From: Greg Kroah-Hartman Date: Sun, 27 Nov 2011 03:28:58 +0000 (-0800) Subject: 3.1 patches X-Git-Tag: v3.0.13~23 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=13116225f13d445cf917cebdbf0cf331a0753642;p=thirdparty%2Fkernel%2Fstable-queue.git 3.1 patches added patches: crypto-mv_cesa-fix-hashing-of-chunks-1920-bytes.patch drm-i915-fix-inconsistent-backlight-level-during-disabled.patch drm-i915-ivybridge-still-has-fences.patch drm-i915-turn-on-another-required-clock-gating-bit-on-gen6.patch drm-i915-turn-on-a-required-3d-clock-gating-bit-on-sandybridge.patch drm-integer-overflow-in-drm_mode_dirtyfb_ioctl.patch drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx-for-real.patch ecryptfs-extend-array-bounds-for-all-filename-chars.patch ecryptfs-flush-file-in-vma-close.patch ecryptfs-prevent-file-create-race-condition.patch i2c-algo-bit-generate-correct-i2c-address-sequence-for-10-bit-target.patch pci-hotplug-shpchp-don-t-blindly-claim-non-amd-0x7450-device-ids.patch --- diff --git a/queue-3.1/crypto-mv_cesa-fix-hashing-of-chunks-1920-bytes.patch b/queue-3.1/crypto-mv_cesa-fix-hashing-of-chunks-1920-bytes.patch new file mode 100644 index 00000000000..8142c5338d5 --- /dev/null +++ b/queue-3.1/crypto-mv_cesa-fix-hashing-of-chunks-1920-bytes.patch @@ -0,0 +1,43 @@ +From 274252862f386b7868f35bf5ceaa5391a8ccfdf3 Mon Sep 17 00:00:00 2001 +From: Phil Sutter +Date: Wed, 16 Nov 2011 18:28:01 +0100 +Subject: crypto: mv_cesa - fix hashing of chunks > 1920 bytes + +From: Phil Sutter + +commit 274252862f386b7868f35bf5ceaa5391a8ccfdf3 upstream. + +This was broken by commit 7759995c75ae0cbd4c861582908449f6b6208e7a (yes, +myself). The basic problem here is since the digest state is only saved +after the last chunk, the state array is only valid when handling the +first chunk of the next buffer. Broken since linux-3.0. + +Signed-off-by: Phil Sutter +Signed-off-by: Herbert Xu +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/crypto/mv_cesa.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/drivers/crypto/mv_cesa.c ++++ b/drivers/crypto/mv_cesa.c +@@ -342,11 +342,13 @@ static void mv_process_hash_current(int + else + op.config |= CFG_MID_FRAG; + +- writel(req_ctx->state[0], cpg->reg + DIGEST_INITIAL_VAL_A); +- writel(req_ctx->state[1], cpg->reg + DIGEST_INITIAL_VAL_B); +- writel(req_ctx->state[2], cpg->reg + DIGEST_INITIAL_VAL_C); +- writel(req_ctx->state[3], cpg->reg + DIGEST_INITIAL_VAL_D); +- writel(req_ctx->state[4], cpg->reg + DIGEST_INITIAL_VAL_E); ++ if (first_block) { ++ writel(req_ctx->state[0], cpg->reg + DIGEST_INITIAL_VAL_A); ++ writel(req_ctx->state[1], cpg->reg + DIGEST_INITIAL_VAL_B); ++ writel(req_ctx->state[2], cpg->reg + DIGEST_INITIAL_VAL_C); ++ writel(req_ctx->state[3], cpg->reg + DIGEST_INITIAL_VAL_D); ++ writel(req_ctx->state[4], cpg->reg + DIGEST_INITIAL_VAL_E); ++ } + } + + memcpy(cpg->sram + SRAM_CONFIG, &op, sizeof(struct sec_accel_config)); diff --git a/queue-3.1/drm-i915-fix-inconsistent-backlight-level-during-disabled.patch b/queue-3.1/drm-i915-fix-inconsistent-backlight-level-during-disabled.patch new file mode 100644 index 00000000000..950c0115af7 --- /dev/null +++ b/queue-3.1/drm-i915-fix-inconsistent-backlight-level-during-disabled.patch @@ -0,0 +1,40 @@ +From 04b38670cf46c096705f24e92a8747d1ab89e53c Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Wed, 16 Nov 2011 10:58:03 +0100 +Subject: drm/i915: Fix inconsistent backlight level during disabled + +From: Takashi Iwai + +commit 04b38670cf46c096705f24e92a8747d1ab89e53c upstream. + +When the brightness property is inquired while the backlight is disabled, +the driver returns a wrong value (zero) because it probes the value after +the backlight was turned off. This caused a black screen even after the +backlight is enabled again. It should return the internal backlight_level +instead, so that it won't be influenced by the backlight-enable state. + +BugLink: https://bugs.freedesktop.org/show_bug.cgi?id=41926 +BugLink: https://bugs.launchpad.net/ubuntu/+source/linux/+bug/872652 + +Tested-by: Kamal Mostafa +Cc: Alex Davis +Signed-off-by: Takashi Iwai +Signed-off-by: Keith Packard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_panel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/intel_panel.c ++++ b/drivers/gpu/drm/i915/intel_panel.c +@@ -326,7 +326,8 @@ static int intel_panel_update_status(str + static int intel_panel_get_brightness(struct backlight_device *bd) + { + struct drm_device *dev = bl_get_data(bd); +- return intel_panel_get_backlight(dev); ++ struct drm_i915_private *dev_priv = dev->dev_private; ++ return dev_priv->backlight_level; + } + + static const struct backlight_ops intel_panel_bl_ops = { diff --git a/queue-3.1/drm-i915-ivybridge-still-has-fences.patch b/queue-3.1/drm-i915-ivybridge-still-has-fences.patch new file mode 100644 index 00000000000..679a985e42f --- /dev/null +++ b/queue-3.1/drm-i915-ivybridge-still-has-fences.patch @@ -0,0 +1,50 @@ +From 775d17b6ca4357048f36c22151335addfe15db4b Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Sun, 9 Oct 2011 21:52:01 +0200 +Subject: drm/i915: Ivybridge still has fences! + +From: Daniel Vetter + +commit 775d17b6ca4357048f36c22151335addfe15db4b upstream. + +So don't forget to restore them on resume and dump them into +the error state. + +Signed-off-by: Daniel Vetter +Reviewed-by: Chris Wilson +Signed-off-by: Keith Packard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_irq.c | 1 + + drivers/gpu/drm/i915/i915_suspend.c | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_irq.c ++++ b/drivers/gpu/drm/i915/i915_irq.c +@@ -822,6 +822,7 @@ static void i915_gem_record_fences(struc + + /* Fences */ + switch (INTEL_INFO(dev)->gen) { ++ case 7: + case 6: + for (i = 0; i < 16; i++) + error->fence[i] = I915_READ64(FENCE_REG_SANDYBRIDGE_0 + (i * 8)); +--- a/drivers/gpu/drm/i915/i915_suspend.c ++++ b/drivers/gpu/drm/i915/i915_suspend.c +@@ -370,6 +370,7 @@ static void i915_save_modeset_reg(struct + + /* Fences */ + switch (INTEL_INFO(dev)->gen) { ++ case 7: + case 6: + for (i = 0; i < 16; i++) + dev_priv->saveFENCE[i] = I915_READ64(FENCE_REG_SANDYBRIDGE_0 + (i * 8)); +@@ -404,6 +405,7 @@ static void i915_restore_modeset_reg(str + + /* Fences */ + switch (INTEL_INFO(dev)->gen) { ++ case 7: + case 6: + for (i = 0; i < 16; i++) + I915_WRITE64(FENCE_REG_SANDYBRIDGE_0 + (i * 8), dev_priv->saveFENCE[i]); diff --git a/queue-3.1/drm-i915-turn-on-a-required-3d-clock-gating-bit-on-sandybridge.patch b/queue-3.1/drm-i915-turn-on-a-required-3d-clock-gating-bit-on-sandybridge.patch new file mode 100644 index 00000000000..08ef2cdf54e --- /dev/null +++ b/queue-3.1/drm-i915-turn-on-a-required-3d-clock-gating-bit-on-sandybridge.patch @@ -0,0 +1,51 @@ +From 406478dc911e16677fbd9c84d1d50cdffbc031ab Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Mon, 7 Nov 2011 16:07:04 -0800 +Subject: drm/i915: Turn on a required 3D clock gating bit on Sandybridge. + +From: Eric Anholt + +commit 406478dc911e16677fbd9c84d1d50cdffbc031ab upstream. + +Fixes rendering failures in Unigine Tropics and Sanctuary and the mesa +"fire" demo. + +Signed-off-by: Eric Anholt +Signed-off-by: Keith Packard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 3 +++ + drivers/gpu/drm/i915/intel_display.c | 9 +++++++++ + 2 files changed, 12 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -3401,6 +3401,9 @@ + #define GT_FIFO_FREE_ENTRIES 0x120008 + #define GT_FIFO_NUM_RESERVED_ENTRIES 20 + ++#define GEN6_UCGCTL2 0x9404 ++# define GEN6_RCPBUNIT_CLOCK_GATE_DISABLE (1 << 12) ++ + #define GEN6_RPNSWREQ 0xA008 + #define GEN6_TURBO_DISABLE (1<<31) + #define GEN6_FREQUENCY(x) ((x)<<25) +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -7882,6 +7882,15 @@ static void gen6_init_clock_gating(struc + I915_WRITE(WM2_LP_ILK, 0); + I915_WRITE(WM1_LP_ILK, 0); + ++ /* According to the BSpec vol1g, bit 12 (RCPBUNIT) clock ++ * gating disable must be set. Failure to set it results in ++ * flickering pixels due to Z write ordering failures after ++ * some amount of runtime in the Mesa "fire" demo, and Unigine ++ * Sanctuary and Tropics, and apparently anything else with ++ * alpha test or pixel discard. ++ */ ++ I915_WRITE(GEN6_UCGCTL2, GEN6_RCPBUNIT_CLOCK_GATE_DISABLE); ++ + /* + * According to the spec the following bits should be + * set in order to enable memory self-refresh and fbc: diff --git a/queue-3.1/drm-i915-turn-on-another-required-clock-gating-bit-on-gen6.patch b/queue-3.1/drm-i915-turn-on-another-required-clock-gating-bit-on-gen6.patch new file mode 100644 index 00000000000..1fb098d344b --- /dev/null +++ b/queue-3.1/drm-i915-turn-on-another-required-clock-gating-bit-on-gen6.patch @@ -0,0 +1,49 @@ +From 9ca1d10d748e56964de95e3ed80211b192f56cf4 Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Mon, 7 Nov 2011 16:07:05 -0800 +Subject: drm/i915: Turn on another required clock gating bit on gen6. + +From: Eric Anholt + +commit 9ca1d10d748e56964de95e3ed80211b192f56cf4 upstream. + +Unlike the previous one, I don't have known testcases it fixes. I'd +rather not go through the same debug cycle on whatever testcases those +might be. + +Signed-off-by: Eric Anholt +Signed-off-by: Keith Packard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 1 + + drivers/gpu/drm/i915/intel_display.c | 7 ++++++- + 2 files changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -3403,6 +3403,7 @@ + + #define GEN6_UCGCTL2 0x9404 + # define GEN6_RCPBUNIT_CLOCK_GATE_DISABLE (1 << 12) ++# define GEN6_RCCUNIT_CLOCK_GATE_DISABLE (1 << 11) + + #define GEN6_RPNSWREQ 0xA008 + #define GEN6_TURBO_DISABLE (1<<31) +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -7888,8 +7888,13 @@ static void gen6_init_clock_gating(struc + * some amount of runtime in the Mesa "fire" demo, and Unigine + * Sanctuary and Tropics, and apparently anything else with + * alpha test or pixel discard. ++ * ++ * According to the spec, bit 11 (RCCUNIT) must also be set, ++ * but we didn't debug actual testcases to find it out. + */ +- I915_WRITE(GEN6_UCGCTL2, GEN6_RCPBUNIT_CLOCK_GATE_DISABLE); ++ I915_WRITE(GEN6_UCGCTL2, ++ GEN6_RCPBUNIT_CLOCK_GATE_DISABLE | ++ GEN6_RCCUNIT_CLOCK_GATE_DISABLE); + + /* + * According to the spec the following bits should be diff --git a/queue-3.1/drm-integer-overflow-in-drm_mode_dirtyfb_ioctl.patch b/queue-3.1/drm-integer-overflow-in-drm_mode_dirtyfb_ioctl.patch new file mode 100644 index 00000000000..3167a11772c --- /dev/null +++ b/queue-3.1/drm-integer-overflow-in-drm_mode_dirtyfb_ioctl.patch @@ -0,0 +1,48 @@ +From a5cd335165e31db9dbab636fd29895d41da55dd2 Mon Sep 17 00:00:00 2001 +From: Xi Wang +Date: Wed, 23 Nov 2011 01:12:01 -0500 +Subject: drm: integer overflow in drm_mode_dirtyfb_ioctl() + +From: Xi Wang + +commit a5cd335165e31db9dbab636fd29895d41da55dd2 upstream. + +There is a potential integer overflow in drm_mode_dirtyfb_ioctl() +if userspace passes in a large num_clips. The call to kmalloc would +allocate a small buffer, and the call to fb->funcs->dirty may result +in a memory corruption. + +Reported-by: Haogang Chen +Signed-off-by: Xi Wang +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_crtc.c | 4 ++++ + include/drm/drm_mode.h | 2 ++ + 2 files changed, 6 insertions(+) + +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -1868,6 +1868,10 @@ int drm_mode_dirtyfb_ioctl(struct drm_de + } + + if (num_clips && clips_ptr) { ++ if (num_clips < 0 || num_clips > DRM_MODE_FB_DIRTY_MAX_CLIPS) { ++ ret = -EINVAL; ++ goto out_err1; ++ } + clips = kzalloc(num_clips * sizeof(*clips), GFP_KERNEL); + if (!clips) { + ret = -ENOMEM; +--- a/include/drm/drm_mode.h ++++ b/include/drm/drm_mode.h +@@ -233,6 +233,8 @@ struct drm_mode_fb_cmd { + #define DRM_MODE_FB_DIRTY_ANNOTATE_FILL 0x02 + #define DRM_MODE_FB_DIRTY_FLAGS 0x03 + ++#define DRM_MODE_FB_DIRTY_MAX_CLIPS 256 ++ + /* + * Mark a region of a framebuffer as dirty. + * diff --git a/queue-3.1/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx-for-real.patch