From: Greg Kroah-Hartman Date: Mon, 14 Nov 2011 18:14:54 +0000 (-0800) Subject: 3.1 patches X-Git-Tag: v3.0.10~13 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7d686b788408478cc92db8511a587550e93b22ba;p=thirdparty%2Fkernel%2Fstable-queue.git 3.1 patches added patches: alsa-hda-don-t-add-elements-of-other-codecs-to-vmaster-slave.patch alsa-hda-fix-internal-mic-on-dell-vostro-3500-laptop.patch arm-at91-fix-usba-gadget-registration.patch asoc-don-t-use-wm8994-control_data-in-wm8994_readable_register.patch drm-i915-fix-object-refcount-leak-on-mmappable-size-limit-error-path.patch drm-nouveau-initialize-chan-fence.lock-before-use.patch drm-radeon-kms-make-an-aux-failure-debug-only.patch sh-fix-cached-uncaced-address-calculation-in-29bit-mode.patch virtio-pci-fix-use-after-free.patch --- diff --git a/queue-3.1/alsa-hda-don-t-add-elements-of-other-codecs-to-vmaster-slave.patch b/queue-3.1/alsa-hda-don-t-add-elements-of-other-codecs-to-vmaster-slave.patch new file mode 100644 index 00000000000..4a61b093523 --- /dev/null +++ b/queue-3.1/alsa-hda-don-t-add-elements-of-other-codecs-to-vmaster-slave.patch @@ -0,0 +1,111 @@ +From aeb4b88ec0a948efce8e3a23a8f964d3560a7308 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Thu, 10 Nov 2011 12:28:38 +0100 +Subject: ALSA: hda - Don't add elements of other codecs to vmaster slave + +From: Takashi Iwai + +commit aeb4b88ec0a948efce8e3a23a8f964d3560a7308 upstream. + +When a virtual mater control is created, the driver looks for slave +elements from the assigned card instance. But this may include the +elements of other codecs when multiple codecs are on the same HD-audio +bus. This works at the first time, but it'll give Oops when it's once +freed and re-created via reconfig sysfs. + +This patch changes the element-look-up strategy to limit only to the +mixer elements of the same codec. + +Reported-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 60 +++++++++++++++++++++++++++++----------------- + 1 file changed, 39 insertions(+), 21 deletions(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -2296,6 +2296,39 @@ int snd_hda_codec_reset(struct hda_codec + return 0; + } + ++typedef int (*map_slave_func_t)(void *, struct snd_kcontrol *); ++ ++/* apply the function to all matching slave ctls in the mixer list */ ++static int map_slaves(struct hda_codec *codec, const char * const *slaves, ++ map_slave_func_t func, void *data) ++{ ++ struct hda_nid_item *items; ++ const char * const *s; ++ int i, err; ++ ++ items = codec->mixers.list; ++ for (i = 0; i < codec->mixers.used; i++) { ++ struct snd_kcontrol *sctl = items[i].kctl; ++ if (!sctl || !sctl->id.name || ++ sctl->id.iface != SNDRV_CTL_ELEM_IFACE_MIXER) ++ continue; ++ for (s = slaves; *s; s++) { ++ if (!strcmp(sctl->id.name, *s)) { ++ err = func(data, sctl); ++ if (err) ++ return err; ++ break; ++ } ++ } ++ } ++ return 0; ++} ++ ++static int check_slave_present(void *data, struct snd_kcontrol *sctl) ++{ ++ return 1; ++} ++ + /** + * snd_hda_add_vmaster - create a virtual master control and add slaves + * @codec: HD-audio codec +@@ -2316,12 +2349,10 @@ int snd_hda_add_vmaster(struct hda_codec + unsigned int *tlv, const char * const *slaves) + { + struct snd_kcontrol *kctl; +- const char * const *s; + int err; + +- for (s = slaves; *s && !snd_hda_find_mixer_ctl(codec, *s); s++) +- ; +- if (!