From: Greg Kroah-Hartman Date: Fri, 29 Oct 2010 22:29:03 +0000 (-0700) Subject: .35 patches X-Git-Tag: v2.6.27.56~22 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=01803d423d63e76b663d86320b4609fcd8f5c87e;p=thirdparty%2Fkernel%2Fstable-queue.git .35 patches --- diff --git a/queue-2.6.35/bluetooth-fix-missing-null-check.patch b/queue-2.6.35/bluetooth-fix-missing-null-check.patch new file mode 100644 index 00000000000..a023a796b84 --- /dev/null +++ b/queue-2.6.35/bluetooth-fix-missing-null-check.patch @@ -0,0 +1,40 @@ +From c19483cc5e56ac5e22dd19cf25ba210ab1537773 Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Fri, 22 Oct 2010 14:11:26 +0100 +Subject: bluetooth: Fix missing NULL check + +From: Alan Cox + +commit c19483cc5e56ac5e22dd19cf25ba210ab1537773 upstream. + +Fortunately this is only exploitable on very unusual hardware. + +[Reported a while ago but nothing happened so just fixing it] + +Signed-off-by: Alan Cox +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/bluetooth/hci_ldisc.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/bluetooth/hci_ldisc.c ++++ b/drivers/bluetooth/hci_ldisc.c +@@ -258,9 +258,16 @@ static int hci_uart_tty_open(struct tty_ + + BT_DBG("tty %p", tty); + ++ /* FIXME: This btw is bogus, nothing requires the old ldisc to clear ++ the pointer */ + if (hu) + return -EEXIST; + ++ /* Error if the tty has no write op instead of leaving an exploitable ++ hole */ ++ if (tty->ops->write == NULL) ++ return -EOPNOTSUPP; ++ + if (!(hu = kzalloc(sizeof(struct hci_uart), GFP_KERNEL))) { + BT_ERR("Can't allocate control structure"); + return -ENFILE; diff --git a/queue-2.6.35/cifs-fix-broken-oplock-handling.patch b/queue-2.6.35/cifs-fix-broken-oplock-handling.patch new file mode 100644 index 00000000000..68b5c690154 --- /dev/null +++ b/queue-2.6.35/cifs-fix-broken-oplock-handling.patch @@ -0,0 +1,104 @@ +From aa91c7e4ab9b0842b7d7a7cbf8cca18b20df89b5 Mon Sep 17 00:00:00 2001 +From: Suresh Jayaraman +Date: Fri, 17 Sep 2010 18:56:39 +0530 +Subject: cifs: fix broken oplock handling + +From: Suresh Jayaraman + +commit aa91c7e4ab9b0842b7d7a7cbf8cca18b20df89b5 upstream. + +cifs_new_fileinfo() does not use the 'oplock' value from the callers. Instead, +it sets it to REQ_OPLOCK which seems wrong. We should be using the oplock value +obtained from the Server to set the inode's clientCanCacheAll or +clientCanCacheRead flags. Fix this by passing oplock from the callers to +cifs_new_fileinfo(). + +This change dates back to commit a6ce4932 (2.6.30-rc3). So, all the affected +versions will need this fix. Please Cc stable once reviewed and accepted. + +Reviewed-by: Jeff Layton +Signed-off-by: Suresh Jayaraman +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsproto.h | 3 ++- + fs/cifs/dir.c | 12 +++++------- + fs/cifs/file.c | 4 ++-- + 3 files changed, 9 insertions(+), 10 deletions(-) + +--- a/fs/cifs/cifsproto.h ++++ b/fs/cifs/cifsproto.h +@@ -104,7 +104,8 @@ extern struct timespec cnvrtDosUnixTm(__ + + extern struct cifsFileInfo *cifs_new_fileinfo(struct inode *newinode, + __u16 fileHandle, struct file *file, +- struct vfsmount *mnt, unsigned int oflags); ++ struct vfsmount *mnt, unsigned int oflags, ++ __u32 oplock); + extern int cifs_posix_open(char *full_path, struct inode **pinode, + struct super_block *sb, + int mode, int oflags, +--- a/fs/cifs/dir.c ++++ b/fs/cifs/dir.c +@@ -138,9 +138,9 @@ cifs_bp_rename_retry: + */ + struct cifsFileInfo * + cifs_new_fileinfo(struct inode *newinode, __u16 fileHandle, +- struct file *file, struct vfsmount *mnt, unsigned int oflags) ++ struct file *file, struct vfsmount *mnt, unsigned int oflags, ++ __u32 oplock) + { +- int oplock = 0; + struct cifsFileInfo *pCifsFile; + struct cifsInodeInfo *pCifsInode; + struct cifs_sb_info *cifs_sb = CIFS_SB(mnt->mnt_sb); +@@ -149,9 +149,6 @@ cifs_new_fileinfo(struct inode *newinode + if (pCifsFile == NULL) + return pCifsFile; + +- if (oplockEnabled) +- oplock = REQ_OPLOCK; +- + pCifsFile->netfid = fileHandle; + pCifsFile->pid = current->tgid; + pCifsFile->pInode = igrab(newinode); +@@ -476,7 +473,7 @@ cifs_create_set_dentry: + } + + pfile_info = cifs_new_fileinfo(newinode, fileHandle, filp, +- nd->path.mnt, oflags); ++ nd->path.mnt, oflags, oplock); + if (pfile_info == NULL) { + fput(filp); + CIFSSMBClose(xid, tcon, fileHandle); +@@ -738,7 +735,8 @@ cifs_lookup(struct inode *parent_dir_ino + + cfile = cifs_new_fileinfo(newInode, fileHandle, filp, + nd->path.mnt, +- nd->intent.open.flags); ++ nd->intent.open.flags, ++ oplock); + if (cfile == NULL) { + fput(filp); + CIFSSMBClose(xid, pTcon, fileHandle); +--- a/fs/cifs/file.c ++++ b/fs/cifs/file.c +@@ -277,7 +277,7 @@ int cifs_open(struct inode *inode, struc + + pCifsFile = cifs_new_fileinfo(inode, netfid, file, + file->f_path.mnt, +- oflags); ++ oflags, oplock); + if (pCifsFile == NULL) { + CIFSSMBClose(xid, tcon, netfid); + rc = -ENOMEM; +@@ -367,7 +367,7 @@ int cifs_open(struct inode *inode, struc + goto out; + + pCifsFile = cifs_new_fileinfo(inode, netfid, file, file->f_path.mnt, +- file->f_flags); ++ file->f_flags, oplock); + if (pCifsFile == NULL) { + rc = -ENOMEM; + goto out; diff --git a/queue-2.6.35/futex-fix-errors-in-nested-key-ref-counting.patch b/queue-2.6.35/futex-fix-errors-in-nested-key-ref-counting.patch new file mode 100644 index 00000000000..62e9bc4182d --- /dev/null +++ b/queue-2.6.35/futex-fix-errors-in-nested-key-ref-counting.patch @@ -0,0 +1,142 @@ +From 