--- /dev/null
+From 337279ce3aa85d81d34c0f837d1c204df105103b Mon Sep 17 00:00:00 2001
+From: Zhang Rui <rui.zhang@intel.com>
+Date: Tue, 28 Sep 2010 22:48:55 -0400
+Subject: ACPI: Disable Windows Vista compatibility for Toshiba P305D
+
+From: Zhang Rui <rui.zhang@intel.com>
+
+commit 337279ce3aa85d81d34c0f837d1c204df105103b upstream.
+
+Disable the Windows Vista (SP1) compatibility for Toshiba P305D.
+
+http://bugzilla.kernel.org/show_bug.cgi?id=14736
+
+Signed-off-by: Zhang Rui <rui.zhang@intel.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/blacklist.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/blacklist.c
++++ b/drivers/acpi/blacklist.c
+@@ -233,6 +233,14 @@ static struct dmi_system_id acpi_osi_dmi
+ DMI_MATCH(DMI_PRODUCT_NAME, "K50IJ"),
+ },
+ },
++ {
++ .callback = dmi_disable_osi_vista,
++ .ident = "Toshiba P305D",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P305D"),
++ },
++ },
+
+ /*
+ * BIOS invocation of _OSI(Linux) is almost always a BIOS bug.
--- /dev/null
+From 7a1d602f5fc35d14907b7da98d5627acb69589d1 Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Tue, 28 Sep 2010 17:51:51 -0400
+Subject: ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355
+
+From: Len Brown <len.brown@intel.com>
+
+commit 7a1d602f5fc35d14907b7da98d5627acb69589d1 upstream.
+
+https://bugzilla.kernel.org/show_bug.cgi?id=12641
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/blacklist.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/acpi/blacklist.c
++++ b/drivers/acpi/blacklist.c
+@@ -218,6 +218,14 @@ static struct dmi_system_id acpi_osi_dmi
+ },
+ },
+ {
++ .callback = dmi_disable_osi_vista,
++ .ident = "Toshiba Satellite L355",
++ .matches = {
++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"),
++ DMI_MATCH(DMI_PRODUCT_VERSION, "Satellite L355"),
++ },
++ },
++ {
+ .callback = dmi_disable_osi_win7,
+ .ident = "ASUS K50IJ",
+ .matches = {
--- /dev/null
+From 573b638158029898caf9470c8214b7ddd29751e3 Mon Sep 17 00:00:00 2001
+From: Colin Ian King <colin.king@canonical.com>
+Date: Mon, 2 Aug 2010 15:14:43 +0000
+Subject: ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume
+
+From: Colin Ian King <colin.king@canonical.com>
+
+commit 573b638158029898caf9470c8214b7ddd29751e3 upstream.
+
+Section 4.7.3.1.1 (PM1 Status Registers) of version 4.0 of
+the ACPI spec concerning PCIEXP_WAKE_STS points out in
+in the final note field in table 4-11 that if this bit is
+set to 1 and the system is put into a sleeping state then
+the system will not automatically wake.
+
+This bit gets set by hardware to indicate that the system
+woke up due to a PCI Express wakeup event, so clear it during
+acpi_hw_clear_acpi_status() calls to enable subsequent
+resumes to work.
+
+BugLink: http://bugs.launchpad.net/bugs/613381
+
+Signed-off-by: Colin Ian King <colin.king@canonical.com>
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/acpi/acpica/aclocal.h | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/acpi/acpica/aclocal.h
++++ b/drivers/acpi/acpica/aclocal.h
+@@ -846,6 +846,7 @@ struct acpi_bit_register_info {
+ ACPI_BITMASK_POWER_BUTTON_STATUS | \
+ ACPI_BITMASK_SLEEP_BUTTON_STATUS | \
+ ACPI_BITMASK_RT_CLOCK_STATUS | \
++ ACPI_BITMASK_PCIEXP_WAKE_DISABLE | \
+ ACPI_BITMASK_WAKE_STATUS)
+
+ #define ACPI_BITMASK_TIMER_ENABLE 0x0001
--- /dev/null
+From bcf64aa379fcadd074449cbf0c049da70071b06f Mon Sep 17 00:00:00 2001
+From: Paul Fertser <fercerpav@gmail.com>
+Date: Mon, 11 Oct 2010 15:45:35 -0700
+Subject: b44: fix carrier detection on bind
+
+From: Paul Fertser <fercerpav@gmail.com>
+
+commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream.
+
+For carrier detection to work properly when binding the driver with a cable
+unplugged, netif_carrier_off() should be called after register_netdev(),
+not before.
+
+Signed-off-by: Paul Fertser <fercerpav@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/net/b44.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/net/b44.c
++++ b/drivers/net/b44.c
+@@ -2175,8 +2175,6 @@ static int __devinit b44_init_one(struct
+ dev->irq = sdev->irq;
+ SET_ETHTOOL_OPS(dev, &b44_ethtool_ops);
+
+- netif_carrier_off(dev);
+-
+ err = ssb_bus_powerup(sdev->bus, 0);
+ if (err) {
+ dev_err(sdev->dev,
+@@ -2216,6 +2214,8 @@ static int __devinit b44_init_one(struct
+ goto err_out_powerdown;
+ }
+
++ netif_carrier_off(dev);
++
+ ssb_set_drvdata(sdev, dev);
+
+ /* Chip reset provides power to the b44 MAC & PCI cores, which
--- /dev/null
+From 7993bc1f4663c0db67bb8f0d98e6678145b387cd Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland@redhat.com>
+Date: Tue, 7 Sep 2010 19:36:28 -0700
+Subject: execve: improve interactivity with large arguments
+
+From: Roland McGrath <roland@redhat.com>
+
+commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream.
+
+This adds a preemption point during the copying of the argument and
+environment strings for execve, in copy_strings(). There is already
+a preemption point in the count() loop, so this doesn't add any new
+points in the abstract sense.
+
+When the total argument+environment strings are very large, the time
+spent copying them can be much more than a normal user time slice.
+So this change improves the interactivity of the rest of the system
+when one process is doing an execve with very large arguments.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -418,6 +418,8 @@ static int copy_strings(int argc, char _
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ cond_resched();
++
+ offset = pos % PAGE_SIZE;
+ if (offset == 0)
+ offset = PAGE_SIZE;
--- /dev/null
+From 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland@redhat.com>
+Date: Tue, 7 Sep 2010 19:37:06 -0700
+Subject: execve: make responsive to SIGKILL with large arguments
+
+From: Roland McGrath <roland@redhat.com>
+
+commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream.
