From: Greg Kroah-Hartman Date: Mon, 20 Dec 2010 19:28:01 +0000 (-0800) Subject: .36 patches X-Git-Tag: v2.6.36.3~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=0c2956ff492e99e11a95ddcdae84054a85971590;p=thirdparty%2Fkernel%2Fstable-queue.git .36 patches --- diff --git a/queue-2.6.36/amd64_edac-fix-interleaving-check.patch b/queue-2.6.36/amd64_edac-fix-interleaving-check.patch new file mode 100644 index 00000000000..923111aade4 --- /dev/null +++ b/queue-2.6.36/amd64_edac-fix-interleaving-check.patch @@ -0,0 +1,38 @@ +From e726f3c368e7c1919a7166ec09c5705759f1a69d Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Mon, 6 Dec 2010 16:20:25 +0100 +Subject: amd64_edac: Fix interleaving check + +From: Borislav Petkov + +commit e726f3c368e7c1919a7166ec09c5705759f1a69d upstream. + +When matching error address to the range contained by one memory node, +we're in valid range when node interleaving + +1. is disabled, or +2. enabled and when the address bits we interleave on match the +interleave selector on this node (see the "Node Interleaving" section in +the BKDG for an enlightening example). + +Thus, when we early-exit, we need to reverse the compound logic +statement properly. + +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/amd64_edac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -1572,7 +1572,7 @@ static int f10_match_to_this_node(struct + debugf1(" HoleOffset=0x%x HoleValid=0x%x IntlvSel=0x%x\n", + hole_off, hole_valid, intlv_sel); + +- if (intlv_en || ++ if (intlv_en && + (intlv_sel != ((sys_addr >> 12) & intlv_en))) + return -EINVAL; + diff --git a/queue-2.6.36/arm-6535-1-v6-mpcore-v6_dma_inv_range-and-v6_dma_flush_range-rwfo-fix.patch b/queue-2.6.36/arm-6535-1-v6-mpcore-v6_dma_inv_range-and-v6_dma_flush_range-rwfo-fix.patch new file mode 100644 index 00000000000..e9eb89efbf4 --- /dev/null +++ b/queue-2.6.36/arm-6535-1-v6-mpcore-v6_dma_inv_range-and-v6_dma_flush_range-rwfo-fix.patch @@ -0,0 +1,104 @@ +From 85b093bcc5322baa811a03ec73de0909c157f181 Mon Sep 17 00:00:00 2001 +From: Valentine Barshak +Date: Tue, 14 Dec 2010 00:03:16 +0100 +Subject: ARM: 6535/1: V6 MPCore v6_dma_inv_range and v6_dma_flush_range RWFO fix + +From: Valentine Barshak + +commit 85b093bcc5322baa811a03ec73de0909c157f181 upstream. + +Cache ownership must be acquired by reading/writing data from the +cache line to make cache operation have the desired effect on the +SMP MPCore CPU. However, the ownership is never acquired in the +v6_dma_inv_range function when cleaning the first line and +flushing the last one, in case the address is not aligned +to D_CACHE_LINE_SIZE boundary. +Fix this by reading/writing data if needed, before performing +cache operations. +While at it, fix v6_dma_flush_range to prevent RWFO outside +the buffer. + +Signed-off-by: Valentine Barshak +Signed-off-by: George G. Davis +Acked-by: Catalin Marinas +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/cache-v6.S | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +--- a/arch/arm/mm/cache-v6.S ++++ b/arch/arm/mm/cache-v6.S +@@ -196,6 +196,10 @@ ENTRY(v6_flush_kern_dcache_area) + * - end - virtual end address of region + */ + v6_dma_inv_range: ++#ifdef CONFIG_DMA_CACHE_RWFO ++ ldrb r2, [r0] @ read for ownership ++ strb r2, [r0] @ write for ownership ++#endif + tst r0, #D_CACHE_LINE_SIZE - 1 + bic r0, r0, #D_CACHE_LINE_SIZE - 1 + #ifdef HARVARD_CACHE +@@ -204,6 +208,10 @@ v6_dma_inv_range: + mcrne p15, 0, r0, c7, c11, 1 @ clean unified line + #endif + tst r1, #D_CACHE_LINE_SIZE - 1 ++#ifdef CONFIG_DMA_CACHE_RWFO ++ ldrneb r2, [r1, #-1] @ read for ownership ++ strneb r2, [r1, #-1] @ write for ownership ++#endif + bic r1, r1, #D_CACHE_LINE_SIZE - 1 + #ifdef HARVARD_CACHE + mcrne p15, 0, r1, c7, c14, 1 @ clean & invalidate D line +@@ -211,10 +219,6 @@ v6_dma_inv_range: + mcrne p15, 0, r1, c7, c15, 1 @ clean & invalidate unified line + #endif + 1: +-#ifdef CONFIG_DMA_CACHE_RWFO +- ldr r2, [r0] @ read for ownership +- str r2, [r0] @ write for ownership +-#endif + #ifdef HARVARD_CACHE + mcr p15, 0, r0, c7, c6, 1 @ invalidate D line + #else +@@ -222,6 +226,10 @@ v6_dma_inv_range: + #endif + add r0, r0, #D_CACHE_LINE_SIZE + cmp r0, r1 ++#ifdef CONFIG_DMA_CACHE_RWFO ++ ldrlo r2, [r0] @ read for ownership ++ strlo r2, [r0] @ write for ownership ++#endif + blo 1b + mov r0, #0 + mcr p15, 0, r0, c7, c10, 4 @ drain write buffer +@@ -256,12 +264,12 @@ v6_dma_clean_range: + * - end - virtual end address of region + */ + ENTRY(v6_dma_flush_range) +- bic r0, r0, #D_CACHE_LINE_SIZE - 1 +-1: + #ifdef CONFIG_DMA_CACHE_RWFO +- ldr r2, [r0] @ read for ownership +- str r2, [r0] @ write for ownership ++ ldrb r2, [r0] @ read for ownership ++ strb r2, [r0] @ write for ownership + #endif ++ bic r0, r0, #D_CACHE_LINE_SIZE - 1 ++1: + #ifdef HARVARD_CACHE + mcr p15, 0, r0, c7, c14, 1 @ clean & invalidate D line + #else +@@ -269,6 +277,10 @@ ENTRY(v6_dma_flush_range) + #endif + add r0, r0, #D_CACHE_LINE_SIZE + cmp r0, r1 ++#ifdef CONFIG_DMA_CACHE_RWFO ++ ldrlob r2, [r0] @ read for ownership ++ strlob r2, [r0] @ write for ownership ++#endif + blo 1b + mov r0, #0 + mcr p15, 0, r0, c7, c10, 4 @ drain write buffer diff --git a/queue-2.6.36/asoc-fix-deemphasis-control-in-wm8904-55-60-codecs.patch b/queue-2.6.36/asoc-fix-deemphasis-control-in-wm8904-55-60-codecs.patch new file mode 100644 index 00000000000..da9fb36419c --- /dev/null +++ b/queue-2.6.36/asoc-fix-deemphasis-control-in-wm8904-55-60-codecs.patch @@ -0,0 +1,60 @@ +From 3f343f8512c7882a3637d9aea4ec6b3801cbcdc5 Mon Sep 17 00:00:00 2001 +From: Dmitry Artamonow +Date: Wed, 8 Dec 2010 23:36:17 +0300 +Subject: ASoC: fix deemphasis control in wm8904/55/60 codecs + +From: Dmitry Artamonow + +commit 3f343f8512c7882a3637d9aea4ec6b3801cbcdc5 upstream. + +Deemphasis control's .get callback should update control's value instead +of returning it - return value of callback function is used for indicating +error or success of operation. + +Signed-off-by: Dmitry Artamonow +Acked-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8904.c | 3 ++- + sound/soc/codecs/wm8955.c | 3 ++- + sound/soc/codecs/wm8960.c | 3 ++- + 3 files changed, 6 insertions(+), 3 deletions(-) + +--- a/sound/soc/codecs/wm8904.c ++++ b/sound/soc/codecs/wm8904.c +@@ -820,7 +820,8 @@ static int wm8904_get_deemph(struct snd_ + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8904_priv *wm8904 = snd_soc_codec_get_drvdata(codec); + +- return wm8904->deemph; ++ ucontrol->value.enumerated.item[0] = wm8904->deemph; ++ return 0; + } + + static int wm8904_put_deemph(struct snd_kcontrol *kcontrol, +--- a/sound/soc/codecs/wm8955.c ++++ b/sound/soc/codecs/wm8955.c +@@ -384,7 +384,8 @@ static int wm8955_get_deemph(struct snd_ + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8955_priv *wm8955 = snd_soc_codec_get_drvdata(codec); + +- return wm8955->deemph; ++ ucontrol->value.enumerated.item[0] = wm8955->deemph; ++ return 0; + } + + static int wm8955_put_deemph(struct snd_kcontrol *kcontrol, +--- a/sound/soc/codecs/wm8960.c ++++ b/sound/soc/codecs/wm8960.c +@@ -137,7 +137,8 @@ static int wm8960_get_deemph(struct snd_ + struct snd_soc_codec *codec = snd_kcontrol_chip(kcontrol); + struct wm8960_priv *wm8960 = snd_soc_codec_get_drvdata(codec); + +- return wm8960->deemph; ++ ucontrol->value.enumerated.item[0] = wm8960->deemph; ++ return 0; + } + + static int wm8960_put_deemph(struct snd_kcontrol *kcontrol, diff --git a/queue-2.6.36/asoc-fix-off-by-one-error-in-wm8994-eq-register-bank-size.patch b/queue-2.6.36/asoc-fix-off-by-one-error-in-wm8994-eq-register-bank-size.patch new file mode 100644 index 00000000000..5630ceecd46 --- /dev/null +++ b/queue-2.6.36/asoc-fix-off-by-one-error-in-wm8994-eq-register-bank-size.patch @@ -0,0 +1,29 @@ +From 3fcc0afbb9c93f3599ba03273e59915670b6c2c2 Mon Sep 17 00:00:00 2001 +From: Uk Kim +Date: Sun, 5 Dec 2010 17:32:16 +0900 +Subject: ASoC: Fix off by one error in WM8994 EQ register bank size + +From: Uk Kim + +commit 3fcc0afbb9c93f3599ba03273e59915670b6c2c2 upstream. + +Signed-off-by: Uk Kim +Acked-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/mfd/wm8994/pdata.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/mfd/wm8994/pdata.h ++++ b/include/linux/mfd/wm8994/pdata.h +@@ -29,7 +29,7 @@ struct wm8994_ldo_pdata { + #define WM8994_CONFIGURE_GPIO 0x8000 + + #define WM8994_DRC_REGS 5 +-#define WM8994_EQ_REGS 19 ++#define WM8994_EQ_REGS 20 + + /** + * DRC configurations are specified with a label and a set of register diff --git a/queue-2.6.36/asoc-fix-swap-of-left-and-right-channels-for-wm8993-4-speaker-boost-gain.patch b/queue-2.6.36/asoc-fix-swap-of-left-and-right-channels-for-wm8993-4-speaker-boost-gain.patch new file mode 100644 index 00000000000..48e1cd5733a --- /dev/null +++ b/queue-2.6.36/asoc-fix-swap-of-left-and-right-channels-for-wm8993-4-speaker-boost-gain.patch @@ -0,0 +1,31 @@ +From ed8cc471d75365f8590c76f580def899d58028c0 Mon Sep 17 00:00:00 2001 +From: Uk Kim +Date: Sun, 5 Dec 2010 17:26:07 +0900 +Subject: ASoC: Fix swap of left and right channels for WM8993/4 speaker boost gain + +From: Uk Kim + +commit ed8cc471d75365f8590c76f580def899d58028c0 upstream. + +SPKOUTL_BOOST start from third bit, SPKOUTLR_BOOST start from 0 bit. + +Signed-off-by: Uk Kim +Acked-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm_hubs.