From d0bbd454068e47cf8bf4182b50a858dfe491bbfd Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 12 Mar 2013 11:57:42 -0400 Subject: [PATCH 001/468] remove warning cow --- kernel.spec | 9 --------- 1 file changed, 9 deletions(-) diff --git a/kernel.spec b/kernel.spec index 330920411..2258d3b07 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2273,15 +2273,6 @@ fi # plz don't put in a version string unless you're going to tag # and build. -# ___________________________________________________________ -# / This branch is for Fedora 19. You probably want to commit \ -# \ to the F-18 branch instead, or in addition to this one. / -# ----------------------------------------------------------- -# \ ^__^ -# \ (@@)\_______ -# (__)\ )\/\ -# ||----w | -# || || %changelog * Tue Mar 12 2013 Dave Airlie - add QXL driver (f19 only) From 243c2fd97b5cfd484f805ddd0aad8c8ccdec6920 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Mar 2013 08:51:34 -0400 Subject: [PATCH 002/468] CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) --- kernel.spec | 9 ++ ...l-always-clear-sa_restorer-on-execve.patch | 113 ++++++++++++++++++ 2 files changed, 122 insertions(+) create mode 100644 signal-always-clear-sa_restorer-on-execve.patch diff --git a/kernel.spec b/kernel.spec index 2258d3b07..2e020c01b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -742,6 +742,9 @@ Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch #rhbz 911771 Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +#CVE-2013-0914 rhbz 920499 920510 +Patch21270: signal-always-clear-sa_restorer-on-execve.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -1442,6 +1445,9 @@ ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch #rhbz 911771 ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +#CVE-2013-0914 rhbz 920499 920510 +ApplyPatch signal-always-clear-sa_restorer-on-execve.patch + # END OF PATCH APPLICATIONS %endif @@ -2274,6 +2280,9 @@ fi # and build. %changelog +* Tue Mar 12 2013 Josh Boyer +- CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) + * Tue Mar 12 2013 Dave Airlie - add QXL driver (f19 only) diff --git a/signal-always-clear-sa_restorer-on-execve.patch b/signal-always-clear-sa_restorer-on-execve.patch new file mode 100644 index 000000000..feb005c44 --- /dev/null +++ b/signal-always-clear-sa_restorer-on-execve.patch @@ -0,0 +1,113 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.169.233 with SMTP id ah9csp99159oac; + Mon, 11 Mar 2013 13:14:17 -0700 (PDT) +X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; + Mon, 11 Mar 2013 13:14:16 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754069Ab3CKUN4 (ORCPT + 99 others); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753913Ab3CKUN4 (ORCPT ); + Mon, 11 Mar 2013 16:13:56 -0400 +Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) + by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; + Mon, 11 Mar 2013 13:13:43 -0700 +Date: Mon, 11 Mar 2013 13:13:42 -0700 +From: Kees Cook +To: linux-kernel@vger.kernel.org +Cc: Al Viro , Oleg Nesterov , + Andrew Morton , + "Eric W. Biederman" , + Serge Hallyn , + Emese Revfy , + PaX Team , jln@google.com +Subject: [PATCH v2] signal: always clear sa_restorer on execve +Message-ID: <20130311201342.GA19824@www.outflux.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: www.outflux.net +X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +When the new signal handlers are set up, the location of sa_restorer +is not cleared, leaking a parent process's address space location to +children. This allows for a potential bypass of the parent's ASLR by +examining the sa_restorer value returned when calling sigaction(). + +Based on what should be considered "secret" about addresses, it only +matters across the exec not the fork (since the VMAs haven't changed +until the exec). But since exec sets SIG_DFL and keeps sa_restorer, +this is where it should be fixed. + +Given the few uses of sa_restorer, a "set" function was not written +since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, +as already done in other places. + +Example of the leak before applying this patch: + +$ cat /proc/$$/maps +... +7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +$ ./leak +... +7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so +... +1 0 (nil) 0x7fb9f30b94a0 +2 4000000 (nil) 0x7f278bcaa4a0 +3 4000000 (nil) 0x7f278bcaa4a0 +4 0 (nil) 0x7fb9f30b94a0 +... + +Signed-off-by: Kees Cook +Reported-by: Emese Revfy +Cc: Emese Revfy +Cc: PaX Team +Cc: stable@vger.kernel.org +--- +v2: + - clarify commit, explain use of #ifdef. +--- + kernel/signal.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/kernel/signal.c b/kernel/signal.c +index 2ec870a..8c8e3ca 100644 +--- a/kernel/signal.c ++++ b/kernel/signal.c +@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) + if (force_default || ka->sa.sa_handler != SIG_IGN) + ka->sa.sa_handler = SIG_DFL; + ka->sa.sa_flags = 0; ++#ifdef __ARCH_HAS_SA_RESTORER ++ ka->sa.sa_restorer = NULL; ++#endif + sigemptyset(&ka->sa.sa_mask); + ka++; + } +-- +1.7.9.5 + + +-- +Kees Cook +Chrome OS Security +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ From c8e6afb8f399ba5efa8ded4b0ef7b78efc7df262 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Mar 2013 09:07:02 -0400 Subject: [PATCH 003/468] CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) --- ...ds-check-execbuffer-relocation-count.patch | 100 ++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 107 insertions(+) create mode 100644 drm-i915-bounds-check-execbuffer-relocation-count.patch diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch new file mode 100644 index 000000000..1377a5285 --- /dev/null +++ b/drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -0,0 +1,100 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.169.233 with SMTP id ah9csp107244oac; + Mon, 11 Mar 2013 17:32:43 -0700 (PDT) +X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048; + Mon, 11 Mar 2013 17:32:43 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12; + Mon, 11 Mar 2013 17:32:43 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754633Ab3CLAbx (ORCPT + 99 others); + Mon, 11 Mar 2013 20:31:53 -0400 +Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754446Ab3CLAbx (ORCPT ); + Mon, 11 Mar 2013 20:31:53 -0400 +Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) + by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342; + Mon, 11 Mar 2013 17:31:45 -0700 +Date: Mon, 11 Mar 2013 17:31:45 -0700 +From: Kees Cook +To: linux-kernel@vger.kernel.org +Cc: Daniel Vetter , + David Airlie , + dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, + Julien Tinnes , marcheu@chromium.org +Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count +Message-ID: <20130312003145.GA28993@www.outflux.net> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-MIMEDefang-Filter: outflux$Revision: 1.316 $ +X-HELO: www.outflux.net +X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +It is possible to wrap the counter used to allocate the buffer for +relocation copies. This could lead to heap writing overflows. + +CVE-2013-0913 + +v3: collapse test, improve comment +v2: move check into validate_exec_list + +Signed-off-by: Kees Cook +Reported-by: Pinkie Pie +Cc: stable@vger.kernel.org +--- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +index b3a40ee..094ba41 100644 +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, + int count) + { + int i; ++ int relocs_total = 0; ++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); + + for (i = 0; i < count; i++) { + char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; +@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, + if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) + return -EINVAL; + +- /* First check for malicious input causing overflow */ +- if (exec[i].relocation_count > +- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) ++ /* First check for malicious input causing overflow in ++ * the worst case where we need to allocate the entire ++ * relocation tree as a single array. ++ */ ++ if (exec[i].relocation_count > relocs_max - relocs_total) + return -EINVAL; ++ relocs_total += exec[i].relocation_count; + + length = exec[i].relocation_count * + sizeof(struct drm_i915_gem_relocation_entry); +-- +1.7.9.5 + + +-- +Kees Cook +Chrome OS Security +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index 2e020c01b..a70aabfa7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -745,6 +745,9 @@ Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch #CVE-2013-0914 rhbz 920499 920510 Patch21270: signal-always-clear-sa_restorer-on-execve.patch +#CVE-2013-0913 rhbz 920471 920529 +Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -1448,6 +1451,9 @@ ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch #CVE-2013-0914 rhbz 920499 920510 ApplyPatch signal-always-clear-sa_restorer-on-execve.patch +#CVE-2013-0913 rhbz 920471 920529 +ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch + # END OF PATCH APPLICATIONS %endif @@ -2281,6 +2287,7 @@ fi %changelog * Tue Mar 12 2013 Josh Boyer +- CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) * Tue Mar 12 2013 Dave Airlie From 696db7d9525585697431b649e69818db4f2188ac Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Mar 2013 12:24:21 -0400 Subject: [PATCH 004/468] Add patches to fix cfg80211 issues with suspend (rhbz 856863) --- cfg80211-mac80211-disconnect-on-suspend.patch | 219 ++++++++++++++++++ kernel.spec | 7 + 2 files changed, 226 insertions(+) create mode 100644 cfg80211-mac80211-disconnect-on-suspend.patch diff --git a/cfg80211-mac80211-disconnect-on-suspend.patch b/cfg80211-mac80211-disconnect-on-suspend.patch new file mode 100644 index 000000000..92ab492ce --- /dev/null +++ b/cfg80211-mac80211-disconnect-on-suspend.patch @@ -0,0 +1,219 @@ +From 8125696991194aacb1173b6e8196d19098b44e17 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Thu, 28 Feb 2013 09:55:25 +0000 +Subject: cfg80211/mac80211: disconnect on suspend + +If possible that after suspend, cfg80211 will receive request to +disconnect what require action on interface that was removed during +suspend. + +Problem can manifest itself by various warnings similar to below one: + +WARNING: at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211]() +wlan0: Failed check-sdata-in-driver check, flags: 0x4 +Call Trace: + [] warn_slowpath_fmt+0x33/0x40 + [] ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211] + [] ieee80211_recalc_ps_vif+0x2a/0x30 [mac80211] + [] ieee80211_set_disassoc+0xf6/0x500 [mac80211] + [] ieee80211_mgd_deauth+0x1f1/0x280 [mac80211] + [] ieee80211_deauth+0x16/0x20 [mac80211] + [] cfg80211_mlme_down+0x70/0xc0 [cfg80211] + [] __cfg80211_disconnect+0x1b1/0x1d0 [cfg80211] + +To fix the problem disconnect from any associated network before +suspend. User space is responsible to establish connection again +after resume. This basically need to be done by user space anyway, +because associated stations can go away during suspend (for example +NetworkManager disconnects on suspend and connect on resume by default). + +Patch also handle situation when driver refuse to suspend with wowlan +configured and try to suspend again without it. + +Signed-off-by: Stanislaw Gruszka +Signed-off-by: Johannes Berg +--- +diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c +index d0275f3..4d105c7 100644 +--- a/net/mac80211/pm.c ++++ b/net/mac80211/pm.c +@@ -93,7 +93,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) + return err; + } else if (err > 0) { + WARN_ON(err != 1); +- local->wowlan = false; ++ return err; + } else { + list_for_each_entry(sdata, &local->interfaces, list) + if (ieee80211_sdata_running(sdata)) +diff --git a/net/wireless/core.c b/net/wireless/core.c +index ea4155f..f382cae 100644 +--- a/net/wireless/core.c ++++ b/net/wireless/core.c +@@ -814,6 +814,46 @@ void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, + rdev->num_running_monitor_ifaces += num; + } + ++void cfg80211_leave(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev) ++{ ++ struct net_device *dev = wdev->netdev; ++ ++ switch (wdev->iftype) { ++ case NL80211_IFTYPE_ADHOC: ++ cfg80211_leave_ibss(rdev, dev, true); ++ break; ++ case NL80211_IFTYPE_P2P_CLIENT: ++ case NL80211_IFTYPE_STATION: ++ mutex_lock(&rdev->sched_scan_mtx); ++ __cfg80211_stop_sched_scan(rdev, false); ++ mutex_unlock(&rdev->sched_scan_mtx); ++ ++ wdev_lock(wdev); ++#ifdef CONFIG_CFG80211_WEXT ++ kfree(wdev->wext.ie); ++ wdev->wext.ie = NULL; ++ wdev->wext.ie_len = 0; ++ wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; ++#endif ++ __cfg80211_disconnect(rdev, dev, ++ WLAN_REASON_DEAUTH_LEAVING, true); ++ cfg80211_mlme_down(rdev, dev); ++ wdev_unlock(wdev); ++ break; ++ case NL80211_IFTYPE_MESH_POINT: ++ cfg80211_leave_mesh(rdev, dev); ++ break; ++ case NL80211_IFTYPE_AP: ++ cfg80211_stop_ap(rdev, dev); ++ break; ++ default: ++ break; ++ } ++ ++ wdev->beacon_interval = 0; ++} ++ + static int cfg80211_netdev_notifier_call(struct notifier_block *nb, + unsigned long state, + void *ndev) +@@ -882,38 +922,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, + dev->priv_flags |= IFF_DONT_BRIDGE; + break; + case NETDEV_GOING_DOWN: +- switch (wdev->iftype) { +- case NL80211_IFTYPE_ADHOC: +- cfg80211_leave_ibss(rdev, dev, true); +- break; +- case NL80211_IFTYPE_P2P_CLIENT: +- case NL80211_IFTYPE_STATION: +- mutex_lock(&rdev->sched_scan_mtx); +- __cfg80211_stop_sched_scan(rdev, false); +- mutex_unlock(&rdev->sched_scan_mtx); +- +- wdev_lock(wdev); +-#ifdef CONFIG_CFG80211_WEXT +- kfree(wdev->wext.ie); +- wdev->wext.ie = NULL; +- wdev->wext.ie_len = 0; +- wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; +-#endif +- __cfg80211_disconnect(rdev, dev, +- WLAN_REASON_DEAUTH_LEAVING, true); +- cfg80211_mlme_down(rdev, dev); +- wdev_unlock(wdev); +- break; +- case NL80211_IFTYPE_MESH_POINT: +- cfg80211_leave_mesh(rdev, dev); +- break; +- case NL80211_IFTYPE_AP: +- cfg80211_stop_ap(rdev, dev); +- break; +- default: +- break; +- } +- wdev->beacon_interval = 0; ++ cfg80211_leave(rdev, wdev); + break; + case NETDEV_DOWN: + cfg80211_update_iface_num(rdev, wdev->iftype, -1); +diff --git a/net/wireless/core.h b/net/wireless/core.h +index 9a2be8d..d5d06fd 100644 +--- a/net/wireless/core.h ++++ b/net/wireless/core.h +@@ -500,6 +500,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev, + void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, + enum nl80211_iftype iftype, int num); + ++void cfg80211_leave(struct cfg80211_registered_device *rdev, ++ struct wireless_dev *wdev); ++ + #define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 + + #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS +diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h +index 8c8b26f..d77e1c1 100644 +--- a/net/wireless/rdev-ops.h ++++ b/net/wireless/rdev-ops.h +@@ -6,11 +6,12 @@ + #include "core.h" + #include "trace.h" + +-static inline int rdev_suspend(struct cfg80211_registered_device *rdev) ++static inline int rdev_suspend(struct cfg80211_registered_device *rdev, ++ struct cfg80211_wowlan *wowlan) + { + int ret; +- trace_rdev_suspend(&rdev->wiphy, rdev->wowlan); +- ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan); ++ trace_rdev_suspend(&rdev->wiphy, wowlan); ++ ret = rdev->ops->suspend(&rdev->wiphy, wowlan); + trace_rdev_return_int(&rdev->wiphy, ret); + return ret; + } +diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c +index 238ee49..8f28b9f 100644 +--- a/net/wireless/sysfs.c ++++ b/net/wireless/sysfs.c +@@ -83,6 +83,14 @@ static int wiphy_uevent(struct device *dev, struct kobj_uevent_env *env) + return 0; + } + ++static void cfg80211_leave_all(struct cfg80211_registered_device *rdev) ++{ ++ struct wireless_dev *wdev; ++ ++ list_for_each_entry(wdev, &rdev->wdev_list, list) ++ cfg80211_leave(rdev, wdev); ++} ++ + static int wiphy_suspend(struct device *dev, pm_message_t state) + { + struct cfg80211_registered_device *rdev = dev_to_rdev(dev); +@@ -90,12 +98,19 @@ static int wiphy_suspend(struct device *dev, pm_message_t state) + + rdev->suspend_at = get_seconds(); + +- if (rdev->ops->suspend) { +- rtnl_lock(); +- if (rdev->wiphy.registered) +- ret = rdev_suspend(rdev); +- rtnl_unlock(); ++ rtnl_lock(); ++ if (rdev->wiphy.registered) { ++ if (!rdev->wowlan) ++ cfg80211_leave_all(rdev); ++ if (rdev->ops->suspend) ++ ret = rdev_suspend(rdev, rdev->wowlan); ++ if (ret == 1) { ++ /* Driver refuse to configure wowlan */ ++ cfg80211_leave_all(rdev); ++ ret = rdev_suspend(rdev, NULL); ++ } + } ++ rtnl_unlock(); + + return ret; + } +-- +cgit v0.9.1 diff --git a/kernel.spec b/kernel.spec index a70aabfa7..aa5a74f76 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,6 +748,9 @@ Patch21270: signal-always-clear-sa_restorer-on-execve.patch #CVE-2013-0913 rhbz 920471 920529 Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch +#rhbz 856863 +Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -1454,6 +1457,9 @@ ApplyPatch signal-always-clear-sa_restorer-on-execve.patch #CVE-2013-0913 rhbz 920471 920529 ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch +#rhbz 856863 +ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch + # END OF PATCH APPLICATIONS %endif @@ -2287,6 +2293,7 @@ fi %changelog * Tue Mar 12 2013 Josh Boyer +- Add patches to fix cfg80211 issues with suspend (rhbz 856863) - CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) From 8743f385919e68d3b4325b34e1154405eb585783 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 12 Mar 2013 12:57:55 -0400 Subject: [PATCH 005/468] Add patch to fix ieee80211_do_stop (rhbz 892599) --- kernel.spec | 7 +- ...ieee80211_do_stop_while_suspend_v3.9.patch | 109 ++++++++++++++++++ 2 files changed, 114 insertions(+), 2 deletions(-) create mode 100644 mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch diff --git a/kernel.spec b/kernel.spec index aa5a74f76..ddfe9bc21 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,8 +748,9 @@ Patch21270: signal-always-clear-sa_restorer-on-execve.patch #CVE-2013-0913 rhbz 920471 920529 Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch -#rhbz 856863 +#rhbz 856863 892599 Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch +Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch Patch22000: weird-root-dentry-name-debug.patch @@ -1457,8 +1458,9 @@ ApplyPatch signal-always-clear-sa_restorer-on-execve.patch #CVE-2013-0913 rhbz 920471 920529 ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch -#rhbz 856863 +#rhbz 856863 892599 ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch +ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch # END OF PATCH APPLICATIONS @@ -2293,6 +2295,7 @@ fi %changelog * Tue Mar 12 2013 Josh Boyer +- Add patch to fix ieee80211_do_stop (rhbz 892599) - Add patches to fix cfg80211 issues with suspend (rhbz 856863) - CVE-2013-0913 drm/i915: head writing overflow (rhbz 920471 920529) - CVE-2013-0914 sa_restorer information leak (rhbz 920499 920510) diff --git a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch new file mode 100644 index 000000000..2f0cb5338 --- /dev/null +++ b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -0,0 +1,109 @@ +commit 801d929ca7d935ee199fd61d8ef914f51e892270 +Author: Felix Fietkau +Date: Sat Mar 2 19:05:47 2013 +0100 + + mac80211: another fix for idle handling in monitor mode + + When setting a monitor interface up or down, the idle state needs to be + recalculated, otherwise the hardware will just stay in its previous idle + state. + + Signed-off-by: Felix Fietkau + Signed-off-by: Johannes Berg + +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index 640afab..baaa860 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) + + ieee80211_adjust_monitor_flags(sdata, 1); + ieee80211_configure_filter(local); ++ mutex_lock(&local->mtx); ++ ieee80211_recalc_idle(local); ++ mutex_unlock(&local->mtx); + + netif_carrier_on(dev); + break; +@@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + + ieee80211_adjust_monitor_flags(sdata, -1); + ieee80211_configure_filter(local); ++ mutex_lock(&local->mtx); ++ ieee80211_recalc_idle(local); ++ mutex_unlock(&local->mtx); + break; + case NL80211_IFTYPE_P2P_DEVICE: + /* relies on synchronize_rcu() below */ +diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c +index baaa860..937174b 100644 +--- a/net/mac80211/iface.c ++++ b/net/mac80211/iface.c +@@ -748,8 +748,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + sdata->dev->addr_len); + spin_unlock_bh(&local->filter_lock); + netif_addr_unlock_bh(sdata->dev); +- +- ieee80211_configure_filter(local); ++ /* configure filter latter (if not suspended) */ + } + + del_timer_sync(&local->dynamic_ps_timer); +@@ -814,10 +813,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + } + + ieee80211_adjust_monitor_flags(sdata, -1); +- ieee80211_configure_filter(local); +- mutex_lock(&local->mtx); +- ieee80211_recalc_idle(local); +- mutex_unlock(&local->mtx); ++ /* tell driver latter (if not suspended) */ + break; + case NL80211_IFTYPE_P2P_DEVICE: + /* relies on synchronize_rcu() below */ +@@ -848,28 +844,30 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, + + drv_remove_interface_debugfs(local, sdata); + +- if (going_down) ++ if (going_down && !local->suspended) + drv_remove_interface(local, sdata); + } + + sdata->bss = NULL; + +- ieee80211_recalc_ps(local, -1); +- +- if (local->open_count == 0) { +- if (local->ops->napi_poll) +- napi_disable(&local->napi); +- ieee80211_clear_tx_pending(local); +- ieee80211_stop_device(local); +- +- /* no reconfiguring after stop! */ +- hw_reconf_flags = 0; ++ if (!local->suspended) { ++ if (local->open_count == 0) { ++ if (local->ops->napi_poll) ++ napi_disable(&local->napi); ++ ieee80211_clear_tx_pending(local); ++ ieee80211_stop_device(local); ++ } else { ++ ieee80211_configure_filter(local); ++ ieee80211_recalc_ps(local, -1); ++ ++ mutex_lock(&local->mtx); ++ ieee80211_recalc_idle(local); ++ mutex_unlock(&local->mtx); ++ ++ if (hw_reconf_flags) ++ ieee80211_hw_config(local, hw_reconf_flags); + } + +- /* do after stop to avoid reconfiguring when we stop anyway */ +- if (hw_reconf_flags) +- ieee80211_hw_config(local, hw_reconf_flags); +- + spin_lock_irqsave(&local->queue_stop_reason_lock, flags); + for (i = 0; i < IEEE80211_MAX_QUEUES; i++) { + skb_queue_walk_safe(&local->pending[i], skb, tmp) { From 4f44acc7383da1127f6b856d2b551e224b0c87ad Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 12 Mar 2013 22:07:59 -0400 Subject: [PATCH 006/468] Reenable debugging options. --- config-generic | 8 ++-- config-nodebug | 110 ++++++++++++++++++++++----------------------- config-x86-generic | 2 +- kernel.spec | 9 ++-- 4 files changed, 66 insertions(+), 63 deletions(-) diff --git a/config-generic b/config-generic index 52145225f..9c1cf4b94 100644 --- a/config-generic +++ b/config-generic @@ -1554,13 +1554,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -# CONFIG_B43_DEBUG is not set +CONFIG_B43_DEBUG=y CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DEBUG=y CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3198,7 +3198,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -# CONFIG_USB_UAS is not set +CONFIG_USB_UAS=m # @@ -4190,7 +4190,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_TEST_SUSPEND=y CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index aa7568c82..cfabd29c7 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_SLUB_DEBUG_ON is not set +CONFIG_SLUB_DEBUG_ON=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_SG=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_WRITECOUNT is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_WRITECOUNT=y +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -# CONFIG_X86_PTDUMP is not set +CONFIG_X86_PTDUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_SYSCTL_SYSCALL_CHECK is not set +CONFIG_SYSCTL_SYSCALL_CHECK=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set -# CONFIG_DMADEVICES_VDEBUG is not set +CONFIG_DMADEVICES_DEBUG=y +CONFIG_DMADEVICES_VDEBUG=y CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +CONFIG_TEST_LIST_SORT=y -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index 226859b4e..cac1a3157 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -326,7 +326,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index ddfe9bc21..5b27030f2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 0 +%define rawhide_skip_docs 1 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -2294,6 +2294,9 @@ fi # and build. %changelog +* Wed Mar 13 2013 Dave Jones - 3.9.0-0.rc2.git0.3 +- Reenable debugging options. + * Tue Mar 12 2013 Josh Boyer - Add patch to fix ieee80211_do_stop (rhbz 892599) - Add patches to fix cfg80211 issues with suspend (rhbz 856863) From caf64a2b13da018578fb00eced7ec72ce9e49d7e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 13 Mar 2013 07:27:17 -0400 Subject: [PATCH 007/468] Fix missing bracket in patch for bug 892599 --- ...0211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch index 2f0cb5338..81090e3ec 100644 --- a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +++ b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -36,7 +36,7 @@ index 640afab..baaa860 100644 case NL80211_IFTYPE_P2P_DEVICE: /* relies on synchronize_rcu() below */ diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c -index baaa860..937174b 100644 +index baaa860..7a3d675 100644 --- a/net/mac80211/iface.c +++ b/net/mac80211/iface.c @@ -748,8 +748,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, @@ -61,7 +61,7 @@ index baaa860..937174b 100644 break; case NL80211_IFTYPE_P2P_DEVICE: /* relies on synchronize_rcu() below */ -@@ -848,28 +844,30 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, +@@ -848,28 +844,31 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, drv_remove_interface_debugfs(local, sdata); @@ -98,6 +98,7 @@ index baaa860..937174b 100644 + + if (hw_reconf_flags) + ieee80211_hw_config(local, hw_reconf_flags); ++ } } - /* do after stop to avoid reconfiguring when we stop anyway */ From 240f3bddfc33e78cf0d3dfda213af0108dadb4b1 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Thu, 14 Mar 2013 17:54:32 +1000 Subject: [PATCH 008/468] drm/qxl: disable for now, some wierd fb interaction is leaking ram --- config-generic | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-generic b/config-generic index 9c1cf4b94..a742f06de 100644 --- a/config-generic +++ b/config-generic @@ -2591,7 +2591,7 @@ CONFIG_DRM_UDL=m CONFIG_DRM_VMWGFX=m CONFIG_DRM_VMWGFX_FBCON=y CONFIG_DRM_VGEM=m -CONFIG_DRM_QXL=m +# CONFIG_DRM_QXL is not set # # PCMCIA character devices From 4c6b4ff7d808f5878bf8ddc60b937105df33791e Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Fri, 15 Mar 2013 10:53:55 +1000 Subject: [PATCH 009/468] drm/qxl: reenable qxl now that some fbcon bugs are fixed --- config-generic | 2 +- drm-qxl-driver.patch | 113 ++++++++++++++++++++++++++++--------------- 2 files changed, 74 insertions(+), 41 deletions(-) diff --git a/config-generic b/config-generic index a742f06de..9c1cf4b94 100644 --- a/config-generic +++ b/config-generic @@ -2591,7 +2591,7 @@ CONFIG_DRM_UDL=m CONFIG_DRM_VMWGFX=m CONFIG_DRM_VMWGFX_FBCON=y CONFIG_DRM_VGEM=m -# CONFIG_DRM_QXL is not set +CONFIG_DRM_QXL=m # # PCMCIA character devices diff --git a/drm-qxl-driver.patch b/drm-qxl-driver.patch index 7514234b9..6a6bf111d 100644 --- a/drm-qxl-driver.patch +++ b/drm-qxl-driver.patch @@ -1,7 +1,7 @@ -From 4a4f7a19b0145c28b4d62339433c733c00de3558 Mon Sep 17 00:00:00 2001 +From 1a401a749cb1f06e637ef0e91fb8c120963aa356 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Mon, 25 Feb 2013 14:47:55 +1000 -Subject: [PATCH 2/2] drm: add new QXL driver. (v1.2) +Subject: [PATCH 2/2] drm: add new QXL driver. (v1.3) QXL is a paravirtual graphics device used by the Spice virtual desktop interface. @@ -26,6 +26,8 @@ Authors: Dave Airlie, Alon Levy v1.1: fixup some issues in the ioctl interface with padding v1.2: add module device table +v1.3: fix nomodeset, fbcon leak, dumb bo create, release ring irq, + don't try flush release ring (broken hw), fix -modesetting. Signed-off-by: Alon Levy Signed-off-by: Dave Airlie @@ -34,28 +36,28 @@ Signed-off-by: Dave Airlie drivers/gpu/drm/Makefile | 1 + drivers/gpu/drm/qxl/Kconfig | 10 + drivers/gpu/drm/qxl/Makefile | 9 + - drivers/gpu/drm/qxl/qxl_cmd.c | 711 +++++++++++++++++++++++++++ + drivers/gpu/drm/qxl/qxl_cmd.c | 707 +++++++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_debugfs.c | 135 ++++++ drivers/gpu/drm/qxl/qxl_dev.h | 879 ++++++++++++++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_display.c | 981 ++++++++++++++++++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_draw.c | 378 +++++++++++++++ - drivers/gpu/drm/qxl/qxl_drv.c | 132 +++++ + drivers/gpu/drm/qxl/qxl_draw.c | 384 +++++++++++++++ + drivers/gpu/drm/qxl/qxl_drv.c | 145 ++++++ drivers/gpu/drm/qxl/qxl_drv.h | 566 ++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_dumb.c | 76 +++ + drivers/gpu/drm/qxl/qxl_dumb.c | 93 ++++ drivers/gpu/drm/qxl/qxl_fb.c | 567 ++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_fence.c | 97 ++++ drivers/gpu/drm/qxl/qxl_gem.c | 178 +++++++ drivers/gpu/drm/qxl/qxl_image.c | 120 +++++ drivers/gpu/drm/qxl/qxl_ioctl.c | 411 ++++++++++++++++ drivers/gpu/drm/qxl/qxl_irq.c | 97 ++++ - drivers/gpu/drm/qxl/qxl_kms.c | 300 ++++++++++++ + drivers/gpu/drm/qxl/qxl_kms.c | 302 ++++++++++++ drivers/gpu/drm/qxl/qxl_object.c | 365 ++++++++++++++ drivers/gpu/drm/qxl/qxl_object.h | 112 +++++ drivers/gpu/drm/qxl/qxl_release.c | 307 ++++++++++++ - drivers/gpu/drm/qxl/qxl_ttm.c | 580 ++++++++++++++++++++++ + drivers/gpu/drm/qxl/qxl_ttm.c | 577 ++++++++++++++++++++++ include/uapi/drm/Kbuild | 1 + include/uapi/drm/qxl_drm.h | 152 ++++++ - 25 files changed, 7167 insertions(+) + 25 files changed, 7198 insertions(+) create mode 100644 drivers/gpu/drm/qxl/Kconfig create mode 100644 drivers/gpu/drm/qxl/Makefile create mode 100644 drivers/gpu/drm/qxl/qxl_cmd.c @@ -132,10 +134,10 @@ index 0000000..ea046ba +obj-$(CONFIG_DRM_QXL)+= qxl.o diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c new file mode 100644 -index 0000000..a860d71 +index 0000000..804b411 --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -0,0 +1,711 @@ +@@ -0,0 +1,707 @@ +/* + * Copyright 2013 Red Hat Inc. + * @@ -192,6 +194,7 @@ index 0000000..a860d71 + int element_size, + int n_elements, + int prod_notify, ++ bool set_prod_notify, + wait_queue_head_t *push_event) +{ + struct qxl_ring *ring; @@ -205,7 +208,8 @@ index 0000000..a860d71 + ring->n_elements = n_elements; + ring->prod_notify = prod_notify; + ring->push_event = push_event; -+ ++ if (set_prod_notify) ++ header->notify_on_prod = ring->n_elements; + spin_lock_init(&ring->lock); + return ring; +} @@ -289,6 +293,7 @@ index 0000000..a860d71 + unsigned long flags; + spin_lock_irqsave(&ring->lock, flags); + if (header->cons == header->prod) { ++ header->notify_on_prod = header->cons + 1; + spin_unlock_irqrestore(&ring->lock, flags); + return false; + } @@ -321,13 +326,6 @@ index 0000000..a860d71 + spin_unlock_irqrestore(&ring->lock, flags); +} + -+void qxl_release_ring_flush(struct qxl_device *qdev) -+{ -+ if (!qxl_check_header(qdev->release_ring)) -+ return; -+ qxl_io_flush_release(qdev); -+} -+ +int +qxl_push_command_ring_release(struct qxl_device *qdev, struct qxl_release *release, + uint32_t type, bool interruptible) @@ -2862,10 +2860,10 @@ index 0000000..c80ddfe +} diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c new file mode 100644 -index 0000000..c35c715 +index 0000000..7d5396d2 --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_draw.c -@@ -0,0 +1,378 @@ +@@ -0,0 +1,384 @@ +/* + * Copyright 2011 Red Hat, Inc. + * @@ -3042,6 +3040,7 @@ index 0000000..c35c715 + image->u.bitmap.palette = + qxl_bo_physical_address(qdev, palette_bo, 0); + qxl_bo_kunmap(image_bo); ++ qxl_bo_unreserve(palette_bo); + qxl_bo_unref(&palette_bo); + } + @@ -3102,7 +3101,7 @@ index 0000000..c35c715 + int stride = qxl_fb->base.pitches[0]; + /* depth is not actually interesting, we don't mask with it */ + int depth = qxl_fb->base.bits_per_pixel; -+ uint8_t *surface_base = bo->kptr; ++ uint8_t *surface_base; + struct qxl_release *release; + struct qxl_bo *image_bo; + struct qxl_bo *clips_bo; @@ -3133,8 +3132,13 @@ index 0000000..c35c715 + if (ret) + return; + ++ ret = qxl_bo_kmap(bo, (void **)&surface_base); ++ if (ret) ++ return; ++ + ret = qxl_image_create(qdev, release, &image_bo, surface_base, + left, top, width, height, depth, stride); ++ qxl_bo_kunmap(bo); + if (ret) + goto out_unref; + @@ -3246,10 +3250,10 @@ index 0000000..c35c715 +} diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c new file mode 100644 -index 0000000..2aad724 +index 0000000..d337da0 --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_drv.c -@@ -0,0 +1,132 @@ +@@ -0,0 +1,145 @@ +/* vim: set ts=8 sw=8 tw=78 ai noexpandtab */ +/* qxl_drv.c -- QXL driver -*- linux-c -*- + * @@ -3281,6 +3285,7 @@ index 0000000..2aad724 + */ + +#include ++#include + +#include "drmP.h" +#include "drm/drm.h" @@ -3297,6 +3302,11 @@ index 0000000..2aad724 +}; +MODULE_DEVICE_TABLE(pci, pciidlist); + ++int qxl_modeset = -1; ++ ++MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); ++module_param_named(modeset, qxl_modeset, int, 0400); ++ +static struct drm_driver qxl_driver; +static struct pci_driver qxl_pci_driver; + @@ -3367,6 +3377,13 @@ index 0000000..2aad724 + +static int __init qxl_init(void) +{ ++#ifdef CONFIG_VGA_CONSOLE ++ if (vgacon_text_force() && qxl_modeset == -1) ++ return -EINVAL; ++#endif ++ ++ if (qxl_modeset == 0) ++ return -EINVAL; + qxl_driver.num_ioctls = qxl_max_ioctls; + return drm_pci_init(&qxl_driver, &qxl_pci_driver); +} @@ -3384,7 +3401,7 @@ index 0000000..2aad724 +MODULE_LICENSE("GPL and additional rights"); diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h new file mode 100644 -index 0000000..4eb4638 +index 0000000..52b582c --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_drv.h @@ -0,0 +1,566 @@ @@ -3732,6 +3749,7 @@ index 0000000..4eb4638 + int element_size, + int n_elements, + int prod_notify, ++ bool set_prod_notify, + wait_queue_head_t *push_event); +void qxl_ring_free(struct qxl_ring *ring); + @@ -3845,7 +3863,6 @@ index 0000000..4eb4638 +int qxl_ring_push(struct qxl_ring *ring, const void *new_elt, bool interruptible); +void qxl_io_flush_release(struct qxl_device *qdev); +void qxl_io_flush_surfaces(struct qxl_device *qdev); -+void qxl_release_ring_flush(struct qxl_device *qdev); + +int qxl_release_reserve(struct qxl_device *qdev, + struct qxl_release *release, bool no_wait); @@ -3956,10 +3973,10 @@ index 0000000..4eb4638 +#endif diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c new file mode 100644 -index 0000000..6b653d3 +index 0000000..847c4ee --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_dumb.c -@@ -0,0 +1,76 @@ +@@ -0,0 +1,93 @@ +/* + * Copyright 2013 Red Hat Inc. + * @@ -3998,17 +4015,34 @@ index 0000000..6b653d3 + struct qxl_bo *qobj; + uint32_t handle; + int r; -+ -+ args->pitch = args->width * ((args->bpp + 1) / 8); -+ args->size = args->pitch * args->height; ++ struct qxl_surface surf; ++ uint32_t pitch, format; ++ pitch = args->width * ((args->bpp + 1) / 8); ++ args->size = pitch * args->height; + args->size = ALIGN(args->size, PAGE_SIZE); + ++ switch (args->bpp) { ++ case 16: ++ format = SPICE_SURFACE_FMT_16_565; ++ break; ++ case 32: ++ format = SPICE_SURFACE_FMT_32_xRGB; ++ break; ++ default: ++ return -EINVAL; ++ } ++ ++ surf.width = args->width; ++ surf.height = args->height; ++ surf.stride = pitch; ++ surf.format = format; + r = qxl_gem_object_create_with_handle(qdev, file_priv, + QXL_GEM_DOMAIN_VRAM, -+ args->size, NULL, &qobj, ++ args->size, &surf, &qobj, + &handle); + if (r) + return r; ++ args->pitch = pitch; + args->handle = handle; + return 0; +} @@ -5544,10 +5578,10 @@ index 0000000..21393dc +} diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c new file mode 100644 -index 0000000..a7bd677 +index 0000000..036e0de --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_kms.c -@@ -0,0 +1,300 @@ +@@ -0,0 +1,302 @@ +/* + * Copyright 2013 Red Hat Inc. + * @@ -5709,6 +5743,7 @@ index 0000000..a7bd677 + sizeof(struct qxl_command), + QXL_COMMAND_RING_SIZE, + qdev->io_base + QXL_IO_NOTIFY_CMD, ++ false, + &qdev->display_event); + + qdev->cursor_ring = qxl_ring_create( @@ -5716,12 +5751,13 @@ index 0000000..a7bd677 + sizeof(struct qxl_command), + QXL_CURSOR_RING_SIZE, + qdev->io_base + QXL_IO_NOTIFY_CMD, ++ false, + &qdev->cursor_event); + + qdev->release_ring = qxl_ring_create( + &(qdev->ram_header->release_ring_hdr), + sizeof(uint64_t), -+ QXL_RELEASE_RING_SIZE, 0, ++ QXL_RELEASE_RING_SIZE, 0, true, + NULL); + + /* TODO - slot initialization should happen on reset. where is our @@ -6652,10 +6688,10 @@ index 0000000..1600781 +} diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c new file mode 100644 -index 0000000..5a6e772 +index 0000000..aa9fb9a --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_ttm.c -@@ -0,0 +1,580 @@ +@@ -0,0 +1,577 @@ +/* + * Copyright 2013 Red Hat Inc. + * @@ -7036,7 +7072,6 @@ index 0000000..5a6e772 + qxl_io_notify_oom(qfence->qdev); + } + -+ qxl_release_ring_flush(qfence->qdev); + sc++; + + for (count = 0; count < 10; count++) { @@ -7047,8 +7082,6 @@ index 0000000..5a6e772 + + if (qfence->num_active_releases == 0) + return 0; -+ -+ qxl_release_ring_flush(qfence->qdev); + } + + if (qfence->num_active_releases) { From ba0e8b1ec45f9b8873fe8be12e90fb504e370d68 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 15 Mar 2013 08:13:33 -0400 Subject: [PATCH 010/468] Linux v3.9-rc2-292-ga2362d2 - Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device --- alps-v2.patch | 248 ------------------ kernel.spec | 33 +-- ...ith-concurrent-install_user_keyrings.patch | 15 -- ...ieee80211_do_stop_while_suspend_v3.9.patch | 37 --- ...-8250.-xxxx-module-options-functiona.patch | 63 ----- ...l-always-clear-sa_restorer-on-execve.patch | 113 -------- sources | 1 + 7 files changed, 8 insertions(+), 502 deletions(-) delete mode 100644 alps-v2.patch delete mode 100644 keys-fix-race-with-concurrent-install_user_keyrings.patch delete mode 100644 serial-8250-Keep-8250.-xxxx-module-options-functiona.patch delete mode 100644 signal-always-clear-sa_restorer-on-execve.patch diff --git a/alps-v2.patch b/alps-v2.patch deleted file mode 100644 index bdb57067e..000000000 --- a/alps-v2.patch +++ /dev/null @@ -1,248 +0,0 @@ -From db7192fa07fa5c70c9849d8f658a7ff696cff99d Mon Sep 17 00:00:00 2001 -From: Kevin Cernekee -Date: Sat, 16 Feb 2013 22:40:03 -0800 -Subject: [PATCH 14/15] Input: ALPS - Remove unused argument to - alps_enter_command_mode() - -Now that alps_identify() explicitly issues an EC report using -alps_rpt_cmd(), we no longer need to look at the magic numbers returned -by alps_enter_command_mode(). - -Signed-off-by: Kevin Cernekee ---- - drivers/input/mouse/alps.c | 18 +++++++----------- - 1 file changed, 7 insertions(+), 11 deletions(-) - -diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c -index 7b99fc7..9c97531 100644 ---- a/drivers/input/mouse/alps.c -+++ b/drivers/input/mouse/alps.c -@@ -994,8 +994,7 @@ static int alps_rpt_cmd(struct psmouse *psmouse, int init_command, - return 0; - } - --static int alps_enter_command_mode(struct psmouse *psmouse, -- unsigned char *resp) -+static int alps_enter_command_mode(struct psmouse *psmouse) - { - unsigned char param[4]; - -@@ -1009,9 +1008,6 @@ static int alps_enter_command_mode(struct psmouse *psmouse, - "unknown response while entering command mode\n"); - return -1; - } -- -- if (resp) -- *resp = param[2]; - return 0; - } - -@@ -1176,7 +1172,7 @@ static int alps_passthrough_mode_v3(struct psmouse *psmouse, - { - int reg_val, ret = -1; - -- if (alps_enter_command_mode(psmouse, NULL)) -+ if (alps_enter_command_mode(psmouse)) - return -1; - - reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x0008); -@@ -1216,7 +1212,7 @@ static int alps_probe_trackstick_v3(struct psmouse *psmouse, int reg_base) - { - int ret = -EIO, reg_val; - -- if (alps_enter_command_mode(psmouse, NULL)) -+ if (alps_enter_command_mode(psmouse)) - goto error; - - reg_val = alps_command_mode_read_reg(psmouse, reg_base + 0x08); -@@ -1279,7 +1275,7 @@ static int alps_setup_trackstick_v3(struct psmouse *psmouse, int reg_base) - * supported by this driver. If bit 1 isn't set the packet - * format is different. - */ -- if (alps_enter_command_mode(psmouse, NULL) || -+ if (alps_enter_command_mode(psmouse) || - alps_command_mode_write_reg(psmouse, - reg_base + 0x08, 0x82) || - alps_exit_command_mode(psmouse)) -@@ -1306,7 +1302,7 @@ static int alps_hw_init_v3(struct psmouse *psmouse) - alps_setup_trackstick_v3(psmouse, ALPS_REG_BASE_PINNACLE) == -EIO) - goto error; - -- if (alps_enter_command_mode(psmouse, NULL) || -+ if (alps_enter_command_mode(psmouse) || - alps_absolute_mode_v3(psmouse)) { - psmouse_err(psmouse, "Failed to enter absolute mode\n"); - goto error; -@@ -1381,7 +1377,7 @@ static int alps_hw_init_rushmore_v3(struct psmouse *psmouse) - priv->flags &= ~ALPS_DUALPOINT; - } - -- if (alps_enter_command_mode(psmouse, NULL) || -+ if (alps_enter_command_mode(psmouse) || - alps_command_mode_read_reg(psmouse, 0xc2d9) == -1 || - alps_command_mode_write_reg(psmouse, 0xc2cb, 0x00)) - goto error; -@@ -1431,7 +1427,7 @@ static int alps_hw_init_v4(struct psmouse *psmouse) - struct ps2dev *ps2dev = &psmouse->ps2dev; - unsigned char param[4]; - -- if (alps_enter_command_mode(psmouse, NULL)) -+ if (alps_enter_command_mode(psmouse)) - goto error; - - if (alps_absolute_mode_v4(psmouse)) { --- -1.8.1.2 - - -From 10740a25bb3b895b5de7773f926a978416b38409 Mon Sep 17 00:00:00 2001 -From: Dave Turvene -Date: Sat, 16 Feb 2013 22:40:04 -0800 -Subject: [PATCH 15/15] Input: ALPS - Add "Dolphin V1" touchpad support - -These touchpads use a different protocol; they have been seen on Dell -N5110, Dell 17R SE, and others. - -The official ALPS driver identifies them by looking for an exact match -on the E7 report: 73 03 50. Dolphin V1 returns an EC report of -73 01 xx (02 and 0d have been seen); Dolphin V2 returns an EC report of -73 02 xx (02 has been seen). - -Dolphin V2 probably needs a different initialization sequence and/or -report parser, so it is left for a future commit. - -Signed-off-by: Dave Turvene -Signed-off-by: Kevin Cernekee ---- - drivers/input/mouse/alps.c | 67 ++++++++++++++++++++++++++++++++++++++++++++-- - drivers/input/mouse/alps.h | 1 + - 2 files changed, 66 insertions(+), 2 deletions(-) - -diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c -index 9c97531..0238e0e 100644 ---- a/drivers/input/mouse/alps.c -+++ b/drivers/input/mouse/alps.c -@@ -490,6 +490,29 @@ static void alps_decode_rushmore(struct alps_fields *f, unsigned char *p) - f->y_map |= (p[5] & 0x20) << 6; - } - -+static void alps_decode_dolphin(struct alps_fields *f, unsigned char *p) -+{ -+ f->first_mp = !!(p[0] & 0x02); -+ f->is_mp = !!(p[0] & 0x20); -+ -+ f->fingers = ((p[0] & 0x6) >> 1 | -+ (p[0] & 0x10) >> 2); -+ f->x_map = ((p[2] & 0x60) >> 5) | -+ ((p[4] & 0x7f) << 2) | -+ ((p[5] & 0x7f) << 9) | -+ ((p[3] & 0x07) << 16) | -+ ((p[3] & 0x70) << 15) | -+ ((p[0] & 0x01) << 22); -+ f->y_map = (p[1] & 0x7f) | -+ ((p[2] & 0x1f) << 7); -+ -+ f->x = ((p[1] & 0x7f) | ((p[4] & 0x0f) << 7)); -+ f->y = ((p[2] & 0x7f) | ((p[4] & 0xf0) << 3)); -+ f->z = (p[0] & 4) ? 0 : p[5] & 0x7f; -+ -+ alps_decode_buttons_v3(f, p); -+} -+ - static void alps_process_touchpad_packet_v3(struct psmouse *psmouse) - { - struct alps_data *priv = psmouse->private; -@@ -874,7 +897,8 @@ static psmouse_ret_t alps_process_byte(struct psmouse *psmouse) - } - - /* Bytes 2 - pktsize should have 0 in the highest bit */ -- if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize && -+ if (priv->proto_version != ALPS_PROTO_V5 && -+ psmouse->pktcnt >= 2 && psmouse->pktcnt <= psmouse->pktsize && - (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) { - psmouse_dbg(psmouse, "refusing packet[%i] = %x\n", - psmouse->pktcnt - 1, -@@ -1003,7 +1027,8 @@ static int alps_enter_command_mode(struct psmouse *psmouse) - return -1; - } - -- if (param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) { -+ if ((param[0] != 0x88 || (param[1] != 0x07 && param[1] != 0x08)) && -+ param[0] != 0x73) { - psmouse_dbg(psmouse, - "unknown response while entering command mode\n"); - return -1; -@@ -1495,6 +1520,23 @@ error: - return -1; - } - -+static int alps_hw_init_dolphin_v1(struct psmouse *psmouse) -+{ -+ struct ps2dev *ps2dev = &psmouse->ps2dev; -+ unsigned char param[2]; -+ -+ /* This is dolphin "v1" as empirically defined by florin9doi */ -+ param[0] = 0x64; -+ param[1] = 0x28; -+ -+ if (ps2_command(ps2dev, NULL, PSMOUSE_CMD_SETSTREAM) || -+ ps2_command(ps2dev, ¶m[0], PSMOUSE_CMD_SETRATE) || -+ ps2_command(ps2dev, ¶m[1], PSMOUSE_CMD_SETRATE)) -+ return -1; -+ -+ return 0; -+} -+ - static void alps_set_defaults(struct alps_data *priv) - { - priv->byte0 = 0x8f; -@@ -1528,6 +1570,21 @@ static void alps_set_defaults(struct alps_data *priv) - priv->nibble_commands = alps_v4_nibble_commands; - priv->addr_command = PSMOUSE_CMD_DISABLE; - break; -+ case ALPS_PROTO_V5: -+ priv->hw_init = alps_hw_init_dolphin_v1; -+ priv->process_packet = alps_process_packet_v3; -+ priv->decode_fields = alps_decode_dolphin; -+ priv->set_abs_params = alps_set_abs_params_mt; -+ priv->nibble_commands = alps_v3_nibble_commands; -+ priv->addr_command = PSMOUSE_CMD_RESET_WRAP; -+ priv->byte0 = 0xc8; -+ priv->mask0 = 0xc8; -+ priv->flags = 0; -+ priv->x_max = 1360; -+ priv->y_max = 660; -+ priv->x_bits = 23; -+ priv->y_bits = 12; -+ break; - } - } - -@@ -1588,6 +1645,12 @@ static int alps_identify(struct psmouse *psmouse, struct alps_data *priv) - - if (alps_match_table(psmouse, priv, e7, ec) == 0) { - return 0; -+ } else if (e7[0] == 0x73 && e7[1] == 0x03 && e7[2] == 0x50 && -+ ec[0] == 0x73 && ec[1] == 0x01) { -+ priv->proto_version = ALPS_PROTO_V5; -+ alps_set_defaults(priv); -+ -+ return 0; - } else if (ec[0] == 0x88 && ec[1] == 0x08) { - priv->proto_version = ALPS_PROTO_V3; - alps_set_defaults(priv); -diff --git a/drivers/input/mouse/alps.h b/drivers/input/mouse/alps.h -index 9704805..eee5985 100644 ---- a/drivers/input/mouse/alps.h -+++ b/drivers/input/mouse/alps.h -@@ -16,6 +16,7 @@ - #define ALPS_PROTO_V2 2 - #define ALPS_PROTO_V3 3 - #define ALPS_PROTO_V4 4 -+#define ALPS_PROTO_V5 5 - - /** - * struct alps_model_info - touchpad ID table --- -1.8.1.2 - diff --git a/kernel.spec b/kernel.spec index 5b27030f2..42a53c3e4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 3 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 2 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -724,27 +724,15 @@ Patch21247: ath9k_rx_dma_stop_check.patch #rhbz 844750 Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch -#rhbz 812111 -Patch21260: alps-v2.patch - #rhbz 903192 Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -# CVE-2013-1792 rhbz 916646,919021 -Patch21267: keys-fix-race-with-concurrent-install_user_keyrings.patch - #rhbz 857954 Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch -#rhbz 911771 -Patch21269: serial-8250-Keep-8250.-xxxx-module-options-functiona.patch - -#CVE-2013-0914 rhbz 920499 920510 -Patch21270: signal-always-clear-sa_restorer-on-execve.patch - #CVE-2013-0913 rhbz 920471 920529 Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -1434,27 +1422,15 @@ ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 844750 ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch -#rhbz 812111 -ApplyPatch alps-v2.patch - #rhbz 903192 ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -# CVE-2013-1792 rhbz 916646,919021 -ApplyPatch keys-fix-race-with-concurrent-install_user_keyrings.patch - #rhbz 857954 ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch -#rhbz 911771 -ApplyPatch serial-8250-Keep-8250.-xxxx-module-options-functiona.patch - -#CVE-2013-0914 rhbz 920499 920510 -ApplyPatch signal-always-clear-sa_restorer-on-execve.patch - #CVE-2013-0913 rhbz 920471 920529 ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -2294,6 +2270,11 @@ fi # and build. %changelog +* Fri Mar 15 2013 Josh Boyer - 3.9.0-0.rc2.git1.1 +- Linux v3.9-rc2-292-ga2362d2 +- Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device + + * Wed Mar 13 2013 Dave Jones - 3.9.0-0.rc2.git0.3 - Reenable debugging options. diff --git a/keys-fix-race-with-concurrent-install_user_keyrings.patch b/keys-fix-race-with-concurrent-install_user_keyrings.patch deleted file mode 100644 index ba7b30a6d..000000000 --- a/keys-fix-race-with-concurrent-install_user_keyrings.patch +++ /dev/null @@ -1,15 +0,0 @@ -diff --git a/security/keys/process_keys.c b/security/keys/process_keys.c -index 58dfe08..c5ec083 100644 ---- a/security/keys/process_keys.c -+++ b/security/keys/process_keys.c -@@ -57,7 +57,7 @@ int install_user_keyrings(void) - - kenter("%p{%u}", user, uid); - -- if (user->uid_keyring) { -+ if (user->uid_keyring && user->session_keyring) { - kleave(" = 0 [exist]"); - return 0; - } - - \ No newline at end of file diff --git a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch index 81090e3ec..7d49d9834 100644 --- a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +++ b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -1,40 +1,3 @@ -commit 801d929ca7d935ee199fd61d8ef914f51e892270 -Author: Felix Fietkau -Date: Sat Mar 2 19:05:47 2013 +0100 - - mac80211: another fix for idle handling in monitor mode - - When setting a monitor interface up or down, the idle state needs to be - recalculated, otherwise the hardware will just stay in its previous idle - state. - - Signed-off-by: Felix Fietkau - Signed-off-by: Johannes Berg - -diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c -index 640afab..baaa860 100644 ---- a/net/mac80211/iface.c -+++ b/net/mac80211/iface.c -@@ -541,6 +541,9 @@ int ieee80211_do_open(struct wireless_dev *wdev, bool coming_up) - - ieee80211_adjust_monitor_flags(sdata, 1); - ieee80211_configure_filter(local); -+ mutex_lock(&local->mtx); -+ ieee80211_recalc_idle(local); -+ mutex_unlock(&local->mtx); - - netif_carrier_on(dev); - break; -@@ -812,6 +815,9 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, - - ieee80211_adjust_monitor_flags(sdata, -1); - ieee80211_configure_filter(local); -+ mutex_lock(&local->mtx); -+ ieee80211_recalc_idle(local); -+ mutex_unlock(&local->mtx); - break; - case NL80211_IFTYPE_P2P_DEVICE: - /* relies on synchronize_rcu() below */ diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c index baaa860..7a3d675 100644 --- a/net/mac80211/iface.c diff --git a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch b/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch deleted file mode 100644 index b16be4417..000000000 --- a/serial-8250-Keep-8250.-xxxx-module-options-functiona.patch +++ /dev/null @@ -1,63 +0,0 @@ -From e94256528a988231ccc7a2a0b6b206a1131cb358 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 8 Mar 2013 21:13:52 -0500 -Subject: [PATCH] serial: 8250: Keep 8250. module options functional - after driver rename - -With commit 835d844d1 (8250_pnp: do pnp probe before legacy probe), the -8250 driver was renamed to 8250_core. This means any existing usage of -the 8259. module parameters or as a kernel command line switch is -now broken, as the 8250_core driver doesn't parse options belonging to -something called "8250". - -To solve this, we redefine the module options in a dummy function using -a redefined MODULE_PARAM_PREFX when built into the kernel. In the case -where we're building as a module, we provide an alias to the old 8250 -name. The dummy function prevents compiler errors due to global variable -redefinitions that happen as part of the module_param_ macro expansions. - -Signed-off-by: Josh Boyer ---- - drivers/tty/serial/8250/8250.c | 29 +++++++++++++++++++++++++++++ - 1 file changed, 29 insertions(+) - -diff --git a/drivers/tty/serial/8250/8250.c b/drivers/tty/serial/8250/8250.c -index 0efc815..f982633 100644 ---- a/drivers/tty/serial/8250/8250.c -+++ b/drivers/tty/serial/8250/8250.c -@@ -3396,3 +3396,32 @@ module_param_array(probe_rsa, ulong, &probe_rsa_count, 0444); - MODULE_PARM_DESC(probe_rsa, "Probe I/O ports for RSA"); - #endif - MODULE_ALIAS_CHARDEV_MAJOR(TTY_MAJOR); -+ -+#ifndef MODULE -+/* This module was renamed to 8250_core in 3.7. Keep the old "8250" name -+ * working as well for the module options so we don't break people. We -+ * need to keep the names identical and the convenient macros will happily -+ * refuse to let us do that by failing the build with redefinition errors -+ * of global variables. So we stick them inside a dummy function to avoid -+ * those conflicts. The options still get parsed, and the redefined -+ * MODULE_PARAM_PREFIX lets us keep the "8250." syntax alive. -+ * -+ * This is hacky. I'm sorry. -+ */ -+static void __used s8250_options(void) -+{ -+#undef MODULE_PARAM_PREFIX -+#define MODULE_PARAM_PREFIX "8250." -+ -+ module_param_cb(share_irqs, ¶m_ops_uint, &share_irqs, 0644); -+ module_param_cb(nr_uarts, ¶m_ops_uint, &nr_uarts, 0644); -+ module_param_cb(skip_txen_test, ¶m_ops_uint, &skip_txen_test, 0644); -+#ifdef CONFIG_SERIAL_8250_RSA -+ __module_param_call(MODULE_PARAM_PREFIX, probe_rsa, -+ ¶m_array_ops, .arr = &__param_arr_probe_rsa, -+ 0444, -1); -+#endif -+} -+#else -+MODULE_ALIAS("8250"); -+#endif --- -1.8.1.2 - diff --git a/signal-always-clear-sa_restorer-on-execve.patch b/signal-always-clear-sa_restorer-on-execve.patch deleted file mode 100644 index feb005c44..000000000 --- a/signal-always-clear-sa_restorer-on-execve.patch +++ /dev/null @@ -1,113 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.169.233 with SMTP id ah9csp99159oac; - Mon, 11 Mar 2013 13:14:17 -0700 (PDT) -X-Received: by 10.68.179.1 with SMTP id dc1mr24297029pbc.128.1363032856671; - Mon, 11 Mar 2013 13:14:16 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id tx10si24737165pbc.272.2013.03.11.13.14.10; - Mon, 11 Mar 2013 13:14:16 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754069Ab3CKUN4 (ORCPT + 99 others); - Mon, 11 Mar 2013 16:13:56 -0400 -Received: from smtp.outflux.net ([198.145.64.163]:59839 "EHLO smtp.outflux.net" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1753913Ab3CKUN4 (ORCPT ); - Mon, 11 Mar 2013 16:13:56 -0400 -Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) - by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2BKDgjn022201; - Mon, 11 Mar 2013 13:13:43 -0700 -Date: Mon, 11 Mar 2013 13:13:42 -0700 -From: Kees Cook -To: linux-kernel@vger.kernel.org -Cc: Al Viro , Oleg Nesterov , - Andrew Morton , - "Eric W. Biederman" , - Serge Hallyn , - Emese Revfy , - PaX Team , jln@google.com -Subject: [PATCH v2] signal: always clear sa_restorer on execve -Message-ID: <20130311201342.GA19824@www.outflux.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -X-MIMEDefang-Filter: outflux$Revision: 1.316 $ -X-HELO: www.outflux.net -X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -When the new signal handlers are set up, the location of sa_restorer -is not cleared, leaking a parent process's address space location to -children. This allows for a potential bypass of the parent's ASLR by -examining the sa_restorer value returned when calling sigaction(). - -Based on what should be considered "secret" about addresses, it only -matters across the exec not the fork (since the VMAs haven't changed -until the exec). But since exec sets SIG_DFL and keeps sa_restorer, -this is where it should be fixed. - -Given the few uses of sa_restorer, a "set" function was not written -since this would be the only use. Instead, we use __ARCH_HAS_SA_RESTORER, -as already done in other places. - -Example of the leak before applying this patch: - -$ cat /proc/$$/maps -... -7fb9f3083000-7fb9f3238000 r-xp 00000000 fd:01 404469 .../libc-2.15.so -... -$ ./leak -... -7f278bc74000-7f278be29000 r-xp 00000000 fd:01 404469 .../libc-2.15.so -... -1 0 (nil) 0x7fb9f30b94a0 -2 4000000 (nil) 0x7f278bcaa4a0 -3 4000000 (nil) 0x7f278bcaa4a0 -4 0 (nil) 0x7fb9f30b94a0 -... - -Signed-off-by: Kees Cook -Reported-by: Emese Revfy -Cc: Emese Revfy -Cc: PaX Team -Cc: stable@vger.kernel.org ---- -v2: - - clarify commit, explain use of #ifdef. ---- - kernel/signal.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/kernel/signal.c b/kernel/signal.c -index 2ec870a..8c8e3ca 100644 ---- a/kernel/signal.c -+++ b/kernel/signal.c -@@ -485,6 +485,9 @@ flush_signal_handlers(struct task_struct *t, int force_default) - if (force_default || ka->sa.sa_handler != SIG_IGN) - ka->sa.sa_handler = SIG_DFL; - ka->sa.sa_flags = 0; -+#ifdef __ARCH_HAS_SA_RESTORER -+ ka->sa.sa_restorer = NULL; -+#endif - sigemptyset(&ka->sa.sa_mask); - ka++; - } --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/sources b/sources index 64b1211ea..aae0bfacb 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 519f8799f8cf9aae2f05ba8fadc43bd1 patch-3.9-rc2.xz +813d50e12eb677a04e4a2743cc54242d patch-3.9-rc2-git1.xz From 2fffaa5d9f101c038ab383d542f7e40379e64885 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 14 Mar 2013 07:45:49 -0400 Subject: [PATCH 011/468] Fix divide by zero on host TSC calibration failure (rhbz 859282) --- ...-handle-host-TSC-calibration-failure.patch | 58 +++++++++++++++++++ kernel.spec | 12 +++- 2 files changed, 68 insertions(+), 2 deletions(-) create mode 100644 VMX-x86-handle-host-TSC-calibration-failure.patch diff --git a/VMX-x86-handle-host-TSC-calibration-failure.patch b/VMX-x86-handle-host-TSC-calibration-failure.patch new file mode 100644 index 000000000..6b6ddd2d2 --- /dev/null +++ b/VMX-x86-handle-host-TSC-calibration-failure.patch @@ -0,0 +1,58 @@ +@@ -, +, @@ + VMX: x86: handle host TSC calibration failure + + If the host TSC calibration fails, tsc_khz is zero (see tsc_init.c). + Handle such case properly in KVM (instead of dividing by zero). + + https://bugzilla.redhat.com/show_bug.cgi?id=859282 + + Signed-off-by: Marcelo Tosatti + Signed-off-by: Gleb Natapov +--- a/arch/x86/kvm/x86.c ++++ a/arch/x86/kvm/x86.c +@@ -1079,6 +1079,10 @@ static void kvm_set_tsc_khz(struct kvm_vcpu *vcpu, u32 this_tsc_khz) + u32 thresh_lo, thresh_hi; + int use_scaling = 0; + ++ /* tsc_khz can be zero if TSC calibration fails */ ++ if (this_tsc_khz == 0) ++ return; ++ + /* Compute a scale to convert nanoseconds in TSC cycles */ + kvm_get_time_scale(this_tsc_khz, NSEC_PER_SEC / 1000, + &vcpu->arch.virtual_tsc_shift, +@@ -1156,20 +1160,23 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr) + ns = get_kernel_ns(); + elapsed = ns - kvm->arch.last_tsc_nsec; + +- /* n.b - signed multiplication and division required */ +- usdiff = data - kvm->arch.last_tsc_write; ++ if (vcpu->arch.virtual_tsc_khz) { ++ /* n.b - signed multiplication and division required */ ++ usdiff = data - kvm->arch.last_tsc_write; + #ifdef CONFIG_X86_64 +- usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; ++ usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; + #else +- /* do_div() only does unsigned */ +- asm("idivl %2; xor %%edx, %%edx" +- : "=A"(usdiff) +- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); ++ /* do_div() only does unsigned */ ++ asm("idivl %2; xor %%edx, %%edx" ++ : "=A"(usdiff) ++ : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); + #endif +- do_div(elapsed, 1000); +- usdiff -= elapsed; +- if (usdiff < 0) +- usdiff = -usdiff; ++ do_div(elapsed, 1000); ++ usdiff -= elapsed; ++ if (usdiff < 0) ++ usdiff = -usdiff; ++ } else ++ usdiff = USEC_PER_SEC; /* disable TSC match window below */ + + /* + * Special case: TSC write with a small delta (1 second) of virtual diff --git a/kernel.spec b/kernel.spec index 42a53c3e4..750fc51ea 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -740,6 +740,9 @@ Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +#rhbz 859282 +Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch + Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions @@ -1438,6 +1441,9 @@ ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +#rhbz 859282 +ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch + # END OF PATCH APPLICATIONS %endif @@ -2270,11 +2276,13 @@ fi # and build. %changelog +* Fri Mar 15 2013 Josh Boyer +- Fix divide by zero on host TSC calibration failure (rhbz 859282) + * Fri Mar 15 2013 Josh Boyer - 3.9.0-0.rc2.git1.1 - Linux v3.9-rc2-292-ga2362d2 - Fixes CVE-2013-1860 kernel: usb: cdc-wdm buffer overflow triggered by device - * Wed Mar 13 2013 Dave Jones - 3.9.0-0.rc2.git0.3 - Reenable debugging options. From 1ba238e82285053251309ad5a8395f4f286905ae Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 17 Mar 2013 23:20:06 +0000 Subject: [PATCH 012/468] Initial merge OMAP support into ARM unified kernel Add ARM LPAE kernel for Cortex A-15 devices that support LPAE and HW virtualisation Unified ARM kernel provides highbank and OMAP support Drop remantents of ARM softfp kernels --- Makefile.config | 25 ++- config-arm-generic | 1 - config-arm-omap | 5 +- config-armv7 | 475 ++++++++++++++++++------------------------- config-armv7-generic | 284 ++++++++++++++++++++++++++ config-armv7-lpae | 57 ++++++ kernel.spec | 42 ++-- 7 files changed, 578 insertions(+), 311 deletions(-) create mode 100644 config-armv7-generic create mode 100644 config-armv7-lpae diff --git a/Makefile.config b/Makefile.config index 78085481b..140172d6c 100644 --- a/Makefile.config +++ b/Makefile.config @@ -9,9 +9,8 @@ CONFIGFILES = \ $(CFG)-i686-PAE.config $(CFG)-i686-PAEdebug.config \ $(CFG)-x86_64.config $(CFG)-x86_64-debug.config \ $(CFG)-s390x.config \ - $(CFG)-armv7l.config $(CFG)-armv7hl.config \ - $(CFG)-armv7l-omap.config $(CFG)-armv7hl-omap.config \ - $(CFG)-armv7l-tegra.config $(CFG)-armv7hl-tegra.config \ + $(CFG)-armv7hl.config $(CFG)-armv7hl-lpae.config\ + $(CFG)-armv7hl-omap.config $(CFG)-armv7hl-tegra.config \ $(CFG)-ppc.config $(CFG)-ppc-smp.config \ $(CFG)-ppc64.config $(CFG)-ppc64p7.config $(CFG)-ppc64-debug.config @@ -33,7 +32,13 @@ temp-generic: config-generic temp-debug-generic: config-generic cat config-generic config-debug > temp-debug-generic -temp-armv7: config-armv7 temp-generic +temp-armv7-generic: config-armv7-generic temp-generic + perl merge.pl $^ > $@ + +temp-armv7: config-armv7 temp-armv7-generic + perl merge.pl $^ > $@ + +temp-armv7-lpae: config-armv7-lpae temp-armv7-generic perl merge.pl $^ > $@ temp-arm-generic: config-arm-generic temp-generic @@ -108,18 +113,12 @@ kernel-$(VERSION)-ppc64p7.config: config-powerpc64p7 temp-powerpc64-generic kernel-$(VERSION)-s390x.config: config-s390x temp-s390-generic perl merge.pl $^ s390 > $@ -kernel-$(VERSION)-armv7l.config: /dev/null temp-armv7 - perl merge.pl $^ arm > $@ - -kernel-$(VERSION)-armv7l-omap.config: /dev/null temp-armv7l-omap - perl merge.pl $^ arm > $@ - -kernel-$(VERSION)-armv7l-tegra.config: /dev/null temp-armv7l-tegra - perl merge.pl $^ arm > $@ - kernel-$(VERSION)-armv7hl.config: /dev/null temp-armv7 perl merge.pl $^ arm > $@ +kernel-$(VERSION)-armv7hl-lpae.config: /dev/null temp-armv7-lpae + perl merge.pl $^ arm > $@ + kernel-$(VERSION)-armv7hl-omap.config: /dev/null temp-armv7l-omap perl merge.pl $^ arm > $@ diff --git a/config-arm-generic b/config-arm-generic index 01e5a1c3c..03d93925e 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -416,7 +416,6 @@ CONFIG_IEEE802154_MRF24J40=m # CONFIG_VFIO is not set -# CONFIG_XIP_KERNEL is not set # CONFIG_CPU_ICACHE_DISABLE is not set # CONFIG_CPU_DCACHE_DISABLE is not set # CONFIG_APM_EMULATION is not set diff --git a/config-arm-omap b/config-arm-omap index 3ec36d0cf..4d64f90cd 100644 --- a/config-arm-omap +++ b/config-arm-omap @@ -370,8 +370,9 @@ CONFIG_PWM_TWL_LED=m # CONFIG_OMAP_REMOTEPROC is not set # CONFIG_OMAP_IOVMM is not set -# CONFIG_CRYPTO_DEV_OMAP_SHAM is not set -# CONFIG_CRYPTO_DEV_OMAP_AES is not set +CONFIG_CRYPTO_DEV_OMAP_SHAM=m +CONFIG_CRYPTO_DEV_OMAP_AES=m +CONFIG_HW_RANDOM_OMAP=m # CONFIG_NET_VENDOR_BROADCOM is not set # CONFIG_MTD_NAND_OMAP_BCH is not set diff --git a/config-armv7 b/config-armv7 index bfc2d13c0..7142ed965 100644 --- a/config-armv7 +++ b/config-armv7 @@ -10,7 +10,7 @@ CONFIG_ARCH_MULTI_V7=y CONFIG_ARCH_HIGHBANK=y CONFIG_ARCH_MVEBU=y # CONFIG_ARCH_MXC is not set -# CONFIG_ARCH_OMAP2PLUS is not set +CONFIG_ARCH_OMAP2PLUS=y CONFIG_ARCH_PICOXCELL=y CONFIG_ARCH_SOCFPGA=y CONFIG_ARCH_SUNXI=y @@ -18,159 +18,22 @@ CONFIG_ARCH_VEXPRESS_CA9X4=y CONFIG_ARCH_VEXPRESS_DT=y CONFIG_ARCH_VIRT=y # CONFIG_ARCH_WM8850 is not set -# not enabling first round -# CONFIG_ARCH_ZYNQ is not set +CONFIG_ARCH_ZYNQ=y -CONFIG_MACH_ARMADA_370_XP=y -CONFIG_MACH_ARMADA_370=y -CONFIG_MACH_ARMADA_XP=y - -# generic ARM config options -CONFIG_CMDLINE="" -CONFIG_HAVE_ARM_ARCH_TIMER=y -CONFIG_AEABI=y -CONFIG_VFP=y -CONFIG_VFPv3=y -CONFIG_NEON=y -CONFIG_ZBOOT_ROM_TEXT=0x0 -CONFIG_ZBOOT_ROM_BSS=0x0 -CONFIG_ARM_UNWIND=y -CONFIG_ARM_THUMB=y -CONFIG_ARM_THUMBEE=y -CONFIG_ARM_GIC=y -CONFIG_ARM_ASM_UNIFIED=y -CONFIG_ARM_CPU_TOPOLOGY=y -CONFIG_ARM_DMA_MEM_BUFFERABLE=y -CONFIG_SWP_EMULATE=y -CONFIG_CPU_BPREDICT_DISABLE=y -CONFIG_CACHE_L2X0=y -CONFIG_HIGHPTE=y -# CONFIG_OABI_COMPAT is not set -# CONFIG_ATAGS is not set -# CONFIG_ATAGS_PROC is not set -# CONFIG_FPE_NWFPE is not set -# CONFIG_FPE_FASTFPE is not set -# CONFIG_APM_EMULATION is not set -# CONFIG_CPU_ICACHE_DISABLE is not set -# CONFIG_CPU_DCACHE_DISABLE is not set -# CONFIG_DMA_CACHE_RWFO is not set +# These are supported in the LPAE kernel # CONFIG_ARM_LPAE is not set -# CONFIG_THUMB2_KERNEL is not set # CONFIG_XEN is not set -# CONFIG_HVC_DCC is not set # CONFIG_VIRTIO_CONSOLE is not set - # CONFIG_ARM_VIRT_EXT is not set -# errata -# v5/v6 -# CONFIG_ARM_ERRATA_326103 is not set -# CONFIG_ARM_ERRATA_411920 is not set -# Cortex-A8 -# CONFIG_ARM_ERRATA_430973 is not set -# CONFIG_ARM_ERRATA_458693 is not set -# CONFIG_ARM_ERRATA_460075 is not set -# Cortex-A9 -CONFIG_ARM_ERRATA_742230=y -CONFIG_ARM_ERRATA_742231=y -CONFIG_ARM_ERRATA_743622=y -CONFIG_ARM_ERRATA_754322=y -CONFIG_ARM_ERRATA_754327=y -CONFIG_ARM_ERRATA_764369=y -CONFIG_ARM_ERRATA_775420=y -# Disabled due to causing highbank to crash -# CONFIG_PL310_ERRATA_588369 is not set -# CONFIG_PL310_ERRATA_727915 is not set -CONFIG_PL310_ERRATA_769419=y - -# generic that deviates from or should be merged into config-generic -CONFIG_SMP=y -CONFIG_NR_CPUS=4 -CONFIG_SMP_ON_UP=y -CONFIG_HIGHMEM=y -CONFIG_CC_OPTIMIZE_FOR_SIZE=y - -CONFIG_SCHED_MC=y -CONFIG_SCHED_SMT=y - -CONFIG_RCU_FANOUT=32 -CONFIG_RCU_FANOUT_LEAF=16 - -CONFIG_CPU_IDLE=y -# CONFIG_CPU_IDLE_GOV_LADDER is not set -CONFIG_CPU_IDLE_GOV_MENU=y -CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y - -CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 -CONFIG_LSM_MMAP_MIN_ADDR=32768 - -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y - -CONFIG_SECCOMP=y -CONFIG_STRICT_DEVMEM=y - -CONFIG_XZ_DEC_ARM=y - -CONFIG_PM=y -CONFIG_PM_STD_PARTITION="" -CONFIG_SUSPEND=y -CONFIG_ARM_CPU_SUSPEND=y -CONFIG_ARM_CPU_TOPOLOGY=y - -CONFIG_LOCAL_TIMERS=y -CONFIG_HW_PERF_EVENTS=y -CONFIG_UACCESS_WITH_MEMCPY=y -CONFIG_CC_STACKPROTECTOR=y - -CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y -CONFIG_LOG_BUF_SHIFT=14 - -CONFIG_IP_PNP=y -CONFIG_IP_PNP_DHCP=y -CONFIG_IP_PNP_BOOTP=y - -CONFIG_PINCTRL=y -CONFIG_PINCONF=y - -CONFIG_NFS_FS=y -CONFIG_ROOT_NFS=y -CONFIG_NLS_CODEPAGE_437=y -CONFIG_NLS_ISO8859_1=y -CONFIG_EARLY_PRINTK=y - -CONFIG_LBDAF=y - -CONFIG_COMMON_CLK=y - -# Versatile and highbank -CONFIG_ARM_TIMER_SP804=y - -CONFIG_SERIO_AMBAKMI=m -CONFIG_SERIAL_AMBA_PL010=y -CONFIG_SERIAL_AMBA_PL010_CONSOLE=y -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y - -CONFIG_RTC_DRV_PL030=y -CONFIG_RTC_DRV_PL031=y - -CONFIG_PL330_DMA=y -CONFIG_AMBA_PL08X=y -CONFIG_ARM_SP805_WATCHDOG=m - # highbank CONFIG_CPU_IDLE_CALXEDA=y - CONFIG_EDAC_HIGHBANK_MC=m CONFIG_EDAC_HIGHBANK_L2=m - -CONFIG_OC_ETM=y - CONFIG_SATA_HIGHBANK=m # versatile +CONFIG_VEXPRESS_CONFIG=y CONFIG_FB=y CONFIG_FB_ARMCLCD=m CONFIG_FB_CFB_COPYAREA=m @@ -178,15 +41,19 @@ CONFIG_FB_CFB_FILLRECT=m CONFIG_FB_CFB_IMAGEBLIT=m CONFIG_TOUCHSCREEN_ADS7846=m -CONFIG_I2C_VERSATILE=m CONFIG_OC_ETM=y CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y -CONFIG_SENSORS_VEXPRESS=m - -# unknown and needs review -CONFIG_ARM_AMBA=y # mvebu +CONFIG_MACH_ARMADA_370_XP=y +CONFIG_MACH_ARMADA_370=y +CONFIG_MACH_ARMADA_XP=y +CONFIG_ARCH_DOVE=y +# CONFIG_MACH_DOVE_DB is not set +# CONFIG_MACH_CM_A510 is not set +CONFIG_MACH_DOVE_DT=y + +CONFIG_CACHE_TAUROS2=y CONFIG_MV_XOR=y CONFIG_CRYPTO_DEV_MV_CESA=m CONFIG_MV643XX_ETH=m @@ -206,8 +73,158 @@ CONFIG_MVNETA=m CONFIG_GPIO_MVEBU=y CONFIG_MVEBU_CLK_CORE=y CONFIG_MVEBU_CLK_GATING=y +CONFIG_DOVE_THERMAL=m +CONFIG_MMC_SDHCI_DOVE=m +CONFIG_MMC_MVSDIO=m + +# omap +CONFIG_ARCH_OMAP2PLUS_TYPICAL=y +# CONFIG_ARCH_OMAP2 is not set +CONFIG_ARCH_OMAP3=y +CONFIG_ARCH_OMAP4=y +# CONFIG_SOC_OMAP5 is not set +# CONFIG_SOC_OMAP2420 is not set +# CONFIG_SOC_OMAP2430 is not set +CONFIG_SOC_OMAP3430=y +CONFIG_SOC_TI81XX=y +CONFIG_SOC_AM33XX=y +CONFIG_MACH_OMAP_GENERIC=y +CONFIG_MACH_OMAP3_BEAGLE=y +CONFIG_MACH_DEVKIT8000=y +CONFIG_MACH_OMAP_LDP=y +CONFIG_MACH_OMAP3530_LV_SOM=y +CONFIG_MACH_OMAP3_TORPEDO=y +CONFIG_MACH_OVERO=y +CONFIG_MACH_OMAP3EVM=y +CONFIG_MACH_OMAP3517EVM=y +CONFIG_MACH_CRANEBOARD=y +CONFIG_MACH_OMAP3_PANDORA=y +CONFIG_MACH_TOUCHBOOK=y +CONFIG_MACH_OMAP_3430SDP=y +# CONFIG_MACH_NOKIA_N8X0 is not set +# CONFIG_MACH_NOKIA_RM680 is not set +# CONFIG_MACH_NOKIA_RX51 is not set +CONFIG_MACH_OMAP_ZOOM2=y +CONFIG_MACH_OMAP_ZOOM3=y +CONFIG_MACH_CM_T35=y +CONFIG_MACH_CM_T3517=y +CONFIG_MACH_IGEP0030=y +CONFIG_MACH_SBC3530=y +CONFIG_MACH_OMAP_3630SDP=y +CONFIG_MACH_TI8168EVM=y +CONFIG_MACH_TI8148EVM=y +CONFIG_MACH_OMAP_4430SDP=y +CONFIG_MACH_OMAP4_PANDA=y + +CONFIG_OMAP_RESET_CLOCKS=y +CONFIG_OMAP_MUX=y +CONFIG_OMAP_MUX_WARNINGS=y +CONFIG_OMAP_32K_TIMER=y +# CONFIG_OMAP3_L2_AUX_SECURE_SAVE_RESTORE is not set +CONFIG_OMAP3_EMU=y +# CONFIG_OMAP3_SDRC_AC_TIMING is not set +CONFIG_ARM_OMAP2PLUS_CPUFREQ=y +CONFIG_TI_DAVINCI_EMAC=m +CONFIG_TI_DAVINCI_MDIO=m +CONFIG_TI_DAVINCI_CPDMA=m +CONFIG_TI_CPSW=m +CONFIG_TI_CPTS=y +CONFIG_GPIO_TWL4030=m +CONFIG_GPIO_TWL6040=m +CONFIG_CHARGER_TWL4030=m +CONFIG_OMAP_WATCHDOG=m +CONFIG_TWL4030_WATCHDOG=m +CONFIG_TWL4030_MADC=m +CONFIG_TWL6040_CORE=y +CONFIG_MFD_OMAP_USB_HOST=y +CONFIG_REGULATOR_TWL4030=y +CONFIG_BACKLIGHT_PANDORA=m +CONFIG_USB_EHCI_HCD_OMAP=y +CONFIG_USB_OHCI_HCD_OMAP3=y +CONFIG_MMC_OMAP=y +CONFIG_MMC_OMAP_HS=y +CONFIG_RTC_DRV_MAX8907=m +CONFIG_RTC_DRV_TWL92330=y +CONFIG_RTC_DRV_TWL4030=y +CONFIG_RTC_DRV_OMAP=y +CONFIG_DMA_OMAP=m +CONFIG_OMAP_IOVMM=m +CONFIG_HWSPINLOCK_OMAP=m +CONFIG_OMAP_IOMMU=y +CONFIG_SENSORS_TWL4030_MADC=m +CONFIG_TWL6040_CORE=m +CONFIG_CLK_TWL6040=m + +CONFIG_INPUT_TWL4030_PWRBUTTON=m +CONFIG_INPUT_TWL4030_VIBRA=m +CONFIG_INPUT_TWL6040_VIBRA=m +CONFIG_KEYBOARD_TWL4030=m + +# OMAP thermal temp. Can likely be built as module but doesn't autoload so build in to ensure performance on PandaES +CONFIG_OMAP_BANDGAP=y +CONFIG_OMAP4_THERMAL=y +CONFIG_OMAP5_THERMAL=y + +# OMAP3 thermal/power +CONFIG_POWER_AVS=y +CONFIG_POWER_AVS_OMAP=y +CONFIG_POWER_AVS_OMAP_CLASS3=y + +CONFIG_ARM_OMAP2PLUS_CPUFREQ=y + +CONFIG_PWM_TIECAP=m +CONFIG_PWM_TIEHRPWM=m +CONFIG_PWM_TWL=m +CONFIG_PWM_TWL_LED=m + +CONFIG_CRYPTO_DEV_OMAP_SHAM=m +CONFIG_CRYPTO_DEV_OMAP_AES=m +CONFIG_HW_RANDOM_OMAP=m + +CONFIG_DRM_TILCDC=m +CONFIG_DRM_OMAP=m +CONFIG_DRM_OMAP_NUM_CRTCS=2 +CONFIG_OMAP2_VRAM=y +CONFIG_OMAP2_VRAM_SIZE=0 +CONFIG_OMAP2_VRFB=y +# CONFIG_FB_OMAP_BOOTLOADER_INIT is not set +# CONFIG_FB_OMAP_LCD_VGA is not set +# CONFIG_FB_OMAP2 is not set +# CONFIG_FB_DA8XX is not set + +CONFIG_OMAP2_DSS=m +CONFIG_OMAP2_DSS_DEBUG_SUPPORT=y +# CONFIG_OMAP2_DSS_COLLECT_IRQ_STATS is not set +CONFIG_OMAP2_DSS_DPI=y +CONFIG_OMAP2_DSS_RFBI=y +CONFIG_OMAP2_DSS_VENC=y +CONFIG_OMAP4_DSS_HDMI=y +CONFIG_OMAP2_DSS_SDI=y +CONFIG_OMAP2_DSS_DSI=y +# CONFIG_OMAP2_DSS_FAKE_VSYNC is not set +CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=0 +CONFIG_OMAP2_DSS_SLEEP_BEFORE_RESET=y +CONFIG_OMAP2_DSS_SLEEP_AFTER_VENC_RESET=y + +CONFIG_PANEL_GENERIC_DPI=m +CONFIG_PANEL_TFP410=m +CONFIG_PANEL_SHARP_LS037V7DW01=m +CONFIG_PANEL_PICODLP=m +CONFIG_PANEL_TAAL=m + +CONFIG_SND_OMAP_SOC=m +CONFIG_SND_OMAP_SOC_AM3517EVM=m +CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m +CONFIG_SND_OMAP_SOC_OMAP_HDMI=m +CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m +CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m + +# CONFIG_OMAP2_DSS_DEBUGFS is not set +# CONFIG_OMAP_IOMMU_DEBUG is not set +# CONFIG_OMAP_MUX_DEBUG is not set # Allwinner a1x +CONFIG_PINCTRL_SUNXI=y # CONFIG_SUNXI_RFKILL=y # CONFIG_SUNXI_NAND=y # CONFIG_SUNXI_DBGREG=m @@ -243,10 +260,6 @@ CONFIG_MVEBU_CLK_GATING=y # CONFIG_MMC_SUNXI=y # CONFIG_RTC_DRV_SUN4I=y -# OMAP -# CONFIG_DRM_TILCDC is not set -# CONFIG_SENSORS_LIS3_I2C is not set - # imx # CONFIG_BACKLIGHT_PWM is not set # CONFIG_DRM_IMX is not set @@ -257,6 +270,7 @@ CONFIG_MVEBU_CLK_GATING=y # CONFIG_VIDEO_CODA is not set CONFIG_INPUT_PWM_BEEPER=m +CONFIG_INPUT_88PM80X_ONKEY=m # exynos # CONFIG_DRM_EXYNOS is not set @@ -265,123 +279,27 @@ CONFIG_INPUT_PWM_BEEPER=m # picoxcell CONFIG_CRYPTO_DEV_PICOXCELL=m +CONFIG_HW_RANDOM_PICOXCELL=m # ST Ericsson # CONFIG_I2C_NOMADIK is not set +# CONFIG_SENSORS_LIS3_I2C is not set # ZYNQ -# CONFIG_LATTICE_ECP3_CONFIG is not set - -# General ARM drivers -# Device tree -CONFIG_DTC=y -CONFIG_OF=y -CONFIG_USE_OF=y -CONFIG_OF_DEVICE=y -CONFIG_OF_IRQ=y -CONFIG_ARM_ATAG_DTB_COMPAT=y -CONFIG_ARM_APPENDED_DTB=y -CONFIG_PROC_DEVICETREE=y -# CONFIG_OF_SELFTEST is not set -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_OF_PCI=y -CONFIG_OF_PCI_IRQ=y -CONFIG_OF_GPIO=y -CONFIG_I2C_MUX_PINCTRL=m -CONFIG_OF_MDIO=m - -CONFIG_OF_DISPLAY_TIMING=y -CONFIG_OF_VIDEOMODE=y - -CONFIG_MDIO_BUS_MUX_GPIO=m -CONFIG_GPIOLIB=y +CONFIG_LATTICE_ECP3_CONFIG=m # MMC/SD -CONFIG_MMC=y -CONFIG_MMC_ARMMMCI=y -CONFIG_MMC_SDHCI_PLTFM=m -CONFIG_MMC_SDHCI_OF=m -CONFIG_MMC_SPI=m -CONFIG_MMC_DW=m -CONFIG_MMC_DW_PLTFM=m -CONFIG_MMC_DW_PCI=m -# CONFIG_MMC_DW_EXYNOS is not set -# CONFIG_MMC_DW_IDMAC is not set CONFIG_MMC_TMIO=m CONFIG_MMC_SDHCI_PXAV3=m CONFIG_MMC_SDHCI_PXAV2=m -CONFIG_MMC_MVSDIO=m - -# usb -CONFIG_USB_ULPI=y -CONFIG_AX88796=m -CONFIG_AX88796_93CX6=y -CONFIG_SMC91X=m -CONFIG_SMC911X=m -CONFIG_SMSC911X=m -CONFIG_USB_ISP1760_HCD=m - -# HW crypto and rng -CONFIG_CRYPTO_SHA1_ARM=m -CONFIG_CRYPTO_AES_ARM=m -CONFIG_HW_RANDOM_ATMEL=m -CONFIG_HW_RANDOM_EXYNOS=m - -# Sound -CONFIG_SND_ARM=y -CONFIG_SND_ARMAACI=m -CONFIG_SND_SOC=m -CONFIG_SND_DESIGNWARE_I2S=m -CONFIG_SND_SIMPLE_CARD=m -CONFIG_SND_SOC_CACHE_LZO=y -CONFIG_SND_SOC_ALL_CODECS=m -# CONFIG_SND_ATMEL_SOC is not set - -# EDAC -CONFIG_EDAC=y -CONFIG_EDAC_MM_EDAC=m -CONFIG_EDAC_LEGACY_SYSFS=y - -# Watchdog -CONFIG_MPCORE_WATCHDOG=m # Multi function devices CONFIG_MFD_CORE=m +CONFIG_MFD_SYSCON=y +CONFIG_MFD_88PM800=m +CONFIG_MFD_88PM805=m CONFIG_MFD_T7L66XB=y CONFIG_MFD_TC6387XB=y -CONFIG_MFD_SYSCON=y -CONFIG_MFD_MAX8907=m -# CONFIG_MFD_DA9055 is not set -# CONFIG_MFD_SMSC is not set - -# RTC -CONFIG_RTC_DRV_SNVS=m - -# Pin stuff -CONFIG_PINMUX=y -CONFIG_PINCONF=y -CONFIG_PINCTRL_SINGLE=m -# CONFIG_PINCTRL_SAMSUNG is not set -# CONFIG_PINCTRL_EXYNOS4 is not set - -# GPIO -CONFIG_GPIO_GENERIC_PLATFORM=m -# CONFIG_GPIO_EM is not set -CONFIG_GPIO_ADNP=m -CONFIG_GPIO_MCP23S08=m -CONFIG_POWER_RESET_GPIO=y -CONFIG_RFKILL_GPIO=m -CONFIG_SERIAL_8250_EM=m -CONFIG_INPUT_GP2A=m -CONFIG_INPUT_GPIO_TILT_POLLED=m -CONFIG_MDIO_BUS_MUX_MMIOREG=m - -# MTD -CONFIG_MTD_OF_PARTS=y -# CONFIG_MG_DISK is not set - -# Framebuffers -CONFIG_FB_SSD1307=m # Regulator drivers CONFIG_REGULATOR_FAN53555=m @@ -404,6 +322,9 @@ CONFIG_REGULATOR_TPS51632=m CONFIG_REGULATOR_TPS62360=m CONFIG_REGULATOR_TPS65023=m CONFIG_REGULATOR_TPS6507X=m +CONFIG_REGULATOR_MAX8907=m +CONFIG_REGULATOR_LP872X=y +CONFIG_REGULATOR_LP8755=m # Needs work/investigation @@ -415,27 +336,10 @@ CONFIG_REGULATOR_TPS6507X=m # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set -# CONFIG_IRQ_DOMAIN_DEBUG is not set -# CONFIG_COMMON_CLK_DEBUG is not set -# CONFIG_DEBUG_USER is not set -# CONFIG_DEBUG_LL is not set -# CONFIG_DEBUG_PINCTRL is not set - -# CONFIG_CS89x0 is not set -# CONFIG_DM9000 is not set - # CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set # CONFIG_ARM_KPROBES_TEST is not set -# CONFIG_LEDS_RENESAS_TPU is not set # CONFIG_LEDS_PWM is not set -CONFIG_ETHERNET=y -# CONFIG_NET_VENDOR_BROADCOM is not set -# CONFIG_NET_VENDOR_CIRRUS is not set -CONFIG_THERMAL=y -# CONFIG_PATA_PLATFORM is not set -CONFIG_PERF_EVENTS=y - # Defined config options we don't use yet # CONFIG_PINCTRL_IMX35 is not set # CONFIG_DRM_IMX_FB_HELPER is not set @@ -444,23 +348,34 @@ CONFIG_PERF_EVENTS=y # CONFIG_DRM_IMX_IPUV3 is not set # CONFIG_REGULATOR_ANATOP is not set -# CONFIG_GPIO_TWL6040 is not set -# CONFIG_SND_OMAP_SOC_OMAP_TWL4030 is not set -# CONFIG_VIDEO_DM6446_CCDC is not set -# CONFIG_PANEL_TAAL is not set +# CONFIG_BATTERY_RX51 is not set # CONFIG_IR_RX51 is not set -# CONFIG_DRM_OMAP is not set - # CONFIG_GENERIC_CPUFREQ_CPU0 is not set -# CONFIG_GPIO_TWL6040 is not set # CONFIG_MFD_SMSC is not set +# CONFIG_MFD_SEC_CORE is not set # CONFIG_MFD_DA9055 is not set # CONFIG_MFD_LP8788 is not set # CONFIG_MFD_MAX8907 is not set -# CONFIG_IR_RX51 is not set -# CONFIG_VIDEO_DM6446_CCDC is not set -# CONFIG_PANEL_TAAL is not set -# CONFIG_SND_OMAP_SOC_OMAP_TWL4030 is not set +# CONFIG_MFD_TPS65912_I2C is not set +# CONFIG_MFD_DA9052_I2C is not set +# CONFIG_MFD_MAX77686 is not set +# CONFIG_MFD_MAX77693 is not set +# CONFIG_MFD_MAX8997 is not set +# CONFIG_MFD_TPS65090 is not set +# CONFIG_MFD_AAT2870_CORE is not set +# CONFIG_MFD_RC5T583 is not set +# CONFIG_MFD_PALMAS is not set +# CONFIG_MFD_DA9055 is not set +# CONFIG_MFD_SMSC is not set +# CONFIG_MFD_TPS65910 is not set +# CONFIG_MFD_TPS80031 is not set +# CONFIG_MFD_AS3711 is not set +# CONFIG_PMIC_DA903X is not set +# CONFIG_PMIC_ADP5520 is not set +# CONFIG_REGULATOR_LP3972 is not set +# CONFIG_REGULATOR_LP872X is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_DVB_USB_PCTV452E is not set # We need to fix these as they should be either generic includes or kconfig fixes diff --git a/config-armv7-generic b/config-armv7-generic new file mode 100644 index 000000000..77faa7264 --- /dev/null +++ b/config-armv7-generic @@ -0,0 +1,284 @@ +# arm configs for sharing between armv7 and armv7-lpae +# generic ARM config options +CONFIG_CMDLINE="" +CONFIG_HAVE_ARM_ARCH_TIMER=y +CONFIG_AEABI=y +CONFIG_VFP=y +CONFIG_VFPv3=y +CONFIG_NEON=y +CONFIG_ZBOOT_ROM_TEXT=0x0 +CONFIG_ZBOOT_ROM_BSS=0x0 +CONFIG_ARM_UNWIND=y +CONFIG_ARM_THUMB=y +CONFIG_ARM_THUMBEE=y +CONFIG_ARM_GIC=y +CONFIG_ARM_ASM_UNIFIED=y +CONFIG_ARM_CPU_TOPOLOGY=y +CONFIG_ARM_DMA_MEM_BUFFERABLE=y +CONFIG_SWP_EMULATE=y +CONFIG_CPU_BPREDICT_DISABLE=y +CONFIG_CACHE_L2X0=y +CONFIG_HIGHPTE=y +# CONFIG_OABI_COMPAT is not set +# CONFIG_ATAGS is not set +# CONFIG_ATAGS_PROC is not set +# CONFIG_FPE_NWFPE is not set +# CONFIG_FPE_FASTFPE is not set +# CONFIG_APM_EMULATION is not set +# CONFIG_CPU_ICACHE_DISABLE is not set +# CONFIG_CPU_DCACHE_DISABLE is not set +# CONFIG_DMA_CACHE_RWFO is not set +# CONFIG_THUMB2_KERNEL is not set +# CONFIG_HVC_DCC is not set +# CONFIG_XIP_KERNEL is not set +# CONFIG_AUTO_ZRELADDR is not set + +# errata +# v5/v6 +# CONFIG_ARM_ERRATA_326103 is not set +# CONFIG_ARM_ERRATA_411920 is not set +# Cortex-A8 +# CONFIG_ARM_ERRATA_430973 is not set +# CONFIG_ARM_ERRATA_458693 is not set +# CONFIG_ARM_ERRATA_460075 is not set +# Cortex-A9 +CONFIG_ARM_ERRATA_720789=y +CONFIG_ARM_ERRATA_742230=y +CONFIG_ARM_ERRATA_742231=y +CONFIG_ARM_ERRATA_743622=y +CONFIG_ARM_ERRATA_751472=y +CONFIG_ARM_ERRATA_754322=y +CONFIG_ARM_ERRATA_754327=y +CONFIG_ARM_ERRATA_764369=y +CONFIG_ARM_ERRATA_775420=y +# Disabled due to causing highbank to crash +# CONFIG_PL310_ERRATA_588369 is not set +# CONFIG_PL310_ERRATA_727915 is not set +CONFIG_PL310_ERRATA_753970=y +CONFIG_PL310_ERRATA_769419=y + +# generic that deviates from or should be merged into config-generic +CONFIG_SMP=y +CONFIG_NR_CPUS=4 +CONFIG_SMP_ON_UP=y +CONFIG_HIGHMEM=y +CONFIG_CC_OPTIMIZE_FOR_SIZE=y + +CONFIG_SCHED_MC=y +CONFIG_SCHED_SMT=y + +CONFIG_RCU_FANOUT=32 +CONFIG_RCU_FANOUT_LEAF=16 + +CONFIG_CPU_IDLE=y +# CONFIG_CPU_IDLE_GOV_LADDER is not set +CONFIG_CPU_IDLE_GOV_MENU=y +CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y + +CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 +CONFIG_LSM_MMAP_MIN_ADDR=32768 + +CONFIG_NO_HZ=y +CONFIG_HIGH_RES_TIMERS=y + +CONFIG_SECCOMP=y +CONFIG_STRICT_DEVMEM=y + +CONFIG_XZ_DEC_ARM=y +CONFIG_OC_ETM=y + +CONFIG_PM=y +CONFIG_PM_STD_PARTITION="" +CONFIG_SUSPEND=y +CONFIG_ARM_CPU_SUSPEND=y +CONFIG_ARM_CPU_TOPOLOGY=y + +CONFIG_LOCAL_TIMERS=y +CONFIG_HW_PERF_EVENTS=y +CONFIG_UACCESS_WITH_MEMCPY=y +CONFIG_CC_STACKPROTECTOR=y + +CONFIG_IKCONFIG=y +CONFIG_IKCONFIG_PROC=y +CONFIG_LOG_BUF_SHIFT=14 + +CONFIG_IP_PNP=y +CONFIG_IP_PNP_DHCP=y +CONFIG_IP_PNP_BOOTP=y + +CONFIG_PINCTRL=y +CONFIG_PINCONF=y + +CONFIG_NFS_FS=y +CONFIG_ROOT_NFS=y +CONFIG_NLS_CODEPAGE_437=y +CONFIG_NLS_ISO8859_1=y +CONFIG_EARLY_PRINTK=y + +CONFIG_LBDAF=y + +CONFIG_COMMON_CLK=y + +# Device tree +CONFIG_DTC=y +CONFIG_OF=y +CONFIG_USE_OF=y +CONFIG_OF_DEVICE=y +CONFIG_OF_IRQ=y +CONFIG_ARM_ATAG_DTB_COMPAT=y +CONFIG_ARM_APPENDED_DTB=y +CONFIG_PROC_DEVICETREE=y +# CONFIG_OF_SELFTEST is not set +CONFIG_SERIAL_OF_PLATFORM=y +CONFIG_OF_PCI=y +CONFIG_OF_PCI_IRQ=y +CONFIG_OF_GPIO=y +CONFIG_I2C_MUX_PINCTRL=m +CONFIG_OF_MDIO=m +CONFIG_MFD_SYSCON=y + +CONFIG_OF_DISPLAY_TIMING=y +CONFIG_OF_VIDEOMODE=y + +CONFIG_MDIO_BUS_MUX_GPIO=m +CONFIG_GPIOLIB=y + +# General vexpress ARM drivers +CONFIG_ARM_AMBA=y +CONFIG_ARM_TIMER_SP804=y + +CONFIG_SERIO_AMBAKMI=m +CONFIG_SERIAL_AMBA_PL010=y +CONFIG_SERIAL_AMBA_PL010_CONSOLE=y +CONFIG_SERIAL_AMBA_PL011=y +CONFIG_SERIAL_AMBA_PL011_CONSOLE=y + +CONFIG_RTC_DRV_PL030=y +CONFIG_RTC_DRV_PL031=y + +CONFIG_PL330_DMA=y +CONFIG_AMBA_PL08X=y +CONFIG_ARM_SP805_WATCHDOG=m +CONFIG_I2C_VERSATILE=m +CONFIG_GPIO_PL061=y +CONFIG_SENSORS_VEXPRESS=m +CONFIG_FB_ARMCLCD=m +CONFIG_REGULATOR_VEXPRESS=m + +# usb +CONFIG_USB_ULPI=y +CONFIG_AX88796=m +CONFIG_AX88796_93CX6=y +CONFIG_SMC91X=m +CONFIG_SMC911X=m +CONFIG_SMSC911X=m +CONFIG_USB_ISP1760_HCD=m + +# Pin stuff +CONFIG_PINMUX=y +CONFIG_PINCONF=y +CONFIG_PINCTRL_SINGLE=m +# CONFIG_PINCTRL_SAMSUNG is not set +# CONFIG_PINCTRL_EXYNOS4 is not set + +# GPIO +CONFIG_GPIO_GENERIC_PLATFORM=m +# CONFIG_GPIO_EM is not set +CONFIG_GPIO_ADNP=m +CONFIG_GPIO_MCP23S08=m +CONFIG_POWER_RESET_GPIO=y +CONFIG_RFKILL_GPIO=m +CONFIG_SERIAL_8250_EM=m +CONFIG_INPUT_GP2A=m +CONFIG_INPUT_GPIO_TILT_POLLED=m +CONFIG_MDIO_BUS_MUX_MMIOREG=m + +# HW crypto and rng +CONFIG_CRYPTO_SHA1_ARM=m +CONFIG_CRYPTO_AES_ARM=m + +# EDAC +CONFIG_EDAC=y +CONFIG_EDAC_MM_EDAC=m +CONFIG_EDAC_LEGACY_SYSFS=y + +# Watchdog +CONFIG_MPCORE_WATCHDOG=m + +# Thermal / powersaving +CONFIG_THERMAL=y +CONFIG_POWER_RESET_RESTART=y + +# MTD +CONFIG_MTD_OF_PARTS=y +# CONFIG_MG_DISK is not set + +# MMC/SD +CONFIG_MMC=y +CONFIG_MMC_ARMMMCI=y +CONFIG_MMC_SDHCI_PLTFM=m +CONFIG_MMC_SDHCI_OF=m +CONFIG_MMC_SPI=m +CONFIG_MMC_DW=m +CONFIG_MMC_DW_PLTFM=m +CONFIG_MMC_DW_PCI=m +# CONFIG_MMC_DW_EXYNOS is not set +# CONFIG_MMC_DW_IDMAC is not set + +# Sound +CONFIG_SND_ARM=y +CONFIG_SND_ARMAACI=m +CONFIG_SND_SOC=m +CONFIG_SND_DESIGNWARE_I2S=m +CONFIG_SND_SIMPLE_CARD=m +CONFIG_SND_SOC_CACHE_LZO=y +CONFIG_SND_SOC_ALL_CODECS=m +# CONFIG_SND_ATMEL_SOC is not set + +# Displays +CONFIG_FB_SSD1307=m + +CONFIG_ARM_KPROBES_TEST=m + +# PWM +CONFIG_PWM=y +CONFIG_BACKLIGHT_PWM=m +CONFIG_INPUT_PWM_BEEPER=m + +# Should be in generic +CONFIG_ETHERNET=y +# CONFIG_NET_VENDOR_BROADCOM is not set +# CONFIG_NET_VENDOR_CIRRUS is not set +# CONFIG_PATA_PLATFORM is not set +CONFIG_PERF_EVENTS=y + +# CONFIG_RTC_DRV_SNVS is not set +# CONFIG_DRM_EXYNOS is not set +# CONFIG_DRM_TILCDC is not set +# CONFIG_DRM_IMX is not set +# CONFIG_MMC_SDHCI_PXAV3 is not set +# CONFIG_MMC_SDHCI_PXAV2 is not set +# CONFIG_CS89x0 is not set +# CONFIG_DM9000 is not set +# CONFIG_HW_RANDOM_ATMEL is not set +# CONFIG_HW_RANDOM_EXYNOS is not set +# CONFIG_I2C_NOMADIK is not set +# CONFIG_LEDS_RENESAS_TPU is not set +# CONFIG_MFD_T7L66XB is not set +# CONFIG_MFD_TC6387XB is not set + +# Needs work/investigation +# CONFIG_ARM_CHARLCD is not set +# CONFIG_MTD_AFS_PARTS is not set +# CONFIG_IP_PNP_RARP is not set +# CONFIG_BPF_JIT is not set +# CONFIG_ASYMMETRIC_KEY_TYPE is not set +# CONFIG_PID_IN_CONTEXTIDR is not set +# CONFIG_DEPRECATED_PARAM_STRUCT is not set + +# Debug options. We need to deal with them at some point like x86 +# CONFIG_COMMON_CLK_DEBUG is not set +# CONFIG_DEBUG_USER is not set +# CONFIG_DEBUG_LL is not set +# CONFIG_IRQ_DOMAIN_DEBUG is not set +# CONFIG_DEBUG_PINCTRL is not set diff --git a/config-armv7-lpae b/config-armv7-lpae new file mode 100644 index 000000000..847de9786 --- /dev/null +++ b/config-armv7-lpae @@ -0,0 +1,57 @@ +# ARM unified arch kernel +CONFIG_CPU_V7=y +# CONFIG_ARCH_MULTI_V4 is not set +# CONFIG_ARCH_MULTI_V4T is not set +# CONFIG_ARCH_MULTI_V6 is not set +CONFIG_ARCH_MULTI_V6_V7=y +CONFIG_ARCH_MULTI_V7=y +# CONFIG_ARCH_BCM is not set +# CONFIG_ARCH_HIGHBANK is not set +# CONFIG_ARCH_MVEBU is not set +# CONFIG_ARCH_MXC is not set +# CONFIG_ARCH_OMAP2PLUS is not set +# CONFIG_ARCH_PICOXCELL is not set +# CONFIG_ARCH_SOCFPGA is not set +# CONFIG_ARCH_SUNXI is not set +# CONFIG_ARCH_VEXPRESS_CA9X4 is not set +CONFIG_ARCH_VEXPRESS_DT=y +CONFIG_ARCH_VIRT=y +# CONFIG_ARCH_WM8850 is not set +# CONFIG_ARCH_ZYNQ is not set +CONFIG_VEXPRESS_EXTENDED_MEMORY_MAP=y +CONFIG_ARCH_VEXPRESS_CA15X4=y +# CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA is not set + +CONFIG_ARM_LPAE=y +CONFIG_VIRTIO_CONSOLE=m +CONFIG_ARM_VIRT_EXT=y +CONFIG_VIRTUALIZATION=y + +CONFIG_KVM=y +CONFIG_KVM_ARM_HOST=y +CONFIG_KVM_ARM_MAX_VCPUS=8 +CONFIG_KVM_ARM_VGIC=y +CONFIG_KVM_ARM_TIMER=y + +CONFIG_XEN=y +CONFIG_XEN_FBDEV_FRONTEND=y +CONFIG_INPUT_XEN_KBDDEV_FRONTEND=m +CONFIG_XEN_BLKDEV_FRONTEND=m +CONFIG_XEN_BLKDEV_BACKEND=m +CONFIG_XEN_NETDEV_FRONTEND=m +CONFIG_XEN_NETDEV_BACKEND=m +CONFIG_HVC_XEN=y +CONFIG_HVC_XEN_FRONTEND=y +CONFIG_XEN_DEV_EVTCHN=m +CONFIG_XEN_BACKEND=y +CONFIG_XENFS=m +CONFIG_XEN_COMPAT_XENFS=y +CONFIG_XEN_SYS_HYPERVISOR=y +CONFIG_XEN_GNTDEV=y +CONFIG_XEN_GRANT_DEV_ALLOC=m +CONFIG_XEN_WDT=m + +# CONFIG_ARCH_OMAP2 is not set +# CONFIG_ARCH_OMAP3 is not set +# CONFIG_ARCH_OMAP4 is not set +CONFIG_ARCH_OMAP5=y diff --git a/kernel.spec b/kernel.spec index 750fc51ea..9cef3369c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -132,8 +132,8 @@ Summary: The Linux kernel %define with_bootwrapper %{?_without_bootwrapper: 0} %{?!_without_bootwrapper: 1} # Want to build a the vsdo directories installed %define with_vdso_install %{?_without_vdso_install: 0} %{?!_without_vdso_install: 1} -# ARM OMAP (Beagle/Panda Board) -%define with_omap %{?_without_omap: 0} %{?!_without_omap: 1} +# ARM Cortex-A15 support with LPAE and HW Virtualisation +%define with_lpae %{?_without_lpae: 0} %{?!_without_lpae: 1} # kernel-tegra (only valid for arm) %define with_tegra %{?_without_tegra: 0} %{?!_without_tegra: 1} # @@ -249,10 +249,10 @@ Summary: The Linux kernel %define with_pae 0 %endif -# kernel up (unified kernel target), tegra and omap are only built on armv7 hfp/sfp -%ifnarch armv7hl armv7l -%define with_omap 0 +# kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp +%ifnarch armv7hl %endif +%define with_lpae 0 %define with_tegra 0 # if requested, only build base kernel @@ -475,6 +475,10 @@ Provides: kernel-drm = 4.3.0\ Provides: kernel-drm-nouveau = 16\ Provides: kernel-modeset = 1\ Provides: kernel-uname-r = %{KVERREL}%{?1:.%{1}}\ +Provides: kernel-highbank\ +Provides: kernel-highbank-uname-r = %{KVERREL}%{?1:.%{1}}\ +Provides: kernel-omap\ +Provides: kernel-omap-uname-r = %{KVERREL}%{?1:.%{1}}\ Requires(pre): %{kernel_prereq}\ Requires(pre): %{initrd_prereq}\ Requires(pre): linux-firmware >= 20120206-0.1.git06c8f81\ @@ -571,7 +575,9 @@ Source54: config-powerpc64p7 Source70: config-s390x # Unified ARM kernels -Source100: config-armv7 +Source100: config-armv7-generic +Source101: config-armv7 +Source102: config-armv7-lpae # Legacy ARM kernels Source105: config-arm-generic @@ -1027,11 +1033,11 @@ This variant of the kernel has numerous debugging options enabled. It should only be installed when trying to gather additional information on kernel bugs, as some of these options impact performance noticably. -%define variant_summary The Linux kernel compiled for TI-OMAP boards -%kernel_variant_package omap -%description omap +%define variant_summary The Linux kernel compiled for Cortex-A15 +%kernel_variant_package lpae +%description lpae This package includes a version of the Linux kernel with support for -TI-OMAP based systems, i.e., BeagleBoard-xM. +Cortex-A15 devices with LPAE and HW virtualisation support %define variant_summary The Linux kernel compiled for tegra boards %kernel_variant_package tegra @@ -1790,8 +1796,8 @@ BuildKernel %make_target %kernel_image PAEdebug BuildKernel %make_target %kernel_image PAE %endif -%if %{with_omap} -BuildKernel %make_target %kernel_image omap +%if %{with_lpae} +BuildKernel %make_target %kernel_image lpae %endif %if %{with_tegra} @@ -2120,8 +2126,8 @@ fi}\ %kernel_variant_post -v PAEdebug -r (kernel|kernel-smp) %kernel_variant_preun PAEdebug -%kernel_variant_preun omap -%kernel_variant_post -v omap +%kernel_variant_preun lpae +%kernel_variant_post -v lpae %kernel_variant_preun tegra %kernel_variant_post -v tegra @@ -2269,13 +2275,19 @@ fi %kernel_variant_files %{with_debug} debug %kernel_variant_files %{with_pae} PAE %kernel_variant_files %{with_pae_debug} PAEdebug -%kernel_variant_files %{with_omap} omap +%kernel_variant_files %{with_lpae} lpae %kernel_variant_files %{with_tegra} tegra # plz don't put in a version string unless you're going to tag # and build. %changelog +* Sun Mar 17 2013 Peter Robinson +- Merge OMAP support into ARM unified kernel +- Add ARM LPAE kernel for Cortex A-15 devices that support LPAE and HW virtualisation +- Unified ARM kernel provides highbank and OMAP support +- Drop remantents of ARM softfp kernels + * Fri Mar 15 2013 Josh Boyer - Fix divide by zero on host TSC calibration failure (rhbz 859282) From a4763394eecdedbe2012471583056122b2a07605 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 17 Mar 2013 23:23:24 +0000 Subject: [PATCH 013/468] fix lpae/tegra defines --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 9cef3369c..4f9381c3b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -251,9 +251,9 @@ Summary: The Linux kernel # kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp %ifnarch armv7hl -%endif %define with_lpae 0 %define with_tegra 0 +%endif # if requested, only build base kernel %if %{with_baseonly} From ce7657991282676dfeea1ab6a25625031ba99edd Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Mon, 18 Mar 2013 09:19:47 -0400 Subject: [PATCH 014/468] Linux v3.9-rc3 merged: w1-fix-oops-when-w1_search-is-called-from.patch - Disable debugging options. --- config-generic | 8 +- config-nodebug | 110 ++++++++--------- config-x86-generic | 2 +- kernel.spec | 19 ++- sources | 3 +- ...x-oops-when-w1_search-is-called-from.patch | 111 ------------------ 6 files changed, 70 insertions(+), 183 deletions(-) delete mode 100644 w1-fix-oops-when-w1_search-is-called-from.patch diff --git a/config-generic b/config-generic index 9c1cf4b94..52145225f 100644 --- a/config-generic +++ b/config-generic @@ -1554,13 +1554,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3198,7 +3198,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -CONFIG_USB_UAS=m +# CONFIG_USB_UAS is not set # @@ -4190,7 +4190,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index cfabd29c7..aa7568c82 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_SLUB_DEBUG_ON=y +# CONFIG_SLUB_DEBUG_ON is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -CONFIG_DEBUG_SG=y +# CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_WRITECOUNT=y -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_WRITECOUNT is not set +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -CONFIG_X86_PTDUMP=y +# CONFIG_X86_PTDUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_SYSCTL_SYSCALL_CHECK=y +# CONFIG_SYSCTL_SYSCALL_CHECK is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y -CONFIG_DMADEVICES_VDEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set +# CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y -CONFIG_TEST_LIST_SORT=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +# CONFIG_TEST_LIST_SORT is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index cac1a3157..226859b4e 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -326,7 +326,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index 4f9381c3b..e9417e587 100644 --- a/kernel.spec +++ b/kernel.spec @@ -93,9 +93,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 2 +%define rcrev 3 # The git snapshot level -%define gitrev 1 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 1 +%define rawhide_skip_docs 0 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -736,9 +736,6 @@ Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#rhbz 857954 -Patch21268: w1-fix-oops-when-w1_search-is-called-from.patch - #CVE-2013-0913 rhbz 920471 920529 Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -1437,9 +1434,6 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#rhbz 857954 -ApplyPatch w1-fix-oops-when-w1_search-is-called-from.patch - #CVE-2013-0913 rhbz 920471 920529 ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -2282,6 +2276,11 @@ fi # and build. %changelog +* Mon Mar 18 2013 Dave Jones - 3.9.0-0.rc3.git0.2 +- Linux 3.9-rc3 + merged: w1-fix-oops-when-w1_search-is-called-from.patch +- Disable debugging options. + * Sun Mar 17 2013 Peter Robinson - Merge OMAP support into ARM unified kernel - Add ARM LPAE kernel for Cortex A-15 devices that support LPAE and HW virtualisation diff --git a/sources b/sources index aae0bfacb..fabb0ec3d 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -519f8799f8cf9aae2f05ba8fadc43bd1 patch-3.9-rc2.xz -813d50e12eb677a04e4a2743cc54242d patch-3.9-rc2-git1.xz +f7e97476e1ba31c3bb666b442fcb75dd patch-3.9-rc3.xz diff --git a/w1-fix-oops-when-w1_search-is-called-from.patch b/w1-fix-oops-when-w1_search-is-called-from.patch deleted file mode 100644 index 0a54eff17..000000000 --- a/w1-fix-oops-when-w1_search-is-called-from.patch +++ /dev/null @@ -1,111 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.101.212.35 with SMTP id o35csp6769anq; - Sat, 2 Mar 2013 05:50:51 -0800 (PST) -X-Received: by 10.68.137.42 with SMTP id qf10mr19122124pbb.80.1362232251119; - Sat, 02 Mar 2013 05:50:51 -0800 (PST) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id pu7si8560937pbc.232.2013.03.02.05.50.50; - Sat, 02 Mar 2013 05:50:51 -0800 (PST) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; - dkim=neutral (body hash did not verify) header.i=@gmail.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752198Ab3CBNuU (ORCPT - + 99 others); Sat, 2 Mar 2013 08:50:20 -0500 -Received: from mail-ee0-f48.google.com ([74.125.83.48]:46431 "EHLO - mail-ee0-f48.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752038Ab3CBNuT (ORCPT - ); - Sat, 2 Mar 2013 08:50:19 -0500 -Received: by mail-ee0-f48.google.com with SMTP id t10so2921534eei.7 - for ; Sat, 02 Mar 2013 05:50:18 -0800 (PST) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20120113; - h=x-received:date:from:to:cc:subject:message-id:references - :mime-version:content-type:content-disposition:in-reply-to - :user-agent; - bh=8ABPYEMGQsyhtGtpdGpnD1kQchBrqYm9rJ3sEUcIQOc=; - b=hx/4GjbvaME9C3c+WOrfUkkwnJ5jJXefsOhCKmPCE8kmswk3Tvm11198r4+y1jM/Bl - 1wtIYby6sFgA08JUldm09fPpsKfbdeDnFAI5WmUAGJjahFXXRrQPocI6E0+s2BcM+t3H - Ii8g8ZvYJ+YMgbbSmp7mwMv98aa0+qdY6TIF4P/wNwAWrsjFh5TBgc/QyB0MzyQQ2tMp - LfA7n/2sH11vofS6FLSaWhtwGIIexPZ+oxWpvwBcCIYX+gTrSHPZqnLQkvhQ5oZDx7WF - 6QlNEqlmL+usW1ApRCAwcL4jOaORDAC2MytGH4jdZNic0PqdzonfbJTRE6YmZ45FHtNG - l+6w== -X-Received: by 10.15.101.204 with SMTP id bp52mr38431150eeb.31.1362232218031; - Sat, 02 Mar 2013 05:50:18 -0800 (PST) -Received: from gmail.com (aek101.neoplus.adsl.tpnet.pl. [83.25.114.101]) - by mx.google.com with ESMTPS id o3sm22363368eem.15.2013.03.02.05.50.16 - (version=TLSv1 cipher=ECDHE-RSA-RC4-SHA bits=128/128); - Sat, 02 Mar 2013 05:50:17 -0800 (PST) -Date: Sat, 2 Mar 2013 14:50:15 +0100 -From: Marcin Jurkowski -To: Sven Geggus -Cc: Evgeniy Polyakov , linux-kernel@vger.kernel.org -Subject: [PATCH 1/1] w1: fix oops when w1_search is called from netlink - connector -Message-ID: <20130302135015.GA21448@gmail.com> -References: <20130116141627.GA23638@ioremap.net> - <20130302001103.GB18026@gmail.com> - <20130302094510.GA4695@geggus.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -In-Reply-To: <20130302094510.GA4695@geggus.net> -User-Agent: Mutt/1.5.21 (2010-09-15) -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -On Sat, Mar 02, 2013 at 10:45:10AM +0100, Sven Geggus wrote: -> This is the bad commit I found doing git bisect: -> 04f482faf50535229a5a5c8d629cf963899f857c is the first bad commit -> commit 04f482faf50535229a5a5c8d629cf963899f857c -> Author: Patrick McHardy -> Date: Mon Mar 28 08:39:36 2011 +0000 - -Good job. I was too lazy to bisect for bad commit;) - -Reading the code I found problematic kthread_should_stop call from netlink -connector which causes the oops. After applying a patch, I've been testing -owfs+w1 setup for nearly two days and it seems to work very reliable (no -hangs, no memleaks etc). -More detailed description and possible fix is given below: - -Function w1_search can be called from either kthread or netlink callback. -While the former works fine, the latter causes oops due to kthread_should_stop -invocation. - -This patch adds a check if w1_search is serving netlink command, skipping -kthread_should_stop invocation if so. - -Signed-off-by: Marcin Jurkowski ---- - drivers/w1/w1.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/w1/w1.c b/drivers/w1/w1.c -index 7994d933..7e2220d 100644 ---- a/drivers/w1/w1.c -+++ b/drivers/w1/w1.c -@@ -924,7 +924,8 @@ void w1_search(struct w1_master *dev, u8 search_type, w1_slave_found_callback cb - tmp64 = (triplet_ret >> 2); - rn |= (tmp64 << i); - -- if (kthread_should_stop()) { -+ /* ensure we're called from kthread and not by netlink callback */ -+ if (!dev->priv && kthread_should_stop()) { - mutex_unlock(&dev->bus_mutex); - dev_dbg(&dev->dev, "Abort w1_search\n"); - return; --- -1.7.12.4 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ From cf865f635c8d9615c8dc8b16d48d74fbef519a64 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Mon, 18 Mar 2013 17:23:36 -0400 Subject: [PATCH 015/468] =?UTF-8?q?s390x=20config=20option=20changes=20fro?= =?UTF-8?q?m=20Dan=20Hor=C3=A1k=20=20-=20kernel-3.9.0-0.rc3.?= =?UTF-8?q?git0.3?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - enable PCI - disable few useless drivers - disable drivers conflicting with s390x --- config-s390x | 15 ++++++++++++--- kernel.spec | 7 ++++++- 2 files changed, 18 insertions(+), 4 deletions(-) diff --git a/config-s390x b/config-s390x index c0ae0aa0a..9ab57f8aa 100644 --- a/config-s390x +++ b/config-s390x @@ -260,6 +260,15 @@ CONFIG_HOTPLUG_PCI_S390=m # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_MCP23S08 is not set -# CONFIG_PCI is not set -# CONFIG_NET_VENDOR_MARVELL is not set -# CONFIG_PTP_1588_CLOCK_PCH is not set +# CONFIG_MEDIA_SUPPORT is not set +# CONFIG_USB_SUPPORT is not set +# CONFIG_DRM is not set +# CONFIG_SOUND is not set +# CONFIG_DW_DMAC is not set +# CONFIG_I2C_SMBUS is not set +# CONFIG_I2C_STUB is not set +# CONFIG_I2C_HELPER_AUTO is not set +# CONFIG_I2C_PARPORT is not set +# CONFIG_I2C_PARPORT_LIGHT is not set +# CONFIG_I2C_NFORCE2 is not set + diff --git a/kernel.spec b/kernel.spec index e9417e587..f4bd7495f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2276,6 +2276,11 @@ fi # and build. %changelog +- s390x config option changes from Dan Horák - kernel-3.9.0-0.rc3.git0.3 + - enable PCI + - disable few useless drivers + - disable drivers conflicting with s390x + * Mon Mar 18 2013 Dave Jones - 3.9.0-0.rc3.git0.2 - Linux 3.9-rc3 merged: w1-fix-oops-when-w1_search-is-called-from.patch From edbd7a108e06b9576c4891e67e6dea629a0e8c7b Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Mon, 18 Mar 2013 17:24:13 -0400 Subject: [PATCH 016/468] fix mess --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index f4bd7495f..cb9cdaf0d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2276,7 +2276,7 @@ fi # and build. %changelog -- s390x config option changes from Dan Horák - kernel-3.9.0-0.rc3.git0.3 +* s390x config option changes from Dan Horák - 3.9.0-0.rc3.git0.3 - enable PCI - disable few useless drivers - disable drivers conflicting with s390x From c970d9aadbe19eb200fbcd02b9dc8c8b4692da35 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Mon, 18 Mar 2013 17:24:58 -0400 Subject: [PATCH 017/468] I need a vacation --- kernel.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index cb9cdaf0d..7883df164 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2276,7 +2276,8 @@ fi # and build. %changelog -* s390x config option changes from Dan Horák - 3.9.0-0.rc3.git0.3 +* Mon Mar 18 2013 Dave Jones - 3.9.0-0.rc3.git0.3 +- s390x config option changes from Dan Horák - enable PCI - disable few useless drivers - disable drivers conflicting with s390x From 3cc4927aab4b6b51db502c78226e7a843180a413 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 19 Mar 2013 14:59:33 -0400 Subject: [PATCH 018/468] cpufreq/intel_pstate: Add function to check that all MSR's are valid (rhbz 922923) --- cpufreq-intel-pstate-validate-msrs.patch | 56 ++++++++++++++++++++++++ kernel.spec | 8 ++++ 2 files changed, 64 insertions(+) create mode 100644 cpufreq-intel-pstate-validate-msrs.patch diff --git a/cpufreq-intel-pstate-validate-msrs.patch b/cpufreq-intel-pstate-validate-msrs.patch new file mode 100644 index 000000000..0a790a0b6 --- /dev/null +++ b/cpufreq-intel-pstate-validate-msrs.patch @@ -0,0 +1,56 @@ +commit 866111646f2c5d4c6c25e2bb97f5c61c3992defb +Author: Dirk Brandewie +Date: Mon Mar 18 16:55:02 2013 -0700 + + cpufreq/intel_pstate: Add function to check that all MSR's are valid + + Some VMs seem to try to implement some MSRs but not all the registers + the driver needs. Check to make sure all the MSR that we need are + available. If any of the required MSRs are not available refuse to + load. + + Signed-off-by: Dirk Brandewie + +--- linux-3.9.0-0.rc3.git0.2.fc19.x86_64/drivers/cpufreq/intel_pstate.c~ 2013-03-19 14:54:33.489581718 -0400 ++++ linux-3.9.0-0.rc3.git0.2.fc19.x86_64/drivers/cpufreq/intel_pstate.c 2013-03-19 14:55:09.667523730 -0400 +@@ -752,6 +752,30 @@ static struct cpufreq_driver intel_pstat + + static int __initdata no_load; + ++static int intel_pstate_msrs_not_valid(void) ++{ ++ /* Check that all the msr's we are using are valid. */ ++ u64 aperf, mperf, tmp; ++ ++ rdmsrl(MSR_IA32_APERF, aperf); ++ rdmsrl(MSR_IA32_MPERF, mperf); ++ ++ if (!intel_pstate_min_pstate() || ++ !intel_pstate_max_pstate() || ++ !intel_pstate_turbo_pstate()) ++ return -ENODEV; ++ ++ rdmsrl(MSR_IA32_APERF, tmp); ++ if (!(tmp - aperf)) ++ return -ENODEV; ++ ++ rdmsrl(MSR_IA32_MPERF, tmp); ++ if (!(tmp - mperf)) ++ return -ENODEV; ++ ++ return 0; ++} ++ + static int __init intel_pstate_init(void) + { + int cpu, rc = 0; +@@ -764,6 +788,9 @@ static int __init intel_pstate_init(void + if (!id) + return -ENODEV; + ++ if (intel_pstate_msrs_not_valid()) ++ return -ENODEV; ++ + pr_info("Intel P-state driver initializing.\n"); + + all_cpu_data = vmalloc(sizeof(void *) * num_possible_cpus()); diff --git a/kernel.spec b/kernel.spec index 7883df164..86f3b27e8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -751,6 +751,8 @@ Patch22000: weird-root-dentry-name-debug.patch #selinux ptrace child permissions Patch22001: selinux-apply-different-permission-to-ptrace-child.patch +Patch23000: cpufreq-intel-pstate-validate-msrs.patch + # END OF PATCH DEFINITIONS %endif @@ -1416,6 +1418,9 @@ ApplyPatch weird-root-dentry-name-debug.patch #selinux ptrace child permissions ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch +# rhbz 922923 +ApplyPatch cpufreq-intel-pstate-validate-msrs.patch + #rhbz 859485 ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch @@ -2276,6 +2281,9 @@ fi # and build. %changelog +* Tue Mar 19 2013 Dave Jones +- cpufreq/intel_pstate: Add function to check that all MSR's are valid (rhbz 922923) + * Mon Mar 18 2013 Dave Jones - 3.9.0-0.rc3.git0.3 - s390x config option changes from Dan Horák - enable PCI From 2be584888b02181db75fee812591963035863d54 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 19 Mar 2013 19:05:33 -0400 Subject: [PATCH 019/468] Reenable debugging options. --- config-generic | 8 ++-- config-nodebug | 110 ++++++++++++++++++++++----------------------- config-x86-generic | 2 +- kernel.spec | 9 ++-- 4 files changed, 66 insertions(+), 63 deletions(-) diff --git a/config-generic b/config-generic index 52145225f..9c1cf4b94 100644 --- a/config-generic +++ b/config-generic @@ -1554,13 +1554,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -# CONFIG_B43_DEBUG is not set +CONFIG_B43_DEBUG=y CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DEBUG=y CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3198,7 +3198,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -# CONFIG_USB_UAS is not set +CONFIG_USB_UAS=m # @@ -4190,7 +4190,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_TEST_SUSPEND=y CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index aa7568c82..cfabd29c7 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_SLUB_DEBUG_ON is not set +CONFIG_SLUB_DEBUG_ON=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_SG=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_WRITECOUNT is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_WRITECOUNT=y +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -# CONFIG_X86_PTDUMP is not set +CONFIG_X86_PTDUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_SYSCTL_SYSCALL_CHECK is not set +CONFIG_SYSCTL_SYSCALL_CHECK=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set -# CONFIG_DMADEVICES_VDEBUG is not set +CONFIG_DMADEVICES_DEBUG=y +CONFIG_DMADEVICES_VDEBUG=y CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +CONFIG_TEST_LIST_SORT=y -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index 226859b4e..cac1a3157 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -326,7 +326,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index 86f3b27e8..5c351ca81 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 3 +%global baserelease 4 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 0 +%define rawhide_skip_docs 1 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -2281,6 +2281,9 @@ fi # and build. %changelog +* Tue Mar 19 2013 Dave Jones - 3.9.0-0.rc3.git0.4 +- Reenable debugging options. + * Tue Mar 19 2013 Dave Jones - cpufreq/intel_pstate: Add function to check that all MSR's are valid (rhbz 922923) From 884111f215ce993feed3de05a8bb60bd80ec52d7 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 20 Mar 2013 10:45:32 -0400 Subject: [PATCH 020/468] Enable CONFIG_DM_DELAY (rhbz 923721) --- config-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-generic b/config-generic index 9c1cf4b94..f7eef4183 100644 --- a/config-generic +++ b/config-generic @@ -590,7 +590,7 @@ CONFIG_ASYNC_RAID6_TEST=m CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=m CONFIG_DM_DEBUG=y -# CONFIG_DM_DELAY is not set +CONFIG_DM_DELAY=m CONFIG_DM_MIRROR=y CONFIG_DM_MULTIPATH=m CONFIG_DM_SNAPSHOT=y diff --git a/kernel.spec b/kernel.spec index 5c351ca81..7fccd0d79 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2281,6 +2281,9 @@ fi # and build. %changelog +* Wed Mar 20 2013 Dave Jones +- Enable CONFIG_DM_DELAY (rhbz 923721) + * Tue Mar 19 2013 Dave Jones - 3.9.0-0.rc3.git0.4 - Reenable debugging options. From a30c5a0847a5e15be5b91f9bf295f856e5935e4c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 21 Mar 2013 09:09:33 -0400 Subject: [PATCH 021/468] Linux v3.9-rc3-148-g2ffdd7e - Fixes CVE-2013-1796, CVE-2013-1797, CVE-2013-1798 in kvm. --- ...pport-for-atheros-04ca-3004-device-t.patch | 61 ------------------- kernel.spec | 14 ++--- sources | 1 + 3 files changed, 7 insertions(+), 69 deletions(-) delete mode 100644 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch diff --git a/0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch b/0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch deleted file mode 100644 index a14532b22..000000000 --- a/0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch +++ /dev/null @@ -1,61 +0,0 @@ -From fe7963cbe464048cfae4523975aa208a6c7dc420 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Mon, 18 Feb 2013 10:32:13 -0500 -Subject: [PATCH] bluetooth: Add support for atheros 04ca:3004 device to ath3k - -Yet another version of the atheros bluetooth chipset - -T: Bus=01 Lev=02 Prnt=02 Port=03 Cnt=01 Dev#= 3 Spd=12 MxCh= 0 -D: Ver= 1.10 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1 -P: Vendor=04ca ProdID=3004 Rev=00.01 -S: Manufacturer=Atheros Communications -S: Product=Bluetooth USB Host Controller -S: SerialNumber=Alaska Day 2006 -C: #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=100mA -I: If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb -I: If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb - -This resolves https://bugzilla.redhat.com/show_bug.cgi?id=844750 - -Reported-by: niktr@mail.ru -Signed-off-by: Josh Boyer ---- - drivers/bluetooth/ath3k.c | 2 ++ - drivers/bluetooth/btusb.c | 1 + - 2 files changed, 3 insertions(+) - -diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c -index 33c9a44..b9908dd 100644 ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -76,6 +76,7 @@ static struct usb_device_id ath3k_table[] = { - { USB_DEVICE(0x0CF3, 0x3004) }, - { USB_DEVICE(0x0CF3, 0x311D) }, - { USB_DEVICE(0x13d3, 0x3375) }, -+ { USB_DEVICE(0x04CA, 0x3004) }, - { USB_DEVICE(0x04CA, 0x3005) }, - { USB_DEVICE(0x04CA, 0x3006) }, - { USB_DEVICE(0x04CA, 0x3008) }, -@@ -108,6 +109,7 @@ static struct usb_device_id ath3k_blist_tbl[] = { - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311D), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, -diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c -index 7e351e3..59cde8e 100644 ---- a/drivers/bluetooth/btusb.c -+++ b/drivers/bluetooth/btusb.c -@@ -134,6 +134,7 @@ static struct usb_device_id blacklist_table[] = { - { USB_DEVICE(0x0cf3, 0x3004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x0cf3, 0x311d), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x13d3, 0x3375), .driver_info = BTUSB_ATH3012 }, -+ { USB_DEVICE(0x04ca, 0x3004), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3005), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3006), .driver_info = BTUSB_ATH3012 }, - { USB_DEVICE(0x04ca, 0x3008), .driver_info = BTUSB_ATH3012 }, --- -1.8.1.2 - diff --git a/kernel.spec b/kernel.spec index 7fccd0d79..f021e200c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 4 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 3 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -727,9 +727,6 @@ Patch21242: criu-no-expert.patch #rhbz 892811 Patch21247: ath9k_rx_dma_stop_check.patch -#rhbz 844750 -Patch21250: 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch - #rhbz 903192 Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch @@ -1430,9 +1427,6 @@ ApplyPatch criu-no-expert.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 844750 -ApplyPatch 0001-bluetooth-Add-support-for-atheros-04ca-3004-device-t.patch - #rhbz 903192 ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch @@ -2281,6 +2275,10 @@ fi # and build. %changelog +* Thu Mar 21 2013 Josh Boyer - 3.9.0-0.rc3.git1.1 +- Linux v3.9-rc3-148-g2ffdd7e +- Fixes CVE-2013-1796, CVE-2013-1797, CVE-2013-1798 in kvm. + * Wed Mar 20 2013 Dave Jones - Enable CONFIG_DM_DELAY (rhbz 923721) diff --git a/sources b/sources index fabb0ec3d..9a2b372a7 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz f7e97476e1ba31c3bb666b442fcb75dd patch-3.9-rc3.xz +95c3a8605dc96802e2dfe86a2655840c patch-3.9-rc3-git1.xz From 876ede3c3a3fec0976d4a736966102dca926f35d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 21 Mar 2013 09:04:30 -0400 Subject: [PATCH 022/468] Fix workqueue crash in mac80211 (rhbz 920218) --- kernel.spec | 11 +++- ...ont-restart-sta-timer-if-not-running.patch | 55 +++++++++++++++++++ 2 files changed, 65 insertions(+), 1 deletion(-) create mode 100644 mac80211-Dont-restart-sta-timer-if-not-running.patch diff --git a/kernel.spec b/kernel.spec index f021e200c..1d099e8bc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -740,6 +740,9 @@ Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +#rhbz 920218 +Patch21276: mac80211-Dont-restart-sta-timer-if-not-running.patch + #rhbz 859282 Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch @@ -1443,6 +1446,9 @@ ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch #rhbz 859282 ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch +#rhbz 920218 +ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch + # END OF PATCH APPLICATIONS %endif @@ -2275,6 +2281,9 @@ fi # and build. %changelog +* Thu Mar 21 2013 Josh Boyer +- Fix workqueue crash in mac80211 (rhbz 920218) + * Thu Mar 21 2013 Josh Boyer - 3.9.0-0.rc3.git1.1 - Linux v3.9-rc3-148-g2ffdd7e - Fixes CVE-2013-1796, CVE-2013-1797, CVE-2013-1798 in kvm. diff --git a/mac80211-Dont-restart-sta-timer-if-not-running.patch b/mac80211-Dont-restart-sta-timer-if-not-running.patch new file mode 100644 index 000000000..7727ad8f2 --- /dev/null +++ b/mac80211-Dont-restart-sta-timer-if-not-running.patch @@ -0,0 +1,55 @@ +From: Ben Greear + +I found another crash when deleting lots of virtual stations +in a congested environment. I think the problem is that +the ieee80211_mlme_notify_scan_completed could call +ieee80211_restart_sta_timer for a stopped interface +that was about to be deleted. Fix similar problem for +mesh interfaces as well. + +Signed-off-by: Ben Greear +--- +v4: Fix up mesh as well, add check in calling code instead of + in the methods that mucks iwth the timers. + +:100644 100644 67fcfdf... 02e3d75... M net/mac80211/mesh.c +:100644 100644 aec786d... 1d237e9... M net/mac80211/mlme.c + net/mac80211/mesh.c | 3 ++- + net/mac80211/mlme.c | 3 ++- + 2 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c +index 67fcfdf..02e3d75 100644 +--- a/net/mac80211/mesh.c ++++ b/net/mac80211/mesh.c +@@ -779,7 +779,8 @@ void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local) + + rcu_read_lock(); + list_for_each_entry_rcu(sdata, &local->interfaces, list) +- if (ieee80211_vif_is_mesh(&sdata->vif)) ++ if (ieee80211_sdata_running(sdata) ++ && ieee80211_vif_is_mesh(&sdata->vif)) + ieee80211_queue_work(&local->hw, &sdata->work); + rcu_read_unlock(); + } +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index aec786d..1d237e9 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -3054,7 +3054,8 @@ void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local) + /* Restart STA timers */ + rcu_read_lock(); + list_for_each_entry_rcu(sdata, &local->interfaces, list) +- ieee80211_restart_sta_timer(sdata); ++ if (ieee80211_sdata_running(sdata)) ++ ieee80211_restart_sta_timer(sdata); + rcu_read_unlock(); + } + +-- +1.7.3.4 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From 4093611836b0b6352ff3bfc732157bf8aac49634 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Thu, 21 Mar 2013 10:49:36 -0400 Subject: [PATCH 023/468] Only print "bad: scheduling from the idle thread" warning once. --- debug-idle-sched-warn-once.patch | 19 +++++++++++++++++++ kernel.spec | 7 ++++++- 2 files changed, 25 insertions(+), 1 deletion(-) create mode 100644 debug-idle-sched-warn-once.patch diff --git a/debug-idle-sched-warn-once.patch b/debug-idle-sched-warn-once.patch new file mode 100644 index 000000000..a2e873c16 --- /dev/null +++ b/debug-idle-sched-warn-once.patch @@ -0,0 +1,19 @@ +Instead of spewing this over and over, and scrolling useful info +off the screen, just print it once. + +--- linux-3.9.0-0.rc3.git0.2.fc19.x86_64/kernel/sched/idle_task.c~ 2013-03-21 10:44:17.935087323 -0400 ++++ linux-3.9.0-0.rc3.git0.2.fc19.x86_64/kernel/sched/idle_task.c 2013-03-21 10:44:41.936092782 -0400 +@@ -35,6 +35,13 @@ static struct task_struct *pick_next_tas + static void + dequeue_task_idle(struct rq *rq, struct task_struct *p, int flags) + { ++ static bool once = FALSE; ++ ++ if (once == TRUE) ++ return; ++ ++ once = TRUE; ++ + raw_spin_unlock_irq(&rq->lock); + printk(KERN_ERR "bad: scheduling from the idle thread!\n"); + dump_stack(); diff --git a/kernel.spec b/kernel.spec index 1d099e8bc..8cc0ae9a6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -747,6 +747,7 @@ Patch21276: mac80211-Dont-restart-sta-timer-if-not-running.patch Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch Patch22000: weird-root-dentry-name-debug.patch +Patch22010: debug-idle-sched-warn-once.patch #selinux ptrace child permissions Patch22001: selinux-apply-different-permission-to-ptrace-child.patch @@ -1414,6 +1415,7 @@ ApplyPatch lis3-improve-handling-of-null-rate.patch ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch ApplyPatch weird-root-dentry-name-debug.patch +ApplyPatch debug-idle-sched-warn-once.patch #selinux ptrace child permissions ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch @@ -2281,6 +2283,9 @@ fi # and build. %changelog +* Thu Mar 21 2013 Dave Jones - 3.9.0-0.rc3.git1.2 +- Only print "bad: scheduling from the idle thread" warning once. + * Thu Mar 21 2013 Josh Boyer - Fix workqueue crash in mac80211 (rhbz 920218) From 32241a4d579607a5d8acb24970f249161a0e092a Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Thu, 21 Mar 2013 10:54:52 -0400 Subject: [PATCH 024/468] compile testing is for weenies --- debug-idle-sched-warn-once.patch | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/debug-idle-sched-warn-once.patch b/debug-idle-sched-warn-once.patch index a2e873c16..1dd30496e 100644 --- a/debug-idle-sched-warn-once.patch +++ b/debug-idle-sched-warn-once.patch @@ -7,12 +7,12 @@ off the screen, just print it once. static void dequeue_task_idle(struct rq *rq, struct task_struct *p, int flags) { -+ static bool once = FALSE; ++ static bool once = 0; + -+ if (once == TRUE) ++ if (once == 1) + return; + -+ once = TRUE; ++ once = 1; + raw_spin_unlock_irq(&rq->lock); printk(KERN_ERR "bad: scheduling from the idle thread!\n"); From 7dd3fc397e0cfc5e26bbdf67b51a013aa9440ed5 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Fri, 22 Mar 2013 15:03:56 -0400 Subject: [PATCH 025/468] Fix calculation of current frequency in intel_pstate driver. (rhbz 923942) --- ...-max-is-in-the-max-variable-who-knew.patch | 42 +++++++++++++++++++ kernel.spec | 5 +++ 2 files changed, 47 insertions(+) create mode 100644 cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch diff --git a/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch b/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch new file mode 100644 index 000000000..e0d590b21 --- /dev/null +++ b/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch @@ -0,0 +1,42 @@ +From: dirk.brandewie@gmail.com +To: linux-kernel@vger.kernel.org, cpufreq@vger.kernel.org +Cc: Dirk Brandewie , + Dirk Brandewie +Subject: [PATCH] cpufreq/intel_pstate: Fix calculation of current frequency +Date: Fri, 22 Mar 2013 10:51:05 -0700 +Message-Id: <1363974665-22049-1-git-send-email-dirk.brandewie@gmail.com> + +From: Dirk Brandewie + +Use the correct pstate value to calculate the effective frequency. + +https://bugzilla.redhat.com/show_bug.cgi?id=923942 +Reported-by: Satish Balay + +Signed-off-by: Dirk Brandewie +--- + drivers/cpufreq/intel_pstate.c | 2 +- + 1 files changed, 1 insertions(+), 1 deletions(-) + +diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c +index e84af66..ad72922 100644 +--- a/drivers/cpufreq/intel_pstate.c ++++ b/drivers/cpufreq/intel_pstate.c +@@ -454,7 +454,7 @@ static inline void intel_pstate_calc_busy(struct cpudata *cpu, + sample->idletime_us * 100, + sample->duration_us); + core_pct = div64_u64(sample->aperf * 100, sample->mperf); +- sample->freq = cpu->pstate.turbo_pstate * core_pct * 1000; ++ sample->freq = cpu->pstate.max_pstate * core_pct * 1000; + + sample->core_pct_busy = div_s64((sample->pstate_pct_busy * core_pct), + 100); +-- +1.7.7.6 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ + diff --git a/kernel.spec b/kernel.spec index 8cc0ae9a6..e42dc44d9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -753,6 +753,7 @@ Patch22010: debug-idle-sched-warn-once.patch Patch22001: selinux-apply-different-permission-to-ptrace-child.patch Patch23000: cpufreq-intel-pstate-validate-msrs.patch +Patch23001: cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch # END OF PATCH DEFINITIONS @@ -1422,6 +1423,7 @@ ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch # rhbz 922923 ApplyPatch cpufreq-intel-pstate-validate-msrs.patch +ApplyPatch cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch #rhbz 859485 ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch @@ -2283,6 +2285,9 @@ fi # and build. %changelog +* Fri Mar 22 2013 Dave Jones +- Fix calculation of current frequency in intel_pstate driver. (rhbz 923942) + * Thu Mar 21 2013 Dave Jones - 3.9.0-0.rc3.git1.2 - Only print "bad: scheduling from the idle thread" warning once. From 0003c7222fb388b0431d8fa47da8d4f1f5094ff6 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Fri, 22 Mar 2013 15:06:24 -0400 Subject: [PATCH 026/468] bump --- kernel.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index e42dc44d9..a4911240a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 3 +%global baserelease 4 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2285,7 +2285,7 @@ fi # and build. %changelog -* Fri Mar 22 2013 Dave Jones +* Fri Mar 22 2013 Dave Jones - 3.9.0-0.rc3.git1.4 - Fix calculation of current frequency in intel_pstate driver. (rhbz 923942) * Thu Mar 21 2013 Dave Jones - 3.9.0-0.rc3.git1.2 From c8bb0ad5e226958c704ef6687f10cc73224824b3 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 24 Mar 2013 18:10:58 +0000 Subject: [PATCH 027/468] fix cherry pick --- arm-lpae-ax88796.patch | 21 +++++++ arm-omap-fix-usb-mvebu-conflict.patch | 85 +++++++++++++++++++++++++++ config-arm-generic | 3 +- config-armv7 | 24 ++++---- config-armv7-generic | 18 +++++- config-armv7-lpae | 67 +++++++++++++-------- kernel.spec | 16 +++-- 7 files changed, 189 insertions(+), 45 deletions(-) create mode 100644 arm-lpae-ax88796.patch create mode 100644 arm-omap-fix-usb-mvebu-conflict.patch diff --git a/arm-lpae-ax88796.patch b/arm-lpae-ax88796.patch new file mode 100644 index 000000000..3b9c32644 --- /dev/null +++ b/arm-lpae-ax88796.patch @@ -0,0 +1,21 @@ +X-Git-Url: http://git.linaro.org/gitweb?p=people%2Fahs3%2Farndale-acpi.git;a=blobdiff_plain;f=drivers%2Fnet%2Fethernet%2F8390%2Fax88796.c;fp=drivers%2Fnet%2Fethernet%2F8390%2Fax88796.c;h=763e575c82bc5d24e1927ad685dfbdd7a0eaa19e;hp=70dba5d01ad3cc8178318f9976a5922894a86859;hb=fe8e7c500d3d25234759351096d457b6e557ebd9;hpb=af28003b46fa7b2c5d7b52e0d4bc8f725a6305f1 + +diff --git a/drivers/net/ethernet/8390/ax88796.c b/drivers/net/ethernet/8390/ax88796.c +index 70dba5d..763e575 100644 +--- a/drivers/net/ethernet/8390/ax88796.c ++++ b/drivers/net/ethernet/8390/ax88796.c +@@ -828,7 +828,14 @@ static int ax_probe(struct platform_device *pdev) + struct ei_device *ei_local; + struct ax_device *ax; + struct resource *irq, *mem, *mem2; ++#ifndef CONFIG_ARM_LPAE ++ /* LPAE breaks this code as __aeabi_uldivmod for 64-bit ++ * is not supported in lib1funcs.s yet ++ */ + resource_size_t mem_size, mem2_size = 0; ++#else ++ u32 mem_size, mem2_size = 0; ++#endif + int ret = 0; + + dev = ax__alloc_ei_netdev(sizeof(struct ax_device)); diff --git a/arm-omap-fix-usb-mvebu-conflict.patch b/arm-omap-fix-usb-mvebu-conflict.patch new file mode 100644 index 000000000..7ef76619f --- /dev/null +++ b/arm-omap-fix-usb-mvebu-conflict.patch @@ -0,0 +1,85 @@ +--- linux-3.9.0-0.rc3.git1.4.fc19.x86_64/drivers/usb/host/ehci-hcd.c.orig 2013-03-23 18:52:52.576674960 +0000 ++++ linux-3.9.0-0.rc3.git1.4.fc19.x86_64/drivers/usb/host/ehci-hcd.c 2013-03-24 12:46:49.149621810 +0000 +@@ -1252,7 +1252,7 @@ + + #ifdef CONFIG_USB_EHCI_HCD_OMAP + #include "ehci-omap.c" +-#define PLATFORM_DRIVER ehci_hcd_omap_driver ++#define OMAP_PLATFORM_DRIVER ehci_hcd_omap_driver + #endif + + #ifdef CONFIG_PPC_PS3 +@@ -1272,7 +1272,7 @@ + + #ifdef CONFIG_PLAT_ORION + #include "ehci-orion.c" +-#define PLATFORM_DRIVER ehci_orion_driver ++#define ORION_PLATFORM_DRIVER ehci_orion_driver + #endif + + #ifdef CONFIG_USB_W90X900_EHCI +@@ -1384,6 +1384,12 @@ + goto clean0; + #endif + ++#ifdef ORION_PLATFORM_DRIVER ++ retval = platform_driver_register(&ORION_PLATFORM_DRIVER); ++ if (retval < 0) ++ goto clean1; ++#endif ++ + #ifdef PS3_SYSTEM_BUS_DRIVER + retval = ps3_ehci_driver_register(&PS3_SYSTEM_BUS_DRIVER); + if (retval < 0) +@@ -1401,10 +1407,20 @@ + if (retval < 0) + goto clean4; + #endif ++ ++#ifdef OMAP_PLATFORM_DRIVER ++ retval = platform_driver_register(&OMAP_PLATFORM_DRIVER); ++ if (retval < 0) ++ goto clean5; ++#endif + return retval; + ++#ifdef OMAP_PLATFORM_DRIVER ++ /* platform_driver_unregister(&OMAP_PLATFORM_DRIVER); */ ++clean5: ++#endif + #ifdef XILINX_OF_PLATFORM_DRIVER +- /* platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); */ ++ platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); + clean4: + #endif + #ifdef OF_PLATFORM_DRIVER +@@ -1415,6 +1431,10 @@ + ps3_ehci_driver_unregister(&PS3_SYSTEM_BUS_DRIVER); + clean2: + #endif ++#ifdef ORION_PLATFORM_DRIVER ++ platform_driver_unregister(&ORION_PLATFORM_DRIVER); ++clean1: ++#endif + #ifdef PLATFORM_DRIVER + platform_driver_unregister(&PLATFORM_DRIVER); + clean0: +@@ -1431,12 +1451,18 @@ + + static void __exit ehci_hcd_cleanup(void) + { ++#ifdef OMAP_PLATFORM_DRIVER ++ platform_driver_unregister(&OMAP_PLATFORM_DRIVER); ++#endif + #ifdef XILINX_OF_PLATFORM_DRIVER + platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); + #endif + #ifdef OF_PLATFORM_DRIVER + platform_driver_unregister(&OF_PLATFORM_DRIVER); + #endif ++#ifdef ORION_PLATFORM_DRIVER ++ platform_driver_unregister(&ORION_PLATFORM_DRIVER); ++#endif + #ifdef PLATFORM_DRIVER + platform_driver_unregister(&PLATFORM_DRIVER); + #endif diff --git a/config-arm-generic b/config-arm-generic index 03d93925e..2397c3758 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -48,9 +48,8 @@ CONFIG_LOCAL_TIMERS=y CONFIG_ATAGS=y CONFIG_ATAGS_PROC=y -CONFIG_PL330_DMA=y +CONFIG_PL330_DMA=m CONFIG_AMBA_PL08X=y -CONFIG_PL330_DMA=y # CONFIG_XIP_KERNEL is not set # CONFIG_PID_IN_CONTEXTIDR is not set diff --git a/config-armv7 b/config-armv7 index 7142ed965..ffaf72eea 100644 --- a/config-armv7 +++ b/config-armv7 @@ -31,6 +31,7 @@ CONFIG_CPU_IDLE_CALXEDA=y CONFIG_EDAC_HIGHBANK_MC=m CONFIG_EDAC_HIGHBANK_L2=m CONFIG_SATA_HIGHBANK=m +CONFIG_ARM_HIGHBANK_CPUFREQ=m # versatile CONFIG_VEXPRESS_CONFIG=y @@ -48,10 +49,6 @@ CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y CONFIG_MACH_ARMADA_370_XP=y CONFIG_MACH_ARMADA_370=y CONFIG_MACH_ARMADA_XP=y -CONFIG_ARCH_DOVE=y -# CONFIG_MACH_DOVE_DB is not set -# CONFIG_MACH_CM_A510 is not set -CONFIG_MACH_DOVE_DT=y CONFIG_CACHE_TAUROS2=y CONFIG_MV_XOR=y @@ -73,8 +70,6 @@ CONFIG_MVNETA=m CONFIG_GPIO_MVEBU=y CONFIG_MVEBU_CLK_CORE=y CONFIG_MVEBU_CLK_GATING=y -CONFIG_DOVE_THERMAL=m -CONFIG_MMC_SDHCI_DOVE=m CONFIG_MMC_MVSDIO=m # omap @@ -141,13 +136,18 @@ CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m CONFIG_USB_EHCI_HCD_OMAP=y CONFIG_USB_OHCI_HCD_OMAP3=y +CONFIG_OMAP_CONTROL_USB=m +CONFIG_NOP_USB_XCEIV=m +CONFIG_TWL4030_USB=m +CONFIG_TWL6030_USB=m +CONFIG_USB_MUSB_AM35X=m CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y CONFIG_RTC_DRV_MAX8907=m CONFIG_RTC_DRV_TWL92330=y CONFIG_RTC_DRV_TWL4030=y CONFIG_RTC_DRV_OMAP=y -CONFIG_DMA_OMAP=m +CONFIG_DMA_OMAP=y CONFIG_OMAP_IOVMM=m CONFIG_HWSPINLOCK_OMAP=m CONFIG_OMAP_IOMMU=y @@ -181,7 +181,7 @@ CONFIG_CRYPTO_DEV_OMAP_SHAM=m CONFIG_CRYPTO_DEV_OMAP_AES=m CONFIG_HW_RANDOM_OMAP=m -CONFIG_DRM_TILCDC=m +# CONFIG_DRM_TILCDC is not set CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_NUM_CRTCS=2 CONFIG_OMAP2_VRAM=y @@ -383,12 +383,10 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_TOUCHSCREEN_EETI is not set # CONFIG_TOUCHSCREEN_EGALAX is not set # CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set -CONFIG_VIRTUALIZATION=y + +# CONFIG_VIRTUALIZATION is not set # CONFIG_CHARGER_MANAGER is not set # CONFIG_POWER_RESET_QNAP is not set # CONFIG_POWER_RESET_RESTART is not set # CONFIG_ARM_PSCI is not set -# CONFIG_ARM_HIGHBANK_CPUFREQ is not set -# CONFIG_RFKILL_REGULATOR is not set - -CONFIG_XZ_DEC_ARM=y +# CONFIG_OMAP2_DSS_DEBUG is not set diff --git a/config-armv7-generic b/config-armv7-generic index 77faa7264..6012c3295 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -156,7 +156,7 @@ CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_RTC_DRV_PL030=y CONFIG_RTC_DRV_PL031=y -CONFIG_PL330_DMA=y +CONFIG_PL330_DMA=m CONFIG_AMBA_PL08X=y CONFIG_ARM_SP805_WATCHDOG=m CONFIG_I2C_VERSATILE=m @@ -276,6 +276,22 @@ CONFIG_PERF_EVENTS=y # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set +# these modules all fail with missing __bad_udelay +# http://www.spinics.net/lists/arm/msg15615.html provides some background +# CONFIG_SUNGEM is not set +# CONFIG_FB_SAVAGE is not set +# CONFIG_FB_RADEON is not set +# CONFIG_DRM_RADEON is not set +# CONFIG_ATM_HE is not set +# CONFIG_SCSI_ACARD is not set +# CONFIG_SFC is not set + +# these all currently fail due to missing symbols __bad_udelay or +# error: implicit declaration of function ‘iowrite32be’ +# CONFIG_SND_ALI5451 is not set +# CONFIG_DRM_NOUVEAU is not set +# CONFIG_MLX4_EN is not set + # Debug options. We need to deal with them at some point like x86 # CONFIG_COMMON_CLK_DEBUG is not set # CONFIG_DEBUG_USER is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index 847de9786..324a31e21 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -1,26 +1,10 @@ # ARM unified arch kernel CONFIG_CPU_V7=y -# CONFIG_ARCH_MULTI_V4 is not set -# CONFIG_ARCH_MULTI_V4T is not set -# CONFIG_ARCH_MULTI_V6 is not set -CONFIG_ARCH_MULTI_V6_V7=y -CONFIG_ARCH_MULTI_V7=y -# CONFIG_ARCH_BCM is not set -# CONFIG_ARCH_HIGHBANK is not set -# CONFIG_ARCH_MVEBU is not set -# CONFIG_ARCH_MXC is not set -# CONFIG_ARCH_OMAP2PLUS is not set -# CONFIG_ARCH_PICOXCELL is not set -# CONFIG_ARCH_SOCFPGA is not set -# CONFIG_ARCH_SUNXI is not set -# CONFIG_ARCH_VEXPRESS_CA9X4 is not set -CONFIG_ARCH_VEXPRESS_DT=y +CONFIG_ARCH_EXYNOS=y CONFIG_ARCH_VIRT=y -# CONFIG_ARCH_WM8850 is not set -# CONFIG_ARCH_ZYNQ is not set -CONFIG_VEXPRESS_EXTENDED_MEMORY_MAP=y -CONFIG_ARCH_VEXPRESS_CA15X4=y -# CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA is not set + +# CONFIG_ARCH_EXYNOS4 is not set +CONFIG_ARCH_EXYNOS5=y CONFIG_ARM_LPAE=y CONFIG_VIRTIO_CONSOLE=m @@ -51,7 +35,42 @@ CONFIG_XEN_GNTDEV=y CONFIG_XEN_GRANT_DEV_ALLOC=m CONFIG_XEN_WDT=m -# CONFIG_ARCH_OMAP2 is not set -# CONFIG_ARCH_OMAP3 is not set -# CONFIG_ARCH_OMAP4 is not set -CONFIG_ARCH_OMAP5=y +CONFIG_S3C_BOOT_ERROR_RESET=y +CONFIG_S3C_BOOT_UART_FORCE_FIFO=y +CONFIG_S3C_LOWLEVEL_UART_PORT=0 +CONFIG_S3C_GPIO_SPACE=8 +CONFIG_S3C_ADC=y +CONFIG_S3C24XX_PWM=y +# CONFIG_SAMSUNG_PM_DEBUG is not set +# CONFIG_SAMSUNG_PM_CHECK is not set +CONFIG_SOC_EXYNOS5250=y +CONFIG_SOC_EXYNOS5440=y +CONFIG_MACH_EXYNOS5_DT=y +CONFIG_ARM_PSCI=y +CONFIG_ARM_EXYNOS_CPUFREQ=y +CONFIG_SERIAL_SAMSUNG=y +CONFIG_I2C_S3C2410=m +CONFIG_PINCTRL_EXYNOS=y +CONFIG_S3C2410_WATCHDOG=m +CONFIG_VIDEO_SAMSUNG_S5P_G2D=m +CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m +CONFIG_VIDEO_SAMSUNG_S5P_MFC=m +CONFIG_VIDEO_SAMSUNG_EXYNOS_GSC=m +CONFIG_FB_S3C=m +CONFIG_SND_SOC_SAMSUNG=m +CONFIG_USB_EHCI_S5P=y +CONFIG_USB_OHCI_EXYNOS=y +CONFIG_MMC_SDHCI_S3C=m +CONFIG_RTC_DRV_S3C=m +CONFIG_PWM_SAMSUNG=m +CONFIG_S3C_BOOT_WATCHDOG=y +CONFIG_SAMSUNG_GPIO_EXTRA=8 +CONFIG_SERIAL_SAMSUNG_CONSOLE=y +CONFIG_BATTERY_S3C_ADC=m +CONFIG_SENSORS_S3C=m +CONFIG_SENSORS_S3C_RAW=y +CONFIG_FB_S3C_DEBUG_REGWRITE=y +CONFIG_SND_SOC_SAMSUNG_SMDK_SPDIF=m +CONFIG_USB_EHCI_S5P=y +CONFIG_SAMSUNG_USBPHY=y +CONFIG_MMC_SDHCI_S3C_DMA=y diff --git a/kernel.spec b/kernel.spec index a4911240a..00c682d06 100644 --- a/kernel.spec +++ b/kernel.spec @@ -252,8 +252,8 @@ Summary: The Linux kernel # kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp %ifnarch armv7hl %define with_lpae 0 -%define with_tegra 0 %endif +%define with_tegra 0 # if requested, only build base kernel %if %{with_baseonly} @@ -706,14 +706,15 @@ Patch14010: lis3-improve-handling-of-null-rate.patch # ARM Patch21000: arm-export-read_current_timer.patch -# IMX +# lpae +Patch21001: arm-lpae-ax88796.patch + +# ARM omap +Patch21002: arm-omap-fix-usb-mvebu-conflict.patch # ARM tegra Patch21004: arm-tegra-nvec-kconfig.patch Patch21005: arm-tegra-usb-no-reset-linux33.patch -# https://patchwork.kernel.org/patch/2106061/ - -# versatile #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -1308,6 +1309,8 @@ ApplyPatch vmbugon-warnon.patch # ARM # ApplyPatch arm-export-read_current_timer.patch +ApplyPatch arm-lpae-ax88796.patch +# ApplyPatch arm-omap-fix-usb-mvebu-conflict.patch # ApplyPatch arm-tegra-nvec-kconfig.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch @@ -2285,6 +2288,9 @@ fi # and build. %changelog +* Sun Mar 24 2013 Peter Robinson +- Update ARM config for OMAP/mvebu/lpae + * Fri Mar 22 2013 Dave Jones - 3.9.0-0.rc3.git1.4 - Fix calculation of current frequency in intel_pstate driver. (rhbz 923942) From 8cb0a854bb6df0e353d30cc4044a9d3e23965870 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Sun, 24 Mar 2013 22:21:32 -0400 Subject: [PATCH 028/468] Linux 3.9-rc4 merged: drm-i915-bounds-check-execbuffer-relocation-count.patch --- ...ds-check-execbuffer-relocation-count.patch | 100 ------------------ kernel.spec | 16 ++- sources | 3 +- 3 files changed, 8 insertions(+), 111 deletions(-) delete mode 100644 drm-i915-bounds-check-execbuffer-relocation-count.patch diff --git a/drm-i915-bounds-check-execbuffer-relocation-count.patch b/drm-i915-bounds-check-execbuffer-relocation-count.patch deleted file mode 100644 index 1377a5285..000000000 --- a/drm-i915-bounds-check-execbuffer-relocation-count.patch +++ /dev/null @@ -1,100 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.169.233 with SMTP id ah9csp107244oac; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -X-Received: by 10.68.195.70 with SMTP id ic6mr32376980pbc.60.1363048363048; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id xm3si25923071pbc.196.2013.03.11.17.32.12; - Mon, 11 Mar 2013 17:32:43 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754633Ab3CLAbx (ORCPT + 99 others); - Mon, 11 Mar 2013 20:31:53 -0400 -Received: from smtp.outflux.net ([198.145.64.163]:48630 "EHLO smtp.outflux.net" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754446Ab3CLAbx (ORCPT ); - Mon, 11 Mar 2013 20:31:53 -0400 -Received: from www.outflux.net (serenity-end.outflux.net [10.2.0.2]) - by vinyl.outflux.net (8.14.4/8.14.4/Debian-2ubuntu2) with ESMTP id r2C0VjYO004342; - Mon, 11 Mar 2013 17:31:45 -0700 -Date: Mon, 11 Mar 2013 17:31:45 -0700 -From: Kees Cook -To: linux-kernel@vger.kernel.org -Cc: Daniel Vetter , - David Airlie , - dri-devel@lists.freedesktop.org, intel-gfx@lists.freedesktop.org, - Julien Tinnes , marcheu@chromium.org -Subject: [PATCH v3] drm/i915: bounds check execbuffer relocation count -Message-ID: <20130312003145.GA28993@www.outflux.net> -MIME-Version: 1.0 -Content-Type: text/plain; charset=us-ascii -Content-Disposition: inline -X-MIMEDefang-Filter: outflux$Revision: 1.316 $ -X-HELO: www.outflux.net -X-Scanned-By: MIMEDefang 2.71 on 10.2.0.1 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -It is possible to wrap the counter used to allocate the buffer for -relocation copies. This could lead to heap writing overflows. - -CVE-2013-0913 - -v3: collapse test, improve comment -v2: move check into validate_exec_list - -Signed-off-by: Kees Cook -Reported-by: Pinkie Pie -Cc: stable@vger.kernel.org ---- - drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/i915/i915_gem_execbuffer.c b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -index b3a40ee..094ba41 100644 ---- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c -+++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c -@@ -732,6 +732,8 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, - int count) - { - int i; -+ int relocs_total = 0; -+ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); - - for (i = 0; i < count; i++) { - char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; -@@ -740,10 +742,13 @@ validate_exec_list(struct drm_i915_gem_exec_object2 *exec, - if (exec[i].flags & __EXEC_OBJECT_UNKNOWN_FLAGS) - return -EINVAL; - -- /* First check for malicious input causing overflow */ -- if (exec[i].relocation_count > -- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) -+ /* First check for malicious input causing overflow in -+ * the worst case where we need to allocate the entire -+ * relocation tree as a single array. -+ */ -+ if (exec[i].relocation_count > relocs_max - relocs_total) - return -EINVAL; -+ relocs_total += exec[i].relocation_count; - - length = exec[i].relocation_count * - sizeof(struct drm_i915_gem_relocation_entry); --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index 00c682d06..60c59235c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 4 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -93,9 +93,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 3 +%define rcrev 4 # The git snapshot level -%define gitrev 1 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -734,9 +734,6 @@ Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#CVE-2013-0913 rhbz 920471 920529 -Patch21271: drm-i915-bounds-check-execbuffer-relocation-count.patch - #rhbz 856863 892599 Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -1443,9 +1440,6 @@ ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch #rhbz 914737 ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch -#CVE-2013-0913 rhbz 920471 920529 -ApplyPatch drm-i915-bounds-check-execbuffer-relocation-count.patch - #rhbz 856863 892599 ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -2288,6 +2282,10 @@ fi # and build. %changelog +* Sun Mar 24 2013 Dave Jones - 3.9.0-0.rc4.git0.1 +- Linux 3.9-rc4 + merged: drm-i915-bounds-check-execbuffer-relocation-count.patch + * Sun Mar 24 2013 Peter Robinson - Update ARM config for OMAP/mvebu/lpae diff --git a/sources b/sources index 9a2b372a7..24acb5b33 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -f7e97476e1ba31c3bb666b442fcb75dd patch-3.9-rc3.xz -95c3a8605dc96802e2dfe86a2655840c patch-3.9-rc3-git1.xz +8106d3a1c94ea6eb726e62c167a794da patch-3.9-rc4.xz From be41f87775aee5c68537b018318050282ed439fd Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 25 Mar 2013 13:58:11 -0500 Subject: [PATCH 029/468] disable whci-hcd since it doesnt seem to have users (rhbz 919289) --- config-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-generic b/config-generic index f7eef4183..c4006debe 100644 --- a/config-generic +++ b/config-generic @@ -4463,7 +4463,7 @@ CONFIG_WM8350_POWER=m CONFIG_USB_WUSB=m CONFIG_USB_WUSB_CBAF=m # CONFIG_USB_WUSB_CBAF_DEBUG is not set -CONFIG_USB_WHCI_HCD=m +# CONFIG_USB_WHCI_HCD is not set CONFIG_USB_HWA_HCD=m # CONFIG_USB_HCD_BCMA is not set # CONFIG_USB_HCD_SSB is not set diff --git a/kernel.spec b/kernel.spec index 60c59235c..40eb8094a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2282,6 +2282,9 @@ fi # and build. %changelog +* Mon Mar 25 2013 Justin M. Forbes +- disable whci-hcd since it doesnt seem to have users (rhbz 919289) + * Sun Mar 24 2013 Dave Jones - 3.9.0-0.rc4.git0.1 - Linux 3.9-rc4 merged: drm-i915-bounds-check-execbuffer-relocation-count.patch From 8231bf37c091a91567cb2dd0323ceee0235debd3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 26 Mar 2013 07:47:37 -0400 Subject: [PATCH 030/468] Add quirk for MSI keyboard backlight to avoid 10 sec boot delay (rhbz 907221) --- ...sbhid-quirk-for-MSI-GX680R-led-panel.patch | 45 +++++++++++++++++++ kernel.spec | 11 ++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch diff --git a/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch b/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch new file mode 100644 index 000000000..66e529d72 --- /dev/null +++ b/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch @@ -0,0 +1,45 @@ +From 565bd59e8f55b82eb49b58b0972ac41f4448ef06 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 15 Mar 2013 10:31:31 -0400 +Subject: [PATCH] HID: usbhid: quirk for MSI GX680R led panel + +This keyboard backlight device causes a 10 second delay to boot. Add it +to the quirk list with HID_QUIRK_NO_INIT_REPORTS. + +This fixes Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=907221 + +Signed-off-by: Josh Boyer +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index d1063e9..c438877 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -590,6 +590,9 @@ + #define USB_VENDOR_ID_MONTEREY 0x0566 + #define USB_DEVICE_ID_GENIUS_KB29E 0x3004 + ++#define USB_VENDOR_ID_MSI 0x1770 ++#define USB_DEVICE_ID_MSI_GX680R_LED_PANEL 0xff00 ++ + #define USB_VENDOR_ID_NATIONAL_SEMICONDUCTOR 0x0400 + #define USB_DEVICE_ID_N_S_HARMONY 0xc359 + +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index e991d81..476c984 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -73,6 +73,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GX680R_LED_PANEL, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS }, +-- +1.8.1.2 + diff --git a/kernel.spec b/kernel.spec index 40eb8094a..a243f4601 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -744,6 +744,9 @@ Patch21276: mac80211-Dont-restart-sta-timer-if-not-running.patch #rhbz 859282 Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch +#rhbz 907221 +Patch21277: HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch + Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch @@ -1450,6 +1453,9 @@ ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch #rhbz 920218 ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch +#rhbz 907221 +ApplyPatch HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch + # END OF PATCH APPLICATIONS %endif @@ -2282,6 +2288,9 @@ fi # and build. %changelog +* Tue Mar 26 2013 Josh Boyer +- Add quirk for MSI keyboard backlight to avoid 10 sec boot delay (rhbz 907221) + * Mon Mar 25 2013 Justin M. Forbes - disable whci-hcd since it doesnt seem to have users (rhbz 919289) From e192462c6744f75db149a1bc6d3f572482dcf8ec Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 26 Mar 2013 07:52:06 -0400 Subject: [PATCH 031/468] Add quirk for Realtek card reader to avoid 10 sec boot delay (rhbz 806587) --- ...-quirk-for-Realtek-Multi-card-reader.patch | 45 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 52 insertions(+) create mode 100644 HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch diff --git a/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch b/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch new file mode 100644 index 000000000..6bccd6cd1 --- /dev/null +++ b/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch @@ -0,0 +1,45 @@ +From 926bb9deb21046248d01e2f6fc86fdbb149b514c Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 15 Mar 2013 10:27:36 -0400 +Subject: [PATCH 1/2] HID: usbhid: quirk for Realtek Multi-card reader + +This device has an odd HID entry and causes a 10 second delay in boot. +Add this device to the quirks list with HID_QUIRK_NO_INIT_REPORTS. + +This fixes Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=806587 + +Signed-off-by: Josh Boyer +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 92e47e5..d1063e9 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -684,6 +684,9 @@ + #define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001 0x3001 + #define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008 0x3008 + ++#define USB_VENDOR_ID_REALTEK 0x0bda ++#define USB_DEVICE_ID_REALTEK_READER 0x0152 ++ + #define USB_VENDOR_ID_ROCCAT 0x1e7d + #define USB_DEVICE_ID_ROCCAT_ARVO 0x30d4 + #define USB_DEVICE_ID_ROCCAT_ISKU 0x319c +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index e0e6abf..e991d81 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -80,6 +80,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008, HID_QUIRK_NOGET }, ++ { USB_VENDOR_ID_REALTEK, USB_DEVICE_ID_REALTEK_READER, HID_QUIRK_NO_INIT_REPORTS }, + { USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780, HID_QUIRK_NOGET }, + { USB_VENDOR_ID_SUN, USB_DEVICE_ID_RARITAN_KVM_DONGLE, HID_QUIRK_NOGET }, +-- +1.8.1.2 + diff --git a/kernel.spec b/kernel.spec index a243f4601..3a08eb851 100644 --- a/kernel.spec +++ b/kernel.spec @@ -747,6 +747,9 @@ Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch #rhbz 907221 Patch21277: HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch +#rhbz 806587 +Patch21278: HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch + Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch @@ -1456,6 +1459,9 @@ ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch #rhbz 907221 ApplyPatch HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch +#rhbz 806587 +ApplyPatch HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch + # END OF PATCH APPLICATIONS %endif @@ -2289,6 +2295,7 @@ fi %changelog * Tue Mar 26 2013 Josh Boyer +- Add quirk for Realtek card reader to avoid 10 sec boot delay (rhbz 806587) - Add quirk for MSI keyboard backlight to avoid 10 sec boot delay (rhbz 907221) * Mon Mar 25 2013 Justin M. Forbes From 5eb41544d2ad61f35caf24050ad2ca3da980ec92 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 26 Mar 2013 11:11:15 -0400 Subject: [PATCH 032/468] Enable CONFIG_DM_CACHE (rhbz 924325) --- config-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-generic b/config-generic index c4006debe..acbf3a048 100644 --- a/config-generic +++ b/config-generic @@ -595,7 +595,7 @@ CONFIG_DM_MIRROR=y CONFIG_DM_MULTIPATH=m CONFIG_DM_SNAPSHOT=y CONFIG_DM_THIN_PROVISIONING=m -# CONFIG_DM_CACHE is not set +CONFIG_DM_CACHE=m # CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set # CONFIG_DM_DEBUG_SPACE_MAPS is not set CONFIG_DM_UEVENT=y diff --git a/kernel.spec b/kernel.spec index 3a08eb851..94c9da3cc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2294,6 +2294,9 @@ fi # and build. %changelog +* Tue Mar 26 2013 Dave Jones +- Enable CONFIG_DM_CACHE (rhbz 924325) + * Tue Mar 26 2013 Josh Boyer - Add quirk for Realtek card reader to avoid 10 sec boot delay (rhbz 806587) - Add quirk for MSI keyboard backlight to avoid 10 sec boot delay (rhbz 907221) From 2ddced2782886483efc34c54b9de90e37c756ed0 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 26 Mar 2013 15:07:55 -0500 Subject: [PATCH 033/468] Fix child thread introspection of of /proc/self/exe (rhbz 927469) --- fix-child-thread-introspection.patch | 76 ++++++++++++++++++++++++++++ kernel.spec | 9 ++++ 2 files changed, 85 insertions(+) create mode 100644 fix-child-thread-introspection.patch diff --git a/fix-child-thread-introspection.patch b/fix-child-thread-introspection.patch new file mode 100644 index 000000000..4c0bad1a6 --- /dev/null +++ b/fix-child-thread-introspection.patch @@ -0,0 +1,76 @@ +Allow threads other than the main thread to do introspection of files in +proc without relying on read permissions. proc_pid_follow_link() calls +proc_fd_access_allowed() which ultimately calls __ptrace_may_access(). + +Though this allows additional access to some proc files, we do not +believe that this has any unintended security implications. However it +probably needs to be looked at carefully. + +The original problem was a thread of a process whose permissions were +111 couldn't open its own /proc/self/exe This was interfering with a +special purpose debugging tool. A simple reproducer is below.: + +#include +#include +#include +#include +#include +#include + +#define BUFSIZE 2048 + +void *thread_main(void *arg){ + char *str=(char*)arg; + char buf[BUFSIZE]; + ssize_t len=readlink("/proc/self/exe", buf, BUFSIZE); + if(len==-1) + printf("/proc/self/exe in %s: %s\n", str,sys_errlist[errno]); + else + printf("/proc/self/exe in %s: OK\n", str); + + return 0; +} + +int main(){ + pthread_t thread; + + int retval=pthread_create( &thread, NULL, thread_main, "thread"); + if(retval!=0) + exit(1); + + thread_main("main"); + pthread_join(thread, NULL); + + exit(0); +} + +Signed-off-by: Ben Woodard +Signed-off-by: Mark Grondona +--- + kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/kernel/ptrace.c b/kernel/ptrace.c +index acbd284..347c4c7 100644 +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +diff -ruNp linux-3.8.4-103.fc17.noarch/kernel/ptrace.c linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c +--- linux-3.8.4-103.fc17.noarch/kernel/ptrace.c 2013-02-18 17:58:34.000000000 -0600 ++++ linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c 2013-03-26 14:59:01.939396346 -0500 +@@ -234,7 +234,7 @@ static int __ptrace_may_access(struct ta + */ + int dumpable = 0; + /* Don't let security modules deny introspection */ +- if (task == current) ++ if (same_thread_group(task, current)) + return 0; + rcu_read_lock(); + tcred = __task_cred(task); +-- +1.8.1.4 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index 94c9da3cc..997202c9b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -759,6 +759,9 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch Patch23000: cpufreq-intel-pstate-validate-msrs.patch Patch23001: cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch +#rhbz 927469 +Patch23006: fix-child-thread-introspection.patch + # END OF PATCH DEFINITIONS %endif @@ -1462,6 +1465,9 @@ ApplyPatch HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch #rhbz 806587 ApplyPatch HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch +#rhbz 927469 +ApplyPatch fix-child-thread-introspection.patch + # END OF PATCH APPLICATIONS %endif @@ -2294,6 +2300,9 @@ fi # and build. %changelog +* Tue Mar 26 2013 Justin M. Forbes +- Fix child thread introspection of of /proc/self/exe (rhbz 927469) + * Tue Mar 26 2013 Dave Jones - Enable CONFIG_DM_CACHE (rhbz 924325) From 50292ae0f2889d200b70df7e74108f0b3fae2638 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 28 Mar 2013 13:26:45 +0000 Subject: [PATCH 034/468] fix merge --- config-arm-generic | 2 +- config-armv7 | 99 ++++++++++++++++++++++++++++++++++++++++---- config-armv7-generic | 2 +- config-generic | 2 + kernel.spec | 3 ++ 5 files changed, 97 insertions(+), 11 deletions(-) diff --git a/config-arm-generic b/config-arm-generic index 2397c3758..6c070483a 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -410,7 +410,7 @@ CONFIG_IEEE802154_MRF24J40=m # CONFIG_PINCTRL_EXYNOS4 is not set # CONFIG_PINCTRL_EXYNOS5440 is not set -# CONFIG_AUTO_ZRELADDR is not set +CONFIG_AUTO_ZRELADDR=y # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_VFIO is not set diff --git a/config-armv7 b/config-armv7 index ffaf72eea..6c5ebce33 100644 --- a/config-armv7 +++ b/config-armv7 @@ -115,50 +115,89 @@ CONFIG_OMAP_RESET_CLOCKS=y CONFIG_OMAP_MUX=y CONFIG_OMAP_MUX_WARNINGS=y CONFIG_OMAP_32K_TIMER=y +CONFIG_OMAP_32K_TIMER_HZ=128 # CONFIG_OMAP3_L2_AUX_SECURE_SAVE_RESTORE is not set + +CONFIG_OMAP_MCBSP=y +CONFIG_OMAP_MBOX_FWK=m +CONFIG_OMAP_MBOX_KFIFO_SIZE=256 +CONFIG_OMAP_DM_TIMER=y +CONFIG_OMAP_PM_NOOP=y +CONFIG_OMAP_IOMMU=y CONFIG_OMAP3_EMU=y # CONFIG_OMAP3_SDRC_AC_TIMING is not set CONFIG_ARM_OMAP2PLUS_CPUFREQ=y + +CONFIG_TI_ST=m +CONFIG_TI_DAC7512=m CONFIG_TI_DAVINCI_EMAC=m CONFIG_TI_DAVINCI_MDIO=m CONFIG_TI_DAVINCI_CPDMA=m CONFIG_TI_CPSW=m CONFIG_TI_CPTS=y + +CONFIG_SERIAL_OMAP=y +CONFIG_SERIAL_OMAP_CONSOLE=y + CONFIG_GPIO_TWL4030=m CONFIG_GPIO_TWL6040=m CONFIG_CHARGER_TWL4030=m CONFIG_OMAP_WATCHDOG=m -CONFIG_TWL4030_WATCHDOG=m +CONFIG_TWL4030_CORE=y CONFIG_TWL4030_MADC=m +CONFIG_TWL4030_POWER=y +CONFIG_TWL4030_CODEC=y +CONFIG_TWL4030_WATCHDOG=m +CONFIG_TWL4030_USB=m +CONFIG_TWL6030_USB=m +CONFIG_TWL6030_PWM=m CONFIG_TWL6040_CORE=y +CONFIG_CLK_TWL6040=m CONFIG_MFD_OMAP_USB_HOST=y CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m CONFIG_USB_EHCI_HCD_OMAP=y CONFIG_USB_OHCI_HCD_OMAP3=y +CONFIG_USB_MUSB_AM35X=m CONFIG_OMAP_CONTROL_USB=m CONFIG_NOP_USB_XCEIV=m -CONFIG_TWL4030_USB=m -CONFIG_TWL6030_USB=m -CONFIG_USB_MUSB_AM35X=m CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y CONFIG_RTC_DRV_MAX8907=m CONFIG_RTC_DRV_TWL92330=y CONFIG_RTC_DRV_TWL4030=y CONFIG_RTC_DRV_OMAP=y +# Note needs to be compiled in until we build MMC modular CONFIG_DMA_OMAP=y CONFIG_OMAP_IOVMM=m CONFIG_HWSPINLOCK_OMAP=m -CONFIG_OMAP_IOMMU=y CONFIG_SENSORS_TWL4030_MADC=m -CONFIG_TWL6040_CORE=m -CONFIG_CLK_TWL6040=m + +CONFIG_WL_TI=y +CONFIG_WLCORE_SDIO=m +CONFIG_WLCORE_SPI=m +CONFIG_WL1251_SPI=m +CONFIG_WL12XX_SPI=m +CONFIG_WL12XX_SDIO_TEST=m +CONFIG_WL18XX=m +CONFIG_WILINK_PLATFORM_DATA=y +CONFIG_MFD_WL1273_CORE=m +CONFIG_NFC_WILINK=m + +CONFIG_MTD_NAND_OMAP2=y +CONFIG_MTD_NAND_OMAP_PREFETCH=y +CONFIG_MTD_NAND_OMAP_PREFETCH_DMA=y +CONFIG_SPI_DAVINCI=m +CONFIG_SPI_OMAP24XX=y +CONFIG_MFD_TI_SSP=m +CONFIG_SPI_TI_SSP=m CONFIG_INPUT_TWL4030_PWRBUTTON=m CONFIG_INPUT_TWL4030_VIBRA=m CONFIG_INPUT_TWL6040_VIBRA=m +CONFIG_KEYBOARD_OMAP4=m CONFIG_KEYBOARD_TWL4030=m +CONFIG_TOUCHSCREEN_TI_TSCADC=m # OMAP thermal temp. Can likely be built as module but doesn't autoload so build in to ensure performance on PandaES CONFIG_OMAP_BANDGAP=y @@ -211,17 +250,59 @@ CONFIG_PANEL_TFP410=m CONFIG_PANEL_SHARP_LS037V7DW01=m CONFIG_PANEL_PICODLP=m CONFIG_PANEL_TAAL=m +CONFIG_PANEL_NEC_NL8048HL11_01B=m +CONFIG_PANEL_TPO_TD043MTEA1=m + +# Enable V4L2 drivers for OMAP2+ +CONFIG_MEDIA_CONTROLLER=y +CONFIG_VIDEO_V4L2_SUBDEV_API=y +CONFIG_V4L_PLATFORM_DRIVERS=y +CONFIG_VIDEO_OMAP2_VOUT=m +CONFIG_VIDEO_OMAP3=m +CONFIG_VIDEO_VPFE_CAPTURE=m +# The ones below are for TI Davinci +# CONFIG_VIDEO_VPSS_SYSTEM is not set +# CONFIG_VIDEO_DM6446_CCDC is not set +# CONFIG_VIDEO_DM644X_VPBE is not set +# CONFIG_VIDEO_DM355_CCDC is not set +# CONFIG_VIDEO_ISIF is not set +# Also enable vivi driver - useful for testing a full kernelspace V4L2 driver +CONFIG_V4L_TEST_DRIVERS=y +CONFIG_VIDEO_VIVI=m -CONFIG_SND_OMAP_SOC=m -CONFIG_SND_OMAP_SOC_AM3517EVM=m CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m CONFIG_SND_OMAP_SOC_OMAP_HDMI=m CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m +CONFIG_SND_OMAP_SOC=m +CONFIG_SND_SOC_I2C_AND_SPI=m +CONFIG_SND_OMAP_SOC_AM3517EVM=m +CONFIG_SND_OMAP_SOC_DMIC=m +CONFIG_SND_OMAP_SOC_IGEP0020=m +CONFIG_SND_OMAP_SOC_MCBSP=m +CONFIG_SND_OMAP_SOC_MCPDM=m +CONFIG_SND_OMAP_SOC_OMAP_HDMI=m +CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m +CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m +CONFIG_SND_OMAP_SOC_OMAP3EVM=m +CONFIG_SND_OMAP_SOC_OMAP3_BEAGLE=m +CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m +CONFIG_SND_OMAP_SOC_OVERO=m +# CONFIG_SND_OMAP_SOC_RX51 is not set +CONFIG_SND_OMAP_SOC_SDP3430=m +CONFIG_SND_OMAP_SOC_SDP4430=m +CONFIG_SND_OMAP_SOC_ZOOM2=m +CONFIG_SND_SOC_TLV320AIC23=m +CONFIG_SND_SOC_TLV320AIC3X=m +CONFIG_SND_SOC_TWL4030=m +CONFIG_SND_SOC_TWL6040=m +CONFIG_RADIO_WL128X=m + # CONFIG_OMAP2_DSS_DEBUGFS is not set # CONFIG_OMAP_IOMMU_DEBUG is not set # CONFIG_OMAP_MUX_DEBUG is not set +# CONFIG_VIDEO_OMAP3_DEBUG is not set # Allwinner a1x CONFIG_PINCTRL_SUNXI=y diff --git a/config-armv7-generic b/config-armv7-generic index 6012c3295..924b0239c 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -19,6 +19,7 @@ CONFIG_SWP_EMULATE=y CONFIG_CPU_BPREDICT_DISABLE=y CONFIG_CACHE_L2X0=y CONFIG_HIGHPTE=y +CONFIG_AUTO_ZRELADDR=y # CONFIG_OABI_COMPAT is not set # CONFIG_ATAGS is not set # CONFIG_ATAGS_PROC is not set @@ -31,7 +32,6 @@ CONFIG_HIGHPTE=y # CONFIG_THUMB2_KERNEL is not set # CONFIG_HVC_DCC is not set # CONFIG_XIP_KERNEL is not set -# CONFIG_AUTO_ZRELADDR is not set # errata # v5/v6 diff --git a/config-generic b/config-generic index acbf3a048..a7bfa4dee 100644 --- a/config-generic +++ b/config-generic @@ -596,6 +596,8 @@ CONFIG_DM_MULTIPATH=m CONFIG_DM_SNAPSHOT=y CONFIG_DM_THIN_PROVISIONING=m CONFIG_DM_CACHE=m +CONFIG_DM_CACHE_MQ=m +CONFIG_DM_CACHE_CLEANER=m # CONFIG_DM_DEBUG_BLOCK_STACK_TRACING is not set # CONFIG_DM_DEBUG_SPACE_MAPS is not set CONFIG_DM_UEVENT=y diff --git a/kernel.spec b/kernel.spec index 997202c9b..20a5853c1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2300,6 +2300,9 @@ fi # and build. %changelog +* Thu Mar 28 2013 Peter Robinson +- Update ARM unified config for OMAP + * Tue Mar 26 2013 Justin M. Forbes - Fix child thread introspection of of /proc/self/exe (rhbz 927469) From fa8fcf50626c7cb59018af380306a8bd27220698 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sat, 30 Mar 2013 08:31:19 +0000 Subject: [PATCH 035/468] minor omap update --- config-armv7 | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/config-armv7 b/config-armv7 index 6c5ebce33..b4cb3eb08 100644 --- a/config-armv7 +++ b/config-armv7 @@ -257,9 +257,9 @@ CONFIG_PANEL_TPO_TD043MTEA1=m CONFIG_MEDIA_CONTROLLER=y CONFIG_VIDEO_V4L2_SUBDEV_API=y CONFIG_V4L_PLATFORM_DRIVERS=y -CONFIG_VIDEO_OMAP2_VOUT=m -CONFIG_VIDEO_OMAP3=m -CONFIG_VIDEO_VPFE_CAPTURE=m +# CONFIG_VIDEO_OMAP2_VOUT is not set +# CONFIG_VIDEO_OMAP3 is not set +# CONFIG_VIDEO_VPFE_CAPTURE is not set # The ones below are for TI Davinci # CONFIG_VIDEO_VPSS_SYSTEM is not set # CONFIG_VIDEO_DM6446_CCDC is not set From 1e37df09d47ff7c03bd0985afa862824286ccc9b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 1 Apr 2013 00:45:08 +0100 Subject: [PATCH 036/468] fix arm merge --- Makefile.config | 15 +- config-arm-generic | 524 ------------------------- config-arm-omap | 323 --------------- config-armv7 | 32 +- config-armv7-generic | 195 ++++++++- config-armv7-lpae | 6 +- config-arm-tegra => config-armv7-tegra | 28 +- kernel.spec | 21 +- 8 files changed, 237 insertions(+), 907 deletions(-) delete mode 100644 config-arm-generic rename config-arm-tegra => config-armv7-tegra (84%) diff --git a/Makefile.config b/Makefile.config index 140172d6c..69b12baa4 100644 --- a/Makefile.config +++ b/Makefile.config @@ -10,7 +10,7 @@ CONFIGFILES = \ $(CFG)-x86_64.config $(CFG)-x86_64-debug.config \ $(CFG)-s390x.config \ $(CFG)-armv7hl.config $(CFG)-armv7hl-lpae.config\ - $(CFG)-armv7hl-omap.config $(CFG)-armv7hl-tegra.config \ + $(CFG)-armv7hl-tegra.config \ $(CFG)-ppc.config $(CFG)-ppc-smp.config \ $(CFG)-ppc64.config $(CFG)-ppc64p7.config $(CFG)-ppc64-debug.config @@ -41,13 +41,7 @@ temp-armv7: config-armv7 temp-armv7-generic temp-armv7-lpae: config-armv7-lpae temp-armv7-generic perl merge.pl $^ > $@ -temp-arm-generic: config-arm-generic temp-generic - perl merge.pl $^ > $@ - -temp-armv7l-omap: config-arm-omap temp-arm-generic - perl merge.pl $^ > $@ - -temp-armv7l-tegra: config-arm-tegra temp-arm-generic +temp-armv7-tegra: config-armv7-tegra temp-armv7-generic perl merge.pl $^ > $@ temp-x86-32: config-x86-32-generic config-x86-generic @@ -119,10 +113,7 @@ kernel-$(VERSION)-armv7hl.config: /dev/null temp-armv7 kernel-$(VERSION)-armv7hl-lpae.config: /dev/null temp-armv7-lpae perl merge.pl $^ arm > $@ -kernel-$(VERSION)-armv7hl-omap.config: /dev/null temp-armv7l-omap - perl merge.pl $^ arm > $@ - -kernel-$(VERSION)-armv7hl-tegra.config: /dev/null temp-armv7l-tegra +kernel-$(VERSION)-armv7hl-tegra.config: /dev/null temp-armv7-tegra perl merge.pl $^ arm > $@ kernel-$(VERSION)-ppc.config: /dev/null temp-powerpc32-generic diff --git a/config-arm-generic b/config-arm-generic deleted file mode 100644 index 6c070483a..000000000 --- a/config-arm-generic +++ /dev/null @@ -1,524 +0,0 @@ -# Generic ARM config. This is common config options that should be -# enabled on all ARM kernels and hence should be added here -# -# FIXME - we need to add debug/nodebug generic build options -# CONFIG_DEBUG_PER_CPU_MAPS is not set - -# Generic ARM processor options -CONFIG_ARM=y - -CONFIG_ARM_THUMB=y -CONFIG_AEABI=y -CONFIG_VFP=y -CONFIG_ARM_UNWIND=y -# CONFIG_ARCH_MULTI_V7 is not set -# CONFIG_OABI_COMPAT is not set - -CONFIG_SMP=y -CONFIG_NR_CPUS=4 -CONFIG_SMP_ON_UP=y - -CONFIG_HAVE_ARM_ARCH_TIMER=y - -CONFIG_CMDLINE="" - -# CONFIG_ARM_LPAE is not set -# CONFIG_FPE_NWFPE is not set -CONFIG_FPE_FASTFPE=y -CONFIG_HIGHPTE=y -CONFIG_HW_PERF_EVENTS=y -CONFIG_UACCESS_WITH_MEMCPY=y -# CONFIG_GENERIC_CPUFREQ_CPU0 is not set - -# Generic ARM Errata -CONFIG_ARM_ERRATA_720789=y -CONFIG_ARM_ERRATA_751472=y -CONFIG_ARM_ERRATA_742230=y -CONFIG_ARM_ERRATA_742231=y -CONFIG_ARM_ERRATA_754327=y -CONFIG_ARM_ERRATA_764369=y -CONFIG_ARM_ERRATA_775420=y -CONFIG_PL310_ERRATA_753970=y - -# Generic ARM config options -CONFIG_ZBOOT_ROM_TEXT=0 -CONFIG_ZBOOT_ROM_BSS=0 -CONFIG_LOCAL_TIMERS=y - -CONFIG_ATAGS=y -CONFIG_ATAGS_PROC=y - -CONFIG_PL330_DMA=m -CONFIG_AMBA_PL08X=y -# CONFIG_XIP_KERNEL is not set -# CONFIG_PID_IN_CONTEXTIDR is not set - -# Generic options we want for ARM that aren't defualt -CONFIG_EARLY_PRINTK=y - -CONFIG_HIGHMEM=y -CONFIG_CC_OPTIMIZE_FOR_SIZE=y - -CONFIG_SCHED_MC=y -CONFIG_SCHED_SMT=y - -CONFIG_RCU_FANOUT=32 - -CONFIG_CPU_IDLE=y -# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set -# CONFIG_CPU_IDLE_GOV_LADDER is not set -CONFIG_CPU_IDLE_GOV_MENU=y - -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y - -CONFIG_PM=y -CONFIG_PM_STD_PARTITION="" -CONFIG_SUSPEND=y -CONFIG_ARM_CPU_SUSPEND=y -CONFIG_ARM_CPU_TOPOLOGY=y - -CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 -CONFIG_LSM_MMAP_MIN_ADDR=32768 - -# CONFIG_XEN is not set - -CONFIG_PINCTRL=y -CONFIG_PINCONF=y - -CONFIG_COMMON_CLK=y - -CONFIG_THERMAL=y - -CONFIG_ETHERNET=y - -CONFIG_PERF_EVENTS=y -CONFIG_PERF_COUNTERS=y - -CONFIG_CC_STACKPROTECTOR=y - -CONFIG_SECCOMP=y -CONFIG_STRICT_DEVMEM=y - -CONFIG_SPARSE_IRQ=y - -# Generic HW for all ARM platforms -CONFIG_LEDS_GPIO=m - -CONFIG_LBDAF=y - -CONFIG_GPIOLIB=y -CONFIG_RFKILL_GPIO=m -CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y -CONFIG_GPIO_GENERIC_PLATFORM=m -CONFIG_PINCTRL_SINGLE=m -CONFIG_POWER_RESET_GPIO=y -CONFIG_POWER_RESET_RESTART=y - -CONFIG_USB_ULPI=y - -CONFIG_SND_ARM=y -CONFIG_SND_ARMAACI=m -CONFIG_SND_SOC=m -CONFIG_SND_DESIGNWARE_I2S=m -CONFIG_SND_SIMPLE_CARD=m -# CONFIG_SND_SOC_CACHE_LZO is not set -CONFIG_SND_SOC_ALL_CODECS=m -CONFIG_SND_SPI=y - -CONFIG_AX88796=m -CONFIG_AX88796_93CX6=y -CONFIG_SMC91X=m -CONFIG_DM9000=m -CONFIG_DM9000_DEBUGLEVEL=4 -# CONFIG_DM9000_FORCE_SIMPLE_PHY_POLL is not set -CONFIG_SMC911X=m -CONFIG_SMSC911X=m - -CONFIG_SERIO_AMBAKMI=m -CONFIG_I2C_NOMADIK=m -CONFIG_ARM_SP805_WATCHDOG=m -CONFIG_FB_ARMCLCD=m -CONFIG_FB_SSD1307=m -CONFIG_MPCORE_WATCHDOG=m -CONFIG_BACKLIGHT_PWM=m - -CONFIG_MMC_ARMMMCI=m -CONFIG_MMC_SDHCI_PLTFM=m -CONFIG_MMC_SDHCI_OF=m -CONFIG_MMC_SPI=m -CONFIG_MMC_DW=m -CONFIG_MMC_DW_PLTFM=m -CONFIG_MMC_DW_PCI=m -# CONFIG_MMC_DW_EXYNOS is not set -# CONFIG_MMC_DW_IDMAC is not set -CONFIG_MMC_SDHCI_PXAV3=m -CONFIG_MMC_SDHCI_PXAV2=m - -# CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set - -CONFIG_SPI=y -# Generic GPIO options -CONFIG_GENERIC_GPIO=y - -CONFIG_MTD=m -CONFIG_MTD_TESTS=m -CONFIG_MTD_CMDLINE_PARTS=y -CONFIG_MTD_OF_PARTS=y -CONFIG_MTD_PHYSMAP_OF=y -# CONFIG_MTD_AFS_PARTS is not set -CONFIG_MTD_CHAR=m -CONFIG_MTD_BLKDEVS=m -CONFIG_MTD_BLOCK=m -# CONFIG_MTD_TESTS is not set -# CONFIG_MTD_BLOCK_RO is not set -# CONFIG_MTD_AR7_PARTS is not set -CONFIG_MTD_CFI=m -CONFIG_MTD_CFI_AMDSTD=m -CONFIG_MTD_CFI_ADV_OPTIONS=y -CONFIG_MTD_CFI_NOSWAP=y -CONFIG_MTD_CFI_GEOMETRY=y -CONFIG_MTD_CFI_I1=y -CONFIG_MTD_CFI_I2=y -CONFIG_MTD_CFI_INTELEXT=y -CONFIG_MTD_CFI_STAA=y -CONFIG_MTD_CFI_UTIL=y -CONFIG_MTD_DOC2000=m -CONFIG_MTD_DOC2001=m -CONFIG_MTD_DOC2001PLUS=m -# CONFIG_MTD_DOCPROBE_ADVANCED is not set -CONFIG_MTD_ALAUDA=m -# CONFIG_MTD_ONENAND is not set -CONFIG_MTD_JEDECPROBE=m -CONFIG_MTD_GEN_PROBE=y -CONFIG_MTD_IMPA7=m -CONFIG_MTD_MAP_BANK_WIDTH_1=y -CONFIG_MTD_MAP_BANK_WIDTH_2=y -# CONFIG_MTD_MAP_BANK_WIDTH_4 is not set -# CONFIG_MTD_MAP_BANK_WIDTH_8 is not set -# CONFIG_MTD_MAP_BANK_WIDTH_16 is not set -# CONFIG_MTD_MAP_BANK_WIDTH_32 is not set -# CONFIG_MTD_CFI_I4 is not set -# CONFIG_MTD_CFI_I8 is not set -CONFIG_MTD_PHYSMAP=m -# CONFIG_MTD_PHYSMAP_COMPAT is not set -CONFIG_MTD_M25P80=m -CONFIG_M25PXX_USE_FAST_READ=y -CONFIG_MTD_NAND=m -CONFIG_MTD_NAND_ECC=m -CONFIG_MTD_NAND_IDS=m -# CONFIG_MTD_NAND_CAFE is not set -# CONFIG_MTD_NAND_ECC_SMC is not set -# CONFIG_MTD_NAND_DENALI is not set -# CONFIG_MTD_NAND_DOCG4 is not set -CONFIG_MTD_NAND_GPIO=m -# CONFIG_MTD_INTEL_VR_NOR is not set -# CONFIG_MTD_NAND_NANDSIM is not set -CONFIG_MTD_NAND_ORION=m -# CONFIG_MTD_NAND_RICOH is not set -# CONFIG_MTD_NAND_PLATFORM is not set -# CONFIG_MTD_OTP is not set -# CONFIG_MTD_PMC551 is not set -# CONFIG_MTD_PLATRAM is not set -# CONFIG_MTD_PHRAM is not set -# CONFIG_MTD_SLRAM is not set -CONFIG_MTD_DATAFLASH=m -CONFIG_MTD_DATAFLASH_WRITE_VERIFY=y -CONFIG_MTD_DATAFLASH_OTP=y -CONFIG_MTD_SST25L=m -CONFIG_MTD_UBI=m -CONFIG_MTD_UBI_WL_THRESHOLD=4096 -CONFIG_MTD_UBI_BEB_RESERVE=1 -# CONFIG_MTD_UBI_GLUEBI is not set -# CONFIG_MTD_UBI_DEBUG is not set -CONFIG_MG_DISK=m -CONFIG_MG_DISK_RES=0 - -# CONFIG_SM_FTL is not set - -CONFIG_JFFS2_FS=m -CONFIG_JFFS2_FS_DEBUG=0 -CONFIG_JFFS2_FS_WRITEBUFFER=y -# CONFIG_JFFS2_FS_WBUF_VERIFY is not set -# CONFIG_JFFS2_SUMMARY is not set -# CONFIG_JFFS2_FS_XATTR is not set -# CONFIG_JFFS2_COMPRESSION_OPTIONS is not set -CONFIG_JFFS2_ZLIB=y -# CONFIG_JFFS2_LZO is not set -CONFIG_JFFS2_RTIME=y -# CONFIG_JFFS2_RUBIN is not set - -CONFIG_UBIFS_FS=m -CONFIG_UBIFS_FS_XATTR=y -CONFIG_UBIFS_FS_ADVANCED_COMPR=y -CONFIG_UBIFS_FS_LZO=y -CONFIG_UBIFS_FS_ZLIB=y -# CONFIG_UBIFS_FS_DEBUG is not set - -# HW crypto and rng -CONFIG_CRYPTO_SHA1_ARM=m -CONFIG_CRYPTO_AES_ARM=m -CONFIG_HW_RANDOM_ATMEL=m -CONFIG_HW_RANDOM_EXYNOS=m - -# Device tree -CONFIG_DTC=y -CONFIG_OF=y -CONFIG_USE_OF=y -CONFIG_OF_DEVICE=y -CONFIG_OF_IRQ=y -CONFIG_OF_GPIO=y -CONFIG_ARM_ATAG_DTB_COMPAT=y -CONFIG_ARM_APPENDED_DTB=y -CONFIG_PROC_DEVICETREE=y -# CONFIG_OF_SELFTEST is not set - -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_OF_GPIO=y -CONFIG_OF_PCI=y -CONFIG_OF_PCI_IRQ=y -CONFIG_I2C_MUX_PINCTRL=m -CONFIG_OF_MDIO=m -CONFIG_MDIO_BUS_MUX_GPIO=m -CONFIG_MDIO_BUS_MUX_MMIOREG=m - -CONFIG_BPF_JIT=y - -CONFIG_RCU_FANOUT_LEAF=16 -CONFIG_EDAC=y -CONFIG_EDAC_MM_EDAC=m -CONFIG_EDAC_LEGACY_SYSFS=y - -CONFIG_RTC_DRV_88PM80X=m -CONFIG_RTC_DRV_DS1305=m -CONFIG_RTC_DRV_DS1390=m -CONFIG_RTC_DRV_DS3234=m -CONFIG_RTC_DRV_M41T93=m -CONFIG_RTC_DRV_M41T94=m -CONFIG_RTC_DRV_MAX6902=m -CONFIG_RTC_DRV_MC13XXX=m -CONFIG_RTC_DRV_PCF2123=m -CONFIG_RTC_DRV_PL030=m -CONFIG_RTC_DRV_PL031=m -CONFIG_RTC_DRV_R9701=m -CONFIG_RTC_DRV_RS5C348=m -CONFIG_RTC_DRV_RX4581=m -CONFIG_RTC_DRV_SNVS=m - -CONFIG_RFKILL_REGULATOR=m -CONFIG_INPUT_88PM80X_ONKEY=y -CONFIG_INPUT_GP2A=m -CONFIG_INPUT_GPIO_TILT_POLLED=m -CONFIG_INPUT_PWM_BEEPER=m -CONFIG_INPUT_ARIZONA_HAPTICS=m -CONFIG_INPUT_MC13783_PWRBUTTON=m - -CONFIG_SERIAL_AMBA_PL010=m -CONFIG_SERIAL_AMBA_PL011=m -CONFIG_SERIAL_MAX3100=m -CONFIG_SERIAL_MAX310X=y -CONFIG_SERIAL_IFX6X60=m - -CONFIG_GPIO_74X164=m -CONFIG_GPIO_ADNP=m -CONFIG_GPIO_ARIZONA=m -CONFIG_GPIO_MAX7301=m -CONFIG_GPIO_MC33880=m -CONFIG_GPIO_MCP23S08=m -CONFIG_GPIO_PL061=y - -CONFIG_SPI_ALTERA=m -CONFIG_SPI_BITBANG=m -CONFIG_SPI_BUTTERFLY=m -CONFIG_SPI_DW_MMIO=m -CONFIG_SPI_GPIO=m -CONFIG_SPI_LM70_LLP=m -CONFIG_SPI_OC_TINY=m -CONFIG_SPI_PL022=m -CONFIG_SPI_SC18IS602=m -CONFIG_SPI_XCOMM=m -CONFIG_SPI_XILINX=m -CONFIG_SPI_DESIGNWARE=m -CONFIG_SPI_SPIDEV=m -CONFIG_SPI_TLE62X0=m -CONFIG_BMP085_SPI=m -CONFIG_BMP085_SPI=m -CONFIG_EEPROM_AT25=m -CONFIG_EEPROM_93XX46=m -CONFIG_KS8851=m -CONFIG_MICREL_KS8995MA=m -CONFIG_LIBERTAS_SPI=m -CONFIG_P54_SPI=m -CONFIG_P54_SPI_DEFAULT_EEPROM=y - -CONFIG_MFD_CORE=m -CONFIG_MFD_88PM800=m -CONFIG_MFD_88PM805=m -CONFIG_MFD_ARIZONA_SPI=m -CONFIG_MFD_MC13XXX_SPI=m -CONFIG_MFD_SYSCON=y -# CONFIG_MFD_WM5102 is not set -# CONFIG_MFD_WM5110 is not set -# CONFIG_MFD_TPS65912_SPI is not set -# CONFIG_MFD_DA9052_SPI is not set -# CONFIG_MFD_WM831X_SPI is not set -# CONFIG_MFD_TPS80031 is not set -# CONFIG_MFD_AS3711 is not set -# CONFIG_MFD_SMSC is not set -# CONFIG_MFD_DA9055 is not set -# CONFIG_MFD_MAX8907 is not set - -CONFIG_REGULATOR_VIRTUAL_CONSUMER=m -CONFIG_REGULATOR_USERSPACE_CONSUMER=m -# CONFIG_REGULATOR_DUMMY is not set -CONFIG_REGULATOR_GPIO=m -CONFIG_REGULATOR_AD5398=m -CONFIG_REGULATOR_ANATOP=m -CONFIG_REGULATOR_ARIZONA=m -CONFIG_REGULATOR_FAN53555=m -CONFIG_REGULATOR_ISL6271A=m -CONFIG_REGULATOR_LP3972=m -CONFIG_REGULATOR_LP8755=m -CONFIG_REGULATOR_MAX1586=m -CONFIG_REGULATOR_MAX8649=m -CONFIG_REGULATOR_MAX8660=m -CONFIG_REGULATOR_MAX8952=m -CONFIG_REGULATOR_MAX8973=m -CONFIG_REGULATOR_MC13783=m -CONFIG_REGULATOR_MC13892=m -CONFIG_REGULATOR_LP3971=m -CONFIG_REGULATOR_TPS51632=m -CONFIG_REGULATOR_TPS62360=m -CONFIG_REGULATOR_TPS65023=m -CONFIG_REGULATOR_TPS6524X=m -CONFIG_REGULATOR_TPS6507X=m -CONFIG_CHARGER_MANAGER=y -CONFIG_EXTCON_GPIO=m - -CONFIG_SENSORS_AD7314=m -CONFIG_SENSORS_ADCXX=m -CONFIG_SENSORS_LM70=m -CONFIG_SENSORS_MAX1111=m -CONFIG_SENSORS_MC13783_ADC=m -CONFIG_SENSORS_ADS7871=m -CONFIG_SENSORS_LIS3_SPI=m - -CONFIG_IEEE802154_AT86RF230=m -CONFIG_IEEE802154_MRF24J40=m - -# CONFIG_ARM_VIRT_EXT is not set -# CONFIG_PINCTRL_EXYNOS4 is not set -# CONFIG_PINCTRL_EXYNOS5440 is not set - -CONFIG_AUTO_ZRELADDR=y -# CONFIG_ASYMMETRIC_KEY_TYPE is not set - -# CONFIG_VFIO is not set - -# CONFIG_CPU_ICACHE_DISABLE is not set -# CONFIG_CPU_DCACHE_DISABLE is not set -# CONFIG_APM_EMULATION is not set -# CONFIG_DEPRECATED_PARAM_STRUCT is not set - -# CONFIG_SERIAL_8250_EM is not set -# CONFIG_GPIO_EM is not set -# CONFIG_HVC_DCC is not set -# CONFIG_LEDS_RENESAS_TPU is not set -# CONFIG_LEDS_PWM is not set -CONFIG_LEDS_DAC124S085=m -CONFIG_LEDS_MC13783=m - -# CONFIG_VIRTIO_CONSOLE is not set - -# Possibly part of Snowball -# CONFIG_MFD_T7L66XB is not set -# CONFIG_MFD_TC6387XB is not set - -# CONFIG_IRQ_DOMAIN_DEBUG is not set -# CONFIG_COMMON_CLK_DEBUG is not set -# CONFIG_DEBUG_USER is not set -# CONFIG_DEBUG_LL is not set -# CONFIG_ARM_KPROBES_TEST is not set -# CONFIG_SGI_IOC4 is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set - -# CONFIG_DEBUG_PINCTRL is not set - -# HW Disabled because it causes issues on ARM platforms - -# disable TPM on arm at least on the trimslices it causes havoc -# CONFIG_TCG_TPM is not set - -# CONFIG_IMA is not set - -# ERROR: "__bswapsi2" [drivers/staging/crystalhd/crystalhd.ko] undefined! -# CONFIG_CRYSTALHD is not set - -# these modules all fail with missing __bad_udelay -# http://www.spinics.net/lists/arm/msg15615.html provides some background -# CONFIG_SUNGEM is not set -# CONFIG_FB_SAVAGE is not set -# CONFIG_FB_RADEON is not set -# CONFIG_ATM_HE is not set -# CONFIG_SCSI_ACARD is not set -# CONFIG_SFC is not set - -# these all currently fail due to missing symbols __bad_udelay or -# error: implicit declaration of function ‘iowrite32be’ -# CONFIG_SND_ALI5451 is not set -# CONFIG_MLX4_EN is not set - -CONFIG_TOUCHSCREEN_ADS7846=m -CONFIG_TOUCHSCREEN_AD7877=m -CONFIG_TOUCHSCREEN_TSC2005=m -CONFIG_TOUCHSCREEN_MC13783=m - -# drivers/input/touchscreen/eeti_ts.c:65:2: error: implicit declaration of function 'irq_to_gpio' [-Werror=implicit-function-declaration] -# CONFIG_TOUCHSCREEN_EETI is not set -# CONFIG_TOUCHSCREEN_EGALAX is not set -# CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set - -# CONFIG_PANEL_LGPHILIPS_LB035Q02 is not set -# CONFIG_PANEL_ACX565AKM is not set -# CONFIG_PANEL_N8X0 is not set - -# CONFIG_LCD_L4F00242T03 is not set -# CONFIG_LCD_LMS283GF05 is not set -# CONFIG_LCD_LTV350QV is not set -# CONFIG_LCD_ILI9320 is not set -# CONFIG_LCD_TDO24M is not set -# CONFIG_LCD_VGG2432A4 is not set -# CONFIG_LCD_S6E63M0 is not set -# CONFIG_LCD_LD9040 is not set -# CONFIG_LCD_AMS369FG06 is not set -# CONFIG_LCD_LMS501KF03 is not set -# CONFIG_LCD_HX8357 is not set - -# CONFIG_FB_MX3 is not set -# CONFIG_MX3_IPU is not set -# CONFIG_MX3_IPU_IRQS is not set -# CONFIG_SND_ATMEL_SOC is not set - -# CONFIG_NET_VENDOR_CIRRUS is not set -# CONFIG_NET_VENDOR_MICROCHIP is not set -# CONFIG_CS89x0 is not set -# CONFIG_DVB_USB_PCTV452E is not set -# CONFIG_PINCTRL_EXYNOS is not set -# CONFIG_VIRTUALIZATION is not set - -CONFIG_XZ_DEC_ARM=y - -# CONFIG_EZX_PCAP is not set - -# CONFIG_EXTCON_ARIZONA is not set - -# CONFIG_VIRTUALIZATION is not set -# CONFIG_VIRTIO_PCI is not set -# VIRTIO_MMIO is not set -# REMOTEPROC is not set -# RPMSG is not set - -# CONFIG_LATTICE_ECP3_CONFIG is not set -# CONFIG_DRM_TILCDC is not set -CONFIG_OF_DISPLAY_TIMING=y -CONFIG_OF_VIDEOMODE=y diff --git a/config-arm-omap b/config-arm-omap index 4d64f90cd..877f7c16b 100644 --- a/config-arm-omap +++ b/config-arm-omap @@ -1,70 +1,6 @@ -CONFIG_ARCH_OMAP=y -CONFIG_ARCH_OMAP_OTG=y -# CONFIG_ARCH_OMAP1 is not set -# CONFIG_ARCH_MULTI_V4 is not set -# CONFIG_ARCH_MULTI_V4T is not set -# CONFIG_ARCH_MULTI_V6 is not set -CONFIG_ARCH_MULTI_V6_V7=y -CONFIG_ARCH_MULTI_V7=y -CONFIG_ARCH_OMAP2PLUS=y -# CONFIG_ARCH_MVEBU is not set -# CONFIG_ARCH_BCM is not set -# CONFIG_ARCH_HIGHBANK is not set -# CONFIG_ARCH_SOCFPGA is not set -# CONFIG_ARCH_SUNXI is not set -# CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA is not set -# CONFIG_ARCH_VEXPRESS_CA9X4 is not set -# CONFIG_ARCH_VIRT is not set -# CONFIG_ARCH_WM8850 is not set -# CONFIG_ARCH_ZYNQ is not set -# CONFIG_ARCH_MXC is not set -# CONFIG_ARCH_WM8505 is not set -# CONFIG_ARM_CHARLCD is not set -# CONFIG_PATA_PLATFORM is not set -# CONFIG_I2C_VERSATILE is not set -# CONFIG_SENSORS_VEXPRESS is not set -# CONFIG_REGULATOR_VEXPRESS is not set -# CONFIG_RTC_DRV_LP8788 is not set - -# -# OMAP Feature Selections -# -CONFIG_OMAP_RESET_CLOCKS=y -CONFIG_OMAP_MUX=y -# CONFIG_OMAP_MUX_DEBUG is not set -CONFIG_OMAP_MUX_WARNINGS=y -CONFIG_OMAP_MCBSP=y -CONFIG_OMAP_MBOX_FWK=m -CONFIG_OMAP_MBOX_KFIFO_SIZE=256 -CONFIG_OMAP_32K_TIMER=y -# CONFIG_OMAP3_L2_AUX_SECURE_SAVE_RESTORE is not set -CONFIG_OMAP_32K_TIMER_HZ=128 -CONFIG_OMAP_DM_TIMER=y -# CONFIG_OMAP_PM_NONE is not set -CONFIG_OMAP_PM_NOOP=y -CONFIG_OMAP_IOMMU=y -# CONFIG_OMAP_IOMMU_DEBUG is not set -CONFIG_OMAP3_EMU=y -CONFIG_HWSPINLOCK_OMAP=m -CONFIG_DMA_OMAP=y -# CONFIG_DMADEVICES_VDEBUG is not set - -# -# TI OMAP2/3/4 Specific Features -# -CONFIG_ARCH_OMAP2PLUS_TYPICAL=y -# CONFIG_ARCH_OMAP2 is not set -CONFIG_ARCH_OMAP3=y -CONFIG_ARCH_OMAP4=y -CONFIG_SOC_OMAP3430=y -CONFIG_SOC_TI81XX=y -CONFIG_SOC_AM33XX=y -CONFIG_SOC_OMAPTI816X=y -# CONFIG_SOC_OMAP5 is not set CONFIG_OMAP_PACKAGE_CBB=y CONFIG_OMAP_PACKAGE_CBL=y CONFIG_OMAP_PACKAGE_CBS=y -# CONFIG_OMAP4_ERRATA_I688 is not set # # OMAP Board Type @@ -104,299 +40,40 @@ CONFIG_MACH_TOUCHBOOK=y # System MMU -CONFIG_CPU_32v6K=y -CONFIG_CPU_V7=y -CONFIG_CPU_32v7=y -CONFIG_CPU_ABRT_EV7=y -CONFIG_CPU_PABRT_V7=y -CONFIG_CPU_CACHE_V7=y -CONFIG_CPU_CACHE_VIPT=y -CONFIG_CPU_COPY_V6=y -CONFIG_CPU_TLB_V7=y -CONFIG_CPU_HAS_ASID=y -CONFIG_ARM_THUMBEE=y CONFIG_SWP_EMULATE=y # CONFIG_CPU_BPREDICT_DISABLE is not set -CONFIG_OUTER_CACHE=y -CONFIG_OUTER_CACHE_SYNC=y -CONFIG_CACHE_L2X0=y -CONFIG_CACHE_PL310=y -CONFIG_ARM_DMA_MEM_BUFFERABLE=y -CONFIG_ARM_ERRATA_430973=y -# CONFIG_ARM_ERRATA_458693 is not set -# CONFIG_ARM_ERRATA_460075 is not set -# CONFIG_ARM_ERRATA_742230 is not set -# CONFIG_ARM_ERRATA_742231 is not set -CONFIG_PL310_ERRATA_588369=y -CONFIG_PL310_ERRATA_769419=y -CONFIG_ARM_ERRATA_720789=y -# CONFIG_ARM_ERRATA_743622 is not set -# CONFIG_ARM_ERRATA_751472 is not set -# CONFIG_ARM_ERRATA_753970 is not set -# CONFIG_ARM_ERRATA_754322 is not set -# CONFIG_ARM_ERRATA_754327 is not set -# CONFIG_ARM_ERRATA_764369 is not set -CONFIG_ARM_GIC=y -CONFIG_HAVE_ARM_SCU=y -CONFIG_HAVE_ARM_TWD=y -CONFIG_HOTPLUG_CPU=y -CONFIG_HZ=128 # CONFIG_THUMB2_KERNEL is not set -CONFIG_ARCH_HAS_HOLES_MEMORYMODEL=y -CONFIG_SPLIT_PTLOCK_CPUS=4 -# CONFIG_KSM is not set CONFIG_ZBOOT_ROM_TEXT=0x0 CONFIG_ZBOOT_ROM_BSS=0x0 -CONFIG_CMDLINE="" -# CONFIG_AUTO_ZRELADDR is not set -CONFIG_VFPv3=y -CONFIG_NEON=y CONFIG_BINFMT_MISC=m -CONFIG_PM_DEBUG=y -# CONFIG_PM_ADVANCED_DEBUG is not set -# CONFIG_PM_VERBOSE is not set CONFIG_CAN_PM_TRACE=y CONFIG_PM_SLEEP_SMP=y CONFIG_ARCH_HAS_OPP=y CONFIG_PM_OPP=y -# OMAP thermal temp. Can likely be built as module but doesn't autoload so build in to ensure performance on PandaES -CONFIG_OMAP_BANDGAP=y -CONFIG_OMAP4_THERMAL=y -CONFIG_OMAP5_THERMAL=y - -# OMAP3 thermal/power -CONFIG_POWER_AVS=y -CONFIG_POWER_AVS_OMAP=y -CONFIG_POWER_AVS_OMAP_CLASS3=y - -CONFIG_ARM_OMAP2PLUS_CPUFREQ=y - # # OMAP Hardware # -CONFIG_WL_TI=y -CONFIG_WLCORE_SDIO=m -CONFIG_WLCORE_SPI=m -CONFIG_TI_ST=m -CONFIG_TI_DAC7512=m -# CONFIG_TI_CPSW is not set -CONFIG_MTD_NAND_OMAP2=y -CONFIG_MTD_NAND_OMAP_PREFETCH=y -CONFIG_MTD_NAND_OMAP_PREFETCH_DMA=y -CONFIG_WL1251_SPI=m -CONFIG_WL12XX_SPI=m -CONFIG_WL12XX_SDIO_TEST=m -CONFIG_WL18XX=m -CONFIG_SPI_DAVINCI=m -CONFIG_SPI_OMAP24XX=y -CONFIG_MFD_TI_SSP=m -CONFIG_SPI_TI_SSP=m -CONFIG_NFC_WILINK=m -CONFIG_INPUT_TWL4030_PWRBUTTON=m -CONFIG_INPUT_TWL4030_VIBRA=m -CONFIG_INPUT_TWL6040_VIBRA=m -CONFIG_KEYBOARD_OMAP4=m -CONFIG_KEYBOARD_TWL4030=m -CONFIG_TOUCHSCREEN_TI_TSCADC=m -CONFIG_SERIAL_OMAP=y -CONFIG_SERIAL_OMAP_CONSOLE=y -CONFIG_OMAP_WATCHDOG=y -CONFIG_CLK_TWL6040=m -CONFIG_TWL4030_CORE=y -CONFIG_TWL4030_MADC=m -CONFIG_TWL4030_POWER=y -CONFIG_TWL4030_CODEC=y -CONFIG_TWL4030_WATCHDOG=m -CONFIG_GPIO_TWL4030=m -CONFIG_GPIO_TWL6040=m -CONFIG_CHARGER_TWL4030=m -CONFIG_TWL6030_PWM=m -CONFIG_TWL6040_CORE=y -CONFIG_SENSORS_TWL4030_MADC=m -CONFIG_SENSORS_LIS3_I2C=m -CONFIG_TI_DAVINCI_EMAC=m -CONFIG_TI_DAVINCI_MDIO=m -CONFIG_TI_DAVINCI_CPDMA=m CONFIG_LEDS_PWM=m CONFIG_LEDS_LP8788=m CONFIG_MTD_ONENAND_OMAP2=y -CONFIG_HDQ_MASTER_OMAP=m -CONFIG_I2C_OMAP=m -CONFIG_MFD_OMAP_USB_HOST=y -CONFIG_MFD_WL1273_CORE=m CONFIG_MFD_LP8788=y CONFIG_MFD_TPS65910=y CONFIG_GPIO_TPS65910=y -CONFIG_REGULATOR_TWL4030=y CONFIG_REGULATOR_LP8788=y CONFIG_REGULATOR_TPS65217=y CONFIG_REGULATOR_TPS65910=y -# Enable V4L2 drivers for OMAP2+ -CONFIG_MEDIA_CONTROLLER=y -CONFIG_VIDEO_V4L2_SUBDEV_API=y -CONFIG_V4L_PLATFORM_DRIVERS=y -CONFIG_VIDEO_OMAP2_VOUT=m -CONFIG_VIDEO_OMAP3=m -CONFIG_VIDEO_VPFE_CAPTURE=m -# The ones below are for TI Davinci -# CONFIG_VIDEO_VPSS_SYSTEM is not set -# CONFIG_VIDEO_DM6446_CCDC is not set -# CONFIG_VIDEO_DM644X_VPBE is not set -# CONFIG_VIDEO_DM355_CCDC is not set -# CONFIG_VIDEO_ISIF is not set -# Also enable vivi driver - useful for testing a full kernelspace V4L2 driver -CONFIG_V4L_TEST_DRIVERS=y -CONFIG_VIDEO_VIVI=m - -CONFIG_DRM=m -CONFIG_DRM_OMAP=m -CONFIG_DRM_OMAP_NUM_CRTCS=2 -# CONFIG_DRM_EXYNOS is not set -# CONFIG_DRM_IMX is not set -# CONFIG_FB_OMAP_BOOTLOADER_INIT is not set -# CONFIG_FB_OMAP_LCD_VGA is not set -CONFIG_OMAP2_VRAM=y -CONFIG_OMAP2_VRAM_SIZE=0 -CONFIG_OMAP2_VRFB=y -# CONFIG_FB_OMAP2 is not set - -CONFIG_OMAP2_DSS=m -CONFIG_OMAP2_DSS_DEBUG_SUPPORT=y -# CONFIG_OMAP2_DSS_COLLECT_IRQ_STATS is not set -CONFIG_OMAP2_DSS_DPI=y -CONFIG_OMAP2_DSS_RFBI=y -CONFIG_OMAP2_DSS_VENC=y -CONFIG_OMAP4_DSS_HDMI=y -CONFIG_OMAP2_DSS_SDI=y -CONFIG_OMAP2_DSS_DSI=y -# CONFIG_OMAP2_DSS_FAKE_VSYNC is not set -CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=0 -CONFIG_OMAP2_DSS_SLEEP_BEFORE_RESET=y -CONFIG_OMAP2_DSS_SLEEP_AFTER_VENC_RESET=y - -CONFIG_FB_DA8XX=m -CONFIG_FB_DA8XX_CONSISTENT_DMA_SIZE=5 CONFIG_LCD_CLASS_DEVICE=m -CONFIG_PANEL_GENERIC_DPI=m -CONFIG_PANEL_TFP410=m -CONFIG_PANEL_TAAL=m -CONFIG_PANEL_PICODLP=m -CONFIG_PANEL_SHARP_LS037V7DW01=m -CONFIG_PANEL_NEC_NL8048HL11_01B=m -CONFIG_PANEL_TPO_TD043MTEA1=m CONFIG_BACKLIGHT_LCD_SUPPORT=y CONFIG_BACKLIGHT_CLASS_DEVICE=m CONFIG_BACKLIGHT_LP8788=m CONFIG_BACKLIGHT_PWM=m CONFIG_BACKLIGHT_PANDORA=m - -CONFIG_SND_OMAP_SOC=y -CONFIG_SND_OMAP_SOC_DMIC=m -CONFIG_SND_OMAP_SOC_MCBSP=m -CONFIG_SND_OMAP_SOC_MCPDM=m -CONFIG_SND_OMAP_SOC_OVERO=m -CONFIG_SND_OMAP_SOC_OMAP3EVM=m -CONFIG_SND_OMAP_SOC_AM3517EVM=m -CONFIG_SND_OMAP_SOC_SDP3430=m -CONFIG_SND_OMAP_SOC_SDP4430=m -CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m -CONFIG_SND_OMAP_SOC_OMAP3_BEAGLE=m -CONFIG_SND_OMAP_SOC_ZOOM2=m -CONFIG_SND_OMAP_SOC_IGEP0020=m -CONFIG_SND_OMAP_SOC_OMAP_HDMI=m -CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m -CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m -CONFIG_SND_SOC_I2C_AND_SPI=y -# CONFIG_SND_OMAP_SOC_RX51 is not set -# CONFIG_SND_SOC_ALL_CODECS is not set -CONFIG_SND_SOC_TLV320AIC23=m -CONFIG_SND_SOC_TLV320AIC3X=m -CONFIG_SND_SOC_TWL4030=m -CONFIG_SND_SOC_TWL6040=m -CONFIG_RADIO_WL128X=m - -CONFIG_USB_OTG=y -CONFIG_USB_EHCI_HCD_OMAP=y -CONFIG_USB_MUSB_OMAP2PLUS=y -CONFIG_USB_MUSB_HDRC=y -CONFIG_USB_OHCI_HCD_OMAP3=y # CONFIG_USB_OTG_WHITELIST is not set # CONFIG_USB_OTG_BLACKLIST_HUB is not set -# CONFIG_MUSB_PIO_ONLY is not set -# CONFIG_USB_MUSB_DEBUG is not set -# # CONFIG_USB_GADGET_OMAP is not set # CONFIG_ISP1301_OMAP is not set - -# This block is temporary until we work out why the MMC modules don't work as modules -CONFIG_MMC=y -CONFIG_MMC_BLOCK=y -CONFIG_MMC_SDHCI=y -CONFIG_MMC_SDHCI_PLTFM=y -CONFIG_MMC_SDHCI_OF=y -CONFIG_MMC_SPI=y - -CONFIG_MMC_OMAP=y -CONFIG_MMC_OMAP_HS=y -CONFIG_TWL4030_USB=y -CONFIG_TWL6030_USB=y -CONFIG_RTC_DRV_OMAP=m -CONFIG_RTC_DRV_TWL4030=y -CONFIG_RTC_DRV_TPS65910=m - -CONFIG_PWM_TIECAP=m -CONFIG_PWM_TIEHRPWM=m -CONFIG_PWM_TWL=m -CONFIG_PWM_TWL_LED=m - -# CONFIG_IR_RX51 is not set -# CONFIG_BATTERY_RX51 is not set - -# CONFIG_TIDSPBRIDGE is not set -# CONFIG_TIDSPBRIDGE_MEMPOOL_SIZE=0x600000 -# CONFIG_TIDSPBRIDGE_DEBUG is not set -# CONFIG_TIDSPBRIDGE_RECOVERY=y -# CONFIG_TIDSPBRIDGE_CACHE_LINE_CHECK is not set -# CONFIG_TIDSPBRIDGE_WDT3=y -# CONFIG_TIDSPBRIDGE_WDT_TIMEOUT=5 -# CONFIG_TIDSPBRIDGE_NTFY_PWRERR is not set -# CONFIG_TIDSPBRIDGE_BACKTRACE is not set - -# CONFIG_OMAP_REMOTEPROC is not set -# CONFIG_OMAP_IOVMM is not set - -CONFIG_CRYPTO_DEV_OMAP_SHAM=m -CONFIG_CRYPTO_DEV_OMAP_AES=m -CONFIG_HW_RANDOM_OMAP=m - -# CONFIG_NET_VENDOR_BROADCOM is not set -# CONFIG_MTD_NAND_OMAP_BCH is not set -# CONFIG_MFD_TPS65912_I2C is not set -# CONFIG_PMIC_DA903X is not set -# CONFIG_MFD_DA9052_I2C is not set -# CONFIG_PMIC_ADP5520 is not set -# CONFIG_MFD_MAX77686 is not set -# CONFIG_MFD_MAX77693 is not set -# CONFIG_MFD_MAX8997 is not set -# CONFIG_MFD_SEC_CORE is not set -# CONFIG_MFD_TPS65090 is not set -# CONFIG_MFD_AAT2870_CORE is not set -# CONFIG_MFD_RC5T583 is not set -# CONFIG_MFD_PALMAS is not set -# CONFIG_REGULATOR_LP3972 is not set -# CONFIG_REGULATOR_LP872X is not set - -# CONFIG_OMAP2_DSS_DEBUG is not set -# CONFIG_OMAP2_DSS_DEBUGFS is not set -# CONFIG_ARM_PSCI is not set -# CONFIG_WILINK_PLATFORM_DATA is not set - -# VIRTIO_PCI is not set -# VIRTIO_MMIO is not set -# REMOTEPROC is not set -# RPMSG is not set diff --git a/config-armv7 b/config-armv7 index b4cb3eb08..749406051 100644 --- a/config-armv7 +++ b/config-armv7 @@ -71,6 +71,7 @@ CONFIG_GPIO_MVEBU=y CONFIG_MVEBU_CLK_CORE=y CONFIG_MVEBU_CLK_GATING=y CONFIG_MMC_MVSDIO=m +CONFIG_SPI_ORION=m # omap CONFIG_ARCH_OMAP2PLUS_TYPICAL=y @@ -141,6 +142,7 @@ CONFIG_SERIAL_OMAP_CONSOLE=y CONFIG_GPIO_TWL4030=m CONFIG_GPIO_TWL6040=m +CONFIG_I2C_OMAP=m CONFIG_CHARGER_TWL4030=m CONFIG_OMAP_WATCHDOG=m CONFIG_TWL4030_CORE=y @@ -154,19 +156,25 @@ CONFIG_TWL6030_PWM=m CONFIG_TWL6040_CORE=y CONFIG_CLK_TWL6040=m CONFIG_MFD_OMAP_USB_HOST=y +CONFIG_MTD_ONENAND_OMAP2=m +CONFIG_HDQ_MASTER_OMAP=m CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m CONFIG_USB_EHCI_HCD_OMAP=y CONFIG_USB_OHCI_HCD_OMAP3=y CONFIG_USB_MUSB_AM35X=m +CONFIG_USB_MUSB_OMAP2PLUS=y +CONFIG_USB_MUSB_HDRC=y +# CONFIG_MUSB_PIO_ONLY is not set +# CONFIG_USB_MUSB_DEBUG is not set CONFIG_OMAP_CONTROL_USB=m CONFIG_NOP_USB_XCEIV=m CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y CONFIG_RTC_DRV_MAX8907=m -CONFIG_RTC_DRV_TWL92330=y -CONFIG_RTC_DRV_TWL4030=y -CONFIG_RTC_DRV_OMAP=y +# CONFIG_RTC_DRV_TWL92330 is not set +CONFIG_RTC_DRV_TWL4030=m +CONFIG_RTC_DRV_OMAP=m # Note needs to be compiled in until we build MMC modular CONFIG_DMA_OMAP=y CONFIG_OMAP_IOVMM=m @@ -252,6 +260,9 @@ CONFIG_PANEL_PICODLP=m CONFIG_PANEL_TAAL=m CONFIG_PANEL_NEC_NL8048HL11_01B=m CONFIG_PANEL_TPO_TD043MTEA1=m +CONFIG_PANEL_LGPHILIPS_LB035Q02=m +CONFIG_PANEL_ACX565AKM=m +# CONFIG_PANEL_N8X0 is not set # Enable V4L2 drivers for OMAP2+ CONFIG_MEDIA_CONTROLLER=y @@ -299,6 +310,18 @@ CONFIG_SND_SOC_TWL4030=m CONFIG_SND_SOC_TWL6040=m CONFIG_RADIO_WL128X=m +# CONFIG_OMAP_REMOTEPROC is not set + +# CONFIG_TIDSPBRIDGE is not set +# CONFIG_TIDSPBRIDGE_MEMPOOL_SIZE=0x600000 +# CONFIG_TIDSPBRIDGE_DEBUG is not set +# CONFIG_TIDSPBRIDGE_RECOVERY=y +# CONFIG_TIDSPBRIDGE_CACHE_LINE_CHECK is not set +# CONFIG_TIDSPBRIDGE_WDT3=y +# CONFIG_TIDSPBRIDGE_WDT_TIMEOUT=5 +# CONFIG_TIDSPBRIDGE_NTFY_PWRERR is not set +# CONFIG_TIDSPBRIDGE_BACKTRACE is not set + # CONFIG_OMAP2_DSS_DEBUGFS is not set # CONFIG_OMAP_IOMMU_DEBUG is not set # CONFIG_OMAP_MUX_DEBUG is not set @@ -402,7 +425,9 @@ CONFIG_REGULATOR_LP3972=m CONFIG_REGULATOR_TPS51632=m CONFIG_REGULATOR_TPS62360=m CONFIG_REGULATOR_TPS65023=m +CONFIG_REGULATOR_TPS6524X=m CONFIG_REGULATOR_TPS6507X=m +CONFIG_REGULATOR_TPS65912=m CONFIG_REGULATOR_MAX8907=m CONFIG_REGULATOR_LP872X=y CONFIG_REGULATOR_LP8755=m @@ -412,7 +437,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_ARM_CHARLCD is not set # CONFIG_MTD_AFS_PARTS is not set # CONFIG_IP_PNP_RARP is not set -# CONFIG_BPF_JIT is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set diff --git a/config-armv7-generic b/config-armv7-generic index 924b0239c..057ea50d8 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -1,7 +1,10 @@ # arm configs for sharing between armv7 and armv7-lpae -# generic ARM config options +# Generic ARM config options +CONFIG_ARM=y + CONFIG_CMDLINE="" CONFIG_HAVE_ARM_ARCH_TIMER=y +CONFIG_HAVE_ARM_TWD=y CONFIG_AEABI=y CONFIG_VFP=y CONFIG_VFPv3=y @@ -16,22 +19,26 @@ CONFIG_ARM_ASM_UNIFIED=y CONFIG_ARM_CPU_TOPOLOGY=y CONFIG_ARM_DMA_MEM_BUFFERABLE=y CONFIG_SWP_EMULATE=y -CONFIG_CPU_BPREDICT_DISABLE=y CONFIG_CACHE_L2X0=y +CONFIG_CACHE_PL310=y CONFIG_HIGHPTE=y CONFIG_AUTO_ZRELADDR=y +CONFIG_EARLY_PRINTK=y +CONFIG_ATAGS=y +CONFIG_ATAGS_PROC=y + # CONFIG_OABI_COMPAT is not set -# CONFIG_ATAGS is not set -# CONFIG_ATAGS_PROC is not set # CONFIG_FPE_NWFPE is not set # CONFIG_FPE_FASTFPE is not set # CONFIG_APM_EMULATION is not set # CONFIG_CPU_ICACHE_DISABLE is not set # CONFIG_CPU_DCACHE_DISABLE is not set +# CONFIG_CPU_BPREDICT_DISABLE is not set # CONFIG_DMA_CACHE_RWFO is not set # CONFIG_THUMB2_KERNEL is not set # CONFIG_HVC_DCC is not set # CONFIG_XIP_KERNEL is not set +# CONFIG_ARM_VIRT_EXT is not set # errata # v5/v6 @@ -59,7 +66,7 @@ CONFIG_PL310_ERRATA_769419=y # generic that deviates from or should be merged into config-generic CONFIG_SMP=y -CONFIG_NR_CPUS=4 +CONFIG_NR_CPUS=8 CONFIG_SMP_ON_UP=y CONFIG_HIGHMEM=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y @@ -98,22 +105,17 @@ CONFIG_HW_PERF_EVENTS=y CONFIG_UACCESS_WITH_MEMCPY=y CONFIG_CC_STACKPROTECTOR=y -CONFIG_IKCONFIG=y -CONFIG_IKCONFIG_PROC=y CONFIG_LOG_BUF_SHIFT=14 CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y CONFIG_IP_PNP_BOOTP=y -CONFIG_PINCTRL=y -CONFIG_PINCONF=y - +# Root as NFS, different from mainline CONFIG_NFS_FS=y CONFIG_ROOT_NFS=y CONFIG_NLS_CODEPAGE_437=y CONFIG_NLS_ISO8859_1=y -CONFIG_EARLY_PRINTK=y CONFIG_LBDAF=y @@ -135,14 +137,10 @@ CONFIG_OF_PCI_IRQ=y CONFIG_OF_GPIO=y CONFIG_I2C_MUX_PINCTRL=m CONFIG_OF_MDIO=m -CONFIG_MFD_SYSCON=y CONFIG_OF_DISPLAY_TIMING=y CONFIG_OF_VIDEOMODE=y -CONFIG_MDIO_BUS_MUX_GPIO=m -CONFIG_GPIOLIB=y - # General vexpress ARM drivers CONFIG_ARM_AMBA=y CONFIG_ARM_TIMER_SP804=y @@ -166,6 +164,9 @@ CONFIG_FB_ARMCLCD=m CONFIG_REGULATOR_VEXPRESS=m # usb +CONFIG_USB_OTG=y +# CONFIG_USB_OTG_WHITELIST is not set +# CONFIG_USB_OTG_BLACKLIST_HUB is not set CONFIG_USB_ULPI=y CONFIG_AX88796=m CONFIG_AX88796_93CX6=y @@ -174,24 +175,58 @@ CONFIG_SMC911X=m CONFIG_SMSC911X=m CONFIG_USB_ISP1760_HCD=m +# Multifunction Devices +CONFIG_MFD_SYSCON=y +CONFIG_MFD_TPS65912_SPI=y +# CONFIG_MFD_DA9052_SPI is not set +# CONFIG_MFD_ARIZONA_SPI is not set +# CONFIG_MFD_WM831X_SPI is not set +# CONFIG_MFD_MC13XXX_SPI is not set + # Pin stuff CONFIG_PINMUX=y CONFIG_PINCONF=y +CONFIG_PINCTRL=y CONFIG_PINCTRL_SINGLE=m # CONFIG_PINCTRL_SAMSUNG is not set # CONFIG_PINCTRL_EXYNOS4 is not set # GPIO CONFIG_GPIO_GENERIC_PLATFORM=m +CONFIG_EXTCON_GPIO=m +CONFIG_GENERIC_GPIO=y +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y # CONFIG_GPIO_EM is not set CONFIG_GPIO_ADNP=m CONFIG_GPIO_MCP23S08=m CONFIG_POWER_RESET_GPIO=y CONFIG_RFKILL_GPIO=m CONFIG_SERIAL_8250_EM=m -CONFIG_INPUT_GP2A=m CONFIG_INPUT_GPIO_TILT_POLLED=m +CONFIG_MDIO_BUS_MUX_GPIO=m CONFIG_MDIO_BUS_MUX_MMIOREG=m +CONFIG_LEDS_GPIO=m +CONFIG_GPIOLIB=y +CONFIG_GPIO_MAX7301=m +CONFIG_GPIO_MC33880=m +CONFIG_GPIO_74X164=m +CONFIG_GPIO_TPS65912=m + +CONFIG_SPI=y +CONFIG_SPI_GPIO=m +CONFIG_SPI_BITBANG=m +CONFIG_SPI_PL022=m +CONFIG_SPI_SPIDEV=m +CONFIG_SPI_ALTERA=m +CONFIG_SPI_BUTTERFLY=m +CONFIG_SPI_LM70_LLP=m +CONFIG_SPI_OC_TINY=m +CONFIG_SPI_S3C64XX=m +CONFIG_SPI_SC18IS602=m +CONFIG_SPI_XCOMM=m +CONFIG_SPI_XILINX=m +CONFIG_SPI_DESIGNWARE=m +CONFIG_SPI_TLE62X0=m # HW crypto and rng CONFIG_CRYPTO_SHA1_ARM=m @@ -212,16 +247,23 @@ CONFIG_POWER_RESET_RESTART=y # MTD CONFIG_MTD_OF_PARTS=y # CONFIG_MG_DISK is not set +CONFIG_MTD_DATAFLASH=m +CONFIG_MTD_DATAFLASH_WRITE_VERIFY=y +CONFIG_MTD_DATAFLASH_OTP=y +CONFIG_MTD_M25P80=m +CONFIG_MTD_SST25L=m +CONFIG_EEPROM_AT25=m +CONFIG_EEPROM_93XX46=m # MMC/SD CONFIG_MMC=y CONFIG_MMC_ARMMMCI=y CONFIG_MMC_SDHCI_PLTFM=m -CONFIG_MMC_SDHCI_OF=m CONFIG_MMC_SPI=m CONFIG_MMC_DW=m CONFIG_MMC_DW_PLTFM=m CONFIG_MMC_DW_PCI=m +CONFIG_SPI_DW_MMIO=m # CONFIG_MMC_DW_EXYNOS is not set # CONFIG_MMC_DW_IDMAC is not set @@ -229,6 +271,7 @@ CONFIG_MMC_DW_PCI=m CONFIG_SND_ARM=y CONFIG_SND_ARMAACI=m CONFIG_SND_SOC=m +CONFIG_SND_SPI=y CONFIG_SND_DESIGNWARE_I2S=m CONFIG_SND_SIMPLE_CARD=m CONFIG_SND_SOC_CACHE_LZO=y @@ -238,17 +281,123 @@ CONFIG_SND_SOC_ALL_CODECS=m # Displays CONFIG_FB_SSD1307=m -CONFIG_ARM_KPROBES_TEST=m - # PWM CONFIG_PWM=y CONFIG_BACKLIGHT_PWM=m + +# RTC +CONFIG_RTC_DRV_M41T93=m +CONFIG_RTC_DRV_M41T94=m +CONFIG_RTC_DRV_DS1305=m +CONFIG_RTC_DRV_DS1390=m +CONFIG_RTC_DRV_MAX6902=m +CONFIG_RTC_DRV_R9701=m +CONFIG_RTC_DRV_RS5C348=m +CONFIG_RTC_DRV_DS3234=m +CONFIG_RTC_DRV_PCF2123=m +CONFIG_RTC_DRV_RX4581=m + +# Regulators +CONFIG_REGULATOR=y +CONFIG_RFKILL_REGULATOR=m +CONFIG_CHARGER_MANAGER=y +# CONFIG_REGULATOR_DUMMY is not set +CONFIG_REGULATOR_FIXED_VOLTAGE=m +CONFIG_REGULATOR_VIRTUAL_CONSUMER=m +CONFIG_REGULATOR_USERSPACE_CONSUMER=m +CONFIG_REGULATOR_GPIO=m +CONFIG_REGULATOR_AD5398=m +CONFIG_REGULATOR_FAN53555=m +CONFIG_REGULATOR_ANATOP=m +CONFIG_REGULATOR_ISL6271A=m +CONFIG_REGULATOR_MAX1586=m +CONFIG_REGULATOR_MAX8649=m +CONFIG_REGULATOR_MAX8660=m +CONFIG_REGULATOR_MAX8952=m +CONFIG_REGULATOR_MAX8973=m +CONFIG_REGULATOR_LP3971=m +CONFIG_REGULATOR_LP3972=m +CONFIG_REGULATOR_LP8755=m +CONFIG_REGULATOR_TPS51632=m +CONFIG_REGULATOR_TPS62360=m +CONFIG_REGULATOR_TPS65023=m +CONFIG_REGULATOR_TPS6507X=m +CONFIG_REGULATOR_TPS6524X=m +CONFIG_REGULATOR_TPS65912=m + +CONFIG_SENSORS_AD7314=m +CONFIG_SENSORS_ADCXX=m +CONFIG_SENSORS_LM70=m +CONFIG_SENSORS_MAX1111=m +CONFIG_SENSORS_ADS7871=m +CONFIG_SENSORS_LIS3_SPI=m + +CONFIG_LCD_L4F00242T03=m +CONFIG_LCD_LMS283GF05=m +CONFIG_LCD_LTV350QV=m +CONFIG_LCD_ILI9320=m +CONFIG_LCD_TDO24M=m +CONFIG_LCD_VGG2432A4=m +CONFIG_LCD_S6E63M0=m +CONFIG_LCD_LD9040=m +CONFIG_LCD_AMS369FG06=m +CONFIG_LCD_LMS501KF03=m +CONFIG_LCD_HX8357=m + CONFIG_INPUT_PWM_BEEPER=m +CONFIG_INPUT_GP2A=m +CONFIG_INPUT_ARIZONA_HAPTICS=m +CONFIG_INPUT_MC13783_PWRBUTTON=m + + +CONFIG_TOUCHSCREEN_ADS7846=m +CONFIG_TOUCHSCREEN_AD7877=m +CONFIG_TOUCHSCREEN_MC13783=m +CONFIG_TOUCHSCREEN_TSC2005=m + +CONFIG_LEDS_DAC124S085=m +CONFIG_BMP085_SPI=m + +# Ethernet +CONFIG_KS8851=m +CONFIG_ENC28J60=m +CONFIG_LIBERTAS_SPI=m +CONFIG_P54_SPI=m +CONFIG_P54_SPI_DEFAULT_EEPROM=n +CONFIG_MICREL_KS8995MA=m +CONFIG_IEEE802154_AT86RF230=m +CONFIG_IEEE802154_MRF24J40=m + +CONFIG_ARM_KPROBES_TEST=m + +# jffs2 +CONFIG_JFFS2_FS=m +CONFIG_JFFS2_FS_DEBUG=0 +# CONFIG_JFFS2_COMPRESSION_OPTIONS is not set +# CONFIG_JFFS2_FS_WBUF_VERIFY is not set +CONFIG_JFFS2_FS_POSIX_ACL=y +CONFIG_JFFS2_FS_SECURITY=y +CONFIG_JFFS2_FS_WRITEBUFFER=y +CONFIG_JFFS2_FS_XATTR=y +CONFIG_JFFS2_LZO=y +CONFIG_JFFS2_RTIME=y +CONFIG_JFFS2_RUBIN=y +CONFIG_JFFS2_SUMMARY=y +CONFIG_JFFS2_ZLIB=y + +CONFIG_UBIFS_FS=m +CONFIG_UBIFS_FS_ADVANCED_COMPR=y +CONFIG_UBIFS_FS_LZO=y +CONFIG_UBIFS_FS_ZLIB=y +# CONFIG_UBIFS_FS_DEBUG is not set # Should be in generic CONFIG_ETHERNET=y +CONFIG_BPF_JIT=y # CONFIG_NET_VENDOR_BROADCOM is not set # CONFIG_NET_VENDOR_CIRRUS is not set +# CONFIG_NET_VENDOR_MICROCHIP is not set + # CONFIG_PATA_PLATFORM is not set CONFIG_PERF_EVENTS=y @@ -266,15 +415,21 @@ CONFIG_PERF_EVENTS=y # CONFIG_LEDS_RENESAS_TPU is not set # CONFIG_MFD_T7L66XB is not set # CONFIG_MFD_TC6387XB is not set +# CONFIG_TI_DAC7512 is not set +# CONFIG_EZX_PCAP is not set # Needs work/investigation # CONFIG_ARM_CHARLCD is not set # CONFIG_MTD_AFS_PARTS is not set # CONFIG_IP_PNP_RARP is not set -# CONFIG_BPF_JIT is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set +# CONFIG_LATTICE_ECP3_CONFIG is not set +# CONFIG_M25PXX_USE_FAST_READ is not set +# CONFIG_SERIAL_MAX3100 is not set +# CONFIG_SERIAL_MAX310X is not set +# CONFIG_SERIAL_IFX6X60 is not set # these modules all fail with missing __bad_udelay # http://www.spinics.net/lists/arm/msg15615.html provides some background diff --git a/config-armv7-lpae b/config-armv7-lpae index 324a31e21..7263d7608 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -61,6 +61,7 @@ CONFIG_SND_SOC_SAMSUNG=m CONFIG_USB_EHCI_S5P=y CONFIG_USB_OHCI_EXYNOS=y CONFIG_MMC_SDHCI_S3C=m +CONFIG_MMC_SDHCI_S3C_DMA=y CONFIG_RTC_DRV_S3C=m CONFIG_PWM_SAMSUNG=m CONFIG_S3C_BOOT_WATCHDOG=y @@ -73,4 +74,7 @@ CONFIG_FB_S3C_DEBUG_REGWRITE=y CONFIG_SND_SOC_SAMSUNG_SMDK_SPDIF=m CONFIG_USB_EHCI_S5P=y CONFIG_SAMSUNG_USBPHY=y -CONFIG_MMC_SDHCI_S3C_DMA=y +CONFIG_MMC_DW=y +CONFIG_MMC_DW_PLTFM=y +CONFIG_MMC_DW_PCI=y +CONFIG_MMC_DW_EXYNOS=y diff --git a/config-arm-tegra b/config-armv7-tegra similarity index 84% rename from config-arm-tegra rename to config-armv7-tegra index 53c415312..12235bae7 100644 --- a/config-arm-tegra +++ b/config-armv7-tegra @@ -3,10 +3,13 @@ CONFIG_ARCH_TEGRA=y CONFIG_ARCH_TEGRA_2x_SOC=y # CONFIG_ARCH_TEGRA_3x_SOC is not set # CONFIG_ARCH_TEGRA_114_SOC is not set -# CONFIG_ARM_LPAE is not set -CONFIG_VFP=y -CONFIG_VFPv3=y +# These are supported in the LPAE kernel +# CONFIG_ARM_LPAE is not set +# CONFIG_XEN is not set +# CONFIG_VIRTIO_CONSOLE is not set +# CONFIG_ARM_VIRT_EXT is not set +# CONFIG_VIRTUALIZATION is not set # CONFIG_MACH_HARMONY is not set CONFIG_MACH_KAEN=y @@ -24,7 +27,7 @@ CONFIG_TEGRA_PCI=y CONFIG_TEGRA_IOMMU_GART=y CONFIG_TEGRA_IOMMU_SMMU=y -CONFIG_I2C_TEGRA=m +# CONFIG_I2C_TEGRA is not set # This block is temporary until we work out why the MMC modules don't work as modules CONFIG_MMC=y @@ -32,8 +35,6 @@ CONFIG_MMC_BLOCK=y CONFIG_MMC_SDHCI=y CONFIG_MMC_SDHCI_PLTFM=y CONFIG_MMC_SDHCI_OF=y -CONFIG_MMC_SPI=y - CONFIG_MMC_SDHCI_TEGRA=y # CONFIG_RCU_BOOST is not set @@ -41,12 +42,10 @@ CONFIG_TEGRA_SYSTEM_DMA=y CONFIG_TEGRA_EMC_SCALING_ENABLE=y CONFIG_TEGRA_AHB=y CONFIG_TEGRA20_APB_DMA=y -CONFIG_SPI_TEGRA20_SFLASH=m -CONFIG_SPI_TEGRA20_SLINK=m +CONFIG_SPI_TEGRA20_SFLASH=y +CONFIG_SPI_TEGRA20_SLINK=y CONFIG_ARM_THUMBEE=y CONFIG_SWP_EMULATE=y -# CONFIG_CPU_BPREDICT_DISABLE is not set -CONFIG_CACHE_L2X0=y CONFIG_ARM_ERRATA_430973=y # CONFIG_ARM_ERRATA_458693 is not set # CONFIG_ARM_ERRATA_460075 is not set @@ -69,6 +68,7 @@ CONFIG_GPIO_GENERIC_PLATFORM=y # CONFIG_KEYBOARD_TEGRA is not set CONFIG_PINCTRL_TEGRA=y CONFIG_PINCTRL_TEGRA20=y +CONFIG_PINCTRL_TEGRA30=y CONFIG_USB_EHCI_TEGRA=y CONFIG_RTC_DRV_TEGRA=y @@ -82,7 +82,7 @@ CONFIG_SND_SOC_TEGRA30_AHUB=m CONFIG_SND_SOC_TEGRA30_I2S=m # AC100 (PAZ00) -# CONFIG_MFD_NVEC is not set +CONFIG_MFD_NVEC=y CONFIG_MFD_TPS80031=y CONFIG_KEYBOARD_NVEC=y CONFIG_SERIO_NVEC_PS2=y @@ -96,7 +96,7 @@ CONFIG_NVEC_PAZ00=y CONFIG_PWM_TEGRA=m -CONFIG_DRM_TEGRA=m +# CONFIG_DRM_TEGRA is not set CONFIG_CPU_PM=y CONFIG_ARM_CPU_SUSPEND=y @@ -119,3 +119,7 @@ CONFIG_OF_PCI_IRQ=y # CONFIG_SPI_TOPCLIFF_PCH is not set # CONFIG_SPI_DW_PCI is not set # CONFIG_SPI_PXA2XX is not set +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set +# CONFIG_SGI_IOC4 is not set +# CONFIG_PINCTRL_EXYNOS is not set +# CONFIG_PINCTRL_EXYNOS5440 is not set diff --git a/kernel.spec b/kernel.spec index 20a5853c1..9816597d8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -251,9 +251,9 @@ Summary: The Linux kernel # kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp %ifnarch armv7hl -%define with_lpae 0 -%endif %define with_tegra 0 +%endif +%define with_lpae 0 # if requested, only build base kernel %if %{with_baseonly} @@ -387,10 +387,7 @@ Summary: The Linux kernel %define kernel_image arch/arm/boot/zImage # we only build headers/perf/tools on the base arm arches # just like we used to only build them on i386 for x86 -%ifarch armv5tel -%define with_up 0 -%endif -%ifnarch armv5tel armv7hl +%ifnarch armv7hl %define with_headers 0 %define with_perf 0 %define with_tools 0 @@ -578,11 +575,7 @@ Source70: config-s390x Source100: config-armv7-generic Source101: config-armv7 Source102: config-armv7-lpae - -# Legacy ARM kernels -Source105: config-arm-generic -Source110: config-arm-omap -Source111: config-arm-tegra +Source103: config-armv7-tegra # This file is intentionally left empty in the stock kernel. Its a nicety # added for those wanting to do custom rebuilds with altered config opts. @@ -2300,6 +2293,12 @@ fi # and build. %changelog +* Sun Mar 31 2013 Peter Robinson +- Make tegra inherit armv7-generic, fix and re-enable tegra +- Enable SPI on ARM +- Drop config-arm-generic +- ARM config updates + * Thu Mar 28 2013 Peter Robinson - Update ARM unified config for OMAP From 8d026d8a101f5146baeca9ac7fc660e31c84314a Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 1 Apr 2013 01:01:35 +0100 Subject: [PATCH 037/468] enable lpae ARM kernel --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 9816597d8..63ba85e8d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -251,9 +251,9 @@ Summary: The Linux kernel # kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp %ifnarch armv7hl +%define with_lpae 0 %define with_tegra 0 %endif -%define with_lpae 0 # if requested, only build base kernel %if %{with_baseonly} From 1a28231db0d83b38fc8077e7a56917ba71c22e14 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 1 Apr 2013 08:21:46 +0100 Subject: [PATCH 038/468] Minor ARM LPAE updates --- config-armv7-generic | 1 + config-armv7-lpae | 14 +++++++++++++- kernel.spec | 3 +++ 3 files changed, 17 insertions(+), 1 deletion(-) diff --git a/config-armv7-generic b/config-armv7-generic index 057ea50d8..3e17eb532 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -127,6 +127,7 @@ CONFIG_OF=y CONFIG_USE_OF=y CONFIG_OF_DEVICE=y CONFIG_OF_IRQ=y +CONFIG_DMA_OF=y CONFIG_ARM_ATAG_DTB_COMPAT=y CONFIG_ARM_APPENDED_DTB=y CONFIG_PROC_DEVICETREE=y diff --git a/config-armv7-lpae b/config-armv7-lpae index 7263d7608..8732c4bcd 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -51,12 +51,24 @@ CONFIG_ARM_EXYNOS_CPUFREQ=y CONFIG_SERIAL_SAMSUNG=y CONFIG_I2C_S3C2410=m CONFIG_PINCTRL_EXYNOS=y +CONFIG_PINCTRL_EXYNOS5440=y CONFIG_S3C2410_WATCHDOG=m CONFIG_VIDEO_SAMSUNG_S5P_G2D=m CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m CONFIG_VIDEO_SAMSUNG_S5P_MFC=m CONFIG_VIDEO_SAMSUNG_EXYNOS_GSC=m -CONFIG_FB_S3C=m +CONFIG_DRM_EXYNOS=m +CONFIG_DRM_EXYNOS_IOMMU=y +CONFIG_DRM_EXYNOS_DMABUF=y +CONFIG_DRM_EXYNOS_FIMD=y +CONFIG_DRM_EXYNOS_HDMI=y +CONFIG_DRM_EXYNOS_VIDI=y +CONFIG_DRM_EXYNOS_G2D=y +CONFIG_DRM_EXYNOS_IPP=y +CONFIG_DRM_EXYNOS_FIMC=y +CONFIG_DRM_EXYNOS_ROTATOR=y +CONFIG_DRM_EXYNOS_GSC=y +# CONFIG_FB_S3C is not set CONFIG_SND_SOC_SAMSUNG=m CONFIG_USB_EHCI_S5P=y CONFIG_USB_OHCI_EXYNOS=y diff --git a/kernel.spec b/kernel.spec index 63ba85e8d..6125ba924 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2293,6 +2293,9 @@ fi # and build. %changelog +* Mon Apr 1 2013 Peter Robinson +- Minor ARM LPAE updates + * Sun Mar 31 2013 Peter Robinson - Make tegra inherit armv7-generic, fix and re-enable tegra - Enable SPI on ARM From 6ba7175650d004b61fc9d18fca4eb3ab028b41eb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 1 Apr 2013 12:43:09 -0400 Subject: [PATCH 039/468] Enable CONFIG_MCE_INJECT (rhbz 927353) --- config-x86-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-x86-generic b/config-x86-generic index cac1a3157..3ac852384 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -350,7 +350,7 @@ CONFIG_PERF_EVENTS=y CONFIG_X86_MCE=y CONFIG_X86_MCE_INTEL=y CONFIG_X86_MCE_AMD=y -# CONFIG_X86_MCE_INJECT is not set +CONFIG_X86_MCE_INJECT=m CONFIG_SFI=y diff --git a/kernel.spec b/kernel.spec index 6125ba924..9bebe91cb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2293,6 +2293,9 @@ fi # and build. %changelog +* Mon Apr 01 2013 Josh Boyer +- Enable CONFIG_MCE_INJECT (rhbz 927353) + * Mon Apr 1 2013 Peter Robinson - Minor ARM LPAE updates From 4c578540af6ca542bab88582c9cf6dd02b4cfb10 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 2 Apr 2013 07:34:22 -0500 Subject: [PATCH 040/468] Linux v3.9-rc5 --- ...sbhid-quirk-for-MSI-GX680R-led-panel.patch | 45 --------------- ...-quirk-for-Realtek-Multi-card-reader.patch | 45 --------------- config-generic | 1 + config-x86-generic | 2 + ...-max-is-in-the-max-variable-who-knew.patch | 42 -------------- cpufreq-intel-pstate-validate-msrs.patch | 56 ------------------- htmldoc-build-fix.patch | 16 ++++++ kernel.spec | 30 +++------- serial-460800.patch | 4 +- sources | 2 +- 10 files changed, 31 insertions(+), 212 deletions(-) delete mode 100644 HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch delete mode 100644 HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch delete mode 100644 cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch delete mode 100644 cpufreq-intel-pstate-validate-msrs.patch create mode 100644 htmldoc-build-fix.patch diff --git a/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch b/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch deleted file mode 100644 index 66e529d72..000000000 --- a/HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 565bd59e8f55b82eb49b58b0972ac41f4448ef06 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 15 Mar 2013 10:31:31 -0400 -Subject: [PATCH] HID: usbhid: quirk for MSI GX680R led panel - -This keyboard backlight device causes a 10 second delay to boot. Add it -to the quirk list with HID_QUIRK_NO_INIT_REPORTS. - -This fixes Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=907221 - -Signed-off-by: Josh Boyer ---- - drivers/hid/hid-ids.h | 3 +++ - drivers/hid/usbhid/hid-quirks.c | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index d1063e9..c438877 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -590,6 +590,9 @@ - #define USB_VENDOR_ID_MONTEREY 0x0566 - #define USB_DEVICE_ID_GENIUS_KB29E 0x3004 - -+#define USB_VENDOR_ID_MSI 0x1770 -+#define USB_DEVICE_ID_MSI_GX680R_LED_PANEL 0xff00 -+ - #define USB_VENDOR_ID_NATIONAL_SEMICONDUCTOR 0x0400 - #define USB_DEVICE_ID_N_S_HARMONY 0xc359 - -diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c -index e991d81..476c984 100644 ---- a/drivers/hid/usbhid/hid-quirks.c -+++ b/drivers/hid/usbhid/hid-quirks.c -@@ -73,6 +73,7 @@ static const struct hid_blacklist { - { USB_VENDOR_ID_FORMOSA, USB_DEVICE_ID_FORMOSA_IR_RECEIVER, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_FREESCALE, USB_DEVICE_ID_FREESCALE_MX28, HID_QUIRK_NOGET }, - { USB_VENDOR_ID_MGE, USB_DEVICE_ID_MGE_UPS, HID_QUIRK_NOGET }, -+ { USB_VENDOR_ID_MSI, USB_DEVICE_ID_MSI_GX680R_LED_PANEL, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_NOVATEK, USB_DEVICE_ID_NOVATEK_MOUSE, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_PIXART, USB_DEVICE_ID_PIXART_OPTICAL_TOUCH_SCREEN1, HID_QUIRK_NO_INIT_REPORTS }, --- -1.8.1.2 - diff --git a/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch b/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch deleted file mode 100644 index 6bccd6cd1..000000000 --- a/HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 926bb9deb21046248d01e2f6fc86fdbb149b514c Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 15 Mar 2013 10:27:36 -0400 -Subject: [PATCH 1/2] HID: usbhid: quirk for Realtek Multi-card reader - -This device has an odd HID entry and causes a 10 second delay in boot. -Add this device to the quirks list with HID_QUIRK_NO_INIT_REPORTS. - -This fixes Red Hat bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=806587 - -Signed-off-by: Josh Boyer ---- - drivers/hid/hid-ids.h | 3 +++ - drivers/hid/usbhid/hid-quirks.c | 1 + - 2 files changed, 4 insertions(+) - -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index 92e47e5..d1063e9 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -684,6 +684,9 @@ - #define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001 0x3001 - #define USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008 0x3008 - -+#define USB_VENDOR_ID_REALTEK 0x0bda -+#define USB_DEVICE_ID_REALTEK_READER 0x0152 -+ - #define USB_VENDOR_ID_ROCCAT 0x1e7d - #define USB_DEVICE_ID_ROCCAT_ARVO 0x30d4 - #define USB_DEVICE_ID_ROCCAT_ISKU 0x319c -diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c -index e0e6abf..e991d81 100644 ---- a/drivers/hid/usbhid/hid-quirks.c -+++ b/drivers/hid/usbhid/hid-quirks.c -@@ -80,6 +80,7 @@ static const struct hid_blacklist { - { USB_VENDOR_ID_PRODIGE, USB_DEVICE_ID_PRODIGE_CORDLESS, HID_QUIRK_NOGET }, - { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3001, HID_QUIRK_NOGET }, - { USB_VENDOR_ID_QUANTA, USB_DEVICE_ID_QUANTA_OPTICAL_TOUCH_3008, HID_QUIRK_NOGET }, -+ { USB_VENDOR_ID_REALTEK, USB_DEVICE_ID_REALTEK_READER, HID_QUIRK_NO_INIT_REPORTS }, - { USB_VENDOR_ID_SENNHEISER, USB_DEVICE_ID_SENNHEISER_BTD500USB, HID_QUIRK_NOGET }, - { USB_VENDOR_ID_SIGMATEL, USB_DEVICE_ID_SIGMATEL_STMP3780, HID_QUIRK_NOGET }, - { USB_VENDOR_ID_SUN, USB_DEVICE_ID_RARITAN_KVM_DONGLE, HID_QUIRK_NOGET }, --- -1.8.1.2 - diff --git a/config-generic b/config-generic index a7bfa4dee..d0000b4ac 100644 --- a/config-generic +++ b/config-generic @@ -2152,6 +2152,7 @@ CONFIG_TELCLOCK=m # Serial drivers # CONFIG_SERIAL_8250=y +# CONFIG_SERIAL_8250_DEPRECATED_OPTIONS is not set CONFIG_SERIAL_8250_CONSOLE=y CONFIG_SERIAL_8250_CS=m CONFIG_SERIAL_8250_NR_UARTS=32 diff --git a/config-x86-generic b/config-x86-generic index 3ac852384..bab32a852 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -37,6 +37,8 @@ CONFIG_X86_PM_TIMER=y CONFIG_EFI=y CONFIG_EFI_STUB=y CONFIG_EFI_VARS=y +CONFIG_EFI_VARS_PSTORE=y +CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_PCDP=y CONFIG_FB_EFI=y diff --git a/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch b/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch deleted file mode 100644 index e0d590b21..000000000 --- a/cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch +++ /dev/null @@ -1,42 +0,0 @@ -From: dirk.brandewie@gmail.com -To: linux-kernel@vger.kernel.org, cpufreq@vger.kernel.org -Cc: Dirk Brandewie , - Dirk Brandewie -Subject: [PATCH] cpufreq/intel_pstate: Fix calculation of current frequency -Date: Fri, 22 Mar 2013 10:51:05 -0700 -Message-Id: <1363974665-22049-1-git-send-email-dirk.brandewie@gmail.com> - -From: Dirk Brandewie - -Use the correct pstate value to calculate the effective frequency. - -https://bugzilla.redhat.com/show_bug.cgi?id=923942 -Reported-by: Satish Balay - -Signed-off-by: Dirk Brandewie ---- - drivers/cpufreq/intel_pstate.c | 2 +- - 1 files changed, 1 insertions(+), 1 deletions(-) - -diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c -index e84af66..ad72922 100644 ---- a/drivers/cpufreq/intel_pstate.c -+++ b/drivers/cpufreq/intel_pstate.c -@@ -454,7 +454,7 @@ static inline void intel_pstate_calc_busy(struct cpudata *cpu, - sample->idletime_us * 100, - sample->duration_us); - core_pct = div64_u64(sample->aperf * 100, sample->mperf); -- sample->freq = cpu->pstate.turbo_pstate * core_pct * 1000; -+ sample->freq = cpu->pstate.max_pstate * core_pct * 1000; - - sample->core_pct_busy = div_s64((sample->pstate_pct_busy * core_pct), - 100); --- -1.7.7.6 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - diff --git a/cpufreq-intel-pstate-validate-msrs.patch b/cpufreq-intel-pstate-validate-msrs.patch deleted file mode 100644 index 0a790a0b6..000000000 --- a/cpufreq-intel-pstate-validate-msrs.patch +++ /dev/null @@ -1,56 +0,0 @@ -commit 866111646f2c5d4c6c25e2bb97f5c61c3992defb -Author: Dirk Brandewie -Date: Mon Mar 18 16:55:02 2013 -0700 - - cpufreq/intel_pstate: Add function to check that all MSR's are valid - - Some VMs seem to try to implement some MSRs but not all the registers - the driver needs. Check to make sure all the MSR that we need are - available. If any of the required MSRs are not available refuse to - load. - - Signed-off-by: Dirk Brandewie - ---- linux-3.9.0-0.rc3.git0.2.fc19.x86_64/drivers/cpufreq/intel_pstate.c~ 2013-03-19 14:54:33.489581718 -0400 -+++ linux-3.9.0-0.rc3.git0.2.fc19.x86_64/drivers/cpufreq/intel_pstate.c 2013-03-19 14:55:09.667523730 -0400 -@@ -752,6 +752,30 @@ static struct cpufreq_driver intel_pstat - - static int __initdata no_load; - -+static int intel_pstate_msrs_not_valid(void) -+{ -+ /* Check that all the msr's we are using are valid. */ -+ u64 aperf, mperf, tmp; -+ -+ rdmsrl(MSR_IA32_APERF, aperf); -+ rdmsrl(MSR_IA32_MPERF, mperf); -+ -+ if (!intel_pstate_min_pstate() || -+ !intel_pstate_max_pstate() || -+ !intel_pstate_turbo_pstate()) -+ return -ENODEV; -+ -+ rdmsrl(MSR_IA32_APERF, tmp); -+ if (!(tmp - aperf)) -+ return -ENODEV; -+ -+ rdmsrl(MSR_IA32_MPERF, tmp); -+ if (!(tmp - mperf)) -+ return -ENODEV; -+ -+ return 0; -+} -+ - static int __init intel_pstate_init(void) - { - int cpu, rc = 0; -@@ -764,6 +788,9 @@ static int __init intel_pstate_init(void - if (!id) - return -ENODEV; - -+ if (intel_pstate_msrs_not_valid()) -+ return -ENODEV; -+ - pr_info("Intel P-state driver initializing.\n"); - - all_cpu_data = vmalloc(sizeof(void *) * num_possible_cpus()); diff --git a/htmldoc-build-fix.patch b/htmldoc-build-fix.patch new file mode 100644 index 000000000..424246c1b --- /dev/null +++ b/htmldoc-build-fix.patch @@ -0,0 +1,16 @@ +htmldocs will fail, because device-drivers.tmpl references the +non-existant file 8250.c (which got renamed to 8250_core.c) + +Signed-off-by: Kyle McMartin + +--- a/Documentation/DocBook/device-drivers.tmpl ++++ b/Documentation/DocBook/device-drivers.tmpl +@@ -227,7 +227,7 @@ X!Isound/sound_firmware.c + + 16x50 UART Driver + !Edrivers/tty/serial/serial_core.c +-!Edrivers/tty/serial/8250/8250.c ++!Edrivers/tty/serial/8250/8250_core.c + + + diff --git a/kernel.spec b/kernel.spec index 9bebe91cb..1d986fa84 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -93,7 +93,7 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 4 +%define rcrev 5 # The git snapshot level %define gitrev 0 # Set rpm version accordingly @@ -737,24 +737,17 @@ Patch21276: mac80211-Dont-restart-sta-timer-if-not-running.patch #rhbz 859282 Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch -#rhbz 907221 -Patch21277: HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch - -#rhbz 806587 -Patch21278: HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch - Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch #selinux ptrace child permissions Patch22001: selinux-apply-different-permission-to-ptrace-child.patch -Patch23000: cpufreq-intel-pstate-validate-msrs.patch -Patch23001: cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch - #rhbz 927469 Patch23006: fix-child-thread-introspection.patch +Patch23007: htmldoc-build-fix.patch + # END OF PATCH DEFINITIONS %endif @@ -1423,10 +1416,6 @@ ApplyPatch debug-idle-sched-warn-once.patch #selinux ptrace child permissions ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch -# rhbz 922923 -ApplyPatch cpufreq-intel-pstate-validate-msrs.patch -ApplyPatch cpufreq-intel-pstate-max-is-in-the-max-variable-who-knew.patch - #rhbz 859485 ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch @@ -1452,15 +1441,11 @@ ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch #rhbz 920218 ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch -#rhbz 907221 -ApplyPatch HID-usbhid-quirk-for-MSI-GX680R-led-panel.patch - -#rhbz 806587 -ApplyPatch HID-usbhid-quirk-for-Realtek-Multi-card-reader.patch - #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch +ApplyPatch htmldoc-build-fix.patch + # END OF PATCH APPLICATIONS %endif @@ -2293,6 +2278,9 @@ fi # and build. %changelog +* Tue Apr 02 2013 Justin M. Forbes - 3.9.0-0.rc5.git0.1 +- Linux v3.9-rc5 + * Mon Apr 01 2013 Josh Boyer - Enable CONFIG_MCE_INJECT (rhbz 927353) diff --git a/serial-460800.patch b/serial-460800.patch index 0e68378e7..bdae70e31 100644 --- a/serial-460800.patch +++ b/serial-460800.patch @@ -1,7 +1,7 @@ diff --git a/drivers/serial/8250.c b/drivers/serial/8250.c index 2209620..659c1bb 100644 ---- a/drivers/tty/serial/8250/8250.c -+++ b/drivers/tty/serial/8250/8250.c +--- a/drivers/tty/serial/8250/8250_core.c ++++ b/drivers/tty/serial/8250/8250_core.c @@ -7,6 +7,9 @@ * * Copyright (C) 2001 Russell King. diff --git a/sources b/sources index 24acb5b33..9eae90e95 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -8106d3a1c94ea6eb726e62c167a794da patch-3.9-rc4.xz +0f6de99ae977b38feb460fbd4e1288a3 patch-3.9-rc5.xz From e2fe0f96bd3e03b16a558b222914882199bb69b8 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 2 Apr 2013 12:00:46 -0400 Subject: [PATCH 041/468] Enable CONFIG_SCSI_DMX3191D (rhbz 919874) --- config-generic | 2 +- kernel.spec | 5 ++++- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/config-generic b/config-generic index d0000b4ac..c9754dd14 100644 --- a/config-generic +++ b/config-generic @@ -457,7 +457,7 @@ CONFIG_SCSI_ARCMSR=m CONFIG_SCSI_BUSLOGIC=m CONFIG_SCSI_INITIO=m CONFIG_SCSI_FLASHPOINT=y -# CONFIG_SCSI_DMX3191D is not set +CONFIG_SCSI_DMX3191D=m # CONFIG_SCSI_EATA is not set # CONFIG_SCSI_EATA_PIO is not set # CONFIG_SCSI_FUTURE_DOMAIN is not set diff --git a/kernel.spec b/kernel.spec index 1d986fa84..151839832 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2278,6 +2278,9 @@ fi # and build. %changelog +* Tue Apr 02 2013 Josh Boyer +- Enable CONFIG_SCSI_DMX3191D (rhbz 919874) + * Tue Apr 02 2013 Justin M. Forbes - 3.9.0-0.rc5.git0.1 - Linux v3.9-rc5 From 7d8fdd730ac26ee56d4e2cd310d681510fdf2129 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 2 Apr 2013 15:33:22 -0400 Subject: [PATCH 042/468] Resolves: bz 928024 --- forcedeth-dma-error-check.patch | 134 ++++++++++++++++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 143 insertions(+) create mode 100644 forcedeth-dma-error-check.patch diff --git a/forcedeth-dma-error-check.patch b/forcedeth-dma-error-check.patch new file mode 100644 index 000000000..563fe87e0 --- /dev/null +++ b/forcedeth-dma-error-check.patch @@ -0,0 +1,134 @@ +From e33f52b67b45dd95b973260c54c6ef207ee44f84 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Tue, 26 Mar 2013 14:36:56 -0400 +Subject: [PATCH] forcedeth: Do a dma_mapping_error check after + skb_frag_dma_map + +This backtrace was recently reported on a 3.9 kernel: + +Actual results: from syslog /var/log/messsages: +kernel: [17539.340285] ------------[ cut here ]------------ +kernel: [17539.341012] WARNING: at lib/dma-debug.c:937 check_unmap+0x493/0x960() +kernel: [17539.341012] Hardware name: MS-7125 +kernel: [17539.341012] forcedeth 0000:00:0a.0: DMA-API: device driver failed to +check map error[device address=0x0000000013c88000] [size=544 bytes] [mapped as +page] +kernel: [17539.341012] Modules linked in: fuse ebtable_nat ipt_MASQUERADE +nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_nat nf_nat_ipv6 +ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat +nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack +nf_conntrack bnep bluetooth rfkill ebtable_filter ebtables ip6table_filter +ip6_tables snd_hda_codec_hdmi snd_cmipci snd_mpu401_uart snd_hda_intel +snd_intel8x0 snd_opl3_lib snd_ac97_codec gameport snd_hda_codec snd_rawmidi +ac97_bus snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer snd +k8temp soundcore serio_raw i2c_nforce2 forcedeth ata_generic pata_acpi nouveau +video mxm_wmi wmi i2c_algo_bit drm_kms_helper ttm drm i2c_core sata_sil pata_amd +sata_nv uinput +kernel: [17539.341012] Pid: 17340, comm: sshd Not tainted +3.9.0-0.rc4.git0.1.fc19.i686.PAE #1 +kernel: [17539.341012] Call Trace: +kernel: [17539.341012] [] warn_slowpath_common+0x6c/0xa0 +kernel: [17539.341012] [] ? check_unmap+0x493/0x960 +kernel: [17539.341012] [] ? check_unmap+0x493/0x960 +kernel: [17539.341012] [] warn_slowpath_fmt+0x33/0x40 +kernel: [17539.341012] [] check_unmap+0x493/0x960 +kernel: [17539.341012] [] ? sched_clock_cpu+0xdf/0x150 +kernel: [17539.341012] [] debug_dma_unmap_page+0x67/0x70 +kernel: [17539.341012] [] nv_unmap_txskb.isra.32+0x92/0x100 + +Its pretty plainly the result of an skb fragment getting unmapped without having +its initial mapping operation checked for errors. This patch corrects that + +Signed-off-by: Neil Horman +CC: "David S. Miller" +--- + drivers/net/ethernet/nvidia/forcedeth.c | 41 ++++++++++++++++++++++++++++++++- + 1 file changed, 40 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/nvidia/forcedeth.c b/drivers/net/ethernet/nvidia/forcedeth.c +index b62262c..5ae1247 100644 +--- a/drivers/net/ethernet/nvidia/forcedeth.c ++++ b/drivers/net/ethernet/nvidia/forcedeth.c +@@ -2200,6 +2200,7 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) + struct ring_desc *start_tx; + struct ring_desc *prev_tx; + struct nv_skb_map *prev_tx_ctx; ++ struct nv_skb_map *tmp_tx_ctx = NULL, *start_tx_ctx = NULL; + unsigned long flags; + + /* add fragments to entries count */ +@@ -2261,12 +2262,31 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) + do { + prev_tx = put_tx; + prev_tx_ctx = np->put_tx_ctx; ++ if (!start_tx_ctx) ++ start_tx_ctx = tmp_tx_ctx = np->put_tx_ctx; ++ + bcnt = (frag_size > NV_TX2_TSO_MAX_SIZE) ? NV_TX2_TSO_MAX_SIZE : frag_size; + np->put_tx_ctx->dma = skb_frag_dma_map( + &np->pci_dev->dev, + frag, offset, + bcnt, + DMA_TO_DEVICE); ++ if (dma_mapping_error(&np->pci_dev->dev, np->put_tx_ctx->dma)) { ++ ++ /* Unwind the mapped fragments */ ++ do { ++ nv_unmap_txskb(np, start_tx_ctx); ++ if (unlikely(tmp_tx_ctx++ == np->last_tx_ctx)) ++ tmp_tx_ctx = np->first_tx_ctx; ++ } while (tmp_tx_ctx != np->put_tx_ctx); ++ kfree_skb(skb); ++ np->put_tx_ctx = start_tx_ctx; ++ u64_stats_update_begin(&np->swstats_tx_syncp); ++ np->stat_tx_dropped++; ++ u64_stats_update_end(&np->swstats_tx_syncp); ++ return NETDEV_TX_OK; ++ } ++ + np->put_tx_ctx->dma_len = bcnt; + np->put_tx_ctx->dma_single = 0; + put_tx->buf = cpu_to_le32(np->put_tx_ctx->dma); +@@ -2327,7 +2347,8 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, + struct ring_desc_ex *start_tx; + struct ring_desc_ex *prev_tx; + struct nv_skb_map *prev_tx_ctx; +- struct nv_skb_map *start_tx_ctx; ++ struct nv_skb_map *start_tx_ctx = NULL; ++ struct nv_skb_map *tmp_tx_ctx = NULL; + unsigned long flags; + + /* add fragments to entries count */ +@@ -2392,11 +2413,29 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, + prev_tx = put_tx; + prev_tx_ctx = np->put_tx_ctx; + bcnt = (frag_size > NV_TX2_TSO_MAX_SIZE) ? NV_TX2_TSO_MAX_SIZE : frag_size; ++ if (!start_tx_ctx) ++ start_tx_ctx = tmp_tx_ctx = np->put_tx_ctx; + np->put_tx_ctx->dma = skb_frag_dma_map( + &np->pci_dev->dev, + frag, offset, + bcnt, + DMA_TO_DEVICE); ++ ++ if (dma_mapping_error(&np->pci_dev->dev, np->put_tx_ctx->dma)) { ++ ++ /* Unwind the mapped fragments */ ++ do { ++ nv_unmap_txskb(np, start_tx_ctx); ++ if (unlikely(tmp_tx_ctx++ == np->last_tx_ctx)) ++ tmp_tx_ctx = np->first_tx_ctx; ++ } while (tmp_tx_ctx != np->put_tx_ctx); ++ kfree_skb(skb); ++ np->put_tx_ctx = start_tx_ctx; ++ u64_stats_update_begin(&np->swstats_tx_syncp); ++ np->stat_tx_dropped++; ++ u64_stats_update_end(&np->swstats_tx_syncp); ++ return NETDEV_TX_OK; ++ } + np->put_tx_ctx->dma_len = bcnt; + np->put_tx_ctx->dma_single = 0; + put_tx->bufhigh = cpu_to_le32(dma_high(np->put_tx_ctx->dma)); +-- +1.7.11.7 + diff --git a/kernel.spec b/kernel.spec index 151839832..fdc83efc3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,6 +748,9 @@ Patch23006: fix-child-thread-introspection.patch Patch23007: htmldoc-build-fix.patch +#rhbz 928024 +Patch23008: forcedeth-dma-error-check.patch + # END OF PATCH DEFINITIONS %endif @@ -1446,6 +1449,9 @@ ApplyPatch fix-child-thread-introspection.patch ApplyPatch htmldoc-build-fix.patch +#rhbz 928024 +ApplyPatch forcedeth-dma-error-check.patch + # END OF PATCH APPLICATIONS %endif @@ -2278,6 +2284,9 @@ fi # and build. %changelog +* Tue Apr 02 2013 Neil Horman +- Fix dma debug error on unmap (rhbz 928024) + * Tue Apr 02 2013 Josh Boyer - Enable CONFIG_SCSI_DMX3191D (rhbz 919874) From d837c754a7281a3f393fef138ac3c2edbbb12dbb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 2 Apr 2013 16:21:07 -0400 Subject: [PATCH 043/468] Enable CONFIG_FB_MATROX_G on powerpc --- config-powerpc-generic | 1 + kernel.spec | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config-powerpc-generic b/config-powerpc-generic index 2ef1da559..b6df88ea8 100644 --- a/config-powerpc-generic +++ b/config-powerpc-generic @@ -39,6 +39,7 @@ CONFIG_FB_OF=y # CONFIG_FB_CONTROL is not set CONFIG_FB_IBM_GXT4500=y CONFIG_FB_MATROX=y +CONFIG_FB_MATROX_G=y # CONFIG_FB_VGA16 is not set CONFIG_FB_ATY128_BACKLIGHT=y CONFIG_FB_ATY_BACKLIGHT=y diff --git a/kernel.spec b/kernel.spec index fdc83efc3..6d4827674 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2284,6 +2284,9 @@ fi # and build. %changelog +* Tue Apr 02 2013 Josh Boyer +- Enable CONFIG_FB_MATROX_G on powerpc + * Tue Apr 02 2013 Neil Horman - Fix dma debug error on unmap (rhbz 928024) From f545817e3c410f58a8da69a3ae06ff71a4b2f1cd Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 2 Apr 2013 15:25:06 -0500 Subject: [PATCH 044/468] Linux v3.9-rc5-108-g118c9a4 --- cfg80211-mac80211-disconnect-on-suspend.patch | 6 +- kernel.spec | 14 ++--- ...ont-restart-sta-timer-if-not-running.patch | 55 ------------------- sources | 1 + 4 files changed, 10 insertions(+), 66 deletions(-) delete mode 100644 mac80211-Dont-restart-sta-timer-if-not-running.patch diff --git a/cfg80211-mac80211-disconnect-on-suspend.patch b/cfg80211-mac80211-disconnect-on-suspend.patch index 92ab492ce..b3180fb54 100644 --- a/cfg80211-mac80211-disconnect-on-suspend.patch +++ b/cfg80211-mac80211-disconnect-on-suspend.patch @@ -141,16 +141,16 @@ diff --git a/net/wireless/core.h b/net/wireless/core.h index 9a2be8d..d5d06fd 100644 --- a/net/wireless/core.h +++ b/net/wireless/core.h -@@ -500,6 +500,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev, +@@ -503,6 +503,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev, void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, enum nl80211_iftype iftype, int num); +void cfg80211_leave(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev); + - #define CFG80211_MAX_NUM_DIFFERENT_CHANNELS 10 + void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev, + struct wireless_dev *wdev); - #ifdef CONFIG_CFG80211_DEVELOPER_WARNINGS diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h index 8c8b26f..d77e1c1 100644 --- a/net/wireless/rdev-ops.h diff --git a/kernel.spec b/kernel.spec index 6d4827674..2fde86c4e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 5 # The git snapshot level -%define gitrev 0 +%define gitrev 1 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -731,9 +731,6 @@ Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch -#rhbz 920218 -Patch21276: mac80211-Dont-restart-sta-timer-if-not-running.patch - #rhbz 859282 Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch @@ -1441,9 +1438,6 @@ ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch #rhbz 859282 ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch -#rhbz 920218 -ApplyPatch mac80211-Dont-restart-sta-timer-if-not-running.patch - #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch @@ -2284,6 +2278,10 @@ fi # and build. %changelog +* Tue Apr 02 2013 Justin M. Forbes - 3.9.0-0.rc5.git1.301 +- Linux v3.9-rc5-108-g118c9a4 +- Reenable debugging options. + * Tue Apr 02 2013 Josh Boyer - Enable CONFIG_FB_MATROX_G on powerpc diff --git a/mac80211-Dont-restart-sta-timer-if-not-running.patch b/mac80211-Dont-restart-sta-timer-if-not-running.patch deleted file mode 100644 index 7727ad8f2..000000000 --- a/mac80211-Dont-restart-sta-timer-if-not-running.patch +++ /dev/null @@ -1,55 +0,0 @@ -From: Ben Greear - -I found another crash when deleting lots of virtual stations -in a congested environment. I think the problem is that -the ieee80211_mlme_notify_scan_completed could call -ieee80211_restart_sta_timer for a stopped interface -that was about to be deleted. Fix similar problem for -mesh interfaces as well. - -Signed-off-by: Ben Greear ---- -v4: Fix up mesh as well, add check in calling code instead of - in the methods that mucks iwth the timers. - -:100644 100644 67fcfdf... 02e3d75... M net/mac80211/mesh.c -:100644 100644 aec786d... 1d237e9... M net/mac80211/mlme.c - net/mac80211/mesh.c | 3 ++- - net/mac80211/mlme.c | 3 ++- - 2 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/mac80211/mesh.c b/net/mac80211/mesh.c -index 67fcfdf..02e3d75 100644 ---- a/net/mac80211/mesh.c -+++ b/net/mac80211/mesh.c -@@ -779,7 +779,8 @@ void ieee80211_mesh_notify_scan_completed(struct ieee80211_local *local) - - rcu_read_lock(); - list_for_each_entry_rcu(sdata, &local->interfaces, list) -- if (ieee80211_vif_is_mesh(&sdata->vif)) -+ if (ieee80211_sdata_running(sdata) -+ && ieee80211_vif_is_mesh(&sdata->vif)) - ieee80211_queue_work(&local->hw, &sdata->work); - rcu_read_unlock(); - } -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index aec786d..1d237e9 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -3054,7 +3054,8 @@ void ieee80211_mlme_notify_scan_completed(struct ieee80211_local *local) - /* Restart STA timers */ - rcu_read_lock(); - list_for_each_entry_rcu(sdata, &local->interfaces, list) -- ieee80211_restart_sta_timer(sdata); -+ if (ieee80211_sdata_running(sdata)) -+ ieee80211_restart_sta_timer(sdata); - rcu_read_unlock(); - } - --- -1.7.3.4 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/sources b/sources index 9eae90e95..fb4253d3b 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 0f6de99ae977b38feb460fbd4e1288a3 patch-3.9-rc5.xz +becd731256239cc2f08c9edcc0b72f23 patch-3.9-rc5-git1.xz From 925399a2635da6ed2a8dacb4667243551908c617 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 3 Apr 2013 11:55:29 +0100 Subject: [PATCH 045/468] Add upstream usb-next OMAP patch to fix usb on omap/mvebu --- arm-omap-ehci-fix.patch | 190 ++++++++++++++++++++++++++ arm-omap-fix-usb-mvebu-conflict.patch | 85 ------------ config-armv7 | 1 - config-armv7-lpae | 2 +- kernel.spec | 7 +- 5 files changed, 196 insertions(+), 89 deletions(-) create mode 100644 arm-omap-ehci-fix.patch delete mode 100644 arm-omap-fix-usb-mvebu-conflict.patch diff --git a/arm-omap-ehci-fix.patch b/arm-omap-ehci-fix.patch new file mode 100644 index 000000000..f6fc0a934 --- /dev/null +++ b/arm-omap-ehci-fix.patch @@ -0,0 +1,190 @@ +From 54a419668b0f27b7982807fb2376d237e0a0ce05 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 12 Mar 2013 10:44:39 +0000 +Subject: USB: EHCI: split ehci-omap out to a separate driver + +This patch (as1645) converts ehci-omap over to the new "ehci-hcd is a +library" approach, so that it can coexist peacefully with other EHCI +platform drivers and can make use of the private area allocated at +the end of struct ehci_hcd. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +--- +diff --git a/drivers/usb/host/Kconfig b/drivers/usb/host/Kconfig +index c59a112..62f4e9a 100644 +--- a/drivers/usb/host/Kconfig ++++ b/drivers/usb/host/Kconfig +@@ -155,7 +155,7 @@ config USB_EHCI_MXC + Variation of ARC USB block used in some Freescale chips. + + config USB_EHCI_HCD_OMAP +- bool "EHCI support for OMAP3 and later chips" ++ tristate "EHCI support for OMAP3 and later chips" + depends on USB_EHCI_HCD && ARCH_OMAP + default y + ---help--- +diff --git a/drivers/usb/host/Makefile b/drivers/usb/host/Makefile +index 001fbff..56de410 100644 +--- a/drivers/usb/host/Makefile ++++ b/drivers/usb/host/Makefile +@@ -27,6 +27,7 @@ obj-$(CONFIG_USB_EHCI_HCD) += ehci-hcd.o + obj-$(CONFIG_USB_EHCI_PCI) += ehci-pci.o + obj-$(CONFIG_USB_EHCI_HCD_PLATFORM) += ehci-platform.o + obj-$(CONFIG_USB_EHCI_MXC) += ehci-mxc.o ++obj-$(CONFIG_USB_EHCI_HCD_OMAP) += ehci-omap.o + + obj-$(CONFIG_USB_OXU210HP_HCD) += oxu210hp-hcd.o + obj-$(CONFIG_USB_ISP116X_HCD) += isp116x-hcd.o +diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c +index b416a3f..303b022 100644 +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -1252,11 +1252,6 @@ MODULE_LICENSE ("GPL"); + #define PLATFORM_DRIVER ehci_hcd_sh_driver + #endif + +-#ifdef CONFIG_USB_EHCI_HCD_OMAP +-#include "ehci-omap.c" +-#define PLATFORM_DRIVER ehci_hcd_omap_driver +-#endif +- + #ifdef CONFIG_PPC_PS3 + #include "ehci-ps3.c" + #define PS3_SYSTEM_BUS_DRIVER ps3_ehci_driver +@@ -1346,6 +1341,7 @@ MODULE_LICENSE ("GPL"); + !IS_ENABLED(CONFIG_USB_EHCI_HCD_PLATFORM) && \ + !IS_ENABLED(CONFIG_USB_CHIPIDEA_HOST) && \ + !IS_ENABLED(CONFIG_USB_EHCI_MXC) && \ ++ !IS_ENABLED(CONFIG_USB_EHCI_HCD_OMAP) && \ + !defined(PLATFORM_DRIVER) && \ + !defined(PS3_SYSTEM_BUS_DRIVER) && \ + !defined(OF_PLATFORM_DRIVER) && \ +diff --git a/drivers/usb/host/ehci-omap.c b/drivers/usb/host/ehci-omap.c +index 0555ee4..fa66757 100644 +--- a/drivers/usb/host/ehci-omap.c ++++ b/drivers/usb/host/ehci-omap.c +@@ -36,6 +36,9 @@ + * - convert to use hwmod and runtime PM + */ + ++#include ++#include ++#include + #include + #include + #include +@@ -43,6 +46,10 @@ + #include + #include + #include ++#include ++#include ++ ++#include "ehci.h" + + #include + +@@ -57,9 +64,11 @@ + #define EHCI_INSNREG05_ULPI_EXTREGADD_SHIFT 8 + #define EHCI_INSNREG05_ULPI_WRDATA_SHIFT 0 + +-/*-------------------------------------------------------------------------*/ ++#define DRIVER_DESC "OMAP-EHCI Host Controller driver" + +-static const struct hc_driver ehci_omap_hc_driver; ++static const char hcd_name[] = "ehci-omap"; ++ ++/*-------------------------------------------------------------------------*/ + + + static inline void ehci_write(void __iomem *base, u32 reg, u32 val) +@@ -166,6 +175,12 @@ static void disable_put_regulator( + /* configure so an HC device and id are always provided */ + /* always called with process context; sleeping is OK */ + ++static struct hc_driver __read_mostly ehci_omap_hc_driver; ++ ++static const struct ehci_driver_overrides ehci_omap_overrides __initdata = { ++ .reset = omap_ehci_init, ++}; ++ + /** + * ehci_hcd_omap_probe - initialize TI-based HCDs + * +@@ -315,56 +330,33 @@ static struct platform_driver ehci_hcd_omap_driver = { + /*.suspend = ehci_hcd_omap_suspend, */ + /*.resume = ehci_hcd_omap_resume, */ + .driver = { +- .name = "ehci-omap", ++ .name = hcd_name, + } + }; + + /*-------------------------------------------------------------------------*/ + +-static const struct hc_driver ehci_omap_hc_driver = { +- .description = hcd_name, +- .product_desc = "OMAP-EHCI Host Controller", +- .hcd_priv_size = sizeof(struct ehci_hcd), +- +- /* +- * generic hardware linkage +- */ +- .irq = ehci_irq, +- .flags = HCD_MEMORY | HCD_USB2, +- +- /* +- * basic lifecycle operations +- */ +- .reset = omap_ehci_init, +- .start = ehci_run, +- .stop = ehci_stop, +- .shutdown = ehci_shutdown, +- +- /* +- * managing i/o requests and associated device resources +- */ +- .urb_enqueue = ehci_urb_enqueue, +- .urb_dequeue = ehci_urb_dequeue, +- .endpoint_disable = ehci_endpoint_disable, +- .endpoint_reset = ehci_endpoint_reset, ++static int __init ehci_omap_init(void) ++{ ++ if (usb_disabled()) ++ return -ENODEV; + +- /* +- * scheduling support +- */ +- .get_frame_number = ehci_get_frame, ++ pr_info("%s: " DRIVER_DESC "\n", hcd_name); + +- /* +- * root hub support +- */ +- .hub_status_data = ehci_hub_status_data, +- .hub_control = ehci_hub_control, +- .bus_suspend = ehci_bus_suspend, +- .bus_resume = ehci_bus_resume, ++ ehci_init_driver(&ehci_omap_hc_driver, &ehci_omap_overrides); ++ return platform_driver_register(&ehci_hcd_omap_driver); ++} ++module_init(ehci_omap_init); + +- .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete, +-}; ++static void __exit ehci_omap_cleanup(void) ++{ ++ platform_driver_unregister(&ehci_hcd_omap_driver); ++} ++module_exit(ehci_omap_cleanup); + + MODULE_ALIAS("platform:ehci-omap"); + MODULE_AUTHOR("Texas Instruments, Inc."); + MODULE_AUTHOR("Felipe Balbi "); + ++MODULE_DESCRIPTION(DRIVER_DESC); ++MODULE_LICENSE("GPL"); +-- +cgit v0.9.1 diff --git a/arm-omap-fix-usb-mvebu-conflict.patch b/arm-omap-fix-usb-mvebu-conflict.patch deleted file mode 100644 index 7ef76619f..000000000 --- a/arm-omap-fix-usb-mvebu-conflict.patch +++ /dev/null @@ -1,85 +0,0 @@ ---- linux-3.9.0-0.rc3.git1.4.fc19.x86_64/drivers/usb/host/ehci-hcd.c.orig 2013-03-23 18:52:52.576674960 +0000 -+++ linux-3.9.0-0.rc3.git1.4.fc19.x86_64/drivers/usb/host/ehci-hcd.c 2013-03-24 12:46:49.149621810 +0000 -@@ -1252,7 +1252,7 @@ - - #ifdef CONFIG_USB_EHCI_HCD_OMAP - #include "ehci-omap.c" --#define PLATFORM_DRIVER ehci_hcd_omap_driver -+#define OMAP_PLATFORM_DRIVER ehci_hcd_omap_driver - #endif - - #ifdef CONFIG_PPC_PS3 -@@ -1272,7 +1272,7 @@ - - #ifdef CONFIG_PLAT_ORION - #include "ehci-orion.c" --#define PLATFORM_DRIVER ehci_orion_driver -+#define ORION_PLATFORM_DRIVER ehci_orion_driver - #endif - - #ifdef CONFIG_USB_W90X900_EHCI -@@ -1384,6 +1384,12 @@ - goto clean0; - #endif - -+#ifdef ORION_PLATFORM_DRIVER -+ retval = platform_driver_register(&ORION_PLATFORM_DRIVER); -+ if (retval < 0) -+ goto clean1; -+#endif -+ - #ifdef PS3_SYSTEM_BUS_DRIVER - retval = ps3_ehci_driver_register(&PS3_SYSTEM_BUS_DRIVER); - if (retval < 0) -@@ -1401,10 +1407,20 @@ - if (retval < 0) - goto clean4; - #endif -+ -+#ifdef OMAP_PLATFORM_DRIVER -+ retval = platform_driver_register(&OMAP_PLATFORM_DRIVER); -+ if (retval < 0) -+ goto clean5; -+#endif - return retval; - -+#ifdef OMAP_PLATFORM_DRIVER -+ /* platform_driver_unregister(&OMAP_PLATFORM_DRIVER); */ -+clean5: -+#endif - #ifdef XILINX_OF_PLATFORM_DRIVER -- /* platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); */ -+ platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); - clean4: - #endif - #ifdef OF_PLATFORM_DRIVER -@@ -1415,6 +1431,10 @@ - ps3_ehci_driver_unregister(&PS3_SYSTEM_BUS_DRIVER); - clean2: - #endif -+#ifdef ORION_PLATFORM_DRIVER -+ platform_driver_unregister(&ORION_PLATFORM_DRIVER); -+clean1: -+#endif - #ifdef PLATFORM_DRIVER - platform_driver_unregister(&PLATFORM_DRIVER); - clean0: -@@ -1431,12 +1451,18 @@ - - static void __exit ehci_hcd_cleanup(void) - { -+#ifdef OMAP_PLATFORM_DRIVER -+ platform_driver_unregister(&OMAP_PLATFORM_DRIVER); -+#endif - #ifdef XILINX_OF_PLATFORM_DRIVER - platform_driver_unregister(&XILINX_OF_PLATFORM_DRIVER); - #endif - #ifdef OF_PLATFORM_DRIVER - platform_driver_unregister(&OF_PLATFORM_DRIVER); - #endif -+#ifdef ORION_PLATFORM_DRIVER -+ platform_driver_unregister(&ORION_PLATFORM_DRIVER); -+#endif - #ifdef PLATFORM_DRIVER - platform_driver_unregister(&PLATFORM_DRIVER); - #endif diff --git a/config-armv7 b/config-armv7 index 749406051..507b73225 100644 --- a/config-armv7 +++ b/config-armv7 @@ -441,7 +441,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set -# CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set # CONFIG_ARM_KPROBES_TEST is not set # CONFIG_LEDS_PWM is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index 8732c4bcd..7bae32788 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -57,7 +57,7 @@ CONFIG_VIDEO_SAMSUNG_S5P_G2D=m CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m CONFIG_VIDEO_SAMSUNG_S5P_MFC=m CONFIG_VIDEO_SAMSUNG_EXYNOS_GSC=m -CONFIG_DRM_EXYNOS=m +# CONFIG_DRM_EXYNOS is not set CONFIG_DRM_EXYNOS_IOMMU=y CONFIG_DRM_EXYNOS_DMABUF=y CONFIG_DRM_EXYNOS_FIMD=y diff --git a/kernel.spec b/kernel.spec index 2fde86c4e..50eb74fa7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -703,7 +703,7 @@ Patch21000: arm-export-read_current_timer.patch Patch21001: arm-lpae-ax88796.patch # ARM omap -Patch21002: arm-omap-fix-usb-mvebu-conflict.patch +Patch21002: arm-omap-ehci-fix.patch # ARM tegra Patch21004: arm-tegra-nvec-kconfig.patch @@ -1302,7 +1302,7 @@ ApplyPatch vmbugon-warnon.patch # ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch -# ApplyPatch arm-omap-fix-usb-mvebu-conflict.patch +ApplyPatch arm-omap-ehci-fix.patch # ApplyPatch arm-tegra-nvec-kconfig.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch @@ -2278,6 +2278,9 @@ fi # and build. %changelog +* Wed Apr 3 2013 Peter Robinson +- Add upstream usb-next OMAP patch to fix usb on omap/mvebu + * Tue Apr 02 2013 Justin M. Forbes - 3.9.0-0.rc5.git1.301 - Linux v3.9-rc5-108-g118c9a4 - Reenable debugging options. From 27e9125baeca87e1c39efb456bbff3f5c2b29c64 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 3 Apr 2013 11:38:22 -0500 Subject: [PATCH 046/468] Linux v3.9-rc5-146-gda241ef --- kernel.spec | 8 ++++++-- sources | 2 +- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index 50eb74fa7..0f328de0b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 5 # The git snapshot level -%define gitrev 1 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -2278,6 +2278,10 @@ fi # and build. %changelog +* Wed Apr 03 2013 Justin M. Forbes - 3.9.0-0.rc5.git2.1 +- Linux v3.9-rc5-146-gda241ef +- Drop basrelease back to 1 until 3.9 is out of rc + * Wed Apr 3 2013 Peter Robinson - Add upstream usb-next OMAP patch to fix usb on omap/mvebu diff --git a/sources b/sources index fb4253d3b..97f380802 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 0f6de99ae977b38feb460fbd4e1288a3 patch-3.9-rc5.xz -becd731256239cc2f08c9edcc0b72f23 patch-3.9-rc5-git1.xz +95ce628dbfbc12d7a4397cb917bc0946 patch-3.9-rc5-git2.xz From bbcfe9909e2ab2629dde92bc28816f6e9f309b00 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 3 Apr 2013 14:31:59 -0400 Subject: [PATCH 047/468] Enable MTD_CHAR/MTD_BLOCK (Needed for SFC) Enable 10gigE on 64-bit only. --- config-generic | 13 +++---------- config-x86_64-generic | 21 +++++++++++++++++++++ kernel.spec | 4 ++++ 3 files changed, 28 insertions(+), 10 deletions(-) diff --git a/config-generic b/config-generic index c9754dd14..30419fe7b 100644 --- a/config-generic +++ b/config-generic @@ -1447,16 +1447,9 @@ CONFIG_JME=m # # Ethernet (10000 Mbit) # -CONFIG_IP1000=m -CONFIG_MLX4_EN=m -CONFIG_MLX4_EN_DCB=y -# CONFIG_MLX4_DEBUG is not set -CONFIG_SFC=m -CONFIG_SFC_MCDI_MON=y -CONFIG_SFC_SRIOV=y -CONFIG_SFC_PTP=y - -# CONFIG_SFC_MTD is not set +# CONFIG_IP1000 is not set +# CONFIG_MLX4_EN is not set +# CONFIG_SFC is not set # CONFIG_FDDI is not set # CONFIG_DEFXX is not set diff --git a/config-x86_64-generic b/config-x86_64-generic index 64e5c332a..92f283073 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -136,3 +136,24 @@ CONFIG_CHECKPOINT_RESTORE=y CONFIG_NTB=m CONFIG_NTB_NETDEV=m + +CONFIG_SFC=m +CONFIG_SFC_MCDI_MON=y +CONFIG_SFC_SRIOV=y +CONFIG_SFC_PTP=y + +# 10GigE +# +CONFIG_IP1000=m +CONFIG_MLX4_EN=m +CONFIG_MLX4_EN_DCB=y +# CONFIG_MLX4_DEBUG is not set +CONFIG_SFC=m +CONFIG_SFC_MCDI_MON=y +CONFIG_SFC_SRIOV=y +CONFIG_SFC_PTP=y +CONFIG_SFC_MTD=y +# Override MTD stuff because SFC_MTD needs it +CONFIG_MTD_CHAR=m +CONFIG_MTD_BLOCK=m + diff --git a/kernel.spec b/kernel.spec index 0f328de0b..0c556f1d7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2278,6 +2278,10 @@ fi # and build. %changelog +* Wed Apr 03 2013 Dave Jones +- Enable MTD_CHAR/MTD_BLOCK (Needed for SFC) + Enable 10gigE on 64-bit only. + * Wed Apr 03 2013 Justin M. Forbes - 3.9.0-0.rc5.git2.1 - Linux v3.9-rc5-146-gda241ef - Drop basrelease back to 1 until 3.9 is out of rc From 4f691e90efd9b7bee91f517be4d3ad7d1e18f784 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 5 Apr 2013 11:15:50 -0500 Subject: [PATCH 048/468] Move cpufreq drivers to be modular (rhbz 746372) --- config-x86-generic | 8 ++++---- kernel.spec | 3 +++ 2 files changed, 7 insertions(+), 4 deletions(-) diff --git a/config-x86-generic b/config-x86-generic index bab32a852..357c18ecf 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -98,11 +98,11 @@ CONFIG_ACPI_CUSTOM_METHOD=m CONFIG_ACPI_BGRT=y CONFIG_X86_INTEL_PSTATE=y -CONFIG_X86_ACPI_CPUFREQ=y -CONFIG_X86_PCC_CPUFREQ=y +CONFIG_X86_ACPI_CPUFREQ=m +CONFIG_X86_PCC_CPUFREQ=m CONFIG_X86_ACPI_CPUFREQ_CPB=y -CONFIG_X86_POWERNOW_K8=y -CONFIG_X86_P4_CLOCKMOD=y +CONFIG_X86_POWERNOW_K8=m +CONFIG_X86_P4_CLOCKMOD=m # CONFIG_X86_SPEEDSTEP_CENTRINO is not set # diff --git a/kernel.spec b/kernel.spec index 0c556f1d7..ab08d09bc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2278,6 +2278,9 @@ fi # and build. %changelog +* Fri Apr 05 2013 Justin M. Forbes +- Move cpufreq drivers to be modular (rhbz 746372) + * Wed Apr 03 2013 Dave Jones - Enable MTD_CHAR/MTD_BLOCK (Needed for SFC) Enable 10gigE on 64-bit only. From fdda053dcd2eacacf0520823dbb72e73226eb66e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 8 Apr 2013 10:19:49 -0500 Subject: [PATCH 049/468] Linux v3.9-rc6 --- config-armv7-generic | 1 + config-generic | 8 ++-- config-nodebug | 110 +++++++++++++++++++++---------------------- config-x86-generic | 2 +- kernel.spec | 12 +++-- sources | 3 +- 6 files changed, 70 insertions(+), 66 deletions(-) diff --git a/config-armv7-generic b/config-armv7-generic index 3e17eb532..514b3d1d8 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -454,3 +454,4 @@ CONFIG_PERF_EVENTS=y # CONFIG_DEBUG_LL is not set # CONFIG_IRQ_DOMAIN_DEBUG is not set # CONFIG_DEBUG_PINCTRL is not set +# CONFIG_ARM_ERRATA_798181 is not set diff --git a/config-generic b/config-generic index 30419fe7b..a59044ec3 100644 --- a/config-generic +++ b/config-generic @@ -1549,13 +1549,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3194,7 +3194,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -CONFIG_USB_UAS=m +# CONFIG_USB_UAS is not set # @@ -4186,7 +4186,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index cfabd29c7..aa7568c82 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_SLUB_DEBUG_ON=y +# CONFIG_SLUB_DEBUG_ON is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -CONFIG_DEBUG_SG=y +# CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_WRITECOUNT=y -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_WRITECOUNT is not set +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -CONFIG_X86_PTDUMP=y +# CONFIG_X86_PTDUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_SYSCTL_SYSCALL_CHECK=y +# CONFIG_SYSCTL_SYSCALL_CHECK is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y -CONFIG_DMADEVICES_VDEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set +# CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y -CONFIG_TEST_LIST_SORT=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +# CONFIG_TEST_LIST_SORT is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index 357c18ecf..1308a3414 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -328,7 +328,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index ab08d09bc..22692138c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -93,9 +93,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 5 +%define rcrev 6 # The git snapshot level -%define gitrev 2 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 1 +%define rawhide_skip_docs 0 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -2278,6 +2278,10 @@ fi # and build. %changelog +* Mon Apr 08 2013 Justin M. Forbes - 3.9.0-0.rc6.git0.1 +- Disable debugging options. +- Linux v3.9-rc6 + * Fri Apr 05 2013 Justin M. Forbes - Move cpufreq drivers to be modular (rhbz 746372) diff --git a/sources b/sources index 97f380802..8e757f055 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -0f6de99ae977b38feb460fbd4e1288a3 patch-3.9-rc5.xz -95ce628dbfbc12d7a4397cb917bc0946 patch-3.9-rc5-git2.xz +90a96910b25480f66fe2be4b0dadbb11 patch-3.9-rc6.xz From 27a77e1bafc5fbdd546e3b7004c4a805b85f2ba3 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 9 Apr 2013 09:03:49 +0100 Subject: [PATCH 050/468] Add patch to fix building some ARM tegra modules, Some minor ARM OMAP updates --- arm-tegra-fixclk.patch | 28 +++++++++++++++++++++++++ config-armv7 | 6 +++--- config-armv7-generic | 15 ++++++++++---- config-armv7-lpae | 1 - config-armv7-tegra | 47 ++++++++++++++---------------------------- kernel.spec | 6 ++++++ 6 files changed, 64 insertions(+), 39 deletions(-) create mode 100644 arm-tegra-fixclk.patch diff --git a/arm-tegra-fixclk.patch b/arm-tegra-fixclk.patch new file mode 100644 index 000000000..df0991293 --- /dev/null +++ b/arm-tegra-fixclk.patch @@ -0,0 +1,28 @@ +diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c +index 788486e..2f4d0e3 100644 +--- a/drivers/clk/tegra/clk-periph.c ++++ b/drivers/clk/tegra/clk-periph.c +@@ -18,6 +18,7 @@ + #include + #include + #include ++#include + + #include "clk.h" + +@@ -128,6 +129,7 @@ void tegra_periph_reset_deassert(struct clk *c) + + tegra_periph_reset(gate, 0); + } ++EXPORT_SYMBOL_GPL(tegra_periph_reset_deassert); + + void tegra_periph_reset_assert(struct clk *c) + { +@@ -147,6 +149,7 @@ void tegra_periph_reset_assert(struct clk *c) + + tegra_periph_reset(gate, 1); + } ++EXPORT_SYMBOL_GPL(tegra_periph_reset_assert); + + const struct clk_ops tegra_clk_periph_ops = { + .get_parent = clk_periph_get_parent, diff --git a/config-armv7 b/config-armv7 index 507b73225..dc80b797c 100644 --- a/config-armv7 +++ b/config-armv7 @@ -163,8 +163,9 @@ CONFIG_BACKLIGHT_PANDORA=m CONFIG_USB_EHCI_HCD_OMAP=y CONFIG_USB_OHCI_HCD_OMAP3=y CONFIG_USB_MUSB_AM35X=m -CONFIG_USB_MUSB_OMAP2PLUS=y -CONFIG_USB_MUSB_HDRC=y +CONFIG_USB_MUSB_OMAP2PLUS=m +CONFIG_USB_MUSB_HDRC=m +CONFIG_USB_GADGET_MUSB_HDRC=m # CONFIG_MUSB_PIO_ONLY is not set # CONFIG_USB_MUSB_DEBUG is not set CONFIG_OMAP_CONTROL_USB=m @@ -492,5 +493,4 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_CHARGER_MANAGER is not set # CONFIG_POWER_RESET_QNAP is not set # CONFIG_POWER_RESET_RESTART is not set -# CONFIG_ARM_PSCI is not set # CONFIG_OMAP2_DSS_DEBUG is not set diff --git a/config-armv7-generic b/config-armv7-generic index 514b3d1d8..883e8ffaf 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -9,8 +9,6 @@ CONFIG_AEABI=y CONFIG_VFP=y CONFIG_VFPv3=y CONFIG_NEON=y -CONFIG_ZBOOT_ROM_TEXT=0x0 -CONFIG_ZBOOT_ROM_BSS=0x0 CONFIG_ARM_UNWIND=y CONFIG_ARM_THUMB=y CONFIG_ARM_THUMBEE=y @@ -26,6 +24,13 @@ CONFIG_AUTO_ZRELADDR=y CONFIG_EARLY_PRINTK=y CONFIG_ATAGS=y CONFIG_ATAGS_PROC=y +CONFIG_ZBOOT_ROM_TEXT=0x0 +CONFIG_ZBOOT_ROM_BSS=0x0 + +CONFIG_XZ_DEC_ARMTHUMB=y +CONFIG_ARM_ARCH_TIMER=y +CONFIG_ARCH_HAS_TICK_BROADCAST=y +CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y # CONFIG_OABI_COMPAT is not set # CONFIG_FPE_NWFPE is not set @@ -63,6 +68,8 @@ CONFIG_ARM_ERRATA_775420=y # CONFIG_PL310_ERRATA_727915 is not set CONFIG_PL310_ERRATA_753970=y CONFIG_PL310_ERRATA_769419=y +# Cortex-A15 +CONFIG_ARM_ERRATA_798181=y # generic that deviates from or should be merged into config-generic CONFIG_SMP=y @@ -105,7 +112,7 @@ CONFIG_HW_PERF_EVENTS=y CONFIG_UACCESS_WITH_MEMCPY=y CONFIG_CC_STACKPROTECTOR=y -CONFIG_LOG_BUF_SHIFT=14 +CONFIG_LOG_BUF_SHIFT=18 CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y @@ -244,6 +251,7 @@ CONFIG_MPCORE_WATCHDOG=m # Thermal / powersaving CONFIG_THERMAL=y CONFIG_POWER_RESET_RESTART=y +CONFIG_ARM_PSCI=y # MTD CONFIG_MTD_OF_PARTS=y @@ -454,4 +462,3 @@ CONFIG_PERF_EVENTS=y # CONFIG_DEBUG_LL is not set # CONFIG_IRQ_DOMAIN_DEBUG is not set # CONFIG_DEBUG_PINCTRL is not set -# CONFIG_ARM_ERRATA_798181 is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index 7bae32788..9df571d55 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -46,7 +46,6 @@ CONFIG_S3C24XX_PWM=y CONFIG_SOC_EXYNOS5250=y CONFIG_SOC_EXYNOS5440=y CONFIG_MACH_EXYNOS5_DT=y -CONFIG_ARM_PSCI=y CONFIG_ARM_EXYNOS_CPUFREQ=y CONFIG_SERIAL_SAMSUNG=y CONFIG_I2C_S3C2410=m diff --git a/config-armv7-tegra b/config-armv7-tegra index 12235bae7..99d5985fa 100644 --- a/config-armv7-tegra +++ b/config-armv7-tegra @@ -4,6 +4,7 @@ CONFIG_ARCH_TEGRA_2x_SOC=y # CONFIG_ARCH_TEGRA_3x_SOC is not set # CONFIG_ARCH_TEGRA_114_SOC is not set +# CONFIG_NEON is not set # These are supported in the LPAE kernel # CONFIG_ARM_LPAE is not set # CONFIG_XEN is not set @@ -27,7 +28,7 @@ CONFIG_TEGRA_PCI=y CONFIG_TEGRA_IOMMU_GART=y CONFIG_TEGRA_IOMMU_SMMU=y -# CONFIG_I2C_TEGRA is not set +CONFIG_I2C_TEGRA=m # This block is temporary until we work out why the MMC modules don't work as modules CONFIG_MMC=y @@ -37,35 +38,14 @@ CONFIG_MMC_SDHCI_PLTFM=y CONFIG_MMC_SDHCI_OF=y CONFIG_MMC_SDHCI_TEGRA=y -# CONFIG_RCU_BOOST is not set CONFIG_TEGRA_SYSTEM_DMA=y CONFIG_TEGRA_EMC_SCALING_ENABLE=y CONFIG_TEGRA_AHB=y CONFIG_TEGRA20_APB_DMA=y -CONFIG_SPI_TEGRA20_SFLASH=y -CONFIG_SPI_TEGRA20_SLINK=y -CONFIG_ARM_THUMBEE=y -CONFIG_SWP_EMULATE=y -CONFIG_ARM_ERRATA_430973=y -# CONFIG_ARM_ERRATA_458693 is not set -# CONFIG_ARM_ERRATA_460075 is not set -CONFIG_ARM_ERRATA_742230=y -# CONFIG_ARM_ERRATA_742231 is not set -CONFIG_PL310_ERRATA_588369=y -CONFIG_PL310_ERRATA_769419=y -CONFIG_ARM_ERRATA_720789=y -# CONFIG_PL310_ERRATA_727915 is not set -# CONFIG_ARM_ERRATA_743622 is not set -# CONFIG_ARM_ERRATA_751472 is not set -# CONFIG_ARM_ERRATA_753970 is not set -# CONFIG_ARM_ERRATA_754322 is not set -# CONFIG_ARM_ERRATA_754327 is not set -# CONFIG_ARM_ERRATA_764369 is not set -# CONFIG_THUMB2_KERNEL is not set -# CONFIG_NEON is not set -CONFIG_GPIO_GENERIC_PLATFORM=y -# CONFIG_GPIO_MCP23S08 is not set -# CONFIG_KEYBOARD_TEGRA is not set +CONFIG_SPI_TEGRA20_SFLASH=m +CONFIG_SPI_TEGRA20_SLINK=m + +CONFIG_KEYBOARD_TEGRA=m CONFIG_PINCTRL_TEGRA=y CONFIG_PINCTRL_TEGRA20=y CONFIG_PINCTRL_TEGRA30=y @@ -96,14 +76,20 @@ CONFIG_NVEC_PAZ00=y CONFIG_PWM_TEGRA=m -# CONFIG_DRM_TEGRA is not set +CONFIG_CMA=y +# CONFIG_CMA_DEBUG is not set +CONFIG_CMA_SIZE_MBYTES=16 +CONFIG_CMA_SIZE_SEL_MBYTES=y +# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set +# CONFIG_CMA_SIZE_SEL_MIN is not set +# CONFIG_CMA_SIZE_SEL_MAX is not set +CONFIG_CMA_ALIGNMENT=8 +CONFIG_CMA_AREAS=7 -CONFIG_CPU_PM=y -CONFIG_ARM_CPU_SUSPEND=y +CONFIG_DRM_TEGRA=m CONFIG_CRYPTO_DEV_TEGRA_AES=m -CONFIG_PL310_ERRATA_753970=y CONFIG_LEDS_RENESAS_TPU=y CONFIG_OF=y @@ -114,7 +100,6 @@ CONFIG_OF_PCI=y CONFIG_OF_PCI_IRQ=y # CONFIG_DRM_TEGRA_DEBUG is not set -# CONFIG_ARM_PSCI is not set # CONFIG_TI_DAC7512 is not set # CONFIG_SPI_TOPCLIFF_PCH is not set # CONFIG_SPI_DW_PCI is not set diff --git a/kernel.spec b/kernel.spec index 22692138c..e82797ce1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -708,6 +708,7 @@ Patch21002: arm-omap-ehci-fix.patch # ARM tegra Patch21004: arm-tegra-nvec-kconfig.patch Patch21005: arm-tegra-usb-no-reset-linux33.patch +Patch21006: arm-tegra-fixclk.patch #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -1305,6 +1306,7 @@ ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch # ApplyPatch arm-tegra-nvec-kconfig.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch +ApplyPatch arm-tegra-fixclk.patch # # bugfixes to drivers and filesystems @@ -2278,6 +2280,10 @@ fi # and build. %changelog +* Tue Apr 9 2013 Peter Robinson +- Add patch to fix building some ARM tegra modules +- Some minor ARM OMAP updates + * Mon Apr 08 2013 Justin M. Forbes - 3.9.0-0.rc6.git0.1 - Disable debugging options. - Linux v3.9-rc6 From f846a2a17e54edd11e4b1406327fd36a1a499df0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 9 Apr 2013 13:27:49 -0400 Subject: [PATCH 051/468] Update dmesg_restrict patch to v2 --- ...or-dmesg_restrict-sysctl-on-dev-kmsg.patch | 166 +++++++++++++++--- 1 file changed, 141 insertions(+), 25 deletions(-) diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch index acaf5f881..c42c8c4f1 100644 --- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch +++ b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch @@ -1,46 +1,162 @@ -From feaf4959c30d0640093a607c577940d3e9351076 Mon Sep 17 00:00:00 2001 +From ce10d1b72b4da3c98bbbcb1b945687d964c31923 Mon Sep 17 00:00:00 2001 From: Josh Boyer -Date: Fri, 22 Feb 2013 11:47:37 -0500 +Date: Tue, 9 Apr 2013 11:08:13 -0400 Subject: [PATCH] kmsg: Honor dmesg_restrict sysctl on /dev/kmsg -Originally, the addition of the dmesg_restrict covered both the syslog -method of accessing dmesg, as well as /dev/kmsg itself. This was done -indirectly by security_syslog calling cap_syslog before doing any LSM -checks. +The dmesg_restrict sysctl currently covers the syslog method for access +dmesg, however /dev/kmsg isn't covered by the same protections. Most +people haven't noticed because util-linux dmesg(1) defaults to using the +syslog method for access in older versions. With util-linux dmesg(1) +defaults to reading directly from /dev/kmsg. -However, commit 12b3052c3ee (capabilities/syslog: open code cap_syslog -logic to fix build failure) moved the code around and pushed the checks -into the caller itself. That seems to have inadvertently dropped the -checks for dmesg_restrict on /dev/kmsg. Most people haven't noticed -because util-linux dmesg(1) defaults to using the syslog method for -access in older versions. With util-linux 2.22 and a kernel newer than -3.5, dmesg(1) defaults to reading directly from /dev/kmsg. - -Fix this by making an explicit check in the devkmsg_open function. +Fix this by reworking all of the access methods to use the +check_syslog_permissions function and adding checks to devkmsg_open and +devkmsg_read. This fixes https://bugzilla.redhat.com/show_bug.cgi?id=903192 Reported-by: Christian Kujau CC: stable@vger.kernel.org +Signed-off-by: Eric Paris Signed-off-by: Josh Boyer --- - kernel/printk.c | 3 +++ - 1 file changed, 3 insertions(+) + kernel/printk.c | 91 +++++++++++++++++++++++++++++---------------------------- + 1 file changed, 47 insertions(+), 44 deletions(-) diff --git a/kernel/printk.c b/kernel/printk.c -index f24633a..398ef9a 100644 +index abbdd9e..5541095 100644 --- a/kernel/printk.c +++ b/kernel/printk.c -@@ -615,6 +615,9 @@ static int devkmsg_open(struct inode *inode, struct file *file) - struct devkmsg_user *user; - int err; +@@ -368,6 +368,46 @@ static void log_store(int facility, int level, + log_next_seq++; + } -+ if (dmesg_restrict && !capable(CAP_SYSLOG)) -+ return -EACCES; ++#ifdef CONFIG_SECURITY_DMESG_RESTRICT ++int dmesg_restrict = 1; ++#else ++int dmesg_restrict; ++#endif + - /* write-only does not need any file context */ ++static int syslog_action_restricted(int type) ++{ ++ if (dmesg_restrict) ++ return 1; ++ /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ ++ return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; ++} ++ ++static int check_syslog_permissions(int type, bool from_file) ++{ ++ /* ++ * If this is from /proc/kmsg and we've already opened it, then we've ++ * already done the capabilities checks at open time. ++ */ ++ if (from_file && type != SYSLOG_ACTION_OPEN) ++ goto ok; ++ ++ if (syslog_action_restricted(type)) { ++ if (capable(CAP_SYSLOG)) ++ goto ok; ++ /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ ++ if (capable(CAP_SYS_ADMIN)) { ++ printk_once(KERN_WARNING "%s (%d): " ++ "Attempt to access syslog with CAP_SYS_ADMIN " ++ "but no CAP_SYSLOG (deprecated).\n", ++ current->comm, task_pid_nr(current)); ++ goto ok; ++ } ++ return -EPERM; ++ } ++ok: ++ return security_syslog(type); ++} ++ + /* /dev/kmsg - userspace message inject/listen interface */ + struct devkmsg_user { + u64 seq; +@@ -443,10 +483,16 @@ static ssize_t devkmsg_read(struct file *file, char __user *buf, + char cont = '-'; + size_t len; + ssize_t ret; ++ int err; + + if (!user) + return -EBADF; + ++ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, ++ SYSLOG_FROM_FILE); ++ if (err) ++ return err; ++ + ret = mutex_lock_interruptible(&user->lock); + if (ret) + return ret; +@@ -624,7 +670,7 @@ static int devkmsg_open(struct inode *inode, struct file *file) if ((file->f_flags & O_ACCMODE) == O_WRONLY) return 0; + +- err = security_syslog(SYSLOG_ACTION_READ_ALL); ++ err = check_syslog_permissions(SYSLOG_ACTION_OPEN, SYSLOG_FROM_FILE); + if (err) + return err; + +@@ -817,45 +863,6 @@ static inline void boot_delay_msec(int level) + } + #endif + +-#ifdef CONFIG_SECURITY_DMESG_RESTRICT +-int dmesg_restrict = 1; +-#else +-int dmesg_restrict; +-#endif +- +-static int syslog_action_restricted(int type) +-{ +- if (dmesg_restrict) +- return 1; +- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ +- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; +-} +- +-static int check_syslog_permissions(int type, bool from_file) +-{ +- /* +- * If this is from /proc/kmsg and we've already opened it, then we've +- * already done the capabilities checks at open time. +- */ +- if (from_file && type != SYSLOG_ACTION_OPEN) +- return 0; +- +- if (syslog_action_restricted(type)) { +- if (capable(CAP_SYSLOG)) +- return 0; +- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ +- if (capable(CAP_SYS_ADMIN)) { +- printk_once(KERN_WARNING "%s (%d): " +- "Attempt to access syslog with CAP_SYS_ADMIN " +- "but no CAP_SYSLOG (deprecated).\n", +- current->comm, task_pid_nr(current)); +- return 0; +- } +- return -EPERM; +- } +- return 0; +-} +- + #if defined(CONFIG_PRINTK_TIME) + static bool printk_time = 1; + #else +@@ -1131,10 +1138,6 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) + if (error) + goto out; + +- error = security_syslog(type); +- if (error) +- return error; +- + switch (type) { + case SYSLOG_ACTION_CLOSE: /* Close log */ + break; -- -1.8.1.2 +1.8.1.4 From 5af864752e9ec7acef126fdf34e05819fcde1b4d Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Wed, 10 Apr 2013 21:40:27 -0400 Subject: [PATCH 052/468] drm/qxl update qxl driver to v1.4 --- drm-qxl-driver.patch | 115 +++++++++++++++++++++++++++++++++---------- 1 file changed, 89 insertions(+), 26 deletions(-) diff --git a/drm-qxl-driver.patch b/drm-qxl-driver.patch index 6a6bf111d..72341a8c7 100644 --- a/drm-qxl-driver.patch +++ b/drm-qxl-driver.patch @@ -1,7 +1,7 @@ -From 1a401a749cb1f06e637ef0e91fb8c120963aa356 Mon Sep 17 00:00:00 2001 +From bb57317d5f86a60fd5dd98b3f82241c47ae2cc5d Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Mon, 25 Feb 2013 14:47:55 +1000 -Subject: [PATCH 2/2] drm: add new QXL driver. (v1.3) +Subject: [PATCH] drm: add new QXL driver. (v1.4) QXL is a paravirtual graphics device used by the Spice virtual desktop interface. @@ -28,6 +28,7 @@ v1.1: fixup some issues in the ioctl interface with padding v1.2: add module device table v1.3: fix nomodeset, fbcon leak, dumb bo create, release ring irq, don't try flush release ring (broken hw), fix -modesetting. +v1.4: fbcon cpu usage reduction + suitable accel flags. Signed-off-by: Alon Levy Signed-off-by: Dave Airlie @@ -40,14 +41,14 @@ Signed-off-by: Dave Airlie drivers/gpu/drm/qxl/qxl_debugfs.c | 135 ++++++ drivers/gpu/drm/qxl/qxl_dev.h | 879 ++++++++++++++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_display.c | 981 ++++++++++++++++++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_draw.c | 384 +++++++++++++++ + drivers/gpu/drm/qxl/qxl_draw.c | 390 +++++++++++++++ drivers/gpu/drm/qxl/qxl_drv.c | 145 ++++++ drivers/gpu/drm/qxl/qxl_drv.h | 566 ++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_dumb.c | 93 ++++ drivers/gpu/drm/qxl/qxl_fb.c | 567 ++++++++++++++++++++++ drivers/gpu/drm/qxl/qxl_fence.c | 97 ++++ drivers/gpu/drm/qxl/qxl_gem.c | 178 +++++++ - drivers/gpu/drm/qxl/qxl_image.c | 120 +++++ + drivers/gpu/drm/qxl/qxl_image.c | 176 +++++++ drivers/gpu/drm/qxl/qxl_ioctl.c | 411 ++++++++++++++++ drivers/gpu/drm/qxl/qxl_irq.c | 97 ++++ drivers/gpu/drm/qxl/qxl_kms.c | 302 ++++++++++++ @@ -57,7 +58,7 @@ Signed-off-by: Dave Airlie drivers/gpu/drm/qxl/qxl_ttm.c | 577 ++++++++++++++++++++++ include/uapi/drm/Kbuild | 1 + include/uapi/drm/qxl_drm.h | 152 ++++++ - 25 files changed, 7198 insertions(+) + 25 files changed, 7260 insertions(+) create mode 100644 drivers/gpu/drm/qxl/Kconfig create mode 100644 drivers/gpu/drm/qxl/Makefile create mode 100644 drivers/gpu/drm/qxl/qxl_cmd.c @@ -2860,10 +2861,10 @@ index 0000000..c80ddfe +} diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c new file mode 100644 -index 0000000..7d5396d2 +index 0000000..3c8c3db --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_draw.c -@@ -0,0 +1,384 @@ +@@ -0,0 +1,390 @@ +/* + * Copyright 2011 Red Hat, Inc. + * @@ -3029,17 +3030,23 @@ index 0000000..7d5396d2 + ret = qxl_image_create(qdev, release, &image_bo, + (const uint8_t *)src, 0, 0, + width, height, depth, stride); -+ QXL_INFO(qdev, "image_bo offset %llx\n", -+ image_bo->tbo.addr_space_offset - DRM_FILE_OFFSET); ++ if (ret) { ++ qxl_release_unreserve(qdev, release); ++ qxl_release_free(qdev, release); ++ return; ++ } ++ + if (depth == 1) { + struct qxl_bo *palette_bo; -+ ++ void *ptr; + ret = qxl_palette_create_1bit(&palette_bo, qxl_fb_image); + qxl_release_add_res(qdev, release, palette_bo); -+ ret = qxl_bo_kmap(image_bo, (void **)&image); ++ ++ ptr = qxl_bo_kmap_atomic_page(qdev, image_bo, 0); ++ image = ptr; + image->u.bitmap.palette = + qxl_bo_physical_address(qdev, palette_bo, 0); -+ qxl_bo_kunmap(image_bo); ++ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr); + qxl_bo_unreserve(palette_bo); + qxl_bo_unref(&palette_bo); + } @@ -3134,7 +3141,7 @@ index 0000000..7d5396d2 + + ret = qxl_bo_kmap(bo, (void **)&surface_base); + if (ret) -+ return; ++ goto out_unref; + + ret = qxl_image_create(qdev, release, &image_bo, surface_base, + left, top, width, height, depth, stride); @@ -4072,7 +4079,7 @@ index 0000000..847c4ee +} diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c new file mode 100644 -index 0000000..0c5067d +index 0000000..232b52b --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_fb.c @@ -0,0 +1,567 @@ @@ -4493,7 +4500,7 @@ index 0000000..0c5067d + + drm_fb_helper_fill_fix(info, fb->pitches[0], fb->depth); + -+ info->flags = FBINFO_DEFAULT; ++ info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_COPYAREA | FBINFO_HWACCEL_FILLRECT; + info->fbops = &qxlfb_ops; + + /* @@ -4932,10 +4939,10 @@ index 0000000..adc1ee2 +} diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c new file mode 100644 -index 0000000..7fc7204 +index 0000000..cf85620 --- /dev/null +++ b/drivers/gpu/drm/qxl/qxl_image.c -@@ -0,0 +1,120 @@ +@@ -0,0 +1,176 @@ +/* + * Copyright 2013 Red Hat Inc. + * @@ -4983,6 +4990,7 @@ index 0000000..7fc7204 + int linesize = width * depth / 8; + struct qxl_bo *chunk_bo; + int ret; ++ void *ptr; + /* Chunk */ + /* FIXME: Check integer overflow */ + /* TODO: variable number of chunks */ @@ -4991,23 +4999,77 @@ index 0000000..7fc7204 + first) */ + ret = qxl_alloc_bo_reserved(qdev, sizeof(*chunk) + height * chunk_stride, + &chunk_bo); -+ ret = qxl_bo_kmap(chunk_bo, (void **)&chunk); ++ ++ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, 0); ++ chunk = ptr; + chunk->data_size = height * chunk_stride; + chunk->prev_chunk = 0; + chunk->next_chunk = 0; ++ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); ++ ++ { ++ void *k_data, *i_data; ++ int remain; ++ int page; ++ int size; ++ if (stride == linesize && chunk_stride == stride) { ++ remain = linesize * height; ++ page = 0; ++ i_data = (void *)data; ++ ++ while (remain > 0) { ++ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, page << PAGE_SHIFT); ++ ++ if (page == 0) { ++ chunk = ptr; ++ k_data = chunk->data; ++ size = PAGE_SIZE - offsetof(struct qxl_data_chunk, data); ++ } else { ++ k_data = ptr; ++ size = PAGE_SIZE; ++ } ++ size = min(size, remain); ++ ++ memcpy(k_data, i_data, size); ++ ++ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); ++ i_data += size; ++ remain -= size; ++ page++; ++ } ++ } else { ++ unsigned page_base, page_offset, out_offset; ++ for (i = 0 ; i < height ; ++i) { ++ i_data = (void *)data + i * stride; ++ remain = linesize; ++ out_offset = offsetof(struct qxl_data_chunk, data) + i * chunk_stride; ++ ++ while (remain > 0) { ++ page_base = out_offset & PAGE_MASK; ++ page_offset = offset_in_page(out_offset); ++ ++ size = min((int)(PAGE_SIZE - page_offset), remain); ++ ++ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, page_base); ++ k_data = ptr + page_offset; ++ memcpy(k_data, i_data, size); ++ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); ++ remain -= size; ++ i_data += size; ++ out_offset += size; ++ } ++ } ++ } ++ } + -+ if (stride == linesize && chunk_stride == stride) -+ memcpy(chunk->data, data, linesize * height); -+ else -+ for (i = 0 ; i < height ; ++i) -+ memcpy(chunk->data + i*chunk_stride, data + i*stride, -+ linesize); + + qxl_bo_kunmap(chunk_bo); + + /* Image */ + ret = qxl_alloc_bo_reserved(qdev, sizeof(*image), image_bo); -+ qxl_bo_kmap(*image_bo, (void **)&image); ++ ++ ptr = qxl_bo_kmap_atomic_page(qdev, *image_bo, 0); ++ image = ptr; + + image->descriptor.id = 0; + image->descriptor.type = SPICE_IMAGE_TYPE_BITMAP; @@ -5041,7 +5103,8 @@ index 0000000..7fc7204 + qxl_bo_unreserve(chunk_bo); + qxl_bo_unref(&chunk_bo); + -+ qxl_bo_kunmap(*image_bo); ++ qxl_bo_kunmap_atomic_page(qdev, *image_bo, ptr); ++ + return 0; +} + From 10bc23bf57a839aa6cea260285de791c6ab512f1 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Thu, 11 Apr 2013 12:07:53 -0400 Subject: [PATCH 053/468] Print out some extra debug information when we hit bad page tables. --- debug-bad-pte-dmi.patch | 64 +++++++++++++++++++++++++++++++++++++ debug-bad-pte-modules.patch | 20 ++++++++++++ kernel.spec | 9 ++++++ 3 files changed, 93 insertions(+) create mode 100644 debug-bad-pte-dmi.patch create mode 100644 debug-bad-pte-modules.patch diff --git a/debug-bad-pte-dmi.patch b/debug-bad-pte-dmi.patch new file mode 100644 index 000000000..0552cb34f --- /dev/null +++ b/debug-bad-pte-dmi.patch @@ -0,0 +1,64 @@ +diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/include/asm-generic/bug.h linux-dj/include/asm-generic/bug.h +--- /home/davej/src/kernel/git-trees/linux/include/asm-generic/bug.h 2013-01-04 18:57:12.604282214 -0500 ++++ linux-dj/include/asm-generic/bug.h 2013-02-28 20:04:37.649304147 -0500 +@@ -55,6 +55,8 @@ struct bug_entry { + #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while(0) + #endif + ++void print_hardware_dmi_name(void); ++ + /* + * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report + * significant issues that need prompt attention if they should ever +diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/kernel/panic.c linux-dj/kernel/panic.c +--- /home/davej/src/kernel/git-trees/linux/kernel/panic.c 2013-02-26 14:41:18.544116674 -0500 ++++ linux-dj/kernel/panic.c 2013-02-28 20:04:37.666304115 -0500 +@@ -397,16 +397,22 @@ struct slowpath_args { + va_list args; + }; + +-static void warn_slowpath_common(const char *file, int line, void *caller, +- unsigned taint, struct slowpath_args *args) ++void print_hardware_dmi_name(void) + { + const char *board; + +- printk(KERN_WARNING "------------[ cut here ]------------\n"); +- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); + board = dmi_get_system_info(DMI_PRODUCT_NAME); + if (board) + printk(KERN_WARNING "Hardware name: %s\n", board); ++} ++ ++static void warn_slowpath_common(const char *file, int line, void *caller, ++ unsigned taint, struct slowpath_args *args) ++{ ++ printk(KERN_WARNING "------------[ cut here ]------------\n"); ++ printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); ++ ++ print_hardware_dmi_name(); + + if (args) + vprintk(args->fmt, args->args); +diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/mm/memory.c linux-dj/mm/memory.c +--- /home/davej/src/kernel/git-trees/linux/mm/memory.c 2013-02-26 14:41:18.591116577 -0500 ++++ linux-dj/mm/memory.c 2013-02-28 20:04:37.678304092 -0500 +@@ -705,6 +706,8 @@ static void print_bad_pte(struct vm_area + "BUG: Bad page map in process %s pte:%08llx pmd:%08llx\n", + current->comm, + (long long)pte_val(pte), (long long)pmd_val(*pmd)); ++ print_hardware_dmi_name(); ++ + if (page) + dump_page(page); + printk(KERN_ALERT +--- linux-dj/mm/page_alloc.c~ 2013-04-11 11:47:12.536675503 -0400 ++++ linux-dj/mm/page_alloc.c 2013-04-11 11:47:16.416667806 -0400 +@@ -321,6 +321,7 @@ static void bad_page(struct page *page) + current->comm, page_to_pfn(page)); + dump_page(page); + ++ print_hardware_dmi_name(); + print_modules(); + dump_stack(); + out: diff --git a/debug-bad-pte-modules.patch b/debug-bad-pte-modules.patch new file mode 100644 index 000000000..88ca28043 --- /dev/null +++ b/debug-bad-pte-modules.patch @@ -0,0 +1,20 @@ +diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/mm/memory.c linux-dj/mm/memory.c +--- /home/davej/src/kernel/git-trees/linux/mm/memory.c 2013-02-26 14:41:18.591116577 -0500 ++++ linux-dj/mm/memory.c 2013-02-28 20:04:37.678304092 -0500 +@@ -57,6 +57,7 @@ + #include + #include + #include ++#include + #include + #include + +@@ -719,6 +722,7 @@ static void print_bad_pte(struct vm_area + if (vma->vm_file && vma->vm_file->f_op) + print_symbol(KERN_ALERT "vma->vm_file->f_op->mmap: %s\n", + (unsigned long)vma->vm_file->f_op->mmap); ++ print_modules(); + dump_stack(); + add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); + } + diff --git a/kernel.spec b/kernel.spec index e82797ce1..0f1c1e39e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -638,6 +638,9 @@ Patch100: taint-vbox.patch Patch110: vmbugon-warnon.patch +Patch200: debug-bad-pte-dmi.patch +Patch201: debug-bad-pte-modules.patch + Patch390: defaults-acpi-video.patch Patch391: acpi-video-dos.patch Patch396: acpi-sony-nonvs-blacklist.patch @@ -1295,6 +1298,9 @@ ApplyPatch taint-vbox.patch ApplyPatch vmbugon-warnon.patch +ApplyPatch debug-bad-pte-dmi.patch +ApplyPatch debug-bad-pte-modules.patch + # Architecture patches # x86(-64) @@ -2280,6 +2286,9 @@ fi # and build. %changelog +* Thu Apr 11 2013 Dave Jones +- Print out some extra debug information when we hit bad page tables. + * Tue Apr 9 2013 Peter Robinson - Add patch to fix building some ARM tegra modules - Some minor ARM OMAP updates From 46b15e028119229652927499e6cb00c77cbc4f16 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 11 Apr 2013 11:57:32 -0500 Subject: [PATCH 054/468] Linux v3.9-rc6-36-ge8f2b54 --- config-generic | 8 +- config-nodebug | 110 +++++++++--------- config-x86-generic | 2 +- htmldoc-build-fix.patch | 16 --- kernel.spec | 21 ++-- ...right-function-to-alloc-smp-response.patch | 27 +++++ sources | 1 + 7 files changed, 102 insertions(+), 83 deletions(-) delete mode 100644 htmldoc-build-fix.patch create mode 100644 libsas-use-right-function-to-alloc-smp-response.patch diff --git a/config-generic b/config-generic index a59044ec3..30419fe7b 100644 --- a/config-generic +++ b/config-generic @@ -1549,13 +1549,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -# CONFIG_B43_DEBUG is not set +CONFIG_B43_DEBUG=y CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -# CONFIG_B43LEGACY_DEBUG is not set +CONFIG_B43LEGACY_DEBUG=y CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3194,7 +3194,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -# CONFIG_USB_UAS is not set +CONFIG_USB_UAS=m # @@ -4186,7 +4186,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -# CONFIG_PM_TEST_SUSPEND is not set +CONFIG_PM_TEST_SUSPEND=y CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index aa7568c82..cfabd29c7 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -# CONFIG_DEBUG_ATOMIC_SLEEP is not set +CONFIG_DEBUG_ATOMIC_SLEEP=y -# CONFIG_DEBUG_MUTEXES is not set -# CONFIG_DEBUG_RT_MUTEXES is not set -# CONFIG_DEBUG_LOCK_ALLOC is not set -# CONFIG_PROVE_LOCKING is not set -# CONFIG_DEBUG_SPINLOCK is not set -# CONFIG_PROVE_RCU is not set +CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_RT_MUTEXES=y +CONFIG_DEBUG_LOCK_ALLOC=y +CONFIG_PROVE_LOCKING=y +CONFIG_DEBUG_SPINLOCK=y +CONFIG_PROVE_RCU=y # CONFIG_PROVE_RCU_REPEATEDLY is not set -# CONFIG_DEBUG_PER_CPU_MAPS is not set +CONFIG_DEBUG_PER_CPU_MAPS=y CONFIG_CPUMASK_OFFSTACK=y -# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set +CONFIG_CPU_NOTIFIER_ERROR_INJECT=m -# CONFIG_FAULT_INJECTION is not set -# CONFIG_FAILSLAB is not set -# CONFIG_FAIL_PAGE_ALLOC is not set -# CONFIG_FAIL_MAKE_REQUEST is not set -# CONFIG_FAULT_INJECTION_DEBUG_FS is not set -# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set -# CONFIG_FAIL_IO_TIMEOUT is not set -# CONFIG_FAIL_MMC_REQUEST is not set +CONFIG_FAULT_INJECTION=y +CONFIG_FAILSLAB=y +CONFIG_FAIL_PAGE_ALLOC=y +CONFIG_FAIL_MAKE_REQUEST=y +CONFIG_FAULT_INJECTION_DEBUG_FS=y +CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y +CONFIG_FAIL_IO_TIMEOUT=y +CONFIG_FAIL_MMC_REQUEST=y -# CONFIG_SLUB_DEBUG_ON is not set +CONFIG_SLUB_DEBUG_ON=y -# CONFIG_LOCK_STAT is not set +CONFIG_LOCK_STAT=y -# CONFIG_DEBUG_STACK_USAGE is not set +CONFIG_DEBUG_STACK_USAGE=y -# CONFIG_ACPI_DEBUG is not set +CONFIG_ACPI_DEBUG=y # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -# CONFIG_DEBUG_SG is not set +CONFIG_DEBUG_SG=y # CONFIG_DEBUG_PAGEALLOC is not set -# CONFIG_DEBUG_WRITECOUNT is not set -# CONFIG_DEBUG_OBJECTS is not set +CONFIG_DEBUG_WRITECOUNT=y +CONFIG_DEBUG_OBJECTS=y # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -# CONFIG_DEBUG_OBJECTS_FREE is not set -# CONFIG_DEBUG_OBJECTS_TIMERS is not set -# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set +CONFIG_DEBUG_OBJECTS_FREE=y +CONFIG_DEBUG_OBJECTS_TIMERS=y +CONFIG_DEBUG_OBJECTS_RCU_HEAD=y CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -# CONFIG_X86_PTDUMP is not set +CONFIG_X86_PTDUMP=y -# CONFIG_CAN_DEBUG_DEVICES is not set +CONFIG_CAN_DEBUG_DEVICES=y -# CONFIG_MODULE_FORCE_UNLOAD is not set +CONFIG_MODULE_FORCE_UNLOAD=y -# CONFIG_SYSCTL_SYSCALL_CHECK is not set +CONFIG_SYSCTL_SYSCALL_CHECK=y -# CONFIG_DEBUG_NOTIFIERS is not set +CONFIG_DEBUG_NOTIFIERS=y -# CONFIG_DMA_API_DEBUG is not set +CONFIG_DMA_API_DEBUG=y -# CONFIG_MMIOTRACE is not set +CONFIG_MMIOTRACE=y -# CONFIG_DEBUG_CREDENTIALS is not set +CONFIG_DEBUG_CREDENTIALS=y # off in both production debug and nodebug builds, # on in rawhide nodebug builds -# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set +CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y -# CONFIG_EXT4_DEBUG is not set +CONFIG_EXT4_DEBUG=y -# CONFIG_DEBUG_PERF_USE_VMALLOC is not set +CONFIG_DEBUG_PERF_USE_VMALLOC=y -# CONFIG_JBD2_DEBUG is not set +CONFIG_JBD2_DEBUG=y -# CONFIG_NFSD_FAULT_INJECTION is not set +CONFIG_NFSD_FAULT_INJECTION=y -# CONFIG_DEBUG_BLK_CGROUP is not set +CONFIG_DEBUG_BLK_CGROUP=y -# CONFIG_DRBD_FAULT_INJECTION is not set +CONFIG_DRBD_FAULT_INJECTION=y -# CONFIG_ATH_DEBUG is not set -# CONFIG_CARL9170_DEBUGFS is not set -# CONFIG_IWLWIFI_DEVICE_TRACING is not set +CONFIG_ATH_DEBUG=y +CONFIG_CARL9170_DEBUGFS=y +CONFIG_IWLWIFI_DEVICE_TRACING=y -# CONFIG_DEBUG_OBJECTS_WORK is not set +CONFIG_DEBUG_OBJECTS_WORK=y -# CONFIG_DMADEVICES_DEBUG is not set -# CONFIG_DMADEVICES_VDEBUG is not set +CONFIG_DMADEVICES_DEBUG=y +CONFIG_DMADEVICES_VDEBUG=y CONFIG_PM_ADVANCED_DEBUG=y -# CONFIG_CEPH_LIB_PRETTYDEBUG is not set -# CONFIG_QUOTA_DEBUG is not set +CONFIG_CEPH_LIB_PRETTYDEBUG=y +CONFIG_QUOTA_DEBUG=y CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set -# CONFIG_TEST_LIST_SORT is not set +CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y +CONFIG_TEST_LIST_SORT=y -# CONFIG_DETECT_HUNG_TASK is not set +CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set +CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y -# CONFIG_DEBUG_KMEMLEAK is not set +CONFIG_DEBUG_KMEMLEAK=y CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index 1308a3414..357c18ecf 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -328,7 +328,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -# CONFIG_MAXSMP is not set +CONFIG_MAXSMP=y CONFIG_HP_ILO=m diff --git a/htmldoc-build-fix.patch b/htmldoc-build-fix.patch deleted file mode 100644 index 424246c1b..000000000 --- a/htmldoc-build-fix.patch +++ /dev/null @@ -1,16 +0,0 @@ -htmldocs will fail, because device-drivers.tmpl references the -non-existant file 8250.c (which got renamed to 8250_core.c) - -Signed-off-by: Kyle McMartin - ---- a/Documentation/DocBook/device-drivers.tmpl -+++ b/Documentation/DocBook/device-drivers.tmpl -@@ -227,7 +227,7 @@ X!Isound/sound_firmware.c - - 16x50 UART Driver - !Edrivers/tty/serial/serial_core.c --!Edrivers/tty/serial/8250/8250.c -+!Edrivers/tty/serial/8250/8250_core.c - - - diff --git a/kernel.spec b/kernel.spec index 0f1c1e39e..6ae68357b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -95,7 +95,7 @@ Summary: The Linux kernel # The rc snapshot level %define rcrev 6 # The git snapshot level -%define gitrev 0 +%define gitrev 2 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 1 +%define debugbuildsenabled 0 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 0 +%define rawhide_skip_docs 1 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -747,11 +747,12 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch #rhbz 927469 Patch23006: fix-child-thread-introspection.patch -Patch23007: htmldoc-build-fix.patch - #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch +#rhbz 949875 +Patch23007: libsas-use-right-function-to-alloc-smp-response.patch + # END OF PATCH DEFINITIONS %endif @@ -1449,11 +1450,12 @@ ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -ApplyPatch htmldoc-build-fix.patch - #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch +#rhbz 949875 +ApplyPatch libsas-use-right-function-to-alloc-smp-response.patch + # END OF PATCH APPLICATIONS %endif @@ -2286,6 +2288,11 @@ fi # and build. %changelog +* Thu Apr 11 2013 Justin M. Forbes - 3.9.0-0.rc6.git2 +- Linux v3.9-rc6-115-g7ee32a6 +- libsas: use right function to alloc smp response (rhbz 949875) +- Reenable debugging options. + * Thu Apr 11 2013 Dave Jones - Print out some extra debug information when we hit bad page tables. diff --git a/libsas-use-right-function-to-alloc-smp-response.patch b/libsas-use-right-function-to-alloc-smp-response.patch new file mode 100644 index 000000000..4c96ca2f8 --- /dev/null +++ b/libsas-use-right-function-to-alloc-smp-response.patch @@ -0,0 +1,27 @@ +From 95c9f4d4da6c4e445a9dd58c8382356520ea91a0 Mon Sep 17 00:00:00 2001 +From: John Gong +Date: Wed, 06 Mar 2013 02:43:03 +0000 +Subject: [SCSI] libsas: use right function to alloc smp response + +In fact the disc_resp buffer will be overwrite by smp response, so we never +found this typo, correct it by using the right one. + +Signed-off-by: John Gong +Signed-off-by: Jack Wang +Signed-off-by: James Bottomley +--- +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index aec2e0d..588affd 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -388,7 +388,7 @@ int sas_ex_phy_discover(struct domain_device *dev, int single) + if (!disc_req) + return -ENOMEM; + +- disc_resp = alloc_smp_req(DISCOVER_RESP_SIZE); ++ disc_resp = alloc_smp_resp(DISCOVER_RESP_SIZE); + if (!disc_resp) { + kfree(disc_req); + return -ENOMEM; +-- +cgit v0.9.1 diff --git a/sources b/sources index 8e757f055..137e963ba 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz 90a96910b25480f66fe2be4b0dadbb11 patch-3.9-rc6.xz +49d9958e0959003f50c14140ed399339 patch-3.9-rc6-git2.xz From a6e2f8f0bee7062571067b2a9f7b3df3141798c3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 12 Apr 2013 11:52:38 -0400 Subject: [PATCH 055/468] Enable CONFIG_LDM_PARTITION (rhbz 948636) --- config-generic | 3 ++- kernel.spec | 5 ++++- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/config-generic b/config-generic index 30419fe7b..8822fb79d 100644 --- a/config-generic +++ b/config-generic @@ -3829,7 +3829,8 @@ CONFIG_AMIGA_PARTITION=y CONFIG_BSD_DISKLABEL=y CONFIG_EFI_PARTITION=y CONFIG_KARMA_PARTITION=y -# CONFIG_LDM_PARTITION is not set +CONFIG_LDM_PARTITION=y +# CONFIG_LDM_DEBUG is not set CONFIG_MAC_PARTITION=y CONFIG_MSDOS_PARTITION=y CONFIG_MINIX_SUBPARTITION=y diff --git a/kernel.spec b/kernel.spec index 6ae68357b..aefc99122 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2288,6 +2288,9 @@ fi # and build. %changelog +* Fri Apr 12 2013 Josh Boyer +- Enable CONFIG_LDM_PARTITION (rhbz 948636) + * Thu Apr 11 2013 Justin M. Forbes - 3.9.0-0.rc6.git2 - Linux v3.9-rc6-115-g7ee32a6 - libsas: use right function to alloc smp response (rhbz 949875) From 9ce432e40a94dc11bff995ed59f7a5ff9ffdb8ce Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sun, 14 Apr 2013 23:40:15 +0100 Subject: [PATCH 056/468] drop obsolete tegra patch --- arm-tegra-nvec-kconfig.patch | 10 ---------- kernel.spec | 2 -- 2 files changed, 12 deletions(-) delete mode 100644 arm-tegra-nvec-kconfig.patch diff --git a/arm-tegra-nvec-kconfig.patch b/arm-tegra-nvec-kconfig.patch deleted file mode 100644 index 64aa9f8e3..000000000 --- a/arm-tegra-nvec-kconfig.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- linux-3.8.0-0.rc2.git1.1.fc19.x86_64/drivers/staging/nvec/Kconfig.orig 2013-01-07 11:04:43.493510550 +0000 -+++ linux-3.8.0-0.rc2.git1.1.fc19.x86_64/drivers/staging/nvec/Kconfig 2013-01-07 11:14:18.186033211 +0000 -@@ -1,6 +1,6 @@ - config MFD_NVEC - bool "NV Tegra Embedded Controller SMBus Interface" -- depends on I2C && GPIOLIB && ARCH_TEGRA -+ depends on I2C && GPIOLIB && ARCH_TEGRA && MFD_CORE - select MFD_CORE - help - Say Y here to enable support for a nVidia compliant embedded diff --git a/kernel.spec b/kernel.spec index aefc99122..75f484e16 100644 --- a/kernel.spec +++ b/kernel.spec @@ -709,7 +709,6 @@ Patch21001: arm-lpae-ax88796.patch Patch21002: arm-omap-ehci-fix.patch # ARM tegra -Patch21004: arm-tegra-nvec-kconfig.patch Patch21005: arm-tegra-usb-no-reset-linux33.patch Patch21006: arm-tegra-fixclk.patch @@ -1311,7 +1310,6 @@ ApplyPatch debug-bad-pte-modules.patch ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch -# ApplyPatch arm-tegra-nvec-kconfig.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch ApplyPatch arm-tegra-fixclk.patch From 0493017c9e88d860c80f0e9121ec9ee4e5953ba4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 15 Apr 2013 16:07:05 -0400 Subject: [PATCH 057/468] Grab fixes for UEFI space issues (rhbz 947142) --- efi-space-fixes.patch | 953 ++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 11 +- 2 files changed, 963 insertions(+), 1 deletion(-) create mode 100644 efi-space-fixes.patch diff --git a/efi-space-fixes.patch b/efi-space-fixes.patch new file mode 100644 index 000000000..d5863e72a --- /dev/null +++ b/efi-space-fixes.patch @@ -0,0 +1,953 @@ +From a6e4d5a03e9e3587e88aba687d8f225f4f04c792 Mon Sep 17 00:00:00 2001 +From: Matt Fleming +Date: Mon, 25 Mar 2013 09:14:30 +0000 +Subject: [PATCH] x86, efivars: firmware bug workarounds should be in platform + code + +Let's not burden ia64 with checks in the common efivars code that we're not +writing too much data to the variable store. That kind of thing is an x86 +firmware bug, plain and simple. + +efi_query_variable_store() provides platforms with a wrapper in which they can +perform checks and workarounds for EFI variable storage bugs. + +Cc: H. Peter Anvin +Cc: Matthew Garrett +Signed-off-by: Matt Fleming +--- + arch/x86/platform/efi/efi.c | 25 +++++++++++++++++++++++++ + drivers/firmware/efivars.c | 18 +++--------------- + include/linux/efi.h | 9 ++++++++- + 3 files changed, 36 insertions(+), 16 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index 5f2ecaf..c89c245 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -999,3 +999,28 @@ u64 efi_mem_attributes(unsigned long phys_addr) + } + return 0; + } ++ ++/* ++ * Some firmware has serious problems when using more than 50% of the EFI ++ * variable store, i.e. it triggers bugs that can brick machines. Ensure that ++ * we never use more than this safe limit. ++ * ++ * Return EFI_SUCCESS if it is safe to write 'size' bytes to the variable ++ * store. ++ */ ++efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) ++{ ++ efi_status_t status; ++ u64 storage_size, remaining_size, max_size; ++ ++ status = efi.query_variable_info(attributes, &storage_size, ++ &remaining_size, &max_size); ++ if (status != EFI_SUCCESS) ++ return status; ++ ++ if (!storage_size || size > remaining_size || size > max_size || ++ (remaining_size - size) < (storage_size / 2)) ++ return EFI_OUT_OF_RESOURCES; ++ ++ return EFI_SUCCESS; ++} +diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c +index 7acafb8..bf15d81 100644 +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -436,24 +436,12 @@ static efi_status_t + check_var_size_locked(struct efivars *efivars, u32 attributes, + unsigned long size) + { +- u64 storage_size, remaining_size, max_size; +- efi_status_t status; + const struct efivar_operations *fops = efivars->ops; + +- if (!efivars->ops->query_variable_info) ++ if (!efivars->ops->query_variable_store) + return EFI_UNSUPPORTED; + +- status = fops->query_variable_info(attributes, &storage_size, +- &remaining_size, &max_size); +- +- if (status != EFI_SUCCESS) +- return status; +- +- if (!storage_size || size > remaining_size || size > max_size || +- (remaining_size - size) < (storage_size / 2)) +- return EFI_OUT_OF_RESOURCES; +- +- return status; ++ return fops->query_variable_store(attributes, size); + } + + +@@ -2131,7 +2119,7 @@ efivars_init(void) + ops.get_variable = efi.get_variable; + ops.set_variable = efi.set_variable; + ops.get_next_variable = efi.get_next_variable; +- ops.query_variable_info = efi.query_variable_info; ++ ops.query_variable_store = efi_query_variable_store; + + error = register_efivars(&__efivars, &ops, efi_kobj); + if (error) +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 9bf2f1f..3d7df3d 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -333,6 +333,7 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, + unsigned long count, + u64 *max_size, + int *reset_type); ++typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long size); + + /* + * EFI Configuration Table and GUID definitions +@@ -575,9 +576,15 @@ extern void efi_enter_virtual_mode (void); /* switch EFI to virtual mode, if pos + #ifdef CONFIG_X86 + extern void efi_late_init(void); + extern void efi_free_boot_services(void); ++extern efi_status_t efi_query_variable_store(u32 attributes, unsigned long size); + #else + static inline void efi_late_init(void) {} + static inline void efi_free_boot_services(void) {} ++ ++static inline efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) ++{ ++ return EFI_SUCCESS; ++} + #endif + extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr); + extern u64 efi_get_iobase (void); +@@ -731,7 +738,7 @@ struct efivar_operations { + efi_get_variable_t *get_variable; + efi_get_next_variable_t *get_next_variable; + efi_set_variable_t *set_variable; +- efi_query_variable_info_t *query_variable_info; ++ efi_query_variable_store_t *query_variable_store; + }; + + struct efivars { +-- +1.8.1.4 + + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.92.6 with SMTP id ci6csp30969oab; + Mon, 15 Apr 2013 13:11:20 -0700 (PDT) +X-Received: by 10.66.233.66 with SMTP id tu2mr16310292pac.12.1366056679639; + Mon, 15 Apr 2013 13:11:19 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id px5si683046pbb.263.2013.04.15.13.11.18; + Mon, 15 Apr 2013 13:11:19 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-efi-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1755430Ab3DOUKG (ORCPT + + 14 others); Mon, 15 Apr 2013 16:10:06 -0400 +Received: from cavan.codon.org.uk ([93.93.128.6]:40554 "EHLO + cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1754223Ab3DOUKF (ORCPT + ); Mon, 15 Apr 2013 16:10:05 -0400 +Received: from 50-0-250-146.dedicated.static.sonic.net ([50.0.250.146] helo=x230.nebula.com) + by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) + (Exim 4.72) + (envelope-from ) + id 1URpiv-00027X-TB; Mon, 15 Apr 2013 21:09:58 +0100 +From: Matthew Garrett +To: matt.fleming@intel.com +Cc: linux-efi@vger.kernel.org, x86@kernel.org, + linux-kernel@vger.kernel.org, + Matthew Garrett +Subject: [PATCH V6 1/3] Move utf16 functions to kernel core and rename +Date: Mon, 15 Apr 2013 13:09:45 -0700 +Message-Id: <1366056587-24414-2-git-send-email-matthew.garrett@nebula.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1366056587-24414-1-git-send-email-matthew.garrett@nebula.com> +References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> + <1366056587-24414-1-git-send-email-matthew.garrett@nebula.com> +X-SA-Do-Not-Run: Yes +X-SA-Exim-Connect-IP: 50.0.250.146 +X-SA-Exim-Mail-From: matthew.garrett@nebula.com +X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false +Sender: linux-efi-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-efi@vger.kernel.org + +We want to be able to use the utf16 functions that are currently present +in the EFI variables code in platform-specific code as well. Move them to +the kernel core, and in the process rename them to accurately describe what +they do - they don't handle UTF16, only UCS2. + +Signed-off-by: Matthew Garrett +--- + drivers/firmware/Kconfig | 1 + + drivers/firmware/efivars.c | 80 ++++++++++----------------------------------- + include/linux/ucs2_string.h | 14 ++++++++ + lib/Kconfig | 3 ++ + lib/Makefile | 2 ++ + lib/ucs2_string.c | 51 +++++++++++++++++++++++++++++ + 6 files changed, 89 insertions(+), 62 deletions(-) + create mode 100644 include/linux/ucs2_string.h + create mode 100644 lib/ucs2_string.c + +diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig +index 42c759a..3e53200 100644 +--- a/drivers/firmware/Kconfig ++++ b/drivers/firmware/Kconfig +@@ -39,6 +39,7 @@ config FIRMWARE_MEMMAP + config EFI_VARS + tristate "EFI Variable Support via sysfs" + depends on EFI ++ select UCS2_STRING + default n + help + If you say Y here, you are able to get EFI (Extensible Firmware +diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c +index bf15d81..182ce94 100644 +--- a/drivers/firmware/efivars.c ++++ b/drivers/firmware/efivars.c +@@ -80,6 +80,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -172,51 +173,6 @@ static void efivar_update_sysfs_entries(struct work_struct *); + static DECLARE_WORK(efivar_work, efivar_update_sysfs_entries); + static bool efivar_wq_enabled = true; + +-/* Return the number of unicode characters in data */ +-static unsigned long +-utf16_strnlen(efi_char16_t *s, size_t maxlength) +-{ +- unsigned long length = 0; +- +- while (*s++ != 0 && length < maxlength) +- length++; +- return length; +-} +- +-static inline unsigned long +-utf16_strlen(efi_char16_t *s) +-{ +- return utf16_strnlen(s, ~0UL); +-} +- +-/* +- * Return the number of bytes is the length of this string +- * Note: this is NOT the same as the number of unicode characters +- */ +-static inline unsigned long +-utf16_strsize(efi_char16_t *data, unsigned long maxlength) +-{ +- return utf16_strnlen(data, maxlength/sizeof(efi_char16_t)) * sizeof(efi_char16_t); +-} +- +-static inline int +-utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len) +-{ +- while (1) { +- if (len == 0) +- return 0; +- if (*a < *b) +- return -1; +- if (*a > *b) +- return 1; +- if (*a == 0) /* implies *b == 0 */ +- return 0; +- a++; +- b++; +- len--; +- } +-} +- + static bool + validate_device_path(struct efi_variable *var, int match, u8 *buffer, + unsigned long len) +@@ -268,7 +224,7 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, + u16 filepathlength; + int i, desclength = 0, namelen; + +- namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName)); ++ namelen = ucs2_strnlen(var->VariableName, sizeof(var->VariableName)); + + /* Either "Boot" or "Driver" followed by four digits of hex */ + for (i = match; i < match+4; i++) { +@@ -291,7 +247,7 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, + * There's no stored length for the description, so it has to be + * found by hand + */ +- desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; ++ desclength = ucs2_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; + + /* Each boot entry must have a descriptor */ + if (!desclength) +@@ -581,7 +537,7 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) + spin_lock_irq(&efivars->lock); + + status = check_var_size_locked(efivars, new_var->Attributes, +- new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); ++ new_var->DataSize + ucs2_strsize(new_var->VariableName, 1024)); + + if (status == EFI_SUCCESS || status == EFI_UNSUPPORTED) + status = efivars->ops->set_variable(new_var->VariableName, +@@ -759,7 +715,7 @@ static ssize_t efivarfs_file_write(struct file *file, + * QueryVariableInfo() isn't supported by the firmware. + */ + +- varsize = datasize + utf16_strsize(var->var.VariableName, 1024); ++ varsize = datasize + ucs2_strsize(var->var.VariableName, 1024); + status = check_var_size(efivars, attributes, varsize); + + if (status != EFI_SUCCESS) { +@@ -1211,7 +1167,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) + + inode = NULL; + +- len = utf16_strlen(entry->var.VariableName); ++ len = ucs2_strlen(entry->var.VariableName); + + /* name, plus '-', plus GUID, plus NUL*/ + name = kmalloc(len + 1 + GUID_LEN + 1, GFP_ATOMIC); +@@ -1469,8 +1425,8 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, + + if (efi_guidcmp(entry->var.VendorGuid, vendor)) + continue; +- if (utf16_strncmp(entry->var.VariableName, efi_name, +- utf16_strlen(efi_name))) { ++ if (ucs2_strncmp(entry->var.VariableName, efi_name, ++ ucs2_strlen(efi_name))) { + /* + * Check if an old format, + * which doesn't support holding +@@ -1482,8 +1438,8 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, + for (i = 0; i < DUMP_NAME_LEN; i++) + efi_name_old[i] = name_old[i]; + +- if (utf16_strncmp(entry->var.VariableName, efi_name_old, +- utf16_strlen(efi_name_old))) ++ if (ucs2_strncmp(entry->var.VariableName, efi_name_old, ++ ucs2_strlen(efi_name_old))) + continue; + } + +@@ -1561,8 +1517,8 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, + * Does this variable already exist? + */ + list_for_each_entry_safe(search_efivar, n, &efivars->list, list) { +- strsize1 = utf16_strsize(search_efivar->var.VariableName, 1024); +- strsize2 = utf16_strsize(new_var->VariableName, 1024); ++ strsize1 = ucs2_strsize(search_efivar->var.VariableName, 1024); ++ strsize2 = ucs2_strsize(new_var->VariableName, 1024); + if (strsize1 == strsize2 && + !memcmp(&(search_efivar->var.VariableName), + new_var->VariableName, strsize1) && +@@ -1578,7 +1534,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, + } + + status = check_var_size_locked(efivars, new_var->Attributes, +- new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); ++ new_var->DataSize + ucs2_strsize(new_var->VariableName, 1024)); + + if (status && status != EFI_UNSUPPORTED) { + spin_unlock_irq(&efivars->lock); +@@ -1602,7 +1558,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, + + /* Create the entry in sysfs. Locking is not required here */ + status = efivar_create_sysfs_entry(efivars, +- utf16_strsize(new_var->VariableName, ++ ucs2_strsize(new_var->VariableName, + 1024), + new_var->VariableName, + &new_var->VendorGuid); +@@ -1632,8 +1588,8 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj, + * Does this variable already exist? + */ + list_for_each_entry_safe(search_efivar, n, &efivars->list, list) { +- strsize1 = utf16_strsize(search_efivar->var.VariableName, 1024); +- strsize2 = utf16_strsize(del_var->VariableName, 1024); ++ strsize1 = ucs2_strsize(search_efivar->var.VariableName, 1024); ++ strsize2 = ucs2_strsize(del_var->VariableName, 1024); + if (strsize1 == strsize2 && + !memcmp(&(search_efivar->var.VariableName), + del_var->VariableName, strsize1) && +@@ -1679,9 +1635,9 @@ static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor) + unsigned long strsize1, strsize2; + bool found = false; + +- strsize1 = utf16_strsize(variable_name, 1024); ++ strsize1 = ucs2_strsize(variable_name, 1024); + list_for_each_entry_safe(entry, n, &efivars->list, list) { +- strsize2 = utf16_strsize(entry->var.VariableName, 1024); ++ strsize2 = ucs2_strsize(entry->var.VariableName, 1024); + if (strsize1 == strsize2 && + !memcmp(variable_name, &(entry->var.VariableName), + strsize2) && +diff --git a/include/linux/ucs2_string.h b/include/linux/ucs2_string.h +new file mode 100644 +index 0000000..cbb20af +--- /dev/null ++++ b/include/linux/ucs2_string.h +@@ -0,0 +1,14 @@ ++#ifndef _LINUX_UCS2_STRING_H_ ++#define _LINUX_UCS2_STRING_H_ ++ ++#include /* for size_t */ ++#include /* for NULL */ ++ ++typedef u16 ucs2_char_t; ++ ++unsigned long ucs2_strnlen(const ucs2_char_t *s, size_t maxlength); ++unsigned long ucs2_strlen(const ucs2_char_t *s); ++unsigned long ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength); ++int ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len); ++ ++#endif /* _LINUX_UCS2_STRING_H_ */ +diff --git a/lib/Kconfig b/lib/Kconfig +index 3958dc4..fe01d41 100644 +--- a/lib/Kconfig ++++ b/lib/Kconfig +@@ -404,4 +404,7 @@ config OID_REGISTRY + help + Enable fast lookup object identifier registry. + ++config UCS2_STRING ++ tristate ++ + endmenu +diff --git a/lib/Makefile b/lib/Makefile +index d7946ff..6e2cc56 100644 +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -174,3 +174,5 @@ quiet_cmd_build_OID_registry = GEN $@ + cmd_build_OID_registry = perl $(srctree)/$(src)/build_OID_registry $< $@ + + clean-files += oid_registry_data.c ++ ++obj-$(CONFIG_UCS2_STRING) += ucs2_string.o +diff --git a/lib/ucs2_string.c b/lib/ucs2_string.c +new file mode 100644 +index 0000000..6f500ef +--- /dev/null ++++ b/lib/ucs2_string.c +@@ -0,0 +1,51 @@ ++#include ++#include ++ ++/* Return the number of unicode characters in data */ ++unsigned long ++ucs2_strnlen(const ucs2_char_t *s, size_t maxlength) ++{ ++ unsigned long length = 0; ++ ++ while (*s++ != 0 && length < maxlength) ++ length++; ++ return length; ++} ++EXPORT_SYMBOL(ucs2_strnlen); ++ ++unsigned long ++ucs2_strlen(const ucs2_char_t *s) ++{ ++ return ucs2_strnlen(s, ~0UL); ++} ++EXPORT_SYMBOL(ucs2_strlen); ++ ++/* ++ * Return the number of bytes is the length of this string ++ * Note: this is NOT the same as the number of unicode characters ++ */ ++unsigned long ++ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength) ++{ ++ return ucs2_strnlen(data, maxlength/sizeof(ucs2_char_t)) * sizeof(ucs2_char_t); ++} ++EXPORT_SYMBOL(ucs2_strsize); ++ ++int ++ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len) ++{ ++ while (1) { ++ if (len == 0) ++ return 0; ++ if (*a < *b) ++ return -1; ++ if (*a > *b) ++ return 1; ++ if (*a == 0) /* implies *b == 0 */ ++ return 0; ++ a++; ++ b++; ++ len--; ++ } ++} ++EXPORT_SYMBOL(ucs2_strncmp); +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-efi" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.92.6 with SMTP id ci6csp21932oab; + Mon, 15 Apr 2013 08:57:40 -0700 (PDT) +X-Received: by 10.66.9.7 with SMTP id v7mr30771745paa.216.1366041459856; + Mon, 15 Apr 2013 08:57:39 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id fd8si20555261pad.17.2013.04.15.08.57.37; + Mon, 15 Apr 2013 08:57:39 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754718Ab3DOPyZ (ORCPT + 99 others); + Mon, 15 Apr 2013 11:54:25 -0400 +Received: from cavan.codon.org.uk ([93.93.128.6]:36679 "EHLO + cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752817Ab3DOPyU (ORCPT + ); + Mon, 15 Apr 2013 11:54:20 -0400 +Received: from mb70536d0.tmodns.net ([208.54.5.183] helo=x230.localdomain) + by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) + (Exim 4.72) + (envelope-from ) + id 1URljM-0005hz-Uk; Mon, 15 Apr 2013 16:54:09 +0100 +From: Matthew Garrett +To: matt.fleming@intel.com +Cc: linux-efi@vger.kernel.org, x86@kernel.org, + linux-kernel@vger.kernel.org, + Matthew Garrett +Subject: [PATCH V5 1/2] efi: Pass boot services variable info to runtime code +Date: Mon, 15 Apr 2013 08:53:46 -0700 +Message-Id: <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> +References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> +X-cavan-blacklisted-at: zen.spamhaus.org +X-SA-Do-Not-Run: Yes +X-SA-Exim-Connect-IP: 208.54.5.183 +X-SA-Exim-Mail-From: matthew.garrett@nebula.com +X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +EFI variables can be flagged as being accessible only within boot services. +This makes it awkward for us to figure out how much space they use at +runtime. In theory we could figure this out by simply comparing the results +from QueryVariableInfo() to the space used by all of our variables, but +that fails if the platform doesn't garbage collect on every boot. Thankfully, +calling QueryVariableInfo() while still inside boot services gives a more +reliable answer. This patch passes that information from the EFI boot stub +up to the efi platform code. + +Signed-off-by: Matthew Garrett +--- + arch/x86/boot/compressed/eboot.c | 47 +++++++++++++++++++++++++++++++++++ + arch/x86/include/asm/efi.h | 7 ++++++ + arch/x86/include/uapi/asm/bootparam.h | 1 + + arch/x86/platform/efi/efi.c | 21 ++++++++++++++++ + 4 files changed, 76 insertions(+) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index c205035..8615f75 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -251,6 +251,51 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) + *size = len; + } + ++static efi_status_t setup_efi_vars(struct boot_params *params) ++{ ++ struct setup_data *data; ++ struct efi_var_bootdata *efidata; ++ u64 store_size, remaining_size, var_size; ++ efi_status_t status; ++ ++ if (!sys_table->runtime->query_variable_info) ++ return EFI_UNSUPPORTED; ++ ++ data = (struct setup_data *)(unsigned long)params->hdr.setup_data; ++ ++ while (data && data->next) ++ data = (struct setup_data *)(unsigned long)data->next; ++ ++ status = efi_call_phys4(sys_table->runtime->query_variable_info, ++ EFI_VARIABLE_NON_VOLATILE | ++ EFI_VARIABLE_BOOTSERVICE_ACCESS | ++ EFI_VARIABLE_RUNTIME_ACCESS, &store_size, ++ &remaining_size, &var_size); ++ ++ if (status != EFI_SUCCESS) ++ return status; ++ ++ status = efi_call_phys3(sys_table->boottime->allocate_pool, ++ EFI_LOADER_DATA, sizeof(*efidata), &efidata); ++ ++ if (status != EFI_SUCCESS) ++ return status; ++ ++ efidata->data.type = SETUP_EFI_VARS; ++ efidata->data.len = sizeof(struct efi_var_bootdata) - ++ sizeof(struct setup_data); ++ efidata->data.next = 0; ++ efidata->store_size = store_size; ++ efidata->remaining_size = remaining_size; ++ efidata->max_var_size = var_size; ++ ++ if (data) ++ data->next = (unsigned long)efidata; ++ else ++ params->hdr.setup_data = (unsigned long)efidata; ++ ++} ++ + static efi_status_t setup_efi_pci(struct boot_params *params) + { + efi_pci_io_protocol *pci; +@@ -1157,6 +1202,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, + + setup_graphics(boot_params); + ++ setup_efi_vars(boot_params); ++ + setup_efi_pci(boot_params); + + status = efi_call_phys3(sys_table->boottime->allocate_pool, +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 60c89f3..2fb5d58 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -102,6 +102,13 @@ extern void efi_call_phys_epilog(void); + extern void efi_unmap_memmap(void); + extern void efi_memory_uc(u64 addr, unsigned long size); + ++struct efi_var_bootdata { ++ struct setup_data data; ++ u64 store_size; ++ u64 remaining_size; ++ u64 max_var_size; ++}; ++ + #ifdef CONFIG_EFI + + static inline bool efi_is_native(void) +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index c15ddaf..0874424 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -6,6 +6,7 @@ + #define SETUP_E820_EXT 1 + #define SETUP_DTB 2 + #define SETUP_PCI 3 ++#define SETUP_EFI_VARS 4 + + /* ram_size flags */ + #define RAMDISK_IMAGE_START_MASK 0x07FF +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index c89c245..e844d82 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -69,6 +69,10 @@ struct efi_memory_map memmap; + static struct efi efi_phys __initdata; + static efi_system_table_t efi_systab __initdata; + ++static u64 efi_var_store_size; ++static u64 efi_var_remaining_size; ++static u64 efi_var_max_var_size; ++ + unsigned long x86_efi_facility; + + /* +@@ -682,6 +686,9 @@ void __init efi_init(void) + char vendor[100] = "unknown"; + int i = 0; + void *tmp; ++ struct setup_data *data; ++ struct efi_var_bootdata *efi_var_data; ++ u64 pa_data; + + #ifdef CONFIG_X86_32 + if (boot_params.efi_info.efi_systab_hi || +@@ -699,6 +706,20 @@ void __init efi_init(void) + if (efi_systab_init(efi_phys.systab)) + return; + ++ pa_data = boot_params.hdr.setup_data; ++ while (pa_data) { ++ data = early_ioremap(pa_data, sizeof(*efi_var_data)); ++ if (data->type == SETUP_EFI_VARS) { ++ efi_var_data = (struct efi_var_bootdata *)data; ++ ++ efi_var_store_size = efi_var_data->store_size; ++ efi_var_remaining_size = efi_var_data->remaining_size; ++ efi_var_max_var_size = efi_var_data->max_var_size; ++ } ++ pa_data = data->next; ++ early_iounmap(data, sizeof(*efi_var_data)); ++ } ++ + set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); + + /* +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.92.6 with SMTP id ci6csp21956oab; + Mon, 15 Apr 2013 08:58:13 -0700 (PDT) +X-Received: by 10.66.118.201 with SMTP id ko9mr29757383pab.81.1366041492585; + Mon, 15 Apr 2013 08:58:12 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id cm3si20556099pad.185.2013.04.15.08.58.11; + Mon, 15 Apr 2013 08:58:12 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-efi-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754177Ab3DOPyX (ORCPT + + 14 others); Mon, 15 Apr 2013 11:54:23 -0400 +Received: from cavan.codon.org.uk ([93.93.128.6]:36680 "EHLO + cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1753076Ab3DOPyU (ORCPT + ); Mon, 15 Apr 2013 11:54:20 -0400 +Received: from mb70536d0.tmodns.net ([208.54.5.183] helo=x230.localdomain) + by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) + (Exim 4.72) + (envelope-from ) + id 1URljO-0005hz-NR; Mon, 15 Apr 2013 16:54:11 +0100 +From: Matthew Garrett +To: matt.fleming@intel.com +Cc: linux-efi@vger.kernel.org, x86@kernel.org, + linux-kernel@vger.kernel.org, + Matthew Garrett +Subject: [PATCH V5 2/2] efi: Distinguish between "remaining space" and actually used space +Date: Mon, 15 Apr 2013 08:53:47 -0700 +Message-Id: <1366041227-17710-2-git-send-email-matthew.garrett@nebula.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> +References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> + <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> +X-cavan-blacklisted-at: zen.spamhaus.org +X-SA-Do-Not-Run: Yes +X-SA-Exim-Connect-IP: 208.54.5.183 +X-SA-Exim-Mail-From: matthew.garrett@nebula.com +X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false +Sender: linux-efi-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-efi@vger.kernel.org + +EFI implementations distinguish between space that is actively used by a +variable and space that merely hasn't been garbage collected yet. Space +that hasn't yet been garbage collected isn't available for use and so isn't +counted in the remaining_space field returned by QueryVariableInfo(). + +Combined with commit 68d9298 this can cause problems. Some implementations +don't garbage collect until the remaining space is smaller than the maximum +variable size, and as a result check_var_size() will always fail once more +than 50% of the variable store has been used even if most of that space is +marked as available for garbage collection. The user is unable to create +new variables, and deleting variables doesn't increase the remaining space. + +The problem that 68d9298 was attempting to avoid was one where certain +platforms fail if the actively used space is greater than 50% of the +available storage space. We should be able to calculate that by simply +summing the size of each available variable and subtracting that from +the total storage space. With luck this will fix the problem described in +https://bugzilla.kernel.org/show_bug.cgi?id=55471 without permitting +damage to occur to the machines 68d9298 was attempting to fix. + +Signed-off-by: Matthew Garrett +--- + arch/x86/platform/efi/efi.c | 109 +++++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 102 insertions(+), 7 deletions(-) + +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index e844d82..a3f03cd 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -41,6 +41,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -51,6 +52,13 @@ + + #define EFI_DEBUG 1 + ++/* ++ * There's some additional metadata associated with each ++ * variable. Intel's reference implementation is 60 bytes - bump that ++ * to account for potential alignment constraints ++ */ ++#define VAR_METADATA_SIZE 64 ++ + struct efi __read_mostly efi = { + .mps = EFI_INVALID_TABLE_ADDR, + .acpi = EFI_INVALID_TABLE_ADDR, +@@ -72,6 +80,9 @@ static efi_system_table_t efi_systab __initdata; + static u64 efi_var_store_size; + static u64 efi_var_remaining_size; + static u64 efi_var_max_var_size; ++static u64 boot_used_size; ++static u64 boot_var_size; ++static u64 active_size; + + unsigned long x86_efi_facility; + +@@ -166,8 +177,53 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, + efi_char16_t *name, + efi_guid_t *vendor) + { +- return efi_call_virt3(get_next_variable, +- name_size, name, vendor); ++ efi_status_t status; ++ static bool finished = false; ++ static u64 var_size; ++ ++ status = efi_call_virt3(get_next_variable, ++ name_size, name, vendor); ++ ++ if (status == EFI_NOT_FOUND) { ++ finished = true; ++ if (var_size < boot_used_size) { ++ boot_var_size = boot_used_size - var_size; ++ active_size += boot_var_size; ++ } else { ++ printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); ++ } ++ } ++ ++ if (boot_used_size && !finished) { ++ unsigned long size; ++ u32 attr; ++ efi_status_t s; ++ void *tmp; ++ ++ s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); ++ ++ if (s != EFI_BUFFER_TOO_SMALL || !size) ++ return status; ++ ++ tmp = kmalloc(size, GFP_ATOMIC); ++ ++ if (!tmp) ++ return status; ++ ++ s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); ++ ++ if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { ++ var_size += size; ++ var_size += ucs2_strsize(name, 1024); ++ active_size += size; ++ active_size += VAR_METADATA_SIZE; ++ active_size += ucs2_strsize(name, 1024); ++ } ++ ++ kfree(tmp); ++ } ++ ++ return status; + } + + static efi_status_t virt_efi_set_variable(efi_char16_t *name, +@@ -176,9 +232,34 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, + unsigned long data_size, + void *data) + { +- return efi_call_virt5(set_variable, +- name, vendor, attr, +- data_size, data); ++ efi_status_t status; ++ u32 orig_attr = 0; ++ unsigned long orig_size = 0; ++ ++ status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, ++ NULL); ++ ++ if (status != EFI_BUFFER_TOO_SMALL) ++ orig_size = 0; ++ ++ status = efi_call_virt5(set_variable, ++ name, vendor, attr, ++ data_size, data); ++ ++ if (status == EFI_SUCCESS) { ++ if (orig_size) { ++ active_size -= orig_size; ++ active_size -= ucs2_strsize(name, 1024); ++ active_size -= VAR_METADATA_SIZE; ++ } ++ if (data_size) { ++ active_size += data_size; ++ active_size += ucs2_strsize(name, 1024); ++ active_size += VAR_METADATA_SIZE; ++ } ++ } ++ ++ return status; + } + + static efi_status_t virt_efi_query_variable_info(u32 attr, +@@ -720,6 +801,8 @@ void __init efi_init(void) + early_iounmap(data, sizeof(*efi_var_data)); + } + ++ boot_used_size = efi_var_store_size - efi_var_remaining_size; ++ + set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); + + /* +@@ -1039,8 +1122,20 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) + if (status != EFI_SUCCESS) + return status; + +- if (!storage_size || size > remaining_size || size > max_size || +- (remaining_size - size) < (storage_size / 2)) ++ /* ++ * Some firmware implementations refuse to boot if there's insufficient ++ * space in the variable store. We account for that by refusing the ++ * write if permitting it would reduce the available space to under ++ * 50%. However, some firmware won't reclaim variable space until ++ * after the used (not merely the actively used) space drops below ++ * a threshold. We can approximate that case with the value calculated ++ * above. If both the firmware and our calculations indicate that the ++ * available space would drop below 50%, refuse the write. ++ */ ++ ++ if (!storage_size || size > remaining_size || ++ ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && ++ (remaining_size - size < storage_size / 2))) + return EFI_OUT_OF_RESOURCES; + + return EFI_SUCCESS; +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-efi" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 75f484e16..1d1f1e6d6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 3 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -752,6 +752,9 @@ Patch23008: forcedeth-dma-error-check.patch #rhbz 949875 Patch23007: libsas-use-right-function-to-alloc-smp-response.patch +#rhbz 947142 +Patch23009: efi-space-fixes.patch + # END OF PATCH DEFINITIONS %endif @@ -1454,6 +1457,9 @@ ApplyPatch forcedeth-dma-error-check.patch #rhbz 949875 ApplyPatch libsas-use-right-function-to-alloc-smp-response.patch +#rhbz 947142 +ApplyPatch efi-space-fixes.patch + # END OF PATCH APPLICATIONS %endif @@ -2286,6 +2292,9 @@ fi # and build. %changelog +* Mon Apr 15 2013 Josh Boyer +- Grab fixes for UEFI space issues (rhbz 947142) + * Fri Apr 12 2013 Josh Boyer - Enable CONFIG_LDM_PARTITION (rhbz 948636) From 254514501e9875d24f9434223a6df4c709a88160 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 15 Apr 2013 20:36:23 -0400 Subject: [PATCH 058/468] Fix debug patches to build on s390x/ppc --- debug-bad-pte-dmi.patch | 62 +++++++++++++++++++++-------------------- kernel.spec | 5 +++- 2 files changed, 36 insertions(+), 31 deletions(-) diff --git a/debug-bad-pte-dmi.patch b/debug-bad-pte-dmi.patch index 0552cb34f..eddd595b0 100644 --- a/debug-bad-pte-dmi.patch +++ b/debug-bad-pte-dmi.patch @@ -1,6 +1,5 @@ -diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/include/asm-generic/bug.h linux-dj/include/asm-generic/bug.h ---- /home/davej/src/kernel/git-trees/linux/include/asm-generic/bug.h 2013-01-04 18:57:12.604282214 -0500 -+++ linux-dj/include/asm-generic/bug.h 2013-02-28 20:04:37.649304147 -0500 +--- linux.orig/include/asm-generic/bug.h ++++ linux/include/asm-generic/bug.h @@ -55,6 +55,8 @@ struct bug_entry { #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while(0) #endif @@ -10,40 +9,43 @@ diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-tre /* * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report * significant issues that need prompt attention if they should ever -diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/kernel/panic.c linux-dj/kernel/panic.c ---- /home/davej/src/kernel/git-trees/linux/kernel/panic.c 2013-02-26 14:41:18.544116674 -0500 -+++ linux-dj/kernel/panic.c 2013-02-28 20:04:37.666304115 -0500 -@@ -397,16 +397,22 @@ struct slowpath_args { - va_list args; - }; +--- linux.orig/kernel/panic.c ++++ linux/kernel/panic.c +@@ -391,6 +391,15 @@ void oops_exit(void) + kmsg_dump(KMSG_DUMP_OOPS); + } --static void warn_slowpath_common(const char *file, int line, void *caller, -- unsigned taint, struct slowpath_args *args) +void print_hardware_dmi_name(void) - { - const char *board; - -- printk(KERN_WARNING "------------[ cut here ]------------\n"); -- printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); - board = dmi_get_system_info(DMI_PRODUCT_NAME); - if (board) - printk(KERN_WARNING "Hardware name: %s\n", board); ++{ ++ const char *board; ++ ++ board = dmi_get_system_info(DMI_PRODUCT_NAME); ++ if (board) ++ printk(KERN_WARNING "Hardware name: %s\n", board); +} + -+static void warn_slowpath_common(const char *file, int line, void *caller, -+ unsigned taint, struct slowpath_args *args) -+{ -+ printk(KERN_WARNING "------------[ cut here ]------------\n"); -+ printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); + #ifdef WANT_WARN_ON_SLOWPATH + struct slowpath_args { + const char *fmt; +@@ -400,13 +409,10 @@ struct slowpath_args { + static void warn_slowpath_common(const char *file, int line, void *caller, + unsigned taint, struct slowpath_args *args) + { +- const char *board; +- + printk(KERN_WARNING "------------[ cut here ]------------\n"); + printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); +- board = dmi_get_system_info(DMI_PRODUCT_NAME); +- if (board) +- printk(KERN_WARNING "Hardware name: %s\n", board); + + print_hardware_dmi_name(); if (args) vprintk(args->fmt, args->args); -diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/mm/memory.c linux-dj/mm/memory.c ---- /home/davej/src/kernel/git-trees/linux/mm/memory.c 2013-02-26 14:41:18.591116577 -0500 -+++ linux-dj/mm/memory.c 2013-02-28 20:04:37.678304092 -0500 -@@ -705,6 +706,8 @@ static void print_bad_pte(struct vm_area +--- linux.orig/mm/memory.c ++++ linux/mm/memory.c +@@ -706,6 +706,8 @@ static void print_bad_pte(struct vm_area "BUG: Bad page map in process %s pte:%08llx pmd:%08llx\n", current->comm, (long long)pte_val(pte), (long long)pmd_val(*pmd)); @@ -52,8 +54,8 @@ diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-tre if (page) dump_page(page); printk(KERN_ALERT ---- linux-dj/mm/page_alloc.c~ 2013-04-11 11:47:12.536675503 -0400 -+++ linux-dj/mm/page_alloc.c 2013-04-11 11:47:16.416667806 -0400 +--- linux.orig/mm/page_alloc.c ++++ linux/mm/page_alloc.c @@ -321,6 +321,7 @@ static void bad_page(struct page *page) current->comm, page_to_pfn(page)); dump_page(page); diff --git a/kernel.spec b/kernel.spec index 1d1f1e6d6..00ca8590d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 3 +%global baserelease 4 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2292,6 +2292,9 @@ fi # and build. %changelog +* Mon Apr 15 2013 Josh Boyer +- Fix debug patches to build on s390x/ppc + * Mon Apr 15 2013 Josh Boyer - Grab fixes for UEFI space issues (rhbz 947142) From e175b26961d921c5048e57225bb07014fa6ee704 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 16 Apr 2013 10:36:56 -0400 Subject: [PATCH 059/468] Fix race in regulatory code (rhbz 919176) --- kernel.spec | 9 +++++ ...fix-channel-disabling-race-condition.patch | 40 +++++++++++++++++++ 2 files changed, 49 insertions(+) create mode 100644 wireless-regulatory-fix-channel-disabling-race-condition.patch diff --git a/kernel.spec b/kernel.spec index 00ca8590d..bd131cb8f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -755,6 +755,9 @@ Patch23007: libsas-use-right-function-to-alloc-smp-response.patch #rhbz 947142 Patch23009: efi-space-fixes.patch +#rhbz 919176 +Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch + # END OF PATCH DEFINITIONS %endif @@ -1460,6 +1463,9 @@ ApplyPatch libsas-use-right-function-to-alloc-smp-response.patch #rhbz 947142 ApplyPatch efi-space-fixes.patch +#rhbz 919176 +ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch + # END OF PATCH APPLICATIONS %endif @@ -2292,6 +2298,9 @@ fi # and build. %changelog +* Tue Apr 16 2013 Josh Boyer +- Fix race in regulatory code (rhbz 919176) + * Mon Apr 15 2013 Josh Boyer - Fix debug patches to build on s390x/ppc diff --git a/wireless-regulatory-fix-channel-disabling-race-condition.patch b/wireless-regulatory-fix-channel-disabling-race-condition.patch new file mode 100644 index 000000000..313735377 --- /dev/null +++ b/wireless-regulatory-fix-channel-disabling-race-condition.patch @@ -0,0 +1,40 @@ +From: Johannes Berg + +When a full scan 2.4 and 5 GHz scan is scheduled, but then the 2.4 GHz +part of the scan disables a 5.2 GHz channel due to, e.g. receiving +country or frequency information, that 5.2 GHz channel might already +be in the list of channels to scan next. Then, when the driver checks +if it should do a passive scan, that will return false and attempt an +active scan. This is not only wrong but can also lead to the iwlwifi +device firmware crashing since it checks regulatory as well. + +Fix this by not setting the channel flags to just disabled but rather +OR'ing in the disabled flag. That way, even if the race happens, the +channel will be scanned passively which is still (mostly) correct. + +Cc: stable@vger.kernel.org +Signed-off-by: Johannes Berg +--- + net/wireless/reg.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 93ab840..507c28e 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -855,7 +855,7 @@ static void handle_channel(struct wiphy *wiphy, + return; + + REG_DBG_PRINT("Disabling freq %d MHz\n", chan->center_freq); +- chan->flags = IEEE80211_CHAN_DISABLED; ++ chan->flags |= IEEE80211_CHAN_DISABLED; + return; + } + +-- +1.8.0 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From a2b0698807cbc806363954198ceed3eb03dc822d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 16 Apr 2013 10:39:20 -0400 Subject: [PATCH 060/468] Fix uninitialized variable free in iwlwifi (rhbz 951241) --- ...fi-fix-freeing-uninitialized-pointer.patch | 51 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 58 insertions(+) create mode 100644 iwlwifi-fix-freeing-uninitialized-pointer.patch diff --git a/iwlwifi-fix-freeing-uninitialized-pointer.patch b/iwlwifi-fix-freeing-uninitialized-pointer.patch new file mode 100644 index 000000000..90e6b6f64 --- /dev/null +++ b/iwlwifi-fix-freeing-uninitialized-pointer.patch @@ -0,0 +1,51 @@ +If on iwl_dump_nic_event_log() error occurs before that function +initialize buf, we process uninitiated pointer in +iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409" + +Resolves: +https://bugzilla.redhat.com/show_bug.cgi?id=951241 + +Reported-by: ian.odette@eprize.com +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +--- +Patch is only compile tested, but I'm sure it fixes the problem. + + drivers/net/wireless/iwlwifi/dvm/debugfs.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c +index 7b8178b..cb6dd58 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c ++++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c +@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file, + size_t count, loff_t *ppos) + { + struct iwl_priv *priv = file->private_data; +- char *buf; +- int pos = 0; +- ssize_t ret = -ENOMEM; ++ char *buf = NULL; ++ ssize_t ret; + +- ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true); +- if (buf) { +- ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos); +- kfree(buf); +- } ++ ret = iwl_dump_nic_event_log(priv, true, &buf, true); ++ if (ret < 0) ++ goto err; ++ ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret); ++err: ++ kfree(buf); + return ret; + } + +-- +1.7.11.7 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index bd131cb8f..bc23c8b64 100644 --- a/kernel.spec +++ b/kernel.spec @@ -758,6 +758,9 @@ Patch23009: efi-space-fixes.patch #rhbz 919176 Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch +#rhbz 951241 +Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch + # END OF PATCH DEFINITIONS %endif @@ -1466,6 +1469,9 @@ ApplyPatch efi-space-fixes.patch #rhbz 919176 ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch +#rhbz 951241 +ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch + # END OF PATCH APPLICATIONS %endif @@ -2299,6 +2305,7 @@ fi %changelog * Tue Apr 16 2013 Josh Boyer +- Fix uninitialized variable free in iwlwifi (rhbz 951241) - Fix race in regulatory code (rhbz 919176) * Mon Apr 15 2013 Josh Boyer From 7bb389111c685304d3cfe06c25697f1522fc1e79 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 18 Apr 2013 15:07:27 -0500 Subject: [PATCH 061/468] Linux v3.9-rc7-70-gd202f05 --- config-generic | 8 +- config-nodebug | 110 +++++++++--------- config-x86-generic | 2 +- kernel.spec | 26 ++--- ...right-function-to-alloc-smp-response.patch | 27 ----- sources | 4 +- ...c_fault-oops-during-lazy-MMU-updates.patch | 48 -------- 7 files changed, 71 insertions(+), 154 deletions(-) delete mode 100644 libsas-use-right-function-to-alloc-smp-response.patch delete mode 100644 x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch diff --git a/config-generic b/config-generic index 8822fb79d..911a38625 100644 --- a/config-generic +++ b/config-generic @@ -1549,13 +1549,13 @@ CONFIG_B43_SDIO=y CONFIG_B43_BCMA=y # CONFIG_B43_BCMA_EXTRA is not set CONFIG_B43_BCMA_PIO=y -CONFIG_B43_DEBUG=y +# CONFIG_B43_DEBUG is not set CONFIG_B43_PHY_LP=y CONFIG_B43_PHY_N=y CONFIG_B43_PHY_HT=y # CONFIG_B43_FORCE_PIO is not set CONFIG_B43LEGACY=m -CONFIG_B43LEGACY_DEBUG=y +# CONFIG_B43LEGACY_DEBUG is not set CONFIG_B43LEGACY_DMA=y CONFIG_B43LEGACY_PIO=y CONFIG_B43LEGACY_DMA_AND_PIO_MODE=y @@ -3194,7 +3194,7 @@ CONFIG_USB_STORAGE_REALTEK=m CONFIG_REALTEK_AUTOPM=y CONFIG_USB_STORAGE_ENE_UB6250=m # CONFIG_USB_LIBUSUAL is not set -CONFIG_USB_UAS=m +# CONFIG_USB_UAS is not set # @@ -4187,7 +4187,7 @@ CONFIG_IBMASR=m CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y -CONFIG_PM_TEST_SUSPEND=y +# CONFIG_PM_TEST_SUSPEND is not set CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set diff --git a/config-nodebug b/config-nodebug index cfabd29c7..aa7568c82 100644 --- a/config-nodebug +++ b/config-nodebug @@ -2,95 +2,95 @@ CONFIG_SND_VERBOSE_PRINTK=y CONFIG_SND_DEBUG=y CONFIG_SND_PCM_XRUN_DEBUG=y -CONFIG_DEBUG_ATOMIC_SLEEP=y +# CONFIG_DEBUG_ATOMIC_SLEEP is not set -CONFIG_DEBUG_MUTEXES=y -CONFIG_DEBUG_RT_MUTEXES=y -CONFIG_DEBUG_LOCK_ALLOC=y -CONFIG_PROVE_LOCKING=y -CONFIG_DEBUG_SPINLOCK=y -CONFIG_PROVE_RCU=y +# CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_RT_MUTEXES is not set +# CONFIG_DEBUG_LOCK_ALLOC is not set +# CONFIG_PROVE_LOCKING is not set +# CONFIG_DEBUG_SPINLOCK is not set +# CONFIG_PROVE_RCU is not set # CONFIG_PROVE_RCU_REPEATEDLY is not set -CONFIG_DEBUG_PER_CPU_MAPS=y +# CONFIG_DEBUG_PER_CPU_MAPS is not set CONFIG_CPUMASK_OFFSTACK=y -CONFIG_CPU_NOTIFIER_ERROR_INJECT=m +# CONFIG_CPU_NOTIFIER_ERROR_INJECT is not set -CONFIG_FAULT_INJECTION=y -CONFIG_FAILSLAB=y -CONFIG_FAIL_PAGE_ALLOC=y -CONFIG_FAIL_MAKE_REQUEST=y -CONFIG_FAULT_INJECTION_DEBUG_FS=y -CONFIG_FAULT_INJECTION_STACKTRACE_FILTER=y -CONFIG_FAIL_IO_TIMEOUT=y -CONFIG_FAIL_MMC_REQUEST=y +# CONFIG_FAULT_INJECTION is not set +# CONFIG_FAILSLAB is not set +# CONFIG_FAIL_PAGE_ALLOC is not set +# CONFIG_FAIL_MAKE_REQUEST is not set +# CONFIG_FAULT_INJECTION_DEBUG_FS is not set +# CONFIG_FAULT_INJECTION_STACKTRACE_FILTER is not set +# CONFIG_FAIL_IO_TIMEOUT is not set +# CONFIG_FAIL_MMC_REQUEST is not set -CONFIG_SLUB_DEBUG_ON=y +# CONFIG_SLUB_DEBUG_ON is not set -CONFIG_LOCK_STAT=y +# CONFIG_LOCK_STAT is not set -CONFIG_DEBUG_STACK_USAGE=y +# CONFIG_DEBUG_STACK_USAGE is not set -CONFIG_ACPI_DEBUG=y +# CONFIG_ACPI_DEBUG is not set # CONFIG_ACPI_DEBUG_FUNC_TRACE is not set -CONFIG_DEBUG_SG=y +# CONFIG_DEBUG_SG is not set # CONFIG_DEBUG_PAGEALLOC is not set -CONFIG_DEBUG_WRITECOUNT=y -CONFIG_DEBUG_OBJECTS=y +# CONFIG_DEBUG_WRITECOUNT is not set +# CONFIG_DEBUG_OBJECTS is not set # CONFIG_DEBUG_OBJECTS_SELFTEST is not set -CONFIG_DEBUG_OBJECTS_FREE=y -CONFIG_DEBUG_OBJECTS_TIMERS=y -CONFIG_DEBUG_OBJECTS_RCU_HEAD=y +# CONFIG_DEBUG_OBJECTS_FREE is not set +# CONFIG_DEBUG_OBJECTS_TIMERS is not set +# CONFIG_DEBUG_OBJECTS_RCU_HEAD is not set CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 -CONFIG_X86_PTDUMP=y +# CONFIG_X86_PTDUMP is not set -CONFIG_CAN_DEBUG_DEVICES=y +# CONFIG_CAN_DEBUG_DEVICES is not set -CONFIG_MODULE_FORCE_UNLOAD=y +# CONFIG_MODULE_FORCE_UNLOAD is not set -CONFIG_SYSCTL_SYSCALL_CHECK=y +# CONFIG_SYSCTL_SYSCALL_CHECK is not set -CONFIG_DEBUG_NOTIFIERS=y +# CONFIG_DEBUG_NOTIFIERS is not set -CONFIG_DMA_API_DEBUG=y +# CONFIG_DMA_API_DEBUG is not set -CONFIG_MMIOTRACE=y +# CONFIG_MMIOTRACE is not set -CONFIG_DEBUG_CREDENTIALS=y +# CONFIG_DEBUG_CREDENTIALS is not set # off in both production debug and nodebug builds, # on in rawhide nodebug builds -CONFIG_DEBUG_FORCE_WEAK_PER_CPU=y +# CONFIG_DEBUG_FORCE_WEAK_PER_CPU is not set -CONFIG_EXT4_DEBUG=y +# CONFIG_EXT4_DEBUG is not set -CONFIG_DEBUG_PERF_USE_VMALLOC=y +# CONFIG_DEBUG_PERF_USE_VMALLOC is not set -CONFIG_JBD2_DEBUG=y +# CONFIG_JBD2_DEBUG is not set -CONFIG_NFSD_FAULT_INJECTION=y +# CONFIG_NFSD_FAULT_INJECTION is not set -CONFIG_DEBUG_BLK_CGROUP=y +# CONFIG_DEBUG_BLK_CGROUP is not set -CONFIG_DRBD_FAULT_INJECTION=y +# CONFIG_DRBD_FAULT_INJECTION is not set -CONFIG_ATH_DEBUG=y -CONFIG_CARL9170_DEBUGFS=y -CONFIG_IWLWIFI_DEVICE_TRACING=y +# CONFIG_ATH_DEBUG is not set +# CONFIG_CARL9170_DEBUGFS is not set +# CONFIG_IWLWIFI_DEVICE_TRACING is not set -CONFIG_DEBUG_OBJECTS_WORK=y +# CONFIG_DEBUG_OBJECTS_WORK is not set -CONFIG_DMADEVICES_DEBUG=y -CONFIG_DMADEVICES_VDEBUG=y +# CONFIG_DMADEVICES_DEBUG is not set +# CONFIG_DMADEVICES_VDEBUG is not set CONFIG_PM_ADVANCED_DEBUG=y -CONFIG_CEPH_LIB_PRETTYDEBUG=y -CONFIG_QUOTA_DEBUG=y +# CONFIG_CEPH_LIB_PRETTYDEBUG is not set +# CONFIG_QUOTA_DEBUG is not set CONFIG_PCI_DEFAULT_USE_CRS=y @@ -98,16 +98,16 @@ CONFIG_KGDB_KDB=y CONFIG_KDB_KEYBOARD=y CONFIG_KDB_CONTINUE_CATASTROPHIC=0 -CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y -CONFIG_TEST_LIST_SORT=y +# CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set +# CONFIG_TEST_LIST_SORT is not set -CONFIG_DETECT_HUNG_TASK=y +# CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 # CONFIG_BOOTPARAM_HUNG_TASK_PANIC is not set -CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK=y +# CONFIG_X86_BOOTPARAM_MEMORY_CORRUPTION_CHECK is not set -CONFIG_DEBUG_KMEMLEAK=y +# CONFIG_DEBUG_KMEMLEAK is not set CONFIG_DEBUG_KMEMLEAK_EARLY_LOG_SIZE=1024 # CONFIG_DEBUG_KMEMLEAK_TEST is not set CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y diff --git a/config-x86-generic b/config-x86-generic index 357c18ecf..1308a3414 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -328,7 +328,7 @@ CONFIG_STRICT_DEVMEM=y # CONFIG_MEMTEST is not set # CONFIG_DEBUG_TLBFLUSH is not set -CONFIG_MAXSMP=y +# CONFIG_MAXSMP is not set CONFIG_HP_ILO=m diff --git a/kernel.spec b/kernel.spec index bc23c8b64..f4dc3c051 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 4 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -93,9 +93,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 6 +%define rcrev 7 # The git snapshot level -%define gitrev 2 +%define gitrev 3 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -157,7 +157,7 @@ Summary: The Linux kernel # Set debugbuildsenabled to 1 for production (build separate debug kernels) # and 0 for rawhide (all kernels are debug kernels). # See also 'make debug' and 'make release'. -%define debugbuildsenabled 0 +%define debugbuildsenabled 1 # Want to build a vanilla kernel build without any non-upstream patches? %define with_vanilla %{?_with_vanilla: 1} %{?!_with_vanilla: 0} @@ -170,7 +170,7 @@ Summary: The Linux kernel %define doc_build_fail true %endif -%define rawhide_skip_docs 1 +%define rawhide_skip_docs 0 %if 0%{?rawhide_skip_docs} %define with_doc 0 %define doc_build_fail true @@ -727,9 +727,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch #rhbz 903192 Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch -#rhbz 914737 -Patch21262: x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch - #rhbz 856863 892599 Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -749,9 +746,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch -#rhbz 949875 -Patch23007: libsas-use-right-function-to-alloc-smp-response.patch - #rhbz 947142 Patch23009: efi-space-fixes.patch @@ -1444,9 +1438,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 903192 ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch -#rhbz 914737 -ApplyPatch x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch - #rhbz 856863 892599 ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -1460,9 +1451,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch -#rhbz 949875 -ApplyPatch libsas-use-right-function-to-alloc-smp-response.patch - #rhbz 947142 ApplyPatch efi-space-fixes.patch @@ -2304,6 +2292,10 @@ fi # and build. %changelog +* Thu Apr 18 2013 Justin M. Forbes - 3.9.0-0.rc7.git3.1 +- Linux v3.9-rc7-70-gd202f05 +- Disable debugging options. + * Tue Apr 16 2013 Josh Boyer - Fix uninitialized variable free in iwlwifi (rhbz 951241) - Fix race in regulatory code (rhbz 919176) diff --git a/libsas-use-right-function-to-alloc-smp-response.patch b/libsas-use-right-function-to-alloc-smp-response.patch deleted file mode 100644 index 4c96ca2f8..000000000 --- a/libsas-use-right-function-to-alloc-smp-response.patch +++ /dev/null @@ -1,27 +0,0 @@ -From 95c9f4d4da6c4e445a9dd58c8382356520ea91a0 Mon Sep 17 00:00:00 2001 -From: John Gong -Date: Wed, 06 Mar 2013 02:43:03 +0000 -Subject: [SCSI] libsas: use right function to alloc smp response - -In fact the disc_resp buffer will be overwrite by smp response, so we never -found this typo, correct it by using the right one. - -Signed-off-by: John Gong -Signed-off-by: Jack Wang -Signed-off-by: James Bottomley ---- -diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c -index aec2e0d..588affd 100644 ---- a/drivers/scsi/libsas/sas_expander.c -+++ b/drivers/scsi/libsas/sas_expander.c -@@ -388,7 +388,7 @@ int sas_ex_phy_discover(struct domain_device *dev, int single) - if (!disc_req) - return -ENOMEM; - -- disc_resp = alloc_smp_req(DISCOVER_RESP_SIZE); -+ disc_resp = alloc_smp_resp(DISCOVER_RESP_SIZE); - if (!disc_resp) { - kfree(disc_req); - return -ENOMEM; --- -cgit v0.9.1 diff --git a/sources b/sources index 137e963ba..c0a0bcbcc 100644 --- a/sources +++ b/sources @@ -1,3 +1,3 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -90a96910b25480f66fe2be4b0dadbb11 patch-3.9-rc6.xz -49d9958e0959003f50c14140ed399339 patch-3.9-rc6-git2.xz +397b22065c5731d72ad9b4137c40dae4 patch-3.9-rc7.xz +790d0eb70ca65c1a5215d14b05bb38f8 patch-3.9-rc7-git3.xz diff --git a/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch b/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch deleted file mode 100644 index 31b0de8fb..000000000 --- a/x86-mm-Fix-vmalloc_fault-oops-during-lazy-MMU-updates.patch +++ /dev/null @@ -1,48 +0,0 @@ -From: Samu Kallio <> -Subject: [PATCH] x86: mm: Fix vmalloc_fault oops during lazy MMU updates. -Date: Sun, 17 Feb 2013 04:35:52 +0200 - -In paravirtualized x86_64 kernels, vmalloc_fault may cause an oops -when lazy MMU updates are enabled, because set_pgd effects are being -deferred. - -One instance of this problem is during process mm cleanup with memory -cgroups enabled. The chain of events is as follows: - -- zap_pte_range enables lazy MMU updates -- zap_pte_range eventually calls mem_cgroup_charge_statistics, - which accesses the vmalloc'd mem_cgroup per-cpu stat area -- vmalloc_fault is triggered which tries to sync the corresponding - PGD entry with set_pgd, but the update is deferred -- vmalloc_fault oopses due to a mismatch in the PUD entries - -Calling arch_flush_lazy_mmu_mode immediately after set_pgd makes the -changes visible to the consistency checks. - -Signed-off-by: Samu Kallio ---- - arch/x86/mm/fault.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) -diff --git a/arch/x86/mm/fault.c b/arch/x86/mm/fault.c -index 8e13ecb..0a45298 100644 ---- a/arch/x86/mm/fault.c -+++ b/arch/x86/mm/fault.c -@@ -378,10 +378,12 @@ static noinline __kprobes int vmalloc_fault(unsigned long address) - if (pgd_none(*pgd_ref)) - return -1; - -- if (pgd_none(*pgd)) -+ if (pgd_none(*pgd)) { - set_pgd(pgd, *pgd_ref); -- else -+ arch_flush_lazy_mmu_mode(); -+ } else { - BUG_ON(pgd_page_vaddr(*pgd) != pgd_page_vaddr(*pgd_ref)); -+ } - - /* - * Below here mismatches are bugs because these lower tables --- -1.8.1.3 - - From ec8b3c3fe9248d639eceeb4310c749479c380bfa Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 19 Apr 2013 09:20:31 -0400 Subject: [PATCH 062/468] Disable Intel HDA and enable RSXX block dev on ppc64/ppc64p7 --- config-powerpc64 | 2 ++ config-powerpc64p7 | 3 ++- kernel.spec | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config-powerpc64 b/config-powerpc64 index 2a587a6fd..d0e0aab5b 100644 --- a/config-powerpc64 +++ b/config-powerpc64 @@ -179,3 +179,5 @@ CONFIG_BPF_JIT=y # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_PCIEPORTBUS is not set # CONFIG_PPC_TRANSACTIONAL_MEM is not set +# CONFIG_SND_HDA_INTEL is not set +CONFIG_BLK_DEV_RSXX=m diff --git a/config-powerpc64p7 b/config-powerpc64p7 index 9a8289588..285d9fff9 100644 --- a/config-powerpc64p7 +++ b/config-powerpc64p7 @@ -169,4 +169,5 @@ CONFIG_BPF_JIT=y # CONFIG_PPC_ICSWX_USE_SIGILL is not set # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_PCIEPORTBUS is not set - +# CONFIG_SND_HDA_INTEL is not set +CONFIG_BLK_DEV_RSXX=m diff --git a/kernel.spec b/kernel.spec index f4dc3c051..3092e1410 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2292,6 +2292,9 @@ fi # and build. %changelog +* Fri Apr 19 2013 Josh Boyer +- Disable Intel HDA and enable RSXX block dev on ppc64/ppc64p7 + * Thu Apr 18 2013 Justin M. Forbes - 3.9.0-0.rc7.git3.1 - Linux v3.9-rc7-70-gd202f05 - Disable debugging options. From 2ec528d96c21baae9467d14535790761c8b2e742 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 19 Apr 2013 15:39:04 +0100 Subject: [PATCH 063/468] - Temporaily disable cpu idle on ARM as it appears to be causing stability issues - Minor ARM config updates - Add patch for DT DMA issues that affect at least highbank/tegra ARM devices --- arm-of-dma.patch | 43 +++++++++++++++++++++++++++++++++++++++++++ config-armv7 | 14 ++++++++++---- config-armv7-generic | 14 ++++++++------ config-armv7-tegra | 1 + kernel.spec | 12 ++++++++++-- 5 files changed, 72 insertions(+), 12 deletions(-) create mode 100644 arm-of-dma.patch diff --git a/arm-of-dma.patch b/arm-of-dma.patch new file mode 100644 index 000000000..c3223a4e6 --- /dev/null +++ b/arm-of-dma.patch @@ -0,0 +1,43 @@ +From 7362f04c2888b14c20f8aaa02e1a897025261768 Mon Sep 17 00:00:00 2001 +From: Viresh Kumar +Date: Fri, 15 Mar 2013 08:48:20 +0000 +Subject: DMA: OF: Check properties value before running be32_to_cpup() on it + +In of_dma_controller_register() routine we are calling of_get_property() as an +parameter to be32_to_cpup(). In case the property doesn't exist we will get a +crash. + +This patch changes this code to check if we got a valid property first and then +runs be32_to_cpup() on it. + +Signed-off-by: Viresh Kumar +Signed-off-by: Vinod Koul +--- +diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c +index 6036cd0..00db454 100644 +--- a/drivers/dma/of-dma.c ++++ b/drivers/dma/of-dma.c +@@ -93,6 +93,7 @@ int of_dma_controller_register(struct device_node *np, + { + struct of_dma *ofdma; + int nbcells; ++ const __be32 *prop; + + if (!np || !of_dma_xlate) { + pr_err("%s: not enough information provided\n", __func__); +@@ -103,8 +104,11 @@ int of_dma_controller_register(struct device_node *np, + if (!ofdma) + return -ENOMEM; + +- nbcells = be32_to_cpup(of_get_property(np, "#dma-cells", NULL)); +- if (!nbcells) { ++ prop = of_get_property(np, "#dma-cells", NULL); ++ if (prop) ++ nbcells = be32_to_cpup(prop); ++ ++ if (!prop || !nbcells) { + pr_err("%s: #dma-cells property is missing or invalid\n", + __func__); + kfree(ofdma); +-- +cgit v0.9.1 diff --git a/config-armv7 b/config-armv7 index dc80b797c..6e34dec47 100644 --- a/config-armv7 +++ b/config-armv7 @@ -27,7 +27,8 @@ CONFIG_ARCH_ZYNQ=y # CONFIG_ARM_VIRT_EXT is not set # highbank -CONFIG_CPU_IDLE_CALXEDA=y +# 2013/04/19 - stability issues +# CONFIG_CPU_IDLE_CALXEDA is not set CONFIG_EDAC_HIGHBANK_MC=m CONFIG_EDAC_HIGHBANK_L2=m CONFIG_SATA_HIGHBANK=m @@ -72,6 +73,7 @@ CONFIG_MVEBU_CLK_CORE=y CONFIG_MVEBU_CLK_GATING=y CONFIG_MMC_MVSDIO=m CONFIG_SPI_ORION=m +CONFIG_USB_MV_UDC=m # omap CONFIG_ARCH_OMAP2PLUS_TYPICAL=y @@ -125,6 +127,7 @@ CONFIG_OMAP_MBOX_KFIFO_SIZE=256 CONFIG_OMAP_DM_TIMER=y CONFIG_OMAP_PM_NOOP=y CONFIG_OMAP_IOMMU=y +CONFIG_OMAP_IOVMM=m CONFIG_OMAP3_EMU=y # CONFIG_OMAP3_SDRC_AC_TIMING is not set CONFIG_ARM_OMAP2PLUS_CPUFREQ=y @@ -136,6 +139,7 @@ CONFIG_TI_DAVINCI_MDIO=m CONFIG_TI_DAVINCI_CPDMA=m CONFIG_TI_CPSW=m CONFIG_TI_CPTS=y +CONFIG_TI_EMIF=m CONFIG_SERIAL_OMAP=y CONFIG_SERIAL_OMAP_CONSOLE=y @@ -155,12 +159,17 @@ CONFIG_TWL6030_USB=m CONFIG_TWL6030_PWM=m CONFIG_TWL6040_CORE=y CONFIG_CLK_TWL6040=m +CONFIG_OMAP_INTERCONNECT=m +# CONFIG_MFD_TPS80031 is not set +CONFIG_MFD_TI_AM335X_TSCADC=m CONFIG_MFD_OMAP_USB_HOST=y CONFIG_MTD_ONENAND_OMAP2=m CONFIG_HDQ_MASTER_OMAP=m CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m +CONFIG_OMAP_OCP2SCP=m CONFIG_USB_EHCI_HCD_OMAP=y +CONFIG_USB_OHCI_HCD_PLATFORM=y CONFIG_USB_OHCI_HCD_OMAP3=y CONFIG_USB_MUSB_AM35X=m CONFIG_USB_MUSB_OMAP2PLUS=m @@ -302,9 +311,7 @@ CONFIG_SND_OMAP_SOC_OMAP3_BEAGLE=m CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m CONFIG_SND_OMAP_SOC_OVERO=m # CONFIG_SND_OMAP_SOC_RX51 is not set -CONFIG_SND_OMAP_SOC_SDP3430=m CONFIG_SND_OMAP_SOC_SDP4430=m -CONFIG_SND_OMAP_SOC_ZOOM2=m CONFIG_SND_SOC_TLV320AIC23=m CONFIG_SND_SOC_TLV320AIC3X=m CONFIG_SND_SOC_TWL4030=m @@ -473,7 +480,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_MFD_DA9055 is not set # CONFIG_MFD_SMSC is not set # CONFIG_MFD_TPS65910 is not set -# CONFIG_MFD_TPS80031 is not set # CONFIG_MFD_AS3711 is not set # CONFIG_PMIC_DA903X is not set # CONFIG_PMIC_ADP5520 is not set diff --git a/config-armv7-generic b/config-armv7-generic index 883e8ffaf..d6f2c84c0 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -84,10 +84,11 @@ CONFIG_SCHED_SMT=y CONFIG_RCU_FANOUT=32 CONFIG_RCU_FANOUT_LEAF=16 -CONFIG_CPU_IDLE=y -# CONFIG_CPU_IDLE_GOV_LADDER is not set -CONFIG_CPU_IDLE_GOV_MENU=y -CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y +# 2013/04/19 - disable due to stability issues in 3.9 for the moment +# CONFIG_CPU_IDLE is not set +## CONFIG_CPU_IDLE_GOV_LADDER is not set +# CONFIG_CPU_IDLE_GOV_MENU is not set +# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 CONFIG_LSM_MMAP_MIN_ADDR=32768 @@ -112,8 +113,6 @@ CONFIG_HW_PERF_EVENTS=y CONFIG_UACCESS_WITH_MEMCPY=y CONFIG_CC_STACKPROTECTOR=y -CONFIG_LOG_BUF_SHIFT=18 - CONFIG_IP_PNP=y CONFIG_IP_PNP_DHCP=y CONFIG_IP_PNP_BOOTP=y @@ -219,6 +218,8 @@ CONFIG_GPIO_MAX7301=m CONFIG_GPIO_MC33880=m CONFIG_GPIO_74X164=m CONFIG_GPIO_TPS65912=m +CONFIG_W1_MASTER_GPIO=m +CONFIG_CHARGER_GPIO=m CONFIG_SPI=y CONFIG_SPI_GPIO=m @@ -340,6 +341,7 @@ CONFIG_SENSORS_LM70=m CONFIG_SENSORS_MAX1111=m CONFIG_SENSORS_ADS7871=m CONFIG_SENSORS_LIS3_SPI=m +CONFIG_SENSORS_GPIO_FAN=m CONFIG_LCD_L4F00242T03=m CONFIG_LCD_LMS283GF05=m diff --git a/config-armv7-tegra b/config-armv7-tegra index 99d5985fa..0058f0adb 100644 --- a/config-armv7-tegra +++ b/config-armv7-tegra @@ -60,6 +60,7 @@ CONFIG_SND_SOC_TEGRA_WM9712=m CONFIG_SND_SOC_TEGRA_TRIMSLICE=m CONFIG_SND_SOC_TEGRA30_AHUB=m CONFIG_SND_SOC_TEGRA30_I2S=m +CONFIG_SND_SOC_TEGRA20_AC97=m # AC100 (PAZ00) CONFIG_MFD_NVEC=y diff --git a/kernel.spec b/kernel.spec index 3092e1410..4742bd49e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -701,12 +701,14 @@ Patch14010: lis3-improve-handling-of-null-rate.patch # ARM Patch21000: arm-export-read_current_timer.patch +# https://lists.ozlabs.org/pipermail/devicetree-discuss/2013-March/029029.html +Patch21001: arm-of-dma.patch # lpae -Patch21001: arm-lpae-ax88796.patch +Patch21002: arm-lpae-ax88796.patch # ARM omap -Patch21002: arm-omap-ehci-fix.patch +Patch21003: arm-omap-ehci-fix.patch # ARM tegra Patch21005: arm-tegra-usb-no-reset-linux33.patch @@ -1311,6 +1313,7 @@ ApplyPatch debug-bad-pte-modules.patch # ARM # ApplyPatch arm-export-read_current_timer.patch +ApplyPatch arm-of-dma.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch @@ -2292,6 +2295,11 @@ fi # and build. %changelog +* Fri Apr 19 2013 Peter Robinson +- Temporaily disable cpu idle on ARM as it appears to be causing stability issues +- Minor ARM config updates +- Add patch for DT DMA issues that affect at least highbank/tegra ARM devices + * Fri Apr 19 2013 Josh Boyer - Disable Intel HDA and enable RSXX block dev on ppc64/ppc64p7 From 0d7cb9e5e45b6483737ad381b12794175dd89288 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 19 Apr 2013 15:40:02 -0400 Subject: [PATCH 064/468] Add patch to fix RCU splat from perf events --- ...t-access-via-task-subsys-state-check.patch | 61 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 68 insertions(+) create mode 100644 events-protect-access-via-task-subsys-state-check.patch diff --git a/events-protect-access-via-task-subsys-state-check.patch b/events-protect-access-via-task-subsys-state-check.patch new file mode 100644 index 000000000..a7d3972c0 --- /dev/null +++ b/events-protect-access-via-task-subsys-state-check.patch @@ -0,0 +1,61 @@ +The following RCU splat indicates lack of RCU protection: + +[ 953.267649] =============================== +[ 953.267652] [ INFO: suspicious RCU usage. ] +[ 953.267657] 3.9.0-0.rc6.git2.4.fc19.ppc64p7 #1 Not tainted +[ 953.267661] ------------------------------- +[ 953.267664] include/linux/cgroup.h:534 suspicious rcu_dereference_check() usage! +[ 953.267669] +[ 953.267669] other info that might help us debug this: +[ 953.267669] +[ 953.267675] +[ 953.267675] rcu_scheduler_active = 1, debug_locks = 0 +[ 953.267680] 1 lock held by glxgears/1289: +[ 953.267683] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] .prepare_bprm_creds+0x34/0xa0 +[ 953.267700] +[ 953.267700] stack backtrace: +[ 953.267704] Call Trace: +[ 953.267709] [c0000001f0d1b6e0] [c000000000016e30] .show_stack+0x130/0x200 (unreliable) +[ 953.267717] [c0000001f0d1b7b0] [c0000000001267f8] .lockdep_rcu_suspicious+0x138/0x180 +[ 953.267724] [c0000001f0d1b840] [c0000000001d43a4] .perf_event_comm+0x4c4/0x690 +[ 953.267731] [c0000001f0d1b950] [c00000000027f6e4] .set_task_comm+0x84/0x1f0 +[ 953.267737] [c0000001f0d1b9f0] [c000000000280414] .setup_new_exec+0x94/0x220 +[ 953.267744] [c0000001f0d1ba70] [c0000000002f665c] .load_elf_binary+0x58c/0x19b0 +[ 953.267751] [c0000001f0d1bbc0] [c00000000027e724] .search_binary_handler+0x254/0x680 +[ 953.267758] [c0000001f0d1bca0] [c0000000002800dc] .do_execve_common.isra.17+0x76c/0x860 +[ 953.267764] [c0000001f0d1bd90] [c000000000280698] .SyS_execve+0x58/0x90 +[ 953.267771] [c0000001f0d1be30] [c000000000009e60] syscall_exit+0x0/0x98 + +This commit therefore adds the required RCU read-side critical section to +perf_event_comm(). + +Reported-by: Adam Jackson +Signed-off-by: Paul E. McKenney +Tested-by: Gustavo Luiz Duarte + +diff --git a/kernel/events/core.c b/kernel/events/core.c +index b0cd865..8db9551 100644 +--- a/kernel/events/core.c ++++ b/kernel/events/core.c +@@ -4593,6 +4593,7 @@ void perf_event_comm(struct task_struct *task) + struct perf_event_context *ctx; + int ctxn; + ++ rcu_read_lock(); + for_each_task_context_nr(ctxn) { + ctx = task->perf_event_ctxp[ctxn]; + if (!ctx) +@@ -4600,6 +4601,7 @@ void perf_event_comm(struct task_struct *task) + + perf_event_enable_on_exec(ctx); + } ++ rcu_read_unlock(); + + if (!atomic_read(&nr_comm_events)) + return; + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index 4742bd49e..3ae5b81c6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -757,6 +757,8 @@ Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch +Patch25012: events-protect-access-via-task-subsys-state-check.patch + # END OF PATCH DEFINITIONS %endif @@ -1463,6 +1465,8 @@ ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch +ApplyPatch events-protect-access-via-task-subsys-state-check.patch + # END OF PATCH APPLICATIONS %endif @@ -2295,6 +2299,9 @@ fi # and build. %changelog +* Fri Apr 19 2013 Josh Boyer +- Add patch to fix RCU splat from perf events + * Fri Apr 19 2013 Peter Robinson - Temporaily disable cpu idle on ARM as it appears to be causing stability issues - Minor ARM config updates From dc4f4d024df64b95edf459590d8e7c0614947752 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 22 Apr 2013 12:44:26 +0100 Subject: [PATCH 065/468] Minor ARM updates --- config-armv7 | 6 +----- config-armv7-generic | 2 +- config-armv7-lpae | 4 ++++ config-armv7-tegra | 3 --- kernel.spec | 3 +++ 5 files changed, 9 insertions(+), 9 deletions(-) diff --git a/config-armv7 b/config-armv7 index 6e34dec47..4f27e5c06 100644 --- a/config-armv7 +++ b/config-armv7 @@ -61,12 +61,9 @@ CONFIG_PINCTRL_ARMADA_370=y CONFIG_PINCTRL_ARMADA_XP=y CONFIG_PINCTRL_DOVE=y CONFIG_EDAC_MV64X60=m -CONFIG_SATA_MV=m -CONFIG_MARVELL_PHY=m -CONFIG_RTC_DRV_S35390A=y +CONFIG_RTC_DRV_S35390A=m CONFIG_RTC_DRV_88PM80X=m CONFIG_RTC_DRV_MV=m -CONFIG_MVMDIO=m CONFIG_MVNETA=m CONFIG_GPIO_MVEBU=y CONFIG_MVEBU_CLK_CORE=y @@ -450,7 +447,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_DEPRECATED_PARAM_STRUCT is not set # CONFIG_ARM_KPROBES_TEST is not set -# CONFIG_LEDS_PWM is not set # Defined config options we don't use yet # CONFIG_PINCTRL_IMX35 is not set diff --git a/config-armv7-generic b/config-armv7-generic index d6f2c84c0..4105483df 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -106,7 +106,6 @@ CONFIG_PM=y CONFIG_PM_STD_PARTITION="" CONFIG_SUSPEND=y CONFIG_ARM_CPU_SUSPEND=y -CONFIG_ARM_CPU_TOPOLOGY=y CONFIG_LOCAL_TIMERS=y CONFIG_HW_PERF_EVENTS=y @@ -367,6 +366,7 @@ CONFIG_TOUCHSCREEN_MC13783=m CONFIG_TOUCHSCREEN_TSC2005=m CONFIG_LEDS_DAC124S085=m +CONFIG_LEDS_PWM=m CONFIG_BMP085_SPI=m # Ethernet diff --git a/config-armv7-lpae b/config-armv7-lpae index 9df571d55..15b0d53cd 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -56,6 +56,10 @@ CONFIG_VIDEO_SAMSUNG_S5P_G2D=m CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m CONFIG_VIDEO_SAMSUNG_S5P_MFC=m CONFIG_VIDEO_SAMSUNG_EXYNOS_GSC=m +CONFIG_EXYNOS_VIDEO=y +CONFIG_EXYNOS_MIPI_DSI=y +CONFIG_EXYNOS_DP=y +# CONFIG_EXYNOS_LCD_S6E8AX0 is not set # CONFIG_DRM_EXYNOS is not set CONFIG_DRM_EXYNOS_IOMMU=y CONFIG_DRM_EXYNOS_DMABUF=y diff --git a/config-armv7-tegra b/config-armv7-tegra index 0058f0adb..20cda8a7b 100644 --- a/config-armv7-tegra +++ b/config-armv7-tegra @@ -21,9 +21,6 @@ CONFIG_MACH_TRIMSLICE=y CONFIG_MACH_WARIO=y CONFIG_MACH_VENTANA=y -CONFIG_TEGRA_DEBUG_UARTD=y -CONFIG_ARM_CPU_TOPOLOGY=y - CONFIG_TEGRA_PCI=y CONFIG_TEGRA_IOMMU_GART=y CONFIG_TEGRA_IOMMU_SMMU=y diff --git a/kernel.spec b/kernel.spec index 3ae5b81c6..415ea7ced 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2299,6 +2299,9 @@ fi # and build. %changelog +* Mon Apr 22 2013 Peter Robinson +- Minor ARM updates + * Fri Apr 19 2013 Josh Boyer - Add patch to fix RCU splat from perf events From 7f7c4766c8883ba23517dc6e3d46b2361bf5cf37 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 22 Apr 2013 16:58:43 -0500 Subject: [PATCH 066/468] Linux v3.9-rc8 --- arm-lpae-ax88796.patch | 2 +- efi-dont-map-boot-services-on-32bit.patch | 22 - efi-space-fixes.patch | 953 ---------------------- kernel.spec | 17 +- sources | 3 +- 5 files changed, 7 insertions(+), 990 deletions(-) delete mode 100644 efi-dont-map-boot-services-on-32bit.patch delete mode 100644 efi-space-fixes.patch diff --git a/arm-lpae-ax88796.patch b/arm-lpae-ax88796.patch index 3b9c32644..b1bdc760c 100644 --- a/arm-lpae-ax88796.patch +++ b/arm-lpae-ax88796.patch @@ -12,7 +12,7 @@ index 70dba5d..763e575 100644 + /* LPAE breaks this code as __aeabi_uldivmod for 64-bit + * is not supported in lib1funcs.s yet + */ - resource_size_t mem_size, mem2_size = 0; + unsigned long mem_size, mem2_size = 0; +#else + u32 mem_size, mem2_size = 0; +#endif diff --git a/efi-dont-map-boot-services-on-32bit.patch b/efi-dont-map-boot-services-on-32bit.patch deleted file mode 100644 index 7cc614992..000000000 --- a/efi-dont-map-boot-services-on-32bit.patch +++ /dev/null @@ -1,22 +0,0 @@ -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 3ae4128..ff7dc70 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -659,10 +659,13 @@ void __init efi_enter_virtual_mode(void) - - for (p = memmap.map; p < memmap.map_end; p += memmap.desc_size) { - md = p; -- if (!(md->attribute & EFI_MEMORY_RUNTIME) && -- md->type != EFI_BOOT_SERVICES_CODE && -- md->type != EFI_BOOT_SERVICES_DATA) -- continue; -+ if (!(md->attribute & EFI_MEMORY_RUNTIME)) { -+#ifdef CONFIG_X86_64 -+ if (md->type != EFI_BOOT_SERVICES_CODE && -+ md->type != EFI_BOOT_SERVICES_DATA) -+#endif -+ continue; -+ } - - size = md->num_pages << EFI_PAGE_SHIFT; - end = md->phys_addr + size; diff --git a/efi-space-fixes.patch b/efi-space-fixes.patch deleted file mode 100644 index d5863e72a..000000000 --- a/efi-space-fixes.patch +++ /dev/null @@ -1,953 +0,0 @@ -From a6e4d5a03e9e3587e88aba687d8f225f4f04c792 Mon Sep 17 00:00:00 2001 -From: Matt Fleming -Date: Mon, 25 Mar 2013 09:14:30 +0000 -Subject: [PATCH] x86, efivars: firmware bug workarounds should be in platform - code - -Let's not burden ia64 with checks in the common efivars code that we're not -writing too much data to the variable store. That kind of thing is an x86 -firmware bug, plain and simple. - -efi_query_variable_store() provides platforms with a wrapper in which they can -perform checks and workarounds for EFI variable storage bugs. - -Cc: H. Peter Anvin -Cc: Matthew Garrett -Signed-off-by: Matt Fleming ---- - arch/x86/platform/efi/efi.c | 25 +++++++++++++++++++++++++ - drivers/firmware/efivars.c | 18 +++--------------- - include/linux/efi.h | 9 ++++++++- - 3 files changed, 36 insertions(+), 16 deletions(-) - -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index 5f2ecaf..c89c245 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -999,3 +999,28 @@ u64 efi_mem_attributes(unsigned long phys_addr) - } - return 0; - } -+ -+/* -+ * Some firmware has serious problems when using more than 50% of the EFI -+ * variable store, i.e. it triggers bugs that can brick machines. Ensure that -+ * we never use more than this safe limit. -+ * -+ * Return EFI_SUCCESS if it is safe to write 'size' bytes to the variable -+ * store. -+ */ -+efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) -+{ -+ efi_status_t status; -+ u64 storage_size, remaining_size, max_size; -+ -+ status = efi.query_variable_info(attributes, &storage_size, -+ &remaining_size, &max_size); -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ if (!storage_size || size > remaining_size || size > max_size || -+ (remaining_size - size) < (storage_size / 2)) -+ return EFI_OUT_OF_RESOURCES; -+ -+ return EFI_SUCCESS; -+} -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index 7acafb8..bf15d81 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -436,24 +436,12 @@ static efi_status_t - check_var_size_locked(struct efivars *efivars, u32 attributes, - unsigned long size) - { -- u64 storage_size, remaining_size, max_size; -- efi_status_t status; - const struct efivar_operations *fops = efivars->ops; - -- if (!efivars->ops->query_variable_info) -+ if (!efivars->ops->query_variable_store) - return EFI_UNSUPPORTED; - -- status = fops->query_variable_info(attributes, &storage_size, -- &remaining_size, &max_size); -- -- if (status != EFI_SUCCESS) -- return status; -- -- if (!storage_size || size > remaining_size || size > max_size || -- (remaining_size - size) < (storage_size / 2)) -- return EFI_OUT_OF_RESOURCES; -- -- return status; -+ return fops->query_variable_store(attributes, size); - } - - -@@ -2131,7 +2119,7 @@ efivars_init(void) - ops.get_variable = efi.get_variable; - ops.set_variable = efi.set_variable; - ops.get_next_variable = efi.get_next_variable; -- ops.query_variable_info = efi.query_variable_info; -+ ops.query_variable_store = efi_query_variable_store; - - error = register_efivars(&__efivars, &ops, efi_kobj); - if (error) -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 9bf2f1f..3d7df3d 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -333,6 +333,7 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, - unsigned long count, - u64 *max_size, - int *reset_type); -+typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long size); - - /* - * EFI Configuration Table and GUID definitions -@@ -575,9 +576,15 @@ extern void efi_enter_virtual_mode (void); /* switch EFI to virtual mode, if pos - #ifdef CONFIG_X86 - extern void efi_late_init(void); - extern void efi_free_boot_services(void); -+extern efi_status_t efi_query_variable_store(u32 attributes, unsigned long size); - #else - static inline void efi_late_init(void) {} - static inline void efi_free_boot_services(void) {} -+ -+static inline efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) -+{ -+ return EFI_SUCCESS; -+} - #endif - extern void __iomem *efi_lookup_mapped_addr(u64 phys_addr); - extern u64 efi_get_iobase (void); -@@ -731,7 +738,7 @@ struct efivar_operations { - efi_get_variable_t *get_variable; - efi_get_next_variable_t *get_next_variable; - efi_set_variable_t *set_variable; -- efi_query_variable_info_t *query_variable_info; -+ efi_query_variable_store_t *query_variable_store; - }; - - struct efivars { --- -1.8.1.4 - - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.92.6 with SMTP id ci6csp30969oab; - Mon, 15 Apr 2013 13:11:20 -0700 (PDT) -X-Received: by 10.66.233.66 with SMTP id tu2mr16310292pac.12.1366056679639; - Mon, 15 Apr 2013 13:11:19 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id px5si683046pbb.263.2013.04.15.13.11.18; - Mon, 15 Apr 2013 13:11:19 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-efi-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1755430Ab3DOUKG (ORCPT - + 14 others); Mon, 15 Apr 2013 16:10:06 -0400 -Received: from cavan.codon.org.uk ([93.93.128.6]:40554 "EHLO - cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1754223Ab3DOUKF (ORCPT - ); Mon, 15 Apr 2013 16:10:05 -0400 -Received: from 50-0-250-146.dedicated.static.sonic.net ([50.0.250.146] helo=x230.nebula.com) - by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) - (Exim 4.72) - (envelope-from ) - id 1URpiv-00027X-TB; Mon, 15 Apr 2013 21:09:58 +0100 -From: Matthew Garrett -To: matt.fleming@intel.com -Cc: linux-efi@vger.kernel.org, x86@kernel.org, - linux-kernel@vger.kernel.org, - Matthew Garrett -Subject: [PATCH V6 1/3] Move utf16 functions to kernel core and rename -Date: Mon, 15 Apr 2013 13:09:45 -0700 -Message-Id: <1366056587-24414-2-git-send-email-matthew.garrett@nebula.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1366056587-24414-1-git-send-email-matthew.garrett@nebula.com> -References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> - <1366056587-24414-1-git-send-email-matthew.garrett@nebula.com> -X-SA-Do-Not-Run: Yes -X-SA-Exim-Connect-IP: 50.0.250.146 -X-SA-Exim-Mail-From: matthew.garrett@nebula.com -X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false -Sender: linux-efi-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-efi@vger.kernel.org - -We want to be able to use the utf16 functions that are currently present -in the EFI variables code in platform-specific code as well. Move them to -the kernel core, and in the process rename them to accurately describe what -they do - they don't handle UTF16, only UCS2. - -Signed-off-by: Matthew Garrett ---- - drivers/firmware/Kconfig | 1 + - drivers/firmware/efivars.c | 80 ++++++++++----------------------------------- - include/linux/ucs2_string.h | 14 ++++++++ - lib/Kconfig | 3 ++ - lib/Makefile | 2 ++ - lib/ucs2_string.c | 51 +++++++++++++++++++++++++++++ - 6 files changed, 89 insertions(+), 62 deletions(-) - create mode 100644 include/linux/ucs2_string.h - create mode 100644 lib/ucs2_string.c - -diff --git a/drivers/firmware/Kconfig b/drivers/firmware/Kconfig -index 42c759a..3e53200 100644 ---- a/drivers/firmware/Kconfig -+++ b/drivers/firmware/Kconfig -@@ -39,6 +39,7 @@ config FIRMWARE_MEMMAP - config EFI_VARS - tristate "EFI Variable Support via sysfs" - depends on EFI -+ select UCS2_STRING - default n - help - If you say Y here, you are able to get EFI (Extensible Firmware -diff --git a/drivers/firmware/efivars.c b/drivers/firmware/efivars.c -index bf15d81..182ce94 100644 ---- a/drivers/firmware/efivars.c -+++ b/drivers/firmware/efivars.c -@@ -80,6 +80,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -172,51 +173,6 @@ static void efivar_update_sysfs_entries(struct work_struct *); - static DECLARE_WORK(efivar_work, efivar_update_sysfs_entries); - static bool efivar_wq_enabled = true; - --/* Return the number of unicode characters in data */ --static unsigned long --utf16_strnlen(efi_char16_t *s, size_t maxlength) --{ -- unsigned long length = 0; -- -- while (*s++ != 0 && length < maxlength) -- length++; -- return length; --} -- --static inline unsigned long --utf16_strlen(efi_char16_t *s) --{ -- return utf16_strnlen(s, ~0UL); --} -- --/* -- * Return the number of bytes is the length of this string -- * Note: this is NOT the same as the number of unicode characters -- */ --static inline unsigned long --utf16_strsize(efi_char16_t *data, unsigned long maxlength) --{ -- return utf16_strnlen(data, maxlength/sizeof(efi_char16_t)) * sizeof(efi_char16_t); --} -- --static inline int --utf16_strncmp(const efi_char16_t *a, const efi_char16_t *b, size_t len) --{ -- while (1) { -- if (len == 0) -- return 0; -- if (*a < *b) -- return -1; -- if (*a > *b) -- return 1; -- if (*a == 0) /* implies *b == 0 */ -- return 0; -- a++; -- b++; -- len--; -- } --} -- - static bool - validate_device_path(struct efi_variable *var, int match, u8 *buffer, - unsigned long len) -@@ -268,7 +224,7 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, - u16 filepathlength; - int i, desclength = 0, namelen; - -- namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName)); -+ namelen = ucs2_strnlen(var->VariableName, sizeof(var->VariableName)); - - /* Either "Boot" or "Driver" followed by four digits of hex */ - for (i = match; i < match+4; i++) { -@@ -291,7 +247,7 @@ validate_load_option(struct efi_variable *var, int match, u8 *buffer, - * There's no stored length for the description, so it has to be - * found by hand - */ -- desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; -+ desclength = ucs2_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2; - - /* Each boot entry must have a descriptor */ - if (!desclength) -@@ -581,7 +537,7 @@ efivar_store_raw(struct efivar_entry *entry, const char *buf, size_t count) - spin_lock_irq(&efivars->lock); - - status = check_var_size_locked(efivars, new_var->Attributes, -- new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); -+ new_var->DataSize + ucs2_strsize(new_var->VariableName, 1024)); - - if (status == EFI_SUCCESS || status == EFI_UNSUPPORTED) - status = efivars->ops->set_variable(new_var->VariableName, -@@ -759,7 +715,7 @@ static ssize_t efivarfs_file_write(struct file *file, - * QueryVariableInfo() isn't supported by the firmware. - */ - -- varsize = datasize + utf16_strsize(var->var.VariableName, 1024); -+ varsize = datasize + ucs2_strsize(var->var.VariableName, 1024); - status = check_var_size(efivars, attributes, varsize); - - if (status != EFI_SUCCESS) { -@@ -1211,7 +1167,7 @@ static int efivarfs_fill_super(struct super_block *sb, void *data, int silent) - - inode = NULL; - -- len = utf16_strlen(entry->var.VariableName); -+ len = ucs2_strlen(entry->var.VariableName); - - /* name, plus '-', plus GUID, plus NUL*/ - name = kmalloc(len + 1 + GUID_LEN + 1, GFP_ATOMIC); -@@ -1469,8 +1425,8 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, - - if (efi_guidcmp(entry->var.VendorGuid, vendor)) - continue; -- if (utf16_strncmp(entry->var.VariableName, efi_name, -- utf16_strlen(efi_name))) { -+ if (ucs2_strncmp(entry->var.VariableName, efi_name, -+ ucs2_strlen(efi_name))) { - /* - * Check if an old format, - * which doesn't support holding -@@ -1482,8 +1438,8 @@ static int efi_pstore_erase(enum pstore_type_id type, u64 id, int count, - for (i = 0; i < DUMP_NAME_LEN; i++) - efi_name_old[i] = name_old[i]; - -- if (utf16_strncmp(entry->var.VariableName, efi_name_old, -- utf16_strlen(efi_name_old))) -+ if (ucs2_strncmp(entry->var.VariableName, efi_name_old, -+ ucs2_strlen(efi_name_old))) - continue; - } - -@@ -1561,8 +1517,8 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - * Does this variable already exist? - */ - list_for_each_entry_safe(search_efivar, n, &efivars->list, list) { -- strsize1 = utf16_strsize(search_efivar->var.VariableName, 1024); -- strsize2 = utf16_strsize(new_var->VariableName, 1024); -+ strsize1 = ucs2_strsize(search_efivar->var.VariableName, 1024); -+ strsize2 = ucs2_strsize(new_var->VariableName, 1024); - if (strsize1 == strsize2 && - !memcmp(&(search_efivar->var.VariableName), - new_var->VariableName, strsize1) && -@@ -1578,7 +1534,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - } - - status = check_var_size_locked(efivars, new_var->Attributes, -- new_var->DataSize + utf16_strsize(new_var->VariableName, 1024)); -+ new_var->DataSize + ucs2_strsize(new_var->VariableName, 1024)); - - if (status && status != EFI_UNSUPPORTED) { - spin_unlock_irq(&efivars->lock); -@@ -1602,7 +1558,7 @@ static ssize_t efivar_create(struct file *filp, struct kobject *kobj, - - /* Create the entry in sysfs. Locking is not required here */ - status = efivar_create_sysfs_entry(efivars, -- utf16_strsize(new_var->VariableName, -+ ucs2_strsize(new_var->VariableName, - 1024), - new_var->VariableName, - &new_var->VendorGuid); -@@ -1632,8 +1588,8 @@ static ssize_t efivar_delete(struct file *filp, struct kobject *kobj, - * Does this variable already exist? - */ - list_for_each_entry_safe(search_efivar, n, &efivars->list, list) { -- strsize1 = utf16_strsize(search_efivar->var.VariableName, 1024); -- strsize2 = utf16_strsize(del_var->VariableName, 1024); -+ strsize1 = ucs2_strsize(search_efivar->var.VariableName, 1024); -+ strsize2 = ucs2_strsize(del_var->VariableName, 1024); - if (strsize1 == strsize2 && - !memcmp(&(search_efivar->var.VariableName), - del_var->VariableName, strsize1) && -@@ -1679,9 +1635,9 @@ static bool variable_is_present(efi_char16_t *variable_name, efi_guid_t *vendor) - unsigned long strsize1, strsize2; - bool found = false; - -- strsize1 = utf16_strsize(variable_name, 1024); -+ strsize1 = ucs2_strsize(variable_name, 1024); - list_for_each_entry_safe(entry, n, &efivars->list, list) { -- strsize2 = utf16_strsize(entry->var.VariableName, 1024); -+ strsize2 = ucs2_strsize(entry->var.VariableName, 1024); - if (strsize1 == strsize2 && - !memcmp(variable_name, &(entry->var.VariableName), - strsize2) && -diff --git a/include/linux/ucs2_string.h b/include/linux/ucs2_string.h -new file mode 100644 -index 0000000..cbb20af ---- /dev/null -+++ b/include/linux/ucs2_string.h -@@ -0,0 +1,14 @@ -+#ifndef _LINUX_UCS2_STRING_H_ -+#define _LINUX_UCS2_STRING_H_ -+ -+#include /* for size_t */ -+#include /* for NULL */ -+ -+typedef u16 ucs2_char_t; -+ -+unsigned long ucs2_strnlen(const ucs2_char_t *s, size_t maxlength); -+unsigned long ucs2_strlen(const ucs2_char_t *s); -+unsigned long ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength); -+int ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len); -+ -+#endif /* _LINUX_UCS2_STRING_H_ */ -diff --git a/lib/Kconfig b/lib/Kconfig -index 3958dc4..fe01d41 100644 ---- a/lib/Kconfig -+++ b/lib/Kconfig -@@ -404,4 +404,7 @@ config OID_REGISTRY - help - Enable fast lookup object identifier registry. - -+config UCS2_STRING -+ tristate -+ - endmenu -diff --git a/lib/Makefile b/lib/Makefile -index d7946ff..6e2cc56 100644 ---- a/lib/Makefile -+++ b/lib/Makefile -@@ -174,3 +174,5 @@ quiet_cmd_build_OID_registry = GEN $@ - cmd_build_OID_registry = perl $(srctree)/$(src)/build_OID_registry $< $@ - - clean-files += oid_registry_data.c -+ -+obj-$(CONFIG_UCS2_STRING) += ucs2_string.o -diff --git a/lib/ucs2_string.c b/lib/ucs2_string.c -new file mode 100644 -index 0000000..6f500ef ---- /dev/null -+++ b/lib/ucs2_string.c -@@ -0,0 +1,51 @@ -+#include -+#include -+ -+/* Return the number of unicode characters in data */ -+unsigned long -+ucs2_strnlen(const ucs2_char_t *s, size_t maxlength) -+{ -+ unsigned long length = 0; -+ -+ while (*s++ != 0 && length < maxlength) -+ length++; -+ return length; -+} -+EXPORT_SYMBOL(ucs2_strnlen); -+ -+unsigned long -+ucs2_strlen(const ucs2_char_t *s) -+{ -+ return ucs2_strnlen(s, ~0UL); -+} -+EXPORT_SYMBOL(ucs2_strlen); -+ -+/* -+ * Return the number of bytes is the length of this string -+ * Note: this is NOT the same as the number of unicode characters -+ */ -+unsigned long -+ucs2_strsize(const ucs2_char_t *data, unsigned long maxlength) -+{ -+ return ucs2_strnlen(data, maxlength/sizeof(ucs2_char_t)) * sizeof(ucs2_char_t); -+} -+EXPORT_SYMBOL(ucs2_strsize); -+ -+int -+ucs2_strncmp(const ucs2_char_t *a, const ucs2_char_t *b, size_t len) -+{ -+ while (1) { -+ if (len == 0) -+ return 0; -+ if (*a < *b) -+ return -1; -+ if (*a > *b) -+ return 1; -+ if (*a == 0) /* implies *b == 0 */ -+ return 0; -+ a++; -+ b++; -+ len--; -+ } -+} -+EXPORT_SYMBOL(ucs2_strncmp); --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe linux-efi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.92.6 with SMTP id ci6csp21932oab; - Mon, 15 Apr 2013 08:57:40 -0700 (PDT) -X-Received: by 10.66.9.7 with SMTP id v7mr30771745paa.216.1366041459856; - Mon, 15 Apr 2013 08:57:39 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id fd8si20555261pad.17.2013.04.15.08.57.37; - Mon, 15 Apr 2013 08:57:39 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754718Ab3DOPyZ (ORCPT + 99 others); - Mon, 15 Apr 2013 11:54:25 -0400 -Received: from cavan.codon.org.uk ([93.93.128.6]:36679 "EHLO - cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752817Ab3DOPyU (ORCPT - ); - Mon, 15 Apr 2013 11:54:20 -0400 -Received: from mb70536d0.tmodns.net ([208.54.5.183] helo=x230.localdomain) - by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) - (Exim 4.72) - (envelope-from ) - id 1URljM-0005hz-Uk; Mon, 15 Apr 2013 16:54:09 +0100 -From: Matthew Garrett -To: matt.fleming@intel.com -Cc: linux-efi@vger.kernel.org, x86@kernel.org, - linux-kernel@vger.kernel.org, - Matthew Garrett -Subject: [PATCH V5 1/2] efi: Pass boot services variable info to runtime code -Date: Mon, 15 Apr 2013 08:53:46 -0700 -Message-Id: <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> -References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> -X-cavan-blacklisted-at: zen.spamhaus.org -X-SA-Do-Not-Run: Yes -X-SA-Exim-Connect-IP: 208.54.5.183 -X-SA-Exim-Mail-From: matthew.garrett@nebula.com -X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -EFI variables can be flagged as being accessible only within boot services. -This makes it awkward for us to figure out how much space they use at -runtime. In theory we could figure this out by simply comparing the results -from QueryVariableInfo() to the space used by all of our variables, but -that fails if the platform doesn't garbage collect on every boot. Thankfully, -calling QueryVariableInfo() while still inside boot services gives a more -reliable answer. This patch passes that information from the EFI boot stub -up to the efi platform code. - -Signed-off-by: Matthew Garrett ---- - arch/x86/boot/compressed/eboot.c | 47 +++++++++++++++++++++++++++++++++++ - arch/x86/include/asm/efi.h | 7 ++++++ - arch/x86/include/uapi/asm/bootparam.h | 1 + - arch/x86/platform/efi/efi.c | 21 ++++++++++++++++ - 4 files changed, 76 insertions(+) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index c205035..8615f75 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -251,6 +251,51 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) - *size = len; - } - -+static efi_status_t setup_efi_vars(struct boot_params *params) -+{ -+ struct setup_data *data; -+ struct efi_var_bootdata *efidata; -+ u64 store_size, remaining_size, var_size; -+ efi_status_t status; -+ -+ if (!sys_table->runtime->query_variable_info) -+ return EFI_UNSUPPORTED; -+ -+ data = (struct setup_data *)(unsigned long)params->hdr.setup_data; -+ -+ while (data && data->next) -+ data = (struct setup_data *)(unsigned long)data->next; -+ -+ status = efi_call_phys4(sys_table->runtime->query_variable_info, -+ EFI_VARIABLE_NON_VOLATILE | -+ EFI_VARIABLE_BOOTSERVICE_ACCESS | -+ EFI_VARIABLE_RUNTIME_ACCESS, &store_size, -+ &remaining_size, &var_size); -+ -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ status = efi_call_phys3(sys_table->boottime->allocate_pool, -+ EFI_LOADER_DATA, sizeof(*efidata), &efidata); -+ -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ efidata->data.type = SETUP_EFI_VARS; -+ efidata->data.len = sizeof(struct efi_var_bootdata) - -+ sizeof(struct setup_data); -+ efidata->data.next = 0; -+ efidata->store_size = store_size; -+ efidata->remaining_size = remaining_size; -+ efidata->max_var_size = var_size; -+ -+ if (data) -+ data->next = (unsigned long)efidata; -+ else -+ params->hdr.setup_data = (unsigned long)efidata; -+ -+} -+ - static efi_status_t setup_efi_pci(struct boot_params *params) - { - efi_pci_io_protocol *pci; -@@ -1157,6 +1202,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, - - setup_graphics(boot_params); - -+ setup_efi_vars(boot_params); -+ - setup_efi_pci(boot_params); - - status = efi_call_phys3(sys_table->boottime->allocate_pool, -diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h -index 60c89f3..2fb5d58 100644 ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -102,6 +102,13 @@ extern void efi_call_phys_epilog(void); - extern void efi_unmap_memmap(void); - extern void efi_memory_uc(u64 addr, unsigned long size); - -+struct efi_var_bootdata { -+ struct setup_data data; -+ u64 store_size; -+ u64 remaining_size; -+ u64 max_var_size; -+}; -+ - #ifdef CONFIG_EFI - - static inline bool efi_is_native(void) -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index c15ddaf..0874424 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -6,6 +6,7 @@ - #define SETUP_E820_EXT 1 - #define SETUP_DTB 2 - #define SETUP_PCI 3 -+#define SETUP_EFI_VARS 4 - - /* ram_size flags */ - #define RAMDISK_IMAGE_START_MASK 0x07FF -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index c89c245..e844d82 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -69,6 +69,10 @@ struct efi_memory_map memmap; - static struct efi efi_phys __initdata; - static efi_system_table_t efi_systab __initdata; - -+static u64 efi_var_store_size; -+static u64 efi_var_remaining_size; -+static u64 efi_var_max_var_size; -+ - unsigned long x86_efi_facility; - - /* -@@ -682,6 +686,9 @@ void __init efi_init(void) - char vendor[100] = "unknown"; - int i = 0; - void *tmp; -+ struct setup_data *data; -+ struct efi_var_bootdata *efi_var_data; -+ u64 pa_data; - - #ifdef CONFIG_X86_32 - if (boot_params.efi_info.efi_systab_hi || -@@ -699,6 +706,20 @@ void __init efi_init(void) - if (efi_systab_init(efi_phys.systab)) - return; - -+ pa_data = boot_params.hdr.setup_data; -+ while (pa_data) { -+ data = early_ioremap(pa_data, sizeof(*efi_var_data)); -+ if (data->type == SETUP_EFI_VARS) { -+ efi_var_data = (struct efi_var_bootdata *)data; -+ -+ efi_var_store_size = efi_var_data->store_size; -+ efi_var_remaining_size = efi_var_data->remaining_size; -+ efi_var_max_var_size = efi_var_data->max_var_size; -+ } -+ pa_data = data->next; -+ early_iounmap(data, sizeof(*efi_var_data)); -+ } -+ - set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); - - /* --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.92.6 with SMTP id ci6csp21956oab; - Mon, 15 Apr 2013 08:58:13 -0700 (PDT) -X-Received: by 10.66.118.201 with SMTP id ko9mr29757383pab.81.1366041492585; - Mon, 15 Apr 2013 08:58:12 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id cm3si20556099pad.185.2013.04.15.08.58.11; - Mon, 15 Apr 2013 08:58:12 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-efi-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-efi-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754177Ab3DOPyX (ORCPT - + 14 others); Mon, 15 Apr 2013 11:54:23 -0400 -Received: from cavan.codon.org.uk ([93.93.128.6]:36680 "EHLO - cavan.codon.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1753076Ab3DOPyU (ORCPT - ); Mon, 15 Apr 2013 11:54:20 -0400 -Received: from mb70536d0.tmodns.net ([208.54.5.183] helo=x230.localdomain) - by cavan.codon.org.uk with esmtpsa (TLS1.0:DHE_RSA_AES_256_CBC_SHA1:32) - (Exim 4.72) - (envelope-from ) - id 1URljO-0005hz-NR; Mon, 15 Apr 2013 16:54:11 +0100 -From: Matthew Garrett -To: matt.fleming@intel.com -Cc: linux-efi@vger.kernel.org, x86@kernel.org, - linux-kernel@vger.kernel.org, - Matthew Garrett -Subject: [PATCH V5 2/2] efi: Distinguish between "remaining space" and actually used space -Date: Mon, 15 Apr 2013 08:53:47 -0700 -Message-Id: <1366041227-17710-2-git-send-email-matthew.garrett@nebula.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> -References: <1365561717-12343-1-git-send-email-matthew.garrett@nebula.com> - <1366041227-17710-1-git-send-email-matthew.garrett@nebula.com> -X-cavan-blacklisted-at: zen.spamhaus.org -X-SA-Do-Not-Run: Yes -X-SA-Exim-Connect-IP: 208.54.5.183 -X-SA-Exim-Mail-From: matthew.garrett@nebula.com -X-SA-Exim-Scanned: No (on cavan.codon.org.uk); SAEximRunCond expanded to false -Sender: linux-efi-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-efi@vger.kernel.org - -EFI implementations distinguish between space that is actively used by a -variable and space that merely hasn't been garbage collected yet. Space -that hasn't yet been garbage collected isn't available for use and so isn't -counted in the remaining_space field returned by QueryVariableInfo(). - -Combined with commit 68d9298 this can cause problems. Some implementations -don't garbage collect until the remaining space is smaller than the maximum -variable size, and as a result check_var_size() will always fail once more -than 50% of the variable store has been used even if most of that space is -marked as available for garbage collection. The user is unable to create -new variables, and deleting variables doesn't increase the remaining space. - -The problem that 68d9298 was attempting to avoid was one where certain -platforms fail if the actively used space is greater than 50% of the -available storage space. We should be able to calculate that by simply -summing the size of each available variable and subtracting that from -the total storage space. With luck this will fix the problem described in -https://bugzilla.kernel.org/show_bug.cgi?id=55471 without permitting -damage to occur to the machines 68d9298 was attempting to fix. - -Signed-off-by: Matthew Garrett ---- - arch/x86/platform/efi/efi.c | 109 +++++++++++++++++++++++++++++++++++++++++--- - 1 file changed, 102 insertions(+), 7 deletions(-) - -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index e844d82..a3f03cd 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -41,6 +41,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -51,6 +52,13 @@ - - #define EFI_DEBUG 1 - -+/* -+ * There's some additional metadata associated with each -+ * variable. Intel's reference implementation is 60 bytes - bump that -+ * to account for potential alignment constraints -+ */ -+#define VAR_METADATA_SIZE 64 -+ - struct efi __read_mostly efi = { - .mps = EFI_INVALID_TABLE_ADDR, - .acpi = EFI_INVALID_TABLE_ADDR, -@@ -72,6 +80,9 @@ static efi_system_table_t efi_systab __initdata; - static u64 efi_var_store_size; - static u64 efi_var_remaining_size; - static u64 efi_var_max_var_size; -+static u64 boot_used_size; -+static u64 boot_var_size; -+static u64 active_size; - - unsigned long x86_efi_facility; - -@@ -166,8 +177,53 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, - efi_char16_t *name, - efi_guid_t *vendor) - { -- return efi_call_virt3(get_next_variable, -- name_size, name, vendor); -+ efi_status_t status; -+ static bool finished = false; -+ static u64 var_size; -+ -+ status = efi_call_virt3(get_next_variable, -+ name_size, name, vendor); -+ -+ if (status == EFI_NOT_FOUND) { -+ finished = true; -+ if (var_size < boot_used_size) { -+ boot_var_size = boot_used_size - var_size; -+ active_size += boot_var_size; -+ } else { -+ printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); -+ } -+ } -+ -+ if (boot_used_size && !finished) { -+ unsigned long size; -+ u32 attr; -+ efi_status_t s; -+ void *tmp; -+ -+ s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); -+ -+ if (s != EFI_BUFFER_TOO_SMALL || !size) -+ return status; -+ -+ tmp = kmalloc(size, GFP_ATOMIC); -+ -+ if (!tmp) -+ return status; -+ -+ s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); -+ -+ if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { -+ var_size += size; -+ var_size += ucs2_strsize(name, 1024); -+ active_size += size; -+ active_size += VAR_METADATA_SIZE; -+ active_size += ucs2_strsize(name, 1024); -+ } -+ -+ kfree(tmp); -+ } -+ -+ return status; - } - - static efi_status_t virt_efi_set_variable(efi_char16_t *name, -@@ -176,9 +232,34 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, - unsigned long data_size, - void *data) - { -- return efi_call_virt5(set_variable, -- name, vendor, attr, -- data_size, data); -+ efi_status_t status; -+ u32 orig_attr = 0; -+ unsigned long orig_size = 0; -+ -+ status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, -+ NULL); -+ -+ if (status != EFI_BUFFER_TOO_SMALL) -+ orig_size = 0; -+ -+ status = efi_call_virt5(set_variable, -+ name, vendor, attr, -+ data_size, data); -+ -+ if (status == EFI_SUCCESS) { -+ if (orig_size) { -+ active_size -= orig_size; -+ active_size -= ucs2_strsize(name, 1024); -+ active_size -= VAR_METADATA_SIZE; -+ } -+ if (data_size) { -+ active_size += data_size; -+ active_size += ucs2_strsize(name, 1024); -+ active_size += VAR_METADATA_SIZE; -+ } -+ } -+ -+ return status; - } - - static efi_status_t virt_efi_query_variable_info(u32 attr, -@@ -720,6 +801,8 @@ void __init efi_init(void) - early_iounmap(data, sizeof(*efi_var_data)); - } - -+ boot_used_size = efi_var_store_size - efi_var_remaining_size; -+ - set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); - - /* -@@ -1039,8 +1122,20 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - if (status != EFI_SUCCESS) - return status; - -- if (!storage_size || size > remaining_size || size > max_size || -- (remaining_size - size) < (storage_size / 2)) -+ /* -+ * Some firmware implementations refuse to boot if there's insufficient -+ * space in the variable store. We account for that by refusing the -+ * write if permitting it would reduce the available space to under -+ * 50%. However, some firmware won't reclaim variable space until -+ * after the used (not merely the actively used) space drops below -+ * a threshold. We can approximate that case with the value calculated -+ * above. If both the firmware and our calculations indicate that the -+ * available space would drop below 50%, refuse the write. -+ */ -+ -+ if (!storage_size || size > remaining_size || -+ ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && -+ (remaining_size - size < storage_size / 2))) - return EFI_OUT_OF_RESOURCES; - - return EFI_SUCCESS; --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe linux-efi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 415ea7ced..b98d37ee3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -93,9 +93,9 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 7 +%define rcrev 8 # The git snapshot level -%define gitrev 3 +%define gitrev 0 # Set rpm version accordingly %define rpmversion 3.%{upstream_sublevel}.0 %endif @@ -692,8 +692,6 @@ Patch10000: fs-proc-devtree-remove_proc_entry.patch Patch12016: disable-i8042-check-on-apple-mac.patch -Patch13003: efi-dont-map-boot-services-on-32bit.patch - Patch14000: hibernate-freeze-filesystems.patch Patch14010: lis3-improve-handling-of-null-rate.patch @@ -748,9 +746,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch -#rhbz 947142 -Patch23009: efi-space-fixes.patch - #rhbz 919176 Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch @@ -1415,8 +1410,6 @@ ApplyPatch fs-proc-devtree-remove_proc_entry.patch ApplyPatch disable-i8042-check-on-apple-mac.patch -ApplyPatch efi-dont-map-boot-services-on-32bit.patch - # FIXME: REBASE #ApplyPatch hibernate-freeze-filesystems.patch @@ -1456,9 +1449,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch -#rhbz 947142 -ApplyPatch efi-space-fixes.patch - #rhbz 919176 ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch @@ -2299,6 +2289,9 @@ fi # and build. %changelog +* Mon Apr 22 2013 Justin M. Forbes - 3.9.0-0.rc8.git0.1 +- Linux v3.9-rc8 + * Mon Apr 22 2013 Peter Robinson - Minor ARM updates diff --git a/sources b/sources index c0a0bcbcc..217f54bf2 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -397b22065c5731d72ad9b4137c40dae4 patch-3.9-rc7.xz -790d0eb70ca65c1a5215d14b05bb38f8 patch-3.9-rc7-git3.xz +5288991c5756cd165402861a5083ec8b patch-3.9-rc8.xz From 0ba0b78d00827bb43e6d29aef3e061f9cd4fd86d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 24 Apr 2013 11:21:48 -0400 Subject: [PATCH 067/468] Add patch to fix EFI boot on Macs (rhbz 953447) --- ...Check-EFI-revision-in-setup_efi_vars.patch | 35 +++++++++++++++++++ kernel.spec | 11 +++++- 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 efi-Check-EFI-revision-in-setup_efi_vars.patch diff --git a/efi-Check-EFI-revision-in-setup_efi_vars.patch b/efi-Check-EFI-revision-in-setup_efi_vars.patch new file mode 100644 index 000000000..3e69cc6a9 --- /dev/null +++ b/efi-Check-EFI-revision-in-setup_efi_vars.patch @@ -0,0 +1,35 @@ +From 4b367720588ea97a32dc6393ac8975d6111ba72b Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Wed, 24 Apr 2013 10:30:02 -0400 +Subject: [PATCH] efi: Check EFI revision in setup_efi_vars + +We need to check the runtime sys_table for the EFI version the firmware +specifies instead of just checking for a NULL QueryVariableInfo. Older +implementations of EFI don't have QueryVariableInfo but the runtime is +a smaller structure, so the pointer to it may be pointing off into garbage. + +This is apparently the case with several Apple firmwares that support EFI +1.10, and the current check causes them to no longer boot. Fix based on +a suggestion from Matthew Garrett. + +Signed-off-by: Josh Boyer +--- + arch/x86/boot/compressed/eboot.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 8615f75..4060c8d 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -258,7 +258,7 @@ static efi_status_t setup_efi_vars(struct boot_params *params) + u64 store_size, remaining_size, var_size; + efi_status_t status; + +- if (!sys_table->runtime->query_variable_info) ++ if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) + return EFI_UNSUPPORTED; + + data = (struct setup_data *)(unsigned long)params->hdr.setup_data; +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index b98d37ee3..c34d421b7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 2 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -754,6 +754,9 @@ Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch Patch25012: events-protect-access-via-task-subsys-state-check.patch +#rhbz 953447 +Patch25013: efi-Check-EFI-revision-in-setup_efi_vars.patch + # END OF PATCH DEFINITIONS %endif @@ -1457,6 +1460,9 @@ ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch ApplyPatch events-protect-access-via-task-subsys-state-check.patch +#rhbz 953447 +ApplyPatch efi-Check-EFI-revision-in-setup_efi_vars.patch + # END OF PATCH APPLICATIONS %endif @@ -2289,6 +2295,9 @@ fi # and build. %changelog +* Wed Apr 24 2013 Josh Boyer +- Add patch to fix EFI boot on Macs (rhbz 953447) + * Mon Apr 22 2013 Justin M. Forbes - 3.9.0-0.rc8.git0.1 - Linux v3.9-rc8 From 9015f9ecf3b8c6478acad0307f27057bb8ddc082 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 24 Apr 2013 13:02:42 -0500 Subject: [PATCH 068/468] Add nvr for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index c34d421b7..afb16a34c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2295,7 +2295,7 @@ fi # and build. %changelog -* Wed Apr 24 2013 Josh Boyer +* Wed Apr 24 2013 Josh Boyer - 3.9.0-0.rc8.git0.2 - Add patch to fix EFI boot on Macs (rhbz 953447) * Mon Apr 22 2013 Justin M. Forbes - 3.9.0-0.rc8.git0.1 From 07c0cc859c743c44941ebf2c2d5128f09acb9bbb Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Thu, 25 Apr 2013 15:16:43 -0400 Subject: [PATCH 069/468] Resolves: bz 956365 add CONFIG_TIPC to config-generic --- config-generic | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/config-generic b/config-generic index 911a38625..5dd409c46 100644 --- a/config-generic +++ b/config-generic @@ -1037,7 +1037,8 @@ CONFIG_IP_DCCP_CCID3=y # # TIPC Configuration (EXPERIMENTAL) # -# CONFIG_TIPC is not set +CONFIG_TIPC=m +CONFIG_TIPC_PORTS=8192 # CONFIG_TIPC_ADVANCED is not set # CONFIG_TIPC_DEBUG is not set From 37a72f1596d24e10f60269224030e7eb4122f049 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Apr 2013 08:45:12 -0400 Subject: [PATCH 070/468] Add patch to prevent scheduling while atomic error in blkcg --- ...ile-atomic-in-blk_queue_bypass_start.patch | 79 +++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 86 insertions(+) create mode 100644 blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch diff --git a/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch b/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch new file mode 100644 index 000000000..615d7555b --- /dev/null +++ b/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch @@ -0,0 +1,79 @@ +From e5072664f8237cf53b0bd68a51aa1a7bc69061c5 Mon Sep 17 00:00:00 2001 +From: Jun'ichi Nomura +Date: Tue, 09 Apr 2013 13:01:21 +0000 +Subject: blkcg: fix "scheduling while atomic" in blk_queue_bypass_start + +Since 749fefe677 in v3.7 ("block: lift the initial queue bypass mode +on blk_register_queue() instead of blk_init_allocated_queue()"), +the following warning appears when multipath is used with CONFIG_PREEMPT=y. + +This patch moves blk_queue_bypass_start() before radix_tree_preload() +to avoid the sleeping call while preemption is disabled. + + BUG: scheduling while atomic: multipath/2460/0x00000002 + 1 lock held by multipath/2460: + #0: (&md->type_lock){......}, at: [] dm_lock_md_type+0x17/0x19 [dm_mod] + Modules linked in: ... + Pid: 2460, comm: multipath Tainted: G W 3.7.0-rc2 #1 + Call Trace: + [] __schedule_bug+0x6a/0x78 + [] __schedule+0xb4/0x5e0 + [] schedule+0x64/0x66 + [] schedule_timeout+0x39/0xf8 + [] ? put_lock_stats+0xe/0x29 + [] ? lock_release_holdtime+0xb6/0xbb + [] wait_for_common+0x9d/0xee + [] ? try_to_wake_up+0x206/0x206 + [] ? kfree_call_rcu+0x1c/0x1c + [] wait_for_completion+0x1d/0x1f + [] wait_rcu_gp+0x5d/0x7a + [] ? wait_rcu_gp+0x7a/0x7a + [] ? complete+0x21/0x53 + [] synchronize_rcu+0x1e/0x20 + [] blk_queue_bypass_start+0x5d/0x62 + [] blkcg_activate_policy+0x73/0x270 + [] ? kmem_cache_alloc_node_trace+0xc7/0x108 + [] cfq_init_queue+0x80/0x28e + [] ? dm_blk_ioctl+0xa7/0xa7 [dm_mod] + [] elevator_init+0xe1/0x115 + [] ? blk_queue_make_request+0x54/0x59 + [] blk_init_allocated_queue+0x8c/0x9e + [] dm_setup_md_queue+0x36/0xaa [dm_mod] + [] table_load+0x1bd/0x2c8 [dm_mod] + [] ctl_ioctl+0x1d6/0x236 [dm_mod] + [] ? table_clear+0xaa/0xaa [dm_mod] + [] dm_ctl_ioctl+0x13/0x17 [dm_mod] + [] do_vfs_ioctl+0x3fb/0x441 + [] ? file_has_perm+0x8a/0x99 + [] sys_ioctl+0x5e/0x82 + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b + +Signed-off-by: Jun'ichi Nomura +Acked-by: Vivek Goyal +Acked-by: Tejun Heo +Cc: Alasdair G Kergon +Cc: stable@kernel.org +Signed-off-by: Jens Axboe +--- +(limited to 'block/blk-cgroup.c') + +diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c +index b2b9837..e8918ff 100644 +--- a/block/blk-cgroup.c ++++ b/block/blk-cgroup.c +@@ -972,10 +972,10 @@ int blkcg_activate_policy(struct request_queue *q, + if (!new_blkg) + return -ENOMEM; + +- preloaded = !radix_tree_preload(GFP_KERNEL); +- + blk_queue_bypass_start(q); + ++ preloaded = !radix_tree_preload(GFP_KERNEL); ++ + /* + * Make sure the root blkg exists and count the existing blkgs. As + * @q is bypassing at this point, blkg_lookup_create() can't be +-- +cgit v0.9.1 diff --git a/kernel.spec b/kernel.spec index afb16a34c..eb5f2549f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -757,6 +757,8 @@ Patch25012: events-protect-access-via-task-subsys-state-check.patch #rhbz 953447 Patch25013: efi-Check-EFI-revision-in-setup_efi_vars.patch +Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch + # END OF PATCH DEFINITIONS %endif @@ -1463,6 +1465,8 @@ ApplyPatch events-protect-access-via-task-subsys-state-check.patch #rhbz 953447 ApplyPatch efi-Check-EFI-revision-in-setup_efi_vars.patch +ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch + # END OF PATCH APPLICATIONS %endif @@ -2295,6 +2299,9 @@ fi # and build. %changelog +* Fri Apr 26 2013 Josh Boyer +- Add patch to prevent scheduling while atomic error in blkcg + * Wed Apr 24 2013 Josh Boyer - 3.9.0-0.rc8.git0.2 - Add patch to fix EFI boot on Macs (rhbz 953447) From db65632c365e8a0bb24f759f51b9140cb8d022ab Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 29 Apr 2013 08:32:41 -0400 Subject: [PATCH 071/468] Linux v3.9 --- ...Check-EFI-revision-in-setup_efi_vars.patch | 35 ----------- ...t-access-via-task-subsys-state-check.patch | 61 ------------------- kernel.spec | 19 ++---- sources | 3 +- 4 files changed, 7 insertions(+), 111 deletions(-) delete mode 100644 efi-Check-EFI-revision-in-setup_efi_vars.patch delete mode 100644 events-protect-access-via-task-subsys-state-check.patch diff --git a/efi-Check-EFI-revision-in-setup_efi_vars.patch b/efi-Check-EFI-revision-in-setup_efi_vars.patch deleted file mode 100644 index 3e69cc6a9..000000000 --- a/efi-Check-EFI-revision-in-setup_efi_vars.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 4b367720588ea97a32dc6393ac8975d6111ba72b Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Wed, 24 Apr 2013 10:30:02 -0400 -Subject: [PATCH] efi: Check EFI revision in setup_efi_vars - -We need to check the runtime sys_table for the EFI version the firmware -specifies instead of just checking for a NULL QueryVariableInfo. Older -implementations of EFI don't have QueryVariableInfo but the runtime is -a smaller structure, so the pointer to it may be pointing off into garbage. - -This is apparently the case with several Apple firmwares that support EFI -1.10, and the current check causes them to no longer boot. Fix based on -a suggestion from Matthew Garrett. - -Signed-off-by: Josh Boyer ---- - arch/x86/boot/compressed/eboot.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 8615f75..4060c8d 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -258,7 +258,7 @@ static efi_status_t setup_efi_vars(struct boot_params *params) - u64 store_size, remaining_size, var_size; - efi_status_t status; - -- if (!sys_table->runtime->query_variable_info) -+ if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) - return EFI_UNSUPPORTED; - - data = (struct setup_data *)(unsigned long)params->hdr.setup_data; --- -1.8.1.4 - diff --git a/events-protect-access-via-task-subsys-state-check.patch b/events-protect-access-via-task-subsys-state-check.patch deleted file mode 100644 index a7d3972c0..000000000 --- a/events-protect-access-via-task-subsys-state-check.patch +++ /dev/null @@ -1,61 +0,0 @@ -The following RCU splat indicates lack of RCU protection: - -[ 953.267649] =============================== -[ 953.267652] [ INFO: suspicious RCU usage. ] -[ 953.267657] 3.9.0-0.rc6.git2.4.fc19.ppc64p7 #1 Not tainted -[ 953.267661] ------------------------------- -[ 953.267664] include/linux/cgroup.h:534 suspicious rcu_dereference_check() usage! -[ 953.267669] -[ 953.267669] other info that might help us debug this: -[ 953.267669] -[ 953.267675] -[ 953.267675] rcu_scheduler_active = 1, debug_locks = 0 -[ 953.267680] 1 lock held by glxgears/1289: -[ 953.267683] #0: (&sig->cred_guard_mutex){+.+.+.}, at: [] .prepare_bprm_creds+0x34/0xa0 -[ 953.267700] -[ 953.267700] stack backtrace: -[ 953.267704] Call Trace: -[ 953.267709] [c0000001f0d1b6e0] [c000000000016e30] .show_stack+0x130/0x200 (unreliable) -[ 953.267717] [c0000001f0d1b7b0] [c0000000001267f8] .lockdep_rcu_suspicious+0x138/0x180 -[ 953.267724] [c0000001f0d1b840] [c0000000001d43a4] .perf_event_comm+0x4c4/0x690 -[ 953.267731] [c0000001f0d1b950] [c00000000027f6e4] .set_task_comm+0x84/0x1f0 -[ 953.267737] [c0000001f0d1b9f0] [c000000000280414] .setup_new_exec+0x94/0x220 -[ 953.267744] [c0000001f0d1ba70] [c0000000002f665c] .load_elf_binary+0x58c/0x19b0 -[ 953.267751] [c0000001f0d1bbc0] [c00000000027e724] .search_binary_handler+0x254/0x680 -[ 953.267758] [c0000001f0d1bca0] [c0000000002800dc] .do_execve_common.isra.17+0x76c/0x860 -[ 953.267764] [c0000001f0d1bd90] [c000000000280698] .SyS_execve+0x58/0x90 -[ 953.267771] [c0000001f0d1be30] [c000000000009e60] syscall_exit+0x0/0x98 - -This commit therefore adds the required RCU read-side critical section to -perf_event_comm(). - -Reported-by: Adam Jackson -Signed-off-by: Paul E. McKenney -Tested-by: Gustavo Luiz Duarte - -diff --git a/kernel/events/core.c b/kernel/events/core.c -index b0cd865..8db9551 100644 ---- a/kernel/events/core.c -+++ b/kernel/events/core.c -@@ -4593,6 +4593,7 @@ void perf_event_comm(struct task_struct *task) - struct perf_event_context *ctx; - int ctxn; - -+ rcu_read_lock(); - for_each_task_context_nr(ctxn) { - ctx = task->perf_event_ctxp[ctxn]; - if (!ctx) -@@ -4600,6 +4601,7 @@ void perf_event_comm(struct task_struct *task) - - perf_event_enable_on_exec(ctx); - } -+ rcu_read_unlock(); - - if (!atomic_read(&nr_comm_events)) - return; - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index eb5f2549f..5e484fa36 100644 --- a/kernel.spec +++ b/kernel.spec @@ -6,7 +6,7 @@ Summary: The Linux kernel # For a stable, released kernel, released_kernel should be 1. For rawhide # and/or a kernel built from an rc or git snapshot, released_kernel should # be 0. -%global released_kernel 0 +%global released_kernel 1 # Sign modules on x86. Make sure the config files match this setting if more # architectures are added. @@ -62,13 +62,13 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 2 +%global baserelease 1 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 8 +%define base_sublevel 9 ## If this is a released kernel ## %if 0%{?released_kernel} @@ -752,11 +752,6 @@ Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch -Patch25012: events-protect-access-via-task-subsys-state-check.patch - -#rhbz 953447 -Patch25013: efi-Check-EFI-revision-in-setup_efi_vars.patch - Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch # END OF PATCH DEFINITIONS @@ -1460,11 +1455,6 @@ ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch #rhbz 951241 ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch -ApplyPatch events-protect-access-via-task-subsys-state-check.patch - -#rhbz 953447 -ApplyPatch efi-Check-EFI-revision-in-setup_efi_vars.patch - ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch # END OF PATCH APPLICATIONS @@ -2299,6 +2289,9 @@ fi # and build. %changelog +* Mon Apr 29 2013 Josh Boyer +- Linux v3.9 + * Fri Apr 26 2013 Josh Boyer - Add patch to prevent scheduling while atomic error in blkcg diff --git a/sources b/sources index 217f54bf2..06558d5b1 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -1c738edfc54e7c65faeb90c436104e2f linux-3.8.tar.xz -5288991c5756cd165402861a5083ec8b patch-3.9-rc8.xz +4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz From cee68baed2ba5eb639936196586b88abcfc0d8bb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 29 Apr 2013 09:27:52 -0400 Subject: [PATCH 072/468] Add verrel for build --- kernel.