rpms
/
kernel
2
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Linux v3.5.5

This commit is contained in:
Josh Boyer 2012-10-02 15:11:38 -04:00
parent 1876a31055
commit ef6c2f38d1
7 changed files with 6 additions and 9288 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

35
drm-radeon-force-dma32-to-fix-regression-rs4xx-rs6xx.patch
View File

@ -1,35 +0,0 @@
From 4a2b6662c3632176b4fdf012243dd3751367bf1f Mon Sep 17 00:00:00 2001
From: Jerome Glisse <jglisse@redhat.com>
Date: Tue, 28 Aug 2012 16:50:22 -0400
Subject: [PATCH] drm/radeon: force dma32 to fix regression rs4xx,rs6xx,rs740
It seems some of those IGP dislike non dma32 page despite what
documentation says. Fix regression since we allowed non dma32
pages. It seems it only affect some revision of those IGP chips
as we don't know which one just force dma32 for all of them.
https://bugzilla.redhat.com/show_bug.cgi?id=785375
Signed-off-by: Jerome Glisse <jglisse@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
drivers/gpu/drm/radeon/radeon_device.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/radeon/radeon_device.c b/drivers/gpu/drm/radeon/radeon_device.c
index d2e2438..33da8bf 100644
--- a/drivers/gpu/drm/radeon/radeon_device.c
+++ b/drivers/gpu/drm/radeon/radeon_device.c
@@ -1051,7 +1051,7 @@ int radeon_device_init(struct radeon_device *rdev,
if (rdev->flags & RADEON_IS_AGP)
rdev->need_dma32 = true;
if ((rdev->flags & RADEON_IS_PCI) &&
- (rdev->family < CHIP_RS400))
+ (rdev->family <= CHIP_RS740))
rdev->need_dma32 = true;
dma_bits = rdev->need_dma32 ? 32 : 40;
--
1.7.11.4

70
drm-radeon-make-64bit-fences-more-robust.patch
View File

@ -1,70 +0,0 @@
From: Christian König <deathsimple@vodafone.de>
Only increase the higher 32bits if we really detect a wrap around.
v2: instead of increasing the higher 32bits just use the higher
32bits from the last emitted fence.
v3: also use last emitted fence value as upper limit.
The intention of this patch is to make fences as robust as
they where before introducing 64bit fences. This is
necessary because on older systems it looks like the fence
value gets corrupted on initialization.
Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=51344
Should also fix:
https://bugs.freedesktop.org/show_bug.cgi?id=54129
https://bugs.freedesktop.org/show_bug.cgi?id=54662
https://bugzilla.redhat.com/show_bug.cgi?id=846505
https://bugzilla.redhat.com/show_bug.cgi?id=845639
This is the 3.5 stable version of the patch:
http://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commitdiff;h=f492c171a38d77fc13a8998a0721f2da50835224
3.4 and previous kernels do not need to be patched.
Signed-off-by: Christian König <deathsimple@vodafone.de>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
---
drivers/gpu/drm/radeon/radeon_fence.c | 8 +++++---
1 files changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/gpu/drm/radeon/radeon_fence.c b/drivers/gpu/drm/radeon/radeon_fence.c
index 11f5f40..71298ce 100644
--- a/drivers/gpu/drm/radeon/radeon_fence.c
+++ b/drivers/gpu/drm/radeon/radeon_fence.c
@@ -75,7 +75,7 @@ int radeon_fence_emit(struct radeon_device *rdev, struct radeon_fence *fence)
void radeon_fence_process(struct radeon_device *rdev, int ring)
{
- uint64_t seq, last_seq;
+ uint64_t seq, last_seq, last_emitted;
unsigned count_loop = 0;
bool wake = false;
@@ -102,13 +102,15 @@ void radeon_fence_process(struct radeon_device *rdev, int ring)
*/
last_seq = atomic64_read(&rdev->fence_drv[ring].last_seq);
do {
+ last_emitted = rdev->fence_drv[ring].seq;
seq = radeon_fence_read(rdev, ring);
seq |= last_seq & 0xffffffff00000000LL;
if (seq < last_seq) {
- seq += 0x100000000LL;
+ seq &= 0xffffffff;
+ seq |= last_emitted & 0xffffffff00000000LL;
}
- if (seq == last_seq) {
+ if (seq <= last_seq || seq > last_emitted) {
break;
}
/* If we loop over we don't want to return without
--
1.7.7.5
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html

