From cd3946a43523494f16c623372397c93d98b1dc4e Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 13 Nov 2012 15:36:16 -0800 Subject: [PATCH] 3.4-stable patches added patches: drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch drm-i915-fixup-infoframe-support-for-sdvo.patch drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch drm-vmwgfx-fix-hibernation-device-reset.patch futex-handle-futex_pi-owner_died-take-over-correctly.patch mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch usb-mos7840-remove-unused-variable.patch --- ...ear-the-entire-sdvo-infoframe-buffer.patch | 144 +++++++++++ ...915-fixup-infoframe-support-for-sdvo.patch | 94 ++++++++ ...e-missing-regs-to-the-vm-reg-checker.patch | 49 ++++ ...e-missing-regs-to-the-vm-reg-checker.patch | 40 ++++ ...ld-bug-when-trying-to-pin-gmr-memory.patch | 31 +++ ...-vmwgfx-fix-hibernation-device-reset.patch | 36 +++ ...ex_pi-owner_died-take-over-correctly.patch | 225 ++++++++++++++++++ ...-dereference-in-sdhci_request-tuning.patch | 52 ++++ queue-3.4/series | 9 + .../usb-mos7840-remove-unused-variable.patch | 32 +++ 10 files changed, 712 insertions(+) create mode 100644 queue-3.4/drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch create mode 100644 queue-3.4/drm-i915-fixup-infoframe-support-for-sdvo.patch create mode 100644 queue-3.4/drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch create mode 100644 queue-3.4/drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch create mode 100644 queue-3.4/drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch create mode 100644 queue-3.4/drm-vmwgfx-fix-hibernation-device-reset.patch create mode 100644 queue-3.4/futex-handle-futex_pi-owner_died-take-over-correctly.patch create mode 100644 queue-3.4/mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch create mode 100644 queue-3.4/usb-mos7840-remove-unused-variable.patch diff --git a/queue-3.4/drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch b/queue-3.4/drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch new file mode 100644 index 00000000000..fac4fdb155a --- /dev/null +++ b/queue-3.4/drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch @@ -0,0 +1,144 @@ +From b6e0e543f75729f207b9c72b0162ae61170635b2 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sun, 21 Oct 2012 12:52:39 +0200 +Subject: drm/i915: clear the entire sdvo infoframe buffer + +From: Daniel Vetter + +commit b6e0e543f75729f207b9c72b0162ae61170635b2 upstream. + +Like in the case of native hdmi, which is fixed already in + +commit adf00b26d18e1b3570451296e03bcb20e4798cdd +Author: Paulo Zanoni +Date: Tue Sep 25 13:23:34 2012 -0300 + + drm/i915: make sure we write all the DIP data bytes + +we need to clear the entire sdvo buffer to avoid upsetting the +display. + +Since infoframe buffer writing is now a bit more elaborate, extract it +into it's own function. This will be useful if we ever get around to +properly update the ELD for sdvo. Also #define proper names for the +two buffer indexes with fixed usage. + +v2: Cite the right commit above, spotted by Paulo Zanoni. + +v3: I'm too stupid to paste the right commit. + +v4: Ben Hutchings noticed that I've failed to handle an underflow in +my loop logic, breaking it for i >= length + 8. Since I've just lost C +programmer license, use his solution. Also, make the frustrated 0-base +buffer size a notch more clear. + +Reported-and-tested-by: Jürg Billeter +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=25732 +Cc: Paulo Zanoni +Cc: Ben Hutchings +Reviewed-by: Rodrigo Vivi +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_sdvo.c | 62 ++++++++++++++++++++++----------- + drivers/gpu/drm/i915/intel_sdvo_regs.h | 2 + + 2 files changed, 44 insertions(+), 20 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/intel_sdvo.c +@@ -868,6 +868,45 @@ static void intel_sdvo_dump_hdmi_buf(str + } + #endif + ++static bool intel_sdvo_write_infoframe(struct intel_sdvo *intel_sdvo, ++ unsigned if_index, uint8_t tx_rate, ++ uint8_t *data, unsigned length) ++{ ++ uint8_t set_buf_index[2] = { if_index, 0 }; ++ uint8_t hbuf_size, tmp[8]; ++ int i; ++ ++ if (!intel_sdvo_set_value(intel_sdvo, ++ SDVO_CMD_SET_HBUF_INDEX, ++ set_buf_index, 2)) ++ return false; ++ ++ if (!intel_sdvo_get_value(intel_sdvo, SDVO_CMD_GET_HBUF_INFO, ++ &hbuf_size, 1)) ++ return false; ++ ++ /* Buffer size is 0 based, hooray! */ ++ hbuf_size++; ++ ++ DRM_DEBUG_KMS("writing sdvo hbuf: %i, hbuf_size %i, hbuf_size: %i\n", ++ if_index, length, hbuf_size); ++ ++ for (i = 0; i < hbuf_size; i += 8) { ++ memset(tmp, 0, 8); ++ if (i < length) ++ memcpy(tmp, data + i, min_t(unsigned, 8, length - i)); ++ ++ if (!intel_sdvo_set_value(intel_sdvo, ++ SDVO_CMD_SET_HBUF_DATA, ++ tmp, 8)) ++ return false; ++ } ++ ++ return intel_sdvo_set_value(intel_sdvo, ++ SDVO_CMD_SET_HBUF_TXRATE, ++ &tx_rate, 1); ++} ++ + static bool intel_sdvo_set_avi_infoframe(struct intel_sdvo *intel_sdvo) + { + struct dip_infoframe avi_if = { +@@ -875,11 +914,7 @@ static bool intel_sdvo_set_avi_infoframe + .ver = DIP_VERSION_AVI, + .len = DIP_LEN_AVI, + }; +- uint8_t tx_rate = SDVO_HBUF_TX_VSYNC; +- uint8_t set_buf_index[2] = { 1, 0 }; + uint8_t sdvo_data[4 + sizeof(avi_if.body.avi)]; +- uint64_t *data = (uint64_t *)sdvo_data; +- unsigned i; + + intel_dip_infoframe_csum(&avi_if); + +@@ -889,22 +924,9 @@ static bool intel_sdvo_set_avi_infoframe + sdvo_data[3] = avi_if.checksum; + memcpy(&sdvo_data[4], &avi_if.body, sizeof(avi_if.body.avi)); + +- if (!intel_sdvo_set_value(intel_sdvo, +- SDVO_CMD_SET_HBUF_INDEX, +- set_buf_index, 2)) +- return false; +- +- for (i = 0; i < sizeof(sdvo_data); i += 8) { +- if (!intel_sdvo_set_value(intel_sdvo, +- SDVO_CMD_SET_HBUF_DATA, +- data, 8)) +- return false; +- data++; +- } +- +- return intel_sdvo_set_value(intel_sdvo, +- SDVO_CMD_SET_HBUF_TXRATE, +- &tx_rate, 1); ++ return intel_sdvo_write_infoframe(intel_sdvo, SDVO_HBUF_INDEX_AVI_IF, ++ SDVO_HBUF_TX_VSYNC, ++ sdvo_data, sizeof(sdvo_data)); + } + + static bool intel_sdvo_set_tv_format(struct intel_sdvo *intel_sdvo) +--- a/drivers/gpu/drm/i915/intel_sdvo_regs.h ++++ b/drivers/gpu/drm/i915/intel_sdvo_regs.h +@@ -708,6 +708,8 @@ struct intel_sdvo_enhancements_arg { + #define SDVO_CMD_SET_AUDIO_STAT 0x91 + #define SDVO_CMD_GET_AUDIO_STAT 0x92 + #define SDVO_CMD_SET_HBUF_INDEX 0x93 ++ #define SDVO_HBUF_INDEX_ELD 0 ++ #define SDVO_HBUF_INDEX_AVI_IF 1 + #define SDVO_CMD_GET_HBUF_INDEX 0x94 + #define SDVO_CMD_GET_HBUF_INFO 0x95 + #define SDVO_CMD_SET_HBUF_AV_SPLIT 0x96 diff --git a/queue-3.4/drm-i915-fixup-infoframe-support-for-sdvo.patch b/queue-3.4/drm-i915-fixup-infoframe-support-for-sdvo.patch new file mode 100644 index 00000000000..5dd68312ddb --- /dev/null +++ b/queue-3.4/drm-i915-fixup-infoframe-support-for-sdvo.patch @@ -0,0 +1,94 @@ +From 81014b9d0b55fb0b48f26cd2a943359750d532db Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sat, 