From a6dee57638097a85d661ef0095761451a4635c8c Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 19 Oct 2010 17:44:13 -0700 Subject: [PATCH] .33 stuff ignore please --- queue-2.6.33/atl1-fix-resume.patch | 40 ++++++ .../de-pessimize-rds_page_copy_user.patch | 78 +++++++++++ ...ne-fix-interrupt-clearing-for-mv_xor.patch | 42 ++++++ ...adeon-fix-pci-id-5657-to-be-an-rv410.patch | 36 +++++ ...eserve-timer-state-in-remove_hrtimer.patch | 88 ++++++++++++ .../input-joydev-fix-jsiocsaxmap-ioctl.patch | 33 +++++ .../mac80211-fix-use-after-free.patch | 58 ++++++++ ...-t-walk-off-the-end-of-fast-symlinks.patch | 33 +++++ ...n-between-inode-and-reiserfs-mutexes.patch | 98 +++++++++++++ ...fix-unwanted-reiserfs-lock-recursion.patch | 129 ++++++++++++++++++ ...er-fix-typo-of-time-extends-per-page.patch | 89 ++++++++++++ queue-2.6.33/series | 19 +++ ...ctor-handling-during-request-restart.patch | 104 ++++++++++++++ ...-an-oops-when-card-is-unknown-card-0.patch | 53 +++++++ ...compat-microcode-loading-translation.patch | 88 ++++++++++++ ...al-private-ioctl-memory-content-leak.patch | 39 ++++++ ...ng-fix-the-mci_miscj-iteration-order.patch | 61 +++++++++ ...bogus-error-check-in-hpet_assign_irq.patch | 35 +++++ ...6-irq-plug-memory-leak-in-sparse-irq.patch | 51 +++++++ ...ster-the-memory-blocks-actually-used.patch | 78 +++++++++++ 20 files changed, 1252 insertions(+) create mode 100644 queue-2.6.33/atl1-fix-resume.patch create mode 100644 queue-2.6.33/de-pessimize-rds_page_copy_user.patch create mode 100644 queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch create mode 100644 queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch create mode 100644 queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch create mode 100644 queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch create mode 100644 queue-2.6.33/mac80211-fix-use-after-free.patch create mode 100644 queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch create mode 100644 queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch create mode 100644 queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch create mode 100644 queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch create mode 100644 queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch create mode 100644 queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch create mode 100644 queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch create mode 100644 queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch create mode 100644 queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch create mode 100644 queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch create mode 100644 queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch create mode 100644 queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch diff --git a/queue-2.6.33/atl1-fix-resume.patch b/queue-2.6.33/atl1-fix-resume.patch new file mode 100644 index 00000000000..1f7831bf6ba --- /dev/null +++ b/queue-2.6.33/atl1-fix-resume.patch @@ -0,0 +1,40 @@ +From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001 +From: Luca Tettamanti +Date: Wed, 22 Sep 2010 10:41:58 +0000 +Subject: atl1: fix resume + +From: Luca Tettamanti + +commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream. + +adapter->cmb.cmb is initialized when the device is opened and freed when +it's closed. Accessing it unconditionally during resume results either +in a crash (NULL pointer dereference, when the interface has not been +opened yet) or data corruption (when the interface has been used and +brought down adapter->cmb.cmb points to a deallocated memory area). + +Signed-off-by: Luca Tettamanti +Acked-by: Chris Snook +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/atlx/atl1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/atlx/atl1.c ++++ b/drivers/net/atlx/atl1.c +@@ -2849,10 +2849,11 @@ static int atl1_resume(struct pci_dev *p + pci_enable_wake(pdev, PCI_D3cold, 0); + + atl1_reset_hw(&adapter->hw); +- adapter->cmb.cmb->int_stats = 0; + +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ adapter->cmb.cmb->int_stats = 0; + atl1_up(adapter); ++ } + netif_device_attach(netdev); + + return 0; diff --git a/queue-2.6.33/de-pessimize-rds_page_copy_user.patch b/queue-2.6.33/de-pessimize-rds_page_copy_user.patch new file mode 100644 index 00000000000..143b006fb1e --- /dev/null +++ b/queue-2.6.33/de-pessimize-rds_page_copy_user.patch @@ -0,0 +1,78 @@ +From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:09:28 -0700 +Subject: De-pessimize rds_page_copy_user + +From: Linus Torvalds + +commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream. + +Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and +the unsafe atomic user mode accessor functions. It's actually slower +than the straightforward code on any reasonable modern CPU. + +Back when the code was written (although probably not by the time it was +actually merged, though), 32-bit x86 may have been the dominant +architecture. And there kmap_atomic() can be a lot faster than kmap() +(unless you have very good locality, in which case the virtual address +caching by kmap() can overcome all the downsides). + +But these days, x86-64 may not be more populous, but it's getting there +(and if you care about performance, it's definitely already there - +you'd have upgraded your CPU's already in the last few years). And on +x86-64, the non-kmap_atomic() version is faster, simply because the code +is simpler and doesn't have the "re-try page fault" case. + +People