7ada876a8703f23befbb20a7465a702ee39b1704 Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Sun, 17 Oct 2010 08:35:04 -0700 +Subject: futex: Fix errors in nested key ref-counting +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Darren Hart + +commit 7ada876a8703f23befbb20a7465a702ee39b1704 upstream. + +futex_wait() is leaking key references due to futex_wait_setup() +acquiring an additional reference via the queue_lock() routine. The +nested key ref-counting has been masking bugs and complicating code +analysis. queue_lock() is only called with a previously ref-counted +key, so remove the additional ref-counting from the queue_(un)lock() +functions. + +Also futex_wait_requeue_pi() drops one key reference too many in +unqueue_me_pi(). Remove the key reference handling from +unqueue_me_pi(). This was paired with a queue_lock() in +futex_lock_pi(), so the count remains unchanged. + +Document remaining nested key ref-counting sites. + +Signed-off-by: Darren Hart +Reported-and-tested-by: Matthieu Fertré +Reported-by: Louis Rilling +Cc: Peter Zijlstra +Cc: Eric Dumazet +Cc: John Kacur +Cc: Rusty Russell +LKML-Reference: <4CBB17A8.70401@linux.intel.com> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -1363,7 +1363,6 @@ static inline struct futex_hash_bucket * + { + struct futex_hash_bucket *hb; + +- get_futex_key_refs(&q->key); + hb = hash_futex(&q->key); + q->lock_ptr = &hb->lock; + +@@ -1375,7 +1374,6 @@ static inline void + queue_unlock(struct futex_q *q, struct futex_hash_bucket *hb) + { + spin_unlock(&hb->lock); +- drop_futex_key_refs(&q->key); + } + + /** +@@ -1480,8 +1478,6 @@ static void unqueue_me_pi(struct futex_q + q->pi_state = NULL; + + spin_unlock(q->lock_ptr); +- +- drop_futex_key_refs(&q->key); + } + + /* +@@ -1812,7 +1808,10 @@ static int futex_wait(u32 __user *uaddr, + } + + retry: +- /* Prepare to wait on uaddr. */ ++ /* ++ * Prepare to wait on uaddr. On success, holds hb lock and increments ++ * q.key refs. ++ */ + ret = futex_wait_setup(uaddr, val, fshared, &q, &hb); + if (ret) + goto out; +@@ -1822,24 +1821,23 @@ retry: + + /* If we were woken (and unqueued), we succeeded, whatever. */ + ret = 0; ++ /* unqueue_me() drops q.key ref */ + if (!unqueue_me(&q)) +- goto out_put_key; ++ goto out; + ret = -ETIMEDOUT; + if (to && !to->task) +- goto out_put_key; ++ goto out; + + /* + * We expect signal_pending(current), but we might be the + * victim of a spurious wakeup as well. + */ +- if (!signal_pending(current)) { +- put_futex_key(fshared, &q.key); ++ if (!signal_pending(current)) + goto retry; +- } + + ret = -ERESTARTSYS; + if (!abs_time) +- goto out_put_key; ++ goto out; + + restart = ¤t_thread_info()->restart_block; + restart->fn = futex_wait_restart; +@@ -1856,8 +1854,6 @@ retry: + + ret = -ERESTART_RESTARTBLOCK; + +-out_put_key: +- put_futex_key(fshared, &q.key); + out: + if (to) { + hrtimer_cancel(&to->timer); +@@ -2236,7 +2232,10 @@ static int futex_wait_requeue_pi(u32 __u + q.rt_waiter = &rt_waiter; + q.requeue_pi_key = &key2; + +- /* Prepare to wait on uaddr. */ ++ /* ++ * Prepare to wait on uaddr. On success, increments q.key (key1) ref ++ * count. ++ */ + ret = futex_wait_setup(uaddr, val, fshared, &q, &hb); + if (ret) + goto out_key2; +@@ -2254,7 +2253,9 @@ static int futex_wait_requeue_pi(u32 __u + * In order for us to be here, we know our q.key == key2, and since + * we took the hb->lock above, we also know that futex_requeue() has + * completed and we no longer have to concern ourselves with a wakeup +- * race with the atomic proxy lock acquition by the requeue code. ++ * race with the atomic proxy lock acquisition by the requeue code. The ++ * futex_requeue dropped our key1 reference and incremented our key2 ++ * reference count. + */ + + /* Check if the requeue code acquired the second futex for us. */ diff --git a/queue-2.6.35/intel_idle-do-not-use-the-lapic-timer-for-atom-c2.patch b/queue-2.6.35/intel_idle-do-not-use-the-lapic-timer-for-atom-c2.patch new file mode 100644 index 00000000000..9abc26e67c7 --- /dev/null +++ b/queue-2.6.35/intel_idle-do-not-use-the-lapic-timer-for-atom-c2.patch @@ -0,0 +1,33 @@ +From c25d29952b2a8c9aaf00e081c9162a0e383030cd Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Sat, 23 Oct 2010 23:25:53 -0400 +Subject: intel_idle: do not use the LAPIC timer for ATOM C2 + +From: Len Brown + +commit c25d29952b2a8c9aaf00e081c9162a0e383030cd upstream. + +If we use the LAPIC timer during ATOM C2 on +some nvidia chisets, the system stalls. + +https://bugzilla.kernel.org/show_bug.cgi?id=21032 + +Signed-off-by: Len Brown +Cc: Tom Gundersen +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/idle/intel_idle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/idle/intel_idle.c ++++ b/drivers/idle/intel_idle.c +@@ -308,7 +308,7 @@ static int intel_idle_probe(void) + break; + + case 0x1C: /* 28 - Atom Processor */ +- lapic_timer_reliable_states = (1 << 2) | (1 << 1); /* C2, C1 */ ++ lapic_timer_reliable_states = (1 << 1); /* C1 */ + cpuidle_state_table = atom_cstates; + choose_substate = choose_zero_substate; + break; diff --git a/queue-2.6.35/kvm-svm-restore-correct-registers-after-sel_cr0-intercept-emulation.patch b/queue-2.6.35/kvm-svm-restore-correct-registers-after-sel_cr0-intercept-emulation.patch new file mode 100644 index 00000000000..07e0f3c774e --- /dev/null +++ b/queue-2.6.35/kvm-svm-restore-correct-registers-after-sel_cr0-intercept-emulation.patch @@ -0,0 +1,95 @@ +From cda0008299a06f0d7218c6037c3c02d7a865e954 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Thu, 2 Sep 2010 17:29:46 +0200 +Subject: KVM: SVM: Restore correct registers after sel_cr0 intercept emulation + +From: Joerg Roedel + +commit cda0008299a06f0d7218c6037c3c02d7a865e954 upstream. + +This patch implements restoring of the correct rip, rsp, and +rax after the svm emulation in KVM injected a selective_cr0 +write intercept into the guest hypervisor. The problem was +that the vmexit is emulated in the instruction emulation +which later commits the registers right after the write-cr0 +instruction. So the l1 guest will continue to run with the +l2 rip, rsp and rax resulting in unpredictable behavior. + +This patch is not the final word, it is just an easy patch +to fix the issue. The real fix will be done when the +instruction emulator is made aware of nested virtualization. +Until this is done this patch fixes the issue and provides +an easy way to fix this in -stable too. + +Signed-off-by: Joerg Roedel +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 33 +++++++++++++++++++++++++++++++-- + 1 file changed, 31 insertions(+), 2 deletions(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -87,6 +87,14 @@ struct nested_state { + /* A VMEXIT is required but not yet emulated */ + bool exit_required; + ++ /* ++ * If we vmexit during an instruction emulation we need this to restore ++ * the l1 guest rip after the emulation ++ */ ++ unsigned long vmexit_rip; ++ unsigned long vmexit_rsp; ++ unsigned long vmexit_rax; ++ + /* cache for intercepts of the guest */ + u16 intercept_cr_read; + u16 intercept_cr_write; +@@ -1201,8 +1209,12 @@ static void svm_set_cr0(struct kvm_vcpu + if (old == new) { + /* cr0 write with ts and mp unchanged */ + svm->vmcb->control.exit_code = SVM_EXIT_CR0_SEL_WRITE; +- if (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE) ++ if (nested_svm_exit_handled(svm) == NESTED_EXIT_DONE) { ++ svm->nested.vmexit_rip = kvm_rip_read(vcpu); ++ svm->nested.vmexit_rsp = kvm_register_read(vcpu, VCPU_REGS_RSP); ++ svm->nested.vmexit_rax = kvm_register_read(vcpu, VCPU_REGS_RAX); + return; ++ } + } + } + +@@ -2398,6 +2410,23 @@ static int emulate_on_interception(struc + return 1; + } + ++static int cr0_write_interception(struct vcpu_svm *svm) ++{ ++ struct kvm_vcpu *vcpu = &svm->vcpu; ++ int r; ++ ++ r = emulate_instruction(&svm->vcpu, 0, 0, 0); ++ ++ if (svm->nested.vmexit_rip) { ++ kvm_register_write(vcpu, VCPU_REGS_RIP, svm->nested.vmexit_rip); ++ kvm_register_write(vcpu, VCPU_REGS_RSP, svm->nested.vmexit_rsp); ++ kvm_register_write(vcpu, VCPU_REGS_RAX, svm->nested.vmexit_rax); ++ svm->nested.vmexit_rip = 0; ++ } ++ ++ return r == EMULATE_DONE; ++} ++ + static int cr8_write_interception(struct vcpu_svm *svm) + { + struct kvm_run *kvm_run = svm->vcpu.run; +@@ -2671,7 +2700,7 @@ static int (*svm_exit_handlers[])(struct + [SVM_EXIT_READ_CR4] = emulate_on_interception, + [SVM_EXIT_READ_CR8] = emulate_on_interception, + [SVM_EXIT_CR0_SEL_WRITE] = emulate_on_interception, +- [SVM_EXIT_WRITE_CR0] = emulate_on_interception, ++ [SVM_EXIT_WRITE_CR0] = cr0_write_interception, + [SVM_EXIT_WRITE_CR3] = emulate_on_interception, + [SVM_EXIT_WRITE_CR4] = emulate_on_interception, + [SVM_EXIT_WRITE_CR8] = cr8_write_interception, diff --git a/queue-2.6.35/kvm-x86-report-svm-bit-to-userspace-only-when-supported.patch b/queue-2.6.35/kvm-x86-report-svm-bit-to-userspace-only-when-supported.patch new file mode 100644 index 00000000000..118c89707f7 --- /dev/null +++ b/queue-2.6.35/kvm-x86-report-svm-bit-to-userspace-only-when-supported.patch @@ -0,0 +1,47 @@ +From 4c62a2dc92518c5adf434df8e5c2283c6762672a Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 10 Sep 2010 17:31:06 +0200 +Subject: KVM: X86: Report SVM bit to userspace only when supported + +From: Joerg Roedel + +commit 4c62a2dc92518c5adf434df8e5c2283c6762672a upstream. + +This patch fixes a bug in KVM where it _always_ reports the +support of the SVM feature to userspace. But KVM only +supports SVM on AMD hardware and only when it is enabled in +the kernel module. This patch fixes the wrong reporting. + +Signed-off-by: Joerg Roedel +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/svm.c | 4 ++++ + arch/x86/kvm/x86.c | 2 +- + 2 files changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kvm/svm.c ++++ b/arch/x86/kvm/svm.c +@@ -3253,6 +3253,10 @@ static void svm_cpuid_update(struct kvm_ + static void svm_set_supported_cpuid(u32 func, struct kvm_cpuid_entry2 *entry) + { + switch (func) { ++ case 0x80000001: ++ if (nested) ++ entry->ecx |= (1 << 2); /* Set SVM bit */ ++ break; + case 0x8000000A: + entry->eax = 1; /* SVM revision 1 */ + entry->ebx = 8; /* Lets support 8 ASIDs in case we add proper +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1910,7 +1910,7 @@ static void do_cpuid_ent(struct kvm_cpui + 0 /* Reserved, XSAVE, OSXSAVE */; + /* cpuid 0x80000001.ecx */ + const u32 kvm_supported_word6_x86_features = +- F(LAHF_LM) | F(CMP_LEGACY) | F(SVM) | 0 /* ExtApicSpace */ | ++ F(LAHF_LM) | F(CMP_LEGACY) | 0 /*SVM*/ | 0 /* ExtApicSpace */ | + F(CR8_LEGACY) | F(ABM) | F(SSE4A) | F(MISALIGNSSE) | + F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(XOP) | + 0 /* SKINIT */ | 0 /* WDT */; diff --git a/queue-2.6.35/libahci-fix-result_tf-handling-after-an-ata-pio-data-in-command.patch b/queue-2.6.35/libahci-fix-result_tf-handling-after-an-ata-pio-data-in-command.patch