memset(tcph, 0, sizeof(*tcph)); + tcph->source = oth->dest; +--- a/net/ipv6/netfilter/ip6t_REJECT.c ++++ b/net/ipv6/netfilter/ip6t_REJECT.c +@@ -132,6 +132,7 @@ static void send_reset(struct net *net, + ip6h->saddr = oip6h->daddr; + ip6h->daddr = oip6h->saddr; + ++ skb_reset_transport_header(nskb); + tcph = (struct tcphdr *)skb_put(nskb, sizeof(struct tcphdr)); + /* Truncate to 
length (no data) */ + tcph->doff = sizeof(struct tcphdr)/4; diff --git a/queue-3.7/netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch b/queue-3.7/netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch new file mode 100644 index 00000000000..26066bf5276 --- /dev/null +++ b/queue-3.7/netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch @@ -0,0 +1,43 @@ +From 97cf00e93cc24898493e7a058105e3215257ee04 Mon Sep 17 00:00:00 2001 +From: Haibo Xi +Date: Thu, 6 Dec 2012 23:42:17 +0000 +Subject: netfilter: nf_ct_reasm: fix conntrack reassembly expire code + +From: Haibo Xi + +commit 97cf00e93cc24898493e7a058105e3215257ee04 upstream. + +Commit b836c99fd6c9 (ipv6: unify conntrack reassembly expire +code with standard one) use the standard IPv6 reassembly +code(ip6_expire_frag_queue) to handle conntrack reassembly expire. + +In ip6_expire_frag_queue, it invoke dev_get_by_index_rcu to get +which device received this expired packet.so we must save ifindex +when NF_conntrack get this packet. + +With this patch applied, I can see ICMP Time Exceeded sent +from the receiver when the sender sent out 1/2 fragmented +IPv6 packet. + +Signed-off-by: Haibo Xi +Signed-off-by: Pablo Neira Ayuso +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv6/netfilter/nf_conntrack_reasm.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -311,7 +311,10 @@ found: + else + fq->q.fragments = skb; + +- skb->dev = NULL; ++ if (skb->dev) { ++ fq->iif = skb->dev->ifindex; ++ skb->dev = NULL; ++ } + fq->q.stamp = skb->tstamp; + fq->q.meat += skb->len; + if (payload_len > fq->q.max_size) diff --git a/queue-3.7/series b/queue-3.7/series index 3c10edb08aa..2d9118a6847 100644 --- a/queue-3.7/series +++ b/queue-3.7/series 
@@ -65,3 +65,10 @@ x86-efi-fix-display-detection-in-efi-boot-stub.patch x86-efi-fix-32-bit-efi-handover-protocol-entry-point.patch efi-x86-pass-a-proper-identity-mapping-in-efi_call_phys_prelog.patch x86-efi-set-runtime_version-to-the-efi-spec-revision.patch +xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch +drm-radeon-fix-error-path-in-kpage-allocation.patch +drm-radeon-fix-a-rare-case-of-double-kfree.patch +kvm-fix-irqfd-resampler-list-walk.patch +netfilter-ipt_reject-fix-wrong-transport-header-pointer-in-tcp-reset.patch +netfilter-nf_ct_reasm-fix-conntrack-reassembly-expire-code.patch +x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch diff --git a/queue-3.7/x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch b/queue-3.7/x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch new file mode 100644 index 00000000000..28613ef2a10 --- /dev/null +++ b/queue-3.7/x86-sandy-bridge-sandy-bridge-workaround-depends-on-config_pci.patch 
@@ -0,0 +1,38 @@ +From e43b3cec711a61edf047adf6204d542f3a659ef8 Mon Sep 17 00:00:00 2001 +From: "H. Peter Anvin" +Date: Sun, 13 Jan 2013 20:56:41 -0800 +Subject: x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI + +From: "H. Peter Anvin" + +commit e43b3cec711a61edf047adf6204d542f3a659ef8 upstream. + +early_pci_allowed() and read_pci_config_16() are only available if +CONFIG_PCI is defined. + +Signed-off-by: H. Peter Anvin +Cc: Jesse Barnes +Signed-off-by: Abdallah Chatila + +--- + arch/x86/kernel/setup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -616,6 +616,7 @@ static unsigned reserve_low = CONFIG_X86 + + static bool __init snb_gfx_workaround_needed(void) + { ++#ifdef CONFIG_PCI + int i; + u16 vendor, devid; + static const u16 snb_ids[] = { +@@ -640,6 +641,7 @@ static bool __init snb_gfx_workaround_ne + for (i = 0; i < ARRAY_SIZE(snb_ids); i++) + if (devid == snb_ids[i]) + return true; ++#endif + + return false; + } diff --git a/queue-3.7/xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch b/queue-3.7/xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch new file mode 100644 index 00000000000..8ed07cb8773 --- /dev/null +++ b/queue-3.7/xfs-fix-_xfs_buf_find-oops-on-blocks-beyond-the-filesystem-end.patch 
@@ -0,0 +1,68 @@ +From eb178619f930fa2ba2348de332a1ff1c66a31424 Mon Sep 17 00:00:00 2001 +From: Dave Chinner +Date: Mon, 21 Jan 2013 23:53:52 +1100 +Subject: xfs: fix _xfs_buf_find oops on blocks beyond the filesystem end + +From: Dave Chinner + +commit eb178619f930fa2ba2348de332a1ff1c66a31424 upstream. + +When _xfs_buf_find is passed an out of range address, it will fail +to find a relevant struct xfs_perag and oops with a null +dereference. This can happen when trying to walk a filesystem with a +metadata inode that has a partially corrupted extent map (i.e. the +block number returned is corrupt, but is otherwise intact) and we +try to read from the corrupted block address. + +In this case, just fail the lookup. If it is readahead being issued, +it will simply not be done, but if it is real read that fails we +will get an error being reported. Ideally this case should result +in an EFSCORRUPTED error being reported, but we cannot return an +error through xfs_buf_read() or xfs_buf_get() so this lookup failure +may result in ENOMEM or EIO errors being reported instead. + +Signed-off-by: Dave Chinner +Reviewed-by: Brian Foster +Reviewed-by: Ben Myers +Signed-off-by: Ben Myers +Cc: CAI Qian +Signed-off-by: Greg Kroah-Hartman + +--- + fs/xfs/xfs_buf.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/fs/xfs/xfs_buf.c ++++ b/fs/xfs/xfs_buf.c +@@ -487,6 +487,7 @@ _xfs_buf_find( + struct rb_node *parent; + xfs_buf_t *bp; + xfs_daddr_t blkno = map[0].bm_bn; ++ xfs_daddr_t eofs; + int numblks = 0; + int i; + +@@ -498,6 +499,23 @@ _xfs_buf_find( + ASSERT(!(numbytes < (1 << btp->bt_sshift))); + ASSERT(!(BBTOB(blkno) & (xfs_off_t)btp->bt_smask)); + ++ /* ++ * Corrupted block numbers can get through to here, unfortunately, so we ++ * have to check that the buffer falls within the filesystem bounds. 
++ */ ++ eofs = XFS_FSB_TO_BB(btp->bt_mount, btp->bt_mount->m_sb.sb_dblocks); ++ if (blkno >= eofs) { ++ /* ++ * XXX (dgc): we should really be returning EFSCORRUPTED here, ++ * but none of the higher level infrastructure supports ++ * returning a specific error on buffer lookup failures. ++ */ ++ xfs_alert(btp->bt_mount, ++ "%s: Block out of range: block 0x%llx, EOFS 0x%llx ", ++ __func__, blkno, eofs); ++ return NULL; ++ } ++ + /* get tree root */ + pag = xfs_perag_get(btp->bt_mount, + xfs_daddr_to_agno(btp->bt_mount, blkno));
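Review bot: The commit log of drm-radeon-fix-error-path-in-kpage-allocation.patch ("Index into chunks[] array doesn't look right") understates the defect the hunk at radeon_cs.c line 271 corrects: both kmalloc results are stored in `p->chunks[p->chunk_ib_idx].kpage[]`, yet the error path freed `p->chunks[i].kpage[0]` and `kpage[1]`, the entries of whatever chunk the loop counter `i` happened to select, so the page just allocated leaked and a pointer owned by a different chunk was passed to kfree. The stable note would be clearer if it said so, and it should also state that the freed pointers are left dangling in the chunk, which is what the companion double-kfree patch addresses.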
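Review bot: The hunk at radeon_cs.c line 273 in drm-radeon-fix-a-rare-case-of-double-kfree.patch only applies after drm-radeon-fix-error-path-in-kpage-allocation.patch has rewritten the two kfree lines to index by `p->chunk_ib_idx`, because those rewritten lines are this hunk's context, so the order in queue-3.7/series (kpage-allocation fix first) must be kept. Clearing both pointers is the minimal correct fix since kfree(NULL) is a no-op; a one-line comment above the two new stores, e.g. `/* radeon_cs_parser_fini will kfree kpage[] again */`, would record why the NULL assignments are required.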
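Review bot: The one-token change at virt/kvm/eventfd.c line 332 (`list` to `link`) cannot be caught by the compiler: the original built, so the resampler structure evidently carries both a `list` and a `link` member, and list_for_each_entry() with the wrong one walks through the wrong list_head and dereferences unrelated memory, which is the "walking random data" the log mentions. The commit message should say which of the two members is the node on `kvm->irqfds.resampler_list` and which is the resampler's own list head, so the next reader of two similarly named fields does not repeat the mistake.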
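Review bot: The new `skb_reset_transport_header(nskb)` at ipt_REJECT.c line 81 is placed correctly: it runs immediately before the `skb_put()` that appends the TCP header, so the recorded transport offset is exactly where `tcph` lands, and a driver that consults skb_transport_header() on transmit (the ixgbe path in the oops) sees the real header instead of an offset that was never set on the freshly built skb. As a style point, the 2.6.35 oops in the log could be cut down to the BUG line and the ixgbe_xmit_frame_ring frame; the register dump, stack words and Code: bytes add nothing to the description of the fix.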
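Review bot: The ip6t_REJECT.c hunk at line 132 needs the same ordering as the IPv4 one and has it: the transport header is reset before `skb_put()`, and since `tcph->doff` is set a few lines later from `sizeof(struct tcphdr)/4`, the header length and transport offset now agree, which is what offload code uses to locate the TCP header.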
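Review bot: The `if (skb->dev)` guard at nf_conntrack_reasm.c line 311 keeps the previous `fq->iif` instead of clobbering it with a bogus index when a fragment carries no device, and moving `skb->dev = NULL` inside the branch changes nothing for the dev == NULL case, so the old behaviour is preserved there. Since every later fragment overwrites `fq->iif`, the ICMP Time Exceeded the log describes goes out via the device of the most recently queued fragment; a short comment noting that `fq->iif` is what `ip6_expire_frag_queue()` looks up with dev_get_by_index_rcu() would tie the store to the commit b836c99fd6c9 change it compensates for.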
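Review bot: In the queue-3.7/series hunk the ordering matters for the two radeon patches: drm-radeon-fix-error-path-in-kpage-allocation.patch is listed before drm-radeon-fix-a-rare-case-of-double-kfree.patch, which is the order the second patch's context lines require, so keep that pair in this order if the series is ever reshuffled.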
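Review bot: Wrapping the body of snb_gfx_workaround_needed() in `#ifdef CONFIG_PCI` (setup.c hunks at lines 616 and 640) means the function returns false on !CONFIG_PCI builds, i.e. the Sandy Bridge low-memory reservation is silently skipped there; that is acceptable because without PCI config access the GPU cannot be identified, but the log should state that the workaround is disabled in that configuration rather than only that early_pci_allowed() and read_pci_config_16() are unavailable. Separately, this patch file's tag block ends with `Signed-off-by: Abdallah Chatila` and, unlike the other six files in this queue update, has no `Signed-off-by: Greg Kroah-Hartman` line; the tag block should be made consistent before release.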
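Review bot: The bounds check added at xfs_buf.c line 499 tests only the first block: `if (blkno >= eofs)` rejects a lookup that starts past the end of the filesystem, but a buffer that starts in range and whose `numblks` (already summed at this point, since `numbytes` is asserted on just above) extends beyond `eofs` still passes. Consider `if (blkno < 0 || blkno >= eofs || blkno + numblks > eofs)`. Two small points on the xfs_alert: unless xfs_daddr_t is exactly unsigned long long, `blkno` and `eofs` should be cast to match the `%llx` conversions, and the format string `"... EOFS 0x%llx "` has a stray trailing space before the closing quote.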