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 5e484fa36..9a5f14049 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 1 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2289,7 +2289,7 @@ fi # and build. %changelog -* Mon Apr 29 2013 Josh Boyer +* Mon Apr 29 2013 Josh Boyer - 3.9.0-301 - Linux v3.9 * Fri Apr 26 2013 Josh Boyer From a4062c687f02d2238bdb39a74d1ce954c90659b2 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Mon, 29 Apr 2013 15:39:43 -0400 Subject: [PATCH 073/468] af_packet: Enable CONFIG_PACKET_DIAG as a module Resolves: rhbz956870 --- config-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-generic b/config-generic index 5dd409c46..1fd53ba97 100644 --- a/config-generic +++ b/config-generic @@ -674,7 +674,7 @@ CONFIG_TCP_MD5SIG=y # Networking options # CONFIG_PACKET=y -# CONFIG_PACKET_DIAG is not set +CONFIG_PACKET_DIAG=m CONFIG_UNIX=y CONFIG_UNIX_DIAG=m CONFIG_NET_KEY=m diff --git a/kernel.spec b/kernel.spec index 9a5f14049..f09dd695b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2289,6 +2289,9 @@ fi # and build. %changelog +* Mon Apr 29 2013 Neil Horman +- Enabled CONFIG_PACKET_DIAG (rhbz 956870) + * Mon Apr 29 2013 Josh Boyer - 3.9.0-301 - Linux v3.9 From adf08266dc5deab905600701829c734f6b57454b Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 30 Apr 2013 20:47:46 +0100 Subject: [PATCH 074/468] Enable CONFIG_SERIAL_8250_DW on ARM --- config-armv7-generic | 1 + kernel.spec | 3 +++ 2 files changed, 4 insertions(+) diff --git a/config-armv7-generic b/config-armv7-generic index 4105483df..abe4bdd1a 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -156,6 +156,7 @@ CONFIG_SERIAL_AMBA_PL010=y CONFIG_SERIAL_AMBA_PL010_CONSOLE=y CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y +CONFIG_SERIAL_8250_DW=y CONFIG_RTC_DRV_PL030=y CONFIG_RTC_DRV_PL031=y diff --git a/kernel.spec b/kernel.spec index f09dd695b..0f730ce52 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2289,6 +2289,9 @@ fi # and build. %changelog +* Tue Apr 30 2013 Peter Robinson +- Enable CONFIG_SERIAL_8250_DW on ARM + * Mon Apr 29 2013 Neil Horman - Enabled CONFIG_PACKET_DIAG (rhbz 956870) From ee95a2a44dd91a56038caafe37efaa53a427530e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 1 May 2013 08:45:58 -0400 Subject: [PATCH 075/468] Add some powerpc fixes for POWER8 --- kernel.spec | 13 ++++++- powerpc-Add-isync-to-copy_and_flush.patch | 39 +++++++++++++++++++ ...RQs-with-MMU-on-exceptions-when-HV=0.patch | 39 +++++++++++++++++++ ...ondary-CPUs-hanging-on-boot-for-HV=0.patch | 33 ++++++++++++++++ 4 files changed, 123 insertions(+), 1 deletion(-) create mode 100644 powerpc-Add-isync-to-copy_and_flush.patch create mode 100644 powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch create mode 100644 powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch diff --git a/kernel.spec b/kernel.spec index 0f730ce52..da0914afb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -754,6 +754,10 @@ Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch +Patch25015: powerpc-Add-isync-to-copy_and_flush.patch +Patch25016: powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch +Patch25017: powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch + # END OF PATCH DEFINITIONS %endif @@ -1457,6 +1461,10 @@ ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch +ApplyPatch powerpc-Add-isync-to-copy_and_flush.patch +ApplyPatch powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch +ApplyPatch powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch + # END OF PATCH APPLICATIONS %endif @@ -2289,6 +2297,9 @@ fi # and build. %changelog +* Wed May 01 2013 Josh Boyer +- Add some powerpc fixes for POWER8 + * Tue Apr 30 2013 Peter Robinson - Enable CONFIG_SERIAL_8250_DW on ARM diff --git a/powerpc-Add-isync-to-copy_and_flush.patch b/powerpc-Add-isync-to-copy_and_flush.patch new file mode 100644 index 000000000..f9f3fa874 --- /dev/null +++ b/powerpc-Add-isync-to-copy_and_flush.patch @@ -0,0 +1,39 @@ +From 29ce3c5073057991217916abc25628e906911757 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Wed, 24 Apr 2013 00:30:09 +0000 +Subject: powerpc: Add isync to copy_and_flush + +In __after_prom_start we copy the kernel down to zero in two calls to +copy_and_flush. After the first call (copy from 0 to copy_to_here:) +we jump to the newly copied code soon after. + +Unfortunately there's no isync between the copy of this code and the +jump to it. Hence it's possible that stale instructions could still be +in the icache or pipeline before we branch to it. + +We've seen this on real machines and it's results in no console output +after: + calling quiesce... + returning from prom_init + +The below adds an isync to ensure that the copy and flushing has +completed before any branching to the new instructions occurs. + +Signed-off-by: Michael Neuling +CC: +Signed-off-by: Benjamin Herrenschmidt +--- +diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S +index 0886ae6..b61363d 100644 +--- a/arch/powerpc/kernel/head_64.S ++++ b/arch/powerpc/kernel/head_64.S +@@ -509,6 +509,7 @@ _GLOBAL(copy_and_flush) + sync + addi r5,r5,8 + addi r6,r6,8 ++ isync + blr + + .align 8 +-- +cgit v0.9.1 diff --git a/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch b/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch new file mode 100644 index 000000000..c1a2a4687 --- /dev/null +++ b/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch @@ -0,0 +1,39 @@ +From 3e96ca7f007ddb06b82a74a68585d1dbafa85ff1 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Thu, 25 Apr 2013 15:30:57 +0000 +Subject: powerpc: Fix hardware IRQs with MMU on exceptions when HV=0 + +POWER8 allows us to take interrupts with the MMU on. This gives us a +second set of vectors offset at 0x4000. + +Unfortunately when coping these vectors we missed checking for MSR HV +for hardware interrupts (0x500). This results in us trying to use +HSRR0/1 when HV=0, rather than SRR0/1 on HW IRQs + +The below fixes this to check CPU_FTR_HVMODE when patching the code at +0x4500. + +Also we remove the check for CPU_FTR_ARCH_206 since relocation on IRQs +are only available in arch 2.07 and beyond. + +Thanks to benh for helping find this. + +Signed-off-by: Michael Neuling +CC: +Signed-off-by: Benjamin Herrenschmidt +--- +diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S +index e789ee7..82ceab4 100644 +--- a/arch/powerpc/kernel/exceptions-64s.S ++++ b/arch/powerpc/kernel/exceptions-64s.S +@@ -797,7 +797,7 @@ hardware_interrupt_relon_hv: + _MASKABLE_RELON_EXCEPTION_PSERIES(0x502, hardware_interrupt, EXC_HV, SOFTEN_TEST_HV) + FTR_SECTION_ELSE + _MASKABLE_RELON_EXCEPTION_PSERIES(0x500, hardware_interrupt, EXC_STD, SOFTEN_TEST_PR) +- ALT_FTR_SECTION_END_IFSET(CPU_FTR_ARCH_206) ++ ALT_FTR_SECTION_END_IFSET(CPU_FTR_HVMODE) + STD_RELON_EXCEPTION_PSERIES(0x4600, 0x600, alignment) + STD_RELON_EXCEPTION_PSERIES(0x4700, 0x700, program_check) + STD_RELON_EXCEPTION_PSERIES(0x4800, 0x800, fp_unavailable) +-- +cgit v0.9.1 diff --git a/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch b/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch new file mode 100644 index 000000000..b3754af95 --- /dev/null +++ b/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch @@ -0,0 +1,33 @@ +From 8c2a381734fc9718f127f4aba958e8a7958d4028 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Wed, 24 Apr 2013 21:00:37 +0000 +Subject: powerpc/power8: Fix secondary CPUs hanging on boot for HV=0 + +In __restore_cpu_power8 we determine if we are HV and if not, we return +before setting HV only resources. + +Unfortunately we forgot to restore the link register from r11 before +returning. + +This will happen on boot and with secondary CPUs not coming online. + +This adds the missing link register restore. + +Signed-off-by: Michael Neuling +CC: +Signed-off-by: Benjamin Herrenschmidt +--- +diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S +index 2e6ad11..4daa5b7 100644 +--- a/arch/powerpc/kernel/cpu_setup_power.S ++++ b/arch/powerpc/kernel/cpu_setup_power.S +@@ -67,6 +67,7 @@ _GLOBAL(__restore_cpu_power8) + bl __init_FSCR + mfmsr r3 + rldicl. r0,r3,4,63 ++ mtlr r11 + beqlr + li r0,0 + mtspr SPRN_LPID,r0 +-- +cgit v0.9.1 From a773a38fa1d1cdc79419127353636d683a04c3c8 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 3 May 2013 09:31:11 -0400 Subject: [PATCH 076/468] Add two more patches for POWER --- kernel.spec | 9 +++- pci-Set-dev-dev.type-in-alloc_pci_dev.patch | 37 ++++++++++++++++ powerpc-Set-default-VGA-device.patch | 47 +++++++++++++++++++++ 3 files changed, 92 insertions(+), 1 deletion(-) create mode 100644 pci-Set-dev-dev.type-in-alloc_pci_dev.patch create mode 100644 powerpc-Set-default-VGA-device.patch diff --git a/kernel.spec b/kernel.spec index da0914afb..3da1165d3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 303 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -757,6 +757,8 @@ Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch Patch25015: powerpc-Add-isync-to-copy_and_flush.patch Patch25016: powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch Patch25017: powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch +Patch25018: pci-Set-dev-dev.type-in-alloc_pci_dev.patch +Patch25019: powerpc-Set-default-VGA-device.patch # END OF PATCH DEFINITIONS @@ -1464,6 +1466,8 @@ ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch ApplyPatch powerpc-Add-isync-to-copy_and_flush.patch ApplyPatch powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch ApplyPatch powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch +ApplyPatch pci-Set-dev-dev.type-in-alloc_pci_dev.patch +ApplyPatch powerpc-Set-default-VGA-device.patch # END OF PATCH APPLICATIONS @@ -2297,6 +2301,9 @@ fi # and build. %changelog +* Fri May 03 2013 Josh Boyer +- Add two more patches for POWER + * Wed May 01 2013 Josh Boyer - Add some powerpc fixes for POWER8 diff --git a/pci-Set-dev-dev.type-in-alloc_pci_dev.patch b/pci-Set-dev-dev.type-in-alloc_pci_dev.patch new file mode 100644 index 000000000..9f90daff9 --- /dev/null +++ b/pci-Set-dev-dev.type-in-alloc_pci_dev.patch @@ -0,0 +1,37 @@ +From 88e7b167a079f090405ab4390b629b5effdab41a Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Mon, 08 Apr 2013 03:05:07 +0000 +Subject: pci: Set dev->dev.type in alloc_pci_dev + +Set dev->dev.type in alloc_pci_dev so that archs that have their own +versions of pci_setup_device get this set properly in order to ensure +things like the boot_vga sysfs parameter get created as expected. + +Signed-off-by: Brian King +Acked-by: Bjorn Helgaas +Signed-off-by: Michael Ellerman +--- +(limited to 'drivers/pci/probe.c') + +diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c +index b494066..92be60c 100644 +--- a/drivers/pci/probe.c ++++ b/drivers/pci/probe.c +@@ -988,7 +988,6 @@ int pci_setup_device(struct pci_dev *dev) + dev->sysdata = dev->bus->sysdata; + dev->dev.parent = dev->bus->bridge; + dev->dev.bus = &pci_bus_type; +- dev->dev.type = &pci_dev_type; + dev->hdr_type = hdr_type & 0x7f; + dev->multifunction = !!(hdr_type & 0x80); + dev->error_state = pci_channel_io_normal; +@@ -1208,6 +1207,7 @@ struct pci_dev *alloc_pci_dev(void) + return NULL; + + INIT_LIST_HEAD(&dev->bus_list); ++ dev->dev.type = &pci_dev_type; + + return dev; + } +-- +cgit v0.9.1 diff --git a/powerpc-Set-default-VGA-device.patch b/powerpc-Set-default-VGA-device.patch new file mode 100644 index 000000000..4e0a07ed9 --- /dev/null +++ b/powerpc-Set-default-VGA-device.patch @@ -0,0 +1,47 @@ +From c2e1d84523ad2a19e5be08c1f01999cc9e82652e Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Mon, 08 Apr 2013 03:05:10 +0000 +Subject: powerpc: Set default VGA device + +Add a PCI quirk for VGA devices on Power to set the default VGA device. +Ensures a default VGA is always set if a graphics adapter is present, +even if firmware did not initialize it. If more than one graphics +adapter is present, ensure the one initialized by firmware is set +as the default VGA device. This ensures that X autoconfiguration +will work. + +Signed-off-by: Brian King +Signed-off-by: Michael Ellerman +--- +(limited to 'arch/powerpc/kernel/pci-common.c') + +diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c +index 0324758..f325dc9 100644 +--- a/arch/powerpc/kernel/pci-common.c ++++ b/arch/powerpc/kernel/pci-common.c +@@ -30,6 +30,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -1734,3 +1735,15 @@ static void fixup_hide_host_resource_fsl(struct pci_dev *dev) + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MOTOROLA, PCI_ANY_ID, fixup_hide_host_resource_fsl); + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_FREESCALE, PCI_ANY_ID, fixup_hide_host_resource_fsl); ++ ++static void fixup_vga(struct pci_dev *pdev) ++{ ++ u16 cmd; ++ ++ pci_read_config_word(pdev, PCI_COMMAND, &cmd); ++ if ((cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) || !vga_default_device()) ++ vga_set_default_device(pdev); ++ ++} ++DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_ANY_ID, PCI_ANY_ID, ++ PCI_CLASS_DISPLAY_VGA, 8, fixup_vga); +-- +cgit v0.9.1 From 7e083c1684c7519452fe569470f419ceeab9458f Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 6 May 2013 10:22:52 -0400 Subject: [PATCH 077/468] Don't remove headers explicitly exported via UAPI (rhbz 959467) --- kernel.spec | 8 +++----- 1 file changed, 3 insertions(+), 5 deletions(-) diff --git a/kernel.spec b/kernel.spec index 3da1165d3..0b03861e6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1987,11 +1987,6 @@ find $RPM_BUILD_ROOT/usr/include \ \( -name .install -o -name .check -o \ -name ..install.cmd -o -name ..check.cmd \) | xargs rm -f -# glibc provides scsi headers for itself, for now -rm -rf $RPM_BUILD_ROOT/usr/include/scsi -rm -f $RPM_BUILD_ROOT/usr/include/asm*/atomic.h -rm -f $RPM_BUILD_ROOT/usr/include/asm*/io.h -rm -f $RPM_BUILD_ROOT/usr/include/asm*/irq.h %endif %if %{with_perf} @@ -2301,6 +2296,9 @@ fi # and build. %changelog +* Mon May 06 2013 Josh Boyer +- Don't remove headers explicitly exported via UAPI (rhbz 959467) + * Fri May 03 2013 Josh Boyer - Add two more patches for POWER From 99a4618a16f17ab02069fc5e3bed0b7275bbff21 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Mon, 6 May 2013 23:16:16 +0100 Subject: [PATCH 078/468] Enable TPS65217 (am33xx) on ARM --- config-armv7 | 3 +++ kernel.spec | 3 +++ 2 files changed, 6 insertions(+) diff --git a/config-armv7 b/config-armv7 index 4f27e5c06..db8a2b69d 100644 --- a/config-armv7 +++ b/config-armv7 @@ -137,6 +137,9 @@ CONFIG_TI_DAVINCI_CPDMA=m CONFIG_TI_CPSW=m CONFIG_TI_CPTS=y CONFIG_TI_EMIF=m +CONFIG_MFD_TPS65217=m +CONFIG_REGULATOR_TPS65217=m +CONFIG_BACKLIGHT_TPS65217=m CONFIG_SERIAL_OMAP=y CONFIG_SERIAL_OMAP_CONSOLE=y diff --git a/kernel.spec b/kernel.spec index 0b03861e6..2385c6068 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2296,6 +2296,9 @@ fi # and build. %changelog +* Mon May 6 2013 Peter Robinson +- Enable TPS65217 (am33xx) on ARM + * Mon May 06 2013 Josh Boyer - Don't remove headers explicitly exported via UAPI (rhbz 959467) From 1d50f330bcb9e44d342bb948c7684a6720fdfcf1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 7 May 2013 12:29:25 -0400 Subject: [PATCH 079/468] Fix dmesg_restrict patch to avoid regression (rhbz 952655) --- ...or-dmesg_restrict-sysctl-on-dev-kmsg.patch | 182 ++++++++++++------ kernel.spec | 3 + 2 files changed, 127 insertions(+), 58 deletions(-) diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch index c42c8c4f1..7197f7f7a 100644 --- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch +++ b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch @@ -1,33 +1,106 @@ -From ce10d1b72b4da3c98bbbcb1b945687d964c31923 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Tue, 9 Apr 2013 11:08:13 -0400 -Subject: [PATCH] kmsg: Honor dmesg_restrict sysctl on /dev/kmsg +To fix /dev/kmsg, let's compare the existing interfaces and what they allow: -The dmesg_restrict sysctl currently covers the syslog method for access -dmesg, however /dev/kmsg isn't covered by the same protections. Most -people haven't noticed because util-linux dmesg(1) defaults to using the -syslog method for access in older versions. With util-linux dmesg(1) -defaults to reading directly from /dev/kmsg. +- /proc/kmsg allows: + - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive + single-reader interface (SYSLOG_ACTION_READ). + - everything, after an open. -Fix this by reworking all of the access methods to use the -check_syslog_permissions function and adding checks to devkmsg_open and -devkmsg_read. +- syslog syscall allows: + - anything, if CAP_SYSLOG. + - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0. + - nothing else (EPERM). -This fixes https://bugzilla.redhat.com/show_bug.cgi?id=903192 +The use-cases were: +- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs. +- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the + destructive SYSLOG_ACTION_READs. +AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't +clear the ring buffer. + +Based on the comments in devkmsg_llseek, it sounds like actions besides +reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR), +so we have a strict subset of the non-destructive syslog syscall actions. + +To this end, move the check as Josh had done, but also rename the constants +to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and +SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows +non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions +after a capabilities-constrained SYSLOG_ACTION_OPEN check. + +- /dev/kmsg allows: + - open if CAP_SYSLOG or dmesg_restrict==0 + - reading/polling, after open + +Signed-off-by: Kees Cook Reported-by: Christian Kujau -CC: stable@vger.kernel.org -Signed-off-by: Eric Paris -Signed-off-by: Josh Boyer +Cc: Josh Boyer +Cc: Kay Sievers +Cc: stable@vger.kernel.org --- - kernel/printk.c | 91 +++++++++++++++++++++++++++++---------------------------- - 1 file changed, 47 insertions(+), 44 deletions(-) + fs/proc/kmsg.c | 10 +++--- + include/linux/syslog.h | 4 +-- + kernel/printk.c | 91 ++++++++++++++++++++++++++---------------------- + 3 files changed, 57 insertions(+), 48 deletions(-) +diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c +index bd4b5a7..bdfabda 100644 +--- a/fs/proc/kmsg.c ++++ b/fs/proc/kmsg.c +@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait; + + static int kmsg_open(struct inode * inode, struct file * file) + { +- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE); ++ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC); + } + + static int kmsg_release(struct inode * inode, struct file * file) + { +- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE); ++ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC); + return 0; + } + +@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf, + size_t count, loff_t *ppos) + { + if ((file->f_flags & O_NONBLOCK) && +- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) ++ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) + return -EAGAIN; +- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE); ++ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC); + } + + static unsigned int kmsg_poll(struct file *file, poll_table *wait) + { + poll_wait(file, &log_wait, wait); +- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) ++ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) + return POLLIN | POLLRDNORM; + return 0; + } +diff --git a/include/linux/syslog.h b/include/linux/syslog.h +index 3891139..98a3153 100644 +--- a/include/linux/syslog.h ++++ b/include/linux/syslog.h +@@ -44,8 +44,8 @@ + /* Return size of the log buffer */ + #define SYSLOG_ACTION_SIZE_BUFFER 10 + +-#define SYSLOG_FROM_CALL 0 +-#define SYSLOG_FROM_FILE 1 ++#define SYSLOG_FROM_READER 0 ++#define SYSLOG_FROM_PROC 1 + + int do_syslog(int type, char __user *buf, int count, bool from_file); + diff --git a/kernel/printk.c b/kernel/printk.c -index abbdd9e..5541095 100644 +index abbdd9e..53b5c5e 100644 --- a/kernel/printk.c +++ b/kernel/printk.c -@@ -368,6 +368,46 @@ static void log_store(int facility, int level, +@@ -368,6 +368,53 @@ static void log_store(int facility, int level, log_next_seq++; } @@ -41,8 +114,12 @@ index abbdd9e..5541095 100644 +{ + if (dmesg_restrict) + return 1; -+ /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ -+ return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; ++ /* ++ * Unless restricted, we allow "read all" and "get buffer size" ++ * for everybody. ++ */ ++ return type != SYSLOG_ACTION_READ_ALL && ++ type != SYSLOG_ACTION_SIZE_BUFFER; +} + +static int check_syslog_permissions(int type, bool from_file) @@ -52,55 +129,42 @@ index abbdd9e..5541095 100644 + * already done the capabilities checks at open time. + */ + if (from_file && type != SYSLOG_ACTION_OPEN) -+ goto ok; ++ return 0; + + if (syslog_action_restricted(type)) { + if (capable(CAP_SYSLOG)) -+ goto ok; -+ /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ ++ return 0; ++ /* ++ * For historical reasons, accept CAP_SYS_ADMIN too, with ++ * a warning. ++ */ + if (capable(CAP_SYS_ADMIN)) { + printk_once(KERN_WARNING "%s (%d): " + "Attempt to access syslog with CAP_SYS_ADMIN " + "but no CAP_SYSLOG (deprecated).\n", + current->comm, task_pid_nr(current)); -+ goto ok; ++ return 0; + } + return -EPERM; + } -+ok: + return security_syslog(type); +} ++ + /* /dev/kmsg - userspace message inject/listen interface */ struct devkmsg_user { u64 seq; -@@ -443,10 +483,16 @@ static ssize_t devkmsg_read(struct file *file, char __user *buf, - char cont = '-'; - size_t len; - ssize_t ret; -+ int err; - - if (!user) - return -EBADF; - -+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, -+ SYSLOG_FROM_FILE); -+ if (err) -+ return err; -+ - ret = mutex_lock_interruptible(&user->lock); - if (ret) - return ret; -@@ -624,7 +670,7 @@ static int devkmsg_open(struct inode *inode, struct file *file) +@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file) if ((file->f_flags & O_ACCMODE) == O_WRONLY) return 0; - err = security_syslog(SYSLOG_ACTION_READ_ALL); -+ err = check_syslog_permissions(SYSLOG_ACTION_OPEN, SYSLOG_FROM_FILE); ++ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, ++ SYSLOG_FROM_READER); if (err) return err; -@@ -817,45 +863,6 @@ static inline void boot_delay_msec(int level) +@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level) } #endif @@ -146,17 +210,19 @@ index abbdd9e..5541095 100644 #if defined(CONFIG_PRINTK_TIME) static bool printk_time = 1; #else -@@ -1131,10 +1138,6 @@ int do_syslog(int type, char __user *buf, int len, bool from_file) - if (error) - goto out; +@@ -1253,7 +1262,7 @@ out: -- error = security_syslog(type); -- if (error) -- return error; -- - switch (type) { - case SYSLOG_ACTION_CLOSE: /* Close log */ - break; + SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) + { +- return do_syslog(type, buf, len, SYSLOG_FROM_CALL); ++ return do_syslog(type, buf, len, SYSLOG_FROM_READER); + } + + /* -- -1.8.1.4 +1.7.9.5 + +-- +Kees Cook +Chrome OS Security diff --git a/kernel.spec b/kernel.spec index 2385c6068..1e4b04911 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2296,6 +2296,9 @@ fi # and build. %changelog +* Tue May 07 2013 Josh Boyer +- Fix dmesg_restrict patch to avoid regression (rhbz 952655) + * Mon May 6 2013 Peter Robinson - Enable TPS65217 (am33xx) on ARM From cea9a6f1ab8f81c9b1d9e03693085fe993ba7592 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 7 May 2013 15:41:00 -0400 Subject: [PATCH 080/468] Add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 1e4b04911..6f616a5d7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2296,7 +2296,7 @@ fi # and build. %changelog -* Tue May 07 2013 Josh Boyer +* Tue May 07 2013 Josh Boyer - 3.9.0-303 - Fix dmesg_restrict patch to avoid regression (rhbz 952655) * Mon May 6 2013 Peter Robinson From 511c1c627ab708596287b586a74c034e5ada739a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 8 May 2013 11:24:51 -0400 Subject: [PATCH 081/468] Linux v3.9.1 --- ...fi-fix-freeing-uninitialized-pointer.patch | 51 ------------------- kernel.spec | 25 ++------- powerpc-Add-isync-to-copy_and_flush.patch | 39 -------------- ...RQs-with-MMU-on-exceptions-when-HV=0.patch | 39 -------------- ...ondary-CPUs-hanging-on-boot-for-HV=0.patch | 33 ------------ sources | 1 + ...fix-channel-disabling-race-condition.patch | 40 --------------- 7 files changed, 6 insertions(+), 222 deletions(-) delete mode 100644 iwlwifi-fix-freeing-uninitialized-pointer.patch delete mode 100644 powerpc-Add-isync-to-copy_and_flush.patch delete mode 100644 powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch delete mode 100644 powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch delete mode 100644 wireless-regulatory-fix-channel-disabling-race-condition.patch diff --git a/iwlwifi-fix-freeing-uninitialized-pointer.patch b/iwlwifi-fix-freeing-uninitialized-pointer.patch deleted file mode 100644 index 90e6b6f64..000000000 --- a/iwlwifi-fix-freeing-uninitialized-pointer.patch +++ /dev/null @@ -1,51 +0,0 @@ -If on iwl_dump_nic_event_log() error occurs before that function -initialize buf, we process uninitiated pointer in -iwl_dbgfs_log_event_read() and can hit "BUG at mm/slub.c:3409" - -Resolves: -https://bugzilla.redhat.com/show_bug.cgi?id=951241 - -Reported-by: ian.odette@eprize.com -Cc: stable@vger.kernel.org -Signed-off-by: Stanislaw Gruszka ---- -Patch is only compile tested, but I'm sure it fixes the problem. - - drivers/net/wireless/iwlwifi/dvm/debugfs.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/debugfs.c b/drivers/net/wireless/iwlwifi/dvm/debugfs.c -index 7b8178b..cb6dd58 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/debugfs.c -+++ b/drivers/net/wireless/iwlwifi/dvm/debugfs.c -@@ -2237,15 +2237,15 @@ static ssize_t iwl_dbgfs_log_event_read(struct file *file, - size_t count, loff_t *ppos) - { - struct iwl_priv *priv = file->private_data; -- char *buf; -- int pos = 0; -- ssize_t ret = -ENOMEM; -+ char *buf = NULL; -+ ssize_t ret; - -- ret = pos = iwl_dump_nic_event_log(priv, true, &buf, true); -- if (buf) { -- ret = simple_read_from_buffer(user_buf, count, ppos, buf, pos); -- kfree(buf); -- } -+ ret = iwl_dump_nic_event_log(priv, true, &buf, true); -+ if (ret < 0) -+ goto err; -+ ret = simple_read_from_buffer(user_buf, count, ppos, buf, ret); -+err: -+ kfree(buf); - return ret; - } - --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 6f616a5d7..5f0b3e8ef 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 303 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 0 +%define stable_update 1 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -746,17 +746,8 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch -#rhbz 919176 -Patch25010: wireless-regulatory-fix-channel-disabling-race-condition.patch - -#rhbz 951241 -Patch25011: iwlwifi-fix-freeing-uninitialized-pointer.patch - Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch -Patch25015: powerpc-Add-isync-to-copy_and_flush.patch -Patch25016: powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch -Patch25017: powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch Patch25018: pci-Set-dev-dev.type-in-alloc_pci_dev.patch Patch25019: powerpc-Set-default-VGA-device.patch @@ -1455,17 +1446,8 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch -#rhbz 919176 -ApplyPatch wireless-regulatory-fix-channel-disabling-race-condition.patch - -#rhbz 951241 -ApplyPatch iwlwifi-fix-freeing-uninitialized-pointer.patch - ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch -ApplyPatch powerpc-Add-isync-to-copy_and_flush.patch -ApplyPatch powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch -ApplyPatch powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch ApplyPatch pci-Set-dev-dev.type-in-alloc_pci_dev.patch ApplyPatch powerpc-Set-default-VGA-device.patch @@ -2296,6 +2278,9 @@ fi # and build. %changelog +* Wed May 08 2013 Josh Boyer - 3.0.1-301 +- Linux v3.9.1 + * Tue May 07 2013 Josh Boyer - 3.9.0-303 - Fix dmesg_restrict patch to avoid regression (rhbz 952655) diff --git a/powerpc-Add-isync-to-copy_and_flush.patch b/powerpc-Add-isync-to-copy_and_flush.patch deleted file mode 100644 index f9f3fa874..000000000 --- a/powerpc-Add-isync-to-copy_and_flush.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 29ce3c5073057991217916abc25628e906911757 Mon Sep 17 00:00:00 2001 -From: Michael Neuling -Date: Wed, 24 Apr 2013 00:30:09 +0000 -Subject: powerpc: Add isync to copy_and_flush - -In __after_prom_start we copy the kernel down to zero in two calls to -copy_and_flush. After the first call (copy from 0 to copy_to_here:) -we jump to the newly copied code soon after. - -Unfortunately there's no isync between the copy of this code and the -jump to it. Hence it's possible that stale instructions could still be -in the icache or pipeline before we branch to it. - -We've seen this on real machines and it's results in no console output -after: - calling quiesce... - returning from prom_init - -The below adds an isync to ensure that the copy and flushing has -completed before any branching to the new instructions occurs. - -Signed-off-by: Michael Neuling -CC: -Signed-off-by: Benjamin Herrenschmidt ---- -diff --git a/arch/powerpc/kernel/head_64.S b/arch/powerpc/kernel/head_64.S -index 0886ae6..b61363d 100644 ---- a/arch/powerpc/kernel/head_64.S -+++ b/arch/powerpc/kernel/head_64.S -@@ -509,6 +509,7 @@ _GLOBAL(copy_and_flush) - sync - addi r5,r5,8 - addi r6,r6,8 -+ isync - blr - - .align 8 --- -cgit v0.9.1 diff --git a/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch b/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch deleted file mode 100644 index c1a2a4687..000000000 --- a/powerpc-Fix-hardware-IRQs-with-MMU-on-exceptions-when-HV=0.patch +++ /dev/null @@ -1,39 +0,0 @@ -From 3e96ca7f007ddb06b82a74a68585d1dbafa85ff1 Mon Sep 17 00:00:00 2001 -From: Michael Neuling -Date: Thu, 25 Apr 2013 15:30:57 +0000 -Subject: powerpc: Fix hardware IRQs with MMU on exceptions when HV=0 - -POWER8 allows us to take interrupts with the MMU on. This gives us a -second set of vectors offset at 0x4000. - -Unfortunately when coping these vectors we missed checking for MSR HV -for hardware interrupts (0x500). This results in us trying to use -HSRR0/1 when HV=0, rather than SRR0/1 on HW IRQs - -The below fixes this to check CPU_FTR_HVMODE when patching the code at -0x4500. - -Also we remove the check for CPU_FTR_ARCH_206 since relocation on IRQs -are only available in arch 2.07 and beyond. - -Thanks to benh for helping find this. - -Signed-off-by: Michael Neuling -CC: -Signed-off-by: Benjamin Herrenschmidt ---- -diff --git a/arch/powerpc/kernel/exceptions-64s.S b/arch/powerpc/kernel/exceptions-64s.S -index e789ee7..82ceab4 100644 ---- a/arch/powerpc/kernel/exceptions-64s.S -+++ b/arch/powerpc/kernel/exceptions-64s.S -@@ -797,7 +797,7 @@ hardware_interrupt_relon_hv: - _MASKABLE_RELON_EXCEPTION_PSERIES(0x502, hardware_interrupt, EXC_HV, SOFTEN_TEST_HV) - FTR_SECTION_ELSE - _MASKABLE_RELON_EXCEPTION_PSERIES(0x500, hardware_interrupt, EXC_STD, SOFTEN_TEST_PR) -- ALT_FTR_SECTION_END_IFSET(CPU_FTR_ARCH_206) -+ ALT_FTR_SECTION_END_IFSET(CPU_FTR_HVMODE) - STD_RELON_EXCEPTION_PSERIES(0x4600, 0x600, alignment) - STD_RELON_EXCEPTION_PSERIES(0x4700, 0x700, program_check) - STD_RELON_EXCEPTION_PSERIES(0x4800, 0x800, fp_unavailable) --- -cgit v0.9.1 diff --git a/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch b/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch deleted file mode 100644 index b3754af95..000000000 --- a/powerpc-power8-Fix-secondary-CPUs-hanging-on-boot-for-HV=0.patch +++ /dev/null @@ -1,33 +0,0 @@ -From 8c2a381734fc9718f127f4aba958e8a7958d4028 Mon Sep 17 00:00:00 2001 -From: Michael Neuling -Date: Wed, 24 Apr 2013 21:00:37 +0000 -Subject: powerpc/power8: Fix secondary CPUs hanging on boot for HV=0 - -In __restore_cpu_power8 we determine if we are HV and if not, we return -before setting HV only resources. - -Unfortunately we forgot to restore the link register from r11 before -returning. - -This will happen on boot and with secondary CPUs not coming online. - -This adds the missing link register restore. - -Signed-off-by: Michael Neuling -CC: -Signed-off-by: Benjamin Herrenschmidt ---- -diff --git a/arch/powerpc/kernel/cpu_setup_power.S b/arch/powerpc/kernel/cpu_setup_power.S -index 2e6ad11..4daa5b7 100644 ---- a/arch/powerpc/kernel/cpu_setup_power.S -+++ b/arch/powerpc/kernel/cpu_setup_power.S -@@ -67,6 +67,7 @@ _GLOBAL(__restore_cpu_power8) - bl __init_FSCR - mfmsr r3 - rldicl. r0,r3,4,63 -+ mtlr r11 - beqlr - li r0,0 - mtspr SPRN_LPID,r0 --- -cgit v0.9.1 diff --git a/sources b/sources index 06558d5b1..f74ebc7ea 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz +66f171a17aa39b6dc6eb8bb51a4117c7 patch-3.9.1.xz diff --git a/wireless-regulatory-fix-channel-disabling-race-condition.patch b/wireless-regulatory-fix-channel-disabling-race-condition.patch deleted file mode 100644 index 313735377..000000000 --- a/wireless-regulatory-fix-channel-disabling-race-condition.patch +++ /dev/null @@ -1,40 +0,0 @@ -From: Johannes Berg - -When a full scan 2.4 and 5 GHz scan is scheduled, but then the 2.4 GHz -part of the scan disables a 5.2 GHz channel due to, e.g. receiving -country or frequency information, that 5.2 GHz channel might already -be in the list of channels to scan next. Then, when the driver checks -if it should do a passive scan, that will return false and attempt an -active scan. This is not only wrong but can also lead to the iwlwifi -device firmware crashing since it checks regulatory as well. - -Fix this by not setting the channel flags to just disabled but rather -OR'ing in the disabled flag. That way, even if the race happens, the -channel will be scanned passively which is still (mostly) correct. - -Cc: stable@vger.kernel.org -Signed-off-by: Johannes Berg ---- - net/wireless/reg.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/wireless/reg.c b/net/wireless/reg.c -index 93ab840..507c28e 100644 ---- a/net/wireless/reg.c -+++ b/net/wireless/reg.c -@@ -855,7 +855,7 @@ static void handle_channel(struct wiphy *wiphy, - return; - - REG_DBG_PRINT("Disabling freq %d MHz\n", chan->center_freq); -- chan->flags = IEEE80211_CHAN_DISABLED; -+ chan->flags |= IEEE80211_CHAN_DISABLED; - return; - } - --- -1.8.0 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From 7be528a41a4c6b4cf8e6119d091b6d8807cb4893 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 9 May 2013 22:30:23 +0100 Subject: [PATCH 082/468] Disable PL330 on ARM as it's broken on highbank --- config-armv7-generic | 3 ++- kernel.spec | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config-armv7-generic b/config-armv7-generic index abe4bdd1a..7b4d546c7 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -161,7 +161,8 @@ CONFIG_SERIAL_8250_DW=y CONFIG_RTC_DRV_PL030=y CONFIG_RTC_DRV_PL031=y -CONFIG_PL330_DMA=m +# disable because it's currently broken on highbank :-/ +# CONFIG_PL330_DMA is not set CONFIG_AMBA_PL08X=y CONFIG_ARM_SP805_WATCHDOG=m CONFIG_I2C_VERSATILE=m diff --git a/kernel.spec b/kernel.spec index 5f0b3e8ef..f6a5675b4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2278,6 +2278,9 @@ fi # and build. %changelog +* Thu May 9 2013 Peter Robinson +- Disable PL330 on ARM as it's broken on highbank + * Wed May 08 2013 Josh Boyer - 3.0.1-301 - Linux v3.9.1 From 2a15379f0bdd829fbc03517c5da938353816f4b7 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 9 May 2013 22:32:02 +0100 Subject: [PATCH 083/468] PL330 still needed for exynos5 though --- config-armv7-lpae | 1 + 1 file changed, 1 insertion(+) diff --git a/config-armv7-lpae b/config-armv7-lpae index 15b0d53cd..7e34dedb9 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -35,6 +35,7 @@ CONFIG_XEN_GNTDEV=y CONFIG_XEN_GRANT_DEV_ALLOC=m CONFIG_XEN_WDT=m +CONFIG_PL330_DMA=m CONFIG_S3C_BOOT_ERROR_RESET=y CONFIG_S3C_BOOT_UART_FORCE_FIFO=y CONFIG_S3C_LOWLEVEL_UART_PORT=0 From 213c07c6cc07968c6332983eda8ae508ca2d75d4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 13 May 2013 08:20:35 -0400 Subject: [PATCH 084/468] Linux v3.9.2 --- ...ile-atomic-in-blk_queue_bypass_start.patch | 79 ------------------- kernel.spec | 11 ++- sources | 2 +- 3 files changed, 6 insertions(+), 86 deletions(-) delete mode 100644 blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch diff --git a/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch b/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch deleted file mode 100644 index 615d7555b..000000000 --- a/blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch +++ /dev/null @@ -1,79 +0,0 @@ -From e5072664f8237cf53b0bd68a51aa1a7bc69061c5 Mon Sep 17 00:00:00 2001 -From: Jun'ichi Nomura -Date: Tue, 09 Apr 2013 13:01:21 +0000 -Subject: blkcg: fix "scheduling while atomic" in blk_queue_bypass_start - -Since 749fefe677 in v3.7 ("block: lift the initial queue bypass mode -on blk_register_queue() instead of blk_init_allocated_queue()"), -the following warning appears when multipath is used with CONFIG_PREEMPT=y. - -This patch moves blk_queue_bypass_start() before radix_tree_preload() -to avoid the sleeping call while preemption is disabled. - - BUG: scheduling while atomic: multipath/2460/0x00000002 - 1 lock held by multipath/2460: - #0: (&md->type_lock){......}, at: [] dm_lock_md_type+0x17/0x19 [dm_mod] - Modules linked in: ... - Pid: 2460, comm: multipath Tainted: G W 3.7.0-rc2 #1 - Call Trace: - [] __schedule_bug+0x6a/0x78 - [] __schedule+0xb4/0x5e0 - [] schedule+0x64/0x66 - [] schedule_timeout+0x39/0xf8 - [] ? put_lock_stats+0xe/0x29 - [] ? lock_release_holdtime+0xb6/0xbb - [] wait_for_common+0x9d/0xee - [] ? try_to_wake_up+0x206/0x206 - [] ? kfree_call_rcu+0x1c/0x1c - [] wait_for_completion+0x1d/0x1f - [] wait_rcu_gp+0x5d/0x7a - [] ? wait_rcu_gp+0x7a/0x7a - [] ? complete+0x21/0x53 - [] synchronize_rcu+0x1e/0x20 - [] blk_queue_bypass_start+0x5d/0x62 - [] blkcg_activate_policy+0x73/0x270 - [] ? kmem_cache_alloc_node_trace+0xc7/0x108 - [] cfq_init_queue+0x80/0x28e - [] ? dm_blk_ioctl+0xa7/0xa7 [dm_mod] - [] elevator_init+0xe1/0x115 - [] ? blk_queue_make_request+0x54/0x59 - [] blk_init_allocated_queue+0x8c/0x9e - [] dm_setup_md_queue+0x36/0xaa [dm_mod] - [] table_load+0x1bd/0x2c8 [dm_mod] - [] ctl_ioctl+0x1d6/0x236 [dm_mod] - [] ? table_clear+0xaa/0xaa [dm_mod] - [] dm_ctl_ioctl+0x13/0x17 [dm_mod] - [] do_vfs_ioctl+0x3fb/0x441 - [] ? file_has_perm+0x8a/0x99 - [] sys_ioctl+0x5e/0x82 - [] ? trace_hardirqs_on_thunk+0x3a/0x3f - [] system_call_fastpath+0x16/0x1b - -Signed-off-by: Jun'ichi Nomura -Acked-by: Vivek Goyal -Acked-by: Tejun Heo -Cc: Alasdair G Kergon -Cc: stable@kernel.org -Signed-off-by: Jens Axboe ---- -(limited to 'block/blk-cgroup.c') - -diff --git a/block/blk-cgroup.c b/block/blk-cgroup.c -index b2b9837..e8918ff 100644 ---- a/block/blk-cgroup.c -+++ b/block/blk-cgroup.c -@@ -972,10 +972,10 @@ int blkcg_activate_policy(struct request_queue *q, - if (!new_blkg) - return -ENOMEM; - -- preloaded = !radix_tree_preload(GFP_KERNEL); -- - blk_queue_bypass_start(q); - -+ preloaded = !radix_tree_preload(GFP_KERNEL); -+ - /* - * Make sure the root blkg exists and count the existing blkgs. As - * @q is bypassing at this point, blkg_lookup_create() can't be --- -cgit v0.9.1 diff --git a/kernel.spec b/kernel.spec index f6a5675b4..bf5a42d13 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -746,8 +746,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch -Patch25014: blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch - Patch25018: pci-Set-dev-dev.type-in-alloc_pci_dev.patch Patch25019: powerpc-Set-default-VGA-device.patch @@ -1446,8 +1444,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch -ApplyPatch blkcg-fix-scheduling-while-atomic-in-blk_queue_bypass_start.patch - ApplyPatch pci-Set-dev-dev.type-in-alloc_pci_dev.patch ApplyPatch powerpc-Set-default-VGA-device.patch @@ -2278,10 +2274,13 @@ fi # and build. %changelog +* Mon May 13 2013 Josh Boyer - 3.9.2-301 +- Linux v3.9.2 + * Thu May 9 2013 Peter Robinson - Disable PL330 on ARM as it's broken on highbank -* Wed May 08 2013 Josh Boyer - 3.0.1-301 +* Wed May 08 2013 Josh Boyer - 3.9.1-301 - Linux v3.9.1 * Tue May 07 2013 Josh Boyer - 3.9.0-303 diff --git a/sources b/sources index f74ebc7ea..fcd96b534 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -66f171a17aa39b6dc6eb8bb51a4117c7 patch-3.9.1.xz +adeb2556568f79e827e7a0ce4c483605 patch-3.9.2.xz From 59f427f918687883b08adf670adc0e841e0db30d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 13 May 2013 10:11:10 -0400 Subject: [PATCH 085/468] Add radeon fixes for PCI-e gen2 speed issues (rhbz 961527) --- kernel.spec | 13 +- ...Perform-proper-max_bus_speed-detecti.patch | 153 ++++++++++++++++++ ...ax_bus-speed-to-activate-gen2-speeds.patch | 99 ++++++++++++ 3 files changed, 264 insertions(+), 1 deletion(-) create mode 100644 powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch create mode 100644 radeon-use-max_bus-speed-to-activate-gen2-speeds.patch diff --git a/kernel.spec b/kernel.spec index bf5a42d13..7bf6d28ce 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -749,6 +749,10 @@ Patch23008: forcedeth-dma-error-check.patch Patch25018: pci-Set-dev-dev.type-in-alloc_pci_dev.patch Patch25019: powerpc-Set-default-VGA-device.patch +#rhbz 961527 +Patch25020: powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch +Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch + # END OF PATCH DEFINITIONS %endif @@ -1447,6 +1451,10 @@ ApplyPatch forcedeth-dma-error-check.patch ApplyPatch pci-Set-dev-dev.type-in-alloc_pci_dev.patch ApplyPatch powerpc-Set-default-VGA-device.patch +#rhbz 961527 +ApplyPatch powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch +ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch + # END OF PATCH APPLICATIONS %endif @@ -2274,6 +2282,9 @@ fi # and build. %changelog +* Mon May 13 2013 Josh Boyer +- Add radeon fixes for PCI-e gen2 speed issues (rhbz 961527) + * Mon May 13 2013 Josh Boyer - 3.9.2-301 - Linux v3.9.2 diff --git a/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch b/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch new file mode 100644 index 000000000..5701a8732 --- /dev/null +++ b/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch @@ -0,0 +1,153 @@ +From d82fb31abc46620b7c22758c75707069f2763646 Mon Sep 17 00:00:00 2001 +From: Kleber Sacilotto de Souza +Date: Fri, 3 May 2013 12:43:12 +0000 +Subject: [PATCH] powerpc/pseries: Perform proper max_bus_speed detection + +On pseries machines the detection for max_bus_speed should be done +through an OpenFirmware property. This patch adds a function to perform +this detection and a hook to perform dynamic adding of the function only +for pseries. This is done by overwriting the weak +pcibios_root_bridge_prepare function which is called by +pci_create_root_bus(). + +From: Lucas Kannebley Tavares +Signed-off-by: Kleber Sacilotto de Souza +Signed-off-by: Benjamin Herrenschmidt +--- + arch/powerpc/include/asm/machdep.h | 3 ++ + arch/powerpc/kernel/pci-common.c | 8 +++++ + arch/powerpc/platforms/pseries/pci.c | 53 ++++++++++++++++++++++++++++++++ + arch/powerpc/platforms/pseries/pseries.h | 4 +++ + arch/powerpc/platforms/pseries/setup.c | 2 ++ + 5 files changed, 70 insertions(+) + +diff --git a/arch/powerpc/include/asm/machdep.h b/arch/powerpc/include/asm/machdep.h +index 3f3f691..92386fc 100644 +--- a/arch/powerpc/include/asm/machdep.h ++++ b/arch/powerpc/include/asm/machdep.h +@@ -29,6 +29,7 @@ struct rtc_time; + struct file; + struct pci_controller; + struct kimage; ++struct pci_host_bridge; + + struct machdep_calls { + char *name; +@@ -108,6 +109,8 @@ struct machdep_calls { + void (*pcibios_fixup)(void); + int (*pci_probe_mode)(struct pci_bus *); + void (*pci_irq_fixup)(struct pci_dev *dev); ++ int (*pcibios_root_bridge_prepare)(struct pci_host_bridge ++ *bridge); + + /* To setup PHBs when using automatic OF platform driver for PCI */ + int (*pci_setup_phb)(struct pci_controller *host); +diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c +index f325dc9..d5811d8 100644 +--- a/arch/powerpc/kernel/pci-common.c ++++ b/arch/powerpc/kernel/pci-common.c +@@ -845,6 +845,14 @@ int pci_proc_domain(struct pci_bus *bus) + return 1; + } + ++int pcibios_root_bridge_prepare(struct pci_host_bridge *bridge) ++{ ++ if (ppc_md.pcibios_root_bridge_prepare) ++ return ppc_md.pcibios_root_bridge_prepare(bridge); ++ ++ return 0; ++} ++ + /* This header fixup will do the resource fixup for all devices as they are + * probed, but not for bridge ranges + */ +diff --git a/arch/powerpc/platforms/pseries/pci.c b/arch/powerpc/platforms/pseries/pci.c +index 0b580f4..5f93856 100644 +--- a/arch/powerpc/platforms/pseries/pci.c ++++ b/arch/powerpc/platforms/pseries/pci.c +@@ -108,3 +108,56 @@ static void fixup_winbond_82c105(struct pci_dev* dev) + } + DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_WINBOND, PCI_DEVICE_ID_WINBOND_82C105, + fixup_winbond_82c105); ++ ++int pseries_root_bridge_prepare(struct pci_host_bridge *bridge) ++{ ++ struct device_node *dn, *pdn; ++ struct pci_bus *bus; ++ const uint32_t *pcie_link_speed_stats; ++ ++ bus = bridge->bus; ++ ++ dn = pcibios_get_phb_of_node(bus); ++ if (!dn) ++ return 0; ++ ++ for (pdn = dn; pdn != NULL; pdn = of_get_next_parent(pdn)) { ++ pcie_link_speed_stats = (const uint32_t *) of_get_property(pdn, ++ "ibm,pcie-link-speed-stats", NULL); ++ if (pcie_link_speed_stats) ++ break; ++ } ++ ++ of_node_put(pdn); ++ ++ if (!pcie_link_speed_stats) { ++ pr_err("no ibm,pcie-link-speed-stats property\n"); ++ return 0; ++ } ++ ++ switch (pcie_link_speed_stats[0]) { ++ case 0x01: ++ bus->max_bus_speed = PCIE_SPEED_2_5GT; ++ break; ++ case 0x02: ++ bus->max_bus_speed = PCIE_SPEED_5_0GT; ++ break; ++ default: ++ bus->max_bus_speed = PCI_SPEED_UNKNOWN; ++ break; ++ } ++ ++ switch (pcie_link_speed_stats[1]) { ++ case 0x01: ++ bus->cur_bus_speed = PCIE_SPEED_2_5GT; ++ break; ++ case 0x02: ++ bus->cur_bus_speed = PCIE_SPEED_5_0GT; ++ break; ++ default: ++ bus->cur_bus_speed = PCI_SPEED_UNKNOWN; ++ break; ++ } ++ ++ return 0; ++} +diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h +index 8af71e4..c2a3a25 100644 +--- a/arch/powerpc/platforms/pseries/pseries.h ++++ b/arch/powerpc/platforms/pseries/pseries.h +@@ -63,4 +63,8 @@ extern int dlpar_detach_node(struct device_node *); + /* Snooze Delay, pseries_idle */ + DECLARE_PER_CPU(long, smt_snooze_delay); + ++/* PCI root bridge prepare function override for pseries */ ++struct pci_host_bridge; ++int pseries_root_bridge_prepare(struct pci_host_bridge *bridge); ++ + #endif /* _PSERIES_PSERIES_H */ +diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c +index ac932a9..c11c823 100644 +--- a/arch/powerpc/platforms/pseries/setup.c ++++ b/arch/powerpc/platforms/pseries/setup.c +@@ -466,6 +466,8 @@ static void __init pSeries_setup_arch(void) + else + ppc_md.enable_pmcs = power4_enable_pmcs; + ++ ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare; ++ + if (firmware_has_feature(FW_FEATURE_SET_MODE)) { + long rc; + if ((rc = pSeries_enable_reloc_on_exc()) != H_SUCCESS) { +-- +1.8.1.4 + diff --git a/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch b/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch new file mode 100644 index 000000000..f9a11993f --- /dev/null +++ b/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch @@ -0,0 +1,99 @@ +radeon: use max_bus_speed to activate gen2 speeds + +radeon currently uses a drm function to get the speed capabilities for +the bus, drm_pcie_get_speed_cap_mask. However, this is a non-standard +method of performing this detection and this patch changes it to use +the max_bus_speed attribute. + +From: Lucas Kannebley Tavares +Signed-off-by: Kleber Sacilotto de Souza +--- + drivers/gpu/drm/radeon/evergreen.c | 10 +++------- + drivers/gpu/drm/radeon/r600.c | 9 ++------- + drivers/gpu/drm/radeon/rv770.c | 9 ++------- + 3 files changed, 7 insertions(+), 21 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c +index 105bafb..3966696 100644 +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -4992,8 +4992,7 @@ void evergreen_fini(struct radeon_device *rdev) + + void evergreen_pcie_gen2_enable(struct radeon_device *rdev) + { +- u32 link_width_cntl, speed_cntl, mask; +- int ret; ++ u32 link_width_cntl, speed_cntl; + + if (radeon_pcie_gen2 == 0) + return; +@@ -5008,11 +5007,8 @@ void evergreen_pcie_gen2_enable(struct radeon_device *rdev) + if (ASIC_IS_X2(rdev)) + return; + +- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); +- if (ret != 0) +- return; +- +- if (!(mask & DRM_PCIE_SPEED_50)) ++ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && ++ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) + return; + + speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL); +diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c +index 1a08008..b45e648 100644 +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -4631,8 +4631,6 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev) + { + u32 link_width_cntl, lanes, speed_cntl, training_cntl, tmp; + u16 link_cntl2; +- u32 mask; +- int ret; + + if (radeon_pcie_gen2 == 0) + return; +@@ -4651,11 +4649,8 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev) + if (rdev->family <= CHIP_R600) + return; + +- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); +- if (ret != 0) +- return; +- +- if (!(mask & DRM_PCIE_SPEED_50)) ++ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && ++ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) + return; + + speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL); +diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c +index 83f612a..a6af4aa 100644 +--- a/drivers/gpu/drm/radeon/rv770.c ++++ b/drivers/gpu/drm/radeon/rv770.c +@@ -2113,8 +2113,6 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev) + { + u32 link_width_cntl, lanes, speed_cntl, tmp; + u16 link_cntl2; +- u32 mask; +- int ret; + + if (radeon_pcie_gen2 == 0) + return; +@@ -2129,11 +2127,8 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev) + if (ASIC_IS_X2(rdev)) + return; + +- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); +- if (ret != 0) +- return; +- +- if (!(mask & DRM_PCIE_SPEED_50)) ++ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && ++ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) + return; + + DRM_INFO("enabling PCIE gen 2 link speeds, disable with radeon.pcie_gen2=0\n"); +-- +1.7.1 From ee3bb47cc5150d7fd6a3080938180d14f5adb68f Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Tue, 14 May 2013 11:26:20 +1000 Subject: [PATCH 086/468] backport upstream qxl fixes, fixes VM crash on X exit or randr. --- drm-qxl-backport-fixes.patch | 154 +++++++++++++++++++++++++++++++++++ kernel.spec | 5 ++ 2 files changed, 159 insertions(+) create mode 100644 drm-qxl-backport-fixes.patch diff --git a/drm-qxl-backport-fixes.patch b/drm-qxl-backport-fixes.patch new file mode 100644 index 000000000..0979f2509 --- /dev/null +++ b/drm-qxl-backport-fixes.patch @@ -0,0 +1,154 @@ +diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c +index 08b0823..f867714 100644 +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -277,7 +277,7 @@ out_unref: + return 0; + } + +-static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) ++static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port, bool intr) + { + int irq_num; + long addr = qdev->io_base + port; +@@ -285,20 +285,29 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) + + mutex_lock(&qdev->async_io_mutex); + irq_num = atomic_read(&qdev->irq_received_io_cmd); +- +- + if (qdev->last_sent_io_cmd > irq_num) { +- ret = wait_event_interruptible(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num); +- if (ret) ++ if (intr) ++ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ else ++ ret = wait_event_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ /* 0 is timeout, just bail the "hw" has gone away */ ++ if (ret <= 0) + goto out; + irq_num = atomic_read(&qdev->irq_received_io_cmd); + } + outb(val, addr); + qdev->last_sent_io_cmd = irq_num + 1; +- ret = wait_event_interruptible(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num); ++ if (intr) ++ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ else ++ ret = wait_event_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + out: ++ if (ret > 0) ++ ret = 0; + mutex_unlock(&qdev->async_io_mutex); + return ret; + } +@@ -308,7 +317,7 @@ static void wait_for_io_cmd(struct qxl_device *qdev, uint8_t val, long port) + int ret; + + restart: +- ret = wait_for_io_cmd_user(qdev, val, port); ++ ret = wait_for_io_cmd_user(qdev, val, port, false); + if (ret == -ERESTARTSYS) + goto restart; + } +@@ -340,7 +349,7 @@ int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, + mutex_lock(&qdev->update_area_mutex); + qdev->ram_header->update_area = *area; + qdev->ram_header->update_surface = surface_id; +- ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC); ++ ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC, true); + mutex_unlock(&qdev->update_area_mutex); + return ret; + } +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index fcfd443..823d29e 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -428,10 +428,10 @@ static int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, + int inc = 1; + + qobj = gem_to_qxl_bo(qxl_fb->obj); +- if (qxl_fb != qdev->active_user_framebuffer) { +- DRM_INFO("%s: qxl_fb 0x%p != qdev->active_user_framebuffer 0x%p\n", +- __func__, qxl_fb, qdev->active_user_framebuffer); +- } ++ /* if we aren't primary surface ignore this */ ++ if (!qobj->is_primary) ++ return 0; ++ + if (!num_clips) { + num_clips = 1; + clips = &norect; +@@ -604,7 +604,6 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + mode->hdisplay, + mode->vdisplay); + } +- qdev->mode_set = true; + return 0; + } + +@@ -893,7 +892,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, + { + struct drm_gem_object *obj; + struct qxl_framebuffer *qxl_fb; +- struct qxl_device *qdev = dev->dev_private; + int ret; + + obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]); +@@ -909,13 +907,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, + return NULL; + } + +- if (qdev->active_user_framebuffer) { +- DRM_INFO("%s: active_user_framebuffer %p -> %p\n", +- __func__, +- qdev->active_user_framebuffer, qxl_fb); +- } +- qdev->active_user_framebuffer = qxl_fb; +- + return &qxl_fb->base; + } + +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 52b582c..43d06ab 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -255,12 +255,6 @@ struct qxl_device { + struct qxl_gem gem; + struct qxl_mode_info mode_info; + +- /* +- * last created framebuffer with fb_create +- * only used by debugfs dumbppm +- */ +- struct qxl_framebuffer *active_user_framebuffer; +- + struct fb_info *fbdev_info; + struct qxl_framebuffer *fbdev_qfb; + void *ram_physical; +@@ -270,7 +264,6 @@ struct qxl_device { + struct qxl_ring *cursor_ring; + + struct qxl_ram_header *ram_header; +- bool mode_set; + + bool primary_created; + +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index 04b64f9..6db7370 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -294,6 +294,7 @@ static int qxl_update_area_ioctl(struct drm_device *dev, void *data, + goto out; + + if (!qobj->pin_count) { ++ qxl_ttm_placement_from_domain(qobj, qobj->type); + ret = ttm_bo_validate(&qobj->tbo, &qobj->placement, + true, false); + if (unlikely(ret)) diff --git a/kernel.spec b/kernel.spec index 7bf6d28ce..f7983c61d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -669,6 +669,7 @@ Patch1000: devel-pekey-secure-boot-20130306.patch #Patch1800: drm-vgem.patch Patch1700: drm-ttm-exports-for-qxl.patch Patch1701: drm-qxl-driver.patch +Patch1702: drm-qxl-backport-fixes.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -1386,6 +1387,7 @@ ApplyPatch devel-pekey-secure-boot-20130306.patch # DRM core ApplyPatch drm-ttm-exports-for-qxl.patch ApplyPatch drm-qxl-driver.patch +ApplyPatch drm-qxl-backport-fixes.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -2282,6 +2284,9 @@ fi # and build. %changelog +* Tue May 14 2013 Dave Airlie +- backport upstream qxl fixes, fixes VM crash on X exit or randr. + * Mon May 13 2013 Josh Boyer - Add radeon fixes for PCI-e gen2 speed issues (rhbz 961527) From b4d48651d40c1f83169e90863ab6dd72a3fdcc7a Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Wed, 15 May 2013 11:25:42 +1000 Subject: [PATCH 087/468] fix nomodeset on radeon (rhbz 924507) --- drm-radeon-fix-nomodeset.patch | 52 ++++++++++++++++++++++++++++++++++ kernel.spec | 8 ++++++ 2 files changed, 60 insertions(+) create mode 100644 drm-radeon-fix-nomodeset.patch diff --git a/drm-radeon-fix-nomodeset.patch b/drm-radeon-fix-nomodeset.patch new file mode 100644 index 000000000..f9d60e6e6 --- /dev/null +++ b/drm-radeon-fix-nomodeset.patch @@ -0,0 +1,52 @@ +From 3cebd7639faa9b315d0c82056c518f59ed080a84 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Wed, 15 May 2013 11:18:17 +1000 +Subject: [PATCH] drm/radeon: restore nomodeset operation (v2) + +When UMS was deprecated it removed support for nomodeset commandline +we really want this in distro land so we can debug stuff, everyone +should fallback to vesa correctly. + +v2: oops -1 isn't used anymore, restore original behaviour +-1 is default, so we can boot with nomodeset on the command line, +then use radeon.modeset=1 to override it for debugging later. + +Cc: stable@vger.kernel.org +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/radeon/radeon_drv.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index d33f484..094e7e5 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -147,7 +147,7 @@ static inline void radeon_unregister_atpx_handler(void) {} + #endif + + int radeon_no_wb; +-int radeon_modeset = 1; ++int radeon_modeset = -1; + int radeon_dynclks = -1; + int radeon_r4xx_atom = 0; + int radeon_agpmode = 0; +@@ -456,6 +456,16 @@ static struct pci_driver radeon_kms_pci_driver = { + + static int __init radeon_init(void) + { ++#ifdef CONFIG_VGA_CONSOLE ++ if (vgacon_text_force() && radeon_modeset == -1) { ++ DRM_INFO("VGACON disable radeon kernel modesetting.\n"); ++ radeon_modeset = 0; ++ } ++#endif ++ /* set to modesetting by default if not nomodeset */ ++ if (radeon_modeset == -1) ++ radeon_modeset = 1; ++ + if (radeon_modeset == 1) { + DRM_INFO("radeon kernel modesetting enabled.\n"); + driver = &kms_driver; +-- +1.8.1.2 + diff --git a/kernel.spec b/kernel.spec index f7983c61d..4396cd480 100644 --- a/kernel.spec +++ b/kernel.spec @@ -674,6 +674,9 @@ Patch1702: drm-qxl-backport-fixes.patch # intel drm is all merged upstream Patch1824: drm-intel-next.patch Patch1825: drm-i915-dp-stfu.patch +# radeon drm fix +# 924507 +Patch1900: drm-radeon-fix-nomodeset.patch # Quiet boot fixes # silence the ACPI blacklist code @@ -1397,6 +1400,8 @@ ApplyPatch drm-qxl-backport-fixes.patch ApplyOptionalPatch drm-intel-next.patch ApplyPatch drm-i915-dp-stfu.patch +ApplyPatch drm-radeon-fix-nomodeset.patch + # silence the ACPI blacklist code ApplyPatch silence-acpi-blacklist.patch @@ -2284,6 +2289,9 @@ fi # and build. %changelog +* Wed May 15 2013 Dave Airlie +- fix nomodeset on radeon (rhbz 924507) + * Tue May 14 2013 Dave Airlie - backport upstream qxl fixes, fixes VM crash on X exit or randr. From 9184c309b4788ba5396f4996302953603be5b373 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 16 May 2013 10:40:24 -0400 Subject: [PATCH 088/468] Fix config-local usage (rhbz 950841) --- kernel.spec | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index 4396cd480..15a80f861 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1278,14 +1278,12 @@ make -f %{SOURCE19} config-release make -f %{SOURCE20} VERSION=%{version} configs # Merge in any user-provided local config option changes -%if %{?all_arch_configs:1}%{!?all_arch_configs:0} -for i in %{all_arch_configs} +for i in kernel-%{version}-*.config do mv $i $i.tmp ./merge.pl %{SOURCE1000} $i.tmp > $i rm $i.tmp done -%endif ApplyPatch makefile-after_link.patch @@ -2289,6 +2287,9 @@ fi # and build. %changelog +* Thu May 16 2013 Josh Boyer +- Fix config-local usage (rhbz 950841) + * Wed May 15 2013 Dave Airlie - fix nomodeset on radeon (rhbz 924507) From 6bdd2efb6b2a9508102e6c5ad94c6fe4d3b93e3e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 20 May 2013 08:31:04 -0400 Subject: [PATCH 089/468] Linux v3.9.3 --- arm-of-dma.patch | 43 ---------------------------- drm-radeon-fix-nomodeset.patch | 52 ---------------------------------- kernel.spec | 14 ++++----- sources | 2 +- 4 files changed, 6 insertions(+), 105 deletions(-) delete mode 100644 arm-of-dma.patch delete mode 100644 drm-radeon-fix-nomodeset.patch diff --git a/arm-of-dma.patch b/arm-of-dma.patch deleted file mode 100644 index c3223a4e6..000000000 --- a/arm-of-dma.patch +++ /dev/null @@ -1,43 +0,0 @@ -From 7362f04c2888b14c20f8aaa02e1a897025261768 Mon Sep 17 00:00:00 2001 -From: Viresh Kumar -Date: Fri, 15 Mar 2013 08:48:20 +0000 -Subject: DMA: OF: Check properties value before running be32_to_cpup() on it - -In of_dma_controller_register() routine we are calling of_get_property() as an -parameter to be32_to_cpup(). In case the property doesn't exist we will get a -crash. - -This patch changes this code to check if we got a valid property first and then -runs be32_to_cpup() on it. - -Signed-off-by: Viresh Kumar -Signed-off-by: Vinod Koul ---- -diff --git a/drivers/dma/of-dma.c b/drivers/dma/of-dma.c -index 6036cd0..00db454 100644 ---- a/drivers/dma/of-dma.c -+++ b/drivers/dma/of-dma.c -@@ -93,6 +93,7 @@ int of_dma_controller_register(struct device_node *np, - { - struct of_dma *ofdma; - int nbcells; -+ const __be32 *prop; - - if (!np || !of_dma_xlate) { - pr_err("%s: not enough information provided\n", __func__); -@@ -103,8 +104,11 @@ int of_dma_controller_register(struct device_node *np, - if (!ofdma) - return -ENOMEM; - -- nbcells = be32_to_cpup(of_get_property(np, "#dma-cells", NULL)); -- if (!nbcells) { -+ prop = of_get_property(np, "#dma-cells", NULL); -+ if (prop) -+ nbcells = be32_to_cpup(prop); -+ -+ if (!prop || !nbcells) { - pr_err("%s: #dma-cells property is missing or invalid\n", - __func__); - kfree(ofdma); --- -cgit v0.9.1 diff --git a/drm-radeon-fix-nomodeset.patch b/drm-radeon-fix-nomodeset.patch deleted file mode 100644 index f9d60e6e6..000000000 --- a/drm-radeon-fix-nomodeset.patch +++ /dev/null @@ -1,52 +0,0 @@ -From 3cebd7639faa9b315d0c82056c518f59ed080a84 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Wed, 15 May 2013 11:18:17 +1000 -Subject: [PATCH] drm/radeon: restore nomodeset operation (v2) - -When UMS was deprecated it removed support for nomodeset commandline -we really want this in distro land so we can debug stuff, everyone -should fallback to vesa correctly. - -v2: oops -1 isn't used anymore, restore original behaviour --1 is default, so we can boot with nomodeset on the command line, -then use radeon.modeset=1 to override it for debugging later. - -Cc: stable@vger.kernel.org -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/radeon/radeon_drv.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c -index d33f484..094e7e5 100644 ---- a/drivers/gpu/drm/radeon/radeon_drv.c -+++ b/drivers/gpu/drm/radeon/radeon_drv.c -@@ -147,7 +147,7 @@ static inline void radeon_unregister_atpx_handler(void) {} - #endif - - int radeon_no_wb; --int radeon_modeset = 1; -+int radeon_modeset = -1; - int radeon_dynclks = -1; - int radeon_r4xx_atom = 0; - int radeon_agpmode = 0; -@@ -456,6 +456,16 @@ static struct pci_driver radeon_kms_pci_driver = { - - static int __init radeon_init(void) - { -+#ifdef CONFIG_VGA_CONSOLE -+ if (vgacon_text_force() && radeon_modeset == -1) { -+ DRM_INFO("VGACON disable radeon kernel modesetting.\n"); -+ radeon_modeset = 0; -+ } -+#endif -+ /* set to modesetting by default if not nomodeset */ -+ if (radeon_modeset == -1) -+ radeon_modeset = 1; -+ - if (radeon_modeset == 1) { - DRM_INFO("radeon kernel modesetting enabled.\n"); - driver = &kms_driver; --- -1.8.1.2 - diff --git a/kernel.spec b/kernel.spec index 15a80f861..3a850d90e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -675,8 +675,6 @@ Patch1702: drm-qxl-backport-fixes.patch Patch1824: drm-intel-next.patch Patch1825: drm-i915-dp-stfu.patch # radeon drm fix -# 924507 -Patch1900: drm-radeon-fix-nomodeset.patch # Quiet boot fixes # silence the ACPI blacklist code @@ -703,8 +701,6 @@ Patch14010: lis3-improve-handling-of-null-rate.patch # ARM Patch21000: arm-export-read_current_timer.patch -# https://lists.ozlabs.org/pipermail/devicetree-discuss/2013-March/029029.html -Patch21001: arm-of-dma.patch # lpae Patch21002: arm-lpae-ax88796.patch @@ -1311,7 +1307,6 @@ ApplyPatch debug-bad-pte-modules.patch # ARM # ApplyPatch arm-export-read_current_timer.patch -ApplyPatch arm-of-dma.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch @@ -1398,8 +1393,6 @@ ApplyPatch drm-qxl-backport-fixes.patch ApplyOptionalPatch drm-intel-next.patch ApplyPatch drm-i915-dp-stfu.patch -ApplyPatch drm-radeon-fix-nomodeset.patch - # silence the ACPI blacklist code ApplyPatch silence-acpi-blacklist.patch @@ -2287,6 +2280,9 @@ fi # and build. %changelog +* Mon May 20 2013 Josh Boyer - 3.9.3-301 +- Linux v3.9.3 + * Thu May 16 2013 Josh Boyer - Fix config-local usage (rhbz 950841) diff --git a/sources b/sources index fcd96b534..d004fc552 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -adeb2556568f79e827e7a0ce4c483605 patch-3.9.2.xz +71b31e29e0cb437a27017c781293b6f4 patch-3.9.3.xz From 3810f48d89f05120c16a1bda410613fe3b2595c2 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Tue, 21 May 2013 15:27:44 +0100 Subject: [PATCH 090/468] Enable OMAP5 on ARM multiplatform --- config-armv7 | 3 ++- kernel.spec | 3 +++ 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/config-armv7 b/config-armv7 index db8a2b69d..15b707960 100644 --- a/config-armv7 +++ b/config-armv7 @@ -77,7 +77,7 @@ CONFIG_ARCH_OMAP2PLUS_TYPICAL=y # CONFIG_ARCH_OMAP2 is not set CONFIG_ARCH_OMAP3=y CONFIG_ARCH_OMAP4=y -# CONFIG_SOC_OMAP5 is not set +CONFIG_SOC_OMAP5=y # CONFIG_SOC_OMAP2420 is not set # CONFIG_SOC_OMAP2430 is not set CONFIG_SOC_OMAP3430=y @@ -111,6 +111,7 @@ CONFIG_MACH_TI8148EVM=y CONFIG_MACH_OMAP_4430SDP=y CONFIG_MACH_OMAP4_PANDA=y +CONFIG_SOC_HAS_REALTIME_COUNTER=y CONFIG_OMAP_RESET_CLOCKS=y CONFIG_OMAP_MUX=y CONFIG_OMAP_MUX_WARNINGS=y diff --git a/kernel.spec b/kernel.spec index 3a850d90e..d57d9cdfa 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2280,6 +2280,9 @@ fi # and build. %changelog +* Tue May 21 2013 Peter Robinson +- Enable OMAP5 on ARM multiplatform + * Mon May 20 2013 Josh Boyer - 3.9.3-301 - Linux v3.9.3 From aafb874739105b2bf26d49b5b02b5bc628f6319b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 22 May 2013 08:22:02 -0400 Subject: [PATCH 091/468] Fix memset error in iwlwifi --- iwlwifi-dvm-fix-memset.patch | 39 ++++++++++++++++++++++++++++++++++++ kernel.spec | 9 ++++++++- 2 files changed, 47 insertions(+), 1 deletion(-) create mode 100644 iwlwifi-dvm-fix-memset.patch diff --git a/iwlwifi-dvm-fix-memset.patch b/iwlwifi-dvm-fix-memset.patch new file mode 100644 index 000000000..ef063f2a9 --- /dev/null +++ b/iwlwifi-dvm-fix-memset.patch @@ -0,0 +1,39 @@ +From: Emmanuel Grumbach + +In 63b77bf489881747c5118476918cc8c29378ee63 + + iwlwifi: dvm: don't send zeroed LQ cmd + +I tried to avoid to send zeroed LQ cmd, but I made a (very) +stupid mistake in the memcmp. +Since this patch has been ported to stable, the fix should +go to stable too. + +This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341 + +Change-Id: I0af4b3fdd537a1f674e85eb02dc0f5b5ac1ee7ac +Cc: stable@vger.kernel.org +Reported-by: Hinnerk van Bruinehsen +Signed-off-by: Emmanuel Grumbach +--- +Josh, this fix ugly -stable 3.8, 3.9 regression, please apply. + + drivers/net/wireless/iwlwifi/dvm/sta.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c +index 5175368..8212097 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/sta.c ++++ b/drivers/net/wireless/iwlwifi/dvm/sta.c +@@ -735,7 +735,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx) + memcpy(&lq, priv->stations[i].lq, + sizeof(struct iwl_link_quality_cmd)); + +- if (!memcmp(&lq, &zero_lq, sizeof(lq))) ++ if (memcmp(&lq, &zero_lq, sizeof(lq))) + send_lq = true; + } + spin_unlock_bh(&priv->sta_lock); +-- +1.7.10.4 + diff --git a/kernel.spec b/kernel.spec index d57d9cdfa..38b889bee 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -753,6 +753,8 @@ Patch25019: powerpc-Set-default-VGA-device.patch Patch25020: powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch +Patch25022: iwlwifi-dvm-fix-memset.patch + # END OF PATCH DEFINITIONS %endif @@ -1453,6 +1455,8 @@ ApplyPatch powerpc-Set-default-VGA-device.patch ApplyPatch powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch +ApplyPatch iwlwifi-dvm-fix-memset.patch + # END OF PATCH APPLICATIONS %endif @@ -2280,6 +2284,9 @@ fi # and build. %changelog +* Wed May 22 2013 Josh Boyer +- Fix memset error in iwlwifi + * Tue May 21 2013 Peter Robinson - Enable OMAP5 on ARM multiplatform From 8eaa30b48fd8acded9d661d8bcfc352c92b096c9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 22 May 2013 09:47:27 -0400 Subject: [PATCH 092/468] memcmp, not memset. I promise I read the code before I applied the patch. --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 38b889bee..69555c580 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2285,7 +2285,7 @@ fi %changelog * Wed May 22 2013 Josh Boyer -- Fix memset error in iwlwifi +- Fix memcmp error in iwlwifi * Tue May 21 2013 Peter Robinson - Enable OMAP5 on ARM multiplatform From 0ba0c995e00bf275a8222fea5e763d2530633cd7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 23 May 2013 16:12:08 -0400 Subject: [PATCH 093/468] Fix oops from incorrect rfkill set in hp-wmi (rhbz 964367) --- hp-wmi-fix-incorrect-rfkill-set-hw-state.patch | 13 +++++++++++++ kernel.spec | 11 ++++++++++- 2 files changed, 23 insertions(+), 1 deletion(-) create mode 100644 hp-wmi-fix-incorrect-rfkill-set-hw-state.patch diff --git a/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch b/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch new file mode 100644 index 000000000..07f27b6c2 --- /dev/null +++ b/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch @@ -0,0 +1,13 @@ +diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c +index 8df0c5a..d111c86 100644 +--- a/drivers/platform/x86/hp-wmi.c ++++ b/drivers/platform/x86/hp-wmi.c +@@ -703,7 +703,7 @@ static int hp_wmi_rfkill_setup(struct platform_device *device) + } + rfkill_init_sw_state(gps_rfkill, + hp_wmi_get_sw_state(HPWMI_GPS)); +- rfkill_set_hw_state(bluetooth_rfkill, ++ rfkill_set_hw_state(gps_rfkill, + hp_wmi_get_hw_state(HPWMI_GPS)); + err = rfkill_register(gps_rfkill); + if (err) diff --git a/kernel.spec b/kernel.spec index 69555c580..54acf6773 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 303 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -755,6 +755,9 @@ Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch Patch25022: iwlwifi-dvm-fix-memset.patch +#rhbz 964367 +Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch + # END OF PATCH DEFINITIONS %endif @@ -1457,6 +1460,9 @@ ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch ApplyPatch iwlwifi-dvm-fix-memset.patch +#rhbz 964367 +ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch + # END OF PATCH APPLICATIONS %endif @@ -2284,6 +2290,9 @@ fi # and build. %changelog +* Thu May 23 2013 Josh Boyer +- Fix oops from incorrect rfkill set in hp-wmi (rhbz 964367) + * Wed May 22 2013 Josh Boyer - Fix memcmp error in iwlwifi From 724c41730cd9bca399a497375a29bf94559dcaa8 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 24 May 2013 12:58:52 -0400 Subject: [PATCH 094/468] Add patch to quiet irq remapping failures (rhbz 948262) --- ...ning-if-enabling-irq-remapping-fails.patch | 25 +++++++++++++++++++ kernel.spec | 9 +++++++ 2 files changed, 34 insertions(+) create mode 100644 intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch diff --git a/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch b/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch new file mode 100644 index 000000000..424d60350 --- /dev/null +++ b/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch @@ -0,0 +1,25 @@ +This triggers on a MacBook Pro. + +Signed-off-by: Andy Lutomirski +https://bugzilla.redhat.com/show_bug.cgi?id=948262 +--- + drivers/iommu/intel_irq_remapping.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index f3b8f23..a7e0ad1 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -654,8 +654,7 @@ error: + */ + + if (x2apic_present) +- WARN(1, KERN_WARNING +- "Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n"); ++ pr_warn("Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n"); + + return -1; + } +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index 54acf6773..90773bed9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -758,6 +758,9 @@ Patch25022: iwlwifi-dvm-fix-memset.patch #rhbz 964367 Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch +#rhbz 948262 +Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch + # END OF PATCH DEFINITIONS %endif @@ -1463,6 +1466,9 @@ ApplyPatch iwlwifi-dvm-fix-memset.patch #rhbz 964367 ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch +#rhbz 948262 +ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch + # END OF PATCH APPLICATIONS %endif @@ -2290,6 +2296,9 @@ fi # and build. %changelog +* Fri May 24 2013 Josh Boyer +- Add patch to quiet irq remapping failures (rhbz 948262) + * Thu May 23 2013 Josh Boyer - Fix oops from incorrect rfkill set in hp-wmi (rhbz 964367) From a01a3883f5ca87626d8ab8df81f0aba53b30a680 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 24 May 2013 14:39:33 -0500 Subject: [PATCH 095/468] Linux v3.9.4 --- kernel.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index 90773bed9..120ca80f9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 303 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2296,6 +2296,9 @@ fi # and build. %changelog +* Fri May 24 2013 Justin M. Forbes +- Linux v3.9.4 + * Fri May 24 2013 Josh Boyer - Add patch to quiet irq remapping failures (rhbz 948262) diff --git a/sources b/sources index d004fc552..50d708523 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -71b31e29e0cb437a27017c781293b6f4 patch-3.9.3.xz +922c4553299e6692a28761d3032fc012 patch-3.9.4.xz From b1c4c5525898e2580df4a860cfef45ee8ee1a778 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 24 May 2013 14:59:55 -0500 Subject: [PATCH 096/468] add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 120ca80f9..71b233924 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2296,7 +2296,7 @@ fi # and build. %changelog -* Fri May 24 2013 Justin M. Forbes +* Fri May 24 2013 Justin M. Forbes - 3.9.3-300 - Linux v3.9.4 * Fri May 24 2013 Josh Boyer From dc6ef3598ce6c6e152d4d9b51cbe59ee97e4b8c7 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 30 May 2013 19:36:04 +0100 Subject: [PATCH 097/468] Update ARM tegra config --- config-armv7-tegra | 15 +++++---------- kernel.spec | 3 +++ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/config-armv7-tegra b/config-armv7-tegra index 20cda8a7b..67077459e 100644 --- a/config-armv7-tegra +++ b/config-armv7-tegra @@ -1,7 +1,7 @@ CONFIG_ARCH_TEGRA=y CONFIG_ARCH_TEGRA_2x_SOC=y -# CONFIG_ARCH_TEGRA_3x_SOC is not set +CONFIG_ARCH_TEGRA_3x_SOC=y # CONFIG_ARCH_TEGRA_114_SOC is not set # CONFIG_NEON is not set @@ -12,15 +12,6 @@ CONFIG_ARCH_TEGRA_2x_SOC=y # CONFIG_ARM_VIRT_EXT is not set # CONFIG_VIRTUALIZATION is not set -# CONFIG_MACH_HARMONY is not set -CONFIG_MACH_KAEN=y -CONFIG_MACH_PAZ00=y -CONFIG_MACH_SEABOARD=y -CONFIG_MACH_TEGRA_DT=y -CONFIG_MACH_TRIMSLICE=y -CONFIG_MACH_WARIO=y -CONFIG_MACH_VENTANA=y - CONFIG_TEGRA_PCI=y CONFIG_TEGRA_IOMMU_GART=y CONFIG_TEGRA_IOMMU_SMMU=y @@ -68,6 +59,10 @@ CONFIG_NVEC_POWER=y CONFIG_POWER_SUPPLY=y CONFIG_NVEC_LEDS=y CONFIG_NVEC_PAZ00=y +CONFIG_MFD_TPS6586X=y +CONFIG_GPIO_TPS6586X=y +CONFIG_REGULATOR_TPS6586X=m +CONFIG_RTC_DRV_TPS6586X=m # CONFIG_MFD_TPS6586X is not set # CONFIG_RTC_DRV_TPS6586X is not set diff --git a/kernel.spec b/kernel.spec index 71b233924..0384b560c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2296,6 +2296,9 @@ fi # and build. %changelog +* Thu May 30 2013 Peter Robinson +- Update ARM tegra config + * Fri May 24 2013 Justin M. Forbes - 3.9.3-300 - Linux v3.9.4 From 613531314d944114920f555cd80a0ded8223ea0c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 31 May 2013 07:33:17 -0400 Subject: [PATCH 098/468] CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272) --- ...et-fix-heap-buffer-overflow-on-error.patch | 63 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 72 insertions(+) create mode 100644 iscsi-target-fix-heap-buffer-overflow-on-error.patch diff --git a/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/iscsi-target-fix-heap-buffer-overflow-on-error.patch new file mode 100644 index 000000000..7b368122d --- /dev/null +++ b/iscsi-target-fix-heap-buffer-overflow-on-error.patch @@ -0,0 +1,63 @@ +From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Thu, 23 May 2013 17:32:17 +0000 +Subject: iscsi-target: fix heap buffer overflow on error + +If a key was larger than 64 bytes, as checked by iscsi_check_key(), the +error response packet, generated by iscsi_add_notunderstood_response(), +would still attempt to copy the entire key into the packet, overflowing +the structure on the heap. + +Remote preauthentication kernel memory corruption was possible if a +target was configured and listening on the network. + +CVE-2013-2850 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Signed-off-by: Nicholas Bellinger +--- +diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c +index c2185fc..e382221 100644 +--- a/drivers/target/iscsi/iscsi_target_parameters.c ++++ b/drivers/target/iscsi/iscsi_target_parameters.c +@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( + } + INIT_LIST_HEAD(&extra_response->er_list); + +- strncpy(extra_response->key, key, strlen(key) + 1); +- strncpy(extra_response->value, NOTUNDERSTOOD, +- strlen(NOTUNDERSTOOD) + 1); ++ strlcpy(extra_response->key, key, sizeof(extra_response->key)); ++ strlcpy(extra_response->value, NOTUNDERSTOOD, ++ sizeof(extra_response->value)); + + list_add_tail(&extra_response->er_list, + ¶m_list->extra_response_list); +@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( + + if (phase & PHASE_SECURITY) { + if (iscsi_check_for_auth_key(key) > 0) { +- char *tmpptr = key + strlen(key); +- *tmpptr = '='; + kfree(tmpbuf); + return 1; + } +diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h +index 915b067..a47046a 100644 +--- a/drivers/target/iscsi/iscsi_target_parameters.h ++++ b/drivers/target/iscsi/iscsi_target_parameters.h +@@ -1,8 +1,10 @@ + #ifndef ISCSI_PARAMETERS_H + #define ISCSI_PARAMETERS_H + ++#include ++ + struct iscsi_extra_response { +- char key[64]; ++ char key[KEY_MAXLEN]; + char value[32]; + struct list_head er_list; + } ____cacheline_aligned; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 0384b560c..59d248b3d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -761,6 +761,9 @@ Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch +#CVE-2013-2850 rhbz 968036 969272 +Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch + # END OF PATCH DEFINITIONS %endif @@ -1469,6 +1472,9 @@ ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch +#CVE-2013-2850 rhbz 968036 969272 +ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch + # END OF PATCH APPLICATIONS %endif @@ -2296,6 +2302,9 @@ fi # and build. %changelog +* Fri May 31 2013 Josh Boyer +- CVE-2013-2850 iscsi-target: heap buffer overflow on large key error (rhbz 968036 969272) + * Thu May 30 2013 Peter Robinson - Update ARM tegra config From f40124cd40aae84630ec7d03c4bfe2056db9cb81 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sat, 1 Jun 2013 16:46:57 +0100 Subject: [PATCH 099/468] Add patch to fix DRM/X on omap (panda), Enable Cortex-A8 errata on multiplatform kernels (omap3) --- arm-omap-load-tfp410.patch | 14 ++++++++++++++ config-armv7-generic | 6 +++--- kernel.spec | 6 +++++- 3 files changed, 22 insertions(+), 4 deletions(-) create mode 100644 arm-omap-load-tfp410.patch diff --git a/arm-omap-load-tfp410.patch b/arm-omap-load-tfp410.patch new file mode 100644 index 000000000..0f2ba5457 --- /dev/null +++ b/arm-omap-load-tfp410.patch @@ -0,0 +1,14 @@ +diff -urNp linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/core.c linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/core.c +--- linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/core.c 2013-04-28 20:36:01.000000000 -0400 ++++ linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/core.c 2013-05-31 12:24:07.711334359 -0400 +@@ -596,6 +596,9 @@ static int __init omap_dss_init(void) + { + int r; + ++ /* hack to load panel-tfp410 driver */ ++ request_module("panel-tfp410"); ++ + r = omap_dss_bus_register(); + if (r) + return r; +Binary files linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/.Makefile.swp and linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/.Makefile.swp differ diff --git a/config-armv7-generic b/config-armv7-generic index 7b4d546c7..41119608e 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -50,9 +50,9 @@ CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y # CONFIG_ARM_ERRATA_326103 is not set # CONFIG_ARM_ERRATA_411920 is not set # Cortex-A8 -# CONFIG_ARM_ERRATA_430973 is not set -# CONFIG_ARM_ERRATA_458693 is not set -# CONFIG_ARM_ERRATA_460075 is not set +CONFIG_ARM_ERRATA_430973=y +CONFIG_ARM_ERRATA_458693=y +CONFIG_ARM_ERRATA_460075=y # Cortex-A9 CONFIG_ARM_ERRATA_720789=y CONFIG_ARM_ERRATA_742230=y diff --git a/kernel.spec b/kernel.spec index 0384b560c..132d58c8b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -707,6 +707,7 @@ Patch21002: arm-lpae-ax88796.patch # ARM omap Patch21003: arm-omap-ehci-fix.patch +Patch21004: arm-omap-load-tfp410.patch # ARM tegra Patch21005: arm-tegra-usb-no-reset-linux33.patch @@ -1317,6 +1318,7 @@ ApplyPatch debug-bad-pte-modules.patch ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch +ApplyPatch arm-omap-load-tfp410.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch ApplyPatch arm-tegra-fixclk.patch @@ -2296,8 +2298,10 @@ fi # and build. %changelog -* Thu May 30 2013 Peter Robinson +* Sat June 1 2013 Peter Robinson - Update ARM tegra config +- Add patch to fix DRM/X on omap (panda) +- Enable Cortex-A8 errata on multiplatform kernels (omap3) * Fri May 24 2013 Justin M. Forbes - 3.9.3-300 - Linux v3.9.4 From fa94b00713981b39ea33519f8971a6912128bff6 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sat, 1 Jun 2013 20:36:25 +0100 Subject: [PATCH 100/468] fix changelog date, add extra crash patch for omap drm --- arm-omap-fixdrm.patch | 19 +++++++++++++++++++ kernel.spec | 10 ++++++---- 2 files changed, 25 insertions(+), 4 deletions(-) create mode 100644 arm-omap-fixdrm.patch diff --git a/arm-omap-fixdrm.patch b/arm-omap-fixdrm.patch new file mode 100644 index 000000000..e0eec8061 --- /dev/null +++ b/arm-omap-fixdrm.patch @@ -0,0 +1,19 @@ +diff --git a/drivers/gpu/drm/omapdrm/omap_plane.c b/drivers/gpu/drm/omapdrm/omap_plane.c +index 2882cda..8d225d7 100644 +--- a/drivers/gpu/drm/omapdrm/omap_plane.c ++++ b/drivers/gpu/drm/omapdrm/omap_plane.c +@@ -247,6 +247,12 @@ static int omap_plane_update(struct drm_plane *plane, + { + struct omap_plane *omap_plane = to_omap_plane(plane); + omap_plane->enabled = true; ++ ++ if (plane->fb) ++ drm_framebuffer_unreference(plane->fb); ++ ++ drm_framebuffer_reference(fb); ++ + return omap_plane_mode_set(plane, crtc, fb, + crtc_x, crtc_y, crtc_w, crtc_h, + src_x, src_y, src_w, src_h, + + diff --git a/kernel.spec b/kernel.spec index 1d968e04a..a4538cdee 100644 --- a/kernel.spec +++ b/kernel.spec @@ -703,11 +703,12 @@ Patch14010: lis3-improve-handling-of-null-rate.patch Patch21000: arm-export-read_current_timer.patch # lpae -Patch21002: arm-lpae-ax88796.patch +Patch21001: arm-lpae-ax88796.patch # ARM omap -Patch21003: arm-omap-ehci-fix.patch -Patch21004: arm-omap-load-tfp410.patch +Patch21002: arm-omap-ehci-fix.patch +Patch21003: arm-omap-load-tfp410.patch +Patch21004: arm-omap-fixdrm.patch # ARM tegra Patch21005: arm-tegra-usb-no-reset-linux33.patch @@ -1322,6 +1323,7 @@ ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-ehci-fix.patch ApplyPatch arm-omap-load-tfp410.patch +ApplyPatch arm-omap-fixdrm.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch ApplyPatch arm-tegra-fixclk.patch @@ -2304,7 +2306,7 @@ fi # and build. %changelog -* Sat June 1 2013 Peter Robinson +* Sat Jun 1 2013 Peter Robinson - Add patch to fix DRM/X on omap (panda) - Enable Cortex-A8 errata on multiplatform kernels (omap3) From cb1fe2850d49c85df26c23e199445e686607eaaa Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Sat, 1 Jun 2013 20:38:16 +0100 Subject: [PATCH 101/468] add link for patch --- kernel.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel.spec b/kernel.spec index a4538cdee..6d519732d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -708,6 +708,7 @@ Patch21001: arm-lpae-ax88796.patch # ARM omap Patch21002: arm-omap-ehci-fix.patch Patch21003: arm-omap-load-tfp410.patch +# https://patchwork.kernel.org/patch/2414881/ Patch21004: arm-omap-fixdrm.patch # ARM tegra From d51efdbb5bbb27bb4f0e5565d15a57e767c83303 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 3 Jun 2013 09:58:23 -0400 Subject: [PATCH 102/468] Add patches to fix PowerPC MSI handling (rhbz 962496) --- kernel.spec | 11 +++ ...Force-32-bit-MSIs-for-devices-that-r.patch | 86 +++++++++++++++++ ...Make-32-bit-MSI-quirk-work-on-system.patch | 95 +++++++++++++++++++ 3 files changed, 192 insertions(+) create mode 100644 powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch create mode 100644 powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch diff --git a/kernel.spec b/kernel.spec index 6d519732d..db6f028e6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -756,6 +756,10 @@ Patch25019: powerpc-Set-default-VGA-device.patch Patch25020: powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch +#rhbz 962496 +Patch25027: powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch +Patch25029: powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch + Patch25022: iwlwifi-dvm-fix-memset.patch #rhbz 964367 @@ -1469,6 +1473,10 @@ ApplyPatch powerpc-Set-default-VGA-device.patch ApplyPatch powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch +#rhbz 962496 +ApplyPatch powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch +ApplyPatch powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch + ApplyPatch iwlwifi-dvm-fix-memset.patch #rhbz 964367 @@ -2307,6 +2315,9 @@ fi # and build. %changelog +* Mon Jun 03 2013 Josh Boyer +- Add patches to fix PowerPC MSI handling (rhbz 962496) + * Sat Jun 1 2013 Peter Robinson - Add patch to fix DRM/X on omap (panda) - Enable Cortex-A8 errata on multiplatform kernels (omap3) diff --git a/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch b/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch new file mode 100644 index 000000000..eeb39950f --- /dev/null +++ b/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch @@ -0,0 +1,86 @@ +From e61133dda480062d221f09e4fc18f66763f8ecd0 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Fri, 3 May 2013 11:30:59 +0000 +Subject: [PATCH] powerpc/pseries: Force 32 bit MSIs for devices that require + it + +The following patch implements a new PAPR change which allows +the OS to force the use of 32 bit MSIs, regardless of what +the PCI capabilities indicate. This is required for some +devices that advertise support for 64 bit MSIs but don't +actually support them. + +Signed-off-by: Brian King +Signed-off-by: Benjamin Herrenschmidt +--- + arch/powerpc/include/asm/pci-bridge.h | 2 ++ + arch/powerpc/platforms/pseries/msi.c | 21 ++++++++++++++++++--- + 2 files changed, 20 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/include/asm/pci-bridge.h b/arch/powerpc/include/asm/pci-bridge.h +index ffbc5fd..0694f73 100644 +--- a/arch/powerpc/include/asm/pci-bridge.h ++++ b/arch/powerpc/include/asm/pci-bridge.h +@@ -163,6 +163,8 @@ struct pci_dn { + + int pci_ext_config_space; /* for pci devices */ + ++ int force_32bit_msi:1; ++ + struct pci_dev *pcidev; /* back-pointer to the pci device */ + #ifdef CONFIG_EEH + struct eeh_dev *edev; /* eeh device */ +diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c +index e5b0847..420524e 100644 +--- a/arch/powerpc/platforms/pseries/msi.c ++++ b/arch/powerpc/platforms/pseries/msi.c +@@ -24,6 +24,7 @@ static int query_token, change_token; + #define RTAS_RESET_FN 2 + #define RTAS_CHANGE_MSI_FN 3 + #define RTAS_CHANGE_MSIX_FN 4 ++#define RTAS_CHANGE_32MSI_FN 5 + + static struct pci_dn *get_pdn(struct pci_dev *pdev) + { +@@ -58,7 +59,8 @@ static int rtas_change_msi(struct pci_dn *pdn, u32 func, u32 num_irqs) + + seq_num = 1; + do { +- if (func == RTAS_CHANGE_MSI_FN || func == RTAS_CHANGE_MSIX_FN) ++ if (func == RTAS_CHANGE_MSI_FN || func == RTAS_CHANGE_MSIX_FN || ++ func == RTAS_CHANGE_32MSI_FN) + rc = rtas_call(change_token, 6, 4, rtas_ret, addr, + BUID_HI(buid), BUID_LO(buid), + func, num_irqs, seq_num); +@@ -426,9 +428,12 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) + */ + again: + if (type == PCI_CAP_ID_MSI) { +- rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); ++ if (pdn->force_32bit_msi) ++ rc = rtas_change_msi(pdn, RTAS_CHANGE_32MSI_FN, nvec); ++ else ++ rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); + +- if (rc < 0) { ++ if (rc < 0 && !pdn->force_32bit_msi) { + pr_debug("rtas_msi: trying the old firmware call.\n"); + rc = rtas_change_msi(pdn, RTAS_CHANGE_FN, nvec); + } +@@ -512,3 +517,13 @@ static int rtas_msi_init(void) + return 0; + } + arch_initcall(rtas_msi_init); ++ ++static void quirk_radeon(struct pci_dev *dev) ++{ ++ struct pci_dn *pdn = get_pdn(dev); ++ ++ if (pdn) ++ pdn->force_32bit_msi = 1; ++} ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x68f2, quirk_radeon); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0xaa68, quirk_radeon); +-- +1.8.1.4 + diff --git a/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch b/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch new file mode 100644 index 000000000..6edd14b23 --- /dev/null +++ b/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch @@ -0,0 +1,95 @@ +From ad735c038a1c3273b605c398a765fdd525527ef7 Mon Sep 17 00:00:00 2001 +From: Brian King +Date: Wed, 22 May 2013 11:07:46 +0000 +Subject: [PATCH] powerpc/pseries: Make 32-bit MSI quirk work on systems + lacking firmware support + +Recent commit e61133dda480062d221f09e4fc18f66763f8ecd0 added support +for a new firmware feature to force an adapter to use 32 bit MSIs. +However, this firmware is not available for all systems. The hack below +allows devices needing 32 bit MSIs to work on these systems as well. +It is careful to only enable this on Gen2 slots, which should limit +this to configurations where this hack is needed and tested to work. + +[Small change to factor out the hack into a separate function -- BenH] + +Signed-off-by: Brian King +Signed-off-by: Benjamin Herrenschmidt +--- + arch/powerpc/platforms/pseries/msi.c | 40 +++++++++++++++++++++++++++++++++--- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c +index 420524e..cd7d23d 100644 +--- a/arch/powerpc/platforms/pseries/msi.c ++++ b/arch/powerpc/platforms/pseries/msi.c +@@ -394,6 +394,23 @@ static int check_msix_entries(struct pci_dev *pdev) + return 0; + } + ++static void rtas_hack_32bit_msi_gen2(struct pci_dev *pdev) ++{ ++ u32 addr_hi, addr_lo; ++ ++ /* ++ * We should only get in here for IODA1 configs. This is based on the ++ * fact that we using RTAS for MSIs, we don't have the 32 bit MSI RTAS ++ * support, and we are in a PCIe Gen2 slot. ++ */ ++ dev_info(&pdev->dev, ++ "rtas_msi: No 32 bit MSI firmware support, forcing 32 bit MSI\n"); ++ pci_read_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_HI, &addr_hi); ++ addr_lo = 0xffff0000 | ((addr_hi >> (48 - 32)) << 4); ++ pci_write_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_LO, addr_lo); ++ pci_write_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_HI, 0); ++} ++ + static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) + { + struct pci_dn *pdn; +@@ -401,6 +418,7 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) + struct msi_desc *entry; + struct msi_msg msg; + int nvec = nvec_in; ++ int use_32bit_msi_hack = 0; + + pdn = get_pdn(pdev); + if (!pdn) +@@ -428,15 +446,31 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) + */ + again: + if (type == PCI_CAP_ID_MSI) { +- if (pdn->force_32bit_msi) ++ if (pdn->force_32bit_msi) { + rc = rtas_change_msi(pdn, RTAS_CHANGE_32MSI_FN, nvec); +- else ++ if (rc < 0) { ++ /* ++ * We only want to run the 32 bit MSI hack below if ++ * the max bus speed is Gen2 speed ++ */ ++ if (pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) ++ return rc; ++ ++ use_32bit_msi_hack = 1; ++ } ++ } else ++ rc = -1; ++ ++ if (rc < 0) + rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); + +- if (rc < 0 && !pdn->force_32bit_msi) { ++ if (rc < 0) { + pr_debug("rtas_msi: trying the old firmware call.\n"); + rc = rtas_change_msi(pdn, RTAS_CHANGE_FN, nvec); + } ++ ++ if (use_32bit_msi_hack && rc > 0) ++ rtas_hack_32bit_msi_gen2(pdev); + } else + rc = rtas_change_msi(pdn, RTAS_CHANGE_MSIX_FN, nvec); + +-- +1.8.1.4 + From 65373eab6448276b7dada77b3590a46c495fc589 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 3 Jun 2013 19:05:22 -0400 Subject: [PATCH 103/468] Fix UEFI anti-bricking code (rhbz 964335) --- Modify-UEFI-anti-bricking-code.patch | 371 +++++++++++++++++++++++++++ kernel.spec | 9 +- 2 files changed, 379 insertions(+), 1 deletion(-) create mode 100644 Modify-UEFI-anti-bricking-code.patch diff --git a/Modify-UEFI-anti-bricking-code.patch b/Modify-UEFI-anti-bricking-code.patch new file mode 100644 index 000000000..862574556 --- /dev/null +++ b/Modify-UEFI-anti-bricking-code.patch @@ -0,0 +1,371 @@ +From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Sat, 1 Jun 2013 16:06:20 -0400 +Subject: [PATCH] Modify UEFI anti-bricking code + +This patch reworks the UEFI anti-bricking code, including an effective +reversion of cc5a080c and 31ff2f20. It turns out that calling +QueryVariableInfo() from boot services results in some firmware +implementations jumping to physical addresses even after entering virtual +mode, so until we have 1:1 mappings for UEFI runtime space this isn't +going to work so well. + +Reverting these gets us back to the situation where we'd refuse to create +variables on some systems because they classify deleted variables as "used" +until the firmware triggers a garbage collection run, which they won't do +until they reach a lower threshold. This results in it being impossible to +install a bootloader, which is unhelpful. + +Feedback from Samsung indicates that the firmware doesn't need more than +5KB of storage space for its own purposes, so that seems like a reasonable +threshold. However, there's still no guarantee that a platform will attempt +garbage collection merely because it drops below this threshold. It seems +that this is often only triggered if an attempt to write generates a +genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to +create a variable larger than the remaining space. This should fail, but if +it somehow succeeds we can then immediately delete it. + +I've tested this on the UEFI machines I have available, but I don't have +a Samsung and so can't verify that it avoids the bricking problem. + +Signed-off-by: Matthew Garrett +--- + arch/x86/boot/compressed/eboot.c | 47 ---------- + arch/x86/include/asm/efi.h | 7 -- + arch/x86/include/uapi/asm/bootparam.h | 1 - + arch/x86/platform/efi/efi.c | 167 +++++++++------------------------- + 4 files changed, 44 insertions(+), 178 deletions(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 35ee62f..c205035 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) + *size = len; + } + +-static efi_status_t setup_efi_vars(struct boot_params *params) +-{ +- struct setup_data *data; +- struct efi_var_bootdata *efidata; +- u64 store_size, remaining_size, var_size; +- efi_status_t status; +- +- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) +- return EFI_UNSUPPORTED; +- +- data = (struct setup_data *)(unsigned long)params->hdr.setup_data; +- +- while (data && data->next) +- data = (struct setup_data *)(unsigned long)data->next; +- +- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info, +- EFI_VARIABLE_NON_VOLATILE | +- EFI_VARIABLE_BOOTSERVICE_ACCESS | +- EFI_VARIABLE_RUNTIME_ACCESS, &store_size, +- &remaining_size, &var_size); +- +- if (status != EFI_SUCCESS) +- return status; +- +- status = efi_call_phys3(sys_table->boottime->allocate_pool, +- EFI_LOADER_DATA, sizeof(*efidata), &efidata); +- +- if (status != EFI_SUCCESS) +- return status; +- +- efidata->data.type = SETUP_EFI_VARS; +- efidata->data.len = sizeof(struct efi_var_bootdata) - +- sizeof(struct setup_data); +- efidata->data.next = 0; +- efidata->store_size = store_size; +- efidata->remaining_size = remaining_size; +- efidata->max_var_size = var_size; +- +- if (data) +- data->next = (unsigned long)efidata; +- else +- params->hdr.setup_data = (unsigned long)efidata; +- +-} +- + static efi_status_t setup_efi_pci(struct boot_params *params) + { + efi_pci_io_protocol *pci; +@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, + + setup_graphics(boot_params); + +- setup_efi_vars(boot_params); +- + setup_efi_pci(boot_params); + + status = efi_call_phys3(sys_table->boottime->allocate_pool, +diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h +index 2fb5d58..60c89f3 100644 +--- a/arch/x86/include/asm/efi.h ++++ b/arch/x86/include/asm/efi.h +@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void); + extern void efi_unmap_memmap(void); + extern void efi_memory_uc(u64 addr, unsigned long size); + +-struct efi_var_bootdata { +- struct setup_data data; +- u64 store_size; +- u64 remaining_size; +- u64 max_var_size; +-}; +- + #ifdef CONFIG_EFI + + static inline bool efi_is_native(void) +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index 0874424..c15ddaf 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -6,7 +6,6 @@ + #define SETUP_E820_EXT 1 + #define SETUP_DTB 2 + #define SETUP_PCI 3 +-#define SETUP_EFI_VARS 4 + + /* ram_size flags */ + #define RAMDISK_IMAGE_START_MASK 0x07FF +diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c +index e4a86a6..beb5d5f 100644 +--- a/arch/x86/platform/efi/efi.c ++++ b/arch/x86/platform/efi/efi.c +@@ -41,7 +41,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -52,13 +51,6 @@ + + #define EFI_DEBUG 1 + +-/* +- * There's some additional metadata associated with each +- * variable. Intel's reference implementation is 60 bytes - bump that +- * to account for potential alignment constraints +- */ +-#define VAR_METADATA_SIZE 64 +- + struct efi __read_mostly efi = { + .mps = EFI_INVALID_TABLE_ADDR, + .acpi = EFI_INVALID_TABLE_ADDR, +@@ -77,13 +69,6 @@ struct efi_memory_map memmap; + static struct efi efi_phys __initdata; + static efi_system_table_t efi_systab __initdata; + +-static u64 efi_var_store_size; +-static u64 efi_var_remaining_size; +-static u64 efi_var_max_var_size; +-static u64 boot_used_size; +-static u64 boot_var_size; +-static u64 active_size; +- + unsigned long x86_efi_facility; + + /* +@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, + efi_char16_t *name, + efi_guid_t *vendor) + { +- efi_status_t status; +- static bool finished = false; +- static u64 var_size; +- +- status = efi_call_virt3(get_next_variable, ++ return efi_call_virt3(get_next_variable, + name_size, name, vendor); +- +- if (status == EFI_NOT_FOUND) { +- finished = true; +- if (var_size < boot_used_size) { +- boot_var_size = boot_used_size - var_size; +- active_size += boot_var_size; +- } else { +- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); +- } +- } +- +- if (boot_used_size && !finished) { +- unsigned long size; +- u32 attr; +- efi_status_t s; +- void *tmp; +- +- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); +- +- if (s != EFI_BUFFER_TOO_SMALL || !size) +- return status; +- +- tmp = kmalloc(size, GFP_ATOMIC); +- +- if (!tmp) +- return status; +- +- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); +- +- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { +- var_size += size; +- var_size += ucs2_strsize(name, 1024); +- active_size += size; +- active_size += VAR_METADATA_SIZE; +- active_size += ucs2_strsize(name, 1024); +- } +- +- kfree(tmp); +- } +- +- return status; + } + + static efi_status_t virt_efi_set_variable(efi_char16_t *name, +@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, + unsigned long data_size, + void *data) + { +- efi_status_t status; +- u32 orig_attr = 0; +- unsigned long orig_size = 0; +- +- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, +- NULL); +- +- if (status != EFI_BUFFER_TOO_SMALL) +- orig_size = 0; +- +- status = efi_call_virt5(set_variable, +- name, vendor, attr, +- data_size, data); +- +- if (status == EFI_SUCCESS) { +- if (orig_size) { +- active_size -= orig_size; +- active_size -= ucs2_strsize(name, 1024); +- active_size -= VAR_METADATA_SIZE; +- } +- if (data_size) { +- active_size += data_size; +- active_size += ucs2_strsize(name, 1024); +- active_size += VAR_METADATA_SIZE; +- } +- } +- +- return status; ++ return efi_call_virt5(set_variable, ++ name, vendor, attr, ++ data_size, data); + } + + static efi_status_t virt_efi_query_variable_info(u32 attr, +@@ -776,9 +691,6 @@ void __init efi_init(void) + char vendor[100] = "unknown"; + int i = 0; + void *tmp; +- struct setup_data *data; +- struct efi_var_bootdata *efi_var_data; +- u64 pa_data; + + #ifdef CONFIG_X86_32 + if (boot_params.efi_info.efi_systab_hi || +@@ -796,22 +708,6 @@ void __init efi_init(void) + if (efi_systab_init(efi_phys.systab)) + return; + +- pa_data = boot_params.hdr.setup_data; +- while (pa_data) { +- data = early_ioremap(pa_data, sizeof(*efi_var_data)); +- if (data->type == SETUP_EFI_VARS) { +- efi_var_data = (struct efi_var_bootdata *)data; +- +- efi_var_store_size = efi_var_data->store_size; +- efi_var_remaining_size = efi_var_data->remaining_size; +- efi_var_max_var_size = efi_var_data->max_var_size; +- } +- pa_data = data->next; +- early_iounmap(data, sizeof(*efi_var_data)); +- } +- +- boot_used_size = efi_var_store_size - efi_var_remaining_size; +- + set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); + + /* +@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) + if (status != EFI_SUCCESS) + return status; + +- if (!max_size && remaining_size > size) +- printk_once(KERN_ERR FW_BUG "Broken EFI implementation" +- " is returning MaxVariableSize=0\n"); + /* + * Some firmware implementations refuse to boot if there's insufficient + * space in the variable store. We account for that by refusing the + * write if permitting it would reduce the available space to under +- * 50%. However, some firmware won't reclaim variable space until +- * after the used (not merely the actively used) space drops below +- * a threshold. We can approximate that case with the value calculated +- * above. If both the firmware and our calculations indicate that the +- * available space would drop below 50%, refuse the write. ++ * 5KB. This figure was provided by Samsung, so should be safe. + */ ++ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) { ++ /* ++ * Triggering garbage collection may require that the firmware ++ * generate a real EFI_OUT_OF_RESOURCES error. We can force ++ * that by attempting to use more space than is available. ++ */ ++ unsigned long dummy_size = remaining_size + 1024; ++ void *dummy = kmalloc(dummy_size, GFP_ATOMIC); ++ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 }; ++ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, ++ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, ++ 0xa9); ++ ++ status = efi.set_variable(efi_name, &guid, attributes, ++ dummy_size, dummy); ++ ++ if (status == EFI_SUCCESS) { ++ /* ++ * This should have failed, so if it didn't make sure ++ * that we delete it... ++ */ ++ efi.set_variable(efi_name, &guid, attributes, 0, ++ dummy); ++ } + +- if (!storage_size || size > remaining_size || +- (max_size && size > max_size)) +- return EFI_OUT_OF_RESOURCES; ++ /* ++ * The runtime code may now have triggered a garbage collection ++ * run, so check the variable info again ++ */ ++ status = efi.query_variable_info(attributes, &storage_size, ++ &remaining_size, &max_size); + +- if (!efi_no_storage_paranoia && +- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && +- (remaining_size - size < storage_size / 2))) +- return EFI_OUT_OF_RESOURCES; ++ if (status != EFI_SUCCESS) ++ return status; ++ ++ /* ++ * There still isn't enough room, so return an error ++ */ ++ if (remaining_size - size < 5120) ++ return EFI_OUT_OF_RESOURCES; ++ } + + return EFI_SUCCESS; + } +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index db6f028e6..d9a7be5b9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -771,6 +771,9 @@ Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pa #CVE-2013-2850 rhbz 968036 969272 Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch +#rhbz 964335 +Patch25026: Modify-UEFI-anti-bricking-code.patch + # END OF PATCH DEFINITIONS %endif @@ -1488,6 +1491,9 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat #CVE-2013-2850 rhbz 968036 969272 ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch +#rhbz 964335 +ApplyPatch Modify-UEFI-anti-bricking-code.patch + # END OF PATCH APPLICATIONS %endif @@ -2316,6 +2322,7 @@ fi %changelog * Mon Jun 03 2013 Josh Boyer +- Fix UEFI anti-bricking code (rhbz 964335) - Add patches to fix PowerPC MSI handling (rhbz 962496) * Sat Jun 1 2013 Peter Robinson From f9b60448ad77032ae3a3f357a28280bbce1004dd Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 4 Jun 2013 13:37:01 -0400 Subject: [PATCH 104/468] Fix build issue with PowerPC MSI patches (rhbz 962496) --- kernel.spec | 5 ++++- ...Make-32-bit-MSI-quirk-work-on-system.patch | 22 ++++++++++--------- 2 files changed, 16 insertions(+), 11 deletions(-) diff --git a/kernel.spec b/kernel.spec index d9a7be5b9..aaceefd1a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2321,7 +2321,10 @@ fi # and build. %changelog -* Mon Jun 03 2013 Josh Boyer +* Tue Jun 04 2013 Josh Boyer +- Fix build issue with PowerPC MSI patches (rhbz 962496) + +* Mon Jun 03 2013 Josh Boyer - 3.9.4-301 - Fix UEFI anti-bricking code (rhbz 964335) - Add patches to fix PowerPC MSI handling (rhbz 962496) diff --git a/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch b/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch index 6edd14b23..8add1a4ed 100644 --- a/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch +++ b/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch @@ -1,4 +1,4 @@ -From ad735c038a1c3273b605c398a765fdd525527ef7 Mon Sep 17 00:00:00 2001 +From ffbc2a5d4bb9c758867332d2f4d521a02375e43a Mon Sep 17 00:00:00 2001 From: Brian King Date: Wed, 22 May 2013 11:07:46 +0000 Subject: [PATCH] powerpc/pseries: Make 32-bit MSI quirk work on systems @@ -16,19 +16,20 @@ this to configurations where this hack is needed and tested to work. Signed-off-by: Brian King Signed-off-by: Benjamin Herrenschmidt --- - arch/powerpc/platforms/pseries/msi.c | 40 +++++++++++++++++++++++++++++++++--- - 1 file changed, 37 insertions(+), 3 deletions(-) + arch/powerpc/platforms/pseries/msi.c | 42 +++++++++++++++++++++++++++++++++--- + 1 file changed, 39 insertions(+), 3 deletions(-) diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c -index 420524e..cd7d23d 100644 +index 420524e..5a75b02 100644 --- a/arch/powerpc/platforms/pseries/msi.c +++ b/arch/powerpc/platforms/pseries/msi.c -@@ -394,6 +394,23 @@ static int check_msix_entries(struct pci_dev *pdev) +@@ -394,6 +394,25 @@ static int check_msix_entries(struct pci_dev *pdev) return 0; } +static void rtas_hack_32bit_msi_gen2(struct pci_dev *pdev) +{ ++ int pos; + u32 addr_hi, addr_lo; + + /* @@ -38,16 +39,17 @@ index 420524e..cd7d23d 100644 + */ + dev_info(&pdev->dev, + "rtas_msi: No 32 bit MSI firmware support, forcing 32 bit MSI\n"); -+ pci_read_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_HI, &addr_hi); ++ pos = pci_find_capability(pdev, PCI_CAP_ID_MSI); ++ pci_read_config_dword(pdev, pos + PCI_MSI_ADDRESS_HI, &addr_hi); + addr_lo = 0xffff0000 | ((addr_hi >> (48 - 32)) << 4); -+ pci_write_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_LO, addr_lo); -+ pci_write_config_dword(pdev, pdev->msi_cap + PCI_MSI_ADDRESS_HI, 0); ++ pci_write_config_dword(pdev, pos + PCI_MSI_ADDRESS_LO, addr_lo); ++ pci_write_config_dword(pdev, pos + PCI_MSI_ADDRESS_HI, 0); +} + static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) { struct pci_dn *pdn; -@@ -401,6 +418,7 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) +@@ -401,6 +420,7 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) struct msi_desc *entry; struct msi_msg msg; int nvec = nvec_in; @@ -55,7 +57,7 @@ index 420524e..cd7d23d 100644 pdn = get_pdn(pdev); if (!pdn) -@@ -428,15 +446,31 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) +@@ -428,15 +448,31 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) */ again: if (type == PCI_CAP_ID_MSI) { From ca4d8d15577f63012f0d561e886cf7ddec760319 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 4 Jun 2013 13:39:30 -0400 Subject: [PATCH 105/468] Add gssproxy backport from J. Bruce Fields --- gssproxy-backport.patch | 2896 +++++++++++++++++++++++++++++++++++++++ kernel.spec | 11 +- 2 files changed, 2905 insertions(+), 2 deletions(-) create mode 100644 gssproxy-backport.patch diff --git a/gssproxy-backport.patch b/gssproxy-backport.patch new file mode 100644 index 000000000..05efe2794 --- /dev/null +++ b/gssproxy-backport.patch @@ -0,0 +1,2896 @@ +From 7e5eee0a24ea886a0b68a8521117c5ef97668443 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Sun, 14 Apr 2013 11:42:00 -0400 +Subject: [PATCH 01/13] SUNRPC: Allow rpc_create() to request that TCP slots be + unlimited + +This is mainly for use by NFSv4.1, where the session negotiation +ultimately wants to decide how many RPC slots we can fill. + +Signed-off-by: Trond Myklebust +--- + include/linux/sunrpc/clnt.h | 1 + + include/linux/sunrpc/xprt.h | 3 +++ + net/sunrpc/clnt.c | 2 ++ + net/sunrpc/xprtsock.c | 6 +++++- + 4 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h +index 2cf4ffa..e7d492c 100644 +--- a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -124,6 +124,7 @@ struct rpc_create_args { + #define RPC_CLNT_CREATE_NOPING (1UL << 4) + #define RPC_CLNT_CREATE_DISCRTRY (1UL << 5) + #define RPC_CLNT_CREATE_QUIET (1UL << 6) ++#define RPC_CLNT_CREATE_INFINITE_SLOTS (1UL << 7) + + struct rpc_clnt *rpc_create(struct rpc_create_args *args); + struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *, +diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h +index 30834be..12afb29 100644 +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -255,6 +255,8 @@ static inline int bc_prealloc(struct rpc_rqst *req) + } + #endif /* CONFIG_SUNRPC_BACKCHANNEL */ + ++#define XPRT_CREATE_INFINITE_SLOTS (1U) ++ + struct xprt_create { + int ident; /* XPRT_TRANSPORT identifier */ + struct net * net; +@@ -263,6 +265,7 @@ struct xprt_create { + size_t addrlen; + const char *servername; + struct svc_xprt *bc_xprt; /* NFSv4.1 backchannel */ ++ unsigned int flags; + }; + + struct xprt_class { +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index d5f35f1..54b69fc 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -411,6 +411,8 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) + }; + char servername[48]; + ++ if (args->flags & RPC_CLNT_CREATE_INFINITE_SLOTS) ++ xprtargs.flags |= XPRT_CREATE_INFINITE_SLOTS; + /* + * If the caller chooses not to specify a hostname, whip + * up a string representation of the passed-in address. +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index 3d02130..b08d314 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2767,9 +2767,13 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args) + struct rpc_xprt *xprt; + struct sock_xprt *transport; + struct rpc_xprt *ret; ++ unsigned int max_slot_table_size = xprt_max_tcp_slot_table_entries; ++ ++ if (args->flags & XPRT_CREATE_INFINITE_SLOTS) ++ max_slot_table_size = RPC_MAX_SLOT_TABLE_LIMIT; + + xprt = xs_setup_xprt(args, xprt_tcp_slot_table_entries, +- xprt_max_tcp_slot_table_entries); ++ max_slot_table_size); + if (IS_ERR(xprt)) + return xprt; + transport = container_of(xprt, struct sock_xprt, xprt); +-- +1.8.1.4 + + +From 932c7301413eb94f7b60efaa1a80cb8cf0264459 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 21 Feb 2013 10:14:22 -0500 +Subject: [PATCH 02/13] SUNRPC: attempt AF_LOCAL connect on setup + +In the gss-proxy case, setup time is when I know I'll have the right +namespace for the connect. + +In other cases, it might be useful to get any connection errors +earlier--though actually in practice it doesn't make any difference for +rpcbind. + +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/xprtsock.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c +index b08d314..867ce36 100644 +--- a/net/sunrpc/xprtsock.c ++++ b/net/sunrpc/xprtsock.c +@@ -2655,6 +2655,9 @@ static struct rpc_xprt *xs_setup_local(struct xprt_create *args) + } + xprt_set_bound(xprt); + xs_format_peer_addresses(xprt, "local", RPCBIND_NETID_LOCAL); ++ ret = ERR_PTR(xs_local_setup_socket(transport)); ++ if (ret) ++ goto out_err; + break; + default: + ret = ERR_PTR(-EAFNOSUPPORT); +-- +1.8.1.4 + + +From 915d3592cc8718cc3e83164bb78c532d3a7d1f00 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Thu, 11 Apr 2013 15:06:36 -0400 +Subject: [PATCH 03/13] SUNRPC: allow disabling idle timeout + +In the gss-proxy case we don't want to have to reconnect at random--we +want to connect only on gss-proxy startup when we can steal gss-proxy's +context to do the connect in the right namespace. + +So, provide a flag that allows the rpc_create caller to turn off the +idle timeout. + +Signed-off-by: J. Bruce Fields +--- + include/linux/sunrpc/clnt.h | 1 + + include/linux/sunrpc/xprt.h | 1 + + net/sunrpc/clnt.c | 2 ++ + net/sunrpc/xprt.c | 2 ++ + 4 files changed, 6 insertions(+) + +diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h +index e7d492c..bfe11be 100644 +--- a/include/linux/sunrpc/clnt.h ++++ b/include/linux/sunrpc/clnt.h +@@ -125,6 +125,7 @@ struct rpc_create_args { + #define RPC_CLNT_CREATE_DISCRTRY (1UL << 5) + #define RPC_CLNT_CREATE_QUIET (1UL << 6) + #define RPC_CLNT_CREATE_INFINITE_SLOTS (1UL << 7) ++#define RPC_CLNT_CREATE_NO_IDLE_TIMEOUT (1UL << 8) + + struct rpc_clnt *rpc_create(struct rpc_create_args *args); + struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *, +diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h +index 12afb29..c8708d8 100644 +--- a/include/linux/sunrpc/xprt.h ++++ b/include/linux/sunrpc/xprt.h +@@ -256,6 +256,7 @@ static inline int bc_prealloc(struct rpc_rqst *req) + #endif /* CONFIG_SUNRPC_BACKCHANNEL */ + + #define XPRT_CREATE_INFINITE_SLOTS (1U) ++#define XPRT_CREATE_NO_IDLE_TIMEOUT (1U << 1) + + struct xprt_create { + int ident; /* XPRT_TRANSPORT identifier */ +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 54b69fc..6d29b53 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -413,6 +413,8 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) + + if (args->flags & RPC_CLNT_CREATE_INFINITE_SLOTS) + xprtargs.flags |= XPRT_CREATE_INFINITE_SLOTS; ++ if (args->flags & RPC_CLNT_CREATE_NO_IDLE_TIMEOUT) ++ xprtargs.flags |= XPRT_CREATE_NO_IDLE_TIMEOUT; + /* + * If the caller chooses not to specify a hostname, whip + * up a string representation of the passed-in address. +diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c +index b7478d5..33fac38 100644 +--- a/net/sunrpc/xprt.c ++++ b/net/sunrpc/xprt.c +@@ -1245,6 +1245,8 @@ found: + -PTR_ERR(xprt)); + goto out; + } ++ if (args->flags & XPRT_CREATE_NO_IDLE_TIMEOUT) ++ xprt->idle_timeout = 0; + INIT_WORK(&xprt->task_cleanup, xprt_autoclose); + if (xprt_has_timer(xprt)) + setup_timer(&xprt->timer, xprt_init_autodisconnect, +-- +1.8.1.4 + + +From faa25a9e80ab40a0e923011771aca6a1ddeea30d Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 25 May 2012 18:09:53 -0400 +Subject: [PATCH 04/13] SUNRPC: conditionally return endtime from + import_sec_context + +We expose this parameter for a future caller. +It will be used to extract the endtime from the gss-proxy upcall mechanism, +in order to set the rsc cache expiration time. + +Signed-off-by: Simo Sorce +Signed-off-by: J. Bruce Fields +--- + include/linux/sunrpc/gss_api.h | 2 ++ + net/sunrpc/auth_gss/auth_gss.c | 2 +- + net/sunrpc/auth_gss/gss_krb5_mech.c | 7 +++++-- + net/sunrpc/auth_gss/gss_mech_switch.c | 5 +++-- + net/sunrpc/auth_gss/svcauth_gss.c | 3 ++- + 5 files changed, 13 insertions(+), 6 deletions(-) + +diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h +index a19e254..04d03bb 100644 +--- a/include/linux/sunrpc/gss_api.h ++++ b/include/linux/sunrpc/gss_api.h +@@ -37,6 +37,7 @@ int gss_import_sec_context( + size_t bufsize, + struct gss_api_mech *mech, + struct gss_ctx **ctx_id, ++ time_t *endtime, + gfp_t gfp_mask); + u32 gss_get_mic( + struct gss_ctx *ctx_id, +@@ -92,6 +93,7 @@ struct gss_api_ops { + const void *input_token, + size_t bufsize, + struct gss_ctx *ctx_id, ++ time_t *endtime, + gfp_t gfp_mask); + u32 (*gss_get_mic)( + struct gss_ctx *ctx_id, +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index 5257d29..23563e7 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -238,7 +238,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct + p = ERR_PTR(-EFAULT); + goto err; + } +- ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, GFP_NOFS); ++ ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS); + if (ret < 0) { + p = ERR_PTR(ret); + goto err; +diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c +index d3611f1..3bc4a23 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_mech.c ++++ b/net/sunrpc/auth_gss/gss_krb5_mech.c +@@ -679,6 +679,7 @@ out_err: + static int + gss_import_sec_context_kerberos(const void *p, size_t len, + struct gss_ctx *ctx_id, ++ time_t *endtime, + gfp_t gfp_mask) + { + const void *end = (const void *)((const char *)p + len); +@@ -694,9 +695,11 @@ gss_import_sec_context_kerberos(const void *p, size_t len, + else + ret = gss_import_v2_context(p, end, ctx, gfp_mask); + +- if (ret == 0) ++ if (ret == 0) { + ctx_id->internal_ctx_id = ctx; +- else ++ if (endtime) ++ *endtime = ctx->endtime; ++ } else + kfree(ctx); + + dprintk("RPC: %s: returning %d\n", __func__, ret); +diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c +index f0f4eee..43fd5bb 100644 +--- a/net/sunrpc/auth_gss/gss_mech_switch.c ++++ b/net/sunrpc/auth_gss/gss_mech_switch.c +@@ -325,14 +325,15 @@ int + gss_import_sec_context(const void *input_token, size_t bufsize, + struct gss_api_mech *mech, + struct gss_ctx **ctx_id, ++ time_t *endtime, + gfp_t gfp_mask) + { + if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask))) + return -ENOMEM; + (*ctx_id)->mech_type = gss_mech_get(mech); + +- return mech->gm_ops +- ->gss_import_sec_context(input_token, bufsize, *ctx_id, gfp_mask); ++ return mech->gm_ops->gss_import_sec_context(input_token, bufsize, ++ *ctx_id, endtime, gfp_mask); + } + + /* gss_get_mic: compute a mic over message and return mic_token. */ +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 5ead605..20eedec 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -497,7 +497,8 @@ static int rsc_parse(struct cache_detail *cd, + len = qword_get(&mesg, buf, mlen); + if (len < 0) + goto out; +- status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, GFP_KERNEL); ++ status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, ++ NULL, GFP_KERNEL); + if (status) + goto out; + +-- +1.8.1.4 + + +From ffc614331a36038700b7bc13bc2da6b8f120b9d6 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 25 May 2012 18:09:55 -0400 +Subject: [PATCH 05/13] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth + +This patch implements a sunrpc client to use the services of the gssproxy +userspace daemon. + +In particular it allows to perform calls in user space using an RPC +call instead of custom hand-coded upcall/downcall messages. + +Currently only accept_sec_context is implemented as that is all is needed for +the server case. + +File server modules like NFS and CIFS can use full gssapi services this way, +once init_sec_context is also implemented. + +For the NFS server case this code allow to lift the limit of max 2k krb5 +tickets. This limit is prevents legitimate kerberos deployments from using krb5 +authentication with the Linux NFS server as they have normally ticket that are +many kilobytes large. + +It will also allow to lift the limitation on the size of the credential set +(uid,gid,gids) passed down from user space for users that have very many groups +associated. Currently the downcall mechanism used by rpc.svcgssd is limited +to around 2k secondary groups of the 65k allowed by kernel structures. + +Signed-off-by: Simo Sorce +[bfields: containerization, concurrent upcalls, misc. fixes and cleanup] +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/Makefile | 3 +- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 355 +++++++++++++++ + net/sunrpc/auth_gss/gss_rpc_upcall.h | 47 ++ + net/sunrpc/auth_gss/gss_rpc_xdr.c | 832 +++++++++++++++++++++++++++++++++++ + net/sunrpc/auth_gss/gss_rpc_xdr.h | 264 +++++++++++ + net/sunrpc/clnt.c | 1 + + net/sunrpc/netns.h | 3 + + 7 files changed, 1504 insertions(+), 1 deletion(-) + create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c + create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h + create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c + create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h + +diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile +index 9e4cb59..14e9e53 100644 +--- a/net/sunrpc/auth_gss/Makefile ++++ b/net/sunrpc/auth_gss/Makefile +@@ -5,7 +5,8 @@ + obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o + + auth_rpcgss-y := auth_gss.o gss_generic_token.o \ +- gss_mech_switch.o svcauth_gss.o ++ gss_mech_switch.o svcauth_gss.o \ ++ gss_rpc_upcall.o gss_rpc_xdr.o + + obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o + +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +new file mode 100644 +index 0000000..2d33ddf +--- /dev/null ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -0,0 +1,355 @@ ++/* ++ * linux/net/sunrpc/gss_rpc_upcall.c ++ * ++ * Copyright (C) 2012 Simo Sorce ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#include ++#include ++ ++#include ++#include "gss_rpc_upcall.h" ++ ++#define GSSPROXY_SOCK_PATHNAME "/var/run/gssproxy.sock" ++ ++#define GSSPROXY_PROGRAM (400112u) ++#define GSSPROXY_VERS_1 (1u) ++ ++/* ++ * Encoding/Decoding functions ++ */ ++ ++enum { ++ GSSX_NULL = 0, /* Unused */ ++ GSSX_INDICATE_MECHS = 1, ++ GSSX_GET_CALL_CONTEXT = 2, ++ GSSX_IMPORT_AND_CANON_NAME = 3, ++ GSSX_EXPORT_CRED = 4, ++ GSSX_IMPORT_CRED = 5, ++ GSSX_ACQUIRE_CRED = 6, ++ GSSX_STORE_CRED = 7, ++ GSSX_INIT_SEC_CONTEXT = 8, ++ GSSX_ACCEPT_SEC_CONTEXT = 9, ++ GSSX_RELEASE_HANDLE = 10, ++ GSSX_GET_MIC = 11, ++ GSSX_VERIFY = 12, ++ GSSX_WRAP = 13, ++ GSSX_UNWRAP = 14, ++ GSSX_WRAP_SIZE_LIMIT = 15, ++}; ++ ++#define PROC(proc, name) \ ++[GSSX_##proc] = { \ ++ .p_proc = GSSX_##proc, \ ++ .p_encode = (kxdreproc_t)gssx_enc_##name, \ ++ .p_decode = (kxdrdproc_t)gssx_dec_##name, \ ++ .p_arglen = GSSX_ARG_##name##_sz, \ ++ .p_replen = GSSX_RES_##name##_sz, \ ++ .p_statidx = GSSX_##proc, \ ++ .p_name = #proc, \ ++} ++ ++struct rpc_procinfo gssp_procedures[] = { ++ PROC(INDICATE_MECHS, indicate_mechs), ++ PROC(GET_CALL_CONTEXT, get_call_context), ++ PROC(IMPORT_AND_CANON_NAME, import_and_canon_name), ++ PROC(EXPORT_CRED, export_cred), ++ PROC(IMPORT_CRED, import_cred), ++ PROC(ACQUIRE_CRED, acquire_cred), ++ PROC(STORE_CRED, store_cred), ++ PROC(INIT_SEC_CONTEXT, init_sec_context), ++ PROC(ACCEPT_SEC_CONTEXT, accept_sec_context), ++ PROC(RELEASE_HANDLE, release_handle), ++ PROC(GET_MIC, get_mic), ++ PROC(VERIFY, verify), ++ PROC(WRAP, wrap), ++ PROC(UNWRAP, unwrap), ++ PROC(WRAP_SIZE_LIMIT, wrap_size_limit), ++}; ++ ++ ++ ++/* ++ * Common transport functions ++ */ ++ ++static const struct rpc_program gssp_program; ++ ++static int gssp_rpc_create(struct net *net, struct rpc_clnt **_clnt) ++{ ++ static const struct sockaddr_un gssp_localaddr = { ++ .sun_family = AF_LOCAL, ++ .sun_path = GSSPROXY_SOCK_PATHNAME, ++ }; ++ struct rpc_create_args args = { ++ .net = net, ++ .protocol = XPRT_TRANSPORT_LOCAL, ++ .address = (struct sockaddr *)&gssp_localaddr, ++ .addrsize = sizeof(gssp_localaddr), ++ .servername = "localhost", ++ .program = &gssp_program, ++ .version = GSSPROXY_VERS_1, ++ .authflavor = RPC_AUTH_NULL, ++ /* ++ * Note we want connection to be done in the caller's ++ * filesystem namespace. We therefore turn off the idle ++ * timeout, which would result in reconnections being ++ * done without the correct namespace: ++ */ ++ .flags = RPC_CLNT_CREATE_NOPING | ++ RPC_CLNT_CREATE_NO_IDLE_TIMEOUT ++ }; ++ struct rpc_clnt *clnt; ++ int result = 0; ++ ++ clnt = rpc_create(&args); ++ if (IS_ERR(clnt)) { ++ dprintk("RPC: failed to create AF_LOCAL gssproxy " ++ "client (errno %ld).\n", PTR_ERR(clnt)); ++ result = -PTR_ERR(clnt); ++ *_clnt = NULL; ++ goto out; ++ } ++ ++ dprintk("RPC: created new gssp local client (gssp_local_clnt: " ++ "%p)\n", clnt); ++ *_clnt = clnt; ++ ++out: ++ return result; ++} ++ ++void init_gssp_clnt(struct sunrpc_net *sn) ++{ ++ mutex_init(&sn->gssp_lock); ++ sn->gssp_clnt = NULL; ++} ++ ++int set_gssp_clnt(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct rpc_clnt *clnt; ++ int ret; ++ ++ mutex_lock(&sn->gssp_lock); ++ ret = gssp_rpc_create(net, &clnt); ++ if (!ret) { ++ if (sn->gssp_clnt) ++ rpc_shutdown_client(sn->gssp_clnt); ++ sn->gssp_clnt = clnt; ++ } ++ mutex_unlock(&sn->gssp_lock); ++ return ret; ++} ++ ++void clear_gssp_clnt(struct sunrpc_net *sn) ++{ ++ mutex_lock(&sn->gssp_lock); ++ if (sn->gssp_clnt) { ++ rpc_shutdown_client(sn->gssp_clnt); ++ sn->gssp_clnt = NULL; ++ } ++ mutex_unlock(&sn->gssp_lock); ++} ++ ++static struct rpc_clnt *get_gssp_clnt(struct sunrpc_net *sn) ++{ ++ struct rpc_clnt *clnt; ++ ++ mutex_lock(&sn->gssp_lock); ++ clnt = sn->gssp_clnt; ++ if (clnt) ++ atomic_inc(&clnt->cl_count); ++ mutex_unlock(&sn->gssp_lock); ++ return clnt; ++} ++ ++static int gssp_call(struct net *net, struct rpc_message *msg) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct rpc_clnt *clnt; ++ int status; ++ ++ clnt = get_gssp_clnt(sn); ++ if (!clnt) ++ return -EIO; ++ status = rpc_call_sync(clnt, msg, 0); ++ if (status < 0) { ++ dprintk("gssp: rpc_call returned error %d\n", -status); ++ switch (status) { ++ case -EPROTONOSUPPORT: ++ status = -EINVAL; ++ break; ++ case -ECONNREFUSED: ++ case -ETIMEDOUT: ++ case -ENOTCONN: ++ status = -EAGAIN; ++ break; ++ case -ERESTARTSYS: ++ if (signalled ()) ++ status = -EINTR; ++ break; ++ default: ++ break; ++ } ++ } ++ rpc_release_client(clnt); ++ return status; ++} ++ ++ ++/* ++ * Public functions ++ */ ++ ++/* numbers somewhat arbitrary but large enough for current needs */ ++#define GSSX_MAX_OUT_HANDLE 128 ++#define GSSX_MAX_MECH_OID 16 ++#define GSSX_MAX_SRC_PRINC 256 ++#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \ ++ GSSX_max_oid_sz + \ ++ GSSX_max_princ_sz + \ ++ sizeof(struct svc_cred)) ++ ++int gssp_accept_sec_context_upcall(struct net *net, ++ struct gssp_upcall_data *data) ++{ ++ struct gssx_ctx ctxh = { ++ .state = data->in_handle ++ }; ++ struct gssx_arg_accept_sec_context arg = { ++ .input_token = data->in_token, ++ }; ++ struct gssx_ctx rctxh = { ++ /* ++ * pass in the max length we expect for each of these ++ * buffers but let the xdr code kmalloc them: ++ */ ++ .exported_context_token.len = GSSX_max_output_handle_sz, ++ .mech.len = GSSX_max_oid_sz, ++ .src_name.display_name.len = GSSX_max_princ_sz ++ }; ++ struct gssx_res_accept_sec_context res = { ++ .context_handle = &rctxh, ++ .output_token = &data->out_token ++ }; ++ struct rpc_message msg = { ++ .rpc_proc = &gssp_procedures[GSSX_ACCEPT_SEC_CONTEXT], ++ .rpc_argp = &arg, ++ .rpc_resp = &res, ++ .rpc_cred = NULL, /* FIXME ? */ ++ }; ++ struct xdr_netobj client_name = { 0 , NULL }; ++ int ret; ++ ++ if (data->in_handle.len != 0) ++ arg.context_handle = &ctxh; ++ res.output_token->len = GSSX_max_output_token_sz; ++ ++ /* use nfs/ for targ_name ? */ ++ ++ ret = gssp_call(net, &msg); ++ ++ /* we need to fetch all data even in case of error so ++ * that we can free special strctures is they have been allocated */ ++ data->major_status = res.status.major_status; ++ data->minor_status = res.status.minor_status; ++ if (res.context_handle) { ++ data->out_handle = rctxh.exported_context_token; ++ data->mech_oid = rctxh.mech; ++ client_name = rctxh.src_name.display_name; ++ } ++ ++ if (res.options.count == 1) { ++ gssx_buffer *value = &res.options.data[0].value; ++ /* Currently we only decode CREDS_VALUE, if we add ++ * anything else we'll have to loop and match on the ++ * option name */ ++ if (value->len == 1) { ++ /* steal group info from struct svc_cred */ ++ data->creds = *(struct svc_cred *)value->data; ++ data->found_creds = 1; ++ } ++ /* whether we use it or not, free data */ ++ kfree(value->data); ++ } ++ ++ if (res.options.count != 0) { ++ kfree(res.options.data); ++ } ++ ++ /* convert to GSS_NT_HOSTBASED_SERVICE form and set into creds */ ++ if (data->found_creds && client_name.data != NULL) { ++ char *c; ++ ++ data->creds.cr_principal = kstrndup(client_name.data, ++ client_name.len, GFP_KERNEL); ++ if (data->creds.cr_principal) { ++ /* terminate and remove realm part */ ++ c = strchr(data->creds.cr_principal, '@'); ++ if (c) { ++ *c = '\0'; ++ ++ /* change service-hostname delimiter */ ++ c = strchr(data->creds.cr_principal, '/'); ++ if (c) *c = '@'; ++ } ++ if (!c) { ++ /* not a service principal */ ++ kfree(data->creds.cr_principal); ++ data->creds.cr_principal = NULL; ++ } ++ } ++ } ++ kfree(client_name.data); ++ ++ return ret; ++} ++ ++void gssp_free_upcall_data(struct gssp_upcall_data *data) ++{ ++ kfree(data->in_handle.data); ++ kfree(data->out_handle.data); ++ kfree(data->out_token.data); ++ kfree(data->mech_oid.data); ++ free_svc_cred(&data->creds); ++} ++ ++/* ++ * Initialization stuff ++ */ ++ ++static const struct rpc_version gssp_version1 = { ++ .number = GSSPROXY_VERS_1, ++ .nrprocs = ARRAY_SIZE(gssp_procedures), ++ .procs = gssp_procedures, ++}; ++ ++static const struct rpc_version *gssp_version[] = { ++ NULL, ++ &gssp_version1, ++}; ++ ++static struct rpc_stat gssp_stats; ++ ++static const struct rpc_program gssp_program = { ++ .name = "gssproxy", ++ .number = GSSPROXY_PROGRAM, ++ .nrvers = ARRAY_SIZE(gssp_version), ++ .version = gssp_version, ++ .stats = &gssp_stats, ++}; +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h +new file mode 100644 +index 0000000..4c2caaa +--- /dev/null ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h +@@ -0,0 +1,47 @@ ++/* ++ * linux/net/sunrpc/gss_rpc_upcall.h ++ * ++ * Copyright (C) 2012 Simo Sorce ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#ifndef _GSS_RPC_UPCALL_H ++#define _GSS_RPC_UPCALL_H ++ ++#include ++#include "gss_rpc_xdr.h" ++#include "../netns.h" ++ ++struct gssp_upcall_data { ++ struct xdr_netobj in_handle; ++ struct gssp_in_token in_token; ++ struct xdr_netobj out_handle; ++ struct xdr_netobj out_token; ++ struct xdr_netobj mech_oid; ++ struct svc_cred creds; ++ int found_creds; ++ int major_status; ++ int minor_status; ++}; ++ ++int gssp_accept_sec_context_upcall(struct net *net, ++ struct gssp_upcall_data *data); ++void gssp_free_upcall_data(struct gssp_upcall_data *data); ++ ++void init_gssp_clnt(struct sunrpc_net *); ++int set_gssp_clnt(struct net *); ++void clear_gssp_clnt(struct sunrpc_net *); ++#endif /* _GSS_RPC_UPCALL_H */ +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +new file mode 100644 +index 0000000..d0ccdff +--- /dev/null ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -0,0 +1,832 @@ ++/* ++ * GSS Proxy upcall module ++ * ++ * Copyright (C) 2012 Simo Sorce ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#include ++#include "gss_rpc_xdr.h" ++ ++static bool gssx_check_pointer(struct xdr_stream *xdr) ++{ ++ __be32 *p; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ return *p?true:false; ++} ++ ++static int gssx_enc_bool(struct xdr_stream *xdr, int v) ++{ ++ __be32 *p; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ *p = v ? xdr_one : xdr_zero; ++ return 0; ++} ++ ++static int gssx_dec_bool(struct xdr_stream *xdr, u32 *v) ++{ ++ __be32 *p; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ *v = be32_to_cpu(*p); ++ return 0; ++} ++ ++static int gssx_enc_buffer(struct xdr_stream *xdr, ++ gssx_buffer *buf) ++{ ++ __be32 *p; ++ ++ p = xdr_reserve_space(xdr, sizeof(u32) + buf->len); ++ if (!p) ++ return -ENOSPC; ++ xdr_encode_opaque(p, buf->data, buf->len); ++ return 0; ++} ++ ++static int gssx_enc_in_token(struct xdr_stream *xdr, ++ struct gssp_in_token *in) ++{ ++ __be32 *p; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (!p) ++ return -ENOSPC; ++ *p = cpu_to_be32(in->page_len); ++ ++ /* all we need to do is to write pages */ ++ xdr_write_pages(xdr, in->pages, in->page_base, in->page_len); ++ ++ return 0; ++} ++ ++ ++static int gssx_dec_buffer(struct xdr_stream *xdr, ++ gssx_buffer *buf) ++{ ++ u32 length; ++ __be32 *p; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ length = be32_to_cpup(p); ++ p = xdr_inline_decode(xdr, length); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ if (buf->len == 0) { ++ /* we intentionally are not interested in this buffer */ ++ return 0; ++ } ++ if (length > buf->len) ++ return -ENOSPC; ++ ++ if (!buf->data) { ++ buf->data = kmemdup(p, length, GFP_KERNEL); ++ if (!buf->data) ++ return -ENOMEM; ++ } else { ++ memcpy(buf->data, p, length); ++ } ++ buf->len = length; ++ return 0; ++} ++ ++static int gssx_enc_option(struct xdr_stream *xdr, ++ struct gssx_option *opt) ++{ ++ int err; ++ ++ err = gssx_enc_buffer(xdr, &opt->option); ++ if (err) ++ return err; ++ err = gssx_enc_buffer(xdr, &opt->value); ++ return err; ++} ++ ++static int gssx_dec_option(struct xdr_stream *xdr, ++ struct gssx_option *opt) ++{ ++ int err; ++ ++ err = gssx_dec_buffer(xdr, &opt->option); ++ if (err) ++ return err; ++ err = gssx_dec_buffer(xdr, &opt->value); ++ return err; ++} ++ ++static int dummy_enc_opt_array(struct xdr_stream *xdr, ++ struct gssx_option_array *oa) ++{ ++ __be32 *p; ++ ++ if (oa->count != 0) ++ return -EINVAL; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (!p) ++ return -ENOSPC; ++ *p = 0; ++ ++ return 0; ++} ++ ++static int dummy_dec_opt_array(struct xdr_stream *xdr, ++ struct gssx_option_array *oa) ++{ ++ struct gssx_option dummy; ++ u32 count, i; ++ __be32 *p; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ count = be32_to_cpup(p++); ++ memset(&dummy, 0, sizeof(dummy)); ++ for (i = 0; i < count; i++) { ++ gssx_dec_option(xdr, &dummy); ++ } ++ ++ oa->count = 0; ++ oa->data = NULL; ++ return 0; ++} ++ ++static int get_s32(void **p, void *max, s32 *res) ++{ ++ void *base = *p; ++ void *next = (void *)((char *)base + sizeof(s32)); ++ if (unlikely(next > max || next < base)) ++ return -EINVAL; ++ memcpy(res, base, sizeof(s32)); ++ *p = next; ++ return 0; ++} ++ ++static int gssx_dec_linux_creds(struct xdr_stream *xdr, ++ struct svc_cred *creds) ++{ ++ u32 length; ++ __be32 *p; ++ void *q, *end; ++ s32 tmp; ++ int N, i, err; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ length = be32_to_cpup(p); ++ ++ /* FIXME: we do not want to use the scratch buffer for this one ++ * may need to use functions that allows us to access an io vector ++ * directly */ ++ p = xdr_inline_decode(xdr, length); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ q = p; ++ end = q + length; ++ ++ /* uid */ ++ err = get_s32(&q, end, &tmp); ++ if (err) ++ return err; ++ creds->cr_uid = tmp; ++ ++ /* gid */ ++ err = get_s32(&q, end, &tmp); ++ if (err) ++ return err; ++ creds->cr_gid = tmp; ++ ++ /* number of additional gid's */ ++ err = get_s32(&q, end, &tmp); ++ if (err) ++ return err; ++ N = tmp; ++ creds->cr_group_info = groups_alloc(N); ++ if (creds->cr_group_info == NULL) ++ return -ENOMEM; ++ ++ /* gid's */ ++ for (i = 0; i < N; i++) { ++ err = get_s32(&q, end, &tmp); ++ if (err) { ++ groups_free(creds->cr_group_info); ++ return err; ++ } ++ GROUP_AT(creds->cr_group_info, i) = tmp; ++ } ++ ++ return 0; ++} ++ ++static int gssx_dec_option_array(struct xdr_stream *xdr, ++ struct gssx_option_array *oa) ++{ ++ struct svc_cred *creds; ++ u32 count, i; ++ __be32 *p; ++ int err; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ count = be32_to_cpup(p++); ++ if (count != 0) { ++ /* we recognize only 1 currently: CREDS_VALUE */ ++ oa->count = 1; ++ ++ oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); ++ if (!oa->data) ++ return -ENOMEM; ++ ++ creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); ++ if (!creds) { ++ kfree(oa->data); ++ return -ENOMEM; ++ } ++ ++ oa->data[0].option.data = CREDS_VALUE; ++ oa->data[0].option.len = sizeof(CREDS_VALUE); ++ oa->data[0].value.data = (void *)creds; ++ oa->data[0].value.len = 0; ++ } ++ for (i = 0; i < count; i++) { ++ gssx_buffer dummy = { 0, NULL }; ++ u32 length; ++ ++ /* option buffer */ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ length = be32_to_cpup(p); ++ p = xdr_inline_decode(xdr, length); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ ++ if (length == sizeof(CREDS_VALUE) && ++ memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) { ++ /* We have creds here. parse them */ ++ err = gssx_dec_linux_creds(xdr, creds); ++ if (err) ++ return err; ++ oa->data[0].value.len = 1; /* presence */ ++ } else { ++ /* consume uninteresting buffer */ ++ err = gssx_dec_buffer(xdr, &dummy); ++ if (err) ++ return err; ++ } ++ } ++ return 0; ++} ++ ++static int gssx_dec_status(struct xdr_stream *xdr, ++ struct gssx_status *status) ++{ ++ __be32 *p; ++ int err; ++ ++ /* status->major_status */ ++ p = xdr_inline_decode(xdr, 8); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ p = xdr_decode_hyper(p, &status->major_status); ++ ++ /* status->mech */ ++ err = gssx_dec_buffer(xdr, &status->mech); ++ if (err) ++ return err; ++ ++ /* status->minor_status */ ++ p = xdr_inline_decode(xdr, 8); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ p = xdr_decode_hyper(p, &status->minor_status); ++ ++ /* status->major_status_string */ ++ err = gssx_dec_buffer(xdr, &status->major_status_string); ++ if (err) ++ return err; ++ ++ /* status->minor_status_string */ ++ err = gssx_dec_buffer(xdr, &status->minor_status_string); ++ if (err) ++ return err; ++ ++ /* status->server_ctx */ ++ err = gssx_dec_buffer(xdr, &status->server_ctx); ++ if (err) ++ return err; ++ ++ /* we assume we have no options for now, so simply consume them */ ++ /* status->options */ ++ err = dummy_dec_opt_array(xdr, &status->options); ++ ++ return err; ++} ++ ++static int gssx_enc_call_ctx(struct xdr_stream *xdr, ++ struct gssx_call_ctx *ctx) ++{ ++ struct gssx_option opt; ++ __be32 *p; ++ int err; ++ ++ /* ctx->locale */ ++ err = gssx_enc_buffer(xdr, &ctx->locale); ++ if (err) ++ return err; ++ ++ /* ctx->server_ctx */ ++ err = gssx_enc_buffer(xdr, &ctx->server_ctx); ++ if (err) ++ return err; ++ ++ /* we always want to ask for lucid contexts */ ++ /* ctx->options */ ++ p = xdr_reserve_space(xdr, 4); ++ *p = cpu_to_be32(2); ++ ++ /* we want a lucid_v1 context */ ++ opt.option.data = LUCID_OPTION; ++ opt.option.len = sizeof(LUCID_OPTION); ++ opt.value.data = LUCID_VALUE; ++ opt.value.len = sizeof(LUCID_VALUE); ++ err = gssx_enc_option(xdr, &opt); ++ ++ /* ..and user creds */ ++ opt.option.data = CREDS_OPTION; ++ opt.option.len = sizeof(CREDS_OPTION); ++ opt.value.data = CREDS_VALUE; ++ opt.value.len = sizeof(CREDS_VALUE); ++ err = gssx_enc_option(xdr, &opt); ++ ++ return err; ++} ++ ++static int gssx_dec_name_attr(struct xdr_stream *xdr, ++ struct gssx_name_attr *attr) ++{ ++ int err; ++ ++ /* attr->attr */ ++ err = gssx_dec_buffer(xdr, &attr->attr); ++ if (err) ++ return err; ++ ++ /* attr->value */ ++ err = gssx_dec_buffer(xdr, &attr->value); ++ if (err) ++ return err; ++ ++ /* attr->extensions */ ++ err = dummy_dec_opt_array(xdr, &attr->extensions); ++ ++ return err; ++} ++ ++static int dummy_enc_nameattr_array(struct xdr_stream *xdr, ++ struct gssx_name_attr_array *naa) ++{ ++ __be32 *p; ++ ++ if (naa->count != 0) ++ return -EINVAL; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (!p) ++ return -ENOSPC; ++ *p = 0; ++ ++ return 0; ++} ++ ++static int dummy_dec_nameattr_array(struct xdr_stream *xdr, ++ struct gssx_name_attr_array *naa) ++{ ++ struct gssx_name_attr dummy; ++ u32 count, i; ++ __be32 *p; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ count = be32_to_cpup(p++); ++ for (i = 0; i < count; i++) { ++ gssx_dec_name_attr(xdr, &dummy); ++ } ++ ++ naa->count = 0; ++ naa->data = NULL; ++ return 0; ++} ++ ++static struct xdr_netobj zero_netobj = {}; ++ ++static struct gssx_name_attr_array zero_name_attr_array = {}; ++ ++static struct gssx_option_array zero_option_array = {}; ++ ++static int gssx_enc_name(struct xdr_stream *xdr, ++ struct gssx_name *name) ++{ ++ int err; ++ ++ /* name->display_name */ ++ err = gssx_enc_buffer(xdr, &name->display_name); ++ if (err) ++ return err; ++ ++ /* name->name_type */ ++ err = gssx_enc_buffer(xdr, &zero_netobj); ++ if (err) ++ return err; ++ ++ /* name->exported_name */ ++ err = gssx_enc_buffer(xdr, &zero_netobj); ++ if (err) ++ return err; ++ ++ /* name->exported_composite_name */ ++ err = gssx_enc_buffer(xdr, &zero_netobj); ++ if (err) ++ return err; ++ ++ /* leave name_attributes empty for now, will add once we have any ++ * to pass up at all */ ++ /* name->name_attributes */ ++ err = dummy_enc_nameattr_array(xdr, &zero_name_attr_array); ++ if (err) ++ return err; ++ ++ /* leave options empty for now, will add once we have any options ++ * to pass up at all */ ++ /* name->extensions */ ++ err = dummy_enc_opt_array(xdr, &zero_option_array); ++ ++ return err; ++} ++ ++static int gssx_dec_name(struct xdr_stream *xdr, ++ struct gssx_name *name) ++{ ++ struct xdr_netobj dummy_netobj; ++ struct gssx_name_attr_array dummy_name_attr_array; ++ struct gssx_option_array dummy_option_array; ++ int err; ++ ++ /* name->display_name */ ++ err = gssx_dec_buffer(xdr, &name->display_name); ++ if (err) ++ return err; ++ ++ /* name->name_type */ ++ err = gssx_dec_buffer(xdr, &dummy_netobj); ++ if (err) ++ return err; ++ ++ /* name->exported_name */ ++ err = gssx_dec_buffer(xdr, &dummy_netobj); ++ if (err) ++ return err; ++ ++ /* name->exported_composite_name */ ++ err = gssx_dec_buffer(xdr, &dummy_netobj); ++ if (err) ++ return err; ++ ++ /* we assume we have no attributes for now, so simply consume them */ ++ /* name->name_attributes */ ++ err = dummy_dec_nameattr_array(xdr, &dummy_name_attr_array); ++ if (err) ++ return err; ++ ++ /* we assume we have no options for now, so simply consume them */ ++ /* name->extensions */ ++ err = dummy_dec_opt_array(xdr, &dummy_option_array); ++ ++ return err; ++} ++ ++static int dummy_enc_credel_array(struct xdr_stream *xdr, ++ struct gssx_cred_element_array *cea) ++{ ++ __be32 *p; ++ ++ if (cea->count != 0) ++ return -EINVAL; ++ ++ p = xdr_reserve_space(xdr, 4); ++ if (!p) ++ return -ENOSPC; ++ *p = 0; ++ ++ return 0; ++} ++ ++static int gssx_enc_cred(struct xdr_stream *xdr, ++ struct gssx_cred *cred) ++{ ++ int err; ++ ++ /* cred->desired_name */ ++ err = gssx_enc_name(xdr, &cred->desired_name); ++ if (err) ++ return err; ++ ++ /* cred->elements */ ++ err = dummy_enc_credel_array(xdr, &cred->elements); ++ ++ /* cred->cred_handle_reference */ ++ err = gssx_enc_buffer(xdr, &cred->cred_handle_reference); ++ if (err) ++ return err; ++ ++ /* cred->needs_release */ ++ err = gssx_enc_bool(xdr, cred->needs_release); ++ ++ return err; ++} ++ ++static int gssx_enc_ctx(struct xdr_stream *xdr, ++ struct gssx_ctx *ctx) ++{ ++ __be32 *p; ++ int err; ++ ++ /* ctx->exported_context_token */ ++ err = gssx_enc_buffer(xdr, &ctx->exported_context_token); ++ if (err) ++ return err; ++ ++ /* ctx->state */ ++ err = gssx_enc_buffer(xdr, &ctx->state); ++ if (err) ++ return err; ++ ++ /* ctx->need_release */ ++ err = gssx_enc_bool(xdr, ctx->need_release); ++ if (err) ++ return err; ++ ++ /* ctx->mech */ ++ err = gssx_enc_buffer(xdr, &ctx->mech); ++ if (err) ++ return err; ++ ++ /* ctx->src_name */ ++ err = gssx_enc_name(xdr, &ctx->src_name); ++ if (err) ++ return err; ++ ++ /* ctx->targ_name */ ++ err = gssx_enc_name(xdr, &ctx->targ_name); ++ if (err) ++ return err; ++ ++ /* ctx->lifetime */ ++ p = xdr_reserve_space(xdr, 8+8); ++ if (!p) ++ return -ENOSPC; ++ p = xdr_encode_hyper(p, ctx->lifetime); ++ ++ /* ctx->ctx_flags */ ++ p = xdr_encode_hyper(p, ctx->ctx_flags); ++ ++ /* ctx->locally_initiated */ ++ err = gssx_enc_bool(xdr, ctx->locally_initiated); ++ if (err) ++ return err; ++ ++ /* ctx->open */ ++ err = gssx_enc_bool(xdr, ctx->open); ++ if (err) ++ return err; ++ ++ /* leave options empty for now, will add once we have any options ++ * to pass up at all */ ++ /* ctx->options */ ++ err = dummy_enc_opt_array(xdr, &ctx->options); ++ ++ return err; ++} ++ ++static int gssx_dec_ctx(struct xdr_stream *xdr, ++ struct gssx_ctx *ctx) ++{ ++ __be32 *p; ++ int err; ++ ++ /* ctx->exported_context_token */ ++ err = gssx_dec_buffer(xdr, &ctx->exported_context_token); ++ if (err) ++ return err; ++ ++ /* ctx->state */ ++ err = gssx_dec_buffer(xdr, &ctx->state); ++ if (err) ++ return err; ++ ++ /* ctx->need_release */ ++ err = gssx_dec_bool(xdr, &ctx->need_release); ++ if (err) ++ return err; ++ ++ /* ctx->mech */ ++ err = gssx_dec_buffer(xdr, &ctx->mech); ++ if (err) ++ return err; ++ ++ /* ctx->src_name */ ++ err = gssx_dec_name(xdr, &ctx->src_name); ++ if (err) ++ return err; ++ ++ /* ctx->targ_name */ ++ err = gssx_dec_name(xdr, &ctx->targ_name); ++ if (err) ++ return err; ++ ++ /* ctx->lifetime */ ++ p = xdr_inline_decode(xdr, 8+8); ++ if (unlikely(p == NULL)) ++ return -ENOSPC; ++ p = xdr_decode_hyper(p, &ctx->lifetime); ++ ++ /* ctx->ctx_flags */ ++ p = xdr_decode_hyper(p, &ctx->ctx_flags); ++ ++ /* ctx->locally_initiated */ ++ err = gssx_dec_bool(xdr, &ctx->locally_initiated); ++ if (err) ++ return err; ++ ++ /* ctx->open */ ++ err = gssx_dec_bool(xdr, &ctx->open); ++ if (err) ++ return err; ++ ++ /* we assume we have no options for now, so simply consume them */ ++ /* ctx->options */ ++ err = dummy_dec_opt_array(xdr, &ctx->options); ++ ++ return err; ++} ++ ++static int gssx_enc_cb(struct xdr_stream *xdr, struct gssx_cb *cb) ++{ ++ __be32 *p; ++ int err; ++ ++ /* cb->initiator_addrtype */ ++ p = xdr_reserve_space(xdr, 8); ++ if (!p) ++ return -ENOSPC; ++ p = xdr_encode_hyper(p, cb->initiator_addrtype); ++ ++ /* cb->initiator_address */ ++ err = gssx_enc_buffer(xdr, &cb->initiator_address); ++ if (err) ++ return err; ++ ++ /* cb->acceptor_addrtype */ ++ p = xdr_reserve_space(xdr, 8); ++ if (!p) ++ return -ENOSPC; ++ p = xdr_encode_hyper(p, cb->acceptor_addrtype); ++ ++ /* cb->acceptor_address */ ++ err = gssx_enc_buffer(xdr, &cb->acceptor_address); ++ if (err) ++ return err; ++ ++ /* cb->application_data */ ++ err = gssx_enc_buffer(xdr, &cb->application_data); ++ ++ return err; ++} ++ ++void gssx_enc_accept_sec_context(struct rpc_rqst *req, ++ struct xdr_stream *xdr, ++ struct gssx_arg_accept_sec_context *arg) ++{ ++ int err; ++ ++ err = gssx_enc_call_ctx(xdr, &arg->call_ctx); ++ if (err) ++ goto done; ++ ++ /* arg->context_handle */ ++ if (arg->context_handle) { ++ err = gssx_enc_ctx(xdr, arg->context_handle); ++ if (err) ++ goto done; ++ } else { ++ err = gssx_enc_bool(xdr, 0); ++ } ++ ++ /* arg->cred_handle */ ++ if (arg->cred_handle) { ++ err = gssx_enc_cred(xdr, arg->cred_handle); ++ if (err) ++ goto done; ++ } else { ++ err = gssx_enc_bool(xdr, 0); ++ } ++ ++ /* arg->input_token */ ++ err = gssx_enc_in_token(xdr, &arg->input_token); ++ if (err) ++ goto done; ++ ++ /* arg->input_cb */ ++ if (arg->input_cb) { ++ err = gssx_enc_cb(xdr, arg->input_cb); ++ if (err) ++ goto done; ++ } else { ++ err = gssx_enc_bool(xdr, 0); ++ } ++ ++ err = gssx_enc_bool(xdr, arg->ret_deleg_cred); ++ if (err) ++ goto done; ++ ++ /* leave options empty for now, will add once we have any options ++ * to pass up at all */ ++ /* arg->options */ ++ err = dummy_enc_opt_array(xdr, &arg->options); ++ ++done: ++ if (err) ++ dprintk("RPC: gssx_enc_accept_sec_context: %d\n", err); ++} ++ ++int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, ++ struct xdr_stream *xdr, ++ struct gssx_res_accept_sec_context *res) ++{ ++ int err; ++ ++ /* res->status */ ++ err = gssx_dec_status(xdr, &res->status); ++ if (err) ++ return err; ++ ++ /* res->context_handle */ ++ if (gssx_check_pointer(xdr)) { ++ err = gssx_dec_ctx(xdr, res->context_handle); ++ if (err) ++ return err; ++ } else { ++ res->context_handle = NULL; ++ } ++ ++ /* res->output_token */ ++ if (gssx_check_pointer(xdr)) { ++ err = gssx_dec_buffer(xdr, res->output_token); ++ if (err) ++ return err; ++ } else { ++ res->output_token = NULL; ++ } ++ ++ /* res->delegated_cred_handle */ ++ if (gssx_check_pointer(xdr)) { ++ /* we do not support upcall servers sending this data. */ ++ return -EINVAL; ++ } ++ ++ /* res->options */ ++ err = gssx_dec_option_array(xdr, &res->options); ++ ++ return err; ++} +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h +new file mode 100644 +index 0000000..1c98b27 +--- /dev/null ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h +@@ -0,0 +1,264 @@ ++/* ++ * GSS Proxy upcall module ++ * ++ * Copyright (C) 2012 Simo Sorce ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ * ++ * This program is distributed in the hope that it will be useful, ++ * but WITHOUT ANY WARRANTY; without even the implied warranty of ++ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the ++ * GNU General Public License for more details. ++ * ++ * You should have received a copy of the GNU General Public License ++ * along with this program; if not, write to the Free Software ++ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. ++ */ ++ ++#ifndef _LINUX_GSS_RPC_XDR_H ++#define _LINUX_GSS_RPC_XDR_H ++ ++#include ++#include ++#include ++ ++#ifdef RPC_DEBUG ++# define RPCDBG_FACILITY RPCDBG_AUTH ++#endif ++ ++#define LUCID_OPTION "exported_context_type" ++#define LUCID_VALUE "linux_lucid_v1" ++#define CREDS_OPTION "exported_creds_type" ++#define CREDS_VALUE "linux_creds_v1" ++ ++typedef struct xdr_netobj gssx_buffer; ++typedef struct xdr_netobj utf8string; ++typedef struct xdr_netobj gssx_OID; ++ ++enum gssx_cred_usage { ++ GSSX_C_INITIATE = 1, ++ GSSX_C_ACCEPT = 2, ++ GSSX_C_BOTH = 3, ++}; ++ ++struct gssx_option { ++ gssx_buffer option; ++ gssx_buffer value; ++}; ++ ++struct gssx_option_array { ++ u32 count; ++ struct gssx_option *data; ++}; ++ ++struct gssx_status { ++ u64 major_status; ++ gssx_OID mech; ++ u64 minor_status; ++ utf8string major_status_string; ++ utf8string minor_status_string; ++ gssx_buffer server_ctx; ++ struct gssx_option_array options; ++}; ++ ++struct gssx_call_ctx { ++ utf8string locale; ++ gssx_buffer server_ctx; ++ struct gssx_option_array options; ++}; ++ ++struct gssx_name_attr { ++ gssx_buffer attr; ++ gssx_buffer value; ++ struct gssx_option_array extensions; ++}; ++ ++struct gssx_name_attr_array { ++ u32 count; ++ struct gssx_name_attr *data; ++}; ++ ++struct gssx_name { ++ gssx_buffer display_name; ++}; ++typedef struct gssx_name gssx_name; ++ ++struct gssx_cred_element { ++ gssx_name MN; ++ gssx_OID mech; ++ u32 cred_usage; ++ u64 initiator_time_rec; ++ u64 acceptor_time_rec; ++ struct gssx_option_array options; ++}; ++ ++struct gssx_cred_element_array { ++ u32 count; ++ struct gssx_cred_element *data; ++}; ++ ++struct gssx_cred { ++ gssx_name desired_name; ++ struct gssx_cred_element_array elements; ++ gssx_buffer cred_handle_reference; ++ u32 needs_release; ++}; ++ ++struct gssx_ctx { ++ gssx_buffer exported_context_token; ++ gssx_buffer state; ++ u32 need_release; ++ gssx_OID mech; ++ gssx_name src_name; ++ gssx_name targ_name; ++ u64 lifetime; ++ u64 ctx_flags; ++ u32 locally_initiated; ++ u32 open; ++ struct gssx_option_array options; ++}; ++ ++struct gssx_cb { ++ u64 initiator_addrtype; ++ gssx_buffer initiator_address; ++ u64 acceptor_addrtype; ++ gssx_buffer acceptor_address; ++ gssx_buffer application_data; ++}; ++ ++ ++/* This structure is not defined in the protocol. ++ * It is used in the kernel to carry around a big buffer ++ * as a set of pages */ ++struct gssp_in_token { ++ struct page **pages; /* Array of contiguous pages */ ++ unsigned int page_base; /* Start of page data */ ++ unsigned int page_len; /* Length of page data */ ++}; ++ ++struct gssx_arg_accept_sec_context { ++ struct gssx_call_ctx call_ctx; ++ struct gssx_ctx *context_handle; ++ struct gssx_cred *cred_handle; ++ struct gssp_in_token input_token; ++ struct gssx_cb *input_cb; ++ u32 ret_deleg_cred; ++ struct gssx_option_array options; ++}; ++ ++struct gssx_res_accept_sec_context { ++ struct gssx_status status; ++ struct gssx_ctx *context_handle; ++ gssx_buffer *output_token; ++ /* struct gssx_cred *delegated_cred_handle; not used in kernel */ ++ struct gssx_option_array options; ++}; ++ ++ ++ ++#define gssx_enc_indicate_mechs NULL ++#define gssx_dec_indicate_mechs NULL ++#define gssx_enc_get_call_context NULL ++#define gssx_dec_get_call_context NULL ++#define gssx_enc_import_and_canon_name NULL ++#define gssx_dec_import_and_canon_name NULL ++#define gssx_enc_export_cred NULL ++#define gssx_dec_export_cred NULL ++#define gssx_enc_import_cred NULL ++#define gssx_dec_import_cred NULL ++#define gssx_enc_acquire_cred NULL ++#define gssx_dec_acquire_cred NULL ++#define gssx_enc_store_cred NULL ++#define gssx_dec_store_cred NULL ++#define gssx_enc_init_sec_context NULL ++#define gssx_dec_init_sec_context NULL ++void gssx_enc_accept_sec_context(struct rpc_rqst *req, ++ struct xdr_stream *xdr, ++ struct gssx_arg_accept_sec_context *args); ++int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, ++ struct xdr_stream *xdr, ++ struct gssx_res_accept_sec_context *res); ++#define gssx_enc_release_handle NULL ++#define gssx_dec_release_handle NULL ++#define gssx_enc_get_mic NULL ++#define gssx_dec_get_mic NULL ++#define gssx_enc_verify NULL ++#define gssx_dec_verify NULL ++#define gssx_enc_wrap NULL ++#define gssx_dec_wrap NULL ++#define gssx_enc_unwrap NULL ++#define gssx_dec_unwrap NULL ++#define gssx_enc_wrap_size_limit NULL ++#define gssx_dec_wrap_size_limit NULL ++ ++/* non implemented calls are set to 0 size */ ++#define GSSX_ARG_indicate_mechs_sz 0 ++#define GSSX_RES_indicate_mechs_sz 0 ++#define GSSX_ARG_get_call_context_sz 0 ++#define GSSX_RES_get_call_context_sz 0 ++#define GSSX_ARG_import_and_canon_name_sz 0 ++#define GSSX_RES_import_and_canon_name_sz 0 ++#define GSSX_ARG_export_cred_sz 0 ++#define GSSX_RES_export_cred_sz 0 ++#define GSSX_ARG_import_cred_sz 0 ++#define GSSX_RES_import_cred_sz 0 ++#define GSSX_ARG_acquire_cred_sz 0 ++#define GSSX_RES_acquire_cred_sz 0 ++#define GSSX_ARG_store_cred_sz 0 ++#define GSSX_RES_store_cred_sz 0 ++#define GSSX_ARG_init_sec_context_sz 0 ++#define GSSX_RES_init_sec_context_sz 0 ++ ++#define GSSX_default_in_call_ctx_sz (4 + 4 + 4 + \ ++ 8 + sizeof(LUCID_OPTION) + sizeof(LUCID_VALUE) + \ ++ 8 + sizeof(CREDS_OPTION) + sizeof(CREDS_VALUE)) ++#define GSSX_default_in_ctx_hndl_sz (4 + 4+8 + 4 + 4 + 6*4 + 6*4 + 8 + 8 + \ ++ 4 + 4 + 4) ++#define GSSX_default_in_cred_sz 4 /* we send in no cred_handle */ ++#define GSSX_default_in_token_sz 4 /* does *not* include token data */ ++#define GSSX_default_in_cb_sz 4 /* we do not use channel bindings */ ++#define GSSX_ARG_accept_sec_context_sz (GSSX_default_in_call_ctx_sz + \ ++ GSSX_default_in_ctx_hndl_sz + \ ++ GSSX_default_in_cred_sz + \ ++ GSSX_default_in_token_sz + \ ++ GSSX_default_in_cb_sz + \ ++ 4 /* no deleg creds boolean */ + \ ++ 4) /* empty options */ ++ ++/* somewhat arbitrary numbers but large enough (we ignore some of the data ++ * sent down, but it is part of the protocol so we need enough space to take ++ * it in) */ ++#define GSSX_default_status_sz 8 + 24 + 8 + 256 + 256 + 16 + 4 ++#define GSSX_max_output_handle_sz 128 ++#define GSSX_max_oid_sz 16 ++#define GSSX_max_princ_sz 256 ++#define GSSX_default_ctx_sz (GSSX_max_output_handle_sz + \ ++ 16 + 4 + GSSX_max_oid_sz + \ ++ 2 * GSSX_max_princ_sz + \ ++ 8 + 8 + 4 + 4 + 4) ++#define GSSX_max_output_token_sz 1024 ++#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4) ++#define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \ ++ GSSX_default_ctx_sz + \ ++ GSSX_max_output_token_sz + \ ++ 4 + GSSX_max_creds_sz) ++ ++#define GSSX_ARG_release_handle_sz 0 ++#define GSSX_RES_release_handle_sz 0 ++#define GSSX_ARG_get_mic_sz 0 ++#define GSSX_RES_get_mic_sz 0 ++#define GSSX_ARG_verify_sz 0 ++#define GSSX_RES_verify_sz 0 ++#define GSSX_ARG_wrap_sz 0 ++#define GSSX_RES_wrap_sz 0 ++#define GSSX_ARG_unwrap_sz 0 ++#define GSSX_RES_unwrap_sz 0 ++#define GSSX_ARG_wrap_size_limit_sz 0 ++#define GSSX_RES_wrap_size_limit_sz 0 ++ ++ ++ ++#endif /* _LINUX_GSS_RPC_XDR_H */ +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 6d29b53..eb4cb72 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -683,6 +683,7 @@ rpc_release_client(struct rpc_clnt *clnt) + if (atomic_dec_and_test(&clnt->cl_count)) + rpc_free_auth(clnt); + } ++EXPORT_SYMBOL_GPL(rpc_release_client); + + /** + * rpc_bind_new_program - bind a new RPC program to an existing client +diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h +index ce7bd44..e9f8895 100644 +--- a/net/sunrpc/netns.h ++++ b/net/sunrpc/netns.h +@@ -23,6 +23,9 @@ struct sunrpc_net { + struct rpc_clnt *rpcb_local_clnt4; + spinlock_t rpcb_clnt_lock; + unsigned int rpcb_users; ++ ++ struct mutex gssp_lock; ++ struct rpc_clnt *gssp_clnt; + }; + + extern int sunrpc_net_id; +-- +1.8.1.4 + + +From f682043df7bb81715124c82e9cea8bc68ded9667 Mon Sep 17 00:00:00 2001 +From: Simo Sorce +Date: Fri, 25 May 2012 18:09:56 -0400 +Subject: [PATCH 06/13] SUNRPC: Use gssproxy upcall for server RPCGSS + authentication. + +The main advantge of this new upcall mechanism is that it can handle +big tickets as seen in Kerberos implementations where tickets carry +authorization data like the MS-PAC buffer with AD or the Posix Authorization +Data being discussed in IETF on the krbwg working group. + +The Gssproxy program is used to perform the accept_sec_context call on the +kernel's behalf. The code is changed to also pass the input buffer straight +to upcall mechanism to avoid allocating and copying many pages as tokens can +be as big (potentially more in future) as 64KiB. + +Signed-off-by: Simo Sorce +[bfields: containerization, negotiation api] +Signed-off-by: J. Bruce Fields +--- + Documentation/filesystems/nfs/00-INDEX | 2 + + Documentation/filesystems/nfs/rpc-server-gss.txt | 91 ++++++ + net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 + + net/sunrpc/auth_gss/svcauth_gss.c | 347 ++++++++++++++++++++++- + net/sunrpc/netns.h | 3 + + 5 files changed, 436 insertions(+), 9 deletions(-) + create mode 100644 Documentation/filesystems/nfs/rpc-server-gss.txt + +diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX +index 1716874..66eb6c8 100644 +--- a/Documentation/filesystems/nfs/00-INDEX ++++ b/Documentation/filesystems/nfs/00-INDEX +@@ -20,3 +20,5 @@ rpc-cache.txt + - introduction to the caching mechanisms in the sunrpc layer. + idmapper.txt + - information for configuring request-keys to be used by idmapper ++knfsd-rpcgss.txt ++ - Information on GSS authentication support in the NFS Server +diff --git a/Documentation/filesystems/nfs/rpc-server-gss.txt b/Documentation/filesystems/nfs/rpc-server-gss.txt +new file mode 100644 +index 0000000..716f4be +--- /dev/null ++++ b/Documentation/filesystems/nfs/rpc-server-gss.txt +@@ -0,0 +1,91 @@ ++ ++rpcsec_gss support for kernel RPC servers ++========================================= ++ ++This document gives references to the standards and protocols used to ++implement RPCGSS authentication in kernel RPC servers such as the NFS ++server and the NFS client's NFSv4.0 callback server. (But note that ++NFSv4.1 and higher don't require the client to act as a server for the ++purposes of authentication.) ++ ++RPCGSS is specified in a few IETF documents: ++ - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt ++ - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt ++and there is a 3rd version being proposed: ++ - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt ++ (At draft n. 02 at the time of writing) ++ ++Background ++---------- ++ ++The RPCGSS Authentication method describes a way to perform GSSAPI ++Authentication for NFS. Although GSSAPI is itself completely mechanism ++agnostic, in many cases only the KRB5 mechanism is supported by NFS ++implementations. ++ ++The Linux kernel, at the moment, supports only the KRB5 mechanism, and ++depends on GSSAPI extensions that are KRB5 specific. ++ ++GSSAPI is a complex library, and implementing it completely in kernel is ++unwarranted. However GSSAPI operations are fundementally separable in 2 ++parts: ++- initial context establishment ++- integrity/privacy protection (signing and encrypting of individual ++ packets) ++ ++The former is more complex and policy-independent, but less ++performance-sensitive. The latter is simpler and needs to be very fast. ++ ++Therefore, we perform per-packet integrity and privacy protection in the ++kernel, but leave the initial context establishment to userspace. We ++need upcalls to request userspace to perform context establishment. ++ ++NFS Server Legacy Upcall Mechanism ++---------------------------------- ++ ++The classic upcall mechanism uses a custom text based upcall mechanism ++to talk to a custom daemon called rpc.svcgssd that is provide by the ++nfs-utils package. ++ ++This upcall mechanism has 2 limitations: ++ ++A) It can handle tokens that are no bigger than 2KiB ++ ++In some Kerberos deployment GSSAPI tokens can be quite big, up and ++beyond 64KiB in size due to various authorization extensions attacked to ++the Kerberos tickets, that needs to be sent through the GSS layer in ++order to perform context establishment. ++ ++B) It does not properly handle creds where the user is member of more ++than a few housand groups (the current hard limit in the kernel is 65K ++groups) due to limitation on the size of the buffer that can be send ++back to the kernel (4KiB). ++ ++NFS Server New RPC Upcall Mechanism ++----------------------------------- ++ ++The newer upcall mechanism uses RPC over a unix socket to a daemon ++called gss-proxy, implemented by a userspace program called Gssproxy. ++ ++The gss_proxy RPC protocol is currently documented here: ++ ++ https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation ++ ++This upcall mechanism uses the kernel rpc client and connects to the gssproxy ++userspace program over a regular unix socket. The gssproxy protocol does not ++suffer from the size limitations of the legacy protocol. ++ ++Negotiating Upcall Mechanisms ++----------------------------- ++ ++To provide backward compatibility, the kernel defaults to using the ++legacy mechanism. To switch to the new mechanism, gss-proxy must bind ++to /var/run/gssproxy.sock and then write "1" to ++/proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both ++steps. ++ ++Once the upcall mechanism is chosen, it cannot be changed. To prevent ++locking into the legacy mechanisms, the above steps must be performed ++before starting nfsd. Whoever starts nfsd can guarantee this by reading ++from /proc/net/rpc/use-gss-proxy and checking that it contains a ++"1"--the read will block until gss-proxy has done its write to the file. +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index 2d33ddf..3f874d7 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -137,6 +137,7 @@ void init_gssp_clnt(struct sunrpc_net *sn) + { + mutex_init(&sn->gssp_lock); + sn->gssp_clnt = NULL; ++ init_waitqueue_head(&sn->gssp_wq); + } + + int set_gssp_clnt(struct net *net) +@@ -153,6 +154,7 @@ int set_gssp_clnt(struct net *net) + sn->gssp_clnt = clnt; + } + mutex_unlock(&sn->gssp_lock); ++ wake_up(&sn->gssp_wq); + return ret; + } + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 20eedec..58f5bc3 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -48,8 +48,8 @@ + #include + #include + #include ++#include "gss_rpc_upcall.h" + +-#include "../netns.h" + + #ifdef RPC_DEBUG + # define RPCDBG_FACILITY RPCDBG_AUTH +@@ -988,13 +988,10 @@ gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, + } + + static inline int +-gss_read_verf(struct rpc_gss_wire_cred *gc, +- struct kvec *argv, __be32 *authp, +- struct xdr_netobj *in_handle, +- struct xdr_netobj *in_token) ++gss_read_common_verf(struct rpc_gss_wire_cred *gc, ++ struct kvec *argv, __be32 *authp, ++ struct xdr_netobj *in_handle) + { +- struct xdr_netobj tmpobj; +- + /* Read the verifier; should be NULL: */ + *authp = rpc_autherr_badverf; + if (argv->iov_len < 2 * 4) +@@ -1010,6 +1007,23 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, + if (dup_netobj(in_handle, &gc->gc_ctx)) + return SVC_CLOSE; + *authp = rpc_autherr_badverf; ++ ++ return 0; ++} ++ ++static inline int ++gss_read_verf(struct rpc_gss_wire_cred *gc, ++ struct kvec *argv, __be32 *authp, ++ struct xdr_netobj *in_handle, ++ struct xdr_netobj *in_token) ++{ ++ struct xdr_netobj tmpobj; ++ int res; ++ ++ res = gss_read_common_verf(gc, argv, authp, in_handle); ++ if (res) ++ return res; ++ + if (svc_safe_getnetobj(argv, &tmpobj)) { + kfree(in_handle->data); + return SVC_DENIED; +@@ -1022,6 +1036,40 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, + return 0; + } + ++/* Ok this is really heavily depending on a set of semantics in ++ * how rqstp is set up by svc_recv and pages laid down by the ++ * server when reading a request. We are basically guaranteed that ++ * the token lays all down linearly across a set of pages, starting ++ * at iov_base in rq_arg.head[0] which happens to be the first of a ++ * set of pages stored in rq_pages[]. ++ * rq_arg.head[0].iov_base will provide us the page_base to pass ++ * to the upcall. ++ */ ++static inline int ++gss_read_proxy_verf(struct svc_rqst *rqstp, ++ struct rpc_gss_wire_cred *gc, __be32 *authp, ++ struct xdr_netobj *in_handle, ++ struct gssp_in_token *in_token) ++{ ++ struct kvec *argv = &rqstp->rq_arg.head[0]; ++ u32 inlen; ++ int res; ++ ++ res = gss_read_common_verf(gc, argv, authp, in_handle); ++ if (res) ++ return res; ++ ++ inlen = svc_getnl(argv); ++ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) ++ return SVC_DENIED; ++ ++ in_token->pages = rqstp->rq_pages; ++ in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK; ++ in_token->page_len = inlen; ++ ++ return 0; ++} ++ + static inline int + gss_write_resv(struct kvec *resv, size_t size_limit, + struct xdr_netobj *out_handle, struct xdr_netobj *out_token, +@@ -1049,7 +1097,7 @@ gss_write_resv(struct kvec *resv, size_t size_limit, + * the upcall results are available, write the verifier and result. + * Otherwise, drop the request pending an answer to the upcall. + */ +-static int svcauth_gss_handle_init(struct svc_rqst *rqstp, ++static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, + struct rpc_gss_wire_cred *gc, __be32 *authp) + { + struct kvec *argv = &rqstp->rq_arg.head[0]; +@@ -1089,6 +1137,278 @@ out: + return ret; + } + ++static int gss_proxy_save_rsc(struct cache_detail *cd, ++ struct gssp_upcall_data *ud, ++ uint64_t *handle) ++{ ++ struct rsc rsci, *rscp = NULL; ++ static atomic64_t ctxhctr; ++ long long ctxh; ++ struct gss_api_mech *gm = NULL; ++ time_t expiry; ++ int status = -EINVAL; ++ ++ memset(&rsci, 0, sizeof(rsci)); ++ /* context handle */ ++ status = -ENOMEM; ++ /* the handle needs to be just a unique id, ++ * use a static counter */ ++ ctxh = atomic64_inc_return(&ctxhctr); ++ ++ /* make a copy for the caller */ ++ *handle = ctxh; ++ ++ /* make a copy for the rsc cache */ ++ if (dup_to_netobj(&rsci.handle, (char *)handle, sizeof(uint64_t))) ++ goto out; ++ rscp = rsc_lookup(cd, &rsci); ++ if (!rscp) ++ goto out; ++ ++ /* creds */ ++ if (!ud->found_creds) { ++ /* userspace seem buggy, we should always get at least a ++ * mapping to nobody */ ++ dprintk("RPC: No creds found, marking Negative!\n"); ++ set_bit(CACHE_NEGATIVE, &rsci.h.flags); ++ } else { ++ ++ /* steal creds */ ++ rsci.cred = ud->creds; ++ memset(&ud->creds, 0, sizeof(struct svc_cred)); ++ ++ status = -EOPNOTSUPP; ++ /* get mech handle from OID */ ++ gm = gss_mech_get_by_OID(&ud->mech_oid); ++ if (!gm) ++ goto out; ++ ++ status = -EINVAL; ++ /* mech-specific data: */ ++ status = gss_import_sec_context(ud->out_handle.data, ++ ud->out_handle.len, ++ gm, &rsci.mechctx, ++ &expiry, GFP_KERNEL); ++ if (status) ++ goto out; ++ } ++ ++ rsci.h.expiry_time = expiry; ++ rscp = rsc_update(cd, &rsci, rscp); ++ status = 0; ++out: ++ gss_mech_put(gm); ++ rsc_free(&rsci); ++ if (rscp) ++ cache_put(&rscp->h, cd); ++ else ++ status = -ENOMEM; ++ return status; ++} ++ ++static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, ++ struct rpc_gss_wire_cred *gc, __be32 *authp) ++{ ++ struct kvec *resv = &rqstp->rq_res.head[0]; ++ struct xdr_netobj cli_handle; ++ struct gssp_upcall_data ud; ++ uint64_t handle; ++ int status; ++ int ret; ++ struct net *net = rqstp->rq_xprt->xpt_net; ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ memset(&ud, 0, sizeof(ud)); ++ ret = gss_read_proxy_verf(rqstp, gc, authp, ++ &ud.in_handle, &ud.in_token); ++ if (ret) ++ return ret; ++ ++ ret = SVC_CLOSE; ++ ++ /* Perform synchronous upcall to gss-proxy */ ++ status = gssp_accept_sec_context_upcall(net, &ud); ++ if (status) ++ goto out; ++ ++ dprintk("RPC: svcauth_gss: gss major status = %d\n", ++ ud.major_status); ++ ++ switch (ud.major_status) { ++ case GSS_S_CONTINUE_NEEDED: ++ cli_handle = ud.out_handle; ++ break; ++ case GSS_S_COMPLETE: ++ status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle); ++ if (status) ++ goto out; ++ cli_handle.data = (u8 *)&handle; ++ cli_handle.len = sizeof(handle); ++ break; ++ default: ++ ret = SVC_CLOSE; ++ goto out; ++ } ++ ++ /* Got an answer to the upcall; use it: */ ++ if (gss_write_init_verf(sn->rsc_cache, rqstp, ++ &cli_handle, &ud.major_status)) ++ goto out; ++ if (gss_write_resv(resv, PAGE_SIZE, ++ &cli_handle, &ud.out_token, ++ ud.major_status, ud.minor_status)) ++ goto out; ++ ++ ret = SVC_COMPLETE; ++out: ++ gssp_free_upcall_data(&ud); ++ return ret; ++} ++ ++DEFINE_SPINLOCK(use_gssp_lock); ++ ++static bool use_gss_proxy(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ if (sn->use_gss_proxy != -1) ++ return sn->use_gss_proxy; ++ spin_lock(&use_gssp_lock); ++ /* ++ * If you wanted gss-proxy, you should have said so before ++ * starting to accept requests: ++ */ ++ sn->use_gss_proxy = 0; ++ spin_unlock(&use_gssp_lock); ++ return 0; ++} ++ ++static bool set_gss_proxy(struct net *net, int type) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ int ret = 0; ++ ++ WARN_ON_ONCE(type != 0 && type != 1); ++ spin_lock(&use_gssp_lock); ++ if (sn->use_gss_proxy == -1 || sn->use_gss_proxy == type) ++ sn->use_gss_proxy = type; ++ else ++ ret = -EBUSY; ++ spin_unlock(&use_gssp_lock); ++ wake_up(&sn->gssp_wq); ++ return ret; ++} ++ ++static inline bool gssp_ready(struct sunrpc_net *sn) ++{ ++ switch (sn->use_gss_proxy) { ++ case -1: ++ return false; ++ case 0: ++ return true; ++ case 1: ++ return sn->gssp_clnt; ++ } ++ WARN_ON_ONCE(1); ++ return false; ++} ++ ++static int wait_for_gss_proxy(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); ++} ++ ++#ifdef CONFIG_PROC_FS ++ ++static ssize_t write_gssp(struct file *file, const char __user *buf, ++ size_t count, loff_t *ppos) ++{ ++ struct net *net = PDE(file->f_path.dentry->d_inode)->data; ++ char tbuf[20]; ++ unsigned long i; ++ int res; ++ ++ if (*ppos || count > sizeof(tbuf)-1) ++ return -EINVAL; ++ if (copy_from_user(tbuf, buf, count)) ++ return -EFAULT; ++ ++ tbuf[count] = 0; ++ res = kstrtoul(tbuf, 0, &i); ++ if (res) ++ return res; ++ if (i != 1) ++ return -EINVAL; ++ res = set_gss_proxy(net, 1); ++ if (res) ++ return res; ++ res = set_gssp_clnt(net); ++ if (res) ++ return res; ++ return count; ++} ++ ++static ssize_t read_gssp(struct file *file, char __user *buf, ++ size_t count, loff_t *ppos) ++{ ++ struct net *net = PDE(file->f_path.dentry->d_inode)->data; ++ unsigned long p = *ppos; ++ char tbuf[10]; ++ size_t len; ++ int ret; ++ ++ ret = wait_for_gss_proxy(net); ++ if (ret) ++ return ret; ++ ++ snprintf(tbuf, sizeof(tbuf), "%d\n", use_gss_proxy(net)); ++ len = strlen(tbuf); ++ if (p >= len) ++ return 0; ++ len -= p; ++ if (len > count) ++ len = count; ++ if (copy_to_user(buf, (void *)(tbuf+p), len)) ++ return -EFAULT; ++ *ppos += len; ++ return len; ++} ++ ++static const struct file_operations use_gss_proxy_ops = { ++ .open = nonseekable_open, ++ .write = write_gssp, ++ .read = read_gssp, ++}; ++ ++static int create_use_gss_proxy_proc_entry(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct proc_dir_entry **p = &sn->use_gssp_proc; ++ ++ sn->use_gss_proxy = -1; ++ *p = proc_create_data("use-gss-proxy", S_IFREG|S_IRUSR|S_IWUSR, ++ sn->proc_net_rpc, ++ &use_gss_proxy_ops, net); ++ if (!*p) ++ return -ENOMEM; ++ init_gssp_clnt(sn); ++ return 0; ++} ++ ++static void destroy_use_gss_proxy_proc_entry(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ if (sn->use_gssp_proc) { ++ remove_proc_entry("use-gss-proxy", sn->proc_net_rpc); ++ clear_gssp_clnt(sn); ++ } ++} ++ ++#endif /* CONFIG_PROC_FS */ ++ + /* + * Accept an rpcsec packet. + * If context establishment, punt to user space +@@ -1155,7 +1475,10 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp) + switch (gc->gc_proc) { + case RPC_GSS_PROC_INIT: + case RPC_GSS_PROC_CONTINUE_INIT: +- return svcauth_gss_handle_init(rqstp, gc, authp); ++ if (use_gss_proxy(SVC_NET(rqstp))) ++ return svcauth_gss_proxy_init(rqstp, gc, authp); ++ else ++ return svcauth_gss_legacy_init(rqstp, gc, authp); + case RPC_GSS_PROC_DATA: + case RPC_GSS_PROC_DESTROY: + /* Look up the context, and check the verifier: */ +@@ -1530,7 +1853,12 @@ gss_svc_init_net(struct net *net) + rv = rsi_cache_create_net(net); + if (rv) + goto out1; ++ rv = create_use_gss_proxy_proc_entry(net); ++ if (rv) ++ goto out2; + return 0; ++out2: ++ destroy_use_gss_proxy_proc_entry(net); + out1: + rsc_cache_destroy_net(net); + return rv; +@@ -1539,6 +1867,7 @@ out1: + void + gss_svc_shutdown_net(struct net *net) + { ++ destroy_use_gss_proxy_proc_entry(net); + rsi_cache_destroy_net(net); + rsc_cache_destroy_net(net); + } +diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h +index e9f8895..7111a4c 100644 +--- a/net/sunrpc/netns.h ++++ b/net/sunrpc/netns.h +@@ -25,7 +25,10 @@ struct sunrpc_net { + unsigned int rpcb_users; + + struct mutex gssp_lock; ++ wait_queue_head_t gssp_wq; + struct rpc_clnt *gssp_clnt; ++ int use_gss_proxy; ++ struct proc_dir_entry *use_gssp_proc; + }; + + extern int sunrpc_net_id; +-- +1.8.1.4 + + +From 06404241b88b51c50427b833268d7cad7dec30f5 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 29 Apr 2013 17:03:31 -0400 +Subject: [PATCH 07/13] SUNRPC: define + {create,destroy}_use_gss_proxy_proc_entry in !PROC case + +Though I wonder whether we should really just depend on CONFIG_PROC_FS +at some point. + +Reported-by: kbuild test robot +--- + net/sunrpc/auth_gss/svcauth_gss.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 58f5bc3..71446b6 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1283,6 +1283,8 @@ static bool use_gss_proxy(struct net *net) + return 0; + } + ++#ifdef CONFIG_PROC_FS ++ + static bool set_gss_proxy(struct net *net, int type) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); +@@ -1320,7 +1322,6 @@ static int wait_for_gss_proxy(struct net *net) + return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); + } + +-#ifdef CONFIG_PROC_FS + + static ssize_t write_gssp(struct file *file, const char __user *buf, + size_t count, loff_t *ppos) +@@ -1406,6 +1407,14 @@ static void destroy_use_gss_proxy_proc_entry(struct net *net) + clear_gssp_clnt(sn); + } + } ++#else /* CONFIG_PROC_FS */ ++ ++static int create_use_gss_proxy_proc_entry(struct net *net) ++{ ++ return 0; ++} ++ ++static void destroy_use_gss_proxy_proc_entry(struct net *net) {} + + #endif /* CONFIG_PROC_FS */ + +-- +1.8.1.4 + + +From 3cc961ce9784f0b4a9cb21217dd4a8403efc220d Mon Sep 17 00:00:00 2001 +From: Fengguang Wu +Date: Mon, 29 Apr 2013 17:19:48 -0400 +Subject: [PATCH 08/13] SUNRPC: gssp_procedures[] can be static + +Cc: Simo Sorce +Signed-off-by: Fengguang Wu +--- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index 3f874d7..98818d6 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -63,7 +63,7 @@ enum { + .p_name = #proc, \ + } + +-struct rpc_procinfo gssp_procedures[] = { ++static struct rpc_procinfo gssp_procedures[] = { + PROC(INDICATE_MECHS, indicate_mechs), + PROC(GET_CALL_CONTEXT, get_call_context), + PROC(IMPORT_AND_CANON_NAME, import_and_canon_name), +-- +1.8.1.4 + + +From d6afcafd515bbf16e39817170cd212a7debd8959 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 29 Apr 2013 18:21:29 -0400 +Subject: [PATCH 09/13] svcrpc: fix gss-proxy to respect user namespaces + +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 20 +++++++++++++------- + 1 file changed, 13 insertions(+), 7 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index d0ccdff..5c4c61d 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -216,13 +216,13 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + err = get_s32(&q, end, &tmp); + if (err) + return err; +- creds->cr_uid = tmp; ++ creds->cr_uid = make_kuid(&init_user_ns, tmp); + + /* gid */ + err = get_s32(&q, end, &tmp); + if (err) + return err; +- creds->cr_gid = tmp; ++ creds->cr_gid = make_kgid(&init_user_ns, tmp); + + /* number of additional gid's */ + err = get_s32(&q, end, &tmp); +@@ -235,15 +235,21 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + + /* gid's */ + for (i = 0; i < N; i++) { ++ kgid_t kgid; + err = get_s32(&q, end, &tmp); +- if (err) { +- groups_free(creds->cr_group_info); +- return err; +- } +- GROUP_AT(creds->cr_group_info, i) = tmp; ++ if (err) ++ goto out_free_groups; ++ err = -EINVAL; ++ kgid = make_kgid(&init_user_ns, tmp); ++ if (!gid_valid(kgid)) ++ goto out_free_groups; ++ GROUP_AT(creds->cr_group_info, i) = kgid; + } + + return 0; ++out_free_groups: ++ groups_free(creds->cr_group_info); ++ return err; + } + + static int gssx_dec_option_array(struct xdr_stream *xdr, +-- +1.8.1.4 + + +From e4f7a037aa575bdbe6d1e42e58283cb4d663b000 Mon Sep 17 00:00:00 2001 +From: Geert Uytterhoeven +Date: Mon, 6 May 2013 09:21:03 +0200 +Subject: [PATCH 10/13] SUNRPC: Refactor gssx_dec_option_array() to kill + uninitialized warning +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +net/sunrpc/auth_gss/gss_rpc_xdr.c: In function ‘gssx_dec_option_array’: +net/sunrpc/auth_gss/gss_rpc_xdr.c:258: warning: ‘creds’ may be used uninitialized in this function + +Return early if count is zero, to make it clearer to the compiler (and the +casual reviewer) that no more processing is done. + +Signed-off-by: Geert Uytterhoeven +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 32 +++++++++++++++++--------------- + 1 file changed, 17 insertions(+), 15 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 5c4c61d..a1e1b1a 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -264,25 +264,27 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, + if (unlikely(p == NULL)) + return -ENOSPC; + count = be32_to_cpup(p++); +- if (count != 0) { +- /* we recognize only 1 currently: CREDS_VALUE */ +- oa->count = 1; ++ if (!count) ++ return 0; + +- oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); +- if (!oa->data) +- return -ENOMEM; ++ /* we recognize only 1 currently: CREDS_VALUE */ ++ oa->count = 1; + +- creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); +- if (!creds) { +- kfree(oa->data); +- return -ENOMEM; +- } ++ oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); ++ if (!oa->data) ++ return -ENOMEM; + +- oa->data[0].option.data = CREDS_VALUE; +- oa->data[0].option.len = sizeof(CREDS_VALUE); +- oa->data[0].value.data = (void *)creds; +- oa->data[0].value.len = 0; ++ creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); ++ if (!creds) { ++ kfree(oa->data); ++ return -ENOMEM; + } ++ ++ oa->data[0].option.data = CREDS_VALUE; ++ oa->data[0].option.len = sizeof(CREDS_VALUE); ++ oa->data[0].value.data = (void *)creds; ++ oa->data[0].value.len = 0; ++ + for (i = 0; i < count; i++) { + gssx_buffer dummy = { 0, NULL }; + u32 length; +-- +1.8.1.4 + + +From f174f54afb853cd818e2121a0b5dc66012a4a3eb Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Tue, 7 May 2013 17:45:20 -0400 +Subject: [PATCH 11/13] SUNRPC: fix decoding of optional gss-proxy xdr fields + +The current code works, but sort of by accident: it obviously didn't +intend the error return to be interpreted as "true". + +Reported-by: Dan Carpenter +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index a1e1b1a..357f613 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -21,16 +21,6 @@ + #include + #include "gss_rpc_xdr.h" + +-static bool gssx_check_pointer(struct xdr_stream *xdr) +-{ +- __be32 *p; +- +- p = xdr_reserve_space(xdr, 4); +- if (unlikely(p == NULL)) +- return -ENOSPC; +- return *p?true:false; +-} +- + static int gssx_enc_bool(struct xdr_stream *xdr, int v) + { + __be32 *p; +@@ -802,6 +792,7 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, + struct xdr_stream *xdr, + struct gssx_res_accept_sec_context *res) + { ++ u32 value_follows; + int err; + + /* res->status */ +@@ -810,7 +801,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, + return err; + + /* res->context_handle */ +- if (gssx_check_pointer(xdr)) { ++ err = gssx_dec_bool(xdr, &value_follows); ++ if (err) ++ return err; ++ if (value_follows) { + err = gssx_dec_ctx(xdr, res->context_handle); + if (err) + return err; +@@ -819,7 +813,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, + } + + /* res->output_token */ +- if (gssx_check_pointer(xdr)) { ++ err = gssx_dec_bool(xdr, &value_follows); ++ if (err) ++ return err; ++ if (value_follows) { + err = gssx_dec_buffer(xdr, res->output_token); + if (err) + return err; +@@ -828,7 +825,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, + } + + /* res->delegated_cred_handle */ +- if (gssx_check_pointer(xdr)) { ++ err = gssx_dec_bool(xdr, &value_follows); ++ if (err) ++ return err; ++ if (value_follows) { + /* we do not support upcall servers sending this data. */ + return -EINVAL; + } +-- +1.8.1.4 + + +From 653ba539c4d845b004c7d29416c9083cb74f8270 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Sat, 11 May 2013 19:13:49 +0300 +Subject: [PATCH 12/13] svcauth_gss: fix error code in use_gss_proxy() + +This should return zero on success and -EBUSY on error so the type +needs to be int instead of bool. + +Signed-off-by: Dan Carpenter +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/svcauth_gss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 71446b6..141902e 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1285,7 +1285,7 @@ static bool use_gss_proxy(struct net *net) + + #ifdef CONFIG_PROC_FS + +-static bool set_gss_proxy(struct net *net, int type) ++static int set_gss_proxy(struct net *net, int type) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + int ret = 0; +-- +1.8.1.4 + + +From 66a26c8c42ebbdfb7dbf297b3d7f404f0dc86ed8 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 24 May 2013 09:47:49 -0400 +Subject: [PATCH 13/13] svcrpc: implement O_NONBLOCK behavior for use-gss-proxy + +Somebody noticed LTP was complaining about O_NONBLOCK opens of +/proc/net/rpc/use-gss-proxy succeeding and then a following read +hanging. + +I'm not convinced LTP really has any business opening random proc files +and expecting them to behave a certain way. Maybe this isn't really a +bug. + +But in any case the O_NONBLOCK behavior could be useful for someone that +wants to test whether gss-proxy is up without waiting. + +Reported-by: Jan Stancek +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/svcauth_gss.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c +index 141902e..a7d4dfa 100644 +--- a/net/sunrpc/auth_gss/svcauth_gss.c ++++ b/net/sunrpc/auth_gss/svcauth_gss.c +@@ -1315,10 +1315,12 @@ static inline bool gssp_ready(struct sunrpc_net *sn) + return false; + } + +-static int wait_for_gss_proxy(struct net *net) ++static int wait_for_gss_proxy(struct net *net, struct file *file) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + ++ if (file->f_flags & O_NONBLOCK && !gssp_ready(sn)) ++ return -EAGAIN; + return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); + } + +@@ -1360,7 +1362,7 @@ static ssize_t read_gssp(struct file *file, char __user *buf, + size_t len; + int ret; + +- ret = wait_for_gss_proxy(net); ++ ret = wait_for_gss_proxy(net, file); + if (ret) + return ret; + +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index aaceefd1a..5bf9baf19 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -774,6 +774,9 @@ Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch #rhbz 964335 Patch25026: Modify-UEFI-anti-bricking-code.patch +# Needed for F19 gssproxy feature +Patch25030: gssproxy-backport.patch + # END OF PATCH DEFINITIONS %endif @@ -1494,6 +1497,9 @@ ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch #rhbz 964335 ApplyPatch Modify-UEFI-anti-bricking-code.patch +# Needed for F19 gssproxy feature +ApplyPatch gssproxy-backport.patch + # END OF PATCH APPLICATIONS %endif @@ -2321,7 +2327,8 @@ fi # and build. %changelog -* Tue Jun 04 2013 Josh Boyer +* Tue Jun 04 2013 Josh Boyer - 3.9.4-302 +- Add gssproxy backport from J. Bruce Fields - Fix build issue with PowerPC MSI patches (rhbz 962496) * Mon Jun 03 2013 Josh Boyer - 3.9.4-301 From e2d3ded7b3c998bc24814e3d4469e793975af9d4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 5 Jun 2013 16:10:51 -0400 Subject: [PATCH 106/468] CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148) --- kernel.spec | 11 +++- ...k-device-permissions-before-allowing.patch | 54 +++++++++++++++++++ 2 files changed, 64 insertions(+), 1 deletion(-) create mode 100644 xen-blkback-Check-device-permissions-before-allowing.patch diff --git a/kernel.spec b/kernel.spec index 5bf9baf19..a627ddc08 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 303 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -777,6 +777,9 @@ Patch25026: Modify-UEFI-anti-bricking-code.patch # Needed for F19 gssproxy feature Patch25030: gssproxy-backport.patch +#CVE-2013-2140 rhbz 971146 971148 +Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch + # END OF PATCH DEFINITIONS %endif @@ -1500,6 +1503,9 @@ ApplyPatch Modify-UEFI-anti-bricking-code.patch # Needed for F19 gssproxy feature ApplyPatch gssproxy-backport.patch +#CVE-2013-2140 rhbz 971146 971148 +ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch + # END OF PATCH APPLICATIONS %endif @@ -2327,6 +2333,9 @@ fi # and build. %changelog +* Wed Jun 05 2013 Josh Boyer +- CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148) + * Tue Jun 04 2013 Josh Boyer - 3.9.4-302 - Add gssproxy backport from J. Bruce Fields - Fix build issue with PowerPC MSI patches (rhbz 962496) diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch new file mode 100644 index 000000000..933e82890 --- /dev/null +++ b/xen-blkback-Check-device-permissions-before-allowing.patch @@ -0,0 +1,54 @@ +From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 16 Jan 2013 11:33:52 -0500 +Subject: [PATCH] xen/blkback: Check device permissions before allowing + OP_DISCARD + +We need to make sure that the device is not RO or that +the request is not past the number of sectors we want to +issue the DISCARD operation for. + +Cc: stable () vger kernel org +Acked-by: Jan Beulich +Acked-by: Ian Campbell +[v1: Made it pr_warn instead of pr_debug] +Signed-off-by: Konrad Rzeszutek Wilk +--- + drivers/block/xen-blkback/blkback.c | 13 ++++++++++++- + 1 file changed, 12 insertions(+), 1 deletion(-) + +diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c +index e79ab45..4119bcd 100644 +--- a/drivers/block/xen-blkback/blkback.c ++++ b/drivers/block/xen-blkback/blkback.c +@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + int status = BLKIF_RSP_OKAY; + struct block_device *bdev = blkif->vbd.bdev; + unsigned long secure; ++ struct phys_req preq; ++ ++ preq.sector_number = req->u.discard.sector_number; ++ preq.nr_sects = req->u.discard.nr_sectors; + ++ err = xen_vbd_translate(&preq, blkif, WRITE); ++ if (err) { ++ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", ++ preq.sector_number, ++ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); ++ goto fail_response; ++ } + blkif->st_ds_req++; + + xen_blkif_get(blkif); +@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif, + err = blkdev_issue_discard(bdev, req->u.discard.sector_number, + req->u.discard.nr_sectors, + GFP_KERNEL, secure); +- ++fail_response: + if (err == -EOPNOTSUPP) { + pr_debug(DRV_PFX "discard op failed, not supported\n"); + status = BLKIF_RSP_EOPNOTSUPP; +-- +1.8.1.4 + From 9df6e58f8fc244f081e7661ce4b108deba933771 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 6 Jun 2013 08:20:24 -0400 Subject: [PATCH 107/468] CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) --- cve-2013-2147-ciss-info-leak.patch | 27 +++++++++++++++++++++++++++ kernel.spec | 9 +++++++++ 2 files changed, 36 insertions(+) create mode 100644 cve-2013-2147-ciss-info-leak.patch diff --git a/cve-2013-2147-ciss-info-leak.patch b/cve-2013-2147-ciss-info-leak.patch new file mode 100644 index 000000000..ee49d3bfb --- /dev/null +++ b/cve-2013-2147-ciss-info-leak.patch @@ -0,0 +1,27 @@ +diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c +index 639d26b..2b94403 100644 +--- a/drivers/block/cpqarray.c ++++ b/drivers/block/cpqarray.c +@@ -1193,6 +1193,7 @@ out_passthru: + ida_pci_info_struct pciinfo; + + if (!arg) return -EINVAL; ++ memset(&pciinfo, 0, sizeof(pciinfo)); + pciinfo.bus = host->pci_dev->bus->number; + pciinfo.dev_fn = host->pci_dev->devfn; + pciinfo.board_id = host->board_id; + + diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c +index 6374dc1..34971aa 100644 +--- a/drivers/block/cciss.c ++++ b/drivers/block/cciss.c +@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, + int err; + u32 cp; + ++ memset(&arg64, 0, sizeof(arg64)); + err = 0; + err |= + copy_from_user(&arg64.LUN_info, &arg32->LUN_info, + + \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index a627ddc08..197984844 100644 --- a/kernel.spec +++ b/kernel.spec @@ -780,6 +780,9 @@ Patch25030: gssproxy-backport.patch #CVE-2013-2140 rhbz 971146 971148 Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch +#CVE-2013-2147 rhbz 971242 971249 +Patch25032: cve-2013-2147-ciss-info-leak.patch + # END OF PATCH DEFINITIONS %endif @@ -1506,6 +1509,9 @@ ApplyPatch gssproxy-backport.patch #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch +#CVE-2013-2147 rhbz 971242 971249 +ApplyPatch cve-2013-2147-ciss-info-leak.patch + # END OF PATCH APPLICATIONS %endif @@ -2333,6 +2339,9 @@ fi # and build. %changelog +* Thu Jun 06 2013 Josh Boyer +- CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) + * Wed Jun 05 2013 Josh Boyer - CVE-2013-2140 xen: blkback: insufficient permission checks for BLKIF_OP_DISCARD (rhbz 971146 971148) From 5e7ce920b25d41f59cb9152268cd35997afd88f3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 6 Jun 2013 08:24:07 -0400 Subject: [PATCH 108/468] CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261) --- fanotify-info-leak-in-copy_event_to_user.patch | 14 ++++++++++++++ kernel.spec | 7 +++++++ 2 files changed, 21 insertions(+) create mode 100644 fanotify-info-leak-in-copy_event_to_user.patch diff --git a/fanotify-info-leak-in-copy_event_to_user.patch b/fanotify-info-leak-in-copy_event_to_user.patch new file mode 100644 index 000000000..92b218b1c --- /dev/null +++ b/fanotify-info-leak-in-copy_event_to_user.patch @@ -0,0 +1,14 @@ +diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c +index 6c80083..77cc85d 100644 +--- a/fs/notify/fanotify/fanotify_user.c ++++ b/fs/notify/fanotify/fanotify_user.c +@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group, + metadata->event_len = FAN_EVENT_METADATA_LEN; + metadata->metadata_len = FAN_EVENT_METADATA_LEN; + metadata->vers = FANOTIFY_METADATA_VERSION; ++ metadata->reserved = 0; + metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS; + metadata->pid = pid_vnr(event->tgid); + if (unlikely(event->mask & FAN_Q_OVERFLOW)) + + \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 197984844..c5b68b653 100644 --- a/kernel.spec +++ b/kernel.spec @@ -783,6 +783,9 @@ Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch #CVE-2013-2147 rhbz 971242 971249 Patch25032: cve-2013-2147-ciss-info-leak.patch +#CVE-2013-2148 rhbz 971258 971261 +Patch25033: fanotify-info-leak-in-copy_event_to_user.patch + # END OF PATCH DEFINITIONS %endif @@ -1512,6 +1515,9 @@ ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch #CVE-2013-2147 rhbz 971242 971249 ApplyPatch cve-2013-2147-ciss-info-leak.patch +#CVE-2013-2148 rhbz 971258 971261 +ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch + # END OF PATCH APPLICATIONS %endif @@ -2340,6 +2346,7 @@ fi %changelog * Thu Jun 06 2013 Josh Boyer +- CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261) - CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) * Wed Jun 05 2013 Josh Boyer From 424c42e68793e6420a21e5358dc543a8be5b06e0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 7 Jun 2013 08:15:42 -0400 Subject: [PATCH 109/468] CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) --- ...ormat-string-leaking-into-error-msgs.patch | 32 +++++++++++++++++++ kernel.spec | 9 ++++++ 2 files changed, 41 insertions(+) create mode 100644 b43-stop-format-string-leaking-into-error-msgs.patch diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch new file mode 100644 index 000000000..84249e5eb --- /dev/null +++ b/b43-stop-format-string-leaking-into-error-msgs.patch @@ -0,0 +1,32 @@ +From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Fri, 10 May 2013 21:48:21 +0000 +Subject: b43: stop format string leaking into error msgs + +The module parameter "fwpostfix" is userspace controllable, unfiltered, +and is used to define the firmware filename. b43_do_request_fw() populates +ctx->errors[] on error, containing the firmware filename. b43err() +parses its arguments as a format string. For systems with b43 hardware, +this could lead to a uid-0 to ring-0 escalation. + +CVE-2013-2852 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Signed-off-by: John W. Linville +--- +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 6dd07e2..a95b77a 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) + for (i = 0; i < B43_NR_FWTYPES; i++) { + errmsg = ctx->errors[i]; + if (strlen(errmsg)) +- b43err(dev->wl, errmsg); ++ b43err(dev->wl, "%s", errmsg); + } + b43_print_fw_helptext(dev->wl, 1); + goto out; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index c5b68b653..ae26788b4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -786,6 +786,9 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch +#CVE-2013-2852 rhbz 969518 971665 +Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch + # END OF PATCH DEFINITIONS %endif @@ -1518,6 +1521,9 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch +#CVE-2013-2852 rhbz 969518 971665 +ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch + # END OF PATCH APPLICATIONS %endif @@ -2345,6 +2351,9 @@ fi # and build. %changelog +* Fri Jun 07 2013 Josh Boyer +- CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) + * Thu Jun 06 2013 Josh Boyer - CVE-2013-2148 fanotify: info leak in copy_event_to_user (rhbz 971258 971261) - CVE-2013-2147 cpqarray/cciss: information leak via ioctl (rhbz 971242 971249) From 692bbe5871786574387bfb2982f2d51bb4c9e482 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 7 Jun 2013 08:23:01 -0400 Subject: [PATCH 110/468] CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662) --- ...ot-pass-disk-names-as-format-strings.patch | 64 +++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 71 insertions(+) create mode 100644 block-do-not-pass-disk-names-as-format-strings.patch diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch new file mode 100644 index 000000000..496111dcd --- /dev/null +++ b/block-do-not-pass-disk-names-as-format-strings.patch @@ -0,0 +1,64 @@ +Disk names may contain arbitrary strings, so they must not be interpreted +as format strings. It seems that only md allows arbitrary strings to be +used for disk names, but this could allow for a local memory corruption +from uid 0 into ring 0. + +CVE-2013-2851 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Cc: Jens Axboe +--- + block/genhd.c | 2 +- + drivers/block/nbd.c | 3 ++- + drivers/scsi/osd/osd_uld.c | 2 +- + 3 files changed, 4 insertions(+), 3 deletions(-) + +diff --git a/block/genhd.c b/block/genhd.c +index 20625ee..cdeb527 100644 +--- a/block/genhd.c ++++ b/block/genhd.c +@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) + + ddev->parent = disk->driverfs_dev; + +- dev_set_name(ddev, disk->disk_name); ++ dev_set_name(ddev, "%s", disk->disk_name); + + /* delay uevents, until we scanned partition table */ + dev_set_uevent_suppress(ddev, 1); +diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c +index 037288e..46b35f7 100644 +--- a/drivers/block/nbd.c ++++ b/drivers/block/nbd.c +@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, + else + blk_queue_flush(nbd->disk->queue, 0); + +- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); ++ thread = kthread_create(nbd_thread, nbd, "%s", ++ nbd->disk->disk_name); + if (IS_ERR(thread)) { + mutex_lock(&nbd->tx_lock); + return PTR_ERR(thread); +diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c +index 0fab6b5..9d86947 100644 +--- a/drivers/scsi/osd/osd_uld.c ++++ b/drivers/scsi/osd/osd_uld.c +@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) + oud->class_dev.class = &osd_uld_class; + oud->class_dev.parent = dev; + oud->class_dev.release = __remove; +- error = dev_set_name(&oud->class_dev, disk->disk_name); ++ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); + if (error) { + OSD_ERR("dev_set_name failed => %d\n", error); + goto err_put_cdev; +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index ae26788b4..9dae94e08 100644 --- a/kernel.spec +++ b/kernel.spec @@ -789,6 +789,9 @@ Patch25033: fanotify-info-leak-in-copy_event_to_user.patch #CVE-2013-2852 rhbz 969518 971665 Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch +#CVE-2013-2851 rhbz 969515 971662 +Patch25035: block-do-not-pass-disk-names-as-format-strings.patch + # END OF PATCH DEFINITIONS %endif @@ -1524,6 +1527,9 @@ ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch #CVE-2013-2852 rhbz 969518 971665 ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch +#CVE-2013-2851 rhbz 969515 971662 +ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch + # END OF PATCH APPLICATIONS %endif @@ -2352,6 +2358,7 @@ fi %changelog * Fri Jun 07 2013 Josh Boyer +- CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662) - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) * Thu Jun 06 2013 Josh Boyer From ae14b143188917449740bac0cde0a7198e23b495 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 10 Jun 2013 07:28:01 -0400 Subject: [PATCH 111/468] Linux v3.9.5 --- ...et-fix-heap-buffer-overflow-on-error.patch | 63 ------------------- iwlwifi-dvm-fix-memset.patch | 39 ------------ kernel.spec | 17 ++--- sources | 2 +- 4 files changed, 6 insertions(+), 115 deletions(-) delete mode 100644 iscsi-target-fix-heap-buffer-overflow-on-error.patch delete mode 100644 iwlwifi-dvm-fix-memset.patch diff --git a/iscsi-target-fix-heap-buffer-overflow-on-error.patch b/iscsi-target-fix-heap-buffer-overflow-on-error.patch deleted file mode 100644 index 7b368122d..000000000 --- a/iscsi-target-fix-heap-buffer-overflow-on-error.patch +++ /dev/null @@ -1,63 +0,0 @@ -From cea4dcfdad926a27a18e188720efe0f2c9403456 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Thu, 23 May 2013 17:32:17 +0000 -Subject: iscsi-target: fix heap buffer overflow on error - -If a key was larger than 64 bytes, as checked by iscsi_check_key(), the -error response packet, generated by iscsi_add_notunderstood_response(), -would still attempt to copy the entire key into the packet, overflowing -the structure on the heap. - -Remote preauthentication kernel memory corruption was possible if a -target was configured and listening on the network. - -CVE-2013-2850 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Nicholas Bellinger ---- -diff --git a/drivers/target/iscsi/iscsi_target_parameters.c b/drivers/target/iscsi/iscsi_target_parameters.c -index c2185fc..e382221 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.c -+++ b/drivers/target/iscsi/iscsi_target_parameters.c -@@ -758,9 +758,9 @@ static int iscsi_add_notunderstood_response( - } - INIT_LIST_HEAD(&extra_response->er_list); - -- strncpy(extra_response->key, key, strlen(key) + 1); -- strncpy(extra_response->value, NOTUNDERSTOOD, -- strlen(NOTUNDERSTOOD) + 1); -+ strlcpy(extra_response->key, key, sizeof(extra_response->key)); -+ strlcpy(extra_response->value, NOTUNDERSTOOD, -+ sizeof(extra_response->value)); - - list_add_tail(&extra_response->er_list, - ¶m_list->extra_response_list); -@@ -1629,8 +1629,6 @@ int iscsi_decode_text_input( - - if (phase & PHASE_SECURITY) { - if (iscsi_check_for_auth_key(key) > 0) { -- char *tmpptr = key + strlen(key); -- *tmpptr = '='; - kfree(tmpbuf); - return 1; - } -diff --git a/drivers/target/iscsi/iscsi_target_parameters.h b/drivers/target/iscsi/iscsi_target_parameters.h -index 915b067..a47046a 100644 ---- a/drivers/target/iscsi/iscsi_target_parameters.h -+++ b/drivers/target/iscsi/iscsi_target_parameters.h -@@ -1,8 +1,10 @@ - #ifndef ISCSI_PARAMETERS_H - #define ISCSI_PARAMETERS_H - -+#include -+ - struct iscsi_extra_response { -- char key[64]; -+ char key[KEY_MAXLEN]; - char value[32]; - struct list_head er_list; - } ____cacheline_aligned; --- -cgit v0.9.2 diff --git a/iwlwifi-dvm-fix-memset.patch b/iwlwifi-dvm-fix-memset.patch deleted file mode 100644 index ef063f2a9..000000000 --- a/iwlwifi-dvm-fix-memset.patch +++ /dev/null @@ -1,39 +0,0 @@ -From: Emmanuel Grumbach - -In 63b77bf489881747c5118476918cc8c29378ee63 - - iwlwifi: dvm: don't send zeroed LQ cmd - -I tried to avoid to send zeroed LQ cmd, but I made a (very) -stupid mistake in the memcmp. -Since this patch has been ported to stable, the fix should -go to stable too. - -This fixes https://bugzilla.kernel.org/show_bug.cgi?id=58341 - -Change-Id: I0af4b3fdd537a1f674e85eb02dc0f5b5ac1ee7ac -Cc: stable@vger.kernel.org -Reported-by: Hinnerk van Bruinehsen -Signed-off-by: Emmanuel Grumbach ---- -Josh, this fix ugly -stable 3.8, 3.9 regression, please apply. - - drivers/net/wireless/iwlwifi/dvm/sta.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/sta.c b/drivers/net/wireless/iwlwifi/dvm/sta.c -index 5175368..8212097 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/sta.c -+++ b/drivers/net/wireless/iwlwifi/dvm/sta.c -@@ -735,7 +735,7 @@ void iwl_restore_stations(struct iwl_priv *priv, struct iwl_rxon_context *ctx) - memcpy(&lq, priv->stations[i].lq, - sizeof(struct iwl_link_quality_cmd)); - -- if (!memcmp(&lq, &zero_lq, sizeof(lq))) -+ if (memcmp(&lq, &zero_lq, sizeof(lq))) - send_lq = true; - } - spin_unlock_bh(&priv->sta_lock); --- -1.7.10.4 - diff --git a/kernel.spec b/kernel.spec index 9dae94e08..7e55da827 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 303 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -760,17 +760,12 @@ Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch Patch25027: powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch Patch25029: powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch -Patch25022: iwlwifi-dvm-fix-memset.patch - #rhbz 964367 Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2850 rhbz 968036 969272 -Patch25025: iscsi-target-fix-heap-buffer-overflow-on-error.patch - #rhbz 964335 Patch25026: Modify-UEFI-anti-bricking-code.patch @@ -1498,17 +1493,12 @@ ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch ApplyPatch powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch ApplyPatch powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch -ApplyPatch iwlwifi-dvm-fix-memset.patch - #rhbz 964367 ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2850 rhbz 968036 969272 -ApplyPatch iscsi-target-fix-heap-buffer-overflow-on-error.patch - #rhbz 964335 ApplyPatch Modify-UEFI-anti-bricking-code.patch @@ -2357,6 +2347,9 @@ fi # and build. %changelog +* Mon Jun 10 2013 Josh Boyer +- Linux v3.9.5 + * Fri Jun 07 2013 Josh Boyer - CVE-2013-2851 block: passing disk names as format strings (rhbz 969515 971662) - CVE-2013-2852 b43: format string leaking into error msgs (rhbz 969518 971665) diff --git a/sources b/sources index 50d708523..2e345eb6b 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -922c4553299e6692a28761d3032fc012 patch-3.9.4.xz +aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz From f259b76a836bed3e9e69b2a6178cfd82feff75d6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 10 Jun 2013 07:50:56 -0400 Subject: [PATCH 112/468] Apply scsi lockdep patch for powerpc IPR issues (rhbz 954252) --- kernel.spec | 7 ++ ...q-lock-inversion-dependency-detected.patch | 83 +++++++++++++++++++ 2 files changed, 90 insertions(+) create mode 100644 scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch diff --git a/kernel.spec b/kernel.spec index 7e55da827..9de973f47 100644 --- a/kernel.spec +++ b/kernel.spec @@ -787,6 +787,9 @@ Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch #CVE-2013-2851 rhbz 969515 971662 Patch25035: block-do-not-pass-disk-names-as-format-strings.patch +#rhbz 954252 +Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch + # END OF PATCH DEFINITIONS %endif @@ -1520,6 +1523,9 @@ ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch #CVE-2013-2851 rhbz 969515 971662 ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch +#rhbz 954252 +ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch + # END OF PATCH APPLICATIONS %endif @@ -2348,6 +2354,7 @@ fi %changelog * Mon Jun 10 2013 Josh Boyer +- Apply scsi lockdep patch for powerpc IPR issues (rhbz 954252) - Linux v3.9.5 * Fri Jun 07 2013 Josh Boyer diff --git a/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch b/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch new file mode 100644 index 000000000..d89b9f8e8 --- /dev/null +++ b/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch @@ -0,0 +1,83 @@ +When enable lockdep, seeing "possible irq lock inversion dependency detected" +error. This patch fixes the issue. + +Signed-off-by: Wen Xiong +--- + drivers/scsi/ipr.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +Index: b/drivers/scsi/ipr.c +=================================================================== +--- a/drivers/scsi/ipr.c 2013-05-20 09:55:23.000000000 -0500 ++++ b/drivers/scsi/ipr.c 2013-05-20 10:00:34.548380858 -0500 +@@ -9408,7 +9408,7 @@ static int ipr_probe_ioa(struct pci_dev + void __iomem *ipr_regs; + int rc = PCIBIOS_SUCCESSFUL; + volatile u32 mask, uproc, interrupts; +- unsigned long lock_flags; ++ unsigned long lock_flags, driver_lock_flags; + + ENTER; + +@@ -9631,9 +9631,9 @@ static int ipr_probe_ioa(struct pci_dev + } else + ioa_cfg->reset = ipr_reset_start_bist; + +- spin_lock(&ipr_driver_lock); ++ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); + list_add_tail(&ioa_cfg->queue, &ipr_ioa_head); +- spin_unlock(&ipr_driver_lock); ++ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); + + LEAVE; + out: +@@ -9716,6 +9716,7 @@ static void __ipr_remove(struct pci_dev + unsigned long host_lock_flags = 0; + struct ipr_ioa_cfg *ioa_cfg = pci_get_drvdata(pdev); + int i; ++ unsigned long driver_lock_flags; + ENTER; + + spin_lock_irqsave(ioa_cfg->host->host_lock, host_lock_flags); +@@ -9739,9 +9740,9 @@ static void __ipr_remove(struct pci_dev + INIT_LIST_HEAD(&ioa_cfg->used_res_q); + spin_lock_irqsave(ioa_cfg->host->host_lock, host_lock_flags); + +- spin_lock(&ipr_driver_lock); ++ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); + list_del(&ioa_cfg->queue); +- spin_unlock(&ipr_driver_lock); ++ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); + + if (ioa_cfg->sdt_state == ABORT_DUMP) + ioa_cfg->sdt_state = WAIT_FOR_DUMP; +@@ -10007,12 +10008,12 @@ static int ipr_halt(struct notifier_bloc + { + struct ipr_cmnd *ipr_cmd; + struct ipr_ioa_cfg *ioa_cfg; +- unsigned long flags = 0; ++ unsigned long flags = 0, driver_lock_flags; + + if (event != SYS_RESTART && event != SYS_HALT && event != SYS_POWER_OFF) + return NOTIFY_DONE; + +- spin_lock(&ipr_driver_lock); ++ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); + + list_for_each_entry(ioa_cfg, &ipr_ioa_head, queue) { + spin_lock_irqsave(ioa_cfg->host->host_lock, flags); +@@ -10030,7 +10031,7 @@ static int ipr_halt(struct notifier_bloc + ipr_do_req(ipr_cmd, ipr_halt_done, ipr_timeout, IPR_DEVICE_RESET_TIMEOUT); + spin_unlock_irqrestore(ioa_cfg->host->host_lock, flags); + } +- spin_unlock(&ipr_driver_lock); ++ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); + + return NOTIFY_OK; + } + +-- +-- +To unsubscribe from this list: send the line "unsubscribe linux-scsi" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From 84cc627730dee5ebe76ef8cdd307eeaeb626bbd0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 10 Jun 2013 10:04:12 -0400 Subject: [PATCH 113/468] Add patch to fix 3.9.5 build on powerpc --- kernel.spec | 6 ++++++ powerpc-3.9.5-fix.patch | 13 +++++++++++++ 2 files changed, 19 insertions(+) create mode 100644 powerpc-3.9.5-fix.patch diff --git a/kernel.spec b/kernel.spec index 9de973f47..9ec3def06 100644 --- a/kernel.spec +++ b/kernel.spec @@ -790,6 +790,9 @@ Patch25035: block-do-not-pass-disk-names-as-format-strings.patch #rhbz 954252 Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch +# Fix for build failure on powerpc in 3.9.5 +Patch25037: powerpc-3.9.5-fix.patch + # END OF PATCH DEFINITIONS %endif @@ -1526,6 +1529,9 @@ ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch #rhbz 954252 ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch +# Fix for build failure on powerpc in 3.9.5 +ApplyPatch powerpc-3.9.5-fix.patch + # END OF PATCH APPLICATIONS %endif diff --git a/powerpc-3.9.5-fix.patch b/powerpc-3.9.5-fix.patch new file mode 100644 index 000000000..5cc7e4fa0 --- /dev/null +++ b/powerpc-3.9.5-fix.patch @@ -0,0 +1,13 @@ +diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c +index 1c22b2d..29857c6 100644 +--- a/arch/powerpc/kernel/traps.c ++++ b/arch/powerpc/kernel/traps.c +@@ -1151,7 +1151,7 @@ void alignment_exception(struct pt_regs *regs) + local_irq_enable(); + + if (tm_abort_check(regs, TM_CAUSE_ALIGNMENT | TM_CAUSE_PERSISTENT)) +- goto bail; ++ return; + + /* we don't implement logging of alignment exceptions */ + if (!(current->thread.align_ctl & PR_UNALIGN_SIGBUS)) From 74d4b19534137a6902a2ce4191dd2876751acedb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 10 Jun 2013 10:08:38 -0400 Subject: [PATCH 114/468] Add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 9ec3def06..464a7dd70 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2359,7 +2359,7 @@ fi # and build. %changelog -* Mon Jun 10 2013 Josh Boyer +* Mon Jun 10 2013 Josh Boyer - 3.9.5-300 - Apply scsi lockdep patch for powerpc IPR issues (rhbz 954252) - Linux v3.9.5 From 179c177680cbfafb5f665d8944325a41f46cec36 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 08:06:36 -0400 Subject: [PATCH 115/468] CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) --- cdrom-use-kzalloc-for-failing-hardware.patch | 45 ++++++++++++++++++++ kernel.spec | 11 ++++- 2 files changed, 55 insertions(+), 1 deletion(-) create mode 100644 cdrom-use-kzalloc-for-failing-hardware.patch diff --git a/cdrom-use-kzalloc-for-failing-hardware.patch b/cdrom-use-kzalloc-for-failing-hardware.patch new file mode 100644 index 000000000..6afb6c4d8 --- /dev/null +++ b/cdrom-use-kzalloc-for-failing-hardware.patch @@ -0,0 +1,45 @@ +From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001 +From: Jonathan Salwan +Date: Thu, 06 Jun 2013 00:39:39 +0000 +Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware + +In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory +area with kmalloc in line 2885. + +2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); +2886 if (cgc->buffer == NULL) +2887 return -ENOMEM; + +In line 2908 we can find the copy_to_user function: + +2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) + +The cgc->buffer is never cleaned and initialized before this function. If +ret = 0 with the previous basic block, it's possible to display some +memory bytes in kernel space from userspace. + +When we read a block from the disk it normally fills the ->buffer but if +the drive is malfunctioning there is a chance that it would only be +partially filled. The result is an leak information to userspace. + +Signed-off-by: Dan Carpenter +Cc: Jens Axboe +Signed-off-by: Andrew Morton +--- +(limited to 'drivers/cdrom/cdrom.c') + +diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c +index d620b44..8a3aff7 100644 +--- a/drivers/cdrom/cdrom.c ++++ b/drivers/cdrom/cdrom.c +@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, + if (lba < 0) + return -EINVAL; + +- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); ++ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); + if (cgc->buffer == NULL) + return -ENOMEM; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 464a7dd70..0d0a276b2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -793,6 +793,9 @@ Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch # Fix for build failure on powerpc in 3.9.5 Patch25037: powerpc-3.9.5-fix.patch +#CVE-2013-2164 rhbz 973100 973109 +Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch + # END OF PATCH DEFINITIONS %endif @@ -1532,6 +1535,9 @@ ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch # Fix for build failure on powerpc in 3.9.5 ApplyPatch powerpc-3.9.5-fix.patch +#CVE-2013-2164 rhbz 973100 973109 +ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch + # END OF PATCH APPLICATIONS %endif @@ -2359,6 +2365,9 @@ fi # and build. %changelog +* Tue Jun 11 2013 Josh Boyer +- CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) + * Mon Jun 10 2013 Josh Boyer - 3.9.5-300 - Apply scsi lockdep patch for powerpc IPR issues (rhbz 954252) - Linux v3.9.5 From b0ef6b5009713b5e9bcda0171c5bacce0a1fbc5a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 09:26:41 -0400 Subject: [PATCH 116/468] Add two patches to fix issues with vhost_net and macvlan (rhbz 954181) --- kernel.spec | 10 ++++ ...p-set-SOCK_ZEROCOPY-flag-during-open.patch | 26 ++++++++ ...trol-for-non-zerocopy-case-during-tx.patch | 60 +++++++++++++++++++ 3 files changed, 96 insertions(+) create mode 100644 tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch create mode 100644 vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch diff --git a/kernel.spec b/kernel.spec index 0d0a276b2..9cdc721ac 100644 --- a/kernel.spec +++ b/kernel.spec @@ -796,6 +796,11 @@ Patch25037: powerpc-3.9.5-fix.patch #CVE-2013-2164 rhbz 973100 973109 Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch +#rhbz 954181 +Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch +Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch + + # END OF PATCH DEFINITIONS %endif @@ -1538,6 +1543,10 @@ ApplyPatch powerpc-3.9.5-fix.patch #CVE-2013-2164 rhbz 973100 973109 ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch +#rhbz 954181 +ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch +ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch + # END OF PATCH APPLICATIONS %endif @@ -2366,6 +2375,7 @@ fi %changelog * Tue Jun 11 2013 Josh Boyer +- Add two patches to fix issues with vhost_net and macvlan (rhbz 954181) - CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) * Mon Jun 10 2013 Josh Boyer - 3.9.5-300 diff --git a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch b/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch new file mode 100644 index 000000000..75de6ccce --- /dev/null +++ b/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch @@ -0,0 +1,26 @@ +tuntap: set SOCK_ZEROCOPY flag during open + +Commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990 +(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will +prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting +it during file open. + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin + +--- + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 89776c5..ff5312d 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -2159,6 +2159,8 @@ static int tun_chr_open(struct inode *inode, struct file * file) + set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags); + INIT_LIST_HEAD(&tfile->next); + ++ sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); ++ + return 0; + } + diff --git a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch b/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch new file mode 100644 index 000000000..4455bbc0b --- /dev/null +++ b/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch @@ -0,0 +1,60 @@ +From 3add6ae9e1b854a9ddbe0dc17ff4ec48a2dac9fe Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 5 Jun 2013 07:40:46 +0000 +Subject: [PATCH] vhost_net: clear msg.control for non-zerocopy case during tx + +When we decide not use zero-copy, msg.control should be set to NULL otherwise +macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs +wrongly. + +Bug were introduced by commit cedb9bdce099206290a2bdd02ce47a7b253b6a84 +(vhost-net: skip head management if no outstanding). + +This solves the following warnings: + +WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]() +Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun] +CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566 +Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011 +ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48 +ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0 +ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58 +Call Trace: +[] dump_stack+0x19/0x1e +[] warn_slowpath_common+0x6b/0xa0 +[] warn_slowpath_null+0x15/0x20 +[] handle_tx+0x477/0x4b0 [vhost_net] +[] handle_tx_kick+0x10/0x20 [vhost_net] +[] vhost_worker+0xfe/0x1a0 [vhost_net] +[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] +[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] +[] kthread+0xc6/0xd0 +[] ? kthread_freezable_should_stop+0x70/0x70 +[] ret_from_fork+0x7c/0xb0 +[] ? kthread_freezable_should_stop+0x70/0x70 + +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +--- + drivers/vhost/net.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index ec6fb3f..3980e66 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -353,7 +353,9 @@ static void handle_tx(struct vhost_net *net) + kref_get(&ubufs->kref); + } + vq->upend_idx = (vq->upend_idx + 1) % UIO_MAXIOV; +- } ++ } else ++ msg.msg_control = NULL; ++ + /* TODO: Check specific error and bomb out unless ENOBUFS? */ + err = sock->ops->sendmsg(NULL, sock, &msg, len); + if (unlikely(err < 0)) { +-- +1.8.1.4 + From eec175726c0330214f8ec21967b0c619373ab979 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 14:51:35 -0400 Subject: [PATCH 117/468] Add patches to fix MTRR issues in 3.9.5 (rhbz 973185) --- kernel.spec | 8 ++ ...inal-mtrr-range-get-for-mtrr_cleanup.patch | 63 ++++++++++++++++ x86-range-make-add_range-use-blank-slot.patch | 73 +++++++++++++++++++ 3 files changed, 144 insertions(+) create mode 100644 x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch create mode 100644 x86-range-make-add_range-use-blank-slot.patch diff --git a/kernel.spec b/kernel.spec index 9cdc721ac..faeb8c37d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -800,6 +800,9 @@ Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch +#rhbz 973185 +Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch +Patch25042: x86-range-make-add_range-use-blank-slot.patch # END OF PATCH DEFINITIONS @@ -1547,6 +1550,10 @@ ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch +#rhbz 973185 +ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch +ApplyPatch x86-range-make-add_range-use-blank-slot.patch + # END OF PATCH APPLICATIONS %endif @@ -2375,6 +2382,7 @@ fi %changelog * Tue Jun 11 2013 Josh Boyer +- Add patches to fix MTRR issues in 3.9.5 (rhbz 973185) - Add two patches to fix issues with vhost_net and macvlan (rhbz 954181) - CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) diff --git a/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch b/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch new file mode 100644 index 000000000..7c8b930f7 --- /dev/null +++ b/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch @@ -0,0 +1,63 @@ +Joshua reported: Commit cd7b304dfaf1 (x86, range: fix missing merge +during add range) broke mtrr cleanup on his setup in 3.9.5. +corresponding commit in upstream is fbe06b7bae7c. + + *BAD*gran_size: 64K chunk_size: 16M num_reg: 6 lose cover RAM: -0G + +https://bugzilla.kernel.org/show_bug.cgi?id=59491 + +So it rejects new var mtrr layout. + +It turns out we have some problem with initial mtrr range retrievel. +current sequence is: + x86_get_mtrr_mem_range + ==> bunchs of add_range_with_merge + ==> bunchs of subract_range + ==> clean_sort_range + add_range_with_merge for [0,1M) + sort_range() + +add_range_with_merge could have blank slots, so we can not just +sort only, that will have final result have extra blank slot in head. + +So move that calling add_range_with_merge for [0,1M), with that we +could avoid extra clean_sort_range calling. + +Reported-by: Joshua Covington +Tested-by: Joshua Covington +Signed-off-by: Yinghai Lu +Cc: v3.9 + +--- + arch/x86/kernel/cpu/mtrr/cleanup.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +Index: linux-2.6/arch/x86/kernel/cpu/mtrr/cleanup.c +=================================================================== +--- linux-2.6.orig/arch/x86/kernel/cpu/mtrr/cleanup.c ++++ linux-2.6/arch/x86/kernel/cpu/mtrr/cleanup.c +@@ -714,15 +714,15 @@ int __init mtrr_cleanup(unsigned address + if (mtrr_tom2) + x_remove_size = (mtrr_tom2 >> PAGE_SHIFT) - x_remove_base; + +- nr_range = x86_get_mtrr_mem_range(range, 0, x_remove_base, x_remove_size); + /* + * [0, 1M) should always be covered by var mtrr with WB + * and fixed mtrrs should take effect before var mtrr for it: + */ +- nr_range = add_range_with_merge(range, RANGE_NUM, nr_range, 0, ++ nr_range = add_range_with_merge(range, RANGE_NUM, 0, 0, + 1ULL<<(20 - PAGE_SHIFT)); +- /* Sort the ranges: */ +- sort_range(range, nr_range); ++ /* add from var mtrr at last */ ++ nr_range = x86_get_mtrr_mem_range(range, nr_range, ++ x_remove_base, x_remove_size); + + range_sums = sum_ranges(range, nr_range); + printk(KERN_INFO "total RAM covered: %ldM\n", +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ \ No newline at end of file diff --git a/x86-range-make-add_range-use-blank-slot.patch b/x86-range-make-add_range-use-blank-slot.patch new file mode 100644 index 000000000..8a04f4f5c --- /dev/null +++ b/x86-range-make-add_range-use-blank-slot.patch @@ -0,0 +1,73 @@ +Now add_range_with_merge will generate blank slot as subtract_range. +we could reach the array limit because of blank slots. + +We can let add_range to have second try to use blank slot. + +Also use WARN_ONCE to print trace. + +Reported-by: Joshua Covington +Signed-off-by: Yinghai Lu +Cc: v3.9 +--- + kernel/range.c | 34 ++++++++++++++++++++++------------ + 1 file changed, 22 insertions(+), 12 deletions(-) + +diff --git a/kernel/range.c b/kernel/range.c +index 98883ed..8ca718a 100644 +--- a/kernel/range.c ++++ b/kernel/range.c +@@ -3,23 +3,34 @@ + */ + #include + #include ++#include + #include +- + #include + + int add_range(struct range *range, int az, int nr_range, u64 start, u64 end) + { +- if (start >= end) +- return nr_range; ++ int i; + +- /* Out of slots: */ +- if (nr_range >= az) ++ if (start >= end) + return nr_range; + +- range[nr_range].start = start; +- range[nr_range].end = end; ++ /* Out of slots ? */ ++ if (nr_range < az) { ++ i = nr_range; ++ nr_range++; ++ } else { ++ /* find blank slot */ ++ for (i = 0; i < az; i++) ++ if (!range[i].end) ++ break; ++ if (i == az) { ++ WARN_ONCE(1, "run out of slot in ranges\n"); ++ return az; ++ } ++ } + +- nr_range++; ++ range[i].start = start; ++ range[i].end = end; + + return nr_range; + } +@@ -99,7 +110,7 @@ void subtract_range(struct range *range, int az, u64 start, u64 end) + range[i].end = range[j].end; + range[i].start = end; + } else { +- printk(KERN_ERR "run of slot in ranges\n"); ++ WARN_ONCE(1,"run of slot in ranges\n"); + } + range[j].end = start; + continue; +-- +1.8.1.4 + From c3faf8e85897df3ff4a34d11cda238ba785de8f6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 15:18:09 -0400 Subject: [PATCH 118/468] Add two patches to fix vfio device permissions (rhbz 967230) --- kernel.spec | 9 ++++++ vfio-Set-container-device-mode.patch | 41 ++++++++++++++++++++++++++++ vfio-fix-crash-on-rmmod.patch | 32 ++++++++++++++++++++++ 3 files changed, 82 insertions(+) create mode 100644 vfio-Set-container-device-mode.patch create mode 100644 vfio-fix-crash-on-rmmod.patch diff --git a/kernel.spec b/kernel.spec index faeb8c37d..b8934c92c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -804,6 +804,10 @@ Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch Patch25042: x86-range-make-add_range-use-blank-slot.patch +#rhbz 967230 +Patch25043: vfio-Set-container-device-mode.patch +Patch25044: vfio-fix-crash-on-rmmod.patch + # END OF PATCH DEFINITIONS %endif @@ -1554,6 +1558,10 @@ ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch ApplyPatch x86-range-make-add_range-use-blank-slot.patch +#rhbz 967230 +ApplyPatch vfio-Set-container-device-mode.patch +ApplyPatch vfio-fix-crash-on-rmmod.patch + # END OF PATCH APPLICATIONS %endif @@ -2382,6 +2390,7 @@ fi %changelog * Tue Jun 11 2013 Josh Boyer +- Add two patches to fix vfio device permissions (rhbz 967230) - Add patches to fix MTRR issues in 3.9.5 (rhbz 973185) - Add two patches to fix issues with vhost_net and macvlan (rhbz 954181) - CVE-2013-2164 information leak in cdrom driver (rhbz 973100 973109) diff --git a/vfio-Set-container-device-mode.patch b/vfio-Set-container-device-mode.patch new file mode 100644 index 000000000..68e825a28 --- /dev/null +++ b/vfio-Set-container-device-mode.patch @@ -0,0 +1,41 @@ +From 664e9386bd05dbdfecfb28d6cf2fde983aabc65c Mon Sep 17 00:00:00 2001 +From: Alex Williamson +Date: Tue, 30 Apr 2013 15:42:28 -0600 +Subject: [PATCH] vfio: Set container device mode + +Minor 0 is the VFIO container device (/dev/vfio/vfio). On it's own +the container does not provide a user with any privileged access. It +only supports API version check and extension check ioctls. Only by +attaching a VFIO group to the container does it gain any access. Set +the mode of the container to allow access. + +Signed-off-by: Alex Williamson +--- + drivers/vfio/vfio.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index ac7423b..acb7121 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -27,6 +27,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -1359,6 +1360,9 @@ static const struct file_operations vfio_device_fops = { + */ + static char *vfio_devnode(struct device *dev, umode_t *mode) + { ++ if (MINOR(dev->devt) == 0) ++ *mode = S_IRUGO | S_IWUGO; ++ + return kasprintf(GFP_KERNEL, "vfio/%s", dev_name(dev)); + } + +-- +1.8.1.4 + diff --git a/vfio-fix-crash-on-rmmod.patch b/vfio-fix-crash-on-rmmod.patch new file mode 100644 index 000000000..9f89b4d36 --- /dev/null +++ b/vfio-fix-crash-on-rmmod.patch @@ -0,0 +1,32 @@ +From 9a6aa279d3d17af73a029fa40654e92f4e75e8bb Mon Sep 17 00:00:00 2001 +From: Alexey Kardashevskiy +Date: Wed, 5 Jun 2013 08:54:16 -0600 +Subject: [PATCH] vfio: fix crash on rmmod + +devtmpfs_delete_node() calls devnode() callback with mode==NULL but +vfio still tries to write there. + +The patch fixes this. + +Signed-off-by: Alexey Kardashevskiy +Signed-off-by: Alex Williamson +--- + drivers/vfio/vfio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c +index acb7121..6d78736 100644 +--- a/drivers/vfio/vfio.c ++++ b/drivers/vfio/vfio.c +@@ -1360,7 +1360,7 @@ static const struct file_operations vfio_device_fops = { + */ + static char *vfio_devnode(struct device *dev, umode_t *mode) + { +- if (MINOR(dev->devt) == 0) ++ if (mode && (MINOR(dev->devt) == 0)) + *mode = S_IRUGO | S_IWUGO; + + return kasprintf(GFP_KERNEL, "vfio/%s", dev_name(dev)); +-- +1.8.1.4 + From c7eebaee8856da74728de5c4acc302d674175e13 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 15:18:59 -0400 Subject: [PATCH 119/468] Temporarily disable gssproxy patches --- kernel.spec | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index b8934c92c..162514bae 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1524,7 +1524,7 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat ApplyPatch Modify-UEFI-anti-bricking-code.patch # Needed for F19 gssproxy feature -ApplyPatch gssproxy-backport.patch +#pplyPatch gssproxy-backport.patch #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -2390,6 +2390,7 @@ fi %changelog * Tue Jun 11 2013 Josh Boyer +- Temporarily disable gssproxy patches - Add two patches to fix vfio device permissions (rhbz 967230) - Add patches to fix MTRR issues in 3.9.5 (rhbz 973185) - Add two patches to fix issues with vhost_net and macvlan (rhbz 954181) From 53ce8d47d8eda101543f56d1f75d8266095f9e96 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 11 Jun 2013 15:20:21 -0400 Subject: [PATCH 120/468] Add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 162514bae..01b9efba9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2389,7 +2389,7 @@ fi # and build. %changelog -* Tue Jun 11 2013 Josh Boyer +* Tue Jun 11 2013 Josh Boyer - 3.9.5-301 - Temporarily disable gssproxy patches - Add two patches to fix vfio device permissions (rhbz 967230) - Add patches to fix MTRR issues in 3.9.5 (rhbz 973185) From 7145a233358442aa82db0f68165f94cd04c6bc0e Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 11 Jun 2013 15:58:15 -0400 Subject: [PATCH 121/468] Disable soft lockup detector on virtual machines. (rhbz 971139) --- kernel.spec | 7 +++++ nowatchdog-on-virt.patch | 67 ++++++++++++++++++++++++++++++++++++++++ 2 files changed, 74 insertions(+) create mode 100644 nowatchdog-on-virt.patch diff --git a/kernel.spec b/kernel.spec index 01b9efba9..cf516a198 100644 --- a/kernel.spec +++ b/kernel.spec @@ -698,6 +698,7 @@ Patch14000: hibernate-freeze-filesystems.patch Patch14010: lis3-improve-handling-of-null-rate.patch +Patch15000: nowatchdog-on-virt.patch # ARM Patch21000: arm-export-read_current_timer.patch @@ -1469,6 +1470,9 @@ ApplyPatch disable-i8042-check-on-apple-mac.patch ApplyPatch lis3-improve-handling-of-null-rate.patch +# Disable watchdog on virtual machines. +ApplyPatch nowatchdog-on-virt.patch + #rhbz 754518 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -2389,6 +2393,9 @@ fi # and build. %changelog +* Tue Jun 11 2013 Dave Jones +- Disable soft lockup detector on virtual machines. (rhbz 971139) + * Tue Jun 11 2013 Josh Boyer - 3.9.5-301 - Temporarily disable gssproxy patches - Add two patches to fix vfio device permissions (rhbz 967230) diff --git a/nowatchdog-on-virt.patch b/nowatchdog-on-virt.patch new file mode 100644 index 000000000..b20642204 --- /dev/null +++ b/nowatchdog-on-virt.patch @@ -0,0 +1,67 @@ +Disable watchdog on virtual machines. + +For various reasons, VMs seem to trigger the soft lockup detector a lot, +in cases where it's just not possible for a lockup to occur. +(Example: https://bugzilla.redhat.com/show_bug.cgi?id=971139) + +In some cases it seems that the host just never scheduled the app running +the VM for a very long time (Could be the host was under heavy load). + +Just disable the detector on VMs. + +Signed-off-by: Dave Jones + +diff --git a/kernel/watchdog.c b/kernel/watchdog.c +index 05039e3..a28aab9 100644 +--- a/kernel/watchdog.c ++++ b/kernel/watchdog.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -96,6 +97,32 @@ static int __init nosoftlockup_setup(char *str) + __setup("nosoftlockup", nosoftlockup_setup); + /* */ + ++static int disable_watchdog(const struct dmi_system_id *d) ++{ ++ printk(KERN_INFO "watchdog: disabled (inside virtual machine)\n"); ++ watchdog_enabled = 0; ++ return 0; ++} ++ ++static const struct dmi_system_id watchdog_virt_dmi_table[] = { ++ { ++ .callback = disable_watchdog, ++ .ident = "VMware", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "VMware, Inc."), ++ }, ++ }, ++ { ++ .callback = disable_watchdog, ++ .ident = "Bochs", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Bochs Bochs"), ++ }, ++ }, ++ {} ++}; ++ ++ + /* + * Hard-lockup warnings should be triggered after just a few seconds. Soft- + * lockups can have false positives under extreme conditions. So we generally +@@ -543,6 +570,8 @@ static struct smp_hotplug_thread watchdog_threads = { + + void __init lockup_detector_init(void) + { ++ dmi_check_system(watchdog_virt_dmi_table); ++ + set_sample_period(); + if (smpboot_register_percpu_thread(&watchdog_threads)) { + pr_err("Failed to create watchdog threads, disabled\n"); From 50566522ea54a67ae71f8101f4f657c8e614ca22 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 12 Jun 2013 07:31:43 -0400 Subject: [PATCH 122/468] Add fix for rt5390/rt3290 regression (rhbz 950735) --- kernel.spec | 9 +++ ...-RT3290-TX-power-settings-regression.patch | 71 +++++++++++++++++++ 2 files changed, 80 insertions(+) create mode 100644 rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch diff --git a/kernel.spec b/kernel.spec index cf516a198..f1bde20aa 100644 --- a/kernel.spec +++ b/kernel.spec @@ -809,6 +809,9 @@ Patch25042: x86-range-make-add_range-use-blank-slot.patch Patch25043: vfio-Set-container-device-mode.patch Patch25044: vfio-fix-crash-on-rmmod.patch +#rhbz 950735 +Patch25045: rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch + # END OF PATCH DEFINITIONS %endif @@ -1566,6 +1569,9 @@ ApplyPatch x86-range-make-add_range-use-blank-slot.patch ApplyPatch vfio-Set-container-device-mode.patch ApplyPatch vfio-fix-crash-on-rmmod.patch +#rhbz 950735 +ApplyPatch rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch + # END OF PATCH APPLICATIONS %endif @@ -2393,6 +2399,9 @@ fi # and build. %changelog +* Wed Jun 12 2013 Josh Boyer +- Add fix for rt5390/rt3290 regression (rhbz 950735) + * Tue Jun 11 2013 Dave Jones - Disable soft lockup detector on virtual machines. (rhbz 971139) diff --git a/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch b/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch new file mode 100644 index 000000000..354873950 --- /dev/null +++ b/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch @@ -0,0 +1,71 @@ +My change: + +commit cee2c7315f60beeff6137ee59e99acc77d636eeb +Author: Stanislaw Gruszka +Date: Fri Oct 5 13:44:09 2012 +0200 + + rt2800: use BBP_R1 for setting tx power + +unfortunately does not work well with RT5390 and RT3290 chips as they +require different temperature compensation TX power settings (TSSI +tuning). Since that commit make wireless connection very unstable on +those chips, restore previous behavior to fix regression. Once we +implement proper TSSI tuning on 5390/3290 we can restore back setting +TX power by BBP_R1 register for those chips. + +Reported-and-tested-by: Mike Romberg +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/rt2x00/rt2800lib.c | 29 ++++++++++++++++++----------- + 1 file changed, 18 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c +index 92849e5..8b679df 100644 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -2634,19 +2634,26 @@ static void rt2800_config_txpower(struct rt2x00_dev *rt2x00dev, + * TODO: we do not use +6 dBm option to do not increase power beyond + * regulatory limit, however this could be utilized for devices with + * CAPABILITY_POWER_LIMIT. ++ * ++ * TODO: add different temperature compensation code for RT3290 & RT5390 ++ * to allow to use BBP_R1 for those chips. + */ +- rt2800_bbp_read(rt2x00dev, 1, &r1); +- if (delta <= -12) { +- power_ctrl = 2; +- delta += 12; +- } else if (delta <= -6) { +- power_ctrl = 1; +- delta += 6; +- } else { +- power_ctrl = 0; ++ if (!rt2x00_rt(rt2x00dev, RT3290) && ++ !rt2x00_rt(rt2x00dev, RT5390)) { ++ rt2800_bbp_read(rt2x00dev, 1, &r1); ++ if (delta <= -12) { ++ power_ctrl = 2; ++ delta += 12; ++ } else if (delta <= -6) { ++ power_ctrl = 1; ++ delta += 6; ++ } else { ++ power_ctrl = 0; ++ } ++ rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl); ++ rt2800_bbp_write(rt2x00dev, 1, r1); + } +- rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl); +- rt2800_bbp_write(rt2x00dev, 1, r1); ++ + offset = TX_PWR_CFG_0; + + for (i = 0; i < EEPROM_TXPOWER_BYRATE_SIZE; i += 2) { +-- +1.7.11.7 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From 3a7f0df1919f9a4a40b00394183cdab3e673bd5d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 12 Jun 2013 07:37:50 -0400 Subject: [PATCH 123/468] Fix KVM divide by zero error (rhbz 969644) --- ...andle-idiv-overflow-at-kvm_write_tsc.patch | 45 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 52 insertions(+) create mode 100644 KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch diff --git a/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch b/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch new file mode 100644 index 000000000..678e82953 --- /dev/null +++ b/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch @@ -0,0 +1,45 @@ +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 094b5d9..64a4b03 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1194,20 +1194,37 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr) + elapsed = ns - kvm->arch.last_tsc_nsec; + + if (vcpu->arch.virtual_tsc_khz) { ++ int faulted = 0; ++ + /* n.b - signed multiplication and division required */ + usdiff = data - kvm->arch.last_tsc_write; + #ifdef CONFIG_X86_64 + usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; + #else + /* do_div() only does unsigned */ +- asm("idivl %2; xor %%edx, %%edx" +- : "=A"(usdiff) +- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); ++ asm("1: idivl %[divisor]\n" ++ "2: xor %%edx, %%edx\n" ++ " movl $0, %[faulted]\n" ++ "3:\n" ++ ".section .fixup,\"ax\"\n" ++ "4: movl $1, %[faulted]\n" ++ " jmp 3b\n" ++ ".previous\n" ++ ++ _ASM_EXTABLE(1b, 4b) ++ ++ : "=A"(usdiff), [faulted] "=r" (faulted) ++ : "A"(usdiff * 1000), [divisor] "rm"(vcpu->arch.virtual_tsc_khz)); ++ + #endif + do_div(elapsed, 1000); + usdiff -= elapsed; + if (usdiff < 0) + usdiff = -usdiff; ++ ++ /* idivl overflow => difference is larger than USEC_PER_SEC */ ++ if (faulted) ++ usdiff = USEC_PER_SEC; + } else + usdiff = USEC_PER_SEC; /* disable TSC match window below */ + diff --git a/kernel.spec b/kernel.spec index f1bde20aa..9f66807f8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -812,6 +812,9 @@ Patch25044: vfio-fix-crash-on-rmmod.patch #rhbz 950735 Patch25045: rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch +#rhbz 969644 +Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch + # END OF PATCH DEFINITIONS %endif @@ -1572,6 +1575,9 @@ ApplyPatch vfio-fix-crash-on-rmmod.patch #rhbz 950735 ApplyPatch rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch +#rhbz 969644 +ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch + # END OF PATCH APPLICATIONS %endif @@ -2400,6 +2406,7 @@ fi %changelog * Wed Jun 12 2013 Josh Boyer +- Fix KVM divide by zero error (rhbz 969644) - Add fix for rt5390/rt3290 regression (rhbz 950735) * Tue Jun 11 2013 Dave Jones From 924c09ec5f562913fac5aca4411e1c58860bc4a4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 12 Jun 2013 09:12:37 -0400 Subject: [PATCH 124/468] Update gssproxy patches - Fix KVM divide by zero error (rhbz 969644) - Add fix for rt5390/rt3290 regression (rhbz 950735) --- gssproxy-backport.patch | 188 +++++++++++++++++++++++++++++++++++++--- kernel.spec | 5 +- 2 files changed, 178 insertions(+), 15 deletions(-) diff --git a/gssproxy-backport.patch b/gssproxy-backport.patch index 05efe2794..17640009c 100644 --- a/gssproxy-backport.patch +++ b/gssproxy-backport.patch @@ -1,7 +1,7 @@ From 7e5eee0a24ea886a0b68a8521117c5ef97668443 Mon Sep 17 00:00:00 2001 From: Trond Myklebust Date: Sun, 14 Apr 2013 11:42:00 -0400 -Subject: [PATCH 01/13] SUNRPC: Allow rpc_create() to request that TCP slots be +Subject: [PATCH 01/16] SUNRPC: Allow rpc_create() to request that TCP slots be unlimited This is mainly for use by NFSv4.1, where the session negotiation @@ -87,7 +87,7 @@ index 3d02130..b08d314 100644 From 932c7301413eb94f7b60efaa1a80cb8cf0264459 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Thu, 21 Feb 2013 10:14:22 -0500 -Subject: [PATCH 02/13] SUNRPC: attempt AF_LOCAL connect on setup +Subject: [PATCH 02/16] SUNRPC: attempt AF_LOCAL connect on setup In the gss-proxy case, setup time is when I know I'll have the right namespace for the connect. @@ -122,7 +122,7 @@ index b08d314..867ce36 100644 From 915d3592cc8718cc3e83164bb78c532d3a7d1f00 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Thu, 11 Apr 2013 15:06:36 -0400 -Subject: [PATCH 03/13] SUNRPC: allow disabling idle timeout +Subject: [PATCH 03/16] SUNRPC: allow disabling idle timeout In the gss-proxy case we don't want to have to reconnect at random--we want to connect only on gss-proxy startup when we can steal gss-proxy's @@ -196,7 +196,7 @@ index b7478d5..33fac38 100644 From faa25a9e80ab40a0e923011771aca6a1ddeea30d Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 25 May 2012 18:09:53 -0400 -Subject: [PATCH 04/13] SUNRPC: conditionally return endtime from +Subject: [PATCH 04/16] SUNRPC: conditionally return endtime from import_sec_context We expose this parameter for a future caller. @@ -315,7 +315,7 @@ index 5ead605..20eedec 100644 From ffc614331a36038700b7bc13bc2da6b8f120b9d6 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 25 May 2012 18:09:55 -0400 -Subject: [PATCH 05/13] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth +Subject: [PATCH 05/16] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth This patch implements a sunrpc client to use the services of the gssproxy userspace daemon. @@ -1925,7 +1925,7 @@ index ce7bd44..e9f8895 100644 From f682043df7bb81715124c82e9cea8bc68ded9667 Mon Sep 17 00:00:00 2001 From: Simo Sorce Date: Fri, 25 May 2012 18:09:56 -0400 -Subject: [PATCH 06/13] SUNRPC: Use gssproxy upcall for server RPCGSS +Subject: [PATCH 06/16] SUNRPC: Use gssproxy upcall for server RPCGSS authentication. The main advantge of this new upcall mechanism is that it can handle @@ -2516,7 +2516,7 @@ index e9f8895..7111a4c 100644 From 06404241b88b51c50427b833268d7cad7dec30f5 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Mon, 29 Apr 2013 17:03:31 -0400 -Subject: [PATCH 07/13] SUNRPC: define +Subject: [PATCH 07/16] SUNRPC: define {create,destroy}_use_gss_proxy_proc_entry in !PROC case Though I wonder whether we should really just depend on CONFIG_PROC_FS @@ -2570,7 +2570,7 @@ index 58f5bc3..71446b6 100644 From 3cc961ce9784f0b4a9cb21217dd4a8403efc220d Mon Sep 17 00:00:00 2001 From: Fengguang Wu Date: Mon, 29 Apr 2013 17:19:48 -0400 -Subject: [PATCH 08/13] SUNRPC: gssp_procedures[] can be static +Subject: [PATCH 08/16] SUNRPC: gssp_procedures[] can be static Cc: Simo Sorce Signed-off-by: Fengguang Wu @@ -2598,7 +2598,7 @@ index 3f874d7..98818d6 100644 From d6afcafd515bbf16e39817170cd212a7debd8959 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Mon, 29 Apr 2013 18:21:29 -0400 -Subject: [PATCH 09/13] svcrpc: fix gss-proxy to respect user namespaces +Subject: [PATCH 09/16] svcrpc: fix gss-proxy to respect user namespaces Signed-off-by: J. Bruce Fields --- @@ -2659,7 +2659,7 @@ index d0ccdff..5c4c61d 100644 From e4f7a037aa575bdbe6d1e42e58283cb4d663b000 Mon Sep 17 00:00:00 2001 From: Geert Uytterhoeven Date: Mon, 6 May 2013 09:21:03 +0200 -Subject: [PATCH 10/13] SUNRPC: Refactor gssx_dec_option_array() to kill +Subject: [PATCH 10/16] SUNRPC: Refactor gssx_dec_option_array() to kill uninitialized warning MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 @@ -2731,7 +2731,7 @@ index 5c4c61d..a1e1b1a 100644 From f174f54afb853cd818e2121a0b5dc66012a4a3eb Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Tue, 7 May 2013 17:45:20 -0400 -Subject: [PATCH 11/13] SUNRPC: fix decoding of optional gss-proxy xdr fields +Subject: [PATCH 11/16] SUNRPC: fix decoding of optional gss-proxy xdr fields The current code works, but sort of by accident: it obviously didn't intend the error return to be interpreted as "true". @@ -2814,7 +2814,7 @@ index a1e1b1a..357f613 100644 From 653ba539c4d845b004c7d29416c9083cb74f8270 Mon Sep 17 00:00:00 2001 From: Dan Carpenter Date: Sat, 11 May 2013 19:13:49 +0300 -Subject: [PATCH 12/13] svcauth_gss: fix error code in use_gss_proxy() +Subject: [PATCH 12/16] svcauth_gss: fix error code in use_gss_proxy() This should return zero on success and -EBUSY on error so the type needs to be int instead of bool. @@ -2845,7 +2845,7 @@ index 71446b6..141902e 100644 From 66a26c8c42ebbdfb7dbf297b3d7f404f0dc86ed8 Mon Sep 17 00:00:00 2001 From: "J. Bruce Fields" Date: Fri, 24 May 2013 09:47:49 -0400 -Subject: [PATCH 13/13] svcrpc: implement O_NONBLOCK behavior for use-gss-proxy +Subject: [PATCH 13/16] svcrpc: implement O_NONBLOCK behavior for use-gss-proxy Somebody noticed LTP was complaining about O_NONBLOCK opens of /proc/net/rpc/use-gss-proxy succeeding and then a following read @@ -2894,3 +2894,165 @@ index 141902e..a7d4dfa 100644 -- 1.8.1.4 + +From 30e8ac5e689fb6de9d27eeeca080fa46ed59c856 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Mon, 10 Jun 2013 16:06:44 -0400 +Subject: [PATCH 14/16] svcrpc: fix gss_rpc_upcall create error + +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index 98818d6..aed11b7 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -120,7 +120,7 @@ static int gssp_rpc_create(struct net *net, struct rpc_clnt **_clnt) + if (IS_ERR(clnt)) { + dprintk("RPC: failed to create AF_LOCAL gssproxy " + "client (errno %ld).\n", PTR_ERR(clnt)); +- result = -PTR_ERR(clnt); ++ result = PTR_ERR(clnt); + *_clnt = NULL; + goto out; + } +-- +1.8.1.4 + + +From aca1b52cdbef080ed3963810d2f41baeb746b8b2 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" +Date: Fri, 7 Jun 2013 10:11:19 -0400 +Subject: [PATCH 15/16] svcrpc: fix gss-proxy xdr decoding oops + +Uninitialized stack data was being used as the destination for memcpy's. + +Longer term we'll just delete some of this code; all we're doing is +skipping over xdr that we don't care about. + +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 357f613..3c85d1c 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -430,7 +430,7 @@ static int dummy_enc_nameattr_array(struct xdr_stream *xdr, + static int dummy_dec_nameattr_array(struct xdr_stream *xdr, + struct gssx_name_attr_array *naa) + { +- struct gssx_name_attr dummy; ++ struct gssx_name_attr dummy = { .attr = {.len = 0} }; + u32 count, i; + __be32 *p; + +@@ -493,12 +493,13 @@ static int gssx_enc_name(struct xdr_stream *xdr, + return err; + } + ++ + static int gssx_dec_name(struct xdr_stream *xdr, + struct gssx_name *name) + { +- struct xdr_netobj dummy_netobj; +- struct gssx_name_attr_array dummy_name_attr_array; +- struct gssx_option_array dummy_option_array; ++ struct xdr_netobj dummy_netobj = { .len = 0 }; ++ struct gssx_name_attr_array dummy_name_attr_array = { .count = 0 }; ++ struct gssx_option_array dummy_option_array = { .count = 0 }; + int err; + + /* name->display_name */ +-- +1.8.1.4 + + +From 127f9cd74d532b5189b767e803eaaf6d0c5015bf Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Sat, 16 Mar 2013 15:54:52 -0400 +Subject: [PATCH 16/16] SUNRPC: Load GSS kernel module by OID + +The current GSS mech switch can find and load GSS pseudoflavor +modules by name ("krb5") or pseudoflavor number ("390003"), but +cannot find GSS modules by GSS tuple: + + [ "1.2.840.113554.1.2.2", GSS_C_QOP_DEFAULT, RPC_GSS_SVC_NONE ] + +This is important when dealing with a SECINFO request. A SECINFO +reply contains a list of flavors the server supports for the +requested export, but GSS flavors also have a GSS tuple that maps +to a pseudoflavor (like 390003 for krb5). + +If the GSS module that supports the OID in the tuple is not loaded, +our client is not able to load that module dynamically to support +that pseudoflavor. + +Add a way for the GSS mech switch to load GSS pseudoflavor support +by OID before searching for the pseudoflavor that matches the OID +and service. + +Signed-off-by: Chuck Lever +Cc: David Howells +Signed-off-by: Trond Myklebust +--- + net/sunrpc/Kconfig | 1 + + net/sunrpc/auth_gss/gss_krb5_mech.c | 1 + + net/sunrpc/auth_gss/gss_mech_switch.c | 7 +++++++ + 3 files changed, 9 insertions(+) + +diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig +index 516fe2c..804f4f6 100644 +--- a/net/sunrpc/Kconfig ++++ b/net/sunrpc/Kconfig +@@ -3,6 +3,7 @@ config SUNRPC + + config SUNRPC_GSS + tristate ++ select OID_REGISTRY + + config SUNRPC_BACKCHANNEL + bool +diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c +index 3bc4a23..69be03f 100644 +--- a/net/sunrpc/auth_gss/gss_krb5_mech.c ++++ b/net/sunrpc/auth_gss/gss_krb5_mech.c +@@ -753,6 +753,7 @@ MODULE_ALIAS("rpc-auth-gss-krb5p"); + MODULE_ALIAS("rpc-auth-gss-390003"); + MODULE_ALIAS("rpc-auth-gss-390004"); + MODULE_ALIAS("rpc-auth-gss-390005"); ++MODULE_ALIAS("rpc-auth-gss-1.2.840.113554.1.2.2"); + + static struct gss_api_mech gss_kerberos_mech = { + .gm_name = "krb5", +diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c +index 43fd5bb..f921647 100644 +--- a/net/sunrpc/auth_gss/gss_mech_switch.c ++++ b/net/sunrpc/auth_gss/gss_mech_switch.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -175,6 +176,12 @@ struct gss_api_mech * + gss_mech_get_by_OID(struct xdr_netobj *obj) + { + struct gss_api_mech *pos, *gm = NULL; ++ char buf[32]; ++ ++ if (sprint_oid(obj->data, obj->len, buf, sizeof(buf)) < 0) ++ return NULL; ++ dprintk("RPC: %s(%s)\n", __func__, buf); ++ request_module("rpc-auth-gss-%s", buf); + + spin_lock(®istered_mechs_lock); + list_for_each_entry(pos, ®istered_mechs, gm_list) { +-- +1.8.1.4 + diff --git a/kernel.spec b/kernel.spec index 9f66807f8..8eb90a7c7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -1534,7 +1534,7 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat ApplyPatch Modify-UEFI-anti-bricking-code.patch # Needed for F19 gssproxy feature -#pplyPatch gssproxy-backport.patch +ApplyPatch gssproxy-backport.patch #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -2406,6 +2406,7 @@ fi %changelog * Wed Jun 12 2013 Josh Boyer +- Update gssproxy patches - Fix KVM divide by zero error (rhbz 969644) - Add fix for rt5390/rt3290 regression (rhbz 950735) From 938c4bff17066fb22efe38119cbe50996bc377a2 Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Wed, 12 Jun 2013 13:14:31 -0400 Subject: [PATCH 125/468] Merge ARM lpae and i686 PAE flavours --- kernel.spec | 78 ++++++++++++++++++++++++++--------------------------- 1 file changed, 39 insertions(+), 39 deletions(-) diff --git a/kernel.spec b/kernel.spec index 8eb90a7c7..df54952a5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -114,7 +114,7 @@ Summary: The Linux kernel %define with_up %{?_without_up: 0} %{?!_without_up: 1} # kernel-smp (only valid for ppc 32-bit) %define with_smp %{?_without_smp: 0} %{?!_without_smp: 1} -# kernel-PAE (only valid for i686) +# kernel PAE (only valid for i686 (PAE) and ARM (lpae)) %define with_pae %{?_without_pae: 0} %{?!_without_pae: 1} # kernel-debug %define with_debug %{?_without_debug: 0} %{?!_without_debug: 1} @@ -132,8 +132,6 @@ Summary: The Linux kernel %define with_bootwrapper %{?_without_bootwrapper: 0} %{?!_without_bootwrapper: 1} # Want to build a the vsdo directories installed %define with_vdso_install %{?_without_vdso_install: 0} %{?!_without_vdso_install: 1} -# ARM Cortex-A15 support with LPAE and HW Virtualisation -%define with_lpae %{?_without_lpae: 0} %{?!_without_lpae: 1} # kernel-tegra (only valid for arm) %define with_tegra %{?_without_tegra: 0} %{?!_without_tegra: 1} # @@ -244,14 +242,13 @@ Summary: The Linux kernel %endif %define debuginfodir /usr/lib/debug -# kernel-PAE is only built on i686. -%ifnarch i686 +# kernel PAE is only built on i686 and ARMv7. +%ifnarch i686 armv7hl %define with_pae 0 %endif # kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp %ifnarch armv7hl -%define with_lpae 0 %define with_tegra 0 %endif @@ -336,6 +333,7 @@ Summary: The Linux kernel %ifarch %{all_x86} %define asmarch x86 %define hdrarch i386 +%define pae PAE %define all_arch_configs kernel-%{version}-i?86*.config %define image_install_path boot %define kernel_image arch/x86/boot/bzImage @@ -383,6 +381,7 @@ Summary: The Linux kernel %define image_install_path boot %define asmarch arm %define hdrarch arm +%define pae lpae %define make_target bzImage %define kernel_image arch/arm/boot/zImage # we only build headers/perf/tools on the base arm arches @@ -1059,19 +1058,29 @@ hyperthreading technology. Install the kernel-smp package if your machine uses two or more CPUs. +%ifarch %{ix86} %define variant_summary The Linux kernel compiled for PAE capable machines -%kernel_variant_package PAE -%description PAE +%kernel_variant_package %{pae} +%description %{pae} This package includes a version of the Linux kernel with support for up to 64GB of high memory. It requires a CPU with Physical Address Extensions (PAE). The non-PAE kernel can only address up to 4GB of memory. Install the kernel-PAE package if your machine has more than 4GB of memory. +%endif +%ifarch armv7hl +%define variant_summary The Linux kernel compiled for Cortex-A15 +%kernel_variant_package %{pae} +%description %{pae} +This package includes a version of the Linux kernel with support for +Cortex-A15 devices with LPAE and HW virtualisation support +%endif +%endif %define variant_summary The Linux kernel compiled with extra debugging enabled for PAE capable machines -%kernel_variant_package PAEdebug +%kernel_variant_package %{pae}debug Obsoletes: kernel-PAE-debug -%description PAEdebug +%description %{pae}debug This package includes a version of the Linux kernel with support for up to 64GB of high memory. It requires a CPU with Physical Address Extensions (PAE). The non-PAE kernel can only address up to 4GB of memory. @@ -1094,12 +1103,6 @@ This variant of the kernel has numerous debugging options enabled. It should only be installed when trying to gather additional information on kernel bugs, as some of these options impact performance noticably. -%define variant_summary The Linux kernel compiled for Cortex-A15 -%kernel_variant_package lpae -%description lpae -This package includes a version of the Linux kernel with support for -Cortex-A15 devices with LPAE and HW virtualisation support - %define variant_summary The Linux kernel compiled for tegra boards %kernel_variant_package tegra %description tegra @@ -1917,15 +1920,11 @@ BuildKernel %make_target %kernel_image debug %endif %if %{with_pae_debug} -BuildKernel %make_target %kernel_image PAEdebug +BuildKernel %make_target %kernel_image %{pae}debug %endif %if %{with_pae} -BuildKernel %make_target %kernel_image PAE -%endif - -%if %{with_lpae} -BuildKernel %make_target %kernel_image lpae +BuildKernel %make_target %kernel_image %{pae} %endif %if %{with_tegra} @@ -1998,9 +1997,9 @@ find Documentation -type d | xargs chmod u+w %define __modsign_install_post \ if [ "%{signmodules}" == "1" ]; then \ if [ "%{with_pae}" != "0" ]; then \ - mv signing_key.priv.sign.PAE signing_key.priv \ - mv signing_key.x509.sign.PAE signing_key.x509 \ - %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAE/ \ + mv signing_key.priv.sign.%{pae} signing_key.priv \ + mv signing_key.x509.sign.%{pae} signing_key.x509 \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \ fi \ if [ "%{with_debug}" != "0" ]; then \ mv signing_key.priv.sign.debug signing_key.priv \ @@ -2008,9 +2007,9 @@ find Documentation -type d | xargs chmod u+w %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \ fi \ if [ "%{with_pae_debug}" != "0" ]; then \ - mv signing_key.priv.sign.PAEdebug signing_key.priv \ - mv signing_key.x509.sign.PAEdebug signing_key.x509 \ - %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.PAEdebug/ \ + mv signing_key.priv.sign.%{pae}debug signing_key.priv \ + mv signing_key.x509.sign.%{pae}debug signing_key.x509 \ + %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \ fi \ if [ "%{with_up}" != "0" ]; then \ mv signing_key.priv.sign signing_key.priv \ @@ -2240,18 +2239,15 @@ fi}\ %kernel_variant_preun smp %kernel_variant_post -v smp -%kernel_variant_preun PAE -%kernel_variant_post -v PAE -r (kernel|kernel-smp) +%kernel_variant_preun %{pae} +%kernel_variant_post -v %{pae} -r (kernel|kernel-smp) + +%kernel_variant_post -v %{pae}debug -r (kernel|kernel-smp) +%kernel_variant_preun %{pae}debug %kernel_variant_preun debug %kernel_variant_post -v debug -%kernel_variant_post -v PAEdebug -r (kernel|kernel-smp) -%kernel_variant_preun PAEdebug - -%kernel_variant_preun lpae -%kernel_variant_post -v lpae - %kernel_variant_preun tegra %kernel_variant_post -v tegra @@ -2396,15 +2392,19 @@ fi %kernel_variant_files %{with_up} %kernel_variant_files %{with_smp} smp %kernel_variant_files %{with_debug} debug -%kernel_variant_files %{with_pae} PAE -%kernel_variant_files %{with_pae_debug} PAEdebug -%kernel_variant_files %{with_lpae} lpae +%kernel_variant_files %{with_pae} %{pae} +%kernel_variant_files %{with_pae_debug} %{pae}debug %kernel_variant_files %{with_tegra} tegra # plz don't put in a version string unless you're going to tag # and build. %changelog +* Wed Jun 12 2013 Kyle McMartin +- Merge %{with_pae} and %{with_lpae} so both ARM and i686 use the same + flavours. Set %{pae} to the flavour name {lpae, PAE}. Merging + the descriptions would be nice, but is somewhat irrelevant... + * Wed Jun 12 2013 Josh Boyer - Update gssproxy patches - Fix KVM divide by zero error (rhbz 969644) From 250d8ff101285b45a1c92860b886e707e4a8e11c Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Wed, 12 Jun 2013 13:39:46 -0400 Subject: [PATCH 126/468] Fix thinko in last commit kernel-PAE will be "used" (but not populated) for all but armv7hl. On !i686 and !arm, it still needs to exist for some of the other macros to expand properly. --- kernel.spec | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/kernel.spec b/kernel.spec index df54952a5..b02feb4ef 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1058,7 +1058,7 @@ hyperthreading technology. Install the kernel-smp package if your machine uses two or more CPUs. -%ifarch %{ix86} +%ifnarch armv7hl %define variant_summary The Linux kernel compiled for PAE capable machines %kernel_variant_package %{pae} %description %{pae} @@ -1066,15 +1066,13 @@ This package includes a version of the Linux kernel with support for up to 64GB of high memory. It requires a CPU with Physical Address Extensions (PAE). The non-PAE kernel can only address up to 4GB of memory. Install the kernel-PAE package if your machine has more than 4GB of memory. -%endif -%ifarch armv7hl +%else %define variant_summary The Linux kernel compiled for Cortex-A15 %kernel_variant_package %{pae} %description %{pae} This package includes a version of the Linux kernel with support for Cortex-A15 devices with LPAE and HW virtualisation support %endif -%endif %define variant_summary The Linux kernel compiled with extra debugging enabled for PAE capable machines From 4dd7ed0a247a63610e1e08160ab6b24f6ab244ff Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Wed, 12 Jun 2013 14:57:55 -0400 Subject: [PATCH 127/468] Shift some %ifarch arm stuff around Define kernel_mflags so we can use the same BuildTarget command for both arm and everyone else. Move the dtb install after modules. --- kernel.spec | 11 +++++------ 1 file changed, 5 insertions(+), 6 deletions(-) diff --git a/kernel.spec b/kernel.spec index b02feb4ef..b94ecbf16 100644 --- a/kernel.spec +++ b/kernel.spec @@ -384,6 +384,8 @@ Summary: The Linux kernel %define pae lpae %define make_target bzImage %define kernel_image arch/arm/boot/zImage +# http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/091404.html +%define kernel_mflags KALLSYMS_EXTRA_PASS=1 # we only build headers/perf/tools on the base arm arches # just like we used to only build them on i386 for x86 %ifnarch armv7hl @@ -1705,18 +1707,15 @@ BuildKernel() { echo USING ARCH=$Arch make -s ARCH=$Arch oldnoconfig >/dev/null -%ifarch %{arm} - # http://lists.infradead.org/pipermail/linux-arm-kernel/2012-March/091404.html - make -s ARCH=$Arch V=1 %{?_smp_mflags} $MakeTarget %{?sparse_mflags} KALLSYMS_EXTRA_PASS=1 + make -s ARCH=$Arch V=1 %{?_smp_mflags} $MakeTarget %{?sparse_mflags} %{?kernel_mflags} + make -s ARCH=$Arch V=1 %{?_smp_mflags} modules %{?sparse_mflags} || exit 1 +%ifarch %{arm} make -s ARCH=$Arch V=1 dtbs mkdir -p $RPM_BUILD_ROOT/%{image_install_path}/dtb-$KernelVer install -m 644 arch/arm/boot/dts/*.dtb $RPM_BUILD_ROOT/boot/dtb-$KernelVer/ rm -f arch/arm/boot/dts/*.dtb -%else - make -s ARCH=$Arch V=1 %{?_smp_mflags} $MakeTarget %{?sparse_mflags} %endif - make -s ARCH=$Arch V=1 %{?_smp_mflags} modules %{?sparse_mflags} || exit 1 # Start installing the results %if %{with_debuginfo} From cb5b076b0b1567905a7fb1d4d755db0160388475 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 13 Jun 2013 14:24:19 -0400 Subject: [PATCH 128/468] Linux v3.9.6 - Drop a bunch of powerpc patches that were includes in 3.9.6. Yay! --- ...mi-fix-incorrect-rfkill-set-hw-state.patch | 13 -- kernel.spec | 42 +---- pci-Set-dev-dev.type-in-alloc_pci_dev.patch | 37 ----- powerpc-3.9.5-fix.patch | 13 -- powerpc-Set-default-VGA-device.patch | 47 ------ ...Force-32-bit-MSIs-for-devices-that-r.patch | 86 ---------- ...Make-32-bit-MSI-quirk-work-on-system.patch | 97 ----------- ...Perform-proper-max_bus_speed-detecti.patch | 153 ------------------ ...ax_bus-speed-to-activate-gen2-speeds.patch | 99 ------------ sources | 2 +- 10 files changed, 7 insertions(+), 582 deletions(-) delete mode 100644 hp-wmi-fix-incorrect-rfkill-set-hw-state.patch delete mode 100644 pci-Set-dev-dev.type-in-alloc_pci_dev.patch delete mode 100644 powerpc-3.9.5-fix.patch delete mode 100644 powerpc-Set-default-VGA-device.patch delete mode 100644 powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch delete mode 100644 powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch delete mode 100644 powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch delete mode 100644 radeon-use-max_bus-speed-to-activate-gen2-speeds.patch diff --git a/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch b/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch deleted file mode 100644 index 07f27b6c2..000000000 --- a/hp-wmi-fix-incorrect-rfkill-set-hw-state.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/drivers/platform/x86/hp-wmi.c b/drivers/platform/x86/hp-wmi.c -index 8df0c5a..d111c86 100644 ---- a/drivers/platform/x86/hp-wmi.c -+++ b/drivers/platform/x86/hp-wmi.c -@@ -703,7 +703,7 @@ static int hp_wmi_rfkill_setup(struct platform_device *device) - } - rfkill_init_sw_state(gps_rfkill, - hp_wmi_get_sw_state(HPWMI_GPS)); -- rfkill_set_hw_state(bluetooth_rfkill, -+ rfkill_set_hw_state(gps_rfkill, - hp_wmi_get_hw_state(HPWMI_GPS)); - err = rfkill_register(gps_rfkill); - if (err) diff --git a/kernel.spec b/kernel.spec index b94ecbf16..36ee808ab 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -751,20 +751,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 928024 Patch23008: forcedeth-dma-error-check.patch -Patch25018: pci-Set-dev-dev.type-in-alloc_pci_dev.patch -Patch25019: powerpc-Set-default-VGA-device.patch - -#rhbz 961527 -Patch25020: powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch -Patch25021: radeon-use-max_bus-speed-to-activate-gen2-speeds.patch - -#rhbz 962496 -Patch25027: powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch -Patch25029: powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch - -#rhbz 964367 -Patch25023: hp-wmi-fix-incorrect-rfkill-set-hw-state.patch - #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch @@ -792,9 +778,6 @@ Patch25035: block-do-not-pass-disk-names-as-format-strings.patch #rhbz 954252 Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch -# Fix for build failure on powerpc in 3.9.5 -Patch25037: powerpc-3.9.5-fix.patch - #CVE-2013-2164 rhbz 973100 973109 Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch @@ -1516,20 +1499,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 928024 ApplyPatch forcedeth-dma-error-check.patch -ApplyPatch pci-Set-dev-dev.type-in-alloc_pci_dev.patch -ApplyPatch powerpc-Set-default-VGA-device.patch - -#rhbz 961527 -ApplyPatch powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch -ApplyPatch radeon-use-max_bus-speed-to-activate-gen2-speeds.patch - -#rhbz 962496 -ApplyPatch powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch -ApplyPatch powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch - -#rhbz 964367 -ApplyPatch hp-wmi-fix-incorrect-rfkill-set-hw-state.patch - #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch @@ -1557,9 +1526,6 @@ ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch #rhbz 954252 ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch -# Fix for build failure on powerpc in 3.9.5 -ApplyPatch powerpc-3.9.5-fix.patch - #CVE-2013-2164 rhbz 973100 973109 ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch @@ -2397,6 +2363,10 @@ fi # and build. %changelog +* Thu Jun 13 2013 Josh Boyer - 3.9.6-300 +- Linux v3.9.6 +- Drop a bunch of powerpc patches that were includes in 3.9.6. Yay! + * Wed Jun 12 2013 Kyle McMartin - Merge %{with_pae} and %{with_lpae} so both ARM and i686 use the same flavours. Set %{pae} to the flavour name {lpae, PAE}. Merging diff --git a/pci-Set-dev-dev.type-in-alloc_pci_dev.patch b/pci-Set-dev-dev.type-in-alloc_pci_dev.patch deleted file mode 100644 index 9f90daff9..000000000 --- a/pci-Set-dev-dev.type-in-alloc_pci_dev.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 88e7b167a079f090405ab4390b629b5effdab41a Mon Sep 17 00:00:00 2001 -From: Brian King -Date: Mon, 08 Apr 2013 03:05:07 +0000 -Subject: pci: Set dev->dev.type in alloc_pci_dev - -Set dev->dev.type in alloc_pci_dev so that archs that have their own -versions of pci_setup_device get this set properly in order to ensure -things like the boot_vga sysfs parameter get created as expected. - -Signed-off-by: Brian King -Acked-by: Bjorn Helgaas -Signed-off-by: Michael Ellerman ---- -(limited to 'drivers/pci/probe.c') - -diff --git a/drivers/pci/probe.c b/drivers/pci/probe.c -index b494066..92be60c 100644 ---- a/drivers/pci/probe.c -+++ b/drivers/pci/probe.c -@@ -988,7 +988,6 @@ int pci_setup_device(struct pci_dev *dev) - dev->sysdata = dev->bus->sysdata; - dev->dev.parent = dev->bus->bridge; - dev->dev.bus = &pci_bus_type; -- dev->dev.type = &pci_dev_type; - dev->hdr_type = hdr_type & 0x7f; - dev->multifunction = !!(hdr_type & 0x80); - dev->error_state = pci_channel_io_normal; -@@ -1208,6 +1207,7 @@ struct pci_dev *alloc_pci_dev(void) - return NULL; - - INIT_LIST_HEAD(&dev->bus_list); -+ dev->dev.type = &pci_dev_type; - - return dev; - } --- -cgit v0.9.1 diff --git a/powerpc-3.9.5-fix.patch b/powerpc-3.9.5-fix.patch deleted file mode 100644 index 5cc7e4fa0..000000000 --- a/powerpc-3.9.5-fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/arch/powerpc/kernel/traps.c b/arch/powerpc/kernel/traps.c -index 1c22b2d..29857c6 100644 ---- a/arch/powerpc/kernel/traps.c -+++ b/arch/powerpc/kernel/traps.c -@@ -1151,7 +1151,7 @@ void alignment_exception(struct pt_regs *regs) - local_irq_enable(); - - if (tm_abort_check(regs, TM_CAUSE_ALIGNMENT | TM_CAUSE_PERSISTENT)) -- goto bail; -+ return; - - /* we don't implement logging of alignment exceptions */ - if (!(current->thread.align_ctl & PR_UNALIGN_SIGBUS)) diff --git a/powerpc-Set-default-VGA-device.patch b/powerpc-Set-default-VGA-device.patch deleted file mode 100644 index 4e0a07ed9..000000000 --- a/powerpc-Set-default-VGA-device.patch +++ /dev/null @@ -1,47 +0,0 @@ -From c2e1d84523ad2a19e5be08c1f01999cc9e82652e Mon Sep 17 00:00:00 2001 -From: Brian King -Date: Mon, 08 Apr 2013 03:05:10 +0000 -Subject: powerpc: Set default VGA device - -Add a PCI quirk for VGA devices on Power to set the default VGA device. -Ensures a default VGA is always set if a graphics adapter is present, -even if firmware did not initialize it. If more than one graphics -adapter is present, ensure the one initialized by firmware is set -as the default VGA device. This ensures that X autoconfiguration -will work. - -Signed-off-by: Brian King -Signed-off-by: Michael Ellerman ---- -(limited to 'arch/powerpc/kernel/pci-common.c') - -diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c -index 0324758..f325dc9 100644 ---- a/arch/powerpc/kernel/pci-common.c -+++ b/arch/powerpc/kernel/pci-common.c -@@ -30,6 +30,7 @@ - #include - #include - #include -+#include - - #include - #include -@@ -1734,3 +1735,15 @@ static void fixup_hide_host_resource_fsl(struct pci_dev *dev) - } - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_MOTOROLA, PCI_ANY_ID, fixup_hide_host_resource_fsl); - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_FREESCALE, PCI_ANY_ID, fixup_hide_host_resource_fsl); -+ -+static void fixup_vga(struct pci_dev *pdev) -+{ -+ u16 cmd; -+ -+ pci_read_config_word(pdev, PCI_COMMAND, &cmd); -+ if ((cmd & (PCI_COMMAND_IO | PCI_COMMAND_MEMORY)) || !vga_default_device()) -+ vga_set_default_device(pdev); -+ -+} -+DECLARE_PCI_FIXUP_CLASS_FINAL(PCI_ANY_ID, PCI_ANY_ID, -+ PCI_CLASS_DISPLAY_VGA, 8, fixup_vga); --- -cgit v0.9.1 diff --git a/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch b/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch deleted file mode 100644 index eeb39950f..000000000 --- a/powerpc-pseries-Force-32-bit-MSIs-for-devices-that-r.patch +++ /dev/null @@ -1,86 +0,0 @@ -From e61133dda480062d221f09e4fc18f66763f8ecd0 Mon Sep 17 00:00:00 2001 -From: Brian King -Date: Fri, 3 May 2013 11:30:59 +0000 -Subject: [PATCH] powerpc/pseries: Force 32 bit MSIs for devices that require - it - -The following patch implements a new PAPR change which allows -the OS to force the use of 32 bit MSIs, regardless of what -the PCI capabilities indicate. This is required for some -devices that advertise support for 64 bit MSIs but don't -actually support them. - -Signed-off-by: Brian King -Signed-off-by: Benjamin Herrenschmidt ---- - arch/powerpc/include/asm/pci-bridge.h | 2 ++ - arch/powerpc/platforms/pseries/msi.c | 21 ++++++++++++++++++--- - 2 files changed, 20 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/include/asm/pci-bridge.h b/arch/powerpc/include/asm/pci-bridge.h -index ffbc5fd..0694f73 100644 ---- a/arch/powerpc/include/asm/pci-bridge.h -+++ b/arch/powerpc/include/asm/pci-bridge.h -@@ -163,6 +163,8 @@ struct pci_dn { - - int pci_ext_config_space; /* for pci devices */ - -+ int force_32bit_msi:1; -+ - struct pci_dev *pcidev; /* back-pointer to the pci device */ - #ifdef CONFIG_EEH - struct eeh_dev *edev; /* eeh device */ -diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c -index e5b0847..420524e 100644 ---- a/arch/powerpc/platforms/pseries/msi.c -+++ b/arch/powerpc/platforms/pseries/msi.c -@@ -24,6 +24,7 @@ static int query_token, change_token; - #define RTAS_RESET_FN 2 - #define RTAS_CHANGE_MSI_FN 3 - #define RTAS_CHANGE_MSIX_FN 4 -+#define RTAS_CHANGE_32MSI_FN 5 - - static struct pci_dn *get_pdn(struct pci_dev *pdev) - { -@@ -58,7 +59,8 @@ static int rtas_change_msi(struct pci_dn *pdn, u32 func, u32 num_irqs) - - seq_num = 1; - do { -- if (func == RTAS_CHANGE_MSI_FN || func == RTAS_CHANGE_MSIX_FN) -+ if (func == RTAS_CHANGE_MSI_FN || func == RTAS_CHANGE_MSIX_FN || -+ func == RTAS_CHANGE_32MSI_FN) - rc = rtas_call(change_token, 6, 4, rtas_ret, addr, - BUID_HI(buid), BUID_LO(buid), - func, num_irqs, seq_num); -@@ -426,9 +428,12 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) - */ - again: - if (type == PCI_CAP_ID_MSI) { -- rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); -+ if (pdn->force_32bit_msi) -+ rc = rtas_change_msi(pdn, RTAS_CHANGE_32MSI_FN, nvec); -+ else -+ rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); - -- if (rc < 0) { -+ if (rc < 0 && !pdn->force_32bit_msi) { - pr_debug("rtas_msi: trying the old firmware call.\n"); - rc = rtas_change_msi(pdn, RTAS_CHANGE_FN, nvec); - } -@@ -512,3 +517,13 @@ static int rtas_msi_init(void) - return 0; - } - arch_initcall(rtas_msi_init); -+ -+static void quirk_radeon(struct pci_dev *dev) -+{ -+ struct pci_dn *pdn = get_pdn(dev); -+ -+ if (pdn) -+ pdn->force_32bit_msi = 1; -+} -+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0x68f2, quirk_radeon); -+DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, 0xaa68, quirk_radeon); --- -1.8.1.4 - diff --git a/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch b/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch deleted file mode 100644 index 8add1a4ed..000000000 --- a/powerpc-pseries-Make-32-bit-MSI-quirk-work-on-system.patch +++ /dev/null @@ -1,97 +0,0 @@ -From ffbc2a5d4bb9c758867332d2f4d521a02375e43a Mon Sep 17 00:00:00 2001 -From: Brian King -Date: Wed, 22 May 2013 11:07:46 +0000 -Subject: [PATCH] powerpc/pseries: Make 32-bit MSI quirk work on systems - lacking firmware support - -Recent commit e61133dda480062d221f09e4fc18f66763f8ecd0 added support -for a new firmware feature to force an adapter to use 32 bit MSIs. -However, this firmware is not available for all systems. The hack below -allows devices needing 32 bit MSIs to work on these systems as well. -It is careful to only enable this on Gen2 slots, which should limit -this to configurations where this hack is needed and tested to work. - -[Small change to factor out the hack into a separate function -- BenH] - -Signed-off-by: Brian King -Signed-off-by: Benjamin Herrenschmidt ---- - arch/powerpc/platforms/pseries/msi.c | 42 +++++++++++++++++++++++++++++++++--- - 1 file changed, 39 insertions(+), 3 deletions(-) - -diff --git a/arch/powerpc/platforms/pseries/msi.c b/arch/powerpc/platforms/pseries/msi.c -index 420524e..5a75b02 100644 ---- a/arch/powerpc/platforms/pseries/msi.c -+++ b/arch/powerpc/platforms/pseries/msi.c -@@ -394,6 +394,25 @@ static int check_msix_entries(struct pci_dev *pdev) - return 0; - } - -+static void rtas_hack_32bit_msi_gen2(struct pci_dev *pdev) -+{ -+ int pos; -+ u32 addr_hi, addr_lo; -+ -+ /* -+ * We should only get in here for IODA1 configs. This is based on the -+ * fact that we using RTAS for MSIs, we don't have the 32 bit MSI RTAS -+ * support, and we are in a PCIe Gen2 slot. -+ */ -+ dev_info(&pdev->dev, -+ "rtas_msi: No 32 bit MSI firmware support, forcing 32 bit MSI\n"); -+ pos = pci_find_capability(pdev, PCI_CAP_ID_MSI); -+ pci_read_config_dword(pdev, pos + PCI_MSI_ADDRESS_HI, &addr_hi); -+ addr_lo = 0xffff0000 | ((addr_hi >> (48 - 32)) << 4); -+ pci_write_config_dword(pdev, pos + PCI_MSI_ADDRESS_LO, addr_lo); -+ pci_write_config_dword(pdev, pos + PCI_MSI_ADDRESS_HI, 0); -+} -+ - static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) - { - struct pci_dn *pdn; -@@ -401,6 +420,7 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) - struct msi_desc *entry; - struct msi_msg msg; - int nvec = nvec_in; -+ int use_32bit_msi_hack = 0; - - pdn = get_pdn(pdev); - if (!pdn) -@@ -428,15 +448,31 @@ static int rtas_setup_msi_irqs(struct pci_dev *pdev, int nvec_in, int type) - */ - again: - if (type == PCI_CAP_ID_MSI) { -- if (pdn->force_32bit_msi) -+ if (pdn->force_32bit_msi) { - rc = rtas_change_msi(pdn, RTAS_CHANGE_32MSI_FN, nvec); -- else -+ if (rc < 0) { -+ /* -+ * We only want to run the 32 bit MSI hack below if -+ * the max bus speed is Gen2 speed -+ */ -+ if (pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) -+ return rc; -+ -+ use_32bit_msi_hack = 1; -+ } -+ } else -+ rc = -1; -+ -+ if (rc < 0) - rc = rtas_change_msi(pdn, RTAS_CHANGE_MSI_FN, nvec); - -- if (rc < 0 && !pdn->force_32bit_msi) { -+ if (rc < 0) { - pr_debug("rtas_msi: trying the old firmware call.\n"); - rc = rtas_change_msi(pdn, RTAS_CHANGE_FN, nvec); - } -+ -+ if (use_32bit_msi_hack && rc > 0) -+ rtas_hack_32bit_msi_gen2(pdev); - } else - rc = rtas_change_msi(pdn, RTAS_CHANGE_MSIX_FN, nvec); - --- -1.8.1.4 - diff --git a/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch b/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch deleted file mode 100644 index 5701a8732..000000000 --- a/powerpc-pseries-Perform-proper-max_bus_speed-detecti.patch +++ /dev/null @@ -1,153 +0,0 @@ -From d82fb31abc46620b7c22758c75707069f2763646 Mon Sep 17 00:00:00 2001 -From: Kleber Sacilotto de Souza -Date: Fri, 3 May 2013 12:43:12 +0000 -Subject: [PATCH] powerpc/pseries: Perform proper max_bus_speed detection - -On pseries machines the detection for max_bus_speed should be done -through an OpenFirmware property. This patch adds a function to perform -this detection and a hook to perform dynamic adding of the function only -for pseries. This is done by overwriting the weak -pcibios_root_bridge_prepare function which is called by -pci_create_root_bus(). - -From: Lucas Kannebley Tavares -Signed-off-by: Kleber Sacilotto de Souza -Signed-off-by: Benjamin Herrenschmidt ---- - arch/powerpc/include/asm/machdep.h | 3 ++ - arch/powerpc/kernel/pci-common.c | 8 +++++ - arch/powerpc/platforms/pseries/pci.c | 53 ++++++++++++++++++++++++++++++++ - arch/powerpc/platforms/pseries/pseries.h | 4 +++ - arch/powerpc/platforms/pseries/setup.c | 2 ++ - 5 files changed, 70 insertions(+) - -diff --git a/arch/powerpc/include/asm/machdep.h b/arch/powerpc/include/asm/machdep.h -index 3f3f691..92386fc 100644 ---- a/arch/powerpc/include/asm/machdep.h -+++ b/arch/powerpc/include/asm/machdep.h -@@ -29,6 +29,7 @@ struct rtc_time; - struct file; - struct pci_controller; - struct kimage; -+struct pci_host_bridge; - - struct machdep_calls { - char *name; -@@ -108,6 +109,8 @@ struct machdep_calls { - void (*pcibios_fixup)(void); - int (*pci_probe_mode)(struct pci_bus *); - void (*pci_irq_fixup)(struct pci_dev *dev); -+ int (*pcibios_root_bridge_prepare)(struct pci_host_bridge -+ *bridge); - - /* To setup PHBs when using automatic OF platform driver for PCI */ - int (*pci_setup_phb)(struct pci_controller *host); -diff --git a/arch/powerpc/kernel/pci-common.c b/arch/powerpc/kernel/pci-common.c -index f325dc9..d5811d8 100644 ---- a/arch/powerpc/kernel/pci-common.c -+++ b/arch/powerpc/kernel/pci-common.c -@@ -845,6 +845,14 @@ int pci_proc_domain(struct pci_bus *bus) - return 1; - } - -+int pcibios_root_bridge_prepare(struct pci_host_bridge *bridge) -+{ -+ if (ppc_md.pcibios_root_bridge_prepare) -+ return ppc_md.pcibios_root_bridge_prepare(bridge); -+ -+ return 0; -+} -+ - /* This header fixup will do the resource fixup for all devices as they are - * probed, but not for bridge ranges - */ -diff --git a/arch/powerpc/platforms/pseries/pci.c b/arch/powerpc/platforms/pseries/pci.c -index 0b580f4..5f93856 100644 ---- a/arch/powerpc/platforms/pseries/pci.c -+++ b/arch/powerpc/platforms/pseries/pci.c -@@ -108,3 +108,56 @@ static void fixup_winbond_82c105(struct pci_dev* dev) - } - DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_WINBOND, PCI_DEVICE_ID_WINBOND_82C105, - fixup_winbond_82c105); -+ -+int pseries_root_bridge_prepare(struct pci_host_bridge *bridge) -+{ -+ struct device_node *dn, *pdn; -+ struct pci_bus *bus; -+ const uint32_t *pcie_link_speed_stats; -+ -+ bus = bridge->bus; -+ -+ dn = pcibios_get_phb_of_node(bus); -+ if (!dn) -+ return 0; -+ -+ for (pdn = dn; pdn != NULL; pdn = of_get_next_parent(pdn)) { -+ pcie_link_speed_stats = (const uint32_t *) of_get_property(pdn, -+ "ibm,pcie-link-speed-stats", NULL); -+ if (pcie_link_speed_stats) -+ break; -+ } -+ -+ of_node_put(pdn); -+ -+ if (!pcie_link_speed_stats) { -+ pr_err("no ibm,pcie-link-speed-stats property\n"); -+ return 0; -+ } -+ -+ switch (pcie_link_speed_stats[0]) { -+ case 0x01: -+ bus->max_bus_speed = PCIE_SPEED_2_5GT; -+ break; -+ case 0x02: -+ bus->max_bus_speed = PCIE_SPEED_5_0GT; -+ break; -+ default: -+ bus->max_bus_speed = PCI_SPEED_UNKNOWN; -+ break; -+ } -+ -+ switch (pcie_link_speed_stats[1]) { -+ case 0x01: -+ bus->cur_bus_speed = PCIE_SPEED_2_5GT; -+ break; -+ case 0x02: -+ bus->cur_bus_speed = PCIE_SPEED_5_0GT; -+ break; -+ default: -+ bus->cur_bus_speed = PCI_SPEED_UNKNOWN; -+ break; -+ } -+ -+ return 0; -+} -diff --git a/arch/powerpc/platforms/pseries/pseries.h b/arch/powerpc/platforms/pseries/pseries.h -index 8af71e4..c2a3a25 100644 ---- a/arch/powerpc/platforms/pseries/pseries.h -+++ b/arch/powerpc/platforms/pseries/pseries.h -@@ -63,4 +63,8 @@ extern int dlpar_detach_node(struct device_node *); - /* Snooze Delay, pseries_idle */ - DECLARE_PER_CPU(long, smt_snooze_delay); - -+/* PCI root bridge prepare function override for pseries */ -+struct pci_host_bridge; -+int pseries_root_bridge_prepare(struct pci_host_bridge *bridge); -+ - #endif /* _PSERIES_PSERIES_H */ -diff --git a/arch/powerpc/platforms/pseries/setup.c b/arch/powerpc/platforms/pseries/setup.c -index ac932a9..c11c823 100644 ---- a/arch/powerpc/platforms/pseries/setup.c -+++ b/arch/powerpc/platforms/pseries/setup.c -@@ -466,6 +466,8 @@ static void __init pSeries_setup_arch(void) - else - ppc_md.enable_pmcs = power4_enable_pmcs; - -+ ppc_md.pcibios_root_bridge_prepare = pseries_root_bridge_prepare; -+ - if (firmware_has_feature(FW_FEATURE_SET_MODE)) { - long rc; - if ((rc = pSeries_enable_reloc_on_exc()) != H_SUCCESS) { --- -1.8.1.4 - diff --git a/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch b/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch deleted file mode 100644 index f9a11993f..000000000 --- a/radeon-use-max_bus-speed-to-activate-gen2-speeds.patch +++ /dev/null @@ -1,99 +0,0 @@ -radeon: use max_bus_speed to activate gen2 speeds - -radeon currently uses a drm function to get the speed capabilities for -the bus, drm_pcie_get_speed_cap_mask. However, this is a non-standard -method of performing this detection and this patch changes it to use -the max_bus_speed attribute. - -From: Lucas Kannebley Tavares -Signed-off-by: Kleber Sacilotto de Souza ---- - drivers/gpu/drm/radeon/evergreen.c | 10 +++------- - drivers/gpu/drm/radeon/r600.c | 9 ++------- - drivers/gpu/drm/radeon/rv770.c | 9 ++------- - 3 files changed, 7 insertions(+), 21 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/evergreen.c b/drivers/gpu/drm/radeon/evergreen.c -index 105bafb..3966696 100644 ---- a/drivers/gpu/drm/radeon/evergreen.c -+++ b/drivers/gpu/drm/radeon/evergreen.c -@@ -4992,8 +4992,7 @@ void evergreen_fini(struct radeon_device *rdev) - - void evergreen_pcie_gen2_enable(struct radeon_device *rdev) - { -- u32 link_width_cntl, speed_cntl, mask; -- int ret; -+ u32 link_width_cntl, speed_cntl; - - if (radeon_pcie_gen2 == 0) - return; -@@ -5008,11 +5007,8 @@ void evergreen_pcie_gen2_enable(struct radeon_device *rdev) - if (ASIC_IS_X2(rdev)) - return; - -- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); -- if (ret != 0) -- return; -- -- if (!(mask & DRM_PCIE_SPEED_50)) -+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && -+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) - return; - - speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL); -diff --git a/drivers/gpu/drm/radeon/r600.c b/drivers/gpu/drm/radeon/r600.c -index 1a08008..b45e648 100644 ---- a/drivers/gpu/drm/radeon/r600.c -+++ b/drivers/gpu/drm/radeon/r600.c -@@ -4631,8 +4631,6 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev) - { - u32 link_width_cntl, lanes, speed_cntl, training_cntl, tmp; - u16 link_cntl2; -- u32 mask; -- int ret; - - if (radeon_pcie_gen2 == 0) - return; -@@ -4651,11 +4649,8 @@ static void r600_pcie_gen2_enable(struct radeon_device *rdev) - if (rdev->family <= CHIP_R600) - return; - -- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); -- if (ret != 0) -- return; -- -- if (!(mask & DRM_PCIE_SPEED_50)) -+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && -+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) - return; - - speed_cntl = RREG32_PCIE_PORT(PCIE_LC_SPEED_CNTL); -diff --git a/drivers/gpu/drm/radeon/rv770.c b/drivers/gpu/drm/radeon/rv770.c -index 83f612a..a6af4aa 100644 ---- a/drivers/gpu/drm/radeon/rv770.c -+++ b/drivers/gpu/drm/radeon/rv770.c -@@ -2113,8 +2113,6 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev) - { - u32 link_width_cntl, lanes, speed_cntl, tmp; - u16 link_cntl2; -- u32 mask; -- int ret; - - if (radeon_pcie_gen2 == 0) - return; -@@ -2129,11 +2127,8 @@ static void rv770_pcie_gen2_enable(struct radeon_device *rdev) - if (ASIC_IS_X2(rdev)) - return; - -- ret = drm_pcie_get_speed_cap_mask(rdev->ddev, &mask); -- if (ret != 0) -- return; -- -- if (!(mask & DRM_PCIE_SPEED_50)) -+ if ((rdev->pdev->bus->max_bus_speed != PCIE_SPEED_5_0GT) && -+ (rdev->pdev->bus->max_bus_speed != PCIE_SPEED_8_0GT)) - return; - - DRM_INFO("enabling PCIE gen 2 link speeds, disable with radeon.pcie_gen2=0\n"); --- -1.7.1 diff --git a/sources b/sources index 2e345eb6b..803d88c2a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -aa22187ae5cd482a69097e9e59244491 patch-3.9.5.xz +897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz From 5394ba72a9d27667d10801685f71c003a7e205bc Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 17 Jun 2013 10:11:18 -0400 Subject: [PATCH 129/468] Add patch to fix radeon issues on powerpc --- ...-Disable-writeback-by-default-on-ppc.patch | 85 +++++++++++++++++++ kernel.spec | 9 +- 2 files changed, 93 insertions(+), 1 deletion(-) create mode 100644 drm-radeon-Disable-writeback-by-default-on-ppc.patch diff --git a/drm-radeon-Disable-writeback-by-default-on-ppc.patch b/drm-radeon-Disable-writeback-by-default-on-ppc.patch new file mode 100644 index 000000000..0defb1340 --- /dev/null +++ b/drm-radeon-Disable-writeback-by-default-on-ppc.patch @@ -0,0 +1,85 @@ +From b67e0a6a7409f9c1a12e573fb7d8d80ee455b103 Mon Sep 17 00:00:00 2001 +From: Adam Jackson +Date: Mon, 17 Jun 2013 09:59:34 -0400 +Subject: [PATCH] drm/radeon: Disable writeback by default on ppc + +At least on an IBM Power 720, this check passes, but several piglit +tests will reliably trigger GPU resets due to the ring buffer pointers +not being updated. There's probably a better way to limit this to just +affected machines though. + +Signed-off-by: Adam Jackson +--- + drivers/gpu/drm/radeon/r600_cp.c | 7 +++++++ + drivers/gpu/drm/radeon/radeon_cp.c | 7 +++++++ + drivers/gpu/drm/radeon/radeon_device.c | 4 ++-- + drivers/gpu/drm/radeon/radeon_drv.c | 2 +- + 4 files changed, 17 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_cp.c b/drivers/gpu/drm/radeon/r600_cp.c +index 1c51c08..ef28532 100644 +--- a/drivers/gpu/drm/radeon/r600_cp.c ++++ b/drivers/gpu/drm/radeon/r600_cp.c +@@ -552,6 +552,13 @@ static void r600_test_writeback(drm_radeon_private_t *dev_priv) + dev_priv->writeback_works = 0; + DRM_INFO("writeback test failed\n"); + } ++#if defined(__ppc__) || defined(__ppc64__) ++ /* the test might succeed on ppc, but it's usually not reliable */ ++ if (radeon_no_wb == -1) { ++ radeon_no_wb = 1; ++ DRM_INFO("not trusting writeback test due to arch quirk\n"); ++ } ++#endif + if (radeon_no_wb == 1) { + dev_priv->writeback_works = 0; + DRM_INFO("writeback forced off\n"); +diff --git a/drivers/gpu/drm/radeon/radeon_cp.c b/drivers/gpu/drm/radeon/radeon_cp.c +index efc4f64..a967b33 100644 +--- a/drivers/gpu/drm/radeon/radeon_cp.c ++++ b/drivers/gpu/drm/radeon/radeon_cp.c +@@ -892,6 +892,13 @@ static void radeon_test_writeback(drm_radeon_private_t * dev_priv) + dev_priv->writeback_works = 0; + DRM_INFO("writeback test failed\n"); + } ++#if defined(__ppc__) || defined(__ppc64__) ++ /* the test might succeed on ppc, but it's usually not reliable */ ++ if (radeon_no_wb == -1) { ++ radeon_no_wb = 1; ++ DRM_INFO("not trusting writeback test due to arch quirk\n"); ++ } ++#endif + if (radeon_no_wb == 1) { + dev_priv->writeback_works = 0; + DRM_INFO("writeback forced off\n"); +diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c +index 1899738..524046e 100644 +--- a/drivers/gpu/drm/radeon/radeon_device.c ++++ b/drivers/gpu/drm/radeon/radeon_device.c +@@ -322,8 +322,8 @@ int radeon_wb_init(struct radeon_device *rdev) + /* disable event_write fences */ + rdev->wb.use_event = false; + /* disabled via module param */ +- if (radeon_no_wb == 1) { +- rdev->wb.enabled = false; ++ if (radeon_no_wb != -1) { ++ rdev->wb.enabled = !!radeon_no_wb; + } else { + if (rdev->flags & RADEON_IS_AGP) { + /* often unreliable on AGP */ +diff --git a/drivers/gpu/drm/radeon/radeon_drv.c b/drivers/gpu/drm/radeon/radeon_drv.c +index 094e7e5..04809d4 100644 +--- a/drivers/gpu/drm/radeon/radeon_drv.c ++++ b/drivers/gpu/drm/radeon/radeon_drv.c +@@ -146,7 +146,7 @@ static inline void radeon_register_atpx_handler(void) {} + static inline void radeon_unregister_atpx_handler(void) {} + #endif + +-int radeon_no_wb; ++int radeon_no_wb = -1; + int radeon_modeset = -1; + int radeon_dynclks = -1; + int radeon_r4xx_atom = 0; +-- +1.8.2.1 + diff --git a/kernel.spec b/kernel.spec index 36ee808ab..cd947889f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -799,6 +799,8 @@ Patch25045: rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch #rhbz 969644 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch +Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch + # END OF PATCH DEFINITIONS %endif @@ -1547,6 +1549,8 @@ ApplyPatch rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch #rhbz 969644 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch +ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch + # END OF PATCH APPLICATIONS %endif @@ -2363,6 +2367,9 @@ fi # and build. %changelog +* Mon Jun 17 2013 Josh Boyer - 3.9.6-301 +- Add patch to fix radeon issues on powerpc + * Thu Jun 13 2013 Josh Boyer - 3.9.6-300 - Linux v3.9.6 - Drop a bunch of powerpc patches that were includes in 3.9.6. Yay! From 00760aaca8a8b858c839533b1f69c8d15e130318 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Tue, 18 Jun 2013 13:05:33 -0400 Subject: [PATCH 130/468] Disable MTRR sanitizer by default. --- config-x86-generic | 2 +- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/config-x86-generic b/config-x86-generic index 1308a3414..68041357f 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -29,7 +29,7 @@ CONFIG_PNP=y CONFIG_MTRR=y CONFIG_MTRR_SANITIZER=y -CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=1 +CONFIG_MTRR_SANITIZER_ENABLE_DEFAULT=0 CONFIG_MTRR_SANITIZER_SPARE_REG_NR_DEFAULT=1 CONFIG_X86_PAT=y CONFIG_X86_PM_TIMER=y diff --git a/kernel.spec b/kernel.spec index cd947889f..ff2633ab9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2367,6 +2367,9 @@ fi # and build. %changelog +* Tue Jun 18 2013 Dave Jones +- Disable MTRR sanitizer by default. + * Mon Jun 17 2013 Josh Boyer - 3.9.6-301 - Add patch to fix radeon issues on powerpc From c48b60cc207c55a6a6a2daa60af38776f9e611a2 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Tue, 18 Jun 2013 14:32:29 -0400 Subject: [PATCH 131/468] Resolves: bz 956732 --- kernel.spec | 9 +++++++++ tulip-dma-debug-error.patch | 32 ++++++++++++++++++++++++++++++++ 2 files changed, 41 insertions(+) create mode 100644 tulip-dma-debug-error.patch diff --git a/kernel.spec b/kernel.spec index ff2633ab9..9778a77d8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -801,6 +801,9 @@ Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch +#rhbz 956732 +Patch25048: tulip-dma-debug-error.patch + # END OF PATCH DEFINITIONS %endif @@ -1551,6 +1554,9 @@ ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch +#rhbz 956732 +ApplyPatch tulip-dma-debug-error.patch + # END OF PATCH APPLICATIONS %endif @@ -2367,6 +2373,9 @@ fi # and build. %changelog +* Tue Jun 18 2013 Neil Horman +- Fix dma debug error in tulip driver (rhbz 956732) + * Tue Jun 18 2013 Dave Jones - Disable MTRR sanitizer by default. diff --git a/tulip-dma-debug-error.patch b/tulip-dma-debug-error.patch new file mode 100644 index 000000000..0ac631f0d --- /dev/null +++ b/tulip-dma-debug-error.patch @@ -0,0 +1,32 @@ +commit 2087ac1fc6fd9bbb1f7e16889e984e0af0510b4b +Author: Neil Horman +Date: Thu Jun 13 15:25:45 2013 -0400 + + tulip: Properly check dma mapping result + + Tulip throws an error when dma debugging is enabled, as it doesn't properly + check dma mapping results with dma_mapping_error() durring tx ring refills. + + Easy fix, just add it in, and drop the frame if the mapping is bad + + Signed-off-by: Neil Horman + CC: Grant Grundler + CC: "David S. Miller" + +diff --git a/drivers/net/ethernet/dec/tulip/interrupt.c b/drivers/net/ethernet/dec/tulip/interrupt.c +index 28a5e42..92306b3 100644 +--- a/drivers/net/ethernet/dec/tulip/interrupt.c ++++ b/drivers/net/ethernet/dec/tulip/interrupt.c +@@ -76,6 +76,12 @@ int tulip_refill_rx(struct net_device *dev) + + mapping = pci_map_single(tp->pdev, skb->data, PKT_BUF_SZ, + PCI_DMA_FROMDEVICE); ++ if (dma_mapping_error(&tp->pdev->dev, mapping)) { ++ dev_kfree_skb(skb); ++ tp->rx_buffers[entry].skb = NULL; ++ break; ++ } ++ + tp->rx_buffers[entry].mapping = mapping; + + tp->rx_ring[entry].buffer1 = cpu_to_le32(mapping); From 89e8c0e776abc632b206f7166d7894f010adea99 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 20 Jun 2013 16:51:42 -0500 Subject: [PATCH 132/468] Linux v3.9.7 --- ...or-dmesg_restrict-sysctl-on-dev-kmsg.patch | 228 ----------- Modify-UEFI-anti-bricking-code.patch | 371 ------------------ ...ormat-string-leaking-into-error-msgs.patch | 32 -- config-generic | 2 +- kernel.spec | 25 +- sources | 2 +- 6 files changed, 7 insertions(+), 653 deletions(-) delete mode 100644 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch delete mode 100644 Modify-UEFI-anti-bricking-code.patch delete mode 100644 b43-stop-format-string-leaking-into-error-msgs.patch diff --git a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch b/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch deleted file mode 100644 index 7197f7f7a..000000000 --- a/0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch +++ /dev/null @@ -1,228 +0,0 @@ -To fix /dev/kmsg, let's compare the existing interfaces and what they allow: - -- /proc/kmsg allows: - - open (SYSLOG_ACTION_OPEN) if CAP_SYSLOG since it uses a destructive - single-reader interface (SYSLOG_ACTION_READ). - - everything, after an open. - -- syslog syscall allows: - - anything, if CAP_SYSLOG. - - SYSLOG_ACTION_READ_ALL and SYSLOG_ACTION_SIZE_BUFFER, if dmesg_restrict==0. - - nothing else (EPERM). - -The use-cases were: -- dmesg(1) needs to do non-destructive SYSLOG_ACTION_READ_ALLs. -- sysklog(1) needs to open /proc/kmsg, drop privs, and still issue the - destructive SYSLOG_ACTION_READs. - -AIUI, dmesg(1) is moving to /dev/kmsg, and systemd-journald doesn't -clear the ring buffer. - -Based on the comments in devkmsg_llseek, it sounds like actions besides -reading aren't going to be supported by /dev/kmsg (i.e. SYSLOG_ACTION_CLEAR), -so we have a strict subset of the non-destructive syslog syscall actions. - -To this end, move the check as Josh had done, but also rename the constants -to reflect their new uses (SYSLOG_FROM_CALL becomes SYSLOG_FROM_READER, and -SYSLOG_FROM_FILE becomes SYSLOG_FROM_PROC). SYSLOG_FROM_READER allows -non-destructive actions, and SYSLOG_FROM_PROC allows destructive actions -after a capabilities-constrained SYSLOG_ACTION_OPEN check. - -- /dev/kmsg allows: - - open if CAP_SYSLOG or dmesg_restrict==0 - - reading/polling, after open - -Signed-off-by: Kees Cook -Reported-by: Christian Kujau -Cc: Josh Boyer -Cc: Kay Sievers -Cc: stable@vger.kernel.org ---- - fs/proc/kmsg.c | 10 +++--- - include/linux/syslog.h | 4 +-- - kernel/printk.c | 91 ++++++++++++++++++++++++++---------------------- - 3 files changed, 57 insertions(+), 48 deletions(-) - -diff --git a/fs/proc/kmsg.c b/fs/proc/kmsg.c -index bd4b5a7..bdfabda 100644 ---- a/fs/proc/kmsg.c -+++ b/fs/proc/kmsg.c -@@ -21,12 +21,12 @@ extern wait_queue_head_t log_wait; - - static int kmsg_open(struct inode * inode, struct file * file) - { -- return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_OPEN, NULL, 0, SYSLOG_FROM_PROC); - } - - static int kmsg_release(struct inode * inode, struct file * file) - { -- (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_FILE); -+ (void) do_syslog(SYSLOG_ACTION_CLOSE, NULL, 0, SYSLOG_FROM_PROC); - return 0; - } - -@@ -34,15 +34,15 @@ static ssize_t kmsg_read(struct file *file, char __user *buf, - size_t count, loff_t *ppos) - { - if ((file->f_flags & O_NONBLOCK) && -- !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ !do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return -EAGAIN; -- return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_FILE); -+ return do_syslog(SYSLOG_ACTION_READ, buf, count, SYSLOG_FROM_PROC); - } - - static unsigned int kmsg_poll(struct file *file, poll_table *wait) - { - poll_wait(file, &log_wait, wait); -- if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_FILE)) -+ if (do_syslog(SYSLOG_ACTION_SIZE_UNREAD, NULL, 0, SYSLOG_FROM_PROC)) - return POLLIN | POLLRDNORM; - return 0; - } -diff --git a/include/linux/syslog.h b/include/linux/syslog.h -index 3891139..98a3153 100644 ---- a/include/linux/syslog.h -+++ b/include/linux/syslog.h -@@ -44,8 +44,8 @@ - /* Return size of the log buffer */ - #define SYSLOG_ACTION_SIZE_BUFFER 10 - --#define SYSLOG_FROM_CALL 0 --#define SYSLOG_FROM_FILE 1 -+#define SYSLOG_FROM_READER 0 -+#define SYSLOG_FROM_PROC 1 - - int do_syslog(int type, char __user *buf, int count, bool from_file); - -diff --git a/kernel/printk.c b/kernel/printk.c -index abbdd9e..53b5c5e 100644 ---- a/kernel/printk.c -+++ b/kernel/printk.c -@@ -368,6 +368,53 @@ static void log_store(int facility, int level, - log_next_seq++; - } - -+#ifdef CONFIG_SECURITY_DMESG_RESTRICT -+int dmesg_restrict = 1; -+#else -+int dmesg_restrict; -+#endif -+ -+static int syslog_action_restricted(int type) -+{ -+ if (dmesg_restrict) -+ return 1; -+ /* -+ * Unless restricted, we allow "read all" and "get buffer size" -+ * for everybody. -+ */ -+ return type != SYSLOG_ACTION_READ_ALL && -+ type != SYSLOG_ACTION_SIZE_BUFFER; -+} -+ -+static int check_syslog_permissions(int type, bool from_file) -+{ -+ /* -+ * If this is from /proc/kmsg and we've already opened it, then we've -+ * already done the capabilities checks at open time. -+ */ -+ if (from_file && type != SYSLOG_ACTION_OPEN) -+ return 0; -+ -+ if (syslog_action_restricted(type)) { -+ if (capable(CAP_SYSLOG)) -+ return 0; -+ /* -+ * For historical reasons, accept CAP_SYS_ADMIN too, with -+ * a warning. -+ */ -+ if (capable(CAP_SYS_ADMIN)) { -+ printk_once(KERN_WARNING "%s (%d): " -+ "Attempt to access syslog with CAP_SYS_ADMIN " -+ "but no CAP_SYSLOG (deprecated).\n", -+ current->comm, task_pid_nr(current)); -+ return 0; -+ } -+ return -EPERM; -+ } -+ return security_syslog(type); -+} -+ -+ - /* /dev/kmsg - userspace message inject/listen interface */ - struct devkmsg_user { - u64 seq; -@@ -624,7 +671,8 @@ static int devkmsg_open(struct inode *inode, struct file *file) - if ((file->f_flags & O_ACCMODE) == O_WRONLY) - return 0; - -- err = security_syslog(SYSLOG_ACTION_READ_ALL); -+ err = check_syslog_permissions(SYSLOG_ACTION_READ_ALL, -+ SYSLOG_FROM_READER); - if (err) - return err; - -@@ -817,45 +865,6 @@ static inline void boot_delay_msec(int level) - } - #endif - --#ifdef CONFIG_SECURITY_DMESG_RESTRICT --int dmesg_restrict = 1; --#else --int dmesg_restrict; --#endif -- --static int syslog_action_restricted(int type) --{ -- if (dmesg_restrict) -- return 1; -- /* Unless restricted, we allow "read all" and "get buffer size" for everybody */ -- return type != SYSLOG_ACTION_READ_ALL && type != SYSLOG_ACTION_SIZE_BUFFER; --} -- --static int check_syslog_permissions(int type, bool from_file) --{ -- /* -- * If this is from /proc/kmsg and we've already opened it, then we've -- * already done the capabilities checks at open time. -- */ -- if (from_file && type != SYSLOG_ACTION_OPEN) -- return 0; -- -- if (syslog_action_restricted(type)) { -- if (capable(CAP_SYSLOG)) -- return 0; -- /* For historical reasons, accept CAP_SYS_ADMIN too, with a warning */ -- if (capable(CAP_SYS_ADMIN)) { -- printk_once(KERN_WARNING "%s (%d): " -- "Attempt to access syslog with CAP_SYS_ADMIN " -- "but no CAP_SYSLOG (deprecated).\n", -- current->comm, task_pid_nr(current)); -- return 0; -- } -- return -EPERM; -- } -- return 0; --} -- - #if defined(CONFIG_PRINTK_TIME) - static bool printk_time = 1; - #else -@@ -1253,7 +1262,7 @@ out: - - SYSCALL_DEFINE3(syslog, int, type, char __user *, buf, int, len) - { -- return do_syslog(type, buf, len, SYSLOG_FROM_CALL); -+ return do_syslog(type, buf, len, SYSLOG_FROM_READER); - } - - /* --- -1.7.9.5 - - --- -Kees Cook -Chrome OS Security diff --git a/Modify-UEFI-anti-bricking-code.patch b/Modify-UEFI-anti-bricking-code.patch deleted file mode 100644 index 862574556..000000000 --- a/Modify-UEFI-anti-bricking-code.patch +++ /dev/null @@ -1,371 +0,0 @@ -From 2380baac8b96f6e93ef72135d1b60d686d7f82e6 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Sat, 1 Jun 2013 16:06:20 -0400 -Subject: [PATCH] Modify UEFI anti-bricking code - -This patch reworks the UEFI anti-bricking code, including an effective -reversion of cc5a080c and 31ff2f20. It turns out that calling -QueryVariableInfo() from boot services results in some firmware -implementations jumping to physical addresses even after entering virtual -mode, so until we have 1:1 mappings for UEFI runtime space this isn't -going to work so well. - -Reverting these gets us back to the situation where we'd refuse to create -variables on some systems because they classify deleted variables as "used" -until the firmware triggers a garbage collection run, which they won't do -until they reach a lower threshold. This results in it being impossible to -install a bootloader, which is unhelpful. - -Feedback from Samsung indicates that the firmware doesn't need more than -5KB of storage space for its own purposes, so that seems like a reasonable -threshold. However, there's still no guarantee that a platform will attempt -garbage collection merely because it drops below this threshold. It seems -that this is often only triggered if an attempt to write generates a -genuine EFI_OUT_OF_RESOURCES error. We can force that by attempting to -create a variable larger than the remaining space. This should fail, but if -it somehow succeeds we can then immediately delete it. - -I've tested this on the UEFI machines I have available, but I don't have -a Samsung and so can't verify that it avoids the bricking problem. - -Signed-off-by: Matthew Garrett ---- - arch/x86/boot/compressed/eboot.c | 47 ---------- - arch/x86/include/asm/efi.h | 7 -- - arch/x86/include/uapi/asm/bootparam.h | 1 - - arch/x86/platform/efi/efi.c | 167 +++++++++------------------------- - 4 files changed, 44 insertions(+), 178 deletions(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 35ee62f..c205035 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -251,51 +251,6 @@ static void find_bits(unsigned long mask, u8 *pos, u8 *size) - *size = len; - } - --static efi_status_t setup_efi_vars(struct boot_params *params) --{ -- struct setup_data *data; -- struct efi_var_bootdata *efidata; -- u64 store_size, remaining_size, var_size; -- efi_status_t status; -- -- if (sys_table->runtime->hdr.revision < EFI_2_00_SYSTEM_TABLE_REVISION) -- return EFI_UNSUPPORTED; -- -- data = (struct setup_data *)(unsigned long)params->hdr.setup_data; -- -- while (data && data->next) -- data = (struct setup_data *)(unsigned long)data->next; -- -- status = efi_call_phys4((void *)sys_table->runtime->query_variable_info, -- EFI_VARIABLE_NON_VOLATILE | -- EFI_VARIABLE_BOOTSERVICE_ACCESS | -- EFI_VARIABLE_RUNTIME_ACCESS, &store_size, -- &remaining_size, &var_size); -- -- if (status != EFI_SUCCESS) -- return status; -- -- status = efi_call_phys3(sys_table->boottime->allocate_pool, -- EFI_LOADER_DATA, sizeof(*efidata), &efidata); -- -- if (status != EFI_SUCCESS) -- return status; -- -- efidata->data.type = SETUP_EFI_VARS; -- efidata->data.len = sizeof(struct efi_var_bootdata) - -- sizeof(struct setup_data); -- efidata->data.next = 0; -- efidata->store_size = store_size; -- efidata->remaining_size = remaining_size; -- efidata->max_var_size = var_size; -- -- if (data) -- data->next = (unsigned long)efidata; -- else -- params->hdr.setup_data = (unsigned long)efidata; -- --} -- - static efi_status_t setup_efi_pci(struct boot_params *params) - { - efi_pci_io_protocol *pci; -@@ -1202,8 +1157,6 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, - - setup_graphics(boot_params); - -- setup_efi_vars(boot_params); -- - setup_efi_pci(boot_params); - - status = efi_call_phys3(sys_table->boottime->allocate_pool, -diff --git a/arch/x86/include/asm/efi.h b/arch/x86/include/asm/efi.h -index 2fb5d58..60c89f3 100644 ---- a/arch/x86/include/asm/efi.h -+++ b/arch/x86/include/asm/efi.h -@@ -102,13 +102,6 @@ extern void efi_call_phys_epilog(void); - extern void efi_unmap_memmap(void); - extern void efi_memory_uc(u64 addr, unsigned long size); - --struct efi_var_bootdata { -- struct setup_data data; -- u64 store_size; -- u64 remaining_size; -- u64 max_var_size; --}; -- - #ifdef CONFIG_EFI - - static inline bool efi_is_native(void) -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index 0874424..c15ddaf 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -6,7 +6,6 @@ - #define SETUP_E820_EXT 1 - #define SETUP_DTB 2 - #define SETUP_PCI 3 --#define SETUP_EFI_VARS 4 - - /* ram_size flags */ - #define RAMDISK_IMAGE_START_MASK 0x07FF -diff --git a/arch/x86/platform/efi/efi.c b/arch/x86/platform/efi/efi.c -index e4a86a6..beb5d5f 100644 ---- a/arch/x86/platform/efi/efi.c -+++ b/arch/x86/platform/efi/efi.c -@@ -41,7 +41,6 @@ - #include - #include - #include --#include - - #include - #include -@@ -52,13 +51,6 @@ - - #define EFI_DEBUG 1 - --/* -- * There's some additional metadata associated with each -- * variable. Intel's reference implementation is 60 bytes - bump that -- * to account for potential alignment constraints -- */ --#define VAR_METADATA_SIZE 64 -- - struct efi __read_mostly efi = { - .mps = EFI_INVALID_TABLE_ADDR, - .acpi = EFI_INVALID_TABLE_ADDR, -@@ -77,13 +69,6 @@ struct efi_memory_map memmap; - static struct efi efi_phys __initdata; - static efi_system_table_t efi_systab __initdata; - --static u64 efi_var_store_size; --static u64 efi_var_remaining_size; --static u64 efi_var_max_var_size; --static u64 boot_used_size; --static u64 boot_var_size; --static u64 active_size; -- - unsigned long x86_efi_facility; - - /* -@@ -186,53 +171,8 @@ static efi_status_t virt_efi_get_next_variable(unsigned long *name_size, - efi_char16_t *name, - efi_guid_t *vendor) - { -- efi_status_t status; -- static bool finished = false; -- static u64 var_size; -- -- status = efi_call_virt3(get_next_variable, -+ return efi_call_virt3(get_next_variable, - name_size, name, vendor); -- -- if (status == EFI_NOT_FOUND) { -- finished = true; -- if (var_size < boot_used_size) { -- boot_var_size = boot_used_size - var_size; -- active_size += boot_var_size; -- } else { -- printk(KERN_WARNING FW_BUG "efi: Inconsistent initial sizes\n"); -- } -- } -- -- if (boot_used_size && !finished) { -- unsigned long size; -- u32 attr; -- efi_status_t s; -- void *tmp; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, NULL); -- -- if (s != EFI_BUFFER_TOO_SMALL || !size) -- return status; -- -- tmp = kmalloc(size, GFP_ATOMIC); -- -- if (!tmp) -- return status; -- -- s = virt_efi_get_variable(name, vendor, &attr, &size, tmp); -- -- if (s == EFI_SUCCESS && (attr & EFI_VARIABLE_NON_VOLATILE)) { -- var_size += size; -- var_size += ucs2_strsize(name, 1024); -- active_size += size; -- active_size += VAR_METADATA_SIZE; -- active_size += ucs2_strsize(name, 1024); -- } -- -- kfree(tmp); -- } -- -- return status; - } - - static efi_status_t virt_efi_set_variable(efi_char16_t *name, -@@ -241,34 +181,9 @@ static efi_status_t virt_efi_set_variable(efi_char16_t *name, - unsigned long data_size, - void *data) - { -- efi_status_t status; -- u32 orig_attr = 0; -- unsigned long orig_size = 0; -- -- status = virt_efi_get_variable(name, vendor, &orig_attr, &orig_size, -- NULL); -- -- if (status != EFI_BUFFER_TOO_SMALL) -- orig_size = 0; -- -- status = efi_call_virt5(set_variable, -- name, vendor, attr, -- data_size, data); -- -- if (status == EFI_SUCCESS) { -- if (orig_size) { -- active_size -= orig_size; -- active_size -= ucs2_strsize(name, 1024); -- active_size -= VAR_METADATA_SIZE; -- } -- if (data_size) { -- active_size += data_size; -- active_size += ucs2_strsize(name, 1024); -- active_size += VAR_METADATA_SIZE; -- } -- } -- -- return status; -+ return efi_call_virt5(set_variable, -+ name, vendor, attr, -+ data_size, data); - } - - static efi_status_t virt_efi_query_variable_info(u32 attr, -@@ -776,9 +691,6 @@ void __init efi_init(void) - char vendor[100] = "unknown"; - int i = 0; - void *tmp; -- struct setup_data *data; -- struct efi_var_bootdata *efi_var_data; -- u64 pa_data; - - #ifdef CONFIG_X86_32 - if (boot_params.efi_info.efi_systab_hi || -@@ -796,22 +708,6 @@ void __init efi_init(void) - if (efi_systab_init(efi_phys.systab)) - return; - -- pa_data = boot_params.hdr.setup_data; -- while (pa_data) { -- data = early_ioremap(pa_data, sizeof(*efi_var_data)); -- if (data->type == SETUP_EFI_VARS) { -- efi_var_data = (struct efi_var_bootdata *)data; -- -- efi_var_store_size = efi_var_data->store_size; -- efi_var_remaining_size = efi_var_data->remaining_size; -- efi_var_max_var_size = efi_var_data->max_var_size; -- } -- pa_data = data->next; -- early_iounmap(data, sizeof(*efi_var_data)); -- } -- -- boot_used_size = efi_var_store_size - efi_var_remaining_size; -- - set_bit(EFI_SYSTEM_TABLES, &x86_efi_facility); - - /* -@@ -1131,28 +1027,53 @@ efi_status_t efi_query_variable_store(u32 attributes, unsigned long size) - if (status != EFI_SUCCESS) - return status; - -- if (!max_size && remaining_size > size) -- printk_once(KERN_ERR FW_BUG "Broken EFI implementation" -- " is returning MaxVariableSize=0\n"); - /* - * Some firmware implementations refuse to boot if there's insufficient - * space in the variable store. We account for that by refusing the - * write if permitting it would reduce the available space to under -- * 50%. However, some firmware won't reclaim variable space until -- * after the used (not merely the actively used) space drops below -- * a threshold. We can approximate that case with the value calculated -- * above. If both the firmware and our calculations indicate that the -- * available space would drop below 50%, refuse the write. -+ * 5KB. This figure was provided by Samsung, so should be safe. - */ -+ if ((remaining_size - size < 5120) && !efi_no_storage_paranoia) { -+ /* -+ * Triggering garbage collection may require that the firmware -+ * generate a real EFI_OUT_OF_RESOURCES error. We can force -+ * that by attempting to use more space than is available. -+ */ -+ unsigned long dummy_size = remaining_size + 1024; -+ void *dummy = kmalloc(dummy_size, GFP_ATOMIC); -+ efi_char16_t efi_name[6] = { 'D', 'U', 'M', 'M', 'Y', 0 }; -+ efi_guid_t guid = EFI_GUID(0x4424ac57, 0xbe4b, 0x47dd, 0x9e, -+ 0x97, 0xed, 0x50, 0xf0, 0x9f, 0x92, -+ 0xa9); -+ -+ status = efi.set_variable(efi_name, &guid, attributes, -+ dummy_size, dummy); -+ -+ if (status == EFI_SUCCESS) { -+ /* -+ * This should have failed, so if it didn't make sure -+ * that we delete it... -+ */ -+ efi.set_variable(efi_name, &guid, attributes, 0, -+ dummy); -+ } - -- if (!storage_size || size > remaining_size || -- (max_size && size > max_size)) -- return EFI_OUT_OF_RESOURCES; -+ /* -+ * The runtime code may now have triggered a garbage collection -+ * run, so check the variable info again -+ */ -+ status = efi.query_variable_info(attributes, &storage_size, -+ &remaining_size, &max_size); - -- if (!efi_no_storage_paranoia && -- ((active_size + size + VAR_METADATA_SIZE > storage_size / 2) && -- (remaining_size - size < storage_size / 2))) -- return EFI_OUT_OF_RESOURCES; -+ if (status != EFI_SUCCESS) -+ return status; -+ -+ /* -+ * There still isn't enough room, so return an error -+ */ -+ if (remaining_size - size < 5120) -+ return EFI_OUT_OF_RESOURCES; -+ } - - return EFI_SUCCESS; - } --- -1.8.1.4 - diff --git a/b43-stop-format-string-leaking-into-error-msgs.patch b/b43-stop-format-string-leaking-into-error-msgs.patch deleted file mode 100644 index 84249e5eb..000000000 --- a/b43-stop-format-string-leaking-into-error-msgs.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9538cbaab6e8b8046039b4b2eb6c9d614dc782bd Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Fri, 10 May 2013 21:48:21 +0000 -Subject: b43: stop format string leaking into error msgs - -The module parameter "fwpostfix" is userspace controllable, unfiltered, -and is used to define the firmware filename. b43_do_request_fw() populates -ctx->errors[] on error, containing the firmware filename. b43err() -parses its arguments as a format string. For systems with b43 hardware, -this could lead to a uid-0 to ring-0 escalation. - -CVE-2013-2852 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: John W. Linville ---- -diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c -index 6dd07e2..a95b77a 100644 ---- a/drivers/net/wireless/b43/main.c -+++ b/drivers/net/wireless/b43/main.c -@@ -2458,7 +2458,7 @@ static void b43_request_firmware(struct work_struct *work) - for (i = 0; i < B43_NR_FWTYPES; i++) { - errmsg = ctx->errors[i]; - if (strlen(errmsg)) -- b43err(dev->wl, errmsg); -+ b43err(dev->wl, "%s", errmsg); - } - b43_print_fw_helptext(dev->wl, 1); - goto out; --- -cgit v0.9.2 diff --git a/config-generic b/config-generic index 1fd53ba97..4ee4aff2c 100644 --- a/config-generic +++ b/config-generic @@ -1534,7 +1534,7 @@ CONFIG_ATH9K_DEBUGFS=y CONFIG_ATH9K_HTC=m CONFIG_ATH9K_BTCOEX_SUPPORT=y # CONFIG_ATH9K_HTC_DEBUGFS is not set -CONFIG_ATH9K_RATE_CONTROL=y +CONFIG_ATH9K_LEGACY_RATE_CONTROL=y CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y CONFIG_CARL9170=m diff --git a/kernel.spec b/kernel.spec index 9778a77d8..17afeebaa 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -729,9 +729,6 @@ Patch21242: criu-no-expert.patch #rhbz 892811 Patch21247: ath9k_rx_dma_stop_check.patch -#rhbz 903192 -Patch21261: 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - #rhbz 856863 892599 Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -754,9 +751,6 @@ Patch23008: forcedeth-dma-error-check.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -Patch25026: Modify-UEFI-anti-bricking-code.patch - # Needed for F19 gssproxy feature Patch25030: gssproxy-backport.patch @@ -769,9 +763,6 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -Patch25034: b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 Patch25035: block-do-not-pass-disk-names-as-format-strings.patch @@ -1488,9 +1479,6 @@ ApplyPatch criu-no-expert.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 903192 -ApplyPatch 0001-kmsg-Honor-dmesg_restrict-sysctl-on-dev-kmsg.patch - #rhbz 856863 892599 ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch @@ -1507,9 +1495,6 @@ ApplyPatch forcedeth-dma-error-check.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#rhbz 964335 -ApplyPatch Modify-UEFI-anti-bricking-code.patch - # Needed for F19 gssproxy feature ApplyPatch gssproxy-backport.patch @@ -1522,9 +1507,6 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2852 rhbz 969518 971665 -ApplyPatch b43-stop-format-string-leaking-into-error-msgs.patch - #CVE-2013-2851 rhbz 969515 971662 ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch @@ -2373,6 +2355,9 @@ fi # and build. %changelog +* Thu Jun 20 2013 Justin M. Forbes +- Linux v3.9.7 + * Tue Jun 18 2013 Neil Horman - Fix dma debug error in tulip driver (rhbz 956732) diff --git a/sources b/sources index 803d88c2a..6a7aeb8b7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -897cffc5167a561b38c6748e7f0a4215 patch-3.9.6.xz +74005c469fbd309ab631d981e2d3a6e7 patch-3.9.7.xz From 4e73d41e8d6cc8565d66c225b1447370dcccbc44 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 21 Jun 2013 09:07:54 -0400 Subject: [PATCH 133/468] Add patch to fix carl9170 oops (rhbz 967271) --- ...me-drop-and-WARN-due-to-minstrel_ht-.patch | 160 ++++++++++++++++++ kernel.spec | 9 + 2 files changed, 169 insertions(+) create mode 100644 carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch diff --git a/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch b/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch new file mode 100644 index 000000000..a360731bd --- /dev/null +++ b/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch @@ -0,0 +1,160 @@ +From 5f34608fa2acbfef5a06d0072a978c9943c28a2d Mon Sep 17 00:00:00 2001 +From: Christian Lamparter +Date: Fri, 22 Feb 2013 01:30:44 +0100 +Subject: [PATCH] carl9170: fix frame drop and WARN due to minstrel_ht change + +With "mac80211/minstrel_ht: add support for using CCK rates" +minstrel_ht selects legacy CCK rates as viable rates for +outgoing frames which might be sent as part of an A-MPDU +[IEEE80211_TX_CTL_AMPDU is set]. + +This behavior triggered the following WARN_ON in the driver: +> WARNING: at carl9170/tx.c:995 carl9170_op_tx+0x1dd/0x6fd +The driver assumed that the rate control algorithm made a +mistake and dropped the frame. + +This patch removes the noisy warning altogether and allows +said A-MPDU frames with CCK sample and/or fallback rates to +be transmitted seamlessly. + +Signed-off-by: Christian Lamparter +Signed-off-by: John W. Linville +--- + drivers/net/wireless/ath/carl9170/tx.c | 69 ++++++++++++++-------------------- + 1 file changed, 28 insertions(+), 41 deletions(-) + +diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c +index 9c0b150..c61cafa 100644 +--- a/drivers/net/wireless/ath/carl9170/tx.c ++++ b/drivers/net/wireless/ath/carl9170/tx.c +@@ -387,8 +387,7 @@ static void carl9170_tx_status_process_ampdu(struct ar9170 *ar, + u8 tid; + + if (!(txinfo->flags & IEEE80211_TX_CTL_AMPDU) || +- txinfo->flags & IEEE80211_TX_CTL_INJECTED || +- (!(super->f.mac_control & cpu_to_le16(AR9170_TX_MAC_AGGR)))) ++ txinfo->flags & IEEE80211_TX_CTL_INJECTED) + return; + + rcu_read_lock(); +@@ -981,30 +980,6 @@ static int carl9170_tx_prepare(struct ar9170 *ar, + + SET_VAL(CARL9170_TX_SUPER_AMPDU_FACTOR, + txc->s.ampdu_settings, factor); +- +- for (i = 0; i < CARL9170_TX_MAX_RATES; i++) { +- txrate = &info->control.rates[i]; +- if (txrate->idx >= 0) { +- txc->s.ri[i] = +- CARL9170_TX_SUPER_RI_AMPDU; +- +- if (WARN_ON(!(txrate->flags & +- IEEE80211_TX_RC_MCS))) { +- /* +- * Not sure if it's even possible +- * to aggregate non-ht rates with +- * this HW. +- */ +- goto err_out; +- } +- continue; +- } +- +- txrate->idx = 0; +- txrate->count = ar->hw->max_rate_tries; +- } +- +- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_AGGR); + } + + /* +@@ -1012,11 +987,31 @@ static int carl9170_tx_prepare(struct ar9170 *ar, + * taken from mac_control. For all fallback rate, the firmware + * updates the mac_control flags from the rate info field. + */ +- for (i = 1; i < CARL9170_TX_MAX_RATES; i++) { ++ for (i = 0; i < CARL9170_TX_MAX_RATES; i++) { ++ __le32 phy_set; + txrate = &info->control.rates[i]; + if (txrate->idx < 0) + break; + ++ phy_set = carl9170_tx_physet(ar, info, txrate); ++ if (i == 0) { ++ /* first rate - part of the hw's frame header */ ++ txc->f.phy_control = phy_set; ++ ++ if (ampdu && txrate->flags & IEEE80211_TX_RC_MCS) ++ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_AGGR); ++ if (carl9170_tx_rts_check(ar, txrate, ampdu, no_ack)) ++ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_RTS); ++ else if (carl9170_tx_cts_check(ar, txrate)) ++ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_CTS); ++ ++ } else { ++ /* fallback rates are stored in the firmware's ++ * retry rate set array. ++ */ ++ txc->s.rr[i - 1] = phy_set; ++ } ++ + SET_VAL(CARL9170_TX_SUPER_RI_TRIES, txc->s.ri[i], + txrate->count); + +@@ -1027,21 +1022,13 @@ static int carl9170_tx_prepare(struct ar9170 *ar, + txc->s.ri[i] |= (AR9170_TX_MAC_PROT_CTS << + CARL9170_TX_SUPER_RI_ERP_PROT_S); + +- txc->s.rr[i - 1] = carl9170_tx_physet(ar, info, txrate); ++ if (ampdu && (txrate->flags & IEEE80211_TX_RC_MCS)) ++ txc->s.ri[i] |= CARL9170_TX_SUPER_RI_AMPDU; + } + +- txrate = &info->control.rates[0]; +- SET_VAL(CARL9170_TX_SUPER_RI_TRIES, txc->s.ri[0], txrate->count); +- +- if (carl9170_tx_rts_check(ar, txrate, ampdu, no_ack)) +- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_RTS); +- else if (carl9170_tx_cts_check(ar, txrate)) +- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_CTS); +- + txc->s.len = cpu_to_le16(skb->len); + txc->f.length = cpu_to_le16(len + FCS_LEN); + txc->f.mac_control = mac_tmp; +- txc->f.phy_control = carl9170_tx_physet(ar, info, txrate); + + arinfo = (void *)info->rate_driver_data; + arinfo->timeout = jiffies; +@@ -1381,9 +1368,9 @@ static void carl9170_tx(struct ar9170 *ar) + } + + static bool carl9170_tx_ampdu_queue(struct ar9170 *ar, +- struct ieee80211_sta *sta, struct sk_buff *skb) ++ struct ieee80211_sta *sta, struct sk_buff *skb, ++ struct ieee80211_tx_info *txinfo) + { +- struct _carl9170_tx_superframe *super = (void *) skb->data; + struct carl9170_sta_info *sta_info; + struct carl9170_sta_tid *agg; + struct sk_buff *iter; +@@ -1450,7 +1437,7 @@ err_unlock: + + err_unlock_rcu: + rcu_read_unlock(); +- super->f.mac_control &= ~cpu_to_le16(AR9170_TX_MAC_AGGR); ++ txinfo->flags &= ~IEEE80211_TX_CTL_AMPDU; + carl9170_tx_status(ar, skb, false); + ar->tx_dropped++; + return false; +@@ -1492,7 +1479,7 @@ void carl9170_op_tx(struct ieee80211_hw *hw, + * sta == NULL checks are redundant in this + * special case. + */ +- run = carl9170_tx_ampdu_queue(ar, sta, skb); ++ run = carl9170_tx_ampdu_queue(ar, sta, skb, info); + if (run) + carl9170_tx_ampdu(ar); + +-- +1.7.11.7 + diff --git a/kernel.spec b/kernel.spec index 17afeebaa..20f0f7f5a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -795,6 +795,9 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 956732 Patch25048: tulip-dma-debug-error.patch +#rhbz 967271 +Patch25049: carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch + # END OF PATCH DEFINITIONS %endif @@ -1539,6 +1542,9 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 956732 ApplyPatch tulip-dma-debug-error.patch +#rhbz 967271 +ApplyPatch carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch + # END OF PATCH APPLICATIONS %endif @@ -2355,6 +2361,9 @@ fi # and build. %changelog +* Fri Jun 21 2013 Josh Boyer +- Add patch to fix carl9170 oops (rhbz 967271) + * Thu Jun 20 2013 Justin M. Forbes - Linux v3.9.7 From b063278ee0c6d4c05439f81b0f8a3844f9e4db2e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 21 Jun 2013 09:33:25 -0400 Subject: [PATCH 134/468] Add two patches to fix iwlwifi issues in unmapping - Add patch to fix carl9170 oops (rhbz 967271) --- ...ifi-pcie-fix-race-in-queue-unmapping.patch | 56 +++++++++++++++++++ ...queue-if-stopped-when-being-unmapped.patch | 35 ++++++++++++ kernel.spec | 7 +++ 3 files changed, 98 insertions(+) create mode 100644 iwlwifi-pcie-fix-race-in-queue-unmapping.patch create mode 100644 iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch diff --git a/iwlwifi-pcie-fix-race-in-queue-unmapping.patch b/iwlwifi-pcie-fix-race-in-queue-unmapping.patch new file mode 100644 index 000000000..ad9194af3 --- /dev/null +++ b/iwlwifi-pcie-fix-race-in-queue-unmapping.patch @@ -0,0 +1,56 @@ +From: Emmanuel Grumbach + +When a queue is disabled, it frees all its entries. Later, +the op_mode might still get notifications from the firmware +that triggers to free entries in the tx queue. The transport +should be prepared for these races and know to ignore +reclaim calls on queues that have been disabled and whose +entries have been freed. + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +--- + drivers/net/wireless/iwlwifi/pcie/tx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c +index cb5c679..faaf77c 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/iwlwifi/pcie/tx.c +@@ -578,9 +578,12 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) + + spin_lock_bh(&txq->lock); + while (q->write_ptr != q->read_ptr) { ++ IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n", ++ txq_id, q->read_ptr); + iwl_pcie_txq_free_tfd(trans, txq); + q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd); + } ++ txq->active = false; + spin_unlock_bh(&txq->lock); + } + +@@ -929,6 +932,12 @@ void iwl_trans_pcie_reclaim(struct iwl_trans *trans, int txq_id, int ssn, + + spin_lock_bh(&txq->lock); + ++ if (!txq->active) { ++ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n", ++ txq_id, ssn); ++ goto out; ++ } ++ + if (txq->q.read_ptr == tfd_num) + goto out; + +@@ -1105,6 +1114,7 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo, + (fifo << SCD_QUEUE_STTS_REG_POS_TXF) | + (1 << SCD_QUEUE_STTS_REG_POS_WSL) | + SCD_QUEUE_STTS_REG_MSK); ++ trans_pcie->txq[txq_id].active = true; + IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d on FIFO %d WrPtr: %d\n", + txq_id, fifo, ssn & 0xff); + } +-- +1.7.11.7 diff --git a/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch b/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch new file mode 100644 index 000000000..661fc5035 --- /dev/null +++ b/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch @@ -0,0 +1,35 @@ +From: Emmanuel Grumbach + +When the queue is unmapped while it was so loaded that +mac80211's was stopped, we need to wake the queue after +having freed all the packets in the queue. +Not doing so can result in weird stuff like: + +* run lots of traffic (mac80211's queue gets stopped) +* RFKILL +* de-assert RFKILL +* no traffic + +Cc: stable@vger.kernel.org +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +--- + drivers/net/wireless/iwlwifi/pcie/tx.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c +index faaf77c..4e7b8d4 100644 +--- a/drivers/net/wireless/iwlwifi/pcie/tx.c ++++ b/drivers/net/wireless/iwlwifi/pcie/tx.c +@@ -585,6 +585,9 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) + } + txq->active = false; + spin_unlock_bh(&txq->lock); ++ ++ /* just in case - this queue may have been stopped */ ++ iwl_wake_queue(trans, txq); + } + + /* +-- +1.7.11.7 diff --git a/kernel.spec b/kernel.spec index 20f0f7f5a..7ae2ac6c1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -798,6 +798,9 @@ Patch25048: tulip-dma-debug-error.patch #rhbz 967271 Patch25049: carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch +Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch +Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch + # END OF PATCH DEFINITIONS %endif @@ -1545,6 +1548,9 @@ ApplyPatch tulip-dma-debug-error.patch #rhbz 967271 ApplyPatch carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch +ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch +ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch + # END OF PATCH APPLICATIONS %endif @@ -2362,6 +2368,7 @@ fi %changelog * Fri Jun 21 2013 Josh Boyer +- Add two patches to fix iwlwifi issues in unmapping - Add patch to fix carl9170 oops (rhbz 967271) * Thu Jun 20 2013 Justin M. Forbes From f334981c243ba52b70525f479d6d44e8baa74e3a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 24 Jun 2013 10:24:19 -0400 Subject: [PATCH 135/468] Fix battery issue with bluetooth keyboards (rhbz 903741) --- ...ODATA-if-reading-battery-attrs-fails.patch | 55 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 64 insertions(+) create mode 100644 HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch diff --git a/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch b/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch new file mode 100644 index 000000000..acdd66d48 --- /dev/null +++ b/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch @@ -0,0 +1,55 @@ +From d0a934b764c67b4bf626f5b7cf725a6e3066afd2 Mon Sep 17 00:00:00 2001 +From: David Herrmann +Date: Mon, 13 May 2013 15:01:30 +0000 +Subject: HID: input: return ENODATA if reading battery attrs fails + +power_supply core has the bad habit of calling our battery callbacks +from within power_supply_register(). Furthermore, if the callbacks +fail with an unhandled error code, it will skip any uevent that it +might currently process. +So if HID-core registers battery devices, an "add" uevent is generated +and the battery callbacks are called. These will gracefully fail due +to timeouts as they might still hold locks on event processing. One +could argue that this should be fixed in power_supply core, but the +least we can do is to signal ENODATA so power_supply core will just +skip the property and continue with the uevent. + +This fixes a bug where "add" and "remove" uevents are skipped for +battery devices. upower is unable to track these devices and currently +needs to ignore them. + +This patch also overwrites any other error code. I cannot see any reason +why we should forward protocol- or I/O-errors to the power_supply core. +We handle these errors in hid_ll_driver later, anyway, so just skip +them. power_supply core cannot do anything useful with them, anyway, +and we avoid skipping important uevents and confusing user-space. + +Thanks a lot to Daniel Nicoletti for pushing and investigating +on this. + +Cc: Jiri Kosina +Cc: Anton Vorontsov +Cc: David Woodhouse +Reported-by: Daniel Nicoletti +Signed-off-by: David Herrmann +Signed-off-by: Jiri Kosina +--- +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 945b815..c526a3c 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -354,10 +354,10 @@ static int hidinput_get_battery_property(struct power_supply *psy, + dev->battery_report_type); + + if (ret != 2) { +- if (ret >= 0) +- ret = -EINVAL; ++ ret = -ENODATA; + break; + } ++ ret = 0; + + if (dev->battery_min < dev->battery_max && + buf[1] >= dev->battery_min && +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 7ae2ac6c1..094c3f60a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -801,6 +801,9 @@ Patch25049: carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch +#rhbz 903741 +Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch + # END OF PATCH DEFINITIONS %endif @@ -1551,6 +1554,9 @@ ApplyPatch carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch +#rhbz 903741 +ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch + # END OF PATCH APPLICATIONS %endif @@ -2367,6 +2373,9 @@ fi # and build. %changelog +* Mon Jun 24 2013 Josh Boyer +- Fix battery issue with bluetooth keyboards (rhbz 903741) + * Fri Jun 21 2013 Josh Boyer - Add two patches to fix iwlwifi issues in unmapping - Add patch to fix carl9170 oops (rhbz 967271) From cc01c0f6553b3c840b7777af0a57232aac1124bc Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Tue, 25 Jun 2013 16:53:08 -0400 Subject: [PATCH 136/468] fix %{with_*} tests in modsigning --- kernel.spec | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/kernel.spec b/kernel.spec index 094c3f60a..66c86360b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1969,22 +1969,22 @@ find Documentation -type d | xargs chmod u+w %define __modsign_install_post \ if [ "%{signmodules}" == "1" ]; then \ - if [ "%{with_pae}" != "0" ]; then \ + if [ "%{with_pae}" -ne "0" ]; then \ mv signing_key.priv.sign.%{pae} signing_key.priv \ mv signing_key.x509.sign.%{pae} signing_key.x509 \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}/ \ fi \ - if [ "%{with_debug}" != "0" ]; then \ + if [ "%{with_debug}" -ne "0" ]; then \ mv signing_key.priv.sign.debug signing_key.priv \ mv signing_key.x509.sign.debug signing_key.x509 \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.debug/ \ fi \ - if [ "%{with_pae_debug}" != "0" ]; then \ + if [ "%{with_pae_debug}" -ne "0" ]; then \ mv signing_key.priv.sign.%{pae}debug signing_key.priv \ mv signing_key.x509.sign.%{pae}debug signing_key.x509 \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}.%{pae}debug/ \ fi \ - if [ "%{with_up}" != "0" ]; then \ + if [ "%{with_up}" -ne "0" ]; then \ mv signing_key.priv.sign signing_key.priv \ mv signing_key.x509.sign signing_key.x509 \ %{modsign_cmd} $RPM_BUILD_ROOT/lib/modules/%{KVERREL}/ \ @@ -2373,6 +2373,10 @@ fi # and build. %changelog +* Tue Jun 25 2013 Kyle McMartin +- Cherry pick fix out of rawhide for %{with_*} tests in module + signing from Jan Stancek. + * Mon Jun 24 2013 Josh Boyer - Fix battery issue with bluetooth keyboards (rhbz 903741) From 76adb1ee6c26c5f42aa9acb03ef8c87ec6ff9923 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 26 Jun 2013 07:50:55 -0400 Subject: [PATCH 137/468] Add two patches to fix bridge networking issues (rhbz 880035) --- ...the-mdb-entry-when-query-is-received.patch | 159 ++++++++++++++++++ ...d-query-as-soon-as-leave-is-received.patch | 57 +++++++ kernel.spec | 11 ++ 3 files changed, 227 insertions(+) create mode 100644 bridge-only-expire-the-mdb-entry-when-query-is-received.patch create mode 100644 bridge-send-query-as-soon-as-leave-is-received.patch diff --git a/bridge-only-expire-the-mdb-entry-when-query-is-received.patch b/bridge-only-expire-the-mdb-entry-when-query-is-received.patch new file mode 100644 index 000000000..b58b57083 --- /dev/null +++ b/bridge-only-expire-the-mdb-entry-when-query-is-received.patch @@ -0,0 +1,159 @@ +From 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Tue, 21 May 2013 21:52:55 +0000 +Subject: bridge: only expire the mdb entry when query is received + +Currently we arm the expire timer when the mdb entry is added, +however, this causes problem when there is no querier sent +out after that. + +So we should only arm the timer when a corresponding query is +received, as suggested by Herbert. + +And he also mentioned "if there is no querier then group +subscriptions shouldn't expire. There has to be at least one querier +in the network for this thing to work. Otherwise it just degenerates +into a non-snooping switch, which is OK." + +Cc: Herbert Xu +Cc: Stephen Hemminger +Cc: "David S. Miller" +Cc: Adam Baker +Signed-off-by: Cong Wang +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +--- +(limited to 'net/bridge') + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 2475147..40bda80 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -617,8 +617,6 @@ rehash: + + mp->br = br; + mp->addr = *group; +- setup_timer(&mp->timer, br_multicast_group_expired, +- (unsigned long)mp); + + hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]); + mdb->size++; +@@ -656,7 +654,6 @@ static int br_multicast_add_group(struct net_bridge *br, + struct net_bridge_mdb_entry *mp; + struct net_bridge_port_group *p; + struct net_bridge_port_group __rcu **pp; +- unsigned long now = jiffies; + int err; + + spin_lock(&br->multicast_lock); +@@ -671,7 +668,6 @@ static int br_multicast_add_group(struct net_bridge *br, + + if (!port) { + mp->mglist = true; +- mod_timer(&mp->timer, now + br->multicast_membership_interval); + goto out; + } + +@@ -679,7 +675,7 @@ static int br_multicast_add_group(struct net_bridge *br, + (p = mlock_dereference(*pp, br)) != NULL; + pp = &p->next) { + if (p->port == port) +- goto found; ++ goto out; + if ((unsigned long)p->port < (unsigned long)port) + break; + } +@@ -690,8 +686,6 @@ static int br_multicast_add_group(struct net_bridge *br, + rcu_assign_pointer(*pp, p); + br_mdb_notify(br->dev, port, group, RTM_NEWMDB); + +-found: +- mod_timer(&p->timer, now + br->multicast_membership_interval); + out: + err = 0; + +@@ -1131,6 +1125,10 @@ static int br_ip4_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + ++ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); ++ mod_timer(&mp->timer, now + br->multicast_membership_interval); ++ mp->timer_armed = true; ++ + max_delay *= br->multicast_last_member_count; + + if (mp->mglist && +@@ -1205,6 +1203,10 @@ static int br_ip6_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + ++ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); ++ mod_timer(&mp->timer, now + br->multicast_membership_interval); ++ mp->timer_armed = true; ++ + max_delay *= br->multicast_last_member_count; + if (mp->mglist && + (timer_pending(&mp->timer) ? +@@ -1263,7 +1265,7 @@ static void br_multicast_leave_group(struct net_bridge *br, + call_rcu_bh(&p->rcu, br_multicast_free_pg); + br_mdb_notify(br->dev, port, group, RTM_DELMDB); + +- if (!mp->ports && !mp->mglist && ++ if (!mp->ports && !mp->mglist && mp->timer_armed && + netif_running(br->dev)) + mod_timer(&mp->timer, jiffies); + } +@@ -1275,30 +1277,12 @@ static void br_multicast_leave_group(struct net_bridge *br, + br->multicast_last_member_interval; + + if (!port) { +- if (mp->mglist && ++ if (mp->mglist && mp->timer_armed && + (timer_pending(&mp->timer) ? + time_after(mp->timer.expires, time) : + try_to_del_timer_sync(&mp->timer) >= 0)) { + mod_timer(&mp->timer, time); + } +- +- goto out; +- } +- +- for (p = mlock_dereference(mp->ports, br); +- p != NULL; +- p = mlock_dereference(p->next, br)) { +- if (p->port != port) +- continue; +- +- if (!hlist_unhashed(&p->mglist) && +- (timer_pending(&p->timer) ? +- time_after(p->timer.expires, time) : +- try_to_del_timer_sync(&p->timer) >= 0)) { +- mod_timer(&p->timer, time); +- } +- +- break; + } + + out: +@@ -1674,6 +1658,7 @@ void br_multicast_stop(struct net_bridge *br) + hlist_for_each_entry_safe(mp, n, &mdb->mhash[i], + hlist[ver]) { + del_timer(&mp->timer); ++ mp->timer_armed = false; + call_rcu_bh(&mp->rcu, br_multicast_free_group); + } + } +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index e260710..1b0ac95 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -112,6 +112,7 @@ struct net_bridge_mdb_entry + struct timer_list timer; + struct br_ip addr; + bool mglist; ++ bool timer_armed; + }; + + struct net_bridge_mdb_htable +-- +cgit v0.9.2 diff --git a/bridge-send-query-as-soon-as-leave-is-received.patch b/bridge-send-query-as-soon-as-leave-is-received.patch new file mode 100644 index 000000000..8b6652e7e --- /dev/null +++ b/bridge-send-query-as-soon-as-leave-is-received.patch @@ -0,0 +1,57 @@ +From 6b7df111ece130fa979a0c4f58e53674c1e47d3e Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Tue, 21 May 2013 21:52:56 +0000 +Subject: bridge: send query as soon as leave is received + +Continue sending queries when leave is received if the user marks +it as a querier. + +Cc: Herbert Xu +Cc: Stephen Hemminger +Cc: "David S. Miller" +Cc: Adam Baker +Signed-off-by: Cong Wang +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +--- +(limited to 'net/bridge') + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 40bda80..37a4676 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -1250,6 +1250,32 @@ static void br_multicast_leave_group(struct net_bridge *br, + if (!mp) + goto out; + ++ if (br->multicast_querier && ++ !timer_pending(&br->multicast_querier_timer)) { ++ __br_multicast_send_query(br, port, &mp->addr); ++ ++ time = jiffies + br->multicast_last_member_count * ++ br->multicast_last_member_interval; ++ mod_timer(port ? &port->multicast_query_timer : ++ &br->multicast_query_timer, time); ++ ++ for (p = mlock_dereference(mp->ports, br); ++ p != NULL; ++ p = mlock_dereference(p->next, br)) { ++ if (p->port != port) ++ continue; ++ ++ if (!hlist_unhashed(&p->mglist) && ++ (timer_pending(&p->timer) ? ++ time_after(p->timer.expires, time) : ++ try_to_del_timer_sync(&p->timer) >= 0)) { ++ mod_timer(&p->timer, time); ++ } ++ ++ break; ++ } ++ } ++ + if (port && (port->flags & BR_MULTICAST_FAST_LEAVE)) { + struct net_bridge_port_group __rcu **pp; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 66c86360b..c895a7416 100644 --- a/kernel.spec +++ b/kernel.spec @@ -804,6 +804,10 @@ Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch #rhbz 903741 Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch +#rhbz 880035 +Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch +Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch + # END OF PATCH DEFINITIONS %endif @@ -1557,6 +1561,10 @@ ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch #rhbz 903741 ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch +#rhbz 880035 +ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch +ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch + # END OF PATCH APPLICATIONS %endif @@ -2373,6 +2381,9 @@ fi # and build. %changelog +* Wed Jun 26 2013 Josh Boyer +- Add two patches to fix bridge networking issues (rhbz 880035) + * Tue Jun 25 2013 Kyle McMartin - Cherry pick fix out of rawhide for %{with_*} tests in module signing from Jan Stancek. From ea007cb6697b651b5298a37a15a6ccf5b63d3680 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 27 Jun 2013 09:36:48 -0400 Subject: [PATCH 138/468] Fix stack memory usage for DMA in ath3k (rhbz 977558) --- ath3k-dont-use-stack-memory-for-DMA.patch | 72 +++++++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 81 insertions(+) create mode 100644 ath3k-dont-use-stack-memory-for-DMA.patch diff --git a/ath3k-dont-use-stack-memory-for-DMA.patch b/ath3k-dont-use-stack-memory-for-DMA.patch new file mode 100644 index 000000000..610a00067 --- /dev/null +++ b/ath3k-dont-use-stack-memory-for-DMA.patch @@ -0,0 +1,72 @@ +Memory allocated by vmalloc (including stack) can not be used for DMA, +i.e. data pointer on usb_control_msg() should not point to stack memory. + +Resolves: +https://bugzilla.redhat.com/show_bug.cgi?id=977558 + +Reported-and-tested-by: Andy Lawrence +Signed-off-by: Stanislaw Gruszka +--- + drivers/bluetooth/ath3k.c | 38 +++++++++++++++++++++++++++++--------- + 1 file changed, 29 insertions(+), 9 deletions(-) + +diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c +index 11f467c..81b636c 100644 +--- a/drivers/bluetooth/ath3k.c ++++ b/drivers/bluetooth/ath3k.c +@@ -193,24 +193,44 @@ error: + + static int ath3k_get_state(struct usb_device *udev, unsigned char *state) + { +- int pipe = 0; ++ int ret, pipe = 0; ++ char *buf; ++ ++ buf = kmalloc(1, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; + + pipe = usb_rcvctrlpipe(udev, 0); +- return usb_control_msg(udev, pipe, ATH3K_GETSTATE, +- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, +- state, 0x01, USB_CTRL_SET_TIMEOUT); ++ ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE, ++ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, ++ buf, 1, USB_CTRL_SET_TIMEOUT); ++ ++ *state = *buf; ++ kfree(buf); ++ ++ return ret; + } + + static int ath3k_get_version(struct usb_device *udev, + struct ath3k_version *version) + { +- int pipe = 0; ++ int ret, pipe = 0; ++ char *buf; ++ const int size = sizeof(struct ath3k_version); ++ ++ buf = kmalloc(size, GFP_KERNEL); ++ if (!buf) ++ return -ENOMEM; + + pipe = usb_rcvctrlpipe(udev, 0); +- return usb_control_msg(udev, pipe, ATH3K_GETVERSION, +- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, version, +- sizeof(struct ath3k_version), +- USB_CTRL_SET_TIMEOUT); ++ ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION, ++ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, ++ buf, size, USB_CTRL_SET_TIMEOUT); ++ ++ memcpy(version, buf, size); ++ kfree(buf); ++ ++ return ret; + } + + static int ath3k_load_fwfile(struct usb_device *udev, +-- +1.7.11.7 diff --git a/kernel.spec b/kernel.spec index c895a7416..dae355c31 100644 --- a/kernel.spec +++ b/kernel.spec @@ -808,6 +808,9 @@ Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch +#rhbz 977558 +Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch + # END OF PATCH DEFINITIONS %endif @@ -1565,6 +1568,9 @@ ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch +#rhbz 977558 +ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch + # END OF PATCH APPLICATIONS %endif @@ -2381,6 +2387,9 @@ fi # and build. %changelog +* Thu Jun 27 2013 Josh Boyer +- Fix stack memory usage for DMA in ath3k (rhbz 977558) + * Wed Jun 26 2013 Josh Boyer - Add two patches to fix bridge networking issues (rhbz 880035) From 871f73f85797f453a72bc86b8180792fefc3fc27 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 27 Jun 2013 14:57:33 -0400 Subject: [PATCH 139/468] Linux v3.9.8 --- ...me-drop-and-WARN-due-to-minstrel_ht-.patch | 160 ------------------ config-armv7-generic | 1 + kernel.spec | 27 +-- sources | 2 +- ...p-set-SOCK_ZEROCOPY-flag-during-open.patch | 26 --- ...trol-for-non-zerocopy-case-during-tx.patch | 60 ------- ...inal-mtrr-range-get-for-mtrr_cleanup.patch | 63 ------- x86-range-make-add_range-use-blank-slot.patch | 73 -------- 8 files changed, 6 insertions(+), 406 deletions(-) delete mode 100644 carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch delete mode 100644 tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch delete mode 100644 vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch delete mode 100644 x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch delete mode 100644 x86-range-make-add_range-use-blank-slot.patch diff --git a/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch b/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch deleted file mode 100644 index a360731bd..000000000 --- a/carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch +++ /dev/null @@ -1,160 +0,0 @@ -From 5f34608fa2acbfef5a06d0072a978c9943c28a2d Mon Sep 17 00:00:00 2001 -From: Christian Lamparter -Date: Fri, 22 Feb 2013 01:30:44 +0100 -Subject: [PATCH] carl9170: fix frame drop and WARN due to minstrel_ht change - -With "mac80211/minstrel_ht: add support for using CCK rates" -minstrel_ht selects legacy CCK rates as viable rates for -outgoing frames which might be sent as part of an A-MPDU -[IEEE80211_TX_CTL_AMPDU is set]. - -This behavior triggered the following WARN_ON in the driver: -> WARNING: at carl9170/tx.c:995 carl9170_op_tx+0x1dd/0x6fd -The driver assumed that the rate control algorithm made a -mistake and dropped the frame. - -This patch removes the noisy warning altogether and allows -said A-MPDU frames with CCK sample and/or fallback rates to -be transmitted seamlessly. - -Signed-off-by: Christian Lamparter -Signed-off-by: John W. Linville ---- - drivers/net/wireless/ath/carl9170/tx.c | 69 ++++++++++++++-------------------- - 1 file changed, 28 insertions(+), 41 deletions(-) - -diff --git a/drivers/net/wireless/ath/carl9170/tx.c b/drivers/net/wireless/ath/carl9170/tx.c -index 9c0b150..c61cafa 100644 ---- a/drivers/net/wireless/ath/carl9170/tx.c -+++ b/drivers/net/wireless/ath/carl9170/tx.c -@@ -387,8 +387,7 @@ static void carl9170_tx_status_process_ampdu(struct ar9170 *ar, - u8 tid; - - if (!(txinfo->flags & IEEE80211_TX_CTL_AMPDU) || -- txinfo->flags & IEEE80211_TX_CTL_INJECTED || -- (!(super->f.mac_control & cpu_to_le16(AR9170_TX_MAC_AGGR)))) -+ txinfo->flags & IEEE80211_TX_CTL_INJECTED) - return; - - rcu_read_lock(); -@@ -981,30 +980,6 @@ static int carl9170_tx_prepare(struct ar9170 *ar, - - SET_VAL(CARL9170_TX_SUPER_AMPDU_FACTOR, - txc->s.ampdu_settings, factor); -- -- for (i = 0; i < CARL9170_TX_MAX_RATES; i++) { -- txrate = &info->control.rates[i]; -- if (txrate->idx >= 0) { -- txc->s.ri[i] = -- CARL9170_TX_SUPER_RI_AMPDU; -- -- if (WARN_ON(!(txrate->flags & -- IEEE80211_TX_RC_MCS))) { -- /* -- * Not sure if it's even possible -- * to aggregate non-ht rates with -- * this HW. -- */ -- goto err_out; -- } -- continue; -- } -- -- txrate->idx = 0; -- txrate->count = ar->hw->max_rate_tries; -- } -- -- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_AGGR); - } - - /* -@@ -1012,11 +987,31 @@ static int carl9170_tx_prepare(struct ar9170 *ar, - * taken from mac_control. For all fallback rate, the firmware - * updates the mac_control flags from the rate info field. - */ -- for (i = 1; i < CARL9170_TX_MAX_RATES; i++) { -+ for (i = 0; i < CARL9170_TX_MAX_RATES; i++) { -+ __le32 phy_set; - txrate = &info->control.rates[i]; - if (txrate->idx < 0) - break; - -+ phy_set = carl9170_tx_physet(ar, info, txrate); -+ if (i == 0) { -+ /* first rate - part of the hw's frame header */ -+ txc->f.phy_control = phy_set; -+ -+ if (ampdu && txrate->flags & IEEE80211_TX_RC_MCS) -+ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_AGGR); -+ if (carl9170_tx_rts_check(ar, txrate, ampdu, no_ack)) -+ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_RTS); -+ else if (carl9170_tx_cts_check(ar, txrate)) -+ mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_CTS); -+ -+ } else { -+ /* fallback rates are stored in the firmware's -+ * retry rate set array. -+ */ -+ txc->s.rr[i - 1] = phy_set; -+ } -+ - SET_VAL(CARL9170_TX_SUPER_RI_TRIES, txc->s.ri[i], - txrate->count); - -@@ -1027,21 +1022,13 @@ static int carl9170_tx_prepare(struct ar9170 *ar, - txc->s.ri[i] |= (AR9170_TX_MAC_PROT_CTS << - CARL9170_TX_SUPER_RI_ERP_PROT_S); - -- txc->s.rr[i - 1] = carl9170_tx_physet(ar, info, txrate); -+ if (ampdu && (txrate->flags & IEEE80211_TX_RC_MCS)) -+ txc->s.ri[i] |= CARL9170_TX_SUPER_RI_AMPDU; - } - -- txrate = &info->control.rates[0]; -- SET_VAL(CARL9170_TX_SUPER_RI_TRIES, txc->s.ri[0], txrate->count); -- -- if (carl9170_tx_rts_check(ar, txrate, ampdu, no_ack)) -- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_RTS); -- else if (carl9170_tx_cts_check(ar, txrate)) -- mac_tmp |= cpu_to_le16(AR9170_TX_MAC_PROT_CTS); -- - txc->s.len = cpu_to_le16(skb->len); - txc->f.length = cpu_to_le16(len + FCS_LEN); - txc->f.mac_control = mac_tmp; -- txc->f.phy_control = carl9170_tx_physet(ar, info, txrate); - - arinfo = (void *)info->rate_driver_data; - arinfo->timeout = jiffies; -@@ -1381,9 +1368,9 @@ static void carl9170_tx(struct ar9170 *ar) - } - - static bool carl9170_tx_ampdu_queue(struct ar9170 *ar, -- struct ieee80211_sta *sta, struct sk_buff *skb) -+ struct ieee80211_sta *sta, struct sk_buff *skb, -+ struct ieee80211_tx_info *txinfo) - { -- struct _carl9170_tx_superframe *super = (void *) skb->data; - struct carl9170_sta_info *sta_info; - struct carl9170_sta_tid *agg; - struct sk_buff *iter; -@@ -1450,7 +1437,7 @@ err_unlock: - - err_unlock_rcu: - rcu_read_unlock(); -- super->f.mac_control &= ~cpu_to_le16(AR9170_TX_MAC_AGGR); -+ txinfo->flags &= ~IEEE80211_TX_CTL_AMPDU; - carl9170_tx_status(ar, skb, false); - ar->tx_dropped++; - return false; -@@ -1492,7 +1479,7 @@ void carl9170_op_tx(struct ieee80211_hw *hw, - * sta == NULL checks are redundant in this - * special case. - */ -- run = carl9170_tx_ampdu_queue(ar, sta, skb); -+ run = carl9170_tx_ampdu_queue(ar, sta, skb, info); - if (run) - carl9170_tx_ampdu(ar); - --- -1.7.11.7 - diff --git a/config-armv7-generic b/config-armv7-generic index 41119608e..58c581629 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -54,6 +54,7 @@ CONFIG_ARM_ERRATA_430973=y CONFIG_ARM_ERRATA_458693=y CONFIG_ARM_ERRATA_460075=y # Cortex-A9 +CONFIG_ARM_ERRATA_643719=y CONFIG_ARM_ERRATA_720789=y CONFIG_ARM_ERRATA_742230=y CONFIG_ARM_ERRATA_742231=y diff --git a/kernel.spec b/kernel.spec index dae355c31..2244925ec 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -772,14 +772,6 @@ Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch #CVE-2013-2164 rhbz 973100 973109 Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch -#rhbz 954181 -Patch25039: vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch -Patch25040: tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch - -#rhbz 973185 -Patch25041: x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch -Patch25042: x86-range-make-add_range-use-blank-slot.patch - #rhbz 967230 Patch25043: vfio-Set-container-device-mode.patch Patch25044: vfio-fix-crash-on-rmmod.patch @@ -795,9 +787,6 @@ Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 956732 Patch25048: tulip-dma-debug-error.patch -#rhbz 967271 -Patch25049: carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch - Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch @@ -1532,14 +1521,6 @@ ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch #CVE-2013-2164 rhbz 973100 973109 ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch -#rhbz 954181 -ApplyPatch vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch -ApplyPatch tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch - -#rhbz 973185 -ApplyPatch x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch -ApplyPatch x86-range-make-add_range-use-blank-slot.patch - #rhbz 967230 ApplyPatch vfio-Set-container-device-mode.patch ApplyPatch vfio-fix-crash-on-rmmod.patch @@ -1555,9 +1536,6 @@ ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 956732 ApplyPatch tulip-dma-debug-error.patch -#rhbz 967271 -ApplyPatch carl9170-fix-frame-drop-and-WARN-due-to-minstrel_ht-.patch - ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch @@ -2387,6 +2365,9 @@ fi # and build. %changelog +* Thu Jun 27 2013 Josh Boyer +- Linux v3.9.8 + * Thu Jun 27 2013 Josh Boyer - Fix stack memory usage for DMA in ath3k (rhbz 977558) diff --git a/sources b/sources index 6a7aeb8b7..607da4fb5 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -74005c469fbd309ab631d981e2d3a6e7 patch-3.9.7.xz +c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz diff --git a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch b/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch deleted file mode 100644 index 75de6ccce..000000000 --- a/tuntap-set-SOCK_ZEROCOPY-flag-during-open.patch +++ /dev/null @@ -1,26 +0,0 @@ -tuntap: set SOCK_ZEROCOPY flag during open - -Commit 54f968d6efdbf7dec36faa44fc11f01b0e4d1990 -(tuntap: move socket to tun_file) forgets to set SOCK_ZEROCOPY flag, which will -prevent vhost_net from doing zercopy w/ tap. This patch fixes this by setting -it during file open. - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin - ---- - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 89776c5..ff5312d 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -2159,6 +2159,8 @@ static int tun_chr_open(struct inode *inode, struct file * file) - set_bit(SOCK_EXTERNALLY_ALLOCATED, &tfile->socket.flags); - INIT_LIST_HEAD(&tfile->next); - -+ sock_set_flag(&tfile->sk, SOCK_ZEROCOPY); -+ - return 0; - } - diff --git a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch b/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch deleted file mode 100644 index 4455bbc0b..000000000 --- a/vhost_net-clear-msg.control-for-non-zerocopy-case-during-tx.patch +++ /dev/null @@ -1,60 +0,0 @@ -From 3add6ae9e1b854a9ddbe0dc17ff4ec48a2dac9fe Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 5 Jun 2013 07:40:46 +0000 -Subject: [PATCH] vhost_net: clear msg.control for non-zerocopy case during tx - -When we decide not use zero-copy, msg.control should be set to NULL otherwise -macvtap/tap may set zerocopy callbacks which may decrease the kref of ubufs -wrongly. - -Bug were introduced by commit cedb9bdce099206290a2bdd02ce47a7b253b6a84 -(vhost-net: skip head management if no outstanding). - -This solves the following warnings: - -WARNING: at include/linux/kref.h:47 handle_tx+0x477/0x4b0 [vhost_net]() -Modules linked in: vhost_net macvtap macvlan tun nfsd exportfs bridge stp llc openvswitch kvm_amd kvm bnx2 megaraid_sas [last unloaded: tun] -CPU: 5 PID: 8670 Comm: vhost-8668 Not tainted 3.10.0-rc2+ #1566 -Hardware name: Dell Inc. PowerEdge R715/00XHKG, BIOS 1.5.2 04/19/2011 -ffffffffa0198323 ffff88007c9ebd08 ffffffff81796b73 ffff88007c9ebd48 -ffffffff8103d66b 000000007b773e20 ffff8800779f0000 ffff8800779f43f0 -ffff8800779f8418 000000000000015c 0000000000000062 ffff88007c9ebd58 -Call Trace: -[] dump_stack+0x19/0x1e -[] warn_slowpath_common+0x6b/0xa0 -[] warn_slowpath_null+0x15/0x20 -[] handle_tx+0x477/0x4b0 [vhost_net] -[] handle_tx_kick+0x10/0x20 [vhost_net] -[] vhost_worker+0xfe/0x1a0 [vhost_net] -[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] -[] ? vhost_attach_cgroups_work+0x30/0x30 [vhost_net] -[] kthread+0xc6/0xd0 -[] ? kthread_freezable_should_stop+0x70/0x70 -[] ret_from_fork+0x7c/0xb0 -[] ? kthread_freezable_should_stop+0x70/0x70 - -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/vhost/net.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index ec6fb3f..3980e66 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -353,7 +353,9 @@ static void handle_tx(struct vhost_net *net) - kref_get(&ubufs->kref); - } - vq->upend_idx = (vq->upend_idx + 1) % UIO_MAXIOV; -- } -+ } else -+ msg.msg_control = NULL; -+ - /* TODO: Check specific error and bomb out unless ENOBUFS? */ - err = sock->ops->sendmsg(NULL, sock, &msg, len); - if (unlikely(err < 0)) { --- -1.8.1.4 - diff --git a/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch b/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch deleted file mode 100644 index 7c8b930f7..000000000 --- a/x86-mtrr-Fix-original-mtrr-range-get-for-mtrr_cleanup.patch +++ /dev/null @@ -1,63 +0,0 @@ -Joshua reported: Commit cd7b304dfaf1 (x86, range: fix missing merge -during add range) broke mtrr cleanup on his setup in 3.9.5. -corresponding commit in upstream is fbe06b7bae7c. - - *BAD*gran_size: 64K chunk_size: 16M num_reg: 6 lose cover RAM: -0G - -https://bugzilla.kernel.org/show_bug.cgi?id=59491 - -So it rejects new var mtrr layout. - -It turns out we have some problem with initial mtrr range retrievel. -current sequence is: - x86_get_mtrr_mem_range - ==> bunchs of add_range_with_merge - ==> bunchs of subract_range - ==> clean_sort_range - add_range_with_merge for [0,1M) - sort_range() - -add_range_with_merge could have blank slots, so we can not just -sort only, that will have final result have extra blank slot in head. - -So move that calling add_range_with_merge for [0,1M), with that we -could avoid extra clean_sort_range calling. - -Reported-by: Joshua Covington -Tested-by: Joshua Covington -Signed-off-by: Yinghai Lu -Cc: v3.9 - ---- - arch/x86/kernel/cpu/mtrr/cleanup.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -Index: linux-2.6/arch/x86/kernel/cpu/mtrr/cleanup.c -=================================================================== ---- linux-2.6.orig/arch/x86/kernel/cpu/mtrr/cleanup.c -+++ linux-2.6/arch/x86/kernel/cpu/mtrr/cleanup.c -@@ -714,15 +714,15 @@ int __init mtrr_cleanup(unsigned address - if (mtrr_tom2) - x_remove_size = (mtrr_tom2 >> PAGE_SHIFT) - x_remove_base; - -- nr_range = x86_get_mtrr_mem_range(range, 0, x_remove_base, x_remove_size); - /* - * [0, 1M) should always be covered by var mtrr with WB - * and fixed mtrrs should take effect before var mtrr for it: - */ -- nr_range = add_range_with_merge(range, RANGE_NUM, nr_range, 0, -+ nr_range = add_range_with_merge(range, RANGE_NUM, 0, 0, - 1ULL<<(20 - PAGE_SHIFT)); -- /* Sort the ranges: */ -- sort_range(range, nr_range); -+ /* add from var mtrr at last */ -+ nr_range = x86_get_mtrr_mem_range(range, nr_range, -+ x_remove_base, x_remove_size); - - range_sums = sum_ranges(range, nr_range); - printk(KERN_INFO "total RAM covered: %ldM\n", --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ \ No newline at end of file diff --git a/x86-range-make-add_range-use-blank-slot.patch b/x86-range-make-add_range-use-blank-slot.patch deleted file mode 100644 index 8a04f4f5c..000000000 --- a/x86-range-make-add_range-use-blank-slot.patch +++ /dev/null @@ -1,73 +0,0 @@ -Now add_range_with_merge will generate blank slot as subtract_range. -we could reach the array limit because of blank slots. - -We can let add_range to have second try to use blank slot. - -Also use WARN_ONCE to print trace. - -Reported-by: Joshua Covington -Signed-off-by: Yinghai Lu -Cc: v3.9 ---- - kernel/range.c | 34 ++++++++++++++++++++++------------ - 1 file changed, 22 insertions(+), 12 deletions(-) - -diff --git a/kernel/range.c b/kernel/range.c -index 98883ed..8ca718a 100644 ---- a/kernel/range.c -+++ b/kernel/range.c -@@ -3,23 +3,34 @@ - */ - #include - #include -+#include - #include -- - #include - - int add_range(struct range *range, int az, int nr_range, u64 start, u64 end) - { -- if (start >= end) -- return nr_range; -+ int i; - -- /* Out of slots: */ -- if (nr_range >= az) -+ if (start >= end) - return nr_range; - -- range[nr_range].start = start; -- range[nr_range].end = end; -+ /* Out of slots ? */ -+ if (nr_range < az) { -+ i = nr_range; -+ nr_range++; -+ } else { -+ /* find blank slot */ -+ for (i = 0; i < az; i++) -+ if (!range[i].end) -+ break; -+ if (i == az) { -+ WARN_ONCE(1, "run out of slot in ranges\n"); -+ return az; -+ } -+ } - -- nr_range++; -+ range[i].start = start; -+ range[i].end = end; - - return nr_range; - } -@@ -99,7 +110,7 @@ void subtract_range(struct range *range, int az, u64 start, u64 end) - range[i].end = range[j].end; - range[i].start = end; - } else { -- printk(KERN_ERR "run of slot in ranges\n"); -+ WARN_ONCE(1,"run of slot in ranges\n"); - } - range[j].end = start; - continue; --- -1.8.1.4 - From 0047ecfc5e8cbf861d24d4ab6dd7b4156c4b047a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 27 Jun 2013 15:02:28 -0400 Subject: [PATCH 140/468] Add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 2244925ec..83ebfc7ae 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2365,7 +2365,7 @@ fi # and build. %changelog -* Thu Jun 27 2013 Josh Boyer +* Thu Jun 27 2013 Josh Boyer - 3.9.8-300 - Linux v3.9.8 * Thu Jun 27 2013 Josh Boyer From a82de48640668ea8c0a8cffa01850d516971ab83 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Fri, 28 Jun 2013 14:35:58 +1000 Subject: [PATCH 141/468] add qxl fix for missing access ok macro. --- drm-qxl-access-fix.patch | 30 ++++++++++++++++++++++++++++++ kernel.spec | 5 +++++ 2 files changed, 35 insertions(+) create mode 100644 drm-qxl-access-fix.patch diff --git a/drm-qxl-access-fix.patch b/drm-qxl-access-fix.patch new file mode 100644 index 000000000..e40a14d1b --- /dev/null +++ b/drm-qxl-access-fix.patch @@ -0,0 +1,30 @@ +From 18097b91aaff215e843f04b84ec2c686270bb55f Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 28 Jun 2013 13:27:40 +1000 +Subject: [PATCH] drm/qxl: add missing access check for execbuffer ioctl + +Reported-by: Mathieu Desnoyers +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index a4b71b2..a30f294 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -171,6 +171,11 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + if (user_cmd.command_size > PAGE_SIZE - sizeof(union qxl_release_info)) + return -EINVAL; + ++ if (!access_ok(VERIFY_READ, ++ (void *)(unsigned long)user_cmd.command, ++ user_cmd.command_size)) ++ return -EFAULT; ++ + ret = qxl_alloc_release_reserved(qdev, + sizeof(union qxl_release_info) + + user_cmd.command_size, +-- +1.8.1.2 + diff --git a/kernel.spec b/kernel.spec index 83ebfc7ae..13bfcf12d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -671,6 +671,7 @@ Patch1000: devel-pekey-secure-boot-20130306.patch Patch1700: drm-ttm-exports-for-qxl.patch Patch1701: drm-qxl-driver.patch Patch1702: drm-qxl-backport-fixes.patch +Patch1703: drm-qxl-access-fix.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -1435,6 +1436,7 @@ ApplyPatch devel-pekey-secure-boot-20130306.patch ApplyPatch drm-ttm-exports-for-qxl.patch ApplyPatch drm-qxl-driver.patch ApplyPatch drm-qxl-backport-fixes.patch +ApplyPatch drm-qxl-access-fix.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -2365,6 +2367,9 @@ fi # and build. %changelog +* Fri Jun 28 2013 Dave Airlie +- add qxl fix for missing access ok macro. + * Thu Jun 27 2013 Josh Boyer - 3.9.8-300 - Linux v3.9.8 From d4b4aa64a7bd8596d6885e15304876a2f4b85291 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Fri, 28 Jun 2013 08:55:34 +0100 Subject: [PATCH 142/468] Only enable ARM A15 errata on the LPAE kernel as it breaks A8 --- config-armv7-generic | 2 +- config-armv7-lpae | 3 +++ kernel.spec | 3 +++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config-armv7-generic b/config-armv7-generic index 58c581629..d1e984fce 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -70,7 +70,7 @@ CONFIG_ARM_ERRATA_775420=y CONFIG_PL310_ERRATA_753970=y CONFIG_PL310_ERRATA_769419=y # Cortex-A15 -CONFIG_ARM_ERRATA_798181=y +# CONFIG_ARM_ERRATA_798181 is not set # generic that deviates from or should be merged into config-generic CONFIG_SMP=y diff --git a/config-armv7-lpae b/config-armv7-lpae index 7e34dedb9..57d7d860e 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -11,6 +11,9 @@ CONFIG_VIRTIO_CONSOLE=m CONFIG_ARM_VIRT_EXT=y CONFIG_VIRTUALIZATION=y +# Cortex-A15 +CONFIG_ARM_ERRATA_798181=y + CONFIG_KVM=y CONFIG_KVM_ARM_HOST=y CONFIG_KVM_ARM_MAX_VCPUS=8 diff --git a/kernel.spec b/kernel.spec index 13bfcf12d..17746d51b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2367,6 +2367,9 @@ fi # and build. %changelog +* Fri Jun 28 2013 Peter Robinson +- Only enable ARM A15 errata on the LPAE kernel as it breaks A8 + * Fri Jun 28 2013 Dave Airlie - add qxl fix for missing access ok macro. From 5e49e82bdbefcfae421bcc35cdca0636c05e33f5 Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Mon, 1 Jul 2013 00:36:00 -0400 Subject: [PATCH 143/468] kernel portion of qxl cursor and dynamic resize fixes. --- drm-qxl-cursor-and-dynamic-resize-fixes.patch | 263 ++++++++++++++++++ kernel.spec | 5 + 2 files changed, 268 insertions(+) create mode 100644 drm-qxl-cursor-and-dynamic-resize-fixes.patch diff --git a/drm-qxl-cursor-and-dynamic-resize-fixes.patch b/drm-qxl-cursor-and-dynamic-resize-fixes.patch new file mode 100644 index 000000000..08a79b7b5 --- /dev/null +++ b/drm-qxl-cursor-and-dynamic-resize-fixes.patch @@ -0,0 +1,263 @@ +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index e7e9242..cc9eada 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -2099,10 +2099,10 @@ out: + return ret; + } + +-int drm_mode_cursor_ioctl(struct drm_device *dev, +- void *data, struct drm_file *file_priv) ++static int drm_mode_cursor_common(struct drm_device *dev, ++ struct drm_mode_cursor2 *req, ++ struct drm_file *file_priv) + { +- struct drm_mode_cursor *req = data; + struct drm_mode_object *obj; + struct drm_crtc *crtc; + int ret = 0; +@@ -2122,13 +2122,17 @@ int drm_mode_cursor_ioctl(struct drm_device *dev, + + mutex_lock(&crtc->mutex); + if (req->flags & DRM_MODE_CURSOR_BO) { +- if (!crtc->funcs->cursor_set) { ++ if (!crtc->funcs->cursor_set && !crtc->funcs->cursor_set2) { + ret = -ENXIO; + goto out; + } + /* Turns off the cursor if handle is 0 */ +- ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, +- req->width, req->height); ++ if (crtc->funcs->cursor_set2) ++ ret = crtc->funcs->cursor_set2(crtc, file_priv, req->handle, ++ req->width, req->height, req->hot_x, req->hot_y); ++ else ++ ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, ++ req->width, req->height); + } + + if (req->flags & DRM_MODE_CURSOR_MOVE) { +@@ -2143,6 +2147,25 @@ out: + mutex_unlock(&crtc->mutex); + + return ret; ++ ++} ++int drm_mode_cursor_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv) ++{ ++ struct drm_mode_cursor *req = data; ++ struct drm_mode_cursor2 new_req; ++ ++ memcpy(&new_req, req, sizeof(struct drm_mode_cursor)); ++ new_req.hot_x = new_req.hot_y = 0; ++ ++ return drm_mode_cursor_common(dev, &new_req, file_priv); ++} ++ ++int drm_mode_cursor2_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv) ++{ ++ struct drm_mode_cursor2 *req = data; ++ return drm_mode_cursor_common(dev, req, file_priv); + } + + /* Original addfb only supported RGB formats, so figure out which one */ +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 9cc247f..99fcd7c 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -166,6 +166,7 @@ static const struct drm_ioctl_desc drm_ioctls[] = { + DRM_IOCTL_DEF(DRM_IOCTL_MODE_DESTROY_DUMB, drm_mode_destroy_dumb_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), + DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_GETPROPERTIES, drm_mode_obj_get_properties_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), + DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_SETPROPERTY, drm_mode_obj_set_property_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), ++ DRM_IOCTL_DEF(DRM_IOCTL_MODE_CURSOR2, drm_mode_cursor2_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), + }; + + #define DRM_CORE_IOCTL_COUNT ARRAY_SIZE( drm_ioctls ) +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 823d29e..026a374 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -30,55 +30,6 @@ + #include "qxl_object.h" + #include "drm_crtc_helper.h" + +-static void qxl_crtc_set_to_mode(struct qxl_device *qdev, +- struct drm_connector *connector, +- struct qxl_head *head) +-{ +- struct drm_device *dev = connector->dev; +- struct drm_display_mode *mode, *t; +- int width = head->width; +- int height = head->height; +- +- if (width < 320 || height < 240) { +- qxl_io_log(qdev, "%s: bad head: %dx%d", width, height); +- width = 1024; +- height = 768; +- } +- if (width * height * 4 > 16*1024*1024) { +- width = 1024; +- height = 768; +- } +- /* TODO: go over regular modes and removed preferred? */ +- list_for_each_entry_safe(mode, t, &connector->probed_modes, head) +- drm_mode_remove(connector, mode); +- mode = drm_cvt_mode(dev, width, height, 60, false, false, false); +- mode->type |= DRM_MODE_TYPE_PREFERRED; +- mode->status = MODE_OK; +- drm_mode_probed_add(connector, mode); +- qxl_io_log(qdev, "%s: %d x %d\n", __func__, width, height); +-} +- +-void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev) +-{ +- struct drm_connector *connector; +- int i; +- struct drm_device *dev = qdev->ddev; +- +- i = 0; +- qxl_io_log(qdev, "%s: %d, %d\n", __func__, +- dev->mode_config.num_connector, +- qdev->monitors_config->count); +- list_for_each_entry(connector, &dev->mode_config.connector_list, head) { +- if (i > qdev->monitors_config->count) { +- /* crtc will be reported as disabled */ +- continue; +- } +- qxl_crtc_set_to_mode(qdev, connector, +- &qdev->monitors_config->heads[i]); +- ++i; +- } +-} +- + void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) + { + if (qdev->client_monitors_config && +@@ -117,8 +68,8 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) + return 1; + } + if (num_monitors > qdev->monitors_config->max_allowed) { +- DRM_INFO("client monitors list will be truncated: %d < %d\n", +- qdev->monitors_config->max_allowed, num_monitors); ++ DRM_DEBUG_KMS("client monitors list will be truncated: %d < %d\n", ++ qdev->monitors_config->max_allowed, num_monitors); + num_monitors = qdev->monitors_config->max_allowed; + } else { + num_monitors = qdev->rom->client_monitors_config.count; +@@ -142,7 +93,7 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) + client_head->surface_id = head->surface_id = 0; + client_head->id = head->id = i; + client_head->flags = head->flags = 0; +- QXL_DEBUG(qdev, "read %dx%d+%d+%d\n", head->width, head->height, ++ DRM_DEBUG_KMS("read %dx%d+%d+%d\n", head->width, head->height, + head->x, head->y); + } + return 0; +@@ -155,9 +106,6 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) + qxl_io_log(qdev, "failed crc check for client_monitors_config," + " retrying\n"); + } +- qxl_crtc_set_from_monitors_config(qdev); +- /* fire off a uevent and let userspace tell us what to do */ +- qxl_io_log(qdev, "calling drm_sysfs_hotplug_event\n"); + drm_sysfs_hotplug_event(qdev->ddev); + } + +@@ -255,11 +203,11 @@ qxl_hide_cursor(struct qxl_device *qdev) + qxl_release_unreserve(qdev, release); + } + +-static int qxl_crtc_cursor_set(struct drm_crtc *crtc, +- struct drm_file *file_priv, +- uint32_t handle, +- uint32_t width, +- uint32_t height) ++static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, ++ struct drm_file *file_priv, ++ uint32_t handle, ++ uint32_t width, ++ uint32_t height, int32_t hot_x, int32_t hot_y) + { + struct drm_device *dev = crtc->dev; + struct qxl_device *qdev = dev->dev_private; +@@ -315,8 +263,8 @@ static int qxl_crtc_cursor_set(struct drm_crtc *crtc, + cursor->header.type = SPICE_CURSOR_TYPE_ALPHA; + cursor->header.width = 64; + cursor->header.height = 64; +- cursor->header.hot_spot_x = 0; +- cursor->header.hot_spot_y = 0; ++ cursor->header.hot_spot_x = hot_x; ++ cursor->header.hot_spot_y = hot_y; + cursor->data_size = size; + cursor->chunk.next_chunk = 0; + cursor->chunk.prev_chunk = 0; +@@ -397,7 +345,7 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, + + + static const struct drm_crtc_funcs qxl_crtc_funcs = { +- .cursor_set = qxl_crtc_cursor_set, ++ .cursor_set2 = qxl_crtc_cursor_set2, + .cursor_move = qxl_crtc_cursor_move, + .gamma_set = qxl_crtc_gamma_set, + .set_config = drm_crtc_helper_set_config, +diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h +index adb3f9b..093c030 100644 +--- a/include/drm/drm_crtc.h ++++ b/include/drm/drm_crtc.h +@@ -339,6 +339,9 @@ struct drm_crtc_funcs { + /* cursor controls */ + int (*cursor_set)(struct drm_crtc *crtc, struct drm_file *file_priv, + uint32_t handle, uint32_t width, uint32_t height); ++ int (*cursor_set2)(struct drm_crtc *crtc, struct drm_file *file_priv, ++ uint32_t handle, uint32_t width, uint32_t height, ++ int32_t hot_x, int32_t hot_y); + int (*cursor_move)(struct drm_crtc *crtc, int x, int y); + + /* Set gamma on the CRTC */ +@@ -1022,6 +1025,8 @@ extern int drm_mode_setplane(struct drm_device *dev, + void *data, struct drm_file *file_priv); + extern int drm_mode_cursor_ioctl(struct drm_device *dev, + void *data, struct drm_file *file_priv); ++extern int drm_mode_cursor2_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv); + extern int drm_mode_addfb(struct drm_device *dev, + void *data, struct drm_file *file_priv); + extern int drm_mode_addfb2(struct drm_device *dev, +diff --git a/include/uapi/drm/drm.h b/include/uapi/drm/drm.h +index 5a57be6..238a166 100644 +--- a/include/uapi/drm/drm.h ++++ b/include/uapi/drm/drm.h +@@ -732,6 +732,7 @@ struct drm_prime_handle { + #define DRM_IOCTL_MODE_ADDFB2 DRM_IOWR(0xB8, struct drm_mode_fb_cmd2) + #define DRM_IOCTL_MODE_OBJ_GETPROPERTIES DRM_IOWR(0xB9, struct drm_mode_obj_get_properties) + #define DRM_IOCTL_MODE_OBJ_SETPROPERTY DRM_IOWR(0xBA, struct drm_mode_obj_set_property) ++#define DRM_IOCTL_MODE_CURSOR2 DRM_IOWR(0xBB, struct drm_mode_cursor2) + + /** + * Device specific ioctls should only be in their respective headers +diff --git a/include/uapi/drm/drm_mode.h b/include/uapi/drm/drm_mode.h +index 090e533..53db7ce 100644 +--- a/include/uapi/drm/drm_mode.h ++++ b/include/uapi/drm/drm_mode.h +@@ -388,6 +388,19 @@ struct drm_mode_cursor { + __u32 handle; + }; + ++struct drm_mode_cursor2 { ++ __u32 flags; ++ __u32 crtc_id; ++ __s32 x; ++ __s32 y; ++ __u32 width; ++ __u32 height; ++ /* driver specific handle */ ++ __u32 handle; ++ __s32 hot_x; ++ __s32 hot_y; ++}; ++ + struct drm_mode_crtc_lut { + __u32 crtc_id; + __u32 gamma_size; diff --git a/kernel.spec b/kernel.spec index 17746d51b..93077054f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -672,6 +672,7 @@ Patch1700: drm-ttm-exports-for-qxl.patch Patch1701: drm-qxl-driver.patch Patch1702: drm-qxl-backport-fixes.patch Patch1703: drm-qxl-access-fix.patch +Patch1704: drm-qxl-cursor-and-dynamic-resize-fixes.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -1437,6 +1438,7 @@ ApplyPatch drm-ttm-exports-for-qxl.patch ApplyPatch drm-qxl-driver.patch ApplyPatch drm-qxl-backport-fixes.patch ApplyPatch drm-qxl-access-fix.patch +ApplyPatch drm-qxl-cursor-and-dynamic-resize-fixes.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -2367,6 +2369,9 @@ fi # and build. %changelog +* Mon Jul 01 2013 Dave Airlie +- kernel portion of qxl cursor and dynamic resize fixes. + * Fri Jun 28 2013 Peter Robinson - Only enable ARM A15 errata on the LPAE kernel as it breaks A8 From 81f5f8b098f1c6e105d9a34387d4468981276d2d Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Wed, 3 Jul 2013 01:08:56 -0400 Subject: [PATCH 144/468] fixup QXL driver patches to make it easier to rebase - add qxl driver dynamic resize + multiple heads support --- drm-hotspot-cursor-backport.patch | 164 +++++ drm-qxl-3.10-rc7-diff.patch | 593 ++++++++++++++++++ drm-qxl-backport-fixes.patch | 154 ----- drm-qxl-cursor-and-dynamic-resize-fixes.patch | 263 -------- drm-qxl-post-3.10-feature-fixes.patch | 517 +++++++++++++++ kernel.spec | 18 +- 6 files changed, 1286 insertions(+), 423 deletions(-) create mode 100644 drm-hotspot-cursor-backport.patch create mode 100644 drm-qxl-3.10-rc7-diff.patch delete mode 100644 drm-qxl-backport-fixes.patch delete mode 100644 drm-qxl-cursor-and-dynamic-resize-fixes.patch create mode 100644 drm-qxl-post-3.10-feature-fixes.patch diff --git a/drm-hotspot-cursor-backport.patch b/drm-hotspot-cursor-backport.patch new file mode 100644 index 000000000..f3dc82042 --- /dev/null +++ b/drm-hotspot-cursor-backport.patch @@ -0,0 +1,164 @@ +From f2a2b3496b6024a5df546f0aedd60705b896a464 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 20 Jun 2013 11:48:52 +1000 +Subject: [PATCH 2/5] drm: add hotspot support for cursors. + +So it looks like for virtual hw cursors on QXL we need to inform +the "hw" device what the cursor hotspot parameters are. This +makes sense if you think the host has to draw the cursor and interpret +clicks from it. However the current modesetting interface doesn't support +passing the hotspot information from userspace. + +This implements a new cursor ioctl, that takes the hotspot info as well, +userspace can try calling the new interface and if it gets -ENOSYS it means +its on an older kernel and can just fallback. + +Reviewed-by: Daniel Vetter +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/drm_crtc.c | 35 +++++++++++++++++++++++++++++------ + drivers/gpu/drm/drm_drv.c | 1 + + include/drm/drm_crtc.h | 5 +++++ + include/uapi/drm/drm.h | 1 + + include/uapi/drm/drm_mode.h | 13 +++++++++++++ + 5 files changed, 49 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c +index dd64a06..21e71a8 100644 +--- a/drivers/gpu/drm/drm_crtc.c ++++ b/drivers/gpu/drm/drm_crtc.c +@@ -2202,10 +2202,10 @@ out: + return ret; + } + +-int drm_mode_cursor_ioctl(struct drm_device *dev, +- void *data, struct drm_file *file_priv) ++static int drm_mode_cursor_common(struct drm_device *dev, ++ struct drm_mode_cursor2 *req, ++ struct drm_file *file_priv) + { +- struct drm_mode_cursor *req = data; + struct drm_mode_object *obj; + struct drm_crtc *crtc; + int ret = 0; +@@ -2225,13 +2225,17 @@ int drm_mode_cursor_ioctl(struct drm_device *dev, + + mutex_lock(&crtc->mutex); + if (req->flags & DRM_MODE_CURSOR_BO) { +- if (!crtc->funcs->cursor_set) { ++ if (!crtc->funcs->cursor_set && !crtc->funcs->cursor_set2) { + ret = -ENXIO; + goto out; + } + /* Turns off the cursor if handle is 0 */ +- ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, +- req->width, req->height); ++ if (crtc->funcs->cursor_set2) ++ ret = crtc->funcs->cursor_set2(crtc, file_priv, req->handle, ++ req->width, req->height, req->hot_x, req->hot_y); ++ else ++ ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, ++ req->width, req->height); + } + + if (req->flags & DRM_MODE_CURSOR_MOVE) { +@@ -2246,6 +2250,25 @@ out: + mutex_unlock(&crtc->mutex); + + return ret; ++ ++} ++int drm_mode_cursor_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv) ++{ ++ struct drm_mode_cursor *req = data; ++ struct drm_mode_cursor2 new_req; ++ ++ memcpy(&new_req, req, sizeof(struct drm_mode_cursor)); ++ new_req.hot_x = new_req.hot_y = 0; ++ ++ return drm_mode_cursor_common(dev, &new_req, file_priv); ++} ++ ++int drm_mode_cursor2_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv) ++{ ++ struct drm_mode_cursor2 *req = data; ++ return drm_mode_cursor_common(dev, req, file_priv); + } + + /* Original addfb only supported RGB formats, so figure out which one */ +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 25f91cd..cb4470b 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -166,6 +166,7 @@ static struct drm_ioctl_desc drm_ioctls[] = { + DRM_IOCTL_DEF(DRM_IOCTL_MODE_DESTROY_DUMB, drm_mode_destroy_dumb_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), + DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_GETPROPERTIES, drm_mode_obj_get_properties_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), + DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_SETPROPERTY, drm_mode_obj_set_property_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), ++ DRM_IOCTL_DEF(DRM_IOCTL_MODE_CURSOR2, drm_mode_cursor2_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), + }; + + #define DRM_CORE_IOCTL_COUNT ARRAY_SIZE( drm_ioctls ) +diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h +index e3e0d65..eba931b 100644 +--- a/include/drm/drm_crtc.h ++++ b/include/drm/drm_crtc.h +@@ -339,6 +339,9 @@ struct drm_crtc_funcs { + /* cursor controls */ + int (*cursor_set)(struct drm_crtc *crtc, struct drm_file *file_priv, + uint32_t handle, uint32_t width, uint32_t height); ++ int (*cursor_set2)(struct drm_crtc *crtc, struct drm_file *file_priv, ++ uint32_t handle, uint32_t width, uint32_t height, ++ int32_t hot_x, int32_t hot_y); + int (*cursor_move)(struct drm_crtc *crtc, int x, int y); + + /* Set gamma on the CRTC */ +@@ -1025,6 +1028,8 @@ extern int drm_mode_setplane(struct drm_device *dev, + void *data, struct drm_file *file_priv); + extern int drm_mode_cursor_ioctl(struct drm_device *dev, + void *data, struct drm_file *file_priv); ++extern int drm_mode_cursor2_ioctl(struct drm_device *dev, ++ void *data, struct drm_file *file_priv); + extern int drm_mode_addfb(struct drm_device *dev, + void *data, struct drm_file *file_priv); + extern int drm_mode_addfb2(struct drm_device *dev, +diff --git a/include/uapi/drm/drm.h b/include/uapi/drm/drm.h +index 8d1e2bb..5182a2d 100644 +--- a/include/uapi/drm/drm.h ++++ b/include/uapi/drm/drm.h +@@ -732,6 +732,7 @@ struct drm_prime_handle { + #define DRM_IOCTL_MODE_ADDFB2 DRM_IOWR(0xB8, struct drm_mode_fb_cmd2) + #define DRM_IOCTL_MODE_OBJ_GETPROPERTIES DRM_IOWR(0xB9, struct drm_mode_obj_get_properties) + #define DRM_IOCTL_MODE_OBJ_SETPROPERTY DRM_IOWR(0xBA, struct drm_mode_obj_set_property) ++#define DRM_IOCTL_MODE_CURSOR2 DRM_IOWR(0xBB, struct drm_mode_cursor2) + + /** + * Device specific ioctls should only be in their respective headers +diff --git a/include/uapi/drm/drm_mode.h b/include/uapi/drm/drm_mode.h +index 3d6301b..ecde539 100644 +--- a/include/uapi/drm/drm_mode.h ++++ b/include/uapi/drm/drm_mode.h +@@ -388,6 +388,19 @@ struct drm_mode_cursor { + __u32 handle; + }; + ++struct drm_mode_cursor2 { ++ __u32 flags; ++ __u32 crtc_id; ++ __s32 x; ++ __s32 y; ++ __u32 width; ++ __u32 height; ++ /* driver specific handle */ ++ __u32 handle; ++ __s32 hot_x; ++ __s32 hot_y; ++}; ++ + struct drm_mode_crtc_lut { + __u32 crtc_id; + __u32 gamma_size; +-- +1.8.3.1 + diff --git a/drm-qxl-3.10-rc7-diff.patch b/drm-qxl-3.10-rc7-diff.patch new file mode 100644 index 000000000..3aa53f60d --- /dev/null +++ b/drm-qxl-3.10-rc7-diff.patch @@ -0,0 +1,593 @@ +From be71369a5b4297776fb9988e6274595136294588 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Tue, 16 Apr 2013 13:24:25 +1000 +Subject: [PATCH 4/5] drm/qxl 3.10-rc7 diff + +drm/qxl: make lots of things static. +drm/qxl: fix smatch warnings +drm/qxl: fix build with debugfs turned off. +drivers, drm: fix qxl build error when debugfs is disabled +drm/qxl: fix ioport interactions for kernel submitted commands. +qxl: drop unused variable. +drm/qxl: drop active_user_framebuffer as its unneeded +qxl: fix bug with object eviction and update area +qxl: fix Kconfig deps - select FB_DEFERRED_IO +drm/qxl: fix build warnings on 32-bit + +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/qxl/Kconfig | 1 + + drivers/gpu/drm/qxl/qxl_cmd.c | 52 +++++++++++++++++---------------------- + drivers/gpu/drm/qxl/qxl_debugfs.c | 6 +++++ + drivers/gpu/drm/qxl/qxl_display.c | 36 +++++++++++---------------- + drivers/gpu/drm/qxl/qxl_drv.c | 2 +- + drivers/gpu/drm/qxl/qxl_drv.h | 7 ------ + drivers/gpu/drm/qxl/qxl_fb.c | 2 +- + drivers/gpu/drm/qxl/qxl_gem.c | 29 ---------------------- + drivers/gpu/drm/qxl/qxl_ioctl.c | 29 +++++++++++----------- + drivers/gpu/drm/qxl/qxl_kms.c | 11 +++++---- + drivers/gpu/drm/qxl/qxl_object.c | 6 ++--- + drivers/gpu/drm/qxl/qxl_release.c | 4 +-- + drivers/gpu/drm/qxl/qxl_ttm.c | 10 +++++--- + 13 files changed, 78 insertions(+), 117 deletions(-) + +diff --git a/drivers/gpu/drm/qxl/Kconfig b/drivers/gpu/drm/qxl/Kconfig +index 2f1a57e..d6c1279 100644 +--- a/drivers/gpu/drm/qxl/Kconfig ++++ b/drivers/gpu/drm/qxl/Kconfig +@@ -4,6 +4,7 @@ config DRM_QXL + select FB_SYS_FILLRECT + select FB_SYS_COPYAREA + select FB_SYS_IMAGEBLIT ++ select FB_DEFERRED_IO + select DRM_KMS_HELPER + select DRM_TTM + help +diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c +index 804b411..02befd9 100644 +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -144,8 +144,8 @@ int qxl_ring_push(struct qxl_ring *ring, + return 0; + } + +-bool qxl_ring_pop(struct qxl_ring *ring, +- void *element) ++static bool qxl_ring_pop(struct qxl_ring *ring, ++ void *element) + { + volatile struct qxl_ring_header *header = &(ring->ring->header); + volatile uint8_t *ring_elt; +@@ -169,23 +169,6 @@ bool qxl_ring_pop(struct qxl_ring *ring, + return true; + } + +-void qxl_ring_wait_idle(struct qxl_ring *ring) +-{ +- struct qxl_ring_header *header = &(ring->ring->header); +- unsigned long flags; +- +- spin_lock_irqsave(&ring->lock, flags); +- if (ring->ring->header.cons < ring->ring->header.prod) { +- header->notify_on_cons = header->prod; +- mb(); +- spin_unlock_irqrestore(&ring->lock, flags); +- wait_event_interruptible(*ring->push_event, +- qxl_check_idle(ring)); +- spin_lock_irqsave(&ring->lock, flags); +- } +- spin_unlock_irqrestore(&ring->lock, flags); +-} +- + int + qxl_push_command_ring_release(struct qxl_device *qdev, struct qxl_release *release, + uint32_t type, bool interruptible) +@@ -294,7 +277,7 @@ out_unref: + return 0; + } + +-static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) ++static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port, bool intr) + { + int irq_num; + long addr = qdev->io_base + port; +@@ -302,20 +285,29 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) + + mutex_lock(&qdev->async_io_mutex); + irq_num = atomic_read(&qdev->irq_received_io_cmd); +- +- + if (qdev->last_sent_io_cmd > irq_num) { +- ret = wait_event_interruptible(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num); +- if (ret) ++ if (intr) ++ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ else ++ ret = wait_event_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ /* 0 is timeout, just bail the "hw" has gone away */ ++ if (ret <= 0) + goto out; + irq_num = atomic_read(&qdev->irq_received_io_cmd); + } + outb(val, addr); + qdev->last_sent_io_cmd = irq_num + 1; +- ret = wait_event_interruptible(qdev->io_cmd_event, +- atomic_read(&qdev->irq_received_io_cmd) > irq_num); ++ if (intr) ++ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); ++ else ++ ret = wait_event_timeout(qdev->io_cmd_event, ++ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); + out: ++ if (ret > 0) ++ ret = 0; + mutex_unlock(&qdev->async_io_mutex); + return ret; + } +@@ -325,7 +317,7 @@ static void wait_for_io_cmd(struct qxl_device *qdev, uint8_t val, long port) + int ret; + + restart: +- ret = wait_for_io_cmd_user(qdev, val, port); ++ ret = wait_for_io_cmd_user(qdev, val, port, false); + if (ret == -ERESTARTSYS) + goto restart; + } +@@ -357,7 +349,7 @@ int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, + mutex_lock(&qdev->update_area_mutex); + qdev->ram_header->update_area = *area; + qdev->ram_header->update_surface = surface_id; +- ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC); ++ ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC, true); + mutex_unlock(&qdev->update_area_mutex); + return ret; + } +@@ -609,7 +601,7 @@ retry: + return ret; + } + +-void qxl_surface_evict_locked(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) ++static void qxl_surface_evict_locked(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) + { + /* no need to update area if we are just freeing the surface normally */ + if (do_update_area) +diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c +index c630152..c3c2bbd 100644 +--- a/drivers/gpu/drm/qxl/qxl_debugfs.c ++++ b/drivers/gpu/drm/qxl/qxl_debugfs.c +@@ -35,6 +35,7 @@ + #include "qxl_object.h" + + ++#if defined(CONFIG_DEBUG_FS) + static int + qxl_debugfs_irq_received(struct seq_file *m, void *data) + { +@@ -69,20 +70,25 @@ static struct drm_info_list qxl_debugfs_list[] = { + { "qxl_buffers", qxl_debugfs_buffers_info, 0, NULL }, + }; + #define QXL_DEBUGFS_ENTRIES ARRAY_SIZE(qxl_debugfs_list) ++#endif + + int + qxl_debugfs_init(struct drm_minor *minor) + { ++#if defined(CONFIG_DEBUG_FS) + drm_debugfs_create_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, + minor->debugfs_root, minor); ++#endif + return 0; + } + + void + qxl_debugfs_takedown(struct drm_minor *minor) + { ++#if defined(CONFIG_DEBUG_FS) + drm_debugfs_remove_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, + minor); ++#endif + } + + int qxl_debugfs_add_files(struct qxl_device *qdev, +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index c80ddfe..823d29e 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -84,6 +84,7 @@ void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) + if (qdev->client_monitors_config && + count > qdev->client_monitors_config->count) { + kfree(qdev->client_monitors_config); ++ qdev->client_monitors_config = NULL; + } + if (!qdev->client_monitors_config) { + qdev->client_monitors_config = kzalloc( +@@ -413,11 +414,11 @@ static void qxl_user_framebuffer_destroy(struct drm_framebuffer *fb) + kfree(qxl_fb); + } + +-int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, +- struct drm_file *file_priv, +- unsigned flags, unsigned color, +- struct drm_clip_rect *clips, +- unsigned num_clips) ++static int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, ++ struct drm_file *file_priv, ++ unsigned flags, unsigned color, ++ struct drm_clip_rect *clips, ++ unsigned num_clips) + { + /* TODO: vmwgfx where this was cribbed from had locking. Why? */ + struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb); +@@ -427,10 +428,10 @@ int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, + int inc = 1; + + qobj = gem_to_qxl_bo(qxl_fb->obj); +- if (qxl_fb != qdev->active_user_framebuffer) { +- DRM_INFO("%s: qxl_fb 0x%p != qdev->active_user_framebuffer 0x%p\n", +- __func__, qxl_fb, qdev->active_user_framebuffer); +- } ++ /* if we aren't primary surface ignore this */ ++ if (!qobj->is_primary) ++ return 0; ++ + if (!num_clips) { + num_clips = 1; + clips = &norect; +@@ -603,7 +604,6 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + mode->hdisplay, + mode->vdisplay); + } +- qdev->mode_set = true; + return 0; + } + +@@ -619,7 +619,7 @@ static void qxl_crtc_commit(struct drm_crtc *crtc) + DRM_DEBUG("\n"); + } + +-void qxl_crtc_load_lut(struct drm_crtc *crtc) ++static void qxl_crtc_load_lut(struct drm_crtc *crtc) + { + DRM_DEBUG("\n"); + } +@@ -633,7 +633,7 @@ static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { + .load_lut = qxl_crtc_load_lut, + }; + +-int qdev_crtc_init(struct drm_device *dev, int num_crtc) ++static int qdev_crtc_init(struct drm_device *dev, int num_crtc) + { + struct qxl_crtc *qxl_crtc; + +@@ -764,7 +764,7 @@ static int qxl_conn_mode_valid(struct drm_connector *connector, + return MODE_OK; + } + +-struct drm_encoder *qxl_best_encoder(struct drm_connector *connector) ++static struct drm_encoder *qxl_best_encoder(struct drm_connector *connector) + { + struct qxl_output *qxl_output = + drm_connector_to_qxl_output(connector); +@@ -855,7 +855,7 @@ static const struct drm_encoder_funcs qxl_enc_funcs = { + .destroy = qxl_enc_destroy, + }; + +-int qdev_output_init(struct drm_device *dev, int num_output) ++static int qdev_output_init(struct drm_device *dev, int num_output) + { + struct qxl_output *qxl_output; + struct drm_connector *connector; +@@ -892,7 +892,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, + { + struct drm_gem_object *obj; + struct qxl_framebuffer *qxl_fb; +- struct qxl_device *qdev = dev->dev_private; + int ret; + + obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]); +@@ -908,13 +907,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, + return NULL; + } + +- if (qdev->active_user_framebuffer) { +- DRM_INFO("%s: active_user_framebuffer %p -> %p\n", +- __func__, +- qdev->active_user_framebuffer, qxl_fb); +- } +- qdev->active_user_framebuffer = qxl_fb; +- + return &qxl_fb->base; + } + +diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c +index d337da0..aa291d8 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.c ++++ b/drivers/gpu/drm/qxl/qxl_drv.c +@@ -46,7 +46,7 @@ static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { + }; + MODULE_DEVICE_TABLE(pci, pciidlist); + +-int qxl_modeset = -1; ++static int qxl_modeset = -1; + + MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); + module_param_named(modeset, qxl_modeset, int, 0400); +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 52b582c..43d06ab 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -255,12 +255,6 @@ struct qxl_device { + struct qxl_gem gem; + struct qxl_mode_info mode_info; + +- /* +- * last created framebuffer with fb_create +- * only used by debugfs dumbppm +- */ +- struct qxl_framebuffer *active_user_framebuffer; +- + struct fb_info *fbdev_info; + struct qxl_framebuffer *fbdev_qfb; + void *ram_physical; +@@ -270,7 +264,6 @@ struct qxl_device { + struct qxl_ring *cursor_ring; + + struct qxl_ram_header *ram_header; +- bool mode_set; + + bool primary_created; + +diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c +index 232b52b..b3c5127 100644 +--- a/drivers/gpu/drm/qxl/qxl_fb.c ++++ b/drivers/gpu/drm/qxl/qxl_fb.c +@@ -159,7 +159,7 @@ static void qxl_deferred_io(struct fb_info *info, + }; + + +-struct fb_deferred_io qxl_defio = { ++static struct fb_deferred_io qxl_defio = { + .delay = QXL_DIRTY_DELAY, + .deferred_io = qxl_deferred_io, + }; +diff --git a/drivers/gpu/drm/qxl/qxl_gem.c b/drivers/gpu/drm/qxl/qxl_gem.c +index adc1ee2..a235693 100644 +--- a/drivers/gpu/drm/qxl/qxl_gem.c ++++ b/drivers/gpu/drm/qxl/qxl_gem.c +@@ -127,35 +127,6 @@ void qxl_gem_object_unpin(struct drm_gem_object *obj) + } + } + +-int qxl_gem_set_domain(struct drm_gem_object *gobj, +- uint32_t rdomain, uint32_t wdomain) +-{ +- struct qxl_bo *qobj; +- uint32_t domain; +- int r; +- +- /* FIXME: reeimplement */ +- qobj = gobj->driver_private; +- /* work out where to validate the buffer to */ +- domain = wdomain; +- if (!domain) +- domain = rdomain; +- if (!domain) { +- /* Do nothings */ +- pr_warn("Set domain withou domain !\n"); +- return 0; +- } +- if (domain == QXL_GEM_DOMAIN_CPU) { +- /* Asking for cpu access wait for object idle */ +- r = qxl_bo_wait(qobj, NULL, false); +- if (r) { +- pr_err("Failed to wait for object !