new file mode 100644 index 00000000000..4ea4dd70b30 --- /dev/null +++ b/queue-2.6.35/libahci-fix-result_tf-handling-after-an-ata-pio-data-in-command.patch @@ -0,0 +1,73 @@ +From 6ad601955315b010a117306b994f2204fae85fdc Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 15 Oct 2010 11:00:08 +0200 +Subject: libahci: fix result_tf handling after an ATA PIO data-in command + +From: Tejun Heo + +commit 6ad601955315b010a117306b994f2204fae85fdc upstream. + +ATA devices don't send D2H Reg FIS after an successful ATA PIO data-in +command. The host is supposed to take the TF and E_Status of the +preceding PIO Setup FIS. Update ahci_qc_fill_rtf() such that it takes +TF + E_Status from PIO Setup FIS after a successful ATA PIO data-in +command. + +Without this patch, result_tf for such a command is filled with the +content of the previous D2H Reg FIS which belongs to a previous +command, which can make the command incorrectly seen as failed. + +* Patch updated to grab the whole TF + E_Status from PIO Setup FIS + instead of just E_Status as suggested by Robert Hancock. + +Signed-off-by: Tejun Heo +Reported-by: Mark Lord +Cc: Robert Hancock +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.h | 1 + + drivers/ata/libahci.c | 18 +++++++++++++++--- + 2 files changed, 16 insertions(+), 3 deletions(-) + +--- a/drivers/ata/ahci.h ++++ b/drivers/ata/ahci.h +@@ -72,6 +72,7 @@ enum { + AHCI_CMD_RESET = (1 << 8), + AHCI_CMD_CLR_BUSY = (1 << 10), + ++ RX_FIS_PIO_SETUP = 0x20, /* offset of PIO Setup FIS data */ + RX_FIS_D2H_REG = 0x40, /* offset of D2H Register FIS data */ + RX_FIS_SDB = 0x58, /* offset of SDB FIS data */ + RX_FIS_UNK = 0x60, /* offset of Unknown FIS data */ +--- a/drivers/ata/libahci.c ++++ b/drivers/ata/libahci.c +@@ -1824,12 +1824,24 @@ static unsigned int ahci_qc_issue(struct + static bool ahci_qc_fill_rtf(struct ata_queued_cmd *qc) + { + struct ahci_port_priv *pp = qc->ap->private_data; +- u8 *d2h_fis = pp->rx_fis + RX_FIS_D2H_REG; ++ u8 *rx_fis = pp->rx_fis; + + if (pp->fbs_enabled) +- d2h_fis += qc->dev->link->pmp * AHCI_RX_FIS_SZ; ++ rx_fis += qc->dev->link->pmp * AHCI_RX_FIS_SZ; ++ ++ /* ++ * After a successful execution of an ATA PIO data-in command, ++ * the device doesn't send D2H Reg FIS to update the TF and ++ * the host should take TF and E_Status from the preceding PIO ++ * Setup FIS. ++ */ ++ if (qc->tf.protocol == ATA_PROT_PIO && qc->dma_dir == DMA_FROM_DEVICE && ++ !(qc->flags & ATA_QCFLAG_FAILED)) { ++ ata_tf_from_fis(rx_fis + RX_FIS_PIO_SETUP, &qc->result_tf); ++ qc->result_tf.command = (rx_fis + RX_FIS_PIO_SETUP)[15]; ++ } else ++ ata_tf_from_fis(rx_fis + RX_FIS_D2H_REG, &qc->result_tf); + +- ata_tf_from_fis(d2h_fis, &qc->result_tf); + return true; + } + diff --git a/queue-2.6.35/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch b/queue-2.6.35/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch new file mode 100644 index 00000000000..5170d1cfa6c --- /dev/null +++ b/queue-2.6.35/mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch @@ -0,0 +1,72 @@ +From 3ee48b6af49cf534ca2f481ecc484b156a41451d Mon Sep 17 00:00:00 2001 +From: Cliff Wickman +Date: Thu, 16 Sep 2010 11:44:02 -0500 +Subject: mm, x86: Saving vmcore with non-lazy freeing of vmas + +From: Cliff Wickman + +commit 3ee48b6af49cf534ca2f481ecc484b156a41451d upstream. + +During the reading of /proc/vmcore the kernel is doing +ioremap()/iounmap() repeatedly. And the buildup of un-flushed +vm_area_struct's is causing a great deal of overhead. (rb_next() +is chewing up most of that time). + +This solution is to provide function set_iounmap_nonlazy(). It +causes a subsequent call to iounmap() to immediately purge the +vma area (with try_purge_vmap_area_lazy()). + +With this patch we have seen the time for writing a 250MB +compressed dump drop from 71 seconds to 44 seconds. + +Signed-off-by: Cliff Wickman +Cc: Andrew Morton +Cc: kexec@lists.infradead.org +LKML-Reference: +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/io.h | 1 + + arch/x86/kernel/crash_dump_64.c | 1 + + mm/vmalloc.c | 9 +++++++++ + 3 files changed, 11 insertions(+) + +--- a/arch/x86/include/asm/io.h ++++ b/arch/x86/include/asm/io.h +@@ -206,6 +206,7 @@ static inline void __iomem *ioremap(reso + + extern void iounmap(volatile void __iomem *addr); + ++extern void set_iounmap_nonlazy(void); + + #ifdef __KERNEL__ + +--- a/arch/x86/kernel/crash_dump_64.c ++++ b/arch/x86/kernel/crash_dump_64.c +@@ -46,6 +46,7 @@ ssize_t copy_oldmem_page(unsigned long p + } else + memcpy(buf, vaddr + offset, csize); + ++ set_iounmap_nonlazy(); + iounmap(vaddr); + return csize; + } +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -513,6 +513,15 @@ static atomic_t vmap_lazy_nr = ATOMIC_IN + static void purge_fragmented_blocks_allcpus(void); + + /* ++ * called before a call to iounmap() if the caller wants vm_area_struct's ++ * immediately freed. ++ */ ++void set_iounmap_nonlazy(void) ++{ ++ atomic_set(&vmap_lazy_nr, lazy_max_pages()+1); ++} ++ ++/* + * Purges all lazily-freed vmap areas. + * + * If sync is 0 then don't purge if there is already a purge in progress. diff --git a/queue-2.6.35/pipe-fix-failure-to-return-error-code-on-confirm.patch b/queue-2.6.35/pipe-fix-failure-to-return-error-code-on-confirm.patch new file mode 100644 index 00000000000..2262a9bddef --- /dev/null +++ b/queue-2.6.35/pipe-fix-failure-to-return-error-code-on-confirm.patch @@ -0,0 +1,31 @@ +From e5953cbdff26f7cbae7eff30cd9b18c4e19b7594 Mon Sep 17 00:00:00 2001 +From: Nicolas Kaiser +Date: Thu, 21 Oct 2010 14:56:00 +0200 +Subject: pipe: fix failure to return error code on ->confirm() + +From: Nicolas Kaiser + +commit e5953cbdff26f7cbae7eff30cd9b18c4e19b7594 upstream. + +The arguments were transposed, we want to assign the error code to +'ret', which is being returned. + +Signed-off-by: Nicolas Kaiser +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/pipe.