From: Greg Kroah-Hartman Date: Wed, 23 Jan 2013 01:21:22 +0000 (-0800) Subject: 3.7-stable patches X-Git-Tag: v3.0.61~29 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ee7cee2325778ad541b031e83cc9f058d39a0b08;p=thirdparty%2Fkernel%2Fstable-queue.git 3.7-stable patches added patches: drm-i915-invalidate-the-relocation-presumed_offsets-along-the-slow-path.patch security-device_cgroup-lock-assert-fails-in-dev_exception_clean.patch
---
diff --git a/queue-3.7/drm-i915-invalidate-the-relocation-presumed_offsets-along-the-slow-path.patch b/queue-3.7/drm-i915-invalidate-the-relocation-presumed_offsets-along-the-slow-path.patch
new file mode 100644
index 00000000000..34851e0d677
--- /dev/null
+++ b/queue-3.7/drm-i915-invalidate-the-relocation-presumed_offsets-along-the-slow-path.patch
@@ -0,0 +1,71 @@
+From 262b6d363fcff16359c93bd58c297f961f6e6273 Mon Sep 17 00:00:00 2001
+From: Chris Wilson
+Date: Tue, 15 Jan 2013 16:17:54 +0000
+Subject: drm/i915: Invalidate the relocation presumed_offsets along the slow path
+
+From: Chris Wilson
+
+commit 262b6d363fcff16359c93bd58c297f961f6e6273 upstream.
+
+In the slow path, we are forced to copy the relocations prior to
+acquiring the struct mutex in order to handle pagefaults. We forgo
+copying the new offsets back into the relocation entries in order to
+prevent a recursive locking bug should we trigger a pagefault whilst
+holding the mutex for the reservations of the execbuffer. Therefore, we
+need to reset the presumed_offsets just in case the objects are rebound
+back into their old locations after relocating for this exexbuffer - if
+that were to happen we would assume the relocations were valid and leave
+the actual pointers to the kernels dangling, instant hang.
+
+Fixes regression from commit bcf50e2775bbc3101932d8e4ab8c7902aa4163b4
+Author: Chris Wilson
+Date: Sun Nov 21 22:07:12 2010 +0000
+
+ drm/i915: Handle pagefaults in execbuffer user relocations
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=55984
+Signed-off-by: Chris Wilson
+Cc: Daniel Vetter
+Signed-off-by: Daniel Vetter
+
+---
+ drivers/gpu/drm/i915/i915_gem_execbuffer.c | 21 +++++++++++++++++++++
+ 1 file changed, 21 insertions(+)
+
+--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c
++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c
+@@ -548,6 +548,8 @@ i915_gem_execbuffer_relocate_slow(struct
+ total = 0;
+ for (i = 0; i < count; i++) {
+ struct drm_i915_gem_relocation_entry __user *user_relocs;
++ u64 invalid_offset = (u64)-1;
++ int j;
+
+ user_relocs = (void __user *)(uintptr_t)exec[i].relocs_ptr;
+
+@@ -558,6 +560,25 @@ i915_gem_execbuffer_relocate_slow(struct
+ goto err;
+ }
+
++ /* As we do not update the known relocation offsets after
++ * relocating (due to the complexities in lock handling),
++ * we need to mark them as invalid now so that we force the
++ * relocation processing next time. Just in case the target
++ * object is evicted and then rebound into its old
++ * presumed_offset before the next execbuffer - if that
++ * happened we would make the mistake of assuming that the
++ * relocations were valid.
++ */
++ for (j = 0; j < exec[i].relocation_count; j++) {
++ if (copy_to_user(&user_relocs[j].presumed_offset,
++ &invalid_offset,
++ sizeof(invalid_offset))) {
++ ret = -EFAULT;
++ mutex_lock(&dev->struct_mutex);
++ goto err;
++ }
++ }
++
+ reloc_offset[i] = total;
+ total += exec[i].relocation_count;
+ }
diff --git a/queue-3.7/security-device_cgroup-lock-assert-fails-in-dev_exception_clean.patch b/queue-3.7/security-device_cgroup-lock-assert-fails-in-dev_exception_clean.patch
new file mode 100644
index 00000000000..1b6ad7d063e
--- /dev/null
+++ b/queue-3.7/security-device_cgroup-lock-assert-fails-in-dev_exception_clean.patch
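Review bot: In the added invalidation loop of the second inner hunk, `int j` is compared against `exec[i].relocation_count`, a count that comes from the userspace-supplied exec array; the field's declaration is outside the hunk, but if it is an unsigned 32-bit value the counter should match it, `unsigned int j;`. The loop issues one `copy_to_user()` per entry and no upper bound on the count is visible here, while the context line `total += exec[i].relocation_count;` accumulates the same untrusted value, so it is worth confirming that relocation_count is range-checked in the part of i915_gem_execbuffer_relocate_slow() that lies outside the hunk. The failure branch re-takes `dev->struct_mutex` before `goto err`, presumably because the err label expects the mutex held; a short comment such as `/* err path unlocks struct_mutex */` would make that explicit.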
@@ -0,0 +1,52 @@
+From 103a197c0c4ec936f5a243b5b092e4e49213f569 Mon Sep 17 00:00:00 2001
+From: Jerry Snitselaar
+Date: Thu, 17 Jan 2013 01:04:14 -0700
+Subject: security/device_cgroup: lock assert fails in dev_exception_clean()
+
+From: Jerry Snitselaar
+
+commit 103a197c0c4ec936f5a243b5b092e4e49213f569 upstream.
+
+devcgroup_css_free() calls dev_exception_clean() without the devcgroup_mutex being locked.
+
+Shutting down a kvm virt was giving me the following trace:
+
+[36280.732764] ------------[ cut here ]------------
+[36280.732778] WARNING: at /home/snits/dev/linux/security/device_cgroup.c:172 dev_exception_clean+0xa9/0xc0()
+[36280.732782] Hardware name: Studio XPS 8100
+[36280.732785] Modules linked in: xt_REDIRECT fuse ebtable_nat ebtables ipt_MASQUERADE iptable_nat nf_nat_ipv4 nf_nat xt_CHECKSUM iptable_mangle bridge stp llc nf_conntrack_ipv4 ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 nf_defrag_ipv4 ip6table_filter it87 hwmon_vid xt_state nf_conntrack ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek snd_hda_intel snd_hda_codec snd_hwdep snd_seq coretemp snd_seq_device crc32c_intel snd_pcm snd_page_alloc snd_timer snd broadcom tg3 serio_raw i7core_edac edac_core ptp pps_core lpc_ich pcspkr mfd_core soundcore microcode i2c_i801 nfsd auth_rpcgss nfs_acl lockd vhost_net sunrpc tun macvtap macvlan kvm_intel kvm uinput binfmt_misc autofs4 usb_storage firewire_ohci firewire_core crc_itu_t radeon drm_kms_helper ttm
+[36280.732921] Pid: 933, comm: libvirtd Tainted: G W 3.8.0-rc3-00307-g4c217de #1
+[36280.732922] Call Trace:
+[36280.732927] [] warn_slowpath_common+0x93/0xc0
+[36280.732930] [] warn_slowpath_null+0x1a/0x20
+[36280.732932] [] dev_exception_clean+0xa9/0xc0
+[36280.732934] [] devcgroup_css_free+0x1a/0x30
+[36280.732938] [] cgroup_diput+0x76/0x210
+[36280.732941] [] d_delete+0x120/0x180
+[36280.732943] [] vfs_rmdir+0xef/0x130
+[36280.732945] [] do_rmdir+0x107/0x1c0
+[36280.732949] [] ? trace_hardirqs_on_thunk+0x3a/0x3f
+[36280.732951] [] sys_rmdir+0x16/0x20
+[36280.732954] [] system_call_fastpath+0x16/0x1b
+[36280.732956] ---[ end trace ca39dced899a7d9f ]---
+
+Signed-off-by: Jerry Snitselaar
+Signed-off-by: James Morris
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ security/device_cgroup.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/security/device_cgroup.c
++++ b/security/device_cgroup.c
+@@ -207,7 +207,9 @@ static void devcgroup_destroy(struct cgr
+ struct dev_cgroup *dev_cgroup;
+
+ dev_cgroup = cgroup_to_devcgroup(cgroup);
++ mutex_lock(&devcgroup_mutex);
+ dev_exception_clean(dev_cgroup);
++ mutex_unlock(&devcgroup_mutex);
+ kfree(dev_cgroup);
+ }
+
diff --git a/queue-3.7/series b/queue-3.7/series
index 9df3fc62397..df42ea94b00 100644
--- a/queue-3.7/series
+++ b/queue-3.7/series
@@ -1,2 +1,4 @@
 make-sure-that-linuxrc-has-std-in-out-err.patch
 ensure-that-kernel_init_freeable-is-not-inlined-into-non-__init-code.patch
+drm-i915-invalidate-the-relocation-presumed_offsets-along-the-slow-path.patch
+security-device_cgroup-lock-assert-fails-in-dev_exception_clean.patch
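Review bot: The `mutex_lock(&devcgroup_mutex)` / `mutex_unlock(&devcgroup_mutex)` pair added around `dev_exception_clean(dev_cgroup)` in the device_cgroup patch has no comment explaining why a teardown path needs the lock; going by the WARNING in the quoted trace, the callee checks that the mutex is held, so I would add `/* dev_exception_clean() expects devcgroup_mutex to be held */` above the lock. The description names devcgroup_css_free() while the inner hunk header shows devcgroup_destroy(), presumably the same function under its 3.7 name, and a one-line backport remark would remove the doubt for anyone auditing the queue. The function begins outside the hunk, so whether anything else in it touches the exception list unlocked cannot be judged from here.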