\n"); +- return r; +- } +- } +- return 0; +-} +- + int qxl_gem_object_open(struct drm_gem_object *obj, struct drm_file *file_priv) + { + return 0; +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index 83ca4f7..a4b71b2 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -30,8 +30,8 @@ + * TODO: allocating a new gem(in qxl_bo) for each request. + * This is wasteful since bo's are page aligned. + */ +-int qxl_alloc_ioctl(struct drm_device *dev, void *data, +- struct drm_file *file_priv) ++static int qxl_alloc_ioctl(struct drm_device *dev, void *data, ++ struct drm_file *file_priv) + { + struct qxl_device *qdev = dev->dev_private; + struct drm_qxl_alloc *qxl_alloc = data; +@@ -58,8 +58,8 @@ int qxl_alloc_ioctl(struct drm_device *dev, void *data, + return 0; + } + +-int qxl_map_ioctl(struct drm_device *dev, void *data, +- struct drm_file *file_priv) ++static int qxl_map_ioctl(struct drm_device *dev, void *data, ++ struct drm_file *file_priv) + { + struct qxl_device *qdev = dev->dev_private; + struct drm_qxl_map *qxl_map = data; +@@ -101,9 +101,9 @@ apply_surf_reloc(struct qxl_device *qdev, struct qxl_bo *dst, uint64_t dst_off, + } + + /* return holding the reference to this object */ +-struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, +- struct drm_file *file_priv, uint64_t handle, +- struct qxl_reloc_list *reloc_list) ++static struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, ++ struct drm_file *file_priv, uint64_t handle, ++ struct qxl_reloc_list *reloc_list) + { + struct drm_gem_object *gobj; + struct qxl_bo *qobj; +@@ -129,8 +129,8 @@ struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, + * However, the command as passed from user space must *not* contain the initial + * QXLReleaseInfo struct (first XXX bytes) + */ +-int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, +- struct drm_file *file_priv) ++static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, ++ struct drm_file *file_priv) + { + struct qxl_device *qdev = dev->dev_private; + struct drm_qxl_execbuffer *execbuffer = data; +@@ -151,7 +151,7 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + struct qxl_bo *cmd_bo; + int release_type; + struct drm_qxl_command *commands = +- (struct drm_qxl_command *)execbuffer->commands; ++ (struct drm_qxl_command *)(uintptr_t)execbuffer->commands; + + if (DRM_COPY_FROM_USER(&user_cmd, &commands[cmd_num], + sizeof(user_cmd))) +@@ -193,7 +193,7 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + + for (i = 0 ; i < user_cmd.relocs_num; ++i) { + if (DRM_COPY_FROM_USER(&reloc, +- &((struct drm_qxl_reloc *)user_cmd.relocs)[i], ++ &((struct drm_qxl_reloc *)(uintptr_t)user_cmd.relocs)[i], + sizeof(reloc))) { + qxl_bo_list_unreserve(&reloc_list, true); + qxl_release_unreserve(qdev, release); +@@ -266,8 +266,8 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + return 0; + } + +-int qxl_update_area_ioctl(struct drm_device *dev, void *data, +- struct drm_file *file) ++static int qxl_update_area_ioctl(struct drm_device *dev, void *data, ++ struct drm_file *file) + { + struct qxl_device *qdev = dev->dev_private; + struct drm_qxl_update_area *update_area = data; +@@ -294,6 +294,7 @@ int qxl_update_area_ioctl(struct drm_device *dev, void *data, + goto out; + + if (!qobj->pin_count) { ++ qxl_ttm_placement_from_domain(qobj, qobj->type); + ret = ttm_bo_validate(&qobj->tbo, &qobj->placement, + true, false); + if (unlikely(ret)) +@@ -347,7 +348,7 @@ static int qxl_clientcap_ioctl(struct drm_device *dev, void *data, + if (qdev->pdev->revision < 4) + return -ENOSYS; + +- if (byte > 58) ++ if (byte >= 58) + return -ENOSYS; + + if (qdev->rom->client_capabilities[byte] & (1 << idx)) +diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c +index 036e0de..e27ce2a 100644 +--- a/drivers/gpu/drm/qxl/qxl_kms.c ++++ b/drivers/gpu/drm/qxl/qxl_kms.c +@@ -128,12 +128,13 @@ int qxl_device_init(struct qxl_device *qdev, + + qdev->vram_mapping = io_mapping_create_wc(qdev->vram_base, pci_resource_len(pdev, 0)); + qdev->surface_mapping = io_mapping_create_wc(qdev->surfaceram_base, qdev->surfaceram_size); +- DRM_DEBUG_KMS("qxl: vram %p-%p(%dM %dk), surface %p-%p(%dM %dk)\n", +- (void *)qdev->vram_base, (void *)pci_resource_end(pdev, 0), ++ DRM_DEBUG_KMS("qxl: vram %llx-%llx(%dM %dk), surface %llx-%llx(%dM %dk)\n", ++ (unsigned long long)qdev->vram_base, ++ (unsigned long long)pci_resource_end(pdev, 0), + (int)pci_resource_len(pdev, 0) / 1024 / 1024, + (int)pci_resource_len(pdev, 0) / 1024, +- (void *)qdev->surfaceram_base, +- (void *)pci_resource_end(pdev, 1), ++ (unsigned long long)qdev->surfaceram_base, ++ (unsigned long long)pci_resource_end(pdev, 1), + (int)qdev->surfaceram_size / 1024 / 1024, + (int)qdev->surfaceram_size / 1024); + +@@ -230,7 +231,7 @@ int qxl_device_init(struct qxl_device *qdev, + return 0; + } + +-void qxl_device_fini(struct qxl_device *qdev) ++static void qxl_device_fini(struct qxl_device *qdev) + { + if (qdev->current_release_bo[0]) + qxl_bo_unref(&qdev->current_release_bo[0]); +diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c +index 51efb94..d9b12e7 100644 +--- a/drivers/gpu/drm/qxl/qxl_object.c ++++ b/drivers/gpu/drm/qxl/qxl_object.c +@@ -59,11 +59,11 @@ void qxl_ttm_placement_from_domain(struct qxl_bo *qbo, u32 domain) + qbo->placement.lpfn = 0; + qbo->placement.placement = qbo->placements; + qbo->placement.busy_placement = qbo->placements; +- if (domain & QXL_GEM_DOMAIN_VRAM) ++ if (domain == QXL_GEM_DOMAIN_VRAM) + qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_VRAM; +- if (domain & QXL_GEM_DOMAIN_SURFACE) ++ if (domain == QXL_GEM_DOMAIN_SURFACE) + qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_PRIV0; +- if (domain & QXL_GEM_DOMAIN_CPU) ++ if (domain == QXL_GEM_DOMAIN_CPU) + qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; + if (!c) + qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; +diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c +index 1600781..c4267c7 100644 +--- a/drivers/gpu/drm/qxl/qxl_release.c ++++ b/drivers/gpu/drm/qxl/qxl_release.c +@@ -117,8 +117,8 @@ qxl_release_add_res(struct qxl_device *qdev, struct qxl_release *release, + release->bos[release->bo_count++] = qxl_bo_ref(bo); + } + +-int qxl_release_bo_alloc(struct qxl_device *qdev, +- struct qxl_bo **bo) ++static int qxl_release_bo_alloc(struct qxl_device *qdev, ++ struct qxl_bo **bo) + { + int ret; + ret = qxl_bo_create(qdev, PAGE_SIZE, false, QXL_GEM_DOMAIN_VRAM, NULL, +diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c +index aa9fb9a..489cb8c 100644 +--- a/drivers/gpu/drm/qxl/qxl_ttm.c ++++ b/drivers/gpu/drm/qxl/qxl_ttm.c +@@ -315,9 +315,9 @@ static void qxl_ttm_tt_unpopulate(struct ttm_tt *ttm) + ttm_pool_unpopulate(ttm); + } + +-struct ttm_tt *qxl_ttm_tt_create(struct ttm_bo_device *bdev, +- unsigned long size, uint32_t page_flags, +- struct page *dummy_read_page) ++static struct ttm_tt *qxl_ttm_tt_create(struct ttm_bo_device *bdev, ++ unsigned long size, uint32_t page_flags, ++ struct page *dummy_read_page) + { + struct qxl_device *qdev; + struct qxl_ttm_tt *gtt; +@@ -555,6 +555,7 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data) + + static int qxl_ttm_debugfs_init(struct qxl_device *qdev) + { ++#if defined(CONFIG_DEBUG_FS) + static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES]; + static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32]; + unsigned i; +@@ -574,4 +575,7 @@ static int qxl_ttm_debugfs_init(struct qxl_device *qdev) + + } + return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i); ++#else ++ return 0; ++#endif + } +-- +1.8.3.1 + diff --git a/drm-qxl-backport-fixes.patch b/drm-qxl-backport-fixes.patch deleted file mode 100644 index 0979f2509..000000000 --- a/drm-qxl-backport-fixes.patch +++ /dev/null @@ -1,154 +0,0 @@ -diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c -index 08b0823..f867714 100644 ---- a/drivers/gpu/drm/qxl/qxl_cmd.c -+++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -277,7 +277,7 @@ out_unref: - return 0; - } - --static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) -+static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port, bool intr) - { - int irq_num; - long addr = qdev->io_base + port; -@@ -285,20 +285,29 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) - - mutex_lock(&qdev->async_io_mutex); - irq_num = atomic_read(&qdev->irq_received_io_cmd); -- -- - if (qdev->last_sent_io_cmd > irq_num) { -- ret = wait_event_interruptible(qdev->io_cmd_event, -- atomic_read(&qdev->irq_received_io_cmd) > irq_num); -- if (ret) -+ if (intr) -+ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ else -+ ret = wait_event_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ /* 0 is timeout, just bail the "hw" has gone away */ -+ if (ret <= 0) - goto out; - irq_num = atomic_read(&qdev->irq_received_io_cmd); - } - outb(val, addr); - qdev->last_sent_io_cmd = irq_num + 1; -- ret = wait_event_interruptible(qdev->io_cmd_event, -- atomic_read(&qdev->irq_received_io_cmd) > irq_num); -+ if (intr) -+ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ else -+ ret = wait_event_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); - out: -+ if (ret > 0) -+ ret = 0; - mutex_unlock(&qdev->async_io_mutex); - return ret; - } -@@ -308,7 +317,7 @@ static void wait_for_io_cmd(struct qxl_device *qdev, uint8_t val, long port) - int ret; - - restart: -- ret = wait_for_io_cmd_user(qdev, val, port); -+ ret = wait_for_io_cmd_user(qdev, val, port, false); - if (ret == -ERESTARTSYS) - goto restart; - } -@@ -340,7 +349,7 @@ int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, - mutex_lock(&qdev->update_area_mutex); - qdev->ram_header->update_area = *area; - qdev->ram_header->update_surface = surface_id; -- ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC); -+ ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC, true); - mutex_unlock(&qdev->update_area_mutex); - return ret; - } -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index fcfd443..823d29e 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -428,10 +428,10 @@ static int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, - int inc = 1; - - qobj = gem_to_qxl_bo(qxl_fb->obj); -- if (qxl_fb != qdev->active_user_framebuffer) { -- DRM_INFO("%s: qxl_fb 0x%p != qdev->active_user_framebuffer 0x%p\n", -- __func__, qxl_fb, qdev->active_user_framebuffer); -- } -+ /* if we aren't primary surface ignore this */ -+ if (!qobj->is_primary) -+ return 0; -+ - if (!num_clips) { - num_clips = 1; - clips = &norect; -@@ -604,7 +604,6 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - mode->hdisplay, - mode->vdisplay); - } -- qdev->mode_set = true; - return 0; - } - -@@ -893,7 +892,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, - { - struct drm_gem_object *obj; - struct qxl_framebuffer *qxl_fb; -- struct qxl_device *qdev = dev->dev_private; - int ret; - - obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]); -@@ -909,13 +907,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, - return NULL; - } - -- if (qdev->active_user_framebuffer) { -- DRM_INFO("%s: active_user_framebuffer %p -> %p\n", -- __func__, -- qdev->active_user_framebuffer, qxl_fb); -- } -- qdev->active_user_framebuffer = qxl_fb; -- - return &qxl_fb->base; - } - -diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h -index 52b582c..43d06ab 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.h -+++ b/drivers/gpu/drm/qxl/qxl_drv.h -@@ -255,12 +255,6 @@ struct qxl_device { - struct qxl_gem gem; - struct qxl_mode_info mode_info; - -- /* -- * last created framebuffer with fb_create -- * only used by debugfs dumbppm -- */ -- struct qxl_framebuffer *active_user_framebuffer; -- - struct fb_info *fbdev_info; - struct qxl_framebuffer *fbdev_qfb; - void *ram_physical; -@@ -270,7 +264,6 @@ struct qxl_device { - struct qxl_ring *cursor_ring; - - struct qxl_ram_header *ram_header; -- bool mode_set; - - bool primary_created; - -diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c -index 04b64f9..6db7370 100644 ---- a/drivers/gpu/drm/qxl/qxl_ioctl.c -+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c -@@ -294,6 +294,7 @@ static int qxl_update_area_ioctl(struct drm_device *dev, void *data, - goto out; - - if (!qobj->pin_count) { -+ qxl_ttm_placement_from_domain(qobj, qobj->type); - ret = ttm_bo_validate(&qobj->tbo, &qobj->placement, - true, false); - if (unlikely(ret)) diff --git a/drm-qxl-cursor-and-dynamic-resize-fixes.patch b/drm-qxl-cursor-and-dynamic-resize-fixes.patch deleted file mode 100644 index 08a79b7b5..000000000 --- a/drm-qxl-cursor-and-dynamic-resize-fixes.patch +++ /dev/null @@ -1,263 +0,0 @@ -diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index e7e9242..cc9eada 100644 ---- a/drivers/gpu/drm/drm_crtc.c -+++ b/drivers/gpu/drm/drm_crtc.c -@@ -2099,10 +2099,10 @@ out: - return ret; - } - --int drm_mode_cursor_ioctl(struct drm_device *dev, -- void *data, struct drm_file *file_priv) -+static int drm_mode_cursor_common(struct drm_device *dev, -+ struct drm_mode_cursor2 *req, -+ struct drm_file *file_priv) - { -- struct drm_mode_cursor *req = data; - struct drm_mode_object *obj; - struct drm_crtc *crtc; - int ret = 0; -@@ -2122,13 +2122,17 @@ int drm_mode_cursor_ioctl(struct drm_device *dev, - - mutex_lock(&crtc->mutex); - if (req->flags & DRM_MODE_CURSOR_BO) { -- if (!crtc->funcs->cursor_set) { -+ if (!crtc->funcs->cursor_set && !crtc->funcs->cursor_set2) { - ret = -ENXIO; - goto out; - } - /* Turns off the cursor if handle is 0 */ -- ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, -- req->width, req->height); -+ if (crtc->funcs->cursor_set2) -+ ret = crtc->funcs->cursor_set2(crtc, file_priv, req->handle, -+ req->width, req->height, req->hot_x, req->hot_y); -+ else -+ ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, -+ req->width, req->height); - } - - if (req->flags & DRM_MODE_CURSOR_MOVE) { -@@ -2143,6 +2147,25 @@ out: - mutex_unlock(&crtc->mutex); - - return ret; -+ -+} -+int drm_mode_cursor_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv) -+{ -+ struct drm_mode_cursor *req = data; -+ struct drm_mode_cursor2 new_req; -+ -+ memcpy(&new_req, req, sizeof(struct drm_mode_cursor)); -+ new_req.hot_x = new_req.hot_y = 0; -+ -+ return drm_mode_cursor_common(dev, &new_req, file_priv); -+} -+ -+int drm_mode_cursor2_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv) -+{ -+ struct drm_mode_cursor2 *req = data; -+ return drm_mode_cursor_common(dev, req, file_priv); - } - - /* Original addfb only supported RGB formats, so figure out which one */ -diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c -index 9cc247f..99fcd7c 100644 ---- a/drivers/gpu/drm/drm_drv.c -+++ b/drivers/gpu/drm/drm_drv.c -@@ -166,6 +166,7 @@ static const struct drm_ioctl_desc drm_ioctls[] = { - DRM_IOCTL_DEF(DRM_IOCTL_MODE_DESTROY_DUMB, drm_mode_destroy_dumb_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), - DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_GETPROPERTIES, drm_mode_obj_get_properties_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), - DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_SETPROPERTY, drm_mode_obj_set_property_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), -+ DRM_IOCTL_DEF(DRM_IOCTL_MODE_CURSOR2, drm_mode_cursor2_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), - }; - - #define DRM_CORE_IOCTL_COUNT ARRAY_SIZE( drm_ioctls ) -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index 823d29e..026a374 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -30,55 +30,6 @@ - #include "qxl_object.h" - #include "drm_crtc_helper.h" - --static void qxl_crtc_set_to_mode(struct qxl_device *qdev, -- struct drm_connector *connector, -- struct qxl_head *head) --{ -- struct drm_device *dev = connector->dev; -- struct drm_display_mode *mode, *t; -- int width = head->width; -- int height = head->height; -- -- if (width < 320 || height < 240) { -- qxl_io_log(qdev, "%s: bad head: %dx%d", width, height); -- width = 1024; -- height = 768; -- } -- if (width * height * 4 > 16*1024*1024) { -- width = 1024; -- height = 768; -- } -- /* TODO: go over regular modes and removed preferred? */ -- list_for_each_entry_safe(mode, t, &connector->probed_modes, head) -- drm_mode_remove(connector, mode); -- mode = drm_cvt_mode(dev, width, height, 60, false, false, false); -- mode->type |= DRM_MODE_TYPE_PREFERRED; -- mode->status = MODE_OK; -- drm_mode_probed_add(connector, mode); -- qxl_io_log(qdev, "%s: %d x %d\n", __func__, width, height); --} -- --void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev) --{ -- struct drm_connector *connector; -- int i; -- struct drm_device *dev = qdev->ddev; -- -- i = 0; -- qxl_io_log(qdev, "%s: %d, %d\n", __func__, -- dev->mode_config.num_connector, -- qdev->monitors_config->count); -- list_for_each_entry(connector, &dev->mode_config.connector_list, head) { -- if (i > qdev->monitors_config->count) { -- /* crtc will be reported as disabled */ -- continue; -- } -- qxl_crtc_set_to_mode(qdev, connector, -- &qdev->monitors_config->heads[i]); -- ++i; -- } --} -- - void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) - { - if (qdev->client_monitors_config && -@@ -117,8 +68,8 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) - return 1; - } - if (num_monitors > qdev->monitors_config->max_allowed) { -- DRM_INFO("client monitors list will be truncated: %d < %d\n", -- qdev->monitors_config->max_allowed, num_monitors); -+ DRM_DEBUG_KMS("client monitors list will be truncated: %d < %d\n", -+ qdev->monitors_config->max_allowed, num_monitors); - num_monitors = qdev->monitors_config->max_allowed; - } else { - num_monitors = qdev->rom->client_monitors_config.count; -@@ -142,7 +93,7 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) - client_head->surface_id = head->surface_id = 0; - client_head->id = head->id = i; - client_head->flags = head->flags = 0; -- QXL_DEBUG(qdev, "read %dx%d+%d+%d\n", head->width, head->height, -+ DRM_DEBUG_KMS("read %dx%d+%d+%d\n", head->width, head->height, - head->x, head->y); - } - return 0; -@@ -155,9 +106,6 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) - qxl_io_log(qdev, "failed crc check for client_monitors_config," - " retrying\n"); - } -- qxl_crtc_set_from_monitors_config(qdev); -- /* fire off a uevent and let userspace tell us what to do */ -- qxl_io_log(qdev, "calling drm_sysfs_hotplug_event\n"); - drm_sysfs_hotplug_event(qdev->ddev); - } - -@@ -255,11 +203,11 @@ qxl_hide_cursor(struct qxl_device *qdev) - qxl_release_unreserve(qdev, release); - } - --static int qxl_crtc_cursor_set(struct drm_crtc *crtc, -- struct drm_file *file_priv, -- uint32_t handle, -- uint32_t width, -- uint32_t height) -+static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, -+ struct drm_file *file_priv, -+ uint32_t handle, -+ uint32_t width, -+ uint32_t height, int32_t hot_x, int32_t hot_y) - { - struct drm_device *dev = crtc->dev; - struct qxl_device *qdev = dev->dev_private; -@@ -315,8 +263,8 @@ static int qxl_crtc_cursor_set(struct drm_crtc *crtc, - cursor->header.type = SPICE_CURSOR_TYPE_ALPHA; - cursor->header.width = 64; - cursor->header.height = 64; -- cursor->header.hot_spot_x = 0; -- cursor->header.hot_spot_y = 0; -+ cursor->header.hot_spot_x = hot_x; -+ cursor->header.hot_spot_y = hot_y; - cursor->data_size = size; - cursor->chunk.next_chunk = 0; - cursor->chunk.prev_chunk = 0; -@@ -397,7 +345,7 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, - - - static const struct drm_crtc_funcs qxl_crtc_funcs = { -- .cursor_set = qxl_crtc_cursor_set, -+ .cursor_set2 = qxl_crtc_cursor_set2, - .cursor_move = qxl_crtc_cursor_move, - .gamma_set = qxl_crtc_gamma_set, - .set_config = drm_crtc_helper_set_config, -diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h -index adb3f9b..093c030 100644 ---- a/include/drm/drm_crtc.h -+++ b/include/drm/drm_crtc.h -@@ -339,6 +339,9 @@ struct drm_crtc_funcs { - /* cursor controls */ - int (*cursor_set)(struct drm_crtc *crtc, struct drm_file *file_priv, - uint32_t handle, uint32_t width, uint32_t height); -+ int (*cursor_set2)(struct drm_crtc *crtc, struct drm_file *file_priv, -+ uint32_t handle, uint32_t width, uint32_t height, -+ int32_t hot_x, int32_t hot_y); - int (*cursor_move)(struct drm_crtc *crtc, int x, int y); - - /* Set gamma on the CRTC */ -@@ -1022,6 +1025,8 @@ extern int drm_mode_setplane(struct drm_device *dev, - void *data, struct drm_file *file_priv); - extern int drm_mode_cursor_ioctl(struct drm_device *dev, - void *data, struct drm_file *file_priv); -+extern int drm_mode_cursor2_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv); - extern int drm_mode_addfb(struct drm_device *dev, - void *data, struct drm_file *file_priv); - extern int drm_mode_addfb2(struct drm_device *dev, -diff --git a/include/uapi/drm/drm.h b/include/uapi/drm/drm.h -index 5a57be6..238a166 100644 ---- a/include/uapi/drm/drm.h -+++ b/include/uapi/drm/drm.h -@@ -732,6 +732,7 @@ struct drm_prime_handle { - #define DRM_IOCTL_MODE_ADDFB2 DRM_IOWR(0xB8, struct drm_mode_fb_cmd2) - #define DRM_IOCTL_MODE_OBJ_GETPROPERTIES DRM_IOWR(0xB9, struct drm_mode_obj_get_properties) - #define DRM_IOCTL_MODE_OBJ_SETPROPERTY DRM_IOWR(0xBA, struct drm_mode_obj_set_property) -+#define DRM_IOCTL_MODE_CURSOR2 DRM_IOWR(0xBB, struct drm_mode_cursor2) - - /** - * Device specific ioctls should only be in their respective headers -diff --git a/include/uapi/drm/drm_mode.h b/include/uapi/drm/drm_mode.h -index 090e533..53db7ce 100644 ---- a/include/uapi/drm/drm_mode.h -+++ b/include/uapi/drm/drm_mode.h -@@ -388,6 +388,19 @@ struct drm_mode_cursor { - __u32 handle; - }; - -+struct drm_mode_cursor2 { -+ __u32 flags; -+ __u32 crtc_id; -+ __s32 x; -+ __s32 y; -+ __u32 width; -+ __u32 height; -+ /* driver specific handle */ -+ __u32 handle; -+ __s32 hot_x; -+ __s32 hot_y; -+}; -+ - struct drm_mode_crtc_lut { - __u32 crtc_id; - __u32 gamma_size; diff --git a/drm-qxl-post-3.10-feature-fixes.patch b/drm-qxl-post-3.10-feature-fixes.patch new file mode 100644 index 000000000..cf747c4b2 --- /dev/null +++ b/drm-qxl-post-3.10-feature-fixes.patch @@ -0,0 +1,517 @@ +From cd402bae4566410f38780e1ce94248b92c3403c0 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Mon, 1 Jul 2013 14:14:38 +1000 +Subject: [PATCH 5/5] drm/qxl: post 3.10 feature fixes + +drm/qxl: make dynamic resizing work properly. +drm/qxl: add support for cursor hotspot. +drm/qxl: add support for > 1 output +drm/qxl: set time on drawables from userspace +--- + drivers/gpu/drm/qxl/qxl_cmd.c | 8 +- + drivers/gpu/drm/qxl/qxl_display.c | 187 ++++++++++++++++---------------------- + drivers/gpu/drm/qxl/qxl_drv.c | 4 + + drivers/gpu/drm/qxl/qxl_drv.h | 8 +- + drivers/gpu/drm/qxl/qxl_fb.c | 2 +- + drivers/gpu/drm/qxl/qxl_ioctl.c | 6 ++ + 6 files changed, 98 insertions(+), 117 deletions(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c +index 02befd9..0ec55e7 100644 +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -375,8 +375,8 @@ void qxl_io_destroy_primary(struct qxl_device *qdev) + wait_for_io_cmd(qdev, 0, QXL_IO_DESTROY_PRIMARY_ASYNC); + } + +-void qxl_io_create_primary(struct qxl_device *qdev, unsigned width, +- unsigned height, unsigned offset, struct qxl_bo *bo) ++void qxl_io_create_primary(struct qxl_device *qdev, ++ unsigned offset, struct qxl_bo *bo) + { + struct qxl_surface_create *create; + +@@ -384,8 +384,8 @@ void qxl_io_create_primary(struct qxl_device *qdev, unsigned width, + qdev->ram_header); + create = &qdev->ram_header->create_surface; + create->format = bo->surf.format; +- create->width = width; +- create->height = height; ++ create->width = bo->surf.width; ++ create->height = bo->surf.height; + create->stride = bo->surf.stride; + create->mem = qxl_bo_physical_address(qdev, bo, offset); + +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 823d29e..a127a97 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -30,53 +30,9 @@ + #include "qxl_object.h" + #include "drm_crtc_helper.h" + +-static void qxl_crtc_set_to_mode(struct qxl_device *qdev, +- struct drm_connector *connector, +- struct qxl_head *head) ++static bool qxl_head_enabled(struct qxl_head *head) + { +- struct drm_device *dev = connector->dev; +- struct drm_display_mode *mode, *t; +- int width = head->width; +- int height = head->height; +- +- if (width < 320 || height < 240) { +- qxl_io_log(qdev, "%s: bad head: %dx%d", width, height); +- width = 1024; +- height = 768; +- } +- if (width * height * 4 > 16*1024*1024) { +- width = 1024; +- height = 768; +- } +- /* TODO: go over regular modes and removed preferred? */ +- list_for_each_entry_safe(mode, t, &connector->probed_modes, head) +- drm_mode_remove(connector, mode); +- mode = drm_cvt_mode(dev, width, height, 60, false, false, false); +- mode->type |= DRM_MODE_TYPE_PREFERRED; +- mode->status = MODE_OK; +- drm_mode_probed_add(connector, mode); +- qxl_io_log(qdev, "%s: %d x %d\n", __func__, width, height); +-} +- +-void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev) +-{ +- struct drm_connector *connector; +- int i; +- struct drm_device *dev = qdev->ddev; +- +- i = 0; +- qxl_io_log(qdev, "%s: %d, %d\n", __func__, +- dev->mode_config.num_connector, +- qdev->monitors_config->count); +- list_for_each_entry(connector, &dev->mode_config.connector_list, head) { +- if (i > qdev->monitors_config->count) { +- /* crtc will be reported as disabled */ +- continue; +- } +- qxl_crtc_set_to_mode(qdev, connector, +- &qdev->monitors_config->heads[i]); +- ++i; +- } ++ return head->width && head->height; + } + + void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) +@@ -106,7 +62,6 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) + int num_monitors; + uint32_t crc; + +- BUG_ON(!qdev->monitors_config); + num_monitors = qdev->rom->client_monitors_config.count; + crc = crc32(0, (const uint8_t *)&qdev->rom->client_monitors_config, + sizeof(qdev->rom->client_monitors_config)); +@@ -117,8 +72,8 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) + return 1; + } + if (num_monitors > qdev->monitors_config->max_allowed) { +- DRM_INFO("client monitors list will be truncated: %d < %d\n", +- qdev->monitors_config->max_allowed, num_monitors); ++ DRM_DEBUG_KMS("client monitors list will be truncated: %d < %d\n", ++ qdev->monitors_config->max_allowed, num_monitors); + num_monitors = qdev->monitors_config->max_allowed; + } else { + num_monitors = qdev->rom->client_monitors_config.count; +@@ -132,18 +87,15 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) + &qdev->rom->client_monitors_config.heads[i]; + struct qxl_head *client_head = + &qdev->client_monitors_config->heads[i]; +- struct qxl_head *head = &qdev->monitors_config->heads[i]; +- client_head->x = head->x = c_rect->left; +- client_head->y = head->y = c_rect->top; +- client_head->width = head->width = +- c_rect->right - c_rect->left; +- client_head->height = head->height = +- c_rect->bottom - c_rect->top; +- client_head->surface_id = head->surface_id = 0; +- client_head->id = head->id = i; +- client_head->flags = head->flags = 0; +- QXL_DEBUG(qdev, "read %dx%d+%d+%d\n", head->width, head->height, +- head->x, head->y); ++ client_head->x = c_rect->left; ++ client_head->y = c_rect->top; ++ client_head->width = c_rect->right - c_rect->left; ++ client_head->height = c_rect->bottom - c_rect->top; ++ client_head->surface_id = 0; ++ client_head->id = i; ++ client_head->flags = 0; ++ DRM_DEBUG_KMS("read %dx%d+%d+%d\n", client_head->width, client_head->height, ++ client_head->x, client_head->y); + } + return 0; + } +@@ -155,9 +107,6 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) + qxl_io_log(qdev, "failed crc check for client_monitors_config," + " retrying\n"); + } +- qxl_crtc_set_from_monitors_config(qdev); +- /* fire off a uevent and let userspace tell us what to do */ +- qxl_io_log(qdev, "calling drm_sysfs_hotplug_event\n"); + drm_sysfs_hotplug_event(qdev->ddev); + } + +@@ -170,9 +119,9 @@ static int qxl_add_monitors_config_modes(struct drm_connector *connector) + struct drm_display_mode *mode = NULL; + struct qxl_head *head; + +- if (!qdev->monitors_config) ++ if (!qdev->client_monitors_config) + return 0; +- head = &qdev->monitors_config->heads[h]; ++ head = &qdev->client_monitors_config->heads[h]; + + mode = drm_cvt_mode(dev, head->width, head->height, 60, false, false, + false); +@@ -255,11 +204,11 @@ qxl_hide_cursor(struct qxl_device *qdev) + qxl_release_unreserve(qdev, release); + } + +-static int qxl_crtc_cursor_set(struct drm_crtc *crtc, +- struct drm_file *file_priv, +- uint32_t handle, +- uint32_t width, +- uint32_t height) ++static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, ++ struct drm_file *file_priv, ++ uint32_t handle, ++ uint32_t width, ++ uint32_t height, int32_t hot_x, int32_t hot_y) + { + struct drm_device *dev = crtc->dev; + struct qxl_device *qdev = dev->dev_private; +@@ -315,8 +264,8 @@ static int qxl_crtc_cursor_set(struct drm_crtc *crtc, + cursor->header.type = SPICE_CURSOR_TYPE_ALPHA; + cursor->header.width = 64; + cursor->header.height = 64; +- cursor->header.hot_spot_x = 0; +- cursor->header.hot_spot_y = 0; ++ cursor->header.hot_spot_x = hot_x; ++ cursor->header.hot_spot_y = hot_y; + cursor->data_size = size; + cursor->chunk.next_chunk = 0; + cursor->chunk.prev_chunk = 0; +@@ -397,7 +346,7 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, + + + static const struct drm_crtc_funcs qxl_crtc_funcs = { +- .cursor_set = qxl_crtc_cursor_set, ++ .cursor_set2 = qxl_crtc_cursor_set2, + .cursor_move = qxl_crtc_cursor_move, + .gamma_set = qxl_crtc_gamma_set, + .set_config = drm_crtc_helper_set_config, +@@ -506,7 +455,7 @@ qxl_send_monitors_config(struct qxl_device *qdev) + for (i = 0 ; i < qdev->monitors_config->count ; ++i) { + struct qxl_head *head = &qdev->monitors_config->heads[i]; + +- if (head->y > 8192 || head->y < head->x || ++ if (head->y > 8192 || head->x > 8192 || + head->width > 8192 || head->height > 8192) { + DRM_ERROR("head %d wrong: %dx%d+%d+%d\n", + i, head->width, head->height, +@@ -517,16 +466,19 @@ qxl_send_monitors_config(struct qxl_device *qdev) + qxl_io_monitors_config(qdev); + } + +-static void qxl_monitors_config_set_single(struct qxl_device *qdev, +- unsigned x, unsigned y, +- unsigned width, unsigned height) ++static void qxl_monitors_config_set(struct qxl_device *qdev, ++ int index, ++ unsigned x, unsigned y, ++ unsigned width, unsigned height, ++ unsigned surf_id) + { +- DRM_DEBUG("%dx%d+%d+%d\n", width, height, x, y); +- qdev->monitors_config->count = 1; +- qdev->monitors_config->heads[0].x = x; +- qdev->monitors_config->heads[0].y = y; +- qdev->monitors_config->heads[0].width = width; +- qdev->monitors_config->heads[0].height = height; ++ DRM_DEBUG_KMS("%d:%dx%d+%d+%d\n", index, width, height, x, y); ++ qdev->monitors_config->heads[index].x = x; ++ qdev->monitors_config->heads[index].y = y; ++ qdev->monitors_config->heads[index].width = width; ++ qdev->monitors_config->heads[index].height = height; ++ qdev->monitors_config->heads[index].surface_id = surf_id; ++ + } + + static int qxl_crtc_mode_set(struct drm_crtc *crtc, +@@ -540,10 +492,11 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + struct qxl_mode *m = (void *)mode->private; + struct qxl_framebuffer *qfb; + struct qxl_bo *bo, *old_bo = NULL; ++ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); + uint32_t width, height, base_offset; + bool recreate_primary = false; + int ret; +- ++ int surf_id; + if (!crtc->fb) { + DRM_DEBUG_KMS("No FB bound\n"); + return 0; +@@ -567,7 +520,8 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + adjusted_mode->hdisplay, + adjusted_mode->vdisplay); + +- recreate_primary = true; ++ if (qcrtc->index == 0) ++ recreate_primary = true; + + width = mode->hdisplay; + height = mode->vdisplay; +@@ -588,8 +542,11 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + "recreate primary: %dx%d (was %dx%d,%d,%d)\n", + width, height, bo->surf.width, + bo->surf.height, bo->surf.stride, bo->surf.format); +- qxl_io_create_primary(qdev, width, height, base_offset, bo); ++ qxl_io_create_primary(qdev, base_offset, bo); + bo->is_primary = true; ++ surf_id = 0; ++ } else { ++ surf_id = bo->surface_id; + } + + if (old_bo && old_bo != bo) { +@@ -599,11 +556,9 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, + qxl_bo_unreserve(old_bo); + } + +- if (qdev->monitors_config->count == 0) { +- qxl_monitors_config_set_single(qdev, x, y, +- mode->hdisplay, +- mode->vdisplay); +- } ++ qxl_monitors_config_set(qdev, qcrtc->index, x, y, ++ mode->hdisplay, ++ mode->vdisplay, surf_id); + return 0; + } + +@@ -619,6 +574,26 @@ static void qxl_crtc_commit(struct drm_crtc *crtc) + DRM_DEBUG("\n"); + } + ++static void qxl_crtc_disable(struct drm_crtc *crtc) ++{ ++ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); ++ struct drm_device *dev = crtc->dev; ++ struct qxl_device *qdev = dev->dev_private; ++ if (crtc->fb) { ++ struct qxl_framebuffer *qfb = to_qxl_framebuffer(crtc->fb); ++ struct qxl_bo *bo = gem_to_qxl_bo(qfb->obj); ++ int ret; ++ ret = qxl_bo_reserve(bo, false); ++ qxl_bo_unpin(bo); ++ qxl_bo_unreserve(bo); ++ crtc->fb = NULL; ++ } ++ ++ qxl_monitors_config_set(qdev, qcrtc->index, 0, 0, 0, 0, 0); ++ ++ qxl_send_monitors_config(qdev); ++} ++ + static void qxl_crtc_load_lut(struct drm_crtc *crtc) + { + DRM_DEBUG("\n"); +@@ -626,6 +601,7 @@ static void qxl_crtc_load_lut(struct drm_crtc *crtc) + + static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { + .dpms = qxl_crtc_dpms, ++ .disable = qxl_crtc_disable, + .mode_fixup = qxl_crtc_mode_fixup, + .mode_set = qxl_crtc_mode_set, + .prepare = qxl_crtc_prepare, +@@ -633,7 +609,7 @@ static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { + .load_lut = qxl_crtc_load_lut, + }; + +-static int qdev_crtc_init(struct drm_device *dev, int num_crtc) ++static int qdev_crtc_init(struct drm_device *dev, int crtc_id) + { + struct qxl_crtc *qxl_crtc; + +@@ -642,7 +618,7 @@ static int qdev_crtc_init(struct drm_device *dev, int num_crtc) + return -ENOMEM; + + drm_crtc_init(dev, &qxl_crtc->base, &qxl_crtc_funcs); +- ++ qxl_crtc->index = crtc_id; + drm_mode_crtc_set_gamma_size(&qxl_crtc->base, 256); + drm_crtc_helper_add(&qxl_crtc->base, &qxl_crtc_helper_funcs); + return 0; +@@ -670,18 +646,13 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, + struct drm_encoder *encoder) + { + int i; ++ struct qxl_output *output = drm_encoder_to_qxl_output(encoder); + struct qxl_head *head; + struct drm_display_mode *mode; + + BUG_ON(!encoder); + /* TODO: ugly, do better */ +- for (i = 0 ; (encoder->possible_crtcs != (1 << i)) && i < 32; ++i) +- ; +- if (encoder->possible_crtcs != (1 << i)) { +- DRM_ERROR("encoder has wrong possible_crtcs: %x\n", +- encoder->possible_crtcs); +- return; +- } ++ i = output->index; + if (!qdev->monitors_config || + qdev->monitors_config->max_allowed <= i) { + DRM_ERROR( +@@ -699,7 +670,6 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, + DRM_DEBUG("missing for multiple monitors: no head holes\n"); + head = &qdev->monitors_config->heads[i]; + head->id = i; +- head->surface_id = 0; + if (encoder->crtc->enabled) { + mode = &encoder->crtc->mode; + head->width = mode->hdisplay; +@@ -714,8 +684,8 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, + head->x = 0; + head->y = 0; + } +- DRM_DEBUG("setting head %d to +%d+%d %dx%d\n", +- i, head->x, head->y, head->width, head->height); ++ DRM_DEBUG_KMS("setting head %d to +%d+%d %dx%d out of %d\n", ++ i, head->x, head->y, head->width, head->height, qdev->monitors_config->count); + head->flags = 0; + /* TODO - somewhere else to call this for multiple monitors + * (config_commit?) */ +@@ -810,8 +780,9 @@ static enum drm_connector_status qxl_conn_detect( + + /* The first monitor is always connected */ + connected = (output->index == 0) || +- (qdev->monitors_config && +- qdev->monitors_config->count > output->index); ++ (qdev->client_monitors_config && ++ qdev->client_monitors_config->count > output->index && ++ qxl_head_enabled(&qdev->client_monitors_config->heads[output->index])); + + DRM_DEBUG("\n"); + return connected ? connector_status_connected +@@ -919,7 +890,7 @@ int qxl_modeset_init(struct qxl_device *qdev) + int i; + int ret; + struct drm_gem_object *gobj; +- int max_allowed = QXL_NUM_OUTPUTS; ++ int max_allowed = qxl_num_crtc; + int monitors_config_size = sizeof(struct qxl_monitors_config) + + max_allowed * sizeof(struct qxl_head); + +@@ -949,7 +920,7 @@ int qxl_modeset_init(struct qxl_device *qdev) + qdev->ddev->mode_config.max_height = 8192; + + qdev->ddev->mode_config.fb_base = qdev->vram_base; +- for (i = 0 ; i < QXL_NUM_OUTPUTS; ++i) { ++ for (i = 0 ; i < qxl_num_crtc; ++i) { + qdev_crtc_init(qdev->ddev, i); + qdev_output_init(qdev->ddev, i); + } +diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c +index aa291d8..00e57b76 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.c ++++ b/drivers/gpu/drm/qxl/qxl_drv.c +@@ -47,10 +47,14 @@ static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { + MODULE_DEVICE_TABLE(pci, pciidlist); + + static int qxl_modeset = -1; ++int qxl_num_crtc = 4; + + MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); + module_param_named(modeset, qxl_modeset, int, 0400); + ++MODULE_PARM_DESC(num_heads, "Number of virtual crtcs to expose (default 4)"); ++module_param_named(num_heads, qxl_num_crtc, int, 0400); ++ + static struct drm_driver qxl_driver; + static struct pci_driver qxl_pci_driver; + +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 43d06ab..42ef0e2 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -55,11 +55,10 @@ + #define DRIVER_MINOR 1 + #define DRIVER_PATCHLEVEL 0 + +-#define QXL_NUM_OUTPUTS 1 +- + #define QXL_DEBUGFS_MAX_COMPONENTS 32 + + extern int qxl_log_level; ++extern int qxl_num_crtc; + + enum { + QXL_INFO_LEVEL = 1, +@@ -139,6 +138,7 @@ struct qxl_reloc_list { + + struct qxl_crtc { + struct drm_crtc base; ++ int index; + int cur_x; + int cur_y; + }; +@@ -156,7 +156,7 @@ struct qxl_framebuffer { + + #define to_qxl_crtc(x) container_of(x, struct qxl_crtc, base) + #define drm_connector_to_qxl_output(x) container_of(x, struct qxl_output, base) +-#define drm_encoder_to_qxl_output(x) container_of(x, struct qxl_output, base) ++#define drm_encoder_to_qxl_output(x) container_of(x, struct qxl_output, enc) + #define to_qxl_framebuffer(x) container_of(x, struct qxl_framebuffer, base) + + struct qxl_mman { +@@ -435,7 +435,7 @@ void qxl_update_screen(struct qxl_device *qxl); + /* qxl io operations (qxl_cmd.c) */ + + void qxl_io_create_primary(struct qxl_device *qdev, +- unsigned width, unsigned height, unsigned offset, ++ unsigned offset, + struct qxl_bo *bo); + void qxl_io_destroy_primary(struct qxl_device *qdev); + void qxl_io_memslot_add(struct qxl_device *qdev, uint8_t id); +diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c +index b3c5127..11ef7cb 100644 +--- a/drivers/gpu/drm/qxl/qxl_fb.c ++++ b/drivers/gpu/drm/qxl/qxl_fb.c +@@ -542,7 +542,7 @@ int qxl_fbdev_init(struct qxl_device *qdev) + qfbdev->helper.funcs = &qxl_fb_helper_funcs; + + ret = drm_fb_helper_init(qdev->ddev, &qfbdev->helper, +- 1 /* num_crtc - QXL supports just 1 */, ++ qxl_num_crtc /* num_crtc - QXL supports just 1 */, + QXLFB_CONN_LIMIT); + if (ret) { + kfree(qfbdev); +diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c +index a4b71b2..6ba49d9 100644 +--- a/drivers/gpu/drm/qxl/qxl_ioctl.c ++++ b/drivers/gpu/drm/qxl/qxl_ioctl.c +@@ -183,6 +183,12 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, + /* TODO copy slow path code from i915 */ + fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); + unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)user_cmd.command, user_cmd.command_size); ++ ++ { ++ struct qxl_drawable *draw = fb_cmd; ++ ++ draw->mm_time = qdev->rom->mm_clock; ++ } + qxl_bo_kunmap_atomic_page(qdev, cmd_bo, fb_cmd); + if (unwritten) { + DRM_ERROR("got unwritten %d\n", unwritten); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 93077054f..bb008896a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -669,10 +669,11 @@ Patch1000: devel-pekey-secure-boot-20130306.patch #atch1700: drm-edid-try-harder-to-fix-up-broken-headers.patch #Patch1800: drm-vgem.patch Patch1700: drm-ttm-exports-for-qxl.patch -Patch1701: drm-qxl-driver.patch -Patch1702: drm-qxl-backport-fixes.patch -Patch1703: drm-qxl-access-fix.patch -Patch1704: drm-qxl-cursor-and-dynamic-resize-fixes.patch +Patch1701: drm-hotspot-cursor-backport.patch +Patch1702: drm-qxl-driver.patch +Patch1703: drm-qxl-3.10-rc7-diff.patch +Patch1704: drm-qxl-access-fix.patch +Patch1705: drm-qxl-post-3.10-feature-fixes.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -1435,10 +1436,11 @@ ApplyPatch devel-pekey-secure-boot-20130306.patch # DRM core ApplyPatch drm-ttm-exports-for-qxl.patch +ApplyPatch drm-hotspot-cursor-backport.patch ApplyPatch drm-qxl-driver.patch -ApplyPatch drm-qxl-backport-fixes.patch +ApplyPatch drm-qxl-3.10-rc7-diff.patch ApplyPatch drm-qxl-access-fix.patch -ApplyPatch drm-qxl-cursor-and-dynamic-resize-fixes.patch +ApplyPatch drm-qxl-post-3.10-feature-fixes.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -2369,6 +2371,10 @@ fi # and build. %changelog +* Wed Jul 03 2013 Dave Airlie +- fixup QXL driver patches to make it easier to rebase +- add qxl driver dynamic resize + multiple heads support + * Mon Jul 01 2013 Dave Airlie - kernel portion of qxl cursor and dynamic resize fixes. From 7b9b3ffb29675179baa86112f52ee29f15760ca0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 3 Jul 2013 08:29:53 -0400 Subject: [PATCH 145/468] Add patches to fix iwl skb managment (rhbz 977040) --- ...945-better-skb-management-in-rx-path.patch | 97 +++++++++++++++++++ ...965-better-skb-management-in-rx-path.patch | 65 +++++++++++++ kernel.spec | 11 +++ 3 files changed, 173 insertions(+) create mode 100644 iwl3945-better-skb-management-in-rx-path.patch create mode 100644 iwl4965-better-skb-management-in-rx-path.patch diff --git a/iwl3945-better-skb-management-in-rx-path.patch b/iwl3945-better-skb-management-in-rx-path.patch new file mode 100644 index 000000000..5d85af7d4 --- /dev/null +++ b/iwl3945-better-skb-management-in-rx-path.patch @@ -0,0 +1,97 @@ +From: Eric Dumazet + +Steinar reported reallocations of skb->head with IPv6, leading to +a warning in skb_try_coalesce() + +It turns out iwl3945 has several problems : + +1) skb->truesize is underestimated. + We really consume PAGE_SIZE bytes for a fragment, + not the frame length. +2) 128 bytes of initial headroom is a bit low and forces reallocations. +3) We can avoid consuming a full page for small enough frames. + +Reported-by: Steinar H. Gunderson +Signed-off-by: Eric Dumazet +Cc: Paul Stewart +--- +v3: use regular memcpy(skb_put(...),...) +v2: SMALL_PACKET_SIZE define + + drivers/net/wireless/iwlegacy/3945.c | 31 +++++++++++++++---------- + 1 file changed, 19 insertions(+), 12 deletions(-) + +diff --git a/drivers/net/wireless/iwlegacy/3945.c b/drivers/net/wireless/iwlegacy/3945.c +index c092033..f09e257 100644 +--- a/drivers/net/wireless/iwlegacy/3945.c ++++ b/drivers/net/wireless/iwlegacy/3945.c +@@ -475,6 +475,8 @@ il3945_is_network_packet(struct il_priv *il, struct ieee80211_hdr *header) + } + } + ++#define SMALL_PACKET_SIZE 256 ++ + static void + il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, + struct ieee80211_rx_status *stats) +@@ -483,14 +485,13 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)IL_RX_DATA(pkt); + struct il3945_rx_frame_hdr *rx_hdr = IL_RX_HDR(pkt); + struct il3945_rx_frame_end *rx_end = IL_RX_END(pkt); +- u16 len = le16_to_cpu(rx_hdr->len); ++ u32 len = le16_to_cpu(rx_hdr->len); + struct sk_buff *skb; + __le16 fc = hdr->frame_control; ++ u32 fraglen = PAGE_SIZE << il->hw_params.rx_page_order; + + /* We received data from the HW, so stop the watchdog */ +- if (unlikely +- (len + IL39_RX_FRAME_SIZE > +- PAGE_SIZE << il->hw_params.rx_page_order)) { ++ if (unlikely(len + IL39_RX_FRAME_SIZE > fraglen)) { + D_DROP("Corruption detected!\n"); + return; + } +@@ -506,26 +507,32 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, + D_INFO("Woke queues - frame received on passive channel\n"); + } + +- skb = dev_alloc_skb(128); ++ skb = dev_alloc_skb(SMALL_PACKET_SIZE); + if (!skb) { + IL_ERR("dev_alloc_skb failed\n"); + return; + } + + if (!il3945_mod_params.sw_crypto) +- il_set_decrypted_flag(il, (struct ieee80211_hdr *)rxb_addr(rxb), ++ il_set_decrypted_flag(il, (struct ieee80211_hdr *)pkt, + le32_to_cpu(rx_end->status), stats); + +- skb_add_rx_frag(skb, 0, rxb->page, +- (void *)rx_hdr->payload - (void *)pkt, len, +- len); +- ++ /* If frame is small enough to fit into skb->head, copy it ++ * and do not consume a full page ++ */ ++ if (len <= SMALL_PACKET_SIZE) { ++ memcpy(skb_put(skb, len), rx_hdr->payload, len); ++ } else { ++ skb_add_rx_frag(skb, 0, rxb->page, ++ (void *)rx_hdr->payload - (void *)pkt, len, ++ fraglen); ++ il->alloc_rxb_page--; ++ rxb->page = NULL; ++ } + il_update_stats(il, false, fc, len); + memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats)); + + ieee80211_rx(il->hw, skb); +- il->alloc_rxb_page--; +- rxb->page = NULL; + } + + #define IL_DELAY_NEXT_SCAN_AFTER_ASSOC (HZ*6) + + diff --git a/iwl4965-better-skb-management-in-rx-path.patch b/iwl4965-better-skb-management-in-rx-path.patch new file mode 100644 index 000000000..904ff04f6 --- /dev/null +++ b/iwl4965-better-skb-management-in-rx-path.patch @@ -0,0 +1,65 @@ +4965 version of Eric patch "iwl3945: better skb management in rx path". +It fixes several problems : + +1) skb->truesize is underestimated. + We really consume PAGE_SIZE bytes for a fragment, + not the frame length. +2) 128 bytes of initial headroom is a bit low and forces reallocations. +3) We can avoid consuming a full page for small enough frames. + +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/iwlegacy/4965-mac.c | 18 ++++++++++++------ + 1 file changed, 12 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c +index d287fd2..4e5d408 100644 +--- a/drivers/net/wireless/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/iwlegacy/4965-mac.c +@@ -574,9 +574,11 @@ il4965_translate_rx_status(struct il_priv *il, u32 decrypt_in) + return decrypt_out; + } + ++#define SMALL_PACKET_SIZE 256 ++ + static void + il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr, +- u16 len, u32 ampdu_status, struct il_rx_buf *rxb, ++ u32 len, u32 ampdu_status, struct il_rx_buf *rxb, + struct ieee80211_rx_status *stats) + { + struct sk_buff *skb; +@@ -598,21 +600,25 @@ il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr, + il_set_decrypted_flag(il, hdr, ampdu_status, stats)) + return; + +- skb = dev_alloc_skb(128); ++ skb = dev_alloc_skb(SMALL_PACKET_SIZE); + if (!skb) { + IL_ERR("dev_alloc_skb failed\n"); + return; + } + +- skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb), len, +- len); ++ if (len <= SMALL_PACKET_SIZE) { ++ memcpy(skb_put(skb, len), hdr, len); ++ } else { ++ skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb), ++ len, PAGE_SIZE << il->hw_params.rx_page_order); ++ il->alloc_rxb_page--; ++ rxb->page = NULL; ++ } + + il_update_stats(il, false, fc, len); + memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats)); + + ieee80211_rx(il->hw, skb); +- il->alloc_rxb_page--; +- rxb->page = NULL; + } + + /* Called for N_RX (legacy ABG frames), or +-- +1.7.11.7 + diff --git a/kernel.spec b/kernel.spec index bb008896a..b94565ed5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -803,6 +803,10 @@ Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch #rhbz 977558 Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch +#rhbz 977040 +Patch25056: iwl3945-better-skb-management-in-rx-path.patch +Patch25057: iwl4965-better-skb-management-in-rx-path.patch + # END OF PATCH DEFINITIONS %endif @@ -1555,6 +1559,10 @@ ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch #rhbz 977558 ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch +#rhbz 977040 +ApplyPatch iwl3945-better-skb-management-in-rx-path.patch +ApplyPatch iwl4965-better-skb-management-in-rx-path.patch + # END OF PATCH APPLICATIONS %endif @@ -2371,6 +2379,9 @@ fi # and build. %changelog +* Wed Jul 03 2013 Josh Boyer +- Add patches to fix iwl skb managment (rhbz 977040) + * Wed Jul 03 2013 Dave Airlie - fixup QXL driver patches to make it easier to rebase - add qxl driver dynamic resize + multiple heads support From c2ff806e7960e31957e84f1d3ef2848e92b7c38c Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 3 Jul 2013 14:07:37 -0500 Subject: [PATCH 146/468] Linux v3.9.9 --- kernel.spec | 11 ++- ...-RT3290-TX-power-settings-regression.patch | 71 ------------------- sources | 2 +- 3 files changed, 5 insertions(+), 79 deletions(-) delete mode 100644 rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch diff --git a/kernel.spec b/kernel.spec index b94565ed5..14d464f68 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -779,9 +779,6 @@ Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch Patch25043: vfio-Set-container-device-mode.patch Patch25044: vfio-fix-crash-on-rmmod.patch -#rhbz 950735 -Patch25045: rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch - #rhbz 969644 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch @@ -1535,9 +1532,6 @@ ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch ApplyPatch vfio-Set-container-device-mode.patch ApplyPatch vfio-fix-crash-on-rmmod.patch -#rhbz 950735 -ApplyPatch rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch - #rhbz 969644 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch @@ -2379,6 +2373,9 @@ fi # and build. %changelog +* Wed Jul 03 2013 Justin M. Forbes 3.9.9-300 +- Linux v3.9.9 + * Wed Jul 03 2013 Josh Boyer - Add patches to fix iwl skb managment (rhbz 977040) diff --git a/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch b/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch deleted file mode 100644 index 354873950..000000000 --- a/rt2800-fix-RT5390-RT3290-TX-power-settings-regression.patch +++ /dev/null @@ -1,71 +0,0 @@ -My change: - -commit cee2c7315f60beeff6137ee59e99acc77d636eeb -Author: Stanislaw Gruszka -Date: Fri Oct 5 13:44:09 2012 +0200 - - rt2800: use BBP_R1 for setting tx power - -unfortunately does not work well with RT5390 and RT3290 chips as they -require different temperature compensation TX power settings (TSSI -tuning). Since that commit make wireless connection very unstable on -those chips, restore previous behavior to fix regression. Once we -implement proper TSSI tuning on 5390/3290 we can restore back setting -TX power by BBP_R1 register for those chips. - -Reported-and-tested-by: Mike Romberg -Cc: stable@vger.kernel.org -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/rt2x00/rt2800lib.c | 29 ++++++++++++++++++----------- - 1 file changed, 18 insertions(+), 11 deletions(-) - -diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index 92849e5..8b679df 100644 ---- a/drivers/net/wireless/rt2x00/rt2800lib.c -+++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -2634,19 +2634,26 @@ static void rt2800_config_txpower(struct rt2x00_dev *rt2x00dev, - * TODO: we do not use +6 dBm option to do not increase power beyond - * regulatory limit, however this could be utilized for devices with - * CAPABILITY_POWER_LIMIT. -+ * -+ * TODO: add different temperature compensation code for RT3290 & RT5390 -+ * to allow to use BBP_R1 for those chips. - */ -- rt2800_bbp_read(rt2x00dev, 1, &r1); -- if (delta <= -12) { -- power_ctrl = 2; -- delta += 12; -- } else if (delta <= -6) { -- power_ctrl = 1; -- delta += 6; -- } else { -- power_ctrl = 0; -+ if (!rt2x00_rt(rt2x00dev, RT3290) && -+ !rt2x00_rt(rt2x00dev, RT5390)) { -+ rt2800_bbp_read(rt2x00dev, 1, &r1); -+ if (delta <= -12) { -+ power_ctrl = 2; -+ delta += 12; -+ } else if (delta <= -6) { -+ power_ctrl = 1; -+ delta += 6; -+ } else { -+ power_ctrl = 0; -+ } -+ rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl); -+ rt2800_bbp_write(rt2x00dev, 1, r1); - } -- rt2x00_set_field8(&r1, BBP1_TX_POWER_CTRL, power_ctrl); -- rt2800_bbp_write(rt2x00dev, 1, r1); -+ - offset = TX_PWR_CFG_0; - - for (i = 0; i < EEPROM_TXPOWER_BYRATE_SIZE; i += 2) { --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/sources b/sources index 607da4fb5..372d198c3 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -c5f2166686a913abf550bfed8b77df27 patch-3.9.8.xz +41f350c2fd6aa14414bf39f173a8e6a3 patch-3.9.9.xz From 60a8d4c543488c05e62c797879e4c2a59748acbe Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 3 Jul 2013 15:36:22 -0400 Subject: [PATCH 147/468] CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007) --- ...ey-fix-info-leaks-in-notify-messages.patch | 37 +++++++++++++++++++ kernel.spec | 9 +++++ 2 files changed, 46 insertions(+) create mode 100644 af_key-fix-info-leaks-in-notify-messages.patch diff --git a/af_key-fix-info-leaks-in-notify-messages.patch b/af_key-fix-info-leaks-in-notify-messages.patch new file mode 100644 index 000000000..9d20aec0f --- /dev/null +++ b/af_key-fix-info-leaks-in-notify-messages.patch @@ -0,0 +1,37 @@ +From a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Wed, 26 Jun 2013 21:52:30 +0000 +Subject: af_key: fix info leaks in notify messages + +key_notify_sa_flush() and key_notify_policy_flush() miss to initialize +the sadb_msg_reserved member of the broadcasted message and thereby +leak 2 bytes of heap memory to listeners. Fix that. + +Signed-off-by: Mathias Krause +Cc: Steffen Klassert +Cc: "David S. Miller" +Cc: Herbert Xu +Signed-off-by: David S. Miller +--- +diff --git a/net/key/af_key.c b/net/key/af_key.c +index c5fbd75..9da8620 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c) + hdr->sadb_msg_version = PF_KEY_V2; + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + + pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + +@@ -2699,6 +2700,7 @@ static int key_notify_policy_flush(const struct km_event *c) + hdr->sadb_msg_errno = (uint8_t) 0; + hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC; + hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); ++ hdr->sadb_msg_reserved = 0; + pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); + return 0; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 14d464f68..985739473 100644 --- a/kernel.spec +++ b/kernel.spec @@ -804,6 +804,9 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch +#CVE-2013-2234 rhbz 980995 981007 +Patch25058: af_key-fix-info-leaks-in-notify-messages.patch + # END OF PATCH DEFINITIONS %endif @@ -1557,6 +1560,9 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch +#CVE-2013-2234 rhbz 980995 981007 +ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch + # END OF PATCH APPLICATIONS %endif @@ -2373,6 +2379,9 @@ fi # and build. %changelog +* Wed Jul 03 2013 Josh Boyer +- CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007) + * Wed Jul 03 2013 Justin M. Forbes 3.9.9-300 - Linux v3.9.9 From 7ac4052f120b227c6017fe134c56a18a7280f45a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 3 Jul 2013 16:10:09 -0400 Subject: [PATCH 148/468] CVE-2013-1059 libceph: Fix NULL pointer dereference in auth client code (rhbz 977356 980341) --- ceph-fix.patch | 24 ++++++++++++++++++++++++ kernel.spec | 7 +++++++ 2 files changed, 31 insertions(+) create mode 100644 ceph-fix.patch diff --git a/ceph-fix.patch b/ceph-fix.patch new file mode 100644 index 000000000..6515e758d --- /dev/null +++ b/ceph-fix.patch @@ -0,0 +1,24 @@ +diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c +index 925ca58..0ef2458 100644 +--- a/net/ceph/auth_none.c ++++ b/net/ceph/auth_none.c +@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac) + return xi->starting; + } + ++static int build_request(struct ceph_auth_client *ac, void *buf, void *end) ++{ ++ return 0; ++} ++ + /* + * the generic auth code decode the global_id, and we carry no actual + * authenticate state, so nothing happens here. +@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { + .destroy = destroy, + .is_authenticated = is_authenticated, + .should_authenticate = should_authenticate, ++ .build_request = build_request, + .handle_reply = handle_reply, + .create_authorizer = ceph_auth_none_create_authorizer, + .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/kernel.spec b/kernel.spec index 985739473..af56e0388 100644 --- a/kernel.spec +++ b/kernel.spec @@ -807,6 +807,9 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #CVE-2013-2234 rhbz 980995 981007 Patch25058: af_key-fix-info-leaks-in-notify-messages.patch +#CVE-2013-1059 rhbz 977356 980341 +Patch25059: ceph-fix.patch + # END OF PATCH DEFINITIONS %endif @@ -1563,6 +1566,9 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #CVE-2013-2234 rhbz 980995 981007 ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch +#CVE-2013-1059 rhbz 977356 980341 +ApplyPatch ceph-fix.patch + # END OF PATCH APPLICATIONS %endif @@ -2380,6 +2386,7 @@ fi %changelog * Wed Jul 03 2013 Josh Boyer +- CVE-2013-1059 libceph: Fix NULL pointer dereference in auth client code (rhbz 977356 980341) - CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007) * Wed Jul 03 2013 Justin M. Forbes 3.9.9-300 From a73601d17fead20c265afbf2577f41e4539d3d56 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 4 Jul 2013 09:41:26 -0500 Subject: [PATCH 149/468] Bump release for build --- kernel.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index af56e0388..5cf8a72ac 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2385,7 +2385,7 @@ fi # and build. %changelog -* Wed Jul 03 2013 Josh Boyer +* Wed Jul 03 2013 Josh Boyer 3.9.9-301 - CVE-2013-1059 libceph: Fix NULL pointer dereference in auth client code (rhbz 977356 980341) - CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007) From 4e4abd7078a5ed57576c59aa7f0f4de4d84a230e Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Thu, 4 Jul 2013 21:06:43 -0400 Subject: [PATCH 150/468] qxl: add suspend/resume and hibernate support --- drm-qxl-post-3.10-features-part-2.patch | 483 ++++++++++++++++++++++++ kernel.spec | 5 + 2 files changed, 488 insertions(+) create mode 100644 drm-qxl-post-3.10-features-part-2.patch diff --git a/drm-qxl-post-3.10-features-part-2.patch b/drm-qxl-post-3.10-features-part-2.patch new file mode 100644 index 000000000..3af9b1bb1 --- /dev/null +++ b/drm-qxl-post-3.10-features-part-2.patch @@ -0,0 +1,483 @@ +From db21a217f7de4f173aa0fb4c7a296cc9cffbd6bf Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 4 Jul 2013 14:46:46 +1000 +Subject: [PATCH] drm/qxl: post 3.10 features part 2 + +qxl: split monitors_config object creation out. +qxl: prepare memslot code for suspend/resume +qxl: add ring prep code for s/r +qxl: add fb and ttm entry points for use by suspend/resume. +qxl: add suspend/resume/hibernate support. +qxl: use drm helper hotplug support + +Signed-off-by: Dave Airlie +--- + drivers/gpu/drm/qxl/qxl_cmd.c | 9 ++- + drivers/gpu/drm/qxl/qxl_display.c | 58 +++++++++++++++-- + drivers/gpu/drm/qxl/qxl_drv.c | 134 +++++++++++++++++++++++++++++++++++--- + drivers/gpu/drm/qxl/qxl_drv.h | 10 +++ + drivers/gpu/drm/qxl/qxl_fb.c | 10 +++ + drivers/gpu/drm/qxl/qxl_kms.c | 24 +++++-- + drivers/gpu/drm/qxl/qxl_object.c | 10 +++ + 7 files changed, 236 insertions(+), 19 deletions(-) + +diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c +index 0ec55e7..0ca2999 100644 +--- a/drivers/gpu/drm/qxl/qxl_cmd.c ++++ b/drivers/gpu/drm/qxl/qxl_cmd.c +@@ -49,6 +49,11 @@ void qxl_ring_free(struct qxl_ring *ring) + kfree(ring); + } + ++void qxl_ring_init_hdr(struct qxl_ring *ring) ++{ ++ ring->ring->header.notify_on_prod = ring->n_elements; ++} ++ + struct qxl_ring * + qxl_ring_create(struct qxl_ring_header *header, + int element_size, +@@ -69,7 +74,7 @@ qxl_ring_create(struct qxl_ring_header *header, + ring->prod_notify = prod_notify; + ring->push_event = push_event; + if (set_prod_notify) +- header->notify_on_prod = ring->n_elements; ++ qxl_ring_init_hdr(ring); + spin_lock_init(&ring->lock); + return ring; + } +@@ -87,7 +92,7 @@ static int qxl_check_header(struct qxl_ring *ring) + return ret; + } + +-static int qxl_check_idle(struct qxl_ring *ring) ++int qxl_check_idle(struct qxl_ring *ring) + { + int ret; + struct qxl_ring_header *header = &(ring->ring->header); +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index a127a97..b03fe6d 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -107,7 +107,7 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) + qxl_io_log(qdev, "failed crc check for client_monitors_config," + " retrying\n"); + } +- drm_sysfs_hotplug_event(qdev->ddev); ++ drm_helper_hpd_irq_event(qdev->ddev); + } + + static int qxl_add_monitors_config_modes(struct drm_connector *connector) +@@ -846,6 +846,8 @@ static int qdev_output_init(struct drm_device *dev, int num_output) + drm_encoder_init(dev, &qxl_output->enc, &qxl_enc_funcs, + DRM_MODE_ENCODER_VIRTUAL); + ++ /* we get HPD via client monitors config */ ++ connector->polled = DRM_CONNECTOR_POLL_HPD; + encoder->possible_crtcs = 1 << num_output; + drm_mode_connector_attach_encoder(&qxl_output->base, + &qxl_output->enc); +@@ -885,16 +887,14 @@ static const struct drm_mode_config_funcs qxl_mode_funcs = { + .fb_create = qxl_user_framebuffer_create, + }; + +-int qxl_modeset_init(struct qxl_device *qdev) ++int qxl_create_monitors_object(struct qxl_device *qdev) + { +- int i; + int ret; + struct drm_gem_object *gobj; + int max_allowed = qxl_num_crtc; + int monitors_config_size = sizeof(struct qxl_monitors_config) + +- max_allowed * sizeof(struct qxl_head); ++ max_allowed * sizeof(struct qxl_head); + +- drm_mode_config_init(qdev->ddev); + ret = qxl_gem_object_create(qdev, monitors_config_size, 0, + QXL_GEM_DOMAIN_VRAM, + false, false, NULL, &gobj); +@@ -903,13 +903,59 @@ int qxl_modeset_init(struct qxl_device *qdev) + return -ENOMEM; + } + qdev->monitors_config_bo = gem_to_qxl_bo(gobj); ++ ++ ret = qxl_bo_reserve(qdev->monitors_config_bo, false); ++ if (ret) ++ return ret; ++ ++ ret = qxl_bo_pin(qdev->monitors_config_bo, QXL_GEM_DOMAIN_VRAM, NULL); ++ if (ret) { ++ qxl_bo_unreserve(qdev->monitors_config_bo); ++ return ret; ++ } ++ ++ qxl_bo_unreserve(qdev->monitors_config_bo); ++ + qxl_bo_kmap(qdev->monitors_config_bo, NULL); ++ + qdev->monitors_config = qdev->monitors_config_bo->kptr; + qdev->ram_header->monitors_config = + qxl_bo_physical_address(qdev, qdev->monitors_config_bo, 0); + + memset(qdev->monitors_config, 0, monitors_config_size); + qdev->monitors_config->max_allowed = max_allowed; ++ return 0; ++} ++ ++int qxl_destroy_monitors_object(struct qxl_device *qdev) ++{ ++ int ret; ++ ++ qdev->monitors_config = NULL; ++ qdev->ram_header->monitors_config = 0; ++ ++ qxl_bo_kunmap(qdev->monitors_config_bo); ++ ret = qxl_bo_reserve(qdev->monitors_config_bo, false); ++ if (ret) ++ return ret; ++ ++ qxl_bo_unpin(qdev->monitors_config_bo); ++ qxl_bo_unreserve(qdev->monitors_config_bo); ++ ++ qxl_bo_unref(&qdev->monitors_config_bo); ++ return 0; ++} ++ ++int qxl_modeset_init(struct qxl_device *qdev) ++{ ++ int i; ++ int ret; ++ ++ drm_mode_config_init(qdev->ddev); ++ ++ ret = qxl_create_monitors_object(qdev); ++ if (ret) ++ return ret; + + qdev->ddev->mode_config.funcs = (void *)&qxl_mode_funcs; + +@@ -937,6 +983,8 @@ int qxl_modeset_init(struct qxl_device *qdev) + void qxl_modeset_fini(struct qxl_device *qdev) + { + qxl_fbdev_fini(qdev); ++ ++ qxl_destroy_monitors_object(qdev); + if (qdev->mode_info.mode_config_initialized) { + drm_mode_config_cleanup(qdev->ddev); + qdev->mode_info.mode_config_initialized = false; +diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c +index 00e57b76..df0b577 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.c ++++ b/drivers/gpu/drm/qxl/qxl_drv.c +@@ -33,8 +33,9 @@ + + #include "drmP.h" + #include "drm/drm.h" +- ++#include "drm_crtc_helper.h" + #include "qxl_drv.h" ++#include "qxl_object.h" + + extern int qxl_max_ioctls; + static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { +@@ -77,13 +78,6 @@ qxl_pci_remove(struct pci_dev *pdev) + drm_put_dev(dev); + } + +-static struct pci_driver qxl_pci_driver = { +- .name = DRIVER_NAME, +- .id_table = pciidlist, +- .probe = qxl_pci_probe, +- .remove = qxl_pci_remove, +-}; +- + static const struct file_operations qxl_fops = { + .owner = THIS_MODULE, + .open = drm_open, +@@ -94,6 +88,130 @@ static const struct file_operations qxl_fops = { + .mmap = qxl_mmap, + }; + ++static int qxl_drm_freeze(struct drm_device *dev) ++{ ++ struct pci_dev *pdev = dev->pdev; ++ struct qxl_device *qdev = dev->dev_private; ++ struct drm_crtc *crtc; ++ ++ drm_kms_helper_poll_disable(dev); ++ ++ console_lock(); ++ qxl_fbdev_set_suspend(qdev, 1); ++ console_unlock(); ++ ++ /* unpin the front buffers */ ++ list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) { ++ struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private; ++ if (crtc->enabled) ++ (*crtc_funcs->disable)(crtc); ++ } ++ ++ qxl_destroy_monitors_object(qdev); ++ qxl_surf_evict(qdev); ++ qxl_vram_evict(qdev); ++ ++ while (!qxl_check_idle(qdev->command_ring)); ++ while (!qxl_check_idle(qdev->release_ring)) ++ qxl_queue_garbage_collect(qdev, 1); ++ ++ pci_save_state(pdev); ++ ++ return 0; ++} ++ ++static int qxl_drm_resume(struct drm_device *dev, bool thaw) ++{ ++ struct qxl_device *qdev = dev->dev_private; ++ ++ qdev->ram_header->int_mask = QXL_INTERRUPT_MASK; ++ if (!thaw) { ++ qxl_reinit_memslots(qdev); ++ qxl_ring_init_hdr(qdev->release_ring); ++ } ++ ++ qxl_create_monitors_object(qdev); ++ drm_helper_resume_force_mode(dev); ++ ++ console_lock(); ++ qxl_fbdev_set_suspend(qdev, 0); ++ console_unlock(); ++ ++ drm_kms_helper_poll_enable(dev); ++ return 0; ++} ++ ++static int qxl_pm_suspend(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ int error; ++ ++ error = qxl_drm_freeze(drm_dev); ++ if (error) ++ return error; ++ ++ pci_disable_device(pdev); ++ pci_set_power_state(pdev, PCI_D3hot); ++ return 0; ++} ++ ++static int qxl_pm_resume(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ ++ pci_set_power_state(pdev, PCI_D0); ++ pci_restore_state(pdev); ++ if (pci_enable_device(pdev)) { ++ return -EIO; ++ } ++ ++ return qxl_drm_resume(drm_dev, false); ++} ++ ++static int qxl_pm_thaw(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ ++ return qxl_drm_resume(drm_dev, true); ++} ++ ++static int qxl_pm_freeze(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ ++ return qxl_drm_freeze(drm_dev); ++} ++ ++static int qxl_pm_restore(struct device *dev) ++{ ++ struct pci_dev *pdev = to_pci_dev(dev); ++ struct drm_device *drm_dev = pci_get_drvdata(pdev); ++ struct qxl_device *qdev = drm_dev->dev_private; ++ ++ qxl_io_reset(qdev); ++ return qxl_drm_resume(drm_dev, false); ++} ++ ++static const struct dev_pm_ops qxl_pm_ops = { ++ .suspend = qxl_pm_suspend, ++ .resume = qxl_pm_resume, ++ .freeze = qxl_pm_freeze, ++ .thaw = qxl_pm_thaw, ++ .poweroff = qxl_pm_freeze, ++ .restore = qxl_pm_restore, ++}; ++static struct pci_driver qxl_pci_driver = { ++ .name = DRIVER_NAME, ++ .id_table = pciidlist, ++ .probe = qxl_pci_probe, ++ .remove = qxl_pci_remove, ++ .driver.pm = &qxl_pm_ops, ++}; ++ + static struct drm_driver qxl_driver = { + .driver_features = DRIVER_GEM | DRIVER_MODESET | + DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED, +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 42ef0e2..aacb791 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -331,6 +331,10 @@ void qxl_modeset_fini(struct qxl_device *qdev); + int qxl_bo_init(struct qxl_device *qdev); + void qxl_bo_fini(struct qxl_device *qdev); + ++void qxl_reinit_memslots(struct qxl_device *qdev); ++int qxl_surf_evict(struct qxl_device *qdev); ++int qxl_vram_evict(struct qxl_device *qdev); ++ + struct qxl_ring *qxl_ring_create(struct qxl_ring_header *header, + int element_size, + int n_elements, +@@ -338,6 +342,8 @@ struct qxl_ring *qxl_ring_create(struct qxl_ring_header *header, + bool set_prod_notify, + wait_queue_head_t *push_event); + void qxl_ring_free(struct qxl_ring *ring); ++void qxl_ring_init_hdr(struct qxl_ring *ring); ++int qxl_check_idle(struct qxl_ring *ring); + + static inline void * + qxl_fb_virtual_address(struct qxl_device *qdev, unsigned long physical) +@@ -365,6 +371,7 @@ void qxl_fbdev_fini(struct qxl_device *qdev); + int qxl_get_handle_for_primary_fb(struct qxl_device *qdev, + struct drm_file *file_priv, + uint32_t *handle); ++void qxl_fbdev_set_suspend(struct qxl_device *qdev, int state); + + /* qxl_display.c */ + int +@@ -374,6 +381,8 @@ qxl_framebuffer_init(struct drm_device *dev, + struct drm_gem_object *obj); + void qxl_display_read_client_monitors_config(struct qxl_device *qdev); + void qxl_send_monitors_config(struct qxl_device *qdev); ++int qxl_create_monitors_object(struct qxl_device *qdev); ++int qxl_destroy_monitors_object(struct qxl_device *qdev); + + /* used by qxl_debugfs only */ + void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev); +@@ -528,6 +537,7 @@ irqreturn_t qxl_irq_handler(DRM_IRQ_ARGS); + + /* qxl_fb.c */ + int qxl_fb_init(struct qxl_device *qdev); ++bool qxl_fbdev_qobj_is_fb(struct qxl_device *qdev, struct qxl_bo *qobj); + + int qxl_debugfs_add_files(struct qxl_device *qdev, + struct drm_info_list *files, +diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c +index 11ef7cb..2c3970a 100644 +--- a/drivers/gpu/drm/qxl/qxl_fb.c ++++ b/drivers/gpu/drm/qxl/qxl_fb.c +@@ -564,4 +564,14 @@ void qxl_fbdev_fini(struct qxl_device *qdev) + qdev->mode_info.qfbdev = NULL; + } + ++void qxl_fbdev_set_suspend(struct qxl_device *qdev, int state) ++{ ++ fb_set_suspend(qdev->mode_info.qfbdev->helper.fbdev, state); ++} + ++bool qxl_fbdev_qobj_is_fb(struct qxl_device *qdev, struct qxl_bo *qobj) ++{ ++ if (qobj == gem_to_qxl_bo(qdev->mode_info.qfbdev->qfb.obj)) ++ return true; ++ return false; ++} +diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c +index e27ce2a..9e8da9e 100644 +--- a/drivers/gpu/drm/qxl/qxl_kms.c ++++ b/drivers/gpu/drm/qxl/qxl_kms.c +@@ -26,6 +26,7 @@ + #include "qxl_drv.h" + #include "qxl_object.h" + ++#include + #include + + int qxl_log_level; +@@ -72,21 +73,28 @@ static bool qxl_check_device(struct qxl_device *qdev) + return true; + } + ++static void setup_hw_slot(struct qxl_device *qdev, int slot_index, ++ struct qxl_memslot *slot) ++{ ++ qdev->ram_header->mem_slot.mem_start = slot->start_phys_addr; ++ qdev->ram_header->mem_slot.mem_end = slot->end_phys_addr; ++ qxl_io_memslot_add(qdev, slot_index); ++} ++ + static uint8_t setup_slot(struct qxl_device *qdev, uint8_t slot_index_offset, + unsigned long start_phys_addr, unsigned long end_phys_addr) + { + uint64_t high_bits; + struct qxl_memslot *slot; + uint8_t slot_index; +- struct qxl_ram_header *ram_header = qdev->ram_header; + + slot_index = qdev->rom->slots_start + slot_index_offset; + slot = &qdev->mem_slots[slot_index]; + slot->start_phys_addr = start_phys_addr; + slot->end_phys_addr = end_phys_addr; +- ram_header->mem_slot.mem_start = slot->start_phys_addr; +- ram_header->mem_slot.mem_end = slot->end_phys_addr; +- qxl_io_memslot_add(qdev, slot_index); ++ ++ setup_hw_slot(qdev, slot_index, slot); ++ + slot->generation = qdev->rom->slot_generation; + high_bits = slot_index << qdev->slot_gen_bits; + high_bits |= slot->generation; +@@ -95,6 +103,12 @@ static uint8_t setup_slot(struct qxl_device *qdev, uint8_t slot_index_offset, + return slot_index; + } + ++void qxl_reinit_memslots(struct qxl_device *qdev) ++{ ++ setup_hw_slot(qdev, qdev->main_mem_slot, &qdev->mem_slots[qdev->main_mem_slot]); ++ setup_hw_slot(qdev, qdev->surfaces_mem_slot, &qdev->mem_slots[qdev->surfaces_mem_slot]); ++} ++ + static void qxl_gc_work(struct work_struct *work) + { + struct qxl_device *qdev = container_of(work, struct qxl_device, gc_work); +@@ -294,6 +308,8 @@ int qxl_driver_load(struct drm_device *dev, unsigned long flags) + goto out; + } + ++ drm_kms_helper_poll_init(qdev->ddev); ++ + return 0; + out: + kfree(qdev); +diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c +index d9b12e7..1191fe7 100644 +--- a/drivers/gpu/drm/qxl/qxl_object.c ++++ b/drivers/gpu/drm/qxl/qxl_object.c +@@ -363,3 +363,13 @@ int qxl_bo_list_add(struct qxl_reloc_list *reloc_list, struct qxl_bo *bo) + return ret; + return 0; + } ++ ++int qxl_surf_evict(struct qxl_device *qdev) ++{ ++ return ttm_bo_evict_mm(&qdev->mman.bdev, TTM_PL_PRIV0); ++} ++ ++int qxl_vram_evict(struct qxl_device *qdev) ++{ ++ return ttm_bo_evict_mm(&qdev->mman.bdev, TTM_PL_VRAM); ++} +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 5cf8a72ac..a8689e178 100644 --- a/kernel.spec +++ b/kernel.spec @@ -674,6 +674,7 @@ Patch1702: drm-qxl-driver.patch Patch1703: drm-qxl-3.10-rc7-diff.patch Patch1704: drm-qxl-access-fix.patch Patch1705: drm-qxl-post-3.10-feature-fixes.patch +Patch1706: drm-qxl-post-3.10-features-part-2.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -1448,6 +1449,7 @@ ApplyPatch drm-qxl-driver.patch ApplyPatch drm-qxl-3.10-rc7-diff.patch ApplyPatch drm-qxl-access-fix.patch ApplyPatch drm-qxl-post-3.10-feature-fixes.patch +ApplyPatch drm-qxl-post-3.10-features-part-2.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -2385,6 +2387,9 @@ fi # and build. %changelog +* Thu Jul 04 2013 Dave Airlie +- qxl: add suspend/resume and hibernate support + * Wed Jul 03 2013 Josh Boyer 3.9.9-301 - CVE-2013-1059 libceph: Fix NULL pointer dereference in auth client code (rhbz 977356 980341) - CVE-2013-2234 net: information leak in AF_KEY notify (rhbz 980995 981007) From 6234ebaedfb6b21d4ca25e882d9b6518da02c697 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Jul 2013 08:01:24 -0400 Subject: [PATCH 151/468] CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564) --- ...k_dst_check-must-not-assume-ipv6-dst.patch | 52 +++++++++++++++++++ kernel.spec | 9 ++++ 2 files changed, 61 insertions(+) create mode 100644 ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch diff --git a/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch b/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch new file mode 100644 index 000000000..8f6c41d28 --- /dev/null +++ b/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch @@ -0,0 +1,52 @@ +From a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Wed, 26 Jun 2013 04:15:07 -0700 +Subject: [PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst + +It's possible to use AF_INET6 sockets and to connect to an IPv4 +destination. After this, socket dst cache is a pointer to a rtable, +not rt6_info. + +ip6_sk_dst_check() should check the socket dst cache is IPv6, or else +various corruptions/crashes can happen. + +Dave Jones can reproduce immediate crash with +trinity -q -l off -n -c sendmsg -c connect + +With help from Hannes Frederic Sowa + +Reported-by: Dave Jones +Reported-by: Hannes Frederic Sowa +Signed-off-by: Eric Dumazet +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_output.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 95703ba..d5d20cd 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -821,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, + const struct flowi6 *fl6) + { + struct ipv6_pinfo *np = inet6_sk(sk); +- struct rt6_info *rt = (struct rt6_info *)dst; ++ struct rt6_info *rt; + + if (!dst) + goto out; + ++ if (dst->ops->family != AF_INET6) { ++ dst_release(dst); ++ return NULL; ++ } ++ ++ rt = (struct rt6_info *)dst; + /* Yes, checking route validity in not connected + * case is not very simple. Take into account, + * that we do not support routing by source, TOS, +-- +1.8.2.1 + diff --git a/kernel.spec b/kernel.spec index a8689e178..d70d61f94 100644 --- a/kernel.spec +++ b/kernel.spec @@ -811,6 +811,9 @@ Patch25058: af_key-fix-info-leaks-in-notify-messages.patch #CVE-2013-1059 rhbz 977356 980341 Patch25059: ceph-fix.patch +#CVE-2013-2232 rhbz 981552 981564 +Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch + # END OF PATCH DEFINITIONS %endif @@ -1571,6 +1574,9 @@ ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch #CVE-2013-1059 rhbz 977356 980341 ApplyPatch ceph-fix.patch +#CVE-2013-2232 rhbz 981552 981564 +ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch + # END OF PATCH APPLICATIONS %endif @@ -2387,6 +2393,9 @@ fi # and build. %changelog +* Fri Jul 05 2013 Josh Boyer +- CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564) + * Thu Jul 04 2013 Dave Airlie - qxl: add suspend/resume and hibernate support From a993279a9bb538ae524fca69ec23c5c1b428f47e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Jul 2013 08:57:12 -0400 Subject: [PATCH 152/468] Add fix for timer issue in bridge code (rhbz 980254) --- bridge-timer-fix.patch | 13 +++++++++++++ kernel.spec | 6 +++++- 2 files changed, 18 insertions(+), 1 deletion(-) create mode 100644 bridge-timer-fix.patch diff --git a/bridge-timer-fix.patch b/bridge-timer-fix.patch new file mode 100644 index 000000000..888a6f009 --- /dev/null +++ b/bridge-timer-fix.patch @@ -0,0 +1,13 @@ +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index d6448e3..aadb596 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -269,7 +269,7 @@ static void br_multicast_del_pg(struct net_bridge *br, + del_timer(&p->timer); + call_rcu_bh(&p->rcu, br_multicast_free_pg); + +- if (!mp->ports && !mp->mglist && ++ if (!mp->ports && !mp->mglist && mp->timer_armed && + netif_running(br->dev)) + mod_timer(&mp->timer, jiffies); + diff --git a/kernel.spec b/kernel.spec index d70d61f94..ada7ee68d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 302 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -797,6 +797,8 @@ Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch #rhbz 880035 Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch +#rhbz 980254 +Patch25061: bridge-timer-fix.patch #rhbz 977558 Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch @@ -1560,6 +1562,7 @@ ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch #rhbz 880035 ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch +ApplyPatch bridge-timer-fix.patch #rhbz 977558 ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch @@ -2394,6 +2397,7 @@ fi %changelog * Fri Jul 05 2013 Josh Boyer +- Add fix for timer issue in bridge code (rhbz 980254) - CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564) * Thu Jul 04 2013 Dave Airlie From da4ebd83da1869778909f394f6ebd50850ef5fec Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Jul 2013 09:01:24 -0400 Subject: [PATCH 153/468] Add vhost-net use-after-free fix (rhbz 976789 980643) --- kernel.spec | 7 ++ ...ix-use-after-free-in-vhost_net_flush.patch | 76 +++++++++++++++++++ 2 files changed, 83 insertions(+) create mode 100644 vhost-net-fix-use-after-free-in-vhost_net_flush.patch diff --git a/kernel.spec b/kernel.spec index ada7ee68d..79d2e9cf9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -816,6 +816,9 @@ Patch25059: ceph-fix.patch #CVE-2013-2232 rhbz 981552 981564 Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch +#rhbz 976789 980643 +Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch + # END OF PATCH DEFINITIONS %endif @@ -1580,6 +1583,9 @@ ApplyPatch ceph-fix.patch #CVE-2013-2232 rhbz 981552 981564 ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch +#rhbz 976789 980643 +ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch + # END OF PATCH APPLICATIONS %endif @@ -2397,6 +2403,7 @@ fi %changelog * Fri Jul 05 2013 Josh Boyer +- Add vhost-net use-after-free fix (rhbz 976789 980643) - Add fix for timer issue in bridge code (rhbz 980254) - CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564) diff --git a/vhost-net-fix-use-after-free-in-vhost_net_flush.patch b/vhost-net-fix-use-after-free-in-vhost_net_flush.patch new file mode 100644 index 000000000..f9a6a7b9f --- /dev/null +++ b/vhost-net-fix-use-after-free-in-vhost_net_flush.patch @@ -0,0 +1,76 @@ +From 0c9d7f6ea817d5328a09a78e901b16e1836ca4d7 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 25 Jun 2013 17:29:46 +0300 +Subject: [PATCH] vhost-net: fix use-after-free in vhost_net_flush + +vhost_net_ubuf_put_and_wait has a confusing name: +it will actually also free it's argument. +Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" +vhost_net_flush tries to use the argument after passing it +to vhost_net_ubuf_put_and_wait, this results +in use after free. +To fix, don't free the argument in vhost_net_ubuf_put_and_wait, +add an new API for callers that want to free ubufs. + +Acked-by: Asias He +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +--- + drivers/vhost/net.c | 4 ++-- + drivers/vhost/vhost.c | 5 +++++ + drivers/vhost/vhost.h | 1 + + 3 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index dfff647..d8d4f57 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -857,7 +857,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + mutex_unlock(&vq->mutex); + + if (oldubufs) { +- vhost_ubuf_put_and_wait(oldubufs); ++ vhost_ubuf_put_wait_and_free(oldubufs); + mutex_lock(&vq->mutex); + vhost_zerocopy_signal_used(n, vq); + mutex_unlock(&vq->mutex); +@@ -875,7 +875,7 @@ err_used: + rcu_assign_pointer(vq->private_data, oldsock); + vhost_net_enable_vq(n, vq); + if (ubufs) +- vhost_ubuf_put_and_wait(ubufs); ++ vhost_ubuf_put_wait_and_free(ubufs); + err_ubufs: + fput(sock->file); + err_vq: +diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c +index 9759249..ff53c9e 100644 +--- a/drivers/vhost/vhost.c ++++ b/drivers/vhost/vhost.c +@@ -1581,5 +1581,10 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs) + { + kref_put(&ubufs->kref, vhost_zerocopy_done_signal); + wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); ++} ++ ++void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *ubufs) ++{ ++ vhost_ubuf_put_and_wait(ubufs); + kfree(ubufs); + } +diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h +index 17261e2..dd63b35 100644 +--- a/drivers/vhost/vhost.h ++++ b/drivers/vhost/vhost.h +@@ -63,6 +63,7 @@ struct vhost_ubuf_ref { + struct vhost_ubuf_ref *vhost_ubuf_alloc(struct vhost_virtqueue *, bool zcopy); + void vhost_ubuf_put(struct vhost_ubuf_ref *); + void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *); ++void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *); + + struct ubuf_info; + +-- +1.8.2.1 + From 36552a2628fd96579cc3313c3211274d381603cd Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Jul 2013 09:17:32 -0400 Subject: [PATCH 154/468] Add report fixup for Genius Gila mouse from Benjamin Tissoires (rhbz 959721) --- ...t-fixup-for-Genius-Gila-Gaming-mouse.patch | 98 +++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 105 insertions(+) create mode 100644 HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch diff --git a/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch b/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch new file mode 100644 index 000000000..6913eb520 --- /dev/null +++ b/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch @@ -0,0 +1,98 @@ +From 3685c18e17f12438d0a83331c1b6a5b00fade7a1 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Tue, 02 Jul 2013 16:10:09 +0000 +Subject: HID: kye: Add report fixup for Genius Gila Gaming mouse + +Genius Gila Gaming Mouse presents an obviously wrong report descriptor. +the Consumer control (report ID 3) is the following: +0x05, 0x0c, // Usage Page (Consumer Devices) 105 +0x09, 0x01, // Usage (Consumer Control) 107 +0xa1, 0x01, // Collection (Application) 109 +0x85, 0x03, // Report ID (3) 111 +0x19, 0x00, // Usage Minimum (0) 113 +0x2a, 0xff, 0x7f, // Usage Maximum (32767) 115 +0x15, 0x00, // Logical Minimum (0) 118 +0x26, 0xff, 0x7f, // Logical Maximum (32767) 120 +0x75, 0x10, // Report Size (16) 123 +0x95, 0x03, // Report Count (3) 125 +0x81, 0x00, // Input (Data,Arr,Abs) 127 +0x75, 0x08, // Report Size (8) 129 +0x95, 0x01, // Report Count (1) 131 +0x81, 0x01, // Input (Cnst,Arr,Abs) 133 +0xc0, // End Collection 135 + +So the first input whithin this report has a count of 3 but a usage range +of 32768. So this value is obviously wrong as it should not be greater than +the report count. + +Fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=959721 + +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +--- +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 8f616bd..27aa7c7 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1589,6 +1589,7 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index 3da75dd..b2b692e 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -474,6 +474,7 @@ + + #define USB_VENDOR_ID_KYE 0x0458 + #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 ++#define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 + #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 + #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 + #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index 6af90db..1e2ee2aa 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -314,6 +314,25 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + *rsize = sizeof(easypen_m610x_rdesc_fixed); + } + break; ++ case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: ++ /* ++ * the fixup that need to be done: ++ * - change Usage Maximum in the Comsumer Control ++ * (report ID 3) to a reasonable value ++ */ ++ if (*rsize >= 135 && ++ /* Usage Page (Consumer Devices) */ ++ rdesc[104] == 0x05 && rdesc[105] == 0x0c && ++ /* Usage (Consumer Control) */ ++ rdesc[106] == 0x09 && rdesc[107] == 0x01 && ++ /* Usage Maximum > 12287 */ ++ rdesc[114] == 0x2a && rdesc[116] > 0x2f) { ++ hid_info(hdev, ++ "fixing up Genius Gila Gaming Mouse " ++ "report descriptor\n"); ++ rdesc[116] = 0x2f; ++ } ++ break; + } + return rdesc; + } +@@ -407,6 +426,8 @@ static const struct hid_device_id kye_devices[] = { + USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, + USB_DEVICE_ID_KYE_EASYPEN_M610X) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, ++ USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, + { } + }; + MODULE_DEVICE_TABLE(hid, kye_devices); +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 79d2e9cf9..14660bf75 100644 --- a/kernel.spec +++ b/kernel.spec @@ -819,6 +819,9 @@ Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch #rhbz 976789 980643 Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch +#rhbz 959721 +Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch + # END OF PATCH DEFINITIONS %endif @@ -1586,6 +1589,9 @@ ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch #rhbz 976789 980643 ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch +#rhbz 959721 +ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch + # END OF PATCH APPLICATIONS %endif @@ -2403,6 +2409,7 @@ fi %changelog * Fri Jul 05 2013 Josh Boyer +- Add report fixup for Genius Gila mouse from Benjamin Tissoires (rhbz 959721) - Add vhost-net use-after-free fix (rhbz 976789 980643) - Add fix for timer issue in bridge code (rhbz 980254) - CVE-2013-2232 ipv6: using ipv4 vs ipv6 structure during routing lookup in sendmsg (rhbz 981552 981564) From 2dea7184f10948f8ecc7dc0fe1c3c2faab0b2d4a Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Thu, 11 Jul 2013 11:24:52 -0400 Subject: [PATCH 155/468] Enable USB on i.MX based boards, patch from Niels de Vos --- config-armv7-generic | 4 ++++ kernel.spec | 3 +++ 2 files changed, 7 insertions(+) diff --git a/config-armv7-generic b/config-armv7-generic index d1e984fce..ab94a4bb6 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -183,6 +183,10 @@ CONFIG_SMC91X=m CONFIG_SMC911X=m CONFIG_SMSC911X=m CONFIG_USB_ISP1760_HCD=m +CONFIG_USB_CHIPIDEA=m +CONFIG_USB_CHIPIDEA_UDC=y +CONFIG_USB_CHIPIDEA_HOST=y +# CONFIG_USB_CHIPIDEA_DEBUG is not set # Multifunction Devices CONFIG_MFD_SYSCON=y diff --git a/kernel.spec b/kernel.spec index 14660bf75..7e8b6526e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2408,6 +2408,9 @@ fi # and build. %changelog +* Thu Jul 11 2013 Kyle McMartin +- Enable USB on i.MX based boards, patch from Niels de Vos. + * Fri Jul 05 2013 Josh Boyer - Add report fixup for Genius Gila mouse from Benjamin Tissoires (rhbz 959721) - Add vhost-net use-after-free fix (rhbz 976789 980643) From 508b763fba35aed266c66ac8bf1c57acc2d494ab Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 12 Jul 2013 07:47:24 -0400 Subject: [PATCH 156/468] Add iwlwifi fix for connection issue (rhbz 885407) --- ...nd-BT_CONFIG-on-devices-wo-Bluetooth.patch | 32 +++++++++++++++++++ kernel.spec | 11 ++++++- 2 files changed, 42 insertions(+), 1 deletion(-) create mode 100644 iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch diff --git a/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch b/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch new file mode 100644 index 000000000..fa4320763 --- /dev/null +++ b/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch @@ -0,0 +1,32 @@ +From 7b29fdb8cd8f92e31f550611a8c031986dba2e8f Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 03 May 2013 16:58:16 +0000 +Subject: iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth + +The BT_CONFIG command that is sent to the device during +startup will enable BT coex unless the module parameter +turns it off, but on devices without Bluetooth this may +cause problems, as reported in Redhat BZ 885407. + +Fix this by sending the BT_CONFIG command only when the +device has Bluetooth. + +Cc: stable@vger.kernel.org +Reviewed-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +--- +diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c +index 3952ddf..1531a4f 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/main.c ++++ b/drivers/net/wireless/iwlwifi/dvm/main.c +@@ -758,7 +758,7 @@ int iwl_alive_start(struct iwl_priv *priv) + BT_COEX_PRIO_TBL_EVT_INIT_CALIB2); + if (ret) + return ret; +- } else { ++ } else if (priv->lib->bt_params) { + /* + * default is 2-wire BT coexexistence support + */ +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 7e8b6526e..181c6b722 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 302 +%global baserelease 303 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -822,6 +822,9 @@ Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch +#rhbz 885407 +Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch + # END OF PATCH DEFINITIONS %endif @@ -1592,6 +1595,9 @@ ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch +#rhbz 885407 +ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch + # END OF PATCH APPLICATIONS %endif @@ -2408,6 +2414,9 @@ fi # and build. %changelog +* Fri Jul 12 2013 Josh Boyer +- Add iwlwifi fix for connection issue (rhbz 885407) + * Thu Jul 11 2013 Kyle McMartin - Enable USB on i.MX based boards, patch from Niels de Vos. From 98622c1d5d035b6ae9ef55fe2a7f161fcab22d58 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 12 Jul 2013 09:34:36 -0400 Subject: [PATCH 157/468] Fix various overflow issues in ext4 (rhbz 976837) --- fix-ext4-overflows.patch | 207 +++++++++++++++++++++++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 214 insertions(+) create mode 100644 fix-ext4-overflows.patch diff --git a/fix-ext4-overflows.patch b/fix-ext4-overflows.patch new file mode 100644 index 000000000..f2a08ebc8 --- /dev/null +++ b/fix-ext4-overflows.patch @@ -0,0 +1,207 @@ +From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 31 May 2013 19:33:42 -0400 +Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in + ext4_inline_data_fiemap() + +On 32-bit archs when sector_t is defined as 32-bit the logic computing +data offset in ext4_inline_data_fiemap(). Fix that by properly typing +the shifted value. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +--- + fs/ext4/inline.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c +index c0fd1a1..c46a01e 100644 +--- a/fs/ext4/inline.c ++++ b/fs/ext4/inline.c +@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode, + if (error) + goto out; + +- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; ++ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; + physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data; + physical += offsetof(struct ext4_inode, i_block); + length = i_size_read(inode); +-- +1.8.3.1 + + +From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 31 May 2013 19:37:56 -0400 +Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA + implementations + +ext4_lblk_t is just u32 so multiplying it by blocksize can easily +overflow for files larger than 4 GB. Fix that by properly typing the +block offsets before shifting. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +Reviewed-by: Zheng Liu +--- + fs/ext4/file.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/fs/ext4/file.c b/fs/ext4/file.c +index 64848b5..b47ccf9 100644 +--- a/fs/ext4/file.c ++++ b/fs/ext4/file.c +@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, + blkbits = inode->i_sb->s_blocksize_bits; + startoff = *offset; + lastoff = startoff; +- endoff = (map->m_lblk + map->m_len) << blkbits; ++ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits; + + index = startoff >> PAGE_CACHE_SHIFT; + end = endoff >> PAGE_CACHE_SHIFT; +@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + ret = ext4_map_blocks(NULL, inode, &map, 0); + if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { + if (last != start) +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + break; + } + +@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + ext4_es_find_delayed_extent(inode, last, &es); + if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { + if (last != start) +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + break; + } + +@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) + } + + last++; +- dataoff = last << blkbits; ++ dataoff = (loff_t)last << blkbits; + } while (last <= end); + + mutex_unlock(&inode->i_mutex); +@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + ret = ext4_map_blocks(NULL, inode, &map, 0); + if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { + last += ret; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + +@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + ext4_es_find_delayed_extent(inode, last, &es); + if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { + last = es.es_lblk + es.es_len; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + +@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) + &map, &holeoff); + if (!unwritten) { + last += ret; +- holeoff = last << blkbits; ++ holeoff = (loff_t)last << blkbits; + continue; + } + } +-- +1.8.3.1 + + +From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 31 May 2013 19:38:56 -0400 +Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on + 32-bit archs + +On 32-bit architectures with 32-bit sector_t computation of data offset +in ext4_xattr_fiemap() can overflow resulting in reporting bogus data +location. Fix the problem by typing block number to proper type before +shifting. + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +--- + fs/ext4/extents.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c +index 9c6d06d..6bb303c 100644 +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode, + error = ext4_get_inode_loc(inode, &iloc); + if (error) + return error; +- physical = iloc.bh->b_blocknr << blockbits; ++ physical = (__u64)iloc.bh->b_blocknr << blockbits; + offset = EXT4_GOOD_OLD_INODE_SIZE + + EXT4_I(inode)->i_extra_isize; + physical += offset; +@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode, + flags |= FIEMAP_EXTENT_DATA_INLINE; + brelse(iloc.bh); + } else { /* external block */ +- physical = EXT4_I(inode)->i_file_acl << blockbits; ++ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits; + length = inode->i_sb->s_blocksize; + } + +-- +1.8.3.1 + + +From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Fri, 31 May 2013 19:39:56 -0400 +Subject: [PATCH 4/4] ext4: fix overflow when counting used blocks on 32-bit + architectures + +The arithmetics adding delalloc blocks to the number of used blocks in +ext4_getattr() can easily overflow on 32-bit archs as we first multiply +number of blocks by blocksize and then divide back by 512. Make the +arithmetics more clever and also use proper type (unsigned long long +instead of unsigned long). + +Signed-off-by: Jan Kara +Signed-off-by: Theodore Ts'o +--- + fs/ext4/inode.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c +index d69e954..e33e2d2 100644 +--- a/fs/ext4/inode.c ++++ b/fs/ext4/inode.c +@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, + struct kstat *stat) + { + struct inode *inode; +- unsigned long delalloc_blocks; ++ unsigned long long delalloc_blocks; + + inode = dentry->d_inode; + generic_fillattr(inode, stat); +@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, + delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb), + EXT4_I(inode)->i_reserved_data_blocks); + +- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9; ++ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9); + return 0; + } + +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 181c6b722..f584b3986 100644 --- a/kernel.spec +++ b/kernel.spec @@ -825,6 +825,9 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch +#rhbz 976837 +Patch25065: fix-ext4-overflows.patch + # END OF PATCH DEFINITIONS %endif @@ -1598,6 +1601,9 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch +#rhbz 976837 +ApplyPatch fix-ext4-overflows.patch + # END OF PATCH APPLICATIONS %endif @@ -2415,6 +2421,7 @@ fi %changelog * Fri Jul 12 2013 Josh Boyer +- Fix various overflow issues in ext4 (rhbz 976837) - Add iwlwifi fix for connection issue (rhbz 885407) * Thu Jul 11 2013 Kyle McMartin From 678d8f1cee453af2fcf89a37ba6bbea0b8c36936 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Fri, 12 Jul 2013 12:04:09 -0400 Subject: [PATCH 158/468] Disable LATENCYTOP/SCHEDSTATS in non-debug builds. --- Makefile.release | 4 ++++ config-debug | 2 ++ config-generic | 2 -- config-nodebug | 2 ++ kernel.spec | 5 ++++- 5 files changed, 12 insertions(+), 3 deletions(-) diff --git a/Makefile.release b/Makefile.release index ee811bac2..796338591 100644 --- a/Makefile.release +++ b/Makefile.release @@ -79,3 +79,7 @@ config-release: @# Disable UAS for release until it's ready. (#717633, #744099) @perl -pi -e 's/CONFIG_USB_UAS=m/# CONFIG_USB_UAS is not set/' config-generic + + @perl -pi -e 's/CONFIG_SCHEDSTATS=y/# CONFIG_SCHEDSTATS is not set/' config-nodebug + @perl -pi -e 's/CONFIG_LATENCYTOP=y/# CONFIG_LATENCYTOP is not set/' config-nodebug + diff --git a/config-debug b/config-debug index 43655a1a1..ad06116c7 100644 --- a/config-debug +++ b/config-debug @@ -115,3 +115,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y CONFIG_MAC80211_MESSAGE_TRACING=y CONFIG_EDAC_DEBUG=y +CONFIG_LATENCYTOP=y +CONFIG_SCHEDSTATS=y diff --git a/config-generic b/config-generic index 4ee4aff2c..f00a437b2 100644 --- a/config-generic +++ b/config-generic @@ -3958,7 +3958,6 @@ CONFIG_HWPOISON_INJECT=m CONFIG_CROSS_MEMORY_ATTACH=y # CONFIG_DEBUG_SECTION_MISMATCH is not set # CONFIG_BACKTRACE_SELF_TEST is not set -CONFIG_LATENCYTOP=y CONFIG_RESOURCE_COUNTERS=y # CONFIG_COMPAT_BRK is not set # CONFIG_DEBUG_VIRTUAL is not set @@ -4126,7 +4125,6 @@ CONFIG_BACKLIGHT_LP855X=m CONFIG_LCD_CLASS_DEVICE=m CONFIG_LCD_PLATFORM=m -CONFIG_SCHEDSTATS=y CONFIG_SCHED_DEBUG=y CONFIG_FAIR_GROUP_SCHED=y CONFIG_CFS_BANDWIDTH=y diff --git a/config-nodebug b/config-nodebug index aa7568c82..6db2dde22 100644 --- a/config-nodebug +++ b/config-nodebug @@ -117,3 +117,5 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_EDAC_DEBUG is not set # CONFIG_SPI_DEBUG is not set +# CONFIG_LATENCYTOP is not set +# CONFIG_SCHEDSTATS is not set diff --git a/kernel.spec b/kernel.spec index f584b3986..397bbbd41 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 303 +%global baserelease 304 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2420,6 +2420,9 @@ fi # and build. %changelog +* Fri Jul 12 2013 Dave Jones - 3.9.9-304 +- Disable LATENCYTOP/SCHEDSTATS in non-debug builds. + * Fri Jul 12 2013 Josh Boyer - Fix various overflow issues in ext4 (rhbz 976837) - Add iwlwifi fix for connection issue (rhbz 885407) From 632c2778022780a7bf06b39e8dc7c4b9e80a7843 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 13 Jul 2013 21:19:41 -0400 Subject: [PATCH 159/468] Fix wrong structure in iwlwifi dvm patch --- iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch b/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch index fa4320763..aa2ca7035 100644 --- a/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch +++ b/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch @@ -24,7 +24,7 @@ index 3952ddf..1531a4f 100644 if (ret) return ret; - } else { -+ } else if (priv->lib->bt_params) { ++ } else if (priv->cfg->bt_params) { /* * default is 2-wire BT coexexistence support */ From d4ff6bd6758f8aaf1dcdd10df0af5ada26f5adeb Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 17 Jul 2013 15:23:01 -0400 Subject: [PATCH 160/468] 3.10.1 rebase --- ...-handle-host-TSC-calibration-failure.patch | 58 - ...ey-fix-info-leaks-in-notify-messages.patch | 37 - arm-omap-ehci-fix.patch | 190 - arm-omap-fixdrm.patch | 19 - ...ot-pass-disk-names-as-format-strings.patch | 64 - cdrom-use-kzalloc-for-failing-hardware.patch | 45 - config-debug | 4 + config-generic | 57 + config-nodebug | 4 + config-powerpc-generic | 2 + config-powerpc64 | 3 + config-powerpc64p7 | 3 + config-x86-generic | 11 + config-x86_64-generic | 5 + debug-bad-pte-dmi.patch | 66 - debug-bad-pte-modules.patch | 20 - drm-i915-dp-stfu.patch | 22 +- drm-qxl-3.10-rc7-diff.patch | 593 -- drm-qxl-access-fix.patch | 30 - drm-qxl-driver.patch | 7507 ----------------- drm-ttm-exports-for-qxl.patch | 86 - forcedeth-dma-error-check.patch | 134 - ...k_dst_check-must-not-assume-ipv6-dst.patch | 52 - kernel.spec | 119 +- sources | 4 +- tulip-dma-debug-error.patch | 32 - vfio-Set-container-device-mode.patch | 41 - vfio-fix-crash-on-rmmod.patch | 32 - 28 files changed, 143 insertions(+), 9097 deletions(-) delete mode 100644 VMX-x86-handle-host-TSC-calibration-failure.patch delete mode 100644 af_key-fix-info-leaks-in-notify-messages.patch delete mode 100644 arm-omap-ehci-fix.patch delete mode 100644 arm-omap-fixdrm.patch delete mode 100644 block-do-not-pass-disk-names-as-format-strings.patch delete mode 100644 cdrom-use-kzalloc-for-failing-hardware.patch delete mode 100644 debug-bad-pte-dmi.patch delete mode 100644 debug-bad-pte-modules.patch delete mode 100644 drm-qxl-3.10-rc7-diff.patch delete mode 100644 drm-qxl-access-fix.patch delete mode 100644 drm-qxl-driver.patch delete mode 100644 drm-ttm-exports-for-qxl.patch delete mode 100644 forcedeth-dma-error-check.patch delete mode 100644 ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch delete mode 100644 tulip-dma-debug-error.patch delete mode 100644 vfio-Set-container-device-mode.patch delete mode 100644 vfio-fix-crash-on-rmmod.patch diff --git a/VMX-x86-handle-host-TSC-calibration-failure.patch b/VMX-x86-handle-host-TSC-calibration-failure.patch deleted file mode 100644 index 6b6ddd2d2..000000000 --- a/VMX-x86-handle-host-TSC-calibration-failure.patch +++ /dev/null @@ -1,58 +0,0 @@ -@@ -, +, @@ - VMX: x86: handle host TSC calibration failure - - If the host TSC calibration fails, tsc_khz is zero (see tsc_init.c). - Handle such case properly in KVM (instead of dividing by zero). - - https://bugzilla.redhat.com/show_bug.cgi?id=859282 - - Signed-off-by: Marcelo Tosatti - Signed-off-by: Gleb Natapov ---- a/arch/x86/kvm/x86.c -+++ a/arch/x86/kvm/x86.c -@@ -1079,6 +1079,10 @@ static void kvm_set_tsc_khz(struct kvm_vcpu *vcpu, u32 this_tsc_khz) - u32 thresh_lo, thresh_hi; - int use_scaling = 0; - -+ /* tsc_khz can be zero if TSC calibration fails */ -+ if (this_tsc_khz == 0) -+ return; -+ - /* Compute a scale to convert nanoseconds in TSC cycles */ - kvm_get_time_scale(this_tsc_khz, NSEC_PER_SEC / 1000, - &vcpu->arch.virtual_tsc_shift, -@@ -1156,20 +1160,23 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr) - ns = get_kernel_ns(); - elapsed = ns - kvm->arch.last_tsc_nsec; - -- /* n.b - signed multiplication and division required */ -- usdiff = data - kvm->arch.last_tsc_write; -+ if (vcpu->arch.virtual_tsc_khz) { -+ /* n.b - signed multiplication and division required */ -+ usdiff = data - kvm->arch.last_tsc_write; - #ifdef CONFIG_X86_64 -- usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; -+ usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; - #else -- /* do_div() only does unsigned */ -- asm("idivl %2; xor %%edx, %%edx" -- : "=A"(usdiff) -- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); -+ /* do_div() only does unsigned */ -+ asm("idivl %2; xor %%edx, %%edx" -+ : "=A"(usdiff) -+ : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); - #endif -- do_div(elapsed, 1000); -- usdiff -= elapsed; -- if (usdiff < 0) -- usdiff = -usdiff; -+ do_div(elapsed, 1000); -+ usdiff -= elapsed; -+ if (usdiff < 0) -+ usdiff = -usdiff; -+ } else -+ usdiff = USEC_PER_SEC; /* disable TSC match window below */ - - /* - * Special case: TSC write with a small delta (1 second) of virtual diff --git a/af_key-fix-info-leaks-in-notify-messages.patch b/af_key-fix-info-leaks-in-notify-messages.patch deleted file mode 100644 index 9d20aec0f..000000000 --- a/af_key-fix-info-leaks-in-notify-messages.patch +++ /dev/null @@ -1,37 +0,0 @@ -From a5cc68f3d63306d0d288f31edfc2ae6ef8ecd887 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Wed, 26 Jun 2013 21:52:30 +0000 -Subject: af_key: fix info leaks in notify messages - -key_notify_sa_flush() and key_notify_policy_flush() miss to initialize -the sadb_msg_reserved member of the broadcasted message and thereby -leak 2 bytes of heap memory to listeners. Fix that. - -Signed-off-by: Mathias Krause -Cc: Steffen Klassert -Cc: "David S. Miller" -Cc: Herbert Xu -Signed-off-by: David S. Miller ---- -diff --git a/net/key/af_key.c b/net/key/af_key.c -index c5fbd75..9da8620 100644 ---- a/net/key/af_key.c -+++ b/net/key/af_key.c -@@ -1710,6 +1710,7 @@ static int key_notify_sa_flush(const struct km_event *c) - hdr->sadb_msg_version = PF_KEY_V2; - hdr->sadb_msg_errno = (uint8_t) 0; - hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); -+ hdr->sadb_msg_reserved = 0; - - pfkey_broadcast(skb, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); - -@@ -2699,6 +2700,7 @@ static int key_notify_policy_flush(const struct km_event *c) - hdr->sadb_msg_errno = (uint8_t) 0; - hdr->sadb_msg_satype = SADB_SATYPE_UNSPEC; - hdr->sadb_msg_len = (sizeof(struct sadb_msg) / sizeof(uint64_t)); -+ hdr->sadb_msg_reserved = 0; - pfkey_broadcast(skb_out, GFP_ATOMIC, BROADCAST_ALL, NULL, c->net); - return 0; - --- -cgit v0.9.2 diff --git a/arm-omap-ehci-fix.patch b/arm-omap-ehci-fix.patch deleted file mode 100644 index f6fc0a934..000000000 --- a/arm-omap-ehci-fix.patch +++ /dev/null @@ -1,190 +0,0 @@ -From 54a419668b0f27b7982807fb2376d237e0a0ce05 Mon Sep 17 00:00:00 2001 -From: Alan Stern -Date: Tue, 12 Mar 2013 10:44:39 +0000 -Subject: USB: EHCI: split ehci-omap out to a separate driver - -This patch (as1645) converts ehci-omap over to the new "ehci-hcd is a -library" approach, so that it can coexist peacefully with other EHCI -platform drivers and can make use of the private area allocated at -the end of struct ehci_hcd. - -Signed-off-by: Alan Stern -Signed-off-by: Greg Kroah-Hartman ---- -diff --git a/drivers/usb/host/Kconfig b/drivers/usb/host/Kconfig -index c59a112..62f4e9a 100644 ---- a/drivers/usb/host/Kconfig -+++ b/drivers/usb/host/Kconfig -@@ -155,7 +155,7 @@ config USB_EHCI_MXC - Variation of ARC USB block used in some Freescale chips. - - config USB_EHCI_HCD_OMAP -- bool "EHCI support for OMAP3 and later chips" -+ tristate "EHCI support for OMAP3 and later chips" - depends on USB_EHCI_HCD && ARCH_OMAP - default y - ---help--- -diff --git a/drivers/usb/host/Makefile b/drivers/usb/host/Makefile -index 001fbff..56de410 100644 ---- a/drivers/usb/host/Makefile -+++ b/drivers/usb/host/Makefile -@@ -27,6 +27,7 @@ obj-$(CONFIG_USB_EHCI_HCD) += ehci-hcd.o - obj-$(CONFIG_USB_EHCI_PCI) += ehci-pci.o - obj-$(CONFIG_USB_EHCI_HCD_PLATFORM) += ehci-platform.o - obj-$(CONFIG_USB_EHCI_MXC) += ehci-mxc.o -+obj-$(CONFIG_USB_EHCI_HCD_OMAP) += ehci-omap.o - - obj-$(CONFIG_USB_OXU210HP_HCD) += oxu210hp-hcd.o - obj-$(CONFIG_USB_ISP116X_HCD) += isp116x-hcd.o -diff --git a/drivers/usb/host/ehci-hcd.c b/drivers/usb/host/ehci-hcd.c -index b416a3f..303b022 100644 ---- a/drivers/usb/host/ehci-hcd.c -+++ b/drivers/usb/host/ehci-hcd.c -@@ -1252,11 +1252,6 @@ MODULE_LICENSE ("GPL"); - #define PLATFORM_DRIVER ehci_hcd_sh_driver - #endif - --#ifdef CONFIG_USB_EHCI_HCD_OMAP --#include "ehci-omap.c" --#define PLATFORM_DRIVER ehci_hcd_omap_driver --#endif -- - #ifdef CONFIG_PPC_PS3 - #include "ehci-ps3.c" - #define PS3_SYSTEM_BUS_DRIVER ps3_ehci_driver -@@ -1346,6 +1341,7 @@ MODULE_LICENSE ("GPL"); - !IS_ENABLED(CONFIG_USB_EHCI_HCD_PLATFORM) && \ - !IS_ENABLED(CONFIG_USB_CHIPIDEA_HOST) && \ - !IS_ENABLED(CONFIG_USB_EHCI_MXC) && \ -+ !IS_ENABLED(CONFIG_USB_EHCI_HCD_OMAP) && \ - !defined(PLATFORM_DRIVER) && \ - !defined(PS3_SYSTEM_BUS_DRIVER) && \ - !defined(OF_PLATFORM_DRIVER) && \ -diff --git a/drivers/usb/host/ehci-omap.c b/drivers/usb/host/ehci-omap.c -index 0555ee4..fa66757 100644 ---- a/drivers/usb/host/ehci-omap.c -+++ b/drivers/usb/host/ehci-omap.c -@@ -36,6 +36,9 @@ - * - convert to use hwmod and runtime PM - */ - -+#include -+#include -+#include - #include - #include - #include -@@ -43,6 +46,10 @@ - #include - #include - #include -+#include -+#include -+ -+#include "ehci.h" - - #include - -@@ -57,9 +64,11 @@ - #define EHCI_INSNREG05_ULPI_EXTREGADD_SHIFT 8 - #define EHCI_INSNREG05_ULPI_WRDATA_SHIFT 0 - --/*-------------------------------------------------------------------------*/ -+#define DRIVER_DESC "OMAP-EHCI Host Controller driver" - --static const struct hc_driver ehci_omap_hc_driver; -+static const char hcd_name[] = "ehci-omap"; -+ -+/*-------------------------------------------------------------------------*/ - - - static inline void ehci_write(void __iomem *base, u32 reg, u32 val) -@@ -166,6 +175,12 @@ static void disable_put_regulator( - /* configure so an HC device and id are always provided */ - /* always called with process context; sleeping is OK */ - -+static struct hc_driver __read_mostly ehci_omap_hc_driver; -+ -+static const struct ehci_driver_overrides ehci_omap_overrides __initdata = { -+ .reset = omap_ehci_init, -+}; -+ - /** - * ehci_hcd_omap_probe - initialize TI-based HCDs - * -@@ -315,56 +330,33 @@ static struct platform_driver ehci_hcd_omap_driver = { - /*.suspend = ehci_hcd_omap_suspend, */ - /*.resume = ehci_hcd_omap_resume, */ - .driver = { -- .name = "ehci-omap", -+ .name = hcd_name, - } - }; - - /*-------------------------------------------------------------------------*/ - --static const struct hc_driver ehci_omap_hc_driver = { -- .description = hcd_name, -- .product_desc = "OMAP-EHCI Host Controller", -- .hcd_priv_size = sizeof(struct ehci_hcd), -- -- /* -- * generic hardware linkage -- */ -- .irq = ehci_irq, -- .flags = HCD_MEMORY | HCD_USB2, -- -- /* -- * basic lifecycle operations -- */ -- .reset = omap_ehci_init, -- .start = ehci_run, -- .stop = ehci_stop, -- .shutdown = ehci_shutdown, -- -- /* -- * managing i/o requests and associated device resources -- */ -- .urb_enqueue = ehci_urb_enqueue, -- .urb_dequeue = ehci_urb_dequeue, -- .endpoint_disable = ehci_endpoint_disable, -- .endpoint_reset = ehci_endpoint_reset, -+static int __init ehci_omap_init(void) -+{ -+ if (usb_disabled()) -+ return -ENODEV; - -- /* -- * scheduling support -- */ -- .get_frame_number = ehci_get_frame, -+ pr_info("%s: " DRIVER_DESC "\n", hcd_name); - -- /* -- * root hub support -- */ -- .hub_status_data = ehci_hub_status_data, -- .hub_control = ehci_hub_control, -- .bus_suspend = ehci_bus_suspend, -- .bus_resume = ehci_bus_resume, -+ ehci_init_driver(&ehci_omap_hc_driver, &ehci_omap_overrides); -+ return platform_driver_register(&ehci_hcd_omap_driver); -+} -+module_init(ehci_omap_init); - -- .clear_tt_buffer_complete = ehci_clear_tt_buffer_complete, --}; -+static void __exit ehci_omap_cleanup(void) -+{ -+ platform_driver_unregister(&ehci_hcd_omap_driver); -+} -+module_exit(ehci_omap_cleanup); - - MODULE_ALIAS("platform:ehci-omap"); - MODULE_AUTHOR("Texas Instruments, Inc."); - MODULE_AUTHOR("Felipe Balbi "); - -+MODULE_DESCRIPTION(DRIVER_DESC); -+MODULE_LICENSE("GPL"); --- -cgit v0.9.1 diff --git a/arm-omap-fixdrm.patch b/arm-omap-fixdrm.patch deleted file mode 100644 index e0eec8061..000000000 --- a/arm-omap-fixdrm.patch +++ /dev/null @@ -1,19 +0,0 @@ -diff --git a/drivers/gpu/drm/omapdrm/omap_plane.c b/drivers/gpu/drm/omapdrm/omap_plane.c -index 2882cda..8d225d7 100644 ---- a/drivers/gpu/drm/omapdrm/omap_plane.c -+++ b/drivers/gpu/drm/omapdrm/omap_plane.c -@@ -247,6 +247,12 @@ static int omap_plane_update(struct drm_plane *plane, - { - struct omap_plane *omap_plane = to_omap_plane(plane); - omap_plane->enabled = true; -+ -+ if (plane->fb) -+ drm_framebuffer_unreference(plane->fb); -+ -+ drm_framebuffer_reference(fb); -+ - return omap_plane_mode_set(plane, crtc, fb, - crtc_x, crtc_y, crtc_w, crtc_h, - src_x, src_y, src_w, src_h, - - diff --git a/block-do-not-pass-disk-names-as-format-strings.patch b/block-do-not-pass-disk-names-as-format-strings.patch deleted file mode 100644 index 496111dcd..000000000 --- a/block-do-not-pass-disk-names-as-format-strings.patch +++ /dev/null @@ -1,64 +0,0 @@ -Disk names may contain arbitrary strings, so they must not be interpreted -as format strings. It seems that only md allows arbitrary strings to be -used for disk names, but this could allow for a local memory corruption -from uid 0 into ring 0. - -CVE-2013-2851 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Cc: Jens Axboe ---- - block/genhd.c | 2 +- - drivers/block/nbd.c | 3 ++- - drivers/scsi/osd/osd_uld.c | 2 +- - 3 files changed, 4 insertions(+), 3 deletions(-) - -diff --git a/block/genhd.c b/block/genhd.c -index 20625ee..cdeb527 100644 ---- a/block/genhd.c -+++ b/block/genhd.c -@@ -512,7 +512,7 @@ static void register_disk(struct gendisk *disk) - - ddev->parent = disk->driverfs_dev; - -- dev_set_name(ddev, disk->disk_name); -+ dev_set_name(ddev, "%s", disk->disk_name); - - /* delay uevents, until we scanned partition table */ - dev_set_uevent_suppress(ddev, 1); -diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c -index 037288e..46b35f7 100644 ---- a/drivers/block/nbd.c -+++ b/drivers/block/nbd.c -@@ -714,7 +714,8 @@ static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd, - else - blk_queue_flush(nbd->disk->queue, 0); - -- thread = kthread_create(nbd_thread, nbd, nbd->disk->disk_name); -+ thread = kthread_create(nbd_thread, nbd, "%s", -+ nbd->disk->disk_name); - if (IS_ERR(thread)) { - mutex_lock(&nbd->tx_lock); - return PTR_ERR(thread); -diff --git a/drivers/scsi/osd/osd_uld.c b/drivers/scsi/osd/osd_uld.c -index 0fab6b5..9d86947 100644 ---- a/drivers/scsi/osd/osd_uld.c -+++ b/drivers/scsi/osd/osd_uld.c -@@ -485,7 +485,7 @@ static int osd_probe(struct device *dev) - oud->class_dev.class = &osd_uld_class; - oud->class_dev.parent = dev; - oud->class_dev.release = __remove; -- error = dev_set_name(&oud->class_dev, disk->disk_name); -+ error = dev_set_name(&oud->class_dev, "%s", disk->disk_name); - if (error) { - OSD_ERR("dev_set_name failed => %d\n", error); - goto err_put_cdev; --- -1.7.9.5 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ \ No newline at end of file diff --git a/cdrom-use-kzalloc-for-failing-hardware.patch b/cdrom-use-kzalloc-for-failing-hardware.patch deleted file mode 100644 index 6afb6c4d8..000000000 --- a/cdrom-use-kzalloc-for-failing-hardware.patch +++ /dev/null @@ -1,45 +0,0 @@ -From 050e4b8fb7cdd7096c987a9cd556029c622c7fe2 Mon Sep 17 00:00:00 2001 -From: Jonathan Salwan -Date: Thu, 06 Jun 2013 00:39:39 +0000 -Subject: drivers/cdrom/cdrom.c: use kzalloc() for failing hardware - -In drivers/cdrom/cdrom.c mmc_ioctl_cdrom_read_data() allocates a memory -area with kmalloc in line 2885. - -2885 cgc->buffer = kmalloc(blocksize, GFP_KERNEL); -2886 if (cgc->buffer == NULL) -2887 return -ENOMEM; - -In line 2908 we can find the copy_to_user function: - -2908 if (!ret && copy_to_user(arg, cgc->buffer, blocksize)) - -The cgc->buffer is never cleaned and initialized before this function. If -ret = 0 with the previous basic block, it's possible to display some -memory bytes in kernel space from userspace. - -When we read a block from the disk it normally fills the ->buffer but if -the drive is malfunctioning there is a chance that it would only be -partially filled. The result is an leak information to userspace. - -Signed-off-by: Dan Carpenter -Cc: Jens Axboe -Signed-off-by: Andrew Morton ---- -(limited to 'drivers/cdrom/cdrom.c') - -diff --git a/drivers/cdrom/cdrom.c b/drivers/cdrom/cdrom.c -index d620b44..8a3aff7 100644 ---- a/drivers/cdrom/cdrom.c -+++ b/drivers/cdrom/cdrom.c -@@ -2882,7 +2882,7 @@ static noinline int mmc_ioctl_cdrom_read_data(struct cdrom_device_info *cdi, - if (lba < 0) - return -EINVAL; - -- cgc->buffer = kmalloc(blocksize, GFP_KERNEL); -+ cgc->buffer = kzalloc(blocksize, GFP_KERNEL); - if (cgc->buffer == NULL) - return -ENOMEM; - --- -cgit v0.9.2 diff --git a/config-debug b/config-debug index ad06116c7..e7f7ce147 100644 --- a/config-debug +++ b/config-debug @@ -117,3 +117,7 @@ CONFIG_MAC80211_MESSAGE_TRACING=y CONFIG_EDAC_DEBUG=y CONFIG_LATENCYTOP=y CONFIG_SCHEDSTATS=y + +CONFIG_TEST_STRING_HELPERS=m +CONFIG_XFS_WARN=y + diff --git a/config-generic b/config-generic index f00a437b2..46ba526b9 100644 --- a/config-generic +++ b/config-generic @@ -4713,3 +4713,60 @@ CONFIG_IOMMU_SUPPORT=y # CONFIG_CRYPTO_KEY_TYPE is not set # CONFIG_PGP_LIBRARY is not set # CONFIG_PGP_PRELOAD is not set + + +# F19 3.10 rebase options below + +# CONFIG_ATH6KL_TRACING is not set +CONFIG_BATMAN_ADV_NC=y +# CONFIG_BCACHE_CLOSURES_DEBUG is not set +# CONFIG_BCACHE_DEBUG is not set +# CONFIG_BCACHE_EDEBUG is not set +CONFIG_BCACHE=m +CONFIG_BINFMT_SCRIPT=y +CONFIG_BOUNCE=y +# CONFIG_BTRFS_DEBUG is not set +# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set +CONFIG_CRYPTO_CMAC=m +# CONFIG_DUMMY_IRQ is not set +# CONFIG_FB_SIMPLE is not set +# CONFIG_GPIO_GRGPIO is not set +CONFIG_HID_APPLEIR=m +# CONFIG_INPUT_IMS_PCU is not set +CONFIG_LEDS_LP5562=m +CONFIG_LEDS_TRIGGER_CAMERA=m +# CONFIG_MFD_CROS_EC is not set +# CONFIG_MFD_SI476X_CORE is not set +CONFIG_NETLINK_DIAG=m +CONFIG_NETLINK_MMAP=y +CONFIG_NET_TEAM_MODE_RANDOM=m +# CONFIG_RCU_USER_QS is not set +# CONFIG_RESET_CONTROLLER is not set +# CONFIG_RING_BUFFER_STARTUP_TEST is not set +CONFIG_RT2800USB_RT55XX=y +# CONFIG_SCSI_UFSHCD_PLATFORM is not set +CONFIG_SENSORS_ADT7310=m +CONFIG_SENSORS_LM95234=m +CONFIG_SENSORS_NCT6775=m +# CONFIG_SERIO_APBPS2 is not set +# CONFIG_SMS_SIANO_DEBUGFS is not set +# CONFIG_SRAM is not set +# CONFIG_SSBI is not set +# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set +CONFIG_USB_DEFAULT_PERSIST=y +CONFIG_USB_PHY=y +CONFIG_USB_RTL8152=m +# CONFIG_USB_SERIAL_WISHBONE is not set +# CONFIG_W1_SLAVE_DS2408_READBACK is not set +# CONFIG_SAMSUNG_USB2PHY is not set +# CONFIG_SAMSUNG_USB3PHY is not set +CONFIG_ALX=m +CONFIG_INFINIBAND_ISERT=m +CONFIG_QLCNIC_SRIOV=y +CONFIG_RTL8188EE=m +# CONFIG_SAMSUNG_USBPHY is not set +# CONFIG_TIPC_MEDIA_IB is not set +# CONFIG_USB_DWC2 is not set +CONFIG_VHOST_SCSI=m +# CONFIG_MFD_TPS65912 is not set +# CONFIG_MFD_SYSCON is not set diff --git a/config-nodebug b/config-nodebug index 6db2dde22..12ecfcc29 100644 --- a/config-nodebug +++ b/config-nodebug @@ -119,3 +119,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_SPI_DEBUG is not set # CONFIG_LATENCYTOP is not set # CONFIG_SCHEDSTATS is not set + +# CONFIG_TEST_STRING_HELPERS is not set +# CONFIG_XFS_WARN is not set + diff --git a/config-powerpc-generic b/config-powerpc-generic index b6df88ea8..e8617230e 100644 --- a/config-powerpc-generic +++ b/config-powerpc-generic @@ -392,3 +392,5 @@ CONFIG_BACKLIGHT_PWM=m CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=n CONFIG_XZ_DEC_POWERPC=y + +# CONFIG_POWERNV_MSI is not set diff --git a/config-powerpc64 b/config-powerpc64 index d0e0aab5b..02a44d888 100644 --- a/config-powerpc64 +++ b/config-powerpc64 @@ -181,3 +181,6 @@ CONFIG_BPF_JIT=y # CONFIG_PPC_TRANSACTIONAL_MEM is not set # CONFIG_SND_HDA_INTEL is not set CONFIG_BLK_DEV_RSXX=m + +CONFIG_POWERNV_MSI=y +CONFIG_KVM_XICS=y diff --git a/config-powerpc64p7 b/config-powerpc64p7 index 285d9fff9..ff4471037 100644 --- a/config-powerpc64p7 +++ b/config-powerpc64p7 @@ -171,3 +171,6 @@ CONFIG_BPF_JIT=y # CONFIG_PCIEPORTBUS is not set # CONFIG_SND_HDA_INTEL is not set CONFIG_BLK_DEV_RSXX=m + +CONFIG_POWERNV_MSI=y +CONFIG_KVM_XICS=y diff --git a/config-x86-generic b/config-x86-generic index 68041357f..f00827c2e 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -459,3 +459,14 @@ CONFIG_MODULE_SIG_UEFI=y CONFIG_VMXNET3=m CONFIG_VFIO_PCI_VGA=y + +CONFIG_EFIVAR_FS=y +CONFIG_HYPERVISOR_GUEST=y +CONFIG_KVM_DEVICE_ASSIGNMENT=y +CONFIG_NFC_MEI_PHY=m +CONFIG_PVPANIC=m +CONFIG_X86_AMD_FREQ_SENSITIVITY=m +CONFIG_FB_HYPERV=m +CONFIG_NFC_MICROREAD_MEI=m +CONFIG_NFC_PN544_MEI=m + diff --git a/config-x86_64-generic b/config-x86_64-generic index 92f283073..65e6a6869 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -157,3 +157,8 @@ CONFIG_SFC_MTD=y CONFIG_MTD_CHAR=m CONFIG_MTD_BLOCK=m +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m +CONFIG_CRYPTO_SHA256_SSSE3=m +CONFIG_CRYPTO_SHA512_SSSE3=m + diff --git a/debug-bad-pte-dmi.patch b/debug-bad-pte-dmi.patch deleted file mode 100644 index eddd595b0..000000000 --- a/debug-bad-pte-dmi.patch +++ /dev/null @@ -1,66 +0,0 @@ ---- linux.orig/include/asm-generic/bug.h -+++ linux/include/asm-generic/bug.h -@@ -55,6 +55,8 @@ struct bug_entry { - #define BUG_ON(condition) do { if (unlikely(condition)) BUG(); } while(0) - #endif - -+void print_hardware_dmi_name(void); -+ - /* - * WARN(), WARN_ON(), WARN_ON_ONCE, and so on can be used to report - * significant issues that need prompt attention if they should ever ---- linux.orig/kernel/panic.c -+++ linux/kernel/panic.c -@@ -391,6 +391,15 @@ void oops_exit(void) - kmsg_dump(KMSG_DUMP_OOPS); - } - -+void print_hardware_dmi_name(void) -+{ -+ const char *board; -+ -+ board = dmi_get_system_info(DMI_PRODUCT_NAME); -+ if (board) -+ printk(KERN_WARNING "Hardware name: %s\n", board); -+} -+ - #ifdef WANT_WARN_ON_SLOWPATH - struct slowpath_args { - const char *fmt; -@@ -400,13 +409,10 @@ struct slowpath_args { - static void warn_slowpath_common(const char *file, int line, void *caller, - unsigned taint, struct slowpath_args *args) - { -- const char *board; -- - printk(KERN_WARNING "------------[ cut here ]------------\n"); - printk(KERN_WARNING "WARNING: at %s:%d %pS()\n", file, line, caller); -- board = dmi_get_system_info(DMI_PRODUCT_NAME); -- if (board) -- printk(KERN_WARNING "Hardware name: %s\n", board); -+ -+ print_hardware_dmi_name(); - - if (args) - vprintk(args->fmt, args->args); ---- linux.orig/mm/memory.c -+++ linux/mm/memory.c -@@ -706,6 +706,8 @@ static void print_bad_pte(struct vm_area - "BUG: Bad page map in process %s pte:%08llx pmd:%08llx\n", - current->comm, - (long long)pte_val(pte), (long long)pmd_val(*pmd)); -+ print_hardware_dmi_name(); -+ - if (page) - dump_page(page); - printk(KERN_ALERT ---- linux.orig/mm/page_alloc.c -+++ linux/mm/page_alloc.c -@@ -321,6 +321,7 @@ static void bad_page(struct page *page) - current->comm, page_to_pfn(page)); - dump_page(page); - -+ print_hardware_dmi_name(); - print_modules(); - dump_stack(); - out: diff --git a/debug-bad-pte-modules.patch b/debug-bad-pte-modules.patch deleted file mode 100644 index 88ca28043..000000000 --- a/debug-bad-pte-modules.patch +++ /dev/null @@ -1,20 +0,0 @@ -diff -durpN '--exclude-from=/home/davej/.exclude' /home/davej/src/kernel/git-trees/linux/mm/memory.c linux-dj/mm/memory.c ---- /home/davej/src/kernel/git-trees/linux/mm/memory.c 2013-02-26 14:41:18.591116577 -0500 -+++ linux-dj/mm/memory.c 2013-02-28 20:04:37.678304092 -0500 -@@ -57,6 +57,7 @@ - #include - #include - #include -+#include - #include - #include - -@@ -719,6 +722,7 @@ static void print_bad_pte(struct vm_area - if (vma->vm_file && vma->vm_file->f_op) - print_symbol(KERN_ALERT "vma->vm_file->f_op->mmap: %s\n", - (unsigned long)vma->vm_file->f_op->mmap); -+ print_modules(); - dump_stack(); - add_taint(TAINT_BAD_PAGE, LOCKDEP_NOW_UNRELIABLE); - } - diff --git a/drm-i915-dp-stfu.patch b/drm-i915-dp-stfu.patch index 78fb5fe60..fb2e58ee9 100644 --- a/drm-i915-dp-stfu.patch +++ b/drm-i915-dp-stfu.patch @@ -1,17 +1,17 @@ diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index f61cb79..64a24c0 100644 +index fb2fbc1..0aaf67d 100644 --- a/drivers/gpu/drm/i915/intel_dp.c +++ b/drivers/gpu/drm/i915/intel_dp.c -@@ -315,7 +315,7 @@ intel_dp_check_edp(struct intel_dp *intel_dp) - if (!is_edp(intel_dp)) - return; +@@ -283,7 +283,7 @@ intel_dp_check_edp(struct intel_dp *intel_dp) + pp_ctrl_reg = IS_VALLEYVIEW(dev) ? PIPEA_PP_CONTROL : PCH_PP_CONTROL; + if (!ironlake_edp_have_panel_power(intel_dp) && !ironlake_edp_have_panel_vdd(intel_dp)) { - WARN(1, "eDP powered off while attempting aux channel communication.\n"); + DRM_ERROR("eDP powered off while attempting aux channel communication.\n"); DRM_DEBUG_KMS("Status 0x%08x Control 0x%08x\n", - I915_READ(PCH_PP_STATUS), - I915_READ(PCH_PP_CONTROL)); -@@ -446,7 +446,7 @@ intel_dp_aux_ch(struct intel_dp *intel_dp, + I915_READ(pp_stat_reg), + I915_READ(pp_ctrl_reg)); +@@ -376,7 +376,7 @@ intel_dp_aux_ch(struct intel_dp *intel_dp, } if (try == 3) { @@ -20,7 +20,7 @@ index f61cb79..64a24c0 100644 I915_READ(ch_ctl)); ret = -EBUSY; goto out; -@@ -1083,8 +1083,8 @@ void ironlake_edp_panel_vdd_on(struct intel_dp *intel_dp) +@@ -995,8 +995,8 @@ void ironlake_edp_panel_vdd_on(struct intel_dp *intel_dp) return; DRM_DEBUG_KMS("Turn eDP VDD on\n"); @@ -31,7 +31,7 @@ index f61cb79..64a24c0 100644 intel_dp->want_panel_vdd = true; -@@ -1151,7 +1151,8 @@ void ironlake_edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync) +@@ -1070,7 +1070,8 @@ void ironlake_edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync) return; DRM_DEBUG_KMS("Turn eDP VDD off %d\n", intel_dp->want_panel_vdd); @@ -41,7 +41,7 @@ index f61cb79..64a24c0 100644 intel_dp->want_panel_vdd = false; -@@ -1221,7 +1222,8 @@ void ironlake_edp_panel_off(struct intel_dp *intel_dp) +@@ -1144,7 +1145,8 @@ void ironlake_edp_panel_off(struct intel_dp *intel_dp) DRM_DEBUG_KMS("Turn eDP power off\n"); @@ -49,5 +49,5 @@ index f61cb79..64a24c0 100644 + if (!intel_dp->want_panel_vdd) + DRM_ERROR("Need VDD to turn off panel\n"); - pp = ironlake_get_pp_control(dev_priv); + pp = ironlake_get_pp_control(intel_dp); /* We need to switch off panel power _and_ force vdd, for otherwise some diff --git a/drm-qxl-3.10-rc7-diff.patch b/drm-qxl-3.10-rc7-diff.patch deleted file mode 100644 index 3aa53f60d..000000000 --- a/drm-qxl-3.10-rc7-diff.patch +++ /dev/null @@ -1,593 +0,0 @@ -From be71369a5b4297776fb9988e6274595136294588 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Tue, 16 Apr 2013 13:24:25 +1000 -Subject: [PATCH 4/5] drm/qxl 3.10-rc7 diff - -drm/qxl: make lots of things static. -drm/qxl: fix smatch warnings -drm/qxl: fix build with debugfs turned off. -drivers, drm: fix qxl build error when debugfs is disabled -drm/qxl: fix ioport interactions for kernel submitted commands. -qxl: drop unused variable. -drm/qxl: drop active_user_framebuffer as its unneeded -qxl: fix bug with object eviction and update area -qxl: fix Kconfig deps - select FB_DEFERRED_IO -drm/qxl: fix build warnings on 32-bit - -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/qxl/Kconfig | 1 + - drivers/gpu/drm/qxl/qxl_cmd.c | 52 +++++++++++++++++---------------------- - drivers/gpu/drm/qxl/qxl_debugfs.c | 6 +++++ - drivers/gpu/drm/qxl/qxl_display.c | 36 +++++++++++---------------- - drivers/gpu/drm/qxl/qxl_drv.c | 2 +- - drivers/gpu/drm/qxl/qxl_drv.h | 7 ------ - drivers/gpu/drm/qxl/qxl_fb.c | 2 +- - drivers/gpu/drm/qxl/qxl_gem.c | 29 ---------------------- - drivers/gpu/drm/qxl/qxl_ioctl.c | 29 +++++++++++----------- - drivers/gpu/drm/qxl/qxl_kms.c | 11 +++++---- - drivers/gpu/drm/qxl/qxl_object.c | 6 ++--- - drivers/gpu/drm/qxl/qxl_release.c | 4 +-- - drivers/gpu/drm/qxl/qxl_ttm.c | 10 +++++--- - 13 files changed, 78 insertions(+), 117 deletions(-) - -diff --git a/drivers/gpu/drm/qxl/Kconfig b/drivers/gpu/drm/qxl/Kconfig -index 2f1a57e..d6c1279 100644 ---- a/drivers/gpu/drm/qxl/Kconfig -+++ b/drivers/gpu/drm/qxl/Kconfig -@@ -4,6 +4,7 @@ config DRM_QXL - select FB_SYS_FILLRECT - select FB_SYS_COPYAREA - select FB_SYS_IMAGEBLIT -+ select FB_DEFERRED_IO - select DRM_KMS_HELPER - select DRM_TTM - help -diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c -index 804b411..02befd9 100644 ---- a/drivers/gpu/drm/qxl/qxl_cmd.c -+++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -144,8 +144,8 @@ int qxl_ring_push(struct qxl_ring *ring, - return 0; - } - --bool qxl_ring_pop(struct qxl_ring *ring, -- void *element) -+static bool qxl_ring_pop(struct qxl_ring *ring, -+ void *element) - { - volatile struct qxl_ring_header *header = &(ring->ring->header); - volatile uint8_t *ring_elt; -@@ -169,23 +169,6 @@ bool qxl_ring_pop(struct qxl_ring *ring, - return true; - } - --void qxl_ring_wait_idle(struct qxl_ring *ring) --{ -- struct qxl_ring_header *header = &(ring->ring->header); -- unsigned long flags; -- -- spin_lock_irqsave(&ring->lock, flags); -- if (ring->ring->header.cons < ring->ring->header.prod) { -- header->notify_on_cons = header->prod; -- mb(); -- spin_unlock_irqrestore(&ring->lock, flags); -- wait_event_interruptible(*ring->push_event, -- qxl_check_idle(ring)); -- spin_lock_irqsave(&ring->lock, flags); -- } -- spin_unlock_irqrestore(&ring->lock, flags); --} -- - int - qxl_push_command_ring_release(struct qxl_device *qdev, struct qxl_release *release, - uint32_t type, bool interruptible) -@@ -294,7 +277,7 @@ out_unref: - return 0; - } - --static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) -+static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port, bool intr) - { - int irq_num; - long addr = qdev->io_base + port; -@@ -302,20 +285,29 @@ static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) - - mutex_lock(&qdev->async_io_mutex); - irq_num = atomic_read(&qdev->irq_received_io_cmd); -- -- - if (qdev->last_sent_io_cmd > irq_num) { -- ret = wait_event_interruptible(qdev->io_cmd_event, -- atomic_read(&qdev->irq_received_io_cmd) > irq_num); -- if (ret) -+ if (intr) -+ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ else -+ ret = wait_event_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ /* 0 is timeout, just bail the "hw" has gone away */ -+ if (ret <= 0) - goto out; - irq_num = atomic_read(&qdev->irq_received_io_cmd); - } - outb(val, addr); - qdev->last_sent_io_cmd = irq_num + 1; -- ret = wait_event_interruptible(qdev->io_cmd_event, -- atomic_read(&qdev->irq_received_io_cmd) > irq_num); -+ if (intr) -+ ret = wait_event_interruptible_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); -+ else -+ ret = wait_event_timeout(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num, 5*HZ); - out: -+ if (ret > 0) -+ ret = 0; - mutex_unlock(&qdev->async_io_mutex); - return ret; - } -@@ -325,7 +317,7 @@ static void wait_for_io_cmd(struct qxl_device *qdev, uint8_t val, long port) - int ret; - - restart: -- ret = wait_for_io_cmd_user(qdev, val, port); -+ ret = wait_for_io_cmd_user(qdev, val, port, false); - if (ret == -ERESTARTSYS) - goto restart; - } -@@ -357,7 +349,7 @@ int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, - mutex_lock(&qdev->update_area_mutex); - qdev->ram_header->update_area = *area; - qdev->ram_header->update_surface = surface_id; -- ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC); -+ ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC, true); - mutex_unlock(&qdev->update_area_mutex); - return ret; - } -@@ -609,7 +601,7 @@ retry: - return ret; - } - --void qxl_surface_evict_locked(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) -+static void qxl_surface_evict_locked(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) - { - /* no need to update area if we are just freeing the surface normally */ - if (do_update_area) -diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c -index c630152..c3c2bbd 100644 ---- a/drivers/gpu/drm/qxl/qxl_debugfs.c -+++ b/drivers/gpu/drm/qxl/qxl_debugfs.c -@@ -35,6 +35,7 @@ - #include "qxl_object.h" - - -+#if defined(CONFIG_DEBUG_FS) - static int - qxl_debugfs_irq_received(struct seq_file *m, void *data) - { -@@ -69,20 +70,25 @@ static struct drm_info_list qxl_debugfs_list[] = { - { "qxl_buffers", qxl_debugfs_buffers_info, 0, NULL }, - }; - #define QXL_DEBUGFS_ENTRIES ARRAY_SIZE(qxl_debugfs_list) -+#endif - - int - qxl_debugfs_init(struct drm_minor *minor) - { -+#if defined(CONFIG_DEBUG_FS) - drm_debugfs_create_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, - minor->debugfs_root, minor); -+#endif - return 0; - } - - void - qxl_debugfs_takedown(struct drm_minor *minor) - { -+#if defined(CONFIG_DEBUG_FS) - drm_debugfs_remove_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, - minor); -+#endif - } - - int qxl_debugfs_add_files(struct qxl_device *qdev, -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index c80ddfe..823d29e 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -84,6 +84,7 @@ void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) - if (qdev->client_monitors_config && - count > qdev->client_monitors_config->count) { - kfree(qdev->client_monitors_config); -+ qdev->client_monitors_config = NULL; - } - if (!qdev->client_monitors_config) { - qdev->client_monitors_config = kzalloc( -@@ -413,11 +414,11 @@ static void qxl_user_framebuffer_destroy(struct drm_framebuffer *fb) - kfree(qxl_fb); - } - --int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, -- struct drm_file *file_priv, -- unsigned flags, unsigned color, -- struct drm_clip_rect *clips, -- unsigned num_clips) -+static int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, -+ struct drm_file *file_priv, -+ unsigned flags, unsigned color, -+ struct drm_clip_rect *clips, -+ unsigned num_clips) - { - /* TODO: vmwgfx where this was cribbed from had locking. Why? */ - struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb); -@@ -427,10 +428,10 @@ int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, - int inc = 1; - - qobj = gem_to_qxl_bo(qxl_fb->obj); -- if (qxl_fb != qdev->active_user_framebuffer) { -- DRM_INFO("%s: qxl_fb 0x%p != qdev->active_user_framebuffer 0x%p\n", -- __func__, qxl_fb, qdev->active_user_framebuffer); -- } -+ /* if we aren't primary surface ignore this */ -+ if (!qobj->is_primary) -+ return 0; -+ - if (!num_clips) { - num_clips = 1; - clips = &norect; -@@ -603,7 +604,6 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - mode->hdisplay, - mode->vdisplay); - } -- qdev->mode_set = true; - return 0; - } - -@@ -619,7 +619,7 @@ static void qxl_crtc_commit(struct drm_crtc *crtc) - DRM_DEBUG("\n"); - } - --void qxl_crtc_load_lut(struct drm_crtc *crtc) -+static void qxl_crtc_load_lut(struct drm_crtc *crtc) - { - DRM_DEBUG("\n"); - } -@@ -633,7 +633,7 @@ static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { - .load_lut = qxl_crtc_load_lut, - }; - --int qdev_crtc_init(struct drm_device *dev, int num_crtc) -+static int qdev_crtc_init(struct drm_device *dev, int num_crtc) - { - struct qxl_crtc *qxl_crtc; - -@@ -764,7 +764,7 @@ static int qxl_conn_mode_valid(struct drm_connector *connector, - return MODE_OK; - } - --struct drm_encoder *qxl_best_encoder(struct drm_connector *connector) -+static struct drm_encoder *qxl_best_encoder(struct drm_connector *connector) - { - struct qxl_output *qxl_output = - drm_connector_to_qxl_output(connector); -@@ -855,7 +855,7 @@ static const struct drm_encoder_funcs qxl_enc_funcs = { - .destroy = qxl_enc_destroy, - }; - --int qdev_output_init(struct drm_device *dev, int num_output) -+static int qdev_output_init(struct drm_device *dev, int num_output) - { - struct qxl_output *qxl_output; - struct drm_connector *connector; -@@ -892,7 +892,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, - { - struct drm_gem_object *obj; - struct qxl_framebuffer *qxl_fb; -- struct qxl_device *qdev = dev->dev_private; - int ret; - - obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]); -@@ -908,13 +907,6 @@ qxl_user_framebuffer_create(struct drm_device *dev, - return NULL; - } - -- if (qdev->active_user_framebuffer) { -- DRM_INFO("%s: active_user_framebuffer %p -> %p\n", -- __func__, -- qdev->active_user_framebuffer, qxl_fb); -- } -- qdev->active_user_framebuffer = qxl_fb; -- - return &qxl_fb->base; - } - -diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c -index d337da0..aa291d8 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.c -+++ b/drivers/gpu/drm/qxl/qxl_drv.c -@@ -46,7 +46,7 @@ static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { - }; - MODULE_DEVICE_TABLE(pci, pciidlist); - --int qxl_modeset = -1; -+static int qxl_modeset = -1; - - MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); - module_param_named(modeset, qxl_modeset, int, 0400); -diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h -index 52b582c..43d06ab 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.h -+++ b/drivers/gpu/drm/qxl/qxl_drv.h -@@ -255,12 +255,6 @@ struct qxl_device { - struct qxl_gem gem; - struct qxl_mode_info mode_info; - -- /* -- * last created framebuffer with fb_create -- * only used by debugfs dumbppm -- */ -- struct qxl_framebuffer *active_user_framebuffer; -- - struct fb_info *fbdev_info; - struct qxl_framebuffer *fbdev_qfb; - void *ram_physical; -@@ -270,7 +264,6 @@ struct qxl_device { - struct qxl_ring *cursor_ring; - - struct qxl_ram_header *ram_header; -- bool mode_set; - - bool primary_created; - -diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c -index 232b52b..b3c5127 100644 ---- a/drivers/gpu/drm/qxl/qxl_fb.c -+++ b/drivers/gpu/drm/qxl/qxl_fb.c -@@ -159,7 +159,7 @@ static void qxl_deferred_io(struct fb_info *info, - }; - - --struct fb_deferred_io qxl_defio = { -+static struct fb_deferred_io qxl_defio = { - .delay = QXL_DIRTY_DELAY, - .deferred_io = qxl_deferred_io, - }; -diff --git a/drivers/gpu/drm/qxl/qxl_gem.c b/drivers/gpu/drm/qxl/qxl_gem.c -index adc1ee2..a235693 100644 ---- a/drivers/gpu/drm/qxl/qxl_gem.c -+++ b/drivers/gpu/drm/qxl/qxl_gem.c -@@ -127,35 +127,6 @@ void qxl_gem_object_unpin(struct drm_gem_object *obj) - } - } - --int qxl_gem_set_domain(struct drm_gem_object *gobj, -- uint32_t rdomain, uint32_t wdomain) --{ -- struct qxl_bo *qobj; -- uint32_t domain; -- int r; -- -- /* FIXME: reeimplement */ -- qobj = gobj->driver_private; -- /* work out where to validate the buffer to */ -- domain = wdomain; -- if (!domain) -- domain = rdomain; -- if (!domain) { -- /* Do nothings */ -- pr_warn("Set domain withou domain !\n"); -- return 0; -- } -- if (domain == QXL_GEM_DOMAIN_CPU) { -- /* Asking for cpu access wait for object idle */ -- r = qxl_bo_wait(qobj, NULL, false); -- if (r) { -- pr_err("Failed to wait for object !\n"); -- return r; -- } -- } -- return 0; --} -- - int qxl_gem_object_open(struct drm_gem_object *obj, struct drm_file *file_priv) - { - return 0; -diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c -index 83ca4f7..a4b71b2 100644 ---- a/drivers/gpu/drm/qxl/qxl_ioctl.c -+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c -@@ -30,8 +30,8 @@ - * TODO: allocating a new gem(in qxl_bo) for each request. - * This is wasteful since bo's are page aligned. - */ --int qxl_alloc_ioctl(struct drm_device *dev, void *data, -- struct drm_file *file_priv) -+static int qxl_alloc_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) - { - struct qxl_device *qdev = dev->dev_private; - struct drm_qxl_alloc *qxl_alloc = data; -@@ -58,8 +58,8 @@ int qxl_alloc_ioctl(struct drm_device *dev, void *data, - return 0; - } - --int qxl_map_ioctl(struct drm_device *dev, void *data, -- struct drm_file *file_priv) -+static int qxl_map_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) - { - struct qxl_device *qdev = dev->dev_private; - struct drm_qxl_map *qxl_map = data; -@@ -101,9 +101,9 @@ apply_surf_reloc(struct qxl_device *qdev, struct qxl_bo *dst, uint64_t dst_off, - } - - /* return holding the reference to this object */ --struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, -- struct drm_file *file_priv, uint64_t handle, -- struct qxl_reloc_list *reloc_list) -+static struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, -+ struct drm_file *file_priv, uint64_t handle, -+ struct qxl_reloc_list *reloc_list) - { - struct drm_gem_object *gobj; - struct qxl_bo *qobj; -@@ -129,8 +129,8 @@ struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, - * However, the command as passed from user space must *not* contain the initial - * QXLReleaseInfo struct (first XXX bytes) - */ --int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, -- struct drm_file *file_priv) -+static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) - { - struct qxl_device *qdev = dev->dev_private; - struct drm_qxl_execbuffer *execbuffer = data; -@@ -151,7 +151,7 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, - struct qxl_bo *cmd_bo; - int release_type; - struct drm_qxl_command *commands = -- (struct drm_qxl_command *)execbuffer->commands; -+ (struct drm_qxl_command *)(uintptr_t)execbuffer->commands; - - if (DRM_COPY_FROM_USER(&user_cmd, &commands[cmd_num], - sizeof(user_cmd))) -@@ -193,7 +193,7 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, - - for (i = 0 ; i < user_cmd.relocs_num; ++i) { - if (DRM_COPY_FROM_USER(&reloc, -- &((struct drm_qxl_reloc *)user_cmd.relocs)[i], -+ &((struct drm_qxl_reloc *)(uintptr_t)user_cmd.relocs)[i], - sizeof(reloc))) { - qxl_bo_list_unreserve(&reloc_list, true); - qxl_release_unreserve(qdev, release); -@@ -266,8 +266,8 @@ int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, - return 0; - } - --int qxl_update_area_ioctl(struct drm_device *dev, void *data, -- struct drm_file *file) -+static int qxl_update_area_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file) - { - struct qxl_device *qdev = dev->dev_private; - struct drm_qxl_update_area *update_area = data; -@@ -294,6 +294,7 @@ int qxl_update_area_ioctl(struct drm_device *dev, void *data, - goto out; - - if (!qobj->pin_count) { -+ qxl_ttm_placement_from_domain(qobj, qobj->type); - ret = ttm_bo_validate(&qobj->tbo, &qobj->placement, - true, false); - if (unlikely(ret)) -@@ -347,7 +348,7 @@ static int qxl_clientcap_ioctl(struct drm_device *dev, void *data, - if (qdev->pdev->revision < 4) - return -ENOSYS; - -- if (byte > 58) -+ if (byte >= 58) - return -ENOSYS; - - if (qdev->rom->client_capabilities[byte] & (1 << idx)) -diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c -index 036e0de..e27ce2a 100644 ---- a/drivers/gpu/drm/qxl/qxl_kms.c -+++ b/drivers/gpu/drm/qxl/qxl_kms.c -@@ -128,12 +128,13 @@ int qxl_device_init(struct qxl_device *qdev, - - qdev->vram_mapping = io_mapping_create_wc(qdev->vram_base, pci_resource_len(pdev, 0)); - qdev->surface_mapping = io_mapping_create_wc(qdev->surfaceram_base, qdev->surfaceram_size); -- DRM_DEBUG_KMS("qxl: vram %p-%p(%dM %dk), surface %p-%p(%dM %dk)\n", -- (void *)qdev->vram_base, (void *)pci_resource_end(pdev, 0), -+ DRM_DEBUG_KMS("qxl: vram %llx-%llx(%dM %dk), surface %llx-%llx(%dM %dk)\n", -+ (unsigned long long)qdev->vram_base, -+ (unsigned long long)pci_resource_end(pdev, 0), - (int)pci_resource_len(pdev, 0) / 1024 / 1024, - (int)pci_resource_len(pdev, 0) / 1024, -- (void *)qdev->surfaceram_base, -- (void *)pci_resource_end(pdev, 1), -+ (unsigned long long)qdev->surfaceram_base, -+ (unsigned long long)pci_resource_end(pdev, 1), - (int)qdev->surfaceram_size / 1024 / 1024, - (int)qdev->surfaceram_size / 1024); - -@@ -230,7 +231,7 @@ int qxl_device_init(struct qxl_device *qdev, - return 0; - } - --void qxl_device_fini(struct qxl_device *qdev) -+static void qxl_device_fini(struct qxl_device *qdev) - { - if (qdev->current_release_bo[0]) - qxl_bo_unref(&qdev->current_release_bo[0]); -diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c -index 51efb94..d9b12e7 100644 ---- a/drivers/gpu/drm/qxl/qxl_object.c -+++ b/drivers/gpu/drm/qxl/qxl_object.c -@@ -59,11 +59,11 @@ void qxl_ttm_placement_from_domain(struct qxl_bo *qbo, u32 domain) - qbo->placement.lpfn = 0; - qbo->placement.placement = qbo->placements; - qbo->placement.busy_placement = qbo->placements; -- if (domain & QXL_GEM_DOMAIN_VRAM) -+ if (domain == QXL_GEM_DOMAIN_VRAM) - qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_VRAM; -- if (domain & QXL_GEM_DOMAIN_SURFACE) -+ if (domain == QXL_GEM_DOMAIN_SURFACE) - qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_PRIV0; -- if (domain & QXL_GEM_DOMAIN_CPU) -+ if (domain == QXL_GEM_DOMAIN_CPU) - qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; - if (!c) - qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; -diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c -index 1600781..c4267c7 100644 ---- a/drivers/gpu/drm/qxl/qxl_release.c -+++ b/drivers/gpu/drm/qxl/qxl_release.c -@@ -117,8 +117,8 @@ qxl_release_add_res(struct qxl_device *qdev, struct qxl_release *release, - release->bos[release->bo_count++] = qxl_bo_ref(bo); - } - --int qxl_release_bo_alloc(struct qxl_device *qdev, -- struct qxl_bo **bo) -+static int qxl_release_bo_alloc(struct qxl_device *qdev, -+ struct qxl_bo **bo) - { - int ret; - ret = qxl_bo_create(qdev, PAGE_SIZE, false, QXL_GEM_DOMAIN_VRAM, NULL, -diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c -index aa9fb9a..489cb8c 100644 ---- a/drivers/gpu/drm/qxl/qxl_ttm.c -+++ b/drivers/gpu/drm/qxl/qxl_ttm.c -@@ -315,9 +315,9 @@ static void qxl_ttm_tt_unpopulate(struct ttm_tt *ttm) - ttm_pool_unpopulate(ttm); - } - --struct ttm_tt *qxl_ttm_tt_create(struct ttm_bo_device *bdev, -- unsigned long size, uint32_t page_flags, -- struct page *dummy_read_page) -+static struct ttm_tt *qxl_ttm_tt_create(struct ttm_bo_device *bdev, -+ unsigned long size, uint32_t page_flags, -+ struct page *dummy_read_page) - { - struct qxl_device *qdev; - struct qxl_ttm_tt *gtt; -@@ -555,6 +555,7 @@ static int qxl_mm_dump_table(struct seq_file *m, void *data) - - static int qxl_ttm_debugfs_init(struct qxl_device *qdev) - { -+#if defined(CONFIG_DEBUG_FS) - static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES]; - static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32]; - unsigned i; -@@ -574,4 +575,7 @@ static int qxl_ttm_debugfs_init(struct qxl_device *qdev) - - } - return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i); -+#else -+ return 0; -+#endif - } --- -1.8.3.1 - diff --git a/drm-qxl-access-fix.patch b/drm-qxl-access-fix.patch deleted file mode 100644 index e40a14d1b..000000000 --- a/drm-qxl-access-fix.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 18097b91aaff215e843f04b84ec2c686270bb55f Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Fri, 28 Jun 2013 13:27:40 +1000 -Subject: [PATCH] drm/qxl: add missing access check for execbuffer ioctl - -Reported-by: Mathieu Desnoyers -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/qxl/qxl_ioctl.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c -index a4b71b2..a30f294 100644 ---- a/drivers/gpu/drm/qxl/qxl_ioctl.c -+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c -@@ -171,6 +171,11 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, - if (user_cmd.command_size > PAGE_SIZE - sizeof(union qxl_release_info)) - return -EINVAL; - -+ if (!access_ok(VERIFY_READ, -+ (void *)(unsigned long)user_cmd.command, -+ user_cmd.command_size)) -+ return -EFAULT; -+ - ret = qxl_alloc_release_reserved(qdev, - sizeof(union qxl_release_info) + - user_cmd.command_size, --- -1.8.1.2 - diff --git a/drm-qxl-driver.patch b/drm-qxl-driver.patch deleted file mode 100644 index 72341a8c7..000000000 --- a/drm-qxl-driver.patch +++ /dev/null @@ -1,7507 +0,0 @@ -From bb57317d5f86a60fd5dd98b3f82241c47ae2cc5d Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Mon, 25 Feb 2013 14:47:55 +1000 -Subject: [PATCH] drm: add new QXL driver. (v1.4) - -QXL is a paravirtual graphics device used by the Spice virtual desktop -interface. - -The drivers uses GEM and TTM to manage memory, the qxl hw fencing however -is quite different than normal TTM expects, we have to keep track of a number -of non-linear fence ids per bo that we need to have released by the hardware. - -The releases are freed from a workqueue that wakes up and processes the -release ring. - -releases are suballocated from a BO, there are 3 release categories, drawables, -surfaces and cursor cmds. The hw also has 3 rings for commands, cursor and release handling. - -The hardware also have a surface id tracking mechnaism and the driver encapsulates it completely inside the kernel, userspace never sees the actual hw surface -ids. - -This requires a newer version of the QXL userspace driver, so shouldn't be -enabled until that has been placed into your distro of choice. - -Authors: Dave Airlie, Alon Levy - -v1.1: fixup some issues in the ioctl interface with padding -v1.2: add module device table -v1.3: fix nomodeset, fbcon leak, dumb bo create, release ring irq, - don't try flush release ring (broken hw), fix -modesetting. -v1.4: fbcon cpu usage reduction + suitable accel flags. - -Signed-off-by: Alon Levy -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/Kconfig | 2 + - drivers/gpu/drm/Makefile | 1 + - drivers/gpu/drm/qxl/Kconfig | 10 + - drivers/gpu/drm/qxl/Makefile | 9 + - drivers/gpu/drm/qxl/qxl_cmd.c | 707 +++++++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_debugfs.c | 135 ++++++ - drivers/gpu/drm/qxl/qxl_dev.h | 879 ++++++++++++++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_display.c | 981 ++++++++++++++++++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_draw.c | 390 +++++++++++++++ - drivers/gpu/drm/qxl/qxl_drv.c | 145 ++++++ - drivers/gpu/drm/qxl/qxl_drv.h | 566 ++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_dumb.c | 93 ++++ - drivers/gpu/drm/qxl/qxl_fb.c | 567 ++++++++++++++++++++++ - drivers/gpu/drm/qxl/qxl_fence.c | 97 ++++ - drivers/gpu/drm/qxl/qxl_gem.c | 178 +++++++ - drivers/gpu/drm/qxl/qxl_image.c | 176 +++++++ - drivers/gpu/drm/qxl/qxl_ioctl.c | 411 ++++++++++++++++ - drivers/gpu/drm/qxl/qxl_irq.c | 97 ++++ - drivers/gpu/drm/qxl/qxl_kms.c | 302 ++++++++++++ - drivers/gpu/drm/qxl/qxl_object.c | 365 ++++++++++++++ - drivers/gpu/drm/qxl/qxl_object.h | 112 +++++ - drivers/gpu/drm/qxl/qxl_release.c | 307 ++++++++++++ - drivers/gpu/drm/qxl/qxl_ttm.c | 577 ++++++++++++++++++++++ - include/uapi/drm/Kbuild | 1 + - include/uapi/drm/qxl_drm.h | 152 ++++++ - 25 files changed, 7260 insertions(+) - create mode 100644 drivers/gpu/drm/qxl/Kconfig - create mode 100644 drivers/gpu/drm/qxl/Makefile - create mode 100644 drivers/gpu/drm/qxl/qxl_cmd.c - create mode 100644 drivers/gpu/drm/qxl/qxl_debugfs.c - create mode 100644 drivers/gpu/drm/qxl/qxl_dev.h - create mode 100644 drivers/gpu/drm/qxl/qxl_display.c - create mode 100644 drivers/gpu/drm/qxl/qxl_draw.c - create mode 100644 drivers/gpu/drm/qxl/qxl_drv.c - create mode 100644 drivers/gpu/drm/qxl/qxl_drv.h - create mode 100644 drivers/gpu/drm/qxl/qxl_dumb.c - create mode 100644 drivers/gpu/drm/qxl/qxl_fb.c - create mode 100644 drivers/gpu/drm/qxl/qxl_fence.c - create mode 100644 drivers/gpu/drm/qxl/qxl_gem.c - create mode 100644 drivers/gpu/drm/qxl/qxl_image.c - create mode 100644 drivers/gpu/drm/qxl/qxl_ioctl.c - create mode 100644 drivers/gpu/drm/qxl/qxl_irq.c - create mode 100644 drivers/gpu/drm/qxl/qxl_kms.c - create mode 100644 drivers/gpu/drm/qxl/qxl_object.c - create mode 100644 drivers/gpu/drm/qxl/qxl_object.h - create mode 100644 drivers/gpu/drm/qxl/qxl_release.c - create mode 100644 drivers/gpu/drm/qxl/qxl_ttm.c - create mode 100644 include/uapi/drm/qxl_drm.h - -diff --git a/drivers/gpu/drm/Kconfig b/drivers/gpu/drm/Kconfig -index 1e82882..19b8e0d 100644 ---- a/drivers/gpu/drm/Kconfig -+++ b/drivers/gpu/drm/Kconfig -@@ -220,3 +220,5 @@ source "drivers/gpu/drm/tegra/Kconfig" - source "drivers/gpu/drm/omapdrm/Kconfig" - - source "drivers/gpu/drm/tilcdc/Kconfig" -+ -+source "drivers/gpu/drm/qxl/Kconfig" -diff --git a/drivers/gpu/drm/Makefile b/drivers/gpu/drm/Makefile -index 0d59b24..6a42115 100644 ---- a/drivers/gpu/drm/Makefile -+++ b/drivers/gpu/drm/Makefile -@@ -52,4 +52,5 @@ obj-$(CONFIG_DRM_SHMOBILE) +=shmobile/ - obj-$(CONFIG_DRM_TEGRA) += tegra/ - obj-$(CONFIG_DRM_OMAP) += omapdrm/ - obj-$(CONFIG_DRM_TILCDC) += tilcdc/ -+obj-$(CONFIG_DRM_QXL) += qxl/ - obj-y += i2c/ -diff --git a/drivers/gpu/drm/qxl/Kconfig b/drivers/gpu/drm/qxl/Kconfig -new file mode 100644 -index 0000000..2f1a57e ---- /dev/null -+++ b/drivers/gpu/drm/qxl/Kconfig -@@ -0,0 +1,10 @@ -+config DRM_QXL -+ tristate "QXL virtual GPU" -+ depends on DRM && PCI -+ select FB_SYS_FILLRECT -+ select FB_SYS_COPYAREA -+ select FB_SYS_IMAGEBLIT -+ select DRM_KMS_HELPER -+ select DRM_TTM -+ help -+ QXL virtual GPU for Spice virtualization desktop integration. Do not enable this driver unless your distro ships a corresponding X.org QXL driver that can handle kernel modesetting. -diff --git a/drivers/gpu/drm/qxl/Makefile b/drivers/gpu/drm/qxl/Makefile -new file mode 100644 -index 0000000..ea046ba ---- /dev/null -+++ b/drivers/gpu/drm/qxl/Makefile -@@ -0,0 +1,9 @@ -+# -+# Makefile for the drm device driver. This driver provides support for the -+# Direct Rendering Infrastructure (DRI) in XFree86 4.1.0 and higher. -+ -+ccflags-y := -Iinclude/drm -+ -+qxl-y := qxl_drv.o qxl_kms.o qxl_display.o qxl_ttm.o qxl_fb.o qxl_object.o qxl_gem.o qxl_cmd.o qxl_image.o qxl_draw.o qxl_debugfs.o qxl_irq.o qxl_dumb.o qxl_ioctl.o qxl_fence.o qxl_release.o -+ -+obj-$(CONFIG_DRM_QXL)+= qxl.o -diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c -new file mode 100644 -index 0000000..804b411 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -0,0 +1,707 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+/* QXL cmd/ring handling */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+static int qxl_reap_surface_id(struct qxl_device *qdev, int max_to_reap); -+ -+struct ring { -+ struct qxl_ring_header header; -+ uint8_t elements[0]; -+}; -+ -+struct qxl_ring { -+ struct ring *ring; -+ int element_size; -+ int n_elements; -+ int prod_notify; -+ wait_queue_head_t *push_event; -+ spinlock_t lock; -+}; -+ -+void qxl_ring_free(struct qxl_ring *ring) -+{ -+ kfree(ring); -+} -+ -+struct qxl_ring * -+qxl_ring_create(struct qxl_ring_header *header, -+ int element_size, -+ int n_elements, -+ int prod_notify, -+ bool set_prod_notify, -+ wait_queue_head_t *push_event) -+{ -+ struct qxl_ring *ring; -+ -+ ring = kmalloc(sizeof(*ring), GFP_KERNEL); -+ if (!ring) -+ return NULL; -+ -+ ring->ring = (struct ring *)header; -+ ring->element_size = element_size; -+ ring->n_elements = n_elements; -+ ring->prod_notify = prod_notify; -+ ring->push_event = push_event; -+ if (set_prod_notify) -+ header->notify_on_prod = ring->n_elements; -+ spin_lock_init(&ring->lock); -+ return ring; -+} -+ -+static int qxl_check_header(struct qxl_ring *ring) -+{ -+ int ret; -+ struct qxl_ring_header *header = &(ring->ring->header); -+ unsigned long flags; -+ spin_lock_irqsave(&ring->lock, flags); -+ ret = header->prod - header->cons < header->num_items; -+ if (ret == 0) -+ header->notify_on_cons = header->cons + 1; -+ spin_unlock_irqrestore(&ring->lock, flags); -+ return ret; -+} -+ -+static int qxl_check_idle(struct qxl_ring *ring) -+{ -+ int ret; -+ struct qxl_ring_header *header = &(ring->ring->header); -+ unsigned long flags; -+ spin_lock_irqsave(&ring->lock, flags); -+ ret = header->prod == header->cons; -+ spin_unlock_irqrestore(&ring->lock, flags); -+ return ret; -+} -+ -+int qxl_ring_push(struct qxl_ring *ring, -+ const void *new_elt, bool interruptible) -+{ -+ struct qxl_ring_header *header = &(ring->ring->header); -+ uint8_t *elt; -+ int idx, ret; -+ unsigned long flags; -+ spin_lock_irqsave(&ring->lock, flags); -+ if (header->prod - header->cons == header->num_items) { -+ header->notify_on_cons = header->cons + 1; -+ mb(); -+ spin_unlock_irqrestore(&ring->lock, flags); -+ if (!drm_can_sleep()) { -+ while (!qxl_check_header(ring)) -+ udelay(1); -+ } else { -+ if (interruptible) { -+ ret = wait_event_interruptible(*ring->push_event, -+ qxl_check_header(ring)); -+ if (ret) -+ return ret; -+ } else { -+ wait_event(*ring->push_event, -+ qxl_check_header(ring)); -+ } -+ -+ } -+ spin_lock_irqsave(&ring->lock, flags); -+ } -+ -+ idx = header->prod & (ring->n_elements - 1); -+ elt = ring->ring->elements + idx * ring->element_size; -+ -+ memcpy((void *)elt, new_elt, ring->element_size); -+ -+ header->prod++; -+ -+ mb(); -+ -+ if (header->prod == header->notify_on_prod) -+ outb(0, ring->prod_notify); -+ -+ spin_unlock_irqrestore(&ring->lock, flags); -+ return 0; -+} -+ -+bool qxl_ring_pop(struct qxl_ring *ring, -+ void *element) -+{ -+ volatile struct qxl_ring_header *header = &(ring->ring->header); -+ volatile uint8_t *ring_elt; -+ int idx; -+ unsigned long flags; -+ spin_lock_irqsave(&ring->lock, flags); -+ if (header->cons == header->prod) { -+ header->notify_on_prod = header->cons + 1; -+ spin_unlock_irqrestore(&ring->lock, flags); -+ return false; -+ } -+ -+ idx = header->cons & (ring->n_elements - 1); -+ ring_elt = ring->ring->elements + idx * ring->element_size; -+ -+ memcpy(element, (void *)ring_elt, ring->element_size); -+ -+ header->cons++; -+ -+ spin_unlock_irqrestore(&ring->lock, flags); -+ return true; -+} -+ -+void qxl_ring_wait_idle(struct qxl_ring *ring) -+{ -+ struct qxl_ring_header *header = &(ring->ring->header); -+ unsigned long flags; -+ -+ spin_lock_irqsave(&ring->lock, flags); -+ if (ring->ring->header.cons < ring->ring->header.prod) { -+ header->notify_on_cons = header->prod; -+ mb(); -+ spin_unlock_irqrestore(&ring->lock, flags); -+ wait_event_interruptible(*ring->push_event, -+ qxl_check_idle(ring)); -+ spin_lock_irqsave(&ring->lock, flags); -+ } -+ spin_unlock_irqrestore(&ring->lock, flags); -+} -+ -+int -+qxl_push_command_ring_release(struct qxl_device *qdev, struct qxl_release *release, -+ uint32_t type, bool interruptible) -+{ -+ struct qxl_command cmd; -+ -+ cmd.type = type; -+ cmd.data = qxl_bo_physical_address(qdev, release->bos[0], release->release_offset); -+ -+ return qxl_ring_push(qdev->command_ring, &cmd, interruptible); -+} -+ -+int -+qxl_push_cursor_ring_release(struct qxl_device *qdev, struct qxl_release *release, -+ uint32_t type, bool interruptible) -+{ -+ struct qxl_command cmd; -+ -+ cmd.type = type; -+ cmd.data = qxl_bo_physical_address(qdev, release->bos[0], release->release_offset); -+ -+ return qxl_ring_push(qdev->cursor_ring, &cmd, interruptible); -+} -+ -+bool qxl_queue_garbage_collect(struct qxl_device *qdev, bool flush) -+{ -+ if (!qxl_check_idle(qdev->release_ring)) { -+ queue_work(qdev->gc_queue, &qdev->gc_work); -+ if (flush) -+ flush_work(&qdev->gc_work); -+ return true; -+ } -+ return false; -+} -+ -+int qxl_garbage_collect(struct qxl_device *qdev) -+{ -+ struct qxl_release *release; -+ uint64_t id, next_id; -+ int i = 0; -+ int ret; -+ union qxl_release_info *info; -+ -+ while (qxl_ring_pop(qdev->release_ring, &id)) { -+ QXL_INFO(qdev, "popped %lld\n", id); -+ while (id) { -+ release = qxl_release_from_id_locked(qdev, id); -+ if (release == NULL) -+ break; -+ -+ ret = qxl_release_reserve(qdev, release, false); -+ if (ret) { -+ qxl_io_log(qdev, "failed to reserve release on garbage collect %lld\n", id); -+ DRM_ERROR("failed to reserve release %lld\n", id); -+ } -+ -+ info = qxl_release_map(qdev, release); -+ next_id = info->next; -+ qxl_release_unmap(qdev, release, info); -+ -+ qxl_release_unreserve(qdev, release); -+ QXL_INFO(qdev, "popped %lld, next %lld\n", id, -+ next_id); -+ -+ switch (release->type) { -+ case QXL_RELEASE_DRAWABLE: -+ case QXL_RELEASE_SURFACE_CMD: -+ case QXL_RELEASE_CURSOR_CMD: -+ break; -+ default: -+ DRM_ERROR("unexpected release type\n"); -+ break; -+ } -+ id = next_id; -+ -+ qxl_release_free(qdev, release); -+ ++i; -+ } -+ } -+ -+ QXL_INFO(qdev, "%s: %lld\n", __func__, i); -+ -+ return i; -+} -+ -+int qxl_alloc_bo_reserved(struct qxl_device *qdev, unsigned long size, -+ struct qxl_bo **_bo) -+{ -+ struct qxl_bo *bo; -+ int ret; -+ -+ ret = qxl_bo_create(qdev, size, false /* not kernel - device */, -+ QXL_GEM_DOMAIN_VRAM, NULL, &bo); -+ if (ret) { -+ DRM_ERROR("failed to allocate VRAM BO\n"); -+ return ret; -+ } -+ ret = qxl_bo_reserve(bo, false); -+ if (unlikely(ret != 0)) -+ goto out_unref; -+ -+ *_bo = bo; -+ return 0; -+out_unref: -+ qxl_bo_unref(&bo); -+ return 0; -+} -+ -+static int wait_for_io_cmd_user(struct qxl_device *qdev, uint8_t val, long port) -+{ -+ int irq_num; -+ long addr = qdev->io_base + port; -+ int ret; -+ -+ mutex_lock(&qdev->async_io_mutex); -+ irq_num = atomic_read(&qdev->irq_received_io_cmd); -+ -+ -+ if (qdev->last_sent_io_cmd > irq_num) { -+ ret = wait_event_interruptible(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num); -+ if (ret) -+ goto out; -+ irq_num = atomic_read(&qdev->irq_received_io_cmd); -+ } -+ outb(val, addr); -+ qdev->last_sent_io_cmd = irq_num + 1; -+ ret = wait_event_interruptible(qdev->io_cmd_event, -+ atomic_read(&qdev->irq_received_io_cmd) > irq_num); -+out: -+ mutex_unlock(&qdev->async_io_mutex); -+ return ret; -+} -+ -+static void wait_for_io_cmd(struct qxl_device *qdev, uint8_t val, long port) -+{ -+ int ret; -+ -+restart: -+ ret = wait_for_io_cmd_user(qdev, val, port); -+ if (ret == -ERESTARTSYS) -+ goto restart; -+} -+ -+int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, -+ const struct qxl_rect *area) -+{ -+ int surface_id; -+ uint32_t surface_width, surface_height; -+ int ret; -+ -+ if (!surf->hw_surf_alloc) -+ DRM_ERROR("got io update area with no hw surface\n"); -+ -+ if (surf->is_primary) -+ surface_id = 0; -+ else -+ surface_id = surf->surface_id; -+ surface_width = surf->surf.width; -+ surface_height = surf->surf.height; -+ -+ if (area->left < 0 || area->top < 0 || -+ area->right > surface_width || area->bottom > surface_height) { -+ qxl_io_log(qdev, "%s: not doing area update for " -+ "%d, (%d,%d,%d,%d) (%d,%d)\n", __func__, surface_id, area->left, -+ area->top, area->right, area->bottom, surface_width, surface_height); -+ return -EINVAL; -+ } -+ mutex_lock(&qdev->update_area_mutex); -+ qdev->ram_header->update_area = *area; -+ qdev->ram_header->update_surface = surface_id; -+ ret = wait_for_io_cmd_user(qdev, 0, QXL_IO_UPDATE_AREA_ASYNC); -+ mutex_unlock(&qdev->update_area_mutex); -+ return ret; -+} -+ -+void qxl_io_notify_oom(struct qxl_device *qdev) -+{ -+ outb(0, qdev->io_base + QXL_IO_NOTIFY_OOM); -+} -+ -+void qxl_io_flush_release(struct qxl_device *qdev) -+{ -+ outb(0, qdev->io_base + QXL_IO_FLUSH_RELEASE); -+} -+ -+void qxl_io_flush_surfaces(struct qxl_device *qdev) -+{ -+ wait_for_io_cmd(qdev, 0, QXL_IO_FLUSH_SURFACES_ASYNC); -+} -+ -+ -+void qxl_io_destroy_primary(struct qxl_device *qdev) -+{ -+ wait_for_io_cmd(qdev, 0, QXL_IO_DESTROY_PRIMARY_ASYNC); -+} -+ -+void qxl_io_create_primary(struct qxl_device *qdev, unsigned width, -+ unsigned height, unsigned offset, struct qxl_bo *bo) -+{ -+ struct qxl_surface_create *create; -+ -+ QXL_INFO(qdev, "%s: qdev %p, ram_header %p\n", __func__, qdev, -+ qdev->ram_header); -+ create = &qdev->ram_header->create_surface; -+ create->format = bo->surf.format; -+ create->width = width; -+ create->height = height; -+ create->stride = bo->surf.stride; -+ create->mem = qxl_bo_physical_address(qdev, bo, offset); -+ -+ QXL_INFO(qdev, "%s: mem = %llx, from %p\n", __func__, create->mem, -+ bo->kptr); -+ -+ create->flags = QXL_SURF_FLAG_KEEP_DATA; -+ create->type = QXL_SURF_TYPE_PRIMARY; -+ -+ wait_for_io_cmd(qdev, 0, QXL_IO_CREATE_PRIMARY_ASYNC); -+} -+ -+void qxl_io_memslot_add(struct qxl_device *qdev, uint8_t id) -+{ -+ QXL_INFO(qdev, "qxl_memslot_add %d\n", id); -+ wait_for_io_cmd(qdev, id, QXL_IO_MEMSLOT_ADD_ASYNC); -+} -+ -+void qxl_io_log(struct qxl_device *qdev, const char *fmt, ...) -+{ -+ va_list args; -+ -+ va_start(args, fmt); -+ vsnprintf(qdev->ram_header->log_buf, QXL_LOG_BUF_SIZE, fmt, args); -+ va_end(args); -+ /* -+ * DO not do a DRM output here - this will call printk, which will -+ * call back into qxl for rendering (qxl_fb) -+ */ -+ outb(0, qdev->io_base + QXL_IO_LOG); -+} -+ -+void qxl_io_reset(struct qxl_device *qdev) -+{ -+ outb(0, qdev->io_base + QXL_IO_RESET); -+} -+ -+void qxl_io_monitors_config(struct qxl_device *qdev) -+{ -+ qxl_io_log(qdev, "%s: %d [%dx%d+%d+%d]\n", __func__, -+ qdev->monitors_config ? -+ qdev->monitors_config->count : -1, -+ qdev->monitors_config && qdev->monitors_config->count ? -+ qdev->monitors_config->heads[0].width : -1, -+ qdev->monitors_config && qdev->monitors_config->count ? -+ qdev->monitors_config->heads[0].height : -1, -+ qdev->monitors_config && qdev->monitors_config->count ? -+ qdev->monitors_config->heads[0].x : -1, -+ qdev->monitors_config && qdev->monitors_config->count ? -+ qdev->monitors_config->heads[0].y : -1 -+ ); -+ -+ wait_for_io_cmd(qdev, 0, QXL_IO_MONITORS_CONFIG_ASYNC); -+} -+ -+int qxl_surface_id_alloc(struct qxl_device *qdev, -+ struct qxl_bo *surf) -+{ -+ uint32_t handle = -ENOMEM; -+ int idr_ret; -+ int count = 0; -+again: -+ if (idr_pre_get(&qdev->surf_id_idr, GFP_ATOMIC) == 0) { -+ DRM_ERROR("Out of memory for surf idr\n"); -+ kfree(surf); -+ goto alloc_fail; -+ } -+ -+ spin_lock(&qdev->surf_id_idr_lock); -+ idr_ret = idr_get_new_above(&qdev->surf_id_idr, NULL, 1, &handle); -+ spin_unlock(&qdev->surf_id_idr_lock); -+ -+ if (idr_ret == -EAGAIN) -+ goto again; -+ -+ if (handle >= qdev->rom->n_surfaces) { -+ count++; -+ spin_lock(&qdev->surf_id_idr_lock); -+ idr_remove(&qdev->surf_id_idr, handle); -+ spin_unlock(&qdev->surf_id_idr_lock); -+ qxl_reap_surface_id(qdev, 2); -+ goto again; -+ } -+ surf->surface_id = handle; -+ -+ spin_lock(&qdev->surf_id_idr_lock); -+ qdev->last_alloced_surf_id = handle; -+ spin_unlock(&qdev->surf_id_idr_lock); -+ alloc_fail: -+ return 0; -+} -+ -+void qxl_surface_id_dealloc(struct qxl_device *qdev, -+ uint32_t surface_id) -+{ -+ spin_lock(&qdev->surf_id_idr_lock); -+ idr_remove(&qdev->surf_id_idr, surface_id); -+ spin_unlock(&qdev->surf_id_idr_lock); -+} -+ -+int qxl_hw_surface_alloc(struct qxl_device *qdev, -+ struct qxl_bo *surf, -+ struct ttm_mem_reg *new_mem) -+{ -+ struct qxl_surface_cmd *cmd; -+ struct qxl_release *release; -+ int ret; -+ -+ if (surf->hw_surf_alloc) -+ return 0; -+ -+ ret = qxl_alloc_surface_release_reserved(qdev, QXL_SURFACE_CMD_CREATE, -+ NULL, -+ &release); -+ if (ret) -+ return ret; -+ -+ cmd = (struct qxl_surface_cmd *)qxl_release_map(qdev, release); -+ cmd->type = QXL_SURFACE_CMD_CREATE; -+ cmd->u.surface_create.format = surf->surf.format; -+ cmd->u.surface_create.width = surf->surf.width; -+ cmd->u.surface_create.height = surf->surf.height; -+ cmd->u.surface_create.stride = surf->surf.stride; -+ if (new_mem) { -+ int slot_id = surf->type == QXL_GEM_DOMAIN_VRAM ? qdev->main_mem_slot : qdev->surfaces_mem_slot; -+ struct qxl_memslot *slot = &(qdev->mem_slots[slot_id]); -+ -+ /* TODO - need to hold one of the locks to read tbo.offset */ -+ cmd->u.surface_create.data = slot->high_bits; -+ -+ cmd->u.surface_create.data |= (new_mem->start << PAGE_SHIFT) + surf->tbo.bdev->man[new_mem->mem_type].gpu_offset; -+ } else -+ cmd->u.surface_create.data = qxl_bo_physical_address(qdev, surf, 0); -+ cmd->surface_id = surf->surface_id; -+ qxl_release_unmap(qdev, release, &cmd->release_info); -+ -+ surf->surf_create = release; -+ -+ /* no need to add a release to the fence for this bo, -+ since it is only released when we ask to destroy the surface -+ and it would never signal otherwise */ -+ qxl_fence_releaseable(qdev, release); -+ -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); -+ -+ qxl_release_unreserve(qdev, release); -+ -+ surf->hw_surf_alloc = true; -+ spin_lock(&qdev->surf_id_idr_lock); -+ idr_replace(&qdev->surf_id_idr, surf, surf->surface_id); -+ spin_unlock(&qdev->surf_id_idr_lock); -+ return 0; -+} -+ -+int qxl_hw_surface_dealloc(struct qxl_device *qdev, -+ struct qxl_bo *surf) -+{ -+ struct qxl_surface_cmd *cmd; -+ struct qxl_release *release; -+ int ret; -+ int id; -+ -+ if (!surf->hw_surf_alloc) -+ return 0; -+ -+ ret = qxl_alloc_surface_release_reserved(qdev, QXL_SURFACE_CMD_DESTROY, -+ surf->surf_create, -+ &release); -+ if (ret) -+ return ret; -+ -+ surf->surf_create = NULL; -+ /* remove the surface from the idr, but not the surface id yet */ -+ spin_lock(&qdev->surf_id_idr_lock); -+ idr_replace(&qdev->surf_id_idr, NULL, surf->surface_id); -+ spin_unlock(&qdev->surf_id_idr_lock); -+ surf->hw_surf_alloc = false; -+ -+ id = surf->surface_id; -+ surf->surface_id = 0; -+ -+ release->surface_release_id = id; -+ cmd = (struct qxl_surface_cmd *)qxl_release_map(qdev, release); -+ cmd->type = QXL_SURFACE_CMD_DESTROY; -+ cmd->surface_id = id; -+ qxl_release_unmap(qdev, release, &cmd->release_info); -+ -+ qxl_fence_releaseable(qdev, release); -+ -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_SURFACE, false); -+ -+ qxl_release_unreserve(qdev, release); -+ -+ -+ return 0; -+} -+ -+int qxl_update_surface(struct qxl_device *qdev, struct qxl_bo *surf) -+{ -+ struct qxl_rect rect; -+ int ret; -+ -+ /* if we are evicting, we need to make sure the surface is up -+ to date */ -+ rect.left = 0; -+ rect.right = surf->surf.width; -+ rect.top = 0; -+ rect.bottom = surf->surf.height; -+retry: -+ ret = qxl_io_update_area(qdev, surf, &rect); -+ if (ret == -ERESTARTSYS) -+ goto retry; -+ return ret; -+} -+ -+void qxl_surface_evict_locked(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) -+{ -+ /* no need to update area if we are just freeing the surface normally */ -+ if (do_update_area) -+ qxl_update_surface(qdev, surf); -+ -+ /* nuke the surface id at the hw */ -+ qxl_hw_surface_dealloc(qdev, surf); -+} -+ -+void qxl_surface_evict(struct qxl_device *qdev, struct qxl_bo *surf, bool do_update_area) -+{ -+ mutex_lock(&qdev->surf_evict_mutex); -+ qxl_surface_evict_locked(qdev, surf, do_update_area); -+ mutex_unlock(&qdev->surf_evict_mutex); -+} -+ -+static int qxl_reap_surf(struct qxl_device *qdev, struct qxl_bo *surf, bool stall) -+{ -+ int ret; -+ -+ ret = qxl_bo_reserve(surf, false); -+ if (ret == -EBUSY) -+ return -EBUSY; -+ -+ if (surf->fence.num_active_releases > 0 && stall == false) { -+ qxl_bo_unreserve(surf); -+ return -EBUSY; -+ } -+ -+ if (stall) -+ mutex_unlock(&qdev->surf_evict_mutex); -+ -+ spin_lock(&surf->tbo.bdev->fence_lock); -+ ret = ttm_bo_wait(&surf->tbo, true, true, !stall); -+ spin_unlock(&surf->tbo.bdev->fence_lock); -+ -+ if (stall) -+ mutex_lock(&qdev->surf_evict_mutex); -+ if (ret == -EBUSY) { -+ qxl_bo_unreserve(surf); -+ return -EBUSY; -+ } -+ -+ qxl_surface_evict_locked(qdev, surf, true); -+ qxl_bo_unreserve(surf); -+ return 0; -+} -+ -+static int qxl_reap_surface_id(struct qxl_device *qdev, int max_to_reap) -+{ -+ int num_reaped = 0; -+ int i, ret; -+ bool stall = false; -+ int start = 0; -+ -+ mutex_lock(&qdev->surf_evict_mutex); -+again: -+ -+ spin_lock(&qdev->surf_id_idr_lock); -+ start = qdev->last_alloced_surf_id + 1; -+ spin_unlock(&qdev->surf_id_idr_lock); -+ -+ for (i = start; i < start + qdev->rom->n_surfaces; i++) { -+ void *objptr; -+ int surfid = i % qdev->rom->n_surfaces; -+ -+ /* this avoids the case where the objects is in the -+ idr but has been evicted half way - its makes -+ the idr lookup atomic with the eviction */ -+ spin_lock(&qdev->surf_id_idr_lock); -+ objptr = idr_find(&qdev->surf_id_idr, surfid); -+ spin_unlock(&qdev->surf_id_idr_lock); -+ -+ if (!objptr) -+ continue; -+ -+ ret = qxl_reap_surf(qdev, objptr, stall); -+ if (ret == 0) -+ num_reaped++; -+ if (num_reaped >= max_to_reap) -+ break; -+ } -+ if (num_reaped == 0 && stall == false) { -+ stall = true; -+ goto again; -+ } -+ -+ mutex_unlock(&qdev->surf_evict_mutex); -+ if (num_reaped) { -+ usleep_range(500, 1000); -+ qxl_queue_garbage_collect(qdev, true); -+ } -+ -+ return 0; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_debugfs.c b/drivers/gpu/drm/qxl/qxl_debugfs.c -new file mode 100644 -index 0000000..c630152 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_debugfs.c -@@ -0,0 +1,135 @@ -+/* -+ * Copyright (C) 2009 Red Hat -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining -+ * a copy of this software and associated documentation files (the -+ * "Software"), to deal in the Software without restriction, including -+ * without limitation the rights to use, copy, modify, merge, publish, -+ * distribute, sublicense, and/or sell copies of the Software, and to -+ * permit persons to whom the Software is furnished to do so, subject to -+ * the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the -+ * next paragraph) shall be included in all copies or substantial -+ * portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, -+ * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF -+ * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. -+ * IN NO EVENT SHALL THE COPYRIGHT OWNER(S) AND/OR ITS SUPPLIERS BE -+ * LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION -+ * OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION -+ * WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -+ * -+ */ -+ -+/* -+ * Authors: -+ * Alon Levy -+ */ -+ -+#include -+ -+#include "drmP.h" -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+ -+static int -+qxl_debugfs_irq_received(struct seq_file *m, void *data) -+{ -+ struct drm_info_node *node = (struct drm_info_node *) m->private; -+ struct qxl_device *qdev = node->minor->dev->dev_private; -+ -+ seq_printf(m, "%d\n", atomic_read(&qdev->irq_received)); -+ seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_display)); -+ seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_cursor)); -+ seq_printf(m, "%d\n", atomic_read(&qdev->irq_received_io_cmd)); -+ seq_printf(m, "%d\n", qdev->irq_received_error); -+ return 0; -+} -+ -+static int -+qxl_debugfs_buffers_info(struct seq_file *m, void *data) -+{ -+ struct drm_info_node *node = (struct drm_info_node *) m->private; -+ struct qxl_device *qdev = node->minor->dev->dev_private; -+ struct qxl_bo *bo; -+ -+ list_for_each_entry(bo, &qdev->gem.objects, list) { -+ seq_printf(m, "size %ld, pc %d, sync obj %p, num releases %d\n", -+ (unsigned long)bo->gem_base.size, bo->pin_count, -+ bo->tbo.sync_obj, bo->fence.num_active_releases); -+ } -+ return 0; -+} -+ -+static struct drm_info_list qxl_debugfs_list[] = { -+ { "irq_received", qxl_debugfs_irq_received, 0, NULL }, -+ { "qxl_buffers", qxl_debugfs_buffers_info, 0, NULL }, -+}; -+#define QXL_DEBUGFS_ENTRIES ARRAY_SIZE(qxl_debugfs_list) -+ -+int -+qxl_debugfs_init(struct drm_minor *minor) -+{ -+ drm_debugfs_create_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, -+ minor->debugfs_root, minor); -+ return 0; -+} -+ -+void -+qxl_debugfs_takedown(struct drm_minor *minor) -+{ -+ drm_debugfs_remove_files(qxl_debugfs_list, QXL_DEBUGFS_ENTRIES, -+ minor); -+} -+ -+int qxl_debugfs_add_files(struct qxl_device *qdev, -+ struct drm_info_list *files, -+ unsigned nfiles) -+{ -+ unsigned i; -+ -+ for (i = 0; i < qdev->debugfs_count; i++) { -+ if (qdev->debugfs[i].files == files) { -+ /* Already registered */ -+ return 0; -+ } -+ } -+ -+ i = qdev->debugfs_count + 1; -+ if (i > QXL_DEBUGFS_MAX_COMPONENTS) { -+ DRM_ERROR("Reached maximum number of debugfs components.\n"); -+ DRM_ERROR("Report so we increase QXL_DEBUGFS_MAX_COMPONENTS.\n"); -+ return -EINVAL; -+ } -+ qdev->debugfs[qdev->debugfs_count].files = files; -+ qdev->debugfs[qdev->debugfs_count].num_files = nfiles; -+ qdev->debugfs_count = i; -+#if defined(CONFIG_DEBUG_FS) -+ drm_debugfs_create_files(files, nfiles, -+ qdev->ddev->control->debugfs_root, -+ qdev->ddev->control); -+ drm_debugfs_create_files(files, nfiles, -+ qdev->ddev->primary->debugfs_root, -+ qdev->ddev->primary); -+#endif -+ return 0; -+} -+ -+void qxl_debugfs_remove_files(struct qxl_device *qdev) -+{ -+#if defined(CONFIG_DEBUG_FS) -+ unsigned i; -+ -+ for (i = 0; i < qdev->debugfs_count; i++) { -+ drm_debugfs_remove_files(qdev->debugfs[i].files, -+ qdev->debugfs[i].num_files, -+ qdev->ddev->control); -+ drm_debugfs_remove_files(qdev->debugfs[i].files, -+ qdev->debugfs[i].num_files, -+ qdev->ddev->primary); -+ } -+#endif -+} -diff --git a/drivers/gpu/drm/qxl/qxl_dev.h b/drivers/gpu/drm/qxl/qxl_dev.h -new file mode 100644 -index 0000000..94c5aec ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_dev.h -@@ -0,0 +1,879 @@ -+/* -+ Copyright (C) 2009 Red Hat, Inc. -+ -+ Redistribution and use in source and binary forms, with or without -+ modification, are permitted provided that the following conditions are -+ met: -+ -+ * Redistributions of source code must retain the above copyright -+ notice, this list of conditions and the following disclaimer. -+ * Redistributions in binary form must reproduce the above copyright -+ notice, this list of conditions and the following disclaimer in -+ the documentation and/or other materials provided with the -+ distribution. -+ * Neither the name of the copyright holder nor the names of its -+ contributors may be used to endorse or promote products derived -+ from this software without specific prior written permission. -+ -+ THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDER AND CONTRIBUTORS "AS -+ IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED -+ TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A -+ PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT -+ HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT -+ LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, -+ DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY -+ THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT -+ (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE -+ OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. -+*/ -+ -+ -+#ifndef H_QXL_DEV -+#define H_QXL_DEV -+ -+#include -+ -+/* -+ * from spice-protocol -+ * Release 0.10.0 -+ */ -+ -+/* enums.h */ -+ -+enum SpiceImageType { -+ SPICE_IMAGE_TYPE_BITMAP, -+ SPICE_IMAGE_TYPE_QUIC, -+ SPICE_IMAGE_TYPE_RESERVED, -+ SPICE_IMAGE_TYPE_LZ_PLT = 100, -+ SPICE_IMAGE_TYPE_LZ_RGB, -+ SPICE_IMAGE_TYPE_GLZ_RGB, -+ SPICE_IMAGE_TYPE_FROM_CACHE, -+ SPICE_IMAGE_TYPE_SURFACE, -+ SPICE_IMAGE_TYPE_JPEG, -+ SPICE_IMAGE_TYPE_FROM_CACHE_LOSSLESS, -+ SPICE_IMAGE_TYPE_ZLIB_GLZ_RGB, -+ SPICE_IMAGE_TYPE_JPEG_ALPHA, -+ -+ SPICE_IMAGE_TYPE_ENUM_END -+}; -+ -+enum SpiceBitmapFmt { -+ SPICE_BITMAP_FMT_INVALID, -+ SPICE_BITMAP_FMT_1BIT_LE, -+ SPICE_BITMAP_FMT_1BIT_BE, -+ SPICE_BITMAP_FMT_4BIT_LE, -+ SPICE_BITMAP_FMT_4BIT_BE, -+ SPICE_BITMAP_FMT_8BIT, -+ SPICE_BITMAP_FMT_16BIT, -+ SPICE_BITMAP_FMT_24BIT, -+ SPICE_BITMAP_FMT_32BIT, -+ SPICE_BITMAP_FMT_RGBA, -+ -+ SPICE_BITMAP_FMT_ENUM_END -+}; -+ -+enum SpiceSurfaceFmt { -+ SPICE_SURFACE_FMT_INVALID, -+ SPICE_SURFACE_FMT_1_A, -+ SPICE_SURFACE_FMT_8_A = 8, -+ SPICE_SURFACE_FMT_16_555 = 16, -+ SPICE_SURFACE_FMT_32_xRGB = 32, -+ SPICE_SURFACE_FMT_16_565 = 80, -+ SPICE_SURFACE_FMT_32_ARGB = 96, -+ -+ SPICE_SURFACE_FMT_ENUM_END -+}; -+ -+enum SpiceClipType { -+ SPICE_CLIP_TYPE_NONE, -+ SPICE_CLIP_TYPE_RECTS, -+ -+ SPICE_CLIP_TYPE_ENUM_END -+}; -+ -+enum SpiceRopd { -+ SPICE_ROPD_INVERS_SRC = (1 << 0), -+ SPICE_ROPD_INVERS_BRUSH = (1 << 1), -+ SPICE_ROPD_INVERS_DEST = (1 << 2), -+ SPICE_ROPD_OP_PUT = (1 << 3), -+ SPICE_ROPD_OP_OR = (1 << 4), -+ SPICE_ROPD_OP_AND = (1 << 5), -+ SPICE_ROPD_OP_XOR = (1 << 6), -+ SPICE_ROPD_OP_BLACKNESS = (1 << 7), -+ SPICE_ROPD_OP_WHITENESS = (1 << 8), -+ SPICE_ROPD_OP_INVERS = (1 << 9), -+ SPICE_ROPD_INVERS_RES = (1 << 10), -+ -+ SPICE_ROPD_MASK = 0x7ff -+}; -+ -+enum SpiceBrushType { -+ SPICE_BRUSH_TYPE_NONE, -+ SPICE_BRUSH_TYPE_SOLID, -+ SPICE_BRUSH_TYPE_PATTERN, -+ -+ SPICE_BRUSH_TYPE_ENUM_END -+}; -+ -+enum SpiceCursorType { -+ SPICE_CURSOR_TYPE_ALPHA, -+ SPICE_CURSOR_TYPE_MONO, -+ SPICE_CURSOR_TYPE_COLOR4, -+ SPICE_CURSOR_TYPE_COLOR8, -+ SPICE_CURSOR_TYPE_COLOR16, -+ SPICE_CURSOR_TYPE_COLOR24, -+ SPICE_CURSOR_TYPE_COLOR32, -+ -+ SPICE_CURSOR_TYPE_ENUM_END -+}; -+ -+/* qxl_dev.h */ -+ -+#pragma pack(push, 1) -+ -+#define REDHAT_PCI_VENDOR_ID 0x1b36 -+ -+/* 0x100-0x11f reserved for spice, 0x1ff used for unstable work */ -+#define QXL_DEVICE_ID_STABLE 0x0100 -+ -+enum { -+ QXL_REVISION_STABLE_V04 = 0x01, -+ QXL_REVISION_STABLE_V06 = 0x02, -+ QXL_REVISION_STABLE_V10 = 0x03, -+ QXL_REVISION_STABLE_V12 = 0x04, -+}; -+ -+#define QXL_DEVICE_ID_DEVEL 0x01ff -+#define QXL_REVISION_DEVEL 0x01 -+ -+#define QXL_ROM_MAGIC (*(uint32_t *)"QXRO") -+#define QXL_RAM_MAGIC (*(uint32_t *)"QXRA") -+ -+enum { -+ QXL_RAM_RANGE_INDEX, -+ QXL_VRAM_RANGE_INDEX, -+ QXL_ROM_RANGE_INDEX, -+ QXL_IO_RANGE_INDEX, -+ -+ QXL_PCI_RANGES -+}; -+ -+/* qxl-1 compat: append only */ -+enum { -+ QXL_IO_NOTIFY_CMD, -+ QXL_IO_NOTIFY_CURSOR, -+ QXL_IO_UPDATE_AREA, -+ QXL_IO_UPDATE_IRQ, -+ QXL_IO_NOTIFY_OOM, -+ QXL_IO_RESET, -+ QXL_IO_SET_MODE, /* qxl-1 */ -+ QXL_IO_LOG, -+ /* appended for qxl-2 */ -+ QXL_IO_MEMSLOT_ADD, -+ QXL_IO_MEMSLOT_DEL, -+ QXL_IO_DETACH_PRIMARY, -+ QXL_IO_ATTACH_PRIMARY, -+ QXL_IO_CREATE_PRIMARY, -+ QXL_IO_DESTROY_PRIMARY, -+ QXL_IO_DESTROY_SURFACE_WAIT, -+ QXL_IO_DESTROY_ALL_SURFACES, -+ /* appended for qxl-3 */ -+ QXL_IO_UPDATE_AREA_ASYNC, -+ QXL_IO_MEMSLOT_ADD_ASYNC, -+ QXL_IO_CREATE_PRIMARY_ASYNC, -+ QXL_IO_DESTROY_PRIMARY_ASYNC, -+ QXL_IO_DESTROY_SURFACE_ASYNC, -+ QXL_IO_DESTROY_ALL_SURFACES_ASYNC, -+ QXL_IO_FLUSH_SURFACES_ASYNC, -+ QXL_IO_FLUSH_RELEASE, -+ /* appended for qxl-4 */ -+ QXL_IO_MONITORS_CONFIG_ASYNC, -+ -+ QXL_IO_RANGE_SIZE -+}; -+ -+typedef uint64_t QXLPHYSICAL; -+typedef int32_t QXLFIXED; /* fixed 28.4 */ -+ -+struct qxl_point_fix { -+ QXLFIXED x; -+ QXLFIXED y; -+}; -+ -+struct qxl_point { -+ int32_t x; -+ int32_t y; -+}; -+ -+struct qxl_point_1_6 { -+ int16_t x; -+ int16_t y; -+}; -+ -+struct qxl_rect { -+ int32_t top; -+ int32_t left; -+ int32_t bottom; -+ int32_t right; -+}; -+ -+struct qxl_urect { -+ uint32_t top; -+ uint32_t left; -+ uint32_t bottom; -+ uint32_t right; -+}; -+ -+/* qxl-1 compat: append only */ -+struct qxl_rom { -+ uint32_t magic; -+ uint32_t id; -+ uint32_t update_id; -+ uint32_t compression_level; -+ uint32_t log_level; -+ uint32_t mode; /* qxl-1 */ -+ uint32_t modes_offset; -+ uint32_t num_io_pages; -+ uint32_t pages_offset; /* qxl-1 */ -+ uint32_t draw_area_offset; /* qxl-1 */ -+ uint32_t surface0_area_size; /* qxl-1 name: draw_area_size */ -+ uint32_t ram_header_offset; -+ uint32_t mm_clock; -+ /* appended for qxl-2 */ -+ uint32_t n_surfaces; -+ uint64_t flags; -+ uint8_t slots_start; -+ uint8_t slots_end; -+ uint8_t slot_gen_bits; -+ uint8_t slot_id_bits; -+ uint8_t slot_generation; -+ /* appended for qxl-4 */ -+ uint8_t client_present; -+ uint8_t client_capabilities[58]; -+ uint32_t client_monitors_config_crc; -+ struct { -+ uint16_t count; -+ uint16_t padding; -+ struct qxl_urect heads[64]; -+ } client_monitors_config; -+}; -+ -+/* qxl-1 compat: fixed */ -+struct qxl_mode { -+ uint32_t id; -+ uint32_t x_res; -+ uint32_t y_res; -+ uint32_t bits; -+ uint32_t stride; -+ uint32_t x_mili; -+ uint32_t y_mili; -+ uint32_t orientation; -+}; -+ -+/* qxl-1 compat: fixed */ -+struct qxl_modes { -+ uint32_t n_modes; -+ struct qxl_mode modes[0]; -+}; -+ -+/* qxl-1 compat: append only */ -+enum qxl_cmd_type { -+ QXL_CMD_NOP, -+ QXL_CMD_DRAW, -+ QXL_CMD_UPDATE, -+ QXL_CMD_CURSOR, -+ QXL_CMD_MESSAGE, -+ QXL_CMD_SURFACE, -+}; -+ -+/* qxl-1 compat: fixed */ -+struct qxl_command { -+ QXLPHYSICAL data; -+ uint32_t type; -+ uint32_t padding; -+}; -+ -+#define QXL_COMMAND_FLAG_COMPAT (1<<0) -+#define QXL_COMMAND_FLAG_COMPAT_16BPP (2<<0) -+ -+struct qxl_command_ext { -+ struct qxl_command cmd; -+ uint32_t group_id; -+ uint32_t flags; -+}; -+ -+struct qxl_mem_slot { -+ uint64_t mem_start; -+ uint64_t mem_end; -+}; -+ -+#define QXL_SURF_TYPE_PRIMARY 0 -+ -+#define QXL_SURF_FLAG_KEEP_DATA (1 << 0) -+ -+struct qxl_surface_create { -+ uint32_t width; -+ uint32_t height; -+ int32_t stride; -+ uint32_t format; -+ uint32_t position; -+ uint32_t mouse_mode; -+ uint32_t flags; -+ uint32_t type; -+ QXLPHYSICAL mem; -+}; -+ -+#define QXL_COMMAND_RING_SIZE 32 -+#define QXL_CURSOR_RING_SIZE 32 -+#define QXL_RELEASE_RING_SIZE 8 -+ -+#define QXL_LOG_BUF_SIZE 4096 -+ -+#define QXL_INTERRUPT_DISPLAY (1 << 0) -+#define QXL_INTERRUPT_CURSOR (1 << 1) -+#define QXL_INTERRUPT_IO_CMD (1 << 2) -+#define QXL_INTERRUPT_ERROR (1 << 3) -+#define QXL_INTERRUPT_CLIENT (1 << 4) -+#define QXL_INTERRUPT_CLIENT_MONITORS_CONFIG (1 << 5) -+ -+struct qxl_ring_header { -+ uint32_t num_items; -+ uint32_t prod; -+ uint32_t notify_on_prod; -+ uint32_t cons; -+ uint32_t notify_on_cons; -+}; -+ -+/* qxl-1 compat: append only */ -+struct qxl_ram_header { -+ uint32_t magic; -+ uint32_t int_pending; -+ uint32_t int_mask; -+ uint8_t log_buf[QXL_LOG_BUF_SIZE]; -+ struct qxl_ring_header cmd_ring_hdr; -+ struct qxl_command cmd_ring[QXL_COMMAND_RING_SIZE]; -+ struct qxl_ring_header cursor_ring_hdr; -+ struct qxl_command cursor_ring[QXL_CURSOR_RING_SIZE]; -+ struct qxl_ring_header release_ring_hdr; -+ uint64_t release_ring[QXL_RELEASE_RING_SIZE]; -+ struct qxl_rect update_area; -+ /* appended for qxl-2 */ -+ uint32_t update_surface; -+ struct qxl_mem_slot mem_slot; -+ struct qxl_surface_create create_surface; -+ uint64_t flags; -+ -+ /* appended for qxl-4 */ -+ -+ /* used by QXL_IO_MONITORS_CONFIG_ASYNC */ -+ QXLPHYSICAL monitors_config; -+ uint8_t guest_capabilities[64]; -+}; -+ -+union qxl_release_info { -+ uint64_t id; /* in */ -+ uint64_t next; /* out */ -+}; -+ -+struct qxl_release_info_ext { -+ union qxl_release_info *info; -+ uint32_t group_id; -+}; -+ -+struct qxl_data_chunk { -+ uint32_t data_size; -+ QXLPHYSICAL prev_chunk; -+ QXLPHYSICAL next_chunk; -+ uint8_t data[0]; -+}; -+ -+struct qxl_message { -+ union qxl_release_info release_info; -+ uint8_t data[0]; -+}; -+ -+struct qxl_compat_update_cmd { -+ union qxl_release_info release_info; -+ struct qxl_rect area; -+ uint32_t update_id; -+}; -+ -+struct qxl_update_cmd { -+ union qxl_release_info release_info; -+ struct qxl_rect area; -+ uint32_t update_id; -+ uint32_t surface_id; -+}; -+ -+struct qxl_cursor_header { -+ uint64_t unique; -+ uint16_t type; -+ uint16_t width; -+ uint16_t height; -+ uint16_t hot_spot_x; -+ uint16_t hot_spot_y; -+}; -+ -+struct qxl_cursor { -+ struct qxl_cursor_header header; -+ uint32_t data_size; -+ struct qxl_data_chunk chunk; -+}; -+ -+enum { -+ QXL_CURSOR_SET, -+ QXL_CURSOR_MOVE, -+ QXL_CURSOR_HIDE, -+ QXL_CURSOR_TRAIL, -+}; -+ -+#define QXL_CURSOR_DEVICE_DATA_SIZE 128 -+ -+struct qxl_cursor_cmd { -+ union qxl_release_info release_info; -+ uint8_t type; -+ union { -+ struct { -+ struct qxl_point_1_6 position; -+ uint8_t visible; -+ QXLPHYSICAL shape; -+ } set; -+ struct { -+ uint16_t length; -+ uint16_t frequency; -+ } trail; -+ struct qxl_point_1_6 position; -+ } u; -+ /* todo: dynamic size from rom */ -+ uint8_t device_data[QXL_CURSOR_DEVICE_DATA_SIZE]; -+}; -+ -+enum { -+ QXL_DRAW_NOP, -+ QXL_DRAW_FILL, -+ QXL_DRAW_OPAQUE, -+ QXL_DRAW_COPY, -+ QXL_COPY_BITS, -+ QXL_DRAW_BLEND, -+ QXL_DRAW_BLACKNESS, -+ QXL_DRAW_WHITENESS, -+ QXL_DRAW_INVERS, -+ QXL_DRAW_ROP3, -+ QXL_DRAW_STROKE, -+ QXL_DRAW_TEXT, -+ QXL_DRAW_TRANSPARENT, -+ QXL_DRAW_ALPHA_BLEND, -+ QXL_DRAW_COMPOSITE -+}; -+ -+struct qxl_raster_glyph { -+ struct qxl_point render_pos; -+ struct qxl_point glyph_origin; -+ uint16_t width; -+ uint16_t height; -+ uint8_t data[0]; -+}; -+ -+struct qxl_string { -+ uint32_t data_size; -+ uint16_t length; -+ uint16_t flags; -+ struct qxl_data_chunk chunk; -+}; -+ -+struct qxl_copy_bits { -+ struct qxl_point src_pos; -+}; -+ -+enum qxl_effect_type { -+ QXL_EFFECT_BLEND = 0, -+ QXL_EFFECT_OPAQUE = 1, -+ QXL_EFFECT_REVERT_ON_DUP = 2, -+ QXL_EFFECT_BLACKNESS_ON_DUP = 3, -+ QXL_EFFECT_WHITENESS_ON_DUP = 4, -+ QXL_EFFECT_NOP_ON_DUP = 5, -+ QXL_EFFECT_NOP = 6, -+ QXL_EFFECT_OPAQUE_BRUSH = 7 -+}; -+ -+struct qxl_pattern { -+ QXLPHYSICAL pat; -+ struct qxl_point pos; -+}; -+ -+struct qxl_brush { -+ uint32_t type; -+ union { -+ uint32_t color; -+ struct qxl_pattern pattern; -+ } u; -+}; -+ -+struct qxl_q_mask { -+ uint8_t flags; -+ struct qxl_point pos; -+ QXLPHYSICAL bitmap; -+}; -+ -+struct qxl_fill { -+ struct qxl_brush brush; -+ uint16_t rop_descriptor; -+ struct qxl_q_mask mask; -+}; -+ -+struct qxl_opaque { -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+ struct qxl_brush brush; -+ uint16_t rop_descriptor; -+ uint8_t scale_mode; -+ struct qxl_q_mask mask; -+}; -+ -+struct qxl_copy { -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+ uint16_t rop_descriptor; -+ uint8_t scale_mode; -+ struct qxl_q_mask mask; -+}; -+ -+struct qxl_transparent { -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+ uint32_t src_color; -+ uint32_t true_color; -+}; -+ -+struct qxl_alpha_blend { -+ uint16_t alpha_flags; -+ uint8_t alpha; -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+}; -+ -+struct qxl_compat_alpha_blend { -+ uint8_t alpha; -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+}; -+ -+struct qxl_rop_3 { -+ QXLPHYSICAL src_bitmap; -+ struct qxl_rect src_area; -+ struct qxl_brush brush; -+ uint8_t rop3; -+ uint8_t scale_mode; -+ struct qxl_q_mask mask; -+}; -+ -+struct qxl_line_attr { -+ uint8_t flags; -+ uint8_t join_style; -+ uint8_t end_style; -+ uint8_t style_nseg; -+ QXLFIXED width; -+ QXLFIXED miter_limit; -+ QXLPHYSICAL style; -+}; -+ -+struct qxl_stroke { -+ QXLPHYSICAL path; -+ struct qxl_line_attr attr; -+ struct qxl_brush brush; -+ uint16_t fore_mode; -+ uint16_t back_mode; -+}; -+ -+struct qxl_text { -+ QXLPHYSICAL str; -+ struct qxl_rect back_area; -+ struct qxl_brush fore_brush; -+ struct qxl_brush back_brush; -+ uint16_t fore_mode; -+ uint16_t back_mode; -+}; -+ -+struct qxl_mask { -+ struct qxl_q_mask mask; -+}; -+ -+struct qxl_clip { -+ uint32_t type; -+ QXLPHYSICAL data; -+}; -+ -+enum qxl_operator { -+ QXL_OP_CLEAR = 0x00, -+ QXL_OP_SOURCE = 0x01, -+ QXL_OP_DST = 0x02, -+ QXL_OP_OVER = 0x03, -+ QXL_OP_OVER_REVERSE = 0x04, -+ QXL_OP_IN = 0x05, -+ QXL_OP_IN_REVERSE = 0x06, -+ QXL_OP_OUT = 0x07, -+ QXL_OP_OUT_REVERSE = 0x08, -+ QXL_OP_ATOP = 0x09, -+ QXL_OP_ATOP_REVERSE = 0x0a, -+ QXL_OP_XOR = 0x0b, -+ QXL_OP_ADD = 0x0c, -+ QXL_OP_SATURATE = 0x0d, -+ /* Note the jump here from 0x0d to 0x30 */ -+ QXL_OP_MULTIPLY = 0x30, -+ QXL_OP_SCREEN = 0x31, -+ QXL_OP_OVERLAY = 0x32, -+ QXL_OP_DARKEN = 0x33, -+ QXL_OP_LIGHTEN = 0x34, -+ QXL_OP_COLOR_DODGE = 0x35, -+ QXL_OP_COLOR_BURN = 0x36, -+ QXL_OP_HARD_LIGHT = 0x37, -+ QXL_OP_SOFT_LIGHT = 0x38, -+ QXL_OP_DIFFERENCE = 0x39, -+ QXL_OP_EXCLUSION = 0x3a, -+ QXL_OP_HSL_HUE = 0x3b, -+ QXL_OP_HSL_SATURATION = 0x3c, -+ QXL_OP_HSL_COLOR = 0x3d, -+ QXL_OP_HSL_LUMINOSITY = 0x3e -+}; -+ -+struct qxl_transform { -+ uint32_t t00; -+ uint32_t t01; -+ uint32_t t02; -+ uint32_t t10; -+ uint32_t t11; -+ uint32_t t12; -+}; -+ -+/* The flags field has the following bit fields: -+ * -+ * operator: [ 0 - 7 ] -+ * src_filter: [ 8 - 10 ] -+ * mask_filter: [ 11 - 13 ] -+ * src_repeat: [ 14 - 15 ] -+ * mask_repeat: [ 16 - 17 ] -+ * component_alpha: [ 18 - 18 ] -+ * reserved: [ 19 - 31 ] -+ * -+ * The repeat and filter values are those of pixman: -+ * REPEAT_NONE = 0 -+ * REPEAT_NORMAL = 1 -+ * REPEAT_PAD = 2 -+ * REPEAT_REFLECT = 3 -+ * -+ * The filter values are: -+ * FILTER_NEAREST = 0 -+ * FILTER_BILINEAR = 1 -+ */ -+struct qxl_composite { -+ uint32_t flags; -+ -+ QXLPHYSICAL src; -+ QXLPHYSICAL src_transform; /* May be NULL */ -+ QXLPHYSICAL mask; /* May be NULL */ -+ QXLPHYSICAL mask_transform; /* May be NULL */ -+ struct qxl_point_1_6 src_origin; -+ struct qxl_point_1_6 mask_origin; -+}; -+ -+struct qxl_compat_drawable { -+ union qxl_release_info release_info; -+ uint8_t effect; -+ uint8_t type; -+ uint16_t bitmap_offset; -+ struct qxl_rect bitmap_area; -+ struct qxl_rect bbox; -+ struct qxl_clip clip; -+ uint32_t mm_time; -+ union { -+ struct qxl_fill fill; -+ struct qxl_opaque opaque; -+ struct qxl_copy copy; -+ struct qxl_transparent transparent; -+ struct qxl_compat_alpha_blend alpha_blend; -+ struct qxl_copy_bits copy_bits; -+ struct qxl_copy blend; -+ struct qxl_rop_3 rop3; -+ struct qxl_stroke stroke; -+ struct qxl_text text; -+ struct qxl_mask blackness; -+ struct qxl_mask invers; -+ struct qxl_mask whiteness; -+ } u; -+}; -+ -+struct qxl_drawable { -+ union qxl_release_info release_info; -+ uint32_t surface_id; -+ uint8_t effect; -+ uint8_t type; -+ uint8_t self_bitmap; -+ struct qxl_rect self_bitmap_area; -+ struct qxl_rect bbox; -+ struct qxl_clip clip; -+ uint32_t mm_time; -+ int32_t surfaces_dest[3]; -+ struct qxl_rect surfaces_rects[3]; -+ union { -+ struct qxl_fill fill; -+ struct qxl_opaque opaque; -+ struct qxl_copy copy; -+ struct qxl_transparent transparent; -+ struct qxl_alpha_blend alpha_blend; -+ struct qxl_copy_bits copy_bits; -+ struct qxl_copy blend; -+ struct qxl_rop_3 rop3; -+ struct qxl_stroke stroke; -+ struct qxl_text text; -+ struct qxl_mask blackness; -+ struct qxl_mask invers; -+ struct qxl_mask whiteness; -+ struct qxl_composite composite; -+ } u; -+}; -+ -+enum qxl_surface_cmd_type { -+ QXL_SURFACE_CMD_CREATE, -+ QXL_SURFACE_CMD_DESTROY, -+}; -+ -+struct qxl_surface { -+ uint32_t format; -+ uint32_t width; -+ uint32_t height; -+ int32_t stride; -+ QXLPHYSICAL data; -+}; -+ -+struct qxl_surface_cmd { -+ union qxl_release_info release_info; -+ uint32_t surface_id; -+ uint8_t type; -+ uint32_t flags; -+ union { -+ struct qxl_surface surface_create; -+ } u; -+}; -+ -+struct qxl_clip_rects { -+ uint32_t num_rects; -+ struct qxl_data_chunk chunk; -+}; -+ -+enum { -+ QXL_PATH_BEGIN = (1 << 0), -+ QXL_PATH_END = (1 << 1), -+ QXL_PATH_CLOSE = (1 << 3), -+ QXL_PATH_BEZIER = (1 << 4), -+}; -+ -+struct qxl_path_seg { -+ uint32_t flags; -+ uint32_t count; -+ struct qxl_point_fix points[0]; -+}; -+ -+struct qxl_path { -+ uint32_t data_size; -+ struct qxl_data_chunk chunk; -+}; -+ -+enum { -+ QXL_IMAGE_GROUP_DRIVER, -+ QXL_IMAGE_GROUP_DEVICE, -+ QXL_IMAGE_GROUP_RED, -+ QXL_IMAGE_GROUP_DRIVER_DONT_CACHE, -+}; -+ -+struct qxl_image_id { -+ uint32_t group; -+ uint32_t unique; -+}; -+ -+union qxl_image_id_union { -+ struct qxl_image_id id; -+ uint64_t value; -+}; -+ -+enum qxl_image_flags { -+ QXL_IMAGE_CACHE = (1 << 0), -+ QXL_IMAGE_HIGH_BITS_SET = (1 << 1), -+}; -+ -+enum qxl_bitmap_flags { -+ QXL_BITMAP_DIRECT = (1 << 0), -+ QXL_BITMAP_UNSTABLE = (1 << 1), -+ QXL_BITMAP_TOP_DOWN = (1 << 2), /* == SPICE_BITMAP_FLAGS_TOP_DOWN */ -+}; -+ -+#define QXL_SET_IMAGE_ID(image, _group, _unique) { \ -+ (image)->descriptor.id = (((uint64_t)_unique) << 32) | _group; \ -+} -+ -+struct qxl_image_descriptor { -+ uint64_t id; -+ uint8_t type; -+ uint8_t flags; -+ uint32_t width; -+ uint32_t height; -+}; -+ -+struct qxl_palette { -+ uint64_t unique; -+ uint16_t num_ents; -+ uint32_t ents[0]; -+}; -+ -+struct qxl_bitmap { -+ uint8_t format; -+ uint8_t flags; -+ uint32_t x; -+ uint32_t y; -+ uint32_t stride; -+ QXLPHYSICAL palette; -+ QXLPHYSICAL data; /* data[0] ? */ -+}; -+ -+struct qxl_surface_id { -+ uint32_t surface_id; -+}; -+ -+struct qxl_encoder_data { -+ uint32_t data_size; -+ uint8_t data[0]; -+}; -+ -+struct qxl_image { -+ struct qxl_image_descriptor descriptor; -+ union { /* variable length */ -+ struct qxl_bitmap bitmap; -+ struct qxl_encoder_data quic; -+ struct qxl_surface_id surface_image; -+ } u; -+}; -+ -+/* A QXLHead is a single monitor output backed by a QXLSurface. -+ * x and y offsets are unsigned since they are used in relation to -+ * the given surface, not the same as the x, y coordinates in the guest -+ * screen reference frame. */ -+struct qxl_head { -+ uint32_t id; -+ uint32_t surface_id; -+ uint32_t width; -+ uint32_t height; -+ uint32_t x; -+ uint32_t y; -+ uint32_t flags; -+}; -+ -+struct qxl_monitors_config { -+ uint16_t count; -+ uint16_t max_allowed; /* If it is 0 no fixed limit is given by the -+ driver */ -+ struct qxl_head heads[0]; -+}; -+ -+#pragma pack(pop) -+ -+#endif /* _H_QXL_DEV */ -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -new file mode 100644 -index 0000000..c80ddfe ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -0,0 +1,981 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+ -+#include "linux/crc32.h" -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+#include "drm_crtc_helper.h" -+ -+static void qxl_crtc_set_to_mode(struct qxl_device *qdev, -+ struct drm_connector *connector, -+ struct qxl_head *head) -+{ -+ struct drm_device *dev = connector->dev; -+ struct drm_display_mode *mode, *t; -+ int width = head->width; -+ int height = head->height; -+ -+ if (width < 320 || height < 240) { -+ qxl_io_log(qdev, "%s: bad head: %dx%d", width, height); -+ width = 1024; -+ height = 768; -+ } -+ if (width * height * 4 > 16*1024*1024) { -+ width = 1024; -+ height = 768; -+ } -+ /* TODO: go over regular modes and removed preferred? */ -+ list_for_each_entry_safe(mode, t, &connector->probed_modes, head) -+ drm_mode_remove(connector, mode); -+ mode = drm_cvt_mode(dev, width, height, 60, false, false, false); -+ mode->type |= DRM_MODE_TYPE_PREFERRED; -+ mode->status = MODE_OK; -+ drm_mode_probed_add(connector, mode); -+ qxl_io_log(qdev, "%s: %d x %d\n", __func__, width, height); -+} -+ -+void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev) -+{ -+ struct drm_connector *connector; -+ int i; -+ struct drm_device *dev = qdev->ddev; -+ -+ i = 0; -+ qxl_io_log(qdev, "%s: %d, %d\n", __func__, -+ dev->mode_config.num_connector, -+ qdev->monitors_config->count); -+ list_for_each_entry(connector, &dev->mode_config.connector_list, head) { -+ if (i > qdev->monitors_config->count) { -+ /* crtc will be reported as disabled */ -+ continue; -+ } -+ qxl_crtc_set_to_mode(qdev, connector, -+ &qdev->monitors_config->heads[i]); -+ ++i; -+ } -+} -+ -+void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) -+{ -+ if (qdev->client_monitors_config && -+ count > qdev->client_monitors_config->count) { -+ kfree(qdev->client_monitors_config); -+ } -+ if (!qdev->client_monitors_config) { -+ qdev->client_monitors_config = kzalloc( -+ sizeof(struct qxl_monitors_config) + -+ sizeof(struct qxl_head) * count, GFP_KERNEL); -+ if (!qdev->client_monitors_config) { -+ qxl_io_log(qdev, -+ "%s: allocation failure for %u heads\n", -+ __func__, count); -+ return; -+ } -+ } -+ qdev->client_monitors_config->count = count; -+} -+ -+static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) -+{ -+ int i; -+ int num_monitors; -+ uint32_t crc; -+ -+ BUG_ON(!qdev->monitors_config); -+ num_monitors = qdev->rom->client_monitors_config.count; -+ crc = crc32(0, (const uint8_t *)&qdev->rom->client_monitors_config, -+ sizeof(qdev->rom->client_monitors_config)); -+ if (crc != qdev->rom->client_monitors_config_crc) { -+ qxl_io_log(qdev, "crc mismatch: have %X (%d) != %X\n", crc, -+ sizeof(qdev->rom->client_monitors_config), -+ qdev->rom->client_monitors_config_crc); -+ return 1; -+ } -+ if (num_monitors > qdev->monitors_config->max_allowed) { -+ DRM_INFO("client monitors list will be truncated: %d < %d\n", -+ qdev->monitors_config->max_allowed, num_monitors); -+ num_monitors = qdev->monitors_config->max_allowed; -+ } else { -+ num_monitors = qdev->rom->client_monitors_config.count; -+ } -+ qxl_alloc_client_monitors_config(qdev, num_monitors); -+ /* we copy max from the client but it isn't used */ -+ qdev->client_monitors_config->max_allowed = -+ qdev->monitors_config->max_allowed; -+ for (i = 0 ; i < qdev->client_monitors_config->count ; ++i) { -+ struct qxl_urect *c_rect = -+ &qdev->rom->client_monitors_config.heads[i]; -+ struct qxl_head *client_head = -+ &qdev->client_monitors_config->heads[i]; -+ struct qxl_head *head = &qdev->monitors_config->heads[i]; -+ client_head->x = head->x = c_rect->left; -+ client_head->y = head->y = c_rect->top; -+ client_head->width = head->width = -+ c_rect->right - c_rect->left; -+ client_head->height = head->height = -+ c_rect->bottom - c_rect->top; -+ client_head->surface_id = head->surface_id = 0; -+ client_head->id = head->id = i; -+ client_head->flags = head->flags = 0; -+ QXL_DEBUG(qdev, "read %dx%d+%d+%d\n", head->width, head->height, -+ head->x, head->y); -+ } -+ return 0; -+} -+ -+void qxl_display_read_client_monitors_config(struct qxl_device *qdev) -+{ -+ -+ while (qxl_display_copy_rom_client_monitors_config(qdev)) { -+ qxl_io_log(qdev, "failed crc check for client_monitors_config," -+ " retrying\n"); -+ } -+ qxl_crtc_set_from_monitors_config(qdev); -+ /* fire off a uevent and let userspace tell us what to do */ -+ qxl_io_log(qdev, "calling drm_sysfs_hotplug_event\n"); -+ drm_sysfs_hotplug_event(qdev->ddev); -+} -+ -+static int qxl_add_monitors_config_modes(struct drm_connector *connector) -+{ -+ struct drm_device *dev = connector->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ struct qxl_output *output = drm_connector_to_qxl_output(connector); -+ int h = output->index; -+ struct drm_display_mode *mode = NULL; -+ struct qxl_head *head; -+ -+ if (!qdev->monitors_config) -+ return 0; -+ head = &qdev->monitors_config->heads[h]; -+ -+ mode = drm_cvt_mode(dev, head->width, head->height, 60, false, false, -+ false); -+ mode->type |= DRM_MODE_TYPE_PREFERRED; -+ drm_mode_probed_add(connector, mode); -+ return 1; -+} -+ -+static int qxl_add_common_modes(struct drm_connector *connector) -+{ -+ struct drm_device *dev = connector->dev; -+ struct drm_display_mode *mode = NULL; -+ int i; -+ struct mode_size { -+ int w; -+ int h; -+ } common_modes[] = { -+ { 640, 480}, -+ { 720, 480}, -+ { 800, 600}, -+ { 848, 480}, -+ {1024, 768}, -+ {1152, 768}, -+ {1280, 720}, -+ {1280, 800}, -+ {1280, 854}, -+ {1280, 960}, -+ {1280, 1024}, -+ {1440, 900}, -+ {1400, 1050}, -+ {1680, 1050}, -+ {1600, 1200}, -+ {1920, 1080}, -+ {1920, 1200} -+ }; -+ -+ for (i = 0; i < ARRAY_SIZE(common_modes); i++) { -+ if (common_modes[i].w < 320 || common_modes[i].h < 200) -+ continue; -+ -+ mode = drm_cvt_mode(dev, common_modes[i].w, common_modes[i].h, -+ 60, false, false, false); -+ if (common_modes[i].w == 1024 && common_modes[i].h == 768) -+ mode->type |= DRM_MODE_TYPE_PREFERRED; -+ drm_mode_probed_add(connector, mode); -+ } -+ return i - 1; -+} -+ -+static void qxl_crtc_gamma_set(struct drm_crtc *crtc, u16 *red, u16 *green, -+ u16 *blue, uint32_t start, uint32_t size) -+{ -+ /* TODO */ -+} -+ -+static void qxl_crtc_destroy(struct drm_crtc *crtc) -+{ -+ struct qxl_crtc *qxl_crtc = to_qxl_crtc(crtc); -+ -+ drm_crtc_cleanup(crtc); -+ kfree(qxl_crtc); -+} -+ -+static void -+qxl_hide_cursor(struct qxl_device *qdev) -+{ -+ struct qxl_release *release; -+ struct qxl_cursor_cmd *cmd; -+ int ret; -+ -+ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd), QXL_RELEASE_CURSOR_CMD, -+ &release, NULL); -+ -+ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); -+ cmd->type = QXL_CURSOR_HIDE; -+ qxl_release_unmap(qdev, release, &cmd->release_info); -+ -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); -+ qxl_release_unreserve(qdev, release); -+} -+ -+static int qxl_crtc_cursor_set(struct drm_crtc *crtc, -+ struct drm_file *file_priv, -+ uint32_t handle, -+ uint32_t width, -+ uint32_t height) -+{ -+ struct drm_device *dev = crtc->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); -+ struct drm_gem_object *obj; -+ struct qxl_cursor *cursor; -+ struct qxl_cursor_cmd *cmd; -+ struct qxl_bo *cursor_bo, *user_bo; -+ struct qxl_release *release; -+ void *user_ptr; -+ -+ int size = 64*64*4; -+ int ret = 0; -+ if (!handle) { -+ qxl_hide_cursor(qdev); -+ return 0; -+ } -+ -+ obj = drm_gem_object_lookup(crtc->dev, file_priv, handle); -+ if (!obj) { -+ DRM_ERROR("cannot find cursor object\n"); -+ return -ENOENT; -+ } -+ -+ user_bo = gem_to_qxl_bo(obj); -+ -+ ret = qxl_bo_reserve(user_bo, false); -+ if (ret) -+ goto out_unref; -+ -+ ret = qxl_bo_pin(user_bo, QXL_GEM_DOMAIN_CPU, NULL); -+ if (ret) -+ goto out_unreserve; -+ -+ ret = qxl_bo_kmap(user_bo, &user_ptr); -+ if (ret) -+ goto out_unpin; -+ -+ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd), -+ QXL_RELEASE_CURSOR_CMD, -+ &release, NULL); -+ if (ret) -+ goto out_kunmap; -+ ret = qxl_alloc_bo_reserved(qdev, sizeof(struct qxl_cursor) + size, -+ &cursor_bo); -+ if (ret) -+ goto out_free_release; -+ ret = qxl_bo_kmap(cursor_bo, (void **)&cursor); -+ if (ret) -+ goto out_free_bo; -+ -+ cursor->header.unique = 0; -+ cursor->header.type = SPICE_CURSOR_TYPE_ALPHA; -+ cursor->header.width = 64; -+ cursor->header.height = 64; -+ cursor->header.hot_spot_x = 0; -+ cursor->header.hot_spot_y = 0; -+ cursor->data_size = size; -+ cursor->chunk.next_chunk = 0; -+ cursor->chunk.prev_chunk = 0; -+ cursor->chunk.data_size = size; -+ -+ memcpy(cursor->chunk.data, user_ptr, size); -+ -+ qxl_bo_kunmap(cursor_bo); -+ -+ /* finish with the userspace bo */ -+ qxl_bo_kunmap(user_bo); -+ qxl_bo_unpin(user_bo); -+ qxl_bo_unreserve(user_bo); -+ drm_gem_object_unreference_unlocked(obj); -+ -+ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); -+ cmd->type = QXL_CURSOR_SET; -+ cmd->u.set.position.x = qcrtc->cur_x; -+ cmd->u.set.position.y = qcrtc->cur_y; -+ -+ cmd->u.set.shape = qxl_bo_physical_address(qdev, cursor_bo, 0); -+ qxl_release_add_res(qdev, release, cursor_bo); -+ -+ cmd->u.set.visible = 1; -+ qxl_release_unmap(qdev, release, &cmd->release_info); -+ -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); -+ qxl_release_unreserve(qdev, release); -+ -+ qxl_bo_unreserve(cursor_bo); -+ qxl_bo_unref(&cursor_bo); -+ -+ return ret; -+out_free_bo: -+ qxl_bo_unref(&cursor_bo); -+out_free_release: -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+out_kunmap: -+ qxl_bo_kunmap(user_bo); -+out_unpin: -+ qxl_bo_unpin(user_bo); -+out_unreserve: -+ qxl_bo_unreserve(user_bo); -+out_unref: -+ drm_gem_object_unreference_unlocked(obj); -+ return ret; -+} -+ -+static int qxl_crtc_cursor_move(struct drm_crtc *crtc, -+ int x, int y) -+{ -+ struct drm_device *dev = crtc->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); -+ struct qxl_release *release; -+ struct qxl_cursor_cmd *cmd; -+ int ret; -+ -+ ret = qxl_alloc_release_reserved(qdev, sizeof(*cmd), QXL_RELEASE_CURSOR_CMD, -+ &release, NULL); -+ -+ qcrtc->cur_x = x; -+ qcrtc->cur_y = y; -+ -+ cmd = (struct qxl_cursor_cmd *)qxl_release_map(qdev, release); -+ cmd->type = QXL_CURSOR_MOVE; -+ cmd->u.position.x = qcrtc->cur_x; -+ cmd->u.position.y = qcrtc->cur_y; -+ qxl_release_unmap(qdev, release, &cmd->release_info); -+ -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_cursor_ring_release(qdev, release, QXL_CMD_CURSOR, false); -+ qxl_release_unreserve(qdev, release); -+ return 0; -+} -+ -+ -+static const struct drm_crtc_funcs qxl_crtc_funcs = { -+ .cursor_set = qxl_crtc_cursor_set, -+ .cursor_move = qxl_crtc_cursor_move, -+ .gamma_set = qxl_crtc_gamma_set, -+ .set_config = drm_crtc_helper_set_config, -+ .destroy = qxl_crtc_destroy, -+}; -+ -+static void qxl_user_framebuffer_destroy(struct drm_framebuffer *fb) -+{ -+ struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb); -+ -+ if (qxl_fb->obj) -+ drm_gem_object_unreference_unlocked(qxl_fb->obj); -+ drm_framebuffer_cleanup(fb); -+ kfree(qxl_fb); -+} -+ -+int qxl_framebuffer_surface_dirty(struct drm_framebuffer *fb, -+ struct drm_file *file_priv, -+ unsigned flags, unsigned color, -+ struct drm_clip_rect *clips, -+ unsigned num_clips) -+{ -+ /* TODO: vmwgfx where this was cribbed from had locking. Why? */ -+ struct qxl_framebuffer *qxl_fb = to_qxl_framebuffer(fb); -+ struct qxl_device *qdev = qxl_fb->base.dev->dev_private; -+ struct drm_clip_rect norect; -+ struct qxl_bo *qobj; -+ int inc = 1; -+ -+ qobj = gem_to_qxl_bo(qxl_fb->obj); -+ if (qxl_fb != qdev->active_user_framebuffer) { -+ DRM_INFO("%s: qxl_fb 0x%p != qdev->active_user_framebuffer 0x%p\n", -+ __func__, qxl_fb, qdev->active_user_framebuffer); -+ } -+ if (!num_clips) { -+ num_clips = 1; -+ clips = &norect; -+ norect.x1 = norect.y1 = 0; -+ norect.x2 = fb->width; -+ norect.y2 = fb->height; -+ } else if (flags & DRM_MODE_FB_DIRTY_ANNOTATE_COPY) { -+ num_clips /= 2; -+ inc = 2; /* skip source rects */ -+ } -+ -+ qxl_draw_dirty_fb(qdev, qxl_fb, qobj, flags, color, -+ clips, num_clips, inc); -+ return 0; -+} -+ -+static const struct drm_framebuffer_funcs qxl_fb_funcs = { -+ .destroy = qxl_user_framebuffer_destroy, -+ .dirty = qxl_framebuffer_surface_dirty, -+/* TODO? -+ * .create_handle = qxl_user_framebuffer_create_handle, */ -+}; -+ -+int -+qxl_framebuffer_init(struct drm_device *dev, -+ struct qxl_framebuffer *qfb, -+ struct drm_mode_fb_cmd2 *mode_cmd, -+ struct drm_gem_object *obj) -+{ -+ int ret; -+ -+ qfb->obj = obj; -+ ret = drm_framebuffer_init(dev, &qfb->base, &qxl_fb_funcs); -+ if (ret) { -+ qfb->obj = NULL; -+ return ret; -+ } -+ drm_helper_mode_fill_fb_struct(&qfb->base, mode_cmd); -+ return 0; -+} -+ -+static void qxl_crtc_dpms(struct drm_crtc *crtc, int mode) -+{ -+} -+ -+static bool qxl_crtc_mode_fixup(struct drm_crtc *crtc, -+ const struct drm_display_mode *mode, -+ struct drm_display_mode *adjusted_mode) -+{ -+ struct drm_device *dev = crtc->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ -+ qxl_io_log(qdev, "%s: (%d,%d) => (%d,%d)\n", -+ __func__, -+ mode->hdisplay, mode->vdisplay, -+ adjusted_mode->hdisplay, -+ adjusted_mode->vdisplay); -+ return true; -+} -+ -+void -+qxl_send_monitors_config(struct qxl_device *qdev) -+{ -+ int i; -+ -+ BUG_ON(!qdev->ram_header->monitors_config); -+ -+ if (qdev->monitors_config->count == 0) { -+ qxl_io_log(qdev, "%s: 0 monitors??\n", __func__); -+ return; -+ } -+ for (i = 0 ; i < qdev->monitors_config->count ; ++i) { -+ struct qxl_head *head = &qdev->monitors_config->heads[i]; -+ -+ if (head->y > 8192 || head->y < head->x || -+ head->width > 8192 || head->height > 8192) { -+ DRM_ERROR("head %d wrong: %dx%d+%d+%d\n", -+ i, head->width, head->height, -+ head->x, head->y); -+ return; -+ } -+ } -+ qxl_io_monitors_config(qdev); -+} -+ -+static void qxl_monitors_config_set_single(struct qxl_device *qdev, -+ unsigned x, unsigned y, -+ unsigned width, unsigned height) -+{ -+ DRM_DEBUG("%dx%d+%d+%d\n", width, height, x, y); -+ qdev->monitors_config->count = 1; -+ qdev->monitors_config->heads[0].x = x; -+ qdev->monitors_config->heads[0].y = y; -+ qdev->monitors_config->heads[0].width = width; -+ qdev->monitors_config->heads[0].height = height; -+} -+ -+static int qxl_crtc_mode_set(struct drm_crtc *crtc, -+ struct drm_display_mode *mode, -+ struct drm_display_mode *adjusted_mode, -+ int x, int y, -+ struct drm_framebuffer *old_fb) -+{ -+ struct drm_device *dev = crtc->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ struct qxl_mode *m = (void *)mode->private; -+ struct qxl_framebuffer *qfb; -+ struct qxl_bo *bo, *old_bo = NULL; -+ uint32_t width, height, base_offset; -+ bool recreate_primary = false; -+ int ret; -+ -+ if (!crtc->fb) { -+ DRM_DEBUG_KMS("No FB bound\n"); -+ return 0; -+ } -+ -+ if (old_fb) { -+ qfb = to_qxl_framebuffer(old_fb); -+ old_bo = gem_to_qxl_bo(qfb->obj); -+ } -+ qfb = to_qxl_framebuffer(crtc->fb); -+ bo = gem_to_qxl_bo(qfb->obj); -+ if (!m) -+ /* and do we care? */ -+ DRM_DEBUG("%dx%d: not a native mode\n", x, y); -+ else -+ DRM_DEBUG("%dx%d: qxl id %d\n", -+ mode->hdisplay, mode->vdisplay, m->id); -+ DRM_DEBUG("+%d+%d (%d,%d) => (%d,%d)\n", -+ x, y, -+ mode->hdisplay, mode->vdisplay, -+ adjusted_mode->hdisplay, -+ adjusted_mode->vdisplay); -+ -+ recreate_primary = true; -+ -+ width = mode->hdisplay; -+ height = mode->vdisplay; -+ base_offset = 0; -+ -+ ret = qxl_bo_reserve(bo, false); -+ if (ret != 0) -+ return ret; -+ ret = qxl_bo_pin(bo, bo->type, NULL); -+ if (ret != 0) { -+ qxl_bo_unreserve(bo); -+ return -EINVAL; -+ } -+ qxl_bo_unreserve(bo); -+ if (recreate_primary) { -+ qxl_io_destroy_primary(qdev); -+ qxl_io_log(qdev, -+ "recreate primary: %dx%d (was %dx%d,%d,%d)\n", -+ width, height, bo->surf.width, -+ bo->surf.height, bo->surf.stride, bo->surf.format); -+ qxl_io_create_primary(qdev, width, height, base_offset, bo); -+ bo->is_primary = true; -+ } -+ -+ if (old_bo && old_bo != bo) { -+ old_bo->is_primary = false; -+ ret = qxl_bo_reserve(old_bo, false); -+ qxl_bo_unpin(old_bo); -+ qxl_bo_unreserve(old_bo); -+ } -+ -+ if (qdev->monitors_config->count == 0) { -+ qxl_monitors_config_set_single(qdev, x, y, -+ mode->hdisplay, -+ mode->vdisplay); -+ } -+ qdev->mode_set = true; -+ return 0; -+} -+ -+static void qxl_crtc_prepare(struct drm_crtc *crtc) -+{ -+ DRM_DEBUG("current: %dx%d+%d+%d (%d).\n", -+ crtc->mode.hdisplay, crtc->mode.vdisplay, -+ crtc->x, crtc->y, crtc->enabled); -+} -+ -+static void qxl_crtc_commit(struct drm_crtc *crtc) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+void qxl_crtc_load_lut(struct drm_crtc *crtc) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { -+ .dpms = qxl_crtc_dpms, -+ .mode_fixup = qxl_crtc_mode_fixup, -+ .mode_set = qxl_crtc_mode_set, -+ .prepare = qxl_crtc_prepare, -+ .commit = qxl_crtc_commit, -+ .load_lut = qxl_crtc_load_lut, -+}; -+ -+int qdev_crtc_init(struct drm_device *dev, int num_crtc) -+{ -+ struct qxl_crtc *qxl_crtc; -+ -+ qxl_crtc = kzalloc(sizeof(struct qxl_crtc), GFP_KERNEL); -+ if (!qxl_crtc) -+ return -ENOMEM; -+ -+ drm_crtc_init(dev, &qxl_crtc->base, &qxl_crtc_funcs); -+ -+ drm_mode_crtc_set_gamma_size(&qxl_crtc->base, 256); -+ drm_crtc_helper_add(&qxl_crtc->base, &qxl_crtc_helper_funcs); -+ return 0; -+} -+ -+static void qxl_enc_dpms(struct drm_encoder *encoder, int mode) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static bool qxl_enc_mode_fixup(struct drm_encoder *encoder, -+ const struct drm_display_mode *mode, -+ struct drm_display_mode *adjusted_mode) -+{ -+ DRM_DEBUG("\n"); -+ return true; -+} -+ -+static void qxl_enc_prepare(struct drm_encoder *encoder) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, -+ struct drm_encoder *encoder) -+{ -+ int i; -+ struct qxl_head *head; -+ struct drm_display_mode *mode; -+ -+ BUG_ON(!encoder); -+ /* TODO: ugly, do better */ -+ for (i = 0 ; (encoder->possible_crtcs != (1 << i)) && i < 32; ++i) -+ ; -+ if (encoder->possible_crtcs != (1 << i)) { -+ DRM_ERROR("encoder has wrong possible_crtcs: %x\n", -+ encoder->possible_crtcs); -+ return; -+ } -+ if (!qdev->monitors_config || -+ qdev->monitors_config->max_allowed <= i) { -+ DRM_ERROR( -+ "head number too large or missing monitors config: %p, %d", -+ qdev->monitors_config, -+ qdev->monitors_config ? -+ qdev->monitors_config->max_allowed : -1); -+ return; -+ } -+ if (!encoder->crtc) { -+ DRM_ERROR("missing crtc on encoder %p\n", encoder); -+ return; -+ } -+ if (i != 0) -+ DRM_DEBUG("missing for multiple monitors: no head holes\n"); -+ head = &qdev->monitors_config->heads[i]; -+ head->id = i; -+ head->surface_id = 0; -+ if (encoder->crtc->enabled) { -+ mode = &encoder->crtc->mode; -+ head->width = mode->hdisplay; -+ head->height = mode->vdisplay; -+ head->x = encoder->crtc->x; -+ head->y = encoder->crtc->y; -+ if (qdev->monitors_config->count < i + 1) -+ qdev->monitors_config->count = i + 1; -+ } else { -+ head->width = 0; -+ head->height = 0; -+ head->x = 0; -+ head->y = 0; -+ } -+ DRM_DEBUG("setting head %d to +%d+%d %dx%d\n", -+ i, head->x, head->y, head->width, head->height); -+ head->flags = 0; -+ /* TODO - somewhere else to call this for multiple monitors -+ * (config_commit?) */ -+ qxl_send_monitors_config(qdev); -+} -+ -+static void qxl_enc_commit(struct drm_encoder *encoder) -+{ -+ struct qxl_device *qdev = encoder->dev->dev_private; -+ -+ qxl_write_monitors_config_for_encoder(qdev, encoder); -+ DRM_DEBUG("\n"); -+} -+ -+static void qxl_enc_mode_set(struct drm_encoder *encoder, -+ struct drm_display_mode *mode, -+ struct drm_display_mode *adjusted_mode) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static int qxl_conn_get_modes(struct drm_connector *connector) -+{ -+ int ret = 0; -+ struct qxl_device *qdev = connector->dev->dev_private; -+ -+ DRM_DEBUG_KMS("monitors_config=%p\n", qdev->monitors_config); -+ /* TODO: what should we do here? only show the configured modes for the -+ * device, or allow the full list, or both? */ -+ if (qdev->monitors_config && qdev->monitors_config->count) { -+ ret = qxl_add_monitors_config_modes(connector); -+ if (ret < 0) -+ return ret; -+ } -+ ret += qxl_add_common_modes(connector); -+ return ret; -+} -+ -+static int qxl_conn_mode_valid(struct drm_connector *connector, -+ struct drm_display_mode *mode) -+{ -+ /* TODO: is this called for user defined modes? (xrandr --add-mode) -+ * TODO: check that the mode fits in the framebuffer */ -+ DRM_DEBUG("%s: %dx%d status=%d\n", mode->name, mode->hdisplay, -+ mode->vdisplay, mode->status); -+ return MODE_OK; -+} -+ -+struct drm_encoder *qxl_best_encoder(struct drm_connector *connector) -+{ -+ struct qxl_output *qxl_output = -+ drm_connector_to_qxl_output(connector); -+ -+ DRM_DEBUG("\n"); -+ return &qxl_output->enc; -+} -+ -+ -+static const struct drm_encoder_helper_funcs qxl_enc_helper_funcs = { -+ .dpms = qxl_enc_dpms, -+ .mode_fixup = qxl_enc_mode_fixup, -+ .prepare = qxl_enc_prepare, -+ .mode_set = qxl_enc_mode_set, -+ .commit = qxl_enc_commit, -+}; -+ -+static const struct drm_connector_helper_funcs qxl_connector_helper_funcs = { -+ .get_modes = qxl_conn_get_modes, -+ .mode_valid = qxl_conn_mode_valid, -+ .best_encoder = qxl_best_encoder, -+}; -+ -+static void qxl_conn_save(struct drm_connector *connector) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static void qxl_conn_restore(struct drm_connector *connector) -+{ -+ DRM_DEBUG("\n"); -+} -+ -+static enum drm_connector_status qxl_conn_detect( -+ struct drm_connector *connector, -+ bool force) -+{ -+ struct qxl_output *output = -+ drm_connector_to_qxl_output(connector); -+ struct drm_device *ddev = connector->dev; -+ struct qxl_device *qdev = ddev->dev_private; -+ int connected; -+ -+ /* The first monitor is always connected */ -+ connected = (output->index == 0) || -+ (qdev->monitors_config && -+ qdev->monitors_config->count > output->index); -+ -+ DRM_DEBUG("\n"); -+ return connected ? connector_status_connected -+ : connector_status_disconnected; -+} -+ -+static int qxl_conn_set_property(struct drm_connector *connector, -+ struct drm_property *property, -+ uint64_t value) -+{ -+ DRM_DEBUG("\n"); -+ return 0; -+} -+ -+static void qxl_conn_destroy(struct drm_connector *connector) -+{ -+ struct qxl_output *qxl_output = -+ drm_connector_to_qxl_output(connector); -+ -+ drm_sysfs_connector_remove(connector); -+ drm_connector_cleanup(connector); -+ kfree(qxl_output); -+} -+ -+static const struct drm_connector_funcs qxl_connector_funcs = { -+ .dpms = drm_helper_connector_dpms, -+ .save = qxl_conn_save, -+ .restore = qxl_conn_restore, -+ .detect = qxl_conn_detect, -+ .fill_modes = drm_helper_probe_single_connector_modes, -+ .set_property = qxl_conn_set_property, -+ .destroy = qxl_conn_destroy, -+}; -+ -+static void qxl_enc_destroy(struct drm_encoder *encoder) -+{ -+ drm_encoder_cleanup(encoder); -+} -+ -+static const struct drm_encoder_funcs qxl_enc_funcs = { -+ .destroy = qxl_enc_destroy, -+}; -+ -+int qdev_output_init(struct drm_device *dev, int num_output) -+{ -+ struct qxl_output *qxl_output; -+ struct drm_connector *connector; -+ struct drm_encoder *encoder; -+ -+ qxl_output = kzalloc(sizeof(struct qxl_output), GFP_KERNEL); -+ if (!qxl_output) -+ return -ENOMEM; -+ -+ qxl_output->index = num_output; -+ -+ connector = &qxl_output->base; -+ encoder = &qxl_output->enc; -+ drm_connector_init(dev, &qxl_output->base, -+ &qxl_connector_funcs, DRM_MODE_CONNECTOR_VIRTUAL); -+ -+ drm_encoder_init(dev, &qxl_output->enc, &qxl_enc_funcs, -+ DRM_MODE_ENCODER_VIRTUAL); -+ -+ encoder->possible_crtcs = 1 << num_output; -+ drm_mode_connector_attach_encoder(&qxl_output->base, -+ &qxl_output->enc); -+ drm_encoder_helper_add(encoder, &qxl_enc_helper_funcs); -+ drm_connector_helper_add(connector, &qxl_connector_helper_funcs); -+ -+ drm_sysfs_connector_add(connector); -+ return 0; -+} -+ -+static struct drm_framebuffer * -+qxl_user_framebuffer_create(struct drm_device *dev, -+ struct drm_file *file_priv, -+ struct drm_mode_fb_cmd2 *mode_cmd) -+{ -+ struct drm_gem_object *obj; -+ struct qxl_framebuffer *qxl_fb; -+ struct qxl_device *qdev = dev->dev_private; -+ int ret; -+ -+ obj = drm_gem_object_lookup(dev, file_priv, mode_cmd->handles[0]); -+ -+ qxl_fb = kzalloc(sizeof(*qxl_fb), GFP_KERNEL); -+ if (qxl_fb == NULL) -+ return NULL; -+ -+ ret = qxl_framebuffer_init(dev, qxl_fb, mode_cmd, obj); -+ if (ret) { -+ kfree(qxl_fb); -+ drm_gem_object_unreference_unlocked(obj); -+ return NULL; -+ } -+ -+ if (qdev->active_user_framebuffer) { -+ DRM_INFO("%s: active_user_framebuffer %p -> %p\n", -+ __func__, -+ qdev->active_user_framebuffer, qxl_fb); -+ } -+ qdev->active_user_framebuffer = qxl_fb; -+ -+ return &qxl_fb->base; -+} -+ -+static const struct drm_mode_config_funcs qxl_mode_funcs = { -+ .fb_create = qxl_user_framebuffer_create, -+}; -+ -+int qxl_modeset_init(struct qxl_device *qdev) -+{ -+ int i; -+ int ret; -+ struct drm_gem_object *gobj; -+ int max_allowed = QXL_NUM_OUTPUTS; -+ int monitors_config_size = sizeof(struct qxl_monitors_config) + -+ max_allowed * sizeof(struct qxl_head); -+ -+ drm_mode_config_init(qdev->ddev); -+ ret = qxl_gem_object_create(qdev, monitors_config_size, 0, -+ QXL_GEM_DOMAIN_VRAM, -+ false, false, NULL, &gobj); -+ if (ret) { -+ DRM_ERROR("%s: failed to create gem ret=%d\n", __func__, ret); -+ return -ENOMEM; -+ } -+ qdev->monitors_config_bo = gem_to_qxl_bo(gobj); -+ qxl_bo_kmap(qdev->monitors_config_bo, NULL); -+ qdev->monitors_config = qdev->monitors_config_bo->kptr; -+ qdev->ram_header->monitors_config = -+ qxl_bo_physical_address(qdev, qdev->monitors_config_bo, 0); -+ -+ memset(qdev->monitors_config, 0, monitors_config_size); -+ qdev->monitors_config->max_allowed = max_allowed; -+ -+ qdev->ddev->mode_config.funcs = (void *)&qxl_mode_funcs; -+ -+ /* modes will be validated against the framebuffer size */ -+ qdev->ddev->mode_config.min_width = 320; -+ qdev->ddev->mode_config.min_height = 200; -+ qdev->ddev->mode_config.max_width = 8192; -+ qdev->ddev->mode_config.max_height = 8192; -+ -+ qdev->ddev->mode_config.fb_base = qdev->vram_base; -+ for (i = 0 ; i < QXL_NUM_OUTPUTS; ++i) { -+ qdev_crtc_init(qdev->ddev, i); -+ qdev_output_init(qdev->ddev, i); -+ } -+ -+ qdev->mode_info.mode_config_initialized = true; -+ -+ /* primary surface must be created by this point, to allow -+ * issuing command queue commands and having them read by -+ * spice server. */ -+ qxl_fbdev_init(qdev); -+ return 0; -+} -+ -+void qxl_modeset_fini(struct qxl_device *qdev) -+{ -+ qxl_fbdev_fini(qdev); -+ if (qdev->mode_info.mode_config_initialized) { -+ drm_mode_config_cleanup(qdev->ddev); -+ qdev->mode_info.mode_config_initialized = false; -+ } -+} -diff --git a/drivers/gpu/drm/qxl/qxl_draw.c b/drivers/gpu/drm/qxl/qxl_draw.c -new file mode 100644 -index 0000000..3c8c3db ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_draw.c -@@ -0,0 +1,390 @@ -+/* -+ * Copyright 2011 Red Hat, Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * on the rights to use, copy, modify, merge, publish, distribute, sub -+ * license, and/or sell copies of the Software, and to permit persons to whom -+ * the Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL -+ * THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -+ */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+/* returns a pointer to the already allocated qxl_rect array inside -+ * the qxl_clip_rects. This is *not* the same as the memory allocated -+ * on the device, it is offset to qxl_clip_rects.chunk.data */ -+static struct qxl_rect *drawable_set_clipping(struct qxl_device *qdev, -+ struct qxl_drawable *drawable, -+ unsigned num_clips, -+ struct qxl_bo **clips_bo, -+ struct qxl_release *release) -+{ -+ struct qxl_clip_rects *dev_clips; -+ int ret; -+ int size = sizeof(*dev_clips) + sizeof(struct qxl_rect) * num_clips; -+ ret = qxl_alloc_bo_reserved(qdev, size, clips_bo); -+ if (ret) -+ return NULL; -+ -+ ret = qxl_bo_kmap(*clips_bo, (void **)&dev_clips); -+ if (ret) { -+ qxl_bo_unref(clips_bo); -+ return NULL; -+ } -+ dev_clips->num_rects = num_clips; -+ dev_clips->chunk.next_chunk = 0; -+ dev_clips->chunk.prev_chunk = 0; -+ dev_clips->chunk.data_size = sizeof(struct qxl_rect) * num_clips; -+ return (struct qxl_rect *)dev_clips->chunk.data; -+} -+ -+static int -+make_drawable(struct qxl_device *qdev, int surface, uint8_t type, -+ const struct qxl_rect *rect, -+ struct qxl_release **release) -+{ -+ struct qxl_drawable *drawable; -+ int i, ret; -+ -+ ret = qxl_alloc_release_reserved(qdev, sizeof(*drawable), -+ QXL_RELEASE_DRAWABLE, release, -+ NULL); -+ if (ret) -+ return ret; -+ -+ drawable = (struct qxl_drawable *)qxl_release_map(qdev, *release); -+ drawable->type = type; -+ -+ drawable->surface_id = surface; /* Only primary for now */ -+ drawable->effect = QXL_EFFECT_OPAQUE; -+ drawable->self_bitmap = 0; -+ drawable->self_bitmap_area.top = 0; -+ drawable->self_bitmap_area.left = 0; -+ drawable->self_bitmap_area.bottom = 0; -+ drawable->self_bitmap_area.right = 0; -+ /* FIXME: add clipping */ -+ drawable->clip.type = SPICE_CLIP_TYPE_NONE; -+ -+ /* -+ * surfaces_dest[i] should apparently be filled out with the -+ * surfaces that we depend on, and surface_rects should be -+ * filled with the rectangles of those surfaces that we -+ * are going to use. -+ */ -+ for (i = 0; i < 3; ++i) -+ drawable->surfaces_dest[i] = -1; -+ -+ if (rect) -+ drawable->bbox = *rect; -+ -+ drawable->mm_time = qdev->rom->mm_clock; -+ qxl_release_unmap(qdev, *release, &drawable->release_info); -+ return 0; -+} -+ -+static int qxl_palette_create_1bit(struct qxl_bo **palette_bo, -+ const struct qxl_fb_image *qxl_fb_image) -+{ -+ struct qxl_device *qdev = qxl_fb_image->qdev; -+ const struct fb_image *fb_image = &qxl_fb_image->fb_image; -+ uint32_t visual = qxl_fb_image->visual; -+ const uint32_t *pseudo_palette = qxl_fb_image->pseudo_palette; -+ struct qxl_palette *pal; -+ int ret; -+ uint32_t fgcolor, bgcolor; -+ static uint64_t unique; /* we make no attempt to actually set this -+ * correctly globaly, since that would require -+ * tracking all of our palettes. */ -+ -+ ret = qxl_alloc_bo_reserved(qdev, -+ sizeof(struct qxl_palette) + sizeof(uint32_t) * 2, -+ palette_bo); -+ -+ ret = qxl_bo_kmap(*palette_bo, (void **)&pal); -+ pal->num_ents = 2; -+ pal->unique = unique++; -+ if (visual == FB_VISUAL_TRUECOLOR || visual == FB_VISUAL_DIRECTCOLOR) { -+ /* NB: this is the only used branch currently. */ -+ fgcolor = pseudo_palette[fb_image->fg_color]; -+ bgcolor = pseudo_palette[fb_image->bg_color]; -+ } else { -+ fgcolor = fb_image->fg_color; -+ bgcolor = fb_image->bg_color; -+ } -+ pal->ents[0] = bgcolor; -+ pal->ents[1] = fgcolor; -+ qxl_bo_kunmap(*palette_bo); -+ return 0; -+} -+ -+void qxl_draw_opaque_fb(const struct qxl_fb_image *qxl_fb_image, -+ int stride /* filled in if 0 */) -+{ -+ struct qxl_device *qdev = qxl_fb_image->qdev; -+ struct qxl_drawable *drawable; -+ struct qxl_rect rect; -+ const struct fb_image *fb_image = &qxl_fb_image->fb_image; -+ int x = fb_image->dx; -+ int y = fb_image->dy; -+ int width = fb_image->width; -+ int height = fb_image->height; -+ const char *src = fb_image->data; -+ int depth = fb_image->depth; -+ struct qxl_release *release; -+ struct qxl_bo *image_bo; -+ struct qxl_image *image; -+ int ret; -+ -+ if (stride == 0) -+ stride = depth * width / 8; -+ -+ rect.left = x; -+ rect.right = x + width; -+ rect.top = y; -+ rect.bottom = y + height; -+ -+ ret = make_drawable(qdev, 0, QXL_DRAW_COPY, &rect, &release); -+ if (ret) -+ return; -+ -+ ret = qxl_image_create(qdev, release, &image_bo, -+ (const uint8_t *)src, 0, 0, -+ width, height, depth, stride); -+ if (ret) { -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ return; -+ } -+ -+ if (depth == 1) { -+ struct qxl_bo *palette_bo; -+ void *ptr; -+ ret = qxl_palette_create_1bit(&palette_bo, qxl_fb_image); -+ qxl_release_add_res(qdev, release, palette_bo); -+ -+ ptr = qxl_bo_kmap_atomic_page(qdev, image_bo, 0); -+ image = ptr; -+ image->u.bitmap.palette = -+ qxl_bo_physical_address(qdev, palette_bo, 0); -+ qxl_bo_kunmap_atomic_page(qdev, image_bo, ptr); -+ qxl_bo_unreserve(palette_bo); -+ qxl_bo_unref(&palette_bo); -+ } -+ -+ drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); -+ -+ drawable->u.copy.src_area.top = 0; -+ drawable->u.copy.src_area.bottom = height; -+ drawable->u.copy.src_area.left = 0; -+ drawable->u.copy.src_area.right = width; -+ -+ drawable->u.copy.rop_descriptor = SPICE_ROPD_OP_PUT; -+ drawable->u.copy.scale_mode = 0; -+ drawable->u.copy.mask.flags = 0; -+ drawable->u.copy.mask.pos.x = 0; -+ drawable->u.copy.mask.pos.y = 0; -+ drawable->u.copy.mask.bitmap = 0; -+ -+ drawable->u.copy.src_bitmap = -+ qxl_bo_physical_address(qdev, image_bo, 0); -+ qxl_release_unmap(qdev, release, &drawable->release_info); -+ -+ qxl_release_add_res(qdev, release, image_bo); -+ qxl_bo_unreserve(image_bo); -+ qxl_bo_unref(&image_bo); -+ -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); -+ qxl_release_unreserve(qdev, release); -+} -+ -+/* push a draw command using the given clipping rectangles as -+ * the sources from the shadow framebuffer. -+ * -+ * Right now implementing with a single draw and a clip list. Clip -+ * lists are known to be a problem performance wise, this can be solved -+ * by treating them differently in the server. -+ */ -+void qxl_draw_dirty_fb(struct qxl_device *qdev, -+ struct qxl_framebuffer *qxl_fb, -+ struct qxl_bo *bo, -+ unsigned flags, unsigned color, -+ struct drm_clip_rect *clips, -+ unsigned num_clips, int inc) -+{ -+ /* -+ * TODO: if flags & DRM_MODE_FB_DIRTY_ANNOTATE_FILL then we should -+ * send a fill command instead, much cheaper. -+ * -+ * See include/drm/drm_mode.h -+ */ -+ struct drm_clip_rect *clips_ptr; -+ int i; -+ int left, right, top, bottom; -+ int width, height; -+ struct qxl_drawable *drawable; -+ struct qxl_rect drawable_rect; -+ struct qxl_rect *rects; -+ int stride = qxl_fb->base.pitches[0]; -+ /* depth is not actually interesting, we don't mask with it */ -+ int depth = qxl_fb->base.bits_per_pixel; -+ uint8_t *surface_base; -+ struct qxl_release *release; -+ struct qxl_bo *image_bo; -+ struct qxl_bo *clips_bo; -+ int ret; -+ -+ left = clips->x1; -+ right = clips->x2; -+ top = clips->y1; -+ bottom = clips->y2; -+ -+ /* skip the first clip rect */ -+ for (i = 1, clips_ptr = clips + inc; -+ i < num_clips; i++, clips_ptr += inc) { -+ left = min_t(int, left, (int)clips_ptr->x1); -+ right = max_t(int, right, (int)clips_ptr->x2); -+ top = min_t(int, top, (int)clips_ptr->y1); -+ bottom = max_t(int, bottom, (int)clips_ptr->y2); -+ } -+ -+ width = right - left; -+ height = bottom - top; -+ drawable_rect.left = left; -+ drawable_rect.right = right; -+ drawable_rect.top = top; -+ drawable_rect.bottom = bottom; -+ ret = make_drawable(qdev, 0, QXL_DRAW_COPY, &drawable_rect, -+ &release); -+ if (ret) -+ return; -+ -+ ret = qxl_bo_kmap(bo, (void **)&surface_base); -+ if (ret) -+ goto out_unref; -+ -+ ret = qxl_image_create(qdev, release, &image_bo, surface_base, -+ left, top, width, height, depth, stride); -+ qxl_bo_kunmap(bo); -+ if (ret) -+ goto out_unref; -+ -+ rects = drawable_set_clipping(qdev, drawable, num_clips, &clips_bo, release); -+ if (!rects) { -+ qxl_bo_unref(&image_bo); -+ goto out_unref; -+ } -+ drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); -+ -+ drawable->clip.type = SPICE_CLIP_TYPE_RECTS; -+ drawable->clip.data = qxl_bo_physical_address(qdev, -+ clips_bo, 0); -+ qxl_release_add_res(qdev, release, clips_bo); -+ -+ drawable->u.copy.src_area.top = 0; -+ drawable->u.copy.src_area.bottom = height; -+ drawable->u.copy.src_area.left = 0; -+ drawable->u.copy.src_area.right = width; -+ -+ drawable->u.copy.rop_descriptor = SPICE_ROPD_OP_PUT; -+ drawable->u.copy.scale_mode = 0; -+ drawable->u.copy.mask.flags = 0; -+ drawable->u.copy.mask.pos.x = 0; -+ drawable->u.copy.mask.pos.y = 0; -+ drawable->u.copy.mask.bitmap = 0; -+ -+ drawable->u.copy.src_bitmap = qxl_bo_physical_address(qdev, image_bo, 0); -+ qxl_release_unmap(qdev, release, &drawable->release_info); -+ qxl_release_add_res(qdev, release, image_bo); -+ qxl_bo_unreserve(image_bo); -+ qxl_bo_unref(&image_bo); -+ clips_ptr = clips; -+ for (i = 0; i < num_clips; i++, clips_ptr += inc) { -+ rects[i].left = clips_ptr->x1; -+ rects[i].right = clips_ptr->x2; -+ rects[i].top = clips_ptr->y1; -+ rects[i].bottom = clips_ptr->y2; -+ } -+ qxl_bo_kunmap(clips_bo); -+ qxl_bo_unreserve(clips_bo); -+ qxl_bo_unref(&clips_bo); -+ -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); -+ qxl_release_unreserve(qdev, release); -+ return; -+ -+out_unref: -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+} -+ -+void qxl_draw_copyarea(struct qxl_device *qdev, -+ u32 width, u32 height, -+ u32 sx, u32 sy, -+ u32 dx, u32 dy) -+{ -+ struct qxl_drawable *drawable; -+ struct qxl_rect rect; -+ struct qxl_release *release; -+ int ret; -+ -+ rect.left = dx; -+ rect.top = dy; -+ rect.right = dx + width; -+ rect.bottom = dy + height; -+ ret = make_drawable(qdev, 0, QXL_COPY_BITS, &rect, &release); -+ if (ret) -+ return; -+ -+ drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); -+ drawable->u.copy_bits.src_pos.x = sx; -+ drawable->u.copy_bits.src_pos.y = sy; -+ -+ qxl_release_unmap(qdev, release, &drawable->release_info); -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); -+ qxl_release_unreserve(qdev, release); -+} -+ -+void qxl_draw_fill(struct qxl_draw_fill *qxl_draw_fill_rec) -+{ -+ struct qxl_device *qdev = qxl_draw_fill_rec->qdev; -+ struct qxl_rect rect = qxl_draw_fill_rec->rect; -+ uint32_t color = qxl_draw_fill_rec->color; -+ uint16_t rop = qxl_draw_fill_rec->rop; -+ struct qxl_drawable *drawable; -+ struct qxl_release *release; -+ int ret; -+ -+ ret = make_drawable(qdev, 0, QXL_DRAW_FILL, &rect, &release); -+ if (ret) -+ return; -+ -+ drawable = (struct qxl_drawable *)qxl_release_map(qdev, release); -+ drawable->u.fill.brush.type = SPICE_BRUSH_TYPE_SOLID; -+ drawable->u.fill.brush.u.color = color; -+ drawable->u.fill.rop_descriptor = rop; -+ drawable->u.fill.mask.flags = 0; -+ drawable->u.fill.mask.pos.x = 0; -+ drawable->u.fill.mask.pos.y = 0; -+ drawable->u.fill.mask.bitmap = 0; -+ -+ qxl_release_unmap(qdev, release, &drawable->release_info); -+ qxl_fence_releaseable(qdev, release); -+ qxl_push_command_ring_release(qdev, release, QXL_CMD_DRAW, false); -+ qxl_release_unreserve(qdev, release); -+} -diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c -new file mode 100644 -index 0000000..d337da0 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_drv.c -@@ -0,0 +1,145 @@ -+/* vim: set ts=8 sw=8 tw=78 ai noexpandtab */ -+/* qxl_drv.c -- QXL driver -*- linux-c -*- -+ * -+ * Copyright 2011 Red Hat, Inc. -+ * All Rights Reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * VA LINUX SYSTEMS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: -+ * Dave Airlie -+ * Alon Levy -+ */ -+ -+#include -+#include -+ -+#include "drmP.h" -+#include "drm/drm.h" -+ -+#include "qxl_drv.h" -+ -+extern int qxl_max_ioctls; -+static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { -+ { 0x1b36, 0x100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, -+ 0xffff00, 0 }, -+ { 0x1b36, 0x100, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_OTHER << 8, -+ 0xffff00, 0 }, -+ { 0, 0, 0 }, -+}; -+MODULE_DEVICE_TABLE(pci, pciidlist); -+ -+int qxl_modeset = -1; -+ -+MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); -+module_param_named(modeset, qxl_modeset, int, 0400); -+ -+static struct drm_driver qxl_driver; -+static struct pci_driver qxl_pci_driver; -+ -+static int -+qxl_pci_probe(struct pci_dev *pdev, const struct pci_device_id *ent) -+{ -+ if (pdev->revision < 4) { -+ DRM_ERROR("qxl too old, doesn't support client_monitors_config," -+ " use xf86-video-qxl in user mode"); -+ return -EINVAL; /* TODO: ENODEV ? */ -+ } -+ return drm_get_pci_dev(pdev, ent, &qxl_driver); -+} -+ -+static void -+qxl_pci_remove(struct pci_dev *pdev) -+{ -+ struct drm_device *dev = pci_get_drvdata(pdev); -+ -+ drm_put_dev(dev); -+} -+ -+static struct pci_driver qxl_pci_driver = { -+ .name = DRIVER_NAME, -+ .id_table = pciidlist, -+ .probe = qxl_pci_probe, -+ .remove = qxl_pci_remove, -+}; -+ -+static const struct file_operations qxl_fops = { -+ .owner = THIS_MODULE, -+ .open = drm_open, -+ .release = drm_release, -+ .unlocked_ioctl = drm_ioctl, -+ .poll = drm_poll, -+ .fasync = drm_fasync, -+ .mmap = qxl_mmap, -+}; -+ -+static struct drm_driver qxl_driver = { -+ .driver_features = DRIVER_GEM | DRIVER_MODESET | -+ DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED, -+ .dev_priv_size = 0, -+ .load = qxl_driver_load, -+ .unload = qxl_driver_unload, -+ -+ .dumb_create = qxl_mode_dumb_create, -+ .dumb_map_offset = qxl_mode_dumb_mmap, -+ .dumb_destroy = qxl_mode_dumb_destroy, -+#if defined(CONFIG_DEBUG_FS) -+ .debugfs_init = qxl_debugfs_init, -+ .debugfs_cleanup = qxl_debugfs_takedown, -+#endif -+ .gem_init_object = qxl_gem_object_init, -+ .gem_free_object = qxl_gem_object_free, -+ .gem_open_object = qxl_gem_object_open, -+ .gem_close_object = qxl_gem_object_close, -+ .fops = &qxl_fops, -+ .ioctls = qxl_ioctls, -+ .irq_handler = qxl_irq_handler, -+ .name = DRIVER_NAME, -+ .desc = DRIVER_DESC, -+ .date = DRIVER_DATE, -+ .major = 0, -+ .minor = 1, -+ .patchlevel = 0, -+}; -+ -+static int __init qxl_init(void) -+{ -+#ifdef CONFIG_VGA_CONSOLE -+ if (vgacon_text_force() && qxl_modeset == -1) -+ return -EINVAL; -+#endif -+ -+ if (qxl_modeset == 0) -+ return -EINVAL; -+ qxl_driver.num_ioctls = qxl_max_ioctls; -+ return drm_pci_init(&qxl_driver, &qxl_pci_driver); -+} -+ -+static void __exit qxl_exit(void) -+{ -+ drm_pci_exit(&qxl_driver, &qxl_pci_driver); -+} -+ -+module_init(qxl_init); -+module_exit(qxl_exit); -+ -+MODULE_AUTHOR(DRIVER_AUTHOR); -+MODULE_DESCRIPTION(DRIVER_DESC); -+MODULE_LICENSE("GPL and additional rights"); -diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h -new file mode 100644 -index 0000000..52b582c ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_drv.h -@@ -0,0 +1,566 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+ -+#ifndef QXL_DRV_H -+#define QXL_DRV_H -+ -+/* -+ * Definitions taken from spice-protocol, plus kernel driver specific bits. -+ */ -+ -+#include -+#include -+#include -+ -+#include "drmP.h" -+#include "drm_crtc.h" -+#include -+#include -+#include -+#include -+ -+#include -+#include "qxl_dev.h" -+ -+#define DRIVER_AUTHOR "Dave Airlie" -+ -+#define DRIVER_NAME "qxl" -+#define DRIVER_DESC "RH QXL" -+#define DRIVER_DATE "20120117" -+ -+#define DRIVER_MAJOR 0 -+#define DRIVER_MINOR 1 -+#define DRIVER_PATCHLEVEL 0 -+ -+#define QXL_NUM_OUTPUTS 1 -+ -+#define QXL_DEBUGFS_MAX_COMPONENTS 32 -+ -+extern int qxl_log_level; -+ -+enum { -+ QXL_INFO_LEVEL = 1, -+ QXL_DEBUG_LEVEL = 2, -+}; -+ -+#define QXL_INFO(qdev, fmt, ...) do { \ -+ if (qxl_log_level >= QXL_INFO_LEVEL) { \ -+ qxl_io_log(qdev, fmt, __VA_ARGS__); \ -+ } \ -+ } while (0) -+#define QXL_DEBUG(qdev, fmt, ...) do { \ -+ if (qxl_log_level >= QXL_DEBUG_LEVEL) { \ -+ qxl_io_log(qdev, fmt, __VA_ARGS__); \ -+ } \ -+ } while (0) -+#define QXL_INFO_ONCE(qdev, fmt, ...) do { \ -+ static int done; \ -+ if (!done) { \ -+ done = 1; \ -+ QXL_INFO(qdev, fmt, __VA_ARGS__); \ -+ } \ -+ } while (0) -+ -+#define DRM_FILE_OFFSET 0x100000000ULL -+#define DRM_FILE_PAGE_OFFSET (DRM_FILE_OFFSET >> PAGE_SHIFT) -+ -+#define QXL_INTERRUPT_MASK (\ -+ QXL_INTERRUPT_DISPLAY |\ -+ QXL_INTERRUPT_CURSOR |\ -+ QXL_INTERRUPT_IO_CMD |\ -+ QXL_INTERRUPT_CLIENT_MONITORS_CONFIG) -+ -+struct qxl_fence { -+ struct qxl_device *qdev; -+ uint32_t num_active_releases; -+ uint32_t *release_ids; -+ struct radix_tree_root tree; -+}; -+ -+struct qxl_bo { -+ /* Protected by gem.mutex */ -+ struct list_head list; -+ /* Protected by tbo.reserved */ -+ u32 placements[3]; -+ struct ttm_placement placement; -+ struct ttm_buffer_object tbo; -+ struct ttm_bo_kmap_obj kmap; -+ unsigned pin_count; -+ void *kptr; -+ int type; -+ /* Constant after initialization */ -+ struct drm_gem_object gem_base; -+ bool is_primary; /* is this now a primary surface */ -+ bool hw_surf_alloc; -+ struct qxl_surface surf; -+ uint32_t surface_id; -+ struct qxl_fence fence; /* per bo fence - list of releases */ -+ struct qxl_release *surf_create; -+ atomic_t reserve_count; -+}; -+#define gem_to_qxl_bo(gobj) container_of((gobj), struct qxl_bo, gem_base) -+ -+struct qxl_gem { -+ struct mutex mutex; -+ struct list_head objects; -+}; -+ -+struct qxl_bo_list { -+ struct list_head lhead; -+ struct qxl_bo *bo; -+}; -+ -+struct qxl_reloc_list { -+ struct list_head bos; -+}; -+ -+struct qxl_crtc { -+ struct drm_crtc base; -+ int cur_x; -+ int cur_y; -+}; -+ -+struct qxl_output { -+ int index; -+ struct drm_connector base; -+ struct drm_encoder enc; -+}; -+ -+struct qxl_framebuffer { -+ struct drm_framebuffer base; -+ struct drm_gem_object *obj; -+}; -+ -+#define to_qxl_crtc(x) container_of(x, struct qxl_crtc, base) -+#define drm_connector_to_qxl_output(x) container_of(x, struct qxl_output, base) -+#define drm_encoder_to_qxl_output(x) container_of(x, struct qxl_output, base) -+#define to_qxl_framebuffer(x) container_of(x, struct qxl_framebuffer, base) -+ -+struct qxl_mman { -+ struct ttm_bo_global_ref bo_global_ref; -+ struct drm_global_reference mem_global_ref; -+ bool mem_global_referenced; -+ struct ttm_bo_device bdev; -+}; -+ -+struct qxl_mode_info { -+ int num_modes; -+ struct qxl_mode *modes; -+ bool mode_config_initialized; -+ -+ /* pointer to fbdev info structure */ -+ struct qxl_fbdev *qfbdev; -+}; -+ -+ -+struct qxl_memslot { -+ uint8_t generation; -+ uint64_t start_phys_addr; -+ uint64_t end_phys_addr; -+ uint64_t high_bits; -+}; -+ -+enum { -+ QXL_RELEASE_DRAWABLE, -+ QXL_RELEASE_SURFACE_CMD, -+ QXL_RELEASE_CURSOR_CMD, -+}; -+ -+/* drm_ prefix to differentiate from qxl_release_info in -+ * spice-protocol/qxl_dev.h */ -+#define QXL_MAX_RES 96 -+struct qxl_release { -+ int id; -+ int type; -+ int bo_count; -+ uint32_t release_offset; -+ uint32_t surface_release_id; -+ struct qxl_bo *bos[QXL_MAX_RES]; -+}; -+ -+struct qxl_fb_image { -+ struct qxl_device *qdev; -+ uint32_t pseudo_palette[16]; -+ struct fb_image fb_image; -+ uint32_t visual; -+}; -+ -+struct qxl_draw_fill { -+ struct qxl_device *qdev; -+ struct qxl_rect rect; -+ uint32_t color; -+ uint16_t rop; -+}; -+ -+/* -+ * Debugfs -+ */ -+struct qxl_debugfs { -+ struct drm_info_list *files; -+ unsigned num_files; -+}; -+ -+int qxl_debugfs_add_files(struct qxl_device *rdev, -+ struct drm_info_list *files, -+ unsigned nfiles); -+int qxl_debugfs_fence_init(struct qxl_device *rdev); -+void qxl_debugfs_remove_files(struct qxl_device *qdev); -+ -+struct qxl_device; -+ -+struct qxl_device { -+ struct device *dev; -+ struct drm_device *ddev; -+ struct pci_dev *pdev; -+ unsigned long flags; -+ -+ resource_size_t vram_base, vram_size; -+ resource_size_t surfaceram_base, surfaceram_size; -+ resource_size_t rom_base, rom_size; -+ struct qxl_rom *rom; -+ -+ struct qxl_mode *modes; -+ struct qxl_bo *monitors_config_bo; -+ struct qxl_monitors_config *monitors_config; -+ -+ /* last received client_monitors_config */ -+ struct qxl_monitors_config *client_monitors_config; -+ -+ int io_base; -+ void *ram; -+ struct qxl_mman mman; -+ struct qxl_gem gem; -+ struct qxl_mode_info mode_info; -+ -+ /* -+ * last created framebuffer with fb_create -+ * only used by debugfs dumbppm -+ */ -+ struct qxl_framebuffer *active_user_framebuffer; -+ -+ struct fb_info *fbdev_info; -+ struct qxl_framebuffer *fbdev_qfb; -+ void *ram_physical; -+ -+ struct qxl_ring *release_ring; -+ struct qxl_ring *command_ring; -+ struct qxl_ring *cursor_ring; -+ -+ struct qxl_ram_header *ram_header; -+ bool mode_set; -+ -+ bool primary_created; -+ -+ struct qxl_memslot *mem_slots; -+ uint8_t n_mem_slots; -+ -+ uint8_t main_mem_slot; -+ uint8_t surfaces_mem_slot; -+ uint8_t slot_id_bits; -+ uint8_t slot_gen_bits; -+ uint64_t va_slot_mask; -+ -+ struct idr release_idr; -+ spinlock_t release_idr_lock; -+ struct mutex async_io_mutex; -+ unsigned int last_sent_io_cmd; -+ -+ /* interrupt handling */ -+ atomic_t irq_received; -+ atomic_t irq_received_display; -+ atomic_t irq_received_cursor; -+ atomic_t irq_received_io_cmd; -+ unsigned irq_received_error; -+ wait_queue_head_t display_event; -+ wait_queue_head_t cursor_event; -+ wait_queue_head_t io_cmd_event; -+ struct work_struct client_monitors_config_work; -+ -+ /* debugfs */ -+ struct qxl_debugfs debugfs[QXL_DEBUGFS_MAX_COMPONENTS]; -+ unsigned debugfs_count; -+ -+ struct mutex update_area_mutex; -+ -+ struct idr surf_id_idr; -+ spinlock_t surf_id_idr_lock; -+ int last_alloced_surf_id; -+ -+ struct mutex surf_evict_mutex; -+ struct io_mapping *vram_mapping; -+ struct io_mapping *surface_mapping; -+ -+ /* */ -+ struct mutex release_mutex; -+ struct qxl_bo *current_release_bo[3]; -+ int current_release_bo_offset[3]; -+ -+ struct workqueue_struct *gc_queue; -+ struct work_struct gc_work; -+ -+}; -+ -+/* forward declaration for QXL_INFO_IO */ -+void qxl_io_log(struct qxl_device *qdev, const char *fmt, ...); -+ -+extern struct drm_ioctl_desc qxl_ioctls[]; -+extern int qxl_max_ioctl; -+ -+int qxl_driver_load(struct drm_device *dev, unsigned long flags); -+int qxl_driver_unload(struct drm_device *dev); -+ -+int qxl_modeset_init(struct qxl_device *qdev); -+void qxl_modeset_fini(struct qxl_device *qdev); -+ -+int qxl_bo_init(struct qxl_device *qdev); -+void qxl_bo_fini(struct qxl_device *qdev); -+ -+struct qxl_ring *qxl_ring_create(struct qxl_ring_header *header, -+ int element_size, -+ int n_elements, -+ int prod_notify, -+ bool set_prod_notify, -+ wait_queue_head_t *push_event); -+void qxl_ring_free(struct qxl_ring *ring); -+ -+static inline void * -+qxl_fb_virtual_address(struct qxl_device *qdev, unsigned long physical) -+{ -+ QXL_INFO(qdev, "not implemented (%lu)\n", physical); -+ return 0; -+} -+ -+static inline uint64_t -+qxl_bo_physical_address(struct qxl_device *qdev, struct qxl_bo *bo, -+ unsigned long offset) -+{ -+ int slot_id = bo->type == QXL_GEM_DOMAIN_VRAM ? qdev->main_mem_slot : qdev->surfaces_mem_slot; -+ struct qxl_memslot *slot = &(qdev->mem_slots[slot_id]); -+ -+ /* TODO - need to hold one of the locks to read tbo.offset */ -+ return slot->high_bits | (bo->tbo.offset + offset); -+} -+ -+/* qxl_fb.c */ -+#define QXLFB_CONN_LIMIT 1 -+ -+int qxl_fbdev_init(struct qxl_device *qdev); -+void qxl_fbdev_fini(struct qxl_device *qdev); -+int qxl_get_handle_for_primary_fb(struct qxl_device *qdev, -+ struct drm_file *file_priv, -+ uint32_t *handle); -+ -+/* qxl_display.c */ -+int -+qxl_framebuffer_init(struct drm_device *dev, -+ struct qxl_framebuffer *rfb, -+ struct drm_mode_fb_cmd2 *mode_cmd, -+ struct drm_gem_object *obj); -+void qxl_display_read_client_monitors_config(struct qxl_device *qdev); -+void qxl_send_monitors_config(struct qxl_device *qdev); -+ -+/* used by qxl_debugfs only */ -+void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev); -+void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count); -+ -+/* qxl_gem.c */ -+int qxl_gem_init(struct qxl_device *qdev); -+void qxl_gem_fini(struct qxl_device *qdev); -+int qxl_gem_object_create(struct qxl_device *qdev, int size, -+ int alignment, int initial_domain, -+ bool discardable, bool kernel, -+ struct qxl_surface *surf, -+ struct drm_gem_object **obj); -+int qxl_gem_object_pin(struct drm_gem_object *obj, uint32_t pin_domain, -+ uint64_t *gpu_addr); -+void qxl_gem_object_unpin(struct drm_gem_object *obj); -+int qxl_gem_object_create_with_handle(struct qxl_device *qdev, -+ struct drm_file *file_priv, -+ u32 domain, -+ size_t size, -+ struct qxl_surface *surf, -+ struct qxl_bo **qobj, -+ uint32_t *handle); -+int qxl_gem_object_init(struct drm_gem_object *obj); -+void qxl_gem_object_free(struct drm_gem_object *gobj); -+int qxl_gem_object_open(struct drm_gem_object *obj, struct drm_file *file_priv); -+void qxl_gem_object_close(struct drm_gem_object *obj, -+ struct drm_file *file_priv); -+void qxl_bo_force_delete(struct qxl_device *qdev); -+int qxl_bo_kmap(struct qxl_bo *bo, void **ptr); -+ -+/* qxl_dumb.c */ -+int qxl_mode_dumb_create(struct drm_file *file_priv, -+ struct drm_device *dev, -+ struct drm_mode_create_dumb *args); -+int qxl_mode_dumb_destroy(struct drm_file *file_priv, -+ struct drm_device *dev, -+ uint32_t handle); -+int qxl_mode_dumb_mmap(struct drm_file *filp, -+ struct drm_device *dev, -+ uint32_t handle, uint64_t *offset_p); -+ -+ -+/* qxl ttm */ -+int qxl_ttm_init(struct qxl_device *qdev); -+void qxl_ttm_fini(struct qxl_device *qdev); -+int qxl_mmap(struct file *filp, struct vm_area_struct *vma); -+ -+/* qxl image */ -+ -+int qxl_image_create(struct qxl_device *qdev, -+ struct qxl_release *release, -+ struct qxl_bo **image_bo, -+ const uint8_t *data, -+ int x, int y, int width, int height, -+ int depth, int stride); -+void qxl_update_screen(struct qxl_device *qxl); -+ -+/* qxl io operations (qxl_cmd.c) */ -+ -+void qxl_io_create_primary(struct qxl_device *qdev, -+ unsigned width, unsigned height, unsigned offset, -+ struct qxl_bo *bo); -+void qxl_io_destroy_primary(struct qxl_device *qdev); -+void qxl_io_memslot_add(struct qxl_device *qdev, uint8_t id); -+void qxl_io_notify_oom(struct qxl_device *qdev); -+ -+int qxl_io_update_area(struct qxl_device *qdev, struct qxl_bo *surf, -+ const struct qxl_rect *area); -+ -+void qxl_io_reset(struct qxl_device *qdev); -+void qxl_io_monitors_config(struct qxl_device *qdev); -+int qxl_ring_push(struct qxl_ring *ring, const void *new_elt, bool interruptible); -+void qxl_io_flush_release(struct qxl_device *qdev); -+void qxl_io_flush_surfaces(struct qxl_device *qdev); -+ -+int qxl_release_reserve(struct qxl_device *qdev, -+ struct qxl_release *release, bool no_wait); -+void qxl_release_unreserve(struct qxl_device *qdev, -+ struct qxl_release *release); -+union qxl_release_info *qxl_release_map(struct qxl_device *qdev, -+ struct qxl_release *release); -+void qxl_release_unmap(struct qxl_device *qdev, -+ struct qxl_release *release, -+ union qxl_release_info *info); -+/* -+ * qxl_bo_add_resource. -+ * -+ */ -+void qxl_bo_add_resource(struct qxl_bo *main_bo, struct qxl_bo *resource); -+ -+int qxl_alloc_surface_release_reserved(struct qxl_device *qdev, -+ enum qxl_surface_cmd_type surface_cmd_type, -+ struct qxl_release *create_rel, -+ struct qxl_release **release); -+int qxl_alloc_release_reserved(struct qxl_device *qdev, unsigned long size, -+ int type, struct qxl_release **release, -+ struct qxl_bo **rbo); -+int qxl_fence_releaseable(struct qxl_device *qdev, -+ struct qxl_release *release); -+int -+qxl_push_command_ring_release(struct qxl_device *qdev, struct qxl_release *release, -+ uint32_t type, bool interruptible); -+int -+qxl_push_cursor_ring_release(struct qxl_device *qdev, struct qxl_release *release, -+ uint32_t type, bool interruptible); -+int qxl_alloc_bo_reserved(struct qxl_device *qdev, unsigned long size, -+ struct qxl_bo **_bo); -+/* qxl drawing commands */ -+ -+void qxl_draw_opaque_fb(const struct qxl_fb_image *qxl_fb_image, -+ int stride /* filled in if 0 */); -+ -+void qxl_draw_dirty_fb(struct qxl_device *qdev, -+ struct qxl_framebuffer *qxl_fb, -+ struct qxl_bo *bo, -+ unsigned flags, unsigned color, -+ struct drm_clip_rect *clips, -+ unsigned num_clips, int inc); -+ -+void qxl_draw_fill(struct qxl_draw_fill *qxl_draw_fill_rec); -+ -+void qxl_draw_copyarea(struct qxl_device *qdev, -+ u32 width, u32 height, -+ u32 sx, u32 sy, -+ u32 dx, u32 dy); -+ -+uint64_t -+qxl_release_alloc(struct qxl_device *qdev, int type, -+ struct qxl_release **ret); -+ -+void qxl_release_free(struct qxl_device *qdev, -+ struct qxl_release *release); -+void qxl_release_add_res(struct qxl_device *qdev, -+ struct qxl_release *release, -+ struct qxl_bo *bo); -+/* used by qxl_debugfs_release */ -+struct qxl_release *qxl_release_from_id_locked(struct qxl_device *qdev, -+ uint64_t id); -+ -+bool qxl_queue_garbage_collect(struct qxl_device *qdev, bool flush); -+int qxl_garbage_collect(struct qxl_device *qdev); -+ -+/* debugfs */ -+ -+int qxl_debugfs_init(struct drm_minor *minor); -+void qxl_debugfs_takedown(struct drm_minor *minor); -+ -+/* qxl_irq.c */ -+int qxl_irq_init(struct qxl_device *qdev); -+irqreturn_t qxl_irq_handler(DRM_IRQ_ARGS); -+ -+/* qxl_fb.c */ -+int qxl_fb_init(struct qxl_device *qdev); -+ -+int qxl_debugfs_add_files(struct qxl_device *qdev, -+ struct drm_info_list *files, -+ unsigned nfiles); -+ -+int qxl_surface_id_alloc(struct qxl_device *qdev, -+ struct qxl_bo *surf); -+void qxl_surface_id_dealloc(struct qxl_device *qdev, -+ uint32_t surface_id); -+int qxl_hw_surface_alloc(struct qxl_device *qdev, -+ struct qxl_bo *surf, -+ struct ttm_mem_reg *mem); -+int qxl_hw_surface_dealloc(struct qxl_device *qdev, -+ struct qxl_bo *surf); -+ -+int qxl_bo_check_id(struct qxl_device *qdev, struct qxl_bo *bo); -+ -+struct qxl_drv_surface * -+qxl_surface_lookup(struct drm_device *dev, int surface_id); -+void qxl_surface_evict(struct qxl_device *qdev, struct qxl_bo *surf, bool freeing); -+int qxl_update_surface(struct qxl_device *qdev, struct qxl_bo *surf); -+ -+/* qxl_fence.c */ -+int qxl_fence_add_release(struct qxl_fence *qfence, uint32_t rel_id); -+int qxl_fence_remove_release(struct qxl_fence *qfence, uint32_t rel_id); -+int qxl_fence_init(struct qxl_device *qdev, struct qxl_fence *qfence); -+void qxl_fence_fini(struct qxl_fence *qfence); -+ -+#endif -diff --git a/drivers/gpu/drm/qxl/qxl_dumb.c b/drivers/gpu/drm/qxl/qxl_dumb.c -new file mode 100644 -index 0000000..847c4ee ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_dumb.c -@@ -0,0 +1,93 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+/* dumb ioctls implementation */ -+ -+int qxl_mode_dumb_create(struct drm_file *file_priv, -+ struct drm_device *dev, -+ struct drm_mode_create_dumb *args) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct qxl_bo *qobj; -+ uint32_t handle; -+ int r; -+ struct qxl_surface surf; -+ uint32_t pitch, format; -+ pitch = args->width * ((args->bpp + 1) / 8); -+ args->size = pitch * args->height; -+ args->size = ALIGN(args->size, PAGE_SIZE); -+ -+ switch (args->bpp) { -+ case 16: -+ format = SPICE_SURFACE_FMT_16_565; -+ break; -+ case 32: -+ format = SPICE_SURFACE_FMT_32_xRGB; -+ break; -+ default: -+ return -EINVAL; -+ } -+ -+ surf.width = args->width; -+ surf.height = args->height; -+ surf.stride = pitch; -+ surf.format = format; -+ r = qxl_gem_object_create_with_handle(qdev, file_priv, -+ QXL_GEM_DOMAIN_VRAM, -+ args->size, &surf, &qobj, -+ &handle); -+ if (r) -+ return r; -+ args->pitch = pitch; -+ args->handle = handle; -+ return 0; -+} -+ -+int qxl_mode_dumb_destroy(struct drm_file *file_priv, -+ struct drm_device *dev, -+ uint32_t handle) -+{ -+ return drm_gem_handle_delete(file_priv, handle); -+} -+ -+int qxl_mode_dumb_mmap(struct drm_file *file_priv, -+ struct drm_device *dev, -+ uint32_t handle, uint64_t *offset_p) -+{ -+ struct drm_gem_object *gobj; -+ struct qxl_bo *qobj; -+ -+ BUG_ON(!offset_p); -+ gobj = drm_gem_object_lookup(dev, file_priv, handle); -+ if (gobj == NULL) -+ return -ENOENT; -+ qobj = gem_to_qxl_bo(gobj); -+ *offset_p = qxl_bo_mmap_offset(qobj); -+ drm_gem_object_unreference_unlocked(gobj); -+ return 0; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c -new file mode 100644 -index 0000000..232b52b ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_fb.c -@@ -0,0 +1,567 @@ -+/* -+ * Copyright © 2013 Red Hat -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER -+ * LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING -+ * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER -+ * DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: -+ * David Airlie -+ */ -+#include -+#include -+ -+#include "drmP.h" -+#include "drm/drm.h" -+#include "drm/drm_crtc.h" -+#include "drm/drm_crtc_helper.h" -+#include "qxl_drv.h" -+ -+#include "qxl_object.h" -+#include "drm_fb_helper.h" -+ -+#define QXL_DIRTY_DELAY (HZ / 30) -+ -+struct qxl_fbdev { -+ struct drm_fb_helper helper; -+ struct qxl_framebuffer qfb; -+ struct list_head fbdev_list; -+ struct qxl_device *qdev; -+ -+ void *shadow; -+ int size; -+ -+ /* dirty memory logging */ -+ struct { -+ spinlock_t lock; -+ bool active; -+ unsigned x1; -+ unsigned y1; -+ unsigned x2; -+ unsigned y2; -+ } dirty; -+}; -+ -+static void qxl_fb_image_init(struct qxl_fb_image *qxl_fb_image, -+ struct qxl_device *qdev, struct fb_info *info, -+ const struct fb_image *image) -+{ -+ qxl_fb_image->qdev = qdev; -+ if (info) { -+ qxl_fb_image->visual = info->fix.visual; -+ if (qxl_fb_image->visual == FB_VISUAL_TRUECOLOR || -+ qxl_fb_image->visual == FB_VISUAL_DIRECTCOLOR) -+ memcpy(&qxl_fb_image->pseudo_palette, -+ info->pseudo_palette, -+ sizeof(qxl_fb_image->pseudo_palette)); -+ } else { -+ /* fallback */ -+ if (image->depth == 1) -+ qxl_fb_image->visual = FB_VISUAL_MONO10; -+ else -+ qxl_fb_image->visual = FB_VISUAL_DIRECTCOLOR; -+ } -+ if (image) { -+ memcpy(&qxl_fb_image->fb_image, image, -+ sizeof(qxl_fb_image->fb_image)); -+ } -+} -+ -+static void qxl_fb_dirty_flush(struct fb_info *info) -+{ -+ struct qxl_fbdev *qfbdev = info->par; -+ struct qxl_device *qdev = qfbdev->qdev; -+ struct qxl_fb_image qxl_fb_image; -+ struct fb_image *image = &qxl_fb_image.fb_image; -+ u32 x1, x2, y1, y2; -+ -+ /* TODO: hard coding 32 bpp */ -+ int stride = qfbdev->qfb.base.pitches[0] * 4; -+ -+ x1 = qfbdev->dirty.x1; -+ x2 = qfbdev->dirty.x2; -+ y1 = qfbdev->dirty.y1; -+ y2 = qfbdev->dirty.y2; -+ /* -+ * we are using a shadow draw buffer, at qdev->surface0_shadow -+ */ -+ qxl_io_log(qdev, "dirty x[%d, %d], y[%d, %d]", x1, x2, y1, y2); -+ image->dx = x1; -+ image->dy = y1; -+ image->width = x2 - x1; -+ image->height = y2 - y1; -+ image->fg_color = 0xffffffff; /* unused, just to avoid uninitialized -+ warnings */ -+ image->bg_color = 0; -+ image->depth = 32; /* TODO: take from somewhere? */ -+ image->cmap.start = 0; -+ image->cmap.len = 0; -+ image->cmap.red = NULL; -+ image->cmap.green = NULL; -+ image->cmap.blue = NULL; -+ image->cmap.transp = NULL; -+ image->data = qfbdev->shadow + (x1 * 4) + (stride * y1); -+ -+ qxl_fb_image_init(&qxl_fb_image, qdev, info, NULL); -+ qxl_draw_opaque_fb(&qxl_fb_image, stride); -+ qfbdev->dirty.x1 = 0; -+ qfbdev->dirty.x2 = 0; -+ qfbdev->dirty.y1 = 0; -+ qfbdev->dirty.y2 = 0; -+} -+ -+static void qxl_deferred_io(struct fb_info *info, -+ struct list_head *pagelist) -+{ -+ struct qxl_fbdev *qfbdev = info->par; -+ unsigned long start, end, min, max; -+ struct page *page; -+ int y1, y2; -+ -+ min = ULONG_MAX; -+ max = 0; -+ list_for_each_entry(page, pagelist, lru) { -+ start = page->index << PAGE_SHIFT; -+ end = start + PAGE_SIZE - 1; -+ min = min(min, start); -+ max = max(max, end); -+ } -+ -+ if (min < max) { -+ y1 = min / info->fix.line_length; -+ y2 = (max / info->fix.line_length) + 1; -+ -+ /* TODO: add spin lock? */ -+ /* spin_lock_irqsave(&qfbdev->dirty.lock, flags); */ -+ qfbdev->dirty.x1 = 0; -+ qfbdev->dirty.y1 = y1; -+ qfbdev->dirty.x2 = info->var.xres; -+ qfbdev->dirty.y2 = y2; -+ /* spin_unlock_irqrestore(&qfbdev->dirty.lock, flags); */ -+ } -+ -+ qxl_fb_dirty_flush(info); -+}; -+ -+ -+struct fb_deferred_io qxl_defio = { -+ .delay = QXL_DIRTY_DELAY, -+ .deferred_io = qxl_deferred_io, -+}; -+ -+static void qxl_fb_fillrect(struct fb_info *info, -+ const struct fb_fillrect *fb_rect) -+{ -+ struct qxl_fbdev *qfbdev = info->par; -+ struct qxl_device *qdev = qfbdev->qdev; -+ struct qxl_rect rect; -+ uint32_t color; -+ int x = fb_rect->dx; -+ int y = fb_rect->dy; -+ int width = fb_rect->width; -+ int height = fb_rect->height; -+ uint16_t rop; -+ struct qxl_draw_fill qxl_draw_fill_rec; -+ -+ if (info->fix.visual == FB_VISUAL_TRUECOLOR || -+ info->fix.visual == FB_VISUAL_DIRECTCOLOR) -+ color = ((u32 *) (info->pseudo_palette))[fb_rect->color]; -+ else -+ color = fb_rect->color; -+ rect.left = x; -+ rect.right = x + width; -+ rect.top = y; -+ rect.bottom = y + height; -+ switch (fb_rect->rop) { -+ case ROP_XOR: -+ rop = SPICE_ROPD_OP_XOR; -+ break; -+ case ROP_COPY: -+ rop = SPICE_ROPD_OP_PUT; -+ break; -+ default: -+ pr_err("qxl_fb_fillrect(): unknown rop, " -+ "defaulting to SPICE_ROPD_OP_PUT\n"); -+ rop = SPICE_ROPD_OP_PUT; -+ } -+ qxl_draw_fill_rec.qdev = qdev; -+ qxl_draw_fill_rec.rect = rect; -+ qxl_draw_fill_rec.color = color; -+ qxl_draw_fill_rec.rop = rop; -+ if (!drm_can_sleep()) { -+ qxl_io_log(qdev, -+ "%s: TODO use RCU, mysterious locks with spin_lock\n", -+ __func__); -+ return; -+ } -+ qxl_draw_fill(&qxl_draw_fill_rec); -+} -+ -+static void qxl_fb_copyarea(struct fb_info *info, -+ const struct fb_copyarea *region) -+{ -+ struct qxl_fbdev *qfbdev = info->par; -+ -+ qxl_draw_copyarea(qfbdev->qdev, -+ region->width, region->height, -+ region->sx, region->sy, -+ region->dx, region->dy); -+} -+ -+static void qxl_fb_imageblit_safe(struct qxl_fb_image *qxl_fb_image) -+{ -+ qxl_draw_opaque_fb(qxl_fb_image, 0); -+} -+ -+static void qxl_fb_imageblit(struct fb_info *info, -+ const struct fb_image *image) -+{ -+ struct qxl_fbdev *qfbdev = info->par; -+ struct qxl_device *qdev = qfbdev->qdev; -+ struct qxl_fb_image qxl_fb_image; -+ -+ if (!drm_can_sleep()) { -+ /* we cannot do any ttm_bo allocation since that will fail on -+ * ioremap_wc..__get_vm_area_node, so queue the work item -+ * instead This can happen from printk inside an interrupt -+ * context, i.e.: smp_apic_timer_interrupt..check_cpu_stall */ -+ qxl_io_log(qdev, -+ "%s: TODO use RCU, mysterious locks with spin_lock\n", -+ __func__); -+ return; -+ } -+ -+ /* ensure proper order of rendering operations - TODO: must do this -+ * for everything. */ -+ qxl_fb_image_init(&qxl_fb_image, qfbdev->qdev, info, image); -+ qxl_fb_imageblit_safe(&qxl_fb_image); -+} -+ -+int qxl_fb_init(struct qxl_device *qdev) -+{ -+ return 0; -+} -+ -+static struct fb_ops qxlfb_ops = { -+ .owner = THIS_MODULE, -+ .fb_check_var = drm_fb_helper_check_var, -+ .fb_set_par = drm_fb_helper_set_par, /* TODO: copy vmwgfx */ -+ .fb_fillrect = qxl_fb_fillrect, -+ .fb_copyarea = qxl_fb_copyarea, -+ .fb_imageblit = qxl_fb_imageblit, -+ .fb_pan_display = drm_fb_helper_pan_display, -+ .fb_blank = drm_fb_helper_blank, -+ .fb_setcmap = drm_fb_helper_setcmap, -+ .fb_debug_enter = drm_fb_helper_debug_enter, -+ .fb_debug_leave = drm_fb_helper_debug_leave, -+}; -+ -+static void qxlfb_destroy_pinned_object(struct drm_gem_object *gobj) -+{ -+ struct qxl_bo *qbo = gem_to_qxl_bo(gobj); -+ int ret; -+ -+ ret = qxl_bo_reserve(qbo, false); -+ if (likely(ret == 0)) { -+ qxl_bo_kunmap(qbo); -+ qxl_bo_unpin(qbo); -+ qxl_bo_unreserve(qbo); -+ } -+ drm_gem_object_unreference_unlocked(gobj); -+} -+ -+int qxl_get_handle_for_primary_fb(struct qxl_device *qdev, -+ struct drm_file *file_priv, -+ uint32_t *handle) -+{ -+ int r; -+ struct drm_gem_object *gobj = qdev->fbdev_qfb->obj; -+ -+ BUG_ON(!gobj); -+ /* drm_get_handle_create adds a reference - good */ -+ r = drm_gem_handle_create(file_priv, gobj, handle); -+ if (r) -+ return r; -+ return 0; -+} -+ -+static int qxlfb_create_pinned_object(struct qxl_fbdev *qfbdev, -+ struct drm_mode_fb_cmd2 *mode_cmd, -+ struct drm_gem_object **gobj_p) -+{ -+ struct qxl_device *qdev = qfbdev->qdev; -+ struct drm_gem_object *gobj = NULL; -+ struct qxl_bo *qbo = NULL; -+ int ret; -+ int aligned_size, size; -+ int height = mode_cmd->height; -+ int bpp; -+ int depth; -+ -+ drm_fb_get_bpp_depth(mode_cmd->pixel_format, &bpp, &depth); -+ -+ size = mode_cmd->pitches[0] * height; -+ aligned_size = ALIGN(size, PAGE_SIZE); -+ /* TODO: unallocate and reallocate surface0 for real. Hack to just -+ * have a large enough surface0 for 1024x768 Xorg 32bpp mode */ -+ ret = qxl_gem_object_create(qdev, aligned_size, 0, -+ QXL_GEM_DOMAIN_SURFACE, -+ false, /* is discardable */ -+ false, /* is kernel (false means device) */ -+ NULL, -+ &gobj); -+ if (ret) { -+ pr_err("failed to allocate framebuffer (%d)\n", -+ aligned_size); -+ return -ENOMEM; -+ } -+ qbo = gem_to_qxl_bo(gobj); -+ -+ qbo->surf.width = mode_cmd->width; -+ qbo->surf.height = mode_cmd->height; -+ qbo->surf.stride = mode_cmd->pitches[0]; -+ qbo->surf.format = SPICE_SURFACE_FMT_32_xRGB; -+ ret = qxl_bo_reserve(qbo, false); -+ if (unlikely(ret != 0)) -+ goto out_unref; -+ ret = qxl_bo_pin(qbo, QXL_GEM_DOMAIN_SURFACE, NULL); -+ if (ret) { -+ qxl_bo_unreserve(qbo); -+ goto out_unref; -+ } -+ ret = qxl_bo_kmap(qbo, NULL); -+ qxl_bo_unreserve(qbo); /* unreserve, will be mmaped */ -+ if (ret) -+ goto out_unref; -+ -+ *gobj_p = gobj; -+ return 0; -+out_unref: -+ qxlfb_destroy_pinned_object(gobj); -+ *gobj_p = NULL; -+ return ret; -+} -+ -+static int qxlfb_create(struct qxl_fbdev *qfbdev, -+ struct drm_fb_helper_surface_size *sizes) -+{ -+ struct qxl_device *qdev = qfbdev->qdev; -+ struct fb_info *info; -+ struct drm_framebuffer *fb = NULL; -+ struct drm_mode_fb_cmd2 mode_cmd; -+ struct drm_gem_object *gobj = NULL; -+ struct qxl_bo *qbo = NULL; -+ struct device *device = &qdev->pdev->dev; -+ int ret; -+ int size; -+ int bpp = sizes->surface_bpp; -+ int depth = sizes->surface_depth; -+ void *shadow; -+ -+ mode_cmd.width = sizes->surface_width; -+ mode_cmd.height = sizes->surface_height; -+ -+ mode_cmd.pitches[0] = ALIGN(mode_cmd.width * ((bpp + 1) / 8), 64); -+ mode_cmd.pixel_format = drm_mode_legacy_fb_format(bpp, depth); -+ -+ ret = qxlfb_create_pinned_object(qfbdev, &mode_cmd, &gobj); -+ qbo = gem_to_qxl_bo(gobj); -+ QXL_INFO(qdev, "%s: %dx%d %d\n", __func__, mode_cmd.width, -+ mode_cmd.height, mode_cmd.pitches[0]); -+ -+ shadow = vmalloc(mode_cmd.pitches[0] * mode_cmd.height); -+ /* TODO: what's the usual response to memory allocation errors? */ -+ BUG_ON(!shadow); -+ QXL_INFO(qdev, -+ "surface0 at gpu offset %lld, mmap_offset %lld (virt %p, shadow %p)\n", -+ qxl_bo_gpu_offset(qbo), -+ qxl_bo_mmap_offset(qbo), -+ qbo->kptr, -+ shadow); -+ size = mode_cmd.pitches[0] * mode_cmd.height; -+ -+ info = framebuffer_alloc(0, device); -+ if (info == NULL) { -+ ret = -ENOMEM; -+ goto out_unref; -+ } -+ -+ info->par = qfbdev; -+ -+ qxl_framebuffer_init(qdev->ddev, &qfbdev->qfb, &mode_cmd, gobj); -+ -+ fb = &qfbdev->qfb.base; -+ -+ /* setup helper with fb data */ -+ qfbdev->helper.fb = fb; -+ qfbdev->helper.fbdev = info; -+ qfbdev->shadow = shadow; -+ strcpy(info->fix.id, "qxldrmfb"); -+ -+ drm_fb_helper_fill_fix(info, fb->pitches[0], fb->depth); -+ -+ info->flags = FBINFO_DEFAULT | FBINFO_HWACCEL_COPYAREA | FBINFO_HWACCEL_FILLRECT; -+ info->fbops = &qxlfb_ops; -+ -+ /* -+ * TODO: using gobj->size in various places in this function. Not sure -+ * what the difference between the different sizes is. -+ */ -+ info->fix.smem_start = qdev->vram_base; /* TODO - correct? */ -+ info->fix.smem_len = gobj->size; -+ info->screen_base = qfbdev->shadow; -+ info->screen_size = gobj->size; -+ -+ drm_fb_helper_fill_var(info, &qfbdev->helper, sizes->fb_width, -+ sizes->fb_height); -+ -+ /* setup aperture base/size for vesafb takeover */ -+ info->apertures = alloc_apertures(1); -+ if (!info->apertures) { -+ ret = -ENOMEM; -+ goto out_unref; -+ } -+ info->apertures->ranges[0].base = qdev->ddev->mode_config.fb_base; -+ info->apertures->ranges[0].size = qdev->vram_size; -+ -+ info->fix.mmio_start = 0; -+ info->fix.mmio_len = 0; -+ -+ if (info->screen_base == NULL) { -+ ret = -ENOSPC; -+ goto out_unref; -+ } -+ -+ ret = fb_alloc_cmap(&info->cmap, 256, 0); -+ if (ret) { -+ ret = -ENOMEM; -+ goto out_unref; -+ } -+ -+ info->fbdefio = &qxl_defio; -+ fb_deferred_io_init(info); -+ -+ qdev->fbdev_info = info; -+ qdev->fbdev_qfb = &qfbdev->qfb; -+ DRM_INFO("fb mappable at 0x%lX, size %lu\n", info->fix.smem_start, (unsigned long)info->screen_size); -+ DRM_INFO("fb: depth %d, pitch %d, width %d, height %d\n", fb->depth, fb->pitches[0], fb->width, fb->height); -+ return 0; -+ -+out_unref: -+ if (qbo) { -+ ret = qxl_bo_reserve(qbo, false); -+ if (likely(ret == 0)) { -+ qxl_bo_kunmap(qbo); -+ qxl_bo_unpin(qbo); -+ qxl_bo_unreserve(qbo); -+ } -+ } -+ if (fb && ret) { -+ drm_gem_object_unreference(gobj); -+ drm_framebuffer_cleanup(fb); -+ kfree(fb); -+ } -+ drm_gem_object_unreference(gobj); -+ return ret; -+} -+ -+static int qxl_fb_find_or_create_single( -+ struct drm_fb_helper *helper, -+ struct drm_fb_helper_surface_size *sizes) -+{ -+ struct qxl_fbdev *qfbdev = (struct qxl_fbdev *)helper; -+ int new_fb = 0; -+ int ret; -+ -+ if (!helper->fb) { -+ ret = qxlfb_create(qfbdev, sizes); -+ if (ret) -+ return ret; -+ new_fb = 1; -+ } -+ return new_fb; -+} -+ -+static int qxl_fbdev_destroy(struct drm_device *dev, struct qxl_fbdev *qfbdev) -+{ -+ struct fb_info *info; -+ struct qxl_framebuffer *qfb = &qfbdev->qfb; -+ -+ if (qfbdev->helper.fbdev) { -+ info = qfbdev->helper.fbdev; -+ -+ unregister_framebuffer(info); -+ framebuffer_release(info); -+ } -+ if (qfb->obj) { -+ qxlfb_destroy_pinned_object(qfb->obj); -+ qfb->obj = NULL; -+ } -+ drm_fb_helper_fini(&qfbdev->helper); -+ vfree(qfbdev->shadow); -+ drm_framebuffer_cleanup(&qfb->base); -+ -+ return 0; -+} -+ -+static struct drm_fb_helper_funcs qxl_fb_helper_funcs = { -+ /* TODO -+ .gamma_set = qxl_crtc_fb_gamma_set, -+ .gamma_get = qxl_crtc_fb_gamma_get, -+ */ -+ .fb_probe = qxl_fb_find_or_create_single, -+}; -+ -+int qxl_fbdev_init(struct qxl_device *qdev) -+{ -+ struct qxl_fbdev *qfbdev; -+ int bpp_sel = 32; /* TODO: parameter from somewhere? */ -+ int ret; -+ -+ qfbdev = kzalloc(sizeof(struct qxl_fbdev), GFP_KERNEL); -+ if (!qfbdev) -+ return -ENOMEM; -+ -+ qfbdev->qdev = qdev; -+ qdev->mode_info.qfbdev = qfbdev; -+ qfbdev->helper.funcs = &qxl_fb_helper_funcs; -+ -+ ret = drm_fb_helper_init(qdev->ddev, &qfbdev->helper, -+ 1 /* num_crtc - QXL supports just 1 */, -+ QXLFB_CONN_LIMIT); -+ if (ret) { -+ kfree(qfbdev); -+ return ret; -+ } -+ -+ drm_fb_helper_single_add_all_connectors(&qfbdev->helper); -+ drm_fb_helper_initial_config(&qfbdev->helper, bpp_sel); -+ return 0; -+} -+ -+void qxl_fbdev_fini(struct qxl_device *qdev) -+{ -+ if (!qdev->mode_info.qfbdev) -+ return; -+ -+ qxl_fbdev_destroy(qdev->ddev, qdev->mode_info.qfbdev); -+ kfree(qdev->mode_info.qfbdev); -+ qdev->mode_info.qfbdev = NULL; -+} -+ -+ -diff --git a/drivers/gpu/drm/qxl/qxl_fence.c b/drivers/gpu/drm/qxl/qxl_fence.c -new file mode 100644 -index 0000000..63c6715 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_fence.c -@@ -0,0 +1,97 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+ -+#include "qxl_drv.h" -+ -+/* QXL fencing- -+ -+ When we submit operations to the GPU we pass a release reference to the GPU -+ with them, the release reference is then added to the release ring when -+ the GPU is finished with that particular operation and has removed it from -+ its tree. -+ -+ So we have can have multiple outstanding non linear fences per object. -+ -+ From a TTM POV we only care if the object has any outstanding releases on -+ it. -+ -+ we wait until all outstanding releases are processeed. -+ -+ sync object is just a list of release ids that represent that fence on -+ that buffer. -+ -+ we just add new releases onto the sync object attached to the object. -+ -+ This currently uses a radix tree to store the list of release ids. -+ -+ For some reason every so often qxl hw fails to release, things go wrong. -+*/ -+ -+ -+int qxl_fence_add_release(struct qxl_fence *qfence, uint32_t rel_id) -+{ -+ struct qxl_bo *bo = container_of(qfence, struct qxl_bo, fence); -+ -+ spin_lock(&bo->tbo.bdev->fence_lock); -+ radix_tree_insert(&qfence->tree, rel_id, qfence); -+ qfence->num_active_releases++; -+ spin_unlock(&bo->tbo.bdev->fence_lock); -+ return 0; -+} -+ -+int qxl_fence_remove_release(struct qxl_fence *qfence, uint32_t rel_id) -+{ -+ void *ret; -+ int retval = 0; -+ struct qxl_bo *bo = container_of(qfence, struct qxl_bo, fence); -+ -+ spin_lock(&bo->tbo.bdev->fence_lock); -+ -+ ret = radix_tree_delete(&qfence->tree, rel_id); -+ if (ret == qfence) -+ qfence->num_active_releases--; -+ else { -+ DRM_DEBUG("didn't find fence in radix tree for %d\n", rel_id); -+ retval = -ENOENT; -+ } -+ spin_unlock(&bo->tbo.bdev->fence_lock); -+ return retval; -+} -+ -+ -+int qxl_fence_init(struct qxl_device *qdev, struct qxl_fence *qfence) -+{ -+ qfence->qdev = qdev; -+ qfence->num_active_releases = 0; -+ INIT_RADIX_TREE(&qfence->tree, GFP_ATOMIC); -+ return 0; -+} -+ -+void qxl_fence_fini(struct qxl_fence *qfence) -+{ -+ kfree(qfence->release_ids); -+ qfence->num_active_releases = 0; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_gem.c b/drivers/gpu/drm/qxl/qxl_gem.c -new file mode 100644 -index 0000000..adc1ee2 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_gem.c -@@ -0,0 +1,178 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "drmP.h" -+#include "drm/drm.h" -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+int qxl_gem_object_init(struct drm_gem_object *obj) -+{ -+ /* we do nothings here */ -+ return 0; -+} -+ -+void qxl_gem_object_free(struct drm_gem_object *gobj) -+{ -+ struct qxl_bo *qobj = gem_to_qxl_bo(gobj); -+ -+ if (qobj) -+ qxl_bo_unref(&qobj); -+} -+ -+int qxl_gem_object_create(struct qxl_device *qdev, int size, -+ int alignment, int initial_domain, -+ bool discardable, bool kernel, -+ struct qxl_surface *surf, -+ struct drm_gem_object **obj) -+{ -+ struct qxl_bo *qbo; -+ int r; -+ -+ *obj = NULL; -+ /* At least align on page size */ -+ if (alignment < PAGE_SIZE) -+ alignment = PAGE_SIZE; -+ r = qxl_bo_create(qdev, size, kernel, initial_domain, surf, &qbo); -+ if (r) { -+ if (r != -ERESTARTSYS) -+ DRM_ERROR( -+ "Failed to allocate GEM object (%d, %d, %u, %d)\n", -+ size, initial_domain, alignment, r); -+ return r; -+ } -+ *obj = &qbo->gem_base; -+ -+ mutex_lock(&qdev->gem.mutex); -+ list_add_tail(&qbo->list, &qdev->gem.objects); -+ mutex_unlock(&qdev->gem.mutex); -+ -+ return 0; -+} -+ -+int qxl_gem_object_create_with_handle(struct qxl_device *qdev, -+ struct drm_file *file_priv, -+ u32 domain, -+ size_t size, -+ struct qxl_surface *surf, -+ struct qxl_bo **qobj, -+ uint32_t *handle) -+{ -+ struct drm_gem_object *gobj; -+ int r; -+ -+ BUG_ON(!qobj); -+ BUG_ON(!handle); -+ -+ r = qxl_gem_object_create(qdev, size, 0, -+ domain, -+ false, false, surf, -+ &gobj); -+ if (r) -+ return -ENOMEM; -+ r = drm_gem_handle_create(file_priv, gobj, handle); -+ if (r) -+ return r; -+ /* drop reference from allocate - handle holds it now */ -+ *qobj = gem_to_qxl_bo(gobj); -+ drm_gem_object_unreference_unlocked(gobj); -+ return 0; -+} -+ -+int qxl_gem_object_pin(struct drm_gem_object *obj, uint32_t pin_domain, -+ uint64_t *gpu_addr) -+{ -+ struct qxl_bo *qobj = obj->driver_private; -+ int r; -+ -+ r = qxl_bo_reserve(qobj, false); -+ if (unlikely(r != 0)) -+ return r; -+ r = qxl_bo_pin(qobj, pin_domain, gpu_addr); -+ qxl_bo_unreserve(qobj); -+ return r; -+} -+ -+void qxl_gem_object_unpin(struct drm_gem_object *obj) -+{ -+ struct qxl_bo *qobj = obj->driver_private; -+ int r; -+ -+ r = qxl_bo_reserve(qobj, false); -+ if (likely(r == 0)) { -+ qxl_bo_unpin(qobj); -+ qxl_bo_unreserve(qobj); -+ } -+} -+ -+int qxl_gem_set_domain(struct drm_gem_object *gobj, -+ uint32_t rdomain, uint32_t wdomain) -+{ -+ struct qxl_bo *qobj; -+ uint32_t domain; -+ int r; -+ -+ /* FIXME: reeimplement */ -+ qobj = gobj->driver_private; -+ /* work out where to validate the buffer to */ -+ domain = wdomain; -+ if (!domain) -+ domain = rdomain; -+ if (!domain) { -+ /* Do nothings */ -+ pr_warn("Set domain withou domain !\n"); -+ return 0; -+ } -+ if (domain == QXL_GEM_DOMAIN_CPU) { -+ /* Asking for cpu access wait for object idle */ -+ r = qxl_bo_wait(qobj, NULL, false); -+ if (r) { -+ pr_err("Failed to wait for object !\n"); -+ return r; -+ } -+ } -+ return 0; -+} -+ -+int qxl_gem_object_open(struct drm_gem_object *obj, struct drm_file *file_priv) -+{ -+ return 0; -+} -+ -+void qxl_gem_object_close(struct drm_gem_object *obj, -+ struct drm_file *file_priv) -+{ -+} -+ -+int qxl_gem_init(struct qxl_device *qdev) -+{ -+ INIT_LIST_HEAD(&qdev->gem.objects); -+ return 0; -+} -+ -+void qxl_gem_fini(struct qxl_device *qdev) -+{ -+ qxl_bo_force_delete(qdev); -+} -diff --git a/drivers/gpu/drm/qxl/qxl_image.c b/drivers/gpu/drm/qxl/qxl_image.c -new file mode 100644 -index 0000000..cf85620 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_image.c -@@ -0,0 +1,176 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include -+#include -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+static int -+qxl_image_create_helper(struct qxl_device *qdev, -+ struct qxl_release *release, -+ struct qxl_bo **image_bo, -+ const uint8_t *data, -+ int width, int height, -+ int depth, unsigned int hash, -+ int stride) -+{ -+ struct qxl_image *image; -+ struct qxl_data_chunk *chunk; -+ int i; -+ int chunk_stride; -+ int linesize = width * depth / 8; -+ struct qxl_bo *chunk_bo; -+ int ret; -+ void *ptr; -+ /* Chunk */ -+ /* FIXME: Check integer overflow */ -+ /* TODO: variable number of chunks */ -+ chunk_stride = stride; /* TODO: should use linesize, but it renders -+ wrong (check the bitmaps are sent correctly -+ first) */ -+ ret = qxl_alloc_bo_reserved(qdev, sizeof(*chunk) + height * chunk_stride, -+ &chunk_bo); -+ -+ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, 0); -+ chunk = ptr; -+ chunk->data_size = height * chunk_stride; -+ chunk->prev_chunk = 0; -+ chunk->next_chunk = 0; -+ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); -+ -+ { -+ void *k_data, *i_data; -+ int remain; -+ int page; -+ int size; -+ if (stride == linesize && chunk_stride == stride) { -+ remain = linesize * height; -+ page = 0; -+ i_data = (void *)data; -+ -+ while (remain > 0) { -+ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, page << PAGE_SHIFT); -+ -+ if (page == 0) { -+ chunk = ptr; -+ k_data = chunk->data; -+ size = PAGE_SIZE - offsetof(struct qxl_data_chunk, data); -+ } else { -+ k_data = ptr; -+ size = PAGE_SIZE; -+ } -+ size = min(size, remain); -+ -+ memcpy(k_data, i_data, size); -+ -+ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); -+ i_data += size; -+ remain -= size; -+ page++; -+ } -+ } else { -+ unsigned page_base, page_offset, out_offset; -+ for (i = 0 ; i < height ; ++i) { -+ i_data = (void *)data + i * stride; -+ remain = linesize; -+ out_offset = offsetof(struct qxl_data_chunk, data) + i * chunk_stride; -+ -+ while (remain > 0) { -+ page_base = out_offset & PAGE_MASK; -+ page_offset = offset_in_page(out_offset); -+ -+ size = min((int)(PAGE_SIZE - page_offset), remain); -+ -+ ptr = qxl_bo_kmap_atomic_page(qdev, chunk_bo, page_base); -+ k_data = ptr + page_offset; -+ memcpy(k_data, i_data, size); -+ qxl_bo_kunmap_atomic_page(qdev, chunk_bo, ptr); -+ remain -= size; -+ i_data += size; -+ out_offset += size; -+ } -+ } -+ } -+ } -+ -+ -+ qxl_bo_kunmap(chunk_bo); -+ -+ /* Image */ -+ ret = qxl_alloc_bo_reserved(qdev, sizeof(*image), image_bo); -+ -+ ptr = qxl_bo_kmap_atomic_page(qdev, *image_bo, 0); -+ image = ptr; -+ -+ image->descriptor.id = 0; -+ image->descriptor.type = SPICE_IMAGE_TYPE_BITMAP; -+ -+ image->descriptor.flags = 0; -+ image->descriptor.width = width; -+ image->descriptor.height = height; -+ -+ switch (depth) { -+ case 1: -+ /* TODO: BE? check by arch? */ -+ image->u.bitmap.format = SPICE_BITMAP_FMT_1BIT_BE; -+ break; -+ case 24: -+ image->u.bitmap.format = SPICE_BITMAP_FMT_24BIT; -+ break; -+ case 32: -+ image->u.bitmap.format = SPICE_BITMAP_FMT_32BIT; -+ break; -+ default: -+ DRM_ERROR("unsupported image bit depth\n"); -+ return -EINVAL; /* TODO: cleanup */ -+ } -+ image->u.bitmap.flags = QXL_BITMAP_TOP_DOWN; -+ image->u.bitmap.x = width; -+ image->u.bitmap.y = height; -+ image->u.bitmap.stride = chunk_stride; -+ image->u.bitmap.palette = 0; -+ image->u.bitmap.data = qxl_bo_physical_address(qdev, chunk_bo, 0); -+ qxl_release_add_res(qdev, release, chunk_bo); -+ qxl_bo_unreserve(chunk_bo); -+ qxl_bo_unref(&chunk_bo); -+ -+ qxl_bo_kunmap_atomic_page(qdev, *image_bo, ptr); -+ -+ return 0; -+} -+ -+int qxl_image_create(struct qxl_device *qdev, -+ struct qxl_release *release, -+ struct qxl_bo **image_bo, -+ const uint8_t *data, -+ int x, int y, int width, int height, -+ int depth, int stride) -+{ -+ data += y * stride + x * (depth / 8); -+ return qxl_image_create_helper(qdev, release, image_bo, data, -+ width, height, depth, 0, stride); -+} -diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c -new file mode 100644 -index 0000000..83ca4f7 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c -@@ -0,0 +1,411 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+/* -+ * TODO: allocating a new gem(in qxl_bo) for each request. -+ * This is wasteful since bo's are page aligned. -+ */ -+int qxl_alloc_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_alloc *qxl_alloc = data; -+ int ret; -+ struct qxl_bo *qobj; -+ uint32_t handle; -+ u32 domain = QXL_GEM_DOMAIN_VRAM; -+ -+ if (qxl_alloc->size == 0) { -+ DRM_ERROR("invalid size %d\n", qxl_alloc->size); -+ return -EINVAL; -+ } -+ ret = qxl_gem_object_create_with_handle(qdev, file_priv, -+ domain, -+ qxl_alloc->size, -+ NULL, -+ &qobj, &handle); -+ if (ret) { -+ DRM_ERROR("%s: failed to create gem ret=%d\n", -+ __func__, ret); -+ return -ENOMEM; -+ } -+ qxl_alloc->handle = handle; -+ return 0; -+} -+ -+int qxl_map_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_map *qxl_map = data; -+ -+ return qxl_mode_dumb_mmap(file_priv, qdev->ddev, qxl_map->handle, -+ &qxl_map->offset); -+} -+ -+/* -+ * dst must be validated, i.e. whole bo on vram/surfacesram (right now all bo's -+ * are on vram). -+ * *(dst + dst_off) = qxl_bo_physical_address(src, src_off) -+ */ -+static void -+apply_reloc(struct qxl_device *qdev, struct qxl_bo *dst, uint64_t dst_off, -+ struct qxl_bo *src, uint64_t src_off) -+{ -+ void *reloc_page; -+ -+ reloc_page = qxl_bo_kmap_atomic_page(qdev, dst, dst_off & PAGE_MASK); -+ *(uint64_t *)(reloc_page + (dst_off & ~PAGE_MASK)) = qxl_bo_physical_address(qdev, -+ src, src_off); -+ qxl_bo_kunmap_atomic_page(qdev, dst, reloc_page); -+} -+ -+static void -+apply_surf_reloc(struct qxl_device *qdev, struct qxl_bo *dst, uint64_t dst_off, -+ struct qxl_bo *src) -+{ -+ uint32_t id = 0; -+ void *reloc_page; -+ -+ if (src && !src->is_primary) -+ id = src->surface_id; -+ -+ reloc_page = qxl_bo_kmap_atomic_page(qdev, dst, dst_off & PAGE_MASK); -+ *(uint32_t *)(reloc_page + (dst_off & ~PAGE_MASK)) = id; -+ qxl_bo_kunmap_atomic_page(qdev, dst, reloc_page); -+} -+ -+/* return holding the reference to this object */ -+struct qxl_bo *qxlhw_handle_to_bo(struct qxl_device *qdev, -+ struct drm_file *file_priv, uint64_t handle, -+ struct qxl_reloc_list *reloc_list) -+{ -+ struct drm_gem_object *gobj; -+ struct qxl_bo *qobj; -+ int ret; -+ -+ gobj = drm_gem_object_lookup(qdev->ddev, file_priv, handle); -+ if (!gobj) { -+ DRM_ERROR("bad bo handle %lld\n", handle); -+ return NULL; -+ } -+ qobj = gem_to_qxl_bo(gobj); -+ -+ ret = qxl_bo_list_add(reloc_list, qobj); -+ if (ret) -+ return NULL; -+ -+ return qobj; -+} -+ -+/* -+ * Usage of execbuffer: -+ * Relocations need to take into account the full QXLDrawable size. -+ * However, the command as passed from user space must *not* contain the initial -+ * QXLReleaseInfo struct (first XXX bytes) -+ */ -+int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_execbuffer *execbuffer = data; -+ struct drm_qxl_command user_cmd; -+ int cmd_num; -+ struct qxl_bo *reloc_src_bo; -+ struct qxl_bo *reloc_dst_bo; -+ struct drm_qxl_reloc reloc; -+ void *fb_cmd; -+ int i, ret; -+ struct qxl_reloc_list reloc_list; -+ int unwritten; -+ uint32_t reloc_dst_offset; -+ INIT_LIST_HEAD(&reloc_list.bos); -+ -+ for (cmd_num = 0; cmd_num < execbuffer->commands_num; ++cmd_num) { -+ struct qxl_release *release; -+ struct qxl_bo *cmd_bo; -+ int release_type; -+ struct drm_qxl_command *commands = -+ (struct drm_qxl_command *)execbuffer->commands; -+ -+ if (DRM_COPY_FROM_USER(&user_cmd, &commands[cmd_num], -+ sizeof(user_cmd))) -+ return -EFAULT; -+ switch (user_cmd.type) { -+ case QXL_CMD_DRAW: -+ release_type = QXL_RELEASE_DRAWABLE; -+ break; -+ case QXL_CMD_SURFACE: -+ case QXL_CMD_CURSOR: -+ default: -+ DRM_DEBUG("Only draw commands in execbuffers\n"); -+ return -EINVAL; -+ break; -+ } -+ -+ if (user_cmd.command_size > PAGE_SIZE - sizeof(union qxl_release_info)) -+ return -EINVAL; -+ -+ ret = qxl_alloc_release_reserved(qdev, -+ sizeof(union qxl_release_info) + -+ user_cmd.command_size, -+ release_type, -+ &release, -+ &cmd_bo); -+ if (ret) -+ return ret; -+ -+ /* TODO copy slow path code from i915 */ -+ fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); -+ unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)user_cmd.command, user_cmd.command_size); -+ qxl_bo_kunmap_atomic_page(qdev, cmd_bo, fb_cmd); -+ if (unwritten) { -+ DRM_ERROR("got unwritten %d\n", unwritten); -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ return -EFAULT; -+ } -+ -+ for (i = 0 ; i < user_cmd.relocs_num; ++i) { -+ if (DRM_COPY_FROM_USER(&reloc, -+ &((struct drm_qxl_reloc *)user_cmd.relocs)[i], -+ sizeof(reloc))) { -+ qxl_bo_list_unreserve(&reloc_list, true); -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ return -EFAULT; -+ } -+ -+ /* add the bos to the list of bos to validate - -+ need to validate first then process relocs? */ -+ if (reloc.dst_handle) { -+ reloc_dst_bo = qxlhw_handle_to_bo(qdev, file_priv, -+ reloc.dst_handle, &reloc_list); -+ if (!reloc_dst_bo) { -+ qxl_bo_list_unreserve(&reloc_list, true); -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ return -EINVAL; -+ } -+ reloc_dst_offset = 0; -+ } else { -+ reloc_dst_bo = cmd_bo; -+ reloc_dst_offset = release->release_offset; -+ } -+ -+ /* reserve and validate the reloc dst bo */ -+ if (reloc.reloc_type == QXL_RELOC_TYPE_BO || reloc.src_handle > 0) { -+ reloc_src_bo = -+ qxlhw_handle_to_bo(qdev, file_priv, -+ reloc.src_handle, &reloc_list); -+ if (!reloc_src_bo) { -+ if (reloc_dst_bo != cmd_bo) -+ drm_gem_object_unreference_unlocked(&reloc_dst_bo->gem_base); -+ qxl_bo_list_unreserve(&reloc_list, true); -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ return -EINVAL; -+ } -+ } else -+ reloc_src_bo = NULL; -+ if (reloc.reloc_type == QXL_RELOC_TYPE_BO) { -+ apply_reloc(qdev, reloc_dst_bo, reloc_dst_offset + reloc.dst_offset, -+ reloc_src_bo, reloc.src_offset); -+ } else if (reloc.reloc_type == QXL_RELOC_TYPE_SURF) { -+ apply_surf_reloc(qdev, reloc_dst_bo, reloc_dst_offset + reloc.dst_offset, reloc_src_bo); -+ } else { -+ DRM_ERROR("unknown reloc type %d\n", reloc.reloc_type); -+ return -EINVAL; -+ } -+ -+ if (reloc_src_bo && reloc_src_bo != cmd_bo) { -+ qxl_release_add_res(qdev, release, reloc_src_bo); -+ drm_gem_object_unreference_unlocked(&reloc_src_bo->gem_base); -+ } -+ -+ if (reloc_dst_bo != cmd_bo) -+ drm_gem_object_unreference_unlocked(&reloc_dst_bo->gem_base); -+ } -+ qxl_fence_releaseable(qdev, release); -+ -+ ret = qxl_push_command_ring_release(qdev, release, user_cmd.type, true); -+ if (ret == -ERESTARTSYS) { -+ qxl_release_unreserve(qdev, release); -+ qxl_release_free(qdev, release); -+ qxl_bo_list_unreserve(&reloc_list, true); -+ return ret; -+ } -+ qxl_release_unreserve(qdev, release); -+ } -+ qxl_bo_list_unreserve(&reloc_list, 0); -+ return 0; -+} -+ -+int qxl_update_area_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_update_area *update_area = data; -+ struct qxl_rect area = {.left = update_area->left, -+ .top = update_area->top, -+ .right = update_area->right, -+ .bottom = update_area->bottom}; -+ int ret; -+ struct drm_gem_object *gobj = NULL; -+ struct qxl_bo *qobj = NULL; -+ -+ if (update_area->left >= update_area->right || -+ update_area->top >= update_area->bottom) -+ return -EINVAL; -+ -+ gobj = drm_gem_object_lookup(dev, file, update_area->handle); -+ if (gobj == NULL) -+ return -ENOENT; -+ -+ qobj = gem_to_qxl_bo(gobj); -+ -+ ret = qxl_bo_reserve(qobj, false); -+ if (ret) -+ goto out; -+ -+ if (!qobj->pin_count) { -+ ret = ttm_bo_validate(&qobj->tbo, &qobj->placement, -+ true, false); -+ if (unlikely(ret)) -+ goto out; -+ } -+ -+ ret = qxl_bo_check_id(qdev, qobj); -+ if (ret) -+ goto out2; -+ if (!qobj->surface_id) -+ DRM_ERROR("got update area for surface with no id %d\n", update_area->handle); -+ ret = qxl_io_update_area(qdev, qobj, &area); -+ -+out2: -+ qxl_bo_unreserve(qobj); -+ -+out: -+ drm_gem_object_unreference_unlocked(gobj); -+ return ret; -+} -+ -+static int qxl_getparam_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_getparam *param = data; -+ -+ switch (param->param) { -+ case QXL_PARAM_NUM_SURFACES: -+ param->value = qdev->rom->n_surfaces; -+ break; -+ case QXL_PARAM_MAX_RELOCS: -+ param->value = QXL_MAX_RES; -+ break; -+ default: -+ return -EINVAL; -+ } -+ return 0; -+} -+ -+static int qxl_clientcap_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file_priv) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_clientcap *param = data; -+ int byte, idx; -+ -+ byte = param->index / 8; -+ idx = param->index % 8; -+ -+ if (qdev->pdev->revision < 4) -+ return -ENOSYS; -+ -+ if (byte > 58) -+ return -ENOSYS; -+ -+ if (qdev->rom->client_capabilities[byte] & (1 << idx)) -+ return 0; -+ return -ENOSYS; -+} -+ -+static int qxl_alloc_surf_ioctl(struct drm_device *dev, void *data, -+ struct drm_file *file) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_qxl_alloc_surf *param = data; -+ struct qxl_bo *qobj; -+ int handle; -+ int ret; -+ int size, actual_stride; -+ struct qxl_surface surf; -+ -+ /* work out size allocate bo with handle */ -+ actual_stride = param->stride < 0 ? -param->stride : param->stride; -+ size = actual_stride * param->height + actual_stride; -+ -+ surf.format = param->format; -+ surf.width = param->width; -+ surf.height = param->height; -+ surf.stride = param->stride; -+ surf.data = 0; -+ -+ ret = qxl_gem_object_create_with_handle(qdev, file, -+ QXL_GEM_DOMAIN_SURFACE, -+ size, -+ &surf, -+ &qobj, &handle); -+ if (ret) { -+ DRM_ERROR("%s: failed to create gem ret=%d\n", -+ __func__, ret); -+ return -ENOMEM; -+ } else -+ param->handle = handle; -+ return ret; -+} -+ -+struct drm_ioctl_desc qxl_ioctls[] = { -+ DRM_IOCTL_DEF_DRV(QXL_ALLOC, qxl_alloc_ioctl, DRM_AUTH|DRM_UNLOCKED), -+ -+ DRM_IOCTL_DEF_DRV(QXL_MAP, qxl_map_ioctl, DRM_AUTH|DRM_UNLOCKED), -+ -+ DRM_IOCTL_DEF_DRV(QXL_EXECBUFFER, qxl_execbuffer_ioctl, -+ DRM_AUTH|DRM_UNLOCKED), -+ DRM_IOCTL_DEF_DRV(QXL_UPDATE_AREA, qxl_update_area_ioctl, -+ DRM_AUTH|DRM_UNLOCKED), -+ DRM_IOCTL_DEF_DRV(QXL_GETPARAM, qxl_getparam_ioctl, -+ DRM_AUTH|DRM_UNLOCKED), -+ DRM_IOCTL_DEF_DRV(QXL_CLIENTCAP, qxl_clientcap_ioctl, -+ DRM_AUTH|DRM_UNLOCKED), -+ -+ DRM_IOCTL_DEF_DRV(QXL_ALLOC_SURF, qxl_alloc_surf_ioctl, -+ DRM_AUTH|DRM_UNLOCKED), -+}; -+ -+int qxl_max_ioctls = DRM_ARRAY_SIZE(qxl_ioctls); -diff --git a/drivers/gpu/drm/qxl/qxl_irq.c b/drivers/gpu/drm/qxl/qxl_irq.c -new file mode 100644 -index 0000000..21393dc ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_irq.c -@@ -0,0 +1,97 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "qxl_drv.h" -+ -+irqreturn_t qxl_irq_handler(DRM_IRQ_ARGS) -+{ -+ struct drm_device *dev = (struct drm_device *) arg; -+ struct qxl_device *qdev = (struct qxl_device *)dev->dev_private; -+ uint32_t pending; -+ -+ pending = xchg(&qdev->ram_header->int_pending, 0); -+ -+ atomic_inc(&qdev->irq_received); -+ -+ if (pending & QXL_INTERRUPT_DISPLAY) { -+ atomic_inc(&qdev->irq_received_display); -+ wake_up_all(&qdev->display_event); -+ qxl_queue_garbage_collect(qdev, false); -+ } -+ if (pending & QXL_INTERRUPT_CURSOR) { -+ atomic_inc(&qdev->irq_received_cursor); -+ wake_up_all(&qdev->cursor_event); -+ } -+ if (pending & QXL_INTERRUPT_IO_CMD) { -+ atomic_inc(&qdev->irq_received_io_cmd); -+ wake_up_all(&qdev->io_cmd_event); -+ } -+ if (pending & QXL_INTERRUPT_ERROR) { -+ /* TODO: log it, reset device (only way to exit this condition) -+ * (do it a certain number of times, afterwards admit defeat, -+ * to avoid endless loops). -+ */ -+ qdev->irq_received_error++; -+ qxl_io_log(qdev, "%s: driver is in bug mode.\n", __func__); -+ } -+ if (pending & QXL_INTERRUPT_CLIENT_MONITORS_CONFIG) { -+ qxl_io_log(qdev, "QXL_INTERRUPT_CLIENT_MONITORS_CONFIG\n"); -+ schedule_work(&qdev->client_monitors_config_work); -+ } -+ qdev->ram_header->int_mask = QXL_INTERRUPT_MASK; -+ outb(0, qdev->io_base + QXL_IO_UPDATE_IRQ); -+ return IRQ_HANDLED; -+} -+ -+static void qxl_client_monitors_config_work_func(struct work_struct *work) -+{ -+ struct qxl_device *qdev = container_of(work, struct qxl_device, -+ client_monitors_config_work); -+ -+ qxl_display_read_client_monitors_config(qdev); -+} -+ -+int qxl_irq_init(struct qxl_device *qdev) -+{ -+ int ret; -+ -+ init_waitqueue_head(&qdev->display_event); -+ init_waitqueue_head(&qdev->cursor_event); -+ init_waitqueue_head(&qdev->io_cmd_event); -+ INIT_WORK(&qdev->client_monitors_config_work, -+ qxl_client_monitors_config_work_func); -+ atomic_set(&qdev->irq_received, 0); -+ atomic_set(&qdev->irq_received_display, 0); -+ atomic_set(&qdev->irq_received_cursor, 0); -+ atomic_set(&qdev->irq_received_io_cmd, 0); -+ qdev->irq_received_error = 0; -+ ret = drm_irq_install(qdev->ddev); -+ qdev->ram_header->int_mask = QXL_INTERRUPT_MASK; -+ if (unlikely(ret != 0)) { -+ DRM_ERROR("Failed installing irq: %d\n", ret); -+ return 1; -+ } -+ return 0; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c -new file mode 100644 -index 0000000..036e0de ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_kms.c -@@ -0,0 +1,302 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+#include -+ -+int qxl_log_level; -+ -+static void qxl_dump_mode(struct qxl_device *qdev, void *p) -+{ -+ struct qxl_mode *m = p; -+ DRM_DEBUG_KMS("%d: %dx%d %d bits, stride %d, %dmm x %dmm, orientation %d\n", -+ m->id, m->x_res, m->y_res, m->bits, m->stride, m->x_mili, -+ m->y_mili, m->orientation); -+} -+ -+static bool qxl_check_device(struct qxl_device *qdev) -+{ -+ struct qxl_rom *rom = qdev->rom; -+ int mode_offset; -+ int i; -+ -+ if (rom->magic != 0x4f525851) { -+ DRM_ERROR("bad rom signature %x\n", rom->magic); -+ return false; -+ } -+ -+ DRM_INFO("Device Version %d.%d\n", rom->id, rom->update_id); -+ DRM_INFO("Compression level %d log level %d\n", rom->compression_level, -+ rom->log_level); -+ DRM_INFO("Currently using mode #%d, list at 0x%x\n", -+ rom->mode, rom->modes_offset); -+ DRM_INFO("%d io pages at offset 0x%x\n", -+ rom->num_io_pages, rom->pages_offset); -+ DRM_INFO("%d byte draw area at offset 0x%x\n", -+ rom->surface0_area_size, rom->draw_area_offset); -+ -+ qdev->vram_size = rom->surface0_area_size; -+ DRM_INFO("RAM header offset: 0x%x\n", rom->ram_header_offset); -+ -+ mode_offset = rom->modes_offset / 4; -+ qdev->mode_info.num_modes = ((u32 *)rom)[mode_offset]; -+ DRM_INFO("rom modes offset 0x%x for %d modes\n", rom->modes_offset, -+ qdev->mode_info.num_modes); -+ qdev->mode_info.modes = (void *)((uint32_t *)rom + mode_offset + 1); -+ for (i = 0; i < qdev->mode_info.num_modes; i++) -+ qxl_dump_mode(qdev, qdev->mode_info.modes + i); -+ return true; -+} -+ -+static uint8_t setup_slot(struct qxl_device *qdev, uint8_t slot_index_offset, -+ unsigned long start_phys_addr, unsigned long end_phys_addr) -+{ -+ uint64_t high_bits; -+ struct qxl_memslot *slot; -+ uint8_t slot_index; -+ struct qxl_ram_header *ram_header = qdev->ram_header; -+ -+ slot_index = qdev->rom->slots_start + slot_index_offset; -+ slot = &qdev->mem_slots[slot_index]; -+ slot->start_phys_addr = start_phys_addr; -+ slot->end_phys_addr = end_phys_addr; -+ ram_header->mem_slot.mem_start = slot->start_phys_addr; -+ ram_header->mem_slot.mem_end = slot->end_phys_addr; -+ qxl_io_memslot_add(qdev, slot_index); -+ slot->generation = qdev->rom->slot_generation; -+ high_bits = slot_index << qdev->slot_gen_bits; -+ high_bits |= slot->generation; -+ high_bits <<= (64 - (qdev->slot_gen_bits + qdev->slot_id_bits)); -+ slot->high_bits = high_bits; -+ return slot_index; -+} -+ -+static void qxl_gc_work(struct work_struct *work) -+{ -+ struct qxl_device *qdev = container_of(work, struct qxl_device, gc_work); -+ qxl_garbage_collect(qdev); -+} -+ -+int qxl_device_init(struct qxl_device *qdev, -+ struct drm_device *ddev, -+ struct pci_dev *pdev, -+ unsigned long flags) -+{ -+ int r; -+ -+ qdev->dev = &pdev->dev; -+ qdev->ddev = ddev; -+ qdev->pdev = pdev; -+ qdev->flags = flags; -+ -+ mutex_init(&qdev->gem.mutex); -+ mutex_init(&qdev->update_area_mutex); -+ mutex_init(&qdev->release_mutex); -+ mutex_init(&qdev->surf_evict_mutex); -+ INIT_LIST_HEAD(&qdev->gem.objects); -+ -+ qdev->rom_base = pci_resource_start(pdev, 2); -+ qdev->rom_size = pci_resource_len(pdev, 2); -+ qdev->vram_base = pci_resource_start(pdev, 0); -+ qdev->surfaceram_base = pci_resource_start(pdev, 1); -+ qdev->surfaceram_size = pci_resource_len(pdev, 1); -+ qdev->io_base = pci_resource_start(pdev, 3); -+ -+ qdev->vram_mapping = io_mapping_create_wc(qdev->vram_base, pci_resource_len(pdev, 0)); -+ qdev->surface_mapping = io_mapping_create_wc(qdev->surfaceram_base, qdev->surfaceram_size); -+ DRM_DEBUG_KMS("qxl: vram %p-%p(%dM %dk), surface %p-%p(%dM %dk)\n", -+ (void *)qdev->vram_base, (void *)pci_resource_end(pdev, 0), -+ (int)pci_resource_len(pdev, 0) / 1024 / 1024, -+ (int)pci_resource_len(pdev, 0) / 1024, -+ (void *)qdev->surfaceram_base, -+ (void *)pci_resource_end(pdev, 1), -+ (int)qdev->surfaceram_size / 1024 / 1024, -+ (int)qdev->surfaceram_size / 1024); -+ -+ qdev->rom = ioremap(qdev->rom_base, qdev->rom_size); -+ if (!qdev->rom) { -+ pr_err("Unable to ioremap ROM\n"); -+ return -ENOMEM; -+ } -+ -+ qxl_check_device(qdev); -+ -+ r = qxl_bo_init(qdev); -+ if (r) { -+ DRM_ERROR("bo init failed %d\n", r); -+ return r; -+ } -+ -+ qdev->ram_header = ioremap(qdev->vram_base + -+ qdev->rom->ram_header_offset, -+ sizeof(*qdev->ram_header)); -+ -+ qdev->command_ring = qxl_ring_create(&(qdev->ram_header->cmd_ring_hdr), -+ sizeof(struct qxl_command), -+ QXL_COMMAND_RING_SIZE, -+ qdev->io_base + QXL_IO_NOTIFY_CMD, -+ false, -+ &qdev->display_event); -+ -+ qdev->cursor_ring = qxl_ring_create( -+ &(qdev->ram_header->cursor_ring_hdr), -+ sizeof(struct qxl_command), -+ QXL_CURSOR_RING_SIZE, -+ qdev->io_base + QXL_IO_NOTIFY_CMD, -+ false, -+ &qdev->cursor_event); -+ -+ qdev->release_ring = qxl_ring_create( -+ &(qdev->ram_header->release_ring_hdr), -+ sizeof(uint64_t), -+ QXL_RELEASE_RING_SIZE, 0, true, -+ NULL); -+ -+ /* TODO - slot initialization should happen on reset. where is our -+ * reset handler? */ -+ qdev->n_mem_slots = qdev->rom->slots_end; -+ qdev->slot_gen_bits = qdev->rom->slot_gen_bits; -+ qdev->slot_id_bits = qdev->rom->slot_id_bits; -+ qdev->va_slot_mask = -+ (~(uint64_t)0) >> (qdev->slot_id_bits + qdev->slot_gen_bits); -+ -+ qdev->mem_slots = -+ kmalloc(qdev->n_mem_slots * sizeof(struct qxl_memslot), -+ GFP_KERNEL); -+ -+ idr_init(&qdev->release_idr); -+ spin_lock_init(&qdev->release_idr_lock); -+ -+ idr_init(&qdev->surf_id_idr); -+ spin_lock_init(&qdev->surf_id_idr_lock); -+ -+ mutex_init(&qdev->async_io_mutex); -+ -+ /* reset the device into a known state - no memslots, no primary -+ * created, no surfaces. */ -+ qxl_io_reset(qdev); -+ -+ /* must initialize irq before first async io - slot creation */ -+ r = qxl_irq_init(qdev); -+ if (r) -+ return r; -+ -+ /* -+ * Note that virtual is surface0. We rely on the single ioremap done -+ * before. -+ */ -+ qdev->main_mem_slot = setup_slot(qdev, 0, -+ (unsigned long)qdev->vram_base, -+ (unsigned long)qdev->vram_base + qdev->rom->ram_header_offset); -+ qdev->surfaces_mem_slot = setup_slot(qdev, 1, -+ (unsigned long)qdev->surfaceram_base, -+ (unsigned long)qdev->surfaceram_base + qdev->surfaceram_size); -+ DRM_INFO("main mem slot %d [%lx,%x)\n", -+ qdev->main_mem_slot, -+ (unsigned long)qdev->vram_base, qdev->rom->ram_header_offset); -+ -+ -+ qdev->gc_queue = create_singlethread_workqueue("qxl_gc"); -+ INIT_WORK(&qdev->gc_work, qxl_gc_work); -+ -+ r = qxl_fb_init(qdev); -+ if (r) -+ return r; -+ -+ return 0; -+} -+ -+void qxl_device_fini(struct qxl_device *qdev) -+{ -+ if (qdev->current_release_bo[0]) -+ qxl_bo_unref(&qdev->current_release_bo[0]); -+ if (qdev->current_release_bo[1]) -+ qxl_bo_unref(&qdev->current_release_bo[1]); -+ flush_workqueue(qdev->gc_queue); -+ destroy_workqueue(qdev->gc_queue); -+ qdev->gc_queue = NULL; -+ -+ qxl_ring_free(qdev->command_ring); -+ qxl_ring_free(qdev->cursor_ring); -+ qxl_ring_free(qdev->release_ring); -+ qxl_bo_fini(qdev); -+ io_mapping_free(qdev->surface_mapping); -+ io_mapping_free(qdev->vram_mapping); -+ iounmap(qdev->ram_header); -+ iounmap(qdev->rom); -+ qdev->rom = NULL; -+ qdev->mode_info.modes = NULL; -+ qdev->mode_info.num_modes = 0; -+ qxl_debugfs_remove_files(qdev); -+} -+ -+int qxl_driver_unload(struct drm_device *dev) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ -+ if (qdev == NULL) -+ return 0; -+ qxl_modeset_fini(qdev); -+ qxl_device_fini(qdev); -+ -+ kfree(qdev); -+ dev->dev_private = NULL; -+ return 0; -+} -+ -+int qxl_driver_load(struct drm_device *dev, unsigned long flags) -+{ -+ struct qxl_device *qdev; -+ int r; -+ -+ /* require kms */ -+ if (!drm_core_check_feature(dev, DRIVER_MODESET)) -+ return -ENODEV; -+ -+ qdev = kzalloc(sizeof(struct qxl_device), GFP_KERNEL); -+ if (qdev == NULL) -+ return -ENOMEM; -+ -+ dev->dev_private = qdev; -+ -+ r = qxl_device_init(qdev, dev, dev->pdev, flags); -+ if (r) -+ goto out; -+ -+ r = qxl_modeset_init(qdev); -+ if (r) { -+ qxl_driver_unload(dev); -+ goto out; -+ } -+ -+ return 0; -+out: -+ kfree(qdev); -+ return r; -+} -+ -+ -diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c -new file mode 100644 -index 0000000..51efb94 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_object.c -@@ -0,0 +1,365 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+#include -+static void qxl_ttm_bo_destroy(struct ttm_buffer_object *tbo) -+{ -+ struct qxl_bo *bo; -+ struct qxl_device *qdev; -+ -+ bo = container_of(tbo, struct qxl_bo, tbo); -+ qdev = (struct qxl_device *)bo->gem_base.dev->dev_private; -+ -+ qxl_surface_evict(qdev, bo, false); -+ qxl_fence_fini(&bo->fence); -+ mutex_lock(&qdev->gem.mutex); -+ list_del_init(&bo->list); -+ mutex_unlock(&qdev->gem.mutex); -+ drm_gem_object_release(&bo->gem_base); -+ kfree(bo); -+} -+ -+bool qxl_ttm_bo_is_qxl_bo(struct ttm_buffer_object *bo) -+{ -+ if (bo->destroy == &qxl_ttm_bo_destroy) -+ return true; -+ return false; -+} -+ -+void qxl_ttm_placement_from_domain(struct qxl_bo *qbo, u32 domain) -+{ -+ u32 c = 0; -+ -+ qbo->placement.fpfn = 0; -+ qbo->placement.lpfn = 0; -+ qbo->placement.placement = qbo->placements; -+ qbo->placement.busy_placement = qbo->placements; -+ if (domain & QXL_GEM_DOMAIN_VRAM) -+ qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_VRAM; -+ if (domain & QXL_GEM_DOMAIN_SURFACE) -+ qbo->placements[c++] = TTM_PL_FLAG_CACHED | TTM_PL_FLAG_PRIV0; -+ if (domain & QXL_GEM_DOMAIN_CPU) -+ qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; -+ if (!c) -+ qbo->placements[c++] = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; -+ qbo->placement.num_placement = c; -+ qbo->placement.num_busy_placement = c; -+} -+ -+ -+int qxl_bo_create(struct qxl_device *qdev, -+ unsigned long size, bool kernel, u32 domain, -+ struct qxl_surface *surf, -+ struct qxl_bo **bo_ptr) -+{ -+ struct qxl_bo *bo; -+ enum ttm_bo_type type; -+ int r; -+ -+ if (unlikely(qdev->mman.bdev.dev_mapping == NULL)) -+ qdev->mman.bdev.dev_mapping = qdev->ddev->dev_mapping; -+ if (kernel) -+ type = ttm_bo_type_kernel; -+ else -+ type = ttm_bo_type_device; -+ *bo_ptr = NULL; -+ bo = kzalloc(sizeof(struct qxl_bo), GFP_KERNEL); -+ if (bo == NULL) -+ return -ENOMEM; -+ size = roundup(size, PAGE_SIZE); -+ r = drm_gem_object_init(qdev->ddev, &bo->gem_base, size); -+ if (unlikely(r)) { -+ kfree(bo); -+ return r; -+ } -+ bo->gem_base.driver_private = NULL; -+ bo->type = domain; -+ bo->pin_count = 0; -+ bo->surface_id = 0; -+ qxl_fence_init(qdev, &bo->fence); -+ INIT_LIST_HEAD(&bo->list); -+ atomic_set(&bo->reserve_count, 0); -+ if (surf) -+ bo->surf = *surf; -+ -+ qxl_ttm_placement_from_domain(bo, domain); -+ -+ r = ttm_bo_init(&qdev->mman.bdev, &bo->tbo, size, type, -+ &bo->placement, 0, !kernel, NULL, size, -+ NULL, &qxl_ttm_bo_destroy); -+ if (unlikely(r != 0)) { -+ if (r != -ERESTARTSYS) -+ dev_err(qdev->dev, -+ "object_init failed for (%lu, 0x%08X)\n", -+ size, domain); -+ return r; -+ } -+ *bo_ptr = bo; -+ return 0; -+} -+ -+int qxl_bo_kmap(struct qxl_bo *bo, void **ptr) -+{ -+ bool is_iomem; -+ int r; -+ -+ if (bo->kptr) { -+ if (ptr) -+ *ptr = bo->kptr; -+ return 0; -+ } -+ r = ttm_bo_kmap(&bo->tbo, 0, bo->tbo.num_pages, &bo->kmap); -+ if (r) -+ return r; -+ bo->kptr = ttm_kmap_obj_virtual(&bo->kmap, &is_iomem); -+ if (ptr) -+ *ptr = bo->kptr; -+ return 0; -+} -+ -+void *qxl_bo_kmap_atomic_page(struct qxl_device *qdev, -+ struct qxl_bo *bo, int page_offset) -+{ -+ struct ttm_mem_type_manager *man = &bo->tbo.bdev->man[bo->tbo.mem.mem_type]; -+ void *rptr; -+ int ret; -+ struct io_mapping *map; -+ -+ if (bo->tbo.mem.mem_type == TTM_PL_VRAM) -+ map = qdev->vram_mapping; -+ else if (bo->tbo.mem.mem_type == TTM_PL_PRIV0) -+ map = qdev->surface_mapping; -+ else -+ goto fallback; -+ -+ (void) ttm_mem_io_lock(man, false); -+ ret = ttm_mem_io_reserve(bo->tbo.bdev, &bo->tbo.mem); -+ ttm_mem_io_unlock(man); -+ -+ return io_mapping_map_atomic_wc(map, bo->tbo.mem.bus.offset + page_offset); -+fallback: -+ if (bo->kptr) { -+ rptr = bo->kptr + (page_offset * PAGE_SIZE); -+ return rptr; -+ } -+ -+ ret = qxl_bo_kmap(bo, &rptr); -+ if (ret) -+ return NULL; -+ -+ rptr += page_offset * PAGE_SIZE; -+ return rptr; -+} -+ -+void qxl_bo_kunmap(struct qxl_bo *bo) -+{ -+ if (bo->kptr == NULL) -+ return; -+ bo->kptr = NULL; -+ ttm_bo_kunmap(&bo->kmap); -+} -+ -+void qxl_bo_kunmap_atomic_page(struct qxl_device *qdev, -+ struct qxl_bo *bo, void *pmap) -+{ -+ struct ttm_mem_type_manager *man = &bo->tbo.bdev->man[bo->tbo.mem.mem_type]; -+ struct io_mapping *map; -+ -+ if (bo->tbo.mem.mem_type == TTM_PL_VRAM) -+ map = qdev->vram_mapping; -+ else if (bo->tbo.mem.mem_type == TTM_PL_PRIV0) -+ map = qdev->surface_mapping; -+ else -+ goto fallback; -+ -+ io_mapping_unmap_atomic(pmap); -+ -+ (void) ttm_mem_io_lock(man, false); -+ ttm_mem_io_free(bo->tbo.bdev, &bo->tbo.mem); -+ ttm_mem_io_unlock(man); -+ return ; -+ fallback: -+ qxl_bo_kunmap(bo); -+} -+ -+void qxl_bo_unref(struct qxl_bo **bo) -+{ -+ struct ttm_buffer_object *tbo; -+ -+ if ((*bo) == NULL) -+ return; -+ tbo = &((*bo)->tbo); -+ ttm_bo_unref(&tbo); -+ if (tbo == NULL) -+ *bo = NULL; -+} -+ -+struct qxl_bo *qxl_bo_ref(struct qxl_bo *bo) -+{ -+ ttm_bo_reference(&bo->tbo); -+ return bo; -+} -+ -+int qxl_bo_pin(struct qxl_bo *bo, u32 domain, u64 *gpu_addr) -+{ -+ struct qxl_device *qdev = (struct qxl_device *)bo->gem_base.dev->dev_private; -+ int r, i; -+ -+ if (bo->pin_count) { -+ bo->pin_count++; -+ if (gpu_addr) -+ *gpu_addr = qxl_bo_gpu_offset(bo); -+ return 0; -+ } -+ qxl_ttm_placement_from_domain(bo, domain); -+ for (i = 0; i < bo->placement.num_placement; i++) -+ bo->placements[i] |= TTM_PL_FLAG_NO_EVICT; -+ r = ttm_bo_validate(&bo->tbo, &bo->placement, false, false); -+ if (likely(r == 0)) { -+ bo->pin_count = 1; -+ if (gpu_addr != NULL) -+ *gpu_addr = qxl_bo_gpu_offset(bo); -+ } -+ if (unlikely(r != 0)) -+ dev_err(qdev->dev, "%p pin failed\n", bo); -+ return r; -+} -+ -+int qxl_bo_unpin(struct qxl_bo *bo) -+{ -+ struct qxl_device *qdev = (struct qxl_device *)bo->gem_base.dev->dev_private; -+ int r, i; -+ -+ if (!bo->pin_count) { -+ dev_warn(qdev->dev, "%p unpin not necessary\n", bo); -+ return 0; -+ } -+ bo->pin_count--; -+ if (bo->pin_count) -+ return 0; -+ for (i = 0; i < bo->placement.num_placement; i++) -+ bo->placements[i] &= ~TTM_PL_FLAG_NO_EVICT; -+ r = ttm_bo_validate(&bo->tbo, &bo->placement, false, false); -+ if (unlikely(r != 0)) -+ dev_err(qdev->dev, "%p validate failed for unpin\n", bo); -+ return r; -+} -+ -+void qxl_bo_force_delete(struct qxl_device *qdev) -+{ -+ struct qxl_bo *bo, *n; -+ -+ if (list_empty(&qdev->gem.objects)) -+ return; -+ dev_err(qdev->dev, "Userspace still has active objects !\n"); -+ list_for_each_entry_safe(bo, n, &qdev->gem.objects, list) { -+ mutex_lock(&qdev->ddev->struct_mutex); -+ dev_err(qdev->dev, "%p %p %lu %lu force free\n", -+ &bo->gem_base, bo, (unsigned long)bo->gem_base.size, -+ *((unsigned long *)&bo->gem_base.refcount)); -+ mutex_lock(&qdev->gem.mutex); -+ list_del_init(&bo->list); -+ mutex_unlock(&qdev->gem.mutex); -+ /* this should unref the ttm bo */ -+ drm_gem_object_unreference(&bo->gem_base); -+ mutex_unlock(&qdev->ddev->struct_mutex); -+ } -+} -+ -+int qxl_bo_init(struct qxl_device *qdev) -+{ -+ return qxl_ttm_init(qdev); -+} -+ -+void qxl_bo_fini(struct qxl_device *qdev) -+{ -+ qxl_ttm_fini(qdev); -+} -+ -+int qxl_bo_check_id(struct qxl_device *qdev, struct qxl_bo *bo) -+{ -+ int ret; -+ if (bo->type == QXL_GEM_DOMAIN_SURFACE && bo->surface_id == 0) { -+ /* allocate a surface id for this surface now */ -+ ret = qxl_surface_id_alloc(qdev, bo); -+ if (ret) -+ return ret; -+ -+ ret = qxl_hw_surface_alloc(qdev, bo, NULL); -+ if (ret) -+ return ret; -+ } -+ return 0; -+} -+ -+void qxl_bo_list_unreserve(struct qxl_reloc_list *reloc_list, bool failed) -+{ -+ struct qxl_bo_list *entry, *sf; -+ -+ list_for_each_entry_safe(entry, sf, &reloc_list->bos, lhead) { -+ qxl_bo_unreserve(entry->bo); -+ list_del(&entry->lhead); -+ kfree(entry); -+ } -+} -+ -+int qxl_bo_list_add(struct qxl_reloc_list *reloc_list, struct qxl_bo *bo) -+{ -+ struct qxl_bo_list *entry; -+ int ret; -+ -+ list_for_each_entry(entry, &reloc_list->bos, lhead) { -+ if (entry->bo == bo) -+ return 0; -+ } -+ -+ entry = kmalloc(sizeof(struct qxl_bo_list), GFP_KERNEL); -+ if (!entry) -+ return -ENOMEM; -+ -+ entry->bo = bo; -+ list_add(&entry->lhead, &reloc_list->bos); -+ -+ ret = qxl_bo_reserve(bo, false); -+ if (ret) -+ return ret; -+ -+ if (!bo->pin_count) { -+ qxl_ttm_placement_from_domain(bo, bo->type); -+ ret = ttm_bo_validate(&bo->tbo, &bo->placement, -+ true, false); -+ if (ret) -+ return ret; -+ } -+ -+ /* allocate a surface for reserved + validated buffers */ -+ ret = qxl_bo_check_id(bo->gem_base.dev->dev_private, bo); -+ if (ret) -+ return ret; -+ return 0; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_object.h b/drivers/gpu/drm/qxl/qxl_object.h -new file mode 100644 -index 0000000..b4fd89f ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_object.h -@@ -0,0 +1,112 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+#ifndef QXL_OBJECT_H -+#define QXL_OBJECT_H -+ -+#include "qxl_drv.h" -+ -+static inline int qxl_bo_reserve(struct qxl_bo *bo, bool no_wait) -+{ -+ int r; -+ -+ r = ttm_bo_reserve(&bo->tbo, true, no_wait, false, 0); -+ if (unlikely(r != 0)) { -+ if (r != -ERESTARTSYS) { -+ struct qxl_device *qdev = (struct qxl_device *)bo->gem_base.dev->dev_private; -+ dev_err(qdev->dev, "%p reserve failed\n", bo); -+ } -+ return r; -+ } -+ return 0; -+} -+ -+static inline void qxl_bo_unreserve(struct qxl_bo *bo) -+{ -+ ttm_bo_unreserve(&bo->tbo); -+} -+ -+static inline u64 qxl_bo_gpu_offset(struct qxl_bo *bo) -+{ -+ return bo->tbo.offset; -+} -+ -+static inline unsigned long qxl_bo_size(struct qxl_bo *bo) -+{ -+ return bo->tbo.num_pages << PAGE_SHIFT; -+} -+ -+static inline bool qxl_bo_is_reserved(struct qxl_bo *bo) -+{ -+ return !!atomic_read(&bo->tbo.reserved); -+} -+ -+static inline u64 qxl_bo_mmap_offset(struct qxl_bo *bo) -+{ -+ return bo->tbo.addr_space_offset; -+} -+ -+static inline int qxl_bo_wait(struct qxl_bo *bo, u32 *mem_type, -+ bool no_wait) -+{ -+ int r; -+ -+ r = ttm_bo_reserve(&bo->tbo, true, no_wait, false, 0); -+ if (unlikely(r != 0)) { -+ if (r != -ERESTARTSYS) { -+ struct qxl_device *qdev = (struct qxl_device *)bo->gem_base.dev->dev_private; -+ dev_err(qdev->dev, "%p reserve failed for wait\n", -+ bo); -+ } -+ return r; -+ } -+ spin_lock(&bo->tbo.bdev->fence_lock); -+ if (mem_type) -+ *mem_type = bo->tbo.mem.mem_type; -+ if (bo->tbo.sync_obj) -+ r = ttm_bo_wait(&bo->tbo, true, true, no_wait); -+ spin_unlock(&bo->tbo.bdev->fence_lock); -+ ttm_bo_unreserve(&bo->tbo); -+ return r; -+} -+ -+extern int qxl_bo_create(struct qxl_device *qdev, -+ unsigned long size, -+ bool kernel, u32 domain, -+ struct qxl_surface *surf, -+ struct qxl_bo **bo_ptr); -+extern int qxl_bo_kmap(struct qxl_bo *bo, void **ptr); -+extern void qxl_bo_kunmap(struct qxl_bo *bo); -+void *qxl_bo_kmap_atomic_page(struct qxl_device *qdev, struct qxl_bo *bo, int page_offset); -+void qxl_bo_kunmap_atomic_page(struct qxl_device *qdev, struct qxl_bo *bo, void *map); -+extern struct qxl_bo *qxl_bo_ref(struct qxl_bo *bo); -+extern void qxl_bo_unref(struct qxl_bo **bo); -+extern int qxl_bo_pin(struct qxl_bo *bo, u32 domain, u64 *gpu_addr); -+extern int qxl_bo_unpin(struct qxl_bo *bo); -+extern void qxl_ttm_placement_from_domain(struct qxl_bo *qbo, u32 domain); -+extern bool qxl_ttm_bo_is_qxl_bo(struct ttm_buffer_object *bo); -+ -+extern int qxl_bo_list_add(struct qxl_reloc_list *reloc_list, struct qxl_bo *bo); -+extern void qxl_bo_list_unreserve(struct qxl_reloc_list *reloc_list, bool failed); -+#endif -diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c -new file mode 100644 -index 0000000..1600781 ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_release.c -@@ -0,0 +1,307 @@ -+/* -+ * Copyright 2011 Red Hat, Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * on the rights to use, copy, modify, merge, publish, distribute, sub -+ * license, and/or sell copies of the Software, and to permit persons to whom -+ * the Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT. IN NO EVENT SHALL -+ * THE AUTHORS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER -+ * IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN -+ * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. -+ */ -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+/* -+ * drawable cmd cache - allocate a bunch of VRAM pages, suballocate -+ * into 256 byte chunks for now - gives 16 cmds per page. -+ * -+ * use an ida to index into the chunks? -+ */ -+/* manage releaseables */ -+/* stack them 16 high for now -drawable object is 191 */ -+#define RELEASE_SIZE 256 -+#define RELEASES_PER_BO (4096 / RELEASE_SIZE) -+/* put an alloc/dealloc surface cmd into one bo and round up to 128 */ -+#define SURFACE_RELEASE_SIZE 128 -+#define SURFACE_RELEASES_PER_BO (4096 / SURFACE_RELEASE_SIZE) -+ -+static const int release_size_per_bo[] = { RELEASE_SIZE, SURFACE_RELEASE_SIZE, RELEASE_SIZE }; -+static const int releases_per_bo[] = { RELEASES_PER_BO, SURFACE_RELEASES_PER_BO, RELEASES_PER_BO }; -+uint64_t -+qxl_release_alloc(struct qxl_device *qdev, int type, -+ struct qxl_release **ret) -+{ -+ struct qxl_release *release; -+ int handle = 0; -+ size_t size = sizeof(*release); -+ int idr_ret; -+ -+ release = kmalloc(size, GFP_KERNEL); -+ if (!release) { -+ DRM_ERROR("Out of memory\n"); -+ return 0; -+ } -+ release->type = type; -+ release->bo_count = 0; -+ release->release_offset = 0; -+ release->surface_release_id = 0; -+again: -+ if (idr_pre_get(&qdev->release_idr, GFP_KERNEL) == 0) { -+ DRM_ERROR("Out of memory for release idr\n"); -+ kfree(release); -+ goto release_fail; -+ } -+ spin_lock(&qdev->release_idr_lock); -+ idr_ret = idr_get_new_above(&qdev->release_idr, release, 1, &handle); -+ spin_unlock(&qdev->release_idr_lock); -+ if (idr_ret == -EAGAIN) -+ goto again; -+ if (ret) -+ *ret = release; -+ QXL_INFO(qdev, "allocated release %lld\n", handle); -+ release->id = handle; -+release_fail: -+ -+ return handle; -+} -+ -+void -+qxl_release_free(struct qxl_device *qdev, -+ struct qxl_release *release) -+{ -+ int i; -+ -+ QXL_INFO(qdev, "release %d, type %d, %d bos\n", release->id, -+ release->type, release->bo_count); -+ -+ if (release->surface_release_id) -+ qxl_surface_id_dealloc(qdev, release->surface_release_id); -+ -+ for (i = 0 ; i < release->bo_count; ++i) { -+ QXL_INFO(qdev, "release %llx\n", -+ release->bos[i]->tbo.addr_space_offset -+ - DRM_FILE_OFFSET); -+ qxl_fence_remove_release(&release->bos[i]->fence, release->id); -+ qxl_bo_unref(&release->bos[i]); -+ } -+ spin_lock(&qdev->release_idr_lock); -+ idr_remove(&qdev->release_idr, release->id); -+ spin_unlock(&qdev->release_idr_lock); -+ kfree(release); -+} -+ -+void -+qxl_release_add_res(struct qxl_device *qdev, struct qxl_release *release, -+ struct qxl_bo *bo) -+{ -+ int i; -+ for (i = 0; i < release->bo_count; i++) -+ if (release->bos[i] == bo) -+ return; -+ -+ if (release->bo_count >= QXL_MAX_RES) { -+ DRM_ERROR("exceeded max resource on a qxl_release item\n"); -+ return; -+ } -+ release->bos[release->bo_count++] = qxl_bo_ref(bo); -+} -+ -+int qxl_release_bo_alloc(struct qxl_device *qdev, -+ struct qxl_bo **bo) -+{ -+ int ret; -+ ret = qxl_bo_create(qdev, PAGE_SIZE, false, QXL_GEM_DOMAIN_VRAM, NULL, -+ bo); -+ return ret; -+} -+ -+int qxl_release_reserve(struct qxl_device *qdev, -+ struct qxl_release *release, bool no_wait) -+{ -+ int ret; -+ if (atomic_inc_return(&release->bos[0]->reserve_count) == 1) { -+ ret = qxl_bo_reserve(release->bos[0], no_wait); -+ if (ret) -+ return ret; -+ } -+ return 0; -+} -+ -+void qxl_release_unreserve(struct qxl_device *qdev, -+ struct qxl_release *release) -+{ -+ if (atomic_dec_and_test(&release->bos[0]->reserve_count)) -+ qxl_bo_unreserve(release->bos[0]); -+} -+ -+int qxl_alloc_surface_release_reserved(struct qxl_device *qdev, -+ enum qxl_surface_cmd_type surface_cmd_type, -+ struct qxl_release *create_rel, -+ struct qxl_release **release) -+{ -+ int ret; -+ -+ if (surface_cmd_type == QXL_SURFACE_CMD_DESTROY && create_rel) { -+ int idr_ret; -+ struct qxl_bo *bo; -+ union qxl_release_info *info; -+ -+ /* stash the release after the create command */ -+ idr_ret = qxl_release_alloc(qdev, QXL_RELEASE_SURFACE_CMD, release); -+ bo = qxl_bo_ref(create_rel->bos[0]); -+ -+ (*release)->release_offset = create_rel->release_offset + 64; -+ -+ qxl_release_add_res(qdev, *release, bo); -+ -+ ret = qxl_release_reserve(qdev, *release, false); -+ if (ret) { -+ DRM_ERROR("release reserve failed\n"); -+ goto out_unref; -+ } -+ info = qxl_release_map(qdev, *release); -+ info->id = idr_ret; -+ qxl_release_unmap(qdev, *release, info); -+ -+ -+out_unref: -+ qxl_bo_unref(&bo); -+ return ret; -+ } -+ -+ return qxl_alloc_release_reserved(qdev, sizeof(struct qxl_surface_cmd), -+ QXL_RELEASE_SURFACE_CMD, release, NULL); -+} -+ -+int qxl_alloc_release_reserved(struct qxl_device *qdev, unsigned long size, -+ int type, struct qxl_release **release, -+ struct qxl_bo **rbo) -+{ -+ struct qxl_bo *bo; -+ int idr_ret; -+ int ret; -+ union qxl_release_info *info; -+ int cur_idx; -+ -+ if (type == QXL_RELEASE_DRAWABLE) -+ cur_idx = 0; -+ else if (type == QXL_RELEASE_SURFACE_CMD) -+ cur_idx = 1; -+ else if (type == QXL_RELEASE_CURSOR_CMD) -+ cur_idx = 2; -+ else { -+ DRM_ERROR("got illegal type: %d\n", type); -+ return -EINVAL; -+ } -+ -+ idr_ret = qxl_release_alloc(qdev, type, release); -+ -+ mutex_lock(&qdev->release_mutex); -+ if (qdev->current_release_bo_offset[cur_idx] + 1 >= releases_per_bo[cur_idx]) { -+ qxl_bo_unref(&qdev->current_release_bo[cur_idx]); -+ qdev->current_release_bo_offset[cur_idx] = 0; -+ qdev->current_release_bo[cur_idx] = NULL; -+ } -+ if (!qdev->current_release_bo[cur_idx]) { -+ ret = qxl_release_bo_alloc(qdev, &qdev->current_release_bo[cur_idx]); -+ if (ret) { -+ mutex_unlock(&qdev->release_mutex); -+ return ret; -+ } -+ -+ /* pin releases bo's they are too messy to evict */ -+ ret = qxl_bo_reserve(qdev->current_release_bo[cur_idx], false); -+ qxl_bo_pin(qdev->current_release_bo[cur_idx], QXL_GEM_DOMAIN_VRAM, NULL); -+ qxl_bo_unreserve(qdev->current_release_bo[cur_idx]); -+ } -+ -+ bo = qxl_bo_ref(qdev->current_release_bo[cur_idx]); -+ -+ (*release)->release_offset = qdev->current_release_bo_offset[cur_idx] * release_size_per_bo[cur_idx]; -+ qdev->current_release_bo_offset[cur_idx]++; -+ -+ if (rbo) -+ *rbo = bo; -+ -+ qxl_release_add_res(qdev, *release, bo); -+ -+ ret = qxl_release_reserve(qdev, *release, false); -+ mutex_unlock(&qdev->release_mutex); -+ if (ret) -+ goto out_unref; -+ -+ info = qxl_release_map(qdev, *release); -+ info->id = idr_ret; -+ qxl_release_unmap(qdev, *release, info); -+ -+out_unref: -+ qxl_bo_unref(&bo); -+ return ret; -+} -+ -+int qxl_fence_releaseable(struct qxl_device *qdev, -+ struct qxl_release *release) -+{ -+ int i, ret; -+ for (i = 0; i < release->bo_count; i++) { -+ if (!release->bos[i]->tbo.sync_obj) -+ release->bos[i]->tbo.sync_obj = &release->bos[i]->fence; -+ ret = qxl_fence_add_release(&release->bos[i]->fence, release->id); -+ if (ret) -+ return ret; -+ } -+ return 0; -+} -+ -+struct qxl_release *qxl_release_from_id_locked(struct qxl_device *qdev, -+ uint64_t id) -+{ -+ struct qxl_release *release; -+ -+ spin_lock(&qdev->release_idr_lock); -+ release = idr_find(&qdev->release_idr, id); -+ spin_unlock(&qdev->release_idr_lock); -+ if (!release) { -+ DRM_ERROR("failed to find id in release_idr\n"); -+ return NULL; -+ } -+ if (release->bo_count < 1) { -+ DRM_ERROR("read a released resource with 0 bos\n"); -+ return NULL; -+ } -+ return release; -+} -+ -+union qxl_release_info *qxl_release_map(struct qxl_device *qdev, -+ struct qxl_release *release) -+{ -+ void *ptr; -+ union qxl_release_info *info; -+ struct qxl_bo *bo = release->bos[0]; -+ -+ ptr = qxl_bo_kmap_atomic_page(qdev, bo, release->release_offset & PAGE_SIZE); -+ info = ptr + (release->release_offset & ~PAGE_SIZE); -+ return info; -+} -+ -+void qxl_release_unmap(struct qxl_device *qdev, -+ struct qxl_release *release, -+ union qxl_release_info *info) -+{ -+ struct qxl_bo *bo = release->bos[0]; -+ void *ptr; -+ -+ ptr = ((void *)info) - (release->release_offset & ~PAGE_SIZE); -+ qxl_bo_kunmap_atomic_page(qdev, bo, ptr); -+} -diff --git a/drivers/gpu/drm/qxl/qxl_ttm.c b/drivers/gpu/drm/qxl/qxl_ttm.c -new file mode 100644 -index 0000000..aa9fb9a ---- /dev/null -+++ b/drivers/gpu/drm/qxl/qxl_ttm.c -@@ -0,0 +1,577 @@ -+/* -+ * Copyright 2013 Red Hat Inc. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice shall be included in -+ * all copies or substantial portions of the Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE COPYRIGHT HOLDER(S) OR AUTHOR(S) BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ * -+ * Authors: Dave Airlie -+ * Alon Levy -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "qxl_drv.h" -+#include "qxl_object.h" -+ -+#include -+static int qxl_ttm_debugfs_init(struct qxl_device *qdev); -+ -+static struct qxl_device *qxl_get_qdev(struct ttm_bo_device *bdev) -+{ -+ struct qxl_mman *mman; -+ struct qxl_device *qdev; -+ -+ mman = container_of(bdev, struct qxl_mman, bdev); -+ qdev = container_of(mman, struct qxl_device, mman); -+ return qdev; -+} -+ -+static int qxl_ttm_mem_global_init(struct drm_global_reference *ref) -+{ -+ return ttm_mem_global_init(ref->object); -+} -+ -+static void qxl_ttm_mem_global_release(struct drm_global_reference *ref) -+{ -+ ttm_mem_global_release(ref->object); -+} -+ -+static int qxl_ttm_global_init(struct qxl_device *qdev) -+{ -+ struct drm_global_reference *global_ref; -+ int r; -+ -+ qdev->mman.mem_global_referenced = false; -+ global_ref = &qdev->mman.mem_global_ref; -+ global_ref->global_type = DRM_GLOBAL_TTM_MEM; -+ global_ref->size = sizeof(struct ttm_mem_global); -+ global_ref->init = &qxl_ttm_mem_global_init; -+ global_ref->release = &qxl_ttm_mem_global_release; -+ -+ r = drm_global_item_ref(global_ref); -+ if (r != 0) { -+ DRM_ERROR("Failed setting up TTM memory accounting " -+ "subsystem.\n"); -+ return r; -+ } -+ -+ qdev->mman.bo_global_ref.mem_glob = -+ qdev->mman.mem_global_ref.object; -+ global_ref = &qdev->mman.bo_global_ref.ref; -+ global_ref->global_type = DRM_GLOBAL_TTM_BO; -+ global_ref->size = sizeof(struct ttm_bo_global); -+ global_ref->init = &ttm_bo_global_init; -+ global_ref->release = &ttm_bo_global_release; -+ r = drm_global_item_ref(global_ref); -+ if (r != 0) { -+ DRM_ERROR("Failed setting up TTM BO subsystem.\n"); -+ drm_global_item_unref(&qdev->mman.mem_global_ref); -+ return r; -+ } -+ -+ qdev->mman.mem_global_referenced = true; -+ return 0; -+} -+ -+static void qxl_ttm_global_fini(struct qxl_device *qdev) -+{ -+ if (qdev->mman.mem_global_referenced) { -+ drm_global_item_unref(&qdev->mman.bo_global_ref.ref); -+ drm_global_item_unref(&qdev->mman.mem_global_ref); -+ qdev->mman.mem_global_referenced = false; -+ } -+} -+ -+static struct vm_operations_struct qxl_ttm_vm_ops; -+static const struct vm_operations_struct *ttm_vm_ops; -+ -+static int qxl_ttm_fault(struct vm_area_struct *vma, struct vm_fault *vmf) -+{ -+ struct ttm_buffer_object *bo; -+ struct qxl_device *qdev; -+ int r; -+ -+ bo = (struct ttm_buffer_object *)vma->vm_private_data; -+ if (bo == NULL) -+ return VM_FAULT_NOPAGE; -+ qdev = qxl_get_qdev(bo->bdev); -+ r = ttm_vm_ops->fault(vma, vmf); -+ return r; -+} -+ -+int qxl_mmap(struct file *filp, struct vm_area_struct *vma) -+{ -+ struct drm_file *file_priv; -+ struct qxl_device *qdev; -+ int r; -+ -+ if (unlikely(vma->vm_pgoff < DRM_FILE_PAGE_OFFSET)) { -+ pr_info("%s: vma->vm_pgoff (%ld) < DRM_FILE_PAGE_OFFSET\n", -+ __func__, vma->vm_pgoff); -+ return drm_mmap(filp, vma); -+ } -+ -+ file_priv = filp->private_data; -+ qdev = file_priv->minor->dev->dev_private; -+ if (qdev == NULL) { -+ DRM_ERROR( -+ "filp->private_data->minor->dev->dev_private == NULL\n"); -+ return -EINVAL; -+ } -+ QXL_INFO(qdev, "%s: filp->private_data = 0x%p, vma->vm_pgoff = %lx\n", -+ __func__, filp->private_data, vma->vm_pgoff); -+ -+ r = ttm_bo_mmap(filp, vma, &qdev->mman.bdev); -+ if (unlikely(r != 0)) -+ return r; -+ if (unlikely(ttm_vm_ops == NULL)) { -+ ttm_vm_ops = vma->vm_ops; -+ qxl_ttm_vm_ops = *ttm_vm_ops; -+ qxl_ttm_vm_ops.fault = &qxl_ttm_fault; -+ } -+ vma->vm_ops = &qxl_ttm_vm_ops; -+ return 0; -+} -+ -+static int qxl_invalidate_caches(struct ttm_bo_device *bdev, uint32_t flags) -+{ -+ return 0; -+} -+ -+static int qxl_init_mem_type(struct ttm_bo_device *bdev, uint32_t type, -+ struct ttm_mem_type_manager *man) -+{ -+ struct qxl_device *qdev; -+ -+ qdev = qxl_get_qdev(bdev); -+ -+ switch (type) { -+ case TTM_PL_SYSTEM: -+ /* System memory */ -+ man->flags = TTM_MEMTYPE_FLAG_MAPPABLE; -+ man->available_caching = TTM_PL_MASK_CACHING; -+ man->default_caching = TTM_PL_FLAG_CACHED; -+ break; -+ case TTM_PL_VRAM: -+ case TTM_PL_PRIV0: -+ /* "On-card" video ram */ -+ man->func = &ttm_bo_manager_func; -+ man->gpu_offset = 0; -+ man->flags = TTM_MEMTYPE_FLAG_FIXED | -+ TTM_MEMTYPE_FLAG_MAPPABLE; -+ man->available_caching = TTM_PL_MASK_CACHING; -+ man->default_caching = TTM_PL_FLAG_CACHED; -+ break; -+ default: -+ DRM_ERROR("Unsupported memory type %u\n", (unsigned)type); -+ return -EINVAL; -+ } -+ return 0; -+} -+ -+static void qxl_evict_flags(struct ttm_buffer_object *bo, -+ struct ttm_placement *placement) -+{ -+ struct qxl_bo *qbo; -+ static u32 placements = TTM_PL_MASK_CACHING | TTM_PL_FLAG_SYSTEM; -+ -+ if (!qxl_ttm_bo_is_qxl_bo(bo)) { -+ placement->fpfn = 0; -+ placement->lpfn = 0; -+ placement->placement = &placements; -+ placement->busy_placement = &placements; -+ placement->num_placement = 1; -+ placement->num_busy_placement = 1; -+ return; -+ } -+ qbo = container_of(bo, struct qxl_bo, tbo); -+ qxl_ttm_placement_from_domain(qbo, QXL_GEM_DOMAIN_CPU); -+ *placement = qbo->placement; -+} -+ -+static int qxl_verify_access(struct ttm_buffer_object *bo, struct file *filp) -+{ -+ return 0; -+} -+ -+static int qxl_ttm_io_mem_reserve(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem) -+{ -+ struct ttm_mem_type_manager *man = &bdev->man[mem->mem_type]; -+ struct qxl_device *qdev = qxl_get_qdev(bdev); -+ -+ mem->bus.addr = NULL; -+ mem->bus.offset = 0; -+ mem->bus.size = mem->num_pages << PAGE_SHIFT; -+ mem->bus.base = 0; -+ mem->bus.is_iomem = false; -+ if (!(man->flags & TTM_MEMTYPE_FLAG_MAPPABLE)) -+ return -EINVAL; -+ switch (mem->mem_type) { -+ case TTM_PL_SYSTEM: -+ /* system memory */ -+ return 0; -+ case TTM_PL_VRAM: -+ mem->bus.is_iomem = true; -+ mem->bus.base = qdev->vram_base; -+ mem->bus.offset = mem->start << PAGE_SHIFT; -+ break; -+ case TTM_PL_PRIV0: -+ mem->bus.is_iomem = true; -+ mem->bus.base = qdev->surfaceram_base; -+ mem->bus.offset = mem->start << PAGE_SHIFT; -+ break; -+ default: -+ return -EINVAL; -+ } -+ return 0; -+} -+ -+static void qxl_ttm_io_mem_free(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem) -+{ -+} -+ -+/* -+ * TTM backend functions. -+ */ -+struct qxl_ttm_tt { -+ struct ttm_dma_tt ttm; -+ struct qxl_device *qdev; -+ u64 offset; -+}; -+ -+static int qxl_ttm_backend_bind(struct ttm_tt *ttm, -+ struct ttm_mem_reg *bo_mem) -+{ -+ struct qxl_ttm_tt *gtt = (void *)ttm; -+ -+ gtt->offset = (unsigned long)(bo_mem->start << PAGE_SHIFT); -+ if (!ttm->num_pages) { -+ WARN(1, "nothing to bind %lu pages for mreg %p back %p!\n", -+ ttm->num_pages, bo_mem, ttm); -+ } -+ /* Not implemented */ -+ return -1; -+} -+ -+static int qxl_ttm_backend_unbind(struct ttm_tt *ttm) -+{ -+ /* Not implemented */ -+ return -1; -+} -+ -+static void qxl_ttm_backend_destroy(struct ttm_tt *ttm) -+{ -+ struct qxl_ttm_tt *gtt = (void *)ttm; -+ -+ ttm_dma_tt_fini(>t->ttm); -+ kfree(gtt); -+} -+ -+static struct ttm_backend_func qxl_backend_func = { -+ .bind = &qxl_ttm_backend_bind, -+ .unbind = &qxl_ttm_backend_unbind, -+ .destroy = &qxl_ttm_backend_destroy, -+}; -+ -+static int qxl_ttm_tt_populate(struct ttm_tt *ttm) -+{ -+ int r; -+ -+ if (ttm->state != tt_unpopulated) -+ return 0; -+ -+ r = ttm_pool_populate(ttm); -+ if (r) -+ return r; -+ -+ return 0; -+} -+ -+static void qxl_ttm_tt_unpopulate(struct ttm_tt *ttm) -+{ -+ ttm_pool_unpopulate(ttm); -+} -+ -+struct ttm_tt *qxl_ttm_tt_create(struct ttm_bo_device *bdev, -+ unsigned long size, uint32_t page_flags, -+ struct page *dummy_read_page) -+{ -+ struct qxl_device *qdev; -+ struct qxl_ttm_tt *gtt; -+ -+ qdev = qxl_get_qdev(bdev); -+ gtt = kzalloc(sizeof(struct qxl_ttm_tt), GFP_KERNEL); -+ if (gtt == NULL) -+ return NULL; -+ gtt->ttm.ttm.func = &qxl_backend_func; -+ gtt->qdev = qdev; -+ if (ttm_dma_tt_init(>t->ttm, bdev, size, page_flags, -+ dummy_read_page)) { -+ kfree(gtt); -+ return NULL; -+ } -+ return >t->ttm.ttm; -+} -+ -+static void qxl_move_null(struct ttm_buffer_object *bo, -+ struct ttm_mem_reg *new_mem) -+{ -+ struct ttm_mem_reg *old_mem = &bo->mem; -+ -+ BUG_ON(old_mem->mm_node != NULL); -+ *old_mem = *new_mem; -+ new_mem->mm_node = NULL; -+} -+ -+static int qxl_bo_move(struct ttm_buffer_object *bo, -+ bool evict, bool interruptible, -+ bool no_wait_gpu, -+ struct ttm_mem_reg *new_mem) -+{ -+ struct ttm_mem_reg *old_mem = &bo->mem; -+ if (old_mem->mem_type == TTM_PL_SYSTEM && bo->ttm == NULL) { -+ qxl_move_null(bo, new_mem); -+ return 0; -+ } -+ return ttm_bo_move_memcpy(bo, evict, no_wait_gpu, new_mem); -+} -+ -+ -+static int qxl_sync_obj_wait(void *sync_obj, -+ bool lazy, bool interruptible) -+{ -+ struct qxl_fence *qfence = (struct qxl_fence *)sync_obj; -+ int count = 0, sc = 0; -+ struct qxl_bo *bo = container_of(qfence, struct qxl_bo, fence); -+ -+ if (qfence->num_active_releases == 0) -+ return 0; -+ -+retry: -+ if (sc == 0) { -+ if (bo->type == QXL_GEM_DOMAIN_SURFACE) -+ qxl_update_surface(qfence->qdev, bo); -+ } else if (sc >= 1) { -+ qxl_io_notify_oom(qfence->qdev); -+ } -+ -+ sc++; -+ -+ for (count = 0; count < 10; count++) { -+ bool ret; -+ ret = qxl_queue_garbage_collect(qfence->qdev, true); -+ if (ret == false) -+ break; -+ -+ if (qfence->num_active_releases == 0) -+ return 0; -+ } -+ -+ if (qfence->num_active_releases) { -+ bool have_drawable_releases = false; -+ void **slot; -+ struct radix_tree_iter iter; -+ int release_id; -+ -+ radix_tree_for_each_slot(slot, &qfence->tree, &iter, 0) { -+ struct qxl_release *release; -+ -+ release_id = iter.index; -+ release = qxl_release_from_id_locked(qfence->qdev, release_id); -+ if (release == NULL) -+ continue; -+ -+ if (release->type == QXL_RELEASE_DRAWABLE) -+ have_drawable_releases = true; -+ } -+ -+ qxl_queue_garbage_collect(qfence->qdev, true); -+ -+ if (have_drawable_releases || sc < 4) { -+ if (sc > 2) -+ /* back off */ -+ usleep_range(500, 1000); -+ if (have_drawable_releases && sc > 300) { -+ WARN(1, "sync obj %d still has outstanding releases %d %d %d %ld %d\n", sc, bo->surface_id, bo->is_primary, bo->pin_count, (unsigned long)bo->gem_base.size, qfence->num_active_releases); -+ return -EBUSY; -+ } -+ goto retry; -+ } -+ } -+ return 0; -+} -+ -+static int qxl_sync_obj_flush(void *sync_obj) -+{ -+ return 0; -+} -+ -+static void qxl_sync_obj_unref(void **sync_obj) -+{ -+} -+ -+static void *qxl_sync_obj_ref(void *sync_obj) -+{ -+ return sync_obj; -+} -+ -+static bool qxl_sync_obj_signaled(void *sync_obj) -+{ -+ struct qxl_fence *qfence = (struct qxl_fence *)sync_obj; -+ return (qfence->num_active_releases == 0); -+} -+ -+static void qxl_bo_move_notify(struct ttm_buffer_object *bo, -+ struct ttm_mem_reg *new_mem) -+{ -+ struct qxl_bo *qbo; -+ struct qxl_device *qdev; -+ -+ if (!qxl_ttm_bo_is_qxl_bo(bo)) -+ return; -+ qbo = container_of(bo, struct qxl_bo, tbo); -+ qdev = qbo->gem_base.dev->dev_private; -+ -+ if (bo->mem.mem_type == TTM_PL_PRIV0 && qbo->surface_id) -+ qxl_surface_evict(qdev, qbo, new_mem ? true : false); -+} -+ -+static struct ttm_bo_driver qxl_bo_driver = { -+ .ttm_tt_create = &qxl_ttm_tt_create, -+ .ttm_tt_populate = &qxl_ttm_tt_populate, -+ .ttm_tt_unpopulate = &qxl_ttm_tt_unpopulate, -+ .invalidate_caches = &qxl_invalidate_caches, -+ .init_mem_type = &qxl_init_mem_type, -+ .evict_flags = &qxl_evict_flags, -+ .move = &qxl_bo_move, -+ .verify_access = &qxl_verify_access, -+ .io_mem_reserve = &qxl_ttm_io_mem_reserve, -+ .io_mem_free = &qxl_ttm_io_mem_free, -+ .sync_obj_signaled = &qxl_sync_obj_signaled, -+ .sync_obj_wait = &qxl_sync_obj_wait, -+ .sync_obj_flush = &qxl_sync_obj_flush, -+ .sync_obj_unref = &qxl_sync_obj_unref, -+ .sync_obj_ref = &qxl_sync_obj_ref, -+ .move_notify = &qxl_bo_move_notify, -+}; -+ -+ -+ -+int qxl_ttm_init(struct qxl_device *qdev) -+{ -+ int r; -+ int num_io_pages; /* != rom->num_io_pages, we include surface0 */ -+ -+ r = qxl_ttm_global_init(qdev); -+ if (r) -+ return r; -+ /* No others user of address space so set it to 0 */ -+ r = ttm_bo_device_init(&qdev->mman.bdev, -+ qdev->mman.bo_global_ref.ref.object, -+ &qxl_bo_driver, DRM_FILE_PAGE_OFFSET, 0); -+ if (r) { -+ DRM_ERROR("failed initializing buffer object driver(%d).\n", r); -+ return r; -+ } -+ /* NOTE: this includes the framebuffer (aka surface 0) */ -+ num_io_pages = qdev->rom->ram_header_offset / PAGE_SIZE; -+ r = ttm_bo_init_mm(&qdev->mman.bdev, TTM_PL_VRAM, -+ num_io_pages); -+ if (r) { -+ DRM_ERROR("Failed initializing VRAM heap.\n"); -+ return r; -+ } -+ r = ttm_bo_init_mm(&qdev->mman.bdev, TTM_PL_PRIV0, -+ qdev->surfaceram_size / PAGE_SIZE); -+ if (r) { -+ DRM_ERROR("Failed initializing Surfaces heap.\n"); -+ return r; -+ } -+ DRM_INFO("qxl: %uM of VRAM memory size\n", -+ (unsigned)qdev->vram_size / (1024 * 1024)); -+ DRM_INFO("qxl: %luM of IO pages memory ready (VRAM domain)\n", -+ ((unsigned)num_io_pages * PAGE_SIZE) / (1024 * 1024)); -+ if (unlikely(qdev->mman.bdev.dev_mapping == NULL)) -+ qdev->mman.bdev.dev_mapping = qdev->ddev->dev_mapping; -+ r = qxl_ttm_debugfs_init(qdev); -+ if (r) { -+ DRM_ERROR("Failed to init debugfs\n"); -+ return r; -+ } -+ return 0; -+} -+ -+void qxl_ttm_fini(struct qxl_device *qdev) -+{ -+ ttm_bo_clean_mm(&qdev->mman.bdev, TTM_PL_VRAM); -+ ttm_bo_clean_mm(&qdev->mman.bdev, TTM_PL_PRIV0); -+ ttm_bo_device_release(&qdev->mman.bdev); -+ qxl_ttm_global_fini(qdev); -+ DRM_INFO("qxl: ttm finalized\n"); -+} -+ -+ -+#define QXL_DEBUGFS_MEM_TYPES 2 -+ -+#if defined(CONFIG_DEBUG_FS) -+static int qxl_mm_dump_table(struct seq_file *m, void *data) -+{ -+ struct drm_info_node *node = (struct drm_info_node *)m->private; -+ struct drm_mm *mm = (struct drm_mm *)node->info_ent->data; -+ struct drm_device *dev = node->minor->dev; -+ struct qxl_device *rdev = dev->dev_private; -+ int ret; -+ struct ttm_bo_global *glob = rdev->mman.bdev.glob; -+ -+ spin_lock(&glob->lru_lock); -+ ret = drm_mm_dump_table(m, mm); -+ spin_unlock(&glob->lru_lock); -+ return ret; -+} -+#endif -+ -+static int qxl_ttm_debugfs_init(struct qxl_device *qdev) -+{ -+ static struct drm_info_list qxl_mem_types_list[QXL_DEBUGFS_MEM_TYPES]; -+ static char qxl_mem_types_names[QXL_DEBUGFS_MEM_TYPES][32]; -+ unsigned i; -+ -+ for (i = 0; i < QXL_DEBUGFS_MEM_TYPES; i++) { -+ if (i == 0) -+ sprintf(qxl_mem_types_names[i], "qxl_mem_mm"); -+ else -+ sprintf(qxl_mem_types_names[i], "qxl_surf_mm"); -+ qxl_mem_types_list[i].name = qxl_mem_types_names[i]; -+ qxl_mem_types_list[i].show = &qxl_mm_dump_table; -+ qxl_mem_types_list[i].driver_features = 0; -+ if (i == 0) -+ qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_VRAM].priv; -+ else -+ qxl_mem_types_list[i].data = qdev->mman.bdev.man[TTM_PL_PRIV0].priv; -+ -+ } -+ return qxl_debugfs_add_files(qdev, qxl_mem_types_list, i); -+} -diff --git a/include/uapi/drm/Kbuild b/include/uapi/drm/Kbuild -index ba99ce3..a042a95 100644 ---- a/include/uapi/drm/Kbuild -+++ b/include/uapi/drm/Kbuild -@@ -8,6 +8,7 @@ header-y += i810_drm.h - header-y += i915_drm.h - header-y += mga_drm.h - header-y += nouveau_drm.h -+header-y += qxl_drm.h - header-y += r128_drm.h - header-y += radeon_drm.h - header-y += savage_drm.h -diff --git a/include/uapi/drm/qxl_drm.h b/include/uapi/drm/qxl_drm.h -new file mode 100644 -index 0000000..ebebd36 ---- /dev/null -+++ b/include/uapi/drm/qxl_drm.h -@@ -0,0 +1,152 @@ -+/* -+ * Copyright 2013 Red Hat -+ * All Rights Reserved. -+ * -+ * Permission is hereby granted, free of charge, to any person obtaining a -+ * copy of this software and associated documentation files (the "Software"), -+ * to deal in the Software without restriction, including without limitation -+ * the rights to use, copy, modify, merge, publish, distribute, sublicense, -+ * and/or sell copies of the Software, and to permit persons to whom the -+ * Software is furnished to do so, subject to the following conditions: -+ * -+ * The above copyright notice and this permission notice (including the next -+ * paragraph) shall be included in all copies or substantial portions of the -+ * Software. -+ * -+ * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR -+ * IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, -+ * FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL -+ * THE AUTHORS AND/OR ITS SUPPLIERS BE LIABLE FOR ANY CLAIM, DAMAGES OR -+ * OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, -+ * ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR -+ * OTHER DEALINGS IN THE SOFTWARE. -+ */ -+#ifndef QXL_DRM_H -+#define QXL_DRM_H -+ -+#include -+#include "drm/drm.h" -+ -+/* Please note that modifications to all structs defined here are -+ * subject to backwards-compatibility constraints. -+ * -+ * Do not use pointers, use uint64_t instead for 32 bit / 64 bit user/kernel -+ * compatibility Keep fields aligned to their size -+ */ -+ -+#define QXL_GEM_DOMAIN_CPU 0 -+#define QXL_GEM_DOMAIN_VRAM 1 -+#define QXL_GEM_DOMAIN_SURFACE 2 -+ -+#define DRM_QXL_ALLOC 0x00 -+#define DRM_QXL_MAP 0x01 -+#define DRM_QXL_EXECBUFFER 0x02 -+#define DRM_QXL_UPDATE_AREA 0x03 -+#define DRM_QXL_GETPARAM 0x04 -+#define DRM_QXL_CLIENTCAP 0x05 -+ -+#define DRM_QXL_ALLOC_SURF 0x06 -+ -+struct drm_qxl_alloc { -+ uint32_t size; -+ uint32_t handle; /* 0 is an invalid handle */ -+}; -+ -+struct drm_qxl_map { -+ uint64_t offset; /* use for mmap system call */ -+ uint32_t handle; -+ uint32_t pad; -+}; -+ -+/* -+ * dest is the bo we are writing the relocation into -+ * src is bo we are relocating. -+ * *(dest_handle.base_addr + dest_offset) = physical_address(src_handle.addr + -+ * src_offset) -+ */ -+#define QXL_RELOC_TYPE_BO 1 -+#define QXL_RELOC_TYPE_SURF 2 -+ -+struct drm_qxl_reloc { -+ uint64_t src_offset; /* offset into src_handle or src buffer */ -+ uint64_t dst_offset; /* offset in dest handle */ -+ uint32_t src_handle; /* dest handle to compute address from */ -+ uint32_t dst_handle; /* 0 if to command buffer */ -+ uint32_t reloc_type; -+ uint32_t pad; -+}; -+ -+struct drm_qxl_command { -+ uint64_t __user command; /* void* */ -+ uint64_t __user relocs; /* struct drm_qxl_reloc* */ -+ uint32_t type; -+ uint32_t command_size; -+ uint32_t relocs_num; -+ uint32_t pad; -+}; -+ -+/* XXX: call it drm_qxl_commands? */ -+struct drm_qxl_execbuffer { -+ uint32_t flags; /* for future use */ -+ uint32_t commands_num; -+ uint64_t __user commands; /* struct drm_qxl_command* */ -+}; -+ -+struct drm_qxl_update_area { -+ uint32_t handle; -+ uint32_t top; -+ uint32_t left; -+ uint32_t bottom; -+ uint32_t right; -+ uint32_t pad; -+}; -+ -+#define QXL_PARAM_NUM_SURFACES 1 /* rom->n_surfaces */ -+#define QXL_PARAM_MAX_RELOCS 2 -+struct drm_qxl_getparam { -+ uint64_t param; -+ uint64_t value; -+}; -+ -+/* these are one bit values */ -+struct drm_qxl_clientcap { -+ uint32_t index; -+ uint32_t pad; -+}; -+ -+struct drm_qxl_alloc_surf { -+ uint32_t format; -+ uint32_t width; -+ uint32_t height; -+ int32_t stride; -+ uint32_t handle; -+ uint32_t pad; -+}; -+ -+#define DRM_IOCTL_QXL_ALLOC \ -+ DRM_IOWR(DRM_COMMAND_BASE + DRM_QXL_ALLOC, struct drm_qxl_alloc) -+ -+#define DRM_IOCTL_QXL_MAP \ -+ DRM_IOWR(DRM_COMMAND_BASE + DRM_QXL_MAP, struct drm_qxl_map) -+ -+#define DRM_IOCTL_QXL_EXECBUFFER \ -+ DRM_IOW(DRM_COMMAND_BASE + DRM_QXL_EXECBUFFER,\ -+ struct drm_qxl_execbuffer) -+ -+#define DRM_IOCTL_QXL_UPDATE_AREA \ -+ DRM_IOW(DRM_COMMAND_BASE + DRM_QXL_UPDATE_AREA,\ -+ struct drm_qxl_update_area) -+ -+#define DRM_IOCTL_QXL_GETPARAM \ -+ DRM_IOWR(DRM_COMMAND_BASE + DRM_QXL_GETPARAM,\ -+ struct drm_qxl_getparam) -+ -+#define DRM_IOCTL_QXL_CLIENTCAP \ -+ DRM_IOW(DRM_COMMAND_BASE + DRM_QXL_CLIENTCAP,\ -+ struct drm_qxl_clientcap) -+ -+#define DRM_IOCTL_QXL_ALLOC_SURF \ -+ DRM_IOWR(DRM_COMMAND_BASE + DRM_QXL_ALLOC_SURF,\ -+ struct drm_qxl_alloc_surf) -+ -+#endif --- -1.8.1.4 - diff --git a/drm-ttm-exports-for-qxl.patch b/drm-ttm-exports-for-qxl.patch deleted file mode 100644 index 6134b5119..000000000 --- a/drm-ttm-exports-for-qxl.patch +++ /dev/null @@ -1,86 +0,0 @@ -From b538d2921b8aaaa1d7abf1bf0ba3ab9330b0b0c8 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Tue, 22 Jan 2013 13:56:04 +1000 -Subject: [PATCH 1/2] ttm: export functions to allow qxl do its own iomapping - -qxl wants to use io mapping like i915 gem does, for now -just export the symbols so the driver can implement atomic -page maps using io mapping. - -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/ttm/ttm_bo_util.c | 13 +++++++++---- - include/drm/ttm/ttm_bo_driver.h | 4 ++++ - 2 files changed, 13 insertions(+), 4 deletions(-) - -diff --git a/drivers/gpu/drm/ttm/ttm_bo_util.c b/drivers/gpu/drm/ttm/ttm_bo_util.c -index 44420fc..aaf6f47 100644 ---- a/drivers/gpu/drm/ttm/ttm_bo_util.c -+++ b/drivers/gpu/drm/ttm/ttm_bo_util.c -@@ -86,6 +86,7 @@ int ttm_mem_io_lock(struct ttm_mem_type_manager *man, bool interruptible) - mutex_lock(&man->io_reserve_mutex); - return 0; - } -+EXPORT_SYMBOL(ttm_mem_io_lock); - - void ttm_mem_io_unlock(struct ttm_mem_type_manager *man) - { -@@ -94,6 +95,7 @@ void ttm_mem_io_unlock(struct ttm_mem_type_manager *man) - - mutex_unlock(&man->io_reserve_mutex); - } -+EXPORT_SYMBOL(ttm_mem_io_unlock); - - static int ttm_mem_io_evict(struct ttm_mem_type_manager *man) - { -@@ -111,8 +113,9 @@ static int ttm_mem_io_evict(struct ttm_mem_type_manager *man) - return 0; - } - --static int ttm_mem_io_reserve(struct ttm_bo_device *bdev, -- struct ttm_mem_reg *mem) -+ -+int ttm_mem_io_reserve(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem) - { - struct ttm_mem_type_manager *man = &bdev->man[mem->mem_type]; - int ret = 0; -@@ -134,9 +137,10 @@ retry: - } - return ret; - } -+EXPORT_SYMBOL(ttm_mem_io_reserve); - --static void ttm_mem_io_free(struct ttm_bo_device *bdev, -- struct ttm_mem_reg *mem) -+void ttm_mem_io_free(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem) - { - struct ttm_mem_type_manager *man = &bdev->man[mem->mem_type]; - -@@ -149,6 +153,7 @@ static void ttm_mem_io_free(struct ttm_bo_device *bdev, - bdev->driver->io_mem_free(bdev, mem); - - } -+EXPORT_SYMBOL(ttm_mem_io_free); - - int ttm_mem_io_reserve_vm(struct ttm_buffer_object *bo) - { -diff --git a/include/drm/ttm/ttm_bo_driver.h b/include/drm/ttm/ttm_bo_driver.h -index 0fbd046..9c8dca7 100644 ---- a/include/drm/ttm/ttm_bo_driver.h -+++ b/include/drm/ttm/ttm_bo_driver.h -@@ -902,6 +902,10 @@ extern void ttm_bo_unreserve_locked(struct ttm_buffer_object *bo); - * ttm_bo_util.c - */ - -+int ttm_mem_io_reserve(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem); -+void ttm_mem_io_free(struct ttm_bo_device *bdev, -+ struct ttm_mem_reg *mem); - /** - * ttm_bo_move_ttm - * --- -1.8.1.4 - diff --git a/forcedeth-dma-error-check.patch b/forcedeth-dma-error-check.patch deleted file mode 100644 index 563fe87e0..000000000 --- a/forcedeth-dma-error-check.patch +++ /dev/null @@ -1,134 +0,0 @@ -From e33f52b67b45dd95b973260c54c6ef207ee44f84 Mon Sep 17 00:00:00 2001 -From: Neil Horman -Date: Tue, 26 Mar 2013 14:36:56 -0400 -Subject: [PATCH] forcedeth: Do a dma_mapping_error check after - skb_frag_dma_map - -This backtrace was recently reported on a 3.9 kernel: - -Actual results: from syslog /var/log/messsages: -kernel: [17539.340285] ------------[ cut here ]------------ -kernel: [17539.341012] WARNING: at lib/dma-debug.c:937 check_unmap+0x493/0x960() -kernel: [17539.341012] Hardware name: MS-7125 -kernel: [17539.341012] forcedeth 0000:00:0a.0: DMA-API: device driver failed to -check map error[device address=0x0000000013c88000] [size=544 bytes] [mapped as -page] -kernel: [17539.341012] Modules linked in: fuse ebtable_nat ipt_MASQUERADE -nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_nat nf_nat_ipv6 -ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat -nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack -nf_conntrack bnep bluetooth rfkill ebtable_filter ebtables ip6table_filter -ip6_tables snd_hda_codec_hdmi snd_cmipci snd_mpu401_uart snd_hda_intel -snd_intel8x0 snd_opl3_lib snd_ac97_codec gameport snd_hda_codec snd_rawmidi -ac97_bus snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer snd -k8temp soundcore serio_raw i2c_nforce2 forcedeth ata_generic pata_acpi nouveau -video mxm_wmi wmi i2c_algo_bit drm_kms_helper ttm drm i2c_core sata_sil pata_amd -sata_nv uinput -kernel: [17539.341012] Pid: 17340, comm: sshd Not tainted -3.9.0-0.rc4.git0.1.fc19.i686.PAE #1 -kernel: [17539.341012] Call Trace: -kernel: [17539.341012] [] warn_slowpath_common+0x6c/0xa0 -kernel: [17539.341012] [] ? check_unmap+0x493/0x960 -kernel: [17539.341012] [] ? check_unmap+0x493/0x960 -kernel: [17539.341012] [] warn_slowpath_fmt+0x33/0x40 -kernel: [17539.341012] [] check_unmap+0x493/0x960 -kernel: [17539.341012] [] ? sched_clock_cpu+0xdf/0x150 -kernel: [17539.341012] [] debug_dma_unmap_page+0x67/0x70 -kernel: [17539.341012] [] nv_unmap_txskb.isra.32+0x92/0x100 - -Its pretty plainly the result of an skb fragment getting unmapped without having -its initial mapping operation checked for errors. This patch corrects that - -Signed-off-by: Neil Horman -CC: "David S. Miller" ---- - drivers/net/ethernet/nvidia/forcedeth.c | 41 ++++++++++++++++++++++++++++++++- - 1 file changed, 40 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/nvidia/forcedeth.c b/drivers/net/ethernet/nvidia/forcedeth.c -index b62262c..5ae1247 100644 ---- a/drivers/net/ethernet/nvidia/forcedeth.c -+++ b/drivers/net/ethernet/nvidia/forcedeth.c -@@ -2200,6 +2200,7 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) - struct ring_desc *start_tx; - struct ring_desc *prev_tx; - struct nv_skb_map *prev_tx_ctx; -+ struct nv_skb_map *tmp_tx_ctx = NULL, *start_tx_ctx = NULL; - unsigned long flags; - - /* add fragments to entries count */ -@@ -2261,12 +2262,31 @@ static netdev_tx_t nv_start_xmit(struct sk_buff *skb, struct net_device *dev) - do { - prev_tx = put_tx; - prev_tx_ctx = np->put_tx_ctx; -+ if (!start_tx_ctx) -+ start_tx_ctx = tmp_tx_ctx = np->put_tx_ctx; -+ - bcnt = (frag_size > NV_TX2_TSO_MAX_SIZE) ? NV_TX2_TSO_MAX_SIZE : frag_size; - np->put_tx_ctx->dma = skb_frag_dma_map( - &np->pci_dev->dev, - frag, offset, - bcnt, - DMA_TO_DEVICE); -+ if (dma_mapping_error(&np->pci_dev->dev, np->put_tx_ctx->dma)) { -+ -+ /* Unwind the mapped fragments */ -+ do { -+ nv_unmap_txskb(np, start_tx_ctx); -+ if (unlikely(tmp_tx_ctx++ == np->last_tx_ctx)) -+ tmp_tx_ctx = np->first_tx_ctx; -+ } while (tmp_tx_ctx != np->put_tx_ctx); -+ kfree_skb(skb); -+ np->put_tx_ctx = start_tx_ctx; -+ u64_stats_update_begin(&np->swstats_tx_syncp); -+ np->stat_tx_dropped++; -+ u64_stats_update_end(&np->swstats_tx_syncp); -+ return NETDEV_TX_OK; -+ } -+ - np->put_tx_ctx->dma_len = bcnt; - np->put_tx_ctx->dma_single = 0; - put_tx->buf = cpu_to_le32(np->put_tx_ctx->dma); -@@ -2327,7 +2347,8 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, - struct ring_desc_ex *start_tx; - struct ring_desc_ex *prev_tx; - struct nv_skb_map *prev_tx_ctx; -- struct nv_skb_map *start_tx_ctx; -+ struct nv_skb_map *start_tx_ctx = NULL; -+ struct nv_skb_map *tmp_tx_ctx = NULL; - unsigned long flags; - - /* add fragments to entries count */ -@@ -2392,11 +2413,29 @@ static netdev_tx_t nv_start_xmit_optimized(struct sk_buff *skb, - prev_tx = put_tx; - prev_tx_ctx = np->put_tx_ctx; - bcnt = (frag_size > NV_TX2_TSO_MAX_SIZE) ? NV_TX2_TSO_MAX_SIZE : frag_size; -+ if (!start_tx_ctx) -+ start_tx_ctx = tmp_tx_ctx = np->put_tx_ctx; - np->put_tx_ctx->dma = skb_frag_dma_map( - &np->pci_dev->dev, - frag, offset, - bcnt, - DMA_TO_DEVICE); -+ -+ if (dma_mapping_error(&np->pci_dev->dev, np->put_tx_ctx->dma)) { -+ -+ /* Unwind the mapped fragments */ -+ do { -+ nv_unmap_txskb(np, start_tx_ctx); -+ if (unlikely(tmp_tx_ctx++ == np->last_tx_ctx)) -+ tmp_tx_ctx = np->first_tx_ctx; -+ } while (tmp_tx_ctx != np->put_tx_ctx); -+ kfree_skb(skb); -+ np->put_tx_ctx = start_tx_ctx; -+ u64_stats_update_begin(&np->swstats_tx_syncp); -+ np->stat_tx_dropped++; -+ u64_stats_update_end(&np->swstats_tx_syncp); -+ return NETDEV_TX_OK; -+ } - np->put_tx_ctx->dma_len = bcnt; - np->put_tx_ctx->dma_single = 0; - put_tx->bufhigh = cpu_to_le32(dma_high(np->put_tx_ctx->dma)); --- -1.7.11.7 - diff --git a/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch b/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch deleted file mode 100644 index 8f6c41d28..000000000 --- a/ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch +++ /dev/null @@ -1,52 +0,0 @@ -From a963a37d384d71ad43b3e9e79d68d42fbe0901f3 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Wed, 26 Jun 2013 04:15:07 -0700 -Subject: [PATCH] ipv6: ip6_sk_dst_check() must not assume ipv6 dst - -It's possible to use AF_INET6 sockets and to connect to an IPv4 -destination. After this, socket dst cache is a pointer to a rtable, -not rt6_info. - -ip6_sk_dst_check() should check the socket dst cache is IPv6, or else -various corruptions/crashes can happen. - -Dave Jones can reproduce immediate crash with -trinity -q -l off -n -c sendmsg -c connect - -With help from Hannes Frederic Sowa - -Reported-by: Dave Jones -Reported-by: Hannes Frederic Sowa -Signed-off-by: Eric Dumazet -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_output.c | 8 +++++++- - 1 file changed, 7 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 95703ba..d5d20cd 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -821,11 +821,17 @@ static struct dst_entry *ip6_sk_dst_check(struct sock *sk, - const struct flowi6 *fl6) - { - struct ipv6_pinfo *np = inet6_sk(sk); -- struct rt6_info *rt = (struct rt6_info *)dst; -+ struct rt6_info *rt; - - if (!dst) - goto out; - -+ if (dst->ops->family != AF_INET6) { -+ dst_release(dst); -+ return NULL; -+ } -+ -+ rt = (struct rt6_info *)dst; - /* Yes, checking route validity in not connected - * case is not very simple. Take into account, - * that we do not support routing by source, TOS, --- -1.8.2.1 - diff --git a/kernel.spec b/kernel.spec index 397bbbd41..95da260a4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,19 +62,19 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 304 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 9 +%define base_sublevel 10 ## If this is a released kernel ## %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 1 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -639,9 +639,6 @@ Patch100: taint-vbox.patch Patch110: vmbugon-warnon.patch -Patch200: debug-bad-pte-dmi.patch -Patch201: debug-bad-pte-modules.patch - Patch390: defaults-acpi-video.patch Patch391: acpi-video-dos.patch Patch396: acpi-sony-nonvs-blacklist.patch @@ -668,11 +665,7 @@ Patch1000: devel-pekey-secure-boot-20130306.patch # DRM #atch1700: drm-edid-try-harder-to-fix-up-broken-headers.patch #Patch1800: drm-vgem.patch -Patch1700: drm-ttm-exports-for-qxl.patch Patch1701: drm-hotspot-cursor-backport.patch -Patch1702: drm-qxl-driver.patch -Patch1703: drm-qxl-3.10-rc7-diff.patch -Patch1704: drm-qxl-access-fix.patch Patch1705: drm-qxl-post-3.10-feature-fixes.patch Patch1706: drm-qxl-post-3.10-features-part-2.patch # nouveau + drm fixes @@ -712,10 +705,7 @@ Patch21000: arm-export-read_current_timer.patch Patch21001: arm-lpae-ax88796.patch # ARM omap -Patch21002: arm-omap-ehci-fix.patch Patch21003: arm-omap-load-tfp410.patch -# https://patchwork.kernel.org/patch/2414881/ -Patch21004: arm-omap-fixdrm.patch # ARM tegra Patch21005: arm-tegra-usb-no-reset-linux33.patch @@ -737,9 +727,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch -#rhbz 859282 -Patch21275: VMX-x86-handle-host-TSC-calibration-failure.patch - Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch @@ -749,9 +736,6 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch #rhbz 927469 Patch23006: fix-child-thread-introspection.patch -#rhbz 928024 -Patch23008: forcedeth-dma-error-check.patch - #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch @@ -767,27 +751,14 @@ Patch25032: cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 Patch25033: fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2851 rhbz 969515 971662 -Patch25035: block-do-not-pass-disk-names-as-format-strings.patch - #rhbz 954252 Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch -#CVE-2013-2164 rhbz 973100 973109 -Patch25038: cdrom-use-kzalloc-for-failing-hardware.patch - -#rhbz 967230 -Patch25043: vfio-Set-container-device-mode.patch -Patch25044: vfio-fix-crash-on-rmmod.patch - #rhbz 969644 Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 956732 -Patch25048: tulip-dma-debug-error.patch - Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch @@ -807,15 +778,9 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch -#CVE-2013-2234 rhbz 980995 981007 -Patch25058: af_key-fix-info-leaks-in-notify-messages.patch - #CVE-2013-1059 rhbz 977356 980341 Patch25059: ceph-fix.patch -#CVE-2013-2232 rhbz 981552 981564 -Patch25060: ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch - #rhbz 976789 980643 Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch @@ -1374,9 +1339,6 @@ ApplyPatch taint-vbox.patch ApplyPatch vmbugon-warnon.patch -ApplyPatch debug-bad-pte-dmi.patch -ApplyPatch debug-bad-pte-modules.patch - # Architecture patches # x86(-64) @@ -1385,11 +1347,9 @@ ApplyPatch debug-bad-pte-modules.patch # ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch -ApplyPatch arm-omap-ehci-fix.patch ApplyPatch arm-omap-load-tfp410.patch -ApplyPatch arm-omap-fixdrm.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch -ApplyPatch arm-tegra-fixclk.patch +#ApplyPatch arm-tegra-fixclk.patch # # bugfixes to drivers and filesystems @@ -1460,11 +1420,7 @@ ApplyPatch devel-pekey-secure-boot-20130306.patch # Assorted Virt Fixes # DRM core -ApplyPatch drm-ttm-exports-for-qxl.patch ApplyPatch drm-hotspot-cursor-backport.patch -ApplyPatch drm-qxl-driver.patch -ApplyPatch drm-qxl-3.10-rc7-diff.patch -ApplyPatch drm-qxl-access-fix.patch ApplyPatch drm-qxl-post-3.10-feature-fixes.patch ApplyPatch drm-qxl-post-3.10-features-part-2.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch @@ -1517,23 +1473,17 @@ ApplyPatch criu-no-expert.patch ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 856863 892599 -ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch -ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch - -#rhbz 859282 -ApplyPatch VMX-x86-handle-host-TSC-calibration-failure.patch +#ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch +#ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -#rhbz 928024 -ApplyPatch forcedeth-dma-error-check.patch - #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch # Needed for F19 gssproxy feature -ApplyPatch gssproxy-backport.patch +#ApplyPatch gssproxy-backport.patch #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -1544,27 +1494,14 @@ ApplyPatch cve-2013-2147-ciss-info-leak.patch #CVE-2013-2148 rhbz 971258 971261 ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch -#CVE-2013-2851 rhbz 969515 971662 -ApplyPatch block-do-not-pass-disk-names-as-format-strings.patch - #rhbz 954252 ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch -#CVE-2013-2164 rhbz 973100 973109 -ApplyPatch cdrom-use-kzalloc-for-failing-hardware.patch - -#rhbz 967230 -ApplyPatch vfio-Set-container-device-mode.patch -ApplyPatch vfio-fix-crash-on-rmmod.patch - #rhbz 969644 ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 956732 -ApplyPatch tulip-dma-debug-error.patch - ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch @@ -1583,17 +1520,11 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch -#CVE-2013-2234 rhbz 980995 981007 -ApplyPatch af_key-fix-info-leaks-in-notify-messages.patch - #CVE-2013-1059 rhbz 977356 980341 -ApplyPatch ceph-fix.patch - -#CVE-2013-2232 rhbz 981552 981564 -ApplyPatch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch +#ApplyPatch ceph-fix.patch #rhbz 976789 980643 -ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch +#ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch @@ -1624,6 +1555,9 @@ mkdir configs rm -f kernel-%{version}-*debug.config %endif +# FIXME: ARM needs fixing. +rm -f kernel*arm*.config + # now run oldconfig over all the config files for i in *.config do @@ -2420,6 +2354,35 @@ fi # and build. %changelog +* Wed Jul 17 2013 Dave Jones +- Rebase to 3.10.1 + dropped: + debug-bad-pte-dmi.patch + debug-bad-pte-modules.patch + arm-omap-ehci-fix.patch + arm-omap-fixdrm.patch + drm-ttm-exports-for-qxl.patch + drm-qxl-driver.patch + drm-qxl-3.10-rc7-diff.patch + drm-qxl-access-fix.patch + VMX-x86-handle-host-TSC-calibration-failure.patch + forcedeth-dma-error-check.patch + block-do-not-pass-disk-names-as-format-strings.patch + cdrom-use-kzalloc-for-failing-hardware.patch + vfio-Set-container-device-mode.patch + vfio-fix-crash-on-rmmod.patch + tulip-dma-debug-error.patch + af_key-fix-info-leaks-in-notify-messages.patch + ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch + needs fixing: + arm-tegra-fixclk.patch + cfg80211-mac80211-disconnect-on-suspend.patch + mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch + gssproxy-backport.patch + ceph-fix.patch + vhost-net-fix-use-after-free-in-vhost_net_flush.patch + ARM currently disabled, requires config changes. (See line 1558) + * Fri Jul 12 2013 Dave Jones - 3.9.9-304 - Disable LATENCYTOP/SCHEDSTATS in non-debug builds. diff --git a/sources b/sources index 372d198c3..c68e1b26a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -4348c9b6b2eb3144d601e87c19d5d909 linux-3.9.tar.xz -41f350c2fd6aa14414bf39f173a8e6a3 patch-3.9.9.xz +4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz +0e7f2a767ef3b3643856c96af3409af3 patch-3.10.1.xz diff --git a/tulip-dma-debug-error.patch b/tulip-dma-debug-error.patch deleted file mode 100644 index 0ac631f0d..000000000 --- a/tulip-dma-debug-error.patch +++ /dev/null @@ -1,32 +0,0 @@ -commit 2087ac1fc6fd9bbb1f7e16889e984e0af0510b4b -Author: Neil Horman -Date: Thu Jun 13 15:25:45 2013 -0400 - - tulip: Properly check dma mapping result - - Tulip throws an error when dma debugging is enabled, as it doesn't properly - check dma mapping results with dma_mapping_error() durring tx ring refills. - - Easy fix, just add it in, and drop the frame if the mapping is bad - - Signed-off-by: Neil Horman - CC: Grant Grundler - CC: "David S. Miller" - -diff --git a/drivers/net/ethernet/dec/tulip/interrupt.c b/drivers/net/ethernet/dec/tulip/interrupt.c -index 28a5e42..92306b3 100644 ---- a/drivers/net/ethernet/dec/tulip/interrupt.c -+++ b/drivers/net/ethernet/dec/tulip/interrupt.c -@@ -76,6 +76,12 @@ int tulip_refill_rx(struct net_device *dev) - - mapping = pci_map_single(tp->pdev, skb->data, PKT_BUF_SZ, - PCI_DMA_FROMDEVICE); -+ if (dma_mapping_error(&tp->pdev->dev, mapping)) { -+ dev_kfree_skb(skb); -+ tp->rx_buffers[entry].skb = NULL; -+ break; -+ } -+ - tp->rx_buffers[entry].mapping = mapping; - - tp->rx_ring[entry].buffer1 = cpu_to_le32(mapping); diff --git a/vfio-Set-container-device-mode.patch b/vfio-Set-container-device-mode.patch deleted file mode 100644 index 68e825a28..000000000 --- a/vfio-Set-container-device-mode.patch +++ /dev/null @@ -1,41 +0,0 @@ -From 664e9386bd05dbdfecfb28d6cf2fde983aabc65c Mon Sep 17 00:00:00 2001 -From: Alex Williamson -Date: Tue, 30 Apr 2013 15:42:28 -0600 -Subject: [PATCH] vfio: Set container device mode - -Minor 0 is the VFIO container device (/dev/vfio/vfio). On it's own -the container does not provide a user with any privileged access. It -only supports API version check and extension check ioctls. Only by -attaching a VFIO group to the container does it gain any access. Set -the mode of the container to allow access. - -Signed-off-by: Alex Williamson ---- - drivers/vfio/vfio.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c -index ac7423b..acb7121 100644 ---- a/drivers/vfio/vfio.c -+++ b/drivers/vfio/vfio.c -@@ -27,6 +27,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -1359,6 +1360,9 @@ static const struct file_operations vfio_device_fops = { - */ - static char *vfio_devnode(struct device *dev, umode_t *mode) - { -+ if (MINOR(dev->devt) == 0) -+ *mode = S_IRUGO | S_IWUGO; -+ - return kasprintf(GFP_KERNEL, "vfio/%s", dev_name(dev)); - } - --- -1.8.1.4 - diff --git a/vfio-fix-crash-on-rmmod.patch b/vfio-fix-crash-on-rmmod.patch deleted file mode 100644 index 9f89b4d36..000000000 --- a/vfio-fix-crash-on-rmmod.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 9a6aa279d3d17af73a029fa40654e92f4e75e8bb Mon Sep 17 00:00:00 2001 -From: Alexey Kardashevskiy -Date: Wed, 5 Jun 2013 08:54:16 -0600 -Subject: [PATCH] vfio: fix crash on rmmod - -devtmpfs_delete_node() calls devnode() callback with mode==NULL but -vfio still tries to write there. - -The patch fixes this. - -Signed-off-by: Alexey Kardashevskiy -Signed-off-by: Alex Williamson ---- - drivers/vfio/vfio.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/vfio/vfio.c b/drivers/vfio/vfio.c -index acb7121..6d78736 100644 ---- a/drivers/vfio/vfio.c -+++ b/drivers/vfio/vfio.c -@@ -1360,7 +1360,7 @@ static const struct file_operations vfio_device_fops = { - */ - static char *vfio_devnode(struct device *dev, umode_t *mode) - { -- if (MINOR(dev->devt) == 0) -+ if (mode && (MINOR(dev->devt) == 0)) - *mode = S_IRUGO | S_IWUGO; - - return kasprintf(GFP_KERNEL, "vfio/%s", dev_name(dev)); --- -1.8.1.4 - From 2d803e76c3712635e66b9466a6d8dab3361603b0 Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Wed, 17 Jul 2013 22:04:49 +0100 Subject: [PATCH 161/468] Re-enable ARM, Drop tegra subkernel as it's now multi-platform, Enable i.MX SoC support --- Makefile.config | 12 +-- config-arm-generic | 43 ++++++++++ config-arm-omap | 79 ------------------ config-armv7 | 185 +++++++++++++++++++++++++++++++++++++------ config-armv7-generic | 98 ++++++++++------------- config-armv7-lpae | 50 +++++++++--- config-armv7-tegra | 103 ------------------------ kernel.spec | 40 +++------- 8 files changed, 300 insertions(+), 310 deletions(-) create mode 100644 config-arm-generic delete mode 100644 config-arm-omap delete mode 100644 config-armv7-tegra diff --git a/Makefile.config b/Makefile.config index 69b12baa4..6e5e5473c 100644 --- a/Makefile.config +++ b/Makefile.config @@ -10,7 +10,6 @@ CONFIGFILES = \ $(CFG)-x86_64.config $(CFG)-x86_64-debug.config \ $(CFG)-s390x.config \ $(CFG)-armv7hl.config $(CFG)-armv7hl-lpae.config\ - $(CFG)-armv7hl-tegra.config \ $(CFG)-ppc.config $(CFG)-ppc-smp.config \ $(CFG)-ppc64.config $(CFG)-ppc64p7.config $(CFG)-ppc64-debug.config @@ -32,7 +31,10 @@ temp-generic: config-generic temp-debug-generic: config-generic cat config-generic config-debug > temp-debug-generic -temp-armv7-generic: config-armv7-generic temp-generic +temp-arm-generic: config-arm-generic temp-generic + perl merge.pl $^ > $@ + +temp-armv7-generic: config-armv7-generic temp-arm-generic perl merge.pl $^ > $@ temp-armv7: config-armv7 temp-armv7-generic @@ -41,9 +43,6 @@ temp-armv7: config-armv7 temp-armv7-generic temp-armv7-lpae: config-armv7-lpae temp-armv7-generic perl merge.pl $^ > $@ -temp-armv7-tegra: config-armv7-tegra temp-armv7-generic - perl merge.pl $^ > $@ - temp-x86-32: config-x86-32-generic config-x86-generic perl merge.pl $^ > $@ @@ -113,9 +112,6 @@ kernel-$(VERSION)-armv7hl.config: /dev/null temp-armv7 kernel-$(VERSION)-armv7hl-lpae.config: /dev/null temp-armv7-lpae perl merge.pl $^ arm > $@ -kernel-$(VERSION)-armv7hl-tegra.config: /dev/null temp-armv7-tegra - perl merge.pl $^ arm > $@ - kernel-$(VERSION)-ppc.config: /dev/null temp-powerpc32-generic perl merge.pl $^ powerpc > $@ diff --git a/config-arm-generic b/config-arm-generic new file mode 100644 index 000000000..efce65434 --- /dev/null +++ b/config-arm-generic @@ -0,0 +1,43 @@ +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +CONFIG_ARM_AMBA=y +CONFIG_ARM_ARCH_TIMER=y +# CONFIG_ARM_DT_BL_CPUFREQ is not set +CONFIG_ARM_GIC=y +# CONFIG_ASYMMETRIC_KEY_TYPE is not set +CONFIG_BACKLIGHT_PWM=m +# CONFIG_COMMON_CLK_DEBUG is not set +CONFIG_COMMON_CLK=y +CONFIG_DMA_OF=y +CONFIG_DTC=y +CONFIG_EARLY_PRINTK=y +CONFIG_ETHERNET=y +CONFIG_FB_SSD1307=m +CONFIG_GENERIC_GPIO=y +CONFIG_GPIOLIB=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_HW_PERF_EVENTS=y +# CONFIG_I2C_NOMADIK is not set +CONFIG_INPUT_PWM_BEEPER=m +# CONFIG_IRQ_DOMAIN_DEBUG is not set +# CONFIG_LEDS_RENESAS_TPU is not set +CONFIG_MMC_ARMMMCI=y +# CONFIG_MMC_SDHCI_PXAV2 is not set +# CONFIG_MMC_SDHCI_PXAV3 is not set +CONFIG_MMC=y +CONFIG_NFS_FS=y +CONFIG_NLS_ISO8859_1=y +CONFIG_NO_HZ=y +CONFIG_OF_DEVICE=y +CONFIG_OF_GPIO=y +CONFIG_OF_IRQ=y +# CONFIG_OF_SELFTEST is not set +CONFIG_OF=y +CONFIG_PERF_EVENTS=y +# CONFIG_PID_IN_CONTEXTIDR is not set +CONFIG_PWM=y +CONFIG_RCU_FANOUT_LEAF=16 +# CONFIG_RTC_DRV_SNVS is not set +CONFIG_SERIAL_AMBA_PL011_CONSOLE=y +CONFIG_SERIAL_AMBA_PL011=y + +# CONFIG_CRYPTO_TEST is not set diff --git a/config-arm-omap b/config-arm-omap deleted file mode 100644 index 877f7c16b..000000000 --- a/config-arm-omap +++ /dev/null @@ -1,79 +0,0 @@ -CONFIG_OMAP_PACKAGE_CBB=y -CONFIG_OMAP_PACKAGE_CBL=y -CONFIG_OMAP_PACKAGE_CBS=y - -# -# OMAP Board Type -# -CONFIG_MACH_CM_T35=y -CONFIG_MACH_CM_T3517=y -CONFIG_MACH_CRANEBOARD=y -CONFIG_MACH_DEVKIT8000=y -CONFIG_MACH_IGEP0020=y -CONFIG_MACH_IGEP0030=y -CONFIG_MACH_OMAP_GENERIC=y -CONFIG_MACH_OMAP_LDP=y -CONFIG_MACH_OMAP_ZOOM2=y -CONFIG_MACH_OMAP_ZOOM3=y -CONFIG_MACH_OMAP_3430SDP=y -CONFIG_MACH_OMAP_3630SDP=y -CONFIG_MACH_OMAP_4430SDP=y -CONFIG_MACH_OMAP3_BEAGLE=y -CONFIG_MACH_OMAP3_PANDORA=y -CONFIG_MACH_OMAP3_TOUCHBOOK=y -CONFIG_MACH_OMAP3_TORPEDO=y -CONFIG_MACH_OMAP3_WESTBRIDGE_AST_PNAND_HAL=y -CONFIG_MACH_OMAP3EVM=y -CONFIG_MACH_OMAP3517EVM=y -CONFIG_MACH_OMAP3530_LV_SOM=y -CONFIG_MACH_OMAP4_PANDA=y -CONFIG_MACH_OVERO=y -CONFIG_MACH_SBC3530=y -CONFIG_MACH_TI8148EVM=y -CONFIG_MACH_TI8168EVM=y -CONFIG_MACH_TOUCHBOOK=y -# CONFIG_MACH_NOKIA_RM680 is not set -# CONFIG_MACH_NOKIA_RX51 is not set - - -# CONFIG_OMAP3_SDRC_AC_TIMING is not set - - -# System MMU -CONFIG_SWP_EMULATE=y -# CONFIG_CPU_BPREDICT_DISABLE is not set -# CONFIG_THUMB2_KERNEL is not set -CONFIG_ZBOOT_ROM_TEXT=0x0 -CONFIG_ZBOOT_ROM_BSS=0x0 -CONFIG_BINFMT_MISC=m -CONFIG_CAN_PM_TRACE=y -CONFIG_PM_SLEEP_SMP=y -CONFIG_ARCH_HAS_OPP=y -CONFIG_PM_OPP=y - -# -# OMAP Hardware -# - -CONFIG_LEDS_PWM=m -CONFIG_LEDS_LP8788=m -CONFIG_MTD_ONENAND_OMAP2=y -CONFIG_MFD_LP8788=y -CONFIG_MFD_TPS65910=y -CONFIG_GPIO_TPS65910=y -CONFIG_REGULATOR_LP8788=y -CONFIG_REGULATOR_TPS65217=y -CONFIG_REGULATOR_TPS65910=y - -CONFIG_LCD_CLASS_DEVICE=m -CONFIG_BACKLIGHT_LCD_SUPPORT=y -CONFIG_BACKLIGHT_CLASS_DEVICE=m -CONFIG_BACKLIGHT_LP8788=m -CONFIG_BACKLIGHT_PWM=m -CONFIG_BACKLIGHT_PANDORA=m - -# CONFIG_USB_OTG_WHITELIST is not set -# CONFIG_USB_OTG_BLACKLIST_HUB is not set - -# CONFIG_USB_GADGET_OMAP is not set -# CONFIG_ISP1301_OMAP is not set diff --git a/config-armv7 b/config-armv7 index 15b707960..1bbb3d524 100644 --- a/config-armv7 +++ b/config-armv7 @@ -1,22 +1,20 @@ # ARM unified arch kernel -CONFIG_CPU_V7=y -# CONFIG_ARCH_MULTI_V4 is not set -# CONFIG_ARCH_MULTI_V4T is not set -# CONFIG_ARCH_MULTI_V6 is not set -CONFIG_ARCH_MULTI_V6_V7=y -CONFIG_ARCH_MULTI_V7=y -# This is V6 so we'll eventually support it in v5 unified kernels + # CONFIG_ARCH_BCM is not set CONFIG_ARCH_HIGHBANK=y CONFIG_ARCH_MVEBU=y -# CONFIG_ARCH_MXC is not set +CONFIG_ARCH_MXC=y CONFIG_ARCH_OMAP2PLUS=y CONFIG_ARCH_PICOXCELL=y +# CONFIG_ARCH_SIRF is not set CONFIG_ARCH_SOCFPGA=y +# CONFIG_PLAT_SPEAR is not set CONFIG_ARCH_SUNXI=y +CONFIG_ARCH_TEGRA=y +# CONFIG_ARCH_U8500 is not set CONFIG_ARCH_VEXPRESS_CA9X4=y -CONFIG_ARCH_VEXPRESS_DT=y -CONFIG_ARCH_VIRT=y +CONFIG_ARCH_VEXPRESS=y +# CONFIG_ARCH_VIRT is not set # CONFIG_ARCH_WM8850 is not set CONFIG_ARCH_ZYNQ=y @@ -26,6 +24,9 @@ CONFIG_ARCH_ZYNQ=y # CONFIG_VIRTIO_CONSOLE is not set # CONFIG_ARM_VIRT_EXT is not set +# Generic +CONFIG_REMOTEPROC=m + # highbank # 2013/04/19 - stability issues # CONFIG_CPU_IDLE_CALXEDA is not set @@ -71,6 +72,8 @@ CONFIG_MVEBU_CLK_GATING=y CONFIG_MMC_MVSDIO=m CONFIG_SPI_ORION=m CONFIG_USB_MV_UDC=m +CONFIG_MVEBU_MBUS=y +CONFIG_ARMADA_THERMAL=m # omap CONFIG_ARCH_OMAP2PLUS_TYPICAL=y @@ -207,7 +210,7 @@ CONFIG_MTD_NAND_OMAP2=y CONFIG_MTD_NAND_OMAP_PREFETCH=y CONFIG_MTD_NAND_OMAP_PREFETCH_DMA=y CONFIG_SPI_DAVINCI=m -CONFIG_SPI_OMAP24XX=y +CONFIG_SPI_OMAP24XX=m CONFIG_MFD_TI_SSP=m CONFIG_SPI_TI_SSP=m @@ -239,7 +242,7 @@ CONFIG_CRYPTO_DEV_OMAP_SHAM=m CONFIG_CRYPTO_DEV_OMAP_AES=m CONFIG_HW_RANDOM_OMAP=m -# CONFIG_DRM_TILCDC is not set +CONFIG_DRM_TILCDC=m CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_NUM_CRTCS=2 CONFIG_OMAP2_VRAM=y @@ -319,7 +322,7 @@ CONFIG_SND_SOC_TWL4030=m CONFIG_SND_SOC_TWL6040=m CONFIG_RADIO_WL128X=m -# CONFIG_OMAP_REMOTEPROC is not set +CONFIG_OMAP_REMOTEPROC=m # CONFIG_TIDSPBRIDGE is not set # CONFIG_TIDSPBRIDGE_MEMPOOL_SIZE=0x600000 @@ -374,13 +377,48 @@ CONFIG_PINCTRL_SUNXI=y # CONFIG_RTC_DRV_SUN4I=y # imx -# CONFIG_BACKLIGHT_PWM is not set -# CONFIG_DRM_IMX is not set -# CONFIG_DRM_IMX_FB_HELPER=m -# CONFIG_DRM_IMX_PARALLEL_DISPLAY=m -# CONFIG_DRM_IMX_IPUV3_CORE=m -# CONFIG_DRM_IMX_IPUV3=m -# CONFIG_VIDEO_CODA is not set +CONFIG_MXC_IRQ_PRIOR=y +# CONFIG_MXC_DEBUG_BOARD is not set +CONFIG_MACH_IMX51_DT=y +# CONFIG_MACH_MX51_BABBAGE is not set +# CONFIG_MACH_EUKREA_CPUIMX51SD is not set +CONFIG_SOC_IMX53=y +CONFIG_SOC_IMX6Q=y +CONFIG_PATA_IMX=m +CONFIG_NET_VENDOR_FREESCALE=y +CONFIG_FEC=m +CONFIG_KEYBOARD_IMX=m +CONFIG_SERIAL_IMX=y +CONFIG_SERIAL_IMX_CONSOLE=y +CONFIG_I2C_IMX=m +CONFIG_SPI_IMX=m +CONFIG_W1_MASTER_MXC=m +CONFIG_IMX2_WDT=m +# CONFIG_FB_MX3 is not set +CONFIG_SND_IMX_SOC=m +CONFIG_SND_SOC_IMX_SGTL5000=m +CONFIG_USB_EHCI_MXC=m +CONFIG_USB_IMX21_HCD=m +CONFIG_USB_MXS_PHY=m +CONFIG_MMC_SDHCI_ESDHC_IMX=m +CONFIG_MMC_MXC=m +CONFIG_SPI_MXS=m +CONFIG_RTC_DRV_IMXDI=m +CONFIG_RTC_DRV_MXC=m +# CONFIG_MX3_IPU is not set +# CONFIG_MX3_IPU_IRQS is not set +CONFIG_IMX_SDMA=m +CONFIG_IMX_DMA=m +# CONFIG_MXS_DMA is not set +CONFIG_PWM_IMX=m +CONFIG_BACKLIGHT_PWM=m +CONFIG_DRM_IMX=m +CONFIG_DRM_IMX_FB_HELPER=m +CONFIG_DRM_IMX_PARALLEL_DISPLAY=m +CONFIG_DRM_IMX_IPUV3_CORE=m +CONFIG_DRM_IMX_IPUV3=m +CONFIG_DRM_IMX_TVE=m +CONFIG_VIDEO_CODA=m CONFIG_INPUT_PWM_BEEPER=m CONFIG_INPUT_88PM80X_ONKEY=m @@ -395,8 +433,106 @@ CONFIG_CRYPTO_DEV_PICOXCELL=m CONFIG_HW_RANDOM_PICOXCELL=m # ST Ericsson -# CONFIG_I2C_NOMADIK is not set -# CONFIG_SENSORS_LIS3_I2C is not set +CONFIG_MACH_HREFV60=y +CONFIG_MACH_SNOWBALL=y +CONFIG_MACH_UX500_DT=y + +CONFIG_ABX500_CORE=y +CONFIG_UX500_DEBUG_UART=2 +CONFIG_AB8500_CORE=y +CONFIG_STE_DMA40=y +CONFIG_HSEM_U8500=m +CONFIG_PINCTRL_ABX500=y +CONFIG_PINCTRL_AB8500=y +CONFIG_I2C_NOMADIK=m +CONFIG_KEYBOARD_NOMADIK=m +CONFIG_DB8500_CPUFREQ_COOLING=m +CONFIG_DB8500_THERMAL=y +CONFIG_UX500_WATCHDOG=m +CONFIG_INPUT_AB8500_PONKEY=m +CONFIG_REGULATOR_AB8500=y +CONFIG_AB8500_USB=m +CONFIG_RTC_DRV_AB8500=m +CONFIG_PWM_AB8500=m +CONFIG_SND_SOC_UX500=m +CONFIG_SND_SOC_UX500_PLAT_DMA=m +CONFIG_SND_SOC_UX500_MACH_MOP500=m +CONFIG_CLKSRC_DBX500_PRCMU=y +CONFIG_CLKSRC_DBX500_PRCMU_SCHED_CLOCK=y +CONFIG_CRYPTO_DEV_UX500=m +CONFIG_CRYPTO_DEV_UX500_CRYP=m +CONFIG_CRYPTO_DEV_UX500_HASH=m +CONFIG_SENSORS_LIS3_I2C=m +CONFIG_AB8500_BM=y +CONFIG_AB8500_GPADC=y +CONFIG_SENSORS_AB8500=m +CONFIG_STE_MODEM_RPROC=m + +# tegra +CONFIG_ARCH_TEGRA_2x_SOC=y +CONFIG_ARCH_TEGRA_3x_SOC=y +# CONFIG_ARCH_TEGRA_114_SOC is not set + +CONFIG_SERIAL_TEGRA=y + +CONFIG_TEGRA_PCI=y +CONFIG_TEGRA_IOMMU_GART=y +CONFIG_TEGRA_IOMMU_SMMU=y +CONFIG_MMC_SDHCI_TEGRA=m + +CONFIG_I2C_TEGRA=m + +CONFIG_TEGRA_SYSTEM_DMA=y +CONFIG_TEGRA_EMC_SCALING_ENABLE=y +CONFIG_TEGRA_AHB=y +CONFIG_TEGRA20_APB_DMA=y +# CONFIG_SPI_TEGRA114 is not set +CONFIG_SPI_TEGRA20_SFLASH=m +CONFIG_SPI_TEGRA20_SLINK=m + +CONFIG_KEYBOARD_TEGRA=m +CONFIG_PINCTRL_TEGRA=y +CONFIG_PINCTRL_TEGRA20=y +CONFIG_PINCTRL_TEGRA30=y +CONFIG_USB_EHCI_TEGRA=y +CONFIG_RTC_DRV_TEGRA=y + +CONFIG_SND_SOC_TEGRA=m +CONFIG_SND_SOC_TEGRA_ALC5632=m +CONFIG_SND_SOC_TEGRA_WM8753=m +CONFIG_SND_SOC_TEGRA_WM8903=m +CONFIG_SND_SOC_TEGRA_WM9712=m +CONFIG_SND_SOC_TEGRA_TRIMSLICE=m +CONFIG_SND_SOC_TEGRA30_AHUB=m +CONFIG_SND_SOC_TEGRA30_I2S=m +CONFIG_SND_SOC_TEGRA20_AC97=m + +# AC100 (PAZ00) +CONFIG_MFD_NVEC=y +CONFIG_MFD_TPS80031=y +CONFIG_KEYBOARD_NVEC=y +CONFIG_SERIO_NVEC_PS2=y +CONFIG_NVEC_POWER=y +CONFIG_POWER_SUPPLY=y +CONFIG_NVEC_LEDS=y +CONFIG_NVEC_PAZ00=y +CONFIG_MFD_TPS6586X=y +CONFIG_GPIO_TPS6586X=y +CONFIG_REGULATOR_TPS6586X=m +CONFIG_RTC_DRV_TPS6586X=m + +CONFIG_PWM_TEGRA=m + +CONFIG_TEGRA_HOST1X=m +CONFIG_TEGRA_HOST1X_FIREWALL=y + +CONFIG_DRM_TEGRA=y +# CONFIG_DRM_TEGRA_STAGING is not set +# CONFIG_DRM_TEGRA_DEBUG is not set + +CONFIG_CRYPTO_DEV_TEGRA_AES=m + +CONFIG_LEDS_RENESAS_TPU=y # ZYNQ CONFIG_LATTICE_ECP3_CONFIG=m @@ -420,8 +556,6 @@ CONFIG_REGULATOR_FAN53555=m # CONFIG_REGULATOR_DUMMY is not set # CONFIG_REGULATOR_VIRTUAL_CONSUMER is not set # CONFIG_REGULATOR_USERSPACE_CONSUMER is not set -CONFIG_RFKILL_REGULATOR=m -CONFIG_REGULATOR_GPIO=m CONFIG_REGULATOR_AD5398=m CONFIG_REGULATOR_ISL6271A=m CONFIG_REGULATOR_MAX1586=m @@ -500,3 +634,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_POWER_RESET_QNAP is not set # CONFIG_POWER_RESET_RESTART is not set # CONFIG_OMAP2_DSS_DEBUG is not set +# CONFIG_DRM_TEGRA_DEBUG is not set +# CONFIG_CRYPTO_DEV_UX500_DEBUG is not set +# CONFIG_AB8500_DEBUG is not set diff --git a/config-armv7-generic b/config-armv7-generic index ab94a4bb6..897a7e3ee 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -2,6 +2,11 @@ # Generic ARM config options CONFIG_ARM=y +# CONFIG_ARCH_MULTI_V4 is not set +# CONFIG_ARCH_MULTI_V4T is not set +# CONFIG_ARCH_MULTI_V6 is not set +CONFIG_ARCH_MULTI_V7=y + CONFIG_CMDLINE="" CONFIG_HAVE_ARM_ARCH_TIMER=y CONFIG_HAVE_ARM_TWD=y @@ -9,10 +14,10 @@ CONFIG_AEABI=y CONFIG_VFP=y CONFIG_VFPv3=y CONFIG_NEON=y + CONFIG_ARM_UNWIND=y CONFIG_ARM_THUMB=y CONFIG_ARM_THUMBEE=y -CONFIG_ARM_GIC=y CONFIG_ARM_ASM_UNIFIED=y CONFIG_ARM_CPU_TOPOLOGY=y CONFIG_ARM_DMA_MEM_BUFFERABLE=y @@ -21,20 +26,16 @@ CONFIG_CACHE_L2X0=y CONFIG_CACHE_PL310=y CONFIG_HIGHPTE=y CONFIG_AUTO_ZRELADDR=y -CONFIG_EARLY_PRINTK=y CONFIG_ATAGS=y CONFIG_ATAGS_PROC=y CONFIG_ZBOOT_ROM_TEXT=0x0 CONFIG_ZBOOT_ROM_BSS=0x0 - CONFIG_XZ_DEC_ARMTHUMB=y -CONFIG_ARM_ARCH_TIMER=y CONFIG_ARCH_HAS_TICK_BROADCAST=y CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y +# CONFIG_MCPM is not set # CONFIG_OABI_COMPAT is not set -# CONFIG_FPE_NWFPE is not set -# CONFIG_FPE_FASTFPE is not set # CONFIG_APM_EMULATION is not set # CONFIG_CPU_ICACHE_DISABLE is not set # CONFIG_CPU_DCACHE_DISABLE is not set @@ -51,8 +52,9 @@ CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y # CONFIG_ARM_ERRATA_411920 is not set # Cortex-A8 CONFIG_ARM_ERRATA_430973=y -CONFIG_ARM_ERRATA_458693=y -CONFIG_ARM_ERRATA_460075=y +# The following two don't work with MP +# CONFIG_ARM_ERRATA_458693 is not set +# CONFIG_ARM_ERRATA_460075 is not set # Cortex-A9 CONFIG_ARM_ERRATA_643719=y CONFIG_ARM_ERRATA_720789=y @@ -69,6 +71,7 @@ CONFIG_ARM_ERRATA_775420=y # CONFIG_PL310_ERRATA_727915 is not set CONFIG_PL310_ERRATA_753970=y CONFIG_PL310_ERRATA_769419=y +CONFIG_PJ4B_ERRATA_4742=y # Cortex-A15 # CONFIG_ARM_ERRATA_798181 is not set @@ -83,7 +86,6 @@ CONFIG_SCHED_MC=y CONFIG_SCHED_SMT=y CONFIG_RCU_FANOUT=32 -CONFIG_RCU_FANOUT_LEAF=16 # 2013/04/19 - disable due to stability issues in 3.9 for the moment # CONFIG_CPU_IDLE is not set @@ -91,12 +93,11 @@ CONFIG_RCU_FANOUT_LEAF=16 # CONFIG_CPU_IDLE_GOV_MENU is not set # CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set +# CONFIG_ARM_BIG_LITTLE_CPUFREQ is not set + CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 CONFIG_LSM_MMAP_MIN_ADDR=32768 -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y - CONFIG_SECCOMP=y CONFIG_STRICT_DEVMEM=y @@ -109,7 +110,6 @@ CONFIG_SUSPEND=y CONFIG_ARM_CPU_SUSPEND=y CONFIG_LOCAL_TIMERS=y -CONFIG_HW_PERF_EVENTS=y CONFIG_UACCESS_WITH_MEMCPY=y CONFIG_CC_STACKPROTECTOR=y @@ -118,30 +118,19 @@ CONFIG_IP_PNP_DHCP=y CONFIG_IP_PNP_BOOTP=y # Root as NFS, different from mainline -CONFIG_NFS_FS=y CONFIG_ROOT_NFS=y CONFIG_NLS_CODEPAGE_437=y -CONFIG_NLS_ISO8859_1=y CONFIG_LBDAF=y -CONFIG_COMMON_CLK=y - # Device tree -CONFIG_DTC=y -CONFIG_OF=y CONFIG_USE_OF=y -CONFIG_OF_DEVICE=y -CONFIG_OF_IRQ=y -CONFIG_DMA_OF=y CONFIG_ARM_ATAG_DTB_COMPAT=y CONFIG_ARM_APPENDED_DTB=y CONFIG_PROC_DEVICETREE=y -# CONFIG_OF_SELFTEST is not set CONFIG_SERIAL_OF_PLATFORM=y CONFIG_OF_PCI=y CONFIG_OF_PCI_IRQ=y -CONFIG_OF_GPIO=y CONFIG_I2C_MUX_PINCTRL=m CONFIG_OF_MDIO=m @@ -149,21 +138,18 @@ CONFIG_OF_DISPLAY_TIMING=y CONFIG_OF_VIDEOMODE=y # General vexpress ARM drivers -CONFIG_ARM_AMBA=y CONFIG_ARM_TIMER_SP804=y CONFIG_SERIO_AMBAKMI=m CONFIG_SERIAL_AMBA_PL010=y CONFIG_SERIAL_AMBA_PL010_CONSOLE=y -CONFIG_SERIAL_AMBA_PL011=y -CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_SERIAL_8250_DW=y +CONFIG_SERIAL_MRST_MAX3110=m CONFIG_RTC_DRV_PL030=y CONFIG_RTC_DRV_PL031=y -# disable because it's currently broken on highbank :-/ -# CONFIG_PL330_DMA is not set +CONFIG_PL330_DMA=m CONFIG_AMBA_PL08X=y CONFIG_ARM_SP805_WATCHDOG=m CONFIG_I2C_VERSATILE=m @@ -183,10 +169,7 @@ CONFIG_SMC91X=m CONFIG_SMC911X=m CONFIG_SMSC911X=m CONFIG_USB_ISP1760_HCD=m -CONFIG_USB_CHIPIDEA=m -CONFIG_USB_CHIPIDEA_UDC=y -CONFIG_USB_CHIPIDEA_HOST=y -# CONFIG_USB_CHIPIDEA_DEBUG is not set +# CONFIG_USB_EHCI_HCD_ORION is not set # Multifunction Devices CONFIG_MFD_SYSCON=y @@ -207,8 +190,6 @@ CONFIG_PINCTRL_SINGLE=m # GPIO CONFIG_GPIO_GENERIC_PLATFORM=m CONFIG_EXTCON_GPIO=m -CONFIG_GENERIC_GPIO=y -CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y # CONFIG_GPIO_EM is not set CONFIG_GPIO_ADNP=m CONFIG_GPIO_MCP23S08=m @@ -219,15 +200,16 @@ CONFIG_INPUT_GPIO_TILT_POLLED=m CONFIG_MDIO_BUS_MUX_GPIO=m CONFIG_MDIO_BUS_MUX_MMIOREG=m CONFIG_LEDS_GPIO=m -CONFIG_GPIOLIB=y CONFIG_GPIO_MAX7301=m CONFIG_GPIO_MC33880=m CONFIG_GPIO_74X164=m CONFIG_GPIO_TPS65912=m +# CONFIG_GPIO_RCAR is not set CONFIG_W1_MASTER_GPIO=m CONFIG_CHARGER_GPIO=m CONFIG_SPI=y +CONFIG_SPI_MASTER=y CONFIG_SPI_GPIO=m CONFIG_SPI_BITBANG=m CONFIG_SPI_PL022=m @@ -242,6 +224,7 @@ CONFIG_SPI_XCOMM=m CONFIG_SPI_XILINX=m CONFIG_SPI_DESIGNWARE=m CONFIG_SPI_TLE62X0=m +# CONFIG_SPI_FSL_SPI is not set # HW crypto and rng CONFIG_CRYPTO_SHA1_ARM=m @@ -272,14 +255,12 @@ CONFIG_EEPROM_AT25=m CONFIG_EEPROM_93XX46=m # MMC/SD -CONFIG_MMC=y -CONFIG_MMC_ARMMMCI=y -CONFIG_MMC_SDHCI_PLTFM=m CONFIG_MMC_SPI=m CONFIG_MMC_DW=m CONFIG_MMC_DW_PLTFM=m CONFIG_MMC_DW_PCI=m CONFIG_SPI_DW_MMIO=m +CONFIG_SPI_DW_PCI=m # CONFIG_MMC_DW_EXYNOS is not set # CONFIG_MMC_DW_IDMAC is not set @@ -292,14 +273,11 @@ CONFIG_SND_DESIGNWARE_I2S=m CONFIG_SND_SIMPLE_CARD=m CONFIG_SND_SOC_CACHE_LZO=y CONFIG_SND_SOC_ALL_CODECS=m +CONFIG_SND_SOC_DMAENGINE_PCM=y +CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_ATMEL_SOC is not set # Displays -CONFIG_FB_SSD1307=m - -# PWM -CONFIG_PWM=y -CONFIG_BACKLIGHT_PWM=m # RTC CONFIG_RTC_DRV_M41T93=m @@ -352,6 +330,7 @@ CONFIG_SENSORS_GPIO_FAN=m CONFIG_LCD_L4F00242T03=m CONFIG_LCD_LMS283GF05=m CONFIG_LCD_LTV350QV=m +CONFIG_LCD_ILI922X=m CONFIG_LCD_ILI9320=m CONFIG_LCD_TDO24M=m CONFIG_LCD_VGG2432A4=m @@ -361,12 +340,11 @@ CONFIG_LCD_AMS369FG06=m CONFIG_LCD_LMS501KF03=m CONFIG_LCD_HX8357=m -CONFIG_INPUT_PWM_BEEPER=m +# Input CONFIG_INPUT_GP2A=m CONFIG_INPUT_ARIZONA_HAPTICS=m CONFIG_INPUT_MC13783_PWRBUTTON=m - CONFIG_TOUCHSCREEN_ADS7846=m CONFIG_TOUCHSCREEN_AD7877=m CONFIG_TOUCHSCREEN_MC13783=m @@ -376,6 +354,18 @@ CONFIG_LEDS_DAC124S085=m CONFIG_LEDS_PWM=m CONFIG_BMP085_SPI=m +# Display + +CONFIG_CMA=y +# CONFIG_CMA_DEBUG is not set +CONFIG_CMA_SIZE_MBYTES=16 +CONFIG_CMA_SIZE_SEL_MBYTES=y +# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set +# CONFIG_CMA_SIZE_SEL_MIN is not set +# CONFIG_CMA_SIZE_SEL_MAX is not set +CONFIG_CMA_ALIGNMENT=8 +CONFIG_CMA_AREAS=7 + # Ethernet CONFIG_KS8851=m CONFIG_ENC28J60=m @@ -410,27 +400,20 @@ CONFIG_UBIFS_FS_ZLIB=y # CONFIG_UBIFS_FS_DEBUG is not set # Should be in generic -CONFIG_ETHERNET=y CONFIG_BPF_JIT=y # CONFIG_NET_VENDOR_BROADCOM is not set # CONFIG_NET_VENDOR_CIRRUS is not set # CONFIG_NET_VENDOR_MICROCHIP is not set # CONFIG_PATA_PLATFORM is not set -CONFIG_PERF_EVENTS=y -# CONFIG_RTC_DRV_SNVS is not set # CONFIG_DRM_EXYNOS is not set # CONFIG_DRM_TILCDC is not set # CONFIG_DRM_IMX is not set -# CONFIG_MMC_SDHCI_PXAV3 is not set -# CONFIG_MMC_SDHCI_PXAV2 is not set # CONFIG_CS89x0 is not set # CONFIG_DM9000 is not set # CONFIG_HW_RANDOM_ATMEL is not set # CONFIG_HW_RANDOM_EXYNOS is not set -# CONFIG_I2C_NOMADIK is not set -# CONFIG_LEDS_RENESAS_TPU is not set # CONFIG_MFD_T7L66XB is not set # CONFIG_MFD_TC6387XB is not set # CONFIG_TI_DAC7512 is not set @@ -440,14 +423,16 @@ CONFIG_PERF_EVENTS=y # CONFIG_ARM_CHARLCD is not set # CONFIG_MTD_AFS_PARTS is not set # CONFIG_IP_PNP_RARP is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set -# CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set # CONFIG_LATTICE_ECP3_CONFIG is not set # CONFIG_M25PXX_USE_FAST_READ is not set # CONFIG_SERIAL_MAX3100 is not set # CONFIG_SERIAL_MAX310X is not set # CONFIG_SERIAL_IFX6X60 is not set +# CONFIG_COMMON_CLK_SI5351 is not set +# CONFIG_COMMON_CLK_AXI_CLKGEN is not set +# CONFIG_SPI_TOPCLIFF_PCH is not set +# CONFIG_SPI_PXA2XX is not set # these modules all fail with missing __bad_udelay # http://www.spinics.net/lists/arm/msg15615.html provides some background @@ -466,8 +451,7 @@ CONFIG_PERF_EVENTS=y # CONFIG_MLX4_EN is not set # Debug options. We need to deal with them at some point like x86 -# CONFIG_COMMON_CLK_DEBUG is not set # CONFIG_DEBUG_USER is not set # CONFIG_DEBUG_LL is not set -# CONFIG_IRQ_DOMAIN_DEBUG is not set # CONFIG_DEBUG_PINCTRL is not set +# CONFIG_ARM_DT_BL_CPUFREQ is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index 57d7d860e..f17b8616a 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -1,11 +1,12 @@ # ARM unified arch kernel -CONFIG_CPU_V7=y CONFIG_ARCH_EXYNOS=y CONFIG_ARCH_VIRT=y # CONFIG_ARCH_EXYNOS4 is not set CONFIG_ARCH_EXYNOS5=y +# CONFIG_EXYNOS_ATAGS is not set + CONFIG_ARM_LPAE=y CONFIG_VIRTIO_CONSOLE=m CONFIG_ARM_VIRT_EXT=y @@ -38,7 +39,10 @@ CONFIG_XEN_GNTDEV=y CONFIG_XEN_GRANT_DEV_ALLOC=m CONFIG_XEN_WDT=m -CONFIG_PL330_DMA=m +CONFIG_MACH_EXYNOS5_DT=y +CONFIG_SERIAL_SAMSUNG=y +CONFIG_SERIAL_SAMSUNG_CONSOLE=y +CONFIG_SERIAL_OF_PLATFORM=y CONFIG_S3C_BOOT_ERROR_RESET=y CONFIG_S3C_BOOT_UART_FORCE_FIFO=y CONFIG_S3C_LOWLEVEL_UART_PORT=0 @@ -49,9 +53,11 @@ CONFIG_S3C24XX_PWM=y # CONFIG_SAMSUNG_PM_CHECK is not set CONFIG_SOC_EXYNOS5250=y CONFIG_SOC_EXYNOS5440=y -CONFIG_MACH_EXYNOS5_DT=y CONFIG_ARM_EXYNOS_CPUFREQ=y -CONFIG_SERIAL_SAMSUNG=y +# CONFIG_GENERIC_CPUFREQ_CPU0 is not set +CONFIG_EXYNOS_THERMAL=m + +CONFIG_TCG_TIS_I2C_INFINEON=m CONFIG_I2C_S3C2410=m CONFIG_PINCTRL_EXYNOS=y CONFIG_PINCTRL_EXYNOS5440=y @@ -64,7 +70,7 @@ CONFIG_EXYNOS_VIDEO=y CONFIG_EXYNOS_MIPI_DSI=y CONFIG_EXYNOS_DP=y # CONFIG_EXYNOS_LCD_S6E8AX0 is not set -# CONFIG_DRM_EXYNOS is not set +CONFIG_DRM_EXYNOS=m CONFIG_DRM_EXYNOS_IOMMU=y CONFIG_DRM_EXYNOS_DMABUF=y CONFIG_DRM_EXYNOS_FIMD=y @@ -77,8 +83,12 @@ CONFIG_DRM_EXYNOS_ROTATOR=y CONFIG_DRM_EXYNOS_GSC=y # CONFIG_FB_S3C is not set CONFIG_SND_SOC_SAMSUNG=m -CONFIG_USB_EHCI_S5P=y +CONFIG_USB_EHCI_HCD=y +CONFIG_USB_EHCI_S5P=m CONFIG_USB_OHCI_EXYNOS=y +CONFIG_USB_DWC3=m +# CONFIG_USB_DWC3_DEBUG is not set +CONFIG_S3C_DEV_HSMMC=y CONFIG_MMC_SDHCI_S3C=m CONFIG_MMC_SDHCI_S3C_DMA=y CONFIG_RTC_DRV_S3C=m @@ -92,8 +102,26 @@ CONFIG_SENSORS_S3C_RAW=y CONFIG_FB_S3C_DEBUG_REGWRITE=y CONFIG_SND_SOC_SAMSUNG_SMDK_SPDIF=m CONFIG_USB_EHCI_S5P=y -CONFIG_SAMSUNG_USBPHY=y -CONFIG_MMC_DW=y -CONFIG_MMC_DW_PLTFM=y -CONFIG_MMC_DW_PCI=y -CONFIG_MMC_DW_EXYNOS=y +CONFIG_SAMSUNG_USBPHY=m +CONFIG_SAMSUNG_USB2PHY=m +CONFIG_SAMSUNG_USB3PHY=m +CONFIG_MMC_DW=m +CONFIG_MMC_DW_PLTFM=m +CONFIG_MMC_DW_PCI=m +CONFIG_MMC_DW_EXYNOS=m + +# Chromebook +CONFIG_MFD_CROS_EC=m +CONFIG_MFD_CROS_EC_I2C=m +CONFIG_MFD_CROS_EC_SPI=m +CONFIG_KEYBOARD_CROS_EC=m + +# Arndale/Origen +CONFIG_MFD_MAX8997=y +CONFIG_MFD_SEC_CORE=y +CONFIG_REGULATOR_MAX8997=m +CONFIG_REGULATOR_S5M8767=m +CONFIG_COMMON_CLK_MAX77686=m + +# CONFIG_EXYNOS4_SDHCI_CH0_8BIT is not set +# CONFIG_EXYNOS4_SDHCI_CH2_8BIT is not set diff --git a/config-armv7-tegra b/config-armv7-tegra deleted file mode 100644 index 67077459e..000000000 --- a/config-armv7-tegra +++ /dev/null @@ -1,103 +0,0 @@ -CONFIG_ARCH_TEGRA=y - -CONFIG_ARCH_TEGRA_2x_SOC=y -CONFIG_ARCH_TEGRA_3x_SOC=y -# CONFIG_ARCH_TEGRA_114_SOC is not set - -# CONFIG_NEON is not set -# These are supported in the LPAE kernel -# CONFIG_ARM_LPAE is not set -# CONFIG_XEN is not set -# CONFIG_VIRTIO_CONSOLE is not set -# CONFIG_ARM_VIRT_EXT is not set -# CONFIG_VIRTUALIZATION is not set - -CONFIG_TEGRA_PCI=y -CONFIG_TEGRA_IOMMU_GART=y -CONFIG_TEGRA_IOMMU_SMMU=y - -CONFIG_I2C_TEGRA=m - -# This block is temporary until we work out why the MMC modules don't work as modules -CONFIG_MMC=y -CONFIG_MMC_BLOCK=y -CONFIG_MMC_SDHCI=y -CONFIG_MMC_SDHCI_PLTFM=y -CONFIG_MMC_SDHCI_OF=y -CONFIG_MMC_SDHCI_TEGRA=y - -CONFIG_TEGRA_SYSTEM_DMA=y -CONFIG_TEGRA_EMC_SCALING_ENABLE=y -CONFIG_TEGRA_AHB=y -CONFIG_TEGRA20_APB_DMA=y -CONFIG_SPI_TEGRA20_SFLASH=m -CONFIG_SPI_TEGRA20_SLINK=m - -CONFIG_KEYBOARD_TEGRA=m -CONFIG_PINCTRL_TEGRA=y -CONFIG_PINCTRL_TEGRA20=y -CONFIG_PINCTRL_TEGRA30=y -CONFIG_USB_EHCI_TEGRA=y -CONFIG_RTC_DRV_TEGRA=y - -CONFIG_SND_SOC_TEGRA=m -CONFIG_SND_SOC_TEGRA_ALC5632=m -CONFIG_SND_SOC_TEGRA_WM8753=m -CONFIG_SND_SOC_TEGRA_WM8903=m -CONFIG_SND_SOC_TEGRA_WM9712=m -CONFIG_SND_SOC_TEGRA_TRIMSLICE=m -CONFIG_SND_SOC_TEGRA30_AHUB=m -CONFIG_SND_SOC_TEGRA30_I2S=m -CONFIG_SND_SOC_TEGRA20_AC97=m - -# AC100 (PAZ00) -CONFIG_MFD_NVEC=y -CONFIG_MFD_TPS80031=y -CONFIG_KEYBOARD_NVEC=y -CONFIG_SERIO_NVEC_PS2=y -CONFIG_NVEC_POWER=y -CONFIG_POWER_SUPPLY=y -CONFIG_NVEC_LEDS=y -CONFIG_NVEC_PAZ00=y -CONFIG_MFD_TPS6586X=y -CONFIG_GPIO_TPS6586X=y -CONFIG_REGULATOR_TPS6586X=m -CONFIG_RTC_DRV_TPS6586X=m - -# CONFIG_MFD_TPS6586X is not set -# CONFIG_RTC_DRV_TPS6586X is not set - -CONFIG_PWM_TEGRA=m - -CONFIG_CMA=y -# CONFIG_CMA_DEBUG is not set -CONFIG_CMA_SIZE_MBYTES=16 -CONFIG_CMA_SIZE_SEL_MBYTES=y -# CONFIG_CMA_SIZE_SEL_PERCENTAGE is not set -# CONFIG_CMA_SIZE_SEL_MIN is not set -# CONFIG_CMA_SIZE_SEL_MAX is not set -CONFIG_CMA_ALIGNMENT=8 -CONFIG_CMA_AREAS=7 - -CONFIG_DRM_TEGRA=m - -CONFIG_CRYPTO_DEV_TEGRA_AES=m - -CONFIG_LEDS_RENESAS_TPU=y - -CONFIG_OF=y -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_SERIAL_TEGRA=y -CONFIG_OF_GPIO=y -CONFIG_OF_PCI=y -CONFIG_OF_PCI_IRQ=y - -# CONFIG_DRM_TEGRA_DEBUG is not set -# CONFIG_TI_DAC7512 is not set -# CONFIG_SPI_TOPCLIFF_PCH is not set -# CONFIG_SPI_DW_PCI is not set -# CONFIG_SPI_PXA2XX is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set -# CONFIG_SGI_IOC4 is not set -# CONFIG_PINCTRL_EXYNOS is not set -# CONFIG_PINCTRL_EXYNOS5440 is not set diff --git a/kernel.spec b/kernel.spec index 95da260a4..d968f856b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -132,8 +132,6 @@ Summary: The Linux kernel %define with_bootwrapper %{?_without_bootwrapper: 0} %{?!_without_bootwrapper: 1} # Want to build a the vsdo directories installed %define with_vdso_install %{?_without_vdso_install: 0} %{?!_without_vdso_install: 1} -# kernel-tegra (only valid for arm) -%define with_tegra %{?_without_tegra: 0} %{?!_without_tegra: 1} # # Additional options for user-friendly one-off kernel building: # @@ -247,11 +245,6 @@ Summary: The Linux kernel %define with_pae 0 %endif -# kernel up (unified kernel target), unified LPAE, tegra are only built on armv7 hfp -%ifnarch armv7hl -%define with_tegra 0 -%endif - # if requested, only build base kernel %if %{with_baseonly} %define with_smp 0 @@ -477,6 +470,9 @@ Provides: kernel-highbank\ Provides: kernel-highbank-uname-r = %{KVERREL}%{?1:.%{1}}\ Provides: kernel-omap\ Provides: kernel-omap-uname-r = %{KVERREL}%{?1:.%{1}}\ +Provides: kernel-tegra\ +Provides: kernel-tegra-uname-r = %{KVERREL}%{?1:.%{1}}\ +Provides: kernel-omap\ Requires(pre): %{kernel_prereq}\ Requires(pre): %{initrd_prereq}\ Requires(pre): linux-firmware >= 20120206-0.1.git06c8f81\ @@ -573,10 +569,10 @@ Source54: config-powerpc64p7 Source70: config-s390x # Unified ARM kernels -Source100: config-armv7-generic -Source101: config-armv7 -Source102: config-armv7-lpae -Source103: config-armv7-tegra +Source100: config-arm-generic +Source101: config-armv7-generic +Source102: config-armv7 +Source103: config-armv7-lpae # This file is intentionally left empty in the stock kernel. Its a nicety # added for those wanting to do custom rebuilds with altered config opts. @@ -1080,12 +1076,6 @@ This variant of the kernel has numerous debugging options enabled. It should only be installed when trying to gather additional information on kernel bugs, as some of these options impact performance noticably. -%define variant_summary The Linux kernel compiled for tegra boards -%kernel_variant_package tegra -%description tegra -This package includes a version of the Linux kernel with support for -nvidia tegra based systems, i.e., trimslice, ac-100. - %prep # do a few sanity-checks for --with *only builds @@ -1555,9 +1545,6 @@ mkdir configs rm -f kernel-%{version}-*debug.config %endif -# FIXME: ARM needs fixing. -rm -f kernel*arm*.config - # now run oldconfig over all the config files for i in *.config do @@ -1881,10 +1868,6 @@ BuildKernel %make_target %kernel_image %{pae}debug BuildKernel %make_target %kernel_image %{pae} %endif -%if %{with_tegra} -BuildKernel %make_target %kernel_image tegra -%endif - %if %{with_up} BuildKernel %make_target %kernel_image %endif @@ -2202,9 +2185,6 @@ fi}\ %kernel_variant_preun debug %kernel_variant_post -v debug -%kernel_variant_preun tegra -%kernel_variant_post -v tegra - if [ -x /sbin/ldconfig ] then /sbin/ldconfig -X || exit $? @@ -2348,12 +2328,16 @@ fi %kernel_variant_files %{with_debug} debug %kernel_variant_files %{with_pae} %{pae} %kernel_variant_files %{with_pae_debug} %{pae}debug -%kernel_variant_files %{with_tegra} tegra # plz don't put in a version string unless you're going to tag # and build. %changelog +* Wed Jul 17 2013 Peter Robinson +- Re-enable ARM +- Drop tegra subkernel as it's now multi-platform +- Enable i.MX SoC support + * Wed Jul 17 2013 Dave Jones - Rebase to 3.10.1 dropped: From 96e94ca9a0ccf66fefcd47620fc5aa957c9744fe Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Wed, 17 Jul 2013 18:31:23 -0400 Subject: [PATCH 162/468] compile fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit kernel/modsign_uefi.c: In function ‘get_cert_list’: kernel/modsign_uefi.c:23:2: error: implicit declaration of function ‘kmalloc’ [-Werror=implicit-function-declaration] db = kmalloc(lsize, GFP_KERNEL); ^ kernel/modsign_uefi.c:23:5: warning: assignment makes pointer from integer without a cast [enabled by default] db = kmalloc(lsize, GFP_KERNEL); ^ kernel/modsign_uefi.c:31:3: error: implicit declaration of function ‘kfree’ [-Werror=implicit-function-declaration] kfree(db); ^ --- secure-boot-20130218.patch | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/secure-boot-20130218.patch b/secure-boot-20130218.patch index 29ac46cd9..9b5717350 100644 --- a/secure-boot-20130218.patch +++ b/secure-boot-20130218.patch @@ -713,12 +713,13 @@ new file mode 100644 index 0000000..b9237d7 --- /dev/null +++ b/kernel/modsign_uefi.c -@@ -0,0 +1,90 @@ +@@ -0,0 +1,91 @@ +#include +#include +#include +#include +#include ++#include +#include +#include "module-internal.h" + From 97317afeb2a0045111ad6f2d36f2dfbe180f13bb Mon Sep 17 00:00:00 2001 From: Peter Robinson Date: Thu, 18 Jul 2013 14:34:29 +0100 Subject: [PATCH 163/468] drop old ARM patches --- arm-tegra-fixclk.patch | 28 ---------------------------- arm-tegra-sdhci-module-fix.patch | 11 ----------- config-armv7-lpae | 2 +- kernel.spec | 3 +-- 4 files changed, 2 insertions(+), 42 deletions(-) delete mode 100644 arm-tegra-fixclk.patch delete mode 100644 arm-tegra-sdhci-module-fix.patch diff --git a/arm-tegra-fixclk.patch b/arm-tegra-fixclk.patch deleted file mode 100644 index df0991293..000000000 --- a/arm-tegra-fixclk.patch +++ /dev/null @@ -1,28 +0,0 @@ -diff --git a/drivers/clk/tegra/clk-periph.c b/drivers/clk/tegra/clk-periph.c -index 788486e..2f4d0e3 100644 ---- a/drivers/clk/tegra/clk-periph.c -+++ b/drivers/clk/tegra/clk-periph.c -@@ -18,6 +18,7 @@ - #include - #include - #include -+#include - - #include "clk.h" - -@@ -128,6 +129,7 @@ void tegra_periph_reset_deassert(struct clk *c) - - tegra_periph_reset(gate, 0); - } -+EXPORT_SYMBOL_GPL(tegra_periph_reset_deassert); - - void tegra_periph_reset_assert(struct clk *c) - { -@@ -147,6 +149,7 @@ void tegra_periph_reset_assert(struct clk *c) - - tegra_periph_reset(gate, 1); - } -+EXPORT_SYMBOL_GPL(tegra_periph_reset_assert); - - const struct clk_ops tegra_clk_periph_ops = { - .get_parent = clk_periph_get_parent, diff --git a/arm-tegra-sdhci-module-fix.patch b/arm-tegra-sdhci-module-fix.patch deleted file mode 100644 index 24ba278ed..000000000 --- a/arm-tegra-sdhci-module-fix.patch +++ /dev/null @@ -1,11 +0,0 @@ ---- linux-3.5.0-0.rc0.git3.1.fc18.armv7hl/drivers/mmc/host/sdhci-tegra.c.orig 2012-05-23 06:59:19.797302757 -0500 -+++ linux-3.5.0-0.rc0.git3.1.fc18.armv7hl/drivers/mmc/host/sdhci-tegra.c 2012-05-22 15:26:07.154823359 -0500 -@@ -190,7 +190,7 @@ - #endif - {} - }; --MODULE_DEVICE_TABLE(of, sdhci_dt_ids); -+MODULE_DEVICE_TABLE(of, sdhci_tegra_dt_match); - - static struct tegra_sdhci_platform_data * __devinit sdhci_tegra_dt_parse_pdata( - struct platform_device *pdev) diff --git a/config-armv7-lpae b/config-armv7-lpae index f17b8616a..a7db64919 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -76,7 +76,7 @@ CONFIG_DRM_EXYNOS_DMABUF=y CONFIG_DRM_EXYNOS_FIMD=y CONFIG_DRM_EXYNOS_HDMI=y CONFIG_DRM_EXYNOS_VIDI=y -CONFIG_DRM_EXYNOS_G2D=y +# CONFIG_DRM_EXYNOS_G2D is not set CONFIG_DRM_EXYNOS_IPP=y CONFIG_DRM_EXYNOS_FIMC=y CONFIG_DRM_EXYNOS_ROTATOR=y diff --git a/kernel.spec b/kernel.spec index d968f856b..cc69c324d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -705,7 +705,6 @@ Patch21003: arm-omap-load-tfp410.patch # ARM tegra Patch21005: arm-tegra-usb-no-reset-linux33.patch -Patch21006: arm-tegra-fixclk.patch #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -1339,7 +1338,6 @@ ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch ApplyPatch arm-omap-load-tfp410.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch -#ApplyPatch arm-tegra-fixclk.patch # # bugfixes to drivers and filesystems @@ -2337,6 +2335,7 @@ fi - Re-enable ARM - Drop tegra subkernel as it's now multi-platform - Enable i.MX SoC support +- Drop old ARM patches * Wed Jul 17 2013 Dave Jones - Rebase to 3.10.1 From 20c2282be62cbf871b1f1b32d2ce0bd396c7c8b3 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Thu, 18 Jul 2013 18:12:20 -0400 Subject: [PATCH 164/468] post rebase fixups --- ceph-fix.patch | 24 - cfg80211-mac80211-disconnect-on-suspend.patch | 219 -- gssproxy-backport.patch | 3058 ----------------- kernel.spec | 25 +- ...ieee80211_do_stop_while_suspend_v3.9.patch | 73 - ...ix-use-after-free-in-vhost_net_flush.patch | 102 +- 6 files changed, 41 insertions(+), 3460 deletions(-) delete mode 100644 ceph-fix.patch delete mode 100644 cfg80211-mac80211-disconnect-on-suspend.patch delete mode 100644 gssproxy-backport.patch delete mode 100644 mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch diff --git a/ceph-fix.patch b/ceph-fix.patch deleted file mode 100644 index 6515e758d..000000000 --- a/ceph-fix.patch +++ /dev/null @@ -1,24 +0,0 @@ -diff --git a/net/ceph/auth_none.c b/net/ceph/auth_none.c -index 925ca58..0ef2458 100644 ---- a/net/ceph/auth_none.c -+++ b/net/ceph/auth_none.c -@@ -39,6 +39,11 @@ static int should_authenticate(struct ceph_auth_client *ac) - return xi->starting; - } - -+static int build_request(struct ceph_auth_client *ac, void *buf, void *end) -+{ -+ return 0; -+} -+ - /* - * the generic auth code decode the global_id, and we carry no actual - * authenticate state, so nothing happens here. -@@ -106,6 +111,7 @@ static const struct ceph_auth_client_ops ceph_auth_none_ops = { - .destroy = destroy, - .is_authenticated = is_authenticated, - .should_authenticate = should_authenticate, -+ .build_request = build_request, - .handle_reply = handle_reply, - .create_authorizer = ceph_auth_none_create_authorizer, - .destroy_authorizer = ceph_auth_none_destroy_authorizer, diff --git a/cfg80211-mac80211-disconnect-on-suspend.patch b/cfg80211-mac80211-disconnect-on-suspend.patch deleted file mode 100644 index b3180fb54..000000000 --- a/cfg80211-mac80211-disconnect-on-suspend.patch +++ /dev/null @@ -1,219 +0,0 @@ -From 8125696991194aacb1173b6e8196d19098b44e17 Mon Sep 17 00:00:00 2001 -From: Stanislaw Gruszka -Date: Thu, 28 Feb 2013 09:55:25 +0000 -Subject: cfg80211/mac80211: disconnect on suspend - -If possible that after suspend, cfg80211 will receive request to -disconnect what require action on interface that was removed during -suspend. - -Problem can manifest itself by various warnings similar to below one: - -WARNING: at net/mac80211/driver-ops.h:12 ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211]() -wlan0: Failed check-sdata-in-driver check, flags: 0x4 -Call Trace: - [] warn_slowpath_fmt+0x33/0x40 - [] ieee80211_bss_info_change_notify+0x2f9/0x300 [mac80211] - [] ieee80211_recalc_ps_vif+0x2a/0x30 [mac80211] - [] ieee80211_set_disassoc+0xf6/0x500 [mac80211] - [] ieee80211_mgd_deauth+0x1f1/0x280 [mac80211] - [] ieee80211_deauth+0x16/0x20 [mac80211] - [] cfg80211_mlme_down+0x70/0xc0 [cfg80211] - [] __cfg80211_disconnect+0x1b1/0x1d0 [cfg80211] - -To fix the problem disconnect from any associated network before -suspend. User space is responsible to establish connection again -after resume. This basically need to be done by user space anyway, -because associated stations can go away during suspend (for example -NetworkManager disconnects on suspend and connect on resume by default). - -Patch also handle situation when driver refuse to suspend with wowlan -configured and try to suspend again without it. - -Signed-off-by: Stanislaw Gruszka -Signed-off-by: Johannes Berg ---- -diff --git a/net/mac80211/pm.c b/net/mac80211/pm.c -index d0275f3..4d105c7 100644 ---- a/net/mac80211/pm.c -+++ b/net/mac80211/pm.c -@@ -93,7 +93,7 @@ int __ieee80211_suspend(struct ieee80211_hw *hw, struct cfg80211_wowlan *wowlan) - return err; - } else if (err > 0) { - WARN_ON(err != 1); -- local->wowlan = false; -+ return err; - } else { - list_for_each_entry(sdata, &local->interfaces, list) - if (ieee80211_sdata_running(sdata)) -diff --git a/net/wireless/core.c b/net/wireless/core.c -index ea4155f..f382cae 100644 ---- a/net/wireless/core.c -+++ b/net/wireless/core.c -@@ -814,6 +814,46 @@ void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, - rdev->num_running_monitor_ifaces += num; - } - -+void cfg80211_leave(struct cfg80211_registered_device *rdev, -+ struct wireless_dev *wdev) -+{ -+ struct net_device *dev = wdev->netdev; -+ -+ switch (wdev->iftype) { -+ case NL80211_IFTYPE_ADHOC: -+ cfg80211_leave_ibss(rdev, dev, true); -+ break; -+ case NL80211_IFTYPE_P2P_CLIENT: -+ case NL80211_IFTYPE_STATION: -+ mutex_lock(&rdev->sched_scan_mtx); -+ __cfg80211_stop_sched_scan(rdev, false); -+ mutex_unlock(&rdev->sched_scan_mtx); -+ -+ wdev_lock(wdev); -+#ifdef CONFIG_CFG80211_WEXT -+ kfree(wdev->wext.ie); -+ wdev->wext.ie = NULL; -+ wdev->wext.ie_len = 0; -+ wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; -+#endif -+ __cfg80211_disconnect(rdev, dev, -+ WLAN_REASON_DEAUTH_LEAVING, true); -+ cfg80211_mlme_down(rdev, dev); -+ wdev_unlock(wdev); -+ break; -+ case NL80211_IFTYPE_MESH_POINT: -+ cfg80211_leave_mesh(rdev, dev); -+ break; -+ case NL80211_IFTYPE_AP: -+ cfg80211_stop_ap(rdev, dev); -+ break; -+ default: -+ break; -+ } -+ -+ wdev->beacon_interval = 0; -+} -+ - static int cfg80211_netdev_notifier_call(struct notifier_block *nb, - unsigned long state, - void *ndev) -@@ -882,38 +922,7 @@ static int cfg80211_netdev_notifier_call(struct notifier_block *nb, - dev->priv_flags |= IFF_DONT_BRIDGE; - break; - case NETDEV_GOING_DOWN: -- switch (wdev->iftype) { -- case NL80211_IFTYPE_ADHOC: -- cfg80211_leave_ibss(rdev, dev, true); -- break; -- case NL80211_IFTYPE_P2P_CLIENT: -- case NL80211_IFTYPE_STATION: -- mutex_lock(&rdev->sched_scan_mtx); -- __cfg80211_stop_sched_scan(rdev, false); -- mutex_unlock(&rdev->sched_scan_mtx); -- -- wdev_lock(wdev); --#ifdef CONFIG_CFG80211_WEXT -- kfree(wdev->wext.ie); -- wdev->wext.ie = NULL; -- wdev->wext.ie_len = 0; -- wdev->wext.connect.auth_type = NL80211_AUTHTYPE_AUTOMATIC; --#endif -- __cfg80211_disconnect(rdev, dev, -- WLAN_REASON_DEAUTH_LEAVING, true); -- cfg80211_mlme_down(rdev, dev); -- wdev_unlock(wdev); -- break; -- case NL80211_IFTYPE_MESH_POINT: -- cfg80211_leave_mesh(rdev, dev); -- break; -- case NL80211_IFTYPE_AP: -- cfg80211_stop_ap(rdev, dev); -- break; -- default: -- break; -- } -- wdev->beacon_interval = 0; -+ cfg80211_leave(rdev, wdev); - break; - case NETDEV_DOWN: - cfg80211_update_iface_num(rdev, wdev->iftype, -1); -diff --git a/net/wireless/core.h b/net/wireless/core.h -index 9a2be8d..d5d06fd 100644 ---- a/net/wireless/core.h -+++ b/net/wireless/core.h -@@ -503,6 +503,9 @@ int cfg80211_validate_beacon_int(struct cfg80211_registered_device *rdev, - void cfg80211_update_iface_num(struct cfg80211_registered_device *rdev, - enum nl80211_iftype iftype, int num); - -+void cfg80211_leave(struct cfg80211_registered_device *rdev, -+ struct wireless_dev *wdev); -+ - void cfg80211_stop_p2p_device(struct cfg80211_registered_device *rdev, - struct wireless_dev *wdev); - -diff --git a/net/wireless/rdev-ops.h b/net/wireless/rdev-ops.h -index 8c8b26f..d77e1c1 100644 ---- a/net/wireless/rdev-ops.h -+++ b/net/wireless/rdev-ops.h -@@ -6,11 +6,12 @@ - #include "core.h" - #include "trace.h" - --static inline int rdev_suspend(struct cfg80211_registered_device *rdev) -+static inline int rdev_suspend(struct cfg80211_registered_device *rdev, -+ struct cfg80211_wowlan *wowlan) - { - int ret; -- trace_rdev_suspend(&rdev->wiphy, rdev->wowlan); -- ret = rdev->ops->suspend(&rdev->wiphy, rdev->wowlan); -+ trace_rdev_suspend(&rdev->wiphy, wowlan); -+ ret = rdev->ops->suspend(&rdev->wiphy, wowlan); - trace_rdev_return_int(&rdev->wiphy, ret); - return ret; - } -diff --git a/net/wireless/sysfs.c b/net/wireless/sysfs.c -index 238ee49..8f28b9f 100644 ---- a/net/wireless/sysfs.c -+++ b/net/wireless/sysfs.c -@@ -83,6 +83,14 @@ static int wiphy_uevent(struct device *dev, struct kobj_uevent_env *env) - return 0; - } - -+static void cfg80211_leave_all(struct cfg80211_registered_device *rdev) -+{ -+ struct wireless_dev *wdev; -+ -+ list_for_each_entry(wdev, &rdev->wdev_list, list) -+ cfg80211_leave(rdev, wdev); -+} -+ - static int wiphy_suspend(struct device *dev, pm_message_t state) - { - struct cfg80211_registered_device *rdev = dev_to_rdev(dev); -@@ -90,12 +98,19 @@ static int wiphy_suspend(struct device *dev, pm_message_t state) - - rdev->suspend_at = get_seconds(); - -- if (rdev->ops->suspend) { -- rtnl_lock(); -- if (rdev->wiphy.registered) -- ret = rdev_suspend(rdev); -- rtnl_unlock(); -+ rtnl_lock(); -+ if (rdev->wiphy.registered) { -+ if (!rdev->wowlan) -+ cfg80211_leave_all(rdev); -+ if (rdev->ops->suspend) -+ ret = rdev_suspend(rdev, rdev->wowlan); -+ if (ret == 1) { -+ /* Driver refuse to configure wowlan */ -+ cfg80211_leave_all(rdev); -+ ret = rdev_suspend(rdev, NULL); -+ } - } -+ rtnl_unlock(); - - return ret; - } --- -cgit v0.9.1 diff --git a/gssproxy-backport.patch b/gssproxy-backport.patch deleted file mode 100644 index 17640009c..000000000 --- a/gssproxy-backport.patch +++ /dev/null @@ -1,3058 +0,0 @@ -From 7e5eee0a24ea886a0b68a8521117c5ef97668443 Mon Sep 17 00:00:00 2001 -From: Trond Myklebust -Date: Sun, 14 Apr 2013 11:42:00 -0400 -Subject: [PATCH 01/16] SUNRPC: Allow rpc_create() to request that TCP slots be - unlimited - -This is mainly for use by NFSv4.1, where the session negotiation -ultimately wants to decide how many RPC slots we can fill. - -Signed-off-by: Trond Myklebust ---- - include/linux/sunrpc/clnt.h | 1 + - include/linux/sunrpc/xprt.h | 3 +++ - net/sunrpc/clnt.c | 2 ++ - net/sunrpc/xprtsock.c | 6 +++++- - 4 files changed, 11 insertions(+), 1 deletion(-) - -diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h -index 2cf4ffa..e7d492c 100644 ---- a/include/linux/sunrpc/clnt.h -+++ b/include/linux/sunrpc/clnt.h -@@ -124,6 +124,7 @@ struct rpc_create_args { - #define RPC_CLNT_CREATE_NOPING (1UL << 4) - #define RPC_CLNT_CREATE_DISCRTRY (1UL << 5) - #define RPC_CLNT_CREATE_QUIET (1UL << 6) -+#define RPC_CLNT_CREATE_INFINITE_SLOTS (1UL << 7) - - struct rpc_clnt *rpc_create(struct rpc_create_args *args); - struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *, -diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h -index 30834be..12afb29 100644 ---- a/include/linux/sunrpc/xprt.h -+++ b/include/linux/sunrpc/xprt.h -@@ -255,6 +255,8 @@ static inline int bc_prealloc(struct rpc_rqst *req) - } - #endif /* CONFIG_SUNRPC_BACKCHANNEL */ - -+#define XPRT_CREATE_INFINITE_SLOTS (1U) -+ - struct xprt_create { - int ident; /* XPRT_TRANSPORT identifier */ - struct net * net; -@@ -263,6 +265,7 @@ struct xprt_create { - size_t addrlen; - const char *servername; - struct svc_xprt *bc_xprt; /* NFSv4.1 backchannel */ -+ unsigned int flags; - }; - - struct xprt_class { -diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c -index d5f35f1..54b69fc 100644 ---- a/net/sunrpc/clnt.c -+++ b/net/sunrpc/clnt.c -@@ -411,6 +411,8 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) - }; - char servername[48]; - -+ if (args->flags & RPC_CLNT_CREATE_INFINITE_SLOTS) -+ xprtargs.flags |= XPRT_CREATE_INFINITE_SLOTS; - /* - * If the caller chooses not to specify a hostname, whip - * up a string representation of the passed-in address. -diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c -index 3d02130..b08d314 100644 ---- a/net/sunrpc/xprtsock.c -+++ b/net/sunrpc/xprtsock.c -@@ -2767,9 +2767,13 @@ static struct rpc_xprt *xs_setup_tcp(struct xprt_create *args) - struct rpc_xprt *xprt; - struct sock_xprt *transport; - struct rpc_xprt *ret; -+ unsigned int max_slot_table_size = xprt_max_tcp_slot_table_entries; -+ -+ if (args->flags & XPRT_CREATE_INFINITE_SLOTS) -+ max_slot_table_size = RPC_MAX_SLOT_TABLE_LIMIT; - - xprt = xs_setup_xprt(args, xprt_tcp_slot_table_entries, -- xprt_max_tcp_slot_table_entries); -+ max_slot_table_size); - if (IS_ERR(xprt)) - return xprt; - transport = container_of(xprt, struct sock_xprt, xprt); --- -1.8.1.4 - - -From 932c7301413eb94f7b60efaa1a80cb8cf0264459 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Thu, 21 Feb 2013 10:14:22 -0500 -Subject: [PATCH 02/16] SUNRPC: attempt AF_LOCAL connect on setup - -In the gss-proxy case, setup time is when I know I'll have the right -namespace for the connect. - -In other cases, it might be useful to get any connection errors -earlier--though actually in practice it doesn't make any difference for -rpcbind. - -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/xprtsock.