From: Greg Kroah-Hartman Date: Tue, 3 Sep 2013 18:47:59 +0000 (-0700) Subject: 3.10-stable patches X-Git-Tag: v3.0.95~15 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=56c522e5799e035c939ed22e462f5c051e583b42;p=thirdparty%2Fkernel%2Fstable-queue.git 3.10-stable patches added patches: ath9k-enable-pll-fix-only-for-ar9340-ar9330.patch ath9k_htc-restore-skb-headroom-when-returning-skb-to-mac80211.patch drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch drm-vmwgfx-split-gmr2_remap-commands-if-they-are-to-large.patch iwl4965-fix-rfkill-set-state-regression.patch mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch mac80211-add-missing-channel-context-release.patch memcg-check-that-kmem_cache-has-memcg_params-before-accessing-it.patch sunrpc-fix-memory-corruption-issue-on-32-bit-highmem-systems.patch workqueue-cond_resched-after-processing-each-work-item.patch x86-mm-fix-boot-crash-with-debug_page_alloc-y-and-more-than-512g-ram.patch --- diff --git a/queue-3.10/ath9k-enable-pll-fix-only-for-ar9340-ar9330.patch b/queue-3.10/ath9k-enable-pll-fix-only-for-ar9340-ar9330.patch new file mode 100644 index 00000000000..033ccc09c3b --- /dev/null +++ b/queue-3.10/ath9k-enable-pll-fix-only-for-ar9340-ar9330.patch @@ -0,0 +1,39 @@ +From 19c361608ce3e73f352e323262f7e0a8264be3af Mon Sep 17 00:00:00 2001 +From: Sujith Manoharan +Date: Tue, 20 Aug 2013 10:05:59 +0530 +Subject: ath9k: Enable PLL fix only for AR9340/AR9330 + +From: Sujith Manoharan + +commit 19c361608ce3e73f352e323262f7e0a8264be3af upstream. + +The PLL hang workaround is required only for AR9330 and +AR9340. This issue was first observed on an AP121 and the WAR +is enabled for AR9340 also (DB120 etc.), since it uses a PLL +design identical to AR9330. This is not required for AR9485 and AR9550. + +Various bugs have been reported regarding this: + +https://bugzilla.redhat.com/show_bug.cgi?id=997217 +https://bugzilla.redhat.com/show_bug.cgi?id=994648 + +Signed-off-by: Sujith Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/main.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -173,8 +173,7 @@ static void ath_restart_work(struct ath_ + { + ieee80211_queue_delayed_work(sc->hw, &sc->tx_complete_work, 0); + +- if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9485(sc->sc_ah) || +- AR_SREV_9550(sc->sc_ah)) ++ if (AR_SREV_9340(sc->sc_ah) || AR_SREV_9330(sc->sc_ah)) + ieee80211_queue_delayed_work(sc->hw, &sc->hw_pll_work, + msecs_to_jiffies(ATH_PLL_WORK_INTERVAL)); + diff --git a/queue-3.10/ath9k_htc-restore-skb-headroom-when-returning-skb-to-mac80211.patch b/queue-3.10/ath9k_htc-restore-skb-headroom-when-returning-skb-to-mac80211.patch new file mode 100644 index 00000000000..1c8e34a2ae4 --- /dev/null +++ b/queue-3.10/ath9k_htc-restore-skb-headroom-when-returning-skb-to-mac80211.patch @@ -0,0 +1,57 @@ +From d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 Mon Sep 17 00:00:00 2001 +From: Helmut Schaa +Date: Fri, 16 Aug 2013 21:39:40 +0200 +Subject: ath9k_htc: Restore skb headroom when returning skb to mac80211 + +From: Helmut Schaa + +commit d2e9fc141e2aa21f4b35ee27072d84e9aa6e2ba0 upstream. + +ath9k_htc adds padding between the 802.11 header and the payload during +TX by moving the header. When handing the frame back to mac80211 for TX +status handling the header is not moved back into its original position. +This can result in a too small skb headroom when entering ath9k_htc +again (due to a soft retransmission for example) causing an +skb_under_panic oops. + +Fix this by moving the 802.11 header back into its original position +before returning the frame to mac80211 as other drivers like rt2x00 +or ath5k do. + +Reported-by: Marc Kleine-Budde +Signed-off-by: Helmut Schaa +Tested-by: Marc Kleine-Budde +Signed-off-by: Marc Kleine-Budde +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/htc_drv_txrx.