From: Greg Kroah-Hartman Date: Thu, 5 Nov 2009 23:25:30 +0000 (-0800) Subject: more .31 patches X-Git-Tag: v2.6.31.6~9 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=73adf4b58808d20a9770a5d52d539beb8aa20328;p=thirdparty%2Fkernel%2Fstable-queue.git more .31 patches --- diff --git a/queue-2.6.31/acpi-pci-fix-null-pointer-dereference-in-acpi_get_pci_dev-rev.-2.patch b/queue-2.6.31/acpi-pci-fix-null-pointer-dereference-in-acpi_get_pci_dev-rev.-2.patch new file mode 100644 index 00000000000..ac4d77046cb --- /dev/null +++ b/queue-2.6.31/acpi-pci-fix-null-pointer-dereference-in-acpi_get_pci_dev-rev.-2.patch @@ -0,0 +1,59 @@ +From 497fb54f578efd2b479727bc88d5ef942c0a1e2d Mon Sep 17 00:00:00 2001 +From: Rafael J. Wysocki +Date: Tue, 13 Oct 2009 01:01:57 +0200 +Subject: ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2) + +From: Rafael J. Wysocki + +commit 497fb54f578efd2b479727bc88d5ef942c0a1e2d upstream. + +acpi_get_pci_dev() may be called for a non-PCI device, in which case +it should return NULL. However, it assumes that every handle it +finds in the ACPI CA name space, between given device handle and the +PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an +existing secondary bus. For this reason, when it finds a struct +pci_dev object corresponding to one of them, it doesn't check if +its 'subordinate' field is a valid pointer. This obviously leads to +a NULL pointer dereference if acpi_get_pci_dev() is called for a +non-PCI device with a PCI parent which is not a bridge. + +To fix this issue make acpi_get_pci_dev() check if pdev->subordinate +is not NULL for every device it finds on the path between the root +bridge and the device it's supposed to get to and return NULL if the +"target" device cannot be found. + +http://bugzilla.kernel.org/show_bug.cgi?id=14129 +(worked in 2.6.30, regression in 2.6.31) + +Signed-off-by: Rafael J. Wysocki +Reported-by: Danny Feng +Reviewed-by: Alex Chiang +Tested-by: chepioq +Signed-off-by: Len Brown +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/pci_root.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/acpi/pci_root.c ++++ b/drivers/acpi/pci_root.c +@@ -400,6 +400,17 @@ struct pci_dev *acpi_get_pci_dev(acpi_ha + + pbus = pdev->subordinate; + pci_dev_put(pdev); ++ ++ /* ++ * This function may be called for a non-PCI device that has a ++ * PCI parent (eg. a disk under a PCI SATA controller). In that ++ * case pdev->subordinate will be NULL for the parent. ++ */ ++ if (!pbus) { ++ dev_dbg(&pdev->dev, "Not a PCI-to-PCI bridge\n"); ++ pdev = NULL; ++ break; ++ } + } + out: + list_for_each_entry_safe(node, tmp, &device_list, node) diff --git a/queue-2.6.31/agp-intel-add-b43-chipset-support.patch b/queue-2.6.31/agp-intel-add-b43-chipset-support.patch new file mode 100644 index 00000000000..0f53a9000d8 --- /dev/null +++ b/queue-2.6.31/agp-intel-add-b43-chipset-support.patch @@ -0,0 +1,63 @@ +From 38d8a95621b20ed7868e232a35a26ee61bdcae6f Mon Sep 17 00:00:00 2001 +From: Fabian Henze +Date: Tue, 8 Sep 2009 00:59:58 +0800 +Subject: agp/intel: Add B43 chipset support + +From: Fabian Henze + +commit 38d8a95621b20ed7868e232a35a26ee61bdcae6f upstream. + +Signed-off-by: Fabian Henze +[Fix reversed HB & IG ids for B43] +Signed-off-by: Zhenyu Wang +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/agp/intel-agp.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/char/agp/intel-agp.c ++++ b/drivers/char/agp/intel-agp.c +@@ -36,6 +36,8 @@ + #define PCI_DEVICE_ID_INTEL_Q35_IG 0x29B2 + #define PCI_DEVICE_ID_INTEL_Q33_HB 0x29D0 + #define PCI_DEVICE_ID_INTEL_Q33_IG 0x29D2 ++#define PCI_DEVICE_ID_INTEL_B43_HB 0x2E40 ++#define PCI_DEVICE_ID_INTEL_B43_IG 0x2E42 + #define PCI_DEVICE_ID_INTEL_GM45_HB 0x2A40 + #define PCI_DEVICE_ID_INTEL_GM45_IG 0x2A42 + #define PCI_DEVICE_ID_INTEL_IGD_E_HB 0x2E00 +@@ -81,6 +83,7 @@ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G45_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_GM45_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_G41_HB || \ ++ agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_B43_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_D_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_M_HB || \ + agp_bridge->dev->device == PCI_DEVICE_ID_INTEL_IGDNG_MA_HB) +@@ -1232,6 +1235,7 @@ static void intel_i965_get_gtt_range(int + case PCI_DEVICE_ID_INTEL_Q45_HB: + case PCI_DEVICE_ID_INTEL_G45_HB: + case PCI_DEVICE_ID_INTEL_G41_HB: ++ case PCI_DEVICE_ID_INTEL_B43_HB: + case PCI_DEVICE_ID_INTEL_IGDNG_D_HB: + case PCI_DEVICE_ID_INTEL_IGDNG_M_HB: + case PCI_DEVICE_ID_INTEL_IGDNG_MA_HB: +@@ -2208,6 +2212,8 @@ static const struct intel_driver_descrip + "Q45/Q43", NULL, &intel_i965_driver }, + { PCI_DEVICE_ID_INTEL_G45_HB, PCI_DEVICE_ID_INTEL_G45_IG, 0, + "G45/G43", NULL, &intel_i965_driver }, ++ { PCI_DEVICE_ID_INTEL_B43_HB, PCI_DEVICE_ID_INTEL_B43_IG, 0, ++ "B43", NULL, &intel_i965_driver }, + { PCI_DEVICE_ID_INTEL_G41_HB, PCI_DEVICE_ID_INTEL_G41_IG, 0, + "G41", NULL, &intel_i965_driver }, + { PCI_DEVICE_ID_INTEL_IGDNG_D_HB, PCI_DEVICE_ID_INTEL_IGDNG_D_IG, 0, +@@ -2408,6 +2414,7 @@ static struct pci_device_id agp_intel_pc + ID(PCI_DEVICE_ID_INTEL_Q45_HB), + ID(PCI_DEVICE_ID_INTEL_G45_HB), + ID(PCI_DEVICE_ID_INTEL_G41_HB), ++ ID(PCI_DEVICE_ID_INTEL_B43_HB), + ID(PCI_DEVICE_ID_INTEL_IGDNG_D_HB), + ID(PCI_DEVICE_ID_INTEL_IGDNG_M_HB), + ID(PCI_DEVICE_ID_INTEL_IGDNG_MA_HB), diff --git a/queue-2.6.31/alpha-fix-build-after-vmlinux.lds.s-cleanup.patch b/queue-2.6.31/alpha-fix-build-after-vmlinux.lds.s-cleanup.patch new file mode 100644 index 00000000000..34133f0b780 --- /dev/null +++ b/queue-2.6.31/alpha-fix-build-after-vmlinux.lds.s-cleanup.patch @@ -0,0 +1,29 @@ +From de078ef55c74d02ee93d44513da5ee88a089d71d Mon Sep 17 00:00:00 2001 +From: Sam Ravnborg +Date: Fri, 25 Sep 2009 19:53:43 +0200 +Subject: alpha: fix build after vmlinux.lds.S cleanup + +From: Sam Ravnborg + +commit de078ef55c74d02ee93d44513da5ee88a089d71d upstream. + +Add include to get missing THREAD_SIZE definition + +Signed-off-by: Sam Ravnborg +Cc: Tim Abbott +Cc: Ivan Kokshaysky +Cc: Richard Henderson +Signed-off-by: Greg Kroah-Hartman + +--- + arch/alpha/kernel/vmlinux.lds.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/alpha/kernel/vmlinux.lds.S ++++ b/arch/alpha/kernel/vmlinux.lds.S +@@ -1,4 +1,5 @@ + #include ++#include + #include + + OUTPUT_FORMAT("elf64-alpha") diff --git a/queue-2.6.31/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch b/queue-2.6.31/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch new file mode 100644 index 00000000000..844ef542c1e --- /dev/null +++ b/queue-2.6.31/b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch @@ -0,0 +1,39 @@ +From d50bae33d1358b909ade05ae121d83d3a60ab63f Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Fri, 16 Oct 2009 10:18:09 -0500 +Subject: b43: Fix Bugzilla #14181 and the bug from the previous 'fix' + +From: Larry Finger + +commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream. + +"b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported +in Bugzilla No. 14181; however, it introduced a new bug. Whenever the +radio switch was turned off, it was necessary to unload and reload +the driver for it to recognize the switch again. + +This patch fixes both the original bug in #14181 and the bug introduced by +the previous patch. It must be stated, however, that if there is a BCM4306/3 +with an rfkill switch (not yet proven), then the driver will need an +unload/reload cycle to turn the device back on. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/b43/rfkill.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/b43/rfkill.c ++++ b/drivers/net/wireless/b43/rfkill.c +@@ -33,7 +33,8 @@ bool b43_is_hw_radio_enabled(struct b43_ + & B43_MMIO_RADIO_HWENABLED_HI_MASK)) + return 1; + } else { +- if (b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO) ++ if (b43_status(dev) >= B43_STAT_STARTED && ++ b43_read16(dev, B43_MMIO_RADIO_HWENABLED_LO) + & B43_MMIO_RADIO_HWENABLED_LO_MASK) + return 1; + } diff --git a/queue-2.6.31/cifs-fixing-to-avoid-invalid-kfree-in-cifs_get_tcp_session.patch b/queue-2.6.31/cifs-fixing-to-avoid-invalid-kfree-in-cifs_get_tcp_session.patch new file mode 100644 index 00000000000..8f1e71c2e94 --- /dev/null +++ b/queue-2.6.31/cifs-fixing-to-avoid-invalid-kfree-in-cifs_get_tcp_session.patch @@ -0,0 +1,106 @@ +From 8347a5cdd1422eea0470ed586274c7f29e274b47 Mon Sep 17 00:00:00 2001 +From: Steve French +Date: Tue, 6 Oct 2009 18:31:29 +0000 +Subject: CIFS: Fixing to avoid invalid kfree() in cifs_get_tcp_session() + +From: Steve French + +commit 8347a5cdd1422eea0470ed586274c7f29e274b47 upstream. + +trivial bug in fs/cifs/connect.c . +The bug is caused by fail of extract_hostname() +when mounting cifs file system. + +This is the situation when I noticed this bug. + +% sudo mount -t cifs //192.168.10.208 mountpoint -o options... + +Then my kernel says, + +[ 1461.807776] ------------[ cut here ]------------ +[ 1461.807781] kernel BUG at mm/slab.c:521! +[ 1461.807784] invalid opcode: 0000 [#2] PREEMPT SMP +[ 1461.807790] last sysfs file: +/sys/devices/pci0000:00/0000:00:1e.0/0000:09:02.0/resource +[ 1461.807793] CPU 0 +[ 1461.807796] Modules linked in: nls_iso8859_1 usbhid sbp2 uhci_hcd +ehci_hcd i2c_i801 ohci1394 ieee1394 psmouse serio_raw pcspkr sky2 usbcore +evdev +[ 1461.807816] Pid: 3446, comm: mount Tainted: G D 2.6.32-rc2-vanilla +[ 1461.807820] RIP: 0010:[] [] +kfree+0x63/0x156 +[ 1461.807829] RSP: 0018:ffff8800b4f7fbb8 EFLAGS: 00010046 +[ 1461.807832] RAX: ffffea00033fff98 RBX: ffff8800afbae7e2 RCX: +0000000000000000 +[ 1461.807836] RDX: ffffea0000000000 RSI: 000000000000005c RDI: +ffffffffffffffea +[ 1461.807839] RBP: ffff8800b4f7fbf8 R08: 0000000000000001 R09: +0000000000000000 +[ 1461.807842] R10: 0000000000000000 R11: ffff8800b4f7fbf8 R12: +00000000ffffffea +[ 1461.807845] R13: ffff8800afb23000 R14: ffff8800b4f87bc0 R15: +ffffffffffffffea +[ 1461.807849] FS: 00007f52b6f187c0(0000) GS:ffff880007600000(0000) +knlGS:0000000000000000 +[ 1461.807852] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +[ 1461.807855] CR2: 0000000000613000 CR3: 00000000af8f9000 CR4: +00000000000006f0 +[ 