12 May 2012 20:22:00 +0200 +Subject: drm/i915: fixup infoframe support for sdvo + +From: Daniel Vetter + +commit 81014b9d0b55fb0b48f26cd2a943359750d532db upstream. + +At least the worst offenders: +- SDVO specifies that the encoder should compute the ecc. Testing also + shows that we must not send the ecc field, so copy the dip_infoframe + struct to a temporay place and avoid the ecc field. This way the avi + infoframe is exactly 17 bytes long, which agrees with what the spec + mandates as a minimal storage capacity (with the ecc field it would + be 18 bytes). +- Only 17 when sending the avi infoframe. The SDVO spec explicitly + says that sending more data than what the device announces results + in undefined behaviour. +- Add __attribute__((packed)) to the avi and spd infoframes, for + otherwise they're wrongly aligned. Noticed because the avi infoframe + ended up being 18 bytes large instead of 17. We haven't noticed this + yet because we don't use the uint16_t fields yet (which are the only + ones that would be wrongly aligned). + +This regression has been introduce by + +3c17fe4b8f40a112a85758a9ab2aebf772bdd647 is the first bad commit +commit 3c17fe4b8f40a112a85758a9ab2aebf772bdd647 +Author: David Härdeman +Date: Fri Sep 24 21:44:32 2010 +0200 + + i915: enable AVI infoframe for intel_hdmi.c [v4] + +Patch tested on my g33 with a sdvo hdmi adaptor. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=25732 +Tested-by: Peter Ross (G35 SDVO-HDMI) +Reviewed-by: Eugeni Dodonov +Signed-Off-by: Daniel Vetter +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_drv.h | 4 ++-- + drivers/gpu/drm/i915/intel_sdvo.c | 11 +++++++++-- + 2 files changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_drv.h ++++ b/drivers/gpu/drm/i915/intel_drv.h +@@ -247,12 +247,12 @@ struct dip_infoframe { + uint16_t bottom_bar_start; + uint16_t left_bar_end; + uint16_t right_bar_start; +- } avi; ++ } __attribute__ ((packed)) avi; + struct { + uint8_t vn[8]; + uint8_t pd[16]; + uint8_t sdi; +- } spd; ++ } __attribute__ ((packed)) spd; + uint8_t payload[27]; + } __attribute__ ((packed)) body; + } __attribute__((packed)); +--- a/drivers/gpu/drm/i915/intel_sdvo.c ++++ b/drivers/gpu/drm/i915/intel_sdvo.c +@@ -877,17 +877,24 @@ static bool intel_sdvo_set_avi_infoframe + }; + uint8_t tx_rate = SDVO_HBUF_TX_VSYNC; + uint8_t set_buf_index[2] = { 1, 0 }; +- uint64_t *data = (uint64_t *)&avi_if; ++ uint8_t sdvo_data[4 + sizeof(avi_if.body.avi)]; ++ uint64_t *data = (uint64_t *)sdvo_data; + unsigned i; + + intel_dip_infoframe_csum(&avi_if); + ++ /* sdvo spec says that the ecc is handled by the hw, and it looks like ++ * we must not send the ecc field, either. */ ++ memcpy(sdvo_data, &avi_if, 3); ++ sdvo_data[3] = avi_if.checksum; ++ memcpy(&sdvo_data[4], &avi_if.body, sizeof(avi_if.body.avi)); ++ + if (!intel_sdvo_set_value(intel_sdvo, + SDVO_CMD_SET_HBUF_INDEX, + set_buf_index, 2)) + return false; + +- for (i = 0; i < sizeof(avi_if); i += 8) { ++ for (i = 0; i < sizeof(sdvo_data); i += 8) { + if (!intel_sdvo_set_value(intel_sdvo, + SDVO_CMD_SET_HBUF_DATA, + data, 8)) diff --git a/queue-3.4/drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch b/queue-3.4/drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch new file mode 100644 index 00000000000..16dd19bc2b6 --- /dev/null +++ b/queue-3.4/drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch @@ -0,0 +1,49 @@ +From 860fe2f05fa2eacac84368e23547ec8cf3cc6652 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 8 Nov 2012 10:08:04 -0500 +Subject: drm/radeon/cayman: add some missing regs to the VM reg checker + +From: Alex Deucher + +commit 860fe2f05fa2eacac84368e23547ec8cf3cc6652 upstream. + +These regs were being wronly rejected leading to rendering +issues. + +fixes: +https://bugs.freedesktop.org/show_bug.cgi?id=56876 + +Signed-off-by: Alex Deucher +Reviewed-by: Michel Dänzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/evergreen_cs.c | 3 +++ + drivers/gpu/drm/radeon/evergreend.h | 4 ++++ + 2 files changed, 7 insertions(+) + +--- a/drivers/gpu/drm/radeon/evergreen_cs.c ++++ b/drivers/gpu/drm/radeon/evergreen_cs.c +@@ -2671,6 +2671,9 @@ static bool evergreen_vm_reg_valid(u32 r + /* check config regs */ + switch (reg) { + case GRBM_GFX_INDEX: ++ case CP_STRMOUT_CNTL: ++ case CP_COHER_CNTL: ++ case CP_COHER_SIZE: + case VGT_VTX_VECT_EJECT_REG: + case VGT_CACHE_INVALIDATION: + case VGT_GS_VERTEX_REUSE: +--- a/drivers/gpu/drm/radeon/evergreend.h ++++ b/drivers/gpu/drm/radeon/evergreend.h +@@ -77,6 +77,10 @@ + + #define CONFIG_MEMSIZE 0x5428 + ++#define CP_STRMOUT_CNTL 0x84FC ++ ++#define CP_COHER_CNTL 0x85F0 ++#define CP_COHER_SIZE 0x85F4 + #define CP_COHER_BASE 0x85F8 + #define CP_ME_CNTL 0x86D8 + #define CP_ME_HALT (1 << 28) diff --git a/queue-3.4/drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch b/queue-3.4/drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch new file mode 100644 index 00000000000..5bde379c6c9 --- /dev/null +++ b/queue-3.4/drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch @@ -0,0 +1,40 @@ +From f418b88aad0c42b4caf4d79a0cf8d14a5d0a2284 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 8 Nov 2012 10:13:24 -0500 +Subject: drm/radeon/si: add some missing regs to the VM reg checker + +From: Alex Deucher + +commit f418b88aad0c42b4caf4d79a0cf8d14a5d0a2284 upstream. + +This register is needed for streamout to work properly. + +Signed-off-by: Alex Deucher +Reviewed-by: Michel Dänzer +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/si.c | 1 + + drivers/gpu/drm/radeon/sid.h | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/gpu/drm/radeon/si.c ++++ b/drivers/gpu/drm/radeon/si.c +@@ -2593,6 +2593,7 @@ static bool si_vm_reg_valid(u32 reg) + /* check config regs */ + switch (reg) { + case GRBM_GFX_INDEX: ++ case CP_STRMOUT_CNTL: + case VGT_VTX_VECT_EJECT_REG: + case VGT_CACHE_INVALIDATION: + case VGT_ESGS_RING_SIZE: +--- a/drivers/gpu/drm/radeon/sid.h ++++ b/drivers/gpu/drm/radeon/sid.h +@@ -413,6 +413,7 @@ + # define RDERR_INT_ENABLE (1 << 0) + # define GUI_IDLE_INT_ENABLE (1 << 19) + ++#define CP_STRMOUT_CNTL 0x84FC + #define SCRATCH_REG0 0x8500 + #define SCRATCH_REG1 0x8504 + #define SCRATCH_REG2 0x8508 diff --git a/queue-3.4/drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch b/queue-3.4/drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch new file mode 100644 index 00000000000..79033f579d8 --- /dev/null +++ b/queue-3.4/drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch @@ -0,0 +1,31 @@ +From afcc87aa6a233e52df73552dc1dc9ae3881b7cc8 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Fri, 9 Nov 2012 10:45:14 +0100 +Subject: drm/vmwgfx: Fix a case where the code would BUG when trying to pin GMR memory + +From: Thomas Hellstrom + +commit afcc87aa6a233e52df73552dc1dc9ae3881b7cc8 upstream. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Dmitry Torokhov +Cc: linux-graphics-maintainer@vmware.com +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_dmabuf.c +@@ -306,7 +306,7 @@ void vmw_bo_pin(struct ttm_buffer_object + + BUG_ON(!atomic_read(&bo->reserved)); + BUG_ON(old_mem_type != TTM_PL_VRAM && +- old_mem_type != VMW_PL_FLAG_GMR); ++ old_mem_type != VMW_PL_GMR); + + pl_flags = TTM_PL_FLAG_VRAM | VMW_PL_FLAG_GMR | TTM_PL_FLAG_CACHED; + if (pin) diff --git a/queue-3.4/drm-vmwgfx-fix-hibernation-device-reset.patch b/queue-3.4/drm-vmwgfx-fix-hibernation-device-reset.patch new file mode 100644 index 00000000000..ad243d333f7 --- /dev/null +++ b/queue-3.4/drm-vmwgfx-fix-hibernation-device-reset.patch @@ -0,0 +1,36 @@ +From 95e8f6a21996c4cc2c4574b231c6e858b749dce3 Mon Sep 17 00:00:00 2001 +From: Thomas Hellstrom +Date: Fri, 9 Nov 2012 10:05:57 +0100 +Subject: drm/vmwgfx: Fix hibernation device reset + +From: Thomas Hellstrom + +commit 95e8f6a21996c4cc2c4574b231c6e858b749dce3 upstream. + +The device would not reset properly when resuming from hibernation. + +Signed-off-by: Thomas Hellstrom +Reviewed-by: Brian Paul +Reviewed-by: Dmitry Torokhov +Cc: linux-graphics-maintainer@vmware.com +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_drv.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -1102,6 +1102,11 @@ static void vmw_pm_complete(struct devic + struct drm_device *dev = pci_get_drvdata(pdev); + struct vmw_private *dev_priv = vmw_priv(dev); + ++ mutex_lock(&dev_priv->hw_mutex); ++ vmw_write(dev_priv, SVGA_REG_ID, SVGA_ID_2); ++ (void) vmw_read(dev_priv, SVGA_REG_ID); ++ mutex_unlock(&dev_priv->hw_mutex); ++ + /** + * Reclaim 3d reference held by fbdev and potentially + * start fifo. diff --git a/queue-3.4/futex-handle-futex_pi-owner_died-take-over-correctly.patch b/queue-3.4/futex-handle-futex_pi-owner_died-take-over-correctly.patch new file mode 100644 index 00000000000..ff8d502a595 --- /dev/null +++ b/queue-3.4/futex-handle-futex_pi-owner_died-take-over-correctly.patch @@ -0,0 +1,225 @@ +From 59fa6245192159ab5e1e17b8e31f15afa9cff4bf Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 23 Oct 2012 22:29:38 +0200 +Subject: futex: Handle futex_pi OWNER_DIED take over correctly + +From: Thomas Gleixner + +commit 59fa6245192159ab5e1e17b8e31f15afa9cff4bf upstream. + +Siddhesh analyzed a failure in the take over of pi futexes in case the +owner died and provided a workaround. +See: http://sourceware.org/bugzilla/show_bug.cgi?id=14076 + +The detailed problem analysis shows: + +Futex F is initialized with PTHREAD_PRIO_INHERIT and +PTHREAD_MUTEX_ROBUST_NP attributes. + +T1 lock_futex_pi(F); + +T2 lock_futex_pi(F); + --> T2 blocks on the futex and creates pi_state which is associated + to T1. + +T1 exits + --> exit_robust_list() runs + --> Futex F userspace value TID field is set to 0 and + FUTEX_OWNER_DIED bit is set. + +T3 lock_futex_pi(F); + --> Succeeds due to the check for F's userspace TID field == 0 + --> Claims ownership of the futex and sets its own TID into the + userspace TID field of futex F + --> returns to user space + +T1 --> exit_pi_state_list() + --> Transfers pi_state to waiter T2 and wakes T2 via + rt_mutex_unlock(&pi_state->mutex) + +T2 --> acquires pi_state->mutex and gains real ownership of the + pi_state + --> Claims ownership of the futex and sets its own TID into the + userspace TID field of futex F + --> returns to