b/queue-3.1/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx-for-real.patch new file mode 100644 index 00000000000..4303e38566a --- /dev/null +++ b/queue-3.1/drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx-for-real.patch @@ -0,0 +1,46 @@ +From d724502a9d7a46f4a56a1663b1f50d2dc9d1ef40 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 21 Nov 2011 12:10:14 -0500 +Subject: drm/radeon/kms: fix up gpio i2c mask bits for r4xx for real + +From: Alex Deucher + +commit d724502a9d7a46f4a56a1663b1f50d2dc9d1ef40 upstream. + +Fixes i2c test failures when i2c_algo_bit.bit_test=1. + +The hw doesn't actually require a mask, so just set it +to the default mask bits for r1xx-r4xx radeon ddc. + +I missed this part the first time through. + +Signed-off-by: Alex Deucher +Cc: Jean Delvare +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -169,6 +169,18 @@ void radeon_atombios_i2c_init(struct rad + gpio = &i2c_info->asGPIO_Info[i]; + i2c.valid = false; + ++ /* r4xx mask is technically not used by the hw, so patch in the legacy mask bits */ ++ if ((rdev->family == CHIP_R420) || ++ (rdev->family == CHIP_R423) || ++ (rdev->family == CHIP_RV410)) { ++ if ((le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x0018) || ++ (le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x0019) || ++ (le16_to_cpu(gpio->usClkMaskRegisterIndex) == 0x001a)) { ++ gpio->ucClkMaskShift = 0x19; ++ gpio->ucDataMaskShift = 0x18; ++ } ++ } ++ + /* some evergreen boards have bad data for this entry */ + if (ASIC_IS_DCE4(rdev)) { + if ((i == 7) && diff --git a/queue-3.1/ecryptfs-extend-array-bounds-for-all-filename-chars.patch b/queue-3.1/ecryptfs-extend-array-bounds-for-all-filename-chars.patch new file mode 100644 index 00000000000..dba408cc932 --- /dev/null +++ b/queue-3.1/ecryptfs-extend-array-bounds-for-all-filename-chars.patch @@ -0,0 +1,56 @@ +From 0f751e641a71157aa584c2a2e22fda52b52b8a56 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Wed, 23 Nov 2011 11:31:24 -0600 +Subject: eCryptfs: Extend array bounds for all filename chars + +From: Tyler Hicks + +commit 0f751e641a71157aa584c2a2e22fda52b52b8a56 upstream. + +From mhalcrow's original commit message: + + Characters with ASCII values greater than the size of + filename_rev_map[] are valid filename characters. + ecryptfs_decode_from_filename() will access kernel memory beyond + that array, and ecryptfs_parse_tag_70_packet() will then decrypt + those characters. The attacker, using the FNEK of the crafted file, + can then re-encrypt the characters to reveal the kernel memory past + the end of the filename_rev_map[] array. I expect low security + impact since this array is statically allocated in the text area, + and the amount of memory past the array that is accessible is + limited by the largest possible ASCII filename character. + +This patch solves the issue reported by mhalcrow but with an +implementation suggested by Linus to simply extend the length of +filename_rev_map[] to 256. Characters greater than 0x7A are mapped to +0x00, which is how invalid characters less than 0x7A were previously +being handled. + +Signed-off-by: Tyler Hicks +Reported-by: Michael Halcrow +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1945,7 +1945,7 @@ static unsigned char *portable_filename_ + + /* We could either offset on every reverse map or just pad some 0x00's + * at the front here */ +-static const unsigned char filename_rev_map[] = { ++static const unsigned char filename_rev_map[256] = { + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 7 */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 15 */ + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* 23 */ +@@ -1961,7 +1961,7 @@ static const unsigned char filename_rev_ + 0x00, 0x26, 0x27, 0x28, 0x29, 0x2A, 0x2B, 0x2C, /* 103 */ + 0x2D, 0x2E, 0x2F, 0x30, 0x31, 0x32, 0x33, 0x34, /* 111 */ + 0x35, 0x36, 0x37, 0x38, 0x39, 0x3A, 0x3B, 0x3C, /* 119 */ +- 0x3D, 0x3E, 0x3F ++ 