1461.807858] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 1461.807861] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: +0000000000000400 +[ 1461.807865] Process mount (pid: 3446, threadinfo ffff8800b4f7e000, task +ffff8800950e4380) +[ 1461.807867] Stack: +[ 1461.807869] 0000000000000202 0000000000000282 ffff8800b4f7fbf8 +ffff8800afbae7e2 +[ 1461.807876] <0> 00000000ffffffea ffff8800afb23000 ffff8800b4f87bc0 +ffff8800b4f7fc28 +[ 1461.807884] <0> ffff8800b4f7fcd8 ffffffff81159f6d ffffffff81147bc2 +ffffffff816bfb48 +[ 1461.807892] Call Trace: +[ 1461.807899] [] cifs_get_tcp_session+0x440/0x44b +[ 1461.807904] [] ? find_nls+0x1c/0xe9 +[ 1461.807909] [] cifs_mount+0x16bc/0x2167 +[ 1461.807917] [] ? _spin_unlock+0x30/0x4b +[ 1461.807923] [] cifs_get_sb+0xa5/0x1a8 +[ 1461.807928] [] vfs_kern_mount+0x56/0xc9 +[ 1461.807933] [] do_kern_mount+0x47/0xe7 +[ 1461.807938] [] do_mount+0x712/0x775 +[ 1461.807943] [] ? copy_mount_options+0xcf/0x132 +[ 1461.807948] [] sys_mount+0x7f/0xbf +[ 1461.807953] [] ? lockdep_sys_exit_thunk+0x35/0x67 +[ 1461.807960] [] system_call_fastpath+0x16/0x1b +[ 1461.807963] Code: 00 00 00 00 ea ff ff 48 c1 e8 0c 48 6b c0 68 48 01 d0 +66 83 38 00 79 04 48 8b 40 10 66 83 38 00 79 04 48 8b 40 10 80 38 00 78 04 +<0f> 0b eb fe 4c 8b 70 58 4c 89 ff 41 8b 76 4c e8 b8 49 fb ff e8 +[ 1461.808022] RIP [] kfree+0x63/0x156 +[ 1461.808027] RSP +[ 1461.808031] ---[ end trace ffe26fcdc72c0ce4 ]--- + +The reason of this bug is that the error handling code of +cifs_get_tcp_session() +calls kfree() when corresponding kmalloc() failed. +(The kmalloc() is called by extract_hostname().) + +Signed-off-by: Hitoshi Mitake +Reviewed-by: Jeff Layton +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1556,7 +1556,8 @@ cifs_get_tcp_session(struct smb_vol *vol + + out_err: + if (tcp_ses) { +- kfree(tcp_ses->hostname); ++ if (!IS_ERR(tcp_ses->hostname)) ++ kfree(tcp_ses->hostname); + if (tcp_ses->ssocket) + sock_release(tcp_ses->ssocket); + kfree(tcp_ses); diff --git a/queue-2.6.31/cpuidle-always-return-with-interrupts-enabled.patch b/queue-2.6.31/cpuidle-always-return-with-interrupts-enabled.patch new file mode 100644 index 00000000000..0e832678b16 --- /dev/null +++ b/queue-2.6.31/cpuidle-always-return-with-interrupts-enabled.patch @@ -0,0 +1,56 @@ +From 246eb7f0ed1a8aeddec5313137767658f378949b Mon Sep 17 00:00:00 2001 +From: Kevin Hilman +Date: Mon, 26 Oct 2009 16:50:18 -0700 +Subject: cpuidle: always return with interrupts enabled + +From: Kevin Hilman + +commit 246eb7f0ed1a8aeddec5313137767658f378949b upstream. + +In the case where cpuidle_idle_call() returns before changing state due to +a need_resched(), it was returning with IRQs disabled. + +The idle path assumes that the platform specific idle code returns with +interrupts enabled (although this too is undocumented AFAICT) and on ARM +we have a WARN_ON(!(irqs_disabled()) when returning from the idle loop, so +the user-visible effects were only a warning since interrupts were +eventually re-enabled later. + +On x86, this same problem exists, but there is no WARN_ON() to detect it. +As on ARM, the interrupts are eventually re-enabled, so I'm not sure of +any actual bugs triggered by this. It's primarily a +correctness/consistency fix. + +This patch ensures IRQs are (re)enabled before returning. + +Reported-by: Hemanth V +Signed-off-by: Kevin Hilman +Cc: Arjan van de Ven +Cc: Len Brown +Cc: Venkatesh Pallipadi +Cc: Ingo Molnar +Cc: "Rafael J. Wysocki" +Tested-by: Martin Michlmayr +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/cpuidle/cpuidle.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/cpuidle/cpuidle.c ++++ b/drivers/cpuidle/cpuidle.c +@@ -75,8 +75,11 @@ static void cpuidle_idle_call(void) + #endif + /* ask the governor for the next state */ + next_state = cpuidle_curr_governor->select(dev); +- if (need_resched()) ++ if (need_resched()) { ++ local_irq_enable(); + return; ++ } ++ + target_state = &dev->states[next_state]; + + /* enter the state and update stats */ diff --git a/queue-2.6.31/drm-i915-add-b43-chipset-support.patch b/queue-2.6.31/drm-i915-add-b43-chipset-support.patch new file mode 100644 index 00000000000..be1c7d6b72d --- /dev/null +++ b/queue-2.6.31/drm-i915-add-b43-chipset-support.patch @@ -0,0 +1,47 @@ +From 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 Mon Sep 17 00:00:00 2001 +From: Fabian Henze +Date: Tue, 8 Sep 2009 00:59:59 +0800 +Subject: drm/i915: add B43 chipset support + +From: Fabian Henze + +commit 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 upstream. + +Signed-off-by: Fabian Henze +Signed-off-by: Zhenyu Wang +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.h | 2 ++ + include/drm/drm_pciids.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_drv.h ++++ b/drivers/gpu/drm/i915/i915_drv.h +@@ -854,6 +854,7 @@ extern int i915_wait_ring(struct drm_dev + (dev)->pci_device == 0x2E12 || \ + (dev)->pci_device == 0x2E22 || \ + (dev)->pci_device == 0x2E32 || \ ++ (dev)->pci_device == 0x2E42 || \ + (dev)->pci_device == 0x0042 || \ + (dev)->pci_device == 0x0046) + +@@ -866,6 +867,7 @@ extern int i915_wait_ring(struct drm_dev + (dev)->pci_device == 0x2E12 || \ + (dev)->pci_device == 0x2E22 || \ + (dev)->pci_device == 0x2E32 || \ ++ (dev)->pci_device == 0x2E42 || \ + IS_GM45(dev)) + + #define IS_IGDG(dev) ((dev)->pci_device == 0xa001) +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -552,6 +552,7 @@ + {0x8086, 0x2e12, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ + {0x8086, 0x2e22, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ + {0x8086, 0x2e32, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ ++ {0x8086, 0x2e42, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ + {0x8086, 0xa001, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ + {0x8086, 0xa011, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ + {0x8086, 0x35e8, PCI_ANY_ID, PCI_ANY_ID, PCI_CLASS_DISPLAY_VGA << 8, 0xffff00, 0}, \ diff --git a/queue-2.6.31/drm-i915-fix-fdi-m-n-setting-according-with-correct-color-depth.patch b/queue-2.6.31/drm-i915-fix-fdi-m-n-setting-according-with-correct-color-depth.patch new file mode 100644 index 00000000000..f1041f8b65c --- /dev/null +++ b/queue-2.6.31/drm-i915-fix-fdi-m-n-setting-according-with-correct-color-depth.patch @@ -0,0 +1,101 @@ +From 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d Mon Sep 17 00:00:00 2001 +From: Zhenyu Wang +Date: Fri, 25 Sep 2009 08:01:28 +0000 +Subject: drm/i915: Fix FDI M/N setting according with correct color depth + +From: Zhenyu Wang + +commit 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d upstream. + +FDI M/N calculation hasn't taken the current pipe color depth into account, +but always set as 24bpp. This one checks current pipe color depth setting, +and change FDI M/N calculation a little to use bits_per_pixel first, then +convert to bytes_per_pixel later. + +This fixes display corrupt issue on Arrandle LVDS with 1600x900 panel +in 18bpp dual-channel mode. + +Signed-off-by: Zhenyu Wang +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 5 +++++ + drivers/gpu/drm/i915/intel_display.c | 31 +++++++++++++++++++++++++++---- + 2 files changed, 32 insertions(+), 4 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -1616,6 +1616,11 @@ + #define PIPE_START_VBLANK_INTERRUPT_STATUS (1UL<<2) /* 965 or later */ + #define PIPE_VBLANK_INTERRUPT_STATUS (1UL<<1) + #define PIPE_OVERLAY_UPDATED_STATUS (1UL<<0) ++#define PIPE_BPC_MASK (7 << 5) /* Ironlake */ ++#define PIPE_8BPC (0 << 5) ++#define PIPE_10BPC (1 << 5) ++#define PIPE_6BPC (2 << 5) ++#define PIPE_12BPC (3 << 5) + + #define DSPARB 0x70030 + #define DSPARB_CSTART_MASK (0x7f << 7) +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -1764,7 +1764,7 @@ fdi_reduce_ratio(u32 *num, u32 *den) + #define LINK_N 0x80000 + + static void +-igdng_compute_m_n(int bytes_per_pixel, int nlanes, ++igdng_compute_m_n(int bits_per_pixel, int nlanes, + int pixel_clock, int link_clock, + struct fdi_m_n *m_n) + { +@@ -1774,7 +1774,8 @@ igdng_compute_m_n(int bytes_per_pixel, i + + temp = (u64) DATA_N * pixel_clock; + temp = div_u64(temp, link_clock); +- m_n->gmch_m = div_u64(temp * bytes_per_pixel, nlanes); ++ m_n->gmch_m = div_u64(temp * bits_per_pixel, nlanes); ++ m_n->gmch_m >>= 3; /* convert to bytes_per_pixel */ + m_n->gmch_n = DATA_N; + fdi_reduce_ratio(&m_n->gmch_m, &m_n->gmch_n); + +@@ -2396,7 +2397,7 @@ static int intel_crtc_mode_set(struct dr + + /* FDI link */ + if (IS_IGDNG(dev)) { +- int lane, link_bw; ++ int lane, link_bw, bpp; + /* eDP doesn't require FDI link, so just set DP M/N + according to current link config */ + if (is_edp) { +@@ -2415,7 +2416,29 @@ static int intel_crtc_mode_set(struct dr + lane = 4; + link_bw = 270000; + } +- igdng_compute_m_n(3, lane, target_clock, ++ ++ /* determine panel color depth */ ++ temp = I915_READ(pipeconf_reg); ++ ++ switch (temp & PIPE_BPC_MASK) { ++ case PIPE_8BPC: ++ bpp = 24; ++ break; ++ case PIPE_10BPC: ++ bpp = 30; ++ break; ++ case PIPE_6BPC: ++ bpp = 18; ++ break; ++ case PIPE_12BPC: ++ bpp = 36; ++ break; ++ default: ++ DRM_ERROR("unknown pipe bpc value\n"); ++ bpp = 24; ++ } ++ ++ igdng_compute_m_n(bpp, lane, target_clock, + link_bw, &m_n); + } + diff --git a/queue-2.6.31/drm-i915-fix-panel-fitting-filter-coefficient-select-for-ironlake.patch b/queue-2.6.31/drm-i915-fix-panel-fitting-filter-coefficient-select-for-ironlake.patch new file mode 100644 index 00000000000..bc6f6a145f8 --- /dev/null +++ b/queue-2.6.31/drm-i915-fix-panel-fitting-filter-coefficient-select-for-ironlake.patch @@ -0,0 +1,48 @@ +From b1f60b7029989da71fd8ea1b1176480fac9e846c Mon Sep 17 00:00:00 2001 +From: Zhenyu Wang +Date: Mon, 19 Oct 2009 15:43:49 +0800 +Subject: drm/i915: fix panel fitting filter coefficient select for Ironlake + +From: Zhenyu Wang + +commit b1f60b7029989da71fd8ea1b1176480fac9e846c upstream. + +Must set filter selection as hardcoded coefficients for medium 3x3 +filtering, which matches vbios setting for Ironlake. + +This fixes display corrupt issue on HP arrandale with new vbios. + +Signed-off-by: Zhenyu Wang +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 5 +++++ + drivers/gpu/drm/i915/intel_display.c | 2 +- + 2 files changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -1871,6 +1871,11 @@ + #define PFA_CTL_1 0x68080 + #define PFB_CTL_1 0x68880 + #define PF_ENABLE (1<<31) ++#define PF_FILTER_MASK (3<<23) ++#define PF_FILTER_PROGRAMMED (0<<23) ++#define PF_FILTER_MED_3x3 (1<<23) ++#define PF_FILTER_EDGE_ENHANCE (2<<23) ++#define PF_FILTER_EDGE_SOFTEN (3<<23) + #define PFA_WIN_SZ 0x68074 + #define PFB_WIN_SZ 0x68874 + #define PFA_WIN_POS 0x68070 +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -1213,7 +1213,7 @@ static void igdng_crtc_dpms(struct drm_c + /* Enable panel fitting for LVDS */ + if (intel_pipe_has_type(crtc, INTEL_OUTPUT_LVDS)) { + temp = I915_READ(pf_ctl_reg); +- I915_WRITE(pf_ctl_reg, temp | PF_ENABLE); ++ I915_WRITE(pf_ctl_reg, temp | PF_ENABLE | PF_FILTER_MED_3x3); + + /* currently full aspect */ + I915_WRITE(pf_win_pos, 0); diff --git a/queue-2.6.31/drm-i915-fix-to-setup-display-reference-clock-control-on-ironlake.patch b/queue-2.6.31/drm-i915-fix-to-setup-display-reference-clock-control-on-ironlake.patch new file mode 100644 index 00000000000..4565a8dfd47 --- /dev/null +++ b/queue-2.6.31/drm-i915-fix-to-setup-display-reference-clock-control-on-ironlake.patch @@ -0,0 +1,91 @@ +From c038e51e841581cc3fb9a76e5e16331331e9c85c Mon Sep 17 00:00:00 2001 +From: Zhenyu Wang +Date: Mon, 19 Oct 2009 15:43:48 +0800 +Subject: drm/i915: fix to setup display reference clock control on Ironlake + +From: Zhenyu Wang + +commit c038e51e841581cc3fb9a76e5e16331331e9c85c upstream. + +For new stepping of PCH, the display reference clock +is fully under driver's control. This one trys to setup +all needed reference clock for different outputs. Older +stepping of PCH chipset should be ignoring this. + +This fixes output failure issue on newer PCH which requires +driver to take control of reference clock enabling. + +Signed-off-by: Zhenyu Wang +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 4 +-- + drivers/gpu/drm/i915/intel_display.c | 40 +++++++++++++++++++++++++++++++++++ + 2 files changed, 42 insertions(+), 2 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -1990,11 +1990,11 @@ + #define DREF_CPU_SOURCE_OUTPUT_MASK (3<<13) + #define DREF_SSC_SOURCE_DISABLE (0<<11) + #define DREF_SSC_SOURCE_ENABLE (2<<11) +-#define DREF_SSC_SOURCE_MASK (2<<11) ++#define DREF_SSC_SOURCE_MASK (3<<11) + #define DREF_NONSPREAD_SOURCE_DISABLE (0<<9) + #define DREF_NONSPREAD_CK505_ENABLE (1<<9) + #define DREF_NONSPREAD_SOURCE_ENABLE (2<<9) +-#define DREF_NONSPREAD_SOURCE_MASK (2<<9) ++#define DREF_NONSPREAD_SOURCE_MASK (3<<9) + #define DREF_SUPERSPREAD_SOURCE_DISABLE (0<<7) + #define DREF_SUPERSPREAD_SOURCE_ENABLE (2<<7) + #define DREF_SSC4_DOWNSPREAD (0<<6) +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -2442,6 +2442,46 @@ static int intel_crtc_mode_set(struct dr + link_bw, &m_n); + } + ++ /* Ironlake: try to setup display ref clock before DPLL ++ * enabling. This is only under driver's control after ++ * PCH B stepping, previous chipset stepping should be ++ * ignoring this setting. ++ */ ++ if (IS_IGDNG(dev)) { ++ temp = I915_READ(PCH_DREF_CONTROL); ++ /* Always enable nonspread source */ ++ temp &= ~DREF_NONSPREAD_SOURCE_MASK; ++ temp |= DREF_NONSPREAD_SOURCE_ENABLE; ++ I915_WRITE(PCH_DREF_CONTROL, temp); ++ POSTING_READ(PCH_DREF_CONTROL); ++ ++ temp &= ~DREF_SSC_SOURCE_MASK; ++ temp |= DREF_SSC_SOURCE_ENABLE; ++ I915_WRITE(PCH_DREF_CONTROL, temp); ++ POSTING_READ(PCH_DREF_CONTROL); ++ ++ udelay(200); ++ ++ if (is_edp) { ++ if (dev_priv->lvds_use_ssc) { ++ temp |= DREF_SSC1_ENABLE; ++ I915_WRITE(PCH_DREF_CONTROL, temp); ++ POSTING_READ(PCH_DREF_CONTROL); ++ ++ udelay(200); ++ ++ temp &= ~DREF_CPU_SOURCE_OUTPUT_MASK; ++ temp |= DREF_CPU_SOURCE_OUTPUT_DOWNSPREAD; ++ I915_WRITE(PCH_DREF_CONTROL, temp); ++ POSTING_READ(PCH_DREF_CONTROL); ++ } else { ++ temp |= DREF_CPU_SOURCE_OUTPUT_NONSPREAD; ++ I915_WRITE(PCH_DREF_CONTROL, temp); ++ POSTING_READ(PCH_DREF_CONTROL); ++ } ++ } ++ } ++ + if (IS_IGD(dev)) + fp = (1 << clock.n) << 16 | clock.m1 << 8 | clock.m2; + else diff --git a/queue-2.6.31/fsnotify-do-not-set-group-for-a-mark-before-it-is-on-the-i_list.patch b/queue-2.6.31/fsnotify-do-not-set-group-for-a-mark-before-it-is-on-the-i_list.patch new file mode 100644 index 00000000000..4fb6582b21c --- /dev/null +++ b/queue-2.6.31/fsnotify-do-not-set-group-for-a-mark-before-it-is-on-the-i_list.patch @@ -0,0 +1,70 @@ +From 9f0d793b52eb2266359661369ef6303838904855 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Fri, 11 Sep 2009 13:03:19 -0400 +Subject: fsnotify: do not set group for a mark before it is on the i_list + +From: Eric Paris + +commit 9f0d793b52eb2266359661369ef6303838904855 upstream. + +fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to +set the group and inode for the mark. fsnotify_destroy_mark_by_entry uses +the fact that ->group != NULL to know if this group should be destroyed or +if it's already been done. + +But fsnotify_add_mark sets the group and inode before it actually adds the +mark to the i_list and g_list. This can result in a race in inotify, it +requires 3 threads. + +sys_inotify_add_watch("file") sys_inotify_add_watch("file") sys_inotify_rm_watch([a]) +inotify_update_watch() +inotify_new_watch() +inotify_add_to_idr() + ^--- returns wd = [a] + inotfiy_update_watch() + inotify_new_watch() + inotify_add_to_idr() + fsnotify_add_mark() + ^--- returns wd = [b] + returns to userspace; + inotify_idr_find([a]) + ^--- gives us the pointer from task 1 +fsnotify_add_mark() + ^--- this is going to set the mark->group and mark->inode fields, but will +return -EEXIST because of the race with [b]. + fsnotify_destroy_mark() + ^--- since ->group != NULL we call back + into inotify_freeing_mark() which calls + inotify_remove_from_idr([a]) + +since fsnotify_add_mark() failed we call: +inotify_remove_from_idr([a]) <------WHOOPS it's not in the idr, this could + have been any entry added later! + +The fix is to make sure we don't set mark->group until we are sure the mark is +on the inode and fsnotify_add_mark will return success. + +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inode_mark.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/fs/notify/inode_mark.c ++++ b/fs/notify/inode_mark.c +@@ -324,11 +324,11 @@ int fsnotify_add_mark(struct fsnotify_ma + spin_lock(&group->mark_lock); + spin_lock(&inode->i_lock); + +- entry->group = group; +- entry->inode = inode; +- + lentry = fsnotify_find_mark_entry(group, inode); + if (!lentry) { ++ entry->group = group; ++ entry->inode = inode; ++ + hlist_add_head(&entry->i_list, &inode->i_fsnotify_mark_entries); + list_add(&entry->g_list, &group->mark_entries); + diff --git a/queue-2.6.31/fuse-fix-kunmap-in-fuse_ioctl_copy_user.patch b/queue-2.6.31/fuse-fix-kunmap-in-fuse_ioctl_copy_user.patch new file mode 100644 index 00000000000..589b35a41b7 --- /dev/null +++ b/queue-2.6.31/fuse-fix-kunmap-in-fuse_ioctl_copy_user.patch @@ -0,0 +1,33 @@ +From 0bd87182d3ab18a32a8e9175d3f68754c58e3432 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 3 Nov 2009 11:40:44 +0100 +Subject: fuse: fix kunmap in fuse_ioctl_copy_user + +From: Jens Axboe + +commit 0bd87182d3ab18a32a8e9175d3f68754c58e3432 upstream. + +Looks like another victim of the confusing kmap() vs kmap_atomic() API +differences. + +Reported-by: Todor Gyumyushev +Signed-off-by: Jens Axboe +Signed-off-by: Miklos Szeredi +Cc: Tejun Heo +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1600,7 +1600,7 @@ static int fuse_ioctl_copy_user(struct p + kaddr += copy; + } + +- kunmap(map); ++ kunmap(page); + } + + return 0; diff --git a/queue-2.6.31/fuse-prevent-fuse_put_request-on-invalid-pointer.patch b/queue-2.6.31/fuse-prevent-fuse_put_request-on-invalid-pointer.patch new file mode 100644 index 00000000000..5251ee4019d --- /dev/null +++ b/queue-2.6.31/fuse-prevent-fuse_put_request-on-invalid-pointer.patch @@ -0,0 +1,33 @@ +From f60311d5f7670d9539b424e4ed8b5c0872fc9e83 Mon Sep 17 00:00:00 2001 +From: Anand V. Avati +Date: Thu, 22 Oct 2009 06:24:52 -0700 +Subject: fuse: prevent fuse_put_request on invalid pointer + +From: Anand V. Avati + +commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 upstream. + +fuse_direct_io() has a loop where requests are allocated in each +iteration. if allocation fails, the loop is broken out and follows +into an unconditional fuse_put_request() on that invalid pointer. + +Signed-off-by: Anand V. Avati +Signed-off-by: Miklos Szeredi +Signed-off-by: Greg Kroah-Hartman + +--- + fs/fuse/file.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/fuse/file.c ++++ b/fs/fuse/file.c +@@ -1063,7 +1063,8 @@ ssize_t fuse_direct_io(struct file *file + break; + } + } +- fuse_put_request(fc, req); ++ if (!IS_ERR(req)) ++ fuse_put_request(fc, req); + if (res > 0) + *ppos = pos; + diff --git a/queue-2.6.31/keys-get_instantiation_keyring-should-inc-the-keyring-refcount-in-all-cases.patch b/queue-2.6.31/keys-get_instantiation_keyring-should-inc-the-keyring-refcount-in-all-cases.patch new file mode 100644 index 00000000000..44310c03567 --- /dev/null +++ b/queue-2.6.31/keys-get_instantiation_keyring-should-inc-the-keyring-refcount-in-all-cases.patch @@ -0,0 +1,73 @@ +From 21279cfa107af07ef985539ac0de2152b9cba5f5 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Thu, 15 Oct 2009 10:14:35 +0100 +Subject: KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases + +From: David Howells + +commit 21279cfa107af07ef985539ac0de2152b9cba5f5 upstream. + +The destination keyring specified to request_key() and co. is made available to +the process that instantiates the key (the slave process started by +/sbin/request-key typically). This is passed in the request_key_auth struct as +the dest_keyring member. + +keyctl_instantiate_key and keyctl_negate_key() call get_instantiation_keyring() +to get the keyring to attach the newly constructed key to at the end of +instantiation. This may be given a specific keyring into which a link will be +made later, or it may be asked to find the keyring passed to request_key(). In +the former case, it returns a keyring with the refcount incremented by +lookup_user_key(); in