From: Greg Kroah-Hartman Date: Fri, 4 May 2012 19:20:33 +0000 (-0700) Subject: 3.0-stable patches X-Git-Tag: v3.3.5~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1019479bb8e3937fc4e0ca25c225bdfc605b4ec3;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: efivars-improve-variable-validation.patch hwmon-coretemp-fix-oops-on-cpu-unplug.patch hwmon-coretemp-increase-cpu-core-limit.patch i2c-pnx-disable-clk-in-suspend.patch ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch libata-skip-old-error-history-when-counting-probe-trials.patch mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch rtlwifi-fix-oops-on-unload.patch sched-fix-nohz-load-accounting-again.patch wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
---
diff --git a/queue-3.0/efivars-improve-variable-validation.patch b/queue-3.0/efivars-improve-variable-validation.patch
new file mode 100644
index 00000000000..304751db294
--- /dev/null
+++ b/queue-3.0/efivars-improve-variable-validation.patch
@@ -0,0 +1,140 @@
+From 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 Mon Sep 17 00:00:00 2001
+From: Matthew Garrett
+Date: Thu, 3 May 2012 16:50:46 -0400
+Subject: efivars: Improve variable validation
+
+From: Matthew Garrett
+
+commit 54b3a4d311c98ad94b737802a8b5f2c8c6bfd627 upstream.
+
+Ben Hutchings pointed out that the validation in efivars was inadequate -
+most obviously, an entry with size 0 would server as a DoS against the
+kernel. Improve this based on his suggestions.
+
+Signed-off-by: Matthew Garrett
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/firmware/efivars.c | 46 +++++++++++++++++++++++++++++----------------
+ 1 file changed, 30 insertions(+), 16 deletions(-)
+
+--- a/drivers/firmware/efivars.c
++++ b/drivers/firmware/efivars.c
+@@ -167,18 +167,21 @@ utf16_strsize(efi_char16_t *data, unsign
+ }
+
+ static bool
+-validate_device_path(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_device_path(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ struct efi_generic_dev_path *node;
+ int offset = 0;
+
+ node = (struct efi_generic_dev_path *)buffer;
+
+- while (offset < len) {
+- offset += node->length;
++ if (len < sizeof(*node))
++ return false;
+
+- if (offset > len)
+- return false;
++ while (offset <= len - sizeof(*node) &&
++ node->length >= sizeof(*node) &&
++ node->length <= len - offset) {
++ offset += node->length;
+
+ if ((node->type == EFI_DEV_END_PATH ||
+ node->type == EFI_DEV_END_PATH2) &&
+@@ -197,7 +200,8 @@ validate_device_path(struct efi_variable
+ }
+
+ static bool
+-validate_boot_order(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_boot_order(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* An array of 16-bit integers */
+ if ((len % 2) != 0)
+@@ -207,19 +211,27 @@ validate_boot_order(struct efi_variable
+ }
+
+ static bool
+-validate_load_option(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_load_option(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ u16 filepathlength;
+- int i, desclength = 0;
++ int i, desclength = 0, namelen;
++
++ namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));
+
+ /* Either "Boot" or "Driver" followed by four digits of hex */
+ for (i = match; i < match+4; i++) {
+- if (hex_to_bin(var->VariableName[i] & 0xff) < 0)
++ if (var->VariableName[i] > 127 ||
++ hex_to_bin(var->VariableName[i] & 0xff) < 0)
+ return true;
+ }
+
+- /* A valid entry must be at least 6 bytes */
+- if (len < 6)
++ /* Reject it if there's 4 digits of hex and then further content */
++ if (namelen > match + 4)
++ return false;
++
++ /* A valid entry must be at least 8 bytes */
++ if (len < 8)
+ return false;
+
+ filepathlength = buffer[4] | buffer[5] << 8;
+@@ -228,7 +240,7 @@ validate_load_option(struct efi_variable
+ * There's no stored length for the description, so it has to be
+ * found by hand
+ */
+- desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len) + 2;
++ desclength = utf16_strsize((efi_char16_t *)(buffer + 6), len - 6) + 2;
+
+ /* Each boot entry must have a descriptor */
+ if (!desclength)
+@@ -250,7 +262,8 @@ validate_load_option(struct efi_variable
+ }
+
+ static bool
+-validate_uint16(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_uint16(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ /* A single 16-bit integer */
+ if (len != 2)
+@@ -260,7 +273,8 @@ validate_uint16(struct efi_variable *var
+ }
+
+ static bool
+-validate_ascii_string(struct efi_variable *var, int match, u8 *buffer, int len)
++validate_ascii_string(struct efi_variable *var, int match, u8 *buffer,
++ unsigned long len)
+ {
+ int i;
+
+@@ -278,7 +292,7 @@ validate_ascii_string(struct efi_variabl
+ struct variable_validate {
+ char *name;
+ bool (*validate)(struct efi_variable *var, int match, u8 *data,
+- int len);
++ unsigned long len);
+ };
+
+ static const struct variable_validate variable_validate[] = {
+@@ -300,7 +314,7 @@ static const struct variable_validate va
+ };
+
+ static bool
+-validate_var(struct efi_variable *var, u8 *data, int len)
++validate_var(struct efi_variable *var, u8 *data, unsigned long len)
+ {
+ int i;
+ u16 *unicode_name = var->VariableName;
diff --git a/queue-3.0/hwmon-coretemp-fix-oops-on-cpu-unplug.patch b/queue-3.0/hwmon-coretemp-fix-oops-on-cpu-unplug.patch
new file mode 100644
index 00000000000..b72e9a23f39
--- /dev/null
+++ b/queue-3.0/hwmon-coretemp-fix-oops-on-cpu-unplug.patch
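Review bot: In validate_load_option the added `namelen = utf16_strnlen(var->VariableName, sizeof(var->VariableName));` passes a byte count as the limit; utf16_strnlen is defined outside this patch, so this needs confirming, but if its limit counts 16-bit characters the scan of an unterminated name can run past the end of the array, and `ARRAY_SIZE(var->VariableName)` would be the matching bound. In the same function the `if (!desclength)` test that follows the changed `utf16_strsize(...) + 2` line cannot be true because 2 has already been added, so the "must have a descriptor" rule is not enforced at that point. In validate_device_path `offset` stays `int` while `len` became `unsigned long`; declaring it `unsigned long offset = 0;` keeps the new loop comparisons in a single type.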
@@ -0,0 +1,75 @@
+From b704871124b477807966f06789c2b32f2de58bf7 Mon Sep 17 00:00:00 2001
+From: "Kirill A. Shutemov"
+Date: Mon, 30 Apr 2012 09:18:01 -0400
+Subject: hwmon: (coretemp) fix oops on cpu unplug
+
+From: "Kirill A. Shutemov"
+
+commit b704871124b477807966f06789c2b32f2de58bf7 upstream.
+
+coretemp tries to access core_data array beyond bounds on cpu unplug if
+core id of the cpu if more than NUM_REAL_CORES-1.
+
+BUG: unable to handle kernel NULL pointer dereference at 000000000000013c
+IP: [] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+PGD 673e5a067 PUD 66e9b3067 PMD 0
+Oops: 0000 [#1] SMP
+CPU 79
+Modules linked in: sunrpc cpufreq_ondemand acpi_cpufreq freq_table mperf bnep bluetooth rfkill ip6t_REJECT nf_conntrack_ipv6 nf_defrag_ipv6 ip6table_filter nf_conntrack_ipv4 nf_defrag_ipv4 ip6_tables xt_state nf_conntrack coretemp crc32c_intel asix tpm_tis pcspkr usbnet iTCO_wdt i2c_i801 microcode mii joydev tpm i2c_core iTCO_vendor_support tpm_bios i7core_edac igb ioatdma edac_core dca megaraid_sas [last unloaded: oprofile]
+
+Pid: 3315, comm: set-cpus Tainted: G W 3.4.0-rc5+ #2 QCI QSSC-S4R/QSSC-S4R
+RIP: 0010:[] [] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+RSP: 0018:ffff880472fb3d48 EFLAGS: 00010246
+RAX: 0000000000000124 RBX: 0000000000000034 RCX: 00000000ffffffff
+RDX: 0000000000000000 RSI: 0000000000000046 RDI: 0000000000000246
+RBP: ffff880472fb3d88 R08: ffff88077fcd36c0 R09: 0000000000000001
+R10: ffffffff8184bc48 R11: 0000000000000000 R12: ffff880273095800
+R13: 0000000000000013 R14: ffff8802730a1810 R15: 0000000000000000
+FS: 00007f694a20f720(0000) GS:ffff88077fcc0000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 000000000000013c CR3: 000000067209b000 CR4: 00000000000007e0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process set-cpus (pid: 3315, threadinfo ffff880472fb2000, task ffff880471fa0000)
+Stack:
+ ffff880277b4c308 0000000000000003 ffff880472fb3d88 0000000000000005
+ 0000000000000034 00000000ffffffd1 ffffffff81cadc70 ffff880472fb3e14
+ ffff880472fb3dc8 ffffffff8161f48d ffff880471fa0000 0000000000000034
+Call Trace:
+ [] notifier_call_chain+0x4d/0x70
+ [] __raw_notifier_call_chain+0xe/0x10
+ [] __cpu_notify+0x20/0x40
+ [] _cpu_down+0x81/0x270
+ [] cpu_down+0x37/0x50
+ [] store_online+0x63/0xc0
+ [] dev_attr_store+0x18/0x30
+ [] sysfs_write_file+0xef/0x170
+ [] vfs_write+0xb3/0x180
+ [] sys_write+0x4a/0x90
+ [] system_call_fastpath+0x16/0x1b
+Code: 48 c7 c7 94 60 01 a0 44 0f b7 ac 10 ac 00 00 00 31 c0 e8 41 b7 5f e1 41 83 c5 02 49 63 c5 49 8b 44 c4 10 48 85 c0 74 56 45 31 ff <39> 58 18 75 4e eb 1f 49 63 d7 4c 89 f7 48 89 45 c8 48 6b d2 28
+RIP [] coretemp_cpu_callback+0x93/0x1ba [coretemp]
+ RSP
+CR2: 000000000000013c
+
+Signed-off-by: Kirill A. Shutemov
+Signed-off-by: Guenter Roeck
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/coretemp.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -752,6 +752,10 @@ static void __cpuinit put_core_offline(u
+
+ indx = TO_ATTR_NO(cpu);
+
++ /* The core id is too big, just return */
++ if (indx > MAX_CORE_DATA - 1)
++ return;
++
+ if (pdata->core_data[indx] && pdata->core_data[indx]->cpu == cpu)
+ coretemp_remove_core(pdata, &pdev->dev, indx);
+
diff --git a/queue-3.0/hwmon-coretemp-increase-cpu-core-limit.patch b/queue-3.0/hwmon-coretemp-increase-cpu-core-limit.patch
new file mode 100644
index 00000000000..19af989ca5f
--- /dev/null
+++ b/queue-3.0/hwmon-coretemp-increase-cpu-core-limit.patch
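Review bot: The new guard in put_core_offline is written as `if (indx > MAX_CORE_DATA - 1)`; `if (indx >= MAX_CORE_DATA)` states the array bound directly and reads the same as the usual index check. The guard covers only this removal path: any other site that indexes `pdata->core_data[]` with `TO_ATTR_NO(cpu)` lies outside the hunk and should be confirmed to carry the same bound, since the oops in the description came from an out-of-range core id. put_core_offline begins and ends outside the hunk, so the declaration and signedness of `indx` cannot be checked from here.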
@@ -0,0 +1,33 @@
+From bdc71c9a87b898e4c380c23b2e3e18071312ecde Mon Sep 17 00:00:00 2001
+From: Guenter Roeck
+Date: Tue, 1 May 2012 08:15:42 -0700
+Subject: hwmon: (coretemp) Increase CPU core limit
+
+From: Guenter Roeck
+
+commit bdc71c9a87b898e4c380c23b2e3e18071312ecde upstream.
+
+CPU core ID is used to index the core_data[] array. The core ID is, however, not
+sequential; 10-core CPUS can have a core ID as high as 25. Increase the limit to
+32 to be able to deal with current CPUs.
+
+Signed-off-by: Guenter Roeck
+Acked-by: Jean Delvare
+Acked-by: Durgadoss R
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/hwmon/coretemp.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/hwmon/coretemp.c
++++ b/drivers/hwmon/coretemp.c
+@@ -42,7 +42,7 @@
+ #define DRVNAME "coretemp"
+
+ #define BASE_SYSFS_ATTR_NO 2 /* Sysfs Base attr no for coretemp */
+-#define NUM_REAL_CORES 16 /* Number of Real cores per cpu */
++#define NUM_REAL_CORES 32 /* Number of Real cores per cpu */
+ #define CORETEMP_NAME_LENGTH 17 /* String Length of attrs */
+ #define MAX_ATTRS 5 /* Maximum no of per-core attrs */
+ #define MAX_CORE_DATA (NUM_REAL_CORES + BASE_SYSFS_ATTR_NO)
diff --git a/queue-3.0/i2c-pnx-disable-clk-in-suspend.patch b/queue-3.0/i2c-pnx-disable-clk-in-suspend.patch
new file mode 100644
index 00000000000..5c67577b9a2
--- /dev/null
+++ b/queue-3.0/i2c-pnx-disable-clk-in-suspend.patch
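Review bot: The comment on the changed define still reads `/* Number of Real cores per cpu */`, but per the description the value bounds the core ID used to index core_data[], and core IDs are not sequential. A comment such as `/* Upper bound on core IDs, which are not sequential */` would stop the next reader from treating it as a core count. A fixed limit can be exceeded again by later parts, so the sites that index core_data[] need a range check whatever value is chosen here.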
@@ -0,0 +1,34 @@
+From 6c557cfee08751d22aed34840f389b846f0f4508 Mon Sep 17 00:00:00 2001
+From: Roland Stigge
+Date: Wed, 4 Apr 2012 10:34:37 +0200
+Subject: i2c: pnx: Disable clk in suspend
+
+From: Roland Stigge
+
+commit 6c557cfee08751d22aed34840f389b846f0f4508 upstream.
+
+In the driver's suspend function, clk_enable() was used instead of
+clk_disable(). This is corrected with this patch.
+
+Signed-off-by: Roland Stigge
+Reviewed-by: Arnd Bergmann
+[wsa: reworded commit header slightly]
+Signed-off-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-pnx.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-pnx.c
++++ b/drivers/i2c/busses/i2c-pnx.c
+@@ -546,8 +546,7 @@ static int i2c_pnx_controller_suspend(st
+ {
+ struct i2c_pnx_algo_data *alg_data = platform_get_drvdata(pdev);
+
+- /* FIXME: shouldn't this be clk_disable? */
+- clk_enable(alg_data->clk);
++ clk_disable(alg_data->clk);
+
+ return 0;
+ }
diff --git a/queue-3.0/ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch b/queue-3.0/ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
new file mode 100644
index 00000000000..516295de5b0
--- /dev/null
+++ b/queue-3.0/ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
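Review bot: With `clk_disable(alg_data->clk);` now in i2c_pnx_controller_suspend, the enable/disable count only balances if the resume handler calls clk_enable() and the clock is actually enabled whenever suspend runs; both facts are outside this hunk and should be confirmed before the backport is taken. If the driver gates the clock between transfers, an unconditional disable here would drop the count below what was taken. A short comment naming the matching clk_enable() in resume would record the pairing.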
@@ -0,0 +1,71 @@
+From dd447319895d0c0af423e483d9b63f84f3f8869a Mon Sep 17 00:00:00 2001
+From: Stanislav Yakovlev
+Date: Thu, 19 Apr 2012 15:55:09 -0400
+Subject: ipw2200: Fix race condition in the command completion acknowledge
+
+From: Stanislav Yakovlev
+
+commit dd447319895d0c0af423e483d9b63f84f3f8869a upstream.
+
+Driver incorrectly validates command completion: instead of waiting
+for a command to be acknowledged it continues execution. Most of the
+time driver gets acknowledge of the command completion in a tasklet
+before it executes the next one. But sometimes it sends the next
+command before it gets acknowledge for the previous one. In such a
+case one of the following error messages appear in the log:
+
+Failed to send SYSTEM_CONFIG: Already sending a command.
+Failed to send ASSOCIATE: Already sending a command.
+Failed to send TX_POWER: Already sending a command.
+
+After that you need to reload the driver to get it working again.
+
+This bug occurs during roaming (reported by Sam Varshavchik)
+https://bugzilla.redhat.com/show_bug.cgi?id=738508
+and machine booting (reported by Tom Gundersen and Mads Kiilerich)
+https://bugs.archlinux.org/task/28097
+https://bugzilla.redhat.com/show_bug.cgi?id=802106
+
+This patch doesn't fix the delay issue during firmware load.
+But at least device now works as usual after boot.
+
+Signed-off-by: Stanislav Yakovlev
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/ipw2x00/ipw2200.c | 13 ++++++++++++-
+ 1 file changed, 12 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/ipw2x00/ipw2200.c
++++ b/drivers/net/wireless/ipw2x00/ipw2200.c
+@@ -2182,6 +2182,7 @@ static int __ipw_send_cmd(struct ipw_pri
+ {
+ int rc = 0;
+ unsigned long flags;
++ unsigned long now, end;
+
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
+@@ -2223,10 +2224,20 @@ static int __ipw_send_cmd(struct ipw_pri
+ }
+ spin_unlock_irqrestore(&priv->lock, flags);
+
++ now = jiffies;
++ end = now + HOST_COMPLETE_TIMEOUT;
++again:
+ rc = wait_event_interruptible_timeout(priv->wait_command_queue,
+ !(priv->
+ status & STATUS_HCMD_ACTIVE),
+- HOST_COMPLETE_TIMEOUT);
++ end - now);
++ if (rc < 0) {
++ now = jiffies;
++ if (time_before(now, end))
++ goto again;
++ rc = 0;
++ }
++
+ if (rc == 0) {
+ spin_lock_irqsave(&priv->lock, flags);
+ if (priv->status & STATUS_HCMD_ACTIVE) {
diff --git a/queue-3.0/libata-skip-old-error-history-when-counting-probe-trials.patch b/queue-3.0/libata-skip-old-error-history-when-counting-probe-trials.patch
new file mode 100644
index 00000000000..b8b253aec43
--- /dev/null
+++ b/queue-3.0/libata-skip-old-error-history-when-counting-probe-trials.patch
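Review bot: The `goto again` loop added to __ipw_send_cmd can spin: a negative return from wait_event_interruptible_timeout() means a signal is pending, and since nothing here clears it the next call is expected to return at once, so the task busy-loops until `end` instead of sleeping. If the wait must not be cut short by signals, the uninterruptible form says so directly and removes the loop together with the `now`/`end` bookkeeping: `rc = wait_event_timeout(priv->wait_command_queue, !(priv->status & STATUS_HCMD_ACTIVE), HOST_COMPLETE_TIMEOUT);`. The function body starts and ends outside the two hunks shown.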
@@ -0,0 +1,39 @@
+From 6868225e3e92399068be9a5f1635752d91012ad5 Mon Sep 17 00:00:00 2001
+From: Lin Ming
+Date: Thu, 3 May 2012 22:15:07 +0800
+Subject: libata: skip old error history when counting probe trials
+
+From: Lin Ming
+
+commit 6868225e3e92399068be9a5f1635752d91012ad5 upstream.
+
+Commit d902747("[libata] Add ATA transport class") introduced
+ATA_EFLAG_OLD_ER to mark entries in the error ring as cleared.
+
+But ata_count_probe_trials_cb() didn't check this flag and it still
+counts the old error history. So wrong probe trials count is returned
+and it causes problem, for example, SATA link speed is slowed down from
+3.0Gbps to 1.5Gbps.
+
+Fix it by checking ATA_EFLAG_OLD_ER in ata_count_probe_trials_cb().
+
+Signed-off-by: Lin Ming
+Signed-off-by: Jeff Garzik
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/ata/libata-eh.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/drivers/ata/libata-eh.c
++++ b/drivers/ata/libata-eh.c
+@@ -3487,7 +3487,8 @@ static int ata_count_probe_trials_cb(str
+ u64 now = get_jiffies_64();
+ int *trials = void_arg;
+
+- if (ent->timestamp < now - min(now, interval))
++ if ((ent->eflags & ATA_EFLAG_OLD_ER) ||
++ (ent->timestamp < now - min(now, interval)))
+ return -1;
+
+ (*trials)++;
diff --git a/queue-3.0/mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch b/queue-3.0/mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
new file mode 100644
index 00000000000..e8b6198d21d
--- /dev/null
+++ b/queue-3.0/mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
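Review bot: The widened condition in ata_count_probe_trials_cb carries no comment saying why an entry flagged ATA_EFLAG_OLD_ER is treated like an expired one. A line such as `/* ignore history already cleared (OLD_ER) or older than the interval */` above the `if` would record the intent that is otherwise only in the description. The function's beginning and end are outside the hunk.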
@@ -0,0 +1,36 @@
+From 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 Mon Sep 17 00:00:00 2001
+From: Felix Fietkau
+Date: Sun, 29 Apr 2012 15:44:16 +0200
+Subject: mac80211: fix AP mode EAP tx for VLAN stations
+
+From: Felix Fietkau
+
+commit 66f2c99af3d6f2d0aa1120884cf1c60613ef61c0 upstream.
+
+EAP frames for stations in an AP VLAN are sent on the main AP interface
+to avoid race conditions wrt. moving stations.
+For that to work properly, sta_info_get_bss must be used instead of
+sta_info_get when sending EAP packets.
+Previously this was only done for cooked monitor injected packets, so
+this patch adds a check for tx->skb->protocol to the same place.
+
+Signed-off-by: Felix Fietkau
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/tx.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+--- a/net/mac80211/tx.c
++++ b/net/mac80211/tx.c
+@@ -1222,7 +1222,8 @@ ieee80211_tx_prepare(struct ieee80211_su
+ tx->sta = rcu_dereference(sdata->u.vlan.sta);
+ if (!tx->sta && sdata->dev->ieee80211_ptr->use_4addr)
+ return TX_DROP;
+- } else if (info->flags & IEEE80211_TX_CTL_INJECTED) {
++ } else if (info->flags & IEEE80211_TX_CTL_INJECTED ||
++ tx->sdata->control_port_protocol == tx->skb->protocol) {
+ tx->sta = sta_info_get_bss(sdata, hdr->addr1);
+ }
+ if (!tx->sta)
diff --git a/queue-3.0/rtlwifi-fix-oops-on-unload.patch b/queue-3.0/rtlwifi-fix-oops-on-unload.patch
new file mode 100644
index 00000000000..d1f5ba59d9b
--- /dev/null
+++ b/queue-3.0/rtlwifi-fix-oops-on-unload.patch
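Review bot: The added operand reads `tx->sdata->control_port_protocol` while every other line of this if/else chain uses the local `sdata`; whether `tx->sdata` is already assigned at this point is outside the hunk, so `sdata->control_port_protocol == tx->skb->protocol` is the safer spelling. Parenthesising the flag test, `(info->flags & IEEE80211_TX_CTL_INJECTED) ||`, would also make the precedence explicit. ieee80211_tx_prepare continues outside the hunk.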
@@ -0,0 +1,65 @@
+From 44eb65cfd8da4b9c231238998729e858e963a980 Mon Sep 17 00:00:00 2001
+From: Larry Finger
+Date: Thu, 19 Apr 2012 21:39:06 -0500
+Subject: rtlwifi: Fix oops on unload
+
+From: Larry Finger
+
+commit 44eb65cfd8da4b9c231238998729e858e963a980 upstream.
+
+Under some circumstances, a PCI-based driver reports the following OOPs:
+
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Oops: 0000 [#1] SMP
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Pid: 19627, comm: rmmod
+Not tainted 3.2.9-2.fc16.x86_64 #1 LENOVO 05962RU/05962RU
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP:
+0010:[] []
+rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Process rmmod (pid:
+19627, threadinfo ffff880050262000, task ffff8801156d5cc0)
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Stack:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000002
+ffff8801176c2540 ffff880050263ca8 ffffffffa03348e7
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] 0000000000000282
+0000000180150014 ffff880050263fd8 ffff8801176c2810
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] ffff880050263bc8
+ffffffff810550e2 00000000000002c0 ffff8801176c0d40
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Call Trace:
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] []
+_rtl_pci_rx_interrupt+0x187/0x650 [rtlwifi]
+--snip--
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] Code: ff 09 d0 89 07 48
+83 c4 08 5b 5d c3 66 0f 1f 44 00 00 55 48 89 e5 53 48 83 ec 08 66 66
+66 66 90 40 84 f6 89 d3 74 13 84 d2 75 57 <8b> 07 48 83 c4 08 5b 5d c1
+e8 1f c3 0f 1f 00 84 d2 74 ed 80 fa
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RIP
+[] rtl92ce_get_desc+0x19/0xd0 [rtl8192ce]
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] RSP
+Mar 19 08:14:35 kvothe kernel: [ 6584.626011] CR2: 00000000000006e0
+Mar 19 08:14:35 kvothe kernel: [ 6584.646491] ---[ end trace
+8636c766dcfbe0e6 ]---
+
+This oops is due to interrupts not being disabled in this particular path.
+
+Reported-by: Dave Airlie
+Tested-by: Dave Airlie
+Signed-off-by: Larry Finger
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/rtlwifi/pci.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/rtlwifi/pci.c
++++ b/drivers/net/wireless/rtlwifi/pci.c
+@@ -1988,6 +1988,7 @@ void rtl_pci_disconnect(struct pci_dev *
+ rtl_deinit_deferred_work(hw);
+ rtlpriv->intf_ops->adapter_stop(hw);
+ }
++ rtlpriv->cfg->ops->disable_interrupt(hw);
+
+ /*deinit rfkill */
+ rtl_deinit_rfkill(hw);
diff --git a/queue-3.0/sched-fix-nohz-load-accounting-again.patch b/queue-3.0/sched-fix-nohz-load-accounting-again.patch
new file mode 100644
index 00000000000..f9f54ac5a86
--- /dev/null
+++ b/queue-3.0/sched-fix-nohz-load-accounting-again.patch
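Review bot: The added `rtlpriv->cfg->ops->disable_interrupt(hw);` sits after the block that calls `rtl_deinit_deferred_work(hw)` and `adapter_stop(hw)`, so when that block runs the interrupt handler can still fire while teardown is already under way; consider whether masking can be done before the block. Masking at the device also does not wait for a handler that is already running on another CPU, and whether a synchronize_irq() or free_irq() follows before the descriptor rings are released is outside the hunk and worth confirming. A one-line comment naming the path that left interrupts enabled would help, since the description only says "this particular path".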
@@ -0,0 +1,133 @@
+From c308b56b5398779cd3da0f62ab26b0453494c3d4 Mon Sep 17 00:00:00 2001
+From: Peter Zijlstra
+Date: Thu, 1 Mar 2012 15:04:46 +0100
+Subject: sched: Fix nohz load accounting -- again!
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Peter Zijlstra
+
+commit c308b56b5398779cd3da0f62ab26b0453494c3d4 upstream.
+[ backported to 3.0 by Kerin Millar ]
+
+Various people reported nohz load tracking still being wrecked, but Doug
+spotted the actual problem. We fold the nohz remainder in too soon,
+causing us to loose samples and under-account.
+
+So instead of playing catch-up up-front, always do a single load-fold
+with whatever state we encounter and only then fold the nohz remainder
+and play catch-up.
+
+Reported-by: Doug Smythies
+Reported-by: LesÅ=82aw Kope=C4=87
+Reported-by: Aman Gupta
+Signed-off-by: Peter Zijlstra
+Link: http://lkml.kernel.org/n/tip-4v31etnhgg9kwd6ocgx3rxl8@git.kernel.org
+Signed-off-by: Ingo Molnar
+Cc: Kerin Millar
+Signed-off-by: Greg Kroah-Hartman
+
+
+---
+ kernel/sched.c | 53 ++++++++++++++++++++++++++---------------------------
+ 1 file changed, 26 insertions(+), 27 deletions(-)
+
+--- a/kernel/sched.c
++++ b/kernel/sched.c
+@@ -3392,13 +3392,10 @@ calc_load_n(unsigned long load, unsigned
+ * Once we've updated the global active value, we need to apply the exponential
+ * weights adjusted to the number of cycles missed.
+ */
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ long delta, active, n;
+
+- if (time_before(jiffies, calc_load_update))
+- return;
+-
+ /*
+ * If we crossed a calc_load_update boundary, make sure to fold
+ * any pending idle changes, the respective CPUs might have
+@@ -3410,31 +3407,25 @@ static void calc_global_nohz(unsigned lo
+ atomic_long_add(delta, &calc_load_tasks);
+
+ /*
+- * If we were idle for multiple load cycles, apply them.
++ * It could be the one fold was all it took, we done!
+ */
+- if (ticks >= LOAD_FREQ) {
+- n = ticks / LOAD_FREQ;
++ if (time_before(jiffies, calc_load_update + 10))
++ return;
+
+- active = atomic_long_read(&calc_load_tasks);
+- active = active > 0 ? active * FIXED_1 : 0;
++ /*
++ * Catch-up, fold however many we are behind still
++ */
++ delta = jiffies - calc_load_update - 10;
++ n = 1 + (delta / LOAD_FREQ);
+
+- avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
+- avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
+- avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
++ active = atomic_long_read(&calc_load_tasks);
++ active = active > 0 ? active * FIXED_1 : 0;
+
+- calc_load_update += n * LOAD_FREQ;
+- }
++ avenrun[0] = calc_load_n(avenrun[0], EXP_1, active, n);
++ avenrun[1] = calc_load_n(avenrun[1], EXP_5, active, n);
++ avenrun[2] = calc_load_n(avenrun[2], EXP_15, active, n);
+
+- /*
+- * Its possible the remainder of the above division also crosses
+- * a LOAD_FREQ period, the regular check in calc_global_load()
+- * which comes after this will take care of that.
+- *
+- * Consider us being 11 ticks before a cycle completion, and us
+- * sleeping for 4*LOAD_FREQ + 22 ticks, then the above code will
+- * age us 4 cycles, and the test in calc_global_load() will
+- * pick up the final one.
+- */
++ calc_load_update += n * LOAD_FREQ;
+ }
+ #else
+ static void calc_load_account_idle(struct rq *this_rq)
+@@ -3446,7 +3437,7 @@ static inline long calc_load_fold_idle(v
+ return 0;
+ }
+
+-static void calc_global_nohz(unsigned long ticks)
++static void calc_global_nohz(void)
+ {
+ }
+ #endif
+@@ -3474,8 +3465,6 @@ void calc_global_load(unsigned long tick
+ {
+ long active;
+
+- calc_global_nohz(ticks);
+-
+ if (time_before(jiffies, calc_load_update + 10))
+ return;
+
+@@ -3487,6 +3476,16 @@ void calc_global_load(unsigned long tick
+ avenrun[2] = calc_load(avenrun[2], EXP_15, active);
+
+ calc_load_update += LOAD_FREQ;
++
++ /*
++ * Account one period with whatever state we found before
++ * folding in the nohz state and ageing the entire idle period.
++ *
++ * This avoids loosing a sample when we go idle between
++ * calc_load_account_active() (10 ticks ago) and now and thus
++ * under-accounting.
++ */
++ calc_global_nohz();
+ }
+
+ /*
diff --git a/queue-3.0/series b/queue-3.0/series
index 210e4b2bf8a..8d07de8c174 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -34,3 +34,14 @@ efi-add-new-variable-attributes.patch
 efivars-string-functions.patch
 efivars-fix-warnings-when-config_pstore-n.patch
 efi-validate-uefi-boot-variables.patch
+efivars-improve-variable-validation.patch
+hwmon-coretemp-increase-cpu-core-limit.patch
+hwmon-coretemp-fix-oops-on-cpu-unplug.patch
+libata-skip-old-error-history-when-counting-probe-trials.patch
+i2c-pnx-disable-clk-in-suspend.patch
+ipw2200-fix-race-condition-in-the-command-completion-acknowledge.patch
+mac80211-fix-ap-mode-eap-tx-for-vlan-stations.patch
+rtlwifi-fix-oops-on-unload.patch
+wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
+wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
+sched-fix-nohz-load-accounting-again.patch
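Review bot: The bare `10` now appears in both calc_global_nohz() (`calc_load_update + 10` and `jiffies - calc_load_update - 10`) and calc_global_load(), and the catch-up count `n` is only right while all three agree; a named constant shared by the two functions would keep them in step. The unused `ticks` parameter of calc_global_load() is left in place after its only use was removed, which deserves a comment or a follow-up. The new comments also carry wording worth fixing before it is copied further: `we done!` and `loosing a sample` (losing).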
diff --git a/queue-3.0/wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch b/queue-3.0/wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
new file mode 100644
index 00000000000..7f9a172eaa2
--- /dev/null
+++ b/queue-3.0/wl1251-fix-crash-on-remove-due-to-leftover-work-item.patch
@@ -0,0 +1,32 @@
+From 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas
+Date: Thu, 26 Apr 2012 23:07:44 +0300
+Subject: wl1251: fix crash on remove due to leftover work item
+
+From: Grazvydas Ignotas
+
+commit 4c1bcdb5a3354b250b82a67549f57ac27a3bb85f upstream.
+
+This driver currently leaves elp_work behind when stopping, which
+occasionally results in data corruption because work function ends
+up accessing freed memory, typical symptoms of this are various
+worker_thread crashes. Fix it by cancelling elp_work.
+
+Signed-off-by: Grazvydas Ignotas
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/wl1251/main.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/net/wireless/wl1251/main.c
++++ b/drivers/net/wireless/wl1251/main.c
+@@ -479,6 +479,7 @@ static void wl1251_op_stop(struct ieee80
+ cancel_work_sync(&wl->irq_work);
+ cancel_work_sync(&wl->tx_work);
+ cancel_work_sync(&wl->filter_work);
++ cancel_delayed_work_sync(&wl->elp_work);
+
+ mutex_lock(&wl->mutex);
+
diff --git a/queue-3.0/wl1251-fix-crash-on-remove-due-to-premature-kfree.patch b/queue-3.0/wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
new file mode 100644
index 00000000000..72631c5f163
--- /dev/null
+++ b/queue-3.0/wl1251-fix-crash-on-remove-due-to-premature-kfree.patch
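Review bot: `cancel_delayed_work_sync(&wl->elp_work);` is called before `mutex_lock(&wl->mutex)`, so any path that can still queue elp_work after this point would re-arm it once the cancel has returned, and the work would again outlive the stop. The sites that schedule elp_work are outside the hunk; confirm they are all quiesced by the time wl1251_op_stop reaches this line, or cancel again at the end of the stop sequence. wl1251_op_stop begins and ends outside the hunk.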
@@ -0,0 +1,38 @@
+From 328c32f0f85467af5a6c4c3289e168d9ad2555af Mon Sep 17 00:00:00 2001
+From: Grazvydas Ignotas
+Date: Thu, 26 Apr 2012 23:07:43 +0300
+Subject: wl1251: fix crash on remove due to premature kfree
+
+From: Grazvydas Ignotas
+
+commit 328c32f0f85467af5a6c4c3289e168d9ad2555af upstream.
+
+Currently SDIO glue frees it's own structure before calling
+wl1251_free_hw(), which in turn calls ieee80211_unregister_hw().
+The later call may result in a need to communicate with the chip
+to stop it (as it happens now if the interface is still up before
+rmmod), which means calls are made back to the glue, resulting in
+freed memory access.
+
+Fix this by freeing glue data last.
+
+Signed-off-by: Grazvydas Ignotas
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/net/wireless/wl1251/sdio.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/wl1251/sdio.c
++++ b/drivers/net/wireless/wl1251/sdio.c
+@@ -314,8 +314,8 @@ static void __devexit wl1251_sdio_remove
+
+ if (wl->irq)
+ free_irq(wl->irq, wl);
+- kfree(wl_sdio);
+ wl1251_free_hw(wl);
++ kfree(wl_sdio);
+
+ sdio_claim_host(func);
+ sdio_release_irq(func);
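Review bot: After the reorder, `wl1251_free_hw(wl)` and `kfree(wl_sdio)` still run before `sdio_release_irq(func)`, so the SDIO interrupt handler stays registered while the structures it may use are being freed. If that handler dereferences `wl` or the glue data (its body is outside the hunk), an interrupt arriving in that window is the same freed-memory access the description sets out to remove; consider releasing the SDIO IRQ before the two frees. wl1251_sdio_remove continues past the last line shown, so the rest of the teardown order cannot be checked from here.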