user space + +T3 --> observes inconsistent state + +This problem is independent of UP/SMP, preemptible/non preemptible +kernels, or process shared vs. private. The only difference is that +certain configurations are more likely to expose it. + +So as Siddhesh correctly analyzed the following check in +futex_lock_pi_atomic() is the culprit: + + if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) { + +We check the userspace value for a TID value of 0 and take over the +futex unconditionally if that's true. + +AFAICT this check is there as it is correct for a different corner +case of futexes: the WAITERS bit became stale. + +Now the proposed change + +- if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) { ++ if (unlikely(ownerdied || ++ !(curval & (FUTEX_TID_MASK | FUTEX_WAITERS)))) { + +solves the problem, but it's not obvious why and it wreckages the +"stale WAITERS bit" case. + +What happens is, that due to the WAITERS bit being set (T2 is blocked +on that futex) it enforces T3 to go through lookup_pi_state(), which +in the above case returns an existing pi_state and therefor forces T3 +to legitimately fight with T2 over the ownership of the pi_state (via +pi_state->mutex). Probelm solved! + +Though that does not work for the "WAITERS bit is stale" problem +because if lookup_pi_state() does not find existing pi_state it +returns -ERSCH (due to TID == 0) which causes futex_lock_pi() to +return -ESRCH to user space because the OWNER_DIED bit is not set. + +Now there is a different solution to that problem. Do not look at the +user space value at all and enforce a lookup of possibly available +pi_state. If pi_state can be found, then the new incoming locker T3 +blocks on that pi_state and legitimately races with T2 to acquire the +rt_mutex and the pi_state and therefor the proper ownership of the +user space futex. + +lookup_pi_state() has the correct order of checks. It first tries to +find a pi_state associated with the user space futex and only if that +fails it checks for futex TID value = 0. If no pi_state is available +nothing can create new state at that point because this happens with +the hash bucket lock held. + +So the above scenario changes to: + +T1 lock_futex_pi(F); + +T2 lock_futex_pi(F); + --> T2 blocks on the futex and creates pi_state which is associated + to T1. + +T1 exits + --> exit_robust_list() runs + --> Futex F userspace value TID field is set to 0 and + FUTEX_OWNER_DIED bit is set. + +T3 lock_futex_pi(F); + --> Finds pi_state and blocks on pi_state->rt_mutex + +T1 --> exit_pi_state_list() + --> Transfers pi_state to waiter T2 and wakes it via + rt_mutex_unlock(&pi_state->mutex) + +T2 --> acquires pi_state->mutex and gains ownership of the pi_state + --> Claims ownership of the futex and sets its own TID into the + userspace TID field of futex F + --> returns to user space + +This covers all gazillion points on which T3 might come in between +T1's exit_robust_list() clearing the TID field and T2 fixing it up. It +also solves the "WAITERS bit stale" problem by forcing the take over. + +Another benefit of changing the code this way is that it makes it less +dependent on untrusted user space values and therefor minimizes the +possible wreckage which might be inflicted. + +As usual after staring for too long at the futex code my brain hurts +so much that I really want to ditch that whole optimization of +avoiding the syscall for