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c -index b08d314..867ce36 100644 ---- a/net/sunrpc/xprtsock.c -+++ b/net/sunrpc/xprtsock.c -@@ -2655,6 +2655,9 @@ static struct rpc_xprt *xs_setup_local(struct xprt_create *args) - } - xprt_set_bound(xprt); - xs_format_peer_addresses(xprt, "local", RPCBIND_NETID_LOCAL); -+ ret = ERR_PTR(xs_local_setup_socket(transport)); -+ if (ret) -+ goto out_err; - break; - default: - ret = ERR_PTR(-EAFNOSUPPORT); --- -1.8.1.4 - - -From 915d3592cc8718cc3e83164bb78c532d3a7d1f00 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Thu, 11 Apr 2013 15:06:36 -0400 -Subject: [PATCH 03/16] SUNRPC: allow disabling idle timeout - -In the gss-proxy case we don't want to have to reconnect at random--we -want to connect only on gss-proxy startup when we can steal gss-proxy's -context to do the connect in the right namespace. - -So, provide a flag that allows the rpc_create caller to turn off the -idle timeout. - -Signed-off-by: J. Bruce Fields ---- - include/linux/sunrpc/clnt.h | 1 + - include/linux/sunrpc/xprt.h | 1 + - net/sunrpc/clnt.c | 2 ++ - net/sunrpc/xprt.c | 2 ++ - 4 files changed, 6 insertions(+) - -diff --git a/include/linux/sunrpc/clnt.h b/include/linux/sunrpc/clnt.h -index e7d492c..bfe11be 100644 ---- a/include/linux/sunrpc/clnt.h -+++ b/include/linux/sunrpc/clnt.h -@@ -125,6 +125,7 @@ struct rpc_create_args { - #define RPC_CLNT_CREATE_DISCRTRY (1UL << 5) - #define RPC_CLNT_CREATE_QUIET (1UL << 6) - #define RPC_CLNT_CREATE_INFINITE_SLOTS (1UL << 7) -+#define RPC_CLNT_CREATE_NO_IDLE_TIMEOUT (1UL << 8) - - struct rpc_clnt *rpc_create(struct rpc_create_args *args); - struct rpc_clnt *rpc_bind_new_program(struct rpc_clnt *, -diff --git a/include/linux/sunrpc/xprt.h b/include/linux/sunrpc/xprt.h -index 12afb29..c8708d8 100644 ---- a/include/linux/sunrpc/xprt.h -+++ b/include/linux/sunrpc/xprt.h -@@ -256,6 +256,7 @@ static inline int bc_prealloc(struct rpc_rqst *req) - #endif /* CONFIG_SUNRPC_BACKCHANNEL */ - - #define XPRT_CREATE_INFINITE_SLOTS (1U) -+#define XPRT_CREATE_NO_IDLE_TIMEOUT (1U << 1) - - struct xprt_create { - int ident; /* XPRT_TRANSPORT identifier */ -diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c -index 54b69fc..6d29b53 100644 ---- a/net/sunrpc/clnt.c -+++ b/net/sunrpc/clnt.c -@@ -413,6 +413,8 @@ struct rpc_clnt *rpc_create(struct rpc_create_args *args) - - if (args->flags & RPC_CLNT_CREATE_INFINITE_SLOTS) - xprtargs.flags |= XPRT_CREATE_INFINITE_SLOTS; -+ if (args->flags & RPC_CLNT_CREATE_NO_IDLE_TIMEOUT) -+ xprtargs.flags |= XPRT_CREATE_NO_IDLE_TIMEOUT; - /* - * If the caller chooses not to specify a hostname, whip - * up a string representation of the passed-in address. -diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c -index b7478d5..33fac38 100644 ---- a/net/sunrpc/xprt.c -+++ b/net/sunrpc/xprt.c -@@ -1245,6 +1245,8 @@ found: - -PTR_ERR(xprt)); - goto out; - } -+ if (args->flags & XPRT_CREATE_NO_IDLE_TIMEOUT) -+ xprt->idle_timeout = 0; - INIT_WORK(&xprt->task_cleanup, xprt_autoclose); - if (xprt_has_timer(xprt)) - setup_timer(&xprt->timer, xprt_init_autodisconnect, --- -1.8.1.4 - - -From faa25a9e80ab40a0e923011771aca6a1ddeea30d Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 25 May 2012 18:09:53 -0400 -Subject: [PATCH 04/16] SUNRPC: conditionally return endtime from - import_sec_context - -We expose this parameter for a future caller. -It will be used to extract the endtime from the gss-proxy upcall mechanism, -in order to set the rsc cache expiration time. - -Signed-off-by: Simo Sorce -Signed-off-by: J. Bruce Fields ---- - include/linux/sunrpc/gss_api.h | 2 ++ - net/sunrpc/auth_gss/auth_gss.c | 2 +- - net/sunrpc/auth_gss/gss_krb5_mech.c | 7 +++++-- - net/sunrpc/auth_gss/gss_mech_switch.c | 5 +++-- - net/sunrpc/auth_gss/svcauth_gss.c | 3 ++- - 5 files changed, 13 insertions(+), 6 deletions(-) - -diff --git a/include/linux/sunrpc/gss_api.h b/include/linux/sunrpc/gss_api.h -index a19e254..04d03bb 100644 ---- a/include/linux/sunrpc/gss_api.h -+++ b/include/linux/sunrpc/gss_api.h -@@ -37,6 +37,7 @@ int gss_import_sec_context( - size_t bufsize, - struct gss_api_mech *mech, - struct gss_ctx **ctx_id, -+ time_t *endtime, - gfp_t gfp_mask); - u32 gss_get_mic( - struct gss_ctx *ctx_id, -@@ -92,6 +93,7 @@ struct gss_api_ops { - const void *input_token, - size_t bufsize, - struct gss_ctx *ctx_id, -+ time_t *endtime, - gfp_t gfp_mask); - u32 (*gss_get_mic)( - struct gss_ctx *ctx_id, -diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c -index 5257d29..23563e7 100644 ---- a/net/sunrpc/auth_gss/auth_gss.c -+++ b/net/sunrpc/auth_gss/auth_gss.c -@@ -238,7 +238,7 @@ gss_fill_context(const void *p, const void *end, struct gss_cl_ctx *ctx, struct - p = ERR_PTR(-EFAULT); - goto err; - } -- ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, GFP_NOFS); -+ ret = gss_import_sec_context(p, seclen, gm, &ctx->gc_gss_ctx, NULL, GFP_NOFS); - if (ret < 0) { - p = ERR_PTR(ret); - goto err; -diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c -index d3611f1..3bc4a23 100644 ---- a/net/sunrpc/auth_gss/gss_krb5_mech.c -+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c -@@ -679,6 +679,7 @@ out_err: - static int - gss_import_sec_context_kerberos(const void *p, size_t len, - struct gss_ctx *ctx_id, -+ time_t *endtime, - gfp_t gfp_mask) - { - const void *end = (const void *)((const char *)p + len); -@@ -694,9 +695,11 @@ gss_import_sec_context_kerberos(const void *p, size_t len, - else - ret = gss_import_v2_context(p, end, ctx, gfp_mask); - -- if (ret == 0) -+ if (ret == 0) { - ctx_id->internal_ctx_id = ctx; -- else -+ if (endtime) -+ *endtime = ctx->endtime; -+ } else - kfree(ctx); - - dprintk("RPC: %s: returning %d\n", __func__, ret); -diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c -index f0f4eee..43fd5bb 100644 ---- a/net/sunrpc/auth_gss/gss_mech_switch.c -+++ b/net/sunrpc/auth_gss/gss_mech_switch.c -@@ -325,14 +325,15 @@ int - gss_import_sec_context(const void *input_token, size_t bufsize, - struct gss_api_mech *mech, - struct gss_ctx **ctx_id, -+ time_t *endtime, - gfp_t gfp_mask) - { - if (!(*ctx_id = kzalloc(sizeof(**ctx_id), gfp_mask))) - return -ENOMEM; - (*ctx_id)->mech_type = gss_mech_get(mech); - -- return mech->gm_ops -- ->gss_import_sec_context(input_token, bufsize, *ctx_id, gfp_mask); -+ return mech->gm_ops->gss_import_sec_context(input_token, bufsize, -+ *ctx_id, endtime, gfp_mask); - } - - /* gss_get_mic: compute a mic over message and return mic_token. */ -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 5ead605..20eedec 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -497,7 +497,8 @@ static int rsc_parse(struct cache_detail *cd, - len = qword_get(&mesg, buf, mlen); - if (len < 0) - goto out; -- status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, GFP_KERNEL); -+ status = gss_import_sec_context(buf, len, gm, &rsci.mechctx, -+ NULL, GFP_KERNEL); - if (status) - goto out; - --- -1.8.1.4 - - -From ffc614331a36038700b7bc13bc2da6b8f120b9d6 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 25 May 2012 18:09:55 -0400 -Subject: [PATCH 05/16] SUNRPC: Add RPC based upcall mechanism for RPCGSS auth - -This patch implements a sunrpc client to use the services of the gssproxy -userspace daemon. - -In particular it allows to perform calls in user space using an RPC -call instead of custom hand-coded upcall/downcall messages. - -Currently only accept_sec_context is implemented as that is all is needed for -the server case. - -File server modules like NFS and CIFS can use full gssapi services this way, -once init_sec_context is also implemented. - -For the NFS server case this code allow to lift the limit of max 2k krb5 -tickets. This limit is prevents legitimate kerberos deployments from using krb5 -authentication with the Linux NFS server as they have normally ticket that are -many kilobytes large. - -It will also allow to lift the limitation on the size of the credential set -(uid,gid,gids) passed down from user space for users that have very many groups -associated. Currently the downcall mechanism used by rpc.svcgssd is limited -to around 2k secondary groups of the 65k allowed by kernel structures. - -Signed-off-by: Simo Sorce -[bfields: containerization, concurrent upcalls, misc. fixes and cleanup] -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/Makefile | 3 +- - net/sunrpc/auth_gss/gss_rpc_upcall.c | 355 +++++++++++++++ - net/sunrpc/auth_gss/gss_rpc_upcall.h | 47 ++ - net/sunrpc/auth_gss/gss_rpc_xdr.c | 832 +++++++++++++++++++++++++++++++++++ - net/sunrpc/auth_gss/gss_rpc_xdr.h | 264 +++++++++++ - net/sunrpc/clnt.c | 1 + - net/sunrpc/netns.h | 3 + - 7 files changed, 1504 insertions(+), 1 deletion(-) - create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.c - create mode 100644 net/sunrpc/auth_gss/gss_rpc_upcall.h - create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.c - create mode 100644 net/sunrpc/auth_gss/gss_rpc_xdr.h - -diff --git a/net/sunrpc/auth_gss/Makefile b/net/sunrpc/auth_gss/Makefile -index 9e4cb59..14e9e53 100644 ---- a/net/sunrpc/auth_gss/Makefile -+++ b/net/sunrpc/auth_gss/Makefile -@@ -5,7 +5,8 @@ - obj-$(CONFIG_SUNRPC_GSS) += auth_rpcgss.o - - auth_rpcgss-y := auth_gss.o gss_generic_token.o \ -- gss_mech_switch.o svcauth_gss.o -+ gss_mech_switch.o svcauth_gss.o \ -+ gss_rpc_upcall.o gss_rpc_xdr.o - - obj-$(CONFIG_RPCSEC_GSS_KRB5) += rpcsec_gss_krb5.o - -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -new file mode 100644 -index 0000000..2d33ddf ---- /dev/null -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -0,0 +1,355 @@ -+/* -+ * linux/net/sunrpc/gss_rpc_upcall.c -+ * -+ * Copyright (C) 2012 Simo Sorce -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ */ -+ -+#include -+#include -+ -+#include -+#include "gss_rpc_upcall.h" -+ -+#define GSSPROXY_SOCK_PATHNAME "/var/run/gssproxy.sock" -+ -+#define GSSPROXY_PROGRAM (400112u) -+#define GSSPROXY_VERS_1 (1u) -+ -+/* -+ * Encoding/Decoding functions -+ */ -+ -+enum { -+ GSSX_NULL = 0, /* Unused */ -+ GSSX_INDICATE_MECHS = 1, -+ GSSX_GET_CALL_CONTEXT = 2, -+ GSSX_IMPORT_AND_CANON_NAME = 3, -+ GSSX_EXPORT_CRED = 4, -+ GSSX_IMPORT_CRED = 5, -+ GSSX_ACQUIRE_CRED = 6, -+ GSSX_STORE_CRED = 7, -+ GSSX_INIT_SEC_CONTEXT = 8, -+ GSSX_ACCEPT_SEC_CONTEXT = 9, -+ GSSX_RELEASE_HANDLE = 10, -+ GSSX_GET_MIC = 11, -+ GSSX_VERIFY = 12, -+ GSSX_WRAP = 13, -+ GSSX_UNWRAP = 14, -+ GSSX_WRAP_SIZE_LIMIT = 15, -+}; -+ -+#define PROC(proc, name) \ -+[GSSX_##proc] = { \ -+ .p_proc = GSSX_##proc, \ -+ .p_encode = (kxdreproc_t)gssx_enc_##name, \ -+ .p_decode = (kxdrdproc_t)gssx_dec_##name, \ -+ .p_arglen = GSSX_ARG_##name##_sz, \ -+ .p_replen = GSSX_RES_##name##_sz, \ -+ .p_statidx = GSSX_##proc, \ -+ .p_name = #proc, \ -+} -+ -+struct rpc_procinfo gssp_procedures[] = { -+ PROC(INDICATE_MECHS, indicate_mechs), -+ PROC(GET_CALL_CONTEXT, get_call_context), -+ PROC(IMPORT_AND_CANON_NAME, import_and_canon_name), -+ PROC(EXPORT_CRED, export_cred), -+ PROC(IMPORT_CRED, import_cred), -+ PROC(ACQUIRE_CRED, acquire_cred), -+ PROC(STORE_CRED, store_cred), -+ PROC(INIT_SEC_CONTEXT, init_sec_context), -+ PROC(ACCEPT_SEC_CONTEXT, accept_sec_context), -+ PROC(RELEASE_HANDLE, release_handle), -+ PROC(GET_MIC, get_mic), -+ PROC(VERIFY, verify), -+ PROC(WRAP, wrap), -+ PROC(UNWRAP, unwrap), -+ PROC(WRAP_SIZE_LIMIT, wrap_size_limit), -+}; -+ -+ -+ -+/* -+ * Common transport functions -+ */ -+ -+static const struct rpc_program gssp_program; -+ -+static int gssp_rpc_create(struct net *net, struct rpc_clnt **_clnt) -+{ -+ static const struct sockaddr_un gssp_localaddr = { -+ .sun_family = AF_LOCAL, -+ .sun_path = GSSPROXY_SOCK_PATHNAME, -+ }; -+ struct rpc_create_args args = { -+ .net = net, -+ .protocol = XPRT_TRANSPORT_LOCAL, -+ .address = (struct sockaddr *)&gssp_localaddr, -+ .addrsize = sizeof(gssp_localaddr), -+ .servername = "localhost", -+ .program = &gssp_program, -+ .version = GSSPROXY_VERS_1, -+ .authflavor = RPC_AUTH_NULL, -+ /* -+ * Note we want connection to be done in the caller's -+ * filesystem namespace. We therefore turn off the idle -+ * timeout, which would result in reconnections being -+ * done without the correct namespace: -+ */ -+ .flags = RPC_CLNT_CREATE_NOPING | -+ RPC_CLNT_CREATE_NO_IDLE_TIMEOUT -+ }; -+ struct rpc_clnt *clnt; -+ int result = 0; -+ -+ clnt = rpc_create(&args); -+ if (IS_ERR(clnt)) { -+ dprintk("RPC: failed to create AF_LOCAL gssproxy " -+ "client (errno %ld).\n", PTR_ERR(clnt)); -+ result = -PTR_ERR(clnt); -+ *_clnt = NULL; -+ goto out; -+ } -+ -+ dprintk("RPC: created new gssp local client (gssp_local_clnt: " -+ "%p)\n", clnt); -+ *_clnt = clnt; -+ -+out: -+ return result; -+} -+ -+void init_gssp_clnt(struct sunrpc_net *sn) -+{ -+ mutex_init(&sn->gssp_lock); -+ sn->gssp_clnt = NULL; -+} -+ -+int set_gssp_clnt(struct net *net) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ struct rpc_clnt *clnt; -+ int ret; -+ -+ mutex_lock(&sn->gssp_lock); -+ ret = gssp_rpc_create(net, &clnt); -+ if (!ret) { -+ if (sn->gssp_clnt) -+ rpc_shutdown_client(sn->gssp_clnt); -+ sn->gssp_clnt = clnt; -+ } -+ mutex_unlock(&sn->gssp_lock); -+ return ret; -+} -+ -+void clear_gssp_clnt(struct sunrpc_net *sn) -+{ -+ mutex_lock(&sn->gssp_lock); -+ if (sn->gssp_clnt) { -+ rpc_shutdown_client(sn->gssp_clnt); -+ sn->gssp_clnt = NULL; -+ } -+ mutex_unlock(&sn->gssp_lock); -+} -+ -+static struct rpc_clnt *get_gssp_clnt(struct sunrpc_net *sn) -+{ -+ struct rpc_clnt *clnt; -+ -+ mutex_lock(&sn->gssp_lock); -+ clnt = sn->gssp_clnt; -+ if (clnt) -+ atomic_inc(&clnt->cl_count); -+ mutex_unlock(&sn->gssp_lock); -+ return clnt; -+} -+ -+static int gssp_call(struct net *net, struct rpc_message *msg) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ struct rpc_clnt *clnt; -+ int status; -+ -+ clnt = get_gssp_clnt(sn); -+ if (!clnt) -+ return -EIO; -+ status = rpc_call_sync(clnt, msg, 0); -+ if (status < 0) { -+ dprintk("gssp: rpc_call returned error %d\n", -status); -+ switch (status) { -+ case -EPROTONOSUPPORT: -+ status = -EINVAL; -+ break; -+ case -ECONNREFUSED: -+ case -ETIMEDOUT: -+ case -ENOTCONN: -+ status = -EAGAIN; -+ break; -+ case -ERESTARTSYS: -+ if (signalled ()) -+ status = -EINTR; -+ break; -+ default: -+ break; -+ } -+ } -+ rpc_release_client(clnt); -+ return status; -+} -+ -+ -+/* -+ * Public functions -+ */ -+ -+/* numbers somewhat arbitrary but large enough for current needs */ -+#define GSSX_MAX_OUT_HANDLE 128 -+#define GSSX_MAX_MECH_OID 16 -+#define GSSX_MAX_SRC_PRINC 256 -+#define GSSX_KMEMBUF (GSSX_max_output_handle_sz + \ -+ GSSX_max_oid_sz + \ -+ GSSX_max_princ_sz + \ -+ sizeof(struct svc_cred)) -+ -+int gssp_accept_sec_context_upcall(struct net *net, -+ struct gssp_upcall_data *data) -+{ -+ struct gssx_ctx ctxh = { -+ .state = data->in_handle -+ }; -+ struct gssx_arg_accept_sec_context arg = { -+ .input_token = data->in_token, -+ }; -+ struct gssx_ctx rctxh = { -+ /* -+ * pass in the max length we expect for each of these -+ * buffers but let the xdr code kmalloc them: -+ */ -+ .exported_context_token.len = GSSX_max_output_handle_sz, -+ .mech.len = GSSX_max_oid_sz, -+ .src_name.display_name.len = GSSX_max_princ_sz -+ }; -+ struct gssx_res_accept_sec_context res = { -+ .context_handle = &rctxh, -+ .output_token = &data->out_token -+ }; -+ struct rpc_message msg = { -+ .rpc_proc = &gssp_procedures[GSSX_ACCEPT_SEC_CONTEXT], -+ .rpc_argp = &arg, -+ .rpc_resp = &res, -+ .rpc_cred = NULL, /* FIXME ? */ -+ }; -+ struct xdr_netobj client_name = { 0 , NULL }; -+ int ret; -+ -+ if (data->in_handle.len != 0) -+ arg.context_handle = &ctxh; -+ res.output_token->len = GSSX_max_output_token_sz; -+ -+ /* use nfs/ for targ_name ? */ -+ -+ ret = gssp_call(net, &msg); -+ -+ /* we need to fetch all data even in case of error so -+ * that we can free special strctures is they have been allocated */ -+ data->major_status = res.status.major_status; -+ data->minor_status = res.status.minor_status; -+ if (res.context_handle) { -+ data->out_handle = rctxh.exported_context_token; -+ data->mech_oid = rctxh.mech; -+ client_name = rctxh.src_name.display_name; -+ } -+ -+ if (res.options.count == 1) { -+ gssx_buffer *value = &res.options.data[0].value; -+ /* Currently we only decode CREDS_VALUE, if we add -+ * anything else we'll have to loop and match on the -+ * option name */ -+ if (value->len == 1) { -+ /* steal group info from struct svc_cred */ -+ data->creds = *(struct svc_cred *)value->data; -+ data->found_creds = 1; -+ } -+ /* whether we use it or not, free data */ -+ kfree(value->data); -+ } -+ -+ if (res.options.count != 0) { -+ kfree(res.options.data); -+ } -+ -+ /* convert to GSS_NT_HOSTBASED_SERVICE form and set into creds */ -+ if (data->found_creds && client_name.data != NULL) { -+ char *c; -+ -+ data->creds.cr_principal = kstrndup(client_name.data, -+ client_name.len, GFP_KERNEL); -+ if (data->creds.cr_principal) { -+ /* terminate and remove realm part */ -+ c = strchr(data->creds.cr_principal, '@'); -+ if (c) { -+ *c = '\0'; -+ -+ /* change service-hostname delimiter */ -+ c = strchr(data->creds.cr_principal, '/'); -+ if (c) *c = '@'; -+ } -+ if (!c) { -+ /* not a service principal */ -+ kfree(data->creds.cr_principal); -+ data->creds.cr_principal = NULL; -+ } -+ } -+ } -+ kfree(client_name.data); -+ -+ return ret; -+} -+ -+void gssp_free_upcall_data(struct gssp_upcall_data *data) -+{ -+ kfree(data->in_handle.data); -+ kfree(data->out_handle.data); -+ kfree(data->out_token.data); -+ kfree(data->mech_oid.data); -+ free_svc_cred(&data->creds); -+} -+ -+/* -+ * Initialization stuff -+ */ -+ -+static const struct rpc_version gssp_version1 = { -+ .number = GSSPROXY_VERS_1, -+ .nrprocs = ARRAY_SIZE(gssp_procedures), -+ .procs = gssp_procedures, -+}; -+ -+static const struct rpc_version *gssp_version[] = { -+ NULL, -+ &gssp_version1, -+}; -+ -+static struct rpc_stat gssp_stats; -+ -+static const struct rpc_program gssp_program = { -+ .name = "gssproxy", -+ .number = GSSPROXY_PROGRAM, -+ .nrvers = ARRAY_SIZE(gssp_version), -+ .version = gssp_version, -+ .stats = &gssp_stats, -+}; -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.h b/net/sunrpc/auth_gss/gss_rpc_upcall.h -new file mode 100644 -index 0000000..4c2caaa ---- /dev/null -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.h -@@ -0,0 +1,47 @@ -+/* -+ * linux/net/sunrpc/gss_rpc_upcall.h -+ * -+ * Copyright (C) 2012 Simo Sorce -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ */ -+ -+#ifndef _GSS_RPC_UPCALL_H -+#define _GSS_RPC_UPCALL_H -+ -+#include -+#include "gss_rpc_xdr.h" -+#include "../netns.h" -+ -+struct gssp_upcall_data { -+ struct xdr_netobj in_handle; -+ struct gssp_in_token in_token; -+ struct xdr_netobj out_handle; -+ struct xdr_netobj out_token; -+ struct xdr_netobj mech_oid; -+ struct svc_cred creds; -+ int found_creds; -+ int major_status; -+ int minor_status; -+}; -+ -+int gssp_accept_sec_context_upcall(struct net *net, -+ struct gssp_upcall_data *data); -+void gssp_free_upcall_data(struct gssp_upcall_data *data); -+ -+void init_gssp_clnt(struct sunrpc_net *); -+int set_gssp_clnt(struct net *); -+void clear_gssp_clnt(struct sunrpc_net *); -+#endif /* _GSS_RPC_UPCALL_H */ -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -new file mode 100644 -index 0000000..d0ccdff ---- /dev/null -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -0,0 +1,832 @@ -+/* -+ * GSS Proxy upcall module -+ * -+ * Copyright (C) 2012 Simo Sorce -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ */ -+ -+#include -+#include "gss_rpc_xdr.h" -+ -+static bool gssx_check_pointer(struct xdr_stream *xdr) -+{ -+ __be32 *p; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ return *p?true:false; -+} -+ -+static int gssx_enc_bool(struct xdr_stream *xdr, int v) -+{ -+ __be32 *p; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ *p = v ? xdr_one : xdr_zero; -+ return 0; -+} -+ -+static int gssx_dec_bool(struct xdr_stream *xdr, u32 *v) -+{ -+ __be32 *p; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ *v = be32_to_cpu(*p); -+ return 0; -+} -+ -+static int gssx_enc_buffer(struct xdr_stream *xdr, -+ gssx_buffer *buf) -+{ -+ __be32 *p; -+ -+ p = xdr_reserve_space(xdr, sizeof(u32) + buf->len); -+ if (!p) -+ return -ENOSPC; -+ xdr_encode_opaque(p, buf->data, buf->len); -+ return 0; -+} -+ -+static int gssx_enc_in_token(struct xdr_stream *xdr, -+ struct gssp_in_token *in) -+{ -+ __be32 *p; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (!p) -+ return -ENOSPC; -+ *p = cpu_to_be32(in->page_len); -+ -+ /* all we need to do is to write pages */ -+ xdr_write_pages(xdr, in->pages, in->page_base, in->page_len); -+ -+ return 0; -+} -+ -+ -+static int gssx_dec_buffer(struct xdr_stream *xdr, -+ gssx_buffer *buf) -+{ -+ u32 length; -+ __be32 *p; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ length = be32_to_cpup(p); -+ p = xdr_inline_decode(xdr, length); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ if (buf->len == 0) { -+ /* we intentionally are not interested in this buffer */ -+ return 0; -+ } -+ if (length > buf->len) -+ return -ENOSPC; -+ -+ if (!buf->data) { -+ buf->data = kmemdup(p, length, GFP_KERNEL); -+ if (!buf->data) -+ return -ENOMEM; -+ } else { -+ memcpy(buf->data, p, length); -+ } -+ buf->len = length; -+ return 0; -+} -+ -+static int gssx_enc_option(struct xdr_stream *xdr, -+ struct gssx_option *opt) -+{ -+ int err; -+ -+ err = gssx_enc_buffer(xdr, &opt->option); -+ if (err) -+ return err; -+ err = gssx_enc_buffer(xdr, &opt->value); -+ return err; -+} -+ -+static int gssx_dec_option(struct xdr_stream *xdr, -+ struct gssx_option *opt) -+{ -+ int err; -+ -+ err = gssx_dec_buffer(xdr, &opt->option); -+ if (err) -+ return err; -+ err = gssx_dec_buffer(xdr, &opt->value); -+ return err; -+} -+ -+static int dummy_enc_opt_array(struct xdr_stream *xdr, -+ struct gssx_option_array *oa) -+{ -+ __be32 *p; -+ -+ if (oa->count != 0) -+ return -EINVAL; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (!p) -+ return -ENOSPC; -+ *p = 0; -+ -+ return 0; -+} -+ -+static int dummy_dec_opt_array(struct xdr_stream *xdr, -+ struct gssx_option_array *oa) -+{ -+ struct gssx_option dummy; -+ u32 count, i; -+ __be32 *p; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ count = be32_to_cpup(p++); -+ memset(&dummy, 0, sizeof(dummy)); -+ for (i = 0; i < count; i++) { -+ gssx_dec_option(xdr, &dummy); -+ } -+ -+ oa->count = 0; -+ oa->data = NULL; -+ return 0; -+} -+ -+static int get_s32(void **p, void *max, s32 *res) -+{ -+ void *base = *p; -+ void *next = (void *)((char *)base + sizeof(s32)); -+ if (unlikely(next > max || next < base)) -+ return -EINVAL; -+ memcpy(res, base, sizeof(s32)); -+ *p = next; -+ return 0; -+} -+ -+static int gssx_dec_linux_creds(struct xdr_stream *xdr, -+ struct svc_cred *creds) -+{ -+ u32 length; -+ __be32 *p; -+ void *q, *end; -+ s32 tmp; -+ int N, i, err; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ length = be32_to_cpup(p); -+ -+ /* FIXME: we do not want to use the scratch buffer for this one -+ * may need to use functions that allows us to access an io vector -+ * directly */ -+ p = xdr_inline_decode(xdr, length); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ q = p; -+ end = q + length; -+ -+ /* uid */ -+ err = get_s32(&q, end, &tmp); -+ if (err) -+ return err; -+ creds->cr_uid = tmp; -+ -+ /* gid */ -+ err = get_s32(&q, end, &tmp); -+ if (err) -+ return err; -+ creds->cr_gid = tmp; -+ -+ /* number of additional gid's */ -+ err = get_s32(&q, end, &tmp); -+ if (err) -+ return err; -+ N = tmp; -+ creds->cr_group_info = groups_alloc(N); -+ if (creds->cr_group_info == NULL) -+ return -ENOMEM; -+ -+ /* gid's */ -+ for (i = 0; i < N; i++) { -+ err = get_s32(&q, end, &tmp); -+ if (err) { -+ groups_free(creds->cr_group_info); -+ return err; -+ } -+ GROUP_AT(creds->cr_group_info, i) = tmp; -+ } -+ -+ return 0; -+} -+ -+static int gssx_dec_option_array(struct xdr_stream *xdr, -+ struct gssx_option_array *oa) -+{ -+ struct svc_cred *creds; -+ u32 count, i; -+ __be32 *p; -+ int err; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ count = be32_to_cpup(p++); -+ if (count != 0) { -+ /* we recognize only 1 currently: CREDS_VALUE */ -+ oa->count = 1; -+ -+ oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); -+ if (!oa->data) -+ return -ENOMEM; -+ -+ creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); -+ if (!creds) { -+ kfree(oa->data); -+ return -ENOMEM; -+ } -+ -+ oa->data[0].option.data = CREDS_VALUE; -+ oa->data[0].option.len = sizeof(CREDS_VALUE); -+ oa->data[0].value.data = (void *)creds; -+ oa->data[0].value.len = 0; -+ } -+ for (i = 0; i < count; i++) { -+ gssx_buffer dummy = { 0, NULL }; -+ u32 length; -+ -+ /* option buffer */ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ length = be32_to_cpup(p); -+ p = xdr_inline_decode(xdr, length); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ -+ if (length == sizeof(CREDS_VALUE) && -+ memcmp(p, CREDS_VALUE, sizeof(CREDS_VALUE)) == 0) { -+ /* We have creds here. parse them */ -+ err = gssx_dec_linux_creds(xdr, creds); -+ if (err) -+ return err; -+ oa->data[0].value.len = 1; /* presence */ -+ } else { -+ /* consume uninteresting buffer */ -+ err = gssx_dec_buffer(xdr, &dummy); -+ if (err) -+ return err; -+ } -+ } -+ return 0; -+} -+ -+static int gssx_dec_status(struct xdr_stream *xdr, -+ struct gssx_status *status) -+{ -+ __be32 *p; -+ int err; -+ -+ /* status->major_status */ -+ p = xdr_inline_decode(xdr, 8); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ p = xdr_decode_hyper(p, &status->major_status); -+ -+ /* status->mech */ -+ err = gssx_dec_buffer(xdr, &status->mech); -+ if (err) -+ return err; -+ -+ /* status->minor_status */ -+ p = xdr_inline_decode(xdr, 8); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ p = xdr_decode_hyper(p, &status->minor_status); -+ -+ /* status->major_status_string */ -+ err = gssx_dec_buffer(xdr, &status->major_status_string); -+ if (err) -+ return err; -+ -+ /* status->minor_status_string */ -+ err = gssx_dec_buffer(xdr, &status->minor_status_string); -+ if (err) -+ return err; -+ -+ /* status->server_ctx */ -+ err = gssx_dec_buffer(xdr, &status->server_ctx); -+ if (err) -+ return err; -+ -+ /* we assume we have no options for now, so simply consume them */ -+ /* status->options */ -+ err = dummy_dec_opt_array(xdr, &status->options); -+ -+ return err; -+} -+ -+static int gssx_enc_call_ctx(struct xdr_stream *xdr, -+ struct gssx_call_ctx *ctx) -+{ -+ struct gssx_option opt; -+ __be32 *p; -+ int err; -+ -+ /* ctx->locale */ -+ err = gssx_enc_buffer(xdr, &ctx->locale); -+ if (err) -+ return err; -+ -+ /* ctx->server_ctx */ -+ err = gssx_enc_buffer(xdr, &ctx->server_ctx); -+ if (err) -+ return err; -+ -+ /* we always want to ask for lucid contexts */ -+ /* ctx->options */ -+ p = xdr_reserve_space(xdr, 4); -+ *p = cpu_to_be32(2); -+ -+ /* we want a lucid_v1 context */ -+ opt.option.data = LUCID_OPTION; -+ opt.option.len = sizeof(LUCID_OPTION); -+ opt.value.data = LUCID_VALUE; -+ opt.value.len = sizeof(LUCID_VALUE); -+ err = gssx_enc_option(xdr, &opt); -+ -+ /* ..and user creds */ -+ opt.option.data = CREDS_OPTION; -+ opt.option.len = sizeof(CREDS_OPTION); -+ opt.value.data = CREDS_VALUE; -+ opt.value.len = sizeof(CREDS_VALUE); -+ err = gssx_enc_option(xdr, &opt); -+ -+ return err; -+} -+ -+static int gssx_dec_name_attr(struct xdr_stream *xdr, -+ struct gssx_name_attr *attr) -+{ -+ int err; -+ -+ /* attr->attr */ -+ err = gssx_dec_buffer(xdr, &attr->attr); -+ if (err) -+ return err; -+ -+ /* attr->value */ -+ err = gssx_dec_buffer(xdr, &attr->value); -+ if (err) -+ return err; -+ -+ /* attr->extensions */ -+ err = dummy_dec_opt_array(xdr, &attr->extensions); -+ -+ return err; -+} -+ -+static int dummy_enc_nameattr_array(struct xdr_stream *xdr, -+ struct gssx_name_attr_array *naa) -+{ -+ __be32 *p; -+ -+ if (naa->count != 0) -+ return -EINVAL; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (!p) -+ return -ENOSPC; -+ *p = 0; -+ -+ return 0; -+} -+ -+static int dummy_dec_nameattr_array(struct xdr_stream *xdr, -+ struct gssx_name_attr_array *naa) -+{ -+ struct gssx_name_attr dummy; -+ u32 count, i; -+ __be32 *p; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ count = be32_to_cpup(p++); -+ for (i = 0; i < count; i++) { -+ gssx_dec_name_attr(xdr, &dummy); -+ } -+ -+ naa->count = 0; -+ naa->data = NULL; -+ return 0; -+} -+ -+static struct xdr_netobj zero_netobj = {}; -+ -+static struct gssx_name_attr_array zero_name_attr_array = {}; -+ -+static struct gssx_option_array zero_option_array = {}; -+ -+static int gssx_enc_name(struct xdr_stream *xdr, -+ struct gssx_name *name) -+{ -+ int err; -+ -+ /* name->display_name */ -+ err = gssx_enc_buffer(xdr, &name->display_name); -+ if (err) -+ return err; -+ -+ /* name->name_type */ -+ err = gssx_enc_buffer(xdr, &zero_netobj); -+ if (err) -+ return err; -+ -+ /* name->exported_name */ -+ err = gssx_enc_buffer(xdr, &zero_netobj); -+ if (err) -+ return err; -+ -+ /* name->exported_composite_name */ -+ err = gssx_enc_buffer(xdr, &zero_netobj); -+ if (err) -+ return err; -+ -+ /* leave name_attributes empty for now, will add once we have any -+ * to pass up at all */ -+ /* name->name_attributes */ -+ err = dummy_enc_nameattr_array(xdr, &zero_name_attr_array); -+ if (err) -+ return err; -+ -+ /* leave options empty for now, will add once we have any options -+ * to pass up at all */ -+ /* name->extensions */ -+ err = dummy_enc_opt_array(xdr, &zero_option_array); -+ -+ return err; -+} -+ -+static int gssx_dec_name(struct xdr_stream *xdr, -+ struct gssx_name *name) -+{ -+ struct xdr_netobj dummy_netobj; -+ struct gssx_name_attr_array dummy_name_attr_array; -+ struct gssx_option_array dummy_option_array; -+ int err; -+ -+ /* name->display_name */ -+ err = gssx_dec_buffer(xdr, &name->display_name); -+ if (err) -+ return err; -+ -+ /* name->name_type */ -+ err = gssx_dec_buffer(xdr, &dummy_netobj); -+ if (err) -+ return err; -+ -+ /* name->exported_name */ -+ err = gssx_dec_buffer(xdr, &dummy_netobj); -+ if (err) -+ return err; -+ -+ /* name->exported_composite_name */ -+ err = gssx_dec_buffer(xdr, &dummy_netobj); -+ if (err) -+ return err; -+ -+ /* we assume we have no attributes for now, so simply consume them */ -+ /* name->name_attributes */ -+ err = dummy_dec_nameattr_array(xdr, &dummy_name_attr_array); -+ if (err) -+ return err; -+ -+ /* we assume we have no options for now, so simply consume them */ -+ /* name->extensions */ -+ err = dummy_dec_opt_array(xdr, &dummy_option_array); -+ -+ return err; -+} -+ -+static int dummy_enc_credel_array(struct xdr_stream *xdr, -+ struct gssx_cred_element_array *cea) -+{ -+ __be32 *p; -+ -+ if (cea->count != 0) -+ return -EINVAL; -+ -+ p = xdr_reserve_space(xdr, 4); -+ if (!p) -+ return -ENOSPC; -+ *p = 0; -+ -+ return 0; -+} -+ -+static int gssx_enc_cred(struct xdr_stream *xdr, -+ struct gssx_cred *cred) -+{ -+ int err; -+ -+ /* cred->desired_name */ -+ err = gssx_enc_name(xdr, &cred->desired_name); -+ if (err) -+ return err; -+ -+ /* cred->elements */ -+ err = dummy_enc_credel_array(xdr, &cred->elements); -+ -+ /* cred->cred_handle_reference */ -+ err = gssx_enc_buffer(xdr, &cred->cred_handle_reference); -+ if (err) -+ return err; -+ -+ /* cred->needs_release */ -+ err = gssx_enc_bool(xdr, cred->needs_release); -+ -+ return err; -+} -+ -+static int gssx_enc_ctx(struct xdr_stream *xdr, -+ struct gssx_ctx *ctx) -+{ -+ __be32 *p; -+ int err; -+ -+ /* ctx->exported_context_token */ -+ err = gssx_enc_buffer(xdr, &ctx->exported_context_token); -+ if (err) -+ return err; -+ -+ /* ctx->state */ -+ err = gssx_enc_buffer(xdr, &ctx->state); -+ if (err) -+ return err; -+ -+ /* ctx->need_release */ -+ err = gssx_enc_bool(xdr, ctx->need_release); -+ if (err) -+ return err; -+ -+ /* ctx->mech */ -+ err = gssx_enc_buffer(xdr, &ctx->mech); -+ if (err) -+ return err; -+ -+ /* ctx->src_name */ -+ err = gssx_enc_name(xdr, &ctx->src_name); -+ if (err) -+ return err; -+ -+ /* ctx->targ_name */ -+ err = gssx_enc_name(xdr, &ctx->targ_name); -+ if (err) -+ return err; -+ -+ /* ctx->lifetime */ -+ p = xdr_reserve_space(xdr, 8+8); -+ if (!p) -+ return -ENOSPC; -+ p = xdr_encode_hyper(p, ctx->lifetime); -+ -+ /* ctx->ctx_flags */ -+ p = xdr_encode_hyper(p, ctx->ctx_flags); -+ -+ /* ctx->locally_initiated */ -+ err = gssx_enc_bool(xdr, ctx->locally_initiated); -+ if (err) -+ return err; -+ -+ /* ctx->open */ -+ err = gssx_enc_bool(xdr, ctx->open); -+ if (err) -+ return err; -+ -+ /* leave options empty for now, will add once we have any options -+ * to pass up at all */ -+ /* ctx->options */ -+ err = dummy_enc_opt_array(xdr, &ctx->options); -+ -+ return err; -+} -+ -+static int gssx_dec_ctx(struct xdr_stream *xdr, -+ struct gssx_ctx *ctx) -+{ -+ __be32 *p; -+ int err; -+ -+ /* ctx->exported_context_token */ -+ err = gssx_dec_buffer(xdr, &ctx->exported_context_token); -+ if (err) -+ return err; -+ -+ /* ctx->state */ -+ err = gssx_dec_buffer(xdr, &ctx->state); -+ if (err) -+ return err; -+ -+ /* ctx->need_release */ -+ err = gssx_dec_bool(xdr, &ctx->need_release); -+ if (err) -+ return err; -+ -+ /* ctx->mech */ -+ err = gssx_dec_buffer(xdr, &ctx->mech); -+ if (err) -+ return err; -+ -+ /* ctx->src_name */ -+ err = gssx_dec_name(xdr, &ctx->src_name); -+ if (err) -+ return err; -+ -+ /* ctx->targ_name */ -+ err = gssx_dec_name(xdr, &ctx->targ_name); -+ if (err) -+ return err; -+ -+ /* ctx->lifetime */ -+ p = xdr_inline_decode(xdr, 8+8); -+ if (unlikely(p == NULL)) -+ return -ENOSPC; -+ p = xdr_decode_hyper(p, &ctx->lifetime); -+ -+ /* ctx->ctx_flags */ -+ p = xdr_decode_hyper(p, &ctx->ctx_flags); -+ -+ /* ctx->locally_initiated */ -+ err = gssx_dec_bool(xdr, &ctx->locally_initiated); -+ if (err) -+ return err; -+ -+ /* ctx->open */ -+ err = gssx_dec_bool(xdr, &ctx->open); -+ if (err) -+ return err; -+ -+ /* we assume we have no options for now, so simply consume them */ -+ /* ctx->options */ -+ err = dummy_dec_opt_array(xdr, &ctx->options); -+ -+ return err; -+} -+ -+static int gssx_enc_cb(struct xdr_stream *xdr, struct gssx_cb *cb) -+{ -+ __be32 *p; -+ int err; -+ -+ /* cb->initiator_addrtype */ -+ p = xdr_reserve_space(xdr, 8); -+ if (!p) -+ return -ENOSPC; -+ p = xdr_encode_hyper(p, cb->initiator_addrtype); -+ -+ /* cb->initiator_address */ -+ err = gssx_enc_buffer(xdr, &cb->initiator_address); -+ if (err) -+ return err; -+ -+ /* cb->acceptor_addrtype */ -+ p = xdr_reserve_space(xdr, 8); -+ if (!p) -+ return -ENOSPC; -+ p = xdr_encode_hyper(p, cb->acceptor_addrtype); -+ -+ /* cb->acceptor_address */ -+ err = gssx_enc_buffer(xdr, &cb->acceptor_address); -+ if (err) -+ return err; -+ -+ /* cb->application_data */ -+ err = gssx_enc_buffer(xdr, &cb->application_data); -+ -+ return err; -+} -+ -+void gssx_enc_accept_sec_context(struct rpc_rqst *req, -+ struct xdr_stream *xdr, -+ struct gssx_arg_accept_sec_context *arg) -+{ -+ int err; -+ -+ err = gssx_enc_call_ctx(xdr, &arg->call_ctx); -+ if (err) -+ goto done; -+ -+ /* arg->context_handle */ -+ if (arg->context_handle) { -+ err = gssx_enc_ctx(xdr, arg->context_handle); -+ if (err) -+ goto done; -+ } else { -+ err = gssx_enc_bool(xdr, 0); -+ } -+ -+ /* arg->cred_handle */ -+ if (arg->cred_handle) { -+ err = gssx_enc_cred(xdr, arg->cred_handle); -+ if (err) -+ goto done; -+ } else { -+ err = gssx_enc_bool(xdr, 0); -+ } -+ -+ /* arg->input_token */ -+ err = gssx_enc_in_token(xdr, &arg->input_token); -+ if (err) -+ goto done; -+ -+ /* arg->input_cb */ -+ if (arg->input_cb) { -+ err = gssx_enc_cb(xdr, arg->input_cb); -+ if (err) -+ goto done; -+ } else { -+ err = gssx_enc_bool(xdr, 0); -+ } -+ -+ err = gssx_enc_bool(xdr, arg->ret_deleg_cred); -+ if (err) -+ goto done; -+ -+ /* leave options empty for now, will add once we have any options -+ * to pass up at all */ -+ /* arg->options */ -+ err = dummy_enc_opt_array(xdr, &arg->options); -+ -+done: -+ if (err) -+ dprintk("RPC: gssx_enc_accept_sec_context: %d\n", err); -+} -+ -+int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, -+ struct xdr_stream *xdr, -+ struct gssx_res_accept_sec_context *res) -+{ -+ int err; -+ -+ /* res->status */ -+ err = gssx_dec_status(xdr, &res->status); -+ if (err) -+ return err; -+ -+ /* res->context_handle */ -+ if (gssx_check_pointer(xdr)) { -+ err = gssx_dec_ctx(xdr, res->context_handle); -+ if (err) -+ return err; -+ } else { -+ res->context_handle = NULL; -+ } -+ -+ /* res->output_token */ -+ if (gssx_check_pointer(xdr)) { -+ err = gssx_dec_buffer(xdr, res->output_token); -+ if (err) -+ return err; -+ } else { -+ res->output_token = NULL; -+ } -+ -+ /* res->delegated_cred_handle */ -+ if (gssx_check_pointer(xdr)) { -+ /* we do not support upcall servers sending this data. */ -+ return -EINVAL; -+ } -+ -+ /* res->options */ -+ err = gssx_dec_option_array(xdr, &res->options); -+ -+ return err; -+} -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h -new file mode 100644 -index 0000000..1c98b27 ---- /dev/null -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h -@@ -0,0 +1,264 @@ -+/* -+ * GSS Proxy upcall module -+ * -+ * Copyright (C) 2012 Simo Sorce -+ * -+ * This program is free software; you can redistribute it and/or modify -+ * it under the terms of the GNU General Public License as published by -+ * the Free Software Foundation; either version 2 of the License, or -+ * (at your option) any later version. -+ * -+ * This program is distributed in the hope that it will be useful, -+ * but WITHOUT ANY WARRANTY; without even the implied warranty of -+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -+ * GNU General Public License for more details. -+ * -+ * You should have received a copy of the GNU General Public License -+ * along with this program; if not, write to the Free Software -+ * Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. -+ */ -+ -+#ifndef _LINUX_GSS_RPC_XDR_H -+#define _LINUX_GSS_RPC_XDR_H -+ -+#include -+#include -+#include -+ -+#ifdef RPC_DEBUG -+# define RPCDBG_FACILITY RPCDBG_AUTH -+#endif -+ -+#define LUCID_OPTION "exported_context_type" -+#define LUCID_VALUE "linux_lucid_v1" -+#define CREDS_OPTION "exported_creds_type" -+#define CREDS_VALUE "linux_creds_v1" -+ -+typedef struct xdr_netobj gssx_buffer; -+typedef struct xdr_netobj utf8string; -+typedef struct xdr_netobj gssx_OID; -+ -+enum gssx_cred_usage { -+ GSSX_C_INITIATE = 1, -+ GSSX_C_ACCEPT = 2, -+ GSSX_C_BOTH = 3, -+}; -+ -+struct gssx_option { -+ gssx_buffer option; -+ gssx_buffer value; -+}; -+ -+struct gssx_option_array { -+ u32 count; -+ struct gssx_option *data; -+}; -+ -+struct gssx_status { -+ u64 major_status; -+ gssx_OID mech; -+ u64 minor_status; -+ utf8string major_status_string; -+ utf8string minor_status_string; -+ gssx_buffer server_ctx; -+ struct gssx_option_array options; -+}; -+ -+struct gssx_call_ctx { -+ utf8string locale; -+ gssx_buffer server_ctx; -+ struct gssx_option_array options; -+}; -+ -+struct gssx_name_attr { -+ gssx_buffer attr; -+ gssx_buffer value; -+ struct gssx_option_array extensions; -+}; -+ -+struct gssx_name_attr_array { -+ u32 count; -+ struct gssx_name_attr *data; -+}; -+ -+struct gssx_name { -+ gssx_buffer display_name; -+}; -+typedef struct gssx_name gssx_name; -+ -+struct gssx_cred_element { -+ gssx_name MN; -+ gssx_OID mech; -+ u32 cred_usage; -+ u64 initiator_time_rec; -+ u64 acceptor_time_rec; -+ struct gssx_option_array options; -+}; -+ -+struct gssx_cred_element_array { -+ u32 count; -+ struct gssx_cred_element *data; -+}; -+ -+struct gssx_cred { -+ gssx_name desired_name; -+ struct gssx_cred_element_array elements; -+ gssx_buffer cred_handle_reference; -+ u32 needs_release; -+}; -+ -+struct gssx_ctx { -+ gssx_buffer exported_context_token; -+ gssx_buffer state; -+ u32 need_release; -+ gssx_OID mech; -+ gssx_name src_name; -+ gssx_name targ_name; -+ u64 lifetime; -+ u64 ctx_flags; -+ u32 locally_initiated; -+ u32 open; -+ struct gssx_option_array options; -+}; -+ -+struct gssx_cb { -+ u64 initiator_addrtype; -+ gssx_buffer initiator_address; -+ u64 acceptor_addrtype; -+ gssx_buffer acceptor_address; -+ gssx_buffer application_data; -+}; -+ -+ -+/* This structure is not defined in the protocol. -+ * It is used in the kernel to carry around a big buffer -+ * as a set of pages */ -+struct gssp_in_token { -+ struct page **pages; /* Array of contiguous pages */ -+ unsigned int page_base; /* Start of page data */ -+ unsigned int page_len; /* Length of page data */ -+}; -+ -+struct gssx_arg_accept_sec_context { -+ struct gssx_call_ctx call_ctx; -+ struct gssx_ctx *context_handle; -+ struct gssx_cred *cred_handle; -+ struct gssp_in_token input_token; -+ struct gssx_cb *input_cb; -+ u32 ret_deleg_cred; -+ struct gssx_option_array options; -+}; -+ -+struct gssx_res_accept_sec_context { -+ struct gssx_status status; -+ struct gssx_ctx *context_handle; -+ gssx_buffer *output_token; -+ /* struct gssx_cred *delegated_cred_handle; not used in kernel */ -+ struct gssx_option_array options; -+}; -+ -+ -+ -+#define gssx_enc_indicate_mechs NULL -+#define gssx_dec_indicate_mechs NULL -+#define gssx_enc_get_call_context NULL -+#define gssx_dec_get_call_context NULL -+#define gssx_enc_import_and_canon_name NULL -+#define gssx_dec_import_and_canon_name NULL -+#define gssx_enc_export_cred NULL -+#define gssx_dec_export_cred NULL -+#define gssx_enc_import_cred NULL -+#define gssx_dec_import_cred NULL -+#define gssx_enc_acquire_cred NULL -+#define gssx_dec_acquire_cred NULL -+#define gssx_enc_store_cred NULL -+#define gssx_dec_store_cred NULL -+#define gssx_enc_init_sec_context NULL -+#define gssx_dec_init_sec_context NULL -+void gssx_enc_accept_sec_context(struct rpc_rqst *req, -+ struct xdr_stream *xdr, -+ struct gssx_arg_accept_sec_context *args); -+int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, -+ struct xdr_stream *xdr, -+ struct gssx_res_accept_sec_context *res); -+#define gssx_enc_release_handle NULL -+#define gssx_dec_release_handle NULL -+#define gssx_enc_get_mic NULL -+#define gssx_dec_get_mic NULL -+#define gssx_enc_verify NULL -+#define gssx_dec_verify NULL -+#define gssx_enc_wrap NULL -+#define gssx_dec_wrap NULL -+#define gssx_enc_unwrap NULL -+#define gssx_dec_unwrap NULL -+#define gssx_enc_wrap_size_limit NULL -+#define gssx_dec_wrap_size_limit NULL -+ -+/* non implemented calls are set to 0 size */ -+#define GSSX_ARG_indicate_mechs_sz 0 -+#define GSSX_RES_indicate_mechs_sz 0 -+#define GSSX_ARG_get_call_context_sz 0 -+#define GSSX_RES_get_call_context_sz 0 -+#define GSSX_ARG_import_and_canon_name_sz 0 -+#define GSSX_RES_import_and_canon_name_sz 0 -+#define GSSX_ARG_export_cred_sz 0 -+#define GSSX_RES_export_cred_sz 0 -+#define GSSX_ARG_import_cred_sz 0 -+#define GSSX_RES_import_cred_sz 0 -+#define GSSX_ARG_acquire_cred_sz 0 -+#define GSSX_RES_acquire_cred_sz 0 -+#define GSSX_ARG_store_cred_sz 0 -+#define GSSX_RES_store_cred_sz 0 -+#define GSSX_ARG_init_sec_context_sz 0 -+#define GSSX_RES_init_sec_context_sz 0 -+ -+#define GSSX_default_in_call_ctx_sz (4 + 4 + 4 + \ -+ 8 + sizeof(LUCID_OPTION) + sizeof(LUCID_VALUE) + \ -+ 8 + sizeof(CREDS_OPTION) + sizeof(CREDS_VALUE)) -+#define GSSX_default_in_ctx_hndl_sz (4 + 4+8 + 4 + 4 + 6*4 + 6*4 + 8 + 8 + \ -+ 4 + 4 + 4) -+#define GSSX_default_in_cred_sz 4 /* we send in no cred_handle */ -+#define GSSX_default_in_token_sz 4 /* does *not* include token data */ -+#define GSSX_default_in_cb_sz 4 /* we do not use channel bindings */ -+#define GSSX_ARG_accept_sec_context_sz (GSSX_default_in_call_ctx_sz + \ -+ GSSX_default_in_ctx_hndl_sz + \ -+ GSSX_default_in_cred_sz + \ -+ GSSX_default_in_token_sz + \ -+ GSSX_default_in_cb_sz + \ -+ 4 /* no deleg creds boolean */ + \ -+ 4) /* empty options */ -+ -+/* somewhat arbitrary numbers but large enough (we ignore some of the data -+ * sent down, but it is part of the protocol so we need enough space to take -+ * it in) */ -+#define GSSX_default_status_sz 8 + 24 + 8 + 256 + 256 + 16 + 4 -+#define GSSX_max_output_handle_sz 128 -+#define GSSX_max_oid_sz 16 -+#define GSSX_max_princ_sz 256 -+#define GSSX_default_ctx_sz (GSSX_max_output_handle_sz + \ -+ 16 + 4 + GSSX_max_oid_sz + \ -+ 2 * GSSX_max_princ_sz + \ -+ 8 + 8 + 4 + 4 + 4) -+#define GSSX_max_output_token_sz 1024 -+#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4) -+#define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \ -+ GSSX_default_ctx_sz + \ -+ GSSX_max_output_token_sz + \ -+ 4 + GSSX_max_creds_sz) -+ -+#define GSSX_ARG_release_handle_sz 0 -+#define GSSX_RES_release_handle_sz 0 -+#define GSSX_ARG_get_mic_sz 0 -+#define GSSX_RES_get_mic_sz 0 -+#define GSSX_ARG_verify_sz 0 -+#define GSSX_RES_verify_sz 0 -+#define GSSX_ARG_wrap_sz 0 -+#define GSSX_RES_wrap_sz 0 -+#define GSSX_ARG_unwrap_sz 0 -+#define GSSX_RES_unwrap_sz 0 -+#define GSSX_ARG_wrap_size_limit_sz 0 -+#define GSSX_RES_wrap_size_limit_sz 0 -+ -+ -+ -+#endif /* _LINUX_GSS_RPC_XDR_H */ -diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c -index 6d29b53..eb4cb72 100644 ---- a/net/sunrpc/clnt.c -+++ b/net/sunrpc/clnt.c -@@ -683,6 +683,7 @@ rpc_release_client(struct rpc_clnt *clnt) - if (atomic_dec_and_test(&clnt->cl_count)) - rpc_free_auth(clnt); - } -+EXPORT_SYMBOL_GPL(rpc_release_client); - - /** - * rpc_bind_new_program - bind a new RPC program to an existing client -diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h -index ce7bd44..e9f8895 100644 ---- a/net/sunrpc/netns.h -+++ b/net/sunrpc/netns.h -@@ -23,6 +23,9 @@ struct sunrpc_net { - struct rpc_clnt *rpcb_local_clnt4; - spinlock_t rpcb_clnt_lock; - unsigned int rpcb_users; -+ -+ struct mutex gssp_lock; -+ struct rpc_clnt *gssp_clnt; - }; - - extern int sunrpc_net_id; --- -1.8.1.4 - - -From f682043df7bb81715124c82e9cea8bc68ded9667 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 25 May 2012 18:09:56 -0400 -Subject: [PATCH 06/16] SUNRPC: Use gssproxy upcall for server RPCGSS - authentication. - -The main advantge of this new upcall mechanism is that it can handle -big tickets as seen in Kerberos implementations where tickets carry -authorization data like the MS-PAC buffer with AD or the Posix Authorization -Data being discussed in IETF on the krbwg working group. - -The Gssproxy program is used to perform the accept_sec_context call on the -kernel's behalf. The code is changed to also pass the input buffer straight -to upcall mechanism to avoid allocating and copying many pages as tokens can -be as big (potentially more in future) as 64KiB. - -Signed-off-by: Simo Sorce -[bfields: containerization, negotiation api] -Signed-off-by: J. Bruce Fields ---- - Documentation/filesystems/nfs/00-INDEX | 2 + - Documentation/filesystems/nfs/rpc-server-gss.txt | 91 ++++++ - net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 + - net/sunrpc/auth_gss/svcauth_gss.c | 347 ++++++++++++++++++++++- - net/sunrpc/netns.h | 3 + - 5 files changed, 436 insertions(+), 9 deletions(-) - create mode 100644 Documentation/filesystems/nfs/rpc-server-gss.txt - -diff --git a/Documentation/filesystems/nfs/00-INDEX b/Documentation/filesystems/nfs/00-INDEX -index 1716874..66eb6c8 100644 ---- a/Documentation/filesystems/nfs/00-INDEX -+++ b/Documentation/filesystems/nfs/00-INDEX -@@ -20,3 +20,5 @@ rpc-cache.txt - - introduction to the caching mechanisms in the sunrpc layer. - idmapper.txt - - information for configuring request-keys to be used by idmapper -+knfsd-rpcgss.txt -+ - Information on GSS authentication support in the NFS Server -diff --git a/Documentation/filesystems/nfs/rpc-server-gss.txt b/Documentation/filesystems/nfs/rpc-server-gss.txt -new file mode 100644 -index 0000000..716f4be ---- /dev/null -+++ b/Documentation/filesystems/nfs/rpc-server-gss.txt -@@ -0,0 +1,91 @@ -+ -+rpcsec_gss support for kernel RPC servers -+========================================= -+ -+This document gives references to the standards and protocols used to -+implement RPCGSS authentication in kernel RPC servers such as the NFS -+server and the NFS client's NFSv4.0 callback server. (But note that -+NFSv4.1 and higher don't require the client to act as a server for the -+purposes of authentication.) -+ -+RPCGSS is specified in a few IETF documents: -+ - RFC2203 v1: http://tools.ietf.org/rfc/rfc2203.txt -+ - RFC5403 v2: http://tools.ietf.org/rfc/rfc5403.txt -+and there is a 3rd version being proposed: -+ - http://tools.ietf.org/id/draft-williams-rpcsecgssv3.txt -+ (At draft n. 02 at the time of writing) -+ -+Background -+---------- -+ -+The RPCGSS Authentication method describes a way to perform GSSAPI -+Authentication for NFS. Although GSSAPI is itself completely mechanism -+agnostic, in many cases only the KRB5 mechanism is supported by NFS -+implementations. -+ -+The Linux kernel, at the moment, supports only the KRB5 mechanism, and -+depends on GSSAPI extensions that are KRB5 specific. -+ -+GSSAPI is a complex library, and implementing it completely in kernel is -+unwarranted. However GSSAPI operations are fundementally separable in 2 -+parts: -+- initial context establishment -+- integrity/privacy protection (signing and encrypting of individual -+ packets) -+ -+The former is more complex and policy-independent, but less -+performance-sensitive. The latter is simpler and needs to be very fast. -+ -+Therefore, we perform per-packet integrity and privacy protection in the -+kernel, but leave the initial context establishment to userspace. We -+need upcalls to request userspace to perform context establishment. -+ -+NFS Server Legacy Upcall Mechanism -+---------------------------------- -+ -+The classic upcall mechanism uses a custom text based upcall mechanism -+to talk to a custom daemon called rpc.svcgssd that is provide by the -+nfs-utils package. -+ -+This upcall mechanism has 2 limitations: -+ -+A) It can handle tokens that are no bigger than 2KiB -+ -+In some Kerberos deployment GSSAPI tokens can be quite big, up and -+beyond 64KiB in size due to various authorization extensions attacked to -+the Kerberos tickets, that needs to be sent through the GSS layer in -+order to perform context establishment. -+ -+B) It does not properly handle creds where the user is member of more -+than a few housand groups (the current hard limit in the kernel is 65K -+groups) due to limitation on the size of the buffer that can be send -+back to the kernel (4KiB). -+ -+NFS Server New RPC Upcall Mechanism -+----------------------------------- -+ -+The newer upcall mechanism uses RPC over a unix socket to a daemon -+called gss-proxy, implemented by a userspace program called Gssproxy. -+ -+The gss_proxy RPC protocol is currently documented here: -+ -+ https://fedorahosted.org/gss-proxy/wiki/ProtocolDocumentation -+ -+This upcall mechanism uses the kernel rpc client and connects to the gssproxy -+userspace program over a regular unix socket. The gssproxy protocol does not -+suffer from the size limitations of the legacy protocol. -+ -+Negotiating Upcall Mechanisms -+----------------------------- -+ -+To provide backward compatibility, the kernel defaults to using the -+legacy mechanism. To switch to the new mechanism, gss-proxy must bind -+to /var/run/gssproxy.sock and then write "1" to -+/proc/net/rpc/use-gss-proxy. If gss-proxy dies, it must repeat both -+steps. -+ -+Once the upcall mechanism is chosen, it cannot be changed. To prevent -+locking into the legacy mechanisms, the above steps must be performed -+before starting nfsd. Whoever starts nfsd can guarantee this by reading -+from /proc/net/rpc/use-gss-proxy and checking that it contains a -+"1"--the read will block until gss-proxy has done its write to the file. -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -index 2d33ddf..3f874d7 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_upcall.c -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -137,6 +137,7 @@ void init_gssp_clnt(struct sunrpc_net *sn) - { - mutex_init(&sn->gssp_lock); - sn->gssp_clnt = NULL; -+ init_waitqueue_head(&sn->gssp_wq); - } - - int set_gssp_clnt(struct net *net) -@@ -153,6 +154,7 @@ int set_gssp_clnt(struct net *net) - sn->gssp_clnt = clnt; - } - mutex_unlock(&sn->gssp_lock); -+ wake_up(&sn->gssp_wq); - return ret; - } - -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 20eedec..58f5bc3 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -48,8 +48,8 @@ - #include - #include - #include -+#include "gss_rpc_upcall.h" - --#include "../netns.h" - - #ifdef RPC_DEBUG - # define RPCDBG_FACILITY RPCDBG_AUTH -@@ -988,13 +988,10 @@ gss_write_init_verf(struct cache_detail *cd, struct svc_rqst *rqstp, - } - - static inline int --gss_read_verf(struct rpc_gss_wire_cred *gc, -- struct kvec *argv, __be32 *authp, -- struct xdr_netobj *in_handle, -- struct xdr_netobj *in_token) -+gss_read_common_verf(struct rpc_gss_wire_cred *gc, -+ struct kvec *argv, __be32 *authp, -+ struct xdr_netobj *in_handle) - { -- struct xdr_netobj tmpobj; -- - /* Read the verifier; should be NULL: */ - *authp = rpc_autherr_badverf; - if (argv->iov_len < 2 * 4) -@@ -1010,6 +1007,23 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, - if (dup_netobj(in_handle, &gc->gc_ctx)) - return SVC_CLOSE; - *authp = rpc_autherr_badverf; -+ -+ return 0; -+} -+ -+static inline int -+gss_read_verf(struct rpc_gss_wire_cred *gc, -+ struct kvec *argv, __be32 *authp, -+ struct xdr_netobj *in_handle, -+ struct xdr_netobj *in_token) -+{ -+ struct xdr_netobj tmpobj; -+ int res; -+ -+ res = gss_read_common_verf(gc, argv, authp, in_handle); -+ if (res) -+ return res; -+ - if (svc_safe_getnetobj(argv, &tmpobj)) { - kfree(in_handle->data); - return SVC_DENIED; -@@ -1022,6 +1036,40 @@ gss_read_verf(struct rpc_gss_wire_cred *gc, - return 0; - } - -+/* Ok this is really heavily depending on a set of semantics in -+ * how rqstp is set up by svc_recv and pages laid down by the -+ * server when reading a request. We are basically guaranteed that -+ * the token lays all down linearly across a set of pages, starting -+ * at iov_base in rq_arg.head[0] which happens to be the first of a -+ * set of pages stored in rq_pages[]. -+ * rq_arg.head[0].iov_base will provide us the page_base to pass -+ * to the upcall. -+ */ -+static inline int -+gss_read_proxy_verf(struct svc_rqst *rqstp, -+ struct rpc_gss_wire_cred *gc, __be32 *authp, -+ struct xdr_netobj *in_handle, -+ struct gssp_in_token *in_token) -+{ -+ struct kvec *argv = &rqstp->rq_arg.head[0]; -+ u32 inlen; -+ int res; -+ -+ res = gss_read_common_verf(gc, argv, authp, in_handle); -+ if (res) -+ return res; -+ -+ inlen = svc_getnl(argv); -+ if (inlen > (argv->iov_len + rqstp->rq_arg.page_len)) -+ return SVC_DENIED; -+ -+ in_token->pages = rqstp->rq_pages; -+ in_token->page_base = (ulong)argv->iov_base & ~PAGE_MASK; -+ in_token->page_len = inlen; -+ -+ return 0; -+} -+ - static inline int - gss_write_resv(struct kvec *resv, size_t size_limit, - struct xdr_netobj *out_handle, struct xdr_netobj *out_token, -@@ -1049,7 +1097,7 @@ gss_write_resv(struct kvec *resv, size_t size_limit, - * the upcall results are available, write the verifier and result. - * Otherwise, drop the request pending an answer to the upcall. - */ --static int svcauth_gss_handle_init(struct svc_rqst *rqstp, -+static int svcauth_gss_legacy_init(struct svc_rqst *rqstp, - struct rpc_gss_wire_cred *gc, __be32 *authp) - { - struct kvec *argv = &rqstp->rq_arg.head[0]; -@@ -1089,6 +1137,278 @@ out: - return ret; - } - -+static int gss_proxy_save_rsc(struct cache_detail *cd, -+ struct gssp_upcall_data *ud, -+ uint64_t *handle) -+{ -+ struct rsc rsci, *rscp = NULL; -+ static atomic64_t ctxhctr; -+ long long ctxh; -+ struct gss_api_mech *gm = NULL; -+ time_t expiry; -+ int status = -EINVAL; -+ -+ memset(&rsci, 0, sizeof(rsci)); -+ /* context handle */ -+ status = -ENOMEM; -+ /* the handle needs to be just a unique id, -+ * use a static counter */ -+ ctxh = atomic64_inc_return(&ctxhctr); -+ -+ /* make a copy for the caller */ -+ *handle = ctxh; -+ -+ /* make a copy for the rsc cache */ -+ if (dup_to_netobj(&rsci.handle, (char *)handle, sizeof(uint64_t))) -+ goto out; -+ rscp = rsc_lookup(cd, &rsci); -+ if (!rscp) -+ goto out; -+ -+ /* creds */ -+ if (!ud->found_creds) { -+ /* userspace seem buggy, we should always get at least a -+ * mapping to nobody */ -+ dprintk("RPC: No creds found, marking Negative!\n"); -+ set_bit(CACHE_NEGATIVE, &rsci.h.flags); -+ } else { -+ -+ /* steal creds */ -+ rsci.cred = ud->creds; -+ memset(&ud->creds, 0, sizeof(struct svc_cred)); -+ -+ status = -EOPNOTSUPP; -+ /* get mech handle from OID */ -+ gm = gss_mech_get_by_OID(&ud->mech_oid); -+ if (!gm) -+ goto out; -+ -+ status = -EINVAL; -+ /* mech-specific data: */ -+ status = gss_import_sec_context(ud->out_handle.data, -+ ud->out_handle.len, -+ gm, &rsci.mechctx, -+ &expiry, GFP_KERNEL); -+ if (status) -+ goto out; -+ } -+ -+ rsci.h.expiry_time = expiry; -+ rscp = rsc_update(cd, &rsci, rscp); -+ status = 0; -+out: -+ gss_mech_put(gm); -+ rsc_free(&rsci); -+ if (rscp) -+ cache_put(&rscp->h, cd); -+ else -+ status = -ENOMEM; -+ return status; -+} -+ -+static int svcauth_gss_proxy_init(struct svc_rqst *rqstp, -+ struct rpc_gss_wire_cred *gc, __be32 *authp) -+{ -+ struct kvec *resv = &rqstp->rq_res.head[0]; -+ struct xdr_netobj cli_handle; -+ struct gssp_upcall_data ud; -+ uint64_t handle; -+ int status; -+ int ret; -+ struct net *net = rqstp->rq_xprt->xpt_net; -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ -+ memset(&ud, 0, sizeof(ud)); -+ ret = gss_read_proxy_verf(rqstp, gc, authp, -+ &ud.in_handle, &ud.in_token); -+ if (ret) -+ return ret; -+ -+ ret = SVC_CLOSE; -+ -+ /* Perform synchronous upcall to gss-proxy */ -+ status = gssp_accept_sec_context_upcall(net, &ud); -+ if (status) -+ goto out; -+ -+ dprintk("RPC: svcauth_gss: gss major status = %d\n", -+ ud.major_status); -+ -+ switch (ud.major_status) { -+ case GSS_S_CONTINUE_NEEDED: -+ cli_handle = ud.out_handle; -+ break; -+ case GSS_S_COMPLETE: -+ status = gss_proxy_save_rsc(sn->rsc_cache, &ud, &handle); -+ if (status) -+ goto out; -+ cli_handle.data = (u8 *)&handle; -+ cli_handle.len = sizeof(handle); -+ break; -+ default: -+ ret = SVC_CLOSE; -+ goto out; -+ } -+ -+ /* Got an answer to the upcall; use it: */ -+ if (gss_write_init_verf(sn->rsc_cache, rqstp, -+ &cli_handle, &ud.major_status)) -+ goto out; -+ if (gss_write_resv(resv, PAGE_SIZE, -+ &cli_handle, &ud.out_token, -+ ud.major_status, ud.minor_status)) -+ goto out; -+ -+ ret = SVC_COMPLETE; -+out: -+ gssp_free_upcall_data(&ud); -+ return ret; -+} -+ -+DEFINE_SPINLOCK(use_gssp_lock); -+ -+static bool use_gss_proxy(struct net *net) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ -+ if (sn->use_gss_proxy != -1) -+ return sn->use_gss_proxy; -+ spin_lock(&use_gssp_lock); -+ /* -+ * If you wanted gss-proxy, you should have said so before -+ * starting to accept requests: -+ */ -+ sn->use_gss_proxy = 0; -+ spin_unlock(&use_gssp_lock); -+ return 0; -+} -+ -+static bool set_gss_proxy(struct net *net, int type) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ int ret = 0; -+ -+ WARN_ON_ONCE(type != 0 && type != 1); -+ spin_lock(&use_gssp_lock); -+ if (sn->use_gss_proxy == -1 || sn->use_gss_proxy == type) -+ sn->use_gss_proxy = type; -+ else -+ ret = -EBUSY; -+ spin_unlock(&use_gssp_lock); -+ wake_up(&sn->gssp_wq); -+ return ret; -+} -+ -+static inline bool gssp_ready(struct sunrpc_net *sn) -+{ -+ switch (sn->use_gss_proxy) { -+ case -1: -+ return false; -+ case 0: -+ return true; -+ case 1: -+ return sn->gssp_clnt; -+ } -+ WARN_ON_ONCE(1); -+ return false; -+} -+ -+static int wait_for_gss_proxy(struct net *net) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ -+ return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); -+} -+ -+#ifdef CONFIG_PROC_FS -+ -+static ssize_t write_gssp(struct file *file, const char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ struct net *net = PDE(file->f_path.dentry->d_inode)->data; -+ char tbuf[20]; -+ unsigned long i; -+ int res; -+ -+ if (*ppos || count > sizeof(tbuf)-1) -+ return -EINVAL; -+ if (copy_from_user(tbuf, buf, count)) -+ return -EFAULT; -+ -+ tbuf[count] = 0; -+ res = kstrtoul(tbuf, 0, &i); -+ if (res) -+ return res; -+ if (i != 1) -+ return -EINVAL; -+ res = set_gss_proxy(net, 1); -+ if (res) -+ return res; -+ res = set_gssp_clnt(net); -+ if (res) -+ return res; -+ return count; -+} -+ -+static ssize_t read_gssp(struct file *file, char __user *buf, -+ size_t count, loff_t *ppos) -+{ -+ struct net *net = PDE(file->f_path.dentry->d_inode)->data; -+ unsigned long p = *ppos; -+ char tbuf[10]; -+ size_t len; -+ int ret; -+ -+ ret = wait_for_gss_proxy(net); -+ if (ret) -+ return ret; -+ -+ snprintf(tbuf, sizeof(tbuf), "%d\n", use_gss_proxy(net)); -+ len = strlen(tbuf); -+ if (p >= len) -+ return 0; -+ len -= p; -+ if (len > count) -+ len = count; -+ if (copy_to_user(buf, (void *)(tbuf+p), len)) -+ return -EFAULT; -+ *ppos += len; -+ return len; -+} -+ -+static const struct file_operations use_gss_proxy_ops = { -+ .open = nonseekable_open, -+ .write = write_gssp, -+ .read = read_gssp, -+}; -+ -+static int create_use_gss_proxy_proc_entry(struct net *net) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ struct proc_dir_entry **p = &sn->use_gssp_proc; -+ -+ sn->use_gss_proxy = -1; -+ *p = proc_create_data("use-gss-proxy", S_IFREG|S_IRUSR|S_IWUSR, -+ sn->proc_net_rpc, -+ &use_gss_proxy_ops, net); -+ if (!*p) -+ return -ENOMEM; -+ init_gssp_clnt(sn); -+ return 0; -+} -+ -+static void destroy_use_gss_proxy_proc_entry(struct net *net) -+{ -+ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -+ -+ if (sn->use_gssp_proc) { -+ remove_proc_entry("use-gss-proxy", sn->proc_net_rpc); -+ clear_gssp_clnt(sn); -+ } -+} -+ -+#endif /* CONFIG_PROC_FS */ -+ - /* - * Accept an rpcsec packet. - * If context establishment, punt to user space -@@ -1155,7 +1475,10 @@ svcauth_gss_accept(struct svc_rqst *rqstp, __be32 *authp) - switch (gc->gc_proc) { - case RPC_GSS_PROC_INIT: - case RPC_GSS_PROC_CONTINUE_INIT: -- return svcauth_gss_handle_init(rqstp, gc, authp); -+ if (use_gss_proxy(SVC_NET(rqstp))) -+ return svcauth_gss_proxy_init(rqstp, gc, authp); -+ else -+ return svcauth_gss_legacy_init(rqstp, gc, authp); - case RPC_GSS_PROC_DATA: - case RPC_GSS_PROC_DESTROY: - /* Look up the context, and check the verifier: */ -@@ -1530,7 +1853,12 @@ gss_svc_init_net(struct net *net) - rv = rsi_cache_create_net(net); - if (rv) - goto out1; -+ rv = create_use_gss_proxy_proc_entry(net); -+ if (rv) -+ goto out2; - return 0; -+out2: -+ destroy_use_gss_proxy_proc_entry(net); - out1: - rsc_cache_destroy_net(net); - return rv; -@@ -1539,6 +1867,7 @@ out1: - void - gss_svc_shutdown_net(struct net *net) - { -+ destroy_use_gss_proxy_proc_entry(net); - rsi_cache_destroy_net(net); - rsc_cache_destroy_net(net); - } -diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h -index e9f8895..7111a4c 100644 ---- a/net/sunrpc/netns.h -+++ b/net/sunrpc/netns.h -@@ -25,7 +25,10 @@ struct sunrpc_net { - unsigned int rpcb_users; - - struct mutex gssp_lock; -+ wait_queue_head_t gssp_wq; - struct rpc_clnt *gssp_clnt; -+ int use_gss_proxy; -+ struct proc_dir_entry *use_gssp_proc; - }; - - extern int sunrpc_net_id; --- -1.8.1.4 - - -From 06404241b88b51c50427b833268d7cad7dec30f5 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Mon, 29 Apr 2013 17:03:31 -0400 -Subject: [PATCH 07/16] SUNRPC: define - {create,destroy}_use_gss_proxy_proc_entry in !PROC case - -Though I wonder whether we should really just depend on CONFIG_PROC_FS -at some point. - -Reported-by: kbuild test robot ---- - net/sunrpc/auth_gss/svcauth_gss.c | 11 ++++++++++- - 1 file changed, 10 insertions(+), 1 deletion(-) - -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 58f5bc3..71446b6 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -1283,6 +1283,8 @@ static bool use_gss_proxy(struct net *net) - return 0; - } - -+#ifdef CONFIG_PROC_FS -+ - static bool set_gss_proxy(struct net *net, int type) - { - struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); -@@ -1320,7 +1322,6 @@ static int wait_for_gss_proxy(struct net *net) - return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); - } - --#ifdef CONFIG_PROC_FS - - static ssize_t write_gssp(struct file *file, const char __user *buf, - size_t count, loff_t *ppos) -@@ -1406,6 +1407,14 @@ static void destroy_use_gss_proxy_proc_entry(struct net *net) - clear_gssp_clnt(sn); - } - } -+#else /* CONFIG_PROC_FS */ -+ -+static int create_use_gss_proxy_proc_entry(struct net *net) -+{ -+ return 0; -+} -+ -+static void destroy_use_gss_proxy_proc_entry(struct net *net) {} - - #endif /* CONFIG_PROC_FS */ - --- -1.8.1.4 - - -From 3cc961ce9784f0b4a9cb21217dd4a8403efc220d Mon Sep 17 00:00:00 2001 -From: Fengguang Wu -Date: Mon, 29 Apr 2013 17:19:48 -0400 -Subject: [PATCH 08/16] SUNRPC: gssp_procedures[] can be static - -Cc: Simo Sorce -Signed-off-by: Fengguang Wu ---- - net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -index 3f874d7..98818d6 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_upcall.c -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -63,7 +63,7 @@ enum { - .p_name = #proc, \ - } - --struct rpc_procinfo gssp_procedures[] = { -+static struct rpc_procinfo gssp_procedures[] = { - PROC(INDICATE_MECHS, indicate_mechs), - PROC(GET_CALL_CONTEXT, get_call_context), - PROC(IMPORT_AND_CANON_NAME, import_and_canon_name), --- -1.8.1.4 - - -From d6afcafd515bbf16e39817170cd212a7debd8959 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Mon, 29 Apr 2013 18:21:29 -0400 -Subject: [PATCH 09/16] svcrpc: fix gss-proxy to respect user namespaces - -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 20 +++++++++++++------- - 1 file changed, 13 insertions(+), 7 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index d0ccdff..5c4c61d 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -216,13 +216,13 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - err = get_s32(&q, end, &tmp); - if (err) - return err; -- creds->cr_uid = tmp; -+ creds->cr_uid = make_kuid(&init_user_ns, tmp); - - /* gid */ - err = get_s32(&q, end, &tmp); - if (err) - return err; -- creds->cr_gid = tmp; -+ creds->cr_gid = make_kgid(&init_user_ns, tmp); - - /* number of additional gid's */ - err = get_s32(&q, end, &tmp); -@@ -235,15 +235,21 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - - /* gid's */ - for (i = 0; i < N; i++) { -+ kgid_t kgid; - err = get_s32(&q, end, &tmp); -- if (err) { -- groups_free(creds->cr_group_info); -- return err; -- } -- GROUP_AT(creds->cr_group_info, i) = tmp; -+ if (err) -+ goto out_free_groups; -+ err = -EINVAL; -+ kgid = make_kgid(&init_user_ns, tmp); -+ if (!gid_valid(kgid)) -+ goto out_free_groups; -+ GROUP_AT(creds->cr_group_info, i) = kgid; - } - - return 0; -+out_free_groups: -+ groups_free(creds->cr_group_info); -+ return err; - } - - static int gssx_dec_option_array(struct xdr_stream *xdr, --- -1.8.1.4 - - -From e4f7a037aa575bdbe6d1e42e58283cb4d663b000 Mon Sep 17 00:00:00 2001 -From: Geert Uytterhoeven -Date: Mon, 6 May 2013 09:21:03 +0200 -Subject: [PATCH 10/16] SUNRPC: Refactor gssx_dec_option_array() to kill - uninitialized warning -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -net/sunrpc/auth_gss/gss_rpc_xdr.c: In function ‘gssx_dec_option_array’: -net/sunrpc/auth_gss/gss_rpc_xdr.c:258: warning: ‘creds’ may be used uninitialized in this function - -Return early if count is zero, to make it clearer to the compiler (and the -casual reviewer) that no more processing is done. - -Signed-off-by: Geert Uytterhoeven -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 32 +++++++++++++++++--------------- - 1 file changed, 17 insertions(+), 15 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index 5c4c61d..a1e1b1a 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -264,25 +264,27 @@ static int gssx_dec_option_array(struct xdr_stream *xdr, - if (unlikely(p == NULL)) - return -ENOSPC; - count = be32_to_cpup(p++); -- if (count != 0) { -- /* we recognize only 1 currently: CREDS_VALUE */ -- oa->count = 1; -+ if (!count) -+ return 0; - -- oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); -- if (!oa->data) -- return -ENOMEM; -+ /* we recognize only 1 currently: CREDS_VALUE */ -+ oa->count = 1; - -- creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); -- if (!creds) { -- kfree(oa->data); -- return -ENOMEM; -- } -+ oa->data = kmalloc(sizeof(struct gssx_option), GFP_KERNEL); -+ if (!oa->data) -+ return -ENOMEM; - -- oa->data[0].option.data = CREDS_VALUE; -- oa->data[0].option.len = sizeof(CREDS_VALUE); -- oa->data[0].value.data = (void *)creds; -- oa->data[0].value.len = 0; -+ creds = kmalloc(sizeof(struct svc_cred), GFP_KERNEL); -+ if (!creds) { -+ kfree(oa->data); -+ return -ENOMEM; - } -+ -+ oa->data[0].option.data = CREDS_VALUE; -+ oa->data[0].option.len = sizeof(CREDS_VALUE); -+ oa->data[0].value.data = (void *)creds; -+ oa->data[0].value.len = 0; -+ - for (i = 0; i < count; i++) { - gssx_buffer dummy = { 0, NULL }; - u32 length; --- -1.8.1.4 - - -From f174f54afb853cd818e2121a0b5dc66012a4a3eb Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Tue, 7 May 2013 17:45:20 -0400 -Subject: [PATCH 11/16] SUNRPC: fix decoding of optional gss-proxy xdr fields - -The current code works, but sort of by accident: it obviously didn't -intend the error return to be interpreted as "true". - -Reported-by: Dan Carpenter -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 26 +++++++++++++------------- - 1 file changed, 13 insertions(+), 13 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index a1e1b1a..357f613 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -21,16 +21,6 @@ - #include - #include "gss_rpc_xdr.h" - --static bool gssx_check_pointer(struct xdr_stream *xdr) --{ -- __be32 *p; -- -- p = xdr_reserve_space(xdr, 4); -- if (unlikely(p == NULL)) -- return -ENOSPC; -- return *p?true:false; --} -- - static int gssx_enc_bool(struct xdr_stream *xdr, int v) - { - __be32 *p; -@@ -802,6 +792,7 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, - struct xdr_stream *xdr, - struct gssx_res_accept_sec_context *res) - { -+ u32 value_follows; - int err; - - /* res->status */ -@@ -810,7 +801,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, - return err; - - /* res->context_handle */ -- if (gssx_check_pointer(xdr)) { -+ err = gssx_dec_bool(xdr, &value_follows); -+ if (err) -+ return err; -+ if (value_follows) { - err = gssx_dec_ctx(xdr, res->context_handle); - if (err) - return err; -@@ -819,7 +813,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, - } - - /* res->output_token */ -- if (gssx_check_pointer(xdr)) { -+ err = gssx_dec_bool(xdr, &value_follows); -+ if (err) -+ return err; -+ if (value_follows) { - err = gssx_dec_buffer(xdr, res->output_token); - if (err) - return err; -@@ -828,7 +825,10 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, - } - - /* res->delegated_cred_handle */ -- if (gssx_check_pointer(xdr)) { -+ err = gssx_dec_bool(xdr, &value_follows); -+ if (err) -+ return err; -+ if (value_follows) { - /* we do not support upcall servers sending this data. */ - return -EINVAL; - } --- -1.8.1.4 - - -From 653ba539c4d845b004c7d29416c9083cb74f8270 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Sat, 11 May 2013 19:13:49 +0300 -Subject: [PATCH 12/16] svcauth_gss: fix error code in use_gss_proxy() - -This should return zero on success and -EBUSY on error so the type -needs to be int instead of bool. - -Signed-off-by: Dan Carpenter -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/svcauth_gss.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 71446b6..141902e 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -1285,7 +1285,7 @@ static bool use_gss_proxy(struct net *net) - - #ifdef CONFIG_PROC_FS - --static bool set_gss_proxy(struct net *net, int type) -+static int set_gss_proxy(struct net *net, int type) - { - struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); - int ret = 0; --- -1.8.1.4 - - -From 66a26c8c42ebbdfb7dbf297b3d7f404f0dc86ed8 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Fri, 24 May 2013 09:47:49 -0400 -Subject: [PATCH 13/16] svcrpc: implement O_NONBLOCK behavior for use-gss-proxy - -Somebody noticed LTP was complaining about O_NONBLOCK opens of -/proc/net/rpc/use-gss-proxy succeeding and then a following read -hanging. - -I'm not convinced LTP really has any business opening random proc files -and expecting them to behave a certain way. Maybe this isn't really a -bug. - -But in any case the O_NONBLOCK behavior could be useful for someone that -wants to test whether gss-proxy is up without waiting. - -Reported-by: Jan Stancek -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/svcauth_gss.c | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/net/sunrpc/auth_gss/svcauth_gss.c b/net/sunrpc/auth_gss/svcauth_gss.c -index 141902e..a7d4dfa 100644 ---- a/net/sunrpc/auth_gss/svcauth_gss.c -+++ b/net/sunrpc/auth_gss/svcauth_gss.c -@@ -1315,10 +1315,12 @@ static inline bool gssp_ready(struct sunrpc_net *sn) - return false; - } - --static int wait_for_gss_proxy(struct net *net) -+static int wait_for_gss_proxy(struct net *net, struct file *file) - { - struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); - -+ if (file->f_flags & O_NONBLOCK && !gssp_ready(sn)) -+ return -EAGAIN; - return wait_event_interruptible(sn->gssp_wq, gssp_ready(sn)); - } - -@@ -1360,7 +1362,7 @@ static ssize_t read_gssp(struct file *file, char __user *buf, - size_t len; - int ret; - -- ret = wait_for_gss_proxy(net); -+ ret = wait_for_gss_proxy(net, file); - if (ret) - return ret; - --- -1.8.1.4 - - -From 30e8ac5e689fb6de9d27eeeca080fa46ed59c856 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Mon, 10 Jun 2013 16:06:44 -0400 -Subject: [PATCH 14/16] svcrpc: fix gss_rpc_upcall create error - -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_upcall.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -index 98818d6..aed11b7 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_upcall.c -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -120,7 +120,7 @@ static int gssp_rpc_create(struct net *net, struct rpc_clnt **_clnt) - if (IS_ERR(clnt)) { - dprintk("RPC: failed to create AF_LOCAL gssproxy " - "client (errno %ld).\n", PTR_ERR(clnt)); -- result = -PTR_ERR(clnt); -+ result = PTR_ERR(clnt); - *_clnt = NULL; - goto out; - } --- -1.8.1.4 - - -From aca1b52cdbef080ed3963810d2f41baeb746b8b2 Mon Sep 17 00:00:00 2001 -From: "J. Bruce Fields" -Date: Fri, 7 Jun 2013 10:11:19 -0400 -Subject: [PATCH 15/16] svcrpc: fix gss-proxy xdr decoding oops - -Uninitialized stack data was being used as the destination for memcpy's. - -Longer term we'll just delete some of this code; all we're doing is -skipping over xdr that we don't care about. - -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index 357f613..3c85d1c 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -430,7 +430,7 @@ static int dummy_enc_nameattr_array(struct xdr_stream *xdr, - static int dummy_dec_nameattr_array(struct xdr_stream *xdr, - struct gssx_name_attr_array *naa) - { -- struct gssx_name_attr dummy; -+ struct gssx_name_attr dummy = { .attr = {.len = 0} }; - u32 count, i; - __be32 *p; - -@@ -493,12 +493,13 @@ static int gssx_enc_name(struct xdr_stream *xdr, - return err; - } - -+ - static int gssx_dec_name(struct xdr_stream *xdr, - struct gssx_name *name) - { -- struct xdr_netobj dummy_netobj; -- struct gssx_name_attr_array dummy_name_attr_array; -- struct gssx_option_array dummy_option_array; -+ struct xdr_netobj dummy_netobj = { .len = 0 }; -+ struct gssx_name_attr_array dummy_name_attr_array = { .count = 0 }; -+ struct gssx_option_array dummy_option_array = { .count = 0 }; - int err; - - /* name->display_name */ --- -1.8.1.4 - - -From 127f9cd74d532b5189b767e803eaaf6d0c5015bf Mon Sep 17 00:00:00 2001 -From: Chuck Lever -Date: Sat, 16 Mar 2013 15:54:52 -0400 -Subject: [PATCH 16/16] SUNRPC: Load GSS kernel module by OID - -The current GSS mech switch can find and load GSS pseudoflavor -modules by name ("krb5") or pseudoflavor number ("390003"), but -cannot find GSS modules by GSS tuple: - - [ "1.2.840.113554.1.2.2", GSS_C_QOP_DEFAULT, RPC_GSS_SVC_NONE ] - -This is important when dealing with a SECINFO request. A SECINFO -reply contains a list of flavors the server supports for the -requested export, but GSS flavors also have a GSS tuple that maps -to a pseudoflavor (like 390003 for krb5). - -If the GSS module that supports the OID in the tuple is not loaded, -our client is not able to load that module dynamically to support -that pseudoflavor. - -Add a way for the GSS mech switch to load GSS pseudoflavor support -by OID before searching for the pseudoflavor that matches the OID -and service. - -Signed-off-by: Chuck Lever -Cc: David Howells -Signed-off-by: Trond Myklebust ---- - net/sunrpc/Kconfig | 1 + - net/sunrpc/auth_gss/gss_krb5_mech.c | 1 + - net/sunrpc/auth_gss/gss_mech_switch.c | 7 +++++++ - 3 files changed, 9 insertions(+) - -diff --git a/net/sunrpc/Kconfig b/net/sunrpc/Kconfig -index 516fe2c..804f4f6 100644 ---- a/net/sunrpc/Kconfig -+++ b/net/sunrpc/Kconfig -@@ -3,6 +3,7 @@ config SUNRPC - - config SUNRPC_GSS - tristate -+ select OID_REGISTRY - - config SUNRPC_BACKCHANNEL - bool -diff --git a/net/sunrpc/auth_gss/gss_krb5_mech.c b/net/sunrpc/auth_gss/gss_krb5_mech.c -index 3bc4a23..69be03f 100644 ---- a/net/sunrpc/auth_gss/gss_krb5_mech.c -+++ b/net/sunrpc/auth_gss/gss_krb5_mech.c -@@ -753,6 +753,7 @@ MODULE_ALIAS("rpc-auth-gss-krb5p"); - MODULE_ALIAS("rpc-auth-gss-390003"); - MODULE_ALIAS("rpc-auth-gss-390004"); - MODULE_ALIAS("rpc-auth-gss-390005"); -+MODULE_ALIAS("rpc-auth-gss-1.2.840.113554.1.2.2"); - - static struct gss_api_mech gss_kerberos_mech = { - .gm_name = "krb5", -diff --git a/net/sunrpc/auth_gss/gss_mech_switch.c b/net/sunrpc/auth_gss/gss_mech_switch.c -index 43fd5bb..f921647 100644 ---- a/net/sunrpc/auth_gss/gss_mech_switch.c -+++ b/net/sunrpc/auth_gss/gss_mech_switch.c -@@ -36,6 +36,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -175,6 +176,12 @@ struct gss_api_mech * - gss_mech_get_by_OID(struct xdr_netobj *obj) - { - struct gss_api_mech *pos, *gm = NULL; -+ char buf[32]; -+ -+ if (sprint_oid(obj->data, obj->len, buf, sizeof(buf)) < 0) -+ return NULL; -+ dprintk("RPC: %s(%s)\n", __func__, buf); -+ request_module("rpc-auth-gss-%s", buf); - - spin_lock(®istered_mechs_lock); - list_for_each_entry(pos, ®istered_mechs, gm_list) { --- -1.8.1.4 - diff --git a/kernel.spec b/kernel.spec index cc69c324d..e186c172a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -718,10 +718,6 @@ Patch21242: criu-no-expert.patch #rhbz 892811 Patch21247: ath9k_rx_dma_stop_check.patch -#rhbz 856863 892599 -Patch21273: cfg80211-mac80211-disconnect-on-suspend.patch -Patch21274: mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch - Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch @@ -734,9 +730,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -# Needed for F19 gssproxy feature -Patch25030: gssproxy-backport.patch - #CVE-2013-2140 rhbz 971146 971148 Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch @@ -773,9 +766,6 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch -#CVE-2013-1059 rhbz 977356 980341 -Patch25059: ceph-fix.patch - #rhbz 976789 980643 Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch @@ -1460,19 +1450,12 @@ ApplyPatch criu-no-expert.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 856863 892599 -#ApplyPatch cfg80211-mac80211-disconnect-on-suspend.patch -#ApplyPatch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch - #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -# Needed for F19 gssproxy feature -#ApplyPatch gssproxy-backport.patch - #CVE-2013-2140 rhbz 971146 971148 ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch @@ -1508,11 +1491,8 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch -#CVE-2013-1059 rhbz 977356 980341 -#ApplyPatch ceph-fix.patch - #rhbz 976789 980643 -#ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch +ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch @@ -2357,14 +2337,11 @@ fi tulip-dma-debug-error.patch af_key-fix-info-leaks-in-notify-messages.patch ipv6-ip6_sk_dst_check-must-not-assume-ipv6-dst.patch - needs fixing: arm-tegra-fixclk.patch cfg80211-mac80211-disconnect-on-suspend.patch mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch gssproxy-backport.patch ceph-fix.patch - vhost-net-fix-use-after-free-in-vhost_net_flush.patch - ARM currently disabled, requires config changes. (See line 1558) * Fri Jul 12 2013 Dave Jones - 3.9.9-304 - Disable LATENCYTOP/SCHEDSTATS in non-debug builds. diff --git a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch b/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch deleted file mode 100644 index 7d49d9834..000000000 --- a/mac80211_fixes_for_ieee80211_do_stop_while_suspend_v3.9.patch +++ /dev/null @@ -1,73 +0,0 @@ -diff --git a/net/mac80211/iface.c b/net/mac80211/iface.c -index baaa860..7a3d675 100644 ---- a/net/mac80211/iface.c -+++ b/net/mac80211/iface.c -@@ -748,8 +748,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, - sdata->dev->addr_len); - spin_unlock_bh(&local->filter_lock); - netif_addr_unlock_bh(sdata->dev); -- -- ieee80211_configure_filter(local); -+ /* configure filter latter (if not suspended) */ - } - - del_timer_sync(&local->dynamic_ps_timer); -@@ -814,10 +813,7 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, - } - - ieee80211_adjust_monitor_flags(sdata, -1); -- ieee80211_configure_filter(local); -- mutex_lock(&local->mtx); -- ieee80211_recalc_idle(local); -- mutex_unlock(&local->mtx); -+ /* tell driver latter (if not suspended) */ - break; - case NL80211_IFTYPE_P2P_DEVICE: - /* relies on synchronize_rcu() below */ -@@ -848,28 +844,31 @@ static void ieee80211_do_stop(struct ieee80211_sub_if_data *sdata, - - drv_remove_interface_debugfs(local, sdata); - -- if (going_down) -+ if (going_down && !local->suspended) - drv_remove_interface(local, sdata); - } - - sdata->bss = NULL; - -- ieee80211_recalc_ps(local, -1); -- -- if (local->open_count == 0) { -- if (local->ops->napi_poll) -- napi_disable(&local->napi); -- ieee80211_clear_tx_pending(local); -- ieee80211_stop_device(local); -- -- /* no reconfiguring after stop! */ -- hw_reconf_flags = 0; -+ if (!local->suspended) { -+ if (local->open_count == 0) { -+ if (local->ops->napi_poll) -+ napi_disable(&local->napi); -+ ieee80211_clear_tx_pending(local); -+ ieee80211_stop_device(local); -+ } else { -+ ieee80211_configure_filter(local); -+ ieee80211_recalc_ps(local, -1); -+ -+ mutex_lock(&local->mtx); -+ ieee80211_recalc_idle(local); -+ mutex_unlock(&local->mtx); -+ -+ if (hw_reconf_flags) -+ ieee80211_hw_config(local, hw_reconf_flags); -+ } - } - -- /* do after stop to avoid reconfiguring when we stop anyway */ -- if (hw_reconf_flags) -- ieee80211_hw_config(local, hw_reconf_flags); -- - spin_lock_irqsave(&local->queue_stop_reason_lock, flags); - for (i = 0; i < IEEE80211_MAX_QUEUES; i++) { - skb_queue_walk_safe(&local->pending[i], skb, tmp) { diff --git a/vhost-net-fix-use-after-free-in-vhost_net_flush.patch b/vhost-net-fix-use-after-free-in-vhost_net_flush.patch index f9a6a7b9f..aca70f0d4 100644 --- a/vhost-net-fix-use-after-free-in-vhost_net_flush.patch +++ b/vhost-net-fix-use-after-free-in-vhost_net_flush.patch @@ -1,76 +1,54 @@ -From 0c9d7f6ea817d5328a09a78e901b16e1836ca4d7 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 25 Jun 2013 17:29:46 +0300 -Subject: [PATCH] vhost-net: fix use-after-free in vhost_net_flush +commit c38e39c378f46f00ce922dd40a91043a9925c28d +Author: Michael S. Tsirkin +Date: Tue Jun 25 17:29:46 2013 +0300 -vhost_net_ubuf_put_and_wait has a confusing name: -it will actually also free it's argument. -Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 - "vhost-net: flush outstanding DMAs on memory change" -vhost_net_flush tries to use the argument after passing it -to vhost_net_ubuf_put_and_wait, this results -in use after free. -To fix, don't free the argument in vhost_net_ubuf_put_and_wait, -add an new API for callers that want to free ubufs. - -Acked-by: Asias He -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin ---- - drivers/vhost/net.c | 4 ++-- - drivers/vhost/vhost.c | 5 +++++ - drivers/vhost/vhost.h | 1 + - 3 files changed, 8 insertions(+), 2 deletions(-) + vhost-net: fix use-after-free in vhost_net_flush + + vhost_net_ubuf_put_and_wait has a confusing name: + it will actually also free it's argument. + Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" + vhost_net_flush tries to use the argument after passing it + to vhost_net_ubuf_put_and_wait, this results + in use after free. + To fix, don't free the argument in vhost_net_ubuf_put_and_wait, + add an new API for callers that want to free ubufs. + + Acked-by: Asias He + Acked-by: Jason Wang + Signed-off-by: Michael S. Tsirkin diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index dfff647..d8d4f57 100644 +index f80d3dd..8ca5ac7 100644 --- a/drivers/vhost/net.c +++ b/drivers/vhost/net.c -@@ -857,7 +857,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) - mutex_unlock(&vq->mutex); - - if (oldubufs) { -- vhost_ubuf_put_and_wait(oldubufs); -+ vhost_ubuf_put_wait_and_free(oldubufs); - mutex_lock(&vq->mutex); - vhost_zerocopy_signal_used(n, vq); - mutex_unlock(&vq->mutex); -@@ -875,7 +875,7 @@ err_used: - rcu_assign_pointer(vq->private_data, oldsock); - vhost_net_enable_vq(n, vq); - if (ubufs) -- vhost_ubuf_put_and_wait(ubufs); -+ vhost_ubuf_put_wait_and_free(ubufs); - err_ubufs: - fput(sock->file); - err_vq: -diff --git a/drivers/vhost/vhost.c b/drivers/vhost/vhost.c -index 9759249..ff53c9e 100644 ---- a/drivers/vhost/vhost.c -+++ b/drivers/vhost/vhost.c -@@ -1581,5 +1581,10 @@ void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *ubufs) +@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) { - kref_put(&ubufs->kref, vhost_zerocopy_done_signal); + kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal); wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); +} + -+void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *ubufs) ++static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) +{ -+ vhost_ubuf_put_and_wait(ubufs); ++ vhost_net_ubuf_put_and_wait(ubufs); kfree(ubufs); } -diff --git a/drivers/vhost/vhost.h b/drivers/vhost/vhost.h -index 17261e2..dd63b35 100644 ---- a/drivers/vhost/vhost.h -+++ b/drivers/vhost/vhost.h -@@ -63,6 +63,7 @@ struct vhost_ubuf_ref { - struct vhost_ubuf_ref *vhost_ubuf_alloc(struct vhost_virtqueue *, bool zcopy); - void vhost_ubuf_put(struct vhost_ubuf_ref *); - void vhost_ubuf_put_and_wait(struct vhost_ubuf_ref *); -+void vhost_ubuf_put_wait_and_free(struct vhost_ubuf_ref *); - struct ubuf_info; +@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + mutex_unlock(&vq->mutex); --- -1.8.2.1 - + if (oldubufs) { +- vhost_net_ubuf_put_and_wait(oldubufs); ++ vhost_net_ubuf_put_wait_and_free(oldubufs); + mutex_lock(&vq->mutex); + vhost_zerocopy_signal_used(n, vq); + mutex_unlock(&vq->mutex); +@@ -966,7 +971,7 @@ err_used: + rcu_assign_pointer(vq->private_data, oldsock); + vhost_net_enable_vq(n, vq); + if (ubufs) +- vhost_net_ubuf_put_and_wait(ubufs); ++ vhost_net_ubuf_put_wait_and_free(ubufs); + err_ubufs: + fput(sock->file); + err_vq: From 62d0f1f3e3bf909ad94df76e86cb8d8fed212cd4 Mon Sep 17 00:00:00 2001 From: Dave Jones Date: Fri, 19 Jul 2013 12:28:05 -0400 Subject: [PATCH 165/468] CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664) --- cve-2013-4125.patch | 79 +++++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 7 ++++ 2 files changed, 86 insertions(+) create mode 100644 cve-2013-4125.patch diff --git a/cve-2013-4125.patch b/cve-2013-4125.patch new file mode 100644 index 000000000..25b7eca42 --- /dev/null +++ b/cve-2013-4125.patch @@ -0,0 +1,79 @@ +From 307f2fb95e9b96b3577916e73d92e104f8f26494 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 12 Jul 2013 21:46:33 +0000 +Subject: ipv6: only static routes qualify for equal cost multipathing + +Static routes in this case are non-expiring routes which did not get +configured by autoconf or by icmpv6 redirects. + +To make sure we actually get an ecmp route while searching for the first +one in this fib6_node's leafs, also make sure it matches the ecmp route +assumptions. + +v2: +a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + +v3: +a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + +Cc: Nicolas Dichtel +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 192dd1a..5fc9c7a 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -632,6 +632,12 @@ insert_above: + return ln; + } + ++static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt) ++{ ++ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) == ++ RTF_GATEWAY; ++} ++ + /* + * Insert routing information in a node. + */ +@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + int add = (!info->nlh || + (info->nlh->nlmsg_flags & NLM_F_CREATE)); + int found = 0; ++ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt); + + ins = &fn->leaf; + +@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + * To avoid long list, we only had siblings if the + * route have a gateway. + */ +- if (rt->rt6i_flags & RTF_GATEWAY && +- !(rt->rt6i_flags & RTF_EXPIRES) && +- !(iter->rt6i_flags & RTF_EXPIRES)) ++ if (rt_can_ecmp && ++ rt6_qualify_for_ecmp(iter)) + rt->rt6i_nsiblings++; + } + +@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + /* Find the first route that have the same metric */ + sibling = fn->leaf; + while (sibling) { +- if (sibling->rt6i_metric == rt->rt6i_metric) { ++ if (sibling->rt6i_metric == rt->rt6i_metric && ++ rt6_qualify_for_ecmp(sibling)) { + list_add_tail(&rt->rt6i_siblings, + &sibling->rt6i_siblings); + break; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index e186c172a..a9a1baa7f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -778,6 +778,8 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 976837 Patch25065: fix-ext4-overflows.patch +Patch26000: cve-2013-4125.patch + # END OF PATCH DEFINITIONS %endif @@ -1503,6 +1505,8 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 976837 ApplyPatch fix-ext4-overflows.patch +ApplyPatch cve-2013-4125.patch + # END OF PATCH APPLICATIONS %endif @@ -2311,6 +2315,9 @@ fi # and build. %changelog +* Fri Jul 19 2013 Dave Jones +- CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664) + * Wed Jul 17 2013 Peter Robinson - Re-enable ARM - Drop tegra subkernel as it's now multi-platform From bab409e09b2c4d87f92f6af7ec305e57ef578a25 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 22 Jul 2013 12:33:25 -0500 Subject: [PATCH 166/468] Linux v3.10.2 --- fix-ext4-overflows.patch | 207 ------------------ ...ifi-pcie-fix-race-in-queue-unmapping.patch | 56 ----- ...queue-if-stopped-when-being-unmapped.patch | 35 --- kernel.spec | 19 +- sources | 1 + 5 files changed, 6 insertions(+), 312 deletions(-) delete mode 100644 fix-ext4-overflows.patch delete mode 100644 iwlwifi-pcie-fix-race-in-queue-unmapping.patch delete mode 100644 iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch diff --git a/fix-ext4-overflows.patch b/fix-ext4-overflows.patch deleted file mode 100644 index f2a08ebc8..000000000 --- a/fix-ext4-overflows.patch +++ /dev/null @@ -1,207 +0,0 @@ -From 93f6b57df5d9dd8c0327cebc01f6c00dbcd6d2ff Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:33:42 -0400 -Subject: [PATCH 1/4] ext4: fix data offset overflow on 32-bit archs in - ext4_inline_data_fiemap() - -On 32-bit archs when sector_t is defined as 32-bit the logic computing -data offset in ext4_inline_data_fiemap(). Fix that by properly typing -the shifted value. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inline.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/fs/ext4/inline.c b/fs/ext4/inline.c -index c0fd1a1..c46a01e 100644 ---- a/fs/ext4/inline.c -+++ b/fs/ext4/inline.c -@@ -1702,7 +1702,7 @@ int ext4_inline_data_fiemap(struct inode *inode, - if (error) - goto out; - -- physical = iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; -+ physical = (__u64)iloc.bh->b_blocknr << inode->i_sb->s_blocksize_bits; - physical += (char *)ext4_raw_inode(&iloc) - iloc.bh->b_data; - physical += offsetof(struct ext4_inode, i_block); - length = i_size_read(inode); --- -1.8.3.1 - - -From 4d2cedb535bae3ada76a335540657e948f99d9c0 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:37:56 -0400 -Subject: [PATCH 2/4] ext4: fix overflows in SEEK_HOLE, SEEK_DATA - implementations - -ext4_lblk_t is just u32 so multiplying it by blocksize can easily -overflow for files larger than 4 GB. Fix that by properly typing the -block offsets before shifting. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o -Reviewed-by: Zheng Liu ---- - fs/ext4/file.c | 14 +++++++------- - 1 file changed, 7 insertions(+), 7 deletions(-) - -diff --git a/fs/ext4/file.c b/fs/ext4/file.c -index 64848b5..b47ccf9 100644 ---- a/fs/ext4/file.c -+++ b/fs/ext4/file.c -@@ -311,7 +311,7 @@ static int ext4_find_unwritten_pgoff(struct inode *inode, - blkbits = inode->i_sb->s_blocksize_bits; - startoff = *offset; - lastoff = startoff; -- endoff = (map->m_lblk + map->m_len) << blkbits; -+ endoff = (loff_t)(map->m_lblk + map->m_len) << blkbits; - - index = startoff >> PAGE_CACHE_SHIFT; - end = endoff >> PAGE_CACHE_SHIFT; -@@ -456,7 +456,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - ret = ext4_map_blocks(NULL, inode, &map, 0); - if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { - if (last != start) -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - break; - } - -@@ -467,7 +467,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - ext4_es_find_delayed_extent(inode, last, &es); - if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { - if (last != start) -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - break; - } - -@@ -485,7 +485,7 @@ static loff_t ext4_seek_data(struct file *file, loff_t offset, loff_t maxsize) - } - - last++; -- dataoff = last << blkbits; -+ dataoff = (loff_t)last << blkbits; - } while (last <= end); - - mutex_unlock(&inode->i_mutex); -@@ -539,7 +539,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - ret = ext4_map_blocks(NULL, inode, &map, 0); - if (ret > 0 && !(map.m_flags & EXT4_MAP_UNWRITTEN)) { - last += ret; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - -@@ -550,7 +550,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - ext4_es_find_delayed_extent(inode, last, &es); - if (es.es_len != 0 && in_range(last, es.es_lblk, es.es_len)) { - last = es.es_lblk + es.es_len; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - -@@ -565,7 +565,7 @@ static loff_t ext4_seek_hole(struct file *file, loff_t offset, loff_t maxsize) - &map, &holeoff); - if (!unwritten) { - last += ret; -- holeoff = last << blkbits; -+ holeoff = (loff_t)last << blkbits; - continue; - } - } --- -1.8.3.1 - - -From 114fe3b7fc9ca3ca00f774dd8705e8c802f39f14 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:38:56 -0400 -Subject: [PATCH 3/4] ext4: fix data offset overflow in ext4_xattr_fiemap() on - 32-bit archs - -On 32-bit architectures with 32-bit sector_t computation of data offset -in ext4_xattr_fiemap() can overflow resulting in reporting bogus data -location. Fix the problem by typing block number to proper type before -shifting. - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/extents.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c -index 9c6d06d..6bb303c 100644 ---- a/fs/ext4/extents.c -+++ b/fs/ext4/extents.c -@@ -4605,7 +4605,7 @@ static int ext4_xattr_fiemap(struct inode *inode, - error = ext4_get_inode_loc(inode, &iloc); - if (error) - return error; -- physical = iloc.bh->b_blocknr << blockbits; -+ physical = (__u64)iloc.bh->b_blocknr << blockbits; - offset = EXT4_GOOD_OLD_INODE_SIZE + - EXT4_I(inode)->i_extra_isize; - physical += offset; -@@ -4613,7 +4613,7 @@ static int ext4_xattr_fiemap(struct inode *inode, - flags |= FIEMAP_EXTENT_DATA_INLINE; - brelse(iloc.bh); - } else { /* external block */ -- physical = EXT4_I(inode)->i_file_acl << blockbits; -+ physical = (__u64)EXT4_I(inode)->i_file_acl << blockbits; - length = inode->i_sb->s_blocksize; - } - --- -1.8.3.1 - - -From aeb72ff4b7fe084b4373d4a91d77d3bea8089627 Mon Sep 17 00:00:00 2001 -From: Jan Kara -Date: Fri, 31 May 2013 19:39:56 -0400 -Subject: [PATCH 4/4] ext4: fix overflow when counting used blocks on 32-bit - architectures - -The arithmetics adding delalloc blocks to the number of used blocks in -ext4_getattr() can easily overflow on 32-bit archs as we first multiply -number of blocks by blocksize and then divide back by 512. Make the -arithmetics more clever and also use proper type (unsigned long long -instead of unsigned long). - -Signed-off-by: Jan Kara -Signed-off-by: Theodore Ts'o ---- - fs/ext4/inode.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/fs/ext4/inode.c b/fs/ext4/inode.c -index d69e954..e33e2d2 100644 ---- a/fs/ext4/inode.c -+++ b/fs/ext4/inode.c -@@ -4616,7 +4616,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, - struct kstat *stat) - { - struct inode *inode; -- unsigned long delalloc_blocks; -+ unsigned long long delalloc_blocks; - - inode = dentry->d_inode; - generic_fillattr(inode, stat); -@@ -4634,7 +4634,7 @@ int ext4_getattr(struct vfsmount *mnt, struct dentry *dentry, - delalloc_blocks = EXT4_C2B(EXT4_SB(inode->i_sb), - EXT4_I(inode)->i_reserved_data_blocks); - -- stat->blocks += (delalloc_blocks << inode->i_sb->s_blocksize_bits)>>9; -+ stat->blocks += delalloc_blocks << (inode->i_sb->s_blocksize_bits-9); - return 0; - } - --- -1.8.3.1 - diff --git a/iwlwifi-pcie-fix-race-in-queue-unmapping.patch b/iwlwifi-pcie-fix-race-in-queue-unmapping.patch deleted file mode 100644 index ad9194af3..000000000 --- a/iwlwifi-pcie-fix-race-in-queue-unmapping.patch +++ /dev/null @@ -1,56 +0,0 @@ -From: Emmanuel Grumbach - -When a queue is disabled, it frees all its entries. Later, -the op_mode might still get notifications from the firmware -that triggers to free entries in the tx queue. The transport -should be prepared for these races and know to ignore -reclaim calls on queues that have been disabled and whose -entries have been freed. - -Cc: stable@vger.kernel.org -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- - drivers/net/wireless/iwlwifi/pcie/tx.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index cb5c679..faaf77c 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -578,9 +578,12 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) - - spin_lock_bh(&txq->lock); - while (q->write_ptr != q->read_ptr) { -+ IWL_DEBUG_TX_REPLY(trans, "Q %d Free %d\n", -+ txq_id, q->read_ptr); - iwl_pcie_txq_free_tfd(trans, txq); - q->read_ptr = iwl_queue_inc_wrap(q->read_ptr, q->n_bd); - } -+ txq->active = false; - spin_unlock_bh(&txq->lock); - } - -@@ -929,6 +932,12 @@ void iwl_trans_pcie_reclaim(struct iwl_trans *trans, int txq_id, int ssn, - - spin_lock_bh(&txq->lock); - -+ if (!txq->active) { -+ IWL_DEBUG_TX_QUEUES(trans, "Q %d inactive - ignoring idx %d\n", -+ txq_id, ssn); -+ goto out; -+ } -+ - if (txq->q.read_ptr == tfd_num) - goto out; - -@@ -1105,6 +1114,7 @@ void iwl_trans_pcie_txq_enable(struct iwl_trans *trans, int txq_id, int fifo, - (fifo << SCD_QUEUE_STTS_REG_POS_TXF) | - (1 << SCD_QUEUE_STTS_REG_POS_WSL) | - SCD_QUEUE_STTS_REG_MSK); -+ trans_pcie->txq[txq_id].active = true; - IWL_DEBUG_TX_QUEUES(trans, "Activate queue %d on FIFO %d WrPtr: %d\n", - txq_id, fifo, ssn & 0xff); - } --- -1.7.11.7 diff --git a/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch b/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch deleted file mode 100644 index 661fc5035..000000000 --- a/iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch +++ /dev/null @@ -1,35 +0,0 @@ -From: Emmanuel Grumbach - -When the queue is unmapped while it was so loaded that -mac80211's was stopped, we need to wake the queue after -having freed all the packets in the queue. -Not doing so can result in weird stuff like: - -* run lots of traffic (mac80211's queue gets stopped) -* RFKILL -* de-assert RFKILL -* no traffic - -Cc: stable@vger.kernel.org -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- - drivers/net/wireless/iwlwifi/pcie/tx.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/net/wireless/iwlwifi/pcie/tx.c b/drivers/net/wireless/iwlwifi/pcie/tx.c -index faaf77c..4e7b8d4 100644 ---- a/drivers/net/wireless/iwlwifi/pcie/tx.c -+++ b/drivers/net/wireless/iwlwifi/pcie/tx.c -@@ -585,6 +585,9 @@ static void iwl_pcie_txq_unmap(struct iwl_trans *trans, int txq_id) - } - txq->active = false; - spin_unlock_bh(&txq->lock); -+ -+ /* just in case - this queue may have been stopped */ -+ iwl_wake_queue(trans, txq); - } - - /* --- -1.7.11.7 diff --git a/kernel.spec b/kernel.spec index a9a1baa7f..1b16cf7e5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -747,9 +747,6 @@ Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -Patch25050: iwlwifi-pcie-fix-race-in-queue-unmapping.patch -Patch25051: iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch - #rhbz 903741 Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch @@ -775,10 +772,7 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 976837 -Patch25065: fix-ext4-overflows.patch - -Patch26000: cve-2013-4125.patch +Patch26000: cve-2013-4125.patch # END OF PATCH DEFINITIONS @@ -1475,9 +1469,6 @@ ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -ApplyPatch iwlwifi-pcie-fix-race-in-queue-unmapping.patch -ApplyPatch iwlwifi-pcie-wake-the-queue-if-stopped-when-being-unmapped.patch - #rhbz 903741 ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch @@ -1502,9 +1493,6 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 976837 -ApplyPatch fix-ext4-overflows.patch - ApplyPatch cve-2013-4125.patch # END OF PATCH APPLICATIONS @@ -2315,6 +2303,9 @@ fi # and build. %changelog +* Mon Jul 22 2013 Justin M. Forbes 3.10.2-300 +- Linux v3.10.2 + * Fri Jul 19 2013 Dave Jones - CVE-2013-4125 ipv6: BUG_ON in fib6_add_rt2node() (rhbz 984664) diff --git a/sources b/sources index c68e1b26a..736fd854a 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz 0e7f2a767ef3b3643856c96af3409af3 patch-3.10.1.xz +0c94fa440515e289495909749d04aae4 patch-3.10.2.xz From b614c1a7bcadf1f52f43ee2685a6181596b33540 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 22 Jul 2013 14:55:50 -0400 Subject: [PATCH 167/468] Fix timer issue in bridge code (rhbz 980254) --- ...-not-call-setup_timer-multiple-times.patch | 50 +++++++++++++++++++ kernel.spec | 6 +++ 2 files changed, 56 insertions(+) create mode 100644 bridge-do-not-call-setup_timer-multiple-times.patch diff --git a/bridge-do-not-call-setup_timer-multiple-times.patch b/bridge-do-not-call-setup_timer-multiple-times.patch new file mode 100644 index 000000000..c8c7bf747 --- /dev/null +++ b/bridge-do-not-call-setup_timer-multiple-times.patch @@ -0,0 +1,50 @@ +From 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 20 Jul 2013 03:07:16 +0000 +Subject: bridge: do not call setup_timer() multiple times + +commit 9f00b2e7cf24 ("bridge: only expire the mdb entry when query is +received") added a nasty bug as an active timer can be reinitialized. + +setup_timer() must be done once, no matter how many time mod_timer() +is called. br_multicast_new_group() is the right place to do this. + +Reported-by: Srivatsa S. Bhat +Diagnosed-by: Thomas Gleixner +Signed-off-by: Eric Dumazet +Tested-by: Srivatsa S. Bhat +Cc: Cong Wang +Signed-off-by: David S. Miller +--- +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 69af490..4b99c9a 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -619,6 +619,9 @@ rehash: + mp->br = br; + mp->addr = *group; + ++ setup_timer(&mp->timer, br_multicast_group_expired, ++ (unsigned long)mp); ++ + hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]); + mdb->size++; + +@@ -1126,7 +1129,6 @@ static int br_ip4_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + +- setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); + mod_timer(&mp->timer, now + br->multicast_membership_interval); + mp->timer_armed = true; + +@@ -1204,7 +1206,6 @@ static int br_ip6_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + +- setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); + mod_timer(&mp->timer, now + br->multicast_membership_interval); + mp->timer_armed = true; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 1b16cf7e5..b448eb64b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -755,6 +755,7 @@ Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch #rhbz 980254 Patch25061: bridge-timer-fix.patch +Patch25066: bridge-do-not-call-setup_timer-multiple-times.patch #rhbz 977558 Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch @@ -1475,7 +1476,9 @@ ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch #rhbz 880035 ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch +#rhbz 980254 ApplyPatch bridge-timer-fix.patch +ApplyPatch bridge-do-not-call-setup_timer-multiple-times.patch #rhbz 977558 ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch @@ -2303,6 +2306,9 @@ fi # and build. %changelog +* Mon Jul 22 2013 Josh Boyer +- Fix timer issue in bridge code (rhbz 980254) + * Mon Jul 22 2013 Justin M. Forbes 3.10.2-300 - Linux v3.10.2 From e4971813cbe625768cceb856d15fe21c2e9c086e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 22 Jul 2013 14:28:26 -0500 Subject: [PATCH 168/468] Update secureboot patch for 3.10 --- ... => devel-pekey-secure-boot-20130502.patch | 395 ++--- kernel.spec | 9 +- secure-boot-20130218.patch | 1435 ----------------- 3 files changed, 204 insertions(+), 1635 deletions(-) rename devel-pekey-secure-boot-20130306.patch => devel-pekey-secure-boot-20130502.patch (95%) delete mode 100644 secure-boot-20130218.patch diff --git a/devel-pekey-secure-boot-20130306.patch b/devel-pekey-secure-boot-20130502.patch similarity index 95% rename from devel-pekey-secure-boot-20130306.patch rename to devel-pekey-secure-boot-20130502.patch index 85bcec738..703bbf5ad 100644 --- a/devel-pekey-secure-boot-20130306.patch +++ b/devel-pekey-secure-boot-20130502.patch @@ -1,7 +1,7 @@ -From 1693ee9461cddd18c607f7126ac3d300915dbc05 Mon Sep 17 00:00:00 2001 +From 888c361d20210d39863ba6f2b71adb84e0a926a7 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 18 Jan 2013 13:53:35 +0000 -Subject: [PATCH 02/48] KEYS: Load *.x509 files into kernel keyring +Subject: [PATCH 01/47] KEYS: Load *.x509 files into kernel keyring Load all the files matching the pattern "*.x509" that are to be found in kernel base source dir and base build dir into the module signing keyring. @@ -15,10 +15,10 @@ Signed-off-by: David Howells 2 files changed, 30 insertions(+), 8 deletions(-) diff --git a/kernel/Makefile b/kernel/Makefile -index bbde5f1..6cb07a0 100644 +index d1574d4..64c97da 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -140,17 +140,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE +@@ -141,17 +141,40 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE $(call if_changed,bc) ifeq ($(CONFIG_MODULE_SIG),y) @@ -78,13 +78,13 @@ index 246b4c6..0a60203 100644 + .incbin "kernel/x509_certificate_list" GLOBAL(modsign_certificate_list_end) -- -1.8.1.2 +1.8.1.4 -From 80e06b81dec8a01819170c4d102a05d98df4c6f7 Mon Sep 17 00:00:00 2001 +From 26a6bf8ffbe82d706c6de06746d760d9bc425ee5 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 18:39:54 +0000 -Subject: [PATCH 03/48] KEYS: Separate the kernel signature checking keyring +Subject: [PATCH 02/47] KEYS: Separate the kernel signature checking keyring from module signing Separate the kernel signature checking keyring from module signing so that it @@ -136,10 +136,10 @@ index 0000000..8dabc39 + +#endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/init/Kconfig b/init/Kconfig -index 22616cd..e988655 100644 +index a76d131..b9d8870 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1575,6 +1575,18 @@ config BASE_SMALL +@@ -1615,6 +1615,18 @@ config BASE_SMALL default 0 if BASE_FULL default 1 if !BASE_FULL @@ -158,7 +158,7 @@ index 22616cd..e988655 100644 menuconfig MODULES bool "Enable loadable module support" help -@@ -1647,6 +1659,7 @@ config MODULE_SRCVERSION_ALL +@@ -1687,6 +1699,7 @@ config MODULE_SRCVERSION_ALL config MODULE_SIG bool "Module signature verification" depends on MODULES @@ -167,10 +167,10 @@ index 22616cd..e988655 100644 select CRYPTO select ASYMMETRIC_KEY_TYPE diff --git a/kernel/Makefile b/kernel/Makefile -index 6cb07a0..a9ecd52 100644 +index 64c97da..ecff938 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -51,8 +51,9 @@ obj-$(CONFIG_SMP) += spinlock.o +@@ -52,8 +52,9 @@ obj-$(CONFIG_SMP) += spinlock.o obj-$(CONFIG_DEBUG_SPINLOCK) += spinlock.o obj-$(CONFIG_PROVE_LOCKING) += spinlock.o obj-$(CONFIG_UID16) += uid16.o @@ -181,7 +181,7 @@ index 6cb07a0..a9ecd52 100644 obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC) += kexec.o -@@ -139,13 +140,14 @@ targets += timeconst.h +@@ -140,13 +141,14 @@ targets += timeconst.h $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE $(call if_changed,bc) @@ -199,7 +199,7 @@ index 6cb07a0..a9ecd52 100644 X509_CERTIFICATES-y := $(wildcard *.x509) $(wildcard $(srctree)/*.x509) X509_CERTIFICATES-$(CONFIG_MODULE_SIG) += signing_key.x509 X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) -@@ -161,10 +163,11 @@ $(shell rm $(obj)/.x509.list) +@@ -162,10 +164,11 @@ $(shell rm $(obj)/.x509.list) endif endif @@ -213,7 +213,7 @@ index 6cb07a0..a9ecd52 100644 targets += $(obj)/x509_certificate_list $(obj)/x509_certificate_list: $(X509_CERTIFICATES) $(obj)/.x509.list $(call if_changed,x509certs) -@@ -174,7 +177,9 @@ $(obj)/.x509.list: +@@ -175,7 +178,9 @@ $(obj)/.x509.list: @echo $(X509_CERTIFICATES) >$@ clean-files := x509_certificate_list .x509.list @@ -497,13 +497,13 @@ index 0000000..a3ca76f +} +late_initcall(load_system_certificate_list); -- -1.8.1.2 +1.8.1.4 -From a2512743c97ac3c236eaf9ce6b2879cb0ff61dd5 Mon Sep 17 00:00:00 2001 +From 4e2b0f425d73360fc40b8719b36e6e3ca94d458e Mon Sep 17 00:00:00 2001 From: David Howells Date: Thu, 17 Jan 2013 16:25:00 +0000 -Subject: [PATCH 04/48] KEYS: Add a 'trusted' flag and a 'trusted only' flag +Subject: [PATCH 03/47] KEYS: Add a 'trusted' flag and a 'trusted only' flag Add KEY_FLAG_TRUSTED to indicate that a key either comes from a trusted source or had a cryptographic signature chain that led back to a trusted key the @@ -626,13 +626,13 @@ index 6ece7f2..f18d7ff 100644 if (ret == 0) { ret = __key_link_check_live_key(keyring, key); -- -1.8.1.2 +1.8.1.4 -From a466fb7f25a238e646970d1dbdbb5143f9b3b066 Mon Sep 17 00:00:00 2001 +From 3deae827abdd3de9b7976b423279812d7559e580 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:32 +0000 -Subject: [PATCH 05/48] KEYS: Rename public key parameter name arrays +Subject: [PATCH 04/47] KEYS: Rename public key parameter name arrays Rename the arrays of public key parameters (public key algorithm names, hash algorithm names and ID type names) so that the array name ends in "_name". @@ -781,13 +781,13 @@ index 0034e36..0b6b870 100644 key = request_asymmetric_key(sig, ms.signer_len, -- -1.8.1.2 +1.8.1.4 -From bb9a97b29085a9dfbda5b32a6dbdfaec5612e46b Mon Sep 17 00:00:00 2001 +From 2acf1a703de1213ad85515a71873f57535dc057d Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:33 +0000 -Subject: [PATCH 06/48] KEYS: Move the algorithm pointer array from x509 to +Subject: [PATCH 05/47] KEYS: Move the algorithm pointer array from x509 to public_key.c Move the public-key algorithm pointer array from x509_public_key.c to @@ -863,13 +863,13 @@ index 619d570..46bde25 100644 enum pkey_hash_algo { PKEY_HASH_MD4, -- -1.8.1.2 +1.8.1.4 -From 35da3ee1a151d44c8e0b38422584918f39d66298 Mon Sep 17 00:00:00 2001 +From 3cc2c6f01277dfa00106c3e4f3f3ab8184025b90 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:33 +0000 -Subject: [PATCH 07/48] KEYS: Store public key algo ID in public_key struct +Subject: [PATCH 06/47] KEYS: Store public key algo ID in public_key struct Store public key algo ID in public_key struct for reference purposes. This allows it to be removed from the x509_certificate struct and used to find a @@ -948,13 +948,13 @@ index 46bde25..05778df 100644 union { MPI mpi[5]; -- -1.8.1.2 +1.8.1.4 -From a837dc33a6ca6a4c11d7485ac51951992e7ccf53 Mon Sep 17 00:00:00 2001 +From 7dcc63793a873198d3b3c4299f896e2896292d84 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:34 +0000 -Subject: [PATCH 08/48] KEYS: Split public_key_verify_signature() and make +Subject: [PATCH 07/47] KEYS: Split public_key_verify_signature() and make available Modify public_key_verify_signature() so that it now takes a public_key struct @@ -1064,13 +1064,13 @@ index fac574c..8cb2f70 100644 pr_debug("Cert Verification: %d\n", ret); -- -1.8.1.2 +1.8.1.4 -From def87e748398cfd083e79ae48556aa2144873fc4 Mon Sep 17 00:00:00 2001 +From da18477d1a1987dce0f3c5f78b62e5b223e2bf90 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:35 +0000 -Subject: [PATCH 09/48] KEYS: Store public key algo ID in public_key_signature +Subject: [PATCH 08/47] KEYS: Store public key algo ID in public_key_signature struct Store public key algorithm ID in public_key_signature struct for reference @@ -1097,13 +1097,13 @@ index 05778df..b34fda4 100644 union { MPI mpi[2]; -- -1.8.1.2 +1.8.1.4 -From 87230ff62f9901069b350c57aaa996dabe191165 Mon Sep 17 00:00:00 2001 +From 29d80acc90a95ef5614cf36d4e30835bcc014cc4 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:35 +0000 -Subject: [PATCH 10/48] X.509: struct x509_certificate needs struct tm +Subject: [PATCH 09/47] X.509: struct x509_certificate needs struct tm declaring struct x509_certificate needs struct tm declaring by #inclusion of linux/time.h @@ -1129,13 +1129,13 @@ index e583ad0..2d01182 100644 struct x509_certificate { -- -1.8.1.2 +1.8.1.4 -From 82c121f975c92d34202a9248f94de9c9ada4f9a2 Mon Sep 17 00:00:00 2001 +From ba3ba9e41abb17a7632075668e4f0a30edb59896 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:35 +0000 -Subject: [PATCH 11/48] X.509: Add bits needed for PKCS#7 +Subject: [PATCH 10/47] X.509: Add bits needed for PKCS#7 PKCS#7 validation requires access to the serial number and the raw names in an X.509 certificate. @@ -1227,13 +1227,13 @@ index 2d01182..a6ce46f 100644 /* -- -1.8.1.2 +1.8.1.4 -From 57fb22f1b578187da39d5edfdcaf22daea5fddcb Mon Sep 17 00:00:00 2001 +From 4d2f837ab3629d5b4b3bac2bbdbdf2d0060e74a8 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:36 +0000 -Subject: [PATCH 12/48] X.509: Embed public_key_signature struct and create +Subject: [PATCH 11/47] X.509: Embed public_key_signature struct and create filler function Embed a public_key_signature struct in struct x509_certificate, eliminating @@ -1495,13 +1495,13 @@ index 8cb2f70..b7c81d8 100644 if (!cert->fingerprint || !cert->authority) { pr_warn("Cert for '%s' must have SubjKeyId and AuthKeyId extensions\n", -- -1.8.1.2 +1.8.1.4 -From c882d17501c48b2ea515b2c6cba21d91ad3ce4c4 Mon Sep 17 00:00:00 2001 +From 822175026ad1d4640240d1fdd77b1f45ddd9e7a9 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:36 +0000 -Subject: [PATCH 13/48] X.509: Check the algorithm IDs obtained from parsing an +Subject: [PATCH 12/47] X.509: Check the algorithm IDs obtained from parsing an X.509 certificate Check that the algorithm IDs obtained from the ASN.1 parse by OID lookup @@ -1536,13 +1536,13 @@ index b7c81d8..eb368d4 100644 pr_devel("Cert Valid From: %04ld-%02d-%02d %02d:%02d:%02d\n", cert->valid_from.tm_year + 1900, cert->valid_from.tm_mon + 1, -- -1.8.1.2 +1.8.1.4 -From a5e4fc67608e4f63189263c9840eab47569ab78b Mon Sep 17 00:00:00 2001 +From 4a1a540f79d36d8b0b8970ea638648cef080057b Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:37 +0000 -Subject: [PATCH 14/48] X.509: Handle certificates that lack an +Subject: [PATCH 13/47] X.509: Handle certificates that lack an authorityKeyIdentifier field Handle certificates that lack an authorityKeyIdentifier field by assuming @@ -1583,13 +1583,13 @@ index eb368d4..0f55e3b 100644 if (ret < 0) goto error_free_cert; -- -1.8.1.2 +1.8.1.4 -From 91fc935afe02fedb2cbf4e77994d226f0fbd25eb Mon Sep 17 00:00:00 2001 +From f5e443e719cfb7cae2aea764ad3c9ec9ffba4f60 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:37 +0000 -Subject: [PATCH 15/48] X.509: Export certificate parse and free functions +Subject: [PATCH 14/47] X.509: Export certificate parse and free functions Export certificate parse and free functions for use by modules. @@ -1629,13 +1629,13 @@ index 931f069..9cf0e16 100644 /* * Note an OID when we find one for later processing when we know how -- -1.8.1.2 +1.8.1.4 -From 14b152615af5ca6b274714b1e515d7dcf142a55b Mon Sep 17 00:00:00 2001 +From 792a56d205765cf4ece16868929ad5fbe6b89df4 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:38 +0000 -Subject: [PATCH 16/48] PKCS#7: Implement a parser [RFC 2315] +Subject: [PATCH 15/47] PKCS#7: Implement a parser [RFC 2315] Implement a parser for a PKCS#7 signed-data message as described in part of RFC 2315. @@ -2242,13 +2242,13 @@ index 6926db7..edeff85 100644 /* Distinguished Name attribute IDs [RFC 2256] */ OID_commonName, /* 2.5.4.3 */ -- -1.8.1.2 +1.8.1.4 -From ec62dd1e7576f4b83d6374cd900049c7c555a7d0 Mon Sep 17 00:00:00 2001 +From 3b4b82eecde52c1bd75ab11ef7f8a5c13ec73c40 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:38 +0000 -Subject: [PATCH 17/48] PKCS#7: Digest the data in a signed-data message +Subject: [PATCH 16/47] PKCS#7: Digest the data in a signed-data message Digest the data in a PKCS#7 signed-data message and attach to the public_key_signature struct contained in the pkcs7_message struct. @@ -2416,13 +2416,13 @@ index 0000000..2f9f26c +} +EXPORT_SYMBOL_GPL(pkcs7_verify); -- -1.8.1.2 +1.8.1.4 -From e90ddcd9bc29ed13b4b2808029c6580f3444c5b3 Mon Sep 17 00:00:00 2001 +From e67fed4626a30dd11967abad9187013ff4185991 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:39 +0000 -Subject: [PATCH 18/48] PKCS#7: Find the right key in the PKCS#7 key list and +Subject: [PATCH 17/47] PKCS#7: Find the right key in the PKCS#7 key list and verify the signature Find the appropriate key in the PKCS#7 key list and verify the signature with @@ -2515,13 +2515,13 @@ index 2f9f26c..3f6f0e2 100644 } EXPORT_SYMBOL_GPL(pkcs7_verify); -- -1.8.1.2 +1.8.1.4 -From 8e22cd5881575b9dcdd45b29671935fce505d056 Mon Sep 17 00:00:00 2001 +From 87ec8d783c887617ee6e85f66a9ce1a03c627e87 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:39 +0000 -Subject: [PATCH 19/48] PKCS#7: Verify internal certificate chain +Subject: [PATCH 18/47] PKCS#7: Verify internal certificate chain Verify certificate chain in the X.509 certificates contained within the PKCS#7 message as far as possible. If any signature that we should be able to verify @@ -2631,13 +2631,13 @@ index 6b1d877..5e35fba 100644 char *issuer; /* Name of certificate issuer */ char *subject; /* Name of certificate subject */ -- -1.8.1.2 +1.8.1.4 -From 185c80f1aa2a59a7494db7f57eba30f54a46152a Mon Sep 17 00:00:00 2001 +From cc6c40318a05330e4bb201b35378d7c0a0278aaa Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:42 +0000 -Subject: [PATCH 20/48] PKCS#7: Find intersection between PKCS#7 message and +Subject: [PATCH 19/47] PKCS#7: Find intersection between PKCS#7 message and known, trusted keys Find the intersection between the X.509 certificate chain contained in a PKCS#7 @@ -2838,13 +2838,13 @@ index 0000000..cc226f5 +} +EXPORT_SYMBOL_GPL(pkcs7_validate_trust); -- -1.8.1.2 +1.8.1.4 -From 5b9065e00fb0d0b5fd87f41d8e4c19522a624d6f Mon Sep 17 00:00:00 2001 +From f20b0d77771133bd0d7e89932fef494f00687607 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:39 +0000 -Subject: [PATCH 21/48] Provide PE binary definitions +Subject: [PATCH 20/47] Provide PE binary definitions Provide some PE binary structural and constant definitions as taken from the pesign package sources. @@ -3311,13 +3311,13 @@ index 0000000..9234aef + +#endif /* __LINUX_PE_H */ -- -1.8.1.2 +1.8.1.4 -From 0514d1400ccf6602fa4f4a45d54e82c0386788fb Mon Sep 17 00:00:00 2001 +From d329754b0c2881b6331aacafab74a26b2d9262b3 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:40 +0000 -Subject: [PATCH 22/48] pefile: Parse a PE binary to find a key and a signature +Subject: [PATCH 21/47] pefile: Parse a PE binary to find a key and a signature contained therein Parse a PE binary to find a key and a signature contained therein. Later @@ -3605,13 +3605,13 @@ index 0000000..82bcaf6 + enum pkey_hash_algo digest_algo; /* Digest algorithm */ +}; -- -1.8.1.2 +1.8.1.4 -From 84598b0ba0da9e914fe13cd8e73b4d77a77f8a8e Mon Sep 17 00:00:00 2001 +From 3794d7963e17fc0b0c2f62164306b9a45cb2254e Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:40 +0000 -Subject: [PATCH 23/48] pefile: Strip the wrapper off of the cert data block +Subject: [PATCH 22/47] pefile: Strip the wrapper off of the cert data block The certificate data block in a PE binary has a wrapper around the PKCS#7 signature we actually want to get at. Strip this off and check that we've got @@ -3709,13 +3709,13 @@ index fb80cf0..f2d4df0 100644 } -- -1.8.1.2 +1.8.1.4 -From 6c9fdc4a6bb91f67ba83a164bed515f86b487804 Mon Sep 17 00:00:00 2001 +From f23895761a15e08959140091dc17004e7e6e2035 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:40 +0000 -Subject: [PATCH 24/48] pefile: Parse the presumed PKCS#7 content of the +Subject: [PATCH 23/47] pefile: Parse the presumed PKCS#7 content of the certificate blob Parse the content of the certificate blob, presuming it to be PKCS#7 format. @@ -3763,13 +3763,13 @@ index f2d4df0..056500f 100644 static struct asymmetric_key_parser pefile_key_parser = { -- -1.8.1.2 +1.8.1.4 -From 7816d32941300ae8ed25cc98baf13064854e6cb9 Mon Sep 17 00:00:00 2001 +From fcdb91196beb6235eed676c368a662cbdf92b804 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:41 +0000 -Subject: [PATCH 25/48] pefile: Parse the "Microsoft individual code signing" +Subject: [PATCH 24/47] pefile: Parse the "Microsoft individual code signing" data blob The PKCS#7 certificate should contain a "Microsoft individual code signing" @@ -4006,13 +4006,13 @@ index edeff85..332dcf5 100644 OID_sha256, /* 2.16.840.1.101.3.4.2.1 */ -- -1.8.1.2 +1.8.1.4 -From 9e97d5c51460969ff04d3027e734a69437518cfd Mon Sep 17 00:00:00 2001 +From 63204898d9491f8ba1b90dea8660e8ff778db993 Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:41 +0000 -Subject: [PATCH 26/48] pefile: Digest the PE binary and compare to the PKCS#7 +Subject: [PATCH 25/47] pefile: Digest the PE binary and compare to the PKCS#7 data Digest the signed parts of the PE binary, canonicalising the section table @@ -4242,13 +4242,13 @@ index f1c8cc1..dfdb85e 100644 error: -- -1.8.1.2 +1.8.1.4 -From 2b5752323fc40cd9145150158f32b088fb0d4fa2 Mon Sep 17 00:00:00 2001 +From 17ed825e5f3f595665abd3fc11a6c180e6762b87 Mon Sep 17 00:00:00 2001 From: David Howells Date: Fri, 18 Jan 2013 13:58:35 +0000 -Subject: [PATCH 27/48] PEFILE: Validate PKCS#7 trust chain +Subject: [PATCH 26/47] PEFILE: Validate PKCS#7 trust chain Validate the PKCS#7 trust chain against the contents of the system keyring. @@ -4294,13 +4294,13 @@ index dfdb85e..edad948 100644 error: -- -1.8.1.2 +1.8.1.4 -From 1d94bb9d91322f250d870a1df94e24f9717a1660 Mon Sep 17 00:00:00 2001 +From ce9ca4236f691264a94bcbe10beda9ec5a035baf Mon Sep 17 00:00:00 2001 From: David Howells Date: Tue, 15 Jan 2013 15:33:42 +0000 -Subject: [PATCH 28/48] PEFILE: Load the contained key if we consider the +Subject: [PATCH 27/47] PEFILE: Load the contained key if we consider the container to be validly signed Load the key contained in the PE binary if the signature on the container can @@ -4385,13 +4385,13 @@ index 0f55e3b..c3e5a6d 100644 static struct asymmetric_key_parser x509_key_parser = { .owner = THIS_MODULE, -- -1.8.1.2 +1.8.1.4 -From ef929c440551421ba319fe2305a063706ce7c8a6 Mon Sep 17 00:00:00 2001 +From 395cc1b55a0645ced39f92b31ba3bcc141e59383 Mon Sep 17 00:00:00 2001 From: Chun-Yi Lee Date: Thu, 21 Feb 2013 19:23:49 +0800 -Subject: [PATCH 29/48] MODSIGN: Fix including certificate twice when the +Subject: [PATCH 28/47] MODSIGN: Fix including certificate twice when the signing_key.x509 already exists This issue was found in devel-pekey branch on linux-modsign.git tree. The @@ -4424,10 +4424,10 @@ Signed-off-by: David Howells 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel/Makefile b/kernel/Makefile -index a9ecd52..c94d081 100644 +index ecff938..52f3426 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -148,7 +148,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE +@@ -149,7 +149,10 @@ $(obj)/timeconst.h: $(obj)/hz.bc $(src)/timeconst.bc FORCE # ############################################################################### ifeq ($(CONFIG_SYSTEM_TRUSTED_KEYRING),y) @@ -4440,13 +4440,13 @@ index a9ecd52..c94d081 100644 X509_CERTIFICATES := $(sort $(X509_CERTIFICATES-y)) -- -1.8.1.2 +1.8.1.4 -From 614232115eed153b4f56f37319114a18d590daaa Mon Sep 17 00:00:00 2001 +From 0ef575739cff3fda47dd2a9415f066ab44dcc922 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:56 -0400 -Subject: [PATCH 30/48] Secure boot: Add new capability +Subject: [PATCH 29/47] Secure boot: Add new capability Secure boot adds certain policy requirements, including that root must not be able to do anything that could cause the kernel to execute arbitrary code. @@ -4477,13 +4477,13 @@ index ba478fa..7109e65 100644 #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) -- -1.8.1.2 +1.8.1.4 -From 5c31721c6ec69d901a3f81a1cfa1518ca138ab75 Mon Sep 17 00:00:00 2001 +From 7312bed4fb9125d4880f11a64521b110079a3c0a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:05 -0400 -Subject: [PATCH 31/48] SELinux: define mapping for new Secure Boot capability +Subject: [PATCH 30/47] SELinux: define mapping for new Secure Boot capability Add the name of the new Secure Boot capability. This allows SELinux policies to properly map CAP_COMPROMISE_KERNEL to the appropriate @@ -4510,13 +4510,13 @@ index 14d04e6..ed99a2d 100644 { "tun_socket", { COMMON_SOCK_PERMS, "attach_queue", NULL } }, -- -1.8.1.2 +1.8.1.4 -From b7c947a5862f33eb44bc33211a89ac1d8fd32475 Mon Sep 17 00:00:00 2001 +From e99e1273b0a50d874d2a53461e95f74460e1b812 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:02 -0400 -Subject: [PATCH 32/48] Secure boot: Add a dummy kernel parameter that will +Subject: [PATCH 31/47] Secure boot: Add a dummy kernel parameter that will switch on Secure Boot mode This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset @@ -4530,10 +4530,10 @@ Signed-off-by: Josh Boyer 2 files changed, 24 insertions(+) diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 4609e81..7c0b137 100644 +index 8c01a02..ee6c1ca 100644 --- a/Documentation/kernel-parameters.txt +++ b/Documentation/kernel-parameters.txt -@@ -2683,6 +2683,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. +@@ -2744,6 +2744,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. Note: increases power consumption, thus should only be enabled if running jitter sensitive (HPC/RT) workloads. @@ -4576,13 +4576,13 @@ index e0573a4..c3f4e3e 100644 * prepare_kernel_cred - Prepare a set of credentials for a kernel service * @daemon: A userspace daemon to be used as a reference -- -1.8.1.2 +1.8.1.4 -From b218aab3dcc56d27324b2fc170d620e98c726603 Mon Sep 17 00:00:00 2001 +From eeac2b5391d834eefebfae49a100244fdccc82e5 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:03 -0400 -Subject: [PATCH 33/48] efi: Enable secure boot lockdown automatically when +Subject: [PATCH 32/47] efi: Enable secure boot lockdown automatically when enabled in firmware The firmware has a set of flags that indicate whether secure boot is enabled @@ -4616,10 +4616,10 @@ index 199f453..ff651d3 100644 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures 2D0/A00 ALL e820_map E820 memory map table diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index c205035..96d859d 100644 +index 35ee62f..0998ec7 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c -@@ -861,6 +861,36 @@ fail: +@@ -906,6 +906,36 @@ fail: return status; } @@ -4656,7 +4656,7 @@ index c205035..96d859d 100644 /* * Because the x86 boot code expects to be passed a boot_params we * need to create one ourselves (usually the bootloader would create -@@ -1155,6 +1185,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, +@@ -1200,6 +1230,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) goto fail; @@ -4664,12 +4664,12 @@ index c205035..96d859d 100644 + setup_graphics(boot_params); - setup_efi_pci(boot_params); + setup_efi_vars(boot_params); diff --git a/arch/x86/include/asm/bootparam_utils.h b/arch/x86/include/asm/bootparam_utils.h -index ae93f72..05ecc52 100644 +index 653668d..69a6c08 100644 --- a/arch/x86/include/asm/bootparam_utils.h +++ b/arch/x86/include/asm/bootparam_utils.h -@@ -22,9 +22,13 @@ static void sanitize_boot_params(struct boot_params *boot_params) +@@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params) memset(&boot_params->olpc_ofw_header, 0, (char *)&boot_params->efi_info - (char *)&boot_params->olpc_ofw_header); @@ -4686,10 +4686,10 @@ index ae93f72..05ecc52 100644 (char *)&boot_params->edd_mbr_sig_buffer[0] - (char *)&boot_params->_pad7[0]); diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index c15ddaf..85d7685 100644 +index 0874424..56b7d39 100644 --- a/arch/x86/include/uapi/asm/bootparam.h +++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -131,7 +131,8 @@ struct boot_params { +@@ -132,7 +132,8 @@ struct boot_params { __u8 eddbuf_entries; /* 0x1e9 */ __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ __u8 kbd_status; /* 0x1eb */ @@ -4700,10 +4700,10 @@ index c15ddaf..85d7685 100644 * The sentinel is set to a nonzero value (0xff) in header.S. * diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 84d3285..2485897 100644 +index 56f7fcf..3af6cf8 100644 --- a/arch/x86/kernel/setup.c +++ b/arch/x86/kernel/setup.c -@@ -1098,6 +1098,13 @@ void __init setup_arch(char **cmdline_p) +@@ -1131,6 +1131,13 @@ void __init setup_arch(char **cmdline_p) io_delay_init(); @@ -4731,10 +4731,10 @@ index 04421e8..9e69542 100644 * check for validity of credentials */ diff --git a/include/linux/efi.h b/include/linux/efi.h -index 9bf2f1f..1bf382b 100644 +index 2bc0ad7..10b167a 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *); +@@ -634,6 +634,7 @@ extern int __init efi_setup_pcdp_console(char *); #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ #define EFI_64BIT 5 /* Is the firmware 64-bit? */ @@ -4743,13 +4743,13 @@ index 9bf2f1f..1bf382b 100644 #ifdef CONFIG_EFI # ifdef CONFIG_X86 -- -1.8.1.2 +1.8.1.4 -From c2a1ee697d989d5d5ba7c5d7c20abf6d320afe74 Mon Sep 17 00:00:00 2001 +From a1ac3b80b7a85d4fce665047b9701713fcfc1ea0 Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 34/48] Add EFI signature data types +Subject: [PATCH 33/47] Add EFI signature data types Add the data types that are used for containing hashes, keys and certificates for cryptographic verification. @@ -4760,10 +4760,10 @@ Signed-off-by: David Howells 1 file changed, 20 insertions(+) diff --git a/include/linux/efi.h b/include/linux/efi.h -index 1bf382b..8902faf 100644 +index 10b167a..d3ef7c6 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, +@@ -389,6 +389,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si #define EFI_FILE_SYSTEM_GUID \ EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) @@ -4776,7 +4776,7 @@ index 1bf382b..8902faf 100644 typedef struct { efi_guid_t guid; u64 table; -@@ -523,6 +529,20 @@ typedef struct { +@@ -524,6 +530,20 @@ typedef struct { #define EFI_INVALID_TABLE_ADDR (~0UL) @@ -4798,13 +4798,13 @@ index 1bf382b..8902faf 100644 * All runtime access to EFI goes through this structure: */ -- -1.8.1.2 +1.8.1.4 -From 03401c77362c324756e7f4ce3b0e72f06e79e0d7 Mon Sep 17 00:00:00 2001 +From fac308c18ba449322666325f37f6a08ad818cf9f Mon Sep 17 00:00:00 2001 From: Dave Howells Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 35/48] Add an EFI signature blob parser and key loader. +Subject: [PATCH 34/47] Add an EFI signature blob parser and key loader. X.509 certificates are loaded into the specified keyring as asymmetric type keys. @@ -4963,10 +4963,10 @@ index 0000000..424896a + return 0; +} diff --git a/include/linux/efi.h b/include/linux/efi.h -index 8902faf..ff3c599 100644 +index d3ef7c6..4f0fbb7 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime); +@@ -619,6 +619,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime); extern void efi_reserve_boot_services(void); extern struct efi_memory_map memmap; @@ -4978,13 +4978,13 @@ index 8902faf..ff3c599 100644 * efi_range_is_wc - check the WC bit on an address range * @start: starting kvirt address -- -1.8.1.2 +1.8.1.4 -From 5f7f02ad9d46cf93090a0aed55530c44ce96cb96 Mon Sep 17 00:00:00 2001 +From 75560e565cb8a4e853a3b6f6c65ed70c1ba29039 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 36/48] KEYS: Add a system blacklist keyring +Subject: [PATCH 35/47] KEYS: Add a system blacklist keyring This adds an additional keyring that is used to store certificates that are blacklisted. This keyring is searched first when loading signed modules @@ -5015,10 +5015,10 @@ index 8dabc39..e466de1 100644 #endif /* _KEYS_SYSTEM_KEYRING_H */ diff --git a/init/Kconfig b/init/Kconfig -index e988655..3cac597 100644 +index b9d8870..4f9771f 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1587,6 +1587,15 @@ config SYSTEM_TRUSTED_KEYRING +@@ -1627,6 +1627,15 @@ config SYSTEM_TRUSTED_KEYRING Keys in this keyring are used by module signature checking. @@ -5093,13 +5093,13 @@ index dae8778..2913c70 100644 } -- -1.8.1.2 +1.8.1.4 -From 4fa15a799f5955b7f82b83953fc6726f9113e385 Mon Sep 17 00:00:00 2001 +From e46bf80471882ce1ab0b75dc954b2b59deec6fbb Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH 37/48] MODSIGN: Import certificates from UEFI Secure Boot +Subject: [PATCH 36/47] MODSIGN: Import certificates from UEFI Secure Boot Secure Boot stores a list of allowed certificates in the 'db' variable. This imports those certificates into the system trusted keyring. This @@ -5119,15 +5119,15 @@ Signed-off-by: Josh Boyer include/linux/efi.h | 6 ++++ init/Kconfig | 9 +++++ kernel/Makefile | 3 ++ - kernel/modsign_uefi.c | 91 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 109 insertions(+) + kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 110 insertions(+) create mode 100644 kernel/modsign_uefi.c diff --git a/include/linux/efi.h b/include/linux/efi.h -index ff3c599..8400949 100644 +index 4f0fbb7..7ac7a17 100644 --- a/include/linux/efi.h +++ b/include/linux/efi.h -@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, +@@ -395,6 +395,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si #define EFI_CERT_X509_GUID \ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) @@ -5141,10 +5141,10 @@ index ff3c599..8400949 100644 efi_guid_t guid; u64 table; diff --git a/init/Kconfig b/init/Kconfig -index 3cac597..e7e0216 100644 +index 4f9771f..da92f1c 100644 --- a/init/Kconfig +++ b/init/Kconfig -@@ -1705,6 +1705,15 @@ config MODULE_SIG_ALL +@@ -1745,6 +1745,15 @@ config MODULE_SIG_ALL comment "Do not forget to sign required modules with scripts/sign-file" depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL @@ -5161,10 +5161,10 @@ index 3cac597..e7e0216 100644 prompt "Which hash algorithm should modules be signed with?" depends on MODULE_SIG diff --git a/kernel/Makefile b/kernel/Makefile -index c94d081..94be1fc 100644 +index 52f3426..e2a616f 100644 --- a/kernel/Makefile +++ b/kernel/Makefile -@@ -54,6 +54,7 @@ obj-$(CONFIG_UID16) += uid16.o +@@ -55,6 +55,7 @@ obj-$(CONFIG_UID16) += uid16.o obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o obj-$(CONFIG_MODULES) += module.o obj-$(CONFIG_MODULE_SIG) += module_signing.o @@ -5172,7 +5172,7 @@ index c94d081..94be1fc 100644 obj-$(CONFIG_KALLSYMS) += kallsyms.o obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o obj-$(CONFIG_KEXEC) += kexec.o -@@ -113,6 +114,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o +@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o $(obj)/configs.o: $(obj)/config_data.h @@ -5183,15 +5183,16 @@ index c94d081..94be1fc 100644 targets += config_data.gz diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c new file mode 100644 -index 0000000..df831ff +index 0000000..94b0eb3 --- /dev/null +++ b/kernel/modsign_uefi.c -@@ -0,0 +1,91 @@ +@@ -0,0 +1,92 @@ +#include +#include +#include +#include +#include ++#include +#include +#include +#include "module-internal.h" @@ -5279,13 +5280,13 @@ index 0000000..df831ff +} +late_initcall(load_uefi_certs); -- -1.8.1.2 +1.8.1.4 -From 439626853a29ad3a731d5563a0ee82645eb4f012 Mon Sep 17 00:00:00 2001 +From 8724600edad99706cce510645eff15f28787561a Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:57 -0400 -Subject: [PATCH 38/48] PCI: Lock down BAR access in secure boot environments +Subject: [PATCH 37/47] PCI: Lock down BAR access in secure boot environments Any hardware that can potentially generate DMA has to be locked down from userspace in order to avoid it being possible for an attacker to cause @@ -5300,7 +5301,7 @@ Signed-off-by: Matthew Garrett 3 files changed, 17 insertions(+), 2 deletions(-) diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 9c6e9bb..b966089 100644 +index 5b4a9d9..db2ff9e 100644 --- a/drivers/pci/pci-sysfs.c +++ b/drivers/pci/pci-sysfs.c @@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, @@ -5334,11 +5335,11 @@ index 9c6e9bb..b966089 100644 } diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 0b00947..7639f68 100644 +index 0812608..544132d 100644 --- a/drivers/pci/proc.c +++ b/drivers/pci/proc.c -@@ -139,6 +139,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof - int size = dp->size; +@@ -136,6 +136,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof + int size = dev->cfg_size; int cnt; + if (!capable(CAP_COMPROMISE_KERNEL)) @@ -5347,7 +5348,7 @@ index 0b00947..7639f68 100644 if (pos >= size) return 0; if (nbytes >= size) -@@ -219,6 +222,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, +@@ -215,6 +218,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, #endif /* HAVE_PCI_MMAP */ int ret = 0; @@ -5357,7 +5358,7 @@ index 0b00947..7639f68 100644 switch (cmd) { case PCIIOC_CONTROLLER: ret = pci_domain_nr(dev->bus); -@@ -259,7 +265,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) +@@ -253,7 +259,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) struct pci_filp_private *fpriv = file->private_data; int i, ret; @@ -5380,13 +5381,13 @@ index e1c1ec5..97e785f 100644 dev = pci_get_bus_and_slot(bus, dfn); -- -1.8.1.2 +1.8.1.4 -From 55d73bfee2d162dadf4f697cfeb1235a68c90aa8 Mon Sep 17 00:00:00 2001 +From 2361c561632c00e3974a092454ecc7daafb7cdf6 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:58 -0400 -Subject: [PATCH 39/48] x86: Lock down IO port access in secure boot +Subject: [PATCH 38/47] x86: Lock down IO port access in secure boot environments IO port access would permit users to gain access to PCI configuration @@ -5437,13 +5438,13 @@ index 2c644af..7eee4d8 100644 return -EFAULT; while (count-- > 0 && i < 65536) { -- -1.8.1.2 +1.8.1.4 -From 985b096320b1689dbe91a97e999d0607f5461068 Mon Sep 17 00:00:00 2001 +From e97f4dd5b1baaae0854e8a5c87aa4be4d03d1854 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:40:59 -0400 -Subject: [PATCH 40/48] ACPI: Limit access to custom_method +Subject: [PATCH 39/47] ACPI: Limit access to custom_method It must be impossible for even root to get code executed in kernel context under a secure boot environment. custom_method effectively allows arbitrary @@ -5469,13 +5470,13 @@ index 12b62f2..edf0710 100644 /* parse the table header to get the table length */ if (count <= sizeof(struct acpi_table_header)) -- -1.8.1.2 +1.8.1.4 -From 6fe8ea348f67771efa9738b4484e658521f42d1e Mon Sep 17 00:00:00 2001 +From f0389c3a6d823e2386ab4e21d9e012c4ebd310ac Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:00 -0400 -Subject: [PATCH 41/48] asus-wmi: Restrict debugfs interface +Subject: [PATCH 40/47] asus-wmi: Restrict debugfs interface We have no way of validating what all of the Asus WMI methods do on a given machine, and there's a risk that some will allow hardware state to @@ -5522,13 +5523,13 @@ index c11b242..6d5f88f 100644 1, asus->debug.method_id, &input, &output); -- -1.8.1.2 +1.8.1.4 -From ddaafd6f64c317ad0fc33d06449e01632883b4b3 Mon Sep 17 00:00:00 2001 +From 2e507337fc23547c7a15e5a102647becf20dba77 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Thu, 20 Sep 2012 10:41:01 -0400 -Subject: [PATCH 42/48] Restrict /dev/mem and /dev/kmem in secure boot setups +Subject: [PATCH 41/47] Restrict /dev/mem and /dev/kmem in secure boot setups Allowing users to write to address space makes it possible for the kernel to be subverted. Restrict this when we need to protect the kernel. @@ -5563,13 +5564,13 @@ index 7eee4d8..772ee2b 100644 unsigned long to_write = min_t(unsigned long, count, (unsigned long)high_memory - p); -- -1.8.1.2 +1.8.1.4 -From acb828bd8b69f66957865a66420e543bf0666b21 Mon Sep 17 00:00:00 2001 +From ff22d9716846844f8c249dbc965684a8014efed0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 20 Sep 2012 10:41:04 -0400 -Subject: [PATCH 43/48] acpi: Ignore acpi_rsdp kernel parameter in a secure +Subject: [PATCH 42/47] acpi: Ignore acpi_rsdp kernel parameter in a secure boot environment This option allows userspace to pass the RSDP address to the kernel. This @@ -5585,7 +5586,7 @@ Signed-off-by: Josh Boyer 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index 586e7e9..8950454 100644 +index e721863..ed82da7 100644 --- a/drivers/acpi/osl.c +++ b/drivers/acpi/osl.c @@ -245,7 +245,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); @@ -5598,13 +5599,13 @@ index 586e7e9..8950454 100644 #endif -- -1.8.1.2 +1.8.1.4 -From 0d76357d15402c418cf3345239462e30062a3245 Mon Sep 17 00:00:00 2001 +From b08ac626fbcf917bc219133d49c347d7d58eaae1 Mon Sep 17 00:00:00 2001 From: Matthew Garrett Date: Tue, 4 Sep 2012 11:55:13 -0400 -Subject: [PATCH 44/48] kexec: Disable in a secure boot environment +Subject: [PATCH 43/47] kexec: Disable in a secure boot environment kexec could be used as a vector for a malicious user to use a signed kernel to circumvent the secure boot trust model. In the long run we'll want to @@ -5617,10 +5618,10 @@ Signed-off-by: Matthew Garrett 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel/kexec.c b/kernel/kexec.c -index bddd3d7..cbdb930 100644 +index 59f7b55..8bf1336 100644 --- a/kernel/kexec.c +++ b/kernel/kexec.c -@@ -946,7 +946,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, +@@ -939,7 +939,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, int result; /* We only trust the superuser with rebooting the system. */ @@ -5630,13 +5631,13 @@ index bddd3d7..cbdb930 100644 /* -- -1.8.1.2 +1.8.1.4 -From 8ef1f60c8c529785450ee97365714c940d4f2d8e Mon Sep 17 00:00:00 2001 +From f0d9c2906c1145585882fb7eb167e47e998c2e24 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 5 Oct 2012 10:12:48 -0400 -Subject: [PATCH 45/48] MODSIGN: Always enforce module signing in a Secure Boot +Subject: [PATCH 44/47] MODSIGN: Always enforce module signing in a Secure Boot environment If a machine is booted into a Secure Boot environment, we need to @@ -5692,13 +5693,13 @@ index 0925c9a..af4a476 100644 static int param_set_bool_enable_only(const char *val, const struct kernel_param *kp) -- -1.8.1.2 +1.8.1.4 -From b1e2ed158dd5ba3e18a9542802bdeb9d762f0656 Mon Sep 17 00:00:00 2001 +From 1c6bfec7db39e46eeb456fb84e3153281690bbe0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Oct 2012 14:02:09 -0400 -Subject: [PATCH 46/48] hibernate: Disable in a Secure Boot environment +Subject: [PATCH 45/47] hibernate: Disable in a Secure Boot environment There is currently no way to verify the resume image when returning from hibernate. This might compromise the secure boot trust model, @@ -5806,13 +5807,13 @@ index 4ed81e7..b11a0f4 100644 if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -- -1.8.1.2 +1.8.1.4 -From 4c086b0bca62d3028dfd4faf6e6852ce59788333 Mon Sep 17 00:00:00 2001 +From 07cda990d2f18774522889ece30bddf67c703157 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 47/48] efi: Disable secure boot if shim is in insecure mode +Subject: [PATCH 46/47] efi: Disable secure boot if shim is in insecure mode A user can manually tell the shim boot loader to disable validation of images it loads. When a user does this, it creates a UEFI variable called @@ -5826,10 +5827,10 @@ Signed-off-by: Josh Boyer 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 96d859d..c9ffd2f 100644 +index 0998ec7..4945ee5 100644 --- a/arch/x86/boot/compressed/eboot.c +++ b/arch/x86/boot/compressed/eboot.c -@@ -863,8 +863,9 @@ fail: +@@ -908,8 +908,9 @@ fail: static int get_secure_boot(efi_system_table_t *_table) { @@ -5840,7 +5841,7 @@ index 96d859d..c9ffd2f 100644 efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; efi_status_t status; -@@ -888,6 +889,23 @@ static int get_secure_boot(efi_system_table_t *_table) +@@ -933,6 +934,23 @@ static int get_secure_boot(efi_system_table_t *_table) if (setup == 1) return 0; @@ -5865,13 +5866,13 @@ index 96d859d..c9ffd2f 100644 } -- -1.8.1.2 +1.8.1.4 -From 8225ade084c6137223579c69f17677fdd994940c Mon Sep 17 00:00:00 2001 +From e61066577405c37c2758f9b7fb2694967bdbe921 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 48/48] x86: Lock down MSR writing in secure boot +Subject: [PATCH 47/47] x86: Lock down MSR writing in secure boot Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is set since it could lead to execution of arbitrary code in kernel mode. @@ -5907,5 +5908,5 @@ index ce13049..fa4dc6c 100644 err = -EFAULT; break; -- -1.8.1.2 +1.8.1.4 diff --git a/kernel.spec b/kernel.spec index b448eb64b..9cfdc0289 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -654,7 +654,7 @@ Patch800: crash-driver.patch # crypto/ # secure boot -Patch1000: devel-pekey-secure-boot-20130306.patch +Patch1000: devel-pekey-secure-boot-20130502.patch # virt + ksm patches @@ -1390,7 +1390,7 @@ ApplyPatch crash-driver.patch # crypto/ # secure boot -ApplyPatch devel-pekey-secure-boot-20130306.patch +ApplyPatch devel-pekey-secure-boot-20130502.patch # Assorted Virt Fixes @@ -2306,6 +2306,9 @@ fi # and build. %changelog +* Mon Jul 22 2013 Justin M. Forbes 3.10.2-301 +- Update secureboot patch for 3.10 + * Mon Jul 22 2013 Josh Boyer - Fix timer issue in bridge code (rhbz 980254) diff --git a/secure-boot-20130218.patch b/secure-boot-20130218.patch deleted file mode 100644 index 9b5717350..000000000 --- a/secure-boot-20130218.patch +++ /dev/null @@ -1,1435 +0,0 @@ -From 0c5837031a4e996877930fd023a5877dd1d615ba Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:40:56 -0400 -Subject: [PATCH 01/19] Secure boot: Add new capability - -Secure boot adds certain policy requirements, including that root must not -be able to do anything that could cause the kernel to execute arbitrary code. -The simplest way to handle this would seem to be to add a new capability -and gate various functionality on that. We'll then strip it from the initial -capability set if required. - -Signed-off-by: Matthew Garrett ---- - include/uapi/linux/capability.h | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/include/uapi/linux/capability.h b/include/uapi/linux/capability.h -index ba478fa..7109e65 100644 ---- a/include/uapi/linux/capability.h -+++ b/include/uapi/linux/capability.h -@@ -343,7 +343,11 @@ struct vfs_cap_data { - - #define CAP_BLOCK_SUSPEND 36 - --#define CAP_LAST_CAP CAP_BLOCK_SUSPEND -+/* Allow things that trivially permit root to modify the running kernel */ -+ -+#define CAP_COMPROMISE_KERNEL 37 -+ -+#define CAP_LAST_CAP CAP_COMPROMISE_KERNEL - - #define cap_valid(x) ((x) >= 0 && (x) <= CAP_LAST_CAP) - --- -1.8.1.2 - - -From 87c8fddbcb3042fc4174b53763adbf66045a12be Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Thu, 20 Sep 2012 10:41:05 -0400 -Subject: [PATCH 02/19] SELinux: define mapping for new Secure Boot capability - -Add the name of the new Secure Boot capability. This allows SELinux -policies to properly map CAP_COMPROMISE_KERNEL to the appropriate -capability class. - -Signed-off-by: Josh Boyer ---- - security/selinux/include/classmap.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h -index 14d04e6..ed99a2d 100644 ---- a/security/selinux/include/classmap.h -+++ b/security/selinux/include/classmap.h -@@ -146,8 +146,8 @@ struct security_class_mapping secclass_map[] = { - { "memprotect", { "mmap_zero", NULL } }, - { "peer", { "recv", NULL } }, - { "capability2", -- { "mac_override", "mac_admin", "syslog", "wake_alarm", "block_suspend", -- NULL } }, -+ { "mac_override", "mac_admin", "syslog", "wake_alarm", -+ "block_suspend", "compromise_kernel", NULL } }, - { "kernel_service", { "use_as_override", "create_files_as", NULL } }, - { "tun_socket", - { COMMON_SOCK_PERMS, "attach_queue", NULL } }, --- -1.8.1.2 - - -From df14b5319bf3ed2110839e233ac61e6136745be8 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Thu, 20 Sep 2012 10:41:02 -0400 -Subject: [PATCH 03/19] Secure boot: Add a dummy kernel parameter that will - switch on Secure Boot mode - -This forcibly drops CAP_COMPROMISE_KERNEL from both cap_permitted and cap_bset -in the init_cred struct, which everything else inherits from. This works on -any machine and can be used to develop even if the box doesn't have UEFI. - -Signed-off-by: Josh Boyer ---- - Documentation/kernel-parameters.txt | 7 +++++++ - kernel/cred.c | 17 +++++++++++++++++ - 2 files changed, 24 insertions(+) - -diff --git a/Documentation/kernel-parameters.txt b/Documentation/kernel-parameters.txt -index 6c72381..7dffdd5 100644 ---- a/Documentation/kernel-parameters.txt -+++ b/Documentation/kernel-parameters.txt -@@ -2654,6 +2654,13 @@ bytes respectively. Such letter suffixes can also be entirely omitted. - Note: increases power consumption, thus should only be - enabled if running jitter sensitive (HPC/RT) workloads. - -+ secureboot_enable= -+ [KNL] Enables an emulated UEFI Secure Boot mode. This -+ locks down various aspects of the kernel guarded by the -+ CAP_COMPROMISE_KERNEL capability. This includes things -+ like /dev/mem, IO port access, and other areas. It can -+ be used on non-UEFI machines for testing purposes. -+ - security= [SECURITY] Choose a security module to enable at boot. - If this boot parameter is not specified, only the first - security module asking for security registration will be -diff --git a/kernel/cred.c b/kernel/cred.c -index e0573a4..c3f4e3e 100644 ---- a/kernel/cred.c -+++ b/kernel/cred.c -@@ -565,6 +565,23 @@ void __init cred_init(void) - 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); - } - -+void __init secureboot_enable() -+{ -+ pr_info("Secure boot enabled\n"); -+ cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL); -+ cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); -+} -+ -+/* Dummy Secure Boot enable option to fake out UEFI SB=1 */ -+static int __init secureboot_enable_opt(char *str) -+{ -+ int sb_enable = !!simple_strtol(str, NULL, 0); -+ if (sb_enable) -+ secureboot_enable(); -+ return 1; -+} -+__setup("secureboot_enable=", secureboot_enable_opt); -+ - /** - * prepare_kernel_cred - Prepare a set of credentials for a kernel service - * @daemon: A userspace daemon to be used as a reference --- -1.8.1.2 - - -From 49c76a665e8a09da48cbe271ea40266ca1a226c0 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:41:03 -0400 -Subject: [PATCH 04/19] efi: Enable secure boot lockdown automatically when - enabled in firmware - -The firmware has a set of flags that indicate whether secure boot is enabled -and enforcing. Use them to indicate whether the kernel should lock itself -down. We also indicate the machine is in secure boot mode by adding the -EFI_SECURE_BOOT bit for use with efi_enabled. - -Signed-off-by: Matthew Garrett -Signed-off-by: Josh Boyer ---- - Documentation/x86/zero-page.txt | 2 ++ - arch/x86/boot/compressed/eboot.c | 32 ++++++++++++++++++++++++++++++++ - arch/x86/include/uapi/asm/bootparam.h | 3 ++- - arch/x86/kernel/setup.c | 7 +++++++ - include/linux/cred.h | 2 ++ - include/linux/efi.h | 1 + - 6 files changed, 46 insertions(+), 1 deletion(-) - -diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt -index 199f453..ff651d3 100644 ---- a/Documentation/x86/zero-page.txt -+++ b/Documentation/x86/zero-page.txt -@@ -30,6 +30,8 @@ Offset Proto Name Meaning - 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) - 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer - (below) -+1EB/001 ALL kbd_status Numlock is enabled -+1EC/001 ALL secure_boot Kernel should enable secure boot lockdowns - 1EF/001 ALL sentinel Used to detect broken bootloaders - 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures - 2D0/A00 ALL e820_map E820 memory map table -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index f8fa411..96bd86b 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -849,6 +849,36 @@ fail: - return status; - } - -+static int get_secure_boot(efi_system_table_t *_table) -+{ -+ u8 sb, setup; -+ unsigned long datasize = sizeof(sb); -+ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; -+ efi_status_t status; -+ -+ status = efi_call_phys5(sys_table->runtime->get_variable, -+ L"SecureBoot", &var_guid, NULL, &datasize, &sb); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (sb == 0) -+ return 0; -+ -+ -+ status = efi_call_phys5(sys_table->runtime->get_variable, -+ L"SetupMode", &var_guid, NULL, &datasize, -+ &setup); -+ -+ if (status != EFI_SUCCESS) -+ return 0; -+ -+ if (setup == 1) -+ return 0; -+ -+ return 1; -+} -+ - /* - * Because the x86 boot code expects to be passed a boot_params we - * need to create one ourselves (usually the bootloader would create -@@ -1143,6 +1173,8 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, - if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) - goto fail; - -+ boot_params->secure_boot = get_secure_boot(sys_table); -+ - setup_graphics(boot_params); - - setup_efi_pci(boot_params); -diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h -index c15ddaf..85d7685 100644 ---- a/arch/x86/include/uapi/asm/bootparam.h -+++ b/arch/x86/include/uapi/asm/bootparam.h -@@ -131,7 +131,8 @@ struct boot_params { - __u8 eddbuf_entries; /* 0x1e9 */ - __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ - __u8 kbd_status; /* 0x1eb */ -- __u8 _pad5[3]; /* 0x1ec */ -+ __u8 secure_boot; /* 0x1ec */ -+ __u8 _pad5[2]; /* 0x1ed */ - /* - * The sentinel is set to a nonzero value (0xff) in header.S. - * -diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c -index 8b24289..d74b441 100644 ---- a/arch/x86/kernel/setup.c -+++ b/arch/x86/kernel/setup.c -@@ -1042,6 +1042,13 @@ void __init setup_arch(char **cmdline_p) - - io_delay_init(); - -+ if (boot_params.secure_boot) { -+#ifdef CONFIG_EFI -+ set_bit(EFI_SECURE_BOOT, &x86_efi_facility); -+#endif -+ secureboot_enable(); -+ } -+ - /* - * Parse the ACPI tables for possible boot-time SMP configuration. - */ -diff --git a/include/linux/cred.h b/include/linux/cred.h -index 04421e8..9e69542 100644 ---- a/include/linux/cred.h -+++ b/include/linux/cred.h -@@ -156,6 +156,8 @@ extern int set_security_override_from_ctx(struct cred *, const char *); - extern int set_create_files_as(struct cred *, struct inode *); - extern void __init cred_init(void); - -+extern void secureboot_enable(void); -+ - /* - * check for validity of credentials - */ -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 7a9498a..1ae16b6 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -627,6 +627,7 @@ extern int __init efi_setup_pcdp_console(char *); - #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ - #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ - #define EFI_64BIT 5 /* Is the firmware 64-bit? */ -+#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */ - - #ifdef CONFIG_EFI - # ifdef CONFIG_X86 --- -1.8.1.2 - - -From d4d1b3ad3e1a553c807b4ecafcbde4bf816e4db2 Mon Sep 17 00:00:00 2001 -From: Dave Howells -Date: Tue, 23 Oct 2012 09:30:54 -0400 -Subject: [PATCH 05/19] Add EFI signature data types - -Add the data types that are used for containing hashes, keys and certificates -for cryptographic verification. - -Signed-off-by: David Howells ---- - include/linux/efi.h | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 1ae16b6..de7021d 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -388,6 +388,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, - #define EFI_FILE_SYSTEM_GUID \ - EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) - -+#define EFI_CERT_SHA256_GUID \ -+ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) -+ -+#define EFI_CERT_X509_GUID \ -+ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) -+ - typedef struct { - efi_guid_t guid; - u64 table; -@@ -523,6 +529,20 @@ typedef struct { - - #define EFI_INVALID_TABLE_ADDR (~0UL) - -+typedef struct { -+ efi_guid_t signature_owner; -+ u8 signature_data[]; -+} efi_signature_data_t; -+ -+typedef struct { -+ efi_guid_t signature_type; -+ u32 signature_list_size; -+ u32 signature_header_size; -+ u32 signature_size; -+ u8 signature_header[]; -+ /* efi_signature_data_t signatures[][] */ -+} efi_signature_list_t; -+ - /* - * All runtime access to EFI goes through this structure: - */ --- -1.8.1.2 - - -From 3cffca89eadf7e0f0a266c370f8034f33723831a Mon Sep 17 00:00:00 2001 -From: Dave Howells -Date: Tue, 23 Oct 2012 09:36:28 -0400 -Subject: [PATCH 06/19] Add an EFI signature blob parser and key loader. - -X.509 certificates are loaded into the specified keyring as asymmetric type -keys. - -Signed-off-by: David Howells ---- - crypto/asymmetric_keys/Kconfig | 8 +++ - crypto/asymmetric_keys/Makefile | 1 + - crypto/asymmetric_keys/efi_parser.c | 108 ++++++++++++++++++++++++++++++++++++ - include/linux/efi.h | 4 ++ - 4 files changed, 121 insertions(+) - create mode 100644 crypto/asymmetric_keys/efi_parser.c - -diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig -index 6d2c2ea..ace9c30 100644 ---- a/crypto/asymmetric_keys/Kconfig -+++ b/crypto/asymmetric_keys/Kconfig -@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER - data and provides the ability to instantiate a crypto key from a - public key packet found inside the certificate. - -+config EFI_SIGNATURE_LIST_PARSER -+ bool "EFI signature list parser" -+ depends on EFI -+ select X509_CERTIFICATE_PARSER -+ help -+ This option provides support for parsing EFI signature lists for -+ X.509 certificates and turning them into keys. -+ - endif # ASYMMETRIC_KEY_TYPE -diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile -index 0727204..cd8388e 100644 ---- a/crypto/asymmetric_keys/Makefile -+++ b/crypto/asymmetric_keys/Makefile -@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o - - obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o - obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o -+obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o - - # - # X.509 Certificate handling -diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c -new file mode 100644 -index 0000000..636feb1 ---- /dev/null -+++ b/crypto/asymmetric_keys/efi_parser.c -@@ -0,0 +1,108 @@ -+/* EFI signature/key/certificate list parser -+ * -+ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. -+ * Written by David Howells (dhowells@redhat.com) -+ * -+ * This program is free software; you can redistribute it and/or -+ * modify it under the terms of the GNU General Public Licence -+ * as published by the Free Software Foundation; either version -+ * 2 of the Licence, or (at your option) any later version. -+ */ -+ -+#define pr_fmt(fmt) "EFI: "fmt -+#include -+#include -+#include -+#include -+#include -+ -+static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; -+ -+/** -+ * parse_efi_signature_list - Parse an EFI signature list for certificates -+ * @data: The data blob to parse -+ * @size: The size of the data blob -+ * @keyring: The keyring to add extracted keys to -+ */ -+int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) -+{ -+ unsigned offs = 0; -+ size_t lsize, esize, hsize, elsize; -+ -+ pr_devel("-->%s(,%zu)\n", __func__, size); -+ -+ while (size > 0) { -+ efi_signature_list_t list; -+ const efi_signature_data_t *elem; -+ key_ref_t key; -+ -+ if (size < sizeof(list)) -+ return -EBADMSG; -+ -+ memcpy(&list, data, sizeof(list)); -+ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", -+ offs, -+ list.signature_type.b, list.signature_list_size, -+ list.signature_header_size, list.signature_size); -+ -+ lsize = list.signature_list_size; -+ hsize = list.signature_header_size; -+ esize = list.signature_size; -+ elsize = lsize - sizeof(list) - hsize; -+ -+ if (lsize > size) { -+ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", -+ __func__, offs); -+ return -EBADMSG; -+ } -+ if (lsize < sizeof(list) || -+ lsize - sizeof(list) < hsize || -+ esize < sizeof(*elem) || -+ elsize < esize || -+ elsize % esize != 0) { -+ pr_devel("- bad size combo @%x\n", offs); -+ return -EBADMSG; -+ } -+ -+ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { -+ data += lsize; -+ size -= lsize; -+ offs += lsize; -+ continue; -+ } -+ -+ data += sizeof(list) + hsize; -+ size -= sizeof(list) + hsize; -+ offs += sizeof(list) + hsize; -+ -+ for (; elsize > 0; elsize -= esize) { -+ elem = data; -+ -+ pr_devel("ELEM[%04x]\n", offs); -+ -+ key = key_create_or_update( -+ make_key_ref(keyring, 1), -+ "asymmetric", -+ NULL, -+ &elem->signature_data, -+ esize - sizeof(*elem), -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW, -+ KEY_ALLOC_NOT_IN_QUOTA); -+ -+ if (IS_ERR(key)) -+ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", -+ PTR_ERR(key)); -+ else -+ pr_notice("Loaded cert '%s' linked to '%s'\n", -+ key_ref_to_ptr(key)->description, -+ keyring->description); -+ -+ data += esize; -+ size -= esize; -+ offs += esize; -+ } -+ } -+ -+ return 0; -+} -diff --git a/include/linux/efi.h b/include/linux/efi.h -index de7021d..64b3e55 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -612,6 +612,10 @@ extern int efi_set_rtc_mmss(unsigned long nowtime); - extern void efi_reserve_boot_services(void); - extern struct efi_memory_map memmap; - -+struct key; -+extern int __init parse_efi_signature_list(const void *data, size_t size, -+ struct key *keyring); -+ - /** - * efi_range_is_wc - check the WC bit on an address range - * @start: starting kvirt address --- -1.8.1.2 - - -From 89ea7424726ae4f7265ab84e703cf2da77acda57 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 26 Oct 2012 12:36:24 -0400 -Subject: [PATCH 07/19] MODSIGN: Add module certificate blacklist keyring - -This adds an additional keyring that is used to store certificates that -are blacklisted. This keyring is searched first when loading signed modules -and if the module's certificate is found, it will refuse to load. This is -useful in cases where third party certificates are used for module signing. - -Signed-off-by: Josh Boyer ---- - init/Kconfig | 8 ++++++++ - kernel/modsign_pubkey.c | 14 ++++++++++++++ - kernel/module-internal.h | 3 +++ - kernel/module_signing.c | 12 ++++++++++++ - 4 files changed, 37 insertions(+) - -diff --git a/init/Kconfig b/init/Kconfig -index be8b7f5..d972b77 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1665,6 +1665,14 @@ config MODULE_SIG_FORCE - Reject unsigned modules or signed modules for which we don't have a - key. Without this, such modules will simply taint the kernel. - -+config MODULE_SIG_BLACKLIST -+ bool "Support for blacklisting module signature certificates" -+ depends on MODULE_SIG -+ help -+ This adds support for keeping a blacklist of certificates that -+ should not pass module signature verification. If a module is -+ signed with something in this keyring, the load will be rejected. -+ - choice - prompt "Which hash algorithm should modules be signed with?" - depends on MODULE_SIG -diff --git a/kernel/modsign_pubkey.c b/kernel/modsign_pubkey.c -index 2b6e699..4cd408d 100644 ---- a/kernel/modsign_pubkey.c -+++ b/kernel/modsign_pubkey.c -@@ -17,6 +17,9 @@ - #include "module-internal.h" - - struct key *modsign_keyring; -+#ifdef CONFIG_MODULE_SIG_BLACKLIST -+struct key *modsign_blacklist; -+#endif - - extern __initdata const u8 modsign_certificate_list[]; - extern __initdata const u8 modsign_certificate_list_end[]; -@@ -43,6 +46,17 @@ static __init int module_verify_init(void) - if (IS_ERR(modsign_keyring)) - panic("Can't allocate module signing keyring\n"); - -+#ifdef CONFIG_MODULE_SIG_BLACKLIST -+ modsign_blacklist = keyring_alloc(".modsign_blacklist", -+ KUIDT_INIT(0), KGIDT_INIT(0), -+ current_cred(), -+ (KEY_POS_ALL & ~KEY_POS_SETATTR) | -+ KEY_USR_VIEW | KEY_USR_READ, -+ KEY_ALLOC_NOT_IN_QUOTA, NULL); -+ if (IS_ERR(modsign_blacklist)) -+ panic("Can't allocate module signing blacklist keyring\n"); -+#endif -+ - return 0; - } - -diff --git a/kernel/module-internal.h b/kernel/module-internal.h -index 24f9247..51a8380 100644 ---- a/kernel/module-internal.h -+++ b/kernel/module-internal.h -@@ -10,5 +10,8 @@ - */ - - extern struct key *modsign_keyring; -+#ifdef CONFIG_MODULE_SIG_BLACKLIST -+extern struct key *modsign_blacklist; -+#endif - - extern int mod_verify_sig(const void *mod, unsigned long *_modlen); -diff --git a/kernel/module_signing.c b/kernel/module_signing.c -index f2970bd..5423195 100644 ---- a/kernel/module_signing.c -+++ b/kernel/module_signing.c -@@ -157,6 +157,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, - - pr_debug("Look up: \"%s\"\n", id); - -+#ifdef CONFIG_MODULE_SIG_BLACKLIST -+ key = keyring_search(make_key_ref(modsign_blacklist, 1), -+ &key_type_asymmetric, id); -+ if (!IS_ERR(key)) { -+ /* module is signed with a cert in the blacklist. reject */ -+ pr_err("Module key '%s' is in blacklist\n", id); -+ key_ref_put(key); -+ kfree(id); -+ return ERR_PTR(-EKEYREJECTED); -+ } -+#endif -+ - key = keyring_search(make_key_ref(modsign_keyring, 1), - &key_type_asymmetric, id); - if (IS_ERR(key)) --- -1.8.1.2 - - -From 733a5c25b896d8d5fa0051825a671911b50cb47d Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 26 Oct 2012 12:42:16 -0400 -Subject: [PATCH 08/19] MODSIGN: Import certificates from UEFI Secure Boot - -Secure Boot stores a list of allowed certificates in the 'db' variable. -This imports those certificates into the module signing keyring. This -allows for a third party signing certificate to be used in conjunction -with signed modules. By importing the public certificate into the 'db' -variable, a user can allow a module signed with that certificate to -load. The shim UEFI bootloader has a similar certificate list stored -in the 'MokListRT' variable. We import those as well. - -In the opposite case, Secure Boot maintains a list of disallowed -certificates in the 'dbx' variable. We load those certificates into -the newly introduced module blacklist keyring and forbid any module -signed with those from loading. - -Signed-off-by: Josh Boyer ---- - include/linux/efi.h | 6 ++++ - init/Kconfig | 9 ++++++ - kernel/Makefile | 3 ++ - kernel/modsign_uefi.c | 90 +++++++++++++++++++++++++++++++++++++++++++++++++++ - 4 files changed, 108 insertions(+) - create mode 100644 kernel/modsign_uefi.c - -diff --git a/include/linux/efi.h b/include/linux/efi.h -index 64b3e55..76fe526 100644 ---- a/include/linux/efi.h -+++ b/include/linux/efi.h -@@ -394,6 +394,12 @@ typedef efi_status_t efi_query_capsule_caps_t(efi_capsule_header_t **capsules, - #define EFI_CERT_X509_GUID \ - EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) - -+#define EFI_IMAGE_SECURITY_DATABASE_GUID \ -+ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) -+ -+#define EFI_SHIM_LOCK_GUID \ -+ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) -+ - typedef struct { - efi_guid_t guid; - u64 table; -diff --git a/init/Kconfig b/init/Kconfig -index d972b77..27e3a82 100644 ---- a/init/Kconfig -+++ b/init/Kconfig -@@ -1673,6 +1673,15 @@ config MODULE_SIG_BLACKLIST - should not pass module signature verification. If a module is - signed with something in this keyring, the load will be rejected. - -+config MODULE_SIG_UEFI -+ bool "Allow modules signed with certs stored in UEFI" -+ depends on MODULE_SIG && MODULE_SIG_BLACKLIST && EFI -+ select EFI_SIGNATURE_LIST_PARSER -+ help -+ This will import certificates stored in UEFI and allow modules -+ signed with those to be loaded. It will also disallow loading -+ of modules stored in the UEFI dbx variable. -+ - choice - prompt "Which hash algorithm should modules be signed with?" - depends on MODULE_SIG -diff --git a/kernel/Makefile b/kernel/Makefile -index 6c072b6..8848829 100644 ---- a/kernel/Makefile -+++ b/kernel/Makefile -@@ -55,6 +55,7 @@ obj-$(CONFIG_PROVE_LOCKING) += spinlock.o - obj-$(CONFIG_UID16) += uid16.o - obj-$(CONFIG_MODULES) += module.o - obj-$(CONFIG_MODULE_SIG) += module_signing.o modsign_pubkey.o modsign_certificate.o -+obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o - obj-$(CONFIG_KALLSYMS) += kallsyms.o - obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o - obj-$(CONFIG_KEXEC) += kexec.o -@@ -114,6 +115,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o - - $(obj)/configs.o: $(obj)/config_data.h - -+$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar -+ - # config_data.h contains the same information as ikconfig.h but gzipped. - # Info from config_data can be extracted from /proc/config* - targets += config_data.gz -diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c -new file mode 100644 -index 0000000..b9237d7 ---- /dev/null -+++ b/kernel/modsign_uefi.c -@@ -0,0 +1,91 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "module-internal.h" -+ -+static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) -+{ -+ efi_status_t status; -+ unsigned long lsize = 4; -+ unsigned long tmpdb[4]; -+ void *db = NULL; -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); -+ if (status != EFI_BUFFER_TOO_SMALL) { -+ pr_err("Couldn't get size: 0x%lx\n", status); -+ return NULL; -+ } -+ -+ db = kmalloc(lsize, GFP_KERNEL); -+ if (!db) { -+ pr_err("Couldn't allocate memory for uefi cert list\n"); -+ goto out; -+ } -+ -+ status = efi.get_variable(name, guid, NULL, &lsize, db); -+ if (status != EFI_SUCCESS) { -+ kfree(db); -+ db = NULL; -+ pr_err("Error reading db var: 0x%lx\n", status); -+ } -+out: -+ *size = lsize; -+ return db; -+} -+ -+/* -+ * * Load the certs contained in the UEFI databases -+ * */ -+static int __init load_uefi_certs(void) -+{ -+ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; -+ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; -+ void *db = NULL, *dbx = NULL, *mok = NULL; -+ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; -+ int rc = 0; -+ -+ /* Check if SB is enabled and just return if not */ -+ if (!efi_enabled(EFI_SECURE_BOOT)) -+ return 0; -+ -+ /* Get db, MokListRT, and dbx. They might not exist, so it isn't -+ * an error if we can't get them. -+ */ -+ db = get_cert_list(L"db", &secure_var, &dbsize); -+ if (!db) { -+ pr_err("MODSIGN: Couldn't get UEFI db list\n"); -+ } else { -+ rc = parse_efi_signature_list(db, dbsize, modsign_keyring); -+ if (rc) -+ pr_err("Couldn't parse db signatures: %d\n", rc); -+ kfree(db); -+ } -+ -+ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); -+ if (!mok) { -+ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); -+ } else { -+ rc = parse_efi_signature_list(mok, moksize, modsign_keyring); -+ if (rc) -+ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); -+ kfree(mok); -+ } -+ -+ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); -+ if (!dbx) { -+ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); -+ } else { -+ rc = parse_efi_signature_list(dbx, dbxsize, -+ modsign_blacklist); -+ if (rc) -+ pr_err("Couldn't parse dbx signatures: %d\n", rc); -+ kfree(dbx); -+ } -+ -+ return rc; -+} -+late_initcall(load_uefi_certs); --- -1.8.1.2 - - -From 16027d676baed34a9de804dac68d48096a688b39 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:40:57 -0400 -Subject: [PATCH 09/19] PCI: Lock down BAR access in secure boot environments - -Any hardware that can potentially generate DMA has to be locked down from -userspace in order to avoid it being possible for an attacker to cause -arbitrary kernel behaviour. Default to paranoid - in future we can -potentially relax this for sufficiently IOMMU-isolated devices. - -Signed-off-by: Matthew Garrett ---- - drivers/pci/pci-sysfs.c | 9 +++++++++ - drivers/pci/proc.c | 8 +++++++- - drivers/pci/syscall.c | 2 +- - 3 files changed, 17 insertions(+), 2 deletions(-) - -diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c -index 9c6e9bb..b966089 100644 ---- a/drivers/pci/pci-sysfs.c -+++ b/drivers/pci/pci-sysfs.c -@@ -622,6 +622,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, - loff_t init_off = off; - u8 *data = (u8*) buf; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (off > dev->cfg_size) - return 0; - if (off + count > dev->cfg_size) { -@@ -928,6 +931,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, - resource_size_t start, end; - int i; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - for (i = 0; i < PCI_ROM_RESOURCE; i++) - if (res == &pdev->resource[i]) - break; -@@ -1035,6 +1041,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, - struct bin_attribute *attr, char *buf, - loff_t off, size_t count) - { -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - return pci_resource_io(filp, kobj, attr, buf, off, count, true); - } - -diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c -index 9b8505c..35580bc 100644 ---- a/drivers/pci/proc.c -+++ b/drivers/pci/proc.c -@@ -139,6 +139,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof - int size = dp->size; - int cnt; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (pos >= size) - return 0; - if (nbytes >= size) -@@ -219,6 +222,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, - #endif /* HAVE_PCI_MMAP */ - int ret = 0; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - switch (cmd) { - case PCIIOC_CONTROLLER: - ret = pci_domain_nr(dev->bus); -@@ -259,7 +265,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) - struct pci_filp_private *fpriv = file->private_data; - int i, ret; - -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)) - return -EPERM; - - /* Make sure the caller is mapping a real resource for this device */ -diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c -index e1c1ec5..97e785f 100644 ---- a/drivers/pci/syscall.c -+++ b/drivers/pci/syscall.c -@@ -92,7 +92,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, - u32 dword; - int err = 0; - -- if (!capable(CAP_SYS_ADMIN)) -+ if (!capable(CAP_SYS_ADMIN) || !capable(CAP_COMPROMISE_KERNEL)) - return -EPERM; - - dev = pci_get_bus_and_slot(bus, dfn); --- -1.8.1.2 - - -From 9ff1537bbe8c22bbf7f992027da43d4fe8da0860 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:40:58 -0400 -Subject: [PATCH 10/19] x86: Lock down IO port access in secure boot - environments - -IO port access would permit users to gain access to PCI configuration -registers, which in turn (on a lot of hardware) give access to MMIO register -space. This would potentially permit root to trigger arbitrary DMA, so lock -it down by default. - -Signed-off-by: Matthew Garrett ---- - arch/x86/kernel/ioport.c | 4 ++-- - drivers/char/mem.c | 3 +++ - 2 files changed, 5 insertions(+), 2 deletions(-) - -diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c -index 8c96897..a2578c4 100644 ---- a/arch/x86/kernel/ioport.c -+++ b/arch/x86/kernel/ioport.c -@@ -28,7 +28,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) - - if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) - return -EINVAL; -- if (turn_on && !capable(CAP_SYS_RAWIO)) -+ if (turn_on && (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL))) - return -EPERM; - - /* -@@ -102,7 +102,7 @@ long sys_iopl(unsigned int level, struct pt_regs *regs) - return -EINVAL; - /* Trying to gain more privileges? */ - if (level > old) { -- if (!capable(CAP_SYS_RAWIO)) -+ if (!capable(CAP_SYS_RAWIO) || !capable(CAP_COMPROMISE_KERNEL)) - return -EPERM; - } - regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index c6fa3bc..fc28099 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -597,6 +597,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, - unsigned long i = *ppos; - const char __user * tmp = buf; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (!access_ok(VERIFY_READ, buf, count)) - return -EFAULT; - while (count-- > 0 && i < 65536) { --- -1.8.1.2 - - -From 3b27408b1ced1ec83a3ce27f9d51161dbf7cea9a Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:40:59 -0400 -Subject: [PATCH 11/19] ACPI: Limit access to custom_method - -It must be impossible for even root to get code executed in kernel context -under a secure boot environment. custom_method effectively allows arbitrary -access to system memory, so it needs to have a capability check here. - -Signed-off-by: Matthew Garrett ---- - drivers/acpi/custom_method.c | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c -index 5d42c24..247d58b 100644 ---- a/drivers/acpi/custom_method.c -+++ b/drivers/acpi/custom_method.c -@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, - struct acpi_table_header table; - acpi_status status; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (!(*ppos)) { - /* parse the table header to get the table length */ - if (count <= sizeof(struct acpi_table_header)) --- -1.8.1.2 - - -From fb618a04089d454b7ade68c00a2b9c7dbac013f9 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:41:00 -0400 -Subject: [PATCH 12/19] asus-wmi: Restrict debugfs interface - -We have no way of validating what all of the Asus WMI methods do on a -given machine, and there's a risk that some will allow hardware state to -be manipulated in such a way that arbitrary code can be executed in the -kernel. Add a capability check to prevent that. - -Signed-off-by: Matthew Garrett ---- - drivers/platform/x86/asus-wmi.c | 9 +++++++++ - 1 file changed, 9 insertions(+) - -diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c -index f80ae4d..059195f 100644 ---- a/drivers/platform/x86/asus-wmi.c -+++ b/drivers/platform/x86/asus-wmi.c -@@ -1521,6 +1521,9 @@ static int show_dsts(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); - - if (err < 0) -@@ -1537,6 +1540,9 @@ static int show_devs(struct seq_file *m, void *data) - int err; - u32 retval = -1; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, - &retval); - -@@ -1561,6 +1567,9 @@ static int show_call(struct seq_file *m, void *data) - union acpi_object *obj; - acpi_status status; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, - 1, asus->debug.method_id, - &input, &output); --- -1.8.1.2 - - -From e515bbd5410d00835390fd8981aa9029e7b22b73 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Thu, 20 Sep 2012 10:41:01 -0400 -Subject: [PATCH 13/19] Restrict /dev/mem and /dev/kmem in secure boot setups - -Allowing users to write to address space makes it possible for the kernel -to be subverted. Restrict this when we need to protect the kernel. - -Signed-off-by: Matthew Garrett ---- - drivers/char/mem.c | 6 ++++++ - 1 file changed, 6 insertions(+) - -diff --git a/drivers/char/mem.c b/drivers/char/mem.c -index fc28099..b5df7a8 100644 ---- a/drivers/char/mem.c -+++ b/drivers/char/mem.c -@@ -158,6 +158,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, - unsigned long copied; - void *ptr; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (!valid_phys_addr_range(p, count)) - return -EFAULT; - -@@ -530,6 +533,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, - char * kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ - int err = 0; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (p < (unsigned long) high_memory) { - unsigned long to_write = min_t(unsigned long, count, - (unsigned long)high_memory - p); --- -1.8.1.2 - - -From fe27dd192ef250abcbaba973a14d43b21d7be497 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Thu, 20 Sep 2012 10:41:04 -0400 -Subject: [PATCH 14/19] acpi: Ignore acpi_rsdp kernel parameter in a secure - boot environment - -This option allows userspace to pass the RSDP address to the kernel. This -could potentially be used to circumvent the secure boot trust model. -We ignore the setting if we don't have the CAP_COMPROMISE_KERNEL capability. - -Signed-off-by: Josh Boyer ---- - drivers/acpi/osl.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c -index bd22f86..88251d2 100644 ---- a/drivers/acpi/osl.c -+++ b/drivers/acpi/osl.c -@@ -246,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); - acpi_physical_address __init acpi_os_get_root_pointer(void) - { - #ifdef CONFIG_KEXEC -- if (acpi_rsdp) -+ if (acpi_rsdp && capable(CAP_COMPROMISE_KERNEL)) - return acpi_rsdp; - #endif - --- -1.8.1.2 - - -From c937b2c8e179bfdadb6617c0028f558e4d701e46 Mon Sep 17 00:00:00 2001 -From: Matthew Garrett -Date: Tue, 4 Sep 2012 11:55:13 -0400 -Subject: [PATCH 15/19] kexec: Disable in a secure boot environment - -kexec could be used as a vector for a malicious user to use a signed kernel -to circumvent the secure boot trust model. In the long run we'll want to -support signed kexec payloads, but for the moment we should just disable -loading entirely in that situation. - -Signed-off-by: Matthew Garrett ---- - kernel/kexec.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/kexec.c b/kernel/kexec.c -index 5e4bd78..dd464e0 100644 ---- a/kernel/kexec.c -+++ b/kernel/kexec.c -@@ -943,7 +943,7 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, - int result; - - /* We only trust the superuser with rebooting the system. */ -- if (!capable(CAP_SYS_BOOT)) -+ if (!capable(CAP_SYS_BOOT) || !capable(CAP_COMPROMISE_KERNEL)) - return -EPERM; - - /* --- -1.8.1.2 - - -From f08e390045266d53543a55afa16ca4be5a1c6316 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 5 Oct 2012 10:12:48 -0400 -Subject: [PATCH 16/19] MODSIGN: Always enforce module signing in a Secure Boot - environment - -If a machine is booted into a Secure Boot environment, we need to -protect the trust model. This requires that all modules be signed -with a key that is in the kernel's _modsign keyring. The checks for -this are already done via the 'sig_enforce' module parameter. Make -this visible within the kernel and force it to be true. - -Signed-off-by: Josh Boyer ---- - kernel/cred.c | 8 ++++++++ - kernel/module.c | 4 ++-- - 2 files changed, 10 insertions(+), 2 deletions(-) - -diff --git a/kernel/cred.c b/kernel/cred.c -index c3f4e3e..c5554e0 100644 ---- a/kernel/cred.c -+++ b/kernel/cred.c -@@ -565,11 +565,19 @@ void __init cred_init(void) - 0, SLAB_HWCACHE_ALIGN|SLAB_PANIC, NULL); - } - -+#ifdef CONFIG_MODULE_SIG -+extern bool sig_enforce; -+#endif -+ - void __init secureboot_enable() - { - pr_info("Secure boot enabled\n"); - cap_lower((&init_cred)->cap_bset, CAP_COMPROMISE_KERNEL); - cap_lower((&init_cred)->cap_permitted, CAP_COMPROMISE_KERNEL); -+#ifdef CONFIG_MODULE_SIG -+ /* Enable module signature enforcing */ -+ sig_enforce = true; -+#endif - } - - /* Dummy Secure Boot enable option to fake out UEFI SB=1 */ -diff --git a/kernel/module.c b/kernel/module.c -index eab0827..93a16dc 100644 ---- a/kernel/module.c -+++ b/kernel/module.c -@@ -109,9 +109,9 @@ struct list_head *kdb_modules = &modules; /* kdb needs the list of modules */ - - #ifdef CONFIG_MODULE_SIG - #ifdef CONFIG_MODULE_SIG_FORCE --static bool sig_enforce = true; -+bool sig_enforce = true; - #else --static bool sig_enforce = false; -+bool sig_enforce = false; - - static int param_set_bool_enable_only(const char *val, - const struct kernel_param *kp) --- -1.8.1.2 - - -From 54ba1eec5847d964b1d458a240b50271b9a356a4 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Fri, 26 Oct 2012 14:02:09 -0400 -Subject: [PATCH 17/19] hibernate: Disable in a Secure Boot environment - -There is currently no way to verify the resume image when returning -from hibernate. This might compromise the secure boot trust model, -so until we can work with signed hibernate images we disable it in -a Secure Boot environment. - -Signed-off-by: Josh Boyer ---- - kernel/power/hibernate.c | 15 ++++++++++++++- - kernel/power/main.c | 7 ++++++- - kernel/power/user.c | 3 +++ - 3 files changed, 23 insertions(+), 2 deletions(-) - -diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c -index b26f5f1..7f63cb4 100644 ---- a/kernel/power/hibernate.c -+++ b/kernel/power/hibernate.c -@@ -28,6 +28,7 @@ - #include - #include - #include -+#include - - #include "power.h" - -@@ -632,6 +633,10 @@ int hibernate(void) - { - int error; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) { -+ return -EPERM; -+ } -+ - lock_system_sleep(); - /* The snapshot device should not be opened while we're running */ - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { -@@ -723,7 +728,7 @@ static int software_resume(void) - /* - * If the user said "noresume".. bail out early. - */ -- if (noresume) -+ if (noresume || !capable(CAP_COMPROMISE_KERNEL)) - return 0; - - /* -@@ -889,6 +894,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, - int i; - char *start = buf; - -+ if (efi_enabled(EFI_SECURE_BOOT)) { -+ buf += sprintf(buf, "[%s]\n", "disabled"); -+ return buf-start; -+ } -+ - for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { - if (!hibernation_modes[i]) - continue; -@@ -923,6 +933,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, - char *p; - int mode = HIBERNATION_INVALID; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - p = memchr(buf, '\n', n); - len = p ? p - buf : n; - -diff --git a/kernel/power/main.c b/kernel/power/main.c -index 1c16f91..4f915fc 100644 ---- a/kernel/power/main.c -+++ b/kernel/power/main.c -@@ -15,6 +15,7 @@ - #include - #include - #include -+#include - - #include "power.h" - -@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr, - } - #endif - #ifdef CONFIG_HIBERNATION -- s += sprintf(s, "%s\n", "disk"); -+ if (!efi_enabled(EFI_SECURE_BOOT)) { -+ s += sprintf(s, "%s\n", "disk"); -+ } else { -+ s += sprintf(s, "\n"); -+ } - #else - if (s != buf) - /* convert the last space to a newline */ -diff --git a/kernel/power/user.c b/kernel/power/user.c -index 4ed81e7..b11a0f4 100644 ---- a/kernel/power/user.c -+++ b/kernel/power/user.c -@@ -48,6 +48,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) - struct snapshot_data *data; - int error; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - lock_system_sleep(); - - if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { --- -1.8.1.2 - - -From 686090054f6c3784218b318c7adcc3c1f0ca5069 Mon Sep 17 00:00:00 2001 -From: Josh Boyer -Date: Tue, 5 Feb 2013 19:25:05 -0500 -Subject: [PATCH 18/19] efi: Disable secure boot if shim is in insecure mode - -A user can manually tell the shim boot loader to disable validation of -images it loads. When a user does this, it creates a UEFI variable called -MokSBState that does not have the runtime attribute set. Given that the -user explicitly disabled validation, we can honor that and not enable -secure boot mode if that variable is set. - -Signed-off-by: Josh Boyer ---- - arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- - 1 file changed, 19 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c -index 96bd86b..6e1331c 100644 ---- a/arch/x86/boot/compressed/eboot.c -+++ b/arch/x86/boot/compressed/eboot.c -@@ -851,8 +851,9 @@ fail: - - static int get_secure_boot(efi_system_table_t *_table) - { -- u8 sb, setup; -+ u8 sb, setup, moksbstate; - unsigned long datasize = sizeof(sb); -+ u32 attr; - efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; - efi_status_t status; - -@@ -876,6 +877,23 @@ static int get_secure_boot(efi_system_table_t *_table) - if (setup == 1) - return 0; - -+ /* See if a user has put shim into insecure_mode. If so, and the variable -+ * doesn't have the runtime attribute set, we might as well honor that. -+ */ -+ var_guid = EFI_SHIM_LOCK_GUID; -+ status = efi_call_phys5(sys_table->runtime->get_variable, -+ L"MokSBState", &var_guid, &attr, &datasize, -+ &moksbstate); -+ -+ /* If it fails, we don't care why. Default to secure */ -+ if (status != EFI_SUCCESS) -+ return 1; -+ -+ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { -+ if (moksbstate == 1) -+ return 0; -+ } -+ - return 1; - } - --- -1.8.1.2 - - -From df607d2d5061b04f8a686cd74edd72c1f2836d8c Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Fri, 8 Feb 2013 11:12:13 -0800 -Subject: [PATCH 19/19] x86: Lock down MSR writing in secure boot - -Writing to MSRs should not be allowed unless CAP_COMPROMISE_KERNEL is -set since it could lead to execution of arbitrary code in kernel mode. - -Signed-off-by: Kees Cook ---- - arch/x86/kernel/msr.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c -index 4929502..adaab3d 100644 ---- a/arch/x86/kernel/msr.c -+++ b/arch/x86/kernel/msr.c -@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, - int err = 0; - ssize_t bytes = 0; - -+ if (!capable(CAP_COMPROMISE_KERNEL)) -+ return -EPERM; -+ - if (count % 8) - return -EINVAL; /* Invalid chunk size */ - -@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) - err = -EBADF; - break; - } -+ if (!capable(CAP_COMPROMISE_KERNEL)) { -+ err = -EPERM; -+ break; -+ } - if (copy_from_user(®s, uregs, sizeof regs)) { - err = -EFAULT; - break; --- -1.8.1.2 - From f26494e8c5563648ad030a24005a86bd8360d342 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 24 Jul 2013 14:19:00 -0500 Subject: [PATCH 169/468] Net stable queue from davem (rhbz 987639 987656) --- cve-2013-4125.patch | 79 - kernel.spec | 15 +- net_310.mbox | 3429 +++++++++++++++++ ...ix-use-after-free-in-vhost_net_flush.patch | 54 - 4 files changed, 3436 insertions(+), 141 deletions(-) delete mode 100644 cve-2013-4125.patch create mode 100644 net_310.mbox delete mode 100644 vhost-net-fix-use-after-free-in-vhost_net_flush.patch diff --git a/cve-2013-4125.patch b/cve-2013-4125.patch deleted file mode 100644 index 25b7eca42..000000000 --- a/cve-2013-4125.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 307f2fb95e9b96b3577916e73d92e104f8f26494 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 12 Jul 2013 21:46:33 +0000 -Subject: ipv6: only static routes qualify for equal cost multipathing - -Static routes in this case are non-expiring routes which did not get -configured by autoconf or by icmpv6 redirects. - -To make sure we actually get an ecmp route while searching for the first -one in this fib6_node's leafs, also make sure it matches the ecmp route -assumptions. - -v2: -a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF - already ensures that this route, even if added again without - RTF_EXPIRES (in case of a RA announcement with infinite timeout), - does not cause the rt6i_nsiblings logic to go wrong if a later RA - updates the expiration time later. - -v3: -a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, - because an pmtu event could update the RTF_EXPIRES flag and we would - not count this route, if another route joins this set. We now filter - only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that - don't get changed after rt6_info construction. - -Cc: Nicolas Dichtel -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- -diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c -index 192dd1a..5fc9c7a 100644 ---- a/net/ipv6/ip6_fib.c -+++ b/net/ipv6/ip6_fib.c -@@ -632,6 +632,12 @@ insert_above: - return ln; - } - -+static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt) -+{ -+ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) == -+ RTF_GATEWAY; -+} -+ - /* - * Insert routing information in a node. - */ -@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - int add = (!info->nlh || - (info->nlh->nlmsg_flags & NLM_F_CREATE)); - int found = 0; -+ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt); - - ins = &fn->leaf; - -@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - * To avoid long list, we only had siblings if the - * route have a gateway. - */ -- if (rt->rt6i_flags & RTF_GATEWAY && -- !(rt->rt6i_flags & RTF_EXPIRES) && -- !(iter->rt6i_flags & RTF_EXPIRES)) -+ if (rt_can_ecmp && -+ rt6_qualify_for_ecmp(iter)) - rt->rt6i_nsiblings++; - } - -@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - /* Find the first route that have the same metric */ - sibling = fn->leaf; - while (sibling) { -- if (sibling->rt6i_metric == rt->rt6i_metric) { -+ if (sibling->rt6i_metric == rt->rt6i_metric && -+ rt6_qualify_for_ecmp(sibling)) { - list_add_tail(&rt->rt6i_siblings, - &sibling->rt6i_siblings); - break; --- -cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 9cfdc0289..73e3582a3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -764,16 +764,14 @@ Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch -#rhbz 976789 980643 -Patch25062: vhost-net-fix-use-after-free-in-vhost_net_flush.patch - #rhbz 959721 Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -Patch26000: cve-2013-4125.patch +#rhbz 987639 987656 +Patch25065: net_310.mbox # END OF PATCH DEFINITIONS @@ -1487,16 +1485,14 @@ ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch -#rhbz 976789 980643 -ApplyPatch vhost-net-fix-use-after-free-in-vhost_net_flush.patch - #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -ApplyPatch cve-2013-4125.patch +#rhbz 987639 987656 +ApplyPatch net_310.mbox # END OF PATCH APPLICATIONS @@ -2306,6 +2302,9 @@ fi # and build. %changelog +* Wed Jul 24 2013 Justin M. Forbes +- Net stable queue from davem (rhbz 987639 987656) + * Mon Jul 22 2013 Justin M. Forbes 3.10.2-301 - Update secureboot patch for 3.10 diff --git a/net_310.mbox b/net_310.mbox new file mode 100644 index 000000000..e602f5325 --- /dev/null +++ b/net_310.mbox @@ -0,0 +1,3429 @@ +From 79339ba50702248d19a8825906ceb527d547444f Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Thu, 27 Jun 2013 22:46:04 +0200 +Subject: [PATCH 01/40] ipv6: only apply anti-spoofing checks to + not-pointopoint tunnels + +[ Upstream commit 5c29fb12e8fb8a8105ea048cb160fd79a85a52bb ] + +Because of commit 218774dc341f219bfcf940304a081b121a0e8099 ("ipv6: add +anti-spoofing checks for 6to4 and 6rd") the sit driver dropped packets +for 2002::/16 destinations and sources even when configured to work as a +tunnel with fixed endpoint. We may only apply the 6rd/6to4 anti-spoofing +checks if the device is not in pointopoint mode. + +This was an oversight from me in the above commit, sorry. Thanks to +Roman Mamedov for reporting this! + +Reported-by: Roman Mamedov +Cc: David Miller +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/sit.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 3353634..60df36d 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -589,7 +589,7 @@ static int ipip6_rcv(struct sk_buff *skb) + tunnel->dev->stats.rx_errors++; + goto out; + } +- } else { ++ } else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) { + if (is_spoofed_6rd(tunnel, iph->saddr, + &ipv6_hdr(skb)->saddr) || + is_spoofed_6rd(tunnel, iph->daddr, +-- +1.7.11.7 + + +From d605a92bd29513e01af93275527252e7423b2ac7 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 28 Jun 2013 02:37:42 -0700 +Subject: [PATCH 02/40] neighbour: fix a race in neigh_destroy() + +[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ] + +There is a race in neighbour code, because neigh_destroy() uses +skb_queue_purge(&neigh->arp_queue) without holding neighbour lock, +while other parts of the code assume neighbour rwlock is what +protects arp_queue + +Convert all skb_queue_purge() calls to the __skb_queue_purge() variant + +Use __skb_queue_head_init() instead of skb_queue_head_init() +to make clear we do not use arp_queue.lock + +And hold neigh->lock in neigh_destroy() to close the race. + +Reported-by: Joe Jin +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/core/neighbour.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/core/neighbour.c b/net/core/neighbour.c +index 5c56b21..ce90b02 100644 +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -231,7 +231,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev) + we must kill timers etc. and move + it to safe state. + */ +- skb_queue_purge(&n->arp_queue); ++ __skb_queue_purge(&n->arp_queue); + n->arp_queue_len_bytes = 0; + n->output = neigh_blackhole; + if (n->nud_state & NUD_VALID) +@@ -286,7 +286,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device + if (!n) + goto out_entries; + +- skb_queue_head_init(&n->arp_queue); ++ __skb_queue_head_init(&n->arp_queue); + rwlock_init(&n->lock); + seqlock_init(&n->ha_lock); + n->updated = n->used = now; +@@ -708,7 +708,9 @@ void neigh_destroy(struct neighbour *neigh) + if (neigh_del_timer(neigh)) + pr_warn("Impossible event\n"); + +- skb_queue_purge(&neigh->arp_queue); ++ write_lock_bh(&neigh->lock); ++ __skb_queue_purge(&neigh->arp_queue); ++ write_unlock_bh(&neigh->lock); + neigh->arp_queue_len_bytes = 0; + + if (dev->netdev_ops->ndo_neigh_destroy) +@@ -858,7 +860,7 @@ static void neigh_invalidate(struct neighbour *neigh) + neigh->ops->error_report(neigh, skb); + write_lock(&neigh->lock); + } +- skb_queue_purge(&neigh->arp_queue); ++ __skb_queue_purge(&neigh->arp_queue); + neigh->arp_queue_len_bytes = 0; + } + +@@ -1210,7 +1212,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, + + write_lock_bh(&neigh->lock); + } +- skb_queue_purge(&neigh->arp_queue); ++ __skb_queue_purge(&neigh->arp_queue); + neigh->arp_queue_len_bytes = 0; + } + out: +-- +1.7.11.7 + + +From ebae8ce31e1b43d3bcf62d5e906cc9ece42428ab Mon Sep 17 00:00:00 2001 +From: Dave Jones +Date: Fri, 28 Jun 2013 12:13:52 -0400 +Subject: [PATCH 03/40] x25: Fix broken locking in ioctl error paths. + +[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ] + +Two of the x25 ioctl cases have error paths that break out of the function without +unlocking the socket, leading to this warning: + +================================================ +[ BUG: lock held when returning to user space! ] +3.10.0-rc7+ #36 Not tainted +------------------------------------------------ +trinity-child2/31407 is leaving the kernel with locks still held! +1 lock held by trinity-child2/31407: + #0: (sk_lock-AF_X25){+.+.+.}, at: [] x25_ioctl+0x8a/0x740 [x25] + +Signed-off-by: Dave Jones +Signed-off-by: David S. Miller +--- + net/x25/af_x25.c | 15 ++++++++------- + 1 file changed, 8 insertions(+), 7 deletions(-) + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 37ca969..22c88d2 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1583,11 +1583,11 @@ out_cud_release: + case SIOCX25CALLACCPTAPPRV: { + rc = -EINVAL; + lock_sock(sk); +- if (sk->sk_state != TCP_CLOSE) +- break; +- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags); ++ if (sk->sk_state == TCP_CLOSE) { ++ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags); ++ rc = 0; ++ } + release_sock(sk); +- rc = 0; + break; + } + +@@ -1595,14 +1595,15 @@ out_cud_release: + rc = -EINVAL; + lock_sock(sk); + if (sk->sk_state != TCP_ESTABLISHED) +- break; ++ goto out_sendcallaccpt_release; + /* must call accptapprv above */ + if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags)) +- break; ++ goto out_sendcallaccpt_release; + x25_write_internal(sk, X25_CALL_ACCEPTED); + x25->state = X25_STATE_3; +- release_sock(sk); + rc = 0; ++out_sendcallaccpt_release: ++ release_sock(sk); + break; + } + +-- +1.7.11.7 + + +From 7da0d57c053a603f3cac04587ecdab2b3072d769 Mon Sep 17 00:00:00 2001 +From: Changli Gao +Date: Sat, 29 Jun 2013 00:15:51 +0800 +Subject: [PATCH 04/40] net: Swap ver and type in pppoe_hdr + +[ Upstream commit b1a5a34bd0b8767ea689e68f8ea513e9710b671e ] + +Ver and type in pppoe_hdr should be swapped as defined by RFC2516 +section-4. + +Signed-off-by: David S. Miller +--- + include/uapi/linux/if_pppox.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/include/uapi/linux/if_pppox.h b/include/uapi/linux/if_pppox.h +index 0b46fd5..e36a4ae 100644 +--- a/include/uapi/linux/if_pppox.h ++++ b/include/uapi/linux/if_pppox.h +@@ -135,11 +135,11 @@ struct pppoe_tag { + + struct pppoe_hdr { + #if defined(__LITTLE_ENDIAN_BITFIELD) +- __u8 ver : 4; + __u8 type : 4; ++ __u8 ver : 4; + #elif defined(__BIG_ENDIAN_BITFIELD) +- __u8 type : 4; + __u8 ver : 4; ++ __u8 type : 4; + #else + #error "Please fix " + #endif +-- +1.7.11.7 + + +From d9b54511307e46a8f144b20af88e9279966725f1 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sat, 29 Jun 2013 12:02:59 +0800 +Subject: [PATCH 05/40] gre: fix a regression in ioctl + +[ Upstream commit 6c734fb8592f6768170e48e7102cb2f0a1bb9759 ] + +When testing GRE tunnel, I got: + + # ip tunnel show + get tunnel gre0 failed: Invalid argument + get tunnel gre1 failed: Invalid argument + +This is a regression introduced by commit c54419321455631079c7d +("GRE: Refactor GRE tunneling code.") because previously we +only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, +after that commit, the check is moved for all commands. + +So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + +After this patch I got: + + # ip tunnel show + gre0: gre/ip remote any local any ttl inherit nopmtudisc + gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit + +Cc: Pravin B Shelar +Cc: "David S. Miller" +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +--- + net/ipv4/ip_gre.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c +index 2a83591..855004f 100644 +--- a/net/ipv4/ip_gre.c ++++ b/net/ipv4/ip_gre.c +@@ -503,10 +503,11 @@ static int ipgre_tunnel_ioctl(struct net_device *dev, + + if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) + return -EFAULT; +- if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || +- p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || +- ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) { +- return -EINVAL; ++ if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) { ++ if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || ++ p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || ++ ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) ++ return -EINVAL; + } + p.i_flags = gre_flags_to_tnl_flags(p.i_flags); + p.o_flags = gre_flags_to_tnl_flags(p.o_flags); +-- +1.7.11.7 + + +From 9df2226e2e019b405e6320599a6c07ef1e4be799 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Sat, 29 Jun 2013 13:00:57 +0800 +Subject: [PATCH 06/40] vti: remove duplicated code to fix a memory leak + +[ Upstream commit ab6c7a0a43c2eaafa57583822b619b22637b49c7 ] + +vti module allocates dev->tstats twice: in vti_fb_tunnel_init() +and in vti_tunnel_init(), this lead to a memory leak of +dev->tstats. + +Just remove the duplicated operations in vti_fb_tunnel_init(). + +(candidate for -stable) + +Cc: Stephen Hemminger +Cc: Saurabh Mohan +Cc: "David S. Miller" +Signed-off-by: Cong Wang +Acked-by: Stephen Hemminger +Signed-off-by: David S. Miller +--- + net/ipv4/ip_vti.c | 7 ------- + 1 file changed, 7 deletions(-) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index c118f6b..17cc0ff 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -606,17 +606,10 @@ static int __net_init vti_fb_tunnel_init(struct net_device *dev) + struct iphdr *iph = &tunnel->parms.iph; + struct vti_net *ipn = net_generic(dev_net(dev), vti_net_id); + +- tunnel->dev = dev; +- strcpy(tunnel->parms.name, dev->name); +- + iph->version = 4; + iph->protocol = IPPROTO_IPIP; + iph->ihl = 5; + +- dev->tstats = alloc_percpu(struct pcpu_tstats); +- if (!dev->tstats) +- return -ENOMEM; +- + dev_hold(dev); + rcu_assign_pointer(ipn->tunnels_wc[0], tunnel); + return 0; +-- +1.7.11.7 + + +From 5be3a4ef6d4ada70eee9dddf402f09d5771f071b Mon Sep 17 00:00:00 2001 +From: Amerigo Wang +Date: Sat, 29 Jun 2013 21:30:49 +0800 +Subject: [PATCH 07/40] ipv6,mcast: always hold idev->lock before mca_lock + +[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with + some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781 + ("ipv6: split duplicate address detection and router solicitation timer") + to get the __ipv6_get_lladdr() used by this patch. ] + +dingtianhong reported the following deadlock detected by lockdep: + + ====================================================== + [ INFO: possible circular locking dependency detected ] + 3.4.24.05-0.1-default #1 Not tainted + ------------------------------------------------------- + ksoftirqd/0/3 is trying to acquire lock: + (&ndev->lock){+.+...}, at: [] ipv6_get_lladdr+0x74/0x120 + + but task is already holding lock: + (&mc->mca_lock){+.+...}, at: [] mld_send_report+0x40/0x150 + + which lock already depends on the new lock. + + the existing dependency chain (in reverse order) is: + + -> #1 (&mc->mca_lock){+.+...}: + [] validate_chain+0x637/0x730 + [] __lock_acquire+0x2f7/0x500 + [] lock_acquire+0x114/0x150 + [] rt_spin_lock+0x4a/0x60 + [] igmp6_group_added+0x3b/0x120 + [] ipv6_mc_up+0x38/0x60 + [] ipv6_find_idev+0x3d/0x80 + [] addrconf_notify+0x3d5/0x4b0 + [] notifier_call_chain+0x3f/0x80 + [] raw_notifier_call_chain+0x11/0x20 + [] call_netdevice_notifiers+0x32/0x60 + [] __dev_notify_flags+0x34/0x80 + [] dev_change_flags+0x40/0x70 + [] do_setlink+0x237/0x8a0 + [] rtnl_newlink+0x3ec/0x600 + [] rtnetlink_rcv_msg+0x160/0x310 + [] netlink_rcv_skb+0x89/0xb0 + [] rtnetlink_rcv+0x27/0x40 + [] netlink_unicast+0x140/0x180 + [] netlink_sendmsg+0x33e/0x380 + [] sock_sendmsg+0x112/0x130 + [] __sys_sendmsg+0x44e/0x460 + [] sys_sendmsg+0x44/0x70 + [] system_call_fastpath+0x16/0x1b + + -> #0 (&ndev->lock){+.+...}: + [] check_prev_add+0x3de/0x440 + [] validate_chain+0x637/0x730 + [] __lock_acquire+0x2f7/0x500 + [] lock_acquire+0x114/0x150 + [] rt_read_lock+0x42/0x60 + [] ipv6_get_lladdr+0x74/0x120 + [] mld_newpack+0xb6/0x160 + [] add_grhead+0xab/0xc0 + [] add_grec+0x3ab/0x460 + [] mld_send_report+0x5a/0x150 + [] igmp6_timer_handler+0x4e/0xb0 + [] call_timer_fn+0xca/0x1d0 + [] run_timer_softirq+0x1df/0x2e0 + [] handle_pending_softirqs+0xf7/0x1f0 + [] __do_softirq_common+0x7b/0xf0 + [] __thread_do_softirq+0x1af/0x210 + [] run_ksoftirqd+0xe1/0x1f0 + [] kthread+0xae/0xc0 + [] kernel_thread_helper+0x4/0x10 + +actually we can just hold idev->lock before taking pmc->mca_lock, +and avoid taking idev->lock again when iterating idev->addr_list, +since the upper callers of mld_newpack() already take +read_lock_bh(&idev->lock). + +Reported-by: dingtianhong +Cc: dingtianhong +Cc: Hideaki YOSHIFUJI +Cc: David S. Miller +Cc: Hannes Frederic Sowa +Tested-by: Ding Tianhong +Tested-by: Chen Weilong +Signed-off-by: Cong Wang +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + include/net/addrconf.h | 3 +++ + net/ipv6/addrconf.c | 28 ++++++++++++++++++---------- + net/ipv6/mcast.c | 18 ++++++++++-------- + 3 files changed, 31 insertions(+), 18 deletions(-) + +diff --git a/include/net/addrconf.h b/include/net/addrconf.h +index 21f70270..01b1a1a 100644 +--- a/include/net/addrconf.h ++++ b/include/net/addrconf.h +@@ -86,6 +86,9 @@ extern int ipv6_dev_get_saddr(struct net *net, + const struct in6_addr *daddr, + unsigned int srcprefs, + struct in6_addr *saddr); ++extern int __ipv6_get_lladdr(struct inet6_dev *idev, ++ struct in6_addr *addr, ++ unsigned char banned_flags); + extern int ipv6_get_lladdr(struct net_device *dev, + struct in6_addr *addr, + unsigned char banned_flags); +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index 4ab4c38..fb8c94c 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1448,6 +1448,23 @@ try_nextdev: + } + EXPORT_SYMBOL(ipv6_dev_get_saddr); + ++int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, ++ unsigned char banned_flags) ++{ ++ struct inet6_ifaddr *ifp; ++ int err = -EADDRNOTAVAIL; ++ ++ list_for_each_entry(ifp, &idev->addr_list, if_list) { ++ if (ifp->scope == IFA_LINK && ++ !(ifp->flags & banned_flags)) { ++ *addr = ifp->addr; ++ err = 0; ++ break; ++ } ++ } ++ return err; ++} ++ + int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, + unsigned char banned_flags) + { +@@ -1457,17 +1474,8 @@ int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, + rcu_read_lock(); + idev = __in6_dev_get(dev); + if (idev) { +- struct inet6_ifaddr *ifp; +- + read_lock_bh(&idev->lock); +- list_for_each_entry(ifp, &idev->addr_list, if_list) { +- if (ifp->scope == IFA_LINK && +- !(ifp->flags & banned_flags)) { +- *addr = ifp->addr; +- err = 0; +- break; +- } +- } ++ err = __ipv6_get_lladdr(idev, addr, banned_flags); + read_unlock_bh(&idev->lock); + } + rcu_read_unlock(); +diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c +index bfa6cc3..c3998c2 100644 +--- a/net/ipv6/mcast.c ++++ b/net/ipv6/mcast.c +@@ -1343,8 +1343,9 @@ static void ip6_mc_hdr(struct sock *sk, struct sk_buff *skb, + hdr->daddr = *daddr; + } + +-static struct sk_buff *mld_newpack(struct net_device *dev, int size) ++static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size) + { ++ struct net_device *dev = idev->dev; + struct net *net = dev_net(dev); + struct sock *sk = net->ipv6.igmp_sk; + struct sk_buff *skb; +@@ -1369,7 +1370,7 @@ static struct sk_buff *mld_newpack(struct net_device *dev, int size) + + skb_reserve(skb, hlen); + +- if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) { ++ if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) { + /* : + * use unspecified address as the source address + * when a valid link-local address is not available. +@@ -1465,7 +1466,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, + struct mld2_grec *pgr; + + if (!skb) +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(pmc->idev, dev->mtu); + if (!skb) + return NULL; + pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec)); +@@ -1485,7 +1486,8 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, + static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + int type, int gdeleted, int sdeleted) + { +- struct net_device *dev = pmc->idev->dev; ++ struct inet6_dev *idev = pmc->idev; ++ struct net_device *dev = idev->dev; + struct mld2_report *pmr; + struct mld2_grec *pgr = NULL; + struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list; +@@ -1514,7 +1516,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(idev, dev->mtu); + } + } + first = 1; +@@ -1541,7 +1543,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, + pgr->grec_nsrcs = htons(scount); + if (skb) + mld_sendpack(skb); +- skb = mld_newpack(dev, dev->mtu); ++ skb = mld_newpack(idev, dev->mtu); + first = 1; + scount = 0; + } +@@ -1596,8 +1598,8 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) + struct sk_buff *skb = NULL; + int type; + ++ read_lock_bh(&idev->lock); + if (!pmc) { +- read_lock_bh(&idev->lock); + for (pmc=idev->mc_list; pmc; pmc=pmc->next) { + if (pmc->mca_flags & MAF_NOREPORT) + continue; +@@ -1609,7 +1611,6 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) + skb = add_grec(skb, pmc, type, 0, 0); + spin_unlock_bh(&pmc->mca_lock); + } +- read_unlock_bh(&idev->lock); + } else { + spin_lock_bh(&pmc->mca_lock); + if (pmc->mca_sfcount[MCAST_EXCLUDE]) +@@ -1619,6 +1620,7 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) + skb = add_grec(skb, pmc, type, 0, 0); + spin_unlock_bh(&pmc->mca_lock); + } ++ read_unlock_bh(&idev->lock); + if (skb) + mld_sendpack(skb); + } +-- +1.7.11.7 + + +From e85dcba98ae899b9e6d26625a86750eb92c9fadc Mon Sep 17 00:00:00 2001 +From: Pravin B Shelar +Date: Tue, 2 Jul 2013 10:57:33 -0700 +Subject: [PATCH 08/40] ip_tunnels: Use skb-len to PMTU check. + +[ Upstream commit 23a3647bc4f93bac3776c66dc2c7f7f68b3cd662 ] + +In path mtu check, ip header total length works for gre device +but not for gre-tap device. Use skb len which is consistent +for all tunneling types. This is old bug in gre. +This also fixes mtu calculation bug introduced by +commit c54419321455631079c7d (GRE: Refactor GRE tunneling code). + +Reported-by: Timo Teras +Signed-off-by: Pravin B Shelar +Signed-off-by: David S. Miller +--- + net/ipv4/ip_tunnel.c | 97 +++++++++++++++++++++++++++++----------------------- + 1 file changed, 54 insertions(+), 43 deletions(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index 7fa8f08..d05bd02 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -486,6 +486,53 @@ drop: + } + EXPORT_SYMBOL_GPL(ip_tunnel_rcv); + ++static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb, ++ struct rtable *rt, __be16 df) ++{ ++ struct ip_tunnel *tunnel = netdev_priv(dev); ++ int pkt_size = skb->len - tunnel->hlen; ++ int mtu; ++ ++ if (df) ++ mtu = dst_mtu(&rt->dst) - dev->hard_header_len ++ - sizeof(struct iphdr) - tunnel->hlen; ++ else ++ mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; ++ ++ if (skb_dst(skb)) ++ skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); ++ ++ if (skb->protocol == htons(ETH_P_IP)) { ++ if (!skb_is_gso(skb) && ++ (df & htons(IP_DF)) && mtu < pkt_size) { ++ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); ++ return -E2BIG; ++ } ++ } ++#if IS_ENABLED(CONFIG_IPV6) ++ else if (skb->protocol == htons(ETH_P_IPV6)) { ++ struct rt6_info *rt6 = (struct rt6_info *)skb_dst(skb); ++ ++ if (rt6 && mtu < dst_mtu(skb_dst(skb)) && ++ mtu >= IPV6_MIN_MTU) { ++ if ((tunnel->parms.iph.daddr && ++ !ipv4_is_multicast(tunnel->parms.iph.daddr)) || ++ rt6->rt6i_dst.plen == 128) { ++ rt6->rt6i_flags |= RTF_MODIFIED; ++ dst_metric_set(skb_dst(skb), RTAX_MTU, mtu); ++ } ++ } ++ ++ if (!skb_is_gso(skb) && mtu >= IPV6_MIN_MTU && ++ mtu < pkt_size) { ++ icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); ++ return -E2BIG; ++ } ++ } ++#endif ++ return 0; ++} ++ + void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + const struct iphdr *tnl_params) + { +@@ -499,7 +546,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + struct net_device *tdev; /* Device to other host */ + unsigned int max_headroom; /* The extra header space needed */ + __be32 dst; +- int mtu; + + inner_iph = (const struct iphdr *)skb_inner_network_header(skb); + +@@ -579,50 +625,11 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + goto tx_error; + } + +- df = tnl_params->frag_off; + +- if (df) +- mtu = dst_mtu(&rt->dst) - dev->hard_header_len +- - sizeof(struct iphdr); +- else +- mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; +- +- if (skb_dst(skb)) +- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); +- +- if (skb->protocol == htons(ETH_P_IP)) { +- df |= (inner_iph->frag_off&htons(IP_DF)); +- +- if (!skb_is_gso(skb) && +- (inner_iph->frag_off&htons(IP_DF)) && +- mtu < ntohs(inner_iph->tot_len)) { +- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); +- ip_rt_put(rt); +- goto tx_error; +- } +- } +-#if IS_ENABLED(CONFIG_IPV6) +- else if (skb->protocol == htons(ETH_P_IPV6)) { +- struct rt6_info *rt6 = (struct rt6_info *)skb_dst(skb); +- +- if (rt6 && mtu < dst_mtu(skb_dst(skb)) && +- mtu >= IPV6_MIN_MTU) { +- if ((tunnel->parms.iph.daddr && +- !ipv4_is_multicast(tunnel->parms.iph.daddr)) || +- rt6->rt6i_dst.plen == 128) { +- rt6->rt6i_flags |= RTF_MODIFIED; +- dst_metric_set(skb_dst(skb), RTAX_MTU, mtu); +- } +- } +- +- if (!skb_is_gso(skb) && mtu >= IPV6_MIN_MTU && +- mtu < skb->len) { +- icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); +- ip_rt_put(rt); +- goto tx_error; +- } ++ if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off)) { ++ ip_rt_put(rt); ++ goto tx_error; + } +-#endif + + if (tunnel->err_count > 0) { + if (time_before(jiffies, +@@ -646,6 +653,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, + ttl = ip4_dst_hoplimit(&rt->dst); + } + ++ df = tnl_params->frag_off; ++ if (skb->protocol == htons(ETH_P_IP)) ++ df |= (inner_iph->frag_off&htons(IP_DF)); ++ + max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr) + + rt->dst.header_len; + if (max_headroom > dev->needed_headroom) { +-- +1.7.11.7 + + +From c6ad7374aa71d0201f266963d9b5e2cf254ad22b Mon Sep 17 00:00:00 2001 +From: Wei Yongjun +Date: Tue, 2 Jul 2013 09:02:07 +0800 +Subject: [PATCH 09/40] l2tp: add missing .owner to struct pppox_proto + +[ Upstream commit e1558a93b61962710733dc8c11a2bc765607f1cd ] + +Add missing .owner of struct pppox_proto. This prevents the +module from being removed from underneath its users. + +Signed-off-by: Wei Yongjun +Signed-off-by: David S. Miller +--- + net/l2tp/l2tp_ppp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 8dec687..5ebee2d 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -1793,7 +1793,8 @@ static const struct proto_ops pppol2tp_ops = { + + static const struct pppox_proto pppol2tp_proto = { + .create = pppol2tp_create, +- .ioctl = pppol2tp_ioctl ++ .ioctl = pppol2tp_ioctl, ++ .owner = THIS_MODULE, + }; + + #ifdef CONFIG_L2TP_V3 +-- +1.7.11.7 + + +From 675b9402488074d7081811cb67055fb1e1f515b3 Mon Sep 17 00:00:00 2001 +From: Cong Wang +Date: Tue, 2 Jul 2013 14:49:34 +0800 +Subject: [PATCH 10/40] ipip: fix a regression in ioctl + +[ Upstream commit 3b7b514f44bff05d26a6499c4d4fac2a83938e6e ] + +This is a regression introduced by +commit fd58156e456d9f68fe0448 (IPIP: Use ip-tunneling code.) + +Similar to GRE tunnel, previously we only check the parameters +for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the +check is moved for all commands. + +So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. + +Also, the check for i_key, o_key etc. is suspicious too, +which did not exist before, reset them before passing +to ip_tunnel_ioctl(). + +Cc: Pravin B Shelar +Cc: "David S. Miller" +Signed-off-by: Cong Wang +Signed-off-by: David S. Miller +--- + net/ipv4/ipip.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c +index 77bfcce..7cfc456 100644 +--- a/net/ipv4/ipip.c ++++ b/net/ipv4/ipip.c +@@ -240,11 +240,13 @@ ipip_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) + return -EFAULT; + +- if (p.iph.version != 4 || p.iph.protocol != IPPROTO_IPIP || +- p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF))) +- return -EINVAL; +- if (p.i_key || p.o_key || p.i_flags || p.o_flags) +- return -EINVAL; ++ if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) { ++ if (p.iph.version != 4 || p.iph.protocol != IPPROTO_IPIP || ++ p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF))) ++ return -EINVAL; ++ } ++ ++ p.i_key = p.o_key = p.i_flags = p.o_flags = 0; + if (p.iph.ttl) + p.iph.frag_off |= htons(IP_DF); + +-- +1.7.11.7 + + +From 0e3f585c132e7716b8b96c20c59b15a24ec2790e Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Mon, 1 Jul 2013 20:21:30 +0200 +Subject: [PATCH 11/40] ipv6: call udp_push_pending_frames when uncorking a + socket with AF_INET pending data + +[ Upstream commit 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ] + +We accidentally call down to ip6_push_pending_frames when uncorking +pending AF_INET data on a ipv6 socket. This results in the following +splat (from Dave Jones): + +skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: +------------[ cut here ]------------ +kernel BUG at net/core/skbuff.c:126! +invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth ++netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c +CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 +task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 +RIP: 0010:[] [] skb_panic+0x63/0x65 +RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 +RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 +RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 +RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 +R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 +FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 +Stack: + ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 + ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 + ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 +Call Trace: + [] skb_push+0x3a/0x40 + [] ip6_push_pending_frames+0x1f6/0x4d0 + [] ? mark_held_locks+0xbb/0x140 + [] udp_v6_push_pending_frames+0x2b9/0x3d0 + [] ? udplite_getfrag+0x20/0x20 + [] udp_lib_setsockopt+0x1aa/0x1f0 + [] ? fget_light+0x387/0x4f0 + [] udpv6_setsockopt+0x34/0x40 + [] sock_common_setsockopt+0x14/0x20 + [] SyS_setsockopt+0x71/0xd0 + [] tracesys+0xdd/0xe2 +Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 +RIP [] skb_panic+0x63/0x65 + RSP + +This patch adds a check if the pending data is of address family AF_INET +and directly calls udp_push_ending_frames from udp_v6_push_pending_frames +if that is the case. + +This bug was found by Dave Jones with trinity. + +(Also move the initialization of fl6 below the AF_INET check, even if +not strictly necessary.) + +Cc: Dave Jones +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + include/net/udp.h | 1 + + net/ipv4/udp.c | 3 ++- + net/ipv6/udp.c | 7 ++++++- + 3 files changed, 9 insertions(+), 2 deletions(-) + +diff --git a/include/net/udp.h b/include/net/udp.h +index 065f379..ad99eed 100644 +--- a/include/net/udp.h ++++ b/include/net/udp.h +@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk, unsigned short snum, + extern void udp_err(struct sk_buff *, u32); + extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk, + struct msghdr *msg, size_t len); ++extern int udp_push_pending_frames(struct sock *sk); + extern void udp_flush_pending_frames(struct sock *sk); + extern int udp_rcv(struct sk_buff *skb); + extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 0bf5d39..93b731d 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -799,7 +799,7 @@ send: + /* + * Push out all pending data as one UDP datagram. Socket is locked. + */ +-static int udp_push_pending_frames(struct sock *sk) ++int udp_push_pending_frames(struct sock *sk) + { + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +@@ -818,6 +818,7 @@ out: + up->pending = 0; + return err; + } ++EXPORT_SYMBOL(udp_push_pending_frames); + + int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + size_t len) +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index 42923b1..e7b28f9 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -955,11 +955,16 @@ static int udp_v6_push_pending_frames(struct sock *sk) + struct udphdr *uh; + struct udp_sock *up = udp_sk(sk); + struct inet_sock *inet = inet_sk(sk); +- struct flowi6 *fl6 = &inet->cork.fl.u.ip6; ++ struct flowi6 *fl6; + int err = 0; + int is_udplite = IS_UDPLITE(sk); + __wsum csum = 0; + ++ if (up->pending == AF_INET) ++ return udp_push_pending_frames(sk); ++ ++ fl6 = &inet->cork.fl.u.ip6; ++ + /* Grab the skbuff where UDP header space exists. */ + if ((skb = skb_peek(&sk->sk_write_queue)) == NULL) + goto out; +-- +1.7.11.7 + + +From 1fcbda94eb3ababc95eff46548962ceb14de638e Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 2 Jul 2013 08:04:05 +0200 +Subject: [PATCH 12/40] ipv6: ip6_append_data_mtu did not care about pmtudisc + and frag_size + +[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ] + +If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track +of this when appending the second frame on a corked socket. This results +in the following splat: + +[37598.993962] ------------[ cut here ]------------ +[37598.994008] kernel BUG at net/core/skbuff.c:2064! +[37598.994008] invalid opcode: 0000 [#1] SMP +[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat ++nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi ++scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm +[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc ++dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video +[37598.994008] CPU 0 +[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG +[37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 +[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 +[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 +[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 +[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 +[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 +[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 +[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 +[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 +[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) +[37598.994008] Stack: +[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 +[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 +[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 +[37598.994008] Call Trace: +[37598.994008] [] ip6_append_data+0xccf/0xfe0 +[37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 +[37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 +[37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 +[37598.994008] [] ? sock_has_perm+0x75/0x90 +[37598.994008] [] inet_sendmsg+0x63/0xb0 +[37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 +[37598.994008] [] sock_sendmsg+0xb0/0xe0 +[37598.994008] [] ? __switch_to+0x181/0x4a0 +[37598.994008] [] sys_sendto+0x12d/0x180 +[37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 +[37598.994008] [] ? syscall_trace_enter+0x231/0x240 +[37598.994008] [] tracesys+0xdd/0xe2 +[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 +[37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 +[37598.994008] RSP +[37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- + +While there, also check if path mtu discovery is activated for this +socket. The logic was adapted from ip6_append_data when first writing +on the corked socket. + +This bug was introduced with commit +0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec +fragment"). + +v2: +a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. +b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao + feng, thanks!). +c) Change mtu to unsigned int, else we get a warning about + non-matching types because of the min()-macro type-check. + +Acked-by: Gao feng +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_output.c | 16 ++++++++++------ + 1 file changed, 10 insertions(+), 6 deletions(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index d5d20cd..6e3ddf8 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1098,11 +1098,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src, + return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; + } + +-static void ip6_append_data_mtu(int *mtu, ++static void ip6_append_data_mtu(unsigned int *mtu, + int *maxfraglen, + unsigned int fragheaderlen, + struct sk_buff *skb, +- struct rt6_info *rt) ++ struct rt6_info *rt, ++ bool pmtuprobe) + { + if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { + if (skb == NULL) { +@@ -1114,7 +1115,9 @@ static void ip6_append_data_mtu(int *mtu, + * this fragment is not first, the headers + * space is regarded as data space. + */ +- *mtu = dst_mtu(rt->dst.path); ++ *mtu = min(*mtu, pmtuprobe ? ++ rt->dst.dev->mtu : ++ dst_mtu(rt->dst.path)); + } + *maxfraglen = ((*mtu - fragheaderlen) & ~7) + + fragheaderlen - sizeof(struct frag_hdr); +@@ -1131,11 +1134,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + struct ipv6_pinfo *np = inet6_sk(sk); + struct inet_cork *cork; + struct sk_buff *skb, *skb_prev = NULL; +- unsigned int maxfraglen, fragheaderlen; ++ unsigned int maxfraglen, fragheaderlen, mtu; + int exthdrlen; + int dst_exthdrlen; + int hh_len; +- int mtu; + int copy; + int err; + int offset = 0; +@@ -1292,7 +1294,9 @@ alloc_new_skb: + /* update mtu and maxfraglen if necessary */ + if (skb == NULL || skb_prev == NULL) + ip6_append_data_mtu(&mtu, &maxfraglen, +- fragheaderlen, skb, rt); ++ fragheaderlen, skb, rt, ++ np->pmtudisc == ++ IPV6_PMTUDISC_PROBE); + + skb_prev = skb; + +-- +1.7.11.7 + + +From bd10a3abbed1d5542a0930dcdfc121973276275e Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Wed, 3 Jul 2013 20:45:04 +0200 +Subject: [PATCH 13/40] ipv6: rt6_check_neigh should successfully verify neigh + if no NUD information are available + +[ Upstream commit 3630d40067a21d4dfbadc6002bb469ce26ac5d52 ] + +After the removal of rt->n we do not create a neighbour entry at route +insertion time (rt6_bind_neighbour is gone). As long as no neighbour is +created because of "useful traffic" we skip this routing entry because +rt6_check_neigh cannot pick up a valid neighbour (neigh == NULL) and +thus returns false. + +This change was introduced by commit +887c95cc1da53f66a5890fdeab13414613010097 ("ipv6: Complete neighbour +entry removal from dst_entry.") + +To quote RFC4191: +"If the host has no information about the router's reachability, then +the host assumes the router is reachable." + +and also: +"A host MUST NOT probe a router's reachability in the absence of useful +traffic that the host would have sent to the router if it were reachable." + +So, just assume the router is reachable and let's rt6_probe do the +rest. We don't need to create a neighbour on route insertion time. + +If we don't compile with CONFIG_IPV6_ROUTER_PREF (RFC4191 support) +a neighbour is only valid if its nud_state is NUD_VALID. I did not find +any references that we should probe the router on route insertion time +via the other RFCs. So skip this route in that case. + +v2: +a) use IS_ENABLED instead of #ifdefs (thanks to Sergei Shtylyov) + +Reported-by: Pierre Emeriaud +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/route.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index ad0aa6b..7f1332f 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -547,6 +547,8 @@ static inline bool rt6_check_neigh(struct rt6_info *rt) + ret = true; + #endif + read_unlock(&neigh->lock); ++ } else if (IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { ++ ret = true; + } + rcu_read_unlock_bh(); + +-- +1.7.11.7 + + +From 8db99edc36ca323408ba5c5bcb8952b01be50225 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Thu, 4 Jul 2013 23:48:46 +0100 +Subject: [PATCH 14/40] sfc: Fix memory leak when discarding scattered packets + +[ Upstream commit 734d4e159b283a4ae4d007b7e7a91d84398ccb92 ] + +Commit 2768935a4660 ('sfc: reuse pages to avoid DMA mapping/unmapping +costs') did not fully take account of DMA scattering which was +introduced immediately before. If a received packet is invalid and +must be discarded, we only drop a reference to the first buffer's +page, but we need to drop a reference for each buffer the packet +used. + +I think this bug was missed partly because efx_recycle_rx_buffers() +was not renamed and so no longer does what its name says. It does not +change the state of buffers, but only prepares the underlying pages +for recycling. Rename it accordingly. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/sfc/rx.c | 27 ++++++++++++++++++++------- + 1 file changed, 20 insertions(+), 7 deletions(-) + +diff --git a/drivers/net/ethernet/sfc/rx.c b/drivers/net/ethernet/sfc/rx.c +index a7dfe36..5173eaa 100644 +--- a/drivers/net/ethernet/sfc/rx.c ++++ b/drivers/net/ethernet/sfc/rx.c +@@ -282,9 +282,9 @@ static void efx_fini_rx_buffer(struct efx_rx_queue *rx_queue, + } + + /* Recycle the pages that are used by buffers that have just been received. */ +-static void efx_recycle_rx_buffers(struct efx_channel *channel, +- struct efx_rx_buffer *rx_buf, +- unsigned int n_frags) ++static void efx_recycle_rx_pages(struct efx_channel *channel, ++ struct efx_rx_buffer *rx_buf, ++ unsigned int n_frags) + { + struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel); + +@@ -294,6 +294,20 @@ static void efx_recycle_rx_buffers(struct efx_channel *channel, + } while (--n_frags); + } + ++static void efx_discard_rx_packet(struct efx_channel *channel, ++ struct efx_rx_buffer *rx_buf, ++ unsigned int n_frags) ++{ ++ struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel); ++ ++ efx_recycle_rx_pages(channel, rx_buf, n_frags); ++ ++ do { ++ efx_free_rx_buffer(rx_buf); ++ rx_buf = efx_rx_buf_next(rx_queue, rx_buf); ++ } while (--n_frags); ++} ++ + /** + * efx_fast_push_rx_descriptors - push new RX descriptors quickly + * @rx_queue: RX descriptor queue +@@ -533,8 +547,7 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index, + */ + if (unlikely(rx_buf->flags & EFX_RX_PKT_DISCARD)) { + efx_rx_flush_packet(channel); +- put_page(rx_buf->page); +- efx_recycle_rx_buffers(channel, rx_buf, n_frags); ++ efx_discard_rx_packet(channel, rx_buf, n_frags); + return; + } + +@@ -570,9 +583,9 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index, + efx_sync_rx_buffer(efx, rx_buf, rx_buf->len); + } + +- /* All fragments have been DMA-synced, so recycle buffers and pages. */ ++ /* All fragments have been DMA-synced, so recycle pages. */ + rx_buf = efx_rx_buffer(rx_queue, index); +- efx_recycle_rx_buffers(channel, rx_buf, n_frags); ++ efx_recycle_rx_pages(channel, rx_buf, n_frags); + + /* Pipeline receives so that we give time for packet headers to be + * prefetched into cache. +-- +1.7.11.7 + + +From 35e568df646dc23bd2d00c8865c3118794d1835a Mon Sep 17 00:00:00 2001 +From: Jongsung Kim +Date: Tue, 9 Jul 2013 17:36:00 +0900 +Subject: [PATCH 15/40] net/cadence/macb: fix bug/typo in extracting + gem_irq_read_clear bit + +[ Upstream commit 01276ed2424eb78c95461545410923d5da154d31 ] + +Signed-off-by: Jongsung Kim +Acked-by: Nicolas Ferre +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/cadence/macb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c +index c89aa41..b4e0dc8 100644 +--- a/drivers/net/ethernet/cadence/macb.c ++++ b/drivers/net/ethernet/cadence/macb.c +@@ -1070,7 +1070,7 @@ static void macb_configure_dma(struct macb *bp) + static void macb_configure_caps(struct macb *bp) + { + if (macb_is_gem(bp)) { +- if (GEM_BF(IRQCOR, gem_readl(bp, DCFG1)) == 0) ++ if (GEM_BFEXT(IRQCOR, gem_readl(bp, DCFG1)) == 0) + bp->caps |= MACB_CAPS_ISR_CLEAR_ON_WRITE; + } + } +-- +1.7.11.7 + + +From 3af0cf8b6b161daea120a84ad3d525a121670947 Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 9 Jul 2013 13:19:18 +0300 +Subject: [PATCH 16/40] virtio: support unlocked queue poll + +[ Upstream commit cc229884d3f77ec3b1240e467e0236c3e0647c0c ] + +This adds a way to check ring empty state after enable_cb outside any +locks. Will be used by virtio_net. + +Note: there's room for more optimization: caller is likely to have a +memory barrier already, which means we might be able to get rid of a +barrier here. Deferring this optimization until we do some +benchmarking. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +--- + drivers/virtio/virtio_ring.c | 56 ++++++++++++++++++++++++++++++++++---------- + include/linux/virtio.h | 4 ++++ + 2 files changed, 48 insertions(+), 12 deletions(-) + +diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c +index 5217baf..37d58f8 100644 +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -607,19 +607,21 @@ void virtqueue_disable_cb(struct virtqueue *_vq) + EXPORT_SYMBOL_GPL(virtqueue_disable_cb); + + /** +- * virtqueue_enable_cb - restart callbacks after disable_cb. ++ * virtqueue_enable_cb_prepare - restart callbacks after disable_cb + * @vq: the struct virtqueue we're talking about. + * +- * This re-enables callbacks; it returns "false" if there are pending +- * buffers in the queue, to detect a possible race between the driver +- * checking for more work, and enabling callbacks. ++ * This re-enables callbacks; it returns current queue state ++ * in an opaque unsigned value. This value should be later tested by ++ * virtqueue_poll, to detect a possible race between the driver checking for ++ * more work, and enabling callbacks. + * + * Caller must ensure we don't call this with other virtqueue + * operations at the same time (except where noted). + */ +-bool virtqueue_enable_cb(struct virtqueue *_vq) ++unsigned virtqueue_enable_cb_prepare(struct virtqueue *_vq) + { + struct vring_virtqueue *vq = to_vvq(_vq); ++ u16 last_used_idx; + + START_USE(vq); + +@@ -629,15 +631,45 @@ bool virtqueue_enable_cb(struct virtqueue *_vq) + * either clear the flags bit or point the event index at the next + * entry. Always do both to keep code simple. */ + vq->vring.avail->flags &= ~VRING_AVAIL_F_NO_INTERRUPT; +- vring_used_event(&vq->vring) = vq->last_used_idx; ++ vring_used_event(&vq->vring) = last_used_idx = vq->last_used_idx; ++ END_USE(vq); ++ return last_used_idx; ++} ++EXPORT_SYMBOL_GPL(virtqueue_enable_cb_prepare); ++ ++/** ++ * virtqueue_poll - query pending used buffers ++ * @vq: the struct virtqueue we're talking about. ++ * @last_used_idx: virtqueue state (from call to virtqueue_enable_cb_prepare). ++ * ++ * Returns "true" if there are pending used buffers in the queue. ++ * ++ * This does not need to be serialized. ++ */ ++bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx) ++{ ++ struct vring_virtqueue *vq = to_vvq(_vq); ++ + virtio_mb(vq->weak_barriers); +- if (unlikely(more_used(vq))) { +- END_USE(vq); +- return false; +- } ++ return (u16)last_used_idx != vq->vring.used->idx; ++} ++EXPORT_SYMBOL_GPL(virtqueue_poll); + +- END_USE(vq); +- return true; ++/** ++ * virtqueue_enable_cb - restart callbacks after disable_cb. ++ * @vq: the struct virtqueue we're talking about. ++ * ++ * This re-enables callbacks; it returns "false" if there are pending ++ * buffers in the queue, to detect a possible race between the driver ++ * checking for more work, and enabling callbacks. ++ * ++ * Caller must ensure we don't call this with other virtqueue ++ * operations at the same time (except where noted). ++ */ ++bool virtqueue_enable_cb(struct virtqueue *_vq) ++{ ++ unsigned last_used_idx = virtqueue_enable_cb_prepare(_vq); ++ return !virtqueue_poll(_vq, last_used_idx); + } + EXPORT_SYMBOL_GPL(virtqueue_enable_cb); + +diff --git a/include/linux/virtio.h b/include/linux/virtio.h +index 9ff8645..72398ee 100644 +--- a/include/linux/virtio.h ++++ b/include/linux/virtio.h +@@ -70,6 +70,10 @@ void virtqueue_disable_cb(struct virtqueue *vq); + + bool virtqueue_enable_cb(struct virtqueue *vq); + ++unsigned virtqueue_enable_cb_prepare(struct virtqueue *vq); ++ ++bool virtqueue_poll(struct virtqueue *vq, unsigned); ++ + bool virtqueue_enable_cb_delayed(struct virtqueue *vq); + + void *virtqueue_detach_unused_buf(struct virtqueue *vq); +-- +1.7.11.7 + + +From e6a032bca44cd54a168939ee66be707c9b679bec Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 9 Jul 2013 08:13:04 +0300 +Subject: [PATCH 17/40] virtio_net: fix race in RX VQ processing + +[ Upstream commit cbdadbbf0c790f79350a8f36029208944c5487d0 ] + +virtio net called virtqueue_enable_cq on RX path after napi_complete, so +with NAPI_STATE_SCHED clear - outside the implicit napi lock. +This violates the requirement to synchronize virtqueue_enable_cq wrt +virtqueue_add_buf. In particular, used event can move backwards, +causing us to lose interrupts. +In a debug build, this can trigger panic within START_USE. + +Jason Wang reports that he can trigger the races artificially, +by adding udelay() in virtqueue_enable_cb() after virtio_mb(). + +However, we must call napi_complete to clear NAPI_STATE_SCHED before +polling the virtqueue for used buffers, otherwise napi_schedule_prep in +a callback will fail, causing us to lose RX events. + +To fix, call virtqueue_enable_cb_prepare with NAPI_STATE_SCHED +set (under napi lock), later call virtqueue_poll with +NAPI_STATE_SCHED clear (outside the lock). + +Reported-by: Jason Wang +Tested-by: Jason Wang +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +--- + drivers/net/virtio_net.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index c9e0038..42d670a 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -602,7 +602,7 @@ static int virtnet_poll(struct napi_struct *napi, int budget) + container_of(napi, struct receive_queue, napi); + struct virtnet_info *vi = rq->vq->vdev->priv; + void *buf; +- unsigned int len, received = 0; ++ unsigned int r, len, received = 0; + + again: + while (received < budget && +@@ -619,8 +619,9 @@ again: + + /* Out of packets? */ + if (received < budget) { ++ r = virtqueue_enable_cb_prepare(rq->vq); + napi_complete(napi); +- if (unlikely(!virtqueue_enable_cb(rq->vq)) && ++ if (unlikely(virtqueue_poll(rq->vq, r)) && + napi_schedule_prep(napi)) { + virtqueue_disable_cb(rq->vq); + __napi_schedule(napi); +-- +1.7.11.7 + + +From d0347c6cbf229fe352006a5463eb2d0cb2150afb Mon Sep 17 00:00:00 2001 +From: "Michael S. Tsirkin" +Date: Tue, 25 Jun 2013 17:29:46 +0300 +Subject: [PATCH 18/40] vhost-net: fix use-after-free in vhost_net_flush + +[ Upstream commit c38e39c378f46f00ce922dd40a91043a9925c28d ] + +vhost_net_ubuf_put_and_wait has a confusing name: +it will actually also free it's argument. +Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 + "vhost-net: flush outstanding DMAs on memory change" +vhost_net_flush tries to use the argument after passing it +to vhost_net_ubuf_put_and_wait, this results +in use after free. +To fix, don't free the argument in vhost_net_ubuf_put_and_wait, +add an new API for callers that want to free ubufs. + +Acked-by: Asias He +Acked-by: Jason Wang +Signed-off-by: Michael S. Tsirkin +--- + drivers/vhost/net.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c +index f80d3dd..8ca5ac7 100644 +--- a/drivers/vhost/net.c ++++ b/drivers/vhost/net.c +@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) + { + kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal); + wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); ++} ++ ++static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) ++{ ++ vhost_net_ubuf_put_and_wait(ubufs); + kfree(ubufs); + } + +@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) + mutex_unlock(&vq->mutex); + + if (oldubufs) { +- vhost_net_ubuf_put_and_wait(oldubufs); ++ vhost_net_ubuf_put_wait_and_free(oldubufs); + mutex_lock(&vq->mutex); + vhost_zerocopy_signal_used(n, vq); + mutex_unlock(&vq->mutex); +@@ -966,7 +971,7 @@ err_used: + rcu_assign_pointer(vq->private_data, oldsock); + vhost_net_enable_vq(n, vq); + if (ubufs) +- vhost_net_ubuf_put_and_wait(ubufs); ++ vhost_net_ubuf_put_wait_and_free(ubufs); + err_ubufs: + fput(sock->file); + err_vq: +-- +1.7.11.7 + + +From b1036ae16395f14a4e50b96bf09cc36d4bb5c802 Mon Sep 17 00:00:00 2001 +From: Dave Kleikamp +Date: Mon, 1 Jul 2013 16:49:22 -0500 +Subject: [PATCH 19/40] sunvnet: vnet_port_remove must call unregister_netdev + +[ Upstream commit aabb9875d02559ab9b928cd6f259a5cc4c21a589 ] + +The missing call to unregister_netdev() leaves the interface active +after the driver is unloaded by rmmod. + +Signed-off-by: Dave Kleikamp +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/sun/sunvnet.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c +index 1df0ff3..3df5684 100644 +--- a/drivers/net/ethernet/sun/sunvnet.c ++++ b/drivers/net/ethernet/sun/sunvnet.c +@@ -1239,6 +1239,8 @@ static int vnet_port_remove(struct vio_dev *vdev) + dev_set_drvdata(&vdev->dev, NULL); + + kfree(port); ++ ++ unregister_netdev(vp->dev); + } + return 0; + } +-- +1.7.11.7 + + +From b99eebace35b3d3ae6ddcc2af5659e3ab7a2921c Mon Sep 17 00:00:00 2001 +From: dingtianhong +Date: Wed, 10 Jul 2013 12:04:02 +0800 +Subject: [PATCH 20/40] ifb: fix rcu_sched self-detected stalls + +[ Upstream commit 440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa ] + +According to the commit 16b0dc29c1af9df341428f4c49ada4f626258082 +(dummy: fix rcu_sched self-detected stalls) + +Eric Dumazet fix the problem in dummy, but the ifb will occur the +same problem like the dummy modules. + +Trying to "modprobe ifb numifbs=30000" triggers : + +INFO: rcu_sched self-detected stall on CPU + +After this splat, RTNL is locked and reboot is needed. + +We must call cond_resched() to avoid this, even holding RTNL. + +Signed-off-by: Ding Tianhong +Signed-off-by: David S. Miller +--- + drivers/net/ifb.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c +index dc9f6a4..a11f7a4 100644 +--- a/drivers/net/ifb.c ++++ b/drivers/net/ifb.c +@@ -292,8 +292,10 @@ static int __init ifb_init_module(void) + rtnl_lock(); + err = __rtnl_link_register(&ifb_link_ops); + +- for (i = 0; i < numifbs && !err; i++) ++ for (i = 0; i < numifbs && !err; i++) { + err = ifb_init_one(i); ++ cond_resched(); ++ } + if (err) + __rtnl_link_unregister(&ifb_link_ops); + rtnl_unlock(); +-- +1.7.11.7 + + +From 4782f7d41346ac49c6aa58ee9da6a7ff896cbe4c Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 10 Jul 2013 13:43:27 +0800 +Subject: [PATCH 21/40] tuntap: correctly linearize skb when zerocopy is used + +[ Upstream commit 3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d ] + +Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to +linearize parts of the skb to let the rest of iov to be fit in +the frags, we need count copylen into linear when calling tun_alloc_skb() +instead of partly counting it into data_len. Since this breaks +zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should +be zero at beginning. This cause nr_frags to be increased wrongly without +setting the correct frags. + +This bug were introduced from 0690899b4d4501b3505be069b9a687e68ccbe15b +(tun: experimental zero copy tx support) + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +--- + drivers/net/tun.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 9c61f87..c3cb60b 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1044,7 +1044,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + { + struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) }; + struct sk_buff *skb; +- size_t len = total_len, align = NET_SKB_PAD; ++ size_t len = total_len, align = NET_SKB_PAD, linear; + struct virtio_net_hdr gso = { 0 }; + int offset = 0; + int copylen; +@@ -1108,10 +1108,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + copylen = gso.hdr_len; + if (!copylen) + copylen = GOODCOPY_LEN; +- } else ++ linear = copylen; ++ } else { + copylen = len; ++ linear = gso.hdr_len; ++ } + +- skb = tun_alloc_skb(tfile, align, copylen, gso.hdr_len, noblock); ++ skb = tun_alloc_skb(tfile, align, copylen, linear, noblock); + if (IS_ERR(skb)) { + if (PTR_ERR(skb) != -EAGAIN) + tun->dev->stats.rx_dropped++; +-- +1.7.11.7 + + +From ebf6764da166478c0c059e5083b12f0f577decdc Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 10 Jul 2013 13:43:28 +0800 +Subject: [PATCH 22/40] macvtap: correctly linearize skb when zerocopy is used + +[ Upstream commit 61d46bf979d5cd7c164709a80ad5676a35494aae ] + +Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to +linearize parts of the skb to let the rest of iov to be fit in +the frags, we need count copylen into linear when calling macvtap_alloc_skb() +instead of partly counting it into data_len. Since this breaks +zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should +be zero at beginning. This cause nr_frags to be increased wrongly without +setting the correct frags. + +This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73 +(macvtap: zerocopy: validate vectors before building skb). + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Acked-by: Michael S. Tsirkin +Signed-off-by: David S. Miller +--- + drivers/net/macvtap.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index b6dd6a7..502d948 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -647,6 +647,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + int vnet_hdr_len = 0; + int copylen = 0; + bool zerocopy = false; ++ size_t linear; + + if (q->flags & IFF_VNET_HDR) { + vnet_hdr_len = q->vnet_hdr_sz; +@@ -701,11 +702,14 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + copylen = vnet_hdr.hdr_len; + if (!copylen) + copylen = GOODCOPY_LEN; +- } else ++ linear = copylen; ++ } else { + copylen = len; ++ linear = vnet_hdr.hdr_len; ++ } + + skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, +- vnet_hdr.hdr_len, noblock, &err); ++ linear, noblock, &err); + if (!skb) + goto err; + +-- +1.7.11.7 + + +From 3e86a493305637e79d72541f571ec4f852ef2024 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Wed, 10 Jul 2013 23:00:57 +0200 +Subject: [PATCH 23/40] ipv6: in case of link failure remove route directly + instead of letting it expire + +[ Upstream commit 1eb4f758286884e7566627164bca4c4a16952a83 ] + +We could end up expiring a route which is part of an ecmp route set. Doing +so would invalidate the rt->rt6i_nsiblings calculations and could provoke +the following panic: + +[ 80.144667] ------------[ cut here ]------------ +[ 80.145172] kernel BUG at net/ipv6/ip6_fib.c:733! +[ 80.145172] invalid opcode: 0000 [#1] SMP +[ 80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables ++snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk +[ 80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118 +[ 80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 +[ 80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000 +[ 80.145172] RIP: 0010:[] [] fib6_add+0x75d/0x830 +[ 80.145172] RSP: 0018:ffff880118771798 EFLAGS: 00010202 +[ 80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480 +[ 80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738 +[ 80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001 +[ 80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680 +[ 80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90 +[ 80.145172] FS: 00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000 +[ 80.145172] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0 +[ 80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 80.145172] Stack: +[ 80.145172] 0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280 +[ 80.145172] 0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa +[ 80.145172] 0000000000000000 0000000000000000 0000000000000000 ffff88011350f680 +[ 80.145172] Call Trace: +[ 80.145172] [] ? rt6_bind_peer+0x4b/0x90 +[ 80.145172] [] __ip6_ins_rt+0x45/0x70 +[ 80.145172] [] ip6_ins_rt+0x35/0x40 +[ 80.145172] [] ip6_pol_route.isra.44+0x3a4/0x4b0 +[ 80.145172] [] ip6_pol_route_output+0x2a/0x30 +[ 80.145172] [] fib6_rule_action+0xd7/0x210 +[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 +[ 80.145172] [] fib_rules_lookup+0xc6/0x140 +[ 80.145172] [] fib6_rule_lookup+0x44/0x80 +[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 +[ 80.145172] [] ip6_route_output+0x73/0xb0 +[ 80.145172] [] ip6_dst_lookup_tail+0x2c3/0x2e0 +[ 80.145172] [] ? list_del+0x11/0x40 +[ 80.145172] [] ? remove_wait_queue+0x3c/0x50 +[ 80.145172] [] ip6_dst_lookup_flow+0x3d/0xa0 +[ 80.145172] [] rawv6_sendmsg+0x267/0xc20 +[ 80.145172] [] inet_sendmsg+0x63/0xb0 +[ 80.145172] [] ? selinux_socket_sendmsg+0x23/0x30 +[ 80.145172] [] sock_sendmsg+0xa6/0xd0 +[ 80.145172] [] SYSC_sendto+0x128/0x180 +[ 80.145172] [] ? update_curr+0xec/0x170 +[ 80.145172] [] ? kvm_clock_get_cycles+0x9/0x10 +[ 80.145172] [] ? __getnstimeofday+0x3e/0xd0 +[ 80.145172] [] SyS_sendto+0xe/0x10 +[ 80.145172] [] system_call_fastpath+0x16/0x1b +[ 80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53 +[ 80.145172] RIP [] fib6_add+0x75d/0x830 +[ 80.145172] RSP +[ 80.387413] ---[ end trace 02f20b7a8b81ed95 ]--- +[ 80.390154] Kernel panic - not syncing: Fatal exception in interrupt + +Cc: Nicolas Dichtel +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/route.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 7f1332f..262d6d8 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -1076,10 +1076,13 @@ static void ip6_link_failure(struct sk_buff *skb) + + rt = (struct rt6_info *) skb_dst(skb); + if (rt) { +- if (rt->rt6i_flags & RTF_CACHE) +- rt6_update_expires(rt, 0); +- else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) ++ if (rt->rt6i_flags & RTF_CACHE) { ++ dst_hold(&rt->dst); ++ if (ip6_del_rt(rt)) ++ dst_free(&rt->dst); ++ } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) { + rt->rt6i_node->fn_sernum = -1; ++ } + } + } + +-- +1.7.11.7 + + +From db75617408ddf6d4fa8a65c030861ad0cd7e92ea Mon Sep 17 00:00:00 2001 +From: Sasha Levin +Date: Thu, 11 Jul 2013 13:16:54 -0400 +Subject: [PATCH 24/40] 9p: fix off by one causing access violations and + memory corruption + +[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ] + +p9_release_pages() would attempt to dereference one value past the end of +pages[]. This would cause the following crashes: + +[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000 +[ 6293.174146] IP: [] p9_release_pages+0x3b/0x60 +[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060 +[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC +[ 6293.180060] Modules linked in: +[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954 +[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000 +[ 6293.180060] RIP: 0010:[] [] p9_release_pages+0x3b/0x60 +[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202 +[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000 +[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40 +[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000 +[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 +[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070 +[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000 +[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0 +[ 6293.256784] Stack: +[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8 +[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001 +[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000 +[ 6293.256784] Call Trace: +[ 6293.256784] [] p9_virtio_zc_request+0x598/0x630 +[ 6293.256784] [] ? wake_up_bit+0x40/0x40 +[ 6293.256784] [] p9_client_zc_rpc+0x111/0x3a0 +[ 6293.256784] [] ? sched_clock_cpu+0x108/0x120 +[ 6293.256784] [] p9_client_read+0xe1/0x2c0 +[ 6293.256784] [] v9fs_file_read+0x90/0xc0 +[ 6293.256784] [] vfs_read+0xc3/0x130 +[ 6293.256784] [] ? trace_hardirqs_on+0xd/0x10 +[ 6293.256784] [] SyS_read+0x62/0xa0 +[ 6293.256784] [] tracesys+0xdd/0xe2 +[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c +[ 6293.256784] RIP [] p9_release_pages+0x3b/0x60 +[ 6293.256784] RSP +[ 6293.256784] CR2: ffff8807c96f3000 +[ 6293.256784] ---[ end trace 50822ee72cd360fc ]--- + +Signed-off-by: Sasha Levin +Signed-off-by: David S. Miller +--- + net/9p/trans_common.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c +index de8df95..2ee3879 100644 +--- a/net/9p/trans_common.c ++++ b/net/9p/trans_common.c +@@ -24,11 +24,11 @@ + */ + void p9_release_pages(struct page **pages, int nr_pages) + { +- int i = 0; +- while (pages[i] && nr_pages--) { +- put_page(pages[i]); +- i++; +- } ++ int i; ++ ++ for (i = 0; i < nr_pages; i++) ++ if (pages[i]) ++ put_page(pages[i]); + } + EXPORT_SYMBOL(p9_release_pages); + +-- +1.7.11.7 + + +From d0772a6314c2ed4d04ab0163c50b3ef6ff9eba40 Mon Sep 17 00:00:00 2001 +From: Maarten Lankhorst +Date: Thu, 11 Jul 2013 15:53:21 +0200 +Subject: [PATCH 25/40] alx: fix lockdep annotation + +[ Upstream commit a8798a5c77c9981e88caef1373a3310bf8aed219 ] + +Move spin_lock_init to be called before the spinlocks are used, preventing a lockdep splat. + +Signed-off-by: Maarten Lankhorst +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/atheros/alx/main.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 418de8b..d30085c 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1303,6 +1303,8 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + SET_NETDEV_DEV(netdev, &pdev->dev); + alx = netdev_priv(netdev); ++ spin_lock_init(&alx->hw.mdio_lock); ++ spin_lock_init(&alx->irq_lock); + alx->dev = netdev; + alx->hw.pdev = pdev; + alx->msg_enable = NETIF_MSG_LINK | NETIF_MSG_HW | NETIF_MSG_IFUP | +@@ -1385,9 +1387,6 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent) + + INIT_WORK(&alx->link_check_wk, alx_link_check); + INIT_WORK(&alx->reset_wk, alx_reset); +- spin_lock_init(&alx->hw.mdio_lock); +- spin_lock_init(&alx->irq_lock); +- + netif_carrier_off(netdev); + + err = register_netdev(netdev); +-- +1.7.11.7 + + +From 1ea4568e699d6f1a231c14d5f084b4eb97298b7b Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Thu, 11 Jul 2013 12:43:42 +0200 +Subject: [PATCH 26/40] ipv6: fix route selection if kernel is not compiled + with CONFIG_IPV6_ROUTER_PREF + +[ Upstream commit afc154e978de1eb11c555bc8bcec1552f75ebc43 ] + +This is a follow-up patch to 3630d40067a21d4dfbadc6002bb469ce26ac5d52 +("ipv6: rt6_check_neigh should successfully verify neigh if no NUD +information are available"). + +Since the removal of rt->n in rt6_info we can end up with a dst == +NULL in rt6_check_neigh. In case the kernel is not compiled with +CONFIG_IPV6_ROUTER_PREF we should also select a route with unkown +NUD state but we must not avoid doing round robin selection on routes +with the same target. So introduce and pass down a boolean ``do_rr'' to +indicate when we should update rt->rr_ptr. As soon as no route is valid +we do backtracking and do a lookup on a higher level in the fib trie. + +v2: +a) Improved rt6_check_neigh logic (no need to create neighbour there) + and documented return values. + +v3: +a) Introduce enum rt6_nud_state to get rid of the magic numbers + (thanks to David Miller). +b) Update and shorten commit message a bit to actualy reflect + the source. + +Reported-by: Pierre Emeriaud +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/route.c | 63 +++++++++++++++++++++++++++++++++++--------------------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 262d6d8..bacce6c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -65,6 +65,12 @@ + #include + #endif + ++enum rt6_nud_state { ++ RT6_NUD_FAIL_HARD = -2, ++ RT6_NUD_FAIL_SOFT = -1, ++ RT6_NUD_SUCCEED = 1 ++}; ++ + static struct rt6_info *ip6_rt_copy(struct rt6_info *ort, + const struct in6_addr *dest); + static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie); +@@ -527,28 +533,29 @@ static inline int rt6_check_dev(struct rt6_info *rt, int oif) + return 0; + } + +-static inline bool rt6_check_neigh(struct rt6_info *rt) ++static inline enum rt6_nud_state rt6_check_neigh(struct rt6_info *rt) + { + struct neighbour *neigh; +- bool ret = false; ++ enum rt6_nud_state ret = RT6_NUD_FAIL_HARD; + + if (rt->rt6i_flags & RTF_NONEXTHOP || + !(rt->rt6i_flags & RTF_GATEWAY)) +- return true; ++ return RT6_NUD_SUCCEED; + + rcu_read_lock_bh(); + neigh = __ipv6_neigh_lookup_noref(rt->dst.dev, &rt->rt6i_gateway); + if (neigh) { + read_lock(&neigh->lock); + if (neigh->nud_state & NUD_VALID) +- ret = true; ++ ret = RT6_NUD_SUCCEED; + #ifdef CONFIG_IPV6_ROUTER_PREF + else if (!(neigh->nud_state & NUD_FAILED)) +- ret = true; ++ ret = RT6_NUD_SUCCEED; + #endif + read_unlock(&neigh->lock); +- } else if (IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { +- ret = true; ++ } else { ++ ret = IS_ENABLED(CONFIG_IPV6_ROUTER_PREF) ? ++ RT6_NUD_SUCCEED : RT6_NUD_FAIL_SOFT; + } + rcu_read_unlock_bh(); + +@@ -562,43 +569,52 @@ static int rt6_score_route(struct rt6_info *rt, int oif, + + m = rt6_check_dev(rt, oif); + if (!m && (strict & RT6_LOOKUP_F_IFACE)) +- return -1; ++ return RT6_NUD_FAIL_HARD; + #ifdef CONFIG_IPV6_ROUTER_PREF + m |= IPV6_DECODE_PREF(IPV6_EXTRACT_PREF(rt->rt6i_flags)) << 2; + #endif +- if (!rt6_check_neigh(rt) && (strict & RT6_LOOKUP_F_REACHABLE)) +- return -1; ++ if (strict & RT6_LOOKUP_F_REACHABLE) { ++ int n = rt6_check_neigh(rt); ++ if (n < 0) ++ return n; ++ } + return m; + } + + static struct rt6_info *find_match(struct rt6_info *rt, int oif, int strict, +- int *mpri, struct rt6_info *match) ++ int *mpri, struct rt6_info *match, ++ bool *do_rr) + { + int m; ++ bool match_do_rr = false; + + if (rt6_check_expired(rt)) + goto out; + + m = rt6_score_route(rt, oif, strict); +- if (m < 0) ++ if (m == RT6_NUD_FAIL_SOFT && !IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { ++ match_do_rr = true; ++ m = 0; /* lowest valid score */ ++ } else if (m < 0) { + goto out; ++ } ++ ++ if (strict & RT6_LOOKUP_F_REACHABLE) ++ rt6_probe(rt); + + if (m > *mpri) { +- if (strict & RT6_LOOKUP_F_REACHABLE) +- rt6_probe(match); ++ *do_rr = match_do_rr; + *mpri = m; + match = rt; +- } else if (strict & RT6_LOOKUP_F_REACHABLE) { +- rt6_probe(rt); + } +- + out: + return match; + } + + static struct rt6_info *find_rr_leaf(struct fib6_node *fn, + struct rt6_info *rr_head, +- u32 metric, int oif, int strict) ++ u32 metric, int oif, int strict, ++ bool *do_rr) + { + struct rt6_info *rt, *match; + int mpri = -1; +@@ -606,10 +622,10 @@ static struct rt6_info *find_rr_leaf(struct fib6_node *fn, + match = NULL; + for (rt = rr_head; rt && rt->rt6i_metric == metric; + rt = rt->dst.rt6_next) +- match = find_match(rt, oif, strict, &mpri, match); ++ match = find_match(rt, oif, strict, &mpri, match, do_rr); + for (rt = fn->leaf; rt && rt != rr_head && rt->rt6i_metric == metric; + rt = rt->dst.rt6_next) +- match = find_match(rt, oif, strict, &mpri, match); ++ match = find_match(rt, oif, strict, &mpri, match, do_rr); + + return match; + } +@@ -618,15 +634,16 @@ static struct rt6_info *rt6_select(struct fib6_node *fn, int oif, int strict) + { + struct rt6_info *match, *rt0; + struct net *net; ++ bool do_rr = false; + + rt0 = fn->rr_ptr; + if (!rt0) + fn->rr_ptr = rt0 = fn->leaf; + +- match = find_rr_leaf(fn, rt0, rt0->rt6i_metric, oif, strict); ++ match = find_rr_leaf(fn, rt0, rt0->rt6i_metric, oif, strict, ++ &do_rr); + +- if (!match && +- (strict & RT6_LOOKUP_F_REACHABLE)) { ++ if (do_rr) { + struct rt6_info *next = rt0->dst.rt6_next; + + /* no entries matched; do round-robin */ +-- +1.7.11.7 + + +From a3bd2b75636d9e8ce1105521a210039fca6433c2 Mon Sep 17 00:00:00 2001 +From: dingtianhong +Date: Thu, 11 Jul 2013 19:04:02 +0800 +Subject: [PATCH 27/40] dummy: fix oops when loading the dummy failed + +[ Upstream commit 2c8a01894a12665d8059fad8f0a293c98a264121 ] + +We rename the dummy in modprobe.conf like this: + +install dummy0 /sbin/modprobe -o dummy0 --ignore-install dummy +install dummy1 /sbin/modprobe -o dummy1 --ignore-install dummy + +We got oops when we run the command: + +modprobe dummy0 +modprobe dummy1 + +------------[ cut here ]------------ + +[ 3302.187584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +[ 3302.195411] IP: [] __rtnl_link_unregister+0x9a/0xd0 +[ 3302.201844] PGD 85c94a067 PUD 8517bd067 PMD 0 +[ 3302.206305] Oops: 0002 [#1] SMP +[ 3302.299737] task: ffff88105ccea300 ti: ffff880eba4a0000 task.ti: ffff880eba4a0000 +[ 3302.307186] RIP: 0010:[] [] __rtnl_link_unregister+0x9a/0xd0 +[ 3302.316044] RSP: 0018:ffff880eba4a1dd8 EFLAGS: 00010246 +[ 3302.321332] RAX: 0000000000000000 RBX: ffffffff81a9d738 RCX: 0000000000000002 +[ 3302.328436] RDX: 0000000000000000 RSI: ffffffffa04d602c RDI: ffff880eba4a1dd8 +[ 3302.335541] RBP: ffff880eba4a1e18 R08: dead000000200200 R09: dead000000100100 +[ 3302.342644] R10: 0000000000000080 R11: 0000000000000003 R12: ffffffff81a9d788 +[ 3302.349748] R13: ffffffffa04d7020 R14: ffffffff81a9d670 R15: ffff880eba4a1dd8 +[ 3302.364910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 3302.370630] CR2: 0000000000000008 CR3: 000000085e15e000 CR4: 00000000000427e0 +[ 3302.377734] DR0: 0000000000000003 DR1: 00000000000000b0 DR2: 0000000000000001 +[ 3302.384838] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 3302.391940] Stack: +[ 3302.393944] ffff880eba4a1dd8 ffff880eba4a1dd8 ffff880eba4a1e18 ffffffffa04d70c0 +[ 3302.401350] 00000000ffffffef ffffffffa01a8000 0000000000000000 ffffffff816111c8 +[ 3302.408758] ffff880eba4a1e48 ffffffffa01a80be ffff880eba4a1e48 ffffffffa04d70c0 +[ 3302.416164] Call Trace: +[ 3302.418605] [] ? 0xffffffffa01a7fff +[ 3302.423727] [] dummy_init_module+0xbe/0x1000 [dummy0] +[ 3302.430405] [] ? 0xffffffffa01a7fff +[ 3302.435535] [] do_one_initcall+0x152/0x1b0 +[ 3302.441263] [] do_init_module+0x7b/0x200 +[ 3302.446824] [] load_module+0x4e2/0x530 +[ 3302.452215] [] ? ddebug_dyndbg_boot_param_cb+0x60/0x60 +[ 3302.458979] [] SyS_init_module+0xd1/0x130 +[ 3302.464627] [] system_call_fastpath+0x16/0x1b +[ 3302.490090] RIP [] __rtnl_link_unregister+0x9a/0xd0 +[ 3302.496607] RSP +[ 3302.500084] CR2: 0000000000000008 +[ 3302.503466] ---[ end trace 8342d49cd49f78ed ]--- + +The reason is that when loading dummy, if __rtnl_link_register() return failed, +the init_module should return and avoid take the wrong path. + +Signed-off-by: Tan Xiaojun +Signed-off-by: Ding Tianhong +Signed-off-by: David S. Miller +--- + drivers/net/dummy.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c +index 42aa54a..b710c6b 100644 +--- a/drivers/net/dummy.c ++++ b/drivers/net/dummy.c +@@ -185,6 +185,8 @@ static int __init dummy_init_module(void) + + rtnl_lock(); + err = __rtnl_link_register(&dummy_link_ops); ++ if (err < 0) ++ goto out; + + for (i = 0; i < numdummies && !err; i++) { + err = dummy_init_one(); +@@ -192,6 +194,8 @@ static int __init dummy_init_module(void) + } + if (err < 0) + __rtnl_link_unregister(&dummy_link_ops); ++ ++out: + rtnl_unlock(); + + return err; +-- +1.7.11.7 + + +From 44780fa991640ee8c5fc4f4c47d5033a5c98895d Mon Sep 17 00:00:00 2001 +From: dingtianhong +Date: Thu, 11 Jul 2013 19:04:06 +0800 +Subject: [PATCH 28/40] ifb: fix oops when loading the ifb failed + +[ Upstream commit f2966cd5691058b8674a20766525bedeaea9cbcf ] + +If __rtnl_link_register() return faild when loading the ifb, it will +take the wrong path and get oops, so fix it just like dummy. + +Signed-off-by: Ding Tianhong +Signed-off-by: David S. Miller +--- + drivers/net/ifb.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c +index a11f7a4..a3bed28 100644 +--- a/drivers/net/ifb.c ++++ b/drivers/net/ifb.c +@@ -291,6 +291,8 @@ static int __init ifb_init_module(void) + + rtnl_lock(); + err = __rtnl_link_register(&ifb_link_ops); ++ if (err < 0) ++ goto out; + + for (i = 0; i < numifbs && !err; i++) { + err = ifb_init_one(i); +@@ -298,6 +300,8 @@ static int __init ifb_init_module(void) + } + if (err) + __rtnl_link_unregister(&ifb_link_ops); ++ ++out: + rtnl_unlock(); + + return err; +-- +1.7.11.7 + + +From 60731ca136b36cde13dd6b021711f031d70e061f Mon Sep 17 00:00:00 2001 +From: Alexander Duyck +Date: Thu, 11 Jul 2013 13:12:22 -0700 +Subject: [PATCH 29/40] gre: Fix MTU sizing check for gretap tunnels + +[ Upstream commit 8c91e162e058bb91b7766f26f4d5823a21941026 ] + +This change fixes an MTU sizing issue seen with gretap tunnels when non-gso +packets are sent from the interface. + +In my case I was able to reproduce the issue by simply sending a ping of +1421 bytes with the gretap interface created on a device with a standard +1500 mtu. + +This fix is based on the fact that the tunnel mtu is already adjusted by +dev->hard_header_len so it would make sense that any packets being compared +against that mtu should also be adjusted by hard_header_len and the tunnel +header instead of just the tunnel header. + +Signed-off-by: Alexander Duyck +Reported-by: Cong Wang +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/ipv4/ip_tunnel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c +index d05bd02..cbfc37f 100644 +--- a/net/ipv4/ip_tunnel.c ++++ b/net/ipv4/ip_tunnel.c +@@ -490,7 +490,7 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb, + struct rtable *rt, __be16 df) + { + struct ip_tunnel *tunnel = netdev_priv(dev); +- int pkt_size = skb->len - tunnel->hlen; ++ int pkt_size = skb->len - tunnel->hlen - dev->hard_header_len; + int mtu; + + if (df) +-- +1.7.11.7 + + +From 8bd8eef9c03de3dc458d95069adaecc5960f9f66 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 12 Jul 2013 23:46:33 +0200 +Subject: [PATCH 30/40] ipv6: only static routes qualify for equal cost + multipathing + +[ Upstream commit 307f2fb95e9b96b3577916e73d92e104f8f26494 ] + +Static routes in this case are non-expiring routes which did not get +configured by autoconf or by icmpv6 redirects. + +To make sure we actually get an ecmp route while searching for the first +one in this fib6_node's leafs, also make sure it matches the ecmp route +assumptions. + +v2: +a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF + already ensures that this route, even if added again without + RTF_EXPIRES (in case of a RA announcement with infinite timeout), + does not cause the rt6i_nsiblings logic to go wrong if a later RA + updates the expiration time later. + +v3: +a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, + because an pmtu event could update the RTF_EXPIRES flag and we would + not count this route, if another route joins this set. We now filter + only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that + don't get changed after rt6_info construction. + +Cc: Nicolas Dichtel +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_fib.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c +index 192dd1a..5fc9c7a 100644 +--- a/net/ipv6/ip6_fib.c ++++ b/net/ipv6/ip6_fib.c +@@ -632,6 +632,12 @@ insert_above: + return ln; + } + ++static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt) ++{ ++ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) == ++ RTF_GATEWAY; ++} ++ + /* + * Insert routing information in a node. + */ +@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + int add = (!info->nlh || + (info->nlh->nlmsg_flags & NLM_F_CREATE)); + int found = 0; ++ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt); + + ins = &fn->leaf; + +@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + * To avoid long list, we only had siblings if the + * route have a gateway. + */ +- if (rt->rt6i_flags & RTF_GATEWAY && +- !(rt->rt6i_flags & RTF_EXPIRES) && +- !(iter->rt6i_flags & RTF_EXPIRES)) ++ if (rt_can_ecmp && ++ rt6_qualify_for_ecmp(iter)) + rt->rt6i_nsiblings++; + } + +@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, + /* Find the first route that have the same metric */ + sibling = fn->leaf; + while (sibling) { +- if (sibling->rt6i_metric == rt->rt6i_metric) { ++ if (sibling->rt6i_metric == rt->rt6i_metric && ++ rt6_qualify_for_ecmp(sibling)) { + list_add_tail(&rt->rt6i_siblings, + &sibling->rt6i_siblings); + break; +-- +1.7.11.7 + + +From bf6a9aa8649eefee6a93b18d827bd2bbee2dd1ae Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Fri, 12 Jul 2013 10:58:48 -0400 +Subject: [PATCH 31/40] atl1e: fix dma mapping warnings + +[ Upstream commit 352900b583b2852152a1e05ea0e8b579292e731e ] + +Recently had this backtrace reported: +WARNING: at lib/dma-debug.c:937 check_unmap+0x47d/0x930() +Hardware name: System Product Name +ATL1E 0000:02:00.0: DMA-API: device driver failed to check map error[device +address=0x00000000cbfd1000] [size=90 bytes] [mapped as single] +Modules linked in: xt_conntrack nf_conntrack ebtable_filter ebtables +ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek iTCO_wdt +iTCO_vendor_support snd_hda_intel acpi_cpufreq mperf coretemp btrfs zlib_deflate +snd_hda_codec snd_hwdep microcode raid6_pq libcrc32c snd_seq usblp serio_raw xor +snd_seq_device joydev snd_pcm snd_page_alloc snd_timer snd lpc_ich i2c_i801 +soundcore mfd_core atl1e asus_atk0110 ata_generic pata_acpi radeon i2c_algo_bit +drm_kms_helper ttm drm i2c_core pata_marvell uinput +Pid: 314, comm: systemd-journal Not tainted 3.9.0-0.rc6.git2.3.fc19.x86_64 #1 +Call Trace: + [] warn_slowpath_common+0x66/0x80 + [] warn_slowpath_fmt+0x4c/0x50 + [] check_unmap+0x47d/0x930 + [] ? sched_clock_cpu+0xa8/0x100 + [] debug_dma_unmap_page+0x5f/0x70 + [] ? unmap_single+0x20/0x30 + [] atl1e_intr+0x3a1/0x5b0 [atl1e] + [] ? trace_hardirqs_off+0xd/0x10 + [] handle_irq_event_percpu+0x56/0x390 + [] handle_irq_event+0x3d/0x60 + [] handle_fasteoi_irq+0x5a/0x100 + [] handle_irq+0xbf/0x150 + [] ? file_sb_list_del+0x3f/0x50 + [] ? irq_enter+0x50/0xa0 + [] do_IRQ+0x4d/0xc0 + [] ? file_sb_list_del+0x3f/0x50 + [] common_interrupt+0x72/0x72 + [] ? lock_release+0xc2/0x310 + [] lg_local_unlock_cpu+0x24/0x50 + [] file_sb_list_del+0x3f/0x50 + [] fput+0x2d/0xc0 + [] filp_close+0x61/0x90 + [] __close_fd+0x8d/0x150 + [] sys_close+0x20/0x50 + [] system_call_fastpath+0x16/0x1b + +The usual straighforward failure to check for dma_mapping_error after a map +operation is completed. + +This patch should fix it, the reporter wandered off after filing this bz: +https://bugzilla.redhat.com/show_bug.cgi?id=954170 + +and I don't have hardware to test, but the fix is pretty straightforward, so I +figured I'd post it for review. + +Signed-off-by: Neil Horman +CC: Jay Cliburn +CC: Chris Snook +CC: "David S. Miller" +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 28 ++++++++++++++++++++++--- + 1 file changed, 25 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 0688bb8..8116cb8 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -1665,8 +1665,8 @@ check_sum: + return 0; + } + +-static void atl1e_tx_map(struct atl1e_adapter *adapter, +- struct sk_buff *skb, struct atl1e_tpd_desc *tpd) ++static int atl1e_tx_map(struct atl1e_adapter *adapter, ++ struct sk_buff *skb, struct atl1e_tpd_desc *tpd) + { + struct atl1e_tpd_desc *use_tpd = NULL; + struct atl1e_tx_buffer *tx_buffer = NULL; +@@ -1677,6 +1677,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, + u16 nr_frags; + u16 f; + int segment; ++ int ring_start = adapter->tx_ring.next_to_use; + + nr_frags = skb_shinfo(skb)->nr_frags; + segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK; +@@ -1689,6 +1690,9 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, + tx_buffer->length = map_len; + tx_buffer->dma = pci_map_single(adapter->pdev, + skb->data, hdr_len, PCI_DMA_TODEVICE); ++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) ++ return -ENOSPC; ++ + ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); + mapped_len += map_len; + use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); +@@ -1715,6 +1719,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, + tx_buffer->dma = + pci_map_single(adapter->pdev, skb->data + mapped_len, + map_len, PCI_DMA_TODEVICE); ++ ++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { ++ /* Reset the tx rings next pointer */ ++ adapter->tx_ring.next_to_use = ring_start; ++ return -ENOSPC; ++ } ++ + ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); + mapped_len += map_len; + use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); +@@ -1750,6 +1761,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, + (i * MAX_TX_BUF_LEN), + tx_buffer->length, + DMA_TO_DEVICE); ++ ++ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { ++ /* Reset the ring next to use pointer */ ++ adapter->tx_ring.next_to_use = ring_start; ++ return -ENOSPC; ++ } ++ + ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE); + use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); + use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) | +@@ -1767,6 +1785,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, + /* The last buffer info contain the skb address, + so it will be free after unmap */ + tx_buffer->skb = skb; ++ return 0; + } + + static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count, +@@ -1834,10 +1853,13 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb, + return NETDEV_TX_OK; + } + +- atl1e_tx_map(adapter, skb, tpd); ++ if (atl1e_tx_map(adapter, skb, tpd)) ++ goto out; ++ + atl1e_tx_queue(adapter, tpd_req, tpd); + + netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */ ++out: + spin_unlock_irqrestore(&adapter->tx_lock, flags); + return NETDEV_TX_OK; + } +-- +1.7.11.7 + + +From 326eb306b8445bccf894e99ccde478eb4731b726 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Tue, 16 Jul 2013 10:49:41 -0400 +Subject: [PATCH 32/40] atl1e: unmap partially mapped skb on dma error and + free skb + +[ Upstream commit 584ec4355355ffac43571b02a314d43eb2f7fcbf ] + +Ben Hutchings pointed out that my recent update to atl1e +in commit 352900b583b2852152a1e05ea0e8b579292e731e +("atl1e: fix dma mapping warnings") was missing a bit of code. + +Specifically it reset the hardware tx ring to its origional state when +we hit a dma error, but didn't unmap any exiting mappings from the +operation. This patch fixes that up. It also remembers to free the +skb in the event that an error occurs, so we don't leak. Untested, as +I don't have hardware. I think its pretty straightforward, but please +review closely. + +Signed-off-by: Neil Horman +CC: Ben Hutchings +CC: Jay Cliburn +CC: Chris Snook +CC: "David S. Miller" +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 24 +++++++++++++++++++++++- + 1 file changed, 23 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +index 8116cb8..c23bb02 100644 +--- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c ++++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c +@@ -1678,6 +1678,7 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, + u16 f; + int segment; + int ring_start = adapter->tx_ring.next_to_use; ++ int ring_end; + + nr_frags = skb_shinfo(skb)->nr_frags; + segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK; +@@ -1721,6 +1722,15 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, + map_len, PCI_DMA_TODEVICE); + + if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { ++ /* We need to unwind the mappings we've done */ ++ ring_end = adapter->tx_ring.next_to_use; ++ adapter->tx_ring.next_to_use = ring_start; ++ while (adapter->tx_ring.next_to_use != ring_end) { ++ tpd = atl1e_get_tpd(adapter); ++ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); ++ pci_unmap_single(adapter->pdev, tx_buffer->dma, ++ tx_buffer->length, PCI_DMA_TODEVICE); ++ } + /* Reset the tx rings next pointer */ + adapter->tx_ring.next_to_use = ring_start; + return -ENOSPC; +@@ -1763,6 +1773,16 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, + DMA_TO_DEVICE); + + if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { ++ /* We need to unwind the mappings we've done */ ++ ring_end = adapter->tx_ring.next_to_use; ++ adapter->tx_ring.next_to_use = ring_start; ++ while (adapter->tx_ring.next_to_use != ring_end) { ++ tpd = atl1e_get_tpd(adapter); ++ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); ++ dma_unmap_page(&adapter->pdev->dev, tx_buffer->dma, ++ tx_buffer->length, DMA_TO_DEVICE); ++ } ++ + /* Reset the ring next to use pointer */ + adapter->tx_ring.next_to_use = ring_start; + return -ENOSPC; +@@ -1853,8 +1873,10 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb, + return NETDEV_TX_OK; + } + +- if (atl1e_tx_map(adapter, skb, tpd)) ++ if (atl1e_tx_map(adapter, skb, tpd)) { ++ dev_kfree_skb_any(skb); + goto out; ++ } + + atl1e_tx_queue(adapter, tpd_req, tpd); + +-- +1.7.11.7 + + +From 4ff552ad9b0463045a9211c5548288fa70649474 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Mon, 15 Jul 2013 20:03:19 -0700 +Subject: [PATCH 33/40] ipv4: set transport header earlier + +[ Upstream commit 21d1196a35f5686c4323e42a62fdb4b23b0ab4a3 ] + +commit 45f00f99d6e ("ipv4: tcp: clean up tcp_v4_early_demux()") added a +performance regression for non GRO traffic, basically disabling +IP early demux. + +IPv6 stack resets transport header in ip6_rcv() before calling +IP early demux in ip6_rcv_finish(), while IPv4 does this only in +ip_local_deliver_finish(), _after_ IP early demux. + +GRO traffic happened to enable IP early demux because transport header +is also set in inet_gro_receive() + +Instead of reverting the faulty commit, we can make IPv4/IPv6 behave the +same : transport_header should be set in ip_rcv() instead of +ip_local_deliver_finish() + +ip_local_deliver_finish() can also use skb_network_header_len() which is +faster than ip_hdrlen() + +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Tom Herbert +Signed-off-by: David S. Miller +--- + net/ipv4/ip_input.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c +index 3da817b..15e3e68 100644 +--- a/net/ipv4/ip_input.c ++++ b/net/ipv4/ip_input.c +@@ -190,10 +190,7 @@ static int ip_local_deliver_finish(struct sk_buff *skb) + { + struct net *net = dev_net(skb->dev); + +- __skb_pull(skb, ip_hdrlen(skb)); +- +- /* Point into the IP datagram, just past the header. */ +- skb_reset_transport_header(skb); ++ __skb_pull(skb, skb_network_header_len(skb)); + + rcu_read_lock(); + { +@@ -437,6 +434,8 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, + goto drop; + } + ++ skb->transport_header = skb->network_header + iph->ihl*4; ++ + /* Remove any debris in the socket control block */ + memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); + +-- +1.7.11.7 + + +From b88b4272651cb4ee68c7a32cfc256fd4e8fdf735 Mon Sep 17 00:00:00 2001 +From: Sarveshwar Bandi +Date: Tue, 16 Jul 2013 12:44:02 +0530 +Subject: [PATCH 34/40] be2net: Fix to avoid hardware workaround when not + needed + +[ Upstream commit 52fe29e4bb614367c108b717c6d7fe5953eb7af3 ] + +Hardware workaround requesting hardware to skip vlan insertion is necessary +only when umc or qnq is enabled. Enabling this workaround in other scenarios +could cause controller to stall. + +Signed-off-by: Sarveshwar Bandi +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/emulex/benet/be_main.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c +index a0b4be5..6e43426 100644 +--- a/drivers/net/ethernet/emulex/benet/be_main.c ++++ b/drivers/net/ethernet/emulex/benet/be_main.c +@@ -782,16 +782,22 @@ static struct sk_buff *be_insert_vlan_in_pkt(struct be_adapter *adapter, + + if (vlan_tx_tag_present(skb)) + vlan_tag = be_get_tx_vlan_tag(adapter, skb); +- else if (qnq_async_evt_rcvd(adapter) && adapter->pvid) +- vlan_tag = adapter->pvid; ++ ++ if (qnq_async_evt_rcvd(adapter) && adapter->pvid) { ++ if (!vlan_tag) ++ vlan_tag = adapter->pvid; ++ /* f/w workaround to set skip_hw_vlan = 1, informs the F/W to ++ * skip VLAN insertion ++ */ ++ if (skip_hw_vlan) ++ *skip_hw_vlan = true; ++ } + + if (vlan_tag) { + skb = __vlan_put_tag(skb, htons(ETH_P_8021Q), vlan_tag); + if (unlikely(!skb)) + return skb; + skb->vlan_tci = 0; +- if (skip_hw_vlan) +- *skip_hw_vlan = true; + } + + /* Insert the outer VLAN, if any */ +-- +1.7.11.7 + + +From fe7d570e2db88a8b10c61122d17cb0effd04e3c0 Mon Sep 17 00:00:00 2001 +From: Haiyang Zhang +Date: Tue, 16 Jul 2013 23:01:20 -0700 +Subject: [PATCH 35/40] hyperv: Fix the NETIF_F_SG flag setting in netvsc + +[ Upstream commit f45708209dc445bac0844f6ce86e315a2ffe8a29 ] + +SG mode is not currently supported by netvsc, so remove this flag for now. +Otherwise, it will be unconditionally enabled by commit ec5f0615642 + "Kill link between CSUM and SG features" +Previously, the SG feature is disabled because CSUM is not set here. + +Signed-off-by: Haiyang Zhang +Reviewed-by: K. Y. Srinivasan +Signed-off-by: David S. Miller +--- + drivers/net/hyperv/netvsc_drv.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c +index 4dccead..23a0fff 100644 +--- a/drivers/net/hyperv/netvsc_drv.c ++++ b/drivers/net/hyperv/netvsc_drv.c +@@ -431,8 +431,8 @@ static int netvsc_probe(struct hv_device *dev, + net->netdev_ops = &device_ops; + + /* TODO: Add GSO and Checksum offload */ +- net->hw_features = NETIF_F_SG; +- net->features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_TX; ++ net->hw_features = 0; ++ net->features = NETIF_F_HW_VLAN_CTAG_TX; + + SET_ETHTOOL_OPS(net, ðtool_ops); + SET_NETDEV_DEV(net, &dev->device); +-- +1.7.11.7 + + +From 5f65eb80604e70df56b97008538069892bb81205 Mon Sep 17 00:00:00 2001 +From: Paolo Valente +Date: Tue, 16 Jul 2013 08:52:30 +0200 +Subject: [PATCH 36/40] pkt_sched: sch_qfq: remove a source of high packet + delay/jitter + +[ Upstream commit 87f40dd6ce7042caca0b3b557e8923127f51f902 ] + +QFQ+ inherits from QFQ a design choice that may cause a high packet +delay/jitter and a severe short-term unfairness. As QFQ, QFQ+ uses a +special quantity, the system virtual time, to track the service +provided by the ideal system it approximates. When a packet is +dequeued, this quantity must be incremented by the size of the packet, +divided by the sum of the weights of the aggregates waiting to be +served. Tracking this sum correctly is a non-trivial task, because, to +preserve tight service guarantees, the decrement of this sum must be +delayed in a special way [1]: this sum can be decremented only after +that its value would decrease also in the ideal system approximated by +QFQ+. For efficiency, QFQ+ keeps track only of the 'instantaneous' +weight sum, increased and decreased immediately as the weight of an +aggregate changes, and as an aggregate is created or destroyed (which, +in its turn, happens as a consequence of some class being +created/destroyed/changed). However, to avoid the problems caused to +service guarantees by these immediate decreases, QFQ+ increments the +system virtual time using the maximum value allowed for the weight +sum, 2^10, in place of the dynamic, instantaneous value. The +instantaneous value of the weight sum is used only to check whether a +request of weight increase or a class creation can be satisfied. + +Unfortunately, the problems caused by this choice are worse than the +temporary degradation of the service guarantees that may occur, when a +class is changed or destroyed, if the instantaneous value of the +weight sum was used to update the system virtual time. In fact, the +fraction of the link bandwidth guaranteed by QFQ+ to each aggregate is +equal to the ratio between the weight of the aggregate and the sum of +the weights of the competing aggregates. The packet delay guaranteed +to the aggregate is instead inversely proportional to the guaranteed +bandwidth. By using the maximum possible value, and not the actual +value of the weight sum, QFQ+ provides each aggregate with the worst +possible service guarantees, and not with service guarantees related +to the actual set of competing aggregates. To see the consequences of +this fact, consider the following simple example. + +Suppose that only the following aggregates are backlogged, i.e., that +only the classes in the following aggregates have packets to transmit: +one aggregate with weight 10, say A, and ten aggregates with weight 1, +say B1, B2, ..., B10. In particular, suppose that these aggregates are +always backlogged. Given the weight distribution, the smoothest and +fairest service order would be: +A B1 A B2 A B3 A B4 A B5 A B6 A B7 A B8 A B9 A B10 A B1 A B2 ... + +QFQ+ would provide exactly this optimal service if it used the actual +value for the weight sum instead of the maximum possible value, i.e., +11 instead of 2^10. In contrast, since QFQ+ uses the latter value, it +serves aggregates as follows (easy to prove and to reproduce +experimentally): +A B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 A A A A A A A A A A B1 B2 ... B10 A A ... + +By replacing 10 with N in the above example, and by increasing N, one +can increase at will the maximum packet delay and the jitter +experienced by the classes in aggregate A. + +This patch addresses this issue by just using the above +'instantaneous' value of the weight sum, instead of the maximum +possible value, when updating the system virtual time. After the +instantaneous weight sum is decreased, QFQ+ may deviate from the ideal +service for a time interval in the order of the time to serve one +maximum-size packet for each backlogged class. The worst-case extent +of the deviation exhibited by QFQ+ during this time interval [1] is +basically the same as of the deviation described above (but, without +this patch, QFQ+ suffers from such a deviation all the time). Finally, +this patch modifies the comment to the function qfq_slot_insert, to +make it coherent with the fact that the weight sum used by QFQ+ can +now be lower than the maximum possible value. + +[1] P. Valente, "Extending WF2Q+ to support a dynamic traffic mix", +Proceedings of AAA-IDEA'05, June 2005. + +Signed-off-by: Paolo Valente +Signed-off-by: David S. Miller +--- + net/sched/sch_qfq.c | 85 +++++++++++++++++++++++++++++++++++------------------ + 1 file changed, 56 insertions(+), 29 deletions(-) + +diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c +index d51852b..5792252 100644 +--- a/net/sched/sch_qfq.c ++++ b/net/sched/sch_qfq.c +@@ -113,7 +113,6 @@ + + #define FRAC_BITS 30 /* fixed point arithmetic */ + #define ONE_FP (1UL << FRAC_BITS) +-#define IWSUM (ONE_FP/QFQ_MAX_WSUM) + + #define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */ + #define QFQ_MIN_LMAX 512 /* see qfq_slot_insert */ +@@ -189,6 +188,7 @@ struct qfq_sched { + struct qfq_aggregate *in_serv_agg; /* Aggregate being served. */ + u32 num_active_agg; /* Num. of active aggregates */ + u32 wsum; /* weight sum */ ++ u32 iwsum; /* inverse weight sum */ + + unsigned long bitmaps[QFQ_MAX_STATE]; /* Group bitmaps. */ + struct qfq_group groups[QFQ_MAX_INDEX + 1]; /* The groups. */ +@@ -314,6 +314,7 @@ static void qfq_update_agg(struct qfq_sched *q, struct qfq_aggregate *agg, + + q->wsum += + (int) agg->class_weight * (new_num_classes - agg->num_classes); ++ q->iwsum = ONE_FP / q->wsum; + + agg->num_classes = new_num_classes; + } +@@ -340,6 +341,10 @@ static void qfq_destroy_agg(struct qfq_sched *q, struct qfq_aggregate *agg) + { + if (!hlist_unhashed(&agg->nonfull_next)) + hlist_del_init(&agg->nonfull_next); ++ q->wsum -= agg->class_weight; ++ if (q->wsum != 0) ++ q->iwsum = ONE_FP / q->wsum; ++ + if (q->in_serv_agg == agg) + q->in_serv_agg = qfq_choose_next_agg(q); + kfree(agg); +@@ -827,38 +832,60 @@ static void qfq_make_eligible(struct qfq_sched *q) + } + } + +- + /* +- * The index of the slot in which the aggregate is to be inserted must +- * not be higher than QFQ_MAX_SLOTS-2. There is a '-2' and not a '-1' +- * because the start time of the group may be moved backward by one +- * slot after the aggregate has been inserted, and this would cause +- * non-empty slots to be right-shifted by one position. ++ * The index of the slot in which the input aggregate agg is to be ++ * inserted must not be higher than QFQ_MAX_SLOTS-2. There is a '-2' ++ * and not a '-1' because the start time of the group may be moved ++ * backward by one slot after the aggregate has been inserted, and ++ * this would cause non-empty slots to be right-shifted by one ++ * position. ++ * ++ * QFQ+ fully satisfies this bound to the slot index if the parameters ++ * of the classes are not changed dynamically, and if QFQ+ never ++ * happens to postpone the service of agg unjustly, i.e., it never ++ * happens that the aggregate becomes backlogged and eligible, or just ++ * eligible, while an aggregate with a higher approximated finish time ++ * is being served. In particular, in this case QFQ+ guarantees that ++ * the timestamps of agg are low enough that the slot index is never ++ * higher than 2. Unfortunately, QFQ+ cannot provide the same ++ * guarantee if it happens to unjustly postpone the service of agg, or ++ * if the parameters of some class are changed. ++ * ++ * As for the first event, i.e., an out-of-order service, the ++ * upper bound to the slot index guaranteed by QFQ+ grows to ++ * 2 + ++ * QFQ_MAX_AGG_CLASSES * ((1<budget -= len; + +- q->V += (u64)len * IWSUM; ++ q->V += (u64)len * q->iwsum; + pr_debug("qfq dequeue: len %u F %lld now %lld\n", + len, (unsigned long long) in_serv_agg->F, + (unsigned long long) q->V); +-- +1.7.11.7 + + +From 9055660d71ce3255b6e2f3ce0050ce722ac4e594 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 18 Jul 2013 10:55:15 +0800 +Subject: [PATCH 37/40] tuntap: do not zerocopy if iov needs more pages than + MAX_SKB_FRAGS + +[ Upstream commit 885291761dba2bfe04df4c0f7bb75e4c920ab82e ] + +We try to linearize part of the skb when the number of iov is greater than +MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than +one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest +network. + +Solve this problem by calculate the pages needed for iov before trying to do +zerocopy and switch to use copy instead of zerocopy if it needs more than +MAX_SKB_FRAGS. + +This is done through introducing a new helper to count the pages for iov, and +call uarg->callback() manually when switching from zerocopy to copy to notify +vhost. + +We can do further optimization on top. + +The bug were introduced from commit 0690899b4d4501b3505be069b9a687e68ccbe15b +(tun: experimental zero copy tx support) + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +--- + drivers/net/tun.c | 62 ++++++++++++++++++++++++++++++++++--------------------- + 1 file changed, 38 insertions(+), 24 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index c3cb60b..2491eb2 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1037,6 +1037,29 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, + return 0; + } + ++static unsigned long iov_pages(const struct iovec *iv, int offset, ++ unsigned long nr_segs) ++{ ++ unsigned long seg, base; ++ int pages = 0, len, size; ++ ++ while (nr_segs && (offset >= iv->iov_len)) { ++ offset -= iv->iov_len; ++ ++iv; ++ --nr_segs; ++ } ++ ++ for (seg = 0; seg < nr_segs; seg++) { ++ base = (unsigned long)iv[seg].iov_base + offset; ++ len = iv[seg].iov_len - offset; ++ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; ++ pages += size; ++ offset = 0; ++ } ++ ++ return pages; ++} ++ + /* Get packet from user space buffer */ + static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + void *msg_control, const struct iovec *iv, +@@ -1084,32 +1107,18 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + return -EINVAL; + } + +- if (msg_control) +- zerocopy = true; +- +- if (zerocopy) { +- /* Userspace may produce vectors with count greater than +- * MAX_SKB_FRAGS, so we need to linearize parts of the skb +- * to let the rest of data to be fit in the frags. +- */ +- if (count > MAX_SKB_FRAGS) { +- copylen = iov_length(iv, count - MAX_SKB_FRAGS); +- if (copylen < offset) +- copylen = 0; +- else +- copylen -= offset; +- } else +- copylen = 0; +- /* There are 256 bytes to be copied in skb, so there is enough +- * room for skb expand head in case it is used. ++ if (msg_control) { ++ /* There are 256 bytes to be copied in skb, so there is ++ * enough room for skb expand head in case it is used. + * The rest of the buffer is mapped from userspace. + */ +- if (copylen < gso.hdr_len) +- copylen = gso.hdr_len; +- if (!copylen) +- copylen = GOODCOPY_LEN; ++ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN; + linear = copylen; +- } else { ++ if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS) ++ zerocopy = true; ++ } ++ ++ if (!zerocopy) { + copylen = len; + linear = gso.hdr_len; + } +@@ -1123,8 +1132,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, + + if (zerocopy) + err = zerocopy_sg_from_iovec(skb, iv, offset, count); +- else ++ else { + err = skb_copy_datagram_from_iovec(skb, 0, iv, offset, len); ++ if (!err && msg_control) { ++ struct ubuf_info *uarg = msg_control; ++ uarg->callback(uarg, false); ++ } ++ } + + if (err) { + tun->dev->stats.rx_dropped++; +-- +1.7.11.7 + + +From 8270a0a6bfec886971fdece9d4087d4f5e4f62b6 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Thu, 18 Jul 2013 10:55:16 +0800 +Subject: [PATCH 38/40] macvtap: do not zerocopy if iov needs more pages than + MAX_SKB_FRAGS + +[ Upstream commit ece793fcfc417b3925844be88a6a6dc82ae8f7c6 ] + +We try to linearize part of the skb when the number of iov is greater than +MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than +one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest +network. + +Solve this problem by calculate the pages needed for iov before trying to do +zerocopy and switch to use copy instead of zerocopy if it needs more than +MAX_SKB_FRAGS. + +This is done through introducing a new helper to count the pages for iov, and +call uarg->callback() manually when switching from zerocopy to copy to notify +vhost. + +We can do further optimization on top. + +This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73 +(macvtap: zerocopy: validate vectors before building skb). + +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +--- + drivers/net/macvtap.c | 62 ++++++++++++++++++++++++++++++--------------------- + 1 file changed, 37 insertions(+), 25 deletions(-) + +diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c +index 502d948..523d6b2 100644 +--- a/drivers/net/macvtap.c ++++ b/drivers/net/macvtap.c +@@ -633,6 +633,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, + return 0; + } + ++static unsigned long iov_pages(const struct iovec *iv, int offset, ++ unsigned long nr_segs) ++{ ++ unsigned long seg, base; ++ int pages = 0, len, size; ++ ++ while (nr_segs && (offset >= iv->iov_len)) { ++ offset -= iv->iov_len; ++ ++iv; ++ --nr_segs; ++ } ++ ++ for (seg = 0; seg < nr_segs; seg++) { ++ base = (unsigned long)iv[seg].iov_base + offset; ++ len = iv[seg].iov_len - offset; ++ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; ++ pages += size; ++ offset = 0; ++ } ++ ++ return pages; ++} + + /* Get packet from user space buffer */ + static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, +@@ -679,31 +701,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + if (unlikely(count > UIO_MAXIOV)) + goto err; + +- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) +- zerocopy = true; +- +- if (zerocopy) { +- /* Userspace may produce vectors with count greater than +- * MAX_SKB_FRAGS, so we need to linearize parts of the skb +- * to let the rest of data to be fit in the frags. +- */ +- if (count > MAX_SKB_FRAGS) { +- copylen = iov_length(iv, count - MAX_SKB_FRAGS); +- if (copylen < vnet_hdr_len) +- copylen = 0; +- else +- copylen -= vnet_hdr_len; +- } +- /* There are 256 bytes to be copied in skb, so there is enough +- * room for skb expand head in case it is used. +- * The rest buffer is mapped from userspace. +- */ +- if (copylen < vnet_hdr.hdr_len) +- copylen = vnet_hdr.hdr_len; +- if (!copylen) +- copylen = GOODCOPY_LEN; ++ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) { ++ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN; + linear = copylen; +- } else { ++ if (iov_pages(iv, vnet_hdr_len + copylen, count) ++ <= MAX_SKB_FRAGS) ++ zerocopy = true; ++ } ++ ++ if (!zerocopy) { + copylen = len; + linear = vnet_hdr.hdr_len; + } +@@ -715,9 +721,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, + + if (zerocopy) + err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count); +- else ++ else { + err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len, + len); ++ if (!err && m && m->msg_control) { ++ struct ubuf_info *uarg = m->msg_control; ++ uarg->callback(uarg, false); ++ } ++ } ++ + if (err) + goto err_kfree; + +-- +1.7.11.7 + + +From d001214123790aea1c3e77dd0b92136f0443a93a Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Jul 2013 07:19:26 -0700 +Subject: [PATCH 39/40] vlan: mask vlan prio bits + +[ Upstream commit d4b812dea4a236f729526facf97df1a9d18e191c ] + +In commit 48cc32d38a52d0b68f91a171a8d00531edc6a46e +("vlan: don't deliver frames for unknown vlans to protocols") +Florian made sure we set pkt_type to PACKET_OTHERHOST +if the vlan id is set and we could find a vlan device for this +particular id. + +But we also have a problem if prio bits are set. + +Steinar reported an issue on a router receiving IPv6 frames with a +vlan tag of 4000 (id 0, prio 2), and tunneled into a sit device, +because skb->vlan_tci is set. + +Forwarded frame is completely corrupted : We can see (8100:4000) +being inserted in the middle of IPv6 source address : + +16:48:00.780413 IP6 2001:16d8:8100:4000:ee1c:0:9d9:bc87 > +9f94:4d95:2001:67c:29f4::: ICMP6, unknown icmp6 type (0), length 64 + 0x0000: 0000 0029 8000 c7c3 7103 0001 a0ae e651 + 0x0010: 0000 0000 ccce 0b00 0000 0000 1011 1213 + 0x0020: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 + 0x0030: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 + +It seems we are not really ready to properly cope with this right now. + +We can probably do better in future kernels : +vlan_get_ingress_priority() should be a netdev property instead of +a per vlan_dev one. + +For stable kernels, lets clear vlan_tci to fix the bugs. + +Reported-by: Steinar H. Gunderson +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + include/linux/if_vlan.h | 3 +-- + net/8021q/vlan_core.c | 2 +- + net/core/dev.c | 11 +++++++++-- + 3 files changed, 11 insertions(+), 5 deletions(-) + +diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h +index 637fa71d..0b34988 100644 +--- a/include/linux/if_vlan.h ++++ b/include/linux/if_vlan.h +@@ -79,9 +79,8 @@ static inline int is_vlan_dev(struct net_device *dev) + } + + #define vlan_tx_tag_present(__skb) ((__skb)->vlan_tci & VLAN_TAG_PRESENT) +-#define vlan_tx_nonzero_tag_present(__skb) \ +- (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci & VLAN_VID_MASK)) + #define vlan_tx_tag_get(__skb) ((__skb)->vlan_tci & ~VLAN_TAG_PRESENT) ++#define vlan_tx_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK) + + #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) + +diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c +index 8a15eaa..4a78c4d 100644 +--- a/net/8021q/vlan_core.c ++++ b/net/8021q/vlan_core.c +@@ -9,7 +9,7 @@ bool vlan_do_receive(struct sk_buff **skbp) + { + struct sk_buff *skb = *skbp; + __be16 vlan_proto = skb->vlan_proto; +- u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK; ++ u16 vlan_id = vlan_tx_tag_get_id(skb); + struct net_device *vlan_dev; + struct vlan_pcpu_stats *rx_stats; + +diff --git a/net/core/dev.c b/net/core/dev.c +index faebb39..7ddbb31 100644 +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -3513,8 +3513,15 @@ ncls: + } + } + +- if (vlan_tx_nonzero_tag_present(skb)) +- skb->pkt_type = PACKET_OTHERHOST; ++ if (unlikely(vlan_tx_tag_present(skb))) { ++ if (vlan_tx_tag_get_id(skb)) ++ skb->pkt_type = PACKET_OTHERHOST; ++ /* Note: we might in the future use prio bits ++ * and set skb->priority like in vlan_do_receive() ++ * For the time being, just ignore Priority Code Point ++ */ ++ skb->vlan_tci = 0; ++ } + + /* deliver only exact match when indicated */ + null_or_dev = deliver_exact ? skb->dev : NULL; +-- +1.7.11.7 + + +From d766645d1d1f64631ef50df36c47c37bded82051 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 18 Jul 2013 09:35:10 -0700 +Subject: [PATCH 40/40] vlan: fix a race in egress prio management + +[ Upstream commit 3e3aac497513c669e1c62c71e1d552ea85c1d974 ] + +egress_priority_map[] hash table updates are protected by rtnl, +and we never remove elements until device is dismantled. + +We have to make sure that before inserting an new element in hash table, +all its fields are committed to memory or else another cpu could +find corrupt values and crash. + +Signed-off-by: Eric Dumazet +Cc: Patrick McHardy +Signed-off-by: David S. Miller +--- + net/8021q/vlan_dev.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c +index 3a8c8fd..1cd3d2a 100644 +--- a/net/8021q/vlan_dev.c ++++ b/net/8021q/vlan_dev.c +@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_device *dev, struct sk_buff *skb) + { + struct vlan_priority_tci_mapping *mp; + ++ smp_rmb(); /* coupled with smp_wmb() in vlan_dev_set_egress_priority() */ ++ + mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)]; + while (mp) { + if (mp->priority == skb->priority) { +@@ -249,6 +251,11 @@ int vlan_dev_set_egress_priority(const struct net_device *dev, + np->next = mp; + np->priority = skb_prio; + np->vlan_qos = vlan_qos; ++ /* Before inserting this element in hash table, make sure all its fields ++ * are committed to memory. ++ * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask() ++ */ ++ smp_wmb(); + vlan->egress_priority_map[skb_prio & 0xF] = np; + if (vlan_qos) + vlan->nr_egress_mappings++; +-- +1.7.11.7 + diff --git a/vhost-net-fix-use-after-free-in-vhost_net_flush.patch b/vhost-net-fix-use-after-free-in-vhost_net_flush.patch deleted file mode 100644 index aca70f0d4..000000000 --- a/vhost-net-fix-use-after-free-in-vhost_net_flush.patch +++ /dev/null @@ -1,54 +0,0 @@ -commit c38e39c378f46f00ce922dd40a91043a9925c28d -Author: Michael S. Tsirkin -Date: Tue Jun 25 17:29:46 2013 +0300 - - vhost-net: fix use-after-free in vhost_net_flush - - vhost_net_ubuf_put_and_wait has a confusing name: - it will actually also free it's argument. - Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 - "vhost-net: flush outstanding DMAs on memory change" - vhost_net_flush tries to use the argument after passing it - to vhost_net_ubuf_put_and_wait, this results - in use after free. - To fix, don't free the argument in vhost_net_ubuf_put_and_wait, - add an new API for callers that want to free ubufs. - - Acked-by: Asias He - Acked-by: Jason Wang - Signed-off-by: Michael S. Tsirkin - -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index f80d3dd..8ca5ac7 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) - { - kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal); - wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); -+} -+ -+static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) -+{ -+ vhost_net_ubuf_put_and_wait(ubufs); - kfree(ubufs); - } - -@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) - mutex_unlock(&vq->mutex); - - if (oldubufs) { -- vhost_net_ubuf_put_and_wait(oldubufs); -+ vhost_net_ubuf_put_wait_and_free(oldubufs); - mutex_lock(&vq->mutex); - vhost_zerocopy_signal_used(n, vq); - mutex_unlock(&vq->mutex); -@@ -966,7 +971,7 @@ err_used: - rcu_assign_pointer(vq->private_data, oldsock); - vhost_net_enable_vq(n, vq); - if (ubufs) -- vhost_net_ubuf_put_and_wait(ubufs); -+ vhost_net_ubuf_put_wait_and_free(ubufs); - err_ubufs: - fput(sock->file); - err_vq: From 783f6b18814afda28c7e89b25668e7339bd72efa Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 25 Jul 2013 18:36:04 -0500 Subject: [PATCH 170/468] Linux v3.10.3 --- kernel.spec | 7 +++++-- sources | 3 +-- 2 files changed, 6 insertions(+), 4 deletions(-) diff --git a/kernel.spec b/kernel.spec index 73e3582a3..1f40b2723 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 300 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2302,6 +2302,9 @@ fi # and build. %changelog +* Thu Jul 25 2013 Justin M. Forbes 3.10.3-300 +- Linux v3.10.3 + * Wed Jul 24 2013 Justin M. Forbes - Net stable queue from davem (rhbz 987639 987656) diff --git a/sources b/sources index 736fd854a..9619b65bb 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -0e7f2a767ef3b3643856c96af3409af3 patch-3.10.1.xz -0c94fa440515e289495909749d04aae4 patch-3.10.2.xz +2120557e0a6209d48d854ad0df9314e0 patch-3.10.3.xz From 242df50877a0bd7f233bf7f8992f2fd00ac281d1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 26 Jul 2013 10:43:52 -0400 Subject: [PATCH 171/468] Add patch to fix NULL deref in iwlwifi (rhbz 979581) --- ...ng-ieee80211_chswitch_done-with-NULL.patch | 58 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 67 insertions(+) create mode 100644 iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch diff --git a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch new file mode 100644 index 000000000..84d6aa06d --- /dev/null +++ b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch @@ -0,0 +1,58 @@ +If channel switch is pending and we remove interface we can +crash like showed below due to passing NULL vif to mac80211: + +BUG: unable to handle kernel paging request at fffffffffffff8cc +IP: [] strnlen+0xd/0x40 +Call Trace: + [] string.isra.3+0x3e/0xd0 + [] vsnprintf+0x219/0x640 + [] vscnprintf+0x11/0x30 + [] vprintk_emit+0x115/0x4f0 + [] printk+0x61/0x63 + [] ieee80211_chswitch_done+0xaf/0xd0 [mac80211] + [] iwl_chswitch_done+0x34/0x40 [iwldvm] + [] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm] + [] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm] + [] iwl_set_mode+0x36/0x40 [iwldvm] + [] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm] + [] ieee80211_do_stop+0x29d/0x7f0 [mac80211] + +This is because we nulify ctx->vif in iwlagn_mac_remove_interface() +before calling some other functions that teardown interface. To fix +just check ctx->vif on iwl_chswitch_done(). We should not call +ieee80211_chswitch_done() as channel switch works were already canceled +by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop(). + +Resolve: +https://bugzilla.redhat.com/show_bug.cgi?id=979581 + +Cc: stable@vger.kernel.org +Reported-by: Lukasz Jagiello +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c +index 323e4a3..9a817df 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c ++++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c +@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success) + if (test_bit(STATUS_EXIT_PENDING, &priv->status)) + return; + +- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) ++ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) ++ return; ++ ++ if (ctx->vif) + ieee80211_chswitch_done(ctx->vif, is_success); + } + +-- +1.7.11.7 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 1f40b2723..8f533cbd9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -773,6 +773,9 @@ Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 987639 987656 Patch25065: net_310.mbox +#rhbz 979581 +Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch + # END OF PATCH DEFINITIONS %endif @@ -1494,6 +1497,9 @@ ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch #rhbz 987639 987656 ApplyPatch net_310.mbox +#rhbz 979581 +ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch + # END OF PATCH APPLICATIONS %endif @@ -2302,6 +2308,9 @@ fi # and build. %changelog +* Fri Jul 26 2013 Josh Boyer +- Add patch to fix NULL deref in iwlwifi (rhbz 979581) + * Thu Jul 25 2013 Justin M. Forbes 3.10.3-300 - Linux v3.10.3 From afb79ca6239d622c9b929bd9e238d5536292cc41 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 29 Jul 2013 08:29:29 -0400 Subject: [PATCH 172/468] Add support for elantech v7 devices (rhbz 969473) --- ...h-fix-for-newer-hardware-versions-v7.patch | 70 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 79 insertions(+) create mode 100644 Input-elantech-fix-for-newer-hardware-versions-v7.patch diff --git a/Input-elantech-fix-for-newer-hardware-versions-v7.patch b/Input-elantech-fix-for-newer-hardware-versions-v7.patch new file mode 100644 index 000000000..b9495d75d --- /dev/null +++ b/Input-elantech-fix-for-newer-hardware-versions-v7.patch @@ -0,0 +1,70 @@ +From 9eebed7de660c0b5ab129a9de4f89d20b60de68c Mon Sep 17 00:00:00 2001 +From: Matteo Delfino +Date: Sat, 6 Jul 2013 21:52:26 -0700 +Subject: [PATCH] Input: elantech - fix for newer hardware versions (v7) + +* Fix version recognition in elantech_set_properties + + The new hardware reports itself as v7 but the packets' + structure is unaltered. + +* Fix packet type recognition in elantech_packet_check_v4 + + The bitmask used for v6 is too wide, only the last three bits of + the third byte in a packet (packet[3] & 0x03) are actually used to + distinguish between packet types. + Starting from v7, additional information (to be interpreted) is + stored in the remaining bits (packets[3] & 0x1c). + In addition, the value stored in (packet[0] & 0x0c) is no longer + a constant but contains additional information yet to be deciphered. + This change should be backwards compatible with v6 hardware. + +Additional-author: Giovanni Frigione +Signed-off-by: Matteo Delfino +Signed-off-by: Dmitry Torokhov +--- + drivers/input/mouse/elantech.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 1e8e42f..57b2637 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -694,18 +694,18 @@ static int elantech_packet_check_v3(struct psmouse *psmouse) + static int elantech_packet_check_v4(struct psmouse *psmouse) + { + unsigned char *packet = psmouse->packet; ++ unsigned char packet_type = packet[3] & 0x03; + +- if ((packet[0] & 0x0c) == 0x04 && +- (packet[3] & 0x1f) == 0x11) ++ switch (packet_type) { ++ case 0: ++ return PACKET_V4_STATUS; ++ ++ case 1: + return PACKET_V4_HEAD; + +- if ((packet[0] & 0x0c) == 0x04 && +- (packet[3] & 0x1f) == 0x12) ++ case 2: + return PACKET_V4_MOTION; +- +- if ((packet[0] & 0x0c) == 0x04 && +- (packet[3] & 0x1f) == 0x10) +- return PACKET_V4_STATUS; ++ } + + return PACKET_UNKNOWN; + } +@@ -1282,6 +1282,7 @@ static int elantech_set_properties(struct elantech_data *etd) + etd->hw_version = 3; + break; + case 6: ++ case 7: + etd->hw_version = 4; + break; + default: +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 8f533cbd9..1b68506a0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -776,6 +776,9 @@ Patch25065: net_310.mbox #rhbz 979581 Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch +#rhbz 969473 +Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch + # END OF PATCH DEFINITIONS %endif @@ -1500,6 +1503,9 @@ ApplyPatch net_310.mbox #rhbz 979581 ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch +#rhbz 969473 +ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch + # END OF PATCH APPLICATIONS %endif @@ -2308,6 +2314,9 @@ fi # and build. %changelog +* Mon Jul 29 2013 Josh Boyer +- Add support for elantech v7 devices (rhbz 969473) + * Fri Jul 26 2013 Josh Boyer - Add patch to fix NULL deref in iwlwifi (rhbz 979581) From db38fb0308a1b5cd02192a86efb59f47aabdbed7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 29 Jul 2013 08:36:37 -0400 Subject: [PATCH 173/468] Linux v3.10.4 --- kernel.spec | 9 +- net_310.mbox | 3429 -------------------------------------------------- sources | 2 +- 3 files changed, 3 insertions(+), 3437 deletions(-) delete mode 100644 net_310.mbox diff --git a/kernel.spec b/kernel.spec index 1b68506a0..439a7e2ab 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -770,9 +770,6 @@ Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 987639 987656 -Patch25065: net_310.mbox - #rhbz 979581 Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch @@ -1497,9 +1494,6 @@ ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch #rhbz 885407 ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch -#rhbz 987639 987656 -ApplyPatch net_310.mbox - #rhbz 979581 ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch @@ -2315,6 +2309,7 @@ fi %changelog * Mon Jul 29 2013 Josh Boyer +- Linux v3.10.4 - Add support for elantech v7 devices (rhbz 969473) * Fri Jul 26 2013 Josh Boyer diff --git a/net_310.mbox b/net_310.mbox deleted file mode 100644 index e602f5325..000000000 --- a/net_310.mbox +++ /dev/null @@ -1,3429 +0,0 @@ -From 79339ba50702248d19a8825906ceb527d547444f Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Thu, 27 Jun 2013 22:46:04 +0200 -Subject: [PATCH 01/40] ipv6: only apply anti-spoofing checks to - not-pointopoint tunnels - -[ Upstream commit 5c29fb12e8fb8a8105ea048cb160fd79a85a52bb ] - -Because of commit 218774dc341f219bfcf940304a081b121a0e8099 ("ipv6: add -anti-spoofing checks for 6to4 and 6rd") the sit driver dropped packets -for 2002::/16 destinations and sources even when configured to work as a -tunnel with fixed endpoint. We may only apply the 6rd/6to4 anti-spoofing -checks if the device is not in pointopoint mode. - -This was an oversight from me in the above commit, sorry. Thanks to -Roman Mamedov for reporting this! - -Reported-by: Roman Mamedov -Cc: David Miller -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/sit.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 3353634..60df36d 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -589,7 +589,7 @@ static int ipip6_rcv(struct sk_buff *skb) - tunnel->dev->stats.rx_errors++; - goto out; - } -- } else { -+ } else if (!(tunnel->dev->flags&IFF_POINTOPOINT)) { - if (is_spoofed_6rd(tunnel, iph->saddr, - &ipv6_hdr(skb)->saddr) || - is_spoofed_6rd(tunnel, iph->daddr, --- -1.7.11.7 - - -From d605a92bd29513e01af93275527252e7423b2ac7 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 28 Jun 2013 02:37:42 -0700 -Subject: [PATCH 02/40] neighbour: fix a race in neigh_destroy() - -[ Upstream commit c9ab4d85de222f3390c67aedc9c18a50e767531e ] - -There is a race in neighbour code, because neigh_destroy() uses -skb_queue_purge(&neigh->arp_queue) without holding neighbour lock, -while other parts of the code assume neighbour rwlock is what -protects arp_queue - -Convert all skb_queue_purge() calls to the __skb_queue_purge() variant - -Use __skb_queue_head_init() instead of skb_queue_head_init() -to make clear we do not use arp_queue.lock - -And hold neigh->lock in neigh_destroy() to close the race. - -Reported-by: Joe Jin -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/core/neighbour.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/net/core/neighbour.c b/net/core/neighbour.c -index 5c56b21..ce90b02 100644 ---- a/net/core/neighbour.c -+++ b/net/core/neighbour.c -@@ -231,7 +231,7 @@ static void neigh_flush_dev(struct neigh_table *tbl, struct net_device *dev) - we must kill timers etc. and move - it to safe state. - */ -- skb_queue_purge(&n->arp_queue); -+ __skb_queue_purge(&n->arp_queue); - n->arp_queue_len_bytes = 0; - n->output = neigh_blackhole; - if (n->nud_state & NUD_VALID) -@@ -286,7 +286,7 @@ static struct neighbour *neigh_alloc(struct neigh_table *tbl, struct net_device - if (!n) - goto out_entries; - -- skb_queue_head_init(&n->arp_queue); -+ __skb_queue_head_init(&n->arp_queue); - rwlock_init(&n->lock); - seqlock_init(&n->ha_lock); - n->updated = n->used = now; -@@ -708,7 +708,9 @@ void neigh_destroy(struct neighbour *neigh) - if (neigh_del_timer(neigh)) - pr_warn("Impossible event\n"); - -- skb_queue_purge(&neigh->arp_queue); -+ write_lock_bh(&neigh->lock); -+ __skb_queue_purge(&neigh->arp_queue); -+ write_unlock_bh(&neigh->lock); - neigh->arp_queue_len_bytes = 0; - - if (dev->netdev_ops->ndo_neigh_destroy) -@@ -858,7 +860,7 @@ static void neigh_invalidate(struct neighbour *neigh) - neigh->ops->error_report(neigh, skb); - write_lock(&neigh->lock); - } -- skb_queue_purge(&neigh->arp_queue); -+ __skb_queue_purge(&neigh->arp_queue); - neigh->arp_queue_len_bytes = 0; - } - -@@ -1210,7 +1212,7 @@ int neigh_update(struct neighbour *neigh, const u8 *lladdr, u8 new, - - write_lock_bh(&neigh->lock); - } -- skb_queue_purge(&neigh->arp_queue); -+ __skb_queue_purge(&neigh->arp_queue); - neigh->arp_queue_len_bytes = 0; - } - out: --- -1.7.11.7 - - -From ebae8ce31e1b43d3bcf62d5e906cc9ece42428ab Mon Sep 17 00:00:00 2001 -From: Dave Jones -Date: Fri, 28 Jun 2013 12:13:52 -0400 -Subject: [PATCH 03/40] x25: Fix broken locking in ioctl error paths. - -[ Upstream commit 4ccb93ce7439b63c31bc7597bfffd13567fa483d ] - -Two of the x25 ioctl cases have error paths that break out of the function without -unlocking the socket, leading to this warning: - -================================================ -[ BUG: lock held when returning to user space! ] -3.10.0-rc7+ #36 Not tainted ------------------------------------------------- -trinity-child2/31407 is leaving the kernel with locks still held! -1 lock held by trinity-child2/31407: - #0: (sk_lock-AF_X25){+.+.+.}, at: [] x25_ioctl+0x8a/0x740 [x25] - -Signed-off-by: Dave Jones -Signed-off-by: David S. Miller ---- - net/x25/af_x25.c | 15 ++++++++------- - 1 file changed, 8 insertions(+), 7 deletions(-) - -diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c -index 37ca969..22c88d2 100644 ---- a/net/x25/af_x25.c -+++ b/net/x25/af_x25.c -@@ -1583,11 +1583,11 @@ out_cud_release: - case SIOCX25CALLACCPTAPPRV: { - rc = -EINVAL; - lock_sock(sk); -- if (sk->sk_state != TCP_CLOSE) -- break; -- clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags); -+ if (sk->sk_state == TCP_CLOSE) { -+ clear_bit(X25_ACCPT_APPRV_FLAG, &x25->flags); -+ rc = 0; -+ } - release_sock(sk); -- rc = 0; - break; - } - -@@ -1595,14 +1595,15 @@ out_cud_release: - rc = -EINVAL; - lock_sock(sk); - if (sk->sk_state != TCP_ESTABLISHED) -- break; -+ goto out_sendcallaccpt_release; - /* must call accptapprv above */ - if (test_bit(X25_ACCPT_APPRV_FLAG, &x25->flags)) -- break; -+ goto out_sendcallaccpt_release; - x25_write_internal(sk, X25_CALL_ACCEPTED); - x25->state = X25_STATE_3; -- release_sock(sk); - rc = 0; -+out_sendcallaccpt_release: -+ release_sock(sk); - break; - } - --- -1.7.11.7 - - -From 7da0d57c053a603f3cac04587ecdab2b3072d769 Mon Sep 17 00:00:00 2001 -From: Changli Gao -Date: Sat, 29 Jun 2013 00:15:51 +0800 -Subject: [PATCH 04/40] net: Swap ver and type in pppoe_hdr - -[ Upstream commit b1a5a34bd0b8767ea689e68f8ea513e9710b671e ] - -Ver and type in pppoe_hdr should be swapped as defined by RFC2516 -section-4. - -Signed-off-by: David S. Miller ---- - include/uapi/linux/if_pppox.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/include/uapi/linux/if_pppox.h b/include/uapi/linux/if_pppox.h -index 0b46fd5..e36a4ae 100644 ---- a/include/uapi/linux/if_pppox.h -+++ b/include/uapi/linux/if_pppox.h -@@ -135,11 +135,11 @@ struct pppoe_tag { - - struct pppoe_hdr { - #if defined(__LITTLE_ENDIAN_BITFIELD) -- __u8 ver : 4; - __u8 type : 4; -+ __u8 ver : 4; - #elif defined(__BIG_ENDIAN_BITFIELD) -- __u8 type : 4; - __u8 ver : 4; -+ __u8 type : 4; - #else - #error "Please fix " - #endif --- -1.7.11.7 - - -From d9b54511307e46a8f144b20af88e9279966725f1 Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Sat, 29 Jun 2013 12:02:59 +0800 -Subject: [PATCH 05/40] gre: fix a regression in ioctl - -[ Upstream commit 6c734fb8592f6768170e48e7102cb2f0a1bb9759 ] - -When testing GRE tunnel, I got: - - # ip tunnel show - get tunnel gre0 failed: Invalid argument - get tunnel gre1 failed: Invalid argument - -This is a regression introduced by commit c54419321455631079c7d -("GRE: Refactor GRE tunneling code.") because previously we -only check the parameters for SIOCADDTUNNEL and SIOCCHGTUNNEL, -after that commit, the check is moved for all commands. - -So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. - -After this patch I got: - - # ip tunnel show - gre0: gre/ip remote any local any ttl inherit nopmtudisc - gre1: gre/ip remote 192.168.122.101 local 192.168.122.45 ttl inherit - -Cc: Pravin B Shelar -Cc: "David S. Miller" -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - net/ipv4/ip_gre.c | 9 +++++---- - 1 file changed, 5 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c -index 2a83591..855004f 100644 ---- a/net/ipv4/ip_gre.c -+++ b/net/ipv4/ip_gre.c -@@ -503,10 +503,11 @@ static int ipgre_tunnel_ioctl(struct net_device *dev, - - if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) - return -EFAULT; -- if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || -- p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || -- ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) { -- return -EINVAL; -+ if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) { -+ if (p.iph.version != 4 || p.iph.protocol != IPPROTO_GRE || -+ p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF)) || -+ ((p.i_flags|p.o_flags)&(GRE_VERSION|GRE_ROUTING))) -+ return -EINVAL; - } - p.i_flags = gre_flags_to_tnl_flags(p.i_flags); - p.o_flags = gre_flags_to_tnl_flags(p.o_flags); --- -1.7.11.7 - - -From 9df2226e2e019b405e6320599a6c07ef1e4be799 Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Sat, 29 Jun 2013 13:00:57 +0800 -Subject: [PATCH 06/40] vti: remove duplicated code to fix a memory leak - -[ Upstream commit ab6c7a0a43c2eaafa57583822b619b22637b49c7 ] - -vti module allocates dev->tstats twice: in vti_fb_tunnel_init() -and in vti_tunnel_init(), this lead to a memory leak of -dev->tstats. - -Just remove the duplicated operations in vti_fb_tunnel_init(). - -(candidate for -stable) - -Cc: Stephen Hemminger -Cc: Saurabh Mohan -Cc: "David S. Miller" -Signed-off-by: Cong Wang -Acked-by: Stephen Hemminger -Signed-off-by: David S. Miller ---- - net/ipv4/ip_vti.c | 7 ------- - 1 file changed, 7 deletions(-) - -diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index c118f6b..17cc0ff 100644 ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -606,17 +606,10 @@ static int __net_init vti_fb_tunnel_init(struct net_device *dev) - struct iphdr *iph = &tunnel->parms.iph; - struct vti_net *ipn = net_generic(dev_net(dev), vti_net_id); - -- tunnel->dev = dev; -- strcpy(tunnel->parms.name, dev->name); -- - iph->version = 4; - iph->protocol = IPPROTO_IPIP; - iph->ihl = 5; - -- dev->tstats = alloc_percpu(struct pcpu_tstats); -- if (!dev->tstats) -- return -ENOMEM; -- - dev_hold(dev); - rcu_assign_pointer(ipn->tunnels_wc[0], tunnel); - return 0; --- -1.7.11.7 - - -From 5be3a4ef6d4ada70eee9dddf402f09d5771f071b Mon Sep 17 00:00:00 2001 -From: Amerigo Wang -Date: Sat, 29 Jun 2013 21:30:49 +0800 -Subject: [PATCH 07/40] ipv6,mcast: always hold idev->lock before mca_lock - -[ Upstream commit 8965779d2c0e6ab246c82a405236b1fb2adae6b2, with - some bits from commit b7b1bfce0bb68bd8f6e62a28295922785cc63781 - ("ipv6: split duplicate address detection and router solicitation timer") - to get the __ipv6_get_lladdr() used by this patch. ] - -dingtianhong reported the following deadlock detected by lockdep: - - ====================================================== - [ INFO: possible circular locking dependency detected ] - 3.4.24.05-0.1-default #1 Not tainted - ------------------------------------------------------- - ksoftirqd/0/3 is trying to acquire lock: - (&ndev->lock){+.+...}, at: [] ipv6_get_lladdr+0x74/0x120 - - but task is already holding lock: - (&mc->mca_lock){+.+...}, at: [] mld_send_report+0x40/0x150 - - which lock already depends on the new lock. - - the existing dependency chain (in reverse order) is: - - -> #1 (&mc->mca_lock){+.+...}: - [] validate_chain+0x637/0x730 - [] __lock_acquire+0x2f7/0x500 - [] lock_acquire+0x114/0x150 - [] rt_spin_lock+0x4a/0x60 - [] igmp6_group_added+0x3b/0x120 - [] ipv6_mc_up+0x38/0x60 - [] ipv6_find_idev+0x3d/0x80 - [] addrconf_notify+0x3d5/0x4b0 - [] notifier_call_chain+0x3f/0x80 - [] raw_notifier_call_chain+0x11/0x20 - [] call_netdevice_notifiers+0x32/0x60 - [] __dev_notify_flags+0x34/0x80 - [] dev_change_flags+0x40/0x70 - [] do_setlink+0x237/0x8a0 - [] rtnl_newlink+0x3ec/0x600 - [] rtnetlink_rcv_msg+0x160/0x310 - [] netlink_rcv_skb+0x89/0xb0 - [] rtnetlink_rcv+0x27/0x40 - [] netlink_unicast+0x140/0x180 - [] netlink_sendmsg+0x33e/0x380 - [] sock_sendmsg+0x112/0x130 - [] __sys_sendmsg+0x44e/0x460 - [] sys_sendmsg+0x44/0x70 - [] system_call_fastpath+0x16/0x1b - - -> #0 (&ndev->lock){+.+...}: - [] check_prev_add+0x3de/0x440 - [] validate_chain+0x637/0x730 - [] __lock_acquire+0x2f7/0x500 - [] lock_acquire+0x114/0x150 - [] rt_read_lock+0x42/0x60 - [] ipv6_get_lladdr+0x74/0x120 - [] mld_newpack+0xb6/0x160 - [] add_grhead+0xab/0xc0 - [] add_grec+0x3ab/0x460 - [] mld_send_report+0x5a/0x150 - [] igmp6_timer_handler+0x4e/0xb0 - [] call_timer_fn+0xca/0x1d0 - [] run_timer_softirq+0x1df/0x2e0 - [] handle_pending_softirqs+0xf7/0x1f0 - [] __do_softirq_common+0x7b/0xf0 - [] __thread_do_softirq+0x1af/0x210 - [] run_ksoftirqd+0xe1/0x1f0 - [] kthread+0xae/0xc0 - [] kernel_thread_helper+0x4/0x10 - -actually we can just hold idev->lock before taking pmc->mca_lock, -and avoid taking idev->lock again when iterating idev->addr_list, -since the upper callers of mld_newpack() already take -read_lock_bh(&idev->lock). - -Reported-by: dingtianhong -Cc: dingtianhong -Cc: Hideaki YOSHIFUJI -Cc: David S. Miller -Cc: Hannes Frederic Sowa -Tested-by: Ding Tianhong -Tested-by: Chen Weilong -Signed-off-by: Cong Wang -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/addrconf.h | 3 +++ - net/ipv6/addrconf.c | 28 ++++++++++++++++++---------- - net/ipv6/mcast.c | 18 ++++++++++-------- - 3 files changed, 31 insertions(+), 18 deletions(-) - -diff --git a/include/net/addrconf.h b/include/net/addrconf.h -index 21f70270..01b1a1a 100644 ---- a/include/net/addrconf.h -+++ b/include/net/addrconf.h -@@ -86,6 +86,9 @@ extern int ipv6_dev_get_saddr(struct net *net, - const struct in6_addr *daddr, - unsigned int srcprefs, - struct in6_addr *saddr); -+extern int __ipv6_get_lladdr(struct inet6_dev *idev, -+ struct in6_addr *addr, -+ unsigned char banned_flags); - extern int ipv6_get_lladdr(struct net_device *dev, - struct in6_addr *addr, - unsigned char banned_flags); -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index 4ab4c38..fb8c94c 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -1448,6 +1448,23 @@ try_nextdev: - } - EXPORT_SYMBOL(ipv6_dev_get_saddr); - -+int __ipv6_get_lladdr(struct inet6_dev *idev, struct in6_addr *addr, -+ unsigned char banned_flags) -+{ -+ struct inet6_ifaddr *ifp; -+ int err = -EADDRNOTAVAIL; -+ -+ list_for_each_entry(ifp, &idev->addr_list, if_list) { -+ if (ifp->scope == IFA_LINK && -+ !(ifp->flags & banned_flags)) { -+ *addr = ifp->addr; -+ err = 0; -+ break; -+ } -+ } -+ return err; -+} -+ - int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, - unsigned char banned_flags) - { -@@ -1457,17 +1474,8 @@ int ipv6_get_lladdr(struct net_device *dev, struct in6_addr *addr, - rcu_read_lock(); - idev = __in6_dev_get(dev); - if (idev) { -- struct inet6_ifaddr *ifp; -- - read_lock_bh(&idev->lock); -- list_for_each_entry(ifp, &idev->addr_list, if_list) { -- if (ifp->scope == IFA_LINK && -- !(ifp->flags & banned_flags)) { -- *addr = ifp->addr; -- err = 0; -- break; -- } -- } -+ err = __ipv6_get_lladdr(idev, addr, banned_flags); - read_unlock_bh(&idev->lock); - } - rcu_read_unlock(); -diff --git a/net/ipv6/mcast.c b/net/ipv6/mcast.c -index bfa6cc3..c3998c2 100644 ---- a/net/ipv6/mcast.c -+++ b/net/ipv6/mcast.c -@@ -1343,8 +1343,9 @@ static void ip6_mc_hdr(struct sock *sk, struct sk_buff *skb, - hdr->daddr = *daddr; - } - --static struct sk_buff *mld_newpack(struct net_device *dev, int size) -+static struct sk_buff *mld_newpack(struct inet6_dev *idev, int size) - { -+ struct net_device *dev = idev->dev; - struct net *net = dev_net(dev); - struct sock *sk = net->ipv6.igmp_sk; - struct sk_buff *skb; -@@ -1369,7 +1370,7 @@ static struct sk_buff *mld_newpack(struct net_device *dev, int size) - - skb_reserve(skb, hlen); - -- if (ipv6_get_lladdr(dev, &addr_buf, IFA_F_TENTATIVE)) { -+ if (__ipv6_get_lladdr(idev, &addr_buf, IFA_F_TENTATIVE)) { - /* : - * use unspecified address as the source address - * when a valid link-local address is not available. -@@ -1465,7 +1466,7 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, - struct mld2_grec *pgr; - - if (!skb) -- skb = mld_newpack(dev, dev->mtu); -+ skb = mld_newpack(pmc->idev, dev->mtu); - if (!skb) - return NULL; - pgr = (struct mld2_grec *)skb_put(skb, sizeof(struct mld2_grec)); -@@ -1485,7 +1486,8 @@ static struct sk_buff *add_grhead(struct sk_buff *skb, struct ifmcaddr6 *pmc, - static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, - int type, int gdeleted, int sdeleted) - { -- struct net_device *dev = pmc->idev->dev; -+ struct inet6_dev *idev = pmc->idev; -+ struct net_device *dev = idev->dev; - struct mld2_report *pmr; - struct mld2_grec *pgr = NULL; - struct ip6_sf_list *psf, *psf_next, *psf_prev, **psf_list; -@@ -1514,7 +1516,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, - AVAILABLE(skb) < grec_size(pmc, type, gdeleted, sdeleted)) { - if (skb) - mld_sendpack(skb); -- skb = mld_newpack(dev, dev->mtu); -+ skb = mld_newpack(idev, dev->mtu); - } - } - first = 1; -@@ -1541,7 +1543,7 @@ static struct sk_buff *add_grec(struct sk_buff *skb, struct ifmcaddr6 *pmc, - pgr->grec_nsrcs = htons(scount); - if (skb) - mld_sendpack(skb); -- skb = mld_newpack(dev, dev->mtu); -+ skb = mld_newpack(idev, dev->mtu); - first = 1; - scount = 0; - } -@@ -1596,8 +1598,8 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) - struct sk_buff *skb = NULL; - int type; - -+ read_lock_bh(&idev->lock); - if (!pmc) { -- read_lock_bh(&idev->lock); - for (pmc=idev->mc_list; pmc; pmc=pmc->next) { - if (pmc->mca_flags & MAF_NOREPORT) - continue; -@@ -1609,7 +1611,6 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) - skb = add_grec(skb, pmc, type, 0, 0); - spin_unlock_bh(&pmc->mca_lock); - } -- read_unlock_bh(&idev->lock); - } else { - spin_lock_bh(&pmc->mca_lock); - if (pmc->mca_sfcount[MCAST_EXCLUDE]) -@@ -1619,6 +1620,7 @@ static void mld_send_report(struct inet6_dev *idev, struct ifmcaddr6 *pmc) - skb = add_grec(skb, pmc, type, 0, 0); - spin_unlock_bh(&pmc->mca_lock); - } -+ read_unlock_bh(&idev->lock); - if (skb) - mld_sendpack(skb); - } --- -1.7.11.7 - - -From e85dcba98ae899b9e6d26625a86750eb92c9fadc Mon Sep 17 00:00:00 2001 -From: Pravin B Shelar -Date: Tue, 2 Jul 2013 10:57:33 -0700 -Subject: [PATCH 08/40] ip_tunnels: Use skb-len to PMTU check. - -[ Upstream commit 23a3647bc4f93bac3776c66dc2c7f7f68b3cd662 ] - -In path mtu check, ip header total length works for gre device -but not for gre-tap device. Use skb len which is consistent -for all tunneling types. This is old bug in gre. -This also fixes mtu calculation bug introduced by -commit c54419321455631079c7d (GRE: Refactor GRE tunneling code). - -Reported-by: Timo Teras -Signed-off-by: Pravin B Shelar -Signed-off-by: David S. Miller ---- - net/ipv4/ip_tunnel.c | 97 +++++++++++++++++++++++++++++----------------------- - 1 file changed, 54 insertions(+), 43 deletions(-) - -diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c -index 7fa8f08..d05bd02 100644 ---- a/net/ipv4/ip_tunnel.c -+++ b/net/ipv4/ip_tunnel.c -@@ -486,6 +486,53 @@ drop: - } - EXPORT_SYMBOL_GPL(ip_tunnel_rcv); - -+static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb, -+ struct rtable *rt, __be16 df) -+{ -+ struct ip_tunnel *tunnel = netdev_priv(dev); -+ int pkt_size = skb->len - tunnel->hlen; -+ int mtu; -+ -+ if (df) -+ mtu = dst_mtu(&rt->dst) - dev->hard_header_len -+ - sizeof(struct iphdr) - tunnel->hlen; -+ else -+ mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; -+ -+ if (skb_dst(skb)) -+ skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); -+ -+ if (skb->protocol == htons(ETH_P_IP)) { -+ if (!skb_is_gso(skb) && -+ (df & htons(IP_DF)) && mtu < pkt_size) { -+ icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); -+ return -E2BIG; -+ } -+ } -+#if IS_ENABLED(CONFIG_IPV6) -+ else if (skb->protocol == htons(ETH_P_IPV6)) { -+ struct rt6_info *rt6 = (struct rt6_info *)skb_dst(skb); -+ -+ if (rt6 && mtu < dst_mtu(skb_dst(skb)) && -+ mtu >= IPV6_MIN_MTU) { -+ if ((tunnel->parms.iph.daddr && -+ !ipv4_is_multicast(tunnel->parms.iph.daddr)) || -+ rt6->rt6i_dst.plen == 128) { -+ rt6->rt6i_flags |= RTF_MODIFIED; -+ dst_metric_set(skb_dst(skb), RTAX_MTU, mtu); -+ } -+ } -+ -+ if (!skb_is_gso(skb) && mtu >= IPV6_MIN_MTU && -+ mtu < pkt_size) { -+ icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); -+ return -E2BIG; -+ } -+ } -+#endif -+ return 0; -+} -+ - void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, - const struct iphdr *tnl_params) - { -@@ -499,7 +546,6 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, - struct net_device *tdev; /* Device to other host */ - unsigned int max_headroom; /* The extra header space needed */ - __be32 dst; -- int mtu; - - inner_iph = (const struct iphdr *)skb_inner_network_header(skb); - -@@ -579,50 +625,11 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, - goto tx_error; - } - -- df = tnl_params->frag_off; - -- if (df) -- mtu = dst_mtu(&rt->dst) - dev->hard_header_len -- - sizeof(struct iphdr); -- else -- mtu = skb_dst(skb) ? dst_mtu(skb_dst(skb)) : dev->mtu; -- -- if (skb_dst(skb)) -- skb_dst(skb)->ops->update_pmtu(skb_dst(skb), NULL, skb, mtu); -- -- if (skb->protocol == htons(ETH_P_IP)) { -- df |= (inner_iph->frag_off&htons(IP_DF)); -- -- if (!skb_is_gso(skb) && -- (inner_iph->frag_off&htons(IP_DF)) && -- mtu < ntohs(inner_iph->tot_len)) { -- icmp_send(skb, ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, htonl(mtu)); -- ip_rt_put(rt); -- goto tx_error; -- } -- } --#if IS_ENABLED(CONFIG_IPV6) -- else if (skb->protocol == htons(ETH_P_IPV6)) { -- struct rt6_info *rt6 = (struct rt6_info *)skb_dst(skb); -- -- if (rt6 && mtu < dst_mtu(skb_dst(skb)) && -- mtu >= IPV6_MIN_MTU) { -- if ((tunnel->parms.iph.daddr && -- !ipv4_is_multicast(tunnel->parms.iph.daddr)) || -- rt6->rt6i_dst.plen == 128) { -- rt6->rt6i_flags |= RTF_MODIFIED; -- dst_metric_set(skb_dst(skb), RTAX_MTU, mtu); -- } -- } -- -- if (!skb_is_gso(skb) && mtu >= IPV6_MIN_MTU && -- mtu < skb->len) { -- icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); -- ip_rt_put(rt); -- goto tx_error; -- } -+ if (tnl_update_pmtu(dev, skb, rt, tnl_params->frag_off)) { -+ ip_rt_put(rt); -+ goto tx_error; - } --#endif - - if (tunnel->err_count > 0) { - if (time_before(jiffies, -@@ -646,6 +653,10 @@ void ip_tunnel_xmit(struct sk_buff *skb, struct net_device *dev, - ttl = ip4_dst_hoplimit(&rt->dst); - } - -+ df = tnl_params->frag_off; -+ if (skb->protocol == htons(ETH_P_IP)) -+ df |= (inner_iph->frag_off&htons(IP_DF)); -+ - max_headroom = LL_RESERVED_SPACE(tdev) + sizeof(struct iphdr) - + rt->dst.header_len; - if (max_headroom > dev->needed_headroom) { --- -1.7.11.7 - - -From c6ad7374aa71d0201f266963d9b5e2cf254ad22b Mon Sep 17 00:00:00 2001 -From: Wei Yongjun -Date: Tue, 2 Jul 2013 09:02:07 +0800 -Subject: [PATCH 09/40] l2tp: add missing .owner to struct pppox_proto - -[ Upstream commit e1558a93b61962710733dc8c11a2bc765607f1cd ] - -Add missing .owner of struct pppox_proto. This prevents the -module from being removed from underneath its users. - -Signed-off-by: Wei Yongjun -Signed-off-by: David S. Miller ---- - net/l2tp/l2tp_ppp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 8dec687..5ebee2d 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -1793,7 +1793,8 @@ static const struct proto_ops pppol2tp_ops = { - - static const struct pppox_proto pppol2tp_proto = { - .create = pppol2tp_create, -- .ioctl = pppol2tp_ioctl -+ .ioctl = pppol2tp_ioctl, -+ .owner = THIS_MODULE, - }; - - #ifdef CONFIG_L2TP_V3 --- -1.7.11.7 - - -From 675b9402488074d7081811cb67055fb1e1f515b3 Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Tue, 2 Jul 2013 14:49:34 +0800 -Subject: [PATCH 10/40] ipip: fix a regression in ioctl - -[ Upstream commit 3b7b514f44bff05d26a6499c4d4fac2a83938e6e ] - -This is a regression introduced by -commit fd58156e456d9f68fe0448 (IPIP: Use ip-tunneling code.) - -Similar to GRE tunnel, previously we only check the parameters -for SIOCADDTUNNEL and SIOCCHGTUNNEL, after that commit, the -check is moved for all commands. - -So, just check for SIOCADDTUNNEL and SIOCCHGTUNNEL. - -Also, the check for i_key, o_key etc. is suspicious too, -which did not exist before, reset them before passing -to ip_tunnel_ioctl(). - -Cc: Pravin B Shelar -Cc: "David S. Miller" -Signed-off-by: Cong Wang -Signed-off-by: David S. Miller ---- - net/ipv4/ipip.c | 12 +++++++----- - 1 file changed, 7 insertions(+), 5 deletions(-) - -diff --git a/net/ipv4/ipip.c b/net/ipv4/ipip.c -index 77bfcce..7cfc456 100644 ---- a/net/ipv4/ipip.c -+++ b/net/ipv4/ipip.c -@@ -240,11 +240,13 @@ ipip_tunnel_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) - if (copy_from_user(&p, ifr->ifr_ifru.ifru_data, sizeof(p))) - return -EFAULT; - -- if (p.iph.version != 4 || p.iph.protocol != IPPROTO_IPIP || -- p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF))) -- return -EINVAL; -- if (p.i_key || p.o_key || p.i_flags || p.o_flags) -- return -EINVAL; -+ if (cmd == SIOCADDTUNNEL || cmd == SIOCCHGTUNNEL) { -+ if (p.iph.version != 4 || p.iph.protocol != IPPROTO_IPIP || -+ p.iph.ihl != 5 || (p.iph.frag_off&htons(~IP_DF))) -+ return -EINVAL; -+ } -+ -+ p.i_key = p.o_key = p.i_flags = p.o_flags = 0; - if (p.iph.ttl) - p.iph.frag_off |= htons(IP_DF); - --- -1.7.11.7 - - -From 0e3f585c132e7716b8b96c20c59b15a24ec2790e Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Mon, 1 Jul 2013 20:21:30 +0200 -Subject: [PATCH 11/40] ipv6: call udp_push_pending_frames when uncorking a - socket with AF_INET pending data - -[ Upstream commit 8822b64a0fa64a5dd1dfcf837c5b0be83f8c05d1 ] - -We accidentally call down to ip6_push_pending_frames when uncorking -pending AF_INET data on a ipv6 socket. This results in the following -splat (from Dave Jones): - -skbuff: skb_under_panic: text:ffffffff816765f6 len:48 put:40 head:ffff88013deb6df0 data:ffff88013deb6dec tail:0x2c end:0xc0 dev: -------------[ cut here ]------------ -kernel BUG at net/core/skbuff.c:126! -invalid opcode: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC -Modules linked in: dccp_ipv4 dccp 8021q garp bridge stp dlci mpoa snd_seq_dummy sctp fuse hidp tun bnep nfnetlink scsi_transport_iscsi rfcomm can_raw can_bcm af_802154 appletalk caif_socket can caif ipt_ULOG x25 rose af_key pppoe pppox ipx phonet irda llc2 ppp_generic slhc p8023 psnap p8022 llc crc_ccitt atm bluetooth -+netrom ax25 nfc rfkill rds af_rxrpc coretemp hwmon kvm_intel kvm crc32c_intel snd_hda_codec_realtek ghash_clmulni_intel microcode pcspkr snd_hda_codec_hdmi snd_hda_intel snd_hda_codec snd_hwdep usb_debug snd_seq snd_seq_device snd_pcm e1000e snd_page_alloc snd_timer ptp snd pps_core soundcore xfs libcrc32c -CPU: 2 PID: 8095 Comm: trinity-child2 Not tainted 3.10.0-rc7+ #37 -task: ffff8801f52c2520 ti: ffff8801e6430000 task.ti: ffff8801e6430000 -RIP: 0010:[] [] skb_panic+0x63/0x65 -RSP: 0018:ffff8801e6431de8 EFLAGS: 00010282 -RAX: 0000000000000086 RBX: ffff8802353d3cc0 RCX: 0000000000000006 -RDX: 0000000000003b90 RSI: ffff8801f52c2ca0 RDI: ffff8801f52c2520 -RBP: ffff8801e6431e08 R08: 0000000000000000 R09: 0000000000000000 -R10: 0000000000000001 R11: 0000000000000001 R12: ffff88022ea0c800 -R13: ffff88022ea0cdf8 R14: ffff8802353ecb40 R15: ffffffff81cc7800 -FS: 00007f5720a10740(0000) GS:ffff880244c00000(0000) knlGS:0000000000000000 -CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -CR2: 0000000005862000 CR3: 000000022843c000 CR4: 00000000001407e0 -DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000600 -Stack: - ffff88013deb6dec 000000000000002c 00000000000000c0 ffffffff81a3f6e4 - ffff8801e6431e18 ffffffff8159a9aa ffff8801e6431e90 ffffffff816765f6 - ffffffff810b756b 0000000700000002 ffff8801e6431e40 0000fea9292aa8c0 -Call Trace: - [] skb_push+0x3a/0x40 - [] ip6_push_pending_frames+0x1f6/0x4d0 - [] ? mark_held_locks+0xbb/0x140 - [] udp_v6_push_pending_frames+0x2b9/0x3d0 - [] ? udplite_getfrag+0x20/0x20 - [] udp_lib_setsockopt+0x1aa/0x1f0 - [] ? fget_light+0x387/0x4f0 - [] udpv6_setsockopt+0x34/0x40 - [] sock_common_setsockopt+0x14/0x20 - [] SyS_setsockopt+0x71/0xd0 - [] tracesys+0xdd/0xe2 -Code: 00 00 48 89 44 24 10 8b 87 d8 00 00 00 48 89 44 24 08 48 8b 87 e8 00 00 00 48 c7 c7 c0 04 aa 81 48 89 04 24 31 c0 e8 e1 7e ff ff <0f> 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 48 89 e5 0f 0b 55 -RIP [] skb_panic+0x63/0x65 - RSP - -This patch adds a check if the pending data is of address family AF_INET -and directly calls udp_push_ending_frames from udp_v6_push_pending_frames -if that is the case. - -This bug was found by Dave Jones with trinity. - -(Also move the initialization of fl6 below the AF_INET check, even if -not strictly necessary.) - -Cc: Dave Jones -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/udp.h | 1 + - net/ipv4/udp.c | 3 ++- - net/ipv6/udp.c | 7 ++++++- - 3 files changed, 9 insertions(+), 2 deletions(-) - -diff --git a/include/net/udp.h b/include/net/udp.h -index 065f379..ad99eed 100644 ---- a/include/net/udp.h -+++ b/include/net/udp.h -@@ -181,6 +181,7 @@ extern int udp_get_port(struct sock *sk, unsigned short snum, - extern void udp_err(struct sk_buff *, u32); - extern int udp_sendmsg(struct kiocb *iocb, struct sock *sk, - struct msghdr *msg, size_t len); -+extern int udp_push_pending_frames(struct sock *sk); - extern void udp_flush_pending_frames(struct sock *sk); - extern int udp_rcv(struct sk_buff *skb); - extern int udp_ioctl(struct sock *sk, int cmd, unsigned long arg); -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 0bf5d39..93b731d 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -799,7 +799,7 @@ send: - /* - * Push out all pending data as one UDP datagram. Socket is locked. - */ --static int udp_push_pending_frames(struct sock *sk) -+int udp_push_pending_frames(struct sock *sk) - { - struct udp_sock *up = udp_sk(sk); - struct inet_sock *inet = inet_sk(sk); -@@ -818,6 +818,7 @@ out: - up->pending = 0; - return err; - } -+EXPORT_SYMBOL(udp_push_pending_frames); - - int udp_sendmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - size_t len) -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index 42923b1..e7b28f9 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -955,11 +955,16 @@ static int udp_v6_push_pending_frames(struct sock *sk) - struct udphdr *uh; - struct udp_sock *up = udp_sk(sk); - struct inet_sock *inet = inet_sk(sk); -- struct flowi6 *fl6 = &inet->cork.fl.u.ip6; -+ struct flowi6 *fl6; - int err = 0; - int is_udplite = IS_UDPLITE(sk); - __wsum csum = 0; - -+ if (up->pending == AF_INET) -+ return udp_push_pending_frames(sk); -+ -+ fl6 = &inet->cork.fl.u.ip6; -+ - /* Grab the skbuff where UDP header space exists. */ - if ((skb = skb_peek(&sk->sk_write_queue)) == NULL) - goto out; --- -1.7.11.7 - - -From 1fcbda94eb3ababc95eff46548962ceb14de638e Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Tue, 2 Jul 2013 08:04:05 +0200 -Subject: [PATCH 12/40] ipv6: ip6_append_data_mtu did not care about pmtudisc - and frag_size - -[ Upstream commit 75a493e60ac4bbe2e977e7129d6d8cbb0dd236be ] - -If the socket had an IPV6_MTU value set, ip6_append_data_mtu lost track -of this when appending the second frame on a corked socket. This results -in the following splat: - -[37598.993962] ------------[ cut here ]------------ -[37598.994008] kernel BUG at net/core/skbuff.c:2064! -[37598.994008] invalid opcode: 0000 [#1] SMP -[37598.994008] Modules linked in: tcp_lp uvcvideo videobuf2_vmalloc videobuf2_memops videobuf2_core videodev media vfat fat usb_storage fuse ebtable_nat xt_CHECKSUM bridge stp llc ipt_MASQUERADE nf_conntrack_netbios_ns nf_conntrack_broadcast ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat -+nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables be2iscsi iscsi_boot_sysfs bnx2i cnic uio cxgb4i cxgb4 cxgb3i cxgb3 mdio libcxgbi ib_iser rdma_cm ib_addr iw_cm ib_cm ib_sa ib_mad ib_core iscsi_tcp libiscsi_tcp libiscsi -+scsi_transport_iscsi rfcomm bnep iTCO_wdt iTCO_vendor_support snd_hda_codec_conexant arc4 iwldvm mac80211 snd_hda_intel acpi_cpufreq mperf coretemp snd_hda_codec microcode cdc_wdm cdc_acm -[37598.994008] snd_hwdep cdc_ether snd_seq snd_seq_device usbnet mii joydev btusb snd_pcm bluetooth i2c_i801 e1000e lpc_ich mfd_core ptp iwlwifi pps_core snd_page_alloc mei cfg80211 snd_timer thinkpad_acpi snd tpm_tis soundcore rfkill tpm tpm_bios vhost_net tun macvtap macvlan kvm_intel kvm uinput binfmt_misc -+dm_crypt i915 i2c_algo_bit drm_kms_helper drm i2c_core wmi video -[37598.994008] CPU 0 -[37598.994008] Pid: 27320, comm: t2 Not tainted 3.9.6-200.fc18.x86_64 #1 LENOVO 27744PG/27744PG -[37598.994008] RIP: 0010:[] [] skb_copy_and_csum_bits+0x325/0x330 -[37598.994008] RSP: 0018:ffff88003670da18 EFLAGS: 00010202 -[37598.994008] RAX: ffff88018105c018 RBX: 0000000000000004 RCX: 00000000000006c0 -[37598.994008] RDX: ffff88018105a6c0 RSI: ffff88018105a000 RDI: ffff8801e1b0aa00 -[37598.994008] RBP: ffff88003670da78 R08: 0000000000000000 R09: ffff88018105c040 -[37598.994008] R10: ffff8801e1b0aa00 R11: 0000000000000000 R12: 000000000000fff8 -[37598.994008] R13: 00000000000004fc R14: 00000000ffff0504 R15: 0000000000000000 -[37598.994008] FS: 00007f28eea59740(0000) GS:ffff88023bc00000(0000) knlGS:0000000000000000 -[37598.994008] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b -[37598.994008] CR2: 0000003d935789e0 CR3: 00000000365cb000 CR4: 00000000000407f0 -[37598.994008] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[37598.994008] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -[37598.994008] Process t2 (pid: 27320, threadinfo ffff88003670c000, task ffff88022c162ee0) -[37598.994008] Stack: -[37598.994008] ffff88022e098a00 ffff88020f973fc0 0000000000000008 00000000000004c8 -[37598.994008] ffff88020f973fc0 00000000000004c4 ffff88003670da78 ffff8801e1b0a200 -[37598.994008] 0000000000000018 00000000000004c8 ffff88020f973fc0 00000000000004c4 -[37598.994008] Call Trace: -[37598.994008] [] ip6_append_data+0xccf/0xfe0 -[37598.994008] [] ? ip_copy_metadata+0x1a0/0x1a0 -[37598.994008] [] ? _raw_spin_lock_bh+0x16/0x40 -[37598.994008] [] udpv6_sendmsg+0x1ed/0xc10 -[37598.994008] [] ? sock_has_perm+0x75/0x90 -[37598.994008] [] inet_sendmsg+0x63/0xb0 -[37598.994008] [] ? selinux_socket_sendmsg+0x23/0x30 -[37598.994008] [] sock_sendmsg+0xb0/0xe0 -[37598.994008] [] ? __switch_to+0x181/0x4a0 -[37598.994008] [] sys_sendto+0x12d/0x180 -[37598.994008] [] ? __audit_syscall_entry+0x94/0xf0 -[37598.994008] [] ? syscall_trace_enter+0x231/0x240 -[37598.994008] [] tracesys+0xdd/0xe2 -[37598.994008] Code: fe 07 00 00 48 c7 c7 04 28 a6 81 89 45 a0 4c 89 4d b8 44 89 5d a8 e8 1b ac b1 ff 44 8b 5d a8 4c 8b 4d b8 8b 45 a0 e9 cf fe ff ff <0f> 0b 66 0f 1f 84 00 00 00 00 00 66 66 66 66 90 55 48 89 e5 48 -[37598.994008] RIP [] skb_copy_and_csum_bits+0x325/0x330 -[37598.994008] RSP -[37599.007323] ---[ end trace d69f6a17f8ac8eee ]--- - -While there, also check if path mtu discovery is activated for this -socket. The logic was adapted from ip6_append_data when first writing -on the corked socket. - -This bug was introduced with commit -0c1833797a5a6ec23ea9261d979aa18078720b74 ("ipv6: fix incorrect ipsec -fragment"). - -v2: -a) Replace IPV6_PMTU_DISC_DO with IPV6_PMTUDISC_PROBE. -b) Don't pass ipv6_pinfo to ip6_append_data_mtu (suggestion by Gao - feng, thanks!). -c) Change mtu to unsigned int, else we get a warning about - non-matching types because of the min()-macro type-check. - -Acked-by: Gao feng -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_output.c | 16 ++++++++++------ - 1 file changed, 10 insertions(+), 6 deletions(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index d5d20cd..6e3ddf8 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1098,11 +1098,12 @@ static inline struct ipv6_rt_hdr *ip6_rthdr_dup(struct ipv6_rt_hdr *src, - return src ? kmemdup(src, (src->hdrlen + 1) * 8, gfp) : NULL; - } - --static void ip6_append_data_mtu(int *mtu, -+static void ip6_append_data_mtu(unsigned int *mtu, - int *maxfraglen, - unsigned int fragheaderlen, - struct sk_buff *skb, -- struct rt6_info *rt) -+ struct rt6_info *rt, -+ bool pmtuprobe) - { - if (!(rt->dst.flags & DST_XFRM_TUNNEL)) { - if (skb == NULL) { -@@ -1114,7 +1115,9 @@ static void ip6_append_data_mtu(int *mtu, - * this fragment is not first, the headers - * space is regarded as data space. - */ -- *mtu = dst_mtu(rt->dst.path); -+ *mtu = min(*mtu, pmtuprobe ? -+ rt->dst.dev->mtu : -+ dst_mtu(rt->dst.path)); - } - *maxfraglen = ((*mtu - fragheaderlen) & ~7) - + fragheaderlen - sizeof(struct frag_hdr); -@@ -1131,11 +1134,10 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - struct ipv6_pinfo *np = inet6_sk(sk); - struct inet_cork *cork; - struct sk_buff *skb, *skb_prev = NULL; -- unsigned int maxfraglen, fragheaderlen; -+ unsigned int maxfraglen, fragheaderlen, mtu; - int exthdrlen; - int dst_exthdrlen; - int hh_len; -- int mtu; - int copy; - int err; - int offset = 0; -@@ -1292,7 +1294,9 @@ alloc_new_skb: - /* update mtu and maxfraglen if necessary */ - if (skb == NULL || skb_prev == NULL) - ip6_append_data_mtu(&mtu, &maxfraglen, -- fragheaderlen, skb, rt); -+ fragheaderlen, skb, rt, -+ np->pmtudisc == -+ IPV6_PMTUDISC_PROBE); - - skb_prev = skb; - --- -1.7.11.7 - - -From bd10a3abbed1d5542a0930dcdfc121973276275e Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Wed, 3 Jul 2013 20:45:04 +0200 -Subject: [PATCH 13/40] ipv6: rt6_check_neigh should successfully verify neigh - if no NUD information are available - -[ Upstream commit 3630d40067a21d4dfbadc6002bb469ce26ac5d52 ] - -After the removal of rt->n we do not create a neighbour entry at route -insertion time (rt6_bind_neighbour is gone). As long as no neighbour is -created because of "useful traffic" we skip this routing entry because -rt6_check_neigh cannot pick up a valid neighbour (neigh == NULL) and -thus returns false. - -This change was introduced by commit -887c95cc1da53f66a5890fdeab13414613010097 ("ipv6: Complete neighbour -entry removal from dst_entry.") - -To quote RFC4191: -"If the host has no information about the router's reachability, then -the host assumes the router is reachable." - -and also: -"A host MUST NOT probe a router's reachability in the absence of useful -traffic that the host would have sent to the router if it were reachable." - -So, just assume the router is reachable and let's rt6_probe do the -rest. We don't need to create a neighbour on route insertion time. - -If we don't compile with CONFIG_IPV6_ROUTER_PREF (RFC4191 support) -a neighbour is only valid if its nud_state is NUD_VALID. I did not find -any references that we should probe the router on route insertion time -via the other RFCs. So skip this route in that case. - -v2: -a) use IS_ENABLED instead of #ifdefs (thanks to Sergei Shtylyov) - -Reported-by: Pierre Emeriaud -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/route.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index ad0aa6b..7f1332f 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -547,6 +547,8 @@ static inline bool rt6_check_neigh(struct rt6_info *rt) - ret = true; - #endif - read_unlock(&neigh->lock); -+ } else if (IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { -+ ret = true; - } - rcu_read_unlock_bh(); - --- -1.7.11.7 - - -From 8db99edc36ca323408ba5c5bcb8952b01be50225 Mon Sep 17 00:00:00 2001 -From: Ben Hutchings -Date: Thu, 4 Jul 2013 23:48:46 +0100 -Subject: [PATCH 14/40] sfc: Fix memory leak when discarding scattered packets - -[ Upstream commit 734d4e159b283a4ae4d007b7e7a91d84398ccb92 ] - -Commit 2768935a4660 ('sfc: reuse pages to avoid DMA mapping/unmapping -costs') did not fully take account of DMA scattering which was -introduced immediately before. If a received packet is invalid and -must be discarded, we only drop a reference to the first buffer's -page, but we need to drop a reference for each buffer the packet -used. - -I think this bug was missed partly because efx_recycle_rx_buffers() -was not renamed and so no longer does what its name says. It does not -change the state of buffers, but only prepares the underlying pages -for recycling. Rename it accordingly. - -Signed-off-by: Ben Hutchings -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/sfc/rx.c | 27 ++++++++++++++++++++------- - 1 file changed, 20 insertions(+), 7 deletions(-) - -diff --git a/drivers/net/ethernet/sfc/rx.c b/drivers/net/ethernet/sfc/rx.c -index a7dfe36..5173eaa 100644 ---- a/drivers/net/ethernet/sfc/rx.c -+++ b/drivers/net/ethernet/sfc/rx.c -@@ -282,9 +282,9 @@ static void efx_fini_rx_buffer(struct efx_rx_queue *rx_queue, - } - - /* Recycle the pages that are used by buffers that have just been received. */ --static void efx_recycle_rx_buffers(struct efx_channel *channel, -- struct efx_rx_buffer *rx_buf, -- unsigned int n_frags) -+static void efx_recycle_rx_pages(struct efx_channel *channel, -+ struct efx_rx_buffer *rx_buf, -+ unsigned int n_frags) - { - struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel); - -@@ -294,6 +294,20 @@ static void efx_recycle_rx_buffers(struct efx_channel *channel, - } while (--n_frags); - } - -+static void efx_discard_rx_packet(struct efx_channel *channel, -+ struct efx_rx_buffer *rx_buf, -+ unsigned int n_frags) -+{ -+ struct efx_rx_queue *rx_queue = efx_channel_get_rx_queue(channel); -+ -+ efx_recycle_rx_pages(channel, rx_buf, n_frags); -+ -+ do { -+ efx_free_rx_buffer(rx_buf); -+ rx_buf = efx_rx_buf_next(rx_queue, rx_buf); -+ } while (--n_frags); -+} -+ - /** - * efx_fast_push_rx_descriptors - push new RX descriptors quickly - * @rx_queue: RX descriptor queue -@@ -533,8 +547,7 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index, - */ - if (unlikely(rx_buf->flags & EFX_RX_PKT_DISCARD)) { - efx_rx_flush_packet(channel); -- put_page(rx_buf->page); -- efx_recycle_rx_buffers(channel, rx_buf, n_frags); -+ efx_discard_rx_packet(channel, rx_buf, n_frags); - return; - } - -@@ -570,9 +583,9 @@ void efx_rx_packet(struct efx_rx_queue *rx_queue, unsigned int index, - efx_sync_rx_buffer(efx, rx_buf, rx_buf->len); - } - -- /* All fragments have been DMA-synced, so recycle buffers and pages. */ -+ /* All fragments have been DMA-synced, so recycle pages. */ - rx_buf = efx_rx_buffer(rx_queue, index); -- efx_recycle_rx_buffers(channel, rx_buf, n_frags); -+ efx_recycle_rx_pages(channel, rx_buf, n_frags); - - /* Pipeline receives so that we give time for packet headers to be - * prefetched into cache. --- -1.7.11.7 - - -From 35e568df646dc23bd2d00c8865c3118794d1835a Mon Sep 17 00:00:00 2001 -From: Jongsung Kim -Date: Tue, 9 Jul 2013 17:36:00 +0900 -Subject: [PATCH 15/40] net/cadence/macb: fix bug/typo in extracting - gem_irq_read_clear bit - -[ Upstream commit 01276ed2424eb78c95461545410923d5da154d31 ] - -Signed-off-by: Jongsung Kim -Acked-by: Nicolas Ferre -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/cadence/macb.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/cadence/macb.c b/drivers/net/ethernet/cadence/macb.c -index c89aa41..b4e0dc8 100644 ---- a/drivers/net/ethernet/cadence/macb.c -+++ b/drivers/net/ethernet/cadence/macb.c -@@ -1070,7 +1070,7 @@ static void macb_configure_dma(struct macb *bp) - static void macb_configure_caps(struct macb *bp) - { - if (macb_is_gem(bp)) { -- if (GEM_BF(IRQCOR, gem_readl(bp, DCFG1)) == 0) -+ if (GEM_BFEXT(IRQCOR, gem_readl(bp, DCFG1)) == 0) - bp->caps |= MACB_CAPS_ISR_CLEAR_ON_WRITE; - } - } --- -1.7.11.7 - - -From 3af0cf8b6b161daea120a84ad3d525a121670947 Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 9 Jul 2013 13:19:18 +0300 -Subject: [PATCH 16/40] virtio: support unlocked queue poll - -[ Upstream commit cc229884d3f77ec3b1240e467e0236c3e0647c0c ] - -This adds a way to check ring empty state after enable_cb outside any -locks. Will be used by virtio_net. - -Note: there's room for more optimization: caller is likely to have a -memory barrier already, which means we might be able to get rid of a -barrier here. Deferring this optimization until we do some -benchmarking. - -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/virtio/virtio_ring.c | 56 ++++++++++++++++++++++++++++++++++---------- - include/linux/virtio.h | 4 ++++ - 2 files changed, 48 insertions(+), 12 deletions(-) - -diff --git a/drivers/virtio/virtio_ring.c b/drivers/virtio/virtio_ring.c -index 5217baf..37d58f8 100644 ---- a/drivers/virtio/virtio_ring.c -+++ b/drivers/virtio/virtio_ring.c -@@ -607,19 +607,21 @@ void virtqueue_disable_cb(struct virtqueue *_vq) - EXPORT_SYMBOL_GPL(virtqueue_disable_cb); - - /** -- * virtqueue_enable_cb - restart callbacks after disable_cb. -+ * virtqueue_enable_cb_prepare - restart callbacks after disable_cb - * @vq: the struct virtqueue we're talking about. - * -- * This re-enables callbacks; it returns "false" if there are pending -- * buffers in the queue, to detect a possible race between the driver -- * checking for more work, and enabling callbacks. -+ * This re-enables callbacks; it returns current queue state -+ * in an opaque unsigned value. This value should be later tested by -+ * virtqueue_poll, to detect a possible race between the driver checking for -+ * more work, and enabling callbacks. - * - * Caller must ensure we don't call this with other virtqueue - * operations at the same time (except where noted). - */ --bool virtqueue_enable_cb(struct virtqueue *_vq) -+unsigned virtqueue_enable_cb_prepare(struct virtqueue *_vq) - { - struct vring_virtqueue *vq = to_vvq(_vq); -+ u16 last_used_idx; - - START_USE(vq); - -@@ -629,15 +631,45 @@ bool virtqueue_enable_cb(struct virtqueue *_vq) - * either clear the flags bit or point the event index at the next - * entry. Always do both to keep code simple. */ - vq->vring.avail->flags &= ~VRING_AVAIL_F_NO_INTERRUPT; -- vring_used_event(&vq->vring) = vq->last_used_idx; -+ vring_used_event(&vq->vring) = last_used_idx = vq->last_used_idx; -+ END_USE(vq); -+ return last_used_idx; -+} -+EXPORT_SYMBOL_GPL(virtqueue_enable_cb_prepare); -+ -+/** -+ * virtqueue_poll - query pending used buffers -+ * @vq: the struct virtqueue we're talking about. -+ * @last_used_idx: virtqueue state (from call to virtqueue_enable_cb_prepare). -+ * -+ * Returns "true" if there are pending used buffers in the queue. -+ * -+ * This does not need to be serialized. -+ */ -+bool virtqueue_poll(struct virtqueue *_vq, unsigned last_used_idx) -+{ -+ struct vring_virtqueue *vq = to_vvq(_vq); -+ - virtio_mb(vq->weak_barriers); -- if (unlikely(more_used(vq))) { -- END_USE(vq); -- return false; -- } -+ return (u16)last_used_idx != vq->vring.used->idx; -+} -+EXPORT_SYMBOL_GPL(virtqueue_poll); - -- END_USE(vq); -- return true; -+/** -+ * virtqueue_enable_cb - restart callbacks after disable_cb. -+ * @vq: the struct virtqueue we're talking about. -+ * -+ * This re-enables callbacks; it returns "false" if there are pending -+ * buffers in the queue, to detect a possible race between the driver -+ * checking for more work, and enabling callbacks. -+ * -+ * Caller must ensure we don't call this with other virtqueue -+ * operations at the same time (except where noted). -+ */ -+bool virtqueue_enable_cb(struct virtqueue *_vq) -+{ -+ unsigned last_used_idx = virtqueue_enable_cb_prepare(_vq); -+ return !virtqueue_poll(_vq, last_used_idx); - } - EXPORT_SYMBOL_GPL(virtqueue_enable_cb); - -diff --git a/include/linux/virtio.h b/include/linux/virtio.h -index 9ff8645..72398ee 100644 ---- a/include/linux/virtio.h -+++ b/include/linux/virtio.h -@@ -70,6 +70,10 @@ void virtqueue_disable_cb(struct virtqueue *vq); - - bool virtqueue_enable_cb(struct virtqueue *vq); - -+unsigned virtqueue_enable_cb_prepare(struct virtqueue *vq); -+ -+bool virtqueue_poll(struct virtqueue *vq, unsigned); -+ - bool virtqueue_enable_cb_delayed(struct virtqueue *vq); - - void *virtqueue_detach_unused_buf(struct virtqueue *vq); --- -1.7.11.7 - - -From e6a032bca44cd54a168939ee66be707c9b679bec Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 9 Jul 2013 08:13:04 +0300 -Subject: [PATCH 17/40] virtio_net: fix race in RX VQ processing - -[ Upstream commit cbdadbbf0c790f79350a8f36029208944c5487d0 ] - -virtio net called virtqueue_enable_cq on RX path after napi_complete, so -with NAPI_STATE_SCHED clear - outside the implicit napi lock. -This violates the requirement to synchronize virtqueue_enable_cq wrt -virtqueue_add_buf. In particular, used event can move backwards, -causing us to lose interrupts. -In a debug build, this can trigger panic within START_USE. - -Jason Wang reports that he can trigger the races artificially, -by adding udelay() in virtqueue_enable_cb() after virtio_mb(). - -However, we must call napi_complete to clear NAPI_STATE_SCHED before -polling the virtqueue for used buffers, otherwise napi_schedule_prep in -a callback will fail, causing us to lose RX events. - -To fix, call virtqueue_enable_cb_prepare with NAPI_STATE_SCHED -set (under napi lock), later call virtqueue_poll with -NAPI_STATE_SCHED clear (outside the lock). - -Reported-by: Jason Wang -Tested-by: Jason Wang -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/net/virtio_net.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index c9e0038..42d670a 100644 ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -602,7 +602,7 @@ static int virtnet_poll(struct napi_struct *napi, int budget) - container_of(napi, struct receive_queue, napi); - struct virtnet_info *vi = rq->vq->vdev->priv; - void *buf; -- unsigned int len, received = 0; -+ unsigned int r, len, received = 0; - - again: - while (received < budget && -@@ -619,8 +619,9 @@ again: - - /* Out of packets? */ - if (received < budget) { -+ r = virtqueue_enable_cb_prepare(rq->vq); - napi_complete(napi); -- if (unlikely(!virtqueue_enable_cb(rq->vq)) && -+ if (unlikely(virtqueue_poll(rq->vq, r)) && - napi_schedule_prep(napi)) { - virtqueue_disable_cb(rq->vq); - __napi_schedule(napi); --- -1.7.11.7 - - -From d0347c6cbf229fe352006a5463eb2d0cb2150afb Mon Sep 17 00:00:00 2001 -From: "Michael S. Tsirkin" -Date: Tue, 25 Jun 2013 17:29:46 +0300 -Subject: [PATCH 18/40] vhost-net: fix use-after-free in vhost_net_flush - -[ Upstream commit c38e39c378f46f00ce922dd40a91043a9925c28d ] - -vhost_net_ubuf_put_and_wait has a confusing name: -it will actually also free it's argument. -Thus since commit 1280c27f8e29acf4af2da914e80ec27c3dbd5c01 - "vhost-net: flush outstanding DMAs on memory change" -vhost_net_flush tries to use the argument after passing it -to vhost_net_ubuf_put_and_wait, this results -in use after free. -To fix, don't free the argument in vhost_net_ubuf_put_and_wait, -add an new API for callers that want to free ubufs. - -Acked-by: Asias He -Acked-by: Jason Wang -Signed-off-by: Michael S. Tsirkin ---- - drivers/vhost/net.c | 9 +++++++-- - 1 file changed, 7 insertions(+), 2 deletions(-) - -diff --git a/drivers/vhost/net.c b/drivers/vhost/net.c -index f80d3dd..8ca5ac7 100644 ---- a/drivers/vhost/net.c -+++ b/drivers/vhost/net.c -@@ -150,6 +150,11 @@ static void vhost_net_ubuf_put_and_wait(struct vhost_net_ubuf_ref *ubufs) - { - kref_put(&ubufs->kref, vhost_net_zerocopy_done_signal); - wait_event(ubufs->wait, !atomic_read(&ubufs->kref.refcount)); -+} -+ -+static void vhost_net_ubuf_put_wait_and_free(struct vhost_net_ubuf_ref *ubufs) -+{ -+ vhost_net_ubuf_put_and_wait(ubufs); - kfree(ubufs); - } - -@@ -948,7 +953,7 @@ static long vhost_net_set_backend(struct vhost_net *n, unsigned index, int fd) - mutex_unlock(&vq->mutex); - - if (oldubufs) { -- vhost_net_ubuf_put_and_wait(oldubufs); -+ vhost_net_ubuf_put_wait_and_free(oldubufs); - mutex_lock(&vq->mutex); - vhost_zerocopy_signal_used(n, vq); - mutex_unlock(&vq->mutex); -@@ -966,7 +971,7 @@ err_used: - rcu_assign_pointer(vq->private_data, oldsock); - vhost_net_enable_vq(n, vq); - if (ubufs) -- vhost_net_ubuf_put_and_wait(ubufs); -+ vhost_net_ubuf_put_wait_and_free(ubufs); - err_ubufs: - fput(sock->file); - err_vq: --- -1.7.11.7 - - -From b1036ae16395f14a4e50b96bf09cc36d4bb5c802 Mon Sep 17 00:00:00 2001 -From: Dave Kleikamp -Date: Mon, 1 Jul 2013 16:49:22 -0500 -Subject: [PATCH 19/40] sunvnet: vnet_port_remove must call unregister_netdev - -[ Upstream commit aabb9875d02559ab9b928cd6f259a5cc4c21a589 ] - -The missing call to unregister_netdev() leaves the interface active -after the driver is unloaded by rmmod. - -Signed-off-by: Dave Kleikamp -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/sun/sunvnet.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/drivers/net/ethernet/sun/sunvnet.c b/drivers/net/ethernet/sun/sunvnet.c -index 1df0ff3..3df5684 100644 ---- a/drivers/net/ethernet/sun/sunvnet.c -+++ b/drivers/net/ethernet/sun/sunvnet.c -@@ -1239,6 +1239,8 @@ static int vnet_port_remove(struct vio_dev *vdev) - dev_set_drvdata(&vdev->dev, NULL); - - kfree(port); -+ -+ unregister_netdev(vp->dev); - } - return 0; - } --- -1.7.11.7 - - -From b99eebace35b3d3ae6ddcc2af5659e3ab7a2921c Mon Sep 17 00:00:00 2001 -From: dingtianhong -Date: Wed, 10 Jul 2013 12:04:02 +0800 -Subject: [PATCH 20/40] ifb: fix rcu_sched self-detected stalls - -[ Upstream commit 440d57bc5ff55ec1efb3efc9cbe9420b4bbdfefa ] - -According to the commit 16b0dc29c1af9df341428f4c49ada4f626258082 -(dummy: fix rcu_sched self-detected stalls) - -Eric Dumazet fix the problem in dummy, but the ifb will occur the -same problem like the dummy modules. - -Trying to "modprobe ifb numifbs=30000" triggers : - -INFO: rcu_sched self-detected stall on CPU - -After this splat, RTNL is locked and reboot is needed. - -We must call cond_resched() to avoid this, even holding RTNL. - -Signed-off-by: Ding Tianhong -Signed-off-by: David S. Miller ---- - drivers/net/ifb.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c -index dc9f6a4..a11f7a4 100644 ---- a/drivers/net/ifb.c -+++ b/drivers/net/ifb.c -@@ -292,8 +292,10 @@ static int __init ifb_init_module(void) - rtnl_lock(); - err = __rtnl_link_register(&ifb_link_ops); - -- for (i = 0; i < numifbs && !err; i++) -+ for (i = 0; i < numifbs && !err; i++) { - err = ifb_init_one(i); -+ cond_resched(); -+ } - if (err) - __rtnl_link_unregister(&ifb_link_ops); - rtnl_unlock(); --- -1.7.11.7 - - -From 4782f7d41346ac49c6aa58ee9da6a7ff896cbe4c Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 10 Jul 2013 13:43:27 +0800 -Subject: [PATCH 21/40] tuntap: correctly linearize skb when zerocopy is used - -[ Upstream commit 3dd5c3308e8b671e8e8882ba972f51cefbe9fd0d ] - -Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to -linearize parts of the skb to let the rest of iov to be fit in -the frags, we need count copylen into linear when calling tun_alloc_skb() -instead of partly counting it into data_len. Since this breaks -zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should -be zero at beginning. This cause nr_frags to be increased wrongly without -setting the correct frags. - -This bug were introduced from 0690899b4d4501b3505be069b9a687e68ccbe15b -(tun: experimental zero copy tx support) - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/net/tun.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 9c61f87..c3cb60b 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -1044,7 +1044,7 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - { - struct tun_pi pi = { 0, cpu_to_be16(ETH_P_IP) }; - struct sk_buff *skb; -- size_t len = total_len, align = NET_SKB_PAD; -+ size_t len = total_len, align = NET_SKB_PAD, linear; - struct virtio_net_hdr gso = { 0 }; - int offset = 0; - int copylen; -@@ -1108,10 +1108,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - copylen = gso.hdr_len; - if (!copylen) - copylen = GOODCOPY_LEN; -- } else -+ linear = copylen; -+ } else { - copylen = len; -+ linear = gso.hdr_len; -+ } - -- skb = tun_alloc_skb(tfile, align, copylen, gso.hdr_len, noblock); -+ skb = tun_alloc_skb(tfile, align, copylen, linear, noblock); - if (IS_ERR(skb)) { - if (PTR_ERR(skb) != -EAGAIN) - tun->dev->stats.rx_dropped++; --- -1.7.11.7 - - -From ebf6764da166478c0c059e5083b12f0f577decdc Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 10 Jul 2013 13:43:28 +0800 -Subject: [PATCH 22/40] macvtap: correctly linearize skb when zerocopy is used - -[ Upstream commit 61d46bf979d5cd7c164709a80ad5676a35494aae ] - -Userspace may produce vectors greater than MAX_SKB_FRAGS. When we try to -linearize parts of the skb to let the rest of iov to be fit in -the frags, we need count copylen into linear when calling macvtap_alloc_skb() -instead of partly counting it into data_len. Since this breaks -zerocopy_sg_from_iovec() since its inner counter assumes nr_frags should -be zero at beginning. This cause nr_frags to be increased wrongly without -setting the correct frags. - -This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73 -(macvtap: zerocopy: validate vectors before building skb). - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Acked-by: Michael S. Tsirkin -Signed-off-by: David S. Miller ---- - drivers/net/macvtap.c | 8 ++++++-- - 1 file changed, 6 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index b6dd6a7..502d948 100644 ---- a/drivers/net/macvtap.c -+++ b/drivers/net/macvtap.c -@@ -647,6 +647,7 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - int vnet_hdr_len = 0; - int copylen = 0; - bool zerocopy = false; -+ size_t linear; - - if (q->flags & IFF_VNET_HDR) { - vnet_hdr_len = q->vnet_hdr_sz; -@@ -701,11 +702,14 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - copylen = vnet_hdr.hdr_len; - if (!copylen) - copylen = GOODCOPY_LEN; -- } else -+ linear = copylen; -+ } else { - copylen = len; -+ linear = vnet_hdr.hdr_len; -+ } - - skb = macvtap_alloc_skb(&q->sk, NET_IP_ALIGN, copylen, -- vnet_hdr.hdr_len, noblock, &err); -+ linear, noblock, &err); - if (!skb) - goto err; - --- -1.7.11.7 - - -From 3e86a493305637e79d72541f571ec4f852ef2024 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Wed, 10 Jul 2013 23:00:57 +0200 -Subject: [PATCH 23/40] ipv6: in case of link failure remove route directly - instead of letting it expire - -[ Upstream commit 1eb4f758286884e7566627164bca4c4a16952a83 ] - -We could end up expiring a route which is part of an ecmp route set. Doing -so would invalidate the rt->rt6i_nsiblings calculations and could provoke -the following panic: - -[ 80.144667] ------------[ cut here ]------------ -[ 80.145172] kernel BUG at net/ipv6/ip6_fib.c:733! -[ 80.145172] invalid opcode: 0000 [#1] SMP -[ 80.145172] Modules linked in: 8021q nf_conntrack_netbios_ns nf_conntrack_broadcast ipt_MASQUERADE ip6table_mangle ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 iptable_nat nf_nat_ipv4 nf_nat iptable_mangle nf_conntrack_ipv4 nf_defrag_ipv4 xt_conntrack nf_conntrack ebtable_filter ebtables ip6table_filter ip6_tables -+snd_hda_intel snd_hda_codec snd_hwdep snd_seq snd_seq_device snd_pcm snd_page_alloc snd_timer virtio_balloon snd soundcore i2c_piix4 i2c_core virtio_net virtio_blk -[ 80.145172] CPU: 1 PID: 786 Comm: ping6 Not tainted 3.10.0+ #118 -[ 80.145172] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 -[ 80.145172] task: ffff880117fa0000 ti: ffff880118770000 task.ti: ffff880118770000 -[ 80.145172] RIP: 0010:[] [] fib6_add+0x75d/0x830 -[ 80.145172] RSP: 0018:ffff880118771798 EFLAGS: 00010202 -[ 80.145172] RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffff88011350e480 -[ 80.145172] RDX: ffff88011350e238 RSI: 0000000000000004 RDI: ffff88011350f738 -[ 80.145172] RBP: ffff880118771848 R08: ffff880117903280 R09: 0000000000000001 -[ 80.145172] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88011350f680 -[ 80.145172] R13: ffff880117903280 R14: ffff880118771890 R15: ffff88011350ef90 -[ 80.145172] FS: 00007f02b5127740(0000) GS:ffff88011fd00000(0000) knlGS:0000000000000000 -[ 80.145172] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b -[ 80.145172] CR2: 00007f981322a000 CR3: 00000001181b1000 CR4: 00000000000006e0 -[ 80.145172] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 80.145172] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -[ 80.145172] Stack: -[ 80.145172] 0000000000000001 ffff880100000000 ffff880100000000 ffff880117903280 -[ 80.145172] 0000000000000000 ffff880119a4cf00 0000000000000400 00000000000007fa -[ 80.145172] 0000000000000000 0000000000000000 0000000000000000 ffff88011350f680 -[ 80.145172] Call Trace: -[ 80.145172] [] ? rt6_bind_peer+0x4b/0x90 -[ 80.145172] [] __ip6_ins_rt+0x45/0x70 -[ 80.145172] [] ip6_ins_rt+0x35/0x40 -[ 80.145172] [] ip6_pol_route.isra.44+0x3a4/0x4b0 -[ 80.145172] [] ip6_pol_route_output+0x2a/0x30 -[ 80.145172] [] fib6_rule_action+0xd7/0x210 -[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 -[ 80.145172] [] fib_rules_lookup+0xc6/0x140 -[ 80.145172] [] fib6_rule_lookup+0x44/0x80 -[ 80.145172] [] ? ip6_pol_route_input+0x30/0x30 -[ 80.145172] [] ip6_route_output+0x73/0xb0 -[ 80.145172] [] ip6_dst_lookup_tail+0x2c3/0x2e0 -[ 80.145172] [] ? list_del+0x11/0x40 -[ 80.145172] [] ? remove_wait_queue+0x3c/0x50 -[ 80.145172] [] ip6_dst_lookup_flow+0x3d/0xa0 -[ 80.145172] [] rawv6_sendmsg+0x267/0xc20 -[ 80.145172] [] inet_sendmsg+0x63/0xb0 -[ 80.145172] [] ? selinux_socket_sendmsg+0x23/0x30 -[ 80.145172] [] sock_sendmsg+0xa6/0xd0 -[ 80.145172] [] SYSC_sendto+0x128/0x180 -[ 80.145172] [] ? update_curr+0xec/0x170 -[ 80.145172] [] ? kvm_clock_get_cycles+0x9/0x10 -[ 80.145172] [] ? __getnstimeofday+0x3e/0xd0 -[ 80.145172] [] SyS_sendto+0xe/0x10 -[ 80.145172] [] system_call_fastpath+0x16/0x1b -[ 80.145172] Code: fe ff ff 41 f6 45 2a 06 0f 85 ca fe ff ff 49 8b 7e 08 4c 89 ee e8 94 ef ff ff e9 b9 fe ff ff 48 8b 82 28 05 00 00 e9 01 ff ff ff <0f> 0b 49 8b 54 24 30 0d 00 00 40 00 89 83 14 01 00 00 48 89 53 -[ 80.145172] RIP [] fib6_add+0x75d/0x830 -[ 80.145172] RSP -[ 80.387413] ---[ end trace 02f20b7a8b81ed95 ]--- -[ 80.390154] Kernel panic - not syncing: Fatal exception in interrupt - -Cc: Nicolas Dichtel -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/route.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 7f1332f..262d6d8 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -1076,10 +1076,13 @@ static void ip6_link_failure(struct sk_buff *skb) - - rt = (struct rt6_info *) skb_dst(skb); - if (rt) { -- if (rt->rt6i_flags & RTF_CACHE) -- rt6_update_expires(rt, 0); -- else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) -+ if (rt->rt6i_flags & RTF_CACHE) { -+ dst_hold(&rt->dst); -+ if (ip6_del_rt(rt)) -+ dst_free(&rt->dst); -+ } else if (rt->rt6i_node && (rt->rt6i_flags & RTF_DEFAULT)) { - rt->rt6i_node->fn_sernum = -1; -+ } - } - } - --- -1.7.11.7 - - -From db75617408ddf6d4fa8a65c030861ad0cd7e92ea Mon Sep 17 00:00:00 2001 -From: Sasha Levin -Date: Thu, 11 Jul 2013 13:16:54 -0400 -Subject: [PATCH 24/40] 9p: fix off by one causing access violations and - memory corruption - -[ Upstream commit 110ecd69a9feea82a152bbf9b12aba57e6396883 ] - -p9_release_pages() would attempt to dereference one value past the end of -pages[]. This would cause the following crashes: - -[ 6293.171817] BUG: unable to handle kernel paging request at ffff8807c96f3000 -[ 6293.174146] IP: [] p9_release_pages+0x3b/0x60 -[ 6293.176447] PGD 79c5067 PUD 82c1e3067 PMD 82c197067 PTE 80000007c96f3060 -[ 6293.180060] Oops: 0000 [#1] PREEMPT SMP DEBUG_PAGEALLOC -[ 6293.180060] Modules linked in: -[ 6293.180060] CPU: 62 PID: 174043 Comm: modprobe Tainted: G W 3.10.0-next-20130710-sasha #3954 -[ 6293.180060] task: ffff8807b803b000 ti: ffff880787dde000 task.ti: ffff880787dde000 -[ 6293.180060] RIP: 0010:[] [] p9_release_pages+0x3b/0x60 -[ 6293.214316] RSP: 0000:ffff880787ddfc28 EFLAGS: 00010202 -[ 6293.214316] RAX: 0000000000000001 RBX: ffff8807c96f2ff8 RCX: 0000000000000000 -[ 6293.222017] RDX: ffff8807b803b000 RSI: 0000000000000001 RDI: ffffea001c7e3d40 -[ 6293.222017] RBP: ffff880787ddfc48 R08: 0000000000000000 R09: 0000000000000000 -[ 6293.222017] R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000001 -[ 6293.222017] R13: 0000000000000001 R14: ffff8807cc50c070 R15: ffff8807cc50c070 -[ 6293.222017] FS: 00007f572641d700(0000) GS:ffff8807f3600000(0000) knlGS:0000000000000000 -[ 6293.256784] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b -[ 6293.256784] CR2: ffff8807c96f3000 CR3: 00000007c8e81000 CR4: 00000000000006e0 -[ 6293.256784] Stack: -[ 6293.256784] ffff880787ddfcc8 ffff880787ddfcc8 0000000000000000 ffff880787ddfcc8 -[ 6293.256784] ffff880787ddfd48 ffffffff84128be8 ffff880700000002 0000000000000001 -[ 6293.256784] ffff8807b803b000 ffff880787ddfce0 0000100000000000 0000000000000000 -[ 6293.256784] Call Trace: -[ 6293.256784] [] p9_virtio_zc_request+0x598/0x630 -[ 6293.256784] [] ? wake_up_bit+0x40/0x40 -[ 6293.256784] [] p9_client_zc_rpc+0x111/0x3a0 -[ 6293.256784] [] ? sched_clock_cpu+0x108/0x120 -[ 6293.256784] [] p9_client_read+0xe1/0x2c0 -[ 6293.256784] [] v9fs_file_read+0x90/0xc0 -[ 6293.256784] [] vfs_read+0xc3/0x130 -[ 6293.256784] [] ? trace_hardirqs_on+0xd/0x10 -[ 6293.256784] [] SyS_read+0x62/0xa0 -[ 6293.256784] [] tracesys+0xdd/0xe2 -[ 6293.256784] Code: 66 90 48 89 fb 41 89 f5 48 8b 3f 48 85 ff 74 29 85 f6 74 25 45 31 e4 66 0f 1f 84 00 00 00 00 00 e8 eb 14 12 fd 41 ff c4 49 63 c4 <48> 8b 3c c3 48 85 ff 74 05 45 39 e5 75 e7 48 83 c4 08 5b 41 5c -[ 6293.256784] RIP [] p9_release_pages+0x3b/0x60 -[ 6293.256784] RSP -[ 6293.256784] CR2: ffff8807c96f3000 -[ 6293.256784] ---[ end trace 50822ee72cd360fc ]--- - -Signed-off-by: Sasha Levin -Signed-off-by: David S. Miller ---- - net/9p/trans_common.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/net/9p/trans_common.c b/net/9p/trans_common.c -index de8df95..2ee3879 100644 ---- a/net/9p/trans_common.c -+++ b/net/9p/trans_common.c -@@ -24,11 +24,11 @@ - */ - void p9_release_pages(struct page **pages, int nr_pages) - { -- int i = 0; -- while (pages[i] && nr_pages--) { -- put_page(pages[i]); -- i++; -- } -+ int i; -+ -+ for (i = 0; i < nr_pages; i++) -+ if (pages[i]) -+ put_page(pages[i]); - } - EXPORT_SYMBOL(p9_release_pages); - --- -1.7.11.7 - - -From d0772a6314c2ed4d04ab0163c50b3ef6ff9eba40 Mon Sep 17 00:00:00 2001 -From: Maarten Lankhorst -Date: Thu, 11 Jul 2013 15:53:21 +0200 -Subject: [PATCH 25/40] alx: fix lockdep annotation - -[ Upstream commit a8798a5c77c9981e88caef1373a3310bf8aed219 ] - -Move spin_lock_init to be called before the spinlocks are used, preventing a lockdep splat. - -Signed-off-by: Maarten Lankhorst -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/atheros/alx/main.c | 5 ++--- - 1 file changed, 2 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c -index 418de8b..d30085c 100644 ---- a/drivers/net/ethernet/atheros/alx/main.c -+++ b/drivers/net/ethernet/atheros/alx/main.c -@@ -1303,6 +1303,8 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - SET_NETDEV_DEV(netdev, &pdev->dev); - alx = netdev_priv(netdev); -+ spin_lock_init(&alx->hw.mdio_lock); -+ spin_lock_init(&alx->irq_lock); - alx->dev = netdev; - alx->hw.pdev = pdev; - alx->msg_enable = NETIF_MSG_LINK | NETIF_MSG_HW | NETIF_MSG_IFUP | -@@ -1385,9 +1387,6 @@ static int alx_probe(struct pci_dev *pdev, const struct pci_device_id *ent) - - INIT_WORK(&alx->link_check_wk, alx_link_check); - INIT_WORK(&alx->reset_wk, alx_reset); -- spin_lock_init(&alx->hw.mdio_lock); -- spin_lock_init(&alx->irq_lock); -- - netif_carrier_off(netdev); - - err = register_netdev(netdev); --- -1.7.11.7 - - -From 1ea4568e699d6f1a231c14d5f084b4eb97298b7b Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Thu, 11 Jul 2013 12:43:42 +0200 -Subject: [PATCH 26/40] ipv6: fix route selection if kernel is not compiled - with CONFIG_IPV6_ROUTER_PREF - -[ Upstream commit afc154e978de1eb11c555bc8bcec1552f75ebc43 ] - -This is a follow-up patch to 3630d40067a21d4dfbadc6002bb469ce26ac5d52 -("ipv6: rt6_check_neigh should successfully verify neigh if no NUD -information are available"). - -Since the removal of rt->n in rt6_info we can end up with a dst == -NULL in rt6_check_neigh. In case the kernel is not compiled with -CONFIG_IPV6_ROUTER_PREF we should also select a route with unkown -NUD state but we must not avoid doing round robin selection on routes -with the same target. So introduce and pass down a boolean ``do_rr'' to -indicate when we should update rt->rr_ptr. As soon as no route is valid -we do backtracking and do a lookup on a higher level in the fib trie. - -v2: -a) Improved rt6_check_neigh logic (no need to create neighbour there) - and documented return values. - -v3: -a) Introduce enum rt6_nud_state to get rid of the magic numbers - (thanks to David Miller). -b) Update and shorten commit message a bit to actualy reflect - the source. - -Reported-by: Pierre Emeriaud -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/route.c | 63 +++++++++++++++++++++++++++++++++++--------------------- - 1 file changed, 40 insertions(+), 23 deletions(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 262d6d8..bacce6c 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -65,6 +65,12 @@ - #include - #endif - -+enum rt6_nud_state { -+ RT6_NUD_FAIL_HARD = -2, -+ RT6_NUD_FAIL_SOFT = -1, -+ RT6_NUD_SUCCEED = 1 -+}; -+ - static struct rt6_info *ip6_rt_copy(struct rt6_info *ort, - const struct in6_addr *dest); - static struct dst_entry *ip6_dst_check(struct dst_entry *dst, u32 cookie); -@@ -527,28 +533,29 @@ static inline int rt6_check_dev(struct rt6_info *rt, int oif) - return 0; - } - --static inline bool rt6_check_neigh(struct rt6_info *rt) -+static inline enum rt6_nud_state rt6_check_neigh(struct rt6_info *rt) - { - struct neighbour *neigh; -- bool ret = false; -+ enum rt6_nud_state ret = RT6_NUD_FAIL_HARD; - - if (rt->rt6i_flags & RTF_NONEXTHOP || - !(rt->rt6i_flags & RTF_GATEWAY)) -- return true; -+ return RT6_NUD_SUCCEED; - - rcu_read_lock_bh(); - neigh = __ipv6_neigh_lookup_noref(rt->dst.dev, &rt->rt6i_gateway); - if (neigh) { - read_lock(&neigh->lock); - if (neigh->nud_state & NUD_VALID) -- ret = true; -+ ret = RT6_NUD_SUCCEED; - #ifdef CONFIG_IPV6_ROUTER_PREF - else if (!(neigh->nud_state & NUD_FAILED)) -- ret = true; -+ ret = RT6_NUD_SUCCEED; - #endif - read_unlock(&neigh->lock); -- } else if (IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { -- ret = true; -+ } else { -+ ret = IS_ENABLED(CONFIG_IPV6_ROUTER_PREF) ? -+ RT6_NUD_SUCCEED : RT6_NUD_FAIL_SOFT; - } - rcu_read_unlock_bh(); - -@@ -562,43 +569,52 @@ static int rt6_score_route(struct rt6_info *rt, int oif, - - m = rt6_check_dev(rt, oif); - if (!m && (strict & RT6_LOOKUP_F_IFACE)) -- return -1; -+ return RT6_NUD_FAIL_HARD; - #ifdef CONFIG_IPV6_ROUTER_PREF - m |= IPV6_DECODE_PREF(IPV6_EXTRACT_PREF(rt->rt6i_flags)) << 2; - #endif -- if (!rt6_check_neigh(rt) && (strict & RT6_LOOKUP_F_REACHABLE)) -- return -1; -+ if (strict & RT6_LOOKUP_F_REACHABLE) { -+ int n = rt6_check_neigh(rt); -+ if (n < 0) -+ return n; -+ } - return m; - } - - static struct rt6_info *find_match(struct rt6_info *rt, int oif, int strict, -- int *mpri, struct rt6_info *match) -+ int *mpri, struct rt6_info *match, -+ bool *do_rr) - { - int m; -+ bool match_do_rr = false; - - if (rt6_check_expired(rt)) - goto out; - - m = rt6_score_route(rt, oif, strict); -- if (m < 0) -+ if (m == RT6_NUD_FAIL_SOFT && !IS_ENABLED(CONFIG_IPV6_ROUTER_PREF)) { -+ match_do_rr = true; -+ m = 0; /* lowest valid score */ -+ } else if (m < 0) { - goto out; -+ } -+ -+ if (strict & RT6_LOOKUP_F_REACHABLE) -+ rt6_probe(rt); - - if (m > *mpri) { -- if (strict & RT6_LOOKUP_F_REACHABLE) -- rt6_probe(match); -+ *do_rr = match_do_rr; - *mpri = m; - match = rt; -- } else if (strict & RT6_LOOKUP_F_REACHABLE) { -- rt6_probe(rt); - } -- - out: - return match; - } - - static struct rt6_info *find_rr_leaf(struct fib6_node *fn, - struct rt6_info *rr_head, -- u32 metric, int oif, int strict) -+ u32 metric, int oif, int strict, -+ bool *do_rr) - { - struct rt6_info *rt, *match; - int mpri = -1; -@@ -606,10 +622,10 @@ static struct rt6_info *find_rr_leaf(struct fib6_node *fn, - match = NULL; - for (rt = rr_head; rt && rt->rt6i_metric == metric; - rt = rt->dst.rt6_next) -- match = find_match(rt, oif, strict, &mpri, match); -+ match = find_match(rt, oif, strict, &mpri, match, do_rr); - for (rt = fn->leaf; rt && rt != rr_head && rt->rt6i_metric == metric; - rt = rt->dst.rt6_next) -- match = find_match(rt, oif, strict, &mpri, match); -+ match = find_match(rt, oif, strict, &mpri, match, do_rr); - - return match; - } -@@ -618,15 +634,16 @@ static struct rt6_info *rt6_select(struct fib6_node *fn, int oif, int strict) - { - struct rt6_info *match, *rt0; - struct net *net; -+ bool do_rr = false; - - rt0 = fn->rr_ptr; - if (!rt0) - fn->rr_ptr = rt0 = fn->leaf; - -- match = find_rr_leaf(fn, rt0, rt0->rt6i_metric, oif, strict); -+ match = find_rr_leaf(fn, rt0, rt0->rt6i_metric, oif, strict, -+ &do_rr); - -- if (!match && -- (strict & RT6_LOOKUP_F_REACHABLE)) { -+ if (do_rr) { - struct rt6_info *next = rt0->dst.rt6_next; - - /* no entries matched; do round-robin */ --- -1.7.11.7 - - -From a3bd2b75636d9e8ce1105521a210039fca6433c2 Mon Sep 17 00:00:00 2001 -From: dingtianhong -Date: Thu, 11 Jul 2013 19:04:02 +0800 -Subject: [PATCH 27/40] dummy: fix oops when loading the dummy failed - -[ Upstream commit 2c8a01894a12665d8059fad8f0a293c98a264121 ] - -We rename the dummy in modprobe.conf like this: - -install dummy0 /sbin/modprobe -o dummy0 --ignore-install dummy -install dummy1 /sbin/modprobe -o dummy1 --ignore-install dummy - -We got oops when we run the command: - -modprobe dummy0 -modprobe dummy1 - -------------[ cut here ]------------ - -[ 3302.187584] BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 -[ 3302.195411] IP: [] __rtnl_link_unregister+0x9a/0xd0 -[ 3302.201844] PGD 85c94a067 PUD 8517bd067 PMD 0 -[ 3302.206305] Oops: 0002 [#1] SMP -[ 3302.299737] task: ffff88105ccea300 ti: ffff880eba4a0000 task.ti: ffff880eba4a0000 -[ 3302.307186] RIP: 0010:[] [] __rtnl_link_unregister+0x9a/0xd0 -[ 3302.316044] RSP: 0018:ffff880eba4a1dd8 EFLAGS: 00010246 -[ 3302.321332] RAX: 0000000000000000 RBX: ffffffff81a9d738 RCX: 0000000000000002 -[ 3302.328436] RDX: 0000000000000000 RSI: ffffffffa04d602c RDI: ffff880eba4a1dd8 -[ 3302.335541] RBP: ffff880eba4a1e18 R08: dead000000200200 R09: dead000000100100 -[ 3302.342644] R10: 0000000000000080 R11: 0000000000000003 R12: ffffffff81a9d788 -[ 3302.349748] R13: ffffffffa04d7020 R14: ffffffff81a9d670 R15: ffff880eba4a1dd8 -[ 3302.364910] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 3302.370630] CR2: 0000000000000008 CR3: 000000085e15e000 CR4: 00000000000427e0 -[ 3302.377734] DR0: 0000000000000003 DR1: 00000000000000b0 DR2: 0000000000000001 -[ 3302.384838] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -[ 3302.391940] Stack: -[ 3302.393944] ffff880eba4a1dd8 ffff880eba4a1dd8 ffff880eba4a1e18 ffffffffa04d70c0 -[ 3302.401350] 00000000ffffffef ffffffffa01a8000 0000000000000000 ffffffff816111c8 -[ 3302.408758] ffff880eba4a1e48 ffffffffa01a80be ffff880eba4a1e48 ffffffffa04d70c0 -[ 3302.416164] Call Trace: -[ 3302.418605] [] ? 0xffffffffa01a7fff -[ 3302.423727] [] dummy_init_module+0xbe/0x1000 [dummy0] -[ 3302.430405] [] ? 0xffffffffa01a7fff -[ 3302.435535] [] do_one_initcall+0x152/0x1b0 -[ 3302.441263] [] do_init_module+0x7b/0x200 -[ 3302.446824] [] load_module+0x4e2/0x530 -[ 3302.452215] [] ? ddebug_dyndbg_boot_param_cb+0x60/0x60 -[ 3302.458979] [] SyS_init_module+0xd1/0x130 -[ 3302.464627] [] system_call_fastpath+0x16/0x1b -[ 3302.490090] RIP [] __rtnl_link_unregister+0x9a/0xd0 -[ 3302.496607] RSP -[ 3302.500084] CR2: 0000000000000008 -[ 3302.503466] ---[ end trace 8342d49cd49f78ed ]--- - -The reason is that when loading dummy, if __rtnl_link_register() return failed, -the init_module should return and avoid take the wrong path. - -Signed-off-by: Tan Xiaojun -Signed-off-by: Ding Tianhong -Signed-off-by: David S. Miller ---- - drivers/net/dummy.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/dummy.c b/drivers/net/dummy.c -index 42aa54a..b710c6b 100644 ---- a/drivers/net/dummy.c -+++ b/drivers/net/dummy.c -@@ -185,6 +185,8 @@ static int __init dummy_init_module(void) - - rtnl_lock(); - err = __rtnl_link_register(&dummy_link_ops); -+ if (err < 0) -+ goto out; - - for (i = 0; i < numdummies && !err; i++) { - err = dummy_init_one(); -@@ -192,6 +194,8 @@ static int __init dummy_init_module(void) - } - if (err < 0) - __rtnl_link_unregister(&dummy_link_ops); -+ -+out: - rtnl_unlock(); - - return err; --- -1.7.11.7 - - -From 44780fa991640ee8c5fc4f4c47d5033a5c98895d Mon Sep 17 00:00:00 2001 -From: dingtianhong -Date: Thu, 11 Jul 2013 19:04:06 +0800 -Subject: [PATCH 28/40] ifb: fix oops when loading the ifb failed - -[ Upstream commit f2966cd5691058b8674a20766525bedeaea9cbcf ] - -If __rtnl_link_register() return faild when loading the ifb, it will -take the wrong path and get oops, so fix it just like dummy. - -Signed-off-by: Ding Tianhong -Signed-off-by: David S. Miller ---- - drivers/net/ifb.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/net/ifb.c b/drivers/net/ifb.c -index a11f7a4..a3bed28 100644 ---- a/drivers/net/ifb.c -+++ b/drivers/net/ifb.c -@@ -291,6 +291,8 @@ static int __init ifb_init_module(void) - - rtnl_lock(); - err = __rtnl_link_register(&ifb_link_ops); -+ if (err < 0) -+ goto out; - - for (i = 0; i < numifbs && !err; i++) { - err = ifb_init_one(i); -@@ -298,6 +300,8 @@ static int __init ifb_init_module(void) - } - if (err) - __rtnl_link_unregister(&ifb_link_ops); -+ -+out: - rtnl_unlock(); - - return err; --- -1.7.11.7 - - -From 60731ca136b36cde13dd6b021711f031d70e061f Mon Sep 17 00:00:00 2001 -From: Alexander Duyck -Date: Thu, 11 Jul 2013 13:12:22 -0700 -Subject: [PATCH 29/40] gre: Fix MTU sizing check for gretap tunnels - -[ Upstream commit 8c91e162e058bb91b7766f26f4d5823a21941026 ] - -This change fixes an MTU sizing issue seen with gretap tunnels when non-gso -packets are sent from the interface. - -In my case I was able to reproduce the issue by simply sending a ping of -1421 bytes with the gretap interface created on a device with a standard -1500 mtu. - -This fix is based on the fact that the tunnel mtu is already adjusted by -dev->hard_header_len so it would make sense that any packets being compared -against that mtu should also be adjusted by hard_header_len and the tunnel -header instead of just the tunnel header. - -Signed-off-by: Alexander Duyck -Reported-by: Cong Wang -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/ip_tunnel.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/ip_tunnel.c b/net/ipv4/ip_tunnel.c -index d05bd02..cbfc37f 100644 ---- a/net/ipv4/ip_tunnel.c -+++ b/net/ipv4/ip_tunnel.c -@@ -490,7 +490,7 @@ static int tnl_update_pmtu(struct net_device *dev, struct sk_buff *skb, - struct rtable *rt, __be16 df) - { - struct ip_tunnel *tunnel = netdev_priv(dev); -- int pkt_size = skb->len - tunnel->hlen; -+ int pkt_size = skb->len - tunnel->hlen - dev->hard_header_len; - int mtu; - - if (df) --- -1.7.11.7 - - -From 8bd8eef9c03de3dc458d95069adaecc5960f9f66 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 12 Jul 2013 23:46:33 +0200 -Subject: [PATCH 30/40] ipv6: only static routes qualify for equal cost - multipathing - -[ Upstream commit 307f2fb95e9b96b3577916e73d92e104f8f26494 ] - -Static routes in this case are non-expiring routes which did not get -configured by autoconf or by icmpv6 redirects. - -To make sure we actually get an ecmp route while searching for the first -one in this fib6_node's leafs, also make sure it matches the ecmp route -assumptions. - -v2: -a) Removed RTF_EXPIRE check in dst.from chain. The check of RTF_ADDRCONF - already ensures that this route, even if added again without - RTF_EXPIRES (in case of a RA announcement with infinite timeout), - does not cause the rt6i_nsiblings logic to go wrong if a later RA - updates the expiration time later. - -v3: -a) Allow RTF_EXPIRES routes to enter the ecmp route set. We have to do so, - because an pmtu event could update the RTF_EXPIRES flag and we would - not count this route, if another route joins this set. We now filter - only for RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC, which are flags that - don't get changed after rt6_info construction. - -Cc: Nicolas Dichtel -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_fib.c | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/net/ipv6/ip6_fib.c b/net/ipv6/ip6_fib.c -index 192dd1a..5fc9c7a 100644 ---- a/net/ipv6/ip6_fib.c -+++ b/net/ipv6/ip6_fib.c -@@ -632,6 +632,12 @@ insert_above: - return ln; - } - -+static inline bool rt6_qualify_for_ecmp(struct rt6_info *rt) -+{ -+ return (rt->rt6i_flags & (RTF_GATEWAY|RTF_ADDRCONF|RTF_DYNAMIC)) == -+ RTF_GATEWAY; -+} -+ - /* - * Insert routing information in a node. - */ -@@ -646,6 +652,7 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - int add = (!info->nlh || - (info->nlh->nlmsg_flags & NLM_F_CREATE)); - int found = 0; -+ bool rt_can_ecmp = rt6_qualify_for_ecmp(rt); - - ins = &fn->leaf; - -@@ -691,9 +698,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - * To avoid long list, we only had siblings if the - * route have a gateway. - */ -- if (rt->rt6i_flags & RTF_GATEWAY && -- !(rt->rt6i_flags & RTF_EXPIRES) && -- !