89
fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
View File

@ -1,89 +0,0 @@
Delivered-To: jwboyer@gmail.com
Received: by 10.229.184.7 with SMTP id ci7csp32184qcb;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Received: by 10.236.195.97 with SMTP id o61mr24210886yhn.17.1345531220620;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Return-Path: <airlied@redhat.com>
Received: from mx1.redhat.com (mx1.redhat.com. [209.132.183.28])
by mx.google.com with ESMTP id c5si239413anp.5.2012.08.20.23.40.20;
Mon, 20 Aug 2012 23:40:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) client-ip=209.132.183.28;
Authentication-Results: mx.google.com; spf=pass (google.com: domain of airlied@redhat.com designates 209.132.183.28 as permitted sender) smtp.mail=airlied@redhat.com
Received: from int-mx01.intmail.prod.int.phx2.redhat.com (int-mx01.intmail.prod.int.phx2.redhat.com [10.5.11.11])
by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id q7L6eJ4K014799
(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK);
Tue, 21 Aug 2012 02:40:19 -0400
Received: from prime.bne.redhat.com (dhcp-41-76.bne.redhat.com [10.64.41.76])
by int-mx01.intmail.prod.int.phx2.redhat.com (8.13.8/8.13.8) with ESMTP id q7L6eFfB029177;
Tue, 21 Aug 2012 02:40:16 -0400
From: Dave Airlie <airlied@redhat.com>
To: linux-fbdev@vger.kernel.org
Cc: dri-devel@lists.sf.net, linux-kernel@vger.kernel.org,
Linus <torvalds@linux-foundation.org>,
Alan Cox <alan@lxorguk.ukuu.org.uk>,
Randy Dunlap <rdunlap@xenotime.net>, Josh Boyer <jwboyer@gmail.com>,
Dave Airlie <airlied@redhat.com>
Subject: [PATCH] fbcon: fix race condition between console lock and cursor timer
Date: Tue, 21 Aug 2012 16:40:07 +1000
Message-Id: <1345531207-24926-1-git-send-email-airlied@redhat.com>
X-Scanned-By: MIMEDefang 2.67 on 10.5.11.11
So we've had a fair few reports of fbcon handover breakage between
efi/vesafb and i915 surface recently, so I dedicated a couple of
days to finding the problem.
Essentially the last thing we saw was the conflicting framebuffer
message and that was all.
So after much tracing with direct netconsole writes (printks
under console_lock not so useful), I think I found the race.
Thread A (driver load) Thread B (timer thread)
unbind_con_driver -> |
bind_con_driver -> |
vc->vc_sw->con_deinit -> |
fbcon_deinit -> |
console_lock() |
| |
| fbcon_flashcursor timer fires
| console_lock() <- blocked for A
|
|
fbcon_del_cursor_timer ->
del_timer_sync
(BOOM)
Of course because all of this is under the console lock,
we never see anything, also since we also just unbound the active
console guess what we never see anything.
Hopefully this fixes the problem for anyone seeing vesafb->kms
driver handoff.
Signed-off-by: David Airlie <airlied@redhat.com>
---
drivers/video/console/fbcon.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/video/console/fbcon.c b/drivers/video/console/fbcon.c
index 2e471c2..f8a79fc 100644
--- a/drivers/video/console/fbcon.c
+++ b/drivers/video/console/fbcon.c
@@ -372,8 +372,12 @@ static void fb_flashcursor(struct work_struct *work)
struct vc_data *vc = NULL;
int c;
int mode;
+ int ret;
+
+ ret = console_trylock();
+ if (ret == 0)
+ return;
- console_lock();
if (ops && ops->currcon != -1)
vc = vc_cons[ops->currcon].d;
--
1.7.10.2