+
+An execve with a very large total of argument/environment strings
+can take a really long time in the execve system call. It runs
+uninterruptibly to count and copy all the strings. This change
+makes it abort the exec quickly if sent a SIGKILL.
+
+Note that this is the conservative change, to interrupt only for
+SIGKILL, by using fatal_signal_pending(). It would be perfectly
+correct semantics to let any signal interrupt the string-copying in
+execve, i.e. use signal_pending() instead of fatal_signal_pending().
+We'll save that change for later, since it could have user-visible
+consequences, such as having a timer set too quickly make it so that
+an execve can never complete, though it always happened to work before.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+
+---
+ fs/exec.c | 7 +++++++
+ 1 file changed, 7 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -375,6 +375,9 @@ static int count(char __user * __user *
+ argv++;
+ if (i++ >= max)
+ return -E2BIG;
++
++ if (fatal_signal_pending(current))
++ return -ERESTARTNOHAND;
+ cond_resched();
+ }
+ }
+@@ -418,6 +421,10 @@ static int copy_strings(int argc, char _
+ while (len > 0) {
+ int offset, bytes_to_copy;
+
++ if (fatal_signal_pending(current)) {
++ ret = -ERESTARTNOHAND;
++ goto out;
++ }
+ cond_resched();
+
+ offset = pos % PAGE_SIZE;
--- /dev/null
+From 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d Mon Sep 17 00:00:00 2001
+From: Len Brown <len.brown@intel.com>
+Date: Fri, 24 Sep 2010 21:02:27 -0400
+Subject: intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang
+
+From: Len Brown <len.brown@intel.com>
+
+commit 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d upstream.
+
+When the Lenovo Ideapad S10-3 is booted with HT enabled,
+it hits a boot hang in the intel_idle driver.
+
+This occurs when entering ATM-C4 for the first time,
+unless BM_STS is first cleared.
+
+acpi_idle doesn't see this because it first checks
+and clears BM_STS, but it would hit the same hang
+if that check were disabled.
+
+http://bugs.meego.com/show_bug.cgi?id=7093
+https://bugs.launchpad.net/ubuntu/+source/linux/+bug/634702
+
+Signed-off-by: Len Brown <len.brown@intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/pci/quirks.c | 20 ++++++++++++++++++++
+ 1 file changed, 20 insertions(+)
+
+--- a/drivers/pci/quirks.c
++++ b/drivers/pci/quirks.c
+@@ -155,6 +155,26 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NE
+ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_3, quirk_isa_dma_hangs);
+
+ /*
++ * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear
++ * for some HT machines to use C4 w/o hanging.
++ */
++static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev)
++{
++ u32 pmbase;
++ u16 pm1a;
++
++ pci_read_config_dword(dev, 0x40, &pmbase);
++ pmbase = pmbase & 0xff80;
++ pm1a = inw(pmbase);
++
++ if (pm1a & 0x10) {
++ dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n");
++ outw(0x10, pmbase);
++ }
++}
++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts);
++
++/*
+ * Chipsets where PCI->PCI transfers vanish or hang
+ */
+ static void __devinit quirk_nopcipci(struct pci_dev *dev)
--- /dev/null
+From 7fc0405db42af7c170c6eb5d0244b38b54ea7d2c Mon Sep 17 00:00:00 2001
+From: Greg Kroah-Hartman <gregkh@suse.de>
+Date: Fri, 6 Aug 2010 10:22:56 -0700
+Subject: Revert "ssb: Handle Netbook devices where the SPROM address is changed"
+
+From: Greg Kroah-Hartman <gregkh@suse.de>
+
+Turns out this isn't the best way to resolve this issue. The
+individual patches will be applied instead.
+
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/driver_chipcommon.c | 3 -
+ drivers/ssb/driver_chipcommon_pmu.c | 17 ++++++-----
+ drivers/ssb/pci.c | 46 +++---------------------------
+ drivers/ssb/sprom.c | 15 ---------
+ include/linux/ssb/ssb.h | 1
+ include/linux/ssb/ssb_driver_chipcommon.h | 2 -
+ include/linux/ssb/ssb_regs.h | 3 -
+ 7 files changed, 17 insertions(+), 70 deletions(-)
+
+--- a/drivers/ssb/driver_chipcommon.c
++++ b/drivers/ssb/driver_chipcommon.c
+@@ -233,9 +233,6 @@ void ssb_chipcommon_init(struct ssb_chip
+ {
+ if (!cc->dev)
+ return; /* We don't have a ChipCommon */
+- if (cc->dev->id.revision >= 11)
+- cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
+- ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status);
+ ssb_pmu_init(cc);
+ chipco_powercontrol_init(cc);
+ ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
+--- a/drivers/ssb/driver_chipcommon_pmu.c
++++ b/drivers/ssb/driver_chipcommon_pmu.c
+@@ -495,9 +495,9 @@ static void ssb_pmu_resources_init(struc
+ chipco_write32(cc, SSB_CHIPCO_PMU_MAXRES_MSK, max_msk);
+ }
+
+-/* http://bcm-v4.sipsolutions.net/802.11/SSB/PmuInit */
+ void ssb_pmu_init(struct ssb_chipcommon *cc)
+ {
++ struct ssb_bus *bus = cc->dev->bus;
+ u32 pmucap;
+
+ if (!(cc->capabilities & SSB_CHIPCO_CAP_PMU))
+@@ -509,12 +509,15 @@ void ssb_pmu_init(struct ssb_chipcommon
+ ssb_dprintk(KERN_DEBUG PFX "Found rev %u PMU (capabilities 0x%08X)\n",
+ cc->pmu.rev, pmucap);
+
+- if (cc->pmu.rev == 1)
+- chipco_mask32(cc, SSB_CHIPCO_PMU_CTL,
+- ~SSB_CHIPCO_PMU_CTL_NOILPONW);
+- else
+- chipco_set32(cc, SSB_CHIPCO_PMU_CTL,
+- SSB_CHIPCO_PMU_CTL_NOILPONW);
++ if (cc->pmu.rev >= 1) {
++ if ((bus->chip_id == 0x4325) && (bus->chip_rev < 2)) {
++ chipco_mask32(cc, SSB_CHIPCO_PMU_CTL,
++ ~SSB_CHIPCO_PMU_CTL_NOILPONW);
++ } else {
++ chipco_set32(cc, SSB_CHIPCO_PMU_CTL,
++ SSB_CHIPCO_PMU_CTL_NOILPONW);
++ }
++ }
+ ssb_pmu_pll_init(cc);
+ ssb_pmu_resources_init(cc);
+ }
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -22,7 +22,6 @@
+
+ #include "ssb_private.h"
+
+-bool ssb_is_sprom_available(struct ssb_bus *bus);
+
+ /* Define the following to 1 to enable a printk on each coreswitch. */
+ #define SSB_VERBOSE_PCICORESWITCH_DEBUG 0
+@@ -168,7 +167,7 @@ err_pci:
+ }
+
+ /* Get the word-offset for a SSB_SPROM_XXX define. */
+-#define SPOFF(offset) ((offset) / sizeof(u16))
++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16))