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_txrx.c +@@ -448,6 +448,7 @@ static void ath9k_htc_tx_process(struct + struct ieee80211_conf *cur_conf = &priv->hw->conf; + bool txok; + int slot; ++ int hdrlen, padsize; + + slot = strip_drv_header(priv, skb); + if (slot < 0) { +@@ -504,6 +505,15 @@ send_mac80211: + + ath9k_htc_tx_clear_slot(priv, slot); + ++ /* Remove padding before handing frame back to mac80211 */ ++ hdrlen = ieee80211_get_hdrlen_from_skb(skb); ++ ++ padsize = hdrlen & 3; ++ if (padsize && skb->len > hdrlen + padsize) { ++ memmove(skb->data + padsize, skb->data, hdrlen); ++ skb_pull(skb, padsize); ++ } ++ + /* Send status to mac80211 */ + ieee80211_tx_status(priv->hw, skb); + } diff --git a/queue-3.10/drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch b/queue-3.10/drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch new file mode 100644 index 00000000000..0b17b7f580c --- /dev/null +++ b/queue-3.10/drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch @@ -0,0 +1,48 @@ +From 77fa4cbd5fa389e28419bbe8ac491b5fdd54840d Mon Sep 17 00:00:00 2001 +From: Imre Deak +Date: Fri, 23 Aug 2013 23:50:23 +0300 +Subject: drm/i915: ivb: fix edp voltage swing reg val + +From: Imre Deak + +commit 77fa4cbd5fa389e28419bbe8ac491b5fdd54840d upstream. + +Fix the typo introduced in + +commit 1a2eb4604b85c5efb343da8a4dcf41288fcfca85 +Author: Keith Packard +Date: Wed Nov 16 16:26:07 2011 -0800 + + drm/i915: Hook up Ivybridge eDP + +This fixes eDP link-training failures and cases where all voltage swing +/pre-emphasis levels were tried and failed during clock recovery and - +as a fallback - we go on to do channel equalization with the last voltage +swing/pre-emphasis level which will succeed. Both issues can lead to a +blank screen. + +v2: +- improve commit message + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=64880 +Tested-by: Jeremy Moles +Signed-off-by: Imre Deak +Reviewed-by: Paulo Zanoni +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -4246,7 +4246,7 @@ + #define EDP_LINK_TRAIN_600MV_0DB_IVB (0x30 <<22) + #define EDP_LINK_TRAIN_600MV_3_5DB_IVB (0x36 <<22) + #define EDP_LINK_TRAIN_800MV_0DB_IVB (0x38 <<22) +-#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x33 <<22) ++#define EDP_LINK_TRAIN_800MV_3_5DB_IVB (0x3e <<22) + + /* legacy values */ + #define EDP_LINK_TRAIN_500MV_0DB_IVB (0x00 <<22) diff --git a/queue-3.10/drm-vmwgfx-split-gmr2_remap-commands-if-they-are-to-large.patch b/queue-3.10/drm-vmwgfx-split-gmr2_remap-commands-if-they-are-to-large.patch new file mode 100644 index 00000000000..52956f5287c --- /dev/null +++ b/queue-3.10/drm-vmwgfx-split-gmr2_remap-commands-if-they-are-to-large.patch @@ -0,0 +1,116 @@ +From 6e4dcff3adbf25acb87e74500a58e3c07bdec40f Mon Sep 17 00:00:00 2001 +From: Jakob Bornecrantz +Date: Thu, 29 Aug 2013 02:32:53 +0200 +Subject: drm/vmwgfx: Split GMR2_REMAP commands if they are to large + +From: Jakob Bornecrantz + +commit 6e4dcff3adbf25acb87e74500a58e3c07bdec40f upstream. + +This fixes the piglit test texturing/max-texture-size +causing the VM to die due to a too large SVGA command. + +Signed-off-by: Jakob Bornecrantz +Reviewed-by: Biran Paul +Reviewed-by: Zack Rusin +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c | 60 ++++++++++++++++++++++++------------ + 1 file changed, 40 insertions(+), 20 deletions(-) + +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_gmr.c +@@ -29,7 +29,9 @@ + #include + #include + +-#define VMW_PPN_SIZE sizeof(unsigned long) ++#define VMW_PPN_SIZE (sizeof(unsigned long)) ++/* A future safe maximum remap size. */ ++#define VMW_PPN_PER_REMAP ((31 * 1024) / VMW_PPN_SIZE) + + static int vmw_gmr2_bind(struct vmw_private *dev_priv, + struct page *pages[], +@@ -38,43 +40,61 @@ static int vmw_gmr2_bind(struct vmw_priv + { + SVGAFifoCmdDefineGMR2 define_cmd; + SVGAFifoCmdRemapGMR2 remap_cmd; +- uint32_t define_size = sizeof(define_cmd) + 4; +- uint32_t remap_size = VMW_PPN_SIZE * num_pages + sizeof(remap_cmd) + 4; + uint32_t *cmd; + uint32_t *cmd_orig; ++ uint32_t define_size = sizeof(define_cmd) + sizeof(*cmd); ++ uint32_t remap_num = num_pages / VMW_PPN_PER_REMAP + ((num_pages % VMW_PPN_PER_REMAP) > 0); ++ uint32_t remap_size = VMW_PPN_SIZE * num_pages + (sizeof(remap_cmd) + sizeof(*cmd)) * remap_num; ++ uint32_t remap_pos = 0; ++ uint32_t cmd_size = define_size + remap_size; + uint32_t i; + +- cmd_orig = cmd = vmw_fifo_reserve(dev_priv, define_size + remap_size); ++ cmd_orig = cmd = vmw_fifo_reserve(dev_priv, cmd_size); + if (unlikely(cmd == NULL)) + return -ENOMEM; + + define_cmd.gmrId = gmr_id; + define_cmd.numPages = num_pages; + ++ *cmd++ = SVGA_CMD_DEFINE_GMR2; ++ memcpy(cmd, &define_cmd, sizeof(define_cmd)); ++ cmd += sizeof(define_cmd) / sizeof(*cmd); ++ ++ /* ++ * Need to split the command if there are too many ++ * pages that goes into the gmr. ++ */ ++ + remap_cmd.gmrId = gmr_id; + remap_cmd.flags = (VMW_PPN_SIZE > sizeof(*cmd)) ? + SVGA_REMAP_GMR2_PPN64 : SVGA_REMAP_GMR2_PPN32; +- remap_cmd.offsetPages = 0; +- remap_cmd.numPages = num_pages; + +- *cmd++ = SVGA_CMD_DEFINE_GMR2; +- memcpy(cmd, &define_cmd, sizeof(define_cmd)); +- cmd += sizeof(define_cmd) / sizeof(uint32); ++ while (num_pages > 0) { ++ unsigned long nr = min(num_pages, (unsigned long)VMW_PPN_PER_REMAP); ++ ++ remap_cmd.offsetPages = remap_pos; ++ remap_cmd.numPages = nr; + +- *cmd++ = SVGA_CMD_REMAP_GMR2; +- memcpy(cmd, &remap_cmd, sizeof(remap_cmd)); +- cmd += sizeof(remap_cmd) / sizeof(uint32); +- +- for (i = 0; i < num_pages; ++i) { +- if (VMW_PPN_SIZE <= 4) +- *cmd = page_to_pfn(*pages++); +- else +- *((uint64_t *)cmd) = page_to_pfn(*pages++); ++ *cmd++ = SVGA_CMD_REMAP_GMR2; ++ memcpy(cmd, &remap_cmd, sizeof(remap_cmd)); ++ cmd += sizeof(remap_cmd) / sizeof(*cmd); ++ ++ for (i = 0; i < nr; ++i) { ++ if (VMW_PPN_SIZE <= 4) ++ *cmd = page_to_pfn(*pages++); ++ else ++ *((uint64_t *)cmd) = page_to_pfn(*pages++); + +- cmd += VMW_PPN_SIZE / sizeof(*cmd); ++ cmd += VMW_PPN_SIZE / sizeof(*cmd); ++ } ++ ++ num_pages -= nr; ++ remap_pos += nr; + } + +- vmw_fifo_commit(dev_priv, define_size + remap_size); ++ BUG_ON(cmd != cmd_orig + cmd_size / sizeof(*cmd)); ++ ++ vmw_fifo_commit(dev_priv, cmd_size); + + return 0; + } diff --git a/queue-3.10/iwl4965-fix-rfkill-set-state-regression.patch