with old hardware are not likely to care about RDS anyway, and +the optimization for the 32-bit case is simply buggy, since it doesn't +verify the user addresses properly. + +Reported-by: Dan Rosenberg +Acked-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/page.c | 27 +++++++-------------------- + 1 file changed, 7 insertions(+), 20 deletions(-) + +--- a/net/rds/page.c ++++ b/net/rds/page.c +@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page + unsigned long ret; + void *addr; + +- if (to_user) ++ addr = kmap(page); ++ if (to_user) { + rds_stats_add(s_copy_to_user, bytes); +- else ++ ret = copy_to_user(ptr, addr + offset, bytes); ++ } else { + rds_stats_add(s_copy_from_user, bytes); +- +- addr = kmap_atomic(page, KM_USER0); +- if (to_user) +- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes); +- else +- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes); +- kunmap_atomic(addr, KM_USER0); +- +- if (ret) { +- addr = kmap(page); +- if (to_user) +- ret = copy_to_user(ptr, addr + offset, bytes); +- else +- ret = copy_from_user(addr + offset, ptr, bytes); +- kunmap(page); +- if (ret) +- return -EFAULT; ++ ret = copy_from_user(addr + offset, ptr, bytes); + } ++ kunmap(page); + +- return 0; ++ return ret ? -EFAULT : 0; + } + EXPORT_SYMBOL_GPL(rds_page_copy_user); + diff --git a/queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch b/queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch new file mode 100644 index 00000000000..7b111f3cba7 --- /dev/null +++ b/queue-2.6.33/dmaengine-fix-interrupt-clearing-for-mv_xor.patch @@ -0,0 +1,42 @@ +From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001 +From: Simon Guinot +Date: Fri, 17 Sep 2010 23:33:51 +0200 +Subject: dmaengine: fix interrupt clearing for mv_xor + +From: Simon Guinot + +commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream. + +When using simultaneously the two DMA channels on a same engine, some +transfers are never completed. For example, an endless lock can occur +while writing heavily on a RAID5 array (with async-tx offload support +enabled). + +Note that this issue can also be reproduced by using the DMA test +client. + +On a same engine, the interrupt cause register is shared between two +DMA channels. This patch make sure that the cause bit is only cleared +for the requested channel. + +Signed-off-by: Simon Guinot +Tested-by: Luc Saillard +Acked-by: saeed bishara +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/mv_xor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause + + static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan) + { +- u32 val = (1 << (1 + (chan->idx * 16))); ++ u32 val = ~(1 << (chan->idx * 16)); + dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val); + __raw_writel(val, XOR_INTR_CAUSE(chan)); + } diff --git a/queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch b/queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch new file mode 100644 index 00000000000..7a1439ad3dd --- /dev/null +++ b/queue-2.6.33/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch @@ -0,0 +1,36 @@ +From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Sat, 25 Sep 2010 17:45:50 +1000 +Subject: drm/radeon: fix PCI ID 5657 to be an RV410 + +From: Dave Airlie + +commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream. + +fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012 + +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + include/drm/drm_pciids.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -85,7 +85,6 @@ + {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ +- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ +@@ -103,6 +102,7 @@ + {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ ++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \ + {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \ diff --git a/queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch b/queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch new file mode 100644 index 00000000000..0d3a15bbfa8 --- /dev/null +++ b/queue-2.6.33/hrtimer-preserve-timer-state-in-remove_hrtimer.patch @@ -0,0 +1,88 @@ +From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001 +From: Salman Qazi +Date: Tue, 12 Oct 2010 07:25:19 -0700 +Subject: hrtimer: Preserve timer state in remove_hrtimer() + +From: Salman Qazi + +commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream. + +The race is described as follows: + +CPU X CPU Y +remove_hrtimer +// state & QUEUED == 0 +timer->state = CALLBACK +unlock timer base +timer->f(n) //very long + hrtimer_start + lock timer base + remove_hrtimer // no effect + hrtimer_enqueue + timer->state = CALLBACK | + QUEUED + unlock timer base + hrtimer_start + lock timer base + remove_hrtimer + mode = INACTIVE + // CALLBACK bit lost! + switch_hrtimer_base + CALLBACK bit not set: + timer->base + changes to a + different CPU. +lock this CPU's timer base + +The bug was introduced with commit ca109491f (hrtimer: removing all ur +callback modes) in 2.6.29 + +[ tglx: Feed new state via local variable and add a comment. ] + +Signed-off-by: Salman Qazi +Cc: akpm@linux-foundation.org +Cc: Peter Zijlstra +LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -936,6 +936,7 @@ static inline int + remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base) + { + if (hrtimer_is_queued(timer)) { ++ unsigned long state; + int reprogram; + + /* +@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st + debug_deactivate(timer); + timer_stats_hrtimer_clear_start_info(timer); + reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); +- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, +- reprogram); ++ /* ++ * We must preserve the CALLBACK state flag here, ++ * otherwise we could move the timer base in ++ * switch_hrtimer_base. ++ */ ++ state = timer->state & HRTIMER_STATE_CALLBACK; ++ __remove_hrtimer(timer, base, state, reprogram); + return 1; + } + return 0; +@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer + BUG_ON(timer->state != HRTIMER_STATE_CALLBACK); + enqueue_hrtimer(timer, base); + } ++ ++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK)); ++ + timer->state &= ~HRTIMER_STATE_CALLBACK; + } + diff --git a/queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch b/queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch new file mode 100644 index 00000000000..b9788a0c9c7 --- /dev/null +++ b/queue-2.6.33/input-joydev-fix-jsiocsaxmap-ioctl.patch @@ -0,0 +1,33 @@ +From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001 +From: Kenneth Waters +Date: Tue, 21 Sep 2010 00:58:23 -0700 +Subject: Input: joydev - fix JSIOCSAXMAP ioctl + +From: Kenneth Waters + +commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream. + +Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to +event axis in addition to abspam. This fixes a regression introduced +by 999b874f. + +Signed-off-by: Kenneth Waters +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joydev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(str + + memcpy(joydev->abspam, abspam, len); + ++ for (i = 0; i < joydev->nabs; i++) ++ joydev->absmap[joydev->abspam[i]] = i; ++ + out: + kfree(abspam); + return retval; diff --git a/queue-2.6.33/mac80211-fix-use-after-free.patch b/queue-2.6.33/mac80211-fix-use-after-free.patch new file mode 100644 index 00000000000..ee87a872367 --- /dev/null +++ b/queue-2.6.33/mac80211-fix-use-after-free.patch @@ -0,0 +1,58 @@ +From cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 24 Sep 2010 11:20:47 +0200 +Subject: mac80211: fix use-after-free + +From: Johannes Berg + +commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream. + +commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1 +Author: Johannes Berg +Date: Wed Nov 25 17:46:15 2009 +0100 + + mac80211: move cmntr flag out of rx flags + +moved the CMTR flag into the skb's status, and +in doing so introduced a use-after-free -- when +the skb has been handed to cooked monitors the +status setting will touch now invalid memory. + +Additionally, moving it there has effectively +discarded the optimisation -- since the bit is +only ever set on freed SKBs, and those were a +copy, it could never be checked. + +For the current release, fixing this properly +is a bit too involved, so let's just remove the +problematic code and leave userspace with one +copy of each frame for each virtual interface. + +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rx.c | 4 ---- + 1 file changed, 4 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -2123,9 +2123,6 @@ static void ieee80211_rx_cooked_monitor( + struct net_device *prev_dev = NULL; + struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb); + +- if (status->flag & RX_FLAG_INTERNAL_CMTR) +- goto out_free_skb; +- + if (skb_headroom(skb) < sizeof(*rthdr) && + pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC)) + goto out_free_skb; +@@ -2184,7 +2181,6 @@ static void ieee80211_rx_cooked_monitor( + } else + goto out_free_skb; + +- status->flag |= RX_FLAG_INTERNAL_CMTR; + return; + + out_free_skb: diff --git a/queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch b/queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch new file mode 100644 index 00000000000..d49b6f1b8ea --- /dev/null +++ b/queue-2.6.33/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch @@ -0,0 +1,33 @@ +From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001 +From: Joel Becker +Date: Wed, 29 Sep 2010 17:33:05 -0700 +Subject: ocfs2: Don't walk off the end of fast symlinks. + +From: Joel Becker + +commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream. + +ocfs2 fast symlinks are NUL terminated strings stored inline in the +inode data area. However, disk corruption or a local attacker could, in +theory, remove that NUL. Because we're using strlen() (my fault, +introduced in a731d1 when removing vfs_follow_link()), we could walk off +the end of that string. + +Signed-off-by: Joel Becker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/symlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/symlink.c ++++ b/fs/ocfs2/symlink.c +@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru + } + + /* Fast symlinks can't be large */ +- len = strlen(target); ++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb)); + link = kzalloc(len + 1, GFP_NOFS); + if (!link) { + status = -ENOMEM; diff --git a/queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch b/queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch new file mode 100644 index 00000000000..54e3a5082cc --- /dev/null +++ b/queue-2.6.33/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch @@ -0,0 +1,98 @@ +From 3f259d092c7a2fdf217823e8f1838530adb0cdb0 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Thu, 30 Sep 2010 15:15:37 -0700 +Subject: reiserfs: fix dependency inversion between inode and reiserfs mutexes + +From: Frederic Weisbecker + +commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream. + +The reiserfs mutex already depends on the inode mutex, so we can't lock +the inode mutex