+ /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */
+ #define SPEX16(_outvar, _offset, _mask, _shift) \
+ out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift))
+@@ -253,13 +252,8 @@ static int sprom_do_read(struct ssb_bus
+ {
+ int i;
+
+- /* Check if SPROM can be read */
+- if (ioread16(bus->mmio + bus->sprom_offset) == 0xFFFF) {
+- ssb_printk(KERN_ERR PFX "Unable to read SPROM\n");
+- return -ENODEV;
+- }
+ for (i = 0; i < bus->sprom_size; i++)
+- sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2));
++ sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2));
+
+ return 0;
+ }
+@@ -290,7 +284,7 @@ static int sprom_do_write(struct ssb_bus
+ ssb_printk("75%%");
+ else if (i % 2)
+ ssb_printk(".");
+- writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2));
++ writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2));
+ mmiowb();
+ msleep(20);
+ }
+@@ -626,49 +620,21 @@ static int ssb_pci_sprom_get(struct ssb_
+ int err = -ENOMEM;
+ u16 *buf;
+
+- if (!ssb_is_sprom_available(bus)) {
+- ssb_printk(KERN_ERR PFX "No SPROM available!\n");
+- return -ENODEV;
+- }
+- if (bus->chipco.dev) { /* can be unavailible! */
+- /*
+- * get SPROM offset: SSB_SPROM_BASE1 except for
+- * chipcommon rev >= 31 or chip ID is 0x4312 and
+- * chipcommon status & 3 == 2
+- */
+- if (bus->chipco.dev->id.revision >= 31)
+- bus->sprom_offset = SSB_SPROM_BASE31;
+- else if (bus->chip_id == 0x4312 &&
+- (bus->chipco.status & 0x03) == 2)
+- bus->sprom_offset = SSB_SPROM_BASE31;
+- else
+- bus->sprom_offset = SSB_SPROM_BASE1;
+- } else {
+- bus->sprom_offset = SSB_SPROM_BASE1;
+- }
+- ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset);
+-
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
+ if (!buf)
+ goto out;
+ bus->sprom_size = SSB_SPROMSIZE_WORDS_R123;
+- err = sprom_do_read(bus, buf);
+- if (err)
+- goto out_free;
++ sprom_do_read(bus, buf);
+ err = sprom_check_crc(buf, bus->sprom_size);
+ if (err) {
+ /* try for a 440 byte SPROM - revision 4 and higher */
+ kfree(buf);
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R4, sizeof(u16),
+ GFP_KERNEL);
+- if (!buf) {
+- err = -ENOMEM;
++ if (!buf)
+ goto out;
+- }
+ bus->sprom_size = SSB_SPROMSIZE_WORDS_R4;
+- err = sprom_do_read(bus, buf);
+- if (err)
+- goto out_free;
++ sprom_do_read(bus, buf);
+ err = sprom_check_crc(buf, bus->sprom_size);
+ if (err) {
+ /* All CRC attempts failed.
+--- a/drivers/ssb/sprom.c
++++ b/drivers/ssb/sprom.c
+@@ -175,18 +175,3 @@ const struct ssb_sprom *ssb_get_fallback
+ {
+ return fallback_sprom;
+ }
+-
+-/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */
+-bool ssb_is_sprom_available(struct ssb_bus *bus)
+-{
+- /* status register only exists on chipcomon rev >= 11 and we need check
+- for >= 31 only */
+- /* this routine differs from specs as we do not access SPROM directly
+- on PCMCIA */
+- if (bus->bustype == SSB_BUSTYPE_PCI &&
+- bus->chipco.dev && /* can be unavailible! */
+- bus->chipco.dev->id.revision >= 31)
+- return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
+-
+- return true;
+-}
+--- a/include/linux/ssb/ssb.h
++++ b/include/linux/ssb/ssb.h
+@@ -306,7 +306,6 @@ struct ssb_bus {
+ u16 chip_id;
+ u16 chip_rev;
+ u16 sprom_size; /* number of words in sprom */
+- u16 sprom_offset;
+ u8 chip_package;
+
+ /* List of devices (cores) on the backplane. */
+--- a/include/linux/ssb/ssb_driver_chipcommon.h
++++ b/include/linux/ssb/ssb_driver_chipcommon.h
+@@ -46,7 +46,6 @@
+ #define SSB_PLLTYPE_7 0x00038000 /* 25Mhz, 4 dividers */
+ #define SSB_CHIPCO_CAP_PCTL 0x00040000 /* Power Control */
+ #define SSB_CHIPCO_CAP_OTPS 0x00380000 /* OTP size */
+-#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */
+ #define SSB_CHIPCO_CAP_OTPS_SHIFT 19
+ #define SSB_CHIPCO_CAP_OTPS_BASE 5
+ #define SSB_CHIPCO_CAP_JTAGM 0x00400000 /* JTAG master present */
+@@ -565,7 +564,6 @@ struct ssb_chipcommon_pmu {
+ struct ssb_chipcommon {
+ struct ssb_device *dev;
+ u32 capabilities;
+- u32 status;
+ /* Fast Powerup Delay constant */
+ u16 fast_pwrup_delay;
+ struct ssb_chipcommon_pmu pmu;
+--- a/include/linux/ssb/ssb_regs.h
++++ b/include/linux/ssb/ssb_regs.h
+@@ -170,8 +170,7 @@
+ #define SSB_SPROMSIZE_WORDS_R4 220
+ #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16))
+ #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16))
+-#define SSB_SPROM_BASE1 0x1000
+-#define SSB_SPROM_BASE31 0x0800
++#define SSB_SPROM_BASE 0x1000
+ #define SSB_SPROM_REVISION 0x107E
+ #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */
+ #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */
bsg-fix-incorrect-device_status-value.patch
r6040-fix-r6040_multicast_list.patch
r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch
+b44-fix-carrier-detection-on-bind.patch
+acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch
+intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch
+acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch
+acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch
+x86-detect-scattered-cpuid-features-earlier.patch
+setup_arg_pages-diagnose-excessive-argument-size.patch
+execve-improve-interactivity-with-large-arguments.patch
+execve-make-responsive-to-sigkill-with-large-arguments.patch
+x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch
+x86-32-fix-dummy-trampoline-related-inline-stubs.patch
+x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch
+revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch
+ssb-do-not-read-sprom-if-it-does-not-exist.patch
+ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch
+ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch
+ssb-handle-alternate-ssprom-location.patch
--- /dev/null
+From 1b528181b2ffa14721fb28ad1bd539fe1732c583 Mon Sep 17 00:00:00 2001
+From: Roland McGrath <roland@redhat.com>
+Date: Tue, 7 Sep 2010 19:35:49 -0700
+Subject: setup_arg_pages: diagnose excessive argument size
+
+From: Roland McGrath <roland@redhat.com>
+
+commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream.