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/pipe.c ++++ b/fs/pipe.c +@@ -382,7 +382,7 @@ pipe_read(struct kiocb *iocb, const stru + error = ops->confirm(pipe, buf); + if (error) { + if (!ret) +- error = ret; ++ ret = error; + break; + } + diff --git a/queue-2.6.35/series b/queue-2.6.35/series index eeec35abda2..a769d02bce5 100644 --- a/queue-2.6.35/series +++ b/queue-2.6.35/series @@ -7,3 +7,20 @@ powerpc-perf-fix-sampling-enable-for-ppc970.patch pcmcia-synclink_cs-fix-information-leak-to-userland.patch sched-drop-all-load-weight-manipulation-for-rt-tasks.patch sched-fix-string-comparison-in-proc-sched_features.patch +bluetooth-fix-missing-null-check.patch +futex-fix-errors-in-nested-key-ref-counting.patch +cifs-fix-broken-oplock-handling.patch +libahci-fix-result_tf-handling-after-an-ata-pio-data-in-command.patch +intel_idle-do-not-use-the-lapic-timer-for-atom-c2.patch +mm-x86-saving-vmcore-with-non-lazy-freeing-of-vmas.patch +x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch +x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch +x86-olpc-don-t-retry-ec-commands-forever.patch +x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch +x86-intr-remap-set-redirection-hint-in-the-irte.patch +x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch +x86-vm86-fix-preemption-bug-for-int1-debug-and-int3-breakpoint-handlers.patch +kvm-x86-report-svm-bit-to-userspace-only-when-supported.patch +kvm-svm-restore-correct-registers-after-sel_cr0-intercept-emulation.patch +usb-mct_u232-fix-broken-close.patch +pipe-fix-failure-to-return-error-code-on-confirm.patch diff --git a/queue-2.6.35/usb-mct_u232-fix-broken-close.patch b/queue-2.6.35/usb-mct_u232-fix-broken-close.patch new file mode 100644 index 00000000000..ac48a7aa923 --- /dev/null +++ b/queue-2.6.35/usb-mct_u232-fix-broken-close.patch @@ -0,0 +1,43 @@ +From 92ca0dc5ee022e4c0e488177e1d8865a0778c6c2 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Thu, 21 Oct 2010 10:49:10 +0200 +Subject: USB: mct_u232: fix broken close + +From: Johan Hovold + +commit 92ca0dc5ee022e4c0e488177e1d8865a0778c6c2 upstream. + +Fix regression introduced by commit +f26788da3b342099d2b02d99ba1cb7f154d6ef7b (USB: serial: refactor generic +close) which broke driver close(). + +This driver uses non-standard semantics for the read urb which makes the +generic close function fail to kill it (the read urb is actually an +interrupt urb and therefore bulk_in size is zero). + +Reported-by: Eric Shattow "Eprecocious" +Tested-by: Eric Shattow "Eprecocious" +Signed-off-by: Johan Hovold +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/mct_u232.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/mct_u232.c ++++ b/drivers/usb/serial/mct_u232.c +@@ -549,9 +549,12 @@ static void mct_u232_close(struct usb_se + { + dbg("%s port %d", __func__, port->number); + +- usb_serial_generic_close(port); +- if (port->serial->dev) ++ if (port->serial->dev) { ++ /* shutdown our urbs */ ++ usb_kill_urb(port->write_urb); ++ usb_kill_urb(port->read_urb); + usb_kill_urb(port->interrupt_in_urb); ++ } + } /* mct_u232_close */ + + diff --git a/queue-2.6.35/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch b/queue-2.6.35/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch new file mode 100644 index 00000000000..9e1b8907fd4 --- /dev/null +++ b/queue-2.6.35/x86-cpu-fix-renamed-not-yet-shipping-amd-cpuid-feature-bit.patch @@ -0,0 +1,48 @@ +From 7ef8aa72ab176e0288f363d1247079732c5d5792 Mon Sep 17 00:00:00 2001 +From: Andre Przywara +Date: Mon, 6 Sep 2010 15:14:17 +0200 +Subject: x86, cpu: Fix renamed, not-yet-shipping AMD CPUID feature bit + +From: Andre Przywara + +commit 7ef8aa72ab176e0288f363d1247079732c5d5792 upstream. + +The AMD SSE5 feature set as-it has been replaced by some extensions +to the AVX instruction set. Thus the bit formerly advertised as SSE5 +is re-used for one of these extensions (XOP). +Although this changes the /proc/cpuinfo output, it is not user visible, as +there are no CPUs (yet) having this feature. +To avoid confusion this should be added to the stable series, too. + +Signed-off-by: Andre Przywara +LKML-Reference: <1283778860-26843-2-git-send-email-andre.przywara@amd.com> +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/cpufeature.h | 2 +- + arch/x86/kvm/x86.