in reiserfs_unpack() without using the safe locking API, +because reiserfs_unpack() is always called with the reiserfs mutex locked. + +This fixes: + + ======================================================= + [ INFO: possible circular locking dependency detected ] + 2.6.35c #13 + ------------------------------------------------------- + lilo/1606 is trying to acquire lock: + (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x60/0x110 [reiserfs] + + but task is already holding lock: + (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_write_lock+0x28/0x40 [reiserfs] + [] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs] + [] reiserfs_fill_super+0x941/0xe60 [reiserfs] + [] get_sb_bdev+0x117/0x170 + [] get_super_block+0x21/0x30 [reiserfs] + [] vfs_kern_mount+0x6a/0x1b0 + [] do_kern_mount+0x39/0xe0 + [] do_mount+0x340/0x790 + [] sys_mount+0x84/0xb0 + [] syscall_call+0x7/0xb + + -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_unpack+0x60/0x110 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + + other info that might help us debug this: + + 1 lock held by lilo/1606: + #0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + stack backtrace: + Pid: 1606, comm: lilo Not tainted 2.6.35c #13 + Call Trace: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_unpack+0x60/0x110 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + +Reported-by: Jarek Poplawski +Tested-by: Jarek Poplawski +Signed-off-by: Frederic Weisbecker +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/reiserfs/ioctl.c ++++ b/fs/reiserfs/ioctl.c +@@ -188,7 +188,7 @@ int reiserfs_unpack(struct inode *inode, + /* we need to make sure nobody is changing the file size beneath + ** us + */ +- mutex_lock(&inode->i_mutex); ++ reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb); + reiserfs_write_lock(inode->i_sb); + + write_from = inode->i_size & (blocksize - 1); diff --git a/queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch b/queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch new file mode 100644 index 00000000000..e7f39900857 --- /dev/null +++ b/queue-2.6.33/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch @@ -0,0 +1,129 @@ +From 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Thu, 30 Sep 2010 15:15:38 -0700 +Subject: reiserfs: fix unwanted reiserfs lock recursion + +From: Frederic Weisbecker + +commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream. + +Prevent from recursively locking the reiserfs lock in reiserfs_unpack() +because we may call journal_begin() that requires the lock to be taken +only once, otherwise it won't be able to release the lock while taking +other mutexes, ending up in inverted dependencies between the journal +mutex and the reiserfs lock for example. + +This fixes: + + ======================================================= + [ INFO: possible circular locking dependency detected ] + 2.6.35.4.4a #3 + ------------------------------------------------------- + lilo/1620 is trying to acquire lock: + (&journal->j_mutex){+.+...}, at: [] do_journal_begin_r+0x7f/0x340 [reiserfs] + + but task is already holding lock: + (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_write_lock+0x28/0x40 [reiserfs] + [] do_journal_begin_r+0x86/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_remount+0x224/0x530 [reiserfs] + [] do_remount_sb+0x60/0x110 + [] do_mount+0x625/0x790 + [] sys_mount+0x84/0xb0 + [] syscall_call+0x7/0xb + + -> #0 (&journal->j_mutex){+.+...}: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] do_journal_begin_r+0x7f/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] + [] reiserfs_get_block+0x22c/0x1530 [reiserfs] + [] __block_prepare_write+0x1bb/0x3a0 + [] block_prepare_write+0x26/0x40 + [] reiserfs_prepare_write+0x88/0x170 [reiserfs] + [] reiserfs_unpack+0xe6/0x120 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + + other info that might help us debug this: + + 2 locks held by lilo/1620: + #0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x6a/0x120 [reiserfs] + #1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + stack backtrace: + Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3 + Call Trace: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] do_journal_begin_r+0x7f/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] + [] reiserfs_get_block+0x22c/0x1530 [reiserfs] + [] __block_prepare_write+0x1bb/0x3a0 + [] block_prepare_write+0x26/0x40 + [] reiserfs_prepare_write+0x88/0x170 [reiserfs] + [] reiserfs_unpack+0xe6/0x120 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + +Reported-by: Jarek Poplawski +Tested-by: Jarek Poplawski +Signed-off-by: Frederic Weisbecker +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/ioctl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/reiserfs/ioctl.c ++++ b/fs/reiserfs/ioctl.c +@@ -170,6 +170,7 @@ int reiserfs_prepare_write(struct file * + int reiserfs_unpack(struct inode *inode, struct file *filp) + { + int retval = 0; ++ int depth; + int index; + struct page *page; + struct address_space *mapping; +@@ -189,7 +190,7 @@ int reiserfs_unpack(struct inode *inode, + ** us + */ + reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb); +- reiserfs_write_lock(inode->i_sb); ++ depth = reiserfs_write_lock_once(inode->i_sb); + + write_from = inode->i_size & (blocksize - 1); + /* if we are on a block boundary, we are already unpacked. */ +@@ -224,6 +225,6 @@ int reiserfs_unpack(struct inode *inode, + + out: + mutex_unlock(&inode->i_mutex); +- reiserfs_write_unlock(inode->i_sb); ++ reiserfs_write_unlock_once(inode->i_sb, depth); + return retval; + } diff --git a/queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch b/queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch new file mode 100644 index 00000000000..ba2eb6c529e --- /dev/null +++ b/queue-2.6.33/ring-buffer-fix-typo-of-time-extends-per-page.patch @@ -0,0 +1,89 @@ +From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 12 Oct 2010 12:06:43 -0400 +Subject: ring-buffer: Fix typo of time extends per page + +From: Steven Rostedt + +commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream. + +Time stamps for the ring buffer are created by the difference between +two events. Each page of the ring buffer holds a full 64 bit timestamp. +Each event has a 27 bit delta stamp from the last event. The unit of time +is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events +happen more than 134 milliseconds apart, a time extend is inserted +to add more bits for the delta. The time extend has 59 bits, which +is good for ~18 years. + +Currently the time extend is committed separately from the event. +If an event is discarded before it is committed, due to filtering, +the time extend still exists. If all events are being filtered, then +after ~134 milliseconds a new time extend will be added to the buffer. + +This can only happen till the end of the page. Since each page holds +a full timestamp, there is no reason to add a time extend to the +beginning of a page. Time extends can only fill a page that has actual +data at the beginning, so there is no fear that time extends will fill +more than a page without any data. + +When reading an event, a loop is made to skip over time extends +since they are only used to maintain the time stamp and are never +given to the caller. As a paranoid check to prevent the loop running +forever, with the knowledge that time extends may only fill a page, +a check is made that tests the iteration of the loop, and if the +iteration is more than the number of time extends that can fit in a page +a warning is printed and the ring buffer is disabled (all of ftrace +is also disabled with it). + +There is another event type that is called a TIMESTAMP which can +hold 64 bits of data in the theoretical case that two events happen +18 years apart. This code has not been implemented, but the name +of this event exists, as well as the structure for it. The +size of a TIMESTAMP is 16 bytes, where as a time extend is only +8 bytes. The macro used to calculate how many time extends can fit on +a page used the TIMESTAMP size instead of the time extend size +cutting the amount in half. + +The following test case can easily trigger the warning since we only +need to have half the page filled with time extends to trigger the +warning: + + # cd /sys/kernel/debug/tracing/ + # echo function > current_tracer + # echo 'common_pid < 0' > events/ftrace/function/filter + # echo > trace + # echo 1 > trace_marker + # sleep 120 + # cat trace + +Enabling the function tracer and then setting the filter to only trace +functions where the process id is negative (no events), then clearing +the trace buffer to ensure that we have nothing in the buffer, +then write to trace_marker to add an event to the beginning of a page, +sleep for 2 minutes (only 35 seconds is probably needed, but this +guarantees the bug), and then finally reading the trace which will +trigger the bug. + +This patch fixes the typo and prevents the false positive of that warning. + +Reported-by: Hans J. Koch +Tested-by: Hans J. Koch +Cc: Thomas Gleixner +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 de + #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2)) + + /* Max number of timestamps that can fit on a page */ +-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP) ++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND) + + int ring_buffer_print_page_header(struct trace_seq *s) + { diff --git a/queue-2.6.33/series b/queue-2.6.33/series index d618cf1df82..6e7ef79f7f5 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series @@ -12,3 +12,22 @@ x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch x86-amd-iommu-work-around-s3-bios-bug.patch tracing-x86-don-t-use-mcount-in-pvclock.c.patch tracing-x86-don-t-use-mcount-in-kvmclock.c.patch +v4l1-fix-32-bit-compat-microcode-loading-translation.patch +v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch +input-joydev-fix-jsiocsaxmap-ioctl.patch +mac80211-fix-use-after-free.patch +x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch +x86-irq-plug-memory-leak-in-sparse-irq.patch +ubd-fix-incorrect-sector-handling-during-request-restart.patch +ring-buffer-fix-typo-of-time-extends-per-page.patch +dmaengine-fix-interrupt-clearing-for-mv_xor.patch +hrtimer-preserve-timer-state-in-remove_hrtimer.patch +reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch +reiserfs-fix-unwanted-reiserfs-lock-recursion.patch +ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch +wext-fix-potential-private-ioctl-memory-content-leak.patch +atl1-fix-resume.patch +x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch +x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch +de-pessimize-rds_page_copy_user.patch +drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch diff --git a/queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch b/queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch new file mode 100644 index 00000000000..23caa4cd589 --- /dev/null +++ b/queue-2.6.33/ubd-fix-incorrect-sector-handling-during-request-restart.patch @@ -0,0 +1,104 @@ +From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 15 Oct 2010 12:56:21 +0200 +Subject: ubd: fix incorrect sector handling during request restart + +From: Tejun Heo + +commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream. + +Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation) +dropped request->sector manipulation in preparation for global request +handling cleanup; unfortunately, it incorrectly assumed that the +updated sector wasn't being used. + +ubd tries to issue as many requests as possible to io_thread. When +issuing fails due to memory pressure or other reasons, the device is +put on the restart list and issuing stops. On IO completion, devices +on the restart list are scanned and IO issuing is restarted. + +ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a +request, so each device on the restart queue needs to remember where +to restart in its current request. ubd needs to keep track of the +issue position itself because, + +* blk_rq_pos(req) is now updated by the block layer to keep track of + _completion_ position. + +* Multiple io_req's for the current request may be in flight, so it's + difficult to tell where blk_rq_pos(req) currently is. + +Add ubd->rq_pos to keep track of the issue position and use it to +correctly restart io_req issue. + +Signed-off-by: Tejun Heo +Reported-by: Richard Weinberger +Tested-by: Richard Weinberger +Tested-by: Chris Frey +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -161,6 +161,7 @@ struct ubd { + struct scatterlist sg[MAX_SG]; + struct request *request; + int start_sg, end_sg; ++ sector_t rq_pos; + }; + + #define DEFAULT_COW { \ +@@ -185,6 +186,7 @@ struct ubd { + .request = NULL, \ + .start_sg = 0, \ + .end_sg = 0, \ ++ .rq_pos = 0, \ + } + + /* Protected by ubd_lock */ +@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct reques + { + struct io_thread_req *io_req; + struct request *req; +- sector_t sector; + int n; + + while(1){ +@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct reques + return; + + dev->request = req; ++ dev->rq_pos = blk_rq_pos(req); + dev->start_sg = 0; + dev->end_sg = blk_rq_map_sg(q, req, dev->sg); + } + + req = dev->request; +- sector = blk_rq_pos(req); + while(dev->start_sg < dev->end_sg){ + struct scatterlist *sg = &dev->sg[dev->start_sg]; + +@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct reques + return; + } + prepare_request(req, io_req, +- (unsigned long long)sector << 9, ++ (unsigned long long)dev->rq_pos << 9, + sg->offset, sg->length, sg_page(sg)); + +- sector += sg->length >> 9; + n = os_write_file(thread_fd, &io_req, + sizeof(struct io_thread_req *)); + if(n != sizeof(struct io_thread_req *)){ +@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct reques + return; + } + ++ dev->rq_pos += sg->length >> 9; + dev->start_sg++; + } + dev->end_sg = 0; diff --git a/queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch b/queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch new file mode 100644 index 00000000000..0b5d8ed00b8 --- /dev/null +++ b/queue-2.6.33/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch @@ -0,0 +1,53 @@ +From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 11 Sep 2010 11:37:51 -0300 +Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) + +From: Mauro Carvalho Chehab + +commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream. + +As reported by: Carlos Americo Domiciano : + +[ 220.033500] cx231xx v4l2 driver loaded. +[ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces +[ 220.033577] cx231xx #0: registering interface 0 +[ 220.033591] cx231xx #0: registering interface 1 +[ 220.033654] cx231xx #0: registering interface 6 +[ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0) +[ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 220.033955] IP: [] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx] + +Thanks-to: Carlos Americo Domiciano +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx231xx/cx231xx-cards.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/media/video/cx231xx/cx231xx-cards.c ++++ b/drivers/media/video/cx231xx/cx231xx-cards.c +@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231 + dev->board.name, dev->model); + + /* set the direction for GPIO pins */ +- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); ++ if (dev->board.tuner_gpio) { ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); + +- /* request some modules if any required */ ++ /* request some modules if any required */ + +- /* reset the Tuner */ +- cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ /* reset the Tuner */ ++ cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ } + + /* set the mode to Analog mode initially */ + cx231xx_set_mode(dev, CX231XX_ANALOG_MODE); diff --git a/queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch new file mode 100644 index 00000000000..d1e78978660 --- /dev/null +++ b/queue-2.6.33/v4l1-fix-32-bit-compat-microcode-loading-translation.patch @@ -0,0 +1,88 @@ +From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:12:38 -0700 +Subject: v4l1: fix 32-bit compat microcode loading translation + +From: Linus Torvalds + +commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream. + +The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. +It's only used by the VIDEO_STRADIS driver, and that one is scheduled to +staging and eventually removed unless somebody steps up to maintain it +(at which point it should use request_firmware() rather