+
+The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not
+check the size of the argument/environment area on the stack.
+When it is unworkably large, shift_arg_pages() hits its BUG_ON.
+This is exploitable with a very large RLIMIT_STACK limit, to
+create a crash pretty easily.
+
+Check that the initial stack is not too large to make it possible
+to map in any executable. We're not checking that the actual
+executable (or intepreter, for binfmt_elf) will fit. So those
+mappings might clobber part of the initial stack mapping. But
+that is just userland lossage that userland made happen, not a
+kernel problem.
+
+Signed-off-by: Roland McGrath <roland@redhat.com>
+Reviewed-by: KOSAKI Motohiro <kosaki.motohiro@jp.fujitsu.com>
+Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
+Cc: Chuck Ebbert <cebbert@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ fs/exec.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/exec.c
++++ b/fs/exec.c
+@@ -593,6 +593,11 @@ int setup_arg_pages(struct linux_binprm
+ #else
+ stack_top = arch_align_stack(stack_top);
+ stack_top = PAGE_ALIGN(stack_top);
++
++ if (unlikely(stack_top < mmap_min_addr) ||
++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr))
++ return -ENOMEM;
++
+ stack_shift = vma->vm_end - stack_top;
+
+ bprm->p -= stack_shift;
--- /dev/null
+From d53cdbb94a52a920d5420ed64d986c3523a56743 Mon Sep 17 00:00:00 2001
+From: John W. Linville <linville@tuxdriver.com>
+Date: Wed, 31 Mar 2010 21:39:35 +0200
+Subject: ssb: do not read SPROM if it does not exist
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: John W. Linville <linville@tuxdriver.com>
+
+commit d53cdbb94a52a920d5420ed64d986c3523a56743 upstream.
+
+Attempting to read registers that don't exist on the SSB bus can cause
+hangs on some boxes. At least some b43 devices are 'in the wild' that
+don't have SPROMs at all. When the SSB bus support loads, it attempts
+to read these (non-existant) SPROMs and causes hard hangs on the box --
+no console output, etc.
+
+This patch adds some intelligence to determine whether or not the SPROM
+is present before attempting to read it. This avoids those hard hangs
+on those devices with no SPROM attached to their SSB bus. The
+SSB-attached devices (e.g. b43, et al.) won't work, but at least the box
+will survive to test further patches. :-)
+
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Michael Buesch <mb@bu3sch.de>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/driver_chipcommon.c | 2 ++
+ drivers/ssb/pci.c | 5 +++++
+ drivers/ssb/sprom.c | 14 ++++++++++++++
+ include/linux/ssb/ssb.h | 3 +++
+ include/linux/ssb/ssb_driver_chipcommon.h | 15 +++++++++++++++
+ 5 files changed, 39 insertions(+)
+
+--- a/drivers/ssb/driver_chipcommon.c
++++ b/drivers/ssb/driver_chipcommon.c
+@@ -233,6 +233,8 @@ void ssb_chipcommon_init(struct ssb_chip
+ {
+ if (!cc->dev)
+ return; /* We don't have a ChipCommon */
++ if (cc->dev->id.revision >= 11)
++ cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
+ ssb_pmu_init(cc);
+ chipco_powercontrol_init(cc);
+ ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -620,6 +620,11 @@ static int ssb_pci_sprom_get(struct ssb_
+ int err = -ENOMEM;
+ u16 *buf;
+
++ if (!ssb_is_sprom_available(bus)) {
++ ssb_printk(KERN_ERR PFX "No SPROM available!\n");
++ return -ENODEV;
++ }
++
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
+ if (!buf)
+ goto out;
+--- a/drivers/ssb/sprom.c
++++ b/drivers/ssb/sprom.c
+@@ -175,3 +175,17 @@ const struct ssb_sprom *ssb_get_fallback
+ {
+ return fallback_sprom;
+ }
++
++/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */
++bool ssb_is_sprom_available(struct ssb_bus *bus)
++{
++ /* status register only exists on chipcomon rev >= 11 and we need check
++ for >= 31 only */
++ /* this routine differs from specs as we do not access SPROM directly
++ on PCMCIA */
++ if (bus->bustype == SSB_BUSTYPE_PCI &&
++ bus->chipco.dev->id.revision >= 31)
++ return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
++
++ return true;
++}
+--- a/include/linux/ssb/ssb.h
++++ b/include/linux/ssb/ssb.h
+@@ -394,6 +394,9 @@ extern int ssb_bus_sdiobus_register(stru
+
+ extern void ssb_bus_unregister(struct ssb_bus *bus);
+
++/* Does the device have an SPROM? */
++extern bool ssb_is_sprom_available(struct ssb_bus *bus);
++
+ /* Set a fallback SPROM.