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/cpufeature.h ++++ b/arch/x86/include/asm/cpufeature.h +@@ -150,7 +150,7 @@ + #define X86_FEATURE_3DNOWPREFETCH (6*32+ 8) /* 3DNow prefetch instructions */ + #define X86_FEATURE_OSVW (6*32+ 9) /* OS Visible Workaround */ + #define X86_FEATURE_IBS (6*32+10) /* Instruction Based Sampling */ +-#define X86_FEATURE_SSE5 (6*32+11) /* SSE-5 */ ++#define X86_FEATURE_XOP (6*32+11) /* extended AVX instructions */ + #define X86_FEATURE_SKINIT (6*32+12) /* SKINIT/STGI instructions */ + #define X86_FEATURE_WDT (6*32+13) /* Watchdog timer */ + #define X86_FEATURE_NODEID_MSR (6*32+19) /* NodeId MSR */ +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -1912,7 +1912,7 @@ static void do_cpuid_ent(struct kvm_cpui + const u32 kvm_supported_word6_x86_features = + F(LAHF_LM) | F(CMP_LEGACY) | F(SVM) | 0 /* ExtApicSpace */ | + F(CR8_LEGACY) | F(ABM) | F(SSE4A) | F(MISALIGNSSE) | +- F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(SSE5) | ++ F(3DNOWPREFETCH) | 0 /* OSVW */ | 0 /* IBS */ | F(XOP) | + 0 /* SKINIT */ | 0 /* WDT */; + + /* all calls to cpuid_count() should be made on the same cpu */ diff --git a/queue-2.6.35/x86-intr-remap-set-redirection-hint-in-the-irte.patch b/queue-2.6.35/x86-intr-remap-set-redirection-hint-in-the-irte.patch new file mode 100644 index 00000000000..e59307a2b8d --- /dev/null +++ b/queue-2.6.35/x86-intr-remap-set-redirection-hint-in-the-irte.patch @@ -0,0 +1,55 @@ +From 75e3cfbed6f71a8f151dc6e413b6ce3c390030cb Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Fri, 27 Aug 2010 11:09:48 -0700 +Subject: x86, intr-remap: Set redirection hint in the IRTE + +From: Suresh Siddha + +commit 75e3cfbed6f71a8f151dc6e413b6ce3c390030cb upstream. + +Currently the redirection hint in the interrupt-remapping table entry +is set to 0, which means the remapped interrupt is directed to the +processors listed in the destination. So in logical flat mode +in the presence of intr-remapping, this results in a single +interrupt multi-casted to multiple cpu's as specified by the destination +bit mask. But what we really want is to send that interrupt to one of the cpus +based on the lowest priority delivery mode. + +Set the redirection hint in the IRTE to '1' to indicate that we want +the remapped interrupt to be directed to only one of the processors +listed in the destination. + +This fixes the issue of same interrupt getting delivered to multiple cpu's +in the logical flat mode in the presence of interrupt-remapping. While +there is no functional issue observed with this behavior, this will +impact performance of such configurations (<=8 cpu's using logical flat +mode in the presence of interrupt-remapping) + +Signed-off-by: Suresh Siddha +LKML-Reference: <20100827181049.013051492@sbsiddha-MOBL3.sc.intel.com> +Cc: Weidong Han +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/io_apic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -1397,6 +1397,7 @@ int setup_ioapic_entry(int apic_id, int + irte.dlvry_mode = apic->irq_delivery_mode; + irte.vector = vector; + irte.dest_id = IRTE_DEST(destination); ++ irte.redir_hint = 1; + + /* Set source-id of interrupt request */ + set_ioapic_sid(&irte, apic_id); +@@ -3348,6 +3349,7 @@ static int msi_compose_msg(struct pci_de + irte.dlvry_mode = apic->irq_delivery_mode; + irte.vector = cfg->vector; + irte.dest_id = IRTE_DEST(dest); ++ irte.redir_hint = 1; + + /* Set source-id of interrupt request */ + if (pdev) diff --git a/queue-2.6.35/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch b/queue-2.6.35/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch new file mode 100644 index 00000000000..4081fe46b94 --- /dev/null +++ b/queue-2.6.35/x86-kdump-change-copy_oldmem_page-to-use-cached-addressing.patch @@ -0,0 +1,39 @@ +From 37a2f9f30a360fb03522d15c85c78265ccd80287 Mon Sep 17 00:00:00 2001 +From: Cliff Wickman +Date: Wed, 8 Sep 2010 10:14:27 -0500 +Subject: x86, kdump: Change copy_oldmem_page() to use cached addressing + +From: Cliff Wickman + +commit 37a2f9f30a360fb03522d15c85c78265ccd80287 upstream. + +The copy of /proc/vmcore to a user buffer proceeds much faster +if the kernel addresses memory as cached. + +With this patch we have seen an increase in transfer rate from +less than 15MB/s to 80-460MB/s, depending on size of the +transfer. This makes a big difference in time needed to save a +system dump. + +Signed-off-by: Cliff Wickman +Acked-by: "Eric W. Biederman" +Cc: kexec@lists.infradead.org +LKML-Reference: +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/crash_dump_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/crash_dump_64.c ++++ b/arch/x86/kernel/crash_dump_64.c +@@ -34,7 +34,7 @@ ssize_t copy_oldmem_page(unsigned long p + if (!csize) + return 0; + +- vaddr = ioremap(pfn << PAGE_SHIFT, PAGE_SIZE); ++ vaddr = ioremap_cache(pfn << PAGE_SHIFT, PAGE_SIZE); + if (!vaddr) + return -ENOMEM; + diff --git a/queue-2.6.35/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch b/queue-2.6.35/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch new file mode 100644 index 00000000000..cb102eaf285 --- /dev/null +++ b/queue-2.6.35/x86-kexec-make-sure-to-stop-all-cpus-before-exiting-the-kernel.patch @@ -0,0 +1,145 @@ +From 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce Mon Sep 17 00:00:00 2001 +From: Alok Kataria +Date: Mon, 11 Oct 2010 14:37:08 -0700 +Subject: x86, kexec: Make sure to stop all CPUs before exiting the kernel + +From: Alok Kataria + +commit 76fac077db6b34e2c6383a7b4f3f4f7b7d06d8ce upstream. + +x86 smp_ops now has a new op, stop_other_cpus which takes a parameter +"wait" this allows the caller to specify if it wants to stop until all +the cpus have processed the stop IPI. This is required specifically +for the kexec case where we should wait for all the cpus to be stopped +before starting the new kernel. We now wait for the cpus to stop in +all cases except for panic/kdump where we expect things to be broken +and we are doing our best to make things work anyway. + +This patch fixes a legitimate regression, which was introduced during +2.6.30, by commit id 