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm_hubs.c ++++ b/sound/soc/codecs/wm_hubs.c +@@ -293,7 +293,7 @@ SOC_DOUBLE_R("Speaker Switch", + SOC_DOUBLE_R("Speaker ZC Switch", + WM8993_SPEAKER_VOLUME_LEFT, WM8993_SPEAKER_VOLUME_RIGHT, + 7, 1, 0), +-SOC_DOUBLE_TLV("Speaker Boost Volume", WM8993_SPKOUT_BOOST, 0, 3, 7, 0, ++SOC_DOUBLE_TLV("Speaker Boost Volume", WM8993_SPKOUT_BOOST, 3, 0, 7, 0, + spkboost_tlv), + SOC_ENUM("Speaker Reference", speaker_ref), + SOC_ENUM("Speaker Mode", speaker_mode), diff --git a/queue-2.6.36/asoc-wm8580-fix-r8-initial-value.patch b/queue-2.6.36/asoc-wm8580-fix-r8-initial-value.patch new file mode 100644 index 00000000000..d09da565452 --- /dev/null +++ b/queue-2.6.36/asoc-wm8580-fix-r8-initial-value.patch @@ -0,0 +1,31 @@ +From a0968628097380be52db8b4664da98fc425546a5 Mon Sep 17 00:00:00 2001 +From: Seungwhan Youn +Date: Thu, 9 Dec 2010 18:07:52 +0900 +Subject: ASoC: WM8580: Fix R8 initial value + +From: Seungwhan Youn + +commit a0968628097380be52db8b4664da98fc425546a5 upstream. + +Acc to WM8580 manual, the default value for R8 is 0x10, not 0x1c. + +Signed-off-by: Seungwhan Youn +Acked-by: Liam Girdwood +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8580.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8580.c ++++ b/sound/soc/codecs/wm8580.c +@@ -171,7 +171,7 @@ + static const u16 wm8580_reg[] = { + 0x0121, 0x017e, 0x007d, 0x0014, /*R3*/ + 0x0121, 0x017e, 0x007d, 0x0194, /*R7*/ +- 0x001c, 0x0002, 0x0002, 0x00c2, /*R11*/ ++ 0x0010, 0x0002, 0x0002, 0x00c2, /*R11*/ + 0x0182, 0x0082, 0x000a, 0x0024, /*R15*/ + 0x0009, 0x0000, 0x00ff, 0x0000, /*R19*/ + 0x00ff, 0x00ff, 0x00ff, 0x00ff, /*R23*/ diff --git a/queue-2.6.36/ath9k-disable-swba-interrupt-on-remove_interface.patch b/queue-2.6.36/ath9k-disable-swba-interrupt-on-remove_interface.patch new file mode 100644 index 00000000000..3763a56957e --- /dev/null +++ b/queue-2.6.36/ath9k-disable-swba-interrupt-on-remove_interface.patch @@ -0,0 +1,47 @@ +From 46047784b8cdcfc916f6c1cccee0c18dd1223dfd Mon Sep 17 00:00:00 2001 +From: Rajkumar Manoharan +Date: Fri, 26 Nov 2010 23:24:31 +0530 +Subject: ath9k: Disable SWBA interrupt on remove_interface + +From: Rajkumar Manoharan + +commit 46047784b8cdcfc916f6c1cccee0c18dd1223dfd upstream. + +while removing beaconing mode interface, SWBA interrupt +was never disabled when there are no other beaconing interfaces. + +Signed-off-by: Rajkumar Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/main.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -1484,6 +1484,7 @@ static void ath9k_remove_interface(struc + struct ath_softc *sc = aphy->sc; + struct ath_common *common = ath9k_hw_common(sc->sc_ah); + struct ath_vif *avp = (void *)vif->drv_priv; ++ bool bs_valid = false; + int i; + + ath_print(common, ATH_DBG_CONFIG, "Detach Interface\n"); +@@ -1512,7 +1513,15 @@ static void ath9k_remove_interface(struc + "slot\n", __func__); + sc->beacon.bslot[i] = NULL; + sc->beacon.bslot_aphy[i] = NULL; +- } ++ } else if (sc->beacon.bslot[i]) ++ bs_valid = true; ++ } ++ if (!bs_valid && (sc->sc_ah->imask & ATH9K_INT_SWBA)) { ++ /* Disable SWBA interrupt */ ++ sc->sc_ah->imask &= ~ATH9K_INT_SWBA; ++ ath9k_ps_wakeup(sc); ++ ath9k_hw_set_interrupts(sc->sc_ah, sc->sc_ah->imask); ++ ath9k_ps_restore(sc); + } + + sc->nvifs--; diff --git a/queue-2.6.36/ath9k-fix-bug-in-reading-input-gpio-state-for-ar9003.patch b/queue-2.6.36/ath9k-fix-bug-in-reading-input-gpio-state-for-ar9003.patch new file mode 100644 index 00000000000..97b99d3079a --- /dev/null +++ b/queue-2.6.36/ath9k-fix-bug-in-reading-input-gpio-state-for-ar9003.patch @@ -0,0 +1,52 @@ +From 9306990a656d9cfd8bf3586938012729c1f2ea50 Mon Sep 17 00:00:00 2001 +From: Vasanthakumar Thiagarajan +Date: Tue, 30 Nov 2010 23:24:09 -0800 +Subject: ath9k: Fix bug in reading input gpio state for ar9003 + +From: Vasanthakumar Thiagarajan + +commit 9306990a656d9cfd8bf3586938012729c1f2ea50 upstream. + +The register which gives input gpio state is 0x404c for ar9003, +currently 0x4048 is wrongly used. This will disable RF and make +it unusable on some of AR9003. + +Signed-off-by: Vasanthakumar Thiagarajan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/hw.c | 3 ++- + drivers/net/wireless/ath/ath9k/reg.h | 6 ++++-- + 2 files changed, 6 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -2351,7 +2351,8 @@ u32 ath9k_hw_gpio_get(struct ath_hw *ah, + val = REG_READ(ah, AR7010_GPIO_IN); + return (MS(val, AR7010_GPIO_IN_VAL) & AR_GPIO_BIT(gpio)) == 0; + } else if (AR_SREV_9300_20_OR_LATER(ah)) +- return MS_REG_READ(AR9300, gpio) != 0; ++ return (MS(REG_READ(ah, AR_GPIO_IN), AR9300_GPIO_IN_VAL) & ++ AR_GPIO_BIT(gpio)) != 0; + else if (AR_SREV_9271(ah)) + return MS_REG_READ(AR9271, gpio) != 0; + else if (AR_SREV_9287_10_OR_LATER(ah)) +--- a/drivers/net/wireless/ath/ath9k/reg.h ++++ b/drivers/net/wireless/ath/ath9k/reg.h +@@ -1019,11 +1019,13 @@ enum { + #define AR9287_GPIO_IN_VAL_S 11 + #define AR9271_GPIO_IN_VAL 0xFFFF0000 + #define AR9271_GPIO_IN_VAL_S 16 +-#define AR9300_GPIO_IN_VAL 0x0001FFFF +-#define AR9300_GPIO_IN_VAL_S 0 + #define AR7010_GPIO_IN_VAL 0x0000FFFF + #define AR7010_GPIO_IN_VAL_S 0 + ++#define AR_GPIO_IN 0x404c ++#define AR9300_GPIO_IN_VAL 0x0001FFFF ++#define AR9300_GPIO_IN_VAL_S 0 ++ + #define AR_GPIO_OE_OUT (AR_SREV_9300_20_OR_LATER(ah) ? 0x4050 : 0x404c) + #define AR_GPIO_OE_OUT_DRV 0x3 + #define AR_GPIO_OE_OUT_DRV_NO 0x0 diff --git a/queue-2.6.36/ath9k-fix-bug-in-tx-power.patch b/queue-2.6.36/ath9k-fix-bug-in-tx-power.patch new file mode 100644 index 00000000000..8a6fcbc3fba --- /dev/null +++ b/queue-2.6.36/ath9k-fix-bug-in-tx-power.patch @@ -0,0 +1,48 @@ +From 841051602e3fa18ea468fe5a177aa92b6eb44b56 Mon Sep 17 00:00:00 2001 +From: Matteo Croce +Date: Fri, 3 Dec 2010 02:25:08 +0100 +Subject: ath9k: fix bug in tx power + +From: Matteo Croce + +commit 841051602e3fa18ea468fe5a177aa92b6eb44b56 upstream. + +The ath9k driver subtracts 3 dBm to the txpower as with two radios the +signal power is doubled. +The resulting value is assigned in an u16 which overflows and makes +the card work at full power. + +Signed-off-by: Matteo Croce +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/eeprom_def.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/eeprom_def.c ++++ b/drivers/net/wireless/ath/ath9k/eeprom_def.c +@@ -1062,15 +1062,19 @@ static void ath9k_hw_set_def_power_per_r + case 1: + break; + case 2: +- scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; ++ if (scaledPower > REDUCE_SCALED_POWER_BY_TWO_CHAIN) ++ scaledPower -= REDUCE_SCALED_POWER_BY_TWO_CHAIN; ++ else ++ scaledPower = 0; + break; + case 3: +- scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; ++ if (scaledPower > REDUCE_SCALED_POWER_BY_THREE_CHAIN) ++ scaledPower -= REDUCE_SCALED_POWER_BY_THREE_CHAIN; ++ else ++ scaledPower = 0; + break; + } + +- scaledPower = max((u16)0, scaledPower); +- + if (IS_CHAN_2GHZ(chan)) { + numCtlModes = ARRAY_SIZE(ctlModesFor11g) - + SUB_NUM_CTL_MODES_AT_2G_40; diff --git a/queue-2.6.36/ath9k-fix-sta-disconnect-issue-due-to-received-mic-failed-bcast-frames.patch b/queue-2.6.36/ath9k-fix-sta-disconnect-issue-due-to-received-mic-failed-bcast-frames.patch new file mode 100644 index 00000000000..04b38617f4b --- /dev/null +++ b/queue-2.6.36/ath9k-fix-sta-disconnect-issue-due-to-received-mic-failed-bcast-frames.patch @@ -0,0 +1,61 @@ +From 916448e77f6bcaaa7f13c3de0c3851783ae2bfd0 Mon Sep 17 00:00:00 2001 +From: Senthil Balasubramanian +Date: Tue, 30 Nov 2010 20:15:39 +0530 +Subject: ath9k: Fix STA disconnect issue due to received MIC failed bcast frames + +From: Senthil Balasubramanian + +commit 916448e77f6bcaaa7f13c3de0c3851783ae2bfd0 upstream. + +AR_RxKeyIdxValid will not be set for bcast/mcast frames and so relying +this status for MIC failed frames is buggy. + +Due to this, MIC failure events for broadcast frames are not sent to +supplicant resulted in AP disconnecting the STA. + +Able to pass Wifi Test case 5.2.18 with this fix. + +Signed-off-by: Senthil Balasubramanian +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/mac.c | 3 +-- + drivers/net/wireless/ath/ath9k/recv.c | 4 +++- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/mac.c ++++ b/drivers/net/wireless/ath/ath9k/mac.c +@@ -711,8 +711,7 @@ int ath9k_hw_rxprocdesc(struct ath_hw *a + rs->rs_phyerr = phyerr; + } else if (ads.ds_rxstatus8 & AR_DecryptCRCErr) + rs->rs_status |= ATH9K_RXERR_DECRYPT; +- else if ((ads.ds_rxstatus8 & AR_MichaelErr) && +- rs->rs_keyix != ATH9K_RXKEYIX_INVALID) ++ else if (ads.ds_rxstatus8 & AR_MichaelErr) + rs->rs_status |= ATH9K_RXERR_MIC; + else if (ads.ds_rxstatus8 & AR_KeyMiss) + rs->rs_status |= ATH9K_RXERR_DECRYPT; +--- a/drivers/net/wireless/ath/ath9k/recv.c ++++ b/drivers/net/wireless/ath/ath9k/recv.c +@@ -1035,9 +1035,11 @@ static void ath9k_rx_skb_postprocess(str + int hdrlen, padpos, padsize; + u8 keyix; + __le16 fc; ++ bool is_mc; + + /* see if any padding is done by the hw and remove it */ + hdr = (struct ieee80211_hdr *) skb->data; ++ is_mc = !!is_multicast_ether_addr(hdr->addr1); + hdrlen = ieee80211_get_hdrlen_from_skb(skb); + fc = hdr->frame_control; + padpos = ath9k_cmn_padpos(hdr->frame_control); +@@ -1058,7 +1060,7 @@ static void ath9k_rx_skb_postprocess(str + + keyix = rx_stats->rs_keyix; + +- if (!(keyix == ATH9K_RXKEYIX_INVALID) && !decrypt_error && ++ if ((is_mc || !