+ * See kdoc at the function definition for complete documentation. */
+ extern int ssb_arch_set_fallback_sprom(const struct ssb_sprom *sprom);
+--- a/include/linux/ssb/ssb_driver_chipcommon.h
++++ b/include/linux/ssb/ssb_driver_chipcommon.h
+@@ -53,6 +53,7 @@
+ #define SSB_CHIPCO_CAP_64BIT 0x08000000 /* 64-bit Backplane */
+ #define SSB_CHIPCO_CAP_PMU 0x10000000 /* PMU available (rev >= 20) */
+ #define SSB_CHIPCO_CAP_ECI 0x20000000 /* ECI available (rev >= 20) */
++#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */
+ #define SSB_CHIPCO_CORECTL 0x0008
+ #define SSB_CHIPCO_CORECTL_UARTCLK0 0x00000001 /* Drive UART with internal clock */
+ #define SSB_CHIPCO_CORECTL_SE 0x00000002 /* sync clk out enable (corerev >= 3) */
+@@ -385,6 +386,7 @@
+
+
+ /** Chip specific Chip-Status register contents. */
++#define SSB_CHIPCO_CHST_4322_SPROM_EXISTS 0x00000040 /* SPROM present */
+ #define SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL 0x00000003
+ #define SSB_CHIPCO_CHST_4325_DEFCIS_SEL 0 /* OTP is powered up, use def. CIS, no SPROM */
+ #define SSB_CHIPCO_CHST_4325_SPROM_SEL 1 /* OTP is powered up, SPROM is present */
+@@ -398,6 +400,18 @@
+ #define SSB_CHIPCO_CHST_4325_RCAL_VALUE_SHIFT 4
+ #define SSB_CHIPCO_CHST_4325_PMUTOP_2B 0x00000200 /* 1 for 2b, 0 for to 2a */
+
++/** Macros to determine SPROM presence based on Chip-Status register. */
++#define SSB_CHIPCO_CHST_4312_SPROM_PRESENT(status) \
++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
++ SSB_CHIPCO_CHST_4325_OTP_SEL)
++#define SSB_CHIPCO_CHST_4322_SPROM_PRESENT(status) \
++ (status & SSB_CHIPCO_CHST_4322_SPROM_EXISTS)
++#define SSB_CHIPCO_CHST_4325_SPROM_PRESENT(status) \
++ (((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
++ SSB_CHIPCO_CHST_4325_DEFCIS_SEL) && \
++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \
++ SSB_CHIPCO_CHST_4325_OTP_SEL))
++
+
+
+ /** Clockcontrol masks and values **/
+@@ -564,6 +578,7 @@ struct ssb_chipcommon_pmu {
+ struct ssb_chipcommon {
+ struct ssb_device *dev;
+ u32 capabilities;
++ u32 status;
+ /* Fast Powerup Delay constant */
+ u16 fast_pwrup_delay;
+ struct ssb_chipcommon_pmu pmu;
--- /dev/null
+From da1fdb02d9200ff28b6f3a380d21930335fe5429 Mon Sep 17 00:00:00 2001
+From: Christoph Fritz <chf.fritz@googlemail.com>
+Date: Fri, 28 May 2010 10:45:59 +0200
+Subject: ssb: fix NULL ptr deref when pcihost_wrapper is used
+
+From: Christoph Fritz <chf.fritz@googlemail.com>
+
+commit da1fdb02d9200ff28b6f3a380d21930335fe5429 upstream.
+
+Ethernet driver b44 does register ssb by it's pcihost_wrapper
+and doesn't set ssb_chipcommon. A check on this value
+introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743
+and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers:
+
+BUG: unable to handle kernel NULL pointer dereference at 00000010
+IP: [<c1266c36>] ssb_is_sprom_available+0x16/0x30
+
+Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/pci.c | 9 ++++++---
+ drivers/ssb/sprom.c | 1 +
+ 2 files changed, 7 insertions(+), 3 deletions(-)
+
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -624,9 +624,12 @@ static int ssb_pci_sprom_get(struct ssb_
+ ssb_printk(KERN_ERR PFX "No SPROM available!\n");
+ return -ENODEV;
+ }
+-
+- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
+- SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
++ if (bus->chipco.dev) { /* can be unavailible! */
++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
++ } else {
++ bus->sprom_offset = SSB_SPROM_BASE1;
++ }
+
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
+ if (!buf)
+--- a/drivers/ssb/sprom.c
++++ b/drivers/ssb/sprom.c
+@@ -184,6 +184,7 @@ bool ssb_is_sprom_available(struct ssb_b
+ /* this routine differs from specs as we do not access SPROM directly
+ on PCMCIA */
+ if (bus->bustype == SSB_BUSTYPE_PCI &&
++ bus->chipco.dev && /* can be unavailible! */
+ bus->chipco.dev->id.revision >= 31)
+ return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM;
+
--- /dev/null
+From 9d1ac34ec3a67713308ae0883c3359c557f14d17 Mon Sep 17 00:00:00 2001
+From: Larry Finger <Larry.Finger@lwfinger.net>
+Date: Fri, 14 May 2010 22:08:58 -0500
+Subject: ssb: Handle alternate SSPROM location
+
+From: Larry Finger <Larry.Finger@lwfinger.net>
+
+commit 9d1ac34ec3a67713308ae0883c3359c557f14d17 upstream.
+
+In kernel Bugzilla #15825 (2 users), in a wireless mailing list thread
+(http://lists.infradead.org/pipermail/b43-dev/2010-May/000124.html), and on a
+netbook owned by John Linville
+(http://marc.info/?l=linux-wireless&m=127230751408818&w=4), there are reports
+of ssb failing to detect an SPROM at the normal location. After studying the
+MMIO trace dump for the Broadcom wl driver, it was determined that the affected
+boxes had a relocated SPROM.
+
+This patch fixes all systems that have reported this problem.