the non contended case for PI futexes and rip +out the maze of corner case handling code. Unfortunately we can't as +user space relies on that existing behaviour, but at least thinking +about it helps me to preserve my mental sanity. Maybe we should +nevertheless :) + +Reported-and-tested-by: Siddhesh Poyarekar +Link: http://lkml.kernel.org/r/alpine.LFD.2.02.1210232138540.2756@ionos +Acked-by: Darren Hart +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 41 ++++++++++++++++++++++------------------- + 1 file changed, 22 insertions(+), 19 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -716,7 +716,7 @@ static int futex_lock_pi_atomic(u32 __us + struct futex_pi_state **ps, + struct task_struct *task, int set_waiters) + { +- int lock_taken, ret, ownerdied = 0; ++ int lock_taken, ret, force_take = 0; + u32 uval, newval, curval, vpid = task_pid_vnr(task); + + retry: +@@ -755,17 +755,15 @@ retry: + newval = curval | FUTEX_WAITERS; + + /* +- * There are two cases, where a futex might have no owner (the +- * owner TID is 0): OWNER_DIED. We take over the futex in this +- * case. We also do an unconditional take over, when the owner +- * of the futex died. +- * +- * This is safe as we are protected by the hash bucket lock ! ++ * Should we force take the futex? See below. + */ +- if (unlikely(ownerdied || !(curval & FUTEX_TID_MASK))) { +- /* Keep the OWNER_DIED bit */ ++ if (unlikely(force_take)) { ++ /* ++ * Keep the OWNER_DIED and the WAITERS bit and set the ++ * new TID value. ++ */ + newval = (curval & ~FUTEX_TID_MASK) | vpid; +- ownerdied = 0; ++ force_take = 0; + lock_taken = 1; + } + +@@ -775,7 +773,7 @@ retry: + goto retry; + + /* +- * We took the lock due to owner died take over. ++ * We took the lock due to forced take over. + */ + if (unlikely(lock_taken)) + return 1; +@@ -790,20 +788,25 @@ retry: + switch (ret) { + case -ESRCH: + /* +- * No owner found for this futex. Check if the +- * OWNER_DIED bit is set to figure out whether +- * this is a robust futex or not. ++ * We failed to find an owner for this ++ * futex. So we have no pi_state to block ++ * on. This can happen in two cases: ++ * ++ * 1) The owner died ++ * 2) A stale FUTEX_WAITERS bit ++ * ++ * Re-read the futex value. + */ + if (get_futex_value_locked(&curval, uaddr)) + return -EFAULT; + + /* +- * We simply start over in case of a robust +- * futex. The code above will take the futex +- * and return happy. ++ * If the owner died or we have a stale ++ * WAITERS bit the owner TID in the user space ++ * futex is 0. + */ +- if (curval & FUTEX_OWNER_DIED) { +- ownerdied = 1; ++ if (!(curval & FUTEX_TID_MASK)) { ++ force_take = 1; + goto retry; + } + default: diff --git a/queue-3.4/mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch b/queue-3.4/mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch new file mode 100644 index 00000000000..629d5166ef7 --- /dev/null +++ b/queue-3.4/mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch @@ -0,0 +1,52 @@ +From 14efd957209461bbdf285bf0d67e931955d04a4c Mon Sep 17 00:00:00 2001 +From: Chris Ball +Date: Mon, 5 Nov 2012 14:29:49 -0500 +Subject: mmc: sdhci: fix NULL dereference in sdhci_request() tuning + +From: Chris Ball + +commit 14efd957209461bbdf285bf0d67e931955d04a4c upstream. + +Commit 473b095a72a9 ("mmc: sdhci: fix incorrect command used in tuning") +introduced a NULL dereference at resume-time if an SD 3.0 host controller +raises the SDHCI_NEEDS_TUNING flag while no card is inserted. Seen on an +OLPC XO-4 with sdhci-pxav3, but presumably affects other controllers too. + +Signed-off-by: Chris Ball +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci.c | 21 ++++++++++++--------- + 1 file changed, 12 insertions(+), 9 deletions(-) + +--- a/drivers/mmc/host/sdhci.c ++++ b/drivers/mmc/host/sdhci.c +@@ -1294,16 +1294,19 @@ static void sdhci_request(struct mmc_hos + */ + if ((host->flags & SDHCI_NEEDS_RETUNING) && + !