b/queue-3.10/iwl4965-fix-rfkill-set-state-regression.patch new file mode 100644 index 00000000000..58286ce5343 --- /dev/null +++ b/queue-3.10/iwl4965-fix-rfkill-set-state-regression.patch @@ -0,0 +1,41 @@ +From b2fcc0aee58a3435566dd6d8501a0b355552f28b Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka +Date: Wed, 21 Aug 2013 10:18:19 +0200 +Subject: iwl4965: fix rfkill set state regression + +From: Stanislaw Gruszka + +commit b2fcc0aee58a3435566dd6d8501a0b355552f28b upstream. + +My current 3.11 fix: + +commit 788f7a56fce1bcb2067b62b851a086fca48a0056 +Author: Stanislaw Gruszka +Date: Thu Aug 1 12:07:55 2013 +0200 + + iwl4965: reset firmware after rfkill off + +broke rfkill notification to user-space . I missed that bug, because +I compiled without CONFIG_RFKILL, sorry about that. + +Signed-off-by: Stanislaw Gruszka +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/iwlegacy/4965-mac.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/iwlegacy/4965-mac.c ++++ b/drivers/net/wireless/iwlegacy/4965-mac.c +@@ -4446,9 +4446,9 @@ il4965_irq_tasklet(struct il_priv *il) + set_bit(S_RFKILL, &il->status); + } else { + clear_bit(S_RFKILL, &il->status); +- wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill); + il_force_reset(il, true); + } ++ wiphy_rfkill_set_hw_state(il->hw->wiphy, hw_rf_kill); + + handled |= CSR_INT_BIT_RF_KILL; + } diff --git a/queue-3.10/mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch b/queue-3.10/mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch new file mode 100644 index 00000000000..2d06cb42ff7 --- /dev/null +++ b/queue-3.10/mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch @@ -0,0 +1,88 @@ +From 2dfca312a91631311c1cf7c090246cc8103de038 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Tue, 20 Aug 2013 19:43:54 +0200 +Subject: mac80211: add a flag to indicate CCK support for HT clients + +From: Felix Fietkau + +commit 2dfca312a91631311c1cf7c090246cc8103de038 upstream. + +brcm80211 cannot handle sending frames with CCK rates as part of an +A-MPDU session. Other drivers may have issues too. Set the flag in all +drivers that have been tested with CCK rates. + +This fixes a reported brcmsmac regression introduced in +commit ef47a5e4f1aaf1d0e2e6875e34b2c9595897bef6 +"mac80211/minstrel_ht: fix cck rate sampling" + +Reported-by: Tom Gundersen +Signed-off-by: Felix Fietkau +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/init.c | 3 ++- + drivers/net/wireless/ath/carl9170/main.c | 3 ++- + drivers/net/wireless/rt2x00/rt2800lib.c | 3 ++- + include/net/mac80211.h | 1 + + net/mac80211/rc80211_minstrel_ht.c | 3 +++ + 5 files changed, 10 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/init.c ++++ b/drivers/net/wireless/ath/ath9k/init.c +@@ -767,7 +767,8 @@ void ath9k_set_hw_capab(struct ath_softc + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_SPECTRUM_MGMT | + IEEE80211_HW_REPORTS_TX_ACK_STATUS | +- IEEE80211_HW_SUPPORTS_RC_TABLE; ++ IEEE80211_HW_SUPPORTS_RC_TABLE | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + if (sc->sc_ah->caps.hw_caps & ATH9K_HW_CAP_HT) + hw->flags |= IEEE80211_HW_AMPDU_AGGREGATION; +--- a/drivers/net/wireless/ath/carl9170/main.c ++++ b/drivers/net/wireless/ath/carl9170/main.c +@@ -1857,7 +1857,8 @@ void *carl9170_alloc(size_t priv_size) + IEEE80211_HW_SUPPORTS_PS | + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_NEED_DTIM_BEFORE_ASSOC | +- IEEE80211_HW_SIGNAL_DBM; ++ IEEE80211_HW_SIGNAL_DBM | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + if (!modparam_noht) { + /* +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -5912,7 +5912,8 @@ static int rt2800_probe_hw_mode(struct r + IEEE80211_HW_SUPPORTS_PS | + IEEE80211_HW_PS_NULLFUNC_STACK | + IEEE80211_HW_AMPDU_AGGREGATION | +- IEEE80211_HW_REPORTS_TX_ACK_STATUS; ++ IEEE80211_HW_REPORTS_TX_ACK_STATUS | ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES; + + /* + * Don't set IEEE80211_HW_HOST_BROADCAST_PS_BUFFERING for USB devices +--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -1484,6 +1484,7 @@ enum ieee80211_hw_flags { + IEEE80211_HW_SUPPORTS_RC_TABLE = 1<<24, + IEEE80211_HW_P2P_DEV_ADDR_FOR_INTF = 1<<25, + IEEE80211_HW_TIMING_BEACON_ONLY = 1<<26, ++ IEEE80211_HW_SUPPORTS_HT_CCK_RATES = 1<<27, + }; + + /** +--- a/net/mac80211/rc80211_minstrel_ht.c ++++ b/net/mac80211/rc80211_minstrel_ht.c +@@ -828,6 +828,9 @@ minstrel_ht_update_cck(struct minstrel_p + if (sband->band != IEEE80211_BAND_2GHZ) + return; + ++ if (!(mp->hw->flags & IEEE80211_HW_SUPPORTS_HT_CCK_RATES)) ++ return; ++ + mi->cck_supported = 0; + mi->cck_supported_short = 0; + for (i = 0; i < 4; i++) { diff --git a/queue-3.10/mac80211-add-missing-channel-context-release.patch b/queue-3.10/mac80211-add-missing-channel-context-release.patch new file mode 100644 index 00000000000..cf17cc252dc --- /dev/null +++ b/queue-3.10/mac80211-add-missing-channel-context-release.patch @@ -0,0 +1,29 @@ +From 2a3ba63c235fdcd37f6451bdf4a0c7865a3930cf Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Tue, 20 Aug 2013 11:28:50 +0200 +Subject: mac80211: add missing channel context release + +From: Johannes Berg + +commit 2a3ba63c235fdcd37f6451bdf4a0c7865a3930cf upstream. + +IBSS needs to release the channel context when leaving +but I evidently missed that. Fix it. + +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ibss.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -1166,6 +1166,7 @@ int ieee80211_ibss_leave(struct ieee8021 + clear_bit(SDATA_STATE_OFFCHANNEL_BEACON_STOPPED, &sdata->state); + ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON_ENABLED | + BSS_CHANGED_IBSS); ++ ieee80211_vif_release_channel(sdata); + synchronize_rcu(); + kfree(presp); + diff --git a/queue-3.10/memcg-check-that-kmem_cache-has-memcg_params-before-accessing-it.patch b/queue-3.10/memcg-check-that-kmem_cache-has-memcg_params-before-accessing-it.patch new file mode 100644 index 00000000000..8263a598f8a --- /dev/null +++ b/queue-3.10/memcg-check-that-kmem_cache-has-memcg_params-before-accessing-it.patch @@ -0,0 +1,76 @@ +From 6f6b8951897e487ea6f77b90ea01f70a9c363770 Mon Sep 17 00:00:00 2001 +From: Andrey Vagin +Date: Wed, 28 Aug 2013 16:35:20 -0700 +Subject: memcg: check that kmem_cache has memcg_params before accessing it + +From: Andrey Vagin + +commit 6f6b8951897e487ea6f77b90ea01f70a9c363770 upstream. + +If the system had a few memory groups and all of them were destroyed, +memcg_limited_groups_array_size has non-zero value, but all new caches +are created without memcg_params, because memcg_kmem_enabled() returns +false. + +We try to enumirate child caches in a few places and all of them are +potentially dangerous. + +For example my kernel is compiled with CONFIG_SLAB and it crashed when I +tryed to mount a NFS share after a few experiments with kmemcg. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + IP: [] do_tune_cpucache+0x8a/0xd0 + PGD b942a067 PUD b999f067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: fscache(+) ip6table_filter ip6_tables iptable_filter ip_tables i2c_piix4 pcspkr virtio_net virtio_balloon i2c_core floppy + CPU: 0 PID: 357 Comm: modprobe Not tainted 3.11.0-rc7+ #59 + Hardware name: Bochs Bochs, BIOS Bochs 01/01/2011 + task: ffff8800b9f98240 ti: ffff8800ba32e000 task.ti: ffff8800ba32e000 + RIP: 0010:[] [] do_tune_cpucache+0x8a/0xd0 + RSP: 0018:ffff8800ba32fb70 EFLAGS: 00010246 + RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000006 + RDX: 0000000000000000 RSI: ffff8800b9f98910 RDI: 0000000000000246 + RBP: ffff8800ba32fba0 R08: 0000000000000002 R09: 0000000000000004 + R10: 0000000000000001 R11: 0000000000000001 R12: 0000000000000010 + R13: 0000000000000008 R14: 00000000000000d0 R15: ffff8800375d0200 + FS: 00007f55f1378740(0000) GS:ffff8800bfa00000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b + CR2: 00007f24feba57a0 CR3: 0000000037b51000 CR4: 00000000000006f0 + Call Trace: + enable_cpucache+0x49/0x100 + setup_cpu_cache+0x215/0x280 + __kmem_cache_create+0x2fa/0x450 + kmem_cache_create_memcg+0x214/0x350 + kmem_cache_create+0x2b/0x30 + fscache_init+0x19b/0x230 [fscache] + do_one_initcall+0xfa/0x1b0 + load_module+0x1c41/0x26d0 + SyS_finit_module+0x86/0xb0 + system_call_fastpath+0x16/0x1b + +Signed-off-by: Andrey Vagin +Cc: Pekka Enberg +Cc: Christoph Lameter +Cc: Glauber Costa +Cc: Joonsoo Kim +Cc: Michal Hocko +Cc: Johannes Weiner +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.h | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/mm/slab.h ++++ b/mm/slab.h +@@ -162,6 +162,8 @@ static inline const char *cache_name(str + + static inline struct kmem_cache *cache_from_memcg(struct kmem_cache *s, int idx) + { ++ if (!s->memcg_params) ++ return NULL; + return s->memcg_params->memcg_caches[idx]; + } + diff --git a/queue-3.10/series b/queue-3.10/series index e8841c860f7..c342386c9c7 100644 --- a/queue-3.10/series +++ b/queue-3.10/series @@ -11,3 +11,14 @@ regmap-add-another-missing-header-for-config_regmap-stubs.patch timer_list-correct-the-iterator-for-timer_list.patch ipc-bugfix-for-msgrcv-with-msgtyp-0.patch drivers-base-memory.c-fix-show_mem_removable-to-handle-missing-sections.patch +memcg-check-that-kmem_cache-has-memcg_params-before-accessing-it.patch +workqueue-cond_resched-after-processing-each-work-item.patch +drm-vmwgfx-split-gmr2_remap-commands-if-they-are-to-large.patch +drm-i915-ivb-fix-edp-voltage-swing-reg-val.patch +sunrpc-fix-memory-corruption-issue-on-32-bit-highmem-systems.patch +x86-mm-fix-boot-crash-with-debug_page_alloc-y-and-more-than-512g-ram.patch +ath9k_htc-restore-skb-headroom-when-returning-skb-to-mac80211.patch +ath9k-enable-pll-fix-only-for-ar9340-ar9330.patch +mac80211-add-missing-channel-context-release.patch +mac80211-add-a-flag-to-indicate-cck-support-for-ht-clients.patch +iwl4965-fix-rfkill-set-state-regression.patch diff --git a/queue-3.10/sunrpc-fix-memory-corruption-issue-on-32-bit-highmem-systems.patch b/queue-3.10/sunrpc-fix-memory-corruption-issue-on-32-bit-highmem-systems.patch new file mode 100644 index 00000000000..b467216654e --- /dev/null +++ b/queue-3.10/sunrpc-fix-memory-corruption-issue-on-32-bit-highmem-systems.patch @@ -0,0 +1,50 @@ +From 347e2233b7667e336d9f671f1a52dfa3f0416e2c Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Wed, 28 Aug 2013 13:35:13 -0400 +Subject: SUNRPC: Fix memory corruption issue on 32-bit highmem systems + +From: Trond Myklebust + +commit 347e2233b7667e336d9f671f1a52dfa3f0416e2c upstream. + +Some architectures, such as ARM-32 do not return the same base address +when you call kmap_atomic() twice on the same page. +This causes problems for the memmove() call in the XDR helper routine +"_shift_data_right_pages()", since it defeats the detection of +overlapping memory ranges, and has been seen to corrupt memory. + +The fix is to distinguish between the case where we're doing an +inter-page copy or not. In the former case of we know that the memory +ranges cannot possibly overlap, so we can additionally micro-optimise +by replacing memmove() with memcpy(). + +Reported-by: Mark Young +Reported-by: Matt Craighead +Cc: Bruce Fields +Signed-off-by: Trond Myklebust +Tested-by: Matt Craighead +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/xdr.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/xdr.c ++++ b/net/sunrpc/xdr.c +@@ -207,10 +207,13 @@ _shift_data_right_pages(struct page **pa + pgfrom_base -= copy; + + vto = kmap_atomic(*pgto); +- vfrom = kmap_atomic(*pgfrom); +- memmove(vto + pgto_base, vfrom + pgfrom_base, copy); ++ if (*pgto != *pgfrom) { ++ vfrom = kmap_atomic(*pgfrom); ++ memcpy(vto + pgto_base, vfrom + pgfrom_base, copy); ++ kunmap_atomic(vfrom); ++ } else ++ memmove(vto + pgto_base, vto + pgfrom_base, copy); + flush_dcache_page(*pgto); +- kunmap_atomic(vfrom); + kunmap_atomic(vto); + + } while ((len -= copy) != 0); diff --git a/queue-3.10/workqueue-cond_resched-after-processing-each-work-item.patch b/queue-3.10/workqueue-cond_resched-after-processing-each-work-item.patch new file mode 100644 index 00000000000..a4392383e03 --- /dev/null +++ b/queue-3.10/workqueue-cond_resched-after-processing-each-work-item.patch @@ -0,0 +1,54 @@ +From b22ce2785d97423846206cceec4efee0c4afd980 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Wed, 28 Aug 2013 17:33:37 -0400 +Subject: workqueue: cond_resched() after processing each work item + +From: Tejun Heo + +commit b22ce2785d97423846206cceec4efee0c4afd980 upstream. + +If !PREEMPT, a kworker running work items back to back can hog CPU. +This becomes dangerous when a self-requeueing work item which is +waiting for something to happen races against stop_machine. Such +self-requeueing work item would requeue itself indefinitely hogging +the kworker and CPU it's running on while stop_machine would wait for +that CPU to enter stop_machine while preventing anything else from +happening on all other CPUs. The two would deadlock. + +Jamie Liu reports that this deadlock scenario exists around +scsi_requeue_run_queue() and libata port multiplier support, where one +port may exclude command processing from other ports. With the right +timing, scsi_requeue_run_queue() can end up requeueing itself trying +to execute an IO which is asked to be retried while another device has +an exclusive access, which in turn can't make forward progress due to +stop_machine. + +Fix it by invoking cond_resched() after executing each work item. + +Signed-off-by: Tejun Heo +Reported-by: Jamie Liu +References: http://thread.gmane.org/gmane.linux.kernel/1552567 +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/workqueue.