31
kernel.spec
View File

@ -54,7 +54,7 @@ Summary: The Linux kernel
# For non-released -rc kernels, this will be appended after the rcX and
# gitX tags, so a 3 here would become part of release "0.rcX.gitX.3"
#
%global baserelease 3
%global baserelease 1
%global fedora_build %{baserelease}
# base_sublevel is the kernel version we're starting with and patching
@ -66,7 +66,7 @@ Summary: The Linux kernel
%if 0%{?released_kernel}
# Do we have a -stable update to apply?
%define stable_update 4
%define stable_update 5
# Is it a -stable RC?
%define stable_rc 0
# Set rpm version accordingly
@ -673,7 +673,6 @@ Patch800: linux-2.6-crash-driver.patch
# DRM
#atch1700: drm-edid-try-harder-to-fix-up-broken-headers.patch
Patch1701: drm-radeon-force-dma32-to-fix-regression-rs4xx-rs6xx.patch
Patch1800: drm-vgem.patch
@ -752,23 +751,12 @@ Patch22056: crypto-aesni-intel-fix-wrong-kfree-pointer.patch
#rhbz 714271
Patch22060: CPU-hotplug-cpusets-suspend-Dont-modify-cpusets-during.patch
#rhbz 820039 843554
Patch22061: rds-set-correct-msg_namelen.patch
#rhbz 857324
Patch22070: net-tcp-bz857324.patch
Patch23000: fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
#rhbz 850350
Patch24050: xen-pciback-restore-pci-config-space-after-FLR.patch
#rhbz 846505 845639
Patch24055: drm-radeon-make-64bit-fences-more-robust.patch
#3.5.5 stable queue
Patch25000: linux-3.5.5-stable-queue.patch
# END OF PATCH DEFINITIONS
%endif
@ -1409,7 +1397,6 @@ ApplyPatch linux-2.6-e1000-ich9-montevina.patch
# DRM core
#ApplyPatch drm-edid-try-harder-to-fix-up-broken-headers.patch
ApplyPatch drm-radeon-force-dma32-to-fix-regression-rs4xx-rs6xx.patch
ApplyPatch drm-vgem.patch
# Nouveau DRM
@ -1471,23 +1458,12 @@ ApplyPatch crypto-aesni-intel-fix-wrong-kfree-pointer.patch
#rhbz 714271
ApplyPatch CPU-hotplug-cpusets-suspend-Dont-modify-cpusets-during.patch
#rhbz 820039 843554
ApplyPatch rds-set-correct-msg_namelen.patch
#rhbz 857324
ApplyPatch net-tcp-bz857324.patch
ApplyPatch fbcon-fix-race-condition-between-console-lock-and-cursor-timer.patch
#rhbz 850350
ApplyPatch xen-pciback-restore-pci-config-space-after-FLR.patch
#rhbz 846505 845639
ApplyPatch drm-radeon-make-64bit-fences-more-robust.patch
# 3.5.5 stable queue
ApplyPatch linux-3.5.5-stable-queue.patch
# END OF PATCH APPLICATIONS
%endif
@ -2351,6 +2327,9 @@ fi
# '-' | |
# '-'
%changelog
* Tue Oct 02 2012 Josh Boyer <jwboyer@redhat.com> - 3.5.5-1
- Linux v3.5.5
* Fri Sep 28 2012 Dave Jones <davej@redhat.com>
- Apply potential fix for bogus WARN_ON in tcp. (rhbz 857324)