than some magic +ioctl). So we'll get rid of it eventually. + +But in the meantime, the compatibility ioctl code is broken, and this +tries to get it to at least limp along (even if Mauro suggested just +deleting it entirely, which may be the right thing to do - I don't think +the compatibility translation code has ever worked unless you were very +lucky). + +Reported-by: Kees Cook +Cc: Mauro Carvalho Chehab +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/v4l2-compat-ioctl32.c | 32 +++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/media/video/v4l2-compat-ioctl32.c ++++ b/drivers/media/video/v4l2-compat-ioctl32.c +@@ -193,17 +193,24 @@ static int put_video_window32(struct vid + struct video_code32 { + char loadwhat[16]; /* name or tag of file being passed */ + compat_int_t datasize; +- unsigned char *data; ++ compat_uptr_t data; + }; + +-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up) ++static struct video_code __user *get_microcode32(struct video_code32 *kp) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) || +- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) || +- get_user(kp->datasize, &up->datasize) || +- copy_from_user(kp->data, up->data, up->datasize)) +- return -EFAULT; +- return 0; ++ struct video_code __user *up; ++ ++ up = compat_alloc_user_space(sizeof(*up)); ++ ++ /* ++ * NOTE! We don't actually care if these fail. If the ++ * user address is invalid, the native ioctl will do ++ * the error handling for us ++ */ ++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat)); ++ (void) put_user(kp->datasize, &up->datasize); ++ (void) put_user(compat_ptr(kp->data), &up->data); ++ return up; + } + + #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32) +@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file * + struct video_tuner vt; + struct video_buffer vb; + struct video_window vw; +- struct video_code vc; ++ struct video_code32 vc; + struct video_audio va; + #endif + struct v4l2_format v2f; +@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file * + break; + + case VIDIOCSMICROCODE: +- err = get_microcode32(&karg.vc, up); +- compatible_arg = 0; ++ /* Copy the 32-bit "video_code32" to kernel space */ ++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc))) ++ return -EFAULT; ++ /* Convert the 32-bit version to a 64-bit version in user space */ ++ up = get_microcode32(&karg.vc); + break; + + case VIDIOCSFREQ: diff --git a/queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch b/queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch new file mode 100644 index 00000000000..67b8260030d --- /dev/null +++ b/queue-2.6.33/wext-fix-potential-private-ioctl-memory-content-leak.patch @@ -0,0 +1,39 @@ +From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 17 Sep 2010 00:38:25 +0200 +Subject: wext: fix potential private ioctl memory content leak + +From: Johannes Berg + +commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream. + +When a driver doesn't fill the entire buffer, old +heap contents may remain, and if it also doesn't +update the length properly, this old heap content +will be copied back to userspace. + +It is very unlikely that this happens in any of +the drivers using private ioctls since it would +show up as junk being reported by iwpriv, but it +seems better to be safe here, so use kzalloc. + +Reported-by: Jeff Mahoney +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext-priv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/wext-priv.c ++++ b/net/wireless/wext-priv.c +@@ -151,7 +151,7 @@ static int ioctl_private_iw_point(struct + } else if (!iwp->pointer) + return -EFAULT; + +- extra = kmalloc(extra_size, GFP_KERNEL); ++ extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) + return -ENOMEM; + diff --git a/queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch b/queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch new file mode 100644 index 00000000000..b01fbc8758f --- /dev/null +++ b/queue-2.6.33/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch @@ -0,0 +1,61 @@ +From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Fri, 8 Oct 2010 12:08:34 +0200 +Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order + +From: Borislav Petkov + +commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream. + +This fixes possible cases of not collecting valid error info in +the MCE error thresholding groups on F10h hardware. + +The current code contains a subtle problem of checking only the +Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM +thresholding group) in its first iteration and breaking out if +the bit is cleared. + +But (!), this MSR contains an offset value, BlkPtr[31:24], which +points to the remaining MSRs in this thresholding group which +might contain valid information too. But if we bail out only +after we checked the valid bit in the first MSR and not the +block pointer too, we miss that other information. + +The thing is, MC4_MISC0[BlkPtr] is not predicated on +MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked +prior to iterating over the MCI_MISCj thresholding group, +irrespective of the MC4_MISC0[Valid] setting. + +Signed-off-by: Borislav Petkov +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo + address = (low & MASK_BLKPTR_LO) >> 21; + if (!address) + break; ++ + address += MCG_XBLK_ADDR; + } else + ++address; +@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo + if (rdmsr_safe(address, &low, &high)) + break; + +- if (!(high & MASK_VALID_HI)) { +- if (block) +- continue; +- else +- break; +- } ++ if (!