From e67d426c454f93cabeb675fdaf8dd5d117ba4a2d Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sun, 10 Jun 2012 00:49:58 +0900
Subject: [PATCH] 3.0-stable patches
added patches:
 btree-fix-tree-corruption-in-btree_get_prev.patch
 char-agp-add-another-ironlake-host-bridge.patch
 powerpc-fix-kernel-panic-during-kernel-module-load.patch
---
 ...ix-tree-corruption-in-btree_get_prev.patch | 54 +++++++++++++++
 ...agp-add-another-ironlake-host-bridge.patch | 42 ++++++++++++
 ...rnel-panic-during-kernel-module-load.patch | 68 +++++++++++++++++++
 queue-3.0/series | 3 +
 4 files changed, 167 insertions(+)
 create mode 100644 queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch
 create mode 100644 queue-3.0/char-agp-add-another-ironlake-host-bridge.patch
 create mode 100644 queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch
 create mode 100644 queue-3.0/series
diff --git a/queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch b/queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch
new file mode 100644
index 00000000000..5c3c5e38ddb
--- /dev/null
+++ b/queue-3.0/btree-fix-tree-corruption-in-btree_get_prev.patch
@@ -0,0 +1,54 @@
+From cbf8ae32f66a9ceb8907ad9e16663c2a29e48990 Mon Sep 17 00:00:00 2001
+From: Roland Dreier
+Date: Thu, 7 Jun 2012 14:21:13 -0700
+Subject: btree: fix tree corruption in btree_get_prev()
+
+From: Roland Dreier
+
+commit cbf8ae32f66a9ceb8907ad9e16663c2a29e48990 upstream.
+
+The memory the parameter __key points to is used as an iterator in
+btree_get_prev(), so if we save off a bkey() pointer in retry_key and
+then assign that to __key, we'll end up corrupting the btree internals
+when we do eg
+
+ longcpy(__key, bkey(geo, node, i), geo->keylen);
+
+to return the key value. What we should do instead is use longcpy() to
+copy the key value that retry_key points to __key.
+
+This can cause a btree to get corrupted by seemingly read-only
+operations such as btree_for_each_safe.
+
+[akpm@linux-foundation.org: avoid the double longcpy()]
+Signed-off-by: Roland Dreier
+Acked-by: Joern Engel
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ lib/btree.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/lib/btree.c
++++ b/lib/btree.c
+@@ -319,8 +319,8 @@ void *btree_get_prev(struct btree_head *
+
+ if (head->height == 0)
+ return NULL;
+-retry:
+ longcpy(key, __key, geo->keylen);
++retry:
+ dec_key(geo, key);
+
+ node = head->node;
+@@ -351,7 +351,7 @@ retry:
+ }
+ miss:
+ if (retry_key) {
+- __key = retry_key;
++ longcpy(key, retry_key, geo->keylen);
+ retry_key = NULL;
+ goto retry;
+ }
diff --git a/queue-3.0/char-agp-add-another-ironlake-host-bridge.patch b/queue-3.0/char-agp-add-another-ironlake-host-bridge.patch
new file mode 100644
index 00000000000..0165792bf04
--- /dev/null
+++ b/queue-3.0/char-agp-add-another-ironlake-host-bridge.patch
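Review bot: In the second inner hunk the retry path now copies into the local buffer with `longcpy(key, retry_key, geo->keylen);`, but nothing in the new code records why `__key` must never be re-pointed, which is exactly the mistake this patch removes. A short comment above the `retry:` label, for example `/* key is the private working copy; __key is the caller's iterator and must not be aliased to node memory */`, would keep a later cleanup from reintroducing the aliasing and the resulting corruption of btree internals. The same comment should say that `retry:` deliberately sits after the initial `longcpy(key, __key, geo->keylen);`, since moving the label back above it would overwrite the retry key. btree_get_prev() starts and ends outside both hunks, so the declaration of `key` and the final copy back into `__key` are not visible here.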
@@ -0,0 +1,42 @@
+From 67384fe3fd450536342330f684ea1f7dcaef8130 Mon Sep 17 00:00:00 2001
+From: Eugeni Dodonov
+Date: Wed, 6 Jun 2012 11:59:06 -0300
+Subject: char/agp: add another Ironlake host bridge
+
+From: Eugeni Dodonov
+
+commit 67384fe3fd450536342330f684ea1f7dcaef8130 upstream.
+
+This seems to come on Gigabyte H55M-S2V and was discovered through the
+https://bugs.freedesktop.org/show_bug.cgi?id=50381 debugging.
+
+Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=50381
+Signed-off-by: Eugeni Dodonov
+Signed-off-by: Daniel Vetter
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/agp/intel-agp.c | 1 +
+ drivers/char/agp/intel-agp.h | 1 +
+ 2 files changed, 2 insertions(+)
+
+--- a/drivers/char/agp/intel-agp.c
++++ b/drivers/char/agp/intel-agp.c
+@@ -897,6 +897,7 @@ static struct pci_device_id agp_intel_pc
+ ID(PCI_DEVICE_ID_INTEL_B43_HB),
+ ID(PCI_DEVICE_ID_INTEL_B43_1_HB),
+ ID(PCI_DEVICE_ID_INTEL_IRONLAKE_D_HB),
++ ID(PCI_DEVICE_ID_INTEL_IRONLAKE_D2_HB),
+ ID(PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB),
+ ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB),
+ ID(PCI_DEVICE_ID_INTEL_IRONLAKE_MC2_HB),
+--- a/drivers/char/agp/intel-agp.h
++++ b/drivers/char/agp/intel-agp.h
+@@ -211,6 +211,7 @@
+ #define PCI_DEVICE_ID_INTEL_G41_HB 0x2E30
+ #define PCI_DEVICE_ID_INTEL_G41_IG 0x2E32
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_D_HB 0x0040
++#define PCI_DEVICE_ID_INTEL_IRONLAKE_D2_HB 0x0069
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_D_IG 0x0042
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_M_HB 0x0044
+ #define PCI_DEVICE_ID_INTEL_IRONLAKE_MA_HB 0x0062
diff --git a/queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch b/queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch
new file mode 100644
index 00000000000..c8a8f73da4e
--- /dev/null
+++ b/queue-3.0/powerpc-fix-kernel-panic-during-kernel-module-load.patch
@@ -0,0 +1,68 @@
+From 3c75296562f43e6fbc6cddd3de948a7b3e4e9bcf Mon Sep 17 00:00:00 2001
+From: Steffen Rumler
+Date: Wed, 6 Jun 2012 16:37:17 +0200
+Subject: powerpc: Fix kernel panic during kernel module load
+
+From: Steffen Rumler
+
+commit 3c75296562f43e6fbc6cddd3de948a7b3e4e9bcf upstream.
+
+This fixes a problem which can causes kernel oopses while loading
+a kernel module.
+
+According to the PowerPC EABI specification, GPR r11 is assigned
+the dedicated function to point to the previous stack frame.
+In the powerpc-specific kernel module loader, do_plt_call()
+(in arch/powerpc/kernel/module_32.c), GPR r11 is also used
+to generate trampoline code.
+
+This combination crashes the kernel, in the case where the compiler
+chooses to use a helper function for saving GPRs on entry, and the
+module loader has placed the .init.text section far away from the
+.text section, meaning that it has to generate a trampoline for
+functions in the .init.text section to call the GPR save helper.
+Because the trampoline trashes r11, references to the stack frame
+using r11 can cause an oops.
+
+The fix just uses GPR r12 instead of GPR r11 for generating the
+trampoline code. According to the statements from Freescale, this is
+safe from an EABI perspective.
+
+I've tested the fix for kernel 2.6.33 on MPC8541.
+
+Signed-off-by: Steffen Rumler
+[paulus@samba.org: reworded the description]
+Signed-off-by: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/powerpc/kernel/module_32.c | 11 +++++------
+ 1 file changed, 5 insertions(+), 6 deletions(-)
+
+--- a/arch/powerpc/kernel/module_32.c
++++ b/arch/powerpc/kernel/module_32.c
+@@ -187,8 +187,8 @@ int apply_relocate(Elf32_Shdr *sechdrs,
+
+ static inline int entry_matches(struct ppc_plt_entry *entry, Elf32_Addr val)
+ {
+- if (entry->jump[0] == 0x3d600000 + ((val + 0x8000) >> 16)
+- && entry->jump[1] == 0x396b0000 + (val & 0xffff))
++ if (entry->jump[0] == 0x3d800000 + ((val + 0x8000) >> 16)
++ && entry->jump[1] == 0x398c0000 + (val & 0xffff))
+ return 1;
+ return 0;
+ }
+@@ -215,10 +215,9 @@ static uint32_t do_plt_call(void *locati
+ entry++;
+ }
+
+- /* Stolen from Paul Mackerras as well... */
+- entry->jump[0] = 0x3d600000+((val+0x8000)>>16); /* lis r11,sym@ha */
+- entry->jump[1] = 0x396b0000 + (val&0xffff); /* addi r11,r11,sym@l*/
+- entry->jump[2] = 0x7d6903a6; /* mtctr r11 */
++ entry->jump[0] = 0x3d800000+((val+0x8000)>>16); /* lis r12,sym@ha */
++ entry->jump[1] = 0x398c0000 + (val&0xffff); /* addi r12,r12,sym@l*/
++ entry->jump[2] = 0x7d8903a6; /* mtctr r12 */
+ entry->jump[3] = 0x4e800420; /* bctr */
+
+ DEBUGP("Initialized plt for 0x%x at %p\n", val, entry);
diff --git a/queue-3.0/series b/queue-3.0/series
new file mode 100644
index 00000000000..6319d022638
--- /dev/null
+++ b/queue-3.0/series
@@ -0,0 +1,3 @@
+char-agp-add-another-ironlake-host-bridge.patch
+btree-fix-tree-corruption-in-btree_get_prev.patch
+powerpc-fix-kernel-panic-during-kernel-module-load.patch
-- 
2.47.3
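Review bot: The instruction encodings `0x3d800000` and `0x398c0000` are now written out twice in arch/powerpc/kernel/module_32.c, once in entry_matches() and once in do_plt_call(), and the two copies have to stay identical or the matcher will no longer recognise the trampolines the loader itself emitted. Sharing them through named constants (for example `#define PLT_LIS_R12 0x3d800000` and `#define PLT_ADDI_R12 0x398c0000`; the names are only a suggestion) would turn a future register change into a one-place edit. The new lines also carry no hint of why r12 is used, so a comment above `entry->jump[0]` such as `/* r11 points to the previous stack frame per the EABI and is used by the GPR save helpers; build the trampoline in r12 */` would keep the reasoning that currently lives only in the commit message. do_plt_call() begins and ends outside the hunk.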