0x3D, 0x3E, 0x3F /* 123 - 255 initialized to 0x00 */ + }; + + /** diff --git a/queue-3.1/ecryptfs-flush-file-in-vma-close.patch b/queue-3.1/ecryptfs-flush-file-in-vma-close.patch new file mode 100644 index 00000000000..bb867ec1a92 --- /dev/null +++ b/queue-3.1/ecryptfs-flush-file-in-vma-close.patch @@ -0,0 +1,62 @@ +From 32001d6fe9ac6b0423e674a3093aa56740849f3b Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 21 Nov 2011 17:31:29 -0600 +Subject: eCryptfs: Flush file in vma close + +From: Tyler Hicks + +commit 32001d6fe9ac6b0423e674a3093aa56740849f3b upstream. + +Dirty pages weren't being written back when an mmap'ed eCryptfs file was +closed before the mapping was unmapped. Since f_ops->flush() is not +called by the munmap() path, the lower file was simply being released. +This patch flushes the eCryptfs file in the vm_ops->close() path. + +https://launchpad.net/bugs/870326 + +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -139,6 +139,27 @@ out: + return rc; + } + ++static void ecryptfs_vma_close(struct vm_area_struct *vma) ++{ ++ filemap_write_and_wait(vma->vm_file->f_mapping); ++} ++ ++static const struct vm_operations_struct ecryptfs_file_vm_ops = { ++ .close = ecryptfs_vma_close, ++ .fault = filemap_fault, ++}; ++ ++static int ecryptfs_file_mmap(struct file *file, struct vm_area_struct *vma) ++{ ++ int rc; ++ ++ rc = generic_file_mmap(file, vma); ++ if (!rc) ++ vma->vm_ops = &ecryptfs_file_vm_ops; ++ ++ return rc; ++} ++ + struct kmem_cache *ecryptfs_file_info_cache; + + /** +@@ -349,7 +370,7 @@ const struct file_operations ecryptfs_ma + #ifdef CONFIG_COMPAT + .compat_ioctl = ecryptfs_compat_ioctl, + #endif +- .mmap = generic_file_mmap, ++ .mmap = ecryptfs_file_mmap, + .open = ecryptfs_open, + .flush = ecryptfs_flush, + .release = ecryptfs_release, diff --git a/queue-3.1/ecryptfs-prevent-file-create-race-condition.patch b/queue-3.1/ecryptfs-prevent-file-create-race-condition.patch new file mode 100644 index 00000000000..b061668d324 --- /dev/null +++ b/queue-3.1/ecryptfs-prevent-file-create-race-condition.patch @@ -0,0 +1,254 @@ +From b59db43ad4434519feb338eacb01d77eb50825c5 Mon Sep 17 00:00:00 2001 +From: Tyler Hicks +Date: Mon, 21 Nov 2011 17:31:02 -0600 +Subject: eCryptfs: Prevent file create race condition + +From: Tyler Hicks + +commit b59db43ad4434519feb338eacb01d77eb50825c5 upstream. + +The file creation path prematurely called d_instantiate() and +unlock_new_inode() before the eCryptfs inode info was fully +allocated and initialized and before the eCryptfs metadata was written +to the lower file. + +This could result in race conditions in subsequent file and inode +operations leading to unexpected error conditions or a null pointer +dereference while attempting to use the unallocated memory. + +https://launchpad.net/bugs/813146 + +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 22 +++++++++-------- + fs/ecryptfs/ecryptfs_kernel.h | 5 ++-- + fs/ecryptfs/inode.c | 52 +++++++++++++++++++++++++----------------- + 3 files changed, 46 insertions(+), 33 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -967,7 +967,7 @@ static void ecryptfs_set_default_crypt_s + + /** + * ecryptfs_new_file_context +- * @ecryptfs_dentry: The eCryptfs dentry ++ * @ecryptfs_inode: The eCryptfs inode + * + * If the crypto context for the file has not yet been established, + * this is where we do that. Establishing a new crypto context +@@ -984,13 +984,13 @@ static void ecryptfs_set_default_crypt_s + * + * Returns zero on success; non-zero otherwise + */ +-int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry) ++int ecryptfs_new_file_context(struct inode *ecryptfs_inode) + { + struct ecryptfs_crypt_stat *crypt_stat = +- &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; ++ &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; + struct ecryptfs_mount_crypt_stat *mount_crypt_stat = + &ecryptfs_superblock_to_private( +- ecryptfs_dentry->d_sb)->mount_crypt_stat; ++ ecryptfs_inode->i_sb)->mount_crypt_stat; + int cipher_name_len; + int rc = 0; + +@@ -1299,12 +1299,12 @@ static int ecryptfs_write_headers_virt(c + } + + static int +-ecryptfs_write_metadata_to_contents(struct dentry *ecryptfs_dentry, ++ecryptfs_write_metadata_to_contents(struct inode *ecryptfs_inode, + char *virt, size_t virt_len) + { + int rc; + +- rc = ecryptfs_write_lower(ecryptfs_dentry->d_inode, virt, ++ rc = ecryptfs_write_lower(ecryptfs_inode, virt, + 0, virt_len); + if (rc < 0) + printk(KERN_ERR "%s: Error attempting to write header " +@@ -1338,7 +1338,8 @@ static unsigned long ecryptfs_get_zeroed + + /** + * ecryptfs_write_metadata +- * @ecryptfs_dentry: The eCryptfs dentry ++ * @ecryptfs_dentry: The eCryptfs dentry, which should be negative ++ * @ecryptfs_inode: The newly created eCryptfs inode + * + * Write the file headers out. This will likely involve a userspace + * callout, in which the session key is encrypted with one or more +@@ -1348,10 +1349,11 @@ static unsigned long ecryptfs_get_zeroed + * + * Returns zero on success; non-zero on error + */ +-int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry) ++int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry, ++ struct inode *ecryptfs_inode) + { + struct ecryptfs_crypt_stat *crypt_stat = +- &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; ++ &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; + unsigned int order; + char *virt; + size_t virt_len; +@@ -1391,7 +1393,7 @@ int ecryptfs_write_metadata(struct dentr + rc = ecryptfs_write_metadata_to_xattr(ecryptfs_dentry, virt, + size); + else +- rc = ecryptfs_write_metadata_to_contents(ecryptfs_dentry, virt, ++ rc = ecryptfs_write_metadata_to_contents(ecryptfs_inode, virt, + virt_len); + if (rc) { + printk(KERN_ERR "%s: Error writing metadata out to lower file; " +--- a/fs/ecryptfs/ecryptfs_kernel.h ++++ b/fs/ecryptfs/ecryptfs_kernel.h +@@ -584,9 +584,10 @@ int ecryptfs_init_crypt_ctx(struct ecryp + int ecryptfs_write_inode_size_to_metadata(struct inode *ecryptfs_inode); + int ecryptfs_encrypt_page(struct page *page); + int ecryptfs_decrypt_page(struct page *page); +-int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry); ++int ecryptfs_write_metadata(struct dentry *ecryptfs_dentry, ++ struct inode *ecryptfs_inode); + int ecryptfs_read_metadata(struct dentry *ecryptfs_dentry); +-int ecryptfs_new_file_context(struct dentry *ecryptfs_dentry); ++int ecryptfs_new_file_context(struct inode *ecryptfs_inode); + void ecryptfs_write_crypt_stat_flags(char *page_virt, + struct ecryptfs_crypt_stat *crypt_stat, + size_t *written); +--- a/fs/ecryptfs/inode.c ++++ b/fs/ecryptfs/inode.c +@@ -172,22 +172,23 @@ ecryptfs_create_underlying_file(struct i + * it. It will also update the eCryptfs directory inode to mimic the + * stat of the lower directory inode. + * +- * Returns zero on success; non-zero on error condition ++ * Returns the new eCryptfs inode on success; an ERR_PTR on error condition + */ +-static int ++static struct inode * + ecryptfs_do_create(struct inode *directory_inode, + struct dentry *ecryptfs_dentry, int mode) + { + int rc; + struct dentry *lower_dentry; + struct dentry *lower_dir_dentry; ++ struct inode *inode; + + lower_dentry = ecryptfs_dentry_to_lower(ecryptfs_dentry); + lower_dir_dentry = lock_parent(lower_dentry); + if (IS_ERR(lower_dir_dentry)) { + ecryptfs_printk(KERN_ERR, "Error locking directory of " + "dentry\n"); +- rc = PTR_ERR(lower_dir_dentry); ++ inode = ERR_CAST(lower_dir_dentry); + goto out; + } + rc = ecryptfs_create_underlying_file(lower_dir_dentry->d_inode, +@@ -195,20 +196,19 @@ ecryptfs_do_create(struct inode *directo + if (rc) { + printk(KERN_ERR "%s: Failure to create dentry in lower fs; " + "rc = [%d]\n", __func__, rc); ++ inode = ERR_PTR(rc); + goto out_lock; + } +- rc = ecryptfs_interpose(lower_dentry, ecryptfs_dentry, +- directory_inode->i_sb); +- if (rc) { +- ecryptfs_printk(KERN_ERR, "Failure in ecryptfs_interpose\n"); ++ inode = __ecryptfs_get_inode(lower_dentry->d_inode, ++ directory_inode->i_sb); ++ if (IS_ERR(inode)) + goto out_lock; +- } + fsstack_copy_attr_times(directory_inode, lower_dir_dentry->d_inode); + fsstack_copy_inode_size(directory_inode, lower_dir_dentry->d_inode); + out_lock: + unlock_dir(lower_dir_dentry); + out: +- return rc; ++ return inode; + } + + /** +@@ -219,26 +219,26 @@ out: + * + * Returns zero on success + */ +-static int ecryptfs_initialize_file(struct dentry *ecryptfs_dentry) ++static int ecryptfs_initialize_file(struct dentry *ecryptfs_dentry, ++ struct inode *ecryptfs_inode) + { + struct ecryptfs_crypt_stat *crypt_stat = +- &ecryptfs_inode_to_private(ecryptfs_dentry->d_inode)->crypt_stat; ++ &ecryptfs_inode_to_private(ecryptfs_inode)->crypt_stat; + int rc = 0; + +- if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { ++ if (S_ISDIR(ecryptfs_inode->i_mode)) { + ecryptfs_printk(KERN_DEBUG, "This is a directory\n"); + crypt_stat->flags &= ~(ECRYPTFS_ENCRYPTED); + goto out; + } + ecryptfs_printk(KERN_DEBUG, "Initializing crypto context\n"); +- rc = ecryptfs_new_file_context(ecryptfs_dentry); ++ rc = ecryptfs_new_file_context(ecryptfs_inode); + if (rc) { + ecryptfs_printk(KERN_ERR, "Error creating new file " + "context; rc = [%d]\n", rc); + goto out; + } +- rc = ecryptfs_get_lower_file(ecryptfs_dentry, +- ecryptfs_dentry->d_inode); ++ rc = ecryptfs_get_lower_file(ecryptfs_dentry, ecryptfs_inode); + if (rc) { + printk(KERN_ERR "%s: Error attempting to initialize " + "the lower file for the dentry with name " +@@ -246,10 +246,10 @@ static int ecryptfs_initialize_file(stru + ecryptfs_dentry->d_name.name, rc); + goto out; + } +- rc = ecryptfs_write_metadata(ecryptfs_dentry); ++ rc = ecryptfs_write_metadata(ecryptfs_dentry, ecryptfs_inode); + if (rc) + printk(KERN_ERR "Error writing headers; rc = [%d]\n", rc); +- ecryptfs_put_lower_file(ecryptfs_dentry->d_inode); ++ ecryptfs_put_lower_file(ecryptfs_inode); + out: + return rc; + } +@@ -269,18 +269,28 @@ static int + ecryptfs_create(struct inode *directory_inode, struct dentry *ecryptfs_dentry, + int mode, struct nameidata *nd) + { ++ struct inode *ecryptfs_inode; + int rc; + +- /* ecryptfs_do_create() calls ecryptfs_interpose() */ +- rc = ecryptfs_do_create(directory_inode, ecryptfs_dentry, mode); +- if (unlikely(rc)) { ++ ecryptfs_inode = ecryptfs_do_create(directory_inode, ecryptfs_dentry, ++ mode); ++ if (unlikely(IS_ERR(ecryptfs_inode))) { + ecryptfs_printk(KERN_WARNING, "Failed to create file in" + "lower filesystem\n"); ++ rc = PTR_ERR(ecryptfs_inode); + goto out; + } + /* At this point, a file exists on "disk"; we need to make sure + * that this on disk file is prepared to be an ecryptfs file */ +- rc = ecryptfs_initialize_file(ecryptfs_dentry); ++ rc = ecryptfs_initialize_file(ecryptfs_dentry, ecryptfs_inode); ++ if (rc) { ++ drop_nlink(ecryptfs_inode); ++ unlock_new_inode(ecryptfs_inode); ++ iput(ecryptfs_inode); ++ goto out; ++ } ++ d_instantiate(ecryptfs_dentry, ecryptfs_inode); ++ unlock_new_inode(ecryptfs_inode); + out: + return rc; + } diff --git a/queue-3.1/i2c-algo-bit-generate-correct-i2c-address-sequence-for-10-bit-target.patch b/queue-3.1/i2c-algo-bit-generate-correct-i2c-address-sequence-for-10-bit-target.patch new file mode 100644 index 00000000000..e07db3a0f24 --- /dev/null +++ b/queue-3.1/i2c-algo-bit-generate-correct-i2c-address-sequence-for-10-bit-target.patch @@ -0,0 +1,41 @@ +From cc6bcf7d2ec2234e7b41770185e4dc826390185e Mon Sep 17 00:00:00 2001 +From: "Jeffrey (Sheng-Hui) Chu" +Date: Wed, 23 Nov 2011 11:33:07 +0100 +Subject: i2c-algo-bit: Generate correct i2c address sequence for 10-bit target + +From: "Jeffrey (Sheng-Hui) Chu" + +commit cc6bcf7d2ec2234e7b41770185e4dc826390185e upstream. + +The wrong bits were put on the wire, fix that. + +This fixes kernel bug #42562. + +Signed-off-by: Sheng-Hui J. Chu +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/algos/i2c-algo-bit.