*s) { ++ err = map_slaves(codec, slaves, check_slave_present, NULL); ++ if (err != 1) { + snd_printdd("No slave found for %s\n", name); + return 0; + } +@@ -2332,23 +2363,10 @@ int snd_hda_add_vmaster(struct hda_codec + if (err < 0) + return err; + +- for (s = slaves; *s; s++) { +- struct snd_kcontrol *sctl; +- int i = 0; +- for (;;) { +- sctl = _snd_hda_find_mixer_ctl(codec, *s, i); +- if (!sctl) { +- if (!i) +- snd_printdd("Cannot find slave %s, " +- "skipped\n", *s); +- break; +- } +- err = snd_ctl_add_slave(kctl, sctl); +- if (err < 0) +- return err; +- i++; +- } +- } ++ err = map_slaves(codec, slaves, (map_slave_func_t)snd_ctl_add_slave, ++ kctl); ++ if (err < 0) ++ return err; + return 0; + } + EXPORT_SYMBOL_HDA(snd_hda_add_vmaster); diff --git a/queue-3.1/alsa-hda-fix-internal-mic-on-dell-vostro-3500-laptop.patch b/queue-3.1/alsa-hda-fix-internal-mic-on-dell-vostro-3500-laptop.patch new file mode 100644 index 00000000000..fff7c8dfcef --- /dev/null +++ b/queue-3.1/alsa-hda-fix-internal-mic-on-dell-vostro-3500-laptop.patch @@ -0,0 +1,79 @@ +From f7f9bdfadfda07afb904a9767468e38c2d1a6033 Mon Sep 17 00:00:00 2001 +From: Julian Wollrath +Date: Wed, 9 Nov 2011 10:02:40 +0100 +Subject: ALSA: hda - fix internal mic on Dell Vostro 3500 laptop + +From: Julian Wollrath + +commit f7f9bdfadfda07afb904a9767468e38c2d1a6033 upstream. + +Fix the not working internal mic on Dell Vostro 3500 laptop by introducing the +new model dell-vostro-3500. + +Signed-off-by: Julian Wollrath +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + Documentation/sound/alsa/HD-Audio-Models.txt | 1 + + sound/pci/hda/patch_sigmatel.c | 11 +++++++++++ + 2 files changed, 12 insertions(+) + +--- a/Documentation/sound/alsa/HD-Audio-Models.txt ++++ b/Documentation/sound/alsa/HD-Audio-Models.txt +@@ -408,6 +408,7 @@ STAC92HD83* + ref Reference board + mic-ref Reference board with power management for ports + dell-s14 Dell laptop ++ dell-vostro-3500 Dell Vostro 3500 laptop + hp HP laptops with (inverted) mute-LED + hp-dv7-4000 HP dv-7 4000 + auto BIOS setup (default) +--- a/sound/pci/hda/patch_sigmatel.c ++++ b/sound/pci/hda/patch_sigmatel.c +@@ -94,6 +94,7 @@ enum { + STAC_92HD83XXX_REF, + STAC_92HD83XXX_PWR_REF, + STAC_DELL_S14, ++ STAC_DELL_VOSTRO_3500, + STAC_92HD83XXX_HP, + STAC_92HD83XXX_HP_cNB11_INTQUAD, + STAC_HP_DV7_4000, +@@ -1658,6 +1659,12 @@ static const unsigned int dell_s14_pin_c + 0x40f000f0, 0x40f000f0, + }; + ++static const unsigned int dell_vostro_3500_pin_configs[10] = { ++ 0x02a11020, 0x0221101f, 0x400000f0, 0x90170110, ++ 0x400000f1, 0x400000f2, 0x400000f3, 0x90a60160, ++ 0x400000f4, 0x400000f5, ++}; ++ + static const unsigned int hp_dv7_4000_pin_configs[10] = { + 0x03a12050, 0x0321201f, 0x40f000f0, 0x90170110, + 0x40f000f0, 0x40f000f0, 0x90170110, 0xd5a30140, +@@ -1674,6 +1681,7 @@ static const unsigned int *stac92hd83xxx + [STAC_92HD83XXX_REF] = ref92hd83xxx_pin_configs, + [STAC_92HD83XXX_PWR_REF] = ref92hd83xxx_pin_configs, + [STAC_DELL_S14] = dell_s14_pin_configs, ++ [STAC_DELL_VOSTRO_3500] = dell_vostro_3500_pin_configs, + [STAC_92HD83XXX_HP_cNB11_INTQUAD] = hp_cNB11_intquad_pin_configs, + [STAC_HP_DV7_4000] = hp_dv7_4000_pin_configs, + }; +@@ -1683,6 +1691,7 @@ static const char * const stac92hd83xxx_ + [STAC_92HD83XXX_REF] = "ref", + [STAC_92HD83XXX_PWR_REF] = "mic-ref", + [STAC_DELL_S14] = "dell-s14", ++ [STAC_DELL_VOSTRO_3500] = "dell-vostro-3500", + [STAC_92HD83XXX_HP] = "hp", + [STAC_92HD83XXX_HP_cNB11_INTQUAD] = "hp_cNB11_intquad", + [STAC_HP_DV7_4000] = "hp-dv7-4000", +@@ -1696,6 +1705,8 @@ static const struct snd_pci_quirk stac92 + "DFI LanParty", STAC_92HD83XXX_REF), + SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x02ba, + "unknown Dell", STAC_DELL_S14), ++ SND_PCI_QUIRK(PCI_VENDOR_ID_DELL, 0x1028, ++ "Dell Vostro 3500", STAC_DELL_VOSTRO_3500), + SND_PCI_QUIRK_MASK(PCI_VENDOR_ID_HP, 0xff00, 0x3600, + "HP", STAC_92HD83XXX_HP), + SND_PCI_QUIRK(PCI_VENDOR_ID_HP, 0x1656, diff --git a/queue-3.1/arm-at91-fix-usba-gadget-registration.patch b/queue-3.1/arm-at91-fix-usba-gadget-registration.patch new file mode 100644 index 00000000000..2b5264dc5ea --- /dev/null +++ b/queue-3.1/arm-at91-fix-usba-gadget-registration.patch @@ -0,0 +1,57 @@ +From dd0b3825495a2e7a8cd6cf0ec077618c008ac7c4 Mon Sep 17 00:00:00 2001 +From: Jochen Friedrich +Date: Tue, 25 Oct 2011 20:51:06 +0200 +Subject: ARM: at91: Fix USBA gadget registration + +From: Jochen Friedrich + +commit dd0b3825495a2e7a8cd6cf0ec077618c008ac7c4 upstream. + +Since 193ab2a6070039e7ee2b9b9bebea754a7c52fd1b, various AT91 boards don't +register USBA adapters anymore due to depending on a now non-existing +symbol. Fix the symbol name. + +Signed-off-by: Jochen Friedrich +Acked-by: Nicolas Ferre +Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-at91/at91cap9_devices.c | 2 +- + arch/arm/mach-at91/at91sam9g45_devices.c | 2 +- + arch/arm/mach-at91/at91sam9rl_devices.c | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/arm/mach-at91/at91cap9_devices.c ++++ b/arch/arm/mach-at91/at91cap9_devices.c +@@ -92,7 +92,7 @@ void __init at91_add_device_usbh(struct + * USB HS Device (Gadget) + * -------------------------------------------------------------------- */ + +-#if defined(CONFIG_USB_GADGET_ATMEL_USBA) || defined(CONFIG_USB_GADGET_ATMEL_USBA_MODULE) ++#if defined(CONFIG_USB_ATMEL_USBA) || defined(CONFIG_USB_ATMEL_USBA_MODULE) + + static struct resource usba_udc_resources[] = { + [0] = { +--- a/arch/arm/mach-at91/at91sam9g45_devices.c ++++ b/arch/arm/mach-at91/at91sam9g45_devices.c +@@ -191,7 +191,7 @@ void __init at91_add_device_usbh_ehci(st + * USB HS Device (Gadget) + * -------------------------------------------------------------------- */ + +-#if defined(CONFIG_USB_GADGET_ATMEL_USBA) || defined(CONFIG_USB_GADGET_ATMEL_USBA_MODULE) ++#if defined(CONFIG_USB_ATMEL_USBA) || defined(CONFIG_USB_ATMEL_USBA_MODULE) + static struct resource usba_udc_resources[] = { + [0] = { + .start = AT91SAM9G45_UDPHS_FIFO, +--- a/arch/arm/mach-at91/at91sam9rl_devices.c ++++ b/arch/arm/mach-at91/at91sam9rl_devices.c +@@ -75,7 +75,7 @@ void __init at91_add_device_hdmac(void) + * USB HS Device (Gadget) + * -------------------------------------------------------------------- */ + +-#if defined(CONFIG_USB_GADGET_ATMEL_USBA) || defined(CONFIG_USB_GADGET_ATMEL_USBA_MODULE) ++#if defined(CONFIG_USB_ATMEL_USBA) || defined(CONFIG_USB_ATMEL_USBA_MODULE) + + static struct resource usba_udc_resources[] = { + [0] = { diff --git a/queue-3.1/asoc-don-t-use-wm8994-control_data-in-wm8994_readable_register.patch b/queue-3.1/asoc-don-t-use-wm8994-control_data-in-wm8994_readable_register.patch new file mode 100644 index 