8848
linux-3.5.5-stable-queue.patch
View File

File diff suppressed because it is too large Load Diff

219
rds-set-correct-msg_namelen.patch
View File

@ -1,219 +0,0 @@
From 06b6a1cf6e776426766298d055bb3991957d90a7 Mon Sep 17 00:00:00 2001
From: Weiping Pan <wpan@redhat.com>
Date: Mon, 23 Jul 2012 10:37:48 +0800
Subject: [PATCH] rds: set correct msg_namelen
Jay Fenlason (fenlason@redhat.com) found a bug,
that recvfrom() on an RDS socket can return the contents of random kernel
memory to userspace if it was called with a address length larger than
sizeof(struct sockaddr_in).
rds_recvmsg() also fails to set the addr_len paramater properly before
returning, but that's just a bug.
There are also a number of cases wher recvfrom() can return an entirely bogus
address. Anything in rds_recvmsg() that returns a non-negative value but does
not go through the "sin = (struct sockaddr_in *)msg->msg_name;" code path
at the end of the while(1) loop will return up to 128 bytes of kernel memory
to userspace.
And I write two test programs to reproduce this bug, you will see that in
rds_server, fromAddr will be overwritten and the following sock_fd will be
destroyed.
Yes, it is the programmer's fault to set msg_namelen incorrectly, but it is
better to make the kernel copy the real length of address to user space in
such case.
How to run the test programs ?
I test them on 32bit x86 system, 3.5.0-rc7.
1 compile
gcc -o rds_client rds_client.c
gcc -o rds_server rds_server.c
2 run ./rds_server on one console
3 run ./rds_client on another console
4 you will see something like:
server is waiting to receive data...
old socket fd=3
server received data from client:data from client
msg.msg_namelen=32
new socket fd=-1067277685
sendmsg()
: Bad file descriptor
/***************** rds_client.c ********************/
int main(void)
{
int sock_fd;
struct sockaddr_in serverAddr;
struct sockaddr_in toAddr;
char recvBuffer[128] = "data from client";
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if (sock_fd < 0) {
perror("create socket error\n");
exit(1);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4001);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind() error\n");
close(sock_fd);
exit(1);
}
memset(&toAddr, 0, sizeof(toAddr));
toAddr.sin_family = AF_INET;
toAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
toAddr.sin_port = htons(4000);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = strlen(recvBuffer) + 1;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendto() error\n");
close(sock_fd);
exit(1);
}
printf("client send data:%s\n", recvBuffer);
memset(recvBuffer, '\0', 128);
msg.msg_name = &toAddr;
msg.msg_namelen = sizeof(toAddr);
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("receive data from server:%s\n", recvBuffer);
close(sock_fd);
return 0;
}
/***************** rds_server.c ********************/
int main(void)
{
struct sockaddr_in fromAddr;
int sock_fd;
struct sockaddr_in serverAddr;
unsigned int addrLen;
char recvBuffer[128];
struct msghdr msg;
struct iovec iov;
sock_fd = socket(AF_RDS, SOCK_SEQPACKET, 0);
if(sock_fd < 0) {
perror("create socket error\n");
exit(0);
}
memset(&serverAddr, 0, sizeof(serverAddr));
serverAddr.sin_family = AF_INET;
serverAddr.sin_addr.s_addr = inet_addr("127.0.0.1");
serverAddr.sin_port = htons(4000);
if (bind(sock_fd, (struct sockaddr*)&serverAddr, sizeof(serverAddr)) < 0) {
perror("bind error\n");
close(sock_fd);
exit(1);
}
printf("server is waiting to receive data...\n");
msg.msg_name = &fromAddr;
/*
* I add 16 to sizeof(fromAddr), ie 32,
* and pay attention to the definition of fromAddr,
* recvmsg() will overwrite sock_fd,
* since kernel will copy 32 bytes to userspace.
*
* If you just use sizeof(fromAddr), it works fine.
* */
msg.msg_namelen = sizeof(fromAddr) + 16;
/* msg.msg_namelen = sizeof(fromAddr); */
msg.msg_iov = &iov;
msg.msg_iovlen = 1;
msg.msg_iov->iov_base = recvBuffer;
msg.msg_iov->iov_len = 128;
msg.msg_control = 0;
msg.msg_controllen = 0;
msg.msg_flags = 0;
while (1) {
printf("old socket fd=%d\n", sock_fd);
if (recvmsg(sock_fd, &msg, 0) == -1) {
perror("recvmsg() error\n");
close(sock_fd);
exit(1);
}
printf("server received data from client:%s\n", recvBuffer);
printf("msg.msg_namelen=%d\n", msg.msg_namelen);
printf("new socket fd=%d\n", sock_fd);
strcat(recvBuffer, "--data from server");
if (sendmsg(sock_fd, &msg, 0) == -1) {
perror("sendmsg()\n");
close(sock_fd);
exit(1);
}
}
close(sock_fd);
return 0;
}
Signed-off-by: Weiping Pan <wpan@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
net/rds/recv.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/rds/recv.c b/net/rds/recv.c
index 5c6e9f1..9f0f17c 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -410,6 +410,8 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
rdsdebug("size %zu flags 0x%x timeo %ld\n", size, msg_flags, timeo);
+ msg->msg_namelen = 0;
+
if (msg_flags & MSG_OOB)
goto out;
@@ -485,6 +487,7 @@ int rds_recvmsg(struct kiocb *iocb, struct socket *sock, struct msghdr *msg,
sin->sin_port = inc->i_hdr.h_sport;
sin->sin_addr.s_addr = inc->i_saddr;
memset(sin->sin_zero, 0, sizeof(sin->sin_zero));
+ msg->msg_namelen = sizeof(*sin);
}
break;
}
--
1.7.11.2

2
sources
View File

@ -1,2 +1,2 @@
24153eaaa81dedc9481ada8cd9c3b83d linux-3.5.tar.xz
4d34e5098b490670261b1aea71d26023 patch-3.5.4.xz
0d658ffcd548ab029c9a8d6c4d07e8e2 patch-3.5.5.xz