+
+Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ssb/driver_chipcommon.c | 1 +
+ drivers/ssb/pci.c | 15 +++++++++++++--
+ 2 files changed, 14 insertions(+), 2 deletions(-)
+
+--- a/drivers/ssb/driver_chipcommon.c
++++ b/drivers/ssb/driver_chipcommon.c
+@@ -235,6 +235,7 @@ void ssb_chipcommon_init(struct ssb_chip
+ return; /* We don't have a ChipCommon */
+ if (cc->dev->id.revision >= 11)
+ cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT);
++ ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status);
+ ssb_pmu_init(cc);
+ chipco_powercontrol_init(cc);
+ ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST);
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -625,11 +625,22 @@ static int ssb_pci_sprom_get(struct ssb_
+ return -ENODEV;
+ }
+ if (bus->chipco.dev) { /* can be unavailible! */
+- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
+- SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
++ /*
++ * get SPROM offset: SSB_SPROM_BASE1 except for
++ * chipcommon rev >= 31 or chip ID is 0x4312 and
++ * chipcommon status & 3 == 2
++ */
++ if (bus->chipco.dev->id.revision >= 31)
++ bus->sprom_offset = SSB_SPROM_BASE31;
++ else if (bus->chip_id == 0x4312 &&
++ (bus->chipco.status & 0x03) == 2)
++ bus->sprom_offset = SSB_SPROM_BASE31;
++ else
++ bus->sprom_offset = SSB_SPROM_BASE1;
+ } else {
+ bus->sprom_offset = SSB_SPROM_BASE1;
+ }
++ ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset);
+
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
+ if (!buf)
--- /dev/null
+From ea2db495f92ad2cf3301623e60cb95b4062bc484 Mon Sep 17 00:00:00 2001
+From: Rafał Miłecki <zajec5@gmail.com>
+Date: Wed, 31 Mar 2010 21:59:21 +0200
+Subject: ssb: Look for SPROM at different offset on higher rev CC
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Rafał Miłecki <zajec5@gmail.com>
+
+commit ea2db495f92ad2cf3301623e60cb95b4062bc484 upstream.
+
+Our offset handling becomes even a little more hackish now. For some reason I
+do not understand all offsets as inrelative. It assumes base offset is 0x1000
+but it will work for now as we make offsets relative anyway by removing base
+0x1000. Should be cleaner however.
+
+Signed-off-by: Rafał Miłecki <zajec5@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Cc: Larry Finger <Larry.Finger@lwfinger.net>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+
+---
+ drivers/ssb/pci.c | 9 ++++++---
+ include/linux/ssb/ssb.h | 1 +
+ include/linux/ssb/ssb_regs.h | 3 ++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+--- a/drivers/ssb/pci.c
++++ b/drivers/ssb/pci.c
+@@ -167,7 +167,7 @@ err_pci:
+ }
+
+ /* Get the word-offset for a SSB_SPROM_XXX define. */
+-#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16))
++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE1) / sizeof(u16))
+ /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */
+ #define SPEX16(_outvar, _offset, _mask, _shift) \
+ out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift))
+@@ -253,7 +253,7 @@ static int sprom_do_read(struct ssb_bus
+ int i;
+
+ for (i = 0; i < bus->sprom_size; i++)
+- sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2));
++ sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2));
+
+ return 0;
+ }
+@@ -284,7 +284,7 @@ static int sprom_do_write(struct ssb_bus
+ ssb_printk("75%%");
+ else if (i % 2)
+ ssb_printk(".");
+- writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2));
++ writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2));
+ mmiowb();
+ msleep(20);
+ }
+@@ -625,6 +625,9 @@ static int ssb_pci_sprom_get(struct ssb_
+ return -ENODEV;
+ }
+
++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ?
++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31;
++
+ buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL);
+ if (!buf)
+ goto out;
+--- a/include/linux/ssb/ssb.h
++++ b/include/linux/ssb/ssb.h
+@@ -305,6 +305,7 @@ struct ssb_bus {
+ /* ID information about the Chip. */
+ u16 chip_id;
+ u16 chip_rev;
++ u16 sprom_offset;
+ u16 sprom_size; /* number of words in sprom */
+ u8 chip_package;
+
+--- a/include/linux/ssb/ssb_regs.h
++++ b/include/linux/ssb/ssb_regs.h
+@@ -170,7 +170,8 @@
+ #define SSB_SPROMSIZE_WORDS_R4 220
+ #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16))
+ #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16))
+-#define SSB_SPROM_BASE 0x1000
++#define SSB_SPROM_BASE1 0x1000
++#define SSB_SPROM_BASE31 0x0800
+ #define SSB_SPROM_REVISION 0x107E
+ #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */
+ #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */
--- /dev/null
+From 8848a91068c018bc91f597038a0f41462a0f88a4 Mon Sep 17 00:00:00 2001
+From: H. Peter Anvin <hpa@zytor.com>
+Date: Wed, 18 Aug 2010 11:42:23 -0700
+Subject: x86-32: Fix dummy trampoline-related inline stubs
+
+From: H. Peter Anvin <hpa@zytor.com>
+
+commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream.
+
+Fix dummy inline stubs for trampoline-related functions when no
+trampolines exist (until we get rid of the no-trampoline case
+entirely.)
+
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Cc: Joerg Roedel <joerg.roedel@amd.com>
+Cc: Borislav Petkov <borislav.petkov@amd.com>
+LKML-Reference: <4C6C294D.3030404@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/trampoline.h | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/arch/x86/include/asm/trampoline.h
++++ b/arch/x86/include/asm/trampoline.h
+@@ -22,8 +22,8 @@ extern unsigned long setup_trampoline(vo
+ extern void __init setup_trampoline_page_table(void);
+ extern void __init reserve_trampoline_memory(void);
+ #else
+-static inline void reserve_trampoline_memory(void) {};
+-extern void __init setup_trampoline_page_table(void) {};
++static inline void setup_trampoline_page_table(void) {}
++static inline void reserve_trampoline_memory(void) {}
+ #endif /* CONFIG_X86_TRAMPOLINE */
+
+ #endif /* __ASSEMBLY__ */
--- /dev/null
+From fd89a137924e0710078c3ae855e7cec1c43cb845 Mon Sep 17 00:00:00 2001
+From: Joerg Roedel <joerg.roedel@amd.com>
+Date: Mon, 16 Aug 2010 14:38:33 +0200
+Subject: x86-32: Separate 1:1 pagetables from swapper_pg_dir
+
+From: Joerg Roedel <joerg.roedel@amd.com>
+
+commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream.