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/workqueue.c ++++ b/kernel/workqueue.c +@@ -2188,6 +2188,15 @@ __acquires(&pool->lock) + dump_stack(); + } + ++ /* ++ * The following prevents a kworker from hogging CPU on !PREEMPT ++ * kernels, where a requeueing work item waiting for something to ++ * happen could deadlock with stop_machine as such work item could ++ * indefinitely requeue itself while all other CPUs are trapped in ++ * stop_machine. ++ */ ++ cond_resched(); ++ + spin_lock_irq(&pool->lock); + + /* clear cpu intensive status */ diff --git a/queue-3.10/x86-mm-fix-boot-crash-with-debug_page_alloc-y-and-more-than-512g-ram.patch b/queue-3.10/x86-mm-fix-boot-crash-with-debug_page_alloc-y-and-more-than-512g-ram.patch new file mode 100644 index 00000000000..5335e3f682c --- /dev/null +++ b/queue-3.10/x86-mm-fix-boot-crash-with-debug_page_alloc-y-and-more-than-512g-ram.patch @@ -0,0 +1,67 @@ +From 527bf129f9a780e11b251cf2467dc30118a57d16 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Mon, 12 Aug 2013 16:43:24 -0700 +Subject: x86/mm: Fix boot crash with DEBUG_PAGE_ALLOC=y and more than 512G RAM + +From: Yinghai Lu + +commit 527bf129f9a780e11b251cf2467dc30118a57d16 upstream. + +Dave Hansen reported that systems between 500G and 600G RAM +crash early if DEBUG_PAGEALLOC is selected. + + > [ 0.000000] init_memory_mapping: [mem 0x00000000-0x000fffff] + > [ 0.000000] [mem 0x00000000-0x000fffff] page 4k + > [ 0.000000] BRK [0x02086000, 0x02086fff] PGTABLE + > [ 0.000000] BRK [0x02087000, 0x02087fff] PGTABLE + > [ 0.000000] BRK [0x02088000, 0x02088fff] PGTABLE + > [ 0.000000] init_memory_mapping: [mem 0xe80ee00000-0xe80effffff] + > [ 0.000000] [mem 0xe80ee00000-0xe80effffff] page 4k + > [ 0.000000] BRK [0x02089000, 0x02089fff] PGTABLE + > [ 0.000000] BRK [0x0208a000, 0x0208afff] PGTABLE + > [ 0.000000] Kernel panic - not syncing: alloc_low_page: ran out of memory + +It turns out that we missed increasing needed pages in BRK to +mapping initial 2M and [0,1M) when we switched to use the #PF +handler to set memory mappings: + + > commit 8170e6bed465b4b0c7687f93e9948aca4358a33b + > Author: H. Peter Anvin + > Date: Thu Jan 24 12:19:52 2013 -0800 + > + > x86, 64bit: Use a #PF handler to materialize early mappings on demand + +Before that, we had the maping from [0,512M) in head_64.S, and we +can spare two pages [0-1M). After that change, we can not reuse +pages anymore. + +When we have more than 512M ram, we need an extra page for pgd page +with [512G, 1024g). + +Increase pages in BRK for page table to solve the boot crash. + +Reported-by: Dave Hansen +Bisected-by: Dave Hansen +Tested-by: Dave Hansen +Signed-off-by: Yinghai Lu +Link: http://lkml.kernel.org/r/1376351004-4015-1-git-send-email-yinghai@kernel.org +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/init.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/init.c ++++ b/arch/x86/mm/init.c +@@ -78,8 +78,8 @@ __ref void *alloc_low_pages(unsigned int + return __va(pfn << PAGE_SHIFT); + } + +-/* need 4 4k for initial PMD_SIZE, 4k for 0-ISA_END_ADDRESS */ +-#define INIT_PGT_BUF_SIZE (5 * PAGE_SIZE) ++/* need 3 4k for initial PMD_SIZE, 3 4k for 0-ISA_END_ADDRESS */ ++#define INIT_PGT_BUF_SIZE (6 * PAGE_SIZE) + RESERVE_BRK(early_pgt_alloc, INIT_PGT_BUF_SIZE); + void __init early_alloc_pgt_buf(void) + {