(iter->rt6i_flags & RTF_EXPIRES)) -+ if (rt_can_ecmp && -+ rt6_qualify_for_ecmp(iter)) - rt->rt6i_nsiblings++; - } - -@@ -715,7 +721,8 @@ static int fib6_add_rt2node(struct fib6_node *fn, struct rt6_info *rt, - /* Find the first route that have the same metric */ - sibling = fn->leaf; - while (sibling) { -- if (sibling->rt6i_metric == rt->rt6i_metric) { -+ if (sibling->rt6i_metric == rt->rt6i_metric && -+ rt6_qualify_for_ecmp(sibling)) { - list_add_tail(&rt->rt6i_siblings, - &sibling->rt6i_siblings); - break; --- -1.7.11.7 - - -From bf6a9aa8649eefee6a93b18d827bd2bbee2dd1ae Mon Sep 17 00:00:00 2001 -From: Neil Horman -Date: Fri, 12 Jul 2013 10:58:48 -0400 -Subject: [PATCH 31/40] atl1e: fix dma mapping warnings - -[ Upstream commit 352900b583b2852152a1e05ea0e8b579292e731e ] - -Recently had this backtrace reported: -WARNING: at lib/dma-debug.c:937 check_unmap+0x47d/0x930() -Hardware name: System Product Name -ATL1E 0000:02:00.0: DMA-API: device driver failed to check map error[device -address=0x00000000cbfd1000] [size=90 bytes] [mapped as single] -Modules linked in: xt_conntrack nf_conntrack ebtable_filter ebtables -ip6table_filter ip6_tables snd_hda_codec_hdmi snd_hda_codec_realtek iTCO_wdt -iTCO_vendor_support snd_hda_intel acpi_cpufreq mperf coretemp btrfs zlib_deflate -snd_hda_codec snd_hwdep microcode raid6_pq libcrc32c snd_seq usblp serio_raw xor -snd_seq_device joydev snd_pcm snd_page_alloc snd_timer snd lpc_ich i2c_i801 -soundcore mfd_core atl1e asus_atk0110 ata_generic pata_acpi radeon i2c_algo_bit -drm_kms_helper ttm drm i2c_core pata_marvell uinput -Pid: 314, comm: systemd-journal Not tainted 3.9.0-0.rc6.git2.3.fc19.x86_64 #1 -Call Trace: - [] warn_slowpath_common+0x66/0x80 - [] warn_slowpath_fmt+0x4c/0x50 - [] check_unmap+0x47d/0x930 - [] ? sched_clock_cpu+0xa8/0x100 - [] debug_dma_unmap_page+0x5f/0x70 - [] ? unmap_single+0x20/0x30 - [] atl1e_intr+0x3a1/0x5b0 [atl1e] - [] ? trace_hardirqs_off+0xd/0x10 - [] handle_irq_event_percpu+0x56/0x390 - [] handle_irq_event+0x3d/0x60 - [] handle_fasteoi_irq+0x5a/0x100 - [] handle_irq+0xbf/0x150 - [] ? file_sb_list_del+0x3f/0x50 - [] ? irq_enter+0x50/0xa0 - [] do_IRQ+0x4d/0xc0 - [] ? file_sb_list_del+0x3f/0x50 - [] common_interrupt+0x72/0x72 - [] ? lock_release+0xc2/0x310 - [] lg_local_unlock_cpu+0x24/0x50 - [] file_sb_list_del+0x3f/0x50 - [] fput+0x2d/0xc0 - [] filp_close+0x61/0x90 - [] __close_fd+0x8d/0x150 - [] sys_close+0x20/0x50 - [] system_call_fastpath+0x16/0x1b - -The usual straighforward failure to check for dma_mapping_error after a map -operation is completed. - -This patch should fix it, the reporter wandered off after filing this bz: -https://bugzilla.redhat.com/show_bug.cgi?id=954170 - -and I don't have hardware to test, but the fix is pretty straightforward, so I -figured I'd post it for review. - -Signed-off-by: Neil Horman -CC: Jay Cliburn -CC: Chris Snook -CC: "David S. Miller" -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 28 ++++++++++++++++++++++--- - 1 file changed, 25 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -index 0688bb8..8116cb8 100644 ---- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -+++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -@@ -1665,8 +1665,8 @@ check_sum: - return 0; - } - --static void atl1e_tx_map(struct atl1e_adapter *adapter, -- struct sk_buff *skb, struct atl1e_tpd_desc *tpd) -+static int atl1e_tx_map(struct atl1e_adapter *adapter, -+ struct sk_buff *skb, struct atl1e_tpd_desc *tpd) - { - struct atl1e_tpd_desc *use_tpd = NULL; - struct atl1e_tx_buffer *tx_buffer = NULL; -@@ -1677,6 +1677,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - u16 nr_frags; - u16 f; - int segment; -+ int ring_start = adapter->tx_ring.next_to_use; - - nr_frags = skb_shinfo(skb)->nr_frags; - segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK; -@@ -1689,6 +1690,9 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - tx_buffer->length = map_len; - tx_buffer->dma = pci_map_single(adapter->pdev, - skb->data, hdr_len, PCI_DMA_TODEVICE); -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) -+ return -ENOSPC; -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); - mapped_len += map_len; - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); -@@ -1715,6 +1719,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - tx_buffer->dma = - pci_map_single(adapter->pdev, skb->data + mapped_len, - map_len, PCI_DMA_TODEVICE); -+ -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* Reset the tx rings next pointer */ -+ adapter->tx_ring.next_to_use = ring_start; -+ return -ENOSPC; -+ } -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_SINGLE); - mapped_len += map_len; - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); -@@ -1750,6 +1761,13 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - (i * MAX_TX_BUF_LEN), - tx_buffer->length, - DMA_TO_DEVICE); -+ -+ if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* Reset the ring next to use pointer */ -+ adapter->tx_ring.next_to_use = ring_start; -+ return -ENOSPC; -+ } -+ - ATL1E_SET_PCIMAP_TYPE(tx_buffer, ATL1E_TX_PCIMAP_PAGE); - use_tpd->buffer_addr = cpu_to_le64(tx_buffer->dma); - use_tpd->word2 = (use_tpd->word2 & (~TPD_BUFLEN_MASK)) | -@@ -1767,6 +1785,7 @@ static void atl1e_tx_map(struct atl1e_adapter *adapter, - /* The last buffer info contain the skb address, - so it will be free after unmap */ - tx_buffer->skb = skb; -+ return 0; - } - - static void atl1e_tx_queue(struct atl1e_adapter *adapter, u16 count, -@@ -1834,10 +1853,13 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb, - return NETDEV_TX_OK; - } - -- atl1e_tx_map(adapter, skb, tpd); -+ if (atl1e_tx_map(adapter, skb, tpd)) -+ goto out; -+ - atl1e_tx_queue(adapter, tpd_req, tpd); - - netdev->trans_start = jiffies; /* NETIF_F_LLTX driver :( */ -+out: - spin_unlock_irqrestore(&adapter->tx_lock, flags); - return NETDEV_TX_OK; - } --- -1.7.11.7 - - -From 326eb306b8445bccf894e99ccde478eb4731b726 Mon Sep 17 00:00:00 2001 -From: Neil Horman -Date: Tue, 16 Jul 2013 10:49:41 -0400 -Subject: [PATCH 32/40] atl1e: unmap partially mapped skb on dma error and - free skb - -[ Upstream commit 584ec4355355ffac43571b02a314d43eb2f7fcbf ] - -Ben Hutchings pointed out that my recent update to atl1e -in commit 352900b583b2852152a1e05ea0e8b579292e731e -("atl1e: fix dma mapping warnings") was missing a bit of code. - -Specifically it reset the hardware tx ring to its origional state when -we hit a dma error, but didn't unmap any exiting mappings from the -operation. This patch fixes that up. It also remembers to free the -skb in the event that an error occurs, so we don't leak. Untested, as -I don't have hardware. I think its pretty straightforward, but please -review closely. - -Signed-off-by: Neil Horman -CC: Ben Hutchings -CC: Jay Cliburn -CC: Chris Snook -CC: "David S. Miller" -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/atheros/atl1e/atl1e_main.c | 24 +++++++++++++++++++++++- - 1 file changed, 23 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -index 8116cb8..c23bb02 100644 ---- a/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -+++ b/drivers/net/ethernet/atheros/atl1e/atl1e_main.c -@@ -1678,6 +1678,7 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, - u16 f; - int segment; - int ring_start = adapter->tx_ring.next_to_use; -+ int ring_end; - - nr_frags = skb_shinfo(skb)->nr_frags; - segment = (tpd->word3 >> TPD_SEGMENT_EN_SHIFT) & TPD_SEGMENT_EN_MASK; -@@ -1721,6 +1722,15 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, - map_len, PCI_DMA_TODEVICE); - - if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* We need to unwind the mappings we've done */ -+ ring_end = adapter->tx_ring.next_to_use; -+ adapter->tx_ring.next_to_use = ring_start; -+ while (adapter->tx_ring.next_to_use != ring_end) { -+ tpd = atl1e_get_tpd(adapter); -+ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); -+ pci_unmap_single(adapter->pdev, tx_buffer->dma, -+ tx_buffer->length, PCI_DMA_TODEVICE); -+ } - /* Reset the tx rings next pointer */ - adapter->tx_ring.next_to_use = ring_start; - return -ENOSPC; -@@ -1763,6 +1773,16 @@ static int atl1e_tx_map(struct atl1e_adapter *adapter, - DMA_TO_DEVICE); - - if (dma_mapping_error(&adapter->pdev->dev, tx_buffer->dma)) { -+ /* We need to unwind the mappings we've done */ -+ ring_end = adapter->tx_ring.next_to_use; -+ adapter->tx_ring.next_to_use = ring_start; -+ while (adapter->tx_ring.next_to_use != ring_end) { -+ tpd = atl1e_get_tpd(adapter); -+ tx_buffer = atl1e_get_tx_buffer(adapter, tpd); -+ dma_unmap_page(&adapter->pdev->dev, tx_buffer->dma, -+ tx_buffer->length, DMA_TO_DEVICE); -+ } -+ - /* Reset the ring next to use pointer */ - adapter->tx_ring.next_to_use = ring_start; - return -ENOSPC; -@@ -1853,8 +1873,10 @@ static netdev_tx_t atl1e_xmit_frame(struct sk_buff *skb, - return NETDEV_TX_OK; - } - -- if (atl1e_tx_map(adapter, skb, tpd)) -+ if (atl1e_tx_map(adapter, skb, tpd)) { -+ dev_kfree_skb_any(skb); - goto out; -+ } - - atl1e_tx_queue(adapter, tpd_req, tpd); - --- -1.7.11.7 - - -From 4ff552ad9b0463045a9211c5548288fa70649474 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Mon, 15 Jul 2013 20:03:19 -0700 -Subject: [PATCH 33/40] ipv4: set transport header earlier - -[ Upstream commit 21d1196a35f5686c4323e42a62fdb4b23b0ab4a3 ] - -commit 45f00f99d6e ("ipv4: tcp: clean up tcp_v4_early_demux()") added a -performance regression for non GRO traffic, basically disabling -IP early demux. - -IPv6 stack resets transport header in ip6_rcv() before calling -IP early demux in ip6_rcv_finish(), while IPv4 does this only in -ip_local_deliver_finish(), _after_ IP early demux. - -GRO traffic happened to enable IP early demux because transport header -is also set in inet_gro_receive() - -Instead of reverting the faulty commit, we can make IPv4/IPv6 behave the -same : transport_header should be set in ip_rcv() instead of -ip_local_deliver_finish() - -ip_local_deliver_finish() can also use skb_network_header_len() which is -faster than ip_hdrlen() - -Signed-off-by: Eric Dumazet -Cc: Neal Cardwell -Cc: Tom Herbert -Signed-off-by: David S. Miller ---- - net/ipv4/ip_input.c | 7 +++---- - 1 file changed, 3 insertions(+), 4 deletions(-) - -diff --git a/net/ipv4/ip_input.c b/net/ipv4/ip_input.c -index 3da817b..15e3e68 100644 ---- a/net/ipv4/ip_input.c -+++ b/net/ipv4/ip_input.c -@@ -190,10 +190,7 @@ static int ip_local_deliver_finish(struct sk_buff *skb) - { - struct net *net = dev_net(skb->dev); - -- __skb_pull(skb, ip_hdrlen(skb)); -- -- /* Point into the IP datagram, just past the header. */ -- skb_reset_transport_header(skb); -+ __skb_pull(skb, skb_network_header_len(skb)); - - rcu_read_lock(); - { -@@ -437,6 +434,8 @@ int ip_rcv(struct sk_buff *skb, struct net_device *dev, struct packet_type *pt, - goto drop; - } - -+ skb->transport_header = skb->network_header + iph->ihl*4; -+ - /* Remove any debris in the socket control block */ - memset(IPCB(skb), 0, sizeof(struct inet_skb_parm)); - --- -1.7.11.7 - - -From b88b4272651cb4ee68c7a32cfc256fd4e8fdf735 Mon Sep 17 00:00:00 2001 -From: Sarveshwar Bandi -Date: Tue, 16 Jul 2013 12:44:02 +0530 -Subject: [PATCH 34/40] be2net: Fix to avoid hardware workaround when not - needed - -[ Upstream commit 52fe29e4bb614367c108b717c6d7fe5953eb7af3 ] - -Hardware workaround requesting hardware to skip vlan insertion is necessary -only when umc or qnq is enabled. Enabling this workaround in other scenarios -could cause controller to stall. - -Signed-off-by: Sarveshwar Bandi -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/emulex/benet/be_main.c | 14 ++++++++++---- - 1 file changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/ethernet/emulex/benet/be_main.c b/drivers/net/ethernet/emulex/benet/be_main.c -index a0b4be5..6e43426 100644 ---- a/drivers/net/ethernet/emulex/benet/be_main.c -+++ b/drivers/net/ethernet/emulex/benet/be_main.c -@@ -782,16 +782,22 @@ static struct sk_buff *be_insert_vlan_in_pkt(struct be_adapter *adapter, - - if (vlan_tx_tag_present(skb)) - vlan_tag = be_get_tx_vlan_tag(adapter, skb); -- else if (qnq_async_evt_rcvd(adapter) && adapter->pvid) -- vlan_tag = adapter->pvid; -+ -+ if (qnq_async_evt_rcvd(adapter) && adapter->pvid) { -+ if (!vlan_tag) -+ vlan_tag = adapter->pvid; -+ /* f/w workaround to set skip_hw_vlan = 1, informs the F/W to -+ * skip VLAN insertion -+ */ -+ if (skip_hw_vlan) -+ *skip_hw_vlan = true; -+ } - - if (vlan_tag) { - skb = __vlan_put_tag(skb, htons(ETH_P_8021Q), vlan_tag); - if (unlikely(!skb)) - return skb; - skb->vlan_tci = 0; -- if (skip_hw_vlan) -- *skip_hw_vlan = true; - } - - /* Insert the outer VLAN, if any */ --- -1.7.11.7 - - -From fe7d570e2db88a8b10c61122d17cb0effd04e3c0 Mon Sep 17 00:00:00 2001 -From: Haiyang Zhang -Date: Tue, 16 Jul 2013 23:01:20 -0700 -Subject: [PATCH 35/40] hyperv: Fix the NETIF_F_SG flag setting in netvsc - -[ Upstream commit f45708209dc445bac0844f6ce86e315a2ffe8a29 ] - -SG mode is not currently supported by netvsc, so remove this flag for now. -Otherwise, it will be unconditionally enabled by commit ec5f0615642 - "Kill link between CSUM and SG features" -Previously, the SG feature is disabled because CSUM is not set here. - -Signed-off-by: Haiyang Zhang -Reviewed-by: K. Y. Srinivasan -Signed-off-by: David S. Miller ---- - drivers/net/hyperv/netvsc_drv.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/hyperv/netvsc_drv.c b/drivers/net/hyperv/netvsc_drv.c -index 4dccead..23a0fff 100644 ---- a/drivers/net/hyperv/netvsc_drv.c -+++ b/drivers/net/hyperv/netvsc_drv.c -@@ -431,8 +431,8 @@ static int netvsc_probe(struct hv_device *dev, - net->netdev_ops = &device_ops; - - /* TODO: Add GSO and Checksum offload */ -- net->hw_features = NETIF_F_SG; -- net->features = NETIF_F_SG | NETIF_F_HW_VLAN_CTAG_TX; -+ net->hw_features = 0; -+ net->features = NETIF_F_HW_VLAN_CTAG_TX; - - SET_ETHTOOL_OPS(net, ðtool_ops); - SET_NETDEV_DEV(net, &dev->device); --- -1.7.11.7 - - -From 5f65eb80604e70df56b97008538069892bb81205 Mon Sep 17 00:00:00 2001 -From: Paolo Valente -Date: Tue, 16 Jul 2013 08:52:30 +0200 -Subject: [PATCH 36/40] pkt_sched: sch_qfq: remove a source of high packet - delay/jitter - -[ Upstream commit 87f40dd6ce7042caca0b3b557e8923127f51f902 ] - -QFQ+ inherits from QFQ a design choice that may cause a high packet -delay/jitter and a severe short-term unfairness. As QFQ, QFQ+ uses a -special quantity, the system virtual time, to track the service -provided by the ideal system it approximates. When a packet is -dequeued, this quantity must be incremented by the size of the packet, -divided by the sum of the weights of the aggregates waiting to be -served. Tracking this sum correctly is a non-trivial task, because, to -preserve tight service guarantees, the decrement of this sum must be -delayed in a special way [1]: this sum can be decremented only after -that its value would decrease also in the ideal system approximated by -QFQ+. For efficiency, QFQ+ keeps track only of the 'instantaneous' -weight sum, increased and decreased immediately as the weight of an -aggregate changes, and as an aggregate is created or destroyed (which, -in its turn, happens as a consequence of some class being -created/destroyed/changed). However, to avoid the problems caused to -service guarantees by these immediate decreases, QFQ+ increments the -system virtual time using the maximum value allowed for the weight -sum, 2^10, in place of the dynamic, instantaneous value. The -instantaneous value of the weight sum is used only to check whether a -request of weight increase or a class creation can be satisfied. - -Unfortunately, the problems caused by this choice are worse than the -temporary degradation of the service guarantees that may occur, when a -class is changed or destroyed, if the instantaneous value of the -weight sum was used to update the system virtual time. In fact, the -fraction of the link bandwidth guaranteed by QFQ+ to each aggregate is -equal to the ratio between the weight of the aggregate and the sum of -the weights of the competing aggregates. The packet delay guaranteed -to the aggregate is instead inversely proportional to the guaranteed -bandwidth. By using the maximum possible value, and not the actual -value of the weight sum, QFQ+ provides each aggregate with the worst -possible service guarantees, and not with service guarantees related -to the actual set of competing aggregates. To see the consequences of -this fact, consider the following simple example. - -Suppose that only the following aggregates are backlogged, i.e., that -only the classes in the following aggregates have packets to transmit: -one aggregate with weight 10, say A, and ten aggregates with weight 1, -say B1, B2, ..., B10. In particular, suppose that these aggregates are -always backlogged. Given the weight distribution, the smoothest and -fairest service order would be: -A B1 A B2 A B3 A B4 A B5 A B6 A B7 A B8 A B9 A B10 A B1 A B2 ... - -QFQ+ would provide exactly this optimal service if it used the actual -value for the weight sum instead of the maximum possible value, i.e., -11 instead of 2^10. In contrast, since QFQ+ uses the latter value, it -serves aggregates as follows (easy to prove and to reproduce -experimentally): -A B1 B2 B3 B4 B5 B6 B7 B8 B9 B10 A A A A A A A A A A B1 B2 ... B10 A A ... - -By replacing 10 with N in the above example, and by increasing N, one -can increase at will the maximum packet delay and the jitter -experienced by the classes in aggregate A. - -This patch addresses this issue by just using the above -'instantaneous' value of the weight sum, instead of the maximum -possible value, when updating the system virtual time. After the -instantaneous weight sum is decreased, QFQ+ may deviate from the ideal -service for a time interval in the order of the time to serve one -maximum-size packet for each backlogged class. The worst-case extent -of the deviation exhibited by QFQ+ during this time interval [1] is -basically the same as of the deviation described above (but, without -this patch, QFQ+ suffers from such a deviation all the time). Finally, -this patch modifies the comment to the function qfq_slot_insert, to -make it coherent with the fact that the weight sum used by QFQ+ can -now be lower than the maximum possible value. - -[1] P. Valente, "Extending WF2Q+ to support a dynamic traffic mix", -Proceedings of AAA-IDEA'05, June 2005. - -Signed-off-by: Paolo Valente -Signed-off-by: David S. Miller ---- - net/sched/sch_qfq.c | 85 +++++++++++++++++++++++++++++++++++------------------ - 1 file changed, 56 insertions(+), 29 deletions(-) - -diff --git a/net/sched/sch_qfq.c b/net/sched/sch_qfq.c -index d51852b..5792252 100644 ---- a/net/sched/sch_qfq.c -+++ b/net/sched/sch_qfq.c -@@ -113,7 +113,6 @@ - - #define FRAC_BITS 30 /* fixed point arithmetic */ - #define ONE_FP (1UL << FRAC_BITS) --#define IWSUM (ONE_FP/QFQ_MAX_WSUM) - - #define QFQ_MTU_SHIFT 16 /* to support TSO/GSO */ - #define QFQ_MIN_LMAX 512 /* see qfq_slot_insert */ -@@ -189,6 +188,7 @@ struct qfq_sched { - struct qfq_aggregate *in_serv_agg; /* Aggregate being served. */ - u32 num_active_agg; /* Num. of active aggregates */ - u32 wsum; /* weight sum */ -+ u32 iwsum; /* inverse weight sum */ - - unsigned long bitmaps[QFQ_MAX_STATE]; /* Group bitmaps. */ - struct qfq_group groups[QFQ_MAX_INDEX + 1]; /* The groups. */ -@@ -314,6 +314,7 @@ static void qfq_update_agg(struct qfq_sched *q, struct qfq_aggregate *agg, - - q->wsum += - (int) agg->class_weight * (new_num_classes - agg->num_classes); -+ q->iwsum = ONE_FP / q->wsum; - - agg->num_classes = new_num_classes; - } -@@ -340,6 +341,10 @@ static void qfq_destroy_agg(struct qfq_sched *q, struct qfq_aggregate *agg) - { - if (!hlist_unhashed(&agg->nonfull_next)) - hlist_del_init(&agg->nonfull_next); -+ q->wsum -= agg->class_weight; -+ if (q->wsum != 0) -+ q->iwsum = ONE_FP / q->wsum; -+ - if (q->in_serv_agg == agg) - q->in_serv_agg = qfq_choose_next_agg(q); - kfree(agg); -@@ -827,38 +832,60 @@ static void qfq_make_eligible(struct qfq_sched *q) - } - } - -- - /* -- * The index of the slot in which the aggregate is to be inserted must -- * not be higher than QFQ_MAX_SLOTS-2. There is a '-2' and not a '-1' -- * because the start time of the group may be moved backward by one -- * slot after the aggregate has been inserted, and this would cause -- * non-empty slots to be right-shifted by one position. -+ * The index of the slot in which the input aggregate agg is to be -+ * inserted must not be higher than QFQ_MAX_SLOTS-2. There is a '-2' -+ * and not a '-1' because the start time of the group may be moved -+ * backward by one slot after the aggregate has been inserted, and -+ * this would cause non-empty slots to be right-shifted by one -+ * position. -+ * -+ * QFQ+ fully satisfies this bound to the slot index if the parameters -+ * of the classes are not changed dynamically, and if QFQ+ never -+ * happens to postpone the service of agg unjustly, i.e., it never -+ * happens that the aggregate becomes backlogged and eligible, or just -+ * eligible, while an aggregate with a higher approximated finish time -+ * is being served. In particular, in this case QFQ+ guarantees that -+ * the timestamps of agg are low enough that the slot index is never -+ * higher than 2. Unfortunately, QFQ+ cannot provide the same -+ * guarantee if it happens to unjustly postpone the service of agg, or -+ * if the parameters of some class are changed. -+ * -+ * As for the first event, i.e., an out-of-order service, the -+ * upper bound to the slot index guaranteed by QFQ+ grows to -+ * 2 + -+ * QFQ_MAX_AGG_CLASSES * ((1<budget -= len; - -- q->V += (u64)len * IWSUM; -+ q->V += (u64)len * q->iwsum; - pr_debug("qfq dequeue: len %u F %lld now %lld\n", - len, (unsigned long long) in_serv_agg->F, - (unsigned long long) q->V); --- -1.7.11.7 - - -From 9055660d71ce3255b6e2f3ce0050ce722ac4e594 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Thu, 18 Jul 2013 10:55:15 +0800 -Subject: [PATCH 37/40] tuntap: do not zerocopy if iov needs more pages than - MAX_SKB_FRAGS - -[ Upstream commit 885291761dba2bfe04df4c0f7bb75e4c920ab82e ] - -We try to linearize part of the skb when the number of iov is greater than -MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than -one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest -network. - -Solve this problem by calculate the pages needed for iov before trying to do -zerocopy and switch to use copy instead of zerocopy if it needs more than -MAX_SKB_FRAGS. - -This is done through introducing a new helper to count the pages for iov, and -call uarg->callback() manually when switching from zerocopy to copy to notify -vhost. - -We can do further optimization on top. - -The bug were introduced from commit 0690899b4d4501b3505be069b9a687e68ccbe15b -(tun: experimental zero copy tx support) - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Signed-off-by: David S. Miller ---- - drivers/net/tun.c | 62 ++++++++++++++++++++++++++++++++++--------------------- - 1 file changed, 38 insertions(+), 24 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index c3cb60b..2491eb2 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -1037,6 +1037,29 @@ static int zerocopy_sg_from_iovec(struct sk_buff *skb, const struct iovec *from, - return 0; - } - -+static unsigned long iov_pages(const struct iovec *iv, int offset, -+ unsigned long nr_segs) -+{ -+ unsigned long seg, base; -+ int pages = 0, len, size; -+ -+ while (nr_segs && (offset >= iv->iov_len)) { -+ offset -= iv->iov_len; -+ ++iv; -+ --nr_segs; -+ } -+ -+ for (seg = 0; seg < nr_segs; seg++) { -+ base = (unsigned long)iv[seg].iov_base + offset; -+ len = iv[seg].iov_len - offset; -+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; -+ pages += size; -+ offset = 0; -+ } -+ -+ return pages; -+} -+ - /* Get packet from user space buffer */ - static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - void *msg_control, const struct iovec *iv, -@@ -1084,32 +1107,18 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - return -EINVAL; - } - -- if (msg_control) -- zerocopy = true; -- -- if (zerocopy) { -- /* Userspace may produce vectors with count greater than -- * MAX_SKB_FRAGS, so we need to linearize parts of the skb -- * to let the rest of data to be fit in the frags. -- */ -- if (count > MAX_SKB_FRAGS) { -- copylen = iov_length(iv, count - MAX_SKB_FRAGS); -- if (copylen < offset) -- copylen = 0; -- else -- copylen -= offset; -- } else -- copylen = 0; -- /* There are 256 bytes to be copied in skb, so there is enough -- * room for skb expand head in case it is used. -+ if (msg_control) { -+ /* There are 256 bytes to be copied in skb, so there is -+ * enough room for skb expand head in case it is used. - * The rest of the buffer is mapped from userspace. - */ -- if (copylen < gso.hdr_len) -- copylen = gso.hdr_len; -- if (!copylen) -- copylen = GOODCOPY_LEN; -+ copylen = gso.hdr_len ? gso.hdr_len : GOODCOPY_LEN; - linear = copylen; -- } else { -+ if (iov_pages(iv, offset + copylen, count) <= MAX_SKB_FRAGS) -+ zerocopy = true; -+ } -+ -+ if (!zerocopy) { - copylen = len; - linear = gso.hdr_len; - } -@@ -1123,8 +1132,13 @@ static ssize_t tun_get_user(struct tun_struct *tun, struct tun_file *tfile, - - if (zerocopy) - err = zerocopy_sg_from_iovec(skb, iv, offset, count); -- else -+ else { - err = skb_copy_datagram_from_iovec(skb, 0, iv, offset, len); -+ if (!err && msg_control) { -+ struct ubuf_info *uarg = msg_control; -+ uarg->callback(uarg, false); -+ } -+ } - - if (err) { - tun->dev->stats.rx_dropped++; --- -1.7.11.7 - - -From 8270a0a6bfec886971fdece9d4087d4f5e4f62b6 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Thu, 18 Jul 2013 10:55:16 +0800 -Subject: [PATCH 38/40] macvtap: do not zerocopy if iov needs more pages than - MAX_SKB_FRAGS - -[ Upstream commit ece793fcfc417b3925844be88a6a6dc82ae8f7c6 ] - -We try to linearize part of the skb when the number of iov is greater than -MAX_SKB_FRAGS. This is not enough since each single vector may occupy more than -one pages, so zerocopy_sg_fromiovec() may still fail and may break the guest -network. - -Solve this problem by calculate the pages needed for iov before trying to do -zerocopy and switch to use copy instead of zerocopy if it needs more than -MAX_SKB_FRAGS. - -This is done through introducing a new helper to count the pages for iov, and -call uarg->callback() manually when switching from zerocopy to copy to notify -vhost. - -We can do further optimization on top. - -This bug were introduced from b92946e2919134ebe2a4083e4302236295ea2a73 -(macvtap: zerocopy: validate vectors before building skb). - -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Signed-off-by: David S. Miller ---- - drivers/net/macvtap.c | 62 ++++++++++++++++++++++++++++++--------------------- - 1 file changed, 37 insertions(+), 25 deletions(-) - -diff --git a/drivers/net/macvtap.c b/drivers/net/macvtap.c -index 502d948..523d6b2 100644 ---- a/drivers/net/macvtap.c -+++ b/drivers/net/macvtap.c -@@ -633,6 +633,28 @@ static int macvtap_skb_to_vnet_hdr(const struct sk_buff *skb, - return 0; - } - -+static unsigned long iov_pages(const struct iovec *iv, int offset, -+ unsigned long nr_segs) -+{ -+ unsigned long seg, base; -+ int pages = 0, len, size; -+ -+ while (nr_segs && (offset >= iv->iov_len)) { -+ offset -= iv->iov_len; -+ ++iv; -+ --nr_segs; -+ } -+ -+ for (seg = 0; seg < nr_segs; seg++) { -+ base = (unsigned long)iv[seg].iov_base + offset; -+ len = iv[seg].iov_len - offset; -+ size = ((base & ~PAGE_MASK) + len + ~PAGE_MASK) >> PAGE_SHIFT; -+ pages += size; -+ offset = 0; -+ } -+ -+ return pages; -+} - - /* Get packet from user space buffer */ - static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, -@@ -679,31 +701,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - if (unlikely(count > UIO_MAXIOV)) - goto err; - -- if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) -- zerocopy = true; -- -- if (zerocopy) { -- /* Userspace may produce vectors with count greater than -- * MAX_SKB_FRAGS, so we need to linearize parts of the skb -- * to let the rest of data to be fit in the frags. -- */ -- if (count > MAX_SKB_FRAGS) { -- copylen = iov_length(iv, count - MAX_SKB_FRAGS); -- if (copylen < vnet_hdr_len) -- copylen = 0; -- else -- copylen -= vnet_hdr_len; -- } -- /* There are 256 bytes to be copied in skb, so there is enough -- * room for skb expand head in case it is used. -- * The rest buffer is mapped from userspace. -- */ -- if (copylen < vnet_hdr.hdr_len) -- copylen = vnet_hdr.hdr_len; -- if (!copylen) -- copylen = GOODCOPY_LEN; -+ if (m && m->msg_control && sock_flag(&q->sk, SOCK_ZEROCOPY)) { -+ copylen = vnet_hdr.hdr_len ? vnet_hdr.hdr_len : GOODCOPY_LEN; - linear = copylen; -- } else { -+ if (iov_pages(iv, vnet_hdr_len + copylen, count) -+ <= MAX_SKB_FRAGS) -+ zerocopy = true; -+ } -+ -+ if (!zerocopy) { - copylen = len; - linear = vnet_hdr.hdr_len; - } -@@ -715,9 +721,15 @@ static ssize_t macvtap_get_user(struct macvtap_queue *q, struct msghdr *m, - - if (zerocopy) - err = zerocopy_sg_from_iovec(skb, iv, vnet_hdr_len, count); -- else -+ else { - err = skb_copy_datagram_from_iovec(skb, 0, iv, vnet_hdr_len, - len); -+ if (!err && m && m->msg_control) { -+ struct ubuf_info *uarg = m->msg_control; -+ uarg->callback(uarg, false); -+ } -+ } -+ - if (err) - goto err_kfree; - --- -1.7.11.7 - - -From d001214123790aea1c3e77dd0b92136f0443a93a Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Thu, 18 Jul 2013 07:19:26 -0700 -Subject: [PATCH 39/40] vlan: mask vlan prio bits - -[ Upstream commit d4b812dea4a236f729526facf97df1a9d18e191c ] - -In commit 48cc32d38a52d0b68f91a171a8d00531edc6a46e -("vlan: don't deliver frames for unknown vlans to protocols") -Florian made sure we set pkt_type to PACKET_OTHERHOST -if the vlan id is set and we could find a vlan device for this -particular id. - -But we also have a problem if prio bits are set. - -Steinar reported an issue on a router receiving IPv6 frames with a -vlan tag of 4000 (id 0, prio 2), and tunneled into a sit device, -because skb->vlan_tci is set. - -Forwarded frame is completely corrupted : We can see (8100:4000) -being inserted in the middle of IPv6 source address : - -16:48:00.780413 IP6 2001:16d8:8100:4000:ee1c:0:9d9:bc87 > -9f94:4d95:2001:67c:29f4::: ICMP6, unknown icmp6 type (0), length 64 - 0x0000: 0000 0029 8000 c7c3 7103 0001 a0ae e651 - 0x0010: 0000 0000 ccce 0b00 0000 0000 1011 1213 - 0x0020: 1415 1617 1819 1a1b 1c1d 1e1f 2021 2223 - 0x0030: 2425 2627 2829 2a2b 2c2d 2e2f 3031 3233 - -It seems we are not really ready to properly cope with this right now. - -We can probably do better in future kernels : -vlan_get_ingress_priority() should be a netdev property instead of -a per vlan_dev one. - -For stable kernels, lets clear vlan_tci to fix the bugs. - -Reported-by: Steinar H. Gunderson -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - include/linux/if_vlan.h | 3 +-- - net/8021q/vlan_core.c | 2 +- - net/core/dev.c | 11 +++++++++-- - 3 files changed, 11 insertions(+), 5 deletions(-) - -diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h -index 637fa71d..0b34988 100644 ---- a/include/linux/if_vlan.h -+++ b/include/linux/if_vlan.h -@@ -79,9 +79,8 @@ static inline int is_vlan_dev(struct net_device *dev) - } - - #define vlan_tx_tag_present(__skb) ((__skb)->vlan_tci & VLAN_TAG_PRESENT) --#define vlan_tx_nonzero_tag_present(__skb) \ -- (vlan_tx_tag_present(__skb) && ((__skb)->vlan_tci & VLAN_VID_MASK)) - #define vlan_tx_tag_get(__skb) ((__skb)->vlan_tci & ~VLAN_TAG_PRESENT) -+#define vlan_tx_tag_get_id(__skb) ((__skb)->vlan_tci & VLAN_VID_MASK) - - #if defined(CONFIG_VLAN_8021Q) || defined(CONFIG_VLAN_8021Q_MODULE) - -diff --git a/net/8021q/vlan_core.c b/net/8021q/vlan_core.c -index 8a15eaa..4a78c4d 100644 ---- a/net/8021q/vlan_core.c -+++ b/net/8021q/vlan_core.c -@@ -9,7 +9,7 @@ bool vlan_do_receive(struct sk_buff **skbp) - { - struct sk_buff *skb = *skbp; - __be16 vlan_proto = skb->vlan_proto; -- u16 vlan_id = skb->vlan_tci & VLAN_VID_MASK; -+ u16 vlan_id = vlan_tx_tag_get_id(skb); - struct net_device *vlan_dev; - struct vlan_pcpu_stats *rx_stats; - -diff --git a/net/core/dev.c b/net/core/dev.c -index faebb39..7ddbb31 100644 ---- a/net/core/dev.c -+++ b/net/core/dev.c -@@ -3513,8 +3513,15 @@ ncls: - } - } - -- if (vlan_tx_nonzero_tag_present(skb)) -- skb->pkt_type = PACKET_OTHERHOST; -+ if (unlikely(vlan_tx_tag_present(skb))) { -+ if (vlan_tx_tag_get_id(skb)) -+ skb->pkt_type = PACKET_OTHERHOST; -+ /* Note: we might in the future use prio bits -+ * and set skb->priority like in vlan_do_receive() -+ * For the time being, just ignore Priority Code Point -+ */ -+ skb->vlan_tci = 0; -+ } - - /* deliver only exact match when indicated */ - null_or_dev = deliver_exact ? skb->dev : NULL; --- -1.7.11.7 - - -From d766645d1d1f64631ef50df36c47c37bded82051 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Thu, 18 Jul 2013 09:35:10 -0700 -Subject: [PATCH 40/40] vlan: fix a race in egress prio management - -[ Upstream commit 3e3aac497513c669e1c62c71e1d552ea85c1d974 ] - -egress_priority_map[] hash table updates are protected by rtnl, -and we never remove elements until device is dismantled. - -We have to make sure that before inserting an new element in hash table, -all its fields are committed to memory or else another cpu could -find corrupt values and crash. - -Signed-off-by: Eric Dumazet -Cc: Patrick McHardy -Signed-off-by: David S. Miller ---- - net/8021q/vlan_dev.c | 7 +++++++ - 1 file changed, 7 insertions(+) - -diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c -index 3a8c8fd..1cd3d2a 100644 ---- a/net/8021q/vlan_dev.c -+++ b/net/8021q/vlan_dev.c -@@ -73,6 +73,8 @@ vlan_dev_get_egress_qos_mask(struct net_device *dev, struct sk_buff *skb) - { - struct vlan_priority_tci_mapping *mp; - -+ smp_rmb(); /* coupled with smp_wmb() in vlan_dev_set_egress_priority() */ -+ - mp = vlan_dev_priv(dev)->egress_priority_map[(skb->priority & 0xF)]; - while (mp) { - if (mp->priority == skb->priority) { -@@ -249,6 +251,11 @@ int vlan_dev_set_egress_priority(const struct net_device *dev, - np->next = mp; - np->priority = skb_prio; - np->vlan_qos = vlan_qos; -+ /* Before inserting this element in hash table, make sure all its fields -+ * are committed to memory. -+ * coupled with smp_rmb() in vlan_dev_get_egress_qos_mask() -+ */ -+ smp_wmb(); - vlan->egress_priority_map[skb_prio & 0xF] = np; - if (vlan_qos) - vlan->nr_egress_mappings++; --- -1.7.11.7 - diff --git a/sources b/sources index 9619b65bb..a87e5a10a 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -2120557e0a6209d48d854ad0df9314e0 patch-3.10.3.xz +2e46ab138670b3171b52b849568cb42f patch-3.10.4.xz From 780b3202105049669ecf30aee20fad02a7b0f934 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 29 Jul 2013 08:41:29 -0400 Subject: [PATCH 174/468] Fix i915 suspend/resume regression in 3.10 (rhbz 989093) --- ...ly-restore-fences-with-objects-attac.patch | 113 ++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 120 insertions(+) create mode 100644 drm-i915-correctly-restore-fences-with-objects-attac.patch diff --git a/drm-i915-correctly-restore-fences-with-objects-attac.patch b/drm-i915-correctly-restore-fences-with-objects-attac.patch new file mode 100644 index 000000000..69bb93fa5 --- /dev/null +++ b/drm-i915-correctly-restore-fences-with-objects-attac.patch @@ -0,0 +1,113 @@ +From 94a335dba34ff47cad3d6d0c29b452d43a1be3c8 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Wed, 17 Jul 2013 14:51:28 +0200 +Subject: [PATCH] drm/i915: correctly restore fences with objects attached +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +To avoid stalls we delay tiling changes and especially hold of +committing the new fence state for as long as possible. +Synchronization points are in the execbuf code and in our gtt fault +handler. + +Unfortunately we've missed that tricky detail when adding proper fence +restore code in + +commit 19b2dbde5732170a03bd82cc8bd442cf88d856f7 +Author: Chris Wilson +Date: Wed Jun 12 10:15:12 2013 +0100 + + drm/i915: Restore fences after resume and GPU resets + +The result was that we've restored fences for objects with no tiling, +since the object<->fence link still existed after resume. Now that +wouldn't have been too bad since any subsequent access would have +fixed things up, but if we've changed from tiled to untiled real havoc +happened: + +The tiling stride is stored -1 in the fence register, so a stride of 0 +resulted in all 1s in the top 32bits, and so a completely bogus fence +spanning everything from the start of the object to the top of the +GTT. The tell-tale in the register dumps looks like: + + FENCE START 2: 0x0214d001 + FENCE END 2: 0xfffff3ff + +Bit 11 isn't set since the hw doesn't store it, even when writing all +1s (at least on my snb here). + +To prevent such a gaffle in the future add a sanity check for fences +with an untiled object attached in i915_gem_write_fence. + +v2: Fix the WARN, spotted by Chris. + +v3: Trying to reuse get_fences looked ugly and obfuscated the code. +Instead reuse update_fence and to make it really dtrt also move the +fence dirty state clearing into update_fence. + +Cc: Chris Wilson +Cc: Stéphane Marchesin +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=60530 +Cc: stable@vger.kernel.org (for 3.10 only) +Reviewed-by: Chris Wilson +Tested-by: Matthew Garrett +Tested-by: Björn Bidar +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/i915_gem.c | 18 ++++++++++++++++-- + 1 file changed, 16 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c +index 97afd26..d9e2208 100644 +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -2258,7 +2258,17 @@ void i915_gem_restore_fences(struct drm_device *dev) + + for (i = 0; i < dev_priv->num_fence_regs; i++) { + struct drm_i915_fence_reg *reg = &dev_priv->fence_regs[i]; +- i915_gem_write_fence(dev, i, reg->obj); ++ ++ /* ++ * Commit delayed tiling changes if we have an object still ++ * attached to the fence, otherwise just clear the fence. ++ */ ++ if (reg->obj) { ++ i915_gem_object_update_fence(reg->obj, reg, ++ reg->obj->tiling_mode); ++ } else { ++ i915_gem_write_fence(dev, i, NULL); ++ } + } + } + +@@ -2795,6 +2805,10 @@ static void i915_gem_write_fence(struct drm_device *dev, int reg, + if (i915_gem_object_needs_mb(dev_priv->fence_regs[reg].obj)) + mb(); + ++ WARN(obj && (!obj->stride || !obj->tiling_mode), ++ "bogus fence setup with stride: 0x%x, tiling mode: %i\n", ++ obj->stride, obj->tiling_mode); ++ + switch (INTEL_INFO(dev)->gen) { + case 7: + case 6: +@@ -2836,6 +2850,7 @@ static void i915_gem_object_update_fence(struct drm_i915_gem_object *obj, + fence->obj = NULL; + list_del_init(&fence->lru_list); + } ++ obj->fence_dirty = false; + } + + static int +@@ -2965,7 +2980,6 @@ i915_gem_object_get_fence(struct drm_i915_gem_object *obj) + return 0; + + i915_gem_object_update_fence(obj, reg, enable); +- obj->fence_dirty = false; + + return 0; + } +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 439a7e2ab..06510761c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -776,6 +776,9 @@ Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 969473 Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch +#rhbz 989093 +Patch25071: drm-i915-correctly-restore-fences-with-objects-attac.patch + # END OF PATCH DEFINITIONS %endif @@ -1500,6 +1503,9 @@ ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 969473 ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch +#rhbz 989093 +ApplyPatch drm-i915-correctly-restore-fences-with-objects-attac.patch + # END OF PATCH APPLICATIONS %endif @@ -2309,6 +2315,7 @@ fi %changelog * Mon Jul 29 2013 Josh Boyer +- Fix i915 suspend/resume regression in 3.10 (rhbz 989093) - Linux v3.10.4 - Add support for elantech v7 devices (rhbz 969473) From 9baeced0d2dd34b07badeac84c4ac6d53ab9bb67 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 30 Jul 2013 06:42:45 -0400 Subject: [PATCH 175/468] Revert some changes to make Logitech devices function properly (rhbz 989138) --- ...ech-dj-missing-Unifying-device-issue.patch | 172 ++++++++++++++++++ ...ch-dj-querying_devices-was-never-set.patch | 30 +++ kernel.spec | 11 ++ 3 files changed, 213 insertions(+) create mode 100644 HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch create mode 100644 HID-hid-logitech-dj-querying_devices-was-never-set.patch diff --git a/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch b/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch new file mode 100644 index 000000000..1c112ccde --- /dev/null +++ b/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch @@ -0,0 +1,172 @@ +From c63e0e370028d7e4033bd40165f18499872b5183 Mon Sep 17 00:00:00 2001 +From: Nestor Lopez Casado +Date: Thu, 18 Jul 2013 13:21:30 +0000 +Subject: HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" + +This reverts commit 8af6c08830b1ae114d1a8b548b1f8b056e068887. + +This patch re-adds the workaround introduced by 596264082f10dd4 +which was reverted by 8af6c08830b1ae114. + +The original patch 596264 was needed to overcome a situation where +the hid-core would drop incoming reports while probe() was being +executed. + +This issue was solved by c849a6143bec520af which added +hid_device_io_start() and hid_device_io_stop() that enable a specific +hid driver to opt-in for input reports while its probe() is being +executed. + +Commit a9dd22b730857347 modified hid-logitech-dj so as to use the +functionality added to hid-core. Having done that, workaround 596264 +was no longer necessary and was reverted by 8af6c08. + +We now encounter a different problem that ends up 'again' thwarting +the Unifying receiver enumeration. The problem is time and usb controller +dependent. Ocasionally the reports sent to the usb receiver to start +the paired devices enumeration fail with -EPIPE and the receiver never +gets to enumerate the paired devices. + +With dcd9006b1b053c7b1c the problem was "hidden" as the call to the usb +driver became asynchronous and none was catching the error from the +failing URB. + +As the root cause for this failing SET_REPORT is not understood yet, +-possibly a race on the usb controller drivers or a problem with the +Unifying receiver- reintroducing this workaround solves the problem. + +Overall what this workaround does is: If an input report from an +unknown device is received, then a (re)enumeration is performed. + +related bug: +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1194649 + +Signed-off-by: Nestor Lopez Casado +Signed-off-by: Jiri Kosina +--- +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index 5207591a..cd33084 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -192,6 +192,7 @@ static struct hid_ll_driver logi_dj_ll_driver; + static int logi_dj_output_hidraw_report(struct hid_device *hid, u8 * buf, + size_t count, + unsigned char report_type); ++static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev); + + static void logi_dj_recv_destroy_djhid_device(struct dj_receiver_dev *djrcv_dev, + struct dj_report *dj_report) +@@ -232,6 +233,7 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + if (dj_report->report_params[DEVICE_PAIRED_PARAM_SPFUNCTION] & + SPFUNCTION_DEVICE_LIST_EMPTY) { + dbg_hid("%s: device list is empty\n", __func__); ++ djrcv_dev->querying_devices = false; + return; + } + +@@ -242,6 +244,12 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, + return; + } + ++ if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { ++ /* The device is already known. No need to reallocate it. */ ++ dbg_hid("%s: device is already known\n", __func__); ++ return; ++ } ++ + dj_hiddev = hid_allocate_device(); + if (IS_ERR(dj_hiddev)) { + dev_err(&djrcv_hdev->dev, "%s: hid_allocate_device failed\n", +@@ -305,6 +313,7 @@ static void delayedwork_callback(struct work_struct *work) + struct dj_report dj_report; + unsigned long flags; + int count; ++ int retval; + + dbg_hid("%s\n", __func__); + +@@ -337,6 +346,25 @@ static void delayedwork_callback(struct work_struct *work) + logi_dj_recv_destroy_djhid_device(djrcv_dev, &dj_report); + break; + default: ++ /* A normal report (i. e. not belonging to a pair/unpair notification) ++ * arriving here, means that the report arrived but we did not have a ++ * paired dj_device associated to the report's device_index, this ++ * means that the original "device paired" notification corresponding ++ * to this dj_device never arrived to this driver. The reason is that ++ * hid-core discards all packets coming from a device while probe() is ++ * executing. */ ++ if (!djrcv_dev->paired_dj_devices[dj_report.device_index]) { ++ /* ok, we don't know the device, just re-ask the ++ * receiver for the list of connected devices. */ ++ retval = logi_dj_recv_query_paired_devices(djrcv_dev); ++ if (!retval) { ++ /* everything went fine, so just leave */ ++ break; ++ } ++ dev_err(&djrcv_dev->hdev->dev, ++ "%s:logi_dj_recv_query_paired_devices " ++ "error:%d\n", __func__, retval); ++ } + dbg_hid("%s: unexpected report type\n", __func__); + } + } +@@ -367,6 +395,12 @@ static void logi_dj_recv_forward_null_report(struct dj_receiver_dev *djrcv_dev, + if (!djdev) { + dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]" + " is NULL, index %d\n", dj_report->device_index); ++ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report)); ++ ++ if (schedule_work(&djrcv_dev->work) == 0) { ++ dbg_hid("%s: did not schedule the work item, was already " ++ "queued\n", __func__); ++ } + return; + } + +@@ -397,6 +431,12 @@ static void logi_dj_recv_forward_report(struct dj_receiver_dev *djrcv_dev, + if (dj_device == NULL) { + dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]" + " is NULL, index %d\n", dj_report->device_index); ++ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report)); ++ ++ if (schedule_work(&djrcv_dev->work) == 0) { ++ dbg_hid("%s: did not schedule the work item, was already " ++ "queued\n", __func__); ++ } + return; + } + +@@ -444,6 +484,10 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) + struct dj_report *dj_report; + int retval; + ++ /* no need to protect djrcv_dev->querying_devices */ ++ if (djrcv_dev->querying_devices) ++ return 0; ++ + dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL); + if (!dj_report) + return -ENOMEM; +@@ -455,6 +499,7 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) + return retval; + } + ++ + static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev, + unsigned timeout) + { +diff --git a/drivers/hid/hid-logitech-dj.h b/drivers/hid/hid-logitech-dj.h +index fd28a5e..4a40003 100644 +--- a/drivers/hid/hid-logitech-dj.h ++++ b/drivers/hid/hid-logitech-dj.h +@@ -101,6 +101,7 @@ struct dj_receiver_dev { + struct work_struct work; + struct kfifo notif_fifo; + spinlock_t lock; ++ bool querying_devices; + }; + + struct dj_device { +-- +cgit v0.9.2 diff --git a/HID-hid-logitech-dj-querying_devices-was-never-set.patch b/HID-hid-logitech-dj-querying_devices-was-never-set.patch new file mode 100644 index 000000000..0c79b6a5b --- /dev/null +++ b/HID-hid-logitech-dj-querying_devices-was-never-set.patch @@ -0,0 +1,30 @@ +From 407a2c2a4d85100c8c67953e4bac2f4a6c942335 Mon Sep 17 00:00:00 2001 +From: Nestor Lopez Casado +Date: Thu, 18 Jul 2013 13:21:31 +0000 +Subject: HID: hid-logitech-dj: querying_devices was never set + +Set querying_devices flag to true when we start the enumeration +process. + +This was missing from the original patch. It never produced +undesirable effects as it is highly improbable to have a second +enumeration triggered while a first one was still in progress. + +Signed-off-by: Nestor Lopez Casado +Signed-off-by: Jiri Kosina +--- +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index cd33084..7a57648 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -488,6 +488,8 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) + if (djrcv_dev->querying_devices) + return 0; + ++ djrcv_dev->querying_devices = true; ++ + dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL); + if (!dj_report) + return -ENOMEM; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 06510761c..ca9440c88 100644 --- a/kernel.spec +++ b/kernel.spec @@ -779,6 +779,10 @@ Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 989093 Patch25071: drm-i915-correctly-restore-fences-with-objects-attac.patch +#rhbz 989138 +Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch +Patch25073: HID-hid-logitech-dj-querying_devices-was-never-set.patch + # END OF PATCH DEFINITIONS %endif @@ -1506,6 +1510,10 @@ ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 989093 ApplyPatch drm-i915-correctly-restore-fences-with-objects-attac.patch +#rhbz 989138 +ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch +ApplyPatch HID-hid-logitech-dj-querying_devices-was-never-set.patch + # END OF PATCH APPLICATIONS %endif @@ -2314,6 +2322,9 @@ fi # and build. %changelog +* Tue Jul 30 2013 Josh Boyer +- Revert some changes to make Logitech devices function properly (rhbz 989138) + * Mon Jul 29 2013 Josh Boyer - Fix i915 suspend/resume regression in 3.10 (rhbz 989093) - Linux v3.10.4 From 877787e884f88d9a60b9bdf2b2553479e14742cd Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 30 Jul 2013 07:13:56 -0400 Subject: [PATCH 176/468] Add verrel for build --- kernel.spec | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index ca9440c88..03940f0af 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2322,7 +2322,7 @@ fi # and build. %changelog -* Tue Jul 30 2013 Josh Boyer +* Tue Jul 30 2013 Josh Boyer - 3.10.4-300 - Revert some changes to make Logitech devices function properly (rhbz 989138) * Mon Jul 29 2013 Josh Boyer From 22aa2b2ba7c8a203f8a3983af96bb840c956bdb3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Wed, 17 Jul 2013 16:32:42 -0400 Subject: [PATCH 177/468] update s390x config - disable various drivers not relevant for s390x - enable kdump support --- config-s390x | 36 +++++++++++++++++++++++++++++++----- kernel.spec | 3 +++ 2 files changed, 34 insertions(+), 5 deletions(-) diff --git a/config-s390x b/config-s390x index 9ab57f8aa..ec4fd04e5 100644 --- a/config-s390x +++ b/config-s390x @@ -38,6 +38,7 @@ CONFIG_CMM=m CONFIG_CMM_PROC=y # CONFIG_NETIUCV is not set CONFIG_SMSGIUCV=m +CONFIG_CRASH_DUMP=y # # SCSI low-level drivers @@ -250,21 +251,35 @@ CONFIG_SCM_BLOCK=m CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_S390_PTDUMP is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set -CONFIG_PCI_NR_FUNCTIONS=64 -CONFIG_HOTPLUG_PCI=m -# CONFIG_HOTPLUG_PCI_CPCI is not set -# CONFIG_HOTPLUG_PCI_SHPC is not set -CONFIG_HOTPLUG_PCI_S390=m +# CONFIG_PCI is not set # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_SGI_IOC4 is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_MCP23S08 is not set +# CONFIG_NEW_LEDS is not set +# CONFIG_HID is not set + +# CONFIG_INPUT is not set +# CONFIG_INPUT_JOYDEV is not set +# CONFIG_INPUT_KEYBOARD is not set +# CONFIG_INPUT_MOUSE is not set +# CONFIG_INPUT_JOYSTICK is not set +# CONFIG_INPUT_TABLET is not set +# CONFIG_INPUT_TOUCHSCREEN is not set +# CONFIG_INPUT_MISC is not set + +# CONFIG_ACCESSIBILITY is not set +# CONFIG_AUXDISPLAY is not set +# CONFIG_POWER_SUPPLY is not set +# CONFIG_STAGING is not set +# CONFIG_MEMSTICK is not set # CONFIG_MEDIA_SUPPORT is not set # CONFIG_USB_SUPPORT is not set # CONFIG_DRM is not set # CONFIG_SOUND is not set # CONFIG_DW_DMAC is not set +# CONFIG_I2C is not set # CONFIG_I2C_SMBUS is not set # CONFIG_I2C_STUB is not set # CONFIG_I2C_HELPER_AUTO is not set @@ -272,3 +287,14 @@ CONFIG_HOTPLUG_PCI_S390=m # CONFIG_I2C_PARPORT_LIGHT is not set # CONFIG_I2C_NFORCE2 is not set +# CONFIG_PHYLIB is not set +# CONFIG_ATM_DRIVERS is not set +# CONFIG_NET_VENDOR_ARC is not set +# CONFIG_NET_VENDOR_INTEL is not set +# CONFIG_NET_VENDOR_MARVELL is not set +# CONFIG_NET_VENDOR_NATSEMI is not set +# CONFIG_SH_ETH is not set +# CONFIG_NET_VENDOR_VIA is not set +# CONFIG_IEEE802154_DRIVERS is not set + +# CONFIG_FMC is not set diff --git a/kernel.spec b/kernel.spec index 03940f0af..5197c9eb4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2322,6 +2322,9 @@ fi # and build. %changelog +* Wed Jul 31 2013 Josh Boyer +- update s390x config [Dan Horák] + * Tue Jul 30 2013 Josh Boyer - 3.10.4-300 - Revert some changes to make Logitech devices function properly (rhbz 989138) From 60007af702b726bced8095649b80e4bf1c938200 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 1 Aug 2013 08:22:52 -0400 Subject: [PATCH 178/468] Drop hid-logitech-dj patch that was breaking enumeration (rhbz 989138) --- ...ch-dj-querying_devices-was-never-set.patch | 30 ------------------- kernel.spec | 7 +++-- 2 files changed, 4 insertions(+), 33 deletions(-) delete mode 100644 HID-hid-logitech-dj-querying_devices-was-never-set.patch diff --git a/HID-hid-logitech-dj-querying_devices-was-never-set.patch b/HID-hid-logitech-dj-querying_devices-was-never-set.patch deleted file mode 100644 index 0c79b6a5b..000000000 --- a/HID-hid-logitech-dj-querying_devices-was-never-set.patch +++ /dev/null @@ -1,30 +0,0 @@ -From 407a2c2a4d85100c8c67953e4bac2f4a6c942335 Mon Sep 17 00:00:00 2001 -From: Nestor Lopez Casado -Date: Thu, 18 Jul 2013 13:21:31 +0000 -Subject: HID: hid-logitech-dj: querying_devices was never set - -Set querying_devices flag to true when we start the enumeration -process. - -This was missing from the original patch. It never produced -undesirable effects as it is highly improbable to have a second -enumeration triggered while a first one was still in progress. - -Signed-off-by: Nestor Lopez Casado -Signed-off-by: Jiri Kosina ---- -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index cd33084..7a57648 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -488,6 +488,8 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) - if (djrcv_dev->querying_devices) - return 0; - -+ djrcv_dev->querying_devices = true; -+ - dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL); - if (!dj_report) - return -ENOMEM; --- -cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 5197c9eb4..bf12965db 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 300 +%global baserelease 301 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -781,7 +781,6 @@ Patch25071: drm-i915-correctly-restore-fences-with-objects-attac.patch #rhbz 989138 Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch -Patch25073: HID-hid-logitech-dj-querying_devices-was-never-set.patch # END OF PATCH DEFINITIONS @@ -1512,7 +1511,6 @@ ApplyPatch drm-i915-correctly-restore-fences-with-objects-attac.patch #rhbz 989138 ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch -ApplyPatch HID-hid-logitech-dj-querying_devices-was-never-set.patch # END OF PATCH APPLICATIONS @@ -2322,6 +2320,9 @@ fi # and build. %changelog +* Thu Aug 01 2013 Josh Boyer +- Drop hid-logitech-dj patch that was breaking enumeration (rhbz 989138) + * Wed Jul 31 2013 Josh Boyer - update s390x config [Dan Horák] From b1910f005883d71d591cc65353467b027e2c5d95 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 1 Aug 2013 08:34:36 -0400 Subject: [PATCH 179/468] Fix firmware issues with iwl4965 and rfkill (rhbz 977053) --- iwl4965-reset-firmware-after-rfkill-off.patch | 56 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 63 insertions(+) create mode 100644 iwl4965-reset-firmware-after-rfkill-off.patch diff --git a/iwl4965-reset-firmware-after-rfkill-off.patch b/iwl4965-reset-firmware-after-rfkill-off.patch new file mode 100644 index 000000000..08b360d10 --- /dev/null +++ b/iwl4965-reset-firmware-after-rfkill-off.patch @@ -0,0 +1,56 @@ +Using rfkill switch can make firmware unstable, what cause various +Microcode errors and kernel warnings. Reseting firmware just after +rfkill off (radio on) helped with that. + +Resolve: +https://bugzilla.redhat.com/show_bug.cgi?id=977053 + +Reported-and-tested-by: Justin Pearce +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/iwlegacy/4965-mac.c | 10 +++++----- + drivers/net/wireless/iwlegacy/common.c | 1 + + 2 files changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c +index f0b7794..f2ed62e 100644 +--- a/drivers/net/wireless/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/iwlegacy/4965-mac.c +@@ -4460,12 +4460,12 @@ il4965_irq_tasklet(struct il_priv *il) + * is killed. Hence update the killswitch state here. The + * rfkill handler will care about restarting if needed. + */ +- if (!test_bit(S_ALIVE, &il->status)) { +- if (hw_rf_kill) +- set_bit(S_RFKILL, &il->status); +- else +- clear_bit(S_RFKILL, &il->status); ++ if (hw_rf_kill) { ++ set_bit(S_RFKILL, &il->status); ++ } else { ++ clear_bit(S_RFKILL, &il->status); + wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill); ++ il_force_reset(il, true); + } + + handled |= CSR_INT_BIT_RF_KILL; +diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c +index 3195aad..b03e22e 100644 +--- a/drivers/net/wireless/iwlegacy/common.c ++++ b/drivers/net/wireless/iwlegacy/common.c +@@ -4660,6 +4660,7 @@ il_force_reset(struct il_priv *il, bool external) + + return 0; + } ++EXPORT_SYMBOL(il_force_reset); + + int + il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif, +-- +1.7.11.7 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index bf12965db..b24e6d4d7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -782,6 +782,9 @@ Patch25071: drm-i915-correctly-restore-fences-with-objects-attac.patch #rhbz 989138 Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch +#rhbz 977053 +Patch25073: iwl4965-reset-firmware-after-rfkill-off.patch + # END OF PATCH DEFINITIONS %endif @@ -1512,6 +1515,9 @@ ApplyPatch drm-i915-correctly-restore-fences-with-objects-attac.patch #rhbz 989138 ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch +#rhbz 977053 +ApplyPatch iwl4965-reset-firmware-after-rfkill-off.patch + # END OF PATCH APPLICATIONS %endif @@ -2321,6 +2327,7 @@ fi %changelog * Thu Aug 01 2013 Josh Boyer +- Fix firmware issues with iwl4965 and rfkill (rhbz 977053) - Drop hid-logitech-dj patch that was breaking enumeration (rhbz 989138) * Wed Jul 31 2013 Josh Boyer From ca72d3df4fc04c69bcc085c46a37f4ca440f2c04 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 1 Aug 2013 08:49:55 -0400 Subject: [PATCH 180/468] Fix mac80211 connection issues (rhbz 981445) --- kernel.spec | 11 ++ ...ng-disabled-channels-while-connected.patch | 43 +++++++ ...loop-in-ieee80211_determine_chantype.patch | 32 +++++ ...e-HT-primary-channel-while-connected.patch | 121 ++++++++++++++++++ 4 files changed, 207 insertions(+) create mode 100644 mac80211-continue-using-disabled-channels-while-connected.patch create mode 100644 mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch create mode 100644 mac80211-ignore-HT-primary-channel-while-connected.patch diff --git a/kernel.spec b/kernel.spec index b24e6d4d7..962b8ab84 100644 --- a/kernel.spec +++ b/kernel.spec @@ -785,6 +785,11 @@ Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue. #rhbz 977053 Patch25073: iwl4965-reset-firmware-after-rfkill-off.patch +#rhbz 981445 +Patch25074: mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch +Patch25075: mac80211-ignore-HT-primary-channel-while-connected.patch +Patch25076: mac80211-continue-using-disabled-channels-while-connected.patch + # END OF PATCH DEFINITIONS %endif @@ -1518,6 +1523,11 @@ ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.p #rhbz 977053 ApplyPatch iwl4965-reset-firmware-after-rfkill-off.patch +#rhbz 981445 +ApplyPatch mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch +ApplyPatch mac80211-ignore-HT-primary-channel-while-connected.patch +ApplyPatch mac80211-continue-using-disabled-channels-while-connected.patch + # END OF PATCH APPLICATIONS %endif @@ -2327,6 +2337,7 @@ fi %changelog * Thu Aug 01 2013 Josh Boyer +- Fix mac80211 connection issues (rhbz 981445) - Fix firmware issues with iwl4965 and rfkill (rhbz 977053) - Drop hid-logitech-dj patch that was breaking enumeration (rhbz 989138) diff --git a/mac80211-continue-using-disabled-channels-while-connected.patch b/mac80211-continue-using-disabled-channels-while-connected.patch new file mode 100644 index 000000000..91dd1d7db --- /dev/null +++ b/mac80211-continue-using-disabled-channels-while-connected.patch @@ -0,0 +1,43 @@ +From ddfe49b42d8ad4bfdf92d63d4a74f162660d878d Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 31 Jul 2013 18:52:03 +0000 +Subject: mac80211: continue using disabled channels while connected + +In case the AP has different regulatory information than we do, +it can happen that we connect to an AP based on e.g. the world +roaming regulatory data, and then update our database with the +AP's country information disables the channel the AP is using. +If this happens on an HT AP, the bandwidth tracking code will +hit the WARN_ON() and disconnect. Since that's not very useful, +ignore the channel-disable flag in bandwidth tracking. + +Cc: stable@vger.kernel.org +Reported-by: Chris Wright +Tested-by: Chris Wright +Signed-off-by: Johannes Berg +--- +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 077a953..cc9e02d 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -335,8 +335,17 @@ out: + if (ret & IEEE80211_STA_DISABLE_VHT) + vht_chandef = *chandef; + ++ /* ++ * Ignore the DISABLED flag when we're already connected and only ++ * tracking the APs beacon for bandwidth changes - otherwise we ++ * might get disconnected here if we connect to an AP, update our ++ * regulatory information based on the AP's country IE and the ++ * information we have is wrong/outdated and disables the channel ++ * that we're actually using for the connection to the AP. ++ */ + while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef, +- IEEE80211_CHAN_DISABLED)) { ++ tracking ? 0 : ++ IEEE80211_CHAN_DISABLED)) { + if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { + ret = IEEE80211_STA_DISABLE_HT | + IEEE80211_STA_DISABLE_VHT; +-- +cgit v0.9.2 diff --git a/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch b/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch new file mode 100644 index 000000000..49115f969 --- /dev/null +++ b/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch @@ -0,0 +1,32 @@ +From b56e4b857c5210e848bfb80e074e5756a36cd523 Mon Sep 17 00:00:00 2001 +From: Chris Wright +Date: Wed, 31 Jul 2013 19:12:24 +0000 +Subject: mac80211: fix infinite loop in ieee80211_determine_chantype + +Commit "3d9646d mac80211: fix channel selection bug" introduced a possible +infinite loop by moving the out target above the chandef_downgrade +while loop. When we downgrade to NL80211_CHAN_WIDTH_20_NOHT, we jump +back up to re-run the while loop...indefinitely. Replace goto with +break and carry on. This may not be sufficient to connect to the AP, +but will at least keep the cpu from livelocking. Thanks to Derek Atkins +as an extra pair of debugging eyes. + +Cc: stable@kernel.org +Signed-off-by: Chris Wright +Signed-off-by: Johannes Berg +--- +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index ae31968..e3e7d2b 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -338,7 +338,7 @@ out: + if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { + ret = IEEE80211_STA_DISABLE_HT | + IEEE80211_STA_DISABLE_VHT; +- goto out; ++ break; + } + + ret |= chandef_downgrade(chandef); +-- +cgit v0.9.2 diff --git a/mac80211-ignore-HT-primary-channel-while-connected.patch b/mac80211-ignore-HT-primary-channel-while-connected.patch new file mode 100644 index 000000000..ba5d2a478 --- /dev/null +++ b/mac80211-ignore-HT-primary-channel-while-connected.patch @@ -0,0 +1,121 @@ +From 5cdaed1e878d723d56d04ae0be1738124acf9f46 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Wed, 31 Jul 2013 09:23:06 +0000 +Subject: mac80211: ignore HT primary channel while connected + +While we're connected, the AP shouldn't change the primary channel +in the HT information. We checked this, and dropped the connection +if it did change it. + +Unfortunately, this is causing problems on some APs, e.g. on the +Netgear WRT610NL: the beacons seem to always contain a bad channel +and if we made a connection using a probe response (correct data) +we drop the connection immediately and can basically not connect +properly at all. + +Work around this by ignoring the HT primary channel information in +beacons if we're already connected. + +Also print out more verbose messages in the other situations to +help diagnose similar bugs quicker in the future. + +Cc: stable@vger.kernel.org [3.10] +Acked-by: Andy Isaacson +Signed-off-by: Johannes Berg +--- +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index e5c3cf4..077a953 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -211,8 +211,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + struct ieee80211_channel *channel, + const struct ieee80211_ht_operation *ht_oper, + const struct ieee80211_vht_operation *vht_oper, +- struct cfg80211_chan_def *chandef, bool verbose) ++ struct cfg80211_chan_def *chandef, bool tracking) + { ++ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + struct cfg80211_chan_def vht_chandef; + u32 ht_cfreq, ret; + +@@ -231,7 +232,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan, + channel->band); + /* check that channel matches the right operating channel */ +- if (channel->center_freq != ht_cfreq) { ++ if (!tracking && channel->center_freq != ht_cfreq) { + /* + * It's possible that some APs are confused here; + * Netgear WNDR3700 sometimes reports 4 higher than +@@ -239,11 +240,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + * since we look at probe response/beacon data here + * it should be OK. + */ +- if (verbose) +- sdata_info(sdata, +- "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", +- channel->center_freq, ht_cfreq, +- ht_oper->primary_chan, channel->band); ++ sdata_info(sdata, ++ "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", ++ channel->center_freq, ht_cfreq, ++ ht_oper->primary_chan, channel->band); + ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT; + goto out; + } +@@ -297,7 +297,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + channel->band); + break; + default: +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT operation IE has invalid channel width (%d), disable VHT\n", + vht_oper->chan_width); +@@ -306,7 +306,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + } + + if (!cfg80211_chandef_valid(&vht_chandef)) { +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT information is invalid, disable VHT\n"); + ret = IEEE80211_STA_DISABLE_VHT; +@@ -319,7 +319,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, + } + + if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) { +- if (verbose) ++ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) + sdata_info(sdata, + "AP VHT information doesn't match HT, disable VHT\n"); + ret = IEEE80211_STA_DISABLE_VHT; +@@ -346,7 +346,7 @@ out: + ret |= chandef_downgrade(chandef); + } + +- if (chandef->width != vht_chandef.width && verbose) ++ if (chandef->width != vht_chandef.width && !tracking) + sdata_info(sdata, + "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n"); + +@@ -386,7 +386,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata, + + /* calculate new channel (type) based on HT/VHT operation IEs */ + flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper, +- vht_oper, &chandef, false); ++ vht_oper, &chandef, true); + + /* + * Downgrade the new channel if we associated with restricted +@@ -3838,7 +3838,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata, + ifmgd->flags |= ieee80211_determine_chantype(sdata, sband, + cbss->channel, + ht_oper, vht_oper, +- &chandef, true); ++ &chandef, false); + + sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss), + local->rx_chains); +-- +cgit v0.9.2 From 849a6739138df5c35251202be4725ad2cbd7fddb Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 5 Aug 2013 09:29:53 -0500 Subject: [PATCH 181/468] Linux v3.10.5 --- ...ly-restore-fences-with-objects-attac.patch | 113 ------------------ kernel.spec | 19 +-- sources | 1 + ...k-device-permissions-before-allowing.patch | 54 --------- 4 files changed, 6 insertions(+), 181 deletions(-) delete mode 100644 drm-i915-correctly-restore-fences-with-objects-attac.patch delete mode 100644 xen-blkback-Check-device-permissions-before-allowing.patch diff --git a/drm-i915-correctly-restore-fences-with-objects-attac.patch b/drm-i915-correctly-restore-fences-with-objects-attac.patch deleted file mode 100644 index 69bb93fa5..000000000 --- a/drm-i915-correctly-restore-fences-with-objects-attac.patch +++ /dev/null @@ -1,113 +0,0 @@ -From 94a335dba34ff47cad3d6d0c29b452d43a1be3c8 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Wed, 17 Jul 2013 14:51:28 +0200 -Subject: [PATCH] drm/i915: correctly restore fences with objects attached -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -To avoid stalls we delay tiling changes and especially hold of -committing the new fence state for as long as possible. -Synchronization points are in the execbuf code and in our gtt fault -handler. - -Unfortunately we've missed that tricky detail when adding proper fence -restore code in - -commit 19b2dbde5732170a03bd82cc8bd442cf88d856f7 -Author: Chris Wilson -Date: Wed Jun 12 10:15:12 2013 +0100 - - drm/i915: Restore fences after resume and GPU resets - -The result was that we've restored fences for objects with no tiling, -since the object<->fence link still existed after resume. Now that -wouldn't have been too bad since any subsequent access would have -fixed things up, but if we've changed from tiled to untiled real havoc -happened: - -The tiling stride is stored -1 in the fence register, so a stride of 0 -resulted in all 1s in the top 32bits, and so a completely bogus fence -spanning everything from the start of the object to the top of the -GTT. The tell-tale in the register dumps looks like: - - FENCE START 2: 0x0214d001 - FENCE END 2: 0xfffff3ff - -Bit 11 isn't set since the hw doesn't store it, even when writing all -1s (at least on my snb here). - -To prevent such a gaffle in the future add a sanity check for fences -with an untiled object attached in i915_gem_write_fence. - -v2: Fix the WARN, spotted by Chris. - -v3: Trying to reuse get_fences looked ugly and obfuscated the code. -Instead reuse update_fence and to make it really dtrt also move the -fence dirty state clearing into update_fence. - -Cc: Chris Wilson -Cc: Stéphane Marchesin -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=60530 -Cc: stable@vger.kernel.org (for 3.10 only) -Reviewed-by: Chris Wilson -Tested-by: Matthew Garrett -Tested-by: Björn Bidar -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/i915_gem.c | 18 ++++++++++++++++-- - 1 file changed, 16 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/i915/i915_gem.c b/drivers/gpu/drm/i915/i915_gem.c -index 97afd26..d9e2208 100644 ---- a/drivers/gpu/drm/i915/i915_gem.c -+++ b/drivers/gpu/drm/i915/i915_gem.c -@@ -2258,7 +2258,17 @@ void i915_gem_restore_fences(struct drm_device *dev) - - for (i = 0; i < dev_priv->num_fence_regs; i++) { - struct drm_i915_fence_reg *reg = &dev_priv->fence_regs[i]; -- i915_gem_write_fence(dev, i, reg->obj); -+ -+ /* -+ * Commit delayed tiling changes if we have an object still -+ * attached to the fence, otherwise just clear the fence. -+ */ -+ if (reg->obj) { -+ i915_gem_object_update_fence(reg->obj, reg, -+ reg->obj->tiling_mode); -+ } else { -+ i915_gem_write_fence(dev, i, NULL); -+ } - } - } - -@@ -2795,6 +2805,10 @@ static void i915_gem_write_fence(struct drm_device *dev, int reg, - if (i915_gem_object_needs_mb(dev_priv->fence_regs[reg].obj)) - mb(); - -+ WARN(obj && (!obj->stride || !obj->tiling_mode), -+ "bogus fence setup with stride: 0x%x, tiling mode: %i\n", -+ obj->stride, obj->tiling_mode); -+ - switch (INTEL_INFO(dev)->gen) { - case 7: - case 6: -@@ -2836,6 +2850,7 @@ static void i915_gem_object_update_fence(struct drm_i915_gem_object *obj, - fence->obj = NULL; - list_del_init(&fence->lru_list); - } -+ obj->fence_dirty = false; - } - - static int -@@ -2965,7 +2980,6 @@ i915_gem_object_get_fence(struct drm_i915_gem_object *obj) - return 0; - - i915_gem_object_update_fence(obj, reg, enable); -- obj->fence_dirty = false; - - return 0; - } --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index 962b8ab84..957fd7982 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 301 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -730,9 +730,6 @@ Patch23006: fix-child-thread-introspection.patch #rhbz 948262 Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2140 rhbz 971146 971148 -Patch25031: xen-blkback-Check-device-permissions-before-allowing.patch - #CVE-2013-2147 rhbz 971242 971249 Patch25032: cve-2013-2147-ciss-info-leak.patch @@ -776,9 +773,6 @@ Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 969473 Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch -#rhbz 989093 -Patch25071: drm-i915-correctly-restore-fences-with-objects-attac.patch - #rhbz 989138 Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch @@ -1468,9 +1462,6 @@ ApplyPatch fix-child-thread-introspection.patch #rhbz 948262 ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch -#CVE-2013-2140 rhbz 971146 971148 -ApplyPatch xen-blkback-Check-device-permissions-before-allowing.patch - #CVE-2013-2147 rhbz 971242 971249 ApplyPatch cve-2013-2147-ciss-info-leak.patch @@ -1514,9 +1505,6 @@ ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch #rhbz 969473 ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch -#rhbz 989093 -ApplyPatch drm-i915-correctly-restore-fences-with-objects-attac.patch - #rhbz 989138 ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch @@ -2336,6 +2324,9 @@ fi # and build. %changelog +* Mon Aug 04 2013 Justin M. Forbes +- Linux v3.10.5 + * Thu Aug 01 2013 Josh Boyer - Fix mac80211 connection issues (rhbz 981445) - Fix firmware issues with iwl4965 and rfkill (rhbz 977053) diff --git a/sources b/sources index a87e5a10a..f0c5c03a6 100644 --- a/sources +++ b/sources @@ -1,2 +1,3 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz 2e46ab138670b3171b52b849568cb42f patch-3.10.4.xz +6366a8d4b0429ab6836c296ba298fb0e patch-3.10.5.xz diff --git a/xen-blkback-Check-device-permissions-before-allowing.patch b/xen-blkback-Check-device-permissions-before-allowing.patch deleted file mode 100644 index 933e82890..000000000 --- a/xen-blkback-Check-device-permissions-before-allowing.patch +++ /dev/null @@ -1,54 +0,0 @@ -From e029d62efa5eb46831a9e1414468e582379b743f Mon Sep 17 00:00:00 2001 -From: Konrad Rzeszutek Wilk -Date: Wed, 16 Jan 2013 11:33:52 -0500 -Subject: [PATCH] xen/blkback: Check device permissions before allowing - OP_DISCARD - -We need to make sure that the device is not RO or that -the request is not past the number of sectors we want to -issue the DISCARD operation for. - -Cc: stable () vger kernel org -Acked-by: Jan Beulich -Acked-by: Ian Campbell -[v1: Made it pr_warn instead of pr_debug] -Signed-off-by: Konrad Rzeszutek Wilk ---- - drivers/block/xen-blkback/blkback.c | 13 ++++++++++++- - 1 file changed, 12 insertions(+), 1 deletion(-) - -diff --git a/drivers/block/xen-blkback/blkback.c b/drivers/block/xen-blkback/blkback.c -index e79ab45..4119bcd 100644 ---- a/drivers/block/xen-blkback/blkback.c -+++ b/drivers/block/xen-blkback/blkback.c -@@ -876,7 +876,18 @@ static int dispatch_discard_io(struct xen_blkif *blkif, - int status = BLKIF_RSP_OKAY; - struct block_device *bdev = blkif->vbd.bdev; - unsigned long secure; -+ struct phys_req preq; -+ -+ preq.sector_number = req->u.discard.sector_number; -+ preq.nr_sects = req->u.discard.nr_sectors; - -+ err = xen_vbd_translate(&preq, blkif, WRITE); -+ if (err) { -+ pr_warn(DRV_PFX "access denied: DISCARD [%llu->%llu] on dev=%04x\n", -+ preq.sector_number, -+ preq.sector_number + preq.nr_sects, blkif->vbd.pdevice); -+ goto fail_response; -+ } - blkif->st_ds_req++; - - xen_blkif_get(blkif); -@@ -887,7 +898,7 @@ static int dispatch_discard_io(struct xen_blkif *blkif, - err = blkdev_issue_discard(bdev, req->u.discard.sector_number, - req->u.discard.nr_sectors, - GFP_KERNEL, secure); -- -+fail_response: - if (err == -EOPNOTSUPP) { - pr_debug(DRV_PFX "discard op failed, not supported\n"); - status = BLKIF_RSP_EOPNOTSUPP; --- -1.8.1.4 - From 282ea30013787417a8ec0fe67b9ed790e547336a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 5 Aug 2013 11:13:57 -0400 Subject: [PATCH 182/468] Build MEI_ME as a module. Upstream changed it to a module from an add-on option to the MEI driver. Build it as a module so that people can blacklist it because it's a piece of crap. --- config-x86-generic | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/config-x86-generic b/config-x86-generic index f00827c2e..983028436 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -431,7 +431,7 @@ CONFIG_DRM_GMA3600=y CONFIG_RCU_FANOUT_LEAF=16 CONFIG_INTEL_MEI=m -CONFIG_INTEL_MEI_ME=y +CONFIG_INTEL_MEI_ME=m # Maybe enable in debug kernels? # CONFIG_DEBUG_NMI_SELFTEST is not set From 31780f9cbd54228b78a636787a75c7fe6ac70520 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 6 Aug 2013 15:58:54 -0500 Subject: [PATCH 183/468] update s390x config --- config-s390x | 3 +++ kernel.spec | 5 ++++- 2 files changed, 7 insertions(+), 1 deletion(-) diff --git a/config-s390x b/config-s390x index ec4fd04e5..35aec886f 100644 --- a/config-s390x +++ b/config-s390x @@ -250,6 +250,7 @@ CONFIG_EADM_SCH=m CONFIG_SCM_BLOCK=m CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_S390_PTDUMP is not set +# CONFIG_SCSI_UFSHCD is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PCI is not set # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set @@ -271,6 +272,8 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_ACCESSIBILITY is not set # CONFIG_AUXDISPLAY is not set +# CONFIG_PTP_1588_CLOCK is not set +# CONFIG_PTP_1588_CLOCK_PCH is not set # CONFIG_POWER_SUPPLY is not set # CONFIG_STAGING is not set # CONFIG_MEMSTICK is not set diff --git a/kernel.spec b/kernel.spec index 957fd7982..4d4a81d9f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2324,7 +2324,10 @@ fi # and build. %changelog -* Mon Aug 04 2013 Justin M. Forbes +* Tue Aug 06 2013 Justin M. Forbes 3.10.5-200 +- update s390x config [Dan Horák] + +* Mon Aug 05 2013 Justin M. Forbes - Linux v3.10.5 * Thu Aug 01 2013 Josh Boyer From 8248d931541c6fa5d3a0f3ac549cd24a1ff41411 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 7 Aug 2013 09:45:49 -0400 Subject: [PATCH 184/468] Add zero file length check to make sure pesign didn't fail (rhbz 991808) --- kernel.spec | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/kernel.spec b/kernel.spec index 4d4a81d9f..1d76e92bf 100644 --- a/kernel.spec +++ b/kernel.spec @@ -1671,6 +1671,10 @@ BuildKernel() { %if %{signmodules} # Sign the image if we're using EFI %pesign -s -i $KernelImage -o vmlinuz.signed + if [ ! -s vmlinuz.signed ]; then + echo "pesigning failed" + exit 1 + fi mv vmlinuz.signed $KernelImage %endif $CopyKernel $KernelImage \ @@ -2324,6 +2328,9 @@ fi # and build. %changelog +* Wed Aug 07 2013 Josh Boyer +- Add zero file length check to make sure pesign didn't fail (rhbz 991808) + * Tue Aug 06 2013 Justin M. Forbes 3.10.5-200 - update s390x config [Dan Horák] From 3139b19becac88590a83ca5b0d53b1af70746b1b Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 7 Aug 2013 09:54:42 -0500 Subject: [PATCH 185/468] Bump for rebuild after koji hiccup --- kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 1d76e92bf..ab25220c5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2328,6 +2328,9 @@ fi # and build. %changelog +* Wed Aug 07 2013 Justin M. Forbes 3.10.5-201 +- Bump for rebuild after koji hiccup + * Wed Aug 07 2013 Josh Boyer - Add zero file length check to make sure pesign didn't fail (rhbz 991808) From 41d2d1bbef635a160fff6ce57a6c825d21eb286a Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 12 Aug 2013 09:18:41 -0500 Subject: [PATCH 186/468] Linux v3.10.6 --- ath3k-dont-use-stack-memory-for-DMA.patch | 72 ------------------- config-arm-generic | 1 + ...tify-info-leak-in-copy_event_to_user.patch | 14 ---- ...nd-BT_CONFIG-on-devices-wo-Bluetooth.patch | 32 --------- kernel.spec | 25 ++----- sources | 3 +- 6 files changed, 7 insertions(+), 140 deletions(-) delete mode 100644 ath3k-dont-use-stack-memory-for-DMA.patch delete mode 100644 fanotify-info-leak-in-copy_event_to_user.patch delete mode 100644 iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch diff --git a/ath3k-dont-use-stack-memory-for-DMA.patch b/ath3k-dont-use-stack-memory-for-DMA.patch deleted file mode 100644 index 610a00067..000000000 --- a/ath3k-dont-use-stack-memory-for-DMA.patch +++ /dev/null @@ -1,72 +0,0 @@ -Memory allocated by vmalloc (including stack) can not be used for DMA, -i.e. data pointer on usb_control_msg() should not point to stack memory. - -Resolves: -https://bugzilla.redhat.com/show_bug.cgi?id=977558 - -Reported-and-tested-by: Andy Lawrence -Signed-off-by: Stanislaw Gruszka ---- - drivers/bluetooth/ath3k.c | 38 +++++++++++++++++++++++++++++--------- - 1 file changed, 29 insertions(+), 9 deletions(-) - -diff --git a/drivers/bluetooth/ath3k.c b/drivers/bluetooth/ath3k.c -index 11f467c..81b636c 100644 ---- a/drivers/bluetooth/ath3k.c -+++ b/drivers/bluetooth/ath3k.c -@@ -193,24 +193,44 @@ error: - - static int ath3k_get_state(struct usb_device *udev, unsigned char *state) - { -- int pipe = 0; -+ int ret, pipe = 0; -+ char *buf; -+ -+ buf = kmalloc(1, GFP_KERNEL); -+ if (!buf) -+ return -ENOMEM; - - pipe = usb_rcvctrlpipe(udev, 0); -- return usb_control_msg(udev, pipe, ATH3K_GETSTATE, -- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, -- state, 0x01, USB_CTRL_SET_TIMEOUT); -+ ret = usb_control_msg(udev, pipe, ATH3K_GETSTATE, -+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, -+ buf, 1, USB_CTRL_SET_TIMEOUT); -+ -+ *state = *buf; -+ kfree(buf); -+ -+ return ret; - } - - static int ath3k_get_version(struct usb_device *udev, - struct ath3k_version *version) - { -- int pipe = 0; -+ int ret, pipe = 0; -+ char *buf; -+ const int size = sizeof(struct ath3k_version); -+ -+ buf = kmalloc(size, GFP_KERNEL); -+ if (!buf) -+ return -ENOMEM; - - pipe = usb_rcvctrlpipe(udev, 0); -- return usb_control_msg(udev, pipe, ATH3K_GETVERSION, -- USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, version, -- sizeof(struct ath3k_version), -- USB_CTRL_SET_TIMEOUT); -+ ret = usb_control_msg(udev, pipe, ATH3K_GETVERSION, -+ USB_TYPE_VENDOR | USB_DIR_IN, 0, 0, -+ buf, size, USB_CTRL_SET_TIMEOUT); -+ -+ memcpy(version, buf, size); -+ kfree(buf); -+ -+ return ret; - } - - static int ath3k_load_fwfile(struct usb_device *udev, --- -1.7.11.7 diff --git a/config-arm-generic b/config-arm-generic index efce65434..7aa5a852a 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -41,3 +41,4 @@ CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_SERIAL_AMBA_PL011=y # CONFIG_CRYPTO_TEST is not set +CONFIG_KUSER_HELPERS=y diff --git a/fanotify-info-leak-in-copy_event_to_user.patch b/fanotify-info-leak-in-copy_event_to_user.patch deleted file mode 100644 index 92b218b1c..000000000 --- a/fanotify-info-leak-in-copy_event_to_user.patch +++ /dev/null @@ -1,14 +0,0 @@ -diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c -index 6c80083..77cc85d 100644 ---- a/fs/notify/fanotify/fanotify_user.c -+++ b/fs/notify/fanotify/fanotify_user.c -@@ -122,6 +122,7 @@ static int fill_event_metadata(struct fsnotify_group *group, - metadata->event_len = FAN_EVENT_METADATA_LEN; - metadata->metadata_len = FAN_EVENT_METADATA_LEN; - metadata->vers = FANOTIFY_METADATA_VERSION; -+ metadata->reserved = 0; - metadata->mask = event->mask & FAN_ALL_OUTGOING_EVENTS; - metadata->pid = pid_vnr(event->tgid); - if (unlikely(event->mask & FAN_Q_OVERFLOW)) - - \ No newline at end of file diff --git a/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch b/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch deleted file mode 100644 index aa2ca7035..000000000 --- a/iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch +++ /dev/null @@ -1,32 +0,0 @@ -From 7b29fdb8cd8f92e31f550611a8c031986dba2e8f Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Fri, 03 May 2013 16:58:16 +0000 -Subject: iwlwifi: dvm: don't send BT_CONFIG on devices w/o Bluetooth - -The BT_CONFIG command that is sent to the device during -startup will enable BT coex unless the module parameter -turns it off, but on devices without Bluetooth this may -cause problems, as reported in Redhat BZ 885407. - -Fix this by sending the BT_CONFIG command only when the -device has Bluetooth. - -Cc: stable@vger.kernel.org -Reviewed-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- -diff --git a/drivers/net/wireless/iwlwifi/dvm/main.c b/drivers/net/wireless/iwlwifi/dvm/main.c -index 3952ddf..1531a4f 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/main.c -+++ b/drivers/net/wireless/iwlwifi/dvm/main.c -@@ -758,7 +758,7 @@ int iwl_alive_start(struct iwl_priv *priv) - BT_COEX_PRIO_TBL_EVT_INIT_CALIB2); - if (ret) - return ret; -- } else { -+ } else if (priv->cfg->bt_params) { - /* - * default is 2-wire BT coexexistence support - */ --- -cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index ab25220c5..8bffad122 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -733,9 +733,6 @@ Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pa #CVE-2013-2147 rhbz 971242 971249 Patch25032: cve-2013-2147-ciss-info-leak.patch -#CVE-2013-2148 rhbz 971258 971261 -Patch25033: fanotify-info-leak-in-copy_event_to_user.patch - #rhbz 954252 Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch @@ -754,9 +751,6 @@ Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch Patch25061: bridge-timer-fix.patch Patch25066: bridge-do-not-call-setup_timer-multiple-times.patch -#rhbz 977558 -Patch25055: ath3k-dont-use-stack-memory-for-DMA.patch - #rhbz 977040 Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch @@ -764,9 +758,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 959721 Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch -#rhbz 885407 -Patch25064: iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch - #rhbz 979581 Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch @@ -1465,9 +1456,6 @@ ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.pat #CVE-2013-2147 rhbz 971242 971249 ApplyPatch cve-2013-2147-ciss-info-leak.patch -#CVE-2013-2148 rhbz 971258 971261 -ApplyPatch fanotify-info-leak-in-copy_event_to_user.patch - #rhbz 954252 ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch @@ -1486,9 +1474,6 @@ ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch ApplyPatch bridge-timer-fix.patch ApplyPatch bridge-do-not-call-setup_timer-multiple-times.patch -#rhbz 977558 -ApplyPatch ath3k-dont-use-stack-memory-for-DMA.patch - #rhbz 977040 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch @@ -1496,9 +1481,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch -#rhbz 885407 -ApplyPatch iwlwifi-dvm-dont-send-BT_CONFIG-on-devices-wo-Bluetooth.patch - #rhbz 979581 ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch @@ -2328,6 +2310,9 @@ fi # and build. %changelog +* Mon Aug 12 2013 Justin M. Forbes 3.10.6-200 +- Linux v3.10.6 + * Wed Aug 07 2013 Justin M. Forbes 3.10.5-201 - Bump for rebuild after koji hiccup diff --git a/sources b/sources index f0c5c03a6..c11108ab4 100644 --- a/sources +++ b/sources @@ -1,3 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -2e46ab138670b3171b52b849568cb42f patch-3.10.4.xz -6366a8d4b0429ab6836c296ba298fb0e patch-3.10.5.xz +b41c06c1154592045cc2a9d88363de14 patch-3.10.6.xz From 61c53e57cf878026cd13b193bdb9e5201a80dc71 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 15 Aug 2013 09:04:23 -0400 Subject: [PATCH 187/468] Linux v3.10.7 --- kernel.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 8bffad122..27f4af4ed 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2310,6 +2310,9 @@ fi # and build. %changelog +* Thu Aug 15 2013 Josh Boyer - 3.6.10.7-200 +- Linux v3.10.7 + * Mon Aug 12 2013 Justin M. Forbes 3.10.6-200 - Linux v3.10.6 diff --git a/sources b/sources index c11108ab4..cc0f04112 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -b41c06c1154592045cc2a9d88363de14 patch-3.10.6.xz +6b1b6b62044fcf3624f067154d5c1666 patch-3.10.7.xz From 5dfb32b75b12fdadb7778cda78cfeecde9076d79 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 15 Aug 2013 09:08:24 -0400 Subject: [PATCH 188/468] Add patch to fix regression on TeVII S471 devices (rhbz 963715) --- kernel.spec | 7 +++++ ...ression-since-introduction-of-ts2020.patch | 30 +++++++++++++++++++ 2 files changed, 37 insertions(+) create mode 100644 media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch diff --git a/kernel.spec b/kernel.spec index 27f4af4ed..4c3f3b99f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -775,6 +775,9 @@ Patch25074: mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch Patch25075: mac80211-ignore-HT-primary-channel-while-connected.patch Patch25076: mac80211-continue-using-disabled-channels-while-connected.patch +#rhbz 963715 +Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch + # END OF PATCH DEFINITIONS %endif @@ -1498,6 +1501,9 @@ ApplyPatch mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch ApplyPatch mac80211-ignore-HT-primary-channel-while-connected.patch ApplyPatch mac80211-continue-using-disabled-channels-while-connected.patch +#rhbz 963715 +ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch + # END OF PATCH APPLICATIONS %endif @@ -2311,6 +2317,7 @@ fi %changelog * Thu Aug 15 2013 Josh Boyer - 3.6.10.7-200 +- Add patch to fix regression on TeVII S471 devices (rhbz 963715) - Linux v3.10.7 * Mon Aug 12 2013 Justin M. Forbes 3.10.6-200 diff --git a/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch b/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch new file mode 100644 index 000000000..2a28a2fe1 --- /dev/null +++ b/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch @@ -0,0 +1,30 @@ +From b43ea8068d2090cb1e44632c8a938ab40d2c7419 Mon Sep 17 00:00:00 2001 +From: Johannes Koch +Date: Wed, 17 Jul 2013 17:28:16 +0000 +Subject: [media] cx23885: Fix TeVii S471 regression since introduction of ts2020 + +Patch to make TeVii S471 cards use the ts2020 tuner, since ds3000 driver no +longer contains tuning code. + +Signed-off-by: Johannes Koch +Signed-off-by: Mauro Carvalho Chehab +--- +(limited to 'drivers/media/pci/cx23885/cx23885-dvb.c') + +diff --git a/drivers/media/pci/cx23885/cx23885-dvb.c b/drivers/media/pci/cx23885/cx23885-dvb.c +index 9c5ed10..bb291c6 100644 +--- a/drivers/media/pci/cx23885/cx23885-dvb.c ++++ b/drivers/media/pci/cx23885/cx23885-dvb.c +@@ -1249,6 +1249,10 @@ static int dvb_register(struct cx23885_tsport *port) + fe0->dvb.frontend = dvb_attach(ds3000_attach, + &tevii_ds3000_config, + &i2c_bus->i2c_adap); ++ if (fe0->dvb.frontend != NULL) { ++ dvb_attach(ts2020_attach, fe0->dvb.frontend, ++ &tevii_ts2020_config, &i2c_bus->i2c_adap); ++ } + break; + case CX23885_BOARD_PROF_8000: + i2c_bus = &dev->i2c_bus[0]; +-- +cgit v0.9.2 From 98291540fff47c35fa6057b37f4577b6b5115d0c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 15 Aug 2013 10:33:57 -0400 Subject: [PATCH 189/468] Enable memory cgroup swap accounting (rhbz 982808) --- config-generic | 4 ++-- kernel.spec | 1 + 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/config-generic b/config-generic index 46ba526b9..7e1ecf1cf 100644 --- a/config-generic +++ b/config-generic @@ -4142,8 +4142,8 @@ CONFIG_CGROUP_DEVICE=y CONFIG_CGROUP_FREEZER=y CONFIG_CGROUP_SCHED=y CONFIG_MEMCG=y -CONFIG_MEMCG_SWAP=y # XXX disabled by default, pass 'swapaccount' -# CONFIG_MEMCG_SWAP_ENABLED is not set +CONFIG_MEMCG_SWAP=y +CONFIG_MEMCG_SWAP_ENABLED=y CONFIG_MEMCG_KMEM=y # CONFIG_CGROUP_HUGETLB is not set CONFIG_CGROUP_PERF=y diff --git a/kernel.spec b/kernel.spec index 4c3f3b99f..623822c8e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2317,6 +2317,7 @@ fi %changelog * Thu Aug 15 2013 Josh Boyer - 3.6.10.7-200 +- Enable memory cgroup swap accounting (rhbz 982808) - Add patch to fix regression on TeVII S471 devices (rhbz 963715) - Linux v3.10.7 From 54b9668780dbf8774be15d826f1bb3bdb5e3c5fe Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 16 Aug 2013 09:50:52 -0400 Subject: [PATCH 190/468] Add patch from Nathanael Noblet to fix mic on Gateway LT27 (rhbz 845699) --- ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch | 25 +++++++++++++++++++++ kernel.spec | 9 ++++++++ 2 files changed, 34 insertions(+) create mode 100644 ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch diff --git a/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch b/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch new file mode 100644 index 000000000..9ce3433f9 --- /dev/null +++ b/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch @@ -0,0 +1,25 @@ +From 1801928e0f99d94c55e33c584c5eb2ff5e246ee6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 16 Aug 2013 06:17:05 +0000 +Subject: ALSA: hda - Add a fixup for Gateway LT27 + +Gateway LT27 needs a fixup for the inverted digital mic. + +Reported-by: "Nathanael D. Noblet" +Cc: +Signed-off-by: Takashi Iwai +--- +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 5b22bf9..f303cd8 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -4339,6 +4339,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { + SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE), + SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC), ++ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27", ALC662_FIXUP_INV_DMIC), + SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE), + SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), + SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 623822c8e..8efe24ca5 100644 --- a/kernel.spec +++ b/kernel.spec @@ -778,6 +778,9 @@ Patch25076: mac80211-continue-using-disabled-channels-while-connected.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#rhbz 845699 +Patch25078: ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch + # END OF PATCH DEFINITIONS %endif @@ -1504,6 +1507,9 @@ ApplyPatch mac80211-continue-using-disabled-channels-while-connected.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#rhbz 845699 +ApplyPatch ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch + # END OF PATCH APPLICATIONS %endif @@ -2316,6 +2322,9 @@ fi # and build. %changelog +* Fri Aug 16 2013 Josh Boyer +- Add patch from Nathanael Noblet to fix mic on Gateway LT27 (rhbz 845699) + * Thu Aug 15 2013 Josh Boyer - 3.6.10.7-200 - Enable memory cgroup swap accounting (rhbz 982808) - Add patch to fix regression on TeVII S471 devices (rhbz 963715) From 91f0a755f8fb9e11a907088fabe3127adeec9069 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 20 Aug 2013 12:44:08 -0400 Subject: [PATCH 191/468] Linux v3.10.8 - CVE-2013-4254 ARM: perf: NULL pointer dereference in validate_event (rhbz 998878 998881) --- ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch | 25 ---- iwl4965-reset-firmware-after-rfkill-off.patch | 56 -------- kernel.spec | 30 +---- ...ng-disabled-channels-while-connected.patch | 43 ------- ...loop-in-ieee80211_determine_chantype.patch | 32 ----- ...e-HT-primary-channel-while-connected.patch | 121 ------------------ sources | 2 +- 7 files changed, 7 insertions(+), 302 deletions(-) delete mode 100644 ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch delete mode 100644 iwl4965-reset-firmware-after-rfkill-off.patch delete mode 100644 mac80211-continue-using-disabled-channels-while-connected.patch delete mode 100644 mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch delete mode 100644 mac80211-ignore-HT-primary-channel-while-connected.patch diff --git a/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch b/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch deleted file mode 100644 index 9ce3433f9..000000000 --- a/ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 1801928e0f99d94c55e33c584c5eb2ff5e246ee6 Mon Sep 17 00:00:00 2001 -From: Takashi Iwai -Date: Fri, 16 Aug 2013 06:17:05 +0000 -Subject: ALSA: hda - Add a fixup for Gateway LT27 - -Gateway LT27 needs a fixup for the inverted digital mic. - -Reported-by: "Nathanael D. Noblet" -Cc: -Signed-off-by: Takashi Iwai ---- -diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c -index 5b22bf9..f303cd8 100644 ---- a/sound/pci/hda/patch_realtek.c -+++ b/sound/pci/hda/patch_realtek.c -@@ -4339,6 +4339,7 @@ static const struct snd_pci_quirk alc662_fixup_tbl[] = { - SND_PCI_QUIRK(0x1025, 0x0308, "Acer Aspire 8942G", ALC662_FIXUP_ASPIRE), - SND_PCI_QUIRK(0x1025, 0x031c, "Gateway NV79", ALC662_FIXUP_SKU_IGNORE), - SND_PCI_QUIRK(0x1025, 0x0349, "eMachines eM250", ALC662_FIXUP_INV_DMIC), -+ SND_PCI_QUIRK(0x1025, 0x034a, "Gateway LT27", ALC662_FIXUP_INV_DMIC), - SND_PCI_QUIRK(0x1025, 0x038b, "Acer Aspire 8943G", ALC662_FIXUP_ASPIRE), - SND_PCI_QUIRK(0x1028, 0x05d8, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), - SND_PCI_QUIRK(0x1028, 0x05db, "Dell", ALC668_FIXUP_DELL_MIC_NO_PRESENCE), --- -cgit v0.9.2 diff --git a/iwl4965-reset-firmware-after-rfkill-off.patch b/iwl4965-reset-firmware-after-rfkill-off.patch deleted file mode 100644 index 08b360d10..000000000 --- a/iwl4965-reset-firmware-after-rfkill-off.patch +++ /dev/null @@ -1,56 +0,0 @@ -Using rfkill switch can make firmware unstable, what cause various -Microcode errors and kernel warnings. Reseting firmware just after -rfkill off (radio on) helped with that. - -Resolve: -https://bugzilla.redhat.com/show_bug.cgi?id=977053 - -Reported-and-tested-by: Justin Pearce -Cc: stable@vger.kernel.org -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/iwlegacy/4965-mac.c | 10 +++++----- - drivers/net/wireless/iwlegacy/common.c | 1 + - 2 files changed, 6 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c -index f0b7794..f2ed62e 100644 ---- a/drivers/net/wireless/iwlegacy/4965-mac.c -+++ b/drivers/net/wireless/iwlegacy/4965-mac.c -@@ -4460,12 +4460,12 @@ il4965_irq_tasklet(struct il_priv *il) - * is killed. Hence update the killswitch state here. The - * rfkill handler will care about restarting if needed. - */ -- if (!test_bit(S_ALIVE, &il->status)) { -- if (hw_rf_kill) -- set_bit(S_RFKILL, &il->status); -- else -- clear_bit(S_RFKILL, &il->status); -+ if (hw_rf_kill) { -+ set_bit(S_RFKILL, &il->status); -+ } else { -+ clear_bit(S_RFKILL, &il->status); - wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill); -+ il_force_reset(il, true); - } - - handled |= CSR_INT_BIT_RF_KILL; -diff --git a/drivers/net/wireless/iwlegacy/common.c b/drivers/net/wireless/iwlegacy/common.c -index 3195aad..b03e22e 100644 ---- a/drivers/net/wireless/iwlegacy/common.c -+++ b/drivers/net/wireless/iwlegacy/common.c -@@ -4660,6 +4660,7 @@ il_force_reset(struct il_priv *il, bool external) - - return 0; - } -+EXPORT_SYMBOL(il_force_reset); - - int - il_mac_change_interface(struct ieee80211_hw *hw, struct ieee80211_vif *vif, --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 8efe24ca5..6447be549 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -767,20 +767,9 @@ Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 989138 Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch -#rhbz 977053 -Patch25073: iwl4965-reset-firmware-after-rfkill-off.patch - -#rhbz 981445 -Patch25074: mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch -Patch25075: mac80211-ignore-HT-primary-channel-while-connected.patch -Patch25076: mac80211-continue-using-disabled-channels-while-connected.patch - #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#rhbz 845699 -Patch25078: ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch - # END OF PATCH DEFINITIONS %endif @@ -1496,20 +1485,9 @@ ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch #rhbz 989138 ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch -#rhbz 977053 -ApplyPatch iwl4965-reset-firmware-after-rfkill-off.patch - -#rhbz 981445 -ApplyPatch mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch -ApplyPatch mac80211-ignore-HT-primary-channel-while-connected.patch -ApplyPatch mac80211-continue-using-disabled-channels-while-connected.patch - #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#rhbz 845699 -ApplyPatch ALSA-hda-Add-a-fixup-for-Gateway-LT27.patch - # END OF PATCH APPLICATIONS %endif @@ -2322,10 +2300,14 @@ fi # and build. %changelog +* Tue Aug 20 2013 Josh Boyer - 3.10.8-200 +- Linux v3.10.8 +- CVE-2013-4254 ARM: perf: NULL pointer dereference in validate_event (rhbz 998878 998881) + * Fri Aug 16 2013 Josh Boyer - Add patch from Nathanael Noblet to fix mic on Gateway LT27 (rhbz 845699) -* Thu Aug 15 2013 Josh Boyer - 3.6.10.7-200 +* Thu Aug 15 2013 Josh Boyer - 3.10.7-200 - Enable memory cgroup swap accounting (rhbz 982808) - Add patch to fix regression on TeVII S471 devices (rhbz 963715) - Linux v3.10.7 diff --git a/mac80211-continue-using-disabled-channels-while-connected.patch b/mac80211-continue-using-disabled-channels-while-connected.patch deleted file mode 100644 index 91dd1d7db..000000000 --- a/mac80211-continue-using-disabled-channels-while-connected.patch +++ /dev/null @@ -1,43 +0,0 @@ -From ddfe49b42d8ad4bfdf92d63d4a74f162660d878d Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 31 Jul 2013 18:52:03 +0000 -Subject: mac80211: continue using disabled channels while connected - -In case the AP has different regulatory information than we do, -it can happen that we connect to an AP based on e.g. the world -roaming regulatory data, and then update our database with the -AP's country information disables the channel the AP is using. -If this happens on an HT AP, the bandwidth tracking code will -hit the WARN_ON() and disconnect. Since that's not very useful, -ignore the channel-disable flag in bandwidth tracking. - -Cc: stable@vger.kernel.org -Reported-by: Chris Wright -Tested-by: Chris Wright -Signed-off-by: Johannes Berg ---- -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index 077a953..cc9e02d 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -335,8 +335,17 @@ out: - if (ret & IEEE80211_STA_DISABLE_VHT) - vht_chandef = *chandef; - -+ /* -+ * Ignore the DISABLED flag when we're already connected and only -+ * tracking the APs beacon for bandwidth changes - otherwise we -+ * might get disconnected here if we connect to an AP, update our -+ * regulatory information based on the AP's country IE and the -+ * information we have is wrong/outdated and disables the channel -+ * that we're actually using for the connection to the AP. -+ */ - while (!cfg80211_chandef_usable(sdata->local->hw.wiphy, chandef, -- IEEE80211_CHAN_DISABLED)) { -+ tracking ? 0 : -+ IEEE80211_CHAN_DISABLED)) { - if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { - ret = IEEE80211_STA_DISABLE_HT | - IEEE80211_STA_DISABLE_VHT; --- -cgit v0.9.2 diff --git a/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch b/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch deleted file mode 100644 index 49115f969..000000000 --- a/mac80211-fix-infinite-loop-in-ieee80211_determine_chantype.patch +++ /dev/null @@ -1,32 +0,0 @@ -From b56e4b857c5210e848bfb80e074e5756a36cd523 Mon Sep 17 00:00:00 2001 -From: Chris Wright -Date: Wed, 31 Jul 2013 19:12:24 +0000 -Subject: mac80211: fix infinite loop in ieee80211_determine_chantype - -Commit "3d9646d mac80211: fix channel selection bug" introduced a possible -infinite loop by moving the out target above the chandef_downgrade -while loop. When we downgrade to NL80211_CHAN_WIDTH_20_NOHT, we jump -back up to re-run the while loop...indefinitely. Replace goto with -break and carry on. This may not be sufficient to connect to the AP, -but will at least keep the cpu from livelocking. Thanks to Derek Atkins -as an extra pair of debugging eyes. - -Cc: stable@kernel.org -Signed-off-by: Chris Wright -Signed-off-by: Johannes Berg ---- -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index ae31968..e3e7d2b 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -338,7 +338,7 @@ out: - if (WARN_ON(chandef->width == NL80211_CHAN_WIDTH_20_NOHT)) { - ret = IEEE80211_STA_DISABLE_HT | - IEEE80211_STA_DISABLE_VHT; -- goto out; -+ break; - } - - ret |= chandef_downgrade(chandef); --- -cgit v0.9.2 diff --git a/mac80211-ignore-HT-primary-channel-while-connected.patch b/mac80211-ignore-HT-primary-channel-while-connected.patch deleted file mode 100644 index ba5d2a478..000000000 --- a/mac80211-ignore-HT-primary-channel-while-connected.patch +++ /dev/null @@ -1,121 +0,0 @@ -From 5cdaed1e878d723d56d04ae0be1738124acf9f46 Mon Sep 17 00:00:00 2001 -From: Johannes Berg -Date: Wed, 31 Jul 2013 09:23:06 +0000 -Subject: mac80211: ignore HT primary channel while connected - -While we're connected, the AP shouldn't change the primary channel -in the HT information. We checked this, and dropped the connection -if it did change it. - -Unfortunately, this is causing problems on some APs, e.g. on the -Netgear WRT610NL: the beacons seem to always contain a bad channel -and if we made a connection using a probe response (correct data) -we drop the connection immediately and can basically not connect -properly at all. - -Work around this by ignoring the HT primary channel information in -beacons if we're already connected. - -Also print out more verbose messages in the other situations to -help diagnose similar bugs quicker in the future. - -Cc: stable@vger.kernel.org [3.10] -Acked-by: Andy Isaacson -Signed-off-by: Johannes Berg ---- -diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c -index e5c3cf4..077a953 100644 ---- a/net/mac80211/mlme.c -+++ b/net/mac80211/mlme.c -@@ -211,8 +211,9 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - struct ieee80211_channel *channel, - const struct ieee80211_ht_operation *ht_oper, - const struct ieee80211_vht_operation *vht_oper, -- struct cfg80211_chan_def *chandef, bool verbose) -+ struct cfg80211_chan_def *chandef, bool tracking) - { -+ struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; - struct cfg80211_chan_def vht_chandef; - u32 ht_cfreq, ret; - -@@ -231,7 +232,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - ht_cfreq = ieee80211_channel_to_frequency(ht_oper->primary_chan, - channel->band); - /* check that channel matches the right operating channel */ -- if (channel->center_freq != ht_cfreq) { -+ if (!tracking && channel->center_freq != ht_cfreq) { - /* - * It's possible that some APs are confused here; - * Netgear WNDR3700 sometimes reports 4 higher than -@@ -239,11 +240,10 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - * since we look at probe response/beacon data here - * it should be OK. - */ -- if (verbose) -- sdata_info(sdata, -- "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", -- channel->center_freq, ht_cfreq, -- ht_oper->primary_chan, channel->band); -+ sdata_info(sdata, -+ "Wrong control channel: center-freq: %d ht-cfreq: %d ht->primary_chan: %d band: %d - Disabling HT\n", -+ channel->center_freq, ht_cfreq, -+ ht_oper->primary_chan, channel->band); - ret = IEEE80211_STA_DISABLE_HT | IEEE80211_STA_DISABLE_VHT; - goto out; - } -@@ -297,7 +297,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - channel->band); - break; - default: -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT operation IE has invalid channel width (%d), disable VHT\n", - vht_oper->chan_width); -@@ -306,7 +306,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - } - - if (!cfg80211_chandef_valid(&vht_chandef)) { -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT information is invalid, disable VHT\n"); - ret = IEEE80211_STA_DISABLE_VHT; -@@ -319,7 +319,7 @@ ieee80211_determine_chantype(struct ieee80211_sub_if_data *sdata, - } - - if (!cfg80211_chandef_compatible(chandef, &vht_chandef)) { -- if (verbose) -+ if (!(ifmgd->flags & IEEE80211_STA_DISABLE_VHT)) - sdata_info(sdata, - "AP VHT information doesn't match HT, disable VHT\n"); - ret = IEEE80211_STA_DISABLE_VHT; -@@ -346,7 +346,7 @@ out: - ret |= chandef_downgrade(chandef); - } - -- if (chandef->width != vht_chandef.width && verbose) -+ if (chandef->width != vht_chandef.width && !tracking) - sdata_info(sdata, - "capabilities/regulatory prevented using AP HT/VHT configuration, downgraded\n"); - -@@ -386,7 +386,7 @@ static int ieee80211_config_bw(struct ieee80211_sub_if_data *sdata, - - /* calculate new channel (type) based on HT/VHT operation IEs */ - flags = ieee80211_determine_chantype(sdata, sband, chan, ht_oper, -- vht_oper, &chandef, false); -+ vht_oper, &chandef, true); - - /* - * Downgrade the new channel if we associated with restricted -@@ -3838,7 +3838,7 @@ static int ieee80211_prep_channel(struct ieee80211_sub_if_data *sdata, - ifmgd->flags |= ieee80211_determine_chantype(sdata, sband, - cbss->channel, - ht_oper, vht_oper, -- &chandef, true); -+ &chandef, false); - - sdata->needed_rx_chains = min(ieee80211_ht_vht_rx_chains(sdata, cbss), - local->rx_chains); --- -cgit v0.9.2 diff --git a/sources b/sources index cc0f04112..f1361d486 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -6b1b6b62044fcf3624f067154d5c1666 patch-3.10.7.xz +f62214b2847eef5fc22cfc9f1e2d28a3 patch-3.10.8.xz From f37a09228818bcf1a4465e0570cbca3e8ddc7d21 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 20 Aug 2013 19:29:52 -0400 Subject: [PATCH 192/468] Linux v3.10.9 --- kernel.spec | 5 ++++- sources | 2 +- 2 files changed, 5 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 6447be549..5b6d7dd1d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2300,6 +2300,9 @@ fi # and build. %changelog +* Tue Aug 20 2013 Josh Boyer - 3.10.9-200 +- Linux v3.10.9 + * Tue Aug 20 2013 Josh Boyer - 3.10.8-200 - Linux v3.10.8 - CVE-2013-4254 ARM: perf: NULL pointer dereference in validate_event (rhbz 998878 998881) diff --git a/sources b/sources index f1361d486..25af45e94 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -f62214b2847eef5fc22cfc9f1e2d28a3 patch-3.10.8.xz +868d7f5315f95da5e48ed56691a36263 patch-3.10.9.xz From 7739f0b9ab9a3df007a345af4301c7ccd37805d7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 21 Aug 2013 09:14:20 -0400 Subject: [PATCH 193/468] CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380) --- ...sses-check-from-ipv6_create_tempaddr.patch | 63 +++++++++++++++++++ kernel.spec | 12 +++- 2 files changed, 74 insertions(+), 1 deletion(-) create mode 100644 ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch new file mode 100644 index 000000000..0c4fc2484 --- /dev/null +++ b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch @@ -0,0 +1,63 @@ +From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 16 Aug 2013 11:02:27 +0000 +Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr + +Because of the max_addresses check attackers were able to disable privacy +extensions on an interface by creating enough autoconfigured addresses: + + + +But the check is not actually needed: max_addresses protects the +kernel to install too many ipv6 addresses on an interface and guards +addrconf_prefix_rcv to install further addresses as soon as this limit +is reached. We only generate temporary addresses in direct response of +a new address showing up. As soon as we filled up the maximum number of +addresses of an interface, we stop installing more addresses and thus +also stop generating more temp addresses. + +Even if the attacker tries to generate a lot of temporary addresses +by announcing a prefix and removing it again (lifetime == 0) we won't +install more temp addresses, because the temporary addresses do count +to the maximum number of addresses, thus we would stop installing new +autoconfigured addresses when the limit is reached. + +This patch fixes CVE-2013-0343 (but other layer-2 attacks are still +possible). + +Thanks to Ding Tianhong to bring this topic up again. + +Cc: Ding Tianhong +Cc: George Kargiotakis +Cc: P J P +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Acked-by: Ding Tianhong +Signed-off-by: David S. Miller +--- + net/ipv6/addrconf.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c +index fb8c94c..21b7a87 100644 +--- a/net/ipv6/addrconf.c ++++ b/net/ipv6/addrconf.c +@@ -1124,12 +1124,10 @@ retry: + if (ifp->flags & IFA_F_OPTIMISTIC) + addr_flags |= IFA_F_OPTIMISTIC; + +- ift = !max_addresses || +- ipv6_count_addresses(idev) < max_addresses ? +- ipv6_add_addr(idev, &addr, tmp_plen, ++ ift = ipv6_add_addr(idev, &addr, tmp_plen, + ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, +- addr_flags) : NULL; +- if (IS_ERR_OR_NULL(ift)) { ++ addr_flags); ++ if (IS_ERR(ift)) { + in6_ifa_put(ifp); + in6_dev_put(idev); + pr_info("%s: retry temporary address regeneration\n", __func__); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 5b6d7dd1d..68a7ac646 100644 --- a/kernel.spec +++ b/kernel.spec @@ -770,6 +770,10 @@ Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue. #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#CVE-2013-0343 rhbz 914664 999380 +Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch + + # END OF PATCH DEFINITIONS %endif @@ -1488,6 +1492,9 @@ ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.p #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +#CVE-2013-0343 rhbz 914664 999380 +ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch + # END OF PATCH APPLICATIONS %endif @@ -2300,7 +2307,10 @@ fi # and build. %changelog -* Tue Aug 20 2013 Josh Boyer - 3.10.9-200 +* Wed Aug 21 2013 Josh Boyer +- CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380) + +* Tue Aug 20 2013 Josh Boyer - Linux v3.10.9 * Tue Aug 20 2013 Josh Boyer - 3.10.8-200 From ccd2c5831afe47343217519f7b7817986839dde2 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 21 Aug 2013 13:37:46 -0400 Subject: [PATCH 194/468] Add patch to fix brcmsmac oops (rhbz 989269) --- 3.10.-6-7-crashes-on-network-activity.patch | 140 ++++++++++++++++++++ kernel.spec | 6 + 2 files changed, 146 insertions(+) create mode 100644 3.10.-6-7-crashes-on-network-activity.patch diff --git a/3.10.-6-7-crashes-on-network-activity.patch b/3.10.-6-7-crashes-on-network-activity.patch new file mode 100644 index 000000000..2e6b0d2ec --- /dev/null +++ b/3.10.-6-7-crashes-on-network-activity.patch @@ -0,0 +1,140 @@ +From 6aeddf9d409f3d9938b05b545d65810739237b2e Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 20 Aug 2013 06:56:08 +0200 +Subject: [PATCH] 3.10.{6,7} crashes on network activity + +On 2013-08-20 2:28 AM, Greg Kroah-Hartman wrote: +> On Tue, Aug 20, 2013 at 08:26:11AM +0800, Tom Gundersen wrote: +>> On Tue, Aug 20, 2013 at 8:03 AM, Greg Kroah-Hartman +>> wrote: +>> > On Tue, Aug 20, 2013 at 07:59:47AM +0800, Tom Gundersen wrote: +>> >> Hi guys, +>> >> +>> >> Starting with 3.10.6 (and still present in .7) I get an oops on +>> >> connecting to the network. +>> >> +>> >> The attached picture shows the oops. In case it does not reach the ML, +>> >> the top of the call trace reads: +>> >> +>> >> brcms_c_compute_rtscts_dur +>> >> brcms_c_ampdu_finalize +>> >> ampdu_finalize +>> >> dma_txfast +>> >> brcms_c_txfifo +>> >> brcms_c_sendpkt_mac80211 +>> >> brcms_ops_tx +>> >> __ieee80211_tx +>> >> +>> >> I bisected the problem and the first bad commit is +>> >> +>> >> commit ef47a5e4f1aaf1d0e2e6875e34b2c9595897bef6 +>> >> Author: Felix Fietkau +>> >> Date: Fri Jun 28 21:04:35 2013 +0200 +>> >> +>> >> mac80211/minstrel_ht: fix cck rate sampling +>> >> +>> >> commit 1cd158573951f737fbc878a35cb5eb47bf9af3d5 upstream. +>> >> +>> >> Reverting it on top of .7 fixes the problem. +>> >> +>> >> I had the same (I suppose) problem on mainline some time ago, but I +>> >> have not bisected it, verified that the problem still occurs there, or +>> >> checked if reverting the upstream patch fixes it. I'd be happy to do +>> >> that if it would help though. +>> >> +>> >> Let me know if you need any more information. +>> > +>> > Do you have this same problem with 3.11-rc6 as well? +>> +>> Yes, I just confirmed. I also confirmed that reverting the mainline +>> commit on top of -rc6 fixes the problem. +> +> Great, thanks. +> +> Felix and Johannes, any chance we can get this reverted in Linus tree +> soon, and push that revert back to the 3.10 stable tree as well? +I'd like to avoid a revert, since that will simply replace one set of +issues with another. Let's limit the use of the feature that brcmsmac +can't handle to drivers that are known to work with it. Tom, Please +test this patch to see if it fixes your issue. + +- Felix +--- + drivers/net/wireless/ath/ath9k/init.c | 3 ++- + drivers/net/wireless/ath/carl9170/main.c | 3 ++- + drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++- + include/net/mac80211.h | 1 + + net/mac80211/rc80211_minstrel_ht.c | 3 +++ + 5 files changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c +index 2ba4945..bd126c2 100644 +--- a/drivers/net/wireless/ath/ath9k/init.c ++++ b/drivers/net/wireless/ath/ath9k/init.c +@@ -767,7 +767,8 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw) + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_SPECTRUM_MGMT | + IEEE80211_HW_REPORTS_TX_ACK_STATUS | +- IEEE80211_HW_SUPPORTS_RC_TABLE; ++ IEEE80211_HW_SUPPORTS_RC_TABLE | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_HT) + hw->flags |= IEEE80211_HW_AMPDU_AGGREGATION; +diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c +index e9010a4..0686375 100644 +--- a/drivers/net/wireless/ath/carl9170/main.c ++++ b/drivers/net/wireless/ath/carl9170/main.c +@@ -1857,7 +1857,8 @@ void *carl9170_alloc(size_t priv_size) + IEEE80211_HW_SUPPORTS_PS | + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC | +- IEEE80211_HW_SIGNAL_DBM; ++ IEEE80211_HW_SIGNAL_DBM | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + if (!modparam_noht) { + /* +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c +index 705aa33..7e66a90 100644 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -5912,7 +5912,8 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + IEEE80211_HW_SUPPORTS_PS | + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_AMPDU_AGGREGATION | +- IEEE80211_HW_REPORTS_TX_ACK_STATUS; ++ IEEE80211_HW_REPORTS_TX_ACK_STATUS | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + /* + * Don't set IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING for USB devices +diff --git a/include/net/mac80211.h b/include/net/mac80211.h +index 885898a..4e50d36 100644 +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -1484,6 +1484,7 @@ enum ieee80211_hw_flags { + IEEE80211_HW_SUPPORTS_RC_TABLE = 1<<24, + IEEE80211_HW_P2P_DEV_ADDR_FOR_INTF = 1<<25, + IEEE80211_HW_TIMING_BEACON_ONLY = 1<<26, ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES = 1<<27, + }; + + /** +diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c +index f5aed96..f3bbea1 100644 +--- a/net/mac80211/rc80211_minstrel_ht.c ++++ b/net/mac80211/rc80211_minstrel_ht.c +@@ -828,6 +828,9 @@ minstrel_ht_update_cck(struct minstrel_priv *mp, struct minstrel_ht_sta *mi, + if (sband->band != IEEE80211_BAND_2GHZ) + return; + ++ if (!(mp->hw->flags & IEEE80211_HW_SUPPORTS_HT_CCK_RATES)) ++ return; ++ + mi->cck_supported = 0; + mi->cck_supported_short = 0; + for (i = 0; i < 4; i++) { +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 68a7ac646..4aee1dab6 100644 --- a/kernel.spec +++ b/kernel.spec @@ -773,6 +773,8 @@ Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020 #CVE-2013-0343 rhbz 914664 999380 Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +#rhbz 989269 +Patch25079: 3.10.-6-7-crashes-on-network-activity.patch # END OF PATCH DEFINITIONS @@ -1495,6 +1497,9 @@ ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020. #CVE-2013-0343 rhbz 914664 999380 ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +#rhbz 989269 +ApplyPatch 3.10.-6-7-crashes-on-network-activity.patch + # END OF PATCH APPLICATIONS %endif @@ -2308,6 +2313,7 @@ fi %changelog * Wed Aug 21 2013 Josh Boyer +- Add patch to fix brcmsmac oops (rhbz 989269) - CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380) * Tue Aug 20 2013 Josh Boyer From fc929e0b7dabf6f1734ac5f3b48f193c30a73fc9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 28 Aug 2013 14:33:47 -0400 Subject: [PATCH 195/468] Add mei patches that fix various s/r issues (rhbz 994824 989373) --- kernel.spec | 9 +- mei-3.10.y.patch | 357 +++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 365 insertions(+), 1 deletion(-) create mode 100644 mei-3.10.y.patch diff --git a/kernel.spec b/kernel.spec index 4aee1dab6..05da6ebf7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -776,6 +776,8 @@ Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch #rhbz 989269 Patch25079: 3.10.-6-7-crashes-on-network-activity.patch +Patch25090: mei-3.10.y.patch + # END OF PATCH DEFINITIONS %endif @@ -1500,6 +1502,8 @@ ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch #rhbz 989269 ApplyPatch 3.10.-6-7-crashes-on-network-activity.patch +ApplyPatch mei-3.10.y.patch + # END OF PATCH APPLICATIONS %endif @@ -2312,6 +2316,9 @@ fi # and build. %changelog +* Wed Aug 28 2013 Josh Boyer +- Add mei patches that fix various s/r issues (rhbz 994824 989373) + * Wed Aug 21 2013 Josh Boyer - Add patch to fix brcmsmac oops (rhbz 989269) - CVE-2013-0343 handling of IPv6 temporary addresses (rhbz 914664 999380) diff --git a/mei-3.10.y.patch b/mei-3.10.y.patch new file mode 100644 index 000000000..210adac5a --- /dev/null +++ b/mei-3.10.y.patch @@ -0,0 +1,357 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp116476oab; + Sun, 25 Aug 2013 02:53:05 -0700 (PDT) +X-Received: by 10.68.212.37 with SMTP id nh5mr9408188pbc.16.1377424384710; + Sun, 25 Aug 2013 02:53:04 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id qf5si6944869pac.66.1969.12.31.16.00.00; + Sun, 25 Aug 2013 02:53:04 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756376Ab3HYJwV (ORCPT + + 58 others); Sun, 25 Aug 2013 05:52:21 -0400 +Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1756234Ab3HYJwM (ORCPT ); + Sun, 25 Aug 2013 05:52:12 -0400 +Received: from azsmga001.ch.intel.com ([10.2.17.19]) + by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:12 -0700 +X-ExtLoop1: 1 +X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; + d="scan'208";a="351301658" +Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) + by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:10 -0700 +From: Tomas Winkler +To: gregkh@linuxfoundation.org +Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, + Tomas Winkler , stable@vger.kernel.org +Subject: [3.10][PATCH 1/4] mei: me: fix reset state machine +Date: Sun, 25 Aug 2013 12:49:46 +0300 +Message-Id: <1377424189-5508-2-git-send-email-tomas.winkler@intel.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +stable: 3.10 +commit 315a383ad7dbd484fafb93ef08038e3dbafbb7a8 upstream + + +ME HW ready bit is down after hw reset was asserted or on error. +Only on error we need to enter the reset flow, additional reset +need to be prevented when reset was triggered during +initialization , power up/down or a reset is already in progress + +Cc: stable@vger.kernel.org +Tested-by: Shuah Khan +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c +index 822170f..0310859 100644 +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -482,7 +482,9 @@ irqreturn_t mei_me_irq_thread_handler(int irq, void *dev_id) + /* check if ME wants a reset */ + if (!mei_hw_is_ready(dev) && + dev->dev_state != MEI_DEV_RESETTING && +- dev->dev_state != MEI_DEV_INITIALIZING) { ++ dev->dev_state != MEI_DEV_INITIALIZING && ++ dev->dev_state != MEI_DEV_POWER_DOWN && ++ dev->dev_state != MEI_DEV_POWER_UP) { + dev_dbg(&dev->pdev->dev, "FW not ready.\n"); + mei_reset(dev, 1); + mutex_unlock(&dev->device_lock); +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp116479oab; + Sun, 25 Aug 2013 02:53:12 -0700 (PDT) +X-Received: by 10.68.219.104 with SMTP id pn8mr9271522pbc.81.1377424392029; + Sun, 25 Aug 2013 02:53:12 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id ut10si6347816pbc.210.1969.12.31.16.00.00; + Sun, 25 Aug 2013 02:53:12 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756385Ab3HYJwW (ORCPT + + 58 others); Sun, 25 Aug 2013 05:52:22 -0400 +Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1756301Ab3HYJwO (ORCPT ); + Sun, 25 Aug 2013 05:52:14 -0400 +Received: from azsmga001.ch.intel.com ([10.2.17.19]) + by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:14 -0700 +X-ExtLoop1: 1 +X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; + d="scan'208";a="351301662" +Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) + by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:12 -0700 +From: Tomas Winkler +To: gregkh@linuxfoundation.org +Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, + Tomas Winkler , stable@vger.kernel.org +Subject: [3.10][PATCH 2/4] mei: don't have to clean the state on power up +Date: Sun, 25 Aug 2013 12:49:47 +0300 +Message-Id: <1377424189-5508-3-git-send-email-tomas.winkler@intel.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +stable: 3.10 +commit 99f22c4ef24cf87b0dae6aabe6b5e620b62961d9 upstream + +When powering up, we don't have to clean up the device state +nothing is connected. + +Cc: stable@vger.kernel.org +Tested-by: Shuah Khan +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/init.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/misc/mei/init.c b/drivers/misc/mei/init.c +index f580d30..6eec689 100644 +--- a/drivers/misc/mei/init.c ++++ b/drivers/misc/mei/init.c +@@ -143,7 +143,8 @@ void mei_reset(struct mei_device *dev, int interrupts_enabled) + + dev->hbm_state = MEI_HBM_IDLE; + +- if (dev->dev_state != MEI_DEV_INITIALIZING) { ++ if (dev->dev_state != MEI_DEV_INITIALIZING && ++ dev->dev_state != MEI_DEV_POWER_UP) { + if (dev->dev_state != MEI_DEV_DISABLED && + dev->dev_state != MEI_DEV_POWER_DOWN) + dev->dev_state = MEI_DEV_RESETTING; +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp116502oab; + Sun, 25 Aug 2013 02:54:30 -0700 (PDT) +X-Received: by 10.68.102.165 with SMTP id fp5mr9198656pbb.83.1377424469866; + Sun, 25 Aug 2013 02:54:29 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id yk3si6904106pac.244.1969.12.31.16.00.00; + Sun, 25 Aug 2013 02:54:29 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756437Ab3HYJwo (ORCPT + + 58 others); Sun, 25 Aug 2013 05:52:44 -0400 +Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1756338Ab3HYJwQ (ORCPT ); + Sun, 25 Aug 2013 05:52:16 -0400 +Received: from azsmga001.ch.intel.com ([10.2.17.19]) + by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:16 -0700 +X-ExtLoop1: 1 +X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; + d="scan'208";a="351301665" +Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) + by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:14 -0700 +From: Tomas Winkler +To: gregkh@linuxfoundation.org +Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, + Tomas Winkler , stable@vger.kernel.org +Subject: [3.10][PATCH 3/4] mei: me: fix waiting for hw ready +Date: Sun, 25 Aug 2013 12:49:48 +0300 +Message-Id: <1377424189-5508-4-git-send-email-tomas.winkler@intel.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +stable: 3.10 +commit dab9bf41b23fe700c4a74133e41eb6a21706031e upstream + + +1. MEI_INTEROP_TIMEOUT is in seconds not in jiffies +so we use mei_secs_to_jiffies macro +While cold boot is fast this is relevant in resume +2. wait_event_interruptible_timeout can return with +-ERESTARTSYS so do not override it with -ETIMEDOUT +3.Adjust error message + +Cc: stable@vger.kernel.org +Tested-by: Shuah Khan +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman +--- + drivers/misc/mei/hw-me.c | 10 +++++++--- + 1 file changed, 7 insertions(+), 3 deletions(-) + +diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c +index 0310859..700fe55 100644 +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -238,14 +238,18 @@ static int mei_me_hw_ready_wait(struct mei_device *dev) + if (mei_me_hw_is_ready(dev)) + return 0; + ++ dev->recvd_hw_ready = false; + mutex_unlock(&dev->device_lock); + err = wait_event_interruptible_timeout(dev->wait_hw_ready, +- dev->recvd_hw_ready, MEI_INTEROP_TIMEOUT); ++ dev->recvd_hw_ready, ++ mei_secs_to_jiffies(MEI_INTEROP_TIMEOUT)); + mutex_lock(&dev->device_lock); + if (!err && !dev->recvd_hw_ready) { ++ if (!err) ++ err = -ETIMEDOUT; + dev_err(&dev->pdev->dev, +- "wait hw ready failed. status = 0x%x\n", err); +- return -ETIMEDOUT; ++ "wait hw ready failed. status = %d\n", err); ++ return err; + } + + dev->recvd_hw_ready = false; +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp116477oab; + Sun, 25 Aug 2013 02:53:06 -0700 (PDT) +X-Received: by 10.66.146.42 with SMTP id sz10mr8515943pab.78.1377424384757; + Sun, 25 Aug 2013 02:53:04 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id zu9si6326866pbc.308.1969.12.31.16.00.00; + Sun, 25 Aug 2013 02:53:04 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756391Ab3HYJwW (ORCPT + + 58 others); Sun, 25 Aug 2013 05:52:22 -0400 +Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1756361Ab3HYJwT (ORCPT ); + Sun, 25 Aug 2013 05:52:19 -0400 +Received: from azsmga001.ch.intel.com ([10.2.17.19]) + by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:18 -0700 +X-ExtLoop1: 1 +X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; + d="scan'208";a="351301674" +Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) + by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:16 -0700 +From: Tomas Winkler +To: gregkh@linuxfoundation.org +Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, + Tomas Winkler , + stable@vger.kernel.org, Shuah Khan , + Konstantin Khlebnikov +Subject: [3.10][PATCH 4/4] mei: me: fix hardware reset flow +Date: Sun, 25 Aug 2013 12:49:49 +0300 +Message-Id: <1377424189-5508-5-git-send-email-tomas.winkler@intel.com> +X-Mailer: git-send-email 1.8.1.2 +In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +stable: 3.10 +commit ff96066e3171acdea356b331163495957cb833d0 char-misc + + +Both H_IS and H_IE needs to be set to receive H_RDY +interrupt + +1. Assert H_IS to clear the interrupts during hw reset +and use mei_me_reg_write instead of mei_hcsr_set as the later +strips down the H_IS + +2. fix interrupt disablement embarrassing typo + hcsr |= ~H_IE -> hcsr &= ~H_IE; +this will remove the unwanted interrupt on power down + +3. remove useless debug print outs + +Cc: stable@vger.kernel.org +Cc: Shuah Khan +Cc: Konstantin Khlebnikov +Signed-off-by: Tomas Winkler +Signed-off-by: Greg Kroah-Hartman + +Conflicts: + drivers/misc/mei/hw-me.c + +--- + drivers/misc/mei/hw-me.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c +index 700fe55..1bf3f8b 100644 +--- a/drivers/misc/mei/hw-me.c ++++ b/drivers/misc/mei/hw-me.c +@@ -176,16 +176,14 @@ static void mei_me_hw_reset(struct mei_device *dev, bool intr_enable) + struct mei_me_hw *hw = to_me_hw(dev); + u32 hcsr = mei_hcsr_read(hw); + +- dev_dbg(&dev->pdev->dev, "before reset HCSR = 0x%08x.\n", hcsr); +- +- hcsr |= (H_RST | H_IG); ++ hcsr |= H_RST | H_IG | H_IS; + + if (intr_enable) + hcsr |= H_IE; + else +- hcsr |= ~H_IE; ++ hcsr &= ~H_IE; + +- mei_hcsr_set(hw, hcsr); ++ mei_me_reg_write(hw, H_CSR, hcsr); + + if (dev->dev_state == MEI_DEV_POWER_DOWN) + mei_me_hw_reset_release(dev); +-- +1.8.1.2 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html From f009258a3639ba951b83e9b9e3c109a494c26e19 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 29 Aug 2013 13:51:01 -0500 Subject: [PATCH 196/468] Linux v3.10.10 --- devel-pekey-secure-boot-20130502.patch | 4 +- ...ng-ieee80211_chswitch_done-with-NULL.patch | 58 ---- kernel.spec | 13 +- mei-3.10.y.patch | 253 ------------------ sources | 2 +- 5 files changed, 8 insertions(+), 322 deletions(-) delete mode 100644 iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch diff --git a/devel-pekey-secure-boot-20130502.patch b/devel-pekey-secure-boot-20130502.patch index 703bbf5ad..0a5342f83 100644 --- a/devel-pekey-secure-boot-20130502.patch +++ b/devel-pekey-secure-boot-20130502.patch @@ -4670,9 +4670,9 @@ index 653668d..69a6c08 100644 --- a/arch/x86/include/asm/bootparam_utils.h +++ b/arch/x86/include/asm/bootparam_utils.h @@ -38,9 +38,13 @@ static void sanitize_boot_params(struct boot_params *boot_params) - memset(&boot_params->olpc_ofw_header, 0, + memset(&boot_params->ext_ramdisk_image, 0, (char *)&boot_params->efi_info - - (char *)&boot_params->olpc_ofw_header); + (char *)&boot_params->ext_ramdisk_image); - memset(&boot_params->kbd_status, 0, + memset(&boot_params->kbd_status, 0, sizeof(boot_params->kbd_status)); + /* don't clear boot_params->secure_boot. we set that ourselves diff --git a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch b/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch deleted file mode 100644 index 84d6aa06d..000000000 --- a/iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch +++ /dev/null @@ -1,58 +0,0 @@ -If channel switch is pending and we remove interface we can -crash like showed below due to passing NULL vif to mac80211: - -BUG: unable to handle kernel paging request at fffffffffffff8cc -IP: [] strnlen+0xd/0x40 -Call Trace: - [] string.isra.3+0x3e/0xd0 - [] vsnprintf+0x219/0x640 - [] vscnprintf+0x11/0x30 - [] vprintk_emit+0x115/0x4f0 - [] printk+0x61/0x63 - [] ieee80211_chswitch_done+0xaf/0xd0 [mac80211] - [] iwl_chswitch_done+0x34/0x40 [iwldvm] - [] iwlagn_commit_rxon+0x2a3/0xdc0 [iwldvm] - [] ? iwlagn_set_rxon_chain+0x180/0x2c0 [iwldvm] - [] iwl_set_mode+0x36/0x40 [iwldvm] - [] iwlagn_mac_remove_interface+0x8d/0x1b0 [iwldvm] - [] ieee80211_do_stop+0x29d/0x7f0 [mac80211] - -This is because we nulify ctx->vif in iwlagn_mac_remove_interface() -before calling some other functions that teardown interface. To fix -just check ctx->vif on iwl_chswitch_done(). We should not call -ieee80211_chswitch_done() as channel switch works were already canceled -by mac80211 in ieee80211_do_stop() -> ieee80211_mgd_stop(). - -Resolve: -https://bugzilla.redhat.com/show_bug.cgi?id=979581 - -Cc: stable@vger.kernel.org -Reported-by: Lukasz Jagiello -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/iwlwifi/dvm/mac80211.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/iwlwifi/dvm/mac80211.c b/drivers/net/wireless/iwlwifi/dvm/mac80211.c -index 323e4a3..9a817df 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/mac80211.c -+++ b/drivers/net/wireless/iwlwifi/dvm/mac80211.c -@@ -1046,7 +1046,10 @@ void iwl_chswitch_done(struct iwl_priv *priv, bool is_success) - if (test_bit(STATUS_EXIT_PENDING, &priv->status)) - return; - -- if (test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) -+ if (!test_and_clear_bit(STATUS_CHANNEL_SWITCH_PENDING, &priv->status)) -+ return; -+ -+ if (ctx->vif) - ieee80211_chswitch_done(ctx->vif, is_success); - } - --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index 05da6ebf7..0d8445f4d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -758,9 +758,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 959721 Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch -#rhbz 979581 -Patch25069: iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch - #rhbz 969473 Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch @@ -1484,9 +1481,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 959721 ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch -#rhbz 979581 -ApplyPatch iwlwifi-dvm-fix-calling-ieee80211_chswitch_done-with-NULL.patch - #rhbz 969473 ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch @@ -2316,6 +2310,9 @@ fi # and build. %changelog +* Thu Aug 29 2013 Justin M. Forbes 3.10.10-200 +- Linux v3.10.10 + * Wed Aug 28 2013 Josh Boyer - Add mei patches that fix various s/r issues (rhbz 994824 989373) diff --git a/mei-3.10.y.patch b/mei-3.10.y.patch index 210adac5a..b0c6c34b5 100644 --- a/mei-3.10.y.patch +++ b/mei-3.10.y.patch @@ -1,256 +1,3 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp116476oab; - Sun, 25 Aug 2013 02:53:05 -0700 (PDT) -X-Received: by 10.68.212.37 with SMTP id nh5mr9408188pbc.16.1377424384710; - Sun, 25 Aug 2013 02:53:04 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id qf5si6944869pac.66.1969.12.31.16.00.00; - Sun, 25 Aug 2013 02:53:04 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756376Ab3HYJwV (ORCPT - + 58 others); Sun, 25 Aug 2013 05:52:21 -0400 -Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756234Ab3HYJwM (ORCPT ); - Sun, 25 Aug 2013 05:52:12 -0400 -Received: from azsmga001.ch.intel.com ([10.2.17.19]) - by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:12 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; - d="scan'208";a="351301658" -Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) - by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:10 -0700 -From: Tomas Winkler -To: gregkh@linuxfoundation.org -Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, - Tomas Winkler , stable@vger.kernel.org -Subject: [3.10][PATCH 1/4] mei: me: fix reset state machine -Date: Sun, 25 Aug 2013 12:49:46 +0300 -Message-Id: <1377424189-5508-2-git-send-email-tomas.winkler@intel.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -stable: 3.10 -commit 315a383ad7dbd484fafb93ef08038e3dbafbb7a8 upstream - - -ME HW ready bit is down after hw reset was asserted or on error. -Only on error we need to enter the reset flow, additional reset -need to be prevented when reset was triggered during -initialization , power up/down or a reset is already in progress - -Cc: stable@vger.kernel.org -Tested-by: Shuah Khan -Signed-off-by: Tomas Winkler -Signed-off-by: Greg Kroah-Hartman ---- - drivers/misc/mei/hw-me.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c -index 822170f..0310859 100644 ---- a/drivers/misc/mei/hw-me.c -+++ b/drivers/misc/mei/hw-me.c -@@ -482,7 +482,9 @@ irqreturn_t mei_me_irq_thread_handler(int irq, void *dev_id) - /* check if ME wants a reset */ - if (!mei_hw_is_ready(dev) && - dev->dev_state != MEI_DEV_RESETTING && -- dev->dev_state != MEI_DEV_INITIALIZING) { -+ dev->dev_state != MEI_DEV_INITIALIZING && -+ dev->dev_state != MEI_DEV_POWER_DOWN && -+ dev->dev_state != MEI_DEV_POWER_UP) { - dev_dbg(&dev->pdev->dev, "FW not ready.\n"); - mei_reset(dev, 1); - mutex_unlock(&dev->device_lock); --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp116479oab; - Sun, 25 Aug 2013 02:53:12 -0700 (PDT) -X-Received: by 10.68.219.104 with SMTP id pn8mr9271522pbc.81.1377424392029; - Sun, 25 Aug 2013 02:53:12 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id ut10si6347816pbc.210.1969.12.31.16.00.00; - Sun, 25 Aug 2013 02:53:12 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756385Ab3HYJwW (ORCPT - + 58 others); Sun, 25 Aug 2013 05:52:22 -0400 -Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756301Ab3HYJwO (ORCPT ); - Sun, 25 Aug 2013 05:52:14 -0400 -Received: from azsmga001.ch.intel.com ([10.2.17.19]) - by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:14 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; - d="scan'208";a="351301662" -Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) - by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:12 -0700 -From: Tomas Winkler -To: gregkh@linuxfoundation.org -Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, - Tomas Winkler , stable@vger.kernel.org -Subject: [3.10][PATCH 2/4] mei: don't have to clean the state on power up -Date: Sun, 25 Aug 2013 12:49:47 +0300 -Message-Id: <1377424189-5508-3-git-send-email-tomas.winkler@intel.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -stable: 3.10 -commit 99f22c4ef24cf87b0dae6aabe6b5e620b62961d9 upstream - -When powering up, we don't have to clean up the device state -nothing is connected. - -Cc: stable@vger.kernel.org -Tested-by: Shuah Khan -Signed-off-by: Tomas Winkler -Signed-off-by: Greg Kroah-Hartman ---- - drivers/misc/mei/init.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/misc/mei/init.c b/drivers/misc/mei/init.c -index f580d30..6eec689 100644 ---- a/drivers/misc/mei/init.c -+++ b/drivers/misc/mei/init.c -@@ -143,7 +143,8 @@ void mei_reset(struct mei_device *dev, int interrupts_enabled) - - dev->hbm_state = MEI_HBM_IDLE; - -- if (dev->dev_state != MEI_DEV_INITIALIZING) { -+ if (dev->dev_state != MEI_DEV_INITIALIZING && -+ dev->dev_state != MEI_DEV_POWER_UP) { - if (dev->dev_state != MEI_DEV_DISABLED && - dev->dev_state != MEI_DEV_POWER_DOWN) - dev->dev_state = MEI_DEV_RESETTING; --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp116502oab; - Sun, 25 Aug 2013 02:54:30 -0700 (PDT) -X-Received: by 10.68.102.165 with SMTP id fp5mr9198656pbb.83.1377424469866; - Sun, 25 Aug 2013 02:54:29 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id yk3si6904106pac.244.1969.12.31.16.00.00; - Sun, 25 Aug 2013 02:54:29 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756437Ab3HYJwo (ORCPT - + 58 others); Sun, 25 Aug 2013 05:52:44 -0400 -Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756338Ab3HYJwQ (ORCPT ); - Sun, 25 Aug 2013 05:52:16 -0400 -Received: from azsmga001.ch.intel.com ([10.2.17.19]) - by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:16 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; - d="scan'208";a="351301665" -Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) - by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:14 -0700 -From: Tomas Winkler -To: gregkh@linuxfoundation.org -Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, - Tomas Winkler , stable@vger.kernel.org -Subject: [3.10][PATCH 3/4] mei: me: fix waiting for hw ready -Date: Sun, 25 Aug 2013 12:49:48 +0300 -Message-Id: <1377424189-5508-4-git-send-email-tomas.winkler@intel.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -stable: 3.10 -commit dab9bf41b23fe700c4a74133e41eb6a21706031e upstream - - -1. MEI_INTEROP_TIMEOUT is in seconds not in jiffies -so we use mei_secs_to_jiffies macro -While cold boot is fast this is relevant in resume -2. wait_event_interruptible_timeout can return with --ERESTARTSYS so do not override it with -ETIMEDOUT -3.Adjust error message - -Cc: stable@vger.kernel.org -Tested-by: Shuah Khan -Signed-off-by: Tomas Winkler -Signed-off-by: Greg Kroah-Hartman ---- - drivers/misc/mei/hw-me.c | 10 +++++++--- - 1 file changed, 7 insertions(+), 3 deletions(-) - -diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c -index 0310859..700fe55 100644 ---- a/drivers/misc/mei/hw-me.c -+++ b/drivers/misc/mei/hw-me.c -@@ -238,14 +238,18 @@ static int mei_me_hw_ready_wait(struct mei_device *dev) - if (mei_me_hw_is_ready(dev)) - return 0; - -+ dev->recvd_hw_ready = false; - mutex_unlock(&dev->device_lock); - err = wait_event_interruptible_timeout(dev->wait_hw_ready, -- dev->recvd_hw_ready, MEI_INTEROP_TIMEOUT); -+ dev->recvd_hw_ready, -+ mei_secs_to_jiffies(MEI_INTEROP_TIMEOUT)); - mutex_lock(&dev->device_lock); - if (!err && !dev->recvd_hw_ready) { -+ if (!err) -+ err = -ETIMEDOUT; - dev_err(&dev->pdev->dev, -- "wait hw ready failed. status = 0x%x\n", err); -- return -ETIMEDOUT; -+ "wait hw ready failed. status = %d\n", err); -+ return err; - } - - dev->recvd_hw_ready = false; --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - Delivered-To: jwboyer@gmail.com Received: by 10.76.168.104 with SMTP id zv8csp116477oab; Sun, 25 Aug 2013 02:53:06 -0700 (PDT) diff --git a/sources b/sources index 25af45e94..0479b31a7 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -868d7f5315f95da5e48ed56691a36263 patch-3.10.9.xz +d010ef17d3e577fd1bdcb6887f2b9836 patch-3.10.10.xz From 9a4816675a8ddc842d088fc19fa860545e331a0e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 30 Aug 2013 13:03:20 -0400 Subject: [PATCH 197/468] Fix HID CVEs. Absurd. - CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 - CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 - CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 - CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 - CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 --- HID-CVE-fixes.patch | 1405 +++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 22 + 2 files changed, 1427 insertions(+) create mode 100644 HID-CVE-fixes.patch diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch new file mode 100644 index 000000000..2b52d013f --- /dev/null +++ b/HID-CVE-fixes.patch @@ -0,0 +1,1405 @@ +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 01/14] HID: validate HID report id size +Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST) +Lines: 81 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:06 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmNR-0008U8-2t + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754658Ab3H1UaD (ORCPT ); + Wed, 28 Aug 2013 16:30:03 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752748Ab3H1UaD (ORCPT ); + Wed, 28 Aug 2013 16:30:03 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B; + Wed, 28 Aug 2013 22:30:01 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31652 +Archived-At: + +From: Kees Cook + +The "Report ID" field of a HID report is used to build indexes of +reports. The kernel's index of these is limited to 256 entries, so any +malicious device that sets a Report ID greater than 255 will trigger +memory corruption on the host: + +[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 +[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + +CVE-2013-2888 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 36668d1..5ea7d51 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, + struct hid_report_enum *report_enum = device->report_enum + type; + struct hid_report *report; + ++ if (id >= HID_MAX_IDS) ++ return NULL; + if (report_enum->report_id_hash[id]) + return report_enum->report_id_hash[id]; + +@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) + + case HID_GLOBAL_ITEM_TAG_REPORT_ID: + parser->global.report_id = item_udata(item); +- if (parser->global.report_id == 0) { +- hid_err(parser->device, "report_id 0 is invalid\n"); ++ if (parser->global.report_id == 0 || ++ parser->global.report_id >= HID_MAX_IDS) { ++ hid_err(parser->device, "report_id %u is invalid\n", ++ parser->global.report_id); + return -1; + } + return 0; +@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) + for (i = 0; i < HID_REPORT_TYPES; i++) { + struct hid_report_enum *report_enum = device->report_enum + i; + +- for (j = 0; j < 256; j++) { ++ for (j = 0; j < HID_MAX_IDS; j++) { + struct hid_report *report = report_enum->report_id_hash[j]; + if (report) + hid_free_report(report); +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 0c48991..ff545cc 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -393,10 +393,12 @@ struct hid_report { + struct hid_device *device; /* associated device */ + }; + ++#define HID_MAX_IDS 256 ++ + struct hid_report_enum { + unsigned numbered; + struct list_head report_list; +- struct hid_report *report_id_hash[256]; ++ struct hid_report *report_id_hash[HID_MAX_IDS]; + }; + + #define HID_REPORT_TYPES 3 + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 02/14] HID: provide a helper for validating hid reports +Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST) +Lines: 99 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721810 9564 80.91.229.3 (28 Aug 2013 20:30:10 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:10 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:12 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmNX-0008U8-Cg + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:11 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754750Ab3H1UaK (ORCPT ); + Wed, 28 Aug 2013 16:30:10 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57911 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752748Ab3H1UaK (ORCPT ); + Wed, 28 Aug 2013 16:30:10 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 3C054A531D; + Wed, 28 Aug 2013 22:30:09 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31653 +Archived-At: + +From: Kees Cook + +Many drivers need to validate the characteristics of their HID report +during initialization to avoid misusing the reports. This adds a common +helper to perform validation of the report, its field count, and the +value count within the fields. + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 ++++ + 2 files changed, 54 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 5ea7d51..55798b2 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) + } + EXPORT_SYMBOL_GPL(hid_parse_report); + ++static const char * const hid_report_names[] = { ++ "HID_INPUT_REPORT", ++ "HID_OUTPUT_REPORT", ++ "HID_FEATURE_REPORT", ++}; ++/** ++ * hid_validate_report - validate existing device report ++ * ++ * @device: hid device ++ * @type: which report type to examine ++ * @id: which report ID to examine (0 for first) ++ * @fields: expected number of fields ++ * @report_counts: expected number of values per field ++ * ++ * Validate the report details after parsing. ++ */ ++struct hid_report *hid_validate_report(struct hid_device *hid, ++ unsigned int type, unsigned int id, ++ unsigned int fields, ++ unsigned int report_counts) ++{ ++ struct hid_report *report; ++ unsigned int i; ++ ++ if (type > HID_FEATURE_REPORT) { ++ hid_err(hid, "invalid HID report %u\n", type); ++ return NULL; ++ } ++ ++ report = hid->report_enum[type].report_id_hash[id]; ++ if (!report) { ++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); ++ return NULL; ++ } ++ if (report->maxfield < fields) { ++ hid_err(hid, "not enough fields in %s %u\n", ++ hid_report_names[type], id); ++ return NULL; ++ } ++ for (i = 0; i < fields; i++) { ++ if (report->field[i]->report_count < report_counts) { ++ hid_err(hid, "not enough values in %s %u fields\n", ++ hid_report_names[type], id); ++ return NULL; ++ } ++ } ++ return report; ++} ++EXPORT_SYMBOL_GPL(hid_validate_report); ++ + /** + * hid_open_report - open a driver-specific device report + * +diff --git a/include/linux/hid.h b/include/linux/hid.h +index ff545cc..76e41d8 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); + struct hid_device *hid_allocate_device(void); + struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); + int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); ++struct hid_report *hid_validate_report(struct hid_device *hid, ++ unsigned int type, unsigned int id, ++ unsigned int fields, ++ unsigned int report_counts); + int hid_open_report(struct hid_device *device); + int hid_check_keys_pressed(struct hid_device *hid); + int hid_connect(struct hid_device *hid, unsigned int connect_mask); + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 03/14] HID: zeroplus: validate output report details +Date: Wed, 28 Aug 2013 22:30:15 +0200 (CEST) +Lines: 57 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721819 9648 80.91.229.3 (28 Aug 2013 20:30:19 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:19 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:21 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmNg-0008U8-24 + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:21 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754896Ab3H1UaT (ORCPT ); + Wed, 28 Aug 2013 16:30:19 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57913 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752748Ab3H1UaS (ORCPT ); + Wed, 28 Aug 2013 16:30:18 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id A94ACA531D; + Wed, 28 Aug 2013 22:30:17 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31654 +Archived-At: + +From: Kees Cook + +The zeroplus HID driver was not checking the size of allocated values +in fields it used. A HID device could send a malicious output report +that would cause the driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 +... +[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2889 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-zpff.c | 14 ++------------ + 1 file changed, 2 insertions(+), 12 deletions(-) + +diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c +index 6ec28a3..b124991 100644 +--- a/drivers/hid/hid-zpff.c ++++ b/drivers/hid/hid-zpff.c +@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid) + struct hid_report *report; + struct hid_input *hidinput = list_entry(hid->inputs.next, + struct hid_input, list); +- struct list_head *report_list = +- &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; + int error; + +- if (list_empty(report_list)) { +- hid_err(hid, "no output report found\n"); ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1); ++ if (!report) + return -ENODEV; +- } +- +- report = list_entry(report_list->next, struct hid_report, list); +- +- if (report->maxfield < 4) { +- hid_err(hid, "not enough fields in report\n"); +- return -ENODEV; +- } + + zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); + if (!zpff) + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 05/14] HID: steelseries: validate output report details +Date: Wed, 28 Aug 2013 22:30:37 +0200 (CEST) +Lines: 43 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721849 9885 80.91.229.3 (28 Aug 2013 20:30:49 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:49 +0000 (UTC) +Cc: Kees Cook , Simon Wood +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:51 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmO7-0000cl-Po + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:48 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1755238Ab3H1Uam (ORCPT ); + Wed, 28 Aug 2013 16:30:42 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57942 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754222Ab3H1Uak (ORCPT ); + Wed, 28 Aug 2013 16:30:40 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id EFDE1A531D; + Wed, 28 Aug 2013 22:30:39 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31656 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +steelseries HID driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 +... +[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + +CVE-2013-2891 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-steelseries.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c +index d164911..ef42e86 100644 +--- a/drivers/hid/hid-steelseries.c ++++ b/drivers/hid/hid-steelseries.c +@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, + goto err_free; + } + ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) { ++ ret = -ENODEV; ++ goto err_free; ++ } ++ + ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); + if (ret) { + hid_err(hdev, "hw start failed\n"); + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 06/14] HID: pantherlord: validate output report details +Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST) +Lines: 47 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:55 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOD-0000cl-Qd + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754500Ab3H1Uax (ORCPT ); + Wed, 28 Aug 2013 16:30:53 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1753468Ab3H1Uaw (ORCPT ); + Wed, 28 Aug 2013 16:30:52 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 21315A531D; + Wed, 28 Aug 2013 22:30:52 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31657 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +pantherlord HID driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 +... +[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2892 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c +index d29112f..2dcd7d9 100644 +--- a/drivers/hid/hid-pl.c ++++ b/drivers/hid/hid-pl.c +@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) + strong = &report->field[0]->value[2]; + weak = &report->field[0]->value[3]; + debug("detected single-field device"); +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { ++ } else if (report->field[0]->maxusage == 1 && ++ report->field[0]->usage[0].hid == ++ (HID_UP_LED | 0x43) && ++ report->maxfield >= 4 && ++ report->field[0]->report_count >= 1 && ++ report->field[1]->report_count >= 1 && ++ report->field[2]->report_count >= 1 && ++ report->field[3]->report_count >= 1) { + report->field[0]->value[0] = 0x00; + report->field[1]->value[0] = 0x00; + strong = &report->field[2]->value[0]; +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 07/14] HID: LG: validate HID output report details +Date: Wed, 28 Aug 2013 22:31:00 +0200 (CEST) +Lines: 194 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721865 10099 80.91.229.3 (28 Aug 2013 20:31:05 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:05 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:07 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOQ-0000cl-Fi + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:06 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753468Ab3H1UbF (ORCPT ); + Wed, 28 Aug 2013 16:31:05 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57957 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752780Ab3H1UbE (ORCPT ); + Wed, 28 Aug 2013 16:31:04 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 5F1F5A531D; + Wed, 28 Aug 2013 22:31:03 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31658 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +lg, lg3, and lg4 HID drivers to write beyond the output report allocation +during an event, causing a heap overflow: + +[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 +... +[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + +Additionally, while lg2 did correctly validate the report details, it was +cleaned up and shortened. + +CVE-2013-2893 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c +index b3cd150..9805197 100644 +--- a/drivers/hid/hid-lg2ff.c ++++ b/drivers/hid/hid-lg2ff.c +@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) + struct hid_report *report; + struct hid_input *hidinput = list_entry(hid->inputs.next, + struct hid_input, list); +- struct list_head *report_list = +- &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; + int error; + +- if (list_empty(report_list)) { +- hid_err(hid, "no output report found\n"); ++ /* Check that the report looks ok */ ++ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7); ++ if (!report) + return -ENODEV; +- } +- +- report = list_entry(report_list->next, struct hid_report, list); +- +- if (report->maxfield < 1) { +- hid_err(hid, "output report is empty\n"); +- return -ENODEV; +- } +- if (report->field[0]->report_count < 7) { +- hid_err(hid, "not enough values in the field\n"); +- return -ENODEV; +- } + + lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); + if (!lg2ff) +diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c +index e52f181..53ac79b 100644 +--- a/drivers/hid/hid-lg3ff.c ++++ b/drivers/hid/hid-lg3ff.c +@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, + int x, y; + + /* +- * Maxusage should always be 63 (maximum fields) +- * likely a better way to ensure this data is clean ++ * Available values in the field should always be 63, but we only use up to ++ * 35. Instead, clear the entire area, however big it is. + */ +- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); ++ memset(report->field[0]->value, 0, ++ sizeof(__s32) * report->field[0]->report_count); + + switch (effect->type) { + case FF_CONSTANT: +@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { + int lg3ff_init(struct hid_device *hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + const signed short *ff_bits = ff3_joystick_ac; + int error; + int i; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- if (!report) { +- hid_err(hid, "NULL output report\n"); +- return -1; +- } +- +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35)) ++ return -ENODEV; + + /* Assume single fixed device G940 */ + for (i = 0; ff_bits[i] >= 0; i++) +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c +index 0ddae2a..8b89f0f 100644 +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde + int lg4ff_init(struct hid_device *hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + struct lg4ff_device_entry *entry; + struct lg_drv_data *drv_data; + struct usb_device_descriptor *udesc; + int error, i, j; + __u16 bcdDevice, rev_maj, rev_min; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- if (!report) { +- hid_err(hid, "NULL output report\n"); ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) + return -1; +- } +- +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } + + /* Check what wheel has been connected */ + for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { +diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c +index d7ea8c8..a84fb40 100644 +--- a/drivers/hid/hid-lgff.c ++++ b/drivers/hid/hid-lgff.c +@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) + int lgff_init(struct hid_device* hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + const signed short *ff_bits = ff_joystick; + int error; + int i; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } ++ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) ++ return -ENODEV; + + for (i = 0; i < ARRAY_SIZE(devices); i++) { + if (dev->id.vendor == devices[i].idVendor && +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 08/14] HID: lenovo-tpkbd: validate output report details +Date: Wed, 28 Aug 2013 22:31:10 +0200 (CEST) +Lines: 42 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721874 10167 80.91.229.3 (28 Aug 2013 20:31:14 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:14 +0000 (UTC) +Cc: Kees Cook , + Bernhard Seibold +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:16 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOY-0000cl-HM + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:14 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754122Ab3H1UbN (ORCPT ); + Wed, 28 Aug 2013 16:31:13 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57965 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752780Ab3H1UbN (ORCPT ); + Wed, 28 Aug 2013 16:31:13 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 982A1A531D; + Wed, 28 Aug 2013 22:31:12 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31659 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +lenovo-tpkbd HID driver to write just beyond the output report allocation +during initialization, causing a heap overflow: + +[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 +... +[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2894 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c +index 07837f5..b697ada 100644 +--- a/drivers/hid/hid-lenovo-tpkbd.c ++++ b/drivers/hid/hid-lenovo-tpkbd.c +@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev) + char *name_mute, *name_micmute; + int ret; + ++ /* Validate required reports. */ ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) || ++ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2)) ++ return -ENODEV; ++ + if (sysfs_create_group(&hdev->dev.kobj, + &tpkbd_attr_group_pointer)) { + hid_warn(hdev, "Could not create sysfs group\n"); +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 09/14] HID: logitech-dj: validate output report details +Date: Wed, 28 Aug 2013 22:31:18 +0200 (CEST) +Lines: 65 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721883 10249 80.91.229.3 (28 Aug 2013 20:31:23 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:23 +0000 (UTC) +Cc: Kees Cook , + Nestor Lopez Casado +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:25 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOg-0000cl-O9 + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:23 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752780Ab3H1UbW (ORCPT ); + Wed, 28 Aug 2013 16:31:22 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57976 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1751971Ab3H1UbV (ORCPT ); + Wed, 28 Aug 2013 16:31:21 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id D53F8A531D; + Wed, 28 Aug 2013 22:31:20 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31660 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +logitech-dj HID driver to leak kernel memory contents to the device, or +trigger a NULL dereference during initialization: + +[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b +... +[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 +[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + +CVE-2013-2895 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index cd33084..7b99c2a 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, + struct hid_report *report; + struct hid_report_enum *output_report_enum; + u8 *data = (u8 *)(&dj_report->device_index); +- int i; ++ unsigned int i, length; + + output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; + report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; +@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, + return -ENODEV; + } + +- for (i = 0; i < report->field[0]->report_count; i++) ++ length = min_t(size_t, sizeof(*dj_report) - 1, ++ report->field[0]->report_count); ++ for (i = 0; i < length; i++) + report->field[0]->value[i] = data[i]; + + hid_hw_request(hdev, report, HID_REQ_SET_REPORT); +@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev, + goto hid_parse_fail; + } + ++ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, ++ 1, 3)) { ++ retval = -ENODEV; ++ goto hid_parse_fail; ++ } ++ + /* Starts the usb device and connects to upper interfaces hiddev and + * hidraw */ + retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 10/14] HID: ntrig: validate feature report details +Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST) +Lines: 41 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC) +Cc: Kees Cook , Rafi Rubin +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:36 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOq-0000cl-KK + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753024Ab3H1Ubc (ORCPT ); + Wed, 28 Aug 2013 16:31:32 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1751971Ab3H1Ubb (ORCPT ); + Wed, 28 Aug 2013 16:31:31 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D; + Wed, 28 Aug 2013 22:31:30 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31661 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious feature report that would cause the +ntrig HID driver to trigger a NULL dereference during initialization: + +[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 +... +[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + +CVE-2013-2896 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-ntrig.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c +index ef95102..5482156 100644 +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. + report_id_hash[0x0d]; + +- if (!report) ++ if (!report || report->maxfield < 1 || ++ report->field[0]->report_count < 1) + return -EINVAL; + + hid_hw_request(hdev, report, HID_REQ_GET_REPORT); + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 11/14] HID: multitouch: validate feature report details +Date: Wed, 28 Aug 2013 22:31:37 +0200 (CEST) +Lines: 77 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721900 10409 80.91.229.3 (28 Aug 2013 20:31:40 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:40 +0000 (UTC) +Cc: Kees Cook , + Henrik Rydberg , + Benjamin Tissoires +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:42 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmOz-0000cl-Ku + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:42 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754253Ab3H1Ubl (ORCPT ); + Wed, 28 Aug 2013 16:31:41 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:57991 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754222Ab3H1Ubk (ORCPT ); + Wed, 28 Aug 2013 16:31:40 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id BA511A535B; + Wed, 28 Aug 2013 22:31:39 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31662 +Archived-At: + +From: Kees Cook + +When working on report indexes, always validate that they are in bounds. +Without this, a HID device could report a malicious feature report that +could trick the driver into a heap overflow: + +[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 +... +[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2897 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- + 1 file changed, 20 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index cb0e361..2aa275e 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev, + break; + } + } ++ /* Ignore if value index is out of bounds. */ ++ if (td->inputmode_index < 0 || ++ td->inputmode_index >= field->report_count) { ++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); ++ td->inputmode = -1; ++ } + + break; + case HID_DG_CONTACTMAX: ++ /* Ignore if value count is out of bounds. */ ++ if (field->report_count < 1) ++ break; + td->maxcontact_report_id = field->report->id; + td->maxcontacts = field->value[0]; + if (!td->maxcontacts && +@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report) + unsigned count; + int r, n; + ++ if (report->maxfield == 0) ++ return; ++ + /* + * Includes multi-packet support where subsequent + * packets are sent with zero contactcount. + */ +- if (td->cc_index >= 0) { +- struct hid_field *field = report->field[td->cc_index]; +- int value = field->value[td->cc_value_index]; +- if (value) +- td->num_expected = value; ++ if (td->cc_index >= 0 && td->cc_index < report->maxfield) { ++ field = report->field[td->cc_index]; ++ if (td->cc_value_index >= 0 && ++ td->cc_value_index < field->report_count) { ++ int value = field->value[td->cc_value_index]; ++ if (value) ++ td->num_expected = value; ++ } + } + + for (r = 0; r < report->maxfield; r++) { + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details +Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST) +Lines: 36 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC) +Cc: Kees Cook , + Mika Westerberg , + srinivas pandruvada +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:51 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmP8-0000cl-9D + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754788Ab3H1Ubt (ORCPT ); + Wed, 28 Aug 2013 16:31:49 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754228Ab3H1Ubt (ORCPT ); + Wed, 28 Aug 2013 16:31:49 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id BBD85A535B; + Wed, 28 Aug 2013 22:31:47 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31663 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious feature report that would cause the +sensor-hub HID driver to read past the end of heap allocation, leaking +kernel memory contents to the caller. + +CVE-2013-2898 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index ca749810..aa34755 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + + mutex_lock(&data->mutex); + report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); +- if (!report || (field_index >= report->maxfield)) { ++ if (!report || (field_index >= report->maxfield) || ++ report->field[field_index]->report_count < 1) { + ret = -EINVAL; + goto done_proc; + } +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 13/14] HID: picolcd_core: validate output report details +Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST) +Lines: 34 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC) +Cc: Kees Cook , + =?ISO-8859-15?Q?Bruno_Pr=E9mont?= +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:59 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmPE-0000cl-T8 + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754901Ab3H1Ub4 (ORCPT ); + Wed, 28 Aug 2013 16:31:56 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754228Ab3H1Ub4 (ORCPT ); + Wed, 28 Aug 2013 16:31:56 -0400 +Original-Received: from relay2.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 2720DA531D; + Wed, 28 Aug 2013 22:31:55 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31664 +Archived-At: + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +picolcd HID driver to trigger a NULL dereference during attr file writing. + +CVE-2013-2899 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-picolcd_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c +index b48092d..72bba1e 100644 +--- a/drivers/hid/hid-picolcd_core.c ++++ b/drivers/hid/hid-picolcd_core.c +@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, + buf += 10; + cnt -= 10; + } +- if (!report) ++ if (!report || report->maxfield < 1) + return -EINVAL; + + while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + +Path: news.gmane.org!not-for-mail +From: Jiri Kosina +Newsgroups: gmane.linux.kernel.input +Subject: [PATCH 14/14] HID: check for NULL field when setting values +Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST) +Lines: 36 +Approved: news@gmane.org +Message-ID: +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: TEXT/PLAIN; charset=US-ASCII +X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC) +Cc: Kees Cook +To: linux-input@vger.kernel.org +Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:32:06 2013 +Return-path: +Envelope-to: glki-linux-input-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VEmPO-0000cl-40 + for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754959Ab3H1UcF (ORCPT ); + Wed, 28 Aug 2013 16:32:05 -0400 +Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1754282Ab3H1UcE (ORCPT ); + Wed, 28 Aug 2013 16:32:04 -0400 +Original-Received: from relay1.suse.de (unknown [195.135.220.254]) + by mx2.suse.de (Postfix) with ESMTP id 6D278A531D; + Wed, 28 Aug 2013 22:32:03 +0200 (CEST) +User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) +Original-Sender: linux-input-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-input@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel.input:31665 +Archived-At: + +From: Kees Cook + +Defensively check that the field to be worked on is not NULL. + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +--- + drivers/hid/hid-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 55798b2..192be6b 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); + + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) + { +- unsigned size = field->report_size; ++ unsigned size; ++ ++ if (!field) ++ return -1; ++ ++ size = field->report_size; + + hid_dump_input(field->report->device, field->usage + offset, value); + +-- +Jiri Kosina +SUSE Labs +-- +To unsubscribe from this list: send the line "unsubscribe linux-input" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html + diff --git a/kernel.spec b/kernel.spec index 0d8445f4d..bd5e3244e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -775,6 +775,13 @@ Patch25079: 3.10.-6-7-crashes-on-network-activity.patch Patch25090: mei-3.10.y.patch +#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 +#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 +#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 +#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 +#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 +Patch25099: HID-CVE-fixes.patch + # END OF PATCH DEFINITIONS %endif @@ -1498,6 +1505,13 @@ ApplyPatch 3.10.-6-7-crashes-on-network-activity.patch ApplyPatch mei-3.10.y.patch +#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 +#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 +#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 +#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 +#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 +ApplyPatch HID-CVE-fixes.patch + # END OF PATCH APPLICATIONS %endif @@ -2310,6 +2324,14 @@ fi # and build. %changelog +* Fri Aug 30 2013 Josh Boyer +- Fix HID CVEs. Absurd. +- CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 +- CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 +- CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 +- CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 +- CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 + * Thu Aug 29 2013 Justin M. Forbes 3.10.10-200 - Linux v3.10.10 From ef9abbf29c721edc82fe0186a5cb237a4b96e9ef Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 9 Sep 2013 07:24:58 -0500 Subject: [PATCH 198/468] Linux v3.10.11 --- 3.10.-6-7-crashes-on-network-activity.patch | 140 -------------------- kernel.spec | 15 +-- mei-3.10.y.patch | 104 --------------- sources | 2 +- 4 files changed, 5 insertions(+), 256 deletions(-) delete mode 100644 3.10.-6-7-crashes-on-network-activity.patch delete mode 100644 mei-3.10.y.patch diff --git a/3.10.-6-7-crashes-on-network-activity.patch b/3.10.-6-7-crashes-on-network-activity.patch deleted file mode 100644 index 2e6b0d2ec..000000000 --- a/3.10.-6-7-crashes-on-network-activity.patch +++ /dev/null @@ -1,140 +0,0 @@ -From 6aeddf9d409f3d9938b05b545d65810739237b2e Mon Sep 17 00:00:00 2001 -From: Felix Fietkau -Date: Tue, 20 Aug 2013 06:56:08 +0200 -Subject: [PATCH] 3.10.{6,7} crashes on network activity - -On 2013-08-20 2:28 AM, Greg Kroah-Hartman wrote: -> On Tue, Aug 20, 2013 at 08:26:11AM +0800, Tom Gundersen wrote: ->> On Tue, Aug 20, 2013 at 8:03 AM, Greg Kroah-Hartman ->> wrote: ->> > On Tue, Aug 20, 2013 at 07:59:47AM +0800, Tom Gundersen wrote: ->> >> Hi guys, ->> >> ->> >> Starting with 3.10.6 (and still present in .7) I get an oops on ->> >> connecting to the network. ->> >> ->> >> The attached picture shows the oops. In case it does not reach the ML, ->> >> the top of the call trace reads: ->> >> ->> >> brcms_c_compute_rtscts_dur ->> >> brcms_c_ampdu_finalize ->> >> ampdu_finalize ->> >> dma_txfast ->> >> brcms_c_txfifo ->> >> brcms_c_sendpkt_mac80211 ->> >> brcms_ops_tx ->> >> __ieee80211_tx ->> >> ->> >> I bisected the problem and the first bad commit is ->> >> ->> >> commit ef47a5e4f1aaf1d0e2e6875e34b2c9595897bef6 ->> >> Author: Felix Fietkau ->> >> Date: Fri Jun 28 21:04:35 2013 +0200 ->> >> ->> >> mac80211/minstrel_ht: fix cck rate sampling ->> >> ->> >> commit 1cd158573951f737fbc878a35cb5eb47bf9af3d5 upstream. ->> >> ->> >> Reverting it on top of .7 fixes the problem. ->> >> ->> >> I had the same (I suppose) problem on mainline some time ago, but I ->> >> have not bisected it, verified that the problem still occurs there, or ->> >> checked if reverting the upstream patch fixes it. I'd be happy to do ->> >> that if it would help though. ->> >> ->> >> Let me know if you need any more information. ->> > ->> > Do you have this same problem with 3.11-rc6 as well? ->> ->> Yes, I just confirmed. I also confirmed that reverting the mainline ->> commit on top of -rc6 fixes the problem. -> -> Great, thanks. -> -> Felix and Johannes, any chance we can get this reverted in Linus tree -> soon, and push that revert back to the 3.10 stable tree as well? -I'd like to avoid a revert, since that will simply replace one set of -issues with another. Let's limit the use of the feature that brcmsmac -can't handle to drivers that are known to work with it. Tom, Please -test this patch to see if it fixes your issue. - -- Felix ---- - drivers/net/wireless/ath/ath9k/init.c | 3 ++- - drivers/net/wireless/ath/carl9170/main.c | 3 ++- - drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++- - include/net/mac80211.h | 1 + - net/mac80211/rc80211_minstrel_ht.c | 3 +++ - 5 files changed, 10 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/wireless/ath/ath9k/init.c b/drivers/net/wireless/ath/ath9k/init.c -index 2ba4945..bd126c2 100644 ---- a/drivers/net/wireless/ath/ath9k/init.c -+++ b/drivers/net/wireless/ath/ath9k/init.c -@@ -767,7 +767,8 @@ void ath9k_set_hw_capab(struct ath_softc *sc, struct ieee80211_hw *hw) - IEEE80211_HW_PS_NULLFUNC_STACK | - IEEE80211_HW_SPECTRUM_MGMT | - IEEE80211_HW_REPORTS_TX_ACK_STATUS | -- IEEE80211_HW_SUPPORTS_RC_TABLE; -+ IEEE80211_HW_SUPPORTS_RC_TABLE | -+ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; - - if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_HT) - hw->flags |= IEEE80211_HW_AMPDU_AGGREGATION; -diff --git a/drivers/net/wireless/ath/carl9170/main.c b/drivers/net/wireless/ath/carl9170/main.c -index e9010a4..0686375 100644 ---- a/drivers/net/wireless/ath/carl9170/main.c -+++ b/drivers/net/wireless/ath/carl9170/main.c -@@ -1857,7 +1857,8 @@ void *carl9170_alloc(size_t priv_size) - IEEE80211_HW_SUPPORTS_PS | - IEEE80211_HW_PS_NULLFUNC_STACK | - IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC | -- IEEE80211_HW_SIGNAL_DBM; -+ IEEE80211_HW_SIGNAL_DBM | -+ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; - - if (!modparam_noht) { - /* -diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index 705aa33..7e66a90 100644 ---- a/drivers/net/wireless/rt2x00/rt2800lib.c -+++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -5912,7 +5912,8 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - IEEE80211_HW_SUPPORTS_PS | - IEEE80211_HW_PS_NULLFUNC_STACK | - IEEE80211_HW_AMPDU_AGGREGATION | -- IEEE80211_HW_REPORTS_TX_ACK_STATUS; -+ IEEE80211_HW_REPORTS_TX_ACK_STATUS | -+ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; - - /* - * Don't set IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING for USB devices -diff --git a/include/net/mac80211.h b/include/net/mac80211.h -index 885898a..4e50d36 100644 ---- a/include/net/mac80211.h -+++ b/include/net/mac80211.h -@@ -1484,6 +1484,7 @@ enum ieee80211_hw_flags { - IEEE80211_HW_SUPPORTS_RC_TABLE = 1<<24, - IEEE80211_HW_P2P_DEV_ADDR_FOR_INTF = 1<<25, - IEEE80211_HW_TIMING_BEACON_ONLY = 1<<26, -+ IEEE80211_HW_SUPPORTS_HT_CCK_RATES = 1<<27, - }; - - /** -diff --git a/net/mac80211/rc80211_minstrel_ht.c b/net/mac80211/rc80211_minstrel_ht.c -index f5aed96..f3bbea1 100644 ---- a/net/mac80211/rc80211_minstrel_ht.c -+++ b/net/mac80211/rc80211_minstrel_ht.c -@@ -828,6 +828,9 @@ minstrel_ht_update_cck(struct minstrel_priv *mp, struct minstrel_ht_sta *mi, - if (sband->band != IEEE80211_BAND_2GHZ) - return; - -+ if (!(mp->hw->flags & IEEE80211_HW_SUPPORTS_HT_CCK_RATES)) -+ return; -+ - mi->cck_supported = 0; - mi->cck_supported_short = 0; - for (i = 0; i < 4; i++) { --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index bd5e3244e..8564cc07e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 11 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -770,11 +770,6 @@ Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020 #CVE-2013-0343 rhbz 914664 999380 Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch -#rhbz 989269 -Patch25079: 3.10.-6-7-crashes-on-network-activity.patch - -Patch25090: mei-3.10.y.patch - #CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 #CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 @@ -1500,11 +1495,6 @@ ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020. #CVE-2013-0343 rhbz 914664 999380 ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch -#rhbz 989269 -ApplyPatch 3.10.-6-7-crashes-on-network-activity.patch - -ApplyPatch mei-3.10.y.patch - #CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 #CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 @@ -2324,6 +2314,9 @@ fi # and build. %changelog +* Thu Sep 09 2013 Justin M. Forbes 3.10.11-200 +- Linux v3.10.11 + * Fri Aug 30 2013 Josh Boyer - Fix HID CVEs. Absurd. - CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 diff --git a/mei-3.10.y.patch b/mei-3.10.y.patch deleted file mode 100644 index b0c6c34b5..000000000 --- a/mei-3.10.y.patch +++ /dev/null @@ -1,104 +0,0 @@ -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp116477oab; - Sun, 25 Aug 2013 02:53:06 -0700 (PDT) -X-Received: by 10.66.146.42 with SMTP id sz10mr8515943pab.78.1377424384757; - Sun, 25 Aug 2013 02:53:04 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id zu9si6326866pbc.308.1969.12.31.16.00.00; - Sun, 25 Aug 2013 02:53:04 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756391Ab3HYJwW (ORCPT - + 58 others); Sun, 25 Aug 2013 05:52:22 -0400 -Received: from mga03.intel.com ([143.182.124.21]:34236 "EHLO mga03.intel.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1756361Ab3HYJwT (ORCPT ); - Sun, 25 Aug 2013 05:52:19 -0400 -Received: from azsmga001.ch.intel.com ([10.2.17.19]) - by azsmga101.ch.intel.com with ESMTP; 25 Aug 2013 02:52:18 -0700 -X-ExtLoop1: 1 -X-IronPort-AV: E=Sophos;i="4.89,951,1367996400"; - d="scan'208";a="351301674" -Received: from twinkler-dhg.jer.intel.com ([10.12.87.84]) - by azsmga001.ch.intel.com with ESMTP; 25 Aug 2013 02:52:16 -0700 -From: Tomas Winkler -To: gregkh@linuxfoundation.org -Cc: arnd@arndb.de, linux-kernel@vger.kernel.org, - Tomas Winkler , - stable@vger.kernel.org, Shuah Khan , - Konstantin Khlebnikov -Subject: [3.10][PATCH 4/4] mei: me: fix hardware reset flow -Date: Sun, 25 Aug 2013 12:49:49 +0300 -Message-Id: <1377424189-5508-5-git-send-email-tomas.winkler@intel.com> -X-Mailer: git-send-email 1.8.1.2 -In-Reply-To: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -References: <1377424189-5508-1-git-send-email-tomas.winkler@intel.com> -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -stable: 3.10 -commit ff96066e3171acdea356b331163495957cb833d0 char-misc - - -Both H_IS and H_IE needs to be set to receive H_RDY -interrupt - -1. Assert H_IS to clear the interrupts during hw reset -and use mei_me_reg_write instead of mei_hcsr_set as the later -strips down the H_IS - -2. fix interrupt disablement embarrassing typo - hcsr |= ~H_IE -> hcsr &= ~H_IE; -this will remove the unwanted interrupt on power down - -3. remove useless debug print outs - -Cc: stable@vger.kernel.org -Cc: Shuah Khan -Cc: Konstantin Khlebnikov -Signed-off-by: Tomas Winkler -Signed-off-by: Greg Kroah-Hartman - -Conflicts: - drivers/misc/mei/hw-me.c - ---- - drivers/misc/mei/hw-me.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/drivers/misc/mei/hw-me.c b/drivers/misc/mei/hw-me.c -index 700fe55..1bf3f8b 100644 ---- a/drivers/misc/mei/hw-me.c -+++ b/drivers/misc/mei/hw-me.c -@@ -176,16 +176,14 @@ static void mei_me_hw_reset(struct mei_device *dev, bool intr_enable) - struct mei_me_hw *hw = to_me_hw(dev); - u32 hcsr = mei_hcsr_read(hw); - -- dev_dbg(&dev->pdev->dev, "before reset HCSR = 0x%08x.\n", hcsr); -- -- hcsr |= (H_RST | H_IG); -+ hcsr |= H_RST | H_IG | H_IS; - - if (intr_enable) - hcsr |= H_IE; - else -- hcsr |= ~H_IE; -+ hcsr &= ~H_IE; - -- mei_hcsr_set(hw, hcsr); -+ mei_me_reg_write(hw, H_CSR, hcsr); - - if (dev->dev_state == MEI_DEV_POWER_DOWN) - mei_me_hw_reset_release(dev); --- -1.8.1.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/sources b/sources index 0479b31a7..fb3a8ac24 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ 4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -d010ef17d3e577fd1bdcb6887f2b9836 patch-3.10.10.xz +9aadf2325fed53e971fe59bc6c7c3b89 patch-3.10.11.xz From 72812240f1e095e85945ebc4ddfb9a884c573fb1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 9 Sep 2013 08:35:58 -0400 Subject: [PATCH 199/468] Fix system freeze due to incorrect rt2800 initialization (rhbz 1000679) --- kernel.spec | 9 +++++ ...0-rearrange-bbp-rfcsr-initialization.patch | 35 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 rt2800-rearrange-bbp-rfcsr-initialization.patch diff --git a/kernel.spec b/kernel.spec index 8564cc07e..e259974a2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -770,6 +770,9 @@ Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020 #CVE-2013-0343 rhbz 914664 999380 Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +#rhbz 1000679 +Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch + #CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 #CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 @@ -1502,6 +1505,9 @@ ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 ApplyPatch HID-CVE-fixes.patch +#rhbz 1000679 +ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch + # END OF PATCH APPLICATIONS %endif @@ -2314,6 +2320,9 @@ fi # and build. %changelog +* Mon Sep 09 2013 Josh Boyer +- Fix system freeze due to incorrect rt2800 initialization (rhbz 1000679) + * Thu Sep 09 2013 Justin M. Forbes 3.10.11-200 - Linux v3.10.11 diff --git a/rt2800-rearrange-bbp-rfcsr-initialization.patch b/rt2800-rearrange-bbp-rfcsr-initialization.patch new file mode 100644 index 000000000..c782fc5d4 --- /dev/null +++ b/rt2800-rearrange-bbp-rfcsr-initialization.patch @@ -0,0 +1,35 @@ +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c +index 7e66a90..6a70c27 100644 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -4041,8 +4041,7 @@ static int rt2800_init_bbp(struct rt2x00_dev *rt2x00dev) + u8 reg_id; + u8 value; + +- if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev) || +- rt2800_wait_bbp_ready(rt2x00dev))) ++ if (unlikely(rt2800_wait_bbp_ready(rt2x00dev))) + return -EACCES; + + if (rt2x00_rt(rt2x00dev, RT5592)) { +@@ -5185,15 +5184,17 @@ int rt2800_enable_radio(struct rt2x00_dev *rt2x00dev) + rt2800_init_registers(rt2x00dev))) + return -EIO; + ++ if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev))) ++ return -EIO; ++ + /* + * Send signal to firmware during boot time. + */ + rt2800_register_write(rt2x00dev, H2M_BBP_AGENT, 0); + rt2800_register_write(rt2x00dev, H2M_MAILBOX_CSR, 0); +- if (rt2x00_is_usb(rt2x00dev)) { ++ if (rt2x00_is_usb(rt2x00dev)) + rt2800_register_write(rt2x00dev, H2M_INT_SRC, 0); +- rt2800_mcu_request(rt2x00dev, MCU_BOOT_SIGNAL, 0, 0, 0); +- } ++ rt2800_mcu_request(rt2x00dev, MCU_BOOT_SIGNAL, 0, 0, 0); + msleep(1); + + if (unlikely(rt2800_init_bbp(rt2x00dev))) From 2716cfff5007773c23efca1c2d7c9b6522695f7c Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 9 Sep 2013 07:47:56 -0500 Subject: [PATCH 200/468] Tag actual build --- kernel.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index e259974a2..94ae83bba 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2320,10 +2320,10 @@ fi # and build. %changelog -* Mon Sep 09 2013 Josh Boyer +* Mon Sep 09 2013 Josh Boyer 3.10.11-200 - Fix system freeze due to incorrect rt2800 initialization (rhbz 1000679) -* Thu Sep 09 2013 Justin M. Forbes 3.10.11-200 +* Mon Sep 09 2013 Justin M. Forbes - Linux v3.10.11 * Fri Aug 30 2013 Josh Boyer From 02005b979fbb6eda190c7690498bfd157c37fce3 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 11 Sep 2013 10:07:25 -0500 Subject: [PATCH 201/468] Linux v3.11 rebase --- ...ech-dj-missing-Unifying-device-issue.patch | 172 ------ ...ODATA-if-reading-battery-attrs-fails.patch | 55 -- ...t-fixup-for-Genius-Gila-Gaming-mouse.patch | 98 ---- ...h-fix-for-newer-hardware-versions-v7.patch | 70 --- ...andle-idiv-overflow-at-kvm_write_tsc.patch | 45 -- acpi-video-dos.patch | 17 - ...-not-call-setup_timer-multiple-times.patch | 50 -- ...the-mdb-entry-when-query-is-received.patch | 159 ------ ...d-query-as-soon-as-leave-is-received.patch | 57 -- bridge-timer-fix.patch | 13 - config-arm-generic | 115 +++- config-armv7 | 209 ++++--- config-armv7-generic | 62 ++- config-armv7-lpae | 64 ++- config-debug | 12 +- config-generic | 209 ++++--- config-nodebug | 14 +- config-powerpc-generic | 20 +- config-powerpc32-generic | 6 - config-powerpc32-smp | 1 - config-powerpc64 | 14 +- config-powerpc64p7 | 14 +- config-s390x | 25 +- config-x86-32-generic | 4 +- config-x86-generic | 55 +- config-x86_64-generic | 17 +- drm-hotspot-cursor-backport.patch | 164 ------ drm-qxl-post-3.10-feature-fixes.patch | 517 ------------------ drm-qxl-post-3.10-features-part-2.patch | 483 ---------------- ...ning-if-enabling-irq-remapping-fails.patch | 25 - ...sses-check-from-ipv6_create_tempaddr.patch | 63 --- kernel.spec | 81 +-- nowatchdog-on-virt.patch | 10 +- ...0-rearrange-bbp-rfcsr-initialization.patch | 60 +- ...q-lock-inversion-dependency-detected.patch | 83 --- sources | 3 +- 36 files changed, 549 insertions(+), 2517 deletions(-) delete mode 100644 HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch delete mode 100644 HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch delete mode 100644 HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch delete mode 100644 Input-elantech-fix-for-newer-hardware-versions-v7.patch delete mode 100644 KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch delete mode 100644 acpi-video-dos.patch delete mode 100644 bridge-do-not-call-setup_timer-multiple-times.patch delete mode 100644 bridge-only-expire-the-mdb-entry-when-query-is-received.patch delete mode 100644 bridge-send-query-as-soon-as-leave-is-received.patch delete mode 100644 bridge-timer-fix.patch delete mode 100644 drm-hotspot-cursor-backport.patch delete mode 100644 drm-qxl-post-3.10-feature-fixes.patch delete mode 100644 drm-qxl-post-3.10-features-part-2.patch delete mode 100644 intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch delete mode 100644 ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch delete mode 100644 scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch diff --git a/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch b/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch deleted file mode 100644 index 1c112ccde..000000000 --- a/HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch +++ /dev/null @@ -1,172 +0,0 @@ -From c63e0e370028d7e4033bd40165f18499872b5183 Mon Sep 17 00:00:00 2001 -From: Nestor Lopez Casado -Date: Thu, 18 Jul 2013 13:21:30 +0000 -Subject: HID: Revert "Revert "HID: Fix logitech-dj: missing Unifying device issue"" - -This reverts commit 8af6c08830b1ae114d1a8b548b1f8b056e068887. - -This patch re-adds the workaround introduced by 596264082f10dd4 -which was reverted by 8af6c08830b1ae114. - -The original patch 596264 was needed to overcome a situation where -the hid-core would drop incoming reports while probe() was being -executed. - -This issue was solved by c849a6143bec520af which added -hid_device_io_start() and hid_device_io_stop() that enable a specific -hid driver to opt-in for input reports while its probe() is being -executed. - -Commit a9dd22b730857347 modified hid-logitech-dj so as to use the -functionality added to hid-core. Having done that, workaround 596264 -was no longer necessary and was reverted by 8af6c08. - -We now encounter a different problem that ends up 'again' thwarting -the Unifying receiver enumeration. The problem is time and usb controller -dependent. Ocasionally the reports sent to the usb receiver to start -the paired devices enumeration fail with -EPIPE and the receiver never -gets to enumerate the paired devices. - -With dcd9006b1b053c7b1c the problem was "hidden" as the call to the usb -driver became asynchronous and none was catching the error from the -failing URB. - -As the root cause for this failing SET_REPORT is not understood yet, --possibly a race on the usb controller drivers or a problem with the -Unifying receiver- reintroducing this workaround solves the problem. - -Overall what this workaround does is: If an input report from an -unknown device is received, then a (re)enumeration is performed. - -related bug: -https://bugs.launchpad.net/ubuntu/+source/linux/+bug/1194649 - -Signed-off-by: Nestor Lopez Casado -Signed-off-by: Jiri Kosina ---- -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index 5207591a..cd33084 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -192,6 +192,7 @@ static struct hid_ll_driver logi_dj_ll_driver; - static int logi_dj_output_hidraw_report(struct hid_device *hid, u8 * buf, - size_t count, - unsigned char report_type); -+static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev); - - static void logi_dj_recv_destroy_djhid_device(struct dj_receiver_dev *djrcv_dev, - struct dj_report *dj_report) -@@ -232,6 +233,7 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, - if (dj_report->report_params[DEVICE_PAIRED_PARAM_SPFUNCTION] & - SPFUNCTION_DEVICE_LIST_EMPTY) { - dbg_hid("%s: device list is empty\n", __func__); -+ djrcv_dev->querying_devices = false; - return; - } - -@@ -242,6 +244,12 @@ static void logi_dj_recv_add_djhid_device(struct dj_receiver_dev *djrcv_dev, - return; - } - -+ if (djrcv_dev->paired_dj_devices[dj_report->device_index]) { -+ /* The device is already known. No need to reallocate it. */ -+ dbg_hid("%s: device is already known\n", __func__); -+ return; -+ } -+ - dj_hiddev = hid_allocate_device(); - if (IS_ERR(dj_hiddev)) { - dev_err(&djrcv_hdev->dev, "%s: hid_allocate_device failed\n", -@@ -305,6 +313,7 @@ static void delayedwork_callback(struct work_struct *work) - struct dj_report dj_report; - unsigned long flags; - int count; -+ int retval; - - dbg_hid("%s\n", __func__); - -@@ -337,6 +346,25 @@ static void delayedwork_callback(struct work_struct *work) - logi_dj_recv_destroy_djhid_device(djrcv_dev, &dj_report); - break; - default: -+ /* A normal report (i. e. not belonging to a pair/unpair notification) -+ * arriving here, means that the report arrived but we did not have a -+ * paired dj_device associated to the report's device_index, this -+ * means that the original "device paired" notification corresponding -+ * to this dj_device never arrived to this driver. The reason is that -+ * hid-core discards all packets coming from a device while probe() is -+ * executing. */ -+ if (!djrcv_dev->paired_dj_devices[dj_report.device_index]) { -+ /* ok, we don't know the device, just re-ask the -+ * receiver for the list of connected devices. */ -+ retval = logi_dj_recv_query_paired_devices(djrcv_dev); -+ if (!retval) { -+ /* everything went fine, so just leave */ -+ break; -+ } -+ dev_err(&djrcv_dev->hdev->dev, -+ "%s:logi_dj_recv_query_paired_devices " -+ "error:%d\n", __func__, retval); -+ } - dbg_hid("%s: unexpected report type\n", __func__); - } - } -@@ -367,6 +395,12 @@ static void logi_dj_recv_forward_null_report(struct dj_receiver_dev *djrcv_dev, - if (!djdev) { - dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]" - " is NULL, index %d\n", dj_report->device_index); -+ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report)); -+ -+ if (schedule_work(&djrcv_dev->work) == 0) { -+ dbg_hid("%s: did not schedule the work item, was already " -+ "queued\n", __func__); -+ } - return; - } - -@@ -397,6 +431,12 @@ static void logi_dj_recv_forward_report(struct dj_receiver_dev *djrcv_dev, - if (dj_device == NULL) { - dbg_hid("djrcv_dev->paired_dj_devices[dj_report->device_index]" - " is NULL, index %d\n", dj_report->device_index); -+ kfifo_in(&djrcv_dev->notif_fifo, dj_report, sizeof(struct dj_report)); -+ -+ if (schedule_work(&djrcv_dev->work) == 0) { -+ dbg_hid("%s: did not schedule the work item, was already " -+ "queued\n", __func__); -+ } - return; - } - -@@ -444,6 +484,10 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) - struct dj_report *dj_report; - int retval; - -+ /* no need to protect djrcv_dev->querying_devices */ -+ if (djrcv_dev->querying_devices) -+ return 0; -+ - dj_report = kzalloc(sizeof(struct dj_report), GFP_KERNEL); - if (!dj_report) - return -ENOMEM; -@@ -455,6 +499,7 @@ static int logi_dj_recv_query_paired_devices(struct dj_receiver_dev *djrcv_dev) - return retval; - } - -+ - static int logi_dj_recv_switch_to_dj_mode(struct dj_receiver_dev *djrcv_dev, - unsigned timeout) - { -diff --git a/drivers/hid/hid-logitech-dj.h b/drivers/hid/hid-logitech-dj.h -index fd28a5e..4a40003 100644 ---- a/drivers/hid/hid-logitech-dj.h -+++ b/drivers/hid/hid-logitech-dj.h -@@ -101,6 +101,7 @@ struct dj_receiver_dev { - struct work_struct work; - struct kfifo notif_fifo; - spinlock_t lock; -+ bool querying_devices; - }; - - struct dj_device { --- -cgit v0.9.2 diff --git a/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch b/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch deleted file mode 100644 index acdd66d48..000000000 --- a/HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch +++ /dev/null @@ -1,55 +0,0 @@ -From d0a934b764c67b4bf626f5b7cf725a6e3066afd2 Mon Sep 17 00:00:00 2001 -From: David Herrmann -Date: Mon, 13 May 2013 15:01:30 +0000 -Subject: HID: input: return ENODATA if reading battery attrs fails - -power_supply core has the bad habit of calling our battery callbacks -from within power_supply_register(). Furthermore, if the callbacks -fail with an unhandled error code, it will skip any uevent that it -might currently process. -So if HID-core registers battery devices, an "add" uevent is generated -and the battery callbacks are called. These will gracefully fail due -to timeouts as they might still hold locks on event processing. One -could argue that this should be fixed in power_supply core, but the -least we can do is to signal ENODATA so power_supply core will just -skip the property and continue with the uevent. - -This fixes a bug where "add" and "remove" uevents are skipped for -battery devices. upower is unable to track these devices and currently -needs to ignore them. - -This patch also overwrites any other error code. I cannot see any reason -why we should forward protocol- or I/O-errors to the power_supply core. -We handle these errors in hid_ll_driver later, anyway, so just skip -them. power_supply core cannot do anything useful with them, anyway, -and we avoid skipping important uevents and confusing user-space. - -Thanks a lot to Daniel Nicoletti for pushing and investigating -on this. - -Cc: Jiri Kosina -Cc: Anton Vorontsov -Cc: David Woodhouse -Reported-by: Daniel Nicoletti -Signed-off-by: David Herrmann -Signed-off-by: Jiri Kosina ---- -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index 945b815..c526a3c 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -354,10 +354,10 @@ static int hidinput_get_battery_property(struct power_supply *psy, - dev->battery_report_type); - - if (ret != 2) { -- if (ret >= 0) -- ret = -EINVAL; -+ ret = -ENODATA; - break; - } -+ ret = 0; - - if (dev->battery_min < dev->battery_max && - buf[1] >= dev->battery_min && --- -cgit v0.9.2 diff --git a/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch b/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch deleted file mode 100644 index 6913eb520..000000000 --- a/HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch +++ /dev/null @@ -1,98 +0,0 @@ -From 3685c18e17f12438d0a83331c1b6a5b00fade7a1 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Tue, 02 Jul 2013 16:10:09 +0000 -Subject: HID: kye: Add report fixup for Genius Gila Gaming mouse - -Genius Gila Gaming Mouse presents an obviously wrong report descriptor. -the Consumer control (report ID 3) is the following: -0x05, 0x0c, // Usage Page (Consumer Devices) 105 -0x09, 0x01, // Usage (Consumer Control) 107 -0xa1, 0x01, // Collection (Application) 109 -0x85, 0x03, // Report ID (3) 111 -0x19, 0x00, // Usage Minimum (0) 113 -0x2a, 0xff, 0x7f, // Usage Maximum (32767) 115 -0x15, 0x00, // Logical Minimum (0) 118 -0x26, 0xff, 0x7f, // Logical Maximum (32767) 120 -0x75, 0x10, // Report Size (16) 123 -0x95, 0x03, // Report Count (3) 125 -0x81, 0x00, // Input (Data,Arr,Abs) 127 -0x75, 0x08, // Report Size (8) 129 -0x95, 0x01, // Report Count (1) 131 -0x81, 0x01, // Input (Cnst,Arr,Abs) 133 -0xc0, // End Collection 135 - -So the first input whithin this report has a count of 3 but a usage range -of 32768. So this value is obviously wrong as it should not be greater than -the report count. - -Fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=959721 - -Signed-off-by: Benjamin Tissoires -Signed-off-by: Jiri Kosina ---- -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 8f616bd..27aa7c7 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1589,6 +1589,7 @@ static const struct hid_device_id hid_have_special_driver[] = { - { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_ION, USB_DEVICE_ID_ICADE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index 3da75dd..b2b692e 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -474,6 +474,7 @@ - - #define USB_VENDOR_ID_KYE 0x0458 - #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 -+#define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 - #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 - #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 - #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 -diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c -index 6af90db..1e2ee2aa 100644 ---- a/drivers/hid/hid-kye.c -+++ b/drivers/hid/hid-kye.c -@@ -314,6 +314,25 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - *rsize = sizeof(easypen_m610x_rdesc_fixed); - } - break; -+ case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: -+ /* -+ * the fixup that need to be done: -+ * - change Usage Maximum in the Comsumer Control -+ * (report ID 3) to a reasonable value -+ */ -+ if (*rsize >= 135 && -+ /* Usage Page (Consumer Devices) */ -+ rdesc[104] == 0x05 && rdesc[105] == 0x0c && -+ /* Usage (Consumer Control) */ -+ rdesc[106] == 0x09 && rdesc[107] == 0x01 && -+ /* Usage Maximum > 12287 */ -+ rdesc[114] == 0x2a && rdesc[116] > 0x2f) { -+ hid_info(hdev, -+ "fixing up Genius Gila Gaming Mouse " -+ "report descriptor\n"); -+ rdesc[116] = 0x2f; -+ } -+ break; - } - return rdesc; - } -@@ -407,6 +426,8 @@ static const struct hid_device_id kye_devices[] = { - USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, - USB_DEVICE_ID_KYE_EASYPEN_M610X) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, -+ USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, - { } - }; - MODULE_DEVICE_TABLE(hid, kye_devices); --- -cgit v0.9.2 diff --git a/Input-elantech-fix-for-newer-hardware-versions-v7.patch b/Input-elantech-fix-for-newer-hardware-versions-v7.patch deleted file mode 100644 index b9495d75d..000000000 --- a/Input-elantech-fix-for-newer-hardware-versions-v7.patch +++ /dev/null @@ -1,70 +0,0 @@ -From 9eebed7de660c0b5ab129a9de4f89d20b60de68c Mon Sep 17 00:00:00 2001 -From: Matteo Delfino -Date: Sat, 6 Jul 2013 21:52:26 -0700 -Subject: [PATCH] Input: elantech - fix for newer hardware versions (v7) - -* Fix version recognition in elantech_set_properties - - The new hardware reports itself as v7 but the packets' - structure is unaltered. - -* Fix packet type recognition in elantech_packet_check_v4 - - The bitmask used for v6 is too wide, only the last three bits of - the third byte in a packet (packet[3] & 0x03) are actually used to - distinguish between packet types. - Starting from v7, additional information (to be interpreted) is - stored in the remaining bits (packets[3] & 0x1c). - In addition, the value stored in (packet[0] & 0x0c) is no longer - a constant but contains additional information yet to be deciphered. - This change should be backwards compatible with v6 hardware. - -Additional-author: Giovanni Frigione -Signed-off-by: Matteo Delfino -Signed-off-by: Dmitry Torokhov ---- - drivers/input/mouse/elantech.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c -index 1e8e42f..57b2637 100644 ---- a/drivers/input/mouse/elantech.c -+++ b/drivers/input/mouse/elantech.c -@@ -694,18 +694,18 @@ static int elantech_packet_check_v3(struct psmouse *psmouse) - static int elantech_packet_check_v4(struct psmouse *psmouse) - { - unsigned char *packet = psmouse->packet; -+ unsigned char packet_type = packet[3] & 0x03; - -- if ((packet[0] & 0x0c) == 0x04 && -- (packet[3] & 0x1f) == 0x11) -+ switch (packet_type) { -+ case 0: -+ return PACKET_V4_STATUS; -+ -+ case 1: - return PACKET_V4_HEAD; - -- if ((packet[0] & 0x0c) == 0x04 && -- (packet[3] & 0x1f) == 0x12) -+ case 2: - return PACKET_V4_MOTION; -- -- if ((packet[0] & 0x0c) == 0x04 && -- (packet[3] & 0x1f) == 0x10) -- return PACKET_V4_STATUS; -+ } - - return PACKET_UNKNOWN; - } -@@ -1282,6 +1282,7 @@ static int elantech_set_properties(struct elantech_data *etd) - etd->hw_version = 3; - break; - case 6: -+ case 7: - etd->hw_version = 4; - break; - default: --- -1.8.3.1 - diff --git a/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch b/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch deleted file mode 100644 index 678e82953..000000000 --- a/KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch +++ /dev/null @@ -1,45 +0,0 @@ -diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c -index 094b5d9..64a4b03 100644 ---- a/arch/x86/kvm/x86.c -+++ b/arch/x86/kvm/x86.c -@@ -1194,20 +1194,37 @@ void kvm_write_tsc(struct kvm_vcpu *vcpu, struct msr_data *msr) - elapsed = ns - kvm->arch.last_tsc_nsec; - - if (vcpu->arch.virtual_tsc_khz) { -+ int faulted = 0; -+ - /* n.b - signed multiplication and division required */ - usdiff = data - kvm->arch.last_tsc_write; - #ifdef CONFIG_X86_64 - usdiff = (usdiff * 1000) / vcpu->arch.virtual_tsc_khz; - #else - /* do_div() only does unsigned */ -- asm("idivl %2; xor %%edx, %%edx" -- : "=A"(usdiff) -- : "A"(usdiff * 1000), "rm"(vcpu->arch.virtual_tsc_khz)); -+ asm("1: idivl %[divisor]\n" -+ "2: xor %%edx, %%edx\n" -+ " movl $0, %[faulted]\n" -+ "3:\n" -+ ".section .fixup,\"ax\"\n" -+ "4: movl $1, %[faulted]\n" -+ " jmp 3b\n" -+ ".previous\n" -+ -+ _ASM_EXTABLE(1b, 4b) -+ -+ : "=A"(usdiff), [faulted] "=r" (faulted) -+ : "A"(usdiff * 1000), [divisor] "rm"(vcpu->arch.virtual_tsc_khz)); -+ - #endif - do_div(elapsed, 1000); - usdiff -= elapsed; - if (usdiff < 0) - usdiff = -usdiff; -+ -+ /* idivl overflow => difference is larger than USEC_PER_SEC */ -+ if (faulted) -+ usdiff = USEC_PER_SEC; - } else - usdiff = USEC_PER_SEC; /* disable TSC match window below */ - diff --git a/acpi-video-dos.patch b/acpi-video-dos.patch deleted file mode 100644 index 3e2085193..000000000 --- a/acpi-video-dos.patch +++ /dev/null @@ -1,17 +0,0 @@ -Disable firmware video brightness change on AC/Battery switch by default - --- mjg59 - -diff --git a/drivers/acpi/video.c b/drivers/acpi/video.c -index bac2901..93b1a9e 100644 ---- a/drivers/acpi/video.c -+++ b/drivers/acpi/video.c -@@ -1818,7 +1818,7 @@ static int acpi_video_bus_put_devices(struct acpi_video_bus *video) - - static int acpi_video_bus_start_devices(struct acpi_video_bus *video) - { -- return acpi_video_bus_DOS(video, 0, 0); -+ return acpi_video_bus_DOS(video, 0, 1); - } - - static int acpi_video_bus_stop_devices(struct acpi_video_bus *video) diff --git a/bridge-do-not-call-setup_timer-multiple-times.patch b/bridge-do-not-call-setup_timer-multiple-times.patch deleted file mode 100644 index c8c7bf747..000000000 --- a/bridge-do-not-call-setup_timer-multiple-times.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 20 Jul 2013 03:07:16 +0000 -Subject: bridge: do not call setup_timer() multiple times - -commit 9f00b2e7cf24 ("bridge: only expire the mdb entry when query is -received") added a nasty bug as an active timer can be reinitialized. - -setup_timer() must be done once, no matter how many time mod_timer() -is called. br_multicast_new_group() is the right place to do this. - -Reported-by: Srivatsa S. Bhat -Diagnosed-by: Thomas Gleixner -Signed-off-by: Eric Dumazet -Tested-by: Srivatsa S. Bhat -Cc: Cong Wang -Signed-off-by: David S. Miller ---- -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 69af490..4b99c9a 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -619,6 +619,9 @@ rehash: - mp->br = br; - mp->addr = *group; - -+ setup_timer(&mp->timer, br_multicast_group_expired, -+ (unsigned long)mp); -+ - hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]); - mdb->size++; - -@@ -1126,7 +1129,6 @@ static int br_ip4_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -- setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); - mod_timer(&mp->timer, now + br->multicast_membership_interval); - mp->timer_armed = true; - -@@ -1204,7 +1206,6 @@ static int br_ip6_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -- setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); - mod_timer(&mp->timer, now + br->multicast_membership_interval); - mp->timer_armed = true; - --- -cgit v0.9.2 diff --git a/bridge-only-expire-the-mdb-entry-when-query-is-received.patch b/bridge-only-expire-the-mdb-entry-when-query-is-received.patch deleted file mode 100644 index b58b57083..000000000 --- a/bridge-only-expire-the-mdb-entry-when-query-is-received.patch +++ /dev/null @@ -1,159 +0,0 @@ -From 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Tue, 21 May 2013 21:52:55 +0000 -Subject: bridge: only expire the mdb entry when query is received - -Currently we arm the expire timer when the mdb entry is added, -however, this causes problem when there is no querier sent -out after that. - -So we should only arm the timer when a corresponding query is -received, as suggested by Herbert. - -And he also mentioned "if there is no querier then group -subscriptions shouldn't expire. There has to be at least one querier -in the network for this thing to work. Otherwise it just degenerates -into a non-snooping switch, which is OK." - -Cc: Herbert Xu -Cc: Stephen Hemminger -Cc: "David S. Miller" -Cc: Adam Baker -Signed-off-by: Cong Wang -Acked-by: Herbert Xu -Signed-off-by: David S. Miller ---- -(limited to 'net/bridge') - -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 2475147..40bda80 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -617,8 +617,6 @@ rehash: - - mp->br = br; - mp->addr = *group; -- setup_timer(&mp->timer, br_multicast_group_expired, -- (unsigned long)mp); - - hlist_add_head_rcu(&mp->hlist[mdb->ver], &mdb->mhash[hash]); - mdb->size++; -@@ -656,7 +654,6 @@ static int br_multicast_add_group(struct net_bridge *br, - struct net_bridge_mdb_entry *mp; - struct net_bridge_port_group *p; - struct net_bridge_port_group __rcu **pp; -- unsigned long now = jiffies; - int err; - - spin_lock(&br->multicast_lock); -@@ -671,7 +668,6 @@ static int br_multicast_add_group(struct net_bridge *br, - - if (!port) { - mp->mglist = true; -- mod_timer(&mp->timer, now + br->multicast_membership_interval); - goto out; - } - -@@ -679,7 +675,7 @@ static int br_multicast_add_group(struct net_bridge *br, - (p = mlock_dereference(*pp, br)) != NULL; - pp = &p->next) { - if (p->port == port) -- goto found; -+ goto out; - if ((unsigned long)p->port < (unsigned long)port) - break; - } -@@ -690,8 +686,6 @@ static int br_multicast_add_group(struct net_bridge *br, - rcu_assign_pointer(*pp, p); - br_mdb_notify(br->dev, port, group, RTM_NEWMDB); - --found: -- mod_timer(&p->timer, now + br->multicast_membership_interval); - out: - err = 0; - -@@ -1131,6 +1125,10 @@ static int br_ip4_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -+ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); -+ mod_timer(&mp->timer, now + br->multicast_membership_interval); -+ mp->timer_armed = true; -+ - max_delay *= br->multicast_last_member_count; - - if (mp->mglist && -@@ -1205,6 +1203,10 @@ static int br_ip6_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -+ setup_timer(&mp->timer, br_multicast_group_expired, (unsigned long)mp); -+ mod_timer(&mp->timer, now + br->multicast_membership_interval); -+ mp->timer_armed = true; -+ - max_delay *= br->multicast_last_member_count; - if (mp->mglist && - (timer_pending(&mp->timer) ? -@@ -1263,7 +1265,7 @@ static void br_multicast_leave_group(struct net_bridge *br, - call_rcu_bh(&p->rcu, br_multicast_free_pg); - br_mdb_notify(br->dev, port, group, RTM_DELMDB); - -- if (!mp->ports && !mp->mglist && -+ if (!mp->ports && !mp->mglist && mp->timer_armed && - netif_running(br->dev)) - mod_timer(&mp->timer, jiffies); - } -@@ -1275,30 +1277,12 @@ static void br_multicast_leave_group(struct net_bridge *br, - br->multicast_last_member_interval; - - if (!port) { -- if (mp->mglist && -+ if (mp->mglist && mp->timer_armed && - (timer_pending(&mp->timer) ? - time_after(mp->timer.expires, time) : - try_to_del_timer_sync(&mp->timer) >= 0)) { - mod_timer(&mp->timer, time); - } -- -- goto out; -- } -- -- for (p = mlock_dereference(mp->ports, br); -- p != NULL; -- p = mlock_dereference(p->next, br)) { -- if (p->port != port) -- continue; -- -- if (!hlist_unhashed(&p->mglist) && -- (timer_pending(&p->timer) ? -- time_after(p->timer.expires, time) : -- try_to_del_timer_sync(&p->timer) >= 0)) { -- mod_timer(&p->timer, time); -- } -- -- break; - } - - out: -@@ -1674,6 +1658,7 @@ void br_multicast_stop(struct net_bridge *br) - hlist_for_each_entry_safe(mp, n, &mdb->mhash[i], - hlist[ver]) { - del_timer(&mp->timer); -+ mp->timer_armed = false; - call_rcu_bh(&mp->rcu, br_multicast_free_group); - } - } -diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h -index e260710..1b0ac95 100644 ---- a/net/bridge/br_private.h -+++ b/net/bridge/br_private.h -@@ -112,6 +112,7 @@ struct net_bridge_mdb_entry - struct timer_list timer; - struct br_ip addr; - bool mglist; -+ bool timer_armed; - }; - - struct net_bridge_mdb_htable --- -cgit v0.9.2 diff --git a/bridge-send-query-as-soon-as-leave-is-received.patch b/bridge-send-query-as-soon-as-leave-is-received.patch deleted file mode 100644 index 8b6652e7e..000000000 --- a/bridge-send-query-as-soon-as-leave-is-received.patch +++ /dev/null @@ -1,57 +0,0 @@ -From 6b7df111ece130fa979a0c4f58e53674c1e47d3e Mon Sep 17 00:00:00 2001 -From: Cong Wang -Date: Tue, 21 May 2013 21:52:56 +0000 -Subject: bridge: send query as soon as leave is received - -Continue sending queries when leave is received if the user marks -it as a querier. - -Cc: Herbert Xu -Cc: Stephen Hemminger -Cc: "David S. Miller" -Cc: Adam Baker -Signed-off-by: Cong Wang -Acked-by: Herbert Xu -Signed-off-by: David S. Miller ---- -(limited to 'net/bridge') - -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 40bda80..37a4676 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -1250,6 +1250,32 @@ static void br_multicast_leave_group(struct net_bridge *br, - if (!mp) - goto out; - -+ if (br->multicast_querier && -+ !timer_pending(&br->multicast_querier_timer)) { -+ __br_multicast_send_query(br, port, &mp->addr); -+ -+ time = jiffies + br->multicast_last_member_count * -+ br->multicast_last_member_interval; -+ mod_timer(port ? &port->multicast_query_timer : -+ &br->multicast_query_timer, time); -+ -+ for (p = mlock_dereference(mp->ports, br); -+ p != NULL; -+ p = mlock_dereference(p->next, br)) { -+ if (p->port != port) -+ continue; -+ -+ if (!hlist_unhashed(&p->mglist) && -+ (timer_pending(&p->timer) ? -+ time_after(p->timer.expires, time) : -+ try_to_del_timer_sync(&p->timer) >= 0)) { -+ mod_timer(&p->timer, time); -+ } -+ -+ break; -+ } -+ } -+ - if (port && (port->flags & BR_MULTICAST_FAST_LEAVE)) { - struct net_bridge_port_group __rcu **pp; - --- -cgit v0.9.2 diff --git a/bridge-timer-fix.patch b/bridge-timer-fix.patch deleted file mode 100644 index 888a6f009..000000000 --- a/bridge-timer-fix.patch +++ /dev/null @@ -1,13 +0,0 @@ -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index d6448e3..aadb596 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -269,7 +269,7 @@ static void br_multicast_del_pg(struct net_bridge *br, - del_timer(&p->timer); - call_rcu_bh(&p->rcu, br_multicast_free_pg); - -- if (!mp->ports && !mp->mglist && -+ if (!mp->ports && !mp->mglist && mp->timer_armed && - netif_running(br->dev)) - mod_timer(&mp->timer, jiffies); - diff --git a/config-arm-generic b/config-arm-generic index 7aa5a852a..5000b5b5a 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -1,44 +1,103 @@ -CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y -CONFIG_ARM_AMBA=y -CONFIG_ARM_ARCH_TIMER=y -# CONFIG_ARM_DT_BL_CPUFREQ is not set -CONFIG_ARM_GIC=y +CONFIG_KUSER_HELPERS=y # CONFIG_ASYMMETRIC_KEY_TYPE is not set -CONFIG_BACKLIGHT_PWM=m # CONFIG_COMMON_CLK_DEBUG is not set CONFIG_COMMON_CLK=y -CONFIG_DMA_OF=y -CONFIG_DTC=y CONFIG_EARLY_PRINTK=y -CONFIG_ETHERNET=y CONFIG_FB_SSD1307=m -CONFIG_GENERIC_GPIO=y -CONFIG_GPIOLIB=y -CONFIG_HIGH_RES_TIMERS=y CONFIG_HW_PERF_EVENTS=y -# CONFIG_I2C_NOMADIK is not set -CONFIG_INPUT_PWM_BEEPER=m -# CONFIG_IRQ_DOMAIN_DEBUG is not set -# CONFIG_LEDS_RENESAS_TPU is not set -CONFIG_MMC_ARMMMCI=y -# CONFIG_MMC_SDHCI_PXAV2 is not set -# CONFIG_MMC_SDHCI_PXAV3 is not set CONFIG_MMC=y CONFIG_NFS_FS=y -CONFIG_NLS_ISO8859_1=y -CONFIG_NO_HZ=y -CONFIG_OF_DEVICE=y -CONFIG_OF_GPIO=y -CONFIG_OF_IRQ=y -# CONFIG_OF_SELFTEST is not set -CONFIG_OF=y -CONFIG_PERF_EVENTS=y # CONFIG_PID_IN_CONTEXTIDR is not set CONFIG_PWM=y CONFIG_RCU_FANOUT_LEAF=16 # CONFIG_RTC_DRV_SNVS is not set +CONFIG_BACKLIGHT_PWM=m +CONFIG_INPUT_PWM_BEEPER=m +CONFIG_ARM_SP805_WATCHDOG=m +CONFIG_ARM_ARCH_TIMER=y +# CONFIG_ARM_DT_BL_CPUFREQ is not set +CONFIG_NR_CPUS=8 +CONFIG_ARM_DMA_USE_IOMMU=y + +# ARM AMBA generic HW +CONFIG_ARM_AMBA=y +CONFIG_ARM_GIC=y +CONFIG_MMC_ARMMMCI=y CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_SERIAL_AMBA_PL011=y +CONFIG_SERIO_AMBAKMI=y +CONFIG_OC_ETM=y + +# ARM VExpress +CONFIG_ARCH_VEXPRESS=y +CONFIG_VEXPRESS_CONFIG=y +CONFIG_COMMON_CLK_VERSATILE=y +CONFIG_I2C_VERSATILE=m +CONFIG_POWER_RESET_VEXPRESS=y +CONFIG_REGULATOR_VEXPRESS=m +CONFIG_SENSORS_VEXPRESS=m + +# Device tree +CONFIG_DTC=y +CONFIG_DMA_OF=y +CONFIG_PROC_DEVICETREE=y +CONFIG_OF=y +CONFIG_OF_ADDRESS=y +CONFIG_OF_DEVICE=y +CONFIG_OF_EARLY_FLATTREE=y +CONFIG_OF_FLATTREE=y +CONFIG_OF_GPIO=y +CONFIG_OF_I2C=m +CONFIG_OF_IRQ=y +CONFIG_OF_MDIO=m +CONFIG_OF_MTD=y +CONFIG_OF_NET=y +CONFIG_OF_PCI_IRQ=m +CONFIG_OF_PCI=m +# CONFIG_OF_SELFTEST is not set +CONFIG_SERIAL_OF_PLATFORM=y + +# MTD +CONFIG_MTD_BLKDEVS=m +CONFIG_MTD_BLOCK=m +CONFIG_MTD_CHAR=m +CONFIG_MTD_CFI=m +CONFIG_MTD_CFI_INTELEXT=m +CONFIG_MTD_CFI_AMDSTD=m +CONFIG_MTD_CFI_STAA=m +CONFIG_MTD_OF_PARTS=m +# CONFIG_MTD_CFI_ADV_OPTIONS is not set +CONFIG_MTD_PHYSMAP=m +CONFIG_MTD_PHYSMAP_OF=m +# CONFIG_MTD_PHYSMAP_COMPAT is not set +CONFIG_OF_MTD=y + +# GPIO +CONFIG_GENERIC_GPIO=y +CONFIG_GPIOLIB=y +CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +CONFIG_MDIO_GPIO=m +CONFIG_POWER_RESET_GPIO=y +CONFIG_RFKILL_GPIO=m + +# MFD +CONFIG_MFD_CORE=m + +CONFIG_SMC91X=m +CONFIG_SMC911X=m # CONFIG_CRYPTO_TEST is not set -CONFIG_KUSER_HELPERS=y +# CONFIG_TRANSPARENT_HUGEPAGE is not set +# CONFIG_XEN is not set +# CONFIG_DRM_RCAR_DU is not set +# CONFIG_DRM_SHMOBILE is not set +# CONFIG_MMC_DW_SOCFPGA is not set +# CONFIG_ARM_SMMU is not set +# CONFIG_I2C_NOMADIK is not set +# CONFIG_IRQ_DOMAIN_DEBUG is not set +# CONFIG_LEDS_RENESAS_TPU is not set +# CONFIG_MMC_SDHCI_PXAV2 is not set +# CONFIG_MMC_SDHCI_PXAV3 is not set +# CONFIG_COMMON_CLK_SI5351 is not set +# CONFIG_LOCK_STAT is not set +# CONFIG_PCIEPORTBUS is not set diff --git a/config-armv7 b/config-armv7 index 1bbb3d524..5fb4e9380 100644 --- a/config-armv7 +++ b/config-armv7 @@ -1,21 +1,17 @@ # ARM unified arch kernel -# CONFIG_ARCH_BCM is not set -CONFIG_ARCH_HIGHBANK=y +# CONFIG_ARCH_EXYNOS_MULTI is not set +# CONFIG_ARCH_KEYSTONE is not set CONFIG_ARCH_MVEBU=y CONFIG_ARCH_MXC=y CONFIG_ARCH_OMAP2PLUS=y CONFIG_ARCH_PICOXCELL=y -# CONFIG_ARCH_SIRF is not set +CONFIG_ARCH_ROCKCHIP=y CONFIG_ARCH_SOCFPGA=y -# CONFIG_PLAT_SPEAR is not set CONFIG_ARCH_SUNXI=y CONFIG_ARCH_TEGRA=y # CONFIG_ARCH_U8500 is not set -CONFIG_ARCH_VEXPRESS_CA9X4=y -CONFIG_ARCH_VEXPRESS=y # CONFIG_ARCH_VIRT is not set -# CONFIG_ARCH_WM8850 is not set CONFIG_ARCH_ZYNQ=y # These are supported in the LPAE kernel @@ -27,16 +23,7 @@ CONFIG_ARCH_ZYNQ=y # Generic CONFIG_REMOTEPROC=m -# highbank -# 2013/04/19 - stability issues -# CONFIG_CPU_IDLE_CALXEDA is not set -CONFIG_EDAC_HIGHBANK_MC=m -CONFIG_EDAC_HIGHBANK_L2=m -CONFIG_SATA_HIGHBANK=m -CONFIG_ARM_HIGHBANK_CPUFREQ=m - -# versatile -CONFIG_VEXPRESS_CONFIG=y +# FIXME should be generic (I think it's enabled by default) CONFIG_FB=y CONFIG_FB_ARMCLCD=m CONFIG_FB_CFB_COPYAREA=m @@ -45,13 +32,14 @@ CONFIG_FB_CFB_IMAGEBLIT=m CONFIG_TOUCHSCREEN_ADS7846=m CONFIG_OC_ETM=y -CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y # mvebu CONFIG_MACH_ARMADA_370_XP=y CONFIG_MACH_ARMADA_370=y CONFIG_MACH_ARMADA_XP=y +CONFIG_MVEBU_DEVBUS=y +CONFIG_PCI_MVEBU=y CONFIG_CACHE_TAUROS2=y CONFIG_MV_XOR=y CONFIG_CRYPTO_DEV_MV_CESA=m @@ -86,6 +74,7 @@ CONFIG_SOC_OMAP5=y CONFIG_SOC_OMAP3430=y CONFIG_SOC_TI81XX=y CONFIG_SOC_AM33XX=y +CONFIG_SOC_AM43XX=y CONFIG_MACH_OMAP_GENERIC=y CONFIG_MACH_OMAP3_BEAGLE=y CONFIG_MACH_DEVKIT8000=y @@ -111,8 +100,6 @@ CONFIG_MACH_SBC3530=y CONFIG_MACH_OMAP_3630SDP=y CONFIG_MACH_TI8168EVM=y CONFIG_MACH_TI8148EVM=y -CONFIG_MACH_OMAP_4430SDP=y -CONFIG_MACH_OMAP4_PANDA=y CONFIG_SOC_HAS_REALTIME_COUNTER=y CONFIG_OMAP_RESET_CLOCKS=y @@ -123,17 +110,23 @@ CONFIG_OMAP_32K_TIMER_HZ=128 # CONFIG_OMAP3_L2_AUX_SECURE_SAVE_RESTORE is not set CONFIG_OMAP_MCBSP=y +CONFIG_OMAP2PLUS_MBOX=m CONFIG_OMAP_MBOX_FWK=m CONFIG_OMAP_MBOX_KFIFO_SIZE=256 CONFIG_OMAP_DM_TIMER=y CONFIG_OMAP_PM_NOOP=y +CONFIG_DMA_OMAP=y CONFIG_OMAP_IOMMU=y CONFIG_OMAP_IOVMM=m +CONFIG_HWSPINLOCK_OMAP=m CONFIG_OMAP3_EMU=y # CONFIG_OMAP3_SDRC_AC_TIMING is not set -CONFIG_ARM_OMAP2PLUS_CPUFREQ=y +CONFIG_OMAP_WATCHDOG=m +CONFIG_TWL4030_WATCHDOG=m CONFIG_TI_ST=m +CONFIG_TI_EDMA=y +CONFIG_TI_SOC_THERMAL=m CONFIG_TI_DAC7512=m CONFIG_TI_DAVINCI_EMAC=m CONFIG_TI_DAVINCI_MDIO=m @@ -142,6 +135,7 @@ CONFIG_TI_CPSW=m CONFIG_TI_CPTS=y CONFIG_TI_EMIF=m CONFIG_MFD_TPS65217=m +CONFIG_REGULATOR_TI_ABB=y CONFIG_REGULATOR_TPS65217=m CONFIG_BACKLIGHT_TPS65217=m @@ -156,7 +150,6 @@ CONFIG_OMAP_WATCHDOG=m CONFIG_TWL4030_CORE=y CONFIG_TWL4030_MADC=m CONFIG_TWL4030_POWER=y -CONFIG_TWL4030_CODEC=y CONFIG_TWL4030_WATCHDOG=m CONFIG_TWL4030_USB=m CONFIG_TWL6030_USB=m @@ -172,8 +165,10 @@ CONFIG_HDQ_MASTER_OMAP=m CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m CONFIG_OMAP_OCP2SCP=m -CONFIG_USB_EHCI_HCD_OMAP=y -CONFIG_USB_OHCI_HCD_PLATFORM=y +CONFIG_OMAP_USB2=m +CONFIG_OMAP_USB3=m +CONFIG_USB_EHCI_HCD_OMAP=m +CONFIG_USB_OHCI_HCD_PLATFORM=m CONFIG_USB_OHCI_HCD_OMAP3=y CONFIG_USB_MUSB_AM35X=m CONFIG_USB_MUSB_OMAP2PLUS=m @@ -182,17 +177,12 @@ CONFIG_USB_GADGET_MUSB_HDRC=m # CONFIG_MUSB_PIO_ONLY is not set # CONFIG_USB_MUSB_DEBUG is not set CONFIG_OMAP_CONTROL_USB=m -CONFIG_NOP_USB_XCEIV=m CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y CONFIG_RTC_DRV_MAX8907=m # CONFIG_RTC_DRV_TWL92330 is not set -CONFIG_RTC_DRV_TWL4030=m -CONFIG_RTC_DRV_OMAP=m -# Note needs to be compiled in until we build MMC modular -CONFIG_DMA_OMAP=y -CONFIG_OMAP_IOVMM=m -CONFIG_HWSPINLOCK_OMAP=m +CONFIG_RTC_DRV_TWL4030=y +CONFIG_RTC_DRV_OMAP=y CONFIG_SENSORS_TWL4030_MADC=m CONFIG_WL_TI=y @@ -206,9 +196,7 @@ CONFIG_WILINK_PLATFORM_DATA=y CONFIG_MFD_WL1273_CORE=m CONFIG_NFC_WILINK=m -CONFIG_MTD_NAND_OMAP2=y -CONFIG_MTD_NAND_OMAP_PREFETCH=y -CONFIG_MTD_NAND_OMAP_PREFETCH_DMA=y +CONFIG_MTD_NAND_OMAP2=m CONFIG_SPI_DAVINCI=m CONFIG_SPI_OMAP24XX=m CONFIG_MFD_TI_SSP=m @@ -245,8 +233,6 @@ CONFIG_HW_RANDOM_OMAP=m CONFIG_DRM_TILCDC=m CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_NUM_CRTCS=2 -CONFIG_OMAP2_VRAM=y -CONFIG_OMAP2_VRAM_SIZE=0 CONFIG_OMAP2_VRFB=y # CONFIG_FB_OMAP_BOOTLOADER_INIT is not set # CONFIG_FB_OMAP_LCD_VGA is not set @@ -278,6 +264,19 @@ CONFIG_PANEL_LGPHILIPS_LB035Q02=m CONFIG_PANEL_ACX565AKM=m # CONFIG_PANEL_N8X0 is not set +CONFIG_DISPLAY_ENCODER_TFP410=m +CONFIG_DISPLAY_ENCODER_TPD12S015=m +CONFIG_DISPLAY_CONNECTOR_DVI=m +CONFIG_DISPLAY_CONNECTOR_HDMI=m +CONFIG_DISPLAY_CONNECTOR_ANALOG_TV=m +CONFIG_DISPLAY_PANEL_DPI=m +CONFIG_DISPLAY_PANEL_DSI_CM=m +CONFIG_DISPLAY_PANEL_SONY_ACX565AKM=m +CONFIG_DISPLAY_PANEL_LGPHILIPS_LB035Q02=m +CONFIG_DISPLAY_PANEL_SHARP_LS037V7DW01=m +CONFIG_DISPLAY_PANEL_TPO_TD043MTEA1=m +CONFIG_DISPLAY_PANEL_NEC_NL8048HL11=m + # Enable V4L2 drivers for OMAP2+ CONFIG_MEDIA_CONTROLLER=y CONFIG_VIDEO_V4L2_SUBDEV_API=y @@ -320,6 +319,7 @@ CONFIG_SND_SOC_TLV320AIC23=m CONFIG_SND_SOC_TLV320AIC3X=m CONFIG_SND_SOC_TWL4030=m CONFIG_SND_SOC_TWL6040=m +CONFIG_SND_SOC_PCM1792A=m CONFIG_RADIO_WL128X=m CONFIG_OMAP_REMOTEPROC=m @@ -341,40 +341,9 @@ CONFIG_OMAP_REMOTEPROC=m # Allwinner a1x CONFIG_PINCTRL_SUNXI=y -# CONFIG_SUNXI_RFKILL=y -# CONFIG_SUNXI_NAND=y -# CONFIG_SUNXI_DBGREG=m -# CONFIG_WEMAC_SUN4I=y -# CONFIG_KEYBOARD_SUN4IKEYPAD=m -# CONFIG_KEYBOARD_SUN4I_KEYBOARD=m -# CONFIG_IR_SUN4I=m -# CONFIG_TOUCHSCREEN_SUN4I_TS=m -# CONFIG_SUN4I_G2D=y -# CONFIG_I2C_SUN4I=y -# CONFIG_DRM_MALI=m -# CONFIG_MALI=m -# CONFIG_FB_SUNXI=m -# CONFIG_FB_SUNXI_UMP=y -# CONFIG_FB_SUNXI_LCD=m -# CONFIG_FB_SUNXI_HDMI=m -# CONFIG_SOUND_SUN4I=y -# CONFIG_SND_SUN4I_SOC_CODEC=y -# CONFIG_SND_SUN4I_SOC_HDMIAUDIO=y -# CONFIG_SND_SUN4I_SOC_SPDIF=m -# CONFIG_SND_SUN4I_SOC_I2S_INTERFACE=m -# CONFIG_SND_SOC_I2C_AND_SPI=y -# CONFIG_USB_SW_SUN4I_HCD=y -# CONFIG_USB_SW_SUN4I_HCD0=y -# CONFIG_USB_SW_SUN4I_HCI=y -# CONFIG_USB_SW_SUN4I_EHCI0=y -# CONFIG_USB_SW_SUN4I_EHCI1=y -# CONFIG_USB_SW_SUN4I_OHCI0=y -# CONFIG_USB_SW_SUN4I_OHCI1=y -# CONFIG_USB_SW_SUN4I_USB=y -# CONFIG_USB_SW_SUN4I_USB_MANAGER=y -# CONFIG_MMC_SUNXI_POWER_CONTROL=y -# CONFIG_MMC_SUNXI=y -# CONFIG_RTC_DRV_SUN4I=y +CONFIG_MDIO_SUN4I=m +CONFIG_NET_VENDOR_ALLWINNER=y +CONFIG_SUN4I_EMAC=m # imx CONFIG_MXC_IRQ_PRIOR=y @@ -384,7 +353,12 @@ CONFIG_MACH_IMX51_DT=y # CONFIG_MACH_EUKREA_CPUIMX51SD is not set CONFIG_SOC_IMX53=y CONFIG_SOC_IMX6Q=y +CONFIG_SOC_IMX6SL=y CONFIG_PATA_IMX=m +CONFIG_USB_CHIPIDEA=m +CONFIG_USB_CHIPIDEA_UDC=y +CONFIG_USB_CHIPIDEA_HOST=y +# CONFIG_USB_CHIPIDEA_DEBUG is not set CONFIG_NET_VENDOR_FREESCALE=y CONFIG_FEC=m CONFIG_KEYBOARD_IMX=m @@ -392,11 +366,23 @@ CONFIG_SERIAL_IMX=y CONFIG_SERIAL_IMX_CONSOLE=y CONFIG_I2C_IMX=m CONFIG_SPI_IMX=m +CONFIG_MFD_MC13783=m +CONFIG_MFD_MC13XXX_SPI=m CONFIG_W1_MASTER_MXC=m +CONFIG_IMX_WEIM=y CONFIG_IMX2_WDT=m +CONFIG_CRYPTO_DEV_SAHARA=m # CONFIG_FB_MX3 is not set CONFIG_SND_IMX_SOC=m +CONFIG_SND_SOC_FSL_SSI=m +CONFIG_SND_SOC_FSL_UTILS=m +CONFIG_SND_SOC_IMX_SSI=m +CONFIG_SND_SOC_IMX_AUDMUX=m +CONFIG_SND_SOC_IMX_PCM_FIQ=m +CONFIG_SND_SOC_IMX_PCM_DMA=m CONFIG_SND_SOC_IMX_SGTL5000=m +CONFIG_SND_SOC_IMX_WM8962=m +CONFIG_SND_SOC_IMX_MC13783=m CONFIG_USB_EHCI_MXC=m CONFIG_USB_IMX21_HCD=m CONFIG_USB_MXS_PHY=m @@ -409,16 +395,23 @@ CONFIG_RTC_DRV_MXC=m # CONFIG_MX3_IPU_IRQS is not set CONFIG_IMX_SDMA=m CONFIG_IMX_DMA=m +CONFIG_AHCI_IMX=m # CONFIG_MXS_DMA is not set CONFIG_PWM_IMX=m CONFIG_BACKLIGHT_PWM=m CONFIG_DRM_IMX=m CONFIG_DRM_IMX_FB_HELPER=m -CONFIG_DRM_IMX_PARALLEL_DISPLAY=m CONFIG_DRM_IMX_IPUV3_CORE=m CONFIG_DRM_IMX_IPUV3=m +# CONFIG_DRM_IMX_LDB is not set +CONFIG_DRM_IMX_PARALLEL_DISPLAY=m CONFIG_DRM_IMX_TVE=m CONFIG_VIDEO_CODA=m +CONFIG_SENSORS_MC13783_ADC=m +CONFIG_REGULATOR_MC13783=m +CONFIG_REGULATOR_MC13892=m +CONFIG_LEDS_MC13783=m +CONFIG_RTC_DRV_MC13XXX=m CONFIG_INPUT_PWM_BEEPER=m CONFIG_INPUT_88PM80X_ONKEY=m @@ -467,11 +460,18 @@ CONFIG_AB8500_BM=y CONFIG_AB8500_GPADC=y CONFIG_SENSORS_AB8500=m CONFIG_STE_MODEM_RPROC=m +CONFIG_CW1200=m +CONFIG_CW1200_WLAN_SDIO=m +CONFIG_CW1200_WLAN_SPI=m +CONFIG_UX500_WATCHDOG=m # tegra CONFIG_ARCH_TEGRA_2x_SOC=y CONFIG_ARCH_TEGRA_3x_SOC=y # CONFIG_ARCH_TEGRA_114_SOC is not set +CONFIG_ARM_TEGRA_CPUFREQ=y +CONFIG_TEGRA20_MC=y +CONFIG_TEGRA30_MC=y CONFIG_SERIAL_TEGRA=y @@ -494,18 +494,19 @@ CONFIG_KEYBOARD_TEGRA=m CONFIG_PINCTRL_TEGRA=y CONFIG_PINCTRL_TEGRA20=y CONFIG_PINCTRL_TEGRA30=y -CONFIG_USB_EHCI_TEGRA=y -CONFIG_RTC_DRV_TEGRA=y +CONFIG_USB_EHCI_TEGRA=m +CONFIG_RTC_DRV_TEGRA=m CONFIG_SND_SOC_TEGRA=m CONFIG_SND_SOC_TEGRA_ALC5632=m +CONFIG_SND_SOC_TEGRA_RT5640=m +CONFIG_SND_SOC_TEGRA_TRIMSLICE=m CONFIG_SND_SOC_TEGRA_WM8753=m CONFIG_SND_SOC_TEGRA_WM8903=m CONFIG_SND_SOC_TEGRA_WM9712=m -CONFIG_SND_SOC_TEGRA_TRIMSLICE=m +CONFIG_SND_SOC_TEGRA20_AC97=m CONFIG_SND_SOC_TEGRA30_AHUB=m CONFIG_SND_SOC_TEGRA30_I2S=m -CONFIG_SND_SOC_TEGRA20_AC97=m # AC100 (PAZ00) CONFIG_MFD_NVEC=y @@ -534,8 +535,21 @@ CONFIG_CRYPTO_DEV_TEGRA_AES=m CONFIG_LEDS_RENESAS_TPU=y -# ZYNQ +# OLPC XO +CONFIG_SERIO_OLPC_APSP=m + +# Zynq-7xxx +# likely needs usb/mmc still +CONFIG_SERIAL_XILINX_PS_UART=y +CONFIG_SERIAL_XILINX_PS_UART_CONSOLE=y +CONFIG_COMMON_CLK_AXI_CLKGEN=m +CONFIG_CPU_IDLE_ZYNQ=y CONFIG_LATTICE_ECP3_CONFIG=m +CONFIG_NET_VENDOR_XILINX=y +CONFIG_XILINX_EMACLITE=m +CONFIG_GPIO_XILINX=y +CONFIG_I2C_XILINX=m +CONFIG_SPI_XILINX=m # MMC/SD CONFIG_MMC_TMIO=m @@ -543,8 +557,6 @@ CONFIG_MMC_SDHCI_PXAV3=m CONFIG_MMC_SDHCI_PXAV2=m # Multi function devices -CONFIG_MFD_CORE=m -CONFIG_MFD_SYSCON=y CONFIG_MFD_88PM800=m CONFIG_MFD_88PM805=m CONFIG_MFD_T7L66XB=y @@ -575,12 +587,39 @@ CONFIG_REGULATOR_MAX8907=m CONFIG_REGULATOR_LP872X=y CONFIG_REGULATOR_LP8755=m +# usb gadget +CONFIG_USB_GADGET=m +CONFIG_USB_GADGET_VBUS_DRAW=100 +CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 +# CONFIG_USB_FSL_USB2 is not set +# CONFIG_USB_FUSB300 is not set +# CONFIG_USB_RENESAS_USBHS is not set +# CONFIG_USB_GADGET_DEBUG is not set +# CONFIG_USB_GADGET_DEBUG_FILES is not set +# CONFIG_USB_GADGET_DEBUG_FS is not set +# CONFIG_USB_GADGET_VBUS_DRAW is not set +# CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS is not set +# CONFIG_USB_FOTG210_UDC is not set +# CONFIG_USB_R8A66597 is not set +# CONFIG_USB_PXA27X is not set +# CONFIG_USB_MV_UDC is not set +# CONFIG_USB_MV_U3D is not set +# CONFIG_USB_M66592 is not set +# CONFIG_USB_AMD5536UDC is not set +# CONFIG_USB_NET2272 is not set +# CONFIG_USB_NET2280 is not set +# CONFIG_USB_GOKU is not set +# CONFIG_USB_EG20T is not set +# CONFIG_USB_DUMMY_HCD is not set +# CONFIG_USB_ZERO_HNPTEST is not set +# CONFIG_USB_ETH_RNDIS is not set +# CONFIG_USB_ETH_EEM is not set + # Needs work/investigation # CONFIG_ARM_CHARLCD is not set # CONFIG_MTD_AFS_PARTS is not set # CONFIG_IP_PNP_RARP is not set -# CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PID_IN_CONTEXTIDR is not set # CONFIG_DEPRECATED_PARAM_STRUCT is not set @@ -588,10 +627,6 @@ CONFIG_REGULATOR_LP8755=m # Defined config options we don't use yet # CONFIG_PINCTRL_IMX35 is not set -# CONFIG_DRM_IMX_FB_HELPER is not set -# CONFIG_DRM_IMX_PARALLEL_DISPLAY is not set -# CONFIG_DRM_IMX_IPUV3_CORE is not set -# CONFIG_DRM_IMX_IPUV3 is not set # CONFIG_REGULATOR_ANATOP is not set # CONFIG_BATTERY_RX51 is not set @@ -619,8 +654,6 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_PMIC_ADP5520 is not set # CONFIG_REGULATOR_LP3972 is not set # CONFIG_REGULATOR_LP872X is not set -# CONFIG_SGI_IOC4 is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_DVB_USB_PCTV452E is not set # We need to fix these as they should be either generic includes or kconfig fixes @@ -637,3 +670,9 @@ CONFIG_REGULATOR_LP8755=m # CONFIG_DRM_TEGRA_DEBUG is not set # CONFIG_CRYPTO_DEV_UX500_DEBUG is not set # CONFIG_AB8500_DEBUG is not set + +# CONFIG_SOC_VF610 is not set +# CONFIG_ARM_CCI is not set +# CONFIG_GPIO_XILINX is not set +# CONFIG_SERIAL_UARTLITE is not set + diff --git a/config-armv7-generic b/config-armv7-generic index 897a7e3ee..663f86b82 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -46,6 +46,25 @@ CONFIG_ALWAYS_USE_PERSISTENT_CLOCK=y # CONFIG_XIP_KERNEL is not set # CONFIG_ARM_VIRT_EXT is not set +# Platforms enabled/disabled globally on ARMv7 +CONFIG_ARCH_HIGHBANK=y +CONFIG_ARCH_VEXPRESS_CA9X4=y +CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y +# CONFIG_ARCH_BCM is not set +# CONFIG_PLAT_SPEAR is not set +# CONFIG_ARCH_STI is not set +# CONFIG_ARCH_SIRF is not set +# CONFIG_ARCH_U8500 is not set +# CONFIG_ARCH_WM8850 is not set + +# highbank +# 2013/04/19 - stability issues +# CONFIG_CPU_IDLE_CALXEDA is not set +CONFIG_EDAC_HIGHBANK_MC=m +CONFIG_EDAC_HIGHBANK_L2=m +CONFIG_SATA_HIGHBANK=m +CONFIG_ARM_HIGHBANK_CPUFREQ=m + # errata # v5/v6 # CONFIG_ARM_ERRATA_326103 is not set @@ -76,8 +95,6 @@ CONFIG_PJ4B_ERRATA_4742=y # CONFIG_ARM_ERRATA_798181 is not set # generic that deviates from or should be merged into config-generic -CONFIG_SMP=y -CONFIG_NR_CPUS=8 CONFIG_SMP_ON_UP=y CONFIG_HIGHMEM=y CONFIG_CC_OPTIMIZE_FOR_SIZE=y @@ -98,15 +115,8 @@ CONFIG_RCU_FANOUT=32 CONFIG_DEFAULT_MMAP_MIN_ADDR=32768 CONFIG_LSM_MMAP_MIN_ADDR=32768 -CONFIG_SECCOMP=y -CONFIG_STRICT_DEVMEM=y - CONFIG_XZ_DEC_ARM=y -CONFIG_OC_ETM=y -CONFIG_PM=y -CONFIG_PM_STD_PARTITION="" -CONFIG_SUSPEND=y CONFIG_ARM_CPU_SUSPEND=y CONFIG_LOCAL_TIMERS=y @@ -119,7 +129,6 @@ CONFIG_IP_PNP_BOOTP=y # Root as NFS, different from mainline CONFIG_ROOT_NFS=y -CONFIG_NLS_CODEPAGE_437=y CONFIG_LBDAF=y @@ -127,15 +136,7 @@ CONFIG_LBDAF=y CONFIG_USE_OF=y CONFIG_ARM_ATAG_DTB_COMPAT=y CONFIG_ARM_APPENDED_DTB=y -CONFIG_PROC_DEVICETREE=y -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_OF_PCI=y -CONFIG_OF_PCI_IRQ=y CONFIG_I2C_MUX_PINCTRL=m -CONFIG_OF_MDIO=m - -CONFIG_OF_DISPLAY_TIMING=y -CONFIG_OF_VIDEOMODE=y # General vexpress ARM drivers CONFIG_ARM_TIMER_SP804=y @@ -152,11 +153,8 @@ CONFIG_RTC_DRV_PL031=y CONFIG_PL330_DMA=m CONFIG_AMBA_PL08X=y CONFIG_ARM_SP805_WATCHDOG=m -CONFIG_I2C_VERSATILE=m CONFIG_GPIO_PL061=y -CONFIG_SENSORS_VEXPRESS=m CONFIG_FB_ARMCLCD=m -CONFIG_REGULATOR_VEXPRESS=m # usb CONFIG_USB_OTG=y @@ -165,9 +163,6 @@ CONFIG_USB_OTG=y CONFIG_USB_ULPI=y CONFIG_AX88796=m CONFIG_AX88796_93CX6=y -CONFIG_SMC91X=m -CONFIG_SMC911X=m -CONFIG_SMSC911X=m CONFIG_USB_ISP1760_HCD=m # CONFIG_USB_EHCI_HCD_ORION is not set @@ -183,7 +178,7 @@ CONFIG_MFD_TPS65912_SPI=y CONFIG_PINMUX=y CONFIG_PINCONF=y CONFIG_PINCTRL=y -CONFIG_PINCTRL_SINGLE=m +CONFIG_PINCTRL_SINGLE=y # CONFIG_PINCTRL_SAMSUNG is not set # CONFIG_PINCTRL_EXYNOS4 is not set @@ -194,7 +189,6 @@ CONFIG_EXTCON_GPIO=m CONFIG_GPIO_ADNP=m CONFIG_GPIO_MCP23S08=m CONFIG_POWER_RESET_GPIO=y -CONFIG_RFKILL_GPIO=m CONFIG_SERIAL_8250_EM=m CONFIG_INPUT_GPIO_TILT_POLLED=m CONFIG_MDIO_BUS_MUX_GPIO=m @@ -226,6 +220,8 @@ CONFIG_SPI_DESIGNWARE=m CONFIG_SPI_TLE62X0=m # CONFIG_SPI_FSL_SPI is not set +CONFIG_NFC_NCI_SPI=y + # HW crypto and rng CONFIG_CRYPTO_SHA1_ARM=m CONFIG_CRYPTO_AES_ARM=m @@ -244,7 +240,6 @@ CONFIG_POWER_RESET_RESTART=y CONFIG_ARM_PSCI=y # MTD -CONFIG_MTD_OF_PARTS=y # CONFIG_MG_DISK is not set CONFIG_MTD_DATAFLASH=m CONFIG_MTD_DATAFLASH_WRITE_VERIFY=y @@ -256,13 +251,20 @@ CONFIG_EEPROM_93XX46=m # MMC/SD CONFIG_MMC_SPI=m + +# Designware (used by numerous devices) CONFIG_MMC_DW=m CONFIG_MMC_DW_PLTFM=m CONFIG_MMC_DW_PCI=m CONFIG_SPI_DW_MMIO=m CONFIG_SPI_DW_PCI=m +CONFIG_MMC_DW_SOCFPGA=m # CONFIG_MMC_DW_EXYNOS is not set # CONFIG_MMC_DW_IDMAC is not set +CONFIG_USB_DWC2=m +CONFIG_USB_DWC3=m +# CONFIG_USB_DWC3_DEBUG is not set +CONFIG_DW_WATCHDOG=m # Sound CONFIG_SND_ARM=y @@ -401,7 +403,6 @@ CONFIG_UBIFS_FS_ZLIB=y # Should be in generic CONFIG_BPF_JIT=y -# CONFIG_NET_VENDOR_BROADCOM is not set # CONFIG_NET_VENDOR_CIRRUS is not set # CONFIG_NET_VENDOR_MICROCHIP is not set @@ -410,6 +411,7 @@ CONFIG_BPF_JIT=y # CONFIG_DRM_EXYNOS is not set # CONFIG_DRM_TILCDC is not set # CONFIG_DRM_IMX is not set +# CONFIG_AHCI_IMX is not set # CONFIG_CS89x0 is not set # CONFIG_DM9000 is not set # CONFIG_HW_RANDOM_ATMEL is not set @@ -429,7 +431,6 @@ CONFIG_BPF_JIT=y # CONFIG_SERIAL_MAX3100 is not set # CONFIG_SERIAL_MAX310X is not set # CONFIG_SERIAL_IFX6X60 is not set -# CONFIG_COMMON_CLK_SI5351 is not set # CONFIG_COMMON_CLK_AXI_CLKGEN is not set # CONFIG_SPI_TOPCLIFF_PCH is not set # CONFIG_SPI_PXA2XX is not set @@ -455,3 +456,6 @@ CONFIG_BPF_JIT=y # CONFIG_DEBUG_LL is not set # CONFIG_DEBUG_PINCTRL is not set # CONFIG_ARM_DT_BL_CPUFREQ is not set + +# FIX ME +# CONFIG_FB_XILINX is not set diff --git a/config-armv7-lpae b/config-armv7-lpae index a7db64919..c4febfc94 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -1,16 +1,35 @@ -# ARM unified arch kernel -CONFIG_ARCH_EXYNOS=y +# ARM A15 lpae unified arch kernel +CONFIG_ARCH_EXYNOS_MULTI=y +CONFIG_ARCH_KEYSTONE=y CONFIG_ARCH_VIRT=y +CONFIG_ARCH_EXYNOS5=y + +# CONFIG_ARCH_MVEBU is not set +# CONFIG_ARCH_MXC is not set +# CONFIG_ARCH_OMAP3 is not set +# CONFIG_ARCH_OMAP4 is not set +# CONFIG_SOC_OMAP5 is not set +# CONFIG_SOC_AM33XX is not set +# CONFIG_SOC_AM43XX is not set +# CONFIG_ARCH_ROCKCHIP is not set +# CONFIG_ARCH_SOCFPGA is not set +# CONFIG_ARCH_SUNXI is not set +# CONFIG_ARCH_TEGRA is not set +# CONFIG_ARCH_ZYNQ is not set + # CONFIG_ARCH_EXYNOS4 is not set -CONFIG_ARCH_EXYNOS5=y # CONFIG_EXYNOS_ATAGS is not set CONFIG_ARM_LPAE=y +CONFIG_SYS_SUPPORTS_HUGETLBFS=y +CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y CONFIG_VIRTIO_CONSOLE=m CONFIG_ARM_VIRT_EXT=y CONFIG_VIRTUALIZATION=y +CONFIG_ARM_SMMU=y +CONFIG_ARM_DMA_IOMMU_ALIGNMENT=8 # Cortex-A15 CONFIG_ARM_ERRATA_798181=y @@ -42,26 +61,22 @@ CONFIG_XEN_WDT=m CONFIG_MACH_EXYNOS5_DT=y CONFIG_SERIAL_SAMSUNG=y CONFIG_SERIAL_SAMSUNG_CONSOLE=y -CONFIG_SERIAL_OF_PLATFORM=y -CONFIG_S3C_BOOT_ERROR_RESET=y -CONFIG_S3C_BOOT_UART_FORCE_FIFO=y -CONFIG_S3C_LOWLEVEL_UART_PORT=0 -CONFIG_S3C_GPIO_SPACE=8 -CONFIG_S3C_ADC=y -CONFIG_S3C24XX_PWM=y # CONFIG_SAMSUNG_PM_DEBUG is not set # CONFIG_SAMSUNG_PM_CHECK is not set CONFIG_SOC_EXYNOS5250=y +CONFIG_SOC_EXYNOS5420=y CONFIG_SOC_EXYNOS5440=y CONFIG_ARM_EXYNOS_CPUFREQ=y # CONFIG_GENERIC_CPUFREQ_CPU0 is not set CONFIG_EXYNOS_THERMAL=m +CONFIG_PCI_EXYNOS=y +CONFIG_ARM_CCI=y CONFIG_TCG_TIS_I2C_INFINEON=m -CONFIG_I2C_S3C2410=m + CONFIG_PINCTRL_EXYNOS=y CONFIG_PINCTRL_EXYNOS5440=y -CONFIG_S3C2410_WATCHDOG=m +CONFIG_EXYNOS_IOMMU=y CONFIG_VIDEO_SAMSUNG_S5P_G2D=m CONFIG_VIDEO_SAMSUNG_S5P_JPEG=m CONFIG_VIDEO_SAMSUNG_S5P_MFC=m @@ -76,7 +91,7 @@ CONFIG_DRM_EXYNOS_DMABUF=y CONFIG_DRM_EXYNOS_FIMD=y CONFIG_DRM_EXYNOS_HDMI=y CONFIG_DRM_EXYNOS_VIDI=y -# CONFIG_DRM_EXYNOS_G2D is not set +CONFIG_DRM_EXYNOS_G2D=y CONFIG_DRM_EXYNOS_IPP=y CONFIG_DRM_EXYNOS_FIMC=y CONFIG_DRM_EXYNOS_ROTATOR=y @@ -86,29 +101,16 @@ CONFIG_SND_SOC_SAMSUNG=m CONFIG_USB_EHCI_HCD=y CONFIG_USB_EHCI_S5P=m CONFIG_USB_OHCI_EXYNOS=y -CONFIG_USB_DWC3=m -# CONFIG_USB_DWC3_DEBUG is not set -CONFIG_S3C_DEV_HSMMC=y -CONFIG_MMC_SDHCI_S3C=m -CONFIG_MMC_SDHCI_S3C_DMA=y -CONFIG_RTC_DRV_S3C=m CONFIG_PWM_SAMSUNG=m -CONFIG_S3C_BOOT_WATCHDOG=y CONFIG_SAMSUNG_GPIO_EXTRA=8 CONFIG_SERIAL_SAMSUNG_CONSOLE=y -CONFIG_BATTERY_S3C_ADC=m -CONFIG_SENSORS_S3C=m -CONFIG_SENSORS_S3C_RAW=y -CONFIG_FB_S3C_DEBUG_REGWRITE=y CONFIG_SND_SOC_SAMSUNG_SMDK_SPDIF=m CONFIG_USB_EHCI_S5P=y CONFIG_SAMSUNG_USBPHY=m CONFIG_SAMSUNG_USB2PHY=m CONFIG_SAMSUNG_USB3PHY=m -CONFIG_MMC_DW=m -CONFIG_MMC_DW_PLTFM=m -CONFIG_MMC_DW_PCI=m CONFIG_MMC_DW_EXYNOS=m +CONFIG_RTC_DRV_S3C=m # Chromebook CONFIG_MFD_CROS_EC=m @@ -123,5 +125,13 @@ CONFIG_REGULATOR_MAX8997=m CONFIG_REGULATOR_S5M8767=m CONFIG_COMMON_CLK_MAX77686=m +CONFIG_S3C_LOWLEVEL_UART_PORT=1 # CONFIG_EXYNOS4_SDHCI_CH0_8BIT is not set # CONFIG_EXYNOS4_SDHCI_CH2_8BIT is not set + +# CONFIG_S3C_BOOT_ERROR_RESET is not set +# CONFIG_S3C_BOOT_UART_FORCE_FIFO is not set +# CONFIG_I2C_S3C2410 is not set +# CONFIG_S3C2410_WATCHDOG is not set +# CONFIG_MMC_SDHCI_S3C is not set +# CONFIG_TEGRA_HOST1X is not set diff --git a/config-debug b/config-debug index e7f7ce147..fb7df3e38 100644 --- a/config-debug +++ b/config-debug @@ -5,6 +5,7 @@ CONFIG_SND_PCM_XRUN_DEBUG=y CONFIG_DEBUG_ATOMIC_SLEEP=y CONFIG_DEBUG_MUTEXES=y +CONFIG_DEBUG_WW_MUTEX_SLOWPATH=y CONFIG_DEBUG_RT_MUTEXES=y CONFIG_DEBUG_LOCK_ALLOC=y CONFIG_PROVE_LOCKING=y @@ -64,6 +65,8 @@ CONFIG_DEBUG_CREDENTIALS=y CONFIG_EXT4_DEBUG=y +CONFIG_XFS_WARN=y + CONFIG_DEBUG_PERF_USE_VMALLOC=y # off in both production debug and nodebug builds, @@ -82,6 +85,8 @@ CONFIG_ATH_DEBUG=y CONFIG_CARL9170_DEBUGFS=y CONFIG_IWLWIFI_DEVICE_TRACING=y +CONFIG_RTLWIFI_DEBUG=y + CONFIG_DEBUG_OBJECTS_WORK=y CONFIG_DMADEVICES_DEBUG=y @@ -100,6 +105,7 @@ CONFIG_KDB_CONTINUE_CATASTROPHIC=0 CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER=y CONFIG_TEST_LIST_SORT=y +CONFIG_TEST_STRING_HELPERS=m CONFIG_DETECT_HUNG_TASK=y CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 @@ -115,9 +121,7 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y CONFIG_MAC80211_MESSAGE_TRACING=y CONFIG_EDAC_DEBUG=y + +CONFIG_X86_DEBUG_STATIC_CPU_HAS=y CONFIG_LATENCYTOP=y CONFIG_SCHEDSTATS=y - -CONFIG_TEST_STRING_HELPERS=m -CONFIG_XFS_WARN=y - diff --git a/config-generic b/config-generic index 7e1ecf1cf..182d8a273 100644 --- a/config-generic +++ b/config-generic @@ -35,6 +35,7 @@ CONFIG_SWAP=y CONFIG_SYSVIPC=y CONFIG_BSD_PROCESS_ACCT=y CONFIG_BSD_PROCESS_ACCT_V3=y +# CONFIG_COMPILE_TEST is not set CONFIG_FHANDLE=y CONFIG_TASKSTATS=y CONFIG_TASK_DELAY_ACCT=y @@ -67,6 +68,7 @@ CONFIG_PREEMPT_VOLUNTARY=y # CONFIG_PREEMPT is not set CONFIG_SLUB=y +CONFIG_SLUB_CPU_PARTIAL=y # CONFIG_SLUB_STATS is not set # CONFIG_AD525X_DPOT is not set @@ -101,6 +103,9 @@ CONFIG_PCIEAER_INJECT=m CONFIG_HOTPLUG_PCI_PCIE=y CONFIG_HOTPLUG_PCI_FAKE=m +# CONFIG_SGI_IOC4 is not set +# + # CONFIG_ISA is not set # CONFIG_SCx200 is not set @@ -156,6 +161,7 @@ CONFIG_INFINIBAND_USER_MAD=m CONFIG_INFINIBAND_USER_ACCESS=m CONFIG_INFINIBAND_IPATH=m CONFIG_INFINIBAND_ISER=m +CONFIG_INFINIBAND_ISERT=m CONFIG_INFINIBAND_AMSO1100=m # CONFIG_INFINIBAND_AMSO1100_DEBUG is not set CONFIG_INFINIBAND_CXGB3=m @@ -164,9 +170,11 @@ CONFIG_SCSI_CXGB3_ISCSI=m CONFIG_SCSI_CXGB4_ISCSI=m # CONFIG_INFINIBAND_CXGB3_DEBUG is not set CONFIG_MLX4_INFINIBAND=m +CONFIG_MLX5_INFINIBAND=m CONFIG_INFINIBAND_NES=m # CONFIG_INFINIBAND_NES_DEBUG is not set CONFIG_INFINIBAND_QIB=m +CONFIG_INFINIBAND_QIB_DCA=y # CONFIG_INFINIBAND_OCRDMA is not set # @@ -175,6 +183,7 @@ CONFIG_INFINIBAND_QIB=m CONFIG_BINFMT_ELF=y CONFIG_CORE_DUMP_DEFAULT_ELF_HEADERS=y # CONFIG_BINFMT_AOUT is not set +CONFIG_BINFMT_SCRIPT=y CONFIG_BINFMT_MISC=m # @@ -298,6 +307,7 @@ CONFIG_BLK_CPQ_DA=m CONFIG_BLK_CPQ_CISS_DA=m CONFIG_CISS_SCSI_TAPE=y CONFIG_BLK_DEV_DAC960=m +# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set CONFIG_BLK_DEV_DRBD=m CONFIG_BLK_DEV_UMEM=m CONFIG_BLK_DEV_LOOP=y @@ -337,6 +347,7 @@ CONFIG_HW_RANDOM_VIRTIO=m CONFIG_VIRTIO_CONSOLE=y CONFIG_VHOST_NET=m CONFIG_TCM_VHOST=m +CONFIG_VHOST_SCSI=m # # SCSI device support @@ -434,6 +445,7 @@ CONFIG_SCSI_MPT3SAS_LOGGING=y CONFIG_SCSI_UFSHCD=m CONFIG_SCSI_UFSHCD_PCI=m +# CONFIG_SCSI_UFSHCD_PLATFORM is not set CONFIG_SCSI_MVUMI=m @@ -510,6 +522,7 @@ CONFIG_SATA_NV=m CONFIG_SATA_PMP=y CONFIG_SATA_PROMISE=m CONFIG_SATA_QSTOR=m +CONFIG_SATA_RCAR=m CONFIG_SATA_SIL=m CONFIG_SATA_SIL24=m CONFIG_SATA_SIS=m @@ -587,6 +600,12 @@ CONFIG_MD_RAID10=m CONFIG_MD_RAID456=m # CONFIG_MULTICORE_RAID456 is not set CONFIG_ASYNC_RAID6_TEST=m + +CONFIG_BCACHE=m +# CONFIG_BCACHE_DEBUG is not set +# CONFIG_BCACHE_EDEBUG is not set +# CONFIG_BCACHE_CLOSURES_DEBUG is not set + CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=m CONFIG_DM_DEBUG=y @@ -608,6 +627,7 @@ CONFIG_DM_MULTIPATH_ST=m CONFIG_DM_RAID=m CONFIG_DM_FLAKEY=m CONFIG_DM_VERITY=m +CONFIG_DM_SWITCH=m # # Fusion MPT device support @@ -654,6 +674,9 @@ CONFIG_NET=y CONFIG_NET_DMA=y +CONFIG_NETLINK_MMAP=y +CONFIG_NETLINK_DIAG=m + CONFIG_TCP_CONG_ADVANCED=y CONFIG_TCP_CONG_BIC=m CONFIG_TCP_CONG_CUBIC=y @@ -1039,6 +1062,7 @@ CONFIG_IP_DCCP_CCID3=y # CONFIG_TIPC=m CONFIG_TIPC_PORTS=8192 +# CONFIG_TIPC_MEDIA_IB is not set # CONFIG_TIPC_ADVANCED is not set # CONFIG_TIPC_DEBUG is not set @@ -1109,8 +1133,10 @@ CONFIG_DNS_RESOLVER=m CONFIG_BATMAN_ADV=m CONFIG_BATMAN_ADV_BLA=y CONFIG_BATMAN_ADV_DAT=y +CONFIG_BATMAN_ADV_NC=y # CONFIG_BATMAN_ADV_DEBUG is not set CONFIG_OPENVSWITCH=m +CONFIG_OPENVSWITCH_GRE=y CONFIG_VSOCKETS=m CONFIG_NETPRIO_CGROUP=m @@ -1135,6 +1161,7 @@ CONFIG_NET_TEAM_MODE_ROUNDROBIN=m CONFIG_NET_TEAM_MODE_ACTIVEBACKUP=m CONFIG_NET_TEAM_MODE_LOADBALANCE=m CONFIG_NET_TEAM_MODE_BROADCAST=m +CONFIG_NET_TEAM_MODE_RANDOM=m CONFIG_DUMMY=m CONFIG_BONDING=m CONFIG_MACVLAN=m @@ -1143,6 +1170,7 @@ CONFIG_VXLAN=m CONFIG_EQUALIZER=m CONFIG_TUN=m CONFIG_VETH=m +CONFIG_NLMON=m # # ATM @@ -1199,6 +1227,8 @@ CONFIG_L2TP_ETH=m CONFIG_RFKILL=m CONFIG_RFKILL_INPUT=y +CONFIG_ETHERNET=y + # # Ethernet (10 or 100Mbit) # @@ -1215,7 +1245,11 @@ CONFIG_PCNET32=m CONFIG_AMD8111_ETH=m CONFIG_PCMCIA_NMCLAN=m +CONFIG_NET_VENDOR_ARC=y +CONFIG_ARC_EMAC=m + CONFIG_NET_VENDOR_ATHEROS=y +CONFIG_ALX=m CONFIG_ATL2=m CONFIG_ATL1=m CONFIG_ATL1C=m @@ -1334,6 +1368,7 @@ CONFIG_YELLOWFIN=m CONFIG_NET_VENDOR_QLOGIC=y CONFIG_QLA3XXX=m CONFIG_QLCNIC=m +CONFIG_QLCNIC_SRIOV=y CONFIG_QLGE=m CONFIG_NETXEN_NIC=m @@ -1347,6 +1382,8 @@ CONFIG_8139TOO_8129=y # CONFIG_8139_OLD_RX_RESET is not set CONFIG_R8169=m +CONFIG_SH_ETH=m + CONFIG_NET_VENDOR_RDC=y CONFIG_R6040=m @@ -1362,6 +1399,7 @@ CONFIG_SIS190=m CONFIG_NET_VENDOR_SMSC=y CONFIG_PCMCIA_SMC91C92=m CONFIG_EPIC100=m +CONFIG_SMSC911X=m CONFIG_SMSC9420=m CONFIG_NET_VENDOR_STMICRO=y @@ -1420,6 +1458,7 @@ CONFIG_VITESSE_PHY=m CONFIG_MICREL_PHY=m CONFIG_MII=m +CONFIG_NET_CORE=y CONFIG_NET_VENDOR_3COM=y CONFIG_VORTEX=m CONFIG_TYPHOON=m @@ -1524,6 +1563,7 @@ CONFIG_ATH6KL=m CONFIG_ATH6KL_DEBUG=y CONFIG_ATH6KL_SDIO=m CONFIG_ATH6KL_USB=m +# CONFIG_ATH6KL_TRACING is not set CONFIG_AR5523=m CONFIG_ATH9K=m CONFIG_ATH9K_PCI=y @@ -1534,9 +1574,15 @@ CONFIG_ATH9K_DEBUGFS=y CONFIG_ATH9K_HTC=m CONFIG_ATH9K_BTCOEX_SUPPORT=y # CONFIG_ATH9K_HTC_DEBUGFS is not set -CONFIG_ATH9K_LEGACY_RATE_CONTROL=y +# CONFIG_ATH9K_LEGACY_RATE_CONTROL is not set +CONFIG_ATH10K=m +CONFIG_ATH10K_PCI=m +# CONFIG_ATH10K_DEBUG is not set +# CONFIG_ATH10K_TRACING is not set +CONFIG_ATH10K_DEBUGFS=y CONFIG_WIL6210=m CONFIG_WIL6210_ISR_COR=y +# CONFIG_WIL6210_TRACING is not set CONFIG_CARL9170=m CONFIG_CARL9170_LEDS=y # CONFIG_CARL9170_HWRNG is not set @@ -1544,6 +1590,7 @@ CONFIG_AT76C50X_USB=m # CONFIG_AIRO is not set # CONFIG_AIRO_CS is not set # CONFIG_ATMEL is not set +CONFIG_NET_VENDOR_BROADCOM=y CONFIG_B43=m CONFIG_B43_PCMCIA=y CONFIG_B43_SDIO=y @@ -1580,6 +1627,9 @@ CONFIG_PCMCIA_HERMES=m CONFIG_ORINOCO_USB=m # CONFIG_TMD_HERMES is not set # CONFIG_PCMCIA_SPECTRUM is not set +CONFIG_CW1200=m +CONFIG_CW1200_WLAN_SDIO=m +CONFIG_CW1200_WLAN_SPI=m # CONFIG_HOSTAP is not set # CONFIG_IPW2100 is not set # CONFIG_IPW2200 is not set @@ -1628,6 +1678,7 @@ CONFIG_RT2800USB=m CONFIG_RT2800USB_RT33XX=y CONFIG_RT2800USB_RT35XX=y CONFIG_RT2800USB_RT53XX=y +CONFIG_RT2800USB_RT55XX=y CONFIG_RT2800USB_UNKNOWN=y CONFIG_RT2800PCI=m CONFIG_RT2800PCI_RT3290=y @@ -1657,13 +1708,14 @@ CONFIG_WL1251=m CONFIG_WL1251_SPI=m CONFIG_WL1251_SDIO=m +CONFIG_RTL_CARDS=m CONFIG_RTLWIFI=m -# CONFIG_RTLWIFI_DEBUG is not set CONFIG_RTL8192CE=m CONFIG_RTL8192SE=m CONFIG_RTL8192CU=m CONFIG_RTL8192DE=m CONFIG_RTL8723AE=m +CONFIG_RTL8188EE=m CONFIG_MWIFIEX=m CONFIG_MWIFIEX_SDIO=m @@ -1715,6 +1767,7 @@ CONFIG_NFC_NCI=m CONFIG_NFC_HCI=m CONFIG_NFC_SHDLC=y CONFIG_NFC_LLCP=y +CONFIG_NFC_SIM=m # # Near Field Communication (NFC) devices @@ -1959,6 +2012,7 @@ CONFIG_INPUT_POLLDEV=m CONFIG_INPUT_SPARSEKMAP=m # CONFIG_INPUT_ADXL34X is not set # CONFIG_INPUT_BMA150 is not set +# CONFIG_INPUT_IMS_PCU is not set CONFIG_INPUT_CMA3000=m CONFIG_INPUT_CMA3000_I2C=m @@ -1977,8 +2031,10 @@ CONFIG_SERIO_RAW=m CONFIG_SERIO_ALTERA_PS2=m # CONFIG_SERIO_PS2MULT is not set CONFIG_SERIO_ARC_PS2=m +# CONFIG_SERIO_APBPS2 is not set # CONFIG_SERIO_CT82C710 is not set +# CONFIG_SERIO_OLPC_APSP is not set # CONFIG_SERIO_PARKBD is not set # CONFIG_SERIO_PCIPS2 is not set @@ -2056,6 +2112,7 @@ CONFIG_INPUT_TOUCHSCREEN=y CONFIG_TOUCHSCREEN_AD7879_I2C=m # CONFIG_TOUCHSCREEN_CY8CTMG110 is not set # CONFIG_TOUCHSCREEN_CYTTSP_CORE is not set +# CONFIG_TOUCHSCREEN_CYTTSP4_CORE is not set CONFIG_TOUCHSCREEN_DYNAPRO=m CONFIG_TOUCHSCREEN_EDT_FT5X06=m CONFIG_TOUCHSCREEN_EETI=m @@ -2130,6 +2187,7 @@ CONFIG_N_HDLC=m CONFIG_N_GSM=m # CONFIG_TRACE_SINK is not set # CONFIG_STALDRV is not set +# CONFIG_DUMMY_IRQ is not set # CONFIG_IBM_ASM is not set CONFIG_TIFM_CORE=m CONFIG_TIFM_7XX1=m @@ -2264,6 +2322,7 @@ CONFIG_SENSORS_ADM1026=m CONFIG_SENSORS_ADM1029=m CONFIG_SENSORS_ADM1031=m CONFIG_SENSORS_ADM9240=m +CONFIG_SENSORS_ADT7310=m CONFIG_SENSORS_ADT7410=m CONFIG_SENSORS_ADS7828=m CONFIG_SENSORS_ADT7462=m @@ -2281,6 +2340,7 @@ CONFIG_SENSORS_F71882FG=m CONFIG_SENSORS_F75375S=m CONFIG_SENSORS_FSCHMD=m CONFIG_SENSORS_G760A=m +CONFIG_SENSORS_G762=m CONFIG_SENSORS_GL518SM=m CONFIG_SENSORS_GL520SM=m CONFIG_SENSORS_HDAPS=m @@ -2305,11 +2365,13 @@ CONFIG_SENSORS_LM87=m CONFIG_SENSORS_LM90=m CONFIG_SENSORS_LM92=m CONFIG_SENSORS_LM93=m +CONFIG_SENSORS_LM95234=m CONFIG_SENSORS_LTC4245=m CONFIG_SENSORS_MAX1619=m CONFIG_SENSORS_MAX6650=m CONFIG_SENSORS_MAX6697=m CONFIG_SENSORS_MCP3021=m +CONFIG_SENSORS_NCT6775=m CONFIG_SENSORS_NTC_THERMISTOR=m CONFIG_SENSORS_PC87360=m CONFIG_SENSORS_PC87427=m @@ -2394,9 +2456,11 @@ CONFIG_SENSORS_MAX197=m # CONFIG_PCH_PHUB is not set # CONFIG_SERIAL_PCH_UART is not set # CONFIG_USB_SWITCH_FSA9480 is not set +# CONFIG_SRAM is not set CONFIG_SERIAL_ARC=m CONFIG_SERIAL_ARC_NR_PORTS=1 # CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set CONFIG_W1=m CONFIG_W1_CON=y @@ -2408,6 +2472,7 @@ CONFIG_W1_MASTER_DS1WM=m CONFIG_W1_SLAVE_THERM=m CONFIG_W1_SLAVE_SMEM=m CONFIG_W1_SLAVE_DS2408=m +# CONFIG_W1_SLAVE_DS2408_READBACK is not set CONFIG_W1_SLAVE_DS2413=m CONFIG_W1_SLAVE_DS2423=m CONFIG_W1_SLAVE_DS2431=m @@ -2474,6 +2539,7 @@ CONFIG_WM831X_WATCHDOG=m # CONFIG_MAX63XX_WATCHDOG is not set # CONFIG_DW_WATCHDOG is not set CONFIG_W83697UG_WDT=m +# CONFIG_MEN_A21_WDT is not set CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m @@ -2505,6 +2571,7 @@ CONFIG_RTC_DRV_M41T80_WDT=y CONFIG_RTC_DRV_M48T59=m CONFIG_RTC_DRV_MAX6900=m # CONFIG_RTC_DRV_M48T86 is not set +CONFIG_RTC_DRV_PCF2127=m CONFIG_RTC_DRV_PCF8563=m CONFIG_RTC_DRV_PCF8583=m CONFIG_RTC_DRV_RS5C372=m @@ -2698,6 +2765,7 @@ CONFIG_VIDEO_TLG2300=m # CONFIG_VIDEO_TIMBERDALE is not set # CONFIG_VIDEO_M5MOLS is not set # CONFIG_EXYNOS_VIDEO is not set +CONFIG_VIDEO_USBTV=m CONFIG_USB_VIDEO_CLASS=m CONFIG_USB_VIDEO_CLASS_INPUT_EVDEV=y @@ -2742,6 +2810,7 @@ CONFIG_DVB_BUDGET_CORE=m CONFIG_DVB_PLUTO2=m CONFIG_SMS_SIANO_MDTV=m CONFIG_SMS_SIANO_RC=y +# CONFIG_SMS_SIANO_DEBUGFS is not set CONFIG_MEDIA_SUBDRV_AUTOSELECT=y CONFIG_SMS_USB_DRV=m CONFIG_SMS_SDIO_DRV=m @@ -2918,6 +2987,7 @@ CONFIG_FB_I810_I2C=y # CONFIG_FB_S1D13XXX is not set # CONFIG_FB_S3 is not set # CONFIG_FB_SAVAGE is not set +# CONFIG_FB_SIMPLE is not set # CONFIG_FB_SIS is not set # CONFIG_FB_SM501 is not set # CONFIG_FB_SMSCUFX is not set @@ -2987,6 +3057,7 @@ CONFIG_SND_PCM_OSS=y CONFIG_SND_PCM_OSS_PLUGINS=y CONFIG_SND_RTCTIMER=y CONFIG_SND_DYNAMIC_MINORS=y +CONFIG_SND_MAX_CARDS=32 # CONFIG_SND_SUPPORT_OLD_API is not set # @@ -3062,6 +3133,7 @@ CONFIG_SND_HDA_CODEC_CONEXANT=y CONFIG_SND_HDA_CODEC_CMEDIA=y CONFIG_SND_HDA_CODEC_SI3054=y CONFIG_SND_HDA_CODEC_HDMI=y +CONFIG_SND_HDA_I915=y CONFIG_SND_HDA_CODEC_CA0132=y CONFIG_SND_HDA_CODEC_CA0132_DSP=y CONFIG_SND_HDA_GENERIC=y @@ -3109,6 +3181,7 @@ CONFIG_SND_USB_USX2Y=m CONFIG_SND_USB_US122L=m CONFIG_SND_USB_UA101=m CONFIG_SND_USB_6FIRE=m +CONFIG_SND_USB_HIFACE=m # # PCMCIA devices @@ -3143,6 +3216,7 @@ CONFIG_USB_SUPPORT=y # Deprecated. # CONFIG_USB_DEVICEFS is not set +CONFIG_USB_DEFAULT_PERSIST=y # CONFIG_USB_DYNAMIC_MINORS is not set CONFIG_USB_SUSPEND=y @@ -3155,6 +3229,7 @@ CONFIG_USB_EHCI_TT_NEWSCHED=y # CONFIG_USB_EHCI_MV is not set # CONFIG_USB_EHCI_HCD_PLATFORM is not set CONFIG_USB_OHCI_HCD=y +CONFIG_USB_OHCI_HCD_PCI=y # CONFIG_USB_OHCI_HCD_SSB is not set # CONFIG_USB_OHCI_HCD_PLATFORM is not set CONFIG_USB_UHCI_HCD=y @@ -3165,6 +3240,7 @@ CONFIG_USB_SL811_HCD_ISO=y CONFIG_USB_XHCI_HCD=y # CONFIG_USB_XHCI_HCD_DEBUGGING is not set CONFIG_USB_ISP1362_HCD=m +CONFIG_USB_FUSBH200_HCD=m # # USB Device Class drivers @@ -3256,9 +3332,10 @@ CONFIG_HID_THINGM=m CONFIG_HID_THRUSTMASTER=m CONFIG_HID_ZEROPLUS=m CONFIG_HID_ZYDACRON=m -# CONFIG_HID_SENSOR_HUB is not set +CONFIG_HID_SENSOR_HUB=m CONFIG_HID_EMS_FF=m CONFIG_HID_ELECOM=m +CONFIG_HID_ELO=m CONFIG_HID_UCLOGIC=m CONFIG_HID_WALTOP=m CONFIG_HID_ROCCAT_PYRA=m @@ -3273,6 +3350,7 @@ CONFIG_HID_ROCCAT_ISKU=m CONFIG_HID_ROCCAT_KOVAPLUS=m CONFIG_HID_HOLTEK=m CONFIG_HOLTEK_FF=y +CONFIG_HID_HUION=m CONFIG_HID_SPEEDLINK=m CONFIG_HID_WIIMOTE=m CONFIG_HID_WIIMOTE_EXT=y @@ -3281,6 +3359,7 @@ CONFIG_HID_SAITEK=m CONFIG_HID_TIVO=m CONFIG_HID_GENERIC=y CONFIG_HID_AUREAL=m +CONFIG_HID_APPLEIR=m # @@ -3358,6 +3437,7 @@ CONFIG_USB_HSO=m CONFIG_USB_KAWETH=m CONFIG_USB_PEGASUS=m CONFIG_USB_RTL8150=m +CONFIG_USB_RTL8152=m CONFIG_USB_USBNET=m CONFIG_USB_SPEEDTOUCH=m CONFIG_USB_NET_AX8817X=m @@ -3450,6 +3530,7 @@ CONFIG_USB_SERIAL_MCT_U232=m CONFIG_USB_SERIAL_MOS7720=m CONFIG_USB_SERIAL_MOS7715_PARPORT=y # CONFIG_USB_SERIAL_ZIO is not set +# CONFIG_USB_SERIAL_WISHBONE is not set # CONFIG_USB_SERIAL_ZTE is not set CONFIG_USB_SERIAL_MOS7840=m CONFIG_USB_SERIAL_MOTOROLA=m @@ -3475,7 +3556,8 @@ CONFIG_USB_SERIAL_XSENS_MT=m CONFIG_USB_SERIAL_DEBUG=m CONFIG_USB_SERIAL_SSU100=m CONFIG_USB_SERIAL_QT2=m - +CONFIG_USB_SERIAL_FLASHLOADER=m +CONFIG_USB_SERIAL_SUUNTO=m CONFIG_USB_SERIAL_CONSOLE=y CONFIG_USB_EZUSB=y @@ -3492,9 +3574,16 @@ CONFIG_USB_ADUTUX=m CONFIG_USB_SEVSEG=m CONFIG_USB_ALI_M5632=y CONFIG_USB_APPLEDISPLAY=m + +# Physical Layer USB driver +CONFIG_USB_PHY=y + # CONFIG_OMAP_USB2 is not set # CONFIG_OMAP_USB3 is not set # CONFIG_OMAP_CONTROL_USB is not set +# CONFIG_SAMSUNG_USBPHY is not set +# CONFIG_SAMSUNG_USB2PHY is not set +# CONFIG_SAMSUNG_USB3PHY is not set CONFIG_USB_RCAR_PHY=m CONFIG_USB_ATM=m CONFIG_USB_CXACRU=m @@ -3542,6 +3631,8 @@ CONFIG_USB_UEAGLEATM=m CONFIG_USB_XUSBATM=m CONFIG_USB_ZERO=m +# CONFIG_USB_DWC2 is not set + CONFIG_USB_ANNOUNCE_NEW_DEVICES=y # CONFIG_USB_ISP1301 is not set @@ -3595,6 +3686,7 @@ CONFIG_MFD_VIPERBOARD=m # CONFIG_ABX500_CORE is not set # CONFIG_MFD_RDC321X is not set # CONFIG_MFD_JANZ_CMODIO is not set +# CONFIG_MFD_KEMPLD is not set # CONFIG_MFD_WM831X_I2C is not set # CONFIG_MFD_CS5535 is not set # CONFIG_MFD_STMPE is not set @@ -3607,6 +3699,10 @@ CONFIG_MFD_VIPERBOARD=m # CONFIG_MFD_MC13XXX_I2C is not set # CONFIG_MFD_ARIZONA is not set # CONFIG_MFD_ARIZONA_I2C is not set +# CONFIG_MFD_CROS_EC is not set +# CONFIG_MFD_SI476X_CORE is not set +# CONFIG_MFD_TPS65912 is not set +# CONFIG_MFD_SYSCON is not set # # File systems @@ -3735,6 +3831,7 @@ CONFIG_UFS_FS=m CONFIG_9P_FS=m CONFIG_9P_FSCACHE=y CONFIG_9P_FS_POSIX_ACL=y +CONFIG_9P_FS_SECURITY=y CONFIG_FUSE_FS=m # CONFIG_OMFS_FS is not set CONFIG_CUSE=m @@ -3749,13 +3846,15 @@ CONFIG_NFS_V2=y CONFIG_NFS_V3=y CONFIG_NFS_V3_ACL=y CONFIG_NFS_V4=y -# CONFIG_NFS_SWAP is not set +CONFIG_NFS_SWAP=y CONFIG_NFS_V4_1=y CONFIG_NFS_V4_1_IMPLEMENTATION_ID_DOMAIN="kernel.org" +CONFIG_NFS_V4_2=y CONFIG_NFSD=m CONFIG_NFSD_V3=y CONFIG_NFSD_V3_ACL=y CONFIG_NFSD_V4=y +CONFIG_NFSD_V4_SECURITY_LABEL=y CONFIG_NFS_FSCACHE=y # CONFIG_NFS_USE_LEGACY_DNS is not set CONFIG_PNFS_OBJLAYOUT=m @@ -3806,6 +3905,8 @@ CONFIG_BTRFS_FS=m CONFIG_BTRFS_FS_POSIX_ACL=y # Maybe see if we want this on for debug kernels? # CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set +# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set +# CONFIG_BTRFS_DEBUG is not set CONFIG_CONFIGFS_FS=y @@ -3825,6 +3926,7 @@ CONFIG_UBIFS_FS_XATTR=y # CONFIG_PARTITION_ADVANCED=y # CONFIG_ACORN_PARTITION is not set +CONFIG_AIX_PARTITION=y CONFIG_AMIGA_PARTITION=y # CONFIG_ATARI_PARTITION is not set CONFIG_BSD_DISKLABEL=y @@ -4002,6 +4104,11 @@ CONFIG_AUDITSYSCALL=y # http://lists.fedoraproject.org/pipermail/kernel/2013-February/004125.html CONFIG_AUDIT_LOGINUID_IMMUTABLE=y +CONFIG_SECCOMP=y +CONFIG_STRICT_DEVMEM=y + +# CONFIG_SSBI is not set + # # Cryptographic options # @@ -4035,10 +4142,13 @@ CONFIG_CRYPTO_ECB=y CONFIG_CRYPTO_FCRYPT=m CONFIG_CRYPTO_GCM=m CONFIG_CRYPTO_GF128MUL=m +CONFIG_CRYPTO_CMAC=m CONFIG_CRYPTO_HMAC=y CONFIG_CRYPTO_KHAZAD=m CONFIG_CRYPTO_LRW=m CONFIG_CRYPTO_LZO=m +CONFIG_CRYPTO_LZ4=m +CONFIG_CRYPTO_LZ4HC=m CONFIG_CRYPTO_MD4=m CONFIG_CRYPTO_MD5=m CONFIG_CRYPTO_MICHAEL_MIC=m @@ -4097,6 +4207,8 @@ CONFIG_ZLIB_DEFLATE=m CONFIG_INITRAMFS_SOURCE="" CONFIG_KEYS=y +CONFIG_PERSISTENT_KEYRINGS=y +CONFIG_BIG_KEYS=m CONFIG_TRUSTED_KEYS=m CONFIG_ENCRYPTED_KEYS=m CONFIG_KEYS_DEBUG_PROC_KEYS=y @@ -4183,6 +4295,8 @@ CONFIG_PROC_EVENTS=y CONFIG_IBMASR=m +CONFIG_PM=y +CONFIG_PM_STD_PARTITION="" CONFIG_PM_DEBUG=y CONFIG_PM_TRACE=y CONFIG_PM_TRACE_RTC=y @@ -4191,6 +4305,9 @@ CONFIG_PM_RUNTIME=y # CONFIG_PM_OPP is not set # CONFIG_PM_AUTOSLEEP is not set # CONFIG_PM_WAKELOCKS is not set +CONFIG_HIBERNATION=y +# CONFIG_WQ_POWER_EFFICIENT_DEFAULT is not set +CONFIG_SUSPEND=y CONFIG_CPU_FREQ=y CONFIG_CPU_FREQ_GOV_PERFORMANCE=y @@ -4248,6 +4365,7 @@ CONFIG_SND_INDIGODJX=m CONFIG_BALLOON_COMPACTION=y CONFIG_COMPACTION=y CONFIG_MIGRATION=y +CONFIG_BOUNCE=y CONFIG_NEW_LEDS=y CONFIG_LEDS_CLASS=y # CONFIG_LEDS_AMS_DELTA is not set @@ -4273,6 +4391,7 @@ CONFIG_LEDS_TRIGGER_BACKLIGHT=m # CONFIG_LEDS_TRIGGER_CPU is not set CONFIG_LEDS_TRIGGER_DEFAULT_ON=m CONFIG_LEDS_TRIGGER_TRANSIENT=m +CONFIG_LEDS_TRIGGER_CAMERA=m CONFIG_LEDS_ALIX2=m CONFIG_LEDS_CLEVO_MAIL=m CONFIG_LEDS_INTEL_SS4200=m @@ -4283,6 +4402,7 @@ CONFIG_LEDS_BLINKM=m CONFIG_LEDS_LP3944=m CONFIG_LEDS_LP5521=m CONFIG_LEDS_LP5523=m +CONFIG_LEDS_LP5562=m CONFIG_LEDS_LT3593=m CONFIG_LEDS_REGULATOR=m CONFIG_LEDS_TRIGGER_GPIO=m @@ -4291,7 +4411,9 @@ CONFIG_LEDS_WM831X_STATUS=m CONFIG_DMADEVICES=y CONFIG_DMA_ENGINE=y +CONFIG_DW_DMAC_CORE=m CONFIG_DW_DMAC=m +CONFIG_DW_DMAC_PCI=m # CONFIG_DW_DMAC_BIG_ENDIAN_IO is not set # CONFIG_TIMB_DMA is not set # CONFIG_DMATEST is not set @@ -4307,12 +4429,14 @@ CONFIG_DYNAMIC_FTRACE=y CONFIG_SCHED_TRACER=y CONFIG_CONTEXT_SWITCH_TRACER=y CONFIG_TRACER_SNAPSHOT=y +# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set CONFIG_FTRACE_SYSCALLS=y CONFIG_FTRACE_MCOUNT_RECORD=y # CONFIG_FTRACE_STARTUP_TEST is not set # CONFIG_TRACE_BRANCH_PROFILING is not set CONFIG_FUNCTION_PROFILER=y CONFIG_RING_BUFFER_BENCHMARK=m +# CONFIG_RING_BUFFER_STARTUP_TEST is not set # CONFIG_RBTREE_TEST is not set # CONFIG_INTERVAL_TREE_TEST is not set CONFIG_FUNCTION_TRACER=y @@ -4326,8 +4450,12 @@ CONFIG_JUMP_LABEL=y CONFIG_OPTPROBES=y CONFIG_HZ_1000=y +CONFIG_NO_HZ=y CONFIG_TIMER_STATS=y +CONFIG_HIGH_RES_TIMERS=y +CONFIG_PERF_EVENTS=y +CONFIG_PERF_COUNTERS=y # Auxillary displays CONFIG_KS0108=m @@ -4519,6 +4647,7 @@ CONFIG_R8712U=m # Larry Finger maintains this (rhbz 699618) # CONFIG_ATH6K_LEGACY is not set # CONFIG_USB_ENESTORAGE is not set # CONFIG_BCM_WIMAX is not set +# CONFIG_USB_BTMTK is not set # CONFIG_FT1000 is not set # CONFIG_SPEAKUP is not set # CONFIG_DX_SEP is not set @@ -4567,6 +4696,7 @@ CONFIG_IMA_LSM_RULES=y # CONFIG_EVM is not set # CONFIG_PWM is not set +# CONFIG_PWM_PCA9685 is not set CONFIG_LSM_MMAP_MIN_ADDR=65536 @@ -4580,6 +4710,7 @@ CONFIG_RCU_CPU_STALL_TIMEOUT=60 # CONFIG_RCU_TORTURE_TEST is not set # CONFIG_RCU_TRACE is not set # CONFIG_RCU_CPU_STALL_INFO is not set +# CONFIG_RCU_USER_QS is not set CONFIG_SPARSE_RCU_POINTER=y CONFIG_KSM=y @@ -4596,6 +4727,7 @@ CONFIG_IEEE802154_FAKEHARD=m CONFIG_IEEE802154_FAKELB=m CONFIG_MAC802154=m +CONFIG_NET_MPLS_GSO=m # CONFIG_EXTCON is not set # CONFIG_MEMORY is not set @@ -4614,6 +4746,7 @@ CONFIG_PTP_1588_CLOCK_PCH=m CONFIG_CLEANCACHE=y CONFIG_FRONTSWAP=y +CONFIG_ZSWAP=y # CONFIG_MDIO_GPIO is not set # CONFIG_KEYBOARD_GPIO is not set @@ -4649,6 +4782,7 @@ CONFIG_GPIO_VIPERBOARD=m # CONFIG_GPIO_AMD8111 is not set # CONFIG_GPIO_BT8XX is not set # CONFIG_GPIO_SX150X is not set +# CONFIG_GPIO_GRGPIO is not set # FIXME: Why? CONFIG_EVENT_POWER_TRACING_DEPRECATED=y @@ -4703,6 +4837,14 @@ CONFIG_IOMMU_SUPPORT=y # CONFIG_MAILBOX is not set +# CONFIG_RESET_CONTROLLER is not set + +CONFIG_FMC=m +CONFIG_FMC_FAKEDEV=m +CONFIG_FMC_TRIVIAL=m +CONFIG_FMC_WRITE_EEPROM=m +CONFIG_FMC_CHARDEV=m + # CONFIG_HSI is not set # CONFIG_PM_DEVFREQ is not set @@ -4713,60 +4855,3 @@ CONFIG_IOMMU_SUPPORT=y # CONFIG_CRYPTO_KEY_TYPE is not set # CONFIG_PGP_LIBRARY is not set # CONFIG_PGP_PRELOAD is not set - - -# F19 3.10 rebase options below - -# CONFIG_ATH6KL_TRACING is not set -CONFIG_BATMAN_ADV_NC=y -# CONFIG_BCACHE_CLOSURES_DEBUG is not set -# CONFIG_BCACHE_DEBUG is not set -# CONFIG_BCACHE_EDEBUG is not set -CONFIG_BCACHE=m -CONFIG_BINFMT_SCRIPT=y -CONFIG_BOUNCE=y -# CONFIG_BTRFS_DEBUG is not set -# CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set -CONFIG_CRYPTO_CMAC=m -# CONFIG_DUMMY_IRQ is not set -# CONFIG_FB_SIMPLE is not set -# CONFIG_GPIO_GRGPIO is not set -CONFIG_HID_APPLEIR=m -# CONFIG_INPUT_IMS_PCU is not set -CONFIG_LEDS_LP5562=m -CONFIG_LEDS_TRIGGER_CAMERA=m -# CONFIG_MFD_CROS_EC is not set -# CONFIG_MFD_SI476X_CORE is not set -CONFIG_NETLINK_DIAG=m -CONFIG_NETLINK_MMAP=y -CONFIG_NET_TEAM_MODE_RANDOM=m -# CONFIG_RCU_USER_QS is not set -# CONFIG_RESET_CONTROLLER is not set -# CONFIG_RING_BUFFER_STARTUP_TEST is not set -CONFIG_RT2800USB_RT55XX=y -# CONFIG_SCSI_UFSHCD_PLATFORM is not set -CONFIG_SENSORS_ADT7310=m -CONFIG_SENSORS_LM95234=m -CONFIG_SENSORS_NCT6775=m -# CONFIG_SERIO_APBPS2 is not set -# CONFIG_SMS_SIANO_DEBUGFS is not set -# CONFIG_SRAM is not set -# CONFIG_SSBI is not set -# CONFIG_TRACER_SNAPSHOT_PER_CPU_SWAP is not set -CONFIG_USB_DEFAULT_PERSIST=y -CONFIG_USB_PHY=y -CONFIG_USB_RTL8152=m -# CONFIG_USB_SERIAL_WISHBONE is not set -# CONFIG_W1_SLAVE_DS2408_READBACK is not set -# CONFIG_SAMSUNG_USB2PHY is not set -# CONFIG_SAMSUNG_USB3PHY is not set -CONFIG_ALX=m -CONFIG_INFINIBAND_ISERT=m -CONFIG_QLCNIC_SRIOV=y -CONFIG_RTL8188EE=m -# CONFIG_SAMSUNG_USBPHY is not set -# CONFIG_TIPC_MEDIA_IB is not set -# CONFIG_USB_DWC2 is not set -CONFIG_VHOST_SCSI=m -# CONFIG_MFD_TPS65912 is not set -# CONFIG_MFD_SYSCON is not set diff --git a/config-nodebug b/config-nodebug index 12ecfcc29..75fc2200b 100644 --- a/config-nodebug +++ b/config-nodebug @@ -5,6 +5,7 @@ CONFIG_SND_PCM_XRUN_DEBUG=y # CONFIG_DEBUG_ATOMIC_SLEEP is not set # CONFIG_DEBUG_MUTEXES is not set +# CONFIG_DEBUG_WW_MUTEX_SLOWPATH is not set # CONFIG_DEBUG_RT_MUTEXES is not set # CONFIG_DEBUG_LOCK_ALLOC is not set # CONFIG_PROVE_LOCKING is not set @@ -68,6 +69,8 @@ CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 # CONFIG_EXT4_DEBUG is not set +# CONFIG_XFS_WARN is not set + # CONFIG_DEBUG_PERF_USE_VMALLOC is not set # CONFIG_JBD2_DEBUG is not set @@ -82,6 +85,8 @@ CONFIG_DEBUG_OBJECTS_ENABLE_DEFAULT=1 # CONFIG_CARL9170_DEBUGFS is not set # CONFIG_IWLWIFI_DEVICE_TRACING is not set +# CONFIG_RTLWIFI_DEBUG is not set + # CONFIG_DEBUG_OBJECTS_WORK is not set # CONFIG_DMADEVICES_DEBUG is not set @@ -100,6 +105,7 @@ CONFIG_KDB_CONTINUE_CATASTROPHIC=0 # CONFIG_DEBUG_OBJECTS_PERCPU_COUNTER is not set # CONFIG_TEST_LIST_SORT is not set +# CONFIG_TEST_STRING_HELPERS is not set # CONFIG_DETECT_HUNG_TASK is not set CONFIG_DEFAULT_HUNG_TASK_TIMEOUT=120 @@ -117,9 +123,9 @@ CONFIG_DEBUG_KMEMLEAK_DEFAULT_OFF=y # CONFIG_EDAC_DEBUG is not set # CONFIG_SPI_DEBUG is not set -# CONFIG_LATENCYTOP is not set + +# CONFIG_X86_DEBUG_STATIC_CPU_HAS is not set + # CONFIG_SCHEDSTATS is not set - -# CONFIG_TEST_STRING_HELPERS is not set -# CONFIG_XFS_WARN is not set +# CONFIG_LATENCYTOP is not set diff --git a/config-powerpc-generic b/config-powerpc-generic index e8617230e..2f26fb4ba 100644 --- a/config-powerpc-generic +++ b/config-powerpc-generic @@ -1,5 +1,4 @@ # Most PowerPC kernels we build are SMP -CONFIG_SMP=y CONFIG_IRQ_ALL_CPUS=y CONFIG_PPC=y CONFIG_WATCHDOG_RTAS=m @@ -11,14 +10,6 @@ CONFIG_TAU=y # CONFIG_TAU_INT is not set CONFIG_TAU_AVERAGE=y -CONFIG_SECCOMP=y - -CONFIG_PM=y - -CONFIG_PM_STD_PARTITION="" - -CONFIG_SUSPEND=y -CONFIG_HIBERNATION=y # CONFIG_RTC is not set # CONFIG_GEN_RTC is not set # CONFIG_GEN_RTC_X is not set @@ -100,9 +91,6 @@ CONFIG_LEDS_TRIGGER_TIMER=m CONFIG_LEDS_TRIGGER_HEARTBEAT=m CONFIG_LEDS_TRIGGER_GPIO=m -# FIXME: Should depend on IA64/x86 -# CONFIG_SGI_IOC4 is not set - CONFIG_PPC_EFIKA=y CONFIG_PPC_MEDIA5200=y @@ -363,7 +351,6 @@ CONFIG_RFKILL_GPIO=m # CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set # CONFIG_INPUT_GP2A is not set # CONFIG_INPUT_GPIO_TILT_POLLED is not set -CONFIG_STRICT_DEVMEM=y CONFIG_RCU_FANOUT_LEAF=16 @@ -371,9 +358,10 @@ CONFIG_RCU_FANOUT_LEAF=16 # CONFIG_MPIC_MSGR is not set # CONFIG_FA_DUMP is not set # CONFIG_MDIO_BUS_MUX_GPIO is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_FAIL_IOMMU is not set +# CONFIG_SPAPR_TCE_IOMMU is not set +# CONFIG_TRANSPARENT_HUGEPAGE is not set # CONFIG_PPC_DENORMALISATION is not set # CONFIG_MDIO_BUS_MUX_MMIOREG is not set @@ -385,6 +373,8 @@ CONFIG_RCU_FANOUT_LEAF=16 # CONFIG_OF_DISPLAY_TIMING is not set # CONFIG_OF_VIDEOMODE is not set +# CONFIG_POWERNV_MSI is not set + CONFIG_POWER_RESET_GPIO=y CONFIG_FB_SSD1307=m CONFIG_INPUT_PWM_BEEPER=m @@ -392,5 +382,3 @@ CONFIG_BACKLIGHT_PWM=m CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=n CONFIG_XZ_DEC_POWERPC=y - -# CONFIG_POWERNV_MSI is not set diff --git a/config-powerpc32-generic b/config-powerpc32-generic index 935aab420..61e3236b1 100644 --- a/config-powerpc32-generic +++ b/config-powerpc32-generic @@ -95,8 +95,6 @@ CONFIG_SERIAL_OF_PLATFORM=y CONFIG_DEBUG_STACKOVERFLOW=y # CONFIG_EMBEDDED6xx is not set -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y # CONFIG_BLK_DEV_PLATFORM is not set # CONFIG_BLK_DEV_4DRIVES is not set @@ -175,10 +173,6 @@ CONFIG_CRYPTO_DEV_TALITOS=m CONFIG_RCU_FANOUT=32 -CONFIG_PERF_COUNTERS=y -CONFIG_PERF_EVENTS=y -CONFIG_EVENT_PROFILE=y - CONFIG_KVM_BOOK3S_32=m # CONFIG_SCSI_QLA_ISCSI is not set diff --git a/config-powerpc32-smp b/config-powerpc32-smp index e60f59cdf..5dbe87f7f 100644 --- a/config-powerpc32-smp +++ b/config-powerpc32-smp @@ -1,4 +1,3 @@ -CONFIG_SMP=y # CONFIG_HOTPLUG_CPU is not set CONFIG_NR_CPUS=4 # CONFIG_BATTERY_PMU is not set diff --git a/config-powerpc64 b/config-powerpc64 index 02a44d888..705a7ea2b 100644 --- a/config-powerpc64 +++ b/config-powerpc64 @@ -12,6 +12,7 @@ CONFIG_PPC_MAPLE=y CONFIG_PPC_PSERIES=y CONFIG_PPC_PMAC=y CONFIG_PPC_POWERNV=y +CONFIG_POWERNV_MSI=y CONFIG_PPC_POWERNV_RTAS=y # CONFIG_PPC_PASEMI is not set # CONFIG_PPC_PASEMI_IOMMU_DMA_FORCE is not set @@ -110,11 +111,7 @@ CONFIG_XMON_DISASSEMBLY=y CONFIG_SCSI_IBMVSCSIS=m -CONFIG_SECCOMP=y - # CONFIG_TUNE_CELL is not set -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y # CONFIG_BLK_DEV_PLATFORM is not set # CONFIG_VIRQ_DEBUG is not set @@ -137,13 +134,10 @@ CONFIG_RELOCATABLE=y CONFIG_RCU_FANOUT=64 -CONFIG_PERF_COUNTERS=y -CONFIG_PERF_EVENTS=y -CONFIG_EVENT_PROFILE=y - CONFIG_KVM_BOOK3S_64=m CONFIG_KVM_BOOK3S_64_HV=y # CONFIG_KVM_EXIT_TIMING is not set +CONFIG_KVM_XICS=y #-- bz#607175 #-- active memory sharing @@ -176,11 +170,7 @@ CONFIG_CRYPTO_DEV_NX_COMPRESS=m CONFIG_BPF_JIT=y # CONFIG_PPC_ICSWX_PID is not set # CONFIG_PPC_ICSWX_USE_SIGILL is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_PCIEPORTBUS is not set # CONFIG_PPC_TRANSACTIONAL_MEM is not set # CONFIG_SND_HDA_INTEL is not set CONFIG_BLK_DEV_RSXX=m - -CONFIG_POWERNV_MSI=y -CONFIG_KVM_XICS=y diff --git a/config-powerpc64p7 b/config-powerpc64p7 index ff4471037..7ab19187b 100644 --- a/config-powerpc64p7 +++ b/config-powerpc64p7 @@ -8,6 +8,7 @@ CONFIG_POWER7_CPU=y CONFIG_PPC_PSERIES=y # CONFIG_PPC_PMAC is not set CONFIG_PPC_POWERNV=y +CONFIG_POWERNV_MSI=y CONFIG_PPC_POWERNV_RTAS=y # CONFIG_PPC_PASEMI is not set # CONFIG_PPC_PASEMI_IOMMU_DMA_FORCE is not set @@ -101,11 +102,7 @@ CONFIG_XMON_DISASSEMBLY=y CONFIG_SCSI_IBMVSCSIS=m -CONFIG_SECCOMP=y - # CONFIG_TUNE_CELL is not set -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y # CONFIG_BLK_DEV_PLATFORM is not set # CONFIG_VIRQ_DEBUG is not set @@ -128,13 +125,10 @@ CONFIG_RELOCATABLE=y CONFIG_RCU_FANOUT=64 -CONFIG_PERF_COUNTERS=y -CONFIG_PERF_EVENTS=y -CONFIG_EVENT_PROFILE=y - CONFIG_KVM_BOOK3S_64=m CONFIG_KVM_BOOK3S_64_HV=y # CONFIG_KVM_EXIT_TIMING is not set +CONFIG_KVM_XICS=y #-- bz#607175 #-- active memory sharing @@ -167,10 +161,6 @@ CONFIG_CRYPTO_DEV_NX_COMPRESS=m CONFIG_BPF_JIT=y # CONFIG_PPC_ICSWX_PID is not set # CONFIG_PPC_ICSWX_USE_SIGILL is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set # CONFIG_PCIEPORTBUS is not set # CONFIG_SND_HDA_INTEL is not set CONFIG_BLK_DEV_RSXX=m - -CONFIG_POWERNV_MSI=y -CONFIG_KVM_XICS=y diff --git a/config-s390x b/config-s390x index 35aec886f..a292f425e 100644 --- a/config-s390x +++ b/config-s390x @@ -13,13 +13,9 @@ CONFIG_HZ_100=y # See bug 496605 # CONFIG_CC_OPTIMIZE_FOR_SIZE is not set -CONFIG_MMU=y - CONFIG_LOG_BUF_SHIFT=16 CONFIG_NO_IDLE_HZ=y -CONFIG_SMP=y - # # I/O subsystem configuration # @@ -190,8 +186,6 @@ CONFIG_S390_VMUR=m # CONFIG_THERMAL is not set -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y CONFIG_CTCM=m CONFIG_QETH_L2=m CONFIG_QETH_L3=m @@ -214,15 +208,7 @@ CONFIG_HVC_IUCV=y CONFIG_RCU_FANOUT=64 CONFIG_RCU_FANOUT_LEAF=16 -CONFIG_SECCOMP=y - -CONFIG_PM=y -CONFIG_HIBERNATION=y -CONFIG_PM_STD_PARTITION="/dev/jokes" - -CONFIG_PERF_COUNTERS=y -CONFIG_PERF_EVENTS=y -CONFIG_EVENT_PROFILE=y +# CONFIG_SUSPEND is not set CONFIG_SMSGIUCV_EVENT=m @@ -235,13 +221,9 @@ CONFIG_ZFCP_DIF=y CONFIG_SCHED_MC=y CONFIG_SCHED_BOOK=y -CONFIG_STRICT_DEVMEM=y - # CONFIG_WARN_DYNAMIC_STACK is not set CONFIG_CRYPTO_GHASH_S390=m -CONFIG_NET_CORE=y -CONFIG_ETHERNET=y CONFIG_BPF_JIT=y # CONFIG_TRANSPARENT_HUGEPAGE is not set @@ -250,11 +232,8 @@ CONFIG_EADM_SCH=m CONFIG_SCM_BLOCK=m CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_S390_PTDUMP is not set -# CONFIG_SCSI_UFSHCD is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PCI is not set -# CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set -# CONFIG_SGI_IOC4 is not set # CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_MCP23S08 is not set @@ -272,8 +251,6 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_ACCESSIBILITY is not set # CONFIG_AUXDISPLAY is not set -# CONFIG_PTP_1588_CLOCK is not set -# CONFIG_PTP_1588_CLOCK_PCH is not set # CONFIG_POWER_SUPPLY is not set # CONFIG_STAGING is not set # CONFIG_MEMSTICK is not set diff --git a/config-x86-32-generic b/config-x86-32-generic index 6b6c60d30..3cd496569 100644 --- a/config-x86-32-generic +++ b/config-x86-32-generic @@ -122,8 +122,6 @@ CONFIG_SND_ES18XX=m CONFIG_HW_RANDOM_GEODE=m -# CONFIG_SGI_IOC4 is not set - CONFIG_TC1100_WMI=m CONFIG_IB700_WDT=m @@ -230,3 +228,5 @@ CONFIG_BACKLIGHT_PWM=m # CONFIG_RTC_DRV_SNVS is not set # CONFIG_OF_DISPLAY_TIMING is not set # CONFIG_OF_VIDEOMODE is not set + +# CONFIG_MLX5_INFINIBAND is not set diff --git a/config-x86-generic b/config-x86-generic index 983028436..881ef82d1 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -2,8 +2,6 @@ CONFIG_UID16=y CONFIG_X86_EXTENDED_PLATFORM=y -CONFIG_SMP=y - CONFIG_X86_GENERIC=y CONFIG_HPET=y @@ -37,6 +35,7 @@ CONFIG_X86_PM_TIMER=y CONFIG_EFI=y CONFIG_EFI_STUB=y CONFIG_EFI_VARS=y +CONFIG_EFIVAR_FS=y CONFIG_EFI_VARS_PSTORE=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_PCDP=y @@ -51,8 +50,6 @@ CONFIG_INTEL_IOMMU_FLOPPY_WA=y # CONFIG_INTEL_IOMMU_DEFAULT_ON is not set CONFIG_SCSI_ADVANSYS=m -CONFIG_SECCOMP=y - CONFIG_CAPI_EICON=y # @@ -99,9 +96,10 @@ CONFIG_ACPI_BGRT=y CONFIG_X86_INTEL_PSTATE=y CONFIG_X86_ACPI_CPUFREQ=m -CONFIG_X86_PCC_CPUFREQ=m CONFIG_X86_ACPI_CPUFREQ_CPB=y +CONFIG_X86_PCC_CPUFREQ=m CONFIG_X86_POWERNOW_K8=m +CONFIG_X86_AMD_FREQ_SENSITIVITY=m CONFIG_X86_P4_CLOCKMOD=m # CONFIG_X86_SPEEDSTEP_CENTRINO is not set @@ -115,10 +113,6 @@ CONFIG_CRYPTO_DEV_PADLOCK_SHA=m CONFIG_GENERIC_ISA_DMA=y -CONFIG_SUSPEND=y -CONFIG_HIBERNATION=y -CONFIG_PM_STD_PARTITION="" - CONFIG_PCI_MMCONFIG=y CONFIG_PCI_BIOS=y CONFIG_PCI_IOAPIC=y @@ -129,8 +123,6 @@ CONFIG_HOTPLUG_PCI_COMPAQ=m CONFIG_HOTPLUG_PCI_IBM=m # CONFIG_HOTPLUG_PCI_CPCI is not set -CONFIG_PM=y - CONFIG_IPW2100=m CONFIG_IPW2100_MONITOR=y CONFIG_IPW2200=m @@ -154,7 +146,8 @@ CONFIG_I2C_SIS96X=m CONFIG_I2C_VIA=m CONFIG_I2C_VIAPRO=m -CONFIG_DELL_RBU=m +#rhbz 997149 +# CONFIG_DELL_RBU is not set CONFIG_DCDBAS=m CONFIG_EDAC=y @@ -211,7 +204,6 @@ CONFIG_SAMSUNG_LAPTOP=m CONFIG_SONY_LAPTOP=m CONFIG_TOPSTAR_LAPTOP=m - CONFIG_ACPI_WMI=m CONFIG_ACER_WMI=m CONFIG_ACERHDF=m @@ -226,6 +218,9 @@ CONFIG_INTEL_OAKTRAIL=m CONFIG_SAMSUNG_Q10=m CONFIG_APPLE_GMUX=m CONFIG_XO15_EBOOK=m +CONFIG_INTEL_RST=m +CONFIG_INTEL_SMARTCONNECT=y +CONFIG_PVPANIC=m # CONFIG_TOUCHSCREEN_INTEL_MID is not set @@ -242,10 +237,11 @@ CONFIG_VIRTUALIZATION=y CONFIG_KVM=m CONFIG_KVM_INTEL=m CONFIG_KVM_AMD=m +CONFIG_KVM_DEVICE_ASSIGNMENT=y CONFIG_LGUEST=m CONFIG_LGUEST_GUEST=y -CONFIG_PARAVIRT_GUEST=y +CONFIG_HYPERVISOR_GUEST=y CONFIG_PARAVIRT=y CONFIG_PARAVIRT_TIME_ACCOUNTING=y # CONFIG_PARAVIRT_DEBUG is not set @@ -286,8 +282,6 @@ CONFIG_XEN_ACPI_PROCESSOR=m CONFIG_MTD_ESB2ROM=m CONFIG_MTD_CK804XROM=m -CONFIG_NO_HZ=y -CONFIG_HIGH_RES_TIMERS=y CONFIG_CPU_IDLE=y # CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set # CONFIG_CPU_IDLE_GOV_LADDER is not set @@ -322,8 +316,6 @@ CONFIG_HP_WATCHDOG=m CONFIG_NV_TCO=m CONFIG_SP5100_TCO=m -CONFIG_STRICT_DEVMEM=y - # CONFIG_NO_BOOTMEM is not set # CONFIG_MEMTEST is not set @@ -346,9 +338,6 @@ CONFIG_X86_REROUTE_FOR_BROKEN_BOOT_IRQS=y # CONFIG_IOMMU_STRESS is not set -CONFIG_PERF_COUNTERS=y -CONFIG_PERF_EVENTS=y - CONFIG_X86_MCE=y CONFIG_X86_MCE_INTEL=y CONFIG_X86_MCE_AMD=y @@ -420,6 +409,7 @@ CONFIG_HID_HYPERV_MOUSE=m CONFIG_HYPERV_NET=m CONFIG_HYPERV_STORAGE=m CONFIG_HYPERV_BALLOON=m +CONFIG_FB_HYPERV=m # Depends on HOTPLUG_PCI_PCIE CONFIG_BLK_DEV_PCIESSD_MTIP32XX=m @@ -433,12 +423,17 @@ CONFIG_RCU_FANOUT_LEAF=16 CONFIG_INTEL_MEI=m CONFIG_INTEL_MEI_ME=m +CONFIG_NFC_MEI_PHY=m +CONFIG_NFC_PN544_MEI=m +CONFIG_NFC_MICROREAD_MEI=m + # Maybe enable in debug kernels? # CONFIG_DEBUG_NMI_SELFTEST is not set # CONFIG_X86_INTEL_LPSS is not set # CONFIG_INTEL_POWERCLAMP is not set +CONFIG_X86_PKG_TEMP_THERMAL=m CONFIG_VMWARE_VMCI=m CONFIG_VMWARE_VMCI_VSOCKETS=m @@ -447,26 +442,20 @@ CONFIG_XZ_DEC_X86=y CONFIG_MPILIB=y CONFIG_PKCS7_MESSAGE_PARSER=y +CONFIG_EFI_SIGNATURE_LIST_PARSER=y CONFIG_PE_FILE_PARSER=y +CONFIG_SYSTEM_TRUSTED_KEYRING=y +CONFIG_SYSTEM_BLACKLIST_KEYRING=y CONFIG_MODULE_SIG=y CONFIG_MODULE_SIG_ALL=y # CONFIG_MODULE_SIG_SHA1 is not set CONFIG_MODULE_SIG_SHA256=y # CONFIG_MODULE_SIG_FORCE is not set -CONFIG_SYSTEM_BLACKLIST_KEYRING=y +CONFIG_MODULE_SIG_BLACKLIST=y +CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE=y +CONFIG_EFI_SIGNATURE_LIST_PARSER=y CONFIG_MODULE_SIG_UEFI=y CONFIG_VMXNET3=m CONFIG_VFIO_PCI_VGA=y - -CONFIG_EFIVAR_FS=y -CONFIG_HYPERVISOR_GUEST=y -CONFIG_KVM_DEVICE_ASSIGNMENT=y -CONFIG_NFC_MEI_PHY=m -CONFIG_PVPANIC=m -CONFIG_X86_AMD_FREQ_SENSITIVITY=m -CONFIG_FB_HYPERV=m -CONFIG_NFC_MICROREAD_MEI=m -CONFIG_NFC_PN544_MEI=m - diff --git a/config-x86_64-generic b/config-x86_64-generic index 65e6a6869..85f588bc1 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -30,11 +30,12 @@ CONFIG_SWIOTLB=y # CONFIG_CALGARY_IOMMU is not set CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_MEM_SOFT_DIRTY=y CONFIG_KEXEC_JUMP=y CONFIG_ACPI_BLACKLIST_YEAR=0 -CONFIG_ACPI_HOTPLUG_MEMORY=m +CONFIG_ACPI_HOTPLUG_MEMORY=y # CONFIG_INTEL_SCU_IPC is not set @@ -47,14 +48,21 @@ CONFIG_CRYPTO_TWOFISH_X86_64=m CONFIG_CRYPTO_SALSA20_X86_64=m CONFIG_CRYPTO_GHASH_CLMUL_NI_INTEL=m CONFIG_CRYPTO_SHA1_SSSE3=m +CONFIG_CRYPTO_SHA256_SSSE3=m +CONFIG_CRYPTO_SHA512_SSSE3=m CONFIG_CRYPTO_BLOWFISH_X86_64=m +CONFIG_CRYPTO_BLOWFISH_AVX2_X86_64=m CONFIG_CRYPTO_TWOFISH_X86_64_3WAY=m CONFIG_CRYPTO_CAMELLIA_X86_64=m +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m +CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m CONFIG_CRYPTO_CAST5_AVX_X86_64=m CONFIG_CRYPTO_CAST6_AVX_X86_64=m +CONFIG_CRYPTO_CRCT10DIF_PCLMUL=m CONFIG_CRYPTO_SERPENT_AVX_X86_64=m +CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m CONFIG_CRYPTO_TWOFISH_AVX_X86_64=m -CONFIG_CRYPTO_CAMELLIA_AESNI_AVX_X86_64=m +CONFIG_CRYPTO_TWOFISH_AVX2_X86_64=m # CONFIG_I2C_ALI1535 is not set # CONFIG_I2C_ALI1563 is not set @@ -157,8 +165,3 @@ CONFIG_SFC_MTD=y CONFIG_MTD_CHAR=m CONFIG_MTD_BLOCK=m -CONFIG_CRYPTO_CAMELLIA_AESNI_AVX2_X86_64=m -CONFIG_CRYPTO_SERPENT_AVX2_X86_64=m -CONFIG_CRYPTO_SHA256_SSSE3=m -CONFIG_CRYPTO_SHA512_SSSE3=m - diff --git a/drm-hotspot-cursor-backport.patch b/drm-hotspot-cursor-backport.patch deleted file mode 100644 index f3dc82042..000000000 --- a/drm-hotspot-cursor-backport.patch +++ /dev/null @@ -1,164 +0,0 @@ -From f2a2b3496b6024a5df546f0aedd60705b896a464 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Thu, 20 Jun 2013 11:48:52 +1000 -Subject: [PATCH 2/5] drm: add hotspot support for cursors. - -So it looks like for virtual hw cursors on QXL we need to inform -the "hw" device what the cursor hotspot parameters are. This -makes sense if you think the host has to draw the cursor and interpret -clicks from it. However the current modesetting interface doesn't support -passing the hotspot information from userspace. - -This implements a new cursor ioctl, that takes the hotspot info as well, -userspace can try calling the new interface and if it gets -ENOSYS it means -its on an older kernel and can just fallback. - -Reviewed-by: Daniel Vetter -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/drm_crtc.c | 35 +++++++++++++++++++++++++++++------ - drivers/gpu/drm/drm_drv.c | 1 + - include/drm/drm_crtc.h | 5 +++++ - include/uapi/drm/drm.h | 1 + - include/uapi/drm/drm_mode.h | 13 +++++++++++++ - 5 files changed, 49 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/drm_crtc.c b/drivers/gpu/drm/drm_crtc.c -index dd64a06..21e71a8 100644 ---- a/drivers/gpu/drm/drm_crtc.c -+++ b/drivers/gpu/drm/drm_crtc.c -@@ -2202,10 +2202,10 @@ out: - return ret; - } - --int drm_mode_cursor_ioctl(struct drm_device *dev, -- void *data, struct drm_file *file_priv) -+static int drm_mode_cursor_common(struct drm_device *dev, -+ struct drm_mode_cursor2 *req, -+ struct drm_file *file_priv) - { -- struct drm_mode_cursor *req = data; - struct drm_mode_object *obj; - struct drm_crtc *crtc; - int ret = 0; -@@ -2225,13 +2225,17 @@ int drm_mode_cursor_ioctl(struct drm_device *dev, - - mutex_lock(&crtc->mutex); - if (req->flags & DRM_MODE_CURSOR_BO) { -- if (!crtc->funcs->cursor_set) { -+ if (!crtc->funcs->cursor_set && !crtc->funcs->cursor_set2) { - ret = -ENXIO; - goto out; - } - /* Turns off the cursor if handle is 0 */ -- ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, -- req->width, req->height); -+ if (crtc->funcs->cursor_set2) -+ ret = crtc->funcs->cursor_set2(crtc, file_priv, req->handle, -+ req->width, req->height, req->hot_x, req->hot_y); -+ else -+ ret = crtc->funcs->cursor_set(crtc, file_priv, req->handle, -+ req->width, req->height); - } - - if (req->flags & DRM_MODE_CURSOR_MOVE) { -@@ -2246,6 +2250,25 @@ out: - mutex_unlock(&crtc->mutex); - - return ret; -+ -+} -+int drm_mode_cursor_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv) -+{ -+ struct drm_mode_cursor *req = data; -+ struct drm_mode_cursor2 new_req; -+ -+ memcpy(&new_req, req, sizeof(struct drm_mode_cursor)); -+ new_req.hot_x = new_req.hot_y = 0; -+ -+ return drm_mode_cursor_common(dev, &new_req, file_priv); -+} -+ -+int drm_mode_cursor2_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv) -+{ -+ struct drm_mode_cursor2 *req = data; -+ return drm_mode_cursor_common(dev, req, file_priv); - } - - /* Original addfb only supported RGB formats, so figure out which one */ -diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c -index 25f91cd..cb4470b 100644 ---- a/drivers/gpu/drm/drm_drv.c -+++ b/drivers/gpu/drm/drm_drv.c -@@ -166,6 +166,7 @@ static struct drm_ioctl_desc drm_ioctls[] = { - DRM_IOCTL_DEF(DRM_IOCTL_MODE_DESTROY_DUMB, drm_mode_destroy_dumb_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), - DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_GETPROPERTIES, drm_mode_obj_get_properties_ioctl, DRM_CONTROL_ALLOW|DRM_UNLOCKED), - DRM_IOCTL_DEF(DRM_IOCTL_MODE_OBJ_SETPROPERTY, drm_mode_obj_set_property_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), -+ DRM_IOCTL_DEF(DRM_IOCTL_MODE_CURSOR2, drm_mode_cursor2_ioctl, DRM_MASTER|DRM_CONTROL_ALLOW|DRM_UNLOCKED), - }; - - #define DRM_CORE_IOCTL_COUNT ARRAY_SIZE( drm_ioctls ) -diff --git a/include/drm/drm_crtc.h b/include/drm/drm_crtc.h -index e3e0d65..eba931b 100644 ---- a/include/drm/drm_crtc.h -+++ b/include/drm/drm_crtc.h -@@ -339,6 +339,9 @@ struct drm_crtc_funcs { - /* cursor controls */ - int (*cursor_set)(struct drm_crtc *crtc, struct drm_file *file_priv, - uint32_t handle, uint32_t width, uint32_t height); -+ int (*cursor_set2)(struct drm_crtc *crtc, struct drm_file *file_priv, -+ uint32_t handle, uint32_t width, uint32_t height, -+ int32_t hot_x, int32_t hot_y); - int (*cursor_move)(struct drm_crtc *crtc, int x, int y); - - /* Set gamma on the CRTC */ -@@ -1025,6 +1028,8 @@ extern int drm_mode_setplane(struct drm_device *dev, - void *data, struct drm_file *file_priv); - extern int drm_mode_cursor_ioctl(struct drm_device *dev, - void *data, struct drm_file *file_priv); -+extern int drm_mode_cursor2_ioctl(struct drm_device *dev, -+ void *data, struct drm_file *file_priv); - extern int drm_mode_addfb(struct drm_device *dev, - void *data, struct drm_file *file_priv); - extern int drm_mode_addfb2(struct drm_device *dev, -diff --git a/include/uapi/drm/drm.h b/include/uapi/drm/drm.h -index 8d1e2bb..5182a2d 100644 ---- a/include/uapi/drm/drm.h -+++ b/include/uapi/drm/drm.h -@@ -732,6 +732,7 @@ struct drm_prime_handle { - #define DRM_IOCTL_MODE_ADDFB2 DRM_IOWR(0xB8, struct drm_mode_fb_cmd2) - #define DRM_IOCTL_MODE_OBJ_GETPROPERTIES DRM_IOWR(0xB9, struct drm_mode_obj_get_properties) - #define DRM_IOCTL_MODE_OBJ_SETPROPERTY DRM_IOWR(0xBA, struct drm_mode_obj_set_property) -+#define DRM_IOCTL_MODE_CURSOR2 DRM_IOWR(0xBB, struct drm_mode_cursor2) - - /** - * Device specific ioctls should only be in their respective headers -diff --git a/include/uapi/drm/drm_mode.h b/include/uapi/drm/drm_mode.h -index 3d6301b..ecde539 100644 ---- a/include/uapi/drm/drm_mode.h -+++ b/include/uapi/drm/drm_mode.h -@@ -388,6 +388,19 @@ struct drm_mode_cursor { - __u32 handle; - }; - -+struct drm_mode_cursor2 { -+ __u32 flags; -+ __u32 crtc_id; -+ __s32 x; -+ __s32 y; -+ __u32 width; -+ __u32 height; -+ /* driver specific handle */ -+ __u32 handle; -+ __s32 hot_x; -+ __s32 hot_y; -+}; -+ - struct drm_mode_crtc_lut { - __u32 crtc_id; - __u32 gamma_size; --- -1.8.3.1 - diff --git a/drm-qxl-post-3.10-feature-fixes.patch b/drm-qxl-post-3.10-feature-fixes.patch deleted file mode 100644 index cf747c4b2..000000000 --- a/drm-qxl-post-3.10-feature-fixes.patch +++ /dev/null @@ -1,517 +0,0 @@ -From cd402bae4566410f38780e1ce94248b92c3403c0 Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Mon, 1 Jul 2013 14:14:38 +1000 -Subject: [PATCH 5/5] drm/qxl: post 3.10 feature fixes - -drm/qxl: make dynamic resizing work properly. -drm/qxl: add support for cursor hotspot. -drm/qxl: add support for > 1 output -drm/qxl: set time on drawables from userspace ---- - drivers/gpu/drm/qxl/qxl_cmd.c | 8 +- - drivers/gpu/drm/qxl/qxl_display.c | 187 ++++++++++++++++---------------------- - drivers/gpu/drm/qxl/qxl_drv.c | 4 + - drivers/gpu/drm/qxl/qxl_drv.h | 8 +- - drivers/gpu/drm/qxl/qxl_fb.c | 2 +- - drivers/gpu/drm/qxl/qxl_ioctl.c | 6 ++ - 6 files changed, 98 insertions(+), 117 deletions(-) - -diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c -index 02befd9..0ec55e7 100644 ---- a/drivers/gpu/drm/qxl/qxl_cmd.c -+++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -375,8 +375,8 @@ void qxl_io_destroy_primary(struct qxl_device *qdev) - wait_for_io_cmd(qdev, 0, QXL_IO_DESTROY_PRIMARY_ASYNC); - } - --void qxl_io_create_primary(struct qxl_device *qdev, unsigned width, -- unsigned height, unsigned offset, struct qxl_bo *bo) -+void qxl_io_create_primary(struct qxl_device *qdev, -+ unsigned offset, struct qxl_bo *bo) - { - struct qxl_surface_create *create; - -@@ -384,8 +384,8 @@ void qxl_io_create_primary(struct qxl_device *qdev, unsigned width, - qdev->ram_header); - create = &qdev->ram_header->create_surface; - create->format = bo->surf.format; -- create->width = width; -- create->height = height; -+ create->width = bo->surf.width; -+ create->height = bo->surf.height; - create->stride = bo->surf.stride; - create->mem = qxl_bo_physical_address(qdev, bo, offset); - -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index 823d29e..a127a97 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -30,53 +30,9 @@ - #include "qxl_object.h" - #include "drm_crtc_helper.h" - --static void qxl_crtc_set_to_mode(struct qxl_device *qdev, -- struct drm_connector *connector, -- struct qxl_head *head) -+static bool qxl_head_enabled(struct qxl_head *head) - { -- struct drm_device *dev = connector->dev; -- struct drm_display_mode *mode, *t; -- int width = head->width; -- int height = head->height; -- -- if (width < 320 || height < 240) { -- qxl_io_log(qdev, "%s: bad head: %dx%d", width, height); -- width = 1024; -- height = 768; -- } -- if (width * height * 4 > 16*1024*1024) { -- width = 1024; -- height = 768; -- } -- /* TODO: go over regular modes and removed preferred? */ -- list_for_each_entry_safe(mode, t, &connector->probed_modes, head) -- drm_mode_remove(connector, mode); -- mode = drm_cvt_mode(dev, width, height, 60, false, false, false); -- mode->type |= DRM_MODE_TYPE_PREFERRED; -- mode->status = MODE_OK; -- drm_mode_probed_add(connector, mode); -- qxl_io_log(qdev, "%s: %d x %d\n", __func__, width, height); --} -- --void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev) --{ -- struct drm_connector *connector; -- int i; -- struct drm_device *dev = qdev->ddev; -- -- i = 0; -- qxl_io_log(qdev, "%s: %d, %d\n", __func__, -- dev->mode_config.num_connector, -- qdev->monitors_config->count); -- list_for_each_entry(connector, &dev->mode_config.connector_list, head) { -- if (i > qdev->monitors_config->count) { -- /* crtc will be reported as disabled */ -- continue; -- } -- qxl_crtc_set_to_mode(qdev, connector, -- &qdev->monitors_config->heads[i]); -- ++i; -- } -+ return head->width && head->height; - } - - void qxl_alloc_client_monitors_config(struct qxl_device *qdev, unsigned count) -@@ -106,7 +62,6 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) - int num_monitors; - uint32_t crc; - -- BUG_ON(!qdev->monitors_config); - num_monitors = qdev->rom->client_monitors_config.count; - crc = crc32(0, (const uint8_t *)&qdev->rom->client_monitors_config, - sizeof(qdev->rom->client_monitors_config)); -@@ -117,8 +72,8 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) - return 1; - } - if (num_monitors > qdev->monitors_config->max_allowed) { -- DRM_INFO("client monitors list will be truncated: %d < %d\n", -- qdev->monitors_config->max_allowed, num_monitors); -+ DRM_DEBUG_KMS("client monitors list will be truncated: %d < %d\n", -+ qdev->monitors_config->max_allowed, num_monitors); - num_monitors = qdev->monitors_config->max_allowed; - } else { - num_monitors = qdev->rom->client_monitors_config.count; -@@ -132,18 +87,15 @@ static int qxl_display_copy_rom_client_monitors_config(struct qxl_device *qdev) - &qdev->rom->client_monitors_config.heads[i]; - struct qxl_head *client_head = - &qdev->client_monitors_config->heads[i]; -- struct qxl_head *head = &qdev->monitors_config->heads[i]; -- client_head->x = head->x = c_rect->left; -- client_head->y = head->y = c_rect->top; -- client_head->width = head->width = -- c_rect->right - c_rect->left; -- client_head->height = head->height = -- c_rect->bottom - c_rect->top; -- client_head->surface_id = head->surface_id = 0; -- client_head->id = head->id = i; -- client_head->flags = head->flags = 0; -- QXL_DEBUG(qdev, "read %dx%d+%d+%d\n", head->width, head->height, -- head->x, head->y); -+ client_head->x = c_rect->left; -+ client_head->y = c_rect->top; -+ client_head->width = c_rect->right - c_rect->left; -+ client_head->height = c_rect->bottom - c_rect->top; -+ client_head->surface_id = 0; -+ client_head->id = i; -+ client_head->flags = 0; -+ DRM_DEBUG_KMS("read %dx%d+%d+%d\n", client_head->width, client_head->height, -+ client_head->x, client_head->y); - } - return 0; - } -@@ -155,9 +107,6 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) - qxl_io_log(qdev, "failed crc check for client_monitors_config," - " retrying\n"); - } -- qxl_crtc_set_from_monitors_config(qdev); -- /* fire off a uevent and let userspace tell us what to do */ -- qxl_io_log(qdev, "calling drm_sysfs_hotplug_event\n"); - drm_sysfs_hotplug_event(qdev->ddev); - } - -@@ -170,9 +119,9 @@ static int qxl_add_monitors_config_modes(struct drm_connector *connector) - struct drm_display_mode *mode = NULL; - struct qxl_head *head; - -- if (!qdev->monitors_config) -+ if (!qdev->client_monitors_config) - return 0; -- head = &qdev->monitors_config->heads[h]; -+ head = &qdev->client_monitors_config->heads[h]; - - mode = drm_cvt_mode(dev, head->width, head->height, 60, false, false, - false); -@@ -255,11 +204,11 @@ qxl_hide_cursor(struct qxl_device *qdev) - qxl_release_unreserve(qdev, release); - } - --static int qxl_crtc_cursor_set(struct drm_crtc *crtc, -- struct drm_file *file_priv, -- uint32_t handle, -- uint32_t width, -- uint32_t height) -+static int qxl_crtc_cursor_set2(struct drm_crtc *crtc, -+ struct drm_file *file_priv, -+ uint32_t handle, -+ uint32_t width, -+ uint32_t height, int32_t hot_x, int32_t hot_y) - { - struct drm_device *dev = crtc->dev; - struct qxl_device *qdev = dev->dev_private; -@@ -315,8 +264,8 @@ static int qxl_crtc_cursor_set(struct drm_crtc *crtc, - cursor->header.type = SPICE_CURSOR_TYPE_ALPHA; - cursor->header.width = 64; - cursor->header.height = 64; -- cursor->header.hot_spot_x = 0; -- cursor->header.hot_spot_y = 0; -+ cursor->header.hot_spot_x = hot_x; -+ cursor->header.hot_spot_y = hot_y; - cursor->data_size = size; - cursor->chunk.next_chunk = 0; - cursor->chunk.prev_chunk = 0; -@@ -397,7 +346,7 @@ static int qxl_crtc_cursor_move(struct drm_crtc *crtc, - - - static const struct drm_crtc_funcs qxl_crtc_funcs = { -- .cursor_set = qxl_crtc_cursor_set, -+ .cursor_set2 = qxl_crtc_cursor_set2, - .cursor_move = qxl_crtc_cursor_move, - .gamma_set = qxl_crtc_gamma_set, - .set_config = drm_crtc_helper_set_config, -@@ -506,7 +455,7 @@ qxl_send_monitors_config(struct qxl_device *qdev) - for (i = 0 ; i < qdev->monitors_config->count ; ++i) { - struct qxl_head *head = &qdev->monitors_config->heads[i]; - -- if (head->y > 8192 || head->y < head->x || -+ if (head->y > 8192 || head->x > 8192 || - head->width > 8192 || head->height > 8192) { - DRM_ERROR("head %d wrong: %dx%d+%d+%d\n", - i, head->width, head->height, -@@ -517,16 +466,19 @@ qxl_send_monitors_config(struct qxl_device *qdev) - qxl_io_monitors_config(qdev); - } - --static void qxl_monitors_config_set_single(struct qxl_device *qdev, -- unsigned x, unsigned y, -- unsigned width, unsigned height) -+static void qxl_monitors_config_set(struct qxl_device *qdev, -+ int index, -+ unsigned x, unsigned y, -+ unsigned width, unsigned height, -+ unsigned surf_id) - { -- DRM_DEBUG("%dx%d+%d+%d\n", width, height, x, y); -- qdev->monitors_config->count = 1; -- qdev->monitors_config->heads[0].x = x; -- qdev->monitors_config->heads[0].y = y; -- qdev->monitors_config->heads[0].width = width; -- qdev->monitors_config->heads[0].height = height; -+ DRM_DEBUG_KMS("%d:%dx%d+%d+%d\n", index, width, height, x, y); -+ qdev->monitors_config->heads[index].x = x; -+ qdev->monitors_config->heads[index].y = y; -+ qdev->monitors_config->heads[index].width = width; -+ qdev->monitors_config->heads[index].height = height; -+ qdev->monitors_config->heads[index].surface_id = surf_id; -+ - } - - static int qxl_crtc_mode_set(struct drm_crtc *crtc, -@@ -540,10 +492,11 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - struct qxl_mode *m = (void *)mode->private; - struct qxl_framebuffer *qfb; - struct qxl_bo *bo, *old_bo = NULL; -+ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); - uint32_t width, height, base_offset; - bool recreate_primary = false; - int ret; -- -+ int surf_id; - if (!crtc->fb) { - DRM_DEBUG_KMS("No FB bound\n"); - return 0; -@@ -567,7 +520,8 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - adjusted_mode->hdisplay, - adjusted_mode->vdisplay); - -- recreate_primary = true; -+ if (qcrtc->index == 0) -+ recreate_primary = true; - - width = mode->hdisplay; - height = mode->vdisplay; -@@ -588,8 +542,11 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - "recreate primary: %dx%d (was %dx%d,%d,%d)\n", - width, height, bo->surf.width, - bo->surf.height, bo->surf.stride, bo->surf.format); -- qxl_io_create_primary(qdev, width, height, base_offset, bo); -+ qxl_io_create_primary(qdev, base_offset, bo); - bo->is_primary = true; -+ surf_id = 0; -+ } else { -+ surf_id = bo->surface_id; - } - - if (old_bo && old_bo != bo) { -@@ -599,11 +556,9 @@ static int qxl_crtc_mode_set(struct drm_crtc *crtc, - qxl_bo_unreserve(old_bo); - } - -- if (qdev->monitors_config->count == 0) { -- qxl_monitors_config_set_single(qdev, x, y, -- mode->hdisplay, -- mode->vdisplay); -- } -+ qxl_monitors_config_set(qdev, qcrtc->index, x, y, -+ mode->hdisplay, -+ mode->vdisplay, surf_id); - return 0; - } - -@@ -619,6 +574,26 @@ static void qxl_crtc_commit(struct drm_crtc *crtc) - DRM_DEBUG("\n"); - } - -+static void qxl_crtc_disable(struct drm_crtc *crtc) -+{ -+ struct qxl_crtc *qcrtc = to_qxl_crtc(crtc); -+ struct drm_device *dev = crtc->dev; -+ struct qxl_device *qdev = dev->dev_private; -+ if (crtc->fb) { -+ struct qxl_framebuffer *qfb = to_qxl_framebuffer(crtc->fb); -+ struct qxl_bo *bo = gem_to_qxl_bo(qfb->obj); -+ int ret; -+ ret = qxl_bo_reserve(bo, false); -+ qxl_bo_unpin(bo); -+ qxl_bo_unreserve(bo); -+ crtc->fb = NULL; -+ } -+ -+ qxl_monitors_config_set(qdev, qcrtc->index, 0, 0, 0, 0, 0); -+ -+ qxl_send_monitors_config(qdev); -+} -+ - static void qxl_crtc_load_lut(struct drm_crtc *crtc) - { - DRM_DEBUG("\n"); -@@ -626,6 +601,7 @@ static void qxl_crtc_load_lut(struct drm_crtc *crtc) - - static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { - .dpms = qxl_crtc_dpms, -+ .disable = qxl_crtc_disable, - .mode_fixup = qxl_crtc_mode_fixup, - .mode_set = qxl_crtc_mode_set, - .prepare = qxl_crtc_prepare, -@@ -633,7 +609,7 @@ static const struct drm_crtc_helper_funcs qxl_crtc_helper_funcs = { - .load_lut = qxl_crtc_load_lut, - }; - --static int qdev_crtc_init(struct drm_device *dev, int num_crtc) -+static int qdev_crtc_init(struct drm_device *dev, int crtc_id) - { - struct qxl_crtc *qxl_crtc; - -@@ -642,7 +618,7 @@ static int qdev_crtc_init(struct drm_device *dev, int num_crtc) - return -ENOMEM; - - drm_crtc_init(dev, &qxl_crtc->base, &qxl_crtc_funcs); -- -+ qxl_crtc->index = crtc_id; - drm_mode_crtc_set_gamma_size(&qxl_crtc->base, 256); - drm_crtc_helper_add(&qxl_crtc->base, &qxl_crtc_helper_funcs); - return 0; -@@ -670,18 +646,13 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, - struct drm_encoder *encoder) - { - int i; -+ struct qxl_output *output = drm_encoder_to_qxl_output(encoder); - struct qxl_head *head; - struct drm_display_mode *mode; - - BUG_ON(!encoder); - /* TODO: ugly, do better */ -- for (i = 0 ; (encoder->possible_crtcs != (1 << i)) && i < 32; ++i) -- ; -- if (encoder->possible_crtcs != (1 << i)) { -- DRM_ERROR("encoder has wrong possible_crtcs: %x\n", -- encoder->possible_crtcs); -- return; -- } -+ i = output->index; - if (!qdev->monitors_config || - qdev->monitors_config->max_allowed <= i) { - DRM_ERROR( -@@ -699,7 +670,6 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, - DRM_DEBUG("missing for multiple monitors: no head holes\n"); - head = &qdev->monitors_config->heads[i]; - head->id = i; -- head->surface_id = 0; - if (encoder->crtc->enabled) { - mode = &encoder->crtc->mode; - head->width = mode->hdisplay; -@@ -714,8 +684,8 @@ static void qxl_write_monitors_config_for_encoder(struct qxl_device *qdev, - head->x = 0; - head->y = 0; - } -- DRM_DEBUG("setting head %d to +%d+%d %dx%d\n", -- i, head->x, head->y, head->width, head->height); -+ DRM_DEBUG_KMS("setting head %d to +%d+%d %dx%d out of %d\n", -+ i, head->x, head->y, head->width, head->height, qdev->monitors_config->count); - head->flags = 0; - /* TODO - somewhere else to call this for multiple monitors - * (config_commit?) */ -@@ -810,8 +780,9 @@ static enum drm_connector_status qxl_conn_detect( - - /* The first monitor is always connected */ - connected = (output->index == 0) || -- (qdev->monitors_config && -- qdev->monitors_config->count > output->index); -+ (qdev->client_monitors_config && -+ qdev->client_monitors_config->count > output->index && -+ qxl_head_enabled(&qdev->client_monitors_config->heads[output->index])); - - DRM_DEBUG("\n"); - return connected ? connector_status_connected -@@ -919,7 +890,7 @@ int qxl_modeset_init(struct qxl_device *qdev) - int i; - int ret; - struct drm_gem_object *gobj; -- int max_allowed = QXL_NUM_OUTPUTS; -+ int max_allowed = qxl_num_crtc; - int monitors_config_size = sizeof(struct qxl_monitors_config) + - max_allowed * sizeof(struct qxl_head); - -@@ -949,7 +920,7 @@ int qxl_modeset_init(struct qxl_device *qdev) - qdev->ddev->mode_config.max_height = 8192; - - qdev->ddev->mode_config.fb_base = qdev->vram_base; -- for (i = 0 ; i < QXL_NUM_OUTPUTS; ++i) { -+ for (i = 0 ; i < qxl_num_crtc; ++i) { - qdev_crtc_init(qdev->ddev, i); - qdev_output_init(qdev->ddev, i); - } -diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c -index aa291d8..00e57b76 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.c -+++ b/drivers/gpu/drm/qxl/qxl_drv.c -@@ -47,10 +47,14 @@ static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { - MODULE_DEVICE_TABLE(pci, pciidlist); - - static int qxl_modeset = -1; -+int qxl_num_crtc = 4; - - MODULE_PARM_DESC(modeset, "Disable/Enable modesetting"); - module_param_named(modeset, qxl_modeset, int, 0400); - -+MODULE_PARM_DESC(num_heads, "Number of virtual crtcs to expose (default 4)"); -+module_param_named(num_heads, qxl_num_crtc, int, 0400); -+ - static struct drm_driver qxl_driver; - static struct pci_driver qxl_pci_driver; - -diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h -index 43d06ab..42ef0e2 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.h -+++ b/drivers/gpu/drm/qxl/qxl_drv.h -@@ -55,11 +55,10 @@ - #define DRIVER_MINOR 1 - #define DRIVER_PATCHLEVEL 0 - --#define QXL_NUM_OUTPUTS 1 -- - #define QXL_DEBUGFS_MAX_COMPONENTS 32 - - extern int qxl_log_level; -+extern int qxl_num_crtc; - - enum { - QXL_INFO_LEVEL = 1, -@@ -139,6 +138,7 @@ struct qxl_reloc_list { - - struct qxl_crtc { - struct drm_crtc base; -+ int index; - int cur_x; - int cur_y; - }; -@@ -156,7 +156,7 @@ struct qxl_framebuffer { - - #define to_qxl_crtc(x) container_of(x, struct qxl_crtc, base) - #define drm_connector_to_qxl_output(x) container_of(x, struct qxl_output, base) --#define drm_encoder_to_qxl_output(x) container_of(x, struct qxl_output, base) -+#define drm_encoder_to_qxl_output(x) container_of(x, struct qxl_output, enc) - #define to_qxl_framebuffer(x) container_of(x, struct qxl_framebuffer, base) - - struct qxl_mman { -@@ -435,7 +435,7 @@ void qxl_update_screen(struct qxl_device *qxl); - /* qxl io operations (qxl_cmd.c) */ - - void qxl_io_create_primary(struct qxl_device *qdev, -- unsigned width, unsigned height, unsigned offset, -+ unsigned offset, - struct qxl_bo *bo); - void qxl_io_destroy_primary(struct qxl_device *qdev); - void qxl_io_memslot_add(struct qxl_device *qdev, uint8_t id); -diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c -index b3c5127..11ef7cb 100644 ---- a/drivers/gpu/drm/qxl/qxl_fb.c -+++ b/drivers/gpu/drm/qxl/qxl_fb.c -@@ -542,7 +542,7 @@ int qxl_fbdev_init(struct qxl_device *qdev) - qfbdev->helper.funcs = &qxl_fb_helper_funcs; - - ret = drm_fb_helper_init(qdev->ddev, &qfbdev->helper, -- 1 /* num_crtc - QXL supports just 1 */, -+ qxl_num_crtc /* num_crtc - QXL supports just 1 */, - QXLFB_CONN_LIMIT); - if (ret) { - kfree(qfbdev); -diff --git a/drivers/gpu/drm/qxl/qxl_ioctl.c b/drivers/gpu/drm/qxl/qxl_ioctl.c -index a4b71b2..6ba49d9 100644 ---- a/drivers/gpu/drm/qxl/qxl_ioctl.c -+++ b/drivers/gpu/drm/qxl/qxl_ioctl.c -@@ -183,6 +183,12 @@ static int qxl_execbuffer_ioctl(struct drm_device *dev, void *data, - /* TODO copy slow path code from i915 */ - fb_cmd = qxl_bo_kmap_atomic_page(qdev, cmd_bo, (release->release_offset & PAGE_SIZE)); - unwritten = __copy_from_user_inatomic_nocache(fb_cmd + sizeof(union qxl_release_info) + (release->release_offset & ~PAGE_SIZE), (void *)(unsigned long)user_cmd.command, user_cmd.command_size); -+ -+ { -+ struct qxl_drawable *draw = fb_cmd; -+ -+ draw->mm_time = qdev->rom->mm_clock; -+ } - qxl_bo_kunmap_atomic_page(qdev, cmd_bo, fb_cmd); - if (unwritten) { - DRM_ERROR("got unwritten %d\n", unwritten); --- -1.8.3.1 - diff --git a/drm-qxl-post-3.10-features-part-2.patch b/drm-qxl-post-3.10-features-part-2.patch deleted file mode 100644 index 3af9b1bb1..000000000 --- a/drm-qxl-post-3.10-features-part-2.patch +++ /dev/null @@ -1,483 +0,0 @@ -From db21a217f7de4f173aa0fb4c7a296cc9cffbd6bf Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Thu, 4 Jul 2013 14:46:46 +1000 -Subject: [PATCH] drm/qxl: post 3.10 features part 2 - -qxl: split monitors_config object creation out. -qxl: prepare memslot code for suspend/resume -qxl: add ring prep code for s/r -qxl: add fb and ttm entry points for use by suspend/resume. -qxl: add suspend/resume/hibernate support. -qxl: use drm helper hotplug support - -Signed-off-by: Dave Airlie ---- - drivers/gpu/drm/qxl/qxl_cmd.c | 9 ++- - drivers/gpu/drm/qxl/qxl_display.c | 58 +++++++++++++++-- - drivers/gpu/drm/qxl/qxl_drv.c | 134 +++++++++++++++++++++++++++++++++++--- - drivers/gpu/drm/qxl/qxl_drv.h | 10 +++ - drivers/gpu/drm/qxl/qxl_fb.c | 10 +++ - drivers/gpu/drm/qxl/qxl_kms.c | 24 +++++-- - drivers/gpu/drm/qxl/qxl_object.c | 10 +++ - 7 files changed, 236 insertions(+), 19 deletions(-) - -diff --git a/drivers/gpu/drm/qxl/qxl_cmd.c b/drivers/gpu/drm/qxl/qxl_cmd.c -index 0ec55e7..0ca2999 100644 ---- a/drivers/gpu/drm/qxl/qxl_cmd.c -+++ b/drivers/gpu/drm/qxl/qxl_cmd.c -@@ -49,6 +49,11 @@ void qxl_ring_free(struct qxl_ring *ring) - kfree(ring); - } - -+void qxl_ring_init_hdr(struct qxl_ring *ring) -+{ -+ ring->ring->header.notify_on_prod = ring->n_elements; -+} -+ - struct qxl_ring * - qxl_ring_create(struct qxl_ring_header *header, - int element_size, -@@ -69,7 +74,7 @@ qxl_ring_create(struct qxl_ring_header *header, - ring->prod_notify = prod_notify; - ring->push_event = push_event; - if (set_prod_notify) -- header->notify_on_prod = ring->n_elements; -+ qxl_ring_init_hdr(ring); - spin_lock_init(&ring->lock); - return ring; - } -@@ -87,7 +92,7 @@ static int qxl_check_header(struct qxl_ring *ring) - return ret; - } - --static int qxl_check_idle(struct qxl_ring *ring) -+int qxl_check_idle(struct qxl_ring *ring) - { - int ret; - struct qxl_ring_header *header = &(ring->ring->header); -diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c -index a127a97..b03fe6d 100644 ---- a/drivers/gpu/drm/qxl/qxl_display.c -+++ b/drivers/gpu/drm/qxl/qxl_display.c -@@ -107,7 +107,7 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) - qxl_io_log(qdev, "failed crc check for client_monitors_config," - " retrying\n"); - } -- drm_sysfs_hotplug_event(qdev->ddev); -+ drm_helper_hpd_irq_event(qdev->ddev); - } - - static int qxl_add_monitors_config_modes(struct drm_connector *connector) -@@ -846,6 +846,8 @@ static int qdev_output_init(struct drm_device *dev, int num_output) - drm_encoder_init(dev, &qxl_output->enc, &qxl_enc_funcs, - DRM_MODE_ENCODER_VIRTUAL); - -+ /* we get HPD via client monitors config */ -+ connector->polled = DRM_CONNECTOR_POLL_HPD; - encoder->possible_crtcs = 1 << num_output; - drm_mode_connector_attach_encoder(&qxl_output->base, - &qxl_output->enc); -@@ -885,16 +887,14 @@ static const struct drm_mode_config_funcs qxl_mode_funcs = { - .fb_create = qxl_user_framebuffer_create, - }; - --int qxl_modeset_init(struct qxl_device *qdev) -+int qxl_create_monitors_object(struct qxl_device *qdev) - { -- int i; - int ret; - struct drm_gem_object *gobj; - int max_allowed = qxl_num_crtc; - int monitors_config_size = sizeof(struct qxl_monitors_config) + -- max_allowed * sizeof(struct qxl_head); -+ max_allowed * sizeof(struct qxl_head); - -- drm_mode_config_init(qdev->ddev); - ret = qxl_gem_object_create(qdev, monitors_config_size, 0, - QXL_GEM_DOMAIN_VRAM, - false, false, NULL, &gobj); -@@ -903,13 +903,59 @@ int qxl_modeset_init(struct qxl_device *qdev) - return -ENOMEM; - } - qdev->monitors_config_bo = gem_to_qxl_bo(gobj); -+ -+ ret = qxl_bo_reserve(qdev->monitors_config_bo, false); -+ if (ret) -+ return ret; -+ -+ ret = qxl_bo_pin(qdev->monitors_config_bo, QXL_GEM_DOMAIN_VRAM, NULL); -+ if (ret) { -+ qxl_bo_unreserve(qdev->monitors_config_bo); -+ return ret; -+ } -+ -+ qxl_bo_unreserve(qdev->monitors_config_bo); -+ - qxl_bo_kmap(qdev->monitors_config_bo, NULL); -+ - qdev->monitors_config = qdev->monitors_config_bo->kptr; - qdev->ram_header->monitors_config = - qxl_bo_physical_address(qdev, qdev->monitors_config_bo, 0); - - memset(qdev->monitors_config, 0, monitors_config_size); - qdev->monitors_config->max_allowed = max_allowed; -+ return 0; -+} -+ -+int qxl_destroy_monitors_object(struct qxl_device *qdev) -+{ -+ int ret; -+ -+ qdev->monitors_config = NULL; -+ qdev->ram_header->monitors_config = 0; -+ -+ qxl_bo_kunmap(qdev->monitors_config_bo); -+ ret = qxl_bo_reserve(qdev->monitors_config_bo, false); -+ if (ret) -+ return ret; -+ -+ qxl_bo_unpin(qdev->monitors_config_bo); -+ qxl_bo_unreserve(qdev->monitors_config_bo); -+ -+ qxl_bo_unref(&qdev->monitors_config_bo); -+ return 0; -+} -+ -+int qxl_modeset_init(struct qxl_device *qdev) -+{ -+ int i; -+ int ret; -+ -+ drm_mode_config_init(qdev->ddev); -+ -+ ret = qxl_create_monitors_object(qdev); -+ if (ret) -+ return ret; - - qdev->ddev->mode_config.funcs = (void *)&qxl_mode_funcs; - -@@ -937,6 +983,8 @@ int qxl_modeset_init(struct qxl_device *qdev) - void qxl_modeset_fini(struct qxl_device *qdev) - { - qxl_fbdev_fini(qdev); -+ -+ qxl_destroy_monitors_object(qdev); - if (qdev->mode_info.mode_config_initialized) { - drm_mode_config_cleanup(qdev->ddev); - qdev->mode_info.mode_config_initialized = false; -diff --git a/drivers/gpu/drm/qxl/qxl_drv.c b/drivers/gpu/drm/qxl/qxl_drv.c -index 00e57b76..df0b577 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.c -+++ b/drivers/gpu/drm/qxl/qxl_drv.c -@@ -33,8 +33,9 @@ - - #include "drmP.h" - #include "drm/drm.h" -- -+#include "drm_crtc_helper.h" - #include "qxl_drv.h" -+#include "qxl_object.h" - - extern int qxl_max_ioctls; - static DEFINE_PCI_DEVICE_TABLE(pciidlist) = { -@@ -77,13 +78,6 @@ qxl_pci_remove(struct pci_dev *pdev) - drm_put_dev(dev); - } - --static struct pci_driver qxl_pci_driver = { -- .name = DRIVER_NAME, -- .id_table = pciidlist, -- .probe = qxl_pci_probe, -- .remove = qxl_pci_remove, --}; -- - static const struct file_operations qxl_fops = { - .owner = THIS_MODULE, - .open = drm_open, -@@ -94,6 +88,130 @@ static const struct file_operations qxl_fops = { - .mmap = qxl_mmap, - }; - -+static int qxl_drm_freeze(struct drm_device *dev) -+{ -+ struct pci_dev *pdev = dev->pdev; -+ struct qxl_device *qdev = dev->dev_private; -+ struct drm_crtc *crtc; -+ -+ drm_kms_helper_poll_disable(dev); -+ -+ console_lock(); -+ qxl_fbdev_set_suspend(qdev, 1); -+ console_unlock(); -+ -+ /* unpin the front buffers */ -+ list_for_each_entry(crtc, &dev->mode_config.crtc_list, head) { -+ struct drm_crtc_helper_funcs *crtc_funcs = crtc->helper_private; -+ if (crtc->enabled) -+ (*crtc_funcs->disable)(crtc); -+ } -+ -+ qxl_destroy_monitors_object(qdev); -+ qxl_surf_evict(qdev); -+ qxl_vram_evict(qdev); -+ -+ while (!qxl_check_idle(qdev->command_ring)); -+ while (!qxl_check_idle(qdev->release_ring)) -+ qxl_queue_garbage_collect(qdev, 1); -+ -+ pci_save_state(pdev); -+ -+ return 0; -+} -+ -+static int qxl_drm_resume(struct drm_device *dev, bool thaw) -+{ -+ struct qxl_device *qdev = dev->dev_private; -+ -+ qdev->ram_header->int_mask = QXL_INTERRUPT_MASK; -+ if (!thaw) { -+ qxl_reinit_memslots(qdev); -+ qxl_ring_init_hdr(qdev->release_ring); -+ } -+ -+ qxl_create_monitors_object(qdev); -+ drm_helper_resume_force_mode(dev); -+ -+ console_lock(); -+ qxl_fbdev_set_suspend(qdev, 0); -+ console_unlock(); -+ -+ drm_kms_helper_poll_enable(dev); -+ return 0; -+} -+ -+static int qxl_pm_suspend(struct device *dev) -+{ -+ struct pci_dev *pdev = to_pci_dev(dev); -+ struct drm_device *drm_dev = pci_get_drvdata(pdev); -+ int error; -+ -+ error = qxl_drm_freeze(drm_dev); -+ if (error) -+ return error; -+ -+ pci_disable_device(pdev); -+ pci_set_power_state(pdev, PCI_D3hot); -+ return 0; -+} -+ -+static int qxl_pm_resume(struct device *dev) -+{ -+ struct pci_dev *pdev = to_pci_dev(dev); -+ struct drm_device *drm_dev = pci_get_drvdata(pdev); -+ -+ pci_set_power_state(pdev, PCI_D0); -+ pci_restore_state(pdev); -+ if (pci_enable_device(pdev)) { -+ return -EIO; -+ } -+ -+ return qxl_drm_resume(drm_dev, false); -+} -+ -+static int qxl_pm_thaw(struct device *dev) -+{ -+ struct pci_dev *pdev = to_pci_dev(dev); -+ struct drm_device *drm_dev = pci_get_drvdata(pdev); -+ -+ return qxl_drm_resume(drm_dev, true); -+} -+ -+static int qxl_pm_freeze(struct device *dev) -+{ -+ struct pci_dev *pdev = to_pci_dev(dev); -+ struct drm_device *drm_dev = pci_get_drvdata(pdev); -+ -+ return qxl_drm_freeze(drm_dev); -+} -+ -+static int qxl_pm_restore(struct device *dev) -+{ -+ struct pci_dev *pdev = to_pci_dev(dev); -+ struct drm_device *drm_dev = pci_get_drvdata(pdev); -+ struct qxl_device *qdev = drm_dev->dev_private; -+ -+ qxl_io_reset(qdev); -+ return qxl_drm_resume(drm_dev, false); -+} -+ -+static const struct dev_pm_ops qxl_pm_ops = { -+ .suspend = qxl_pm_suspend, -+ .resume = qxl_pm_resume, -+ .freeze = qxl_pm_freeze, -+ .thaw = qxl_pm_thaw, -+ .poweroff = qxl_pm_freeze, -+ .restore = qxl_pm_restore, -+}; -+static struct pci_driver qxl_pci_driver = { -+ .name = DRIVER_NAME, -+ .id_table = pciidlist, -+ .probe = qxl_pci_probe, -+ .remove = qxl_pci_remove, -+ .driver.pm = &qxl_pm_ops, -+}; -+ - static struct drm_driver qxl_driver = { - .driver_features = DRIVER_GEM | DRIVER_MODESET | - DRIVER_HAVE_IRQ | DRIVER_IRQ_SHARED, -diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h -index 42ef0e2..aacb791 100644 ---- a/drivers/gpu/drm/qxl/qxl_drv.h -+++ b/drivers/gpu/drm/qxl/qxl_drv.h -@@ -331,6 +331,10 @@ void qxl_modeset_fini(struct qxl_device *qdev); - int qxl_bo_init(struct qxl_device *qdev); - void qxl_bo_fini(struct qxl_device *qdev); - -+void qxl_reinit_memslots(struct qxl_device *qdev); -+int qxl_surf_evict(struct qxl_device *qdev); -+int qxl_vram_evict(struct qxl_device *qdev); -+ - struct qxl_ring *qxl_ring_create(struct qxl_ring_header *header, - int element_size, - int n_elements, -@@ -338,6 +342,8 @@ struct qxl_ring *qxl_ring_create(struct qxl_ring_header *header, - bool set_prod_notify, - wait_queue_head_t *push_event); - void qxl_ring_free(struct qxl_ring *ring); -+void qxl_ring_init_hdr(struct qxl_ring *ring); -+int qxl_check_idle(struct qxl_ring *ring); - - static inline void * - qxl_fb_virtual_address(struct qxl_device *qdev, unsigned long physical) -@@ -365,6 +371,7 @@ void qxl_fbdev_fini(struct qxl_device *qdev); - int qxl_get_handle_for_primary_fb(struct qxl_device *qdev, - struct drm_file *file_priv, - uint32_t *handle); -+void qxl_fbdev_set_suspend(struct qxl_device *qdev, int state); - - /* qxl_display.c */ - int -@@ -374,6 +381,8 @@ qxl_framebuffer_init(struct drm_device *dev, - struct drm_gem_object *obj); - void qxl_display_read_client_monitors_config(struct qxl_device *qdev); - void qxl_send_monitors_config(struct qxl_device *qdev); -+int qxl_create_monitors_object(struct qxl_device *qdev); -+int qxl_destroy_monitors_object(struct qxl_device *qdev); - - /* used by qxl_debugfs only */ - void qxl_crtc_set_from_monitors_config(struct qxl_device *qdev); -@@ -528,6 +537,7 @@ irqreturn_t qxl_irq_handler(DRM_IRQ_ARGS); - - /* qxl_fb.c */ - int qxl_fb_init(struct qxl_device *qdev); -+bool qxl_fbdev_qobj_is_fb(struct qxl_device *qdev, struct qxl_bo *qobj); - - int qxl_debugfs_add_files(struct qxl_device *qdev, - struct drm_info_list *files, -diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c -index 11ef7cb..2c3970a 100644 ---- a/drivers/gpu/drm/qxl/qxl_fb.c -+++ b/drivers/gpu/drm/qxl/qxl_fb.c -@@ -564,4 +564,14 @@ void qxl_fbdev_fini(struct qxl_device *qdev) - qdev->mode_info.qfbdev = NULL; - } - -+void qxl_fbdev_set_suspend(struct qxl_device *qdev, int state) -+{ -+ fb_set_suspend(qdev->mode_info.qfbdev->helper.fbdev, state); -+} - -+bool qxl_fbdev_qobj_is_fb(struct qxl_device *qdev, struct qxl_bo *qobj) -+{ -+ if (qobj == gem_to_qxl_bo(qdev->mode_info.qfbdev->qfb.obj)) -+ return true; -+ return false; -+} -diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c -index e27ce2a..9e8da9e 100644 ---- a/drivers/gpu/drm/qxl/qxl_kms.c -+++ b/drivers/gpu/drm/qxl/qxl_kms.c -@@ -26,6 +26,7 @@ - #include "qxl_drv.h" - #include "qxl_object.h" - -+#include - #include - - int qxl_log_level; -@@ -72,21 +73,28 @@ static bool qxl_check_device(struct qxl_device *qdev) - return true; - } - -+static void setup_hw_slot(struct qxl_device *qdev, int slot_index, -+ struct qxl_memslot *slot) -+{ -+ qdev->ram_header->mem_slot.mem_start = slot->start_phys_addr; -+ qdev->ram_header->mem_slot.mem_end = slot->end_phys_addr; -+ qxl_io_memslot_add(qdev, slot_index); -+} -+ - static uint8_t setup_slot(struct qxl_device *qdev, uint8_t slot_index_offset, - unsigned long start_phys_addr, unsigned long end_phys_addr) - { - uint64_t high_bits; - struct qxl_memslot *slot; - uint8_t slot_index; -- struct qxl_ram_header *ram_header = qdev->ram_header; - - slot_index = qdev->rom->slots_start + slot_index_offset; - slot = &qdev->mem_slots[slot_index]; - slot->start_phys_addr = start_phys_addr; - slot->end_phys_addr = end_phys_addr; -- ram_header->mem_slot.mem_start = slot->start_phys_addr; -- ram_header->mem_slot.mem_end = slot->end_phys_addr; -- qxl_io_memslot_add(qdev, slot_index); -+ -+ setup_hw_slot(qdev, slot_index, slot); -+ - slot->generation = qdev->rom->slot_generation; - high_bits = slot_index << qdev->slot_gen_bits; - high_bits |= slot->generation; -@@ -95,6 +103,12 @@ static uint8_t setup_slot(struct qxl_device *qdev, uint8_t slot_index_offset, - return slot_index; - } - -+void qxl_reinit_memslots(struct qxl_device *qdev) -+{ -+ setup_hw_slot(qdev, qdev->main_mem_slot, &qdev->mem_slots[qdev->main_mem_slot]); -+ setup_hw_slot(qdev, qdev->surfaces_mem_slot, &qdev->mem_slots[qdev->surfaces_mem_slot]); -+} -+ - static void qxl_gc_work(struct work_struct *work) - { - struct qxl_device *qdev = container_of(work, struct qxl_device, gc_work); -@@ -294,6 +308,8 @@ int qxl_driver_load(struct drm_device *dev, unsigned long flags) - goto out; - } - -+ drm_kms_helper_poll_init(qdev->ddev); -+ - return 0; - out: - kfree(qdev); -diff --git a/drivers/gpu/drm/qxl/qxl_object.c b/drivers/gpu/drm/qxl/qxl_object.c -index d9b12e7..1191fe7 100644 ---- a/drivers/gpu/drm/qxl/qxl_object.c -+++ b/drivers/gpu/drm/qxl/qxl_object.c -@@ -363,3 +363,13 @@ int qxl_bo_list_add(struct qxl_reloc_list *reloc_list, struct qxl_bo *bo) - return ret; - return 0; - } -+ -+int qxl_surf_evict(struct qxl_device *qdev) -+{ -+ return ttm_bo_evict_mm(&qdev->mman.bdev, TTM_PL_PRIV0); -+} -+ -+int qxl_vram_evict(struct qxl_device *qdev) -+{ -+ return ttm_bo_evict_mm(&qdev->mman.bdev, TTM_PL_VRAM); -+} --- -1.8.3.1 - diff --git a/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch b/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch deleted file mode 100644 index 424d60350..000000000 --- a/intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch +++ /dev/null @@ -1,25 +0,0 @@ -This triggers on a MacBook Pro. - -Signed-off-by: Andy Lutomirski -https://bugzilla.redhat.com/show_bug.cgi?id=948262 ---- - drivers/iommu/intel_irq_remapping.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c -index f3b8f23..a7e0ad1 100644 ---- a/drivers/iommu/intel_irq_remapping.c -+++ b/drivers/iommu/intel_irq_remapping.c -@@ -654,8 +654,7 @@ error: - */ - - if (x2apic_present) -- WARN(1, KERN_WARNING -- "Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n"); -+ pr_warn("Failed to enable irq remapping. You are vulnerable to irq-injection attacks.\n"); - - return -1; - } --- -1.8.1.4 - diff --git a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch b/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch deleted file mode 100644 index 0c4fc2484..000000000 --- a/ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 2712c283acc085b5438fa1b22053423a0158468d Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 16 Aug 2013 11:02:27 +0000 -Subject: [PATCH] ipv6: remove max_addresses check from ipv6_create_tempaddr - -Because of the max_addresses check attackers were able to disable privacy -extensions on an interface by creating enough autoconfigured addresses: - - - -But the check is not actually needed: max_addresses protects the -kernel to install too many ipv6 addresses on an interface and guards -addrconf_prefix_rcv to install further addresses as soon as this limit -is reached. We only generate temporary addresses in direct response of -a new address showing up. As soon as we filled up the maximum number of -addresses of an interface, we stop installing more addresses and thus -also stop generating more temp addresses. - -Even if the attacker tries to generate a lot of temporary addresses -by announcing a prefix and removing it again (lifetime == 0) we won't -install more temp addresses, because the temporary addresses do count -to the maximum number of addresses, thus we would stop installing new -autoconfigured addresses when the limit is reached. - -This patch fixes CVE-2013-0343 (but other layer-2 attacks are still -possible). - -Thanks to Ding Tianhong to bring this topic up again. - -Cc: Ding Tianhong -Cc: George Kargiotakis -Cc: P J P -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Acked-by: Ding Tianhong -Signed-off-by: David S. Miller ---- - net/ipv6/addrconf.c | 8 +++----- - 1 file changed, 3 insertions(+), 5 deletions(-) - -diff --git a/net/ipv6/addrconf.c b/net/ipv6/addrconf.c -index fb8c94c..21b7a87 100644 ---- a/net/ipv6/addrconf.c -+++ b/net/ipv6/addrconf.c -@@ -1124,12 +1124,10 @@ retry: - if (ifp->flags & IFA_F_OPTIMISTIC) - addr_flags |= IFA_F_OPTIMISTIC; - -- ift = !max_addresses || -- ipv6_count_addresses(idev) < max_addresses ? -- ipv6_add_addr(idev, &addr, tmp_plen, -+ ift = ipv6_add_addr(idev, &addr, tmp_plen, - ipv6_addr_type(&addr)&IPV6_ADDR_SCOPE_MASK, -- addr_flags) : NULL; -- if (IS_ERR_OR_NULL(ift)) { -+ addr_flags); -+ if (IS_ERR(ift)) { - in6_ifa_put(ifp); - in6_dev_put(idev); - pr_info("%s: retry temporary address regeneration\n", __func__); --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index 94ae83bba..aae273169 100644 --- a/kernel.spec +++ b/kernel.spec @@ -68,13 +68,13 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 10 +%define base_sublevel 11 ## If this is a released kernel ## %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 11 +%define stable_update 0 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -93,7 +93,7 @@ Summary: The Linux kernel # The next upstream release sublevel (base_sublevel+1) %define upstream_sublevel %(echo $((%{base_sublevel} + 1))) # The rc snapshot level -%define rcrev 8 +%define rcrev 0 # The git snapshot level %define gitrev 0 # Set rpm version accordingly @@ -475,7 +475,7 @@ Provides: kernel-tegra-uname-r = %{KVERREL}%{?1:.%{1}}\ Provides: kernel-omap\ Requires(pre): %{kernel_prereq}\ Requires(pre): %{initrd_prereq}\ -Requires(pre): linux-firmware >= 20120206-0.1.git06c8f81\ +Requires(pre): linux-firmware >= 20130724-29.git31f6b30\ Requires(post): /sbin/new-kernel-pkg\ Requires(preun): /sbin/new-kernel-pkg\ Conflicts: %{kernel_dot_org_conflicts}\ @@ -636,7 +636,6 @@ Patch100: taint-vbox.patch Patch110: vmbugon-warnon.patch Patch390: defaults-acpi-video.patch -Patch391: acpi-video-dos.patch Patch396: acpi-sony-nonvs-blacklist.patch Patch450: input-kill-stupid-messages.patch @@ -661,9 +660,6 @@ Patch1000: devel-pekey-secure-boot-20130502.patch # DRM #atch1700: drm-edid-try-harder-to-fix-up-broken-headers.patch #Patch1800: drm-vgem.patch -Patch1701: drm-hotspot-cursor-backport.patch -Patch1705: drm-qxl-post-3.10-feature-fixes.patch -Patch1706: drm-qxl-post-3.10-features-part-2.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch @@ -727,49 +723,18 @@ Patch22001: selinux-apply-different-permission-to-ptrace-child.patch #rhbz 927469 Patch23006: fix-child-thread-introspection.patch -#rhbz 948262 -Patch25024: intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch - #CVE-2013-2147 rhbz 971242 971249 Patch25032: cve-2013-2147-ciss-info-leak.patch -#rhbz 954252 -Patch25036: scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch - -#rhbz 969644 -Patch25046: KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch - Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 903741 -Patch25052: HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch - -#rhbz 880035 -Patch25053: bridge-only-expire-the-mdb-entry-when-query-is-received.patch -Patch25054: bridge-send-query-as-soon-as-leave-is-received.patch -#rhbz 980254 -Patch25061: bridge-timer-fix.patch -Patch25066: bridge-do-not-call-setup_timer-multiple-times.patch - #rhbz 977040 Patch25056: iwl3945-better-skb-management-in-rx-path.patch Patch25057: iwl4965-better-skb-management-in-rx-path.patch -#rhbz 959721 -Patch25063: HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch - -#rhbz 969473 -Patch25070: Input-elantech-fix-for-newer-hardware-versions-v7.patch - -#rhbz 989138 -Patch25072: HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch - #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -Patch25078: ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #rhbz 1000679 Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch @@ -1351,7 +1316,6 @@ ApplyPatch arm-tegra-usb-no-reset-linux33.patch # ACPI ApplyPatch defaults-acpi-video.patch -ApplyPatch acpi-video-dos.patch ApplyPatch acpi-sony-nonvs-blacklist.patch # @@ -1400,9 +1364,6 @@ ApplyPatch devel-pekey-secure-boot-20130502.patch # Assorted Virt Fixes # DRM core -ApplyPatch drm-hotspot-cursor-backport.patch -ApplyPatch drm-qxl-post-3.10-feature-fixes.patch -ApplyPatch drm-qxl-post-3.10-features-part-2.patch #ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch #ApplyPatch drm-vgem.patch @@ -1455,49 +1416,18 @@ ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -#rhbz 948262 -ApplyPatch intel_iommu-Downgrade-the-warning-if-enabling-irq-remapping-fails.patch - #CVE-2013-2147 rhbz 971242 971249 ApplyPatch cve-2013-2147-ciss-info-leak.patch -#rhbz 954252 -ApplyPatch scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch - -#rhbz 969644 -ApplyPatch KVM-x86-handle-idiv-overflow-at-kvm_write_tsc.patch - ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 903741 -ApplyPatch HID-input-return-ENODATA-if-reading-battery-attrs-fails.patch - -#rhbz 880035 -ApplyPatch bridge-only-expire-the-mdb-entry-when-query-is-received.patch -ApplyPatch bridge-send-query-as-soon-as-leave-is-received.patch -#rhbz 980254 -ApplyPatch bridge-timer-fix.patch -ApplyPatch bridge-do-not-call-setup_timer-multiple-times.patch - #rhbz 977040 ApplyPatch iwl3945-better-skb-management-in-rx-path.patch ApplyPatch iwl4965-better-skb-management-in-rx-path.patch -#rhbz 959721 -ApplyPatch HID-kye-Add-report-fixup-for-Genius-Gila-Gaming-mouse.patch - -#rhbz 969473 -ApplyPatch Input-elantech-fix-for-newer-hardware-versions-v7.patch - -#rhbz 989138 -ApplyPatch HID-Revert-Revert-HID-Fix-logitech-dj-missing-Unifying-device-issue.patch - #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-0343 rhbz 914664 999380 -ApplyPatch ipv6-remove-max_addresses-check-from-ipv6_create_tempaddr.patch - #CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 #CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 @@ -2320,6 +2250,9 @@ fi # and build. %changelog +* Wed Sep 11 2013 Justin M. Forbes +- Linux v3.11 rebase + * Mon Sep 09 2013 Josh Boyer 3.10.11-200 - Fix system freeze due to incorrect rt2800 initialization (rhbz 1000679) diff --git a/nowatchdog-on-virt.patch b/nowatchdog-on-virt.patch index b20642204..87ab11a0f 100644 --- a/nowatchdog-on-virt.patch +++ b/nowatchdog-on-virt.patch @@ -12,7 +12,7 @@ Just disable the detector on VMs. Signed-off-by: Dave Jones diff --git a/kernel/watchdog.c b/kernel/watchdog.c -index 05039e3..a28aab9 100644 +index 1241d8c..b2dc4e4 100644 --- a/kernel/watchdog.c +++ b/kernel/watchdog.c @@ -24,6 +24,7 @@ @@ -30,7 +30,7 @@ index 05039e3..a28aab9 100644 +static int disable_watchdog(const struct dmi_system_id *d) +{ + printk(KERN_INFO "watchdog: disabled (inside virtual machine)\n"); -+ watchdog_enabled = 0; ++ watchdog_user_enabled = 0; + return 0; +} + @@ -56,12 +56,12 @@ index 05039e3..a28aab9 100644 /* * Hard-lockup warnings should be triggered after just a few seconds. Soft- * lockups can have false positives under extreme conditions. So we generally -@@ -543,6 +570,8 @@ static struct smp_hotplug_thread watchdog_threads = { +@@ -551,6 +578,8 @@ int proc_dowatchdog(struct ctl_table *table, int write, void __init lockup_detector_init(void) { + dmi_check_system(watchdog_virt_dmi_table); + set_sample_period(); - if (smpboot_register_percpu_thread(&watchdog_threads)) { - pr_err("Failed to create watchdog threads, disabled\n"); + + #ifdef CONFIG_NO_HZ_FULL diff --git a/rt2800-rearrange-bbp-rfcsr-initialization.patch b/rt2800-rearrange-bbp-rfcsr-initialization.patch index c782fc5d4..5b1e27c23 100644 --- a/rt2800-rearrange-bbp-rfcsr-initialization.patch +++ b/rt2800-rearrange-bbp-rfcsr-initialization.patch @@ -1,18 +1,40 @@ +My commit + +commit c630ccf1a127578421a928489d51e99c05037054 +Author: Stanislaw Gruszka +Date: Sat Mar 16 19:19:46 2013 +0100 + + rt2800: rearrange bbp/rfcsr initialization + +make Maxim machine freeze when try to start wireless device. + +Initialization order and sending MCU_BOOT_SIGNAL request, changed in +above commit, is important. Doing things incorrectly make PCIe bus +problems, which can froze the machine. + +This patch change initialization sequence like vendor driver do: +function NICInitializeAsic() from +2011_1007_RT5390_RT5392_Linux_STA_V2.5.0.3_DPO (PCI devices) and +DPO_RT5572_LinuxSTA_2.6.1.3_20121022 (according Mediatek, latest driver +for RT8070/RT3070/RT3370/RT3572/RT5370/RT5372/RT5572 USB devices). +It fixes freezes on Maxim system. + +Resolve: +https://bugzilla.redhat.com/show_bug.cgi?id=1000679 + +Reported-and-tested-by: Maxim Polyakov +Bisected-by: Igor Gnatenko +Cc: stable@vger.kernel.org # 3.10+ +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/rt2x00/rt2800lib.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index 7e66a90..6a70c27 100644 +index d217c9e..8f6820a 100644 --- a/drivers/net/wireless/rt2x00/rt2800lib.c +++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -4041,8 +4041,7 @@ static int rt2800_init_bbp(struct rt2x00_dev *rt2x00dev) - u8 reg_id; - u8 value; - -- if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev) || -- rt2800_wait_bbp_ready(rt2x00dev))) -+ if (unlikely(rt2800_wait_bbp_ready(rt2x00dev))) - return -EACCES; - - if (rt2x00_rt(rt2x00dev, RT5592)) { -@@ -5185,15 +5184,17 @@ int rt2800_enable_radio(struct rt2x00_dev *rt2x00dev) +@@ -6631,19 +6631,20 @@ int rt2800_enable_radio(struct rt2x00_dev *rt2x00dev) rt2800_init_registers(rt2x00dev))) return -EIO; @@ -32,4 +54,16 @@ index 7e66a90..6a70c27 100644 + rt2800_mcu_request(rt2x00dev, MCU_BOOT_SIGNAL, 0, 0, 0); msleep(1); - if (unlikely(rt2800_init_bbp(rt2x00dev))) +- if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev) || +- rt2800_wait_bbp_ready(rt2x00dev))) ++ if (unlikely(rt2800_wait_bbp_ready(rt2x00dev))) + return -EIO; + + rt2800_init_bbp(rt2x00dev); +-- +1.7.11.7 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch b/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch deleted file mode 100644 index d89b9f8e8..000000000 --- a/scsi-ipr-possible-irq-lock-inversion-dependency-detected.patch +++ /dev/null @@ -1,83 +0,0 @@ -When enable lockdep, seeing "possible irq lock inversion dependency detected" -error. This patch fixes the issue. - -Signed-off-by: Wen Xiong ---- - drivers/scsi/ipr.c | 17 +++++++++-------- - 1 file changed, 9 insertions(+), 8 deletions(-) - -Index: b/drivers/scsi/ipr.c -=================================================================== ---- a/drivers/scsi/ipr.c 2013-05-20 09:55:23.000000000 -0500 -+++ b/drivers/scsi/ipr.c 2013-05-20 10:00:34.548380858 -0500 -@@ -9408,7 +9408,7 @@ static int ipr_probe_ioa(struct pci_dev - void __iomem *ipr_regs; - int rc = PCIBIOS_SUCCESSFUL; - volatile u32 mask, uproc, interrupts; -- unsigned long lock_flags; -+ unsigned long lock_flags, driver_lock_flags; - - ENTER; - -@@ -9631,9 +9631,9 @@ static int ipr_probe_ioa(struct pci_dev - } else - ioa_cfg->reset = ipr_reset_start_bist; - -- spin_lock(&ipr_driver_lock); -+ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); - list_add_tail(&ioa_cfg->queue, &ipr_ioa_head); -- spin_unlock(&ipr_driver_lock); -+ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); - - LEAVE; - out: -@@ -9716,6 +9716,7 @@ static void __ipr_remove(struct pci_dev - unsigned long host_lock_flags = 0; - struct ipr_ioa_cfg *ioa_cfg = pci_get_drvdata(pdev); - int i; -+ unsigned long driver_lock_flags; - ENTER; - - spin_lock_irqsave(ioa_cfg->host->host_lock, host_lock_flags); -@@ -9739,9 +9740,9 @@ static void __ipr_remove(struct pci_dev - INIT_LIST_HEAD(&ioa_cfg->used_res_q); - spin_lock_irqsave(ioa_cfg->host->host_lock, host_lock_flags); - -- spin_lock(&ipr_driver_lock); -+ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); - list_del(&ioa_cfg->queue); -- spin_unlock(&ipr_driver_lock); -+ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); - - if (ioa_cfg->sdt_state == ABORT_DUMP) - ioa_cfg->sdt_state = WAIT_FOR_DUMP; -@@ -10007,12 +10008,12 @@ static int ipr_halt(struct notifier_bloc - { - struct ipr_cmnd *ipr_cmd; - struct ipr_ioa_cfg *ioa_cfg; -- unsigned long flags = 0; -+ unsigned long flags = 0, driver_lock_flags; - - if (event != SYS_RESTART && event != SYS_HALT && event != SYS_POWER_OFF) - return NOTIFY_DONE; - -- spin_lock(&ipr_driver_lock); -+ spin_lock_irqsave(&ipr_driver_lock, driver_lock_flags); - - list_for_each_entry(ioa_cfg, &ipr_ioa_head, queue) { - spin_lock_irqsave(ioa_cfg->host->host_lock, flags); -@@ -10030,7 +10031,7 @@ static int ipr_halt(struct notifier_bloc - ipr_do_req(ipr_cmd, ipr_halt_done, ipr_timeout, IPR_DEVICE_RESET_TIMEOUT); - spin_unlock_irqrestore(ioa_cfg->host->host_lock, flags); - } -- spin_unlock(&ipr_driver_lock); -+ spin_unlock_irqrestore(&ipr_driver_lock, driver_lock_flags); - - return NOTIFY_OK; - } - --- --- -To unsubscribe from this list: send the line "unsubscribe linux-scsi" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/sources b/sources index fb3a8ac24..97f72c19a 100644 --- a/sources +++ b/sources @@ -1,2 +1 @@ -4f25cd5bec5f8d5a7d935b3f2ccb8481 linux-3.10.tar.xz -9aadf2325fed53e971fe59bc6c7c3b89 patch-3.10.11.xz +fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz From 2ce57862768ba30423df43db00160a9250e83ec4 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 11 Sep 2013 14:46:31 -0400 Subject: [PATCH 202/468] Resolves: rhbz 963991 --- acpi-pcie-hotplug-conflict.patch | 149 +++++++++++++++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 158 insertions(+) create mode 100644 acpi-pcie-hotplug-conflict.patch diff --git a/acpi-pcie-hotplug-conflict.patch b/acpi-pcie-hotplug-conflict.patch new file mode 100644 index 000000000..4815b99fc --- /dev/null +++ b/acpi-pcie-hotplug-conflict.patch @@ -0,0 +1,149 @@ +commit 3dc48af310709b85d07c8b0d3aa8f1ead02829d3 +Author: Neil Horman +Date: Thu Aug 29 16:17:05 2013 -0400 + + PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available + + This fixes the problem of acpiphp claiming slots that should be managed + by pciehp, which may keep ExpressCard slots from working. + + The acpiphp driver claims PCIe slots unless the BIOS has granted us + control of PCIe native hotplug via _OSC. Prior to v3.10, the acpiphp + .add method (add_bridge()) was always called *after* we had requested + native hotplug control with _OSC. + + But after 3b63aaa70e ("PCI: acpiphp: Do not use ACPI PCI subdriver + mechanism"), which appeared in v3.10, acpiphp initialization is done + during the bus scan via the pcibios_add_bus() hook, and this happens + *before* we request native hotplug control. + + Therefore, acpiphp doesn't know yet whether the BIOS will grant control, + and it claims slots that we should be handling with native hotplug. + + This patch requests native hotplug control earlier, so we know whether + the BIOS granted it to us before we initialize acpiphp. + + To avoid reintroducing the ASPM issue fixed by b8178f130e ('Revert + "PCI/ACPI: Request _OSC control before scanning PCI root bus"'), we run + _OSC earlier but defer the actual ASPM calls until after the bus scan is + complete. + + Tested successfully by myself. + + [bhelgaas: changelog, mark for stable] + Reference: https://bugzilla.kernel.org/show_bug.cgi?id=60736 + Signed-off-by: Neil Horman + Signed-off-by: Bjorn Helgaas + Acked-by: Yinghai Lu + CC: stable@vger.kernel.org # v3.10+ + CC: Len Brown + CC: "Rafael J. Wysocki" + +diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c +index 5917839..a67853e 100644 +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device, + struct acpi_pci_root *root; + u32 flags, base_flags; + acpi_handle handle = device->handle; ++ bool no_aspm = false, clear_aspm = false; + + root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL); + if (!root) +@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device, + flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT; + acpi_pci_osc_support(root, flags); + +- /* +- * TBD: Need PCI interface for enumeration/configuration of roots. +- */ +- +- /* +- * Scan the Root Bridge +- * -------------------- +- * Must do this prior to any attempt to bind the root device, as the +- * PCI namespace does not get created until this call is made (and +- * thus the root bridge's pci_dev does not exist). +- */ +- root->bus = pci_acpi_scan_root(root); +- if (!root->bus) { +- dev_err(&device->dev, +- "Bus %04x:%02x not present in PCI namespace\n", +- root->segment, (unsigned int)root->secondary.start); +- result = -ENODEV; +- goto end; +- } +- +- /* Indicate support for various _OSC capabilities. */ + if (pci_ext_cfg_avail()) + flags |= OSC_EXT_PCI_CONFIG_SUPPORT; + if (pcie_aspm_support_enabled()) { +@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device, + if (ACPI_FAILURE(status)) { + dev_info(&device->dev, "ACPI _OSC support " + "notification failed, disabling PCIe ASPM\n"); +- pcie_no_aspm(); ++ no_aspm = true; + flags = base_flags; + } + } +@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device, + * We have ASPM control, but the FADT indicates + * that it's unsupported. Clear it. + */ +- pcie_clear_aspm(root->bus); ++ clear_aspm = true; + } + } else { + dev_info(&device->dev, +@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device, + acpi_format_exception(status), flags); + dev_info(&device->dev, + "ACPI _OSC control for PCIe not granted, disabling ASPM\n"); +- pcie_no_aspm(); ++ /* ++ * We want to disable ASPM here, but aspm_disabled ++ * needs to remain in its state from boot so that we ++ * properly handle PCIe 1.1 devices. So we set this ++ * flag here, to defer the action until after the ACPI ++ * root scan. ++ */ ++ no_aspm = true; + } + } else { + dev_info(&device->dev, +@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device, + "(_OSC support mask: 0x%02x)\n", flags); + } + ++ /* ++ * TBD: Need PCI interface for enumeration/configuration of roots. ++ */ ++ ++ /* ++ * Scan the Root Bridge ++ * -------------------- ++ * Must do this prior to any attempt to bind the root device, as the ++ * PCI namespace does not get created until this call is made (and ++ * thus the root bridge's pci_dev does not exist). ++ */ ++ root->bus = pci_acpi_scan_root(root); ++ if (!root->bus) { ++ dev_err(&device->dev, ++ "Bus %04x:%02x not present in PCI namespace\n", ++ root->segment, (unsigned int)root->secondary.start); ++ result = -ENODEV; ++ goto end; ++ } ++ ++ if (clear_aspm) { ++ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n"); ++ pcie_clear_aspm(root->bus); ++ } ++ if (no_aspm) ++ pcie_no_aspm(); ++ + pci_acpi_add_bus_pm_notifier(device, root->bus); + if (device->wakeup.flags.run_wake) + device_set_run_wake(root->bus->bridge, true); diff --git a/kernel.spec b/kernel.spec index aae273169..838bb8f1c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -745,6 +745,9 @@ Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 Patch25099: HID-CVE-fixes.patch +#rhbz 963991 +Patch26000: acpi-pcie-hotplug-conflict.patch + # END OF PATCH DEFINITIONS %endif @@ -1438,6 +1441,9 @@ ApplyPatch HID-CVE-fixes.patch #rhbz 1000679 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch +#rhbz 963991 +ApplyPatch acpi-pcie-hotplug-conflict.patch + # END OF PATCH APPLICATIONS %endif @@ -2250,6 +2256,9 @@ fi # and build. %changelog +* Wed Sep 11 2013 Neil Horman +- Fix pcie/acpi hotplug conflict (rhbz 963991) + * Wed Sep 11 2013 Justin M. Forbes - Linux v3.11 rebase From 648716ae0362ff78f9022e9fde6bff072d27f382 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 11 Sep 2013 11:03:20 -0400 Subject: [PATCH 203/468] Resolves: rhbz1002351 --- crypto-fix-race-in-larval-lookup.patch | 44 ++++++++++++++++++++++++++ kernel.spec | 7 ++++ 2 files changed, 51 insertions(+) create mode 100644 crypto-fix-race-in-larval-lookup.patch diff --git a/crypto-fix-race-in-larval-lookup.patch b/crypto-fix-race-in-larval-lookup.patch new file mode 100644 index 000000000..d1b19419e --- /dev/null +++ b/crypto-fix-race-in-larval-lookup.patch @@ -0,0 +1,44 @@ +commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa +Author: Herbert Xu +Date: Sun Sep 8 14:33:50 2013 +1000 + + crypto: api - Fix race condition in larval lookup + + crypto_larval_lookup should only return a larval if it created one. + Any larval created by another entity must be processed through + crypto_larval_wait before being returned. + + Otherwise this will lead to a larval being killed twice, which + will most likely lead to a crash. + + Cc: stable@vger.kernel.org + Reported-by: Kees Cook + Tested-by: Kees Cook + Signed-off-by: Herbert Xu + +diff --git a/crypto/api.c b/crypto/api.c +index 320ea4d..a2b39c5 100644 +--- a/crypto/api.c ++++ b/crypto/api.c +@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem); + BLOCKING_NOTIFIER_HEAD(crypto_chain); + EXPORT_SYMBOL_GPL(crypto_chain); + ++static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); ++ + struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) + { + return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL; +@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type, + } + up_write(&crypto_alg_sem); + +- if (alg != &larval->alg) ++ if (alg != &larval->alg) { + kfree(larval); ++ if (crypto_is_larval(alg)) ++ alg = crypto_larval_wait(alg); ++ } + + return alg; + } diff --git a/kernel.spec b/kernel.spec index 838bb8f1c..44f4ffcbf 100644 --- a/kernel.spec +++ b/kernel.spec @@ -748,6 +748,9 @@ Patch25099: HID-CVE-fixes.patch #rhbz 963991 Patch26000: acpi-pcie-hotplug-conflict.patch +#rhbz 1002351 +Patch25100: crypto-fix-race-in-larval-lookup.patch + # END OF PATCH DEFINITIONS %endif @@ -1444,6 +1447,9 @@ ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch #rhbz 963991 ApplyPatch acpi-pcie-hotplug-conflict.patch +#rhbz1002351 +ApplyPatch crypto-fix-race-in-larval-lookup.patch + # END OF PATCH APPLICATIONS %endif @@ -2258,6 +2264,7 @@ fi %changelog * Wed Sep 11 2013 Neil Horman - Fix pcie/acpi hotplug conflict (rhbz 963991) +- Fix race in crypto larval lookup * Wed Sep 11 2013 Justin M. Forbes - Linux v3.11 rebase From 2a317eec163baf88ca893ed6f2813f7f00739eb4 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Sep 2013 08:28:23 -0400 Subject: [PATCH 204/468] Fix spec warnings warning: Macro %kernel_modules needs whitespace before body --- kernel.spec | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/kernel.spec b/kernel.spec index 44f4ffcbf..01a7d462b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -944,9 +944,9 @@ against the %{?2:%{2} }kernel package.\ # # This macro creates a kernel--modules-extra package. -# %%kernel_modules-extra_package +# %%kernel_modules_extra_package # -%define kernel_modules-extra_package() \ +%define kernel_modules_extra_package() \ %package %{?1:%{1}-}modules-extra\ Summary: Extra kernel modules to match the %{?2:%{2} }kernel\ Group: System Environment/Kernel\ @@ -972,14 +972,14 @@ Summary: %{variant_summary}\ Group: System Environment/Kernel\ %kernel_reqprovconf\ %{expand:%%kernel_devel_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\ -%{expand:%%kernel_modules-extra_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\ +%{expand:%%kernel_modules_extra_package %1 %{!?-n:%1}%{?-n:%{-n*}}}\ %{expand:%%kernel_debuginfo_package %1}\ %{nil} # First the auxiliary packages of the main kernel package. %kernel_devel_package -%kernel_modules-extra_package +%kernel_modules_extra_package %kernel_debuginfo_package @@ -2053,7 +2053,7 @@ fi\ # # This macro defines a %%post script for a kernel*-modules-extra package. -# %%kernel_modules-extra_post [] +# %%kernel_modules_extra_post [] # %define kernel_modules_extra_post() \ %{expand:%%post %{?1:%{1}-}modules-extra}\ From 56e2e2da39b5d453da894eaf8caf3e8649cd7c8d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Sep 2013 09:20:08 -0400 Subject: [PATCH 205/468] Update HID CVE fixes to fix crash from lenovo-tpkbd driver (rhbz 1003998) --- HID-CVE-fixes-3.11.patch | 1119 ++++++++++++++++++++++++++++++ HID-CVE-fixes.patch | 1405 -------------------------------------- kernel.spec | 9 +- 3 files changed, 1125 insertions(+), 1408 deletions(-) create mode 100644 HID-CVE-fixes-3.11.patch delete mode 100644 HID-CVE-fixes.patch diff --git a/HID-CVE-fixes-3.11.patch b/HID-CVE-fixes-3.11.patch new file mode 100644 index 000000000..b2d7f1990 --- /dev/null +++ b/HID-CVE-fixes-3.11.patch @@ -0,0 +1,1119 @@ +From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:29:55 +0200 +Subject: [PATCH 01/16] HID: validate HID report id size + +The "Report ID" field of a HID report is used to build indexes of +reports. The kernel's index of these is limited to 256 entries, so any +malicious device that sets a Report ID greater than 255 will trigger +memory corruption on the host: + +[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 +[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b + +CVE-2013-2888 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-core.c | 10 +++++++--- + include/linux/hid.h | 4 +++- + 2 files changed, 10 insertions(+), 4 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 36668d1..5ea7d51 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, + struct hid_report_enum *report_enum = device->report_enum + type; + struct hid_report *report; + ++ if (id >= HID_MAX_IDS) ++ return NULL; + if (report_enum->report_id_hash[id]) + return report_enum->report_id_hash[id]; + +@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) + + case HID_GLOBAL_ITEM_TAG_REPORT_ID: + parser->global.report_id = item_udata(item); +- if (parser->global.report_id == 0) { +- hid_err(parser->device, "report_id 0 is invalid\n"); ++ if (parser->global.report_id == 0 || ++ parser->global.report_id >= HID_MAX_IDS) { ++ hid_err(parser->device, "report_id %u is invalid\n", ++ parser->global.report_id); + return -1; + } + return 0; +@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) + for (i = 0; i < HID_REPORT_TYPES; i++) { + struct hid_report_enum *report_enum = device->report_enum + i; + +- for (j = 0; j < 256; j++) { ++ for (j = 0; j < HID_MAX_IDS; j++) { + struct hid_report *report = report_enum->report_id_hash[j]; + if (report) + hid_free_report(report); +diff --git a/include/linux/hid.h b/include/linux/hid.h +index 0c48991..ff545cc 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -393,10 +393,12 @@ struct hid_report { + struct hid_device *device; /* associated device */ + }; + ++#define HID_MAX_IDS 256 ++ + struct hid_report_enum { + unsigned numbered; + struct list_head report_list; +- struct hid_report *report_id_hash[256]; ++ struct hid_report *report_id_hash[HID_MAX_IDS]; + }; + + #define HID_REPORT_TYPES 3 +-- +1.8.3.1 + + +From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:50 +0200 +Subject: [PATCH 02/16] HID: provide a helper for validating hid reports + +Many drivers need to validate the characteristics of their HID report +during initialization to avoid misusing the reports. This adds a common +helper to perform validation of the report exisitng, the field existing, +and the expected number of values within the field. + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires +--- + drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++ + include/linux/hid.h | 4 ++++ + 2 files changed, 62 insertions(+) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 5ea7d51..65ee459 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -759,6 +759,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) + } + EXPORT_SYMBOL_GPL(hid_parse_report); + ++static const char * const hid_report_names[] = { ++ "HID_INPUT_REPORT", ++ "HID_OUTPUT_REPORT", ++ "HID_FEATURE_REPORT", ++}; ++/** ++ * hid_validate_values - validate existing device report's value indexes ++ * ++ * @device: hid device ++ * @type: which report type to examine ++ * @id: which report ID to examine (0 for first) ++ * @field_index: which report field to examine ++ * @report_counts: expected number of values ++ * ++ * Validate the number of values in a given field of a given report, after ++ * parsing. ++ */ ++struct hid_report *hid_validate_values(struct hid_device *hid, ++ unsigned int type, unsigned int id, ++ unsigned int field_index, ++ unsigned int report_counts) ++{ ++ struct hid_report *report; ++ ++ if (type > HID_FEATURE_REPORT) { ++ hid_err(hid, "invalid HID report type %u\n", type); ++ return NULL; ++ } ++ ++ if (id >= HID_MAX_IDS) { ++ hid_err(hid, "invalid HID report id %u\n", id); ++ return NULL; ++ } ++ ++ /* ++ * Explicitly not using hid_get_report() here since it depends on ++ * ->numbered being checked, which may not always be the case when ++ * drivers go to access report values. ++ */ ++ report = hid->report_enum[type].report_id_hash[id]; ++ if (!report) { ++ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); ++ return NULL; ++ } ++ if (report->maxfield <= field_index) { ++ hid_err(hid, "not enough fields in %s %u\n", ++ hid_report_names[type], id); ++ return NULL; ++ } ++ if (report->field[field_index]->report_count < report_counts) { ++ hid_err(hid, "not enough values in %s %u field %u\n", ++ hid_report_names[type], id, field_index); ++ return NULL; ++ } ++ return report; ++} ++EXPORT_SYMBOL_GPL(hid_validate_values); ++ + /** + * hid_open_report - open a driver-specific device report + * +diff --git a/include/linux/hid.h b/include/linux/hid.h +index ff545cc..6e18550 100644 +--- a/include/linux/hid.h ++++ b/include/linux/hid.h +@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); + struct hid_device *hid_allocate_device(void); + struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); + int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); ++struct hid_report *hid_validate_values(struct hid_device *hid, ++ unsigned int type, unsigned int id, ++ unsigned int field_index, ++ unsigned int report_counts); + int hid_open_report(struct hid_device *device); + int hid_check_keys_pressed(struct hid_device *hid); + int hid_connect(struct hid_device *hid, unsigned int connect_mask); +-- +1.8.3.1 + + +From 51bc0244e9e62b25e4f64f7cb87764a0c0692131 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:51 +0200 +Subject: [PATCH 03/16] HID: zeroplus: validate output report details + +The zeroplus HID driver was not checking the size of allocated values +in fields it used. A HID device could send a malicious output report +that would cause the driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 +... +[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2889 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires +--- + drivers/hid/hid-zpff.c | 18 +++++------------- + 1 file changed, 5 insertions(+), 13 deletions(-) + +diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c +index 6ec28a3..a29756c 100644 +--- a/drivers/hid/hid-zpff.c ++++ b/drivers/hid/hid-zpff.c +@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid) + struct hid_report *report; + struct hid_input *hidinput = list_entry(hid->inputs.next, + struct hid_input, list); +- struct list_head *report_list = +- &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- int error; ++ int i, error; + +- if (list_empty(report_list)) { +- hid_err(hid, "no output report found\n"); +- return -ENODEV; +- } +- +- report = list_entry(report_list->next, struct hid_report, list); +- +- if (report->maxfield < 4) { +- hid_err(hid, "not enough fields in report\n"); +- return -ENODEV; ++ for (i = 0; i < 4; i++) { ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); ++ if (!report) ++ return -ENODEV; + } + + zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); +-- +1.8.3.1 + + +From 0d998969132672bab9942e3308058d212574a2f8 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:52 +0200 +Subject: [PATCH 04/16] HID: sony: validate HID output report details + +This driver must validate the availability of the HID output report and +its size before it can write LED states via buzz_set_leds(). This stops +a heap overflow that is possible if a device provides a malicious HID +output report: + +[ 108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002 +... +[ 117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten + +CVE-2013-2890 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires +--- + drivers/hid/hid-sony.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c +index 87fbe29..334a4b5 100644 +--- a/drivers/hid/hid-sony.c ++++ b/drivers/hid/hid-sony.c +@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev) + drv_data = hid_get_drvdata(hdev); + BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER)); + ++ /* Validate expected report characteristics. */ ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7)) ++ return -ENODEV; ++ + buzz = kzalloc(sizeof(*buzz), GFP_KERNEL); + if (!buzz) { + hid_err(hdev, "Insufficient memory, cannot allocate driver data\n"); +-- +1.8.3.1 + + +From 5b029acf571f94193ff8a757340fd37a7f88ae0b Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:53 +0200 +Subject: [PATCH 05/16] HID: steelseries: validate output report details + +A HID device could send a malicious output report that would cause the +steelseries HID driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 +... +[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten + +CVE-2013-2891 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires +--- + drivers/hid/hid-steelseries.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c +index d164911..29f328f 100644 +--- a/drivers/hid/hid-steelseries.c ++++ b/drivers/hid/hid-steelseries.c +@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, + goto err_free; + } + ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) { ++ ret = -ENODEV; ++ goto err_free; ++ } ++ + ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); + if (ret) { + hid_err(hdev, "hw start failed\n"); +-- +1.8.3.1 + + +From e846e9b33d65246ed807156a114c65cdfece0d12 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:54 +0200 +Subject: [PATCH 06/16] HID: LG: validate HID output report details + +A HID device could send a malicious output report that would cause the +lg, lg3, and lg4 HID drivers to write beyond the output report allocation +during an event, causing a heap overflow: + +[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 +... +[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten + +Additionally, while lg2 did correctly validate the report details, it was +cleaned up and shortened. + +CVE-2013-2893 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Reviewed-by: Benjamin Tissoires +--- + drivers/hid/hid-lg2ff.c | 19 +++---------------- + drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- + drivers/hid/hid-lg4ff.c | 20 +------------------- + drivers/hid/hid-lgff.c | 17 ++--------------- + 4 files changed, 12 insertions(+), 73 deletions(-) + +diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c +index b3cd150..1a42eaa 100644 +--- a/drivers/hid/hid-lg2ff.c ++++ b/drivers/hid/hid-lg2ff.c +@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) + struct hid_report *report; + struct hid_input *hidinput = list_entry(hid->inputs.next, + struct hid_input, list); +- struct list_head *report_list = +- &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; + int error; + +- if (list_empty(report_list)) { +- hid_err(hid, "no output report found\n"); ++ /* Check that the report looks ok */ ++ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7); ++ if (!report) + return -ENODEV; +- } +- +- report = list_entry(report_list->next, struct hid_report, list); +- +- if (report->maxfield < 1) { +- hid_err(hid, "output report is empty\n"); +- return -ENODEV; +- } +- if (report->field[0]->report_count < 7) { +- hid_err(hid, "not enough values in the field\n"); +- return -ENODEV; +- } + + lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); + if (!lg2ff) +diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c +index e52f181..8c2da18 100644 +--- a/drivers/hid/hid-lg3ff.c ++++ b/drivers/hid/hid-lg3ff.c +@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, + int x, y; + + /* +- * Maxusage should always be 63 (maximum fields) +- * likely a better way to ensure this data is clean ++ * Available values in the field should always be 63, but we only use up to ++ * 35. Instead, clear the entire area, however big it is. + */ +- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); ++ memset(report->field[0]->value, 0, ++ sizeof(__s32) * report->field[0]->report_count); + + switch (effect->type) { + case FF_CONSTANT: +@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { + int lg3ff_init(struct hid_device *hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + const signed short *ff_bits = ff3_joystick_ac; + int error; + int i; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- if (!report) { +- hid_err(hid, "NULL output report\n"); +- return -1; +- } +- +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35)) ++ return -ENODEV; + + /* Assume single fixed device G940 */ + for (i = 0; ff_bits[i] >= 0; i++) +diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c +index 0ddae2a..8782fe1 100644 +--- a/drivers/hid/hid-lg4ff.c ++++ b/drivers/hid/hid-lg4ff.c +@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde + int lg4ff_init(struct hid_device *hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + struct lg4ff_device_entry *entry; + struct lg_drv_data *drv_data; + struct usb_device_descriptor *udesc; + int error, i, j; + __u16 bcdDevice, rev_maj, rev_min; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- if (!report) { +- hid_err(hid, "NULL output report\n"); ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) + return -1; +- } +- +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } + + /* Check what wheel has been connected */ + for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { +diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c +index d7ea8c8..e1394af 100644 +--- a/drivers/hid/hid-lgff.c ++++ b/drivers/hid/hid-lgff.c +@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) + int lgff_init(struct hid_device* hid) + { + struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); +- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; + struct input_dev *dev = hidinput->input; +- struct hid_report *report; +- struct hid_field *field; + const signed short *ff_bits = ff_joystick; + int error; + int i; + +- /* Find the report to use */ +- if (list_empty(report_list)) { +- hid_err(hid, "No output report found\n"); +- return -1; +- } +- + /* Check that the report looks ok */ +- report = list_entry(report_list->next, struct hid_report, list); +- field = report->field[0]; +- if (!field) { +- hid_err(hid, "NULL field\n"); +- return -1; +- } ++ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) ++ return -ENODEV; + + for (i = 0; i < ARRAY_SIZE(devices); i++) { + if (dev->id.vendor == devices[i].idVendor && +-- +1.8.3.1 + + +From 0317e971d90e3e2e312074386a2349b2ef48d1d0 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:55 +0200 +Subject: [PATCH 07/16] HID: lenovo-tpkbd: validate output report details + +From: Kees Cook + +A HID device could send a malicious output report that would cause the +lenovo-tpkbd HID driver to write just beyond the output report allocation +during initialization, causing a heap overflow: + +[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 +... +[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2894 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- + drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++- + 1 file changed, 9 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c +index 07837f5..762d988 100644 +--- a/drivers/hid/hid-lenovo-tpkbd.c ++++ b/drivers/hid/hid-lenovo-tpkbd.c +@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev) + struct tpkbd_data_pointer *data_pointer; + size_t name_sz = strlen(dev_name(dev)) + 16; + char *name_mute, *name_micmute; +- int ret; ++ int i, ret; ++ ++ /* Validate required reports. */ ++ for (i = 0; i < 4; i++) { ++ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1)) ++ return -ENODEV; ++ } ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2)) ++ return -ENODEV; + + if (sysfs_create_group(&hdev->dev.kobj, + &tpkbd_attr_group_pointer)) { +-- +1.8.3.1 + + +From 978474c73af6764f1c2c5409585221e6d438b16c Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 11 Sep 2013 21:56:56 +0200 +Subject: [PATCH 08/16] HID: logitech-dj: validate output report details + +A HID device could send a malicious output report that would cause the +logitech-dj HID driver to leak kernel memory contents to the device, or +trigger a NULL dereference during initialization: + +[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b +... +[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 +[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 + +CVE-2013-2895 + +Signed-off-by: Kees Cook +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- + drivers/hid/hid-logitech-dj.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c +index cd33084..a2469b5 100644 +--- a/drivers/hid/hid-logitech-dj.c ++++ b/drivers/hid/hid-logitech-dj.c +@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, + struct hid_report *report; + struct hid_report_enum *output_report_enum; + u8 *data = (u8 *)(&dj_report->device_index); +- int i; ++ unsigned int i; + + output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; + report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; +@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, + return -ENODEV; + } + +- for (i = 0; i < report->field[0]->report_count; i++) ++ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++) + report->field[0]->value[i] = data[i]; + + hid_hw_request(hdev, report, HID_REQ_SET_REPORT); +@@ -783,6 +783,12 @@ static int logi_dj_probe(struct hid_device *hdev, + goto hid_parse_fail; + } + ++ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, ++ 0, DJREPORT_SHORT_LENGTH - 1)) { ++ retval = -ENODEV; ++ goto hid_parse_fail; ++ } ++ + /* Starts the usb device and connects to upper interfaces hiddev and + * hidraw */ + retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); +-- +1.8.3.1 + + +From 9445e3a28eb6365c54dae729d184c4c3b6b43d60 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Wed, 11 Sep 2013 21:56:57 +0200 +Subject: [PATCH 09/16] HID: validate feature and input report details + +When dealing with usage_index, be sure to properly use unsigned instead of +int to avoid overflows. + +When working on report fields, always validate that their report_counts are +in bounds. +Without this, a HID device could report a malicious feature report that +could trick the driver into a heap overflow: + +[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 +... +[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2897 + +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- + drivers/hid/hid-core.c | 16 +++++++--------- + drivers/hid/hid-input.c | 11 ++++++++++- + 2 files changed, 17 insertions(+), 10 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 65ee459..08500bc 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report); + static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) + { + struct hid_field *field; +- int i; + + if (report->maxfield == HID_MAX_FIELDS) { + hid_err(report->device, "too many fields in report\n"); +@@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned + field->value = (s32 *)(field->usage + usages); + field->report = report; + +- for (i = 0; i < usages; i++) +- field->usage[i].usage_index = i; +- + return field; + } + +@@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + { + struct hid_report *report; + struct hid_field *field; +- int usages; ++ unsigned usages; + unsigned offset; +- int i; ++ unsigned i; + + report = hid_register_report(parser->device, report_type, parser->global.report_id); + if (!report) { +@@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + if (!parser->local.usage_index) /* Ignore padding fields */ + return 0; + +- usages = max_t(int, parser->local.usage_index, parser->global.report_count); ++ usages = max_t(unsigned, parser->local.usage_index, ++ parser->global.report_count); + + field = hid_register_field(report, usages, parser->global.report_count); + if (!field) +@@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign + field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); + + for (i = 0; i < usages; i++) { +- int j = i; ++ unsigned j = i; + /* Duplicate the last usage we parsed if we have excess values */ + if (i >= parser->local.usage_index) + j = parser->local.usage_index - 1; + field->usage[i].hid = parser->local.usage[j]; + field->usage[i].collection_index = + parser->local.collection_index[j]; ++ field->usage[i].usage_index = i; + } + + field->maxusage = usages; +@@ -1290,7 +1288,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, + goto out; + } + +- if (hid->claimed != HID_CLAIMED_HIDRAW) { ++ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { + for (a = 0; a < report->maxfield; a++) + hid_input_field(hid, report->field[a], cdata, interrupt); + hdrv = hid->driver; +diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c +index 7480799..3ac2138 100644 +--- a/drivers/hid/hid-input.c ++++ b/drivers/hid/hid-input.c +@@ -477,6 +477,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel + if (field->flags & HID_MAIN_ITEM_CONSTANT) + goto ignore; + ++ /* Ignore if report count is out of bounds. */ ++ if (field->report_count < 1) ++ goto ignore; ++ + /* only LED usages are supported in output fields */ + if (field->report_type == HID_OUTPUT_REPORT && + (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { +@@ -1160,7 +1164,11 @@ static void report_features(struct hid_device *hid) + + rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; + list_for_each_entry(rep, &rep_enum->report_list, list) +- for (i = 0; i < rep->maxfield; i++) ++ for (i = 0; i < rep->maxfield; i++) { ++ /* Ignore if report count is out of bounds. */ ++ if (rep->field[i]->report_count < 1) ++ continue; ++ + for (j = 0; j < rep->field[i]->maxusage; j++) { + /* Verify if Battery Strength feature is available */ + hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); +@@ -1169,6 +1177,7 @@ static void report_features(struct hid_device *hid) + drv->feature_mapping(hid, rep->field[i], + rep->field[i]->usage + j); + } ++ } + } + + static struct hid_input *hidinput_allocate(struct hid_device *hid) +-- +1.8.3.1 + + +From cc8d6c5e14fbffc3349dcd35c21fa46f1143070d Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Wed, 11 Sep 2013 21:56:58 +0200 +Subject: [PATCH 10/16] HID: multitouch: validate indexes details + +When working on report indexes, always validate that they are in bounds. +Without this, a HID device could report a malicious feature report that +could trick the driver into a heap overflow: + +[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 +... +[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +Note that we need to change the indexes from s8 to s16 as they can +be between -1 and 255. + +CVE-2013-2897 + +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- + drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------ + 1 file changed, 14 insertions(+), 12 deletions(-) + +diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c +index cb0e361..2d3677c 100644 +--- a/drivers/hid/hid-multitouch.c ++++ b/drivers/hid/hid-multitouch.c +@@ -101,9 +101,9 @@ struct mt_device { + unsigned last_slot_field; /* the last field of a slot */ + unsigned mt_report_id; /* the report ID of the multitouch device */ + unsigned pen_report_id; /* the report ID of the pen device */ +- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ +- __s8 inputmode_index; /* InputMode HID feature index in the report */ +- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature, ++ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ ++ __s16 inputmode_index; /* InputMode HID feature index in the report */ ++ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature, + -1 if non-existent */ + __u8 num_received; /* how many contacts we received */ + __u8 num_expected; /* expected last contact index */ +@@ -317,20 +317,18 @@ static void mt_feature_mapping(struct hid_device *hdev, + struct hid_field *field, struct hid_usage *usage) + { + struct mt_device *td = hid_get_drvdata(hdev); +- int i; + + switch (usage->hid) { + case HID_DG_INPUTMODE: +- td->inputmode = field->report->id; +- td->inputmode_index = 0; /* has to be updated below */ +- +- for (i=0; i < field->maxusage; i++) { +- if (field->usage[i].hid == usage->hid) { +- td->inputmode_index = i; +- break; +- } ++ /* Ignore if value index is out of bounds. */ ++ if (usage->usage_index >= field->report_count) { ++ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); ++ break; + } + ++ td->inputmode = field->report->id; ++ td->inputmode_index = usage->usage_index; ++ + break; + case HID_DG_CONTACTMAX: + td->maxcontact_report_id = field->report->id; +@@ -536,6 +534,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi, + mt_store_field(usage, td, hi); + return 1; + case HID_DG_CONTACTCOUNT: ++ /* Ignore if indexes are out of bounds. */ ++ if (field->index >= field->report->maxfield || ++ usage->usage_index >= field->report_count) ++ return 1; + td->cc_index = field->index; + td->cc_value_index = usage->usage_index; + return 1; +-- +1.8.3.1 + + +From 01b52229ddc746c56b2a7756eed46b1f98673bea Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Wed, 11 Sep 2013 21:56:59 +0200 +Subject: [PATCH 11/16] HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails + +If tpkbd_probe_tp() bails out, the probe() function return an error, +but hid_hw_stop() is never called. + +fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=1003998 + +Cc: stable@vger.kernel.org +Signed-off-by: Benjamin Tissoires +--- + drivers/hid/hid-lenovo-tpkbd.c | 15 ++++++++++----- + 1 file changed, 10 insertions(+), 5 deletions(-) + +diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c +index 762d988..31cf29a 100644 +--- a/drivers/hid/hid-lenovo-tpkbd.c ++++ b/drivers/hid/hid-lenovo-tpkbd.c +@@ -414,22 +414,27 @@ static int tpkbd_probe(struct hid_device *hdev, + ret = hid_parse(hdev); + if (ret) { + hid_err(hdev, "hid_parse failed\n"); +- goto err_free; ++ goto err; + } + + ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); + if (ret) { + hid_err(hdev, "hid_hw_start failed\n"); +- goto err_free; ++ goto err; + } + + uhdev = (struct usbhid_device *) hdev->driver_data; + +- if (uhdev->ifnum == 1) +- return tpkbd_probe_tp(hdev); ++ if (uhdev->ifnum == 1) { ++ ret = tpkbd_probe_tp(hdev); ++ if (ret) ++ goto err_hid; ++ } + + return 0; +-err_free: ++err_hid: ++ hid_hw_stop(hdev); ++err: + return ret; + } + +-- +1.8.3.1 + + +From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:32:01 +0200 +Subject: [PATCH 12/16] HID: check for NULL field when setting values + +Defensively check that the field to be worked on is not NULL. + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-core.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 08500bc..e331cb1 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); + + int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) + { +- unsigned size = field->report_size; ++ unsigned size; ++ ++ if (!field) ++ return -1; ++ ++ size = field->report_size; + + hid_dump_input(field->report->device, field->usage + offset, value); + +-- +1.8.3.1 + + +From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:30:49 +0200 +Subject: [PATCH 13/16] HID: pantherlord: validate output report details + +A HID device could send a malicious output report that would cause the +pantherlord HID driver to write beyond the output report allocation +during initialization, causing a heap overflow: + +[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 +... +[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten + +CVE-2013-2892 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-pl.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c +index d29112f..2dcd7d9 100644 +--- a/drivers/hid/hid-pl.c ++++ b/drivers/hid/hid-pl.c +@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) + strong = &report->field[0]->value[2]; + weak = &report->field[0]->value[3]; + debug("detected single-field device"); +- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && +- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { ++ } else if (report->field[0]->maxusage == 1 && ++ report->field[0]->usage[0].hid == ++ (HID_UP_LED | 0x43) && ++ report->maxfield >= 4 && ++ report->field[0]->report_count >= 1 && ++ report->field[1]->report_count >= 1 && ++ report->field[2]->report_count >= 1 && ++ report->field[3]->report_count >= 1) { + report->field[0]->value[0] = 0x00; + report->field[1]->value[0] = 0x00; + strong = &report->field[2]->value[0]; +-- +1.8.3.1 + + +From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:28 +0200 +Subject: [PATCH 14/16] HID: ntrig: validate feature report details + +A HID device could send a malicious feature report that would cause the +ntrig HID driver to trigger a NULL dereference during initialization: + +[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 +... +[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 +[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] + +CVE-2013-2896 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Signed-off-by: Rafi Rubin +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-ntrig.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c +index ef95102..5482156 100644 +--- a/drivers/hid/hid-ntrig.c ++++ b/drivers/hid/hid-ntrig.c +@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) + struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. + report_id_hash[0x0d]; + +- if (!report) ++ if (!report || report->maxfield < 1 || ++ report->field[0]->report_count < 1) + return -EINVAL; + + hid_hw_request(hdev, report, HID_REQ_GET_REPORT); +-- +1.8.3.1 + + +From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:44 +0200 +Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details + +A HID device could send a malicious feature report that would cause the +sensor-hub HID driver to read past the end of heap allocation, leaking +kernel memory contents to the caller. + +CVE-2013-2898 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Reviewed-by: Mika Westerberg +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-sensor-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c +index ca749810..aa34755 100644 +--- a/drivers/hid/hid-sensor-hub.c ++++ b/drivers/hid/hid-sensor-hub.c +@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, + + mutex_lock(&data->mutex); + report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); +- if (!report || (field_index >= report->maxfield)) { ++ if (!report || (field_index >= report->maxfield) || ++ report->field[field_index]->report_count < 1) { + ret = -EINVAL; + goto done_proc; + } +-- +1.8.3.1 + + +From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Wed, 28 Aug 2013 22:31:52 +0200 +Subject: [PATCH 16/16] HID: picolcd_core: validate output report details +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +A HID device could send a malicious output report that would cause the +picolcd HID driver to trigger a NULL dereference during attr file writing. + +[jkosina@suse.cz: changed + + report->maxfield < 1 + +to + + report->maxfield != 1 + +as suggested by Bruno]. + +CVE-2013-2899 + +Signed-off-by: Kees Cook +Cc: stable@kernel.org +Reviewed-by: Bruno Prémont +Acked-by: Bruno Prémont +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-picolcd_core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c +index b48092d..acbb0210 100644 +--- a/drivers/hid/hid-picolcd_core.c ++++ b/drivers/hid/hid-picolcd_core.c +@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, + buf += 10; + cnt -= 10; + } +- if (!report) ++ if (!report || report->maxfield != 1) + return -EINVAL; + + while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) +-- +1.8.3.1 + diff --git a/HID-CVE-fixes.patch b/HID-CVE-fixes.patch deleted file mode 100644 index 2b52d013f..000000000 --- a/HID-CVE-fixes.patch +++ /dev/null @@ -1,1405 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 01/14] HID: validate HID report id size -Date: Wed, 28 Aug 2013 22:29:55 +0200 (CEST) -Lines: 81 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721804 9521 80.91.229.3 (28 Aug 2013 20:30:04 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:04 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:06 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNR-0008U8-2t - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:05 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754658Ab3H1UaD (ORCPT ); - Wed, 28 Aug 2013 16:30:03 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57907 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaD (ORCPT ); - Wed, 28 Aug 2013 16:30:03 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 1C5ACA535B; - Wed, 28 Aug 2013 22:30:01 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31652 -Archived-At: - -From: Kees Cook - -The "Report ID" field of a HID report is used to build indexes of -reports. The kernel's index of these is limited to 256 entries, so any -malicious device that sets a Report ID greater than 255 will trigger -memory corruption on the host: - -[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 -[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b - -CVE-2013-2888 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-core.c | 10 +++++++--- - include/linux/hid.h | 4 +++- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 36668d1..5ea7d51 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, - struct hid_report_enum *report_enum = device->report_enum + type; - struct hid_report *report; - -+ if (id >= HID_MAX_IDS) -+ return NULL; - if (report_enum->report_id_hash[id]) - return report_enum->report_id_hash[id]; - -@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) - - case HID_GLOBAL_ITEM_TAG_REPORT_ID: - parser->global.report_id = item_udata(item); -- if (parser->global.report_id == 0) { -- hid_err(parser->device, "report_id 0 is invalid\n"); -+ if (parser->global.report_id == 0 || -+ parser->global.report_id >= HID_MAX_IDS) { -+ hid_err(parser->device, "report_id %u is invalid\n", -+ parser->global.report_id); - return -1; - } - return 0; -@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) - for (i = 0; i < HID_REPORT_TYPES; i++) { - struct hid_report_enum *report_enum = device->report_enum + i; - -- for (j = 0; j < 256; j++) { -+ for (j = 0; j < HID_MAX_IDS; j++) { - struct hid_report *report = report_enum->report_id_hash[j]; - if (report) - hid_free_report(report); -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 0c48991..ff545cc 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -393,10 +393,12 @@ struct hid_report { - struct hid_device *device; /* associated device */ - }; - -+#define HID_MAX_IDS 256 -+ - struct hid_report_enum { - unsigned numbered; - struct list_head report_list; -- struct hid_report *report_id_hash[256]; -+ struct hid_report *report_id_hash[HID_MAX_IDS]; - }; - - #define HID_REPORT_TYPES 3 - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 02/14] HID: provide a helper for validating hid reports -Date: Wed, 28 Aug 2013 22:30:06 +0200 (CEST) -Lines: 99 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721810 9564 80.91.229.3 (28 Aug 2013 20:30:10 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:10 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:12 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNX-0008U8-Cg - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:11 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754750Ab3H1UaK (ORCPT ); - Wed, 28 Aug 2013 16:30:10 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57911 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaK (ORCPT ); - Wed, 28 Aug 2013 16:30:10 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 3C054A531D; - Wed, 28 Aug 2013 22:30:09 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31653 -Archived-At: - -From: Kees Cook - -Many drivers need to validate the characteristics of their HID report -during initialization to avoid misusing the reports. This adds a common -helper to perform validation of the report, its field count, and the -value count within the fields. - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-core.c | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ - include/linux/hid.h | 4 ++++ - 2 files changed, 54 insertions(+) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 5ea7d51..55798b2 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -759,6 +759,56 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) - } - EXPORT_SYMBOL_GPL(hid_parse_report); - -+static const char * const hid_report_names[] = { -+ "HID_INPUT_REPORT", -+ "HID_OUTPUT_REPORT", -+ "HID_FEATURE_REPORT", -+}; -+/** -+ * hid_validate_report - validate existing device report -+ * -+ * @device: hid device -+ * @type: which report type to examine -+ * @id: which report ID to examine (0 for first) -+ * @fields: expected number of fields -+ * @report_counts: expected number of values per field -+ * -+ * Validate the report details after parsing. -+ */ -+struct hid_report *hid_validate_report(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int fields, -+ unsigned int report_counts) -+{ -+ struct hid_report *report; -+ unsigned int i; -+ -+ if (type > HID_FEATURE_REPORT) { -+ hid_err(hid, "invalid HID report %u\n", type); -+ return NULL; -+ } -+ -+ report = hid->report_enum[type].report_id_hash[id]; -+ if (!report) { -+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->maxfield < fields) { -+ hid_err(hid, "not enough fields in %s %u\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ for (i = 0; i < fields; i++) { -+ if (report->field[i]->report_count < report_counts) { -+ hid_err(hid, "not enough values in %s %u fields\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ } -+ return report; -+} -+EXPORT_SYMBOL_GPL(hid_validate_report); -+ - /** - * hid_open_report - open a driver-specific device report - * -diff --git a/include/linux/hid.h b/include/linux/hid.h -index ff545cc..76e41d8 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); - struct hid_device *hid_allocate_device(void); - struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); - int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -+struct hid_report *hid_validate_report(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int fields, -+ unsigned int report_counts); - int hid_open_report(struct hid_device *device); - int hid_check_keys_pressed(struct hid_device *hid); - int hid_connect(struct hid_device *hid, unsigned int connect_mask); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 03/14] HID: zeroplus: validate output report details -Date: Wed, 28 Aug 2013 22:30:15 +0200 (CEST) -Lines: 57 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721819 9648 80.91.229.3 (28 Aug 2013 20:30:19 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:19 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:21 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmNg-0008U8-24 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:21 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754896Ab3H1UaT (ORCPT ); - Wed, 28 Aug 2013 16:30:19 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57913 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752748Ab3H1UaS (ORCPT ); - Wed, 28 Aug 2013 16:30:18 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id A94ACA531D; - Wed, 28 Aug 2013 22:30:17 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31654 -Archived-At: - -From: Kees Cook - -The zeroplus HID driver was not checking the size of allocated values -in fields it used. A HID device could send a malicious output report -that would cause the driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 -... -[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2889 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-zpff.c | 14 ++------------ - 1 file changed, 2 insertions(+), 12 deletions(-) - -diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c -index 6ec28a3..b124991 100644 ---- a/drivers/hid/hid-zpff.c -+++ b/drivers/hid/hid-zpff.c -@@ -68,22 +68,12 @@ static int zpff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 4, 1); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 4) { -- hid_err(hid, "not enough fields in report\n"); -- return -ENODEV; -- } - - zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); - if (!zpff) - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 05/14] HID: steelseries: validate output report details -Date: Wed, 28 Aug 2013 22:30:37 +0200 (CEST) -Lines: 43 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721849 9885 80.91.229.3 (28 Aug 2013 20:30:49 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:49 +0000 (UTC) -Cc: Kees Cook , Simon Wood -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:51 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmO7-0000cl-Po - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:48 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1755238Ab3H1Uam (ORCPT ); - Wed, 28 Aug 2013 16:30:42 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57942 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754222Ab3H1Uak (ORCPT ); - Wed, 28 Aug 2013 16:30:40 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id EFDE1A531D; - Wed, 28 Aug 2013 22:30:39 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31656 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -steelseries HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 -... -[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten - -CVE-2013-2891 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-steelseries.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c -index d164911..ef42e86 100644 ---- a/drivers/hid/hid-steelseries.c -+++ b/drivers/hid/hid-steelseries.c -@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, - goto err_free; - } - -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 0, 1, 16)) { -+ ret = -ENODEV; -+ goto err_free; -+ } -+ - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hw start failed\n"); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 06/14] HID: pantherlord: validate output report details -Date: Wed, 28 Aug 2013 22:30:49 +0200 (CEST) -Lines: 47 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721853 9919 80.91.229.3 (28 Aug 2013 20:30:53 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:30:53 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:30:55 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOD-0000cl-Qd - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:30:54 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754500Ab3H1Uax (ORCPT ); - Wed, 28 Aug 2013 16:30:53 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57948 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1753468Ab3H1Uaw (ORCPT ); - Wed, 28 Aug 2013 16:30:52 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 21315A531D; - Wed, 28 Aug 2013 22:30:52 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31657 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -pantherlord HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 -... -[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2892 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-pl.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c -index d29112f..2dcd7d9 100644 ---- a/drivers/hid/hid-pl.c -+++ b/drivers/hid/hid-pl.c -@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) - strong = &report->field[0]->value[2]; - weak = &report->field[0]->value[3]; - debug("detected single-field device"); -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { -+ } else if (report->field[0]->maxusage == 1 && -+ report->field[0]->usage[0].hid == -+ (HID_UP_LED | 0x43) && -+ report->maxfield >= 4 && -+ report->field[0]->report_count >= 1 && -+ report->field[1]->report_count >= 1 && -+ report->field[2]->report_count >= 1 && -+ report->field[3]->report_count >= 1) { - report->field[0]->value[0] = 0x00; - report->field[1]->value[0] = 0x00; - strong = &report->field[2]->value[0]; --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 07/14] HID: LG: validate HID output report details -Date: Wed, 28 Aug 2013 22:31:00 +0200 (CEST) -Lines: 194 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721865 10099 80.91.229.3 (28 Aug 2013 20:31:05 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:05 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:07 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOQ-0000cl-Fi - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:06 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753468Ab3H1UbF (ORCPT ); - Wed, 28 Aug 2013 16:31:05 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57957 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752780Ab3H1UbE (ORCPT ); - Wed, 28 Aug 2013 16:31:04 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 5F1F5A531D; - Wed, 28 Aug 2013 22:31:03 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31658 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -lg, lg3, and lg4 HID drivers to write beyond the output report allocation -during an event, causing a heap overflow: - -[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 -... -[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten - -Additionally, while lg2 did correctly validate the report details, it was -cleaned up and shortened. - -CVE-2013-2893 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-lg2ff.c | 19 +++---------------- - drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- - drivers/hid/hid-lg4ff.c | 20 +------------------- - drivers/hid/hid-lgff.c | 17 ++--------------- - 4 files changed, 12 insertions(+), 73 deletions(-) - -diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c -index b3cd150..9805197 100644 ---- a/drivers/hid/hid-lg2ff.c -+++ b/drivers/hid/hid-lg2ff.c -@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ /* Check that the report looks ok */ -+ report = hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 1) { -- hid_err(hid, "output report is empty\n"); -- return -ENODEV; -- } -- if (report->field[0]->report_count < 7) { -- hid_err(hid, "not enough values in the field\n"); -- return -ENODEV; -- } - - lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); - if (!lg2ff) -diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c -index e52f181..53ac79b 100644 ---- a/drivers/hid/hid-lg3ff.c -+++ b/drivers/hid/hid-lg3ff.c -@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, - int x, y; - - /* -- * Maxusage should always be 63 (maximum fields) -- * likely a better way to ensure this data is clean -+ * Available values in the field should always be 63, but we only use up to -+ * 35. Instead, clear the entire area, however big it is. - */ -- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); -+ memset(report->field[0]->value, 0, -+ sizeof(__s32) * report->field[0]->report_count); - - switch (effect->type) { - case FF_CONSTANT: -@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { - int lg3ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff3_joystick_ac; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -- return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 35)) -+ return -ENODEV; - - /* Assume single fixed device G940 */ - for (i = 0; ff_bits[i] >= 0; i++) -diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c -index 0ddae2a..8b89f0f 100644 ---- a/drivers/hid/hid-lg4ff.c -+++ b/drivers/hid/hid-lg4ff.c -@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde - int lg4ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - struct lg4ff_device_entry *entry; - struct lg_drv_data *drv_data; - struct usb_device_descriptor *udesc; - int error, i, j; - __u16 bcdDevice, rev_maj, rev_min; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) - return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } - - /* Check what wheel has been connected */ - for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { -diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c -index d7ea8c8..a84fb40 100644 ---- a/drivers/hid/hid-lgff.c -+++ b/drivers/hid/hid-lgff.c -@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) - int lgff_init(struct hid_device* hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff_joystick; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_report(hid, HID_OUTPUT_REPORT, 0, 1, 7)) -+ return -ENODEV; - - for (i = 0; i < ARRAY_SIZE(devices); i++) { - if (dev->id.vendor == devices[i].idVendor && --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 08/14] HID: lenovo-tpkbd: validate output report details -Date: Wed, 28 Aug 2013 22:31:10 +0200 (CEST) -Lines: 42 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721874 10167 80.91.229.3 (28 Aug 2013 20:31:14 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:14 +0000 (UTC) -Cc: Kees Cook , - Bernhard Seibold -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:16 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOY-0000cl-HM - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:14 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754122Ab3H1UbN (ORCPT ); - Wed, 28 Aug 2013 16:31:13 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57965 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752780Ab3H1UbN (ORCPT ); - Wed, 28 Aug 2013 16:31:13 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 982A1A531D; - Wed, 28 Aug 2013 22:31:12 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31659 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -lenovo-tpkbd HID driver to write just beyond the output report allocation -during initialization, causing a heap overflow: - -[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 -... -[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2894 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-lenovo-tpkbd.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 07837f5..b697ada 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -341,6 +341,11 @@ static int tpkbd_probe_tp(struct hid_device *hdev) - char *name_mute, *name_micmute; - int ret; - -+ /* Validate required reports. */ -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, 4, 4, 1) || -+ !hid_validate_report(hdev, HID_OUTPUT_REPORT, 3, 1, 2)) -+ return -ENODEV; -+ - if (sysfs_create_group(&hdev->dev.kobj, - &tpkbd_attr_group_pointer)) { - hid_warn(hdev, "Could not create sysfs group\n"); --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 09/14] HID: logitech-dj: validate output report details -Date: Wed, 28 Aug 2013 22:31:18 +0200 (CEST) -Lines: 65 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721883 10249 80.91.229.3 (28 Aug 2013 20:31:23 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:23 +0000 (UTC) -Cc: Kees Cook , - Nestor Lopez Casado -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:25 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOg-0000cl-O9 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:23 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1752780Ab3H1UbW (ORCPT ); - Wed, 28 Aug 2013 16:31:22 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57976 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1751971Ab3H1UbV (ORCPT ); - Wed, 28 Aug 2013 16:31:21 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id D53F8A531D; - Wed, 28 Aug 2013 22:31:20 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31660 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -logitech-dj HID driver to leak kernel memory contents to the device, or -trigger a NULL dereference during initialization: - -[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b -... -[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 -[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 - -CVE-2013-2895 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-logitech-dj.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index cd33084..7b99c2a 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct hid_report *report; - struct hid_report_enum *output_report_enum; - u8 *data = (u8 *)(&dj_report->device_index); -- int i; -+ unsigned int i, length; - - output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; - report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -@@ -471,7 +471,9 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - return -ENODEV; - } - -- for (i = 0; i < report->field[0]->report_count; i++) -+ length = min_t(size_t, sizeof(*dj_report) - 1, -+ report->field[0]->report_count); -+ for (i = 0; i < length; i++) - report->field[0]->value[i] = data[i]; - - hid_hw_request(hdev, report, HID_REQ_SET_REPORT); -@@ -783,6 +785,12 @@ static int logi_dj_probe(struct hid_device *hdev, - goto hid_parse_fail; - } - -+ if (!hid_validate_report(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, -+ 1, 3)) { -+ retval = -ENODEV; -+ goto hid_parse_fail; -+ } -+ - /* Starts the usb device and connects to upper interfaces hiddev and - * hidraw */ - retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 10/14] HID: ntrig: validate feature report details -Date: Wed, 28 Aug 2013 22:31:28 +0200 (CEST) -Lines: 41 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721895 10362 80.91.229.3 (28 Aug 2013 20:31:35 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:35 +0000 (UTC) -Cc: Kees Cook , Rafi Rubin -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:36 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOq-0000cl-KK - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:32 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753024Ab3H1Ubc (ORCPT ); - Wed, 28 Aug 2013 16:31:32 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57985 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1751971Ab3H1Ubb (ORCPT ); - Wed, 28 Aug 2013 16:31:31 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id C4DDAA531D; - Wed, 28 Aug 2013 22:31:30 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31661 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious feature report that would cause the -ntrig HID driver to trigger a NULL dereference during initialization: - -[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 -... -[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 -[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] - -CVE-2013-2896 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-ntrig.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c -index ef95102..5482156 100644 ---- a/drivers/hid/hid-ntrig.c -+++ b/drivers/hid/hid-ntrig.c -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. - report_id_hash[0x0d]; - -- if (!report) -+ if (!report || report->maxfield < 1 || -+ report->field[0]->report_count < 1) - return -EINVAL; - - hid_hw_request(hdev, report, HID_REQ_GET_REPORT); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 11/14] HID: multitouch: validate feature report details -Date: Wed, 28 Aug 2013 22:31:37 +0200 (CEST) -Lines: 77 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721900 10409 80.91.229.3 (28 Aug 2013 20:31:40 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:40 +0000 (UTC) -Cc: Kees Cook , - Henrik Rydberg , - Benjamin Tissoires -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:42 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmOz-0000cl-Ku - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:42 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754253Ab3H1Ubl (ORCPT ); - Wed, 28 Aug 2013 16:31:41 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:57991 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754222Ab3H1Ubk (ORCPT ); - Wed, 28 Aug 2013 16:31:40 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id BA511A535B; - Wed, 28 Aug 2013 22:31:39 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31662 -Archived-At: - -From: Kees Cook - -When working on report indexes, always validate that they are in bounds. -Without this, a HID device could report a malicious feature report that -could trick the driver into a heap overflow: - -[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 -... -[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2897 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-multitouch.c | 25 ++++++++++++++++++++----- - 1 file changed, 20 insertions(+), 5 deletions(-) - -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index cb0e361..2aa275e 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -330,9 +330,18 @@ static void mt_feature_mapping(struct hid_device *hdev, - break; - } - } -+ /* Ignore if value index is out of bounds. */ -+ if (td->inputmode_index < 0 || -+ td->inputmode_index >= field->report_count) { -+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); -+ td->inputmode = -1; -+ } - - break; - case HID_DG_CONTACTMAX: -+ /* Ignore if value count is out of bounds. */ -+ if (field->report_count < 1) -+ break; - td->maxcontact_report_id = field->report->id; - td->maxcontacts = field->value[0]; - if (!td->maxcontacts && -@@ -743,15 +752,21 @@ static void mt_touch_report(struct hid_device *hid, struct hid_report *report) - unsigned count; - int r, n; - -+ if (report->maxfield == 0) -+ return; -+ - /* - * Includes multi-packet support where subsequent - * packets are sent with zero contactcount. - */ -- if (td->cc_index >= 0) { -- struct hid_field *field = report->field[td->cc_index]; -- int value = field->value[td->cc_value_index]; -- if (value) -- td->num_expected = value; -+ if (td->cc_index >= 0 && td->cc_index < report->maxfield) { -+ field = report->field[td->cc_index]; -+ if (td->cc_value_index >= 0 && -+ td->cc_value_index < field->report_count) { -+ int value = field->value[td->cc_value_index]; -+ if (value) -+ td->num_expected = value; -+ } - } - - for (r = 0; r < report->maxfield; r++) { - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 12/14] HID: sensor-hub: validate feature report details -Date: Wed, 28 Aug 2013 22:31:44 +0200 (CEST) -Lines: 36 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721907 10489 80.91.229.3 (28 Aug 2013 20:31:47 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:47 +0000 (UTC) -Cc: Kees Cook , - Mika Westerberg , - srinivas pandruvada -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:51 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmP8-0000cl-9D - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:50 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754788Ab3H1Ubt (ORCPT ); - Wed, 28 Aug 2013 16:31:49 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58000 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754228Ab3H1Ubt (ORCPT ); - Wed, 28 Aug 2013 16:31:49 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id BBD85A535B; - Wed, 28 Aug 2013 22:31:47 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31663 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious feature report that would cause the -sensor-hub HID driver to read past the end of heap allocation, leaking -kernel memory contents to the caller. - -CVE-2013-2898 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-sensor-hub.