+
+This patch fixes machine crashes which occur when heavily exercising the
+CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by
+AMD Erratum 383 and result in a fatal machine check exception. Here's
+the scenario:
+
+1. On 32-bit, the swapper_pg_dir page table is used as the initial page
+table for booting a secondary CPU.
+
+2. To make this work, swapper_pg_dir needs a direct mapping of physical
+memory in it (the low mappings). By adding those low, large page (2M)
+mappings (PAE kernel), we create the necessary conditions for Erratum
+383 to occur.
+
+3. Other CPUs which do not participate in the off- and onlining game may
+use swapper_pg_dir while the low mappings are present (when leave_mm is
+called). For all steps below, the CPU referred to is a CPU that is using
+swapper_pg_dir, and not the CPU which is being onlined.
+
+4. The presence of the low mappings in swapper_pg_dir can result
+in TLB entries for addresses below __PAGE_OFFSET to be established
+speculatively. These TLB entries are marked global and large.
+
+5. When the CPU with such TLB entry switches to another page table, this
+TLB entry remains because it is global.
+
+6. The process then generates an access to an address covered by the
+above TLB entry but there is a permission mismatch - the TLB entry
+covers a large global page not accessible to userspace.
+
+7. Due to this permission mismatch a new 4kb, user TLB entry gets
+established. Further, Erratum 383 provides for a small window of time
+where both TLB entries are present. This results in an uncorrectable
+machine check exception signalling a TLB multimatch which panics the
+machine.
+
+There are two ways to fix this issue:
+
+ 1. Always do a global TLB flush when a new cr3 is loaded and the
+ old page table was swapper_pg_dir. I consider this a hack hard
+ to understand and with performance implications
+
+ 2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit
+ does.
+
+This patch implements solution 2. It introduces a trampoline_pg_dir
+which has the same layout as swapper_pg_dir with low_mappings. This page
+table is used as the initial page table of the booting CPU. Later in the
+bringup process, it switches to swapper_pg_dir and does a global TLB
+flush. This fixes the crashes in our test cases.
+
+-v2: switch to swapper_pg_dir right after entering start_secondary() so
+that we are able to access percpu data which might not be mapped in the
+trampoline page table.
+
+Signed-off-by: Joerg Roedel <joerg.roedel@amd.com>
+LKML-Reference: <20100816123833.GB28147@aftab>
+Signed-off-by: Borislav Petkov <borislav.petkov@amd.com>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/include/asm/pgtable_32.h | 1 +
+ arch/x86/include/asm/trampoline.h | 3 +++
+ arch/x86/kernel/head_32.S | 8 +++++++-
+ arch/x86/kernel/setup.c | 2 ++
+ arch/x86/kernel/smpboot.c | 32 +++++++++++++-------------------
+ arch/x86/kernel/trampoline.c | 18 ++++++++++++++++++
+ 6 files changed, 44 insertions(+), 20 deletions(-)
+
+--- a/arch/x86/include/asm/pgtable_32.h
++++ b/arch/x86/include/asm/pgtable_32.h
+@@ -27,6 +27,7 @@ struct mm_struct;
+ struct vm_area_struct;
+
+ extern pgd_t swapper_pg_dir[1024];
++extern pgd_t trampoline_pg_dir[1024];
+
+ static inline void pgtable_cache_init(void) { }
+ static inline void check_pgt_cache(void) { }
+--- a/arch/x86/include/asm/trampoline.h
++++ b/arch/x86/include/asm/trampoline.h
+@@ -13,14 +13,17 @@ extern unsigned char *trampoline_base;
+
+ extern unsigned long init_rsp;
+ extern unsigned long initial_code;
++extern unsigned long initial_page_table;
+ extern unsigned long initial_gs;
+
+ #define TRAMPOLINE_SIZE roundup(trampoline_end - trampoline_data, PAGE_SIZE)
+
+ extern unsigned long setup_trampoline(void);
++extern void __init setup_trampoline_page_table(void);
+ extern void __init reserve_trampoline_memory(void);
+ #else
+ static inline void reserve_trampoline_memory(void) {};
++extern void __init setup_trampoline_page_table(void) {};
+ #endif /* CONFIG_X86_TRAMPOLINE */
+
+ #endif /* __ASSEMBLY__ */
+--- a/arch/x86/kernel/head_32.S
++++ b/arch/x86/kernel/head_32.S
+@@ -328,7 +328,7 @@ ENTRY(startup_32_smp)
+ /*
+ * Enable paging
+ */
+- movl $pa(swapper_pg_dir),%eax
++ movl pa(initial_page_table), %eax
+ movl %eax,%cr3 /* set the page table pointer.. */
+ movl %cr0,%eax
+ orl $X86_CR0_PG,%eax
+@@ -608,6 +608,8 @@ ignore_int:
+ .align 4
+ ENTRY(initial_code)
+ .long i386_start_kernel
++ENTRY(initial_page_table)
++ .long pa(swapper_pg_dir)
+
+ /*
+ * BSS section
+@@ -623,6 +625,10 @@ ENTRY(swapper_pg_dir)
+ #endif
+ swapper_pg_fixmap:
+ .fill 1024,4,0
++#ifdef CONFIG_X86_TRAMPOLINE
++ENTRY(trampoline_pg_dir)
++ .fill 1024,4,0
++#endif
+ ENTRY(empty_zero_page)
+ .fill 4096,1,0
+
+--- a/arch/x86/kernel/setup.c
++++ b/arch/x86/kernel/setup.c
+@@ -981,6 +981,8 @@ void __init setup_arch(char **cmdline_p)
+ paging_init();
+ x86_init.paging.pagetable_setup_done(swapper_pg_dir);
+
++ setup_trampoline_page_table();
++
+ tboot_probe();
+
+ #ifdef CONFIG_X86_64
+--- a/arch/x86/kernel/smpboot.c
++++ b/arch/x86/kernel/smpboot.c
+@@ -70,7 +70,6 @@
+
+ #ifdef CONFIG_X86_32
+ u8 apicid_2_node[MAX_APICID];
+-static int low_mappings;
+ #endif
+
+ /* State of each CPU */
+@@ -273,6 +272,18 @@ notrace static void __cpuinit start_seco
+ * fragile that we want to limit the things done here to the
+ * most necessary things.