(keyix == ATH9K_RXKEYIX_INVALID)) && !decrypt_error && + ieee80211_has_protected(fc)) { + rxs->flag |= RX_FLAG_DECRYPTED; + } else if (ieee80211_has_protected(fc) diff --git a/queue-2.6.36/ath9k_hw-fix-endian-issues-with-ctls-on-ar9003.patch b/queue-2.6.36/ath9k_hw-fix-endian-issues-with-ctls-on-ar9003.patch new file mode 100644 index 00000000000..71deb00baba --- /dev/null +++ b/queue-2.6.36/ath9k_hw-fix-endian-issues-with-ctls-on-ar9003.patch @@ -0,0 +1,254 @@ +From e702ba18f25887c76d26c8a85cc1706463c62e9a Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Wed, 1 Dec 2010 19:07:46 +0100 +Subject: ath9k_hw: fix endian issues with CTLs on AR9003 + +From: Felix Fietkau + +commit e702ba18f25887c76d26c8a85cc1706463c62e9a upstream. + +Parsing data using bitfields is messy, because it makes endian handling +much harder. AR9002 and earlier got it right, AR9003 got it wrong. +This might lead to either using too high or too low tx power values, +depending on frequency and eeprom settings. +Fix it by getting rid of the CTL related bitfields entirely and use +masks instead. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ar9003_eeprom.c | 79 ++++++++++++------------- + drivers/net/wireless/ath/ath9k/ar9003_eeprom.h | 9 -- + drivers/net/wireless/ath/ath9k/eeprom.c | 6 - + drivers/net/wireless/ath/ath9k/eeprom.h | 13 +--- + 4 files changed, 50 insertions(+), 57 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c ++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.c +@@ -55,6 +55,8 @@ + #define SUB_NUM_CTL_MODES_AT_5G_40 2 /* excluding HT40, EXT-OFDM */ + #define SUB_NUM_CTL_MODES_AT_2G_40 3 /* excluding HT40, EXT-OFDM, EXT-CCK */ + ++#define CTL(_tpower, _flag) ((_tpower) | ((_flag) << 6)) ++ + static const struct ar9300_eeprom ar9300_default = { + .eepromVersion = 2, + .templateVersion = 2, +@@ -290,20 +292,21 @@ static const struct ar9300_eeprom ar9300 + } + }, + .ctlPowerData_2G = { +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- { { {60, 1}, {60, 0}, {60, 0}, {60, 1} } }, +- +- { { {60, 1}, {60, 0}, {0, 0}, {0, 0} } }, +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- +- { { {60, 0}, {60, 1}, {60, 1}, {60, 0} } }, +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- +- { { {60, 0}, {60, 1}, {60, 0}, {60, 0} } }, +- { { {60, 0}, {60, 1}, {60, 1}, {60, 1} } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ { { CTL(60, 1), CTL(60, 0), CTL(60, 0), CTL(60, 1) } }, ++ ++ { { CTL(60, 1), CTL(60, 0), CTL(0, 0), CTL(0, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 1), CTL(60, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 0) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 1), CTL(60, 1) } }, ++ { { CTL(60, 0), CTL(60, 1), CTL(60, 1), CTL(60, 1) } }, + }, + .modalHeader5G = { + /* 4 idle,t1,t2,b (4 bits per setting) */ +@@ -568,56 +571,56 @@ static const struct ar9300_eeprom ar9300 + .ctlPowerData_5G = { + { + { +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, +- {60, 1}, {60, 1}, {60, 1}, {60, 0}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 0), + } + }, + { + { +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, +- {60, 1}, {60, 1}, {60, 1}, {60, 0}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 0), + } + }, + { + { +- {60, 0}, {60, 1}, {60, 0}, {60, 1}, +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, ++ CTL(60, 0), CTL(60, 1), CTL(60, 0), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), + } + }, + { + { +- {60, 0}, {60, 1}, {60, 1}, {60, 0}, +- {60, 1}, {60, 0}, {60, 0}, {60, 0}, ++ CTL(60, 0), CTL(60, 1), CTL(60, 1), CTL(60, 0), ++ CTL(60, 1), CTL(60, 0), CTL(60, 0), CTL(60, 0), + } + }, + { + { +- {60, 1}, {60, 1}, {60, 1}, {60, 0}, +- {60, 0}, {60, 0}, {60, 0}, {60, 0}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 0), ++ CTL(60, 0), CTL(60, 0), CTL(60, 0), CTL(60, 0), + } + }, + { + { +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, +- {60, 1}, {60, 0}, {60, 0}, {60, 0}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), ++ CTL(60, 1), CTL(60, 0), CTL(60, 0), CTL(60, 0), + } + }, + { + { +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, +- {60, 1}, {60, 1}, {60, 1}, {60, 1}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 1), + } + }, + { + { +- {60, 1}, {60, 1}, {60, 0}, {60, 1}, +- {60, 1}, {60, 1}, {60, 1}, {60, 0}, ++ CTL(60, 1), CTL(60, 1), CTL(60, 0), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 1), CTL(60, 0), + } + }, + { + { +- {60, 1}, {60, 0}, {60, 1}, {60, 1}, +- {60, 1}, {60, 1}, {60, 0}, {60, 1}, ++ CTL(60, 1), CTL(60, 0), CTL(60, 1), CTL(60, 1), ++ CTL(60, 1), CTL(60, 1), CTL(60, 0), CTL(60, 1), + } + }, + } +@@ -1827,9 +1830,9 @@ static u16 ar9003_hw_get_direct_edge_pow + struct cal_ctl_data_5g *ctl_5g = eep->ctlPowerData_5G; + + if (is2GHz) +- return ctl_2g[idx].ctlEdges[edge].tPower; ++ return CTL_EDGE_TPOWER(ctl_2g[idx].ctlEdges[edge]); + else +- return ctl_5g[idx].ctlEdges[edge].tPower; ++ return CTL_EDGE_TPOWER(ctl_5g[idx].ctlEdges[edge]); + } + + static u16 ar9003_hw_get_indirect_edge_power(struct ar9300_eeprom *eep, +@@ -1847,12 +1850,12 @@ static u16 ar9003_hw_get_indirect_edge_p + + if (is2GHz) { + if (ath9k_hw_fbin2freq(ctl_freqbin[edge - 1], 1) < freq && +- ctl_2g[idx].ctlEdges[edge - 1].flag) +- return ctl_2g[idx].ctlEdges[edge - 1].tPower; ++ CTL_EDGE_FLAGS(ctl_2g[idx].ctlEdges[edge - 1])) ++ return CTL_EDGE_TPOWER(ctl_2g[idx].ctlEdges[edge - 1]); + } else { + if (ath9k_hw_fbin2freq(ctl_freqbin[edge - 1], 0) < freq && +- ctl_5g[idx].ctlEdges[edge - 1].flag) +- return ctl_5g[idx].ctlEdges[edge - 1].tPower; ++ CTL_EDGE_FLAGS(ctl_5g[idx].ctlEdges[edge - 1])) ++ return CTL_EDGE_TPOWER(ctl_5g[idx].ctlEdges[edge - 1]); + } + + return AR9300_MAX_RATE_POWER; +--- a/drivers/net/wireless/ath/ath9k/ar9003_eeprom.h ++++ b/drivers/net/wireless/ath/ath9k/ar9003_eeprom.h +@@ -261,17 +261,12 @@ struct cal_tgt_pow_ht { + u8 tPow2x[14]; + } __packed; + +-struct cal_ctl_edge_pwr { +- u8 tPower:6, +- flag:2; +-} __packed; +- + struct cal_ctl_data_2g { +- struct cal_ctl_edge_pwr ctlEdges[AR9300_NUM_BAND_EDGES_2G]; ++ u8 ctlEdges[AR9300_NUM_BAND_EDGES_2G]; + } __packed; + + struct cal_ctl_data_5g { +- struct cal_ctl_edge_pwr ctlEdges[AR9300_NUM_BAND_EDGES_5G]; ++ u8 ctlEdges[AR9300_NUM_BAND_EDGES_5G]; + } __packed; + + struct ar9300_eeprom { +--- a/drivers/net/wireless/ath/ath9k/eeprom.c ++++ b/drivers/net/wireless/ath/ath9k/eeprom.c +@@ -240,16 +240,16 @@ u16 ath9k_hw_get_max_edge_power(u16 freq + for (i = 0; (i < num_band_edges) && + (pRdEdgesPower[i].bChannel != AR5416_BCHAN_UNUSED); i++) { + if (freq == ath9k_hw_fbin2freq(pRdEdgesPower[i].bChannel, is2GHz)) { +- twiceMaxEdgePower = pRdEdgesPower[i].tPower; ++ twiceMaxEdgePower = CTL_EDGE_TPOWER(pRdEdgesPower[i].ctl); + break; + } else if ((i > 0) && + (freq < ath9k_hw_fbin2freq(pRdEdgesPower[i].bChannel, + is2GHz))) { + if (ath9k_hw_fbin2freq(pRdEdgesPower[i - 1].bChannel, + is2GHz) < freq && +- pRdEdgesPower[i - 1].flag) { ++ CTL_EDGE_FLAGS(pRdEdgesPower[i - 1].ctl)) { + twiceMaxEdgePower = +- pRdEdgesPower[i - 1].tPower; ++ CTL_EDGE_TPOWER(pRdEdgesPower[i - 1].ctl); + } + break; + } +--- a/drivers/net/wireless/ath/ath9k/eeprom.h ++++ b/drivers/net/wireless/ath/ath9k/eeprom.h +@@ -233,6 +233,9 @@ + + #define AR9287_CHECKSUM_LOCATION (AR9287_EEP_START_LOC + 1) + ++#define CTL_EDGE_TPOWER(_ctl) ((_ctl) & 0x3f) ++#define CTL_EDGE_FLAGS(_ctl) (((_ctl) >> 6) & 0x03) ++ + enum eeprom_param { + EEP_NFTHRESH_5, + EEP_NFTHRESH_2, +@@ -533,18 +536,10 @@ struct cal_target_power_ht { + u8 tPow2x[8]; + } __packed; + +- +-#ifdef __BIG_ENDIAN_BITFIELD +-struct cal_ctl_edges { +- u8 bChannel; +- u8 flag:2, tPower:6; +-} __packed; +-#else + struct cal_ctl_edges { + u8 bChannel; +- u8 tPower:6, flag:2; ++ u8 ctl; + } __packed; +-#endif + + struct cal_data_op_loop_ar9287 { + u8 pwrPdg[2][5]; diff --git a/queue-2.6.36/bootmem-add-alloc_bootmem_align.patch b/queue-2.6.36/bootmem-add-alloc_bootmem_align.patch new file mode 100644 index 00000000000..d3358e25f94 --- /dev/null +++ b/queue-2.6.36/bootmem-add-alloc_bootmem_align.patch @@ -0,0 +1,34 @@ +From 53dde5f385bc56e312f78b7cb25ffaf8efd4735d Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Tue, 16 Nov 2010 13:23:50 -0800 +Subject: bootmem: Add alloc_bootmem_align() + +From: Suresh Siddha + +commit 53dde5f385bc56e312f78b7cb25ffaf8efd4735d upstream. + +Add an alloc_bootmem_align() interface to allocate bootmem with +specified alignment. This is necessary to be able to allocate the +xsave area in a subsequent patch. + +Signed-off-by: Suresh Siddha +LKML-Reference: <20101116212441.977574826@sbsiddha-MOBL3.sc.intel.com> +Acked-by: H. Peter Anvin +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/bootmem.