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c -index ca749810..aa34755 100644 ---- a/drivers/hid/hid-sensor-hub.c -+++ b/drivers/hid/hid-sensor-hub.c -@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, - - mutex_lock(&data->mutex); - report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); -- if (!report || (field_index >= report->maxfield)) { -+ if (!report || (field_index >= report->maxfield) || -+ report->field[field_index]->report_count < 1) { - ret = -EINVAL; - goto done_proc; - } --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 13/14] HID: picolcd_core: validate output report details -Date: Wed, 28 Aug 2013 22:31:52 +0200 (CEST) -Lines: 34 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721917 10573 80.91.229.3 (28 Aug 2013 20:31:57 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:31:57 +0000 (UTC) -Cc: Kees Cook , - =?ISO-8859-15?Q?Bruno_Pr=E9mont?= -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:31:59 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmPE-0000cl-T8 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:31:57 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754901Ab3H1Ub4 (ORCPT ); - Wed, 28 Aug 2013 16:31:56 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58006 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754228Ab3H1Ub4 (ORCPT ); - Wed, 28 Aug 2013 16:31:56 -0400 -Original-Received: from relay2.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 2720DA531D; - Wed, 28 Aug 2013 22:31:55 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31664 -Archived-At: - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -picolcd HID driver to trigger a NULL dereference during attr file writing. - -CVE-2013-2899 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-picolcd_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index b48092d..72bba1e 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, - buf += 10; - cnt -= 10; - } -- if (!report) -+ if (!report || report->maxfield < 1) - return -EINVAL; - - while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - -Path: news.gmane.org!not-for-mail -From: Jiri Kosina -Newsgroups: gmane.linux.kernel.input -Subject: [PATCH 14/14] HID: check for NULL field when setting values -Date: Wed, 28 Aug 2013 22:32:01 +0200 (CEST) -Lines: 36 -Approved: news@gmane.org -Message-ID: -NNTP-Posting-Host: plane.gmane.org -Mime-Version: 1.0 -Content-Type: TEXT/PLAIN; charset=US-ASCII -X-Trace: ger.gmane.org 1377721927 10651 80.91.229.3 (28 Aug 2013 20:32:07 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Wed, 28 Aug 2013 20:32:07 +0000 (UTC) -Cc: Kees Cook -To: linux-input@vger.kernel.org -Original-X-From: linux-input-owner@vger.kernel.org Wed Aug 28 22:32:06 2013 -Return-path: -Envelope-to: glki-linux-input-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VEmPO-0000cl-40 - for glki-linux-input-2@plane.gmane.org; Wed, 28 Aug 2013 22:32:06 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754959Ab3H1UcF (ORCPT ); - Wed, 28 Aug 2013 16:32:05 -0400 -Original-Received: from cantor2.suse.de ([195.135.220.15]:58016 "EHLO mx2.suse.de" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1754282Ab3H1UcE (ORCPT ); - Wed, 28 Aug 2013 16:32:04 -0400 -Original-Received: from relay1.suse.de (unknown [195.135.220.254]) - by mx2.suse.de (Postfix) with ESMTP id 6D278A531D; - Wed, 28 Aug 2013 22:32:03 +0200 (CEST) -User-Agent: Alpine 2.00 (LNX 1167 2008-08-23) -Original-Sender: linux-input-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-input@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel.input:31665 -Archived-At: - -From: Kees Cook - -Defensively check that the field to be worked on is not NULL. - -Signed-off-by: Kees Cook -Cc: stable@kernel.org ---- - drivers/hid/hid-core.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 55798b2..192be6b 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1206,7 +1206,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); - - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) - { -- unsigned size = field->report_size; -+ unsigned size; -+ -+ if (!field) -+ return -1; -+ -+ size = field->report_size; - - hid_dump_input(field->report->device, field->usage + offset, value); - --- -Jiri Kosina -SUSE Labs --- -To unsubscribe from this list: send the line "unsubscribe linux-input" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html - diff --git a/kernel.spec b/kernel.spec index 01a7d462b..0a1cd7402 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -743,7 +743,7 @@ Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 #CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -Patch25099: HID-CVE-fixes.patch +Patch25099: HID-CVE-fixes-3.11.patch #rhbz 963991 Patch26000: acpi-pcie-hotplug-conflict.patch @@ -1439,7 +1439,7 @@ ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020. #CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 #CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -ApplyPatch HID-CVE-fixes.patch +ApplyPatch HID-CVE-fixes-3.11.patch #rhbz 1000679 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch @@ -2262,6 +2262,9 @@ fi # and build. %changelog +* Thu Sep 12 2013 Josh Boyer +- Update HID CVE fixes to fix crash from lenovo-tpkbd driver (rhbz 1003998) + * Wed Sep 11 2013 Neil Horman - Fix pcie/acpi hotplug conflict (rhbz 963991) - Fix race in crypto larval lookup From b2766296767dc2ef705f3ea5e17c9b3f260558ba Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 13 Sep 2013 07:38:51 -0400 Subject: [PATCH 206/468] CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) --- kernel.spec | 9 +++ ...orrectly-handle-error-in-tun_set_iff.patch | 57 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 tuntap-correctly-handle-error-in-tun_set_iff.patch diff --git a/kernel.spec b/kernel.spec index 0a1cd7402..5092b0963 100644 --- a/kernel.spec +++ b/kernel.spec @@ -751,6 +751,9 @@ Patch26000: acpi-pcie-hotplug-conflict.patch #rhbz 1002351 Patch25100: crypto-fix-race-in-larval-lookup.patch +#CVE-2013-4343 rhbz 1007733 1007741 +Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch + # END OF PATCH DEFINITIONS %endif @@ -1450,6 +1453,9 @@ ApplyPatch acpi-pcie-hotplug-conflict.patch #rhbz1002351 ApplyPatch crypto-fix-race-in-larval-lookup.patch +#CVE-2013-4343 rhbz 1007733 1007741 +ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch + # END OF PATCH APPLICATIONS %endif @@ -2262,6 +2268,9 @@ fi # and build. %changelog +* Fri Sep 13 2013 Josh Boyer +- CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) + * Thu Sep 12 2013 Josh Boyer - Update HID CVE fixes to fix crash from lenovo-tpkbd driver (rhbz 1003998) diff --git a/tuntap-correctly-handle-error-in-tun_set_iff.patch b/tuntap-correctly-handle-error-in-tun_set_iff.patch new file mode 100644 index 000000000..563526765 --- /dev/null +++ b/tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -0,0 +1,57 @@ +From dff4e504b2addc8053fc47712d44a21f733ef51b Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Wed, 11 Sep 2013 18:09:48 +0800 +Subject: [PATCH] tuntap: correctly handle error in tun_set_iff() + +Commit c8d68e6be1c3b242f1c598595830890b65cea64a +(tuntap: multiqueue support) only call free_netdev() on error in +tun_set_iff(). This causes several issues: + +- memory of tun security were leaked +- use after free since the flow gc timer was not deleted and the tfile + were not detached + +This patch solves the above issues. + +Reported-by: Wannes Rombouts +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +--- + drivers/net/tun.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +diff --git a/drivers/net/tun.c b/drivers/net/tun.c +index 71af122..68b9aa3 100644 +--- a/drivers/net/tun.c ++++ b/drivers/net/tun.c +@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + INIT_LIST_HEAD(&tun->disabled); + err = tun_attach(tun, file); + if (err < 0) +- goto err_free_dev; ++ goto err_free_flow; + + err = register_netdevice(tun->dev); + if (err < 0) +- goto err_free_dev; ++ goto err_detach; + + if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || + device_create_file(&tun->dev->dev, &dev_attr_owner) || +@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) + strcpy(ifr->ifr_name, tun->dev->name); + return 0; + +- err_free_dev: ++err_detach: ++ tun_detach_all(dev); ++err_free_flow: ++ tun_flow_uninit(tun); ++ security_tun_dev_free_security(tun->security); ++err_free_dev: + free_netdev(dev); + return err; + } +-- +1.8.3.1 + From c7587b5edaf3c8038ac58680145b6eb353a926fa Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 13 Sep 2013 11:16:43 -0400 Subject: [PATCH 207/468] CVE-2013-XXXX net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) --- kernel.spec | 7 + ...ipsec-encryption-bug-in-sctp_v6_xmit.patch | 186 ++++++++++++++++++ 2 files changed, 193 insertions(+) create mode 100644 net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch diff --git a/kernel.spec b/kernel.spec index 5092b0963..c6b30bac1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -754,6 +754,9 @@ Patch25100: crypto-fix-race-in-larval-lookup.patch #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch +#CVE-2013-XXXX rhbz 1007872 1007903 +Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch + # END OF PATCH DEFINITIONS %endif @@ -1456,6 +1459,9 @@ ApplyPatch crypto-fix-race-in-larval-lookup.patch #CVE-2013-4343 rhbz 1007733 1007741 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch +#CVE-2013-XXXX rhbz 1007872 1007903 +ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch + # END OF PATCH APPLICATIONS %endif @@ -2269,6 +2275,7 @@ fi %changelog * Fri Sep 13 2013 Josh Boyer +- CVE-2013-XXXX net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) - CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) * Thu Sep 12 2013 Josh Boyer diff --git a/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch b/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch new file mode 100644 index 000000000..671ee98db --- /dev/null +++ b/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch @@ -0,0 +1,186 @@ +From 95ee62083cb6453e056562d91f597552021e6ae7 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Wed, 11 Sep 2013 14:58:36 +0000 +Subject: net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit + +Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not +being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport +does not seem to have the desired effect: + +SCTP + IPv4: + + 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) + 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 + 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) + 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): + +SCTP + IPv6: + + 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) + fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp + 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] + +Moreover, Alan says: + + This problem was seen with both Racoon and Racoon2. Other people have seen + this with OpenSwan. When IPsec is configured to encrypt all upper layer + protocols the SCTP connection does not initialize. After using Wireshark to + follow packets, this is because the SCTP packet leaves Box A unencrypted and + Box B believes all upper layer protocols are to be encrypted so it drops + this packet, causing the SCTP connection to fail to initialize. When IPsec + is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. + +In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" +string on the other end, results in cleartext on the wire where SCTP eventually +does not report any errors, thus in the latter case that Alan reports, the +non-paranoid user might think he's communicating over an encrypted transport on +SCTP although he's not (tcpdump ... -X): + + ... + 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... + 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... + +Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the +receiver side. Initial follow-up analysis from Alan's bug report was done by +Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. + +SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). +This has the implication that it probably never really got updated along with +changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. + +SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since +a call to inet6_csk_xmit() would solve this problem, but result in unecessary +route lookups, let us just use the cached flowi6 instead that we got through +sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), +we do the route lookup / flow caching in sctp_transport_route(), hold it in +tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in +sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect +of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() +instead to get the correct source routed dst entry, which we assign to the skb. + +Also source address routing example from 625034113 ("sctp: fix sctp to work with +ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 +it is actually 'recommended' to not use that anyway due to traffic amplification [1]. +So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if +we overwrite the flow destination here, the lower IPv6 layer will be unable to +put the correct destination address into IP header, as routing header is added in +ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, +result of this patch is that we do not have any XfrmInTmplMismatch increase plus on +the wire with this patch it now looks like: + +SCTP + IPv6: + + 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: + AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 + 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: + AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 + +This fixes Kernel Bugzilla 24412. This security issue seems to be present since +2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have +its fun with that. lksctp-tools IPv6 regression test suite passes as well with +this patch. + + [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf + +Reported-by: Alan Chester +Reported-by: Alexey Dobriyan +Signed-off-by: Daniel Borkmann +Cc: Steffen Klassert +Cc: Hannes Frederic Sowa +Acked-by: Vlad Yasevich +Signed-off-by: David S. Miller +--- +diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c +index da613ce..4f52e2c 100644 +--- a/net/sctp/ipv6.c ++++ b/net/sctp/ipv6.c +@@ -204,44 +204,23 @@ out: + in6_dev_put(idev); + } + +-/* Based on tcp_v6_xmit() in tcp_ipv6.c. */ + static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) + { + struct sock *sk = skb->sk; + struct ipv6_pinfo *np = inet6_sk(sk); +- struct flowi6 fl6; +- +- memset(&fl6, 0, sizeof(fl6)); +- +- fl6.flowi6_proto = sk->sk_protocol; +- +- /* Fill in the dest address from the route entry passed with the skb +- * and the source address from the transport. +- */ +- fl6.daddr = transport->ipaddr.v6.sin6_addr; +- fl6.saddr = transport->saddr.v6.sin6_addr; +- +- fl6.flowlabel = np->flow_label; +- IP6_ECN_flow_xmit(sk, fl6.flowlabel); +- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL) +- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id; +- else +- fl6.flowi6_oif = sk->sk_bound_dev_if; +- +- if (np->opt && np->opt->srcrt) { +- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; +- fl6.daddr = *rt0->addr; +- } ++ struct flowi6 *fl6 = &transport->fl.u.ip6; + + pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb, +- skb->len, &fl6.saddr, &fl6.daddr); ++ skb->len, &fl6->saddr, &fl6->daddr); + +- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); ++ IP6_ECN_flow_xmit(sk, fl6->flowlabel); + + if (!(transport->param_flags & SPP_PMTUD_ENABLE)) + skb->local_df = 1; + +- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); ++ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); ++ ++ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass); + } + + /* Returns the dst cache entry for the given source and destination ip +@@ -254,10 +233,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + struct dst_entry *dst = NULL; + struct flowi6 *fl6 = &fl->u.ip6; + struct sctp_bind_addr *bp; ++ struct ipv6_pinfo *np = inet6_sk(sk); + struct sctp_sockaddr_entry *laddr; + union sctp_addr *baddr = NULL; + union sctp_addr *daddr = &t->ipaddr; + union sctp_addr dst_saddr; ++ struct in6_addr *final_p, final; + __u8 matchlen = 0; + __u8 bmatchlen; + sctp_scope_t scope; +@@ -281,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + pr_debug("src=%pI6 - ", &fl6->saddr); + } + +- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); ++ final_p = fl6_update_dst(fl6, np->opt, &final); ++ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); + if (!asoc || saddr) + goto out; + +@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, + } + } + rcu_read_unlock(); ++ + if (baddr) { + fl6->saddr = baddr->v6.sin6_addr; + fl6->fl6_sport = baddr->v6.sin6_port; +- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); ++ final_p = fl6_update_dst(fl6, np->opt, &final); ++ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); + } + + out: +-- +cgit v0.9.2 From c93b40ccfd037880b138c823d86694c9ac28f840 Mon Sep 17 00:00:00 2001 From: Kyle McMartin Date: Wed, 10 Jul 2013 10:33:31 -0400 Subject: [PATCH 208/468] Fix crash-driver.patch to properly use page_is_ram. --- crash-driver.patch | 17 +---------------- kernel.spec | 3 +++ 2 files changed, 4 insertions(+), 16 deletions(-) diff --git a/crash-driver.patch b/crash-driver.patch index 239f0f6a0..a7b7b72f9 100644 --- a/crash-driver.patch +++ b/crash-driver.patch @@ -131,7 +131,7 @@ new file mode 100644 index 0000000..dfcc006 --- /dev/null +++ b/arch/x86/include/asm/crash.h -@@ -0,0 +1,75 @@ +@@ -0,0 +1,73 @@ +#ifndef _ASM_I386_CRASH_H +#define _ASM_I386_CRASH_H + @@ -162,8 +162,6 @@ index 0000000..dfcc006 +#include +#include + -+extern int page_is_ram(unsigned long); -+ +static inline void * +map_virtual(u64 offset, struct page **pp) +{ @@ -207,19 +205,6 @@ index 0000000..dfcc006 +#endif /* __KERNEL__ */ + +#endif /* _ASM_I386_CRASH_H */ -diff --git a/arch/x86/mm/ioremap.c b/arch/x86/mm/ioremap.c -index be1ef57..ac659f7 100644 ---- a/arch/x86/mm/ioremap.c -+++ b/arch/x86/mm/ioremap.c -@@ -24,6 +24,8 @@ - - #include "physaddr.h" - -+EXPORT_SYMBOL_GPL(page_is_ram); -+ - /* - * Fix up the linear direct mapping of the kernel to avoid cache attribute - * conflicts. diff --git a/drivers/char/Kconfig b/drivers/char/Kconfig index 423fd56..e04a561 100644 --- a/drivers/char/Kconfig diff --git a/kernel.spec b/kernel.spec index c6b30bac1..966479ff9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2274,6 +2274,9 @@ fi # and build. %changelog +* Fri Sep 13 2013 Kyle McMartin +- Fix crash-driver.patch to properly use page_is_ram. + * Fri Sep 13 2013 Josh Boyer - CVE-2013-XXXX net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) - CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) From 53623a80bacfe4740db88abcf601e3dd43df510b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 13 Sep 2013 15:47:37 -0400 Subject: [PATCH 209/468] Correct CVE number for sctp IPv6 issue --- kernel.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index 966479ff9..ec33374f4 100644 --- a/kernel.spec +++ b/kernel.spec @@ -754,7 +754,7 @@ Patch25100: crypto-fix-race-in-larval-lookup.patch #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch -#CVE-2013-XXXX rhbz 1007872 1007903 +#CVE-2013-4053 rhbz 1007872 1007903 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch # END OF PATCH DEFINITIONS @@ -1459,7 +1459,7 @@ ApplyPatch crypto-fix-race-in-larval-lookup.patch #CVE-2013-4343 rhbz 1007733 1007741 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch -#CVE-2013-XXXX rhbz 1007872 1007903 +#CVE-2013-4350 rhbz 1007872 1007903 ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch # END OF PATCH APPLICATIONS @@ -2278,7 +2278,7 @@ fi - Fix crash-driver.patch to properly use page_is_ram. * Fri Sep 13 2013 Josh Boyer -- CVE-2013-XXXX net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) +- CVE-2013-4053 net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) - CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) * Thu Sep 12 2013 Josh Boyer From 4242e8f0a802f9754b144f1a8650f88d097477fa Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 13 Sep 2013 15:51:15 -0400 Subject: [PATCH 210/468] 1/3 is a crappy correction rate --- kernel.spec | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index ec33374f4..43773a57b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -754,7 +754,7 @@ Patch25100: crypto-fix-race-in-larval-lookup.patch #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch -#CVE-2013-4053 rhbz 1007872 1007903 +#CVE-2013-4350 rhbz 1007872 1007903 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch # END OF PATCH DEFINITIONS @@ -2278,7 +2278,7 @@ fi - Fix crash-driver.patch to properly use page_is_ram. * Fri Sep 13 2013 Josh Boyer -- CVE-2013-4053 net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) +- CVE-2013-4350 net: sctp: ipv6 ipsec encryption bug in sctp_v6_xmit (rhbz 1007872 1007903) - CVE-2013-4343 net: use-after-free TUNSETIFF (rhbz 1007733 1007741) * Thu Sep 12 2013 Josh Boyer From 98f27f5d18721da050f5a76eede3e763912c2cbf Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 14 Sep 2013 10:41:51 -0400 Subject: [PATCH 211/468] Linux v3.11.1 --- kernel.spec | 7 +++++-- sources | 1 + 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/kernel.spec b/kernel.spec index 43773a57b..c1f67ddde 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 0 +%define stable_update 1 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2274,6 +2274,9 @@ fi # and build. %changelog +* Sat Sep 14 2013 Josh Boyer - 3.11.1-200 +- Linux v3.11.1 + * Fri Sep 13 2013 Kyle McMartin - Fix crash-driver.patch to properly use page_is_ram. diff --git a/sources b/sources index 97f72c19a..1bb8782ae 100644 --- a/sources +++ b/sources @@ -1 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz +43331cad943b9540afea49ad8ce5cf46 patch-3.11.1.xz From c06b67421958493edc3533d3c468e059b557a99f Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 17 Sep 2013 15:57:07 -0400 Subject: [PATCH 212/468] CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) --- ...-one-error-in-non-block-size-request.patch | 40 +++++++++++++++++++ kernel.spec | 9 +++++ 2 files changed, 49 insertions(+) create mode 100644 ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch new file mode 100644 index 000000000..c8d015491 --- /dev/null +++ b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch @@ -0,0 +1,40 @@ +Stephan Mueller reported to me recently a error in random number generation in +the ansi cprng. If several small requests are made that are less than the +instances block size, the remainder for loop code doesn't increment +rand_data_valid in the last iteration, meaning that the last bytes in the +rand_data buffer gets reused on the subsequent smaller-than-a-block request for +random data. + +The fix is pretty easy, just re-code the for loop to make sure that +rand_data_valid gets incremented appropriately + +Signed-off-by: Neil Horman +Reported-by: Stephan Mueller +CC: Stephan Mueller +CC: Petr Matousek +CC: Herbert Xu +CC: "David S. Miller" +--- + crypto/ansi_cprng.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c +index c0bb377..666f196 100644 +--- a/crypto/ansi_cprng.c ++++ b/crypto/ansi_cprng.c +@@ -230,11 +230,11 @@ remainder: + */ + if (byte_count < DEFAULT_BLK_SZ) { + empty_rbuf: +- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; +- ctx->rand_data_valid++) { ++ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) { + *ptr = ctx->rand_data[ctx->rand_data_valid]; + ptr++; + byte_count--; ++ ctx->rand_data_valid++; + if (byte_count == 0) + goto done; + } +-- +1.8.3.1 diff --git a/kernel.spec b/kernel.spec index c1f67ddde..112621126 100644 --- a/kernel.spec +++ b/kernel.spec @@ -757,6 +757,9 @@ Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + # END OF PATCH DEFINITIONS %endif @@ -1462,6 +1465,9 @@ ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch #CVE-2013-4350 rhbz 1007872 1007903 ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +#CVE-2013-4345 rhbz 1007690 1009136 +ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch + # END OF PATCH APPLICATIONS %endif @@ -2274,6 +2280,9 @@ fi # and build. %changelog +* Tue Sep 17 2013 Josh Boyer +- CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) + * Sat Sep 14 2013 Josh Boyer - 3.11.1-200 - Linux v3.11.1 From 1b87d09575961c9256b47b0ad728205cb61833b5 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Sep 2013 10:15:09 -0400 Subject: [PATCH 213/468] Fix multimedia keys on Genius GX keyboard (rhbz 928561) --- ...rt-fixup-for-Genius-Gx-Imperator-Key.patch | 118 ++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 127 insertions(+) create mode 100644 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch diff --git a/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch b/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch new file mode 100644 index 000000000..b7bbf77b6 --- /dev/null +++ b/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch @@ -0,0 +1,118 @@ +From 0adb9c2c5ed42f199cb2a630c37d18dee385fae2 Mon Sep 17 00:00:00 2001 +From: Benjamin Tissoires +Date: Mon, 15 Jul 2013 10:12:18 +0200 +Subject: [PATCH] HID: kye: Add report fixup for Genius Gx Imperator Keyboard + +Genius Gx Imperator Keyboard presents the same problem in its report +descriptors than Genius Gila Gaming Mouse. +Use the same fixup for both. + +Fixes: +https://bugzilla.redhat.com/show_bug.cgi?id=928561 + +Reported-and-tested-by: Honza Brazdil +Signed-off-by: Benjamin Tissoires +Signed-off-by: Jiri Kosina +--- + drivers/hid/hid-core.c | 1 + + drivers/hid/hid-ids.h | 1 + + drivers/hid/hid-kye.c | 45 ++++++++++++++++++++++++++++----------------- + 3 files changed, 30 insertions(+), 17 deletions(-) + +diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c +index 8de5cb8..b0f2f45 100644 +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1594,6 +1594,7 @@ static const struct hid_device_id hid_have_special_driver[] = { + { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index c5aea29..0288531 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -479,6 +479,7 @@ + #define USB_VENDOR_ID_KYE 0x0458 + #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 + #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 ++#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018 + #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 + #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 + #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 +diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c +index 1e2ee2aa..7384512 100644 +--- a/drivers/hid/hid-kye.c ++++ b/drivers/hid/hid-kye.c +@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = { + 0xC0 /* End Collection */ + }; + ++static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc, ++ unsigned int *rsize, int offset, const char *device_name) { ++ /* ++ * the fixup that need to be done: ++ * - change Usage Maximum in the Comsumer Control ++ * (report ID 3) to a reasonable value ++ */ ++ if (*rsize >= offset + 31 && ++ /* Usage Page (Consumer Devices) */ ++ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c && ++ /* Usage (Consumer Control) */ ++ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 && ++ /* Usage Maximum > 12287 */ ++ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) { ++ hid_info(hdev, "fixing up %s report descriptor\n", device_name); ++ rdesc[offset + 12] = 0x2f; ++ } ++ return rdesc; ++} ++ + static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + unsigned int *rsize) + { +@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, + } + break; + case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: +- /* +- * the fixup that need to be done: +- * - change Usage Maximum in the Comsumer Control +- * (report ID 3) to a reasonable value +- */ +- if (*rsize >= 135 && +- /* Usage Page (Consumer Devices) */ +- rdesc[104] == 0x05 && rdesc[105] == 0x0c && +- /* Usage (Consumer Control) */ +- rdesc[106] == 0x09 && rdesc[107] == 0x01 && +- /* Usage Maximum > 12287 */ +- rdesc[114] == 0x2a && rdesc[116] > 0x2f) { +- hid_info(hdev, +- "fixing up Genius Gila Gaming Mouse " +- "report descriptor\n"); +- rdesc[116] = 0x2f; +- } ++ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104, ++ "Genius Gila Gaming Mouse"); ++ break; ++ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR: ++ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83, ++ "Genius Gx Imperator Keyboard"); + break; + } + return rdesc; +@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = { + USB_DEVICE_ID_KYE_EASYPEN_M610X) }, + { HID_USB_DEVICE(USB_VENDOR_ID_KYE, + USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, ++ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, ++ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, + { } + }; + MODULE_DEVICE_TABLE(hid, kye_devices); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 112621126..35ae09519 100644 --- a/kernel.spec +++ b/kernel.spec @@ -760,6 +760,9 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch +#rhbz 928561 +Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch + # END OF PATCH DEFINITIONS %endif @@ -1468,6 +1471,9 @@ ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch +#rhbz 928561 +ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch + # END OF PATCH APPLICATIONS %endif @@ -2280,6 +2286,9 @@ fi # and build. %changelog +* Fri Sep 20 2013 Josh Boyer +- Fix multimedia keys on Genius GX keyboard (rhbz 928561) + * Tue Sep 17 2013 Josh Boyer - CVE-2013-4345 ansi_cprng: off by one error in non-block size request (rhbz 1007690 1009136) From 80641a0bb88af2f7b66eba73394db2e92490c181 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Sep 2013 10:31:39 -0400 Subject: [PATCH 214/468] Fix large order rpc allocations (rhbz 997705) - Fix multimedia keys on Genius GX keyboard (rhbz 928561) --- kernel.spec | 13 ++ ...-up-decoding-of-gssproxy-linux-creds.patch | 110 +++++++++++++++++ ..._cred-encoding-treat-all-as-unsigned.patch | 90 ++++++++++++++ rpc-fix-huge-kmallocs-in-gss-proxy.patch | 113 ++++++++++++++++++ ...yer-allocate-gssproxy-receieve-pages.patch | 52 ++++++++ 5 files changed, 378 insertions(+) create mode 100644 rpc-clean-up-decoding-of-gssproxy-linux-creds.patch create mode 100644 rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch create mode 100644 rpc-fix-huge-kmallocs-in-gss-proxy.patch create mode 100644 rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch diff --git a/kernel.spec b/kernel.spec index 35ae09519..238396680 100644 --- a/kernel.spec +++ b/kernel.spec @@ -763,6 +763,12 @@ Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 928561 Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +#rhbz 997705 +Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch +Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch +Patch25112: rpc-fix-huge-kmallocs-in-gss-proxy.patch +Patch25113: rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch + # END OF PATCH DEFINITIONS %endif @@ -1474,6 +1480,12 @@ ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 928561 ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +#rhbz 997705 +ApplyPatch rpc-clean-up-decoding-of-gssproxy-linux-creds.patch +ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch +ApplyPatch rpc-fix-huge-kmallocs-in-gss-proxy.patch +ApplyPatch rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch + # END OF PATCH APPLICATIONS %endif @@ -2287,6 +2299,7 @@ fi %changelog * Fri Sep 20 2013 Josh Boyer +- Fix large order rpc allocations (rhbz 997705) - Fix multimedia keys on Genius GX keyboard (rhbz 928561) * Tue Sep 17 2013 Josh Boyer diff --git a/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch b/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch new file mode 100644 index 000000000..ffafde8f1 --- /dev/null +++ b/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch @@ -0,0 +1,110 @@ +From: "J. Bruce Fields" + +commit 778e512bb1d3315c6b55832248cd30c566c081d7 upstream. + +We can use the normal coding infrastructure here. + +Two minor behavior changes: + + - we're assuming no wasted space at the end of the linux cred. + That seems to match gss-proxy's behavior, and I can't see why + it would need to do differently in the future. + + - NGROUPS_MAX check added: note groups_alloc doesn't do this, + this is the caller's responsibility. + +Tested-by: Simo Sorce +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 32 +++++++++++++------------------- + 1 file changed, 13 insertions(+), 19 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 3c85d1c..f5067b2 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -166,14 +166,14 @@ static int dummy_dec_opt_array(struct xdr_stream *xdr, + return 0; + } + +-static int get_s32(void **p, void *max, s32 *res) ++static int get_s32(struct xdr_stream *xdr, s32 *res) + { +- void *base = *p; +- void *next = (void *)((char *)base + sizeof(s32)); +- if (unlikely(next > max || next < base)) ++ __be32 *p; ++ ++ p = xdr_inline_decode(xdr, 4); ++ if (!p) + return -EINVAL; +- memcpy(res, base, sizeof(s32)); +- *p = next; ++ memcpy(res, p, sizeof(s32)); + return 0; + } + +@@ -182,7 +182,6 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + { + u32 length; + __be32 *p; +- void *q, *end; + s32 tmp; + int N, i, err; + +@@ -192,33 +191,28 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + + length = be32_to_cpup(p); + +- /* FIXME: we do not want to use the scratch buffer for this one +- * may need to use functions that allows us to access an io vector +- * directly */ +- p = xdr_inline_decode(xdr, length); +- if (unlikely(p == NULL)) ++ if (length > (3 + NGROUPS_MAX) * sizeof(u32)) + return -ENOSPC; + +- q = p; +- end = q + length; +- + /* uid */ +- err = get_s32(&q, end, &tmp); ++ err = get_s32(xdr, &tmp); + if (err) + return err; + creds->cr_uid = make_kuid(&init_user_ns, tmp); + + /* gid */ +- err = get_s32(&q, end, &tmp); ++ err = get_s32(xdr, &tmp); + if (err) + return err; + creds->cr_gid = make_kgid(&init_user_ns, tmp); + + /* number of additional gid's */ +- err = get_s32(&q, end, &tmp); ++ err = get_s32(xdr, &tmp); + if (err) + return err; + N = tmp; ++ if ((3 + N) * sizeof(u32) != length) ++ return -EINVAL; + creds->cr_group_info = groups_alloc(N); + if (creds->cr_group_info == NULL) + return -ENOMEM; +@@ -226,7 +220,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + /* gid's */ + for (i = 0; i < N; i++) { + kgid_t kgid; +- err = get_s32(&q, end, &tmp); ++ err = get_s32(xdr, &tmp); + if (err) + goto out_free_groups; + err = -EINVAL; +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch b/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch new file mode 100644 index 000000000..b4f9291b1 --- /dev/null +++ b/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -0,0 +1,90 @@ +From: "J. Bruce Fields" + +commit 6a36978e6931e6601be586eb313375335f2cfaa3 upstream. + +The encoding of linux creds is a bit confusing. + +Also: I think in practice it doesn't really matter whether we treat any +of these things as signed or unsigned, but unsigned seems more +straightforward: uid_t/gid_t are unsigned and it simplifies the ngroups +overflow check. + +Tested-by: Simo Sorce +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_xdr.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index f5067b2..3c19c7d 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -166,14 +166,15 @@ static int dummy_dec_opt_array(struct xdr_stream *xdr, + return 0; + } + +-static int get_s32(struct xdr_stream *xdr, s32 *res) ++static int get_host_u32(struct xdr_stream *xdr, u32 *res) + { + __be32 *p; + + p = xdr_inline_decode(xdr, 4); + if (!p) + return -EINVAL; +- memcpy(res, p, sizeof(s32)); ++ /* Contents of linux creds are all host-endian: */ ++ memcpy(res, p, sizeof(u32)); + return 0; + } + +@@ -182,8 +183,9 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + { + u32 length; + __be32 *p; +- s32 tmp; +- int N, i, err; ++ u32 tmp; ++ u32 N; ++ int i, err; + + p = xdr_inline_decode(xdr, 4); + if (unlikely(p == NULL)) +@@ -195,19 +197,19 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + return -ENOSPC; + + /* uid */ +- err = get_s32(xdr, &tmp); ++ err = get_host_u32(xdr, &tmp); + if (err) + return err; + creds->cr_uid = make_kuid(&init_user_ns, tmp); + + /* gid */ +- err = get_s32(xdr, &tmp); ++ err = get_host_u32(xdr, &tmp); + if (err) + return err; + creds->cr_gid = make_kgid(&init_user_ns, tmp); + + /* number of additional gid's */ +- err = get_s32(xdr, &tmp); ++ err = get_host_u32(xdr, &tmp); + if (err) + return err; + N = tmp; +@@ -220,7 +222,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, + /* gid's */ + for (i = 0; i < N; i++) { + kgid_t kgid; +- err = get_s32(xdr, &tmp); ++ err = get_host_u32(xdr, &tmp); + if (err) + goto out_free_groups; + err = -EINVAL; +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-fix-huge-kmallocs-in-gss-proxy.patch b/rpc-fix-huge-kmallocs-in-gss-proxy.patch new file mode 100644 index 000000000..6257f45ea --- /dev/null +++ b/rpc-fix-huge-kmallocs-in-gss-proxy.patch @@ -0,0 +1,113 @@ +From: "J. Bruce Fields" + +commit 9dfd87da1aeb0fd364167ad199f40fe96a6a87be upstream. + +The reply to a gssproxy can include up to NGROUPS_MAX gid's, which will +take up more than a page. We therefore need to allocate an array of +pages to hold the reply instead of trying to allocate a single huge +buffer. + +Tested-by: Simo Sorce +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 30 ++++++++++++++++++++++++++++++ + net/sunrpc/auth_gss/gss_rpc_xdr.c | 3 +++ + net/sunrpc/auth_gss/gss_rpc_xdr.h | 5 ++++- + 3 files changed, 37 insertions(+), 1 deletion(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index af7ffd4..be95af3 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -213,6 +213,30 @@ static int gssp_call(struct net *net, struct rpc_message *msg) + return status; + } + ++static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg) ++{ ++ int i; ++ ++ for (i = 0; i < arg->npages && arg->pages[i]; i++) ++ __free_page(arg->pages[i]); ++} ++ ++static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg) ++{ ++ int i; ++ ++ arg->npages = DIV_ROUND_UP(NGROUPS_MAX * 4, PAGE_SIZE); ++ arg->pages = kzalloc(arg->npages * sizeof(struct page *), GFP_KERNEL); ++ ++ for (i=0; i < arg->npages; i++) { ++ arg->pages[i] = alloc_page(GFP_KERNEL); ++ if (arg->pages[i] == NULL) { ++ gssp_free_receive_pages(arg); ++ return -ENOMEM; ++ } ++ } ++ return 0; ++} + + /* + * Public functions +@@ -261,10 +285,16 @@ int gssp_accept_sec_context_upcall(struct net *net, + arg.context_handle = &ctxh; + res.output_token->len = GSSX_max_output_token_sz; + ++ ret = gssp_alloc_receive_pages(&arg); ++ if (ret) ++ return ret; ++ + /* use nfs/ for targ_name ? */ + + ret = gssp_call(net, &msg); + ++ gssp_free_receive_pages(&arg); ++ + /* we need to fetch all data even in case of error so + * that we can free special strctures is they have been allocated */ + data->major_status = res.status.major_status; +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c +index 3c19c7d..f0f78c5 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.c ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c +@@ -780,6 +780,9 @@ void gssx_enc_accept_sec_context(struct rpc_rqst *req, + /* arg->options */ + err = dummy_enc_opt_array(xdr, &arg->options); + ++ xdr_inline_pages(&req->rq_rcv_buf, ++ PAGE_SIZE/2 /* pretty arbitrary */, ++ arg->pages, 0 /* page base */, arg->npages * PAGE_SIZE); + done: + if (err) + dprintk("RPC: gssx_enc_accept_sec_context: %d\n", err); +diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h +index 1c98b27..685a688 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_xdr.h ++++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h +@@ -147,6 +147,8 @@ struct gssx_arg_accept_sec_context { + struct gssx_cb *input_cb; + u32 ret_deleg_cred; + struct gssx_option_array options; ++ struct page **pages; ++ unsigned int npages; + }; + + struct gssx_res_accept_sec_context { +@@ -240,7 +242,8 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, + 2 * GSSX_max_princ_sz + \ + 8 + 8 + 4 + 4 + 4) + #define GSSX_max_output_token_sz 1024 +-#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4) ++/* grouplist not included; we allocate separate pages for that: */ ++#define GSSX_max_creds_sz (4 + 4 + 4 /* + NGROUPS_MAX*4 */) + #define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \ + GSSX_default_ctx_sz + \ + GSSX_max_output_token_sz + \ +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch b/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch new file mode 100644 index 000000000..fae0dcd60 --- /dev/null +++ b/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch @@ -0,0 +1,52 @@ +From: "J. Bruce Fields" + +commit d4a516560fc96a9d486a9939bcb567e3fdce8f49 upstream. + +In theory the linux cred in a gssproxy reply can include up to +NGROUPS_MAX data, 256K of data. In the common case we expect it to be +shorter. So do as the nfsv3 ACL code does and let the xdr code allocate +the pages as they come in, instead of allocating a lot of pages that +won't typically be used. + +Tested-by: Simo Sorce +Signed-off-by: J. Bruce Fields +--- + net/sunrpc/auth_gss/gss_rpc_upcall.c | 16 ++++++---------- + 1 file changed, 6 insertions(+), 10 deletions(-) + +diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c +index be95af3..f1eb0d1 100644 +--- a/net/sunrpc/auth_gss/gss_rpc_upcall.c ++++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c +@@ -223,18 +223,14 @@ static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg) + + static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg) + { +- int i; +- + arg->npages = DIV_ROUND_UP(NGROUPS_MAX * 4, PAGE_SIZE); + arg->pages = kzalloc(arg->npages * sizeof(struct page *), GFP_KERNEL); +- +- for (i=0; i < arg->npages; i++) { +- arg->pages[i] = alloc_page(GFP_KERNEL); +- if (arg->pages[i] == NULL) { +- gssp_free_receive_pages(arg); +- return -ENOMEM; +- } +- } ++ /* ++ * XXX: actual pages are allocated by xdr layer in ++ * xdr_partial_copy_from_skb. ++ */ ++ if (!arg->pages) ++ return -ENOMEM; + return 0; + } + +-- +1.7.9.5 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-nfs" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file From 2f00632219515781ea4a23369cd498abe3a0535b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Sep 2013 10:36:00 -0400 Subject: [PATCH 215/468] Fix broken skge driver (rhbz 1008328) --- 0001-skge-fix-broken-driver.patch | 62 +++++++++++++++++++++++++++++++ kernel.spec | 7 ++++ 2 files changed, 69 insertions(+) create mode 100644 0001-skge-fix-broken-driver.patch diff --git a/0001-skge-fix-broken-driver.patch b/0001-skge-fix-broken-driver.patch new file mode 100644 index 000000000..7ca3dec4a --- /dev/null +++ b/0001-skge-fix-broken-driver.patch @@ -0,0 +1,62 @@ +From c194992cbe71c20bb3623a566af8d11b0bfaa721 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Thu, 19 Sep 2013 14:13:17 -0400 +Subject: [PATCH] skge: fix broken driver + +The patch 136d8f377e1575463b47840bc5f1b22d94bf8f63 broke the skge driver. +Note this part of the patch: ++ if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { ++ dev_kfree_skb(nskb); ++ goto resubmit; ++ } ++ + pci_unmap_single(skge->hw->pdev, + dma_unmap_addr(e, mapaddr), + dma_unmap_len(e, maplen), + PCI_DMA_FROMDEVICE); + skb = e->skb; + prefetch(skb->data); +- skge_rx_setup(skge, e, nskb, skge->rx_buf_size); + +The function skge_rx_setup modifies e->skb to point to the new skb. Thus, +after this change, the new buffer, not the old, is returned to the +networking stack. + +This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should +be queued for 3.11-stable. + +Signed-off-by: Mikulas Patocka +Reported-by: Mikulas Patocka +Reported-by: Vasiliy Glazov +Tested-by: Mikulas Patocka +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/marvell/skge.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c +index ef94a59..1a9c4f6 100644 +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -3092,6 +3092,9 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, + if (!nskb) + goto resubmit; + ++ skb = e->skb; ++ prefetch(skb->data); ++ + if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { + dev_kfree_skb(nskb); + goto resubmit; +@@ -3101,8 +3104,6 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, + dma_unmap_addr(e, mapaddr), + dma_unmap_len(e, maplen), + PCI_DMA_FROMDEVICE); +- skb = e->skb; +- prefetch(skb->data); + } + + skb_put(skb, len); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 238396680..58511a42f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -763,6 +763,9 @@ Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 928561 Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +#rhbz 1008323 +Patch25106: 0001-skge-fix-broken-driver.patch + #rhbz 997705 Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -1486,6 +1489,9 @@ ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch ApplyPatch rpc-fix-huge-kmallocs-in-gss-proxy.patch ApplyPatch rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch +#rhbz 1008323 +ApplyPatch 0001-skge-fix-broken-driver.patch + # END OF PATCH APPLICATIONS %endif @@ -2299,6 +2305,7 @@ fi %changelog * Fri Sep 20 2013 Josh Boyer +- Fix broken skge driver (rhbz 1008328) - Fix large order rpc allocations (rhbz 997705) - Fix multimedia keys on Genius GX keyboard (rhbz 928561) From c55da11e53733d0d305174b697d29ccfde27b74d Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 20 Sep 2013 11:18:49 -0400 Subject: [PATCH 216/468] Fix RTC updates from ntp (rhbz 985522) --- kernel.spec | 7 +++ ...ke-periodic-RTC-update-more-reliable.patch | 44 +++++++++++++++++++ 2 files changed, 51 insertions(+) create mode 100644 ntp-Make-periodic-RTC-update-more-reliable.patch diff --git a/kernel.spec b/kernel.spec index 58511a42f..c406a2f4a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -766,6 +766,9 @@ Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch #rhbz 1008323 Patch25106: 0001-skge-fix-broken-driver.patch +#rhbz 985522 +Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch + #rhbz 997705 Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -1483,6 +1486,9 @@ ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 928561 ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +#rhbz 985522 +ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch + #rhbz 997705 ApplyPatch rpc-clean-up-decoding-of-gssproxy-linux-creds.patch ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -2305,6 +2311,7 @@ fi %changelog * Fri Sep 20 2013 Josh Boyer +- Fix RTC updates from ntp (rhbz 985522) - Fix broken skge driver (rhbz 1008328) - Fix large order rpc allocations (rhbz 997705) - Fix multimedia keys on Genius GX keyboard (rhbz 928561) diff --git a/ntp-Make-periodic-RTC-update-more-reliable.patch b/ntp-Make-periodic-RTC-update-more-reliable.patch new file mode 100644 index 000000000..59179e719 --- /dev/null +++ b/ntp-Make-periodic-RTC-update-more-reliable.patch @@ -0,0 +1,44 @@ +From a97ad0c4b447a132a322cedc3a5f7fa4cab4b304 Mon Sep 17 00:00:00 2001 +From: Miroslav Lichvar +Date: Thu, 1 Aug 2013 19:31:35 +0200 +Subject: [PATCH] ntp: Make periodic RTC update more reliable + +The current code requires that the scheduled update of the RTC happens +in the closest tick to the half of the second. This seems to be +difficult to achieve reliably. The scheduled work may be missing the +target time by a tick or two and be constantly rescheduled every second. + +Relax the limit to 10 ticks. As a typical RTC drifts in the 11-minute +update interval by several milliseconds, this shouldn't affect the +overall accuracy of the RTC much. + +Signed-off-by: Miroslav Lichvar +Signed-off-by: John Stultz +--- + kernel/time/ntp.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c +index 8f5b3b9..ab1fa7c 100644 +--- a/kernel/time/ntp.c ++++ b/kernel/time/ntp.c +@@ -475,6 +475,7 @@ static void sync_cmos_clock(struct work_struct *work) + * called as close as possible to 500 ms before the new second starts. + * This code is run on a timer. If the clock is set, that timer + * may not expire at the correct time. Thus, we adjust... ++ * We want the clock to be within a couple of ticks from the target. + */ + if (!ntp_synced()) { + /* +@@ -485,7 +486,7 @@ static void sync_cmos_clock(struct work_struct *work) + } + + getnstimeofday(&now); +- if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec / 2) { ++ if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec * 5) { + struct timespec adjust = now; + + fail = -ENODEV; +-- +1.7.9.5 + From fb45a1ba5539392a89d800eac7a6e6fe08b9a3a5 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 23 Sep 2013 09:40:51 -0400 Subject: [PATCH 217/468] Revert rt2x00 commit that breaks connectivity (rhbz 1010431) --- ...00pci-Use-PCI-MSIs-whenever-possible.patch | 59 +++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 68 insertions(+) create mode 100644 Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch diff --git a/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch b/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch new file mode 100644 index 000000000..4e48620ec --- /dev/null +++ b/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch @@ -0,0 +1,59 @@ +This reverts commit 9483f40d8d01918b399b4e24d0c1111db0afffeb. + +Some devices stop to connect with above commit, see: +https://bugzilla.kernel.org/show_bug.cgi?id=61621 + +Since there is no clear benefit of having MSI enabled, just revert +change to fix the problem. + +Cc: stable@vger.kernel.org # 3.11+ +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/rt2x00/rt2x00pci.c | 9 +-------- + 1 file changed, 1 insertion(+), 8 deletions(-) + +diff --git a/drivers/net/wireless/rt2x00/rt2x00pci.c b/drivers/net/wireless/rt2x00/rt2x00pci.c +index 76d95de..dc49e52 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00pci.c ++++ b/drivers/net/wireless/rt2x00/rt2x00pci.c +@@ -105,13 +105,11 @@ int rt2x00pci_probe(struct pci_dev *pci_dev, const struct rt2x00_ops *ops) + goto exit_release_regions; + } + +- pci_enable_msi(pci_dev); +- + hw = ieee80211_alloc_hw(sizeof(struct rt2x00_dev), ops->hw); + if (!hw) { + rt2x00_probe_err("Failed to allocate hardware\n"); + retval = -ENOMEM; +- goto exit_disable_msi; ++ goto exit_release_regions; + } + + pci_set_drvdata(pci_dev, hw); +@@ -152,9 +150,6 @@ exit_free_reg: + exit_free_device: + ieee80211_free_hw(hw); + +-exit_disable_msi: +- pci_disable_msi(pci_dev); +- + exit_release_regions: + pci_release_regions(pci_dev); + +@@ -179,8 +174,6 @@ void rt2x00pci_remove(struct pci_dev *pci_dev) + rt2x00pci_free_reg(rt2x00dev); + ieee80211_free_hw(hw); + +- pci_disable_msi(pci_dev); +- + /* + * Free the PCI device data. + */ +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-wireless" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/kernel.spec b/kernel.spec index c406a2f4a..8b1a7753f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -769,6 +769,9 @@ Patch25106: 0001-skge-fix-broken-driver.patch #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch +#rhbz 1010431 +Patch25108: Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch + #rhbz 997705 Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -1489,6 +1492,9 @@ ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch +#rhbz 1010431 +ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch + #rhbz 997705 ApplyPatch rpc-clean-up-decoding-of-gssproxy-linux-creds.patch ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -2310,6 +2316,9 @@ fi # and build. %changelog +* Mon Sep 23 2013 Josh Boyer +- Revert rt2x00 commit that breaks connectivity (rhbz 1010431) + * Fri Sep 20 2013 Josh Boyer - Fix RTC updates from ntp (rhbz 985522) - Fix broken skge driver (rhbz 1008328) From 49c2aee58d4cfc712383a4f9771ec01284d48408 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Mon, 23 Sep 2013 10:46:25 -0400 Subject: [PATCH 218/468] Resolves: rhbz 971893 --- bonding-driver-alb-learning.patch | 155 ++++++++++++++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 164 insertions(+) create mode 100644 bonding-driver-alb-learning.patch diff --git a/bonding-driver-alb-learning.patch b/bonding-driver-alb-learning.patch new file mode 100644 index 000000000..c7f8e8f6b --- /dev/null +++ b/bonding-driver-alb-learning.patch @@ -0,0 +1,155 @@ +commit 7eacd03810960823393521063734fc8188446bca +Author: Neil Horman +Date: Fri Sep 13 11:05:33 2013 -0400 + + bonding: Make alb learning packet interval configurable + + running bonding in ALB mode requires that learning packets be sent periodically, + so that the switch knows where to send responding traffic. However, depending + on switch configuration, there may not be any need to send traffic at the + default rate of 3 packets per second, which represents little more than wasted + data. Allow the ALB learning packet interval to be made configurable via sysfs + + Signed-off-by: Neil Horman + Acked-by: Acked-by: Veaceslav Falico + CC: Jay Vosburgh + CC: Andy Gospodarek + CC: "David S. Miller" + Signed-off-by: Andy Gospodarek + Signed-off-by: David S. Miller + +diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt +index 87bbcfe..9b28e71 100644 +--- a/Documentation/networking/bonding.txt ++++ b/Documentation/networking/bonding.txt +@@ -1362,6 +1362,12 @@ To add ARP targets: + To remove an ARP target: + # echo -192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target + ++To configure the interval between learning packet transmits: ++# echo 12 > /sys/class/net/bond0/bonding/lp_interval ++ NOTE: the lp_inteval is the number of seconds between instances where ++the bonding driver sends learning packets to each slaves peer switch. The ++default interval is 1 second. ++ + Example Configuration + --------------------- + We begin with the same example that is shown in section 3.3, +diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c +index 91f179d..f428ef57 100644 +--- a/drivers/net/bonding/bond_alb.c ++++ b/drivers/net/bonding/bond_alb.c +@@ -1472,7 +1472,7 @@ void bond_alb_monitor(struct work_struct *work) + bond_info->lp_counter++; + + /* send learning packets */ +- if (bond_info->lp_counter >= BOND_ALB_LP_TICKS) { ++ if (bond_info->lp_counter >= BOND_ALB_LP_TICKS(bond)) { + /* change of curr_active_slave involves swapping of mac addresses. + * in order to avoid this swapping from happening while + * sending the learning packets, the curr_slave_lock must be held for +diff --git a/drivers/net/bonding/bond_alb.h b/drivers/net/bonding/bond_alb.h +index 28d8e4c..c5eff5d 100644 +--- a/drivers/net/bonding/bond_alb.h ++++ b/drivers/net/bonding/bond_alb.h +@@ -36,14 +36,15 @@ struct slave; + * Used for division - never set + * to zero !!! + */ +-#define BOND_ALB_LP_INTERVAL 1 /* In seconds, periodic send of +- * learning packets to the switch +- */ ++#define BOND_ALB_DEFAULT_LP_INTERVAL 1 ++#define BOND_ALB_LP_INTERVAL(bond) (bond->params.lp_interval) /* In seconds, periodic send of ++ * learning packets to the switch ++ */ + + #define BOND_TLB_REBALANCE_TICKS (BOND_TLB_REBALANCE_INTERVAL \ + * ALB_TIMER_TICKS_PER_SEC) + +-#define BOND_ALB_LP_TICKS (BOND_ALB_LP_INTERVAL \ ++#define BOND_ALB_LP_TICKS(bond) (BOND_ALB_LP_INTERVAL(bond) \ + * ALB_TIMER_TICKS_PER_SEC) + + #define TLB_HASH_TABLE_SIZE 256 /* The size of the clients hash table. +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 72df399..55bbb8b 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -4416,6 +4416,7 @@ static int bond_check_params(struct bond_params *params) + params->all_slaves_active = all_slaves_active; + params->resend_igmp = resend_igmp; + params->min_links = min_links; ++ params->lp_interval = BOND_ALB_DEFAULT_LP_INTERVAL; + + if (primary) { + strncpy(params->primary, primary, IFNAMSIZ); +diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c +index eeab40b..c29b836 100644 +--- a/drivers/net/bonding/bond_sysfs.c ++++ b/drivers/net/bonding/bond_sysfs.c +@@ -1699,6 +1699,44 @@ out: + static DEVICE_ATTR(resend_igmp, S_IRUGO | S_IWUSR, + bonding_show_resend_igmp, bonding_store_resend_igmp); + ++ ++static ssize_t bonding_show_lp_interval(struct device *d, ++ struct device_attribute *attr, ++ char *buf) ++{ ++ struct bonding *bond = to_bond(d); ++ return sprintf(buf, "%d\n", bond->params.lp_interval); ++} ++ ++static ssize_t bonding_store_lp_interval(struct device *d, ++ struct device_attribute *attr, ++ const char *buf, size_t count) ++{ ++ struct bonding *bond = to_bond(d); ++ int new_value, ret = count; ++ ++ if (sscanf(buf, "%d", &new_value) != 1) { ++ pr_err("%s: no lp interval value specified.\n", ++ bond->dev->name); ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ if (new_value <= 0) { ++ pr_err ("%s: lp_interval must be between 1 and %d\n", ++ bond->dev->name, INT_MAX); ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ bond->params.lp_interval = new_value; ++out: ++ return ret; ++} ++ ++static DEVICE_ATTR(lp_interval, S_IRUGO | S_IWUSR, ++ bonding_show_lp_interval, bonding_store_lp_interval); ++ + static struct attribute *per_bond_attrs[] = { + &dev_attr_slaves.attr, + &dev_attr_mode.attr, +@@ -1729,6 +1767,7 @@ static struct attribute *per_bond_attrs[] = { + &dev_attr_all_slaves_active.attr, + &dev_attr_resend_igmp.attr, + &dev_attr_min_links.attr, ++ &dev_attr_lp_interval.attr, + NULL, + }; + +diff --git a/drivers/net/bonding/bonding.h b/drivers/net/bonding/bonding.h +index 7ad8bd5..03cf3fd 100644 +--- a/drivers/net/bonding/bonding.h ++++ b/drivers/net/bonding/bonding.h +@@ -176,6 +176,7 @@ struct bond_params { + int tx_queues; + int all_slaves_active; + int resend_igmp; ++ int lp_interval; + }; + + struct bond_parm_tbl { diff --git a/kernel.spec b/kernel.spec index 8b1a7753f..c88c7760e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -772,6 +772,9 @@ Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch #rhbz 1010431 Patch25108: Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch +#rhbz 971893 +Patch25109: bonding-driver-alb-learning.patch + #rhbz 997705 Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -1495,6 +1498,9 @@ ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch #rhbz 1010431 ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch +#rhbz 971893 +ApplyPatch bonding-driver-alb-learning.patch + #rhbz 997705 ApplyPatch rpc-clean-up-decoding-of-gssproxy-linux-creds.patch ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch @@ -2316,6 +2322,9 @@ fi # and build. %changelog +* Mon Sep 23 2013 Neil Horman +- Add alb learning packet config knob (rhbz 971893) + * Mon Sep 23 2013 Josh Boyer - Revert rt2x00 commit that breaks connectivity (rhbz 1010431) From 6dc9f1171b0fff53fd405cf6813086fd93a07425 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 25 Sep 2013 10:18:45 -0400 Subject: [PATCH 219/468] Add another fix for skge (rhbz 1008323) --- kernel.spec | 5 ++ ...alid-value-passed-to-pci_unmap_sigle.patch | 61 +++++++++++++++++++ 2 files changed, 66 insertions(+) create mode 100644 skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch diff --git a/kernel.spec b/kernel.spec index c88c7760e..0f6b4196a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -765,6 +765,7 @@ Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch #rhbz 1008323 Patch25106: 0001-skge-fix-broken-driver.patch +Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch @@ -1509,6 +1510,7 @@ ApplyPatch rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch #rhbz 1008323 ApplyPatch 0001-skge-fix-broken-driver.patch +ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch # END OF PATCH APPLICATIONS @@ -2322,6 +2324,9 @@ fi # and build. %changelog +* Wed Sep 25 2013 Josh Boyer +- Add another fix for skge (rhbz 1008323) + * Mon Sep 23 2013 Neil Horman - Add alb learning packet config knob (rhbz 971893) diff --git a/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch b/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch new file mode 100644 index 000000000..908e0c751 --- /dev/null +++ b/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch @@ -0,0 +1,61 @@ +From 3361dc9538832a2a9150a8c722374ca844bf8dc8 Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Fri, 20 Sep 2013 17:53:22 +0000 +Subject: skge: fix invalid value passed to pci_unmap_sigle + +In my patch c194992cbe71c20bb3623a566af8d11b0bfaa721 ("skge: fix +broken driver") I didn't fix the skge bug correctly. The value of the +new mapping (not old) was passed to pci_unmap_single. + +If we enable CONFIG_DMA_API_DEBUG, it results in this warning: +WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:986 check_sync+0x4c4/0x580() +skge 0000:02:07.0: DMA-API: device driver tries to sync DMA memory it has +not allocated [device address=0x000000023a0096c0] [size=1536 bytes] + +This patch makes the skge driver pass the correct value to +pci_unmap_single and fixes the warning. It copies the old descriptor to +on-stack variable "ee" and unmaps it if mapping of the new descriptor +succeeded. + +This patch should be backported to 3.11-stable. + +Signed-off-by: Mikulas Patocka +Reported-by: Francois Romieu +Tested-by: Mikulas Patocka +Signed-off-by: David S. Miller +--- +diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c +index 1a9c4f6..ecc7f7b 100644 +--- a/drivers/net/ethernet/marvell/skge.c ++++ b/drivers/net/ethernet/marvell/skge.c +@@ -3086,13 +3086,16 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, + PCI_DMA_FROMDEVICE); + skge_rx_reuse(e, skge->rx_buf_size); + } else { ++ struct skge_element ee; + struct sk_buff *nskb; + + nskb = netdev_alloc_skb_ip_align(dev, skge->rx_buf_size); + if (!nskb) + goto resubmit; + +- skb = e->skb; ++ ee = *e; ++ ++ skb = ee.skb; + prefetch(skb->data); + + if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { +@@ -3101,8 +3104,8 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, + } + + pci_unmap_single(skge->hw->pdev, +- dma_unmap_addr(e, mapaddr), +- dma_unmap_len(e, maplen), ++ dma_unmap_addr(&ee, mapaddr), ++ dma_unmap_len(&ee, maplen), + PCI_DMA_FROMDEVICE); + } + +-- +cgit v0.9.2 From b74dc3c3f03c8283d69996346124d183c97c6ecc Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 25 Sep 2013 10:16:57 -0500 Subject: [PATCH 220/468] bump baserelease for test build --- kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 0f6b4196a..0abba30bc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2324,6 +2324,9 @@ fi # and build. %changelog +* Wed Sep 25 2013 Justin M. Forbes +- Bump baserelease for test build + * Wed Sep 25 2013 Josh Boyer - Add another fix for skge (rhbz 1008323) From 2ef266362a6baa750df9401ee157974a2fec93ad Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 27 Sep 2013 06:58:24 -0500 Subject: [PATCH 221/468] Linux v3.11.2 --- ...rt-fixup-for-Genius-Gx-Imperator-Key.patch | 118 ------- HID-CVE-fixes-3.11.patch | 291 ------------------ acpi-pcie-hotplug-conflict.patch | 149 --------- crypto-fix-race-in-larval-lookup.patch | 44 --- kernel.spec | 21 +- sources | 2 +- 6 files changed, 4 insertions(+), 621 deletions(-) delete mode 100644 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch delete mode 100644 acpi-pcie-hotplug-conflict.patch delete mode 100644 crypto-fix-race-in-larval-lookup.patch diff --git a/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch b/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch deleted file mode 100644 index b7bbf77b6..000000000 --- a/0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch +++ /dev/null @@ -1,118 +0,0 @@ -From 0adb9c2c5ed42f199cb2a630c37d18dee385fae2 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Mon, 15 Jul 2013 10:12:18 +0200 -Subject: [PATCH] HID: kye: Add report fixup for Genius Gx Imperator Keyboard - -Genius Gx Imperator Keyboard presents the same problem in its report -descriptors than Genius Gila Gaming Mouse. -Use the same fixup for both. - -Fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=928561 - -Reported-and-tested-by: Honza Brazdil -Signed-off-by: Benjamin Tissoires -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 1 + - drivers/hid/hid-ids.h | 1 + - drivers/hid/hid-kye.c | 45 ++++++++++++++++++++++++++++----------------- - 3 files changed, 30 insertions(+), 17 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 8de5cb8..b0f2f45 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1594,6 +1594,7 @@ static const struct hid_device_id hid_have_special_driver[] = { - { HID_USB_DEVICE(USB_VENDOR_ID_KENSINGTON, USB_DEVICE_ID_KS_SLIMBLADE) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KEYTOUCH, USB_DEVICE_ID_KEYTOUCH_IEC) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_ERGO_525V) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_EASYPEN_I405X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, USB_DEVICE_ID_KYE_MOUSEPEN_I608X) }, -diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h -index c5aea29..0288531 100644 ---- a/drivers/hid/hid-ids.h -+++ b/drivers/hid/hid-ids.h -@@ -479,6 +479,7 @@ - #define USB_VENDOR_ID_KYE 0x0458 - #define USB_DEVICE_ID_KYE_ERGO_525V 0x0087 - #define USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE 0x0138 -+#define USB_DEVICE_ID_GENIUS_GX_IMPERATOR 0x4018 - #define USB_DEVICE_ID_KYE_GPEN_560 0x5003 - #define USB_DEVICE_ID_KYE_EASYPEN_I405X 0x5010 - #define USB_DEVICE_ID_KYE_MOUSEPEN_I608X 0x5011 -diff --git a/drivers/hid/hid-kye.c b/drivers/hid/hid-kye.c -index 1e2ee2aa..7384512 100644 ---- a/drivers/hid/hid-kye.c -+++ b/drivers/hid/hid-kye.c -@@ -268,6 +268,26 @@ static __u8 easypen_m610x_rdesc_fixed[] = { - 0xC0 /* End Collection */ - }; - -+static __u8 *kye_consumer_control_fixup(struct hid_device *hdev, __u8 *rdesc, -+ unsigned int *rsize, int offset, const char *device_name) { -+ /* -+ * the fixup that need to be done: -+ * - change Usage Maximum in the Comsumer Control -+ * (report ID 3) to a reasonable value -+ */ -+ if (*rsize >= offset + 31 && -+ /* Usage Page (Consumer Devices) */ -+ rdesc[offset] == 0x05 && rdesc[offset + 1] == 0x0c && -+ /* Usage (Consumer Control) */ -+ rdesc[offset + 2] == 0x09 && rdesc[offset + 3] == 0x01 && -+ /* Usage Maximum > 12287 */ -+ rdesc[offset + 10] == 0x2a && rdesc[offset + 12] > 0x2f) { -+ hid_info(hdev, "fixing up %s report descriptor\n", device_name); -+ rdesc[offset + 12] = 0x2f; -+ } -+ return rdesc; -+} -+ - static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - unsigned int *rsize) - { -@@ -315,23 +335,12 @@ static __u8 *kye_report_fixup(struct hid_device *hdev, __u8 *rdesc, - } - break; - case USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE: -- /* -- * the fixup that need to be done: -- * - change Usage Maximum in the Comsumer Control -- * (report ID 3) to a reasonable value -- */ -- if (*rsize >= 135 && -- /* Usage Page (Consumer Devices) */ -- rdesc[104] == 0x05 && rdesc[105] == 0x0c && -- /* Usage (Consumer Control) */ -- rdesc[106] == 0x09 && rdesc[107] == 0x01 && -- /* Usage Maximum > 12287 */ -- rdesc[114] == 0x2a && rdesc[116] > 0x2f) { -- hid_info(hdev, -- "fixing up Genius Gila Gaming Mouse " -- "report descriptor\n"); -- rdesc[116] = 0x2f; -- } -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 104, -+ "Genius Gila Gaming Mouse"); -+ break; -+ case USB_DEVICE_ID_GENIUS_GX_IMPERATOR: -+ rdesc = kye_consumer_control_fixup(hdev, rdesc, rsize, 83, -+ "Genius Gx Imperator Keyboard"); - break; - } - return rdesc; -@@ -428,6 +437,8 @@ static const struct hid_device_id kye_devices[] = { - USB_DEVICE_ID_KYE_EASYPEN_M610X) }, - { HID_USB_DEVICE(USB_VENDOR_ID_KYE, - USB_DEVICE_ID_GENIUS_GILA_GAMING_MOUSE) }, -+ { HID_USB_DEVICE(USB_VENDOR_ID_KYE, -+ USB_DEVICE_ID_GENIUS_GX_IMPERATOR) }, - { } - }; - MODULE_DEVICE_TABLE(hid, kye_devices); --- -1.8.3.1 - diff --git a/HID-CVE-fixes-3.11.patch b/HID-CVE-fixes-3.11.patch index b2d7f1990..4cdc59429 100644 --- a/HID-CVE-fixes-3.11.patch +++ b/HID-CVE-fixes-3.11.patch @@ -1,83 +1,3 @@ -From aab9cb0a00ecdd937273f3b9649311d81bf4f0cb Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:29:55 +0200 -Subject: [PATCH 01/16] HID: validate HID report id size - -The "Report ID" field of a HID report is used to build indexes of -reports. The kernel's index of these is limited to 256 entries, so any -malicious device that sets a Report ID greater than 255 will trigger -memory corruption on the host: - -[ 1347.156239] BUG: unable to handle kernel paging request at ffff88094958a878 -[ 1347.156261] IP: [] hid_register_report+0x2a/0x8b - -CVE-2013-2888 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 10 +++++++--- - include/linux/hid.h | 4 +++- - 2 files changed, 10 insertions(+), 4 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 36668d1..5ea7d51 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -63,6 +63,8 @@ struct hid_report *hid_register_report(struct hid_device *device, unsigned type, - struct hid_report_enum *report_enum = device->report_enum + type; - struct hid_report *report; - -+ if (id >= HID_MAX_IDS) -+ return NULL; - if (report_enum->report_id_hash[id]) - return report_enum->report_id_hash[id]; - -@@ -404,8 +406,10 @@ static int hid_parser_global(struct hid_parser *parser, struct hid_item *item) - - case HID_GLOBAL_ITEM_TAG_REPORT_ID: - parser->global.report_id = item_udata(item); -- if (parser->global.report_id == 0) { -- hid_err(parser->device, "report_id 0 is invalid\n"); -+ if (parser->global.report_id == 0 || -+ parser->global.report_id >= HID_MAX_IDS) { -+ hid_err(parser->device, "report_id %u is invalid\n", -+ parser->global.report_id); - return -1; - } - return 0; -@@ -575,7 +579,7 @@ static void hid_close_report(struct hid_device *device) - for (i = 0; i < HID_REPORT_TYPES; i++) { - struct hid_report_enum *report_enum = device->report_enum + i; - -- for (j = 0; j < 256; j++) { -+ for (j = 0; j < HID_MAX_IDS; j++) { - struct hid_report *report = report_enum->report_id_hash[j]; - if (report) - hid_free_report(report); -diff --git a/include/linux/hid.h b/include/linux/hid.h -index 0c48991..ff545cc 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -393,10 +393,12 @@ struct hid_report { - struct hid_device *device; /* associated device */ - }; - -+#define HID_MAX_IDS 256 -+ - struct hid_report_enum { - unsigned numbered; - struct list_head report_list; -- struct hid_report *report_id_hash[256]; -+ struct hid_report *report_id_hash[HID_MAX_IDS]; - }; - - #define HID_REPORT_TYPES 3 --- -1.8.3.1 - - From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001 From: Kees Cook Date: Wed, 11 Sep 2013 21:56:50 +0200 @@ -906,214 +826,3 @@ index 762d988..31cf29a 100644 -- 1.8.3.1 - - -From b2438ded3cdd8d6d6af77d9bce38d2d8f353a790 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:32:01 +0200 -Subject: [PATCH 12/16] HID: check for NULL field when setting values - -Defensively check that the field to be worked on is not NULL. - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-core.c | 7 ++++++- - 1 file changed, 6 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 08500bc..e331cb1 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -1212,7 +1212,12 @@ EXPORT_SYMBOL_GPL(hid_output_report); - - int hid_set_field(struct hid_field *field, unsigned offset, __s32 value) - { -- unsigned size = field->report_size; -+ unsigned size; -+ -+ if (!field) -+ return -1; -+ -+ size = field->report_size; - - hid_dump_input(field->report->device, field->usage + offset, value); - --- -1.8.3.1 - - -From d0502783cdafcdb0a677492c43a373748d900d50 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:30:49 +0200 -Subject: [PATCH 13/16] HID: pantherlord: validate output report details - -A HID device could send a malicious output report that would cause the -pantherlord HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 310.939483] usb 1-1: New USB device found, idVendor=0e8f, idProduct=0003 -... -[ 315.980774] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2892 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-pl.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-pl.c b/drivers/hid/hid-pl.c -index d29112f..2dcd7d9 100644 ---- a/drivers/hid/hid-pl.c -+++ b/drivers/hid/hid-pl.c -@@ -132,8 +132,14 @@ static int plff_init(struct hid_device *hid) - strong = &report->field[0]->value[2]; - weak = &report->field[0]->value[3]; - debug("detected single-field device"); -- } else if (report->maxfield >= 4 && report->field[0]->maxusage == 1 && -- report->field[0]->usage[0].hid == (HID_UP_LED | 0x43)) { -+ } else if (report->field[0]->maxusage == 1 && -+ report->field[0]->usage[0].hid == -+ (HID_UP_LED | 0x43) && -+ report->maxfield >= 4 && -+ report->field[0]->report_count >= 1 && -+ report->field[1]->report_count >= 1 && -+ report->field[2]->report_count >= 1 && -+ report->field[3]->report_count >= 1) { - report->field[0]->value[0] = 0x00; - report->field[1]->value[0] = 0x00; - strong = &report->field[2]->value[0]; --- -1.8.3.1 - - -From dc4db3b624cc7bf6972817615af88e250a8526cc Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:28 +0200 -Subject: [PATCH 14/16] HID: ntrig: validate feature report details - -A HID device could send a malicious feature report that would cause the -ntrig HID driver to trigger a NULL dereference during initialization: - -[57383.031190] usb 3-1: New USB device found, idVendor=1b96, idProduct=0001 -... -[57383.315193] BUG: unable to handle kernel NULL pointer dereference at 0000000000000030 -[57383.315308] IP: [] ntrig_probe+0x25e/0x420 [hid_ntrig] - -CVE-2013-2896 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Signed-off-by: Rafi Rubin -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-ntrig.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-ntrig.c b/drivers/hid/hid-ntrig.c -index ef95102..5482156 100644 ---- a/drivers/hid/hid-ntrig.c -+++ b/drivers/hid/hid-ntrig.c -@@ -115,7 +115,8 @@ static inline int ntrig_get_mode(struct hid_device *hdev) - struct hid_report *report = hdev->report_enum[HID_FEATURE_REPORT]. - report_id_hash[0x0d]; - -- if (!report) -+ if (!report || report->maxfield < 1 || -+ report->field[0]->report_count < 1) - return -EINVAL; - - hid_hw_request(hdev, report, HID_REQ_GET_REPORT); --- -1.8.3.1 - - -From 34490675479f16680a60726632ad2e808eab54bd Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:44 +0200 -Subject: [PATCH 15/16] HID: sensor-hub: validate feature report details - -A HID device could send a malicious feature report that would cause the -sensor-hub HID driver to read past the end of heap allocation, leaking -kernel memory contents to the caller. - -CVE-2013-2898 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Reviewed-by: Mika Westerberg -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-sensor-hub.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-sensor-hub.c b/drivers/hid/hid-sensor-hub.c -index ca749810..aa34755 100644 ---- a/drivers/hid/hid-sensor-hub.c -+++ b/drivers/hid/hid-sensor-hub.c -@@ -221,7 +221,8 @@ int sensor_hub_get_feature(struct hid_sensor_hub_device *hsdev, u32 report_id, - - mutex_lock(&data->mutex); - report = sensor_hub_report(report_id, hsdev->hdev, HID_FEATURE_REPORT); -- if (!report || (field_index >= report->maxfield)) { -+ if (!report || (field_index >= report->maxfield) || -+ report->field[field_index]->report_count < 1) { - ret = -EINVAL; - goto done_proc; - } --- -1.8.3.1 - - -From a0155e41d3a7a9bd901368271d86ee1bb28d100f Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 28 Aug 2013 22:31:52 +0200 -Subject: [PATCH 16/16] HID: picolcd_core: validate output report details -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -A HID device could send a malicious output report that would cause the -picolcd HID driver to trigger a NULL dereference during attr file writing. - -[jkosina@suse.cz: changed - - report->maxfield < 1 - -to - - report->maxfield != 1 - -as suggested by Bruno]. - -CVE-2013-2899 - -Signed-off-by: Kees Cook -Cc: stable@kernel.org -Reviewed-by: Bruno Prémont -Acked-by: Bruno Prémont -Signed-off-by: Jiri Kosina ---- - drivers/hid/hid-picolcd_core.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-picolcd_core.c b/drivers/hid/hid-picolcd_core.c -index b48092d..acbb0210 100644 ---- a/drivers/hid/hid-picolcd_core.c -+++ b/drivers/hid/hid-picolcd_core.c -@@ -290,7 +290,7 @@ static ssize_t picolcd_operation_mode_store(struct device *dev, - buf += 10; - cnt -= 10; - } -- if (!report) -+ if (!report || report->maxfield != 1) - return -EINVAL; - - while (cnt > 0 && (buf[cnt-1] == '\n' || buf[cnt-1] == '\r')) --- -1.8.3.1 - diff --git a/acpi-pcie-hotplug-conflict.patch b/acpi-pcie-hotplug-conflict.patch deleted file mode 100644 index 4815b99fc..000000000 --- a/acpi-pcie-hotplug-conflict.patch +++ /dev/null @@ -1,149 +0,0 @@ -commit 3dc48af310709b85d07c8b0d3aa8f1ead02829d3 -Author: Neil Horman -Date: Thu Aug 29 16:17:05 2013 -0400 - - PCI/ACPI: Fix _OSC ordering to allow PCIe hotplug use when available - - This fixes the problem of acpiphp claiming slots that should be managed - by pciehp, which may keep ExpressCard slots from working. - - The acpiphp driver claims PCIe slots unless the BIOS has granted us - control of PCIe native hotplug via _OSC. Prior to v3.10, the acpiphp - .add method (add_bridge()) was always called *after* we had requested - native hotplug control with _OSC. - - But after 3b63aaa70e ("PCI: acpiphp: Do not use ACPI PCI subdriver - mechanism"), which appeared in v3.10, acpiphp initialization is done - during the bus scan via the pcibios_add_bus() hook, and this happens - *before* we request native hotplug control. - - Therefore, acpiphp doesn't know yet whether the BIOS will grant control, - and it claims slots that we should be handling with native hotplug. - - This patch requests native hotplug control earlier, so we know whether - the BIOS granted it to us before we initialize acpiphp. - - To avoid reintroducing the ASPM issue fixed by b8178f130e ('Revert - "PCI/ACPI: Request _OSC control before scanning PCI root bus"'), we run - _OSC earlier but defer the actual ASPM calls until after the bus scan is - complete. - - Tested successfully by myself. - - [bhelgaas: changelog, mark for stable] - Reference: https://bugzilla.kernel.org/show_bug.cgi?id=60736 - Signed-off-by: Neil Horman - Signed-off-by: Bjorn Helgaas - Acked-by: Yinghai Lu - CC: stable@vger.kernel.org # v3.10+ - CC: Len Brown - CC: "Rafael J. Wysocki" - -diff --git a/drivers/acpi/pci_root.c b/drivers/acpi/pci_root.c -index 5917839..a67853e 100644 ---- a/drivers/acpi/pci_root.c -+++ b/drivers/acpi/pci_root.c -@@ -378,6 +378,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - struct acpi_pci_root *root; - u32 flags, base_flags; - acpi_handle handle = device->handle; -+ bool no_aspm = false, clear_aspm = false; - - root = kzalloc(sizeof(struct acpi_pci_root), GFP_KERNEL); - if (!root) -@@ -437,27 +438,6 @@ static int acpi_pci_root_add(struct acpi_device *device, - flags = base_flags = OSC_PCI_SEGMENT_GROUPS_SUPPORT; - acpi_pci_osc_support(root, flags); - -- /* -- * TBD: Need PCI interface for enumeration/configuration of roots. -- */ -- -- /* -- * Scan the Root Bridge -- * -------------------- -- * Must do this prior to any attempt to bind the root device, as the -- * PCI namespace does not get created until this call is made (and -- * thus the root bridge's pci_dev does not exist). -- */ -- root->bus = pci_acpi_scan_root(root); -- if (!root->bus) { -- dev_err(&device->dev, -- "Bus %04x:%02x not present in PCI namespace\n", -- root->segment, (unsigned int)root->secondary.start); -- result = -ENODEV; -- goto end; -- } -- -- /* Indicate support for various _OSC capabilities. */ - if (pci_ext_cfg_avail()) - flags |= OSC_EXT_PCI_CONFIG_SUPPORT; - if (pcie_aspm_support_enabled()) { -@@ -471,7 +451,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - if (ACPI_FAILURE(status)) { - dev_info(&device->dev, "ACPI _OSC support " - "notification failed, disabling PCIe ASPM\n"); -- pcie_no_aspm(); -+ no_aspm = true; - flags = base_flags; - } - } -@@ -503,7 +483,7 @@ static int acpi_pci_root_add(struct acpi_device *device, - * We have ASPM control, but the FADT indicates - * that it's unsupported. Clear it. - */ -- pcie_clear_aspm(root->bus); -+ clear_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -512,7 +492,14 @@ static int acpi_pci_root_add(struct acpi_device *device, - acpi_format_exception(status), flags); - dev_info(&device->dev, - "ACPI _OSC control for PCIe not granted, disabling ASPM\n"); -- pcie_no_aspm(); -+ /* -+ * We want to disable ASPM here, but aspm_disabled -+ * needs to remain in its state from boot so that we -+ * properly handle PCIe 1.1 devices. So we set this -+ * flag here, to defer the action until after the ACPI -+ * root scan. -+ */ -+ no_aspm = true; - } - } else { - dev_info(&device->dev, -@@ -520,6 +507,33 @@ static int acpi_pci_root_add(struct acpi_device *device, - "(_OSC support mask: 0x%02x)\n", flags); - } - -+ /* -+ * TBD: Need PCI interface for enumeration/configuration of roots. -+ */ -+ -+ /* -+ * Scan the Root Bridge -+ * -------------------- -+ * Must do this prior to any attempt to bind the root device, as the -+ * PCI namespace does not get created until this call is made (and -+ * thus the root bridge's pci_dev does not exist). -+ */ -+ root->bus = pci_acpi_scan_root(root); -+ if (!root->bus) { -+ dev_err(&device->dev, -+ "Bus %04x:%02x not present in PCI namespace\n", -+ root->segment, (unsigned int)root->secondary.start); -+ result = -ENODEV; -+ goto end; -+ } -+ -+ if (clear_aspm) { -+ dev_info(&device->dev, "Disabling ASPM (FADT indicates it is unsupported)\n"); -+ pcie_clear_aspm(root->bus); -+ } -+ if (no_aspm) -+ pcie_no_aspm(); -+ - pci_acpi_add_bus_pm_notifier(device, root->bus); - if (device->wakeup.flags.run_wake) - device_set_run_wake(root->bus->bridge, true); diff --git a/crypto-fix-race-in-larval-lookup.patch b/crypto-fix-race-in-larval-lookup.patch deleted file mode 100644 index d1b19419e..000000000 --- a/crypto-fix-race-in-larval-lookup.patch +++ /dev/null @@ -1,44 +0,0 @@ -commit 77dbd7a95e4a4f15264c333a9e9ab97ee27dc2aa -Author: Herbert Xu -Date: Sun Sep 8 14:33:50 2013 +1000 - - crypto: api - Fix race condition in larval lookup - - crypto_larval_lookup should only return a larval if it created one. - Any larval created by another entity must be processed through - crypto_larval_wait before being returned. - - Otherwise this will lead to a larval being killed twice, which - will most likely lead to a crash. - - Cc: stable@vger.kernel.org - Reported-by: Kees Cook - Tested-by: Kees Cook - Signed-off-by: Herbert Xu - -diff --git a/crypto/api.c b/crypto/api.c -index 320ea4d..a2b39c5 100644 ---- a/crypto/api.c -+++ b/crypto/api.c -@@ -34,6 +34,8 @@ EXPORT_SYMBOL_GPL(crypto_alg_sem); - BLOCKING_NOTIFIER_HEAD(crypto_chain); - EXPORT_SYMBOL_GPL(crypto_chain); - -+static struct crypto_alg *crypto_larval_wait(struct crypto_alg *alg); -+ - struct crypto_alg *crypto_mod_get(struct crypto_alg *alg) - { - return try_module_get(alg->cra_module) ? crypto_alg_get(alg) : NULL; -@@ -144,8 +146,11 @@ static struct crypto_alg *crypto_larval_add(const char *name, u32 type, - } - up_write(&crypto_alg_sem); - -- if (alg != &larval->alg) -+ if (alg != &larval->alg) { - kfree(larval); -+ if (crypto_is_larval(alg)) -+ alg = crypto_larval_wait(alg); -+ } - - return alg; - } diff --git a/kernel.spec b/kernel.spec index 0abba30bc..3c8721d42 100644 --- a/kernel.spec +++ b/kernel.spec @@ -745,12 +745,6 @@ Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch #CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 Patch25099: HID-CVE-fixes-3.11.patch -#rhbz 963991 -Patch26000: acpi-pcie-hotplug-conflict.patch - -#rhbz 1002351 -Patch25100: crypto-fix-race-in-larval-lookup.patch - #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -760,9 +754,6 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch -#rhbz 928561 -Patch25105: 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch - #rhbz 1008323 Patch25106: 0001-skge-fix-broken-driver.patch Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch @@ -1475,12 +1466,6 @@ ApplyPatch HID-CVE-fixes-3.11.patch #rhbz 1000679 ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch -#rhbz 963991 -ApplyPatch acpi-pcie-hotplug-conflict.patch - -#rhbz1002351 -ApplyPatch crypto-fix-race-in-larval-lookup.patch - #CVE-2013-4343 rhbz 1007733 1007741 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -1490,9 +1475,6 @@ ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch #CVE-2013-4345 rhbz 1007690 1009136 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch -#rhbz 928561 -ApplyPatch 0001-HID-kye-Add-report-fixup-for-Genius-Gx-Imperator-Key.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch @@ -2324,6 +2306,9 @@ fi # and build. %changelog +* Fri Sep 27 2013 Justin M. Forbes +- Linux v3.11.2 + * Wed Sep 25 2013 Justin M. Forbes - Bump baserelease for test build diff --git a/sources b/sources index 1bb8782ae..9c3b8793c 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -43331cad943b9540afea49ad8ce5cf46 patch-3.11.1.xz +5aa3286dcc7d70ceb50c3cbc64bc1cd8 patch-3.11.2.xz From ba69e82dc2b8770f3040814731abd99d5863b7c4 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 27 Sep 2013 07:00:53 -0500 Subject: [PATCH 222/468] Fix the versioning, perhaps it is too early to be making changes... --- kernel.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index 3c8721d42..895db185f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 1 +%define stable_update 2 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2306,7 +2306,7 @@ fi # and build. %changelog -* Fri Sep 27 2013 Justin M. Forbes +* Fri Sep 27 2013 Justin M. Forbes - 3.11.2-200 - Linux v3.11.2 * Wed Sep 25 2013 Justin M. Forbes From ccf7bdaaadcaf353f77986c0ee3bd44a446e4d5b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 27 Sep 2013 09:22:47 -0400 Subject: [PATCH 223/468] Add patches to fix soft lockup from elevator changes (rhbz 902012) --- ...-a-race-in-elevator-switching-and-md.patch | 162 ++++++++++++++++++ ...uire-q-sysfs_lock-in-elevator_change.patch | 121 +++++++++++++ kernel.spec | 11 ++ 3 files changed, 294 insertions(+) create mode 100644 elevator-Fix-a-race-in-elevator-switching-and-md.patch create mode 100644 elevator-acquire-q-sysfs_lock-in-elevator_change.patch diff --git a/elevator-Fix-a-race-in-elevator-switching-and-md.patch b/elevator-Fix-a-race-in-elevator-switching-and-md.patch new file mode 100644 index 000000000..5517687ff --- /dev/null +++ b/elevator-Fix-a-race-in-elevator-switching-and-md.patch @@ -0,0 +1,162 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp55663oab; + Fri, 30 Aug 2013 15:52:46 -0700 (PDT) +X-Received: by 10.68.244.168 with SMTP id xh8mr12419215pbc.3.1377903166373; + Fri, 30 Aug 2013 15:52:46 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id qc9si280431pac.269.1969.12.31.16.00.00; + Fri, 30 Aug 2013 15:52:46 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@hds.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753535Ab3H3WrV (ORCPT + + 99 others); Fri, 30 Aug 2013 18:47:21 -0400 +Received: from usindpps04.hds.com ([207.126.252.17]:35636 "EHLO + usindpps04.hds.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752650Ab3H3WrU (ORCPT + ); + Fri, 30 Aug 2013 18:47:20 -0400 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hds.com; h=subject : to : from : cc + : date : message-id : mime-version : content-type : + content-transfer-encoding; s=mail1; + bh=VofHN8IMnygn2hbqnFjLmX0PPEPbvpzE377u1RxpGOY=; + b=piW6J78W57qDXBPJJuodWw/tvf0T//JbxKX6sLPvpuaOG2nBLMHzDqUeTYwFEQqUvdmf + ZTkiwsKi0WEku3MKcxJ7veR7wvTZcQ4fGMETFTf1c2J/1JOKpXLnft4ERuW89/FAxw25 + wQM1ulsuQ3Cncl0I/sIaqMlaMOtvuQ/C8rsHorp+75eFiL6yx1jU5wMbuti4D/NprIET + 3r57cPZ0YCh6sLjvOgjay6mKyktMToyjHPx6X1TWCSWcwes33Popc1hpadxUdFI/0npL + mN3Tttbe7e2RcmkXAZbwg8xj+FwSu3nIRC4G9UpFCsMz518C/AWZj4puwWE6VHZWVvVZ Rg== +Received: from usindmail01.hds.com (usindmail03 [207.126.252.22]) + by usindpps04.hds.com (8.14.5/8.14.5) with ESMTP id r7UMlBjr025492; + Fri, 30 Aug 2013 18:47:11 -0400 +Received: from hds.com (usindnetf5d-vlan47float.corp.hds.com [10.74.73.11]) + by usindmail01.hds.com (8.14.1/8.14.1) with ESMTP id r7UMl8SG058466; + Fri, 30 Aug 2013 18:47:10 -0400 (EDT) +Subject: [PATCH v2 1/2] elevator: Fix a race in elevator switching and md + device initialization +To: linux-kernel@vger.kernel.org +From: Tomoki Sekiyama +Cc: axboe@kernel.dk, tj@kernel.org, seiji.aguchi@hds.com, + vgoyal@redhat.com, majianpeng@gmail.com +Date: Fri, 30 Aug 2013 18:47:07 -0400 +Message-ID: <20130830224707.21812.63516.stgit@hds.com> +User-Agent: StGit/0.16 +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit +X-Proofpoint-SPF-Result: pass +X-Proofpoint-SPF-Record: v=spf1 mx ip4:207.126.244.0/26 ip4:207.126.252.0/25 include:mktomail.com + include:cloud.hds.com ~all +X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000 + definitions=2013-08-30_09:2013-08-30,2013-08-30,1970-01-01 signatures=0 +X-Proofpoint-Spam-Details: rule=notspam policy=outbound_policy score=0 spamscore=0 suspectscore=1 + phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx + scancount=1 engine=7.0.1-1305240000 definitions=main-1308300162 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +The soft lockup below happens at the boot time of the system using dm +multipath and the udev rules to switch scheduler. + +[ 356.127001] BUG: soft lockup - CPU#3 stuck for 22s! [sh:483] +[ 356.127001] RIP: 0010:[] [] lock_timer_base.isra.35+0x1d/0x50 +... +[ 356.127001] Call Trace: +[ 356.127001] [] try_to_del_timer_sync+0x20/0x70 +[ 356.127001] [] ? kmem_cache_alloc_node_trace+0x20a/0x230 +[ 356.127001] [] del_timer_sync+0x52/0x60 +[ 356.127001] [] cfq_exit_queue+0x32/0xf0 +[ 356.127001] [] elevator_exit+0x2f/0x50 +[ 356.127001] [] elevator_change+0xf1/0x1c0 +[ 356.127001] [] elv_iosched_store+0x20/0x50 +[ 356.127001] [] queue_attr_store+0x59/0xb0 +[ 356.127001] [] sysfs_write_file+0xc6/0x140 +[ 356.127001] [] vfs_write+0xbd/0x1e0 +[ 356.127001] [] SyS_write+0x49/0xa0 +[ 356.127001] [] system_call_fastpath+0x16/0x1b + +This is caused by a race between md device initialization by multipathd and +shell script to switch the scheduler using sysfs. + + - multipathd: + SyS_ioctl -> do_vfs_ioctl -> dm_ctl_ioctl -> ctl_ioctl -> table_load + -> dm_setup_md_queue -> blk_init_allocated_queue -> elevator_init + q->elevator = elevator_alloc(q, e); // not yet initialized + + - sh -c 'echo deadline > /sys/$DEVPATH/queue/scheduler': + elevator_switch (in the call trace above) + struct elevator_queue *old = q->elevator; + q->elevator = elevator_alloc(q, new_e); + elevator_exit(old); // lockup! (*) + + - multipathd: (cont.) + err = e->ops.elevator_init_fn(q); // init fails; q->elevator is modified + +(*) When del_timer_sync() is called, lock_timer_base() will loop infinitely +while timer->base == NULL. In this case, as timer will never initialized, +it results in lockup. + +This patch introduces acquisition of q->sysfs_lock around elevator_init() +into blk_init_allocated_queue(), to provide mutual exclusion between +initialization of the q->scheduler and switching of the scheduler. + +This should fix this bugzilla: +https://bugzilla.redhat.com/show_bug.cgi?id=902012 + +Signed-off-by: Tomoki Sekiyama +--- + block/blk-core.c | 10 +++++++++- + block/elevator.c | 6 ++++++ + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/block/blk-core.c b/block/blk-core.c +index 93a18d1..2f6275f 100644 +--- a/block/blk-core.c ++++ b/block/blk-core.c +@@ -739,9 +739,17 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn, + + q->sg_reserved_size = INT_MAX; + ++ /* Protect q->elevator from elevator_change */ ++ mutex_lock(&q->sysfs_lock); ++ + /* init elevator */ +- if (elevator_init(q, NULL)) ++ if (elevator_init(q, NULL)) { ++ mutex_unlock(&q->sysfs_lock); + return NULL; ++ } ++ ++ mutex_unlock(&q->sysfs_lock); ++ + return q; + } + EXPORT_SYMBOL(blk_init_allocated_queue); +diff --git a/block/elevator.c b/block/elevator.c +index 668394d..02d4390 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -186,6 +186,12 @@ int elevator_init(struct request_queue *q, char *name) + struct elevator_type *e = NULL; + int err; + ++ /* ++ * q->sysfs_lock must be held to provide mutual exclusion between ++ * elevator_switch() and here. ++ */ ++ lockdep_assert_held(&q->sysfs_lock); ++ + if (unlikely(q->elevator)) + return 0; + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/elevator-acquire-q-sysfs_lock-in-elevator_change.patch b/elevator-acquire-q-sysfs_lock-in-elevator_change.patch new file mode 100644 index 000000000..6f112b81c --- /dev/null +++ b/elevator-acquire-q-sysfs_lock-in-elevator_change.patch @@ -0,0 +1,121 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.168.104 with SMTP id zv8csp55623oab; + Fri, 30 Aug 2013 15:51:42 -0700 (PDT) +X-Received: by 10.67.30.70 with SMTP id kc6mr13149193pad.32.1377903101609; + Fri, 30 Aug 2013 15:51:41 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id gg2si304840pac.217.1969.12.31.16.00.00; + Fri, 30 Aug 2013 15:51:41 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@hds.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1756106Ab3H3WrX (ORCPT + + 99 others); Fri, 30 Aug 2013 18:47:23 -0400 +Received: from usindpps04.hds.com ([207.126.252.17]:35640 "EHLO + usindpps04.hds.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752650Ab3H3WrW (ORCPT + ); + Fri, 30 Aug 2013 18:47:22 -0400 +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hds.com; h=subject : to : from : cc + : date : message-id : in-reply-to : references : mime-version : + content-type : content-transfer-encoding; s=mail1; + bh=xbQuWVaSJrPfWG5E7bXFAbOFjf/sBaRZsPmpVgy0CYk=; + b=NW/A8Imu32MXoBi5FLrQ0FsK66RTWMQo1bFRtgQplVEQQIAXyf1XhCaAZyTkTplc0iEx + ovyGZHvLbmGL6w3I3pxkCFz1BPJCqoZtvQITir/WvfzyadYOK1cz+vuBUQSCmfkacvS/ + w37h1jLAjsvWXkl0GY7pxB9HJMXdeLnhhuWxtNU8m8rKZ7t3LSByMeQi5/3OTkNojDEe + 70cKeZXCPQ/UIDJAF4cpSVXia5FwoJISjXvQIrvqkYhFelzq3OHMcC482PdpqNB475h3 + yHHJ83HFOLRulUQdOG5ZVTB9qRg0zxRx/oedeXwzturFke68noRRa4f4izQ8sCwsWOCI Dw== +Received: from usindmail01.hds.com (usindmail03 [207.126.252.22]) + by usindpps04.hds.com (8.14.5/8.14.5) with ESMTP id r7UMlHIc025543; + Fri, 30 Aug 2013 18:47:17 -0400 +Received: from hds.com (usindnetf5d-vlan47float.corp.hds.com [10.74.73.11]) + by usindmail01.hds.com (8.14.1/8.14.1) with ESMTP id r7UMlGiC058545; + Fri, 30 Aug 2013 18:47:17 -0400 (EDT) +Subject: [PATCH v2 2/2] elevator: acquire q->sysfs_lock in elevator_change() +To: linux-kernel@vger.kernel.org +From: Tomoki Sekiyama +Cc: axboe@kernel.dk, tj@kernel.org, seiji.aguchi@hds.com, + vgoyal@redhat.com, majianpeng@gmail.com +Date: Fri, 30 Aug 2013 18:47:16 -0400 +Message-ID: <20130830224716.21812.99333.stgit@hds.com> +In-Reply-To: <20130830224707.21812.63516.stgit@hds.com> +References: <20130830224707.21812.63516.stgit@hds.com> +User-Agent: StGit/0.16 +MIME-Version: 1.0 +Content-Type: text/plain; charset="utf-8" +Content-Transfer-Encoding: 7bit +X-Proofpoint-SPF-Result: pass +X-Proofpoint-SPF-Record: v=spf1 mx ip4:207.126.244.0/26 ip4:207.126.252.0/25 include:mktomail.com + include:cloud.hds.com ~all +X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000 + definitions=2013-08-30_09:2013-08-30,2013-08-30,1970-01-01 signatures=0 +X-Proofpoint-Spam-Details: rule=notspam policy=outbound_policy score=0 spamscore=0 suspectscore=1 + phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx + scancount=1 engine=7.0.1-1305240000 definitions=main-1308300162 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +Add locking of q->sysfs_lock into elevator_change() (an exported function) +to ensure it is held to protect q->elevator from elevator_init(), even if +elevator_change() is called from non-sysfs paths. +sysfs path (elv_iosched_store) uses __elevator_change(), non-locking +version, as the lock is already taken by elv_iosched_store(). + +Signed-off-by: Tomoki Sekiyama +--- + block/elevator.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +diff --git a/block/elevator.c b/block/elevator.c +index 02d4390..6d765f7 100644 +--- a/block/elevator.c ++++ b/block/elevator.c +@@ -965,7 +965,7 @@ fail_init: + /* + * Switch this queue to the given IO scheduler. + */ +-int elevator_change(struct request_queue *q, const char *name) ++static int __elevator_change(struct request_queue *q, const char *name) + { + char elevator_name[ELV_NAME_MAX]; + struct elevator_type *e; +@@ -987,6 +987,18 @@ int elevator_change(struct request_queue *q, const char *name) + + return elevator_switch(q, e); + } ++ ++int elevator_change(struct request_queue *q, const char *name) ++{ ++ int ret; ++ ++ /* Protect q->elevator from elevator_init() */ ++ mutex_lock(&q->sysfs_lock); ++ ret = __elevator_change(q, name); ++ mutex_unlock(&q->sysfs_lock); ++ ++ return ret; ++} + EXPORT_SYMBOL(elevator_change); + + ssize_t elv_iosched_store(struct request_queue *q, const char *name, +@@ -997,7 +1009,7 @@ ssize_t elv_iosched_store(struct request_queue *q, const char *name, + if (!q->elevator) + return count; + +- ret = elevator_change(q, name); ++ ret = __elevator_change(q, name); + if (!ret) + return count; + + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index 895db185f..3b6b1316c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -773,6 +773,10 @@ Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch Patch25112: rpc-fix-huge-kmallocs-in-gss-proxy.patch Patch25113: rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch +#rhbz 902012 +Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch +Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch + # END OF PATCH DEFINITIONS %endif @@ -1494,6 +1498,10 @@ ApplyPatch rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch ApplyPatch 0001-skge-fix-broken-driver.patch ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch +#rhbz 902012 +ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch +ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch + # END OF PATCH APPLICATIONS %endif @@ -2306,6 +2314,9 @@ fi # and build. %changelog +* Fri Sep 27 2013 Josh Boyer +- Add patches to fix soft lockup from elevator changes (rhbz 902012) + * Fri Sep 27 2013 Justin M. Forbes - 3.11.2-200 - Linux v3.11.2 From d4ad8aae96cc4af2152b2b65f414e5fcc53399c1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 27 Sep 2013 12:24:29 -0400 Subject: [PATCH 224/468] Add patch to fix oops from applesmc (rhbz 1011719) --- ...mc-Check-key-count-before-proceeding.patch | 49 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 56 insertions(+) create mode 100644 hwmon-applesmc-Check-key-count-before-proceeding.patch diff --git a/hwmon-applesmc-Check-key-count-before-proceeding.patch b/hwmon-applesmc-Check-key-count-before-proceeding.patch new file mode 100644 index 000000000..76e7fe25f --- /dev/null +++ b/hwmon-applesmc-Check-key-count-before-proceeding.patch @@ -0,0 +1,49 @@ +From 5f4513864304672e6ea9eac60583eeac32e679f2 Mon Sep 17 00:00:00 2001 +From: Henrik Rydberg +Date: Thu, 26 Sep 2013 06:33:16 +0000 +Subject: hwmon: (applesmc) Check key count before proceeding + +After reports from Chris and Josh Boyer of a rare crash in applesmc, +Guenter pointed at the initialization problem fixed below. The patch +has not been verified to fix the crash, but should be applied +regardless. + +Reported-by: +Suggested-by: Guenter Roeck +Signed-off-by: Henrik Rydberg +Cc: stable@vger.kernel.org +Signed-off-by: Guenter Roeck +--- +diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c +index 62c2e32..98814d1 100644 +--- a/drivers/hwmon/applesmc.c ++++ b/drivers/hwmon/applesmc.c +@@ -525,16 +525,25 @@ static int applesmc_init_smcreg_try(void) + { + struct applesmc_registers *s = &smcreg; + bool left_light_sensor, right_light_sensor; ++ unsigned int count; + u8 tmp[1]; + int ret; + + if (s->init_complete) + return 0; + +- ret = read_register_count(&s->key_count); ++ ret = read_register_count(&count); + if (ret) + return ret; + ++ if (s->cache && s->key_count != count) { ++ pr_warn("key count changed from %d to %d\n", ++ s->key_count, count); ++ kfree(s->cache); ++ s->cache = NULL; ++ } ++ s->key_count = count; ++ + if (!s->cache) + s->cache = kcalloc(s->key_count, sizeof(*s->cache), GFP_KERNEL); + if (!s->cache) +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 3b6b1316c..2055b0e8a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -777,6 +777,9 @@ Patch25113: rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch +#rhbz 1011719 +Patch25116: hwmon-applesmc-Check-key-count-before-proceeding.patch + # END OF PATCH DEFINITIONS %endif @@ -1502,6 +1505,9 @@ ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch +#rhbz 1011719 +ApplyPatch hwmon-applesmc-Check-key-count-before-proceeding.patch + # END OF PATCH APPLICATIONS %endif @@ -2315,6 +2321,7 @@ fi %changelog * Fri Sep 27 2013 Josh Boyer +- Add patch to fix oops from applesmc (rhbz 1011719) - Add patches to fix soft lockup from elevator changes (rhbz 902012) * Fri Sep 27 2013 Justin M. Forbes - 3.11.2-200 From 6ee2b2add0ae61c3ec13c9cf5bcf9b8a7df664f8 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 27 Sep 2013 14:00:26 -0500 Subject: [PATCH 225/468] Bump and tag for build --- kernel.spec | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/kernel.spec b/kernel.spec index 2055b0e8a..3dfdeb0d2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -2320,6 +2320,9 @@ fi # and build. %changelog +* Fri Sep 27 2013 Justin M. Forbes - 3.11.2-201 +- Bump and tag for build + * Fri Sep 27 2013 Josh Boyer - Add patch to fix oops from applesmc (rhbz 1011719) - Add patches to fix soft lockup from elevator changes (rhbz 902012) From 6393d282cada9ff470414242e7396e18eff7f2b6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 30 Sep 2013 09:28:54 -0400 Subject: [PATCH 226/468] Drop VC_MUTE (rhbz 859485) systemd doesn't muck with VTs underneath of Xorg any longer, so this shouldn't be needed. It's in git if that turns out to be wrong. --- kernel.spec | 9 +- vt-Drop-K_OFF-for-VC_MUTE.patch | 250 -------------------------------- 2 files changed, 3 insertions(+), 256 deletions(-) delete mode 100644 vt-Drop-K_OFF-for-VC_MUTE.patch diff --git a/kernel.spec b/kernel.spec index 3dfdeb0d2..845755c6d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -705,9 +705,6 @@ Patch21005: arm-tegra-usb-no-reset-linux33.patch #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch -#rhbz 859485 -Patch21226: vt-Drop-K_OFF-for-VC_MUTE.patch - # https://fedoraproject.org/wiki/Features/Checkpoint_Restore Patch21242: criu-no-expert.patch @@ -1439,9 +1436,6 @@ ApplyPatch debug-idle-sched-warn-once.patch #selinux ptrace child permissions ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch -#rhbz 859485 -ApplyPatch vt-Drop-K_OFF-for-VC_MUTE.patch - # https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch @@ -2320,6 +2314,9 @@ fi # and build. %changelog +* Mon Sep 30 2013 Josh Boyer +- Drop VC_MUTE patch (rhbz 859485) + * Fri Sep 27 2013 Justin M. Forbes - 3.11.2-201 - Bump and tag for build diff --git a/vt-Drop-K_OFF-for-VC_MUTE.patch b/vt-Drop-K_OFF-for-VC_MUTE.patch deleted file mode 100644 index e9bc4fffa..000000000 --- a/vt-Drop-K_OFF-for-VC_MUTE.patch +++ /dev/null @@ -1,250 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Adam Jackson -Newsgroups: gmane.linux.kernel -Subject: [PATCH] vt: Drop K_OFF for VC_MUTE -Date: Fri, 16 Nov 2012 13:32:34 -0500 -Lines: 205 -Approved: news@gmane.org -Message-ID: <1353090754-30233-1-git-send-email-ajax@redhat.com> -NNTP-Posting-Host: plane.gmane.org -X-Trace: ger.gmane.org 1353090772 20663 80.91.229.3 (16 Nov 2012 18:32:52 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Fri, 16 Nov 2012 18:32:52 +0000 (UTC) -Cc: Arthur Taylor , - Greg Kroah-Hartman -To: linux-kernel@vger.kernel.org -Original-X-From: linux-kernel-owner@vger.kernel.org Fri Nov 16 19:33:03 2012 -Return-path: -Envelope-to: glk-linux-kernel-3@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1TZQim-0000aG-BI - for glk-linux-kernel-3@plane.gmane.org; Fri, 16 Nov 2012 19:32:56 +0100 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753232Ab2KPSck (ORCPT ); - Fri, 16 Nov 2012 13:32:40 -0500 -Original-Received: from mx1.redhat.com ([209.132.183.28]:32172 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752810Ab2KPSci (ORCPT ); - Fri, 16 Nov 2012 13:32:38 -0500 -Original-Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id qAGIWaM7020116 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Fri, 16 Nov 2012 13:32:36 -0500 -Original-Received: from ihatethathostname.lab.bos.redhat.com (ihatethathostname.lab.bos.redhat.com [10.16.43.238]) - by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id qAGIWZD7010099; - Fri, 16 Nov 2012 13:32:35 -0500 -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11 -Original-Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel:1395620 -Archived-At: - -The "don't enqueue stuff" semantics of K_OFF shouldn't be a function of -the keyboard map state; we should be able to switch among cooked/raw/ -unicode without changing whether events are delivered. Otherwise - if -changing to K_UNICODE undoes K_OFF - then suddenly Alt-F2 under -Gnome will switch VT instead of summoning the "run command" dialog. - -Drop the K_OFF handling and replace it with a new "mute" ioctl pair. -Anybody using K_OFF would already need to be prepared to handle it -throwing -EINVAL for old kernel compatibility, so userspace will degrade -gracefully. - -Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=859485 -Cc: Arthur Taylor -Cc: Greg Kroah-Hartman -Tested-by: Josh Boyer -Signed-off-by: Adam Jackson ---- - drivers/tty/vt/keyboard.c | 40 +++++++++++++++++++++++++++++++++------- - drivers/tty/vt/vt_ioctl.c | 13 +++++++++++++ - include/linux/kbd_kern.h | 6 +++--- - include/linux/vt_kern.h | 2 ++ - include/uapi/linux/kd.h | 5 +++++ - 5 files changed, 56 insertions(+), 10 deletions(-) - -diff --git a/drivers/tty/vt/keyboard.c b/drivers/tty/vt/keyboard.c -index 681765b..08d1d57 100644 ---- a/drivers/tty/vt/keyboard.c -+++ b/drivers/tty/vt/keyboard.c -@@ -657,7 +657,7 @@ static void k_spec(struct vc_data *vc, unsigned char value, char up_flag) - return; - if ((kbd->kbdmode == VC_RAW || - kbd->kbdmode == VC_MEDIUMRAW || -- kbd->kbdmode == VC_OFF) && -+ vc_kbd_mode(kbd, VC_MUTE)) && - value != KVAL(K_SAK)) - return; /* SAK is allowed even in raw mode */ - fn_handler[value](vc); -@@ -1381,7 +1381,7 @@ static void kbd_keycode(unsigned int keycode, int down, int hw_raw) - if (rc == NOTIFY_STOP) - return; - -- if ((raw_mode || kbd->kbdmode == VC_OFF) && type != KT_SPEC && type != KT_SHIFT) -+ if ((raw_mode || vc_kbd_mode(kbd, VC_MUTE)) && type != KT_SPEC && type != KT_SHIFT) - return; - - (*k_handler[type])(vc, keysym & 0xff, !down); -@@ -1731,9 +1731,6 @@ int vt_do_kdskbmode(int console, unsigned int arg) - kbd->kbdmode = VC_UNICODE; - do_compute_shiftstate(); - break; -- case K_OFF: -- kbd->kbdmode = VC_OFF; -- break; - default: - ret = -EINVAL; - } -@@ -1742,6 +1739,30 @@ int vt_do_kdskbmode(int console, unsigned int arg) - } - - /** -+ * vt_do_kdskbmute - set keyboard event mute -+ * @console: the console to use -+ * @arg: the requested mode -+ * -+ * Update the keyboard mute state while holding the correct locks. -+ * Return 0 for success or an error code. -+ */ -+int vt_do_kdskbmute(int console, unsigned int arg) -+{ -+ struct kbd_struct * kbd = kbd_table + console; -+ int ret = 0; -+ unsigned long flags; -+ -+ spin_lock_irqsave(&kbd_event_lock, flags); -+ if (arg) -+ set_vc_kbd_mode(kbd, VC_MUTE); -+ else -+ clr_vc_kbd_mode(kbd, VC_MUTE); -+ spin_unlock_irqrestore(&kbd_event_lock, flags); -+ return ret; -+} -+ -+ -+/** - * vt_do_kdskbmeta - set keyboard meta state - * @console: the console to use - * @arg: the requested meta state -@@ -2068,13 +2089,18 @@ int vt_do_kdgkbmode(int console) - return K_MEDIUMRAW; - case VC_UNICODE: - return K_UNICODE; -- case VC_OFF: -- return K_OFF; - default: - return K_XLATE; - } - } - -+int vt_do_kdgkbmute(int console) -+{ -+ struct kbd_struct * kbd = kbd_table + console; -+ /* This is a spot read so needs no locking */ -+ return vc_kbd_mode(kbd, VC_MUTE); -+} -+ - /** - * vt_do_kdgkbmeta - report meta status - * @console: console to report -diff --git a/drivers/tty/vt/vt_ioctl.c b/drivers/tty/vt/vt_ioctl.c -index b841f56..f0951e2 100644 ---- a/drivers/tty/vt/vt_ioctl.c -+++ b/drivers/tty/vt/vt_ioctl.c -@@ -477,6 +477,19 @@ int vt_ioctl(struct tty_struct *tty, - ret = put_user(uival, (int __user *)arg); - break; - -+ case KDSKBMUTE: -+ if (!perm) -+ return -EPERM; -+ ret = vt_do_kdskbmute(console, arg); -+ if (ret == 0) -+ tty_ldisc_flush(tty); -+ break; -+ -+ case KDGKBMUTE: -+ uival = vt_do_kdgkbmute(console); -+ ret = put_user(uival, (int __user *)arg); -+ break; -+ - /* this could be folded into KDSKBMODE, but for compatibility - reasons it is not so easy to fold KDGKBMETA into KDGKBMODE */ - case KDSKBMETA: -diff --git a/include/linux/kbd_kern.h b/include/linux/kbd_kern.h -index b7c8cdc..9386143 100644 ---- a/include/linux/kbd_kern.h -+++ b/include/linux/kbd_kern.h -@@ -48,19 +48,19 @@ struct kbd_struct { - #define VC_CAPSLOCK 2 /* capslock mode */ - #define VC_KANALOCK 3 /* kanalock mode */ - -- unsigned char kbdmode:3; /* one 3-bit value */ -+ unsigned char kbdmode:2; /* one 2-bit value */ - #define VC_XLATE 0 /* translate keycodes using keymap */ - #define VC_MEDIUMRAW 1 /* medium raw (keycode) mode */ - #define VC_RAW 2 /* raw (scancode) mode */ - #define VC_UNICODE 3 /* Unicode mode */ --#define VC_OFF 4 /* disabled mode */ - -- unsigned char modeflags:5; -+ unsigned char modeflags:6; - #define VC_APPLIC 0 /* application key mode */ - #define VC_CKMODE 1 /* cursor key mode */ - #define VC_REPEAT 2 /* keyboard repeat */ - #define VC_CRLF 3 /* 0 - enter sends CR, 1 - enter sends CRLF */ - #define VC_META 4 /* 0 - meta, 1 - meta=prefix with ESC */ -+#define VC_MUTE 5 /* don't generate events */ - }; - - extern int kbd_init(void); -diff --git a/include/linux/vt_kern.h b/include/linux/vt_kern.h -index 50ae7d0..a886915 100644 ---- a/include/linux/vt_kern.h -+++ b/include/linux/vt_kern.h -@@ -168,6 +168,7 @@ extern void hide_boot_cursor(bool hide); - - /* keyboard provided interfaces */ - extern int vt_do_diacrit(unsigned int cmd, void __user *up, int eperm); -+extern int vt_do_kdskbmute(int console, unsigned int arg); - extern int vt_do_kdskbmode(int console, unsigned int arg); - extern int vt_do_kdskbmeta(int console, unsigned int arg); - extern int vt_do_kbkeycode_ioctl(int cmd, struct kbkeycode __user *user_kbkc, -@@ -177,6 +178,7 @@ extern int vt_do_kdsk_ioctl(int cmd, struct kbentry __user *user_kbe, - extern int vt_do_kdgkb_ioctl(int cmd, struct kbsentry __user *user_kdgkb, - int perm); - extern int vt_do_kdskled(int console, int cmd, unsigned long arg, int perm); -+extern int vt_do_kdgkbmute(int console); - extern int vt_do_kdgkbmode(int console); - extern int vt_do_kdgkbmeta(int console); - extern void vt_reset_unicode(int console); -diff --git a/include/uapi/linux/kd.h b/include/uapi/linux/kd.h -index 87b7cc4..c3de63c 100644 ---- a/include/uapi/linux/kd.h -+++ b/include/uapi/linux/kd.h -@@ -81,6 +81,7 @@ struct unimapinit { - #define K_XLATE 0x01 - #define K_MEDIUMRAW 0x02 - #define K_UNICODE 0x03 -+/* K_OFF is no longer implemented, but preserved for source compatibility */ - #define K_OFF 0x04 - #define KDGKBMODE 0x4B44 /* gets current keyboard mode */ - #define KDSKBMODE 0x4B45 /* sets current keyboard mode */ -@@ -150,6 +151,10 @@ struct kbd_repeat { - /* earlier this field was misnamed "rate" */ - }; - -+/* get/set event mute */ -+#define KDGKBMUTE 0x4B50 -+#define KDSKBMUTE 0x4B51 -+ - #define KDKBDREP 0x4B52 /* set keyboard delay/repeat rate; - * actually used values are returned */ - --- -1.7.11.7 - From 7f68f83dae66efe45d51f319acb2abd63a4f3b85 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 30 Sep 2013 09:39:49 -0400 Subject: [PATCH 227/468] Add support for rf3070 devices from Stanislaw Gruszka (rhbz 974072) --- kernel.spec | 7 +++ rt2800-add-support-for-rf3070.patch | 80 +++++++++++++++++++++++++++++ 2 files changed, 87 insertions(+) create mode 100644 rt2800-add-support-for-rf3070.patch diff --git a/kernel.spec b/kernel.spec index 845755c6d..78552564e 100644 --- a/kernel.spec +++ b/kernel.spec @@ -777,6 +777,9 @@ Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 1011719 Patch25116: hwmon-applesmc-Check-key-count-before-proceeding.patch +#rhbz 974072 +Patch25117: rt2800-add-support-for-rf3070.patch + # END OF PATCH DEFINITIONS %endif @@ -1502,6 +1505,9 @@ ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 1011719 ApplyPatch hwmon-applesmc-Check-key-count-before-proceeding.patch +#rhbz 974072 +ApplyPatch rt2800-add-support-for-rf3070.patch + # END OF PATCH APPLICATIONS %endif @@ -2315,6 +2321,7 @@ fi %changelog * Mon Sep 30 2013 Josh Boyer +- Add support for rf3070 devices from Stanislaw Gruszka (rhbz 974072) - Drop VC_MUTE patch (rhbz 859485) * Fri Sep 27 2013 Justin M. Forbes - 3.11.2-201 diff --git a/rt2800-add-support-for-rf3070.patch b/rt2800-add-support-for-rf3070.patch new file mode 100644 index 000000000..24c16cb9c --- /dev/null +++ b/rt2800-add-support-for-rf3070.patch @@ -0,0 +1,80 @@ +diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h +index d78c495..2132830 100644 +--- a/drivers/net/wireless/rt2x00/rt2800.h ++++ b/drivers/net/wireless/rt2x00/rt2800.h +@@ -65,6 +65,7 @@ + #define RF3021 0x0007 + #define RF3022 0x0008 + #define RF3052 0x0009 ++#define RF3070 0x3070 + #define RF2853 0x000a + #define RF3320 0x000b + #define RF3322 0x000c +diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c +index 1b41c8e..2958265 100644 +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -2597,6 +2597,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + case RF3322: + rt2800_config_channel_rf3322(rt2x00dev, conf, rf, info); + break; ++ case RF3070: + case RF5360: + case RF5370: + case RF5372: +@@ -2611,7 +2612,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, + rt2800_config_channel_rf2xxx(rt2x00dev, conf, rf, info); + } + +- if (rt2x00_rf(rt2x00dev, RF3290) || ++ if (rt2x00_rf(rt2x00dev, RF3070) || ++ rt2x00_rf(rt2x00dev, RF3290) || + rt2x00_rf(rt2x00dev, RF3322) || + rt2x00_rf(rt2x00dev, RF5360) || + rt2x00_rf(rt2x00dev, RF5370) || +@@ -3219,6 +3221,7 @@ void rt2800_vco_calibration(struct rt2x00_dev *rt2x00dev) + rt2x00_set_field8(&rfcsr, RFCSR7_RF_TUNING, 1); + rt2800_rfcsr_write(rt2x00dev, 7, rfcsr); + break; ++ case RF3070: + case RF3290: + case RF5360: + case RF5370: +@@ -5731,6 +5734,7 @@ static int rt2800_init_eeprom(struct rt2x00_dev *rt2x00dev) + case RF3021: + case RF3022: + case RF3052: ++ case RF3070: + case RF3290: + case RF3320: + case RF3322: +@@ -6186,6 +6190,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + rt2x00_rf(rt2x00dev, RF2020) || + rt2x00_rf(rt2x00dev, RF3021) || + rt2x00_rf(rt2x00dev, RF3022) || ++ rt2x00_rf(rt2x00dev, RF3070) || + rt2x00_rf(rt2x00dev, RF3290) || + rt2x00_rf(rt2x00dev, RF3320) || + rt2x00_rf(rt2x00dev, RF3322) || +@@ -6219,10 +6224,11 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + /* + * Initialize HT information. + */ +- if (!rt2x00_rf(rt2x00dev, RF2020)) ++ if (!rt2x00_rf(rt2x00dev, RF2020)) { + spec->ht.ht_supported = true; +- else ++ } else { + spec->ht.ht_supported = false; ++ } + + spec->ht.cap = + IEEE80211_HT_CAP_SUP_WIDTH_20_40 | +@@ -6290,6 +6296,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) + case RF3022: + case RF3320: + case RF3052: ++ case RF3070: + case RF3290: + case RF5360: + case RF5370: From 7def6fca21b333a0acd64445eecfbc5558613580 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Wed, 2 Oct 2013 11:15:23 -0400 Subject: [PATCH 228/468] resolves bz 1005567 --- bonding-driver-promisc.patch | 73 ++++++++++++++++++++++++++++++++++++ kernel.spec | 9 +++++ 2 files changed, 82 insertions(+) create mode 100644 bonding-driver-promisc.patch diff --git a/bonding-driver-promisc.patch b/bonding-driver-promisc.patch new file mode 100644 index 000000000..38315c906 --- /dev/null +++ b/bonding-driver-promisc.patch @@ -0,0 +1,73 @@ +commit 5a0068deb611109c5ba77358be533f763f395ee4 +Author: Neil Horman +Date: Fri Sep 27 12:22:15 2013 -0400 + + bonding: Fix broken promiscuity reference counting issue + + Recently grabbed this report: + https://bugzilla.redhat.com/show_bug.cgi?id=1005567 + + Of an issue in which the bonding driver, with an attached vlan encountered the + following errors when bond0 was taken down and back up: + + dummy1: promiscuity touches roof, set promiscuity failed. promiscuity feature of + device might be broken. + + The error occurs because, during __bond_release_one, if we release our last + slave, we take on a random mac address and issue a NETDEV_CHANGEADDR + notification. With an attached vlan, the vlan may see that the vlan and bond + mac address were in sync, but no longer are. This triggers a call to dev_uc_add + and dev_set_rx_mode, which enables IFF_PROMISC on the bond device. Then, when + we complete __bond_release_one, we use the current state of the bond flags to + determine if we should decrement the promiscuity of the releasing slave. But + since the bond changed promiscuity state during the release operation, we + incorrectly decrement the slave promisc count when it wasn't in promiscuous mode + to begin with, causing the above error + + Fix is pretty simple, just cache the bonding flags at the start of the function + and use those when determining the need to set promiscuity. + + This is also needed for the ALLMULTI flag + + CC: Jay Vosburgh + CC: Andy Gospodarek + CC: Mark Wu + CC: "David S. Miller" + Reported-by: Mark Wu + + Signed-off-by: David S. Miller + +diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c +index 55bbb8b..e883bfe 100644 +--- a/drivers/net/bonding/bond_main.c ++++ b/drivers/net/bonding/bond_main.c +@@ -1724,6 +1724,7 @@ static int __bond_release_one(struct net_device *bond_dev, + struct bonding *bond = netdev_priv(bond_dev); + struct slave *slave, *oldcurrent; + struct sockaddr addr; ++ int old_flags = bond_dev->flags; + netdev_features_t old_features = bond_dev->features; + + /* slave is not a slave or master is not master of this slave */ +@@ -1855,12 +1856,18 @@ static int __bond_release_one(struct net_device *bond_dev, + * bond_change_active_slave(..., NULL) + */ + if (!USES_PRIMARY(bond->params.mode)) { +- /* unset promiscuity level from slave */ +- if (bond_dev->flags & IFF_PROMISC) ++ /* unset promiscuity level from slave ++ * NOTE: The NETDEV_CHANGEADDR call above may change the value ++ * of the IFF_PROMISC flag in the bond_dev, but we need the ++ * value of that flag before that change, as that was the value ++ * when this slave was attached, so we cache at the start of the ++ * function and use it here. Same goes for ALLMULTI below ++ */ ++ if (old_flags & IFF_PROMISC) + dev_set_promiscuity(slave_dev, -1); + + /* unset allmulti level from slave */ +- if (bond_dev->flags & IFF_ALLMULTI) ++ if (old_flags & IFF_ALLMULTI) + dev_set_allmulti(slave_dev, -1); + + bond_hw_addr_flush(bond_dev, slave_dev); diff --git a/kernel.spec b/kernel.spec index 78552564e..800153d66 100644 --- a/kernel.spec +++ b/kernel.spec @@ -780,6 +780,9 @@ Patch25116: hwmon-applesmc-Check-key-count-before-proceeding.patch #rhbz 974072 Patch25117: rt2800-add-support-for-rf3070.patch +#rhbz 1005567 +Patch25118: bonding-driver-promisc.patch + # END OF PATCH DEFINITIONS %endif @@ -1508,6 +1511,9 @@ ApplyPatch hwmon-applesmc-Check-key-count-before-proceeding.patch #rhbz 974072 ApplyPatch rt2800-add-support-for-rf3070.patch +#rhbz 1005567 +ApplyPatch bonding-driver-promisc.patch + # END OF PATCH APPLICATIONS %endif @@ -2320,6 +2326,9 @@ fi # and build. %changelog +* Wed Oct 02 2013 Neil Horman +- Add promiscuity fix for vlans plus bonding (rhbz 1005567) + * Mon Sep 30 2013 Josh Boyer - Add support for rf3070 devices from Stanislaw Gruszka (rhbz 974072) - Drop VC_MUTE patch (rhbz 859485) From 83606f0ce5ee78550ba63c88cf912dae676e8f9e Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 2 Oct 2013 11:12:59 -0500 Subject: [PATCH 229/468] Linux v3.11.3 --- 0001-skge-fix-broken-driver.patch | 62 -- HID-CVE-fixes-3.11.patch | 828 ------------------ kernel.spec | 41 +- ...-up-decoding-of-gssproxy-linux-creds.patch | 110 --- ..._cred-encoding-treat-all-as-unsigned.patch | 90 -- rpc-fix-huge-kmallocs-in-gss-proxy.patch | 113 --- ...yer-allocate-gssproxy-receieve-pages.patch | 52 -- ...0-rearrange-bbp-rfcsr-initialization.patch | 69 -- sources | 2 +- 9 files changed, 6 insertions(+), 1361 deletions(-) delete mode 100644 0001-skge-fix-broken-driver.patch delete mode 100644 HID-CVE-fixes-3.11.patch delete mode 100644 rpc-clean-up-decoding-of-gssproxy-linux-creds.patch delete mode 100644 rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch delete mode 100644 rpc-fix-huge-kmallocs-in-gss-proxy.patch delete mode 100644 rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch delete mode 100644 rt2800-rearrange-bbp-rfcsr-initialization.patch diff --git a/0001-skge-fix-broken-driver.patch b/0001-skge-fix-broken-driver.patch deleted file mode 100644 index 7ca3dec4a..000000000 --- a/0001-skge-fix-broken-driver.patch +++ /dev/null @@ -1,62 +0,0 @@ -From c194992cbe71c20bb3623a566af8d11b0bfaa721 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka -Date: Thu, 19 Sep 2013 14:13:17 -0400 -Subject: [PATCH] skge: fix broken driver - -The patch 136d8f377e1575463b47840bc5f1b22d94bf8f63 broke the skge driver. -Note this part of the patch: -+ if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { -+ dev_kfree_skb(nskb); -+ goto resubmit; -+ } -+ - pci_unmap_single(skge->hw->pdev, - dma_unmap_addr(e, mapaddr), - dma_unmap_len(e, maplen), - PCI_DMA_FROMDEVICE); - skb = e->skb; - prefetch(skb->data); -- skge_rx_setup(skge, e, nskb, skge->rx_buf_size); - -The function skge_rx_setup modifies e->skb to point to the new skb. Thus, -after this change, the new buffer, not the old, is returned to the -networking stack. - -This bug is present in kernels 3.11, 3.11.1 and 3.12-rc1. The patch should -be queued for 3.11-stable. - -Signed-off-by: Mikulas Patocka -Reported-by: Mikulas Patocka -Reported-by: Vasiliy Glazov -Tested-by: Mikulas Patocka -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/marvell/skge.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c -index ef94a59..1a9c4f6 100644 ---- a/drivers/net/ethernet/marvell/skge.c -+++ b/drivers/net/ethernet/marvell/skge.c -@@ -3092,6 +3092,9 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - if (!nskb) - goto resubmit; - -+ skb = e->skb; -+ prefetch(skb->data); -+ - if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { - dev_kfree_skb(nskb); - goto resubmit; -@@ -3101,8 +3104,6 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - dma_unmap_addr(e, mapaddr), - dma_unmap_len(e, maplen), - PCI_DMA_FROMDEVICE); -- skb = e->skb; -- prefetch(skb->data); - } - - skb_put(skb, len); --- -1.8.3.1 - diff --git a/HID-CVE-fixes-3.11.patch b/HID-CVE-fixes-3.11.patch deleted file mode 100644 index 4cdc59429..000000000 --- a/HID-CVE-fixes-3.11.patch +++ /dev/null @@ -1,828 +0,0 @@ -From ba6d8d44eaeb0ee58082f4b4c95138416e1f58a5 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:50 +0200 -Subject: [PATCH 02/16] HID: provide a helper for validating hid reports - -Many drivers need to validate the characteristics of their HID report -during initialization to avoid misusing the reports. This adds a common -helper to perform validation of the report exisitng, the field existing, -and the expected number of values within the field. - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- - drivers/hid/hid-core.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++ - include/linux/hid.h | 4 ++++ - 2 files changed, 62 insertions(+) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 5ea7d51..65ee459 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -759,6 +759,64 @@ int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size) - } - EXPORT_SYMBOL_GPL(hid_parse_report); - -+static const char * const hid_report_names[] = { -+ "HID_INPUT_REPORT", -+ "HID_OUTPUT_REPORT", -+ "HID_FEATURE_REPORT", -+}; -+/** -+ * hid_validate_values - validate existing device report's value indexes -+ * -+ * @device: hid device -+ * @type: which report type to examine -+ * @id: which report ID to examine (0 for first) -+ * @field_index: which report field to examine -+ * @report_counts: expected number of values -+ * -+ * Validate the number of values in a given field of a given report, after -+ * parsing. -+ */ -+struct hid_report *hid_validate_values(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int field_index, -+ unsigned int report_counts) -+{ -+ struct hid_report *report; -+ -+ if (type > HID_FEATURE_REPORT) { -+ hid_err(hid, "invalid HID report type %u\n", type); -+ return NULL; -+ } -+ -+ if (id >= HID_MAX_IDS) { -+ hid_err(hid, "invalid HID report id %u\n", id); -+ return NULL; -+ } -+ -+ /* -+ * Explicitly not using hid_get_report() here since it depends on -+ * ->numbered being checked, which may not always be the case when -+ * drivers go to access report values. -+ */ -+ report = hid->report_enum[type].report_id_hash[id]; -+ if (!report) { -+ hid_err(hid, "missing %s %u\n", hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->maxfield <= field_index) { -+ hid_err(hid, "not enough fields in %s %u\n", -+ hid_report_names[type], id); -+ return NULL; -+ } -+ if (report->field[field_index]->report_count < report_counts) { -+ hid_err(hid, "not enough values in %s %u field %u\n", -+ hid_report_names[type], id, field_index); -+ return NULL; -+ } -+ return report; -+} -+EXPORT_SYMBOL_GPL(hid_validate_values); -+ - /** - * hid_open_report - open a driver-specific device report - * -diff --git a/include/linux/hid.h b/include/linux/hid.h -index ff545cc..6e18550 100644 ---- a/include/linux/hid.h -+++ b/include/linux/hid.h -@@ -749,6 +749,10 @@ void hid_output_report(struct hid_report *report, __u8 *data); - struct hid_device *hid_allocate_device(void); - struct hid_report *hid_register_report(struct hid_device *device, unsigned type, unsigned id); - int hid_parse_report(struct hid_device *hid, __u8 *start, unsigned size); -+struct hid_report *hid_validate_values(struct hid_device *hid, -+ unsigned int type, unsigned int id, -+ unsigned int field_index, -+ unsigned int report_counts); - int hid_open_report(struct hid_device *device); - int hid_check_keys_pressed(struct hid_device *hid); - int hid_connect(struct hid_device *hid, unsigned int connect_mask); --- -1.8.3.1 - - -From 51bc0244e9e62b25e4f64f7cb87764a0c0692131 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:51 +0200 -Subject: [PATCH 03/16] HID: zeroplus: validate output report details - -The zeroplus HID driver was not checking the size of allocated values -in fields it used. A HID device could send a malicious output report -that would cause the driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 1442.728680] usb 1-1: New USB device found, idVendor=0c12, idProduct=0005 -... -[ 1466.243173] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2889 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- - drivers/hid/hid-zpff.c | 18 +++++------------- - 1 file changed, 5 insertions(+), 13 deletions(-) - -diff --git a/drivers/hid/hid-zpff.c b/drivers/hid/hid-zpff.c -index 6ec28a3..a29756c 100644 ---- a/drivers/hid/hid-zpff.c -+++ b/drivers/hid/hid-zpff.c -@@ -68,21 +68,13 @@ static int zpff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- int error; -+ int i, error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -- return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 4) { -- hid_err(hid, "not enough fields in report\n"); -- return -ENODEV; -+ for (i = 0; i < 4; i++) { -+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, i, 1); -+ if (!report) -+ return -ENODEV; - } - - zpff = kzalloc(sizeof(struct zpff_device), GFP_KERNEL); --- -1.8.3.1 - - -From 0d998969132672bab9942e3308058d212574a2f8 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:52 +0200 -Subject: [PATCH 04/16] HID: sony: validate HID output report details - -This driver must validate the availability of the HID output report and -its size before it can write LED states via buzz_set_leds(). This stops -a heap overflow that is possible if a device provides a malicious HID -output report: - -[ 108.171280] usb 1-1: New USB device found, idVendor=054c, idProduct=0002 -... -[ 117.507877] BUG kmalloc-192 (Not tainted): Redzone overwritten - -CVE-2013-2890 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- - drivers/hid/hid-sony.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/drivers/hid/hid-sony.c b/drivers/hid/hid-sony.c -index 87fbe29..334a4b5 100644 ---- a/drivers/hid/hid-sony.c -+++ b/drivers/hid/hid-sony.c -@@ -537,6 +537,10 @@ static int buzz_init(struct hid_device *hdev) - drv_data = hid_get_drvdata(hdev); - BUG_ON(!(drv_data->quirks & BUZZ_CONTROLLER)); - -+ /* Validate expected report characteristics. */ -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 7)) -+ return -ENODEV; -+ - buzz = kzalloc(sizeof(*buzz), GFP_KERNEL); - if (!buzz) { - hid_err(hdev, "Insufficient memory, cannot allocate driver data\n"); --- -1.8.3.1 - - -From 5b029acf571f94193ff8a757340fd37a7f88ae0b Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:53 +0200 -Subject: [PATCH 05/16] HID: steelseries: validate output report details - -A HID device could send a malicious output report that would cause the -steelseries HID driver to write beyond the output report allocation -during initialization, causing a heap overflow: - -[ 167.981534] usb 1-1: New USB device found, idVendor=1038, idProduct=1410 -... -[ 182.050547] BUG kmalloc-256 (Tainted: G W ): Redzone overwritten - -CVE-2013-2891 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- - drivers/hid/hid-steelseries.c | 5 +++++ - 1 file changed, 5 insertions(+) - -diff --git a/drivers/hid/hid-steelseries.c b/drivers/hid/hid-steelseries.c -index d164911..29f328f 100644 ---- a/drivers/hid/hid-steelseries.c -+++ b/drivers/hid/hid-steelseries.c -@@ -249,6 +249,11 @@ static int steelseries_srws1_probe(struct hid_device *hdev, - goto err_free; - } - -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 0, 0, 16)) { -+ ret = -ENODEV; -+ goto err_free; -+ } -+ - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hw start failed\n"); --- -1.8.3.1 - - -From e846e9b33d65246ed807156a114c65cdfece0d12 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:54 +0200 -Subject: [PATCH 06/16] HID: LG: validate HID output report details - -A HID device could send a malicious output report that would cause the -lg, lg3, and lg4 HID drivers to write beyond the output report allocation -during an event, causing a heap overflow: - -[ 325.245240] usb 1-1: New USB device found, idVendor=046d, idProduct=c287 -... -[ 414.518960] BUG kmalloc-4096 (Not tainted): Redzone overwritten - -Additionally, while lg2 did correctly validate the report details, it was -cleaned up and shortened. - -CVE-2013-2893 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Reviewed-by: Benjamin Tissoires ---- - drivers/hid/hid-lg2ff.c | 19 +++---------------- - drivers/hid/hid-lg3ff.c | 29 ++++++----------------------- - drivers/hid/hid-lg4ff.c | 20 +------------------- - drivers/hid/hid-lgff.c | 17 ++--------------- - 4 files changed, 12 insertions(+), 73 deletions(-) - -diff --git a/drivers/hid/hid-lg2ff.c b/drivers/hid/hid-lg2ff.c -index b3cd150..1a42eaa 100644 ---- a/drivers/hid/hid-lg2ff.c -+++ b/drivers/hid/hid-lg2ff.c -@@ -64,26 +64,13 @@ int lg2ff_init(struct hid_device *hid) - struct hid_report *report; - struct hid_input *hidinput = list_entry(hid->inputs.next, - struct hid_input, list); -- struct list_head *report_list = -- &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; - int error; - -- if (list_empty(report_list)) { -- hid_err(hid, "no output report found\n"); -+ /* Check that the report looks ok */ -+ report = hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7); -+ if (!report) - return -ENODEV; -- } -- -- report = list_entry(report_list->next, struct hid_report, list); -- -- if (report->maxfield < 1) { -- hid_err(hid, "output report is empty\n"); -- return -ENODEV; -- } -- if (report->field[0]->report_count < 7) { -- hid_err(hid, "not enough values in the field\n"); -- return -ENODEV; -- } - - lg2ff = kmalloc(sizeof(struct lg2ff_device), GFP_KERNEL); - if (!lg2ff) -diff --git a/drivers/hid/hid-lg3ff.c b/drivers/hid/hid-lg3ff.c -index e52f181..8c2da18 100644 ---- a/drivers/hid/hid-lg3ff.c -+++ b/drivers/hid/hid-lg3ff.c -@@ -66,10 +66,11 @@ static int hid_lg3ff_play(struct input_dev *dev, void *data, - int x, y; - - /* -- * Maxusage should always be 63 (maximum fields) -- * likely a better way to ensure this data is clean -+ * Available values in the field should always be 63, but we only use up to -+ * 35. Instead, clear the entire area, however big it is. - */ -- memset(report->field[0]->value, 0, sizeof(__s32)*report->field[0]->maxusage); -+ memset(report->field[0]->value, 0, -+ sizeof(__s32) * report->field[0]->report_count); - - switch (effect->type) { - case FF_CONSTANT: -@@ -129,32 +130,14 @@ static const signed short ff3_joystick_ac[] = { - int lg3ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff3_joystick_ac; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -- return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 35)) -+ return -ENODEV; - - /* Assume single fixed device G940 */ - for (i = 0; ff_bits[i] >= 0; i++) -diff --git a/drivers/hid/hid-lg4ff.c b/drivers/hid/hid-lg4ff.c -index 0ddae2a..8782fe1 100644 ---- a/drivers/hid/hid-lg4ff.c -+++ b/drivers/hid/hid-lg4ff.c -@@ -484,34 +484,16 @@ static enum led_brightness lg4ff_led_get_brightness(struct led_classdev *led_cde - int lg4ff_init(struct hid_device *hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - struct lg4ff_device_entry *entry; - struct lg_drv_data *drv_data; - struct usb_device_descriptor *udesc; - int error, i, j; - __u16 bcdDevice, rev_maj, rev_min; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- if (!report) { -- hid_err(hid, "NULL output report\n"); -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) - return -1; -- } -- -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } - - /* Check what wheel has been connected */ - for (i = 0; i < ARRAY_SIZE(lg4ff_devices); i++) { -diff --git a/drivers/hid/hid-lgff.c b/drivers/hid/hid-lgff.c -index d7ea8c8..e1394af 100644 ---- a/drivers/hid/hid-lgff.c -+++ b/drivers/hid/hid-lgff.c -@@ -128,27 +128,14 @@ static void hid_lgff_set_autocenter(struct input_dev *dev, u16 magnitude) - int lgff_init(struct hid_device* hid) - { - struct hid_input *hidinput = list_entry(hid->inputs.next, struct hid_input, list); -- struct list_head *report_list = &hid->report_enum[HID_OUTPUT_REPORT].report_list; - struct input_dev *dev = hidinput->input; -- struct hid_report *report; -- struct hid_field *field; - const signed short *ff_bits = ff_joystick; - int error; - int i; - -- /* Find the report to use */ -- if (list_empty(report_list)) { -- hid_err(hid, "No output report found\n"); -- return -1; -- } -- - /* Check that the report looks ok */ -- report = list_entry(report_list->next, struct hid_report, list); -- field = report->field[0]; -- if (!field) { -- hid_err(hid, "NULL field\n"); -- return -1; -- } -+ if (!hid_validate_values(hid, HID_OUTPUT_REPORT, 0, 0, 7)) -+ return -ENODEV; - - for (i = 0; i < ARRAY_SIZE(devices); i++) { - if (dev->id.vendor == devices[i].idVendor && --- -1.8.3.1 - - -From 0317e971d90e3e2e312074386a2349b2ef48d1d0 Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:55 +0200 -Subject: [PATCH 07/16] HID: lenovo-tpkbd: validate output report details - -From: Kees Cook - -A HID device could send a malicious output report that would cause the -lenovo-tpkbd HID driver to write just beyond the output report allocation -during initialization, causing a heap overflow: - -[ 76.109807] usb 1-1: New USB device found, idVendor=17ef, idProduct=6009 -... -[ 80.462540] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2894 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-lenovo-tpkbd.c | 10 +++++++++- - 1 file changed, 9 insertions(+), 1 deletion(-) - -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 07837f5..762d988 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -339,7 +339,15 @@ static int tpkbd_probe_tp(struct hid_device *hdev) - struct tpkbd_data_pointer *data_pointer; - size_t name_sz = strlen(dev_name(dev)) + 16; - char *name_mute, *name_micmute; -- int ret; -+ int i, ret; -+ -+ /* Validate required reports. */ -+ for (i = 0; i < 4; i++) { -+ if (!hid_validate_values(hdev, HID_FEATURE_REPORT, 4, i, 1)) -+ return -ENODEV; -+ } -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, 3, 0, 2)) -+ return -ENODEV; - - if (sysfs_create_group(&hdev->dev.kobj, - &tpkbd_attr_group_pointer)) { --- -1.8.3.1 - - -From 978474c73af6764f1c2c5409585221e6d438b16c Mon Sep 17 00:00:00 2001 -From: Kees Cook -Date: Wed, 11 Sep 2013 21:56:56 +0200 -Subject: [PATCH 08/16] HID: logitech-dj: validate output report details - -A HID device could send a malicious output report that would cause the -logitech-dj HID driver to leak kernel memory contents to the device, or -trigger a NULL dereference during initialization: - -[ 304.424553] usb 1-1: New USB device found, idVendor=046d, idProduct=c52b -... -[ 304.780467] BUG: unable to handle kernel NULL pointer dereference at 0000000000000028 -[ 304.781409] IP: [] logi_dj_recv_send_report.isra.11+0x1a/0x90 - -CVE-2013-2895 - -Signed-off-by: Kees Cook -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-logitech-dj.c | 10 ++++++++-- - 1 file changed, 8 insertions(+), 2 deletions(-) - -diff --git a/drivers/hid/hid-logitech-dj.c b/drivers/hid/hid-logitech-dj.c -index cd33084..a2469b5 100644 ---- a/drivers/hid/hid-logitech-dj.c -+++ b/drivers/hid/hid-logitech-dj.c -@@ -461,7 +461,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - struct hid_report *report; - struct hid_report_enum *output_report_enum; - u8 *data = (u8 *)(&dj_report->device_index); -- int i; -+ unsigned int i; - - output_report_enum = &hdev->report_enum[HID_OUTPUT_REPORT]; - report = output_report_enum->report_id_hash[REPORT_ID_DJ_SHORT]; -@@ -471,7 +471,7 @@ static int logi_dj_recv_send_report(struct dj_receiver_dev *djrcv_dev, - return -ENODEV; - } - -- for (i = 0; i < report->field[0]->report_count; i++) -+ for (i = 0; i < DJREPORT_SHORT_LENGTH - 1; i++) - report->field[0]->value[i] = data[i]; - - hid_hw_request(hdev, report, HID_REQ_SET_REPORT); -@@ -783,6 +783,12 @@ static int logi_dj_probe(struct hid_device *hdev, - goto hid_parse_fail; - } - -+ if (!hid_validate_values(hdev, HID_OUTPUT_REPORT, REPORT_ID_DJ_SHORT, -+ 0, DJREPORT_SHORT_LENGTH - 1)) { -+ retval = -ENODEV; -+ goto hid_parse_fail; -+ } -+ - /* Starts the usb device and connects to upper interfaces hiddev and - * hidraw */ - retval = hid_hw_start(hdev, HID_CONNECT_DEFAULT); --- -1.8.3.1 - - -From 9445e3a28eb6365c54dae729d184c4c3b6b43d60 Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Wed, 11 Sep 2013 21:56:57 +0200 -Subject: [PATCH 09/16] HID: validate feature and input report details - -When dealing with usage_index, be sure to properly use unsigned instead of -int to avoid overflows. - -When working on report fields, always validate that their report_counts are -in bounds. -Without this, a HID device could report a malicious feature report that -could trick the driver into a heap overflow: - -[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 -... -[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -CVE-2013-2897 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-core.c | 16 +++++++--------- - drivers/hid/hid-input.c | 11 ++++++++++- - 2 files changed, 17 insertions(+), 10 deletions(-) - -diff --git a/drivers/hid/hid-core.c b/drivers/hid/hid-core.c -index 65ee459..08500bc 100644 ---- a/drivers/hid/hid-core.c -+++ b/drivers/hid/hid-core.c -@@ -94,7 +94,6 @@ EXPORT_SYMBOL_GPL(hid_register_report); - static struct hid_field *hid_register_field(struct hid_report *report, unsigned usages, unsigned values) - { - struct hid_field *field; -- int i; - - if (report->maxfield == HID_MAX_FIELDS) { - hid_err(report->device, "too many fields in report\n"); -@@ -113,9 +112,6 @@ static struct hid_field *hid_register_field(struct hid_report *report, unsigned - field->value = (s32 *)(field->usage + usages); - field->report = report; - -- for (i = 0; i < usages; i++) -- field->usage[i].usage_index = i; -- - return field; - } - -@@ -226,9 +222,9 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - { - struct hid_report *report; - struct hid_field *field; -- int usages; -+ unsigned usages; - unsigned offset; -- int i; -+ unsigned i; - - report = hid_register_report(parser->device, report_type, parser->global.report_id); - if (!report) { -@@ -255,7 +251,8 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - if (!parser->local.usage_index) /* Ignore padding fields */ - return 0; - -- usages = max_t(int, parser->local.usage_index, parser->global.report_count); -+ usages = max_t(unsigned, parser->local.usage_index, -+ parser->global.report_count); - - field = hid_register_field(report, usages, parser->global.report_count); - if (!field) -@@ -266,13 +263,14 @@ static int hid_add_field(struct hid_parser *parser, unsigned report_type, unsign - field->application = hid_lookup_collection(parser, HID_COLLECTION_APPLICATION); - - for (i = 0; i < usages; i++) { -- int j = i; -+ unsigned j = i; - /* Duplicate the last usage we parsed if we have excess values */ - if (i >= parser->local.usage_index) - j = parser->local.usage_index - 1; - field->usage[i].hid = parser->local.usage[j]; - field->usage[i].collection_index = - parser->local.collection_index[j]; -+ field->usage[i].usage_index = i; - } - - field->maxusage = usages; -@@ -1290,7 +1288,7 @@ int hid_report_raw_event(struct hid_device *hid, int type, u8 *data, int size, - goto out; - } - -- if (hid->claimed != HID_CLAIMED_HIDRAW) { -+ if (hid->claimed != HID_CLAIMED_HIDRAW && report->maxfield) { - for (a = 0; a < report->maxfield; a++) - hid_input_field(hid, report->field[a], cdata, interrupt); - hdrv = hid->driver; -diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c -index 7480799..3ac2138 100644 ---- a/drivers/hid/hid-input.c -+++ b/drivers/hid/hid-input.c -@@ -477,6 +477,10 @@ static void hidinput_configure_usage(struct hid_input *hidinput, struct hid_fiel - if (field->flags & HID_MAIN_ITEM_CONSTANT) - goto ignore; - -+ /* Ignore if report count is out of bounds. */ -+ if (field->report_count < 1) -+ goto ignore; -+ - /* only LED usages are supported in output fields */ - if (field->report_type == HID_OUTPUT_REPORT && - (usage->hid & HID_USAGE_PAGE) != HID_UP_LED) { -@@ -1160,7 +1164,11 @@ static void report_features(struct hid_device *hid) - - rep_enum = &hid->report_enum[HID_FEATURE_REPORT]; - list_for_each_entry(rep, &rep_enum->report_list, list) -- for (i = 0; i < rep->maxfield; i++) -+ for (i = 0; i < rep->maxfield; i++) { -+ /* Ignore if report count is out of bounds. */ -+ if (rep->field[i]->report_count < 1) -+ continue; -+ - for (j = 0; j < rep->field[i]->maxusage; j++) { - /* Verify if Battery Strength feature is available */ - hidinput_setup_battery(hid, HID_FEATURE_REPORT, rep->field[i]); -@@ -1169,6 +1177,7 @@ static void report_features(struct hid_device *hid) - drv->feature_mapping(hid, rep->field[i], - rep->field[i]->usage + j); - } -+ } - } - - static struct hid_input *hidinput_allocate(struct hid_device *hid) --- -1.8.3.1 - - -From cc8d6c5e14fbffc3349dcd35c21fa46f1143070d Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Wed, 11 Sep 2013 21:56:58 +0200 -Subject: [PATCH 10/16] HID: multitouch: validate indexes details - -When working on report indexes, always validate that they are in bounds. -Without this, a HID device could report a malicious feature report that -could trick the driver into a heap overflow: - -[ 634.885003] usb 1-1: New USB device found, idVendor=0596, idProduct=0500 -... -[ 676.469629] BUG kmalloc-192 (Tainted: G W ): Redzone overwritten - -Note that we need to change the indexes from s8 to s16 as they can -be between -1 and 255. - -CVE-2013-2897 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-multitouch.c | 26 ++++++++++++++------------ - 1 file changed, 14 insertions(+), 12 deletions(-) - -diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c -index cb0e361..2d3677c 100644 ---- a/drivers/hid/hid-multitouch.c -+++ b/drivers/hid/hid-multitouch.c -@@ -101,9 +101,9 @@ struct mt_device { - unsigned last_slot_field; /* the last field of a slot */ - unsigned mt_report_id; /* the report ID of the multitouch device */ - unsigned pen_report_id; /* the report ID of the pen device */ -- __s8 inputmode; /* InputMode HID feature, -1 if non-existent */ -- __s8 inputmode_index; /* InputMode HID feature index in the report */ -- __s8 maxcontact_report_id; /* Maximum Contact Number HID feature, -+ __s16 inputmode; /* InputMode HID feature, -1 if non-existent */ -+ __s16 inputmode_index; /* InputMode HID feature index in the report */ -+ __s16 maxcontact_report_id; /* Maximum Contact Number HID feature, - -1 if non-existent */ - __u8 num_received; /* how many contacts we received */ - __u8 num_expected; /* expected last contact index */ -@@ -317,20 +317,18 @@ static void mt_feature_mapping(struct hid_device *hdev, - struct hid_field *field, struct hid_usage *usage) - { - struct mt_device *td = hid_get_drvdata(hdev); -- int i; - - switch (usage->hid) { - case HID_DG_INPUTMODE: -- td->inputmode = field->report->id; -- td->inputmode_index = 0; /* has to be updated below */ -- -- for (i=0; i < field->maxusage; i++) { -- if (field->usage[i].hid == usage->hid) { -- td->inputmode_index = i; -- break; -- } -+ /* Ignore if value index is out of bounds. */ -+ if (usage->usage_index >= field->report_count) { -+ dev_err(&hdev->dev, "HID_DG_INPUTMODE out of range\n"); -+ break; - } - -+ td->inputmode = field->report->id; -+ td->inputmode_index = usage->usage_index; -+ - break; - case HID_DG_CONTACTMAX: - td->maxcontact_report_id = field->report->id; -@@ -536,6 +534,10 @@ static int mt_touch_input_mapping(struct hid_device *hdev, struct hid_input *hi, - mt_store_field(usage, td, hi); - return 1; - case HID_DG_CONTACTCOUNT: -+ /* Ignore if indexes are out of bounds. */ -+ if (field->index >= field->report->maxfield || -+ usage->usage_index >= field->report_count) -+ return 1; - td->cc_index = field->index; - td->cc_value_index = usage->usage_index; - return 1; --- -1.8.3.1 - - -From 01b52229ddc746c56b2a7756eed46b1f98673bea Mon Sep 17 00:00:00 2001 -From: Benjamin Tissoires -Date: Wed, 11 Sep 2013 21:56:59 +0200 -Subject: [PATCH 11/16] HID: lenovo-tpkbd: fix leak if tpkbd_probe_tp fails - -If tpkbd_probe_tp() bails out, the probe() function return an error, -but hid_hw_stop() is never called. - -fixes: -https://bugzilla.redhat.com/show_bug.cgi?id=1003998 - -Cc: stable@vger.kernel.org -Signed-off-by: Benjamin Tissoires ---- - drivers/hid/hid-lenovo-tpkbd.c | 15 ++++++++++----- - 1 file changed, 10 insertions(+), 5 deletions(-) - -diff --git a/drivers/hid/hid-lenovo-tpkbd.c b/drivers/hid/hid-lenovo-tpkbd.c -index 762d988..31cf29a 100644 ---- a/drivers/hid/hid-lenovo-tpkbd.c -+++ b/drivers/hid/hid-lenovo-tpkbd.c -@@ -414,22 +414,27 @@ static int tpkbd_probe(struct hid_device *hdev, - ret = hid_parse(hdev); - if (ret) { - hid_err(hdev, "hid_parse failed\n"); -- goto err_free; -+ goto err; - } - - ret = hid_hw_start(hdev, HID_CONNECT_DEFAULT); - if (ret) { - hid_err(hdev, "hid_hw_start failed\n"); -- goto err_free; -+ goto err; - } - - uhdev = (struct usbhid_device *) hdev->driver_data; - -- if (uhdev->ifnum == 1) -- return tpkbd_probe_tp(hdev); -+ if (uhdev->ifnum == 1) { -+ ret = tpkbd_probe_tp(hdev); -+ if (ret) -+ goto err_hid; -+ } - - return 0; --err_free: -+err_hid: -+ hid_hw_stop(hdev); -+err: - return ret; - } - --- -1.8.3.1 diff --git a/kernel.spec b/kernel.spec index 800153d66..d70520818 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 2 +%define stable_update 3 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -732,16 +732,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#rhbz 1000679 -Patch25079: rt2800-rearrange-bbp-rfcsr-initialization.patch - -#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 -#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 -#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 -#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 -#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -Patch25099: HID-CVE-fixes-3.11.patch - #CVE-2013-4343 rhbz 1007733 1007741 Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -752,7 +742,6 @@ Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 1008323 -Patch25106: 0001-skge-fix-broken-driver.patch Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch #rhbz 985522 @@ -764,12 +753,6 @@ Patch25108: Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch #rhbz 971893 Patch25109: bonding-driver-alb-learning.patch -#rhbz 997705 -Patch25110: rpc-clean-up-decoding-of-gssproxy-linux-creds.patch -Patch25111: rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch -Patch25112: rpc-fix-huge-kmallocs-in-gss-proxy.patch -Patch25113: rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch - #rhbz 902012 Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch @@ -1463,16 +1446,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-2888 rhbz 1000451 1002543 CVE-2013-2889 rhbz 999890 1002548 -#CVE-2013-2891 rhbz 999960 1002555 CVE-2013-2892 rhbz 1000429 1002570 -#CVE-2013-2893 rhbz 1000414 1002575 CVE-2013-2894 rhbz 1000137 1002579 -#CVE-2013-2895 rhbz 1000360 1002581 CVE-2013-2896 rhbz 1000494 1002594 -#CVE-2013-2897 rhbz 1000536 1002600 CVE-2013-2899 rhbz 1000373 1002604 -ApplyPatch HID-CVE-fixes-3.11.patch - -#rhbz 1000679 -ApplyPatch rt2800-rearrange-bbp-rfcsr-initialization.patch - #CVE-2013-4343 rhbz 1007733 1007741 ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch @@ -1491,14 +1464,7 @@ ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch #rhbz 971893 ApplyPatch bonding-driver-alb-learning.patch -#rhbz 997705 -ApplyPatch rpc-clean-up-decoding-of-gssproxy-linux-creds.patch -ApplyPatch rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch -ApplyPatch rpc-fix-huge-kmallocs-in-gss-proxy.patch -ApplyPatch rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch - #rhbz 1008323 -ApplyPatch 0001-skge-fix-broken-driver.patch ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch #rhbz 902012 @@ -2326,6 +2292,9 @@ fi # and build. %changelog +* Wed Oct 2 2013 Justin M. Forbes - 3.11.3-200 +- Linux v3.11.3 + * Wed Oct 02 2013 Neil Horman - Add promiscuity fix for vlans plus bonding (rhbz 1005567) diff --git a/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch b/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch deleted file mode 100644 index ffafde8f1..000000000 --- a/rpc-clean-up-decoding-of-gssproxy-linux-creds.patch +++ /dev/null @@ -1,110 +0,0 @@ -From: "J. Bruce Fields" - -commit 778e512bb1d3315c6b55832248cd30c566c081d7 upstream. - -We can use the normal coding infrastructure here. - -Two minor behavior changes: - - - we're assuming no wasted space at the end of the linux cred. - That seems to match gss-proxy's behavior, and I can't see why - it would need to do differently in the future. - - - NGROUPS_MAX check added: note groups_alloc doesn't do this, - this is the caller's responsibility. - -Tested-by: Simo Sorce -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 32 +++++++++++++------------------- - 1 file changed, 13 insertions(+), 19 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index 3c85d1c..f5067b2 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -166,14 +166,14 @@ static int dummy_dec_opt_array(struct xdr_stream *xdr, - return 0; - } - --static int get_s32(void **p, void *max, s32 *res) -+static int get_s32(struct xdr_stream *xdr, s32 *res) - { -- void *base = *p; -- void *next = (void *)((char *)base + sizeof(s32)); -- if (unlikely(next > max || next < base)) -+ __be32 *p; -+ -+ p = xdr_inline_decode(xdr, 4); -+ if (!p) - return -EINVAL; -- memcpy(res, base, sizeof(s32)); -- *p = next; -+ memcpy(res, p, sizeof(s32)); - return 0; - } - -@@ -182,7 +182,6 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - { - u32 length; - __be32 *p; -- void *q, *end; - s32 tmp; - int N, i, err; - -@@ -192,33 +191,28 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - - length = be32_to_cpup(p); - -- /* FIXME: we do not want to use the scratch buffer for this one -- * may need to use functions that allows us to access an io vector -- * directly */ -- p = xdr_inline_decode(xdr, length); -- if (unlikely(p == NULL)) -+ if (length > (3 + NGROUPS_MAX) * sizeof(u32)) - return -ENOSPC; - -- q = p; -- end = q + length; -- - /* uid */ -- err = get_s32(&q, end, &tmp); -+ err = get_s32(xdr, &tmp); - if (err) - return err; - creds->cr_uid = make_kuid(&init_user_ns, tmp); - - /* gid */ -- err = get_s32(&q, end, &tmp); -+ err = get_s32(xdr, &tmp); - if (err) - return err; - creds->cr_gid = make_kgid(&init_user_ns, tmp); - - /* number of additional gid's */ -- err = get_s32(&q, end, &tmp); -+ err = get_s32(xdr, &tmp); - if (err) - return err; - N = tmp; -+ if ((3 + N) * sizeof(u32) != length) -+ return -EINVAL; - creds->cr_group_info = groups_alloc(N); - if (creds->cr_group_info == NULL) - return -ENOMEM; -@@ -226,7 +220,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - /* gid's */ - for (i = 0; i < N; i++) { - kgid_t kgid; -- err = get_s32(&q, end, &tmp); -+ err = get_s32(xdr, &tmp); - if (err) - goto out_free_groups; - err = -EINVAL; --- -1.7.9.5 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch b/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch deleted file mode 100644 index b4f9291b1..000000000 --- a/rpc-comment-on-linux_cred-encoding-treat-all-as-unsigned.patch +++ /dev/null @@ -1,90 +0,0 @@ -From: "J. Bruce Fields" - -commit 6a36978e6931e6601be586eb313375335f2cfaa3 upstream. - -The encoding of linux creds is a bit confusing. - -Also: I think in practice it doesn't really matter whether we treat any -of these things as signed or unsigned, but unsigned seems more -straightforward: uid_t/gid_t are unsigned and it simplifies the ngroups -overflow check. - -Tested-by: Simo Sorce -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_xdr.c | 18 ++++++++++-------- - 1 file changed, 10 insertions(+), 8 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index f5067b2..3c19c7d 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -166,14 +166,15 @@ static int dummy_dec_opt_array(struct xdr_stream *xdr, - return 0; - } - --static int get_s32(struct xdr_stream *xdr, s32 *res) -+static int get_host_u32(struct xdr_stream *xdr, u32 *res) - { - __be32 *p; - - p = xdr_inline_decode(xdr, 4); - if (!p) - return -EINVAL; -- memcpy(res, p, sizeof(s32)); -+ /* Contents of linux creds are all host-endian: */ -+ memcpy(res, p, sizeof(u32)); - return 0; - } - -@@ -182,8 +183,9 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - { - u32 length; - __be32 *p; -- s32 tmp; -- int N, i, err; -+ u32 tmp; -+ u32 N; -+ int i, err; - - p = xdr_inline_decode(xdr, 4); - if (unlikely(p == NULL)) -@@ -195,19 +197,19 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - return -ENOSPC; - - /* uid */ -- err = get_s32(xdr, &tmp); -+ err = get_host_u32(xdr, &tmp); - if (err) - return err; - creds->cr_uid = make_kuid(&init_user_ns, tmp); - - /* gid */ -- err = get_s32(xdr, &tmp); -+ err = get_host_u32(xdr, &tmp); - if (err) - return err; - creds->cr_gid = make_kgid(&init_user_ns, tmp); - - /* number of additional gid's */ -- err = get_s32(xdr, &tmp); -+ err = get_host_u32(xdr, &tmp); - if (err) - return err; - N = tmp; -@@ -220,7 +222,7 @@ static int gssx_dec_linux_creds(struct xdr_stream *xdr, - /* gid's */ - for (i = 0; i < N; i++) { - kgid_t kgid; -- err = get_s32(xdr, &tmp); -+ err = get_host_u32(xdr, &tmp); - if (err) - goto out_free_groups; - err = -EINVAL; --- -1.7.9.5 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-fix-huge-kmallocs-in-gss-proxy.patch b/rpc-fix-huge-kmallocs-in-gss-proxy.patch deleted file mode 100644 index 6257f45ea..000000000 --- a/rpc-fix-huge-kmallocs-in-gss-proxy.patch +++ /dev/null @@ -1,113 +0,0 @@ -From: "J. Bruce Fields" - -commit 9dfd87da1aeb0fd364167ad199f40fe96a6a87be upstream. - -The reply to a gssproxy can include up to NGROUPS_MAX gid's, which will -take up more than a page. We therefore need to allocate an array of -pages to hold the reply instead of trying to allocate a single huge -buffer. - -Tested-by: Simo Sorce -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_upcall.c | 30 ++++++++++++++++++++++++++++++ - net/sunrpc/auth_gss/gss_rpc_xdr.c | 3 +++ - net/sunrpc/auth_gss/gss_rpc_xdr.h | 5 ++++- - 3 files changed, 37 insertions(+), 1 deletion(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -index af7ffd4..be95af3 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_upcall.c -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -213,6 +213,30 @@ static int gssp_call(struct net *net, struct rpc_message *msg) - return status; - } - -+static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg) -+{ -+ int i; -+ -+ for (i = 0; i < arg->npages && arg->pages[i]; i++) -+ __free_page(arg->pages[i]); -+} -+ -+static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg) -+{ -+ int i; -+ -+ arg->npages = DIV_ROUND_UP(NGROUPS_MAX * 4, PAGE_SIZE); -+ arg->pages = kzalloc(arg->npages * sizeof(struct page *), GFP_KERNEL); -+ -+ for (i=0; i < arg->npages; i++) { -+ arg->pages[i] = alloc_page(GFP_KERNEL); -+ if (arg->pages[i] == NULL) { -+ gssp_free_receive_pages(arg); -+ return -ENOMEM; -+ } -+ } -+ return 0; -+} - - /* - * Public functions -@@ -261,10 +285,16 @@ int gssp_accept_sec_context_upcall(struct net *net, - arg.context_handle = &ctxh; - res.output_token->len = GSSX_max_output_token_sz; - -+ ret = gssp_alloc_receive_pages(&arg); -+ if (ret) -+ return ret; -+ - /* use nfs/ for targ_name ? */ - - ret = gssp_call(net, &msg); - -+ gssp_free_receive_pages(&arg); -+ - /* we need to fetch all data even in case of error so - * that we can free special strctures is they have been allocated */ - data->major_status = res.status.major_status; -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.c b/net/sunrpc/auth_gss/gss_rpc_xdr.c -index 3c19c7d..f0f78c5 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.c -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.c -@@ -780,6 +780,9 @@ void gssx_enc_accept_sec_context(struct rpc_rqst *req, - /* arg->options */ - err = dummy_enc_opt_array(xdr, &arg->options); - -+ xdr_inline_pages(&req->rq_rcv_buf, -+ PAGE_SIZE/2 /* pretty arbitrary */, -+ arg->pages, 0 /* page base */, arg->npages * PAGE_SIZE); - done: - if (err) - dprintk("RPC: gssx_enc_accept_sec_context: %d\n", err); -diff --git a/net/sunrpc/auth_gss/gss_rpc_xdr.h b/net/sunrpc/auth_gss/gss_rpc_xdr.h -index 1c98b27..685a688 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_xdr.h -+++ b/net/sunrpc/auth_gss/gss_rpc_xdr.h -@@ -147,6 +147,8 @@ struct gssx_arg_accept_sec_context { - struct gssx_cb *input_cb; - u32 ret_deleg_cred; - struct gssx_option_array options; -+ struct page **pages; -+ unsigned int npages; - }; - - struct gssx_res_accept_sec_context { -@@ -240,7 +242,8 @@ int gssx_dec_accept_sec_context(struct rpc_rqst *rqstp, - 2 * GSSX_max_princ_sz + \ - 8 + 8 + 4 + 4 + 4) - #define GSSX_max_output_token_sz 1024 --#define GSSX_max_creds_sz (4 + 4 + 4 + NGROUPS_MAX * 4) -+/* grouplist not included; we allocate separate pages for that: */ -+#define GSSX_max_creds_sz (4 + 4 + 4 /* + NGROUPS_MAX*4 */) - #define GSSX_RES_accept_sec_context_sz (GSSX_default_status_sz + \ - GSSX_default_ctx_sz + \ - GSSX_max_output_token_sz + \ --- -1.7.9.5 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch b/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch deleted file mode 100644 index fae0dcd60..000000000 --- a/rpc-let-xdr-layer-allocate-gssproxy-receieve-pages.patch +++ /dev/null @@ -1,52 +0,0 @@ -From: "J. Bruce Fields" - -commit d4a516560fc96a9d486a9939bcb567e3fdce8f49 upstream. - -In theory the linux cred in a gssproxy reply can include up to -NGROUPS_MAX data, 256K of data. In the common case we expect it to be -shorter. So do as the nfsv3 ACL code does and let the xdr code allocate -the pages as they come in, instead of allocating a lot of pages that -won't typically be used. - -Tested-by: Simo Sorce -Signed-off-by: J. Bruce Fields ---- - net/sunrpc/auth_gss/gss_rpc_upcall.c | 16 ++++++---------- - 1 file changed, 6 insertions(+), 10 deletions(-) - -diff --git a/net/sunrpc/auth_gss/gss_rpc_upcall.c b/net/sunrpc/auth_gss/gss_rpc_upcall.c -index be95af3..f1eb0d1 100644 ---- a/net/sunrpc/auth_gss/gss_rpc_upcall.c -+++ b/net/sunrpc/auth_gss/gss_rpc_upcall.c -@@ -223,18 +223,14 @@ static void gssp_free_receive_pages(struct gssx_arg_accept_sec_context *arg) - - static int gssp_alloc_receive_pages(struct gssx_arg_accept_sec_context *arg) - { -- int i; -- - arg->npages = DIV_ROUND_UP(NGROUPS_MAX * 4, PAGE_SIZE); - arg->pages = kzalloc(arg->npages * sizeof(struct page *), GFP_KERNEL); -- -- for (i=0; i < arg->npages; i++) { -- arg->pages[i] = alloc_page(GFP_KERNEL); -- if (arg->pages[i] == NULL) { -- gssp_free_receive_pages(arg); -- return -ENOMEM; -- } -- } -+ /* -+ * XXX: actual pages are allocated by xdr layer in -+ * xdr_partial_copy_from_skb. -+ */ -+ if (!arg->pages) -+ return -ENOMEM; - return 0; - } - --- -1.7.9.5 - --- -To unsubscribe from this list: send the line "unsubscribe linux-nfs" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/rt2800-rearrange-bbp-rfcsr-initialization.patch b/rt2800-rearrange-bbp-rfcsr-initialization.patch deleted file mode 100644 index 5b1e27c23..000000000 --- a/rt2800-rearrange-bbp-rfcsr-initialization.patch +++ /dev/null @@ -1,69 +0,0 @@ -My commit - -commit c630ccf1a127578421a928489d51e99c05037054 -Author: Stanislaw Gruszka -Date: Sat Mar 16 19:19:46 2013 +0100 - - rt2800: rearrange bbp/rfcsr initialization - -make Maxim machine freeze when try to start wireless device. - -Initialization order and sending MCU_BOOT_SIGNAL request, changed in -above commit, is important. Doing things incorrectly make PCIe bus -problems, which can froze the machine. - -This patch change initialization sequence like vendor driver do: -function NICInitializeAsic() from -2011_1007_RT5390_RT5392_Linux_STA_V2.5.0.3_DPO (PCI devices) and -DPO_RT5572_LinuxSTA_2.6.1.3_20121022 (according Mediatek, latest driver -for RT8070/RT3070/RT3370/RT3572/RT5370/RT5372/RT5572 USB devices). -It fixes freezes on Maxim system. - -Resolve: -https://bugzilla.redhat.com/show_bug.cgi?id=1000679 - -Reported-and-tested-by: Maxim Polyakov -Bisected-by: Igor Gnatenko -Cc: stable@vger.kernel.org # 3.10+ -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/rt2x00/rt2800lib.c | 11 ++++++----- - 1 file changed, 6 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index d217c9e..8f6820a 100644 ---- a/drivers/net/wireless/rt2x00/rt2800lib.c -+++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -6631,19 +6631,20 @@ int rt2800_enable_radio(struct rt2x00_dev *rt2x00dev) - rt2800_init_registers(rt2x00dev))) - return -EIO; - -+ if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev))) -+ return -EIO; -+ - /* - * Send signal to firmware during boot time. - */ - rt2800_register_write(rt2x00dev, H2M_BBP_AGENT, 0); - rt2800_register_write(rt2x00dev, H2M_MAILBOX_CSR, 0); -- if (rt2x00_is_usb(rt2x00dev)) { -+ if (rt2x00_is_usb(rt2x00dev)) - rt2800_register_write(rt2x00dev, H2M_INT_SRC, 0); -- rt2800_mcu_request(rt2x00dev, MCU_BOOT_SIGNAL, 0, 0, 0); -- } -+ rt2800_mcu_request(rt2x00dev, MCU_BOOT_SIGNAL, 0, 0, 0); - msleep(1); - -- if (unlikely(rt2800_wait_bbp_rf_ready(rt2x00dev) || -- rt2800_wait_bbp_ready(rt2x00dev))) -+ if (unlikely(rt2800_wait_bbp_ready(rt2x00dev))) - return -EIO; - - rt2800_init_bbp(rt2x00dev); --- -1.7.11.7 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/sources b/sources index 9c3b8793c..447f35f3d 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -5aa3286dcc7d70ceb50c3cbc64bc1cd8 patch-3.11.2.xz +b098457c2d9e9626faacfda931deefb6 patch-3.11.3.xz From 38a44f7acb3f46194fc0ca0f0a663742420e85c1 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 2 Oct 2013 17:02:42 -0500 Subject: [PATCH 230/468] drm/radeon: don't set default clocks for SI when DPM is disabled (rhbz 1013814) --- ...t-clocks-for-SI-when-DPM-is-disabled.patch | 58 +++++++++++++++++++ kernel.spec | 11 +++- 2 files changed, 68 insertions(+), 1 deletion(-) create mode 100644 drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch diff --git a/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch b/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch new file mode 100644 index 000000000..b7516b794 --- /dev/null +++ b/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch @@ -0,0 +1,58 @@ +commit 360991867d83e10827d907ef67206986a98953b3 +Author: Alex Deucher +Date: Sat Sep 21 14:37:49 2013 -0400 + + drm/radeon: don't set default clocks for SI when DPM is disabled + + This is a partial revert of c6cf7777a32da874fabec4fd1c2a579f0ba4e4dd. + + We need to take into account the clk voltage dependencies of the + board. Not doing so can lead to stability issues on certain + boards if the clks exceed the levels in the dep tables. + + DPM already takes that into account, so for optimal performance, + use DPM. + + Signed-off-by: Alex Deucher + Cc: stable@vger.kernel.org + +diff --git a/drivers/gpu/drm/radeon/radeon_pm.c b/drivers/gpu/drm/radeon/radeon_pm.c +index 87e1d69..ac07ad1 100644 +--- a/drivers/gpu/drm/radeon/radeon_pm.c ++++ b/drivers/gpu/drm/radeon/radeon_pm.c +@@ -1002,7 +1002,7 @@ static void radeon_pm_resume_old(struct radeon_device *rdev) + { + /* set up the default clocks if the MC ucode is loaded */ + if ((rdev->family >= CHIP_BARTS) && +- (rdev->family <= CHIP_HAINAN) && ++ (rdev->family <= CHIP_CAYMAN) && + rdev->mc_fw) { + if (rdev->pm.default_vddc) + radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, +@@ -1046,7 +1046,7 @@ static void radeon_pm_resume_dpm(struct radeon_device *rdev) + if (ret) { + DRM_ERROR("radeon: dpm resume failed\n"); + if ((rdev->family >= CHIP_BARTS) && +- (rdev->family <= CHIP_HAINAN) && ++ (rdev->family <= CHIP_CAYMAN) && + rdev->mc_fw) { + if (rdev->pm.default_vddc) + radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, +@@ -1097,7 +1097,7 @@ static int radeon_pm_init_old(struct radeon_device *rdev) + radeon_pm_init_profile(rdev); + /* set up the default clocks if the MC ucode is loaded */ + if ((rdev->family >= CHIP_BARTS) && +- (rdev->family <= CHIP_HAINAN) && ++ (rdev->family <= CHIP_CAYMAN) && + rdev->mc_fw) { + if (rdev->pm.default_vddc) + radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, +@@ -1183,7 +1183,7 @@ static int radeon_pm_init_dpm(struct radeon_device *rdev) + if (ret) { + rdev->pm.dpm_enabled = false; + if ((rdev->family >= CHIP_BARTS) && +- (rdev->family <= CHIP_HAINAN) && ++ (rdev->family <= CHIP_CAYMAN) && + rdev->mc_fw) { + if (rdev->pm.default_vddc) + radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, diff --git a/kernel.spec b/kernel.spec index d70520818..d0ca49550 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -766,6 +766,9 @@ Patch25117: rt2800-add-support-for-rf3070.patch #rhbz 1005567 Patch25118: bonding-driver-promisc.patch +#rhbz 1013814 +Patch25119: drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch + # END OF PATCH DEFINITIONS %endif @@ -1480,6 +1483,9 @@ ApplyPatch rt2800-add-support-for-rf3070.patch #rhbz 1005567 ApplyPatch bonding-driver-promisc.patch +#rhbz 1013814 +ApplyPatch drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch + # END OF PATCH APPLICATIONS %endif @@ -2292,6 +2298,9 @@ fi # and build. %changelog +* Wed Oct 2 2013 Justin M. Forbes +- drm/radeon: don't set default clocks for SI when DPM is disabled (rhbz 1013814) + * Wed Oct 2 2013 Justin M. Forbes - 3.11.3-200 - Linux v3.11.3 From 2614669cd57988e819ffb1a14ef7a02748d359ac Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 3 Oct 2013 10:47:31 -0400 Subject: [PATCH 231/468] CVE-2013-4387 ipv6: panic when UFO=On for an interface (rhbz 1011927 1015166) --- ...-following-an-UFO-enqueued-packet-ne.patch | 123 ++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 132 insertions(+) create mode 100644 ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch diff --git a/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch b/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch new file mode 100644 index 000000000..9310e05a7 --- /dev/null +++ b/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch @@ -0,0 +1,123 @@ +From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Sat, 21 Sep 2013 06:27:00 +0200 +Subject: [PATCH] ipv6: udp packets following an UFO enqueued packet need also + be handled by UFO + +In the following scenario the socket is corked: +If the first UDP packet is larger then the mtu we try to append it to the +write queue via ip6_ufo_append_data. A following packet, which is smaller +than the mtu would be appended to the already queued up gso-skb via +plain ip6_append_data. This causes random memory corruptions. + +In ip6_ufo_append_data we also have to be careful to not queue up the +same skb multiple times. So setup the gso frame only when no first skb +is available. + +This also fixes a shortcoming where we add the current packet's length to +cork->length but return early because of a packet > mtu with dontfrag set +(instead of sutracting it again). + +Found with trinity. + +Cc: YOSHIFUJI Hideaki +Signed-off-by: Hannes Frederic Sowa +Reported-by: Dmitry Vyukov +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_output.c | 53 +++++++++++++++++++++------------------------------ + 1 file changed, 22 insertions(+), 31 deletions(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 3a692d5..a54c45c 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk, + * udp datagram + */ + if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) { ++ struct frag_hdr fhdr; ++ + skb = sock_alloc_send_skb(sk, + hh_len + fragheaderlen + transhdrlen + 20, + (flags & MSG_DONTWAIT), &err); +@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk, + skb->protocol = htons(ETH_P_IPV6); + skb->ip_summed = CHECKSUM_PARTIAL; + skb->csum = 0; +- } +- +- err = skb_append_datato_frags(sk,skb, getfrag, from, +- (length - transhdrlen)); +- if (!err) { +- struct frag_hdr fhdr; + + /* Specify the length of each IPv6 datagram fragment. + * It has to be a multiple of 8. +@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk, + ipv6_select_ident(&fhdr, rt); + skb_shinfo(skb)->ip6_frag_id = fhdr.identification; + __skb_queue_tail(&sk->sk_write_queue, skb); +- +- return 0; + } +- /* There is not enough support do UPD LSO, +- * so follow normal path +- */ +- kfree_skb(skb); + +- return err; ++ return skb_append_datato_frags(sk, skb, getfrag, from, ++ (length - transhdrlen)); + } + + static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src, +@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + * --yoshfuji + */ + +- cork->length += length; +- if (length > mtu) { +- int proto = sk->sk_protocol; +- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){ +- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); +- return -EMSGSIZE; +- } +- +- if (proto == IPPROTO_UDP && +- (rt->dst.dev->features & NETIF_F_UFO)) { ++ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP || ++ sk->sk_protocol == IPPROTO_RAW)) { ++ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); ++ return -EMSGSIZE; ++ } + +- err = ip6_ufo_append_data(sk, getfrag, from, length, +- hh_len, fragheaderlen, +- transhdrlen, mtu, flags, rt); +- if (err) +- goto error; +- return 0; +- } ++ skb = skb_peek_tail(&sk->sk_write_queue); ++ cork->length += length; ++ if (((length > mtu) || ++ (skb && skb_is_gso(skb))) && ++ (sk->sk_protocol == IPPROTO_UDP) && ++ (rt->dst.dev->features & NETIF_F_UFO)) { ++ err = ip6_ufo_append_data(sk, getfrag, from, length, ++ hh_len, fragheaderlen, ++ transhdrlen, mtu, flags, rt); ++ if (err) ++ goto error; ++ return 0; + } + +- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) ++ if (!skb) + goto alloc_new_skb; + + while (length > 0) { +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index d0ca49550..0de21795f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -769,6 +769,9 @@ Patch25118: bonding-driver-promisc.patch #rhbz 1013814 Patch25119: drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch +#CVE-2013-4387 rhbz 1011927 1015166 +Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch + # END OF PATCH DEFINITIONS %endif @@ -1486,6 +1489,9 @@ ApplyPatch bonding-driver-promisc.patch #rhbz 1013814 ApplyPatch drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch +#CVE-2013-4387 rhbz 1011927 1015166 +ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch + # END OF PATCH APPLICATIONS %endif @@ -2298,6 +2304,9 @@ fi # and build. %changelog +* Thu Oct 3 2013 Josh Boyer +- CVE-2013-4387 ipv6: panic when UFO=On for an interface (rhbz 1011927 1015166) + * Wed Oct 2 2013 Justin M. Forbes - drm/radeon: don't set default clocks for SI when DPM is disabled (rhbz 1013814) From 01b5b507a850264faca50ba4d8af0cb275cd4435 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 5 Oct 2013 10:08:07 -0400 Subject: [PATCH 232/468] Drop long carried selinux ptraceme patch Nobody is working on this in Fedora at the moment, and it really needs to come from upstream. --- kernel.spec | 6 - ...different-permission-to-ptrace-child.patch | 162 ------------------ 2 files changed, 168 deletions(-) delete mode 100644 selinux-apply-different-permission-to-ptrace-child.patch diff --git a/kernel.spec b/kernel.spec index 0de21795f..60f34a6e0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -714,9 +714,6 @@ Patch21247: ath9k_rx_dma_stop_check.patch Patch22000: weird-root-dentry-name-debug.patch Patch22010: debug-idle-sched-warn-once.patch -#selinux ptrace child permissions -Patch22001: selinux-apply-different-permission-to-ptrace-child.patch - #rhbz 927469 Patch23006: fix-child-thread-introspection.patch @@ -1428,9 +1425,6 @@ ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch ApplyPatch weird-root-dentry-name-debug.patch ApplyPatch debug-idle-sched-warn-once.patch -#selinux ptrace child permissions -ApplyPatch selinux-apply-different-permission-to-ptrace-child.patch - # https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch diff --git a/selinux-apply-different-permission-to-ptrace-child.patch b/selinux-apply-different-permission-to-ptrace-child.patch deleted file mode 100644 index 90baad840..000000000 --- a/selinux-apply-different-permission-to-ptrace-child.patch +++ /dev/null @@ -1,162 +0,0 @@ -Some applications, like gdb, are able to ptrace both children or other -completely unrelated tasks. We would like to be able to discern these two -things and to be able to allow gdb to ptrace it's children, but not to be -able to ptrace unrelated tasks for security reasons. - -Upstream is a bit weary of this patch as it may be incomplete. They are -not fundamentally opposed to the patch, I was just ask to see if I could -flush out any needed refinement in Fedora where we already had the -problem. We may find that we need to emulate the YAMA non-child -registration module in order to completely deal with 'normal' ptrace on -a system. At the moment however, this patch will at least let us get -gdb working for many users in Fedora (See fedora-devel-list for a -discussion of the current issues people are complaining about in F17 -without this) - ---- - - security/selinux/hooks.c | 38 +++++++++++++++++++++++++++++++++++ - security/selinux/include/classmap.h | 2 +- - security/selinux/include/security.h | 2 ++ - security/selinux/selinuxfs.c | 3 ++- - security/selinux/ss/services.c | 3 +++ - 5 files changed, 46 insertions(+), 2 deletions(-) - -diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c -index 1a4acf4..b226f26 100644 ---- a/security/selinux/hooks.c -+++ b/security/selinux/hooks.c -@@ -1805,6 +1805,39 @@ static inline u32 open_file_to_av(struct file *file) - - /* Hook functions begin here. */ - -+/** -+ * task_is_descendant - walk up a process family tree looking for a match -+ * @parent: the process to compare against while walking up from child -+ * @child: the process to start from while looking upwards for parent -+ * -+ * Returns 1 if child is a descendant of parent, 0 if not. -+ */ -+static int task_is_descendant(struct task_struct *parent, -+ struct task_struct *child) -+{ -+ int rc = 0; -+ struct task_struct *walker = child; -+ -+ if (!parent || !child) -+ return 0; -+ -+ rcu_read_lock(); -+ if (!thread_group_leader(parent)) -+ parent = rcu_dereference(parent->group_leader); -+ while (walker->pid > 0) { -+ if (!thread_group_leader(walker)) -+ walker = rcu_dereference(walker->group_leader); -+ if (walker == parent) { -+ rc = 1; -+ break; -+ } -+ walker = rcu_dereference(walker->real_parent); -+ } -+ rcu_read_unlock(); -+ -+ return rc; -+} -+ - static int selinux_ptrace_access_check(struct task_struct *child, - unsigned int mode) - { -@@ -1820,6 +1853,9 @@ static int selinux_ptrace_access_check(struct task_struct *child, - return avc_has_perm(sid, csid, SECCLASS_FILE, FILE__READ, NULL); - } - -+ -+ if (selinux_policycap_ptrace_child && task_is_descendant(current, child)) -+ return current_has_perm(child, PROCESS__PTRACE_CHILD); - return current_has_perm(child, PROCESS__PTRACE); - } - -@@ -1831,6 +1867,8 @@ static int selinux_ptrace_traceme(struct task_struct *parent) - if (rc) - return rc; - -+ if (selinux_policycap_ptrace_child && task_is_descendant(parent, current)) -+ return task_has_perm(parent, current, PROCESS__PTRACE_CHILD); - return task_has_perm(parent, current, PROCESS__PTRACE); - } - -diff --git a/security/selinux/include/classmap.h b/security/selinux/include/classmap.h -index 39e678c..72c08b9 100644 ---- a/security/selinux/include/classmap.h -+++ b/security/selinux/include/classmap.h -@@ -29,7 +29,7 @@ struct security_class_mapping secclass_map[] = { - "getattr", "setexec", "setfscreate", "noatsecure", "siginh", - "setrlimit", "rlimitinh", "dyntransition", "setcurrent", - "execmem", "execstack", "execheap", "setkeycreate", -- "setsockcreate", NULL } }, -+ "setsockcreate", "ptrace_child", NULL } }, - { "system", - { "ipc_info", "syslog_read", "syslog_mod", - "syslog_console", "module_request", NULL } }, -diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h -index dde2005..ac14b0a 100644 ---- a/security/selinux/include/security.h -+++ b/security/selinux/include/security.h -@@ -68,12 +68,14 @@ extern int selinux_enabled; - enum { - POLICYDB_CAPABILITY_NETPEER, - POLICYDB_CAPABILITY_OPENPERM, -+ POLICYDB_CAPABILITY_PTRACE_CHILD, - __POLICYDB_CAPABILITY_MAX - }; - #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1) - - extern int selinux_policycap_netpeer; - extern int selinux_policycap_openperm; -+extern int selinux_policycap_ptrace_child; - - /* - * type_datum properties -diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c -index 4e93f9e..3379765 100644 ---- a/security/selinux/selinuxfs.c -+++ b/security/selinux/selinuxfs.c -@@ -44,7 +44,8 @@ - /* Policy capability filenames */ - static char *policycap_names[] = { - "network_peer_controls", -- "open_perms" -+ "open_perms", -+ "ptrace_child", - }; - - unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE; -diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c -index 9b7e7ed..4d12a6e 100644 ---- a/security/selinux/ss/services.c -+++ b/security/selinux/ss/services.c -@@ -72,6 +72,7 @@ - - int selinux_policycap_netpeer; - int selinux_policycap_openperm; -+int selinux_policycap_ptrace_child; - - static DEFINE_RWLOCK(policy_rwlock); - -@@ -1812,6 +1813,8 @@ static void security_load_policycaps(void) - POLICYDB_CAPABILITY_NETPEER); - selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps, - POLICYDB_CAPABILITY_OPENPERM); -+ selinux_policycap_ptrace_child = ebitmap_get_bit(&policydb.policycaps, -+ POLICYDB_CAPABILITY_PTRACE_CHILD); - } - - static int security_preserve_bools(struct policydb *p); - - - - -_______________________________________________ -kernel mailing list -kernel@lists.fedoraproject.org -https://admin.fedoraproject.org/mailman/listinfo/kernel From 80224cd206ddb9a1b44f2085ca8d1b9520349363 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 7 Oct 2013 07:21:19 -0500 Subject: [PATCH 233/468] Linux v3.11.4 --- ...t-clocks-for-SI-when-DPM-is-disabled.patch | 58 ------------------- ...mc-Check-key-count-before-proceeding.patch | 49 ---------------- kernel.spec | 19 ++---- sources | 2 +- 4 files changed, 6 insertions(+), 122 deletions(-) delete mode 100644 drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch delete mode 100644 hwmon-applesmc-Check-key-count-before-proceeding.patch diff --git a/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch b/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch deleted file mode 100644 index b7516b794..000000000 --- a/drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch +++ /dev/null @@ -1,58 +0,0 @@ -commit 360991867d83e10827d907ef67206986a98953b3 -Author: Alex Deucher -Date: Sat Sep 21 14:37:49 2013 -0400 - - drm/radeon: don't set default clocks for SI when DPM is disabled - - This is a partial revert of c6cf7777a32da874fabec4fd1c2a579f0ba4e4dd. - - We need to take into account the clk voltage dependencies of the - board. Not doing so can lead to stability issues on certain - boards if the clks exceed the levels in the dep tables. - - DPM already takes that into account, so for optimal performance, - use DPM. - - Signed-off-by: Alex Deucher - Cc: stable@vger.kernel.org - -diff --git a/drivers/gpu/drm/radeon/radeon_pm.c b/drivers/gpu/drm/radeon/radeon_pm.c -index 87e1d69..ac07ad1 100644 ---- a/drivers/gpu/drm/radeon/radeon_pm.c -+++ b/drivers/gpu/drm/radeon/radeon_pm.c -@@ -1002,7 +1002,7 @@ static void radeon_pm_resume_old(struct radeon_device *rdev) - { - /* set up the default clocks if the MC ucode is loaded */ - if ((rdev->family >= CHIP_BARTS) && -- (rdev->family <= CHIP_HAINAN) && -+ (rdev->family <= CHIP_CAYMAN) && - rdev->mc_fw) { - if (rdev->pm.default_vddc) - radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, -@@ -1046,7 +1046,7 @@ static void radeon_pm_resume_dpm(struct radeon_device *rdev) - if (ret) { - DRM_ERROR("radeon: dpm resume failed\n"); - if ((rdev->family >= CHIP_BARTS) && -- (rdev->family <= CHIP_HAINAN) && -+ (rdev->family <= CHIP_CAYMAN) && - rdev->mc_fw) { - if (rdev->pm.default_vddc) - radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, -@@ -1097,7 +1097,7 @@ static int radeon_pm_init_old(struct radeon_device *rdev) - radeon_pm_init_profile(rdev); - /* set up the default clocks if the MC ucode is loaded */ - if ((rdev->family >= CHIP_BARTS) && -- (rdev->family <= CHIP_HAINAN) && -+ (rdev->family <= CHIP_CAYMAN) && - rdev->mc_fw) { - if (rdev->pm.default_vddc) - radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, -@@ -1183,7 +1183,7 @@ static int radeon_pm_init_dpm(struct radeon_device *rdev) - if (ret) { - rdev->pm.dpm_enabled = false; - if ((rdev->family >= CHIP_BARTS) && -- (rdev->family <= CHIP_HAINAN) && -+ (rdev->family <= CHIP_CAYMAN) && - rdev->mc_fw) { - if (rdev->pm.default_vddc) - radeon_atom_set_voltage(rdev, rdev->pm.default_vddc, diff --git a/hwmon-applesmc-Check-key-count-before-proceeding.patch b/hwmon-applesmc-Check-key-count-before-proceeding.patch deleted file mode 100644 index 76e7fe25f..000000000 --- a/hwmon-applesmc-Check-key-count-before-proceeding.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 5f4513864304672e6ea9eac60583eeac32e679f2 Mon Sep 17 00:00:00 2001 -From: Henrik Rydberg -Date: Thu, 26 Sep 2013 06:33:16 +0000 -Subject: hwmon: (applesmc) Check key count before proceeding - -After reports from Chris and Josh Boyer of a rare crash in applesmc, -Guenter pointed at the initialization problem fixed below. The patch -has not been verified to fix the crash, but should be applied -regardless. - -Reported-by: -Suggested-by: Guenter Roeck -Signed-off-by: Henrik Rydberg -Cc: stable@vger.kernel.org -Signed-off-by: Guenter Roeck ---- -diff --git a/drivers/hwmon/applesmc.c b/drivers/hwmon/applesmc.c -index 62c2e32..98814d1 100644 ---- a/drivers/hwmon/applesmc.c -+++ b/drivers/hwmon/applesmc.c -@@ -525,16 +525,25 @@ static int applesmc_init_smcreg_try(void) - { - struct applesmc_registers *s = &smcreg; - bool left_light_sensor, right_light_sensor; -+ unsigned int count; - u8 tmp[1]; - int ret; - - if (s->init_complete) - return 0; - -- ret = read_register_count(&s->key_count); -+ ret = read_register_count(&count); - if (ret) - return ret; - -+ if (s->cache && s->key_count != count) { -+ pr_warn("key count changed from %d to %d\n", -+ s->key_count, count); -+ kfree(s->cache); -+ s->cache = NULL; -+ } -+ s->key_count = count; -+ - if (!s->cache) - s->cache = kcalloc(s->key_count, sizeof(*s->cache), GFP_KERNEL); - if (!s->cache) --- -cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 60f34a6e0..5067edaec 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 3 +%define stable_update 4 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -754,18 +754,12 @@ Patch25109: bonding-driver-alb-learning.patch Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch -#rhbz 1011719 -Patch25116: hwmon-applesmc-Check-key-count-before-proceeding.patch - #rhbz 974072 Patch25117: rt2800-add-support-for-rf3070.patch #rhbz 1005567 Patch25118: bonding-driver-promisc.patch -#rhbz 1013814 -Patch25119: drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch - #CVE-2013-4387 rhbz 1011927 1015166 Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch @@ -1471,18 +1465,12 @@ ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch -#rhbz 1011719 -ApplyPatch hwmon-applesmc-Check-key-count-before-proceeding.patch - #rhbz 974072 ApplyPatch rt2800-add-support-for-rf3070.patch #rhbz 1005567 ApplyPatch bonding-driver-promisc.patch -#rhbz 1013814 -ApplyPatch drm-radeon-dont-set-default-clocks-for-SI-when-DPM-is-disabled.patch - #CVE-2013-4387 rhbz 1011927 1015166 ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch @@ -2298,6 +2286,9 @@ fi # and build. %changelog +* Mon Oct 7 2013 Justin M. Forbes +- Linux v3.11.4 + * Thu Oct 3 2013 Josh Boyer - CVE-2013-4387 ipv6: panic when UFO=On for an interface (rhbz 1011927 1015166) diff --git a/sources b/sources index 447f35f3d..85810a7b6 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -b098457c2d9e9626faacfda931deefb6 patch-3.11.3.xz +5147e7f82600452c5438f8309c07eccd patch-3.11.4.xz From b7939eea68395774562b750fac36e082deb7d24e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 8 Oct 2013 08:39:57 -0400 Subject: [PATCH 234/468] Use RCU safe kfree for conntrack (rhbz 1015989) --- kernel.spec | 11 +++++- ...ntrack-use-RCU-safe-kfree-for-conntr.patch | 35 +++++++++++++++++++ 2 files changed, 45 insertions(+), 1 deletion(-) create mode 100644 netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch diff --git a/kernel.spec b/kernel.spec index 5067edaec..b9e815bbe 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -763,6 +763,9 @@ Patch25118: bonding-driver-promisc.patch #CVE-2013-4387 rhbz 1011927 1015166 Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch +#rhbz 1015989 +Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch + # END OF PATCH DEFINITIONS %endif @@ -1474,6 +1477,9 @@ ApplyPatch bonding-driver-promisc.patch #CVE-2013-4387 rhbz 1011927 1015166 ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch +#rhbz 1015989 +ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch + # END OF PATCH APPLICATIONS %endif @@ -2286,6 +2292,9 @@ fi # and build. %changelog +* Tue Oct 08 2013 Josh Boyer +- Use RCU safe kfree for conntrack (rhbz 1015989) + * Mon Oct 7 2013 Justin M. Forbes - Linux v3.11.4 diff --git a/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch b/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch new file mode 100644 index 000000000..fd8351fa4 --- /dev/null +++ b/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch @@ -0,0 +1,35 @@ +From c13a84a830a208fb3443628773c8ca0557773cc7 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= +Date: Wed, 11 Sep 2013 10:17:27 +0200 +Subject: [PATCH] netfilter: nf_conntrack: use RCU safe kfree for conntrack + extensions + +Commit 68b80f11 (netfilter: nf_nat: fix RCU races) introduced +RCU protection for freeing extension data when reallocation +moves them to a new location. We need the same protection when +freeing them in nf_ct_ext_free() in order to prevent a +use-after-free by other threads referencing a NAT extension data +via bysource list. + +Signed-off-by: Michal Kubecek +Signed-off-by: Pablo Neira Ayuso +--- + include/net/netfilter/nf_conntrack_extend.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h +index ff95434..88a1d40 100644 +--- a/include/net/netfilter/nf_conntrack_extend.h ++++ b/include/net/netfilter/nf_conntrack_extend.h +@@ -86,7 +86,7 @@ static inline void nf_ct_ext_destroy(struct nf_conn *ct) + static inline void nf_ct_ext_free(struct nf_conn *ct) + { + if (ct->ext) +- kfree(ct->ext); ++ kfree_rcu(ct->ext, rcu); + } + + /* Add this type, returns pointer to data or NULL. */ +-- +1.8.3.1 + From 2dbadccd719718183549643d0cc5ca460b2b6692 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 8 Oct 2013 08:43:27 -0400 Subject: [PATCH 235/468] Quiet irq remapping stack trace (rhbz 982153) - Use RCU safe kfree for conntrack (rhbz 1015989) --- ...ce-from-broken-irq-remapping-warning.patch | 47 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 54 insertions(+) create mode 100644 iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch diff --git a/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch b/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch new file mode 100644 index 000000000..9e88893ae --- /dev/null +++ b/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch @@ -0,0 +1,47 @@ +From 05104a4e8713b27291c7bb49c1e7e68b4e243571 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Fri, 27 Sep 2013 16:53:35 +0000 +Subject: iommu: Remove stack trace from broken irq remapping warning + +The warning for the irq remapping broken check in intel_irq_remapping.c is +pretty pointless. We need the warning, but we know where its comming from, the +stack trace will always be the same, and it needlessly triggers things like +Abrt. This changes the warning to just print a text warning about BIOS being +broken, without the stack trace, then sets the appropriate taint bit. Since we +automatically disable irq remapping, theres no need to contiue making Abrt jump +at this problem + +Signed-off-by: Neil Horman +CC: Joerg Roedel +CC: Bjorn Helgaas +CC: Andy Lutomirski +CC: Konrad Rzeszutek Wilk +CC: Sebastian Andrzej Siewior +Signed-off-by: Joerg Roedel +--- +diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c +index f71673d..b97d70b 100644 +--- a/drivers/iommu/intel_irq_remapping.c ++++ b/drivers/iommu/intel_irq_remapping.c +@@ -525,12 +525,13 @@ static int __init intel_irq_remapping_supported(void) + if (disable_irq_remap) + return 0; + if (irq_remap_broken) { +- WARN_TAINT(1, TAINT_FIRMWARE_WORKAROUND, +- "This system BIOS has enabled interrupt remapping\n" +- "on a chipset that contains an erratum making that\n" +- "feature unstable. To maintain system stability\n" +- "interrupt remapping is being disabled. Please\n" +- "contact your BIOS vendor for an update\n"); ++ printk(KERN_WARNING ++ "This system BIOS has enabled interrupt remapping\n" ++ "on a chipset that contains an erratum making that\n" ++ "feature unstable. To maintain system stability\n" ++ "interrupt remapping is being disabled. Please\n" ++ "contact your BIOS vendor for an update\n"); ++ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); + disable_irq_remap = 1; + return 0; + } +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index b9e815bbe..6b2bb8452 100644 --- a/kernel.spec +++ b/kernel.spec @@ -766,6 +766,9 @@ Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch #rhbz 1015989 Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch +#rhbz 982153 +Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch + # END OF PATCH DEFINITIONS %endif @@ -1480,6 +1483,9 @@ ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch #rhbz 1015989 ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch +#rhbz 982153 +ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch + # END OF PATCH APPLICATIONS %endif @@ -2293,6 +2299,7 @@ fi %changelog * Tue Oct 08 2013 Josh Boyer +- Quiet irq remapping stack trace (rhbz 982153) - Use RCU safe kfree for conntrack (rhbz 1015989) * Mon Oct 7 2013 Justin M. Forbes From f6573b9067ef116c596ec13d9e0772c04ee44fb2 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 8 Oct 2013 11:56:16 -0400 Subject: [PATCH 236/468] Add patch to fix nouveau crash (rhbz 1015920) --- drm-nouveau-bios-init-stub-opcode-0xaa.patch | 109 +++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 116 insertions(+) create mode 100644 drm-nouveau-bios-init-stub-opcode-0xaa.patch diff --git a/drm-nouveau-bios-init-stub-opcode-0xaa.patch b/drm-nouveau-bios-init-stub-opcode-0xaa.patch new file mode 100644 index 000000000..2daa6ed1d --- /dev/null +++ b/drm-nouveau-bios-init-stub-opcode-0xaa.patch @@ -0,0 +1,109 @@ + +Delivered-To: jwboyer@gmail.com +Received: by 10.76.11.131 with SMTP id q3csp149379oab; + Mon, 7 Oct 2013 23:45:24 -0700 (PDT) +X-Received: by 10.68.185.36 with SMTP id ez4mr69490pbc.144.1381214724506; + Mon, 07 Oct 2013 23:45:24 -0700 (PDT) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id rz6si25872020pab.249.1969.12.31.16.00.00; + Mon, 07 Oct 2013 23:45:24 -0700 (PDT) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com; + dmarc=fail (p=NONE dis=NONE) header.from=gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1754014Ab3JHGow (ORCPT + 60 others); + Tue, 8 Oct 2013 02:44:52 -0400 +Received: from mail-pa0-f42.google.com ([209.85.220.42]:35990 "EHLO + mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1753696Ab3JHGov (ORCPT + ); Tue, 8 Oct 2013 02:44:51 -0400 +Received: by mail-pa0-f42.google.com with SMTP id lj1so8433751pab.15 + for ; Mon, 07 Oct 2013 23:44:51 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=from:to:cc:subject:date:message-id; + bh=DRveULH9ZaYYXMJRsSw3WWLRMs5ifsnU9G+VUu1PKtk=; + b=oCDYfvF1KXEUN6PZU0jit8kMHSKTzIWcR078uMTxLpTjheGcoLWW0efoqsO4Dac3jp + +4dHm3NSdeqk4e+aCjnvZw7He+nMGmbWhrf1vx49XCOE4s+YvC/AgSI78pku8BQE/plZ + w8F+64e+wNze1FfRAxPPM/PoLdBiuBfvUL18htMmYi/rgq0VRkNk2UwbzvGk5AJE+vwL + esavQLjvCuJZTc7i2J9Us53dUcY4aQuYlESFvOUlbDnkkgm5Htrsnyd2Eq7k61/hr0MR + /nIFNBXuhIadU5bvf6jpMT+toIK+PA176Yt9eyEgdOAxNXdn5g15mO93/WEyXf7idBfk + JLZA== +X-Received: by 10.68.232.132 with SMTP id to4mr7840579pbc.141.1381214691006; + Mon, 07 Oct 2013 23:44:51 -0700 (PDT) +Received: from turiel.redhat.com (124-148-32-6.dyn.iinet.net.au. [124.148.32.6]) + by mx.google.com with ESMTPSA id j9sm44764711paj.18.1969.12.31.16.00.00 + (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); + Mon, 07 Oct 2013 23:44:50 -0700 (PDT) +From: Ben Skeggs +To: stable@vger.kernel.org +Cc: Ben Skeggs +Subject: [PATCH] drm/nouveau/bios/init: stub opcode 0xaa +Date: Tue, 8 Oct 2013 16:45:08 +1000 +Message-Id: <1381214708-2990-1-git-send-email-skeggsb@gmail.com> +X-Mailer: git-send-email 1.8.3.2 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Ben Skeggs + +Seen on a large number of recent boards, when triggered results in +nouveau aborting the card cold boot, giving unpredictable results +(oopses in the reported cases) later. + +commit 5495e39fb3695182b9f2a72fe4169056cada37a1 upstream + +Signed-off-by: Ben Skeggs +--- + drivers/gpu/drm/nouveau/core/subdev/bios/init.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c +index 0687e64..8f06cca 100644 +--- a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c ++++ b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c +@@ -579,8 +579,22 @@ static void + init_reserved(struct nvbios_init *init) + { + u8 opcode = nv_ro08(init->bios, init->offset); +- trace("RESERVED\t0x%02x\n", opcode); +- init->offset += 1; ++ u8 length, i; ++ ++ switch (opcode) { ++ case 0xaa: ++ length = 4; ++ break; ++ default: ++ length = 1; ++ break; ++ } ++ ++ trace("RESERVED 0x%02x\t", opcode); ++ for (i = 1; i < length; i++) ++ cont(" 0x%02x", nv_ro08(init->bios, init->offset + i)); ++ cont("\n"); ++ init->offset += length; + } + + /** +@@ -2135,6 +2149,7 @@ static struct nvbios_init_opcode { + [0x99] = { init_zm_auxch }, + [0x9a] = { init_i2c_long_if }, + [0xa9] = { init_gpio_ne }, ++ [0xaa] = { init_reserved }, + }; + + #define init_opcode_nr (sizeof(init_opcode) / sizeof(init_opcode[0])) +-- +1.8.3.2 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 6b2bb8452..e1ce98113 100644 --- a/kernel.spec +++ b/kernel.spec @@ -769,6 +769,9 @@ Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch +#rhbz 1015920 +Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch + # END OF PATCH DEFINITIONS %endif @@ -1486,6 +1489,9 @@ ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch +#rhbz 1015920 +ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch + # END OF PATCH APPLICATIONS %endif @@ -2299,6 +2305,7 @@ fi %changelog * Tue Oct 08 2013 Josh Boyer +- Add patch to fix nouveau crash (rhbz 1015920) - Quiet irq remapping stack trace (rhbz 982153) - Use RCU safe kfree for conntrack (rhbz 1015989) From 2094dd65dfe07b71fa5f61cc7b3aa811663a3286 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 9 Oct 2013 09:01:38 -0400 Subject: [PATCH 237/468] Add patch to fix VFIO IOMMU crash (rhbz 998732) --- kernel.spec | 9 +++++ ...ed-interaction-of-VFIO_IOMMU_MAP_DMA.patch | 39 +++++++++++++++++++ 2 files changed, 48 insertions(+) create mode 100644 vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch diff --git a/kernel.spec b/kernel.spec index e1ce98113..7b4627741 100644 --- a/kernel.spec +++ b/kernel.spec @@ -772,6 +772,9 @@ Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch #rhbz 1015920 Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch +#rhbz 998732 +Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch + # END OF PATCH DEFINITIONS %endif @@ -1492,6 +1495,9 @@ ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch #rhbz 1015920 ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch +#rhbz 998732 +ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch + # END OF PATCH APPLICATIONS %endif @@ -2304,6 +2310,9 @@ fi # and build. %changelog +* Wed Oct 09 2013 Josh Boyer +- Add patch to fix VFIO IOMMU crash (rhbz 998732) + * Tue Oct 08 2013 Josh Boyer - Add patch to fix nouveau crash (rhbz 1015920) - Quiet irq remapping stack trace (rhbz 982153) diff --git a/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch new file mode 100644 index 000000000..0b5fa8a7a --- /dev/null +++ b/vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch @@ -0,0 +1,39 @@ +From: Julian Stecklina +Subject: [PATCH] vfio, iommu: Fixed interaction of VFIO_IOMMU_MAP_DMA with IOMMU address limits + +The BUG_ON in drivers/iommu/intel-iommu.c:785 can be triggered from userspace via +VFIO by calling the VFIO_IOMMU_MAP_DMA ioctl on a vfio device with any address +beyond the addressing capabilities of the IOMMU. The problem is that the ioctl code +calls iommu_iova_to_phys before it calls iommu_map. iommu_map handles the case that +it gets addresses beyond the addressing capabilities of its IOMMU. +intel_iommu_iova_to_phys does not. + +This patch fixes iommu_iova_to_phys to return NULL for addresses beyond what the +IOMMU can handle. This in turn causes the ioctl call to fail in iommu_map and +(correctly) return EFAULT to the user with a helpful warning message in the kernel +log. + +Signed-off-by: Julian Stecklina +--- + drivers/iommu/intel-iommu.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/iommu/intel-iommu.c b/drivers/iommu/intel-iommu.c +index eec0d3e..61303db 100644 +--- a/drivers/iommu/intel-iommu.c ++++ b/drivers/iommu/intel-iommu.c +@@ -782,7 +782,11 @@ static struct dma_pte *pfn_to_dma_pte(struct dmar_domain *domain, + int offset; + + BUG_ON(!domain->pgd); +- BUG_ON(addr_width < BITS_PER_LONG && pfn >> addr_width); ++ ++ if (addr_width < BITS_PER_LONG && pfn >> addr_width) ++ /* Address beyond IOMMU's addressing capabilities. */ ++ return NULL; ++ + parent = domain->pgd; + + while (level > 0) { +-- +1.8.3.1 From 618b1a3c3fe1796d86451dcda5101b66f5c4cccc Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 9 Oct 2013 10:28:35 -0400 Subject: [PATCH 238/468] Don't trigger a stack trace on crashing iwlwifi firmware (rhbz 896695) --- ...RN-on-host-commands-sent-when-firmwa.patch | 35 +++++++ ...ifi-don-t-WARN-on-bad-firmware-state.patch | 98 +++++++++++++++++++ kernel.spec | 9 ++ 3 files changed, 142 insertions(+) create mode 100644 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch create mode 100644 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch diff --git a/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch b/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch new file mode 100644 index 000000000..241b7d750 --- /dev/null +++ b/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch @@ -0,0 +1,35 @@ +From 8ca95995e64f5d270889badb3e449dca91106a2b Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Sun, 15 Sep 2013 11:37:17 +0300 +Subject: [PATCH] iwlwifi: don't WARN on host commands sent when firmware is dead + +This triggers automatic bug reports and add no valuable +information. Print a simple error instead and drop the +host command. + +Signed-off-by: Emmanuel Grumbach +Signed-off-by: Johannes Berg +--- + drivers/net/wireless/iwlwifi/iwl-trans.h | 6 ++++-- + 1 files changed, 4 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h +index dd57a36..80b4750 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-trans.h ++++ b/drivers/net/wireless/iwlwifi/iwl-trans.h +@@ -601,8 +601,10 @@ static inline int iwl_trans_send_cmd(struct iwl_trans *trans, + { + int ret; + +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (trans->state != IWL_TRANS_FW_ALIVE) { ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); ++ return -EIO; ++ } + + if (!(cmd->flags & CMD_ASYNC)) + lock_map_acquire_read(&trans->sync_cmd_lockdep_map); +-- +1.7.1 + diff --git a/0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch b/0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch new file mode 100644 index 000000000..499c34a63 --- /dev/null +++ b/0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch @@ -0,0 +1,98 @@ +From 3efd689c41080b0d4a9cc263a51f2868e3d5a37b Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 9 Oct 2013 15:03:57 +0200 +Subject: [PATCH] iwlwifi: don't WARN on bad firmware state + +When we restart firmware is possible and hance firmware is marked as not +alive, we can still get calls from mac80211. Don't WARN on in this +situation as this triggers automatic bug reports with no valuable +information. + +This extend change from: + +commit 8ca95995e64f5d270889badb3e449dca91106a2b +Author: Emmanuel Grumbach +Date: Sun Sep 15 11:37:17 2013 +0300 + + iwlwifi: don't WARN on host commands sent when firmware is dead + +which remove WARN_ONCE from one place, but those warnings are also +triggered from other functions. + +Patch adds also unlikely() statement. + +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/iwlwifi/iwl-trans.h | 22 +++++++++++----------- + 1 files changed, 11 insertions(+), 11 deletions(-) + +diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h +index 80b4750..c6bac7c 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-trans.h ++++ b/drivers/net/wireless/iwlwifi/iwl-trans.h +@@ -601,7 +601,7 @@ static inline int iwl_trans_send_cmd(struct iwl_trans *trans, + { + int ret; + +- if (trans->state != IWL_TRANS_FW_ALIVE) { ++ if (unlikely(trans->state != IWL_TRANS_FW_ALIVE)) { + IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + return -EIO; + } +@@ -640,8 +640,8 @@ static inline void iwl_trans_free_tx_cmd(struct iwl_trans *trans, + static inline int iwl_trans_tx(struct iwl_trans *trans, struct sk_buff *skb, + struct iwl_device_cmd *dev_cmd, int queue) + { +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (unlikely(trans->state != IWL_TRANS_FW_ALIVE)) ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + + return trans->ops->tx(trans, skb, dev_cmd, queue); + } +@@ -649,16 +649,16 @@ static inline int iwl_trans_tx(struct iwl_trans *trans, struct sk_buff *skb, + static inline void iwl_trans_reclaim(struct iwl_trans *trans, int queue, + int ssn, struct sk_buff_head *skbs) + { +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (unlikely(trans->state != IWL_TRANS_FW_ALIVE)) ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + + trans->ops->reclaim(trans, queue, ssn, skbs); + } + + static inline void iwl_trans_txq_disable(struct iwl_trans *trans, int queue) + { +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (unlikely(trans->state != IWL_TRANS_FW_ALIVE)) ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + + trans->ops->txq_disable(trans, queue); + } +@@ -669,8 +669,8 @@ static inline void iwl_trans_txq_enable(struct iwl_trans *trans, int queue, + { + might_sleep(); + +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (unlikely((trans->state != IWL_TRANS_FW_ALIVE))) ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + + trans->ops->txq_enable(trans, queue, fifo, sta_id, tid, + frame_limit, ssn); +@@ -685,8 +685,8 @@ static inline void iwl_trans_ac_txq_enable(struct iwl_trans *trans, int queue, + + static inline int iwl_trans_wait_tx_queue_empty(struct iwl_trans *trans) + { +- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, +- "%s bad state = %d", __func__, trans->state); ++ if (unlikely(trans->state != IWL_TRANS_FW_ALIVE)) ++ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); + + return trans->ops->wait_tx_queue_empty(trans); + } +-- +1.7.1 + diff --git a/kernel.spec b/kernel.spec index 7b4627741..facf13b2d 100644 --- a/kernel.spec +++ b/kernel.spec @@ -775,6 +775,10 @@ Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch #rhbz 998732 Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch +#rhbz 896695 +Patch25126: 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch +Patch25127: 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch + # END OF PATCH DEFINITIONS %endif @@ -1498,6 +1502,10 @@ ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch #rhbz 998732 ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch +#rhbz 896695 +ApplyPatch 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch +ApplyPatch 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch + # END OF PATCH APPLICATIONS %endif @@ -2311,6 +2319,7 @@ fi %changelog * Wed Oct 09 2013 Josh Boyer +- Don't trigger a stack trace on crashing iwlwifi firmware (rhbz 896695) - Add patch to fix VFIO IOMMU crash (rhbz 998732) * Tue Oct 08 2013 Josh Boyer From da5215b9ca04850d7d959d8cd8680c4e74854694 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 10 Oct 2013 08:53:35 -0400 Subject: [PATCH 239/468] Fix large order allocation in dm mq policy (rhbz 993744) --- ...fix-large-scale-table-allocation-bug.patch | 31 +++++++++++++++++++ kernel.spec | 9 ++++++ 2 files changed, 40 insertions(+) create mode 100644 dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch diff --git a/dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch b/dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch new file mode 100644 index 000000000..71234c1a7 --- /dev/null +++ b/dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch @@ -0,0 +1,31 @@ +diff --git a/drivers/md/dm-cache-policy-mq.c b/drivers/md/dm-cache-policy-mq.c +index cab6dd2..ec79c8f 100644 +--- a/drivers/md/dm-cache-policy-mq.c ++++ b/drivers/md/dm-cache-policy-mq.c +@@ -868,7 +868,7 @@ static void mq_destroy(struct dm_cache_policy *p) + struct mq_policy *mq = to_mq_policy(p); + + free_bitset(mq->allocation_bitset); +- kfree(mq->table); ++ vfree(mq->table); + free_entries(mq); + kfree(mq); + } +@@ -1189,7 +1189,7 @@ static struct dm_cache_policy *mq_create(dm_cblock_t cache_size, + + mq->nr_buckets = next_power(from_cblock(cache_size) / 2, 16); + mq->hash_bits = ffs(mq->nr_buckets) - 1; +- mq->table = kzalloc(sizeof(*mq->table) * mq->nr_buckets, GFP_KERNEL); ++ mq->table = vzalloc(sizeof(*mq->table) * mq->nr_buckets); + if (!mq->table) + goto bad_alloc_table; + +@@ -1200,7 +1200,7 @@ static struct dm_cache_policy *mq_create(dm_cblock_t cache_size, + return &mq->policy; + + bad_alloc_bitset: +- kfree(mq->table); ++ vfree(mq->table); + bad_alloc_table: + free_entries(mq); + bad_cache_alloc: diff --git a/kernel.spec b/kernel.spec index facf13b2d..4852238ab 100644 --- a/kernel.spec +++ b/kernel.spec @@ -779,6 +779,9 @@ Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch Patch25126: 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch Patch25127: 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch +#rhbz 993744 +Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch + # END OF PATCH DEFINITIONS %endif @@ -1506,6 +1509,9 @@ ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch ApplyPatch 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch ApplyPatch 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch +#rhbz 993744 +ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch + # END OF PATCH APPLICATIONS %endif @@ -2318,6 +2324,9 @@ fi # and build. %changelog +* Thu Oct 10 2013 Josh Boyer +- Fix large order allocation in dm mq policy (rhbz 993744) + * Wed Oct 09 2013 Josh Boyer - Don't trigger a stack trace on crashing iwlwifi firmware (rhbz 896695) - Add patch to fix VFIO IOMMU crash (rhbz 998732) From 7645cdb61ebcd7220ec6c52a0cb045ab2a1a4ee0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 10 Oct 2013 09:45:17 -0400 Subject: [PATCH 240/468] USB OHCI accept very late isochronous URBs (in 3.11.4) (rhbz 975158) --- kernel.spec | 1 + 1 file changed, 1 insertion(+) diff --git a/kernel.spec b/kernel.spec index 4852238ab..54f6b996b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2325,6 +2325,7 @@ fi %changelog * Thu Oct 10 2013 Josh Boyer +- USB OHCI accept very late isochronous URBs (in 3.11.4) (rhbz 975158) - Fix large order allocation in dm mq policy (rhbz 993744) * Wed Oct 09 2013 Josh Boyer From 3bdeb9813b7a34adb8b43777f3595b828c5bbe88 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Thu, 10 Oct 2013 08:41:57 -0500 Subject: [PATCH 241/468] Tag for build --- kernel.spec | 3 +++ 1 file changed, 3 insertions(+) diff --git a/kernel.spec b/kernel.spec index 54f6b996b..2c9027118 100644 --- a/kernel.spec +++ b/kernel.spec @@ -2324,6 +2324,9 @@ fi # and build. %changelog +* Thu Oct 10 2013 Justin M. Forbes - 3.11.4-201 +- Tag for build + * Thu Oct 10 2013 Josh Boyer - USB OHCI accept very late isochronous URBs (in 3.11.4) (rhbz 975158) - Fix large order allocation in dm mq policy (rhbz 993744) From 3a677fbd4414c54334faaa694e3dd30f5baf69a9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 11 Oct 2013 08:53:10 -0400 Subject: [PATCH 242/468] Fix segfault in cpupower set (rhbz 1000439) --- ...fault-due-to-incorrect-getopt_long-a.patch | 40 +++++++++++++++++++ kernel.spec | 9 +++++ 2 files changed, 49 insertions(+) create mode 100644 cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch diff --git a/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch b/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch new file mode 100644 index 000000000..dcc6b84b6 --- /dev/null +++ b/cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch @@ -0,0 +1,40 @@ +From cb8e390d258b7f8073afafcbb163976e27346e9d Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 11 Oct 2013 08:37:53 -0400 +Subject: [PATCH] cpupower: Fix segfault due to incorrect getopt_long arugments + +If a user calls 'cpupower set --perf-bias 15', the process will end with a +SIGSEGV in libc because cpupower-set passes a NULL optarg to the atoi call. +This is because the getopt_long structure currently has all of the options +as having an optional_argument when they really have a required argument. +We change the structure to use required_argument to match the short options +and it resolves the issue. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1000439 + +Cc: stable@vger.kernel.org +Signed-off-by: Josh Boyer +--- + tools/power/cpupower/utils/cpupower-set.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/tools/power/cpupower/utils/cpupower-set.c b/tools/power/cpupower/utils/cpupower-set.c +index dc4de37..bcf1d2f 100644 +--- a/tools/power/cpupower/utils/cpupower-set.c ++++ b/tools/power/cpupower/utils/cpupower-set.c +@@ -18,9 +18,9 @@ + #include "helpers/bitmask.h" + + static struct option set_opts[] = { +- { .name = "perf-bias", .has_arg = optional_argument, .flag = NULL, .val = 'b'}, +- { .name = "sched-mc", .has_arg = optional_argument, .flag = NULL, .val = 'm'}, +- { .name = "sched-smt", .has_arg = optional_argument, .flag = NULL, .val = 's'}, ++ { .name = "perf-bias", .has_arg = required_argument, .flag = NULL, .val = 'b'}, ++ { .name = "sched-mc", .has_arg = required_argument, .flag = NULL, .val = 'm'}, ++ { .name = "sched-smt", .has_arg = required_argument, .flag = NULL, .val = 's'}, + { }, + }; + +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 2c9027118..069371126 100644 --- a/kernel.spec +++ b/kernel.spec @@ -782,6 +782,9 @@ Patch25127: 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch +#rhbz 1000439 +Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch + # END OF PATCH DEFINITIONS %endif @@ -1512,6 +1515,9 @@ ApplyPatch 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch +#rhbz 1000439 +ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch + # END OF PATCH APPLICATIONS %endif @@ -2324,6 +2330,9 @@ fi # and build. %changelog +* Fri Oct 11 2013 Josh Boyer +- Fix segfault in cpupower set (rhbz 1000439) + * Thu Oct 10 2013 Justin M. Forbes - 3.11.4-201 - Tag for build From 6bd5874c5a552d75460364e61133ad7172f159aa Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 14 Oct 2013 07:58:01 -0500 Subject: [PATCH 243/468] Linux v3.11.5 --- bonding-driver-promisc.patch | 73 ------- cve-2013-2147-ciss-info-leak.patch | 27 --- drm-nouveau-bios-init-stub-opcode-0xaa.patch | 109 ---------- ...-following-an-UFO-enqueued-packet-ne.patch | 123 ------------ kernel.spec | 49 +---- ...ipsec-encryption-bug-in-sctp_v6_xmit.patch | 186 ------------------ ...alid-value-passed-to-pci_unmap_sigle.patch | 61 ------ sources | 2 +- ...orrectly-handle-error-in-tun_set_iff.patch | 57 ------ 9 files changed, 6 insertions(+), 681 deletions(-) delete mode 100644 bonding-driver-promisc.patch delete mode 100644 cve-2013-2147-ciss-info-leak.patch delete mode 100644 drm-nouveau-bios-init-stub-opcode-0xaa.patch delete mode 100644 ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch delete mode 100644 net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch delete mode 100644 skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch delete mode 100644 tuntap-correctly-handle-error-in-tun_set_iff.patch diff --git a/bonding-driver-promisc.patch b/bonding-driver-promisc.patch deleted file mode 100644 index 38315c906..000000000 --- a/bonding-driver-promisc.patch +++ /dev/null @@ -1,73 +0,0 @@ -commit 5a0068deb611109c5ba77358be533f763f395ee4 -Author: Neil Horman -Date: Fri Sep 27 12:22:15 2013 -0400 - - bonding: Fix broken promiscuity reference counting issue - - Recently grabbed this report: - https://bugzilla.redhat.com/show_bug.cgi?id=1005567 - - Of an issue in which the bonding driver, with an attached vlan encountered the - following errors when bond0 was taken down and back up: - - dummy1: promiscuity touches roof, set promiscuity failed. promiscuity feature of - device might be broken. - - The error occurs because, during __bond_release_one, if we release our last - slave, we take on a random mac address and issue a NETDEV_CHANGEADDR - notification. With an attached vlan, the vlan may see that the vlan and bond - mac address were in sync, but no longer are. This triggers a call to dev_uc_add - and dev_set_rx_mode, which enables IFF_PROMISC on the bond device. Then, when - we complete __bond_release_one, we use the current state of the bond flags to - determine if we should decrement the promiscuity of the releasing slave. But - since the bond changed promiscuity state during the release operation, we - incorrectly decrement the slave promisc count when it wasn't in promiscuous mode - to begin with, causing the above error - - Fix is pretty simple, just cache the bonding flags at the start of the function - and use those when determining the need to set promiscuity. - - This is also needed for the ALLMULTI flag - - CC: Jay Vosburgh - CC: Andy Gospodarek - CC: Mark Wu - CC: "David S. Miller" - Reported-by: Mark Wu - - Signed-off-by: David S. Miller - -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 55bbb8b..e883bfe 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -1724,6 +1724,7 @@ static int __bond_release_one(struct net_device *bond_dev, - struct bonding *bond = netdev_priv(bond_dev); - struct slave *slave, *oldcurrent; - struct sockaddr addr; -+ int old_flags = bond_dev->flags; - netdev_features_t old_features = bond_dev->features; - - /* slave is not a slave or master is not master of this slave */ -@@ -1855,12 +1856,18 @@ static int __bond_release_one(struct net_device *bond_dev, - * bond_change_active_slave(..., NULL) - */ - if (!USES_PRIMARY(bond->params.mode)) { -- /* unset promiscuity level from slave */ -- if (bond_dev->flags & IFF_PROMISC) -+ /* unset promiscuity level from slave -+ * NOTE: The NETDEV_CHANGEADDR call above may change the value -+ * of the IFF_PROMISC flag in the bond_dev, but we need the -+ * value of that flag before that change, as that was the value -+ * when this slave was attached, so we cache at the start of the -+ * function and use it here. Same goes for ALLMULTI below -+ */ -+ if (old_flags & IFF_PROMISC) - dev_set_promiscuity(slave_dev, -1); - - /* unset allmulti level from slave */ -- if (bond_dev->flags & IFF_ALLMULTI) -+ if (old_flags & IFF_ALLMULTI) - dev_set_allmulti(slave_dev, -1); - - bond_hw_addr_flush(bond_dev, slave_dev); diff --git a/cve-2013-2147-ciss-info-leak.patch b/cve-2013-2147-ciss-info-leak.patch deleted file mode 100644 index ee49d3bfb..000000000 --- a/cve-2013-2147-ciss-info-leak.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/drivers/block/cpqarray.c b/drivers/block/cpqarray.c -index 639d26b..2b94403 100644 ---- a/drivers/block/cpqarray.c -+++ b/drivers/block/cpqarray.c -@@ -1193,6 +1193,7 @@ out_passthru: - ida_pci_info_struct pciinfo; - - if (!arg) return -EINVAL; -+ memset(&pciinfo, 0, sizeof(pciinfo)); - pciinfo.bus = host->pci_dev->bus->number; - pciinfo.dev_fn = host->pci_dev->devfn; - pciinfo.board_id = host->board_id; - - diff --git a/drivers/block/cciss.c b/drivers/block/cciss.c -index 6374dc1..34971aa 100644 ---- a/drivers/block/cciss.c -+++ b/drivers/block/cciss.c -@@ -1201,6 +1201,7 @@ static int cciss_ioctl32_passthru(struct block_device *bdev, fmode_t mode, - int err; - u32 cp; - -+ memset(&arg64, 0, sizeof(arg64)); - err = 0; - err |= - copy_from_user(&arg64.LUN_info, &arg32->LUN_info, - - \ No newline at end of file diff --git a/drm-nouveau-bios-init-stub-opcode-0xaa.patch b/drm-nouveau-bios-init-stub-opcode-0xaa.patch deleted file mode 100644 index 2daa6ed1d..000000000 --- a/drm-nouveau-bios-init-stub-opcode-0xaa.patch +++ /dev/null @@ -1,109 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.11.131 with SMTP id q3csp149379oab; - Mon, 7 Oct 2013 23:45:24 -0700 (PDT) -X-Received: by 10.68.185.36 with SMTP id ez4mr69490pbc.144.1381214724506; - Mon, 07 Oct 2013 23:45:24 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id rz6si25872020pab.249.1969.12.31.16.00.00; - Mon, 07 Oct 2013 23:45:24 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; - dkim=neutral (bad format) header.i=@gmail.com; - dmarc=fail (p=NONE dis=NONE) header.from=gmail.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1754014Ab3JHGow (ORCPT + 60 others); - Tue, 8 Oct 2013 02:44:52 -0400 -Received: from mail-pa0-f42.google.com ([209.85.220.42]:35990 "EHLO - mail-pa0-f42.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1753696Ab3JHGov (ORCPT - ); Tue, 8 Oct 2013 02:44:51 -0400 -Received: by mail-pa0-f42.google.com with SMTP id lj1so8433751pab.15 - for ; Mon, 07 Oct 2013 23:44:51 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=gmail.com; s=20120113; - h=from:to:cc:subject:date:message-id; - bh=DRveULH9ZaYYXMJRsSw3WWLRMs5ifsnU9G+VUu1PKtk=; - b=oCDYfvF1KXEUN6PZU0jit8kMHSKTzIWcR078uMTxLpTjheGcoLWW0efoqsO4Dac3jp - +4dHm3NSdeqk4e+aCjnvZw7He+nMGmbWhrf1vx49XCOE4s+YvC/AgSI78pku8BQE/plZ - w8F+64e+wNze1FfRAxPPM/PoLdBiuBfvUL18htMmYi/rgq0VRkNk2UwbzvGk5AJE+vwL - esavQLjvCuJZTc7i2J9Us53dUcY4aQuYlESFvOUlbDnkkgm5Htrsnyd2Eq7k61/hr0MR - /nIFNBXuhIadU5bvf6jpMT+toIK+PA176Yt9eyEgdOAxNXdn5g15mO93/WEyXf7idBfk - JLZA== -X-Received: by 10.68.232.132 with SMTP id to4mr7840579pbc.141.1381214691006; - Mon, 07 Oct 2013 23:44:51 -0700 (PDT) -Received: from turiel.redhat.com (124-148-32-6.dyn.iinet.net.au. [124.148.32.6]) - by mx.google.com with ESMTPSA id j9sm44764711paj.18.1969.12.31.16.00.00 - (version=TLSv1.2 cipher=ECDHE-RSA-RC4-SHA bits=128/128); - Mon, 07 Oct 2013 23:44:50 -0700 (PDT) -From: Ben Skeggs -To: stable@vger.kernel.org -Cc: Ben Skeggs -Subject: [PATCH] drm/nouveau/bios/init: stub opcode 0xaa -Date: Tue, 8 Oct 2013 16:45:08 +1000 -Message-Id: <1381214708-2990-1-git-send-email-skeggsb@gmail.com> -X-Mailer: git-send-email 1.8.3.2 -Sender: stable-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: stable@vger.kernel.org - -From: Ben Skeggs - -Seen on a large number of recent boards, when triggered results in -nouveau aborting the card cold boot, giving unpredictable results -(oopses in the reported cases) later. - -commit 5495e39fb3695182b9f2a72fe4169056cada37a1 upstream - -Signed-off-by: Ben Skeggs ---- - drivers/gpu/drm/nouveau/core/subdev/bios/init.c | 19 +++++++++++++++++-- - 1 file changed, 17 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -index 0687e64..8f06cca 100644 ---- a/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -+++ b/drivers/gpu/drm/nouveau/core/subdev/bios/init.c -@@ -579,8 +579,22 @@ static void - init_reserved(struct nvbios_init *init) - { - u8 opcode = nv_ro08(init->bios, init->offset); -- trace("RESERVED\t0x%02x\n", opcode); -- init->offset += 1; -+ u8 length, i; -+ -+ switch (opcode) { -+ case 0xaa: -+ length = 4; -+ break; -+ default: -+ length = 1; -+ break; -+ } -+ -+ trace("RESERVED 0x%02x\t", opcode); -+ for (i = 1; i < length; i++) -+ cont(" 0x%02x", nv_ro08(init->bios, init->offset + i)); -+ cont("\n"); -+ init->offset += length; - } - - /** -@@ -2135,6 +2149,7 @@ static struct nvbios_init_opcode { - [0x99] = { init_zm_auxch }, - [0x9a] = { init_i2c_long_if }, - [0xa9] = { init_gpio_ne }, -+ [0xaa] = { init_reserved }, - }; - - #define init_opcode_nr (sizeof(init_opcode) / sizeof(init_opcode[0])) --- -1.8.3.2 - --- -To unsubscribe from this list: send the line "unsubscribe stable" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch b/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch deleted file mode 100644 index 9310e05a7..000000000 --- a/ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch +++ /dev/null @@ -1,123 +0,0 @@ -From 2811ebac2521ceac84f2bdae402455baa6a7fb47 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Sat, 21 Sep 2013 06:27:00 +0200 -Subject: [PATCH] ipv6: udp packets following an UFO enqueued packet need also - be handled by UFO - -In the following scenario the socket is corked: -If the first UDP packet is larger then the mtu we try to append it to the -write queue via ip6_ufo_append_data. A following packet, which is smaller -than the mtu would be appended to the already queued up gso-skb via -plain ip6_append_data. This causes random memory corruptions. - -In ip6_ufo_append_data we also have to be careful to not queue up the -same skb multiple times. So setup the gso frame only when no first skb -is available. - -This also fixes a shortcoming where we add the current packet's length to -cork->length but return early because of a packet > mtu with dontfrag set -(instead of sutracting it again). - -Found with trinity. - -Cc: YOSHIFUJI Hideaki -Signed-off-by: Hannes Frederic Sowa -Reported-by: Dmitry Vyukov -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_output.c | 53 +++++++++++++++++++++------------------------------ - 1 file changed, 22 insertions(+), 31 deletions(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 3a692d5..a54c45c 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1015,6 +1015,8 @@ static inline int ip6_ufo_append_data(struct sock *sk, - * udp datagram - */ - if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) { -+ struct frag_hdr fhdr; -+ - skb = sock_alloc_send_skb(sk, - hh_len + fragheaderlen + transhdrlen + 20, - (flags & MSG_DONTWAIT), &err); -@@ -1036,12 +1038,6 @@ static inline int ip6_ufo_append_data(struct sock *sk, - skb->protocol = htons(ETH_P_IPV6); - skb->ip_summed = CHECKSUM_PARTIAL; - skb->csum = 0; -- } -- -- err = skb_append_datato_frags(sk,skb, getfrag, from, -- (length - transhdrlen)); -- if (!err) { -- struct frag_hdr fhdr; - - /* Specify the length of each IPv6 datagram fragment. - * It has to be a multiple of 8. -@@ -1052,15 +1048,10 @@ static inline int ip6_ufo_append_data(struct sock *sk, - ipv6_select_ident(&fhdr, rt); - skb_shinfo(skb)->ip6_frag_id = fhdr.identification; - __skb_queue_tail(&sk->sk_write_queue, skb); -- -- return 0; - } -- /* There is not enough support do UPD LSO, -- * so follow normal path -- */ -- kfree_skb(skb); - -- return err; -+ return skb_append_datato_frags(sk, skb, getfrag, from, -+ (length - transhdrlen)); - } - - static inline struct ipv6_opt_hdr *ip6_opt_dup(struct ipv6_opt_hdr *src, -@@ -1227,27 +1218,27 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - * --yoshfuji - */ - -- cork->length += length; -- if (length > mtu) { -- int proto = sk->sk_protocol; -- if (dontfrag && (proto == IPPROTO_UDP || proto == IPPROTO_RAW)){ -- ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -- return -EMSGSIZE; -- } -- -- if (proto == IPPROTO_UDP && -- (rt->dst.dev->features & NETIF_F_UFO)) { -+ if ((length > mtu) && dontfrag && (sk->sk_protocol == IPPROTO_UDP || -+ sk->sk_protocol == IPPROTO_RAW)) { -+ ipv6_local_rxpmtu(sk, fl6, mtu-exthdrlen); -+ return -EMSGSIZE; -+ } - -- err = ip6_ufo_append_data(sk, getfrag, from, length, -- hh_len, fragheaderlen, -- transhdrlen, mtu, flags, rt); -- if (err) -- goto error; -- return 0; -- } -+ skb = skb_peek_tail(&sk->sk_write_queue); -+ cork->length += length; -+ if (((length > mtu) || -+ (skb && skb_is_gso(skb))) && -+ (sk->sk_protocol == IPPROTO_UDP) && -+ (rt->dst.dev->features & NETIF_F_UFO)) { -+ err = ip6_ufo_append_data(sk, getfrag, from, length, -+ hh_len, fragheaderlen, -+ transhdrlen, mtu, flags, rt); -+ if (err) -+ goto error; -+ return 0; - } - -- if ((skb = skb_peek_tail(&sk->sk_write_queue)) == NULL) -+ if (!skb) - goto alloc_new_skb; - - while (length > 0) { --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index 069371126..ec6f0925b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 4 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -717,9 +717,6 @@ Patch22010: debug-idle-sched-warn-once.patch #rhbz 927469 Patch23006: fix-child-thread-introspection.patch -#CVE-2013-2147 rhbz 971242 971249 -Patch25032: cve-2013-2147-ciss-info-leak.patch - Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 977040 @@ -729,18 +726,9 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4343 rhbz 1007733 1007741 -Patch25101: tuntap-correctly-handle-error-in-tun_set_iff.patch - -#CVE-2013-4350 rhbz 1007872 1007903 -Patch25102: net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch - #CVE-2013-4345 rhbz 1007690 1009136 Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch -#rhbz 1008323 -Patch25120: skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch - #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch @@ -757,21 +745,12 @@ Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 974072 Patch25117: rt2800-add-support-for-rf3070.patch -#rhbz 1005567 -Patch25118: bonding-driver-promisc.patch - -#CVE-2013-4387 rhbz 1011927 1015166 -Patch25121: ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch - #rhbz 1015989 Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch -#rhbz 1015920 -Patch25124: drm-nouveau-bios-init-stub-opcode-0xaa.patch - #rhbz 998732 Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch @@ -1450,9 +1429,6 @@ ApplyPatch ath9k_rx_dma_stop_check.patch #rhbz 927469 ApplyPatch fix-child-thread-introspection.patch -#CVE-2013-2147 rhbz 971242 971249 -ApplyPatch cve-2013-2147-ciss-info-leak.patch - ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch #rhbz 977040 @@ -1462,12 +1438,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4343 rhbz 1007733 1007741 -ApplyPatch tuntap-correctly-handle-error-in-tun_set_iff.patch - -#CVE-2013-4350 rhbz 1007872 1007903 -ApplyPatch net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch - #CVE-2013-4345 rhbz 1007690 1009136 ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch @@ -1480,9 +1450,6 @@ ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch #rhbz 971893 ApplyPatch bonding-driver-alb-learning.patch -#rhbz 1008323 -ApplyPatch skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch - #rhbz 902012 ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch @@ -1490,21 +1457,12 @@ ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch #rhbz 974072 ApplyPatch rt2800-add-support-for-rf3070.patch -#rhbz 1005567 -ApplyPatch bonding-driver-promisc.patch - -#CVE-2013-4387 rhbz 1011927 1015166 -ApplyPatch ipv6-udp-packets-following-an-UFO-enqueued-packet-ne.patch - #rhbz 1015989 ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch #rhbz 982153 ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch -#rhbz 1015920 -ApplyPatch drm-nouveau-bios-init-stub-opcode-0xaa.patch - #rhbz 998732 ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch @@ -2330,6 +2288,9 @@ fi # and build. %changelog +* Mon Oct 14 2013 Justin M. Forbes - 3.11.5-200 +- Linux v3.11.5 + * Fri Oct 11 2013 Josh Boyer - Fix segfault in cpupower set (rhbz 1000439) diff --git a/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch b/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch deleted file mode 100644 index 671ee98db..000000000 --- a/net-sctp-fix-ipv6-ipsec-encryption-bug-in-sctp_v6_xmit.patch +++ /dev/null @@ -1,186 +0,0 @@ -From 95ee62083cb6453e056562d91f597552021e6ae7 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Wed, 11 Sep 2013 14:58:36 +0000 -Subject: net: sctp: fix ipv6 ipsec encryption bug in sctp_v6_xmit - -Alan Chester reported an issue with IPv6 on SCTP that IPsec traffic is not -being encrypted, whereas on IPv4 it is. Setting up an AH + ESP transport -does not seem to have the desired effect: - -SCTP + IPv4: - - 22:14:20.809645 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 116) - 192.168.0.2 > 192.168.0.5: AH(spi=0x00000042,sumlen=16,seq=0x1): ESP(spi=0x00000044,seq=0x1), length 72 - 22:14:20.813270 IP (tos 0x2,ECT(0), ttl 64, id 0, offset 0, flags [DF], proto AH (51), length 340) - 192.168.0.5 > 192.168.0.2: AH(spi=0x00000043,sumlen=16,seq=0x1): - -SCTP + IPv6: - - 22:31:19.215029 IP6 (class 0x02, hlim 64, next-header SCTP (132) payload length: 364) - fe80::222:15ff:fe87:7fc.3333 > fe80::92e6:baff:fe0d:5a54.36767: sctp - 1) [INIT ACK] [init tag: 747759530] [rwnd: 62464] [OS: 10] [MIS: 10] - -Moreover, Alan says: - - This problem was seen with both Racoon and Racoon2. Other people have seen - this with OpenSwan. When IPsec is configured to encrypt all upper layer - protocols the SCTP connection does not initialize. After using Wireshark to - follow packets, this is because the SCTP packet leaves Box A unencrypted and - Box B believes all upper layer protocols are to be encrypted so it drops - this packet, causing the SCTP connection to fail to initialize. When IPsec - is configured to encrypt just SCTP, the SCTP packets are observed unencrypted. - -In fact, using `socat sctp6-listen:3333 -` on one end and transferring "plaintext" -string on the other end, results in cleartext on the wire where SCTP eventually -does not report any errors, thus in the latter case that Alan reports, the -non-paranoid user might think he's communicating over an encrypted transport on -SCTP although he's not (tcpdump ... -X): - - ... - 0x0030: 5d70 8e1a 0003 001a 177d eb6c 0000 0000 ]p.......}.l.... - 0x0040: 0000 0000 706c 6169 6e74 6578 740a 0000 ....plaintext... - -Only in /proc/net/xfrm_stat we can see XfrmInTmplMismatch increasing on the -receiver side. Initial follow-up analysis from Alan's bug report was done by -Alexey Dobriyan. Also thanks to Vlad Yasevich for feedback on this. - -SCTP has its own implementation of sctp_v6_xmit() not calling inet6_csk_xmit(). -This has the implication that it probably never really got updated along with -changes in inet6_csk_xmit() and therefore does not seem to invoke xfrm handlers. - -SCTP's IPv4 xmit however, properly calls ip_queue_xmit() to do the work. Since -a call to inet6_csk_xmit() would solve this problem, but result in unecessary -route lookups, let us just use the cached flowi6 instead that we got through -sctp_v6_get_dst(). Since all SCTP packets are being sent through sctp_packet_transmit(), -we do the route lookup / flow caching in sctp_transport_route(), hold it in -tp->dst and skb_dst_set() right after that. If we would alter fl6->daddr in -sctp_v6_xmit() to np->opt->srcrt, we possibly could run into the same effect -of not having xfrm layer pick it up, hence, use fl6_update_dst() in sctp_v6_get_dst() -instead to get the correct source routed dst entry, which we assign to the skb. - -Also source address routing example from 625034113 ("sctp: fix sctp to work with -ipv6 source address routing") still works with this patch! Nevertheless, in RFC5095 -it is actually 'recommended' to not use that anyway due to traffic amplification [1]. -So it seems we're not supposed to do that anyway in sctp_v6_xmit(). Moreover, if -we overwrite the flow destination here, the lower IPv6 layer will be unable to -put the correct destination address into IP header, as routing header is added in -ipv6_push_nfrag_opts() but then probably with wrong final destination. Things aside, -result of this patch is that we do not have any XfrmInTmplMismatch increase plus on -the wire with this patch it now looks like: - -SCTP + IPv6: - - 08:17:47.074080 IP6 2620:52:0:102f:7a2b:cbff:fe27:1b0a > 2620:52:0:102f:213:72ff:fe32:7eba: - AH(spi=0x00005fb4,seq=0x1): ESP(spi=0x00005fb5,seq=0x1), length 72 - 08:17:47.074264 IP6 2620:52:0:102f:213:72ff:fe32:7eba > 2620:52:0:102f:7a2b:cbff:fe27:1b0a: - AH(spi=0x00003d54,seq=0x1): ESP(spi=0x00003d55,seq=0x1), length 296 - -This fixes Kernel Bugzilla 24412. This security issue seems to be present since -2.6.18 kernels. Lets just hope some big passive adversary in the wild didn't have -its fun with that. lksctp-tools IPv6 regression test suite passes as well with -this patch. - - [1] http://www.secdev.org/conf/IPv6_RH_security-csw07.pdf - -Reported-by: Alan Chester -Reported-by: Alexey Dobriyan -Signed-off-by: Daniel Borkmann -Cc: Steffen Klassert -Cc: Hannes Frederic Sowa -Acked-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- -diff --git a/net/sctp/ipv6.c b/net/sctp/ipv6.c -index da613ce..4f52e2c 100644 ---- a/net/sctp/ipv6.c -+++ b/net/sctp/ipv6.c -@@ -204,44 +204,23 @@ out: - in6_dev_put(idev); - } - --/* Based on tcp_v6_xmit() in tcp_ipv6.c. */ - static int sctp_v6_xmit(struct sk_buff *skb, struct sctp_transport *transport) - { - struct sock *sk = skb->sk; - struct ipv6_pinfo *np = inet6_sk(sk); -- struct flowi6 fl6; -- -- memset(&fl6, 0, sizeof(fl6)); -- -- fl6.flowi6_proto = sk->sk_protocol; -- -- /* Fill in the dest address from the route entry passed with the skb -- * and the source address from the transport. -- */ -- fl6.daddr = transport->ipaddr.v6.sin6_addr; -- fl6.saddr = transport->saddr.v6.sin6_addr; -- -- fl6.flowlabel = np->flow_label; -- IP6_ECN_flow_xmit(sk, fl6.flowlabel); -- if (ipv6_addr_type(&fl6.saddr) & IPV6_ADDR_LINKLOCAL) -- fl6.flowi6_oif = transport->saddr.v6.sin6_scope_id; -- else -- fl6.flowi6_oif = sk->sk_bound_dev_if; -- -- if (np->opt && np->opt->srcrt) { -- struct rt0_hdr *rt0 = (struct rt0_hdr *) np->opt->srcrt; -- fl6.daddr = *rt0->addr; -- } -+ struct flowi6 *fl6 = &transport->fl.u.ip6; - - pr_debug("%s: skb:%p, len:%d, src:%pI6 dst:%pI6\n", __func__, skb, -- skb->len, &fl6.saddr, &fl6.daddr); -+ skb->len, &fl6->saddr, &fl6->daddr); - -- SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ IP6_ECN_flow_xmit(sk, fl6->flowlabel); - - if (!(transport->param_flags & SPP_PMTUD_ENABLE)) - skb->local_df = 1; - -- return ip6_xmit(sk, skb, &fl6, np->opt, np->tclass); -+ SCTP_INC_STATS(sock_net(sk), SCTP_MIB_OUTSCTPPACKS); -+ -+ return ip6_xmit(sk, skb, fl6, np->opt, np->tclass); - } - - /* Returns the dst cache entry for the given source and destination ip -@@ -254,10 +233,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - struct dst_entry *dst = NULL; - struct flowi6 *fl6 = &fl->u.ip6; - struct sctp_bind_addr *bp; -+ struct ipv6_pinfo *np = inet6_sk(sk); - struct sctp_sockaddr_entry *laddr; - union sctp_addr *baddr = NULL; - union sctp_addr *daddr = &t->ipaddr; - union sctp_addr dst_saddr; -+ struct in6_addr *final_p, final; - __u8 matchlen = 0; - __u8 bmatchlen; - sctp_scope_t scope; -@@ -281,7 +262,8 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - pr_debug("src=%pI6 - ", &fl6->saddr); - } - -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - if (!asoc || saddr) - goto out; - -@@ -333,10 +315,12 @@ static void sctp_v6_get_dst(struct sctp_transport *t, union sctp_addr *saddr, - } - } - rcu_read_unlock(); -+ - if (baddr) { - fl6->saddr = baddr->v6.sin6_addr; - fl6->fl6_sport = baddr->v6.sin6_port; -- dst = ip6_dst_lookup_flow(sk, fl6, NULL, false); -+ final_p = fl6_update_dst(fl6, np->opt, &final); -+ dst = ip6_dst_lookup_flow(sk, fl6, final_p, false); - } - - out: --- -cgit v0.9.2 diff --git a/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch b/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch deleted file mode 100644 index 908e0c751..000000000 --- a/skge-fix-invalid-value-passed-to-pci_unmap_sigle.patch +++ /dev/null @@ -1,61 +0,0 @@ -From 3361dc9538832a2a9150a8c722374ca844bf8dc8 Mon Sep 17 00:00:00 2001 -From: Mikulas Patocka -Date: Fri, 20 Sep 2013 17:53:22 +0000 -Subject: skge: fix invalid value passed to pci_unmap_sigle - -In my patch c194992cbe71c20bb3623a566af8d11b0bfaa721 ("skge: fix -broken driver") I didn't fix the skge bug correctly. The value of the -new mapping (not old) was passed to pci_unmap_single. - -If we enable CONFIG_DMA_API_DEBUG, it results in this warning: -WARNING: CPU: 0 PID: 0 at lib/dma-debug.c:986 check_sync+0x4c4/0x580() -skge 0000:02:07.0: DMA-API: device driver tries to sync DMA memory it has -not allocated [device address=0x000000023a0096c0] [size=1536 bytes] - -This patch makes the skge driver pass the correct value to -pci_unmap_single and fixes the warning. It copies the old descriptor to -on-stack variable "ee" and unmaps it if mapping of the new descriptor -succeeded. - -This patch should be backported to 3.11-stable. - -Signed-off-by: Mikulas Patocka -Reported-by: Francois Romieu -Tested-by: Mikulas Patocka -Signed-off-by: David S. Miller ---- -diff --git a/drivers/net/ethernet/marvell/skge.c b/drivers/net/ethernet/marvell/skge.c -index 1a9c4f6..ecc7f7b 100644 ---- a/drivers/net/ethernet/marvell/skge.c -+++ b/drivers/net/ethernet/marvell/skge.c -@@ -3086,13 +3086,16 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - PCI_DMA_FROMDEVICE); - skge_rx_reuse(e, skge->rx_buf_size); - } else { -+ struct skge_element ee; - struct sk_buff *nskb; - - nskb = netdev_alloc_skb_ip_align(dev, skge->rx_buf_size); - if (!nskb) - goto resubmit; - -- skb = e->skb; -+ ee = *e; -+ -+ skb = ee.skb; - prefetch(skb->data); - - if (skge_rx_setup(skge, e, nskb, skge->rx_buf_size) < 0) { -@@ -3101,8 +3104,8 @@ static struct sk_buff *skge_rx_get(struct net_device *dev, - } - - pci_unmap_single(skge->hw->pdev, -- dma_unmap_addr(e, mapaddr), -- dma_unmap_len(e, maplen), -+ dma_unmap_addr(&ee, mapaddr), -+ dma_unmap_len(&ee, maplen), - PCI_DMA_FROMDEVICE); - } - --- -cgit v0.9.2 diff --git a/sources b/sources index 85810a7b6..ba90d655f 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -5147e7f82600452c5438f8309c07eccd patch-3.11.4.xz +628876a432c0d4090013b383abac20e4 patch-3.11.5.xz diff --git a/tuntap-correctly-handle-error-in-tun_set_iff.patch b/tuntap-correctly-handle-error-in-tun_set_iff.patch deleted file mode 100644 index 563526765..000000000 --- a/tuntap-correctly-handle-error-in-tun_set_iff.patch +++ /dev/null @@ -1,57 +0,0 @@ -From dff4e504b2addc8053fc47712d44a21f733ef51b Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Wed, 11 Sep 2013 18:09:48 +0800 -Subject: [PATCH] tuntap: correctly handle error in tun_set_iff() - -Commit c8d68e6be1c3b242f1c598595830890b65cea64a -(tuntap: multiqueue support) only call free_netdev() on error in -tun_set_iff(). This causes several issues: - -- memory of tun security were leaked -- use after free since the flow gc timer was not deleted and the tfile - were not detached - -This patch solves the above issues. - -Reported-by: Wannes Rombouts -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang ---- - drivers/net/tun.c | 11 ++++++++--- - 1 file changed, 8 insertions(+), 3 deletions(-) - -diff --git a/drivers/net/tun.c b/drivers/net/tun.c -index 71af122..68b9aa3 100644 ---- a/drivers/net/tun.c -+++ b/drivers/net/tun.c -@@ -1691,11 +1691,11 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - INIT_LIST_HEAD(&tun->disabled); - err = tun_attach(tun, file); - if (err < 0) -- goto err_free_dev; -+ goto err_free_flow; - - err = register_netdevice(tun->dev); - if (err < 0) -- goto err_free_dev; -+ goto err_detach; - - if (device_create_file(&tun->dev->dev, &dev_attr_tun_flags) || - device_create_file(&tun->dev->dev, &dev_attr_owner) || -@@ -1739,7 +1739,12 @@ static int tun_set_iff(struct net *net, struct file *file, struct ifreq *ifr) - strcpy(ifr->ifr_name, tun->dev->name); - return 0; - -- err_free_dev: -+err_detach: -+ tun_detach_all(dev); -+err_free_flow: -+ tun_flow_uninit(tun); -+ security_tun_dev_free_security(tun->security); -+err_free_dev: - free_netdev(dev); - return err; - } --- -1.8.3.1 - From 9bb17f8197a020c5d56bd44b0405ed1f9ece890b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 15 Oct 2013 11:50:58 -0400 Subject: [PATCH 244/468] Fix regression in radeon sound (rhbz 1010679) --- fix-radeon-sound.patch | 154 +++++++++++++++++++++++++++++++++++++++++ kernel.spec | 9 +++ 2 files changed, 163 insertions(+) create mode 100644 fix-radeon-sound.patch diff --git a/fix-radeon-sound.patch b/fix-radeon-sound.patch new file mode 100644 index 000000000..6e59256bb --- /dev/null +++ b/fix-radeon-sound.patch @@ -0,0 +1,154 @@ +From 062c2e4363451d49ef840232fe65e8bff0dde2a5 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 27 Sep 2013 18:09:54 -0400 +Subject: [PATCH 1/4] drm/radeon: use 64-bit math to calculate CTS values for + audio (v2) + +Avoid losing precision. See bug: +https://bugs.freedesktop.org/show_bug.cgi?id=69675 + +v2: fix math as per Anssi's comments. + +Signed-off-by: Alex Deucher +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index b0fa600..49043a5 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -75,8 +75,15 @@ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { + */ + static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq) + { +- if (*CTS == 0) +- *CTS = clock * N / (128 * freq) * 1000; ++ u64 n; ++ u32 d; ++ ++ if (*CTS == 0) { ++ n = (u64)clock * (u64)N * 1000ULL; ++ d = 128 * freq; ++ do_div(n, d); ++ *CTS = n; ++ } + DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n", + N, *CTS, freq); + } +-- +1.8.3.1 + + +From e7d12c2f98ae1e68c7298e5028048d150fa553a1 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 27 Sep 2013 18:19:42 -0400 +Subject: [PATCH 2/4] drm/radeon: fix N/CTS clock matching for audio + +The drm code that calculates the 1001 clocks rounds up +rather than truncating. This allows the table to match +properly on those modes. + +See bug: +https://bugs.freedesktop.org/show_bug.cgi?id=69675 + +Signed-off-by: Alex Deucher +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index 49043a5..567703f 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -57,15 +57,15 @@ enum r600_hdmi_iec_status_bits { + static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { + /* 32kHz 44.1kHz 48kHz */ + /* Clock N CTS N CTS N CTS */ +- { 25174, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ ++ { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ + { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */ + { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */ + { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */ + { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */ + { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */ +- { 74175, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ ++ { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ + { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ +- { 148351, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ ++ { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ + { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ + { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ + }; +-- +1.8.3.1 + + +From ee0fec312a1c4e26f255955da942562cd8908a4b Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 27 Sep 2013 18:22:15 -0400 +Subject: [PATCH 3/4] drm/radeon: use hw generated CTS/N values for audio + +Use the hw generated values rather than calculating +them in the driver. There may be some older r6xx +asics where this doesn't work correctly. This remains +to be seen. + +See bug: +https://bugs.freedesktop.org/show_bug.cgi?id=69675 + +Signed-off-by: Alex Deucher +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index 567703f..e2ae1c2 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -451,8 +451,7 @@ void r600_hdmi_setmode(struct drm_encoder *encoder, struct drm_display_mode *mod + } + + WREG32(HDMI0_ACR_PACKET_CONTROL + offset, +- HDMI0_ACR_AUTO_SEND | /* allow hw to sent ACR packets when required */ +- HDMI0_ACR_SOURCE); /* select SW CTS value */ ++ HDMI0_ACR_AUTO_SEND); /* allow hw to sent ACR packets when required */ + + WREG32(HDMI0_VBI_PACKET_CONTROL + offset, + HDMI0_NULL_SEND | /* send null packets when required */ +-- +1.8.3.1 + + +From b852c985010a77c850b7548d64bbb964ca462b02 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Thu, 10 Oct 2013 11:47:01 -0400 +Subject: [PATCH 4/4] drm/radeon: re-enable sw ACR support on pre-DCE4 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +HW ACR support may have issues on some older chips, so +use SW ACR for now until we've tested further. + +Signed-off-by: Alex Deucher +CC: Rafał Miłecki +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index e2ae1c2..5b72931 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -451,6 +451,7 @@ void r600_hdmi_setmode(struct drm_encoder *encoder, struct drm_display_mode *mod + } + + WREG32(HDMI0_ACR_PACKET_CONTROL + offset, ++ HDMI0_ACR_SOURCE | /* select SW CTS value - XXX verify that hw CTS works on all families */ + HDMI0_ACR_AUTO_SEND); /* allow hw to sent ACR packets when required */ + + WREG32(HDMI0_VBI_PACKET_CONTROL + offset, +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index ec6f0925b..c83454af0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -764,6 +764,9 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch +#rhbz 1010679 +Patch25130: fix-radeon-sound.patch + # END OF PATCH DEFINITIONS %endif @@ -1476,6 +1479,9 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch +#rhbz 1010679 +ApplyPatch fix-radeon-sound.patch + # END OF PATCH APPLICATIONS %endif @@ -2288,6 +2294,9 @@ fi # and build. %changelog +* Tue Oct 15 2013 Josh Boyer +- Fix regression in radeon sound (rhbz 1010679) + * Mon Oct 14 2013 Justin M. Forbes - 3.11.5-200 - Linux v3.11.5 From 42ae5788199cf1c02c0fc97963a24f935bb7cdaf Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 16 Oct 2013 13:50:26 -0400 Subject: [PATCH 245/468] Fix btrfs balance/scrub issue (rhbz 1011714) --- ...ate-csums-properly-with-prealloc-ext.patch | 60 +++++++++++++++++++ kernel.spec | 11 +++- 2 files changed, 70 insertions(+), 1 deletion(-) create mode 100644 btrfs-relocate-csums-properly-with-prealloc-ext.patch diff --git a/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/btrfs-relocate-csums-properly-with-prealloc-ext.patch new file mode 100644 index 000000000..e103f703a --- /dev/null +++ b/btrfs-relocate-csums-properly-with-prealloc-ext.patch @@ -0,0 +1,60 @@ +A user reported a problem where they were getting csum errors when running a +balance and running systemd's journal. This is because systemd is awesome and +fallocate()'s its log space and writes into it. Unfortunately we assume that +when we read in all the csums for an extent that they are sequential starting at +the bytenr we care about. This obviously isn't the case for prealloc extents, +where we could have written to the middle of the prealloc extent only, which +means the csum would be for the bytenr in the middle of our range and not the +front of our range. Fix this by offsetting the new bytenr we are logging to +based on the original bytenr the csum was for. With this patch I no longer see +the csum errors I was seeing. Thanks, + +Cc: stable@xxxxxxxxxxxxxxx +Reported-by: Chris Murphy +Signed-off-by: Josef Bacik +--- + fs/btrfs/relocation.c | 18 +++++++++++++++--- + 1 file changed, 15 insertions(+), 3 deletions(-) + +diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c +index 5ca7ea9..b7afeaa 100644 +--- a/fs/btrfs/relocation.c ++++ b/fs/btrfs/relocation.c +@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) + struct btrfs_root *root = BTRFS_I(inode)->root; + int ret; + u64 disk_bytenr; ++ u64 new_bytenr; + LIST_HEAD(list); + + ordered = btrfs_lookup_ordered_extent(inode, file_pos); +@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) + if (ret) + goto out; + +- disk_bytenr = ordered->start; + while (!list_empty(&list)) { + sums = list_entry(list.next, struct btrfs_ordered_sum, list); + list_del_init(&sums->list); + +- sums->bytenr = disk_bytenr; +- disk_bytenr += sums->len; ++ /* ++ * We need to offset the new_bytenr based on where the csum is. ++ * We need to do this because we will read in entire prealloc ++ * extents but we may have written to say the middle of the ++ * prealloc extent, so we need to make sure the csum goes with ++ * the right disk offset. ++ * ++ * We can do this because the data reloc inode refers strictly ++ * to the on disk bytes, so we don't have to worry about ++ * disk_len vs real len like with real inodes since it's all ++ * disk length. ++ */ ++ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr); ++ sums->bytenr = new_bytenr; + + btrfs_add_ordered_sum(inode, ordered, sums); + } +-- +1.8.3.1 diff --git a/kernel.spec b/kernel.spec index c83454af0..57b9ed93b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -767,6 +767,9 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 Patch25130: fix-radeon-sound.patch +#rhbz 1011714 +Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch + # END OF PATCH DEFINITIONS %endif @@ -1482,6 +1485,9 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 ApplyPatch fix-radeon-sound.patch +#rhbz 1011714 +ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch + # END OF PATCH APPLICATIONS %endif @@ -2294,6 +2300,9 @@ fi # and build. %changelog +* Wed Oct 16 2013 Josh Boyer +- Fix btrfs balance/scrub issue (rhbz 1011714) + * Tue Oct 15 2013 Josh Boyer - Fix regression in radeon sound (rhbz 1010679) From f3dc8d3b717c968e909e4b318809d51fe468d546 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 17 Oct 2013 08:12:25 -0400 Subject: [PATCH 246/468] Fix rt2800usb polling timeouts and throughput issues (rhbz 984696) --- kernel.spec | 9 ++++ rt2800usb-slow-down-TX-status-polling.patch | 53 +++++++++++++++++++++ 2 files changed, 62 insertions(+) create mode 100644 rt2800usb-slow-down-TX-status-polling.patch diff --git a/kernel.spec b/kernel.spec index 57b9ed93b..413ce8828 100644 --- a/kernel.spec +++ b/kernel.spec @@ -770,6 +770,9 @@ Patch25130: fix-radeon-sound.patch #rhbz 1011714 Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch +#rhbz 984696 +Patch25132: rt2800usb-slow-down-TX-status-polling.patch + # END OF PATCH DEFINITIONS %endif @@ -1488,6 +1491,9 @@ ApplyPatch fix-radeon-sound.patch #rhbz 1011714 ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch +#rhbz 984696 +ApplyPatch rt2800usb-slow-down-TX-status-polling.patch + # END OF PATCH APPLICATIONS %endif @@ -2300,6 +2306,9 @@ fi # and build. %changelog +* Thu Oct 17 2013 Josh Boyer +- Fix rt2800usb polling timeouts and throughput issues (rhbz 984696) + * Wed Oct 16 2013 Josh Boyer - Fix btrfs balance/scrub issue (rhbz 1011714) diff --git a/rt2800usb-slow-down-TX-status-polling.patch b/rt2800usb-slow-down-TX-status-polling.patch new file mode 100644 index 000000000..a76f9b847 --- /dev/null +++ b/rt2800usb-slow-down-TX-status-polling.patch @@ -0,0 +1,53 @@ +Polling TX statuses too frequently has two negative effects. First is +randomly peek CPU usage, causing overall system functioning delays. +Second bad effect is that device is not able to fill TX statuses in +H/W register on some workloads and we get lot of timeouts like below: + +ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 +ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 +ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping + +This not only cause flood of messages in dmesg, but also bad throughput, +since rate scaling algorithm can not work optimally. + +In the future, we should probably make polling interval be adjusted +automatically, but for now just increase values, this make mentioned +problems gone. + +Resolve: +https://bugzilla.kernel.org/show_bug.cgi?id=62781 + +Cc: stable@vger.kernel.org +Signed-off-by: Stanislaw Gruszka +--- + drivers/net/wireless/rt2x00/rt2800usb.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c +index 96677ce5..e095e61 100644 +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -176,8 +176,8 @@ static bool rt2800usb_tx_sta_fifo_read_completed(struct rt2x00_dev *rt2x00dev, + queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work); + + if (rt2800usb_txstatus_pending(rt2x00dev)) { +- /* Read register after 250 us */ +- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 250000), ++ /* Read register after 1 ms */ ++ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 1000000), + HRTIMER_MODE_REL); + return false; + } +@@ -202,8 +202,8 @@ static void rt2800usb_async_read_tx_status(struct rt2x00_dev *rt2x00dev) + if (test_and_set_bit(TX_STATUS_READING, &rt2x00dev->flags)) + return; + +- /* Read TX_STA_FIFO register after 500 us */ +- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 500000), ++ /* Read TX_STA_FIFO register after 2 ms */ ++ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 2000000), + HRTIMER_MODE_REL); + } + +-- +1.8.3.1 From 8663ad49b04a31ef179dd4ac50ad8bfebec05bfa Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 17 Oct 2013 10:16:07 -0400 Subject: [PATCH 247/468] Add patch to fix BusLogic error (rhbz 1015558) --- fix-buslogic.patch | 121 +++++++++++++++++++++++++++++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 128 insertions(+) create mode 100644 fix-buslogic.patch diff --git a/fix-buslogic.patch b/fix-buslogic.patch new file mode 100644 index 000000000..0862d00aa --- /dev/null +++ b/fix-buslogic.patch @@ -0,0 +1,121 @@ +This fixes an oops caused by buslogic driver when initializing a BusLogic +MultiMaster adapter. Initialization code used scope of a variable +incorrectly which created a NULL pointer. Oops message is below: + +BUG: unable to handle kernel NULL pointer dereference at 0000000c +IP: [] blogic_init_mm_probeinfo.isra.17+0x20a/0x583 +*pde = 00000000 +Oops: 002 [#1] PREEMPT SMP +Modules linked in: +CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.11.1.puz1 #1 +Hardware name: /Canterwood, BIOS 6.00 PG 05/16/2003 +task: f7050000 ti: f7054000 task.ti: f7054000 +EIP: 0060:[] EFLAGS: 00010246 CPU:1 +EIP is at blogic_init_mm_probeinfo.isra.17+0x20a/0x583 +EAX: 00000013 EBX: 00000000 ECX: 00000000 EDX: f8001000 +ESI: f71cb800 EDI: f7388000 EBP: 00007800 ESP: f7055c84 + DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 +CR0: 8005003b CR2: 0000000c CR3: 0154f000 CR4: 000007d0 +Stack: + 0000001c 00000000 c11a59f6 f7055c98 00008130 ffffffff ffffffff 00000000 + 00000003 00000000 00000000 00000000 00000013 f8001000 00000001 000003d0 + 00000000 00000000 00000000 c14e3f84 f78803c8 00000000 f738c000 000000e9 +Call Trace: + [] ? pci_get_subsys+0x33/0x38 + [] ? blogic_init_probeinfo_list+0x4b/0x19e + [] ? __alloc_pages_nodemask+0xe3/0x623 + [] ? __alloc_pages_nodemask+0xe3/0x623 + [] ? sysfs_link_sibling+0x61/0x8d + [] ? kmem_cache_alloc+0x8b/0xb5 + [] ? blogic_init+0xa1/0x10e8 + [] ? sysfs_add_one+0x10/0x9d + [] ? sysfs_addrm_finish+0x12/0x85 + [] ? sysfs_do_create_link_sd+0x9d/0x1b4 + [] ? blk_register_queue+0x69/0xb3 + [] ? sysfs_create_link+0x1a/0x2c + [] ? add_disk+0x1a1/0x3c7 + [] ? klist_next+0x60/0xc3 + [] ? scsi_dh_detach+0x68/0x68 + [] ? bus_for_each_dev+0x51/0x61 + [] ? do_one_initcall+0x22/0x12c + [] ? __proc_create+0x8c/0xba + [] ? blogic_setup+0x5f6/0x5f6 + [] ? repair_env_string+0xf/0x4d + [] ? do_early_param+0x71/0x71 + [] ? parse_args+0x21f/0x33d + [] ? kernel_init_freeable+0xdf/0x17d + [] ? do_early_param+0x71/0x71 + [] ? kernel_init+0x8/0xc0 + [] ? ret_from_kernel_thread+0x6/0x28 + [] ? ret_from_kernel_thread+0x1b/0x28 + [] ? rest_init+0x6c/0x6c +Code: 89 44 24 10 0f b6 44 24 3d 89 44 24 0c c7 44 24 08 00 00 00 00 c7 44 24 04 38 62 46 c1 c7 04 24 02 00 00 00 e8 78 13 d2 ff 31 db <89> 6b 0c b0 20 89 ea ee + c7 44 24 08 04 00 00 00 8d 44 24 4c 89 +EIP: [] blogic_init_mm_probeinfo.isra.17+0x20a/0x583 SS:ESP 0068:f7055c84 +CR2: 000000000000000c +---[ end trace 17f45f5196d40487 ]--- +Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 + +Signed-off-by: Khalid Aziz +Cc: # 3.11.x +Cc: Khalid Aziz +Reported-by: Pierre Uszynski +Tested-by: Pierre Uszynski +--- + drivers/scsi/BusLogic.c | 16 ++++++++-------- + 1 file changed, 8 insertions(+), 8 deletions(-) + +diff --git a/drivers/scsi/BusLogic.c b/drivers/scsi/BusLogic.c +index feab3a5..757eb07 100644 +--- a/drivers/scsi/BusLogic.c ++++ b/drivers/scsi/BusLogic.c +@@ -696,7 +696,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) + while ((pci_device = pci_get_device(PCI_VENDOR_ID_BUSLOGIC, + PCI_DEVICE_ID_BUSLOGIC_MULTIMASTER, + pci_device)) != NULL) { +- struct blogic_adapter *adapter = adapter; ++ struct blogic_adapter *host_adapter = adapter; + struct blogic_adapter_info adapter_info; + enum blogic_isa_ioport mod_ioaddr_req; + unsigned char bus; +@@ -744,9 +744,9 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) + known and enabled, note that the particular Standard ISA I/O + Address should not be probed. + */ +- adapter->io_addr = io_addr; +- blogic_intreset(adapter); +- if (blogic_cmd(adapter, BLOGIC_INQ_PCI_INFO, NULL, 0, ++ host_adapter->io_addr = io_addr; ++ blogic_intreset(host_adapter); ++ if (blogic_cmd(host_adapter, BLOGIC_INQ_PCI_INFO, NULL, 0, + &adapter_info, sizeof(adapter_info)) == + sizeof(adapter_info)) { + if (adapter_info.isa_port < 6) +@@ -762,7 +762,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) + I/O Address assigned at system initialization. + */ + mod_ioaddr_req = BLOGIC_IO_DISABLE; +- blogic_cmd(adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req, ++ blogic_cmd(host_adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req, + sizeof(mod_ioaddr_req), NULL, 0); + /* + For the first MultiMaster Host Adapter enumerated, +@@ -779,12 +779,12 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) + + fetch_localram.offset = BLOGIC_AUTOSCSI_BASE + 45; + fetch_localram.count = sizeof(autoscsi_byte45); +- blogic_cmd(adapter, BLOGIC_FETCH_LOCALRAM, ++ blogic_cmd(host_adapter, BLOGIC_FETCH_LOCALRAM, + &fetch_localram, sizeof(fetch_localram), + &autoscsi_byte45, + sizeof(autoscsi_byte45)); +- blogic_cmd(adapter, BLOGIC_GET_BOARD_ID, NULL, 0, &id, +- sizeof(id)); ++ blogic_cmd(host_adapter, BLOGIC_GET_BOARD_ID, NULL, 0, ++ &id, sizeof(id)); + if (id.fw_ver_digit1 == '5') + force_scan_order = + autoscsi_byte45.force_scan_order; +-- +1.7.10.4 + diff --git a/kernel.spec b/kernel.spec index 413ce8828..a361b57fb 100644 --- a/kernel.spec +++ b/kernel.spec @@ -773,6 +773,9 @@ Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch #rhbz 984696 Patch25132: rt2800usb-slow-down-TX-status-polling.patch +#rhbz 1015558 +Patch25133: fix-buslogic.patch + # END OF PATCH DEFINITIONS %endif @@ -1494,6 +1497,9 @@ ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch #rhbz 984696 ApplyPatch rt2800usb-slow-down-TX-status-polling.patch +#rhbz 1015558 +ApplyPatch fix-buslogic.patch + # END OF PATCH APPLICATIONS %endif @@ -2307,6 +2313,7 @@ fi %changelog * Thu Oct 17 2013 Josh Boyer +- Add patch to fix BusLogic error (rhbz 1015558) - Fix rt2800usb polling timeouts and throughput issues (rhbz 984696) * Wed Oct 16 2013 Josh Boyer From 2e7393942fd10f3baa489e09830b7b2b81ace681 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Fri, 18 Oct 2013 17:12:38 -0500 Subject: [PATCH 248/468] Linux v3.11.6 --- kernel.spec | 7 +++++-- sources | 2 +- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index a361b57fb..300bf8007 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 5 +%define stable_update 6 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -2312,6 +2312,9 @@ fi # and build. %changelog +* Fri Oct 18 2013 Justin M. Forbes - 3.11.6-200 +- Linux v3.11.6 + * Thu Oct 17 2013 Josh Boyer - Add patch to fix BusLogic error (rhbz 1015558) - Fix rt2800usb polling timeouts and throughput issues (rhbz 984696) diff --git a/sources b/sources index ba90d655f..91571dae8 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -628876a432c0d4090013b383abac20e4 patch-3.11.5.xz +c44ebb225fe9956b636b79ab6b61aa42 patch-3.11.6.xz From f8286a2413a8fd780f76eaa38883c56738077199 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 22 Oct 2013 10:24:30 -0400 Subject: [PATCH 249/468] Add patch to fix warning in tcp_fastretrans_alert (rhbz 989251) --- kernel.spec | 9 ++ ...ncorrect-ca_state-in-tail-loss-probe.patch | 107 ++++++++++++++++++ 2 files changed, 116 insertions(+) create mode 100644 tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch diff --git a/kernel.spec b/kernel.spec index 300bf8007..f9c7297f0 100644 --- a/kernel.spec +++ b/kernel.spec @@ -776,6 +776,9 @@ Patch25132: rt2800usb-slow-down-TX-status-polling.patch #rhbz 1015558 Patch25133: fix-buslogic.patch +#rhbz 989251 +Patch25134: tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch + # END OF PATCH DEFINITIONS %endif @@ -1500,6 +1503,9 @@ ApplyPatch rt2800usb-slow-down-TX-status-polling.patch #rhbz 1015558 ApplyPatch fix-buslogic.patch +#rhbz 989251 +ApplyPatch tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch + # END OF PATCH APPLICATIONS %endif @@ -2312,6 +2318,9 @@ fi # and build. %changelog +* Tue Oct 22 2013 Josh Boyer +- Add patch to fix warning in tcp_fastretrans_alert (rhbz 989251) + * Fri Oct 18 2013 Justin M. Forbes - 3.11.6-200 - Linux v3.11.6 diff --git a/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch b/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch new file mode 100644 index 000000000..1a1264ffa --- /dev/null +++ b/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch @@ -0,0 +1,107 @@ +Path: news.gmane.org!not-for-mail +From: Yuchung Cheng +Newsgroups: gmane.linux.network +Subject: [PATCH net] tcp: fix incorrect ca_state in tail loss probe +Date: Sat, 12 Oct 2013 10:16:27 -0700 +Lines: 34 +Approved: news@gmane.org +Message-ID: <1381598187-9681-1-git-send-email-ycheng@google.com> +NNTP-Posting-Host: plane.gmane.org +X-Trace: ger.gmane.org 1381598242 29686 80.91.229.3 (12 Oct 2013 17:17:22 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Sat, 12 Oct 2013 17:17:22 +0000 (UTC) +Cc: netdev@vger.kernel.org, michael@sterretts.net, + jwboyer@fedoraproject.org, sesse@google.com, dormando@rydia.net, + Yuchung Cheng +To: davem@davemloft.net, ncardwell@google.com, nanditad@google.com +Original-X-From: netdev-owner@vger.kernel.org Sat Oct 12 19:17:23 2013 +Return-path: +Envelope-to: linux-netdev-2@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1VV2od-0004tp-02 + for linux-netdev-2@plane.gmane.org; Sat, 12 Oct 2013 19:17:23 +0200 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753183Ab3JLRRU (ORCPT ); + Sat, 12 Oct 2013 13:17:20 -0400 +Original-Received: from mail-pb0-f74.google.com ([209.85.160.74]:35839 "EHLO + mail-pb0-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1752493Ab3JLRRS (ORCPT + ); Sat, 12 Oct 2013 13:17:18 -0400 +Original-Received: by mail-pb0-f74.google.com with SMTP id rq2so543459pbb.1 + for ; Sat, 12 Oct 2013 10:17:18 -0700 (PDT) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=google.com; s=20120113; + h=from:to:cc:subject:date:message-id; + bh=YSBIMZEgVuqyP2cau1199a1sz5d28JA7LPPsF6w9FYQ=; + b=cCkXgePT7f0kRy+VBGvs3DZSLhVn0z7O74B7OHYpdZkQBznhNZ2b6ZGbkDqaKJXyLT + GEsq/JXCgtwpC7aGSz9dPdAZU6kondKOAmfhh54u6f2+ymcZJ4zHpoA6mWuKJ4zlTF2w + 6tRhnT+/N5RkfIfYD/mcDx97X41kRT3NKJ6bsCoiNJIO2+6j8SrOi8C27InOkdIRY/AT + I1uu2bvai1CfrC5yQ6UfpKUg2jioFDOi7i5nSEon+JnWeJavHpO01JMHuar7ZeGnAKJg + kVLwyiRujU9Fz0CKIMPZihAngQu/0OgqORQIjygeqz+GPgtTxDGQP7IUNR/d+JOPVUse + XlSA== +X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=1e100.net; s=20130820; + h=x-gm-message-state:from:to:cc:subject:date:message-id; + bh=YSBIMZEgVuqyP2cau1199a1sz5d28JA7LPPsF6w9FYQ=; + b=d95i7RXY0ff5vnWvrGqxWfSvvAE8SC6YAaBn3ZqbARIZm5GgynIAB/WYnrIOqpqGV6 + 56jVM40bfzLrols1UZzyJWqPIgxee1zPrESh+WrSsDP2tTdYKl/zk13lbt/u7nOn9o3u + HrAo2aY4DtV3P0ABEq1lKdazmmPACTc6256QQ2nxtHs5n7s7P1ERkpX7NGNqNf1zDBSv + 60xeoswRpMkh0G5ZUgpPYsIbXws9F64n5ytq34O2UDZPv5oPEd8I7P34HpqWkNsLoEBs + XXTxs1SLc8TI3vdduhaQ+rmEvcE5vTaqjVCQAT2mMKTJJ9xIFueF5zExfI892PHAcJQ8 + jiaw== +X-Gm-Message-State: ALoCoQkeL+3MY64KlpZKI1BuYMU+yTQcYF1C+U5u+kPpqROoekUMzIaH45qERBARAi/0vgJ5YM1Cwm+43d66vZMn/WdHPurbMHfFn3PYqeZSAzOEeuSA2jGTSZUkpuH8YwFqiNhABtj93ahsBXrA6POrXb531UvuahU+rnFLTGNLxVHv/08PW3l5PbN8UaTNpUI1qcf6O6MarFcB+fZLYPb339v4EIrLxg== +X-Received: by 10.66.5.226 with SMTP id v2mr8825633pav.22.1381598238410; + Sat, 12 Oct 2013 10:17:18 -0700 (PDT) +Original-Received: from corp2gmr1-2.hot.corp.google.com (corp2gmr1-2.hot.corp.google.com [172.24.189.93]) + by gmr-mx.google.com with ESMTPS id a24si3247317yhl.1.1969.12.31.16.00.00 + (version=TLSv1.1 cipher=AES128-SHA bits=128/128); + Sat, 12 Oct 2013 10:17:18 -0700 (PDT) +Original-Received: from blast2.mtv.corp.google.com (blast2.mtv.corp.google.com [172.17.132.164]) + by corp2gmr1-2.hot.corp.google.com (Postfix) with ESMTP id 2F2B45A41A0; + Sat, 12 Oct 2013 10:17:18 -0700 (PDT) +Original-Received: by blast2.mtv.corp.google.com (Postfix, from userid 5463) + id C6A85220C26; Sat, 12 Oct 2013 10:17:17 -0700 (PDT) +X-Mailer: git-send-email 1.8.4 +Original-Sender: netdev-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: netdev@vger.kernel.org +Xref: news.gmane.org gmane.linux.network:286793 +Archived-At: + +On receiving an ACK that covers the loss probe sequence, TLP +immediately sets the congestion state to Open, even though some packets +are not recovered and retransmisssion are on the way. The later ACks +may trigger a WARN_ON check in step D of tcp_fastretrans_alert(), e.g., +https://bugzilla.redhat.com/show_bug.cgi?id=989251 + +The fix is to follow the similar procedure in recovery by calling +tcp_try_keep_open(). The sender switches to Open state if no packets +are retransmissted. Otherwise it goes to Disorder and let subsequent +ACKs move the state to Recovery or Open. + +Reported-By: Michael Sterrett +Tested-By: Dormando +Signed-off-by: Yuchung Cheng +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 113dc5f..53974c7 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3291,7 +3291,7 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) + tcp_init_cwnd_reduction(sk, true); + tcp_set_ca_state(sk, TCP_CA_CWR); + tcp_end_cwnd_reduction(sk); +- tcp_set_ca_state(sk, TCP_CA_Open); ++ tcp_try_keep_open(sk); + NET_INC_STATS_BH(sock_net(sk), + LINUX_MIB_TCPLOSSPROBERECOVERY); + } +-- +1.8.4 + From ddad4977f682e9d131f4537c1a4520a7bbe5a14b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 25 Oct 2013 12:43:16 -0400 Subject: [PATCH 250/468] Add touchpad support for Dell XT2 (rhbz 1023413) --- alps-Support-for-Dell-XT2-model.patch | 25 +++++++++++++++++++++++++ kernel.spec | 9 +++++++++ 2 files changed, 34 insertions(+) create mode 100644 alps-Support-for-Dell-XT2-model.patch diff --git a/alps-Support-for-Dell-XT2-model.patch b/alps-Support-for-Dell-XT2-model.patch new file mode 100644 index 000000000..453a6983a --- /dev/null +++ b/alps-Support-for-Dell-XT2-model.patch @@ -0,0 +1,25 @@ +From 7673be51f16e978a438bca8ac1bf9e939b7ed7a6 Mon Sep 17 00:00:00 2001 +From: Yunkang Tang +Date: Thu, 24 Oct 2013 13:39:08 +0800 +Subject: [PATCH] Support for Dell XT2 model + +Signed-off-by: Yunkang Tang +--- + drivers/input/mouse/alps.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c +index ca7a26f..24b3626 100644 +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -103,6 +103,7 @@ static const struct alps_model_info alps_model_data[] = { + /* Dell Latitude E5500, E6400, E6500, Precision M4400 */ + { { 0x62, 0x02, 0x14 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, + ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, ++ { { 0x73, 0x00, 0x14 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, ALPS_DUALPOINT }, /* Dell XT2 */ + { { 0x73, 0x02, 0x50 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, ALPS_FOUR_BUTTONS }, /* Dell Vostro 1400 */ + { { 0x52, 0x01, 0x14 }, 0x00, ALPS_PROTO_V2, 0xff, 0xff, + ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, /* Toshiba Tecra A11-11L */ +-- +1.8.1.2 + diff --git a/kernel.spec b/kernel.spec index f9c7297f0..7c12d3801 100644 --- a/kernel.spec +++ b/kernel.spec @@ -779,6 +779,9 @@ Patch25133: fix-buslogic.patch #rhbz 989251 Patch25134: tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch +#rhbz 1023413 +Patch25135: alps-Support-for-Dell-XT2-model.patch + # END OF PATCH DEFINITIONS %endif @@ -1506,6 +1509,9 @@ ApplyPatch fix-buslogic.patch #rhbz 989251 ApplyPatch tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch +#rhbz 1023413 +ApplyPatch alps-Support-for-Dell-XT2-model.patch + # END OF PATCH APPLICATIONS %endif @@ -2318,6 +2324,9 @@ fi # and build. %changelog +* Fri Oct 25 2013 Josh Boyer +- Add touchpad support for Dell XT2 (rhbz 1023413) + * Tue Oct 22 2013 Josh Boyer - Add patch to fix warning in tcp_fastretrans_alert (rhbz 989251) From 145107f726776aaee654e492c1c5e9d582302dc7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 25 Oct 2013 12:57:09 -0400 Subject: [PATCH 251/468] CVE-2013-XXXX net: memory corruption with UDP_CORK and UFO (rhbz 1023477 1023495) --- kernel.spec | 13 +- net_311.mbox | 3794 +++++++++++++++++ ...ncorrect-ca_state-in-tail-loss-probe.patch | 107 - 3 files changed, 3801 insertions(+), 113 deletions(-) create mode 100644 net_311.mbox delete mode 100644 tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch diff --git a/kernel.spec b/kernel.spec index 7c12d3801..a1205baa3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -776,12 +776,12 @@ Patch25132: rt2800usb-slow-down-TX-status-polling.patch #rhbz 1015558 Patch25133: fix-buslogic.patch -#rhbz 989251 -Patch25134: tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch - #rhbz 1023413 Patch25135: alps-Support-for-Dell-XT2-model.patch +#CVE-2013-XXXX rhbz 1023477 1023495 +Patch25136: net_311.mbox + # END OF PATCH DEFINITIONS %endif @@ -1506,12 +1506,12 @@ ApplyPatch rt2800usb-slow-down-TX-status-polling.patch #rhbz 1015558 ApplyPatch fix-buslogic.patch -#rhbz 989251 -ApplyPatch tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch - #rhbz 1023413 ApplyPatch alps-Support-for-Dell-XT2-model.patch +#CVE-2013-XXXX rhbz 1023477 1023495 +ApplyPatch net_311.mbox + # END OF PATCH APPLICATIONS %endif @@ -2325,6 +2325,7 @@ fi %changelog * Fri Oct 25 2013 Josh Boyer +- CVE-2013-XXXX net: memory corruption with UDP_CORK and UFO (rhbz 1023477 1023495) - Add touchpad support for Dell XT2 (rhbz 1023413) * Tue Oct 22 2013 Josh Boyer diff --git a/net_311.mbox b/net_311.mbox new file mode 100644 index 000000000..d420777dd --- /dev/null +++ b/net_311.mbox @@ -0,0 +1,3794 @@ +From 5444e381f5784d32d741864312909d2a6afe428e Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 27 Aug 2013 05:46:32 -0700 +Subject: [PATCH 01/47] tcp: TSO packets automatic sizing + +[ Upstream commits 6d36824e730f247b602c90e8715a792003e3c5a7, + 02cf4ebd82ff0ac7254b88e466820a290ed8289a, and parts of + 7eec4174ff29cd42f2acfae8112f51c228545d40 ] + +After hearing many people over past years complaining against TSO being +bursty or even buggy, we are proud to present automatic sizing of TSO +packets. + +One part of the problem is that tcp_tso_should_defer() uses an heuristic +relying on upcoming ACKS instead of a timer, but more generally, having +big TSO packets makes little sense for low rates, as it tends to create +micro bursts on the network, and general consensus is to reduce the +buffering amount. + +This patch introduces a per socket sk_pacing_rate, that approximates +the current sending rate, and allows us to size the TSO packets so +that we try to send one packet every ms. + +This field could be set by other transports. + +Patch has no impact for high speed flows, where having large TSO packets +makes sense to reach line rate. + +For other flows, this helps better packet scheduling and ACK clocking. + +This patch increases performance of TCP flows in lossy environments. + +A new sysctl (tcp_min_tso_segs) is added, to specify the +minimal size of a TSO packet (default being 2). + +A follow-up patch will provide a new packet scheduler (FQ), using +sk_pacing_rate as an input to perform optional per flow pacing. + +This explains why we chose to set sk_pacing_rate to twice the current +rate, allowing 'slow start' ramp up. + +sk_pacing_rate = 2 * cwnd * mss / srtt + +v2: Neal Cardwell reported a suspect deferring of last two segments on +initial write of 10 MSS, I had to change tcp_tso_should_defer() to take +into account tp->xmit_size_goal_segs + +Signed-off-by: Eric Dumazet +Cc: Neal Cardwell +Cc: Yuchung Cheng +Cc: Van Jacobson +Cc: Tom Herbert +Acked-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +--- + Documentation/networking/ip-sysctl.txt | 9 +++++++++ + include/net/sock.h | 2 ++ + include/net/tcp.h | 1 + + net/core/sock.c | 1 + + net/ipv4/sysctl_net_ipv4.c | 10 ++++++++++ + net/ipv4/tcp.c | 28 +++++++++++++++++++++++----- + net/ipv4/tcp_input.c | 34 +++++++++++++++++++++++++++++++++- + net/ipv4/tcp_output.c | 2 +- + 8 files changed, 80 insertions(+), 7 deletions(-) + +diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt +index 1074290..b522883 100644 +--- a/Documentation/networking/ip-sysctl.txt ++++ b/Documentation/networking/ip-sysctl.txt +@@ -478,6 +478,15 @@ tcp_syn_retries - INTEGER + tcp_timestamps - BOOLEAN + Enable timestamps as defined in RFC1323. + ++tcp_min_tso_segs - INTEGER ++ Minimal number of segments per TSO frame. ++ Since linux-3.12, TCP does an automatic sizing of TSO frames, ++ depending on flow rate, instead of filling 64Kbytes packets. ++ For specific usages, it's possible to force TCP to build big ++ TSO frames. Note that TCP stack might split too big TSO packets ++ if available window is too small. ++ Default: 2 ++ + tcp_tso_win_divisor - INTEGER + This allows control over what percentage of the congestion window + can be consumed by a single TSO frame. +diff --git a/include/net/sock.h b/include/net/sock.h +index 31d5cfb..04e148f 100644 +--- a/include/net/sock.h ++++ b/include/net/sock.h +@@ -232,6 +232,7 @@ struct cg_proto; + * @sk_napi_id: id of the last napi context to receive data for sk + * @sk_ll_usec: usecs to busypoll when there is no data + * @sk_allocation: allocation mode ++ * @sk_pacing_rate: Pacing rate (if supported by transport/packet scheduler) + * @sk_sndbuf: size of send buffer in bytes + * @sk_flags: %SO_LINGER (l_onoff), %SO_BROADCAST, %SO_KEEPALIVE, + * %SO_OOBINLINE settings, %SO_TIMESTAMPING settings +@@ -361,6 +362,7 @@ struct sock { + kmemcheck_bitfield_end(flags); + int sk_wmem_queued; + gfp_t sk_allocation; ++ u32 sk_pacing_rate; /* bytes per second */ + netdev_features_t sk_route_caps; + netdev_features_t sk_route_nocaps; + int sk_gso_type; +diff --git a/include/net/tcp.h b/include/net/tcp.h +index d198005..46cb8a4 100644 +--- a/include/net/tcp.h ++++ b/include/net/tcp.h +@@ -284,6 +284,7 @@ extern int sysctl_tcp_thin_dupack; + extern int sysctl_tcp_early_retrans; + extern int sysctl_tcp_limit_output_bytes; + extern int sysctl_tcp_challenge_ack_limit; ++extern int sysctl_tcp_min_tso_segs; + + extern atomic_long_t tcp_memory_allocated; + extern struct percpu_counter tcp_sockets_allocated; +diff --git a/net/core/sock.c b/net/core/sock.c +index 2c097c5..8729d91 100644 +--- a/net/core/sock.c ++++ b/net/core/sock.c +@@ -2297,6 +2297,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) + sk->sk_ll_usec = sysctl_net_busy_read; + #endif + ++ sk->sk_pacing_rate = ~0U; + /* + * Before updating sk_refcnt, we must commit prior changes to memory + * (Documentation/RCU/rculist_nulls.txt for details) +diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c +index 610e324..6900b8b 100644 +--- a/net/ipv4/sysctl_net_ipv4.c ++++ b/net/ipv4/sysctl_net_ipv4.c +@@ -29,6 +29,7 @@ + static int zero; + static int one = 1; + static int four = 4; ++static int gso_max_segs = GSO_MAX_SEGS; + static int tcp_retr1_max = 255; + static int ip_local_port_range_min[] = { 1, 1 }; + static int ip_local_port_range_max[] = { 65535, 65535 }; +@@ -754,6 +755,15 @@ static struct ctl_table ipv4_table[] = { + .extra2 = &four, + }, + { ++ .procname = "tcp_min_tso_segs", ++ .data = &sysctl_tcp_min_tso_segs, ++ .maxlen = sizeof(int), ++ .mode = 0644, ++ .proc_handler = proc_dointvec_minmax, ++ .extra1 = &zero, ++ .extra2 = &gso_max_segs, ++ }, ++ { + .procname = "udp_mem", + .data = &sysctl_udp_mem, + .maxlen = sizeof(sysctl_udp_mem), +diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c +index 95544e4..ec586e5 100644 +--- a/net/ipv4/tcp.c ++++ b/net/ipv4/tcp.c +@@ -283,6 +283,8 @@ + + int sysctl_tcp_fin_timeout __read_mostly = TCP_FIN_TIMEOUT; + ++int sysctl_tcp_min_tso_segs __read_mostly = 2; ++ + struct percpu_counter tcp_orphan_count; + EXPORT_SYMBOL_GPL(tcp_orphan_count); + +@@ -789,12 +791,28 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now, + xmit_size_goal = mss_now; + + if (large_allowed && sk_can_gso(sk)) { +- xmit_size_goal = ((sk->sk_gso_max_size - 1) - +- inet_csk(sk)->icsk_af_ops->net_header_len - +- inet_csk(sk)->icsk_ext_hdr_len - +- tp->tcp_header_len); ++ u32 gso_size, hlen; ++ ++ /* Maybe we should/could use sk->sk_prot->max_header here ? */ ++ hlen = inet_csk(sk)->icsk_af_ops->net_header_len + ++ inet_csk(sk)->icsk_ext_hdr_len + ++ tp->tcp_header_len; ++ ++ /* Goal is to send at least one packet per ms, ++ * not one big TSO packet every 100 ms. ++ * This preserves ACK clocking and is consistent ++ * with tcp_tso_should_defer() heuristic. ++ */ ++ gso_size = sk->sk_pacing_rate / (2 * MSEC_PER_SEC); ++ gso_size = max_t(u32, gso_size, ++ sysctl_tcp_min_tso_segs * mss_now); ++ ++ xmit_size_goal = min_t(u32, gso_size, ++ sk->sk_gso_max_size - 1 - hlen); + +- /* TSQ : try to have two TSO segments in flight */ ++ /* TSQ : try to have at least two segments in flight ++ * (one in NIC TX ring, another in Qdisc) ++ */ + xmit_size_goal = min_t(u32, xmit_size_goal, + sysctl_tcp_limit_output_bytes >> 1); + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 3ca2139..2f0e94b 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -688,6 +688,34 @@ static void tcp_rtt_estimator(struct sock *sk, const __u32 mrtt) + } + } + ++/* Set the sk_pacing_rate to allow proper sizing of TSO packets. ++ * Note: TCP stack does not yet implement pacing. ++ * FQ packet scheduler can be used to implement cheap but effective ++ * TCP pacing, to smooth the burst on large writes when packets ++ * in flight is significantly lower than cwnd (or rwin) ++ */ ++static void tcp_update_pacing_rate(struct sock *sk) ++{ ++ const struct tcp_sock *tp = tcp_sk(sk); ++ u64 rate; ++ ++ /* set sk_pacing_rate to 200 % of current rate (mss * cwnd / srtt) */ ++ rate = (u64)tp->mss_cache * 2 * (HZ << 3); ++ ++ rate *= max(tp->snd_cwnd, tp->packets_out); ++ ++ /* Correction for small srtt : minimum srtt being 8 (1 jiffy << 3), ++ * be conservative and assume srtt = 1 (125 us instead of 1.25 ms) ++ * We probably need usec resolution in the future. ++ * Note: This also takes care of possible srtt=0 case, ++ * when tcp_rtt_estimator() was not yet called. ++ */ ++ if (tp->srtt > 8 + 2) ++ do_div(rate, tp->srtt); ++ ++ sk->sk_pacing_rate = min_t(u64, rate, ~0U); ++} ++ + /* Calculate rto without backoff. This is the second half of Van Jacobson's + * routine referred to above. + */ +@@ -3269,7 +3297,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + u32 ack_seq = TCP_SKB_CB(skb)->seq; + u32 ack = TCP_SKB_CB(skb)->ack_seq; + bool is_dupack = false; +- u32 prior_in_flight; ++ u32 prior_in_flight, prior_cwnd = tp->snd_cwnd, prior_rtt = tp->srtt; + u32 prior_fackets; + int prior_packets = tp->packets_out; + const int prior_unsacked = tp->packets_out - tp->sacked_out; +@@ -3375,6 +3403,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) + + if (icsk->icsk_pending == ICSK_TIME_RETRANS) + tcp_schedule_loss_probe(sk); ++ if (tp->srtt != prior_rtt || tp->snd_cwnd != prior_cwnd) ++ tcp_update_pacing_rate(sk); + return 1; + + no_queue: +@@ -5671,6 +5701,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, + } else + tcp_init_metrics(sk); + ++ tcp_update_pacing_rate(sk); ++ + /* Prevent spurious tcp_cwnd_restart() on first data packet */ + tp->lsndtime = tcp_time_stamp; + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 170737a..7b263c3 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -1628,7 +1628,7 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb) + + /* If a full-sized TSO skb can be sent, do it. */ + if (limit >= min_t(unsigned int, sk->sk_gso_max_size, +- sk->sk_gso_max_segs * tp->mss_cache)) ++ tp->xmit_size_goal_segs * tp->mss_cache)) + goto send_now; + + /* Middle in queue won't get any more data, full sendable already? */ +-- +1.7.11.7 + + +From 1b6c7d9979e1db1d42bd0545452a9d204c019582 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 27 Sep 2013 03:28:54 -0700 +Subject: [PATCH 02/47] tcp: TSQ can use a dynamic limit + +[ Upstream commit c9eeec26e32e087359160406f96e0949b3cc6f10 ] + +When TCP Small Queues was added, we used a sysctl to limit amount of +packets queues on Qdisc/device queues for a given TCP flow. + +Problem is this limit is either too big for low rates, or too small +for high rates. + +Now TCP stack has rate estimation in sk->sk_pacing_rate, and TSO +auto sizing, it can better control number of packets in Qdisc/device +queues. + +New limit is two packets or at least 1 to 2 ms worth of packets. + +Low rates flows benefit from this patch by having even smaller +number of packets in queues, allowing for faster recovery, +better RTT estimations. + +High rates flows benefit from this patch by allowing more than 2 packets +in flight as we had reports this was a limiting factor to reach line +rate. [ In particular if TX completion is delayed because of coalescing +parameters ] + +Example for a single flow on 10Gbp link controlled by FQ/pacing + +14 packets in flight instead of 2 + +$ tc -s -d qd +qdisc fq 8001: dev eth0 root refcnt 32 limit 10000p flow_limit 100p +buckets 1024 quantum 3028 initial_quantum 15140 + Sent 1168459366606 bytes 771822841 pkt (dropped 0, overlimits 0 +requeues 6822476) + rate 9346Mbit 771713pps backlog 953820b 14p requeues 6822476 + 2047 flow, 2046 inactive, 1 throttled, delay 15673 ns + 2372 gc, 0 highprio, 0 retrans, 9739249 throttled, 0 flows_plimit + +Note that sk_pacing_rate is currently set to twice the actual rate, but +this might be refined in the future when a flow is in congestion +avoidance. + +Additional change : skb->destructor should be set to tcp_wfree(). + +A future patch (for linux 3.13+) might remove tcp_limit_output_bytes + +Signed-off-by: Eric Dumazet +Cc: Wei Liu +Cc: Cong Wang +Cc: Yuchung Cheng +Cc: Neal Cardwell +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +--- + net/ipv4/tcp_output.c | 17 +++++++++++------ + 1 file changed, 11 insertions(+), 6 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index 7b263c3..fe897ed 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -892,8 +892,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, + + skb_orphan(skb); + skb->sk = sk; +- skb->destructor = (sysctl_tcp_limit_output_bytes > 0) ? +- tcp_wfree : sock_wfree; ++ skb->destructor = tcp_wfree; + atomic_add(skb->truesize, &sk->sk_wmem_alloc); + + /* Build TCP header and checksum it. */ +@@ -1837,7 +1836,6 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, + while ((skb = tcp_send_head(sk))) { + unsigned int limit; + +- + tso_segs = tcp_init_tso_segs(sk, skb, mss_now); + BUG_ON(!tso_segs); + +@@ -1866,13 +1864,20 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, + break; + } + +- /* TSQ : sk_wmem_alloc accounts skb truesize, +- * including skb overhead. But thats OK. ++ /* TCP Small Queues : ++ * Control number of packets in qdisc/devices to two packets / or ~1 ms. ++ * This allows for : ++ * - better RTT estimation and ACK scheduling ++ * - faster recovery ++ * - high rates + */ +- if (atomic_read(&sk->sk_wmem_alloc) >= sysctl_tcp_limit_output_bytes) { ++ limit = max(skb->truesize, sk->sk_pacing_rate >> 10); ++ ++ if (atomic_read(&sk->sk_wmem_alloc) > limit) { + set_bit(TSQ_THROTTLED, &tp->tsq_flags); + break; + } ++ + limit = mss_now; + if (tso_segs > 1 && !tcp_urg_mode(tp)) + limit = tcp_mss_split_point(sk, skb, mss_now, +-- +1.7.11.7 + + +From 4f25abff83e2780265eaa17d437b7659ea543bd5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 15 Oct 2013 11:54:30 -0700 +Subject: [PATCH 03/47] tcp: must unclone packets before mangling them + +[ Upstream commit c52e2421f7368fd36cbe330d2cf41b10452e39a9 ] + +TCP stack should make sure it owns skbs before mangling them. + +We had various crashes using bnx2x, and it turned out gso_size +was cleared right before bnx2x driver was populating TC descriptor +of the _previous_ packet send. TCP stack can sometime retransmit +packets that are still in Qdisc. + +Of course we could make bnx2x driver more robust (using +ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. + +We have identified two points where skb_unclone() was needed. + +This patch adds a WARN_ON_ONCE() to warn us if we missed another +fix of this kind. + +Kudos to Neal for finding the root cause of this bug. Its visible +using small MSS. + +Signed-off-by: Eric Dumazet +Signed-off-by: Neal Cardwell +Cc: Yuchung Cheng +Signed-off-by: David S. Miller +--- + net/ipv4/tcp_output.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c +index fe897ed..28c0d6a 100644 +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -981,6 +981,9 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb) + static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb, + unsigned int mss_now) + { ++ /* Make sure we own this skb before messing gso_size/gso_segs */ ++ WARN_ON_ONCE(skb_cloned(skb)); ++ + if (skb->len <= mss_now || !sk_can_gso(sk) || + skb->ip_summed == CHECKSUM_NONE) { + /* Avoid the costly divide in the normal +@@ -1062,9 +1065,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, + if (nsize < 0) + nsize = 0; + +- if (skb_cloned(skb) && +- skb_is_nonlinear(skb) && +- pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) ++ if (skb_unclone(skb, GFP_ATOMIC)) + return -ENOMEM; + + /* Get a new skb... force flag on. */ +@@ -2339,6 +2340,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) + int oldpcount = tcp_skb_pcount(skb); + + if (unlikely(oldpcount > 1)) { ++ if (skb_unclone(skb, GFP_ATOMIC)) ++ return -ENOMEM; + tcp_init_tso_segs(sk, skb, cur_mss); + tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb)); + } +-- +1.7.11.7 + + +From 8731e25f7527ca851045eb0715d998d1ac07aadb Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Fri, 4 Oct 2013 10:31:41 -0700 +Subject: [PATCH 04/47] tcp: do not forget FIN in tcp_shifted_skb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 5e8a402f831dbe7ee831340a91439e46f0d38acd ] + +Yuchung found following problem : + + There are bugs in the SACK processing code, merging part in + tcp_shift_skb_data(), that incorrectly resets or ignores the sacked + skbs FIN flag. When a receiver first SACK the FIN sequence, and later + throw away ofo queue (e.g., sack-reneging), the sender will stop + retransmitting the FIN flag, and hangs forever. + +Following packetdrill test can be used to reproduce the bug. + +$ cat sack-merge-bug.pkt +`sysctl -q net.ipv4.tcp_fack=0` + +// Establish a connection and send 10 MSS. +0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 ++.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 ++.000 bind(3, ..., ...) = 0 ++.000 listen(3, 1) = 0 + ++.050 < S 0:0(0) win 32792 ++.000 > S. 0:0(0) ack 1 ++.001 < . 1:1(0) ack 1 win 1024 ++.000 accept(3, ..., ...) = 4 + ++.100 write(4, ..., 12000) = 12000 ++.000 shutdown(4, SHUT_WR) = 0 ++.000 > . 1:10001(10000) ack 1 ++.050 < . 1:1(0) ack 2001 win 257 ++.000 > FP. 10001:12001(2000) ack 1 ++.050 < . 1:1(0) ack 2001 win 257 ++.050 < . 1:1(0) ack 2001 win 257 +// SACK reneg ++.050 < . 1:1(0) ack 12001 win 257 ++0 %{ print "unacked: ",tcpi_unacked }% ++5 %{ print "" }% + +First, a typo inverted left/right of one OR operation, then +code forgot to advance end_seq if the merged skb carried FIN. + +Bug was added in 2.6.29 by commit 832d11c5cd076ab +("tcp: Try to restore large SKBs while SACK processing") + +Signed-off-by: Eric Dumazet +Signed-off-by: Yuchung Cheng +Acked-by: Neal Cardwell +Cc: Ilpo Järvinen +Acked-by: Ilpo Järvinen +Signed-off-by: David S. Miller +--- + net/ipv4/tcp_input.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 2f0e94b..61e2360 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -1279,7 +1279,10 @@ static bool tcp_shifted_skb(struct sock *sk, struct sk_buff *skb, + tp->lost_cnt_hint -= tcp_skb_pcount(prev); + } + +- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags; ++ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags; ++ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) ++ TCP_SKB_CB(prev)->end_seq++; ++ + if (skb == tcp_highest_sack(sk)) + tcp_advance_highest_sack(sk, skb); + +-- +1.7.11.7 + + +From bfc0a00d669a4fa0835c417f01c50c18996d1e60 Mon Sep 17 00:00:00 2001 +From: Yuchung Cheng +Date: Sat, 12 Oct 2013 10:16:27 -0700 +Subject: [PATCH 05/47] tcp: fix incorrect ca_state in tail loss probe + +[ Upstream commit 031afe4990a7c9dbff41a3a742c44d3e740ea0a1 ] + +On receiving an ACK that covers the loss probe sequence, TLP +immediately sets the congestion state to Open, even though some packets +are not recovered and retransmisssion are on the way. The later ACks +may trigger a WARN_ON check in step D of tcp_fastretrans_alert(), e.g., +https://bugzilla.redhat.com/show_bug.cgi?id=989251 + +The fix is to follow the similar procedure in recovery by calling +tcp_try_keep_open(). The sender switches to Open state if no packets +are retransmissted. Otherwise it goes to Disorder and let subsequent +ACKs move the state to Recovery or Open. + +Reported-By: Michael Sterrett +Tested-By: Dormando +Signed-off-by: Yuchung Cheng +Acked-by: Neal Cardwell +Signed-off-by: David S. Miller +--- + net/ipv4/tcp_input.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c +index 61e2360..723951a 100644 +--- a/net/ipv4/tcp_input.c ++++ b/net/ipv4/tcp_input.c +@@ -3284,7 +3284,7 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) + tcp_init_cwnd_reduction(sk, true); + tcp_set_ca_state(sk, TCP_CA_CWR); + tcp_end_cwnd_reduction(sk); +- tcp_set_ca_state(sk, TCP_CA_Open); ++ tcp_try_keep_open(sk); + NET_INC_STATS_BH(sock_net(sk), + LINUX_MIB_TCPLOSSPROBERECOVERY); + } +-- +1.7.11.7 + + +From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Tue, 1 Oct 2013 21:04:11 -0700 +Subject: [PATCH 06/47] net: do not call sock_put() on TIMEWAIT sockets + +[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ] + +commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / +hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. + +We should instead use inet_twsk_put() + +Signed-off-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/ipv4/inet_hashtables.c | 2 +- + net/ipv6/inet6_hashtables.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c +index 7bd8983..96da9c7 100644 +--- a/net/ipv4/inet_hashtables.c ++++ b/net/ipv4/inet_hashtables.c +@@ -287,7 +287,7 @@ begintw: + if (unlikely(!INET_TW_MATCH(sk, net, acookie, + saddr, daddr, ports, + dif))) { +- sock_put(sk); ++ inet_twsk_put(inet_twsk(sk)); + goto begintw; + } + goto out; +diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c +index 32b4a16..066640e 100644 +--- a/net/ipv6/inet6_hashtables.c ++++ b/net/ipv6/inet6_hashtables.c +@@ -116,7 +116,7 @@ begintw: + } + if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr, + ports, dif))) { +- sock_put(sk); ++ inet_twsk_put(inet_twsk(sk)); + goto begintw; + } + goto out; +-- +1.7.11.7 + + +From bc7fd34d31c17b0e4c100013e77277a2ed7e15cf Mon Sep 17 00:00:00 2001 +From: Matthias Schiffer +Date: Fri, 27 Sep 2013 18:03:39 +0200 +Subject: [PATCH 07/47] batman-adv: set up network coding packet handlers + during module init + +[ Upstream commit 6c519bad7b19a2c14a075b400edabaa630330123 ] + +batman-adv saves its table of packet handlers as a global state, so handlers +must be set up only once (and setting them up a second time will fail). + +The recently-added network coding support tries to set up its handler each time +a new softif is registered, which obviously fails when more that one softif is +used (and in consequence, the softif creation fails). + +Fix this by splitting up batadv_nc_init into batadv_nc_init (which is called +only once) and batadv_nc_mesh_init (which is called for each softif); in +addition batadv_nc_free is renamed to batadv_nc_mesh_free to keep naming +consistent. + +Signed-off-by: Matthias Schiffer +Signed-off-by: Marek Lindner +Signed-off-by: Antonio Quartulli +--- + net/batman-adv/main.c | 5 +++-- + net/batman-adv/network-coding.c | 28 ++++++++++++++++++---------- + net/batman-adv/network-coding.h | 14 ++++++++++---- + 3 files changed, 31 insertions(+), 16 deletions(-) + +diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c +index 08125f3..c8e0671 100644 +--- a/net/batman-adv/main.c ++++ b/net/batman-adv/main.c +@@ -61,6 +61,7 @@ static int __init batadv_init(void) + batadv_recv_handler_init(); + + batadv_iv_init(); ++ batadv_nc_init(); + + batadv_event_workqueue = create_singlethread_workqueue("bat_events"); + +@@ -138,7 +139,7 @@ int batadv_mesh_init(struct net_device *soft_iface) + if (ret < 0) + goto err; + +- ret = batadv_nc_init(bat_priv); ++ ret = batadv_nc_mesh_init(bat_priv); + if (ret < 0) + goto err; + +@@ -163,7 +164,7 @@ void batadv_mesh_free(struct net_device *soft_iface) + batadv_vis_quit(bat_priv); + + batadv_gw_node_purge(bat_priv); +- batadv_nc_free(bat_priv); ++ batadv_nc_mesh_free(bat_priv); + batadv_dat_free(bat_priv); + batadv_bla_free(bat_priv); + +diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c +index a487d46..4ecc0b6 100644 +--- a/net/batman-adv/network-coding.c ++++ b/net/batman-adv/network-coding.c +@@ -35,6 +35,20 @@ static int batadv_nc_recv_coded_packet(struct sk_buff *skb, + struct batadv_hard_iface *recv_if); + + /** ++ * batadv_nc_init - one-time initialization for network coding ++ */ ++int __init batadv_nc_init(void) ++{ ++ int ret; ++ ++ /* Register our packet type */ ++ ret = batadv_recv_handler_register(BATADV_CODED, ++ batadv_nc_recv_coded_packet); ++ ++ return ret; ++} ++ ++/** + * batadv_nc_start_timer - initialise the nc periodic worker + * @bat_priv: the bat priv with all the soft interface information + */ +@@ -45,10 +59,10 @@ static void batadv_nc_start_timer(struct batadv_priv *bat_priv) + } + + /** +- * batadv_nc_init - initialise coding hash table and start house keeping ++ * batadv_nc_mesh_init - initialise coding hash table and start house keeping + * @bat_priv: the bat priv with all the soft interface information + */ +-int batadv_nc_init(struct batadv_priv *bat_priv) ++int batadv_nc_mesh_init(struct batadv_priv *bat_priv) + { + bat_priv->nc.timestamp_fwd_flush = jiffies; + bat_priv->nc.timestamp_sniffed_purge = jiffies; +@@ -70,11 +84,6 @@ int batadv_nc_init(struct batadv_priv *bat_priv) + batadv_hash_set_lock_class(bat_priv->nc.coding_hash, + &batadv_nc_decoding_hash_lock_class_key); + +- /* Register our packet type */ +- if (batadv_recv_handler_register(BATADV_CODED, +- batadv_nc_recv_coded_packet) < 0) +- goto err; +- + INIT_DELAYED_WORK(&bat_priv->nc.work, batadv_nc_worker); + batadv_nc_start_timer(bat_priv); + +@@ -1721,12 +1730,11 @@ free_nc_packet: + } + + /** +- * batadv_nc_free - clean up network coding memory ++ * batadv_nc_mesh_free - clean up network coding memory + * @bat_priv: the bat priv with all the soft interface information + */ +-void batadv_nc_free(struct batadv_priv *bat_priv) ++void batadv_nc_mesh_free(struct batadv_priv *bat_priv) + { +- batadv_recv_handler_unregister(BATADV_CODED); + cancel_delayed_work_sync(&bat_priv->nc.work); + + batadv_nc_purge_paths(bat_priv, bat_priv->nc.coding_hash, NULL); +diff --git a/net/batman-adv/network-coding.h b/net/batman-adv/network-coding.h +index 85a4ec8..ddfa618 100644 +--- a/net/batman-adv/network-coding.h ++++ b/net/batman-adv/network-coding.h +@@ -22,8 +22,9 @@ + + #ifdef CONFIG_BATMAN_ADV_NC + +-int batadv_nc_init(struct batadv_priv *bat_priv); +-void batadv_nc_free(struct batadv_priv *bat_priv); ++int batadv_nc_init(void); ++int batadv_nc_mesh_init(struct batadv_priv *bat_priv); ++void batadv_nc_mesh_free(struct batadv_priv *bat_priv); + void batadv_nc_update_nc_node(struct batadv_priv *bat_priv, + struct batadv_orig_node *orig_node, + struct batadv_orig_node *orig_neigh_node, +@@ -46,12 +47,17 @@ int batadv_nc_init_debugfs(struct batadv_priv *bat_priv); + + #else /* ifdef CONFIG_BATMAN_ADV_NC */ + +-static inline int batadv_nc_init(struct batadv_priv *bat_priv) ++static inline int batadv_nc_init(void) + { + return 0; + } + +-static inline void batadv_nc_free(struct batadv_priv *bat_priv) ++static inline int batadv_nc_mesh_init(struct batadv_priv *bat_priv) ++{ ++ return 0; ++} ++ ++static inline void batadv_nc_mesh_free(struct batadv_priv *bat_priv) + { + return; + } +-- +1.7.11.7 + + +From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Fran=C3=A7ois=20Cachereul?= +Date: Wed, 2 Oct 2013 10:16:02 +0200 +Subject: [PATCH 08/47] l2tp: fix kernel panic when using IPv4-mapped IPv6 + addresses +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ] + +IPv4 mapped addresses cause kernel panic. +The patch juste check whether the IPv6 address is an IPv4 mapped +address. If so, use IPv4 API instead of IPv6. + +[ 940.026915] general protection fault: 0000 [#1] +[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse +[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 +[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 +[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 +[ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 +[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 +[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 +[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 +[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 +[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 +[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 +[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 +[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 +[ 940.026915] Stack: +[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 +[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 +[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 +[ 940.026915] Call Trace: +[ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 +[ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] +[ 940.026915] [] ? pskb_expand_head+0x161/0x214 +[ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] +[ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] +[ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] +[ 940.026915] [] ? vfs_write+0xa2/0x106 +[ 940.026915] [] ? SyS_write+0x56/0x8a +[ 940.026915] [] ? system_call_fastpath+0x16/0x1b +[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 +8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 +00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 +[ 940.026915] RIP [] ip6_xmit+0x276/0x326 +[ 940.026915] RSP +[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- +[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt + +Signed-off-by: François CACHEREUL +Signed-off-by: David S. Miller +--- + net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- + net/l2tp/l2tp_core.h | 3 +++ + 2 files changed, 26 insertions(+), 4 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index feae495..aedaa2c 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -496,6 +496,7 @@ out: + static inline int l2tp_verify_udp_checksum(struct sock *sk, + struct sk_buff *skb) + { ++ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data; + struct udphdr *uh = udp_hdr(skb); + u16 ulen = ntohs(uh->len); + __wsum psum; +@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk, + return 0; + + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) { ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) { + if (!uh->check) { + LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); + return 1; +@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, + /* Queue the packet to IP for output */ + skb->local_df = 1; + #if IS_ENABLED(CONFIG_IPV6) +- if (skb->sk->sk_family == PF_INET6) ++ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped) + error = inet6_csk_xmit(skb, NULL); + else + #endif +@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len + + /* Calculate UDP checksum if configured to do so */ + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) + l2tp_xmit_ipv6_csum(sk, skb, udp_len); + else + #endif +@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + if (cfg != NULL) + tunnel->debug = cfg->debug; + ++#if IS_ENABLED(CONFIG_IPV6) ++ if (sk->sk_family == PF_INET6) { ++ struct ipv6_pinfo *np = inet6_sk(sk); ++ ++ if (ipv6_addr_v4mapped(&np->saddr) && ++ ipv6_addr_v4mapped(&np->daddr)) { ++ struct inet_sock *inet = inet_sk(sk); ++ ++ tunnel->v4mapped = true; ++ inet->inet_saddr = np->saddr.s6_addr32[3]; ++ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3]; ++ inet->inet_daddr = np->daddr.s6_addr32[3]; ++ } else { ++ tunnel->v4mapped = false; ++ } ++ } ++#endif ++ + /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ + tunnel->encap = encap; + if (encap == L2TP_ENCAPTYPE_UDP) { +@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; + udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy; + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6) ++ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) + udpv6_encap_enable(); + else + #endif +diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h +index 66a559b..6f251cb 100644 +--- a/net/l2tp/l2tp_core.h ++++ b/net/l2tp/l2tp_core.h +@@ -194,6 +194,9 @@ struct l2tp_tunnel { + struct sock *sock; /* Parent socket */ + int fd; /* Parent fd, if tunnel socket + * was created by userspace */ ++#if IS_ENABLED(CONFIG_IPV6) ++ bool v4mapped; ++#endif + + struct work_struct del_work; + +-- +1.7.11.7 + + +From 0ec2b01190b1a2ba020241ab89730bf7e7d77b9c Mon Sep 17 00:00:00 2001 +From: "David S. Miller" +Date: Tue, 8 Oct 2013 15:44:26 -0400 +Subject: [PATCH 09/47] l2tp: Fix build warning with ipv6 disabled. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 8d8a51e26a6d415e1470759f2cf5f3ee3ee86196 ] + +net/l2tp/l2tp_core.c: In function ‘l2tp_verify_udp_checksum’: +net/l2tp/l2tp_core.c:499:22: warning: unused variable ‘tunnel’ [-Wunused-variable] + +Create a helper "l2tp_tunnel()" to facilitate this, and as a side +effect get rid of a bunch of unnecessary void pointer casts. + +Signed-off-by: David S. Miller +--- + net/l2tp/l2tp_core.c | 13 ++++++++----- + 1 file changed, 8 insertions(+), 5 deletions(-) + +diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c +index aedaa2c..b076e83 100644 +--- a/net/l2tp/l2tp_core.c ++++ b/net/l2tp/l2tp_core.c +@@ -115,6 +115,11 @@ struct l2tp_net { + static void l2tp_session_set_header_len(struct l2tp_session *session, int version); + static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel); + ++static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk) ++{ ++ return sk->sk_user_data; ++} ++ + static inline struct l2tp_net *l2tp_pernet(struct net *net) + { + BUG_ON(!net); +@@ -496,7 +501,6 @@ out: + static inline int l2tp_verify_udp_checksum(struct sock *sk, + struct sk_buff *skb) + { +- struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data; + struct udphdr *uh = udp_hdr(skb); + u16 ulen = ntohs(uh->len); + __wsum psum; +@@ -505,7 +509,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk, + return 0; + + #if IS_ENABLED(CONFIG_IPV6) +- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) { ++ if (sk->sk_family == PF_INET6 && !l2tp_tunnel(sk)->v4mapped) { + if (!uh->check) { + LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); + return 1; +@@ -1305,10 +1309,9 @@ EXPORT_SYMBOL_GPL(l2tp_xmit_skb); + */ + static void l2tp_tunnel_destruct(struct sock *sk) + { +- struct l2tp_tunnel *tunnel; ++ struct l2tp_tunnel *tunnel = l2tp_tunnel(sk); + struct l2tp_net *pn; + +- tunnel = sk->sk_user_data; + if (tunnel == NULL) + goto end; + +@@ -1676,7 +1679,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 + } + + /* Check if this socket has already been prepped */ +- tunnel = (struct l2tp_tunnel *)sk->sk_user_data; ++ tunnel = l2tp_tunnel(sk); + if (tunnel != NULL) { + /* This socket has already been prepped */ + err = -EBUSY; +-- +1.7.11.7 + + +From 35e64a9e465a85ffacd373439c1caa757e407656 Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth +Date: Wed, 2 Oct 2013 12:57:20 +0200 +Subject: [PATCH 10/47] net: mv643xx_eth: update statistics timer from timer + context only + +[ Upstream commit 041b4ddb84989f06ff1df0ca869b950f1ee3cb1c ] + +Each port driver installs a periodic timer to update port statistics +by calling mib_counters_update. As mib_counters_update is also called +from non-timer context, we should not reschedule the timer there but +rather move it to timer-only context. + +Signed-off-by: Sebastian Hesselbarth +Acked-by: Jason Cooper +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index c35db73..51c138b 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -1131,15 +1131,13 @@ static void mib_counters_update(struct mv643xx_eth_private *mp) + p->rx_discard += rdlp(mp, RX_DISCARD_FRAME_CNT); + p->rx_overrun += rdlp(mp, RX_OVERRUN_FRAME_CNT); + spin_unlock_bh(&mp->mib_counters_lock); +- +- mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); + } + + static void mib_counters_timer_wrapper(unsigned long _mp) + { + struct mv643xx_eth_private *mp = (void *)_mp; +- + mib_counters_update(mp); ++ mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); + } + + +-- +1.7.11.7 + + +From b6b20d9c54b23ba35c5807e45ff7d9579503bffa Mon Sep 17 00:00:00 2001 +From: Sebastian Hesselbarth +Date: Wed, 2 Oct 2013 12:57:21 +0200 +Subject: [PATCH 11/47] net: mv643xx_eth: fix orphaned statistics timer crash + +[ Upstream commit f564412c935111c583b787bcc18157377b208e2e ] + +The periodic statistics timer gets started at port _probe() time, but +is stopped on _stop() only. In a modular environment, this can cause +the timer to access already deallocated memory, if the module is unloaded +without starting the eth device. To fix this, we add the timer right +before the port is started, instead of at _probe() time. + +Signed-off-by: Sebastian Hesselbarth +Acked-by: Jason Cooper +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c +index 51c138b..39334d4 100644 +--- a/drivers/net/ethernet/marvell/mv643xx_eth.c ++++ b/drivers/net/ethernet/marvell/mv643xx_eth.c +@@ -2235,6 +2235,7 @@ static int mv643xx_eth_open(struct net_device *dev) + mp->int_mask |= INT_TX_END_0 << i; + } + ++ add_timer(&mp->mib_counters_timer); + port_start(mp); + + wrlp(mp, INT_MASK_EXT, INT_EXT_LINK_PHY | INT_EXT_TX); +@@ -2914,7 +2915,6 @@ static int mv643xx_eth_probe(struct platform_device *pdev) + mp->mib_counters_timer.data = (unsigned long)mp; + mp->mib_counters_timer.function = mib_counters_timer_wrapper; + mp->mib_counters_timer.expires = jiffies + 30 * HZ; +- add_timer(&mp->mib_counters_timer); + + spin_lock_init(&mp->mib_counters_lock); + +-- +1.7.11.7 + + +From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Thu, 3 Oct 2013 00:27:20 +0300 +Subject: [PATCH 12/47] net: heap overflow in __audit_sockaddr() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ] + +We need to cap ->msg_namelen or it leads to a buffer overflow when we +to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to +exploit this bug. + +The call tree is: +___sys_recvmsg() + move_addr_to_user() + audit_sockaddr() + __audit_sockaddr() + +Reported-by: Jüri Aedla +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +--- + net/compat.c | 2 ++ + net/socket.c | 24 ++++++++++++++++++++---- + 2 files changed, 22 insertions(+), 4 deletions(-) + +diff --git a/net/compat.c b/net/compat.c +index f0a1ba6..8903258 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) + __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || + __get_user(kmsg->msg_flags, &umsg->msg_flags)) + return -EFAULT; ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) ++ return -EINVAL; + kmsg->msg_name = compat_ptr(tmp1); + kmsg->msg_iov = compat_ptr(tmp2); + kmsg->msg_control = compat_ptr(tmp3); +diff --git a/net/socket.c b/net/socket.c +index b2d7c62..4b94643 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1973,6 +1973,16 @@ struct used_address { + unsigned int name_len; + }; + ++static int copy_msghdr_from_user(struct msghdr *kmsg, ++ struct msghdr __user *umsg) ++{ ++ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) ++ return -EFAULT; ++ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) ++ return -EINVAL; ++ return 0; ++} ++ + static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, + struct msghdr *msg_sys, unsigned int flags, + struct used_address *used_address) +@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, + if (MSG_CMSG_COMPAT & flags) { + if (get_compat_msghdr(msg_sys, msg_compat)) + return -EFAULT; +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) +- return -EFAULT; ++ } else { ++ err = copy_msghdr_from_user(msg_sys, msg); ++ if (err) ++ return err; ++ } + + if (msg_sys->msg_iovlen > UIO_FASTIOV) { + err = -EMSGSIZE; +@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + if (MSG_CMSG_COMPAT & flags) { + if (get_compat_msghdr(msg_sys, msg_compat)) + return -EFAULT; +- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) +- return -EFAULT; ++ } else { ++ err = copy_msghdr_from_user(msg_sys, msg); ++ if (err) ++ return err; ++ } + + if (msg_sys->msg_iovlen > UIO_FASTIOV) { + err = -EMSGSIZE; +-- +1.7.11.7 + + +From 6e24497ef79e18f5b1ddce66712d55093a6cf3e9 Mon Sep 17 00:00:00 2001 +From: Willem de Bruijn +Date: Tue, 22 Oct 2013 10:59:18 -0400 +Subject: [PATCH 13/47] sit: amend "allow to use rtnl ops on fb tunnel" + +Amend backport to 3.11.y of + + [ Upstream commit 205983c43700ac3a81e7625273a3fa83cd2759b5 ] + +The discussion thread in the upstream commit mentions that in +backports to stable-* branches, the line + + - unregister_netdevice_queue(sitn->fb_tunnel_dev, &list); + +must be omitted if that branch does not have commit 5e6700b3bf98 +("sit: add support of x-netns"). This line has correctly been omitted +in the backport to 3.10, which indeed does not have that commit. + +It was also removed in the backport to 3.11.y, which does have that +commit. + +This causes the following steps to hit a BUG at net/core/dev.c:5039: + + `modprobe sit; rmmod sit` + +The bug demonstrates that it causes a device to be unregistered twice. +The simple fix is to apply the one line in the upstream commit that +was dropped in the backport to 3.11 (3783100374653e2e7fbdf68c710f5). +This brings the logic in line with upstream linux, net and net-next +branches. + +Signed-off-by: Willem de Bruijn +Acked-by: Nicolas Dichtel +Reviewed-by: Veaceslav Falico +--- + net/ipv6/sit.c | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c +index 86f639b..a51ad07 100644 +--- a/net/ipv6/sit.c ++++ b/net/ipv6/sit.c +@@ -1708,7 +1708,6 @@ static void __net_exit sit_exit_net(struct net *net) + + rtnl_lock(); + sit_destroy_tunnels(sitn, &list); +- unregister_netdevice_queue(sitn->fb_tunnel_dev, &list); + unregister_netdevice_many(&list); + rtnl_unlock(); + } +-- +1.7.11.7 + + +From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:03:06 +0200 +Subject: [PATCH 14/47] proc connector: fix info leaks + +[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ] + +Initialize event_data for all possible message types to prevent leaking +kernel stack contents to userland (up to 20 bytes). Also set the flags +member of the connector message to 0 to prevent leaking two more stack +bytes this way. + +Cc: stable@vger.kernel.org # v2.6.15+ +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +--- + drivers/connector/cn_proc.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c +index 08ae128..c73fc2b 100644 +--- a/drivers/connector/cn_proc.c ++++ b/drivers/connector/cn_proc.c +@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + /* If cn_netlink_send() failed, the data is not sent */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } +@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + ev->what = which_id; + ev->event_data.id.process_pid = task->pid; + ev->event_data.id.process_tgid = task->tgid; +@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struct *task, int which_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_struct *task) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + get_seq(&msg->seq, &ev->cpu); + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_struct *task) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = 0; /* not used */ + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + + msg = (struct cn_msg *)buffer; + ev = (struct proc_event *)msg->data; ++ memset(&ev->event_data, 0, sizeof(ev->event_data)); + msg->seq = rcvd_seq; + ktime_get_ts(&ts); /* get high res monotonic timestamp */ + put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); +@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) + memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); + msg->ack = rcvd_ack + 1; + msg->len = sizeof(*ev); ++ msg->flags = 0; /* not used */ + cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); + } + +-- +1.7.11.7 + + +From f3d398e2465b3b74987a3a2fc42ea3e8c83d2166 Mon Sep 17 00:00:00 2001 +From: Jiri Benc +Date: Fri, 4 Oct 2013 17:04:48 +0200 +Subject: [PATCH 15/47] ipv4: fix ineffective source address selection + +[ Upstream commit 0a7e22609067ff524fc7bbd45c6951dd08561667 ] + +When sending out multicast messages, the source address in inet->mc_addr is +ignored and rewritten by an autoselected one. This is caused by a typo in +commit 813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output +route lookups"). + +Signed-off-by: Jiri Benc +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/ipv4/route.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv4/route.c b/net/ipv4/route.c +index a9a54a2..2de16d9 100644 +--- a/net/ipv4/route.c ++++ b/net/ipv4/route.c +@@ -2074,7 +2074,7 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4) + RT_SCOPE_LINK); + goto make_route; + } +- if (fl4->saddr) { ++ if (!fl4->saddr) { + if (ipv4_is_multicast(fl4->daddr)) + fl4->saddr = inet_select_addr(dev_out, 0, + fl4->flowi4_scope); +-- +1.7.11.7 + + +From 8fd516716afeb4631cf790a2be7ca30d0a664b01 Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Sat, 5 Oct 2013 21:25:17 +0200 +Subject: [PATCH 16/47] can: dev: fix nlmsg size calculation in can_get_size() + +[ Upstream commit fe119a05f8ca481623a8d02efcc984332e612528 ] + +This patch fixes the calculation of the nlmsg size, by adding the missing +nla_total_size(). + +Signed-off-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +--- + drivers/net/can/dev.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c +index f9cba41..1870c47 100644 +--- a/drivers/net/can/dev.c ++++ b/drivers/net/can/dev.c +@@ -705,14 +705,14 @@ static size_t can_get_size(const struct net_device *dev) + size_t size; + + size = nla_total_size(sizeof(u32)); /* IFLA_CAN_STATE */ +- size += sizeof(struct can_ctrlmode); /* IFLA_CAN_CTRLMODE */ ++ size += nla_total_size(sizeof(struct can_ctrlmode)); /* IFLA_CAN_CTRLMODE */ + size += nla_total_size(sizeof(u32)); /* IFLA_CAN_RESTART_MS */ +- size += sizeof(struct can_bittiming); /* IFLA_CAN_BITTIMING */ +- size += sizeof(struct can_clock); /* IFLA_CAN_CLOCK */ ++ size += nla_total_size(sizeof(struct can_bittiming)); /* IFLA_CAN_BITTIMING */ ++ size += nla_total_size(sizeof(struct can_clock)); /* IFLA_CAN_CLOCK */ + if (priv->do_get_berr_counter) /* IFLA_CAN_BERR_COUNTER */ +- size += sizeof(struct can_berr_counter); ++ size += nla_total_size(sizeof(struct can_berr_counter)); + if (priv->bittiming_const) /* IFLA_CAN_BITTIMING_CONST */ +- size += sizeof(struct can_bittiming_const); ++ size += nla_total_size(sizeof(struct can_bittiming_const)); + + return size; + } +-- +1.7.11.7 + + +From 1b3231ca7e26084580145c904dd10a60cac35c63 Mon Sep 17 00:00:00 2001 +From: Fabio Estevam +Date: Sat, 5 Oct 2013 17:56:59 -0300 +Subject: [PATCH 17/47] net: secure_seq: Fix warning when CONFIG_IPV6 and + CONFIG_INET are not selected + +[ Upstream commit cb03db9d0e964568407fb08ea46cc2b6b7f67587 ] + +net_secret() is only used when CONFIG_IPV6 or CONFIG_INET are selected. + +Building a defconfig with both of these symbols unselected (Using the ARM +at91sam9rl_defconfig, for example) leads to the following build warning: + +$ make at91sam9rl_defconfig +# +# configuration written to .config +# + +$ make net/core/secure_seq.o +scripts/kconfig/conf --silentoldconfig Kconfig + CHK include/config/kernel.release + CHK include/generated/uapi/linux/version.h + CHK include/generated/utsrelease.h +make[1]: `include/generated/mach-types.h' is up to date. + CALL scripts/checksyscalls.sh + CC net/core/secure_seq.o +net/core/secure_seq.c:17:13: warning: 'net_secret_init' defined but not used [-Wunused-function] + +Fix this warning by protecting the definition of net_secret() with these +symbols. + +Reported-by: Olof Johansson +Signed-off-by: Fabio Estevam +Signed-off-by: David S. Miller +--- + net/core/secure_seq.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c +index 3f1ec15..8d9d05e 100644 +--- a/net/core/secure_seq.c ++++ b/net/core/secure_seq.c +@@ -10,6 +10,7 @@ + + #include + ++#if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET) + #define NET_SECRET_SIZE (MD5_MESSAGE_BYTES / 4) + + static u32 net_secret[NET_SECRET_SIZE] ____cacheline_aligned; +@@ -29,6 +30,7 @@ static void net_secret_init(void) + cmpxchg(&net_secret[--i], 0, tmp); + } + } ++#endif + + #ifdef CONFIG_INET + static u32 seq_scale(u32 seq) +-- +1.7.11.7 + + +From 538680b534f30fe6531099f87267bb676c935351 Mon Sep 17 00:00:00 2001 +From: Paul Durrant +Date: Tue, 8 Oct 2013 14:56:44 +0100 +Subject: [PATCH 18/47] xen-netback: Don't destroy the netdev until the vif is + shut down + +[ upstream commit id: 279f438e36c0a70b23b86d2090aeec50155034a9 ] + +Without this patch, if a frontend cycles through states Closing +and Closed (which Windows frontends need to do) then the netdev +will be destroyed and requires re-invocation of hotplug scripts +to restore state before the frontend can move to Connected. Thus +when udev is not in use the backend gets stuck in InitWait. + +With this patch, the netdev is left alone whilst the backend is +still online and is only de-registered and freed just prior to +destroying the vif (which is also nicely symmetrical with the +netdev allocation and registration being done during probe) so +no re-invocation of hotplug scripts is required. + +Signed-off-by: Paul Durrant +Cc: David Vrabel +Cc: Wei Liu +Cc: Ian Campbell +--- + drivers/net/xen-netback/common.h | 1 + + drivers/net/xen-netback/interface.c | 23 +++++++++-------------- + drivers/net/xen-netback/xenbus.c | 17 ++++++++++++----- + 3 files changed, 22 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h +index 8a4d77e..4d9a5e7 100644 +--- a/drivers/net/xen-netback/common.h ++++ b/drivers/net/xen-netback/common.h +@@ -120,6 +120,7 @@ int xenvif_connect(struct xenvif *vif, unsigned long tx_ring_ref, + unsigned long rx_ring_ref, unsigned int tx_evtchn, + unsigned int rx_evtchn); + void xenvif_disconnect(struct xenvif *vif); ++void xenvif_free(struct xenvif *vif); + + void xenvif_get(struct xenvif *vif); + void xenvif_put(struct xenvif *vif); +diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c +index 087d2db..73336c1 100644 +--- a/drivers/net/xen-netback/interface.c ++++ b/drivers/net/xen-netback/interface.c +@@ -326,6 +326,9 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, + } + + netdev_dbg(dev, "Successfully created xenvif\n"); ++ ++ __module_get(THIS_MODULE); ++ + return vif; + } + +@@ -413,12 +416,6 @@ void xenvif_carrier_off(struct xenvif *vif) + + void xenvif_disconnect(struct xenvif *vif) + { +- /* Disconnect funtion might get called by generic framework +- * even before vif connects, so we need to check if we really +- * need to do a module_put. +- */ +- int need_module_put = 0; +- + if (netif_carrier_ok(vif->dev)) + xenvif_carrier_off(vif); + +@@ -432,18 +429,16 @@ void xenvif_disconnect(struct xenvif *vif) + unbind_from_irqhandler(vif->tx_irq, vif); + unbind_from_irqhandler(vif->rx_irq, vif); + } +- /* vif->irq is valid, we had a module_get in +- * xenvif_connect. +- */ +- need_module_put = 1; + } + +- unregister_netdev(vif->dev); +- + xen_netbk_unmap_frontend_rings(vif); ++} ++ ++void xenvif_free(struct xenvif *vif) ++{ ++ unregister_netdev(vif->dev); + + free_netdev(vif->dev); + +- if (need_module_put) +- module_put(THIS_MODULE); ++ module_put(THIS_MODULE); + } +diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c +index 1fe48fe3..a53782e 100644 +--- a/drivers/net/xen-netback/xenbus.c ++++ b/drivers/net/xen-netback/xenbus.c +@@ -42,7 +42,7 @@ static int netback_remove(struct xenbus_device *dev) + if (be->vif) { + kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); + xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status"); +- xenvif_disconnect(be->vif); ++ xenvif_free(be->vif); + be->vif = NULL; + } + kfree(be); +@@ -213,9 +213,18 @@ static void disconnect_backend(struct xenbus_device *dev) + { + struct backend_info *be = dev_get_drvdata(&dev->dev); + ++ if (be->vif) ++ xenvif_disconnect(be->vif); ++} ++ ++static void destroy_backend(struct xenbus_device *dev) ++{ ++ struct backend_info *be = dev_get_drvdata(&dev->dev); ++ + if (be->vif) { ++ kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); + xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status"); +- xenvif_disconnect(be->vif); ++ xenvif_free(be->vif); + be->vif = NULL; + } + } +@@ -246,14 +255,11 @@ static void frontend_changed(struct xenbus_device *dev, + case XenbusStateConnected: + if (dev->state == XenbusStateConnected) + break; +- backend_create_xenvif(be); + if (be->vif) + connect(be); + break; + + case XenbusStateClosing: +- if (be->vif) +- kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); + disconnect_backend(dev); + xenbus_switch_state(dev, XenbusStateClosing); + break; +@@ -262,6 +268,7 @@ static void frontend_changed(struct xenbus_device *dev, + xenbus_switch_state(dev, XenbusStateClosed); + if (xenbus_dev_is_online(dev)) + break; ++ destroy_backend(dev); + /* fall through if not online */ + case XenbusStateUnknown: + device_unregister(&dev->dev); +-- +1.7.11.7 + + +From 29bb21656d747e62d55b9e1929b23eadcd6be324 Mon Sep 17 00:00:00 2001 +From: Amir Vadai +Date: Mon, 7 Oct 2013 13:38:12 +0200 +Subject: [PATCH 19/47] net/mlx4_en: Rename name of mlx4_en_rx_alloc members + +[ Upstream commit 70fbe0794393829d9acd686428d87c27b6f6984b ] + +Add page prefix to page related members: @size and @offset into +@page_size and @page_offset + +CC: Eric Dumazet +Signed-off-by: Amir Vadai +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 40 ++++++++++++++++------------ + drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 4 +-- + 2 files changed, 25 insertions(+), 19 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +index dec455c..066fc27 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -70,14 +70,15 @@ static int mlx4_alloc_pages(struct mlx4_en_priv *priv, + put_page(page); + return -ENOMEM; + } +- page_alloc->size = PAGE_SIZE << order; ++ page_alloc->page_size = PAGE_SIZE << order; + page_alloc->page = page; + page_alloc->dma = dma; +- page_alloc->offset = frag_info->frag_align; ++ page_alloc->page_offset = frag_info->frag_align; + /* Not doing get_page() for each frag is a big win + * on asymetric workloads. + */ +- atomic_set(&page->_count, page_alloc->size / frag_info->frag_stride); ++ atomic_set(&page->_count, ++ page_alloc->page_size / frag_info->frag_stride); + return 0; + } + +@@ -96,16 +97,19 @@ static int mlx4_en_alloc_frags(struct mlx4_en_priv *priv, + for (i = 0; i < priv->num_frags; i++) { + frag_info = &priv->frag_info[i]; + page_alloc[i] = ring_alloc[i]; +- page_alloc[i].offset += frag_info->frag_stride; +- if (page_alloc[i].offset + frag_info->frag_stride <= ring_alloc[i].size) ++ page_alloc[i].page_offset += frag_info->frag_stride; ++ ++ if (page_alloc[i].page_offset + frag_info->frag_stride <= ++ ring_alloc[i].page_size) + continue; ++ + if (mlx4_alloc_pages(priv, &page_alloc[i], frag_info, gfp)) + goto out; + } + + for (i = 0; i < priv->num_frags; i++) { + frags[i] = ring_alloc[i]; +- dma = ring_alloc[i].dma + ring_alloc[i].offset; ++ dma = ring_alloc[i].dma + ring_alloc[i].page_offset; + ring_alloc[i] = page_alloc[i]; + rx_desc->data[i].addr = cpu_to_be64(dma); + } +@@ -117,7 +121,7 @@ out: + frag_info = &priv->frag_info[i]; + if (page_alloc[i].page != ring_alloc[i].page) { + dma_unmap_page(priv->ddev, page_alloc[i].dma, +- page_alloc[i].size, PCI_DMA_FROMDEVICE); ++ page_alloc[i].page_size, PCI_DMA_FROMDEVICE); + page = page_alloc[i].page; + atomic_set(&page->_count, 1); + put_page(page); +@@ -132,9 +136,10 @@ static void mlx4_en_free_frag(struct mlx4_en_priv *priv, + { + const struct mlx4_en_frag_info *frag_info = &priv->frag_info[i]; + +- if (frags[i].offset + frag_info->frag_stride > frags[i].size) +- dma_unmap_page(priv->ddev, frags[i].dma, frags[i].size, +- PCI_DMA_FROMDEVICE); ++ if (frags[i].page_offset + frag_info->frag_stride > ++ frags[i].page_size) ++ dma_unmap_page(priv->ddev, frags[i].dma, frags[i].page_size, ++ PCI_DMA_FROMDEVICE); + + if (frags[i].page) + put_page(frags[i].page); +@@ -161,7 +166,7 @@ out: + + page_alloc = &ring->page_alloc[i]; + dma_unmap_page(priv->ddev, page_alloc->dma, +- page_alloc->size, PCI_DMA_FROMDEVICE); ++ page_alloc->page_size, PCI_DMA_FROMDEVICE); + page = page_alloc->page; + atomic_set(&page->_count, 1); + put_page(page); +@@ -184,10 +189,11 @@ static void mlx4_en_destroy_allocator(struct mlx4_en_priv *priv, + i, page_count(page_alloc->page)); + + dma_unmap_page(priv->ddev, page_alloc->dma, +- page_alloc->size, PCI_DMA_FROMDEVICE); +- while (page_alloc->offset + frag_info->frag_stride < page_alloc->size) { ++ page_alloc->page_size, PCI_DMA_FROMDEVICE); ++ while (page_alloc->page_offset + frag_info->frag_stride < ++ page_alloc->page_size) { + put_page(page_alloc->page); +- page_alloc->offset += frag_info->frag_stride; ++ page_alloc->page_offset += frag_info->frag_stride; + } + page_alloc->page = NULL; + } +@@ -478,7 +484,7 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv, + /* Save page reference in skb */ + __skb_frag_set_page(&skb_frags_rx[nr], frags[nr].page); + skb_frag_size_set(&skb_frags_rx[nr], frag_info->frag_size); +- skb_frags_rx[nr].page_offset = frags[nr].offset; ++ skb_frags_rx[nr].page_offset = frags[nr].page_offset; + skb->truesize += frag_info->frag_stride; + frags[nr].page = NULL; + } +@@ -517,7 +523,7 @@ static struct sk_buff *mlx4_en_rx_skb(struct mlx4_en_priv *priv, + + /* Get pointer to first fragment so we could copy the headers into the + * (linear part of the) skb */ +- va = page_address(frags[0].page) + frags[0].offset; ++ va = page_address(frags[0].page) + frags[0].page_offset; + + if (length <= SMALL_PACKET_SIZE) { + /* We are copying all relevant data to the skb - temporarily +@@ -645,7 +651,7 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud + dma_sync_single_for_cpu(priv->ddev, dma, sizeof(*ethh), + DMA_FROM_DEVICE); + ethh = (struct ethhdr *)(page_address(frags[0].page) + +- frags[0].offset); ++ frags[0].page_offset); + + if (is_multicast_ether_addr(ethh->h_dest)) { + struct mlx4_mac_entry *entry; +diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +index 5e0aa56..bf06e36 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h ++++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h +@@ -237,8 +237,8 @@ struct mlx4_en_tx_desc { + struct mlx4_en_rx_alloc { + struct page *page; + dma_addr_t dma; +- u32 offset; +- u32 size; ++ u32 page_offset; ++ u32 page_size; + }; + + struct mlx4_en_tx_ring { +-- +1.7.11.7 + + +From 4bd2cc99115d31513bfe3c2bd7bcfe67fc081ae8 Mon Sep 17 00:00:00 2001 +From: Amir Vadai +Date: Mon, 7 Oct 2013 13:38:13 +0200 +Subject: [PATCH 20/47] net/mlx4_en: Fix pages never dma unmapped on rx + +[ Upstream commit 021f1107ffdae7a82af6c53f4c52654062e365c6 ] + +This patch fixes a bug introduced by commit 51151a16 (mlx4: allow +order-0 memory allocations in RX path). + +dma_unmap_page never reached because condition to detect last fragment +in page is wrong. offset+frag_stride can't be greater than size, need to +make sure no additional frag will fit in page => compare offset + +frag_stride + next_frag_size instead. +next_frag_size is the same as the current one, since page is shared only +with frags of the same size. + +CC: Eric Dumazet +Signed-off-by: Amir Vadai +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/mellanox/mlx4/en_rx.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +index 066fc27..afe2efa 100644 +--- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c ++++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c +@@ -135,9 +135,10 @@ static void mlx4_en_free_frag(struct mlx4_en_priv *priv, + int i) + { + const struct mlx4_en_frag_info *frag_info = &priv->frag_info[i]; ++ u32 next_frag_end = frags[i].page_offset + 2 * frag_info->frag_stride; + +- if (frags[i].page_offset + frag_info->frag_stride > +- frags[i].page_size) ++ ++ if (next_frag_end > frags[i].page_size) + dma_unmap_page(priv->ddev, frags[i].dma, frags[i].page_size, + PCI_DMA_FROMDEVICE); + +-- +1.7.11.7 + + +From af64f33fff313187ca01ddb7db09b537a89208dd Mon Sep 17 00:00:00 2001 +From: Marc Kleine-Budde +Date: Mon, 7 Oct 2013 23:19:58 +0200 +Subject: [PATCH 21/47] net: vlan: fix nlmsg size calculation in + vlan_get_size() + +[ Upstream commit c33a39c575068c2ea9bffb22fd6de2df19c74b89 ] + +This patch fixes the calculation of the nlmsg size, by adding the missing +nla_total_size(). + +Cc: Patrick McHardy +Signed-off-by: Marc Kleine-Budde +Signed-off-by: David S. Miller +--- + net/8021q/vlan_netlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c +index 3091297..c7e634a 100644 +--- a/net/8021q/vlan_netlink.c ++++ b/net/8021q/vlan_netlink.c +@@ -171,7 +171,7 @@ static size_t vlan_get_size(const struct net_device *dev) + + return nla_total_size(2) + /* IFLA_VLAN_PROTOCOL */ + nla_total_size(2) + /* IFLA_VLAN_ID */ +- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */ ++ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */ + vlan_qos_map_size(vlan->nr_ingress_mappings) + + vlan_qos_map_size(vlan->nr_egress_mappings); + } +-- +1.7.11.7 + + +From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Thu, 10 Oct 2013 15:57:59 -0400 +Subject: [PATCH 22/47] bridge: update mdb expiration timer upon reports. + +[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ] + +commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b + bridge: only expire the mdb entry when query is received +changed the mdb expiration timer to be armed only when QUERY is +received. Howerver, this causes issues in an environment where +the multicast server socket comes and goes very fast while a client +is trying to send traffic to it. + +The root cause is a race where a sequence of LEAVE followed by REPORT +messages can race against QUERY messages generated in response to LEAVE. +The QUERY ends up starting the expiration timer, and that timer can +potentially expire after the new REPORT message has been received signaling +the new join operation. This leads to a significant drop in multicast +traffic and possible complete stall. + +The solution is to have REPORT messages update the expiration timer +on entries that already exist. + +CC: Cong Wang +CC: Herbert Xu +CC: Stephen Hemminger +Signed-off-by: Vlad Yasevich +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +--- + net/bridge/br_multicast.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index bbcb435..0e3fea7 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -610,6 +610,9 @@ rehash: + break; + + default: ++ /* If we have an existing entry, update it's expire timer */ ++ mod_timer(&mp->timer, ++ jiffies + br->multicast_membership_interval); + goto out; + } + +@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct net_bridge *br, + for (pp = &mp->ports; + (p = mlock_dereference(*pp, br)) != NULL; + pp = &p->next) { +- if (p->port == port) ++ if (p->port == port) { ++ /* We already have a portgroup, update the timer. */ ++ mod_timer(&p->timer, ++ jiffies + br->multicast_membership_interval); + goto out; ++ } + if ((unsigned long)p->port < (unsigned long)port) + break; + } +-- +1.7.11.7 + + +From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Linus=20L=C3=BCssing?= +Date: Sun, 20 Oct 2013 00:58:57 +0200 +Subject: [PATCH 23/47] Revert "bridge: only expire the mdb entry when query + is received" +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ] + +While this commit was a good attempt to fix issues occuring when no +multicast querier is present, this commit still has two more issues: + +1) There are cases where mdb entries do not expire even if there is a +querier present. The bridge will unnecessarily continue flooding +multicast packets on the according ports. + +2) Never removing an mdb entry could be exploited for a Denial of +Service by an attacker on the local link, slowly, but steadily eating up +all memory. + +Actually, this commit became obsolete with +"bridge: disable snooping if there is no querier" (b00589af3b) +which included fixes for a few more cases. + +Therefore reverting the following commits (the commit stated in the +commit message plus three of its follow up fixes): + +==================== +Revert "bridge: update mdb expiration timer upon reports." +This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc. +Revert "bridge: do not call setup_timer() multiple times" +This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1. +Revert "bridge: fix some kernel warning in multicast timer" +This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1. +Revert "bridge: only expire the mdb entry when query is received" +This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b. +==================== + +CC: Cong Wang +Signed-off-by: Linus Lüssing +Reviewed-by: Vlad Yasevich +Signed-off-by: David S. Miller +--- + net/bridge/br_mdb.c | 2 +- + net/bridge/br_multicast.c | 47 +++++++++++++++++++++++++++-------------------- + net/bridge/br_private.h | 1 - + 3 files changed, 28 insertions(+), 22 deletions(-) + +diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c +index 6319c43..de3a0e7 100644 +--- a/net/bridge/br_mdb.c ++++ b/net/bridge/br_mdb.c +@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry) + call_rcu_bh(&p->rcu, br_multicast_free_pg); + err = 0; + +- if (!mp->ports && !mp->mglist && mp->timer_armed && ++ if (!mp->ports && !mp->mglist && + netif_running(br->dev)) + mod_timer(&mp->timer, jiffies); + break; +diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c +index 0e3fea7..fbad619 100644 +--- a/net/bridge/br_multicast.c ++++ b/net/bridge/br_multicast.c +@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct net_bridge *br, + del_timer(&p->timer); + call_rcu_bh(&p->rcu, br_multicast_free_pg); + +- if (!mp->ports && !mp->mglist && mp->timer_armed && ++ if (!mp->ports && !mp->mglist && + netif_running(br->dev)) + mod_timer(&mp->timer, jiffies); + +@@ -610,9 +610,6 @@ rehash: + break; + + default: +- /* If we have an existing entry, update it's expire timer */ +- mod_timer(&mp->timer, +- jiffies + br->multicast_membership_interval); + goto out; + } + +@@ -622,7 +619,6 @@ rehash: + + mp->br = br; + mp->addr = *group; +- + setup_timer(&mp->timer, br_multicast_group_expired, + (unsigned long)mp); + +@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct net_bridge *br, + struct net_bridge_mdb_entry *mp; + struct net_bridge_port_group *p; + struct net_bridge_port_group __rcu **pp; ++ unsigned long now = jiffies; + int err; + + spin_lock(&br->multicast_lock); +@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct net_bridge *br, + + if (!port) { + mp->mglist = true; ++ mod_timer(&mp->timer, now + br->multicast_membership_interval); + goto out; + } + + for (pp = &mp->ports; + (p = mlock_dereference(*pp, br)) != NULL; + pp = &p->next) { +- if (p->port == port) { +- /* We already have a portgroup, update the timer. */ +- mod_timer(&p->timer, +- jiffies + br->multicast_membership_interval); +- goto out; +- } ++ if (p->port == port) ++ goto found; + if ((unsigned long)p->port < (unsigned long)port) + break; + } +@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct net_bridge *br, + rcu_assign_pointer(*pp, p); + br_mdb_notify(br->dev, port, group, RTM_NEWMDB); + ++found: ++ mod_timer(&p->timer, now + br->multicast_membership_interval); + out: + err = 0; + +@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + +- mod_timer(&mp->timer, now + br->multicast_membership_interval); +- mp->timer_armed = true; +- + max_delay *= br->multicast_last_member_count; + + if (mp->mglist && +@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct net_bridge *br, + if (!mp) + goto out; + +- mod_timer(&mp->timer, now + br->multicast_membership_interval); +- mp->timer_armed = true; +- + max_delay *= br->multicast_last_member_count; + if (mp->mglist && + (timer_pending(&mp->timer) ? +@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(struct net_bridge *br, + call_rcu_bh(&p->rcu, br_multicast_free_pg); + br_mdb_notify(br->dev, port, group, RTM_DELMDB); + +- if (!mp->ports && !mp->mglist && mp->timer_armed && ++ if (!mp->ports && !mp->mglist && + netif_running(br->dev)) + mod_timer(&mp->timer, jiffies); + } +@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(struct net_bridge *br, + br->multicast_last_member_interval; + + if (!port) { +- if (mp->mglist && mp->timer_armed && ++ if (mp->mglist && + (timer_pending(&mp->timer) ? + time_after(mp->timer.expires, time) : + try_to_del_timer_sync(&mp->timer) >= 0)) { + mod_timer(&mp->timer, time); + } ++ ++ goto out; ++ } ++ ++ for (p = mlock_dereference(mp->ports, br); ++ p != NULL; ++ p = mlock_dereference(p->next, br)) { ++ if (p->port != port) ++ continue; ++ ++ if (!hlist_unhashed(&p->mglist) && ++ (timer_pending(&p->timer) ? ++ time_after(p->timer.expires, time) : ++ try_to_del_timer_sync(&p->timer) >= 0)) { ++ mod_timer(&p->timer, time); ++ } ++ ++ break; + } + out: + spin_unlock(&br->multicast_lock); +@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge *br) + hlist_for_each_entry_safe(mp, n, &mdb->mhash[i], + hlist[ver]) { + del_timer(&mp->timer); +- mp->timer_armed = false; + call_rcu_bh(&mp->rcu, br_multicast_free_group); + } + } +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index cde1eb1..aa05bd8 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry + struct timer_list timer; + struct br_ip addr; + bool mglist; +- bool timer_armed; + }; + + struct net_bridge_mdb_htable +-- +1.7.11.7 + + +From 40420baad983147cd23e6de95c958c96b96be727 Mon Sep 17 00:00:00 2001 +From: Christophe Gouault +Date: Tue, 8 Oct 2013 17:21:22 +0200 +Subject: [PATCH 24/47] vti: get rid of nf mark rule in prerouting + +[ Upstream commit 7263a5187f9e9de45fcb51349cf0e031142c19a1 ] + +This patch fixes and improves the use of vti interfaces (while +lightly changing the way of configuring them). + +Currently: + +- it is necessary to identify and mark inbound IPsec + packets destined to each vti interface, via netfilter rules in + the mangle table at prerouting hook. + +- the vti module cannot retrieve the right tunnel in input since + commit b9959fd3: vti tunnels all have an i_key, but the tunnel lookup + is done with flag TUNNEL_NO_KEY, so there no chance to retrieve them. + +- the i_key is used by the outbound processing as a mark to lookup + for the right SP and SA bundle. + +This patch uses the o_key to store the vti mark (instead of i_key) and +enables: + +- to avoid the need for previously marking the inbound skbuffs via a + netfilter rule. +- to properly retrieve the right tunnel in input, only based on the IPsec + packet outer addresses. +- to properly perform an inbound policy check (using the tunnel o_key + as a mark). +- to properly perform an outbound SPD and SAD lookup (using the tunnel + o_key as a mark). +- to keep the current mark of the skbuff. The skbuff mark is neither + used nor changed by the vti interface. Only the vti interface o_key + is used. + +SAs have a wildcard mark. +SPs have a mark equal to the vti interface o_key. + +The vti interface must be created as follows (i_key = 0, o_key = mark): + + ip link add vti1 mode vti local 1.1.1.1 remote 2.2.2.2 okey 1 + +The SPs attached to vti1 must be created as follows (mark = vti1 o_key): + + ip xfrm policy add dir out mark 1 tmpl src 1.1.1.1 dst 2.2.2.2 \ + proto esp mode tunnel + ip xfrm policy add dir in mark 1 tmpl src 2.2.2.2 dst 1.1.1.1 \ + proto esp mode tunnel + +The SAs are created with the default wildcard mark. There is no +distinction between global vs. vti SAs. Just their addresses will +possibly link them to a vti interface: + + ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1000 mode tunnel \ + enc "cbc(aes)" "azertyuiopqsdfgh" + + ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2000 mode tunnel \ + enc "cbc(aes)" "sqbdhgqsdjqjsdfh" + +To avoid matching "global" (not vti) SPs in vti interfaces, global SPs +should no use the default wildcard mark, but explicitly match mark 0. + +To avoid a double SPD lookup in input and output (in global and vti SPDs), +the NOPOLICY and NOXFRM options should be set on the vti interfaces: + + echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_policy + echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_xfrm + +The outgoing traffic is steered to vti1 by a route via the vti interface: + + ip route add 192.168.0.0/16 dev vti1 + +The incoming IPsec traffic is steered to vti1 because its outer addresses +match the vti1 tunnel configuration. + +Signed-off-by: Christophe Gouault +Signed-off-by: David S. Miller +--- + net/ipv4/ip_vti.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c +index 17cc0ff..0656041 100644 +--- a/net/ipv4/ip_vti.c ++++ b/net/ipv4/ip_vti.c +@@ -285,8 +285,17 @@ static int vti_rcv(struct sk_buff *skb) + tunnel = vti_tunnel_lookup(dev_net(skb->dev), iph->saddr, iph->daddr); + if (tunnel != NULL) { + struct pcpu_tstats *tstats; ++ u32 oldmark = skb->mark; ++ int ret; + +- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) ++ ++ /* temporarily mark the skb with the tunnel o_key, to ++ * only match policies with this mark. ++ */ ++ skb->mark = be32_to_cpu(tunnel->parms.o_key); ++ ret = xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb); ++ skb->mark = oldmark; ++ if (!ret) + return -1; + + tstats = this_cpu_ptr(tunnel->dev->tstats); +@@ -295,7 +304,6 @@ static int vti_rcv(struct sk_buff *skb) + tstats->rx_bytes += skb->len; + u64_stats_update_end(&tstats->syncp); + +- skb->mark = 0; + secpath_reset(skb); + skb->dev = tunnel->dev; + return 1; +@@ -327,7 +335,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) + + memset(&fl4, 0, sizeof(fl4)); + flowi4_init_output(&fl4, tunnel->parms.link, +- be32_to_cpu(tunnel->parms.i_key), RT_TOS(tos), ++ be32_to_cpu(tunnel->parms.o_key), RT_TOS(tos), + RT_SCOPE_UNIVERSE, + IPPROTO_IPIP, 0, + dst, tiph->saddr, 0, 0); +-- +1.7.11.7 + + +From d74d8a563ec79425464d7a8aeaa1796724fea7bc Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Thu, 10 Oct 2013 06:30:09 -0700 +Subject: [PATCH 25/47] l2tp: must disable bh before calling l2tp_xmit_skb() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 455cc32bf128e114455d11ad919321ab89a2c312 ] + +François Cachereul made a very nice bug report and suspected +the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from +process context was not good. + +This problem was added by commit 6af88da14ee284aaad6e4326da09a89191ab6165 +("l2tp: Fix locking in l2tp_core.c"). + +l2tp_eth_dev_xmit() runs from BH context, so we must disable BH +from other l2tp_xmit_skb() users. + +[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662] +[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox +ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod +virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan] +[ 452.064012] CPU 1 +[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643] +[ 452.080015] CPU 2 +[ 452.080015] +[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs +[ 452.080015] RIP: 0010:[] [] do_raw_spin_lock+0x17/0x1f +[ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293 +[ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000 +[ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110 +[ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000 +[ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286 +[ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000 +[ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000 +[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0 +[ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0) +[ 452.080015] Stack: +[ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1 +[ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e +[ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600 +[ 452.080015] Call Trace: +[ 452.080015] [] _raw_spin_lock+0xe/0x10 +[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] +[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.080015] [] sock_sendmsg+0xa1/0xb6 +[ 452.080015] [] ? __schedule+0x5c1/0x616 +[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c +[ 452.080015] [] ? fget_light+0x75/0x89 +[ 452.080015] [] ? sockfd_lookup_light+0x20/0x56 +[ 452.080015] [] sys_sendto+0x10c/0x13b +[ 452.080015] [] system_call_fastpath+0x16/0x1b +[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 +[ 452.080015] Call Trace: +[ 452.080015] [] _raw_spin_lock+0xe/0x10 +[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] +[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.080015] [] sock_sendmsg+0xa1/0xb6 +[ 452.080015] [] ? __schedule+0x5c1/0x616 +[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c +[ 452.080015] [] ? fget_light+0x75/0x89 +[ 452.080015] [] ? sockfd_lookup_light+0x20/0x56 +[ 452.080015] [] sys_sendto+0x10c/0x13b +[ 452.080015] [] system_call_fastpath+0x16/0x1b +[ 452.064012] +[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs +[ 452.064012] RIP: 0010:[] [] do_raw_spin_lock+0x19/0x1f +[ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297 +[ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002 +[ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110 +[ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c +[ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18 +[ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0 +[ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000 +[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0 +[ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +[ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +[ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410) +[ 452.064012] Stack: +[ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a +[ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62 +[ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276 +[ 452.064012] Call Trace: +[ 452.064012] +[ 452.064012] [] _raw_spin_lock+0xe/0x10 +[ 452.064012] [] spin_lock+0x9/0xb +[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 +[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae +[ 452.064012] [] ? raw_rcv+0xe9/0xf0 +[ 452.064012] [] udp_rcv+0x1a/0x1c +[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 +[ 452.064012] [] ip_local_deliver+0x53/0x84 +[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 +[ 452.064012] [] ip_rcv+0x210/0x269 +[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb +[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 +[ 452.064012] [] netif_receive_skb+0x57/0x5e +[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b +[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] +[ 452.064012] [] net_rx_action+0x73/0x184 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] __do_softirq+0xc3/0x1a8 +[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 +[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 +[ 452.064012] [] call_softirq+0x1c/0x26 +[ 452.064012] [] do_softirq+0x45/0x82 +[ 452.064012] [] irq_exit+0x42/0x9c +[ 452.064012] [] do_IRQ+0x8e/0xa5 +[ 452.064012] [] common_interrupt+0x6e/0x6e +[ 452.064012] +[ 452.064012] [] ? kfree+0x8a/0xa3 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] +[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.064012] [] sock_sendmsg+0xa1/0xb6 +[ 452.064012] [] ? __schedule+0x5c1/0x616 +[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c +[ 452.064012] [] ? fget_light+0x75/0x89 +[ 452.064012] [] ? sockfd_lookup_light+0x20/0x56 +[ 452.064012] [] sys_sendto+0x10c/0x13b +[ 452.064012] [] system_call_fastpath+0x16/0x1b +[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48 +[ 452.064012] Call Trace: +[ 452.064012] [] _raw_spin_lock+0xe/0x10 +[ 452.064012] [] spin_lock+0x9/0xb +[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 +[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae +[ 452.064012] [] ? raw_rcv+0xe9/0xf0 +[ 452.064012] [] udp_rcv+0x1a/0x1c +[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 +[ 452.064012] [] ip_local_deliver+0x53/0x84 +[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 +[ 452.064012] [] ip_rcv+0x210/0x269 +[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb +[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 +[ 452.064012] [] netif_receive_skb+0x57/0x5e +[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b +[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] +[ 452.064012] [] net_rx_action+0x73/0x184 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] __do_softirq+0xc3/0x1a8 +[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 +[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 +[ 452.064012] [] call_softirq+0x1c/0x26 +[ 452.064012] [] do_softirq+0x45/0x82 +[ 452.064012] [] irq_exit+0x42/0x9c +[ 452.064012] [] do_IRQ+0x8e/0xa5 +[ 452.064012] [] common_interrupt+0x6e/0x6e +[ 452.064012] [] ? kfree+0x8a/0xa3 +[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] +[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] +[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] +[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 +[ 452.064012] [] sock_sendmsg+0xa1/0xb6 +[ 452.064012] [] ? __schedule+0x5c1/0x616 +[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c +[ 452.064012] [] ? fget_light+0x75/0x89 +[ 452.064012] [] ? sockfd_lookup_light+0x20/0x56 +[ 452.064012] [] sys_sendto+0x10c/0x13b +[ 452.064012] [] system_call_fastpath+0x16/0x1b + +Reported-by: François Cachereul +Tested-by: François Cachereul +Signed-off-by: Eric Dumazet +Cc: James Chapman +Signed-off-by: David S. Miller +--- + net/l2tp/l2tp_ppp.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 5ebee2d..8c46b27 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -353,7 +353,9 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh + goto error_put_sess_tun; + } + ++ local_bh_disable(); + l2tp_xmit_skb(session, skb, session->hdr_len); ++ local_bh_enable(); + + sock_put(ps->tunnel_sock); + sock_put(sk); +@@ -422,7 +424,9 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) + skb->data[0] = ppph[0]; + skb->data[1] = ppph[1]; + ++ local_bh_disable(); + l2tp_xmit_skb(session, skb, session->hdr_len); ++ local_bh_enable(); + + sock_put(sk_tun); + sock_put(sk); +-- +1.7.11.7 + + +From 5bf1c228293765ff84e4121cf2f92395403b7e33 Mon Sep 17 00:00:00 2001 +From: stephen hemminger +Date: Sun, 6 Oct 2013 15:15:33 -0700 +Subject: [PATCH 26/47] netem: update backlog after drop +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 638a52b801e40ed276ceb69b73579ad99365361a ] + +When packet is dropped from rb-tree netem the backlog statistic should +also be updated. + +Reported-by: Сергеев Сергей +Signed-off-by: Stephen Hemminger +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/sched/sch_netem.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 82f6016..7dc79940 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -523,6 +523,7 @@ static unsigned int netem_drop(struct Qdisc *sch) + skb->next = NULL; + skb->prev = NULL; + len = qdisc_pkt_len(skb); ++ sch->qstats.backlog -= len; + kfree_skb(skb); + } + } +-- +1.7.11.7 + + +From ddc30868db0e31c0c2ab4691131a050f9136f3bf Mon Sep 17 00:00:00 2001 +From: stephen hemminger +Date: Sun, 6 Oct 2013 15:16:49 -0700 +Subject: [PATCH 27/47] netem: free skb's in tree on reset +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit ff704050f2fc0f3382b5a70bba56a51a3feca79d ] + +Netem can leak memory because packets get stored in red-black +tree and it is not cleared on reset. + +Reported by: Сергеев Сергей +Signed-off-by: Stephen Hemminger +Signed-off-by: David S. Miller +--- + net/sched/sch_netem.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c +index 7dc79940..3626010 100644 +--- a/net/sched/sch_netem.c ++++ b/net/sched/sch_netem.c +@@ -358,6 +358,21 @@ static psched_time_t packet_len_2_sched_time(unsigned int len, struct netem_sche + return PSCHED_NS2TICKS(ticks); + } + ++static void tfifo_reset(struct Qdisc *sch) ++{ ++ struct netem_sched_data *q = qdisc_priv(sch); ++ struct rb_node *p; ++ ++ while ((p = rb_first(&q->t_root))) { ++ struct sk_buff *skb = netem_rb_to_skb(p); ++ ++ rb_erase(p, &q->t_root); ++ skb->next = NULL; ++ skb->prev = NULL; ++ kfree_skb(skb); ++ } ++} ++ + static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) + { + struct netem_sched_data *q = qdisc_priv(sch); +@@ -613,6 +628,7 @@ static void netem_reset(struct Qdisc *sch) + struct netem_sched_data *q = qdisc_priv(sch); + + qdisc_reset_queue(sch); ++ tfifo_reset(sch); + if (q->qdisc) + qdisc_reset(q->qdisc); + qdisc_watchdog_cancel(&q->watchdog); +-- +1.7.11.7 + + +From c871c477136615360e283471acdb33df95d70470 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Salva=20Peir=C3=B3?= +Date: Fri, 11 Oct 2013 12:50:03 +0300 +Subject: [PATCH 28/47] farsync: fix info leak in ioctl + +[ Upstream commit 96b340406724d87e4621284ebac5e059d67b2194 ] + +The fst_get_iface() code fails to initialize the two padding bytes of +struct sync_serial_settings after the ->loopback member. Add an explicit +memset(0) before filling the structure to avoid the info leak. + +Signed-off-by: Dan Carpenter +Signed-off-by: David S. Miller +--- + drivers/net/wan/farsync.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c +index 3f0c4f2..bcfff0d 100644 +--- a/drivers/net/wan/farsync.c ++++ b/drivers/net/wan/farsync.c +@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port, + } + + i = port->index; ++ memset(&sync, 0, sizeof(sync)); + sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed); + /* Lucky card and linux use same encoding here */ + sync.clock_type = FST_RDB(card, portConfig[i].internalClock) == +-- +1.7.11.7 + + +From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:05:40 +0200 +Subject: [PATCH 29/47] unix_diag: fix info leak + +[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ] + +When filling the netlink message we miss to wipe the pad field, +therefore leak one byte of heap memory to userland. Fix this by +setting pad to 0. + +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +--- + net/unix/diag.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/net/unix/diag.c b/net/unix/diag.c +index d591091..86fa0f3 100644 +--- a/net/unix/diag.c ++++ b/net/unix/diag.c +@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r + rep->udiag_family = AF_UNIX; + rep->udiag_type = sk->sk_type; + rep->udiag_state = sk->sk_state; ++ rep->pad = 0; + rep->udiag_ino = sk_ino; + sock_diag_save_cookie(sk, rep->udiag_cookie); + +-- +1.7.11.7 + + +From 00fa721e6873ccbb36fc008558bb7d23e9e3c21f Mon Sep 17 00:00:00 2001 +From: Mathias Krause +Date: Mon, 30 Sep 2013 22:03:07 +0200 +Subject: [PATCH 30/47] connector: use nlmsg_len() to check message length + +[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ] + +The current code tests the length of the whole netlink message to be +at least as long to fit a cn_msg. This is wrong as nlmsg_len includes +the length of the netlink message header. Use nlmsg_len() instead to +fix this "off-by-NLMSG_HDRLEN" size check. + +Cc: stable@vger.kernel.org # v2.6.14+ +Signed-off-by: Mathias Krause +Signed-off-by: David S. Miller +--- + drivers/connector/connector.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c +index 6ecfa75..0daa11e 100644 +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) + static void cn_rx_skb(struct sk_buff *__skb) + { + struct nlmsghdr *nlh; +- int err; + struct sk_buff *skb; ++ int len, err; + + skb = skb_get(__skb); + + if (skb->len >= NLMSG_HDRLEN) { + nlh = nlmsg_hdr(skb); ++ len = nlmsg_len(nlh); + +- if (nlh->nlmsg_len < sizeof(struct cn_msg) || ++ if (len < (int)sizeof(struct cn_msg) || + skb->len < nlh->nlmsg_len || +- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { ++ len > CONNECTOR_MAX_MSG_SIZE) { + kfree_skb(skb); + return; + } +-- +1.7.11.7 + + +From d99d51100021c9f8b335fc1931880618eaa448e3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sat, 12 Oct 2013 14:08:34 -0700 +Subject: [PATCH 31/47] bnx2x: record rx queue for LRO packets + +[ Upstream commit 60e66fee56b2256dcb1dc2ea1b2ddcb6e273857d ] + +RPS support is kind of broken on bnx2x, because only non LRO packets +get proper rx queue information. This triggers reorders, as it seems +bnx2x like to generate a non LRO packet for segment including TCP PUSH +flag : (this might be pure coincidence, but all the reorders I've +seen involve segments with a PUSH) + +11:13:34.335847 IP A > B: . 415808:447136(31328) ack 1 win 457 +11:13:34.335992 IP A > B: . 447136:448560(1424) ack 1 win 457 +11:13:34.336391 IP A > B: . 448560:479888(31328) ack 1 win 457 +11:13:34.336425 IP A > B: P 511216:512640(1424) ack 1 win 457 +11:13:34.336423 IP A > B: . 479888:511216(31328) ack 1 win 457 +11:13:34.336924 IP A > B: . 512640:543968(31328) ack 1 win 457 +11:13:34.336963 IP A > B: . 543968:575296(31328) ack 1 win 457 + +We must call skb_record_rx_queue() to properly give to RPS (and more +generally for TX queue selection on forward path) the receive queue +information. + +Similar fix is needed for skb_mark_napi_id(), but will be handled +in a separate patch to ease stable backports. + +Signed-off-by: Eric Dumazet +Cc: Willem de Bruijn +Cc: Eilon Greenstein +Acked-by: Dmitry Kravkov +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +index 0cc2611..4b0877e 100644 +--- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c ++++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c +@@ -676,6 +676,7 @@ static void bnx2x_gro_receive(struct bnx2x *bp, struct bnx2x_fastpath *fp, + } + } + #endif ++ skb_record_rx_queue(skb, fp->rx_queue); + napi_gro_receive(&fp->napi, skb); + } + +-- +1.7.11.7 + + +From 3f1db36c01909701d0e34cd2413a1127e144bcc3 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Oct 2013 11:18:58 +0800 +Subject: [PATCH 32/47] virtio-net: don't respond to cpu hotplug notifier if + we're not ready + +[ Upstream commit 3ab098df35f8b98b6553edc2e40234af512ba877 ] + +We're trying to re-configure the affinity unconditionally in cpu hotplug +callback. This may lead the issue during resuming from s3/s4 since + +- virt queues haven't been allocated at that time. +- it's unnecessary since thaw method will re-configure the affinity. + +Fix this issue by checking the config_enable and do nothing is we're not ready. + +The bug were introduced by commit 8de4b2f3ae90c8fc0f17eeaab87d5a951b66ee17 +(virtio-net: reset virtqueue affinity when doing cpu hotplug). + +Cc: Rusty Russell +Cc: Michael S. Tsirkin +Cc: Wanlong Gao +Acked-by: Michael S. Tsirkin +Reviewed-by: Wanlong Gao +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +--- + drivers/net/virtio_net.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 3d2a90a..43a71d9 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -1094,6 +1094,11 @@ static int virtnet_cpu_callback(struct notifier_block *nfb, + { + struct virtnet_info *vi = container_of(nfb, struct virtnet_info, nb); + ++ mutex_lock(&vi->config_lock); ++ ++ if (!vi->config_enable) ++ goto done; ++ + switch(action & ~CPU_TASKS_FROZEN) { + case CPU_ONLINE: + case CPU_DOWN_FAILED: +@@ -1106,6 +1111,9 @@ static int virtnet_cpu_callback(struct notifier_block *nfb, + default: + break; + } ++ ++done: ++ mutex_unlock(&vi->config_lock); + return NOTIFY_OK; + } + +-- +1.7.11.7 + + +From 24ef3b7cfd16ce5ac263deebfecb661d1c784670 Mon Sep 17 00:00:00 2001 +From: Jason Wang +Date: Tue, 15 Oct 2013 11:18:59 +0800 +Subject: [PATCH 33/47] virtio-net: refill only when device is up during + setting queues + +[ Upstream commit 35ed159bfd96a7547ec277ed8b550c7cbd9841b6 ] + +We used to schedule the refill work unconditionally after changing the +number of queues. This may lead an issue if the device is not +up. Since we only try to cancel the work in ndo_stop(), this may cause +the refill work still work after removing the device. Fix this by only +schedule the work when device is up. + +The bug were introduce by commit 9b9cd8024a2882e896c65222aa421d461354e3f2. +(virtio-net: fix the race between channels setting and refill) + +Cc: Rusty Russell +Cc: Michael S. Tsirkin +Signed-off-by: Jason Wang +Signed-off-by: David S. Miller +--- + drivers/net/virtio_net.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c +index 43a71d9..1d01534 100644 +--- a/drivers/net/virtio_net.c ++++ b/drivers/net/virtio_net.c +@@ -916,7 +916,9 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs) + return -EINVAL; + } else { + vi->curr_queue_pairs = queue_pairs; +- schedule_delayed_work(&vi->refill, 0); ++ /* virtnet_open() will refill when device is going to up. */ ++ if (dev->flags & IFF_UP) ++ schedule_delayed_work(&vi->refill, 0); + } + + return 0; +@@ -1714,7 +1716,9 @@ static int virtnet_restore(struct virtio_device *vdev) + vi->config_enable = true; + mutex_unlock(&vi->config_lock); + ++ rtnl_lock(); + virtnet_set_queues(vi, vi->curr_queue_pairs); ++ rtnl_unlock(); + + return 0; + } +-- +1.7.11.7 + + +From d616bd8bf902f82ea742462a29bf4080aaa8f497 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 14:57:45 -0400 +Subject: [PATCH 34/47] bridge: Correctly clamp MAX forward_delay when + enabling STP + +[ Upstream commit 4b6c7879d84ad06a2ac5b964808ed599187a188d ] + +Commit be4f154d5ef0ca147ab6bcd38857a774133f5450 + bridge: Clamp forward_delay when enabling STP +had a typo when attempting to clamp maximum forward delay. + +It is possible to set bridge_forward_delay to be higher then +permitted maximum when STP is off. When turning STP on, the +higher then allowed delay has to be clamed down to max value. + +CC: Herbert Xu +CC: Stephen Hemminger +Signed-off-by: Vlad Yasevich +Reviewed-by: Veaceslav Falico +Acked-by: Herbert Xu +Signed-off-by: David S. Miller +--- + net/bridge/br_stp_if.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c +index 108084a..656a6f3 100644 +--- a/net/bridge/br_stp_if.c ++++ b/net/bridge/br_stp_if.c +@@ -134,7 +134,7 @@ static void br_stp_start(struct net_bridge *br) + + if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY) + __br_set_forward_delay(br, BR_MIN_FORWARD_DELAY); +- else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY) ++ else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY) + __br_set_forward_delay(br, BR_MAX_FORWARD_DELAY); + + if (r == 0) { +-- +1.7.11.7 + + +From 803490b7c577add0b976aa08e4bbfdd95f505270 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 22:01:29 -0400 +Subject: [PATCH 35/47] net: dst: provide accessor function to dst->xfrm + +[ Upstream commit e87b3998d795123b4139bc3f25490dd236f68212 ] + +dst->xfrm is conditionally defined. Provide accessor funtion that +is always available. + +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +--- + include/net/dst.h | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/include/net/dst.h b/include/net/dst.h +index 1f8fd10..e0c97f5 100644 +--- a/include/net/dst.h ++++ b/include/net/dst.h +@@ -477,10 +477,22 @@ static inline struct dst_entry *xfrm_lookup(struct net *net, + { + return dst_orig; + } ++ ++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) ++{ ++ return NULL; ++} ++ + #else + extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, + const struct flowi *fl, struct sock *sk, + int flags); ++ ++/* skb attached with this dst needs transformation if dst->xfrm is valid */ ++static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) ++{ ++ return dst->xfrm; ++} + #endif + + #endif /* _NET_DST_H */ +-- +1.7.11.7 + + +From 371a65903ccb75fc71fd42b30a310a28c42e54a3 Mon Sep 17 00:00:00 2001 +From: Fan Du +Date: Tue, 15 Oct 2013 22:01:30 -0400 +Subject: [PATCH 36/47] sctp: Use software crc32 checksum when xfrm transform + will happen. + +[ Upstream commit 27127a82561a2a3ed955ce207048e1b066a80a2a ] + +igb/ixgbe have hardware sctp checksum support, when this feature is enabled +and also IPsec is armed to protect sctp traffic, ugly things happened as +xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing +up and pack the 16bits result in the checksum field). The result is fail +establishment of sctp communication. + +Cc: Neil Horman +Cc: Steffen Klassert +Signed-off-by: Fan Du +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +--- + net/sctp/output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index a46d1eb..a06a9b6 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -542,7 +542,8 @@ int sctp_packet_transmit(struct sctp_packet *packet) + * by CRC32-C as described in . + */ + if (!sctp_checksum_disable) { +- if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) { ++ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || ++ (dst_xfrm(dst) != NULL)) { + __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); + + /* 3) Put the resultant value into the checksum field in the +-- +1.7.11.7 + + +From 9067790bb296fb5818894222d7e85407238e9843 Mon Sep 17 00:00:00 2001 +From: Vlad Yasevich +Date: Tue, 15 Oct 2013 22:01:31 -0400 +Subject: [PATCH 37/47] sctp: Perform software checksum if packet has to be + fragmented. + +[ Upstream commit d2dbbba77e95dff4b4f901fee236fef6d9552072 ] + +IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum. +This causes problems if SCTP packets has to be fragmented and +ipsummed has been set to PARTIAL due to checksum offload support. +This condition can happen when retransmitting after MTU discover, +or when INIT or other control chunks are larger then MTU. +Check for the rare fragmentation condition in SCTP and use software +checksum calculation in this case. + +CC: Fan Du +Signed-off-by: Vlad Yasevich +Acked-by: Neil Horman +Signed-off-by: David S. Miller +--- + net/sctp/output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sctp/output.c b/net/sctp/output.c +index a06a9b6..013a07d 100644 +--- a/net/sctp/output.c ++++ b/net/sctp/output.c +@@ -543,7 +543,7 @@ int sctp_packet_transmit(struct sctp_packet *packet) + */ + if (!sctp_checksum_disable) { + if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || +- (dst_xfrm(dst) != NULL)) { ++ (dst_xfrm(dst) != NULL) || packet->ipfragok) { + __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); + + /* 3) Put the resultant value into the checksum field in the +-- +1.7.11.7 + + +From 22e825ed8144360271614511563166f37fef9f90 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Salva=20Peir=C3=B3?= +Date: Wed, 16 Oct 2013 12:46:50 +0200 +Subject: [PATCH 38/47] wanxl: fix info leak in ioctl +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +[ Upstream commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 ] + +The wanxl_ioctl() code fails to initialize the two padding bytes of +struct sync_serial_settings after the ->loopback member. Add an explicit +memset(0) before filling the structure to avoid the info leak. + +Signed-off-by: Salva Peiró +Signed-off-by: David S. Miller +--- + drivers/net/wan/wanxl.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c +index 6a24a5a..4c0a697 100644 +--- a/drivers/net/wan/wanxl.c ++++ b/drivers/net/wan/wanxl.c +@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) + ifr->ifr_settings.size = size; /* data size wanted */ + return -ENOBUFS; + } ++ memset(&line, 0, sizeof(line)); + line.clock_type = get_status(port)->clocking; + line.clock_rate = 0; + line.loopback = 0; +-- +1.7.11.7 + + +From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001 +From: Vasundhara Volam +Date: Thu, 17 Oct 2013 11:47:14 +0530 +Subject: [PATCH 39/47] be2net: pass if_id for v1 and V2 versions of TX_CREATE + cmd + +[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ] + +It is a required field for all TX_CREATE cmd versions > 0. +This fixes a driver initialization failure, caused by recent SH-R Firmwares +(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is +not passed. + +Signed-off-by: Sathya Perla +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c +index 8ec5d74..13ac104 100644 +--- a/drivers/net/ethernet/emulex/benet/be_cmds.c ++++ b/drivers/net/ethernet/emulex/benet/be_cmds.c +@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter *adapter, struct be_tx_obj *txo) + + if (lancer_chip(adapter)) { + req->hdr.version = 1; +- req->if_id = cpu_to_le16(adapter->if_handle); + } else if (BEx_chip(adapter)) { + if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC) + req->hdr.version = 2; +@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter *adapter, struct be_tx_obj *txo) + req->hdr.version = 2; + } + ++ if (req->hdr.version > 0) ++ req->if_id = cpu_to_le16(adapter->if_handle); + req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size); + req->ulp_num = BE_ULP1_NUM; + req->type = BE_ETH_TX_RING_TYPE_STANDARD; +-- +1.7.11.7 + + +From 9829aac8208e7a31e4e42e7d2e7e165593c05202 Mon Sep 17 00:00:00 2001 +From: Daniel Borkmann +Date: Thu, 17 Oct 2013 22:51:31 +0200 +Subject: [PATCH 40/47] net: unix: inherit SOCK_PASS{CRED, SEC} flags from + socket to fix race + +[ Upstream commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 ] + +In the case of credentials passing in unix stream sockets (dgram +sockets seem not affected), we get a rather sparse race after +commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default"). + +We have a stream server on receiver side that requests credential +passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED +on each spawned/accepted socket on server side to 1 first (as it's +not inherited), it can happen that in the time between accept() and +setsockopt() we get interrupted, the sender is being scheduled and +continues with passing data to our receiver. At that time SO_PASSCRED +is neither set on sender nor receiver side, hence in cmsg's +SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534 +(== overflow{u,g}id) instead of what we actually would like to see. + +On the sender side, here nc -U, the tests in maybe_add_creds() +invoked through unix_stream_sendmsg() would fail, as at that exact +time, as mentioned, the sender has neither SO_PASSCRED on his side +nor sees it on the server side, and we have a valid 'other' socket +in place. Thus, sender believes it would just look like a normal +connection, not needing/requesting SO_PASSCRED at that time. + +As reverting 16e5726 would not be an option due to the significant +performance regression reported when having creds always passed, +one way/trade-off to prevent that would be to set SO_PASSCRED on +the listener socket and allow inheriting these flags to the spawned +socket on server side in accept(). It seems also logical to do so +if we'd tell the listener socket to pass those flags onwards, and +would fix the race. + +Before, strace: + +recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], + msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}}, + msg_flags=0}, 0) = 5 + +After, strace: + +recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], + msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, + cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}}, + msg_flags=0}, 0) = 5 + +Signed-off-by: Daniel Borkmann +Cc: Eric Dumazet +Cc: Eric W. Biederman +Signed-off-by: David S. Miller +--- + net/unix/af_unix.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index c4ce243..e64bbcf 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1246,6 +1246,15 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb) + return 0; + } + ++static void unix_sock_inherit_flags(const struct socket *old, ++ struct socket *new) ++{ ++ if (test_bit(SOCK_PASSCRED, &old->flags)) ++ set_bit(SOCK_PASSCRED, &new->flags); ++ if (test_bit(SOCK_PASSSEC, &old->flags)) ++ set_bit(SOCK_PASSSEC, &new->flags); ++} ++ + static int unix_accept(struct socket *sock, struct socket *newsock, int flags) + { + struct sock *sk = sock->sk; +@@ -1280,6 +1289,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) + /* attach accepted sock to socket */ + unix_state_lock(tsk); + newsock->state = SS_CONNECTED; ++ unix_sock_inherit_flags(sock, newsock); + sock_graft(tsk, newsock); + unix_state_unlock(tsk); + return 0; +-- +1.7.11.7 + + +From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001 +From: Seif Mazareeb +Date: Thu, 17 Oct 2013 20:33:21 -0700 +Subject: [PATCH 41/47] net: fix cipso packet validation when !NETLABEL + +[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ] + +When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop +forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel +crash in an SMP system, since the CPU executing this function will +stall /not respond to IPIs. + +This problem can be reproduced by running the IP Stack Integrity Checker +(http://isic.sourceforge.net) using the following command on a Linux machine +connected to DUT: + +"icmpsic -s rand -d -r 123456" +wait (1-2 min) + +Signed-off-by: Seif Mazareeb +Acked-by: Paul Moore +Signed-off-by: David S. Miller +--- + include/net/cipso_ipv4.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h +index a7a683e..a8c2ef6 100644 +--- a/include/net/cipso_ipv4.h ++++ b/include/net/cipso_ipv4.h +@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, + unsigned char err_offset = 0; + u8 opt_len = opt[1]; + u8 opt_iter; ++ u8 tag_len; + + if (opt_len < 8) { + err_offset = 1; +@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, + } + + for (opt_iter = 6; opt_iter < opt_len;) { +- if (opt[opt_iter + 1] > (opt_len - opt_iter)) { ++ tag_len = opt[opt_iter + 1]; ++ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) { + err_offset = opt_iter + 1; + goto out; + } +- opt_iter += opt[opt_iter + 1]; ++ opt_iter += tag_len; + } + + out: +-- +1.7.11.7 + + +From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 22 Oct 2013 00:07:47 +0200 +Subject: [PATCH 42/47] inet: fix possible memory corruption with UDP_CORK and + UFO + +[ This is a simplified -stable version of a set of upstream commits. ] + +This is a replacement patch only for stable which does fix the problems +handled by the following two commits in -net: + +"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) +"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) + +Three frames are written on a corked udp socket for which the output +netdevice has UFO enabled. If the first and third frame are smaller than +the mtu and the second one is bigger, we enqueue the second frame with +skb_append_datato_frags without initializing the gso fields. This leads +to the third frame appended regulary and thus constructing an invalid skb. + +This fixes the problem by always using skb_append_datato_frags as soon +as the first frag got enqueued to the skb without marking the packet +as SKB_GSO_UDP. + +The problem with only two frames for ipv6 was fixed by "ipv6: udp +packets following an UFO enqueued packet need also be handled by UFO" +(2811ebac2521ceac84f2bdae402455baa6a7fb47). + +Cc: Jiri Pirko +Cc: Eric Dumazet +Cc: David Miller +Signed-off-by: Hannes Frederic Sowa +--- + include/linux/skbuff.h | 5 +++++ + net/ipv4/ip_output.c | 2 +- + net/ipv6/ip6_output.c | 2 +- + 3 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 3b71a4e..6bd165b 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const struct sk_buff *skb) + return len + skb_headlen(skb); + } + ++static inline bool skb_has_frags(const struct sk_buff *skb) ++{ ++ return skb_shinfo(skb)->nr_frags; ++} ++ + /** + * __skb_fill_page_desc - initialise a paged fragment in an skb + * @skb: buffer containing fragment to be initialised +diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c +index a04d872..7f4ab5d 100644 +--- a/net/ipv4/ip_output.c ++++ b/net/ipv4/ip_output.c +@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock *sk, + csummode = CHECKSUM_PARTIAL; + + cork->length += length; +- if (((length > mtu) || (skb && skb_is_gso(skb))) && ++ if (((length > mtu) || (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { + err = ip_ufo_append_data(sk, queue, getfrag, from, length, +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 44df1c9..2e542d0 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, + skb = skb_peek_tail(&sk->sk_write_queue); + cork->length += length; + if (((length > mtu) || +- (skb && skb_is_gso(skb))) && ++ (skb && skb_has_frags(skb))) && + (sk->sk_protocol == IPPROTO_UDP) && + (rt->dst.dev->features & NETIF_F_UFO)) { + err = ip6_ufo_append_data(sk, getfrag, from, length, +-- +1.7.11.7 + + +From 689f77d13532698739438b2288ec8eac2f667584 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sun, 20 Oct 2013 15:43:03 +0300 +Subject: [PATCH 43/47] ipv6: always prefer rt6i_gateway if present + +[ Upstream commit 96dc809514fb2328605198a0602b67554d8cce7b ] + +In v3.9 6fd6ce2056de2709 ("ipv6: Do not depend on rt->n in +ip6_finish_output2()." changed the behaviour of ip6_finish_output2() +such that the recently introduced rt6_nexthop() is used +instead of an assigned neighbor. + +As rt6_nexthop() prefers rt6i_gateway only for gatewayed +routes this causes a problem for users like IPVS, xt_TEE and +RAW(hdrincl) if they want to use different address for routing +compared to the destination address. + +Another case is when redirect can create RTF_DYNAMIC +route without RTF_GATEWAY flag, we ignore the rt6i_gateway +in rt6_nexthop(). + +Fix the above problems by considering the rt6i_gateway if +present, so that traffic routed to address on local subnet is +not wrongly diverted to the destination address. + +Thanks to Simon Horman and Phil Oester for spotting the +problematic commit. + +Thanks to Hannes Frederic Sowa for his review and help in testing. + +Reported-by: Phil Oester +Reported-by: Mark Brooks +Signed-off-by: Julian Anastasov +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + include/net/ip6_route.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index f667248..0aaf0ec 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -198,7 +198,7 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb) + + static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt, struct in6_addr *dest) + { +- if (rt->rt6i_flags & RTF_GATEWAY) ++ if (rt->rt6i_flags & RTF_GATEWAY || !ipv6_addr_any(&rt->rt6i_gateway)) + return &rt->rt6i_gateway; + return dest; + } +-- +1.7.11.7 + + +From 471dd605429d6645f990becd29c877740d3b32e7 Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sun, 20 Oct 2013 15:43:04 +0300 +Subject: [PATCH 44/47] ipv6: fill rt6i_gateway with nexthop address + +[ Upstream commit 550bab42f83308c9d6ab04a980cc4333cef1c8fa ] + +Make sure rt6i_gateway contains nexthop information in +all routes returned from lookup or when routes are directly +attached to skb for generated ICMP packets. + +The effect of this patch should be a faster version of +rt6_nexthop() and the consideration of local addresses as +nexthop. + +Signed-off-by: Julian Anastasov +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + include/net/ip6_route.h | 6 ++---- + net/ipv6/ip6_output.c | 4 ++-- + net/ipv6/route.c | 8 ++++++-- + 3 files changed, 10 insertions(+), 8 deletions(-) + +diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h +index 0aaf0ec..c7b8860 100644 +--- a/include/net/ip6_route.h ++++ b/include/net/ip6_route.h +@@ -196,11 +196,9 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb) + skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); + } + +-static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt, struct in6_addr *dest) ++static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt) + { +- if (rt->rt6i_flags & RTF_GATEWAY || !ipv6_addr_any(&rt->rt6i_gateway)) +- return &rt->rt6i_gateway; +- return dest; ++ return &rt->rt6i_gateway; + } + + #endif +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 2e542d0..5b25f85 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -130,7 +130,7 @@ static int ip6_finish_output2(struct sk_buff *skb) + } + + rcu_read_lock_bh(); +- nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr); ++ nexthop = rt6_nexthop((struct rt6_info *)dst); + neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop); + if (unlikely(!neigh)) + neigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false); +@@ -899,7 +899,7 @@ static int ip6_dst_lookup_tail(struct sock *sk, + */ + rt = (struct rt6_info *) *dst; + rcu_read_lock_bh(); +- n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt, &fl6->daddr)); ++ n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt)); + err = n && !(n->nud_state & NUD_VALID) ? -EINVAL : 0; + rcu_read_unlock_bh(); + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 8d9a93ed..08e6c40 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -852,7 +852,6 @@ static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, + if (ort->rt6i_dst.plen != 128 && + ipv6_addr_equal(&ort->rt6i_dst.addr, daddr)) + rt->rt6i_flags |= RTF_ANYCAST; +- rt->rt6i_gateway = *daddr; + } + + rt->rt6i_flags |= RTF_CACHE; +@@ -1270,6 +1269,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev, + rt->dst.flags |= DST_HOST; + rt->dst.output = ip6_output; + atomic_set(&rt->dst.__refcnt, 1); ++ rt->rt6i_gateway = fl6->daddr; + rt->rt6i_dst.addr = fl6->daddr; + rt->rt6i_dst.plen = 128; + rt->rt6i_idev = idev; +@@ -1824,7 +1824,10 @@ static struct rt6_info *ip6_rt_copy(struct rt6_info *ort, + in6_dev_hold(rt->rt6i_idev); + rt->dst.lastuse = jiffies; + +- rt->rt6i_gateway = ort->rt6i_gateway; ++ if (ort->rt6i_flags & RTF_GATEWAY) ++ rt->rt6i_gateway = ort->rt6i_gateway; ++ else ++ rt->rt6i_gateway = *dest; + rt->rt6i_flags = ort->rt6i_flags; + if ((ort->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) == + (RTF_DEFAULT | RTF_ADDRCONF)) +@@ -2111,6 +2114,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev, + else + rt->rt6i_flags |= RTF_LOCAL; + ++ rt->rt6i_gateway = *addr; + rt->rt6i_dst.addr = *addr; + rt->rt6i_dst.plen = 128; + rt->rt6i_table = fib6_get_table(net, RT6_TABLE_LOCAL); +-- +1.7.11.7 + + +From d01c3be45be54261f56ba63197d94e3d756befdf Mon Sep 17 00:00:00 2001 +From: Julian Anastasov +Date: Sun, 20 Oct 2013 15:43:05 +0300 +Subject: [PATCH 45/47] netfilter: nf_conntrack: fix rt6i_gateway checks for + H.323 helper + +[ Upstream commit 56e42441ed54b092d6c7411138ce60d049e7c731 ] + +Now when rt6_nexthop() can return nexthop address we can use it +for proper nexthop comparison of directly connected destinations. +For more information refer to commit bbb5823cf742a7 +("netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper"). + +Signed-off-by: Julian Anastasov +Acked-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/netfilter/nf_conntrack_h323_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c +index bdebd03..70866d1 100644 +--- a/net/netfilter/nf_conntrack_h323_main.c ++++ b/net/netfilter/nf_conntrack_h323_main.c +@@ -778,8 +778,8 @@ static int callforward_do_filter(const union nf_inet_addr *src, + flowi6_to_flowi(&fl1), false)) { + if (!afinfo->route(&init_net, (struct dst_entry **)&rt2, + flowi6_to_flowi(&fl2), false)) { +- if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway, +- sizeof(rt1->rt6i_gateway)) && ++ if (ipv6_addr_equal(rt6_nexthop(rt1), ++ rt6_nexthop(rt2)) && + rt1->dst.dev == rt2->dst.dev) + ret = 1; + dst_release(&rt2->dst); +-- +1.7.11.7 + + +From 1d98ddb501bedeee62c916d3d6999109f0a22198 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Mon, 21 Oct 2013 06:17:15 +0200 +Subject: [PATCH 46/47] ipv6: probe routes asynchronous in rt6_probe + +[ Upstream commit c2f17e827b419918c856131f592df9521e1a38e3 ] + +Routes need to be probed asynchronous otherwise the call stack gets +exhausted when the kernel attemps to deliver another skb inline, like +e.g. xt_TEE does, and we probe at the same time. + +We update neigh->updated still at once, otherwise we would send to +many probes. + +Cc: Julian Anastasov +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/route.c | 38 +++++++++++++++++++++++++++++++------- + 1 file changed, 31 insertions(+), 7 deletions(-) + +diff --git a/net/ipv6/route.c b/net/ipv6/route.c +index 08e6c40..1e32d5c 100644 +--- a/net/ipv6/route.c ++++ b/net/ipv6/route.c +@@ -477,6 +477,24 @@ out: + } + + #ifdef CONFIG_IPV6_ROUTER_PREF ++struct __rt6_probe_work { ++ struct work_struct work; ++ struct in6_addr target; ++ struct net_device *dev; ++}; ++ ++static void rt6_probe_deferred(struct work_struct *w) ++{ ++ struct in6_addr mcaddr; ++ struct __rt6_probe_work *work = ++ container_of(w, struct __rt6_probe_work, work); ++ ++ addrconf_addr_solict_mult(&work->target, &mcaddr); ++ ndisc_send_ns(work->dev, NULL, &work->target, &mcaddr, NULL); ++ dev_put(work->dev); ++ kfree(w); ++} ++ + static void rt6_probe(struct rt6_info *rt) + { + struct neighbour *neigh; +@@ -500,17 +518,23 @@ static void rt6_probe(struct rt6_info *rt) + + if (!neigh || + time_after(jiffies, neigh->updated + rt->rt6i_idev->cnf.rtr_probe_interval)) { +- struct in6_addr mcaddr; +- struct in6_addr *target; ++ struct __rt6_probe_work *work; ++ ++ work = kmalloc(sizeof(*work), GFP_ATOMIC); + +- if (neigh) { ++ if (neigh && work) + neigh->updated = jiffies; ++ ++ if (neigh) + write_unlock(&neigh->lock); +- } + +- target = (struct in6_addr *)&rt->rt6i_gateway; +- addrconf_addr_solict_mult(target, &mcaddr); +- ndisc_send_ns(rt->dst.dev, NULL, target, &mcaddr, NULL); ++ if (work) { ++ INIT_WORK(&work->work, rt6_probe_deferred); ++ work->target = rt->rt6i_gateway; ++ dev_hold(rt->dst.dev); ++ work->dev = rt->dst.dev; ++ schedule_work(&work->work); ++ } + } else { + out: + write_unlock(&neigh->lock); +-- +1.7.11.7 + + +From d7710f5e65b37ec3ac09dde758141e81fa47315d Mon Sep 17 00:00:00 2001 +From: Mariusz Ceier +Date: Mon, 21 Oct 2013 19:45:04 +0200 +Subject: [PATCH 47/47] davinci_emac.c: Fix IFF_ALLMULTI setup + +[ Upstream commit d69e0f7ea95fef8059251325a79c004bac01f018 ] + +When IFF_ALLMULTI flag is set on interface and IFF_PROMISC isn't, +emac_dev_mcast_set should only enable RX of multicasts and reset +MACHASH registers. + +It does this, but afterwards it either sets up multicast MACs +filtering or disables RX of multicasts and resets MACHASH registers +again, rendering IFF_ALLMULTI flag useless. + +This patch fixes emac_dev_mcast_set, so that multicast MACs filtering and +disabling of RX of multicasts are skipped when IFF_ALLMULTI flag is set. + +Tested with kernel 2.6.37. + +Signed-off-by: Mariusz Ceier +Acked-by: Mugunthan V N +Signed-off-by: David S. Miller +--- + drivers/net/ethernet/ti/davinci_emac.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c +index 1a222bce..45c167f 100644 +--- a/drivers/net/ethernet/ti/davinci_emac.c ++++ b/drivers/net/ethernet/ti/davinci_emac.c +@@ -876,8 +876,7 @@ static void emac_dev_mcast_set(struct net_device *ndev) + netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES) { + mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); + emac_add_mcast(priv, EMAC_ALL_MULTI_SET, NULL); +- } +- if (!netdev_mc_empty(ndev)) { ++ } else if (!netdev_mc_empty(ndev)) { + struct netdev_hw_addr *ha; + + mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); +-- +1.7.11.7 + diff --git a/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch b/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch deleted file mode 100644 index 1a1264ffa..000000000 --- a/tcp-fix-incorrect-ca_state-in-tail-loss-probe.patch +++ /dev/null @@ -1,107 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Yuchung Cheng -Newsgroups: gmane.linux.network -Subject: [PATCH net] tcp: fix incorrect ca_state in tail loss probe -Date: Sat, 12 Oct 2013 10:16:27 -0700 -Lines: 34 -Approved: news@gmane.org -Message-ID: <1381598187-9681-1-git-send-email-ycheng@google.com> -NNTP-Posting-Host: plane.gmane.org -X-Trace: ger.gmane.org 1381598242 29686 80.91.229.3 (12 Oct 2013 17:17:22 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Sat, 12 Oct 2013 17:17:22 +0000 (UTC) -Cc: netdev@vger.kernel.org, michael@sterretts.net, - jwboyer@fedoraproject.org, sesse@google.com, dormando@rydia.net, - Yuchung Cheng -To: davem@davemloft.net, ncardwell@google.com, nanditad@google.com -Original-X-From: netdev-owner@vger.kernel.org Sat Oct 12 19:17:23 2013 -Return-path: -Envelope-to: linux-netdev-2@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1VV2od-0004tp-02 - for linux-netdev-2@plane.gmane.org; Sat, 12 Oct 2013 19:17:23 +0200 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753183Ab3JLRRU (ORCPT ); - Sat, 12 Oct 2013 13:17:20 -0400 -Original-Received: from mail-pb0-f74.google.com ([209.85.160.74]:35839 "EHLO - mail-pb0-f74.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752493Ab3JLRRS (ORCPT - ); Sat, 12 Oct 2013 13:17:18 -0400 -Original-Received: by mail-pb0-f74.google.com with SMTP id rq2so543459pbb.1 - for ; Sat, 12 Oct 2013 10:17:18 -0700 (PDT) -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=google.com; s=20120113; - h=from:to:cc:subject:date:message-id; - bh=YSBIMZEgVuqyP2cau1199a1sz5d28JA7LPPsF6w9FYQ=; - b=cCkXgePT7f0kRy+VBGvs3DZSLhVn0z7O74B7OHYpdZkQBznhNZ2b6ZGbkDqaKJXyLT - GEsq/JXCgtwpC7aGSz9dPdAZU6kondKOAmfhh54u6f2+ymcZJ4zHpoA6mWuKJ4zlTF2w - 6tRhnT+/N5RkfIfYD/mcDx97X41kRT3NKJ6bsCoiNJIO2+6j8SrOi8C27InOkdIRY/AT - I1uu2bvai1CfrC5yQ6UfpKUg2jioFDOi7i5nSEon+JnWeJavHpO01JMHuar7ZeGnAKJg - kVLwyiRujU9Fz0CKIMPZihAngQu/0OgqORQIjygeqz+GPgtTxDGQP7IUNR/d+JOPVUse - XlSA== -X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; - d=1e100.net; s=20130820; - h=x-gm-message-state:from:to:cc:subject:date:message-id; - bh=YSBIMZEgVuqyP2cau1199a1sz5d28JA7LPPsF6w9FYQ=; - b=d95i7RXY0ff5vnWvrGqxWfSvvAE8SC6YAaBn3ZqbARIZm5GgynIAB/WYnrIOqpqGV6 - 56jVM40bfzLrols1UZzyJWqPIgxee1zPrESh+WrSsDP2tTdYKl/zk13lbt/u7nOn9o3u - HrAo2aY4DtV3P0ABEq1lKdazmmPACTc6256QQ2nxtHs5n7s7P1ERkpX7NGNqNf1zDBSv - 60xeoswRpMkh0G5ZUgpPYsIbXws9F64n5ytq34O2UDZPv5oPEd8I7P34HpqWkNsLoEBs - XXTxs1SLc8TI3vdduhaQ+rmEvcE5vTaqjVCQAT2mMKTJJ9xIFueF5zExfI892PHAcJQ8 - jiaw== -X-Gm-Message-State: ALoCoQkeL+3MY64KlpZKI1BuYMU+yTQcYF1C+U5u+kPpqROoekUMzIaH45qERBARAi/0vgJ5YM1Cwm+43d66vZMn/WdHPurbMHfFn3PYqeZSAzOEeuSA2jGTSZUkpuH8YwFqiNhABtj93ahsBXrA6POrXb531UvuahU+rnFLTGNLxVHv/08PW3l5PbN8UaTNpUI1qcf6O6MarFcB+fZLYPb339v4EIrLxg== -X-Received: by 10.66.5.226 with SMTP id v2mr8825633pav.22.1381598238410; - Sat, 12 Oct 2013 10:17:18 -0700 (PDT) -Original-Received: from corp2gmr1-2.hot.corp.google.com (corp2gmr1-2.hot.corp.google.com [172.24.189.93]) - by gmr-mx.google.com with ESMTPS id a24si3247317yhl.1.1969.12.31.16.00.00 - (version=TLSv1.1 cipher=AES128-SHA bits=128/128); - Sat, 12 Oct 2013 10:17:18 -0700 (PDT) -Original-Received: from blast2.mtv.corp.google.com (blast2.mtv.corp.google.com [172.17.132.164]) - by corp2gmr1-2.hot.corp.google.com (Postfix) with ESMTP id 2F2B45A41A0; - Sat, 12 Oct 2013 10:17:18 -0700 (PDT) -Original-Received: by blast2.mtv.corp.google.com (Postfix, from userid 5463) - id C6A85220C26; Sat, 12 Oct 2013 10:17:17 -0700 (PDT) -X-Mailer: git-send-email 1.8.4 -Original-Sender: netdev-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: netdev@vger.kernel.org -Xref: news.gmane.org gmane.linux.network:286793 -Archived-At: - -On receiving an ACK that covers the loss probe sequence, TLP -immediately sets the congestion state to Open, even though some packets -are not recovered and retransmisssion are on the way. The later ACks -may trigger a WARN_ON check in step D of tcp_fastretrans_alert(), e.g., -https://bugzilla.redhat.com/show_bug.cgi?id=989251 - -The fix is to follow the similar procedure in recovery by calling -tcp_try_keep_open(). The sender switches to Open state if no packets -are retransmissted. Otherwise it goes to Disorder and let subsequent -ACKs move the state to Recovery or Open. - -Reported-By: Michael Sterrett -Tested-By: Dormando -Signed-off-by: Yuchung Cheng ---- - net/ipv4/tcp_input.