4ef702c10b5df18ab04921fc252c26421d4d6c75. + +Signed-off-by: Alok N Kataria +LKML-Reference: <1286833028.1372.20.camel@ank32.eng.vmware.com> +Cc: Eric W. Biederman +Cc: Jeremy Fitzhardinge +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/smp.h | 9 +++++++-- + arch/x86/kernel/reboot.c | 2 +- + arch/x86/kernel/smp.c | 15 +++++++++------ + arch/x86/xen/enlighten.c | 2 +- + arch/x86/xen/smp.c | 6 +++--- + 5 files changed, 21 insertions(+), 13 deletions(-) + +--- a/arch/x86/include/asm/smp.h ++++ b/arch/x86/include/asm/smp.h +@@ -50,7 +50,7 @@ struct smp_ops { + void (*smp_prepare_cpus)(unsigned max_cpus); + void (*smp_cpus_done)(unsigned max_cpus); + +- void (*smp_send_stop)(void); ++ void (*stop_other_cpus)(int wait); + void (*smp_send_reschedule)(int cpu); + + int (*cpu_up)(unsigned cpu); +@@ -73,7 +73,12 @@ extern struct smp_ops smp_ops; + + static inline void smp_send_stop(void) + { +- smp_ops.smp_send_stop(); ++ smp_ops.stop_other_cpus(0); ++} ++ ++static inline void stop_other_cpus(void) ++{ ++ smp_ops.stop_other_cpus(1); + } + + static inline void smp_prepare_boot_cpu(void) +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -641,7 +641,7 @@ void native_machine_shutdown(void) + /* O.K Now that I'm on the appropriate processor, + * stop all of the others. + */ +- smp_send_stop(); ++ stop_other_cpus(); + #endif + + lapic_shutdown(); +--- a/arch/x86/kernel/smp.c ++++ b/arch/x86/kernel/smp.c +@@ -159,10 +159,10 @@ asmlinkage void smp_reboot_interrupt(voi + irq_exit(); + } + +-static void native_smp_send_stop(void) ++static void native_stop_other_cpus(int wait) + { + unsigned long flags; +- unsigned long wait; ++ unsigned long timeout; + + if (reboot_force) + return; +@@ -179,9 +179,12 @@ static void native_smp_send_stop(void) + if (num_online_cpus() > 1) { + apic->send_IPI_allbutself(REBOOT_VECTOR); + +- /* Don't wait longer than a second */ +- wait = USEC_PER_SEC; +- while (num_online_cpus() > 1 && wait--) ++ /* ++ * Don't wait longer than a second if the caller ++ * didn't ask us to wait. ++ */ ++ timeout = USEC_PER_SEC; ++ while (num_online_cpus() > 1 && (wait || timeout--)) + udelay(1); + } + +@@ -227,7 +230,7 @@ struct smp_ops smp_ops = { + .smp_prepare_cpus = native_smp_prepare_cpus, + .smp_cpus_done = native_smp_cpus_done, + +- .smp_send_stop = native_smp_send_stop, ++ .stop_other_cpus = native_stop_other_cpus, + .smp_send_reschedule = native_smp_send_reschedule, + + .cpu_up = native_cpu_up, +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -1001,7 +1001,7 @@ static void xen_reboot(int reason) + struct sched_shutdown r = { .reason = reason }; + + #ifdef CONFIG_SMP +- smp_send_stop(); ++ stop_other_cpus(); + #endif + + if (HYPERVISOR_sched_op(SCHEDOP_shutdown, &r)) +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -398,9 +398,9 @@ static void stop_self(void *v) + BUG(); + } + +-static void xen_smp_send_stop(void) ++static void xen_stop_other_cpus(int wait) + { +- smp_call_function(stop_self, NULL, 0); ++ smp_call_function(stop_self, NULL, wait); + } + + static void xen_smp_send_reschedule(int cpu) +@@ -468,7 +468,7 @@ static const struct smp_ops xen_smp_ops + .cpu_disable = xen_cpu_disable, + .play_dead = xen_play_dead, + +- .smp_send_stop = xen_smp_send_stop, ++ .stop_other_cpus = xen_stop_other_cpus, + .smp_send_reschedule = xen_smp_send_reschedule, + + .send_call_func_ipi = xen_smp_send_call_function_ipi, diff --git a/queue-2.6.35/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch b/queue-2.6.35/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch new file mode 100644 index 00000000000..9f1ea572956 --- /dev/null +++ b/queue-2.6.35/x86-mtrr-assume-sys_cfg-exists-on-all-future-amd-cpus.patch @@ -0,0 +1,42 @@ +From 3fdbf004c1706480a7c7fac3c9d836fa6df20d7d Mon Sep 17 00:00:00 2001 +From: Andreas Herrmann +Date: Thu, 30 Sep 2010 14:32:35 +0200 +Subject: x86, mtrr: Assume SYS_CFG[Tom2ForceMemTypeWB] exists on all future AMD CPUs + +From: Andreas Herrmann + +commit 3fdbf004c1706480a7c7fac3c9d836fa6df20d7d upstream. + +Instead of adapting the CPU family check in amd_special_default_mtrr() +for each new CPU family assume that all new AMD CPUs support the +necessary bits in SYS_CFG MSR. + +Tom2Enabled is architectural (defined in APM Vol.2). +Tom2ForceMemTypeWB is defined in all BKDGs starting with K8 NPT. +In pre K8-NPT BKDG this bit is reserved (read as zero). + +W/o this adaption Linux would unnecessarily complain about bad MTRR +settings on every new AMD CPU family, e.g. + +[ 0.000000] WARNING: BIOS bug: CPU MTRRs don't cover all of memory, losing 4863MB of RAM. + +Signed-off-by: Andreas Herrmann +LKML-Reference: <20100930123235.GB20545@loge.amd.com> +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mtrr/cleanup.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mtrr/cleanup.c ++++ b/arch/x86/kernel/cpu/mtrr/cleanup.c +@@ -827,7 +827,7 @@ int __init amd_special_default_mtrr(void + + if (boot_cpu_data.x86_vendor != X86_VENDOR_AMD) + return 0; +- if (boot_cpu_data.x86 < 0xf || boot_cpu_data.x86 > 0x11) ++ if (boot_cpu_data.x86 < 0xf) + return 0; + /* In case some hypervisor doesn't pass SYSCFG through: */ + if (rdmsr_safe(MSR_K8_SYSCFG, &l, &h) < 0) diff --git a/queue-2.6.35/x86-olpc-don-t-retry-ec-commands-forever.patch b/queue-2.6.35/x86-olpc-don-t-retry-ec-commands-forever.patch new file mode 100644 index 00000000000..85f529aa57e --- /dev/null +++ b/queue-2.6.35/x86-olpc-don-t-retry-ec-commands-forever.patch @@ -0,0 +1,44 @@ +From 286e5b97eb22baab9d9a41ca76c6b933a484252c Mon Sep 17 00:00:00 2001 +From: Paul Fox +Date: Fri, 1 Oct 2010 18:17:19 +0100 +Subject: x86, olpc: Don't retry EC commands forever + +From: Paul Fox + +commit 286e5b97eb22baab9d9a41ca76c6b933a484252c upstream. + +Avoids a potential infinite loop. + +It was observed once, during an EC hacking/debugging +session - not in regular operation. + +Signed-off-by: Daniel Drake +Cc: dilinger@queued.