(present_state & (SDHCI_DOING_WRITE | SDHCI_DOING_READ))) { +- /* eMMC uses cmd21 while sd and sdio use cmd19 */ +- tuning_opcode = mmc->card->type == MMC_TYPE_MMC ? +- MMC_SEND_TUNING_BLOCK_HS200 : +- MMC_SEND_TUNING_BLOCK; +- spin_unlock_irqrestore(&host->lock, flags); +- sdhci_execute_tuning(mmc, tuning_opcode); +- spin_lock_irqsave(&host->lock, flags); ++ if (mmc->card) { ++ /* eMMC uses cmd21 but sd and sdio use cmd19 */ ++ tuning_opcode = ++ mmc->card->type == MMC_TYPE_MMC ? ++ MMC_SEND_TUNING_BLOCK_HS200 : ++ MMC_SEND_TUNING_BLOCK; ++ spin_unlock_irqrestore(&host->lock, flags); ++ sdhci_execute_tuning(mmc, tuning_opcode); ++ spin_lock_irqsave(&host->lock, flags); + +- /* Restore original mmc_request structure */ +- host->mrq = mrq; ++ /* Restore original mmc_request structure */ ++ host->mrq = mrq; ++ } + } + + if (mrq->sbc && !(host->flags & SDHCI_AUTO_CMD23)) diff --git a/queue-3.4/series b/queue-3.4/series index 148ee905c90..72afd0c9833 100644 --- a/queue-3.4/series +++ b/queue-3.4/series @@ -46,3 +46,12 @@ l2tp-fix-oops-in-l2tp_eth_create-error-path.patch net-inet_diag-return-error-code-if-protocol-handler-is-missed.patch af-packet-fix-oops-when-socket-is-not-present.patch ipv6-send-unsolicited-neighbour-advertisements-to-all-nodes.patch +futex-handle-futex_pi-owner_died-take-over-correctly.patch +mmc-sdhci-fix-null-dereference-in-sdhci_request-tuning.patch +drm-vmwgfx-fix-hibernation-device-reset.patch +drm-vmwgfx-fix-a-case-where-the-code-would-bug-when-trying-to-pin-gmr-memory.patch +drm-radeon-cayman-add-some-missing-regs-to-the-vm-reg-checker.patch +drm-radeon-si-add-some-missing-regs-to-the-vm-reg-checker.patch +drm-i915-fixup-infoframe-support-for-sdvo.patch +drm-i915-clear-the-entire-sdvo-infoframe-buffer.patch +usb-mos7840-remove-unused-variable.patch diff --git a/queue-3.4/usb-mos7840-remove-unused-variable.patch b/queue-3.4/usb-mos7840-remove-unused-variable.patch new file mode 100644 index 00000000000..567ad0c96ce --- /dev/null +++ b/queue-3.4/usb-mos7840-remove-unused-variable.patch @@ -0,0 +1,32 @@ +From jhovold@gmail.com Tue Nov 13 15:26:35 2012 +From: Johan Hovold +Date: Thu, 8 Nov 2012 18:28:59 +0100 +Subject: USB: mos7840: remove unused variable +To: Greg KH + +From: Johan Hovold + +Fix warning about unused variable introduced by commit e681b66f2e19fa +("USB: mos7840: remove invalid disconnect handling") upstream. + +A subsequent fix which removed the disconnect function got rid of the +warning but that one was only backported to v3.6. + +Reported-by: Jiri Slaby +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mos7840.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/serial/mos7840.c ++++ b/drivers/usb/serial/mos7840.c +@@ -2581,7 +2581,6 @@ error: + static void mos7840_disconnect(struct usb_serial *serial) + { + int i; +- unsigned long flags; + struct moschip_port *mos7840_port; + dbg("%s", " disconnect :entering.........."); + -- 2.47.3