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 113dc5f..53974c7 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -3291,7 +3291,7 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) - tcp_init_cwnd_reduction(sk, true); - tcp_set_ca_state(sk, TCP_CA_CWR); - tcp_end_cwnd_reduction(sk); -- tcp_set_ca_state(sk, TCP_CA_Open); -+ tcp_try_keep_open(sk); - NET_INC_STATS_BH(sock_net(sk), - LINUX_MIB_TCPLOSSPROBERECOVERY); - } --- -1.8.4 - From 6d6c5b9a2405b6a7d4b7a5ba7296a01badba1e79 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 25 Oct 2013 17:50:07 -0400 Subject: [PATCH 252/468] Fix CVE number --- kernel.spec | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/kernel.spec b/kernel.spec index a1205baa3..2a0fa67ce 100644 --- a/kernel.spec +++ b/kernel.spec @@ -779,7 +779,7 @@ Patch25133: fix-buslogic.patch #rhbz 1023413 Patch25135: alps-Support-for-Dell-XT2-model.patch -#CVE-2013-XXXX rhbz 1023477 1023495 +#CVE-2013-4470 rhbz 1023477 1023495 Patch25136: net_311.mbox # END OF PATCH DEFINITIONS @@ -1509,7 +1509,7 @@ ApplyPatch fix-buslogic.patch #rhbz 1023413 ApplyPatch alps-Support-for-Dell-XT2-model.patch -#CVE-2013-XXXX rhbz 1023477 1023495 +#CVE-2013-4470 rhbz 1023477 1023495 ApplyPatch net_311.mbox # END OF PATCH APPLICATIONS @@ -2325,7 +2325,7 @@ fi %changelog * Fri Oct 25 2013 Josh Boyer -- CVE-2013-XXXX net: memory corruption with UDP_CORK and UFO (rhbz 1023477 1023495) +- CVE-2013-4470 net: memory corruption with UDP_CORK and UFO (rhbz 1023477 1023495) - Add touchpad support for Dell XT2 (rhbz 1023413) * Tue Oct 22 2013 Josh Boyer From d030b241c6339d5fa7c70190f53ba49467f7139e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 29 Oct 2013 14:22:30 -0400 Subject: [PATCH 253/468] Fix plaintext auth regression in cifs (rhbz 1011621) --- ...auth-for-unencapsulated-auth-methods.patch | 39 +++++++++++++++++++ kernel.spec | 9 +++++ 2 files changed, 48 insertions(+) create mode 100644 cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch diff --git a/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch b/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch new file mode 100644 index 000000000..51ce50f87 --- /dev/null +++ b/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch @@ -0,0 +1,39 @@ +From dde2356c8466298bd77fa699e0ea296372eed47b Mon Sep 17 00:00:00 2001 +From: Sachin Prabhu +Date: Fri, 27 Sep 2013 17:35:42 +0000 +Subject: cifs: Allow LANMAN auth method for servers supporting unencapsulated authentication methods + +This allows users to use LANMAN authentication on servers which support +unencapsulated authentication. + +The patch fixes a regression where users using plaintext authentication +were no longer able to do so because of changed bought in by patch +3f618223dc0bdcbc8d510350e78ee2195ff93768 + +https://bugzilla.redhat.com/show_bug.cgi?id=1011621 + +Reported-by: Panos Kavalagios +Reviewed-by: Jeff Layton +Signed-off-by: Sachin Prabhu +Signed-off-by: Steve French +--- +(limited to 'fs/cifs') + +diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c +index 352358d..e87387d 100644 +--- a/fs/cifs/sess.c ++++ b/fs/cifs/sess.c +@@ -500,9 +500,9 @@ select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) + return NTLMv2; + if (global_secflags & CIFSSEC_MAY_NTLM) + return NTLM; +- /* Fallthrough */ + default: +- return Unspecified; ++ /* Fallthrough to attempt LANMAN authentication next */ ++ break; + } + case CIFS_NEGFLAVOR_LANMAN: + switch (requested) { +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 2a0fa67ce..afe6a9480 100644 --- a/kernel.spec +++ b/kernel.spec @@ -782,6 +782,9 @@ Patch25135: alps-Support-for-Dell-XT2-model.patch #CVE-2013-4470 rhbz 1023477 1023495 Patch25136: net_311.mbox +#rhbz 1011621 +Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch + # END OF PATCH DEFINITIONS %endif @@ -1512,6 +1515,9 @@ ApplyPatch alps-Support-for-Dell-XT2-model.patch #CVE-2013-4470 rhbz 1023477 1023495 ApplyPatch net_311.mbox +#rhbz 1011621 +ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch + # END OF PATCH APPLICATIONS %endif @@ -2324,6 +2330,9 @@ fi # and build. %changelog +* Tue Oct 29 2013 Josh Boyer +- Fix plaintext auth regression in cifs (rhbz 1011621) + * Fri Oct 25 2013 Josh Boyer - CVE-2013-4470 net: memory corruption with UDP_CORK and UFO (rhbz 1023477 1023495) - Add touchpad support for Dell XT2 (rhbz 1023413) From 67bd5d9e34b9fa143dd84f9a617add4506e8c0f3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 1 Nov 2013 08:14:33 -0400 Subject: [PATCH 254/468] Fix display regression on Dell XPS 13 machines (rhbz 995782) --- intel-3.12-stable-fixes.patch | 574 ++++++++++++++++++++++++++++++++++ kernel.spec | 9 + 2 files changed, 583 insertions(+) create mode 100644 intel-3.12-stable-fixes.patch diff --git a/intel-3.12-stable-fixes.patch b/intel-3.12-stable-fixes.patch new file mode 100644 index 000000000..35335423e --- /dev/null +++ b/intel-3.12-stable-fixes.patch @@ -0,0 +1,574 @@ +From 39bb622a9804de9fa51cae31f07104a19067483a Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Mon, 21 Oct 2013 10:52:06 +0300 +Subject: [PATCH 1/5] drm/i915: Add support for pipe_bpp readout +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +On CTG+ read out the pipe bpp setting from hardware and fill it into +pipe config. Also check it appropriately. + +v2: Don't do the pipe_bpp extraction inside the PCH only code block on + ILK+. + Avoid the PIPECONF read as we already have read it for the + PIPECONF_EANBLE check. + +Note: This is already in drm-intel-next-queued as +commit 42571aefafb1d330ef84eb29418832f72e7dfb4c +Author: Ville Syrjälä +Date: Fri Sep 6 23:29:00 2013 +0300 + + drm/i915: Add support for pipe_bpp readout + +but is needed for the following bugfix. + +Signed-off-by: Ville Syrjälä +Reviewed-by: Jani Nikula +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/intel_ddi.c | 17 +++++++++++++++++ + drivers/gpu/drm/i915/intel_display.c | 36 ++++++++++++++++++++++++++++++++++++ + 2 files changed, 53 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c +index b042ee5..83e413b 100644 +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -1280,6 +1280,23 @@ static void intel_ddi_get_config(struct intel_encoder *encoder, + flags |= DRM_MODE_FLAG_NVSYNC; + + pipe_config->adjusted_mode.flags |= flags; ++ ++ switch (temp & TRANS_DDI_BPC_MASK) { ++ case TRANS_DDI_BPC_6: ++ pipe_config->pipe_bpp = 18; ++ break; ++ case TRANS_DDI_BPC_8: ++ pipe_config->pipe_bpp = 24; ++ break; ++ case TRANS_DDI_BPC_10: ++ pipe_config->pipe_bpp = 30; ++ break; ++ case TRANS_DDI_BPC_12: ++ pipe_config->pipe_bpp = 36; ++ break; ++ default: ++ break; ++ } + } + + static void intel_ddi_destroy(struct drm_encoder *encoder) +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 90a7c17..4aaccd3 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -4943,6 +4943,22 @@ static bool i9xx_get_pipe_config(struct intel_crtc *crtc, + if (!(tmp & PIPECONF_ENABLE)) + return false; + ++ if (IS_G4X(dev) || IS_VALLEYVIEW(dev)) { ++ switch (tmp & PIPECONF_BPC_MASK) { ++ case PIPECONF_6BPC: ++ pipe_config->pipe_bpp = 18; ++ break; ++ case PIPECONF_8BPC: ++ pipe_config->pipe_bpp = 24; ++ break; ++ case PIPECONF_10BPC: ++ pipe_config->pipe_bpp = 30; ++ break; ++ default: ++ break; ++ } ++ } ++ + intel_get_pipe_timings(crtc, pipe_config); + + i9xx_get_pfit_config(crtc, pipe_config); +@@ -5821,6 +5837,23 @@ static bool ironlake_get_pipe_config(struct intel_crtc *crtc, + if (!(tmp & PIPECONF_ENABLE)) + return false; + ++ switch (tmp & PIPECONF_BPC_MASK) { ++ case PIPECONF_6BPC: ++ pipe_config->pipe_bpp = 18; ++ break; ++ case PIPECONF_8BPC: ++ pipe_config->pipe_bpp = 24; ++ break; ++ case PIPECONF_10BPC: ++ pipe_config->pipe_bpp = 30; ++ break; ++ case PIPECONF_12BPC: ++ pipe_config->pipe_bpp = 36; ++ break; ++ default: ++ break; ++ } ++ + if (I915_READ(PCH_TRANSCONF(crtc->pipe)) & TRANS_ENABLE) { + struct intel_shared_dpll *pll; + +@@ -8147,6 +8180,9 @@ intel_pipe_config_compare(struct drm_device *dev, + PIPE_CONF_CHECK_X(dpll_hw_state.fp0); + PIPE_CONF_CHECK_X(dpll_hw_state.fp1); + ++ if (IS_G4X(dev) || INTEL_INFO(dev)->gen >= 5) ++ PIPE_CONF_CHECK_I(pipe_bpp); ++ + #undef PIPE_CONF_CHECK_X + #undef PIPE_CONF_CHECK_I + #undef PIPE_CONF_CHECK_FLAGS +-- +1.8.3.1 + + +From b59da942a708f7cf1c421a7cb666f98fd8172208 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= +Date: Tue, 24 Sep 2013 14:24:05 +0300 +Subject: [PATCH 2/5] drm/i915: Add HSW CRT output readout support +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Call intel_ddi_get_config() to get the pipe_bpp settings from +DDI. + +The sync polarity settings from DDI are irrelevant for CRT +output, so override them with data from the ADPA register. + +Note: This is already merged in drm-intel-next-queued as + +commit 6801c18c0a43386bb44712cbc028a7e05adb9f0d +Author: Ville Syrjälä +Date: Tue Sep 24 14:24:05 2013 +0300 + + drm/i915: Add HSW CRT output readout support + +but is required for the following edp bpp bugfix. + +v2: Extract intel_crt_get_flags() + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=69691 +Tested-by: Qingshuai Tian +Signed-off-by: Ville Syrjälä +Cc: stable@vger.kernel.org +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/intel_crt.c | 30 ++++++++++++++++++++++++++---- + drivers/gpu/drm/i915/intel_ddi.c | 4 ++-- + drivers/gpu/drm/i915/intel_drv.h | 2 ++ + 3 files changed, 30 insertions(+), 6 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c +index 3acec8c..6aa6ebd 100644 +--- a/drivers/gpu/drm/i915/intel_crt.c ++++ b/drivers/gpu/drm/i915/intel_crt.c +@@ -84,8 +84,7 @@ static bool intel_crt_get_hw_state(struct intel_encoder *encoder, + return true; + } + +-static void intel_crt_get_config(struct intel_encoder *encoder, +- struct intel_crtc_config *pipe_config) ++static unsigned int intel_crt_get_flags(struct intel_encoder *encoder) + { + struct drm_i915_private *dev_priv = encoder->base.dev->dev_private; + struct intel_crt *crt = intel_encoder_to_crt(encoder); +@@ -103,7 +102,27 @@ static void intel_crt_get_config(struct intel_encoder *encoder, + else + flags |= DRM_MODE_FLAG_NVSYNC; + +- pipe_config->adjusted_mode.flags |= flags; ++ return flags; ++} ++ ++static void intel_crt_get_config(struct intel_encoder *encoder, ++ struct intel_crtc_config *pipe_config) ++{ ++ struct drm_device *dev = encoder->base.dev; ++ ++ pipe_config->adjusted_mode.flags |= intel_crt_get_flags(encoder); ++} ++ ++static void hsw_crt_get_config(struct intel_encoder *encoder, ++ struct intel_crtc_config *pipe_config) ++{ ++ intel_ddi_get_config(encoder, pipe_config); ++ ++ pipe_config->adjusted_mode.flags &= ~(DRM_MODE_FLAG_PHSYNC | ++ DRM_MODE_FLAG_NHSYNC | ++ DRM_MODE_FLAG_PVSYNC | ++ DRM_MODE_FLAG_NVSYNC); ++ pipe_config->adjusted_mode.flags |= intel_crt_get_flags(encoder); + } + + /* Note: The caller is required to filter out dpms modes not supported by the +@@ -802,7 +821,10 @@ void intel_crt_init(struct drm_device *dev) + crt->base.compute_config = intel_crt_compute_config; + crt->base.disable = intel_disable_crt; + crt->base.enable = intel_enable_crt; +- crt->base.get_config = intel_crt_get_config; ++ if (IS_HASWELL(dev)) ++ crt->base.get_config = hsw_crt_get_config; ++ else ++ crt->base.get_config = intel_crt_get_config; + if (I915_HAS_HOTPLUG(dev)) + crt->base.hpd_pin = HPD_CRT; + if (HAS_DDI(dev)) +diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c +index 83e413b..5a6368d 100644 +--- a/drivers/gpu/drm/i915/intel_ddi.c ++++ b/drivers/gpu/drm/i915/intel_ddi.c +@@ -1261,8 +1261,8 @@ static void intel_ddi_hot_plug(struct intel_encoder *intel_encoder) + intel_dp_check_link_status(intel_dp); + } + +-static void intel_ddi_get_config(struct intel_encoder *encoder, +- struct intel_crtc_config *pipe_config) ++void intel_ddi_get_config(struct intel_encoder *encoder, ++ struct intel_crtc_config *pipe_config) + { + struct drm_i915_private *dev_priv = encoder->base.dev->dev_private; + struct intel_crtc *intel_crtc = to_intel_crtc(encoder->base.crtc); +diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h +index b7d6e09..ddf7e2f 100644 +--- a/drivers/gpu/drm/i915/intel_drv.h ++++ b/drivers/gpu/drm/i915/intel_drv.h +@@ -816,6 +816,8 @@ extern void intel_ddi_prepare_link_retrain(struct drm_encoder *encoder); + extern bool + intel_ddi_connector_get_hw_state(struct intel_connector *intel_connector); + extern void intel_ddi_fdi_disable(struct drm_crtc *crtc); ++extern void intel_ddi_get_config(struct intel_encoder *encoder, ++ struct intel_crtc_config *pipe_config); + + extern void intel_display_handle_reset(struct drm_device *dev); + extern bool intel_set_cpu_fifo_underrun_reporting(struct drm_device *dev, +-- +1.8.3.1 + + +From 92c64493f41092185230c552c277b42bf6113140 Mon Sep 17 00:00:00 2001 +From: Jani Nikula +Date: Mon, 21 Oct 2013 10:52:07 +0300 +Subject: [PATCH 3/5] drm/i915/dp: workaround BIOS eDP bpp clamping issue + +This isn't a real fix to the problem, but rather a stopgap measure while +trying to find a proper solution. + +There are several laptops out there that fail to light up the eDP panel +in UEFI boot mode. They seem to be mostly IVB machines, including but +apparently not limited to Dell XPS 13, Asus TX300, Asus UX31A, Asus +UX32VD, Acer Aspire S7. They seem to work in CSM or legacy boot. + +The difference between UEFI and CSM is that the BIOS provides a +different VBT to the kernel. The UEFI VBT typically specifies 18 bpp and +1.62 GHz link for eDP, while CSM VBT has 24 bpp and 2.7 GHz link. We end +up clamping to 18 bpp in UEFI mode, which we can fit in the 1.62 Ghz +link, and for reasons yet unknown fail to light up the panel. + +Dithering from 24 to 18 bpp itself seems to work; if we use 18 bpp with +2.7 GHz link, the eDP panel lights up. So essentially this is a link +speed issue, and *not* a bpp clamping issue. + +The bug raised its head since +commit 657445fe8660100ad174600ebfa61536392b7624 +Author: Daniel Vetter +Date: Sat May 4 10:09:18 2013 +0200 + + Revert "drm/i915: revert eDP bpp clamping code changes" + +which started clamping bpp *before* computing the link requirements, and +thus affecting the required bandwidth. Clamping after the computations +kept the link at 2.7 GHz. + +Even though the BIOS tells us to use 18 bpp through the VBT, it happily +boots up at 24 bpp and 2.7 GHz itself! Use this information to +selectively ignore the VBT provided value. + +We can't ignore the VBT eDP bpp altogether, as there are other laptops +that do require the clamping to be used due to EDID reporting higher bpp +than the panel can support. + +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=59841 +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=67950 +Tested-by: Ulf Winkelvos +Tested-by: jkp +CC: stable@vger.kernel.org +Signed-off-by: Jani Nikula +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/intel_dp.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c +index 3aed1fe..07eb447 100644 +--- a/drivers/gpu/drm/i915/intel_dp.c ++++ b/drivers/gpu/drm/i915/intel_dp.c +@@ -1371,6 +1371,26 @@ static void intel_dp_get_config(struct intel_encoder *encoder, + } + + pipe_config->adjusted_mode.flags |= flags; ++ ++ if (is_edp(intel_dp) && dev_priv->vbt.edp_bpp && ++ pipe_config->pipe_bpp > dev_priv->vbt.edp_bpp) { ++ /* ++ * This is a big fat ugly hack. ++ * ++ * Some machines in UEFI boot mode provide us a VBT that has 18 ++ * bpp and 1.62 GHz link bandwidth for eDP, which for reasons ++ * unknown we fail to light up. Yet the same BIOS boots up with ++ * 24 bpp and 2.7 GHz link. Use the same bpp as the BIOS uses as ++ * max, not what it tells us to use. ++ * ++ * Note: This will still be broken if the eDP panel is not lit ++ * up by the BIOS, and thus we can't get the mode at module ++ * load. ++ */ ++ DRM_DEBUG_KMS("pipe has %d bpp for eDP panel, overriding BIOS-provided max %d bpp\n", ++ pipe_config->pipe_bpp, dev_priv->vbt.edp_bpp); ++ dev_priv->vbt.edp_bpp = pipe_config->pipe_bpp; ++ } + } + + static void intel_disable_dp(struct intel_encoder *encoder) +-- +1.8.3.1 + + +From 1e5ec9a5628cfd23443a91f80dea2118efb21afd Mon Sep 17 00:00:00 2001 +From: Rob Pearce +Date: Sun, 27 Oct 2013 16:13:42 +0000 +Subject: [PATCH 4/5] drm/i915: No LVDS hardware on Intel D410PT and D425KT + +The Intel D410PT(LW) and D425KT Mini-ITX desktop boards both show up as +having LVDS but the hardware is not populated. This patch adds them to +the list of such systems. Patch is against 3.11.4 + +v2: Patch revised to match the D425KT exactly as the D425KTW does have +LVDS. According to Intel's documentation, the D410PTL and D410PLTW +don't. + +Signed-off-by: Rob Pearce +Cc: stable@vger.kernel.org +[danvet: Pimp commit message to my liking and add cc: stable.] +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/intel_lvds.c | 16 ++++++++++++++++ + 1 file changed, 16 insertions(+) + +diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c +index 61348ea..44533dd 100644 +--- a/drivers/gpu/drm/i915/intel_lvds.c ++++ b/drivers/gpu/drm/i915/intel_lvds.c +@@ -696,6 +696,22 @@ static const struct dmi_system_id intel_no_lvds[] = { + }, + { + .callback = intel_no_lvds_dmi_callback, ++ .ident = "Intel D410PT", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), ++ DMI_MATCH(DMI_BOARD_NAME, "D410PT"), ++ }, ++ }, ++ { ++ .callback = intel_no_lvds_dmi_callback, ++ .ident = "Intel D425KT", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), ++ DMI_EXACT_MATCH(DMI_BOARD_NAME, "D425KT"), ++ }, ++ }, ++ { ++ .callback = intel_no_lvds_dmi_callback, + .ident = "Intel D510MO", + .matches = { + DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), +-- +1.8.3.1 + + +From 239319357b4a2d085e5f5c27b46aab5f612c5036 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Tue, 29 Oct 2013 12:04:08 +0100 +Subject: [PATCH 5/5] drm/i915: Fix the PPT fdi lane bifurcate state handling + on ivb +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +Originally I've thought that this is leftover hw state dirt from the +BIOS. But after way too much helpless flailing around on my part I've +noticed that the actual bug is when we change the state of an already +active pipe. + +For example when we change the fdi lines from 2 to 3 without switching +off outputs in-between we'll never see the crucial on->off transition +in the ->modeset_global_resources hook the current logic relies on. + +Patch version 2 got this right by instead also checking whether the +pipe is indeed active. But that in turn broke things when pipes have +been turned off through dpms since the bifurcate enabling is done in +the ->crtc_mode_set callback. + +To address this issues discussed with Ville in the patch review move +the setting of the bifurcate bit into the ->crtc_enable hook. That way +we won't wreak havoc with this state when userspace puts all other +outputs into dpms off state. This also moves us forward with our +overall goal to unify the modeset and dpms on paths (which we need to +have to allow runtime pm in the dpms off state). + +Unfortunately this requires us to move the bifurcate helpers around a +bit. + +Also update the commit message, I've misanalyzed the bug rather badly. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70507 +Tested-by: Jan-Michael Brummer +Cc: stable@vger.kernel.org +Cc: Ville Syrjälä +Reviewed-by: Ville Syrjälä +Signed-off-by: Daniel Vetter +--- + drivers/gpu/drm/i915/intel_display.c | 95 ++++++++++++++++++------------------ + 1 file changed, 48 insertions(+), 47 deletions(-) + +diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c +index 4aaccd3..ad2a258 100644 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -2251,9 +2251,10 @@ static void intel_fdi_normal_train(struct drm_crtc *crtc) + FDI_FE_ERRC_ENABLE); + } + +-static bool pipe_has_enabled_pch(struct intel_crtc *intel_crtc) ++static bool pipe_has_enabled_pch(struct intel_crtc *crtc) + { +- return intel_crtc->base.enabled && intel_crtc->config.has_pch_encoder; ++ return crtc->base.enabled && crtc->active && ++ crtc->config.has_pch_encoder; + } + + static void ivb_modeset_global_resources(struct drm_device *dev) +@@ -2901,6 +2902,48 @@ static void ironlake_pch_transcoder_set_timings(struct intel_crtc *crtc, + I915_READ(VSYNCSHIFT(cpu_transcoder))); + } + ++static void cpt_enable_fdi_bc_bifurcation(struct drm_device *dev) ++{ ++ struct drm_i915_private *dev_priv = dev->dev_private; ++ uint32_t temp; ++ ++ temp = I915_READ(SOUTH_CHICKEN1); ++ if (temp & FDI_BC_BIFURCATION_SELECT) ++ return; ++ ++ WARN_ON(I915_READ(FDI_RX_CTL(PIPE_B)) & FDI_RX_ENABLE); ++ WARN_ON(I915_READ(FDI_RX_CTL(PIPE_C)) & FDI_RX_ENABLE); ++ ++ temp |= FDI_BC_BIFURCATION_SELECT; ++ DRM_DEBUG_KMS("enabling fdi C rx\n"); ++ I915_WRITE(SOUTH_CHICKEN1, temp); ++ POSTING_READ(SOUTH_CHICKEN1); ++} ++ ++static void ivybridge_update_fdi_bc_bifurcation(struct intel_crtc *intel_crtc) ++{ ++ struct drm_device *dev = intel_crtc->base.dev; ++ struct drm_i915_private *dev_priv = dev->dev_private; ++ ++ switch (intel_crtc->pipe) { ++ case PIPE_A: ++ break; ++ case PIPE_B: ++ if (intel_crtc->config.fdi_lanes > 2) ++ WARN_ON(I915_READ(SOUTH_CHICKEN1) & FDI_BC_BIFURCATION_SELECT); ++ else ++ cpt_enable_fdi_bc_bifurcation(dev); ++ ++ break; ++ case PIPE_C: ++ cpt_enable_fdi_bc_bifurcation(dev); ++ ++ break; ++ default: ++ BUG(); ++ } ++} ++ + /* + * Enable PCH resources required for PCH ports: + * - PCH PLLs +@@ -2919,6 +2962,9 @@ static void ironlake_pch_enable(struct drm_crtc *crtc) + + assert_pch_transcoder_disabled(dev_priv, pipe); + ++ if (IS_IVYBRIDGE(dev)) ++ ivybridge_update_fdi_bc_bifurcation(intel_crtc); ++ + /* Write the TU size bits before fdi link training, so that error + * detection works. */ + I915_WRITE(FDI_RX_TUSIZE1(pipe), +@@ -5512,48 +5558,6 @@ static bool ironlake_compute_clocks(struct drm_crtc *crtc, + return true; + } + +-static void cpt_enable_fdi_bc_bifurcation(struct drm_device *dev) +-{ +- struct drm_i915_private *dev_priv = dev->dev_private; +- uint32_t temp; +- +- temp = I915_READ(SOUTH_CHICKEN1); +- if (temp & FDI_BC_BIFURCATION_SELECT) +- return; +- +- WARN_ON(I915_READ(FDI_RX_CTL(PIPE_B)) & FDI_RX_ENABLE); +- WARN_ON(I915_READ(FDI_RX_CTL(PIPE_C)) & FDI_RX_ENABLE); +- +- temp |= FDI_BC_BIFURCATION_SELECT; +- DRM_DEBUG_KMS("enabling fdi C rx\n"); +- I915_WRITE(SOUTH_CHICKEN1, temp); +- POSTING_READ(SOUTH_CHICKEN1); +-} +- +-static void ivybridge_update_fdi_bc_bifurcation(struct intel_crtc *intel_crtc) +-{ +- struct drm_device *dev = intel_crtc->base.dev; +- struct drm_i915_private *dev_priv = dev->dev_private; +- +- switch (intel_crtc->pipe) { +- case PIPE_A: +- break; +- case PIPE_B: +- if (intel_crtc->config.fdi_lanes > 2) +- WARN_ON(I915_READ(SOUTH_CHICKEN1) & FDI_BC_BIFURCATION_SELECT); +- else +- cpt_enable_fdi_bc_bifurcation(dev); +- +- break; +- case PIPE_C: +- cpt_enable_fdi_bc_bifurcation(dev); +- +- break; +- default: +- BUG(); +- } +-} +- + int ironlake_get_lanes_required(int target_clock, int link_bw, int bpp) + { + /* +@@ -5768,9 +5772,6 @@ static int ironlake_crtc_mode_set(struct drm_crtc *crtc, + &intel_crtc->config.fdi_m_n); + } + +- if (IS_IVYBRIDGE(dev)) +- ivybridge_update_fdi_bc_bifurcation(intel_crtc); +- + ironlake_set_pipeconf(crtc); + + /* Set up the display plane register */ +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index afe6a9480..9be7c39de 100644 --- a/kernel.spec +++ b/kernel.spec @@ -785,6 +785,9 @@ Patch25136: net_311.mbox #rhbz 1011621 Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch +#rhbz 995782 +Patch25138: intel-3.12-stable-fixes.patch + # END OF PATCH DEFINITIONS %endif @@ -1518,6 +1521,9 @@ ApplyPatch net_311.mbox #rhbz 1011621 ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch +#rhbz 995782 +ApplyPatch intel-3.12-stable-fixes.patch + # END OF PATCH APPLICATIONS %endif @@ -2330,6 +2336,9 @@ fi # and build. %changelog +* Thu Oct 31 2013 Josh Boyer +- Fix display regression on Dell XPS 13 machines (rhbz 995782) + * Tue Oct 29 2013 Josh Boyer - Fix plaintext auth regression in cifs (rhbz 1011621) From 70f3dba04a185ba0c60a99284061da8d9d826440 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 1 Nov 2013 08:23:10 -0400 Subject: [PATCH 255/468] CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) --- kernel.spec | 9 ++ net-flow_dissector-fail-on-evil-iph-ihl.patch | 82 +++++++++++++++++++ 2 files changed, 91 insertions(+) create mode 100644 net-flow_dissector-fail-on-evil-iph-ihl.patch diff --git a/kernel.spec b/kernel.spec index 9be7c39de..c49b0eb06 100644 --- a/kernel.spec +++ b/kernel.spec @@ -788,6 +788,9 @@ Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch #rhbz 995782 Patch25138: intel-3.12-stable-fixes.patch +#CVE-2013-4348 rhbz 1007939 1025647 +Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch + # END OF PATCH DEFINITIONS %endif @@ -1524,6 +1527,9 @@ ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch #rhbz 995782 ApplyPatch intel-3.12-stable-fixes.patch +#CVE-2013-4348 rhbz 1007939 1025647 +ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch + # END OF PATCH APPLICATIONS %endif @@ -2336,6 +2342,9 @@ fi # and build. %changelog +* Fri Nov 01 2013 Josh Boyer +- CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) + * Thu Oct 31 2013 Josh Boyer - Fix display regression on Dell XPS 13 machines (rhbz 995782) diff --git a/net-flow_dissector-fail-on-evil-iph-ihl.patch b/net-flow_dissector-fail-on-evil-iph-ihl.patch new file mode 100644 index 000000000..aba3ea88b --- /dev/null +++ b/net-flow_dissector-fail-on-evil-iph-ihl.patch @@ -0,0 +1,82 @@ +Path: news.gmane.org!not-for-mail +From: Jason Wang +Newsgroups: gmane.linux.kernel,gmane.linux.network +Subject: [PATCH net] net: flow_dissector: fail on evil iph->ihl +Date: Fri, 1 Nov 2013 15:01:10 +0800 +Lines: 34 +Approved: news@gmane.org +Message-ID: <1383289270-18952-1-git-send-email-jasowang@redhat.com> +NNTP-Posting-Host: plane.gmane.org +X-Trace: ger.gmane.org 1383289296 18578 80.91.229.3 (1 Nov 2013 07:01:36 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Fri, 1 Nov 2013 07:01:36 +0000 (UTC) +Cc: Jason Wang , + Petr Matousek , + "Michael S. Tsirkin" , + Daniel Borkmann +To: davem@davemloft.net, edumazet@google.com, netdev@vger.kernel.org, + linux-kernel@vger.kernel.org +Original-X-From: linux-kernel-owner@vger.kernel.org Fri Nov 01 08:01:39 2013 +Return-path: +Envelope-to: glk-linux-kernel-3@plane.gmane.org +Original-Received: from vger.kernel.org ([209.132.180.67]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1Vc8jh-00034h-9Y + for glk-linux-kernel-3@plane.gmane.org; Fri, 01 Nov 2013 08:01:37 +0100 +Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753899Ab3KAHB3 (ORCPT ); + Fri, 1 Nov 2013 03:01:29 -0400 +Original-Received: from mx1.redhat.com ([209.132.183.28]:8081 "EHLO mx1.redhat.com" + rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP + id S1752399Ab3KAHB1 (ORCPT ); + Fri, 1 Nov 2013 03:01:27 -0400 +Original-Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) + by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rA171QgE005079 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Fri, 1 Nov 2013 03:01:26 -0400 +Original-Received: from jason-ThinkPad-T430s.nay.redhat.com (dhcp-66-71-71.eng.nay.redhat.com [10.66.71.71] (may be forged)) + by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id rA171Jpr015790; + Fri, 1 Nov 2013 03:01:20 -0400 +X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 +Original-Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org +Xref: news.gmane.org gmane.linux.kernel:1588387 gmane.linux.network:289242 +Archived-At: + +We don't validate iph->ihl which may lead a dead loop if we meet a IPIP +skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl +is evil (less than 5). + +This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae +(rps: support IPIP encapsulation). + +Cc: Eric Dumazet +Cc: Petr Matousek +Cc: Michael S. Tsirkin +Cc: Daniel Borkmann +Signed-off-by: Jason Wang +--- +This patch is needed for stable. +--- + net/core/flow_dissector.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c +index 8d7d0dd..143b6fd 100644 +--- a/net/core/flow_dissector.c ++++ b/net/core/flow_dissector.c +@@ -40,7 +40,7 @@ again: + struct iphdr _iph; + ip: + iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); +- if (!iph) ++ if (!iph || iph->ihl < 5) + return false; + + if (ip_is_fragment(iph)) +-- +1.8.1.2 + From ce888b42cf37134c1b651e255ef5b672b9b2482b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 2 Nov 2013 08:40:14 -0400 Subject: [PATCH 256/468] Revert blocking patches causing systemd to crash on resume (rhbz 1010603) --- ...rt-epoll-use-freezable-blocking-call.patch | 49 +++++++++++++++++ ...t-select-use-freezable-blocking-call.patch | 55 +++++++++++++++++++ kernel.spec | 13 ++++- 3 files changed, 115 insertions(+), 2 deletions(-) create mode 100644 0001-Revert-epoll-use-freezable-blocking-call.patch create mode 100644 0001-Revert-select-use-freezable-blocking-call.patch diff --git a/0001-Revert-epoll-use-freezable-blocking-call.patch b/0001-Revert-epoll-use-freezable-blocking-call.patch new file mode 100644 index 000000000..eda58ee28 --- /dev/null +++ b/0001-Revert-epoll-use-freezable-blocking-call.patch @@ -0,0 +1,49 @@ +From c511851de162e8ec03d62e7d7feecbdf590d881d Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 29 Oct 2013 13:12:56 +0100 +Subject: [PATCH] Revert "epoll: use freezable blocking call" + +This reverts commit 1c441e921201 (epoll: use freezable blocking call) +which is reported to cause user space memory corruption to happen +after suspend to RAM. + +Since it appears to be extremely difficult to root cause this +problem, it is best to revert the offending commit and try to address +the original issue in a better way later. + +References: https://bugzilla.kernel.org/show_bug.cgi?id=61781 +Reported-by: Natrio +Reported-by: Jeff Pohlmeyer +Bisected-by: Leo Wolf +Fixes: 1c441e921201 (epoll: use freezable blocking call) +Signed-off-by: Rafael J. Wysocki +Cc: 3.11+ # 3.11+ +--- + fs/eventpoll.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 473e09d..810c28f 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -34,7 +34,6 @@ + #include + #include + #include +-#include + #include + #include + #include +@@ -1605,8 +1604,7 @@ fetch_events: + } + + spin_unlock_irqrestore(&ep->lock, flags); +- if (!freezable_schedule_hrtimeout_range(to, slack, +- HRTIMER_MODE_ABS)) ++ if (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS)) + timed_out = 1; + + spin_lock_irqsave(&ep->lock, flags); +-- +1.8.3.1 + diff --git a/0001-Revert-select-use-freezable-blocking-call.patch b/0001-Revert-select-use-freezable-blocking-call.patch new file mode 100644 index 000000000..0ab5152a0 --- /dev/null +++ b/0001-Revert-select-use-freezable-blocking-call.patch @@ -0,0 +1,55 @@ +From 59612d187912750f416fbffe0c00bc0811c54ab5 Mon Sep 17 00:00:00 2001 +From: "Rafael J. Wysocki" +Date: Tue, 29 Oct 2013 23:43:08 +0100 +Subject: [PATCH] Revert "select: use freezable blocking call" + +This reverts commit 9745cdb36da8 (select: use freezable blocking call) +that triggers problems during resume from suspend to RAM on Paul Bolle's +32-bit x86 machines. Paul says: + + Ever since I tried running (release candidates of) v3.11 on the two + working i686s I still have lying around I ran into issues on resuming + from suspend. Reverting 9745cdb36da8 (select: use freezable blocking + call) resolves those issues. + + Resuming from suspend on i686 on (release candidates of) v3.11 and + later triggers issues like: + + traps: systemd[1] general protection ip:b738e490 sp:bf882fc0 error:0 in libc-2.16.so[b731c000+1b0000] + + and + + traps: rtkit-daemon[552] general protection ip:804d6e5 sp:b6cb32f0 error:0 in rtkit-daemon[8048000+d000] + + Once I hit the systemd error I can only get out of the mess that the + system is at that point by power cycling it. + +Since we are reverting another freezer-related change causing similar +problems to happen, this one should be reverted as well. + +References: https://lkml.org/lkml/2013/10/29/583 +Reported-by: Paul Bolle +Fixes: 9745cdb36da8 (select: use freezable blocking call) +Signed-off-by: Rafael J. Wysocki +Cc: 3.11+ # 3.11+ +--- + fs/select.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +diff --git a/fs/select.c b/fs/select.c +index 35d4adc7..dfd5cb1 100644 +--- a/fs/select.c ++++ b/fs/select.c +@@ -238,8 +238,7 @@ int poll_schedule_timeout(struct poll_wqueues *pwq, int state, + + set_current_state(state); + if (!pwq->triggered) +- rc = freezable_schedule_hrtimeout_range(expires, slack, +- HRTIMER_MODE_ABS); ++ rc = schedule_hrtimeout_range(expires, slack, HRTIMER_MODE_ABS); + __set_current_state(TASK_RUNNING); + + /* +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index c49b0eb06..d4bf0ea9b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 200 +%global baserelease 201 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -791,6 +791,10 @@ Patch25138: intel-3.12-stable-fixes.patch #CVE-2013-4348 rhbz 1007939 1025647 Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch +#rhbz 1010603 +Patch25140: 0001-Revert-epoll-use-freezable-blocking-call.patch +Patch25141: 0001-Revert-select-use-freezable-blocking-call.patch + # END OF PATCH DEFINITIONS %endif @@ -1530,6 +1534,10 @@ ApplyPatch intel-3.12-stable-fixes.patch #CVE-2013-4348 rhbz 1007939 1025647 ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch +#rhbz 1010603 +ApplyPatch 0001-Revert-epoll-use-freezable-blocking-call.patch +ApplyPatch 0001-Revert-select-use-freezable-blocking-call.patch + # END OF PATCH APPLICATIONS %endif @@ -2342,7 +2350,8 @@ fi # and build. %changelog -* Fri Nov 01 2013 Josh Boyer +* Fri Nov 01 2013 Josh Boyer - 3.11.6-201 +- Revert blocking patches causing systemd to crash on resume (rhbz 1010603) - CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) * Thu Oct 31 2013 Josh Boyer From 384057ff16cddd25950790aa25eee0057d26edc0 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Mon, 4 Nov 2013 07:42:46 -0600 Subject: [PATCH 257/468] Linux v3.11.7 --- kernel.spec | 13 +- net_311.mbox | 3794 -------------------------------------------------- sources | 2 +- 3 files changed, 6 insertions(+), 3803 deletions(-) delete mode 100644 net_311.mbox diff --git a/kernel.spec b/kernel.spec index d4bf0ea9b..c895d2b55 100644 --- a/kernel.spec +++ b/kernel.spec @@ -62,7 +62,7 @@ Summary: The Linux kernel # For non-released -rc kernels, this will be appended after the rcX and # gitX tags, so a 3 here would become part of release "0.rcX.gitX.3" # -%global baserelease 201 +%global baserelease 200 %global fedora_build %{baserelease} # base_sublevel is the kernel version we're starting with and patching @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 6 +%define stable_update 7 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -779,9 +779,6 @@ Patch25133: fix-buslogic.patch #rhbz 1023413 Patch25135: alps-Support-for-Dell-XT2-model.patch -#CVE-2013-4470 rhbz 1023477 1023495 -Patch25136: net_311.mbox - #rhbz 1011621 Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch @@ -1522,9 +1519,6 @@ ApplyPatch fix-buslogic.patch #rhbz 1023413 ApplyPatch alps-Support-for-Dell-XT2-model.patch -#CVE-2013-4470 rhbz 1023477 1023495 -ApplyPatch net_311.mbox - #rhbz 1011621 ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch @@ -2350,6 +2344,9 @@ fi # and build. %changelog +* Mon Nov 04 2013 Justin M. Forbes - 3.11.7-200 +- Linux v3.11.7 + * Fri Nov 01 2013 Josh Boyer - 3.11.6-201 - Revert blocking patches causing systemd to crash on resume (rhbz 1010603) - CVE-2013-4348 net: deadloop path in skb_flow_dissect (rhbz 1007939 1025647) diff --git a/net_311.mbox b/net_311.mbox deleted file mode 100644 index d420777dd..000000000 --- a/net_311.mbox +++ /dev/null @@ -1,3794 +0,0 @@ -From 5444e381f5784d32d741864312909d2a6afe428e Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Tue, 27 Aug 2013 05:46:32 -0700 -Subject: [PATCH 01/47] tcp: TSO packets automatic sizing - -[ Upstream commits 6d36824e730f247b602c90e8715a792003e3c5a7, - 02cf4ebd82ff0ac7254b88e466820a290ed8289a, and parts of - 7eec4174ff29cd42f2acfae8112f51c228545d40 ] - -After hearing many people over past years complaining against TSO being -bursty or even buggy, we are proud to present automatic sizing of TSO -packets. - -One part of the problem is that tcp_tso_should_defer() uses an heuristic -relying on upcoming ACKS instead of a timer, but more generally, having -big TSO packets makes little sense for low rates, as it tends to create -micro bursts on the network, and general consensus is to reduce the -buffering amount. - -This patch introduces a per socket sk_pacing_rate, that approximates -the current sending rate, and allows us to size the TSO packets so -that we try to send one packet every ms. - -This field could be set by other transports. - -Patch has no impact for high speed flows, where having large TSO packets -makes sense to reach line rate. - -For other flows, this helps better packet scheduling and ACK clocking. - -This patch increases performance of TCP flows in lossy environments. - -A new sysctl (tcp_min_tso_segs) is added, to specify the -minimal size of a TSO packet (default being 2). - -A follow-up patch will provide a new packet scheduler (FQ), using -sk_pacing_rate as an input to perform optional per flow pacing. - -This explains why we chose to set sk_pacing_rate to twice the current -rate, allowing 'slow start' ramp up. - -sk_pacing_rate = 2 * cwnd * mss / srtt - -v2: Neal Cardwell reported a suspect deferring of last two segments on -initial write of 10 MSS, I had to change tcp_tso_should_defer() to take -into account tp->xmit_size_goal_segs - -Signed-off-by: Eric Dumazet -Cc: Neal Cardwell -Cc: Yuchung Cheng -Cc: Van Jacobson -Cc: Tom Herbert -Acked-by: Yuchung Cheng -Acked-by: Neal Cardwell -Signed-off-by: David S. Miller ---- - Documentation/networking/ip-sysctl.txt | 9 +++++++++ - include/net/sock.h | 2 ++ - include/net/tcp.h | 1 + - net/core/sock.c | 1 + - net/ipv4/sysctl_net_ipv4.c | 10 ++++++++++ - net/ipv4/tcp.c | 28 +++++++++++++++++++++++----- - net/ipv4/tcp_input.c | 34 +++++++++++++++++++++++++++++++++- - net/ipv4/tcp_output.c | 2 +- - 8 files changed, 80 insertions(+), 7 deletions(-) - -diff --git a/Documentation/networking/ip-sysctl.txt b/Documentation/networking/ip-sysctl.txt -index 1074290..b522883 100644 ---- a/Documentation/networking/ip-sysctl.txt -+++ b/Documentation/networking/ip-sysctl.txt -@@ -478,6 +478,15 @@ tcp_syn_retries - INTEGER - tcp_timestamps - BOOLEAN - Enable timestamps as defined in RFC1323. - -+tcp_min_tso_segs - INTEGER -+ Minimal number of segments per TSO frame. -+ Since linux-3.12, TCP does an automatic sizing of TSO frames, -+ depending on flow rate, instead of filling 64Kbytes packets. -+ For specific usages, it's possible to force TCP to build big -+ TSO frames. Note that TCP stack might split too big TSO packets -+ if available window is too small. -+ Default: 2 -+ - tcp_tso_win_divisor - INTEGER - This allows control over what percentage of the congestion window - can be consumed by a single TSO frame. -diff --git a/include/net/sock.h b/include/net/sock.h -index 31d5cfb..04e148f 100644 ---- a/include/net/sock.h -+++ b/include/net/sock.h -@@ -232,6 +232,7 @@ struct cg_proto; - * @sk_napi_id: id of the last napi context to receive data for sk - * @sk_ll_usec: usecs to busypoll when there is no data - * @sk_allocation: allocation mode -+ * @sk_pacing_rate: Pacing rate (if supported by transport/packet scheduler) - * @sk_sndbuf: size of send buffer in bytes - * @sk_flags: %SO_LINGER (l_onoff), %SO_BROADCAST, %SO_KEEPALIVE, - * %SO_OOBINLINE settings, %SO_TIMESTAMPING settings -@@ -361,6 +362,7 @@ struct sock { - kmemcheck_bitfield_end(flags); - int sk_wmem_queued; - gfp_t sk_allocation; -+ u32 sk_pacing_rate; /* bytes per second */ - netdev_features_t sk_route_caps; - netdev_features_t sk_route_nocaps; - int sk_gso_type; -diff --git a/include/net/tcp.h b/include/net/tcp.h -index d198005..46cb8a4 100644 ---- a/include/net/tcp.h -+++ b/include/net/tcp.h -@@ -284,6 +284,7 @@ extern int sysctl_tcp_thin_dupack; - extern int sysctl_tcp_early_retrans; - extern int sysctl_tcp_limit_output_bytes; - extern int sysctl_tcp_challenge_ack_limit; -+extern int sysctl_tcp_min_tso_segs; - - extern atomic_long_t tcp_memory_allocated; - extern struct percpu_counter tcp_sockets_allocated; -diff --git a/net/core/sock.c b/net/core/sock.c -index 2c097c5..8729d91 100644 ---- a/net/core/sock.c -+++ b/net/core/sock.c -@@ -2297,6 +2297,7 @@ void sock_init_data(struct socket *sock, struct sock *sk) - sk->sk_ll_usec = sysctl_net_busy_read; - #endif - -+ sk->sk_pacing_rate = ~0U; - /* - * Before updating sk_refcnt, we must commit prior changes to memory - * (Documentation/RCU/rculist_nulls.txt for details) -diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c -index 610e324..6900b8b 100644 ---- a/net/ipv4/sysctl_net_ipv4.c -+++ b/net/ipv4/sysctl_net_ipv4.c -@@ -29,6 +29,7 @@ - static int zero; - static int one = 1; - static int four = 4; -+static int gso_max_segs = GSO_MAX_SEGS; - static int tcp_retr1_max = 255; - static int ip_local_port_range_min[] = { 1, 1 }; - static int ip_local_port_range_max[] = { 65535, 65535 }; -@@ -754,6 +755,15 @@ static struct ctl_table ipv4_table[] = { - .extra2 = &four, - }, - { -+ .procname = "tcp_min_tso_segs", -+ .data = &sysctl_tcp_min_tso_segs, -+ .maxlen = sizeof(int), -+ .mode = 0644, -+ .proc_handler = proc_dointvec_minmax, -+ .extra1 = &zero, -+ .extra2 = &gso_max_segs, -+ }, -+ { - .procname = "udp_mem", - .data = &sysctl_udp_mem, - .maxlen = sizeof(sysctl_udp_mem), -diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c -index 95544e4..ec586e5 100644 ---- a/net/ipv4/tcp.c -+++ b/net/ipv4/tcp.c -@@ -283,6 +283,8 @@ - - int sysctl_tcp_fin_timeout __read_mostly = TCP_FIN_TIMEOUT; - -+int sysctl_tcp_min_tso_segs __read_mostly = 2; -+ - struct percpu_counter tcp_orphan_count; - EXPORT_SYMBOL_GPL(tcp_orphan_count); - -@@ -789,12 +791,28 @@ static unsigned int tcp_xmit_size_goal(struct sock *sk, u32 mss_now, - xmit_size_goal = mss_now; - - if (large_allowed && sk_can_gso(sk)) { -- xmit_size_goal = ((sk->sk_gso_max_size - 1) - -- inet_csk(sk)->icsk_af_ops->net_header_len - -- inet_csk(sk)->icsk_ext_hdr_len - -- tp->tcp_header_len); -+ u32 gso_size, hlen; -+ -+ /* Maybe we should/could use sk->sk_prot->max_header here ? */ -+ hlen = inet_csk(sk)->icsk_af_ops->net_header_len + -+ inet_csk(sk)->icsk_ext_hdr_len + -+ tp->tcp_header_len; -+ -+ /* Goal is to send at least one packet per ms, -+ * not one big TSO packet every 100 ms. -+ * This preserves ACK clocking and is consistent -+ * with tcp_tso_should_defer() heuristic. -+ */ -+ gso_size = sk->sk_pacing_rate / (2 * MSEC_PER_SEC); -+ gso_size = max_t(u32, gso_size, -+ sysctl_tcp_min_tso_segs * mss_now); -+ -+ xmit_size_goal = min_t(u32, gso_size, -+ sk->sk_gso_max_size - 1 - hlen); - -- /* TSQ : try to have two TSO segments in flight */ -+ /* TSQ : try to have at least two segments in flight -+ * (one in NIC TX ring, another in Qdisc) -+ */ - xmit_size_goal = min_t(u32, xmit_size_goal, - sysctl_tcp_limit_output_bytes >> 1); - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 3ca2139..2f0e94b 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -688,6 +688,34 @@ static void tcp_rtt_estimator(struct sock *sk, const __u32 mrtt) - } - } - -+/* Set the sk_pacing_rate to allow proper sizing of TSO packets. -+ * Note: TCP stack does not yet implement pacing. -+ * FQ packet scheduler can be used to implement cheap but effective -+ * TCP pacing, to smooth the burst on large writes when packets -+ * in flight is significantly lower than cwnd (or rwin) -+ */ -+static void tcp_update_pacing_rate(struct sock *sk) -+{ -+ const struct tcp_sock *tp = tcp_sk(sk); -+ u64 rate; -+ -+ /* set sk_pacing_rate to 200 % of current rate (mss * cwnd / srtt) */ -+ rate = (u64)tp->mss_cache * 2 * (HZ << 3); -+ -+ rate *= max(tp->snd_cwnd, tp->packets_out); -+ -+ /* Correction for small srtt : minimum srtt being 8 (1 jiffy << 3), -+ * be conservative and assume srtt = 1 (125 us instead of 1.25 ms) -+ * We probably need usec resolution in the future. -+ * Note: This also takes care of possible srtt=0 case, -+ * when tcp_rtt_estimator() was not yet called. -+ */ -+ if (tp->srtt > 8 + 2) -+ do_div(rate, tp->srtt); -+ -+ sk->sk_pacing_rate = min_t(u64, rate, ~0U); -+} -+ - /* Calculate rto without backoff. This is the second half of Van Jacobson's - * routine referred to above. - */ -@@ -3269,7 +3297,7 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) - u32 ack_seq = TCP_SKB_CB(skb)->seq; - u32 ack = TCP_SKB_CB(skb)->ack_seq; - bool is_dupack = false; -- u32 prior_in_flight; -+ u32 prior_in_flight, prior_cwnd = tp->snd_cwnd, prior_rtt = tp->srtt; - u32 prior_fackets; - int prior_packets = tp->packets_out; - const int prior_unsacked = tp->packets_out - tp->sacked_out; -@@ -3375,6 +3403,8 @@ static int tcp_ack(struct sock *sk, const struct sk_buff *skb, int flag) - - if (icsk->icsk_pending == ICSK_TIME_RETRANS) - tcp_schedule_loss_probe(sk); -+ if (tp->srtt != prior_rtt || tp->snd_cwnd != prior_cwnd) -+ tcp_update_pacing_rate(sk); - return 1; - - no_queue: -@@ -5671,6 +5701,8 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb, - } else - tcp_init_metrics(sk); - -+ tcp_update_pacing_rate(sk); -+ - /* Prevent spurious tcp_cwnd_restart() on first data packet */ - tp->lsndtime = tcp_time_stamp; - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 170737a..7b263c3 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -1628,7 +1628,7 @@ static bool tcp_tso_should_defer(struct sock *sk, struct sk_buff *skb) - - /* If a full-sized TSO skb can be sent, do it. */ - if (limit >= min_t(unsigned int, sk->sk_gso_max_size, -- sk->sk_gso_max_segs * tp->mss_cache)) -+ tp->xmit_size_goal_segs * tp->mss_cache)) - goto send_now; - - /* Middle in queue won't get any more data, full sendable already? */ --- -1.7.11.7 - - -From 1b6c7d9979e1db1d42bd0545452a9d204c019582 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 27 Sep 2013 03:28:54 -0700 -Subject: [PATCH 02/47] tcp: TSQ can use a dynamic limit - -[ Upstream commit c9eeec26e32e087359160406f96e0949b3cc6f10 ] - -When TCP Small Queues was added, we used a sysctl to limit amount of -packets queues on Qdisc/device queues for a given TCP flow. - -Problem is this limit is either too big for low rates, or too small -for high rates. - -Now TCP stack has rate estimation in sk->sk_pacing_rate, and TSO -auto sizing, it can better control number of packets in Qdisc/device -queues. - -New limit is two packets or at least 1 to 2 ms worth of packets. - -Low rates flows benefit from this patch by having even smaller -number of packets in queues, allowing for faster recovery, -better RTT estimations. - -High rates flows benefit from this patch by allowing more than 2 packets -in flight as we had reports this was a limiting factor to reach line -rate. [ In particular if TX completion is delayed because of coalescing -parameters ] - -Example for a single flow on 10Gbp link controlled by FQ/pacing - -14 packets in flight instead of 2 - -$ tc -s -d qd -qdisc fq 8001: dev eth0 root refcnt 32 limit 10000p flow_limit 100p -buckets 1024 quantum 3028 initial_quantum 15140 - Sent 1168459366606 bytes 771822841 pkt (dropped 0, overlimits 0 -requeues 6822476) - rate 9346Mbit 771713pps backlog 953820b 14p requeues 6822476 - 2047 flow, 2046 inactive, 1 throttled, delay 15673 ns - 2372 gc, 0 highprio, 0 retrans, 9739249 throttled, 0 flows_plimit - -Note that sk_pacing_rate is currently set to twice the actual rate, but -this might be refined in the future when a flow is in congestion -avoidance. - -Additional change : skb->destructor should be set to tcp_wfree(). - -A future patch (for linux 3.13+) might remove tcp_limit_output_bytes - -Signed-off-by: Eric Dumazet -Cc: Wei Liu -Cc: Cong Wang -Cc: Yuchung Cheng -Cc: Neal Cardwell -Acked-by: Neal Cardwell -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_output.c | 17 +++++++++++------ - 1 file changed, 11 insertions(+), 6 deletions(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index 7b263c3..fe897ed 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -892,8 +892,7 @@ static int tcp_transmit_skb(struct sock *sk, struct sk_buff *skb, int clone_it, - - skb_orphan(skb); - skb->sk = sk; -- skb->destructor = (sysctl_tcp_limit_output_bytes > 0) ? -- tcp_wfree : sock_wfree; -+ skb->destructor = tcp_wfree; - atomic_add(skb->truesize, &sk->sk_wmem_alloc); - - /* Build TCP header and checksum it. */ -@@ -1837,7 +1836,6 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, - while ((skb = tcp_send_head(sk))) { - unsigned int limit; - -- - tso_segs = tcp_init_tso_segs(sk, skb, mss_now); - BUG_ON(!tso_segs); - -@@ -1866,13 +1864,20 @@ static bool tcp_write_xmit(struct sock *sk, unsigned int mss_now, int nonagle, - break; - } - -- /* TSQ : sk_wmem_alloc accounts skb truesize, -- * including skb overhead. But thats OK. -+ /* TCP Small Queues : -+ * Control number of packets in qdisc/devices to two packets / or ~1 ms. -+ * This allows for : -+ * - better RTT estimation and ACK scheduling -+ * - faster recovery -+ * - high rates - */ -- if (atomic_read(&sk->sk_wmem_alloc) >= sysctl_tcp_limit_output_bytes) { -+ limit = max(skb->truesize, sk->sk_pacing_rate >> 10); -+ -+ if (atomic_read(&sk->sk_wmem_alloc) > limit) { - set_bit(TSQ_THROTTLED, &tp->tsq_flags); - break; - } -+ - limit = mss_now; - if (tso_segs > 1 && !tcp_urg_mode(tp)) - limit = tcp_mss_split_point(sk, skb, mss_now, --- -1.7.11.7 - - -From 4f25abff83e2780265eaa17d437b7659ea543bd5 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Tue, 15 Oct 2013 11:54:30 -0700 -Subject: [PATCH 03/47] tcp: must unclone packets before mangling them - -[ Upstream commit c52e2421f7368fd36cbe330d2cf41b10452e39a9 ] - -TCP stack should make sure it owns skbs before mangling them. - -We had various crashes using bnx2x, and it turned out gso_size -was cleared right before bnx2x driver was populating TC descriptor -of the _previous_ packet send. TCP stack can sometime retransmit -packets that are still in Qdisc. - -Of course we could make bnx2x driver more robust (using -ACCESS_ONCE(shinfo->gso_size) for example), but the bug is TCP stack. - -We have identified two points where skb_unclone() was needed. - -This patch adds a WARN_ON_ONCE() to warn us if we missed another -fix of this kind. - -Kudos to Neal for finding the root cause of this bug. Its visible -using small MSS. - -Signed-off-by: Eric Dumazet -Signed-off-by: Neal Cardwell -Cc: Yuchung Cheng -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_output.c | 9 ++++++--- - 1 file changed, 6 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c -index fe897ed..28c0d6a 100644 ---- a/net/ipv4/tcp_output.c -+++ b/net/ipv4/tcp_output.c -@@ -981,6 +981,9 @@ static void tcp_queue_skb(struct sock *sk, struct sk_buff *skb) - static void tcp_set_skb_tso_segs(const struct sock *sk, struct sk_buff *skb, - unsigned int mss_now) - { -+ /* Make sure we own this skb before messing gso_size/gso_segs */ -+ WARN_ON_ONCE(skb_cloned(skb)); -+ - if (skb->len <= mss_now || !sk_can_gso(sk) || - skb->ip_summed == CHECKSUM_NONE) { - /* Avoid the costly divide in the normal -@@ -1062,9 +1065,7 @@ int tcp_fragment(struct sock *sk, struct sk_buff *skb, u32 len, - if (nsize < 0) - nsize = 0; - -- if (skb_cloned(skb) && -- skb_is_nonlinear(skb) && -- pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) -+ if (skb_unclone(skb, GFP_ATOMIC)) - return -ENOMEM; - - /* Get a new skb... force flag on. */ -@@ -2339,6 +2340,8 @@ int __tcp_retransmit_skb(struct sock *sk, struct sk_buff *skb) - int oldpcount = tcp_skb_pcount(skb); - - if (unlikely(oldpcount > 1)) { -+ if (skb_unclone(skb, GFP_ATOMIC)) -+ return -ENOMEM; - tcp_init_tso_segs(sk, skb, cur_mss); - tcp_adjust_pcount(sk, skb, oldpcount - tcp_skb_pcount(skb)); - } --- -1.7.11.7 - - -From 8731e25f7527ca851045eb0715d998d1ac07aadb Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Fri, 4 Oct 2013 10:31:41 -0700 -Subject: [PATCH 04/47] tcp: do not forget FIN in tcp_shifted_skb() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 5e8a402f831dbe7ee831340a91439e46f0d38acd ] - -Yuchung found following problem : - - There are bugs in the SACK processing code, merging part in - tcp_shift_skb_data(), that incorrectly resets or ignores the sacked - skbs FIN flag. When a receiver first SACK the FIN sequence, and later - throw away ofo queue (e.g., sack-reneging), the sender will stop - retransmitting the FIN flag, and hangs forever. - -Following packetdrill test can be used to reproduce the bug. - -$ cat sack-merge-bug.pkt -`sysctl -q net.ipv4.tcp_fack=0` - -// Establish a connection and send 10 MSS. -0.000 socket(..., SOCK_STREAM, IPPROTO_TCP) = 3 -+.000 setsockopt(3, SOL_SOCKET, SO_REUSEADDR, [1], 4) = 0 -+.000 bind(3, ..., ...) = 0 -+.000 listen(3, 1) = 0 - -+.050 < S 0:0(0) win 32792 -+.000 > S. 0:0(0) ack 1 -+.001 < . 1:1(0) ack 1 win 1024 -+.000 accept(3, ..., ...) = 4 - -+.100 write(4, ..., 12000) = 12000 -+.000 shutdown(4, SHUT_WR) = 0 -+.000 > . 1:10001(10000) ack 1 -+.050 < . 1:1(0) ack 2001 win 257 -+.000 > FP. 10001:12001(2000) ack 1 -+.050 < . 1:1(0) ack 2001 win 257 -+.050 < . 1:1(0) ack 2001 win 257 -// SACK reneg -+.050 < . 1:1(0) ack 12001 win 257 -+0 %{ print "unacked: ",tcpi_unacked }% -+5 %{ print "" }% - -First, a typo inverted left/right of one OR operation, then -code forgot to advance end_seq if the merged skb carried FIN. - -Bug was added in 2.6.29 by commit 832d11c5cd076ab -("tcp: Try to restore large SKBs while SACK processing") - -Signed-off-by: Eric Dumazet -Signed-off-by: Yuchung Cheng -Acked-by: Neal Cardwell -Cc: Ilpo Järvinen -Acked-by: Ilpo Järvinen -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_input.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 2f0e94b..61e2360 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -1279,7 +1279,10 @@ static bool tcp_shifted_skb(struct sock *sk, struct sk_buff *skb, - tp->lost_cnt_hint -= tcp_skb_pcount(prev); - } - -- TCP_SKB_CB(skb)->tcp_flags |= TCP_SKB_CB(prev)->tcp_flags; -+ TCP_SKB_CB(prev)->tcp_flags |= TCP_SKB_CB(skb)->tcp_flags; -+ if (TCP_SKB_CB(skb)->tcp_flags & TCPHDR_FIN) -+ TCP_SKB_CB(prev)->end_seq++; -+ - if (skb == tcp_highest_sack(sk)) - tcp_advance_highest_sack(sk, skb); - --- -1.7.11.7 - - -From bfc0a00d669a4fa0835c417f01c50c18996d1e60 Mon Sep 17 00:00:00 2001 -From: Yuchung Cheng -Date: Sat, 12 Oct 2013 10:16:27 -0700 -Subject: [PATCH 05/47] tcp: fix incorrect ca_state in tail loss probe - -[ Upstream commit 031afe4990a7c9dbff41a3a742c44d3e740ea0a1 ] - -On receiving an ACK that covers the loss probe sequence, TLP -immediately sets the congestion state to Open, even though some packets -are not recovered and retransmisssion are on the way. The later ACks -may trigger a WARN_ON check in step D of tcp_fastretrans_alert(), e.g., -https://bugzilla.redhat.com/show_bug.cgi?id=989251 - -The fix is to follow the similar procedure in recovery by calling -tcp_try_keep_open(). The sender switches to Open state if no packets -are retransmissted. Otherwise it goes to Disorder and let subsequent -ACKs move the state to Recovery or Open. - -Reported-By: Michael Sterrett -Tested-By: Dormando -Signed-off-by: Yuchung Cheng -Acked-by: Neal Cardwell -Signed-off-by: David S. Miller ---- - net/ipv4/tcp_input.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c -index 61e2360..723951a 100644 ---- a/net/ipv4/tcp_input.c -+++ b/net/ipv4/tcp_input.c -@@ -3284,7 +3284,7 @@ static void tcp_process_tlp_ack(struct sock *sk, u32 ack, int flag) - tcp_init_cwnd_reduction(sk, true); - tcp_set_ca_state(sk, TCP_CA_CWR); - tcp_end_cwnd_reduction(sk); -- tcp_set_ca_state(sk, TCP_CA_Open); -+ tcp_try_keep_open(sk); - NET_INC_STATS_BH(sock_net(sk), - LINUX_MIB_TCPLOSSPROBERECOVERY); - } --- -1.7.11.7 - - -From 05c9fdfad860abd64136d8ccd88dbf84e40bd5f5 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Tue, 1 Oct 2013 21:04:11 -0700 -Subject: [PATCH 06/47] net: do not call sock_put() on TIMEWAIT sockets - -[ Upstream commit 80ad1d61e72d626e30ebe8529a0455e660ca4693 ] - -commit 3ab5aee7fe84 ("net: Convert TCP & DCCP hash tables to use RCU / -hlist_nulls") incorrectly used sock_put() on TIMEWAIT sockets. - -We should instead use inet_twsk_put() - -Signed-off-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/inet_hashtables.c | 2 +- - net/ipv6/inet6_hashtables.c | 2 +- - 2 files changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/ipv4/inet_hashtables.c b/net/ipv4/inet_hashtables.c -index 7bd8983..96da9c7 100644 ---- a/net/ipv4/inet_hashtables.c -+++ b/net/ipv4/inet_hashtables.c -@@ -287,7 +287,7 @@ begintw: - if (unlikely(!INET_TW_MATCH(sk, net, acookie, - saddr, daddr, ports, - dif))) { -- sock_put(sk); -+ inet_twsk_put(inet_twsk(sk)); - goto begintw; - } - goto out; -diff --git a/net/ipv6/inet6_hashtables.c b/net/ipv6/inet6_hashtables.c -index 32b4a16..066640e 100644 ---- a/net/ipv6/inet6_hashtables.c -+++ b/net/ipv6/inet6_hashtables.c -@@ -116,7 +116,7 @@ begintw: - } - if (unlikely(!INET6_TW_MATCH(sk, net, saddr, daddr, - ports, dif))) { -- sock_put(sk); -+ inet_twsk_put(inet_twsk(sk)); - goto begintw; - } - goto out; --- -1.7.11.7 - - -From bc7fd34d31c17b0e4c100013e77277a2ed7e15cf Mon Sep 17 00:00:00 2001 -From: Matthias Schiffer -Date: Fri, 27 Sep 2013 18:03:39 +0200 -Subject: [PATCH 07/47] batman-adv: set up network coding packet handlers - during module init - -[ Upstream commit 6c519bad7b19a2c14a075b400edabaa630330123 ] - -batman-adv saves its table of packet handlers as a global state, so handlers -must be set up only once (and setting them up a second time will fail). - -The recently-added network coding support tries to set up its handler each time -a new softif is registered, which obviously fails when more that one softif is -used (and in consequence, the softif creation fails). - -Fix this by splitting up batadv_nc_init into batadv_nc_init (which is called -only once) and batadv_nc_mesh_init (which is called for each softif); in -addition batadv_nc_free is renamed to batadv_nc_mesh_free to keep naming -consistent. - -Signed-off-by: Matthias Schiffer -Signed-off-by: Marek Lindner -Signed-off-by: Antonio Quartulli ---- - net/batman-adv/main.c | 5 +++-- - net/batman-adv/network-coding.c | 28 ++++++++++++++++++---------- - net/batman-adv/network-coding.h | 14 ++++++++++---- - 3 files changed, 31 insertions(+), 16 deletions(-) - -diff --git a/net/batman-adv/main.c b/net/batman-adv/main.c -index 08125f3..c8e0671 100644 ---- a/net/batman-adv/main.c -+++ b/net/batman-adv/main.c -@@ -61,6 +61,7 @@ static int __init batadv_init(void) - batadv_recv_handler_init(); - - batadv_iv_init(); -+ batadv_nc_init(); - - batadv_event_workqueue = create_singlethread_workqueue("bat_events"); - -@@ -138,7 +139,7 @@ int batadv_mesh_init(struct net_device *soft_iface) - if (ret < 0) - goto err; - -- ret = batadv_nc_init(bat_priv); -+ ret = batadv_nc_mesh_init(bat_priv); - if (ret < 0) - goto err; - -@@ -163,7 +164,7 @@ void batadv_mesh_free(struct net_device *soft_iface) - batadv_vis_quit(bat_priv); - - batadv_gw_node_purge(bat_priv); -- batadv_nc_free(bat_priv); -+ batadv_nc_mesh_free(bat_priv); - batadv_dat_free(bat_priv); - batadv_bla_free(bat_priv); - -diff --git a/net/batman-adv/network-coding.c b/net/batman-adv/network-coding.c -index a487d46..4ecc0b6 100644 ---- a/net/batman-adv/network-coding.c -+++ b/net/batman-adv/network-coding.c -@@ -35,6 +35,20 @@ static int batadv_nc_recv_coded_packet(struct sk_buff *skb, - struct batadv_hard_iface *recv_if); - - /** -+ * batadv_nc_init - one-time initialization for network coding -+ */ -+int __init batadv_nc_init(void) -+{ -+ int ret; -+ -+ /* Register our packet type */ -+ ret = batadv_recv_handler_register(BATADV_CODED, -+ batadv_nc_recv_coded_packet); -+ -+ return ret; -+} -+ -+/** - * batadv_nc_start_timer - initialise the nc periodic worker - * @bat_priv: the bat priv with all the soft interface information - */ -@@ -45,10 +59,10 @@ static void batadv_nc_start_timer(struct batadv_priv *bat_priv) - } - - /** -- * batadv_nc_init - initialise coding hash table and start house keeping -+ * batadv_nc_mesh_init - initialise coding hash table and start house keeping - * @bat_priv: the bat priv with all the soft interface information - */ --int batadv_nc_init(struct batadv_priv *bat_priv) -+int batadv_nc_mesh_init(struct batadv_priv *bat_priv) - { - bat_priv->nc.timestamp_fwd_flush = jiffies; - bat_priv->nc.timestamp_sniffed_purge = jiffies; -@@ -70,11 +84,6 @@ int batadv_nc_init(struct batadv_priv *bat_priv) - batadv_hash_set_lock_class(bat_priv->nc.coding_hash, - &batadv_nc_decoding_hash_lock_class_key); - -- /* Register our packet type */ -- if (batadv_recv_handler_register(BATADV_CODED, -- batadv_nc_recv_coded_packet) < 0) -- goto err; -- - INIT_DELAYED_WORK(&bat_priv->nc.work, batadv_nc_worker); - batadv_nc_start_timer(bat_priv); - -@@ -1721,12 +1730,11 @@ free_nc_packet: - } - - /** -- * batadv_nc_free - clean up network coding memory -+ * batadv_nc_mesh_free - clean up network coding memory - * @bat_priv: the bat priv with all the soft interface information - */ --void batadv_nc_free(struct batadv_priv *bat_priv) -+void batadv_nc_mesh_free(struct batadv_priv *bat_priv) - { -- batadv_recv_handler_unregister(BATADV_CODED); - cancel_delayed_work_sync(&bat_priv->nc.work); - - batadv_nc_purge_paths(bat_priv, bat_priv->nc.coding_hash, NULL); -diff --git a/net/batman-adv/network-coding.h b/net/batman-adv/network-coding.h -index 85a4ec8..ddfa618 100644 ---- a/net/batman-adv/network-coding.h -+++ b/net/batman-adv/network-coding.h -@@ -22,8 +22,9 @@ - - #ifdef CONFIG_BATMAN_ADV_NC - --int batadv_nc_init(struct batadv_priv *bat_priv); --void batadv_nc_free(struct batadv_priv *bat_priv); -+int batadv_nc_init(void); -+int batadv_nc_mesh_init(struct batadv_priv *bat_priv); -+void batadv_nc_mesh_free(struct batadv_priv *bat_priv); - void batadv_nc_update_nc_node(struct batadv_priv *bat_priv, - struct batadv_orig_node *orig_node, - struct batadv_orig_node *orig_neigh_node, -@@ -46,12 +47,17 @@ int batadv_nc_init_debugfs(struct batadv_priv *bat_priv); - - #else /* ifdef CONFIG_BATMAN_ADV_NC */ - --static inline int batadv_nc_init(struct batadv_priv *bat_priv) -+static inline int batadv_nc_init(void) - { - return 0; - } - --static inline void batadv_nc_free(struct batadv_priv *bat_priv) -+static inline int batadv_nc_mesh_init(struct batadv_priv *bat_priv) -+{ -+ return 0; -+} -+ -+static inline void batadv_nc_mesh_free(struct batadv_priv *bat_priv) - { - return; - } --- -1.7.11.7 - - -From 8be4005ed947924104df5850944a20b7f6570137 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Fran=C3=A7ois=20Cachereul?= -Date: Wed, 2 Oct 2013 10:16:02 +0200 -Subject: [PATCH 08/47] l2tp: fix kernel panic when using IPv4-mapped IPv6 - addresses -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit e18503f41f9b12132c95d7c31ca6ee5155e44e5c ] - -IPv4 mapped addresses cause kernel panic. -The patch juste check whether the IPv6 address is an IPv4 mapped -address. If so, use IPv4 API instead of IPv6. - -[ 940.026915] general protection fault: 0000 [#1] -[ 940.026915] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppox ppp_generic slhc loop psmouse -[ 940.026915] CPU: 0 PID: 3184 Comm: memcheck-amd64- Not tainted 3.11.0+ #1 -[ 940.026915] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007 -[ 940.026915] task: ffff880007130e20 ti: ffff88000737e000 task.ti: ffff88000737e000 -[ 940.026915] RIP: 0010:[] [] ip6_xmit+0x276/0x326 -[ 940.026915] RSP: 0018:ffff88000737fd28 EFLAGS: 00010286 -[ 940.026915] RAX: c748521a75ceff48 RBX: ffff880000c30800 RCX: 0000000000000000 -[ 940.026915] RDX: ffff88000075cc4e RSI: 0000000000000028 RDI: ffff8800060e5a40 -[ 940.026915] RBP: ffff8800060e5a40 R08: 0000000000000000 R09: ffff88000075cc90 -[ 940.026915] R10: 0000000000000000 R11: 0000000000000000 R12: ffff88000737fda0 -[ 940.026915] R13: 0000000000000000 R14: 0000000000002000 R15: ffff880005d3b580 -[ 940.026915] FS: 00007f163dc5e800(0000) GS:ffffffff81623000(0000) knlGS:0000000000000000 -[ 940.026915] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 940.026915] CR2: 00000004032dc940 CR3: 0000000005c25000 CR4: 00000000000006f0 -[ 940.026915] Stack: -[ 940.026915] ffff88000075cc4e ffffffff81694e90 ffff880000c30b38 0000000000000020 -[ 940.026915] 11000000523c4bac ffff88000737fdb4 0000000000000000 ffff880000c30800 -[ 940.026915] ffff880005d3b580 ffff880000c30b38 ffff8800060e5a40 0000000000000020 -[ 940.026915] Call Trace: -[ 940.026915] [] ? inet6_csk_xmit+0xa4/0xc4 -[ 940.026915] [] ? l2tp_xmit_skb+0x503/0x55a [l2tp_core] -[ 940.026915] [] ? pskb_expand_head+0x161/0x214 -[ 940.026915] [] ? pppol2tp_xmit+0xf2/0x143 [l2tp_ppp] -[ 940.026915] [] ? ppp_channel_push+0x36/0x8b [ppp_generic] -[ 940.026915] [] ? ppp_write+0xaf/0xc5 [ppp_generic] -[ 940.026915] [] ? vfs_write+0xa2/0x106 -[ 940.026915] [] ? SyS_write+0x56/0x8a -[ 940.026915] [] ? system_call_fastpath+0x16/0x1b -[ 940.026915] Code: 00 49 8b 8f d8 00 00 00 66 83 7c 11 02 00 74 60 49 -8b 47 58 48 83 e0 fe 48 8b 80 18 01 00 00 48 85 c0 74 13 48 8b 80 78 02 -00 00 <48> ff 40 28 41 8b 57 68 48 01 50 30 48 8b 54 24 08 49 c7 c1 51 -[ 940.026915] RIP [] ip6_xmit+0x276/0x326 -[ 940.026915] RSP -[ 940.057945] ---[ end trace be8aba9a61c8b7f3 ]--- -[ 940.058583] Kernel panic - not syncing: Fatal exception in interrupt - -Signed-off-by: François CACHEREUL -Signed-off-by: David S. Miller ---- - net/l2tp/l2tp_core.c | 27 +++++++++++++++++++++++---- - net/l2tp/l2tp_core.h | 3 +++ - 2 files changed, 26 insertions(+), 4 deletions(-) - -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c -index feae495..aedaa2c 100644 ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -496,6 +496,7 @@ out: - static inline int l2tp_verify_udp_checksum(struct sock *sk, - struct sk_buff *skb) - { -+ struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data; - struct udphdr *uh = udp_hdr(skb); - u16 ulen = ntohs(uh->len); - __wsum psum; -@@ -504,7 +505,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk, - return 0; - - #if IS_ENABLED(CONFIG_IPV6) -- if (sk->sk_family == PF_INET6) { -+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) { - if (!uh->check) { - LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); - return 1; -@@ -1128,7 +1129,7 @@ static int l2tp_xmit_core(struct l2tp_session *session, struct sk_buff *skb, - /* Queue the packet to IP for output */ - skb->local_df = 1; - #if IS_ENABLED(CONFIG_IPV6) -- if (skb->sk->sk_family == PF_INET6) -+ if (skb->sk->sk_family == PF_INET6 && !tunnel->v4mapped) - error = inet6_csk_xmit(skb, NULL); - else - #endif -@@ -1255,7 +1256,7 @@ int l2tp_xmit_skb(struct l2tp_session *session, struct sk_buff *skb, int hdr_len - - /* Calculate UDP checksum if configured to do so */ - #if IS_ENABLED(CONFIG_IPV6) -- if (sk->sk_family == PF_INET6) -+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) - l2tp_xmit_ipv6_csum(sk, skb, udp_len); - else - #endif -@@ -1704,6 +1705,24 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 - if (cfg != NULL) - tunnel->debug = cfg->debug; - -+#if IS_ENABLED(CONFIG_IPV6) -+ if (sk->sk_family == PF_INET6) { -+ struct ipv6_pinfo *np = inet6_sk(sk); -+ -+ if (ipv6_addr_v4mapped(&np->saddr) && -+ ipv6_addr_v4mapped(&np->daddr)) { -+ struct inet_sock *inet = inet_sk(sk); -+ -+ tunnel->v4mapped = true; -+ inet->inet_saddr = np->saddr.s6_addr32[3]; -+ inet->inet_rcv_saddr = np->rcv_saddr.s6_addr32[3]; -+ inet->inet_daddr = np->daddr.s6_addr32[3]; -+ } else { -+ tunnel->v4mapped = false; -+ } -+ } -+#endif -+ - /* Mark socket as an encapsulation socket. See net/ipv4/udp.c */ - tunnel->encap = encap; - if (encap == L2TP_ENCAPTYPE_UDP) { -@@ -1712,7 +1731,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 - udp_sk(sk)->encap_rcv = l2tp_udp_encap_recv; - udp_sk(sk)->encap_destroy = l2tp_udp_encap_destroy; - #if IS_ENABLED(CONFIG_IPV6) -- if (sk->sk_family == PF_INET6) -+ if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) - udpv6_encap_enable(); - else - #endif -diff --git a/net/l2tp/l2tp_core.h b/net/l2tp/l2tp_core.h -index 66a559b..6f251cb 100644 ---- a/net/l2tp/l2tp_core.h -+++ b/net/l2tp/l2tp_core.h -@@ -194,6 +194,9 @@ struct l2tp_tunnel { - struct sock *sock; /* Parent socket */ - int fd; /* Parent fd, if tunnel socket - * was created by userspace */ -+#if IS_ENABLED(CONFIG_IPV6) -+ bool v4mapped; -+#endif - - struct work_struct del_work; - --- -1.7.11.7 - - -From 0ec2b01190b1a2ba020241ab89730bf7e7d77b9c Mon Sep 17 00:00:00 2001 -From: "David S. Miller" -Date: Tue, 8 Oct 2013 15:44:26 -0400 -Subject: [PATCH 09/47] l2tp: Fix build warning with ipv6 disabled. -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 8d8a51e26a6d415e1470759f2cf5f3ee3ee86196 ] - -net/l2tp/l2tp_core.c: In function ‘l2tp_verify_udp_checksum’: -net/l2tp/l2tp_core.c:499:22: warning: unused variable ‘tunnel’ [-Wunused-variable] - -Create a helper "l2tp_tunnel()" to facilitate this, and as a side -effect get rid of a bunch of unnecessary void pointer casts. - -Signed-off-by: David S. Miller ---- - net/l2tp/l2tp_core.c | 13 ++++++++----- - 1 file changed, 8 insertions(+), 5 deletions(-) - -diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c -index aedaa2c..b076e83 100644 ---- a/net/l2tp/l2tp_core.c -+++ b/net/l2tp/l2tp_core.c -@@ -115,6 +115,11 @@ struct l2tp_net { - static void l2tp_session_set_header_len(struct l2tp_session *session, int version); - static void l2tp_tunnel_free(struct l2tp_tunnel *tunnel); - -+static inline struct l2tp_tunnel *l2tp_tunnel(struct sock *sk) -+{ -+ return sk->sk_user_data; -+} -+ - static inline struct l2tp_net *l2tp_pernet(struct net *net) - { - BUG_ON(!net); -@@ -496,7 +501,6 @@ out: - static inline int l2tp_verify_udp_checksum(struct sock *sk, - struct sk_buff *skb) - { -- struct l2tp_tunnel *tunnel = (struct l2tp_tunnel *)sk->sk_user_data; - struct udphdr *uh = udp_hdr(skb); - u16 ulen = ntohs(uh->len); - __wsum psum; -@@ -505,7 +509,7 @@ static inline int l2tp_verify_udp_checksum(struct sock *sk, - return 0; - - #if IS_ENABLED(CONFIG_IPV6) -- if (sk->sk_family == PF_INET6 && !tunnel->v4mapped) { -+ if (sk->sk_family == PF_INET6 && !l2tp_tunnel(sk)->v4mapped) { - if (!uh->check) { - LIMIT_NETDEBUG(KERN_INFO "L2TP: IPv6: checksum is 0\n"); - return 1; -@@ -1305,10 +1309,9 @@ EXPORT_SYMBOL_GPL(l2tp_xmit_skb); - */ - static void l2tp_tunnel_destruct(struct sock *sk) - { -- struct l2tp_tunnel *tunnel; -+ struct l2tp_tunnel *tunnel = l2tp_tunnel(sk); - struct l2tp_net *pn; - -- tunnel = sk->sk_user_data; - if (tunnel == NULL) - goto end; - -@@ -1676,7 +1679,7 @@ int l2tp_tunnel_create(struct net *net, int fd, int version, u32 tunnel_id, u32 - } - - /* Check if this socket has already been prepped */ -- tunnel = (struct l2tp_tunnel *)sk->sk_user_data; -+ tunnel = l2tp_tunnel(sk); - if (tunnel != NULL) { - /* This socket has already been prepped */ - err = -EBUSY; --- -1.7.11.7 - - -From 35e64a9e465a85ffacd373439c1caa757e407656 Mon Sep 17 00:00:00 2001 -From: Sebastian Hesselbarth -Date: Wed, 2 Oct 2013 12:57:20 +0200 -Subject: [PATCH 10/47] net: mv643xx_eth: update statistics timer from timer - context only - -[ Upstream commit 041b4ddb84989f06ff1df0ca869b950f1ee3cb1c ] - -Each port driver installs a periodic timer to update port statistics -by calling mib_counters_update. As mib_counters_update is also called -from non-timer context, we should not reschedule the timer there but -rather move it to timer-only context. - -Signed-off-by: Sebastian Hesselbarth -Acked-by: Jason Cooper -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/marvell/mv643xx_eth.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c -index c35db73..51c138b 100644 ---- a/drivers/net/ethernet/marvell/mv643xx_eth.c -+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c -@@ -1131,15 +1131,13 @@ static void mib_counters_update(struct mv643xx_eth_private *mp) - p->rx_discard += rdlp(mp, RX_DISCARD_FRAME_CNT); - p->rx_overrun += rdlp(mp, RX_OVERRUN_FRAME_CNT); - spin_unlock_bh(&mp->mib_counters_lock); -- -- mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); - } - - static void mib_counters_timer_wrapper(unsigned long _mp) - { - struct mv643xx_eth_private *mp = (void *)_mp; -- - mib_counters_update(mp); -+ mod_timer(&mp->mib_counters_timer, jiffies + 30 * HZ); - } - - --- -1.7.11.7 - - -From b6b20d9c54b23ba35c5807e45ff7d9579503bffa Mon Sep 17 00:00:00 2001 -From: Sebastian Hesselbarth -Date: Wed, 2 Oct 2013 12:57:21 +0200 -Subject: [PATCH 11/47] net: mv643xx_eth: fix orphaned statistics timer crash - -[ Upstream commit f564412c935111c583b787bcc18157377b208e2e ] - -The periodic statistics timer gets started at port _probe() time, but -is stopped on _stop() only. In a modular environment, this can cause -the timer to access already deallocated memory, if the module is unloaded -without starting the eth device. To fix this, we add the timer right -before the port is started, instead of at _probe() time. - -Signed-off-by: Sebastian Hesselbarth -Acked-by: Jason Cooper -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/marvell/mv643xx_eth.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/marvell/mv643xx_eth.c b/drivers/net/ethernet/marvell/mv643xx_eth.c -index 51c138b..39334d4 100644 ---- a/drivers/net/ethernet/marvell/mv643xx_eth.c -+++ b/drivers/net/ethernet/marvell/mv643xx_eth.c -@@ -2235,6 +2235,7 @@ static int mv643xx_eth_open(struct net_device *dev) - mp->int_mask |= INT_TX_END_0 << i; - } - -+ add_timer(&mp->mib_counters_timer); - port_start(mp); - - wrlp(mp, INT_MASK_EXT, INT_EXT_LINK_PHY | INT_EXT_TX); -@@ -2914,7 +2915,6 @@ static int mv643xx_eth_probe(struct platform_device *pdev) - mp->mib_counters_timer.data = (unsigned long)mp; - mp->mib_counters_timer.function = mib_counters_timer_wrapper; - mp->mib_counters_timer.expires = jiffies + 30 * HZ; -- add_timer(&mp->mib_counters_timer); - - spin_lock_init(&mp->mib_counters_lock); - --- -1.7.11.7 - - -From b8baf1c21a214c1b836eef390c9d6e153293fef9 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Thu, 3 Oct 2013 00:27:20 +0300 -Subject: [PATCH 12/47] net: heap overflow in __audit_sockaddr() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 1661bf364ae9c506bc8795fef70d1532931be1e8 ] - -We need to cap ->msg_namelen or it leads to a buffer overflow when we -to the memcpy() in __audit_sockaddr(). It requires CAP_AUDIT_CONTROL to -exploit this bug. - -The call tree is: -___sys_recvmsg() - move_addr_to_user() - audit_sockaddr() - __audit_sockaddr() - -Reported-by: Jüri Aedla -Signed-off-by: Dan Carpenter -Signed-off-by: David S. Miller ---- - net/compat.c | 2 ++ - net/socket.c | 24 ++++++++++++++++++++---- - 2 files changed, 22 insertions(+), 4 deletions(-) - -diff --git a/net/compat.c b/net/compat.c -index f0a1ba6..8903258 100644 ---- a/net/compat.c -+++ b/net/compat.c -@@ -71,6 +71,8 @@ int get_compat_msghdr(struct msghdr *kmsg, struct compat_msghdr __user *umsg) - __get_user(kmsg->msg_controllen, &umsg->msg_controllen) || - __get_user(kmsg->msg_flags, &umsg->msg_flags)) - return -EFAULT; -+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -+ return -EINVAL; - kmsg->msg_name = compat_ptr(tmp1); - kmsg->msg_iov = compat_ptr(tmp2); - kmsg->msg_control = compat_ptr(tmp3); -diff --git a/net/socket.c b/net/socket.c -index b2d7c62..4b94643 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1973,6 +1973,16 @@ struct used_address { - unsigned int name_len; - }; - -+static int copy_msghdr_from_user(struct msghdr *kmsg, -+ struct msghdr __user *umsg) -+{ -+ if (copy_from_user(kmsg, umsg, sizeof(struct msghdr))) -+ return -EFAULT; -+ if (kmsg->msg_namelen > sizeof(struct sockaddr_storage)) -+ return -EINVAL; -+ return 0; -+} -+ - static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, - struct msghdr *msg_sys, unsigned int flags, - struct used_address *used_address) -@@ -1991,8 +2001,11 @@ static int ___sys_sendmsg(struct socket *sock, struct msghdr __user *msg, - if (MSG_CMSG_COMPAT & flags) { - if (get_compat_msghdr(msg_sys, msg_compat)) - return -EFAULT; -- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) -- return -EFAULT; -+ } else { -+ err = copy_msghdr_from_user(msg_sys, msg); -+ if (err) -+ return err; -+ } - - if (msg_sys->msg_iovlen > UIO_FASTIOV) { - err = -EMSGSIZE; -@@ -2200,8 +2213,11 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - if (MSG_CMSG_COMPAT & flags) { - if (get_compat_msghdr(msg_sys, msg_compat)) - return -EFAULT; -- } else if (copy_from_user(msg_sys, msg, sizeof(struct msghdr))) -- return -EFAULT; -+ } else { -+ err = copy_msghdr_from_user(msg_sys, msg); -+ if (err) -+ return err; -+ } - - if (msg_sys->msg_iovlen > UIO_FASTIOV) { - err = -EMSGSIZE; --- -1.7.11.7 - - -From 6e24497ef79e18f5b1ddce66712d55093a6cf3e9 Mon Sep 17 00:00:00 2001 -From: Willem de Bruijn -Date: Tue, 22 Oct 2013 10:59:18 -0400 -Subject: [PATCH 13/47] sit: amend "allow to use rtnl ops on fb tunnel" - -Amend backport to 3.11.y of - - [ Upstream commit 205983c43700ac3a81e7625273a3fa83cd2759b5 ] - -The discussion thread in the upstream commit mentions that in -backports to stable-* branches, the line - - - unregister_netdevice_queue(sitn->fb_tunnel_dev, &list); - -must be omitted if that branch does not have commit 5e6700b3bf98 -("sit: add support of x-netns"). This line has correctly been omitted -in the backport to 3.10, which indeed does not have that commit. - -It was also removed in the backport to 3.11.y, which does have that -commit. - -This causes the following steps to hit a BUG at net/core/dev.c:5039: - - `modprobe sit; rmmod sit` - -The bug demonstrates that it causes a device to be unregistered twice. -The simple fix is to apply the one line in the upstream commit that -was dropped in the backport to 3.11 (3783100374653e2e7fbdf68c710f5). -This brings the logic in line with upstream linux, net and net-next -branches. - -Signed-off-by: Willem de Bruijn -Acked-by: Nicolas Dichtel -Reviewed-by: Veaceslav Falico ---- - net/ipv6/sit.c | 1 - - 1 file changed, 1 deletion(-) - -diff --git a/net/ipv6/sit.c b/net/ipv6/sit.c -index 86f639b..a51ad07 100644 ---- a/net/ipv6/sit.c -+++ b/net/ipv6/sit.c -@@ -1708,7 +1708,6 @@ static void __net_exit sit_exit_net(struct net *net) - - rtnl_lock(); - sit_destroy_tunnels(sitn, &list); -- unregister_netdevice_queue(sitn->fb_tunnel_dev, &list); - unregister_netdevice_many(&list); - rtnl_unlock(); - } --- -1.7.11.7 - - -From 6c7e3c3382670fe98debedf2ddaff8abf2944bb4 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Mon, 30 Sep 2013 22:03:06 +0200 -Subject: [PATCH 14/47] proc connector: fix info leaks - -[ Upstream commit e727ca82e0e9616ab4844301e6bae60ca7327682 ] - -Initialize event_data for all possible message types to prevent leaking -kernel stack contents to userland (up to 20 bytes). Also set the flags -member of the connector message to 0 to prevent leaking two more stack -bytes this way. - -Cc: stable@vger.kernel.org # v2.6.15+ -Signed-off-by: Mathias Krause -Signed-off-by: David S. Miller ---- - drivers/connector/cn_proc.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - -diff --git a/drivers/connector/cn_proc.c b/drivers/connector/cn_proc.c -index 08ae128..c73fc2b 100644 ---- a/drivers/connector/cn_proc.c -+++ b/drivers/connector/cn_proc.c -@@ -65,6 +65,7 @@ void proc_fork_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -80,6 +81,7 @@ void proc_fork_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - /* If cn_netlink_send() failed, the data is not sent */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } -@@ -96,6 +98,7 @@ void proc_exec_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -106,6 +109,7 @@ void proc_exec_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -122,6 +126,7 @@ void proc_id_connector(struct task_struct *task, int which_id) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - ev->what = which_id; - ev->event_data.id.process_pid = task->pid; - ev->event_data.id.process_tgid = task->tgid; -@@ -145,6 +150,7 @@ void proc_id_connector(struct task_struct *task, int which_id) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -160,6 +166,7 @@ void proc_sid_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -170,6 +177,7 @@ void proc_sid_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -185,6 +193,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -203,6 +212,7 @@ void proc_ptrace_connector(struct task_struct *task, int ptrace_id) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -218,6 +228,7 @@ void proc_comm_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -229,6 +240,7 @@ void proc_comm_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -244,6 +256,7 @@ void proc_coredump_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -254,6 +267,7 @@ void proc_coredump_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -269,6 +283,7 @@ void proc_exit_connector(struct task_struct *task) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - get_seq(&msg->seq, &ev->cpu); - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -281,6 +296,7 @@ void proc_exit_connector(struct task_struct *task) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = 0; /* not used */ - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - -@@ -304,6 +320,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) - - msg = (struct cn_msg *)buffer; - ev = (struct proc_event *)msg->data; -+ memset(&ev->event_data, 0, sizeof(ev->event_data)); - msg->seq = rcvd_seq; - ktime_get_ts(&ts); /* get high res monotonic timestamp */ - put_unaligned(timespec_to_ns(&ts), (__u64 *)&ev->timestamp_ns); -@@ -313,6 +330,7 @@ static void cn_proc_ack(int err, int rcvd_seq, int rcvd_ack) - memcpy(&msg->id, &cn_proc_event_id, sizeof(msg->id)); - msg->ack = rcvd_ack + 1; - msg->len = sizeof(*ev); -+ msg->flags = 0; /* not used */ - cn_netlink_send(msg, CN_IDX_PROC, GFP_KERNEL); - } - --- -1.7.11.7 - - -From f3d398e2465b3b74987a3a2fc42ea3e8c83d2166 Mon Sep 17 00:00:00 2001 -From: Jiri Benc -Date: Fri, 4 Oct 2013 17:04:48 +0200 -Subject: [PATCH 15/47] ipv4: fix ineffective source address selection - -[ Upstream commit 0a7e22609067ff524fc7bbd45c6951dd08561667 ] - -When sending out multicast messages, the source address in inet->mc_addr is -ignored and rewritten by an autoselected one. This is caused by a typo in -commit 813b3b5db831 ("ipv4: Use caller's on-stack flowi as-is in output -route lookups"). - -Signed-off-by: Jiri Benc -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/ipv4/route.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv4/route.c b/net/ipv4/route.c -index a9a54a2..2de16d9 100644 ---- a/net/ipv4/route.c -+++ b/net/ipv4/route.c -@@ -2074,7 +2074,7 @@ struct rtable *__ip_route_output_key(struct net *net, struct flowi4 *fl4) - RT_SCOPE_LINK); - goto make_route; - } -- if (fl4->saddr) { -+ if (!fl4->saddr) { - if (ipv4_is_multicast(fl4->daddr)) - fl4->saddr = inet_select_addr(dev_out, 0, - fl4->flowi4_scope); --- -1.7.11.7 - - -From 8fd516716afeb4631cf790a2be7ca30d0a664b01 Mon Sep 17 00:00:00 2001 -From: Marc Kleine-Budde -Date: Sat, 5 Oct 2013 21:25:17 +0200 -Subject: [PATCH 16/47] can: dev: fix nlmsg size calculation in can_get_size() - -[ Upstream commit fe119a05f8ca481623a8d02efcc984332e612528 ] - -This patch fixes the calculation of the nlmsg size, by adding the missing -nla_total_size(). - -Signed-off-by: Marc Kleine-Budde -Signed-off-by: David S. Miller ---- - drivers/net/can/dev.c | 10 +++++----- - 1 file changed, 5 insertions(+), 5 deletions(-) - -diff --git a/drivers/net/can/dev.c b/drivers/net/can/dev.c -index f9cba41..1870c47 100644 ---- a/drivers/net/can/dev.c -+++ b/drivers/net/can/dev.c -@@ -705,14 +705,14 @@ static size_t can_get_size(const struct net_device *dev) - size_t size; - - size = nla_total_size(sizeof(u32)); /* IFLA_CAN_STATE */ -- size += sizeof(struct can_ctrlmode); /* IFLA_CAN_CTRLMODE */ -+ size += nla_total_size(sizeof(struct can_ctrlmode)); /* IFLA_CAN_CTRLMODE */ - size += nla_total_size(sizeof(u32)); /* IFLA_CAN_RESTART_MS */ -- size += sizeof(struct can_bittiming); /* IFLA_CAN_BITTIMING */ -- size += sizeof(struct can_clock); /* IFLA_CAN_CLOCK */ -+ size += nla_total_size(sizeof(struct can_bittiming)); /* IFLA_CAN_BITTIMING */ -+ size += nla_total_size(sizeof(struct can_clock)); /* IFLA_CAN_CLOCK */ - if (priv->do_get_berr_counter) /* IFLA_CAN_BERR_COUNTER */ -- size += sizeof(struct can_berr_counter); -+ size += nla_total_size(sizeof(struct can_berr_counter)); - if (priv->bittiming_const) /* IFLA_CAN_BITTIMING_CONST */ -- size += sizeof(struct can_bittiming_const); -+ size += nla_total_size(sizeof(struct can_bittiming_const)); - - return size; - } --- -1.7.11.7 - - -From 1b3231ca7e26084580145c904dd10a60cac35c63 Mon Sep 17 00:00:00 2001 -From: Fabio Estevam -Date: Sat, 5 Oct 2013 17:56:59 -0300 -Subject: [PATCH 17/47] net: secure_seq: Fix warning when CONFIG_IPV6 and - CONFIG_INET are not selected - -[ Upstream commit cb03db9d0e964568407fb08ea46cc2b6b7f67587 ] - -net_secret() is only used when CONFIG_IPV6 or CONFIG_INET are selected. - -Building a defconfig with both of these symbols unselected (Using the ARM -at91sam9rl_defconfig, for example) leads to the following build warning: - -$ make at91sam9rl_defconfig -# -# configuration written to .config -# - -$ make net/core/secure_seq.o -scripts/kconfig/conf --silentoldconfig Kconfig - CHK include/config/kernel.release - CHK include/generated/uapi/linux/version.h - CHK include/generated/utsrelease.h -make[1]: `include/generated/mach-types.h' is up to date. - CALL scripts/checksyscalls.sh - CC net/core/secure_seq.o -net/core/secure_seq.c:17:13: warning: 'net_secret_init' defined but not used [-Wunused-function] - -Fix this warning by protecting the definition of net_secret() with these -symbols. - -Reported-by: Olof Johansson -Signed-off-by: Fabio Estevam -Signed-off-by: David S. Miller ---- - net/core/secure_seq.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/net/core/secure_seq.c b/net/core/secure_seq.c -index 3f1ec15..8d9d05e 100644 ---- a/net/core/secure_seq.c -+++ b/net/core/secure_seq.c -@@ -10,6 +10,7 @@ - - #include - -+#if IS_ENABLED(CONFIG_IPV6) || IS_ENABLED(CONFIG_INET) - #define NET_SECRET_SIZE (MD5_MESSAGE_BYTES / 4) - - static u32 net_secret[NET_SECRET_SIZE] ____cacheline_aligned; -@@ -29,6 +30,7 @@ static void net_secret_init(void) - cmpxchg(&net_secret[--i], 0, tmp); - } - } -+#endif - - #ifdef CONFIG_INET - static u32 seq_scale(u32 seq) --- -1.7.11.7 - - -From 538680b534f30fe6531099f87267bb676c935351 Mon Sep 17 00:00:00 2001 -From: Paul Durrant -Date: Tue, 8 Oct 2013 14:56:44 +0100 -Subject: [PATCH 18/47] xen-netback: Don't destroy the netdev until the vif is - shut down - -[ upstream commit id: 279f438e36c0a70b23b86d2090aeec50155034a9 ] - -Without this patch, if a frontend cycles through states Closing -and Closed (which Windows frontends need to do) then the netdev -will be destroyed and requires re-invocation of hotplug scripts -to restore state before the frontend can move to Connected. Thus -when udev is not in use the backend gets stuck in InitWait. - -With this patch, the netdev is left alone whilst the backend is -still online and is only de-registered and freed just prior to -destroying the vif (which is also nicely symmetrical with the -netdev allocation and registration being done during probe) so -no re-invocation of hotplug scripts is required. - -Signed-off-by: Paul Durrant -Cc: David Vrabel -Cc: Wei Liu -Cc: Ian Campbell ---- - drivers/net/xen-netback/common.h | 1 + - drivers/net/xen-netback/interface.c | 23 +++++++++-------------- - drivers/net/xen-netback/xenbus.c | 17 ++++++++++++----- - 3 files changed, 22 insertions(+), 19 deletions(-) - -diff --git a/drivers/net/xen-netback/common.h b/drivers/net/xen-netback/common.h -index 8a4d77e..4d9a5e7 100644 ---- a/drivers/net/xen-netback/common.h -+++ b/drivers/net/xen-netback/common.h -@@ -120,6 +120,7 @@ int xenvif_connect(struct xenvif *vif, unsigned long tx_ring_ref, - unsigned long rx_ring_ref, unsigned int tx_evtchn, - unsigned int rx_evtchn); - void xenvif_disconnect(struct xenvif *vif); -+void xenvif_free(struct xenvif *vif); - - void xenvif_get(struct xenvif *vif); - void xenvif_put(struct xenvif *vif); -diff --git a/drivers/net/xen-netback/interface.c b/drivers/net/xen-netback/interface.c -index 087d2db..73336c1 100644 ---- a/drivers/net/xen-netback/interface.c -+++ b/drivers/net/xen-netback/interface.c -@@ -326,6 +326,9 @@ struct xenvif *xenvif_alloc(struct device *parent, domid_t domid, - } - - netdev_dbg(dev, "Successfully created xenvif\n"); -+ -+ __module_get(THIS_MODULE); -+ - return vif; - } - -@@ -413,12 +416,6 @@ void xenvif_carrier_off(struct xenvif *vif) - - void xenvif_disconnect(struct xenvif *vif) - { -- /* Disconnect funtion might get called by generic framework -- * even before vif connects, so we need to check if we really -- * need to do a module_put. -- */ -- int need_module_put = 0; -- - if (netif_carrier_ok(vif->dev)) - xenvif_carrier_off(vif); - -@@ -432,18 +429,16 @@ void xenvif_disconnect(struct xenvif *vif) - unbind_from_irqhandler(vif->tx_irq, vif); - unbind_from_irqhandler(vif->rx_irq, vif); - } -- /* vif->irq is valid, we had a module_get in -- * xenvif_connect. -- */ -- need_module_put = 1; - } - -- unregister_netdev(vif->dev); -- - xen_netbk_unmap_frontend_rings(vif); -+} -+ -+void xenvif_free(struct xenvif *vif) -+{ -+ unregister_netdev(vif->dev); - - free_netdev(vif->dev); - -- if (need_module_put) -- module_put(THIS_MODULE); -+ module_put(THIS_MODULE); - } -diff --git a/drivers/net/xen-netback/xenbus.c b/drivers/net/xen-netback/xenbus.c -index 1fe48fe3..a53782e 100644 ---- a/drivers/net/xen-netback/xenbus.c -+++ b/drivers/net/xen-netback/xenbus.c -@@ -42,7 +42,7 @@ static int netback_remove(struct xenbus_device *dev) - if (be->vif) { - kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); - xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status"); -- xenvif_disconnect(be->vif); -+ xenvif_free(be->vif); - be->vif = NULL; - } - kfree(be); -@@ -213,9 +213,18 @@ static void disconnect_backend(struct xenbus_device *dev) - { - struct backend_info *be = dev_get_drvdata(&dev->dev); - -+ if (be->vif) -+ xenvif_disconnect(be->vif); -+} -+ -+static void destroy_backend(struct xenbus_device *dev) -+{ -+ struct backend_info *be = dev_get_drvdata(&dev->dev); -+ - if (be->vif) { -+ kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); - xenbus_rm(XBT_NIL, dev->nodename, "hotplug-status"); -- xenvif_disconnect(be->vif); -+ xenvif_free(be->vif); - be->vif = NULL; - } - } -@@ -246,14 +255,11 @@ static void frontend_changed(struct xenbus_device *dev, - case XenbusStateConnected: - if (dev->state == XenbusStateConnected) - break; -- backend_create_xenvif(be); - if (be->vif) - connect(be); - break; - - case XenbusStateClosing: -- if (be->vif) -- kobject_uevent(&dev->dev.kobj, KOBJ_OFFLINE); - disconnect_backend(dev); - xenbus_switch_state(dev, XenbusStateClosing); - break; -@@ -262,6 +268,7 @@ static void frontend_changed(struct xenbus_device *dev, - xenbus_switch_state(dev, XenbusStateClosed); - if (xenbus_dev_is_online(dev)) - break; -+ destroy_backend(dev); - /* fall through if not online */ - case XenbusStateUnknown: - device_unregister(&dev->dev); --- -1.7.11.7 - - -From 29bb21656d747e62d55b9e1929b23eadcd6be324 Mon Sep 17 00:00:00 2001 -From: Amir Vadai -Date: Mon, 7 Oct 2013 13:38:12 +0200 -Subject: [PATCH 19/47] net/mlx4_en: Rename name of mlx4_en_rx_alloc members - -[ Upstream commit 70fbe0794393829d9acd686428d87c27b6f6984b ] - -Add page prefix to page related members: @size and @offset into -@page_size and @page_offset - -CC: Eric Dumazet -Signed-off-by: Amir Vadai -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/mellanox/mlx4/en_rx.c | 40 ++++++++++++++++------------ - drivers/net/ethernet/mellanox/mlx4/mlx4_en.h | 4 +-- - 2 files changed, 25 insertions(+), 19 deletions(-) - -diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -index dec455c..066fc27 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c -+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -@@ -70,14 +70,15 @@ static int mlx4_alloc_pages(struct mlx4_en_priv *priv, - put_page(page); - return -ENOMEM; - } -- page_alloc->size = PAGE_SIZE << order; -+ page_alloc->page_size = PAGE_SIZE << order; - page_alloc->page = page; - page_alloc->dma = dma; -- page_alloc->offset = frag_info->frag_align; -+ page_alloc->page_offset = frag_info->frag_align; - /* Not doing get_page() for each frag is a big win - * on asymetric workloads. - */ -- atomic_set(&page->_count, page_alloc->size / frag_info->frag_stride); -+ atomic_set(&page->_count, -+ page_alloc->page_size / frag_info->frag_stride); - return 0; - } - -@@ -96,16 +97,19 @@ static int mlx4_en_alloc_frags(struct mlx4_en_priv *priv, - for (i = 0; i < priv->num_frags; i++) { - frag_info = &priv->frag_info[i]; - page_alloc[i] = ring_alloc[i]; -- page_alloc[i].offset += frag_info->frag_stride; -- if (page_alloc[i].offset + frag_info->frag_stride <= ring_alloc[i].size) -+ page_alloc[i].page_offset += frag_info->frag_stride; -+ -+ if (page_alloc[i].page_offset + frag_info->frag_stride <= -+ ring_alloc[i].page_size) - continue; -+ - if (mlx4_alloc_pages(priv, &page_alloc[i], frag_info, gfp)) - goto out; - } - - for (i = 0; i < priv->num_frags; i++) { - frags[i] = ring_alloc[i]; -- dma = ring_alloc[i].dma + ring_alloc[i].offset; -+ dma = ring_alloc[i].dma + ring_alloc[i].page_offset; - ring_alloc[i] = page_alloc[i]; - rx_desc->data[i].addr = cpu_to_be64(dma); - } -@@ -117,7 +121,7 @@ out: - frag_info = &priv->frag_info[i]; - if (page_alloc[i].page != ring_alloc[i].page) { - dma_unmap_page(priv->ddev, page_alloc[i].dma, -- page_alloc[i].size, PCI_DMA_FROMDEVICE); -+ page_alloc[i].page_size, PCI_DMA_FROMDEVICE); - page = page_alloc[i].page; - atomic_set(&page->_count, 1); - put_page(page); -@@ -132,9 +136,10 @@ static void mlx4_en_free_frag(struct mlx4_en_priv *priv, - { - const struct mlx4_en_frag_info *frag_info = &priv->frag_info[i]; - -- if (frags[i].offset + frag_info->frag_stride > frags[i].size) -- dma_unmap_page(priv->ddev, frags[i].dma, frags[i].size, -- PCI_DMA_FROMDEVICE); -+ if (frags[i].page_offset + frag_info->frag_stride > -+ frags[i].page_size) -+ dma_unmap_page(priv->ddev, frags[i].dma, frags[i].page_size, -+ PCI_DMA_FROMDEVICE); - - if (frags[i].page) - put_page(frags[i].page); -@@ -161,7 +166,7 @@ out: - - page_alloc = &ring->page_alloc[i]; - dma_unmap_page(priv->ddev, page_alloc->dma, -- page_alloc->size, PCI_DMA_FROMDEVICE); -+ page_alloc->page_size, PCI_DMA_FROMDEVICE); - page = page_alloc->page; - atomic_set(&page->_count, 1); - put_page(page); -@@ -184,10 +189,11 @@ static void mlx4_en_destroy_allocator(struct mlx4_en_priv *priv, - i, page_count(page_alloc->page)); - - dma_unmap_page(priv->ddev, page_alloc->dma, -- page_alloc->size, PCI_DMA_FROMDEVICE); -- while (page_alloc->offset + frag_info->frag_stride < page_alloc->size) { -+ page_alloc->page_size, PCI_DMA_FROMDEVICE); -+ while (page_alloc->page_offset + frag_info->frag_stride < -+ page_alloc->page_size) { - put_page(page_alloc->page); -- page_alloc->offset += frag_info->frag_stride; -+ page_alloc->page_offset += frag_info->frag_stride; - } - page_alloc->page = NULL; - } -@@ -478,7 +484,7 @@ static int mlx4_en_complete_rx_desc(struct mlx4_en_priv *priv, - /* Save page reference in skb */ - __skb_frag_set_page(&skb_frags_rx[nr], frags[nr].page); - skb_frag_size_set(&skb_frags_rx[nr], frag_info->frag_size); -- skb_frags_rx[nr].page_offset = frags[nr].offset; -+ skb_frags_rx[nr].page_offset = frags[nr].page_offset; - skb->truesize += frag_info->frag_stride; - frags[nr].page = NULL; - } -@@ -517,7 +523,7 @@ static struct sk_buff *mlx4_en_rx_skb(struct mlx4_en_priv *priv, - - /* Get pointer to first fragment so we could copy the headers into the - * (linear part of the) skb */ -- va = page_address(frags[0].page) + frags[0].offset; -+ va = page_address(frags[0].page) + frags[0].page_offset; - - if (length <= SMALL_PACKET_SIZE) { - /* We are copying all relevant data to the skb - temporarily -@@ -645,7 +651,7 @@ int mlx4_en_process_rx_cq(struct net_device *dev, struct mlx4_en_cq *cq, int bud - dma_sync_single_for_cpu(priv->ddev, dma, sizeof(*ethh), - DMA_FROM_DEVICE); - ethh = (struct ethhdr *)(page_address(frags[0].page) + -- frags[0].offset); -+ frags[0].page_offset); - - if (is_multicast_ether_addr(ethh->h_dest)) { - struct mlx4_mac_entry *entry; -diff --git a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h -index 5e0aa56..bf06e36 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h -+++ b/drivers/net/ethernet/mellanox/mlx4/mlx4_en.h -@@ -237,8 +237,8 @@ struct mlx4_en_tx_desc { - struct mlx4_en_rx_alloc { - struct page *page; - dma_addr_t dma; -- u32 offset; -- u32 size; -+ u32 page_offset; -+ u32 page_size; - }; - - struct mlx4_en_tx_ring { --- -1.7.11.7 - - -From 4bd2cc99115d31513bfe3c2bd7bcfe67fc081ae8 Mon Sep 17 00:00:00 2001 -From: Amir Vadai -Date: Mon, 7 Oct 2013 13:38:13 +0200 -Subject: [PATCH 20/47] net/mlx4_en: Fix pages never dma unmapped on rx - -[ Upstream commit 021f1107ffdae7a82af6c53f4c52654062e365c6 ] - -This patch fixes a bug introduced by commit 51151a16 (mlx4: allow -order-0 memory allocations in RX path). - -dma_unmap_page never reached because condition to detect last fragment -in page is wrong. offset+frag_stride can't be greater than size, need to -make sure no additional frag will fit in page => compare offset + -frag_stride + next_frag_size instead. -next_frag_size is the same as the current one, since page is shared only -with frags of the same size. - -CC: Eric Dumazet -Signed-off-by: Amir Vadai -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/mellanox/mlx4/en_rx.c | 5 +++-- - 1 file changed, 3 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/mellanox/mlx4/en_rx.c b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -index 066fc27..afe2efa 100644 ---- a/drivers/net/ethernet/mellanox/mlx4/en_rx.c -+++ b/drivers/net/ethernet/mellanox/mlx4/en_rx.c -@@ -135,9 +135,10 @@ static void mlx4_en_free_frag(struct mlx4_en_priv *priv, - int i) - { - const struct mlx4_en_frag_info *frag_info = &priv->frag_info[i]; -+ u32 next_frag_end = frags[i].page_offset + 2 * frag_info->frag_stride; - -- if (frags[i].page_offset + frag_info->frag_stride > -- frags[i].page_size) -+ -+ if (next_frag_end > frags[i].page_size) - dma_unmap_page(priv->ddev, frags[i].dma, frags[i].page_size, - PCI_DMA_FROMDEVICE); - --- -1.7.11.7 - - -From af64f33fff313187ca01ddb7db09b537a89208dd Mon Sep 17 00:00:00 2001 -From: Marc Kleine-Budde -Date: Mon, 7 Oct 2013 23:19:58 +0200 -Subject: [PATCH 21/47] net: vlan: fix nlmsg size calculation in - vlan_get_size() - -[ Upstream commit c33a39c575068c2ea9bffb22fd6de2df19c74b89 ] - -This patch fixes the calculation of the nlmsg size, by adding the missing -nla_total_size(). - -Cc: Patrick McHardy -Signed-off-by: Marc Kleine-Budde -Signed-off-by: David S. Miller ---- - net/8021q/vlan_netlink.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/8021q/vlan_netlink.c b/net/8021q/vlan_netlink.c -index 3091297..c7e634a 100644 ---- a/net/8021q/vlan_netlink.c -+++ b/net/8021q/vlan_netlink.c -@@ -171,7 +171,7 @@ static size_t vlan_get_size(const struct net_device *dev) - - return nla_total_size(2) + /* IFLA_VLAN_PROTOCOL */ - nla_total_size(2) + /* IFLA_VLAN_ID */ -- sizeof(struct ifla_vlan_flags) + /* IFLA_VLAN_FLAGS */ -+ nla_total_size(sizeof(struct ifla_vlan_flags)) + /* IFLA_VLAN_FLAGS */ - vlan_qos_map_size(vlan->nr_ingress_mappings) + - vlan_qos_map_size(vlan->nr_egress_mappings); - } --- -1.7.11.7 - - -From 74869292aeb07213144e34b0e21e23f7e3c9f61f Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich -Date: Thu, 10 Oct 2013 15:57:59 -0400 -Subject: [PATCH 22/47] bridge: update mdb expiration timer upon reports. - -[ Upstream commit f144febd93d5ee534fdf23505ab091b2b9088edc ] - -commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b - bridge: only expire the mdb entry when query is received -changed the mdb expiration timer to be armed only when QUERY is -received. Howerver, this causes issues in an environment where -the multicast server socket comes and goes very fast while a client -is trying to send traffic to it. - -The root cause is a race where a sequence of LEAVE followed by REPORT -messages can race against QUERY messages generated in response to LEAVE. -The QUERY ends up starting the expiration timer, and that timer can -potentially expire after the new REPORT message has been received signaling -the new join operation. This leads to a significant drop in multicast -traffic and possible complete stall. - -The solution is to have REPORT messages update the expiration timer -on entries that already exist. - -CC: Cong Wang -CC: Herbert Xu -CC: Stephen Hemminger -Signed-off-by: Vlad Yasevich -Acked-by: Herbert Xu -Signed-off-by: David S. Miller ---- - net/bridge/br_multicast.c | 9 ++++++++- - 1 file changed, 8 insertions(+), 1 deletion(-) - -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index bbcb435..0e3fea7 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -610,6 +610,9 @@ rehash: - break; - - default: -+ /* If we have an existing entry, update it's expire timer */ -+ mod_timer(&mp->timer, -+ jiffies + br->multicast_membership_interval); - goto out; - } - -@@ -679,8 +682,12 @@ static int br_multicast_add_group(struct net_bridge *br, - for (pp = &mp->ports; - (p = mlock_dereference(*pp, br)) != NULL; - pp = &p->next) { -- if (p->port == port) -+ if (p->port == port) { -+ /* We already have a portgroup, update the timer. */ -+ mod_timer(&p->timer, -+ jiffies + br->multicast_membership_interval); - goto out; -+ } - if ((unsigned long)p->port < (unsigned long)port) - break; - } --- -1.7.11.7 - - -From d9f02cfe59400677feea276d4b27981f6d91825a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Linus=20L=C3=BCssing?= -Date: Sun, 20 Oct 2013 00:58:57 +0200 -Subject: [PATCH 23/47] Revert "bridge: only expire the mdb entry when query - is received" -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 454594f3b93a49ef568cd190c5af31376b105a7b ] - -While this commit was a good attempt to fix issues occuring when no -multicast querier is present, this commit still has two more issues: - -1) There are cases where mdb entries do not expire even if there is a -querier present. The bridge will unnecessarily continue flooding -multicast packets on the according ports. - -2) Never removing an mdb entry could be exploited for a Denial of -Service by an attacker on the local link, slowly, but steadily eating up -all memory. - -Actually, this commit became obsolete with -"bridge: disable snooping if there is no querier" (b00589af3b) -which included fixes for a few more cases. - -Therefore reverting the following commits (the commit stated in the -commit message plus three of its follow up fixes): - -==================== -Revert "bridge: update mdb expiration timer upon reports." -This reverts commit f144febd93d5ee534fdf23505ab091b2b9088edc. -Revert "bridge: do not call setup_timer() multiple times" -This reverts commit 1faabf2aab1fdaa1ace4e8c829d1b9cf7bfec2f1. -Revert "bridge: fix some kernel warning in multicast timer" -This reverts commit c7e8e8a8f7a70b343ca1e0f90a31e35ab2d16de1. -Revert "bridge: only expire the mdb entry when query is received" -This reverts commit 9f00b2e7cf241fa389733d41b615efdaa2cb0f5b. -==================== - -CC: Cong Wang -Signed-off-by: Linus Lüssing -Reviewed-by: Vlad Yasevich -Signed-off-by: David S. Miller ---- - net/bridge/br_mdb.c | 2 +- - net/bridge/br_multicast.c | 47 +++++++++++++++++++++++++++-------------------- - net/bridge/br_private.h | 1 - - 3 files changed, 28 insertions(+), 22 deletions(-) - -diff --git a/net/bridge/br_mdb.c b/net/bridge/br_mdb.c -index 6319c43..de3a0e7 100644 ---- a/net/bridge/br_mdb.c -+++ b/net/bridge/br_mdb.c -@@ -451,7 +451,7 @@ static int __br_mdb_del(struct net_bridge *br, struct br_mdb_entry *entry) - call_rcu_bh(&p->rcu, br_multicast_free_pg); - err = 0; - -- if (!mp->ports && !mp->mglist && mp->timer_armed && -+ if (!mp->ports && !mp->mglist && - netif_running(br->dev)) - mod_timer(&mp->timer, jiffies); - break; -diff --git a/net/bridge/br_multicast.c b/net/bridge/br_multicast.c -index 0e3fea7..fbad619 100644 ---- a/net/bridge/br_multicast.c -+++ b/net/bridge/br_multicast.c -@@ -271,7 +271,7 @@ static void br_multicast_del_pg(struct net_bridge *br, - del_timer(&p->timer); - call_rcu_bh(&p->rcu, br_multicast_free_pg); - -- if (!mp->ports && !mp->mglist && mp->timer_armed && -+ if (!mp->ports && !mp->mglist && - netif_running(br->dev)) - mod_timer(&mp->timer, jiffies); - -@@ -610,9 +610,6 @@ rehash: - break; - - default: -- /* If we have an existing entry, update it's expire timer */ -- mod_timer(&mp->timer, -- jiffies + br->multicast_membership_interval); - goto out; - } - -@@ -622,7 +619,6 @@ rehash: - - mp->br = br; - mp->addr = *group; -- - setup_timer(&mp->timer, br_multicast_group_expired, - (unsigned long)mp); - -@@ -662,6 +658,7 @@ static int br_multicast_add_group(struct net_bridge *br, - struct net_bridge_mdb_entry *mp; - struct net_bridge_port_group *p; - struct net_bridge_port_group __rcu **pp; -+ unsigned long now = jiffies; - int err; - - spin_lock(&br->multicast_lock); -@@ -676,18 +673,15 @@ static int br_multicast_add_group(struct net_bridge *br, - - if (!port) { - mp->mglist = true; -+ mod_timer(&mp->timer, now + br->multicast_membership_interval); - goto out; - } - - for (pp = &mp->ports; - (p = mlock_dereference(*pp, br)) != NULL; - pp = &p->next) { -- if (p->port == port) { -- /* We already have a portgroup, update the timer. */ -- mod_timer(&p->timer, -- jiffies + br->multicast_membership_interval); -- goto out; -- } -+ if (p->port == port) -+ goto found; - if ((unsigned long)p->port < (unsigned long)port) - break; - } -@@ -698,6 +692,8 @@ static int br_multicast_add_group(struct net_bridge *br, - rcu_assign_pointer(*pp, p); - br_mdb_notify(br->dev, port, group, RTM_NEWMDB); - -+found: -+ mod_timer(&p->timer, now + br->multicast_membership_interval); - out: - err = 0; - -@@ -1197,9 +1193,6 @@ static int br_ip4_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -- mod_timer(&mp->timer, now + br->multicast_membership_interval); -- mp->timer_armed = true; -- - max_delay *= br->multicast_last_member_count; - - if (mp->mglist && -@@ -1276,9 +1269,6 @@ static int br_ip6_multicast_query(struct net_bridge *br, - if (!mp) - goto out; - -- mod_timer(&mp->timer, now + br->multicast_membership_interval); -- mp->timer_armed = true; -- - max_delay *= br->multicast_last_member_count; - if (mp->mglist && - (timer_pending(&mp->timer) ? -@@ -1364,7 +1354,7 @@ static void br_multicast_leave_group(struct net_bridge *br, - call_rcu_bh(&p->rcu, br_multicast_free_pg); - br_mdb_notify(br->dev, port, group, RTM_DELMDB); - -- if (!mp->ports && !mp->mglist && mp->timer_armed && -+ if (!mp->ports && !mp->mglist && - netif_running(br->dev)) - mod_timer(&mp->timer, jiffies); - } -@@ -1376,12 +1366,30 @@ static void br_multicast_leave_group(struct net_bridge *br, - br->multicast_last_member_interval; - - if (!port) { -- if (mp->mglist && mp->timer_armed && -+ if (mp->mglist && - (timer_pending(&mp->timer) ? - time_after(mp->timer.expires, time) : - try_to_del_timer_sync(&mp->timer) >= 0)) { - mod_timer(&mp->timer, time); - } -+ -+ goto out; -+ } -+ -+ for (p = mlock_dereference(mp->ports, br); -+ p != NULL; -+ p = mlock_dereference(p->next, br)) { -+ if (p->port != port) -+ continue; -+ -+ if (!hlist_unhashed(&p->mglist) && -+ (timer_pending(&p->timer) ? -+ time_after(p->timer.expires, time) : -+ try_to_del_timer_sync(&p->timer) >= 0)) { -+ mod_timer(&p->timer, time); -+ } -+ -+ break; - } - out: - spin_unlock(&br->multicast_lock); -@@ -1798,7 +1806,6 @@ void br_multicast_stop(struct net_bridge *br) - hlist_for_each_entry_safe(mp, n, &mdb->mhash[i], - hlist[ver]) { - del_timer(&mp->timer); -- mp->timer_armed = false; - call_rcu_bh(&mp->rcu, br_multicast_free_group); - } - } -diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h -index cde1eb1..aa05bd8 100644 ---- a/net/bridge/br_private.h -+++ b/net/bridge/br_private.h -@@ -126,7 +126,6 @@ struct net_bridge_mdb_entry - struct timer_list timer; - struct br_ip addr; - bool mglist; -- bool timer_armed; - }; - - struct net_bridge_mdb_htable --- -1.7.11.7 - - -From 40420baad983147cd23e6de95c958c96b96be727 Mon Sep 17 00:00:00 2001 -From: Christophe Gouault -Date: Tue, 8 Oct 2013 17:21:22 +0200 -Subject: [PATCH 24/47] vti: get rid of nf mark rule in prerouting - -[ Upstream commit 7263a5187f9e9de45fcb51349cf0e031142c19a1 ] - -This patch fixes and improves the use of vti interfaces (while -lightly changing the way of configuring them). - -Currently: - -- it is necessary to identify and mark inbound IPsec - packets destined to each vti interface, via netfilter rules in - the mangle table at prerouting hook. - -- the vti module cannot retrieve the right tunnel in input since - commit b9959fd3: vti tunnels all have an i_key, but the tunnel lookup - is done with flag TUNNEL_NO_KEY, so there no chance to retrieve them. - -- the i_key is used by the outbound processing as a mark to lookup - for the right SP and SA bundle. - -This patch uses the o_key to store the vti mark (instead of i_key) and -enables: - -- to avoid the need for previously marking the inbound skbuffs via a - netfilter rule. -- to properly retrieve the right tunnel in input, only based on the IPsec - packet outer addresses. -- to properly perform an inbound policy check (using the tunnel o_key - as a mark). -- to properly perform an outbound SPD and SAD lookup (using the tunnel - o_key as a mark). -- to keep the current mark of the skbuff. The skbuff mark is neither - used nor changed by the vti interface. Only the vti interface o_key - is used. - -SAs have a wildcard mark. -SPs have a mark equal to the vti interface o_key. - -The vti interface must be created as follows (i_key = 0, o_key = mark): - - ip link add vti1 mode vti local 1.1.1.1 remote 2.2.2.2 okey 1 - -The SPs attached to vti1 must be created as follows (mark = vti1 o_key): - - ip xfrm policy add dir out mark 1 tmpl src 1.1.1.1 dst 2.2.2.2 \ - proto esp mode tunnel - ip xfrm policy add dir in mark 1 tmpl src 2.2.2.2 dst 1.1.1.1 \ - proto esp mode tunnel - -The SAs are created with the default wildcard mark. There is no -distinction between global vs. vti SAs. Just their addresses will -possibly link them to a vti interface: - - ip xfrm state add src 1.1.1.1 dst 2.2.2.2 proto esp spi 1000 mode tunnel \ - enc "cbc(aes)" "azertyuiopqsdfgh" - - ip xfrm state add src 2.2.2.2 dst 1.1.1.1 proto esp spi 2000 mode tunnel \ - enc "cbc(aes)" "sqbdhgqsdjqjsdfh" - -To avoid matching "global" (not vti) SPs in vti interfaces, global SPs -should no use the default wildcard mark, but explicitly match mark 0. - -To avoid a double SPD lookup in input and output (in global and vti SPDs), -the NOPOLICY and NOXFRM options should be set on the vti interfaces: - - echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_policy - echo 1 > /proc/sys/net/ipv4/conf/vti1/disable_xfrm - -The outgoing traffic is steered to vti1 by a route via the vti interface: - - ip route add 192.168.0.0/16 dev vti1 - -The incoming IPsec traffic is steered to vti1 because its outer addresses -match the vti1 tunnel configuration. - -Signed-off-by: Christophe Gouault -Signed-off-by: David S. Miller ---- - net/ipv4/ip_vti.c | 14 +++++++++++--- - 1 file changed, 11 insertions(+), 3 deletions(-) - -diff --git a/net/ipv4/ip_vti.c b/net/ipv4/ip_vti.c -index 17cc0ff..0656041 100644 ---- a/net/ipv4/ip_vti.c -+++ b/net/ipv4/ip_vti.c -@@ -285,8 +285,17 @@ static int vti_rcv(struct sk_buff *skb) - tunnel = vti_tunnel_lookup(dev_net(skb->dev), iph->saddr, iph->daddr); - if (tunnel != NULL) { - struct pcpu_tstats *tstats; -+ u32 oldmark = skb->mark; -+ int ret; - -- if (!xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb)) -+ -+ /* temporarily mark the skb with the tunnel o_key, to -+ * only match policies with this mark. -+ */ -+ skb->mark = be32_to_cpu(tunnel->parms.o_key); -+ ret = xfrm4_policy_check(NULL, XFRM_POLICY_IN, skb); -+ skb->mark = oldmark; -+ if (!ret) - return -1; - - tstats = this_cpu_ptr(tunnel->dev->tstats); -@@ -295,7 +304,6 @@ static int vti_rcv(struct sk_buff *skb) - tstats->rx_bytes += skb->len; - u64_stats_update_end(&tstats->syncp); - -- skb->mark = 0; - secpath_reset(skb); - skb->dev = tunnel->dev; - return 1; -@@ -327,7 +335,7 @@ static netdev_tx_t vti_tunnel_xmit(struct sk_buff *skb, struct net_device *dev) - - memset(&fl4, 0, sizeof(fl4)); - flowi4_init_output(&fl4, tunnel->parms.link, -- be32_to_cpu(tunnel->parms.i_key), RT_TOS(tos), -+ be32_to_cpu(tunnel->parms.o_key), RT_TOS(tos), - RT_SCOPE_UNIVERSE, - IPPROTO_IPIP, 0, - dst, tiph->saddr, 0, 0); --- -1.7.11.7 - - -From d74d8a563ec79425464d7a8aeaa1796724fea7bc Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Thu, 10 Oct 2013 06:30:09 -0700 -Subject: [PATCH 25/47] l2tp: must disable bh before calling l2tp_xmit_skb() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 455cc32bf128e114455d11ad919321ab89a2c312 ] - -François Cachereul made a very nice bug report and suspected -the bh_lock_sock() / bh_unlok_sock() pair used in l2tp_xmit_skb() from -process context was not good. - -This problem was added by commit 6af88da14ee284aaad6e4326da09a89191ab6165 -("l2tp: Fix locking in l2tp_core.c"). - -l2tp_eth_dev_xmit() runs from BH context, so we must disable BH -from other l2tp_xmit_skb() users. - -[ 452.060011] BUG: soft lockup - CPU#1 stuck for 23s! [accel-pppd:6662] -[ 452.061757] Modules linked in: l2tp_ppp l2tp_netlink l2tp_core pppoe pppox -ppp_generic slhc ipv6 ext3 mbcache jbd virtio_balloon xfs exportfs dm_mod -virtio_blk ata_generic virtio_net floppy ata_piix libata virtio_pci virtio_ring virtio [last unloaded: scsi_wait_scan] -[ 452.064012] CPU 1 -[ 452.080015] BUG: soft lockup - CPU#2 stuck for 23s! [accel-pppd:6643] -[ 452.080015] CPU 2 -[ 452.080015] -[ 452.080015] Pid: 6643, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs -[ 452.080015] RIP: 0010:[] [] do_raw_spin_lock+0x17/0x1f -[ 452.080015] RSP: 0018:ffff88007125fc18 EFLAGS: 00000293 -[ 452.080015] RAX: 000000000000aba9 RBX: ffffffff811d0703 RCX: 0000000000000000 -[ 452.080015] RDX: 00000000000000ab RSI: ffff8800711f6896 RDI: ffff8800745c8110 -[ 452.080015] RBP: ffff88007125fc18 R08: 0000000000000020 R09: 0000000000000000 -[ 452.080015] R10: 0000000000000000 R11: 0000000000000280 R12: 0000000000000286 -[ 452.080015] R13: 0000000000000020 R14: 0000000000000240 R15: 0000000000000000 -[ 452.080015] FS: 00007fdc0cc24700(0000) GS:ffff8800b6f00000(0000) knlGS:0000000000000000 -[ 452.080015] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 452.080015] CR2: 00007fdb054899b8 CR3: 0000000074404000 CR4: 00000000000006a0 -[ 452.080015] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 452.080015] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -[ 452.080015] Process accel-pppd (pid: 6643, threadinfo ffff88007125e000, task ffff8800b27e6dd0) -[ 452.080015] Stack: -[ 452.080015] ffff88007125fc28 ffffffff81256559 ffff88007125fc98 ffffffffa01b2bd1 -[ 452.080015] ffff88007125fc58 000000000000000c 00000000029490d0 0000009c71dbe25e -[ 452.080015] 000000000000005c 000000080000000e 0000000000000000 ffff880071170600 -[ 452.080015] Call Trace: -[ 452.080015] [] _raw_spin_lock+0xe/0x10 -[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] -[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] -[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 -[ 452.080015] [] sock_sendmsg+0xa1/0xb6 -[ 452.080015] [] ? __schedule+0x5c1/0x616 -[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c -[ 452.080015] [] ? fget_light+0x75/0x89 -[ 452.080015] [] ? sockfd_lookup_light+0x20/0x56 -[ 452.080015] [] sys_sendto+0x10c/0x13b -[ 452.080015] [] system_call_fastpath+0x16/0x1b -[ 452.080015] Code: 81 48 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 <8a> 07 eb f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 -[ 452.080015] Call Trace: -[ 452.080015] [] _raw_spin_lock+0xe/0x10 -[ 452.080015] [] l2tp_xmit_skb+0x189/0x4ac [l2tp_core] -[ 452.080015] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] -[ 452.080015] [] __sock_sendmsg_nosec+0x22/0x24 -[ 452.080015] [] sock_sendmsg+0xa1/0xb6 -[ 452.080015] [] ? __schedule+0x5c1/0x616 -[ 452.080015] [] ? __dequeue_signal+0xb7/0x10c -[ 452.080015] [] ? fget_light+0x75/0x89 -[ 452.080015] [] ? sockfd_lookup_light+0x20/0x56 -[ 452.080015] [] sys_sendto+0x10c/0x13b -[ 452.080015] [] system_call_fastpath+0x16/0x1b -[ 452.064012] -[ 452.064012] Pid: 6662, comm: accel-pppd Not tainted 3.2.46.mini #1 Bochs Bochs -[ 452.064012] RIP: 0010:[] [] do_raw_spin_lock+0x19/0x1f -[ 452.064012] RSP: 0018:ffff8800b6e83ba0 EFLAGS: 00000297 -[ 452.064012] RAX: 000000000000aaa9 RBX: ffff8800b6e83b40 RCX: 0000000000000002 -[ 452.064012] RDX: 00000000000000aa RSI: 000000000000000a RDI: ffff8800745c8110 -[ 452.064012] RBP: ffff8800b6e83ba0 R08: 000000000000c802 R09: 000000000000001c -[ 452.064012] R10: ffff880071096c4e R11: 0000000000000006 R12: ffff8800b6e83b18 -[ 452.064012] R13: ffffffff8125d51e R14: ffff8800b6e83ba0 R15: ffff880072a589c0 -[ 452.064012] FS: 00007fdc0b81e700(0000) GS:ffff8800b6e80000(0000) knlGS:0000000000000000 -[ 452.064012] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 -[ 452.064012] CR2: 0000000000625208 CR3: 0000000074404000 CR4: 00000000000006a0 -[ 452.064012] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 -[ 452.064012] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 -[ 452.064012] Process accel-pppd (pid: 6662, threadinfo ffff88007129a000, task ffff8800744f7410) -[ 452.064012] Stack: -[ 452.064012] ffff8800b6e83bb0 ffffffff81256559 ffff8800b6e83bc0 ffffffff8121c64a -[ 452.064012] ffff8800b6e83bf0 ffffffff8121ec7a ffff880072a589c0 ffff880071096c62 -[ 452.064012] 0000000000000011 ffffffff81430024 ffff8800b6e83c80 ffffffff8121f276 -[ 452.064012] Call Trace: -[ 452.064012] -[ 452.064012] [] _raw_spin_lock+0xe/0x10 -[ 452.064012] [] spin_lock+0x9/0xb -[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 -[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae -[ 452.064012] [] ? raw_rcv+0xe9/0xf0 -[ 452.064012] [] udp_rcv+0x1a/0x1c -[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 -[ 452.064012] [] ip_local_deliver+0x53/0x84 -[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 -[ 452.064012] [] ip_rcv+0x210/0x269 -[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb -[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 -[ 452.064012] [] netif_receive_skb+0x57/0x5e -[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b -[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] -[ 452.064012] [] net_rx_action+0x73/0x184 -[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] -[ 452.064012] [] __do_softirq+0xc3/0x1a8 -[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 -[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 -[ 452.064012] [] call_softirq+0x1c/0x26 -[ 452.064012] [] do_softirq+0x45/0x82 -[ 452.064012] [] irq_exit+0x42/0x9c -[ 452.064012] [] do_IRQ+0x8e/0xa5 -[ 452.064012] [] common_interrupt+0x6e/0x6e -[ 452.064012] -[ 452.064012] [] ? kfree+0x8a/0xa3 -[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] -[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] -[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] -[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 -[ 452.064012] [] sock_sendmsg+0xa1/0xb6 -[ 452.064012] [] ? __schedule+0x5c1/0x616 -[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c -[ 452.064012] [] ? fget_light+0x75/0x89 -[ 452.064012] [] ? sockfd_lookup_light+0x20/0x56 -[ 452.064012] [] sys_sendto+0x10c/0x13b -[ 452.064012] [] system_call_fastpath+0x16/0x1b -[ 452.064012] Code: 89 e5 72 0c 31 c0 48 81 ff 45 66 25 81 0f 92 c0 5d c3 55 b8 00 01 00 00 48 89 e5 f0 66 0f c1 07 0f b6 d4 38 d0 74 06 f3 90 8a 07 f6 5d c3 90 90 55 48 89 e5 9c 58 0f 1f 44 00 00 5d c3 55 48 -[ 452.064012] Call Trace: -[ 452.064012] [] _raw_spin_lock+0xe/0x10 -[ 452.064012] [] spin_lock+0x9/0xb -[ 452.064012] [] udp_queue_rcv_skb+0x186/0x269 -[ 452.064012] [] __udp4_lib_rcv+0x297/0x4ae -[ 452.064012] [] ? raw_rcv+0xe9/0xf0 -[ 452.064012] [] udp_rcv+0x1a/0x1c -[ 452.064012] [] ip_local_deliver_finish+0x12b/0x1a5 -[ 452.064012] [] ip_local_deliver+0x53/0x84 -[ 452.064012] [] ip_rcv_finish+0x2bc/0x2f3 -[ 452.064012] [] ip_rcv+0x210/0x269 -[ 452.064012] [] ? kvm_clock_get_cycles+0x9/0xb -[ 452.064012] [] __netif_receive_skb+0x3a5/0x3f7 -[ 452.064012] [] netif_receive_skb+0x57/0x5e -[ 452.064012] [] ? __netdev_alloc_skb+0x1f/0x3b -[ 452.064012] [] virtnet_poll+0x4ba/0x5a4 [virtio_net] -[ 452.064012] [] net_rx_action+0x73/0x184 -[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] -[ 452.064012] [] __do_softirq+0xc3/0x1a8 -[ 452.064012] [] ? ack_APIC_irq+0x10/0x12 -[ 452.064012] [] ? _raw_spin_lock+0xe/0x10 -[ 452.064012] [] call_softirq+0x1c/0x26 -[ 452.064012] [] do_softirq+0x45/0x82 -[ 452.064012] [] irq_exit+0x42/0x9c -[ 452.064012] [] do_IRQ+0x8e/0xa5 -[ 452.064012] [] common_interrupt+0x6e/0x6e -[ 452.064012] [] ? kfree+0x8a/0xa3 -[ 452.064012] [] ? l2tp_xmit_skb+0x27a/0x4ac [l2tp_core] -[ 452.064012] [] ? l2tp_xmit_skb+0x1dd/0x4ac [l2tp_core] -[ 452.064012] [] pppol2tp_sendmsg+0x15e/0x19c [l2tp_ppp] -[ 452.064012] [] __sock_sendmsg_nosec+0x22/0x24 -[ 452.064012] [] sock_sendmsg+0xa1/0xb6 -[ 452.064012] [] ? __schedule+0x5c1/0x616 -[ 452.064012] [] ? __dequeue_signal+0xb7/0x10c -[ 452.064012] [] ? fget_light+0x75/0x89 -[ 452.064012] [] ? sockfd_lookup_light+0x20/0x56 -[ 452.064012] [] sys_sendto+0x10c/0x13b -[ 452.064012] [] system_call_fastpath+0x16/0x1b - -Reported-by: François Cachereul -Tested-by: François Cachereul -Signed-off-by: Eric Dumazet -Cc: James Chapman -Signed-off-by: David S. Miller ---- - net/l2tp/l2tp_ppp.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 5ebee2d..8c46b27 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -353,7 +353,9 @@ static int pppol2tp_sendmsg(struct kiocb *iocb, struct socket *sock, struct msgh - goto error_put_sess_tun; - } - -+ local_bh_disable(); - l2tp_xmit_skb(session, skb, session->hdr_len); -+ local_bh_enable(); - - sock_put(ps->tunnel_sock); - sock_put(sk); -@@ -422,7 +424,9 @@ static int pppol2tp_xmit(struct ppp_channel *chan, struct sk_buff *skb) - skb->data[0] = ppph[0]; - skb->data[1] = ppph[1]; - -+ local_bh_disable(); - l2tp_xmit_skb(session, skb, session->hdr_len); -+ local_bh_enable(); - - sock_put(sk_tun); - sock_put(sk); --- -1.7.11.7 - - -From 5bf1c228293765ff84e4121cf2f92395403b7e33 Mon Sep 17 00:00:00 2001 -From: stephen hemminger -Date: Sun, 6 Oct 2013 15:15:33 -0700 -Subject: [PATCH 26/47] netem: update backlog after drop -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 638a52b801e40ed276ceb69b73579ad99365361a ] - -When packet is dropped from rb-tree netem the backlog statistic should -also be updated. - -Reported-by: Сергеев Сергей -Signed-off-by: Stephen Hemminger -Acked-by: Eric Dumazet -Signed-off-by: David S. Miller ---- - net/sched/sch_netem.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c -index 82f6016..7dc79940 100644 ---- a/net/sched/sch_netem.c -+++ b/net/sched/sch_netem.c -@@ -523,6 +523,7 @@ static unsigned int netem_drop(struct Qdisc *sch) - skb->next = NULL; - skb->prev = NULL; - len = qdisc_pkt_len(skb); -+ sch->qstats.backlog -= len; - kfree_skb(skb); - } - } --- -1.7.11.7 - - -From ddc30868db0e31c0c2ab4691131a050f9136f3bf Mon Sep 17 00:00:00 2001 -From: stephen hemminger -Date: Sun, 6 Oct 2013 15:16:49 -0700 -Subject: [PATCH 27/47] netem: free skb's in tree on reset -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit ff704050f2fc0f3382b5a70bba56a51a3feca79d ] - -Netem can leak memory because packets get stored in red-black -tree and it is not cleared on reset. - -Reported by: Сергеев Сергей -Signed-off-by: Stephen Hemminger -Signed-off-by: David S. Miller ---- - net/sched/sch_netem.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/net/sched/sch_netem.c b/net/sched/sch_netem.c -index 7dc79940..3626010 100644 ---- a/net/sched/sch_netem.c -+++ b/net/sched/sch_netem.c -@@ -358,6 +358,21 @@ static psched_time_t packet_len_2_sched_time(unsigned int len, struct netem_sche - return PSCHED_NS2TICKS(ticks); - } - -+static void tfifo_reset(struct Qdisc *sch) -+{ -+ struct netem_sched_data *q = qdisc_priv(sch); -+ struct rb_node *p; -+ -+ while ((p = rb_first(&q->t_root))) { -+ struct sk_buff *skb = netem_rb_to_skb(p); -+ -+ rb_erase(p, &q->t_root); -+ skb->next = NULL; -+ skb->prev = NULL; -+ kfree_skb(skb); -+ } -+} -+ - static void tfifo_enqueue(struct sk_buff *nskb, struct Qdisc *sch) - { - struct netem_sched_data *q = qdisc_priv(sch); -@@ -613,6 +628,7 @@ static void netem_reset(struct Qdisc *sch) - struct netem_sched_data *q = qdisc_priv(sch); - - qdisc_reset_queue(sch); -+ tfifo_reset(sch); - if (q->qdisc) - qdisc_reset(q->qdisc); - qdisc_watchdog_cancel(&q->watchdog); --- -1.7.11.7 - - -From c871c477136615360e283471acdb33df95d70470 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Salva=20Peir=C3=B3?= -Date: Fri, 11 Oct 2013 12:50:03 +0300 -Subject: [PATCH 28/47] farsync: fix info leak in ioctl - -[ Upstream commit 96b340406724d87e4621284ebac5e059d67b2194 ] - -The fst_get_iface() code fails to initialize the two padding bytes of -struct sync_serial_settings after the ->loopback member. Add an explicit -memset(0) before filling the structure to avoid the info leak. - -Signed-off-by: Dan Carpenter -Signed-off-by: David S. Miller ---- - drivers/net/wan/farsync.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wan/farsync.c b/drivers/net/wan/farsync.c -index 3f0c4f2..bcfff0d 100644 ---- a/drivers/net/wan/farsync.c -+++ b/drivers/net/wan/farsync.c -@@ -1972,6 +1972,7 @@ fst_get_iface(struct fst_card_info *card, struct fst_port_info *port, - } - - i = port->index; -+ memset(&sync, 0, sizeof(sync)); - sync.clock_rate = FST_RDL(card, portConfig[i].lineSpeed); - /* Lucky card and linux use same encoding here */ - sync.clock_type = FST_RDB(card, portConfig[i].internalClock) == --- -1.7.11.7 - - -From e69ccba66791d0edd0d596520de268369aaab610 Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Mon, 30 Sep 2013 22:05:40 +0200 -Subject: [PATCH 29/47] unix_diag: fix info leak - -[ Upstream commit 6865d1e834be84ddd5808d93d5035b492346c64a ] - -When filling the netlink message we miss to wipe the pad field, -therefore leak one byte of heap memory to userland. Fix this by -setting pad to 0. - -Signed-off-by: Mathias Krause -Signed-off-by: David S. Miller ---- - net/unix/diag.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/net/unix/diag.c b/net/unix/diag.c -index d591091..86fa0f3 100644 ---- a/net/unix/diag.c -+++ b/net/unix/diag.c -@@ -124,6 +124,7 @@ static int sk_diag_fill(struct sock *sk, struct sk_buff *skb, struct unix_diag_r - rep->udiag_family = AF_UNIX; - rep->udiag_type = sk->sk_type; - rep->udiag_state = sk->sk_state; -+ rep->pad = 0; - rep->udiag_ino = sk_ino; - sock_diag_save_cookie(sk, rep->udiag_cookie); - --- -1.7.11.7 - - -From 00fa721e6873ccbb36fc008558bb7d23e9e3c21f Mon Sep 17 00:00:00 2001 -From: Mathias Krause -Date: Mon, 30 Sep 2013 22:03:07 +0200 -Subject: [PATCH 30/47] connector: use nlmsg_len() to check message length - -[ Upstream commit 162b2bedc084d2d908a04c93383ba02348b648b0 ] - -The current code tests the length of the whole netlink message to be -at least as long to fit a cn_msg. This is wrong as nlmsg_len includes -the length of the netlink message header. Use nlmsg_len() instead to -fix this "off-by-NLMSG_HDRLEN" size check. - -Cc: stable@vger.kernel.org # v2.6.14+ -Signed-off-by: Mathias Krause -Signed-off-by: David S. Miller ---- - drivers/connector/connector.c | 7 ++++--- - 1 file changed, 4 insertions(+), 3 deletions(-) - -diff --git a/drivers/connector/connector.c b/drivers/connector/connector.c -index 6ecfa75..0daa11e 100644 ---- a/drivers/connector/connector.c -+++ b/drivers/connector/connector.c -@@ -157,17 +157,18 @@ static int cn_call_callback(struct sk_buff *skb) - static void cn_rx_skb(struct sk_buff *__skb) - { - struct nlmsghdr *nlh; -- int err; - struct sk_buff *skb; -+ int len, err; - - skb = skb_get(__skb); - - if (skb->len >= NLMSG_HDRLEN) { - nlh = nlmsg_hdr(skb); -+ len = nlmsg_len(nlh); - -- if (nlh->nlmsg_len < sizeof(struct cn_msg) || -+ if (len < (int)sizeof(struct cn_msg) || - skb->len < nlh->nlmsg_len || -- nlh->nlmsg_len > CONNECTOR_MAX_MSG_SIZE) { -+ len > CONNECTOR_MAX_MSG_SIZE) { - kfree_skb(skb); - return; - } --- -1.7.11.7 - - -From d99d51100021c9f8b335fc1931880618eaa448e3 Mon Sep 17 00:00:00 2001 -From: Eric Dumazet -Date: Sat, 12 Oct 2013 14:08:34 -0700 -Subject: [PATCH 31/47] bnx2x: record rx queue for LRO packets - -[ Upstream commit 60e66fee56b2256dcb1dc2ea1b2ddcb6e273857d ] - -RPS support is kind of broken on bnx2x, because only non LRO packets -get proper rx queue information. This triggers reorders, as it seems -bnx2x like to generate a non LRO packet for segment including TCP PUSH -flag : (this might be pure coincidence, but all the reorders I've -seen involve segments with a PUSH) - -11:13:34.335847 IP A > B: . 415808:447136(31328) ack 1 win 457 -11:13:34.335992 IP A > B: . 447136:448560(1424) ack 1 win 457 -11:13:34.336391 IP A > B: . 448560:479888(31328) ack 1 win 457 -11:13:34.336425 IP A > B: P 511216:512640(1424) ack 1 win 457 -11:13:34.336423 IP A > B: . 479888:511216(31328) ack 1 win 457 -11:13:34.336924 IP A > B: . 512640:543968(31328) ack 1 win 457 -11:13:34.336963 IP A > B: . 543968:575296(31328) ack 1 win 457 - -We must call skb_record_rx_queue() to properly give to RPS (and more -generally for TX queue selection on forward path) the receive queue -information. - -Similar fix is needed for skb_mark_napi_id(), but will be handled -in a separate patch to ease stable backports. - -Signed-off-by: Eric Dumazet -Cc: Willem de Bruijn -Cc: Eilon Greenstein -Acked-by: Dmitry Kravkov -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -index 0cc2611..4b0877e 100644 ---- a/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -+++ b/drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c -@@ -676,6 +676,7 @@ static void bnx2x_gro_receive(struct bnx2x *bp, struct bnx2x_fastpath *fp, - } - } - #endif -+ skb_record_rx_queue(skb, fp->rx_queue); - napi_gro_receive(&fp->napi, skb); - } - --- -1.7.11.7 - - -From 3f1db36c01909701d0e34cd2413a1127e144bcc3 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Tue, 15 Oct 2013 11:18:58 +0800 -Subject: [PATCH 32/47] virtio-net: don't respond to cpu hotplug notifier if - we're not ready - -[ Upstream commit 3ab098df35f8b98b6553edc2e40234af512ba877 ] - -We're trying to re-configure the affinity unconditionally in cpu hotplug -callback. This may lead the issue during resuming from s3/s4 since - -- virt queues haven't been allocated at that time. -- it's unnecessary since thaw method will re-configure the affinity. - -Fix this issue by checking the config_enable and do nothing is we're not ready. - -The bug were introduced by commit 8de4b2f3ae90c8fc0f17eeaab87d5a951b66ee17 -(virtio-net: reset virtqueue affinity when doing cpu hotplug). - -Cc: Rusty Russell -Cc: Michael S. Tsirkin -Cc: Wanlong Gao -Acked-by: Michael S. Tsirkin -Reviewed-by: Wanlong Gao -Signed-off-by: Jason Wang -Signed-off-by: David S. Miller ---- - drivers/net/virtio_net.c | 8 ++++++++ - 1 file changed, 8 insertions(+) - -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 3d2a90a..43a71d9 100644 ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -1094,6 +1094,11 @@ static int virtnet_cpu_callback(struct notifier_block *nfb, - { - struct virtnet_info *vi = container_of(nfb, struct virtnet_info, nb); - -+ mutex_lock(&vi->config_lock); -+ -+ if (!vi->config_enable) -+ goto done; -+ - switch(action & ~CPU_TASKS_FROZEN) { - case CPU_ONLINE: - case CPU_DOWN_FAILED: -@@ -1106,6 +1111,9 @@ static int virtnet_cpu_callback(struct notifier_block *nfb, - default: - break; - } -+ -+done: -+ mutex_unlock(&vi->config_lock); - return NOTIFY_OK; - } - --- -1.7.11.7 - - -From 24ef3b7cfd16ce5ac263deebfecb661d1c784670 Mon Sep 17 00:00:00 2001 -From: Jason Wang -Date: Tue, 15 Oct 2013 11:18:59 +0800 -Subject: [PATCH 33/47] virtio-net: refill only when device is up during - setting queues - -[ Upstream commit 35ed159bfd96a7547ec277ed8b550c7cbd9841b6 ] - -We used to schedule the refill work unconditionally after changing the -number of queues. This may lead an issue if the device is not -up. Since we only try to cancel the work in ndo_stop(), this may cause -the refill work still work after removing the device. Fix this by only -schedule the work when device is up. - -The bug were introduce by commit 9b9cd8024a2882e896c65222aa421d461354e3f2. -(virtio-net: fix the race between channels setting and refill) - -Cc: Rusty Russell -Cc: Michael S. Tsirkin -Signed-off-by: Jason Wang -Signed-off-by: David S. Miller ---- - drivers/net/virtio_net.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/virtio_net.c b/drivers/net/virtio_net.c -index 43a71d9..1d01534 100644 ---- a/drivers/net/virtio_net.c -+++ b/drivers/net/virtio_net.c -@@ -916,7 +916,9 @@ static int virtnet_set_queues(struct virtnet_info *vi, u16 queue_pairs) - return -EINVAL; - } else { - vi->curr_queue_pairs = queue_pairs; -- schedule_delayed_work(&vi->refill, 0); -+ /* virtnet_open() will refill when device is going to up. */ -+ if (dev->flags & IFF_UP) -+ schedule_delayed_work(&vi->refill, 0); - } - - return 0; -@@ -1714,7 +1716,9 @@ static int virtnet_restore(struct virtio_device *vdev) - vi->config_enable = true; - mutex_unlock(&vi->config_lock); - -+ rtnl_lock(); - virtnet_set_queues(vi, vi->curr_queue_pairs); -+ rtnl_unlock(); - - return 0; - } --- -1.7.11.7 - - -From d616bd8bf902f82ea742462a29bf4080aaa8f497 Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich -Date: Tue, 15 Oct 2013 14:57:45 -0400 -Subject: [PATCH 34/47] bridge: Correctly clamp MAX forward_delay when - enabling STP - -[ Upstream commit 4b6c7879d84ad06a2ac5b964808ed599187a188d ] - -Commit be4f154d5ef0ca147ab6bcd38857a774133f5450 - bridge: Clamp forward_delay when enabling STP -had a typo when attempting to clamp maximum forward delay. - -It is possible to set bridge_forward_delay to be higher then -permitted maximum when STP is off. When turning STP on, the -higher then allowed delay has to be clamed down to max value. - -CC: Herbert Xu -CC: Stephen Hemminger -Signed-off-by: Vlad Yasevich -Reviewed-by: Veaceslav Falico -Acked-by: Herbert Xu -Signed-off-by: David S. Miller ---- - net/bridge/br_stp_if.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/bridge/br_stp_if.c b/net/bridge/br_stp_if.c -index 108084a..656a6f3 100644 ---- a/net/bridge/br_stp_if.c -+++ b/net/bridge/br_stp_if.c -@@ -134,7 +134,7 @@ static void br_stp_start(struct net_bridge *br) - - if (br->bridge_forward_delay < BR_MIN_FORWARD_DELAY) - __br_set_forward_delay(br, BR_MIN_FORWARD_DELAY); -- else if (br->bridge_forward_delay < BR_MAX_FORWARD_DELAY) -+ else if (br->bridge_forward_delay > BR_MAX_FORWARD_DELAY) - __br_set_forward_delay(br, BR_MAX_FORWARD_DELAY); - - if (r == 0) { --- -1.7.11.7 - - -From 803490b7c577add0b976aa08e4bbfdd95f505270 Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich -Date: Tue, 15 Oct 2013 22:01:29 -0400 -Subject: [PATCH 35/47] net: dst: provide accessor function to dst->xfrm - -[ Upstream commit e87b3998d795123b4139bc3f25490dd236f68212 ] - -dst->xfrm is conditionally defined. Provide accessor funtion that -is always available. - -Signed-off-by: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - include/net/dst.h | 12 ++++++++++++ - 1 file changed, 12 insertions(+) - -diff --git a/include/net/dst.h b/include/net/dst.h -index 1f8fd10..e0c97f5 100644 ---- a/include/net/dst.h -+++ b/include/net/dst.h -@@ -477,10 +477,22 @@ static inline struct dst_entry *xfrm_lookup(struct net *net, - { - return dst_orig; - } -+ -+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) -+{ -+ return NULL; -+} -+ - #else - extern struct dst_entry *xfrm_lookup(struct net *net, struct dst_entry *dst_orig, - const struct flowi *fl, struct sock *sk, - int flags); -+ -+/* skb attached with this dst needs transformation if dst->xfrm is valid */ -+static inline struct xfrm_state *dst_xfrm(const struct dst_entry *dst) -+{ -+ return dst->xfrm; -+} - #endif - - #endif /* _NET_DST_H */ --- -1.7.11.7 - - -From 371a65903ccb75fc71fd42b30a310a28c42e54a3 Mon Sep 17 00:00:00 2001 -From: Fan Du -Date: Tue, 15 Oct 2013 22:01:30 -0400 -Subject: [PATCH 36/47] sctp: Use software crc32 checksum when xfrm transform - will happen. - -[ Upstream commit 27127a82561a2a3ed955ce207048e1b066a80a2a ] - -igb/ixgbe have hardware sctp checksum support, when this feature is enabled -and also IPsec is armed to protect sctp traffic, ugly things happened as -xfrm_output checks CHECKSUM_PARTIAL to do checksum operation(sum every thing -up and pack the 16bits result in the checksum field). The result is fail -establishment of sctp communication. - -Cc: Neil Horman -Cc: Steffen Klassert -Signed-off-by: Fan Du -Signed-off-by: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - net/sctp/output.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/sctp/output.c b/net/sctp/output.c -index a46d1eb..a06a9b6 100644 ---- a/net/sctp/output.c -+++ b/net/sctp/output.c -@@ -542,7 +542,8 @@ int sctp_packet_transmit(struct sctp_packet *packet) - * by CRC32-C as described in . - */ - if (!sctp_checksum_disable) { -- if (!(dst->dev->features & NETIF_F_SCTP_CSUM)) { -+ if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || -+ (dst_xfrm(dst) != NULL)) { - __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); - - /* 3) Put the resultant value into the checksum field in the --- -1.7.11.7 - - -From 9067790bb296fb5818894222d7e85407238e9843 Mon Sep 17 00:00:00 2001 -From: Vlad Yasevich -Date: Tue, 15 Oct 2013 22:01:31 -0400 -Subject: [PATCH 37/47] sctp: Perform software checksum if packet has to be - fragmented. - -[ Upstream commit d2dbbba77e95dff4b4f901fee236fef6d9552072 ] - -IP/IPv6 fragmentation knows how to compute only TCP/UDP checksum. -This causes problems if SCTP packets has to be fragmented and -ipsummed has been set to PARTIAL due to checksum offload support. -This condition can happen when retransmitting after MTU discover, -or when INIT or other control chunks are larger then MTU. -Check for the rare fragmentation condition in SCTP and use software -checksum calculation in this case. - -CC: Fan Du -Signed-off-by: Vlad Yasevich -Acked-by: Neil Horman -Signed-off-by: David S. Miller ---- - net/sctp/output.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/sctp/output.c b/net/sctp/output.c -index a06a9b6..013a07d 100644 ---- a/net/sctp/output.c -+++ b/net/sctp/output.c -@@ -543,7 +543,7 @@ int sctp_packet_transmit(struct sctp_packet *packet) - */ - if (!sctp_checksum_disable) { - if (!(dst->dev->features & NETIF_F_SCTP_CSUM) || -- (dst_xfrm(dst) != NULL)) { -+ (dst_xfrm(dst) != NULL) || packet->ipfragok) { - __u32 crc32 = sctp_start_cksum((__u8 *)sh, cksum_buf_len); - - /* 3) Put the resultant value into the checksum field in the --- -1.7.11.7 - - -From 22e825ed8144360271614511563166f37fef9f90 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Salva=20Peir=C3=B3?= -Date: Wed, 16 Oct 2013 12:46:50 +0200 -Subject: [PATCH 38/47] wanxl: fix info leak in ioctl -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -[ Upstream commit 2b13d06c9584b4eb773f1e80bbaedab9a1c344e1 ] - -The wanxl_ioctl() code fails to initialize the two padding bytes of -struct sync_serial_settings after the ->loopback member. Add an explicit -memset(0) before filling the structure to avoid the info leak. - -Signed-off-by: Salva Peiró -Signed-off-by: David S. Miller ---- - drivers/net/wan/wanxl.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/net/wan/wanxl.c b/drivers/net/wan/wanxl.c -index 6a24a5a..4c0a697 100644 ---- a/drivers/net/wan/wanxl.c -+++ b/drivers/net/wan/wanxl.c -@@ -355,6 +355,7 @@ static int wanxl_ioctl(struct net_device *dev, struct ifreq *ifr, int cmd) - ifr->ifr_settings.size = size; /* data size wanted */ - return -ENOBUFS; - } -+ memset(&line, 0, sizeof(line)); - line.clock_type = get_status(port)->clocking; - line.clock_rate = 0; - line.loopback = 0; --- -1.7.11.7 - - -From b16dd2cff7a4eb3881f43371d71ed242332877dc Mon Sep 17 00:00:00 2001 -From: Vasundhara Volam -Date: Thu, 17 Oct 2013 11:47:14 +0530 -Subject: [PATCH 39/47] be2net: pass if_id for v1 and V2 versions of TX_CREATE - cmd - -[ Upstream commit 0fb88d61bc60779dde88b0fc268da17eb81d0412 ] - -It is a required field for all TX_CREATE cmd versions > 0. -This fixes a driver initialization failure, caused by recent SH-R Firmwares -(versions > 10.0.639.0) failing the TX_CREATE cmd when if_id field is -not passed. - -Signed-off-by: Sathya Perla -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/emulex/benet/be_cmds.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/ethernet/emulex/benet/be_cmds.c b/drivers/net/ethernet/emulex/benet/be_cmds.c -index 8ec5d74..13ac104 100644 ---- a/drivers/net/ethernet/emulex/benet/be_cmds.c -+++ b/drivers/net/ethernet/emulex/benet/be_cmds.c -@@ -1150,7 +1150,6 @@ int be_cmd_txq_create(struct be_adapter *adapter, struct be_tx_obj *txo) - - if (lancer_chip(adapter)) { - req->hdr.version = 1; -- req->if_id = cpu_to_le16(adapter->if_handle); - } else if (BEx_chip(adapter)) { - if (adapter->function_caps & BE_FUNCTION_CAPS_SUPER_NIC) - req->hdr.version = 2; -@@ -1158,6 +1157,8 @@ int be_cmd_txq_create(struct be_adapter *adapter, struct be_tx_obj *txo) - req->hdr.version = 2; - } - -+ if (req->hdr.version > 0) -+ req->if_id = cpu_to_le16(adapter->if_handle); - req->num_pages = PAGES_4K_SPANNED(q_mem->va, q_mem->size); - req->ulp_num = BE_ULP1_NUM; - req->type = BE_ETH_TX_RING_TYPE_STANDARD; --- -1.7.11.7 - - -From 9829aac8208e7a31e4e42e7d2e7e165593c05202 Mon Sep 17 00:00:00 2001 -From: Daniel Borkmann -Date: Thu, 17 Oct 2013 22:51:31 +0200 -Subject: [PATCH 40/47] net: unix: inherit SOCK_PASS{CRED, SEC} flags from - socket to fix race - -[ Upstream commit 90c6bd34f884cd9cee21f1d152baf6c18bcac949 ] - -In the case of credentials passing in unix stream sockets (dgram -sockets seem not affected), we get a rather sparse race after -commit 16e5726 ("af_unix: dont send SCM_CREDENTIALS by default"). - -We have a stream server on receiver side that requests credential -passing from senders (e.g. nc -U). Since we need to set SO_PASSCRED -on each spawned/accepted socket on server side to 1 first (as it's -not inherited), it can happen that in the time between accept() and -setsockopt() we get interrupted, the sender is being scheduled and -continues with passing data to our receiver. At that time SO_PASSCRED -is neither set on sender nor receiver side, hence in cmsg's -SCM_CREDENTIALS we get eventually pid:0, uid:65534, gid:65534 -(== overflow{u,g}id) instead of what we actually would like to see. - -On the sender side, here nc -U, the tests in maybe_add_creds() -invoked through unix_stream_sendmsg() would fail, as at that exact -time, as mentioned, the sender has neither SO_PASSCRED on his side -nor sees it on the server side, and we have a valid 'other' socket -in place. Thus, sender believes it would just look like a normal -connection, not needing/requesting SO_PASSCRED at that time. - -As reverting 16e5726 would not be an option due to the significant -performance regression reported when having creds always passed, -one way/trade-off to prevent that would be to set SO_PASSCRED on -the listener socket and allow inheriting these flags to the spawned -socket on server side in accept(). It seems also logical to do so -if we'd tell the listener socket to pass those flags onwards, and -would fix the race. - -Before, strace: - -recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], - msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, - cmsg_type=SCM_CREDENTIALS{pid=0, uid=65534, gid=65534}}, - msg_flags=0}, 0) = 5 - -After, strace: - -recvmsg(4, {msg_name(0)=NULL, msg_iov(1)=[{"blub\n", 4096}], - msg_controllen=32, {cmsg_len=28, cmsg_level=SOL_SOCKET, - cmsg_type=SCM_CREDENTIALS{pid=11580, uid=1000, gid=1000}}, - msg_flags=0}, 0) = 5 - -Signed-off-by: Daniel Borkmann -Cc: Eric Dumazet -Cc: Eric W. Biederman -Signed-off-by: David S. Miller ---- - net/unix/af_unix.c | 10 ++++++++++ - 1 file changed, 10 insertions(+) - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index c4ce243..e64bbcf 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1246,6 +1246,15 @@ static int unix_socketpair(struct socket *socka, struct socket *sockb) - return 0; - } - -+static void unix_sock_inherit_flags(const struct socket *old, -+ struct socket *new) -+{ -+ if (test_bit(SOCK_PASSCRED, &old->flags)) -+ set_bit(SOCK_PASSCRED, &new->flags); -+ if (test_bit(SOCK_PASSSEC, &old->flags)) -+ set_bit(SOCK_PASSSEC, &new->flags); -+} -+ - static int unix_accept(struct socket *sock, struct socket *newsock, int flags) - { - struct sock *sk = sock->sk; -@@ -1280,6 +1289,7 @@ static int unix_accept(struct socket *sock, struct socket *newsock, int flags) - /* attach accepted sock to socket */ - unix_state_lock(tsk); - newsock->state = SS_CONNECTED; -+ unix_sock_inherit_flags(sock, newsock); - sock_graft(tsk, newsock); - unix_state_unlock(tsk); - return 0; --- -1.7.11.7 - - -From 7b48750febb4c3387db39fd0b547936c53ba7364 Mon Sep 17 00:00:00 2001 -From: Seif Mazareeb -Date: Thu, 17 Oct 2013 20:33:21 -0700 -Subject: [PATCH 41/47] net: fix cipso packet validation when !NETLABEL - -[ Upstream commit f2e5ddcc0d12f9c4c7b254358ad245c9dddce13b ] - -When CONFIG_NETLABEL is disabled, the cipso_v4_validate() function could loop -forever in the main loop if opt[opt_iter +1] == 0, this will causing a kernel -crash in an SMP system, since the CPU executing this function will -stall /not respond to IPIs. - -This problem can be reproduced by running the IP Stack Integrity Checker -(http://isic.sourceforge.net) using the following command on a Linux machine -connected to DUT: - -"icmpsic -s rand -d -r 123456" -wait (1-2 min) - -Signed-off-by: Seif Mazareeb -Acked-by: Paul Moore -Signed-off-by: David S. Miller ---- - include/net/cipso_ipv4.h | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/include/net/cipso_ipv4.h b/include/net/cipso_ipv4.h -index a7a683e..a8c2ef6 100644 ---- a/include/net/cipso_ipv4.h -+++ b/include/net/cipso_ipv4.h -@@ -290,6 +290,7 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, - unsigned char err_offset = 0; - u8 opt_len = opt[1]; - u8 opt_iter; -+ u8 tag_len; - - if (opt_len < 8) { - err_offset = 1; -@@ -302,11 +303,12 @@ static inline int cipso_v4_validate(const struct sk_buff *skb, - } - - for (opt_iter = 6; opt_iter < opt_len;) { -- if (opt[opt_iter + 1] > (opt_len - opt_iter)) { -+ tag_len = opt[opt_iter + 1]; -+ if ((tag_len == 0) || (opt[opt_iter + 1] > (opt_len - opt_iter))) { - err_offset = opt_iter + 1; - goto out; - } -- opt_iter += opt[opt_iter + 1]; -+ opt_iter += tag_len; - } - - out: --- -1.7.11.7 - - -From 27e33640a8905b1aeefe9998242551caf24e84a6 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Tue, 22 Oct 2013 00:07:47 +0200 -Subject: [PATCH 42/47] inet: fix possible memory corruption with UDP_CORK and - UFO - -[ This is a simplified -stable version of a set of upstream commits. ] - -This is a replacement patch only for stable which does fix the problems -handled by the following two commits in -net: - -"ip_output: do skb ufo init for peeked non ufo skb as well" (e93b7d748be887cd7639b113ba7d7ef792a7efb9) -"ip6_output: do skb ufo init for peeked non ufo skb as well" (c547dbf55d5f8cf615ccc0e7265e98db27d3fb8b) - -Three frames are written on a corked udp socket for which the output -netdevice has UFO enabled. If the first and third frame are smaller than -the mtu and the second one is bigger, we enqueue the second frame with -skb_append_datato_frags without initializing the gso fields. This leads -to the third frame appended regulary and thus constructing an invalid skb. - -This fixes the problem by always using skb_append_datato_frags as soon -as the first frag got enqueued to the skb without marking the packet -as SKB_GSO_UDP. - -The problem with only two frames for ipv6 was fixed by "ipv6: udp -packets following an UFO enqueued packet need also be handled by UFO" -(2811ebac2521ceac84f2bdae402455baa6a7fb47). - -Cc: Jiri Pirko -Cc: Eric Dumazet -Cc: David Miller -Signed-off-by: Hannes Frederic Sowa ---- - include/linux/skbuff.h | 5 +++++ - net/ipv4/ip_output.c | 2 +- - net/ipv6/ip6_output.c | 2 +- - 3 files changed, 7 insertions(+), 2 deletions(-) - -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 3b71a4e..6bd165b 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -1316,6 +1316,11 @@ static inline int skb_pagelen(const struct sk_buff *skb) - return len + skb_headlen(skb); - } - -+static inline bool skb_has_frags(const struct sk_buff *skb) -+{ -+ return skb_shinfo(skb)->nr_frags; -+} -+ - /** - * __skb_fill_page_desc - initialise a paged fragment in an skb - * @skb: buffer containing fragment to be initialised -diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c -index a04d872..7f4ab5d 100644 ---- a/net/ipv4/ip_output.c -+++ b/net/ipv4/ip_output.c -@@ -836,7 +836,7 @@ static int __ip_append_data(struct sock *sk, - csummode = CHECKSUM_PARTIAL; - - cork->length += length; -- if (((length > mtu) || (skb && skb_is_gso(skb))) && -+ if (((length > mtu) || (skb && skb_has_frags(skb))) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO) && !rt->dst.header_len) { - err = ip_ufo_append_data(sk, queue, getfrag, from, length, -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 44df1c9..2e542d0 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -1252,7 +1252,7 @@ int ip6_append_data(struct sock *sk, int getfrag(void *from, char *to, - skb = skb_peek_tail(&sk->sk_write_queue); - cork->length += length; - if (((length > mtu) || -- (skb && skb_is_gso(skb))) && -+ (skb && skb_has_frags(skb))) && - (sk->sk_protocol == IPPROTO_UDP) && - (rt->dst.dev->features & NETIF_F_UFO)) { - err = ip6_ufo_append_data(sk, getfrag, from, length, --- -1.7.11.7 - - -From 689f77d13532698739438b2288ec8eac2f667584 Mon Sep 17 00:00:00 2001 -From: Julian Anastasov -Date: Sun, 20 Oct 2013 15:43:03 +0300 -Subject: [PATCH 43/47] ipv6: always prefer rt6i_gateway if present - -[ Upstream commit 96dc809514fb2328605198a0602b67554d8cce7b ] - -In v3.9 6fd6ce2056de2709 ("ipv6: Do not depend on rt->n in -ip6_finish_output2()." changed the behaviour of ip6_finish_output2() -such that the recently introduced rt6_nexthop() is used -instead of an assigned neighbor. - -As rt6_nexthop() prefers rt6i_gateway only for gatewayed -routes this causes a problem for users like IPVS, xt_TEE and -RAW(hdrincl) if they want to use different address for routing -compared to the destination address. - -Another case is when redirect can create RTF_DYNAMIC -route without RTF_GATEWAY flag, we ignore the rt6i_gateway -in rt6_nexthop(). - -Fix the above problems by considering the rt6i_gateway if -present, so that traffic routed to address on local subnet is -not wrongly diverted to the destination address. - -Thanks to Simon Horman and Phil Oester for spotting the -problematic commit. - -Thanks to Hannes Frederic Sowa for his review and help in testing. - -Reported-by: Phil Oester -Reported-by: Mark Brooks -Signed-off-by: Julian Anastasov -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/ip6_route.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h -index f667248..0aaf0ec 100644 ---- a/include/net/ip6_route.h -+++ b/include/net/ip6_route.h -@@ -198,7 +198,7 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb) - - static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt, struct in6_addr *dest) - { -- if (rt->rt6i_flags & RTF_GATEWAY) -+ if (rt->rt6i_flags & RTF_GATEWAY || !ipv6_addr_any(&rt->rt6i_gateway)) - return &rt->rt6i_gateway; - return dest; - } --- -1.7.11.7 - - -From 471dd605429d6645f990becd29c877740d3b32e7 Mon Sep 17 00:00:00 2001 -From: Julian Anastasov -Date: Sun, 20 Oct 2013 15:43:04 +0300 -Subject: [PATCH 44/47] ipv6: fill rt6i_gateway with nexthop address - -[ Upstream commit 550bab42f83308c9d6ab04a980cc4333cef1c8fa ] - -Make sure rt6i_gateway contains nexthop information in -all routes returned from lookup or when routes are directly -attached to skb for generated ICMP packets. - -The effect of this patch should be a faster version of -rt6_nexthop() and the consideration of local addresses as -nexthop. - -Signed-off-by: Julian Anastasov -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/ip6_route.h | 6 ++---- - net/ipv6/ip6_output.c | 4 ++-- - net/ipv6/route.c | 8 ++++++-- - 3 files changed, 10 insertions(+), 8 deletions(-) - -diff --git a/include/net/ip6_route.h b/include/net/ip6_route.h -index 0aaf0ec..c7b8860 100644 ---- a/include/net/ip6_route.h -+++ b/include/net/ip6_route.h -@@ -196,11 +196,9 @@ static inline int ip6_skb_dst_mtu(struct sk_buff *skb) - skb_dst(skb)->dev->mtu : dst_mtu(skb_dst(skb)); - } - --static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt, struct in6_addr *dest) -+static inline struct in6_addr *rt6_nexthop(struct rt6_info *rt) - { -- if (rt->rt6i_flags & RTF_GATEWAY || !ipv6_addr_any(&rt->rt6i_gateway)) -- return &rt->rt6i_gateway; -- return dest; -+ return &rt->rt6i_gateway; - } - - #endif -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 2e542d0..5b25f85 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -130,7 +130,7 @@ static int ip6_finish_output2(struct sk_buff *skb) - } - - rcu_read_lock_bh(); -- nexthop = rt6_nexthop((struct rt6_info *)dst, &ipv6_hdr(skb)->daddr); -+ nexthop = rt6_nexthop((struct rt6_info *)dst); - neigh = __ipv6_neigh_lookup_noref(dst->dev, nexthop); - if (unlikely(!neigh)) - neigh = __neigh_create(&nd_tbl, nexthop, dst->dev, false); -@@ -899,7 +899,7 @@ static int ip6_dst_lookup_tail(struct sock *sk, - */ - rt = (struct rt6_info *) *dst; - rcu_read_lock_bh(); -- n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt, &fl6->daddr)); -+ n = __ipv6_neigh_lookup_noref(rt->dst.dev, rt6_nexthop(rt)); - err = n && !(n->nud_state & NUD_VALID) ? -EINVAL : 0; - rcu_read_unlock_bh(); - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 8d9a93ed..08e6c40 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -852,7 +852,6 @@ static struct rt6_info *rt6_alloc_cow(struct rt6_info *ort, - if (ort->rt6i_dst.plen != 128 && - ipv6_addr_equal(&ort->rt6i_dst.addr, daddr)) - rt->rt6i_flags |= RTF_ANYCAST; -- rt->rt6i_gateway = *daddr; - } - - rt->rt6i_flags |= RTF_CACHE; -@@ -1270,6 +1269,7 @@ struct dst_entry *icmp6_dst_alloc(struct net_device *dev, - rt->dst.flags |= DST_HOST; - rt->dst.output = ip6_output; - atomic_set(&rt->dst.__refcnt, 1); -+ rt->rt6i_gateway = fl6->daddr; - rt->rt6i_dst.addr = fl6->daddr; - rt->rt6i_dst.plen = 128; - rt->rt6i_idev = idev; -@@ -1824,7 +1824,10 @@ static struct rt6_info *ip6_rt_copy(struct rt6_info *ort, - in6_dev_hold(rt->rt6i_idev); - rt->dst.lastuse = jiffies; - -- rt->rt6i_gateway = ort->rt6i_gateway; -+ if (ort->rt6i_flags & RTF_GATEWAY) -+ rt->rt6i_gateway = ort->rt6i_gateway; -+ else -+ rt->rt6i_gateway = *dest; - rt->rt6i_flags = ort->rt6i_flags; - if ((ort->rt6i_flags & (RTF_DEFAULT | RTF_ADDRCONF)) == - (RTF_DEFAULT | RTF_ADDRCONF)) -@@ -2111,6 +2114,7 @@ struct rt6_info *addrconf_dst_alloc(struct inet6_dev *idev, - else - rt->rt6i_flags |= RTF_LOCAL; - -+ rt->rt6i_gateway = *addr; - rt->rt6i_dst.addr = *addr; - rt->rt6i_dst.plen = 128; - rt->rt6i_table = fib6_get_table(net, RT6_TABLE_LOCAL); --- -1.7.11.7 - - -From d01c3be45be54261f56ba63197d94e3d756befdf Mon Sep 17 00:00:00 2001 -From: Julian Anastasov -Date: Sun, 20 Oct 2013 15:43:05 +0300 -Subject: [PATCH 45/47] netfilter: nf_conntrack: fix rt6i_gateway checks for - H.323 helper - -[ Upstream commit 56e42441ed54b092d6c7411138ce60d049e7c731 ] - -Now when rt6_nexthop() can return nexthop address we can use it -for proper nexthop comparison of directly connected destinations. -For more information refer to commit bbb5823cf742a7 -("netfilter: nf_conntrack: fix rt_gateway checks for H.323 helper"). - -Signed-off-by: Julian Anastasov -Acked-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/netfilter/nf_conntrack_h323_main.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/net/netfilter/nf_conntrack_h323_main.c b/net/netfilter/nf_conntrack_h323_main.c -index bdebd03..70866d1 100644 ---- a/net/netfilter/nf_conntrack_h323_main.c -+++ b/net/netfilter/nf_conntrack_h323_main.c -@@ -778,8 +778,8 @@ static int callforward_do_filter(const union nf_inet_addr *src, - flowi6_to_flowi(&fl1), false)) { - if (!afinfo->route(&init_net, (struct dst_entry **)&rt2, - flowi6_to_flowi(&fl2), false)) { -- if (!memcmp(&rt1->rt6i_gateway, &rt2->rt6i_gateway, -- sizeof(rt1->rt6i_gateway)) && -+ if (ipv6_addr_equal(rt6_nexthop(rt1), -+ rt6_nexthop(rt2)) && - rt1->dst.dev == rt2->dst.dev) - ret = 1; - dst_release(&rt2->dst); --- -1.7.11.7 - - -From 1d98ddb501bedeee62c916d3d6999109f0a22198 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Mon, 21 Oct 2013 06:17:15 +0200 -Subject: [PATCH 46/47] ipv6: probe routes asynchronous in rt6_probe - -[ Upstream commit c2f17e827b419918c856131f592df9521e1a38e3 ] - -Routes need to be probed asynchronous otherwise the call stack gets -exhausted when the kernel attemps to deliver another skb inline, like -e.g. xt_TEE does, and we probe at the same time. - -We update neigh->updated still at once, otherwise we would send to -many probes. - -Cc: Julian Anastasov -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/route.c | 38 +++++++++++++++++++++++++++++++------- - 1 file changed, 31 insertions(+), 7 deletions(-) - -diff --git a/net/ipv6/route.c b/net/ipv6/route.c -index 08e6c40..1e32d5c 100644 ---- a/net/ipv6/route.c -+++ b/net/ipv6/route.c -@@ -477,6 +477,24 @@ out: - } - - #ifdef CONFIG_IPV6_ROUTER_PREF -+struct __rt6_probe_work { -+ struct work_struct work; -+ struct in6_addr target; -+ struct net_device *dev; -+}; -+ -+static void rt6_probe_deferred(struct work_struct *w) -+{ -+ struct in6_addr mcaddr; -+ struct __rt6_probe_work *work = -+ container_of(w, struct __rt6_probe_work, work); -+ -+ addrconf_addr_solict_mult(&work->target, &mcaddr); -+ ndisc_send_ns(work->dev, NULL, &work->target, &mcaddr, NULL); -+ dev_put(work->dev); -+ kfree(w); -+} -+ - static void rt6_probe(struct rt6_info *rt) - { - struct neighbour *neigh; -@@ -500,17 +518,23 @@ static void rt6_probe(struct rt6_info *rt) - - if (!neigh || - time_after(jiffies, neigh->updated + rt->rt6i_idev->cnf.rtr_probe_interval)) { -- struct in6_addr mcaddr; -- struct in6_addr *target; -+ struct __rt6_probe_work *work; -+ -+ work = kmalloc(sizeof(*work), GFP_ATOMIC); - -- if (neigh) { -+ if (neigh && work) - neigh->updated = jiffies; -+ -+ if (neigh) - write_unlock(&neigh->lock); -- } - -- target = (struct in6_addr *)&rt->rt6i_gateway; -- addrconf_addr_solict_mult(target, &mcaddr); -- ndisc_send_ns(rt->dst.dev, NULL, target, &mcaddr, NULL); -+ if (work) { -+ INIT_WORK(&work->work, rt6_probe_deferred); -+ work->target = rt->rt6i_gateway; -+ dev_hold(rt->dst.dev); -+ work->dev = rt->dst.dev; -+ schedule_work(&work->work); -+ } - } else { - out: - write_unlock(&neigh->lock); --- -1.7.11.7 - - -From d7710f5e65b37ec3ac09dde758141e81fa47315d Mon Sep 17 00:00:00 2001 -From: Mariusz Ceier -Date: Mon, 21 Oct 2013 19:45:04 +0200 -Subject: [PATCH 47/47] davinci_emac.c: Fix IFF_ALLMULTI setup - -[ Upstream commit d69e0f7ea95fef8059251325a79c004bac01f018 ] - -When IFF_ALLMULTI flag is set on interface and IFF_PROMISC isn't, -emac_dev_mcast_set should only enable RX of multicasts and reset -MACHASH registers. - -It does this, but afterwards it either sets up multicast MACs -filtering or disables RX of multicasts and resets MACHASH registers -again, rendering IFF_ALLMULTI flag useless. - -This patch fixes emac_dev_mcast_set, so that multicast MACs filtering and -disabling of RX of multicasts are skipped when IFF_ALLMULTI flag is set. - -Tested with kernel 2.6.37. - -Signed-off-by: Mariusz Ceier -Acked-by: Mugunthan V N -Signed-off-by: David S. Miller ---- - drivers/net/ethernet/ti/davinci_emac.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/net/ethernet/ti/davinci_emac.c b/drivers/net/ethernet/ti/davinci_emac.c -index 1a222bce..45c167f 100644 ---- a/drivers/net/ethernet/ti/davinci_emac.c -+++ b/drivers/net/ethernet/ti/davinci_emac.c -@@ -876,8 +876,7 @@ static void emac_dev_mcast_set(struct net_device *ndev) - netdev_mc_count(ndev) > EMAC_DEF_MAX_MULTICAST_ADDRESSES) { - mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); - emac_add_mcast(priv, EMAC_ALL_MULTI_SET, NULL); -- } -- if (!netdev_mc_empty(ndev)) { -+ } else if (!netdev_mc_empty(ndev)) { - struct netdev_hw_addr *ha; - - mbp_enable = (mbp_enable | EMAC_MBP_RXMCAST); --- -1.7.11.7 - diff --git a/sources b/sources index 91571dae8..585450e45 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -c44ebb225fe9956b636b79ab6b61aa42 patch-3.11.6.xz +42361474ed56948d8f52e72958b2cdf0 patch-3.11.7.xz From a2083106afe16d73d2c9ae0f80b5863c5c3a8f49 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 4 Nov 2013 08:46:19 -0500 Subject: [PATCH 258/468] Add patch to fix iwlwifi queue settings backtrace (rhbz 1025769) --- ...dont-override-mac80211-queue-setting.patch | 98 +++++++++++++++++++ kernel.spec | 11 ++- 2 files changed, 108 insertions(+), 1 deletion(-) create mode 100644 iwlwifi-dvm-dont-override-mac80211-queue-setting.patch diff --git a/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch b/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch new file mode 100644 index 000000000..ce5f00b0b --- /dev/null +++ b/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -0,0 +1,98 @@ +From f6b129527ca15bae29ffb9417ddaa1c9d99ffc5d Mon Sep 17 00:00:00 2001 +From: Emmanuel Grumbach +Date: Tue, 15 Oct 2013 19:04:54 +0000 +Subject: iwlwifi: dvm: don't override mac80211's queue setting + +Since we set IEEE80211_HW_QUEUE_CONTROL, we can let +mac80211 do the queue assignement and don't need to +override its decisions. +While reassiging the same values is harmless of course, +it triggered a WARNING when iwlwifi and mac80211 came +to different conclusions. This happened when mac80211 set +IEEE80211_TX_CTL_SEND_AFTER_DTIM, but didn't route the +packet to the cab_queue because no stations were asleep. + +iwlwifi should not override mac80211's decicions for +offchannel packets and packets to be sent after DTIM, +but it should override mac80211's decision for AMPDUs +since we have a special queue for them. So for AMPDU, +we still override info->hw_queue by the AMPDU queue. + +This avoids: +------------[ cut here ]------------ +WARNING: CPU: 0 PID: 2531 at drivers/net/wireless/iwlwifi/dvm/tx.c:456 iwlagn_tx_skb+0x6c5/0x883() +Modules linked in: +CPU: 0 PID: 2531 Comm: hostapd Not tainted 3.12.0-rc5+ #1 +Hardware name: /D53427RKE, BIOS RKPPT10H.86A.0017.2013.0425.1251 04/25/2013 + 0000000000000000 0000000000000009 ffffffff8189aa62 0000000000000000 + ffffffff8105a4f2 ffff880058339a48 ffffffff815f8a04 0000000000000000 + ffff8800560097b0 0000000000000208 0000000000000000 ffff8800561a9e5e +Call Trace: + [] ? dump_stack+0x41/0x51 + [] ? warn_slowpath_common+0x78/0x90 + [] ? iwlagn_tx_skb+0x6c5/0x883 + [] ? iwlagn_tx_skb+0x6c5/0x883 + [] ? put_cred+0x15/0x15 + [] ? iwlagn_mac_tx+0x19/0x2f + [] ? __ieee80211_tx+0x226/0x29b + [] ? ieee80211_tx+0xa6/0xb5 + [] ? ieee80211_monitor_start_xmit+0x1e9/0x204 + [] ? dev_hard_start_xmit+0x271/0x3ec + [] ? sch_direct_xmit+0x66/0x164 + [] ? dev_queue_xmit+0x1e5/0x3c8 + [] ? packet_sendmsg+0xac5/0xb3d + [] ? sock_sendmsg+0x37/0x52 + [] ? __do_fault+0x338/0x36b + [] ? verify_iovec+0x44/0x94 + [] ? ___sys_sendmsg+0x1f1/0x283 + [] ? __inode_wait_for_writeback+0x67/0xae + [] ? __cache_free.isra.46+0x178/0x187 + [] ? kmem_cache_free+0x44/0x84 + [] ? dentry_kill+0x13d/0x149 + [] ? dput+0xe5/0xef + [] ? fget_light+0x2e/0x7c + [] ? __sys_sendmsg+0x39/0x57 + [] ? system_call_fastpath+0x16/0x1b +---[ end trace 1b3eb79359c1d1e6 ]--- + +Reported-by: Sander Eikelenboom +Reviewed-by: Johannes Berg +Signed-off-by: Johannes Berg +--- +diff --git a/drivers/net/wireless/iwlwifi/dvm/tx.c b/drivers/net/wireless/iwlwifi/dvm/tx.c +index da442b8..1fef524 100644 +--- a/drivers/net/wireless/iwlwifi/dvm/tx.c ++++ b/drivers/net/wireless/iwlwifi/dvm/tx.c +@@ -433,27 +433,19 @@ int iwlagn_tx_skb(struct iwl_priv *priv, + /* Copy MAC header from skb into command buffer */ + memcpy(tx_cmd->hdr, hdr, hdr_len); + ++ txq_id = info->hw_queue; ++ + if (is_agg) + txq_id = priv->tid_data[sta_id][tid].agg.txq_id; + else if (info->flags & IEEE80211_TX_CTL_SEND_AFTER_DTIM) { + /* +- * Send this frame after DTIM -- there's a special queue +- * reserved for this for contexts that support AP mode. +- */ +- txq_id = ctx->mcast_queue; +- +- /* + * The microcode will clear the more data + * bit in the last frame it transmits. + */ + hdr->frame_control |= + cpu_to_le16(IEEE80211_FCTL_MOREDATA); +- } else if (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) +- txq_id = IWL_AUX_QUEUE; +- else +- txq_id = ctx->ac_to_queue[skb_get_queue_mapping(skb)]; ++ } + +- WARN_ON_ONCE(!is_agg && txq_id != info->hw_queue); + WARN_ON_ONCE(is_agg && + priv->queue_to_mac80211[txq_id] != info->hw_queue); + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index c895d2b55..48670f3da 100644 --- a/kernel.spec +++ b/kernel.spec @@ -792,6 +792,9 @@ Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch Patch25140: 0001-Revert-epoll-use-freezable-blocking-call.patch Patch25141: 0001-Revert-select-use-freezable-blocking-call.patch +#rhbz 1025769 +Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch + # END OF PATCH DEFINITIONS %endif @@ -1532,6 +1535,9 @@ ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch ApplyPatch 0001-Revert-epoll-use-freezable-blocking-call.patch ApplyPatch 0001-Revert-select-use-freezable-blocking-call.patch +#rhbz 1025769 +ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch + # END OF PATCH APPLICATIONS %endif @@ -2344,7 +2350,10 @@ fi # and build. %changelog -* Mon Nov 04 2013 Justin M. Forbes - 3.11.7-200 +* Mon Nov 04 2013 Josh Boyer - 3.11.7-200 +- Add patch to fix iwlwifi queue settings backtrace (rhbz 1025769) + +* Mon Nov 04 2013 Justin M. Forbes - Linux v3.11.7 * Fri Nov 01 2013 Josh Boyer - 3.11.6-201 From a8d117eaca98cd2046485d7225162f5d7943434c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 9 Nov 2013 09:30:06 -0500 Subject: [PATCH 259/468] Add qxl backport fixes from Dave Airlie --- drm-qxl-backport-fixes-for-Fedora.patch | 226 ++++++++++++++++++++++++ kernel.spec | 7 + 2 files changed, 233 insertions(+) create mode 100644 drm-qxl-backport-fixes-for-Fedora.patch diff --git a/drm-qxl-backport-fixes-for-Fedora.patch b/drm-qxl-backport-fixes-for-Fedora.patch new file mode 100644 index 000000000..c46060d64 --- /dev/null +++ b/drm-qxl-backport-fixes-for-Fedora.patch @@ -0,0 +1,226 @@ +Bugzilla: N/A +Upstream-status: Queued for 3.13 + +From db8edc33193879f39c1b52521e20f4d6eb4e9858 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Fri, 08 Nov 2013 06:36:45 +0000 +Subject: drm/qxl: backport fixes for Fedora + +This pulls these changes from drm-next back into Fedora. + +drm/qxl: prefer the monitor config resolution (b080742393e2c1) +drm/qxl: remove unnecessary check (a40a60d912a101e8dfb08ee1) +drm/qxl: fix disabling extra monitors from client (5cab51cb3381157) +qxl: avoid an oops in the deferred io code. (cc87509d87696d7cd39) +drm/qxl: support 64bit surface bar (35541782dcc1e502) +qxl: add a connector property to denote hotplug should rescan modes. (4695b03970df37) + +Signed-off-by: Dave Airlie +--- +diff --git a/drivers/gpu/drm/qxl/qxl_display.c b/drivers/gpu/drm/qxl/qxl_display.c +index 835caba..1d975eb 100644 +--- a/drivers/gpu/drm/qxl/qxl_display.c ++++ b/drivers/gpu/drm/qxl/qxl_display.c +@@ -110,7 +110,9 @@ void qxl_display_read_client_monitors_config(struct qxl_device *qdev) + drm_helper_hpd_irq_event(qdev->ddev); + } + +-static int qxl_add_monitors_config_modes(struct drm_connector *connector) ++static int qxl_add_monitors_config_modes(struct drm_connector *connector, ++ unsigned *pwidth, ++ unsigned *pheight) + { + struct drm_device *dev = connector->dev; + struct qxl_device *qdev = dev->dev_private; +@@ -126,11 +128,15 @@ static int qxl_add_monitors_config_modes(struct drm_connector *connector) + mode = drm_cvt_mode(dev, head->width, head->height, 60, false, false, + false); + mode->type |= DRM_MODE_TYPE_PREFERRED; ++ *pwidth = head->width; ++ *pheight = head->height; + drm_mode_probed_add(connector, mode); + return 1; + } + +-static int qxl_add_common_modes(struct drm_connector *connector) ++static int qxl_add_common_modes(struct drm_connector *connector, ++ unsigned pwidth, ++ unsigned pheight) + { + struct drm_device *dev = connector->dev; + struct drm_display_mode *mode = NULL; +@@ -159,12 +165,9 @@ static int qxl_add_common_modes(struct drm_connector *connector) + }; + + for (i = 0; i < ARRAY_SIZE(common_modes); i++) { +- if (common_modes[i].w < 320 || common_modes[i].h < 200) +- continue; +- + mode = drm_cvt_mode(dev, common_modes[i].w, common_modes[i].h, + 60, false, false, false); +- if (common_modes[i].w == 1024 && common_modes[i].h == 768) ++ if (common_modes[i].w == pwidth && common_modes[i].h == pheight) + mode->type |= DRM_MODE_TYPE_PREFERRED; + drm_mode_probed_add(connector, mode); + } +@@ -720,16 +723,18 @@ static int qxl_conn_get_modes(struct drm_connector *connector) + { + int ret = 0; + struct qxl_device *qdev = connector->dev->dev_private; ++ unsigned pwidth = 1024; ++ unsigned pheight = 768; + + DRM_DEBUG_KMS("monitors_config=%p\n", qdev->monitors_config); + /* TODO: what should we do here? only show the configured modes for the + * device, or allow the full list, or both? */ + if (qdev->monitors_config && qdev->monitors_config->count) { +- ret = qxl_add_monitors_config_modes(connector); ++ ret = qxl_add_monitors_config_modes(connector, &pwidth, &pheight); + if (ret < 0) + return ret; + } +- ret += qxl_add_common_modes(connector); ++ ret += qxl_add_common_modes(connector, pwidth, pheight); + return ret; + } + +@@ -793,7 +798,10 @@ static enum drm_connector_status qxl_conn_detect( + qdev->client_monitors_config->count > output->index && + qxl_head_enabled(&qdev->client_monitors_config->heads[output->index])); + +- DRM_DEBUG("\n"); ++ DRM_DEBUG("#%d connected: %d\n", output->index, connected); ++ if (!connected) ++ qxl_monitors_config_set(qdev, output->index, 0, 0, 0, 0, 0); ++ + return connected ? connector_status_connected + : connector_status_disconnected; + } +@@ -835,8 +843,21 @@ static const struct drm_encoder_funcs qxl_enc_funcs = { + .destroy = qxl_enc_destroy, + }; + ++static int qxl_mode_create_hotplug_mode_update_property(struct qxl_device *qdev) ++{ ++ if (qdev->hotplug_mode_update_property) ++ return 0; ++ ++ qdev->hotplug_mode_update_property = ++ drm_property_create_range(qdev->ddev, DRM_MODE_PROP_IMMUTABLE, ++ "hotplug_mode_update", 0, 1); ++ ++ return 0; ++} ++ + static int qdev_output_init(struct drm_device *dev, int num_output) + { ++ struct qxl_device *qdev = dev->dev_private; + struct qxl_output *qxl_output; + struct drm_connector *connector; + struct drm_encoder *encoder; +@@ -863,6 +884,8 @@ static int qdev_output_init(struct drm_device *dev, int num_output) + drm_encoder_helper_add(encoder, &qxl_enc_helper_funcs); + drm_connector_helper_add(connector, &qxl_connector_helper_funcs); + ++ drm_object_attach_property(&connector->base, ++ qdev->hotplug_mode_update_property, 0); + drm_sysfs_connector_add(connector); + return 0; + } +@@ -975,6 +998,9 @@ int qxl_modeset_init(struct qxl_device *qdev) + qdev->ddev->mode_config.max_height = 8192; + + qdev->ddev->mode_config.fb_base = qdev->vram_base; ++ ++ qxl_mode_create_hotplug_mode_update_property(qdev); ++ + for (i = 0 ; i < qxl_num_crtc; ++i) { + qdev_crtc_init(qdev->ddev, i); + qdev_output_init(qdev->ddev, i); +diff --git a/drivers/gpu/drm/qxl/qxl_drv.h b/drivers/gpu/drm/qxl/qxl_drv.h +index 7e96f4f..18c599d 100644 +--- a/drivers/gpu/drm/qxl/qxl_drv.h ++++ b/drivers/gpu/drm/qxl/qxl_drv.h +@@ -323,6 +323,8 @@ struct qxl_device { + struct work_struct gc_work; + + struct work_struct fb_work; ++ ++ struct drm_property *hotplug_mode_update_property; + }; + + /* forward declaration for QXL_INFO_IO */ +diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c +index 88722f2..f437b30 100644 +--- a/drivers/gpu/drm/qxl/qxl_fb.c ++++ b/drivers/gpu/drm/qxl/qxl_fb.c +@@ -108,7 +108,7 @@ static void qxl_fb_dirty_flush(struct fb_info *info) + u32 x1, x2, y1, y2; + + /* TODO: hard coding 32 bpp */ +- int stride = qfbdev->qfb.base.pitches[0] * 4; ++ int stride = qfbdev->qfb.base.pitches[0]; + + x1 = qfbdev->dirty.x1; + x2 = qfbdev->dirty.x2; +diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c +index 9e8da9e..e0ddd5b 100644 +--- a/drivers/gpu/drm/qxl/qxl_kms.c ++++ b/drivers/gpu/drm/qxl/qxl_kms.c +@@ -120,7 +120,7 @@ int qxl_device_init(struct qxl_device *qdev, + struct pci_dev *pdev, + unsigned long flags) + { +- int r; ++ int r, sb; + + qdev->dev = &pdev->dev; + qdev->ddev = ddev; +@@ -136,21 +136,39 @@ int qxl_device_init(struct qxl_device *qdev, + qdev->rom_base = pci_resource_start(pdev, 2); + qdev->rom_size = pci_resource_len(pdev, 2); + qdev->vram_base = pci_resource_start(pdev, 0); +- qdev->surfaceram_base = pci_resource_start(pdev, 1); +- qdev->surfaceram_size = pci_resource_len(pdev, 1); + qdev->io_base = pci_resource_start(pdev, 3); + + qdev->vram_mapping = io_mapping_create_wc(qdev->vram_base, pci_resource_len(pdev, 0)); +- qdev->surface_mapping = io_mapping_create_wc(qdev->surfaceram_base, qdev->surfaceram_size); +- DRM_DEBUG_KMS("qxl: vram %llx-%llx(%dM %dk), surface %llx-%llx(%dM %dk)\n", ++ ++ if (pci_resource_len(pdev, 4) > 0) { ++ /* 64bit surface bar present */ ++ sb = 4; ++ qdev->surfaceram_base = pci_resource_start(pdev, sb); ++ qdev->surfaceram_size = pci_resource_len(pdev, sb); ++ qdev->surface_mapping = ++ io_mapping_create_wc(qdev->surfaceram_base, ++ qdev->surfaceram_size); ++ } ++ if (qdev->surface_mapping == NULL) { ++ /* 64bit surface bar not present (or mapping failed) */ ++ sb = 1; ++ qdev->surfaceram_base = pci_resource_start(pdev, sb); ++ qdev->surfaceram_size = pci_resource_len(pdev, sb); ++ qdev->surface_mapping = ++ io_mapping_create_wc(qdev->surfaceram_base, ++ qdev->surfaceram_size); ++ } ++ ++ DRM_DEBUG_KMS("qxl: vram %llx-%llx(%dM %dk), surface %llx-%llx(%dM %dk, %s)\n", + (unsigned long long)qdev->vram_base, + (unsigned long long)pci_resource_end(pdev, 0), + (int)pci_resource_len(pdev, 0) / 1024 / 1024, + (int)pci_resource_len(pdev, 0) / 1024, + (unsigned long long)qdev->surfaceram_base, +- (unsigned long long)pci_resource_end(pdev, 1), ++ (unsigned long long)pci_resource_end(pdev, sb), + (int)qdev->surfaceram_size / 1024 / 1024, +- (int)qdev->surfaceram_size / 1024); ++ (int)qdev->surfaceram_size / 1024, ++ (sb == 4) ? "64bit" : "32bit"); + + qdev->rom = ioremap(qdev->rom_base, qdev->rom_size); + if (!qdev->rom) { +-- +cgit v0.9.0.2-2-gbebe diff --git a/kernel.spec b/kernel.spec index 48670f3da..4a01de3a1 100644 --- a/kernel.spec +++ b/kernel.spec @@ -795,6 +795,8 @@ Patch25141: 0001-Revert-select-use-freezable-blocking-call.patch #rhbz 1025769 Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch +Patch25143: drm-qxl-backport-fixes-for-Fedora.patch + # END OF PATCH DEFINITIONS %endif @@ -1538,6 +1540,8 @@ ApplyPatch 0001-Revert-select-use-freezable-blocking-call.patch #rhbz 1025769 ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch +ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch + # END OF PATCH APPLICATIONS %endif @@ -2350,6 +2354,9 @@ fi # and build. %changelog +* Sat Nov 09 2013 Josh Boyer +- Add qxl backport fixes from Dave Airlie + * Mon Nov 04 2013 Josh Boyer - 3.11.7-200 - Add patch to fix iwlwifi queue settings backtrace (rhbz 1025769) From 089e5541bc29cd81b7d49cab0e56098d9d3b68ef Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 9 Nov 2013 09:38:53 -0500 Subject: [PATCH 260/468] Add patch from Daniel Stone to avoid high order allocations in evdev --- ...k-to-vmalloc-for-client-event-buffer.patch | 64 +++++++++++++++++++ kernel.spec | 5 ++ 2 files changed, 69 insertions(+) create mode 100644 Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch diff --git a/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch b/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch new file mode 100644 index 000000000..da1b92ed8 --- /dev/null +++ b/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch @@ -0,0 +1,64 @@ +From 92eb77d0ffbaa71b501a0a8dabf09a351bf4267f Mon Sep 17 00:00:00 2001 +From: Daniel Stone +Date: Thu, 31 Oct 2013 07:25:34 +0000 +Subject: Input: evdev - fall back to vmalloc for client event buffer + +evdev always tries to allocate the event buffer for clients using +kzalloc rather than vmalloc, presumably to avoid mapping overhead where +possible. However, drivers like bcm5974, which claims support for +reporting 16 fingers simultaneously, can have an extraordinarily large +buffer. The resultant contiguous order-4 allocation attempt fails due +to fragmentation, and the device is thus unusable until reboot. + +Try kzalloc if we can to avoid the mapping overhead, but if that fails, +fall back to vzalloc. + +Signed-off-by: Daniel Stone +Signed-off-by: Dmitry Torokhov +--- +diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c +index b6ded17..a06e125 100644 +--- a/drivers/input/evdev.c ++++ b/drivers/input/evdev.c +@@ -18,6 +18,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -369,7 +371,11 @@ static int evdev_release(struct inode *inode, struct file *file) + mutex_unlock(&evdev->mutex); + + evdev_detach_client(evdev, client); +- kfree(client); ++ ++ if (is_vmalloc_addr(client)) ++ vfree(client); ++ else ++ kfree(client); + + evdev_close_device(evdev); + +@@ -389,12 +395,14 @@ static int evdev_open(struct inode *inode, struct file *file) + { + struct evdev *evdev = container_of(inode->i_cdev, struct evdev, cdev); + unsigned int bufsize = evdev_compute_buffer_size(evdev->handle.dev); ++ unsigned int size = sizeof(struct evdev_client) + ++ bufsize * sizeof(struct input_event); + struct evdev_client *client; + int error; + +- client = kzalloc(sizeof(struct evdev_client) + +- bufsize * sizeof(struct input_event), +- GFP_KERNEL); ++ client = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); ++ if (!client) ++ client = vzalloc(size); + if (!client) + return -ENOMEM; + +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 4a01de3a1..18b9df260 100644 --- a/kernel.spec +++ b/kernel.spec @@ -797,6 +797,8 @@ Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch Patch25143: drm-qxl-backport-fixes-for-Fedora.patch +Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch + # END OF PATCH DEFINITIONS %endif @@ -1542,6 +1544,8 @@ ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch +ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch + # END OF PATCH APPLICATIONS %endif @@ -2355,6 +2359,7 @@ fi %changelog * Sat Nov 09 2013 Josh Boyer +- Add patch from Daniel Stone to avoid high order allocations in evdev - Add qxl backport fixes from Dave Airlie * Mon Nov 04 2013 Josh Boyer - 3.11.7-200 From 54e7683bf8b6c2e03f582e4dc1f1c91944fcd491 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Wed, 13 Nov 2013 09:52:07 -0600 Subject: [PATCH 261/468] Linux v3.11.8 --- ...rt-epoll-use-freezable-blocking-call.patch | 49 -- ...t-select-use-freezable-blocking-call.patch | 55 -- ...00pci-Use-PCI-MSIs-whenever-possible.patch | 59 --- fix-buslogic.patch | 121 ----- intel-3.12-stable-fixes.patch | 488 ------------------ kernel.spec | 25 +- sources | 2 +- 7 files changed, 5 insertions(+), 794 deletions(-) delete mode 100644 0001-Revert-epoll-use-freezable-blocking-call.patch delete mode 100644 0001-Revert-select-use-freezable-blocking-call.patch delete mode 100644 Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch delete mode 100644 fix-buslogic.patch diff --git a/0001-Revert-epoll-use-freezable-blocking-call.patch b/0001-Revert-epoll-use-freezable-blocking-call.patch deleted file mode 100644 index eda58ee28..000000000 --- a/0001-Revert-epoll-use-freezable-blocking-call.patch +++ /dev/null @@ -1,49 +0,0 @@ -From c511851de162e8ec03d62e7d7feecbdf590d881d Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" -Date: Tue, 29 Oct 2013 13:12:56 +0100 -Subject: [PATCH] Revert "epoll: use freezable blocking call" - -This reverts commit 1c441e921201 (epoll: use freezable blocking call) -which is reported to cause user space memory corruption to happen -after suspend to RAM. - -Since it appears to be extremely difficult to root cause this -problem, it is best to revert the offending commit and try to address -the original issue in a better way later. - -References: https://bugzilla.kernel.org/show_bug.cgi?id=61781 -Reported-by: Natrio -Reported-by: Jeff Pohlmeyer -Bisected-by: Leo Wolf -Fixes: 1c441e921201 (epoll: use freezable blocking call) -Signed-off-by: Rafael J. Wysocki -Cc: 3.11+ # 3.11+ ---- - fs/eventpoll.c | 4 +--- - 1 file changed, 1 insertion(+), 3 deletions(-) - -diff --git a/fs/eventpoll.c b/fs/eventpoll.c -index 473e09d..810c28f 100644 ---- a/fs/eventpoll.c -+++ b/fs/eventpoll.c -@@ -34,7 +34,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -1605,8 +1604,7 @@ fetch_events: - } - - spin_unlock_irqrestore(&ep->lock, flags); -- if (!freezable_schedule_hrtimeout_range(to, slack, -- HRTIMER_MODE_ABS)) -+ if (!schedule_hrtimeout_range(to, slack, HRTIMER_MODE_ABS)) - timed_out = 1; - - spin_lock_irqsave(&ep->lock, flags); --- -1.8.3.1 - diff --git a/0001-Revert-select-use-freezable-blocking-call.patch b/0001-Revert-select-use-freezable-blocking-call.patch deleted file mode 100644 index 0ab5152a0..000000000 --- a/0001-Revert-select-use-freezable-blocking-call.patch +++ /dev/null @@ -1,55 +0,0 @@ -From 59612d187912750f416fbffe0c00bc0811c54ab5 Mon Sep 17 00:00:00 2001 -From: "Rafael J. Wysocki" -Date: Tue, 29 Oct 2013 23:43:08 +0100 -Subject: [PATCH] Revert "select: use freezable blocking call" - -This reverts commit 9745cdb36da8 (select: use freezable blocking call) -that triggers problems during resume from suspend to RAM on Paul Bolle's -32-bit x86 machines. Paul says: - - Ever since I tried running (release candidates of) v3.11 on the two - working i686s I still have lying around I ran into issues on resuming - from suspend. Reverting 9745cdb36da8 (select: use freezable blocking - call) resolves those issues. - - Resuming from suspend on i686 on (release candidates of) v3.11 and - later triggers issues like: - - traps: systemd[1] general protection ip:b738e490 sp:bf882fc0 error:0 in libc-2.16.so[b731c000+1b0000] - - and - - traps: rtkit-daemon[552] general protection ip:804d6e5 sp:b6cb32f0 error:0 in rtkit-daemon[8048000+d000] - - Once I hit the systemd error I can only get out of the mess that the - system is at that point by power cycling it. - -Since we are reverting another freezer-related change causing similar -problems to happen, this one should be reverted as well. - -References: https://lkml.org/lkml/2013/10/29/583 -Reported-by: Paul Bolle -Fixes: 9745cdb36da8 (select: use freezable blocking call) -Signed-off-by: Rafael J. Wysocki -Cc: 3.11+ # 3.11+ ---- - fs/select.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/fs/select.c b/fs/select.c -index 35d4adc7..dfd5cb1 100644 ---- a/fs/select.c -+++ b/fs/select.c -@@ -238,8 +238,7 @@ int poll_schedule_timeout(struct poll_wqueues *pwq, int state, - - set_current_state(state); - if (!pwq->triggered) -- rc = freezable_schedule_hrtimeout_range(expires, slack, -- HRTIMER_MODE_ABS); -+ rc = schedule_hrtimeout_range(expires, slack, HRTIMER_MODE_ABS); - __set_current_state(TASK_RUNNING); - - /* --- -1.8.3.1 - diff --git a/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch b/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch deleted file mode 100644 index 4e48620ec..000000000 --- a/Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch +++ /dev/null @@ -1,59 +0,0 @@ -This reverts commit 9483f40d8d01918b399b4e24d0c1111db0afffeb. - -Some devices stop to connect with above commit, see: -https://bugzilla.kernel.org/show_bug.cgi?id=61621 - -Since there is no clear benefit of having MSI enabled, just revert -change to fix the problem. - -Cc: stable@vger.kernel.org # 3.11+ -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/rt2x00/rt2x00pci.c | 9 +-------- - 1 file changed, 1 insertion(+), 8 deletions(-) - -diff --git a/drivers/net/wireless/rt2x00/rt2x00pci.c b/drivers/net/wireless/rt2x00/rt2x00pci.c -index 76d95de..dc49e52 100644 ---- a/drivers/net/wireless/rt2x00/rt2x00pci.c -+++ b/drivers/net/wireless/rt2x00/rt2x00pci.c -@@ -105,13 +105,11 @@ int rt2x00pci_probe(struct pci_dev *pci_dev, const struct rt2x00_ops *ops) - goto exit_release_regions; - } - -- pci_enable_msi(pci_dev); -- - hw = ieee80211_alloc_hw(sizeof(struct rt2x00_dev), ops->hw); - if (!hw) { - rt2x00_probe_err("Failed to allocate hardware\n"); - retval = -ENOMEM; -- goto exit_disable_msi; -+ goto exit_release_regions; - } - - pci_set_drvdata(pci_dev, hw); -@@ -152,9 +150,6 @@ exit_free_reg: - exit_free_device: - ieee80211_free_hw(hw); - --exit_disable_msi: -- pci_disable_msi(pci_dev); -- - exit_release_regions: - pci_release_regions(pci_dev); - -@@ -179,8 +174,6 @@ void rt2x00pci_remove(struct pci_dev *pci_dev) - rt2x00pci_free_reg(rt2x00dev); - ieee80211_free_hw(hw); - -- pci_disable_msi(pci_dev); -- - /* - * Free the PCI device data. - */ --- -1.8.3.1 - --- -To unsubscribe from this list: send the line "unsubscribe linux-wireless" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html \ No newline at end of file diff --git a/fix-buslogic.patch b/fix-buslogic.patch deleted file mode 100644 index 0862d00aa..000000000 --- a/fix-buslogic.patch +++ /dev/null @@ -1,121 +0,0 @@ -This fixes an oops caused by buslogic driver when initializing a BusLogic -MultiMaster adapter. Initialization code used scope of a variable -incorrectly which created a NULL pointer. Oops message is below: - -BUG: unable to handle kernel NULL pointer dereference at 0000000c -IP: [] blogic_init_mm_probeinfo.isra.17+0x20a/0x583 -*pde = 00000000 -Oops: 002 [#1] PREEMPT SMP -Modules linked in: -CPU: 1 PID: 1 Comm: swapper/0 Not tainted 3.11.1.puz1 #1 -Hardware name: /Canterwood, BIOS 6.00 PG 05/16/2003 -task: f7050000 ti: f7054000 task.ti: f7054000 -EIP: 0060:[] EFLAGS: 00010246 CPU:1 -EIP is at blogic_init_mm_probeinfo.isra.17+0x20a/0x583 -EAX: 00000013 EBX: 00000000 ECX: 00000000 EDX: f8001000 -ESI: f71cb800 EDI: f7388000 EBP: 00007800 ESP: f7055c84 - DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 -CR0: 8005003b CR2: 0000000c CR3: 0154f000 CR4: 000007d0 -Stack: - 0000001c 00000000 c11a59f6 f7055c98 00008130 ffffffff ffffffff 00000000 - 00000003 00000000 00000000 00000000 00000013 f8001000 00000001 000003d0 - 00000000 00000000 00000000 c14e3f84 f78803c8 00000000 f738c000 000000e9 -Call Trace: - [] ? pci_get_subsys+0x33/0x38 - [] ? blogic_init_probeinfo_list+0x4b/0x19e - [] ? __alloc_pages_nodemask+0xe3/0x623 - [] ? __alloc_pages_nodemask+0xe3/0x623 - [] ? sysfs_link_sibling+0x61/0x8d - [] ? kmem_cache_alloc+0x8b/0xb5 - [] ? blogic_init+0xa1/0x10e8 - [] ? sysfs_add_one+0x10/0x9d - [] ? sysfs_addrm_finish+0x12/0x85 - [] ? sysfs_do_create_link_sd+0x9d/0x1b4 - [] ? blk_register_queue+0x69/0xb3 - [] ? sysfs_create_link+0x1a/0x2c - [] ? add_disk+0x1a1/0x3c7 - [] ? klist_next+0x60/0xc3 - [] ? scsi_dh_detach+0x68/0x68 - [] ? bus_for_each_dev+0x51/0x61 - [] ? do_one_initcall+0x22/0x12c - [] ? __proc_create+0x8c/0xba - [] ? blogic_setup+0x5f6/0x5f6 - [] ? repair_env_string+0xf/0x4d - [] ? do_early_param+0x71/0x71 - [] ? parse_args+0x21f/0x33d - [] ? kernel_init_freeable+0xdf/0x17d - [] ? do_early_param+0x71/0x71 - [] ? kernel_init+0x8/0xc0 - [] ? ret_from_kernel_thread+0x6/0x28 - [] ? ret_from_kernel_thread+0x1b/0x28 - [] ? rest_init+0x6c/0x6c -Code: 89 44 24 10 0f b6 44 24 3d 89 44 24 0c c7 44 24 08 00 00 00 00 c7 44 24 04 38 62 46 c1 c7 04 24 02 00 00 00 e8 78 13 d2 ff 31 db <89> 6b 0c b0 20 89 ea ee - c7 44 24 08 04 00 00 00 8d 44 24 4c 89 -EIP: [] blogic_init_mm_probeinfo.isra.17+0x20a/0x583 SS:ESP 0068:f7055c84 -CR2: 000000000000000c ----[ end trace 17f45f5196d40487 ]--- -Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 - -Signed-off-by: Khalid Aziz -Cc: # 3.11.x -Cc: Khalid Aziz -Reported-by: Pierre Uszynski -Tested-by: Pierre Uszynski ---- - drivers/scsi/BusLogic.c | 16 ++++++++-------- - 1 file changed, 8 insertions(+), 8 deletions(-) - -diff --git a/drivers/scsi/BusLogic.c b/drivers/scsi/BusLogic.c -index feab3a5..757eb07 100644 ---- a/drivers/scsi/BusLogic.c -+++ b/drivers/scsi/BusLogic.c -@@ -696,7 +696,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) - while ((pci_device = pci_get_device(PCI_VENDOR_ID_BUSLOGIC, - PCI_DEVICE_ID_BUSLOGIC_MULTIMASTER, - pci_device)) != NULL) { -- struct blogic_adapter *adapter = adapter; -+ struct blogic_adapter *host_adapter = adapter; - struct blogic_adapter_info adapter_info; - enum blogic_isa_ioport mod_ioaddr_req; - unsigned char bus; -@@ -744,9 +744,9 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) - known and enabled, note that the particular Standard ISA I/O - Address should not be probed. - */ -- adapter->io_addr = io_addr; -- blogic_intreset(adapter); -- if (blogic_cmd(adapter, BLOGIC_INQ_PCI_INFO, NULL, 0, -+ host_adapter->io_addr = io_addr; -+ blogic_intreset(host_adapter); -+ if (blogic_cmd(host_adapter, BLOGIC_INQ_PCI_INFO, NULL, 0, - &adapter_info, sizeof(adapter_info)) == - sizeof(adapter_info)) { - if (adapter_info.isa_port < 6) -@@ -762,7 +762,7 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) - I/O Address assigned at system initialization. - */ - mod_ioaddr_req = BLOGIC_IO_DISABLE; -- blogic_cmd(adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req, -+ blogic_cmd(host_adapter, BLOGIC_MOD_IOADDR, &mod_ioaddr_req, - sizeof(mod_ioaddr_req), NULL, 0); - /* - For the first MultiMaster Host Adapter enumerated, -@@ -779,12 +779,12 @@ static int __init blogic_init_mm_probeinfo(struct blogic_adapter *adapter) - - fetch_localram.offset = BLOGIC_AUTOSCSI_BASE + 45; - fetch_localram.count = sizeof(autoscsi_byte45); -- blogic_cmd(adapter, BLOGIC_FETCH_LOCALRAM, -+ blogic_cmd(host_adapter, BLOGIC_FETCH_LOCALRAM, - &fetch_localram, sizeof(fetch_localram), - &autoscsi_byte45, - sizeof(autoscsi_byte45)); -- blogic_cmd(adapter, BLOGIC_GET_BOARD_ID, NULL, 0, &id, -- sizeof(id)); -+ blogic_cmd(host_adapter, BLOGIC_GET_BOARD_ID, NULL, 0, -+ &id, sizeof(id)); - if (id.fw_ver_digit1 == '5') - force_scan_order = - autoscsi_byte45.force_scan_order; --- -1.7.10.4 - diff --git a/intel-3.12-stable-fixes.patch b/intel-3.12-stable-fixes.patch index 35335423e..24a80dc0f 100644 --- a/intel-3.12-stable-fixes.patch +++ b/intel-3.12-stable-fixes.patch @@ -1,254 +1,3 @@ -From 39bb622a9804de9fa51cae31f07104a19067483a Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= -Date: Mon, 21 Oct 2013 10:52:06 +0300 -Subject: [PATCH 1/5] drm/i915: Add support for pipe_bpp readout -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -On CTG+ read out the pipe bpp setting from hardware and fill it into -pipe config. Also check it appropriately. - -v2: Don't do the pipe_bpp extraction inside the PCH only code block on - ILK+. - Avoid the PIPECONF read as we already have read it for the - PIPECONF_EANBLE check. - -Note: This is already in drm-intel-next-queued as -commit 42571aefafb1d330ef84eb29418832f72e7dfb4c -Author: Ville Syrjälä -Date: Fri Sep 6 23:29:00 2013 +0300 - - drm/i915: Add support for pipe_bpp readout - -but is needed for the following bugfix. - -Signed-off-by: Ville Syrjälä -Reviewed-by: Jani Nikula -Cc: stable@vger.kernel.org -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/intel_ddi.c | 17 +++++++++++++++++ - drivers/gpu/drm/i915/intel_display.c | 36 ++++++++++++++++++++++++++++++++++++ - 2 files changed, 53 insertions(+) - -diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c -index b042ee5..83e413b 100644 ---- a/drivers/gpu/drm/i915/intel_ddi.c -+++ b/drivers/gpu/drm/i915/intel_ddi.c -@@ -1280,6 +1280,23 @@ static void intel_ddi_get_config(struct intel_encoder *encoder, - flags |= DRM_MODE_FLAG_NVSYNC; - - pipe_config->adjusted_mode.flags |= flags; -+ -+ switch (temp & TRANS_DDI_BPC_MASK) { -+ case TRANS_DDI_BPC_6: -+ pipe_config->pipe_bpp = 18; -+ break; -+ case TRANS_DDI_BPC_8: -+ pipe_config->pipe_bpp = 24; -+ break; -+ case TRANS_DDI_BPC_10: -+ pipe_config->pipe_bpp = 30; -+ break; -+ case TRANS_DDI_BPC_12: -+ pipe_config->pipe_bpp = 36; -+ break; -+ default: -+ break; -+ } - } - - static void intel_ddi_destroy(struct drm_encoder *encoder) -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 90a7c17..4aaccd3 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -4943,6 +4943,22 @@ static bool i9xx_get_pipe_config(struct intel_crtc *crtc, - if (!(tmp & PIPECONF_ENABLE)) - return false; - -+ if (IS_G4X(dev) || IS_VALLEYVIEW(dev)) { -+ switch (tmp & PIPECONF_BPC_MASK) { -+ case PIPECONF_6BPC: -+ pipe_config->pipe_bpp = 18; -+ break; -+ case PIPECONF_8BPC: -+ pipe_config->pipe_bpp = 24; -+ break; -+ case PIPECONF_10BPC: -+ pipe_config->pipe_bpp = 30; -+ break; -+ default: -+ break; -+ } -+ } -+ - intel_get_pipe_timings(crtc, pipe_config); - - i9xx_get_pfit_config(crtc, pipe_config); -@@ -5821,6 +5837,23 @@ static bool ironlake_get_pipe_config(struct intel_crtc *crtc, - if (!(tmp & PIPECONF_ENABLE)) - return false; - -+ switch (tmp & PIPECONF_BPC_MASK) { -+ case PIPECONF_6BPC: -+ pipe_config->pipe_bpp = 18; -+ break; -+ case PIPECONF_8BPC: -+ pipe_config->pipe_bpp = 24; -+ break; -+ case PIPECONF_10BPC: -+ pipe_config->pipe_bpp = 30; -+ break; -+ case PIPECONF_12BPC: -+ pipe_config->pipe_bpp = 36; -+ break; -+ default: -+ break; -+ } -+ - if (I915_READ(PCH_TRANSCONF(crtc->pipe)) & TRANS_ENABLE) { - struct intel_shared_dpll *pll; - -@@ -8147,6 +8180,9 @@ intel_pipe_config_compare(struct drm_device *dev, - PIPE_CONF_CHECK_X(dpll_hw_state.fp0); - PIPE_CONF_CHECK_X(dpll_hw_state.fp1); - -+ if (IS_G4X(dev) || INTEL_INFO(dev)->gen >= 5) -+ PIPE_CONF_CHECK_I(pipe_bpp); -+ - #undef PIPE_CONF_CHECK_X - #undef PIPE_CONF_CHECK_I - #undef PIPE_CONF_CHECK_FLAGS --- -1.8.3.1 - - -From b59da942a708f7cf1c421a7cb666f98fd8172208 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Ville=20Syrj=C3=A4l=C3=A4?= -Date: Tue, 24 Sep 2013 14:24:05 +0300 -Subject: [PATCH 2/5] drm/i915: Add HSW CRT output readout support -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Call intel_ddi_get_config() to get the pipe_bpp settings from -DDI. - -The sync polarity settings from DDI are irrelevant for CRT -output, so override them with data from the ADPA register. - -Note: This is already merged in drm-intel-next-queued as - -commit 6801c18c0a43386bb44712cbc028a7e05adb9f0d -Author: Ville Syrjälä -Date: Tue Sep 24 14:24:05 2013 +0300 - - drm/i915: Add HSW CRT output readout support - -but is required for the following edp bpp bugfix. - -v2: Extract intel_crt_get_flags() - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=69691 -Tested-by: Qingshuai Tian -Signed-off-by: Ville Syrjälä -Cc: stable@vger.kernel.org -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/intel_crt.c | 30 ++++++++++++++++++++++++++---- - drivers/gpu/drm/i915/intel_ddi.c | 4 ++-- - drivers/gpu/drm/i915/intel_drv.h | 2 ++ - 3 files changed, 30 insertions(+), 6 deletions(-) - -diff --git a/drivers/gpu/drm/i915/intel_crt.c b/drivers/gpu/drm/i915/intel_crt.c -index 3acec8c..6aa6ebd 100644 ---- a/drivers/gpu/drm/i915/intel_crt.c -+++ b/drivers/gpu/drm/i915/intel_crt.c -@@ -84,8 +84,7 @@ static bool intel_crt_get_hw_state(struct intel_encoder *encoder, - return true; - } - --static void intel_crt_get_config(struct intel_encoder *encoder, -- struct intel_crtc_config *pipe_config) -+static unsigned int intel_crt_get_flags(struct intel_encoder *encoder) - { - struct drm_i915_private *dev_priv = encoder->base.dev->dev_private; - struct intel_crt *crt = intel_encoder_to_crt(encoder); -@@ -103,7 +102,27 @@ static void intel_crt_get_config(struct intel_encoder *encoder, - else - flags |= DRM_MODE_FLAG_NVSYNC; - -- pipe_config->adjusted_mode.flags |= flags; -+ return flags; -+} -+ -+static void intel_crt_get_config(struct intel_encoder *encoder, -+ struct intel_crtc_config *pipe_config) -+{ -+ struct drm_device *dev = encoder->base.dev; -+ -+ pipe_config->adjusted_mode.flags |= intel_crt_get_flags(encoder); -+} -+ -+static void hsw_crt_get_config(struct intel_encoder *encoder, -+ struct intel_crtc_config *pipe_config) -+{ -+ intel_ddi_get_config(encoder, pipe_config); -+ -+ pipe_config->adjusted_mode.flags &= ~(DRM_MODE_FLAG_PHSYNC | -+ DRM_MODE_FLAG_NHSYNC | -+ DRM_MODE_FLAG_PVSYNC | -+ DRM_MODE_FLAG_NVSYNC); -+ pipe_config->adjusted_mode.flags |= intel_crt_get_flags(encoder); - } - - /* Note: The caller is required to filter out dpms modes not supported by the -@@ -802,7 +821,10 @@ void intel_crt_init(struct drm_device *dev) - crt->base.compute_config = intel_crt_compute_config; - crt->base.disable = intel_disable_crt; - crt->base.enable = intel_enable_crt; -- crt->base.get_config = intel_crt_get_config; -+ if (IS_HASWELL(dev)) -+ crt->base.get_config = hsw_crt_get_config; -+ else -+ crt->base.get_config = intel_crt_get_config; - if (I915_HAS_HOTPLUG(dev)) - crt->base.hpd_pin = HPD_CRT; - if (HAS_DDI(dev)) -diff --git a/drivers/gpu/drm/i915/intel_ddi.c b/drivers/gpu/drm/i915/intel_ddi.c -index 83e413b..5a6368d 100644 ---- a/drivers/gpu/drm/i915/intel_ddi.c -+++ b/drivers/gpu/drm/i915/intel_ddi.c -@@ -1261,8 +1261,8 @@ static void intel_ddi_hot_plug(struct intel_encoder *intel_encoder) - intel_dp_check_link_status(intel_dp); - } - --static void intel_ddi_get_config(struct intel_encoder *encoder, -- struct intel_crtc_config *pipe_config) -+void intel_ddi_get_config(struct intel_encoder *encoder, -+ struct intel_crtc_config *pipe_config) - { - struct drm_i915_private *dev_priv = encoder->base.dev->dev_private; - struct intel_crtc *intel_crtc = to_intel_crtc(encoder->base.crtc); -diff --git a/drivers/gpu/drm/i915/intel_drv.h b/drivers/gpu/drm/i915/intel_drv.h -index b7d6e09..ddf7e2f 100644 ---- a/drivers/gpu/drm/i915/intel_drv.h -+++ b/drivers/gpu/drm/i915/intel_drv.h -@@ -816,6 +816,8 @@ extern void intel_ddi_prepare_link_retrain(struct drm_encoder *encoder); - extern bool - intel_ddi_connector_get_hw_state(struct intel_connector *intel_connector); - extern void intel_ddi_fdi_disable(struct drm_crtc *crtc); -+extern void intel_ddi_get_config(struct intel_encoder *encoder, -+ struct intel_crtc_config *pipe_config); - - extern void intel_display_handle_reset(struct drm_device *dev); - extern bool intel_set_cpu_fifo_underrun_reporting(struct drm_device *dev, --- -1.8.3.1 - - From 92c64493f41092185230c552c277b42bf6113140 Mon Sep 17 00:00:00 2001 From: Jani Nikula Date: Mon, 21 Oct 2013 10:52:07 +0300 @@ -335,240 +84,3 @@ index 3aed1fe..07eb447 100644 static void intel_disable_dp(struct intel_encoder *encoder) -- 1.8.3.1 - - -From 1e5ec9a5628cfd23443a91f80dea2118efb21afd Mon Sep 17 00:00:00 2001 -From: Rob Pearce -Date: Sun, 27 Oct 2013 16:13:42 +0000 -Subject: [PATCH 4/5] drm/i915: No LVDS hardware on Intel D410PT and D425KT - -The Intel D410PT(LW) and D425KT Mini-ITX desktop boards both show up as -having LVDS but the hardware is not populated. This patch adds them to -the list of such systems. Patch is against 3.11.4 - -v2: Patch revised to match the D425KT exactly as the D425KTW does have -LVDS. According to Intel's documentation, the D410PTL and D410PLTW -don't. - -Signed-off-by: Rob Pearce -Cc: stable@vger.kernel.org -[danvet: Pimp commit message to my liking and add cc: stable.] -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/intel_lvds.c | 16 ++++++++++++++++ - 1 file changed, 16 insertions(+) - -diff --git a/drivers/gpu/drm/i915/intel_lvds.c b/drivers/gpu/drm/i915/intel_lvds.c -index 61348ea..44533dd 100644 ---- a/drivers/gpu/drm/i915/intel_lvds.c -+++ b/drivers/gpu/drm/i915/intel_lvds.c -@@ -696,6 +696,22 @@ static const struct dmi_system_id intel_no_lvds[] = { - }, - { - .callback = intel_no_lvds_dmi_callback, -+ .ident = "Intel D410PT", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), -+ DMI_MATCH(DMI_BOARD_NAME, "D410PT"), -+ }, -+ }, -+ { -+ .callback = intel_no_lvds_dmi_callback, -+ .ident = "Intel D425KT", -+ .matches = { -+ DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), -+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "D425KT"), -+ }, -+ }, -+ { -+ .callback = intel_no_lvds_dmi_callback, - .ident = "Intel D510MO", - .matches = { - DMI_MATCH(DMI_BOARD_VENDOR, "Intel"), --- -1.8.3.1 - - -From 239319357b4a2d085e5f5c27b46aab5f612c5036 Mon Sep 17 00:00:00 2001 -From: Daniel Vetter -Date: Tue, 29 Oct 2013 12:04:08 +0100 -Subject: [PATCH 5/5] drm/i915: Fix the PPT fdi lane bifurcate state handling - on ivb -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Originally I've thought that this is leftover hw state dirt from the -BIOS. But after way too much helpless flailing around on my part I've -noticed that the actual bug is when we change the state of an already -active pipe. - -For example when we change the fdi lines from 2 to 3 without switching -off outputs in-between we'll never see the crucial on->off transition -in the ->modeset_global_resources hook the current logic relies on. - -Patch version 2 got this right by instead also checking whether the -pipe is indeed active. But that in turn broke things when pipes have -been turned off through dpms since the bifurcate enabling is done in -the ->crtc_mode_set callback. - -To address this issues discussed with Ville in the patch review move -the setting of the bifurcate bit into the ->crtc_enable hook. That way -we won't wreak havoc with this state when userspace puts all other -outputs into dpms off state. This also moves us forward with our -overall goal to unify the modeset and dpms on paths (which we need to -have to allow runtime pm in the dpms off state). - -Unfortunately this requires us to move the bifurcate helpers around a -bit. - -Also update the commit message, I've misanalyzed the bug rather badly. - -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=70507 -Tested-by: Jan-Michael Brummer -Cc: stable@vger.kernel.org -Cc: Ville Syrjälä -Reviewed-by: Ville Syrjälä -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/intel_display.c | 95 ++++++++++++++++++------------------ - 1 file changed, 48 insertions(+), 47 deletions(-) - -diff --git a/drivers/gpu/drm/i915/intel_display.c b/drivers/gpu/drm/i915/intel_display.c -index 4aaccd3..ad2a258 100644 ---- a/drivers/gpu/drm/i915/intel_display.c -+++ b/drivers/gpu/drm/i915/intel_display.c -@@ -2251,9 +2251,10 @@ static void intel_fdi_normal_train(struct drm_crtc *crtc) - FDI_FE_ERRC_ENABLE); - } - --static bool pipe_has_enabled_pch(struct intel_crtc *intel_crtc) -+static bool pipe_has_enabled_pch(struct intel_crtc *crtc) - { -- return intel_crtc->base.enabled && intel_crtc->config.has_pch_encoder; -+ return crtc->base.enabled && crtc->active && -+ crtc->config.has_pch_encoder; - } - - static void ivb_modeset_global_resources(struct drm_device *dev) -@@ -2901,6 +2902,48 @@ static void ironlake_pch_transcoder_set_timings(struct intel_crtc *crtc, - I915_READ(VSYNCSHIFT(cpu_transcoder))); - } - -+static void cpt_enable_fdi_bc_bifurcation(struct drm_device *dev) -+{ -+ struct drm_i915_private *dev_priv = dev->dev_private; -+ uint32_t temp; -+ -+ temp = I915_READ(SOUTH_CHICKEN1); -+ if (temp & FDI_BC_BIFURCATION_SELECT) -+ return; -+ -+ WARN_ON(I915_READ(FDI_RX_CTL(PIPE_B)) & FDI_RX_ENABLE); -+ WARN_ON(I915_READ(FDI_RX_CTL(PIPE_C)) & FDI_RX_ENABLE); -+ -+ temp |= FDI_BC_BIFURCATION_SELECT; -+ DRM_DEBUG_KMS("enabling fdi C rx\n"); -+ I915_WRITE(SOUTH_CHICKEN1, temp); -+ POSTING_READ(SOUTH_CHICKEN1); -+} -+ -+static void ivybridge_update_fdi_bc_bifurcation(struct intel_crtc *intel_crtc) -+{ -+ struct drm_device *dev = intel_crtc->base.dev; -+ struct drm_i915_private *dev_priv = dev->dev_private; -+ -+ switch (intel_crtc->pipe) { -+ case PIPE_A: -+ break; -+ case PIPE_B: -+ if (intel_crtc->config.fdi_lanes > 2) -+ WARN_ON(I915_READ(SOUTH_CHICKEN1) & FDI_BC_BIFURCATION_SELECT); -+ else -+ cpt_enable_fdi_bc_bifurcation(dev); -+ -+ break; -+ case PIPE_C: -+ cpt_enable_fdi_bc_bifurcation(dev); -+ -+ break; -+ default: -+ BUG(); -+ } -+} -+ - /* - * Enable PCH resources required for PCH ports: - * - PCH PLLs -@@ -2919,6 +2962,9 @@ static void ironlake_pch_enable(struct drm_crtc *crtc) - - assert_pch_transcoder_disabled(dev_priv, pipe); - -+ if (IS_IVYBRIDGE(dev)) -+ ivybridge_update_fdi_bc_bifurcation(intel_crtc); -+ - /* Write the TU size bits before fdi link training, so that error - * detection works. */ - I915_WRITE(FDI_RX_TUSIZE1(pipe), -@@ -5512,48 +5558,6 @@ static bool ironlake_compute_clocks(struct drm_crtc *crtc, - return true; - } - --static void cpt_enable_fdi_bc_bifurcation(struct drm_device *dev) --{ -- struct drm_i915_private *dev_priv = dev->dev_private; -- uint32_t temp; -- -- temp = I915_READ(SOUTH_CHICKEN1); -- if (temp & FDI_BC_BIFURCATION_SELECT) -- return; -- -- WARN_ON(I915_READ(FDI_RX_CTL(PIPE_B)) & FDI_RX_ENABLE); -- WARN_ON(I915_READ(FDI_RX_CTL(PIPE_C)) & FDI_RX_ENABLE); -- -- temp |= FDI_BC_BIFURCATION_SELECT; -- DRM_DEBUG_KMS("enabling fdi C rx\n"); -- I915_WRITE(SOUTH_CHICKEN1, temp); -- POSTING_READ(SOUTH_CHICKEN1); --} -- --static void ivybridge_update_fdi_bc_bifurcation(struct intel_crtc *intel_crtc) --{ -- struct drm_device *dev = intel_crtc->base.dev; -- struct drm_i915_private *dev_priv = dev->dev_private; -- -- switch (intel_crtc->pipe) { -- case PIPE_A: -- break; -- case PIPE_B: -- if (intel_crtc->config.fdi_lanes > 2) -- WARN_ON(I915_READ(SOUTH_CHICKEN1) & FDI_BC_BIFURCATION_SELECT); -- else -- cpt_enable_fdi_bc_bifurcation(dev); -- -- break; -- case PIPE_C: -- cpt_enable_fdi_bc_bifurcation(dev); -- -- break; -- default: -- BUG(); -- } --} -- - int ironlake_get_lanes_required(int target_clock, int link_bw, int bpp) - { - /* -@@ -5768,9 +5772,6 @@ static int ironlake_crtc_mode_set(struct drm_crtc *crtc, - &intel_crtc->config.fdi_m_n); - } - -- if (IS_IVYBRIDGE(dev)) -- ivybridge_update_fdi_bc_bifurcation(intel_crtc); -- - ironlake_set_pipeconf(crtc); - - /* Set up the display plane register */ --- -1.8.3.1 - diff --git a/kernel.spec b/kernel.spec index 18b9df260..da1310dbd 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 7 +%define stable_update 8 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -732,9 +732,6 @@ Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch -#rhbz 1010431 -Patch25108: Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch - #rhbz 971893 Patch25109: bonding-driver-alb-learning.patch @@ -773,9 +770,6 @@ Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch #rhbz 984696 Patch25132: rt2800usb-slow-down-TX-status-polling.patch -#rhbz 1015558 -Patch25133: fix-buslogic.patch - #rhbz 1023413 Patch25135: alps-Support-for-Dell-XT2-model.patch @@ -788,10 +782,6 @@ Patch25138: intel-3.12-stable-fixes.patch #CVE-2013-4348 rhbz 1007939 1025647 Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch -#rhbz 1010603 -Patch25140: 0001-Revert-epoll-use-freezable-blocking-call.patch -Patch25141: 0001-Revert-select-use-freezable-blocking-call.patch - #rhbz 1025769 Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -1479,9 +1469,6 @@ ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch -#rhbz 1010431 -ApplyPatch Revert-rt2x00pci-Use-PCI-MSIs-whenever-possible.patch - #rhbz 971893 ApplyPatch bonding-driver-alb-learning.patch @@ -1520,9 +1507,6 @@ ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch #rhbz 984696 ApplyPatch rt2800usb-slow-down-TX-status-polling.patch -#rhbz 1015558 -ApplyPatch fix-buslogic.patch - #rhbz 1023413 ApplyPatch alps-Support-for-Dell-XT2-model.patch @@ -1535,10 +1519,6 @@ ApplyPatch intel-3.12-stable-fixes.patch #CVE-2013-4348 rhbz 1007939 1025647 ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch -#rhbz 1010603 -ApplyPatch 0001-Revert-epoll-use-freezable-blocking-call.patch -ApplyPatch 0001-Revert-select-use-freezable-blocking-call.patch - #rhbz 1025769 ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -2358,6 +2338,9 @@ fi # and build. %changelog +* Wed Nov 13 2013 Justin M. Forbes - 3.11.8-200 +- Linux v3.11.8 + * Sat Nov 09 2013 Josh Boyer - Add patch from Daniel Stone to avoid high order allocations in evdev - Add qxl backport fixes from Dave Airlie diff --git a/sources b/sources index 585450e45..4a8174344 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -42361474ed56948d8f52e72958b2cdf0 patch-3.11.7.xz +e6c14ecc86eab4cfaf498ba3c70b3f04 patch-3.11.8.xz From 67ce21f87516f12b26b6898fc625fa7d8820072c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 14 Nov 2013 14:32:25 -0500 Subject: [PATCH 262/468] CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017) --- ...oom-calculation-in-udp6_ufo_fragment.patch | 43 +++++++++++++++++++ kernel.spec | 9 ++++ 2 files changed, 52 insertions(+) create mode 100644 ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch diff --git a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch new file mode 100644 index 000000000..2b030387b --- /dev/null +++ b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch @@ -0,0 +1,43 @@ +Bugzilla: 1030015 1030017 +Upstream-status: 3.13 + +From aeb45260747b0a1bf4d374d5e65298cc254cb4f5 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Tue, 5 Nov 2013 02:41:27 +0100 +Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment + +Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp +fragmentation for tunnel traffic.") changed the calculation if +there is enough space to include a fragment header in the skb from a +skb->mac_header dervived one to skb_headroom. Because we already peeled +off the skb to transport_header this is wrong. Change this back to check +if we have enough room before the mac_header. + +This fixes a panic Saran Neti reported. He used the tbf scheduler which +skb_gso_segments the skb. The offsets get negative and we panic in memcpy +because the skb was erroneously not expanded at the head. + +Reported-by: Saran Neti +Cc: Pravin B Shelar +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ipv6/udp_offload.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c +index 5d1b8d7..657914b 100644 +--- a/net/ipv6/udp_offload.c ++++ b/net/ipv6/udp_offload.c +@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, + + /* Check if there is enough headroom to insert fragment header. */ + tnl_hlen = skb_tnl_header_len(skb); +- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) { ++ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) { + if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz)) + goto out; + } +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index da1310dbd..d09c246bc 100644 --- a/kernel.spec +++ b/kernel.spec @@ -789,6 +789,9 @@ Patch25143: drm-qxl-backport-fixes-for-Fedora.patch Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch +#CVE-2013-4563 rhbz 1030015 1030017 +Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch + # END OF PATCH DEFINITIONS %endif @@ -1526,6 +1529,9 @@ ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch +#CVE-2013-4563 rhbz 1030015 1030017 +ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch + # END OF PATCH APPLICATIONS %endif @@ -2338,6 +2344,9 @@ fi # and build. %changelog +* Thu Nov 14 2013 Josh Boyer +- CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017) + * Wed Nov 13 2013 Justin M. Forbes - 3.11.8-200 - Linux v3.11.8 From 09060dc6a412628a5a150dcdade0ac57b2f18c1a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 10:47:47 -0500 Subject: [PATCH 263/468] Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) --- ...ent-outgoing-reassembled-skb-properl.patch | 39 ++ ...easm-skb-through-instead-of-original.patch | 499 ++++++++++++++++++ kernel.spec | 11 + 3 files changed, 549 insertions(+) create mode 100644 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch create mode 100644 0002-netfilter-push-reasm-skb-through-instead-of-original.patch diff --git a/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch b/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch new file mode 100644 index 000000000..a19217d12 --- /dev/null +++ b/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch @@ -0,0 +1,39 @@ +Bugzilla: 1015905 +Upstream-status: 3.13 (should hit stable) + +From 90e4e23d52fd04f228eed2c3d341136c50058b37 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Wed, 6 Nov 2013 17:52:19 +0100 +Subject: [PATCH 1/2] ip6_output: fragment outgoing reassembled skb properly + +If reassembled packet would fit into outdev MTU, it is not fragmented +according the original frag size and it is send as single big packet. + +The second case is if skb is gso. In that case fragmentation does not happen +according to the original frag size. + +This patch fixes these. + +Signed-off-by: Jiri Pirko +Signed-off-by: David S. Miller +--- + net/ipv6/ip6_output.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 5b25f85..f80f2fa 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -150,7 +150,8 @@ static int ip6_finish_output2(struct sk_buff *skb) + static int ip6_finish_output(struct sk_buff *skb) + { + if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || +- dst_allfrag(skb_dst(skb))) ++ dst_allfrag(skb_dst(skb)) || ++ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size)) + return ip6_fragment(skb, ip6_finish_output2); + else + return ip6_finish_output2(skb); +-- +1.8.3.1 + diff --git a/0002-netfilter-push-reasm-skb-through-instead-of-original.patch b/0002-netfilter-push-reasm-skb-through-instead-of-original.patch new file mode 100644 index 000000000..27fee5173 --- /dev/null +++ b/0002-netfilter-push-reasm-skb-through-instead-of-original.patch @@ -0,0 +1,499 @@ +Bugzilla: 1015905 +Upstream-status: 3.13 (should hit stable) + +From 5c0df04613dd39fba5d2a43eaf90a2dc1dcd8899 Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Wed, 6 Nov 2013 17:52:20 +0100 +Subject: [PATCH 2/2] netfilter: push reasm skb through instead of original + frag skbs + +Pushing original fragments through causes several problems. For example +for matching, frags may not be matched correctly. Take following +example: + + +On HOSTA do: +ip6tables -I INPUT -p icmpv6 -j DROP +ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT + +and on HOSTB you do: +ping6 HOSTA -s2000 (MTU is 1500) + +Incoming echo requests will be filtered out on HOSTA. This issue does +not occur with smaller packets than MTU (where fragmentation does not happen) + + +As was discussed previously, the only correct solution seems to be to use +reassembled skb instead of separete frags. Doing this has positive side +effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams +dances in ipvs and conntrack can be removed. + +Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c +entirely and use code in net/ipv6/reassembly.c instead. + +Signed-off-by: Jiri Pirko +Acked-by: Julian Anastasov +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: David S. Miller + +Conflicts: + include/net/netfilter/ipv6/nf_defrag_ipv6.h + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c + net/netfilter/ipvs/ip_vs_core.c +--- + include/linux/skbuff.h | 32 --------------- + include/net/ip_vs.h | 32 +-------------- + include/net/netfilter/ipv6/nf_defrag_ipv6.h | 5 +-- + net/core/skbuff.c | 3 -- + net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +------------------------ + net/ipv6/netfilter/nf_conntrack_reasm.c | 19 +-------- + net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 7 +++- + net/netfilter/ipvs/ip_vs_core.c | 55 +------------------------- + net/netfilter/ipvs/ip_vs_pe_sip.c | 8 +--- + 9 files changed, 13 insertions(+), 202 deletions(-) + +diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h +index 6bd165b..37b4517 100644 +--- a/include/linux/skbuff.h ++++ b/include/linux/skbuff.h +@@ -333,11 +333,6 @@ typedef unsigned int sk_buff_data_t; + typedef unsigned char *sk_buff_data_t; + #endif + +-#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \ +- defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) +-#define NET_SKBUFF_NF_DEFRAG_NEEDED 1 +-#endif +- + /** + * struct sk_buff - socket buffer + * @next: Next buffer in list +@@ -370,7 +365,6 @@ typedef unsigned char *sk_buff_data_t; + * @protocol: Packet protocol from driver + * @destructor: Destruct function + * @nfct: Associated connection, if any +- * @nfct_reasm: netfilter conntrack re-assembly pointer + * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c + * @skb_iif: ifindex of device we arrived on + * @tc_index: Traffic control index +@@ -459,9 +453,6 @@ struct sk_buff { + #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) + struct nf_conntrack *nfct; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- struct sk_buff *nfct_reasm; +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + struct nf_bridge_info *nf_bridge; + #endif +@@ -2603,18 +2594,6 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct) + atomic_inc(&nfct->use); + } + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +-static inline void nf_conntrack_get_reasm(struct sk_buff *skb) +-{ +- if (skb) +- atomic_inc(&skb->users); +-} +-static inline void nf_conntrack_put_reasm(struct sk_buff *skb) +-{ +- if (skb) +- kfree_skb(skb); +-} +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge) + { +@@ -2633,10 +2612,6 @@ static inline void nf_reset(struct sk_buff *skb) + nf_conntrack_put(skb->nfct); + skb->nfct = NULL; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(skb->nfct_reasm); +- skb->nfct_reasm = NULL; +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(skb->nf_bridge); + skb->nf_bridge = NULL; +@@ -2658,10 +2633,6 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) + nf_conntrack_get(src->nfct); + dst->nfctinfo = src->nfctinfo; + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- dst->nfct_reasm = src->nfct_reasm; +- nf_conntrack_get_reasm(src->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + dst->nf_bridge = src->nf_bridge; + nf_bridge_get(src->nf_bridge); +@@ -2673,9 +2644,6 @@ static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src) + #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) + nf_conntrack_put(dst->nfct); + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(dst->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(dst->nf_bridge); + #endif +diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h +index f0d70f0..ff21521 100644 +--- a/include/net/ip_vs.h ++++ b/include/net/ip_vs.h +@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size; + struct ip_vs_iphdr { + __u32 len; /* IPv4 simply where L4 starts + IPv6 where L4 Transport Header starts */ +- __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */ + __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/ + __s16 protocol; + __s32 flags; +@@ -117,34 +116,12 @@ struct ip_vs_iphdr { + union nf_inet_addr daddr; + }; + +-/* Dependency to module: nf_defrag_ipv6 */ +-#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) +-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) +-{ +- return skb->nfct_reasm; +-} +-static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, +- int len, void *buffer, +- const struct ip_vs_iphdr *ipvsh) +-{ +- if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb))) +- return skb_header_pointer(skb_nfct_reasm(skb), +- ipvsh->thoff_reasm, len, buffer); +- +- return skb_header_pointer(skb, offset, len, buffer); +-} +-#else +-static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) +-{ +- return NULL; +-} + static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, + int len, void *buffer, + const struct ip_vs_iphdr *ipvsh) + { + return skb_header_pointer(skb, offset, len, buffer); + } +-#endif + + static inline void + ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr) +@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr) + (struct ipv6hdr *)skb_network_header(skb); + iphdr->saddr.in6 = iph->saddr; + iphdr->daddr.in6 = iph->daddr; +- /* ipv6_find_hdr() updates len, flags, thoff_reasm */ +- iphdr->thoff_reasm = 0; ++ /* ipv6_find_hdr() updates len, flags */ + iphdr->len = 0; + iphdr->flags = 0; + iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1, + &iphdr->fragoffs, + &iphdr->flags); +- /* get proto from re-assembled packet and it's offset */ +- if (skb_nfct_reasm(skb)) +- iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb), +- &iphdr->thoff_reasm, +- -1, NULL, NULL); +- + } else + #endif + { +diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h +index fd79c9a..17920d8 100644 +--- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h ++++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h +@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void); + extern int nf_ct_frag6_init(void); + extern void nf_ct_frag6_cleanup(void); + extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); +-extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, +- struct net_device *in, +- struct net_device *out, +- int (*okfn)(struct sk_buff *)); ++extern void nf_ct_frag6_consume_orig(struct sk_buff *skb); + + struct inet_frags_ctl; + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 2c3d0f5..a75022e 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -580,9 +580,6 @@ static void skb_release_head_state(struct sk_buff *skb) + #if IS_ENABLED(CONFIG_NF_CONNTRACK) + nf_conntrack_put(skb->nfct); + #endif +-#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED +- nf_conntrack_put_reasm(skb->nfct_reasm); +-#endif + #ifdef CONFIG_BRIDGE_NETFILTER + nf_bridge_put(skb->nf_bridge); + #endif +diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +index c9b6a6e..97cd750 100644 +--- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c ++++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c +@@ -172,63 +172,13 @@ out: + return nf_conntrack_confirm(skb); + } + +-static unsigned int __ipv6_conntrack_in(struct net *net, +- unsigned int hooknum, +- struct sk_buff *skb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) +-{ +- struct sk_buff *reasm = skb->nfct_reasm; +- const struct nf_conn_help *help; +- struct nf_conn *ct; +- enum ip_conntrack_info ctinfo; +- +- /* This packet is fragmented and has reassembled packet. */ +- if (reasm) { +- /* Reassembled packet isn't parsed yet ? */ +- if (!reasm->nfct) { +- unsigned int ret; +- +- ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm); +- if (ret != NF_ACCEPT) +- return ret; +- } +- +- /* Conntrack helpers need the entire reassembled packet in the +- * POST_ROUTING hook. In case of unconfirmed connections NAT +- * might reassign a helper, so the entire packet is also +- * required. +- */ +- ct = nf_ct_get(reasm, &ctinfo); +- if (ct != NULL && !nf_ct_is_untracked(ct)) { +- help = nfct_help(ct); +- if ((help && help->helper) || !nf_ct_is_confirmed(ct)) { +- nf_conntrack_get_reasm(reasm); +- NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, +- (struct net_device *)in, +- (struct net_device *)out, +- okfn, NF_IP6_PRI_CONNTRACK + 1); +- return NF_DROP_ERR(-ECANCELED); +- } +- } +- +- nf_conntrack_get(reasm->nfct); +- skb->nfct = reasm->nfct; +- skb->nfctinfo = reasm->nfctinfo; +- return NF_ACCEPT; +- } +- +- return nf_conntrack_in(net, PF_INET6, hooknum, skb); +-} +- + static unsigned int ipv6_conntrack_in(unsigned int hooknum, + struct sk_buff *skb, + const struct net_device *in, + const struct net_device *out, + int (*okfn)(struct sk_buff *)) + { +- return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn); ++ return nf_conntrack_in(dev_net(in), PF_INET6, hooknum, skb); + } + + static unsigned int ipv6_conntrack_local(unsigned int hooknum, +@@ -242,7 +192,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum, + net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); + return NF_ACCEPT; + } +- return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn); ++ return nf_conntrack_in(dev_net(out), PF_INET6, hooknum, skb); + } + + static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { +diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c +index dffdc1a..253566a 100644 +--- a/net/ipv6/netfilter/nf_conntrack_reasm.c ++++ b/net/ipv6/netfilter/nf_conntrack_reasm.c +@@ -621,31 +621,16 @@ ret_orig: + return skb; + } + +-void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, +- struct net_device *in, struct net_device *out, +- int (*okfn)(struct sk_buff *)) ++void nf_ct_frag6_consume_orig(struct sk_buff *skb) + { + struct sk_buff *s, *s2; +- unsigned int ret = 0; + + for (s = NFCT_FRAG6_CB(skb)->orig; s;) { +- nf_conntrack_put_reasm(s->nfct_reasm); +- nf_conntrack_get_reasm(skb); +- s->nfct_reasm = skb; +- + s2 = s->next; + s->next = NULL; +- +- if (ret != -ECANCELED) +- ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, +- in, out, okfn, +- NF_IP6_PRI_CONNTRACK_DEFRAG + 1); +- else +- kfree_skb(s); +- ++ consume_skb(s); + s = s2; + } +- nf_conntrack_put_reasm(skb); + } + + static int nf_ct_net_init(struct net *net) +diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +index aacd121..581dd9e 100644 +--- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c ++++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c +@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(unsigned int hooknum, + if (reasm == skb) + return NF_ACCEPT; + +- nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in, +- (struct net_device *)out, okfn); ++ nf_ct_frag6_consume_orig(reasm); ++ ++ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, ++ (struct net_device *) in, (struct net_device *) out, ++ okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); + + return NF_STOLEN; + } +diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c +index 4f69e83..1517b50 100644 +--- a/net/netfilter/ipvs/ip_vs_core.c ++++ b/net/netfilter/ipvs/ip_vs_core.c +@@ -1131,12 +1131,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) + ip_vs_fill_iph_skb(af, skb, &iph); + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (!iph.fragoffs && skb_nfct_reasm(skb)) { +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- /* Save fw mark for coming frags */ +- reasm->ipvs_property = 1; +- reasm->mark = skb->mark; +- } + if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { + int related; + int verdict = ip_vs_out_icmp_v6(skb, &related, +@@ -1606,12 +1600,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) + + #ifdef CONFIG_IP_VS_IPV6 + if (af == AF_INET6) { +- if (!iph.fragoffs && skb_nfct_reasm(skb)) { +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- /* Save fw mark for coming frags. */ +- reasm->ipvs_property = 1; +- reasm->mark = skb->mark; +- } + if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { + int related; + int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum, +@@ -1663,9 +1651,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) + /* sorry, all this trouble for a no-hit :) */ + IP_VS_DBG_PKT(12, af, pp, skb, 0, + "ip_vs_in: packet continues traversal as normal"); +- if (iph.fragoffs && !skb_nfct_reasm(skb)) { ++ if (iph.fragoffs) { + /* Fragment that couldn't be mapped to a conn entry +- * and don't have any pointer to a reasm skb + * is missing module nf_defrag_ipv6 + */ + IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); +@@ -1748,38 +1735,6 @@ ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, + #ifdef CONFIG_IP_VS_IPV6 + + /* +- * AF_INET6 fragment handling +- * Copy info from first fragment, to the rest of them. +- */ +-static unsigned int +-ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb, +- const struct net_device *in, +- const struct net_device *out, +- int (*okfn)(struct sk_buff *)) +-{ +- struct sk_buff *reasm = skb_nfct_reasm(skb); +- struct net *net; +- +- /* Skip if not a "replay" from nf_ct_frag6_output or first fragment. +- * ipvs_property is set when checking first fragment +- * in ip_vs_in() and ip_vs_out(). +- */ +- if (reasm) +- IP_VS_DBG(2, "Fragment recv prop:%d\n", reasm->ipvs_property); +- if (!reasm || !reasm->ipvs_property) +- return NF_ACCEPT; +- +- net = skb_net(skb); +- if (!net_ipvs(net)->enable) +- return NF_ACCEPT; +- +- /* Copy stored fw mark, saved in ip_vs_{in,out} */ +- skb->mark = reasm->mark; +- +- return NF_ACCEPT; +-} +- +-/* + * AF_INET6 handler in NF_INET_LOCAL_IN chain + * Schedule and forward packets from remote clients + */ +@@ -1916,14 +1871,6 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = { + .priority = 100, + }, + #ifdef CONFIG_IP_VS_IPV6 +- /* After mangle & nat fetch 2:nd fragment and following */ +- { +- .hook = ip_vs_preroute_frag6, +- .owner = THIS_MODULE, +- .pf = NFPROTO_IPV6, +- .hooknum = NF_INET_PRE_ROUTING, +- .priority = NF_IP6_PRI_NAT_DST + 1, +- }, + /* After packet filtering, change source only for VS/NAT */ + { + .hook = ip_vs_reply6, +diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c +index 9ef22bd..bed5f70 100644 +--- a/net/netfilter/ipvs/ip_vs_pe_sip.c ++++ b/net/netfilter/ipvs/ip_vs_pe_sip.c +@@ -65,7 +65,6 @@ static int get_callid(const char *dptr, unsigned int dataoff, + static int + ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + { +- struct sk_buff *reasm = skb_nfct_reasm(skb); + struct ip_vs_iphdr iph; + unsigned int dataoff, datalen, matchoff, matchlen; + const char *dptr; +@@ -79,15 +78,10 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) + /* todo: IPv6 fragments: + * I think this only should be done for the first fragment. /HS + */ +- if (reasm) { +- skb = reasm; +- dataoff = iph.thoff_reasm + sizeof(struct udphdr); +- } else +- dataoff = iph.len + sizeof(struct udphdr); ++ dataoff = iph.len + sizeof(struct udphdr); + + if (dataoff >= skb->len) + return -EINVAL; +- /* todo: Check if this will mess-up the reasm skb !!! /HS */ + retc = skb_linearize(skb); + if (retc < 0) + return retc; +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index d09c246bc..b3f8acb92 100644 --- a/kernel.spec +++ b/kernel.spec @@ -792,6 +792,10 @@ Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch #CVE-2013-4563 rhbz 1030015 1030017 Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch +#rhbz 1015905 +Patch25146: 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch +Patch25147: 0002-netfilter-push-reasm-skb-through-instead-of-original.patch + # END OF PATCH DEFINITIONS %endif @@ -1532,6 +1536,10 @@ ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch #CVE-2013-4563 rhbz 1030015 1030017 ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch +#rhbz 1015905 +ApplyPatch 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch +ApplyPatch 0002-netfilter-push-reasm-skb-through-instead-of-original.patch + # END OF PATCH APPLICATIONS %endif @@ -2344,6 +2352,9 @@ fi # and build. %changelog +* Mon Nov 18 2013 Josh Boyer +- Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) + * Thu Nov 14 2013 Josh Boyer - CVE-2013-4563: net: large udp packet over IPv6 over UFO-enabled device with TBF qdisc panic (rhbz 1030015 1030017) From 0b654a623c48d130e2501985ca262994bfa0a472 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 10:55:44 -0500 Subject: [PATCH 264/468] Add patch to fix ALX phy issues after resume (rhbz 1011362) --- alx-Reset-phy-speed-after-resume.patch | 33 ++++++++++++++++++++++++++ kernel.spec | 7 ++++++ 2 files changed, 40 insertions(+) create mode 100644 alx-Reset-phy-speed-after-resume.patch diff --git a/alx-Reset-phy-speed-after-resume.patch b/alx-Reset-phy-speed-after-resume.patch new file mode 100644 index 000000000..3af169f78 --- /dev/null +++ b/alx-Reset-phy-speed-after-resume.patch @@ -0,0 +1,33 @@ +Bugzilla: 1011362 +Upstream-status: queued for 3.13 + +From b54629e226d196e802abdd30c5e34f2a47cddcf2 Mon Sep 17 00:00:00 2001 +From: hahnjo +Date: Tue, 12 Nov 2013 17:19:24 +0000 +Subject: alx: Reset phy speed after resume + +This fixes bug 62491 (https://bugzilla.kernel.org/show_bug.cgi?id=62491). +After resuming some users got the following error flooding the kernel log: +alx 0000:02:00.0: invalid PHY speed/duplex: 0xffff + +Signed-off-by: Jonas Hahnfeld +Signed-off-by: David S. Miller +--- +(limited to 'drivers/net/ethernet/atheros/alx') + +diff --git a/drivers/net/ethernet/atheros/alx/main.c b/drivers/net/ethernet/atheros/alx/main.c +index 5aa5e81..c3c4c26 100644 +--- a/drivers/net/ethernet/atheros/alx/main.c ++++ b/drivers/net/ethernet/atheros/alx/main.c +@@ -1388,6 +1388,9 @@ static int alx_resume(struct device *dev) + { + struct pci_dev *pdev = to_pci_dev(dev); + struct alx_priv *alx = pci_get_drvdata(pdev); ++ struct alx_hw *hw = &alx->hw; ++ ++ alx_reset_phy(hw); + + if (!netif_running(alx->dev)) + return 0; +-- +cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index b3f8acb92..970d07a55 100644 --- a/kernel.spec +++ b/kernel.spec @@ -796,6 +796,9 @@ Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch Patch25146: 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch Patch25147: 0002-netfilter-push-reasm-skb-through-instead-of-original.patch +#rhbz 1011362 +Patch25148: alx-Reset-phy-speed-after-resume.patch + # END OF PATCH DEFINITIONS %endif @@ -1540,6 +1543,9 @@ ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch ApplyPatch 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch ApplyPatch 0002-netfilter-push-reasm-skb-through-instead-of-original.patch +#rhbz 1011362 +ApplyPatch alx-Reset-phy-speed-after-resume.patch + # END OF PATCH APPLICATIONS %endif @@ -2353,6 +2359,7 @@ fi %changelog * Mon Nov 18 2013 Josh Boyer +- Add patch to fix ALX phy issues after resume (rhbz 1011362) - Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) * Thu Nov 14 2013 Josh Boyer From 59378ff2dd4437c6a44438860c58e466ebc207ab Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 11:25:28 -0500 Subject: [PATCH 265/468] Add patches from Pierre Ossman to fix 24Hz/24p radeon audio (rhbz 1010679) --- drm-radeon-24hz-audio-fixes.patch | 170 ++++++++++++++++++++++++++++++ kernel.spec | 3 + 2 files changed, 173 insertions(+) create mode 100644 drm-radeon-24hz-audio-fixes.patch diff --git a/drm-radeon-24hz-audio-fixes.patch b/drm-radeon-24hz-audio-fixes.patch new file mode 100644 index 000000000..b2ecf9332 --- /dev/null +++ b/drm-radeon-24hz-audio-fixes.patch @@ -0,0 +1,170 @@ +From 908171aa738b5bbcc6241cec46f73fcd57dd00d4 Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Wed, 6 Nov 2013 20:00:32 +0100 +Subject: [PATCH 1/2] drm/radeon/audio: correct ACR table + +The values were taken from the HDMI spec, but they assumed +exact x/1.001 clocks. Since we round the clocks, we also need +to calculate different N and CTS values. + +Note that the N for 25.2/1.001 MHz at 44.1 kHz audio is out of +spec. Hopefully this mode is rarely used and/or HDMI sinks +tolerate overly large values of N. + +bug: +https://bugs.freedesktop.org/show_bug.cgi?id=69675 + +Signed-off-by: Pierre Ossman +Signed-off-by: Alex Deucher +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index 4140fe8..e8ca095 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -57,15 +57,15 @@ enum r600_hdmi_iec_status_bits { + static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { + /* 32kHz 44.1kHz 48kHz */ + /* Clock N CTS N CTS N CTS */ +- { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ ++ { 25175, 4096, 25175, 28224, 125875, 6144, 25175 }, /* 25,20/1.001 MHz */ + { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */ + { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */ + { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */ + { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */ + { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */ +- { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ ++ { 74176, 4096, 74176, 5733, 75335, 6144, 74176 }, /* 74.25/1.001 MHz */ + { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ +- { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ ++ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */ + { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ + { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ + }; +-- +1.8.3.1 + + +From 05e4776357fe7217e531cbaaa163e24f688d10ce Mon Sep 17 00:00:00 2001 +From: Pierre Ossman +Date: Wed, 6 Nov 2013 20:09:08 +0100 +Subject: [PATCH 2/2] drm/radeon/audio: improve ACR calculation + +In order to have any realistic chance of calculating proper +ACR values, we need to be able to calculate both N and CTS, +not just CTS. We still aim for the ideal N as specified in +the HDMI spec though. + +bug: +https://bugs.freedesktop.org/show_bug.cgi?id=69675 + +Signed-off-by: Pierre Ossman +Signed-off-by: Alex Deucher +--- + drivers/gpu/drm/radeon/r600_hdmi.c | 68 ++++++++++++++++++++++++++------------ + 1 file changed, 46 insertions(+), 22 deletions(-) + +diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c +index e8ca095..92c6df7 100644 +--- a/drivers/gpu/drm/radeon/r600_hdmi.c ++++ b/drivers/gpu/drm/radeon/r600_hdmi.c +@@ -24,6 +24,7 @@ + * Authors: Christian König + */ + #include ++#include + #include + #include + #include "radeon.h" +@@ -67,25 +68,47 @@ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { + { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ + { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */ + { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ +- { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ + }; + ++ + /* +- * calculate CTS value if it's not found in the table ++ * calculate CTS and N values if they are not found in the table + */ +-static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq) ++static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int *N, int freq) + { +- u64 n; +- u32 d; +- +- if (*CTS == 0) { +- n = (u64)clock * (u64)N * 1000ULL; +- d = 128 * freq; +- do_div(n, d); +- *CTS = n; +- } +- DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n", +- N, *CTS, freq); ++ int n, cts; ++ unsigned long div, mul; ++ ++ /* Safe, but overly large values */ ++ n = 128 * freq; ++ cts = clock * 1000; ++ ++ /* Smallest valid fraction */ ++ div = gcd(n, cts); ++ ++ n /= div; ++ cts /= div; ++ ++ /* ++ * The optimal N is 128*freq/1000. Calculate the closest larger ++ * value that doesn't truncate any bits. ++ */ ++ mul = ((128*freq/1000) + (n-1))/n; ++ ++ n *= mul; ++ cts *= mul; ++ ++ /* Check that we are in spec (not always possible) */ ++ if (n < (128*freq/1500)) ++ printk(KERN_WARNING "Calculated ACR N value is too small. You may experience audio problems.\n"); ++ if (n > (128*freq/300)) ++ printk(KERN_WARNING "Calculated ACR N value is too large. You may experience audio problems.\n"); ++ ++ *N = n; ++ *CTS = cts; ++ ++ DRM_DEBUG("Calculated ACR timing N=%d CTS=%d for frequency %d\n", ++ *N, *CTS, freq); + } + + struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) +@@ -93,15 +116,16 @@ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) + struct radeon_hdmi_acr res; + u8 i; + +- for (i = 0; r600_hdmi_predefined_acr[i].clock != clock && +- r600_hdmi_predefined_acr[i].clock != 0; i++) +- ; +- res = r600_hdmi_predefined_acr[i]; ++ /* Precalculated values for common clocks */ ++ for (i = 0; i < ARRAY_SIZE(r600_hdmi_predefined_acr); i++) { ++ if (r600_hdmi_predefined_acr[i].clock == clock) ++ return r600_hdmi_predefined_acr[i]; ++ } + +- /* In case some CTS are missing */ +- r600_hdmi_calc_cts(clock, &res.cts_32khz, res.n_32khz, 32000); +- r600_hdmi_calc_cts(clock, &res.cts_44_1khz, res.n_44_1khz, 44100); +- r600_hdmi_calc_cts(clock, &res.cts_48khz, res.n_48khz, 48000); ++ /* And odd clocks get manually calculated */ ++ r600_hdmi_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000); ++ r600_hdmi_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100); ++ r600_hdmi_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000); + + return res; + } +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 970d07a55..ae11c4a81 100644 --- a/kernel.spec +++ b/kernel.spec @@ -763,6 +763,7 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 Patch25130: fix-radeon-sound.patch +Patch25149: drm-radeon-24hz-audio-fixes.patch #rhbz 1011714 Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch @@ -1510,6 +1511,7 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch #rhbz 1010679 ApplyPatch fix-radeon-sound.patch +ApplyPatch drm-radeon-24hz-audio-fixes.patch #rhbz 1011714 ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch @@ -2359,6 +2361,7 @@ fi %changelog * Mon Nov 18 2013 Josh Boyer +- Add patches from Pierre Ossman to fix 24Hz/24p radeon audio (rhbz 1010679) - Add patch to fix ALX phy issues after resume (rhbz 1011362) - Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) From 4c2b97b732cebd34c00296ab6265601d16ea2dd0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 11:37:26 -0500 Subject: [PATCH 266/468] Add patch to fix crash from slab when using md-raid mirrors (rhbz 1031086) --- kernel.spec | 7 ++ ...o-not-check-for-duplicate-slab-names.patch | 71 +++++++++++++++++++ 2 files changed, 78 insertions(+) create mode 100644 slab_common-Do-not-check-for-duplicate-slab-names.patch diff --git a/kernel.spec b/kernel.spec index ae11c4a81..581faf2b9 100644 --- a/kernel.spec +++ b/kernel.spec @@ -800,6 +800,9 @@ Patch25147: 0002-netfilter-push-reasm-skb-through-instead-of-original.patch #rhbz 1011362 Patch25148: alx-Reset-phy-speed-after-resume.patch +#rhbz 1031086 +Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch + # END OF PATCH DEFINITIONS %endif @@ -1548,6 +1551,9 @@ ApplyPatch 0002-netfilter-push-reasm-skb-through-instead-of-original.patch #rhbz 1011362 ApplyPatch alx-Reset-phy-speed-after-resume.patch +#rhbz 1031086 +ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch + # END OF PATCH APPLICATIONS %endif @@ -2361,6 +2367,7 @@ fi %changelog * Mon Nov 18 2013 Josh Boyer +- Add patch to fix crash from slab when using md-raid mirrors (rhbz 1031086) - Add patches from Pierre Ossman to fix 24Hz/24p radeon audio (rhbz 1010679) - Add patch to fix ALX phy issues after resume (rhbz 1011362) - Fix ipv6 sit panic with packet size > mtu (from Michele Baldessari) (rbhz 1015905) diff --git a/slab_common-Do-not-check-for-duplicate-slab-names.patch b/slab_common-Do-not-check-for-duplicate-slab-names.patch new file mode 100644 index 000000000..c99303cc0 --- /dev/null +++ b/slab_common-Do-not-check-for-duplicate-slab-names.patch @@ -0,0 +1,71 @@ +Bugzilla: 1031086 +Upstream-status: 3.12 + +From cd8fa0170867ce6e6e2d7edba1dc1a0b87485854 Mon Sep 17 00:00:00 2001 +From: Christoph Lameter +Date: Sat, 21 Sep 2013 21:56:34 +0000 +Subject: [PATCH] slab_common: Do not check for duplicate slab names + +SLUB can alias multiple slab kmem_create_requests to one slab cache to save +memory and increase the cache hotness. As a result the name of the slab can be +stale. Only check the name for duplicates if we are in debug mode where we do +not merge multiple caches. + +This fixes the following problem reported by Jonathan Brassow: + + The problem with kmem_cache* is this: + + *) Assume CONFIG_SLUB is set + 1) kmem_cache_create(name="foo-a") + - creates new kmem_cache structure + 2) kmem_cache_create(name="foo-b") + - If identical cache characteristics, it will be merged with the previously + created cache associated with "foo-a". The cache's refcount will be + incremented and an alias will be created via sysfs_slab_alias(). + 3) kmem_cache_destroy() + - Attempting to destroy cache associated with "foo-a", but instead the + refcount is simply decremented. I don't even think the sysfs aliases are + ever removed... + 4) kmem_cache_create(name="foo-a") + - This FAILS because kmem_cache_sanity_check colides with the existing + name ("foo-a") associated with the non-removed cache. + + This is a problem for RAID (specifically dm-raid) because the name used + for the kmem_cache_create is ("raid%d-%p", level, mddev). If the cache + persists for long enough, the memory address of an old mddev will be + reused for a new mddev - causing an identical formulation of the cache + name. Even though kmem_cache_destory had long ago been used to delete + the old cache, the merging of caches has cause the name and cache of that + old instance to be preserved and causes a colision (and thus failure) in + kmem_cache_create(). I see this regularly in my testing. + +Reported-by: Jonathan Brassow +Signed-off-by: Christoph Lameter +Signed-off-by: Pekka Enberg +--- + mm/slab_common.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/mm/slab_common.c b/mm/slab_common.c +index 538bade..d434771 100644 +--- a/mm/slab_common.c ++++ b/mm/slab_common.c +@@ -55,6 +55,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name, + continue; + } + ++#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON) + /* + * For simplicity, we won't check this in the list of memcg + * caches. We have control over memcg naming, and if there +@@ -68,6 +69,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name, + s = NULL; + return -EINVAL; + } ++#endif + } + + WARN_ON(strchr(name, ' ')); /* It confuses parsers */ +-- +1.8.3.1 + From 0daff1613e5930fa557a6001c3b1411defd29887 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 11:39:30 -0500 Subject: [PATCH 267/468] Add bugzilla/upstream-status notes to 24hz audio patch --- drm-radeon-24hz-audio-fixes.patch | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drm-radeon-24hz-audio-fixes.patch b/drm-radeon-24hz-audio-fixes.patch index b2ecf9332..4fd8341ed 100644 --- a/drm-radeon-24hz-audio-fixes.patch +++ b/drm-radeon-24hz-audio-fixes.patch @@ -1,3 +1,6 @@ +Bugzilla: 1010679 +Upstream-status: 3.13 + From 908171aa738b5bbcc6241cec46f73fcd57dd00d4 Mon Sep 17 00:00:00 2001 From: Pierre Ossman Date: Wed, 6 Nov 2013 20:00:32 +0100 From e1db685c44ac96d749c11c2295c8d43d7dd9e96a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 18 Nov 2013 14:19:27 -0500 Subject: [PATCH 268/468] Add patch to fix rhel5.9 KVM guests (rhbz 967652) --- KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch | 53 +++++++++++++++++++ kernel.spec | 7 +++ 2 files changed, 60 insertions(+) create mode 100644 KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch diff --git a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch b/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch new file mode 100644 index 000000000..65a48c349 --- /dev/null +++ b/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch @@ -0,0 +1,53 @@ +Bugzilla: 967652 +Upstream-status: 3.13 (should hit stable) + +From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001 +From: Paolo Bonzini +Date: Thu, 31 Oct 2013 23:05:24 +0100 +Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax" + +When I was looking at RHEL5.9's failure to start with +unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a +slightly older tree than kvm.git. I now debugged the remaining failure, +which was introduced by commit 660696d1 (KVM: X86 emulator: fix +source operand decoding for 8bit mov[zs]x instructions, 2013-04-24) +introduced a similar mis-emulation to the one in commit 8acb4207 (KVM: +fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect +decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand +is sil/dil/bpl/spl. + +Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression +prolog, just a handful of instructions before finally giving control to +the decompressed vmlinux and getting out of the invalid guest state. + +Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix +must be applied to OpMem8. + +Reported-by: Michele Baldessari +Cc: stable@vger.kernel.org +Cc: Gleb Natapov +Signed-off-by: Paolo Bonzini +Signed-off-by: Gleb Natapov +--- + arch/x86/kvm/emulate.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index 16c037e..282d28c 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, + case OpMem8: + ctxt->memop.bytes = 1; + if (ctxt->memop.type == OP_REG) { +- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1); ++ int highbyte_regs = ctxt->rex_prefix == 0; ++ ++ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, ++ highbyte_regs); + fetch_register_operand(&ctxt->memop); + } + goto mem_common; +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 581faf2b9..9b92f1065 100644 --- a/kernel.spec +++ b/kernel.spec @@ -803,6 +803,9 @@ Patch25148: alx-Reset-phy-speed-after-resume.patch #rhbz 1031086 Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch +#rhbz 967652 +Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch + # END OF PATCH DEFINITIONS %endif @@ -1554,6 +1557,9 @@ ApplyPatch alx-Reset-phy-speed-after-resume.patch #rhbz 1031086 ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch +#rhbz 967652 +ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch + # END OF PATCH APPLICATIONS %endif @@ -2367,6 +2373,7 @@ fi %changelog * Mon Nov 18 2013 Josh Boyer +- Add patch to fix rhel5.9 KVM guests (rhbz 967652) - Add patch to fix crash from slab when using md-raid mirrors (rhbz 1031086) - Add patches from Pierre Ossman to fix 24Hz/24p radeon audio (rhbz 1010679) - Add patch to fix ALX phy issues after resume (rhbz 1011362) From f48d5975b1a8c83d371738db06ea33cd2463ac0f Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 20 Nov 2013 16:00:22 -0500 Subject: [PATCH 269/468] Linux v3.11.9 --- intel-3.12-stable-fixes.patch | 86 ------------------- kernel.spec | 17 +--- net-flow_dissector-fail-on-evil-iph-ihl.patch | 82 ------------------ sources | 2 +- 4 files changed, 5 insertions(+), 182 deletions(-) delete mode 100644 intel-3.12-stable-fixes.patch delete mode 100644 net-flow_dissector-fail-on-evil-iph-ihl.patch diff --git a/intel-3.12-stable-fixes.patch b/intel-3.12-stable-fixes.patch deleted file mode 100644 index 24a80dc0f..000000000 --- a/intel-3.12-stable-fixes.patch +++ /dev/null @@ -1,86 +0,0 @@ -From 92c64493f41092185230c552c277b42bf6113140 Mon Sep 17 00:00:00 2001 -From: Jani Nikula -Date: Mon, 21 Oct 2013 10:52:07 +0300 -Subject: [PATCH 3/5] drm/i915/dp: workaround BIOS eDP bpp clamping issue - -This isn't a real fix to the problem, but rather a stopgap measure while -trying to find a proper solution. - -There are several laptops out there that fail to light up the eDP panel -in UEFI boot mode. They seem to be mostly IVB machines, including but -apparently not limited to Dell XPS 13, Asus TX300, Asus UX31A, Asus -UX32VD, Acer Aspire S7. They seem to work in CSM or legacy boot. - -The difference between UEFI and CSM is that the BIOS provides a -different VBT to the kernel. The UEFI VBT typically specifies 18 bpp and -1.62 GHz link for eDP, while CSM VBT has 24 bpp and 2.7 GHz link. We end -up clamping to 18 bpp in UEFI mode, which we can fit in the 1.62 Ghz -link, and for reasons yet unknown fail to light up the panel. - -Dithering from 24 to 18 bpp itself seems to work; if we use 18 bpp with -2.7 GHz link, the eDP panel lights up. So essentially this is a link -speed issue, and *not* a bpp clamping issue. - -The bug raised its head since -commit 657445fe8660100ad174600ebfa61536392b7624 -Author: Daniel Vetter -Date: Sat May 4 10:09:18 2013 +0200 - - Revert "drm/i915: revert eDP bpp clamping code changes" - -which started clamping bpp *before* computing the link requirements, and -thus affecting the required bandwidth. Clamping after the computations -kept the link at 2.7 GHz. - -Even though the BIOS tells us to use 18 bpp through the VBT, it happily -boots up at 24 bpp and 2.7 GHz itself! Use this information to -selectively ignore the VBT provided value. - -We can't ignore the VBT eDP bpp altogether, as there are other laptops -that do require the clamping to be used due to EDID reporting higher bpp -than the panel can support. - -Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=59841 -Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=67950 -Tested-by: Ulf Winkelvos -Tested-by: jkp -CC: stable@vger.kernel.org -Signed-off-by: Jani Nikula -Signed-off-by: Daniel Vetter ---- - drivers/gpu/drm/i915/intel_dp.c | 20 ++++++++++++++++++++ - 1 file changed, 20 insertions(+) - -diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index 3aed1fe..07eb447 100644 ---- a/drivers/gpu/drm/i915/intel_dp.c -+++ b/drivers/gpu/drm/i915/intel_dp.c -@@ -1371,6 +1371,26 @@ static void intel_dp_get_config(struct intel_encoder *encoder, - } - - pipe_config->adjusted_mode.flags |= flags; -+ -+ if (is_edp(intel_dp) && dev_priv->vbt.edp_bpp && -+ pipe_config->pipe_bpp > dev_priv->vbt.edp_bpp) { -+ /* -+ * This is a big fat ugly hack. -+ * -+ * Some machines in UEFI boot mode provide us a VBT that has 18 -+ * bpp and 1.62 GHz link bandwidth for eDP, which for reasons -+ * unknown we fail to light up. Yet the same BIOS boots up with -+ * 24 bpp and 2.7 GHz link. Use the same bpp as the BIOS uses as -+ * max, not what it tells us to use. -+ * -+ * Note: This will still be broken if the eDP panel is not lit -+ * up by the BIOS, and thus we can't get the mode at module -+ * load. -+ */ -+ DRM_DEBUG_KMS("pipe has %d bpp for eDP panel, overriding BIOS-provided max %d bpp\n", -+ pipe_config->pipe_bpp, dev_priv->vbt.edp_bpp); -+ dev_priv->vbt.edp_bpp = pipe_config->pipe_bpp; -+ } - } - - static void intel_disable_dp(struct intel_encoder *encoder) --- -1.8.3.1 diff --git a/kernel.spec b/kernel.spec index 9b92f1065..82c2817b2 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 8 +%define stable_update 9 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -777,12 +777,6 @@ Patch25135: alps-Support-for-Dell-XT2-model.patch #rhbz 1011621 Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch -#rhbz 995782 -Patch25138: intel-3.12-stable-fixes.patch - -#CVE-2013-4348 rhbz 1007939 1025647 -Patch25139: net-flow_dissector-fail-on-evil-iph-ihl.patch - #rhbz 1025769 Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -1531,12 +1525,6 @@ ApplyPatch alps-Support-for-Dell-XT2-model.patch #rhbz 1011621 ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch -#rhbz 995782 -ApplyPatch intel-3.12-stable-fixes.patch - -#CVE-2013-4348 rhbz 1007939 1025647 -ApplyPatch net-flow_dissector-fail-on-evil-iph-ihl.patch - #rhbz 1025769 ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch @@ -2372,6 +2360,9 @@ fi # and build. %changelog +* Wed Nov 20 2013 Josh Boyer - 3.11.9-200 +- Linux v3.11.9 + * Mon Nov 18 2013 Josh Boyer - Add patch to fix rhel5.9 KVM guests (rhbz 967652) - Add patch to fix crash from slab when using md-raid mirrors (rhbz 1031086) diff --git a/net-flow_dissector-fail-on-evil-iph-ihl.patch b/net-flow_dissector-fail-on-evil-iph-ihl.patch deleted file mode 100644 index aba3ea88b..000000000 --- a/net-flow_dissector-fail-on-evil-iph-ihl.patch +++ /dev/null @@ -1,82 +0,0 @@ -Path: news.gmane.org!not-for-mail -From: Jason Wang -Newsgroups: gmane.linux.kernel,gmane.linux.network -Subject: [PATCH net] net: flow_dissector: fail on evil iph->ihl -Date: Fri, 1 Nov 2013 15:01:10 +0800 -Lines: 34 -Approved: news@gmane.org -Message-ID: <1383289270-18952-1-git-send-email-jasowang@redhat.com> -NNTP-Posting-Host: plane.gmane.org -X-Trace: ger.gmane.org 1383289296 18578 80.91.229.3 (1 Nov 2013 07:01:36 GMT) -X-Complaints-To: usenet@ger.gmane.org -NNTP-Posting-Date: Fri, 1 Nov 2013 07:01:36 +0000 (UTC) -Cc: Jason Wang , - Petr Matousek , - "Michael S. Tsirkin" , - Daniel Borkmann -To: davem@davemloft.net, edumazet@google.com, netdev@vger.kernel.org, - linux-kernel@vger.kernel.org -Original-X-From: linux-kernel-owner@vger.kernel.org Fri Nov 01 08:01:39 2013 -Return-path: -Envelope-to: glk-linux-kernel-3@plane.gmane.org -Original-Received: from vger.kernel.org ([209.132.180.67]) - by plane.gmane.org with esmtp (Exim 4.69) - (envelope-from ) - id 1Vc8jh-00034h-9Y - for glk-linux-kernel-3@plane.gmane.org; Fri, 01 Nov 2013 08:01:37 +0100 -Original-Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753899Ab3KAHB3 (ORCPT ); - Fri, 1 Nov 2013 03:01:29 -0400 -Original-Received: from mx1.redhat.com ([209.132.183.28]:8081 "EHLO mx1.redhat.com" - rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP - id S1752399Ab3KAHB1 (ORCPT ); - Fri, 1 Nov 2013 03:01:27 -0400 -Original-Received: from int-mx02.intmail.prod.int.phx2.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) - by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id rA171QgE005079 - (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); - Fri, 1 Nov 2013 03:01:26 -0400 -Original-Received: from jason-ThinkPad-T430s.nay.redhat.com (dhcp-66-71-71.eng.nay.redhat.com [10.66.71.71] (may be forged)) - by int-mx02.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id rA171Jpr015790; - Fri, 1 Nov 2013 03:01:20 -0400 -X-Scanned-By: MIMEDefang 2.67 on 10.5.11.12 -Original-Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org -Xref: news.gmane.org gmane.linux.kernel:1588387 gmane.linux.network:289242 -Archived-At: - -We don't validate iph->ihl which may lead a dead loop if we meet a IPIP -skb whose iph->ihl is zero. Fix this by failing immediately when iph->ihl -is evil (less than 5). - -This issue were introduced by commit ec5efe7946280d1e84603389a1030ccec0a767ae -(rps: support IPIP encapsulation). - -Cc: Eric Dumazet -Cc: Petr Matousek -Cc: Michael S. Tsirkin -Cc: Daniel Borkmann -Signed-off-by: Jason Wang ---- -This patch is needed for stable. ---- - net/core/flow_dissector.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c -index 8d7d0dd..143b6fd 100644 ---- a/net/core/flow_dissector.c -+++ b/net/core/flow_dissector.c -@@ -40,7 +40,7 @@ again: - struct iphdr _iph; - ip: - iph = skb_header_pointer(skb, nhoff, sizeof(_iph), &_iph); -- if (!iph) -+ if (!iph || iph->ihl < 5) - return false; - - if (ip_is_fragment(iph)) --- -1.8.1.2 - diff --git a/sources b/sources index 4a8174344..391b9ff05 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -e6c14ecc86eab4cfaf498ba3c70b3f04 patch-3.11.8.xz +6cea7db9419cefdf4c3a4bcc89bf904b patch-3.11.9.xz From 6142d53dbe77431a4cc54f7ec80413b06f4ab182 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 22 Nov 2013 13:35:39 -0500 Subject: [PATCH 270/468] Add patches from Jeff Layton to fix 15sec NFS mount hang --- kernel.spec | 13 + ...check-gssd-running-before-krb5i-auth.patch | 46 ++++ ...new-dummy-pipe-for-gssd-to-hold-open.patch | 231 ++++++++++++++++++ ...ssd_running-with-more-reliable-check.patch | 132 ++++++++++ 4 files changed, 422 insertions(+) create mode 100644 nfs-check-gssd-running-before-krb5i-auth.patch create mode 100644 sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch create mode 100644 sunrpc-replace-gssd_running-with-more-reliable-check.patch diff --git a/kernel.spec b/kernel.spec index 82c2817b2..7bb504a45 100644 --- a/kernel.spec +++ b/kernel.spec @@ -800,6 +800,11 @@ Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch #rhbz 967652 Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch +# Fix 15sec NFS mount delay +Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch +Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch +Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch + # END OF PATCH DEFINITIONS %endif @@ -1548,6 +1553,11 @@ ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch #rhbz 967652 ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch +# Fix 15sec NFS mount delay +ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch +ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch +ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch + # END OF PATCH APPLICATIONS %endif @@ -2360,6 +2370,9 @@ fi # and build. %changelog +* Fri Nov 22 2013 Josh Boyer +- Add patches from Jeff Layton to fix 15sec NFS mount hang + * Wed Nov 20 2013 Josh Boyer - 3.11.9-200 - Linux v3.11.9 diff --git a/nfs-check-gssd-running-before-krb5i-auth.patch b/nfs-check-gssd-running-before-krb5i-auth.patch new file mode 100644 index 000000000..d26d51233 --- /dev/null +++ b/nfs-check-gssd-running-before-krb5i-auth.patch @@ -0,0 +1,46 @@ + +Currently, the client will attempt to use krb5i in the SETCLIENTID call +even if rpc.gssd isn't running. When that fails, it'll then fall back to +RPC_AUTH_UNIX. This introduced a delay when mounting if rpc.gssd isn't +running, and causes warning messages to pop up in the ring buffer. + +Check to see if rpc.gssd is running before even attempting to use krb5i +auth, and just silently skip trying to do so if it isn't. In the event +that the admin is actually trying to mount with krb5*, it will still +fail at a later stage of the mount attempt. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + fs/nfs/nfs4client.c | 7 ++++++- + 1 files changed, 6 insertions(+), 1 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c +--- linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c 2013-11-21 10:20:27.288286000 -0500 +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include "internal.h" + #include "callback.h" + #include "delegation.h" +@@ -206,7 +207,11 @@ struct nfs_client *nfs4_init_client(stru + if (clp->cl_minorversion != 0) + __set_bit(NFS_CS_INFINITE_SLOTS, &clp->cl_flags); + __set_bit(NFS_CS_DISCRTRY, &clp->cl_flags); +- error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_GSS_KRB5I); ++ ++ error = -EINVAL; ++ if (gssd_running(clp->cl_net)) ++ error = nfs_create_rpc_client(clp, timeparms, ++ RPC_AUTH_GSS_KRB5I); + if (error == -EINVAL) + error = nfs_create_rpc_client(clp, timeparms, RPC_AUTH_UNIX); + if (error < 0) + +_______________________________________________ +kernel mailing list +kernel@lists.fedoraproject.org +https://admin.fedoraproject.org/mailman/listinfo/kernel \ No newline at end of file diff --git a/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch b/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch new file mode 100644 index 000000000..559477fc2 --- /dev/null +++ b/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch @@ -0,0 +1,231 @@ + +rpc.gssd will naturally hold open any pipe named */clnt*/gssd that shows +up under rpc_pipefs. That behavior gives us a reliable mechanism to tell +whether it's actually running or not. + +Create a new toplevel "gssd" directory in rpc_pipefs when it's mounted. +Under that directory create another directory called "clntXX", and then +within that a pipe called "gssd". + +We'll never send an upcall along that pipe, and any downcall written to +it will just return -EINVAL. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + include/linux/sunrpc/rpc_pipe_fs.h | 3 +- + net/sunrpc/netns.h | 1 + + net/sunrpc/rpc_pipe.c | 93 ++++++++++++++++++++++++++++++++++- + net/sunrpc/sunrpc_syms.c | 8 +++- + 4 files changed, 100 insertions(+), 5 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h +--- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:11:17.893026000 -0500 +@@ -64,7 +64,8 @@ enum { + + extern struct dentry *rpc_d_lookup_sb(const struct super_block *sb, + const unsigned char *dir_name); +-extern void rpc_pipefs_init_net(struct net *net); ++extern int rpc_pipefs_init_net(struct net *net); ++extern void rpc_pipefs_exit_net(struct net *net); + extern struct super_block *rpc_get_sb_net(const struct net *net); + extern void rpc_put_sb_net(const struct net *net); + +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:11:17.897029000 -0500 +@@ -14,6 +14,7 @@ struct sunrpc_net { + struct cache_detail *rsi_cache; + + struct super_block *pipefs_sb; ++ struct rpc_pipe *gssd_dummy; + struct mutex pipefs_sb_lock; + + struct list_head all_clients; +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:11:17.903026000 -0500 +@@ -38,7 +38,7 @@ + #define NET_NAME(net) ((net == &init_net) ? " (init_net)" : "") + + static struct file_system_type rpc_pipe_fs_type; +- ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops; + + static struct kmem_cache *rpc_inode_cachep __read_mostly; + +@@ -1019,6 +1019,7 @@ enum { + RPCAUTH_nfsd4_cb, + RPCAUTH_cache, + RPCAUTH_nfsd, ++ RPCAUTH_gssd, + RPCAUTH_RootEOF + }; + +@@ -1055,6 +1056,10 @@ static const struct rpc_filelist files[] + .name = "nfsd", + .mode = S_IFDIR | S_IRUGO | S_IXUGO, + }, ++ [RPCAUTH_gssd] = { ++ .name = "gssd", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, ++ }, + }; + + /* +@@ -1068,13 +1073,25 @@ struct dentry *rpc_d_lookup_sb(const str + } + EXPORT_SYMBOL_GPL(rpc_d_lookup_sb); + +-void rpc_pipefs_init_net(struct net *net) ++int rpc_pipefs_init_net(struct net *net) + { + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + ++ sn->gssd_dummy = rpc_mkpipe_data(&gssd_dummy_pipe_ops, 0); ++ if (IS_ERR(sn->gssd_dummy)) ++ return PTR_ERR(sn->gssd_dummy); ++ + mutex_init(&sn->pipefs_sb_lock); + sn->gssd_running = 1; + sn->pipe_version = -1; ++ return 0; ++} ++ ++void rpc_pipefs_exit_net(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ ++ rpc_destroy_pipe_data(sn->gssd_dummy); + } + + /* +@@ -1104,11 +1121,73 @@ void rpc_put_sb_net(const struct net *ne + } + EXPORT_SYMBOL_GPL(rpc_put_sb_net); + ++static const struct rpc_filelist gssd_dummy_clnt_dir[] = { ++ [0] = { ++ .name = "clntXX", ++ .mode = S_IFDIR | S_IRUGO | S_IXUGO, ++ }, ++}; ++ ++static ssize_t ++dummy_downcall(struct file *filp, const char __user *src, size_t len) ++{ ++ return -EINVAL; ++} ++ ++static const struct rpc_pipe_ops gssd_dummy_pipe_ops = { ++ .upcall = rpc_pipe_generic_upcall, ++ .downcall = dummy_downcall, ++}; ++ ++/** ++ * rpc_gssd_dummy_populate - create a dummy gssd pipe ++ * @root: root of the rpc_pipefs filesystem ++ * @pipe_data: pipe data created when netns is initialized ++ * ++ * Create a dummy set of directories and a pipe that gssd can hold open to ++ * indicate that it is up and running. ++ */ ++static struct dentry * ++rpc_gssd_dummy_populate(struct dentry *root, struct rpc_pipe *pipe_data) ++{ ++ int ret = 0; ++ struct dentry *gssd_dentry; ++ struct dentry *clnt_dentry = NULL; ++ struct dentry *pipe_dentry = NULL; ++ struct qstr q = QSTR_INIT(files[RPCAUTH_gssd].name, ++ strlen(files[RPCAUTH_gssd].name)); ++ ++ /* We should never get this far if "gssd" doesn't exist */ ++ gssd_dentry = d_hash_and_lookup(root, &q); ++ if (!gssd_dentry) ++ return ERR_PTR(-ENOENT); ++ ++ ret = rpc_populate(gssd_dentry, gssd_dummy_clnt_dir, 0, 1, NULL); ++ if (ret) { ++ pipe_dentry = ERR_PTR(ret); ++ goto out; ++ } ++ ++ q.name = gssd_dummy_clnt_dir[0].name; ++ q.len = strlen(gssd_dummy_clnt_dir[0].name); ++ clnt_dentry = d_hash_and_lookup(gssd_dentry, &q); ++ if (!clnt_dentry) { ++ pipe_dentry = ERR_PTR(-ENOENT); ++ goto out; ++ } ++ ++ pipe_dentry = rpc_mkpipe_dentry(clnt_dentry, "gssd", NULL, pipe_data); ++out: ++ dput(clnt_dentry); ++ dput(gssd_dentry); ++ return pipe_dentry; ++} ++ + static int + rpc_fill_super(struct super_block *sb, void *data, int silent) + { + struct inode *inode; +- struct dentry *root; ++ struct dentry *root, *gssd_dentry; + struct net *net = data; + struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + int err; +@@ -1126,6 +1205,13 @@ rpc_fill_super(struct super_block *sb, v + return -ENOMEM; + if (rpc_populate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF, NULL)) + return -ENOMEM; ++ ++ gssd_dentry = rpc_gssd_dummy_populate(root, sn->gssd_dummy); ++ if (IS_ERR(gssd_dentry)) { ++ __rpc_depopulate(root, files, RPCAUTH_lockd, RPCAUTH_RootEOF); ++ return PTR_ERR(gssd_dentry); ++ } ++ + dprintk("RPC: sending pipefs MOUNT notification for net %p%s\n", + net, NET_NAME(net)); + mutex_lock(&sn->pipefs_sb_lock); +@@ -1140,6 +1226,7 @@ rpc_fill_super(struct super_block *sb, v + return 0; + + err_depopulate: ++ dput(gssd_dentry); + blocking_notifier_call_chain(&rpc_pipefs_notifier_list, + RPC_PIPEFS_UMOUNT, + sb); +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/sunrpc_syms.c 2013-11-21 10:11:17.908026000 -0500 +@@ -44,12 +44,17 @@ static __net_init int sunrpc_init_net(st + if (err) + goto err_unixgid; + +- rpc_pipefs_init_net(net); ++ err = rpc_pipefs_init_net(net); ++ if (err) ++ goto err_pipefs; ++ + INIT_LIST_HEAD(&sn->all_clients); + spin_lock_init(&sn->rpc_client_lock); + spin_lock_init(&sn->rpcb_clnt_lock); + return 0; + ++err_pipefs: ++ unix_gid_cache_destroy(net); + err_unixgid: + ip_map_cache_destroy(net); + err_ipmap: +@@ -60,6 +65,7 @@ err_proc: + + static __net_exit void sunrpc_exit_net(struct net *net) + { ++ rpc_pipefs_exit_net(net); + unix_gid_cache_destroy(net); + ip_map_cache_destroy(net); + rpc_proc_exit(net); + diff --git a/sunrpc-replace-gssd_running-with-more-reliable-check.patch b/sunrpc-replace-gssd_running-with-more-reliable-check.patch new file mode 100644 index 000000000..82dd0853e --- /dev/null +++ b/sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -0,0 +1,132 @@ + +Now that we have a more reliable method to tell if gssd is running, we +can replace the sn->gssd_running flag with a function that will query to +see if it's up and running. + +There's also no need to attempt an upcall that we know will fail, so +just return -EACCES if gssd isn't running. Finally, fix the warn_gss() +message not to claim that that the upcall timed out since we don't +necesarily perform one now when gssd isn't running, and remove the +extraneous newline from the message. + +Signed-off-by: Jeff Layton +Signed-off-by: Trond Myklebust +--- + include/linux/sunrpc/rpc_pipe_fs.h | 2 ++ + net/sunrpc/auth_gss/auth_gss.c | 17 +++++++---------- + net/sunrpc/netns.h | 2 -- + net/sunrpc/rpc_pipe.c | 14 ++++++++++---- + 4 files changed, 19 insertions(+), 16 deletions(-) + +diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h +--- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-11-21 10:11:17.893026000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:14:17.709348000 -0500 +@@ -94,5 +94,7 @@ extern int rpc_unlink(struct dentry *); + extern int register_rpc_pipefs(void); + extern void unregister_rpc_pipefs(void); + ++extern bool gssd_running(struct net *net); ++ + #endif + #endif +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig 2013-09-02 16:46:10.000000000 -0400 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c 2013-11-21 10:18:33.681923000 -0500 +@@ -507,8 +507,7 @@ static void warn_gssd(void) + unsigned long now = jiffies; + + if (time_after(now, ratelimit)) { +- printk(KERN_WARNING "RPC: AUTH_GSS upcall timed out.\n" +- "Please check user daemon is running.\n"); ++ pr_warn("RPC: AUTH_GSS upcall failed. Please check user daemon is running.\n"); + ratelimit = now + 15*HZ; + } + } +@@ -571,7 +570,6 @@ gss_create_upcall(struct gss_auth *gss_a + struct rpc_pipe *pipe; + struct rpc_cred *cred = &gss_cred->gc_base; + struct gss_upcall_msg *gss_msg; +- unsigned long timeout; + DEFINE_WAIT(wait); + int err; + +@@ -579,17 +577,16 @@ gss_create_upcall(struct gss_auth *gss_a + __func__, from_kuid(&init_user_ns, cred->cr_uid)); + retry: + err = 0; +- /* Default timeout is 15s unless we know that gssd is not running */ +- timeout = 15 * HZ; +- if (!sn->gssd_running) +- timeout = HZ >> 2; ++ /* if gssd is down, just skip upcalling altogether */ ++ if (!gssd_running(net)) { ++ warn_gssd(); ++ return -EACCES; ++ } + gss_msg = gss_setup_upcall(gss_auth->client, gss_auth, cred); + if (PTR_ERR(gss_msg) == -EAGAIN) { + err = wait_event_interruptible_timeout(pipe_version_waitqueue, +- sn->pipe_version >= 0, timeout); ++ sn->pipe_version >= 0, 15 * HZ); + if (sn->pipe_version < 0) { +- if (err == 0) +- sn->gssd_running = 0; + warn_gssd(); + err = -EACCES; + } +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-11-21 10:11:17.897029000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:14:17.722351000 -0500 +@@ -33,8 +33,6 @@ struct sunrpc_net { + int pipe_version; + atomic_t pipe_users; + struct proc_dir_entry *use_gssp_proc; +- +- unsigned int gssd_running; + }; + + extern int sunrpc_net_id; +diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c +--- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-11-21 10:11:17.903026000 -0500 ++++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:14:17.727348000 -0500 +@@ -216,14 +216,11 @@ rpc_destroy_inode(struct inode *inode) + static int + rpc_pipe_open(struct inode *inode, struct file *filp) + { +- struct net *net = inode->i_sb->s_fs_info; +- struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); + struct rpc_pipe *pipe; + int first_open; + int res = -ENXIO; + + mutex_lock(&inode->i_mutex); +- sn->gssd_running = 1; + pipe = RPC_I(inode)->pipe; + if (pipe == NULL) + goto out; +@@ -1082,7 +1079,6 @@ int rpc_pipefs_init_net(struct net *net) + return PTR_ERR(sn->gssd_dummy); + + mutex_init(&sn->pipefs_sb_lock); +- sn->gssd_running = 1; + sn->pipe_version = -1; + return 0; + } +@@ -1236,6 +1232,16 @@ err_depopulate: + return err; + } + ++bool ++gssd_running(struct net *net) ++{ ++ struct sunrpc_net *sn = net_generic(net, sunrpc_net_id); ++ struct rpc_pipe *pipe = sn->gssd_dummy; ++ ++ return pipe->nreaders || pipe->nwriters; ++} ++EXPORT_SYMBOL_GPL(gssd_running); ++ + static struct dentry * + rpc_mount(struct file_system_type *fs_type, + int flags, const char *dev_name, void *data) + From c870ae81ba0ec00985edef2ed307d5f50f5f854c Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 22 Nov 2013 14:23:22 -0500 Subject: [PATCH 271/468] Add bugzilla and upstream-status fields to nfs patches --- nfs-check-gssd-running-before-krb5i-auth.patch | 4 +++- sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch | 2 ++ sunrpc-replace-gssd_running-with-more-reliable-check.patch | 2 ++ 3 files changed, 7 insertions(+), 1 deletion(-) diff --git a/nfs-check-gssd-running-before-krb5i-auth.patch b/nfs-check-gssd-running-before-krb5i-auth.patch index d26d51233..be81fec76 100644 --- a/nfs-check-gssd-running-before-krb5i-auth.patch +++ b/nfs-check-gssd-running-before-krb5i-auth.patch @@ -1,3 +1,5 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) Currently, the client will attempt to use krb5i in the SETCLIENTID call even if rpc.gssd isn't running. When that fails, it'll then fall back to @@ -43,4 +45,4 @@ diff -up linux-3.11.9-200.fc19.x86_64/fs/nfs/nfs4client.c.orig linux-3.11.9-200. _______________________________________________ kernel mailing list kernel@lists.fedoraproject.org -https://admin.fedoraproject.org/mailman/listinfo/kernel \ No newline at end of file +https://admin.fedoraproject.org/mailman/listinfo/kernel diff --git a/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch b/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch index 559477fc2..805498a70 100644 --- a/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch +++ b/sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch @@ -1,3 +1,5 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) rpc.gssd will naturally hold open any pipe named */clnt*/gssd that shows up under rpc_pipefs. That behavior gives us a reliable mechanism to tell diff --git a/sunrpc-replace-gssd_running-with-more-reliable-check.patch b/sunrpc-replace-gssd_running-with-more-reliable-check.patch index 82dd0853e..f2ca18555 100644 --- a/sunrpc-replace-gssd_running-with-more-reliable-check.patch +++ b/sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -1,3 +1,5 @@ +Bugzilla: N/A +Upstream-status: queued in NFS git tree (for 3.13/3.14?) Now that we have a more reliable method to tell if gssd is running, we can replace the sn->gssd_running flag with a function that will query to From 9eac74d5a687c803db18fe9961180572469b0b81 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Nov 2013 08:21:51 -0500 Subject: [PATCH 272/468] CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) --- kernel.spec | 9 +++++ libertas-potential-oops-in-debugfs.patch | 50 ++++++++++++++++++++++++ 2 files changed, 59 insertions(+) create mode 100644 libertas-potential-oops-in-debugfs.patch diff --git a/kernel.spec b/kernel.spec index 7bb504a45..99d9122db 100644 --- a/kernel.spec +++ b/kernel.spec @@ -805,6 +805,9 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch +#CVE-2013-6378 rhbz 1033578 1034183 +Patch25155: libertas-potential-oops-in-debugfs.patch + # END OF PATCH DEFINITIONS %endif @@ -1558,6 +1561,9 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch +#CVE-2013-6378 rhbz 1033578 1034183 +ApplyPatch libertas-potential-oops-in-debugfs.patch + # END OF PATCH APPLICATIONS %endif @@ -2370,6 +2376,9 @@ fi # and build. %changelog +* Mon Nov 25 2013 Josh Boyer +- CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) + * Fri Nov 22 2013 Josh Boyer - Add patches from Jeff Layton to fix 15sec NFS mount hang diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch new file mode 100644 index 000000000..02e72d8f9 --- /dev/null +++ b/libertas-potential-oops-in-debugfs.patch @@ -0,0 +1,50 @@ +Bugzilla: 1034183 +Upstream-status: 3.13 + +From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 30 Oct 2013 20:12:51 +0300 +Subject: [PATCH] libertas: potential oops in debugfs + +If we do a zero size allocation then it will oops. Also we can't be +sure the user passes us a NUL terminated string so I've added a +terminator. + +This code can only be triggered by root. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Dan Carpenter +Acked-by: Dan Williams +Signed-off-by: John W. Linville +--- + drivers/net/wireless/libertas/debugfs.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c +index 668dd27..cc6a0a5 100644 +--- a/drivers/net/wireless/libertas/debugfs.c ++++ b/drivers/net/wireless/libertas/debugfs.c +@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + char *p2; + struct debug_data *d = f->private_data; + +- pdata = kmalloc(cnt, GFP_KERNEL); ++ if (cnt == 0) ++ return 0; ++ ++ pdata = kmalloc(cnt + 1, GFP_KERNEL); + if (pdata == NULL) + return 0; + +@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, + kfree(pdata); + return 0; + } ++ pdata[cnt] = '\0'; + + p0 = pdata; + for (i = 0; i < num_of_items; i++) { +-- +1.8.3.1 + From 0d92b0338920d6b585a2236396463fb4855034d1 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 25 Nov 2013 11:34:44 -0500 Subject: [PATCH 273/468] CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304) --- ...-prevent-invalid-pointer-dereference.patch | 42 +++++++++++++++++++ kernel.spec | 7 ++++ 2 files changed, 49 insertions(+) create mode 100644 aacraid-prevent-invalid-pointer-dereference.patch diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch new file mode 100644 index 000000000..f5517aba9 --- /dev/null +++ b/aacraid-prevent-invalid-pointer-dereference.patch @@ -0,0 +1,42 @@ +Bugzilla: 1033593 +Upstream-status: 3.13 + +From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001 +From: Mahesh Rajashekhara +Date: Thu, 31 Oct 2013 14:01:02 +0530 +Subject: [PATCH] aacraid: prevent invalid pointer dereference + +It appears that driver runs into a problem here if fibsize is too small +because we allocate user_srbcmd with fibsize size only but later we +access it until user_srbcmd->sg.count to copy it over to srbcmd. + +It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this +structure already includes one sg element and this is not needed for +commands without data. So, we would recommend to add the following +(instead of test for fibsize == 0). + +Signed-off-by: Mahesh Rajashekhara +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Linus Torvalds +--- + drivers/scsi/aacraid/commctrl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c +index d85ac1a..fbcd48d 100644 +--- a/drivers/scsi/aacraid/commctrl.c ++++ b/drivers/scsi/aacraid/commctrl.c +@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) + goto cleanup; + } + +- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { ++ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || ++ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { + rcode = -EINVAL; + goto cleanup; + } +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 99d9122db..4fcd66a92 100644 --- a/kernel.spec +++ b/kernel.spec @@ -808,6 +808,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch #CVE-2013-6378 rhbz 1033578 1034183 Patch25155: libertas-potential-oops-in-debugfs.patch +#CVE-2013-6380 rhbz 1033593 1034304 +Patch25156: aacraid-prevent-invalid-pointer-dereference.patch + # END OF PATCH DEFINITIONS %endif @@ -1564,6 +1567,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch #CVE-2013-6378 rhbz 1033578 1034183 ApplyPatch libertas-potential-oops-in-debugfs.patch +#CVE-2013-6380 rhbz 1033593 1034304 +ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch + # END OF PATCH APPLICATIONS %endif @@ -2377,6 +2383,7 @@ fi %changelog * Mon Nov 25 2013 Josh Boyer +- CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304) - CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) * Fri Nov 22 2013 Josh Boyer From a3c585d7cff451dabad544fd64ded9f9e01b7076 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dan=20Hor=C3=A1k?= Date: Tue, 26 Nov 2013 14:10:37 +0100 Subject: [PATCH 274/468] x86_64-generic - remove duplicate options --- config-x86_64-generic | 5 ----- 1 file changed, 5 deletions(-) diff --git a/config-x86_64-generic b/config-x86_64-generic index 85f588bc1..b1bfed734 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -145,11 +145,6 @@ CONFIG_CHECKPOINT_RESTORE=y CONFIG_NTB=m CONFIG_NTB_NETDEV=m -CONFIG_SFC=m -CONFIG_SFC_MCDI_MON=y -CONFIG_SFC_SRIOV=y -CONFIG_SFC_PTP=y - # 10GigE # CONFIG_IP1000=m From ce59a0d14b0421a8fd8d8cd2d1781fa178e70af7 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 26 Nov 2013 12:20:03 -0500 Subject: [PATCH 275/468] CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) --- kernel.spec | 9 ++ ...erflow-bug-in-xfs_attrlist_by_handle.patch | 149 ++++++++++++++++++ 2 files changed, 158 insertions(+) create mode 100644 xfs-underflow-bug-in-xfs_attrlist_by_handle.patch diff --git a/kernel.spec b/kernel.spec index 4fcd66a92..ff91733ff 100644 --- a/kernel.spec +++ b/kernel.spec @@ -811,6 +811,9 @@ Patch25155: libertas-potential-oops-in-debugfs.patch #CVE-2013-6380 rhbz 1033593 1034304 Patch25156: aacraid-prevent-invalid-pointer-dereference.patch +#CVE-2013-6382 rhbz 1033603 1034670 +Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch + # END OF PATCH DEFINITIONS %endif @@ -1570,6 +1573,9 @@ ApplyPatch libertas-potential-oops-in-debugfs.patch #CVE-2013-6380 rhbz 1033593 1034304 ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch +#CVE-2013-6382 rhbz 1033603 1034670 +ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch + # END OF PATCH APPLICATIONS %endif @@ -2382,6 +2388,9 @@ fi # and build. %changelog +* Tue Nov 26 2013 Josh Boyer +- CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) + * Mon Nov 25 2013 Josh Boyer - CVE-2013-6380 aacraid: invalid pointer dereference (rhbz 1033593 1034304) - CVE-2013-6378 libertas: potential oops in debugfs (rhbz 1033578 1034183) diff --git a/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch new file mode 100644 index 000000000..6c7f60dd9 --- /dev/null +++ b/xfs-underflow-bug-in-xfs_attrlist_by_handle.patch @@ -0,0 +1,149 @@ +Bugzilla: 1033603 +Upstream-status: Submitted but not queued http://thread.gmane.org/gmane.comp.file-systems.xfs.general/57654 + +Path: news.gmane.org!not-for-mail +From: Dan Carpenter +Newsgroups: gmane.comp.file-systems.xfs.general +Subject: [patch] xfs: underflow bug in xfs_attrlist_by_handle() +Date: Thu, 31 Oct 2013 21:00:10 +0300 +Lines: 43 +Approved: news@gmane.org +Message-ID: <20131031180010.GA24839@longonot.mountain> +References: <20131025144452.GA28451@ngolde.de> +NNTP-Posting-Host: plane.gmane.org +Mime-Version: 1.0 +Content-Type: text/plain; charset="us-ascii" +Content-Transfer-Encoding: 7bit +X-Trace: ger.gmane.org 1383242609 27303 80.91.229.3 (31 Oct 2013 18:03:29 GMT) +X-Complaints-To: usenet@ger.gmane.org +NNTP-Posting-Date: Thu, 31 Oct 2013 18:03:29 +0000 (UTC) +Cc: Fabian Yamaguchi , security@kernel.org, + Alex Elder , Nico Golde , xfs@oss.sgi.com +To: Ben Myers +Original-X-From: xfs-bounces@oss.sgi.com Thu Oct 31 19:03:33 2013 +Return-path: +Envelope-to: sgi-linux-xfs@gmane.org +Original-Received: from oss.sgi.com ([192.48.182.195]) + by plane.gmane.org with esmtp (Exim 4.69) + (envelope-from ) + id 1Vbwag-0001Ow-Sv + for sgi-linux-xfs@gmane.org; Thu, 31 Oct 2013 19:03:31 +0100 +Original-Received: from oss.sgi.com (localhost [IPv6:::1]) + by oss.sgi.com (Postfix) with ESMTP id DB14A7F85; + Thu, 31 Oct 2013 13:03:28 -0500 (CDT) +X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on oss.sgi.com +X-Spam-Level: +X-Spam-Status: No, score=0.0 required=5.0 tests=UNPARSEABLE_RELAY + autolearn=ham version=3.3.1 +X-Original-To: xfs@oss.sgi.com +Delivered-To: xfs@oss.sgi.com +Original-Received: from relay.sgi.com (relay1.corp.sgi.com [137.38.102.111]) + by oss.sgi.com (Postfix) with ESMTP id A0ED87F83 + for ; Thu, 31 Oct 2013 13:03:27 -0500 (CDT) +Original-Received: from cuda.sgi.com (cuda1.sgi.com [192.48.157.11]) + by relay1.corp.sgi.com (Postfix) with ESMTP id 71E0A8F804B + for ; Thu, 31 Oct 2013 11:03:24 -0700 (PDT) +X-ASG-Debug-ID: 1383242599-04bdf0789a41ef30001-NocioJ +Original-Received: from userp1040.oracle.com (userp1040.oracle.com [156.151.31.81]) by + cuda.sgi.com with ESMTP id CWKetu2Mc6MhJZij (version=TLSv1 + cipher=AES256-SHA bits=256 verify=NO); + Thu, 31 Oct 2013 11:03:20 -0700 (PDT) +X-Barracuda-Envelope-From: dan.carpenter@oracle.com +X-Barracuda-Apparent-Source-IP: 156.151.31.81 +Original-Received: from acsinet22.oracle.com (acsinet22.oracle.com [141.146.126.238]) + by userp1040.oracle.com (Sentrion-MTA-4.3.1/Sentrion-MTA-4.3.1) with + ESMTP id r9VI3AZn009606 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); + Thu, 31 Oct 2013 18:03:11 GMT +Original-Received: from aserz7022.oracle.com (aserz7022.oracle.com [141.146.126.231]) + by acsinet22.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id + r9VI39qG016923 + (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO); + Thu, 31 Oct 2013 18:03:10 GMT +Original-Received: from abhmt101.oracle.com (abhmt101.oracle.com [141.146.116.53]) + by aserz7022.oracle.com (8.14.4+Sun/8.14.4) with ESMTP id + r9VI395m016915; Thu, 31 Oct 2013 18:03:09 GMT +Original-Received: from longonot.mountain (/105.160.144.228) + by default (Oracle Beehive Gateway v4.0) + with ESMTP ; Thu, 31 Oct 2013 11:03:08 -0700 +X-ASG-Orig-Subj: [patch] xfs: underflow bug in xfs_attrlist_by_handle() +Content-Disposition: inline +In-Reply-To: <20131025144452.GA28451@ngolde.de> +User-Agent: Mutt/1.5.21 (2010-09-15) +X-Source-IP: acsinet22.oracle.com [141.146.126.238] +X-Barracuda-Connect: userp1040.oracle.com[156.151.31.81] +X-Barracuda-Start-Time: 1383242600 +X-Barracuda-Encrypted: AES256-SHA +X-Barracuda-URL: http://192.48.157.11:80/cgi-mod/mark.cgi +X-Virus-Scanned: by bsmtpd at sgi.com +X-Barracuda-BRTS-Status: 1 +X-Barracuda-Spam-Score: 0.00 +X-Barracuda-Spam-Status: No, + SCORE=0.00 using per-user scores of TAG_LEVEL=1000.0 + QUARANTINE_LEVEL=1000.0 KILL_LEVEL=2.7 tests=UNPARSEABLE_RELAY +X-Barracuda-Spam-Report: Code version 3.2, rules version 3.2.2.141937 + Rule breakdown below + pts rule name description + ---- ---------------------- + -------------------------------------------------- + 0.00 UNPARSEABLE_RELAY Informational: message has unparseable relay + lines +X-BeenThere: xfs@oss.sgi.com +X-Mailman-Version: 2.1.14 +Precedence: list +List-Id: XFS Filesystem from SGI +List-Unsubscribe: , + +List-Archive: +List-Post: +List-Help: +List-Subscribe: , + +Errors-To: xfs-bounces@oss.sgi.com +Original-Sender: xfs-bounces@oss.sgi.com +Xref: news.gmane.org gmane.comp.file-systems.xfs.general:57654 +Archived-At: + +If we allocate less than sizeof(struct attrlist) then we end up +corrupting memory or doing a ZERO_PTR_SIZE dereference. + +This can only be triggered with CAP_SYS_ADMIN. + +Reported-by: Nico Golde +Reported-by: Fabian Yamaguchi +Signed-off-by: Dan Carpenter + +diff --git a/fs/xfs/xfs_ioctl.c b/fs/xfs/xfs_ioctl.c +index 4d61340..33ad9a7 100644 +--- a/fs/xfs/xfs_ioctl.c ++++ b/fs/xfs/xfs_ioctl.c +@@ -442,7 +442,8 @@ xfs_attrlist_by_handle( + return -XFS_ERROR(EPERM); + if (copy_from_user(&al_hreq, arg, sizeof(xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* +diff --git a/fs/xfs/xfs_ioctl32.c b/fs/xfs/xfs_ioctl32.c +index e8fb123..a7992f8 100644 +--- a/fs/xfs/xfs_ioctl32.c ++++ b/fs/xfs/xfs_ioctl32.c +@@ -356,7 +356,8 @@ xfs_compat_attrlist_by_handle( + if (copy_from_user(&al_hreq, arg, + sizeof(compat_xfs_fsop_attrlist_handlereq_t))) + return -XFS_ERROR(EFAULT); +- if (al_hreq.buflen > XATTR_LIST_MAX) ++ if (al_hreq.buflen < sizeof(struct attrlist) || ++ al_hreq.buflen > XATTR_LIST_MAX) + return -XFS_ERROR(EINVAL); + + /* + +_______________________________________________ +xfs mailing list +xfs@oss.sgi.com +http://oss.sgi.com/mailman/listinfo/xfs + From 3b424ab866aa6f872157d8db11433db9dcac6d35 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 26 Nov 2013 13:59:14 -0500 Subject: [PATCH 276/468] Fix crash in via-velocity driver (rhbz 1022733) --- kernel.spec | 7 + ...netif_receive_skb-use-in-irq-disable.patch | 121 ++++++++++++++++++ 2 files changed, 128 insertions(+) create mode 100644 via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch diff --git a/kernel.spec b/kernel.spec index ff91733ff..4a0db1f89 100644 --- a/kernel.spec +++ b/kernel.spec @@ -814,6 +814,9 @@ Patch25156: aacraid-prevent-invalid-pointer-dereference.patch #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +#rhbz 1022733 +Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + # END OF PATCH DEFINITIONS %endif @@ -1576,6 +1579,9 @@ ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch +#rhbz 1022733 +ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch + # END OF PATCH APPLICATIONS %endif @@ -2389,6 +2395,7 @@ fi %changelog * Tue Nov 26 2013 Josh Boyer +- Fix crash in via-velocity driver (rhbz 1022733) - CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) * Mon Nov 25 2013 Josh Boyer diff --git a/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch b/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch new file mode 100644 index 000000000..820f47056 --- /dev/null +++ b/via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch @@ -0,0 +1,121 @@ +Bugzilla: 1022733 +Upstream: Submitted for 3.13 and 3.12.y stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp116929oab; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +X-Received: by 10.68.254.105 with SMTP id ah9mr20726084pbd.87.1385423136297; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id am2si28999873pad.96.2013.11.25.15.44.53 + for ; + Mon, 25 Nov 2013 15:45:36 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of netdev-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=netdev-owner@vger.kernel.org +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1753536Ab3KYXl6 (ORCPT + 99 others); + Mon, 25 Nov 2013 18:41:58 -0500 +Received: from violet.fr.zoreil.com ([92.243.8.30]:57806 "EHLO + violet.fr.zoreil.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751913Ab3KYXlz (ORCPT + ); Mon, 25 Nov 2013 18:41:55 -0500 +Received: from violet.fr.zoreil.com (localhost [127.0.0.1]) + by violet.fr.zoreil.com (8.14.5/8.14.5) with ESMTP id rAPNewrt012676; + Tue, 26 Nov 2013 00:40:58 +0100 +Received: (from romieu@localhost) + by violet.fr.zoreil.com (8.14.5/8.14.5/Submit) id rAPNewbX012675; + Tue, 26 Nov 2013 00:40:58 +0100 +Date: Tue, 26 Nov 2013 00:40:58 +0100 +From: Francois Romieu +To: netdev@vger.kernel.org +Cc: David Miller , + "Alex A. Schmidt" , + Michele Baldessari , + Jamie Heilman , + Julia Lawall +Subject: [PATCH net 1/1] via-velocity: fix netif_receive_skb use in irq + disabled section. +Message-ID: <20131125234058.GA12566@electric-eye.fr.zoreil.com> +MIME-Version: 1.0 +Content-Type: text/plain; charset=us-ascii +Content-Disposition: inline +X-Organisation: Land of Sunshine Inc. +User-Agent: Mutt/1.5.21 (2010-09-15) +Sender: netdev-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: netdev@vger.kernel.org + +2fdac010bdcf10a30711b6924612dfc40daf19b8 ("via-velocity.c: update napi +implementation") overlooked an irq disabling spinlock when the Rx part +of the NAPI poll handler was converted from netif_rx to netif_receive_skb. + +NAPI Rx processing can be taken out of the locked section with a pair of +napi_{disable / enable} since it only races with the MTU change function. + +An heavier rework of the NAPI locking would be able to perform NAPI Tx +before Rx where I simply removed one of velocity_tx_srv calls. + +References: https://bugzilla.redhat.com/show_bug.cgi?id=1022733 +Fixes: 2fdac010bdcf (via-velocity.c: update napi implementation) +Signed-off-by: Francois Romieu +Tested-by: Alex A. Schmidt +Cc: Jamie Heilman +Cc: Michele Baldessari +Cc: Julia Lawall +--- + + It is relevant for stable 3.11.x and 3.12.y. + + drivers/net/ethernet/via/via-velocity.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/drivers/net/ethernet/via/via-velocity.c b/drivers/net/ethernet/via/via-velocity.c +index d022bf9..ad61d26 100644 +--- a/drivers/net/ethernet/via/via-velocity.c ++++ b/drivers/net/ethernet/via/via-velocity.c +@@ -2172,16 +2172,13 @@ static int velocity_poll(struct napi_struct *napi, int budget) + unsigned int rx_done; + unsigned long flags; + +- spin_lock_irqsave(&vptr->lock, flags); + /* + * Do rx and tx twice for performance (taken from the VIA + * out-of-tree driver). + */ +- rx_done = velocity_rx_srv(vptr, budget / 2); +- velocity_tx_srv(vptr); +- rx_done += velocity_rx_srv(vptr, budget - rx_done); ++ rx_done = velocity_rx_srv(vptr, budget); ++ spin_lock_irqsave(&vptr->lock, flags); + velocity_tx_srv(vptr); +- + /* If budget not fully consumed, exit the polling mode */ + if (rx_done < budget) { + napi_complete(napi); +@@ -2342,6 +2339,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + if (ret < 0) + goto out_free_tmp_vptr_1; + ++ napi_disable(&vptr->napi); ++ + spin_lock_irqsave(&vptr->lock, flags); + + netif_stop_queue(dev); +@@ -2362,6 +2361,8 @@ static int velocity_change_mtu(struct net_device *dev, int new_mtu) + + velocity_give_many_rx_descs(vptr); + ++ napi_enable(&vptr->napi); ++ + mac_enable_int(vptr->mac_regs); + netif_start_queue(dev); + +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe netdev" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html From e2cdf9e2a83e261c38df656c8c91904a5353e80e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 26 Nov 2013 14:22:21 -0500 Subject: [PATCH 277/468] Add patch to fix usbnet URB handling (rhbz 998342) --- kernel.spec | 7 ++++ ...et-fix-status-interrupt-urb-handling.patch | 37 +++++++++++++++++++ 2 files changed, 44 insertions(+) create mode 100644 usbnet-fix-status-interrupt-urb-handling.patch diff --git a/kernel.spec b/kernel.spec index 4a0db1f89..aa318b36f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -817,6 +817,9 @@ Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch #rhbz 1022733 Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch +#rhbz 998342 +Patch25159: usbnet-fix-status-interrupt-urb-handling.patch + # END OF PATCH DEFINITIONS %endif @@ -1582,6 +1585,9 @@ ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch #rhbz 1022733 ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch +#rhbz 998342 +ApplyPatch usbnet-fix-status-interrupt-urb-handling.patch + # END OF PATCH APPLICATIONS %endif @@ -2395,6 +2401,7 @@ fi %changelog * Tue Nov 26 2013 Josh Boyer +- Add patch to fix usbnet URB handling (rhbz 998342) - Fix crash in via-velocity driver (rhbz 1022733) - CVE-2013-6382 xfs: missing check for ZERO_SIZE_PTR (rhbz 1033603 1034670) diff --git a/usbnet-fix-status-interrupt-urb-handling.patch b/usbnet-fix-status-interrupt-urb-handling.patch new file mode 100644 index 000000000..74bf3978d --- /dev/null +++ b/usbnet-fix-status-interrupt-urb-handling.patch @@ -0,0 +1,37 @@ +From 52f48d0d9aaa621ffa5e08d79da99a3f8c93b848 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 12 Nov 2013 16:34:41 +0100 +Subject: [PATCH] usbnet: fix status interrupt urb handling + +Since commit 7b0c5f21f348a66de495868b8df0284e8dfd6bbf +"sierra_net: keep status interrupt URB active", sierra_net triggers +status interrupt polling before the net_device is opened (in order to +properly receive the sync message response). + +To be able to receive further interrupts, the interrupt urb needs to be +re-submitted, so this patch removes the bogus check for netif_running(). + +Signed-off-by: Felix Fietkau +Tested-by: Dan Williams +Signed-off-by: David S. Miller +--- + drivers/net/usb/usbnet.c | 3 --- + 1 file changed, 3 deletions(-) + +diff --git a/drivers/net/usb/usbnet.c b/drivers/net/usb/usbnet.c +index 90a429b..8494bb5 100644 +--- a/drivers/net/usb/usbnet.c ++++ b/drivers/net/usb/usbnet.c +@@ -204,9 +204,6 @@ static void intr_complete (struct urb *urb) + break; + } + +- if (!netif_running (dev->net)) +- return; +- + status = usb_submit_urb (urb, GFP_ATOMIC); + if (status != 0) + netif_err(dev, timer, dev->net, +-- +1.8.3.1 + From 2ca6c5e549b3755c38ba0194a5d553c887457330 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 29 Nov 2013 10:23:44 -0500 Subject: [PATCH 278/468] Fix memory leak in qxl (from Dave Airlie) --- ...memory-leak-in-release-list-handling.patch | 27 +++++++++++++++++++ kernel.spec | 5 ++++ 2 files changed, 32 insertions(+) create mode 100644 drm-qxl-fix-memory-leak-in-release-list-handling.patch diff --git a/drm-qxl-fix-memory-leak-in-release-list-handling.patch b/drm-qxl-fix-memory-leak-in-release-list-handling.patch new file mode 100644 index 000000000..542d0276d --- /dev/null +++ b/drm-qxl-fix-memory-leak-in-release-list-handling.patch @@ -0,0 +1,27 @@ +From 1b28c3e628315ac0d9ef2d3fac0403f05ae692db Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Thu, 28 Nov 2013 05:39:03 +0000 +Subject: drm/qxl: fix memory leak in release list handling + +wow no idea how I got this far without seeing this, +leaking the entries in the list makes kmalloc-64 slab grow. + +References: https://bugzilla.kernel.org/show_bug.cgi?id=65121 +Cc: stable@vger.kernel.org +Reported-by: Matthew Stapleton +Signed-off-by: Dave Airlie +--- +diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c +index 0109a96..821ab7b 100644 +--- a/drivers/gpu/drm/qxl/qxl_release.c ++++ b/drivers/gpu/drm/qxl/qxl_release.c +@@ -92,6 +92,7 @@ qxl_release_free(struct qxl_device *qdev, + - DRM_FILE_OFFSET); + qxl_fence_remove_release(&bo->fence, release->id); + qxl_bo_unref(&bo); ++ kfree(entry); + } + spin_lock(&qdev->release_idr_lock); + idr_remove(&qdev->release_idr, release->id); +-- +cgit v0.9.0.2-2-gbebe diff --git a/kernel.spec b/kernel.spec index aa318b36f..79afc58c3 100644 --- a/kernel.spec +++ b/kernel.spec @@ -781,6 +781,7 @@ Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch Patch25143: drm-qxl-backport-fixes-for-Fedora.patch +Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch @@ -1549,6 +1550,7 @@ ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch +ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch @@ -2400,6 +2402,9 @@ fi # and build. %changelog +* Fri Nov 29 2013 Josh Boyer +- Fix memory leak in qxl (from Dave Airlie) + * Tue Nov 26 2013 Josh Boyer - Add patch to fix usbnet URB handling (rhbz 998342) - Fix crash in via-velocity driver (rhbz 1022733) From 7a153f806f154bbd54be9ca98812f407ef68f7c8 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Fri, 29 Nov 2013 14:00:07 -0500 Subject: [PATCH 279/468] Linux v3.11.10 --- ...-prevent-invalid-pointer-dereference.patch | 42 ------------- ...-one-error-in-non-block-size-request.patch | 40 ------------- ...ate-csums-properly-with-prealloc-ext.patch | 60 ------------------- kernel.spec | 29 +-------- libertas-potential-oops-in-debugfs.patch | 50 ---------------- sources | 2 +- 6 files changed, 4 insertions(+), 219 deletions(-) delete mode 100644 aacraid-prevent-invalid-pointer-dereference.patch delete mode 100644 ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch delete mode 100644 btrfs-relocate-csums-properly-with-prealloc-ext.patch delete mode 100644 libertas-potential-oops-in-debugfs.patch diff --git a/aacraid-prevent-invalid-pointer-dereference.patch b/aacraid-prevent-invalid-pointer-dereference.patch deleted file mode 100644 index f5517aba9..000000000 --- a/aacraid-prevent-invalid-pointer-dereference.patch +++ /dev/null @@ -1,42 +0,0 @@ -Bugzilla: 1033593 -Upstream-status: 3.13 - -From b4789b8e6be3151a955ade74872822f30e8cd914 Mon Sep 17 00:00:00 2001 -From: Mahesh Rajashekhara -Date: Thu, 31 Oct 2013 14:01:02 +0530 -Subject: [PATCH] aacraid: prevent invalid pointer dereference - -It appears that driver runs into a problem here if fibsize is too small -because we allocate user_srbcmd with fibsize size only but later we -access it until user_srbcmd->sg.count to copy it over to srbcmd. - -It is not correct to test (fibsize < sizeof(*user_srbcmd)) because this -structure already includes one sg element and this is not needed for -commands without data. So, we would recommend to add the following -(instead of test for fibsize == 0). - -Signed-off-by: Mahesh Rajashekhara -Reported-by: Nico Golde -Reported-by: Fabian Yamaguchi -Signed-off-by: Linus Torvalds ---- - drivers/scsi/aacraid/commctrl.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/drivers/scsi/aacraid/commctrl.c b/drivers/scsi/aacraid/commctrl.c -index d85ac1a..fbcd48d 100644 ---- a/drivers/scsi/aacraid/commctrl.c -+++ b/drivers/scsi/aacraid/commctrl.c -@@ -511,7 +511,8 @@ static int aac_send_raw_srb(struct aac_dev* dev, void __user * arg) - goto cleanup; - } - -- if (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr))) { -+ if ((fibsize < (sizeof(struct user_aac_srb) - sizeof(struct user_sgentry))) || -+ (fibsize > (dev->max_fib_size - sizeof(struct aac_fibhdr)))) { - rcode = -EINVAL; - goto cleanup; - } --- -1.8.3.1 - diff --git a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch b/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch deleted file mode 100644 index c8d015491..000000000 --- a/ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch +++ /dev/null @@ -1,40 +0,0 @@ -Stephan Mueller reported to me recently a error in random number generation in -the ansi cprng. If several small requests are made that are less than the -instances block size, the remainder for loop code doesn't increment -rand_data_valid in the last iteration, meaning that the last bytes in the -rand_data buffer gets reused on the subsequent smaller-than-a-block request for -random data. - -The fix is pretty easy, just re-code the for loop to make sure that -rand_data_valid gets incremented appropriately - -Signed-off-by: Neil Horman -Reported-by: Stephan Mueller -CC: Stephan Mueller -CC: Petr Matousek -CC: Herbert Xu -CC: "David S. Miller" ---- - crypto/ansi_cprng.c | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/crypto/ansi_cprng.c b/crypto/ansi_cprng.c -index c0bb377..666f196 100644 ---- a/crypto/ansi_cprng.c -+++ b/crypto/ansi_cprng.c -@@ -230,11 +230,11 @@ remainder: - */ - if (byte_count < DEFAULT_BLK_SZ) { - empty_rbuf: -- for (; ctx->rand_data_valid < DEFAULT_BLK_SZ; -- ctx->rand_data_valid++) { -+ while (ctx->rand_data_valid < DEFAULT_BLK_SZ) { - *ptr = ctx->rand_data[ctx->rand_data_valid]; - ptr++; - byte_count--; -+ ctx->rand_data_valid++; - if (byte_count == 0) - goto done; - } --- -1.8.3.1 diff --git a/btrfs-relocate-csums-properly-with-prealloc-ext.patch b/btrfs-relocate-csums-properly-with-prealloc-ext.patch deleted file mode 100644 index e103f703a..000000000 --- a/btrfs-relocate-csums-properly-with-prealloc-ext.patch +++ /dev/null @@ -1,60 +0,0 @@ -A user reported a problem where they were getting csum errors when running a -balance and running systemd's journal. This is because systemd is awesome and -fallocate()'s its log space and writes into it. Unfortunately we assume that -when we read in all the csums for an extent that they are sequential starting at -the bytenr we care about. This obviously isn't the case for prealloc extents, -where we could have written to the middle of the prealloc extent only, which -means the csum would be for the bytenr in the middle of our range and not the -front of our range. Fix this by offsetting the new bytenr we are logging to -based on the original bytenr the csum was for. With this patch I no longer see -the csum errors I was seeing. Thanks, - -Cc: stable@xxxxxxxxxxxxxxx -Reported-by: Chris Murphy -Signed-off-by: Josef Bacik ---- - fs/btrfs/relocation.c | 18 +++++++++++++++--- - 1 file changed, 15 insertions(+), 3 deletions(-) - -diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c -index 5ca7ea9..b7afeaa 100644 ---- a/fs/btrfs/relocation.c -+++ b/fs/btrfs/relocation.c -@@ -4472,6 +4472,7 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) - struct btrfs_root *root = BTRFS_I(inode)->root; - int ret; - u64 disk_bytenr; -+ u64 new_bytenr; - LIST_HEAD(list); - - ordered = btrfs_lookup_ordered_extent(inode, file_pos); -@@ -4483,13 +4484,24 @@ int btrfs_reloc_clone_csums(struct inode *inode, u64 file_pos, u64 len) - if (ret) - goto out; - -- disk_bytenr = ordered->start; - while (!list_empty(&list)) { - sums = list_entry(list.next, struct btrfs_ordered_sum, list); - list_del_init(&sums->list); - -- sums->bytenr = disk_bytenr; -- disk_bytenr += sums->len; -+ /* -+ * We need to offset the new_bytenr based on where the csum is. -+ * We need to do this because we will read in entire prealloc -+ * extents but we may have written to say the middle of the -+ * prealloc extent, so we need to make sure the csum goes with -+ * the right disk offset. -+ * -+ * We can do this because the data reloc inode refers strictly -+ * to the on disk bytes, so we don't have to worry about -+ * disk_len vs real len like with real inodes since it's all -+ * disk length. -+ */ -+ new_bytenr = ordered->start + (sums->bytenr - disk_bytenr); -+ sums->bytenr = new_bytenr; - - btrfs_add_ordered_sum(inode, ordered, sums); - } --- -1.8.3.1 diff --git a/kernel.spec b/kernel.spec index 79afc58c3..0c22f7196 100644 --- a/kernel.spec +++ b/kernel.spec @@ -74,7 +74,7 @@ Summary: The Linux kernel %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 9 +%define stable_update 10 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -726,9 +726,6 @@ Patch25057: iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -Patch25104: ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch @@ -765,9 +762,6 @@ Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch Patch25130: fix-radeon-sound.patch Patch25149: drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -Patch25131: btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 Patch25132: rt2800usb-slow-down-TX-status-polling.patch @@ -806,12 +800,6 @@ Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -Patch25155: libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -Patch25156: aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch @@ -1495,9 +1483,6 @@ ApplyPatch iwl4965-better-skb-management-in-rx-path.patch #rhbz 963715 ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch -#CVE-2013-4345 rhbz 1007690 1009136 -ApplyPatch ansi_cprng-Fix-off-by-one-error-in-non-block-size-request.patch - #rhbz 985522 ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch @@ -1534,9 +1519,6 @@ ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch ApplyPatch fix-radeon-sound.patch ApplyPatch drm-radeon-24hz-audio-fixes.patch -#rhbz 1011714 -ApplyPatch btrfs-relocate-csums-properly-with-prealloc-ext.patch - #rhbz 984696 ApplyPatch rt2800usb-slow-down-TX-status-polling.patch @@ -1575,12 +1557,6 @@ ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch -#CVE-2013-6378 rhbz 1033578 1034183 -ApplyPatch libertas-potential-oops-in-debugfs.patch - -#CVE-2013-6380 rhbz 1033593 1034304 -ApplyPatch aacraid-prevent-invalid-pointer-dereference.patch - #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch @@ -2402,7 +2378,8 @@ fi # and build. %changelog -* Fri Nov 29 2013 Josh Boyer +* Fri Nov 29 2013 Josh Boyer - 3.11.10-200 +- Linux v3.11.10 - Fix memory leak in qxl (from Dave Airlie) * Tue Nov 26 2013 Josh Boyer diff --git a/libertas-potential-oops-in-debugfs.patch b/libertas-potential-oops-in-debugfs.patch deleted file mode 100644 index 02e72d8f9..000000000 --- a/libertas-potential-oops-in-debugfs.patch +++ /dev/null @@ -1,50 +0,0 @@ -Bugzilla: 1034183 -Upstream-status: 3.13 - -From a497e47d4aec37aaf8f13509f3ef3d1f6a717d88 Mon Sep 17 00:00:00 2001 -From: Dan Carpenter -Date: Wed, 30 Oct 2013 20:12:51 +0300 -Subject: [PATCH] libertas: potential oops in debugfs - -If we do a zero size allocation then it will oops. Also we can't be -sure the user passes us a NUL terminated string so I've added a -terminator. - -This code can only be triggered by root. - -Reported-by: Nico Golde -Reported-by: Fabian Yamaguchi -Signed-off-by: Dan Carpenter -Acked-by: Dan Williams -Signed-off-by: John W. Linville ---- - drivers/net/wireless/libertas/debugfs.c | 6 +++++- - 1 file changed, 5 insertions(+), 1 deletion(-) - -diff --git a/drivers/net/wireless/libertas/debugfs.c b/drivers/net/wireless/libertas/debugfs.c -index 668dd27..cc6a0a5 100644 ---- a/drivers/net/wireless/libertas/debugfs.c -+++ b/drivers/net/wireless/libertas/debugfs.c -@@ -913,7 +913,10 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - char *p2; - struct debug_data *d = f->private_data; - -- pdata = kmalloc(cnt, GFP_KERNEL); -+ if (cnt == 0) -+ return 0; -+ -+ pdata = kmalloc(cnt + 1, GFP_KERNEL); - if (pdata == NULL) - return 0; - -@@ -922,6 +925,7 @@ static ssize_t lbs_debugfs_write(struct file *f, const char __user *buf, - kfree(pdata); - return 0; - } -+ pdata[cnt] = '\0'; - - p0 = pdata; - for (i = 0; i < num_of_items; i++) { --- -1.8.3.1 - diff --git a/sources b/sources index 391b9ff05..c634d10c0 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -6cea7db9419cefdf4c3a4bcc89bf904b patch-3.11.9.xz +c918da07cf5ad4240945ae56c4de3bc0 patch-3.11.10.xz From ac4525b5ee34a38915282e0b25cd2b4edc6355d0 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 30 Nov 2013 09:12:19 -0500 Subject: [PATCH 280/468] Add bugzilla and upstream-status fields to qxl memory leak patch --- drm-qxl-fix-memory-leak-in-release-list-handling.patch | 3 +++ 1 file changed, 3 insertions(+) diff --git a/drm-qxl-fix-memory-leak-in-release-list-handling.patch b/drm-qxl-fix-memory-leak-in-release-list-handling.patch index 542d0276d..8ed4819f2 100644 --- a/drm-qxl-fix-memory-leak-in-release-list-handling.patch +++ b/drm-qxl-fix-memory-leak-in-release-list-handling.patch @@ -1,3 +1,6 @@ +Bugzilla: N/A +Upstream-status: 3.13 + From 1b28c3e628315ac0d9ef2d3fac0403f05ae692db Mon Sep 17 00:00:00 2001 From: Dave Airlie Date: Thu, 28 Nov 2013 05:39:03 +0000 From 0273faa5e460494f9722e59e8b81f324f1010966 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Sat, 30 Nov 2013 13:35:27 -0500 Subject: [PATCH 281/468] CVE-2013-6405 net: leak of uninited mem to userspace via recv syscalls (rhbz 1035875 1035887) --- ...t-in-recv_error-and-rxpmtu-functions.patch | 253 +++++++++++++++++ ...kage-of-uninitialized-memory-to-user.patch | 256 ++++++++++++++++++ kernel.spec | 11 + 3 files changed, 520 insertions(+) create mode 100644 inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch create mode 100644 inet-prevent-leakage-of-uninitialized-memory-to-user.patch diff --git a/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch b/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch new file mode 100644 index 000000000..b76fd2a36 --- /dev/null +++ b/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch @@ -0,0 +1,253 @@ +Bugzilla: 1035887 +Upstream-status: 3.13 + +From 4be402ba6158068d53ab0268f1affa9d82dae2ec Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Fri, 22 Nov 2013 23:46:12 +0000 +Subject: [PATCH] inet: fix addr_len/msg->msg_namelen assignment in recv_error + and rxpmtu functions + +Commit bceaa90240b6019ed73b49965eac7d167610be69 ("inet: prevent leakage +of uninitialized memory to user in recv syscalls") conditionally updated +addr_len if the msg_name is written to. The recv_error and rxpmtu +functions relied on the recvmsg functions to set up addr_len before. + +As this does not happen any more we have to pass addr_len to those +functions as well and set it to the size of the corresponding sockaddr +length. + +This broke traceroute and such. + +Fixes: bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") +Reported-by: Brad Spengler +Reported-by: Tom Labanowski +Cc: mpb +Cc: David S. Miller +Cc: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + include/net/ip.h | 2 +- + include/net/ipv6.h | 4 ++-- + include/net/ping.h | 3 ++- + net/ipv4/ip_sockglue.c | 3 ++- + net/ipv4/ping.c | 5 +++-- + net/ipv4/raw.c | 2 +- + net/ipv4/udp.c | 2 +- + net/ipv6/datagram.c | 7 +++++-- + net/ipv6/ping.c | 3 ++- + net/ipv6/raw.c | 4 ++-- + net/ipv6/udp.c | 4 ++-- + net/l2tp/l2tp_ip6.c | 2 +- + 12 files changed, 24 insertions(+), 17 deletions(-) + +diff --git a/include/net/ip.h b/include/net/ip.h +index 5e52688..301f10c 100644 +--- a/include/net/ip.h ++++ b/include/net/ip.h +@@ -464,7 +464,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level, + int optname, char __user *optval, int __user *optlen); + extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *)); + +-extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len); ++extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); + extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, + __be16 port, u32 info, u8 *payload); + extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport, +diff --git a/include/net/ipv6.h b/include/net/ipv6.h +index bbf1c8f..5529d79 100644 +--- a/include/net/ipv6.h ++++ b/include/net/ipv6.h +@@ -802,8 +802,8 @@ extern int compat_ipv6_getsockopt(struct sock *sk, + extern int ip6_datagram_connect(struct sock *sk, + struct sockaddr *addr, int addr_len); + +-extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len); +-extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len); ++extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); ++extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, int *addr_len); + extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, + u32 info, u8 *payload); + extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); +diff --git a/include/net/ping.h b/include/net/ping.h +index 5db0224..2b496e9 100644 +--- a/include/net/ping.h ++++ b/include/net/ping.h +@@ -31,7 +31,8 @@ + + /* Compatibility glue so we can support IPv6 when it's compiled as a module */ + struct pingv6_ops { +- int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len); ++ int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len); + int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg, + struct sk_buff *skb); + int (*icmpv6_err_convert)(u8 type, u8 code, int *err); +diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c +index d9c4f11..23e6ab0 100644 +--- a/net/ipv4/ip_sockglue.c ++++ b/net/ipv4/ip_sockglue.c +@@ -368,7 +368,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf + /* + * Handle MSG_ERRQUEUE + */ +-int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) ++int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { + struct sock_exterr_skb *serr; + struct sk_buff *skb, *skb2; +@@ -405,6 +405,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) + serr->addr_offset); + sin->sin_port = serr->port; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 92fb6ff..ac31877 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -838,10 +838,11 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + + if (flags & MSG_ERRQUEUE) { + if (family == AF_INET) { +- return ip_recv_error(sk, msg, len); ++ return ip_recv_error(sk, msg, len, addr_len); + #if IS_ENABLED(CONFIG_IPV6) + } else if (family == AF_INET6) { +- return pingv6_ops.ipv6_recv_error(sk, msg, len); ++ return pingv6_ops.ipv6_recv_error(sk, msg, len, ++ addr_len); + #endif + } + } +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index ca4c3f1..7d3db78 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -695,7 +695,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + goto out; + + if (flags & MSG_ERRQUEUE) { +- err = ip_recv_error(sk, msg, len); ++ err = ip_recv_error(sk, msg, len, addr_len); + goto out; + } + +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index a7003de..1ef8794 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1210,7 +1210,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + bool slow; + + if (flags & MSG_ERRQUEUE) +- return ip_recv_error(sk, msg, len); ++ return ip_recv_error(sk, msg, len, addr_len); + + try_again: + skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), +diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c +index 48b6bd2..7a0fd80 100644 +--- a/net/ipv6/datagram.c ++++ b/net/ipv6/datagram.c +@@ -318,7 +318,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) + /* + * Handle MSG_ERRQUEUE + */ +-int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) ++int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct sock_exterr_skb *serr; +@@ -369,6 +369,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) + &sin->sin6_addr); + sin->sin6_scope_id = 0; + } ++ *addr_len = sizeof(*sin); + } + + memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); +@@ -423,7 +424,8 @@ EXPORT_SYMBOL_GPL(ipv6_recv_error); + /* + * Handle IPV6_RECVPATHMTU + */ +-int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) ++int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len) + { + struct ipv6_pinfo *np = inet6_sk(sk); + struct sk_buff *skb; +@@ -457,6 +459,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) + sin->sin6_port = 0; + sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id; + sin->sin6_addr = mtu_info.ip6m_addr.sin6_addr; ++ *addr_len = sizeof(*sin); + } + + put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info); +diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c +index 18f19df..7856e96 100644 +--- a/net/ipv6/ping.c ++++ b/net/ipv6/ping.c +@@ -57,7 +57,8 @@ static struct inet_protosw pingv6_protosw = { + + + /* Compatibility glue so we can support IPv6 when it's compiled as a module */ +-static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) ++static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, ++ int *addr_len) + { + return -EAFNOSUPPORT; + } +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 2f303bf..430067c 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -467,10 +467,10 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, + return -EOPNOTSUPP; + + if (flags & MSG_ERRQUEUE) +- return ipv6_recv_error(sk, msg, len); ++ return ipv6_recv_error(sk, msg, len, addr_len); + + if (np->rxpmtu && np->rxopt.bits.rxpmtu) +- return ipv6_recv_rxpmtu(sk, msg, len); ++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); + + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index a59beed..3d2758d 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -375,10 +375,10 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, + bool slow; + + if (flags & MSG_ERRQUEUE) +- return ipv6_recv_error(sk, msg, len); ++ return ipv6_recv_error(sk, msg, len, addr_len); + + if (np->rxpmtu && np->rxopt.bits.rxpmtu) +- return ipv6_recv_rxpmtu(sk, msg, len); ++ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); + + try_again: + skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), +diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c +index b8a6039..e6e8408 100644 +--- a/net/l2tp/l2tp_ip6.c ++++ b/net/l2tp/l2tp_ip6.c +@@ -665,7 +665,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk, + *addr_len = sizeof(*lsa); + + if (flags & MSG_ERRQUEUE) +- return ipv6_recv_error(sk, msg, len); ++ return ipv6_recv_error(sk, msg, len, addr_len); + + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) +-- +1.8.3.1 + diff --git a/inet-prevent-leakage-of-uninitialized-memory-to-user.patch b/inet-prevent-leakage-of-uninitialized-memory-to-user.patch new file mode 100644 index 000000000..c5b941134 --- /dev/null +++ b/inet-prevent-leakage-of-uninitialized-memory-to-user.patch @@ -0,0 +1,256 @@ +Bugzilla: 1035887 +Upstream-status: 3.13 + +From bceaa90240b6019ed73b49965eac7d167610be69 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Mon, 18 Nov 2013 04:20:45 +0100 +Subject: [PATCH] inet: prevent leakage of uninitialized memory to user in recv + syscalls + +Only update *addr_len when we actually fill in sockaddr, otherwise we +can return uninitialized memory from the stack to the caller in the +recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) +checks because we only get called with a valid addr_len pointer either +from sock_common_recvmsg or inet_recvmsg. + +If a blocking read waits on a socket which is concurrently shut down we +now return zero and set msg_msgnamelen to 0. + +Reported-by: mpb +Suggested-by: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +--- + net/ieee802154/dgram.c | 3 +-- + net/ipv4/ping.c | 19 +++++++------------ + net/ipv4/raw.c | 4 +--- + net/ipv4/udp.c | 7 +------ + net/ipv6/raw.c | 4 +--- + net/ipv6/udp.c | 5 +---- + net/l2tp/l2tp_ip.c | 4 +--- + net/phonet/datagram.c | 9 ++++----- + 8 files changed, 17 insertions(+), 38 deletions(-) + +diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c +index 581a595..1865fdf 100644 +--- a/net/ieee802154/dgram.c ++++ b/net/ieee802154/dgram.c +@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk, + if (saddr) { + saddr->family = AF_IEEE802154; + saddr->addr = mac_cb(skb)->sa; +- } +- if (addr_len) + *addr_len = sizeof(*saddr); ++ } + + if (flags & MSG_TRUNC) + copied = skb->len; +diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c +index 9afbdb1..aacefa0 100644 +--- a/net/ipv4/ping.c ++++ b/net/ipv4/ping.c +@@ -830,8 +830,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + { + struct inet_sock *isk = inet_sk(sk); + int family = sk->sk_family; +- struct sockaddr_in *sin; +- struct sockaddr_in6 *sin6; + struct sk_buff *skb; + int copied, err; + +@@ -841,13 +839,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + if (flags & MSG_OOB) + goto out; + +- if (addr_len) { +- if (family == AF_INET) +- *addr_len = sizeof(*sin); +- else if (family == AF_INET6 && addr_len) +- *addr_len = sizeof(*sin6); +- } +- + if (flags & MSG_ERRQUEUE) { + if (family == AF_INET) { + return ip_recv_error(sk, msg, len); +@@ -877,11 +868,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + + /* Copy the address and add cmsg data. */ + if (family == AF_INET) { +- sin = (struct sockaddr_in *) msg->msg_name; ++ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; ++ + sin->sin_family = AF_INET; + sin->sin_port = 0 /* skb->h.uh->source */; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + + if (isk->cmsg_flags) + ip_cmsg_recv(msg, skb); +@@ -890,17 +883,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + } else if (family == AF_INET6) { + struct ipv6_pinfo *np = inet6_sk(sk); + struct ipv6hdr *ip6 = ipv6_hdr(skb); +- sin6 = (struct sockaddr_in6 *) msg->msg_name; ++ struct sockaddr_in6 *sin6 = ++ (struct sockaddr_in6 *)msg->msg_name; ++ + sin6->sin6_family = AF_INET6; + sin6->sin6_port = 0; + sin6->sin6_addr = ip6->saddr; +- + sin6->sin6_flowinfo = 0; + if (np->sndflow) + sin6->sin6_flowinfo = ip6_flowinfo(ip6); + + sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, + IP6CB(skb)->iif); ++ *addr_len = sizeof(*sin6); + + if (inet6_sk(sk)->rxopt.all) + pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb); +diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c +index 41e1d28..5cb8ddb 100644 +--- a/net/ipv4/raw.c ++++ b/net/ipv4/raw.c +@@ -696,9 +696,6 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*sin); +- + if (flags & MSG_ERRQUEUE) { + err = ip_recv_error(sk, msg, len); + goto out; +@@ -726,6 +723,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + sin->sin_port = 0; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c +index 89909dd..998431c 100644 +--- a/net/ipv4/udp.c ++++ b/net/ipv4/udp.c +@@ -1235,12 +1235,6 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, + int is_udplite = IS_UDPLITE(sk); + bool slow; + +- /* +- * Check any passed addresses +- */ +- if (addr_len) +- *addr_len = sizeof(*sin); +- + if (flags & MSG_ERRQUEUE) + return ip_recv_error(sk, msg, len); + +@@ -1302,6 +1296,7 @@ try_again: + sin->sin_port = udp_hdr(skb)->source; + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c +index 3c00842..e24ff1d 100644 +--- a/net/ipv6/raw.c ++++ b/net/ipv6/raw.c +@@ -465,9 +465,6 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, + if (flags & MSG_OOB) + return -EOPNOTSUPP; + +- if (addr_len) +- *addr_len=sizeof(*sin6); +- + if (flags & MSG_ERRQUEUE) + return ipv6_recv_error(sk, msg, len); + +@@ -506,6 +503,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, + sin6->sin6_flowinfo = 0; + sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, + IP6CB(skb)->iif); ++ *addr_len = sizeof(*sin6); + } + + sock_recv_ts_and_drops(msg, sk, skb); +diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c +index f3893e8..81eb8cf 100644 +--- a/net/ipv6/udp.c ++++ b/net/ipv6/udp.c +@@ -392,9 +392,6 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, + int is_udp4; + bool slow; + +- if (addr_len) +- *addr_len = sizeof(struct sockaddr_in6); +- + if (flags & MSG_ERRQUEUE) + return ipv6_recv_error(sk, msg, len); + +@@ -480,7 +477,7 @@ try_again: + ipv6_iface_scope_id(&sin6->sin6_addr, + IP6CB(skb)->iif); + } +- ++ *addr_len = sizeof(*sin6); + } + if (is_udp4) { + if (inet->cmsg_flags) +diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c +index 571db8d..da1a1ce 100644 +--- a/net/l2tp/l2tp_ip.c ++++ b/net/l2tp/l2tp_ip.c +@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + if (flags & MSG_OOB) + goto out; + +- if (addr_len) +- *addr_len = sizeof(*sin); +- + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) + goto out; +@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m + sin->sin_addr.s_addr = ip_hdr(skb)->saddr; + sin->sin_port = 0; + memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); ++ *addr_len = sizeof(*sin); + } + if (inet->cmsg_flags) + ip_cmsg_recv(msg, skb); +diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c +index 12c30f3..38946b2 100644 +--- a/net/phonet/datagram.c ++++ b/net/phonet/datagram.c +@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, + MSG_CMSG_COMPAT)) + goto out_nofree; + +- if (addr_len) +- *addr_len = sizeof(sa); +- + skb = skb_recv_datagram(sk, flags, noblock, &rval); + if (skb == NULL) + goto out_nofree; +@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, + + rval = (flags & MSG_TRUNC) ? skb->len : copylen; + +- if (msg->msg_name != NULL) +- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); ++ if (msg->msg_name != NULL) { ++ memcpy(msg->msg_name, &sa, sizeof(sa)); ++ *addr_len = sizeof(sa); ++ } + + out: + skb_free_datagram(sk, skb); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 0c22f7196..523f95ac7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -809,6 +809,10 @@ Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch #rhbz 998342 Patch25159: usbnet-fix-status-interrupt-urb-handling.patch +#CVE-2013-6405 rhbz 1035875 1035887 +Patch25161: inet-prevent-leakage-of-uninitialized-memory-to-user.patch +Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch + # END OF PATCH DEFINITIONS %endif @@ -1566,6 +1570,10 @@ ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch #rhbz 998342 ApplyPatch usbnet-fix-status-interrupt-urb-handling.patch +#CVE-2013-6405 rhbz 1035875 1035887 +ApplyPatch inet-prevent-leakage-of-uninitialized-memory-to-user.patch +ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch + # END OF PATCH APPLICATIONS %endif @@ -2378,6 +2386,9 @@ fi # and build. %changelog +* Sat Nov 30 2013 Josh Boyer +- CVE-2013-6405 net: leak of uninited mem to userspace via recv syscalls (rhbz 1035875 1035887) + * Fri Nov 29 2013 Josh Boyer - 3.11.10-200 - Linux v3.11.10 - Fix memory leak in qxl (from Dave Airlie) From 98c97deecfbfe2d195534e9077ffb074e860927a Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 3 Dec 2013 09:09:55 -0500 Subject: [PATCH 282/468] Add patches to fix rfkill switch on Dell machines (rhbz 958826) --- ...evert-dell-laptop-Remove-rfkill-code.patch | 399 ++++++++++++++++++ ...ptop-Only-enable-rfkill-on-Latitudes.patch | 104 +++++ kernel.spec | 11 + 3 files changed, 514 insertions(+) create mode 100644 0001-Revert-dell-laptop-Remove-rfkill-code.patch create mode 100644 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch diff --git a/0001-Revert-dell-laptop-Remove-rfkill-code.patch b/0001-Revert-dell-laptop-Remove-rfkill-code.patch new file mode 100644 index 000000000..c9bf8c5ab --- /dev/null +++ b/0001-Revert-dell-laptop-Remove-rfkill-code.patch @@ -0,0 +1,399 @@ +Bugzilla: 958826 +Upstream-status: 3.13 + +From 4cc8a57425c623753b10b77b15392e5b83baa5a3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:16 +0100 +Subject: [PATCH 1/2] Revert "dell-laptop: Remove rfkill code" + +Without rfkill functionality in dell-laptop I have the following problems: +-If the hardware radio switch is set to disable the radio, then userspace + will still think it can use wireless and bluetooth. +-The wwan / 3g modem cannot be soft blocked without the dell-laptop rfkill + functionality + +I know the rfkill functionality was removed from the dell-laptop driver because +it caused more problems then it fixed, and the blacklist for it was growing out +of control. + +But in the thread discussing this Dell mentioned that they only QA the rfkill +acpi interface on Latitudes and indeed there have been no blacklist entries +for Latitudes. Therefor I would like to bring the rfkill functionality back +only for Latitudes. This patch is a straight-forward revert. The next patch +in this set will drop the blacklist and replace it with a Latitude check. + +This reverts commit a6c2390cd6d2083d27a2359658e08f2d3df375ac. + +Conflicts: + drivers/platform/x86/dell-laptop.c + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 289 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 289 insertions(+) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index bb77e18..55f75a2 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -89,6 +90,9 @@ static struct platform_driver platform_driver = { + + static struct platform_device *platform_device; + static struct backlight_device *dell_backlight_device; ++static struct rfkill *wifi_rfkill; ++static struct rfkill *bluetooth_rfkill; ++static struct rfkill *wwan_rfkill; + + static const struct dmi_system_id dell_device_table[] __initconst = { + { +@@ -115,6 +119,53 @@ static const struct dmi_system_id dell_device_table[] __initconst = { + }; + MODULE_DEVICE_TABLE(dmi, dell_device_table); + ++static struct dmi_system_id dell_blacklist[] = { ++ /* Supported by compal-laptop */ ++ { ++ .ident = "Dell Mini 9", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 10", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 10v", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 1012", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), ++ }, ++ }, ++ { ++ .ident = "Dell Inspiron 11z", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 12", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), ++ }, ++ }, ++ {} ++}; ++ + static struct dmi_system_id dell_quirks[] = { + { + .callback = dmi_matched, +@@ -355,6 +406,94 @@ dell_send_request(struct calling_interface_buffer *buffer, int class, + return buffer; + } + ++/* Derived from information in DellWirelessCtl.cpp: ++ Class 17, select 11 is radio control. It returns an array of 32-bit values. ++ ++ Input byte 0 = 0: Wireless information ++ ++ result[0]: return code ++ result[1]: ++ Bit 0: Hardware switch supported ++ Bit 1: Wifi locator supported ++ Bit 2: Wifi is supported ++ Bit 3: Bluetooth is supported ++ Bit 4: WWAN is supported ++ Bit 5: Wireless keyboard supported ++ Bits 6-7: Reserved ++ Bit 8: Wifi is installed ++ Bit 9: Bluetooth is installed ++ Bit 10: WWAN is installed ++ Bits 11-15: Reserved ++ Bit 16: Hardware switch is on ++ Bit 17: Wifi is blocked ++ Bit 18: Bluetooth is blocked ++ Bit 19: WWAN is blocked ++ Bits 20-31: Reserved ++ result[2]: NVRAM size in bytes ++ result[3]: NVRAM format version number ++ ++ Input byte 0 = 2: Wireless switch configuration ++ result[0]: return code ++ result[1]: ++ Bit 0: Wifi controlled by switch ++ Bit 1: Bluetooth controlled by switch ++ Bit 2: WWAN controlled by switch ++ Bits 3-6: Reserved ++ Bit 7: Wireless switch config locked ++ Bit 8: Wifi locator enabled ++ Bits 9-14: Reserved ++ Bit 15: Wifi locator setting locked ++ Bits 16-31: Reserved ++*/ ++ ++static int dell_rfkill_set(void *data, bool blocked) ++{ ++ int disable = blocked ? 1 : 0; ++ unsigned long radio = (unsigned long)data; ++ int hwswitch_bit = (unsigned long)data - 1; ++ int ret = 0; ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ ++ /* If the hardware switch controls this radio, and the hardware ++ switch is disabled, don't allow changing the software state */ ++ if ((hwswitch_state & BIT(hwswitch_bit)) && ++ !(buffer->output[1] & BIT(16))) { ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ buffer->input[0] = (1 | (radio<<8) | (disable << 16)); ++ dell_send_request(buffer, 17, 11); ++ ++out: ++ release_buffer(); ++ return ret; ++} ++ ++static void dell_rfkill_query(struct rfkill *rfkill, void *data) ++{ ++ int status; ++ int bit = (unsigned long)data + 16; ++ int hwswitch_bit = (unsigned long)data - 1; ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ status = buffer->output[1]; ++ release_buffer(); ++ ++ rfkill_set_sw_state(rfkill, !!(status & BIT(bit))); ++ ++ if (hwswitch_state & (BIT(hwswitch_bit))) ++ rfkill_set_hw_state(rfkill, !(status & BIT(16))); ++} ++ ++static const struct rfkill_ops dell_rfkill_ops = { ++ .set_block = dell_rfkill_set, ++ .query = dell_rfkill_query, ++}; ++ + static struct dentry *dell_laptop_dir; + + static int dell_debugfs_show(struct seq_file *s, void *data) +@@ -424,6 +563,108 @@ static const struct file_operations dell_debugfs_fops = { + .release = single_release, + }; + ++static void dell_update_rfkill(struct work_struct *ignored) ++{ ++ if (wifi_rfkill) ++ dell_rfkill_query(wifi_rfkill, (void *)1); ++ if (bluetooth_rfkill) ++ dell_rfkill_query(bluetooth_rfkill, (void *)2); ++ if (wwan_rfkill) ++ dell_rfkill_query(wwan_rfkill, (void *)3); ++} ++static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); ++ ++ ++static int __init dell_setup_rfkill(void) ++{ ++ int status; ++ int ret; ++ ++ if (dmi_check_system(dell_blacklist)) { ++ pr_info("Blacklisted hardware detected - not enabling rfkill\n"); ++ return 0; ++ } ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ status = buffer->output[1]; ++ buffer->input[0] = 0x2; ++ dell_send_request(buffer, 17, 11); ++ hwswitch_state = buffer->output[1]; ++ release_buffer(); ++ ++ if ((status & (1<<2|1<<8)) == (1<<2|1<<8)) { ++ wifi_rfkill = rfkill_alloc("dell-wifi", &platform_device->dev, ++ RFKILL_TYPE_WLAN, ++ &dell_rfkill_ops, (void *) 1); ++ if (!wifi_rfkill) { ++ ret = -ENOMEM; ++ goto err_wifi; ++ } ++ ret = rfkill_register(wifi_rfkill); ++ if (ret) ++ goto err_wifi; ++ } ++ ++ if ((status & (1<<3|1<<9)) == (1<<3|1<<9)) { ++ bluetooth_rfkill = rfkill_alloc("dell-bluetooth", ++ &platform_device->dev, ++ RFKILL_TYPE_BLUETOOTH, ++ &dell_rfkill_ops, (void *) 2); ++ if (!bluetooth_rfkill) { ++ ret = -ENOMEM; ++ goto err_bluetooth; ++ } ++ ret = rfkill_register(bluetooth_rfkill); ++ if (ret) ++ goto err_bluetooth; ++ } ++ ++ if ((status & (1<<4|1<<10)) == (1<<4|1<<10)) { ++ wwan_rfkill = rfkill_alloc("dell-wwan", ++ &platform_device->dev, ++ RFKILL_TYPE_WWAN, ++ &dell_rfkill_ops, (void *) 3); ++ if (!wwan_rfkill) { ++ ret = -ENOMEM; ++ goto err_wwan; ++ } ++ ret = rfkill_register(wwan_rfkill); ++ if (ret) ++ goto err_wwan; ++ } ++ ++ return 0; ++err_wwan: ++ rfkill_destroy(wwan_rfkill); ++ if (bluetooth_rfkill) ++ rfkill_unregister(bluetooth_rfkill); ++err_bluetooth: ++ rfkill_destroy(bluetooth_rfkill); ++ if (wifi_rfkill) ++ rfkill_unregister(wifi_rfkill); ++err_wifi: ++ rfkill_destroy(wifi_rfkill); ++ ++ return ret; ++} ++ ++static void dell_cleanup_rfkill(void) ++{ ++ if (wifi_rfkill) { ++ rfkill_unregister(wifi_rfkill); ++ rfkill_destroy(wifi_rfkill); ++ } ++ if (bluetooth_rfkill) { ++ rfkill_unregister(bluetooth_rfkill); ++ rfkill_destroy(bluetooth_rfkill); ++ } ++ if (wwan_rfkill) { ++ rfkill_unregister(wwan_rfkill); ++ rfkill_destroy(wwan_rfkill); ++ } ++} ++ + static int dell_send_intensity(struct backlight_device *bd) + { + int ret = 0; +@@ -515,6 +756,30 @@ static void touchpad_led_exit(void) + led_classdev_unregister(&touchpad_led); + } + ++static bool dell_laptop_i8042_filter(unsigned char data, unsigned char str, ++ struct serio *port) ++{ ++ static bool extended; ++ ++ if (str & 0x20) ++ return false; ++ ++ if (unlikely(data == 0xe0)) { ++ extended = true; ++ return false; ++ } else if (unlikely(extended)) { ++ switch (data) { ++ case 0x8: ++ schedule_delayed_work(&dell_rfkill_work, ++ round_jiffies_relative(HZ)); ++ break; ++ } ++ extended = false; ++ } ++ ++ return false; ++} ++ + static int __init dell_init(void) + { + int max_intensity = 0; +@@ -557,10 +822,26 @@ static int __init dell_init(void) + } + buffer = page_address(bufferpage); + ++ ret = dell_setup_rfkill(); ++ ++ if (ret) { ++ pr_warn("Unable to setup rfkill\n"); ++ goto fail_rfkill; ++ } ++ ++ ret = i8042_install_filter(dell_laptop_i8042_filter); ++ if (ret) { ++ pr_warn("Unable to install key filter\n"); ++ goto fail_filter; ++ } ++ + if (quirks && quirks->touchpad_led) + touchpad_led_init(&platform_device->dev); + + dell_laptop_dir = debugfs_create_dir("dell_laptop", NULL); ++ if (dell_laptop_dir != NULL) ++ debugfs_create_file("rfkill", 0444, dell_laptop_dir, NULL, ++ &dell_debugfs_fops); + + #ifdef CONFIG_ACPI + /* In the event of an ACPI backlight being available, don't +@@ -603,6 +884,11 @@ static int __init dell_init(void) + return 0; + + fail_backlight: ++ i8042_remove_filter(dell_laptop_i8042_filter); ++ cancel_delayed_work_sync(&dell_rfkill_work); ++fail_filter: ++ dell_cleanup_rfkill(); ++fail_rfkill: + free_page((unsigned long)bufferpage); + fail_buffer: + platform_device_del(platform_device); +@@ -620,7 +906,10 @@ static void __exit dell_exit(void) + debugfs_remove_recursive(dell_laptop_dir); + if (quirks && quirks->touchpad_led) + touchpad_led_exit(); ++ i8042_remove_filter(dell_laptop_i8042_filter); ++ cancel_delayed_work_sync(&dell_rfkill_work); + backlight_device_unregister(dell_backlight_device); ++ dell_cleanup_rfkill(); + if (platform_device) { + platform_device_unregister(platform_device); + platform_driver_unregister(&platform_driver); +-- +1.8.3.1 + diff --git a/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch b/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch new file mode 100644 index 000000000..5a80e28be --- /dev/null +++ b/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch @@ -0,0 +1,104 @@ +Bugzilla: 958826 +Upstream-status: 3.13 + +From 2a92551845bbbc8421ba908cd14bbdf065e0f454 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:17 +0100 +Subject: [PATCH 2/2] dell-laptop: Only enable rfkill on Latitudes + +The rfkill functionality was removed from the dell-laptop driver because it +was causing problems on various non Latitude models, and the blacklist kept +growing and growing. In the thread discussing this Dell mentioned that they +only QA the rfkill acpi interface on Latitudes and indeed there have been +no blacklist entries for Latitudes. + +Note that the blacklist contained no Vostros either, and most Vostros have +a hardware switch too, so we could consider supporting Vostros with a +hardware switch too. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 57 +++++--------------------------------- + 1 file changed, 7 insertions(+), 50 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 55f75a2..bae932b 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -119,53 +119,6 @@ static const struct dmi_system_id dell_device_table[] __initconst = { + }; + MODULE_DEVICE_TABLE(dmi, dell_device_table); + +-static struct dmi_system_id dell_blacklist[] = { +- /* Supported by compal-laptop */ +- { +- .ident = "Dell Mini 9", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), +- }, +- }, +- { +- .ident = "Dell Mini 10", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), +- }, +- }, +- { +- .ident = "Dell Mini 10v", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), +- }, +- }, +- { +- .ident = "Dell Mini 1012", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), +- }, +- }, +- { +- .ident = "Dell Inspiron 11z", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), +- }, +- }, +- { +- .ident = "Dell Mini 12", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), +- }, +- }, +- {} +-}; +- + static struct dmi_system_id dell_quirks[] = { + { + .callback = dmi_matched, +@@ -579,11 +532,15 @@ static int __init dell_setup_rfkill(void) + { + int status; + int ret; ++ const char *product; + +- if (dmi_check_system(dell_blacklist)) { +- pr_info("Blacklisted hardware detected - not enabling rfkill\n"); ++ /* ++ * rfkill causes trouble on various non Latitudes, according to Dell ++ * actually testing the rfkill functionality is only done on Latitudes. ++ */ ++ product = dmi_get_system_info(DMI_PRODUCT_NAME); ++ if (!product || strncmp(product, "Latitude", 8)) + return 0; +- } + + get_buffer(); + dell_send_request(buffer, 17, 11); +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index 523f95ac7..a8c02ad2b 100644 --- a/kernel.spec +++ b/kernel.spec @@ -813,6 +813,10 @@ Patch25159: usbnet-fix-status-interrupt-urb-handling.patch Patch25161: inet-prevent-leakage-of-uninitialized-memory-to-user.patch Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch +#rhbz 958826 +Patch25164: 0001-Revert-dell-laptop-Remove-rfkill-code.patch +Patch25165: 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch + # END OF PATCH DEFINITIONS %endif @@ -1574,6 +1578,10 @@ ApplyPatch usbnet-fix-status-interrupt-urb-handling.patch ApplyPatch inet-prevent-leakage-of-uninitialized-memory-to-user.patch ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch +#rhbz 958826 +ApplyPatch 0001-Revert-dell-laptop-Remove-rfkill-code.patch +ApplyPatch 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch + # END OF PATCH APPLICATIONS %endif @@ -2386,6 +2394,9 @@ fi # and build. %changelog +* Tue Dec 03 2013 Josh Boyer +- Add patches to fix rfkill switch on Dell machines (rhbz 958826) + * Sat Nov 30 2013 Josh Boyer - CVE-2013-6405 net: leak of uninited mem to userspace via recv syscalls (rhbz 1035875 1035887) From 4e70dbe2ad8ad2bf0f04b030cdb4ca0f349ba451 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 4 Dec 2013 08:20:09 -0500 Subject: [PATCH 283/468] Update dell-laptop patches with whole series from 3.13 All of them are needed so it works on most Latitude machines. Otherwise it's hit or miss --- ...evert-dell-laptop-Remove-rfkill-code.patch | 399 ------- ...ptop-Only-enable-rfkill-on-Latitudes.patch | 104 -- dell-laptop.patch | 1017 +++++++++++++++++ kernel.spec | 6 +- 4 files changed, 1019 insertions(+), 507 deletions(-) delete mode 100644 0001-Revert-dell-laptop-Remove-rfkill-code.patch delete mode 100644 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch create mode 100644 dell-laptop.patch diff --git a/0001-Revert-dell-laptop-Remove-rfkill-code.patch b/0001-Revert-dell-laptop-Remove-rfkill-code.patch deleted file mode 100644 index c9bf8c5ab..000000000 --- a/0001-Revert-dell-laptop-Remove-rfkill-code.patch +++ /dev/null @@ -1,399 +0,0 @@ -Bugzilla: 958826 -Upstream-status: 3.13 - -From 4cc8a57425c623753b10b77b15392e5b83baa5a3 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Sun, 17 Nov 2013 14:00:16 +0100 -Subject: [PATCH 1/2] Revert "dell-laptop: Remove rfkill code" - -Without rfkill functionality in dell-laptop I have the following problems: --If the hardware radio switch is set to disable the radio, then userspace - will still think it can use wireless and bluetooth. --The wwan / 3g modem cannot be soft blocked without the dell-laptop rfkill - functionality - -I know the rfkill functionality was removed from the dell-laptop driver because -it caused more problems then it fixed, and the blacklist for it was growing out -of control. - -But in the thread discussing this Dell mentioned that they only QA the rfkill -acpi interface on Latitudes and indeed there have been no blacklist entries -for Latitudes. Therefor I would like to bring the rfkill functionality back -only for Latitudes. This patch is a straight-forward revert. The next patch -in this set will drop the blacklist and replace it with a Latitude check. - -This reverts commit a6c2390cd6d2083d27a2359658e08f2d3df375ac. - -Conflicts: - drivers/platform/x86/dell-laptop.c - -Signed-off-by: Hans de Goede -Signed-off-by: Matthew Garrett ---- - drivers/platform/x86/dell-laptop.c | 289 +++++++++++++++++++++++++++++++++++++ - 1 file changed, 289 insertions(+) - -diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c -index bb77e18..55f75a2 100644 ---- a/drivers/platform/x86/dell-laptop.c -+++ b/drivers/platform/x86/dell-laptop.c -@@ -21,6 +21,7 @@ - #include - #include - #include -+#include - #include - #include - #include -@@ -89,6 +90,9 @@ static struct platform_driver platform_driver = { - - static struct platform_device *platform_device; - static struct backlight_device *dell_backlight_device; -+static struct rfkill *wifi_rfkill; -+static struct rfkill *bluetooth_rfkill; -+static struct rfkill *wwan_rfkill; - - static const struct dmi_system_id dell_device_table[] __initconst = { - { -@@ -115,6 +119,53 @@ static const struct dmi_system_id dell_device_table[] __initconst = { - }; - MODULE_DEVICE_TABLE(dmi, dell_device_table); - -+static struct dmi_system_id dell_blacklist[] = { -+ /* Supported by compal-laptop */ -+ { -+ .ident = "Dell Mini 9", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), -+ }, -+ }, -+ { -+ .ident = "Dell Mini 10", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), -+ }, -+ }, -+ { -+ .ident = "Dell Mini 10v", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), -+ }, -+ }, -+ { -+ .ident = "Dell Mini 1012", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), -+ }, -+ }, -+ { -+ .ident = "Dell Inspiron 11z", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), -+ }, -+ }, -+ { -+ .ident = "Dell Mini 12", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -+ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), -+ }, -+ }, -+ {} -+}; -+ - static struct dmi_system_id dell_quirks[] = { - { - .callback = dmi_matched, -@@ -355,6 +406,94 @@ dell_send_request(struct calling_interface_buffer *buffer, int class, - return buffer; - } - -+/* Derived from information in DellWirelessCtl.cpp: -+ Class 17, select 11 is radio control. It returns an array of 32-bit values. -+ -+ Input byte 0 = 0: Wireless information -+ -+ result[0]: return code -+ result[1]: -+ Bit 0: Hardware switch supported -+ Bit 1: Wifi locator supported -+ Bit 2: Wifi is supported -+ Bit 3: Bluetooth is supported -+ Bit 4: WWAN is supported -+ Bit 5: Wireless keyboard supported -+ Bits 6-7: Reserved -+ Bit 8: Wifi is installed -+ Bit 9: Bluetooth is installed -+ Bit 10: WWAN is installed -+ Bits 11-15: Reserved -+ Bit 16: Hardware switch is on -+ Bit 17: Wifi is blocked -+ Bit 18: Bluetooth is blocked -+ Bit 19: WWAN is blocked -+ Bits 20-31: Reserved -+ result[2]: NVRAM size in bytes -+ result[3]: NVRAM format version number -+ -+ Input byte 0 = 2: Wireless switch configuration -+ result[0]: return code -+ result[1]: -+ Bit 0: Wifi controlled by switch -+ Bit 1: Bluetooth controlled by switch -+ Bit 2: WWAN controlled by switch -+ Bits 3-6: Reserved -+ Bit 7: Wireless switch config locked -+ Bit 8: Wifi locator enabled -+ Bits 9-14: Reserved -+ Bit 15: Wifi locator setting locked -+ Bits 16-31: Reserved -+*/ -+ -+static int dell_rfkill_set(void *data, bool blocked) -+{ -+ int disable = blocked ? 1 : 0; -+ unsigned long radio = (unsigned long)data; -+ int hwswitch_bit = (unsigned long)data - 1; -+ int ret = 0; -+ -+ get_buffer(); -+ dell_send_request(buffer, 17, 11); -+ -+ /* If the hardware switch controls this radio, and the hardware -+ switch is disabled, don't allow changing the software state */ -+ if ((hwswitch_state & BIT(hwswitch_bit)) && -+ !(buffer->output[1] & BIT(16))) { -+ ret = -EINVAL; -+ goto out; -+ } -+ -+ buffer->input[0] = (1 | (radio<<8) | (disable << 16)); -+ dell_send_request(buffer, 17, 11); -+ -+out: -+ release_buffer(); -+ return ret; -+} -+ -+static void dell_rfkill_query(struct rfkill *rfkill, void *data) -+{ -+ int status; -+ int bit = (unsigned long)data + 16; -+ int hwswitch_bit = (unsigned long)data - 1; -+ -+ get_buffer(); -+ dell_send_request(buffer, 17, 11); -+ status = buffer->output[1]; -+ release_buffer(); -+ -+ rfkill_set_sw_state(rfkill, !!(status & BIT(bit))); -+ -+ if (hwswitch_state & (BIT(hwswitch_bit))) -+ rfkill_set_hw_state(rfkill, !(status & BIT(16))); -+} -+ -+static const struct rfkill_ops dell_rfkill_ops = { -+ .set_block = dell_rfkill_set, -+ .query = dell_rfkill_query, -+}; -+ - static struct dentry *dell_laptop_dir; - - static int dell_debugfs_show(struct seq_file *s, void *data) -@@ -424,6 +563,108 @@ static const struct file_operations dell_debugfs_fops = { - .release = single_release, - }; - -+static void dell_update_rfkill(struct work_struct *ignored) -+{ -+ if (wifi_rfkill) -+ dell_rfkill_query(wifi_rfkill, (void *)1); -+ if (bluetooth_rfkill) -+ dell_rfkill_query(bluetooth_rfkill, (void *)2); -+ if (wwan_rfkill) -+ dell_rfkill_query(wwan_rfkill, (void *)3); -+} -+static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); -+ -+ -+static int __init dell_setup_rfkill(void) -+{ -+ int status; -+ int ret; -+ -+ if (dmi_check_system(dell_blacklist)) { -+ pr_info("Blacklisted hardware detected - not enabling rfkill\n"); -+ return 0; -+ } -+ -+ get_buffer(); -+ dell_send_request(buffer, 17, 11); -+ status = buffer->output[1]; -+ buffer->input[0] = 0x2; -+ dell_send_request(buffer, 17, 11); -+ hwswitch_state = buffer->output[1]; -+ release_buffer(); -+ -+ if ((status & (1<<2|1<<8)) == (1<<2|1<<8)) { -+ wifi_rfkill = rfkill_alloc("dell-wifi", &platform_device->dev, -+ RFKILL_TYPE_WLAN, -+ &dell_rfkill_ops, (void *) 1); -+ if (!wifi_rfkill) { -+ ret = -ENOMEM; -+ goto err_wifi; -+ } -+ ret = rfkill_register(wifi_rfkill); -+ if (ret) -+ goto err_wifi; -+ } -+ -+ if ((status & (1<<3|1<<9)) == (1<<3|1<<9)) { -+ bluetooth_rfkill = rfkill_alloc("dell-bluetooth", -+ &platform_device->dev, -+ RFKILL_TYPE_BLUETOOTH, -+ &dell_rfkill_ops, (void *) 2); -+ if (!bluetooth_rfkill) { -+ ret = -ENOMEM; -+ goto err_bluetooth; -+ } -+ ret = rfkill_register(bluetooth_rfkill); -+ if (ret) -+ goto err_bluetooth; -+ } -+ -+ if ((status & (1<<4|1<<10)) == (1<<4|1<<10)) { -+ wwan_rfkill = rfkill_alloc("dell-wwan", -+ &platform_device->dev, -+ RFKILL_TYPE_WWAN, -+ &dell_rfkill_ops, (void *) 3); -+ if (!wwan_rfkill) { -+ ret = -ENOMEM; -+ goto err_wwan; -+ } -+ ret = rfkill_register(wwan_rfkill); -+ if (ret) -+ goto err_wwan; -+ } -+ -+ return 0; -+err_wwan: -+ rfkill_destroy(wwan_rfkill); -+ if (bluetooth_rfkill) -+ rfkill_unregister(bluetooth_rfkill); -+err_bluetooth: -+ rfkill_destroy(bluetooth_rfkill); -+ if (wifi_rfkill) -+ rfkill_unregister(wifi_rfkill); -+err_wifi: -+ rfkill_destroy(wifi_rfkill); -+ -+ return ret; -+} -+ -+static void dell_cleanup_rfkill(void) -+{ -+ if (wifi_rfkill) { -+ rfkill_unregister(wifi_rfkill); -+ rfkill_destroy(wifi_rfkill); -+ } -+ if (bluetooth_rfkill) { -+ rfkill_unregister(bluetooth_rfkill); -+ rfkill_destroy(bluetooth_rfkill); -+ } -+ if (wwan_rfkill) { -+ rfkill_unregister(wwan_rfkill); -+ rfkill_destroy(wwan_rfkill); -+ } -+} -+ - static int dell_send_intensity(struct backlight_device *bd) - { - int ret = 0; -@@ -515,6 +756,30 @@ static void touchpad_led_exit(void) - led_classdev_unregister(&touchpad_led); - } - -+static bool dell_laptop_i8042_filter(unsigned char data, unsigned char str, -+ struct serio *port) -+{ -+ static bool extended; -+ -+ if (str & 0x20) -+ return false; -+ -+ if (unlikely(data == 0xe0)) { -+ extended = true; -+ return false; -+ } else if (unlikely(extended)) { -+ switch (data) { -+ case 0x8: -+ schedule_delayed_work(&dell_rfkill_work, -+ round_jiffies_relative(HZ)); -+ break; -+ } -+ extended = false; -+ } -+ -+ return false; -+} -+ - static int __init dell_init(void) - { - int max_intensity = 0; -@@ -557,10 +822,26 @@ static int __init dell_init(void) - } - buffer = page_address(bufferpage); - -+ ret = dell_setup_rfkill(); -+ -+ if (ret) { -+ pr_warn("Unable to setup rfkill\n"); -+ goto fail_rfkill; -+ } -+ -+ ret = i8042_install_filter(dell_laptop_i8042_filter); -+ if (ret) { -+ pr_warn("Unable to install key filter\n"); -+ goto fail_filter; -+ } -+ - if (quirks && quirks->touchpad_led) - touchpad_led_init(&platform_device->dev); - - dell_laptop_dir = debugfs_create_dir("dell_laptop", NULL); -+ if (dell_laptop_dir != NULL) -+ debugfs_create_file("rfkill", 0444, dell_laptop_dir, NULL, -+ &dell_debugfs_fops); - - #ifdef CONFIG_ACPI - /* In the event of an ACPI backlight being available, don't -@@ -603,6 +884,11 @@ static int __init dell_init(void) - return 0; - - fail_backlight: -+ i8042_remove_filter(dell_laptop_i8042_filter); -+ cancel_delayed_work_sync(&dell_rfkill_work); -+fail_filter: -+ dell_cleanup_rfkill(); -+fail_rfkill: - free_page((unsigned long)bufferpage); - fail_buffer: - platform_device_del(platform_device); -@@ -620,7 +906,10 @@ static void __exit dell_exit(void) - debugfs_remove_recursive(dell_laptop_dir); - if (quirks && quirks->touchpad_led) - touchpad_led_exit(); -+ i8042_remove_filter(dell_laptop_i8042_filter); -+ cancel_delayed_work_sync(&dell_rfkill_work); - backlight_device_unregister(dell_backlight_device); -+ dell_cleanup_rfkill(); - if (platform_device) { - platform_device_unregister(platform_device); - platform_driver_unregister(&platform_driver); --- -1.8.3.1 - diff --git a/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch b/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch deleted file mode 100644 index 5a80e28be..000000000 --- a/0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch +++ /dev/null @@ -1,104 +0,0 @@ -Bugzilla: 958826 -Upstream-status: 3.13 - -From 2a92551845bbbc8421ba908cd14bbdf065e0f454 Mon Sep 17 00:00:00 2001 -From: Hans de Goede -Date: Sun, 17 Nov 2013 14:00:17 +0100 -Subject: [PATCH 2/2] dell-laptop: Only enable rfkill on Latitudes - -The rfkill functionality was removed from the dell-laptop driver because it -was causing problems on various non Latitude models, and the blacklist kept -growing and growing. In the thread discussing this Dell mentioned that they -only QA the rfkill acpi interface on Latitudes and indeed there have been -no blacklist entries for Latitudes. - -Note that the blacklist contained no Vostros either, and most Vostros have -a hardware switch too, so we could consider supporting Vostros with a -hardware switch too. - -Signed-off-by: Hans de Goede -Signed-off-by: Matthew Garrett ---- - drivers/platform/x86/dell-laptop.c | 57 +++++--------------------------------- - 1 file changed, 7 insertions(+), 50 deletions(-) - -diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c -index 55f75a2..bae932b 100644 ---- a/drivers/platform/x86/dell-laptop.c -+++ b/drivers/platform/x86/dell-laptop.c -@@ -119,53 +119,6 @@ static const struct dmi_system_id dell_device_table[] __initconst = { - }; - MODULE_DEVICE_TABLE(dmi, dell_device_table); - --static struct dmi_system_id dell_blacklist[] = { -- /* Supported by compal-laptop */ -- { -- .ident = "Dell Mini 9", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), -- }, -- }, -- { -- .ident = "Dell Mini 10", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), -- }, -- }, -- { -- .ident = "Dell Mini 10v", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), -- }, -- }, -- { -- .ident = "Dell Mini 1012", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), -- }, -- }, -- { -- .ident = "Dell Inspiron 11z", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), -- }, -- }, -- { -- .ident = "Dell Mini 12", -- .matches = { -- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), -- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), -- }, -- }, -- {} --}; -- - static struct dmi_system_id dell_quirks[] = { - { - .callback = dmi_matched, -@@ -579,11 +532,15 @@ static int __init dell_setup_rfkill(void) - { - int status; - int ret; -+ const char *product; - -- if (dmi_check_system(dell_blacklist)) { -- pr_info("Blacklisted hardware detected - not enabling rfkill\n"); -+ /* -+ * rfkill causes trouble on various non Latitudes, according to Dell -+ * actually testing the rfkill functionality is only done on Latitudes. -+ */ -+ product = dmi_get_system_info(DMI_PRODUCT_NAME); -+ if (!product || strncmp(product, "Latitude", 8)) - return 0; -- } - - get_buffer(); - dell_send_request(buffer, 17, 11); --- -1.8.3.1 - diff --git a/dell-laptop.patch b/dell-laptop.patch new file mode 100644 index 000000000..906d93519 --- /dev/null +++ b/dell-laptop.patch @@ -0,0 +1,1017 @@ +Bugzilla: 958826 +Upstream-status: 3.13 + +From 4cc8a57425c623753b10b77b15392e5b83baa5a3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:16 +0100 +Subject: [PATCH 01/12] Revert "dell-laptop: Remove rfkill code" + +Without rfkill functionality in dell-laptop I have the following problems: +-If the hardware radio switch is set to disable the radio, then userspace + will still think it can use wireless and bluetooth. +-The wwan / 3g modem cannot be soft blocked without the dell-laptop rfkill + functionality + +I know the rfkill functionality was removed from the dell-laptop driver because +it caused more problems then it fixed, and the blacklist for it was growing out +of control. + +But in the thread discussing this Dell mentioned that they only QA the rfkill +acpi interface on Latitudes and indeed there have been no blacklist entries +for Latitudes. Therefor I would like to bring the rfkill functionality back +only for Latitudes. This patch is a straight-forward revert. The next patch +in this set will drop the blacklist and replace it with a Latitude check. + +This reverts commit a6c2390cd6d2083d27a2359658e08f2d3df375ac. + +Conflicts: + drivers/platform/x86/dell-laptop.c + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 289 +++++++++++++++++++++++++++++++++++++ + 1 file changed, 289 insertions(+) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index bb77e18..55f75a2 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -21,6 +21,7 @@ + #include + #include + #include ++#include + #include + #include + #include +@@ -89,6 +90,9 @@ static struct platform_driver platform_driver = { + + static struct platform_device *platform_device; + static struct backlight_device *dell_backlight_device; ++static struct rfkill *wifi_rfkill; ++static struct rfkill *bluetooth_rfkill; ++static struct rfkill *wwan_rfkill; + + static const struct dmi_system_id dell_device_table[] __initconst = { + { +@@ -115,6 +119,53 @@ static const struct dmi_system_id dell_device_table[] __initconst = { + }; + MODULE_DEVICE_TABLE(dmi, dell_device_table); + ++static struct dmi_system_id dell_blacklist[] = { ++ /* Supported by compal-laptop */ ++ { ++ .ident = "Dell Mini 9", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 10", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 10v", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 1012", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), ++ }, ++ }, ++ { ++ .ident = "Dell Inspiron 11z", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), ++ }, ++ }, ++ { ++ .ident = "Dell Mini 12", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), ++ }, ++ }, ++ {} ++}; ++ + static struct dmi_system_id dell_quirks[] = { + { + .callback = dmi_matched, +@@ -355,6 +406,94 @@ dell_send_request(struct calling_interface_buffer *buffer, int class, + return buffer; + } + ++/* Derived from information in DellWirelessCtl.cpp: ++ Class 17, select 11 is radio control. It returns an array of 32-bit values. ++ ++ Input byte 0 = 0: Wireless information ++ ++ result[0]: return code ++ result[1]: ++ Bit 0: Hardware switch supported ++ Bit 1: Wifi locator supported ++ Bit 2: Wifi is supported ++ Bit 3: Bluetooth is supported ++ Bit 4: WWAN is supported ++ Bit 5: Wireless keyboard supported ++ Bits 6-7: Reserved ++ Bit 8: Wifi is installed ++ Bit 9: Bluetooth is installed ++ Bit 10: WWAN is installed ++ Bits 11-15: Reserved ++ Bit 16: Hardware switch is on ++ Bit 17: Wifi is blocked ++ Bit 18: Bluetooth is blocked ++ Bit 19: WWAN is blocked ++ Bits 20-31: Reserved ++ result[2]: NVRAM size in bytes ++ result[3]: NVRAM format version number ++ ++ Input byte 0 = 2: Wireless switch configuration ++ result[0]: return code ++ result[1]: ++ Bit 0: Wifi controlled by switch ++ Bit 1: Bluetooth controlled by switch ++ Bit 2: WWAN controlled by switch ++ Bits 3-6: Reserved ++ Bit 7: Wireless switch config locked ++ Bit 8: Wifi locator enabled ++ Bits 9-14: Reserved ++ Bit 15: Wifi locator setting locked ++ Bits 16-31: Reserved ++*/ ++ ++static int dell_rfkill_set(void *data, bool blocked) ++{ ++ int disable = blocked ? 1 : 0; ++ unsigned long radio = (unsigned long)data; ++ int hwswitch_bit = (unsigned long)data - 1; ++ int ret = 0; ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ ++ /* If the hardware switch controls this radio, and the hardware ++ switch is disabled, don't allow changing the software state */ ++ if ((hwswitch_state & BIT(hwswitch_bit)) && ++ !(buffer->output[1] & BIT(16))) { ++ ret = -EINVAL; ++ goto out; ++ } ++ ++ buffer->input[0] = (1 | (radio<<8) | (disable << 16)); ++ dell_send_request(buffer, 17, 11); ++ ++out: ++ release_buffer(); ++ return ret; ++} ++ ++static void dell_rfkill_query(struct rfkill *rfkill, void *data) ++{ ++ int status; ++ int bit = (unsigned long)data + 16; ++ int hwswitch_bit = (unsigned long)data - 1; ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ status = buffer->output[1]; ++ release_buffer(); ++ ++ rfkill_set_sw_state(rfkill, !!(status & BIT(bit))); ++ ++ if (hwswitch_state & (BIT(hwswitch_bit))) ++ rfkill_set_hw_state(rfkill, !(status & BIT(16))); ++} ++ ++static const struct rfkill_ops dell_rfkill_ops = { ++ .set_block = dell_rfkill_set, ++ .query = dell_rfkill_query, ++}; ++ + static struct dentry *dell_laptop_dir; + + static int dell_debugfs_show(struct seq_file *s, void *data) +@@ -424,6 +563,108 @@ static const struct file_operations dell_debugfs_fops = { + .release = single_release, + }; + ++static void dell_update_rfkill(struct work_struct *ignored) ++{ ++ if (wifi_rfkill) ++ dell_rfkill_query(wifi_rfkill, (void *)1); ++ if (bluetooth_rfkill) ++ dell_rfkill_query(bluetooth_rfkill, (void *)2); ++ if (wwan_rfkill) ++ dell_rfkill_query(wwan_rfkill, (void *)3); ++} ++static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); ++ ++ ++static int __init dell_setup_rfkill(void) ++{ ++ int status; ++ int ret; ++ ++ if (dmi_check_system(dell_blacklist)) { ++ pr_info("Blacklisted hardware detected - not enabling rfkill\n"); ++ return 0; ++ } ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ status = buffer->output[1]; ++ buffer->input[0] = 0x2; ++ dell_send_request(buffer, 17, 11); ++ hwswitch_state = buffer->output[1]; ++ release_buffer(); ++ ++ if ((status & (1<<2|1<<8)) == (1<<2|1<<8)) { ++ wifi_rfkill = rfkill_alloc("dell-wifi", &platform_device->dev, ++ RFKILL_TYPE_WLAN, ++ &dell_rfkill_ops, (void *) 1); ++ if (!wifi_rfkill) { ++ ret = -ENOMEM; ++ goto err_wifi; ++ } ++ ret = rfkill_register(wifi_rfkill); ++ if (ret) ++ goto err_wifi; ++ } ++ ++ if ((status & (1<<3|1<<9)) == (1<<3|1<<9)) { ++ bluetooth_rfkill = rfkill_alloc("dell-bluetooth", ++ &platform_device->dev, ++ RFKILL_TYPE_BLUETOOTH, ++ &dell_rfkill_ops, (void *) 2); ++ if (!bluetooth_rfkill) { ++ ret = -ENOMEM; ++ goto err_bluetooth; ++ } ++ ret = rfkill_register(bluetooth_rfkill); ++ if (ret) ++ goto err_bluetooth; ++ } ++ ++ if ((status & (1<<4|1<<10)) == (1<<4|1<<10)) { ++ wwan_rfkill = rfkill_alloc("dell-wwan", ++ &platform_device->dev, ++ RFKILL_TYPE_WWAN, ++ &dell_rfkill_ops, (void *) 3); ++ if (!wwan_rfkill) { ++ ret = -ENOMEM; ++ goto err_wwan; ++ } ++ ret = rfkill_register(wwan_rfkill); ++ if (ret) ++ goto err_wwan; ++ } ++ ++ return 0; ++err_wwan: ++ rfkill_destroy(wwan_rfkill); ++ if (bluetooth_rfkill) ++ rfkill_unregister(bluetooth_rfkill); ++err_bluetooth: ++ rfkill_destroy(bluetooth_rfkill); ++ if (wifi_rfkill) ++ rfkill_unregister(wifi_rfkill); ++err_wifi: ++ rfkill_destroy(wifi_rfkill); ++ ++ return ret; ++} ++ ++static void dell_cleanup_rfkill(void) ++{ ++ if (wifi_rfkill) { ++ rfkill_unregister(wifi_rfkill); ++ rfkill_destroy(wifi_rfkill); ++ } ++ if (bluetooth_rfkill) { ++ rfkill_unregister(bluetooth_rfkill); ++ rfkill_destroy(bluetooth_rfkill); ++ } ++ if (wwan_rfkill) { ++ rfkill_unregister(wwan_rfkill); ++ rfkill_destroy(wwan_rfkill); ++ } ++} ++ + static int dell_send_intensity(struct backlight_device *bd) + { + int ret = 0; +@@ -515,6 +756,30 @@ static void touchpad_led_exit(void) + led_classdev_unregister(&touchpad_led); + } + ++static bool dell_laptop_i8042_filter(unsigned char data, unsigned char str, ++ struct serio *port) ++{ ++ static bool extended; ++ ++ if (str & 0x20) ++ return false; ++ ++ if (unlikely(data == 0xe0)) { ++ extended = true; ++ return false; ++ } else if (unlikely(extended)) { ++ switch (data) { ++ case 0x8: ++ schedule_delayed_work(&dell_rfkill_work, ++ round_jiffies_relative(HZ)); ++ break; ++ } ++ extended = false; ++ } ++ ++ return false; ++} ++ + static int __init dell_init(void) + { + int max_intensity = 0; +@@ -557,10 +822,26 @@ static int __init dell_init(void) + } + buffer = page_address(bufferpage); + ++ ret = dell_setup_rfkill(); ++ ++ if (ret) { ++ pr_warn("Unable to setup rfkill\n"); ++ goto fail_rfkill; ++ } ++ ++ ret = i8042_install_filter(dell_laptop_i8042_filter); ++ if (ret) { ++ pr_warn("Unable to install key filter\n"); ++ goto fail_filter; ++ } ++ + if (quirks && quirks->touchpad_led) + touchpad_led_init(&platform_device->dev); + + dell_laptop_dir = debugfs_create_dir("dell_laptop", NULL); ++ if (dell_laptop_dir != NULL) ++ debugfs_create_file("rfkill", 0444, dell_laptop_dir, NULL, ++ &dell_debugfs_fops); + + #ifdef CONFIG_ACPI + /* In the event of an ACPI backlight being available, don't +@@ -603,6 +884,11 @@ static int __init dell_init(void) + return 0; + + fail_backlight: ++ i8042_remove_filter(dell_laptop_i8042_filter); ++ cancel_delayed_work_sync(&dell_rfkill_work); ++fail_filter: ++ dell_cleanup_rfkill(); ++fail_rfkill: + free_page((unsigned long)bufferpage); + fail_buffer: + platform_device_del(platform_device); +@@ -620,7 +906,10 @@ static void __exit dell_exit(void) + debugfs_remove_recursive(dell_laptop_dir); + if (quirks && quirks->touchpad_led) + touchpad_led_exit(); ++ i8042_remove_filter(dell_laptop_i8042_filter); ++ cancel_delayed_work_sync(&dell_rfkill_work); + backlight_device_unregister(dell_backlight_device); ++ dell_cleanup_rfkill(); + if (platform_device) { + platform_device_unregister(platform_device); + platform_driver_unregister(&platform_driver); +-- +1.8.3.1 + + +From 2a92551845bbbc8421ba908cd14bbdf065e0f454 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:17 +0100 +Subject: [PATCH 02/12] dell-laptop: Only enable rfkill on Latitudes + +The rfkill functionality was removed from the dell-laptop driver because it +was causing problems on various non Latitude models, and the blacklist kept +growing and growing. In the thread discussing this Dell mentioned that they +only QA the rfkill acpi interface on Latitudes and indeed there have been +no blacklist entries for Latitudes. + +Note that the blacklist contained no Vostros either, and most Vostros have +a hardware switch too, so we could consider supporting Vostros with a +hardware switch too. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 57 +++++--------------------------------- + 1 file changed, 7 insertions(+), 50 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 55f75a2..bae932b 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -119,53 +119,6 @@ static const struct dmi_system_id dell_device_table[] __initconst = { + }; + MODULE_DEVICE_TABLE(dmi, dell_device_table); + +-static struct dmi_system_id dell_blacklist[] = { +- /* Supported by compal-laptop */ +- { +- .ident = "Dell Mini 9", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 910"), +- }, +- }, +- { +- .ident = "Dell Mini 10", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1010"), +- }, +- }, +- { +- .ident = "Dell Mini 10v", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1011"), +- }, +- }, +- { +- .ident = "Dell Mini 1012", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1012"), +- }, +- }, +- { +- .ident = "Dell Inspiron 11z", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1110"), +- }, +- }, +- { +- .ident = "Dell Mini 12", +- .matches = { +- DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), +- DMI_MATCH(DMI_PRODUCT_NAME, "Inspiron 1210"), +- }, +- }, +- {} +-}; +- + static struct dmi_system_id dell_quirks[] = { + { + .callback = dmi_matched, +@@ -579,11 +532,15 @@ static int __init dell_setup_rfkill(void) + { + int status; + int ret; ++ const char *product; + +- if (dmi_check_system(dell_blacklist)) { +- pr_info("Blacklisted hardware detected - not enabling rfkill\n"); ++ /* ++ * rfkill causes trouble on various non Latitudes, according to Dell ++ * actually testing the rfkill functionality is only done on Latitudes. ++ */ ++ product = dmi_get_system_info(DMI_PRODUCT_NAME); ++ if (!product || strncmp(product, "Latitude", 8)) + return 0; +- } + + get_buffer(); + dell_send_request(buffer, 17, 11); +-- +1.8.3.1 + + +From ddde708217af6d5fe43c0086247c05ed317076b4 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:18 +0100 +Subject: [PATCH 03/12] dell-laptop: If there is no hwswitch, then clear all + hw-controlled bits + +To ensure we don't enter any hw-switch related code paths on machines without +a hw-switch. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index bae932b..48fabf6 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -548,6 +548,9 @@ static int __init dell_setup_rfkill(void) + buffer->input[0] = 0x2; + dell_send_request(buffer, 17, 11); + hwswitch_state = buffer->output[1]; ++ /* If there is no hwswitch, then clear all hw-controlled bits */ ++ if (!(status & BIT(0))) ++ hwswitch_state &= ~7; + release_buffer(); + + if ((status & (1<<2|1<<8)) == (1<<2|1<<8)) { +-- +1.8.3.1 + + +From d038880efd9dd222c67fd31fbfca3440d0db3a06 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:19 +0100 +Subject: [PATCH 04/12] dell-laptop: Only get status from BIOS once when + updating + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 28 +++++++++++++++++++--------- + 1 file changed, 19 insertions(+), 9 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 48fabf6..06f281b 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -425,21 +425,24 @@ out: + return ret; + } + ++static void dell_rfkill_update(struct rfkill *rfkill, int radio, int status) ++{ ++ rfkill_set_sw_state(rfkill, !!(status & BIT(radio + 16))); ++ ++ if (hwswitch_state & (BIT(radio - 1))) ++ rfkill_set_hw_state(rfkill, !(status & BIT(16))); ++} ++ + static void dell_rfkill_query(struct rfkill *rfkill, void *data) + { + int status; +- int bit = (unsigned long)data + 16; +- int hwswitch_bit = (unsigned long)data - 1; + + get_buffer(); + dell_send_request(buffer, 17, 11); + status = buffer->output[1]; + release_buffer(); + +- rfkill_set_sw_state(rfkill, !!(status & BIT(bit))); +- +- if (hwswitch_state & (BIT(hwswitch_bit))) +- rfkill_set_hw_state(rfkill, !(status & BIT(16))); ++ dell_rfkill_update(rfkill, (unsigned long)data, status); + } + + static const struct rfkill_ops dell_rfkill_ops = { +@@ -518,12 +521,19 @@ static const struct file_operations dell_debugfs_fops = { + + static void dell_update_rfkill(struct work_struct *ignored) + { ++ int status; ++ ++ get_buffer(); ++ dell_send_request(buffer, 17, 11); ++ status = buffer->output[1]; ++ release_buffer(); ++ + if (wifi_rfkill) +- dell_rfkill_query(wifi_rfkill, (void *)1); ++ dell_rfkill_update(wifi_rfkill, 1, status); + if (bluetooth_rfkill) +- dell_rfkill_query(bluetooth_rfkill, (void *)2); ++ dell_rfkill_update(bluetooth_rfkill, 2, status); + if (wwan_rfkill) +- dell_rfkill_query(wwan_rfkill, (void *)3); ++ dell_rfkill_update(wwan_rfkill, 3, status); + } + static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); + +-- +1.8.3.1 + + +From 33f9359abb9f6ded3e7b6dc98b1468c83404af49 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:20 +0100 +Subject: [PATCH 05/12] dell-laptop: Don't set sw_state from the query callback + +The query callback should only update the hw_state, see the comment in +net/rfkill/core.c in rfkill_set_block, which is its only caller. + +rfkill_set_block will modify the sw_state directly after calling query so +calling set_sw_state is an expensive NOP. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 06f281b..7f47396 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -425,10 +425,15 @@ out: + return ret; + } + +-static void dell_rfkill_update(struct rfkill *rfkill, int radio, int status) ++static void dell_rfkill_update_sw_state(struct rfkill *rfkill, int radio, ++ int status) + { + rfkill_set_sw_state(rfkill, !!(status & BIT(radio + 16))); ++} + ++static void dell_rfkill_update_hw_state(struct rfkill *rfkill, int radio, ++ int status) ++{ + if (hwswitch_state & (BIT(radio - 1))) + rfkill_set_hw_state(rfkill, !(status & BIT(16))); + } +@@ -442,7 +447,7 @@ static void dell_rfkill_query(struct rfkill *rfkill, void *data) + status = buffer->output[1]; + release_buffer(); + +- dell_rfkill_update(rfkill, (unsigned long)data, status); ++ dell_rfkill_update_hw_state(rfkill, (unsigned long)data, status); + } + + static const struct rfkill_ops dell_rfkill_ops = { +@@ -528,12 +533,18 @@ static void dell_update_rfkill(struct work_struct *ignored) + status = buffer->output[1]; + release_buffer(); + +- if (wifi_rfkill) +- dell_rfkill_update(wifi_rfkill, 1, status); +- if (bluetooth_rfkill) +- dell_rfkill_update(bluetooth_rfkill, 2, status); +- if (wwan_rfkill) +- dell_rfkill_update(wwan_rfkill, 3, status); ++ if (wifi_rfkill) { ++ dell_rfkill_update_hw_state(wifi_rfkill, 1, status); ++ dell_rfkill_update_sw_state(wifi_rfkill, 1, status); ++ } ++ if (bluetooth_rfkill) { ++ dell_rfkill_update_hw_state(bluetooth_rfkill, 2, status); ++ dell_rfkill_update_sw_state(bluetooth_rfkill, 2, status); ++ } ++ if (wwan_rfkill) { ++ dell_rfkill_update_hw_state(wwan_rfkill, 3, status); ++ dell_rfkill_update_sw_state(wwan_rfkill, 3, status); ++ } + } + static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); + +-- +1.8.3.1 + + +From 3f56588a79a06a0499db0077cad6675762ddc40e Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:21 +0100 +Subject: [PATCH 06/12] dell-laptop: Don't read-back sw_state on machines with + a hardware switch + +On machines with a hardware switch, the blocking settings can not be changed +through a Fn + wireless-key combo, so there is no reason to read back the +blocking state from the BIOS. + +Reading back is not only not necessary it is actually harmful, since on some +machines the blocking state will be cleared to all 0 after a wireless switch +toggle, even for radios not controlled by the hw-switch (yeah firmware bugs). + +This causes "magic" changes to the sw_state. This is inconsistent with other +rfkill drivers which preserve the sw_state over a hw kill on / off. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 7f47396..80de0cc 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -428,7 +428,10 @@ out: + static void dell_rfkill_update_sw_state(struct rfkill *rfkill, int radio, + int status) + { +- rfkill_set_sw_state(rfkill, !!(status & BIT(radio + 16))); ++ if (!(status & BIT(0))) { ++ /* No hw-switch, sync BIOS state to sw_state */ ++ rfkill_set_sw_state(rfkill, !!(status & BIT(radio + 16))); ++ } + } + + static void dell_rfkill_update_hw_state(struct rfkill *rfkill, int radio, +-- +1.8.3.1 + + +From 4d39d88ceb83e88953a76df8b1fa10f43f328038 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:22 +0100 +Subject: [PATCH 07/12] dell-laptop: Allow changing the sw_state while the + radio is blocked by hw + +This makes dell-laptop's rfkill code consistent with other drivers which +allow sw_state changes while hw blocked. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 80de0cc..834f499 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -404,7 +404,6 @@ static int dell_rfkill_set(void *data, bool blocked) + int disable = blocked ? 1 : 0; + unsigned long radio = (unsigned long)data; + int hwswitch_bit = (unsigned long)data - 1; +- int ret = 0; + + get_buffer(); + dell_send_request(buffer, 17, 11); +@@ -412,17 +411,15 @@ static int dell_rfkill_set(void *data, bool blocked) + /* If the hardware switch controls this radio, and the hardware + switch is disabled, don't allow changing the software state */ + if ((hwswitch_state & BIT(hwswitch_bit)) && +- !(buffer->output[1] & BIT(16))) { +- ret = -EINVAL; ++ !(buffer->output[1] & BIT(16))) + goto out; +- } + + buffer->input[0] = (1 | (radio<<8) | (disable << 16)); + dell_send_request(buffer, 17, 11); + + out: + release_buffer(); +- return ret; ++ return 0; + } + + static void dell_rfkill_update_sw_state(struct rfkill *rfkill, int radio, +-- +1.8.3.1 + + +From 04c9a3a06c47b337b90a91e458716262cc45b103 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:23 +0100 +Subject: [PATCH 08/12] dell-laptop: Sync current block state to BIOS on hw + switch change + +This is necessary for 3 reasons: +1) To apply sw_state changes made while hw-blocked +2) To set all the blocked bits for hw-switch controlled radios to 1 when the + switch gets changed to off, this is necessary on some models to actually + turn the radio status LEDs off. +3) On some models non hw-switch controlled radios will have their block bit + cleared (potentially undoing a soft-block) on hw-switch toggle, this + restores the sw-block in this case. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 14 +++++++++++--- + 1 file changed, 11 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 834f499..7f59624 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -422,10 +422,16 @@ out: + return 0; + } + ++/* Must be called with the buffer held */ + static void dell_rfkill_update_sw_state(struct rfkill *rfkill, int radio, + int status) + { +- if (!(status & BIT(0))) { ++ if (status & BIT(0)) { ++ /* Has hw-switch, sync sw_state to BIOS */ ++ int block = rfkill_blocked(rfkill); ++ buffer->input[0] = (1 | (radio << 8) | (block << 16)); ++ dell_send_request(buffer, 17, 11); ++ } else { + /* No hw-switch, sync BIOS state to sw_state */ + rfkill_set_sw_state(rfkill, !!(status & BIT(radio + 16))); + } +@@ -445,9 +451,10 @@ static void dell_rfkill_query(struct rfkill *rfkill, void *data) + get_buffer(); + dell_send_request(buffer, 17, 11); + status = buffer->output[1]; +- release_buffer(); + + dell_rfkill_update_hw_state(rfkill, (unsigned long)data, status); ++ ++ release_buffer(); + } + + static const struct rfkill_ops dell_rfkill_ops = { +@@ -531,7 +538,6 @@ static void dell_update_rfkill(struct work_struct *ignored) + get_buffer(); + dell_send_request(buffer, 17, 11); + status = buffer->output[1]; +- release_buffer(); + + if (wifi_rfkill) { + dell_rfkill_update_hw_state(wifi_rfkill, 1, status); +@@ -545,6 +551,8 @@ static void dell_update_rfkill(struct work_struct *ignored) + dell_rfkill_update_hw_state(wwan_rfkill, 3, status); + dell_rfkill_update_sw_state(wwan_rfkill, 3, status); + } ++ ++ release_buffer(); + } + static DECLARE_DELAYED_WORK(dell_rfkill_work, dell_update_rfkill); + +-- +1.8.3.1 + + +From ed1128989ab242f44664b446702a512e5695c4b7 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:24 +0100 +Subject: [PATCH 09/12] dell-laptop: Do not skip setting blocked bit rfkill_set + while hw-blocked + +Instead when hw-blocked always write 1 to the blocked bit for the radio in +question. This is necessary to properly set all the blocked bits for hw-switch +controlled radios to 1 after power-on and resume. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index 7f59624..b33b779 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -409,15 +409,14 @@ static int dell_rfkill_set(void *data, bool blocked) + dell_send_request(buffer, 17, 11); + + /* If the hardware switch controls this radio, and the hardware +- switch is disabled, don't allow changing the software state */ ++ switch is disabled, always disable the radio */ + if ((hwswitch_state & BIT(hwswitch_bit)) && + !(buffer->output[1] & BIT(16))) +- goto out; ++ disable = 1; + + buffer->input[0] = (1 | (radio<<8) | (disable << 16)); + dell_send_request(buffer, 17, 11); + +-out: + release_buffer(); + return 0; + } +-- +1.8.3.1 + + +From 26c22d63a70f62e0832c6d9f2a2690ab0155d584 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:25 +0100 +Subject: [PATCH 10/12] dell-laptop: Wait less long before updating rfkill + after an rfkill keypress + +Some time is needed for the BIOS to do its work, but 250ms should be plenty. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index b33b779..fe20f67 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -759,7 +759,7 @@ static bool dell_laptop_i8042_filter(unsigned char data, unsigned char str, + switch (data) { + case 0x8: + schedule_delayed_work(&dell_rfkill_work, +- round_jiffies_relative(HZ)); ++ round_jiffies_relative(HZ / 4)); + break; + } + extended = false; +-- +1.8.3.1 + + +From 8e0e668d0aa09d2eb0a7a260b6c7801796e01bd3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:26 +0100 +Subject: [PATCH 11/12] dell-laptop: Add a force_rfkill module parameter + +Setting force_rfkill will cause the dell-laptop rfkill code to skip its +whitelist checks, this will allow individual users to override the whitelist, +as well as to gather info from users to improve the checks. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index fe20f67..bd67c89 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -93,6 +93,10 @@ static struct backlight_device *dell_backlight_device; + static struct rfkill *wifi_rfkill; + static struct rfkill *bluetooth_rfkill; + static struct rfkill *wwan_rfkill; ++static bool force_rfkill; ++ ++module_param(force_rfkill, bool, 0444); ++MODULE_PARM_DESC(force_rfkill, "enable rfkill on non whitelisted models"); + + static const struct dmi_system_id dell_device_table[] __initconst = { + { +@@ -567,7 +571,7 @@ static int __init dell_setup_rfkill(void) + * actually testing the rfkill functionality is only done on Latitudes. + */ + product = dmi_get_system_info(DMI_PRODUCT_NAME); +- if (!product || strncmp(product, "Latitude", 8)) ++ if (!force_rfkill && (!product || strncmp(product, "Latitude", 8))) + return 0; + + get_buffer(); +-- +1.8.3.1 + + +From 2bd4ac139259bb605fc0325a7dda33e2fbb67ae3 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Sun, 17 Nov 2013 14:00:27 +0100 +Subject: [PATCH 12/12] dell-laptop: Only enable rfkill functionality on + laptops with a hw killswitch + +All my testing has been on laptops with a hw killswitch, so to be on the +safe side disable rfkill functionality on models without a hw killswitch for +now. Once we gather some feedback on laptops without a hw killswitch this +decision maybe reconsidered. + +Signed-off-by: Hans de Goede +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/dell-laptop.c | 13 ++++++++++--- + 1 file changed, 10 insertions(+), 3 deletions(-) + +diff --git a/drivers/platform/x86/dell-laptop.c b/drivers/platform/x86/dell-laptop.c +index bd67c89..c608b1d 100644 +--- a/drivers/platform/x86/dell-laptop.c ++++ b/drivers/platform/x86/dell-laptop.c +@@ -580,11 +580,18 @@ static int __init dell_setup_rfkill(void) + buffer->input[0] = 0x2; + dell_send_request(buffer, 17, 11); + hwswitch_state = buffer->output[1]; +- /* If there is no hwswitch, then clear all hw-controlled bits */ +- if (!(status & BIT(0))) +- hwswitch_state &= ~7; + release_buffer(); + ++ if (!(status & BIT(0))) { ++ if (force_rfkill) { ++ /* No hwsitch, clear all hw-controlled bits */ ++ hwswitch_state &= ~7; ++ } else { ++ /* rfkill is only tested on laptops with a hwswitch */ ++ return 0; ++ } ++ } ++ + if ((status & (1<<2|1<<8)) == (1<<2|1<<8)) { + wifi_rfkill = rfkill_alloc("dell-wifi", &platform_device->dev, + RFKILL_TYPE_WLAN, +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index a8c02ad2b..d284700af 100644 --- a/kernel.spec +++ b/kernel.spec @@ -814,8 +814,7 @@ Patch25161: inet-prevent-leakage-of-uninitialized-memory-to-user.patch Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch #rhbz 958826 -Patch25164: 0001-Revert-dell-laptop-Remove-rfkill-code.patch -Patch25165: 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch +Patch25164: dell-laptop.patch # END OF PATCH DEFINITIONS @@ -1579,8 +1578,7 @@ ApplyPatch inet-prevent-leakage-of-uninitialized-memory-to-user.patch ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch #rhbz 958826 -ApplyPatch 0001-Revert-dell-laptop-Remove-rfkill-code.patch -ApplyPatch 0002-dell-laptop-Only-enable-rfkill-on-Latitudes.patch +ApplyPatch dell-laptop.patch # END OF PATCH APPLICATIONS From aa907ebf3a848c68f37b7fc1c958979dd8de4c2e Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 10 Dec 2013 08:50:43 -0500 Subject: [PATCH 284/468] CVE-2013-XXXX net: memory leak in recvmsg (rhbz 1039845 1039874) --- kernel.spec | 10 + ...sg-handler-msg_name-and-msg_namelen-.patch | 771 ++++++++++++++++++ 2 files changed, 781 insertions(+) create mode 100644 net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch diff --git a/kernel.spec b/kernel.spec index d284700af..356ed3d48 100644 --- a/kernel.spec +++ b/kernel.spec @@ -816,6 +816,10 @@ Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-fu #rhbz 958826 Patch25164: dell-laptop.patch +#CVE-2013-XXXX rhbz 1039845 1039874 +Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch + + # END OF PATCH DEFINITIONS %endif @@ -1580,6 +1584,9 @@ ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-fun #rhbz 958826 ApplyPatch dell-laptop.patch +#CVE-2013-XXXX rhbz 1039845 1039874 +ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch + # END OF PATCH APPLICATIONS %endif @@ -2392,6 +2399,9 @@ fi # and build. %changelog +* Tue Dec 10 2013 Josh Boyer +- CVE-2013-XXXX net: memory leak in recvmsg (rhbz 1039845 1039874) + * Tue Dec 03 2013 Josh Boyer - Add patches to fix rfkill switch on Dell machines (rhbz 958826) diff --git a/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch b/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch new file mode 100644 index 000000000..08c6302f6 --- /dev/null +++ b/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch @@ -0,0 +1,771 @@ +From 9cb9fb275f8794546dc31a79f2f02127fed5baf2 Mon Sep 17 00:00:00 2001 +From: Hannes Frederic Sowa +Date: Thu, 21 Nov 2013 03:14:22 +0100 +Subject: [PATCH] net: rework recvmsg handler msg_name and msg_namelen logic + +[ Upstream commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c ] + +This patch now always passes msg->msg_namelen as 0. recvmsg handlers must +set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) +to return msg_name to the user. + +This prevents numerous uninitialized memory leaks we had in the +recvmsg handlers and makes it harder for new code to accidentally leak +uninitialized memory. + +Optimize for the case recvfrom is called with NULL as address. We don't +need to copy the address at all, so set it to NULL before invoking the +recvmsg handler. We can do so, because all the recvmsg handlers must +cope with the case a plain read() is called on them. read() also sets +msg_name to NULL. + +Also document these changes in include/linux/net.h as suggested by David +Miller. + +Changes since RFC: + +Set msg->msg_name = NULL if user specified a NULL in msg_name but had a +non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't +affect sendto as it would bail out earlier while trying to copy-in the +address. It also more naturally reflects the logic by the callers of +verify_iovec. + +With this change in place I could remove " +if (!uaddr || msg_sys->msg_namelen == 0) + msg->msg_name = NULL +". + +This change does not alter the user visible error logic as we ignore +msg_namelen as long as msg_name is NULL. + +Also remove two unnecessary curly brackets in ___sys_recvmsg and change +comments to netdev style. + +Cc: David Miller +Suggested-by: Eric Dumazet +Signed-off-by: Hannes Frederic Sowa +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman +--- + crypto/algif_hash.c | 2 -- + crypto/algif_skcipher.c | 1 - + drivers/isdn/mISDN/socket.c | 13 ++++--------- + drivers/net/ppp/pppoe.c | 2 -- + include/linux/net.h | 8 ++++++++ + net/appletalk/ddp.c | 16 +++++++--------- + net/atm/common.c | 2 -- + net/ax25/af_ax25.c | 4 ++-- + net/bluetooth/af_bluetooth.c | 4 ---- + net/bluetooth/hci_sock.c | 2 -- + net/bluetooth/rfcomm/sock.c | 1 - + net/bluetooth/sco.c | 1 - + net/caif/caif_socket.c | 4 ---- + net/compat.c | 3 ++- + net/core/iovec.c | 3 ++- + net/ipx/af_ipx.c | 3 +-- + net/irda/af_irda.c | 4 ---- + net/iucv/af_iucv.c | 2 -- + net/key/af_key.c | 1 - + net/l2tp/l2tp_ppp.c | 2 -- + net/llc/af_llc.c | 2 -- + net/netlink/af_netlink.c | 2 -- + net/netrom/af_netrom.c | 3 +-- + net/nfc/llcp_sock.c | 2 -- + net/nfc/rawsock.c | 2 -- + net/packet/af_packet.c | 32 +++++++++++++++----------------- + net/rds/recv.c | 2 -- + net/rose/af_rose.c | 8 +++++--- + net/rxrpc/ar-recvmsg.c | 9 ++++++--- + net/socket.c | 19 +++++++++++-------- + net/tipc/socket.c | 6 ------ + net/unix/af_unix.c | 5 ----- + net/vmw_vsock/af_vsock.c | 2 -- + net/vmw_vsock/vmci_transport.c | 2 -- + net/x25/af_x25.c | 3 +-- + 35 files changed, 65 insertions(+), 112 deletions(-) + +diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c +index 0262210..ef5356c 100644 +--- a/crypto/algif_hash.c ++++ b/crypto/algif_hash.c +@@ -161,8 +161,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, + else if (len < ds) + msg->msg_flags |= MSG_TRUNC; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + if (ctx->more) { + ctx->more = 0; +diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c +index a1c4f0a..6a6dfc0 100644 +--- a/crypto/algif_skcipher.c ++++ b/crypto/algif_skcipher.c +@@ -432,7 +432,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, + long copied = 0; + + lock_sock(sk); +- msg->msg_namelen = 0; + for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; + iovlen--, iov++) { + unsigned long seglen = iov->iov_len; +diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c +index e47dcb9..5cefb47 100644 +--- a/drivers/isdn/mISDN/socket.c ++++ b/drivers/isdn/mISDN/socket.c +@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + { + struct sk_buff *skb; + struct sock *sk = sock->sk; +- struct sockaddr_mISDN *maddr; + + int copied, err; + +@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return err; + +- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) { +- msg->msg_namelen = sizeof(struct sockaddr_mISDN); +- maddr = (struct sockaddr_mISDN *)msg->msg_name; ++ if (msg->msg_name) { ++ struct sockaddr_mISDN *maddr = msg->msg_name; ++ + maddr->family = AF_ISDN; + maddr->dev = _pms(sk)->dev->id; + if ((sk->sk_protocol == ISDN_P_LAPD_TE) || +@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + maddr->sapi = _pms(sk)->ch.addr & 0xFF; + maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF; + } +- } else { +- if (msg->msg_namelen) +- printk(KERN_WARNING "%s: too small namelen %d\n", +- __func__, msg->msg_namelen); +- msg->msg_namelen = 0; ++ msg->msg_namelen = sizeof(*maddr); + } + + copied = skb->len + MISDN_HEADER_LEN; +diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c +index 5f66e30..82ee6ed 100644 +--- a/drivers/net/ppp/pppoe.c ++++ b/drivers/net/ppp/pppoe.c +@@ -979,8 +979,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock, + if (error < 0) + goto end; + +- m->msg_namelen = 0; +- + if (skb) { + total_len = min_t(size_t, total_len, skb->len); + error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len); +diff --git a/include/linux/net.h b/include/linux/net.h +index 4f27575..8bd9d92 100644 +--- a/include/linux/net.h ++++ b/include/linux/net.h +@@ -163,6 +163,14 @@ struct proto_ops { + #endif + int (*sendmsg) (struct kiocb *iocb, struct socket *sock, + struct msghdr *m, size_t total_len); ++ /* Notes for implementing recvmsg: ++ * =============================== ++ * msg->msg_namelen should get updated by the recvmsg handlers ++ * iff msg_name != NULL. It is by default 0 to prevent ++ * returning uninitialized memory to user space. The recvfrom ++ * handlers can assume that msg.msg_name is either NULL or has ++ * a minimum size of sizeof(struct sockaddr_storage). ++ */ + int (*recvmsg) (struct kiocb *iocb, struct socket *sock, + struct msghdr *m, size_t total_len, + int flags); +diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c +index 7fee50d..7d424ac 100644 +--- a/net/appletalk/ddp.c ++++ b/net/appletalk/ddp.c +@@ -1735,7 +1735,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr + size_t size, int flags) + { + struct sock *sk = sock->sk; +- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name; + struct ddpehdr *ddp; + int copied = 0; + int offset = 0; +@@ -1764,14 +1763,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr + } + err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied); + +- if (!err) { +- if (sat) { +- sat->sat_family = AF_APPLETALK; +- sat->sat_port = ddp->deh_sport; +- sat->sat_addr.s_node = ddp->deh_snode; +- sat->sat_addr.s_net = ddp->deh_snet; +- } +- msg->msg_namelen = sizeof(*sat); ++ if (!err && msg->msg_name) { ++ struct sockaddr_at *sat = msg->msg_name; ++ sat->sat_family = AF_APPLETALK; ++ sat->sat_port = ddp->deh_sport; ++ sat->sat_addr.s_node = ddp->deh_snode; ++ sat->sat_addr.s_net = ddp->deh_snet; ++ msg->msg_namelen = sizeof(*sat); + } + + skb_free_datagram(sk, skb); /* Free the datagram. */ +diff --git a/net/atm/common.c b/net/atm/common.c +index 737bef5..7b49100 100644 +--- a/net/atm/common.c ++++ b/net/atm/common.c +@@ -531,8 +531,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + struct sk_buff *skb; + int copied, error = -EINVAL; + +- msg->msg_namelen = 0; +- + if (sock->state != SS_CONNECTED) + return -ENOTCONN; + +diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c +index 4b4d2b7..78c474f 100644 +--- a/net/ax25/af_ax25.c ++++ b/net/ax25/af_ax25.c +@@ -1636,11 +1636,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, + + skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); + +- if (msg->msg_namelen != 0) { +- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name; ++ if (msg->msg_name) { + ax25_digi digi; + ax25_address src; + const unsigned char *mac = skb_mac_header(skb); ++ struct sockaddr_ax25 *sax = msg->msg_name; + + memset(sax, 0, sizeof(struct full_sockaddr_ax25)); + ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, +diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c +index 9096137..6629cdc 100644 +--- a/net/bluetooth/af_bluetooth.c ++++ b/net/bluetooth/af_bluetooth.c +@@ -221,8 +221,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags & (MSG_OOB)) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags, noblock, &err); + if (!skb) { + if (sk->sk_shutdown & RCV_SHUTDOWN) +@@ -287,8 +285,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags & MSG_OOB) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + BT_DBG("sk %p size %zu", sk, size); + + lock_sock(sk); +diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c +index 9bd7d95..fa4bf66 100644 +--- a/net/bluetooth/hci_sock.c ++++ b/net/bluetooth/hci_sock.c +@@ -752,8 +752,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return err; + +- msg->msg_namelen = 0; +- + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 30b3721..c1c6028 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -608,7 +608,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { + rfcomm_dlc_accept(d); +- msg->msg_namelen = 0; + return 0; + } + +diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c +index e7bd4ee..2bb1d3a 100644 +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -700,7 +700,6 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { + sco_conn_defer_accept(pi->conn->hcon, 0); + sk->sk_state = BT_CONFIG; +- msg->msg_namelen = 0; + + release_sock(sk); + return 0; +diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c +index 05a41c7..d6be3ed 100644 +--- a/net/caif/caif_socket.c ++++ b/net/caif/caif_socket.c +@@ -286,8 +286,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, + if (m->msg_flags&MSG_OOB) + goto read_error; + +- m->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags, 0 , &ret); + if (!skb) + goto read_error; +@@ -361,8 +359,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags&MSG_OOB) + goto out; + +- msg->msg_namelen = 0; +- + /* + * Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg +diff --git a/net/compat.c b/net/compat.c +index 8903258..618c6a8 100644 +--- a/net/compat.c ++++ b/net/compat.c +@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, + if (err < 0) + return err; + } +- kern_msg->msg_name = kern_address; ++ if (kern_msg->msg_name) ++ kern_msg->msg_name = kern_address; + } else + kern_msg->msg_name = NULL; + +diff --git a/net/core/iovec.c b/net/core/iovec.c +index de178e4..9a31515 100644 +--- a/net/core/iovec.c ++++ b/net/core/iovec.c +@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a + if (err < 0) + return err; + } +- m->msg_name = address; ++ if (m->msg_name) ++ m->msg_name = address; + } else { + m->msg_name = NULL; + } +diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c +index 7a1e0fc..e096025 100644 +--- a/net/ipx/af_ipx.c ++++ b/net/ipx/af_ipx.c +@@ -1823,8 +1823,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, + if (skb->tstamp.tv64) + sk->sk_stamp = skb->tstamp; + +- msg->msg_namelen = sizeof(*sipx); +- + if (sipx) { + sipx->sipx_family = AF_IPX; + sipx->sipx_port = ipx->ipx_source.sock; +@@ -1832,6 +1830,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, + sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net; + sipx->sipx_type = ipx->ipx_type; + sipx->sipx_zero = 0; ++ msg->msg_namelen = sizeof(*sipx); + } + rc = copied; + +diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c +index 0578d4f..a5e62ef5 100644 +--- a/net/irda/af_irda.c ++++ b/net/irda/af_irda.c +@@ -1385,8 +1385,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, + + IRDA_DEBUG(4, "%s()\n", __func__); + +- msg->msg_namelen = 0; +- + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); + if (!skb) +@@ -1451,8 +1449,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock, + target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); + timeo = sock_rcvtimeo(sk, noblock); + +- msg->msg_namelen = 0; +- + do { + int chunk; + struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue); +diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c +index 168aff5..c4b7218 100644 +--- a/net/iucv/af_iucv.c ++++ b/net/iucv/af_iucv.c +@@ -1324,8 +1324,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + int err = 0; + u32 offset; + +- msg->msg_namelen = 0; +- + if ((sk->sk_state == IUCV_DISCONN) && + skb_queue_empty(&iucv->backlog_skb_q) && + skb_queue_empty(&sk->sk_receive_queue) && +diff --git a/net/key/af_key.c b/net/key/af_key.c +index ab8bd2c..66f51c5 100644 +--- a/net/key/af_key.c ++++ b/net/key/af_key.c +@@ -3623,7 +3623,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb, + if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT)) + goto out; + +- msg->msg_namelen = 0; + skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err); + if (skb == NULL) + goto out; +diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c +index 8c46b27..44441c0 100644 +--- a/net/l2tp/l2tp_ppp.c ++++ b/net/l2tp/l2tp_ppp.c +@@ -197,8 +197,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock, + if (sk->sk_state & PPPOX_BOUND) + goto end; + +- msg->msg_namelen = 0; +- + err = 0; + skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, + flags & MSG_DONTWAIT, &err); +diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c +index 48aaa89..8870988 100644 +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, + int target; /* Read at least this many bytes */ + long timeo; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + copied = -ENOTCONN; + if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) +diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c +index 0c61b59..90b654b 100644 +--- a/net/netlink/af_netlink.c ++++ b/net/netlink/af_netlink.c +@@ -2317,8 +2317,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, + } + #endif + +- msg->msg_namelen = 0; +- + copied = data_skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c +index 698814b..53c19a3 100644 +--- a/net/netrom/af_netrom.c ++++ b/net/netrom/af_netrom.c +@@ -1179,10 +1179,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, + sax->sax25_family = AF_NETROM; + skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, + AX25_ADDR_LEN); ++ msg->msg_namelen = sizeof(*sax); + } + +- msg->msg_namelen = sizeof(*sax); +- + skb_free_datagram(sk, skb); + + release_sock(sk); +diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c +index d308402..824c605 100644 +--- a/net/nfc/llcp_sock.c ++++ b/net/nfc/llcp_sock.c +@@ -807,8 +807,6 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, + + pr_debug("%p %zu\n", sk, len); + +- msg->msg_namelen = 0; +- + lock_sock(sk); + + if (sk->sk_state == LLCP_CLOSED && +diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c +index 313bf1b..5d11f4a 100644 +--- a/net/nfc/rawsock.c ++++ b/net/nfc/rawsock.c +@@ -241,8 +241,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock, + if (!skb) + return rc; + +- msg->msg_namelen = 0; +- + copied = skb->len; + if (len < copied) { + msg->msg_flags |= MSG_TRUNC; +diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c +index 75c8bbf..739c50d 100644 +--- a/net/packet/af_packet.c ++++ b/net/packet/af_packet.c +@@ -2694,7 +2694,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + struct sock *sk = sock->sk; + struct sk_buff *skb; + int copied, err; +- struct sockaddr_ll *sll; + int vnet_hdr_len = 0; + + err = -EINVAL; +@@ -2777,22 +2776,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + goto out_free; + } + +- /* +- * If the address length field is there to be filled in, we fill +- * it in now. +- */ +- +- sll = &PACKET_SKB_CB(skb)->sa.ll; +- if (sock->type == SOCK_PACKET) +- msg->msg_namelen = sizeof(struct sockaddr_pkt); +- else +- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr); +- +- /* +- * You lose any data beyond the buffer you gave. If it worries a +- * user program they can ask the device for its MTU anyway. ++ /* You lose any data beyond the buffer you gave. If it worries ++ * a user program they can ask the device for its MTU ++ * anyway. + */ +- + copied = skb->len; + if (copied > len) { + copied = len; +@@ -2805,9 +2792,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, + + sock_recv_ts_and_drops(msg, sk, skb); + +- if (msg->msg_name) ++ if (msg->msg_name) { ++ /* If the address length field is there to be filled ++ * in, we fill it in now. ++ */ ++ if (sock->type == SOCK_PACKET) { ++ msg->msg_namelen = sizeof(struct sockaddr_pkt); ++ } else { ++ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; ++ msg->msg_namelen = sll->sll_halen + ++ offsetof(struct sockaddr_ll, sll_addr); ++ } + memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, + msg->msg_namelen); ++ } + + if (pkt_sk(sk)->auxdata) { + struct tpacket_auxdata aux; +diff --git a/net/rds/recv.c b/net/rds/recv.c +index 9f0f17c..de339b2 100644 +--- a/net/rds/recv.c ++++ b/net/rds/recv.c +@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, + + rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); + +- msg->msg_namelen = 0; +- + if (msg_flags & MSG_OOB) + goto out; + +diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c +index e98fcfb..33af772 100644 +--- a/net/rose/af_rose.c ++++ b/net/rose/af_rose.c +@@ -1216,7 +1216,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, + { + struct sock *sk = sock->sk; + struct rose_sock *rose = rose_sk(sk); +- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name; + size_t copied; + unsigned char *asmptr; + struct sk_buff *skb; +@@ -1252,8 +1251,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, + + skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); + +- if (srose != NULL) { +- memset(srose, 0, msg->msg_namelen); ++ if (msg->msg_name) { ++ struct sockaddr_rose *srose; ++ ++ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); ++ srose = msg->msg_name; + srose->srose_family = AF_ROSE; + srose->srose_addr = rose->dest_addr; + srose->srose_call = rose->dest_call; +diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c +index 4b48687..898492a 100644 +--- a/net/rxrpc/ar-recvmsg.c ++++ b/net/rxrpc/ar-recvmsg.c +@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, + + /* copy the peer address and timestamp */ + if (!continue_call) { +- if (msg->msg_name && msg->msg_namelen > 0) ++ if (msg->msg_name) { ++ size_t len = ++ sizeof(call->conn->trans->peer->srx); + memcpy(msg->msg_name, +- &call->conn->trans->peer->srx, +- sizeof(call->conn->trans->peer->srx)); ++ &call->conn->trans->peer->srx, len); ++ msg->msg_namelen = len; ++ } + sock_recv_ts_and_drops(msg, &rx->sk, skb); + } + +diff --git a/net/socket.c b/net/socket.c +index 4b94643..5158ff7 100644 +--- a/net/socket.c ++++ b/net/socket.c +@@ -1849,8 +1849,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, + msg.msg_iov = &iov; + iov.iov_len = size; + iov.iov_base = ubuf; +- msg.msg_name = (struct sockaddr *)&address; +- msg.msg_namelen = sizeof(address); ++ /* Save some cycles and don't copy the address if not needed */ ++ msg.msg_name = addr ? (struct sockaddr *)&address : NULL; ++ /* We assume all kernel code knows the size of sockaddr_storage */ ++ msg.msg_namelen = 0; + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = sock_recvmsg(sock, &msg, size, flags); +@@ -2230,16 +2232,14 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + goto out; + } + +- /* +- * Save the user-mode address (verify_iovec will change the +- * kernel msghdr to use the kernel address space) ++ /* Save the user-mode address (verify_iovec will change the ++ * kernel msghdr to use the kernel address space) + */ +- + uaddr = (__force void __user *)msg_sys->msg_name; + uaddr_len = COMPAT_NAMELEN(msg); +- if (MSG_CMSG_COMPAT & flags) { ++ if (MSG_CMSG_COMPAT & flags) + err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); +- } else ++ else + err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE); + if (err < 0) + goto out_freeiov; +@@ -2248,6 +2248,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, + cmsg_ptr = (unsigned long)msg_sys->msg_control; + msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT); + ++ /* We assume all kernel code knows the size of sockaddr_storage */ ++ msg_sys->msg_namelen = 0; ++ + if (sock->file->f_flags & O_NONBLOCK) + flags |= MSG_DONTWAIT; + err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, +diff --git a/net/tipc/socket.c b/net/tipc/socket.c +index 6cc7ddd..dffdbea 100644 +--- a/net/tipc/socket.c ++++ b/net/tipc/socket.c +@@ -984,9 +984,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock, + goto exit; + } + +- /* will be updated in set_orig_addr() if needed */ +- m->msg_namelen = 0; +- + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + restart: + +@@ -1095,9 +1092,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock, + goto exit; + } + +- /* will be updated in set_orig_addr() if needed */ +- m->msg_namelen = 0; +- + target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); + timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); + +diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c +index e64bbcf..6c66e8d 100644 +--- a/net/unix/af_unix.c ++++ b/net/unix/af_unix.c +@@ -1762,7 +1762,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk) + { + struct unix_sock *u = unix_sk(sk); + +- msg->msg_namelen = 0; + if (u->addr) { + msg->msg_namelen = u->addr->len; + memcpy(msg->msg_name, u->addr->name, u->addr->len); +@@ -1786,8 +1785,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, + if (flags&MSG_OOB) + goto out; + +- msg->msg_namelen = 0; +- + err = mutex_lock_interruptible(&u->readlock); + if (err) { + err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); +@@ -1927,8 +1924,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, + target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); + timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); + +- msg->msg_namelen = 0; +- + /* Lock the socket to prevent queue disordering + * while sleeps in memcpy_tomsg + */ +diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c +index 4d93346..16f721c 100644 +--- a/net/vmw_vsock/af_vsock.c ++++ b/net/vmw_vsock/af_vsock.c +@@ -1663,8 +1663,6 @@ vsock_stream_recvmsg(struct kiocb *kiocb, + vsk = vsock_sk(sk); + err = 0; + +- msg->msg_namelen = 0; +- + lock_sock(sk); + + if (sk->sk_state != SS_CONNECTED) { +diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c +index ffc11df..73ca104 100644 +--- a/net/vmw_vsock/vmci_transport.c ++++ b/net/vmw_vsock/vmci_transport.c +@@ -1746,8 +1746,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb, + if (flags & MSG_OOB || flags & MSG_ERRQUEUE) + return -EOPNOTSUPP; + +- msg->msg_namelen = 0; +- + /* Retrieve the head sk_buff from the socket's receive queue. */ + err = 0; + skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err); +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 45a3ab5..7622789 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -1340,10 +1340,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, + if (sx25) { + sx25->sx25_family = AF_X25; + sx25->sx25_addr = x25->dest_addr; ++ msg->msg_namelen = sizeof(*sx25); + } + +- msg->msg_namelen = sizeof(struct sockaddr_x25); +- + x25_check_rbuf(sk); + rc = copied; + out_free_dgram: +-- +1.8.3.1 + From e4fc8417179589f00100155eed6cff640f8188e9 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 10 Dec 2013 08:53:51 -0500 Subject: [PATCH 285/468] Add patch fields --- net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch | 3 +++ 1 file changed, 3 insertions(+) diff --git a/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch b/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch index 08c6302f6..3ec6d0194 100644 --- a/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch +++ b/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch @@ -1,3 +1,6 @@ +Bugzilla: 1039874 +Upstream-status: 3.13 and 3.12.4 + From 9cb9fb275f8794546dc31a79f2f02127fed5baf2 Mon Sep 17 00:00:00 2001 From: Hannes Frederic Sowa Date: Thu, 21 Nov 2013 03:14:22 +0100 From de4d480ba40888bd221217659206755c9ece7c98 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Wed, 11 Dec 2013 08:47:06 -0500 Subject: [PATCH 286/468] Add patches to support ETPS/2 Elantech touchpads (rhbz 1030802) --- ...dd-support-for-newer-August-2013-dev.patch | 36 ++++++ ...y-differentiate-between-clickpads-an.patch | 110 ++++++++++++++++++ kernel.spec | 10 ++ 3 files changed, 156 insertions(+) create mode 100644 Input-elantech-add-support-for-newer-August-2013-dev.patch create mode 100644 elantech-Properly-differentiate-between-clickpads-an.patch diff --git a/Input-elantech-add-support-for-newer-August-2013-dev.patch b/Input-elantech-add-support-for-newer-August-2013-dev.patch new file mode 100644 index 000000000..e67f2800a --- /dev/null +++ b/Input-elantech-add-support-for-newer-August-2013-dev.patch @@ -0,0 +1,36 @@ +Bugzilla: 1030802 +Upstream-status: 3.13 + +From 9cb80b965eaf7af1369f6e16f48a05fbaaccc021 Mon Sep 17 00:00:00 2001 +From: Matt Walker +Date: Thu, 5 Dec 2013 12:39:02 -0800 +Subject: [PATCH] Input: elantech - add support for newer (August 2013) devices + +Added detection for newer Elantech touchpads, so that kernel doesn't +fall-back to default PS/2 driver. Supports touchpads released after +~August 2013. Fixes bug: +https://lists.launchpad.net/kernel-packages/msg18481.html + +Tested on an Acer Aspire S7-392-6302. + +Signed-off by: Matt Walker +Signed-off-by: Dmitry Torokhov +--- + drivers/input/mouse/elantech.