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/algos/i2c-algo-bit.c ++++ b/drivers/i2c/algos/i2c-algo-bit.c +@@ -486,7 +486,7 @@ static int bit_doAddress(struct i2c_adap + + if (flags & I2C_M_TEN) { + /* a ten bit address */ +- addr = 0xf0 | ((msg->addr >> 7) & 0x03); ++ addr = 0xf0 | ((msg->addr >> 7) & 0x06); + bit_dbg(2, &i2c_adap->dev, "addr0: %d\n", addr); + /* try extended address code...*/ + ret = try_address(i2c_adap, addr, retries); +@@ -496,7 +496,7 @@ static int bit_doAddress(struct i2c_adap + return -EREMOTEIO; + } + /* the remaining 8 bit address */ +- ret = i2c_outb(i2c_adap, msg->addr & 0x7f); ++ ret = i2c_outb(i2c_adap, msg->addr & 0xff); + if ((ret != 1) && !nak_ok) { + /* the chip did not ack / xmission error occurred */ + dev_err(&i2c_adap->dev, "died at 2nd address code\n"); diff --git a/queue-3.1/pci-hotplug-shpchp-don-t-blindly-claim-non-amd-0x7450-device-ids.patch b/queue-3.1/pci-hotplug-shpchp-don-t-blindly-claim-non-amd-0x7450-device-ids.patch new file mode 100644 index 00000000000..eeda7c5a237 --- /dev/null +++ b/queue-3.1/pci-hotplug-shpchp-don-t-blindly-claim-non-amd-0x7450-device-ids.patch @@ -0,0 +1,54 @@ +From 4cac2eb158c6da0c761689345c6cc5df788a6292 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Tue, 23 Aug 2011 10:16:43 -0600 +Subject: PCI hotplug: shpchp: don't blindly claim non-AMD 0x7450 device IDs + +From: Bjorn Helgaas + +commit 4cac2eb158c6da0c761689345c6cc5df788a6292 upstream. + +Previously we claimed device ID 0x7450, regardless of the vendor, which is +clearly wrong. Now we'll claim that device ID only for AMD. + +I suspect this was just a typo in the original code, but it's possible this +change will break shpchp on non-7450 AMD bridges. If so, we'll have to fix +them as we find them. + +Reference: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=638863 +Reported-by: Ralf Jung +Cc: Joerg Roedel +Signed-off-by: Bjorn Helgaas +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/hotplug/shpchp_core.c | 4 ++-- + drivers/pci/hotplug/shpchp_hpc.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/drivers/pci/hotplug/shpchp_core.c ++++ b/drivers/pci/hotplug/shpchp_core.c +@@ -278,8 +278,8 @@ static int get_adapter_status (struct ho + + static int is_shpc_capable(struct pci_dev *dev) + { +- if ((dev->vendor == PCI_VENDOR_ID_AMD) || (dev->device == +- PCI_DEVICE_ID_AMD_GOLAM_7450)) ++ if (dev->vendor == PCI_VENDOR_ID_AMD && ++ dev->device == PCI_DEVICE_ID_AMD_GOLAM_7450) + return 1; + if (!pci_find_capability(dev, PCI_CAP_ID_SHPC)) + return 0; +--- a/drivers/pci/hotplug/shpchp_hpc.c ++++ b/drivers/pci/hotplug/shpchp_hpc.c +@@ -944,8 +944,8 @@ int shpc_init(struct controller *ctrl, s + ctrl->pci_dev = pdev; /* pci_dev of the P2P bridge */ + ctrl_dbg(ctrl, "Hotplug Controller:\n"); + +- if ((pdev->vendor == PCI_VENDOR_ID_AMD) || (pdev->device == +- PCI_DEVICE_ID_AMD_GOLAM_7450)) { ++ if (pdev->vendor == PCI_VENDOR_ID_AMD && ++ pdev->device == PCI_DEVICE_ID_AMD_GOLAM_7450) { + /* amd shpc driver doesn't use Base Offset; assume 0 */ + ctrl->mmio_base = pci_resource_start(pdev, 0); + ctrl->mmio_size = pci_resource_len(pdev, 0); diff --git a/queue-3.1/series b/queue-3.1/series new file mode 100644 index 00000000000..98209823780 --- /dev/null +++ b/queue-3.1/series @@ -0,0 +1,12 @@ +ecryptfs-prevent-file-create-race-condition.patch +ecryptfs-flush-file-in-vma-close.patch +i2c-algo-bit-generate-correct-i2c-address-sequence-for-10-bit-target.patch +ecryptfs-extend-array-bounds-for-all-filename-chars.patch +crypto-mv_cesa-fix-hashing-of-chunks-1920-bytes.patch +drm-integer-overflow-in-drm_mode_dirtyfb_ioctl.patch +drm-radeon-kms-fix-up-gpio-i2c-mask-bits-for-r4xx-for-real.patch +drm-i915-ivybridge-still-has-fences.patch +drm-i915-turn-on-a-required-3d-clock-gating-bit-on-sandybridge.patch +drm-i915-turn-on-another-required-clock-gating-bit-on-gen6.patch +drm-i915-fix-inconsistent-backlight-level-during-disabled.patch +pci-hotplug-shpchp-don-t-blindly-claim-non-amd-0x7450-device-ids.patch