+ */
++
++#ifdef CONFIG_X86_32
++ /*
++ * Switch away from the trampoline page-table
++ *
++ * Do this before cpu_init() because it needs to access per-cpu
++ * data which may not be mapped in the trampoline page-table.
++ */
++ load_cr3(swapper_pg_dir);
++ __flush_tlb_all();
++#endif
++
+ vmi_bringup();
+ cpu_init();
+ preempt_disable();
+@@ -291,12 +302,6 @@ notrace static void __cpuinit start_seco
+ enable_8259A_irq(0);
+ }
+
+-#ifdef CONFIG_X86_32
+- while (low_mappings)
+- cpu_relax();
+- __flush_tlb_all();
+-#endif
+-
+ /* This must be done before setting cpu_online_mask */
+ set_cpu_sibling_map(raw_smp_processor_id());
+ wmb();
+@@ -743,6 +748,7 @@ do_rest:
+ #ifdef CONFIG_X86_32
+ /* Stack for startup_32 can be just as for start_secondary onwards */
+ irq_ctx_init(cpu);
++ initial_page_table = __pa(&trampoline_pg_dir);
+ #else
+ clear_tsk_thread_flag(c_idle.idle, TIF_FORK);
+ initial_gs = per_cpu_offset(cpu);
+@@ -883,20 +889,8 @@ int __cpuinit native_cpu_up(unsigned int
+
+ per_cpu(cpu_state, cpu) = CPU_UP_PREPARE;
+
+-#ifdef CONFIG_X86_32
+- /* init low mem mapping */
+- clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY));
+- flush_tlb_all();
+- low_mappings = 1;
+-
+ err = do_boot_cpu(apicid, cpu);
+
+- zap_low_mappings(false);
+- low_mappings = 0;
+-#else
+- err = do_boot_cpu(apicid, cpu);
+-#endif
+ if (err) {
+ pr_debug("do_boot_cpu failed %d\n", err);
+ return -EIO;
+--- a/arch/x86/kernel/trampoline.c
++++ b/arch/x86/kernel/trampoline.c
+@@ -1,6 +1,7 @@
+ #include <linux/io.h>
+
+ #include <asm/trampoline.h>
++#include <asm/pgtable.h>
+ #include <asm/e820.h>
+
+ #if defined(CONFIG_X86_64) && defined(CONFIG_ACPI_SLEEP)
+@@ -37,3 +38,20 @@ unsigned long __trampinit setup_trampoli
+ memcpy(trampoline_base, trampoline_data, TRAMPOLINE_SIZE);
+ return virt_to_phys(trampoline_base);
+ }
++
++void __init setup_trampoline_page_table(void)
++{
++#ifdef CONFIG_X86_32
++ /* Copy kernel address range */
++ clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min_t(unsigned long, KERNEL_PGD_PTRS,
++ KERNEL_PGD_BOUNDARY));
++
++ /* Initialize low mappings */
++ clone_pgd_range(trampoline_pg_dir,
++ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
++ min_t(unsigned long, KERNEL_PGD_PTRS,
++ KERNEL_PGD_BOUNDARY));
++#endif
++}
--- /dev/null
+From 1dedefd1a066a795a87afca9c0236e1a94de9bf6 Mon Sep 17 00:00:00 2001
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+Date: Wed, 19 May 2010 12:01:23 -0700
+Subject: x86: detect scattered cpuid features earlier
+
+From: Jacob Pan <jacob.jun.pan@linux.intel.com>
+
+commit 1dedefd1a066a795a87afca9c0236e1a94de9bf6 upstream.
+
+Some extra CPU features such as ARAT is needed in early boot so
+that x86_init function pointers can be set up properly.
+http://lkml.org/lkml/2010/5/18/519
+At start_kernel() level, this patch moves init_scattered_cpuid_features()
+from check_bugs() to setup_arch() -> early_cpu_init() which is earlier than
+platform specific x86_init layer setup. Suggested by HPA.
+
+Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
+LKML-Reference: <1274295685-6774-2-git-send-email-jacob.jun.pan@linux.intel.com>
+Acked-by: Thomas Gleixner <tglx@linutronix.de>
+Signed-off-by: H. Peter Anvin <hpa@linux.intel.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/cpu/common.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/cpu/common.c
++++ b/arch/x86/kernel/cpu/common.c
+@@ -576,6 +576,7 @@ void __cpuinit get_cpu_cap(struct cpuinf
+ if (c->extended_cpuid_level >= 0x80000007)
+ c->x86_power = cpuid_edx(0x80000007);
+
++ init_scattered_cpuid_features(c);
+ }
+
+ static void __cpuinit identify_cpu_without_cpuid(struct cpuinfo_x86 *c)
+@@ -731,7 +732,6 @@ static void __cpuinit generic_identify(s
+
+ get_model_name(c); /* Default name */
+
+- init_scattered_cpuid_features(c);
+ detect_nopl(c);
+ }
+
--- /dev/null
+From b7d460897739e02f186425b7276e3fdb1595cea7 Mon Sep 17 00:00:00 2001
+From: Hugh Dickins <hughd@google.com>
+Date: Tue, 24 Aug 2010 22:44:12 -0700
+Subject: x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline
+
+From: Hugh Dickins <hughd@google.com>
+
+commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream.
+
+rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT
+laptop: whereas cloning from kernel to low mappings pgd range does need
+to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel
+pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY.
+
+Signed-off-by: Hugh Dickins <hughd@google.com>
+LKML-Reference: <alpine.LSU.2.00.1008242235120.2515@sister.anvils>
+Signed-off-by: H. Peter Anvin <hpa@zytor.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ arch/x86/kernel/trampoline.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/arch/x86/kernel/trampoline.c
++++ b/arch/x86/kernel/trampoline.c
+@@ -45,8 +45,7 @@ void __init setup_trampoline_page_table(
+ /* Copy kernel address range */
+ clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY,
+ swapper_pg_dir + KERNEL_PGD_BOUNDARY,
+- min_t(unsigned long, KERNEL_PGD_PTRS,
+- KERNEL_PGD_BOUNDARY));
++ KERNEL_PGD_PTRS);
+
+ /* Initialize low mappings */
+ clone_pgd_range(trampoline_pg_dir,
projects / thirdparty / kernel / stable-queue.git / commitdiff