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/include/linux/bootmem.h ++++ b/include/linux/bootmem.h +@@ -105,6 +105,8 @@ extern void *__alloc_bootmem_low_node(pg + + #define alloc_bootmem(x) \ + __alloc_bootmem(x, SMP_CACHE_BYTES, __pa(MAX_DMA_ADDRESS)) ++#define alloc_bootmem_align(x, align) \ ++ __alloc_bootmem(x, align, __pa(MAX_DMA_ADDRESS)) + #define alloc_bootmem_nopanic(x) \ + __alloc_bootmem_nopanic(x, SMP_CACHE_BYTES, __pa(MAX_DMA_ADDRESS)) + #define alloc_bootmem_pages(x) \ diff --git a/queue-2.6.36/edac-fix-workqueue-related-crashes.patch b/queue-2.6.36/edac-fix-workqueue-related-crashes.patch new file mode 100644 index 00000000000..9dd0bc11a6c --- /dev/null +++ b/queue-2.6.36/edac-fix-workqueue-related-crashes.patch @@ -0,0 +1,51 @@ +From bb31b3122c0dd07d2d958da17a50ad771ce79e2b Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Thu, 2 Dec 2010 17:48:35 +0100 +Subject: EDAC: Fix workqueue-related crashes + +From: Borislav Petkov + +commit bb31b3122c0dd07d2d958da17a50ad771ce79e2b upstream. + +00740c58541b6087d78418cebca1fcb86dc6077d changed edac_core to +un-/register a workqueue item only if a lowlevel driver supplies a +polling routine. Normally, when we remove a polling low-level driver, we +go and cancel all the queued work. However, the workqueue unreg happens +based on the ->op_state setting, and edac_mc_del_mc() sets this to +OP_OFFLINE _before_ we cancel the work item, leading to NULL ptr oops on +the workqueue list. + +Fix it by putting the unreg stuff in proper order. + +Reported-and-tested-by: Tobias Karnat +LKML-Reference: <1291201307.3029.21.camel@Tobias-Karnat> +Signed-off-by: Borislav Petkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/edac_mc.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/edac/edac_mc.c ++++ b/drivers/edac/edac_mc.c +@@ -578,14 +578,16 @@ struct mem_ctl_info *edac_mc_del_mc(stru + return NULL; + } + +- /* marking MCI offline */ +- mci->op_state = OP_OFFLINE; +- + del_mc_from_global_list(mci); + mutex_unlock(&mem_ctls_mutex); + +- /* flush workq processes and remove sysfs */ ++ /* flush workq processes */ + edac_mc_workq_teardown(mci); ++ ++ /* marking MCI offline */ ++ mci->op_state = OP_OFFLINE; ++ ++ /* remove from sysfs */ + edac_remove_sysfs_mci_device(mci); + + edac_printk(KERN_INFO, EDAC_MC, diff --git a/queue-2.6.36/firewire-ohci-fix-regression-with-agere-fw643-rev-06-disable-msi.patch b/queue-2.6.36/firewire-ohci-fix-regression-with-agere-fw643-rev-06-disable-msi.patch new file mode 100644 index 00000000000..94b8ef82039 --- /dev/null +++ b/queue-2.6.36/firewire-ohci-fix-regression-with-agere-fw643-rev-06-disable-msi.patch @@ -0,0 +1,96 @@ +From 9993e0fe0f5f29c69e79efcb271ffc9843002985 Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Tue, 7 Dec 2010 20:32:40 +0100 +Subject: firewire: ohci: fix regression with Agere FW643 rev 06, disable MSI + +From: Stefan Richter + +commit 9993e0fe0f5f29c69e79efcb271ffc9843002985 upstream. + +Agere FW643 rev 06, listed as "11c1:5901 (rev 06) (prog-if 10 [OHCI])", +produced SBP-2 I/O errors since kernel 2.6.36. Disabling MSI fixes it. + +Since MSI work on Agere FW643-E (same vendor and device ID, but rev 07), +introduce a device revision field into firewire-ohci's quirks list so +that different quirks can be defined for older and newer revisions. + +Reported-by: Jonathan Isom +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/ohci.c | 48 +++++++++++++++++++++++++++++++++--------------- + 1 file changed, 33 insertions(+), 15 deletions(-) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -242,6 +242,7 @@ static inline struct fw_ohci *fw_ohci(st + + static char ohci_driver_name[] = KBUILD_MODNAME; + ++#define PCI_DEVICE_ID_AGERE_FW643 0x5901 + #define PCI_DEVICE_ID_JMICRON_JMB38X_FW 0x2380 + #define PCI_DEVICE_ID_TI_TSB12LV22 0x8009 + +@@ -253,19 +254,34 @@ static char ohci_driver_name[] = KBUILD_ + + /* In case of multiple matches in ohci_quirks[], only the first one is used. */ + static const struct { +- unsigned short vendor, device, flags; ++ unsigned short vendor, device, revision, flags; + } ohci_quirks[] = { +- {PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_TSB12LV22, QUIRK_CYCLE_TIMER | +- QUIRK_RESET_PACKET | +- QUIRK_NO_1394A}, +- {PCI_VENDOR_ID_TI, PCI_ANY_ID, QUIRK_RESET_PACKET}, +- {PCI_VENDOR_ID_AL, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, +- {PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB38X_FW, QUIRK_NO_MSI}, +- {PCI_VENDOR_ID_NEC, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, +- {PCI_VENDOR_ID_VIA, PCI_ANY_ID, QUIRK_CYCLE_TIMER | +- QUIRK_NO_MSI}, +- {PCI_VENDOR_ID_RICOH, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, +- {PCI_VENDOR_ID_APPLE, PCI_DEVICE_ID_APPLE_UNI_N_FW, QUIRK_BE_HEADERS}, ++ {PCI_VENDOR_ID_AL, PCI_ANY_ID, PCI_ANY_ID, ++ QUIRK_CYCLE_TIMER}, ++ ++ {PCI_VENDOR_ID_APPLE, PCI_DEVICE_ID_APPLE_UNI_N_FW, PCI_ANY_ID, ++ QUIRK_BE_HEADERS}, ++ ++ {PCI_VENDOR_ID_ATT, PCI_DEVICE_ID_AGERE_FW643, 6, ++ QUIRK_NO_MSI}, ++ ++ {PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB38X_FW, PCI_ANY_ID, ++ QUIRK_NO_MSI}, ++ ++ {PCI_VENDOR_ID_NEC, PCI_ANY_ID, PCI_ANY_ID, ++ QUIRK_CYCLE_TIMER}, ++ ++ {PCI_VENDOR_ID_RICOH, PCI_ANY_ID, PCI_ANY_ID, ++ QUIRK_CYCLE_TIMER}, ++ ++ {PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_TSB12LV22, PCI_ANY_ID, ++ QUIRK_CYCLE_TIMER | QUIRK_RESET_PACKET | QUIRK_NO_1394A}, ++ ++ {PCI_VENDOR_ID_TI, PCI_ANY_ID, PCI_ANY_ID, ++ QUIRK_RESET_PACKET}, ++ ++ {PCI_VENDOR_ID_VIA, PCI_ANY_ID, PCI_ANY_ID, ++ QUIRK_CYCLE_TIMER | QUIRK_NO_MSI}, + }; + + /* This overrides anything that was found in ohci_quirks[]. */ +@@ -2922,9 +2938,11 @@ static int __devinit pci_probe(struct pc + } + + for (i = 0; i < ARRAY_SIZE(ohci_quirks); i++) +- if (ohci_quirks[i].vendor == dev->vendor && +- (ohci_quirks[i].device == dev->device || +- ohci_quirks[i].device == (unsigned short)PCI_ANY_ID)) { ++ if ((ohci_quirks[i].vendor == dev->vendor) && ++ (ohci_quirks[i].device == (unsigned short)PCI_ANY_ID || ++ ohci_quirks[i].device == dev->device) && ++ (ohci_quirks[i].revision == (unsigned short)PCI_ANY_ID || ++ ohci_quirks[i].revision >= dev->revision)) { + ohci->quirks = ohci_quirks[i].flags; + break; + } diff --git a/queue-2.6.36/firewire-ohci-fix-regression-with-via-vt6315-disable-msi.patch b/queue-2.6.36/firewire-ohci-fix-regression-with-via-vt6315-disable-msi.patch new file mode 100644 index 00000000000..9cc42a0a9b5 --- /dev/null +++ b/queue-2.6.36/firewire-ohci-fix-regression-with-via-vt6315-disable-msi.patch @@ -0,0 +1,34 @@ +From af0cdf4947818becfe209610b209315578645ab4 Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Tue, 7 Dec 2010 19:16:02 +0100 +Subject: firewire: ohci: fix regression with VIA VT6315, disable MSI + +From: Stefan Richter + +commit af0cdf4947818becfe209610b209315578645ab4 upstream. + +"VIA Technologies, Inc. VT6315 Series Firewire Controller [1106:3403]" +does not generate any interrupts if Message Signaled Interrupts were +enabled. This is a regression since kernel 2.6.36 in which MSI support +was added to firewire-ohci. Hence blacklist MSI on all VIA controllers. + +Reported-by: Robin Cook +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/ohci.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -262,7 +262,8 @@ static const struct { + {PCI_VENDOR_ID_AL, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, + {PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB38X_FW, QUIRK_NO_MSI}, + {PCI_VENDOR_ID_NEC, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, +- {PCI_VENDOR_ID_VIA, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, ++ {PCI_VENDOR_ID_VIA, PCI_ANY_ID, QUIRK_CYCLE_TIMER | ++ QUIRK_NO_MSI}, + {PCI_VENDOR_ID_RICOH, PCI_ANY_ID, QUIRK_CYCLE_TIMER}, + {PCI_VENDOR_ID_APPLE, PCI_DEVICE_ID_APPLE_UNI_N_FW, QUIRK_BE_HEADERS}, + }; diff --git a/queue-2.6.36/hwmon-adm1026-allow-1-as-a-valid-divider-value.patch b/queue-2.6.36/hwmon-adm1026-allow-1-as-a-valid-divider-value.patch new file mode 100644 index 00000000000..faf191f506c --- /dev/null +++ b/queue-2.6.36/hwmon-adm1026-allow-1-as-a-valid-divider-value.patch @@ -0,0 +1,32 @@ +From 8b0f1840a46449e1946fc88860ef3ec8d6b1c2c7 Mon Sep 17 00:00:00 2001 +From: Gabriele Gorla +Date: Wed, 8 Dec 2010 16:27:22 +0100 +Subject: hwmon: (adm1026) Allow 1 as a valid divider value + +From: Gabriele Gorla + +commit 8b0f1840a46449e1946fc88860ef3ec8d6b1c2c7 upstream. + +Allow 1 as a valid div value as specified in the ADM1026 datasheet. + +Signed-off-by: Gabriele Gorla +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/adm1026.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/drivers/hwmon/adm1026.c ++++ b/drivers/hwmon/adm1026.c +@@ -920,9 +920,7 @@ static ssize_t set_fan_div(struct device + + val = simple_strtol(buf, NULL, 10); + new_div = DIV_TO_REG(val); +- if (new_div == 0) { +- return -EINVAL; +- } ++ + mutex_lock(&data->update_lock); + orig_div = data->fan_div[nr]; + data->fan_div[nr] = DIV_FROM_REG(new_div); diff --git a/queue-2.6.36/hwmon-adm1026-fix-setting-fan_div.patch b/queue-2.6.36/hwmon-adm1026-fix-setting-fan_div.patch new file mode 100644 index 00000000000..b6bfa56f020 --- /dev/null +++ b/queue-2.6.36/hwmon-adm1026-fix-setting-fan_div.patch @@ -0,0 +1,55 @@ +From 52bc9802ce849d0d287cc5fe76d06b0daa3986ca Mon Sep 17 00:00:00 2001 +From: Gabriele Gorla +Date: Wed, 8 Dec 2010 16:27:22 +0100 +Subject: hwmon: (adm1026) Fix setting fan_div + +From: Gabriele Gorla + +commit 52bc9802ce849d0d287cc5fe76d06b0daa3986ca upstream. + +Prevent setting fan_div from stomping on other fans that share the +same I2C register. + +Signed-off-by: Gabriele Gorla +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/adm1026.c | 16 +++++++++------- + 1 file changed, 9 insertions(+), 7 deletions(-) + +--- a/drivers/hwmon/adm1026.c ++++ b/drivers/hwmon/adm1026.c +@@ -916,7 +916,7 @@ static ssize_t set_fan_div(struct device + int nr = sensor_attr->index; + struct i2c_client *client = to_i2c_client(dev); + struct adm1026_data *data = i2c_get_clientdata(client); +- int val, orig_div, new_div, shift; ++ int val, orig_div, new_div; + + val = simple_strtol(buf, NULL, 10); + new_div = DIV_TO_REG(val); +@@ -926,15 +926,17 @@ static ssize_t set_fan_div(struct device + data->fan_div[nr] = DIV_FROM_REG(new_div); + + if (nr < 4) { /* 0 <= nr < 4 */ +- shift = 2 * nr; + adm1026_write_value(client, ADM1026_REG_FAN_DIV_0_3, +- ((DIV_TO_REG(orig_div) & (~(0x03 << shift))) | +- (new_div << shift))); ++ (DIV_TO_REG(data->fan_div[0]) << 0) | ++ (DIV_TO_REG(data->fan_div[1]) << 2) | ++ (DIV_TO_REG(data->fan_div[2]) << 4) | ++ (DIV_TO_REG(data->fan_div[3]) << 6)); + } else { /* 3 < nr < 8 */ +- shift = 2 * (nr - 4); + adm1026_write_value(client, ADM1026_REG_FAN_DIV_4_7, +- ((DIV_TO_REG(orig_div) & (~(0x03 << (2 * shift)))) | +- (new_div << shift))); ++ (DIV_TO_REG(data->fan_div[4]) << 0) | ++ (DIV_TO_REG(data->fan_div[5]) << 2) | ++ (DIV_TO_REG(data->fan_div[6]) << 4) | ++ (DIV_TO_REG(data->fan_div[7]) << 6)); + } + + if (data->fan_div[nr] != orig_div) { diff --git a/queue-2.6.36/ib-uverbs-handle-large-number-of-entries-in-poll-cq.patch b/queue-2.6.36/ib-uverbs-handle-large-number-of-entries-in-poll-cq.patch new file mode 100644 index 00000000000..45d31cef048 --- /dev/null +++ b/queue-2.6.36/ib-uverbs-handle-large-number-of-entries-in-poll-cq.patch @@ -0,0 +1,163 @@ +From 7182afea8d1afd432a17c18162cc3fd441d0da93 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Wed, 13 Oct 2010 09:13:12 +0000 +Subject: IB/uverbs: Handle large number of entries in poll CQ + +From: Dan Carpenter + +commit 7182afea8d1afd432a17c18162cc3fd441d0da93 upstream. + +In ib_uverbs_poll_cq() code there is a potential integer overflow if +userspace passes in a large cmd.ne. The calls to kmalloc() would +allocate smaller buffers than intended, leading to memory corruption. +There iss also an information leak if resp wasn't all used. +Unprivileged userspace may call this function, although only if an +RDMA device that uses this function is present. + +Fix this by copying CQ entries one at a time, which avoids the +allocation entirely, and also by moving this copying into a function +that makes sure to initialize all memory copied to userspace. + +Special thanks to Jason Gunthorpe +for his help and advice. + +Signed-off-by: Dan Carpenter + +[ Monkey around with things a bit to avoid bad code generation by gcc + when designated initializers are used. - Roland ] + +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/core/uverbs_cmd.c | 101 +++++++++++++++++++---------------- + 1 file changed, 57 insertions(+), 44 deletions(-) + +--- a/drivers/infiniband/core/uverbs_cmd.c ++++ b/drivers/infiniband/core/uverbs_cmd.c +@@ -891,68 +891,81 @@ out: + return ret ? ret : in_len; + } + ++static int copy_wc_to_user(void __user *dest, struct ib_wc *wc) ++{ ++ struct ib_uverbs_wc tmp; ++ ++ tmp.wr_id = wc->wr_id; ++ tmp.status = wc->status; ++ tmp.opcode = wc->opcode; ++ tmp.vendor_err = wc->vendor_err; ++ tmp.byte_len = wc->byte_len; ++ tmp.ex.imm_data = (__u32 __force) wc->ex.imm_data; ++ tmp.qp_num = wc->qp->qp_num; ++ tmp.src_qp = wc->src_qp; ++ tmp.wc_flags = wc->wc_flags; ++ tmp.pkey_index = wc->pkey_index; ++ tmp.slid = wc->slid; ++ tmp.sl = wc->sl; ++ tmp.dlid_path_bits = wc->dlid_path_bits; ++ tmp.port_num = wc->port_num; ++ tmp.reserved = 0; ++ ++ if (copy_to_user(dest, &tmp, sizeof tmp)) ++ return -EFAULT; ++ ++ return 0; ++} ++ + ssize_t ib_uverbs_poll_cq(struct ib_uverbs_file *file, + const char __user *buf, int in_len, + int out_len) + { + struct ib_uverbs_poll_cq cmd; +- struct ib_uverbs_poll_cq_resp *resp; ++ struct ib_uverbs_poll_cq_resp resp; ++ u8 __user *header_ptr; ++ u8 __user *data_ptr; + struct ib_cq *cq; +- struct ib_wc *wc; +- int ret = 0; +- int i; +- int rsize; ++ struct ib_wc wc; ++ int ret; + + if (copy_from_user(&cmd, buf, sizeof cmd)) + return -EFAULT; + +- wc = kmalloc(cmd.ne * sizeof *wc, GFP_KERNEL); +- if (!wc) +- return -ENOMEM; +- +- rsize = sizeof *resp + cmd.ne * sizeof(struct ib_uverbs_wc); +- resp = kmalloc(rsize, GFP_KERNEL); +- if (!resp) { +- ret = -ENOMEM; +- goto out_wc; +- } +- + cq = idr_read_cq(cmd.cq_handle, file->ucontext, 0); +- if (!cq) { +- ret = -EINVAL; +- goto out; +- } ++ if (!cq) ++ return -EINVAL; + +- resp->count = ib_poll_cq(cq, cmd.ne, wc); +- +- put_cq_read(cq); ++ /* we copy a struct ib_uverbs_poll_cq_resp to user space */ ++ header_ptr = (void __user *)(unsigned long) cmd.response; ++ data_ptr = header_ptr + sizeof resp; ++ ++ memset(&resp, 0, sizeof resp); ++ while (resp.count < cmd.ne) { ++ ret = ib_poll_cq(cq, 1, &wc); ++ if (ret < 0) ++ goto out_put; ++ if (!ret) ++ break; ++ ++ ret = copy_wc_to_user(data_ptr, &wc); ++ if (ret) ++ goto out_put; + +- for (i = 0; i < resp->count; i++) { +- resp->wc[i].wr_id = wc[i].wr_id; +- resp->wc[i].status = wc[i].status; +- resp->wc[i].opcode = wc[i].opcode; +- resp->wc[i].vendor_err = wc[i].vendor_err; +- resp->wc[i].byte_len = wc[i].byte_len; +- resp->wc[i].ex.imm_data = (__u32 __force) wc[i].ex.imm_data; +- resp->wc[i].qp_num = wc[i].qp->qp_num; +- resp->wc[i].src_qp = wc[i].src_qp; +- resp->wc[i].wc_flags = wc[i].wc_flags; +- resp->wc[i].pkey_index = wc[i].pkey_index; +- resp->wc[i].slid = wc[i].slid; +- resp->wc[i].sl = wc[i].sl; +- resp->wc[i].dlid_path_bits = wc[i].dlid_path_bits; +- resp->wc[i].port_num = wc[i].port_num; ++ data_ptr += sizeof(struct ib_uverbs_wc); ++ ++resp.count; + } + +- if (copy_to_user((void __user *) (unsigned long) cmd.response, resp, rsize)) ++ if (copy_to_user(header_ptr, &resp, sizeof resp)) { + ret = -EFAULT; ++ goto out_put; ++ } + +-out: +- kfree(resp); ++ ret = in_len; + +-out_wc: +- kfree(wc); +- return ret ? ret : in_len; ++out_put: ++ put_cq_read(cq); ++ return ret; + } + + ssize_t ib_uverbs_req_notify_cq(struct ib_uverbs_file *file, diff --git a/queue-2.6.36/llc-fix-a-device-refcount-imbalance.patch b/queue-2.6.36/llc-fix-a-device-refcount-imbalance.patch new file mode 100644 index 00000000000..d34a7827e35 --- /dev/null +++ b/queue-2.6.36/llc-fix-a-device-refcount-imbalance.patch @@ -0,0 +1,79 @@ +From 35d9b0c906ad92d32a0b8db5daa6fabfcc2f068d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet +Date: Sun, 5 Dec 2010 02:03:26 +0000 +Subject: llc: fix a device refcount imbalance +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Eric Dumazet + +commit 35d9b0c906ad92d32a0b8db5daa6fabfcc2f068d upstream. + +Le dimanche 05 décembre 2010 à 12:23 +0100, Eric Dumazet a écrit : +> Le dimanche 05 décembre 2010 à 09:19 +0100, Eric Dumazet a écrit : +> +> > Hmm.. +> > +> > If somebody can explain why RTNL is held in arp_ioctl() (and therefore +> > in arp_req_delete()), we might first remove RTNL use in arp_ioctl() so +> > that your patch can be applied. +> > +> > Right now it is not good, because RTNL wont be necessarly held when you +> > are going to call arp_invalidate() ? +> +> While doing this analysis, I found a refcount bug in llc, I'll send a +> patch for net-2.6 + +Oh well, of course I must first fix the bug in net-2.6, and wait David +pull the fix in net-next-2.6 before sending this rcu conversion. + +Note: this patch should be sent to stable teams (2.6.34 and up) + +[PATCH net-2.6] llc: fix a device refcount imbalance + +commit abf9d537fea225 (llc: add support for SO_BINDTODEVICE) added one +refcount imbalance in llc_ui_bind(), because dev_getbyhwaddr() doesnt +take a reference on device, while dev_get_by_index() does. + +Fix this using RCU locking. And since an RCU conversion will be done for +2.6.38 for dev_getbyhwaddr(), put the rcu_read_lock/unlock exactly at +their final place. + +Signed-off-by: Eric Dumazet +Cc: Octavian Purdila +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/llc/af_llc.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/llc/af_llc.c ++++ b/net/llc/af_llc.c +@@ -317,8 +317,9 @@ static int llc_ui_bind(struct socket *so + goto out; + rc = -ENODEV; + rtnl_lock(); ++ rcu_read_lock(); + if (sk->sk_bound_dev_if) { +- llc->dev = dev_get_by_index(&init_net, sk->sk_bound_dev_if); ++ llc->dev = dev_get_by_index_rcu(&init_net, sk->sk_bound_dev_if); + if (llc->dev) { + if (!addr->sllc_arphrd) + addr->sllc_arphrd = llc->dev->type; +@@ -329,13 +330,13 @@ static int llc_ui_bind(struct socket *so + !llc_mac_match(addr->sllc_mac, + llc->dev->dev_addr)) { + rc = -EINVAL; +- dev_put(llc->dev); + llc->dev = NULL; + } + } + } else + llc->dev = dev_getbyhwaddr(&init_net, addr->sllc_arphrd, + addr->sllc_mac); ++ rcu_read_unlock(); + rtnl_unlock(); + if (!llc->dev) + goto out; diff --git a/queue-2.6.36/mac80211-fix-bug-in-pskb_expand_head-when-transmitting-shared-skbs.patch b/queue-2.6.36/mac80211-fix-bug-in-pskb_expand_head-when-transmitting-shared-skbs.patch new file mode 100644 index 00000000000..77d11f21731 --- /dev/null +++ b/queue-2.6.36/mac80211-fix-bug-in-pskb_expand_head-when-transmitting-shared-skbs.patch @@ -0,0 +1,121 @@ +From 7e2447075690860e2cea96b119fc9cadbaa7e83c Mon Sep 17 00:00:00 2001 +From: Helmut Schaa +Date: Thu, 2 Dec 2010 18:44:09 +0100 +Subject: mac80211: Fix BUG in pskb_expand_head when transmitting shared skbs + +From: Helmut Schaa + +commit 7e2447075690860e2cea96b119fc9cadbaa7e83c upstream. + +mac80211 doesn't handle shared skbs correctly at the moment. As a result +a possible resize can trigger a BUG in pskb_expand_head. + +[ 676.030000] Kernel bug detected[#1]: +[ 676.030000] Cpu 0 +[ 676.030000] $ 0 : 00000000 00000000 819662ff 00000002 +[ 676.030000] $ 4 : 81966200 00000020 00000000 00000020 +[ 676.030000] $ 8 : 