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 8551dca..597e9b8 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -1313,6 +1313,7 @@ static int elantech_set_properties(struct elantech_data *etd) + break; + case 6: + case 7: ++ case 8: + etd->hw_version = 4; + break; + default: +-- +1.8.3.1 + diff --git a/elantech-Properly-differentiate-between-clickpads-an.patch b/elantech-Properly-differentiate-between-clickpads-an.patch new file mode 100644 index 000000000..3fc49980b --- /dev/null +++ b/elantech-Properly-differentiate-between-clickpads-an.patch @@ -0,0 +1,110 @@ +Bugzilla: 1030802 +Upstream-status: http://www.mail-archive.com/linux-input@vger.kernel.org/msg07220.html + +From e1c7fa5fbb6688bd464658ff8a93bdf23c442065 Mon Sep 17 00:00:00 2001 +From: Hans de Goede +Date: Mon, 9 Dec 2013 15:18:04 +0100 +Subject: [PATCH v2] elantech: Properly differentiate between clickpads and + normal touchpads + +The current assumption in the elantech driver that hw version 3 touchpads are +never clickpads and hw version 4 touchpads are always clickpads is wrong. + +There are several bug reports for this, ie: +https://bugzilla.redhat.com/show_bug.cgi?id=1030802 +http://superuser.com/questions/619582/right-elantech-touchpad-button-not-working-in-linux + +I've spend a couple of hours wading through various bugzillas, +launchpads and forum posts to create a list of fw-versions and capabilities +for different laptop models to find a good method to differentiate between +clickpads and versions with separate hardware buttons. + +Which shows that a device being a clickpad is reliable indicated by bit 12 +being set in the fw_version. I've included the gathered list inside the driver, +so that we've this info at hand if we need to revisit this later. + +Signed-off-by: Hans de Goede +--- + drivers/input/mouse/elantech.c | 45 +++++++++++++++++++++++++++++++++++++++--- + 1 file changed, 42 insertions(+), 3 deletions(-) + +diff --git a/drivers/input/mouse/elantech.c b/drivers/input/mouse/elantech.c +index 597e9b8..ef1cf52 100644 +--- a/drivers/input/mouse/elantech.c ++++ b/drivers/input/mouse/elantech.c +@@ -486,6 +486,7 @@ static void elantech_input_sync_v4(struct psmouse *psmouse) + unsigned char *packet = psmouse->packet; + + input_report_key(dev, BTN_LEFT, packet[0] & 0x01); ++ input_report_key(dev, BTN_RIGHT, packet[0] & 0x02); + input_mt_report_pointer_emulation(dev, true); + input_sync(dev); + } +@@ -984,6 +985,44 @@ static int elantech_get_resolution_v4(struct psmouse *psmouse, + } + + /* ++ * Advertise INPUT_PROP_BUTTONPAD for clickpads. The testing of bit 12 in ++ * fw_version for this is based on the following fw_version & caps table: ++ * ++ * Laptop-model: fw_version: caps: buttons: ++ * Acer S3 0x461f00 10, 13, 0e clickpad ++ * Acer S7-392 0x581f01 50, 17, 0d clickpad ++ * Acer V5-131 0x461f02 01, 16, 0c clickpad ++ * Acer V5-551 0x461f00 ? clickpad ++ * Asus K53SV 0x450f01 78, 15, 0c 2 hw buttons ++ * Asus G46VW 0x460f02 00, 18, 0c 2 hw buttons ++ * Asus G750JX 0x360f00 00, 16, 0c 2 hw buttons ++ * Asus UX31 0x361f00 20, 15, 0e clickpad ++ * Asus UX32VD 0x361f02 00, 15, 0e clickpad ++ * Avatar AVIU-145A2 0x361f00 ? clickpad ++ * Gigabyte U2442 0x450f01 58, 17, 0c 2 hw buttons ++ * Lenovo L430 0x350f02 b9, 15, 0c 2 hw buttons (*) ++ * Samsung NF210 0x150b00 78, 14, 0a 2 hw buttons ++ * Samsung NP770Z5E 0x575f01 10, 15, 0f clickpad ++ * Samsung NP700Z5B 0x361f06 21, 15, 0f clickpad ++ * Samsung NP900X3E-A02 0x575f03 ? clickpad ++ * Samsung NP-QX410 0x851b00 19, 14, 0c clickpad ++ * Samsung RC512 0x450f00 08, 15, 0c 2 hw buttons ++ * Samsung RF710 0x450f00 ? 2 hw buttons ++ * System76 Pangolin 0x250f01 ? 2 hw buttons ++ * (*) + 3 trackpoint buttons ++ */ ++static void elantech_set_buttonpad_prop(struct psmouse *psmouse) ++{ ++ struct input_dev *dev = psmouse->dev; ++ struct elantech_data *etd = psmouse->private; ++ ++ if (etd->fw_version & 0x001000) { ++ __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit); ++ __clear_bit(BTN_RIGHT, dev->keybit); ++ } ++} ++ ++/* + * Set the appropriate event bits for the input subsystem + */ + static int elantech_set_input_params(struct psmouse *psmouse) +@@ -1026,6 +1065,8 @@ static int elantech_set_input_params(struct psmouse *psmouse) + __set_bit(INPUT_PROP_SEMI_MT, dev->propbit); + /* fall through */ + case 3: ++ if (etd->hw_version == 3) ++ elantech_set_buttonpad_prop(psmouse); + input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0); + input_set_abs_params(dev, ABS_Y, y_min, y_max, 0, 0); + if (etd->reports_pressure) { +@@ -1047,9 +1088,7 @@ static int elantech_set_input_params(struct psmouse *psmouse) + */ + psmouse_warn(psmouse, "couldn't query resolution data.\n"); + } +- /* v4 is clickpad, with only one button. */ +- __set_bit(INPUT_PROP_BUTTONPAD, dev->propbit); +- __clear_bit(BTN_RIGHT, dev->keybit); ++ elantech_set_buttonpad_prop(psmouse); + __set_bit(BTN_TOOL_QUADTAP, dev->keybit); + /* For X to recognize me as touchpad. */ + input_set_abs_params(dev, ABS_X, x_min, x_max, 0, 0); +-- +1.8.4.2 + diff --git a/kernel.spec b/kernel.spec index 356ed3d48..b1f1fe1ea 100644 --- a/kernel.spec +++ b/kernel.spec @@ -819,6 +819,9 @@ Patch25164: dell-laptop.patch #CVE-2013-XXXX rhbz 1039845 1039874 Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch +#rhbz 1030802 +Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch +Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch # END OF PATCH DEFINITIONS @@ -1587,6 +1590,10 @@ ApplyPatch dell-laptop.patch #CVE-2013-XXXX rhbz 1039845 1039874 ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch +#rhbz 1030802 +ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch +ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch + # END OF PATCH APPLICATIONS %endif @@ -2399,6 +2406,9 @@ fi # and build. %changelog +* Wed Dec 11 2013 Josh Boyer +- Add patches to support ETPS/2 Elantech touchpads (rhbz 1030802) + * Tue Dec 10 2013 Josh Boyer - CVE-2013-XXXX net: memory leak in recvmsg (rhbz 1039845 1039874) From 00dc7043c34f13b63b56270d1998a00df04e35dc Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Dec 2013 16:06:22 -0500 Subject: [PATCH 287/468] CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081) --- ...6-Fix-potential-divide-by-0-in-lapic.patch | 102 ++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 111 insertions(+) create mode 100644 KVM-x86-Fix-potential-divide-by-0-in-lapic.patch diff --git a/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch new file mode 100644 index 000000000..8e144dff4 --- /dev/null +++ b/KVM-x86-Fix-potential-divide-by-0-in-lapic.patch @@ -0,0 +1,102 @@ +Bugzilla: 1042081 +Upstream-status: 3.13 and sent for stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361402oab; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +X-Received: by 10.68.241.134 with SMTP id wi6mr15423072pbc.44.1386881023599; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id w3si17375457pbh.89.2013.12.12.12.43.07 + for ; + Thu, 12 Dec 2013 12:43:43 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752145Ab3LLUiu (ORCPT + + 99 others); Thu, 12 Dec 2013 15:38:50 -0500 +Received: from mail-ee0-f45.google.com ([74.125.83.45]:47138 "EHLO + mail-ee0-f45.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751902Ab3LLUhP (ORCPT + ); + Thu, 12 Dec 2013 15:37:15 -0500 +Received: by mail-ee0-f45.google.com with SMTP id d49so478739eek.32 + for ; Thu, 12 Dec 2013 12:37:13 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=Fa9qXXe9oER+jgB6WXA5v2LyR8O2Vaag7ZsOsv67MLg=; + b=WbBUzKN8o3OzB75st3w60z/rVczWaaxrvWc2URlwJwZ0lgqObvbXvAb3ophFJxsr/O + P3rEj33CGt5vFAmZWsrST8I4pVb7IPZYqmPuBklMhDmvegy2um2xEDCyIuI0oybwgple + n1dYPBTNqBhiiLgIUeKgEf88yU5dsAgKOZSTnkMYhDSy9pnGxRda4WtErJ+SHjvcMaX3 + t2Vt97egJ2n+e+2BvnpS8xZ8biqp6/l3EzvdsL4W849fUUshAKva4Npu0T/D4E3JIp2O + 3uY+geb/txJL2rOCacT3RljUb3+zAy2zhqGSjKR3AHePFNIX9RxfMi/vlPmTjO0vfmCP + H86Q== +X-Received: by 10.14.2.73 with SMTP id 49mr10139590eee.15.1386880633625; + Thu, 12 Dec 2013 12:37:13 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.11 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:12 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + Andy Honig , stable@vger.kernel.org +Subject: [PATCH] KVM: x86: Fix potential divide by 0 in lapic (CVE-2013-6367) +Date: Thu, 12 Dec 2013 21:36:52 +0100 +Message-Id: <1386880614-23300-2-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: linux-kernel-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: linux-kernel@vger.kernel.org + +From: Andy Honig + +Under guest controllable circumstances apic_get_tmcct will execute a +divide by zero and cause a crash. If the guest cpuid support +tsc deadline timers and performs the following sequence of requests +the host will crash. +- Set the mode to periodic +- Set the TMICT to 0 +- Set the mode bits to 11 (neither periodic, nor one shot, nor tsc deadline) +- Set the TMICT to non-zero. +Then the lapic_timer.period will be 0, but the TMICT will not be. If the +guest then reads from the TMCCT then the host will perform a divide by 0. + +This patch ensures that if the lapic_timer.period is 0, then the division +does not occur. + +Reported-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/lapic.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 5439117d5c4c..89b52ec7d09c 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -841,7 +841,8 @@ static u32 apic_get_tmcct(struct kvm_lapic *apic) + ASSERT(apic != NULL); + + /* if initial count is 0, current count should also be 0 */ +- if (kvm_apic_get_reg(apic, APIC_TMICT) == 0) ++ if (kvm_apic_get_reg(apic, APIC_TMICT) == 0 || ++ apic->lapic_timer.period == 0) + return 0; + + remaining = hrtimer_get_remaining(&apic->lapic_timer.timer); +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe linux-kernel" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html +Please read the FAQ at http://www.tux.org/lkml/ diff --git a/kernel.spec b/kernel.spec index b1f1fe1ea..08d95c168 100644 --- a/kernel.spec +++ b/kernel.spec @@ -823,6 +823,9 @@ Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch +#CVE-2013-6367 rhbz 1032207 1042081 +Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch + # END OF PATCH DEFINITIONS %endif @@ -1594,6 +1597,9 @@ ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch +#CVE-2013-6367 rhbz 1032207 1042081 +ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch + # END OF PATCH APPLICATIONS %endif @@ -2406,6 +2412,9 @@ fi # and build. %changelog +* Thu Dec 12 2013 Josh Boyer +- CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081) + * Wed Dec 11 2013 Josh Boyer - Add patches to support ETPS/2 Elantech touchpads (rhbz 1030802) From 5116048ce5378a71d93c7ba40ed9fdce5ab48113 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Dec 2013 16:15:05 -0500 Subject: [PATCH 288/468] CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) --- ...synchronization-to-_cached-functions.patch | 247 ++++++++++++++++++ kernel.spec | 7 + 2 files changed, 254 insertions(+) create mode 100644 KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch diff --git a/KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch b/KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch new file mode 100644 index 000000000..a37d4cf29 --- /dev/null +++ b/KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch @@ -0,0 +1,247 @@ +Bugzilla: 1042090 +Upstream-status: 3.13 and sent for stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361293oab; + Thu, 12 Dec 2013 12:41:12 -0800 (PST) +X-Received: by 10.68.244.2 with SMTP id xc2mr15600217pbc.58.1386880872483; + Thu, 12 Dec 2013 12:41:12 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id 5si8126292pbj.245.2013.12.12.12.40.49 + for ; + Thu, 12 Dec 2013 12:41:12 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1751901Ab3LLUiK (ORCPT + 64 others); + Thu, 12 Dec 2013 15:38:10 -0500 +Received: from mail-ea0-f169.google.com ([209.85.215.169]:43997 "EHLO + mail-ea0-f169.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751940Ab3LLUhR (ORCPT + ); Thu, 12 Dec 2013 15:37:17 -0500 +Received: by mail-ea0-f169.google.com with SMTP id l9so411843eaj.0 + for ; Thu, 12 Dec 2013 12:37:15 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=2MLmYgVGbv9FpnyP90yrPKk21SJoXFj93yQcaRn4G8Y=; + b=ouBadI22VTf1UuezbySC80FWJYdpF/8Ks6I8f5rq1/7SDQPTpScjOYjZX0UtIf1ihj + aeQ7IHqpmIYGKWadUbH2l88ZP1+rP7T+f2dZQeCb3HLNsPum0Ix8dzm/koeDnuS3dx75 + 50E9ZcFXO13Hx24tM8p0SAuYZ1DvbCNnPRK0yxHOmCtCWe+mQLBIgig1rg8TzSAazWm7 + 8LhpztDlIzNyZcfzKQvtdqTOBdnhadx5x39fxOe54Yw4JbppDa7R+BY5Jz6GOd3U0Op1 + Nf97rU0pe/jeyOtjF0LVs/d9iyPPeRoSE+VAr91iT8qj9S2PFEN1QxxWL8sdvsDPZK6B + ZCmw== +X-Received: by 10.14.182.199 with SMTP id o47mr10030582eem.7.1386880635352; + Thu, 12 Dec 2013 12:37:15 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.13 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:14 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + Andy Honig , stable@vger.kernel.org +Subject: [PATCH] KVM: x86: Convert vapic synchronization to _cached functions (CVE-2013-6368) +Date: Thu, 12 Dec 2013 21:36:53 +0100 +Message-Id: <1386880614-23300-3-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Andy Honig + +In kvm_lapic_sync_from_vapic and kvm_lapic_sync_to_vapic there is the +potential to corrupt kernel memory if userspace provides an address that +is at the end of a page. This patches concerts those functions to use +kvm_write_guest_cached and kvm_read_guest_cached. It also checks the +vapic_address specified by userspace during ioctl processing and returns +an error to userspace if the address is not a valid GPA. + +This is generally not guest triggerable, because the required write is +done by firmware that runs before the guest. Also, it only affects AMD +processors and oldish Intel that do not have the FlexPriority feature +(unless you disable FlexPriority, of course; then newer processors are +also affected). + +Fixes: b93463aa59d6 ('KVM: Accelerated apic support') + +Reported-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/lapic.c | 27 +++++++++++++++------------ + arch/x86/kvm/lapic.h | 4 ++-- + arch/x86/kvm/x86.c | 40 +--------------------------------------- + 3 files changed, 18 insertions(+), 53 deletions(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index 89b52ec7d09c..b8bec45c1610 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1692,7 +1692,6 @@ static void apic_sync_pv_eoi_from_guest(struct kvm_vcpu *vcpu, + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) + { + u32 data; +- void *vapic; + + if (test_bit(KVM_APIC_PV_EOI_PENDING, &vcpu->arch.apic_attention)) + apic_sync_pv_eoi_from_guest(vcpu, vcpu->arch.apic); +@@ -1700,9 +1699,8 @@ void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu) + if (!test_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention)) + return; + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- data = *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)); +- kunmap_atomic(vapic); ++ kvm_read_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + + apic_set_tpr(vcpu->arch.apic, data & 0xff); + } +@@ -1738,7 +1736,6 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu) + u32 data, tpr; + int max_irr, max_isr; + struct kvm_lapic *apic = vcpu->arch.apic; +- void *vapic; + + apic_sync_pv_eoi_to_guest(vcpu, apic); + +@@ -1754,18 +1751,24 @@ void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu) + max_isr = 0; + data = (tpr & 0xff) | ((max_isr & 0xf0) << 8) | (max_irr << 24); + +- vapic = kmap_atomic(vcpu->arch.apic->vapic_page); +- *(u32 *)(vapic + offset_in_page(vcpu->arch.apic->vapic_addr)) = data; +- kunmap_atomic(vapic); ++ kvm_write_guest_cached(vcpu->kvm, &vcpu->arch.apic->vapic_cache, &data, ++ sizeof(u32)); + } + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr) + { +- vcpu->arch.apic->vapic_addr = vapic_addr; +- if (vapic_addr) ++ if (vapic_addr) { ++ if (kvm_gfn_to_hva_cache_init(vcpu->kvm, ++ &vcpu->arch.apic->vapic_cache, ++ vapic_addr, sizeof(u32))) ++ return -EINVAL; + __set_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); +- else ++ } else { + __clear_bit(KVM_APIC_CHECK_VAPIC, &vcpu->arch.apic_attention); ++ } ++ ++ vcpu->arch.apic->vapic_addr = vapic_addr; ++ return 0; + } + + int kvm_x2apic_msr_write(struct kvm_vcpu *vcpu, u32 msr, u64 data) +diff --git a/arch/x86/kvm/lapic.h b/arch/x86/kvm/lapic.h +index c730ac9fe801..c8b0d0d2da5c 100644 +--- a/arch/x86/kvm/lapic.h ++++ b/arch/x86/kvm/lapic.h +@@ -34,7 +34,7 @@ struct kvm_lapic { + */ + void *regs; + gpa_t vapic_addr; +- struct page *vapic_page; ++ struct gfn_to_hva_cache vapic_cache; + unsigned long pending_events; + unsigned int sipi_vector; + }; +@@ -76,7 +76,7 @@ void kvm_set_lapic_tscdeadline_msr(struct kvm_vcpu *vcpu, u64 data); + void kvm_apic_write_nodecode(struct kvm_vcpu *vcpu, u32 offset); + void kvm_apic_set_eoi_accelerated(struct kvm_vcpu *vcpu, int vector); + +-void kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); ++int kvm_lapic_set_vapic_addr(struct kvm_vcpu *vcpu, gpa_t vapic_addr); + void kvm_lapic_sync_from_vapic(struct kvm_vcpu *vcpu); + void kvm_lapic_sync_to_vapic(struct kvm_vcpu *vcpu); + +diff --git a/arch/x86/kvm/x86.c b/arch/x86/kvm/x86.c +index 21ef1ba184ae..5d004da1e35d 100644 +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3214,8 +3214,7 @@ long kvm_arch_vcpu_ioctl(struct file *filp, + r = -EFAULT; + if (copy_from_user(&va, argp, sizeof va)) + goto out; +- r = 0; +- kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); ++ r = kvm_lapic_set_vapic_addr(vcpu, va.vapic_addr); + break; + } + case KVM_X86_SETUP_MCE: { +@@ -5739,36 +5738,6 @@ static void post_kvm_run_save(struct kvm_vcpu *vcpu) + !kvm_event_needs_reinjection(vcpu); + } + +-static int vapic_enter(struct kvm_vcpu *vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- struct page *page; +- +- if (!apic || !apic->vapic_addr) +- return 0; +- +- page = gfn_to_page(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- if (is_error_page(page)) +- return -EFAULT; +- +- vcpu->arch.apic->vapic_page = page; +- return 0; +-} +- +-static void vapic_exit(struct kvm_vcpu *vcpu) +-{ +- struct kvm_lapic *apic = vcpu->arch.apic; +- int idx; +- +- if (!apic || !apic->vapic_addr) +- return; +- +- idx = srcu_read_lock(&vcpu->kvm->srcu); +- kvm_release_page_dirty(apic->vapic_page); +- mark_page_dirty(vcpu->kvm, apic->vapic_addr >> PAGE_SHIFT); +- srcu_read_unlock(&vcpu->kvm->srcu, idx); +-} +- + static void update_cr8_intercept(struct kvm_vcpu *vcpu) + { + int max_irr, tpr; +@@ -6069,11 +6038,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu) + struct kvm *kvm = vcpu->kvm; + + vcpu->srcu_idx = srcu_read_lock(&kvm->srcu); +- r = vapic_enter(vcpu); +- if (r) { +- srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); +- return r; +- } + + r = 1; + while (r > 0) { +@@ -6132,8 +6096,6 @@ static int __vcpu_run(struct kvm_vcpu *vcpu) + + srcu_read_unlock(&kvm->srcu, vcpu->srcu_idx); + +- vapic_exit(vcpu); +- + return r; + } + +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 08d95c168..f755ab5d7 100644 --- a/kernel.spec +++ b/kernel.spec @@ -826,6 +826,9 @@ Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch #CVE-2013-6367 rhbz 1032207 1042081 Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch +#CVE-2013-6368 rhbz 1032210 1042090 +Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch + # END OF PATCH DEFINITIONS %endif @@ -1600,6 +1603,9 @@ ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch #CVE-2013-6367 rhbz 1032207 1042081 ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch +#CVE-2013-6368 rhbz 1032210 1042090 +ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch + # END OF PATCH APPLICATIONS %endif @@ -2413,6 +2419,7 @@ fi %changelog * Thu Dec 12 2013 Josh Boyer +- CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) - CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081) * Wed Dec 11 2013 Josh Boyer From 3ef3b885267768b89f329f670e7e402313f3065b Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Dec 2013 16:19:51 -0500 Subject: [PATCH 289/468] CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) --- ...ix-guest-initiated-crash-with-x2apic.patch | 109 ++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 116 insertions(+) create mode 100644 KVM-x86-fix-guest-initiated-crash-with-x2apic.patch diff --git a/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch new file mode 100644 index 000000000..c84fc61b9 --- /dev/null +++ b/KVM-x86-fix-guest-initiated-crash-with-x2apic.patch @@ -0,0 +1,109 @@ +Bugzilla: 1042099 +Upstream-status: 3.13 and sent for stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361370oab; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +X-Received: by 10.43.172.4 with SMTP id nw4mr8453091icc.25.1386880976232; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id 2si15667240pax.109.2013.12.12.12.42.31 + for ; + Thu, 12 Dec 2013 12:42:56 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1751853Ab3LLUiJ (ORCPT + 64 others); + Thu, 12 Dec 2013 15:38:09 -0500 +Received: from mail-ee0-f54.google.com ([74.125.83.54]:48290 "EHLO + mail-ee0-f54.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751884Ab3LLUhS (ORCPT + ); Thu, 12 Dec 2013 15:37:18 -0500 +Received: by mail-ee0-f54.google.com with SMTP id e51so406857eek.13 + for ; Thu, 12 Dec 2013 12:37:17 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=VG00enyRpNYeJLwAwqWOGuy3mCBmvpmEBgLPB1IiKNo=; + b=p0BlraPBMTIxTXGUuJyYTYRxuMKATenNpVX01fyzNpSYZsMruyMU/sJ8gdc2991eao + ZU+66Xlnbd+AyQiuq4P9sMv6Gvax6MvJg04SMZWnLWoZGonmIIwSPch1UKLSJzRN7K+N + +Ot3jLtNBYBoREljPkbscbMVOJ2y+S7N61oOZ7IHZNyXVFWDlW8aunduSgc3cytBEhkx + UMUUbHVLo+XrXtuggFrmn8oUfJ1hiHQSpOyx8bi0ztxlEjL4DEFpJsKbjRe4sGRgeUy6 + dRk+7dEcILKBTRVvXaJSriXG5bhZTbcZ5gZab27Ilm1H8Va5Z6R+9C1AwX2x5CQA7Mb1 + Edug== +X-Received: by 10.14.107.3 with SMTP id n3mr9951281eeg.67.1386880636981; + Thu, 12 Dec 2013 12:37:16 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.15 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:16 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + stable@vger.kernel.org +Subject: [PATCH] KVM: x86: fix guest-initiated crash with x2apic (CVE-2013-6376) +Date: Thu, 12 Dec 2013 21:36:54 +0100 +Message-Id: <1386880614-23300-4-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Gleb Natapov + +A guest can cause a BUG_ON() leading to a host kernel crash. +When the guest writes to the ICR to request an IPI, while in x2apic +mode the following things happen, the destination is read from +ICR2, which is a register that the guest can control. + +kvm_irq_delivery_to_apic_fast uses the high 16 bits of ICR2 as the +cluster id. A BUG_ON is triggered, which is a protection against +accessing map->logical_map with an out-of-bounds access and manages +to avoid that anything really unsafe occurs. + +The logic in the code is correct from real HW point of view. The problem +is that KVM supports only one cluster with ID 0 in clustered mode, but +the code that has the bug does not take this into account. + +Reported-by: Lars Bull +Cc: stable@vger.kernel.org +Signed-off-by: Gleb Natapov +Signed-off-by: Paolo Bonzini +--- + arch/x86/kvm/lapic.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/kvm/lapic.c b/arch/x86/kvm/lapic.c +index b8bec45c1610..801dc3fd66e1 100644 +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -143,6 +143,8 @@ static inline int kvm_apic_id(struct kvm_lapic *apic) + return (kvm_apic_get_reg(apic, APIC_ID) >> 24) & 0xff; + } + ++#define KMV_X2APIC_CID_BITS 0 ++ + static void recalculate_apic_map(struct kvm *kvm) + { + struct kvm_apic_map *new, *old = NULL; +@@ -180,7 +182,8 @@ static void recalculate_apic_map(struct kvm *kvm) + if (apic_x2apic_mode(apic)) { + new->ldr_bits = 32; + new->cid_shift = 16; +- new->cid_mask = new->lid_mask = 0xffff; ++ new->cid_mask = (1 << KMV_X2APIC_CID_BITS) - 1; ++ new->lid_mask = 0xffff; + } else if (kvm_apic_sw_enabled(apic) && + !new->cid_mask /* flat mode */ && + kvm_apic_get_reg(apic, APIC_DFR) == APIC_DFR_CLUSTER) { +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index f755ab5d7..65be86106 100644 --- a/kernel.spec +++ b/kernel.spec @@ -829,6 +829,9 @@ Patch25172: KVM-x86-Fix-potential-divide-by-0-in-lapic.patch #CVE-2013-6368 rhbz 1032210 1042090 Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch +#CVE-2013-6376 rhbz 1033106 1042099 +Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch + # END OF PATCH DEFINITIONS %endif @@ -1606,6 +1609,9 @@ ApplyPatch KVM-x86-Fix-potential-divide-by-0-in-lapic.patch #CVE-2013-6368 rhbz 1032210 1042090 ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch +#CVE-2013-6376 rhbz 1033106 1042099 +ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch + # END OF PATCH APPLICATIONS %endif @@ -2419,6 +2425,7 @@ fi %changelog * Thu Dec 12 2013 Josh Boyer +- CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) - CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) - CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081) From 695535467b15e1e31b28738f694cd223b5232423 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Thu, 12 Dec 2013 16:23:58 -0500 Subject: [PATCH 290/468] CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) --- KVM-Improve-create-VCPU-parameter.patch | 93 +++++++++++++++++++++++++ kernel.spec | 7 ++ 2 files changed, 100 insertions(+) create mode 100644 KVM-Improve-create-VCPU-parameter.patch diff --git a/KVM-Improve-create-VCPU-parameter.patch b/KVM-Improve-create-VCPU-parameter.patch new file mode 100644 index 000000000..5c5746259 --- /dev/null +++ b/KVM-Improve-create-VCPU-parameter.patch @@ -0,0 +1,93 @@ +Bugzilla: 1042071 +Upstream-status: 3.13 and sent to stable +Delivered-To: jwboyer@gmail.com +Received: by 10.76.104.107 with SMTP id gd11csp361298oab; + Thu, 12 Dec 2013 12:41:21 -0800 (PST) +X-Received: by 10.50.109.132 with SMTP id hs4mr33803866igb.34.1386880880893; + Thu, 12 Dec 2013 12:41:20 -0800 (PST) +Return-Path: +Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) + by mx.google.com with ESMTP id q8si17378346pav.173.2013.12.12.12.40.57 + for ; + Thu, 12 Dec 2013 12:41:20 -0800 (PST) +Received-SPF: pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; +Authentication-Results: mx.google.com; + spf=pass (google.com: best guess record for domain of stable-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=stable-owner@vger.kernel.org; + dkim=neutral (bad format) header.i=@gmail.com +Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand + id S1752041Ab3LLUhR (ORCPT + 64 others); + Thu, 12 Dec 2013 15:37:17 -0500 +Received: from mail-ea0-f179.google.com ([209.85.215.179]:43785 "EHLO + mail-ea0-f179.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org + with ESMTP id S1751761Ab3LLUhN (ORCPT + ); Thu, 12 Dec 2013 15:37:13 -0500 +Received: by mail-ea0-f179.google.com with SMTP id r15so485140ead.24 + for ; Thu, 12 Dec 2013 12:37:11 -0800 (PST) +DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; + d=gmail.com; s=20120113; + h=sender:from:to:cc:subject:date:message-id; + bh=3nLdta59rbActmGe9iq6aMqjNBfzfF7lqy0gb7EeI0I=; + b=fWKHZKszZQjXAVDzYAlwX8s4+UNEomYiCAX0zvDzW7A5Yiy28MUt0QbNu6288Pu+Qs + NJ38SpDcPLWzGknYOLggLa21nXsv4tX9vp4FFEY4i3H5iCVpXbvxIc+n9ZVOzWY2wkxK + HR1Xf24kJ9FPuV/LoIyu5RlHZUm95BoAe7TxRZWlkcxQ0vEOSAyZQwH4EIj6SS7fXI1d + PoqZKm7100ib0/wm6I49cF2b0EXRTSOYrgZneyniPVGpfTkpN2atNcEgdLSvAWQKEI+p + 79Dt0/BJd2CIuqgUbZBlA8pH6a119FtfrVqxVWJAmVvsv9lpkMIjJrFTj9yqpUFKeeYB + XTeA== +X-Received: by 10.14.6.136 with SMTP id 8mr9978716een.11.1386880631657; + Thu, 12 Dec 2013 12:37:11 -0800 (PST) +Received: from playground.com (net-2-35-202-54.cust.dsl.vodafone.it. [2.35.202.54]) + by mx.google.com with ESMTPSA id o47sm70323739eem.21.2013.12.12.12.37.00 + for + (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); + Thu, 12 Dec 2013 12:37:01 -0800 (PST) +From: Paolo Bonzini +To: linux-kernel@vger.kernel.org +Cc: gleb@redhat.com, kvm@vger.kernel.org, pmatouse@redhat.com, + Andy Honig , stable@vger.kernel.org +Subject: [PATCH] KVM: Improve create VCPU parameter +Date: Thu, 12 Dec 2013 21:36:51 +0100 +Message-Id: <1386880614-23300-1-git-send-email-pbonzini@redhat.com> +X-Mailer: git-send-email 1.8.3.1 +Sender: stable-owner@vger.kernel.org +Precedence: bulk +List-ID: +X-Mailing-List: stable@vger.kernel.org + +From: Andy Honig + +In multiple functions the vcpu_id is used as an offset into a bitfield. Ag +malicious user could specify a vcpu_id greater than 255 in order to set or +clear bits in kernel memory. This could be used to elevate priveges in the +kernel. This patch verifies that the vcpu_id provided is less than 255. +The api documentation already specifies that the vcpu_id must be less than +max_vcpus, but this is currently not checked. + +Reported-by: Andrew Honig +Cc: stable@vger.kernel.org +Signed-off-by: Andrew Honig +Signed-off-by: Paolo Bonzini +--- + virt/kvm/kvm_main.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/virt/kvm/kvm_main.c b/virt/kvm/kvm_main.c +index a0aa84b5941a..4f588bc94186 100644 +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1898,6 +1898,9 @@ static int kvm_vm_ioctl_create_vcpu(struct kvm *kvm, u32 id) + int r; + struct kvm_vcpu *vcpu, *v; + ++ if (id >= KVM_MAX_VCPUS) ++ return -EINVAL; ++ + vcpu = kvm_arch_vcpu_create(kvm, id); + if (IS_ERR(vcpu)) + return PTR_ERR(vcpu); +-- +1.8.3.1 + +-- +To unsubscribe from this list: send the line "unsubscribe stable" in +the body of a message to majordomo@vger.kernel.org +More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/kernel.spec b/kernel.spec index 65be86106..de61a155f 100644 --- a/kernel.spec +++ b/kernel.spec @@ -832,6 +832,9 @@ Patch25173: KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch #CVE-2013-6376 rhbz 1033106 1042099 Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch +#CVE-2013-4587 rhbz 1030986 1042071 +Patch25175: KVM-Improve-create-VCPU-parameter.patch + # END OF PATCH DEFINITIONS %endif @@ -1612,6 +1615,9 @@ ApplyPatch KVM-x86-Convert-vapic-synchronization-to-_cached-functions.patch #CVE-2013-6376 rhbz 1033106 1042099 ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch +#CVE-2013-4587 rhbz 1030986 1042071 +ApplyPatch KVM-Improve-create-VCPU-parameter.patch + # END OF PATCH APPLICATIONS %endif @@ -2425,6 +2431,7 @@ fi %changelog * Thu Dec 12 2013 Josh Boyer +- CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) - CVE-2013-6368 kvm: cross page vapic_addr access (rhbz 1032210 1042090) - CVE-2013-6367 kvm: division by 0 in apic_get_tmcct (rhbz 1032207 1042081) From efa81d6b2a37ae6a272101c98ae18268b5f1fcbc Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Mon, 16 Dec 2013 10:51:18 -0500 Subject: [PATCH 291/468] Fix host lockup in bridge code when starting from virt guest (rhbz 1025770) --- ..._handler_data-in-code-executed-on-no.patch | 83 +++++++++++++++++++ kernel.spec | 9 ++ 2 files changed, 92 insertions(+) create mode 100644 br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch diff --git a/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch b/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch new file mode 100644 index 000000000..21e749291 --- /dev/null +++ b/br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch @@ -0,0 +1,83 @@ +Bugzilla: 1025770 +Upstream-status: 3.13 (commit 859828c0ea476b42f3a) + +From 1a62121ead27a218d4b02b7130a6f5f6ca9c247e Mon Sep 17 00:00:00 2001 +From: Jiri Pirko +Date: Thu, 5 Dec 2013 16:27:37 +0100 +Subject: [PATCH] br: fix use of ->rx_handler_data in code executed on + non-rx_handler path + +br_stp_rcv() is reached by non-rx_handler path. That means there is no +guarantee that dev is bridge port and therefore simple NULL check of +->rx_handler_data is not enough. There is need to check if dev is really +bridge port and since only rcu read lock is held here, do it by checking +->rx_handler pointer. + +Note that synchronize_net() in netdev_rx_handler_unregister() ensures +this approach as valid. + +Introduced originally by: +commit f350a0a87374418635689471606454abc7beaa3a + "bridge: use rx_handler_data pointer to store net_bridge_port pointer" + +Fixed but not in the best way by: +commit b5ed54e94d324f17c97852296d61a143f01b227a + "bridge: fix RCU races with bridge port" + +Reintroduced by: +commit 716ec052d2280d511e10e90ad54a86f5b5d4dcc2 + "bridge: fix NULL pointer deref of br_port_get_rcu" + +Please apply to stable trees as well. Thanks. + +RH bugzilla reference: https://bugzilla.redhat.com/show_bug.cgi?id=1025770 + +Reported-by: Laine Stump +Debugged-by: Michael S. Tsirkin +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Jiri Pirko +Acked-by: Michael S. Tsirkin +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +--- + net/bridge/br_private.h | 10 ++++++++++ + net/bridge/br_stp_bpdu.c | 2 +- + 2 files changed, 11 insertions(+), 1 deletion(-) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index e14c33b..9a63c42 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -442,6 +442,16 @@ extern netdev_features_t br_features_recompute(struct net_bridge *br, + extern int br_handle_frame_finish(struct sk_buff *skb); + extern rx_handler_result_t br_handle_frame(struct sk_buff **pskb); + ++static inline bool br_rx_handler_check_rcu(const struct net_device *dev) ++{ ++ return rcu_dereference(dev->rx_handler) == br_handle_frame; ++} ++ ++static inline struct net_bridge_port *br_port_get_check_rcu(const struct net_device *dev) ++{ ++ return br_rx_handler_check_rcu(dev) ? br_port_get_rcu(dev) : NULL; ++} ++ + /* br_ioctl.c */ + extern int br_dev_ioctl(struct net_device *dev, struct ifreq *rq, int cmd); + extern int br_ioctl_deviceless_stub(struct net *net, unsigned int cmd, void __user *arg); +diff --git a/net/bridge/br_stp_bpdu.c b/net/bridge/br_stp_bpdu.c +index 8660ea3..bdb459d 100644 +--- a/net/bridge/br_stp_bpdu.c ++++ b/net/bridge/br_stp_bpdu.c +@@ -153,7 +153,7 @@ void br_stp_rcv(const struct stp_proto *proto, struct sk_buff *skb, + if (buf[0] != 0 || buf[1] != 0 || buf[2] != 0) + goto err; + +- p = br_port_get_rcu(dev); ++ p = br_port_get_check_rcu(dev); + if (!p) + goto err; + +-- +1.8.3.1 + diff --git a/kernel.spec b/kernel.spec index de61a155f..1200ae13c 100644 --- a/kernel.spec +++ b/kernel.spec @@ -835,6 +835,9 @@ Patch25174: KVM-x86-fix-guest-initiated-crash-with-x2apic.patch #CVE-2013-4587 rhbz 1030986 1042071 Patch25175: KVM-Improve-create-VCPU-parameter.patch +#rhbz 1025770 +Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch + # END OF PATCH DEFINITIONS %endif @@ -1618,6 +1621,9 @@ ApplyPatch KVM-x86-fix-guest-initiated-crash-with-x2apic.patch #CVE-2013-4587 rhbz 1030986 1042071 ApplyPatch KVM-Improve-create-VCPU-parameter.patch +#rhbz 1025770 +ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch + # END OF PATCH APPLICATIONS %endif @@ -2430,6 +2436,9 @@ fi # and build. %changelog +* Mon Dec 16 2013 Josh Boyer +- Fix host lockup in bridge code when starting from virt guest (rhbz 1025770) + * Thu Dec 12 2013 Josh Boyer - CVE-2013-4587 kvm: out-of-bounds access (rhbz 1030986 1042071) - CVE-2013-6376 kvm: BUG_ON in apic_cluster_id (rhbz 1033106 1042099) From 89d8614f3ed463e79477a2d19a9bee1e49ceedc3 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 17 Dec 2013 10:01:07 -0500 Subject: [PATCH 292/468] Drop acpi-sony-nonvs-blacklist.patch This still applies through some confounding patch magic, but the entries were added to the upstream kernel with commits ddf6ce45a7b and d11c78e97e1d46a93e. Over 2 years ago. Sigh. --- acpi-sony-nonvs-blacklist.patch | 38 --------------------------------- kernel.spec | 2 -- 2 files changed, 40 deletions(-) delete mode 100644 acpi-sony-nonvs-blacklist.patch diff --git a/acpi-sony-nonvs-blacklist.patch b/acpi-sony-nonvs-blacklist.patch deleted file mode 100644 index db500e8bf..000000000 --- a/acpi-sony-nonvs-blacklist.patch +++ /dev/null @@ -1,38 +0,0 @@ -diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c -index 3ed80b2..17fc718 100644 ---- a/drivers/acpi/sleep.c -+++ b/drivers/acpi/sleep.c -@@ -390,6 +390,14 @@ static struct dmi_system_id __initdata acpisleep_dmi_table[] = { - }, - { - .callback = init_nvs_nosave, -+ .ident = "Sony Vaio VGN-FW21E", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "VGN-FW21E"), -+ }, -+ }, -+ { -+ .callback = init_nvs_nosave, - .ident = "Sony Vaio VGN-SR11M", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), -diff --git a/drivers/acpi/sleep.c b/drivers/acpi/sleep.c -index 0e46fae..6d9a3ab 100644 ---- a/drivers/acpi/sleep.c -+++ b/drivers/acpi/sleep.c -@@ -398,6 +398,14 @@ static struct dmi_system_id __initdata acpisleep_dmi_table[] = { - }, - { - .callback = init_nvs_nosave, -+ .ident = "Sony Vaio VPCEB17FX", -+ .matches = { -+ DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), -+ DMI_MATCH(DMI_PRODUCT_NAME, "VPCEB17FX"), -+ }, -+ }, -+ { -+ .callback = init_nvs_nosave, - .ident = "Sony Vaio VGN-SR11M", - .matches = { - DMI_MATCH(DMI_SYS_VENDOR, "Sony Corporation"), diff --git a/kernel.spec b/kernel.spec index 1200ae13c..ceba0b808 100644 --- a/kernel.spec +++ b/kernel.spec @@ -636,7 +636,6 @@ Patch100: taint-vbox.patch Patch110: vmbugon-warnon.patch Patch390: defaults-acpi-video.patch -Patch396: acpi-sony-nonvs-blacklist.patch Patch450: input-kill-stupid-messages.patch Patch452: no-pcspkr-modalias.patch @@ -1409,7 +1408,6 @@ ApplyPatch arm-tegra-usb-no-reset-linux33.patch # ACPI ApplyPatch defaults-acpi-video.patch -ApplyPatch acpi-sony-nonvs-blacklist.patch # # PCI From 7287700fb046c789a2372a246c6e1b58a3ab0db6 Mon Sep 17 00:00:00 2001 From: Josh Boyer Date: Tue, 17 Dec 2013 11:24:37 -0500 Subject: [PATCH 293/468] Drop drm-i915-dp-stfu.patch (On Dec 17, 2013) 10:35 < jwb> ajax, drm-i915-dp-stfu.patch 10:36 < jwb> ajax, is that something upstreamable? 10:37 <@ajax> it's probably worth dropping at this point 10:37 <@ajax> if it's still as noisy as it was then it's probably worth investigating --- drm-i915-dp-stfu.patch | 53 ------------------------------------------ kernel.spec | 2 -- 2 files changed, 55 deletions(-) delete mode 100644 drm-i915-dp-stfu.patch diff --git a/drm-i915-dp-stfu.patch b/drm-i915-dp-stfu.patch deleted file mode 100644 index fb2e58ee9..000000000 --- a/drm-i915-dp-stfu.patch +++ /dev/null @@ -1,53 +0,0 @@ -diff --git a/drivers/gpu/drm/i915/intel_dp.c b/drivers/gpu/drm/i915/intel_dp.c -index fb2fbc1..0aaf67d 100644 ---- a/drivers/gpu/drm/i915/intel_dp.c -+++ b/drivers/gpu/drm/i915/intel_dp.c -@@ -283,7 +283,7 @@ intel_dp_check_edp(struct intel_dp *intel_dp) - pp_ctrl_reg = IS_VALLEYVIEW(dev) ? PIPEA_PP_CONTROL : PCH_PP_CONTROL; - - if (!ironlake_edp_have_panel_power(intel_dp) && !ironlake_edp_have_panel_vdd(intel_dp)) { -- WARN(1, "eDP powered off while attempting aux channel communication.\n"); -+ DRM_ERROR("eDP powered off while attempting aux channel communication.\n"); - DRM_DEBUG_KMS("Status 0x%08x Control 0x%08x\n", - I915_READ(pp_stat_reg), - I915_READ(pp_ctrl_reg)); -@@ -376,7 +376,7 @@ intel_dp_aux_ch(struct intel_dp *intel_dp, - } - - if (try == 3) { -- WARN(1, "dp_aux_ch not started status 0x%08x\n", -+ DRM_ERROR("dp_aux_ch not started status 0x%08x\n", - I915_READ(ch_ctl)); - ret = -EBUSY; - goto out; -@@ -995,8 +995,8 @@ void ironlake_edp_panel_vdd_on(struct intel_dp *intel_dp) - return; - DRM_DEBUG_KMS("Turn eDP VDD on\n"); - -- WARN(intel_dp->want_panel_vdd, -- "eDP VDD already requested on\n"); -+ if (intel_dp->want_panel_vdd) -+ DRM_ERROR("eDP VDD already requested on\n"); - - intel_dp->want_panel_vdd = true; - -@@ -1070,7 +1070,8 @@ void ironlake_edp_panel_vdd_off(struct intel_dp *intel_dp, bool sync) - return; - - DRM_DEBUG_KMS("Turn eDP VDD off %d\n", intel_dp->want_panel_vdd); -- WARN(!intel_dp->want_panel_vdd, "eDP VDD not forced on"); -+ if (!intel_dp->want_panel_vdd) -+ DRM_ERROR("eDP VDD not forced on"); - - intel_dp->want_panel_vdd = false; - -@@ -1144,7 +1145,8 @@ void ironlake_edp_panel_off(struct intel_dp *intel_dp) - - DRM_DEBUG_KMS("Turn eDP power off\n"); - -- WARN(!intel_dp->want_panel_vdd, "Need VDD to turn off panel\n"); -+ if (!intel_dp->want_panel_vdd) -+ DRM_ERROR("Need VDD to turn off panel\n"); - - pp = ironlake_get_pp_control(intel_dp); - /* We need to switch off panel power _and_ force vdd, for otherwise some diff --git a/kernel.spec b/kernel.spec index ceba0b808..79f7b92d8 100644 --- a/kernel.spec +++ b/kernel.spec @@ -662,7 +662,6 @@ Patch1000: devel-pekey-secure-boot-20130502.patch # nouveau + drm fixes # intel drm is all merged upstream Patch1824: drm-intel-next.patch -Patch1825: drm-i915-dp-stfu.patch # radeon drm fix # Quiet boot fixes @@ -1462,7 +1461,6 @@ ApplyPatch devel-pekey-secure-boot-20130502.patch # Intel DRM ApplyOptionalPatch drm-intel-next.patch -ApplyPatch drm-i915-dp-stfu.patch # silence the ACPI blacklist code ApplyPatch silence-acpi-blacklist.patch From bdb12fedf74ca543f63d04319f3598094d204ed8 Mon Sep 17 00:00:00 2001 From: "Justin M. Forbes" Date: Tue, 17 Dec 2013 16:01:28 -0600 Subject: [PATCH 294/468] Linux v3.12.5 --- ...ent-outgoing-reassembled-skb-properl.patch | 39 - ...RN-on-host-commands-sent-when-firmwa.patch | 35 - ...easm-skb-through-instead-of-original.patch | 499 ---- ...k-to-vmalloc-for-client-event-buffer.patch | 64 - KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch | 53 - alps-Support-for-Dell-XT2-model.patch | 25 - arm-am33xx-arm-soc-upstream.patch | 2468 +++++++++++++++++ arm-am33xx-bblack.patch | 610 ++++ arm-am33xx-cpsw.patch | 23 + arm-export-read_current_timer.patch | 10 - arm-imx6-utilite.patch | 95 + arm-omap-load-tfp410.patch | 28 +- ...ung-dma-avoid-another-64bit-division.patch | 13 + bonding-driver-alb-learning.patch | 155 -- ...auth-for-unencapsulated-auth-methods.patch | 39 - config-arm-generic | 66 +- config-armv7 | 264 +- config-armv7-generic | 164 +- config-armv7-lpae | 9 +- config-generic | 238 +- config-powerpc-generic | 5 +- config-powerpc64 | 4 + config-powerpc64p7 | 4 + config-s390x | 8 +- config-x86-32-generic | 3 +- config-x86-generic | 17 +- config-x86_64-generic | 5 +- debug-idle-sched-warn-once.patch | 19 - devel-pekey-secure-boot-20130502.patch | 6 +- drm-qxl-backport-fixes-for-Fedora.patch | 13 - ...memory-leak-in-release-list-handling.patch | 30 - drm-radeon-24hz-audio-fixes.patch | 173 -- ...-a-race-in-elevator-switching-and-md.patch | 162 -- ...uire-q-sysfs_lock-in-elevator_change.patch | 121 - fix-child-thread-introspection.patch | 76 - fix-radeon-sound.patch | 154 - ...t-in-recv_error-and-rxpmtu-functions.patch | 253 -- ...kage-of-uninitialized-memory-to-user.patch | 256 -- ...ce-from-broken-irq-remapping-warning.patch | 47 - ...oom-calculation-in-udp6_ufo_fragment.patch | 43 - ...945-better-skb-management-in-rx-path.patch | 97 - ...965-better-skb-management-in-rx-path.patch | 65 - ...dont-override-mac80211-queue-setting.patch | 98 - kernel.spec | 238 +- ...TRIM-and-apply-it-to-Micro-M500-SSDs.patch | 71 + ...ression-since-introduction-of-ts2020.patch | 30 - modsign-uefi.patch | 621 +++++ ...sg-handler-msg_name-and-msg_namelen-.patch | 774 ------ ...ntrack-use-RCU-safe-kfree-for-conntr.patch | 35 - ...ke-periodic-RTC-update-more-reliable.patch | 44 - rt2800-add-support-for-rf3070.patch | 80 - rt2800usb-slow-down-TX-status-polling.patch | 53 - sb-hibernate.patch | 112 + secure-modules.patch | 874 ++++++ silence-noise.patch | 20 +- ...o-not-check-for-duplicate-slab-names.patch | 71 - sources | 4 +- ...ssd_running-with-more-reliable-check.patch | 45 +- sysrq-secure-boot.patch | 243 ++ taint-vbox.patch | 15 - ...et-fix-status-interrupt-urb-handling.patch | 37 - ...ed-interaction-of-VFIO_IOMMU_MAP_DMA.patch | 39 - ...netif_receive_skb-use-in-irq-disable.patch | 121 - vmbugon-warnon.patch | 20 - x86-allow-1024-cpus.patch | 13 + 65 files changed, 5802 insertions(+), 4314 deletions(-) delete mode 100644 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch delete mode 100644 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch delete mode 100644 0002-netfilter-push-reasm-skb-through-instead-of-original.patch delete mode 100644 Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch delete mode 100644 KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch delete mode 100644 alps-Support-for-Dell-XT2-model.patch create mode 100644 arm-am33xx-arm-soc-upstream.patch create mode 100644 arm-am33xx-bblack.patch create mode 100644 arm-am33xx-cpsw.patch delete mode 100644 arm-export-read_current_timer.patch create mode 100644 arm-imx6-utilite.patch create mode 100644 arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch delete mode 100644 bonding-driver-alb-learning.patch delete mode 100644 cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch delete mode 100644 debug-idle-sched-warn-once.patch delete mode 100644 drm-qxl-fix-memory-leak-in-release-list-handling.patch delete mode 100644 drm-radeon-24hz-audio-fixes.patch delete mode 100644 elevator-Fix-a-race-in-elevator-switching-and-md.patch delete mode 100644 elevator-acquire-q-sysfs_lock-in-elevator_change.patch delete mode 100644 fix-child-thread-introspection.patch delete mode 100644 fix-radeon-sound.patch delete mode 100644 inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch delete mode 100644 inet-prevent-leakage-of-uninitialized-memory-to-user.patch delete mode 100644 iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch delete mode 100644 ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch delete mode 100644 iwl3945-better-skb-management-in-rx-path.patch delete mode 100644 iwl4965-better-skb-management-in-rx-path.patch delete mode 100644 iwlwifi-dvm-dont-override-mac80211-queue-setting.patch create mode 100644 libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch delete mode 100644 media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch create mode 100644 modsign-uefi.patch delete mode 100644 net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch delete mode 100644 netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch delete mode 100644 ntp-Make-periodic-RTC-update-more-reliable.patch delete mode 100644 rt2800-add-support-for-rf3070.patch delete mode 100644 rt2800usb-slow-down-TX-status-polling.patch create mode 100644 sb-hibernate.patch create mode 100644 secure-modules.patch delete mode 100644 slab_common-Do-not-check-for-duplicate-slab-names.patch create mode 100644 sysrq-secure-boot.patch delete mode 100644 taint-vbox.patch delete mode 100644 usbnet-fix-status-interrupt-urb-handling.patch delete mode 100644 vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch delete mode 100644 via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch delete mode 100644 vmbugon-warnon.patch create mode 100644 x86-allow-1024-cpus.patch diff --git a/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch b/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch deleted file mode 100644 index a19217d12..000000000 --- a/0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch +++ /dev/null @@ -1,39 +0,0 @@ -Bugzilla: 1015905 -Upstream-status: 3.13 (should hit stable) - -From 90e4e23d52fd04f228eed2c3d341136c50058b37 Mon Sep 17 00:00:00 2001 -From: Jiri Pirko -Date: Wed, 6 Nov 2013 17:52:19 +0100 -Subject: [PATCH 1/2] ip6_output: fragment outgoing reassembled skb properly - -If reassembled packet would fit into outdev MTU, it is not fragmented -according the original frag size and it is send as single big packet. - -The second case is if skb is gso. In that case fragmentation does not happen -according to the original frag size. - -This patch fixes these. - -Signed-off-by: Jiri Pirko -Signed-off-by: David S. Miller ---- - net/ipv6/ip6_output.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c -index 5b25f85..f80f2fa 100644 ---- a/net/ipv6/ip6_output.c -+++ b/net/ipv6/ip6_output.c -@@ -150,7 +150,8 @@ static int ip6_finish_output2(struct sk_buff *skb) - static int ip6_finish_output(struct sk_buff *skb) - { - if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || -- dst_allfrag(skb_dst(skb))) -+ dst_allfrag(skb_dst(skb)) || -+ (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size)) - return ip6_fragment(skb, ip6_finish_output2); - else - return ip6_finish_output2(skb); --- -1.8.3.1 - diff --git a/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch b/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch deleted file mode 100644 index 241b7d750..000000000 --- a/0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch +++ /dev/null @@ -1,35 +0,0 @@ -From 8ca95995e64f5d270889badb3e449dca91106a2b Mon Sep 17 00:00:00 2001 -From: Emmanuel Grumbach -Date: Sun, 15 Sep 2013 11:37:17 +0300 -Subject: [PATCH] iwlwifi: don't WARN on host commands sent when firmware is dead - -This triggers automatic bug reports and add no valuable -information. Print a simple error instead and drop the -host command. - -Signed-off-by: Emmanuel Grumbach -Signed-off-by: Johannes Berg ---- - drivers/net/wireless/iwlwifi/iwl-trans.h | 6 ++++-- - 1 files changed, 4 insertions(+), 2 deletions(-) - -diff --git a/drivers/net/wireless/iwlwifi/iwl-trans.h b/drivers/net/wireless/iwlwifi/iwl-trans.h -index dd57a36..80b4750 100644 ---- a/drivers/net/wireless/iwlwifi/iwl-trans.h -+++ b/drivers/net/wireless/iwlwifi/iwl-trans.h -@@ -601,8 +601,10 @@ static inline int iwl_trans_send_cmd(struct iwl_trans *trans, - { - int ret; - -- WARN_ONCE(trans->state != IWL_TRANS_FW_ALIVE, -- "%s bad state = %d", __func__, trans->state); -+ if (trans->state != IWL_TRANS_FW_ALIVE) { -+ IWL_ERR(trans, "%s bad state = %d", __func__, trans->state); -+ return -EIO; -+ } - - if (!(cmd->flags & CMD_ASYNC)) - lock_map_acquire_read(&trans->sync_cmd_lockdep_map); --- -1.7.1 - diff --git a/0002-netfilter-push-reasm-skb-through-instead-of-original.patch b/0002-netfilter-push-reasm-skb-through-instead-of-original.patch deleted file mode 100644 index 27fee5173..000000000 --- a/0002-netfilter-push-reasm-skb-through-instead-of-original.patch +++ /dev/null @@ -1,499 +0,0 @@ -Bugzilla: 1015905 -Upstream-status: 3.13 (should hit stable) - -From 5c0df04613dd39fba5d2a43eaf90a2dc1dcd8899 Mon Sep 17 00:00:00 2001 -From: Jiri Pirko -Date: Wed, 6 Nov 2013 17:52:20 +0100 -Subject: [PATCH 2/2] netfilter: push reasm skb through instead of original - frag skbs - -Pushing original fragments through causes several problems. For example -for matching, frags may not be matched correctly. Take following -example: - - -On HOSTA do: -ip6tables -I INPUT -p icmpv6 -j DROP -ip6tables -I INPUT -p icmpv6 -m icmp6 --icmpv6-type 128 -j ACCEPT - -and on HOSTB you do: -ping6 HOSTA -s2000 (MTU is 1500) - -Incoming echo requests will be filtered out on HOSTA. This issue does -not occur with smaller packets than MTU (where fragmentation does not happen) - - -As was discussed previously, the only correct solution seems to be to use -reassembled skb instead of separete frags. Doing this has positive side -effects in reducing sk_buff by one pointer (nfct_reasm) and also the reams -dances in ipvs and conntrack can be removed. - -Future plan is to remove net/ipv6/netfilter/nf_conntrack_reasm.c -entirely and use code in net/ipv6/reassembly.c instead. - -Signed-off-by: Jiri Pirko -Acked-by: Julian Anastasov -Signed-off-by: Marcelo Ricardo Leitner -Signed-off-by: David S. Miller - -Conflicts: - include/net/netfilter/ipv6/nf_defrag_ipv6.h - net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c - net/ipv6/netfilter/nf_defrag_ipv6_hooks.c - net/netfilter/ipvs/ip_vs_core.c ---- - include/linux/skbuff.h | 32 --------------- - include/net/ip_vs.h | 32 +-------------- - include/net/netfilter/ipv6/nf_defrag_ipv6.h | 5 +-- - net/core/skbuff.c | 3 -- - net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c | 54 +------------------------ - net/ipv6/netfilter/nf_conntrack_reasm.c | 19 +-------- - net/ipv6/netfilter/nf_defrag_ipv6_hooks.c | 7 +++- - net/netfilter/ipvs/ip_vs_core.c | 55 +------------------------- - net/netfilter/ipvs/ip_vs_pe_sip.c | 8 +--- - 9 files changed, 13 insertions(+), 202 deletions(-) - -diff --git a/include/linux/skbuff.h b/include/linux/skbuff.h -index 6bd165b..37b4517 100644 ---- a/include/linux/skbuff.h -+++ b/include/linux/skbuff.h -@@ -333,11 +333,6 @@ typedef unsigned int sk_buff_data_t; - typedef unsigned char *sk_buff_data_t; - #endif - --#if defined(CONFIG_NF_DEFRAG_IPV4) || defined(CONFIG_NF_DEFRAG_IPV4_MODULE) || \ -- defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) --#define NET_SKBUFF_NF_DEFRAG_NEEDED 1 --#endif -- - /** - * struct sk_buff - socket buffer - * @next: Next buffer in list -@@ -370,7 +365,6 @@ typedef unsigned char *sk_buff_data_t; - * @protocol: Packet protocol from driver - * @destructor: Destruct function - * @nfct: Associated connection, if any -- * @nfct_reasm: netfilter conntrack re-assembly pointer - * @nf_bridge: Saved data about a bridged frame - see br_netfilter.c - * @skb_iif: ifindex of device we arrived on - * @tc_index: Traffic control index -@@ -459,9 +453,6 @@ struct sk_buff { - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) - struct nf_conntrack *nfct; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- struct sk_buff *nfct_reasm; --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - struct nf_bridge_info *nf_bridge; - #endif -@@ -2603,18 +2594,6 @@ static inline void nf_conntrack_get(struct nf_conntrack *nfct) - atomic_inc(&nfct->use); - } - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED --static inline void nf_conntrack_get_reasm(struct sk_buff *skb) --{ -- if (skb) -- atomic_inc(&skb->users); --} --static inline void nf_conntrack_put_reasm(struct sk_buff *skb) --{ -- if (skb) -- kfree_skb(skb); --} --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - static inline void nf_bridge_put(struct nf_bridge_info *nf_bridge) - { -@@ -2633,10 +2612,6 @@ static inline void nf_reset(struct sk_buff *skb) - nf_conntrack_put(skb->nfct); - skb->nfct = NULL; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(skb->nfct_reasm); -- skb->nfct_reasm = NULL; --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(skb->nf_bridge); - skb->nf_bridge = NULL; -@@ -2658,10 +2633,6 @@ static inline void __nf_copy(struct sk_buff *dst, const struct sk_buff *src) - nf_conntrack_get(src->nfct); - dst->nfctinfo = src->nfctinfo; - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- dst->nfct_reasm = src->nfct_reasm; -- nf_conntrack_get_reasm(src->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - dst->nf_bridge = src->nf_bridge; - nf_bridge_get(src->nf_bridge); -@@ -2673,9 +2644,6 @@ static inline void nf_copy(struct sk_buff *dst, const struct sk_buff *src) - #if defined(CONFIG_NF_CONNTRACK) || defined(CONFIG_NF_CONNTRACK_MODULE) - nf_conntrack_put(dst->nfct); - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(dst->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(dst->nf_bridge); - #endif -diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h -index f0d70f0..ff21521 100644 ---- a/include/net/ip_vs.h -+++ b/include/net/ip_vs.h -@@ -109,7 +109,6 @@ extern int ip_vs_conn_tab_size; - struct ip_vs_iphdr { - __u32 len; /* IPv4 simply where L4 starts - IPv6 where L4 Transport Header starts */ -- __u32 thoff_reasm; /* Transport Header Offset in nfct_reasm skb */ - __u16 fragoffs; /* IPv6 fragment offset, 0 if first frag (or not frag)*/ - __s16 protocol; - __s32 flags; -@@ -117,34 +116,12 @@ struct ip_vs_iphdr { - union nf_inet_addr daddr; - }; - --/* Dependency to module: nf_defrag_ipv6 */ --#if defined(CONFIG_NF_DEFRAG_IPV6) || defined(CONFIG_NF_DEFRAG_IPV6_MODULE) --static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) --{ -- return skb->nfct_reasm; --} --static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, -- int len, void *buffer, -- const struct ip_vs_iphdr *ipvsh) --{ -- if (unlikely(ipvsh->fragoffs && skb_nfct_reasm(skb))) -- return skb_header_pointer(skb_nfct_reasm(skb), -- ipvsh->thoff_reasm, len, buffer); -- -- return skb_header_pointer(skb, offset, len, buffer); --} --#else --static inline struct sk_buff *skb_nfct_reasm(const struct sk_buff *skb) --{ -- return NULL; --} - static inline void *frag_safe_skb_hp(const struct sk_buff *skb, int offset, - int len, void *buffer, - const struct ip_vs_iphdr *ipvsh) - { - return skb_header_pointer(skb, offset, len, buffer); - } --#endif - - static inline void - ip_vs_fill_ip4hdr(const void *nh, struct ip_vs_iphdr *iphdr) -@@ -171,19 +148,12 @@ ip_vs_fill_iph_skb(int af, const struct sk_buff *skb, struct ip_vs_iphdr *iphdr) - (struct ipv6hdr *)skb_network_header(skb); - iphdr->saddr.in6 = iph->saddr; - iphdr->daddr.in6 = iph->daddr; -- /* ipv6_find_hdr() updates len, flags, thoff_reasm */ -- iphdr->thoff_reasm = 0; -+ /* ipv6_find_hdr() updates len, flags */ - iphdr->len = 0; - iphdr->flags = 0; - iphdr->protocol = ipv6_find_hdr(skb, &iphdr->len, -1, - &iphdr->fragoffs, - &iphdr->flags); -- /* get proto from re-assembled packet and it's offset */ -- if (skb_nfct_reasm(skb)) -- iphdr->protocol = ipv6_find_hdr(skb_nfct_reasm(skb), -- &iphdr->thoff_reasm, -- -1, NULL, NULL); -- - } else - #endif - { -diff --git a/include/net/netfilter/ipv6/nf_defrag_ipv6.h b/include/net/netfilter/ipv6/nf_defrag_ipv6.h -index fd79c9a..17920d8 100644 ---- a/include/net/netfilter/ipv6/nf_defrag_ipv6.h -+++ b/include/net/netfilter/ipv6/nf_defrag_ipv6.h -@@ -6,10 +6,7 @@ extern void nf_defrag_ipv6_enable(void); - extern int nf_ct_frag6_init(void); - extern void nf_ct_frag6_cleanup(void); - extern struct sk_buff *nf_ct_frag6_gather(struct sk_buff *skb, u32 user); --extern void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, -- struct net_device *in, -- struct net_device *out, -- int (*okfn)(struct sk_buff *)); -+extern void nf_ct_frag6_consume_orig(struct sk_buff *skb); - - struct inet_frags_ctl; - -diff --git a/net/core/skbuff.c b/net/core/skbuff.c -index 2c3d0f5..a75022e 100644 ---- a/net/core/skbuff.c -+++ b/net/core/skbuff.c -@@ -580,9 +580,6 @@ static void skb_release_head_state(struct sk_buff *skb) - #if IS_ENABLED(CONFIG_NF_CONNTRACK) - nf_conntrack_put(skb->nfct); - #endif --#ifdef NET_SKBUFF_NF_DEFRAG_NEEDED -- nf_conntrack_put_reasm(skb->nfct_reasm); --#endif - #ifdef CONFIG_BRIDGE_NETFILTER - nf_bridge_put(skb->nf_bridge); - #endif -diff --git a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -index c9b6a6e..97cd750 100644 ---- a/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -+++ b/net/ipv6/netfilter/nf_conntrack_l3proto_ipv6.c -@@ -172,63 +172,13 @@ out: - return nf_conntrack_confirm(skb); - } - --static unsigned int __ipv6_conntrack_in(struct net *net, -- unsigned int hooknum, -- struct sk_buff *skb, -- const struct net_device *in, -- const struct net_device *out, -- int (*okfn)(struct sk_buff *)) --{ -- struct sk_buff *reasm = skb->nfct_reasm; -- const struct nf_conn_help *help; -- struct nf_conn *ct; -- enum ip_conntrack_info ctinfo; -- -- /* This packet is fragmented and has reassembled packet. */ -- if (reasm) { -- /* Reassembled packet isn't parsed yet ? */ -- if (!reasm->nfct) { -- unsigned int ret; -- -- ret = nf_conntrack_in(net, PF_INET6, hooknum, reasm); -- if (ret != NF_ACCEPT) -- return ret; -- } -- -- /* Conntrack helpers need the entire reassembled packet in the -- * POST_ROUTING hook. In case of unconfirmed connections NAT -- * might reassign a helper, so the entire packet is also -- * required. -- */ -- ct = nf_ct_get(reasm, &ctinfo); -- if (ct != NULL && !nf_ct_is_untracked(ct)) { -- help = nfct_help(ct); -- if ((help && help->helper) || !nf_ct_is_confirmed(ct)) { -- nf_conntrack_get_reasm(reasm); -- NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, -- (struct net_device *)in, -- (struct net_device *)out, -- okfn, NF_IP6_PRI_CONNTRACK + 1); -- return NF_DROP_ERR(-ECANCELED); -- } -- } -- -- nf_conntrack_get(reasm->nfct); -- skb->nfct = reasm->nfct; -- skb->nfctinfo = reasm->nfctinfo; -- return NF_ACCEPT; -- } -- -- return nf_conntrack_in(net, PF_INET6, hooknum, skb); --} -- - static unsigned int ipv6_conntrack_in(unsigned int hooknum, - struct sk_buff *skb, - const struct net_device *in, - const struct net_device *out, - int (*okfn)(struct sk_buff *)) - { -- return __ipv6_conntrack_in(dev_net(in), hooknum, skb, in, out, okfn); -+ return nf_conntrack_in(dev_net(in), PF_INET6, hooknum, skb); - } - - static unsigned int ipv6_conntrack_local(unsigned int hooknum, -@@ -242,7 +192,7 @@ static unsigned int ipv6_conntrack_local(unsigned int hooknum, - net_notice_ratelimited("ipv6_conntrack_local: packet too short\n"); - return NF_ACCEPT; - } -- return __ipv6_conntrack_in(dev_net(out), hooknum, skb, in, out, okfn); -+ return nf_conntrack_in(dev_net(out), PF_INET6, hooknum, skb); - } - - static struct nf_hook_ops ipv6_conntrack_ops[] __read_mostly = { -diff --git a/net/ipv6/netfilter/nf_conntrack_reasm.c b/net/ipv6/netfilter/nf_conntrack_reasm.c -index dffdc1a..253566a 100644 ---- a/net/ipv6/netfilter/nf_conntrack_reasm.c -+++ b/net/ipv6/netfilter/nf_conntrack_reasm.c -@@ -621,31 +621,16 @@ ret_orig: - return skb; - } - --void nf_ct_frag6_output(unsigned int hooknum, struct sk_buff *skb, -- struct net_device *in, struct net_device *out, -- int (*okfn)(struct sk_buff *)) -+void nf_ct_frag6_consume_orig(struct sk_buff *skb) - { - struct sk_buff *s, *s2; -- unsigned int ret = 0; - - for (s = NFCT_FRAG6_CB(skb)->orig; s;) { -- nf_conntrack_put_reasm(s->nfct_reasm); -- nf_conntrack_get_reasm(skb); -- s->nfct_reasm = skb; -- - s2 = s->next; - s->next = NULL; -- -- if (ret != -ECANCELED) -- ret = NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, s, -- in, out, okfn, -- NF_IP6_PRI_CONNTRACK_DEFRAG + 1); -- else -- kfree_skb(s); -- -+ consume_skb(s); - s = s2; - } -- nf_conntrack_put_reasm(skb); - } - - static int nf_ct_net_init(struct net *net) -diff --git a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -index aacd121..581dd9e 100644 ---- a/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -+++ b/net/ipv6/netfilter/nf_defrag_ipv6_hooks.c -@@ -75,8 +75,11 @@ static unsigned int ipv6_defrag(unsigned int hooknum, - if (reasm == skb) - return NF_ACCEPT; - -- nf_ct_frag6_output(hooknum, reasm, (struct net_device *)in, -- (struct net_device *)out, okfn); -+ nf_ct_frag6_consume_orig(reasm); -+ -+ NF_HOOK_THRESH(NFPROTO_IPV6, hooknum, reasm, -+ (struct net_device *) in, (struct net_device *) out, -+ okfn, NF_IP6_PRI_CONNTRACK_DEFRAG + 1); - - return NF_STOLEN; - } -diff --git a/net/netfilter/ipvs/ip_vs_core.c b/net/netfilter/ipvs/ip_vs_core.c -index 4f69e83..1517b50 100644 ---- a/net/netfilter/ipvs/ip_vs_core.c -+++ b/net/netfilter/ipvs/ip_vs_core.c -@@ -1131,12 +1131,6 @@ ip_vs_out(unsigned int hooknum, struct sk_buff *skb, int af) - ip_vs_fill_iph_skb(af, skb, &iph); - #ifdef CONFIG_IP_VS_IPV6 - if (af == AF_INET6) { -- if (!iph.fragoffs && skb_nfct_reasm(skb)) { -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- /* Save fw mark for coming frags */ -- reasm->ipvs_property = 1; -- reasm->mark = skb->mark; -- } - if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { - int related; - int verdict = ip_vs_out_icmp_v6(skb, &related, -@@ -1606,12 +1600,6 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) - - #ifdef CONFIG_IP_VS_IPV6 - if (af == AF_INET6) { -- if (!iph.fragoffs && skb_nfct_reasm(skb)) { -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- /* Save fw mark for coming frags. */ -- reasm->ipvs_property = 1; -- reasm->mark = skb->mark; -- } - if (unlikely(iph.protocol == IPPROTO_ICMPV6)) { - int related; - int verdict = ip_vs_in_icmp_v6(skb, &related, hooknum, -@@ -1663,9 +1651,8 @@ ip_vs_in(unsigned int hooknum, struct sk_buff *skb, int af) - /* sorry, all this trouble for a no-hit :) */ - IP_VS_DBG_PKT(12, af, pp, skb, 0, - "ip_vs_in: packet continues traversal as normal"); -- if (iph.fragoffs && !skb_nfct_reasm(skb)) { -+ if (iph.fragoffs) { - /* Fragment that couldn't be mapped to a conn entry -- * and don't have any pointer to a reasm skb - * is missing module nf_defrag_ipv6 - */ - IP_VS_DBG_RL("Unhandled frag, load nf_defrag_ipv6\n"); -@@ -1748,38 +1735,6 @@ ip_vs_local_request4(unsigned int hooknum, struct sk_buff *skb, - #ifdef CONFIG_IP_VS_IPV6 - - /* -- * AF_INET6 fragment handling -- * Copy info from first fragment, to the rest of them. -- */ --static unsigned int --ip_vs_preroute_frag6(unsigned int hooknum, struct sk_buff *skb, -- const struct net_device *in, -- const struct net_device *out, -- int (*okfn)(struct sk_buff *)) --{ -- struct sk_buff *reasm = skb_nfct_reasm(skb); -- struct net *net; -- -- /* Skip if not a "replay" from nf_ct_frag6_output or first fragment. -- * ipvs_property is set when checking first fragment -- * in ip_vs_in() and ip_vs_out(). -- */ -- if (reasm) -- IP_VS_DBG(2, "Fragment recv prop:%d\n", reasm->ipvs_property); -- if (!reasm || !reasm->ipvs_property) -- return NF_ACCEPT; -- -- net = skb_net(skb); -- if (!net_ipvs(net)->enable) -- return NF_ACCEPT; -- -- /* Copy stored fw mark, saved in ip_vs_{in,out} */ -- skb->mark = reasm->mark; -- -- return NF_ACCEPT; --} -- --/* - * AF_INET6 handler in NF_INET_LOCAL_IN chain - * Schedule and forward packets from remote clients - */ -@@ -1916,14 +1871,6 @@ static struct nf_hook_ops ip_vs_ops[] __read_mostly = { - .priority = 100, - }, - #ifdef CONFIG_IP_VS_IPV6 -- /* After mangle & nat fetch 2:nd fragment and following */ -- { -- .hook = ip_vs_preroute_frag6, -- .owner = THIS_MODULE, -- .pf = NFPROTO_IPV6, -- .hooknum = NF_INET_PRE_ROUTING, -- .priority = NF_IP6_PRI_NAT_DST + 1, -- }, - /* After packet filtering, change source only for VS/NAT */ - { - .hook = ip_vs_reply6, -diff --git a/net/netfilter/ipvs/ip_vs_pe_sip.c b/net/netfilter/ipvs/ip_vs_pe_sip.c -index 9ef22bd..bed5f70 100644 ---- a/net/netfilter/ipvs/ip_vs_pe_sip.c -+++ b/net/netfilter/ipvs/ip_vs_pe_sip.c -@@ -65,7 +65,6 @@ static int get_callid(const char *dptr, unsigned int dataoff, - static int - ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - { -- struct sk_buff *reasm = skb_nfct_reasm(skb); - struct ip_vs_iphdr iph; - unsigned int dataoff, datalen, matchoff, matchlen; - const char *dptr; -@@ -79,15 +78,10 @@ ip_vs_sip_fill_param(struct ip_vs_conn_param *p, struct sk_buff *skb) - /* todo: IPv6 fragments: - * I think this only should be done for the first fragment. /HS - */ -- if (reasm) { -- skb = reasm; -- dataoff = iph.thoff_reasm + sizeof(struct udphdr); -- } else -- dataoff = iph.len + sizeof(struct udphdr); -+ dataoff = iph.len + sizeof(struct udphdr); - - if (dataoff >= skb->len) - return -EINVAL; -- /* todo: Check if this will mess-up the reasm skb !!! /HS */ - retc = skb_linearize(skb); - if (retc < 0) - return retc; --- -1.8.3.1 - diff --git a/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch b/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch deleted file mode 100644 index da1b92ed8..000000000 --- a/Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch +++ /dev/null @@ -1,64 +0,0 @@ -From 92eb77d0ffbaa71b501a0a8dabf09a351bf4267f Mon Sep 17 00:00:00 2001 -From: Daniel Stone -Date: Thu, 31 Oct 2013 07:25:34 +0000 -Subject: Input: evdev - fall back to vmalloc for client event buffer - -evdev always tries to allocate the event buffer for clients using -kzalloc rather than vmalloc, presumably to avoid mapping overhead where -possible. However, drivers like bcm5974, which claims support for -reporting 16 fingers simultaneously, can have an extraordinarily large -buffer. The resultant contiguous order-4 allocation attempt fails due -to fragmentation, and the device is thus unusable until reboot. - -Try kzalloc if we can to avoid the mapping overhead, but if that fails, -fall back to vzalloc. - -Signed-off-by: Daniel Stone -Signed-off-by: Dmitry Torokhov ---- -diff --git a/drivers/input/evdev.c b/drivers/input/evdev.c -index b6ded17..a06e125 100644 ---- a/drivers/input/evdev.c -+++ b/drivers/input/evdev.c -@@ -18,6 +18,8 @@ - #include - #include - #include -+#include -+#include - #include - #include - #include -@@ -369,7 +371,11 @@ static int evdev_release(struct inode *inode, struct file *file) - mutex_unlock(&evdev->mutex); - - evdev_detach_client(evdev, client); -- kfree(client); -+ -+ if (is_vmalloc_addr(client)) -+ vfree(client); -+ else -+ kfree(client); - - evdev_close_device(evdev); - -@@ -389,12 +395,14 @@ static int evdev_open(struct inode *inode, struct file *file) - { - struct evdev *evdev = container_of(inode->i_cdev, struct evdev, cdev); - unsigned int bufsize = evdev_compute_buffer_size(evdev->handle.dev); -+ unsigned int size = sizeof(struct evdev_client) + -+ bufsize * sizeof(struct input_event); - struct evdev_client *client; - int error; - -- client = kzalloc(sizeof(struct evdev_client) + -- bufsize * sizeof(struct input_event), -- GFP_KERNEL); -+ client = kzalloc(size, GFP_KERNEL | __GFP_NOWARN); -+ if (!client) -+ client = vzalloc(size); - if (!client) - return -ENOMEM; - --- -cgit v0.9.2 diff --git a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch b/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch deleted file mode 100644 index 65a48c349..000000000 --- a/KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch +++ /dev/null @@ -1,53 +0,0 @@ -Bugzilla: 967652 -Upstream-status: 3.13 (should hit stable) - -From daf727225b8abfdfe424716abac3d15a3ac5626a Mon Sep 17 00:00:00 2001 -From: Paolo Bonzini -Date: Thu, 31 Oct 2013 23:05:24 +0100 -Subject: [PATCH] KVM: x86: fix emulation of "movzbl %bpl, %eax" - -When I was looking at RHEL5.9's failure to start with -unrestricted_guest=0/emulate_invalid_guest_state=1, I got it working with a -slightly older tree than kvm.git. I now debugged the remaining failure, -which was introduced by commit 660696d1 (KVM: X86 emulator: fix -source operand decoding for 8bit mov[zs]x instructions, 2013-04-24) -introduced a similar mis-emulation to the one in commit 8acb4207 (KVM: -fix sil/dil/bpl/spl in the mod/rm fields, 2013-05-30). The incorrect -decoding occurs in 8-bit movzx/movsx instructions whose 8-bit operand -is sil/dil/bpl/spl. - -Needless to say, "movzbl %bpl, %eax" does occur in RHEL5.9's decompression -prolog, just a handful of instructions before finally giving control to -the decompressed vmlinux and getting out of the invalid guest state. - -Because OpMem8 bypasses decode_modrm, the same handling of the REX prefix -must be applied to OpMem8. - -Reported-by: Michele Baldessari -Cc: stable@vger.kernel.org -Cc: Gleb Natapov -Signed-off-by: Paolo Bonzini -Signed-off-by: Gleb Natapov ---- - arch/x86/kvm/emulate.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c -index 16c037e..282d28c 100644 ---- a/arch/x86/kvm/emulate.c -+++ b/arch/x86/kvm/emulate.c -@@ -4117,7 +4117,10 @@ static int decode_operand(struct x86_emulate_ctxt *ctxt, struct operand *op, - case OpMem8: - ctxt->memop.bytes = 1; - if (ctxt->memop.type == OP_REG) { -- ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, 1); -+ int highbyte_regs = ctxt->rex_prefix == 0; -+ -+ ctxt->memop.addr.reg = decode_register(ctxt, ctxt->modrm_rm, -+ highbyte_regs); - fetch_register_operand(&ctxt->memop); - } - goto mem_common; --- -1.8.3.1 - diff --git a/alps-Support-for-Dell-XT2-model.patch b/alps-Support-for-Dell-XT2-model.patch deleted file mode 100644 index 453a6983a..000000000 --- a/alps-Support-for-Dell-XT2-model.patch +++ /dev/null @@ -1,25 +0,0 @@ -From 7673be51f16e978a438bca8ac1bf9e939b7ed7a6 Mon Sep 17 00:00:00 2001 -From: Yunkang Tang -Date: Thu, 24 Oct 2013 13:39:08 +0800 -Subject: [PATCH] Support for Dell XT2 model - -Signed-off-by: Yunkang Tang ---- - drivers/input/mouse/alps.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/input/mouse/alps.c b/drivers/input/mouse/alps.c -index ca7a26f..24b3626 100644 ---- a/drivers/input/mouse/alps.c -+++ b/drivers/input/mouse/alps.c -@@ -103,6 +103,7 @@ static const struct alps_model_info alps_model_data[] = { - /* Dell Latitude E5500, E6400, E6500, Precision M4400 */ - { { 0x62, 0x02, 0x14 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, - ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, -+ { { 0x73, 0x00, 0x14 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, ALPS_DUALPOINT }, /* Dell XT2 */ - { { 0x73, 0x02, 0x50 }, 0x00, ALPS_PROTO_V2, 0xcf, 0xcf, ALPS_FOUR_BUTTONS }, /* Dell Vostro 1400 */ - { { 0x52, 0x01, 0x14 }, 0x00, ALPS_PROTO_V2, 0xff, 0xff, - ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, /* Toshiba Tecra A11-11L */ --- -1.8.1.2 - diff --git a/arm-am33xx-arm-soc-upstream.patch b/arm-am33xx-arm-soc-upstream.patch new file mode 100644 index 000000000..3129c1a7a --- /dev/null +++ b/arm-am33xx-arm-soc-upstream.patch @@ -0,0 +1,2468 @@ +Bugzilla: 1012025 +Upstream-status: Landed in 3.13-rc1 + +From 9096ef3ab805b2e9fda732f3128a761810c1dea4 Mon Sep 17 00:00:00 2001 +From: Alexandre Belloni +Date: Sat, 3 Aug 2013 20:00:54 +0200 +Subject: [PATCH 01/15] ARM: dts: AM33XX: Add PMU support + +ARM Performance Monitor Units are available on the am33xx, +add the support in the dtsi. + +Tested with perf and oprofile on a regular beaglebone. + +Signed-off-by: Alexandre Belloni +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am33xx.dtsi | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index f9c5da9..4d1c632 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -57,6 +57,11 @@ + }; + }; + ++ pmu { ++ compatible = "arm,cortex-a8-pmu"; ++ interrupts = <3>; ++ }; ++ + /* + * The soc node represents the soc top level view. It is uses for IPs + * that are not memory mapped in the MPU view or for the MPU itself. +-- +1.8.4.rc3 + +From 41bae5a6301ff1cd48fd0c4ff32146059b8e1b73 Mon Sep 17 00:00:00 2001 +From: Lars Poeschel +Date: Wed, 7 Aug 2013 13:06:32 +0200 +Subject: [PATCH 02/15] ARM: dts: AM33xx: Correct gpio #interrupt-cells + property + +Following commit ff5c9059 and therefore other omap platforms using +the gpio-omap driver correct the #interrupt-cells property on am33xx +too. The omap gpio binding documentaion also states that +the #interrupt-cells property should be 2. + +Signed-off-by: Lars Poeschel +Reviewed-by: Javier Martinez Canillas +Acked-by: Mark Rutland +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am33xx.dtsi | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index 4d1c632..a7731ea 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -111,7 +111,7 @@ + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +- #interrupt-cells = <1>; ++ #interrupt-cells = <2>; + reg = <0x44e07000 0x1000>; + interrupts = <96>; + }; +@@ -122,7 +122,7 @@ + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +- #interrupt-cells = <1>; ++ #interrupt-cells = <2>; + reg = <0x4804c000 0x1000>; + interrupts = <98>; + }; +@@ -133,7 +133,7 @@ + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +- #interrupt-cells = <1>; ++ #interrupt-cells = <2>; + reg = <0x481ac000 0x1000>; + interrupts = <32>; + }; +@@ -144,7 +144,7 @@ + gpio-controller; + #gpio-cells = <2>; + interrupt-controller; +- #interrupt-cells = <1>; ++ #interrupt-cells = <2>; + reg = <0x481ae000 0x1000>; + interrupts = <62>; + }; +-- +1.8.4.rc3 + +From 200835d6072367d401cc6eb76b05fef2a2919291 Mon Sep 17 00:00:00 2001 +From: Matt Porter +Date: Tue, 10 Sep 2013 14:24:37 -0500 +Subject: [PATCH 03/15] ARM: dts: AM33XX: Add EDMA support + +Adds AM33XX EDMA support to the am33xx.dtsi as documented in +Documentation/devicetree/bindings/dma/ti-edma.txt + +[Joel Fernandes ] +Drop DT entries that are non-hardware-description as discussed in [1] + +[1] https://patchwork.kernel.org/patch/2226761/ + +Signed-off-by: Matt Porter +Signed-off-by: Joel A Fernandes +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am33xx.dtsi | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index a7731ea..7a53e07 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -105,6 +105,18 @@ + reg = <0x48200000 0x1000>; + }; + ++ edma: edma@49000000 { ++ compatible = "ti,edma3"; ++ ti,hwmods = "tpcc", "tptc0", "tptc1", "tptc2"; ++ reg = <0x49000000 0x10000>, ++ <0x44e10f90 0x10>; ++ interrupts = <12 13 14>; ++ #dma-cells = <1>; ++ dma-channels = <64>; ++ ti,edma-regions = <4>; ++ ti,edma-slots = <256>; ++ }; ++ + gpio0: gpio@44e07000 { + compatible = "ti,omap4-gpio"; + ti,hwmods = "gpio1"; +-- +1.8.4.rc3 + +From 62ca70c0e2dfc1a4e9225b801cd769fd92f6de7c Mon Sep 17 00:00:00 2001 +From: Matt Porter +Date: Tue, 10 Sep 2013 14:24:38 -0500 +Subject: [PATCH 04/15] ARM: dts: AM33XX: Add SPI DMA support + +Adds DMA resources to the AM33XX SPI nodes. + +Signed-off-by: Matt Porter +Signed-off-by: Joel A Fernandes +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am33xx.dtsi | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index 7a53e07..9cd60bf 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -340,6 +340,11 @@ + interrupts = <65>; + ti,spi-num-cs = <2>; + ti,hwmods = "spi0"; ++ dmas = <&edma 16 ++ &edma 17 ++ &edma 18 ++ &edma 19>; ++ dma-names = "tx0", "rx0", "tx1", "rx1"; + status = "disabled"; + }; + +@@ -351,6 +356,11 @@ + interrupts = <125>; + ti,spi-num-cs = <2>; + ti,hwmods = "spi1"; ++ dmas = <&edma 42 ++ &edma 43 ++ &edma 44 ++ &edma 45>; ++ dma-names = "tx0", "rx0", "tx1", "rx1"; + status = "disabled"; + }; + +-- +1.8.4.rc3 + +From de80038efb2254fd72e77f848eb867fc193b5a74 Mon Sep 17 00:00:00 2001 +From: Matt Porter +Date: Tue, 10 Sep 2013 14:24:39 -0500 +Subject: [PATCH 05/15] ARM: dts: AM33XX: Add MMC support and documentation + +Adds AM33XX MMC support for am335x-bone, am335x-evm and am335x-evmsk boards. + +Also added is the DMA binding definitions based on the generic DMA request +binding. + +Additional changes made to DTS: +* Interrupt, reg and compatible properties added +* ti,needs-special-hs-handling added + +Signed-off-by: Matt Porter +Acked-by: Tony Lindgren +Signed-off-by: Joel Fernandes +Signed-off-by: Benoit Cousson +--- + .../devicetree/bindings/mmc/ti-omap-hsmmc.txt | 26 ++++++++++++++- + arch/arm/boot/dts/am335x-bone.dts | 11 +++++++ + arch/arm/boot/dts/am335x-evm.dts | 7 ++++ + arch/arm/boot/dts/am335x-evmsk.dts | 7 ++++ + arch/arm/boot/dts/am33xx.dtsi | 38 ++++++++++++++++++++++ + 5 files changed, 88 insertions(+), 1 deletion(-) + +diff --git a/Documentation/devicetree/bindings/mmc/ti-omap-hsmmc.txt b/Documentation/devicetree/bindings/mmc/ti-omap-hsmmc.txt +index ed271fc..8c8908a 100644 +--- a/Documentation/devicetree/bindings/mmc/ti-omap-hsmmc.txt ++++ b/Documentation/devicetree/bindings/mmc/ti-omap-hsmmc.txt +@@ -20,8 +20,29 @@ ti,dual-volt: boolean, supports dual voltage cards + ti,non-removable: non-removable slot (like eMMC) + ti,needs-special-reset: Requires a special softreset sequence + ti,needs-special-hs-handling: HSMMC IP needs special setting for handling High Speed ++dmas: List of DMA specifiers with the controller specific format ++as described in the generic DMA client binding. A tx and rx ++specifier is required. ++dma-names: List of DMA request names. These strings correspond ++1:1 with the DMA specifiers listed in dmas. The string naming is ++to be "rx" and "tx" for RX and TX DMA requests, respectively. ++ ++Examples: ++ ++[hwmod populated DMA resources] ++ ++ mmc1: mmc@0x4809c000 { ++ compatible = "ti,omap4-hsmmc"; ++ reg = <0x4809c000 0x400>; ++ ti,hwmods = "mmc1"; ++ ti,dual-volt; ++ bus-width = <4>; ++ vmmc-supply = <&vmmc>; /* phandle to regulator node */ ++ ti,non-removable; ++ }; ++ ++[generic DMA request binding] + +-Example: + mmc1: mmc@0x4809c000 { + compatible = "ti,omap4-hsmmc"; + reg = <0x4809c000 0x400>; +@@ -30,4 +51,7 @@ Example: + bus-width = <4>; + vmmc-supply = <&vmmc>; /* phandle to regulator node */ + ti,non-removable; ++ dmas = <&edma 24 ++ &edma 25>; ++ dma-names = "tx", "rx"; + }; +diff --git a/arch/arm/boot/dts/am335x-bone.dts b/arch/arm/boot/dts/am335x-bone.dts +index 7993c48..d5f43fe 100644 +--- a/arch/arm/boot/dts/am335x-bone.dts ++++ b/arch/arm/boot/dts/am335x-bone.dts +@@ -9,3 +9,14 @@ + + #include "am33xx.dtsi" + #include "am335x-bone-common.dtsi" ++ ++&ldo3_reg { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; ++ regulator-always-on; ++}; ++ ++&mmc1 { ++ status = "okay"; ++ vmmc-supply = <&ldo3_reg>; ++}; +diff --git a/arch/arm/boot/dts/am335x-evm.dts b/arch/arm/boot/dts/am335x-evm.dts +index e8ec875..bc4a69d 100644 +--- a/arch/arm/boot/dts/am335x-evm.dts ++++ b/arch/arm/boot/dts/am335x-evm.dts +@@ -477,6 +477,8 @@ + }; + + vmmc_reg: regulator@12 { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; + regulator-always-on; + }; + }; +@@ -517,3 +519,8 @@ + ti,adc-channels = <4 5 6 7>; + }; + }; ++ ++&mmc1 { ++ status = "okay"; ++ vmmc-supply = <&vmmc_reg>; ++}; +diff --git a/arch/arm/boot/dts/am335x-evmsk.dts b/arch/arm/boot/dts/am335x-evmsk.dts +index 4f339fa..55fd194 100644 +--- a/arch/arm/boot/dts/am335x-evmsk.dts ++++ b/arch/arm/boot/dts/am335x-evmsk.dts +@@ -393,6 +393,8 @@ + }; + + vmmc_reg: regulator@12 { ++ regulator-min-microvolt = <1800000>; ++ regulator-max-microvolt = <3300000>; + regulator-always-on; + }; + }; +@@ -419,3 +421,8 @@ + phy_id = <&davinci_mdio>, <1>; + phy-mode = "rgmii-txid"; + }; ++ ++&mmc1 { ++ status = "okay"; ++ vmmc-supply = <&vmmc_reg>; ++}; +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index 9cd60bf..553adc6 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -245,6 +245,44 @@ + status = "disabled"; + }; + ++ mmc1: mmc@48060000 { ++ compatible = "ti,omap4-hsmmc"; ++ ti,hwmods = "mmc1"; ++ ti,dual-volt; ++ ti,needs-special-reset; ++ ti,needs-special-hs-handling; ++ dmas = <&edma 24 ++ &edma 25>; ++ dma-names = "tx", "rx"; ++ interrupts = <64>; ++ interrupt-parent = <&intc>; ++ reg = <0x48060000 0x1000>; ++ status = "disabled"; ++ }; ++ ++ mmc2: mmc@481d8000 { ++ compatible = "ti,omap4-hsmmc"; ++ ti,hwmods = "mmc2"; ++ ti,needs-special-reset; ++ dmas = <&edma 2 ++ &edma 3>; ++ dma-names = "tx", "rx"; ++ interrupts = <28>; ++ interrupt-parent = <&intc>; ++ reg = <0x481d8000 0x1000>; ++ status = "disabled"; ++ }; ++ ++ mmc3: mmc@47810000 { ++ compatible = "ti,omap4-hsmmc"; ++ ti,hwmods = "mmc3"; ++ ti,needs-special-reset; ++ interrupts = <29>; ++ interrupt-parent = <&intc>; ++ reg = <0x47810000 0x1000>; ++ status = "disabled"; ++ }; ++ + wdt2: wdt@44e35000 { + compatible = "ti,omap3-wdt"; + ti,hwmods = "wd_timer2"; +-- +1.8.4.rc3 + +From 889d5b18a88681d7d1e5a1d1b5d2ffda07c506df Mon Sep 17 00:00:00 2001 +From: Alexander Holler +Date: Thu, 12 Sep 2013 20:35:32 +0200 +Subject: [PATCH 06/15] ARM: dts: am335x-bone: add CD for mmc1 + +This enables the use of MMC cards even when no card was inserted at boot. + +Signed-off-by: Alexander Holler +Signed-off-by: Koen Kooi +Tested-by: Kevin Hilman +Reviewed-by: Nishanth Menon +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 14 ++++++++++++++ + arch/arm/boot/dts/am335x-bone.dts | 1 - + 2 files changed, 14 insertions(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index 2f66ded..0d95d54 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -107,6 +107,12 @@ + 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) + >; + }; ++ ++ mmc1_pins: pinmux_mmc1_pins { ++ pinctrl-single,pins = < ++ 0x160 (PIN_INPUT | MUX_MODE7) /* GPIO0_6 */ ++ >; ++ }; + }; + + ocp { +@@ -260,3 +266,11 @@ + pinctrl-0 = <&davinci_mdio_default>; + pinctrl-1 = <&davinci_mdio_sleep>; + }; ++ ++&mmc1 { ++ status = "okay"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&mmc1_pins>; ++ cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; ++ cd-inverted; ++}; +diff --git a/arch/arm/boot/dts/am335x-bone.dts b/arch/arm/boot/dts/am335x-bone.dts +index d5f43fe..0d63348 100644 +--- a/arch/arm/boot/dts/am335x-bone.dts ++++ b/arch/arm/boot/dts/am335x-bone.dts +@@ -17,6 +17,5 @@ + }; + + &mmc1 { +- status = "okay"; + vmmc-supply = <&ldo3_reg>; + }; +-- +1.8.4.rc3 + +From 7e60fa2391c2e89f07452c2037209235dee67aee Mon Sep 17 00:00:00 2001 +From: Koen Kooi +Date: Thu, 12 Sep 2013 20:35:33 +0200 +Subject: [PATCH 07/15] ARM: dts: am335x-boneblack: add eMMC DT entry + +The pinmux is specified in am335x-bone-common.dtsi to be +reused by the eMMC cape. + +Signed-off-by: Koen Kooi +Tested-by: Kevin Hilman +Reviewed-by: Nishanth Menon +[bcousson@baylibre.com: Fix traling spaces and useless comments] +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 22 ++++++++++++++++++++++ + arch/arm/boot/dts/am335x-boneblack.dts | 13 +++++++++++++ + 2 files changed, 35 insertions(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index 0d95d54..c560cb7 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -113,6 +113,21 @@ + 0x160 (PIN_INPUT | MUX_MODE7) /* GPIO0_6 */ + >; + }; ++ ++ emmc_pins: pinmux_emmc_pins { ++ pinctrl-single,pins = < ++ 0x80 (PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn1.mmc1_clk */ ++ 0x84 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_csn2.mmc1_cmd */ ++ 0x00 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad0.mmc1_dat0 */ ++ 0x04 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad1.mmc1_dat1 */ ++ 0x08 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad2.mmc1_dat2 */ ++ 0x0c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad3.mmc1_dat3 */ ++ 0x10 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad4.mmc1_dat4 */ ++ 0x14 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad5.mmc1_dat5 */ ++ 0x18 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad6.mmc1_dat6 */ ++ 0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ ++ >; ++ }; + }; + + ocp { +@@ -242,6 +257,13 @@ + regulator-always-on; + }; + }; ++ ++ vmmcsd_fixed: fixedregulator@0 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vmmcsd_fixed"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ }; + }; + + &cpsw_emac0 { +diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts +index 197cadf..16b3bea 100644 +--- a/arch/arm/boot/dts/am335x-boneblack.dts ++++ b/arch/arm/boot/dts/am335x-boneblack.dts +@@ -15,3 +15,16 @@ + regulator-max-microvolt = <1800000>; + regulator-always-on; + }; ++ ++&mmc1 { ++ vmmc-supply = <&vmmcsd_fixed>; ++}; ++ ++&mmc2 { ++ vmmc-supply = <&vmmcsd_fixed>; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&emmc_pins>; ++ bus-width = <8>; ++ status = "okay"; ++ ti,vcc-aux-disable-is-sleep; ++}; +-- +1.8.4.rc3 + +From 2b3a35fea12469734e2216a06c7fea6d5cb0d4d8 Mon Sep 17 00:00:00 2001 +From: Koen Kooi +Date: Thu, 12 Sep 2013 20:35:34 +0200 +Subject: [PATCH 08/15] ARM: dts: am335x-bone-common: switch mmc1 to 4-bit mode + +The micro-SD slot hooks up all four data pins so lets' use them. + +Signed-off-by: Koen Kooi +Tested-by: Kevin Hilman +Reviewed-by: Nishanth Menon +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index c560cb7..fbb11dd 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -291,6 +291,7 @@ + + &mmc1 { + status = "okay"; ++ bus-width = <0x4>; + pinctrl-names = "default"; + pinctrl-0 = <&mmc1_pins>; + cd-gpios = <&gpio0 6 GPIO_ACTIVE_HIGH>; +-- +1.8.4.rc3 + +From 387d315741b4126f228ee788094f9a00ecf8fde0 Mon Sep 17 00:00:00 2001 +From: Koen Kooi +Date: Thu, 12 Sep 2013 20:35:35 +0200 +Subject: [PATCH 09/15] ARM: dts: am335x-bone-common: add cpu0 and mmc1 + triggers + +This matches the vendor 3.8.x configuration that is shipping +with the boards. + +The LED layout is now: + USR0: heartbeat + USR1: mmc0 (micro-SD slot) + USR2: cpu0 + USR3: mmc1 (eMMC) + +The cpu0 triggers was put in between the mmc triggers to make +is easier to see where the disk activity is. + +Signed-off-by: Koen Kooi +Tested-by: Kevin Hilman +Reviewed-by: Nishanth Menon +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index fbb11dd..56361ce 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -204,12 +204,14 @@ + led@4 { + label = "beaglebone:green:usr2"; + gpios = <&gpio1 23 GPIO_ACTIVE_HIGH>; ++ linux,default-trigger = "cpu0"; + default-state = "off"; + }; + + led@5 { + label = "beaglebone:green:usr3"; + gpios = <&gpio1 24 GPIO_ACTIVE_HIGH>; ++ linux,default-trigger = "mmc1"; + default-state = "off"; + }; + }; +-- +1.8.4.rc3 + +From 28d36734db6d9682208ced9032de9ebda568da96 Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 20 Sep 2013 17:00:00 +0200 +Subject: [PATCH 10/15] ARM: dts: AM33XX: use pinmux node defined in included + file + +am33xx boards DTS include the am33xx.dtsi Device Tree +source file that already define a pinmux device node for +the AM33XX SoC Pin Multiplex. + +Redefining this for each board makes the Device Tree files +harder to modify and maintain so let's just use what is +already defined in the included .dtsi file. + +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 218 ++++++++++++------------- + arch/arm/boot/dts/am335x-evm.dts | 254 ++++++++++++++--------------- + arch/arm/boot/dts/am335x-evmsk.dts | 258 +++++++++++++++--------------- + 3 files changed, 365 insertions(+), 365 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index 56361ce..29799ac 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -21,115 +21,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- am33xx_pinmux: pinmux@44e10800 { +- pinctrl-names = "default"; +- pinctrl-0 = <&clkout2_pin>; +- +- user_leds_s0: user_leds_s0 { +- pinctrl-single,pins = < +- 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a5.gpio1_21 */ +- 0x58 (PIN_OUTPUT_PULLUP | MUX_MODE7) /* gpmc_a6.gpio1_22 */ +- 0x5c (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a7.gpio1_23 */ +- 0x60 (PIN_OUTPUT_PULLUP | MUX_MODE7) /* gpmc_a8.gpio1_24 */ +- >; +- }; +- +- i2c0_pins: pinmux_i2c0_pins { +- pinctrl-single,pins = < +- 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ +- 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ +- >; +- }; +- +- uart0_pins: pinmux_uart0_pins { +- pinctrl-single,pins = < +- 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ +- 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ +- >; +- }; +- +- clkout2_pin: pinmux_clkout2_pin { +- pinctrl-single,pins = < +- 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ +- >; +- }; +- +- cpsw_default: cpsw_default { +- pinctrl-single,pins = < +- /* Slave 1 */ +- 0x110 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxerr.mii1_rxerr */ +- 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txen.mii1_txen */ +- 0x118 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxdv.mii1_rxdv */ +- 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd3.mii1_txd3 */ +- 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd2.mii1_txd2 */ +- 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd1.mii1_txd1 */ +- 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd0.mii1_txd0 */ +- 0x12c (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_txclk.mii1_txclk */ +- 0x130 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxclk.mii1_rxclk */ +- 0x134 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd3.mii1_rxd3 */ +- 0x138 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd2.mii1_rxd2 */ +- 0x13c (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd1.mii1_rxd1 */ +- 0x140 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd0.mii1_rxd0 */ +- >; +- }; +- +- cpsw_sleep: cpsw_sleep { +- pinctrl-single,pins = < +- /* Slave 1 reset value */ +- 0x110 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- +- davinci_mdio_default: davinci_mdio_default { +- pinctrl-single,pins = < +- /* MDIO */ +- 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ +- 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ +- >; +- }; +- +- davinci_mdio_sleep: davinci_mdio_sleep { +- pinctrl-single,pins = < +- /* MDIO reset value */ +- 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- +- mmc1_pins: pinmux_mmc1_pins { +- pinctrl-single,pins = < +- 0x160 (PIN_INPUT | MUX_MODE7) /* GPIO0_6 */ +- >; +- }; +- +- emmc_pins: pinmux_emmc_pins { +- pinctrl-single,pins = < +- 0x80 (PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn1.mmc1_clk */ +- 0x84 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_csn2.mmc1_cmd */ +- 0x00 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad0.mmc1_dat0 */ +- 0x04 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad1.mmc1_dat1 */ +- 0x08 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad2.mmc1_dat2 */ +- 0x0c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad3.mmc1_dat3 */ +- 0x10 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad4.mmc1_dat4 */ +- 0x14 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad5.mmc1_dat5 */ +- 0x18 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad6.mmc1_dat6 */ +- 0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ +- >; +- }; +- }; +- + ocp { + uart0: serial@44e09000 { + pinctrl-names = "default"; +@@ -217,6 +108,115 @@ + }; + }; + ++&am33xx_pinmux { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&clkout2_pin>; ++ ++ user_leds_s0: user_leds_s0 { ++ pinctrl-single,pins = < ++ 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a5.gpio1_21 */ ++ 0x58 (PIN_OUTPUT_PULLUP | MUX_MODE7) /* gpmc_a6.gpio1_22 */ ++ 0x5c (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a7.gpio1_23 */ ++ 0x60 (PIN_OUTPUT_PULLUP | MUX_MODE7) /* gpmc_a8.gpio1_24 */ ++ >; ++ }; ++ ++ i2c0_pins: pinmux_i2c0_pins { ++ pinctrl-single,pins = < ++ 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ ++ 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ ++ >; ++ }; ++ ++ uart0_pins: pinmux_uart0_pins { ++ pinctrl-single,pins = < ++ 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ ++ 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ ++ >; ++ }; ++ ++ clkout2_pin: pinmux_clkout2_pin { ++ pinctrl-single,pins = < ++ 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ ++ >; ++ }; ++ ++ cpsw_default: cpsw_default { ++ pinctrl-single,pins = < ++ /* Slave 1 */ ++ 0x110 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxerr.mii1_rxerr */ ++ 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txen.mii1_txen */ ++ 0x118 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxdv.mii1_rxdv */ ++ 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd3.mii1_txd3 */ ++ 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd2.mii1_txd2 */ ++ 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd1.mii1_txd1 */ ++ 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* mii1_txd0.mii1_txd0 */ ++ 0x12c (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_txclk.mii1_txclk */ ++ 0x130 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxclk.mii1_rxclk */ ++ 0x134 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd3.mii1_rxd3 */ ++ 0x138 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd2.mii1_rxd2 */ ++ 0x13c (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd1.mii1_rxd1 */ ++ 0x140 (PIN_INPUT_PULLUP | MUX_MODE0) /* mii1_rxd0.mii1_rxd0 */ ++ >; ++ }; ++ ++ cpsw_sleep: cpsw_sleep { ++ pinctrl-single,pins = < ++ /* Slave 1 reset value */ ++ 0x110 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++ ++ davinci_mdio_default: davinci_mdio_default { ++ pinctrl-single,pins = < ++ /* MDIO */ ++ 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ ++ 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ ++ >; ++ }; ++ ++ davinci_mdio_sleep: davinci_mdio_sleep { ++ pinctrl-single,pins = < ++ /* MDIO reset value */ ++ 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++ ++ mmc1_pins: pinmux_mmc1_pins { ++ pinctrl-single,pins = < ++ 0x160 (PIN_INPUT | MUX_MODE7) /* GPIO0_6 */ ++ >; ++ }; ++ ++ emmc_pins: pinmux_emmc_pins { ++ pinctrl-single,pins = < ++ 0x80 (PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn1.mmc1_clk */ ++ 0x84 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_csn2.mmc1_cmd */ ++ 0x00 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad0.mmc1_dat0 */ ++ 0x04 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad1.mmc1_dat1 */ ++ 0x08 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad2.mmc1_dat2 */ ++ 0x0c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad3.mmc1_dat3 */ ++ 0x10 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad4.mmc1_dat4 */ ++ 0x14 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad5.mmc1_dat5 */ ++ 0x18 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad6.mmc1_dat6 */ ++ 0x1c (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad7.mmc1_dat7 */ ++ >; ++ }; ++}; ++ + /include/ "tps65217.dtsi" + + &tps { +diff --git a/arch/arm/boot/dts/am335x-evm.dts b/arch/arm/boot/dts/am335x-evm.dts +index bc4a69d..1525cd6 100644 +--- a/arch/arm/boot/dts/am335x-evm.dts ++++ b/arch/arm/boot/dts/am335x-evm.dts +@@ -24,133 +24,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- am33xx_pinmux: pinmux@44e10800 { +- pinctrl-names = "default"; +- pinctrl-0 = <&matrix_keypad_s0 &volume_keys_s0 &clkout2_pin>; +- +- matrix_keypad_s0: matrix_keypad_s0 { +- pinctrl-single,pins = < +- 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a5.gpio1_21 */ +- 0x58 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a6.gpio1_22 */ +- 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a9.gpio1_25 */ +- 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a10.gpio1_26 */ +- 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a11.gpio1_27 */ +- >; +- }; +- +- volume_keys_s0: volume_keys_s0 { +- pinctrl-single,pins = < +- 0x150 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* spi0_sclk.gpio0_2 */ +- 0x154 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* spi0_d0.gpio0_3 */ +- >; +- }; +- +- i2c0_pins: pinmux_i2c0_pins { +- pinctrl-single,pins = < +- 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ +- 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ +- >; +- }; +- +- i2c1_pins: pinmux_i2c1_pins { +- pinctrl-single,pins = < +- 0x158 (PIN_INPUT_PULLUP | MUX_MODE2) /* spi0_d1.i2c1_sda */ +- 0x15c (PIN_INPUT_PULLUP | MUX_MODE2) /* spi0_cs0.i2c1_scl */ +- >; +- }; +- +- uart0_pins: pinmux_uart0_pins { +- pinctrl-single,pins = < +- 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ +- 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ +- >; +- }; +- +- clkout2_pin: pinmux_clkout2_pin { +- pinctrl-single,pins = < +- 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ +- >; +- }; +- +- nandflash_pins_s0: nandflash_pins_s0 { +- pinctrl-single,pins = < +- 0x0 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad0.gpmc_ad0 */ +- 0x4 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad1.gpmc_ad1 */ +- 0x8 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad2.gpmc_ad2 */ +- 0xc (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad3.gpmc_ad3 */ +- 0x10 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad4.gpmc_ad4 */ +- 0x14 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad5.gpmc_ad5 */ +- 0x18 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad6.gpmc_ad6 */ +- 0x1c (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad7.gpmc_ad7 */ +- 0x70 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_wait0.gpmc_wait0 */ +- 0x74 (PIN_INPUT_PULLUP | MUX_MODE7) /* gpmc_wpn.gpio0_30 */ +- 0x7c (PIN_OUTPUT | MUX_MODE0) /* gpmc_csn0.gpmc_csn0 */ +- 0x90 (PIN_OUTPUT | MUX_MODE0) /* gpmc_advn_ale.gpmc_advn_ale */ +- 0x94 (PIN_OUTPUT | MUX_MODE0) /* gpmc_oen_ren.gpmc_oen_ren */ +- 0x98 (PIN_OUTPUT | MUX_MODE0) /* gpmc_wen.gpmc_wen */ +- 0x9c (PIN_OUTPUT | MUX_MODE0) /* gpmc_be0n_cle.gpmc_be0n_cle */ +- >; +- }; +- +- ecap0_pins: backlight_pins { +- pinctrl-single,pins = < +- 0x164 0x0 /* eCAP0_in_PWM0_out.eCAP0_in_PWM0_out MODE0 */ +- >; +- }; +- +- cpsw_default: cpsw_default { +- pinctrl-single,pins = < +- /* Slave 1 */ +- 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txen.rgmii1_tctl */ +- 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxdv.rgmii1_rctl */ +- 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd3.rgmii1_td3 */ +- 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd2.rgmii1_td2 */ +- 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd1.rgmii1_td1 */ +- 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd0.rgmii1_td0 */ +- 0x12c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txclk.rgmii1_tclk */ +- 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxclk.rgmii1_rclk */ +- 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd3.rgmii1_rd3 */ +- 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd2.rgmii1_rd2 */ +- 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd1.rgmii1_rd1 */ +- 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd0.rgmii1_rd0 */ +- >; +- }; +- +- cpsw_sleep: cpsw_sleep { +- pinctrl-single,pins = < +- /* Slave 1 reset value */ +- 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- +- davinci_mdio_default: davinci_mdio_default { +- pinctrl-single,pins = < +- /* MDIO */ +- 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ +- 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ +- >; +- }; +- +- davinci_mdio_sleep: davinci_mdio_sleep { +- pinctrl-single,pins = < +- /* MDIO reset value */ +- 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- }; +- + ocp { + uart0: serial@44e09000 { + pinctrl-names = "default"; +@@ -405,6 +278,133 @@ + }; + }; + ++&am33xx_pinmux { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&matrix_keypad_s0 &volume_keys_s0 &clkout2_pin>; ++ ++ matrix_keypad_s0: matrix_keypad_s0 { ++ pinctrl-single,pins = < ++ 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a5.gpio1_21 */ ++ 0x58 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_a6.gpio1_22 */ ++ 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a9.gpio1_25 */ ++ 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a10.gpio1_26 */ ++ 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_a11.gpio1_27 */ ++ >; ++ }; ++ ++ volume_keys_s0: volume_keys_s0 { ++ pinctrl-single,pins = < ++ 0x150 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* spi0_sclk.gpio0_2 */ ++ 0x154 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* spi0_d0.gpio0_3 */ ++ >; ++ }; ++ ++ i2c0_pins: pinmux_i2c0_pins { ++ pinctrl-single,pins = < ++ 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ ++ 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ ++ >; ++ }; ++ ++ i2c1_pins: pinmux_i2c1_pins { ++ pinctrl-single,pins = < ++ 0x158 (PIN_INPUT_PULLUP | MUX_MODE2) /* spi0_d1.i2c1_sda */ ++ 0x15c (PIN_INPUT_PULLUP | MUX_MODE2) /* spi0_cs0.i2c1_scl */ ++ >; ++ }; ++ ++ uart0_pins: pinmux_uart0_pins { ++ pinctrl-single,pins = < ++ 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ ++ 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ ++ >; ++ }; ++ ++ clkout2_pin: pinmux_clkout2_pin { ++ pinctrl-single,pins = < ++ 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ ++ >; ++ }; ++ ++ nandflash_pins_s0: nandflash_pins_s0 { ++ pinctrl-single,pins = < ++ 0x0 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad0.gpmc_ad0 */ ++ 0x4 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad1.gpmc_ad1 */ ++ 0x8 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad2.gpmc_ad2 */ ++ 0xc (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad3.gpmc_ad3 */ ++ 0x10 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad4.gpmc_ad4 */ ++ 0x14 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad5.gpmc_ad5 */ ++ 0x18 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad6.gpmc_ad6 */ ++ 0x1c (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_ad7.gpmc_ad7 */ ++ 0x70 (PIN_INPUT_PULLUP | MUX_MODE0) /* gpmc_wait0.gpmc_wait0 */ ++ 0x74 (PIN_INPUT_PULLUP | MUX_MODE7) /* gpmc_wpn.gpio0_30 */ ++ 0x7c (PIN_OUTPUT | MUX_MODE0) /* gpmc_csn0.gpmc_csn0 */ ++ 0x90 (PIN_OUTPUT | MUX_MODE0) /* gpmc_advn_ale.gpmc_advn_ale */ ++ 0x94 (PIN_OUTPUT | MUX_MODE0) /* gpmc_oen_ren.gpmc_oen_ren */ ++ 0x98 (PIN_OUTPUT | MUX_MODE0) /* gpmc_wen.gpmc_wen */ ++ 0x9c (PIN_OUTPUT | MUX_MODE0) /* gpmc_be0n_cle.gpmc_be0n_cle */ ++ >; ++ }; ++ ++ ecap0_pins: backlight_pins { ++ pinctrl-single,pins = < ++ 0x164 0x0 /* eCAP0_in_PWM0_out.eCAP0_in_PWM0_out MODE0 */ ++ >; ++ }; ++ ++ cpsw_default: cpsw_default { ++ pinctrl-single,pins = < ++ /* Slave 1 */ ++ 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txen.rgmii1_tctl */ ++ 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxdv.rgmii1_rctl */ ++ 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd3.rgmii1_td3 */ ++ 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd2.rgmii1_td2 */ ++ 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd1.rgmii1_td1 */ ++ 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd0.rgmii1_td0 */ ++ 0x12c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txclk.rgmii1_tclk */ ++ 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxclk.rgmii1_rclk */ ++ 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd3.rgmii1_rd3 */ ++ 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd2.rgmii1_rd2 */ ++ 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd1.rgmii1_rd1 */ ++ 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd0.rgmii1_rd0 */ ++ >; ++ }; ++ ++ cpsw_sleep: cpsw_sleep { ++ pinctrl-single,pins = < ++ /* Slave 1 reset value */ ++ 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++ ++ davinci_mdio_default: davinci_mdio_default { ++ pinctrl-single,pins = < ++ /* MDIO */ ++ 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ ++ 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ ++ >; ++ }; ++ ++ davinci_mdio_sleep: davinci_mdio_sleep { ++ pinctrl-single,pins = < ++ /* MDIO reset value */ ++ 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++}; ++ + #include "tps65910.dtsi" + + &tps { +diff --git a/arch/arm/boot/dts/am335x-evmsk.dts b/arch/arm/boot/dts/am335x-evmsk.dts +index 55fd194..f0066fe 100644 +--- a/arch/arm/boot/dts/am335x-evmsk.dts ++++ b/arch/arm/boot/dts/am335x-evmsk.dts +@@ -31,135 +31,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- am33xx_pinmux: pinmux@44e10800 { +- pinctrl-names = "default"; +- pinctrl-0 = <&gpio_keys_s0 &clkout2_pin>; +- +- user_leds_s0: user_leds_s0 { +- pinctrl-single,pins = < +- 0x10 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad4.gpio1_4 */ +- 0x14 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad5.gpio1_5 */ +- 0x18 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad6.gpio1_6 */ +- 0x1c (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad7.gpio1_7 */ +- >; +- }; +- +- gpio_keys_s0: gpio_keys_s0 { +- pinctrl-single,pins = < +- 0x94 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_oen_ren.gpio2_3 */ +- 0x90 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_advn_ale.gpio2_2 */ +- 0x70 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_wait0.gpio0_30 */ +- 0x9c (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_ben0_cle.gpio2_5 */ +- >; +- }; +- +- i2c0_pins: pinmux_i2c0_pins { +- pinctrl-single,pins = < +- 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ +- 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ +- >; +- }; +- +- uart0_pins: pinmux_uart0_pins { +- pinctrl-single,pins = < +- 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ +- 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ +- >; +- }; +- +- clkout2_pin: pinmux_clkout2_pin { +- pinctrl-single,pins = < +- 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ +- >; +- }; +- +- ecap2_pins: backlight_pins { +- pinctrl-single,pins = < +- 0x19c 0x4 /* mcasp0_ahclkr.ecap2_in_pwm2_out MODE4 */ +- >; +- }; +- +- cpsw_default: cpsw_default { +- pinctrl-single,pins = < +- /* Slave 1 */ +- 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txen.rgmii1_tctl */ +- 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxdv.rgmii1_rctl */ +- 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd3.rgmii1_td3 */ +- 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd2.rgmii1_td2 */ +- 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd1.rgmii1_td1 */ +- 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd0.rgmii1_td0 */ +- 0x12c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txclk.rgmii1_tclk */ +- 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxclk.rgmii1_rclk */ +- 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd3.rgmii1_rd3 */ +- 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd2.rgmii1_rd2 */ +- 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd1.rgmii1_rd1 */ +- 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd0.rgmii1_rd0 */ +- +- /* Slave 2 */ +- 0x40 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a0.rgmii2_tctl */ +- 0x44 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a1.rgmii2_rctl */ +- 0x48 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a2.rgmii2_td3 */ +- 0x4c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a3.rgmii2_td2 */ +- 0x50 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a4.rgmii2_td1 */ +- 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a5.rgmii2_td0 */ +- 0x58 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a6.rgmii2_tclk */ +- 0x5c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a7.rgmii2_rclk */ +- 0x60 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a8.rgmii2_rd3 */ +- 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a9.rgmii2_rd2 */ +- 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a10.rgmii2_rd1 */ +- 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a11.rgmii2_rd0 */ +- >; +- }; +- +- cpsw_sleep: cpsw_sleep { +- pinctrl-single,pins = < +- /* Slave 1 reset value */ +- 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- +- /* Slave 2 reset value*/ +- 0x40 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x44 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x48 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x4c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x50 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x54 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x58 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x5c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x60 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- +- davinci_mdio_default: davinci_mdio_default { +- pinctrl-single,pins = < +- /* MDIO */ +- 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ +- 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ +- >; +- }; +- +- davinci_mdio_sleep: davinci_mdio_sleep { +- pinctrl-single,pins = < +- /* MDIO reset value */ +- 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) +- 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) +- >; +- }; +- }; +- + ocp { + uart0: serial@44e09000 { + pinctrl-names = "default"; +@@ -321,6 +192,135 @@ + }; + }; + ++&am33xx_pinmux { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&gpio_keys_s0 &clkout2_pin>; ++ ++ user_leds_s0: user_leds_s0 { ++ pinctrl-single,pins = < ++ 0x10 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad4.gpio1_4 */ ++ 0x14 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad5.gpio1_5 */ ++ 0x18 (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad6.gpio1_6 */ ++ 0x1c (PIN_OUTPUT_PULLDOWN | MUX_MODE7) /* gpmc_ad7.gpio1_7 */ ++ >; ++ }; ++ ++ gpio_keys_s0: gpio_keys_s0 { ++ pinctrl-single,pins = < ++ 0x94 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_oen_ren.gpio2_3 */ ++ 0x90 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_advn_ale.gpio2_2 */ ++ 0x70 (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_wait0.gpio0_30 */ ++ 0x9c (PIN_INPUT_PULLDOWN | MUX_MODE7) /* gpmc_ben0_cle.gpio2_5 */ ++ >; ++ }; ++ ++ i2c0_pins: pinmux_i2c0_pins { ++ pinctrl-single,pins = < ++ 0x188 (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_sda.i2c0_sda */ ++ 0x18c (PIN_INPUT_PULLUP | MUX_MODE0) /* i2c0_scl.i2c0_scl */ ++ >; ++ }; ++ ++ uart0_pins: pinmux_uart0_pins { ++ pinctrl-single,pins = < ++ 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ ++ 0x174 (PIN_OUTPUT_PULLDOWN | MUX_MODE0) /* uart0_txd.uart0_txd */ ++ >; ++ }; ++ ++ clkout2_pin: pinmux_clkout2_pin { ++ pinctrl-single,pins = < ++ 0x1b4 (PIN_OUTPUT_PULLDOWN | MUX_MODE3) /* xdma_event_intr1.clkout2 */ ++ >; ++ }; ++ ++ ecap2_pins: backlight_pins { ++ pinctrl-single,pins = < ++ 0x19c 0x4 /* mcasp0_ahclkr.ecap2_in_pwm2_out MODE4 */ ++ >; ++ }; ++ ++ cpsw_default: cpsw_default { ++ pinctrl-single,pins = < ++ /* Slave 1 */ ++ 0x114 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txen.rgmii1_tctl */ ++ 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxdv.rgmii1_rctl */ ++ 0x11c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd3.rgmii1_td3 */ ++ 0x120 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd2.rgmii1_td2 */ ++ 0x124 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd1.rgmii1_td1 */ ++ 0x128 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txd0.rgmii1_td0 */ ++ 0x12c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* mii1_txclk.rgmii1_tclk */ ++ 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxclk.rgmii1_rclk */ ++ 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd3.rgmii1_rd3 */ ++ 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd2.rgmii1_rd2 */ ++ 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd1.rgmii1_rd1 */ ++ 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* mii1_rxd0.rgmii1_rd0 */ ++ ++ /* Slave 2 */ ++ 0x40 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a0.rgmii2_tctl */ ++ 0x44 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a1.rgmii2_rctl */ ++ 0x48 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a2.rgmii2_td3 */ ++ 0x4c (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a3.rgmii2_td2 */ ++ 0x50 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a4.rgmii2_td1 */ ++ 0x54 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a5.rgmii2_td0 */ ++ 0x58 (PIN_OUTPUT_PULLDOWN | MUX_MODE2) /* gpmc_a6.rgmii2_tclk */ ++ 0x5c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a7.rgmii2_rclk */ ++ 0x60 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a8.rgmii2_rd3 */ ++ 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a9.rgmii2_rd2 */ ++ 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a10.rgmii2_rd1 */ ++ 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE2) /* gpmc_a11.rgmii2_rd0 */ ++ >; ++ }; ++ ++ cpsw_sleep: cpsw_sleep { ++ pinctrl-single,pins = < ++ /* Slave 1 reset value */ ++ 0x114 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x118 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x11c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x120 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x124 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x128 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x12c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x130 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x134 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x138 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x13c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x140 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ ++ /* Slave 2 reset value*/ ++ 0x40 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x44 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x48 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x4c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x50 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x54 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x58 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x5c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x60 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x64 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x68 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x6c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++ ++ davinci_mdio_default: davinci_mdio_default { ++ pinctrl-single,pins = < ++ /* MDIO */ ++ 0x148 (PIN_INPUT_PULLUP | SLEWCTRL_FAST | MUX_MODE0) /* mdio_data.mdio_data */ ++ 0x14c (PIN_OUTPUT_PULLUP | MUX_MODE0) /* mdio_clk.mdio_clk */ ++ >; ++ }; ++ ++ davinci_mdio_sleep: davinci_mdio_sleep { ++ pinctrl-single,pins = < ++ /* MDIO reset value */ ++ 0x148 (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) ++ >; ++ }; ++}; ++ + #include "tps65910.dtsi" + + &tps { +-- +1.8.4.rc3 + +From ff7a46710ffc245a5c8e32cf1843aa3fea7aa1ff Mon Sep 17 00:00:00 2001 +From: Javier Martinez Canillas +Date: Fri, 20 Sep 2013 17:42:19 +0200 +Subject: [PATCH 11/15] ARM: dts: AM33XX: don't redefine OCP bus and device + nodes + +The On Chip Peripherals (OCP) device node is a simplified +representation of the AM33XX SoC interconnect. An OCP dev +node is already defined in the am33xx.dtsi Device Tree +source file included by am33xx based boards so there is +no need to redefine this on each board DT file. + +Also, the OCP and IP modules directly connected to it are SoC +internal details that is better to keep outside of board files. + +Signed-off-by: Javier Martinez Canillas +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 100 ++++---- + arch/arm/boot/dts/am335x-evm.dts | 380 +++++++++++++++--------------- + arch/arm/boot/dts/am335x-evmsk.dts | 148 ++++++------ + 3 files changed, 311 insertions(+), 317 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index 29799ac..ff5c3ca 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -21,57 +21,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- ocp { +- uart0: serial@44e09000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&uart0_pins>; +- +- status = "okay"; +- }; +- +- musb: usb@47400000 { +- status = "okay"; +- +- control@44e10000 { +- status = "okay"; +- }; +- +- usb-phy@47401300 { +- status = "okay"; +- }; +- +- usb-phy@47401b00 { +- status = "okay"; +- }; +- +- usb@47401000 { +- status = "okay"; +- }; +- +- usb@47401800 { +- status = "okay"; +- dr_mode = "host"; +- }; +- +- dma-controller@07402000 { +- status = "okay"; +- }; +- }; +- +- i2c0: i2c@44e0b000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c0_pins>; +- +- status = "okay"; +- clock-frequency = <400000>; +- +- tps: tps@24 { +- reg = <0x24>; +- }; +- +- }; +- }; +- + leds { + pinctrl-names = "default"; + pinctrl-0 = <&user_leds_s0>; +@@ -217,6 +166,55 @@ + }; + }; + ++&uart0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart0_pins>; ++ ++ status = "okay"; ++}; ++ ++&usb { ++ status = "okay"; ++ ++ control@44e10000 { ++ status = "okay"; ++ }; ++ ++ usb-phy@47401300 { ++ status = "okay"; ++ }; ++ ++ usb-phy@47401b00 { ++ status = "okay"; ++ }; ++ ++ usb@47401000 { ++ status = "okay"; ++ }; ++ ++ usb@47401800 { ++ status = "okay"; ++ dr_mode = "host"; ++ }; ++ ++ dma-controller@07402000 { ++ status = "okay"; ++ }; ++}; ++ ++&i2c0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2c0_pins>; ++ ++ status = "okay"; ++ clock-frequency = <400000>; ++ ++ tps: tps@24 { ++ reg = <0x24>; ++ }; ++ ++}; ++ + /include/ "tps65217.dtsi" + + &tps { +diff --git a/arch/arm/boot/dts/am335x-evm.dts b/arch/arm/boot/dts/am335x-evm.dts +index 1525cd6..23b0a3e 100644 +--- a/arch/arm/boot/dts/am335x-evm.dts ++++ b/arch/arm/boot/dts/am335x-evm.dts +@@ -24,197 +24,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- ocp { +- uart0: serial@44e09000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&uart0_pins>; +- +- status = "okay"; +- }; +- +- i2c0: i2c@44e0b000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c0_pins>; +- +- status = "okay"; +- clock-frequency = <400000>; +- +- tps: tps@2d { +- reg = <0x2d>; +- }; +- }; +- +- musb: usb@47400000 { +- status = "okay"; +- +- control@44e10000 { +- status = "okay"; +- }; +- +- usb-phy@47401300 { +- status = "okay"; +- }; +- +- usb-phy@47401b00 { +- status = "okay"; +- }; +- +- usb@47401000 { +- status = "okay"; +- }; +- +- usb@47401800 { +- status = "okay"; +- dr_mode = "host"; +- }; +- +- dma-controller@07402000 { +- status = "okay"; +- }; +- }; +- +- i2c1: i2c@4802a000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c1_pins>; +- +- status = "okay"; +- clock-frequency = <100000>; +- +- lis331dlh: lis331dlh@18 { +- compatible = "st,lis331dlh", "st,lis3lv02d"; +- reg = <0x18>; +- Vdd-supply = <&lis3_reg>; +- Vdd_IO-supply = <&lis3_reg>; +- +- st,click-single-x; +- st,click-single-y; +- st,click-single-z; +- st,click-thresh-x = <10>; +- st,click-thresh-y = <10>; +- st,click-thresh-z = <10>; +- st,irq1-click; +- st,irq2-click; +- st,wakeup-x-lo; +- st,wakeup-x-hi; +- st,wakeup-y-lo; +- st,wakeup-y-hi; +- st,wakeup-z-lo; +- st,wakeup-z-hi; +- st,min-limit-x = <120>; +- st,min-limit-y = <120>; +- st,min-limit-z = <140>; +- st,max-limit-x = <550>; +- st,max-limit-y = <550>; +- st,max-limit-z = <750>; +- }; +- +- tsl2550: tsl2550@39 { +- compatible = "taos,tsl2550"; +- reg = <0x39>; +- }; +- +- tmp275: tmp275@48 { +- compatible = "ti,tmp275"; +- reg = <0x48>; +- }; +- }; +- +- elm: elm@48080000 { +- status = "okay"; +- }; +- +- epwmss0: epwmss@48300000 { +- status = "okay"; +- +- ecap0: ecap@48300100 { +- status = "okay"; +- pinctrl-names = "default"; +- pinctrl-0 = <&ecap0_pins>; +- }; +- }; +- +- gpmc: gpmc@50000000 { +- status = "okay"; +- pinctrl-names = "default"; +- pinctrl-0 = <&nandflash_pins_s0>; +- ranges = <0 0 0x08000000 0x10000000>; /* CS0: NAND */ +- nand@0,0 { +- reg = <0 0 0>; /* CS0, offset 0 */ +- nand-bus-width = <8>; +- ti,nand-ecc-opt = "bch8"; +- gpmc,device-nand = "true"; +- gpmc,device-width = <1>; +- gpmc,sync-clk-ps = <0>; +- gpmc,cs-on-ns = <0>; +- gpmc,cs-rd-off-ns = <44>; +- gpmc,cs-wr-off-ns = <44>; +- gpmc,adv-on-ns = <6>; +- gpmc,adv-rd-off-ns = <34>; +- gpmc,adv-wr-off-ns = <44>; +- gpmc,we-on-ns = <0>; +- gpmc,we-off-ns = <40>; +- gpmc,oe-on-ns = <0>; +- gpmc,oe-off-ns = <54>; +- gpmc,access-ns = <64>; +- gpmc,rd-cycle-ns = <82>; +- gpmc,wr-cycle-ns = <82>; +- gpmc,wait-on-read = "true"; +- gpmc,wait-on-write = "true"; +- gpmc,bus-turnaround-ns = <0>; +- gpmc,cycle2cycle-delay-ns = <0>; +- gpmc,clk-activation-ns = <0>; +- gpmc,wait-monitoring-ns = <0>; +- gpmc,wr-access-ns = <40>; +- gpmc,wr-data-mux-bus-ns = <0>; +- +- #address-cells = <1>; +- #size-cells = <1>; +- elm_id = <&elm>; +- +- /* MTD partition table */ +- partition@0 { +- label = "SPL1"; +- reg = <0x00000000 0x000020000>; +- }; +- +- partition@1 { +- label = "SPL2"; +- reg = <0x00020000 0x00020000>; +- }; +- +- partition@2 { +- label = "SPL3"; +- reg = <0x00040000 0x00020000>; +- }; +- +- partition@3 { +- label = "SPL4"; +- reg = <0x00060000 0x00020000>; +- }; +- +- partition@4 { +- label = "U-boot"; +- reg = <0x00080000 0x001e0000>; +- }; +- +- partition@5 { +- label = "environment"; +- reg = <0x00260000 0x00020000>; +- }; +- +- partition@6 { +- label = "Kernel"; +- reg = <0x00280000 0x00500000>; +- }; +- +- partition@7 { +- label = "File-System"; +- reg = <0x00780000 0x0F880000>; +- }; +- }; +- }; +- }; +- + vbat: fixedregulator@0 { + compatible = "regulator-fixed"; + regulator-name = "vbat"; +@@ -405,6 +214,195 @@ + }; + }; + ++&uart0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart0_pins>; ++ ++ status = "okay"; ++}; ++ ++&i2c0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2c0_pins>; ++ ++ status = "okay"; ++ clock-frequency = <400000>; ++ ++ tps: tps@2d { ++ reg = <0x2d>; ++ }; ++}; ++ ++&usb { ++ status = "okay"; ++ ++ control@44e10000 { ++ status = "okay"; ++ }; ++ ++ usb-phy@47401300 { ++ status = "okay"; ++ }; ++ ++ usb-phy@47401b00 { ++ status = "okay"; ++ }; ++ ++ usb@47401000 { ++ status = "okay"; ++ }; ++ ++ usb@47401800 { ++ status = "okay"; ++ dr_mode = "host"; ++ }; ++ ++ dma-controller@07402000 { ++ status = "okay"; ++ }; ++}; ++ ++&i2c1 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2c1_pins>; ++ ++ status = "okay"; ++ clock-frequency = <100000>; ++ ++ lis331dlh: lis331dlh@18 { ++ compatible = "st,lis331dlh", "st,lis3lv02d"; ++ reg = <0x18>; ++ Vdd-supply = <&lis3_reg>; ++ Vdd_IO-supply = <&lis3_reg>; ++ ++ st,click-single-x; ++ st,click-single-y; ++ st,click-single-z; ++ st,click-thresh-x = <10>; ++ st,click-thresh-y = <10>; ++ st,click-thresh-z = <10>; ++ st,irq1-click; ++ st,irq2-click; ++ st,wakeup-x-lo; ++ st,wakeup-x-hi; ++ st,wakeup-y-lo; ++ st,wakeup-y-hi; ++ st,wakeup-z-lo; ++ st,wakeup-z-hi; ++ st,min-limit-x = <120>; ++ st,min-limit-y = <120>; ++ st,min-limit-z = <140>; ++ st,max-limit-x = <550>; ++ st,max-limit-y = <550>; ++ st,max-limit-z = <750>; ++ }; ++ ++ tsl2550: tsl2550@39 { ++ compatible = "taos,tsl2550"; ++ reg = <0x39>; ++ }; ++ ++ tmp275: tmp275@48 { ++ compatible = "ti,tmp275"; ++ reg = <0x48>; ++ }; ++}; ++ ++&elm { ++ status = "okay"; ++}; ++ ++&epwmss0 { ++ status = "okay"; ++ ++ ecap0: ecap@48300100 { ++ status = "okay"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ecap0_pins>; ++ }; ++}; ++ ++&gpmc { ++ status = "okay"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&nandflash_pins_s0>; ++ ranges = <0 0 0x08000000 0x10000000>; /* CS0: NAND */ ++ nand@0,0 { ++ reg = <0 0 0>; /* CS0, offset 0 */ ++ nand-bus-width = <8>; ++ ti,nand-ecc-opt = "bch8"; ++ gpmc,device-nand = "true"; ++ gpmc,device-width = <1>; ++ gpmc,sync-clk-ps = <0>; ++ gpmc,cs-on-ns = <0>; ++ gpmc,cs-rd-off-ns = <44>; ++ gpmc,cs-wr-off-ns = <44>; ++ gpmc,adv-on-ns = <6>; ++ gpmc,adv-rd-off-ns = <34>; ++ gpmc,adv-wr-off-ns = <44>; ++ gpmc,we-on-ns = <0>; ++ gpmc,we-off-ns = <40>; ++ gpmc,oe-on-ns = <0>; ++ gpmc,oe-off-ns = <54>; ++ gpmc,access-ns = <64>; ++ gpmc,rd-cycle-ns = <82>; ++ gpmc,wr-cycle-ns = <82>; ++ gpmc,wait-on-read = "true"; ++ gpmc,wait-on-write = "true"; ++ gpmc,bus-turnaround-ns = <0>; ++ gpmc,cycle2cycle-delay-ns = <0>; ++ gpmc,clk-activation-ns = <0>; ++ gpmc,wait-monitoring-ns = <0>; ++ gpmc,wr-access-ns = <40>; ++ gpmc,wr-data-mux-bus-ns = <0>; ++ ++ #address-cells = <1>; ++ #size-cells = <1>; ++ elm_id = <&elm>; ++ ++ /* MTD partition table */ ++ partition@0 { ++ label = "SPL1"; ++ reg = <0x00000000 0x000020000>; ++ }; ++ ++ partition@1 { ++ label = "SPL2"; ++ reg = <0x00020000 0x00020000>; ++ }; ++ ++ partition@2 { ++ label = "SPL3"; ++ reg = <0x00040000 0x00020000>; ++ }; ++ ++ partition@3 { ++ label = "SPL4"; ++ reg = <0x00060000 0x00020000>; ++ }; ++ ++ partition@4 { ++ label = "U-boot"; ++ reg = <0x00080000 0x001e0000>; ++ }; ++ ++ partition@5 { ++ label = "environment"; ++ reg = <0x00260000 0x00020000>; ++ }; ++ ++ partition@6 { ++ label = "Kernel"; ++ reg = <0x00280000 0x00500000>; ++ }; ++ ++ partition@7 { ++ label = "File-System"; ++ reg = <0x00780000 0x0F880000>; ++ }; ++ }; ++}; ++ + #include "tps65910.dtsi" + + &tps { +diff --git a/arch/arm/boot/dts/am335x-evmsk.dts b/arch/arm/boot/dts/am335x-evmsk.dts +index f0066fe..bc93895 100644 +--- a/arch/arm/boot/dts/am335x-evmsk.dts ++++ b/arch/arm/boot/dts/am335x-evmsk.dts +@@ -31,81 +31,6 @@ + reg = <0x80000000 0x10000000>; /* 256 MB */ + }; + +- ocp { +- uart0: serial@44e09000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&uart0_pins>; +- +- status = "okay"; +- }; +- +- i2c0: i2c@44e0b000 { +- pinctrl-names = "default"; +- pinctrl-0 = <&i2c0_pins>; +- +- status = "okay"; +- clock-frequency = <400000>; +- +- tps: tps@2d { +- reg = <0x2d>; +- }; +- +- lis331dlh: lis331dlh@18 { +- compatible = "st,lis331dlh", "st,lis3lv02d"; +- reg = <0x18>; +- Vdd-supply = <&lis3_reg>; +- Vdd_IO-supply = <&lis3_reg>; +- +- st,click-single-x; +- st,click-single-y; +- st,click-single-z; +- st,click-thresh-x = <10>; +- st,click-thresh-y = <10>; +- st,click-thresh-z = <10>; +- st,irq1-click; +- st,irq2-click; +- st,wakeup-x-lo; +- st,wakeup-x-hi; +- st,wakeup-y-lo; +- st,wakeup-y-hi; +- st,wakeup-z-lo; +- st,wakeup-z-hi; +- st,min-limit-x = <120>; +- st,min-limit-y = <120>; +- st,min-limit-z = <140>; +- st,max-limit-x = <550>; +- st,max-limit-y = <550>; +- st,max-limit-z = <750>; +- }; +- }; +- +- musb: usb@47400000 { +- status = "okay"; +- +- control@44e10000 { +- status = "okay"; +- }; +- +- usb-phy@47401300 { +- status = "okay"; +- }; +- +- usb@47401000 { +- status = "okay"; +- }; +- }; +- +- epwmss2: epwmss@48304000 { +- status = "okay"; +- +- ecap2: ecap@48304100 { +- status = "okay"; +- pinctrl-names = "default"; +- pinctrl-0 = <&ecap2_pins>; +- }; +- }; +- }; +- + vbat: fixedregulator@0 { + compatible = "regulator-fixed"; + regulator-name = "vbat"; +@@ -321,6 +246,79 @@ + }; + }; + ++&uart0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&uart0_pins>; ++ ++ status = "okay"; ++}; ++ ++&i2c0 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2c0_pins>; ++ ++ status = "okay"; ++ clock-frequency = <400000>; ++ ++ tps: tps@2d { ++ reg = <0x2d>; ++ }; ++ ++ lis331dlh: lis331dlh@18 { ++ compatible = "st,lis331dlh", "st,lis3lv02d"; ++ reg = <0x18>; ++ Vdd-supply = <&lis3_reg>; ++ Vdd_IO-supply = <&lis3_reg>; ++ ++ st,click-single-x; ++ st,click-single-y; ++ st,click-single-z; ++ st,click-thresh-x = <10>; ++ st,click-thresh-y = <10>; ++ st,click-thresh-z = <10>; ++ st,irq1-click; ++ st,irq2-click; ++ st,wakeup-x-lo; ++ st,wakeup-x-hi; ++ st,wakeup-y-lo; ++ st,wakeup-y-hi; ++ st,wakeup-z-lo; ++ st,wakeup-z-hi; ++ st,min-limit-x = <120>; ++ st,min-limit-y = <120>; ++ st,min-limit-z = <140>; ++ st,max-limit-x = <550>; ++ st,max-limit-y = <550>; ++ st,max-limit-z = <750>; ++ }; ++}; ++ ++&usb { ++ status = "okay"; ++ ++ control@44e10000 { ++ status = "okay"; ++ }; ++ ++ usb-phy@47401300 { ++ status = "okay"; ++ }; ++ ++ usb@47401000 { ++ status = "okay"; ++ }; ++}; ++ ++&epwmss2 { ++ status = "okay"; ++ ++ ecap2: ecap@48304100 { ++ status = "okay"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&ecap2_pins>; ++ }; ++}; ++ + #include "tps65910.dtsi" + + &tps { +-- +1.8.4.rc3 + +From a9a966a91ca0304de63c03ef5131c08b1d19f60d Mon Sep 17 00:00:00 2001 +From: Dan Murphy +Date: Wed, 2 Oct 2013 12:58:33 -0500 +Subject: [PATCH 12/15] ARM: dts: AM33XX: add ethernet alias's for am33xx + +Set the alias for ethernet0 and ethernet1 so that uBoot +can set the MAC address appropriately. + +Currently u-boot cannot find the alias and there for does +not set the MAC address. + +Signed-off-by: Dan Murphy +Tested-by: Mugunthan V N +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am33xx.dtsi | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index 553adc6..8aabaa0 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -30,6 +30,8 @@ + usb1 = &usb1; + phy0 = &usb0_phy; + phy1 = &usb1_phy; ++ ethernet0 = &cpsw_emac0; ++ ethernet1 = &cpsw_emac1; + }; + + cpus { +-- +1.8.4.rc3 + +From 5339e0ba31b312715a5542a53c6a46c3e9a5f53b Mon Sep 17 00:00:00 2001 +From: Nishanth Menon +Date: Mon, 30 Sep 2013 09:40:16 -0500 +Subject: [PATCH 13/15] ARM: dts: am335x-boneblack: move fixed regulator to + board level + +3.3V fixed regulator does not belong to TPS node - as a result +the fixed regulator is never probed and MMC is continually deferred +due to lack of regulator. + +Move the fixed regulator to be at root of platform. + +Cc: Joel Fernandes +Cc: Sekhar Nori +Cc: Koen Kooi +Signed-off-by: Nishanth Menon +Tested-by: Felipe Balbi +Tested-by: Balaji T K +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index ff5c3ca..b3e6fcf 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -55,6 +55,13 @@ + default-state = "off"; + }; + }; ++ ++ vmmcsd_fixed: fixedregulator@0 { ++ compatible = "regulator-fixed"; ++ regulator-name = "vmmcsd_fixed"; ++ regulator-min-microvolt = <3300000>; ++ regulator-max-microvolt = <3300000>; ++ }; + }; + + &am33xx_pinmux { +@@ -257,13 +264,6 @@ + regulator-always-on; + }; + }; +- +- vmmcsd_fixed: fixedregulator@0 { +- compatible = "regulator-fixed"; +- regulator-name = "vmmcsd_fixed"; +- regulator-min-microvolt = <3300000>; +- regulator-max-microvolt = <3300000>; +- }; + }; + + &cpsw_emac0 { +-- +1.8.4.rc3 + +From 085e4e139ae508aab69c568d6bf2a6860a0bd607 Mon Sep 17 00:00:00 2001 +From: Balaji T K +Date: Fri, 27 Sep 2013 17:05:09 +0530 +Subject: [PATCH 14/15] ARM: dts: am335x-bone-common: correct mux mode for cmd + line + +Set pinmux_emmc_pins mux mode for cmd line to MODE2 in order +to detect eMMC on BBB and BBW + eMMC cape. + +Signed-off-by: Balaji T K +Tested-by: Felipe Balbi +Signed-off-by: Benoit Cousson +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index b3e6fcf..e3f27ec 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -160,7 +160,7 @@ + emmc_pins: pinmux_emmc_pins { + pinctrl-single,pins = < + 0x80 (PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn1.mmc1_clk */ +- 0x84 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_csn2.mmc1_cmd */ ++ 0x84 (PIN_INPUT_PULLUP | MUX_MODE2) /* gpmc_csn2.mmc1_cmd */ + 0x00 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad0.mmc1_dat0 */ + 0x04 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad1.mmc1_dat1 */ + 0x08 (PIN_INPUT_PULLUP | MUX_MODE1) /* gpmc_ad2.mmc1_dat2 */ +-- +1.8.4.rc3 + +commit d6cfc1e266d34d5b1f8a26bb272d2d2c466d89b8 +Author: Benoit Parrot +Date: Thu Aug 8 18:28:14 2013 -0500 + + ARM: dts: AM33XX: Add LCDC info into am335x-evm + + Add LCDC device node in DT for am33xx + Add LCDC and Panel info in DT for am335x-evm + + Changes: + - remove redundant/unnecessary SoC specific setting in the board dts + - resolved conflicts on for_3.13/dts + + Signed-off-by: Benoit Parrot + Signed-off-by: Joel Fernandes + Signed-off-by: Benoit Cousson + +diff --git a/arch/arm/boot/dts/am335x-evm.dts b/arch/arm/boot/dts/am335x-evm.dts +index ff834ad..eabacf9 100644 +--- a/arch/arm/boot/dts/am335x-evm.dts ++++ b/arch/arm/boot/dts/am335x-evm.dts +@@ -85,6 +85,40 @@ + brightness-levels = <0 51 53 56 62 75 101 152 255>; + default-brightness-level = <8>; + }; ++ ++ panel { ++ compatible = "ti,tilcdc,panel"; ++ status = "okay"; ++ pinctrl-names = "default"; ++ pinctrl-0 = <&lcd_pins_s0>; ++ panel-info { ++ ac-bias = <255>; ++ ac-bias-intrpt = <0>; ++ dma-burst-sz = <16>; ++ bpp = <32>; ++ fdd = <0x80>; ++ sync-edge = <0>; ++ sync-ctrl = <1>; ++ raster-order = <0>; ++ fifo-th = <0>; ++ }; ++ ++ display-timings { ++ 800x480p62 { ++ clock-frequency = <30000000>; ++ hactive = <800>; ++ vactive = <480>; ++ hfront-porch = <39>; ++ hback-porch = <39>; ++ hsync-len = <47>; ++ vback-porch = <29>; ++ vfront-porch = <13>; ++ vsync-len = <2>; ++ hsync-active = <1>; ++ vsync-active = <1>; ++ }; ++ }; ++ }; + }; + + &am33xx_pinmux { +@@ -212,6 +246,39 @@ + 0x14c (PIN_INPUT_PULLDOWN | MUX_MODE7) + >; + }; ++ ++ lcd_pins_s0: lcd_pins_s0 { ++ pinctrl-single,pins = < ++ 0x20 0x01 /* gpmc_ad8.lcd_data16, OUTPUT | MODE1 */ ++ 0x24 0x01 /* gpmc_ad9.lcd_data17, OUTPUT | MODE1 */ ++ 0x28 0x01 /* gpmc_ad10.lcd_data18, OUTPUT | MODE1 */ ++ 0x2c 0x01 /* gpmc_ad11.lcd_data19, OUTPUT | MODE1 */ ++ 0x30 0x01 /* gpmc_ad12.lcd_data20, OUTPUT | MODE1 */ ++ 0x34 0x01 /* gpmc_ad13.lcd_data21, OUTPUT | MODE1 */ ++ 0x38 0x01 /* gpmc_ad14.lcd_data22, OUTPUT | MODE1 */ ++ 0x3c 0x01 /* gpmc_ad15.lcd_data23, OUTPUT | MODE1 */ ++ 0xa0 0x00 /* lcd_data0.lcd_data0, OUTPUT | MODE0 */ ++ 0xa4 0x00 /* lcd_data1.lcd_data1, OUTPUT | MODE0 */ ++ 0xa8 0x00 /* lcd_data2.lcd_data2, OUTPUT | MODE0 */ ++ 0xac 0x00 /* lcd_data3.lcd_data3, OUTPUT | MODE0 */ ++ 0xb0 0x00 /* lcd_data4.lcd_data4, OUTPUT | MODE0 */ ++ 0xb4 0x00 /* lcd_data5.lcd_data5, OUTPUT | MODE0 */ ++ 0xb8 0x00 /* lcd_data6.lcd_data6, OUTPUT | MODE0 */ ++ 0xbc 0x00 /* lcd_data7.lcd_data7, OUTPUT | MODE0 */ ++ 0xc0 0x00 /* lcd_data8.lcd_data8, OUTPUT | MODE0 */ ++ 0xc4 0x00 /* lcd_data9.lcd_data9, OUTPUT | MODE0 */ ++ 0xc8 0x00 /* lcd_data10.lcd_data10, OUTPUT | MODE0 */ ++ 0xcc 0x00 /* lcd_data11.lcd_data11, OUTPUT | MODE0 */ ++ 0xd0 0x00 /* lcd_data12.lcd_data12, OUTPUT | MODE0 */ ++ 0xd4 0x00 /* lcd_data13.lcd_data13, OUTPUT | MODE0 */ ++ 0xd8 0x00 /* lcd_data14.lcd_data14, OUTPUT | MODE0 */ ++ 0xdc 0x00 /* lcd_data15.lcd_data15, OUTPUT | MODE0 */ ++ 0xe0 0x00 /* lcd_vsync.lcd_vsync, OUTPUT | MODE0 */ ++ 0xe4 0x00 /* lcd_hsync.lcd_hsync, OUTPUT | MODE0 */ ++ 0xe8 0x00 /* lcd_pclk.lcd_pclk, OUTPUT | MODE0 */ ++ 0xec 0x00 /* lcd_ac_bias_en.lcd_ac_bias_en, OUTPUT | MODE0 */ ++ >; ++ }; + }; + + &uart0 { +@@ -308,6 +375,10 @@ + }; + }; + ++&lcdc { ++ status = "okay"; ++}; ++ + &elm { + status = "okay"; + }; +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index c87bf4b..7db3c81 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -684,6 +684,15 @@ + status = "disabled"; + }; + ++ lcdc: lcdc@4830e000 { ++ compatible = "ti,am33xx-tilcdc"; ++ reg = <0x4830e000 0x1000>; ++ interrupt-parent = <&intc>; ++ interrupts = <36>; ++ ti,hwmods = "lcdc"; ++ status = "disabled"; ++ }; ++ + tscadc: tscadc@44e0d000 { + compatible = "ti,am3359-tscadc"; + reg = <0x44e0d000 0x1000>; +commit 559a08e89350e269a4bba93629f39da5dd8e4fef +Author: Darren Etheridge +Date: Fri Sep 20 15:01:42 2013 -0500 + + ARM: dts: AM33XX beagle black: add pinmux and hdmi node to enable display + + Enable the hdmi output and the LCD Controller on BeagleBone + Black. Also configure the correct pinmux for output of + video data from the SoC to the HDMI encoder. + + Signed-off-by: Darren Etheridge + Signed-off-by: Joel Fernandes + Signed-off-by: Benoit Cousson + +diff --git a/arch/arm/boot/dts/am335x-boneblack.dts b/arch/arm/boot/dts/am335x-boneblack.dts +index 16b3bea..6b71ad9 100644 +--- a/arch/arm/boot/dts/am335x-boneblack.dts ++++ b/arch/arm/boot/dts/am335x-boneblack.dts +@@ -28,3 +28,51 @@ + status = "okay"; + ti,vcc-aux-disable-is-sleep; + }; ++ ++&am33xx_pinmux { ++ nxp_hdmi_bonelt_pins: nxp_hdmi_bonelt_pins { ++ pinctrl-single,pins = < ++ 0x1b0 0x03 /* xdma_event_intr0, OMAP_MUX_MODE3 | AM33XX_PIN_OUTPUT */ ++ 0xa0 0x08 /* lcd_data0.lcd_data0, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xa4 0x08 /* lcd_data1.lcd_data1, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xa8 0x08 /* lcd_data2.lcd_data2, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xac 0x08 /* lcd_data3.lcd_data3, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xb0 0x08 /* lcd_data4.lcd_data4, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xb4 0x08 /* lcd_data5.lcd_data5, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xb8 0x08 /* lcd_data6.lcd_data6, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xbc 0x08 /* lcd_data7.lcd_data7, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xc0 0x08 /* lcd_data8.lcd_data8, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xc4 0x08 /* lcd_data9.lcd_data9, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xc8 0x08 /* lcd_data10.lcd_data10, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xcc 0x08 /* lcd_data11.lcd_data11, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xd0 0x08 /* lcd_data12.lcd_data12, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xd4 0x08 /* lcd_data13.lcd_data13, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xd8 0x08 /* lcd_data14.lcd_data14, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xdc 0x08 /* lcd_data15.lcd_data15, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT | AM33XX_PULL_DISA */ ++ 0xe0 0x00 /* lcd_vsync.lcd_vsync, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT */ ++ 0xe4 0x00 /* lcd_hsync.lcd_hsync, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT */ ++ 0xe8 0x00 /* lcd_pclk.lcd_pclk, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT */ ++ 0xec 0x00 /* lcd_ac_bias_en.lcd_ac_bias_en, OMAP_MUX_MODE0 | AM33XX_PIN_OUTPUT */ ++ >; ++ }; ++ nxp_hdmi_bonelt_off_pins: nxp_hdmi_bonelt_off_pins { ++ pinctrl-single,pins = < ++ 0x1b0 0x03 /* xdma_event_intr0, OMAP_MUX_MODE3 | AM33XX_PIN_OUTPUT */ ++ >; ++ }; ++}; ++ ++&lcdc { ++ status = "okay"; ++}; ++ ++/ { ++ hdmi { ++ compatible = "ti,tilcdc,slave"; ++ i2c = <&i2c0>; ++ pinctrl-names = "default", "off"; ++ pinctrl-0 = <&nxp_hdmi_bonelt_pins>; ++ pinctrl-1 = <&nxp_hdmi_bonelt_off_pins>; ++ status = "okay"; ++ }; ++}; +commit d4cbe80db468dcfaa058f9f00a332784e5dff316 +Author: Suman Anna +Date: Thu Oct 10 16:15:35 2013 -0500 + + ARM: dts: AM33XX: Add hwspinlock node + + Add the hwspinlock device tree node for AM33xx family + of SoCs. + + Signed-off-by: Suman Anna + Signed-off-by: Tony Lindgren + +diff --git a/arch/arm/boot/dts/am33xx.dtsi b/arch/arm/boot/dts/am33xx.dtsi +index 0ca13ad..9ae258e 100644 +--- a/arch/arm/boot/dts/am33xx.dtsi ++++ b/arch/arm/boot/dts/am33xx.dtsi +@@ -288,6 +288,12 @@ + status = "disabled"; + }; + ++ hwspinlock: spinlock@480ca000 { ++ compatible = "ti,omap4-hwspinlock"; ++ reg = <0x480ca000 0x1000>; ++ ti,hwmods = "spinlock"; ++ }; ++ + wdt2: wdt@44e35000 { + compatible = "ti,omap3-wdt"; + ti,hwmods = "wd_timer2"; diff --git a/arm-am33xx-bblack.patch b/arm-am33xx-bblack.patch new file mode 100644 index 000000000..4f62c9dd5 --- /dev/null +++ b/arm-am33xx-bblack.patch @@ -0,0 +1,610 @@ +Bugzilla: 1012025 +Upstream-status: In beagle github repository https://github.com/beagleboard/kernel + +From 82fe302f565e00cfde3e96c6132df93b39525e7b Mon Sep 17 00:00:00 2001 +From: Philipp Zabel +Date: Tue, 28 May 2013 17:06:15 +0200 +Subject: [PATCH] reset: Add driver for gpio-controlled reset pins + +This driver implements a reset controller device that toggle a gpio +connected to a reset pin of a peripheral IC. The delay between assertion +and de-assertion of the reset signal can be configured via device tree. + +Signed-off-by: Philipp Zabel +Reviewed-by: Stephen Warren +--- + .../devicetree/bindings/reset/gpio-reset.txt | 35 +++++ + drivers/reset/Kconfig | 11 ++ + drivers/reset/Makefile | 1 + + drivers/reset/gpio-reset.c | 169 +++++++++++++++++++++ + 4 files changed, 216 insertions(+) + create mode 100644 Documentation/devicetree/bindings/reset/gpio-reset.txt + create mode 100644 drivers/reset/gpio-reset.c + +diff --git a/Documentation/devicetree/bindings/reset/gpio-reset.txt b/Documentation/devicetree/bindings/reset/gpio-reset.txt +new file mode 100644 +index 0000000..bca5348 +--- /dev/null ++++ b/Documentation/devicetree/bindings/reset/gpio-reset.txt +@@ -0,0 +1,35 @@ ++GPIO reset controller ++===================== ++ ++A GPIO reset controller controls a single GPIO that is connected to the reset ++pin of a peripheral IC. Please also refer to reset.txt in this directory for ++common reset controller binding usage. ++ ++Required properties: ++- compatible: Should be "gpio-reset" ++- reset-gpios: A gpio used as reset line. The gpio specifier for this property ++ depends on the gpio controller that provides the gpio. ++- #reset-cells: 0, see below ++ ++Optional properties: ++- reset-delay-us: delay in microseconds. The gpio reset line will be asserted for ++ this duration to reset. ++- initially-in-reset: boolean. If not set, the initial state should be a ++ deasserted reset line. If this property exists, the ++ reset line should be kept in reset. ++ ++example: ++ ++sii902x_reset: gpio-reset { ++ compatible = "gpio-reset"; ++ reset-gpios = <&gpio5 0 GPIO_ACTIVE_LOW>; ++ reset-delay-us = <10000>; ++ initially-in-reset; ++ #reset-cells = <0>; ++}; ++ ++/* Device with nRESET pin connected to GPIO5_0 */ ++sii902x@39 { ++ /* ... */ ++ resets = <&sii902x_reset>; /* active-low GPIO5_0, 10 ms delay */ ++}; +diff --git a/drivers/reset/Kconfig b/drivers/reset/Kconfig +index c9d04f7..1a862df 100644 +--- a/drivers/reset/Kconfig ++++ b/drivers/reset/Kconfig +@@ -11,3 +11,14 @@ menuconfig RESET_CONTROLLER + via GPIOs or SoC-internal reset controller modules. + + If unsure, say no. ++ ++if RESET_CONTROLLER ++ ++config RESET_GPIO ++ tristate "GPIO reset controller support" ++ depends on GPIOLIB && OF ++ help ++ This driver provides support for reset lines that are controlled ++ directly by GPIOs. ++ ++endif +diff --git a/drivers/reset/Makefile b/drivers/reset/Makefile +index 1e2d83f..b854f20 100644 +--- a/drivers/reset/Makefile ++++ b/drivers/reset/Makefile +@@ -1 +1,2 @@ + obj-$(CONFIG_RESET_CONTROLLER) += core.o ++obj-$(CONFIG_RESET_GPIO) += gpio-reset.o +diff --git a/drivers/reset/gpio-reset.c b/drivers/reset/gpio-reset.c +new file mode 100644 +index 0000000..acc1076 +--- /dev/null ++++ b/drivers/reset/gpio-reset.c +@@ -0,0 +1,169 @@ ++/* ++ * GPIO Reset Controller driver ++ * ++ * Copyright 2013 Philipp Zabel, Pengutronix ++ * ++ * This program is free software; you can redistribute it and/or modify ++ * it under the terms of the GNU General Public License as published by ++ * the Free Software Foundation; either version 2 of the License, or ++ * (at your option) any later version. ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++ ++struct gpio_reset_data { ++ struct reset_controller_dev rcdev; ++ unsigned int gpio; ++ bool active_low; ++ u32 delay_us; ++}; ++ ++static void __gpio_reset_set(struct reset_controller_dev *rcdev, int asserted) ++{ ++ struct gpio_reset_data *drvdata = container_of(rcdev, ++ struct gpio_reset_data, rcdev); ++ int value = asserted; ++ ++ if (drvdata->active_low) ++ value = !value; ++ ++ gpio_set_value(drvdata->gpio, value); ++} ++ ++static int gpio_reset(struct reset_controller_dev *rcdev, unsigned long id) ++{ ++ struct gpio_reset_data *drvdata = container_of(rcdev, ++ struct gpio_reset_data, rcdev); ++ ++ if (drvdata->delay_us < 0) ++ return -ENOSYS; ++ ++ __gpio_reset_set(rcdev, 1); ++ udelay(drvdata->delay_us); ++ __gpio_reset_set(rcdev, 0); ++ ++ return 0; ++} ++ ++static int gpio_reset_assert(struct reset_controller_dev *rcdev, ++ unsigned long id) ++{ ++ __gpio_reset_set(rcdev, 1); ++ ++ return 0; ++} ++ ++static int gpio_reset_deassert(struct reset_controller_dev *rcdev, ++ unsigned long id) ++{ ++ __gpio_reset_set(rcdev, 0); ++ ++ return 0; ++} ++ ++static struct reset_control_ops gpio_reset_ops = { ++ .reset = gpio_reset, ++ .assert = gpio_reset_assert, ++ .deassert = gpio_reset_deassert, ++}; ++ ++static int of_gpio_reset_xlate(struct reset_controller_dev *rcdev, ++ const struct of_phandle_args *reset_spec) ++{ ++ if (WARN_ON(reset_spec->args_count != 0)) ++ return -EINVAL; ++ ++ return 0; ++} ++ ++static int gpio_reset_probe(struct platform_device *pdev) ++{ ++ struct device_node *np = pdev->dev.of_node; ++ struct gpio_reset_data *drvdata; ++ enum of_gpio_flags flags; ++ unsigned long gpio_flags; ++ bool initially_in_reset; ++ int ret; ++ ++ drvdata = devm_kzalloc(&pdev->dev, sizeof(*drvdata), GFP_KERNEL); ++ if (drvdata == NULL) ++ return -ENOMEM; ++ ++ if (of_gpio_named_count(np, "reset-gpios") != 1) ++ return -EINVAL; ++ ++ drvdata->gpio = of_get_named_gpio_flags(np, "reset-gpios", 0, &flags); ++ if (drvdata->gpio == -EPROBE_DEFER) { ++ return drvdata->gpio; ++ } else if (!gpio_is_valid(drvdata->gpio)) { ++ dev_err(&pdev->dev, "invalid reset gpio: %d\n", drvdata->gpio); ++ return drvdata->gpio; ++ } ++ ++ drvdata->active_low = flags & OF_GPIO_ACTIVE_LOW; ++ ++ ret = of_property_read_u32(np, "reset-delay-us", &drvdata->delay_us); ++ if (ret < 0) ++ return ret; ++ ++ initially_in_reset = of_property_read_bool(np, "initially-in-reset"); ++ if (drvdata->active_low ^ initially_in_reset) ++ gpio_flags = GPIOF_OUT_INIT_HIGH; ++ else ++ gpio_flags = GPIOF_OUT_INIT_LOW; ++ ++ ret = devm_gpio_request_one(&pdev->dev, drvdata->gpio, gpio_flags, NULL); ++ if (ret < 0) { ++ dev_err(&pdev->dev, "failed to request gpio %d: %d\n", ++ drvdata->gpio, ret); ++ return ret; ++ } ++ ++ drvdata->rcdev.of_node = np; ++ drvdata->rcdev.owner = THIS_MODULE; ++ drvdata->rcdev.nr_resets = 1; ++ drvdata->rcdev.ops = &gpio_reset_ops; ++ drvdata->rcdev.of_xlate = of_gpio_reset_xlate; ++ reset_controller_register(&drvdata->rcdev); ++ ++ platform_set_drvdata(pdev, drvdata); ++ ++ return 0; ++} ++ ++static int gpio_reset_remove(struct platform_device *pdev) ++{ ++ struct gpio_reset_data *drvdata = platform_get_drvdata(pdev); ++ ++ reset_controller_unregister(&drvdata->rcdev); ++ ++ return 0; ++} ++ ++static struct of_device_id gpio_reset_dt_ids[] = { ++ { .compatible = "gpio-reset" }, ++ { } ++}; ++ ++static struct platform_driver gpio_reset_driver = { ++ .probe = gpio_reset_probe, ++ .remove = gpio_reset_remove, ++ .driver = { ++ .name = "gpio-reset", ++ .owner = THIS_MODULE, ++ .of_match_table = of_match_ptr(gpio_reset_dt_ids), ++ }, ++}; ++ ++module_platform_driver(gpio_reset_driver); ++ ++MODULE_AUTHOR("Philipp Zabel "); ++MODULE_DESCRIPTION("gpio reset controller"); ++MODULE_LICENSE("GPL"); ++MODULE_ALIAS("platform:gpio-reset"); ++MODULE_DEVICE_TABLE(of, gpio_reset_dt_ids); +-- +1.8.2.1 + +From 03664ac63b20b55af9522449bbad048476d259d5 Mon Sep 17 00:00:00 2001 +From: Joel Fernandes +Date: Wed, 3 Jul 2013 17:29:44 -0500 +Subject: [PATCH 2/2] sound: soc: soc-dmaengine-pcm: Add support for new + DMAEngine request API + +Formerly these resources were coming HWMOD on OMAP-like SoCs. With the +impending removal of HWMOD data, drivers are being converted to use the +"of-dma" method of requesting DMA channels which from DT and can be obtained +using the dma_request_slave_channel API. Add support to the soc-dmaengine-pcm +helpers so that we can fetch and open channels using this method. + +Signed-off-by: Joel Fernandes +--- + sound/core/pcm_dmaengine.c | 22 ++++++++++++++++++++++ + 1 file changed, 22 insertions(+) + +diff --git a/sound/core/pcm_dmaengine.c b/sound/core/pcm_dmaengine.c +index aa924d9..461fe4f 100644 +--- a/sound/core/pcm_dmaengine.c ++++ b/sound/core/pcm_dmaengine.c +@@ -276,6 +276,16 @@ struct dma_chan *snd_dmaengine_pcm_request_channel(dma_filter_fn filter_fn, + } + EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_request_channel); + ++struct dma_chan *snd_dmaengine_pcm_request_slave_channel( ++ struct snd_pcm_substream *substream, char *name) ++{ ++ struct snd_soc_pcm_runtime *rtd = substream->private_data; ++ struct device *dev = snd_soc_dai_get_drvdata(rtd->cpu_dai); ++ ++ return dma_request_slave_channel(dev, name); ++} ++EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_request_slave_channel); ++ + /** + * snd_dmaengine_pcm_open - Open a dmaengine based PCM substream + * @substream: PCM substream +@@ -334,6 +344,18 @@ int snd_dmaengine_pcm_open_request_chan(struct snd_pcm_substream *substream, + } + EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_open_request_chan); + ++int snd_dmaengine_pcm_open_request_slave_chan(struct snd_pcm_substream *substream, char *name) ++{ ++ if(substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { ++ return snd_dmaengine_pcm_open(substream, ++ snd_dmaengine_pcm_request_slave_channel(substream, "tx")); ++ } else { ++ return snd_dmaengine_pcm_open(substream, ++ snd_dmaengine_pcm_request_slave_channel(substream, "rx")); ++ } ++} ++EXPORT_SYMBOL_GPL(snd_dmaengine_pcm_open_request_slave_chan); ++ + /** + * snd_dmaengine_pcm_close - Close a dmaengine based PCM substream + * @substream: PCM substream +-- +1.8.4.rc3 + +From ae38683badc8c80b29ccc8aa4e059f900b603551 Mon Sep 17 00:00:00 2001 +From: Pantelis Antoniou +Date: Fri, 26 Oct 2012 15:48:00 +0300 +Subject: [PATCH 1/2] omap-hsmmc: Correct usage of of_find_node_by_name + +of_find_node_by_name expect to have the parent node reference taken. +--- + drivers/mmc/host/omap_hsmmc.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index 6ac63df..f5b660c 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -1893,6 +1893,16 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + * as we want. */ + mmc->max_segs = 1024; + ++ /* Eventually we should get our max_segs limitation for EDMA by ++ * querying the dmaengine API */ ++ if (pdev->dev.of_node) { ++ struct device_node *parent = of_node_get(pdev->dev.of_node->parent); ++ struct device_node *node; ++ node = of_find_node_by_name(parent, "edma"); ++ if (node) ++ mmc->max_segs = 16; ++ } ++ + mmc->max_blk_size = 512; /* Block Length at max can be 1024 */ + mmc->max_blk_count = 0xFFFF; /* No. of Blocks is 16 bits */ + mmc->max_req_size = mmc->max_blk_size * mmc->max_blk_count; +-- +1.8.2.1 + +From 5d93a65cfc4ff6aaf78ab49f71daa2a644ea2ace Mon Sep 17 00:00:00 2001 +From: Pantelis Antoniou +Date: Fri, 30 Nov 2012 12:18:16 +0200 +Subject: [PATCH 2/2] omap_hsmmc: Add reset gpio + +Add a gpio property for controlling reset of the mmc device. +eMMC on the beaglebone black requires it. + +Signed-off-by: Pantelis Antoniou +--- + drivers/mmc/host/omap_hsmmc.c | 40 +++++++++++++++++++++++++++++++++- + include/linux/platform_data/mmc-omap.h | 3 +++ + 2 files changed, 42 insertions(+), 1 deletion(-) + +diff --git a/drivers/mmc/host/omap_hsmmc.c b/drivers/mmc/host/omap_hsmmc.c +index f5b660c..1bdb90f 100644 +--- a/drivers/mmc/host/omap_hsmmc.c ++++ b/drivers/mmc/host/omap_hsmmc.c +@@ -41,6 +41,8 @@ + #include + #include + #include ++#include ++#include + + /* OMAP HSMMC Host Controller Registers */ + #define OMAP_HSMMC_SYSSTATUS 0x0014 +@@ -392,6 +394,7 @@ static inline int omap_hsmmc_have_reg(void) + static int omap_hsmmc_gpio_init(struct omap_mmc_platform_data *pdata) + { + int ret; ++ unsigned long flags; + + if (gpio_is_valid(pdata->slots[0].switch_pin)) { + if (pdata->slots[0].cover) +@@ -421,6 +424,24 @@ static int omap_hsmmc_gpio_init(struct omap_mmc_platform_data *pdata) + } else + pdata->slots[0].gpio_wp = -EINVAL; + ++ if (gpio_is_valid(pdata->slots[0].gpio_reset)) { ++ flags = pdata->slots[0].gpio_reset_active_low ? ++ GPIOF_OUT_INIT_LOW : GPIOF_OUT_INIT_HIGH; ++ ret = gpio_request_one(pdata->slots[0].gpio_reset, flags, ++ "mmc_reset"); ++ if (ret) ++ goto err_free_wp; ++ ++ /* hold reset */ ++ udelay(pdata->slots[0].gpio_reset_hold_us); ++ ++ gpio_set_value(pdata->slots[0].gpio_reset, ++ !pdata->slots[0].gpio_reset_active_low); ++ ++ } else ++ pdata->slots[0].gpio_reset = -EINVAL; ++ ++ + return 0; + + err_free_wp: +@@ -434,6 +455,8 @@ err_free_sp: + + static void omap_hsmmc_gpio_free(struct omap_mmc_platform_data *pdata) + { ++ if (gpio_is_valid(pdata->slots[0].gpio_reset)) ++ gpio_free(pdata->slots[0].gpio_reset); + if (gpio_is_valid(pdata->slots[0].gpio_wp)) + gpio_free(pdata->slots[0].gpio_wp); + if (gpio_is_valid(pdata->slots[0].switch_pin)) +@@ -788,7 +811,7 @@ omap_hsmmc_start_command(struct omap_hsmmc_host *host, struct mmc_command *cmd, + * ac, bc, adtc, bcr. Only commands ending an open ended transfer need + * a val of 0x3, rest 0x0. + */ +- if (cmd == host->mrq->stop) ++ if (host->mrq && cmd == host->mrq->stop) + cmdtype = 0x3; + + cmdreg = (cmd->opcode << 24) | (resptype << 16) | (cmdtype << 22); +@@ -830,6 +853,8 @@ static void omap_hsmmc_request_done(struct omap_hsmmc_host *host, struct mmc_req + int dma_ch; + unsigned long flags; + ++ BUG_ON(mrq == NULL); ++ + spin_lock_irqsave(&host->irq_lock, flags); + host->req_in_progress = 0; + dma_ch = host->dma_ch; +@@ -1720,6 +1745,7 @@ static struct omap_mmc_platform_data *of_get_hsmmc_pdata(struct device *dev) + struct device_node *np = dev->of_node; + u32 bus_width, max_freq; + int cd_gpio, wp_gpio; ++ enum of_gpio_flags reset_flags; + + cd_gpio = of_get_named_gpio(np, "cd-gpios", 0); + wp_gpio = of_get_named_gpio(np, "wp-gpios", 0); +@@ -1737,6 +1763,14 @@ static struct omap_mmc_platform_data *of_get_hsmmc_pdata(struct device *dev) + pdata->nr_slots = 1; + pdata->slots[0].switch_pin = cd_gpio; + pdata->slots[0].gpio_wp = wp_gpio; ++ reset_flags = 0; ++ pdata->slots[0].gpio_reset = of_get_named_gpio_flags(np, ++ "reset-gpios", 0, &reset_flags); ++ pdata->slots[0].gpio_reset_active_low = ++ (reset_flags & OF_GPIO_ACTIVE_LOW) != 0; ++ pdata->slots[0].gpio_reset_hold_us = 100; /* default */ ++ of_property_read_u32(np, "reset-gpio-hold-us", ++ &pdata->slots[0].gpio_reset_hold_us); + + if (of_find_property(np, "ti,non-removable", NULL)) { + pdata->slots[0].nonremovable = true; +@@ -1802,6 +1836,10 @@ static int omap_hsmmc_probe(struct platform_device *pdev) + return -ENXIO; + } + ++ pinctrl = devm_pinctrl_get_select_default(&pdev->dev); ++ if (IS_ERR(pinctrl)) ++ dev_warn(&pdev->dev, "unable to select pin group\n"); ++ + res = platform_get_resource(pdev, IORESOURCE_MEM, 0); + irq = platform_get_irq(pdev, 0); + if (res == NULL || irq < 0) +diff --git a/include/linux/platform_data/mmc-omap.h b/include/linux/platform_data/mmc-omap.h +index 2bf1b30..d548994 100644 +--- a/include/linux/platform_data/mmc-omap.h ++++ b/include/linux/platform_data/mmc-omap.h +@@ -115,6 +115,9 @@ struct omap_mmc_platform_data { + + int switch_pin; /* gpio (card detect) */ + int gpio_wp; /* gpio (write protect) */ ++ int gpio_reset; /* gpio (reset) */ ++ int gpio_reset_active_low; /* 1 if reset is active low */ ++ u32 gpio_reset_hold_us; /* time to hold in us */ + + int (*set_bus_mode)(struct device *dev, int slot, int bus_mode); + int (*set_power)(struct device *dev, int slot, +-- +1.8.2.1 + +From b45e4df71f07f2178db133db540e3f15e0b4ec05 Mon Sep 17 00:00:00 2001 +From: Pantelis Antoniou +Date: Sat, 15 Sep 2012 12:00:41 +0300 +Subject: [PATCH] pinctrl: pinctrl-single must be initialized early. + +When using pinctrl-single to handle i2c initialization, it has +to be done early. Whether this is the best way to do so, is an +exercise left to the reader. +--- + drivers/pinctrl/pinctrl-single.c | 12 +++++++++++- + 1 file changed, 11 insertions(+), 1 deletion(-) + +diff --git a/drivers/pinctrl/pinctrl-single.c b/drivers/pinctrl/pinctrl-single.c +index a82ace4..aeef35d 100644 +--- a/drivers/pinctrl/pinctrl-single.c ++++ b/drivers/pinctrl/pinctrl-single.c +@@ -1673,7 +1673,17 @@ static struct platform_driver pcs_driver = { + #endif + }; + +-module_platform_driver(pcs_driver); ++static int __init pcs_init(void) ++{ ++ return platform_driver_register(&pcs_driver); ++} ++postcore_initcall(pcs_init); ++ ++static void __exit pcs_exit(void) ++{ ++ platform_driver_unregister(&pcs_driver); ++} ++module_exit(pcs_exit); + + MODULE_AUTHOR("Tony Lindgren "); + MODULE_DESCRIPTION("One-register-per-pin type device tree based pinctrl driver"); +-- +1.8.2.1 + +From e5e7abd2de7d8d4c74b5a1ccc6d47988250bd17d Mon Sep 17 00:00:00 2001 +From: Pantelis Antoniou +Date: Fri, 28 Jun 2013 18:39:55 +0300 +Subject: [PATCH 1/4] dts: beaglebone: Add I2C definitions for EEPROMs & capes + +Add the I2C definitions for the EEPROM devices on the baseboard +and on the possibly connected capes. + +Signed-off-by: Pantelis Antoniou +--- + arch/arm/boot/dts/am335x-bone-common.dtsi | 39 +++++++++++++++++++++++++++++++ + 1 file changed, 39 insertions(+) + +diff --git a/arch/arm/boot/dts/am335x-bone-common.dtsi b/arch/arm/boot/dts/am335x-bone-common.dtsi +index e3f27ec..2d12775 100644 +--- a/arch/arm/boot/dts/am335x-bone-common.dtsi ++++ b/arch/arm/boot/dts/am335x-bone-common.dtsi +@@ -84,6 +84,13 @@ + >; + }; + ++ i2c2_pins: pinmux_i2c2_pins { ++ pinctrl-single,pins = < ++ 0x178 0x73 /* uart1_ctsn.i2c2_sda, SLEWCTRL_SLOW | INPUT_PULLUP | MODE3 */ ++ 0x17c 0x73 /* uart1_rtsn.i2c2_scl, SLEWCTRL_SLOW | INPUT_PULLUP | MODE3 */ ++ >; ++ }; ++ + uart0_pins: pinmux_uart0_pins { + pinctrl-single,pins = < + 0x170 (PIN_INPUT_PULLUP | MUX_MODE0) /* uart0_rxd.uart0_rxd */ +@@ -220,6 +227,38 @@ + reg = <0x24>; + }; + ++ baseboard_eeprom: baseboard_eeprom@50 { ++ compatible = "at,24c256"; ++ reg = <0x50>; ++ }; ++}; ++ ++&i2c2 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&i2c2_pins>; ++ ++ status = "okay"; ++ clock-frequency = <100000>; ++ ++ cape_eeprom0: cape_eeprom0@54 { ++ compatible = "at,24c256"; ++ reg = <0x54>; ++ }; ++ ++ cape_eeprom1: cape_eeprom1@55 { ++ compatible = "at,24c256"; ++ reg = <0x55>; ++ }; ++ ++ cape_eeprom2: cape_eeprom2@56 { ++ compatible = "at,24c256"; ++ reg = <0x56>; ++ }; ++ ++ cape_eeprom3: cape_eeprom3@57 { ++ compatible = "at,24c256"; ++ reg = <0x57>; ++ }; + }; + + /include/ "tps65217.dtsi" +-- +1.8.4.rc3 diff --git a/arm-am33xx-cpsw.patch b/arm-am33xx-cpsw.patch new file mode 100644 index 000000000..1a38cdd2b --- /dev/null +++ b/arm-am33xx-cpsw.patch @@ -0,0 +1,23 @@ +Bugzilla: 1012025 +Upstream-status: An initial work around for the cpsw driver issue trying to access HW registers +with clock disabled. Upstream is working on a proper fix with the hope to land it in 3.13. + +--- linux-3.12.4-1.fc20.x86_64/drivers/net/ethernet/ti/cpsw.c.orig 2013-12-11 20:52:41.576478796 +0000 ++++ linux-3.12.4-1.fc20.x86_64/drivers/net/ethernet/ti/cpsw.c 2013-12-11 20:55:14.418692261 +0000 +@@ -2001,6 +2001,8 @@ + goto clean_cpsw_iores_ret; + } + priv->regs = ss_regs; ++ ++ pm_runtime_get_sync(&pdev->dev); + priv->version = __raw_readl(&priv->regs->id_ver); + priv->host_port = HOST_PORT_NUM; + +@@ -2161,6 +2163,7 @@ + goto clean_irq_ret; + } + } ++ pm_runtime_put_sync(&pdev->dev); + + return 0; + diff --git a/arm-export-read_current_timer.patch b/arm-export-read_current_timer.patch deleted file mode 100644 index 5059d6862..000000000 --- a/arm-export-read_current_timer.patch +++ /dev/null @@ -1,10 +0,0 @@ ---- linux-3.7.0-0.rc2.git1.2.fc19.x86_64/arch/arm/kernel/armksyms.c.orig 2012-10-01 00:47:46.000000000 +0100 -+++ linux-3.7.0-0.rc2.git1.2.fc19.x86_64/arch/arm/kernel/armksyms.c 2012-10-24 09:06:46.570452677 +0100 -@@ -50,6 +50,7 @@ - - /* platform dependent support */ - EXPORT_SYMBOL(arm_delay_ops); -+EXPORT_SYMBOL(read_current_timer); - - /* networking */ - EXPORT_SYMBOL(csum_partial); diff --git a/arm-imx6-utilite.patch b/arm-imx6-utilite.patch new file mode 100644 index 000000000..58a839a6e --- /dev/null +++ b/arm-imx6-utilite.patch @@ -0,0 +1,95 @@ +Add initial support for cm-fx6 module. + +cm-fx6 is a module based on mx6q SoC with the following features: +- Up to 4GB of DDR3 +- 1 LCD/DVI output port +- 1 HDMI output port +- 2 LVDS LCD ports +- Gigabit Ethernet +- Analog Audio +- CAN +- SATA +- NAND +- PCIE + +This patch allows to boot up the module, configures the serial console, +the Ethernet adapter and the hearbeat led. + +Signed-off-by: Valentin Raevsky +Acked-by: Igor Grinberg +--- + arch/arm/boot/dts/imx6q-cm-fx6.dts | 51 ++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 51 insertions(+) + create mode 100644 arch/arm/boot/dts/imx6q-cm-fx6.dts + +diff --git a/arch/arm/boot/dts/imx6q-cm-fx6.dts b/arch/arm/boot/dts/imx6q-cm-fx6.dts +new file mode 100644 +index 0000000..1080215 +--- /dev/null ++++ b/arch/arm/boot/dts/imx6q-cm-fx6.dts +@@ -0,0 +1,51 @@ ++/* ++ * Copyright 2013 CompuLab Ltd. ++ * ++ * The code contained herein is licensed under the GNU General Public ++ * License. You may obtain a copy of the GNU General Public License ++ * Version 2 or later at the following locations: ++ * ++ * http://www.opensource.org/licenses/gpl-license.html ++ * http://www.gnu.org/copyleft/gpl.html ++ */ ++ ++/dts-v1/; ++#include "imx6q.dtsi" ++ ++/ { ++ model = "CompuLab CM-FX6"; ++ compatible = "compulab,cm-fx6", "fsl,imx6q"; ++ ++ memory { ++ reg = <0x10000000 0x80000000>; ++ }; ++ ++ leds { ++ compatible = "gpio-leds"; ++ ++ debug-led { ++ label = "Heartbeat"; ++ gpios = <&gpio2 31 0>; ++ linux,default-trigger = "heartbeat"; ++ }; ++ }; ++}; ++ ++&gpmi { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_gpmi_nand_1>; ++ status = "okay"; ++}; ++ ++&fec { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_enet_1>; ++ phy-mode = "rgmii"; ++ status = "okay"; ++}; ++ ++&uart4 { ++ pinctrl-names = "default"; ++ pinctrl-0 = <&pinctrl_uart4_1>; ++ status = "okay"; ++}; +diff --git a/arch/arm/boot/dts/Makefile b/arch/arm/boot/dts/Makefile +--- a/arch/arm/boot/dts/Makefile ++++ b/arch/arm/boot/dts/Makefile +@@ -137,6 +137,7 @@ + imx6dl-sabresd.dtb \ + imx6dl-wandboard.dtb \ + imx6q-arm2.dtb \ ++ imx6q-cm-fx6.dtb \ + imx6q-phytec-pbab01.dtb \ + imx6q-sabreauto.dtb \ + imx6q-sabrelite.dtb \ +-- +1.7.9.5 + diff --git a/arm-omap-load-tfp410.patch b/arm-omap-load-tfp410.patch index 0f2ba5457..3ef21a062 100644 --- a/arm-omap-load-tfp410.patch +++ b/arm-omap-load-tfp410.patch @@ -1,14 +1,14 @@ -diff -urNp linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/core.c linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/core.c ---- linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/core.c 2013-04-28 20:36:01.000000000 -0400 -+++ linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/core.c 2013-05-31 12:24:07.711334359 -0400 -@@ -596,6 +596,9 @@ static int __init omap_dss_init(void) - { - int r; - -+ /* hack to load panel-tfp410 driver */ -+ request_module("panel-tfp410"); -+ - r = omap_dss_bus_register(); - if (r) - return r; -Binary files linux-3.9.4-300.fc19.armv7hl_orig/drivers/video/omap2/dss/.Makefile.swp and linux-3.9.4-300.fc19.armv7hl/drivers/video/omap2/dss/.Makefile.swp differ +diff --git a/drivers/video/omap2/dss/core.c b/drivers/video/omap2/dss/core.c +index 60d3958..0e304ce 100644 +--- a/drivers/video/omap2/dss/core.c ++++ b/drivers/video/omap2/dss/core.c +@@ -298,6 +298,9 @@ static int __init omap_dss_init(void) + int r; + int i; + ++ /* hack to load encoder-tfp410 driver */ ++ request_module("encoder-tfp410"); ++ + r = platform_driver_probe(&omap_dss_driver, omap_dss_probe); + if (r) + return r; diff --git a/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch b/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch new file mode 100644 index 000000000..d6de76989 --- /dev/null +++ b/arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch @@ -0,0 +1,13 @@ +diff --git a/sound/soc/samsung/dma.c b/sound/soc/samsung/dma.c +index 21b7926..19e6662 100644 +--- a/sound/soc/samsung/dma.c ++++ b/sound/soc/samsung/dma.c +@@ -76,7 +76,7 @@ static void dma_enqueue(struct snd_pcm_substream *substream) + + pr_debug("Entered %s\n", __func__); + +- limit = (prtd->dma_end - prtd->dma_start) / prtd->dma_period; ++ limit = (u32)(prtd->dma_end - prtd->dma_start) / prtd->dma_period; + + pr_debug("%s: loaded %d, limit %d\n", + __func__, prtd->dma_loaded, limit); diff --git a/bonding-driver-alb-learning.patch b/bonding-driver-alb-learning.patch deleted file mode 100644 index c7f8e8f6b..000000000 --- a/bonding-driver-alb-learning.patch +++ /dev/null @@ -1,155 +0,0 @@ -commit 7eacd03810960823393521063734fc8188446bca -Author: Neil Horman -Date: Fri Sep 13 11:05:33 2013 -0400 - - bonding: Make alb learning packet interval configurable - - running bonding in ALB mode requires that learning packets be sent periodically, - so that the switch knows where to send responding traffic. However, depending - on switch configuration, there may not be any need to send traffic at the - default rate of 3 packets per second, which represents little more than wasted - data. Allow the ALB learning packet interval to be made configurable via sysfs - - Signed-off-by: Neil Horman - Acked-by: Acked-by: Veaceslav Falico - CC: Jay Vosburgh - CC: Andy Gospodarek - CC: "David S. Miller" - Signed-off-by: Andy Gospodarek - Signed-off-by: David S. Miller - -diff --git a/Documentation/networking/bonding.txt b/Documentation/networking/bonding.txt -index 87bbcfe..9b28e71 100644 ---- a/Documentation/networking/bonding.txt -+++ b/Documentation/networking/bonding.txt -@@ -1362,6 +1362,12 @@ To add ARP targets: - To remove an ARP target: - # echo -192.168.0.100 > /sys/class/net/bond0/bonding/arp_ip_target - -+To configure the interval between learning packet transmits: -+# echo 12 > /sys/class/net/bond0/bonding/lp_interval -+ NOTE: the lp_inteval is the number of seconds between instances where -+the bonding driver sends learning packets to each slaves peer switch. The -+default interval is 1 second. -+ - Example Configuration - --------------------- - We begin with the same example that is shown in section 3.3, -diff --git a/drivers/net/bonding/bond_alb.c b/drivers/net/bonding/bond_alb.c -index 91f179d..f428ef57 100644 ---- a/drivers/net/bonding/bond_alb.c -+++ b/drivers/net/bonding/bond_alb.c -@@ -1472,7 +1472,7 @@ void bond_alb_monitor(struct work_struct *work) - bond_info->lp_counter++; - - /* send learning packets */ -- if (bond_info->lp_counter >= BOND_ALB_LP_TICKS) { -+ if (bond_info->lp_counter >= BOND_ALB_LP_TICKS(bond)) { - /* change of curr_active_slave involves swapping of mac addresses. - * in order to avoid this swapping from happening while - * sending the learning packets, the curr_slave_lock must be held for -diff --git a/drivers/net/bonding/bond_alb.h b/drivers/net/bonding/bond_alb.h -index 28d8e4c..c5eff5d 100644 ---- a/drivers/net/bonding/bond_alb.h -+++ b/drivers/net/bonding/bond_alb.h -@@ -36,14 +36,15 @@ struct slave; - * Used for division - never set - * to zero !!! - */ --#define BOND_ALB_LP_INTERVAL 1 /* In seconds, periodic send of -- * learning packets to the switch -- */ -+#define BOND_ALB_DEFAULT_LP_INTERVAL 1 -+#define BOND_ALB_LP_INTERVAL(bond) (bond->params.lp_interval) /* In seconds, periodic send of -+ * learning packets to the switch -+ */ - - #define BOND_TLB_REBALANCE_TICKS (BOND_TLB_REBALANCE_INTERVAL \ - * ALB_TIMER_TICKS_PER_SEC) - --#define BOND_ALB_LP_TICKS (BOND_ALB_LP_INTERVAL \ -+#define BOND_ALB_LP_TICKS(bond) (BOND_ALB_LP_INTERVAL(bond) \ - * ALB_TIMER_TICKS_PER_SEC) - - #define TLB_HASH_TABLE_SIZE 256 /* The size of the clients hash table. -diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c -index 72df399..55bbb8b 100644 ---- a/drivers/net/bonding/bond_main.c -+++ b/drivers/net/bonding/bond_main.c -@@ -4416,6 +4416,7 @@ static int bond_check_params(struct bond_params *params) - params->all_slaves_active = all_slaves_active; - params->resend_igmp = resend_igmp; - params->min_links = min_links; -+ params->lp_interval = BOND_ALB_DEFAULT_LP_INTERVAL; - - if (primary) { - strncpy(params->primary, primary, IFNAMSIZ); -diff --git a/drivers/net/bonding/bond_sysfs.c b/drivers/net/bonding/bond_sysfs.c -index eeab40b..c29b836 100644 ---- a/drivers/net/bonding/bond_sysfs.c -+++ b/drivers/net/bonding/bond_sysfs.c -@@ -1699,6 +1699,44 @@ out: - static DEVICE_ATTR(resend_igmp, S_IRUGO | S_IWUSR, - bonding_show_resend_igmp, bonding_store_resend_igmp); - -+ -+static ssize_t bonding_show_lp_interval(struct device *d, -+ struct device_attribute *attr, -+ char *buf) -+{ -+ struct bonding *bond = to_bond(d); -+ return sprintf(buf, "%d\n", bond->params.lp_interval); -+} -+ -+static ssize_t bonding_store_lp_interval(struct device *d, -+ struct device_attribute *attr, -+ const char *buf, size_t count) -+{ -+ struct bonding *bond = to_bond(d); -+ int new_value, ret = count; -+ -+ if (sscanf(buf, "%d", &new_value) != 1) { -+ pr_err("%s: no lp interval value specified.\n", -+ bond->dev->name); -+ ret = -EINVAL; -+ goto out; -+ } -+ -+ if (new_value <= 0) { -+ pr_err ("%s: lp_interval must be between 1 and %d\n", -+ bond->dev->name, INT_MAX); -+ ret = -EINVAL; -+ goto out; -+ } -+ -+ bond->params.lp_interval = new_value; -+out: -+ return ret; -+} -+ -+static DEVICE_ATTR(lp_interval, S_IRUGO | S_IWUSR, -+ bonding_show_lp_interval, bonding_store_lp_interval); -+ - static struct attribute *per_bond_attrs[] = { - &dev_attr_slaves.attr, - &dev_attr_mode.attr, -@@ -1729,6 +1767,7 @@ static struct attribute *per_bond_attrs[] = { - &dev_attr_all_slaves_active.attr, - &dev_attr_resend_igmp.attr, - &dev_attr_min_links.attr, -+ &dev_attr_lp_interval.attr, - NULL, - }; - -diff --git a/drivers/net/bonding/bonding.h b/drivers/net/bonding/bonding.h -index 7ad8bd5..03cf3fd 100644 ---- a/drivers/net/bonding/bonding.h -+++ b/drivers/net/bonding/bonding.h -@@ -176,6 +176,7 @@ struct bond_params { - int tx_queues; - int all_slaves_active; - int resend_igmp; -+ int lp_interval; - }; - - struct bond_parm_tbl { diff --git a/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch b/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch deleted file mode 100644 index 51ce50f87..000000000 --- a/cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch +++ /dev/null @@ -1,39 +0,0 @@ -From dde2356c8466298bd77fa699e0ea296372eed47b Mon Sep 17 00:00:00 2001 -From: Sachin Prabhu -Date: Fri, 27 Sep 2013 17:35:42 +0000 -Subject: cifs: Allow LANMAN auth method for servers supporting unencapsulated authentication methods - -This allows users to use LANMAN authentication on servers which support -unencapsulated authentication. - -The patch fixes a regression where users using plaintext authentication -were no longer able to do so because of changed bought in by patch -3f618223dc0bdcbc8d510350e78ee2195ff93768 - -https://bugzilla.redhat.com/show_bug.cgi?id=1011621 - -Reported-by: Panos Kavalagios -Reviewed-by: Jeff Layton -Signed-off-by: Sachin Prabhu -Signed-off-by: Steve French ---- -(limited to 'fs/cifs') - -diff --git a/fs/cifs/sess.c b/fs/cifs/sess.c -index 352358d..e87387d 100644 ---- a/fs/cifs/sess.c -+++ b/fs/cifs/sess.c -@@ -500,9 +500,9 @@ select_sectype(struct TCP_Server_Info *server, enum securityEnum requested) - return NTLMv2; - if (global_secflags & CIFSSEC_MAY_NTLM) - return NTLM; -- /* Fallthrough */ - default: -- return Unspecified; -+ /* Fallthrough to attempt LANMAN authentication next */ -+ break; - } - case CIFS_NEGFLAVOR_LANMAN: - switch (requested) { --- -cgit v0.9.2 diff --git a/config-arm-generic b/config-arm-generic index 5000b5b5a..a0cf6e6f8 100644 --- a/config-arm-generic +++ b/config-arm-generic @@ -1,6 +1,5 @@ CONFIG_KUSER_HELPERS=y # CONFIG_ASYMMETRIC_KEY_TYPE is not set -# CONFIG_COMMON_CLK_DEBUG is not set CONFIG_COMMON_CLK=y CONFIG_EARLY_PRINTK=y CONFIG_FB_SSD1307=m @@ -8,7 +7,13 @@ CONFIG_HW_PERF_EVENTS=y CONFIG_MMC=y CONFIG_NFS_FS=y # CONFIG_PID_IN_CONTEXTIDR is not set + CONFIG_PWM=y +CONFIG_PWM_SYSFS=y + +CONFIG_RESET_CONTROLLER=y +CONFIG_RESET_GPIO=y + CONFIG_RCU_FANOUT_LEAF=16 # CONFIG_RTC_DRV_SNVS is not set CONFIG_BACKLIGHT_PWM=m @@ -18,6 +23,7 @@ CONFIG_ARM_ARCH_TIMER=y # CONFIG_ARM_DT_BL_CPUFREQ is not set CONFIG_NR_CPUS=8 CONFIG_ARM_DMA_USE_IOMMU=y +CONFIG_DMA_VIRTUAL_CHANNELS=y # ARM AMBA generic HW CONFIG_ARM_AMBA=y @@ -27,6 +33,7 @@ CONFIG_SERIAL_AMBA_PL011_CONSOLE=y CONFIG_SERIAL_AMBA_PL011=y CONFIG_SERIO_AMBAKMI=y CONFIG_OC_ETM=y +CONFIG_FB_ARMCLCD=y # ARM VExpress CONFIG_ARCH_VEXPRESS=y @@ -44,6 +51,7 @@ CONFIG_PROC_DEVICETREE=y CONFIG_OF=y CONFIG_OF_ADDRESS=y CONFIG_OF_DEVICE=y +CONFIG_OF_DYNAMIC=y CONFIG_OF_EARLY_FLATTREE=y CONFIG_OF_FLATTREE=y CONFIG_OF_GPIO=y @@ -57,6 +65,12 @@ CONFIG_OF_PCI=m # CONFIG_OF_SELFTEST is not set CONFIG_SERIAL_OF_PLATFORM=y +# External Connectors +CONFIG_EXTCON=m +CONFIG_OF_EXTCON=m +CONFIG_EXTCON_GPIO=m +CONFIG_EXTCON_ADC_JACK=m + # MTD CONFIG_MTD_BLKDEVS=m CONFIG_MTD_BLOCK=m @@ -70,15 +84,29 @@ CONFIG_MTD_OF_PARTS=m CONFIG_MTD_PHYSMAP=m CONFIG_MTD_PHYSMAP_OF=m # CONFIG_MTD_PHYSMAP_COMPAT is not set -CONFIG_OF_MTD=y # GPIO -CONFIG_GENERIC_GPIO=y +CONFIG_GPIO_DEVRES=y +CONFIG_GPIO_GENERIC=m CONFIG_GPIOLIB=y CONFIG_ARCH_WANT_OPTIONAL_GPIOLIB=y +CONFIG_ARCH_REQUIRE_GPIOLIB=y CONFIG_MDIO_GPIO=m CONFIG_POWER_RESET_GPIO=y -CONFIG_RFKILL_GPIO=m +CONFIG_POWER_RESET_RESTART=y + +#i2c +CONFIG_I2C_BOARDINFO=y +CONFIG_I2C_GPIO=m +CONFIG_I2C_MUX=m +# CONFIG_I2C_ARB_GPIO_CHALLENGE is not set +CONFIG_I2C_MUX_GPIO=m +CONFIG_I2C_MUX_PINCTRL=m +CONFIG_I2C_MUX_PCA9541=m + +# Sensors +CONFIG_SENSORS_IIO_HWMON=m +CONFIG_IIO_SYSFS_TRIGGER=m # MFD CONFIG_MFD_CORE=m @@ -96,8 +124,30 @@ CONFIG_SMC911X=m # CONFIG_I2C_NOMADIK is not set # CONFIG_IRQ_DOMAIN_DEBUG is not set # CONFIG_LEDS_RENESAS_TPU is not set -# CONFIG_MMC_SDHCI_PXAV2 is not set -# CONFIG_MMC_SDHCI_PXAV3 is not set -# CONFIG_COMMON_CLK_SI5351 is not set # CONFIG_LOCK_STAT is not set -# CONFIG_PCIEPORTBUS is not set + +### turn off things which make no sense on embedded SoC + +# core + +# CONFIG_INFINIBAND is not set +# CONFIG_ISDN is not set + +# netdrv + +# CONFIG_NET_VENDOR_DEC is not set +# CONFIG_NET_VENDOR_CHELSIO is not set +# CONFIG_NET_VENDOR_EXAR is not set +# CONFIG_NET_VENDOR_INTEL is not set +# CONFIG_NET_VENDOR_MELLANOX is not set + +# scsi + +# CONFIG_BLK_DEV_3W_XXXX_RAID is not set +# CONFIG_SCSI_3W_SAS is not set +# CONFIG_SCSI_PM8001 is not set +# CONFIG_SCSI_IPS is not set +# CONFIG_SCSI_CXGB3_ISCSI is not set +# CONFIG_SCSI_CXGB4_ISCSI is not set + +CONFIG_CRASH=m diff --git a/config-armv7 b/config-armv7 index 5fb4e9380..5df800c14 100644 --- a/config-armv7 +++ b/config-armv7 @@ -10,29 +10,15 @@ CONFIG_ARCH_ROCKCHIP=y CONFIG_ARCH_SOCFPGA=y CONFIG_ARCH_SUNXI=y CONFIG_ARCH_TEGRA=y -# CONFIG_ARCH_U8500 is not set +CONFIG_ARCH_U8500=y # CONFIG_ARCH_VIRT is not set CONFIG_ARCH_ZYNQ=y # These are supported in the LPAE kernel # CONFIG_ARM_LPAE is not set # CONFIG_XEN is not set -# CONFIG_VIRTIO_CONSOLE is not set # CONFIG_ARM_VIRT_EXT is not set -# Generic -CONFIG_REMOTEPROC=m - -# FIXME should be generic (I think it's enabled by default) -CONFIG_FB=y -CONFIG_FB_ARMCLCD=m -CONFIG_FB_CFB_COPYAREA=m -CONFIG_FB_CFB_FILLRECT=m -CONFIG_FB_CFB_IMAGEBLIT=m -CONFIG_TOUCHSCREEN_ADS7846=m - -CONFIG_OC_ETM=y - # mvebu CONFIG_MACH_ARMADA_370_XP=y CONFIG_MACH_ARMADA_370=y @@ -69,12 +55,11 @@ CONFIG_ARCH_OMAP2PLUS_TYPICAL=y CONFIG_ARCH_OMAP3=y CONFIG_ARCH_OMAP4=y CONFIG_SOC_OMAP5=y +# CONFIG_SOC_DRA7XX is not set # CONFIG_SOC_OMAP2420 is not set # CONFIG_SOC_OMAP2430 is not set CONFIG_SOC_OMAP3430=y CONFIG_SOC_TI81XX=y -CONFIG_SOC_AM33XX=y -CONFIG_SOC_AM43XX=y CONFIG_MACH_OMAP_GENERIC=y CONFIG_MACH_OMAP3_BEAGLE=y CONFIG_MACH_DEVKIT8000=y @@ -82,8 +67,8 @@ CONFIG_MACH_OMAP_LDP=y CONFIG_MACH_OMAP3530_LV_SOM=y CONFIG_MACH_OMAP3_TORPEDO=y CONFIG_MACH_OVERO=y -CONFIG_MACH_OMAP3EVM=y -CONFIG_MACH_OMAP3517EVM=y +# CONFIG_MACH_OMAP3EVM is not set +# CONFIG_MACH_OMAP3517EVM is not set CONFIG_MACH_CRANEBOARD=y CONFIG_MACH_OMAP3_PANDORA=y CONFIG_MACH_TOUCHBOOK=y @@ -98,8 +83,8 @@ CONFIG_MACH_CM_T3517=y CONFIG_MACH_IGEP0030=y CONFIG_MACH_SBC3530=y CONFIG_MACH_OMAP_3630SDP=y -CONFIG_MACH_TI8168EVM=y -CONFIG_MACH_TI8148EVM=y +# CONFIG_MACH_TI8168EVM is not set +# CONFIG_MACH_TI8148EVM is not set CONFIG_SOC_HAS_REALTIME_COUNTER=y CONFIG_OMAP_RESET_CLOCKS=y @@ -124,21 +109,6 @@ CONFIG_OMAP3_EMU=y CONFIG_OMAP_WATCHDOG=m CONFIG_TWL4030_WATCHDOG=m -CONFIG_TI_ST=m -CONFIG_TI_EDMA=y -CONFIG_TI_SOC_THERMAL=m -CONFIG_TI_DAC7512=m -CONFIG_TI_DAVINCI_EMAC=m -CONFIG_TI_DAVINCI_MDIO=m -CONFIG_TI_DAVINCI_CPDMA=m -CONFIG_TI_CPSW=m -CONFIG_TI_CPTS=y -CONFIG_TI_EMIF=m -CONFIG_MFD_TPS65217=m -CONFIG_REGULATOR_TI_ABB=y -CONFIG_REGULATOR_TPS65217=m -CONFIG_BACKLIGHT_TPS65217=m - CONFIG_SERIAL_OMAP=y CONFIG_SERIAL_OMAP_CONSOLE=y @@ -151,31 +121,26 @@ CONFIG_TWL4030_CORE=y CONFIG_TWL4030_MADC=m CONFIG_TWL4030_POWER=y CONFIG_TWL4030_WATCHDOG=m +CONFIG_BATTERY_TWL4030_MADC=m +CONFIG_OMAP_USB2=m +CONFIG_OMAP_USB3=m CONFIG_TWL4030_USB=m CONFIG_TWL6030_USB=m CONFIG_TWL6030_PWM=m CONFIG_TWL6040_CORE=y CONFIG_CLK_TWL6040=m CONFIG_OMAP_INTERCONNECT=m -# CONFIG_MFD_TPS80031 is not set -CONFIG_MFD_TI_AM335X_TSCADC=m CONFIG_MFD_OMAP_USB_HOST=y CONFIG_MTD_ONENAND_OMAP2=m CONFIG_HDQ_MASTER_OMAP=m CONFIG_REGULATOR_TWL4030=y CONFIG_BACKLIGHT_PANDORA=m CONFIG_OMAP_OCP2SCP=m -CONFIG_OMAP_USB2=m -CONFIG_OMAP_USB3=m CONFIG_USB_EHCI_HCD_OMAP=m CONFIG_USB_OHCI_HCD_PLATFORM=m CONFIG_USB_OHCI_HCD_OMAP3=y CONFIG_USB_MUSB_AM35X=m CONFIG_USB_MUSB_OMAP2PLUS=m -CONFIG_USB_MUSB_HDRC=m -CONFIG_USB_GADGET_MUSB_HDRC=m -# CONFIG_MUSB_PIO_ONLY is not set -# CONFIG_USB_MUSB_DEBUG is not set CONFIG_OMAP_CONTROL_USB=m CONFIG_MMC_OMAP=y CONFIG_MMC_OMAP_HS=y @@ -184,23 +149,29 @@ CONFIG_RTC_DRV_MAX8907=m CONFIG_RTC_DRV_TWL4030=y CONFIG_RTC_DRV_OMAP=y CONFIG_SENSORS_TWL4030_MADC=m +CONFIG_TWL6030_GPADC=m + +# OMAP5 (possibly other devices too) +CONFIG_MFD_PALMAS=y +CONFIG_PINCTRL_PALMAS=y +CONFIG_EXTCON_PALMAS=m +CONFIG_RTC_DRV_PALMAS=m +CONFIG_REGULATOR_PALMAS=m +CONFIG_GPIO_PALMAS=y CONFIG_WL_TI=y CONFIG_WLCORE_SDIO=m CONFIG_WLCORE_SPI=m -CONFIG_WL1251_SPI=m -CONFIG_WL12XX_SPI=m -CONFIG_WL12XX_SDIO_TEST=m CONFIG_WL18XX=m CONFIG_WILINK_PLATFORM_DATA=y CONFIG_MFD_WL1273_CORE=m CONFIG_NFC_WILINK=m CONFIG_MTD_NAND_OMAP2=m -CONFIG_SPI_DAVINCI=m CONFIG_SPI_OMAP24XX=m CONFIG_MFD_TI_SSP=m CONFIG_SPI_TI_SSP=m +CONFIG_SPI_TI_QSPI=m CONFIG_INPUT_TWL4030_PWRBUTTON=m CONFIG_INPUT_TWL4030_VIBRA=m @@ -211,6 +182,8 @@ CONFIG_TOUCHSCREEN_TI_TSCADC=m # OMAP thermal temp. Can likely be built as module but doesn't autoload so build in to ensure performance on PandaES CONFIG_OMAP_BANDGAP=y +CONFIG_TI_SOC_THERMAL=m +CONFIG_TI_THERMAL=y CONFIG_OMAP4_THERMAL=y CONFIG_OMAP5_THERMAL=y @@ -230,7 +203,6 @@ CONFIG_CRYPTO_DEV_OMAP_SHAM=m CONFIG_CRYPTO_DEV_OMAP_AES=m CONFIG_HW_RANDOM_OMAP=m -CONFIG_DRM_TILCDC=m CONFIG_DRM_OMAP=m CONFIG_DRM_OMAP_NUM_CRTCS=2 CONFIG_OMAP2_VRFB=y @@ -253,17 +225,6 @@ CONFIG_OMAP2_DSS_MIN_FCK_PER_PCK=0 CONFIG_OMAP2_DSS_SLEEP_BEFORE_RESET=y CONFIG_OMAP2_DSS_SLEEP_AFTER_VENC_RESET=y -CONFIG_PANEL_GENERIC_DPI=m -CONFIG_PANEL_TFP410=m -CONFIG_PANEL_SHARP_LS037V7DW01=m -CONFIG_PANEL_PICODLP=m -CONFIG_PANEL_TAAL=m -CONFIG_PANEL_NEC_NL8048HL11_01B=m -CONFIG_PANEL_TPO_TD043MTEA1=m -CONFIG_PANEL_LGPHILIPS_LB035Q02=m -CONFIG_PANEL_ACX565AKM=m -# CONFIG_PANEL_N8X0 is not set - CONFIG_DISPLAY_ENCODER_TFP410=m CONFIG_DISPLAY_ENCODER_TPD12S015=m CONFIG_DISPLAY_CONNECTOR_DVI=m @@ -294,15 +255,11 @@ CONFIG_V4L_PLATFORM_DRIVERS=y CONFIG_V4L_TEST_DRIVERS=y CONFIG_VIDEO_VIVI=m -CONFIG_SND_OMAP_SOC_OMAP_ABE_TWL6040=m -CONFIG_SND_OMAP_SOC_OMAP_HDMI=m -CONFIG_SND_OMAP_SOC_OMAP_TWL4030=m -CONFIG_SND_OMAP_SOC_OMAP3_PANDORA=m - CONFIG_SND_OMAP_SOC=m CONFIG_SND_SOC_I2C_AND_SPI=m CONFIG_SND_OMAP_SOC_AM3517EVM=m CONFIG_SND_OMAP_SOC_DMIC=m +CONFIG_SND_OMAP_SOC_HDMI=m CONFIG_SND_OMAP_SOC_IGEP0020=m CONFIG_SND_OMAP_SOC_MCBSP=m CONFIG_SND_OMAP_SOC_MCPDM=m @@ -339,31 +296,65 @@ CONFIG_OMAP_REMOTEPROC=m # CONFIG_OMAP_MUX_DEBUG is not set # CONFIG_VIDEO_OMAP3_DEBUG is not set +# AM33xx +CONFIG_SOC_AM33XX=y +CONFIG_SOC_AM43XX=y +CONFIG_AM335X_CONTROL_USB=m +CONFIG_AM335X_PHY_USB=m +CONFIG_USB_MUSB_AM335X_CHILD=y +CONFIG_MFD_TI_AM335X_TSCADC=m +CONFIG_TI_ST=m +CONFIG_TI_DAC7512=m +CONFIG_TI_DAVINCI_EMAC=m +CONFIG_TI_DAVINCI_MDIO=m +CONFIG_TI_DAVINCI_CPDMA=m +CONFIG_TI_CPSW=m +CONFIG_TI_CPTS=y +CONFIG_TI_EMIF=m +CONFIG_DRM_TILCDC=m +CONFIG_SPI_DAVINCI=m +CONFIG_REGULATOR_TI_ABB=m +CONFIG_TI_PRIV_EDMA=y +CONFIG_TI_EDMA=y +# Terribly unstable so disable for now +# CONFIG_USB_TI_CPPI41_DMA is not set +# CONFIG_TI_CPPI41 is not set +CONFIG_MFD_TI_AM335X_TSCADC=m +CONFIG_CHARGER_BQ24190=m +CONFIG_TI_ADC081C=m +CONFIG_TI_AM335X_ADC=m +CONFIG_PWM_TIPWMSS=y + # Allwinner a1x CONFIG_PINCTRL_SUNXI=y +CONFIG_SUNXI_WATCHDOG=m CONFIG_MDIO_SUN4I=m CONFIG_NET_VENDOR_ALLWINNER=y CONFIG_SUN4I_EMAC=m -# imx +# i.MX CONFIG_MXC_IRQ_PRIOR=y # CONFIG_MXC_DEBUG_BOARD is not set -CONFIG_MACH_IMX51_DT=y -# CONFIG_MACH_MX51_BABBAGE is not set -# CONFIG_MACH_EUKREA_CPUIMX51SD is not set CONFIG_SOC_IMX53=y CONFIG_SOC_IMX6Q=y CONFIG_SOC_IMX6SL=y +CONFIG_MACH_IMX51_DT=y +# CONFIG_MACH_MX51_BABBAGE is not set +# CONFIG_MACH_EUKREA_CPUIMX51SD is not set +CONFIG_ARM_IMX6Q_CPUFREQ=m +CONFIG_IMX_THERMAL=m CONFIG_PATA_IMX=m CONFIG_USB_CHIPIDEA=m CONFIG_USB_CHIPIDEA_UDC=y CONFIG_USB_CHIPIDEA_HOST=y # CONFIG_USB_CHIPIDEA_DEBUG is not set +CONFIG_USB_FSL_USB2=m CONFIG_NET_VENDOR_FREESCALE=y CONFIG_FEC=m CONFIG_KEYBOARD_IMX=m CONFIG_SERIAL_IMX=y CONFIG_SERIAL_IMX_CONSOLE=y +CONFIG_PINCTRL_IMX6SL=y CONFIG_I2C_IMX=m CONFIG_SPI_IMX=m CONFIG_MFD_MC13783=m @@ -371,8 +362,11 @@ CONFIG_MFD_MC13XXX_SPI=m CONFIG_W1_MASTER_MXC=m CONFIG_IMX_WEIM=y CONFIG_IMX2_WDT=m +CONFIG_HW_RANDOM_MXC_RNGA=m CONFIG_CRYPTO_DEV_SAHARA=m +CONFIG_RTC_DRV_SNVS=m # CONFIG_FB_MX3 is not set + CONFIG_SND_IMX_SOC=m CONFIG_SND_SOC_FSL_SSI=m CONFIG_SND_SOC_FSL_UTILS=m @@ -383,9 +377,12 @@ CONFIG_SND_SOC_IMX_PCM_DMA=m CONFIG_SND_SOC_IMX_SGTL5000=m CONFIG_SND_SOC_IMX_WM8962=m CONFIG_SND_SOC_IMX_MC13783=m +CONFIG_SND_SOC_IMX_SPDIF=m + CONFIG_USB_EHCI_MXC=m CONFIG_USB_IMX21_HCD=m CONFIG_USB_MXS_PHY=m +CONFIG_MMC_DW_SOCFPGA=m CONFIG_MMC_SDHCI_ESDHC_IMX=m CONFIG_MMC_MXC=m CONFIG_SPI_MXS=m @@ -397,29 +394,51 @@ CONFIG_IMX_SDMA=m CONFIG_IMX_DMA=m CONFIG_AHCI_IMX=m # CONFIG_MXS_DMA is not set + CONFIG_PWM_IMX=m CONFIG_BACKLIGHT_PWM=m CONFIG_DRM_IMX=m CONFIG_DRM_IMX_FB_HELPER=m +CONFIG_DRM_IMX_HDMI=m CONFIG_DRM_IMX_IPUV3_CORE=m CONFIG_DRM_IMX_IPUV3=m # CONFIG_DRM_IMX_LDB is not set CONFIG_DRM_IMX_PARALLEL_DISPLAY=m CONFIG_DRM_IMX_TVE=m CONFIG_VIDEO_CODA=m + +CONFIG_MFD_SYSCON=y CONFIG_SENSORS_MC13783_ADC=m +CONFIG_REGULATOR_ANATOP=m CONFIG_REGULATOR_MC13783=m CONFIG_REGULATOR_MC13892=m CONFIG_LEDS_MC13783=m CONFIG_RTC_DRV_MC13XXX=m +CONFIG_CAN_FLEXCAN=m CONFIG_INPUT_PWM_BEEPER=m CONFIG_INPUT_88PM80X_ONKEY=m -# exynos -# CONFIG_DRM_EXYNOS is not set -# CONFIG_PINCTRL_EXYNOS5440 is not set -# CONFIG_PINCTRL_EXYNOS is not set +# i.MX6Q (and likely Samsung among others) +CONFIG_MFD_DA9052_I2C=y +CONFIG_MFD_DA9052_SPI=y +CONFIG_MFD_DA9055=y +CONFIG_TOUCHSCREEN_DA9052=m +CONFIG_INPUT_DA9052_ONKEY=m +CONFIG_INPUT_DA9055_ONKEY=m +CONFIG_GPIO_DA9052=m +CONFIG_GPIO_DA9055=m +CONFIG_BATTERY_DA9052=m +CONFIG_SENSORS_DA9052_ADC=m +CONFIG_SENSORS_DA9055=m +CONFIG_DA9052_WATCHDOG=m +CONFIG_DA9055_WATCHDOG=m +CONFIG_BACKLIGHT_DA9052=m +CONFIG_LEDS_DA9052=m +CONFIG_RTC_DRV_DA9052=m +CONFIG_RTC_DRV_DA9055=m +CONFIG_REGULATOR_DA9052=m +CONFIG_REGULATOR_DA9055=m # picoxcell CONFIG_CRYPTO_DEV_PICOXCELL=m @@ -431,6 +450,7 @@ CONFIG_MACH_SNOWBALL=y CONFIG_MACH_UX500_DT=y CONFIG_ABX500_CORE=y +CONFIG_ARM_U8500_CPUIDLE=y CONFIG_UX500_DEBUG_UART=2 CONFIG_AB8500_CORE=y CONFIG_STE_DMA40=y @@ -464,6 +484,19 @@ CONFIG_CW1200=m CONFIG_CW1200_WLAN_SDIO=m CONFIG_CW1200_WLAN_SPI=m CONFIG_UX500_WATCHDOG=m +CONFIG_IIO_ST_ACCEL_3AXIS=m +CONFIG_IIO_ST_GYRO_3AXIS=m +CONFIG_IIO_ST_GYRO_I2C_3AXIS=m +CONFIG_IIO_ST_GYRO_SPI_3AXIS=m +CONFIG_IIO_ST_MAGN_3AXIS=m +CONFIG_IIO_ST_MAGN_I2C_3AXIS=m +CONFIG_IIO_ST_MAGN_SPI_3AXIS=m +CONFIG_IIO_ST_PRESS=m +CONFIG_IIO_ST_PRESS_I2C=m +CONFIG_IIO_ST_PRESS_SPI=m +CONFIG_IIO_ST_SENSORS_I2C=m +CONFIG_IIO_ST_SENSORS_SPI=m +CONFIG_IIO_ST_SENSORS_CORE=m # tegra CONFIG_ARCH_TEGRA_2x_SOC=y @@ -475,7 +508,7 @@ CONFIG_TEGRA30_MC=y CONFIG_SERIAL_TEGRA=y -CONFIG_TEGRA_PCI=y +CONFIG_PCI_TEGRA=y CONFIG_TEGRA_IOMMU_GART=y CONFIG_TEGRA_IOMMU_SMMU=y CONFIG_MMC_SDHCI_TEGRA=m @@ -490,6 +523,7 @@ CONFIG_TEGRA20_APB_DMA=y CONFIG_SPI_TEGRA20_SFLASH=m CONFIG_SPI_TEGRA20_SLINK=m +CONFIG_MFD_MAX8907=m CONFIG_KEYBOARD_TEGRA=m CONFIG_PINCTRL_TEGRA=y CONFIG_PINCTRL_TEGRA20=y @@ -519,7 +553,6 @@ CONFIG_NVEC_LEDS=y CONFIG_NVEC_PAZ00=y CONFIG_MFD_TPS6586X=y CONFIG_GPIO_TPS6586X=y -CONFIG_REGULATOR_TPS6586X=m CONFIG_RTC_DRV_TPS6586X=m CONFIG_PWM_TEGRA=m @@ -534,16 +567,19 @@ CONFIG_DRM_TEGRA=y CONFIG_CRYPTO_DEV_TEGRA_AES=m CONFIG_LEDS_RENESAS_TPU=y +CONFIG_GPIO_PCA953X=m # OLPC XO CONFIG_SERIO_OLPC_APSP=m # Zynq-7xxx # likely needs usb/mmc still +CONFIG_SERIAL_UARTLITE=y +CONFIG_SERIAL_UARTLITE_CONSOLE=y CONFIG_SERIAL_XILINX_PS_UART=y CONFIG_SERIAL_XILINX_PS_UART_CONSOLE=y CONFIG_COMMON_CLK_AXI_CLKGEN=m -CONFIG_CPU_IDLE_ZYNQ=y +CONFIG_ARM_ZYNQ_CPUIDLE=y CONFIG_LATTICE_ECP3_CONFIG=m CONFIG_NET_VENDOR_XILINX=y CONFIG_XILINX_EMACLITE=m @@ -551,73 +587,32 @@ CONFIG_GPIO_XILINX=y CONFIG_I2C_XILINX=m CONFIG_SPI_XILINX=m -# MMC/SD -CONFIG_MMC_TMIO=m -CONFIG_MMC_SDHCI_PXAV3=m -CONFIG_MMC_SDHCI_PXAV2=m - # Multi function devices CONFIG_MFD_88PM800=m CONFIG_MFD_88PM805=m CONFIG_MFD_T7L66XB=y CONFIG_MFD_TC6387XB=y +# Generic drivers +CONFIG_REMOTEPROC=m + # Regulator drivers CONFIG_REGULATOR_FAN53555=m -# CONFIG_CHARGER_MANAGER is not set -# CONFIG_REGULATOR_DUMMY is not set -# CONFIG_REGULATOR_VIRTUAL_CONSUMER is not set -# CONFIG_REGULATOR_USERSPACE_CONSUMER is not set +# CONFIG_REGULATOR_88PM800 is not set CONFIG_REGULATOR_AD5398=m CONFIG_REGULATOR_ISL6271A=m +CONFIG_REGULATOR_LP3971=m +CONFIG_REGULATOR_LP3972=m +CONFIG_REGULATOR_LP872X=y +CONFIG_REGULATOR_LP8755=m CONFIG_REGULATOR_MAX1586=m CONFIG_REGULATOR_MAX8649=m CONFIG_REGULATOR_MAX8660=m +CONFIG_REGULATOR_MAX8907=m CONFIG_REGULATOR_MAX8952=m CONFIG_REGULATOR_MAX8973=m -CONFIG_REGULATOR_LP3971=m -CONFIG_REGULATOR_LP3972=m -CONFIG_REGULATOR_TPS51632=m -CONFIG_REGULATOR_TPS62360=m -CONFIG_REGULATOR_TPS65023=m -CONFIG_REGULATOR_TPS6524X=m -CONFIG_REGULATOR_TPS6507X=m -CONFIG_REGULATOR_TPS65912=m -CONFIG_REGULATOR_MAX8907=m -CONFIG_REGULATOR_LP872X=y -CONFIG_REGULATOR_LP8755=m - -# usb gadget -CONFIG_USB_GADGET=m -CONFIG_USB_GADGET_VBUS_DRAW=100 -CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 -# CONFIG_USB_FSL_USB2 is not set -# CONFIG_USB_FUSB300 is not set -# CONFIG_USB_RENESAS_USBHS is not set -# CONFIG_USB_GADGET_DEBUG is not set -# CONFIG_USB_GADGET_DEBUG_FILES is not set -# CONFIG_USB_GADGET_DEBUG_FS is not set -# CONFIG_USB_GADGET_VBUS_DRAW is not set -# CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS is not set -# CONFIG_USB_FOTG210_UDC is not set -# CONFIG_USB_R8A66597 is not set -# CONFIG_USB_PXA27X is not set -# CONFIG_USB_MV_UDC is not set -# CONFIG_USB_MV_U3D is not set -# CONFIG_USB_M66592 is not set -# CONFIG_USB_AMD5536UDC is not set -# CONFIG_USB_NET2272 is not set -# CONFIG_USB_NET2280 is not set -# CONFIG_USB_GOKU is not set -# CONFIG_USB_EG20T is not set -# CONFIG_USB_DUMMY_HCD is not set -# CONFIG_USB_ZERO_HNPTEST is not set -# CONFIG_USB_ETH_RNDIS is not set -# CONFIG_USB_ETH_EEM is not set # Needs work/investigation - -# CONFIG_ARM_CHARLCD is not set # CONFIG_MTD_AFS_PARTS is not set # CONFIG_IP_PNP_RARP is not set # CONFIG_PID_IN_CONTEXTIDR is not set @@ -627,33 +622,22 @@ CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 # Defined config options we don't use yet # CONFIG_PINCTRL_IMX35 is not set -# CONFIG_REGULATOR_ANATOP is not set # CONFIG_BATTERY_RX51 is not set # CONFIG_IR_RX51 is not set # CONFIG_GENERIC_CPUFREQ_CPU0 is not set # CONFIG_MFD_SMSC is not set # CONFIG_MFD_SEC_CORE is not set -# CONFIG_MFD_DA9055 is not set # CONFIG_MFD_LP8788 is not set -# CONFIG_MFD_MAX8907 is not set -# CONFIG_MFD_TPS65912_I2C is not set -# CONFIG_MFD_DA9052_I2C is not set # CONFIG_MFD_MAX77686 is not set # CONFIG_MFD_MAX77693 is not set # CONFIG_MFD_MAX8997 is not set -# CONFIG_MFD_TPS65090 is not set # CONFIG_MFD_AAT2870_CORE is not set # CONFIG_MFD_RC5T583 is not set -# CONFIG_MFD_PALMAS is not set -# CONFIG_MFD_DA9055 is not set # CONFIG_MFD_SMSC is not set -# CONFIG_MFD_TPS65910 is not set # CONFIG_MFD_AS3711 is not set # CONFIG_PMIC_DA903X is not set # CONFIG_PMIC_ADP5520 is not set -# CONFIG_REGULATOR_LP3972 is not set -# CONFIG_REGULATOR_LP872X is not set # CONFIG_DVB_USB_PCTV452E is not set # We need to fix these as they should be either generic includes or kconfig fixes @@ -663,9 +647,7 @@ CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 # CONFIG_TOUCHSCREEN_AUO_PIXCIR is not set # CONFIG_VIRTUALIZATION is not set -# CONFIG_CHARGER_MANAGER is not set # CONFIG_POWER_RESET_QNAP is not set -# CONFIG_POWER_RESET_RESTART is not set # CONFIG_OMAP2_DSS_DEBUG is not set # CONFIG_DRM_TEGRA_DEBUG is not set # CONFIG_CRYPTO_DEV_UX500_DEBUG is not set @@ -673,6 +655,4 @@ CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 # CONFIG_SOC_VF610 is not set # CONFIG_ARM_CCI is not set -# CONFIG_GPIO_XILINX is not set -# CONFIG_SERIAL_UARTLITE is not set - +# CONFIG_MMC_TMIO is not set diff --git a/config-armv7-generic b/config-armv7-generic index 663f86b82..7800af27f 100644 --- a/config-armv7-generic +++ b/config-armv7-generic @@ -14,6 +14,7 @@ CONFIG_AEABI=y CONFIG_VFP=y CONFIG_VFPv3=y CONFIG_NEON=y +CONFIG_KERNEL_MODE_NEON=y CONFIG_ARM_UNWIND=y CONFIG_ARM_THUMB=y @@ -56,14 +57,15 @@ CONFIG_ARCH_VEXPRESS_CORTEX_A5_A9_ERRATA=y # CONFIG_ARCH_SIRF is not set # CONFIG_ARCH_U8500 is not set # CONFIG_ARCH_WM8850 is not set +# CONFIG_ARCH_SHMOBILE_MULTI is not set # highbank # 2013/04/19 - stability issues -# CONFIG_CPU_IDLE_CALXEDA is not set CONFIG_EDAC_HIGHBANK_MC=m CONFIG_EDAC_HIGHBANK_L2=m CONFIG_SATA_HIGHBANK=m CONFIG_ARM_HIGHBANK_CPUFREQ=m +CONFIG_ARM_HIGHBANK_CPUIDLE=y # errata # v5/v6 @@ -93,6 +95,7 @@ CONFIG_PL310_ERRATA_769419=y CONFIG_PJ4B_ERRATA_4742=y # Cortex-A15 # CONFIG_ARM_ERRATA_798181 is not set +# CONFIG_ARM_ERRATA_773022 is not set # generic that deviates from or should be merged into config-generic CONFIG_SMP_ON_UP=y @@ -104,11 +107,10 @@ CONFIG_SCHED_SMT=y CONFIG_RCU_FANOUT=32 -# 2013/04/19 - disable due to stability issues in 3.9 for the moment -# CONFIG_CPU_IDLE is not set -## CONFIG_CPU_IDLE_GOV_LADDER is not set -# CONFIG_CPU_IDLE_GOV_MENU is not set -# CONFIG_CPU_IDLE_MULTIPLE_DRIVERS is not set +CONFIG_CPU_IDLE=y +# CONFIG_CPU_IDLE_GOV_LADDER is not set +CONFIG_CPU_IDLE_GOV_MENU=y +CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=y # CONFIG_ARM_BIG_LITTLE_CPUFREQ is not set @@ -136,7 +138,6 @@ CONFIG_LBDAF=y CONFIG_USE_OF=y CONFIG_ARM_ATAG_DTB_COMPAT=y CONFIG_ARM_APPENDED_DTB=y -CONFIG_I2C_MUX_PINCTRL=m # General vexpress ARM drivers CONFIG_ARM_TIMER_SP804=y @@ -154,7 +155,7 @@ CONFIG_PL330_DMA=m CONFIG_AMBA_PL08X=y CONFIG_ARM_SP805_WATCHDOG=m CONFIG_GPIO_PL061=y -CONFIG_FB_ARMCLCD=m +CONFIG_PL320_MBOX=y # usb CONFIG_USB_OTG=y @@ -166,8 +167,68 @@ CONFIG_AX88796_93CX6=y CONFIG_USB_ISP1760_HCD=m # CONFIG_USB_EHCI_HCD_ORION is not set +# usb gadget +CONFIG_USB_GADGET=m +CONFIG_USB_GADGET_MUSB_HDRC=m +CONFIG_USB_GADGET_VBUS_DRAW=100 +CONFIG_USB_GADGET_STORAGE_NUM_BUFFERS=2 +CONFIG_USB_MUSB_HDRC=m +CONFIG_USB_MUSB_DUAL_ROLE=y +CONFIG_USB_MUSB_DSPS=m +CONFIG_USB_GPIO_VBUS=m +CONFIG_USB_G_ACM_MS=m +CONFIG_USB_G_DBGP=m +CONFIG_USB_G_DBGP_PRINTK=y +CONFIG_USB_G_DBGP_SERIAL=y +CONFIG_USB_G_MULTI=m +CONFIG_USB_G_MULTI_CDC=y +# CONFIG_USB_G_MULTI_RNDIS is not set +CONFIG_USB_G_NCM=m +CONFIG_USB_G_SERIAL=m +CONFIG_USB_ETH_EEM=y +# CONFIG_USB_ETH_RNDIS is not set +CONFIG_USB_CDC_COMPOSITE=m +CONFIG_USB_GADGET_TARGET=m +CONFIG_USB_MASS_STORAGE=m +CONFIG_USB_CONFIGFS=m +CONFIG_USB_CONFIGFS_ACM=y +CONFIG_USB_CONFIGFS_ECM=y +CONFIG_USB_CONFIGFS_ECM_SUBSET=y +CONFIG_USB_CONFIGFS_EEM=y +CONFIG_USB_CONFIGFS_MASS_STORAGE=y +CONFIG_USB_CONFIGFS_NCM=y +CONFIG_USB_CONFIGFS_OBEX=y +# CONFIG_USB_CONFIGFS_RNDIS is not set +CONFIG_USB_CONFIGFS_SERIAL=y +CONFIG_USB_CONFIGFS_STORAGE=y + +# CONFIG_MUSB_PIO_ONLY is not set +# CONFIG_USB_MUSB_DEBUG is not set +# CONFIG_USB_GADGET_DEBUG is not set +# CONFIG_USB_GADGET_DEBUG_FILES is not set +# CONFIG_USB_GADGET_DEBUG_FS is not set +# CONFIG_USB_FUSB300 is not set +# CONFIG_USB_RENESAS_USBHS is not set +# CONFIG_USB_FOTG210_UDC is not set +# CONFIG_USB_R8A66597 is not set +# CONFIG_USB_PXA27X is not set +# CONFIG_USB_MV_UDC is not set +# CONFIG_USB_MV_U3D is not set +# CONFIG_USB_M66592 is not set +# CONFIG_USB_AMD5536UDC is not set +# CONFIG_USB_NET2272 is not set +# CONFIG_USB_NET2280 is not set +# CONFIG_USB_GOKU is not set +# CONFIG_USB_EG20T is not set +# CONFIG_USB_DUMMY_HCD is not set +# CONFIG_USB_ZERO_HNPTEST is not set + # Multifunction Devices -CONFIG_MFD_SYSCON=y +CONFIG_MFD_TPS65090=y +CONFIG_MFD_TPS65217=y +CONFIG_MFD_TPS65910=y +CONFIG_MFD_TPS65912=y +CONFIG_MFD_TPS65912_I2C=y CONFIG_MFD_TPS65912_SPI=y # CONFIG_MFD_DA9052_SPI is not set # CONFIG_MFD_ARIZONA_SPI is not set @@ -179,16 +240,15 @@ CONFIG_PINMUX=y CONFIG_PINCONF=y CONFIG_PINCTRL=y CONFIG_PINCTRL_SINGLE=y +CONFIG_GENERIC_PINCONF=y # CONFIG_PINCTRL_SAMSUNG is not set # CONFIG_PINCTRL_EXYNOS4 is not set # GPIO CONFIG_GPIO_GENERIC_PLATFORM=m -CONFIG_EXTCON_GPIO=m # CONFIG_GPIO_EM is not set CONFIG_GPIO_ADNP=m CONFIG_GPIO_MCP23S08=m -CONFIG_POWER_RESET_GPIO=y CONFIG_SERIAL_8250_EM=m CONFIG_INPUT_GPIO_TILT_POLLED=m CONFIG_MDIO_BUS_MUX_GPIO=m @@ -197,11 +257,13 @@ CONFIG_LEDS_GPIO=m CONFIG_GPIO_MAX7301=m CONFIG_GPIO_MC33880=m CONFIG_GPIO_74X164=m +CONFIG_GPIO_TPS65910=y CONFIG_GPIO_TPS65912=m # CONFIG_GPIO_RCAR is not set CONFIG_W1_MASTER_GPIO=m CONFIG_CHARGER_GPIO=m +# SPI CONFIG_SPI=y CONFIG_SPI_MASTER=y CONFIG_SPI_GPIO=m @@ -222,6 +284,10 @@ CONFIG_SPI_TLE62X0=m CONFIG_NFC_NCI_SPI=y +# i2c +CONFIG_I2C_DESIGNWARE_CORE=m +CONFIG_I2C_DESIGNWARE_PLATFORM=m + # HW crypto and rng CONFIG_CRYPTO_SHA1_ARM=m CONFIG_CRYPTO_AES_ARM=m @@ -236,9 +302,11 @@ CONFIG_MPCORE_WATCHDOG=m # Thermal / powersaving CONFIG_THERMAL=y -CONFIG_POWER_RESET_RESTART=y CONFIG_ARM_PSCI=y +# Mailbox +CONFIG_MAILBOX=y + # MTD # CONFIG_MG_DISK is not set CONFIG_MTD_DATAFLASH=m @@ -258,76 +326,104 @@ CONFIG_MMC_DW_PLTFM=m CONFIG_MMC_DW_PCI=m CONFIG_SPI_DW_MMIO=m CONFIG_SPI_DW_PCI=m -CONFIG_MMC_DW_SOCFPGA=m +# CONFIG_MMC_DW_SOCFPGA is not set # CONFIG_MMC_DW_EXYNOS is not set # CONFIG_MMC_DW_IDMAC is not set CONFIG_USB_DWC2=m +# CONFIG_USB_DWC2_DEBUG is not set +# CONFIG_USB_DWC2_TRACK_MISSED_SOFS is not set CONFIG_USB_DWC3=m +CONFIG_USB_DWC3_OMAP=m +CONFIG_USB_DWC3_EXYNOS=m +CONFIG_USB_DWC3_PCI=m # CONFIG_USB_DWC3_DEBUG is not set CONFIG_DW_WATCHDOG=m # Sound -CONFIG_SND_ARM=y -CONFIG_SND_ARMAACI=m CONFIG_SND_SOC=m CONFIG_SND_SPI=y +CONFIG_SND_ARM=y +CONFIG_SND_ARMAACI=m +CONFIG_SND_COMPRESS_OFFLOAD=m CONFIG_SND_DESIGNWARE_I2S=m +CONFIG_SND_DMAENGINE_PCM=m +CONFIG_SND_JACK=y CONFIG_SND_SIMPLE_CARD=m -CONFIG_SND_SOC_CACHE_LZO=y CONFIG_SND_SOC_ALL_CODECS=m -CONFIG_SND_SOC_DMAENGINE_PCM=y +CONFIG_SND_SOC_CACHE_LZO=y +CONFIG_SND_SOC_DMIC=m CONFIG_SND_SOC_GENERIC_DMAENGINE_PCM=y # CONFIG_SND_ATMEL_SOC is not set # Displays +CONFIG_BACKLIGHT_TPS65217=m # RTC -CONFIG_RTC_DRV_M41T93=m -CONFIG_RTC_DRV_M41T94=m CONFIG_RTC_DRV_DS1305=m CONFIG_RTC_DRV_DS1390=m +CONFIG_RTC_DRV_DS3234=m +CONFIG_RTC_DRV_M41T93=m +CONFIG_RTC_DRV_M41T94=m CONFIG_RTC_DRV_MAX6902=m +CONFIG_RTC_DRV_PCF2123=m CONFIG_RTC_DRV_R9701=m CONFIG_RTC_DRV_RS5C348=m -CONFIG_RTC_DRV_DS3234=m -CONFIG_RTC_DRV_PCF2123=m CONFIG_RTC_DRV_RX4581=m +CONFIG_RTC_DRV_TPS65910=m +CONFIG_RTC_DRV_TPS80031=m # Regulators CONFIG_REGULATOR=y CONFIG_RFKILL_REGULATOR=m -CONFIG_CHARGER_MANAGER=y # CONFIG_REGULATOR_DUMMY is not set CONFIG_REGULATOR_FIXED_VOLTAGE=m CONFIG_REGULATOR_VIRTUAL_CONSUMER=m CONFIG_REGULATOR_USERSPACE_CONSUMER=m CONFIG_REGULATOR_GPIO=m CONFIG_REGULATOR_AD5398=m +CONFIG_REGULATOR_DA9210=m CONFIG_REGULATOR_FAN53555=m -CONFIG_REGULATOR_ANATOP=m CONFIG_REGULATOR_ISL6271A=m +CONFIG_REGULATOR_LP3971=m +CONFIG_REGULATOR_LP3972=m +CONFIG_REGULATOR_LP872X=m +CONFIG_REGULATOR_LP8755=m CONFIG_REGULATOR_MAX1586=m CONFIG_REGULATOR_MAX8649=m CONFIG_REGULATOR_MAX8660=m CONFIG_REGULATOR_MAX8952=m CONFIG_REGULATOR_MAX8973=m -CONFIG_REGULATOR_LP3971=m -CONFIG_REGULATOR_LP3972=m -CONFIG_REGULATOR_LP8755=m +CONFIG_REGULATOR_PFUZE100=m CONFIG_REGULATOR_TPS51632=m CONFIG_REGULATOR_TPS62360=m CONFIG_REGULATOR_TPS65023=m CONFIG_REGULATOR_TPS6507X=m +CONFIG_REGULATOR_TPS65090=m +CONFIG_REGULATOR_TPS65217=m CONFIG_REGULATOR_TPS6524X=m +CONFIG_REGULATOR_TPS6586X=m +CONFIG_REGULATOR_TPS65910=m CONFIG_REGULATOR_TPS65912=m +CONFIG_REGULATOR_TPS80031=m +CONFIG_CHARGER_MANAGER=y +CONFIG_CHARGER_TPS65090=m +CONFIG_PDA_POWER=m +CONFIG_GENERIC_ADC_BATTERY=m + +# Sensors +CONFIG_TMP006=m +CONFIG_BMP085=y +CONFIG_BMP085_I2C=m +CONFIG_BMP085_SPI=m CONFIG_SENSORS_AD7314=m CONFIG_SENSORS_ADCXX=m +CONFIG_SENSORS_ADS7871=m +CONFIG_SENSORS_GPIO_FAN=m +CONFIG_SENSORS_HTU21=m +CONFIG_SENSORS_LIS3_SPI=m CONFIG_SENSORS_LM70=m CONFIG_SENSORS_MAX1111=m -CONFIG_SENSORS_ADS7871=m -CONFIG_SENSORS_LIS3_SPI=m -CONFIG_SENSORS_GPIO_FAN=m CONFIG_LCD_L4F00242T03=m CONFIG_LCD_LMS283GF05=m @@ -356,9 +452,10 @@ CONFIG_LEDS_DAC124S085=m CONFIG_LEDS_PWM=m CONFIG_BMP085_SPI=m -# Display - +# Contiguous Memory Allocator +CONFIG_OF_RESERVED_MEM=y CONFIG_CMA=y +CONFIG_DMA_CMA=y # CONFIG_CMA_DEBUG is not set CONFIG_CMA_SIZE_MBYTES=16 CONFIG_CMA_SIZE_SEL_MBYTES=y @@ -367,6 +464,7 @@ CONFIG_CMA_SIZE_SEL_MBYTES=y # CONFIG_CMA_SIZE_SEL_MAX is not set CONFIG_CMA_ALIGNMENT=8 CONFIG_CMA_AREAS=7 +CONFIG_SRAM=y # Ethernet CONFIG_KS8851=m @@ -401,6 +499,9 @@ CONFIG_UBIFS_FS_LZO=y CONFIG_UBIFS_FS_ZLIB=y # CONFIG_UBIFS_FS_DEBUG is not set +# Sensors +CONFIG_SENSORS_HTU21=m + # Should be in generic CONFIG_BPF_JIT=y # CONFIG_NET_VENDOR_CIRRUS is not set @@ -434,6 +535,7 @@ CONFIG_BPF_JIT=y # CONFIG_COMMON_CLK_AXI_CLKGEN is not set # CONFIG_SPI_TOPCLIFF_PCH is not set # CONFIG_SPI_PXA2XX is not set +# CONFIG_SPI_FSL_DSPI is not set # these modules all fail with missing __bad_udelay # http://www.spinics.net/lists/arm/msg15615.html provides some background diff --git a/config-armv7-lpae b/config-armv7-lpae index c4febfc94..f2cfb02f2 100644 --- a/config-armv7-lpae +++ b/config-armv7-lpae @@ -25,7 +25,6 @@ CONFIG_ARCH_EXYNOS5=y CONFIG_ARM_LPAE=y CONFIG_SYS_SUPPORTS_HUGETLBFS=y CONFIG_HAVE_ARCH_TRANSPARENT_HUGEPAGE=y -CONFIG_VIRTIO_CONSOLE=m CONFIG_ARM_VIRT_EXT=y CONFIG_VIRTUALIZATION=y CONFIG_ARM_SMMU=y @@ -33,6 +32,7 @@ CONFIG_ARM_DMA_IOMMU_ALIGNMENT=8 # Cortex-A15 CONFIG_ARM_ERRATA_798181=y +CONFIG_ARM_ERRATA_773022=y CONFIG_KVM=y CONFIG_KVM_ARM_HOST=y @@ -66,7 +66,9 @@ CONFIG_SERIAL_SAMSUNG_CONSOLE=y CONFIG_SOC_EXYNOS5250=y CONFIG_SOC_EXYNOS5420=y CONFIG_SOC_EXYNOS5440=y -CONFIG_ARM_EXYNOS_CPUFREQ=y +# CONFIG_ARM_EXYNOS5250_CPUFREQ is not set +# CONFIG_ARM_EXYNOS5440_CPUFREQ is not set +# CONFIG_ARM_EXYNOS_CPUFREQ is not set # CONFIG_GENERIC_CPUFREQ_CPU0 is not set CONFIG_EXYNOS_THERMAL=m CONFIG_PCI_EXYNOS=y @@ -135,3 +137,6 @@ CONFIG_S3C_LOWLEVEL_UART_PORT=1 # CONFIG_S3C2410_WATCHDOG is not set # CONFIG_MMC_SDHCI_S3C is not set # CONFIG_TEGRA_HOST1X is not set +# CONFIG_SPI_DAVINCI is not set +# CONFIG_I2C_DAVINCI is not set +# CONFIG_TI_SOC_THERMAL is not set diff --git a/config-generic b/config-generic index 182d8a273..900f6e3cd 100644 --- a/config-generic +++ b/config-generic @@ -61,6 +61,8 @@ CONFIG_PID_NS=y CONFIG_UTS_NS=y CONFIG_IPC_NS=y CONFIG_NET_NS=y +# CONFIG_USER_NS is not set +# CONFIG_UIDGID_STRICT_TYPE_CHECKS is not set CONFIG_POSIX_MQUEUE=y # CONFIG_PREEMPT_NONE is not set @@ -104,7 +106,6 @@ CONFIG_HOTPLUG_PCI_PCIE=y CONFIG_HOTPLUG_PCI_FAKE=m # CONFIG_SGI_IOC4 is not set -# # CONFIG_ISA is not set # CONFIG_SCx200 is not set @@ -144,6 +145,9 @@ CONFIG_MMC_RICOH_MMC=y CONFIG_MMC_USHC=m CONFIG_MMC_REALTEK_PCI=m CONFIG_MMC_VUB300=m +# CONFIG_MMC_SDHCI_PXAV2 is not set +# CONFIG_MMC_SDHCI_PXAV3 is not set + CONFIG_CB710_CORE=m # CONFIG_CB710_DEBUG is not set @@ -159,6 +163,7 @@ CONFIG_INFINIBAND_SRP=m CONFIG_INFINIBAND_SRPT=m CONFIG_INFINIBAND_USER_MAD=m CONFIG_INFINIBAND_USER_ACCESS=m +# CONFIG_INFINIBAND_EXPERIMENTAL_UVERBS_FLOW_STEERING is not set #staging CONFIG_INFINIBAND_IPATH=m CONFIG_INFINIBAND_ISER=m CONFIG_INFINIBAND_ISERT=m @@ -190,6 +195,9 @@ CONFIG_BINFMT_MISC=m # Device Drivers # +# CONFIG_COMMON_CLK_DEBUG is not set +# CONFIG_COMMON_CLK_SI5351 is not set + # # Generic Driver Options # @@ -201,6 +209,7 @@ CONFIG_EXTRA_FIRMWARE="" # CONFIG_FW_LOADER_USER_HELPER is not set # CONFIG_CMA is not set +# CONFIG_DMA_CMA is not set # CONFIG_SPI is not set @@ -310,9 +319,10 @@ CONFIG_BLK_DEV_DAC960=m # CONFIG_BLK_DEV_PCIESSD_MTIP32XX is not set CONFIG_BLK_DEV_DRBD=m CONFIG_BLK_DEV_UMEM=m -CONFIG_BLK_DEV_LOOP=y -CONFIG_BLK_DEV_LOOP_MIN_COUNT=8 -CONFIG_BLK_DEV_CRYPTOLOOP=m +CONFIG_BLK_DEV_LOOP=m +CONFIG_BLK_DEV_LOOP_MIN_COUNT=0 +# Fedora 18 util-linux is the last release that supports cryptoloop devices +# CONFIG_BLK_DEV_CRYPTOLOOP is not set CONFIG_BLK_DEV_NBD=m CONFIG_BLK_DEV_NVME=m CONFIG_BLK_DEV_OSD=m @@ -326,6 +336,7 @@ CONFIG_BLK_DEV_BSG=y CONFIG_BLK_DEV_BSGLIB=y CONFIG_BLK_DEV_INTEGRITY=y CONFIG_BLK_DEV_THROTTLING=y +# CONFIG_BLK_CMDLINE_PARSER is not set # @@ -338,13 +349,13 @@ CONFIG_BLK_DEV_THROTTLING=y CONFIG_SCSI_VIRTIO=m CONFIG_VIRTIO_BLK=m -CONFIG_VIRTIO_PCI=y +CONFIG_VIRTIO_PCI=m CONFIG_VIRTIO_BALLOON=m CONFIG_VIRTIO_MMIO=m # CONFIG_VIRTIO_MMIO_CMDLINE_DEVICES is not set CONFIG_VIRTIO_NET=m CONFIG_HW_RANDOM_VIRTIO=m -CONFIG_VIRTIO_CONSOLE=y +CONFIG_VIRTIO_CONSOLE=m CONFIG_VHOST_NET=m CONFIG_TCM_VHOST=m CONFIG_VHOST_SCSI=m @@ -433,6 +444,7 @@ CONFIG_MEGARAID_MM=m CONFIG_MEGARAID_MAILBOX=m CONFIG_MEGARAID_LEGACY=m CONFIG_MEGARAID_SAS=m +CONFIG_SCSI_ESAS2R=m CONFIG_SCSI_MVSAS=m # CONFIG_SCSI_MVSAS_DEBUG is not set CONFIG_SCSI_MVSAS_TASKLET=y @@ -598,14 +610,14 @@ CONFIG_MD_RAID0=m CONFIG_MD_RAID1=m CONFIG_MD_RAID10=m CONFIG_MD_RAID456=m -# CONFIG_MULTICORE_RAID456 is not set -CONFIG_ASYNC_RAID6_TEST=m CONFIG_BCACHE=m # CONFIG_BCACHE_DEBUG is not set # CONFIG_BCACHE_EDEBUG is not set # CONFIG_BCACHE_CLOSURES_DEBUG is not set +# CONFIG_MULTICORE_RAID456 is not set +CONFIG_ASYNC_RAID6_TEST=m CONFIG_BLK_DEV_DM=y CONFIG_DM_CRYPT=m CONFIG_DM_DEBUG=y @@ -930,6 +942,7 @@ CONFIG_IP_NF_TARGET_ECN=m CONFIG_IP_NF_TARGET_LOG=m CONFIG_IP_NF_TARGET_ULOG=m CONFIG_IP_NF_TARGET_REJECT=y +CONFIG_IP_NF_TARGET_SYNPROXY=m CONFIG_IP_NF_TARGET_TTL=m CONFIG_NF_NAT_IPV4=m CONFIG_IP_NF_TARGET_MASQUERADE=m @@ -963,6 +976,7 @@ CONFIG_IP6_NF_RAW=m CONFIG_IP6_NF_SECURITY=m CONFIG_IP6_NF_TARGET_LOG=m CONFIG_IP6_NF_TARGET_REJECT=m +CONFIG_IP6_NF_TARGET_SYNPROXY=m CONFIG_IP6_NF_TARGET_HL=m CONFIG_NF_NAT_IPV6=m CONFIG_IP6_NF_TARGET_MASQUERADE=m @@ -1092,6 +1106,7 @@ CONFIG_NET_SCH_CHOKE=m CONFIG_NET_SCH_QFQ=m CONFIG_NET_SCH_CODEL=m CONFIG_NET_SCH_FQ_CODEL=m +CONFIG_NET_SCH_FQ=m CONFIG_NET_SCH_PLUG=m CONFIG_NET_CLS=y CONFIG_NET_CLS_ACT=y @@ -1134,9 +1149,11 @@ CONFIG_BATMAN_ADV=m CONFIG_BATMAN_ADV_BLA=y CONFIG_BATMAN_ADV_DAT=y CONFIG_BATMAN_ADV_NC=y + # CONFIG_BATMAN_ADV_DEBUG is not set CONFIG_OPENVSWITCH=m CONFIG_OPENVSWITCH_GRE=y +CONFIG_OPENVSWITCH_VXLAN=y CONFIG_VSOCKETS=m CONFIG_NETPRIO_CGROUP=m @@ -1225,6 +1242,7 @@ CONFIG_L2TP_ETH=m # CONFIG_CAIF is not set CONFIG_RFKILL=m +CONFIG_RFKILL_GPIO=m CONFIG_RFKILL_INPUT=y CONFIG_ETHERNET=y @@ -1324,7 +1342,7 @@ CONFIG_IXGBE_DCA=y CONFIG_IXGBE_DCB=y CONFIG_IXGBE_HWMON=y CONFIG_IXGBE_PTP=y - +CONFIG_I40E=m # CONFIG_NET_VENDOR_I825XX is not set CONFIG_NET_VENDOR_MARVELL=y @@ -1369,6 +1387,7 @@ CONFIG_NET_VENDOR_QLOGIC=y CONFIG_QLA3XXX=m CONFIG_QLCNIC=m CONFIG_QLCNIC_SRIOV=y +CONFIG_QLCNIC_DCB=y CONFIG_QLGE=m CONFIG_NETXEN_NIC=m @@ -1546,12 +1565,7 @@ CONFIG_MAC80211_LEDS=y CONFIG_MAC80211_DEBUGFS=y # CONFIG_MAC80211_DEBUG_MENU is not set -CONFIG_WIMAX=m -CONFIG_WIMAX_DEBUG_LEVEL=8 -CONFIG_WIMAX_I2400M_USB=m -CONFIG_WIMAX_I2400M_SDIO=m -CONFIG_WIMAX_I2400M_DEBUG_LEVEL=8 -# CONFIG_WIMAX_IWMC3200_SDIO is not set +# CONFIG_WIMAX is not set # CONFIG_ADM8211 is not set CONFIG_ATH_COMMON=m @@ -1677,6 +1691,7 @@ CONFIG_RT2500USB=m CONFIG_RT2800USB=m CONFIG_RT2800USB_RT33XX=y CONFIG_RT2800USB_RT35XX=y +CONFIG_RT2800USB_RT3573=y CONFIG_RT2800USB_RT53XX=y CONFIG_RT2800USB_RT55XX=y CONFIG_RT2800USB_UNKNOWN=y @@ -1697,12 +1712,9 @@ CONFIG_USB_NET_SMSC75XX=m CONFIG_ZD1211RW=m # CONFIG_ZD1211RW_DEBUG is not set -CONFIG_WL12XX_MENU=m CONFIG_WL12XX=m -# CONFIG_WL12XX_HT is not set CONFIG_WL12XX_SPI=m CONFIG_WL12XX_SDIO=m -# CONFIG_WL12XX_SDIO_TEST is not set CONFIG_WL1251=m CONFIG_WL1251_SPI=m @@ -2015,6 +2027,7 @@ CONFIG_INPUT_SPARSEKMAP=m # CONFIG_INPUT_IMS_PCU is not set CONFIG_INPUT_CMA3000=m CONFIG_INPUT_CMA3000_I2C=m +CONFIG_INPUT_IDEAPAD_SLIDEBAR=m # # Input I/O drivers @@ -2198,6 +2211,7 @@ CONFIG_TCG_NSC=m CONFIG_TCG_ATMEL=m # CONFIG_TCG_INFINEON is not set # CONFIG_TCG_ST33_I2C is not set +# CONFIG_TCG_XEN is not set CONFIG_TELCLOCK=m # @@ -2236,6 +2250,13 @@ CONFIG_SERIAL_CORE=y CONFIG_SERIAL_CORE_CONSOLE=y # CONFIG_SERIAL_XILINX_PS_UART is not set # CONFIG_SERIAL_TIMBERDALE is not set +CONFIG_SERIAL_ARC=m +CONFIG_SERIAL_ARC_NR_PORTS=1 +# CONFIG_SERIAL_RP2 is not set +# CONFIG_SERIAL_FSL_LPUART is not set +# CONFIG_SERIAL_ST_ASC is not set +# CONFIG_SERIAL_PCH_UART is not set + CONFIG_UNIX98_PTYS=y CONFIG_DEVPTS_MULTIPLE_INSTANCES=y # CONFIG_LEGACY_PTYS is not set @@ -2345,10 +2366,12 @@ CONFIG_SENSORS_GL518SM=m CONFIG_SENSORS_GL520SM=m CONFIG_SENSORS_HDAPS=m # CONFIG_SENSORS_HIH6130 is not set +# CONFIG_SENSORS_HTU21 is not set # CONFIG_SENSORS_I5K_AMB is not set # FIXME: IBMAEM x86 only? CONFIG_SENSORS_IBMAEM=m CONFIG_SENSORS_IBMPEX=m +# CONFIG_SENSORS_IIO_HWMON is not set CONFIG_SENSORS_IT87=m CONFIG_SENSORS_K8TEMP=m CONFIG_SENSORS_K10TEMP=m @@ -2450,17 +2473,125 @@ CONFIG_SENSORS_MAX8688=m CONFIG_SENSORS_MAX1668=m CONFIG_SENSORS_MAX197=m +# Industrial I/O subsystem configuration +CONFIG_IIO=m +CONFIG_IIO_BUFFER=y +CONFIG_IIO_BUFFER_CB=y +# CONFIG_IIO_KFIFO_BUF is not set +CONFIG_IIO_TRIGGERED_BUFFER=m +CONFIG_IIO_TRIGGER=y +CONFIG_IIO_CONSUMERS_PER_TRIGGER=2 +CONFIG_IIO_INTERRUPT_TRIGGER=m +CONFIG_HID_SENSOR_IIO_COMMON=m +CONFIG_HID_SENSOR_IIO_TRIGGER=m +CONFIG_HID_SENSOR_ENUM_BASE_QUIRKS=y +# CONFIG_IIO_SYSFS_TRIGGER is not set +# CONFIG_AD5446 is not set +# CONFIG_AD5380 is not set +# CONFIG_AD5064 is not set +# CONFIG_BMA180 is not set +# CONFIG_MAX1363 is not set +# CONFIG_MAX517 is not set +# CONFIG_MCP4725 is not set +# CONFIG_ITG3200 is not set +# CONFIG_APDS9300 is not set +# CONFIG_TSL2583 is not set +# CONFIG_TSL2x7x is not set +# CONFIG_NAU7802 is not set +# CONFIG_TI_ADC081C is not set +# CONFIG_EXYNOS_ADC is not set +# CONFIG_VIPERBOARD_ADC is not set +# CONFIG_INV_MPU6050_IIO is not set +CONFIG_IIO_ST_GYRO_3AXIS=m +CONFIG_IIO_ST_MAGN_3AXIS=m +CONFIG_IIO_ST_ACCEL_3AXIS=m +# CONFIG_ADJD_S311 is not set +# CONFIG_SENSORS_TSL2563 is not set +# CONFIG_VCNL4000 is not set +# CONFIG_AK8975 is not set +# CONFIG_TMP006 is not set +# CONFIG_IIO_ST_PRESS is not set +# CONFIG_KXSD9 is not set +# CONFIG_AD7266 is not set +# CONFIG_AD7298 is not set +# CONFIG_AD7476 is not set +# CONFIG_AD7791 is not set +# CONFIG_AD7793 is not set +# CONFIG_AD7887 is not set +# CONFIG_AD7923 is not set +# CONFIG_MCP320X is not set +# CONFIG_AD8366 is not set +# CONFIG_AD5360 is not set +# CONFIG_AD5421 is not set +# CONFIG_AD5449 is not set +# CONFIG_AD5504 is not set +# CONFIG_AD5624R_SPI is not set +# CONFIG_AD5686 is not set +# CONFIG_AD5755 is not set +# CONFIG_AD5764 is not set +# CONFIG_AD5791 is not set +# CONFIG_AD7303 is not set +# CONFIG_AD9523 is not set +# CONFIG_ADF4350 is not set +# CONFIG_ADIS16080 is not set +# CONFIG_ADIS16130 is not set +# CONFIG_ADIS16136 is not set +# CONFIG_ADIS16260 is not set +# CONFIG_ADXRS450 is not set +# CONFIG_ADIS16400 is not set +# CONFIG_ADIS16480 is not set + +# staging IIO drivers +# CONFIG_AD7291 is not set +# CONFIG_AD7606 is not set +# CONFIG_AD799X is not set +# CONFIG_ADT7316 is not set +# CONFIG_AD7150 is not set +# CONFIG_AD7152 is not set +# CONFIG_AD7746 is not set +# CONFIG_AD5933 is not set +# CONFIG_ADE7854 is not set +# CONFIG_SENSORS_ISL29018 is not set +# CONFIG_SENSORS_ISL29028 is not set +# CONFIG_SENSORS_HMC5843 is not set +# CONFIG_IIO_PERIODIC_RTC_TRIGGER is not set +# CONFIG_IIO_SIMPLE_DUMMY is not set +# CONFIG_ADIS16201 is not set +# CONFIG_ADIS16203 is not set +# CONFIG_ADIS16204 is not set +# CONFIG_ADIS16209 is not set +# CONFIG_ADIS16220 is not set +# CONFIG_ADIS16240 is not set +# CONFIG_LIS3L02DQ is not set +# CONFIG_SCA3000 is not set +# CONFIG_AD7780 is not set +# CONFIG_AD7816 is not set +# CONFIG_AD7192 is not set +# CONFIG_AD7280 is not set +# CONFIG_AD5930 is not set +# CONFIG_AD9832 is not set +# CONFIG_AD9834 is not set +# CONFIG_AD9850 is not set +# CONFIG_AD9852 is not set +# CONFIG_AD9910 is not set +# CONFIG_AD9951 is not set +# CONFIG_ADIS16060 is not set +# CONFIG_ADE7753 is not set +# CONFIG_ADE7754 is not set +# CONFIG_ADE7758 is not set +# CONFIG_ADE7759 is not set +# CONFIG_AD2S90 is not set +# CONFIG_AD2S1200 is not set +# CONFIG_AD2S1210 is not set + + + # CONFIG_HMC6352 is not set # CONFIG_BMP085 is not set # CONFIG_BMP085_I2C is not set # CONFIG_PCH_PHUB is not set -# CONFIG_SERIAL_PCH_UART is not set # CONFIG_USB_SWITCH_FSA9480 is not set # CONFIG_SRAM is not set -CONFIG_SERIAL_ARC=m -CONFIG_SERIAL_ARC_NR_PORTS=1 -# CONFIG_SERIAL_RP2 is not set -# CONFIG_SERIAL_FSL_LPUART is not set CONFIG_W1=m CONFIG_W1_CON=y @@ -2544,6 +2675,8 @@ CONFIG_W83697UG_WDT=m CONFIG_HW_RANDOM=y CONFIG_HW_RANDOM_TIMERIOMEM=m CONFIG_HW_RANDOM_TPM=m +# CONFIG_HW_RANDOM_ATMEL is not set +# CONFIG_HW_RANDOM_EXYNOS is not set # CONFIG_NVRAM is not set # CONFIG_RTC is not set # CONFIG_RTC_DEBUG is not set @@ -2600,6 +2733,7 @@ CONFIG_RTC_DRV_PCF50633=m CONFIG_RTC_DRV_DS3232=m CONFIG_RTC_DRV_ISL12022=m # CONFIG_RTC_DRV_HID_SENSOR_TIME is not set +# CONFIG_RTC_DRV_MOXART is not set CONFIG_R3964=m # CONFIG_APPLICOM is not set @@ -2641,6 +2775,7 @@ CONFIG_DRM_MGAG200=m # do not enable on f17 or older # CONFIG_DRM_SAVAGE is not set CONFIG_DRM_I915=m CONFIG_DRM_I915_KMS=y +# CONFIG_DRM_I915_PRELIMINARY_HW_SUPPORT is not set CONFIG_DRM_VIA=m CONFIG_DRM_NOUVEAU=m CONFIG_NOUVEAU_DEBUG=5 @@ -2654,7 +2789,6 @@ CONFIG_DRM_I2C_NXP_TDA998X=m CONFIG_DRM_UDL=m CONFIG_DRM_VMWGFX=m CONFIG_DRM_VMWGFX_FBCON=y -CONFIG_DRM_VGEM=m CONFIG_DRM_QXL=m # @@ -2719,6 +2853,7 @@ CONFIG_VIDEO_CX88=m CONFIG_VIDEO_CX88_DVB=m CONFIG_VIDEO_CX88_ALSA=m CONFIG_VIDEO_CX88_BLACKBIRD=m +CONFIG_VIDEO_CX88_ENABLE_VP3054=y CONFIG_VIDEO_CX88_VP3054=m CONFIG_VIDEO_EM28XX=m CONFIG_VIDEO_EM28XX_ALSA=m @@ -2743,6 +2878,7 @@ CONFIG_VIDEO_SAA7134_ALSA=m CONFIG_VIDEO_SAA7134_DVB=m CONFIG_VIDEO_SAA7134_RC=y CONFIG_VIDEO_USBVISION=m +CONFIG_VIDEO_STK1160_COMMON=m CONFIG_VIDEO_STK1160=m CONFIG_VIDEO_STK1160_AC97=y CONFIG_VIDEO_W9966=m @@ -2923,6 +3059,7 @@ CONFIG_IR_GPIO_CIR=m CONFIG_V4L_MEM2MEM_DRIVERS=y # CONFIG_VIDEO_MEM2MEM_DEINTERLACE is not set # CONFIG_VIDEO_SH_VEU is not set +# CONFIG_VIDEO_RENESAS_VSP1 is not set # CONFIG_V4L_TEST_DRIVERS is not set # CONFIG_VIDEO_MEM2MEM_TESTDEV is not set @@ -2998,7 +3135,7 @@ CONFIG_FB_TILEBLITTING=y CONFIG_FB_VESA=y CONFIG_FB_VGA16=m CONFIG_FB_VIRTUAL=m -CONFIG_FB_VOODOO1=m +# CONFIG_FB_VOODOO1 is not set # CONFIG_FB_VT8623 is not set CONFIG_FB_EFI=y # CONFIG_FB_VIA is not set @@ -3228,9 +3365,15 @@ CONFIG_USB_EHCI_ROOT_HUB_TT=y CONFIG_USB_EHCI_TT_NEWSCHED=y # CONFIG_USB_EHCI_MV is not set # CONFIG_USB_EHCI_HCD_PLATFORM is not set +# CONFIG_USB_ISP116X_HCD is not set +# CONFIG_USB_ISP1760_HCD is not set +CONFIG_USB_ISP1362_HCD=m +CONFIG_USB_FUSBH200_HCD=m +# CONFIG_USB_FOTG210_HCD is not set CONFIG_USB_OHCI_HCD=y CONFIG_USB_OHCI_HCD_PCI=y # CONFIG_USB_OHCI_HCD_SSB is not set +# CONFIG_USB_HCD_TEST_MODE is not set # CONFIG_USB_OHCI_HCD_PLATFORM is not set CONFIG_USB_UHCI_HCD=y CONFIG_USB_SL811_HCD=m @@ -3239,8 +3382,6 @@ CONFIG_USB_SL811_HCD_ISO=y # CONFIG_USB_R8A66597_HCD is not set CONFIG_USB_XHCI_HCD=y # CONFIG_USB_XHCI_HCD_DEBUGGING is not set -CONFIG_USB_ISP1362_HCD=m -CONFIG_USB_FUSBH200_HCD=m # # USB Device Class drivers @@ -3330,9 +3471,14 @@ CONFIG_HID_SMARTJOYPLUS=m CONFIG_HID_TOPSEED=m CONFIG_HID_THINGM=m CONFIG_HID_THRUSTMASTER=m +CONFIG_HID_XINMO=m CONFIG_HID_ZEROPLUS=m CONFIG_HID_ZYDACRON=m CONFIG_HID_SENSOR_HUB=m +CONFIG_HID_SENSOR_GYRO_3D=m +CONFIG_HID_SENSOR_MAGNETOMETER_3D=m +CONFIG_HID_SENSOR_ALS=m +CONFIG_HID_SENSOR_ACCEL_3D=m CONFIG_HID_EMS_FF=m CONFIG_HID_ELECOM=m CONFIG_HID_ELO=m @@ -3400,6 +3546,7 @@ CONFIG_USB_GSPCA_SPCA506=m CONFIG_USB_GSPCA_SPCA508=m CONFIG_USB_GSPCA_SPCA561=m CONFIG_USB_GSPCA_STK014=m +CONFIG_USB_GSPCA_STK1135=m CONFIG_USB_GSPCA_SUNPLUS=m CONFIG_USB_GSPCA_T613=m CONFIG_USB_GSPCA_TOPRO=m @@ -3443,6 +3590,7 @@ CONFIG_USB_SPEEDTOUCH=m CONFIG_USB_NET_AX8817X=m CONFIG_USB_NET_AX88179_178A=m CONFIG_USB_NET_DM9601=m +CONFIG_USB_NET_SR9700=m CONFIG_USB_NET_SMSC95XX=m CONFIG_USB_NET_GL620A=m CONFIG_USB_NET_NET1080=m @@ -3487,6 +3635,7 @@ CONFIG_USB_USS720=m # CONFIG_USB_SERIAL=y CONFIG_USB_SERIAL_GENERIC=y +CONFIG_USB_SERIAL_SIMPLE=m CONFIG_USB_SERIAL_AIRCABLE=m CONFIG_USB_SERIAL_ARK3116=m CONFIG_USB_SERIAL_BELKIN=m @@ -3581,6 +3730,7 @@ CONFIG_USB_PHY=y # CONFIG_OMAP_USB2 is not set # CONFIG_OMAP_USB3 is not set # CONFIG_OMAP_CONTROL_USB is not set +# CONFIG_AM335X_PHY_USB is not set # CONFIG_SAMSUNG_USBPHY is not set # CONFIG_SAMSUNG_USB2PHY is not set # CONFIG_SAMSUNG_USB3PHY is not set @@ -3597,8 +3747,6 @@ CONFIG_USB_FILE_STORAGE=m # CONFIG_USB_GADGET is not set # CONFIG_USB_DWC3 is not set # CONFIG_USB_GADGETFS is not set -# CONFIG_USB_ISP116X_HCD is not set -# CONFIG_USB_ISP1760_HCD is not set # CONFIG_USB_OXU210HP_HCD is not set CONFIG_USB_IOWARRIOR=m CONFIG_USB_ISIGHTFW=m @@ -3625,6 +3773,7 @@ CONFIG_RADIO_SI4713=m CONFIG_USB_MR800=m CONFIG_USB_STKWEBCAM=m # CONFIG_USB_TEST is not set +# CONFIG_USB_EHSET_TEST_FIXTURE is not set CONFIG_USB_TRANCEVIBRATOR=m CONFIG_USB_U132_HCD=m CONFIG_USB_UEAGLEATM=m @@ -3703,6 +3852,7 @@ CONFIG_MFD_VIPERBOARD=m # CONFIG_MFD_SI476X_CORE is not set # CONFIG_MFD_TPS65912 is not set # CONFIG_MFD_SYSCON is not set +# CONFIG_MFD_DA9063 is not set # # File systems @@ -3752,6 +3902,7 @@ CONFIG_AUTOFS4_FS=y CONFIG_NILFS2_FS=m # CONFIG_LOGFS is not set CONFIG_CEPH_FS=m +CONFIG_CEPH_FSCACHE=y CONFIG_BLK_DEV_RBD=m CONFIG_CEPH_LIB=m # CONFIG_CEPH_LIB_USE_DNS_RESOLVER is not set @@ -3806,6 +3957,7 @@ CONFIG_ECRYPT_FS=m # CONFIG_ECRYPT_FS_MESSAGING is not set CONFIG_HFS_FS=m CONFIG_HFSPLUS_FS=m +# CONFIG_HFSPLUS_FS_POSIX_ACL is not set CONFIG_BEFS_FS=m # CONFIG_BEFS_DEBUG is not set # CONFIG_BFS_FS is not set @@ -3907,6 +4059,7 @@ CONFIG_BTRFS_FS_POSIX_ACL=y # CONFIG_BTRFS_FS_CHECK_INTEGRITY is not set # CONFIG_BTRFS_FS_RUN_SANITY_TESTS is not set # CONFIG_BTRFS_DEBUG is not set +# CONFIG_BTRFS_ASSERT is not set CONFIG_CONFIGFS_FS=y @@ -3944,6 +4097,7 @@ CONFIG_SUN_PARTITION=y # CONFIG_SYSV68_PARTITION is not set CONFIG_UNIXWARE_DISKLABEL=y # CONFIG_ULTRIX_PARTITION is not set +# CONFIG_CMDLINE_PARTITION is not set CONFIG_NLS=y @@ -4032,6 +4186,9 @@ CONFIG_HEADERS_CHECK=y # This generates a huge amount of dmesg spew # CONFIG_DEBUG_KOBJECT is not set # +# This breaks booting until the module patches are in-tree +# CONFIG_DEBUG_KOBJECT_RELEASE is not set +# # # These debug options are deliberatly left on (even in 'make release' kernels). # They aren't that much of a performance impact, and the value @@ -4233,6 +4390,9 @@ CONFIG_FB_ATY_BACKLIGHT=y # CONFIG_BACKLIGHT_SAHARA is not set CONFIG_BACKLIGHT_WM831X=m CONFIG_BACKLIGHT_LP855X=m +# CONFIG_BACKLIGHT_GPIO is not set +# CONFIG_BACKLIGHT_LV5207LP is not set +# CONFIG_BACKLIGHT_BD6107 is not set CONFIG_LCD_CLASS_DEVICE=m CONFIG_LCD_PLATFORM=m @@ -4382,6 +4542,8 @@ CONFIG_LEDS_DELL_NETBOOKS=m # CONFIG_LEDS_LM355x is not set # CONFIG_LEDS_OT200 is not set # CONFIG_LEDS_PWM is not set +# CONFIG_LEDS_LP8501 is not set +# CONFIG_LEDS_PCA963X is not set CONFIG_LEDS_TRIGGERS=y CONFIG_LEDS_TRIGGER_TIMER=m CONFIG_LEDS_TRIGGER_ONESHOT=m @@ -4471,6 +4633,7 @@ CONFIG_POWER_SUPPLY=y # CONFIG_TEST_POWER is not set CONFIG_APM_POWER=m +# CONFIG_GENERIC_ADC_BATTERY is not set # CONFIG_WM831X_POWER is not set # CONFIG_BATTERY_DS2760 is not set @@ -4490,6 +4653,7 @@ CONFIG_APM_POWER=m # CONFIG_CHARGER_GPIO is not set # CONFIG_CHARGER_PCF50633 is not set # CONFIG_CHARGER_BQ2415X is not set +# CONFIG_CHARGER_BQ24190 is not set CONFIG_POWER_RESET=y # CONFIG_PDA_POWER is not set @@ -4505,6 +4669,7 @@ CONFIG_UIO_AEC=m CONFIG_UIO_SERCOS3=m CONFIG_UIO_PCI_GENERIC=m # CONFIG_UIO_NETX is not set +# CONFIG_UIO_MF624 is not set CONFIG_VFIO=m CONFIG_VFIO_IOMMU_TYPE1=m @@ -4544,6 +4709,7 @@ CONFIG_MEMSTICK=m # CONFIG_MEMSTICK_DEBUG is not set # CONFIG_MEMSTICK_UNSAFE_RESUME is not set CONFIG_MSPRO_BLOCK=m +# CONFIG_MS_BLOCK is not set CONFIG_MEMSTICK_TIFM_MS=m CONFIG_MEMSTICK_JMICRON_38X=m CONFIG_MEMSTICK_R592=m @@ -4563,6 +4729,9 @@ CONFIG_OPTIMIZE_INLINING=y # CONFIG_GPIOLIB is not set # CONFIG_PINCTRL is not set +# CONFIG_DEBUG_PINCTRL is not set +# CONFIG_PINMUX is not set +# CONFIG_PINCONF is not set CONFIG_NET_DSA=m CONFIG_NET_DSA_MV88E6060=m @@ -4609,6 +4778,7 @@ CONFIG_STAGING_MEDIA=y # CONFIG_TI_ST is not set # CONFIG_FB_XGI is not set # CONFIG_VIDEO_GO7007 is not set +# CONFIG_USB_MSI3101 is not set # CONFIG_DT3155 is not set # CONFIG_W35UND is not set # CONFIG_PRISM2_USB is not set @@ -4621,7 +4791,6 @@ CONFIG_USB_ATMEL=m # CONFIG_POHMELFS is not set # CONFIG_IDE_PHISON is not set # CONFIG_LINE6_USB is not set -# CONFIG_IIO is not set # CONFIG_VME_BUS is not set # CONFIG_RAR_REGISTER is not set # CONFIG_VT6656 is not set @@ -4635,6 +4804,7 @@ CONFIG_RTL8192E=m # CONFIG_INPUT_GPIO is not set # CONFIG_VIDEO_CX25821 is not set # CONFIG_R8187SE is not set +# CONFIG_R8188EU is not set # CONFIG_RTL8192U is not set # CONFIG_FB_SM7XX is not set # CONFIG_SPECTRA is not set @@ -4642,6 +4812,7 @@ CONFIG_RTL8192E=m # CONFIG_EASYCAP is not set # CONFIG_SOLO6X10 is not set # CONFIG_ACPI_QUICKSTART is not set +# CONFIG_LTE_GDM724X is not set CONFIG_R8712U=m # Larry Finger maintains this (rhbz 699618) # CONFIG_R8712_AP is not set # CONFIG_ATH6K_LEGACY is not set @@ -4675,6 +4846,10 @@ CONFIG_ALTERA_STAPL=m # CONFIG_CED1401 is not set # CONFIG_DGRP is not set # CONFIG_SB105X is not set +# CONFIG_LUSTRE_FS is not set +# CONFIG_XILLYBUS is not set +# CONFIG_DGAP is not set +# CONFIG_DGNC is not set # END OF STAGING # @@ -4730,6 +4905,7 @@ CONFIG_MAC802154=m CONFIG_NET_MPLS_GSO=m # CONFIG_EXTCON is not set +# CONFIG_EXTCON_ADC_JACK is not set # CONFIG_MEMORY is not set CONFIG_PPS=m @@ -4759,6 +4935,7 @@ CONFIG_ZSWAP=y # CONFIG_W1_MASTER_GPIO is not set # CONFIG_LEDS_GPIO is not set CONFIG_GPIO_SYSFS=y +# CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_MAX732X is not set # CONFIG_GPIO_PCA953X is not set # CONFIG_GPIO_PCF857X is not set @@ -4827,6 +5004,7 @@ CONFIG_BCMA=m CONFIG_BCMA_BLOCKIO=y CONFIG_BCMA_HOST_PCI_POSSIBLE=y CONFIG_BCMA_HOST_PCI=y +# CONFIG_BCMA_HOST_SOC is not set CONFIG_BCMA_DRIVER_GMAC_CMN=y CONFIG_BCMA_DRIVER_GPIO=y # CONFIG_BCMA_DEBUG is not set diff --git a/config-powerpc-generic b/config-powerpc-generic index 2f26fb4ba..7ba1a5da5 100644 --- a/config-powerpc-generic +++ b/config-powerpc-generic @@ -331,12 +331,9 @@ CONFIG_I2C_MPC=m # CONFIG_IMA is not set # CONFIG_TCG_TPM is not set -CONFIG_RFKILL_GPIO=m - # CONFIG_CRYPTO_DEV_FSL_CAAM is not set # CONFIG_CRYPTO_SHA1_PPC is not set -# CONFIG_GPIO_GENERIC_PLATFORM is not set # CONFIG_GPIO_MCP23S08 is not set # CONFIG_CAN_FLEXCAN is not set @@ -382,3 +379,5 @@ CONFIG_BACKLIGHT_PWM=m CONFIG_CPU_IDLE_MULTIPLE_DRIVERS=n CONFIG_XZ_DEC_POWERPC=y + +CONFIG_CRASH=m diff --git a/config-powerpc64 b/config-powerpc64 index 705a7ea2b..b430449e0 100644 --- a/config-powerpc64 +++ b/config-powerpc64 @@ -97,6 +97,8 @@ CONFIG_HZ_100=y CONFIG_MEMORY_HOTREMOVE=y +CONFIG_CGROUP_HUGETLB=y + # CONFIG_MV643XX_ETH is not set CONFIG_IRQSTACKS=y CONFIG_DEBUG_STACKOVERFLOW=y @@ -134,6 +136,8 @@ CONFIG_RELOCATABLE=y CONFIG_RCU_FANOUT=64 +CONFIG_CMA=y +# CONFIG_CMA_DEBUG is not set CONFIG_KVM_BOOK3S_64=m CONFIG_KVM_BOOK3S_64_HV=y # CONFIG_KVM_EXIT_TIMING is not set diff --git a/config-powerpc64p7 b/config-powerpc64p7 index 7ab19187b..0e0d957ec 100644 --- a/config-powerpc64p7 +++ b/config-powerpc64p7 @@ -88,6 +88,8 @@ CONFIG_HZ_100=y CONFIG_MEMORY_HOTREMOVE=y +CONFIG_CGROUP_HUGETLB=y + # CONFIG_MV643XX_ETH is not set CONFIG_IRQSTACKS=y CONFIG_DEBUG_STACKOVERFLOW=y @@ -125,6 +127,8 @@ CONFIG_RELOCATABLE=y CONFIG_RCU_FANOUT=64 +CONFIG_CMA=y +# CONFIG_CMA_DEBUG is not set CONFIG_KVM_BOOK3S_64=m CONFIG_KVM_BOOK3S_64_HV=y # CONFIG_KVM_EXIT_TIMING is not set diff --git a/config-s390x b/config-s390x index a292f425e..6f3d3253e 100644 --- a/config-s390x +++ b/config-s390x @@ -194,6 +194,7 @@ CONFIG_VIRTUALIZATION=y CONFIG_KVM=m # CONFIG_KVM_S390_UCONTROL is not set CONFIG_S390_GUEST=y +CONFIG_VIRTIO_CONSOLE=y CONFIG_MEMORY_HOTPLUG=y @@ -234,8 +235,6 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_S390_PTDUMP is not set # CONFIG_ASYMMETRIC_KEY_TYPE is not set # CONFIG_PCI is not set -# CONFIG_GPIO_GENERIC_PLATFORM is not set -# CONFIG_GPIO_MCP23S08 is not set # CONFIG_NEW_LEDS is not set # CONFIG_HID is not set @@ -248,6 +247,7 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_INPUT_TABLET is not set # CONFIG_INPUT_TOUCHSCREEN is not set # CONFIG_INPUT_MISC is not set +# CONFIG_SERIO is not set # CONFIG_ACCESSIBILITY is not set # CONFIG_AUXDISPLAY is not set @@ -266,6 +266,8 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_I2C_PARPORT is not set # CONFIG_I2C_PARPORT_LIGHT is not set # CONFIG_I2C_NFORCE2 is not set +# CONFIG_PTP_1588_CLOCK is not set +# CONFIG_PPS is not set # CONFIG_PHYLIB is not set # CONFIG_ATM_DRIVERS is not set @@ -278,3 +280,5 @@ CONFIG_SCM_BLOCK_CLUSTER_WRITE=y # CONFIG_IEEE802154_DRIVERS is not set # CONFIG_FMC is not set + +CONFIG_CRASH=m diff --git a/config-x86-32-generic b/config-x86-32-generic index 3cd496569..868a7e3d4 100644 --- a/config-x86-32-generic +++ b/config-x86-32-generic @@ -1,6 +1,6 @@ # CONFIG_64BIT is not set -CONFIG_X86_32_NON_STANDARD=y +# CONFIG_X86_32_NON_STANDARD is not set # CONFIG_X86_ELAN is not set # CONFIG_X86_GOLDFISH is not set @@ -230,3 +230,4 @@ CONFIG_BACKLIGHT_PWM=m # CONFIG_OF_VIDEOMODE is not set # CONFIG_MLX5_INFINIBAND is not set +# CONFIG_PINCTRL_SINGLE is not set diff --git a/config-x86-generic b/config-x86-generic index 881ef82d1..4250e17da 100644 --- a/config-x86-generic +++ b/config-x86-generic @@ -40,6 +40,8 @@ CONFIG_EFI_VARS_PSTORE=y CONFIG_EFI_VARS_PSTORE_DEFAULT_DISABLE=y CONFIG_EFI_PCDP=y CONFIG_FB_EFI=y +# needs FB_SIMPLE to work correctly +# CONFIG_X86_SYSFB is not set # FIXME: 32bit only? # CONFIG_FB_N411 is not set @@ -145,6 +147,8 @@ CONFIG_I2C_PIIX4=m CONFIG_I2C_SIS96X=m CONFIG_I2C_VIA=m CONFIG_I2C_VIAPRO=m +CONFIG_I2C_DESIGNWARE_CORE=m +CONFIG_I2C_DESIGNWARE_PLATFORM=m #rhbz 997149 # CONFIG_DELL_RBU is not set @@ -252,6 +256,7 @@ CONFIG_PARAVIRT_TIME_ACCOUNTING=y CONFIG_KVM_CLOCK=y CONFIG_KVM_GUEST=y CONFIG_KVM_MMU_AUDIT=y # default $x would be nice... +# CONFIG_KVM_DEBUG_FS is not set CONFIG_XEN=y # CONFIG_XEN_DEBUG is not set @@ -360,6 +365,9 @@ CONFIG_LPC_ICH=m CONFIG_GPIO_ICH=m # CONFIG_GPIO_LYNXPOINT is not set +# CONFIG_GPIO_MCP23S08 is not set +# CONFIG_GPIO_F7188X is not set + CONFIG_PCI_CNB20LE_QUIRK=y @@ -396,9 +404,6 @@ CONFIG_HP_ACCEL=m # CONFIG_RAPIDIO is not set -# CONFIG_GPIO_GENERIC_PLATFORM is not set -# CONFIG_GPIO_MCP23S08 is not set - CONFIG_SCHED_SMT=y CONFIG_CC_STACKPROTECTOR=y CONFIG_RELOCATABLE=y @@ -430,7 +435,9 @@ CONFIG_NFC_MICROREAD_MEI=m # Maybe enable in debug kernels? # CONFIG_DEBUG_NMI_SELFTEST is not set -# CONFIG_X86_INTEL_LPSS is not set +CONFIG_X86_INTEL_LPSS=y +CONFIG_PINCTRL=y +CONFIG_PINCTRL_BAYTRAIL=y # CONFIG_INTEL_POWERCLAMP is not set CONFIG_X86_PKG_TEMP_THERMAL=m @@ -459,3 +466,5 @@ CONFIG_MODULE_SIG_UEFI=y CONFIG_VMXNET3=m CONFIG_VFIO_PCI_VGA=y + +# CONFIG_NTB is not set diff --git a/config-x86_64-generic b/config-x86_64-generic index b1bfed734..4f36d4d89 100644 --- a/config-x86_64-generic +++ b/config-x86_64-generic @@ -16,8 +16,10 @@ CONFIG_X86_64_ACPI_NUMA=y CONFIG_NUMA_BALANCING_DEFAULT_ENABLED=y CONFIG_NUMA_BALANCING=y -CONFIG_NR_CPUS=128 +# https://lists.fedoraproject.org/pipermail/kernel/2013-November/004601.html +CONFIG_NR_CPUS=1024 CONFIG_PHYSICAL_START=0x1000000 +CONFIG_PHYSICAL_ALIGN=0x1000000 CONFIG_IA32_EMULATION=y # CONFIG_IA32_AOUT is not set @@ -30,6 +32,7 @@ CONFIG_SWIOTLB=y # CONFIG_CALGARY_IOMMU is not set CONFIG_TRANSPARENT_HUGEPAGE=y +CONFIG_CGROUP_HUGETLB=y CONFIG_MEM_SOFT_DIRTY=y CONFIG_KEXEC_JUMP=y diff --git a/debug-idle-sched-warn-once.patch b/debug-idle-sched-warn-once.patch deleted file mode 100644 index 1dd30496e..000000000 --- a/debug-idle-sched-warn-once.patch +++ /dev/null @@ -1,19 +0,0 @@ -Instead of spewing this over and over, and scrolling useful info -off the screen, just print it once. - ---- linux-3.9.0-0.rc3.git0.2.fc19.x86_64/kernel/sched/idle_task.c~ 2013-03-21 10:44:17.935087323 -0400 -+++ linux-3.9.0-0.rc3.git0.2.fc19.x86_64/kernel/sched/idle_task.c 2013-03-21 10:44:41.936092782 -0400 -@@ -35,6 +35,13 @@ static struct task_struct *pick_next_tas - static void - dequeue_task_idle(struct rq *rq, struct task_struct *p, int flags) - { -+ static bool once = 0; -+ -+ if (once == 1) -+ return; -+ -+ once = 1; -+ - raw_spin_unlock_irq(&rq->lock); - printk(KERN_ERR "bad: scheduling from the idle thread!\n"); - dump_stack(); diff --git a/devel-pekey-secure-boot-20130502.patch b/devel-pekey-secure-boot-20130502.patch index 0a5342f83..5641902f7 100644 --- a/devel-pekey-secure-boot-20130502.patch +++ b/devel-pekey-secure-boot-20130502.patch @@ -249,14 +249,14 @@ index 2b6e699..0000000 - -struct key *modsign_keyring; - --extern __initdata const u8 modsign_certificate_list[]; --extern __initdata const u8 modsign_certificate_list_end[]; +-extern __initconst const u8 modsign_certificate_list[]; +-extern __initconst const u8 modsign_certificate_list_end[]; - -/* - * We need to make sure ccache doesn't cache the .o file as it doesn't notice - * if modsign.pub changes. - */ --static __initdata const char annoy_ccache[] = __TIME__ "foo"; +-static __initconst const char annoy_ccache[] = __TIME__ "foo"; - -/* - * Load the compiled-in keys diff --git a/drm-qxl-backport-fixes-for-Fedora.patch b/drm-qxl-backport-fixes-for-Fedora.patch index c46060d64..04848b529 100644 --- a/drm-qxl-backport-fixes-for-Fedora.patch +++ b/drm-qxl-backport-fixes-for-Fedora.patch @@ -150,19 +150,6 @@ index 7e96f4f..18c599d 100644 }; /* forward declaration for QXL_INFO_IO */ -diff --git a/drivers/gpu/drm/qxl/qxl_fb.c b/drivers/gpu/drm/qxl/qxl_fb.c -index 88722f2..f437b30 100644 ---- a/drivers/gpu/drm/qxl/qxl_fb.c -+++ b/drivers/gpu/drm/qxl/qxl_fb.c -@@ -108,7 +108,7 @@ static void qxl_fb_dirty_flush(struct fb_info *info) - u32 x1, x2, y1, y2; - - /* TODO: hard coding 32 bpp */ -- int stride = qfbdev->qfb.base.pitches[0] * 4; -+ int stride = qfbdev->qfb.base.pitches[0]; - - x1 = qfbdev->dirty.x1; - x2 = qfbdev->dirty.x2; diff --git a/drivers/gpu/drm/qxl/qxl_kms.c b/drivers/gpu/drm/qxl/qxl_kms.c index 9e8da9e..e0ddd5b 100644 --- a/drivers/gpu/drm/qxl/qxl_kms.c diff --git a/drm-qxl-fix-memory-leak-in-release-list-handling.patch b/drm-qxl-fix-memory-leak-in-release-list-handling.patch deleted file mode 100644 index 8ed4819f2..000000000 --- a/drm-qxl-fix-memory-leak-in-release-list-handling.patch +++ /dev/null @@ -1,30 +0,0 @@ -Bugzilla: N/A -Upstream-status: 3.13 - -From 1b28c3e628315ac0d9ef2d3fac0403f05ae692db Mon Sep 17 00:00:00 2001 -From: Dave Airlie -Date: Thu, 28 Nov 2013 05:39:03 +0000 -Subject: drm/qxl: fix memory leak in release list handling - -wow no idea how I got this far without seeing this, -leaking the entries in the list makes kmalloc-64 slab grow. - -References: https://bugzilla.kernel.org/show_bug.cgi?id=65121 -Cc: stable@vger.kernel.org -Reported-by: Matthew Stapleton -Signed-off-by: Dave Airlie ---- -diff --git a/drivers/gpu/drm/qxl/qxl_release.c b/drivers/gpu/drm/qxl/qxl_release.c -index 0109a96..821ab7b 100644 ---- a/drivers/gpu/drm/qxl/qxl_release.c -+++ b/drivers/gpu/drm/qxl/qxl_release.c -@@ -92,6 +92,7 @@ qxl_release_free(struct qxl_device *qdev, - - DRM_FILE_OFFSET); - qxl_fence_remove_release(&bo->fence, release->id); - qxl_bo_unref(&bo); -+ kfree(entry); - } - spin_lock(&qdev->release_idr_lock); - idr_remove(&qdev->release_idr, release->id); --- -cgit v0.9.0.2-2-gbebe diff --git a/drm-radeon-24hz-audio-fixes.patch b/drm-radeon-24hz-audio-fixes.patch deleted file mode 100644 index 4fd8341ed..000000000 --- a/drm-radeon-24hz-audio-fixes.patch +++ /dev/null @@ -1,173 +0,0 @@ -Bugzilla: 1010679 -Upstream-status: 3.13 - -From 908171aa738b5bbcc6241cec46f73fcd57dd00d4 Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Wed, 6 Nov 2013 20:00:32 +0100 -Subject: [PATCH 1/2] drm/radeon/audio: correct ACR table - -The values were taken from the HDMI spec, but they assumed -exact x/1.001 clocks. Since we round the clocks, we also need -to calculate different N and CTS values. - -Note that the N for 25.2/1.001 MHz at 44.1 kHz audio is out of -spec. Hopefully this mode is rarely used and/or HDMI sinks -tolerate overly large values of N. - -bug: -https://bugs.freedesktop.org/show_bug.cgi?id=69675 - -Signed-off-by: Pierre Ossman -Signed-off-by: Alex Deucher ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index 4140fe8..e8ca095 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -57,15 +57,15 @@ enum r600_hdmi_iec_status_bits { - static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { - /* 32kHz 44.1kHz 48kHz */ - /* Clock N CTS N CTS N CTS */ -- { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ -+ { 25175, 4096, 25175, 28224, 125875, 6144, 25175 }, /* 25,20/1.001 MHz */ - { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */ - { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */ - { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */ - { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */ - { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */ -- { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ -+ { 74176, 4096, 74176, 5733, 75335, 6144, 74176 }, /* 74.25/1.001 MHz */ - { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ -- { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ -+ { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */ - { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ - { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ - }; --- -1.8.3.1 - - -From 05e4776357fe7217e531cbaaa163e24f688d10ce Mon Sep 17 00:00:00 2001 -From: Pierre Ossman -Date: Wed, 6 Nov 2013 20:09:08 +0100 -Subject: [PATCH 2/2] drm/radeon/audio: improve ACR calculation - -In order to have any realistic chance of calculating proper -ACR values, we need to be able to calculate both N and CTS, -not just CTS. We still aim for the ideal N as specified in -the HDMI spec though. - -bug: -https://bugs.freedesktop.org/show_bug.cgi?id=69675 - -Signed-off-by: Pierre Ossman -Signed-off-by: Alex Deucher ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 68 ++++++++++++++++++++++++++------------ - 1 file changed, 46 insertions(+), 22 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index e8ca095..92c6df7 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -24,6 +24,7 @@ - * Authors: Christian König - */ - #include -+#include - #include - #include - #include "radeon.h" -@@ -67,25 +68,47 @@ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { - { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ - { 148352, 4096, 148352, 5733, 150670, 6144, 148352 }, /* 148.50/1.001 MHz */ - { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ -- { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ - }; - -+ - /* -- * calculate CTS value if it's not found in the table -+ * calculate CTS and N values if they are not found in the table - */ --static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq) -+static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int *N, int freq) - { -- u64 n; -- u32 d; -- -- if (*CTS == 0) { -- n = (u64)clock * (u64)N * 1000ULL; -- d = 128 * freq; -- do_div(n, d); -- *CTS = n; -- } -- DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n", -- N, *CTS, freq); -+ int n, cts; -+ unsigned long div, mul; -+ -+ /* Safe, but overly large values */ -+ n = 128 * freq; -+ cts = clock * 1000; -+ -+ /* Smallest valid fraction */ -+ div = gcd(n, cts); -+ -+ n /= div; -+ cts /= div; -+ -+ /* -+ * The optimal N is 128*freq/1000. Calculate the closest larger -+ * value that doesn't truncate any bits. -+ */ -+ mul = ((128*freq/1000) + (n-1))/n; -+ -+ n *= mul; -+ cts *= mul; -+ -+ /* Check that we are in spec (not always possible) */ -+ if (n < (128*freq/1500)) -+ printk(KERN_WARNING "Calculated ACR N value is too small. You may experience audio problems.\n"); -+ if (n > (128*freq/300)) -+ printk(KERN_WARNING "Calculated ACR N value is too large. You may experience audio problems.\n"); -+ -+ *N = n; -+ *CTS = cts; -+ -+ DRM_DEBUG("Calculated ACR timing N=%d CTS=%d for frequency %d\n", -+ *N, *CTS, freq); - } - - struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) -@@ -93,15 +116,16 @@ struct radeon_hdmi_acr r600_hdmi_acr(uint32_t clock) - struct radeon_hdmi_acr res; - u8 i; - -- for (i = 0; r600_hdmi_predefined_acr[i].clock != clock && -- r600_hdmi_predefined_acr[i].clock != 0; i++) -- ; -- res = r600_hdmi_predefined_acr[i]; -+ /* Precalculated values for common clocks */ -+ for (i = 0; i < ARRAY_SIZE(r600_hdmi_predefined_acr); i++) { -+ if (r600_hdmi_predefined_acr[i].clock == clock) -+ return r600_hdmi_predefined_acr[i]; -+ } - -- /* In case some CTS are missing */ -- r600_hdmi_calc_cts(clock, &res.cts_32khz, res.n_32khz, 32000); -- r600_hdmi_calc_cts(clock, &res.cts_44_1khz, res.n_44_1khz, 44100); -- r600_hdmi_calc_cts(clock, &res.cts_48khz, res.n_48khz, 48000); -+ /* And odd clocks get manually calculated */ -+ r600_hdmi_calc_cts(clock, &res.cts_32khz, &res.n_32khz, 32000); -+ r600_hdmi_calc_cts(clock, &res.cts_44_1khz, &res.n_44_1khz, 44100); -+ r600_hdmi_calc_cts(clock, &res.cts_48khz, &res.n_48khz, 48000); - - return res; - } --- -1.8.3.1 - diff --git a/elevator-Fix-a-race-in-elevator-switching-and-md.patch b/elevator-Fix-a-race-in-elevator-switching-and-md.patch deleted file mode 100644 index 5517687ff..000000000 --- a/elevator-Fix-a-race-in-elevator-switching-and-md.patch +++ /dev/null @@ -1,162 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp55663oab; - Fri, 30 Aug 2013 15:52:46 -0700 (PDT) -X-Received: by 10.68.244.168 with SMTP id xh8mr12419215pbc.3.1377903166373; - Fri, 30 Aug 2013 15:52:46 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id qc9si280431pac.269.1969.12.31.16.00.00; - Fri, 30 Aug 2013 15:52:46 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; - dkim=neutral (bad format) header.i=@hds.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1753535Ab3H3WrV (ORCPT - + 99 others); Fri, 30 Aug 2013 18:47:21 -0400 -Received: from usindpps04.hds.com ([207.126.252.17]:35636 "EHLO - usindpps04.hds.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752650Ab3H3WrU (ORCPT - ); - Fri, 30 Aug 2013 18:47:20 -0400 -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hds.com; h=subject : to : from : cc - : date : message-id : mime-version : content-type : - content-transfer-encoding; s=mail1; - bh=VofHN8IMnygn2hbqnFjLmX0PPEPbvpzE377u1RxpGOY=; - b=piW6J78W57qDXBPJJuodWw/tvf0T//JbxKX6sLPvpuaOG2nBLMHzDqUeTYwFEQqUvdmf - ZTkiwsKi0WEku3MKcxJ7veR7wvTZcQ4fGMETFTf1c2J/1JOKpXLnft4ERuW89/FAxw25 - wQM1ulsuQ3Cncl0I/sIaqMlaMOtvuQ/C8rsHorp+75eFiL6yx1jU5wMbuti4D/NprIET - 3r57cPZ0YCh6sLjvOgjay6mKyktMToyjHPx6X1TWCSWcwes33Popc1hpadxUdFI/0npL - mN3Tttbe7e2RcmkXAZbwg8xj+FwSu3nIRC4G9UpFCsMz518C/AWZj4puwWE6VHZWVvVZ Rg== -Received: from usindmail01.hds.com (usindmail03 [207.126.252.22]) - by usindpps04.hds.com (8.14.5/8.14.5) with ESMTP id r7UMlBjr025492; - Fri, 30 Aug 2013 18:47:11 -0400 -Received: from hds.com (usindnetf5d-vlan47float.corp.hds.com [10.74.73.11]) - by usindmail01.hds.com (8.14.1/8.14.1) with ESMTP id r7UMl8SG058466; - Fri, 30 Aug 2013 18:47:10 -0400 (EDT) -Subject: [PATCH v2 1/2] elevator: Fix a race in elevator switching and md - device initialization -To: linux-kernel@vger.kernel.org -From: Tomoki Sekiyama -Cc: axboe@kernel.dk, tj@kernel.org, seiji.aguchi@hds.com, - vgoyal@redhat.com, majianpeng@gmail.com -Date: Fri, 30 Aug 2013 18:47:07 -0400 -Message-ID: <20130830224707.21812.63516.stgit@hds.com> -User-Agent: StGit/0.16 -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 7bit -X-Proofpoint-SPF-Result: pass -X-Proofpoint-SPF-Record: v=spf1 mx ip4:207.126.244.0/26 ip4:207.126.252.0/25 include:mktomail.com - include:cloud.hds.com ~all -X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000 - definitions=2013-08-30_09:2013-08-30,2013-08-30,1970-01-01 signatures=0 -X-Proofpoint-Spam-Details: rule=notspam policy=outbound_policy score=0 spamscore=0 suspectscore=1 - phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx - scancount=1 engine=7.0.1-1305240000 definitions=main-1308300162 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -The soft lockup below happens at the boot time of the system using dm -multipath and the udev rules to switch scheduler. - -[ 356.127001] BUG: soft lockup - CPU#3 stuck for 22s! [sh:483] -[ 356.127001] RIP: 0010:[] [] lock_timer_base.isra.35+0x1d/0x50 -... -[ 356.127001] Call Trace: -[ 356.127001] [] try_to_del_timer_sync+0x20/0x70 -[ 356.127001] [] ? kmem_cache_alloc_node_trace+0x20a/0x230 -[ 356.127001] [] del_timer_sync+0x52/0x60 -[ 356.127001] [] cfq_exit_queue+0x32/0xf0 -[ 356.127001] [] elevator_exit+0x2f/0x50 -[ 356.127001] [] elevator_change+0xf1/0x1c0 -[ 356.127001] [] elv_iosched_store+0x20/0x50 -[ 356.127001] [] queue_attr_store+0x59/0xb0 -[ 356.127001] [] sysfs_write_file+0xc6/0x140 -[ 356.127001] [] vfs_write+0xbd/0x1e0 -[ 356.127001] [] SyS_write+0x49/0xa0 -[ 356.127001] [] system_call_fastpath+0x16/0x1b - -This is caused by a race between md device initialization by multipathd and -shell script to switch the scheduler using sysfs. - - - multipathd: - SyS_ioctl -> do_vfs_ioctl -> dm_ctl_ioctl -> ctl_ioctl -> table_load - -> dm_setup_md_queue -> blk_init_allocated_queue -> elevator_init - q->elevator = elevator_alloc(q, e); // not yet initialized - - - sh -c 'echo deadline > /sys/$DEVPATH/queue/scheduler': - elevator_switch (in the call trace above) - struct elevator_queue *old = q->elevator; - q->elevator = elevator_alloc(q, new_e); - elevator_exit(old); // lockup! (*) - - - multipathd: (cont.) - err = e->ops.elevator_init_fn(q); // init fails; q->elevator is modified - -(*) When del_timer_sync() is called, lock_timer_base() will loop infinitely -while timer->base == NULL. In this case, as timer will never initialized, -it results in lockup. - -This patch introduces acquisition of q->sysfs_lock around elevator_init() -into blk_init_allocated_queue(), to provide mutual exclusion between -initialization of the q->scheduler and switching of the scheduler. - -This should fix this bugzilla: -https://bugzilla.redhat.com/show_bug.cgi?id=902012 - -Signed-off-by: Tomoki Sekiyama ---- - block/blk-core.c | 10 +++++++++- - block/elevator.c | 6 ++++++ - 2 files changed, 15 insertions(+), 1 deletion(-) - -diff --git a/block/blk-core.c b/block/blk-core.c -index 93a18d1..2f6275f 100644 ---- a/block/blk-core.c -+++ b/block/blk-core.c -@@ -739,9 +739,17 @@ blk_init_allocated_queue(struct request_queue *q, request_fn_proc *rfn, - - q->sg_reserved_size = INT_MAX; - -+ /* Protect q->elevator from elevator_change */ -+ mutex_lock(&q->sysfs_lock); -+ - /* init elevator */ -- if (elevator_init(q, NULL)) -+ if (elevator_init(q, NULL)) { -+ mutex_unlock(&q->sysfs_lock); - return NULL; -+ } -+ -+ mutex_unlock(&q->sysfs_lock); -+ - return q; - } - EXPORT_SYMBOL(blk_init_allocated_queue); -diff --git a/block/elevator.c b/block/elevator.c -index 668394d..02d4390 100644 ---- a/block/elevator.c -+++ b/block/elevator.c -@@ -186,6 +186,12 @@ int elevator_init(struct request_queue *q, char *name) - struct elevator_type *e = NULL; - int err; - -+ /* -+ * q->sysfs_lock must be held to provide mutual exclusion between -+ * elevator_switch() and here. -+ */ -+ lockdep_assert_held(&q->sysfs_lock); -+ - if (unlikely(q->elevator)) - return 0; - - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/elevator-acquire-q-sysfs_lock-in-elevator_change.patch b/elevator-acquire-q-sysfs_lock-in-elevator_change.patch deleted file mode 100644 index 6f112b81c..000000000 --- a/elevator-acquire-q-sysfs_lock-in-elevator_change.patch +++ /dev/null @@ -1,121 +0,0 @@ - -Delivered-To: jwboyer@gmail.com -Received: by 10.76.168.104 with SMTP id zv8csp55623oab; - Fri, 30 Aug 2013 15:51:42 -0700 (PDT) -X-Received: by 10.67.30.70 with SMTP id kc6mr13149193pad.32.1377903101609; - Fri, 30 Aug 2013 15:51:41 -0700 (PDT) -Return-Path: -Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) - by mx.google.com with ESMTP id gg2si304840pac.217.1969.12.31.16.00.00; - Fri, 30 Aug 2013 15:51:41 -0700 (PDT) -Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; -Authentication-Results: mx.google.com; - spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mail=linux-kernel-owner@vger.kernel.org; - dkim=neutral (bad format) header.i=@hds.com -Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand - id S1756106Ab3H3WrX (ORCPT - + 99 others); Fri, 30 Aug 2013 18:47:23 -0400 -Received: from usindpps04.hds.com ([207.126.252.17]:35640 "EHLO - usindpps04.hds.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org - with ESMTP id S1752650Ab3H3WrW (ORCPT - ); - Fri, 30 Aug 2013 18:47:22 -0400 -DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=hds.com; h=subject : to : from : cc - : date : message-id : in-reply-to : references : mime-version : - content-type : content-transfer-encoding; s=mail1; - bh=xbQuWVaSJrPfWG5E7bXFAbOFjf/sBaRZsPmpVgy0CYk=; - b=NW/A8Imu32MXoBi5FLrQ0FsK66RTWMQo1bFRtgQplVEQQIAXyf1XhCaAZyTkTplc0iEx - ovyGZHvLbmGL6w3I3pxkCFz1BPJCqoZtvQITir/WvfzyadYOK1cz+vuBUQSCmfkacvS/ - w37h1jLAjsvWXkl0GY7pxB9HJMXdeLnhhuWxtNU8m8rKZ7t3LSByMeQi5/3OTkNojDEe - 70cKeZXCPQ/UIDJAF4cpSVXia5FwoJISjXvQIrvqkYhFelzq3OHMcC482PdpqNB475h3 - yHHJ83HFOLRulUQdOG5ZVTB9qRg0zxRx/oedeXwzturFke68noRRa4f4izQ8sCwsWOCI Dw== -Received: from usindmail01.hds.com (usindmail03 [207.126.252.22]) - by usindpps04.hds.com (8.14.5/8.14.5) with ESMTP id r7UMlHIc025543; - Fri, 30 Aug 2013 18:47:17 -0400 -Received: from hds.com (usindnetf5d-vlan47float.corp.hds.com [10.74.73.11]) - by usindmail01.hds.com (8.14.1/8.14.1) with ESMTP id r7UMlGiC058545; - Fri, 30 Aug 2013 18:47:17 -0400 (EDT) -Subject: [PATCH v2 2/2] elevator: acquire q->sysfs_lock in elevator_change() -To: linux-kernel@vger.kernel.org -From: Tomoki Sekiyama -Cc: axboe@kernel.dk, tj@kernel.org, seiji.aguchi@hds.com, - vgoyal@redhat.com, majianpeng@gmail.com -Date: Fri, 30 Aug 2013 18:47:16 -0400 -Message-ID: <20130830224716.21812.99333.stgit@hds.com> -In-Reply-To: <20130830224707.21812.63516.stgit@hds.com> -References: <20130830224707.21812.63516.stgit@hds.com> -User-Agent: StGit/0.16 -MIME-Version: 1.0 -Content-Type: text/plain; charset="utf-8" -Content-Transfer-Encoding: 7bit -X-Proofpoint-SPF-Result: pass -X-Proofpoint-SPF-Record: v=spf1 mx ip4:207.126.244.0/26 ip4:207.126.252.0/25 include:mktomail.com - include:cloud.hds.com ~all -X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:5.10.8794,1.0.431,0.0.0000 - definitions=2013-08-30_09:2013-08-30,2013-08-30,1970-01-01 signatures=0 -X-Proofpoint-Spam-Details: rule=notspam policy=outbound_policy score=0 spamscore=0 suspectscore=1 - phishscore=0 adultscore=0 bulkscore=0 classifier=spam adjust=0 reason=mlx - scancount=1 engine=7.0.1-1305240000 definitions=main-1308300162 -Sender: linux-kernel-owner@vger.kernel.org -Precedence: bulk -List-ID: -X-Mailing-List: linux-kernel@vger.kernel.org - -Add locking of q->sysfs_lock into elevator_change() (an exported function) -to ensure it is held to protect q->elevator from elevator_init(), even if -elevator_change() is called from non-sysfs paths. -sysfs path (elv_iosched_store) uses __elevator_change(), non-locking -version, as the lock is already taken by elv_iosched_store(). - -Signed-off-by: Tomoki Sekiyama ---- - block/elevator.c | 16 ++++++++++++++-- - 1 file changed, 14 insertions(+), 2 deletions(-) - -diff --git a/block/elevator.c b/block/elevator.c -index 02d4390..6d765f7 100644 ---- a/block/elevator.c -+++ b/block/elevator.c -@@ -965,7 +965,7 @@ fail_init: - /* - * Switch this queue to the given IO scheduler. - */ --int elevator_change(struct request_queue *q, const char *name) -+static int __elevator_change(struct request_queue *q, const char *name) - { - char elevator_name[ELV_NAME_MAX]; - struct elevator_type *e; -@@ -987,6 +987,18 @@ int elevator_change(struct request_queue *q, const char *name) - - return elevator_switch(q, e); - } -+ -+int elevator_change(struct request_queue *q, const char *name) -+{ -+ int ret; -+ -+ /* Protect q->elevator from elevator_init() */ -+ mutex_lock(&q->sysfs_lock); -+ ret = __elevator_change(q, name); -+ mutex_unlock(&q->sysfs_lock); -+ -+ return ret; -+} - EXPORT_SYMBOL(elevator_change); - - ssize_t elv_iosched_store(struct request_queue *q, const char *name, -@@ -997,7 +1009,7 @@ ssize_t elv_iosched_store(struct request_queue *q, const char *name, - if (!q->elevator) - return count; - -- ret = elevator_change(q, name); -+ ret = __elevator_change(q, name); - if (!ret) - return count; - - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/fix-child-thread-introspection.patch b/fix-child-thread-introspection.patch deleted file mode 100644 index 4c0bad1a6..000000000 --- a/fix-child-thread-introspection.patch +++ /dev/null @@ -1,76 +0,0 @@ -Allow threads other than the main thread to do introspection of files in -proc without relying on read permissions. proc_pid_follow_link() calls -proc_fd_access_allowed() which ultimately calls __ptrace_may_access(). - -Though this allows additional access to some proc files, we do not -believe that this has any unintended security implications. However it -probably needs to be looked at carefully. - -The original problem was a thread of a process whose permissions were -111 couldn't open its own /proc/self/exe This was interfering with a -special purpose debugging tool. A simple reproducer is below.: - -#include -#include -#include -#include -#include -#include - -#define BUFSIZE 2048 - -void *thread_main(void *arg){ - char *str=(char*)arg; - char buf[BUFSIZE]; - ssize_t len=readlink("/proc/self/exe", buf, BUFSIZE); - if(len==-1) - printf("/proc/self/exe in %s: %s\n", str,sys_errlist[errno]); - else - printf("/proc/self/exe in %s: OK\n", str); - - return 0; -} - -int main(){ - pthread_t thread; - - int retval=pthread_create( &thread, NULL, thread_main, "thread"); - if(retval!=0) - exit(1); - - thread_main("main"); - pthread_join(thread, NULL); - - exit(0); -} - -Signed-off-by: Ben Woodard -Signed-off-by: Mark Grondona ---- - kernel/ptrace.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/kernel/ptrace.c b/kernel/ptrace.c -index acbd284..347c4c7 100644 ---- a/kernel/ptrace.c -+++ b/kernel/ptrace.c -diff -ruNp linux-3.8.4-103.fc17.noarch/kernel/ptrace.c linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c ---- linux-3.8.4-103.fc17.noarch/kernel/ptrace.c 2013-02-18 17:58:34.000000000 -0600 -+++ linux-3.8.4-103.fc17.ptrace/kernel/ptrace.c 2013-03-26 14:59:01.939396346 -0500 -@@ -234,7 +234,7 @@ static int __ptrace_may_access(struct ta - */ - int dumpable = 0; - /* Don't let security modules deny introspection */ -- if (task == current) -+ if (same_thread_group(task, current)) - return 0; - rcu_read_lock(); - tcred = __task_cred(task); --- -1.8.1.4 - --- -To unsubscribe from this list: send the line "unsubscribe linux-kernel" in -the body of a message to majordomo@vger.kernel.org -More majordomo info at http://vger.kernel.org/majordomo-info.html -Please read the FAQ at http://www.tux.org/lkml/ diff --git a/fix-radeon-sound.patch b/fix-radeon-sound.patch deleted file mode 100644 index 6e59256bb..000000000 --- a/fix-radeon-sound.patch +++ /dev/null @@ -1,154 +0,0 @@ -From 062c2e4363451d49ef840232fe65e8bff0dde2a5 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Fri, 27 Sep 2013 18:09:54 -0400 -Subject: [PATCH 1/4] drm/radeon: use 64-bit math to calculate CTS values for - audio (v2) - -Avoid losing precision. See bug: -https://bugs.freedesktop.org/show_bug.cgi?id=69675 - -v2: fix math as per Anssi's comments. - -Signed-off-by: Alex Deucher ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index b0fa600..49043a5 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -75,8 +75,15 @@ static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { - */ - static void r600_hdmi_calc_cts(uint32_t clock, int *CTS, int N, int freq) - { -- if (*CTS == 0) -- *CTS = clock * N / (128 * freq) * 1000; -+ u64 n; -+ u32 d; -+ -+ if (*CTS == 0) { -+ n = (u64)clock * (u64)N * 1000ULL; -+ d = 128 * freq; -+ do_div(n, d); -+ *CTS = n; -+ } - DRM_DEBUG("Using ACR timing N=%d CTS=%d for frequency %d\n", - N, *CTS, freq); - } --- -1.8.3.1 - - -From e7d12c2f98ae1e68c7298e5028048d150fa553a1 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Fri, 27 Sep 2013 18:19:42 -0400 -Subject: [PATCH 2/4] drm/radeon: fix N/CTS clock matching for audio - -The drm code that calculates the 1001 clocks rounds up -rather than truncating. This allows the table to match -properly on those modes. - -See bug: -https://bugs.freedesktop.org/show_bug.cgi?id=69675 - -Signed-off-by: Alex Deucher ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 6 +++--- - 1 file changed, 3 insertions(+), 3 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index 49043a5..567703f 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -57,15 +57,15 @@ enum r600_hdmi_iec_status_bits { - static const struct radeon_hdmi_acr r600_hdmi_predefined_acr[] = { - /* 32kHz 44.1kHz 48kHz */ - /* Clock N CTS N CTS N CTS */ -- { 25174, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ -+ { 25175, 4576, 28125, 7007, 31250, 6864, 28125 }, /* 25,20/1.001 MHz */ - { 25200, 4096, 25200, 6272, 28000, 6144, 25200 }, /* 25.20 MHz */ - { 27000, 4096, 27000, 6272, 30000, 6144, 27000 }, /* 27.00 MHz */ - { 27027, 4096, 27027, 6272, 30030, 6144, 27027 }, /* 27.00*1.001 MHz */ - { 54000, 4096, 54000, 6272, 60000, 6144, 54000 }, /* 54.00 MHz */ - { 54054, 4096, 54054, 6272, 60060, 6144, 54054 }, /* 54.00*1.001 MHz */ -- { 74175, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ -+ { 74176, 11648, 210937, 17836, 234375, 11648, 140625 }, /* 74.25/1.001 MHz */ - { 74250, 4096, 74250, 6272, 82500, 6144, 74250 }, /* 74.25 MHz */ -- { 148351, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ -+ { 148352, 11648, 421875, 8918, 234375, 5824, 140625 }, /* 148.50/1.001 MHz */ - { 148500, 4096, 148500, 6272, 165000, 6144, 148500 }, /* 148.50 MHz */ - { 0, 4096, 0, 6272, 0, 6144, 0 } /* Other */ - }; --- -1.8.3.1 - - -From ee0fec312a1c4e26f255955da942562cd8908a4b Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Fri, 27 Sep 2013 18:22:15 -0400 -Subject: [PATCH 3/4] drm/radeon: use hw generated CTS/N values for audio - -Use the hw generated values rather than calculating -them in the driver. There may be some older r6xx -asics where this doesn't work correctly. This remains -to be seen. - -See bug: -https://bugs.freedesktop.org/show_bug.cgi?id=69675 - -Signed-off-by: Alex Deucher ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 3 +-- - 1 file changed, 1 insertion(+), 2 deletions(-) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index 567703f..e2ae1c2 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -451,8 +451,7 @@ void r600_hdmi_setmode(struct drm_encoder *encoder, struct drm_display_mode *mod - } - - WREG32(HDMI0_ACR_PACKET_CONTROL + offset, -- HDMI0_ACR_AUTO_SEND | /* allow hw to sent ACR packets when required */ -- HDMI0_ACR_SOURCE); /* select SW CTS value */ -+ HDMI0_ACR_AUTO_SEND); /* allow hw to sent ACR packets when required */ - - WREG32(HDMI0_VBI_PACKET_CONTROL + offset, - HDMI0_NULL_SEND | /* send null packets when required */ --- -1.8.3.1 - - -From b852c985010a77c850b7548d64bbb964ca462b02 Mon Sep 17 00:00:00 2001 -From: Alex Deucher -Date: Thu, 10 Oct 2013 11:47:01 -0400 -Subject: [PATCH 4/4] drm/radeon: re-enable sw ACR support on pre-DCE4 -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -HW ACR support may have issues on some older chips, so -use SW ACR for now until we've tested further. - -Signed-off-by: Alex Deucher -CC: RafaÅ‚ MiÅ‚ecki ---- - drivers/gpu/drm/radeon/r600_hdmi.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/drivers/gpu/drm/radeon/r600_hdmi.c b/drivers/gpu/drm/radeon/r600_hdmi.c -index e2ae1c2..5b72931 100644 ---- a/drivers/gpu/drm/radeon/r600_hdmi.c -+++ b/drivers/gpu/drm/radeon/r600_hdmi.c -@@ -451,6 +451,7 @@ void r600_hdmi_setmode(struct drm_encoder *encoder, struct drm_display_mode *mod - } - - WREG32(HDMI0_ACR_PACKET_CONTROL + offset, -+ HDMI0_ACR_SOURCE | /* select SW CTS value - XXX verify that hw CTS works on all families */ - HDMI0_ACR_AUTO_SEND); /* allow hw to sent ACR packets when required */ - - WREG32(HDMI0_VBI_PACKET_CONTROL + offset, --- -1.8.3.1 - diff --git a/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch b/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch deleted file mode 100644 index b76fd2a36..000000000 --- a/inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch +++ /dev/null @@ -1,253 +0,0 @@ -Bugzilla: 1035887 -Upstream-status: 3.13 - -From 4be402ba6158068d53ab0268f1affa9d82dae2ec Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Fri, 22 Nov 2013 23:46:12 +0000 -Subject: [PATCH] inet: fix addr_len/msg->msg_namelen assignment in recv_error - and rxpmtu functions - -Commit bceaa90240b6019ed73b49965eac7d167610be69 ("inet: prevent leakage -of uninitialized memory to user in recv syscalls") conditionally updated -addr_len if the msg_name is written to. The recv_error and rxpmtu -functions relied on the recvmsg functions to set up addr_len before. - -As this does not happen any more we have to pass addr_len to those -functions as well and set it to the size of the corresponding sockaddr -length. - -This broke traceroute and such. - -Fixes: bceaa90240b6 ("inet: prevent leakage of uninitialized memory to user in recv syscalls") -Reported-by: Brad Spengler -Reported-by: Tom Labanowski -Cc: mpb -Cc: David S. Miller -Cc: Eric Dumazet -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - include/net/ip.h | 2 +- - include/net/ipv6.h | 4 ++-- - include/net/ping.h | 3 ++- - net/ipv4/ip_sockglue.c | 3 ++- - net/ipv4/ping.c | 5 +++-- - net/ipv4/raw.c | 2 +- - net/ipv4/udp.c | 2 +- - net/ipv6/datagram.c | 7 +++++-- - net/ipv6/ping.c | 3 ++- - net/ipv6/raw.c | 4 ++-- - net/ipv6/udp.c | 4 ++-- - net/l2tp/l2tp_ip6.c | 2 +- - 12 files changed, 24 insertions(+), 17 deletions(-) - -diff --git a/include/net/ip.h b/include/net/ip.h -index 5e52688..301f10c 100644 ---- a/include/net/ip.h -+++ b/include/net/ip.h -@@ -464,7 +464,7 @@ extern int compat_ip_getsockopt(struct sock *sk, int level, - int optname, char __user *optval, int __user *optlen); - extern int ip_ra_control(struct sock *sk, unsigned char on, void (*destructor)(struct sock *)); - --extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len); -+extern int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); - extern void ip_icmp_error(struct sock *sk, struct sk_buff *skb, int err, - __be16 port, u32 info, u8 *payload); - extern void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 dport, -diff --git a/include/net/ipv6.h b/include/net/ipv6.h -index bbf1c8f..5529d79 100644 ---- a/include/net/ipv6.h -+++ b/include/net/ipv6.h -@@ -802,8 +802,8 @@ extern int compat_ipv6_getsockopt(struct sock *sk, - extern int ip6_datagram_connect(struct sock *sk, - struct sockaddr *addr, int addr_len); - --extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len); --extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len); -+extern int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len); -+extern int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, int *addr_len); - extern void ipv6_icmp_error(struct sock *sk, struct sk_buff *skb, int err, __be16 port, - u32 info, u8 *payload); - extern void ipv6_local_error(struct sock *sk, int err, struct flowi6 *fl6, u32 info); -diff --git a/include/net/ping.h b/include/net/ping.h -index 5db0224..2b496e9 100644 ---- a/include/net/ping.h -+++ b/include/net/ping.h -@@ -31,7 +31,8 @@ - - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ - struct pingv6_ops { -- int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len); -+ int (*ipv6_recv_error)(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len); - int (*ip6_datagram_recv_ctl)(struct sock *sk, struct msghdr *msg, - struct sk_buff *skb); - int (*icmpv6_err_convert)(u8 type, u8 code, int *err); -diff --git a/net/ipv4/ip_sockglue.c b/net/ipv4/ip_sockglue.c -index d9c4f11..23e6ab0 100644 ---- a/net/ipv4/ip_sockglue.c -+++ b/net/ipv4/ip_sockglue.c -@@ -368,7 +368,7 @@ void ip_local_error(struct sock *sk, int err, __be32 daddr, __be16 port, u32 inf - /* - * Handle MSG_ERRQUEUE - */ --int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ip_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct sock_exterr_skb *serr; - struct sk_buff *skb, *skb2; -@@ -405,6 +405,7 @@ int ip_recv_error(struct sock *sk, struct msghdr *msg, int len) - serr->addr_offset); - sin->sin_port = serr->port; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 92fb6ff..ac31877 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -838,10 +838,11 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - - if (flags & MSG_ERRQUEUE) { - if (family == AF_INET) { -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - #if IS_ENABLED(CONFIG_IPV6) - } else if (family == AF_INET6) { -- return pingv6_ops.ipv6_recv_error(sk, msg, len); -+ return pingv6_ops.ipv6_recv_error(sk, msg, len, -+ addr_len); - #endif - } - } -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index ca4c3f1..7d3db78 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -695,7 +695,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - goto out; - - if (flags & MSG_ERRQUEUE) { -- err = ip_recv_error(sk, msg, len); -+ err = ip_recv_error(sk, msg, len, addr_len); - goto out; - } - -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index a7003de..1ef8794 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1210,7 +1210,7 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - bool slow; - - if (flags & MSG_ERRQUEUE) -- return ip_recv_error(sk, msg, len); -+ return ip_recv_error(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -diff --git a/net/ipv6/datagram.c b/net/ipv6/datagram.c -index 48b6bd2..7a0fd80 100644 ---- a/net/ipv6/datagram.c -+++ b/net/ipv6/datagram.c -@@ -318,7 +318,7 @@ void ipv6_local_rxpmtu(struct sock *sk, struct flowi6 *fl6, u32 mtu) - /* - * Handle MSG_ERRQUEUE - */ --int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sock_exterr_skb *serr; -@@ -369,6 +369,7 @@ int ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) - &sin->sin6_addr); - sin->sin6_scope_id = 0; - } -+ *addr_len = sizeof(*sin); - } - - memcpy(&errhdr.ee, &serr->ee, sizeof(struct sock_extended_err)); -@@ -423,7 +424,8 @@ EXPORT_SYMBOL_GPL(ipv6_recv_error); - /* - * Handle IPV6_RECVPATHMTU - */ --int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) -+int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len) - { - struct ipv6_pinfo *np = inet6_sk(sk); - struct sk_buff *skb; -@@ -457,6 +459,7 @@ int ipv6_recv_rxpmtu(struct sock *sk, struct msghdr *msg, int len) - sin->sin6_port = 0; - sin->sin6_scope_id = mtu_info.ip6m_addr.sin6_scope_id; - sin->sin6_addr = mtu_info.ip6m_addr.sin6_addr; -+ *addr_len = sizeof(*sin); - } - - put_cmsg(msg, SOL_IPV6, IPV6_PATHMTU, sizeof(mtu_info), &mtu_info); -diff --git a/net/ipv6/ping.c b/net/ipv6/ping.c -index 18f19df..7856e96 100644 ---- a/net/ipv6/ping.c -+++ b/net/ipv6/ping.c -@@ -57,7 +57,8 @@ static struct inet_protosw pingv6_protosw = { - - - /* Compatibility glue so we can support IPv6 when it's compiled as a module */ --static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len) -+static int dummy_ipv6_recv_error(struct sock *sk, struct msghdr *msg, int len, -+ int *addr_len) - { - return -EAFNOSUPPORT; - } -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 2f303bf..430067c 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -467,10 +467,10 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - return -EOPNOTSUPP; - - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index a59beed..3d2758d 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -375,10 +375,10 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - bool slow; - - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - if (np->rxpmtu && np->rxopt.bits.rxpmtu) -- return ipv6_recv_rxpmtu(sk, msg, len); -+ return ipv6_recv_rxpmtu(sk, msg, len, addr_len); - - try_again: - skb = __skb_recv_datagram(sk, flags | (noblock ? MSG_DONTWAIT : 0), -diff --git a/net/l2tp/l2tp_ip6.c b/net/l2tp/l2tp_ip6.c -index b8a6039..e6e8408 100644 ---- a/net/l2tp/l2tp_ip6.c -+++ b/net/l2tp/l2tp_ip6.c -@@ -665,7 +665,7 @@ static int l2tp_ip6_recvmsg(struct kiocb *iocb, struct sock *sk, - *addr_len = sizeof(*lsa); - - if (flags & MSG_ERRQUEUE) -- return ipv6_recv_error(sk, msg, len); -+ return ipv6_recv_error(sk, msg, len, addr_len); - - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) --- -1.8.3.1 - diff --git a/inet-prevent-leakage-of-uninitialized-memory-to-user.patch b/inet-prevent-leakage-of-uninitialized-memory-to-user.patch deleted file mode 100644 index c5b941134..000000000 --- a/inet-prevent-leakage-of-uninitialized-memory-to-user.patch +++ /dev/null @@ -1,256 +0,0 @@ -Bugzilla: 1035887 -Upstream-status: 3.13 - -From bceaa90240b6019ed73b49965eac7d167610be69 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Mon, 18 Nov 2013 04:20:45 +0100 -Subject: [PATCH] inet: prevent leakage of uninitialized memory to user in recv - syscalls - -Only update *addr_len when we actually fill in sockaddr, otherwise we -can return uninitialized memory from the stack to the caller in the -recvfrom, recvmmsg and recvmsg syscalls. Drop the the (addr_len == NULL) -checks because we only get called with a valid addr_len pointer either -from sock_common_recvmsg or inet_recvmsg. - -If a blocking read waits on a socket which is concurrently shut down we -now return zero and set msg_msgnamelen to 0. - -Reported-by: mpb -Suggested-by: Eric Dumazet -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ieee802154/dgram.c | 3 +-- - net/ipv4/ping.c | 19 +++++++------------ - net/ipv4/raw.c | 4 +--- - net/ipv4/udp.c | 7 +------ - net/ipv6/raw.c | 4 +--- - net/ipv6/udp.c | 5 +---- - net/l2tp/l2tp_ip.c | 4 +--- - net/phonet/datagram.c | 9 ++++----- - 8 files changed, 17 insertions(+), 38 deletions(-) - -diff --git a/net/ieee802154/dgram.c b/net/ieee802154/dgram.c -index 581a595..1865fdf 100644 ---- a/net/ieee802154/dgram.c -+++ b/net/ieee802154/dgram.c -@@ -315,9 +315,8 @@ static int dgram_recvmsg(struct kiocb *iocb, struct sock *sk, - if (saddr) { - saddr->family = AF_IEEE802154; - saddr->addr = mac_cb(skb)->sa; -- } -- if (addr_len) - *addr_len = sizeof(*saddr); -+ } - - if (flags & MSG_TRUNC) - copied = skb->len; -diff --git a/net/ipv4/ping.c b/net/ipv4/ping.c -index 9afbdb1..aacefa0 100644 ---- a/net/ipv4/ping.c -+++ b/net/ipv4/ping.c -@@ -830,8 +830,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - { - struct inet_sock *isk = inet_sk(sk); - int family = sk->sk_family; -- struct sockaddr_in *sin; -- struct sockaddr_in6 *sin6; - struct sk_buff *skb; - int copied, err; - -@@ -841,13 +839,6 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) { -- if (family == AF_INET) -- *addr_len = sizeof(*sin); -- else if (family == AF_INET6 && addr_len) -- *addr_len = sizeof(*sin6); -- } -- - if (flags & MSG_ERRQUEUE) { - if (family == AF_INET) { - return ip_recv_error(sk, msg, len); -@@ -877,11 +868,13 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - - /* Copy the address and add cmsg data. */ - if (family == AF_INET) { -- sin = (struct sockaddr_in *) msg->msg_name; -+ struct sockaddr_in *sin = (struct sockaddr_in *)msg->msg_name; -+ - sin->sin_family = AF_INET; - sin->sin_port = 0 /* skb->h.uh->source */; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - - if (isk->cmsg_flags) - ip_cmsg_recv(msg, skb); -@@ -890,17 +883,19 @@ int ping_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - } else if (family == AF_INET6) { - struct ipv6_pinfo *np = inet6_sk(sk); - struct ipv6hdr *ip6 = ipv6_hdr(skb); -- sin6 = (struct sockaddr_in6 *) msg->msg_name; -+ struct sockaddr_in6 *sin6 = -+ (struct sockaddr_in6 *)msg->msg_name; -+ - sin6->sin6_family = AF_INET6; - sin6->sin6_port = 0; - sin6->sin6_addr = ip6->saddr; -- - sin6->sin6_flowinfo = 0; - if (np->sndflow) - sin6->sin6_flowinfo = ip6_flowinfo(ip6); - - sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, - IP6CB(skb)->iif); -+ *addr_len = sizeof(*sin6); - - if (inet6_sk(sk)->rxopt.all) - pingv6_ops.ip6_datagram_recv_ctl(sk, msg, skb); -diff --git a/net/ipv4/raw.c b/net/ipv4/raw.c -index 41e1d28..5cb8ddb 100644 ---- a/net/ipv4/raw.c -+++ b/net/ipv4/raw.c -@@ -696,9 +696,6 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) { - err = ip_recv_error(sk, msg, len); - goto out; -@@ -726,6 +723,7 @@ static int raw_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c -index 89909dd..998431c 100644 ---- a/net/ipv4/udp.c -+++ b/net/ipv4/udp.c -@@ -1235,12 +1235,6 @@ int udp_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *msg, - int is_udplite = IS_UDPLITE(sk); - bool slow; - -- /* -- * Check any passed addresses -- */ -- if (addr_len) -- *addr_len = sizeof(*sin); -- - if (flags & MSG_ERRQUEUE) - return ip_recv_error(sk, msg, len); - -@@ -1302,6 +1296,7 @@ try_again: - sin->sin_port = udp_hdr(skb)->source; - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - memset(sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/ipv6/raw.c b/net/ipv6/raw.c -index 3c00842..e24ff1d 100644 ---- a/net/ipv6/raw.c -+++ b/net/ipv6/raw.c -@@ -465,9 +465,6 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- if (addr_len) -- *addr_len=sizeof(*sin6); -- - if (flags & MSG_ERRQUEUE) - return ipv6_recv_error(sk, msg, len); - -@@ -506,6 +503,7 @@ static int rawv6_recvmsg(struct kiocb *iocb, struct sock *sk, - sin6->sin6_flowinfo = 0; - sin6->sin6_scope_id = ipv6_iface_scope_id(&sin6->sin6_addr, - IP6CB(skb)->iif); -+ *addr_len = sizeof(*sin6); - } - - sock_recv_ts_and_drops(msg, sk, skb); -diff --git a/net/ipv6/udp.c b/net/ipv6/udp.c -index f3893e8..81eb8cf 100644 ---- a/net/ipv6/udp.c -+++ b/net/ipv6/udp.c -@@ -392,9 +392,6 @@ int udpv6_recvmsg(struct kiocb *iocb, struct sock *sk, - int is_udp4; - bool slow; - -- if (addr_len) -- *addr_len = sizeof(struct sockaddr_in6); -- - if (flags & MSG_ERRQUEUE) - return ipv6_recv_error(sk, msg, len); - -@@ -480,7 +477,7 @@ try_again: - ipv6_iface_scope_id(&sin6->sin6_addr, - IP6CB(skb)->iif); - } -- -+ *addr_len = sizeof(*sin6); - } - if (is_udp4) { - if (inet->cmsg_flags) -diff --git a/net/l2tp/l2tp_ip.c b/net/l2tp/l2tp_ip.c -index 571db8d..da1a1ce 100644 ---- a/net/l2tp/l2tp_ip.c -+++ b/net/l2tp/l2tp_ip.c -@@ -518,9 +518,6 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - if (flags & MSG_OOB) - goto out; - -- if (addr_len) -- *addr_len = sizeof(*sin); -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) - goto out; -@@ -543,6 +540,7 @@ static int l2tp_ip_recvmsg(struct kiocb *iocb, struct sock *sk, struct msghdr *m - sin->sin_addr.s_addr = ip_hdr(skb)->saddr; - sin->sin_port = 0; - memset(&sin->sin_zero, 0, sizeof(sin->sin_zero)); -+ *addr_len = sizeof(*sin); - } - if (inet->cmsg_flags) - ip_cmsg_recv(msg, skb); -diff --git a/net/phonet/datagram.c b/net/phonet/datagram.c -index 12c30f3..38946b2 100644 ---- a/net/phonet/datagram.c -+++ b/net/phonet/datagram.c -@@ -139,9 +139,6 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - MSG_CMSG_COMPAT)) - goto out_nofree; - -- if (addr_len) -- *addr_len = sizeof(sa); -- - skb = skb_recv_datagram(sk, flags, noblock, &rval); - if (skb == NULL) - goto out_nofree; -@@ -162,8 +159,10 @@ static int pn_recvmsg(struct kiocb *iocb, struct sock *sk, - - rval = (flags & MSG_TRUNC) ? skb->len : copylen; - -- if (msg->msg_name != NULL) -- memcpy(msg->msg_name, &sa, sizeof(struct sockaddr_pn)); -+ if (msg->msg_name != NULL) { -+ memcpy(msg->msg_name, &sa, sizeof(sa)); -+ *addr_len = sizeof(sa); -+ } - - out: - skb_free_datagram(sk, skb); --- -1.8.3.1 - diff --git a/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch b/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch deleted file mode 100644 index 9e88893ae..000000000 --- a/iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch +++ /dev/null @@ -1,47 +0,0 @@ -From 05104a4e8713b27291c7bb49c1e7e68b4e243571 Mon Sep 17 00:00:00 2001 -From: Neil Horman -Date: Fri, 27 Sep 2013 16:53:35 +0000 -Subject: iommu: Remove stack trace from broken irq remapping warning - -The warning for the irq remapping broken check in intel_irq_remapping.c is -pretty pointless. We need the warning, but we know where its comming from, the -stack trace will always be the same, and it needlessly triggers things like -Abrt. This changes the warning to just print a text warning about BIOS being -broken, without the stack trace, then sets the appropriate taint bit. Since we -automatically disable irq remapping, theres no need to contiue making Abrt jump -at this problem - -Signed-off-by: Neil Horman -CC: Joerg Roedel -CC: Bjorn Helgaas -CC: Andy Lutomirski -CC: Konrad Rzeszutek Wilk -CC: Sebastian Andrzej Siewior -Signed-off-by: Joerg Roedel ---- -diff --git a/drivers/iommu/intel_irq_remapping.c b/drivers/iommu/intel_irq_remapping.c -index f71673d..b97d70b 100644 ---- a/drivers/iommu/intel_irq_remapping.c -+++ b/drivers/iommu/intel_irq_remapping.c -@@ -525,12 +525,13 @@ static int __init intel_irq_remapping_supported(void) - if (disable_irq_remap) - return 0; - if (irq_remap_broken) { -- WARN_TAINT(1, TAINT_FIRMWARE_WORKAROUND, -- "This system BIOS has enabled interrupt remapping\n" -- "on a chipset that contains an erratum making that\n" -- "feature unstable. To maintain system stability\n" -- "interrupt remapping is being disabled. Please\n" -- "contact your BIOS vendor for an update\n"); -+ printk(KERN_WARNING -+ "This system BIOS has enabled interrupt remapping\n" -+ "on a chipset that contains an erratum making that\n" -+ "feature unstable. To maintain system stability\n" -+ "interrupt remapping is being disabled. Please\n" -+ "contact your BIOS vendor for an update\n"); -+ add_taint(TAINT_FIRMWARE_WORKAROUND, LOCKDEP_STILL_OK); - disable_irq_remap = 1; - return 0; - } --- -cgit v0.9.2 diff --git a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch b/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch deleted file mode 100644 index 2b030387b..000000000 --- a/ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch +++ /dev/null @@ -1,43 +0,0 @@ -Bugzilla: 1030015 1030017 -Upstream-status: 3.13 - -From aeb45260747b0a1bf4d374d5e65298cc254cb4f5 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Tue, 5 Nov 2013 02:41:27 +0100 -Subject: [PATCH] ipv6: fix headroom calculation in udp6_ufo_fragment - -Commit 1e2bd517c108816220f262d7954b697af03b5f9c ("udp6: Fix udp -fragmentation for tunnel traffic.") changed the calculation if -there is enough space to include a fragment header in the skb from a -skb->mac_header dervived one to skb_headroom. Because we already peeled -off the skb to transport_header this is wrong. Change this back to check -if we have enough room before the mac_header. - -This fixes a panic Saran Neti reported. He used the tbf scheduler which -skb_gso_segments the skb. The offsets get negative and we panic in memcpy -because the skb was erroneously not expanded at the head. - -Reported-by: Saran Neti -Cc: Pravin B Shelar -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller ---- - net/ipv6/udp_offload.c | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/net/ipv6/udp_offload.c b/net/ipv6/udp_offload.c -index 5d1b8d7..657914b 100644 ---- a/net/ipv6/udp_offload.c -+++ b/net/ipv6/udp_offload.c -@@ -86,7 +86,7 @@ static struct sk_buff *udp6_ufo_fragment(struct sk_buff *skb, - - /* Check if there is enough headroom to insert fragment header. */ - tnl_hlen = skb_tnl_header_len(skb); -- if (skb_headroom(skb) < (tnl_hlen + frag_hdr_sz)) { -+ if (skb->mac_header < (tnl_hlen + frag_hdr_sz)) { - if (gso_pskb_expand_head(skb, tnl_hlen + frag_hdr_sz)) - goto out; - } --- -1.8.3.1 - diff --git a/iwl3945-better-skb-management-in-rx-path.patch b/iwl3945-better-skb-management-in-rx-path.patch deleted file mode 100644 index 5d85af7d4..000000000 --- a/iwl3945-better-skb-management-in-rx-path.patch +++ /dev/null @@ -1,97 +0,0 @@ -From: Eric Dumazet - -Steinar reported reallocations of skb->head with IPv6, leading to -a warning in skb_try_coalesce() - -It turns out iwl3945 has several problems : - -1) skb->truesize is underestimated. - We really consume PAGE_SIZE bytes for a fragment, - not the frame length. -2) 128 bytes of initial headroom is a bit low and forces reallocations. -3) We can avoid consuming a full page for small enough frames. - -Reported-by: Steinar H. Gunderson -Signed-off-by: Eric Dumazet -Cc: Paul Stewart ---- -v3: use regular memcpy(skb_put(...),...) -v2: SMALL_PACKET_SIZE define - - drivers/net/wireless/iwlegacy/3945.c | 31 +++++++++++++++---------- - 1 file changed, 19 insertions(+), 12 deletions(-) - -diff --git a/drivers/net/wireless/iwlegacy/3945.c b/drivers/net/wireless/iwlegacy/3945.c -index c092033..f09e257 100644 ---- a/drivers/net/wireless/iwlegacy/3945.c -+++ b/drivers/net/wireless/iwlegacy/3945.c -@@ -475,6 +475,8 @@ il3945_is_network_packet(struct il_priv *il, struct ieee80211_hdr *header) - } - } - -+#define SMALL_PACKET_SIZE 256 -+ - static void - il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, - struct ieee80211_rx_status *stats) -@@ -483,14 +485,13 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, - struct ieee80211_hdr *hdr = (struct ieee80211_hdr *)IL_RX_DATA(pkt); - struct il3945_rx_frame_hdr *rx_hdr = IL_RX_HDR(pkt); - struct il3945_rx_frame_end *rx_end = IL_RX_END(pkt); -- u16 len = le16_to_cpu(rx_hdr->len); -+ u32 len = le16_to_cpu(rx_hdr->len); - struct sk_buff *skb; - __le16 fc = hdr->frame_control; -+ u32 fraglen = PAGE_SIZE << il->hw_params.rx_page_order; - - /* We received data from the HW, so stop the watchdog */ -- if (unlikely -- (len + IL39_RX_FRAME_SIZE > -- PAGE_SIZE << il->hw_params.rx_page_order)) { -+ if (unlikely(len + IL39_RX_FRAME_SIZE > fraglen)) { - D_DROP("Corruption detected!\n"); - return; - } -@@ -506,26 +507,32 @@ il3945_pass_packet_to_mac80211(struct il_priv *il, struct il_rx_buf *rxb, - D_INFO("Woke queues - frame received on passive channel\n"); - } - -- skb = dev_alloc_skb(128); -+ skb = dev_alloc_skb(SMALL_PACKET_SIZE); - if (!skb) { - IL_ERR("dev_alloc_skb failed\n"); - return; - } - - if (!il3945_mod_params.sw_crypto) -- il_set_decrypted_flag(il, (struct ieee80211_hdr *)rxb_addr(rxb), -+ il_set_decrypted_flag(il, (struct ieee80211_hdr *)pkt, - le32_to_cpu(rx_end->status), stats); - -- skb_add_rx_frag(skb, 0, rxb->page, -- (void *)rx_hdr->payload - (void *)pkt, len, -- len); -- -+ /* If frame is small enough to fit into skb->head, copy it -+ * and do not consume a full page -+ */ -+ if (len <= SMALL_PACKET_SIZE) { -+ memcpy(skb_put(skb, len), rx_hdr->payload, len); -+ } else { -+ skb_add_rx_frag(skb, 0, rxb->page, -+ (void *)rx_hdr->payload - (void *)pkt, len, -+ fraglen); -+ il->alloc_rxb_page--; -+ rxb->page = NULL; -+ } - il_update_stats(il, false, fc, len); - memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats)); - - ieee80211_rx(il->hw, skb); -- il->alloc_rxb_page--; -- rxb->page = NULL; - } - - #define IL_DELAY_NEXT_SCAN_AFTER_ASSOC (HZ*6) - - diff --git a/iwl4965-better-skb-management-in-rx-path.patch b/iwl4965-better-skb-management-in-rx-path.patch deleted file mode 100644 index 904ff04f6..000000000 --- a/iwl4965-better-skb-management-in-rx-path.patch +++ /dev/null @@ -1,65 +0,0 @@ -4965 version of Eric patch "iwl3945: better skb management in rx path". -It fixes several problems : - -1) skb->truesize is underestimated. - We really consume PAGE_SIZE bytes for a fragment, - not the frame length. -2) 128 bytes of initial headroom is a bit low and forces reallocations. -3) We can avoid consuming a full page for small enough frames. - -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/iwlegacy/4965-mac.c | 18 ++++++++++++------ - 1 file changed, 12 insertions(+), 6 deletions(-) - -diff --git a/drivers/net/wireless/iwlegacy/4965-mac.c b/drivers/net/wireless/iwlegacy/4965-mac.c -index d287fd2..4e5d408 100644 ---- a/drivers/net/wireless/iwlegacy/4965-mac.c -+++ b/drivers/net/wireless/iwlegacy/4965-mac.c -@@ -574,9 +574,11 @@ il4965_translate_rx_status(struct il_priv *il, u32 decrypt_in) - return decrypt_out; - } - -+#define SMALL_PACKET_SIZE 256 -+ - static void - il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr, -- u16 len, u32 ampdu_status, struct il_rx_buf *rxb, -+ u32 len, u32 ampdu_status, struct il_rx_buf *rxb, - struct ieee80211_rx_status *stats) - { - struct sk_buff *skb; -@@ -598,21 +600,25 @@ il4965_pass_packet_to_mac80211(struct il_priv *il, struct ieee80211_hdr *hdr, - il_set_decrypted_flag(il, hdr, ampdu_status, stats)) - return; - -- skb = dev_alloc_skb(128); -+ skb = dev_alloc_skb(SMALL_PACKET_SIZE); - if (!skb) { - IL_ERR("dev_alloc_skb failed\n"); - return; - } - -- skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb), len, -- len); -+ if (len <= SMALL_PACKET_SIZE) { -+ memcpy(skb_put(skb, len), hdr, len); -+ } else { -+ skb_add_rx_frag(skb, 0, rxb->page, (void *)hdr - rxb_addr(rxb), -+ len, PAGE_SIZE << il->hw_params.rx_page_order); -+ il->alloc_rxb_page--; -+ rxb->page = NULL; -+ } - - il_update_stats(il, false, fc, len); - memcpy(IEEE80211_SKB_RXCB(skb), stats, sizeof(*stats)); - - ieee80211_rx(il->hw, skb); -- il->alloc_rxb_page--; -- rxb->page = NULL; - } - - /* Called for N_RX (legacy ABG frames), or --- -1.7.11.7 - diff --git a/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch b/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch deleted file mode 100644 index ce5f00b0b..000000000 --- a/iwlwifi-dvm-dont-override-mac80211-queue-setting.patch +++ /dev/null @@ -1,98 +0,0 @@ -From f6b129527ca15bae29ffb9417ddaa1c9d99ffc5d Mon Sep 17 00:00:00 2001 -From: Emmanuel Grumbach -Date: Tue, 15 Oct 2013 19:04:54 +0000 -Subject: iwlwifi: dvm: don't override mac80211's queue setting - -Since we set IEEE80211_HW_QUEUE_CONTROL, we can let -mac80211 do the queue assignement and don't need to -override its decisions. -While reassiging the same values is harmless of course, -it triggered a WARNING when iwlwifi and mac80211 came -to different conclusions. This happened when mac80211 set -IEEE80211_TX_CTL_SEND_AFTER_DTIM, but didn't route the -packet to the cab_queue because no stations were asleep. - -iwlwifi should not override mac80211's decicions for -offchannel packets and packets to be sent after DTIM, -but it should override mac80211's decision for AMPDUs -since we have a special queue for them. So for AMPDU, -we still override info->hw_queue by the AMPDU queue. - -This avoids: -------------[ cut here ]------------ -WARNING: CPU: 0 PID: 2531 at drivers/net/wireless/iwlwifi/dvm/tx.c:456 iwlagn_tx_skb+0x6c5/0x883() -Modules linked in: -CPU: 0 PID: 2531 Comm: hostapd Not tainted 3.12.0-rc5+ #1 -Hardware name: /D53427RKE, BIOS RKPPT10H.86A.0017.2013.0425.1251 04/25/2013 - 0000000000000000 0000000000000009 ffffffff8189aa62 0000000000000000 - ffffffff8105a4f2 ffff880058339a48 ffffffff815f8a04 0000000000000000 - ffff8800560097b0 0000000000000208 0000000000000000 ffff8800561a9e5e -Call Trace: - [] ? dump_stack+0x41/0x51 - [] ? warn_slowpath_common+0x78/0x90 - [] ? iwlagn_tx_skb+0x6c5/0x883 - [] ? iwlagn_tx_skb+0x6c5/0x883 - [] ? put_cred+0x15/0x15 - [] ? iwlagn_mac_tx+0x19/0x2f - [] ? __ieee80211_tx+0x226/0x29b - [] ? ieee80211_tx+0xa6/0xb5 - [] ? ieee80211_monitor_start_xmit+0x1e9/0x204 - [] ? dev_hard_start_xmit+0x271/0x3ec - [] ? sch_direct_xmit+0x66/0x164 - [] ? dev_queue_xmit+0x1e5/0x3c8 - [] ? packet_sendmsg+0xac5/0xb3d - [] ? sock_sendmsg+0x37/0x52 - [] ? __do_fault+0x338/0x36b - [] ? verify_iovec+0x44/0x94 - [] ? ___sys_sendmsg+0x1f1/0x283 - [] ? __inode_wait_for_writeback+0x67/0xae - [] ? __cache_free.isra.46+0x178/0x187 - [] ? kmem_cache_free+0x44/0x84 - [] ? dentry_kill+0x13d/0x149 - [] ? dput+0xe5/0xef - [] ? fget_light+0x2e/0x7c - [] ? __sys_sendmsg+0x39/0x57 - [] ? system_call_fastpath+0x16/0x1b ----[ end trace 1b3eb79359c1d1e6 ]--- - -Reported-by: Sander Eikelenboom -Reviewed-by: Johannes Berg -Signed-off-by: Johannes Berg ---- -diff --git a/drivers/net/wireless/iwlwifi/dvm/tx.c b/drivers/net/wireless/iwlwifi/dvm/tx.c -index da442b8..1fef524 100644 ---- a/drivers/net/wireless/iwlwifi/dvm/tx.c -+++ b/drivers/net/wireless/iwlwifi/dvm/tx.c -@@ -433,27 +433,19 @@ int iwlagn_tx_skb(struct iwl_priv *priv, - /* Copy MAC header from skb into command buffer */ - memcpy(tx_cmd->hdr, hdr, hdr_len); - -+ txq_id = info->hw_queue; -+ - if (is_agg) - txq_id = priv->tid_data[sta_id][tid].agg.txq_id; - else if (info->flags & IEEE80211_TX_CTL_SEND_AFTER_DTIM) { - /* -- * Send this frame after DTIM -- there's a special queue -- * reserved for this for contexts that support AP mode. -- */ -- txq_id = ctx->mcast_queue; -- -- /* - * The microcode will clear the more data - * bit in the last frame it transmits. - */ - hdr->frame_control |= - cpu_to_le16(IEEE80211_FCTL_MOREDATA); -- } else if (info->flags & IEEE80211_TX_CTL_TX_OFFCHAN) -- txq_id = IWL_AUX_QUEUE; -- else -- txq_id = ctx->ac_to_queue[skb_get_queue_mapping(skb)]; -+ } - -- WARN_ON_ONCE(!is_agg && txq_id != info->hw_queue); - WARN_ON_ONCE(is_agg && - priv->queue_to_mac80211[txq_id] != info->hw_queue); - --- -cgit v0.9.2 diff --git a/kernel.spec b/kernel.spec index 79f7b92d8..2d22a947a 100644 --- a/kernel.spec +++ b/kernel.spec @@ -68,13 +68,13 @@ Summary: The Linux kernel # base_sublevel is the kernel version we're starting with and patching # on top of -- for example, 3.1-rc7-git1 starts with a 3.0 base, # which yields a base_sublevel of 0. -%define base_sublevel 11 +%define base_sublevel 12 ## If this is a released kernel ## %if 0%{?released_kernel} # Do we have a -stable update to apply? -%define stable_update 10 +%define stable_update 5 # Is it a -stable RC? %define stable_rc 0 # Set rpm version accordingly @@ -631,10 +631,6 @@ Patch09: upstream-reverts.patch # Standalone patches -Patch100: taint-vbox.patch - -Patch110: vmbugon-warnon.patch - Patch390: defaults-acpi-video.patch Patch450: input-kill-stupid-messages.patch @@ -647,32 +643,28 @@ Patch470: die-floppy-die.patch Patch510: silence-noise.patch Patch530: silence-fbcon-logo.patch +Patch600: x86-allow-1024-cpus.patch + Patch800: crash-driver.patch # crypto/ +# keys + # secure boot Patch1000: devel-pekey-secure-boot-20130502.patch # virt + ksm patches # DRM -#atch1700: drm-edid-try-harder-to-fix-up-broken-headers.patch -#Patch1800: drm-vgem.patch + # nouveau + drm fixes # intel drm is all merged upstream -Patch1824: drm-intel-next.patch -# radeon drm fix # Quiet boot fixes # silence the ACPI blacklist code Patch2802: silence-acpi-blacklist.patch -# media patches -Patch2899: v4l-dvb-fixes.patch -Patch2900: v4l-dvb-update.patch -Patch2901: v4l-dvb-experimental.patch - # fs fixes # NFSv4 @@ -688,17 +680,31 @@ Patch14010: lis3-improve-handling-of-null-rate.patch Patch15000: nowatchdog-on-virt.patch +# ARM64 + # ARM -Patch21000: arm-export-read_current_timer.patch # lpae Patch21001: arm-lpae-ax88796.patch +Patch21004: arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch # ARM omap -Patch21003: arm-omap-load-tfp410.patch +Patch21010: arm-omap-load-tfp410.patch # ARM tegra -Patch21005: arm-tegra-usb-no-reset-linux33.patch +Patch21020: arm-tegra-usb-no-reset-linux33.patch + +# ARM i.MX6 +# http://www.spinics.net/lists/devicetree/msg08276.html +Patch21025: arm-imx6-utilite.patch + +# am33xx (BeagleBone) +# https://github.com/beagleboard/kernel +# Pulled primarily from the above git repo. First patch is all in arm-soc +# scheduled for 3.13. The others should be landing via other trees +Patch21030: arm-am33xx-arm-soc-upstream.patch +Patch21031: arm-am33xx-bblack.patch +Patch21032: arm-am33xx-cpsw.patch #rhbz 754518 Patch21235: scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch @@ -710,44 +716,10 @@ Patch21242: criu-no-expert.patch Patch21247: ath9k_rx_dma_stop_check.patch Patch22000: weird-root-dentry-name-debug.patch -Patch22010: debug-idle-sched-warn-once.patch - -#rhbz 927469 -Patch23006: fix-child-thread-introspection.patch Patch25047: drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 977040 -Patch25056: iwl3945-better-skb-management-in-rx-path.patch -Patch25057: iwl4965-better-skb-management-in-rx-path.patch - -#rhbz 963715 -Patch25077: media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch - -#rhbz 985522 -Patch25107: ntp-Make-periodic-RTC-update-more-reliable.patch - -#rhbz 971893 -Patch25109: bonding-driver-alb-learning.patch - -#rhbz 902012 -Patch25114: elevator-Fix-a-race-in-elevator-switching-and-md.patch -Patch25115: elevator-acquire-q-sysfs_lock-in-elevator_change.patch - -#rhbz 974072 -Patch25117: rt2800-add-support-for-rf3070.patch - -#rhbz 1015989 -Patch25122: netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch - -#rhbz 982153 -Patch25123: iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch - -#rhbz 998732 -Patch25125: vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch - #rhbz 896695 -Patch25126: 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch Patch25127: 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 @@ -756,43 +728,11 @@ Patch25128: dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 Patch25129: cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#rhbz 1010679 -Patch25130: fix-radeon-sound.patch -Patch25149: drm-radeon-24hz-audio-fixes.patch - -#rhbz 984696 -Patch25132: rt2800usb-slow-down-TX-status-polling.patch - -#rhbz 1023413 -Patch25135: alps-Support-for-Dell-XT2-model.patch - -#rhbz 1011621 -Patch25137: cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch - -#rhbz 1025769 -Patch25142: iwlwifi-dvm-dont-override-mac80211-queue-setting.patch - -Patch25143: drm-qxl-backport-fixes-for-Fedora.patch -Patch25160: drm-qxl-fix-memory-leak-in-release-list-handling.patch - -Patch25144: Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch - -#CVE-2013-4563 rhbz 1030015 1030017 -Patch25145: ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch - -#rhbz 1015905 -Patch25146: 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch -Patch25147: 0002-netfilter-push-reasm-skb-through-instead-of-original.patch +Patch25140: drm-qxl-backport-fixes-for-Fedora.patch #rhbz 1011362 Patch25148: alx-Reset-phy-speed-after-resume.patch -#rhbz 1031086 -Patch25150: slab_common-Do-not-check-for-duplicate-slab-names.patch - -#rhbz 967652 -Patch25151: KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch - # Fix 15sec NFS mount delay Patch25152: sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch Patch25153: sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -801,22 +741,9 @@ Patch25154: nfs-check-gssd-running-before-krb5i-auth.patch #CVE-2013-6382 rhbz 1033603 1034670 Patch25157: xfs-underflow-bug-in-xfs_attrlist_by_handle.patch -#rhbz 1022733 -Patch25158: via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch - -#rhbz 998342 -Patch25159: usbnet-fix-status-interrupt-urb-handling.patch - -#CVE-2013-6405 rhbz 1035875 1035887 -Patch25161: inet-prevent-leakage-of-uninitialized-memory-to-user.patch -Patch25162: inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch - #rhbz 958826 Patch25164: dell-laptop.patch -#CVE-2013-XXXX rhbz 1039845 1039874 -Patch25165: net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch - #rhbz 1030802 Patch25170: Input-elantech-add-support-for-newer-August-2013-dev.patch Patch25171: elantech-Properly-differentiate-between-clickpads-an.patch @@ -836,6 +763,9 @@ Patch25175: KVM-Improve-create-VCPU-parameter.patch #rhbz 1025770 Patch25176: br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch +#rhbz 1024002 +Patch25177: libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch + # END OF PATCH DEFINITIONS %endif @@ -1372,20 +1302,24 @@ ApplyOptionalPatch compile-fixes.patch # revert patches from upstream that conflict or that we get via other means ApplyOptionalPatch upstream-reverts.patch -R -ApplyPatch taint-vbox.patch - -ApplyPatch vmbugon-warnon.patch - # Architecture patches # x86(-64) +ApplyPatch x86-allow-1024-cpus.patch + +# ARM64 # # ARM # -ApplyPatch arm-export-read_current_timer.patch ApplyPatch arm-lpae-ax88796.patch +ApplyPatch arm-sound-soc-samsung-dma-avoid-another-64bit-division.patch ApplyPatch arm-omap-load-tfp410.patch ApplyPatch arm-tegra-usb-no-reset-linux33.patch +ApplyPatch arm-imx6-utilite.patch + +ApplyPatch arm-am33xx-arm-soc-upstream.patch +ApplyPatch arm-am33xx-bblack.patch +ApplyPatch arm-am33xx-cpsw.patch # # bugfixes to drivers and filesystems @@ -1454,23 +1388,16 @@ ApplyPatch devel-pekey-secure-boot-20130502.patch # Assorted Virt Fixes # DRM core -#ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch -#ApplyPatch drm-vgem.patch # Nouveau DRM # Intel DRM -ApplyOptionalPatch drm-intel-next.patch + +# Radeon DRM # silence the ACPI blacklist code ApplyPatch silence-acpi-blacklist.patch -# V4L/DVB updates/fixes/experimental drivers -# apply if non-empty -ApplyOptionalPatch v4l-dvb-fixes.patch -ApplyOptionalPatch v4l-dvb-update.patch -ApplyOptionalPatch v4l-dvb-experimental.patch - # Patches headed upstream ApplyPatch fs-proc-devtree-remove_proc_entry.patch @@ -1487,8 +1414,7 @@ ApplyPatch nowatchdog-on-virt.patch #rhbz 754518 ApplyPatch scsi-sd_revalidate_disk-prevent-NULL-ptr-deref.patch -ApplyPatch weird-root-dentry-name-debug.patch -ApplyPatch debug-idle-sched-warn-once.patch +#pplyPatch weird-root-dentry-name-debug.patch # https://fedoraproject.org/wiki/Features/Checkpoint_Restore ApplyPatch criu-no-expert.patch @@ -1496,42 +1422,9 @@ ApplyPatch criu-no-expert.patch #rhbz 892811 ApplyPatch ath9k_rx_dma_stop_check.patch -#rhbz 927469 -ApplyPatch fix-child-thread-introspection.patch - ApplyPatch drm-radeon-Disable-writeback-by-default-on-ppc.patch -#rhbz 977040 -ApplyPatch iwl3945-better-skb-management-in-rx-path.patch -ApplyPatch iwl4965-better-skb-management-in-rx-path.patch - -#rhbz 963715 -ApplyPatch media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch - -#rhbz 985522 -ApplyPatch ntp-Make-periodic-RTC-update-more-reliable.patch - -#rhbz 971893 -ApplyPatch bonding-driver-alb-learning.patch - -#rhbz 902012 -ApplyPatch elevator-Fix-a-race-in-elevator-switching-and-md.patch -ApplyPatch elevator-acquire-q-sysfs_lock-in-elevator_change.patch - -#rhbz 974072 -ApplyPatch rt2800-add-support-for-rf3070.patch - -#rhbz 1015989 -ApplyPatch netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch - -#rhbz 982153 -ApplyPatch iommu-Remove-stack-trace-from-broken-irq-remapping-warning.patch - -#rhbz 998732 -ApplyPatch vfio-iommu-Fixed-interaction-of-VFIO_IOMMU_MAP_DMA.patch - #rhbz 896695 -ApplyPatch 0001-iwlwifi-don-t-WARN-on-host-commands-sent-when-firmwa.patch ApplyPatch 0002-iwlwifi-don-t-WARN-on-bad-firmware-state.patch #rhbz 993744 @@ -1540,43 +1433,11 @@ ApplyPatch dm-cache-policy-mq_fix-large-scale-table-allocation-bug.patch #rhbz 1000439 ApplyPatch cpupower-Fix-segfault-due-to-incorrect-getopt_long-a.patch -#rhbz 1010679 -ApplyPatch fix-radeon-sound.patch -ApplyPatch drm-radeon-24hz-audio-fixes.patch - -#rhbz 984696 -ApplyPatch rt2800usb-slow-down-TX-status-polling.patch - -#rhbz 1023413 -ApplyPatch alps-Support-for-Dell-XT2-model.patch - -#rhbz 1011621 -ApplyPatch cifs-Allow-LANMAN-auth-for-unencapsulated-auth-methods.patch - -#rhbz 1025769 -ApplyPatch iwlwifi-dvm-dont-override-mac80211-queue-setting.patch - ApplyPatch drm-qxl-backport-fixes-for-Fedora.patch -ApplyPatch drm-qxl-fix-memory-leak-in-release-list-handling.patch - -ApplyPatch Input-evdev-fall-back-to-vmalloc-for-client-event-buffer.patch - -#CVE-2013-4563 rhbz 1030015 1030017 -ApplyPatch ipv6-fix-headroom-calculation-in-udp6_ufo_fragment.patch - -#rhbz 1015905 -ApplyPatch 0001-ip6_output-fragment-outgoing-reassembled-skb-properl.patch -ApplyPatch 0002-netfilter-push-reasm-skb-through-instead-of-original.patch #rhbz 1011362 ApplyPatch alx-Reset-phy-speed-after-resume.patch -#rhbz 1031086 -ApplyPatch slab_common-Do-not-check-for-duplicate-slab-names.patch - -#rhbz 967652 -ApplyPatch KVM-x86-fix-emulation-of-movzbl-bpl-eax.patch - # Fix 15sec NFS mount delay ApplyPatch sunrpc-create-a-new-dummy-pipe-for-gssd-to-hold-open.patch ApplyPatch sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -1585,22 +1446,9 @@ ApplyPatch nfs-check-gssd-running-before-krb5i-auth.patch #CVE-2013-6382 rhbz 1033603 1034670 ApplyPatch xfs-underflow-bug-in-xfs_attrlist_by_handle.patch -#rhbz 1022733 -ApplyPatch via-velocity-fix-netif_receive_skb-use-in-irq-disable.patch - -#rhbz 998342 -ApplyPatch usbnet-fix-status-interrupt-urb-handling.patch - -#CVE-2013-6405 rhbz 1035875 1035887 -ApplyPatch inet-prevent-leakage-of-uninitialized-memory-to-user.patch -ApplyPatch inet-fix-addr_len-msg_namelen-assignment-in-recv_error-and-rxpmtu-functions.patch - #rhbz 958826 ApplyPatch dell-laptop.patch -#CVE-2013-XXXX rhbz 1039845 1039874 -ApplyPatch net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch - #rhbz 1030802 ApplyPatch Input-elantech-add-support-for-newer-August-2013-dev.patch ApplyPatch elantech-Properly-differentiate-between-clickpads-an.patch @@ -1620,6 +1468,9 @@ ApplyPatch KVM-Improve-create-VCPU-parameter.patch #rhbz 1025770 ApplyPatch br-fix-use-of-rx_handler_data-in-code-executed-on-no.patch +#rhbz 1024002 +ApplyPatch libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch + # END OF PATCH APPLICATIONS %endif @@ -2432,6 +2283,9 @@ fi # and build. %changelog +* Tue Dec 17 2013 Justin M. Forbes - Fix host lockup in bridge code when starting from virt guest (rhbz 1025770) diff --git a/libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch b/libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch new file mode 100644 index 000000000..6d2c50495 --- /dev/null +++ b/libata-implement-ATA_HORKAGE_NO_NCQ_TRIM-and-apply-it-to-Micro-M500-SSDs.patch @@ -0,0 +1,71 @@ +Bugzilla: 1024002 +Upstream-status: Should hit 3.13 and CC'd to 3.12 stable + +From f78dea064c5f7de07de4912a6e5136dbc443d614 Mon Sep 17 00:00:00 2001 +From: Marc Carino +Date: Tue, 17 Dec 2013 02:15:53 +0000 +Subject: libata: implement ATA_HORKAGE_NO_NCQ_TRIM and apply it to Micro M500 SSDs + +Certain drives cannot handle queued TRIM commands properly, even +though support is indicated in the IDENTIFY DEVICE buffer. This patch +allows for disabling the commands for the affected drives and apply it +to the Micron/Crucial M500 SSDs which exhibit incorrect protocol +behavior when issued queued TRIM commands, which could lead to silent +data corruption. + +tj: Merged two unnecessarily split patches and made minor edits + including shortening horkage name. + +Signed-off-by: Marc Carino +Signed-off-by: Tejun Heo +Link: http://lkml.kernel.org/g/1387246554-7311-1-git-send-email-marc.ceeeee@gmail.com +Cc: stable@vger.kernel.org # 3.12+ +--- +diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c +index ff01584..1393a58 100644 +--- a/drivers/ata/libata-core.c ++++ b/drivers/ata/libata-core.c +@@ -2149,9 +2149,16 @@ static int ata_dev_config_ncq(struct ata_device *dev, + "failed to get NCQ Send/Recv Log Emask 0x%x\n", + err_mask); + } else { ++ u8 *cmds = dev->ncq_send_recv_cmds; ++ + dev->flags |= ATA_DFLAG_NCQ_SEND_RECV; +- memcpy(dev->ncq_send_recv_cmds, ap->sector_buf, +- ATA_LOG_NCQ_SEND_RECV_SIZE); ++ memcpy(cmds, ap->sector_buf, ATA_LOG_NCQ_SEND_RECV_SIZE); ++ ++ if (dev->horkage & ATA_HORKAGE_NO_NCQ_TRIM) { ++ ata_dev_dbg(dev, "disabling queued TRIM support\n"); ++ cmds[ATA_LOG_NCQ_SEND_RECV_DSM_OFFSET] &= ++ ~ATA_LOG_NCQ_SEND_RECV_DSM_TRIM; ++ } + } + } + +@@ -4205,6 +4212,10 @@ static const struct ata_blacklist_entry ata_device_blacklist [] = { + { "PIONEER DVD-RW DVR-212D", NULL, ATA_HORKAGE_NOSETXFER }, + { "PIONEER DVD-RW DVR-216D", NULL, ATA_HORKAGE_NOSETXFER }, + ++ /* devices that don't properly handle queued TRIM commands */ ++ { "Micron_M500*", NULL, ATA_HORKAGE_NO_NCQ_TRIM, }, ++ { "Crucial_CT???M500SSD1", NULL, ATA_HORKAGE_NO_NCQ_TRIM, }, ++ + /* End Marker */ + { } + }; +diff --git a/include/linux/libata.h b/include/linux/libata.h +index 0e23c26..9b50337 100644 +--- a/include/linux/libata.h ++++ b/include/linux/libata.h +@@ -418,6 +418,7 @@ enum { + ATA_HORKAGE_DUMP_ID = (1 << 16), /* dump IDENTIFY data */ + ATA_HORKAGE_MAX_SEC_LBA48 = (1 << 17), /* Set max sects to 65535 */ + ATA_HORKAGE_ATAPI_DMADIR = (1 << 18), /* device requires dmadir */ ++ ATA_HORKAGE_NO_NCQ_TRIM = (1 << 19), /* don't use queued TRIM */ + + /* DMA mask for user DMA control: User visible values; DO NOT + renumber */ +-- +cgit v0.9.2 diff --git a/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch b/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch deleted file mode 100644 index 2a28a2fe1..000000000 --- a/media-cx23885-Fix-TeVii-S471-regression-since-introduction-of-ts2020.patch +++ /dev/null @@ -1,30 +0,0 @@ -From b43ea8068d2090cb1e44632c8a938ab40d2c7419 Mon Sep 17 00:00:00 2001 -From: Johannes Koch -Date: Wed, 17 Jul 2013 17:28:16 +0000 -Subject: [media] cx23885: Fix TeVii S471 regression since introduction of ts2020 - -Patch to make TeVii S471 cards use the ts2020 tuner, since ds3000 driver no -longer contains tuning code. - -Signed-off-by: Johannes Koch -Signed-off-by: Mauro Carvalho Chehab ---- -(limited to 'drivers/media/pci/cx23885/cx23885-dvb.c') - -diff --git a/drivers/media/pci/cx23885/cx23885-dvb.c b/drivers/media/pci/cx23885/cx23885-dvb.c -index 9c5ed10..bb291c6 100644 ---- a/drivers/media/pci/cx23885/cx23885-dvb.c -+++ b/drivers/media/pci/cx23885/cx23885-dvb.c -@@ -1249,6 +1249,10 @@ static int dvb_register(struct cx23885_tsport *port) - fe0->dvb.frontend = dvb_attach(ds3000_attach, - &tevii_ds3000_config, - &i2c_bus->i2c_adap); -+ if (fe0->dvb.frontend != NULL) { -+ dvb_attach(ts2020_attach, fe0->dvb.frontend, -+ &tevii_ts2020_config, &i2c_bus->i2c_adap); -+ } - break; - case CX23885_BOARD_PROF_8000: - i2c_bus = &dev->i2c_bus[0]; --- -cgit v0.9.2 diff --git a/modsign-uefi.patch b/modsign-uefi.patch new file mode 100644 index 000000000..17009c196 --- /dev/null +++ b/modsign-uefi.patch @@ -0,0 +1,621 @@ +From 0a5e59dd7a921f20d77b13aa4e01392086ddbd12 Mon Sep 17 00:00:00 2001 +From: Dave Howells +Date: Tue, 23 Oct 2012 09:30:54 -0400 +Subject: [PATCH 1/5] Add EFI signature data types + +Add the data types that are used for containing hashes, keys and certificates +for cryptographic verification. + +Signed-off-by: David Howells +--- + include/linux/efi.h | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index eed2202..1da1b3c 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -389,6 +389,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si + #define EFI_FILE_SYSTEM_GUID \ + EFI_GUID( 0x964e5b22, 0x6459, 0x11d2, 0x8e, 0x39, 0x00, 0xa0, 0xc9, 0x69, 0x72, 0x3b ) + ++#define EFI_CERT_SHA256_GUID \ ++ EFI_GUID( 0xc1c41626, 0x504c, 0x4092, 0xac, 0xa9, 0x41, 0xf9, 0x36, 0x93, 0x43, 0x28 ) ++ ++#define EFI_CERT_X509_GUID \ ++ EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) ++ + typedef struct { + efi_guid_t guid; + u64 table; +@@ -524,6 +530,20 @@ typedef struct { + + #define EFI_INVALID_TABLE_ADDR (~0UL) + ++typedef struct { ++ efi_guid_t signature_owner; ++ u8 signature_data[]; ++} efi_signature_data_t; ++ ++typedef struct { ++ efi_guid_t signature_type; ++ u32 signature_list_size; ++ u32 signature_header_size; ++ u32 signature_size; ++ u8 signature_header[]; ++ /* efi_signature_data_t signatures[][] */ ++} efi_signature_list_t; ++ + /* + * All runtime access to EFI goes through this structure: + */ +-- +1.8.3.1 + + +From 8b75428a7e1813cd3bc225a959e63d67898e4808 Mon Sep 17 00:00:00 2001 +From: Dave Howells +Date: Tue, 23 Oct 2012 09:36:28 -0400 +Subject: [PATCH 2/5] Add an EFI signature blob parser and key loader. + +X.509 certificates are loaded into the specified keyring as asymmetric type +keys. + +Signed-off-by: David Howells +--- + crypto/asymmetric_keys/Kconfig | 8 +++ + crypto/asymmetric_keys/Makefile | 1 + + crypto/asymmetric_keys/efi_parser.c | 109 ++++++++++++++++++++++++++++++++++++ + include/linux/efi.h | 4 ++ + 4 files changed, 122 insertions(+) + create mode 100644 crypto/asymmetric_keys/efi_parser.c + +diff --git a/crypto/asymmetric_keys/Kconfig b/crypto/asymmetric_keys/Kconfig +index 6d2c2ea..ace9c30 100644 +--- a/crypto/asymmetric_keys/Kconfig ++++ b/crypto/asymmetric_keys/Kconfig +@@ -35,4 +35,12 @@ config X509_CERTIFICATE_PARSER + data and provides the ability to instantiate a crypto key from a + public key packet found inside the certificate. + ++config EFI_SIGNATURE_LIST_PARSER ++ bool "EFI signature list parser" ++ depends on EFI ++ select X509_CERTIFICATE_PARSER ++ help ++ This option provides support for parsing EFI signature lists for ++ X.509 certificates and turning them into keys. ++ + endif # ASYMMETRIC_KEY_TYPE +diff --git a/crypto/asymmetric_keys/Makefile b/crypto/asymmetric_keys/Makefile +index 0727204..cd8388e 100644 +--- a/crypto/asymmetric_keys/Makefile ++++ b/crypto/asymmetric_keys/Makefile +@@ -8,6 +8,7 @@ asymmetric_keys-y := asymmetric_type.o signature.o + + obj-$(CONFIG_ASYMMETRIC_PUBLIC_KEY_SUBTYPE) += public_key.o + obj-$(CONFIG_PUBLIC_KEY_ALGO_RSA) += rsa.o ++obj-$(CONFIG_EFI_SIGNATURE_LIST_PARSER) += efi_parser.o + + # + # X.509 Certificate handling +diff --git a/crypto/asymmetric_keys/efi_parser.c b/crypto/asymmetric_keys/efi_parser.c +new file mode 100644 +index 0000000..424896a +--- /dev/null ++++ b/crypto/asymmetric_keys/efi_parser.c +@@ -0,0 +1,109 @@ ++/* EFI signature/key/certificate list parser ++ * ++ * Copyright (C) 2012 Red Hat, Inc. All Rights Reserved. ++ * Written by David Howells (dhowells@redhat.com) ++ * ++ * This program is free software; you can redistribute it and/or ++ * modify it under the terms of the GNU General Public Licence ++ * as published by the Free Software Foundation; either version ++ * 2 of the Licence, or (at your option) any later version. ++ */ ++ ++#define pr_fmt(fmt) "EFI: "fmt ++#include ++#include ++#include ++#include ++#include ++ ++static __initdata efi_guid_t efi_cert_x509_guid = EFI_CERT_X509_GUID; ++ ++/** ++ * parse_efi_signature_list - Parse an EFI signature list for certificates ++ * @data: The data blob to parse ++ * @size: The size of the data blob ++ * @keyring: The keyring to add extracted keys to ++ */ ++int __init parse_efi_signature_list(const void *data, size_t size, struct key *keyring) ++{ ++ unsigned offs = 0; ++ size_t lsize, esize, hsize, elsize; ++ ++ pr_devel("-->%s(,%zu)\n", __func__, size); ++ ++ while (size > 0) { ++ efi_signature_list_t list; ++ const efi_signature_data_t *elem; ++ key_ref_t key; ++ ++ if (size < sizeof(list)) ++ return -EBADMSG; ++ ++ memcpy(&list, data, sizeof(list)); ++ pr_devel("LIST[%04x] guid=%pUl ls=%x hs=%x ss=%x\n", ++ offs, ++ list.signature_type.b, list.signature_list_size, ++ list.signature_header_size, list.signature_size); ++ ++ lsize = list.signature_list_size; ++ hsize = list.signature_header_size; ++ esize = list.signature_size; ++ elsize = lsize - sizeof(list) - hsize; ++ ++ if (lsize > size) { ++ pr_devel("<--%s() = -EBADMSG [overrun @%x]\n", ++ __func__, offs); ++ return -EBADMSG; ++ } ++ if (lsize < sizeof(list) || ++ lsize - sizeof(list) < hsize || ++ esize < sizeof(*elem) || ++ elsize < esize || ++ elsize % esize != 0) { ++ pr_devel("- bad size combo @%x\n", offs); ++ return -EBADMSG; ++ } ++ ++ if (efi_guidcmp(list.signature_type, efi_cert_x509_guid) != 0) { ++ data += lsize; ++ size -= lsize; ++ offs += lsize; ++ continue; ++ } ++ ++ data += sizeof(list) + hsize; ++ size -= sizeof(list) + hsize; ++ offs += sizeof(list) + hsize; ++ ++ for (; elsize > 0; elsize -= esize) { ++ elem = data; ++ ++ pr_devel("ELEM[%04x]\n", offs); ++ ++ key = key_create_or_update( ++ make_key_ref(keyring, 1), ++ "asymmetric", ++ NULL, ++ &elem->signature_data, ++ esize - sizeof(*elem), ++ (KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW, ++ KEY_ALLOC_NOT_IN_QUOTA | ++ KEY_ALLOC_TRUSTED); ++ ++ if (IS_ERR(key)) ++ pr_err("Problem loading in-kernel X.509 certificate (%ld)\n", ++ PTR_ERR(key)); ++ else ++ pr_notice("Loaded cert '%s' linked to '%s'\n", ++ key_ref_to_ptr(key)->description, ++ keyring->description); ++ ++ data += esize; ++ size -= esize; ++ offs += esize; ++ } ++ } ++ ++ return 0; ++} +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 1da1b3c..42a1d25 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -619,6 +619,10 @@ extern int efi_set_rtc_mmss(const struct timespec *now); + extern void efi_reserve_boot_services(void); + extern struct efi_memory_map memmap; + ++struct key; ++extern int __init parse_efi_signature_list(const void *data, size_t size, ++ struct key *keyring); ++ + /** + * efi_range_is_wc - check the WC bit on an address range + * @start: starting kvirt address +-- +1.8.3.1 + + +From 920108c0f9cc5854dd329a5dfc904e91d40a4b26 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 26 Oct 2012 12:36:24 -0400 +Subject: [PATCH 3/5] KEYS: Add a system blacklist keyring + +This adds an additional keyring that is used to store certificates that +are blacklisted. This keyring is searched first when loading signed modules +and if the module's certificate is found, it will refuse to load. This is +useful in cases where third party certificates are used for module signing. + +Signed-off-by: Josh Boyer +--- + include/keys/system_keyring.h | 4 ++++ + init/Kconfig | 9 +++++++++ + kernel/module_signing.c | 12 ++++++++++++ + kernel/system_keyring.c | 17 +++++++++++++++++ + 4 files changed, 42 insertions(+) + +diff --git a/include/keys/system_keyring.h b/include/keys/system_keyring.h +index 8dabc39..e466de1 100644 +--- a/include/keys/system_keyring.h ++++ b/include/keys/system_keyring.h +@@ -18,6 +18,10 @@ + + extern struct key *system_trusted_keyring; + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++extern struct key *system_blacklist_keyring; ++#endif ++ + #endif + + #endif /* _KEYS_SYSTEM_KEYRING_H */ +diff --git a/init/Kconfig b/init/Kconfig +index 0ff5407..ba76e57 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1680,6 +1680,15 @@ config SYSTEM_TRUSTED_KEYRING + + Keys in this keyring are used by module signature checking. + ++config SYSTEM_BLACKLIST_KEYRING ++ bool "Provide system-wide ring of blacklisted keys" ++ depends on KEYS ++ help ++ Provide a system keyring to which blacklisted keys can be added. Keys ++ in the keyring are considered entirely untrusted. Keys in this keyring ++ are used by the module signature checking to reject loading of modules ++ signed with a blacklisted key. ++ + menuconfig MODULES + bool "Enable loadable module support" + option modules +diff --git a/kernel/module_signing.c b/kernel/module_signing.c +index 0b6b870..0a29b40 100644 +--- a/kernel/module_signing.c ++++ b/kernel/module_signing.c +@@ -158,6 +158,18 @@ static struct key *request_asymmetric_key(const char *signer, size_t signer_len, + + pr_debug("Look up: \"%s\"\n", id); + ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ key = keyring_search(make_key_ref(system_blacklist_keyring, 1), ++ &key_type_asymmetric, id); ++ if (!IS_ERR(key)) { ++ /* module is signed with a cert in the blacklist. reject */ ++ pr_err("Module key '%s' is in blacklist\n", id); ++ key_ref_put(key); ++ kfree(id); ++ return ERR_PTR(-EKEYREJECTED); ++ } ++#endif ++ + key = keyring_search(make_key_ref(system_trusted_keyring, 1), + &key_type_asymmetric, id); + if (IS_ERR(key)) +diff --git a/kernel/system_keyring.c b/kernel/system_keyring.c +index 564dd93..389b50d 100644 +--- a/kernel/system_keyring.c ++++ b/kernel/system_keyring.c +@@ -20,6 +20,9 @@ + + struct key *system_trusted_keyring; + EXPORT_SYMBOL_GPL(system_trusted_keyring); ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++struct key *system_blacklist_keyring; ++#endif + + extern __initconst const u8 system_certificate_list[]; + extern __initconst const u8 system_certificate_list_end[]; +@@ -41,6 +44,20 @@ static __init int system_trusted_keyring_init(void) + panic("Can't allocate system trusted keyring\n"); + + set_bit(KEY_FLAG_TRUSTED_ONLY, &system_trusted_keyring->flags); ++ ++#ifdef CONFIG_SYSTEM_BLACKLIST_KEYRING ++ system_blacklist_keyring = keyring_alloc(".system_blacklist_keyring", ++ KUIDT_INIT(0), KGIDT_INIT(0), ++ current_cred(), ++ (KEY_POS_ALL & ~KEY_POS_SETATTR) | ++ KEY_USR_VIEW | KEY_USR_READ, ++ KEY_ALLOC_NOT_IN_QUOTA, NULL); ++ if (IS_ERR(system_blacklist_keyring)) ++ panic("Can't allocate system blacklist keyring\n"); ++ ++ set_bit(KEY_FLAG_TRUSTED_ONLY, &system_blacklist_keyring->flags); ++#endif ++ + return 0; + } + +-- +1.8.3.1 + + +From 69dca9998380c1931227a01205cdf23c34509753 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 26 Oct 2012 12:42:16 -0400 +Subject: [PATCH 4/5] MODSIGN: Import certificates from UEFI Secure Boot + +Secure Boot stores a list of allowed certificates in the 'db' variable. +This imports those certificates into the system trusted keyring. This +allows for a third party signing certificate to be used in conjunction +with signed modules. By importing the public certificate into the 'db' +variable, a user can allow a module signed with that certificate to +load. The shim UEFI bootloader has a similar certificate list stored +in the 'MokListRT' variable. We import those as well. + +In the opposite case, Secure Boot maintains a list of disallowed +certificates in the 'dbx' variable. We load those certificates into +the newly introduced system blacklist keyring and forbid any module +signed with those from loading. + +Signed-off-by: Josh Boyer +--- + include/linux/efi.h | 6 ++++ + init/Kconfig | 9 +++++ + kernel/Makefile | 3 ++ + kernel/modsign_uefi.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++ + 4 files changed, 110 insertions(+) + create mode 100644 kernel/modsign_uefi.c + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 42a1d25..d3e6036 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -395,6 +395,12 @@ typedef efi_status_t efi_query_variable_store_t(u32 attributes, unsigned long si + #define EFI_CERT_X509_GUID \ + EFI_GUID( 0xa5c059a1, 0x94e4, 0x4aa7, 0x87, 0xb5, 0xab, 0x15, 0x5c, 0x2b, 0xf0, 0x72 ) + ++#define EFI_IMAGE_SECURITY_DATABASE_GUID \ ++ EFI_GUID( 0xd719b2cb, 0x3d3a, 0x4596, 0xa3, 0xbc, 0xda, 0xd0, 0x0e, 0x67, 0x65, 0x6f ) ++ ++#define EFI_SHIM_LOCK_GUID \ ++ EFI_GUID( 0x605dab50, 0xe046, 0x4300, 0xab, 0xb6, 0x3d, 0xd8, 0x10, 0xdd, 0x8b, 0x23 ) ++ + typedef struct { + efi_guid_t guid; + u64 table; +diff --git a/init/Kconfig b/init/Kconfig +index ba76e57..b09cd98 100644 +--- a/init/Kconfig ++++ b/init/Kconfig +@@ -1799,6 +1799,15 @@ config MODULE_SIG_ALL + comment "Do not forget to sign required modules with scripts/sign-file" + depends on MODULE_SIG_FORCE && !MODULE_SIG_ALL + ++config MODULE_SIG_UEFI ++ bool "Allow modules signed with certs stored in UEFI" ++ depends on MODULE_SIG && SYSTEM_BLACKLIST_KEYRING && EFI ++ select EFI_SIGNATURE_LIST_PARSER ++ help ++ This will import certificates stored in UEFI and allow modules ++ signed with those to be loaded. It will also disallow loading ++ of modules stored in the UEFI dbx variable. ++ + choice + prompt "Which hash algorithm should modules be signed with?" + depends on MODULE_SIG +diff --git a/kernel/Makefile b/kernel/Makefile +index 6313698..cb35a89 100644 +--- a/kernel/Makefile ++++ b/kernel/Makefile +@@ -57,6 +57,7 @@ obj-$(CONFIG_UID16) += uid16.o + obj-$(CONFIG_SYSTEM_TRUSTED_KEYRING) += system_keyring.o system_certificates.o + obj-$(CONFIG_MODULES) += module.o + obj-$(CONFIG_MODULE_SIG) += module_signing.o ++obj-$(CONFIG_MODULE_SIG_UEFI) += modsign_uefi.o + obj-$(CONFIG_KALLSYMS) += kallsyms.o + obj-$(CONFIG_BSD_PROCESS_ACCT) += acct.o + obj-$(CONFIG_KEXEC) += kexec.o +@@ -115,6 +116,8 @@ obj-$(CONFIG_CONTEXT_TRACKING) += context_tracking.o + + $(obj)/configs.o: $(obj)/config_data.h + ++$(obj)/modsign_uefi.o: KBUILD_CFLAGS += -fshort-wchar ++ + # config_data.h contains the same information as ikconfig.h but gzipped. + # Info from config_data can be extracted from /proc/config* + targets += config_data.gz +diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c +new file mode 100644 +index 0000000..94b0eb3 +--- /dev/null ++++ b/kernel/modsign_uefi.c +@@ -0,0 +1,92 @@ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include "module-internal.h" ++ ++static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) ++{ ++ efi_status_t status; ++ unsigned long lsize = 4; ++ unsigned long tmpdb[4]; ++ void *db = NULL; ++ ++ status = efi.get_variable(name, guid, NULL, &lsize, &tmpdb); ++ if (status != EFI_BUFFER_TOO_SMALL) { ++ pr_err("Couldn't get size: 0x%lx\n", status); ++ return NULL; ++ } ++ ++ db = kmalloc(lsize, GFP_KERNEL); ++ if (!db) { ++ pr_err("Couldn't allocate memory for uefi cert list\n"); ++ goto out; ++ } ++ ++ status = efi.get_variable(name, guid, NULL, &lsize, db); ++ if (status != EFI_SUCCESS) { ++ kfree(db); ++ db = NULL; ++ pr_err("Error reading db var: 0x%lx\n", status); ++ } ++out: ++ *size = lsize; ++ return db; ++} ++ ++/* ++ * * Load the certs contained in the UEFI databases ++ * */ ++static int __init load_uefi_certs(void) ++{ ++ efi_guid_t secure_var = EFI_IMAGE_SECURITY_DATABASE_GUID; ++ efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; ++ void *db = NULL, *dbx = NULL, *mok = NULL; ++ unsigned long dbsize = 0, dbxsize = 0, moksize = 0; ++ int rc = 0; ++ ++ /* Check if SB is enabled and just return if not */ ++ if (!efi_enabled(EFI_SECURE_BOOT)) ++ return 0; ++ ++ /* Get db, MokListRT, and dbx. They might not exist, so it isn't ++ * an error if we can't get them. ++ */ ++ db = get_cert_list(L"db", &secure_var, &dbsize); ++ if (!db) { ++ pr_err("MODSIGN: Couldn't get UEFI db list\n"); ++ } else { ++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse db signatures: %d\n", rc); ++ kfree(db); ++ } ++ ++ mok = get_cert_list(L"MokListRT", &mok_var, &moksize); ++ if (!mok) { ++ pr_info("MODSIGN: Couldn't get UEFI MokListRT\n"); ++ } else { ++ rc = parse_efi_signature_list(mok, moksize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse MokListRT signatures: %d\n", rc); ++ kfree(mok); ++ } ++ ++ dbx = get_cert_list(L"dbx", &secure_var, &dbxsize); ++ if (!dbx) { ++ pr_info("MODSIGN: Couldn't get UEFI dbx list\n"); ++ } else { ++ rc = parse_efi_signature_list(dbx, dbxsize, ++ system_blacklist_keyring); ++ if (rc) ++ pr_err("Couldn't parse dbx signatures: %d\n", rc); ++ kfree(dbx); ++ } ++ ++ return rc; ++} ++late_initcall(load_uefi_certs); +-- +1.8.3.1 + + +From c8e6d256ddfa2182d5b011a4ab70f8c5c9b2b590 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Thu, 3 Oct 2013 10:14:23 -0400 +Subject: [PATCH 5/5] MODSIGN: Support not importing certs from db + +If a user tells shim to not use the certs/hashes in the UEFI db variable +for verification purposes, shim will set a UEFI variable called MokIgnoreDB. +Have the uefi import code look for this and not import things from the db +variable. + +Signed-off-by: Josh Boyer +--- + kernel/modsign_uefi.c | 40 +++++++++++++++++++++++++++++++--------- + 1 file changed, 31 insertions(+), 9 deletions(-) + +diff --git a/kernel/modsign_uefi.c b/kernel/modsign_uefi.c +index 94b0eb3..ae28b97 100644 +--- a/kernel/modsign_uefi.c ++++ b/kernel/modsign_uefi.c +@@ -8,6 +8,23 @@ + #include + #include "module-internal.h" + ++static __init int check_ignore_db(void) ++{ ++ efi_status_t status; ++ unsigned int db = 0; ++ unsigned long size = sizeof(db); ++ efi_guid_t guid = EFI_SHIM_LOCK_GUID; ++ ++ /* Check and see if the MokIgnoreDB variable exists. If that fails ++ * then we don't ignore DB. If it succeeds, we do. ++ */ ++ status = efi.get_variable(L"MokIgnoreDB", &guid, NULL, &size, &db); ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ return 1; ++} ++ + static __init void *get_cert_list(efi_char16_t *name, efi_guid_t *guid, unsigned long *size) + { + efi_status_t status; +@@ -47,23 +64,28 @@ static int __init load_uefi_certs(void) + efi_guid_t mok_var = EFI_SHIM_LOCK_GUID; + void *db = NULL, *dbx = NULL, *mok = NULL; + unsigned long dbsize = 0, dbxsize = 0, moksize = 0; +- int rc = 0; ++ int ignore_db, rc = 0; + + /* Check if SB is enabled and just return if not */ + if (!efi_enabled(EFI_SECURE_BOOT)) + return 0; + ++ /* See if the user has setup Ignore DB mode */ ++ ignore_db = check_ignore_db(); ++ + /* Get db, MokListRT, and dbx. They might not exist, so it isn't + * an error if we can't get them. + */ +- db = get_cert_list(L"db", &secure_var, &dbsize); +- if (!db) { +- pr_err("MODSIGN: Couldn't get UEFI db list\n"); +- } else { +- rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); +- if (rc) +- pr_err("Couldn't parse db signatures: %d\n", rc); +- kfree(db); ++ if (!ignore_db) { ++ db = get_cert_list(L"db", &secure_var, &dbsize); ++ if (!db) { ++ pr_err("MODSIGN: Couldn't get UEFI db list\n"); ++ } else { ++ rc = parse_efi_signature_list(db, dbsize, system_trusted_keyring); ++ if (rc) ++ pr_err("Couldn't parse db signatures: %d\n", rc); ++ kfree(db); ++ } + } + + mok = get_cert_list(L"MokListRT", &mok_var, &moksize); +-- +1.8.3.1 + diff --git a/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch b/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch deleted file mode 100644 index 3ec6d0194..000000000 --- a/net-rework-recvmsg-handler-msg_name-and-msg_namelen-.patch +++ /dev/null @@ -1,774 +0,0 @@ -Bugzilla: 1039874 -Upstream-status: 3.13 and 3.12.4 - -From 9cb9fb275f8794546dc31a79f2f02127fed5baf2 Mon Sep 17 00:00:00 2001 -From: Hannes Frederic Sowa -Date: Thu, 21 Nov 2013 03:14:22 +0100 -Subject: [PATCH] net: rework recvmsg handler msg_name and msg_namelen logic - -[ Upstream commit f3d3342602f8bcbf37d7c46641cb9bca7618eb1c ] - -This patch now always passes msg->msg_namelen as 0. recvmsg handlers must -set msg_namelen to the proper size <= sizeof(struct sockaddr_storage) -to return msg_name to the user. - -This prevents numerous uninitialized memory leaks we had in the -recvmsg handlers and makes it harder for new code to accidentally leak -uninitialized memory. - -Optimize for the case recvfrom is called with NULL as address. We don't -need to copy the address at all, so set it to NULL before invoking the -recvmsg handler. We can do so, because all the recvmsg handlers must -cope with the case a plain read() is called on them. read() also sets -msg_name to NULL. - -Also document these changes in include/linux/net.h as suggested by David -Miller. - -Changes since RFC: - -Set msg->msg_name = NULL if user specified a NULL in msg_name but had a -non-null msg_namelen in verify_iovec/verify_compat_iovec. This doesn't -affect sendto as it would bail out earlier while trying to copy-in the -address. It also more naturally reflects the logic by the callers of -verify_iovec. - -With this change in place I could remove " -if (!uaddr || msg_sys->msg_namelen == 0) - msg->msg_name = NULL -". - -This change does not alter the user visible error logic as we ignore -msg_namelen as long as msg_name is NULL. - -Also remove two unnecessary curly brackets in ___sys_recvmsg and change -comments to netdev style. - -Cc: David Miller -Suggested-by: Eric Dumazet -Signed-off-by: Hannes Frederic Sowa -Signed-off-by: David S. Miller -Signed-off-by: Greg Kroah-Hartman ---- - crypto/algif_hash.c | 2 -- - crypto/algif_skcipher.c | 1 - - drivers/isdn/mISDN/socket.c | 13 ++++--------- - drivers/net/ppp/pppoe.c | 2 -- - include/linux/net.h | 8 ++++++++ - net/appletalk/ddp.c | 16 +++++++--------- - net/atm/common.c | 2 -- - net/ax25/af_ax25.c | 4 ++-- - net/bluetooth/af_bluetooth.c | 4 ---- - net/bluetooth/hci_sock.c | 2 -- - net/bluetooth/rfcomm/sock.c | 1 - - net/bluetooth/sco.c | 1 - - net/caif/caif_socket.c | 4 ---- - net/compat.c | 3 ++- - net/core/iovec.c | 3 ++- - net/ipx/af_ipx.c | 3 +-- - net/irda/af_irda.c | 4 ---- - net/iucv/af_iucv.c | 2 -- - net/key/af_key.c | 1 - - net/l2tp/l2tp_ppp.c | 2 -- - net/llc/af_llc.c | 2 -- - net/netlink/af_netlink.c | 2 -- - net/netrom/af_netrom.c | 3 +-- - net/nfc/llcp_sock.c | 2 -- - net/nfc/rawsock.c | 2 -- - net/packet/af_packet.c | 32 +++++++++++++++----------------- - net/rds/recv.c | 2 -- - net/rose/af_rose.c | 8 +++++--- - net/rxrpc/ar-recvmsg.c | 9 ++++++--- - net/socket.c | 19 +++++++++++-------- - net/tipc/socket.c | 6 ------ - net/unix/af_unix.c | 5 ----- - net/vmw_vsock/af_vsock.c | 2 -- - net/vmw_vsock/vmci_transport.c | 2 -- - net/x25/af_x25.c | 3 +-- - 35 files changed, 65 insertions(+), 112 deletions(-) - -diff --git a/crypto/algif_hash.c b/crypto/algif_hash.c -index 0262210..ef5356c 100644 ---- a/crypto/algif_hash.c -+++ b/crypto/algif_hash.c -@@ -161,8 +161,6 @@ static int hash_recvmsg(struct kiocb *unused, struct socket *sock, - else if (len < ds) - msg->msg_flags |= MSG_TRUNC; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - if (ctx->more) { - ctx->more = 0; -diff --git a/crypto/algif_skcipher.c b/crypto/algif_skcipher.c -index a1c4f0a..6a6dfc0 100644 ---- a/crypto/algif_skcipher.c -+++ b/crypto/algif_skcipher.c -@@ -432,7 +432,6 @@ static int skcipher_recvmsg(struct kiocb *unused, struct socket *sock, - long copied = 0; - - lock_sock(sk); -- msg->msg_namelen = 0; - for (iov = msg->msg_iov, iovlen = msg->msg_iovlen; iovlen > 0; - iovlen--, iov++) { - unsigned long seglen = iov->iov_len; -diff --git a/drivers/isdn/mISDN/socket.c b/drivers/isdn/mISDN/socket.c -index e47dcb9..5cefb47 100644 ---- a/drivers/isdn/mISDN/socket.c -+++ b/drivers/isdn/mISDN/socket.c -@@ -117,7 +117,6 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sk_buff *skb; - struct sock *sk = sock->sk; -- struct sockaddr_mISDN *maddr; - - int copied, err; - -@@ -135,9 +134,9 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- if (msg->msg_namelen >= sizeof(struct sockaddr_mISDN)) { -- msg->msg_namelen = sizeof(struct sockaddr_mISDN); -- maddr = (struct sockaddr_mISDN *)msg->msg_name; -+ if (msg->msg_name) { -+ struct sockaddr_mISDN *maddr = msg->msg_name; -+ - maddr->family = AF_ISDN; - maddr->dev = _pms(sk)->dev->id; - if ((sk->sk_protocol == ISDN_P_LAPD_TE) || -@@ -150,11 +149,7 @@ mISDN_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - maddr->sapi = _pms(sk)->ch.addr & 0xFF; - maddr->tei = (_pms(sk)->ch.addr >> 8) & 0xFF; - } -- } else { -- if (msg->msg_namelen) -- printk(KERN_WARNING "%s: too small namelen %d\n", -- __func__, msg->msg_namelen); -- msg->msg_namelen = 0; -+ msg->msg_namelen = sizeof(*maddr); - } - - copied = skb->len + MISDN_HEADER_LEN; -diff --git a/drivers/net/ppp/pppoe.c b/drivers/net/ppp/pppoe.c -index 5f66e30..82ee6ed 100644 ---- a/drivers/net/ppp/pppoe.c -+++ b/drivers/net/ppp/pppoe.c -@@ -979,8 +979,6 @@ static int pppoe_recvmsg(struct kiocb *iocb, struct socket *sock, - if (error < 0) - goto end; - -- m->msg_namelen = 0; -- - if (skb) { - total_len = min_t(size_t, total_len, skb->len); - error = skb_copy_datagram_iovec(skb, 0, m->msg_iov, total_len); -diff --git a/include/linux/net.h b/include/linux/net.h -index 4f27575..8bd9d92 100644 ---- a/include/linux/net.h -+++ b/include/linux/net.h -@@ -163,6 +163,14 @@ struct proto_ops { - #endif - int (*sendmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len); -+ /* Notes for implementing recvmsg: -+ * =============================== -+ * msg->msg_namelen should get updated by the recvmsg handlers -+ * iff msg_name != NULL. It is by default 0 to prevent -+ * returning uninitialized memory to user space. The recvfrom -+ * handlers can assume that msg.msg_name is either NULL or has -+ * a minimum size of sizeof(struct sockaddr_storage). -+ */ - int (*recvmsg) (struct kiocb *iocb, struct socket *sock, - struct msghdr *m, size_t total_len, - int flags); -diff --git a/net/appletalk/ddp.c b/net/appletalk/ddp.c -index 7fee50d..7d424ac 100644 ---- a/net/appletalk/ddp.c -+++ b/net/appletalk/ddp.c -@@ -1735,7 +1735,6 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - size_t size, int flags) - { - struct sock *sk = sock->sk; -- struct sockaddr_at *sat = (struct sockaddr_at *)msg->msg_name; - struct ddpehdr *ddp; - int copied = 0; - int offset = 0; -@@ -1764,14 +1763,13 @@ static int atalk_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr - } - err = skb_copy_datagram_iovec(skb, offset, msg->msg_iov, copied); - -- if (!err) { -- if (sat) { -- sat->sat_family = AF_APPLETALK; -- sat->sat_port = ddp->deh_sport; -- sat->sat_addr.s_node = ddp->deh_snode; -- sat->sat_addr.s_net = ddp->deh_snet; -- } -- msg->msg_namelen = sizeof(*sat); -+ if (!err && msg->msg_name) { -+ struct sockaddr_at *sat = msg->msg_name; -+ sat->sat_family = AF_APPLETALK; -+ sat->sat_port = ddp->deh_sport; -+ sat->sat_addr.s_node = ddp->deh_snode; -+ sat->sat_addr.s_net = ddp->deh_snet; -+ msg->msg_namelen = sizeof(*sat); - } - - skb_free_datagram(sk, skb); /* Free the datagram. */ -diff --git a/net/atm/common.c b/net/atm/common.c -index 737bef5..7b49100 100644 ---- a/net/atm/common.c -+++ b/net/atm/common.c -@@ -531,8 +531,6 @@ int vcc_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - struct sk_buff *skb; - int copied, error = -EINVAL; - -- msg->msg_namelen = 0; -- - if (sock->state != SS_CONNECTED) - return -ENOTCONN; - -diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c -index 4b4d2b7..78c474f 100644 ---- a/net/ax25/af_ax25.c -+++ b/net/ax25/af_ax25.c -@@ -1636,11 +1636,11 @@ static int ax25_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (msg->msg_namelen != 0) { -- struct sockaddr_ax25 *sax = (struct sockaddr_ax25 *)msg->msg_name; -+ if (msg->msg_name) { - ax25_digi digi; - ax25_address src; - const unsigned char *mac = skb_mac_header(skb); -+ struct sockaddr_ax25 *sax = msg->msg_name; - - memset(sax, 0, sizeof(struct full_sockaddr_ax25)); - ax25_addr_parse(mac + 1, skb->data - mac - 1, &src, NULL, -diff --git a/net/bluetooth/af_bluetooth.c b/net/bluetooth/af_bluetooth.c -index 9096137..6629cdc 100644 ---- a/net/bluetooth/af_bluetooth.c -+++ b/net/bluetooth/af_bluetooth.c -@@ -221,8 +221,6 @@ int bt_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & (MSG_OOB)) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, noblock, &err); - if (!skb) { - if (sk->sk_shutdown & RCV_SHUTDOWN) -@@ -287,8 +285,6 @@ int bt_sock_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags & MSG_OOB) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - BT_DBG("sk %p size %zu", sk, size); - - lock_sock(sk); -diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c -index 9bd7d95..fa4bf66 100644 ---- a/net/bluetooth/hci_sock.c -+++ b/net/bluetooth/hci_sock.c -@@ -752,8 +752,6 @@ static int hci_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return err; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c -index 30b3721..c1c6028 100644 ---- a/net/bluetooth/rfcomm/sock.c -+++ b/net/bluetooth/rfcomm/sock.c -@@ -608,7 +608,6 @@ static int rfcomm_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - - if (test_and_clear_bit(RFCOMM_DEFER_SETUP, &d->flags)) { - rfcomm_dlc_accept(d); -- msg->msg_namelen = 0; - return 0; - } - -diff --git a/net/bluetooth/sco.c b/net/bluetooth/sco.c -index e7bd4ee..2bb1d3a 100644 ---- a/net/bluetooth/sco.c -+++ b/net/bluetooth/sco.c -@@ -700,7 +700,6 @@ static int sco_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - test_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags)) { - sco_conn_defer_accept(pi->conn->hcon, 0); - sk->sk_state = BT_CONFIG; -- msg->msg_namelen = 0; - - release_sock(sk); - return 0; -diff --git a/net/caif/caif_socket.c b/net/caif/caif_socket.c -index 05a41c7..d6be3ed 100644 ---- a/net/caif/caif_socket.c -+++ b/net/caif/caif_socket.c -@@ -286,8 +286,6 @@ static int caif_seqpkt_recvmsg(struct kiocb *iocb, struct socket *sock, - if (m->msg_flags&MSG_OOB) - goto read_error; - -- m->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags, 0 , &ret); - if (!skb) - goto read_error; -@@ -361,8 +359,6 @@ static int caif_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - /* - * Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg -diff --git a/net/compat.c b/net/compat.c -index 8903258..618c6a8 100644 ---- a/net/compat.c -+++ b/net/compat.c -@@ -93,7 +93,8 @@ int verify_compat_iovec(struct msghdr *kern_msg, struct iovec *kern_iov, - if (err < 0) - return err; - } -- kern_msg->msg_name = kern_address; -+ if (kern_msg->msg_name) -+ kern_msg->msg_name = kern_address; - } else - kern_msg->msg_name = NULL; - -diff --git a/net/core/iovec.c b/net/core/iovec.c -index de178e4..9a31515 100644 ---- a/net/core/iovec.c -+++ b/net/core/iovec.c -@@ -48,7 +48,8 @@ int verify_iovec(struct msghdr *m, struct iovec *iov, struct sockaddr_storage *a - if (err < 0) - return err; - } -- m->msg_name = address; -+ if (m->msg_name) -+ m->msg_name = address; - } else { - m->msg_name = NULL; - } -diff --git a/net/ipx/af_ipx.c b/net/ipx/af_ipx.c -index 7a1e0fc..e096025 100644 ---- a/net/ipx/af_ipx.c -+++ b/net/ipx/af_ipx.c -@@ -1823,8 +1823,6 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - if (skb->tstamp.tv64) - sk->sk_stamp = skb->tstamp; - -- msg->msg_namelen = sizeof(*sipx); -- - if (sipx) { - sipx->sipx_family = AF_IPX; - sipx->sipx_port = ipx->ipx_source.sock; -@@ -1832,6 +1830,7 @@ static int ipx_recvmsg(struct kiocb *iocb, struct socket *sock, - sipx->sipx_network = IPX_SKB_CB(skb)->ipx_source_net; - sipx->sipx_type = ipx->ipx_type; - sipx->sipx_zero = 0; -+ msg->msg_namelen = sizeof(*sipx); - } - rc = copied; - -diff --git a/net/irda/af_irda.c b/net/irda/af_irda.c -index 0578d4f..a5e62ef5 100644 ---- a/net/irda/af_irda.c -+++ b/net/irda/af_irda.c -@@ -1385,8 +1385,6 @@ static int irda_recvmsg_dgram(struct kiocb *iocb, struct socket *sock, - - IRDA_DEBUG(4, "%s()\n", __func__); - -- msg->msg_namelen = 0; -- - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); - if (!skb) -@@ -1451,8 +1449,6 @@ static int irda_recvmsg_stream(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags & MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, noblock); - -- msg->msg_namelen = 0; -- - do { - int chunk; - struct sk_buff *skb = skb_dequeue(&sk->sk_receive_queue); -diff --git a/net/iucv/af_iucv.c b/net/iucv/af_iucv.c -index 168aff5..c4b7218 100644 ---- a/net/iucv/af_iucv.c -+++ b/net/iucv/af_iucv.c -@@ -1324,8 +1324,6 @@ static int iucv_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - int err = 0; - u32 offset; - -- msg->msg_namelen = 0; -- - if ((sk->sk_state == IUCV_DISCONN) && - skb_queue_empty(&iucv->backlog_skb_q) && - skb_queue_empty(&sk->sk_receive_queue) && -diff --git a/net/key/af_key.c b/net/key/af_key.c -index ab8bd2c..66f51c5 100644 ---- a/net/key/af_key.c -+++ b/net/key/af_key.c -@@ -3623,7 +3623,6 @@ static int pfkey_recvmsg(struct kiocb *kiocb, - if (flags & ~(MSG_PEEK|MSG_DONTWAIT|MSG_TRUNC|MSG_CMSG_COMPAT)) - goto out; - -- msg->msg_namelen = 0; - skb = skb_recv_datagram(sk, flags, flags & MSG_DONTWAIT, &err); - if (skb == NULL) - goto out; -diff --git a/net/l2tp/l2tp_ppp.c b/net/l2tp/l2tp_ppp.c -index 8c46b27..44441c0 100644 ---- a/net/l2tp/l2tp_ppp.c -+++ b/net/l2tp/l2tp_ppp.c -@@ -197,8 +197,6 @@ static int pppol2tp_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sk->sk_state & PPPOX_BOUND) - goto end; - -- msg->msg_namelen = 0; -- - err = 0; - skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, - flags & MSG_DONTWAIT, &err); -diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c -index 48aaa89..8870988 100644 ---- a/net/llc/af_llc.c -+++ b/net/llc/af_llc.c -@@ -720,8 +720,6 @@ static int llc_ui_recvmsg(struct kiocb *iocb, struct socket *sock, - int target; /* Read at least this many bytes */ - long timeo; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - copied = -ENOTCONN; - if (unlikely(sk->sk_type == SOCK_STREAM && sk->sk_state == TCP_LISTEN)) -diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c -index 0c61b59..90b654b 100644 ---- a/net/netlink/af_netlink.c -+++ b/net/netlink/af_netlink.c -@@ -2317,8 +2317,6 @@ static int netlink_recvmsg(struct kiocb *kiocb, struct socket *sock, - } - #endif - -- msg->msg_namelen = 0; -- - copied = data_skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c -index 698814b..53c19a3 100644 ---- a/net/netrom/af_netrom.c -+++ b/net/netrom/af_netrom.c -@@ -1179,10 +1179,9 @@ static int nr_recvmsg(struct kiocb *iocb, struct socket *sock, - sax->sax25_family = AF_NETROM; - skb_copy_from_linear_data_offset(skb, 7, sax->sax25_call.ax25_call, - AX25_ADDR_LEN); -+ msg->msg_namelen = sizeof(*sax); - } - -- msg->msg_namelen = sizeof(*sax); -- - skb_free_datagram(sk, skb); - - release_sock(sk); -diff --git a/net/nfc/llcp_sock.c b/net/nfc/llcp_sock.c -index d308402..824c605 100644 ---- a/net/nfc/llcp_sock.c -+++ b/net/nfc/llcp_sock.c -@@ -807,8 +807,6 @@ static int llcp_sock_recvmsg(struct kiocb *iocb, struct socket *sock, - - pr_debug("%p %zu\n", sk, len); - -- msg->msg_namelen = 0; -- - lock_sock(sk); - - if (sk->sk_state == LLCP_CLOSED && -diff --git a/net/nfc/rawsock.c b/net/nfc/rawsock.c -index 313bf1b..5d11f4a 100644 ---- a/net/nfc/rawsock.c -+++ b/net/nfc/rawsock.c -@@ -241,8 +241,6 @@ static int rawsock_recvmsg(struct kiocb *iocb, struct socket *sock, - if (!skb) - return rc; - -- msg->msg_namelen = 0; -- - copied = skb->len; - if (len < copied) { - msg->msg_flags |= MSG_TRUNC; -diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c -index 75c8bbf..739c50d 100644 ---- a/net/packet/af_packet.c -+++ b/net/packet/af_packet.c -@@ -2694,7 +2694,6 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - struct sock *sk = sock->sk; - struct sk_buff *skb; - int copied, err; -- struct sockaddr_ll *sll; - int vnet_hdr_len = 0; - - err = -EINVAL; -@@ -2777,22 +2776,10 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - goto out_free; - } - -- /* -- * If the address length field is there to be filled in, we fill -- * it in now. -- */ -- -- sll = &PACKET_SKB_CB(skb)->sa.ll; -- if (sock->type == SOCK_PACKET) -- msg->msg_namelen = sizeof(struct sockaddr_pkt); -- else -- msg->msg_namelen = sll->sll_halen + offsetof(struct sockaddr_ll, sll_addr); -- -- /* -- * You lose any data beyond the buffer you gave. If it worries a -- * user program they can ask the device for its MTU anyway. -+ /* You lose any data beyond the buffer you gave. If it worries -+ * a user program they can ask the device for its MTU -+ * anyway. - */ -- - copied = skb->len; - if (copied > len) { - copied = len; -@@ -2805,9 +2792,20 @@ static int packet_recvmsg(struct kiocb *iocb, struct socket *sock, - - sock_recv_ts_and_drops(msg, sk, skb); - -- if (msg->msg_name) -+ if (msg->msg_name) { -+ /* If the address length field is there to be filled -+ * in, we fill it in now. -+ */ -+ if (sock->type == SOCK_PACKET) { -+ msg->msg_namelen = sizeof(struct sockaddr_pkt); -+ } else { -+ struct sockaddr_ll *sll = &PACKET_SKB_CB(skb)->sa.ll; -+ msg->msg_namelen = sll->sll_halen + -+ offsetof(struct sockaddr_ll, sll_addr); -+ } - memcpy(msg->msg_name, &PACKET_SKB_CB(skb)->sa, - msg->msg_namelen); -+ } - - if (pkt_sk(sk)->auxdata) { - struct tpacket_auxdata aux; -diff --git a/net/rds/recv.c b/net/rds/recv.c -index 9f0f17c..de339b2 100644 ---- a/net/rds/recv.c -+++ b/net/rds/recv.c -@@ -410,8 +410,6 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg, - - rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo); - -- msg->msg_namelen = 0; -- - if (msg_flags & MSG_OOB) - goto out; - -diff --git a/net/rose/af_rose.c b/net/rose/af_rose.c -index e98fcfb..33af772 100644 ---- a/net/rose/af_rose.c -+++ b/net/rose/af_rose.c -@@ -1216,7 +1216,6 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - { - struct sock *sk = sock->sk; - struct rose_sock *rose = rose_sk(sk); -- struct sockaddr_rose *srose = (struct sockaddr_rose *)msg->msg_name; - size_t copied; - unsigned char *asmptr; - struct sk_buff *skb; -@@ -1252,8 +1251,11 @@ static int rose_recvmsg(struct kiocb *iocb, struct socket *sock, - - skb_copy_datagram_iovec(skb, 0, msg->msg_iov, copied); - -- if (srose != NULL) { -- memset(srose, 0, msg->msg_namelen); -+ if (msg->msg_name) { -+ struct sockaddr_rose *srose; -+ -+ memset(msg->msg_name, 0, sizeof(struct full_sockaddr_rose)); -+ srose = msg->msg_name; - srose->srose_family = AF_ROSE; - srose->srose_addr = rose->dest_addr; - srose->srose_call = rose->dest_call; -diff --git a/net/rxrpc/ar-recvmsg.c b/net/rxrpc/ar-recvmsg.c -index 4b48687..898492a 100644 ---- a/net/rxrpc/ar-recvmsg.c -+++ b/net/rxrpc/ar-recvmsg.c -@@ -143,10 +143,13 @@ int rxrpc_recvmsg(struct kiocb *iocb, struct socket *sock, - - /* copy the peer address and timestamp */ - if (!continue_call) { -- if (msg->msg_name && msg->msg_namelen > 0) -+ if (msg->msg_name) { -+ size_t len = -+ sizeof(call->conn->trans->peer->srx); - memcpy(msg->msg_name, -- &call->conn->trans->peer->srx, -- sizeof(call->conn->trans->peer->srx)); -+ &call->conn->trans->peer->srx, len); -+ msg->msg_namelen = len; -+ } - sock_recv_ts_and_drops(msg, &rx->sk, skb); - } - -diff --git a/net/socket.c b/net/socket.c -index 4b94643..5158ff7 100644 ---- a/net/socket.c -+++ b/net/socket.c -@@ -1849,8 +1849,10 @@ SYSCALL_DEFINE6(recvfrom, int, fd, void __user *, ubuf, size_t, size, - msg.msg_iov = &iov; - iov.iov_len = size; - iov.iov_base = ubuf; -- msg.msg_name = (struct sockaddr *)&address; -- msg.msg_namelen = sizeof(address); -+ /* Save some cycles and don't copy the address if not needed */ -+ msg.msg_name = addr ? (struct sockaddr *)&address : NULL; -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg.msg_namelen = 0; - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = sock_recvmsg(sock, &msg, size, flags); -@@ -2230,16 +2232,14 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - goto out; - } - -- /* -- * Save the user-mode address (verify_iovec will change the -- * kernel msghdr to use the kernel address space) -+ /* Save the user-mode address (verify_iovec will change the -+ * kernel msghdr to use the kernel address space) - */ -- - uaddr = (__force void __user *)msg_sys->msg_name; - uaddr_len = COMPAT_NAMELEN(msg); -- if (MSG_CMSG_COMPAT & flags) { -+ if (MSG_CMSG_COMPAT & flags) - err = verify_compat_iovec(msg_sys, iov, &addr, VERIFY_WRITE); -- } else -+ else - err = verify_iovec(msg_sys, iov, &addr, VERIFY_WRITE); - if (err < 0) - goto out_freeiov; -@@ -2248,6 +2248,9 @@ static int ___sys_recvmsg(struct socket *sock, struct msghdr __user *msg, - cmsg_ptr = (unsigned long)msg_sys->msg_control; - msg_sys->msg_flags = flags & (MSG_CMSG_CLOEXEC|MSG_CMSG_COMPAT); - -+ /* We assume all kernel code knows the size of sockaddr_storage */ -+ msg_sys->msg_namelen = 0; -+ - if (sock->file->f_flags & O_NONBLOCK) - flags |= MSG_DONTWAIT; - err = (nosec ? sock_recvmsg_nosec : sock_recvmsg)(sock, msg_sys, -diff --git a/net/tipc/socket.c b/net/tipc/socket.c -index 6cc7ddd..dffdbea 100644 ---- a/net/tipc/socket.c -+++ b/net/tipc/socket.c -@@ -984,9 +984,6 @@ static int recv_msg(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - restart: - -@@ -1095,9 +1092,6 @@ static int recv_stream(struct kiocb *iocb, struct socket *sock, - goto exit; - } - -- /* will be updated in set_orig_addr() if needed */ -- m->msg_namelen = 0; -- - target = sock_rcvlowat(sk, flags & MSG_WAITALL, buf_len); - timeout = sock_rcvtimeo(sk, flags & MSG_DONTWAIT); - -diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c -index e64bbcf..6c66e8d 100644 ---- a/net/unix/af_unix.c -+++ b/net/unix/af_unix.c -@@ -1762,7 +1762,6 @@ static void unix_copy_addr(struct msghdr *msg, struct sock *sk) - { - struct unix_sock *u = unix_sk(sk); - -- msg->msg_namelen = 0; - if (u->addr) { - msg->msg_namelen = u->addr->len; - memcpy(msg->msg_name, u->addr->name, u->addr->len); -@@ -1786,8 +1785,6 @@ static int unix_dgram_recvmsg(struct kiocb *iocb, struct socket *sock, - if (flags&MSG_OOB) - goto out; - -- msg->msg_namelen = 0; -- - err = mutex_lock_interruptible(&u->readlock); - if (err) { - err = sock_intr_errno(sock_rcvtimeo(sk, noblock)); -@@ -1927,8 +1924,6 @@ static int unix_stream_recvmsg(struct kiocb *iocb, struct socket *sock, - target = sock_rcvlowat(sk, flags&MSG_WAITALL, size); - timeo = sock_rcvtimeo(sk, flags&MSG_DONTWAIT); - -- msg->msg_namelen = 0; -- - /* Lock the socket to prevent queue disordering - * while sleeps in memcpy_tomsg - */ -diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c -index 4d93346..16f721c 100644 ---- a/net/vmw_vsock/af_vsock.c -+++ b/net/vmw_vsock/af_vsock.c -@@ -1663,8 +1663,6 @@ vsock_stream_recvmsg(struct kiocb *kiocb, - vsk = vsock_sk(sk); - err = 0; - -- msg->msg_namelen = 0; -- - lock_sock(sk); - - if (sk->sk_state != SS_CONNECTED) { -diff --git a/net/vmw_vsock/vmci_transport.c b/net/vmw_vsock/vmci_transport.c -index ffc11df..73ca104 100644 ---- a/net/vmw_vsock/vmci_transport.c -+++ b/net/vmw_vsock/vmci_transport.c -@@ -1746,8 +1746,6 @@ static int vmci_transport_dgram_dequeue(struct kiocb *kiocb, - if (flags & MSG_OOB || flags & MSG_ERRQUEUE) - return -EOPNOTSUPP; - -- msg->msg_namelen = 0; -- - /* Retrieve the head sk_buff from the socket's receive queue. */ - err = 0; - skb = skb_recv_datagram(&vsk->sk, flags, noblock, &err); -diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c -index 45a3ab5..7622789 100644 ---- a/net/x25/af_x25.c -+++ b/net/x25/af_x25.c -@@ -1340,10 +1340,9 @@ static int x25_recvmsg(struct kiocb *iocb, struct socket *sock, - if (sx25) { - sx25->sx25_family = AF_X25; - sx25->sx25_addr = x25->dest_addr; -+ msg->msg_namelen = sizeof(*sx25); - } - -- msg->msg_namelen = sizeof(struct sockaddr_x25); -- - x25_check_rbuf(sk); - rc = copied; - out_free_dgram: --- -1.8.3.1 - diff --git a/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch b/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch deleted file mode 100644 index fd8351fa4..000000000 --- a/netfilter-nf_conntrack-use-RCU-safe-kfree-for-conntr.patch +++ /dev/null @@ -1,35 +0,0 @@ -From c13a84a830a208fb3443628773c8ca0557773cc7 Mon Sep 17 00:00:00 2001 -From: =?UTF-8?q?Michal=20Kube=C4=8Dek?= -Date: Wed, 11 Sep 2013 10:17:27 +0200 -Subject: [PATCH] netfilter: nf_conntrack: use RCU safe kfree for conntrack - extensions - -Commit 68b80f11 (netfilter: nf_nat: fix RCU races) introduced -RCU protection for freeing extension data when reallocation -moves them to a new location. We need the same protection when -freeing them in nf_ct_ext_free() in order to prevent a -use-after-free by other threads referencing a NAT extension data -via bysource list. - -Signed-off-by: Michal Kubecek -Signed-off-by: Pablo Neira Ayuso ---- - include/net/netfilter/nf_conntrack_extend.h | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/include/net/netfilter/nf_conntrack_extend.h b/include/net/netfilter/nf_conntrack_extend.h -index ff95434..88a1d40 100644 ---- a/include/net/netfilter/nf_conntrack_extend.h -+++ b/include/net/netfilter/nf_conntrack_extend.h -@@ -86,7 +86,7 @@ static inline void nf_ct_ext_destroy(struct nf_conn *ct) - static inline void nf_ct_ext_free(struct nf_conn *ct) - { - if (ct->ext) -- kfree(ct->ext); -+ kfree_rcu(ct->ext, rcu); - } - - /* Add this type, returns pointer to data or NULL. */ --- -1.8.3.1 - diff --git a/ntp-Make-periodic-RTC-update-more-reliable.patch b/ntp-Make-periodic-RTC-update-more-reliable.patch deleted file mode 100644 index 59179e719..000000000 --- a/ntp-Make-periodic-RTC-update-more-reliable.patch +++ /dev/null @@ -1,44 +0,0 @@ -From a97ad0c4b447a132a322cedc3a5f7fa4cab4b304 Mon Sep 17 00:00:00 2001 -From: Miroslav Lichvar -Date: Thu, 1 Aug 2013 19:31:35 +0200 -Subject: [PATCH] ntp: Make periodic RTC update more reliable - -The current code requires that the scheduled update of the RTC happens -in the closest tick to the half of the second. This seems to be -difficult to achieve reliably. The scheduled work may be missing the -target time by a tick or two and be constantly rescheduled every second. - -Relax the limit to 10 ticks. As a typical RTC drifts in the 11-minute -update interval by several milliseconds, this shouldn't affect the -overall accuracy of the RTC much. - -Signed-off-by: Miroslav Lichvar -Signed-off-by: John Stultz ---- - kernel/time/ntp.c | 3 ++- - 1 file changed, 2 insertions(+), 1 deletion(-) - -diff --git a/kernel/time/ntp.c b/kernel/time/ntp.c -index 8f5b3b9..ab1fa7c 100644 ---- a/kernel/time/ntp.c -+++ b/kernel/time/ntp.c -@@ -475,6 +475,7 @@ static void sync_cmos_clock(struct work_struct *work) - * called as close as possible to 500 ms before the new second starts. - * This code is run on a timer. If the clock is set, that timer - * may not expire at the correct time. Thus, we adjust... -+ * We want the clock to be within a couple of ticks from the target. - */ - if (!ntp_synced()) { - /* -@@ -485,7 +486,7 @@ static void sync_cmos_clock(struct work_struct *work) - } - - getnstimeofday(&now); -- if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec / 2) { -+ if (abs(now.tv_nsec - (NSEC_PER_SEC / 2)) <= tick_nsec * 5) { - struct timespec adjust = now; - - fail = -ENODEV; --- -1.7.9.5 - diff --git a/rt2800-add-support-for-rf3070.patch b/rt2800-add-support-for-rf3070.patch deleted file mode 100644 index 24c16cb9c..000000000 --- a/rt2800-add-support-for-rf3070.patch +++ /dev/null @@ -1,80 +0,0 @@ -diff --git a/drivers/net/wireless/rt2x00/rt2800.h b/drivers/net/wireless/rt2x00/rt2800.h -index d78c495..2132830 100644 ---- a/drivers/net/wireless/rt2x00/rt2800.h -+++ b/drivers/net/wireless/rt2x00/rt2800.h -@@ -65,6 +65,7 @@ - #define RF3021 0x0007 - #define RF3022 0x0008 - #define RF3052 0x0009 -+#define RF3070 0x3070 - #define RF2853 0x000a - #define RF3320 0x000b - #define RF3322 0x000c -diff --git a/drivers/net/wireless/rt2x00/rt2800lib.c b/drivers/net/wireless/rt2x00/rt2800lib.c -index 1b41c8e..2958265 100644 ---- a/drivers/net/wireless/rt2x00/rt2800lib.c -+++ b/drivers/net/wireless/rt2x00/rt2800lib.c -@@ -2597,6 +2597,7 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, - case RF3322: - rt2800_config_channel_rf3322(rt2x00dev, conf, rf, info); - break; -+ case RF3070: - case RF5360: - case RF5370: - case RF5372: -@@ -2611,7 +2612,8 @@ static void rt2800_config_channel(struct rt2x00_dev *rt2x00dev, - rt2800_config_channel_rf2xxx(rt2x00dev, conf, rf, info); - } - -- if (rt2x00_rf(rt2x00dev, RF3290) || -+ if (rt2x00_rf(rt2x00dev, RF3070) || -+ rt2x00_rf(rt2x00dev, RF3290) || - rt2x00_rf(rt2x00dev, RF3322) || - rt2x00_rf(rt2x00dev, RF5360) || - rt2x00_rf(rt2x00dev, RF5370) || -@@ -3219,6 +3221,7 @@ void rt2800_vco_calibration(struct rt2x00_dev *rt2x00dev) - rt2x00_set_field8(&rfcsr, RFCSR7_RF_TUNING, 1); - rt2800_rfcsr_write(rt2x00dev, 7, rfcsr); - break; -+ case RF3070: - case RF3290: - case RF5360: - case RF5370: -@@ -5731,6 +5734,7 @@ static int rt2800_init_eeprom(struct rt2x00_dev *rt2x00dev) - case RF3021: - case RF3022: - case RF3052: -+ case RF3070: - case RF3290: - case RF3320: - case RF3322: -@@ -6186,6 +6190,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - rt2x00_rf(rt2x00dev, RF2020) || - rt2x00_rf(rt2x00dev, RF3021) || - rt2x00_rf(rt2x00dev, RF3022) || -+ rt2x00_rf(rt2x00dev, RF3070) || - rt2x00_rf(rt2x00dev, RF3290) || - rt2x00_rf(rt2x00dev, RF3320) || - rt2x00_rf(rt2x00dev, RF3322) || -@@ -6219,10 +6224,11 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - /* - * Initialize HT information. - */ -- if (!rt2x00_rf(rt2x00dev, RF2020)) -+ if (!rt2x00_rf(rt2x00dev, RF2020)) { - spec->ht.ht_supported = true; -- else -+ } else { - spec->ht.ht_supported = false; -+ } - - spec->ht.cap = - IEEE80211_HT_CAP_SUP_WIDTH_20_40 | -@@ -6290,6 +6296,7 @@ static int rt2800_probe_hw_mode(struct rt2x00_dev *rt2x00dev) - case RF3022: - case RF3320: - case RF3052: -+ case RF3070: - case RF3290: - case RF5360: - case RF5370: diff --git a/rt2800usb-slow-down-TX-status-polling.patch b/rt2800usb-slow-down-TX-status-polling.patch deleted file mode 100644 index a76f9b847..000000000 --- a/rt2800usb-slow-down-TX-status-polling.patch +++ /dev/null @@ -1,53 +0,0 @@ -Polling TX statuses too frequently has two negative effects. First is -randomly peek CPU usage, causing overall system functioning delays. -Second bad effect is that device is not able to fill TX statuses in -H/W register on some workloads and we get lot of timeouts like below: - -ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 -ieee80211 phy4: rt2800usb_entry_txstatus_timeout: Warning - TX status timeout for entry 7 in queue 2 -ieee80211 phy4: rt2800usb_txdone: Warning - Got TX status for an empty queue 2, dropping - -This not only cause flood of messages in dmesg, but also bad throughput, -since rate scaling algorithm can not work optimally. - -In the future, we should probably make polling interval be adjusted -automatically, but for now just increase values, this make mentioned -problems gone. - -Resolve: -https://bugzilla.kernel.org/show_bug.cgi?id=62781 - -Cc: stable@vger.kernel.org -Signed-off-by: Stanislaw Gruszka ---- - drivers/net/wireless/rt2x00/rt2800usb.c | 8 ++++---- - 1 file changed, 4 insertions(+), 4 deletions(-) - -diff --git a/drivers/net/wireless/rt2x00/rt2800usb.c b/drivers/net/wireless/rt2x00/rt2800usb.c -index 96677ce5..e095e61 100644 ---- a/drivers/net/wireless/rt2x00/rt2800usb.c -+++ b/drivers/net/wireless/rt2x00/rt2800usb.c -@@ -176,8 +176,8 @@ static bool rt2800usb_tx_sta_fifo_read_completed(struct rt2x00_dev *rt2x00dev, - queue_work(rt2x00dev->workqueue, &rt2x00dev->txdone_work); - - if (rt2800usb_txstatus_pending(rt2x00dev)) { -- /* Read register after 250 us */ -- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 250000), -+ /* Read register after 1 ms */ -+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 1000000), - HRTIMER_MODE_REL); - return false; - } -@@ -202,8 +202,8 @@ static void rt2800usb_async_read_tx_status(struct rt2x00_dev *rt2x00dev) - if (test_and_set_bit(TX_STATUS_READING, &rt2x00dev->flags)) - return; - -- /* Read TX_STA_FIFO register after 500 us */ -- hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 500000), -+ /* Read TX_STA_FIFO register after 2 ms */ -+ hrtimer_start(&rt2x00dev->txstatus_timer, ktime_set(0, 2000000), - HRTIMER_MODE_REL); - } - --- -1.8.3.1 diff --git a/sb-hibernate.patch b/sb-hibernate.patch new file mode 100644 index 000000000..447237c60 --- /dev/null +++ b/sb-hibernate.patch @@ -0,0 +1,112 @@ +From ffe1ee94d526900ce1e5191cdd38934477dd209a Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 26 Oct 2012 14:02:09 -0400 +Subject: [PATCH] hibernate: Disable in a signed modules environment + +There is currently no way to verify the resume image when returning +from hibernate. This might compromise the signed modules trust model, +so until we can work with signed hibernate images we disable it in +a secure modules environment. + +Signed-off-by: Josh Boyer +--- + kernel/power/hibernate.c | 16 +++++++++++++++- + kernel/power/main.c | 7 ++++++- + kernel/power/user.c | 1 + + 3 files changed, 22 insertions(+), 2 deletions(-) + +diff --git a/kernel/power/hibernate.c b/kernel/power/hibernate.c +index b26f5f1..e65228b 100644 +--- a/kernel/power/hibernate.c ++++ b/kernel/power/hibernate.c +@@ -28,6 +28,8 @@ + #include + #include + #include ++#include ++#include + + #include "power.h" + +@@ -632,6 +634,10 @@ int hibernate(void) + { + int error; + ++ if (secure_modules()) { ++ return -EPERM; ++ } ++ + lock_system_sleep(); + /* The snapshot device should not be opened while we're running */ + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { +@@ -723,7 +729,7 @@ static int software_resume(void) + /* + * If the user said "noresume".. bail out early. + */ +- if (noresume) ++ if (noresume || secure_modules()) + return 0; + + /* +@@ -889,6 +895,11 @@ static ssize_t disk_show(struct kobject *kobj, struct kobj_attribute *attr, + int i; + char *start = buf; + ++ if (efi_enabled(EFI_SECURE_BOOT)) { ++ buf += sprintf(buf, "[%s]\n", "disabled"); ++ return buf-start; ++ } ++ + for (i = HIBERNATION_FIRST; i <= HIBERNATION_MAX; i++) { + if (!hibernation_modes[i]) + continue; +@@ -923,6 +934,9 @@ static ssize_t disk_store(struct kobject *kobj, struct kobj_attribute *attr, + char *p; + int mode = HIBERNATION_INVALID; + ++ if (secure_modules()) ++ return -EPERM; ++ + p = memchr(buf, '\n', n); + len = p ? p - buf : n; + +diff --git a/kernel/power/main.c b/kernel/power/main.c +index 1d1bf63..300f300 100644 +--- a/kernel/power/main.c ++++ b/kernel/power/main.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + + #include "power.h" + +@@ -301,7 +302,11 @@ static ssize_t state_show(struct kobject *kobj, struct kobj_attribute *attr, + } + #endif + #ifdef CONFIG_HIBERNATION +- s += sprintf(s, "%s\n", "disk"); ++ if (!efi_enabled(EFI_SECURE_BOOT)) { ++ s += sprintf(s, "%s\n", "disk"); ++ } else { ++ s += sprintf(s, "\n"); ++ } + #else + if (s != buf) + /* convert the last space to a newline */ +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 15cb72f..fa85ed5 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -25,6 +25,7 @@ + #include + #include + #include ++#include + + #include + +-- +1.8.3.1 + diff --git a/secure-modules.patch b/secure-modules.patch new file mode 100644 index 000000000..9d01b9356 --- /dev/null +++ b/secure-modules.patch @@ -0,0 +1,874 @@ +From 8dea807503a1ba88d9e27595daae7f86ec968711 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Aug 2013 17:58:15 -0400 +Subject: [PATCH 01/14] Add secure_modules() call + +Provide a single call to allow kernel code to determine whether the system +has been configured to either disable module loading entirely or to load +only modules signed with a trusted key. + +Signed-off-by: Matthew Garrett +--- + include/linux/module.h | 7 +++++++ + kernel/module.c | 10 ++++++++++ + 2 files changed, 17 insertions(+) + +diff --git a/include/linux/module.h b/include/linux/module.h +index 46f1ea0..0c266b2 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -509,6 +509,8 @@ int unregister_module_notifier(struct notifier_block * nb); + + extern void print_modules(void); + ++extern bool secure_modules(void); ++ + #else /* !CONFIG_MODULES... */ + + /* Given an address, look for it in the exception tables. */ +@@ -619,6 +621,11 @@ static inline int unregister_module_notifier(struct notifier_block * nb) + static inline void print_modules(void) + { + } ++ ++static inline bool secure_modules(void) ++{ ++ return false; ++} + #endif /* CONFIG_MODULES */ + + #ifdef CONFIG_SYSFS +diff --git a/kernel/module.c b/kernel/module.c +index 2069158..0e94acf 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3852,3 +3852,13 @@ void module_layout(struct module *mod, + } + EXPORT_SYMBOL(module_layout); + #endif ++ ++bool secure_modules(void) ++{ ++#ifdef CONFIG_MODULE_SIG ++ return (sig_enforce || modules_disabled); ++#else ++ return modules_disabled; ++#endif ++} ++EXPORT_SYMBOL(secure_modules); +-- +1.8.3.1 + + +From 9b7b3f6283bf784e4ea1c34e52646b12971b2823 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 10:10:38 -0500 +Subject: [PATCH 02/14] PCI: Lock down BAR access when module security is + enabled + +Any hardware that can potentially generate DMA has to be locked down from +userspace in order to avoid it being possible for an attacker to modify +kernel code, allowing them to circumvent disabled module loading or module +signing. Default to paranoid - in future we can potentially relax this for +sufficiently IOMMU-isolated devices. + +Signed-off-by: Matthew Garrett +--- + drivers/pci/pci-sysfs.c | 10 ++++++++++ + drivers/pci/proc.c | 8 +++++++- + drivers/pci/syscall.c | 3 ++- + 3 files changed, 19 insertions(+), 2 deletions(-) + +diff --git a/drivers/pci/pci-sysfs.c b/drivers/pci/pci-sysfs.c +index c0dbe1f..cd4e35f 100644 +--- a/drivers/pci/pci-sysfs.c ++++ b/drivers/pci/pci-sysfs.c +@@ -29,6 +29,7 @@ + #include + #include + #include ++#include + #include "pci.h" + + static int sysfs_initialized; /* = 0 */ +@@ -624,6 +625,9 @@ pci_write_config(struct file* filp, struct kobject *kobj, + loff_t init_off = off; + u8 *data = (u8*) buf; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (off > dev->cfg_size) + return 0; + if (off + count > dev->cfg_size) { +@@ -930,6 +934,9 @@ pci_mmap_resource(struct kobject *kobj, struct bin_attribute *attr, + resource_size_t start, end; + int i; + ++ if (secure_modules()) ++ return -EPERM; ++ + for (i = 0; i < PCI_ROM_RESOURCE; i++) + if (res == &pdev->resource[i]) + break; +@@ -1037,6 +1044,9 @@ pci_write_resource_io(struct file *filp, struct kobject *kobj, + struct bin_attribute *attr, char *buf, + loff_t off, size_t count) + { ++ if (secure_modules()) ++ return -EPERM; ++ + return pci_resource_io(filp, kobj, attr, buf, off, count, true); + } + +diff --git a/drivers/pci/proc.c b/drivers/pci/proc.c +index cdc7836..e3d498b 100644 +--- a/drivers/pci/proc.c ++++ b/drivers/pci/proc.c +@@ -117,6 +117,9 @@ proc_bus_pci_write(struct file *file, const char __user *buf, size_t nbytes, lof + int size = dev->cfg_size; + int cnt; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (pos >= size) + return 0; + if (nbytes >= size) +@@ -196,6 +199,9 @@ static long proc_bus_pci_ioctl(struct file *file, unsigned int cmd, + #endif /* HAVE_PCI_MMAP */ + int ret = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + switch (cmd) { + case PCIIOC_CONTROLLER: + ret = pci_domain_nr(dev->bus); +@@ -234,7 +240,7 @@ static int proc_bus_pci_mmap(struct file *file, struct vm_area_struct *vma) + struct pci_filp_private *fpriv = file->private_data; + int i, ret; + +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || secure_modules()) + return -EPERM; + + /* Make sure the caller is mapping a real resource for this device */ +diff --git a/drivers/pci/syscall.c b/drivers/pci/syscall.c +index e1c1ec5..bffbf71 100644 +--- a/drivers/pci/syscall.c ++++ b/drivers/pci/syscall.c +@@ -10,6 +10,7 @@ + #include + #include + #include ++#include + #include + #include "pci.h" + +@@ -92,7 +93,7 @@ SYSCALL_DEFINE5(pciconfig_write, unsigned long, bus, unsigned long, dfn, + u32 dword; + int err = 0; + +- if (!capable(CAP_SYS_ADMIN)) ++ if (!capable(CAP_SYS_ADMIN) || secure_modules()) + return -EPERM; + + dev = pci_get_bus_and_slot(bus, dfn); +-- +1.8.3.1 + + +From aac2425a2664c09c2a369e1eec6e7a5bc2713cb1 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Thu, 8 Mar 2012 10:35:59 -0500 +Subject: [PATCH 03/14] x86: Lock down IO port access when module security is + enabled + +IO port access would permit users to gain access to PCI configuration +registers, which in turn (on a lot of hardware) give access to MMIO register +space. This would potentially permit root to trigger arbitrary DMA, so lock +it down by default. + +Signed-off-by: Matthew Garrett +--- + arch/x86/kernel/ioport.c | 5 +++-- + drivers/char/mem.c | 4 ++++ + 2 files changed, 7 insertions(+), 2 deletions(-) + +diff --git a/arch/x86/kernel/ioport.c b/arch/x86/kernel/ioport.c +index 4ddaf66..00b4403 100644 +--- a/arch/x86/kernel/ioport.c ++++ b/arch/x86/kernel/ioport.c +@@ -15,6 +15,7 @@ + #include + #include + #include ++#include + #include + + /* +@@ -28,7 +29,7 @@ asmlinkage long sys_ioperm(unsigned long from, unsigned long num, int turn_on) + + if ((from + num <= from) || (from + num > IO_BITMAP_BITS)) + return -EINVAL; +- if (turn_on && !capable(CAP_SYS_RAWIO)) ++ if (turn_on && (!capable(CAP_SYS_RAWIO) || secure_modules())) + return -EPERM; + + /* +@@ -103,7 +104,7 @@ SYSCALL_DEFINE1(iopl, unsigned int, level) + return -EINVAL; + /* Trying to gain more privileges? */ + if (level > old) { +- if (!capable(CAP_SYS_RAWIO)) ++ if (!capable(CAP_SYS_RAWIO) || secure_modules()) + return -EPERM; + } + regs->flags = (regs->flags & ~X86_EFLAGS_IOPL) | (level << 12); +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index f895a8c..1af8664 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -28,6 +28,7 @@ + #include + #include + #include ++#include + + #include + +@@ -563,6 +564,9 @@ static ssize_t write_port(struct file *file, const char __user *buf, + unsigned long i = *ppos; + const char __user *tmp = buf; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!access_ok(VERIFY_READ, buf, count)) + return -EFAULT; + while (count-- > 0 && i < 65536) { +-- +1.8.3.1 + + +From e7f9789c7eedf291972666befee726ff8e7126f6 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:39:37 -0500 +Subject: [PATCH 04/14] ACPI: Limit access to custom_method + +custom_method effectively allows arbitrary access to system memory, making +it possible for an attacker to circumvent restrictions on module loading. +Disable it if any such restrictions have been enabled. + +Signed-off-by: Matthew Garrett +--- + drivers/acpi/custom_method.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/acpi/custom_method.c b/drivers/acpi/custom_method.c +index 12b62f2..50647b3 100644 +--- a/drivers/acpi/custom_method.c ++++ b/drivers/acpi/custom_method.c +@@ -29,6 +29,9 @@ static ssize_t cm_write(struct file *file, const char __user * user_buf, + struct acpi_table_header table; + acpi_status status; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!(*ppos)) { + /* parse the table header to get the table length */ + if (count <= sizeof(struct acpi_table_header)) +-- +1.8.3.1 + + +From d81cd6628c821d47bd086354cbc57b1474f3c1a8 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 08:46:50 -0500 +Subject: [PATCH 05/14] asus-wmi: Restrict debugfs interface when module + loading is restricted + +We have no way of validating what all of the Asus WMI methods do on a +given machine, and there's a risk that some will allow hardware state to +be manipulated in such a way that arbitrary code can be executed in the +kernel, circumventing module loading restrictions. Prevent that if any of +these features are enabled. + +Signed-off-by: Matthew Garrett +--- + drivers/platform/x86/asus-wmi.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git a/drivers/platform/x86/asus-wmi.c b/drivers/platform/x86/asus-wmi.c +index 19c313b..db18ef66 100644 +--- a/drivers/platform/x86/asus-wmi.c ++++ b/drivers/platform/x86/asus-wmi.c +@@ -1618,6 +1618,9 @@ static int show_dsts(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (secure_modules()) ++ return -EPERM; ++ + err = asus_wmi_get_devstate(asus, asus->debug.dev_id, &retval); + + if (err < 0) +@@ -1634,6 +1637,9 @@ static int show_devs(struct seq_file *m, void *data) + int err; + u32 retval = -1; + ++ if (secure_modules()) ++ return -EPERM; ++ + err = asus_wmi_set_devstate(asus->debug.dev_id, asus->debug.ctrl_param, + &retval); + +@@ -1658,6 +1664,9 @@ static int show_call(struct seq_file *m, void *data) + union acpi_object *obj; + acpi_status status; + ++ if (secure_modules()) ++ return -EPERM; ++ + status = wmi_evaluate_method(ASUS_WMI_MGMT_GUID, + 1, asus->debug.method_id, + &input, &output); +-- +1.8.3.1 + + +From df75e984729ef50bb691b4d15472529fcd81580b Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Mar 2012 09:28:15 -0500 +Subject: [PATCH 06/14] Restrict /dev/mem and /dev/kmem when module loading is + restricted + +Allowing users to write to address space makes it possible for the kernel +to be subverted, avoiding module loading restrictions. Prevent this when +any restrictions have been imposed on loading modules. + +Signed-off-by: Matthew Garrett +--- + drivers/char/mem.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/char/mem.c b/drivers/char/mem.c +index 1af8664..61406c8 100644 +--- a/drivers/char/mem.c ++++ b/drivers/char/mem.c +@@ -159,6 +159,9 @@ static ssize_t write_mem(struct file *file, const char __user *buf, + unsigned long copied; + void *ptr; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (!valid_phys_addr_range(p, count)) + return -EFAULT; + +@@ -497,6 +500,9 @@ static ssize_t write_kmem(struct file *file, const char __user *buf, + char *kbuf; /* k-addr because vwrite() takes vmlist_lock rwlock */ + int err = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (p < (unsigned long) high_memory) { + unsigned long to_write = min_t(unsigned long, count, + (unsigned long)high_memory - p); +-- +1.8.3.1 + + +From 78955913cc46cc5e5c7f2c71c1b07a5c18e06456 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Mon, 25 Jun 2012 19:57:30 -0400 +Subject: [PATCH 07/14] acpi: Ignore acpi_rsdp kernel parameter when module + loading is restricted + +This option allows userspace to pass the RSDP address to the kernel, which +makes it possible for a user to circumvent any restrictions imposed on +loading modules. Disable it in that case. + +Signed-off-by: Josh Boyer +--- + drivers/acpi/osl.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/acpi/osl.c b/drivers/acpi/osl.c +index 6ab2c35..e4c4410 100644 +--- a/drivers/acpi/osl.c ++++ b/drivers/acpi/osl.c +@@ -45,6 +45,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -245,7 +246,7 @@ early_param("acpi_rsdp", setup_acpi_rsdp); + acpi_physical_address __init acpi_os_get_root_pointer(void) + { + #ifdef CONFIG_KEXEC +- if (acpi_rsdp) ++ if (acpi_rsdp && !secure_modules()) + return acpi_rsdp; + #endif + +-- +1.8.3.1 + + +From 23aae9143fbece326b3a26bf5ba48956c99cabe4 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Aug 2013 03:33:56 -0400 +Subject: [PATCH 08/14] kexec: Disable at runtime if the kernel enforces module + loading restrictions + +kexec permits the loading and execution of arbitrary code in ring 0, which +is something that module signing enforcement is meant to prevent. It makes +sense to disable kexec in this situation. + +Signed-off-by: Matthew Garrett +--- + kernel/kexec.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/kernel/kexec.c b/kernel/kexec.c +index 59f7b55..3e2b63a 100644 +--- a/kernel/kexec.c ++++ b/kernel/kexec.c +@@ -32,6 +32,7 @@ + #include + #include + #include ++#include + + #include + #include +@@ -943,6 +944,13 @@ SYSCALL_DEFINE4(kexec_load, unsigned long, entry, unsigned long, nr_segments, + return -EPERM; + + /* ++ * kexec can be used to circumvent module loading restrictions, so ++ * prevent loading in that case ++ */ ++ if (secure_modules()) ++ return -EPERM; ++ ++ /* + * Verify we have a legal set of flags + * This leaves us room for future extensions. + */ +-- +1.8.3.1 + + +From 218cd49aa2d6a085c5c4edc0396200864f0b54ad Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Tue, 3 Sep 2013 11:23:29 -0400 +Subject: [PATCH 09/14] uswsusp: Disable when module loading is restricted + +uswsusp allows a user process to dump and then restore kernel state, which +makes it possible to avoid module loading restrictions. Prevent this when +any restrictions have been imposed on loading modules. + +Signed-off-by: Matthew Garrett +--- + kernel/power/user.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/kernel/power/user.c b/kernel/power/user.c +index 4ed81e7..15cb72f 100644 +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -24,6 +24,7 @@ + #include + #include + #include ++#include + + #include + +@@ -48,6 +49,9 @@ static int snapshot_open(struct inode *inode, struct file *filp) + struct snapshot_data *data; + int error; + ++ if (secure_modules()) ++ return -EPERM; ++ + lock_system_sleep(); + + if (!atomic_add_unless(&snapshot_device_available, -1, 0)) { +-- +1.8.3.1 + + +From beeaac053d4ae57dc65be1da8b46e5d4bc6542b8 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 8 Feb 2013 11:12:13 -0800 +Subject: [PATCH 10/14] x86: Restrict MSR access when module loading is + restricted + +Writing to MSRs should not be allowed if module loading is restricted, +since it could lead to execution of arbitrary code in kernel mode. Based +on a patch by Kees Cook. + +Cc: Kees Cook +Signed-off-by: Matthew Garrett +--- + arch/x86/kernel/msr.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/arch/x86/kernel/msr.c b/arch/x86/kernel/msr.c +index 88458fa..d08f7e3 100644 +--- a/arch/x86/kernel/msr.c ++++ b/arch/x86/kernel/msr.c +@@ -103,6 +103,9 @@ static ssize_t msr_write(struct file *file, const char __user *buf, + int err = 0; + ssize_t bytes = 0; + ++ if (secure_modules()) ++ return -EPERM; ++ + if (count % 8) + return -EINVAL; /* Invalid chunk size */ + +@@ -150,6 +153,10 @@ static long msr_ioctl(struct file *file, unsigned int ioc, unsigned long arg) + err = -EBADF; + break; + } ++ if (secure_modules()) { ++ err = -EPERM; ++ break; ++ } + if (copy_from_user(®s, uregs, sizeof regs)) { + err = -EFAULT; + break; +-- +1.8.3.1 + + +From b4331711c52aff0a6a9cef0f4b52fe261874d6f2 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Fri, 9 Aug 2013 18:36:30 -0400 +Subject: [PATCH 11/14] Add option to automatically enforce module signatures + when in Secure Boot mode + +UEFI Secure Boot provides a mechanism for ensuring that the firmware will +only load signed bootloaders and kernels. Certain use cases may also +require that all kernel modules also be signed. Add a configuration option +that enforces this automatically when enabled. + +Signed-off-by: Matthew Garrett +--- + Documentation/x86/zero-page.txt | 2 ++ + arch/x86/Kconfig | 10 ++++++++++ + arch/x86/boot/compressed/eboot.c | 36 +++++++++++++++++++++++++++++++++++ + arch/x86/include/uapi/asm/bootparam.h | 3 ++- + arch/x86/kernel/setup.c | 6 ++++++ + include/linux/module.h | 6 ++++++ + kernel/module.c | 7 +++++++ + 7 files changed, 69 insertions(+), 1 deletion(-) + +diff --git a/Documentation/x86/zero-page.txt b/Documentation/x86/zero-page.txt +index 199f453..ec38acf 100644 +--- a/Documentation/x86/zero-page.txt ++++ b/Documentation/x86/zero-page.txt +@@ -30,6 +30,8 @@ Offset Proto Name Meaning + 1E9/001 ALL eddbuf_entries Number of entries in eddbuf (below) + 1EA/001 ALL edd_mbr_sig_buf_entries Number of entries in edd_mbr_sig_buffer + (below) ++1EB/001 ALL kbd_status Numlock is enabled ++1EC/001 ALL secure_boot Secure boot is enabled in the firmware + 1EF/001 ALL sentinel Used to detect broken bootloaders + 290/040 ALL edd_mbr_sig_buffer EDD MBR signatures + 2D0/A00 ALL e820_map E820 memory map table +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index b32ebf9..6a6c19b 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1581,6 +1581,16 @@ config EFI_STUB + + See Documentation/x86/efi-stub.txt for more information. + ++config EFI_SECURE_BOOT_SIG_ENFORCE ++ def_bool n ++ prompt "Force module signing when UEFI Secure Boot is enabled" ++ ---help--- ++ UEFI Secure Boot provides a mechanism for ensuring that the ++ firmware will only load signed bootloaders and kernels. Certain ++ use cases may also require that all kernel modules also be signed. ++ Say Y here to automatically enable module signature enforcement ++ when a system boots with UEFI Secure Boot enabled. ++ + config SECCOMP + def_bool y + prompt "Enable seccomp to safely compute untrusted bytecode" +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index b7388a4..53bfe4f 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -12,6 +12,7 @@ + #include + #include + #include ++#include + + #undef memcpy /* Use memcpy from misc.c */ + +@@ -861,6 +862,37 @@ fail: + return status; + } + ++static int get_secure_boot(void) ++{ ++ u8 sb, setup; ++ unsigned long datasize = sizeof(sb); ++ efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; ++ efi_status_t status; ++ ++ status = efi_call_phys5(sys_table->runtime->get_variable, ++ L"SecureBoot", &var_guid, NULL, &datasize, &sb); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (sb == 0) ++ return 0; ++ ++ ++ status = efi_call_phys5(sys_table->runtime->get_variable, ++ L"SetupMode", &var_guid, NULL, &datasize, ++ &setup); ++ ++ if (status != EFI_SUCCESS) ++ return 0; ++ ++ if (setup == 1) ++ return 0; ++ ++ return 1; ++} ++ ++ + /* + * Because the x86 boot code expects to be passed a boot_params we + * need to create one ourselves (usually the bootloader would create +@@ -1169,6 +1201,10 @@ struct boot_params *efi_main(void *handle, efi_system_table_t *_table, + if (sys_table->hdr.signature != EFI_SYSTEM_TABLE_SIGNATURE) + goto fail; + ++ sanitize_boot_params(boot_params); ++ ++ boot_params->secure_boot = get_secure_boot(); ++ + setup_graphics(boot_params); + + setup_efi_pci(boot_params); +diff --git a/arch/x86/include/uapi/asm/bootparam.h b/arch/x86/include/uapi/asm/bootparam.h +index c15ddaf..85d7685 100644 +--- a/arch/x86/include/uapi/asm/bootparam.h ++++ b/arch/x86/include/uapi/asm/bootparam.h +@@ -131,7 +131,8 @@ struct boot_params { + __u8 eddbuf_entries; /* 0x1e9 */ + __u8 edd_mbr_sig_buf_entries; /* 0x1ea */ + __u8 kbd_status; /* 0x1eb */ +- __u8 _pad5[3]; /* 0x1ec */ ++ __u8 secure_boot; /* 0x1ec */ ++ __u8 _pad5[2]; /* 0x1ed */ + /* + * The sentinel is set to a nonzero value (0xff) in header.S. + * +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index f8ec578..deeb7bc 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1129,6 +1129,12 @@ void __init setup_arch(char **cmdline_p) + + io_delay_init(); + ++#ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE ++ if (boot_params.secure_boot) { ++ enforce_signed_modules(); ++ } ++#endif ++ + /* + * Parse the ACPI tables for possible boot-time SMP configuration. + */ +diff --git a/include/linux/module.h b/include/linux/module.h +index 0c266b2..5a6374a 100644 +--- a/include/linux/module.h ++++ b/include/linux/module.h +@@ -184,6 +184,12 @@ const struct exception_table_entry *search_exception_tables(unsigned long add); + + struct notifier_block; + ++#ifdef CONFIG_MODULE_SIG ++extern void enforce_signed_modules(void); ++#else ++static inline void enforce_signed_modules(void) {}; ++#endif ++ + #ifdef CONFIG_MODULES + + extern int modules_disabled; /* for sysctl */ +diff --git a/kernel/module.c b/kernel/module.c +index 0e94acf..974139b 100644 +--- a/kernel/module.c ++++ b/kernel/module.c +@@ -3853,6 +3853,13 @@ void module_layout(struct module *mod, + EXPORT_SYMBOL(module_layout); + #endif + ++#ifdef CONFIG_MODULE_SIG ++void enforce_signed_modules(void) ++{ ++ sig_enforce = true; ++} ++#endif ++ + bool secure_modules(void) + { + #ifdef CONFIG_MODULE_SIG +-- +1.8.3.1 + + +From bb28516d346e6511f1e012321c48eb142763e539 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 5 Feb 2013 19:25:05 -0500 +Subject: [PATCH 12/14] efi: Disable secure boot if shim is in insecure mode + +A user can manually tell the shim boot loader to disable validation of +images it loads. When a user does this, it creates a UEFI variable called +MokSBState that does not have the runtime attribute set. Given that the +user explicitly disabled validation, we can honor that and not enable +secure boot mode if that variable is set. + +Signed-off-by: Josh Boyer +--- + arch/x86/boot/compressed/eboot.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/boot/compressed/eboot.c b/arch/x86/boot/compressed/eboot.c +index 53bfe4f..946028b 100644 +--- a/arch/x86/boot/compressed/eboot.c ++++ b/arch/x86/boot/compressed/eboot.c +@@ -864,8 +864,9 @@ fail: + + static int get_secure_boot(void) + { +- u8 sb, setup; ++ u8 sb, setup, moksbstate; + unsigned long datasize = sizeof(sb); ++ u32 attr; + efi_guid_t var_guid = EFI_GLOBAL_VARIABLE_GUID; + efi_status_t status; + +@@ -889,6 +890,23 @@ static int get_secure_boot(void) + if (setup == 1) + return 0; + ++ /* See if a user has put shim into insecure_mode. If so, and the variable ++ * doesn't have the runtime attribute set, we might as well honor that. ++ */ ++ var_guid = EFI_SHIM_LOCK_GUID; ++ status = efi_call_phys5(sys_table->runtime->get_variable, ++ L"MokSBState", &var_guid, &attr, &datasize, ++ &moksbstate); ++ ++ /* If it fails, we don't care why. Default to secure */ ++ if (status != EFI_SUCCESS) ++ return 1; ++ ++ if (!(attr & EFI_VARIABLE_RUNTIME_ACCESS)) { ++ if (moksbstate == 1) ++ return 0; ++ } ++ + return 1; + } + +-- +1.8.3.1 + + +From 4c8824bac8d4284e66c39c365ba84151f2d78e87 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 27 Aug 2013 13:28:43 -0400 +Subject: [PATCH 13/14] efi: Make EFI_SECURE_BOOT_SIG_ENFORCE depend on EFI + +The functionality of the config option is dependent upon the platform being +UEFI based. Reflect this in the config deps. + +Signed-off-by: Josh Boyer +--- + arch/x86/Kconfig | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/arch/x86/Kconfig b/arch/x86/Kconfig +index 6a6c19b..10498ec 100644 +--- a/arch/x86/Kconfig ++++ b/arch/x86/Kconfig +@@ -1582,7 +1582,8 @@ config EFI_STUB + See Documentation/x86/efi-stub.txt for more information. + + config EFI_SECURE_BOOT_SIG_ENFORCE +- def_bool n ++ def_bool n ++ depends on EFI + prompt "Force module signing when UEFI Secure Boot is enabled" + ---help--- + UEFI Secure Boot provides a mechanism for ensuring that the +-- +1.8.3.1 + + +From 871b0ed1847c3c5413a4ca72ecf18735858f7708 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Tue, 27 Aug 2013 13:33:03 -0400 +Subject: [PATCH 14/14] efi: Add EFI_SECURE_BOOT bit + +UEFI machines can be booted in Secure Boot mode. Add a EFI_SECURE_BOOT bit +for use with efi_enabled. + +Signed-off-by: Josh Boyer +--- + arch/x86/kernel/setup.c | 2 ++ + include/linux/efi.h | 1 + + 2 files changed, 3 insertions(+) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index deeb7bc..08dc16e 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -1131,7 +1131,9 @@ void __init setup_arch(char **cmdline_p) + + #ifdef CONFIG_EFI_SECURE_BOOT_SIG_ENFORCE + if (boot_params.secure_boot) { ++ set_bit(EFI_SECURE_BOOT, &x86_efi_facility); + enforce_signed_modules(); ++ pr_info("Secure boot enabled\n"); + } + #endif + +diff --git a/include/linux/efi.h b/include/linux/efi.h +index 5f8f176..eed2202 100644 +--- a/include/linux/efi.h ++++ b/include/linux/efi.h +@@ -634,6 +634,7 @@ extern int __init efi_setup_pcdp_console(char *); + #define EFI_RUNTIME_SERVICES 3 /* Can we use runtime services? */ + #define EFI_MEMMAP 4 /* Can we use EFI memory map? */ + #define EFI_64BIT 5 /* Is the firmware 64-bit? */ ++#define EFI_SECURE_BOOT 6 /* Are we in Secure Boot mode? */ + + #ifdef CONFIG_EFI + # ifdef CONFIG_X86 +-- +1.8.3.1 + diff --git a/silence-noise.patch b/silence-noise.patch index 1e4d7c57f..a8032597e 100644 --- a/silence-noise.patch +++ b/silence-noise.patch @@ -7,28 +7,20 @@ Some systems, such as EFI-based Apple systems, won't necessarily have an i8042 to initialize. We shouldn't be printing an error message in this case, since not detecting the chip is the correct behavior. --- - drivers/input/serio/i8042.c | 4 +--- - 1 files changed, 1 insertions(+), 3 deletions(-) - diff --git a/drivers/input/serio/i8042.c b/drivers/input/serio/i8042.c -index 170f71e..4f3e632 100644 +index 52c9ebf..c374a96 100644 --- a/drivers/input/serio/i8042.c +++ b/drivers/input/serio/i8042.c -@@ -701,10 +701,8 @@ static int __devinit i8042_check_aux(void) - +@@ -855,7 +855,6 @@ static int __init i8042_check_aux(void) static int i8042_controller_check(void) { -- if (i8042_flush() == I8042_BUFFER_SIZE) { + if (i8042_flush()) { - pr_err("No controller found\n"); -+ if (i8042_flush() == I8042_BUFFER_SIZE) return -ENODEV; -- } - - return 0; - } --- -1.6.0.1 + } +-- + Socket fuzzers like sfuzz will trigger this printk a lot, even though it's ratelimited. It isn't particularly useful, so just remove it. diff --git a/slab_common-Do-not-check-for-duplicate-slab-names.patch b/slab_common-Do-not-check-for-duplicate-slab-names.patch deleted file mode 100644 index c99303cc0..000000000 --- a/slab_common-Do-not-check-for-duplicate-slab-names.patch +++ /dev/null @@ -1,71 +0,0 @@ -Bugzilla: 1031086 -Upstream-status: 3.12 - -From cd8fa0170867ce6e6e2d7edba1dc1a0b87485854 Mon Sep 17 00:00:00 2001 -From: Christoph Lameter -Date: Sat, 21 Sep 2013 21:56:34 +0000 -Subject: [PATCH] slab_common: Do not check for duplicate slab names - -SLUB can alias multiple slab kmem_create_requests to one slab cache to save -memory and increase the cache hotness. As a result the name of the slab can be -stale. Only check the name for duplicates if we are in debug mode where we do -not merge multiple caches. - -This fixes the following problem reported by Jonathan Brassow: - - The problem with kmem_cache* is this: - - *) Assume CONFIG_SLUB is set - 1) kmem_cache_create(name="foo-a") - - creates new kmem_cache structure - 2) kmem_cache_create(name="foo-b") - - If identical cache characteristics, it will be merged with the previously - created cache associated with "foo-a". The cache's refcount will be - incremented and an alias will be created via sysfs_slab_alias(). - 3) kmem_cache_destroy() - - Attempting to destroy cache associated with "foo-a", but instead the - refcount is simply decremented. I don't even think the sysfs aliases are - ever removed... - 4) kmem_cache_create(name="foo-a") - - This FAILS because kmem_cache_sanity_check colides with the existing - name ("foo-a") associated with the non-removed cache. - - This is a problem for RAID (specifically dm-raid) because the name used - for the kmem_cache_create is ("raid%d-%p", level, mddev). If the cache - persists for long enough, the memory address of an old mddev will be - reused for a new mddev - causing an identical formulation of the cache - name. Even though kmem_cache_destory had long ago been used to delete - the old cache, the merging of caches has cause the name and cache of that - old instance to be preserved and causes a colision (and thus failure) in - kmem_cache_create(). I see this regularly in my testing. - -Reported-by: Jonathan Brassow -Signed-off-by: Christoph Lameter -Signed-off-by: Pekka Enberg ---- - mm/slab_common.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/mm/slab_common.c b/mm/slab_common.c -index 538bade..d434771 100644 ---- a/mm/slab_common.c -+++ b/mm/slab_common.c -@@ -55,6 +55,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name, - continue; - } - -+#if !defined(CONFIG_SLUB) || !defined(CONFIG_SLUB_DEBUG_ON) - /* - * For simplicity, we won't check this in the list of memcg - * caches. We have control over memcg naming, and if there -@@ -68,6 +69,7 @@ static int kmem_cache_sanity_check(struct mem_cgroup *memcg, const char *name, - s = NULL; - return -EINVAL; - } -+#endif - } - - WARN_ON(strchr(name, ' ')); /* It confuses parsers */ --- -1.8.3.1 - diff --git a/sources b/sources index c634d10c0..df0f7b616 100644 --- a/sources +++ b/sources @@ -1,2 +1,2 @@ -fea363551ff45fbe4cb88497b863b261 linux-3.11.tar.xz -c918da07cf5ad4240945ae56c4de3bc0 patch-3.11.10.xz +cc6ee608854e0da4b64f6c1ff8b6398c linux-3.12.tar.xz +70e456d21f7e7c0dc2f9bd170f1ae4ee patch-3.12.5.xz diff --git a/sunrpc-replace-gssd_running-with-more-reliable-check.patch b/sunrpc-replace-gssd_running-with-more-reliable-check.patch index f2ca18555..8cd5c0090 100644 --- a/sunrpc-replace-gssd_running-with-more-reliable-check.patch +++ b/sunrpc-replace-gssd_running-with-more-reliable-check.patch @@ -14,16 +14,19 @@ extraneous newline from the message. Signed-off-by: Jeff Layton Signed-off-by: Trond Myklebust --- + Fixed up to apply to 3.12.1 by Josh Boyer + include/linux/sunrpc/rpc_pipe_fs.h | 2 ++ net/sunrpc/auth_gss/auth_gss.c | 17 +++++++---------- net/sunrpc/netns.h | 2 -- net/sunrpc/rpc_pipe.c | 14 ++++++++++---- 4 files changed, 19 insertions(+), 16 deletions(-) -diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h ---- linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig 2013-11-21 10:11:17.893026000 -0500 -+++ linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h 2013-11-21 10:14:17.709348000 -0500 -@@ -94,5 +94,7 @@ extern int rpc_unlink(struct dentry *); +diff --git a/include/linux/sunrpc/rpc_pipe_fs.h b/include/linux/sunrpc/rpc_pipe_fs.h +index 85f1342..7f490be 100644 +--- a/include/linux/sunrpc/rpc_pipe_fs.h ++++ b/include/linux/sunrpc/rpc_pipe_fs.h +@@ -131,5 +131,7 @@ extern int rpc_unlink(struct dentry *); extern int register_rpc_pipefs(void); extern void unregister_rpc_pipefs(void); @@ -31,10 +34,11 @@ diff -up linux-3.11.9-200.fc19.x86_64/include/linux/sunrpc/rpc_pipe_fs.h.orig li + #endif #endif -diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c ---- linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig 2013-09-02 16:46:10.000000000 -0400 -+++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c 2013-11-21 10:18:33.681923000 -0500 -@@ -507,8 +507,7 @@ static void warn_gssd(void) +diff --git a/net/sunrpc/auth_gss/auth_gss.c b/net/sunrpc/auth_gss/auth_gss.c +index 0846566..1ada878 100644 +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -517,8 +517,7 @@ static void warn_gssd(void) unsigned long now = jiffies; if (time_after(now, ratelimit)) { @@ -44,7 +48,7 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux- ratelimit = now + 15*HZ; } } -@@ -571,7 +570,6 @@ gss_create_upcall(struct gss_auth *gss_a +@@ -581,7 +580,6 @@ gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) struct rpc_pipe *pipe; struct rpc_cred *cred = &gss_cred->gc_base; struct gss_upcall_msg *gss_msg; @@ -52,7 +56,7 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux- DEFINE_WAIT(wait); int err; -@@ -579,17 +577,16 @@ gss_create_upcall(struct gss_auth *gss_a +@@ -589,17 +587,16 @@ gss_create_upcall(struct gss_auth *gss_auth, struct gss_cred *gss_cred) __func__, from_kuid(&init_user_ns, cred->cr_uid)); retry: err = 0; @@ -65,7 +69,7 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux- + warn_gssd(); + return -EACCES; + } - gss_msg = gss_setup_upcall(gss_auth->client, gss_auth, cred); + gss_msg = gss_setup_upcall(gss_auth, cred); if (PTR_ERR(gss_msg) == -EAGAIN) { err = wait_event_interruptible_timeout(pipe_version_waitqueue, - sn->pipe_version >= 0, timeout); @@ -76,9 +80,10 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/auth_gss/auth_gss.c.orig linux- warn_gssd(); err = -EACCES; } -diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h ---- linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig 2013-11-21 10:11:17.897029000 -0500 -+++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h 2013-11-21 10:14:17.722351000 -0500 +diff --git a/net/sunrpc/netns.h b/net/sunrpc/netns.h +index 8a8e841..94e506f 100644 +--- a/net/sunrpc/netns.h ++++ b/net/sunrpc/netns.h @@ -33,8 +33,6 @@ struct sunrpc_net { int pipe_version; atomic_t pipe_users; @@ -88,9 +93,10 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/netns.h.orig linux-3.11.9-200.f }; extern int sunrpc_net_id; -diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c ---- linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig 2013-11-21 10:11:17.903026000 -0500 -+++ linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c 2013-11-21 10:14:17.727348000 -0500 +diff --git a/net/sunrpc/rpc_pipe.c b/net/sunrpc/rpc_pipe.c +index 40aef18..ad444f3 100644 +--- a/net/sunrpc/rpc_pipe.c ++++ b/net/sunrpc/rpc_pipe.c @@ -216,14 +216,11 @@ rpc_destroy_inode(struct inode *inode) static int rpc_pipe_open(struct inode *inode, struct file *filp) @@ -106,7 +112,7 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-20 pipe = RPC_I(inode)->pipe; if (pipe == NULL) goto out; -@@ -1082,7 +1079,6 @@ int rpc_pipefs_init_net(struct net *net) +@@ -1231,7 +1228,6 @@ int rpc_pipefs_init_net(struct net *net) return PTR_ERR(sn->gssd_dummy); mutex_init(&sn->pipefs_sb_lock); @@ -114,7 +120,7 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-20 sn->pipe_version = -1; return 0; } -@@ -1236,6 +1232,16 @@ err_depopulate: +@@ -1385,6 +1381,16 @@ err_depopulate: return err; } @@ -131,4 +137,3 @@ diff -up linux-3.11.9-200.fc19.x86_64/net/sunrpc/rpc_pipe.c.orig linux-3.11.9-20 static struct dentry * rpc_mount(struct file_system_type *fs_type, int flags, const char *dev_name, void *data) - diff --git a/sysrq-secure-boot.patch b/sysrq-secure-boot.patch new file mode 100644 index 000000000..b4bb80d00 --- /dev/null +++ b/sysrq-secure-boot.patch @@ -0,0 +1,243 @@ +From 71aac34ed679daa0bf772051eb40412b5bd95da3 Mon Sep 17 00:00:00 2001 +From: Kyle McMartin +Date: Fri, 30 Aug 2013 09:28:51 -0400 +Subject: [PATCH] Add sysrq option to disable secure boot mode + +--- + arch/x86/kernel/setup.c | 35 +++++++++++++++++++++++++++++++++++ + drivers/input/misc/uinput.c | 1 + + drivers/tty/sysrq.c | 19 +++++++++++++------ + include/linux/input.h | 5 +++++ + include/linux/sysrq.h | 8 +++++++- + kernel/debug/kdb/kdb_main.c | 2 +- + kernel/module.c | 4 ++-- + 7 files changed, 64 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/setup.c b/arch/x86/kernel/setup.c +index 08dc16e..6971f8e 100644 +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -70,6 +70,11 @@ + #include + #include + ++#include ++#include ++#include ++#include ++ + #include