the latter case, it returns the keyring from the +request_key_auth struct - and does _not_ increment the refcount. + +The latter case will eventually result in an oops when the keyring prematurely +runs out of references and gets destroyed. The effect may take some time to +show up as the key is destroyed lazily. + +To fix this, the keyring returned by get_instantiation_keyring() must always +have its refcount incremented, no matter where it comes from. + +This can be tested by setting /etc/request-key.conf to: + +#OP TYPE DESCRIPTION CALLOUT INFO PROGRAM ARG1 ARG2 ARG3 ... +#====== ======= =============== =============== =============================== +create * test:* * |/bin/false %u %g %d %{user:_display} +negate * * * /bin/keyctl negate %k 10 @u + +and then doing: + + keyctl add user _display aaaaaaaa @u + while keyctl request2 user test:x test:x @u && + keyctl list @u; + do + keyctl request2 user test:x test:x @u; + sleep 31; + keyctl list @u; + done + +which will oops eventually. Changing the negate line to have @u rather than +%S at the end is important as that forces the latter case by passing a special +keyring ID rather than an actual keyring ID. + +Reported-by: Alexander Zangerl +Signed-off-by: David Howells +Tested-by: Alexander Zangerl +Signed-off-by: Linus Torvalds +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + security/keys/keyctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -860,7 +860,7 @@ static long get_instantiation_keyring(ke + /* otherwise specify the destination keyring recorded in the + * authorisation key (any KEY_SPEC_*_KEYRING) */ + if (ringid >= KEY_SPEC_REQUESTOR_KEYRING) { +- *_dest_keyring = rka->dest_keyring; ++ *_dest_keyring = key_get(rka->dest_keyring); + return 0; + } + diff --git a/queue-2.6.31/kvm-get_tss_base_addr-should-return-a-gpa_t.patch b/queue-2.6.31/kvm-get_tss_base_addr-should-return-a-gpa_t.patch new file mode 100644 index 00000000000..d8e8e717dea --- /dev/null +++ b/queue-2.6.31/kvm-get_tss_base_addr-should-return-a-gpa_t.patch @@ -0,0 +1,32 @@ +From abb3911965c1bd8eea305f64d4840a314259d96d Mon Sep 17 00:00:00 2001 +From: Gleb Natapov +Date: Sun, 25 Oct 2009 17:42:02 +0200 +Subject: KVM: get_tss_base_addr() should return a gpa_t + +From: Gleb Natapov + +commit abb3911965c1bd8eea305f64d4840a314259d96d upstream. + +If TSS we are switching to resides in high memory task switch will fail +since address will be truncated. Windows2k3 does this sometimes when +running with more then 4G + +Signed-off-by: Gleb Natapov +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3762,7 +3762,7 @@ static int save_guest_segment_descriptor + return kvm_write_guest(vcpu->kvm, gpa, seg_desc, 8); + } + +-static u32 get_tss_base_addr(struct kvm_vcpu *vcpu, ++static gpa_t get_tss_base_addr(struct kvm_vcpu *vcpu, + struct desc_struct *seg_desc) + { + u32 base_addr; diff --git a/queue-2.6.31/libertas-if_usb-fix-crash-on-64-bit-machines.patch b/queue-2.6.31/libertas-if_usb-fix-crash-on-64-bit-machines.patch new file mode 100644 index 00000000000..4305e04bf6d --- /dev/null +++ b/queue-2.6.31/libertas-if_usb-fix-crash-on-64-bit-machines.patch @@ -0,0 +1,41 @@ +From e9024a059f2c17fb2bfab212ee9d31511d7b8e57 Mon Sep 17 00:00:00 2001 +From: David Woodhouse +Date: Fri, 30 Oct 2009 17:45:14 +0000 +Subject: libertas if_usb: Fix crash on 64-bit machines + +From: David Woodhouse + +commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream. + +On a 64-bit kernel, skb->tail is an offset, not a pointer. The libertas +usb driver passes it to usb_fill_bulk_urb() anyway, causing interesting +crashes. Fix that by using skb->data instead. + +This highlights a problem with usb_fill_bulk_urb(). It doesn't notice +when dma_map_single() fails and return the error to its caller as it +should. In fact it _can't_ currently return the error, since it returns +void. + +So this problem was showing up only at unmap time, after we'd already +suffered memory corruption by doing DMA to a bogus address. + +Signed-off-by: David Woodhouse +Acked-by: David S. Miller +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/libertas/if_usb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/wireless/libertas/if_usb.c ++++ b/drivers/net/wireless/libertas/if_usb.c +@@ -507,7 +507,7 @@ static int __if_usb_submit_rx_urb(struct + /* Fill the receive configuration URB and initialise the Rx call back */ + usb_fill_bulk_urb(cardp->rx_urb, cardp->udev, + usb_rcvbulkpipe(cardp->udev, cardp->ep_in), +- (void *) (skb->tail + (size_t) IPFIELD_ALIGN_OFFSET), ++ skb->data + IPFIELD_ALIGN_OFFSET, + MRVDRV_ETH_RX_PACKET_BUFFER_SIZE, callbackfn, + cardp); + diff --git a/queue-2.6.31/mac80211-check-interface-is-down-before-type-change.patch b/queue-2.6.31/mac80211-check-interface-is-down-before-type-change.patch new file mode 100644 index 00000000000..c7e5f91ab4e --- /dev/null +++ b/queue-2.6.31/mac80211-check-interface-is-down-before-type-change.patch @@ -0,0 +1,60 @@ +From c1f9a764cf47686b1f5a0cf87ada68d90056136a Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Sun, 1 Nov 2009 19:25:40 +0100 +Subject: mac80211: check interface is down before type change + +From: Johannes Berg + +commit c1f9a764cf47686b1f5a0cf87ada68d90056136a upstream. + +For some strange reason the netif_running() check +ended up after the actual type change instead of +before, potentially causing all kinds of problems +if the interface is up while changing the type; +one of the problems manifests itself as a warning: + +WARNING: at net/mac80211/iface.c:651 ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]() +Hardware name: Aspire one +Pid: 2596, comm: wpa_supplicant Tainted: G W 2.6.31-10-generic #32-Ubuntu +Call Trace: + [] warn_slowpath_common+0x6d/0xa0 + [] warn_slowpath_null+0x15/0x20 + [] ieee80211_teardown_sdata+0xda/0x1a0 [mac80211] + [] ieee80211_if_change_type+0x4a/0xc0 [mac80211] + [] ieee80211_change_iface+0x61/0xa0 [mac80211] + [] cfg80211_wext_siwmode+0xc7/0x120 [cfg80211] + [] ioctl_standard_call+0x58/0xf0 + +(http://www.kerneloops.org/searchweek.php?search=ieee80211_teardown_sdata) + +Cc: Arjan van de Ven +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/cfg.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/mac80211/cfg.c ++++ b/net/mac80211/cfg.c +@@ -87,6 +87,9 @@ static int ieee80211_change_iface(struct + if (!dev) + return -ENODEV; + ++ if (netif_running(dev)) ++ return -EBUSY; ++ + if (!nl80211_type_check(type)) + return -EINVAL; + +@@ -96,9 +99,6 @@ static int ieee80211_change_iface(struct + if (ret) + return ret; + +- if (netif_running(sdata->dev)) +- return -EBUSY; +- + if (ieee80211_vif_is_mesh(&sdata->vif) && params->mesh_id_len) + ieee80211_sdata_set_mesh_id(sdata, + params->mesh_id_len, diff --git a/queue-2.6.31/mac80211-fix-for-incorrect-sequence-number-on-hostapd-injected-frames.patch b/queue-2.6.31/mac80211-fix-for-incorrect-sequence-number-on-hostapd-injected-frames.patch new file mode 100644 index 00000000000..d480e273f90 --- /dev/null +++ b/queue-2.6.31/mac80211-fix-for-incorrect-sequence-number-on-hostapd-injected-frames.patch @@ -0,0 +1,41 @@ +From 9b1ce526eb917c8b5c8497c327768130ee683392 Mon Sep 17 00:00:00 2001 +From: Björn Smedman +Date: Sat, 24 Oct 2009 20:55:09 +0200 +Subject: mac80211: fix for incorrect sequence number on hostapd injected frames + +From: Björn Smedman + +commit 9b1ce526eb917c8b5c8497c327768130ee683392 upstream. + +When hostapd injects a frame, e.g. an authentication or association +response, mac80211 looks for a suitable access point virtual interface +to associate the frame with based on its source address. This makes it +possible e.g. to correctly assign sequence numbers to the frames. + +A small typo in the ethernet address comparison statement caused a +failure to find a suitable ap interface. Sequence numbers on such +frames where therefore left unassigned causing some clients +(especially windows-based 11b/g clients) to reject them and fail to +authenticate or associate with the access point. This patch fixes the +typo in the address comparison statement. + +Signed-off-by: Björn Smedman +Reviewed-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/tx.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/tx.c ++++ b/net/mac80211/tx.c +@@ -1478,7 +1478,7 @@ int ieee80211_master_start_xmit(struct s + if (sdata->vif.type != NL80211_IFTYPE_AP) + continue; + if (compare_ether_addr(sdata->dev->dev_addr, +- hdr->addr2)) { ++ hdr->addr2) == 0) { + dev_hold(sdata->dev); + dev_put(odev); + osdata = sdata; diff --git a/queue-2.6.31/mips-fix-build-of-vmlinux.lds.patch b/queue-2.6.31/mips-fix-build-of-vmlinux.lds.patch new file mode 100644 index 00000000000..640b6830a02 --- /dev/null +++ b/queue-2.6.31/mips-fix-build-of-vmlinux.lds.patch @@ -0,0 +1,62 @@ +From d71789b6fa37c21ce5eb588d279f57904a62e7e2 Mon Sep 17 00:00:00 2001 +From: Manuel Lauss +Date: Thu, 24 Sep 2009 21:44:24 +0200 +Subject: mips: fix build of vmlinux.lds + +From: Manuel Lauss + +commit d71789b6fa37c21ce5eb588d279f57904a62e7e2 upstream. + +Commit 51b563fc93c8cb5bff1d67a0a71c374e4a4ea049 ("arm, cris, mips, +sparc, powerpc, um, xtensa: fix build with bash 4.0") removed a few +CPPFLAGS with vital include paths necessary to build vmlinux.lds +on MIPS, and moved the calculation of the 'jiffies' symbol +directly to vmlinux.lds.S but forgot to change make ifdef/... to +cpp macros. + +Signed-off-by: Manuel Lauss +[sam: moved assignment of CPPFLAGS arch/mips/kernel/Makefile] +Signed-off-by: Sam Ravnborg +Acked-by: Dmitri Vorobiev +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/kernel/Makefile | 2 ++ + arch/mips/kernel/vmlinux.lds.S | 12 ++++++------ + 2 files changed, 8 insertions(+), 6 deletions(-) + +--- a/arch/mips/kernel/Makefile ++++ b/arch/mips/kernel/Makefile +@@ -2,6 +2,8 @@ + # Makefile for the Linux/MIPS kernel. + # + ++CPPFLAGS_vmlinux.lds := $(KBUILD_CFLAGS) ++ + extra-y := head.o init_task.o vmlinux.lds + + obj-y += cpu-probe.o branch.o entry.o genex.o irq.o process.o \ +--- a/arch/mips/kernel/vmlinux.lds.S ++++ b/arch/mips/kernel/vmlinux.lds.S +@@ -10,15 +10,15 @@ PHDRS { + note PT_NOTE FLAGS(4); /* R__ */ + } + +-ifdef CONFIG_32BIT +- ifdef