819662e0 800043c0 00000002 00020000 +[ 676.030000] $12 : 3b9aca00 00000000 00000000 00470000 +[ 676.030000] $16 : 80ea2000 00000000 00000000 00000000 +[ 676.030000] $20 : 818aa200 80ea2018 80ea2000 00000008 +[ 676.030000] $24 : 00000002 800ace5c +[ 676.030000] $28 : 8199a000 8199bd20 81938f88 80f180d4 +[ 676.030000] Hi : 0000026e +[ 676.030000] Lo : 0000757e +[ 676.030000] epc : 801245e4 pskb_expand_head+0x44/0x1d8 +[ 676.030000] Not tainted +[ 676.030000] ra : 80f180d4 ieee80211_skb_resize+0xb0/0x114 [mac80211] +[ 676.030000] Status: 1000a403 KERNEL EXL IE +[ 676.030000] Cause : 10800024 +[ 676.030000] PrId : 0001964c (MIPS 24Kc) +[ 676.030000] Modules linked in: mac80211_hwsim rt2800lib rt2x00soc rt2x00pci rt2x00lib mac80211 crc_itu_t crc_ccitt cfg80211 compat arc4 aes_generic deflate ecb cbc [last unloaded: rt2800pci] +[ 676.030000] Process kpktgend_0 (pid: 97, threadinfo=8199a000, task=81879f48, tls=00000000) +[ 676.030000] Stack : ffffffff 00000000 00000000 00000014 00000004 80ea2000 00000000 00000000 +[ 676.030000] 818aa200 80f180d4 ffffffff 0000000a 81879f78 81879f48 81879f48 00000018 +[ 676.030000] 81966246 80ea2000 818432e0 80f1a420 80203050 81814d98 00000001 81879f48 +[ 676.030000] 81879f48 00000018 81966246 818432e0 0000001a 8199bdd4 0000001c 80f1b72c +[ 676.030000] 80203020 8001292c 80ef4aa2 7f10b55d 801ab5b8 81879f48 00000188 80005c90 +[ 676.030000] ... +[ 676.030000] Call Trace: +[ 676.030000] [<801245e4>] pskb_expand_head+0x44/0x1d8 +[ 676.030000] [<80f180d4>] ieee80211_skb_resize+0xb0/0x114 [mac80211] +[ 676.030000] [<80f1a420>] ieee80211_xmit+0x150/0x22c [mac80211] +[ 676.030000] [<80f1b72c>] ieee80211_subif_start_xmit+0x6f4/0x73c [mac80211] +[ 676.030000] [<8014361c>] pktgen_thread_worker+0xfac/0x16f8 +[ 676.030000] [<8002ebe8>] kthread+0x7c/0x88 +[ 676.030000] [<80008e0c>] kernel_thread_helper+0x10/0x18 +[ 676.030000] +[ 676.030000] +[ 676.030000] Code: 24020001 10620005 2502001f <0200000d> 0804917a 00000000 2502001f 00441023 00531021 + +Fix this by making a local copy of shared skbs prior to mangeling them. +To avoid copying the skb unnecessarily move the skb_copy call below the +checks that don't need write access to the skb. + +Also, move the assignment of nh_pos and h_pos below the skb_copy to point +to the correct skb. + +It would be possible to avoid another resize of the copied skb by using +skb_copy_expand instead of skb_copy but that would make the patch more +complex. Also, shared skbs are a corner case right now, so the resize +shouldn't matter much. + +Cc: Johannes Berg +Signed-off-by: Helmut Schaa +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1705,15 +1705,13 @@ netdev_tx_t ieee80211_subif_start_xmit(s + int nh_pos, h_pos; + struct sta_info *sta = NULL; + u32 sta_flags = 0; ++ struct sk_buff *tmp_skb; + + if (unlikely(skb->len < ETH_HLEN)) { + ret = NETDEV_TX_OK; + goto fail; + } + +- nh_pos = skb_network_header(skb) - skb->data; +- h_pos = skb_transport_header(skb) - skb->data; +- + /* convert Ethernet header to proper 802.11 header (based on + * operation mode) */ + ethertype = (skb->data[12] << 8) | skb->data[13]; +@@ -1885,6 +1883,20 @@ netdev_tx_t ieee80211_subif_start_xmit(s + goto fail; + } + ++ /* ++ * If the skb is shared we need to obtain our own copy. ++ */ ++ if (skb_shared(skb)) { ++ tmp_skb = skb; ++ skb = skb_copy(skb, GFP_ATOMIC); ++ kfree_skb(tmp_skb); ++ ++ if (!skb) { ++ ret = NETDEV_TX_OK; ++ goto fail; ++ } ++ } ++ + hdr.frame_control = fc; + hdr.duration_id = 0; + hdr.seq_ctrl = 0; +@@ -1903,6 +1915,9 @@ netdev_tx_t ieee80211_subif_start_xmit(s + encaps_len = 0; + } + ++ nh_pos = skb_network_header(skb) - skb->data; ++ h_pos = skb_transport_header(skb) - skb->data; ++ + skb_pull(skb, skip_header_bytes); + nh_pos -= skip_header_bytes; + h_pos -= skip_header_bytes; diff --git a/queue-2.6.36/nfs-fix-fcntl-f_getlk-not-reporting-some-conflicts.patch b/queue-2.6.36/nfs-fix-fcntl-f_getlk-not-reporting-some-conflicts.patch new file mode 100644 index 00000000000..a38e4bbca7d --- /dev/null +++ b/queue-2.6.36/nfs-fix-fcntl-f_getlk-not-reporting-some-conflicts.patch @@ -0,0 +1,46 @@ +From 21ac19d484a8ffb66f64487846c8d53afef04d2b Mon Sep 17 00:00:00 2001 +From: Sergey Vlasov +Date: Sun, 28 Nov 2010 21:04:05 +0000 +Subject: NFS: Fix fcntl F_GETLK not reporting some conflicts + +From: Sergey Vlasov + +commit 21ac19d484a8ffb66f64487846c8d53afef04d2b upstream. + +The commit 129a84de2347002f09721cda3155ccfd19fade40 (locks: fix F_GETLK +regression (failure to find conflicts)) fixed the posix_test_lock() +function by itself, however, its usage in NFS changed by the commit +9d6a8c5c213e34c475e72b245a8eb709258e968c (locks: give posix_test_lock +same interface as ->lock) remained broken - subsequent NFS-specific +locking code received F_UNLCK instead of the user-specified lock type. +To fix the problem, fl->fl_type needs to be saved before the +posix_test_lock() call and restored if no local conflicts were reported. + +Reference: https://bugzilla.kernel.org/show_bug.cgi?id=23892 +Tested-by: Alexander Morozov +Signed-off-by: Sergey Vlasov +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/file.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -687,6 +687,7 @@ static int do_getlk(struct file *filp, i + { + struct inode *inode = filp->f_mapping->host; + int status = 0; ++ unsigned int saved_type = fl->fl_type; + + /* Try local locking first */ + posix_test_lock(filp, fl); +@@ -694,6 +695,7 @@ static int do_getlk(struct file *filp, i + /* found a conflict */ + goto out; + } ++ fl->fl_type = saved_type; + + if (nfs_have_delegation(inode, FMODE_READ)) + goto out_noconflict; diff --git a/queue-2.6.36/nfs-fix-panic-after-nfs_umount.patch b/queue-2.6.36/nfs-fix-panic-after-nfs_umount.patch new file mode 100644 index 00000000000..0cc30475a76 --- /dev/null +++ b/queue-2.6.36/nfs-fix-panic-after-nfs_umount.patch @@ -0,0 +1,56 @@ +From 5b362ac3799ff4225c40935500f520cad4d7ed66 Mon Sep 17 00:00:00 2001 +From: Chuck Lever +Date: Fri, 10 Dec 2010 12:31:14 -0500 +Subject: NFS: Fix panic after nfs_umount() + +From: Chuck Lever + +commit 5b362ac3799ff4225c40935500f520cad4d7ed66 upstream. + +After a few unsuccessful NFS mount attempts in which the client and +server cannot agree on an authentication flavor both support, the +client panics. nfs_umount() is invoked in the kernel in this case. + +Turns out nfs_umount()'s UMNT RPC invocation causes the RPC client to +write off the end of the rpc_clnt's iostat array. This is because the +mount client's nrprocs field is initialized with the count of defined +procedures (two: MNT and UMNT), rather than the size of the client's +proc array (four). + +The fix is to use the same initialization technique used by most other +upper layer clients in the kernel. + +Introduced by commit 0b524123, which failed to update nrprocs when +support was added for UMNT in the kernel. + +BugLink: https://bugzilla.kernel.org/show_bug.cgi?id=24302 +BugLink: http://bugs.launchpad.net/bugs/683938 + +Reported-by: Stefan Bader +Tested-by: Stefan Bader +Signed-off-by: Chuck Lever +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/mount_clnt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/nfs/mount_clnt.c ++++ b/fs/nfs/mount_clnt.c +@@ -503,13 +503,13 @@ static struct rpc_procinfo mnt3_procedur + + static struct rpc_version mnt_version1 = { + .number = 1, +- .nrprocs = 2, ++ .nrprocs = ARRAY_SIZE(mnt_procedures), + .procs = mnt_procedures, + }; + + static struct rpc_version mnt_version3 = { + .number = 3, +- .nrprocs = 2, ++ .nrprocs = ARRAY_SIZE(mnt3_procedures), + .procs = mnt3_procedures, + }; + diff --git a/queue-2.6.36/nfsd-fix-possible-bug_on-firing-in-set_change_info.patch b/queue-2.6.36/nfsd-fix-possible-bug_on-firing-in-set_change_info.patch new file mode 100644 index 00000000000..08e9a576f53 --- /dev/null +++ b/queue-2.6.36/nfsd-fix-possible-bug_on-firing-in-set_change_info.patch @@ -0,0 +1,77 @@ +From c1ac3ffcd0bc7e9617f62be8c7043d53ab84deac Mon Sep 17 00:00:00 2001 +From: Neil Brown +Date: Thu, 2 Dec 2010 11:14:30 +1100 +Subject: nfsd: Fix possible BUG_ON firing in set_change_info + +From: Neil Brown + +commit c1ac3ffcd0bc7e9617f62be8c7043d53ab84deac upstream. + +If vfs_getattr in fill_post_wcc returns an error, we don't +set fh_post_change. +For NFSv4, this can result in set_change_info triggering a BUG_ON. +i.e. fh_post_saved being zero isn't really a bug. + +So: + - instead of BUGging when fh_post_saved is zero, just clear ->atomic. + - if vfs_getattr fails in fill_post_wcc, take a copy of i_ctime anyway. + This will be used i seg_change_info, but not overly trusted. + - While we are there, remove the pointless 'if' statements in set_change_info. + There is no harm setting all the values. + +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfsd/nfs3xdr.c | 6 ++++-- + fs/nfsd/xdr4.h | 21 ++++++++++----------- + 2 files changed, 14 insertions(+), 13 deletions(-) + +--- a/fs/nfsd/nfs3xdr.c ++++ b/fs/nfsd/nfs3xdr.c +@@ -260,9 +260,11 @@ void fill_post_wcc(struct svc_fh *fhp) + err = vfs_getattr(fhp->fh_export->ex_path.mnt, fhp->fh_dentry, + &fhp->fh_post_attr); + fhp->fh_post_change = fhp->fh_dentry->d_inode->i_version; +- if (err) ++ if (err) { + fhp->fh_post_saved = 0; +- else ++ /* Grab the ctime anyway - set_change_info might use it */ ++ fhp->fh_post_attr.ctime = fhp->fh_dentry->d_inode->i_ctime; ++ } else + fhp->fh_post_saved = 1; + } + +--- a/fs/nfsd/xdr4.h ++++ b/fs/nfsd/xdr4.h +@@ -484,18 +484,17 @@ static inline bool nfsd4_not_cached(stru + static inline void + set_change_info(struct nfsd4_change_info *cinfo, struct svc_fh *fhp) + { +- BUG_ON(!fhp->fh_pre_saved || !fhp->fh_post_saved); +- cinfo->atomic = 1; ++ BUG_ON(!fhp->fh_pre_saved); ++ cinfo->atomic = fhp->fh_post_saved; + cinfo->change_supported = IS_I_VERSION(fhp->fh_dentry->d_inode); +- if (cinfo->change_supported) { +- cinfo->before_change = fhp->fh_pre_change; +- cinfo->after_change = fhp->fh_post_change; +- } else { +- cinfo->before_ctime_sec = fhp->fh_pre_ctime.tv_sec; +- cinfo->before_ctime_nsec = fhp->fh_pre_ctime.tv_nsec; +- cinfo->after_ctime_sec = fhp->fh_post_attr.ctime.tv_sec; +- cinfo->after_ctime_nsec = fhp->fh_post_attr.ctime.tv_nsec; +- } ++ ++ cinfo->before_change = fhp->fh_pre_change; ++ cinfo->after_change = fhp->fh_post_change; ++ cinfo->before_ctime_sec = fhp->fh_pre_ctime.tv_sec; ++ cinfo->before_ctime_nsec = fhp->fh_pre_ctime.tv_nsec; ++ cinfo->after_ctime_sec = fhp->fh_post_attr.ctime.tv_sec; ++ cinfo->after_ctime_nsec = fhp->fh_post_attr.ctime.tv_nsec; ++ + } + + int nfs4svc_encode_voidres(struct svc_rqst *, __be32 *, void *); diff --git a/queue-2.6.36/nohz-fix-get_next_timer_interrupt-vs-cpu-hotplug.patch b/queue-2.6.36/nohz-fix-get_next_timer_interrupt-vs-cpu-hotplug.patch new file mode 100644 index 00000000000..4d9c362e9c5 --- /dev/null +++ b/queue-2.6.36/nohz-fix-get_next_timer_interrupt-vs-cpu-hotplug.patch @@ -0,0 +1,71 @@ +From dbd87b5af055a0cc9bba17795c9a2b0d17795389 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Wed, 1 Dec 2010 10:11:09 +0100 +Subject: nohz: Fix get_next_timer_interrupt() vs cpu hotplug + +From: Heiko Carstens + +commit dbd87b5af055a0cc9bba17795c9a2b0d17795389 upstream. + +This fixes a bug as seen on 2.6.32 based kernels where timers got +enqueued on offline cpus. + +If a cpu goes offline it might still have pending timers. These will +be migrated during CPU_DEAD handling after the cpu is offline. +However while the cpu is going offline it will schedule the idle task +which will then call tick_nohz_stop_sched_tick(). + +That function in turn will call get_next_timer_intterupt() to figure +out if the tick of the cpu can be stopped or not. If it turns out that +the next tick is just one jiffy off (delta_jiffies == 1) +tick_nohz_stop_sched_tick() incorrectly assumes that the tick should +not stop and takes an early exit and thus it won't update the load +balancer cpu. + +Just afterwards the cpu will be killed and the load balancer cpu could +be the offline cpu. + +On 2.6.32 based kernel get_nohz_load_balancer() gets called to decide +on which cpu a timer should be enqueued (see __mod_timer()). Which +leads to the possibility that timers get enqueued on an offline cpu. +These will never expire and can cause a system hang. + +This has been observed 2.6.32 kernels. On current kernels +__mod_timer() uses get_nohz_timer_target() which doesn't have that +problem. However there might be other problems because of the too +early exit tick_nohz_stop_sched_tick() in case a cpu goes offline. + +The easiest and probably safest fix seems to be to let +get_next_timer_interrupt() just lie and let it say there isn't any +pending timer if the current cpu is offline. + +I also thought of moving migrate_[hr]timers() from CPU_DEAD to +CPU_DYING, but seeing that there already have been fixes at least in +the hrtimer code in this area I'm afraid that this could add new +subtle bugs. + +Signed-off-by: Heiko Carstens +Signed-off-by: Peter Zijlstra +LKML-Reference: <20101201091109.GA8984@osiris.boeblingen.de.ibm.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/timer.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/kernel/timer.c ++++ b/kernel/timer.c +@@ -1252,6 +1252,12 @@ unsigned long get_next_timer_interrupt(u + struct tvec_base *base = __get_cpu_var(tvec_bases); + unsigned long expires; + ++ /* ++ * Pretend that there is no timer pending if the cpu is offline. ++ * Possible pending timers will be migrated later to an active cpu. ++ */ ++ if (cpu_is_offline(smp_processor_id())) ++ return now + NEXT_TIMER_MAX_DELTA; + spin_lock(&base->lock); + if (time_before_eq(base->next_timer, base->timer_jiffies)) + base->next_timer = __next_timer_interrupt(base); diff --git a/queue-2.6.36/nohz-fix-printk_needs_cpu-return-value-on-offline-cpus.patch b/queue-2.6.36/nohz-fix-printk_needs_cpu-return-value-on-offline-cpus.patch new file mode 100644 index 00000000000..7c101f6f384 --- /dev/null +++ b/queue-2.6.36/nohz-fix-printk_needs_cpu-return-value-on-offline-cpus.patch @@ -0,0 +1,64 @@ +From 61ab25447ad6334a74e32f60efb135a3467223f8 Mon Sep 17 00:00:00 2001 +From: Heiko Carstens +Date: Fri, 26 Nov 2010 13:00:59 +0100 +Subject: nohz: Fix printk_needs_cpu() return value on offline cpus + +From: Heiko Carstens + +commit 61ab25447ad6334a74e32f60efb135a3467223f8 upstream. + +This patch fixes a hang observed with 2.6.32 kernels where timers got enqueued +on offline cpus. + +printk_needs_cpu() may return 1 if called on offline cpus. When a cpu gets +offlined it schedules the idle process which, before killing its own cpu, will +call tick_nohz_stop_sched_tick(). That function in turn will call +printk_needs_cpu() in order to check if the local tick can be disabled. On +offline cpus this function should naturally return 0 since regardless if the +tick gets disabled or not the cpu will be dead short after. That is besides the +fact that __cpu_disable() should already have made sure that no interrupts on +the offlined cpu will be delivered anyway. + +In this case it prevents tick_nohz_stop_sched_tick() to call +select_nohz_load_balancer(). No idea if that really is a problem. However what +made me debug this is that on 2.6.32 the function get_nohz_load_balancer() is +used within __mod_timer() to select a cpu on which a timer gets enqueued. If +printk_needs_cpu() returns 1 then the nohz_load_balancer cpu doesn't get +updated when a cpu gets offlined. It may contain the cpu number of an offline +cpu. In turn timers get enqueued on an offline cpu and not very surprisingly +they never expire and cause system hangs. + +This has been observed 2.6.32 kernels. On current kernels __mod_timer() uses +get_nohz_timer_target() which doesn't have that problem. However there might be +other problems because of the too early exit tick_nohz_stop_sched_tick() in +case a cpu goes offline. + +Easiest way to fix this is just to test if the current cpu is offline and call +printk_tick() directly which clears the condition. + +Alternatively I tried a cpu hotplug notifier which would clear the condition, +however between calling the notifier function and printk_needs_cpu() something +could have called printk() again and the problem is back again. This seems to +be the safest fix. + +Signed-off-by: Heiko Carstens +Signed-off-by: Peter Zijlstra +LKML-Reference: <20101126120235.406766476@de.ibm.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/printk.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/printk.c ++++ b/kernel/printk.c +@@ -1062,6 +1062,8 @@ void printk_tick(void) + + int printk_needs_cpu(int cpu) + { ++ if (unlikely(cpu_is_offline(cpu))) ++ printk_tick(); + return per_cpu(printk_pending, cpu); + } + diff --git a/queue-2.6.36/pm-hibernate-fix-pm_post_-notification-with-user-space-suspend.patch b/queue-2.6.36/pm-hibernate-fix-pm_post_-notification-with-user-space-suspend.patch new file mode 100644 index 00000000000..dfab078852f --- /dev/null +++ b/queue-2.6.36/pm-hibernate-fix-pm_post_-notification-with-user-space-suspend.patch @@ -0,0 +1,32 @@ +From 1497dd1d29c6a53fcd3c80f7ac8d0e0239e7389e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 10 Dec 2010 00:16:39 +0100 +Subject: PM / Hibernate: Fix PM_POST_* notification with user-space suspend + +From: Takashi Iwai + +commit 1497dd1d29c6a53fcd3c80f7ac8d0e0239e7389e upstream. + +The user-space hibernation sends a wrong notification after the image +restoration because of thinko for the file flag check. RDONLY +corresponds to hibernation and WRONLY to restoration, confusingly. + +Signed-off-by: Takashi Iwai +Signed-off-by: Rafael J. Wysocki +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/power/user.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/power/user.c ++++ b/kernel/power/user.c +@@ -137,7 +137,7 @@ static int snapshot_release(struct inode + free_all_swap_pages(data->swap); + if (data->frozen) + thaw_processes(); +- pm_notifier_call_chain(data->mode == O_WRONLY ? ++ pm_notifier_call_chain(data->mode == O_RDONLY ? + PM_POST_HIBERNATION : PM_POST_RESTORE); + atomic_inc(&snapshot_device_available); + diff --git a/queue-2.6.36/qla2xxx-correct-issue-where-npiv-config-data-was-not-being-allocated-for-82xx-parts.patch b/queue-2.6.36/qla2xxx-correct-issue-where-npiv-config-data-was-not-being-allocated-for-82xx-parts.patch new file mode 100644 index 00000000000..76ef14d6956 --- /dev/null +++ b/queue-2.6.36/qla2xxx-correct-issue-where-npiv-config-data-was-not-being-allocated-for-82xx-parts.patch @@ -0,0 +1,30 @@ +From 087c621e22f49c326cdc65d98c6fc0737ac13533 Mon Sep 17 00:00:00 2001 +From: Andrew Vasquez +Date: Tue, 23 Nov 2010 16:52:48 -0800 +Subject: [SCSI] qla2xxx: Correct issue where NPIV-config data was not being allocated for 82xx parts. + +From: Andrew Vasquez + +commit 087c621e22f49c326cdc65d98c6fc0737ac13533 upstream. + +This would cause a panic while reading the NPIV-config data. + +Signed-off-by: Andrew Vasquez +Signed-off-by: Madhuranath Iyengar +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_os.