(high & MASK_VALID_HI)) ++ continue; + + if (!(high & MASK_CNTP_HI) || + (high & MASK_LOCKED_HI)) diff --git a/queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch b/queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch new file mode 100644 index 00000000000..15cd8b21b30 --- /dev/null +++ b/queue-2.6.33/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch @@ -0,0 +1,35 @@ +From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 28 Sep 2010 23:20:23 +0200 +Subject: x86, hpet: Fix bogus error check in hpet_assign_irq() + +From: Thomas Gleixner + +commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream. + +create_irq() returns -1 if the interrupt allocation failed, but the +code checks for irq == 0. + +Use create_irq_nr() instead. + +Signed-off-by: Thomas Gleixner +Cc: Venkatesh Pallipadi +LKML-Reference: +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/hpet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -498,7 +498,7 @@ static int hpet_assign_irq(struct hpet_d + { + unsigned int irq; + +- irq = create_irq(); ++ irq = create_irq_nr(0, -1); + if (!irq) + return -EINVAL; + diff --git a/queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch b/queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch new file mode 100644 index 00000000000..069bcfae624 --- /dev/null +++ b/queue-2.6.33/x86-irq-plug-memory-leak-in-sparse-irq.patch @@ -0,0 +1,51 @@ +From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 28 Sep 2010 20:57:19 +0200 +Subject: x86, irq: Plug memory leak in sparse irq + +From: Thomas Gleixner + +commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream. + +free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this +triggers a use after free caused by the fact that copying struct +irq_cfg is done with memcpy, which copies the pointer not the cpumask. + +Fix both places. + +Signed-off-by: Thomas Gleixner +Cc: Yinghai Lu +LKML-Reference: +Signed-off-by: Thomas Gleixner +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/io_apic.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -316,14 +316,19 @@ void arch_init_copy_chip_data(struct irq + + old_cfg = old_desc->chip_data; + +- memcpy(cfg, old_cfg, sizeof(struct irq_cfg)); ++ cfg->vector = old_cfg->vector; ++ cfg->move_in_progress = old_cfg->move_in_progress; ++ cpumask_copy(cfg->domain, old_cfg->domain); ++ cpumask_copy(cfg->old_domain, old_cfg->old_domain); + + init_copy_irq_2_pin(old_cfg, cfg, node); + } + +-static void free_irq_cfg(struct irq_cfg *old_cfg) ++static void free_irq_cfg(struct irq_cfg *cfg) + { +- kfree(old_cfg); ++ free_cpumask_var(cfg->domain); ++ free_cpumask_var(cfg->old_domain); ++ kfree(cfg); + } + + void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc) diff --git a/queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch b/queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch new file mode 100644 index 00000000000..952b1c838ae --- /dev/null +++ b/queue-2.6.33/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch @@ -0,0 +1,78 @@ +From 73cf624d029d776a33d0a80c695485b3f9b36231 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Sun, 10 Oct 2010 19:52:15 -0700 +Subject: x86, numa: For each node, register the memory blocks actually used + +From: Yinghai Lu + +commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream. + +Russ reported SGI UV is broken recently. He said: + +| The SRAT table shows that memory range is spread over two nodes. +| +| SRAT: Node 0 PXM 0 100000000-800000000 +| SRAT: Node 1 PXM 1 800000000-1000000000 +| SRAT: Node 0 PXM 0 1000000000-1080000000 +| +|Previously, the kernel early_node_map[] would show three entries +|with the proper node. +| +|[ 0.000000] 0: 0x00100000 -> 0x00800000 +|[ 0.000000] 1: 0x00800000 -> 0x01000000 +|[ 0.000000] 0: 0x01000000 -> 0x01080000 +| +|The problem is recent community kernel early_node_map[] shows +|only two entries with the node 0 entry overlapping the node 1 +|entry. +| +| 0: 0x00100000 -> 0x01080000 +| 1: 0x00800000 -> 0x01000000 + +After looking at the changelog, Found out that it has been broken for a while by +following commit + +|commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1 +|Author: David Rientjes +|Date: Fri Sep 25 15:20:04 2009 -0700 +| +| x86: Export srat physical topology + +Before that commit, register_active_regions() is called for every SRAT memory +entry right away. + +Use nodememblk_range[] instead of nodes[] in order to make sure we +capture the actual memory blocks registered with each node. nodes[] +contains an extended range which spans all memory regions associated +with a node, but that does not mean that all the memory in between are +included. + +Reported-by: Russ Anderson +Tested-by: Russ Anderson +Signed-off-by: Yinghai Lu +LKML-Reference: <4CB27BDF.5000800@kernel.org> +Acked-by: David Rientjes +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/srat_64.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/srat_64.c ++++ b/arch/x86/mm/srat_64.c +@@ -372,9 +372,11 @@ int __init acpi_scan_nodes(unsigned long + return -1; + } + +- for_each_node_mask(i, nodes_parsed) +- e820_register_active_regions(i, nodes[i].start >> PAGE_SHIFT, +- nodes[i].end >> PAGE_SHIFT); ++ for (i = 0; i < num_node_memblks; i++) ++ e820_register_active_regions(memblk_nodeid[i], ++ node_memblk_range[i].start >> PAGE_SHIFT, ++ node_memblk_range[i].end >> PAGE_SHIFT); ++ + /* for out of order entries in SRAT */ + sort_node_map(); + if (!nodes_cover_memory(nodes)) { -- 2.47.2