CONFIG_CPU_LITTLE_ENDIAN ++#ifdef CONFIG_32BIT ++ #ifdef CONFIG_CPU_LITTLE_ENDIAN + jiffies = jiffies_64; +- else ++ #else + jiffies = jiffies_64 + 4; +- endif +-else ++ #endif ++#else + jiffies = jiffies_64; +-endif ++#endif + + SECTIONS + { diff --git a/queue-2.6.31/mm-remove-incorrect-swap_count-from-try_to_unuse.patch b/queue-2.6.31/mm-remove-incorrect-swap_count-from-try_to_unuse.patch new file mode 100644 index 00000000000..38e09824205 --- /dev/null +++ b/queue-2.6.31/mm-remove-incorrect-swap_count-from-try_to_unuse.patch @@ -0,0 +1,43 @@ +From 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 Mon Sep 17 00:00:00 2001 +From: Bo Liu +Date: Mon, 2 Nov 2009 16:50:33 +0000 +Subject: mm: remove incorrect swap_count() from try_to_unuse() + +From: Bo Liu + +commit 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 upstream. + +In try_to_unuse(), swcount is a local copy of *swap_map, including the +SWAP_HAS_CACHE bit; but a wrong comparison against swap_count(*swap_map), +which masks off the SWAP_HAS_CACHE bit, succeeded where it should fail. + +That had the effect of resetting the mm from which to start searching +for the next swap page, to an irrelevant mm instead of to an mm in which +this swap page had been found: which may increase search time by ~20%. +But we're used to swapoff being slow, so never noticed the slowdown. + +Remove that one spurious use of swap_count(): Bo Liu thought it merely +redundant, Hugh rewrote the description since it was measurably wrong. + +Signed-off-by: Bo Liu +Signed-off-by: Hugh Dickins +Reviewed-by: KAMEZAWA Hiroyuki +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/swapfile.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/mm/swapfile.c ++++ b/mm/swapfile.c +@@ -1149,8 +1149,7 @@ static int try_to_unuse(unsigned int typ + } else + retval = unuse_mm(mm, entry, page); + +- if (set_start_mm && +- swap_count(*swap_map) < swcount) { ++ if (set_start_mm && *swap_map < swcount) { + mmput(new_start_mm); + atomic_inc(&mm->mm_users); + new_start_mm = mm; diff --git a/queue-2.6.31/nilfs2-fix-dirty-page-accounting-leak-causing-hang-at-write.patch b/queue-2.6.31/nilfs2-fix-dirty-page-accounting-leak-causing-hang-at-write.patch new file mode 100644 index 00000000000..41184470253 --- /dev/null +++ b/queue-2.6.31/nilfs2-fix-dirty-page-accounting-leak-causing-hang-at-write.patch @@ -0,0 +1,44 @@ +From b1e19e5601277845b4f17ecd7c9ba04f73ee11aa Mon Sep 17 00:00:00 2001 +From: Ryusuke Konishi +Date: Tue, 3 Nov 2009 00:25:53 +0900 +Subject: nilfs2: fix dirty page accounting leak causing hang at write +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ryusuke Konishi + +commit b1e19e5601277845b4f17ecd7c9ba04f73ee11aa upstream. + +Bruno Prémont and Dunphy, Bill noticed me that NILFS will certainly +hang on ARM-based targets. + +I found this was caused by an underflow of dirty pages counter. A +b-tree cache routine was marking page dirty without adjusting page +account information. + +This fixes the dirty page accounting leak and resolves the hang on +arm-based targets. + +Reported-by: Bruno Prémont +Reported-by: Dunphy, Bill +Signed-off-by: Ryusuke Konishi +Tested-by: Bruno Prémont +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nilfs2/btnode.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/fs/nilfs2/btnode.c ++++ b/fs/nilfs2/btnode.c +@@ -276,8 +276,7 @@ void nilfs_btnode_commit_change_key(stru + "invalid oldkey %lld (newkey=%lld)", + (unsigned long long)oldkey, + (unsigned long long)newkey); +- if (!test_set_buffer_dirty(obh) && TestSetPageDirty(opage)) +- BUG(); ++ nilfs_btnode_mark_dirty(obh); + + spin_lock_irq(&btnc->tree_lock); + radix_tree_delete(&btnc->page_tree, oldkey); diff --git a/queue-2.6.31/nommu-don-t-pass-null-pointers-to-fput-in-do_mmap_pgoff.patch b/queue-2.6.31/nommu-don-t-pass-null-pointers-to-fput-in-do_mmap_pgoff.patch new file mode 100644 index 00000000000..4a6a1b8afea --- /dev/null +++ b/queue-2.6.31/nommu-don-t-pass-null-pointers-to-fput-in-do_mmap_pgoff.patch @@ -0,0 +1,48 @@ +From 89a8640279f8bb78aaf778d1fc5c4a6778f18064 Mon Sep 17 00:00:00 2001 +From: David Howells +Date: Fri, 30 Oct 2009 13:13:26 +0000 +Subject: NOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff() + +From: David Howells + +commit 89a8640279f8bb78aaf778d1fc5c4a6778f18064 upstream. + +Don't pass NULL pointers to fput() in the error handling paths of the NOMMU +do_mmap_pgoff() as it can't handle it. + +The following can be used as a test program: + + int main() { static long long a[1024 * 1024 * 20] = { 0 }; return a;} + +Without the patch, the code oopses in atomic_long_dec_and_test() as called by +fput() after the kernel complains that it can't allocate that big a chunk of +memory. With the patch, the kernel just complains about the allocation size +and then the program segfaults during execve() as execve() can't complete the +allocation of all the new ELF program segments. + +Reported-by: Robin Getz +Signed-off-by: David Howells +Acked-by: Robin Getz +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/nommu.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -1384,9 +1384,11 @@ share: + error_just_free: + up_write(&nommu_region_sem); + error: +- fput(region->vm_file); ++ if (region->vm_file) ++ fput(region->vm_file); + kmem_cache_free(vm_region_jar, region); +- fput(vma->vm_file); ++ if (vma->vm_file) ++ fput(vma->vm_file); + if (vma->vm_flags & VM_EXECUTABLE) + removed_exe_file_vma(vma->vm_mm); + kmem_cache_free(vm_area_cachep, vma); diff --git a/queue-2.6.31/param-fix-lots-of-bugs-with-writing-charp-params-from-sysfs-by-leaking-mem.patch b/queue-2.6.31/param-fix-lots-of-bugs-with-writing-charp-params-from-sysfs-by-leaking-mem.patch new file mode 100644 index 00000000000..28d0688df90 --- /dev/null +++ b/queue-2.6.31/param-fix-lots-of-bugs-with-writing-charp-params-from-sysfs-by-leaking-mem.patch @@ -0,0 +1,77 @@ +From 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef Mon Sep 17 00:00:00 2001 +From: Rusty Russell +Date: Thu, 29 Oct 2009 08:56:16 -0600 +Subject: param: fix lots of bugs with writing charp params from sysfs, by leaking mem. + +From: Rusty Russell + +commit 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef upstream. + +e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case +where charp parameters written via sysfs were freed, leaving drivers +accessing random memory. + +Unfortunately, storing a flag in the kparam struct was a bad idea: it's +rodata so setting it causes an oops on some archs. But that's not all: + +1) module_param_array() on charp doesn't work reliably, since we use an + uninitialized temporary struct kernel_param. +2) there's a fundamental race if a module uses this parameter and then + it's changed: they will still access the old, freed, memory. + +The simplest fix (ie. for 2.6.32) is to never free the memory. This +prevents all these problems, at cost of a memory leak. In practice, there +are only 18 places where a charp is writable via sysfs, and all are +root-only writable. + +Reported-by: Takashi Iwai +Cc: Sitsofe Wheeler +Cc: Frederic Weisbecker +Cc: Christof Schmitt +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/moduleparam.h | 1 - + kernel/params.c | 10 +--------- + 2 files changed, 1 insertion(+), 10 deletions(-) + +--- a/include/linux/moduleparam.h ++++ b/include/linux/moduleparam.h +@@ -37,7 +37,6 @@ typedef int (*param_set_fn)(const char * + typedef int (*param_get_fn)(char *buffer, struct kernel_param *kp); + + /* Flag bits for kernel_param.flags */ +-#define KPARAM_KMALLOCED 1 + #define KPARAM_ISBOOL 2 + + struct kernel_param { +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -217,13 +217,9 @@ int param_set_charp(const char *val, str + return -ENOSPC; + } + +- if (kp->flags & KPARAM_KMALLOCED) +- kfree(*(char **)kp->arg); +- + /* This is a hack. We can't need to strdup in early boot, and we + * don't need to; this mangled commandline is preserved. */ + if (slab_is_available()) { +- kp->flags |= KPARAM_KMALLOCED; + *(char **)kp->arg = kstrdup(val, GFP_KERNEL); + if (!kp->arg) + return -ENOMEM; +@@ -604,11 +600,7 @@ void module_param_sysfs_remove(struct mo + + void destroy_params(const struct kernel_param *params, unsigned num) + { +- unsigned int i; +- +- for (i = 0; i < num; i++) +- if (params[i].flags & KPARAM_KMALLOCED) +- kfree(*(char **)params[i].arg); ++ /* FIXME: This should free kmalloced charp parameters. It doesn't. */ + } + + static void __init kernel_add_sysfs_param(const char *name, diff --git a/queue-2.6.31/param-fix-null-comparison-on-oom.patch b/queue-2.6.31/param-fix-null-comparison-on-oom.patch new file mode 100644 index 00000000000..633fe428a5c --- /dev/null +++ b/queue-2.6.31/param-fix-null-comparison-on-oom.patch @@ -0,0 +1,30 @@ +From d553ad864e3b3dde3f1038d491e207021b2d6293 Mon Sep 17 00:00:00 2001 +From: Rusty Russell +Date: Thu, 29 Oct 2009 08:56:17 -0600 +Subject: param: fix NULL comparison on oom + +From: Rusty Russell + +commit d553ad864e3b3dde3f1038d491e207021b2d6293 upstream. + +kp->arg is always true: it's the contents of that pointer we care about. + +Reported-by: Takashi Iwai +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/params.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -221,7 +221,7 @@ int param_set_charp(const char *val, str + * don't need to; this mangled commandline is preserved. */ + if (slab_is_available()) { + *(char **)kp->arg = kstrdup(val, GFP_KERNEL); +- if (!kp->arg) ++ if (!*(char **)kp->arg) + return -ENOMEM; + } else + *(const char **)kp->arg = val; diff --git a/queue-2.6.31/param-fix-setting-arrays-of-bool.patch b/queue-2.6.31/param-fix-setting-arrays-of-bool.patch new file mode 100644 index 00000000000..d79937a46ec --- /dev/null +++ b/queue-2.6.31/param-fix-setting-arrays-of-bool.patch @@ -0,0 +1,50 @@ +From 3c7d76e371ac1a3802ae1673f5c63554af59325c Mon Sep 17 00:00:00 2001 +From: Rusty Russell +Date: Thu, 29 Oct 2009 08:56:19 -0600 +Subject: param: fix setting arrays of bool + +From: Rusty Russell + +commit 3c7d76e371ac1a3802ae1673f5c63554af59325c upstream. + +We create a dummy struct kernel_param on the stack for parsing each +array element, but we didn't initialize the flags word. This matters +for arrays of type "bool", where the flag indicates if it really is +an array of bools or unsigned int (old-style). + +Reported-by: Takashi Iwai +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/params.