00000000000..3ef8e0e7941 --- /dev/null +++ b/queue-3.1/asoc-don-t-use-wm8994-control_data-in-wm8994_readable_register.patch @@ -0,0 +1,31 @@ +From 8eeea521d9d0fa6afd62df8c6e6566ee946117fa Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Fri, 4 Nov 2011 15:52:31 +0000 +Subject: ASoC: Don't use wm8994->control_data in wm8994_readable_register() + +From: Mark Brown + +commit 8eeea521d9d0fa6afd62df8c6e6566ee946117fa upstream. + +The field is no longer initialised so this will crash if running on +wm8958. + +Reported-by: Thomas Abraham +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8994.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8994.c ++++ b/sound/soc/codecs/wm8994.c +@@ -56,7 +56,7 @@ static int wm8994_retune_mobile_base[] = + static int wm8994_readable(struct snd_soc_codec *codec, unsigned int reg) + { + struct wm8994_priv *wm8994 = snd_soc_codec_get_drvdata(codec); +- struct wm8994 *control = wm8994->control_data; ++ struct wm8994 *control = codec->control_data; + + switch (reg) { + case WM8994_GPIO_1: diff --git a/queue-3.1/drm-i915-fix-object-refcount-leak-on-mmappable-size-limit-error-path.patch b/queue-3.1/drm-i915-fix-object-refcount-leak-on-mmappable-size-limit-error-path.patch new file mode 100644 index 00000000000..fa530cb904c --- /dev/null +++ b/queue-3.1/drm-i915-fix-object-refcount-leak-on-mmappable-size-limit-error-path.patch @@ -0,0 +1,34 @@ +From 14660ccd599dc7bd6ecef17408bd76dc853f9b77 Mon Sep 17 00:00:00 2001 +From: Eric Anholt +Date: Mon, 31 Oct 2011 23:16:21 -0700 +Subject: drm/i915: Fix object refcount leak on mmappable size limit error path. + +From: Eric Anholt + +commit 14660ccd599dc7bd6ecef17408bd76dc853f9b77 upstream. + +I've been seeing memory leaks on my system in the form of large +(300-400MB) GEM objects created by now-dead processes laying around +clogging up memory. I usually notice when it gets to about 1.2GB of +them. Hopefully this clears up the issue, but I just found this bug +by inspection. + +Signed-off-by: Eric Anholt +Signed-off-by: Keith Packard +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -1475,7 +1475,7 @@ i915_gem_mmap_gtt(struct drm_file *file, + + if (obj->base.size > dev_priv->mm.gtt_mappable_end) { + ret = -E2BIG; +- goto unlock; ++ goto out; + } + + if (obj->madv != I915_MADV_WILLNEED) { diff --git a/queue-3.1/drm-nouveau-initialize-chan-fence.lock-before-use.patch b/queue-3.1/drm-nouveau-initialize-chan-fence.lock-before-use.patch new file mode 100644 index 00000000000..6f1a06b5d1f --- /dev/null +++ b/queue-3.1/drm-nouveau-initialize-chan-fence.lock-before-use.patch @@ -0,0 +1,65 @@ +From 5e60ee780e792efe6dce97eceb110b1d30bab850 Mon Sep 17 00:00:00 2001 +From: Marcin Slusarz +Date: Fri, 9 Sep 2011 14:16:42 +0200 +Subject: drm/nouveau: initialize chan->fence.lock before use + +From: Marcin Slusarz + +commit 5e60ee780e792efe6dce97eceb110b1d30bab850 upstream. + +Fence lock needs to be initialized before any call to nouveau_channel_put +because it calls nouveau_channel_idle->nouveau_fence_update which uses +fence lock. + +BUG: spinlock bad magic on CPU#0, test/24134 + lock: ffff88019f90dba8, .magic: 00000000, .owner: /-1, .owner_cpu: 0 +Pid: 24134, comm: test Not tainted 3.0.0-nv+ #800 +Call Trace: + spin_bug+0x9c/0xa3 + do_raw_spin_lock+0x29/0x13c + _raw_spin_lock+0x1e/0x22 + nouveau_fence_update+0x2d/0xf1 + nouveau_channel_idle+0x22/0xa0 + nouveau_channel_put_unlocked+0x84/0x1bd + nouveau_channel_put+0x20/0x24 + nouveau_channel_alloc+0x4ec/0x585 + nouveau_ioctl_fifo_alloc+0x50/0x130 + drm_ioctl+0x289/0x361 + do_vfs_ioctl+0x4dd/0x52c + sys_ioctl+0x42/0x65 + system_call_fastpath+0x16/0x1b + +It's easily triggerable from userspace. + +Additionally remove double initialization of chan->fence.pending. + +Signed-off-by: Marcin Slusarz +Signed-off-by: Ben Skeggs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/nouveau/nouveau_channel.c | 1 + + drivers/gpu/drm/nouveau/nouveau_fence.c | 2 -- + 2 files changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/gpu/drm/nouveau/nouveau_channel.c ++++ b/drivers/gpu/drm/nouveau/nouveau_channel.c +@@ -158,6 +158,7 @@ nouveau_channel_alloc(struct drm_device + INIT_LIST_HEAD(&chan->nvsw.vbl_wait); + INIT_LIST_HEAD(&chan->nvsw.flip); + INIT_LIST_HEAD(&chan->fence.pending); ++ spin_lock_init(&chan->fence.lock); + + /* setup channel's memory and vm */ + ret = nouveau_gpuobj_channel_init(chan, vram_handle, gart_handle); +--- a/drivers/gpu/drm/nouveau/nouveau_fence.c ++++ b/drivers/gpu/drm/nouveau/nouveau_fence.c +@@ -539,8 +539,6 @@ nouveau_fence_channel_init(struct nouvea + return ret; + } + +- INIT_LIST_HEAD(&chan->fence.pending); +- spin_lock_init(&chan->fence.lock); + atomic_set(&chan->fence.last_sequence_irq, 0); + return 0; + } diff --git a/queue-3.1/drm-radeon-kms-make-an-aux-failure-debug-only.patch b/queue-3.1/drm-radeon-kms-make-an-aux-failure-debug-only.patch new file mode 100644 index 00000000000..39dd77d20fb --- /dev/null +++ b/queue-3.1/drm-radeon-kms-make-an-aux-failure-debug-only.patch @@ -0,0 +1,31 @@ +From 091264f0bc12419560ac64fcef4567809d611658 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Tue, 8 Nov 2011 10:09:58 -0500 +Subject: drm/radeon/kms: make an aux failure debug only + +From: Alex Deucher + +commit 091264f0bc12419560ac64fcef4567809d611658 upstream. + +Can happen when there is no DP panel attached, confusing +users. Make it debug only. + +Signed-off-by: Alex Deucher +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_dp.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/atombios_dp.c ++++ b/drivers/gpu/drm/radeon/atombios_dp.c +@@ -283,7 +283,7 @@ int radeon_dp_i2c_aux_ch(struct i2c_adap + } + } + +- DRM_ERROR("aux i2c too many retries, giving up\n"); ++ DRM_DEBUG_KMS("aux i2c too many retries, giving up\n"); + return -EREMOTEIO; + } + diff --git a/queue-3.1/series b/queue-3.1/series new file mode 100644 index 00000000000..cf247f14348 --- /dev/null +++ b/queue-3.1/series @@ -0,0 +1,9 @@ +alsa-hda-fix-internal-mic-on-dell-vostro-3500-laptop.patch +alsa-hda-don-t-add-elements-of-other-codecs-to-vmaster-slave.patch +virtio-pci-fix-use-after-free.patch +arm-at91-fix-usba-gadget-registration.patch +asoc-don-t-use-wm8994-control_data-in-wm8994_readable_register.patch +sh-fix-cached-uncaced-address-calculation-in-29bit-mode.patch +drm-i915-fix-object-refcount-leak-on-mmappable-size-limit-error-path.patch +drm-nouveau-initialize-chan-fence.lock-before-use.patch +drm-radeon-kms-make-an-aux-failure-debug-only.patch diff --git a/queue-3.1/sh-fix-cached-uncaced-address-calculation-in-29bit-mode.patch b/queue-3.1/sh-fix-cached-uncaced-address-calculation-in-29bit-mode.patch new file mode 100644 index 00000000000..225342e22e5 --- /dev/null +++ b/queue-3.1/sh-fix-cached-uncaced-address-calculation-in-29bit-mode.patch @@ -0,0 +1,39 @@ +From dfd3b596fbbfa48b8e7966ef996d587157554b69 Mon Sep 17 00:00:00 2001 +From: Nobuhiro Iwamatsu +Date: Fri, 4 Nov 2011 22:13:50 +0900 +Subject: sh: Fix cached/uncaced address calculation in 29bit mode + +From: Nobuhiro Iwamatsu + +commit dfd3b596fbbfa48b8e7966ef996d587157554b69 upstream. + +In the case of 29bit mode, CAC/UNCAC_ADDR does not return a right address. +This revises this problem by using P1SEGADDR and P2SEGADDR in 29bit mode. + +Reported-by: Yutaro Ebihara +Signed-off-by: Nobuhiro Iwamatsu +Tested-by: Kuninori Morimoto +Tested-by: Simon Horman +Signed-off-by: Paul Mundt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/include/asm/page.h | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/sh/include/asm/page.h ++++ b/arch/sh/include/asm/page.h +@@ -141,8 +141,13 @@ typedef struct page *pgtable_t; + #endif /* !__ASSEMBLY__ */ + + #ifdef CONFIG_UNCACHED_MAPPING ++#if defined(CONFIG_29BIT) ++#define UNCAC_ADDR(addr) P2SEGADDR(addr) ++#define CAC_ADDR(addr) P1SEGADDR(addr) ++#else + #define UNCAC_ADDR(addr) ((addr) - PAGE_OFFSET + uncached_start) + #define CAC_ADDR(addr) ((addr) - uncached_start + PAGE_OFFSET) ++#endif + #else + #define UNCAC_ADDR(addr) ((addr)) + #define CAC_ADDR(addr) ((addr)) diff --git a/queue-3.1/virtio-pci-fix-use-after-free.patch b/queue-3.1/virtio-pci-fix-use-after-free.patch new file mode 100644 index 00000000000..1850105c64c --- /dev/null +++ b/queue-3.1/virtio-pci-fix-use-after-free.patch @@ -0,0 +1,58 @@ +From 72103bd1285211440621f2c46f4fce377584de54 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Mon, 7 Nov 2011 18:37:05 +0200 +Subject: virtio-pci: fix use after free + +From: "Michael S. Tsirkin" + +commit 72103bd1285211440621f2c46f4fce377584de54 upstream. + +Commit 31a3ddda166cda86d2b5111e09ba4bda5239fae6 introduced +a use after free in virtio-pci. The main issue is +that the release method signals removal of the virtio device, +while remove signals removal of the pci device. + +For example, on driver removal or hot-unplug, +virtio_pci_release_dev is called before virtio_pci_remove. +We then might get a crash as virtio_pci_remove tries to use the +device freed by virtio_pci_release_dev. + +We allocate/free all resources together with the +pci device, so we can leave the release method empty. + +Signed-off-by: Michael S. Tsirkin +Acked-by: Amit Shah +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_pci.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/virtio/virtio_pci.c ++++ b/drivers/virtio/virtio_pci.c +@@ -590,11 +590,11 @@ static struct virtio_config_ops virtio_p + + static void virtio_pci_release_dev(struct device *_d) + { +- struct virtio_device *dev = container_of(_d, struct virtio_device, +- dev); +- struct virtio_pci_device *vp_dev = to_vp_device(dev); +- +- kfree(vp_dev); ++ /* ++ * No need for a release method as we allocate/free ++ * all devices together with the pci devices. ++ * Provide an empty one to avoid getting a warning from core. ++ */ + } + + /* the PCI probing function */ +@@ -682,6 +682,7 @@ static void __devexit virtio_pci_remove( + pci_iounmap(pci_dev, vp_dev->ioaddr); + pci_release_regions(pci_dev); + pci_disable_device(pci_dev); ++ kfree(vp_dev); + } + + #ifdef CONFIG_PM