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/scsi/qla2xxx/qla_os.c ++++ b/drivers/scsi/qla2xxx/qla_os.c +@@ -2095,6 +2095,7 @@ qla2x00_probe_one(struct pci_dev *pdev, + ha->init_cb_size = sizeof(struct mid_init_cb_81xx); + ha->gid_list_info_size = 8; + ha->optrom_size = OPTROM_SIZE_82XX; ++ ha->nvram_npiv_size = QLA_MAX_VPORTS_QLA25XX; + ha->isp_ops = &qla82xx_isp_ops; + ha->flash_conf_off = FARX_ACCESS_FLASH_CONF; + ha->flash_data_off = FARX_ACCESS_FLASH_DATA; diff --git a/queue-2.6.36/qla2xxx-populate-command-type-6-lun-field-properly.patch b/queue-2.6.36/qla2xxx-populate-command-type-6-lun-field-properly.patch new file mode 100644 index 00000000000..6e823b5e1f2 --- /dev/null +++ b/queue-2.6.36/qla2xxx-populate-command-type-6-lun-field-properly.patch @@ -0,0 +1,43 @@ +From 85727e1f78bd8392a0657ad6a4ff85fef1cc4a6d Mon Sep 17 00:00:00 2001 +From: Mike Hernandez +Date: Tue, 23 Nov 2010 16:52:46 -0800 +Subject: [SCSI] qla2xxx: Populate Command Type 6 LUN field properly. + +From: Mike Hernandez + +commit 85727e1f78bd8392a0657ad6a4ff85fef1cc4a6d upstream. + +Use the host_to_fcp_swap call to correctly populate the LUN field +in the Command Type 6 path. This field is used during LUN reset +cleanup and must match the field used in the FCP command. + +Signed-off-by: Mike Hernandez +Signed-off-by: Madhuranath Iyengar +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/qla2xxx/qla_iocb.c | 1 + + drivers/scsi/qla2xxx/qla_nx.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/drivers/scsi/qla2xxx/qla_iocb.c ++++ b/drivers/scsi/qla2xxx/qla_iocb.c +@@ -1061,6 +1061,7 @@ qla24xx_build_scsi_crc_2_iocbs(srb_t *sp + fcp_cmnd->additional_cdb_len |= 2; + + int_to_scsilun(sp->cmd->device->lun, &fcp_cmnd->lun); ++ host_to_fcp_swap((uint8_t *)&fcp_cmnd->lun, sizeof(fcp_cmnd->lun)); + memcpy(fcp_cmnd->cdb, cmd->cmnd, cmd->cmd_len); + cmd_pkt->fcp_cmnd_dseg_len = cpu_to_le16(fcp_cmnd_len); + cmd_pkt->fcp_cmnd_dseg_address[0] = cpu_to_le32( +--- a/drivers/scsi/qla2xxx/qla_nx.c ++++ b/drivers/scsi/qla2xxx/qla_nx.c +@@ -2740,6 +2740,7 @@ sufficient_dsds: + goto queuing_error_fcp_cmnd; + + int_to_scsilun(sp->cmd->device->lun, &cmd_pkt->lun); ++ host_to_fcp_swap((uint8_t *)&cmd_pkt->lun, sizeof(cmd_pkt->lun)); + + /* build FCP_CMND IU */ + memset(ctx->fcp_cmnd, 0, sizeof(struct fcp_cmnd)); diff --git a/queue-2.6.36/series b/queue-2.6.36/series index 86ffaa28efb..bee6bd645cd 100644 --- a/queue-2.6.36/series +++ b/queue-2.6.36/series @@ -10,3 +10,33 @@ drm-radeon-kms-don-t-apply-7xx-hdp-flush-workaround-on-agp.patch drm-kms-remove-spaces-from-connector-names-v2.patch drm-radeon-kms-fix-vram-base-calculation-on-rs780-rs880.patch drm-i915-always-set-the-dp-transcoder-config-to-8bpc.patch +nohz-fix-printk_needs_cpu-return-value-on-offline-cpus.patch +nohz-fix-get_next_timer_interrupt-vs-cpu-hotplug.patch +firewire-ohci-fix-regression-with-via-vt6315-disable-msi.patch +firewire-ohci-fix-regression-with-agere-fw643-rev-06-disable-msi.patch +nfs-fix-panic-after-nfs_umount.patch +nfsd-fix-possible-bug_on-firing-in-set_change_info.patch +nfs-fix-fcntl-f_getlk-not-reporting-some-conflicts.patch +sunrpc-prevent-use-after-free-on-clearing-xpt_busy.patch +hwmon-adm1026-allow-1-as-a-valid-divider-value.patch +hwmon-adm1026-fix-setting-fan_div.patch +edac-fix-workqueue-related-crashes.patch +amd64_edac-fix-interleaving-check.patch +asoc-fix-swap-of-left-and-right-channels-for-wm8993-4-speaker-boost-gain.patch +asoc-fix-off-by-one-error-in-wm8994-eq-register-bank-size.patch +asoc-wm8580-fix-r8-initial-value.patch +asoc-fix-deemphasis-control-in-wm8904-55-60-codecs.patch +bootmem-add-alloc_bootmem_align.patch +x86-xsave-use-alloc_bootmem_align-instead-of-alloc_bootmem.patch +ib-uverbs-handle-large-number-of-entries-in-poll-cq.patch +pm-hibernate-fix-pm_post_-notification-with-user-space-suspend.patch +arm-6535-1-v6-mpcore-v6_dma_inv_range-and-v6_dma_flush_range-rwfo-fix.patch +qla2xxx-correct-issue-where-npiv-config-data-was-not-being-allocated-for-82xx-parts.patch +qla2xxx-populate-command-type-6-lun-field-properly.patch +llc-fix-a-device-refcount-imbalance.patch +ath9k-disable-swba-interrupt-on-remove_interface.patch +ath9k-fix-sta-disconnect-issue-due-to-received-mic-failed-bcast-frames.patch +ath9k-fix-bug-in-reading-input-gpio-state-for-ar9003.patch +ath9k_hw-fix-endian-issues-with-ctls-on-ar9003.patch +ath9k-fix-bug-in-tx-power.patch +mac80211-fix-bug-in-pskb_expand_head-when-transmitting-shared-skbs.patch diff --git a/queue-2.6.36/sunrpc-prevent-use-after-free-on-clearing-xpt_busy.patch b/queue-2.6.36/sunrpc-prevent-use-after-free-on-clearing-xpt_busy.patch new file mode 100644 index 00000000000..7acf84d023a --- /dev/null +++ b/queue-2.6.36/sunrpc-prevent-use-after-free-on-clearing-xpt_busy.patch @@ -0,0 +1,78 @@ +From ed2849d3ecfa339435818eeff28f6c3424300cec Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Tue, 16 Nov 2010 16:55:19 +1100 +Subject: sunrpc: prevent use-after-free on clearing XPT_BUSY + +From: NeilBrown + +commit ed2849d3ecfa339435818eeff28f6c3424300cec upstream. + +When an xprt is created, it has a refcount of 1, and XPT_BUSY is set. +The refcount is *not* owned by the thread that created the xprt +(as is clear from the fact that creators never put the reference). +Rather, it is owned by the absence of XPT_DEAD. Once XPT_DEAD is set, +(And XPT_BUSY is clear) that initial reference is dropped and the xprt +can be freed. + +So when a creator clears XPT_BUSY it is dropping its only reference and +so must not touch the xprt again. + +However svc_recv, after calling ->xpo_accept (and so getting an XPT_BUSY +reference on a new xprt), calls svc_xprt_recieved. This clears +XPT_BUSY and then svc_xprt_enqueue - this last without owning a reference. +This is dangerous and has been seen to leave svc_xprt_enqueue working +with an xprt containing garbage. + +So we need to hold an extra counted reference over that call to +svc_xprt_received. + +For safety, any time we clear XPT_BUSY and then use the xprt again, we +first get a reference, and the put it again afterwards. + +Note that svc_close_all does not need this extra protection as there are +no threads running, and the final free can only be called asynchronously +from such a thread. + +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/svc_xprt.c | 9 ++++++++- + 1 file changed, 8 insertions(+), 1 deletion(-) + +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -212,6 +212,7 @@ int svc_create_xprt(struct svc_serv *ser + spin_lock(&svc_xprt_class_lock); + list_for_each_entry(xcl, &svc_xprt_class_list, xcl_list) { + struct svc_xprt *newxprt; ++ unsigned short newport; + + if (strcmp(xprt_name, xcl->xcl_name)) + continue; +@@ -230,8 +231,9 @@ int svc_create_xprt(struct svc_serv *ser + spin_lock_bh(&serv->sv_lock); + list_add(&newxprt->xpt_list, &serv->sv_permsocks); + spin_unlock_bh(&serv->sv_lock); ++ newport = svc_xprt_local_port(newxprt); + clear_bit(XPT_BUSY, &newxprt->xpt_flags); +- return svc_xprt_local_port(newxprt); ++ return newport; + } + err: + spin_unlock(&svc_xprt_class_lock); +@@ -431,8 +433,13 @@ void svc_xprt_received(struct svc_xprt * + { + BUG_ON(!test_bit(XPT_BUSY, &xprt->xpt_flags)); + xprt->xpt_pool = NULL; ++ /* As soon as we clear busy, the xprt could be closed and ++ * 'put', so we need a reference to call svc_xprt_enqueue with: ++ */ ++ svc_xprt_get(xprt); + clear_bit(XPT_BUSY, &xprt->xpt_flags); + svc_xprt_enqueue(xprt); ++ svc_xprt_put(xprt); + } + EXPORT_SYMBOL_GPL(svc_xprt_received); + diff --git a/queue-2.6.36/x86-xsave-use-alloc_bootmem_align-instead-of-alloc_bootmem.patch b/queue-2.6.36/x86-xsave-use-alloc_bootmem_align-instead-of-alloc_bootmem.patch new file mode 100644 index 00000000000..c8c4d587740 --- /dev/null +++ b/queue-2.6.36/x86-xsave-use-alloc_bootmem_align-instead-of-alloc_bootmem.patch @@ -0,0 +1,38 @@ +From 10340ae130fb70352eae1ae8a00b7906d91bf166 Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Tue, 16 Nov 2010 13:23:51 -0800 +Subject: x86, xsave: Use alloc_bootmem_align() instead of alloc_bootmem() + +From: Suresh Siddha + +commit 10340ae130fb70352eae1ae8a00b7906d91bf166 upstream. + +Alignment of alloc_bootmem() depends on the value of +L1_CACHE_SHIFT. What we need here, however, is 64 byte alignment. Use +alloc_bootmem_align() and explicitly specify the alignment instead. + +This fixes a kernel boot crash reported by Jody when the cpu in .config +is set to MPENTIUMII but the kernel is booted on a xsave-capable CPU. + +Reported-by: Jody Bruchon +Signed-off-by: Suresh Siddha +LKML-Reference: <20101116212442.059967454@sbsiddha-MOBL3.sc.intel.com> +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/xsave.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -394,7 +394,8 @@ static void __init setup_xstate_init(voi + * Setup init_xstate_buf to represent the init state of + * all the features managed by the xsave + */ +- init_xstate_buf = alloc_bootmem(xstate_size); ++ init_xstate_buf = alloc_bootmem_align(xstate_size, ++ __alignof__(struct xsave_struct)); + init_xstate_buf->i387.mxcsr = MXCSR_DEFAULT; + + clts();