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/params.c ++++ b/kernel/params.c +@@ -299,6 +299,7 @@ static int param_array(const char *name, + unsigned int min, unsigned int max, + void *elem, int elemsize, + int (*set)(const char *, struct kernel_param *kp), ++ u16 flags, + unsigned int *num) + { + int ret; +@@ -308,6 +309,7 @@ static int param_array(const char *name, + /* Get the name right for errors. */ + kp.name = name; + kp.arg = elem; ++ kp.flags = flags; + + /* No equals sign? */ + if (!val) { +@@ -353,7 +355,8 @@ int param_array_set(const char *val, str + unsigned int temp_num; + + return param_array(kp->name, val, 1, arr->max, arr->elem, +- arr->elemsize, arr->set, arr->num ?: &temp_num); ++ arr->elemsize, arr->set, kp->flags, ++ arr->num ?: &temp_num); + } + + int param_array_get(char *buffer, struct kernel_param *kp) diff --git a/queue-2.6.31/pata_sc1200-fix-crash-on-boot.patch b/queue-2.6.31/pata_sc1200-fix-crash-on-boot.patch new file mode 100644 index 00000000000..a8466782319 --- /dev/null +++ b/queue-2.6.31/pata_sc1200-fix-crash-on-boot.patch @@ -0,0 +1,36 @@ +From 6d4f950e9ea15816c6a4f266ce6b9e438346771e Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Tue, 6 Oct 2009 16:07:51 +0100 +Subject: pata_sc1200: Fix crash on boot + +From: Alan Cox + +commit 6d4f950e9ea15816c6a4f266ce6b9e438346771e upstream. + +The SC1200 needs a NULL terminator or it may cause a crash on boot. + +Bug #14227 + +Also correct a bogus comment as the driver had serializing added so can run +dual port. + +Signed-off-by: Alan Cox +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_sc1200.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/ata/pata_sc1200.c ++++ b/drivers/ata/pata_sc1200.c +@@ -235,8 +235,7 @@ static int sc1200_init_one(struct pci_de + .udma_mask = ATA_UDMA2, + .port_ops = &sc1200_port_ops + }; +- /* Can't enable port 2 yet, see top comments */ +- const struct ata_port_info *ppi[] = { &info, }; ++ const struct ata_port_info *ppi[] = { &info, NULL }; + + return ata_pci_sff_init_one(dev, ppi, &sc1200_sht, NULL); + } diff --git a/queue-2.6.31/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch b/queue-2.6.31/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch new file mode 100644 index 00000000000..1c1dfdf4899 --- /dev/null +++ b/queue-2.6.31/revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch @@ -0,0 +1,49 @@ +From f61f925859c57f6175082aeeee17743c68558a6e Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Sat, 5 Sep 2009 13:33:23 -0400 +Subject: Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible" + +From: Len Brown + +commit f61f925859c57f6175082aeeee17743c68558a6e upstream. + +This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af. + +http://bugzilla.kernel.org/show_bug.cgi?id=13002 + +Signed-off-by: Len Brown +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/scan.c | 12 ++---------- + 1 file changed, 2 insertions(+), 10 deletions(-) + +--- a/drivers/acpi/scan.c ++++ b/drivers/acpi/scan.c +@@ -1264,16 +1264,6 @@ acpi_add_single_object(struct acpi_devic + acpi_device_set_id(device, parent, handle, type); + + /* +- * The ACPI device is attached to acpi handle before getting +- * the power/wakeup/peformance flags. Otherwise OS can't get +- * the corresponding ACPI device by the acpi handle in the course +- * of getting the power/wakeup/performance flags. +- */ +- result = acpi_device_set_context(device, type); +- if (result) +- goto end; +- +- /* + * Power Management + * ---------------- + */ +@@ -1303,6 +1293,8 @@ acpi_add_single_object(struct acpi_devic + goto end; + } + ++ if ((result = acpi_device_set_context(device, type))) ++ goto end; + + result = acpi_device_register(device, parent); + diff --git a/queue-2.6.31/series b/queue-2.6.31/series index acc1c22ff7b..8ee7ce69bc0 100644 --- a/queue-2.6.31/series +++ b/queue-2.6.31/series @@ -33,3 +33,42 @@ dpt_i2o-fix-typo-of-einval.patch hfsplus-refuse-to-mount-volumes-larger-than-2tb.patch driver-core-fix-driver_register-return-value.patch tty-mark-generic_serial-users-as-broken.patch +param-fix-lots-of-bugs-with-writing-charp-params-from-sysfs-by-leaking-mem.patch +param-fix-null-comparison-on-oom.patch +param-fix-setting-arrays-of-bool.patch +usb-serial-sierra-driver-send_setup-autopm-fix.patch +usb-option-patch-for-huawei-mobile-broadband-e270-modem.patch +usb-option-support-for-airplus-mcd650-datacard.patch +usb-option-tlaytech-tue800-support.patch +libertas-if_usb-fix-crash-on-64-bit-machines.patch +cpuidle-always-return-with-interrupts-enabled.patch +virtio-order-used-ring-after-used-index-read.patch +cifs-fixing-to-avoid-invalid-kfree-in-cifs_get_tcp_session.patch +mac80211-fix-for-incorrect-sequence-number-on-hostapd-injected-frames.patch +mac80211-check-interface-is-down-before-type-change.patch +x86-uv-fix-information-in-__uv_hub_info-structure.patch +x86-uv-set-delivery_mode-4-for-vector-nmi_vector-in-uv_hub_send_ipi.patch +nommu-don-t-pass-null-pointers-to-fput-in-do_mmap_pgoff.patch +mm-remove-incorrect-swap_count-from-try_to_unuse.patch +x86-64-fix-register-leak-in-32-bit-syscall-audting.patch +nilfs2-fix-dirty-page-accounting-leak-causing-hang-at-write.patch +drm-i915-fix-fdi-m-n-setting-according-with-correct-color-depth.patch +drm-i915-fix-to-setup-display-reference-clock-control-on-ironlake.patch +drm-i915-fix-panel-fitting-filter-coefficient-select-for-ironlake.patch +agp-intel-add-b43-chipset-support.patch +drm-i915-add-b43-chipset-support.patch +xen-hvc-make-sure-console-output-is-always-emitted-with-explicit-polling.patch +xen-mask-extended-topology-info-in-cpuid.patch +sgi-gru-decrapfiy-options_write-function.patch +kvm-get_tss_base_addr-should-return-a-gpa_t.patch +fuse-prevent-fuse_put_request-on-invalid-pointer.patch +fuse-fix-kunmap-in-fuse_ioctl_copy_user.patch +x86-amd-iommu-workaround-for-erratum-63.patch +fsnotify-do-not-set-group-for-a-mark-before-it-is-on-the-i_list.patch +mips-fix-build-of-vmlinux.lds.patch +alpha-fix-build-after-vmlinux.lds.s-cleanup.patch +acpi-pci-fix-null-pointer-dereference-in-acpi_get_pci_dev-rev.-2.patch +revert-acpi-attach-the-acpi-device-to-the-acpi-handle-as-early-as-possible.patch +keys-get_instantiation_keyring-should-inc-the-keyring-refcount-in-all-cases.patch +b43-fix-bugzilla-14181-and-the-bug-from-the-previous-fix.patch +pata_sc1200-fix-crash-on-boot.patch diff --git a/queue-2.6.31/sgi-gru-decrapfiy-options_write-function.patch b/queue-2.6.31/sgi-gru-decrapfiy-options_write-function.patch new file mode 100644 index 00000000000..b6ba35e57bf --- /dev/null +++ b/queue-2.6.31/sgi-gru-decrapfiy-options_write-function.patch @@ -0,0 +1,54 @@ +From d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Thu, 5 Nov 2009 10:48:30 -0800 +Subject: sgi-gru: decrapfiy options_write() function + +From: Linus Torvalds + +commit d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 upstream. + +Not a single line of actual code in the function was really +fundamentally correct. + +Problems ranged from lack of proper range checking, to removing the last +character written (which admittedly is usually '\n'), to not accepting +hex numbers even though the 'show' routine would show the data in that +format. + +This tries to do better. + +Acked-by: Michael Buesch +Tested-and-acked-by: Jack Steiner +Cc: Jiri Kosina +Cc: Michael Gilbert +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/sgi-gru/gruprocfs.c | 13 +++++++------ + 1 file changed, 7 insertions(+), 6 deletions(-) + +--- a/drivers/misc/sgi-gru/gruprocfs.c ++++ b/drivers/misc/sgi-gru/gruprocfs.c +@@ -161,14 +161,15 @@ static int options_show(struct seq_file + static ssize_t options_write(struct file *file, const char __user *userbuf, + size_t count, loff_t *data) + { +- unsigned long val; +- char buf[80]; ++ char buf[20]; + +- if (strncpy_from_user(buf, userbuf, sizeof(buf) - 1) < 0) ++ if (count >= sizeof(buf)) ++ return -EINVAL; ++ if (copy_from_user(buf, userbuf, count)) + return -EFAULT; +- buf[count - 1] = '\0'; +- if (!strict_strtoul(buf, 10, &val)) +- gru_options = val; ++ buf[count] = '\0'; ++ if (strict_strtoul(buf, 0, &gru_options)) ++ return -EINVAL; + + return count; + } diff --git a/queue-2.6.31/usb-option-patch-for-huawei-mobile-broadband-e270-modem.patch b/queue-2.6.31/usb-option-patch-for-huawei-mobile-broadband-e270-modem.patch new file mode 100644 index 00000000000..86110df449f --- /dev/null +++ b/queue-2.6.31/usb-option-patch-for-huawei-mobile-broadband-e270-modem.patch @@ -0,0 +1,33 @@ +From 0ee3a33a0481c8f5c9edb7a5a02f3c76496d9551 Mon Sep 17 00:00:00 2001 +From: Ronnie Furuskog +Date: Mon, 21 Sep 2009 21:20:55 +0200 +Subject: USB: option: Patch for Huawei Mobile Broadband E270+ Modem + +From: Ronnie Furuskog + +commit 0ee3a33a0481c8f5c9edb7a5a02f3c76496d9551 upstream. + +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -166,6 +166,7 @@ static int option_resume(struct usb_ser + #define HUAWEI_PRODUCT_E143D 0x143D + #define HUAWEI_PRODUCT_E143E 0x143E + #define HUAWEI_PRODUCT_E143F 0x143F ++#define HUAWEI_PRODUCT_E14AC 0x14AC + + #define QUANTA_VENDOR_ID 0x0408 + #define QUANTA_PRODUCT_Q101 0xEA02 +@@ -426,6 +427,7 @@ static struct usb_device_id option_ids[] + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143D, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143E, 0xff, 0xff, 0xff) }, + { USB_DEVICE_AND_INTERFACE_INFO(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E143F, 0xff, 0xff, 0xff) }, ++ { USB_DEVICE(HUAWEI_VENDOR_ID, HUAWEI_PRODUCT_E14AC) }, + { USB_DEVICE(AMOI_VENDOR_ID, AMOI_PRODUCT_9508) }, + { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V640) }, /* Novatel Merlin V640/XV620 */ + { USB_DEVICE(NOVATELWIRELESS_VENDOR_ID, NOVATELWIRELESS_PRODUCT_V620) }, /* Novatel Merlin V620/S620 */ diff --git a/queue-2.6.31/usb-option-support-for-airplus-mcd650-datacard.patch b/queue-2.6.31/usb-option-support-for-airplus-mcd650-datacard.patch new file mode 100644 index 