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/olpc.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/olpc.c ++++ b/arch/x86/kernel/olpc.c +@@ -117,6 +117,7 @@ int olpc_ec_cmd(unsigned char cmd, unsig + unsigned long flags; + int ret = -EIO; + int i; ++ int restarts = 0; + + spin_lock_irqsave(&ec_lock, flags); + +@@ -173,7 +174,9 @@ restart: + if (wait_on_obf(0x6c, 1)) { + printk(KERN_ERR "olpc-ec: timeout waiting for" + " EC to provide data!\n"); +- goto restart; ++ if (restarts++ < 10) ++ goto restart; ++ goto err; + } + outbuf[i] = inb(0x68); + printk(KERN_DEBUG "olpc-ec: received 0x%x\n", diff --git a/queue-2.6.35/x86-vm86-fix-preemption-bug-for-int1-debug-and-int3-breakpoint-handlers.patch b/queue-2.6.35/x86-vm86-fix-preemption-bug-for-int1-debug-and-int3-breakpoint-handlers.patch new file mode 100644 index 00000000000..a648d7d61e8 --- /dev/null +++ b/queue-2.6.35/x86-vm86-fix-preemption-bug-for-int1-debug-and-int3-breakpoint-handlers.patch @@ -0,0 +1,104 @@ +From 6554287b1de0448f1e02e200d02b43914e997d15 Mon Sep 17 00:00:00 2001 +From: Bart Oldeman +Date: Thu, 23 Sep 2010 13:16:58 -0400 +Subject: x86, vm86: Fix preemption bug for int1 debug and int3 breakpoint handlers. + +From: Bart Oldeman + +commit 6554287b1de0448f1e02e200d02b43914e997d15 upstream. + +Impact: fix kernel bug such as: +BUG: scheduling while atomic: dosemu.bin/19680/0x00000004 +See also Ubuntu bug 455067 at +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/455067 + +Commits 4915a35e35a037254550a2ba9f367a812bc37d40 +("Use preempt_conditional_sti/cli in do_int3, like on x86_64.") +and 3d2a71a596bd9c761c8487a2178e95f8a61da083 +("x86, traps: converge do_debug handlers") +started disabling preemption in int1 and int3 handlers on i386. +The problem with vm86 is that the call to handle_vm86_trap() may jump +straight to entry_32.S and never returns so preempt is never enabled +again, and there is an imbalance in the preempt count. + +Commit be716615fe596ee117292dc615e95f707fb67fd1 ("x86, vm86: +fix preemption bug"), which was later (accidentally?) reverted by commit +08d68323d1f0c34452e614263b212ca556dae47f ("hw-breakpoints: modifying +generic debug exception to use thread-specific debug registers") +fixed the problem for debug exceptions but not for breakpoints. + +There are three solutions to this problem. + +1. Reenable preemption before calling handle_vm86_trap(). This +was the approach that was later reverted. + +2. Do not disable preemption for i386 in breakpoint and debug handlers. +This was the situation before October 2008. As far as I understand +preemption only needs to be disabled on x86_64 because a seperate stack is +used, but it's nice to have things work the same way on +i386 and x86_64. + +3. Let handle_vm86_trap() return instead of jumping to assembly code. +By setting a flag in _TIF_WORK_MASK, either TIF_IRET or TIF_NOTIFY_RESUME, +the code in entry_32.S is instructed to return to 32 bit mode from +V86 mode. The logic in entry_32.S was already present to handle signals. +(I chose TIF_IRET because it's slightly more efficient in +do_notify_resume() in signal.c, but in fact TIF_IRET can probably be +replaced by TIF_NOTIFY_RESUME everywhere.) + +I'm submitting approach 3, because I believe it is the most elegant +and prevents future confusion. Still, an obvious +preempt_conditional_cli(regs); is necessary in traps.c to correct the +bug. + +[ hpa: This is technically a regression, but because: + 1. the regression is so old, + 2. the patch seems relatively high risk, justifying more testing, and + 3. we're late in the 2.6.36-rc cycle, + + I'm queuing it up for the 2.6.37 merge window. It might, however, + justify as a -stable backport at a latter time, hence Cc: stable. ] + +Signed-off-by: Bart Oldeman +LKML-Reference: +Cc: Frederic Weisbecker +Cc: K.Prasad +Cc: Alan Stern +Cc: Alexander van Heukelum +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/traps.c | 1 + + arch/x86/kernel/vm86_32.c | 10 ++++++++-- + 2 files changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/traps.c ++++ b/arch/x86/kernel/traps.c +@@ -568,6 +568,7 @@ dotraplinkage void __kprobes do_debug(st + if (regs->flags & X86_VM_MASK) { + handle_vm86_trap((struct kernel_vm86_regs *) regs, + error_code, 1); ++ preempt_conditional_cli(regs); + return; + } + +--- a/arch/x86/kernel/vm86_32.c ++++ b/arch/x86/kernel/vm86_32.c +@@ -551,8 +551,14 @@ cannot_handle: + int handle_vm86_trap(struct kernel_vm86_regs *regs, long error_code, int trapno) + { + if (VMPI.is_vm86pus) { +- if ((trapno == 3) || (trapno == 1)) +- return_to_32bit(regs, VM86_TRAP + (trapno << 8)); ++ if ((trapno == 3) || (trapno == 1)) { ++ KVM86->regs32->ax = VM86_TRAP + (trapno << 8); ++ /* setting this flag forces the code in entry_32.S to ++ call save_v86_state() and change the stack pointer ++ to KVM86->regs32 */ ++ set_thread_flag(TIF_IRET); ++ return 0; ++ } + do_int(regs, trapno, (unsigned char __user *) (regs->pt.ss << 4), SP(regs)); + return 0; + }