00000000000..7baa9a2e21d --- /dev/null +++ b/queue-2.6.31/usb-option-support-for-airplus-mcd650-datacard.patch @@ -0,0 +1,41 @@ +From 12148da6722be3b44c2220206b6ccb80d2d9d8f8 Mon Sep 17 00:00:00 2001 +From: Huzaifa Sidhpurwala +Date: Mon, 12 Oct 2009 14:34:45 +0530 +Subject: USB: option: Support for AIRPLUS MCD650 Datacard + +From: Huzaifa Sidhpurwala + +commit 12148da6722be3b44c2220206b6ccb80d2d9d8f8 upstream. + +Here is a patch for Airplus MCD 650 card + +Note: This device is with Victor V Kudlak, and he confirmed that this +device works with the patch. + +Signed-off-by: Huzaifa Sidhpurwala +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -329,6 +329,9 @@ static int option_resume(struct usb_ser + #define ALCATEL_VENDOR_ID 0x1bbb + #define ALCATEL_PRODUCT_X060S 0x0000 + ++/* Airplus products */ ++#define AIRPLUS_VENDOR_ID 0x1011 ++#define AIRPLUS_PRODUCT_MCD650 0x3198 + + static struct usb_device_id option_ids[] = { + { USB_DEVICE(OPTION_VENDOR_ID, OPTION_PRODUCT_COLT) }, +@@ -590,6 +593,7 @@ static struct usb_device_id option_ids[] + { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) }, + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) }, ++ { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); diff --git a/queue-2.6.31/usb-option-tlaytech-tue800-support.patch b/queue-2.6.31/usb-option-tlaytech-tue800-support.patch new file mode 100644 index 00000000000..c5662811ab4 --- /dev/null +++ b/queue-2.6.31/usb-option-tlaytech-tue800-support.patch @@ -0,0 +1,39 @@ +From fead2ab6cf9ad3a84a06e68ccc20d1e460fad13e Mon Sep 17 00:00:00 2001 +From: Bryan Wu +Date: Thu, 22 Oct 2009 15:00:36 +0800 +Subject: USB: option: TLAYTECH TUE800 support + +From: Bryan Wu + +commit fead2ab6cf9ad3a84a06e68ccc20d1e460fad13e upstream. + +Add ID for Tlaytech TUE800 CDMA modem to the option driver. + +Signed-off-by: Bryan Wu +Acked-By: Matthias Urlichs +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -316,6 +316,9 @@ static int option_resume(struct usb_ser + #define QISDA_PRODUCT_H20_4515 0x4515 + #define QISDA_PRODUCT_H20_4519 0x4519 + ++/* TLAYTECH PRODUCTS */ ++#define TLAYTECH_VENDOR_ID 0x20B9 ++#define TLAYTECH_PRODUCT_TEU800 0x1682 + + /* TOSHIBA PRODUCTS */ + #define TOSHIBA_VENDOR_ID 0x0930 +@@ -594,6 +597,7 @@ static struct usb_device_id option_ids[] + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) }, + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, ++ { USB_DEVICE(TLAYTECH_VENDOR_ID, TLAYTECH_PRODUCT_TEU800) }, + { } /* Terminating entry */ + }; + MODULE_DEVICE_TABLE(usb, option_ids); diff --git a/queue-2.6.31/usb-serial-sierra-driver-send_setup-autopm-fix.patch b/queue-2.6.31/usb-serial-sierra-driver-send_setup-autopm-fix.patch new file mode 100644 index 00000000000..4a1887bfb7c --- /dev/null +++ b/queue-2.6.31/usb-serial-sierra-driver-send_setup-autopm-fix.patch @@ -0,0 +1,70 @@ +From 3c77d5137d3f4ff41721e9b4f4812db56a6065c0 Mon Sep 17 00:00:00 2001 +From: Elina Pasheva +Date: Fri, 16 Oct 2009 12:04:54 -0700 +Subject: USB: serial: sierra driver send_setup() autopm fix + +From: Elina Pasheva + +commit 3c77d5137d3f4ff41721e9b4f4812db56a6065c0 upstream. + +This patch presents a fix for the autosuspend feature implementation in +sierra usb serial driver for function sierra_send_setup(). Because it +is possible to call sierra_send_setup() before sierra_open() or after +sierra_close() we added a get/put interface activity to assure that the +usb control can happen even when the device is autosuspended. + +Signed-off-by: Elina Pasheva +Tested-by: Matthew Safar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/sierra.c | 23 ++++++++++++++--------- + 1 file changed, 14 insertions(+), 9 deletions(-) + +--- a/drivers/usb/serial/sierra.c ++++ b/drivers/usb/serial/sierra.c +@@ -287,6 +287,8 @@ static int sierra_send_setup(struct usb_ + struct sierra_port_private *portdata; + __u16 interface = 0; + int val = 0; ++ int do_send = 0; ++ int retval; + + dev_dbg(&port->dev, "%s\n", __func__); + +@@ -305,10 +307,7 @@ static int sierra_send_setup(struct usb_ + */ + if (port->interrupt_in_urb) { + /* send control message */ +- return usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), +- 0x22, 0x21, val, interface, +- NULL, 0, USB_CTRL_SET_TIMEOUT); ++ do_send = 1; + } + } + +@@ -320,12 +319,18 @@ static int sierra_send_setup(struct usb_ + interface = 1; + else if (port->bulk_out_endpointAddress == 5) + interface = 2; +- return usb_control_msg(serial->dev, +- usb_rcvctrlpipe(serial->dev, 0), +- 0x22, 0x21, val, interface, +- NULL, 0, USB_CTRL_SET_TIMEOUT); ++ ++ do_send = 1; + } +- return 0; ++ if (!do_send) ++ return 0; ++ ++ usb_autopm_get_interface(serial->interface); ++ retval = usb_control_msg(serial->dev, usb_rcvctrlpipe(serial->dev, 0), ++ 0x22, 0x21, val, interface, NULL, 0, USB_CTRL_SET_TIMEOUT); ++ usb_autopm_put_interface(serial->interface); ++ ++ return retval; + } + + static void sierra_set_termios(struct tty_struct *tty, diff --git a/queue-2.6.31/virtio-order-used-ring-after-used-index-read.patch b/queue-2.6.31/virtio-order-used-ring-after-used-index-read.patch new file mode 100644 index 00000000000..5cb7442696f --- /dev/null +++ b/queue-2.6.31/virtio-order-used-ring-after-used-index-read.patch @@ -0,0 +1,33 @@ +From 2d61ba95034f1abbdec7729d52c740870a5eddb6 Mon Sep 17 00:00:00 2001 +From: Michael S. Tsirkin +Date: Sun, 25 Oct 2009 15:28:53 +0200 +Subject: virtio: order used ring after used index read + +From: Michael S. Tsirkin + +commit 2d61ba95034f1abbdec7729d52c740870a5eddb6 upstream. + +On SMP guests, reads from the ring might bypass used index reads. This +causes guest crashes because host writes to used index to signal ring +data readiness. Fix this by inserting rmb before used ring reads. + +Signed-off-by: Michael S. Tsirkin +Signed-off-by: Rusty Russell +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/virtio/virtio_ring.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/virtio/virtio_ring.c ++++ b/drivers/virtio/virtio_ring.c +@@ -281,6 +281,9 @@ static void *vring_get_buf(struct virtqu + return NULL; + } + ++ /* Only get used array entries after they have been exposed by host. */ ++ rmb(); ++ + i = vq->vring.used->ring[vq->last_used_idx%vq->vring.num].id; + *len = vq->vring.used->ring[vq->last_used_idx%vq->vring.num].len; + diff --git a/queue-2.6.31/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch b/queue-2.6.31/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch new file mode 100644 index 00000000000..6e24fdc78bf --- /dev/null +++ b/queue-2.6.31/x86-64-fix-register-leak-in-32-bit-syscall-audting.patch @@ -0,0 +1,54 @@ +From 81766741fe1eee3884219e8daaf03f466f2ed52f Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Mon, 26 Oct 2009 15:20:29 +0000 +Subject: x86-64: Fix register leak in 32-bit syscall audting + +From: Jan Beulich + +commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream. + +Restoring %ebp after the call to audit_syscall_exit() is not +only unnecessary (because the register didn't get clobbered), +but in the sysenter case wasn't even doing the right thing: It +loaded %ebp from a location below the top of stack (RBP < +ARGOFFSET), i.e. arbitrary kernel data got passed back to user +mode in the register. + +Signed-off-by: Jan Beulich +Acked-by: Roland McGrath +LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/ia32/ia32entry.S | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -204,7 +204,7 @@ sysexit_from_sys_call: + movl RDI-ARGOFFSET(%rsp),%r8d /* reload 5th syscall arg */ + .endm + +- .macro auditsys_exit exit,ebpsave=RBP ++ .macro auditsys_exit exit + testl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),TI_flags(%r10) + jnz ia32_ret_from_sys_call + TRACE_IRQS_ON +@@ -217,7 +217,6 @@ sysexit_from_sys_call: + call audit_syscall_exit + GET_THREAD_INFO(%r10) + movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall return value */ +- movl \ebpsave-ARGOFFSET(%rsp),%ebp /* reload user register value */ + movl $(_TIF_ALLWORK_MASK & ~_TIF_SYSCALL_AUDIT),%edi + cli + TRACE_IRQS_OFF +@@ -351,7 +350,7 @@ cstar_auditsys: + jmp cstar_dispatch + + sysretl_audit: +- auditsys_exit sysretl_from_sys_call, RCX /* user %ebp in RCX slot */ ++ auditsys_exit sysretl_from_sys_call + #endif + + cstar_tracesys: diff --git a/queue-2.6.31/x86-amd-iommu-workaround-for-erratum-63.patch b/queue-2.6.31/x86-amd-iommu-workaround-for-erratum-63.patch new file mode 100644 index 00000000000..7e45149f2a3 --- /dev/null +++ b/queue-2.6.31/x86-amd-iommu-workaround-for-erratum-63.patch @@ -0,0 +1,86 @@ +From c5cca146aa03e1f60fb179df65f0dbaf17bc64ed Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Fri, 9 Oct 2009 18:31:20 +0200 +Subject: x86/amd-iommu: Workaround for erratum 63 + +From: Joerg Roedel + +commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream. + +There is an erratum for IOMMU hardware which documents +undefined behavior when forwarding SMI requests from +peripherals and the DTE of that peripheral has a sysmgt +value of 01b. This problem caused weird IO_PAGE_FAULTS in my +case. +This patch implements the suggested workaround for that +erratum into the AMD IOMMU driver. The erratum is +documented with number 63. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/amd_iommu.h | 1 + + arch/x86/kernel/amd_iommu.c | 2 ++ + arch/x86/kernel/amd_iommu_init.c | 22 ++++++++++++++++++++++ + 3 files changed, 25 insertions(+) + +--- a/arch/x86/include/asm/amd_iommu.h ++++ b/arch/x86/include/asm/amd_iommu.h +@@ -30,6 +30,7 @@ extern irqreturn_t amd_iommu_int_handler + extern void amd_iommu_flush_all_domains(void); + extern void amd_iommu_flush_all_devices(void); + extern void amd_iommu_shutdown(void); ++extern void amd_iommu_apply_erratum_63(u16 devid); + #else + static inline int amd_iommu_init(void) { return -ENODEV; } + static inline void amd_iommu_detect(void) { } +--- a/arch/x86/kernel/amd_iommu.c ++++ b/arch/x86/kernel/amd_iommu.c +@@ -1112,6 +1112,8 @@ static void __detach_device(struct prote + amd_iommu_dev_table[devid].data[1] = 0; + amd_iommu_dev_table[devid].data[2] = 0; + ++ amd_iommu_apply_erratum_63(devid); ++ + /* decrease reference counter */ + domain->dev_cnt -= 1; + +--- a/arch/x86/kernel/amd_iommu_init.c ++++ b/arch/x86/kernel/amd_iommu_init.c +@@ -509,6 +509,26 @@ static void set_dev_entry_bit(u16 devid, + amd_iommu_dev_table[devid].data[i] |= (1 << _bit); + } + ++static int get_dev_entry_bit(u16 devid, u8 bit) ++{ ++ int i = (bit >> 5) & 0x07; ++ int _bit = bit & 0x1f; ++ ++ return (amd_iommu_dev_table[devid].data[i] & (1 << _bit)) >> _bit; ++} ++ ++ ++void amd_iommu_apply_erratum_63(u16 devid) ++{ ++ int sysmgt; ++ ++ sysmgt = get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT1) | ++ (get_dev_entry_bit(devid, DEV_ENTRY_SYSMGT2) << 1); ++ ++ if (sysmgt == 0x01) ++ set_dev_entry_bit(devid, DEV_ENTRY_IW); ++} ++ + /* Writes the specific IOMMU for a device into the rlookup table */ + static void __init set_iommu_for_device(struct amd_iommu *iommu, u16 devid) + { +@@ -537,6 +557,8 @@ static void __init set_dev_entry_from_ac + if (flags & ACPI_DEVFLAG_LINT1) + set_dev_entry_bit(devid, DEV_ENTRY_LINT1_PASS); + ++ amd_iommu_apply_erratum_63(devid); ++ + set_iommu_for_device(iommu, devid); + } + diff --git a/queue-2.6.31/x86-uv-fix-information-in-__uv_hub_info-structure.patch b/queue-2.6.31/x86-uv-fix-information-in-__uv_hub_info-structure.patch new file mode 100644 index 00000000000..0bef13d2c77 --- /dev/null +++ b/queue-2.6.31/x86-uv-fix-information-in-__uv_hub_info-structure.patch @@ -0,0 +1,82 @@ +From 036ed8ba61b72c19dc5759446d4fe0844aa88255 Mon Sep 17 00:00:00 2001 +From: Robin Holt +Date: Thu, 15 Oct 2009 17:40:00 -0500 +Subject: x86, UV: Fix information in __uv_hub_info structure + +From: Robin Holt + +commit 036ed8ba61b72c19dc5759446d4fe0844aa88255 upstream. + +A few parts of the uv_hub_info structure are initialized +incorrectly. + + - n_val is being loaded with m_val. + - gpa_mask is initialized with a bytes instead of an unsigned long. + - Handle the case where none of the alias registers are used. + +Lastly I converted the bau over to using the uv_hub_info->m_val +which is the correct value. + +Without this patch, booting a large configuration hits a +problem where the upper bits of the gnode affect the pnode +and the bau will not operate. + +Signed-off-by: Robin Holt +Acked-by: Jack Steiner +Cc: Cliff Whickman +LKML-Reference: <20091015224946.396355000@alcatraz.americas.sgi.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/x2apic_uv_x.c | 8 ++++---- + arch/x86/kernel/tlb_uv.c | 4 ++-- + 2 files changed, 6 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/apic/x2apic_uv_x.c ++++ b/arch/x86/kernel/apic/x2apic_uv_x.c +@@ -352,14 +352,14 @@ static __init void get_lowmem_redirect(u + + for (i = 0; i < ARRAY_SIZE(redir_addrs); i++) { + alias.v = uv_read_local_mmr(redir_addrs[i].alias); +- if (alias.s.base == 0) { ++ if (alias.s.enable && alias.s.base == 0) { + *size = (1UL << alias.s.m_alias); + redirect.v = uv_read_local_mmr(redir_addrs[i].redirect); + *base = (unsigned long)redirect.s.dest_base << DEST_SHIFT; + return; + } + } +- BUG(); ++ *base = *size = 0; + } + + enum map_type {map_wb, map_uc}; +@@ -609,12 +609,12 @@ void __init uv_system_init(void) + uv_cpu_hub_info(cpu)->lowmem_remap_base = lowmem_redir_base; + uv_cpu_hub_info(cpu)->lowmem_remap_top = lowmem_redir_size; + uv_cpu_hub_info(cpu)->m_val = m_val; +- uv_cpu_hub_info(cpu)->n_val = m_val; ++ uv_cpu_hub_info(cpu)->n_val = n_val; + uv_cpu_hub_info(cpu)->numa_blade_id = blade; + uv_cpu_hub_info(cpu)->blade_processor_id = lcpu; + uv_cpu_hub_info(cpu)->pnode = pnode; + uv_cpu_hub_info(cpu)->pnode_mask = pnode_mask; +- uv_cpu_hub_info(cpu)->gpa_mask = (1 << (m_val + n_val)) - 1; ++ uv_cpu_hub_info(cpu)->gpa_mask = (1UL << (m_val + n_val)) - 1; + uv_cpu_hub_info(cpu)->gnode_upper = gnode_upper; + uv_cpu_hub_info(cpu)->gnode_extra = gnode_extra; + uv_cpu_hub_info(cpu)->global_mmr_base = mmr_base; +--- a/arch/x86/kernel/tlb_uv.c ++++ b/arch/x86/kernel/tlb_uv.c +@@ -843,8 +843,8 @@ static int __init uv_bau_init(void) + GFP_KERNEL, cpu_to_node(cur_cpu)); + + uv_bau_retry_limit = 1; +- uv_nshift = uv_hub_info->n_val; +- uv_mmask = (1UL << uv_hub_info->n_val) - 1; ++ uv_nshift = uv_hub_info->m_val; ++ uv_mmask = (1UL << uv_hub_info->m_val) - 1; + nblades = uv_num_possible_blades(); + + uv_bau_table_bases = (struct bau_control **) diff --git a/queue-2.6.31/x86-uv-set-delivery_mode-4-for-vector-nmi_vector-in-uv_hub_send_ipi.patch b/queue-2.6.31/x86-uv-set-delivery_mode-4-for-vector-nmi_vector-in-uv_hub_send_ipi.patch new file mode 100644 index 00000000000..fae350b15de --- /dev/null +++ b/queue-2.6.31/x86-uv-set-delivery_mode-4-for-vector-nmi_vector-in-uv_hub_send_ipi.patch @@ -0,0 +1,54 @@ +From 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 Mon Sep 17 00:00:00 2001 +From: Robin Holt +Date: Tue, 20 Oct 2009 14:36:15 -0500 +Subject: x86, UV: Set DELIVERY_MODE=4 for vector=NMI_VECTOR in uv_hub_send_ipi() + +From: Robin Holt + +commit 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 upstream. + +When sending a NMI_VECTOR IPI using the UV_HUB_IPI_INT register, +we need to ensure the delivery mode field of that register has +NMI delivery selected. + +This makes those IPIs true NMIs, instead of flat IPIs. It +matters to reboot sequences and KGDB, both of which use NMI +IPIs. + +Signed-off-by: Robin Holt +Acked-by: Jack Steiner +Cc: Martin Hicks +LKML-Reference: <20091020193620.877322000@alcatraz.americas.sgi.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/uv/uv_hub.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/arch/x86/include/asm/uv/uv_hub.h ++++ b/arch/x86/include/asm/uv/uv_hub.h +@@ -18,6 +18,8 @@ + #include + #include + #include ++#include ++#include + + + /* +@@ -420,9 +422,14 @@ static inline void uv_set_cpu_scir_bits( + static inline void uv_hub_send_ipi(int pnode, int apicid, int vector) + { + unsigned long val; ++ unsigned long dmode = dest_Fixed; ++ ++ if (vector == NMI_VECTOR) ++ dmode = dest_NMI; + + val = (1UL << UVH_IPI_INT_SEND_SHFT) | + ((apicid) << UVH_IPI_INT_APIC_ID_SHFT) | ++ (dmode << UVH_IPI_INT_DELIVERY_MODE_SHFT) | + (vector << UVH_IPI_INT_VECTOR_SHFT); + uv_write_global_mmr64(pnode, UVH_IPI_INT, val); + } diff --git a/queue-2.6.31/xen-hvc-make-sure-console-output-is-always-emitted-with-explicit-polling.patch b/queue-2.6.31/xen-hvc-make-sure-console-output-is-always-emitted-with-explicit-polling.patch new file mode 100644 index 00000000000..a8ad07de795 --- /dev/null +++ b/queue-2.6.31/xen-hvc-make-sure-console-output-is-always-emitted-with-explicit-polling.patch @@ -0,0 +1,63 @@ +From 7825cf10e31c64ece3cac66fb01a742f1094da51 Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge +Date: Tue, 20 Oct 2009 15:28:21 +0900 +Subject: xen/hvc: make sure console output is always emitted, with explicit polling + +From: Jeremy Fitzhardinge + +commit 7825cf10e31c64ece3cac66fb01a742f1094da51 upstream. + +We never want to rely on the hvc workqueue to emit output, because the +most interesting output is when the kernel is broken. This will +improve oops/crash/console message for better debugging. + +Instead, we force-poll until all output is emitted. + +Signed-off-by: Jeremy Fitzhardinge +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/hvc_xen.c | 25 ++++++++++++++++++++++++- + 1 file changed, 24 insertions(+), 1 deletion(-) + +--- a/drivers/char/hvc_xen.c ++++ b/drivers/char/hvc_xen.c +@@ -55,7 +55,7 @@ static inline void notify_daemon(void) + notify_remote_via_evtchn(xen_start_info->console.domU.evtchn); + } + +-static int write_console(uint32_t vtermno, const char *data, int len) ++static int __write_console(const char *data, int len) + { + struct xencons_interface *intf = xencons_interface(); + XENCONS_RING_IDX cons, prod; +@@ -76,6 +76,29 @@ static int write_console(uint32_t vtermn + return sent; + } + ++static int write_console(uint32_t vtermno, const char *data, int len) ++{ ++ int ret = len; ++ ++ /* ++ * Make sure the whole buffer is emitted, polling if ++ * necessary. We don't ever want to rely on the hvc daemon ++ * because the most interesting console output is when the ++ * kernel is crippled. ++ */ ++ while (len) { ++ int sent = __write_console(data, len); ++ ++ data += sent; ++ len -= sent; ++ ++ if (unlikely(len)) ++ HYPERVISOR_sched_op(SCHEDOP_yield, NULL); ++ } ++ ++ return ret; ++} ++ + static int read_console(uint32_t vtermno, char *buf, int len) + { + struct xencons_interface *intf = xencons_interface(); diff --git a/queue-2.6.31/xen-mask-extended-topology-info-in-cpuid.patch b/queue-2.6.31/xen-mask-extended-topology-info-in-cpuid.patch new file mode 100644 index 00000000000..902471c2c53 --- /dev/null +++ b/queue-2.6.31/xen-mask-extended-topology-info-in-cpuid.patch @@ -0,0 +1,57 @@ +From 82d6469916c6fcfa345636a49004c9d1753905d1 Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge +Date: Thu, 22 Oct 2009 16:41:15 -0700 +Subject: xen: mask extended topology info in cpuid + +From: Jeremy Fitzhardinge + +commit 82d6469916c6fcfa345636a49004c9d1753905d1 upstream. + +A Xen guest never needs to know about extended topology, and knowing +would just confuse it. + +This patch just zeros ebx in leaf 0xb which indicates no topology info, +preventing a crash under Xen on cpus which support this leaf. + +Signed-off-by: Jeremy Fitzhardinge + +--- + arch/x86/xen/enlighten.c | 11 ++++++++++- + 1 file changed, 10 insertions(+), 1 deletion(-) + +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -178,6 +178,7 @@ static __read_mostly unsigned int cpuid_ + static void xen_cpuid(unsigned int *ax, unsigned int *bx, + unsigned int *cx, unsigned int *dx) + { ++ unsigned maskebx = ~0; + unsigned maskecx = ~0; + unsigned maskedx = ~0; + +@@ -185,9 +186,16 @@ static void xen_cpuid(unsigned int *ax, + * Mask out inconvenient features, to try and disable as many + * unsupported kernel subsystems as possible. + */ +- if (*ax == 1) { ++ switch (*ax) { ++ case 1: + maskecx = cpuid_leaf1_ecx_mask; + maskedx = cpuid_leaf1_edx_mask; ++ break; ++ ++ case 0xb: ++ /* Suppress extended topology stuff */ ++ maskebx = 0; ++ break; + } + + asm(XEN_EMULATE_PREFIX "cpuid" +@@ -197,6 +205,7 @@ static void xen_cpuid(unsigned int *ax, + "=d" (*dx) + : "0" (*ax), "2" (*cx)); + ++ *bx &= maskebx; + *cx &= maskecx; + *dx &= maskedx; + }