From: Greg Kroah-Hartman Date: Wed, 20 Oct 2010 00:43:43 +0000 (-0700) Subject: .35 patches X-Git-Tag: v2.6.27.55~17 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7691b2d153497d46c8796ef1c42619763aaacbe4;p=thirdparty%2Fkernel%2Fstable-queue.git .35 patches --- diff --git a/queue-2.6.35/atl1-fix-resume.patch b/queue-2.6.35/atl1-fix-resume.patch new file mode 100644 index 00000000000..fbbd88d8fa8 --- /dev/null +++ b/queue-2.6.35/atl1-fix-resume.patch @@ -0,0 +1,40 @@ +From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001 +From: Luca Tettamanti +Date: Wed, 22 Sep 2010 10:41:58 +0000 +Subject: atl1: fix resume + +From: Luca Tettamanti + +commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream. + +adapter->cmb.cmb is initialized when the device is opened and freed when +it's closed. Accessing it unconditionally during resume results either +in a crash (NULL pointer dereference, when the interface has not been +opened yet) or data corruption (when the interface has been used and +brought down adapter->cmb.cmb points to a deallocated memory area). + +Signed-off-by: Luca Tettamanti +Acked-by: Chris Snook +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/atlx/atl1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/atlx/atl1.c ++++ b/drivers/net/atlx/atl1.c +@@ -2847,10 +2847,11 @@ static int atl1_resume(struct pci_dev *p + pci_enable_wake(pdev, PCI_D3cold, 0); + + atl1_reset_hw(&adapter->hw); +- adapter->cmb.cmb->int_stats = 0; + +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ adapter->cmb.cmb->int_stats = 0; + atl1_up(adapter); ++ } + netif_device_attach(netdev); + + return 0; diff --git a/queue-2.6.35/de-pessimize-rds_page_copy_user.patch b/queue-2.6.35/de-pessimize-rds_page_copy_user.patch new file mode 100644 index 00000000000..e205d093042 --- /dev/null +++ b/queue-2.6.35/de-pessimize-rds_page_copy_user.patch 
@@ -0,0 +1,78 @@ +From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:09:28 -0700 +Subject: De-pessimize rds_page_copy_user + +From: Linus Torvalds + +commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream. + +Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and +the unsafe atomic user mode accessor functions. It's actually slower +than the straightforward code on any reasonable modern CPU. + +Back when the code was written (although probably not by the time it was +actually merged, though), 32-bit x86 may have been the dominant +architecture. And there kmap_atomic() can be a lot faster than kmap() +(unless you have very good locality, in which case the virtual address +caching by kmap() can overcome all the downsides). + +But these days, x86-64 may not be more populous, but it's getting there +(and if you care about performance, it's definitely already there - +you'd have upgraded your CPU's already in the last few years). And on +x86-64, the non-kmap_atomic() version is faster, simply because the code +is simpler and doesn't have the "re-try page fault" case. + +People with old hardware are not likely to care about RDS anyway, and +the optimization for the 32-bit case is simply buggy, since it doesn't +verify the user addresses properly. 
+ +Reported-by: Dan Rosenberg +Acked-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/page.c | 27 +++++++-------------------- + 1 file changed, 7 insertions(+), 20 deletions(-) + +--- a/net/rds/page.c ++++ b/net/rds/page.c +@@ -57,30 +57,17 @@ int rds_page_copy_user(struct page *page + unsigned long ret; + void *addr; + +- if (to_user) ++ addr = kmap(page); ++ if (to_user) { + rds_stats_add(s_copy_to_user, bytes); +- else ++ ret = copy_to_user(ptr, addr + offset, bytes); ++ } else { + rds_stats_add(s_copy_from_user, bytes); +- +- addr = kmap_atomic(page, KM_USER0); +- if (to_user) +- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes); +- else +- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes); +- kunmap_atomic(addr, KM_USER0); +- +- if (ret) { +- addr = kmap(page); +- if (to_user) +- ret = copy_to_user(ptr, addr + offset, bytes); +- else +- ret = copy_from_user(addr + offset, ptr, bytes); +- kunmap(page); +- if (ret) +- return -EFAULT; ++ ret = copy_from_user(addr + offset, ptr, bytes); + } ++ kunmap(page); + +- return 0; ++ return ret ? -EFAULT : 0; + } + EXPORT_SYMBOL_GPL(rds_page_copy_user); + diff --git a/queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch b/queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch new file mode 100644 index 00000000000..e43a62c914b --- /dev/null +++ b/queue-2.6.35/dmaengine-fix-interrupt-clearing-for-mv_xor.patch 
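Review bot: Nothing in the new body of rds_page_copy_user() records that the user-pointer range check now comes from copy_to_user()/copy_from_user() themselves, which is the property the removed `__copy_*_inatomic` fast path lacked. A comment above the `addr = kmap(page);` line would keep that fast path from being reintroduced, for example `/* copy_{to,from}_user() check ptr with access_ok(); the __copy_*_inatomic variants do not */`. The function can also sleep on every call now (kmap() and a faulting copy), so any header comment above it should say it needs a context that may sleep. The start of the function, including any such comment, is outside this hunk.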
@@ -0,0 +1,42 @@ +From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001 +From: Simon Guinot +Date: Fri, 17 Sep 2010 23:33:51 +0200 +Subject: dmaengine: fix interrupt clearing for mv_xor + +From: Simon Guinot + +commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream. + +When using simultaneously the two DMA channels on a same engine, some +transfers are never completed. For example, an endless lock can occur +while writing heavily on a RAID5 array (with async-tx offload support +enabled). + +Note that this issue can also be reproduced by using the DMA test +client. + +On a same engine, the interrupt cause register is shared between two +DMA channels. This patch make sure that the cause bit is only cleared +for the requested channel. + +Signed-off-by: Simon Guinot +Tested-by: Luc Saillard +Acked-by: saeed bishara +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/mv_xor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -162,7 +162,7 @@ static int mv_is_err_intr(u32 intr_cause + + static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan) + { +- u32 val = (1 << (1 + (chan->idx * 16))); ++ u32 val = ~(1 << (chan->idx * 16)); + dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val); + __raw_writel(val, XOR_INTR_CAUSE(chan)); + } diff --git a/queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch b/queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch new file mode 100644 index 00000000000..10601e697d9 --- /dev/null +++ b/queue-2.6.35/drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch 
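Review bot: The new mask in mv_xor_device_clear_eoc_cause() is only correct if XOR_INTR_CAUSE is cleared by writing 0 and left untouched by writing 1, and the code does not say so. The same line also drops the `1 +` from the shift, so the bit being cleared moves from bit 1 to bit 0 of the channel's 16-bit field; the commit message does not mention this, and it should be confirmed against the datasheet for a function named clear_eoc_cause. I would add `/* cause bits are write-0-to-clear; writing 1 leaves the other channel's bits alone */` above the assignment and write the constant as `1U` so the complement is taken on an unsigned value: `u32 val = ~(1U << (chan->idx * 16));`.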
@@ -0,0 +1,52 @@ +From 929f49bf225b1b6cd04d0a7b9c0f7377d9131220 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Sat, 2 Oct 2010 15:59:17 +0200 +Subject: drivers/gpu/drm/i915/i915_gem.c: Add missing error handling code + +From: Julia Lawall + +commit 929f49bf225b1b6cd04d0a7b9c0f7377d9131220 upstream. + +Extend the error handling code with operations found in other nearby error +handling code + +A simplified version of the sematic match that finds this problem is as +follows: (http://coccinelle.lip6.fr/) + +// +@r exists@ +@r@ +statement S1,S2,S3; +constant C1,C2,C3; +@@ + +*if (...) + {... S1 return -C1;} +... +*if (...) + {... when != S1 + return -C2;} +... +*if (...) + {... S1 return -C3;} +// + +Signed-off-by: Julia Lawall +Signed-off-by: Chris Wilson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -3367,6 +3367,8 @@ i915_gem_object_pin_and_relocate(struct + (int) reloc->offset, + reloc->read_domains, + reloc->write_domain); ++ drm_gem_object_unreference(target_obj); ++ i915_gem_object_unpin(obj); + return -EINVAL; + } + if (reloc->write_domain & I915_GEM_DOMAIN_CPU || diff --git a/queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch b/queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch new file mode 100644 index 00000000000..9146f58f685 --- /dev/null +++ b/queue-2.6.35/drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch 
@@ -0,0 +1,107 @@ +From 39b4d07aa3583ceefe73622841303a0a3e942ca1 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Thu, 30 Sep 2010 09:10:26 +0100 +Subject: drm: Hold the mutex when dropping the last GEM reference (v2) + +From: Chris Wilson + +commit 39b4d07aa3583ceefe73622841303a0a3e942ca1 upstream. + +In order to be fully threadsafe we need to check that the drm_gem_object +refcount is still 0 after acquiring the mutex in order to call the free +function. Otherwise, we may encounter scenarios like: + +Thread A: Thread B: +drm_gem_close +unreference_unlocked +kref_put mutex_lock +... i915_gem_evict +... kref_get -> BUG +... i915_gem_unbind +... kref_put +... i915_gem_object_free +... mutex_unlock +mutex_lock +i915_gem_object_free -> BUG +i915_gem_object_unbind +kfree +mutex_unlock + +Note that no driver is currently using the free_unlocked vfunc and it is +scheduled for removal, hasten that process. + +Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=30454 +Reported-and-Tested-by: Magnus Kessler +Signed-off-by: Chris Wilson +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_gem.c | 22 ---------------------- + include/drm/drmP.h | 10 ++++++---- + 2 files changed, 6 insertions(+), 26 deletions(-) + +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -451,28 +451,6 @@ drm_gem_object_free(struct kref *kref) + } + EXPORT_SYMBOL(drm_gem_object_free); + +-/** +- * Called after the last reference to the object has been lost. 
+- * Must be called without holding struct_mutex +- * +- * Frees the object +- */ +-void +-drm_gem_object_free_unlocked(struct kref *kref) +-{ +- struct drm_gem_object *obj = (struct drm_gem_object *) kref; +- struct drm_device *dev = obj->dev; +- +- if (dev->driver->gem_free_object_unlocked != NULL) +- dev->driver->gem_free_object_unlocked(obj); +- else if (dev->driver->gem_free_object != NULL) { +- mutex_lock(&dev->struct_mutex); +- dev->driver->gem_free_object(obj); +- mutex_unlock(&dev->struct_mutex); +- } +-} +-EXPORT_SYMBOL(drm_gem_object_free_unlocked); +- + static void drm_gem_object_ref_bug(struct kref *list_kref) + { + BUG(); +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -802,7 +802,6 @@ struct drm_driver { + */ + int (*gem_init_object) (struct drm_gem_object *obj); + void (*gem_free_object) (struct drm_gem_object *obj); +- void (*gem_free_object_unlocked) (struct drm_gem_object *obj); + + /* vga arb irq handler */ + void (*vgaarb_irq)(struct drm_device *dev, bool state); +@@ -1431,7 +1430,6 @@ int drm_gem_init(struct drm_device *dev) + void drm_gem_destroy(struct drm_device *dev); + void drm_gem_object_release(struct drm_gem_object *obj); + void drm_gem_object_free(struct kref *kref); +-void drm_gem_object_free_unlocked(struct kref *kref); + struct drm_gem_object *drm_gem_object_alloc(struct drm_device *dev, + size_t size); + int drm_gem_object_init(struct drm_device *dev, +@@ -1457,8 +1455,12 @@ drm_gem_object_unreference(struct drm_ge + static inline void + drm_gem_object_unreference_unlocked(struct drm_gem_object *obj) + { +- if (obj != NULL) +- kref_put(&obj->refcount, drm_gem_object_free_unlocked); ++ if (obj != NULL) { ++ struct drm_device *dev = obj->dev; ++ mutex_lock(&dev->struct_mutex); ++ kref_put(&obj->refcount, drm_gem_object_free); ++ mutex_unlock(&dev->struct_mutex); ++ } + } + + int drm_gem_handle_create(struct drm_file *file_priv, 
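Review bot: drm_gem_object_unreference_unlocked() in include/drm/drmP.h now takes dev->struct_mutex on every call, not only when the last reference goes away, so any caller that already holds struct_mutex will deadlock on itself. The removed drm_gem_object_free_unlocked() carried the "must be called without holding struct_mutex" comment and nothing replaces it on the inline. I would add `/* Caller must NOT hold dev->struct_mutex; use drm_gem_object_unreference() when it is held. */` above the function. The callers are outside this hunk, so each existing use should be checked against that rule when backporting.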
diff --git a/queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch b/queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch new file mode 100644 index 00000000000..d1bf5297cc7 --- /dev/null +++ b/queue-2.6.35/drm-i915-fix-gmch-power-reporting.patch @@ -0,0 +1,47 @@ +From d270ae34eb77c58dea60e5b1e300a698d2ce39ac Mon Sep 17 00:00:00 2001 +From: Jesse Barnes +Date: Mon, 27 Sep 2010 10:35:44 -0700 +Subject: drm/i915: fix GMCH power reporting + +From: Jesse Barnes + +commit d270ae34eb77c58dea60e5b1e300a698d2ce39ac upstream. + +The IPS driver needs to know the current power consumption of the GMCH +in order to make decisions about when to increase or decrease the CPU +and/or GPU power envelope. So fix up the divisions to save the results +so the numbers are actually correct (contrary to some earlier comments +and code, these functions do not modify the first argument and use it +for the result). + +Signed-off-by: Jesse Barnes +Signed-off-by: Chris Wilson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_dma.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -1778,9 +1778,9 @@ unsigned long i915_chipset_val(struct dr + } + } + +- div_u64(diff, diff1); ++ diff = div_u64(diff, diff1); + ret = ((m * diff) + c); +- div_u64(ret, 10); ++ ret = div_u64(ret, 10); + + dev_priv->last_count1 = total_count; + dev_priv->last_time1 = now; +@@ -1849,7 +1849,7 @@ void i915_update_gfx_val(struct drm_i915 + + /* More magic constants... */ + diff = diff * 1181; +- div_u64(diff, diffms * 10); ++ diff = div_u64(diff, diffms * 10); + dev_priv->gfx_power = diff; + } + diff --git a/queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch b/queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch new file mode 100644 index 00000000000..6df8bd0c9f3 --- /dev/null 
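Review bot: Now that the quotients are stored, the divisors in `diff = div_u64(diff, diff1);` (i915_chipset_val) and `diff = div_u64(diff, diffms * 10);` (i915_update_gfx_val) feed directly into the reported power, and neither hunk shows a check that they are non-zero. Both look like elapsed-time deltas, so two calls close together could presumably produce zero; how they are computed is outside the hunks. If the surrounding code does not already guard this, add an early exit before each division, for example `if (!diffms) return;` in i915_update_gfx_val and the equivalent for `diff1` in i915_chipset_val.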
+++ b/queue-2.6.35/drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch @@ -0,0 +1,36 @@ +From 6939a5aca7cfada279a24c307e772f33104fca20 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Fri, 8 Oct 2010 13:40:27 +0100 +Subject: drm/i915: Prevent module unload to avoid random memory corruption + +From: Chris Wilson + +commit 6939a5aca7cfada279a24c307e772f33104fca20 upstream. + +The i915 driver has quite a few module unload bugs, the known ones at +least have fixes that are targeting 2.6.37. However, in order to +maintain a stable kernel, we should prevent this known random memory +corruption following driver unload. This should have very low impact on +normal users who are unlikely to need to unload the i915 driver. + +Suggested-by: Thomas Gleixner +Acked-by: Daniel Vetter +Signed-off-by: Chris Wilson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_dma.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -2222,6 +2222,9 @@ int i915_driver_load(struct drm_device * + dev_priv->mchdev_lock = &mchdev_lock; + spin_unlock(&mchdev_lock); + ++ /* XXX Prevent module unload due to memory corruption bugs. */ ++ __module_get(THIS_MODULE); ++ + return 0; + + out_workqueue_free: diff --git a/queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch b/queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch new file mode 100644 index 00000000000..b5eb2dda820 --- /dev/null +++ b/queue-2.6.35/drm-i915-sanity-check-pread-pwrite.patch 
@@ -0,0 +1,89 @@ +From ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Sun, 26 Sep 2010 20:50:05 +0100 +Subject: drm/i915: Sanity check pread/pwrite + +From: Chris Wilson + +commit ce9d419dbecc292cc3e06e8b1d6d123d3fa813a4 upstream. + +Move the access control up from the fast paths, which are no longer +universally taken first, up into the caller. This then duplicates some +sanity checking along the slow paths, but is much simpler. +Tracked as CVE-2010-2962. + +Reported-by: Kees Cook +Signed-off-by: Chris Wilson +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem.c ++++ b/drivers/gpu/drm/i915/i915_gem.c +@@ -465,8 +465,15 @@ i915_gem_pread_ioctl(struct drm_device * + */ + if (args->offset > obj->size || args->size > obj->size || + args->offset + args->size > obj->size) { +- drm_gem_object_unreference_unlocked(obj); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err; ++ } ++ ++ if (!access_ok(VERIFY_WRITE, ++ (char __user *)(uintptr_t)args->data_ptr, ++ args->size)) { ++ ret = -EFAULT; ++ goto err; + } + + if (i915_gem_object_needs_bit17_swizzle(obj)) { +@@ -478,8 +485,8 @@ i915_gem_pread_ioctl(struct drm_device * + file_priv); + } + ++err: + drm_gem_object_unreference_unlocked(obj); +- + return ret; + } + +@@ -568,8 +575,6 @@ i915_gem_gtt_pwrite_fast(struct drm_devi + + user_data = (char __user *) (uintptr_t) args->data_ptr; + remain = args->size; +- if (!access_ok(VERIFY_READ, user_data, remain)) +- return -EFAULT; + + + mutex_lock(&dev->struct_mutex); +@@ -928,8 +933,15 @@ i915_gem_pwrite_ioctl(struct drm_device + */ + if (args->offset > obj->size || args->size > obj->size || + args->offset + args->size > obj->size) { +- drm_gem_object_unreference_unlocked(obj); +- return -EINVAL; ++ ret = -EINVAL; ++ goto err; ++ } ++ ++ if (!access_ok(VERIFY_READ, ++ (char __user 
*)(uintptr_t)args->data_ptr, ++ args->size)) { ++ ret = -EFAULT; ++ goto err; + } + + /* We can only do the GTT pwrite on untiled buffers, as otherwise +@@ -963,8 +975,8 @@ i915_gem_pwrite_ioctl(struct drm_device + DRM_INFO("pwrite failed %d\n", ret); + #endif + ++err: + drm_gem_object_unreference_unlocked(obj); +- + return ret; + } + diff --git a/queue-2.6.35/drm-prune-gem-vma-entries.patch b/queue-2.6.35/drm-prune-gem-vma-entries.patch new file mode 100644 index 00000000000..a15e73e2a04 --- /dev/null +++ b/queue-2.6.35/drm-prune-gem-vma-entries.patch 
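Review bot: i915_gem_gtt_pwrite_fast() loses its own access_ok() here, so it is only safe when reached through i915_gem_pwrite_ioctl(), and nothing in the code records that contract. A comment where the check was removed, such as `/* user_data was range-checked by access_ok() in i915_gem_pwrite_ioctl() */`, would stop a later caller from handing an unvalidated pointer to the fast-path copy helpers. The access_ok() calls also depend on coming after the object bounds test, which keeps args->size no larger than obj->size; a short note to that effect is worth adding if the checks are ever reordered. As a style point, the new `err:` label is also reached on success in both ioctls, so `out:` would describe it better.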
@@ -0,0 +1,112 @@ +From 31dfbc93923c0aaa0440b809f80ff2830c6a531a Mon Sep 17 00:00:00 2001 +From: Chris Wilson +Date: Mon, 27 Sep 2010 21:28:30 +0100 +Subject: drm: Prune GEM vma entries + +From: Chris Wilson + +commit 31dfbc93923c0aaa0440b809f80ff2830c6a531a upstream. + +Hook the GEM vm open/close ops into the generic drm vm open/close so +that the private vma entries are created and destroy appropriately. +Fixes the leak of the drm_vma_entries during the lifetime of the filp. + +Reported-by: Matt Mackall +Cc: Jesse Barnes +Signed-off-by: Chris Wilson +Acked-by: Jesse Barnes +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_gem.c | 9 ++++++++- + drivers/gpu/drm/drm_vm.c | 28 ++++++++++++++++++---------- + include/drm/drmP.h | 1 + + 3 files changed, 27 insertions(+), 11 deletions(-) + +--- a/drivers/gpu/drm/drm_gem.c ++++ b/drivers/gpu/drm/drm_gem.c +@@ -517,6 +517,10 @@ void drm_gem_vm_open(struct vm_area_stru + struct drm_gem_object *obj = vma->vm_private_data; + + drm_gem_object_reference(obj); ++ ++ mutex_lock(&obj->dev->struct_mutex); ++ drm_vm_open_locked(vma); ++ mutex_unlock(&obj->dev->struct_mutex); + } + EXPORT_SYMBOL(drm_gem_vm_open); + +@@ -524,7 +528,10 @@ void drm_gem_vm_close(struct vm_area_str + { + struct drm_gem_object *obj = vma->vm_private_data; + +- drm_gem_object_unreference_unlocked(obj); ++ mutex_lock(&obj->dev->struct_mutex); ++ drm_vm_close_locked(vma); ++ drm_gem_object_unreference(obj); ++ mutex_unlock(&obj->dev->struct_mutex); + } + EXPORT_SYMBOL(drm_gem_vm_close); + +--- a/drivers/gpu/drm/drm_vm.c ++++ b/drivers/gpu/drm/drm_vm.c +@@ -433,15 +433,7 @@ static void drm_vm_open(struct vm_area_s + mutex_unlock(&dev->struct_mutex); + } + +-/** +- * \c close method for all virtual memory types. +- * +- * \param vma virtual memory area. +- * +- * Search the \p vma private data entry in drm_device::vmalist, unlink it, and +- * free it. 
+- */ +-static void drm_vm_close(struct vm_area_struct *vma) ++void drm_vm_close_locked(struct vm_area_struct *vma) + { + struct drm_file *priv = vma->vm_file->private_data; + struct drm_device *dev = priv->minor->dev; +@@ -451,7 +443,6 @@ static void drm_vm_close(struct vm_area_ + vma->vm_start, vma->vm_end - vma->vm_start); + atomic_dec(&dev->vma_count); + +- mutex_lock(&dev->struct_mutex); + list_for_each_entry_safe(pt, temp, &dev->vmalist, head) { + if (pt->vma == vma) { + list_del(&pt->head); +@@ -459,6 +450,23 @@ static void drm_vm_close(struct vm_area_ + break; + } + } ++} ++ ++/** ++ * \c close method for all virtual memory types. ++ * ++ * \param vma virtual memory area. ++ * ++ * Search the \p vma private data entry in drm_device::vmalist, unlink it, and ++ * free it. ++ */ ++static void drm_vm_close(struct vm_area_struct *vma) ++{ ++ struct drm_file *priv = vma->vm_file->private_data; ++ struct drm_device *dev = priv->minor->dev; ++ ++ mutex_lock(&dev->struct_mutex); ++ drm_vm_close_locked(vma); + mutex_unlock(&dev->struct_mutex); + } + +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -1149,6 +1149,7 @@ extern int drm_release(struct inode *ino + extern int drm_mmap(struct file *filp, struct vm_area_struct *vma); + extern int drm_mmap_locked(struct file *filp, struct vm_area_struct *vma); + extern void drm_vm_open_locked(struct vm_area_struct *vma); ++extern void drm_vm_close_locked(struct vm_area_struct *vma); + extern resource_size_t drm_core_get_map_ofs(struct drm_local_map * map); + extern resource_size_t drm_core_get_reg_ofs(struct drm_device *dev); + extern unsigned int drm_poll(struct file *filp, struct poll_table_struct *wait); diff --git a/queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch b/queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch new file mode 100644 index 00000000000..7a1439ad3dd --- /dev/null +++ b/queue-2.6.35/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch 
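Review bot: In the new drm_gem_vm_close(), `drm_gem_object_unreference(obj);` may drop the last reference and free the object, and the next line then reads `obj->dev` again for `mutex_unlock(&obj->dev->struct_mutex);`, which would be a use-after-free. Caching the device first avoids it: `struct drm_device *dev = obj->dev;` at the top, then `mutex_lock(&dev->struct_mutex);` and `mutex_unlock(&dev->struct_mutex);`. Separately, drm_vm_close_locked() is now non-static and declared in drmP.h, but the kernel-doc block stayed with the static drm_vm_close() wrapper; since it edits dev->vmalist without locking, it should carry `/* Caller must hold dev->struct_mutex. */`.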
@@ -0,0 +1,36 @@ +From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Sat, 25 Sep 2010 17:45:50 +1000 +Subject: drm/radeon: fix PCI ID 5657 to be an RV410 + +From: Dave Airlie + +commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream. + +fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012 + +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + include/drm/drm_pciids.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -85,7 +85,6 @@ + {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ +- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ +@@ -103,6 +102,7 @@ + {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ ++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \ + {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \ 
diff --git a/queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch b/queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch new file mode 100644 index 00000000000..3bc76ce484d --- /dev/null +++ b/queue-2.6.35/drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch @@ -0,0 +1,39 @@ +From f36fce0f49ed40f3e843d45fa53d476d63444b58 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Sep 2010 11:33:00 -0400 +Subject: drm/radeon/kms: add quirk for MSI K9A2GM motherboard + +From: Alex Deucher + +commit f36fce0f49ed40f3e843d45fa53d476d63444b58 upstream. + +Board has no digital connectors + +Reported-by: Andy Walls +Tested-by: Andy Walls +Signed-off-by: Alex Deucher +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_atombios.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_atombios.c ++++ b/drivers/gpu/drm/radeon/radeon_atombios.c +@@ -226,6 +226,15 @@ static bool radeon_atom_apply_quirks(str + *connector_type = DRM_MODE_CONNECTOR_DVID; + } + ++ /* MSI K9A2GM V2/V3 board has no HDMI or DVI */ ++ if ((dev->pdev->device == 0x796e) && ++ (dev->pdev->subsystem_vendor == 0x1462) && ++ (dev->pdev->subsystem_device == 0x7302)) { ++ if ((supported_device == ATOM_DEVICE_DFP2_SUPPORT) || ++ (supported_device == ATOM_DEVICE_DFP3_SUPPORT)) ++ return false; ++ } ++ + /* a-bit f-i90hd - ciaranm on #radeonhd - this board has no DVI */ + if ((dev->pdev->device == 0x7941) && + (dev->pdev->subsystem_vendor == 0x147b) && diff --git a/queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch b/queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch new file mode 100644 index 00000000000..2e535aebd86 --- /dev/null +++ b/queue-2.6.35/drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch 
@@ -0,0 +1,42 @@ +From alexdeucher@gmail.com Tue Oct 19 17:38:17 2010 +From: Alex Deucher +Date: Tue, 12 Oct 2010 12:20:31 -0400 +Subject: drm/radeon/kms: fix possible sigbus in evergreen accel code +To: airlied@gmail.com, dri-devel@lists.freedesktop.org +Cc: Alex Deucher , stable@kernel.org +Message-ID: <1286900431-7497-1-git-send-email-alexdeucher@gmail.com> + +From: Alex Deucher + +Not upstream in Linus's tree as it was fixed by a much more intrusive +patch in a different manner, commit c919b371cb734f42b11 + + +2.6.35 and 2.6.36 do not contain blit support for evergreen +asics so if they use unmappable vram, you can end up with an +unreachable buffer address. This should not be applied to drm-next +as that tree already contains evergreen blit support. This should +only be applied to the 2.6.35 and 2.6.36 stable trees. + +Fixes: +https://bugs.freedesktop.org/show_bug.cgi?id=30188 + +Signed-off-by: Alex Deucher +Acked-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/evergreen.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/radeon/evergreen.c ++++ b/drivers/gpu/drm/radeon/evergreen.c +@@ -1389,6 +1389,8 @@ int evergreen_mc_init(struct radeon_devi + rdev->mc.mc_vram_size = RREG32(CONFIG_MEMSIZE) * 1024 * 1024; + rdev->mc.real_vram_size = RREG32(CONFIG_MEMSIZE) * 1024 * 1024; + rdev->mc.visible_vram_size = rdev->mc.aper_size; ++ /* limit it to the aperture size for now as there is no blit support in 2.6.35/36*/ ++ rdev->mc.real_vram_size = rdev->mc.visible_vram_size; + r600_vram_gtt_location(rdev, &rdev->mc); + radeon_update_bandwidth_info(rdev); + diff --git a/queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch b/queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch new file mode 100644 index 00000000000..46f0331a393 --- /dev/null +++ b/queue-2.6.35/drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch 
@@ -0,0 +1,37 @@ +From e488459a0e131acc9e14df093cfee740bc431953 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Mon, 27 Sep 2010 10:57:10 -0400 +Subject: drm/radeon/kms: fix potential segfault in r600_ioctl_wait_idle + +From: Alex Deucher + +commit e488459a0e131acc9e14df093cfee740bc431953 upstream. + +radeon_gem_wait_idle_ioctl can apparently get called prior to +the vram page being set up or even if accel if false, so make +sure it's valid before using it. + +Should fix: +http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=597636 +https://bugs.freedesktop.org/show_bug.cgi?id=29834 + +Signed-off-by: Alex Deucher +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/r600.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/r600.c ++++ b/drivers/gpu/drm/radeon/r600.c +@@ -3522,7 +3522,8 @@ void r600_ioctl_wait_idle(struct radeon_ + /* r7xx hw bug. write to HDP_DEBUG1 followed by fb read + * rather than write to HDP_REG_COHERENCY_FLUSH_CNTL + */ +- if ((rdev->family >= CHIP_RV770) && (rdev->family <= CHIP_RV740)) { ++ if ((rdev->family >= CHIP_RV770) && (rdev->family <= CHIP_RV740) && ++ rdev->vram_scratch.ptr) { + void __iomem *ptr = (void *)rdev->vram_scratch.ptr; + u32 tmp; + diff --git a/queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch b/queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch new file mode 100644 index 00000000000..4dbb99369b3 --- /dev/null +++ b/queue-2.6.35/drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch 
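Review bot: When `rdev->vram_scratch.ptr` is NULL on an RV770 to RV740 part, the extended condition in r600_ioctl_wait_idle() now fails and control falls to the else branch, which is outside this hunk. The comment directly above says these chips should use the HDP_DEBUG1 write plus framebuffer read rather than the HDP_REG_COHERENCY_FLUSH_CNTL write, so if the else branch is that register write, the NULL case swaps a crash for the path the comment calls a hardware bug. Either skip the flush when the scratch page is missing or extend the comment to say the fallback is deliberate, for example `/* no scratch page yet (accel not initialised): fall through to the register flush */`.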
@@ -0,0 +1,31 @@ +From 73758a5d51280ca0613b8380fc07351f4d64f9c8 Mon Sep 17 00:00:00 2001 +From: Alex Deucher +Date: Fri, 24 Sep 2010 14:59:32 -0400 +Subject: drm/radeon/kms: fix up encoder info messages for DFP6 + +From: Alex Deucher + +commit 73758a5d51280ca0613b8380fc07351f4d64f9c8 upstream. + +encoder info was not printed properly on boards using the +DFP6 id. + +Signed-off-by: Alex Deucher +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_display.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/gpu/drm/radeon/radeon_display.c ++++ b/drivers/gpu/drm/radeon/radeon_display.c +@@ -349,6 +349,8 @@ static void radeon_print_display_setup(s + DRM_INFO(" DFP4: %s\n", encoder_names[radeon_encoder->encoder_id]); + if (devices & ATOM_DEVICE_DFP5_SUPPORT) + DRM_INFO(" DFP5: %s\n", encoder_names[radeon_encoder->encoder_id]); ++ if (devices & ATOM_DEVICE_DFP6_SUPPORT) ++ DRM_INFO(" DFP6: %s\n", encoder_names[radeon_encoder->encoder_id]); + if (devices & ATOM_DEVICE_TV1_SUPPORT) + DRM_INFO(" TV1: %s\n", encoder_names[radeon_encoder->encoder_id]); + if (devices & ATOM_DEVICE_CV_SUPPORT) diff --git a/queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch b/queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch new file mode 100644 index 00000000000..a0ea428fe51 --- /dev/null +++ b/queue-2.6.35/firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch 
@@ -0,0 +1,83 @@ +From aa0170fff3c26bf2b42159af2dd9cf86444c292a Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Sun, 17 Oct 2010 14:09:12 +0200 +Subject: firewire: ohci: fix TI TSB82AA2 regression since 2.6.35 + +From: Stefan Richter + +commit aa0170fff3c26bf2b42159af2dd9cf86444c292a upstream. + +Revert commit 54672386ccf36ffa21d1de8e75624af83f9b0eeb +"firewire: ohci: fix up configuration of TI chips". +It caused massive slow-down and data corruption with a TSB82AA2 based +StarTech EC1394B2 ExpressCard and FireWire 800 harddisks. + +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/657081 +http://thread.gmane.org/gmane.linux.kernel.firewire.user/4013 + +The fact that some card EEPROMs do not program these enhancements may be +related to TSB81BA3 phy chip errata, if not to bugs of TSB82AA2 itself. +We could re-add these configuration steps, but only conditional on a +whitelist of cards on which these enhancements bring a proven positive +effect. + +Reported-and-tested-by: Eric Shattow +Cc: Clemens Ladisch +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/ohci.c | 19 +------------------ + drivers/firewire/ohci.h | 8 -------- + 2 files changed, 1 insertion(+), 26 deletions(-) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -2439,7 +2439,7 @@ static int __devinit pci_probe(struct pc + const struct pci_device_id *ent) + { + struct fw_ohci *ohci; +- u32 bus_options, max_receive, link_speed, version, link_enh; ++ u32 bus_options, max_receive, link_speed, version; + u64 guid; + int i, err, n_ir, n_it; + size_t size; +@@ -2492,23 +2492,6 @@ static int __devinit pci_probe(struct pc + if (param_quirks) + ohci->quirks = param_quirks; + +- /* TI OHCI-Lynx and compatible: set recommended configuration bits. 
*/ +- if (dev->vendor == PCI_VENDOR_ID_TI) { +- pci_read_config_dword(dev, PCI_CFG_TI_LinkEnh, &link_enh); +- +- /* adjust latency of ATx FIFO: use 1.7 KB threshold */ +- link_enh &= ~TI_LinkEnh_atx_thresh_mask; +- link_enh |= TI_LinkEnh_atx_thresh_1_7K; +- +- /* use priority arbitration for asynchronous responses */ +- link_enh |= TI_LinkEnh_enab_unfair; +- +- /* required for aPhyEnhanceEnable to work */ +- link_enh |= TI_LinkEnh_enab_accel; +- +- pci_write_config_dword(dev, PCI_CFG_TI_LinkEnh, link_enh); +- } +- + ar_context_init(&ohci->ar_request_ctx, ohci, + OHCI1394_AsReqRcvContextControlSet); + +--- a/drivers/firewire/ohci.h ++++ b/drivers/firewire/ohci.h +@@ -154,12 +154,4 @@ + + #define OHCI1394_phy_tcode 0xe + +-/* TI extensions */ +- +-#define PCI_CFG_TI_LinkEnh 0xf4 +-#define TI_LinkEnh_enab_accel 0x00000002 +-#define TI_LinkEnh_enab_unfair 0x00000080 +-#define TI_LinkEnh_atx_thresh_mask 0x00003000 +-#define TI_LinkEnh_atx_thresh_1_7K 0x00001000 +- + #endif /* _FIREWIRE_OHCI_H */ diff --git a/queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch b/queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch new file mode 100644 index 00000000000..0d3a15bbfa8 --- /dev/null +++ b/queue-2.6.35/hrtimer-preserve-timer-state-in-remove_hrtimer.patch 
@@ -0,0 +1,88 @@ +From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001 +From: Salman Qazi +Date: Tue, 12 Oct 2010 07:25:19 -0700 +Subject: hrtimer: Preserve timer state in remove_hrtimer() + +From: Salman Qazi + +commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream. + +The race is described as follows: + +CPU X CPU Y +remove_hrtimer +// state & QUEUED == 0 +timer->state = CALLBACK +unlock timer base +timer->f(n) //very long + hrtimer_start + lock timer base + remove_hrtimer // no effect + hrtimer_enqueue + timer->state = CALLBACK | + QUEUED + unlock timer base + hrtimer_start + lock timer base + remove_hrtimer + mode = INACTIVE + // CALLBACK bit lost! + switch_hrtimer_base + CALLBACK bit not set: + timer->base + changes to a + different CPU. +lock this CPU's timer base + +The bug was introduced with commit ca109491f (hrtimer: removing all ur +callback modes) in 2.6.29 + +[ tglx: Feed new state via local variable and add a comment. ] + +Signed-off-by: Salman Qazi +Cc: akpm@linux-foundation.org +Cc: Peter Zijlstra +LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -936,6 +936,7 @@ static inline int + remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base) + { + if (hrtimer_is_queued(timer)) { ++ unsigned long state; + int reprogram; + + /* +@@ -949,8 +950,13 @@ remove_hrtimer(struct hrtimer *timer, st + debug_deactivate(timer); + timer_stats_hrtimer_clear_start_info(timer); + reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); +- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, +- reprogram); ++ /* ++ * We must preserve the CALLBACK state flag here, ++ * otherwise we could move the timer base in ++ * switch_hrtimer_base. 
++ */ ++ state = timer->state & HRTIMER_STATE_CALLBACK; ++ __remove_hrtimer(timer, base, state, reprogram); + return 1; + } + return 0; +@@ -1237,6 +1243,9 @@ static void __run_hrtimer(struct hrtimer + BUG_ON(timer->state != HRTIMER_STATE_CALLBACK); + enqueue_hrtimer(timer, base); + } ++ ++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK)); ++ + timer->state &= ~HRTIMER_STATE_CALLBACK; + } + diff --git a/queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch b/queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch new file mode 100644 index 00000000000..a5f6c28f5f0 --- /dev/null +++ b/queue-2.6.35/i2c-pca-fix-waitforcompletion-return-value.patch 
@@ -0,0 +1,86 @@ +From 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 Mon Sep 17 00:00:00 2001 +From: Yegor Yefremov +Date: Thu, 30 Sep 2010 14:14:22 +0200 +Subject: i2c-pca: Fix waitforcompletion() return value + +From: Yegor Yefremov + +commit 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 upstream. + +ret is still -1, if during the polling read_byte() returns at once +with I2C_PCA_CON_SI set. So ret > 0 would lead *_waitforcompletion() +to return 0, in spite of the proper behavior. + +The routine was rewritten, so that ret has always a proper value, +before returning. + +Signed-off-by: Yegor Yefremov +Reviewed-by: Wolfram Sang +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-pca-isa.c | 12 ++++++++---- + drivers/i2c/busses/i2c-pca-platform.c | 11 +++++++---- + 2 files changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/i2c/busses/i2c-pca-isa.c ++++ b/drivers/i2c/busses/i2c-pca-isa.c +@@ -71,8 +71,8 @@ static int pca_isa_readbyte(void *pd, in + + static int pca_isa_waitforcompletion(void *pd) + { +- long ret = ~0; + unsigned long timeout; ++ long ret; + + if (irq > -1) { + ret = wait_event_timeout(pca_wait, +@@ -81,11 +81,15 @@ static int pca_isa_waitforcompletion(voi + } else { + /* Do polling */ + timeout = jiffies + pca_isa_ops.timeout; +- while (((pca_isa_readbyte(pd, I2C_PCA_CON) +- & I2C_PCA_CON_SI) == 0) +- && (ret = time_before(jiffies, timeout))) ++ do { ++ ret = time_before(jiffies, timeout); ++ if (pca_isa_readbyte(pd, I2C_PCA_CON) ++ & I2C_PCA_CON_SI) ++ break; + udelay(100); ++ } while (ret); + } ++ + return ret > 0; + } + +--- a/drivers/i2c/busses/i2c-pca-platform.c ++++ b/drivers/i2c/busses/i2c-pca-platform.c +@@ -80,8 +80,8 @@ static void i2c_pca_pf_writebyte32(void + static int i2c_pca_pf_waitforcompletion(void *pd) + { + struct i2c_pca_pf_data *i2c = pd; +- long ret = ~0; + unsigned long timeout; ++ long ret; + + if (i2c->irq) { + ret = wait_event_timeout(i2c->wait, +@@ -90,10 +90,13 @@ static int 
i2c_pca_pf_waitforcompletion( + } else { + /* Do polling */ + timeout = jiffies + i2c->adap.timeout; +- while (((i2c->algo_data.read_byte(i2c, I2C_PCA_CON) +- & I2C_PCA_CON_SI) == 0) +- && (ret = time_before(jiffies, timeout))) ++ do { ++ ret = time_before(jiffies, timeout); ++ if (i2c->algo_data.read_byte(i2c, I2C_PCA_CON) ++ & I2C_PCA_CON_SI) ++ break; + udelay(100); ++ } while (ret); + } + + return ret > 0; diff --git a/queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch b/queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch new file mode 100644 index 00000000000..98c6a970a34 --- /dev/null +++ b/queue-2.6.35/input-joydev-fix-jsiocsaxmap-ioctl.patch @@ -0,0 +1,33 @@ +From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001 +From: Kenneth Waters +Date: Tue, 21 Sep 2010 00:58:23 -0700 +Subject: Input: joydev - fix JSIOCSAXMAP ioctl + +From: Kenneth Waters + +commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream. + +Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to +event axis in addition to abspam. This fixes a regression introduced +by 999b874f. + +Signed-off-by: Kenneth Waters +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joydev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -483,6 +483,9 @@ static int joydev_handle_JSIOCSAXMAP(str + + memcpy(joydev->abspam, abspam, len); + ++ for (i = 0; i < joydev->nabs; i++) ++ joydev->absmap[joydev->abspam[i]] = i; ++ + out: + kfree(abspam); + return retval; diff --git a/queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch b/queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch new file mode 100644 index 00000000000..f9bc06d31d4 --- /dev/null +++ b/queue-2.6.35/input-wacom-fix-pressure-in-cintiq-21ux2.patch 
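Review bot: In both rewritten polling loops `ret = time_before(jiffies, timeout)` is sampled before the status read, so a completion first seen on an iteration where the deadline has already passed still returns 0, i.e. a timeout. This applies to pca_isa_waitforcompletion() and i2c_pca_pf_waitforcompletion() alike. If that conservative result is intended, say so next to the `break`: `/* SI seen after the deadline is still reported as a timeout */`. If it is not, make the success explicit, e.g. `if (pca_isa_readbyte(pd, I2C_PCA_CON) & I2C_PCA_CON_SI) { ret = 1; break; }`, with the same change in the platform driver.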
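Review bot: The added loop uses each `joydev->abspam[i]` as an index into `joydev->absmap[]`, and those values arrive through this ioctl from user space; the range check on them is not visible in the hunk. joydev_handle_JSIOCSAXMAP() starts above the hunk, so confirm there that every entry is rejected when it exceeds the last valid absmap index before the `memcpy()` runs, because an unchecked entry would turn this loop into an out-of-bounds write. A comment on the loop would pin the dependency: `/* abspam[] entries were range-checked above; they index absmap[] */`.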
@@ -0,0 +1,35 @@
+From ca047fedd89bbb4b79b61e0656a7b799e4e45e6d Mon Sep 17 00:00:00 2001
+From: Aristeu Rozanski
+Date: Sun, 10 Oct 2010 14:12:33 -0700
+Subject: Input: wacom - fix pressure in Cintiq 21UX2
+
+From: Aristeu Rozanski
+
+commit ca047fedd89bbb4b79b61e0656a7b799e4e45e6d upstream.
+
+Currently the pressure range in Cintiq 21UX2 is limited to half of the
+supported. This patch fixes the problem.
+
+Signed-off-by: Aristeu Rozanski
+Acked-by: Ping Cheng
+Signed-off-by: Dmitry Torokhov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/input/tablet/wacom_wac.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+--- a/drivers/input/tablet/wacom_wac.c
++++ b/drivers/input/tablet/wacom_wac.c
+@@ -409,8 +409,10 @@ static void wacom_intuos_general(struct
+ /* general pen packet */
+ if ((data[1] & 0xb8) == 0xa0) {
+ t = (data[6] << 2) | ((data[7] >> 6) & 3);
+- if (features->type >= INTUOS4S && features->type <= INTUOS4L)
++ if ((features->type >= INTUOS4S && features->type <= INTUOS4L) ||
++ features->type == WACOM_21UX2) {
+ t = (t << 1) | (data[1] & 1);
++ }
+ input_report_abs(input, ABS_PRESSURE, t);
+ input_report_abs(input, ABS_TILT_X,
+ ((data[7] << 1) & 0x7e) | (data[8] >> 7));
diff --git a/queue-2.6.35/ioat2-fix-performance-regression.patch b/queue-2.6.35/ioat2-fix-performance-regression.patch
new file mode 100644
index 00000000000..f9c206f2bb7
--- /dev/null
+++ b/queue-2.6.35/ioat2-fix-performance-regression.patch
@@ -0,0 +1,48 @@
+From c50a898fd4e736623ee175920db056194e0bb483 Mon Sep 17 00:00:00 2001
+From: Dan Williams
+Date: Wed, 13 Oct 2010 15:43:10 -0700
+Subject: ioat2: fix performance regression
+
+From: Dan Williams
+
+commit c50a898fd4e736623ee175920db056194e0bb483 upstream.
+
+Commit 0793448 "DMAENGINE: generic channel status v2" changed the interface for
+how dma channel progress is retrieved. It inadvertently exported an internal
+helper function ioat_tx_status() instead of ioat_dma_tx_status(). The latter
+polls the hardware to get the latest completion state, while the helper just
+evaluates the current state without touching hardware. The effect is that we
+end up waiting for completion timeouts or descriptor allocation errors before
+the completion state is updated.
+
+iperf (before fix):
+[SUM] 0.0-41.3 sec 364 MBytes 73.9 Mbits/sec
+
+iperf (after fix):
+[SUM] 0.0- 4.5 sec 499 MBytes 940 Mbits/sec
+
+This is a regression starting with 2.6.35.
+
+Cc: Dave Jiang
+Cc: Jesse Brandeburg
+Cc: Linus Walleij
+Cc: Maciej Sosnowski
+Reported-by: Richard Scobie
+Signed-off-by: Dan Williams
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/dma/ioat/dma_v2.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/dma/ioat/dma_v2.c
++++ b/drivers/dma/ioat/dma_v2.c
+@@ -879,7 +879,7 @@ int __devinit ioat2_dma_probe(struct ioa
+ dma->device_issue_pending = ioat2_issue_pending;
+ dma->device_alloc_chan_resources = ioat2_alloc_chan_resources;
+ dma->device_free_chan_resources = ioat2_free_chan_resources;
+- dma->device_tx_status = ioat_tx_status;
++ dma->device_tx_status = ioat_dma_tx_status;
+
+ err = ioat_probe(device);
+ if (err)
diff --git a/queue-2.6.35/mac80211-fix-use-after-free.patch b/queue-2.6.35/mac80211-fix-use-after-free.patch
new file mode 100644
index 00000000000..85871a41579
--- /dev/null
+++ b/queue-2.6.35/mac80211-fix-use-after-free.patch
@@ -0,0 +1,58 @@
+From cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 24 Sep 2010 11:20:47 +0200
+Subject: mac80211: fix use-after-free
+
+From: Johannes Berg
+
+commit cd87a2d3a33d75a646f1aa1aa2ee5bf712d6f963 upstream.
+
+commit 8c0c709eea5cbab97fb464cd68b06f24acc58ee1
+Author: Johannes Berg
+Date: Wed Nov 25 17:46:15 2009 +0100
+
+ mac80211: move cmntr flag out of rx flags
+
+moved the CMTR flag into the skb's status, and
+in doing so introduced a use-after-free -- when
+the skb has been handed to cooked monitors the
+status setting will touch now invalid memory.
+
+Additionally, moving it there has effectively
+discarded the optimisation -- since the bit is
+only ever set on freed SKBs, and those were a
+copy, it could never be checked.
+
+For the current release, fixing this properly
+is a bit too involved, so let's just remove the
+problematic code and leave userspace with one
+copy of each frame for each virtual interface.
+
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/mac80211/rx.c | 4 ----
+ 1 file changed, 4 deletions(-)
+
+--- a/net/mac80211/rx.c
++++ b/net/mac80211/rx.c
+@@ -2156,9 +2156,6 @@ static void ieee80211_rx_cooked_monitor(
+ struct net_device *prev_dev = NULL;
+ struct ieee80211_rx_status *status = IEEE80211_SKB_RXCB(skb);
+
+- if (status->flag & RX_FLAG_INTERNAL_CMTR)
+- goto out_free_skb;
+-
+ if (skb_headroom(skb) < sizeof(*rthdr) &&
+ pskb_expand_head(skb, sizeof(*rthdr), 0, GFP_ATOMIC))
+ goto out_free_skb;
+@@ -2217,7 +2214,6 @@ static void ieee80211_rx_cooked_monitor(
+ } else
+ goto out_free_skb;
+
+- status->flag |= RX_FLAG_INTERNAL_CMTR;
+ return;
+
+ out_free_skb:
diff --git a/queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch b/queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch
new file mode 100644
index 00000000000..76d62c33b82
--- /dev/null
+++ b/queue-2.6.35/mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch
@@ -0,0 +1,39 @@
+From c9d66d3515bbb0ad8062721487de7ade02d2b936 Mon Sep 17 00:00:00 2001
+From: Mark Brown
+Date: Mon, 16 Aug 2010 20:26:51 +0100
+Subject: mfd: Ignore non-GPIO IRQs when setting wm831x IRQ types
+
+From: Mark Brown
+
+commit c9d66d3515bbb0ad8062721487de7ade02d2b936 upstream.
+
+The driver was originally tested with an additional patch which
+made this unneeded but that patch had issuges and got lost on the
+way to mainline, causing problems when the errors are reported.
+
+Signed-off-by: Mark Brown
+Signed-off-by: Samuel Ortiz
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/mfd/wm831x-irq.c | 9 +++++++--
+ 1 file changed, 7 insertions(+), 2 deletions(-)
+
+--- a/drivers/mfd/wm831x-irq.c
++++ b/drivers/mfd/wm831x-irq.c
+@@ -394,8 +394,13 @@ static int wm831x_irq_set_type(unsigned
+
+ irq = irq - wm831x->irq_base;
+
+- if (irq < WM831X_IRQ_GPIO_1 || irq > WM831X_IRQ_GPIO_11)
+- return -EINVAL;
++ if (irq < WM831X_IRQ_GPIO_1 || irq > WM831X_IRQ_GPIO_11) {
++ /* Ignore internal-only IRQs */
++ if (irq >= 0 && irq < WM831X_NUM_IRQS)
++ return 0;
++ else
++ return -EINVAL;
++ }
+
+ switch (type) {
+ case IRQ_TYPE_EDGE_BOTH:
diff --git a/queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch b/queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
new file mode 100644
index 00000000000..d49b6f1b8ea
--- /dev/null
+++ b/queue-2.6.35/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch
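Review bot: `irq >= 0` in the added inner test can never be false if `irq` is the unsigned parameter that the truncated signature in the hunk header suggests. After `irq = irq - wm831x->irq_base`, a number below the base would wrap to a large value, so the upper bound alone rejects it. The test reads more honestly as `if (irq < WM831X_NUM_IRQS) return 0;` followed by `return -EINVAL;`, which also drops the `else` after `return`. wm831x_irq_set_type() begins and continues outside the hunk, so the declared type of `irq` should be confirmed there.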
@@ -0,0 +1,33 @@
+From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001
+From: Joel Becker
+Date: Wed, 29 Sep 2010 17:33:05 -0700
+Subject: ocfs2: Don't walk off the end of fast symlinks.
+
+From: Joel Becker
+
+commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream.
+
+ocfs2 fast symlinks are NUL terminated strings stored inline in the
+inode data area. However, disk corruption or a local attacker could, in
+theory, remove that NUL. Because we're using strlen() (my fault,
+introduced in a731d1 when removing vfs_follow_link()), we could walk off
+the end of that string.
+
+Signed-off-by: Joel Becker
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/ocfs2/symlink.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/ocfs2/symlink.c
++++ b/fs/ocfs2/symlink.c
+@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru
+ }
+
+ /* Fast symlinks can't be large */
+- len = strlen(target);
++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb));
+ link = kzalloc(len + 1, GFP_NOFS);
+ if (!link) {
+ status = -ENOMEM;
diff --git a/queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch b/queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch
new file mode 100644
index 00000000000..9070be627da
--- /dev/null
+++ b/queue-2.6.35/oss-soundcard-locking-bug-in-sound_ioctl.patch
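Review bot: A fast symlink that has lost its terminator is now followed as a truncated target rather than reported. When `strnlen()` returns the full `ocfs2_fast_symlink_chars(inode->i_sb)` bound, the inline data holds no NUL, which the commit message attributes to corruption or tampering. The copy into `link` lies below the hunk; it should copy exactly `len` bytes and rely on `kzalloc()` for the terminator, since `target[len]` may lie outside the inline area. A comment above the call would record the reason for the bound: `/* target may lack its NUL on a damaged inode; never read past the inline area */`.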
@@ -0,0 +1,40 @@
+From d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 Mon Sep 17 00:00:00 2001
+From: Dan Carpenter
+Date: Sun, 10 Oct 2010 19:33:52 +0200
+Subject: OSS: soundcard: locking bug in sound_ioctl()
+
+From: Dan Carpenter
+
+commit d4cfa4d12f46e2520f4c1d1a92e891ce068b7464 upstream.
+
+We shouldn't return directly here because we're still holding the
+&soundcard_mutex.
+
+This bug goes all the way back to the start of git. It's strange that
+no one has complained about it as a runtime bug.
+
+Signed-off-by: Dan Carpenter
+Acked-by: Arnd Bergmann
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/oss/soundcard.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/sound/oss/soundcard.c
++++ b/sound/oss/soundcard.c
+@@ -389,11 +389,11 @@ static long sound_ioctl(struct file *fil
+ case SND_DEV_DSP:
+ case SND_DEV_DSP16:
+ case SND_DEV_AUDIO:
+- return audio_ioctl(dev, file, cmd, p);
++ ret = audio_ioctl(dev, file, cmd, p);
+ break;
+
+ case SND_DEV_MIDIN:
+- return MIDIbuf_ioctl(dev, file, cmd, p);
++ ret = MIDIbuf_ioctl(dev, file, cmd, p);
+ break;
+
+ }
diff --git a/queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch b/queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
new file mode 100644
index 00000000000..54e3a5082cc
--- /dev/null
+++ b/queue-2.6.35/reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch
@@ -0,0 +1,98 @@ +From 3f259d092c7a2fdf217823e8f1838530adb0cdb0 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Thu, 30 Sep 2010 15:15:37 -0700 +Subject: reiserfs: fix dependency inversion between inode and reiserfs mutexes + +From: Frederic Weisbecker + +commit 3f259d092c7a2fdf217823e8f1838530adb0cdb0 upstream. + +The reiserfs mutex already depends on the inode mutex, so we can't lock +the inode mutex in reiserfs_unpack() without using the safe locking API, +because reiserfs_unpack() is always called with the reiserfs mutex locked. + +This fixes: + + ======================================================= + [ INFO: possible circular locking dependency detected ] + 2.6.35c #13 + ------------------------------------------------------- + lilo/1606 is trying to acquire lock: + (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x60/0x110 [reiserfs] + + but task is already holding lock: + (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_write_lock+0x28/0x40 [reiserfs] + [] reiserfs_lookup_privroot+0x2a/0x90 [reiserfs] + [] reiserfs_fill_super+0x941/0xe60 [reiserfs] + [] get_sb_bdev+0x117/0x170 + [] get_super_block+0x21/0x30 [reiserfs] + [] vfs_kern_mount+0x6a/0x1b0 + [] do_kern_mount+0x39/0xe0 + [] do_mount+0x340/0x790 + [] sys_mount+0x84/0xb0 + [] syscall_call+0x7/0xb + + -> #0 (&sb->s_type->i_mutex_key#8){+.+.+.}: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_unpack+0x60/0x110 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + + other info that might help us debug this: + + 1 lock held by lilo/1606: + #0: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + stack backtrace: + Pid: 1606, comm: lilo Not tainted 2.6.35c #13 + Call Trace: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_unpack+0x60/0x110 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + +Reported-by: Jarek Poplawski +Tested-by: Jarek Poplawski +Signed-off-by: Frederic Weisbecker +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/ioctl.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/reiserfs/ioctl.c ++++ b/fs/reiserfs/ioctl.c +@@ -188,7 +188,7 @@ int reiserfs_unpack(struct inode *inode, + /* we need to make sure nobody is changing the file size beneath + ** us + */ +- 
mutex_lock(&inode->i_mutex); ++ reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb); + reiserfs_write_lock(inode->i_sb); + + write_from = inode->i_size & (blocksize - 1); diff --git a/queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch b/queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch new file mode 100644 index 00000000000..e7f39900857 --- /dev/null +++ b/queue-2.6.35/reiserfs-fix-unwanted-reiserfs-lock-recursion.patch 
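Review bot: The comment kept above the changed line in reiserfs_unpack() explains only why i_mutex is taken, not why a plain `mutex_lock()` is wrong here, so the lock-ordering rule the fix depends on lives only in the commit message. I would extend that comment with something like `/* callers already hold the reiserfs write lock, which depends on i_mutex: take i_mutex via the _safe helper */`. The function starts and ends outside the hunk, so the matching unlock order at its exit is not visible here.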
@@ -0,0 +1,129 @@ +From 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Thu, 30 Sep 2010 15:15:38 -0700 +Subject: reiserfs: fix unwanted reiserfs lock recursion + +From: Frederic Weisbecker + +commit 9d8117e72bf453dd9d85e0cd322ce4a0f8bccbc0 upstream. + +Prevent from recursively locking the reiserfs lock in reiserfs_unpack() +because we may call journal_begin() that requires the lock to be taken +only once, otherwise it won't be able to release the lock while taking +other mutexes, ending up in inverted dependencies between the journal +mutex and the reiserfs lock for example. + +This fixes: + + ======================================================= + [ INFO: possible circular locking dependency detected ] + 2.6.35.4.4a #3 + ------------------------------------------------------- + lilo/1620 is trying to acquire lock: + (&journal->j_mutex){+.+...}, at: [] do_journal_begin_r+0x7f/0x340 [reiserfs] + + but task is already holding lock: + (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + which lock already depends on the new lock. 
+ + the existing dependency chain (in reverse order) is: + + -> #1 (&REISERFS_SB(s)->lock){+.+.+.}: + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] reiserfs_write_lock+0x28/0x40 [reiserfs] + [] do_journal_begin_r+0x86/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_remount+0x224/0x530 [reiserfs] + [] do_remount_sb+0x60/0x110 + [] do_mount+0x625/0x790 + [] sys_mount+0x84/0xb0 + [] syscall_call+0x7/0xb + + -> #0 (&journal->j_mutex){+.+...}: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] do_journal_begin_r+0x7f/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] + [] reiserfs_get_block+0x22c/0x1530 [reiserfs] + [] __block_prepare_write+0x1bb/0x3a0 + [] block_prepare_write+0x26/0x40 + [] reiserfs_prepare_write+0x88/0x170 [reiserfs] + [] reiserfs_unpack+0xe6/0x120 [reiserfs] + [] reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + + other info that might help us debug this: + + 2 locks held by lilo/1620: + #0: (&sb->s_type->i_mutex_key#8){+.+.+.}, at: [] reiserfs_unpack+0x6a/0x120 [reiserfs] + #1: (&REISERFS_SB(s)->lock){+.+.+.}, at: [] reiserfs_write_lock+0x28/0x40 [reiserfs] + + stack backtrace: + Pid: 1620, comm: lilo Not tainted 2.6.35.4.4a #3 + Call Trace: + [] __lock_acquire+0x1026/0x1180 + [] lock_acquire+0x67/0x80 + [] __mutex_lock_common+0x4d/0x410 + [] mutex_lock_nested+0x18/0x20 + [] do_journal_begin_r+0x7f/0x340 [reiserfs] + [] journal_begin+0x77/0x140 [reiserfs] + [] reiserfs_persistent_transaction+0x41/0x90 [reiserfs] + [] reiserfs_get_block+0x22c/0x1530 [reiserfs] + [] __block_prepare_write+0x1bb/0x3a0 + [] block_prepare_write+0x26/0x40 + [] reiserfs_prepare_write+0x88/0x170 [reiserfs] + [] reiserfs_unpack+0xe6/0x120 [reiserfs] + [] 
reiserfs_ioctl+0x272/0x320 [reiserfs] + [] vfs_ioctl+0x28/0xa0 + [] do_vfs_ioctl+0x32d/0x5c0 + [] sys_ioctl+0x63/0x70 + [] syscall_call+0x7/0xb + +Reported-by: Jarek Poplawski +Tested-by: Jarek Poplawski +Signed-off-by: Frederic Weisbecker +Cc: Jeff Mahoney +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/ioctl.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/reiserfs/ioctl.c ++++ b/fs/reiserfs/ioctl.c +@@ -170,6 +170,7 @@ int reiserfs_prepare_write(struct file * + int reiserfs_unpack(struct inode *inode, struct file *filp) + { + int retval = 0; ++ int depth; + int index; + struct page *page; + struct address_space *mapping; +@@ -189,7 +190,7 @@ int reiserfs_unpack(struct inode *inode, + ** us + */ + reiserfs_mutex_lock_safe(&inode->i_mutex, inode->i_sb); +- reiserfs_write_lock(inode->i_sb); ++ depth = reiserfs_write_lock_once(inode->i_sb); + + write_from = inode->i_size & (blocksize - 1); + /* if we are on a block boundary, we are already unpacked. */ +@@ -224,6 +225,6 @@ int reiserfs_unpack(struct inode *inode, + + out: + mutex_unlock(&inode->i_mutex); +- reiserfs_write_unlock(inode->i_sb); ++ reiserfs_write_unlock_once(inode->i_sb, depth); + return retval; + } diff --git a/queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch b/queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch new file mode 100644 index 00000000000..6a013ab00f2 --- /dev/null +++ b/queue-2.6.35/ring-buffer-fix-typo-of-time-extends-per-page.patch 
@@ -0,0 +1,89 @@ +From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 12 Oct 2010 12:06:43 -0400 +Subject: ring-buffer: Fix typo of time extends per page + +From: Steven Rostedt + +commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream. + +Time stamps for the ring buffer are created by the difference between +two events. Each page of the ring buffer holds a full 64 bit timestamp. +Each event has a 27 bit delta stamp from the last event. The unit of time +is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events +happen more than 134 milliseconds apart, a time extend is inserted +to add more bits for the delta. The time extend has 59 bits, which +is good for ~18 years. + +Currently the time extend is committed separately from the event. +If an event is discarded before it is committed, due to filtering, +the time extend still exists. If all events are being filtered, then +after ~134 milliseconds a new time extend will be added to the buffer. + +This can only happen till the end of the page. Since each page holds +a full timestamp, there is no reason to add a time extend to the +beginning of a page. Time extends can only fill a page that has actual +data at the beginning, so there is no fear that time extends will fill +more than a page without any data. + +When reading an event, a loop is made to skip over time extends +since they are only used to maintain the time stamp and are never +given to the caller. As a paranoid check to prevent the loop running +forever, with the knowledge that time extends may only fill a page, +a check is made that tests the iteration of the loop, and if the +iteration is more than the number of time extends that can fit in a page +a warning is printed and the ring buffer is disabled (all of ftrace +is also disabled with it). 
+ +There is another event type that is called a TIMESTAMP which can +hold 64 bits of data in the theoretical case that two events happen +18 years apart. This code has not been implemented, but the name +of this event exists, as well as the structure for it. The +size of a TIMESTAMP is 16 bytes, where as a time extend is only +8 bytes. The macro used to calculate how many time extends can fit on +a page used the TIMESTAMP size instead of the time extend size +cutting the amount in half. + +The following test case can easily trigger the warning since we only +need to have half the page filled with time extends to trigger the +warning: + + # cd /sys/kernel/debug/tracing/ + # echo function > current_tracer + # echo 'common_pid < 0' > events/ftrace/function/filter + # echo > trace + # echo 1 > trace_marker + # sleep 120 + # cat trace + +Enabling the function tracer and then setting the filter to only trace +functions where the process id is negative (no events), then clearing +the trace buffer to ensure that we have nothing in the buffer, +then write to trace_marker to add an event to the beginning of a page, +sleep for 2 minutes (only 35 seconds is probably needed, but this +guarantees the bug), and then finally reading the trace which will +trigger the bug. + +This patch fixes the typo and prevents the false positive of that warning. + +Reported-by: Hans J. Koch +Tested-by: Hans J. 
Koch +Cc: Thomas Gleixner +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -405,7 +405,7 @@ static inline int test_time_stamp(u64 de + #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2)) + + /* Max number of timestamps that can fit on a page */ +-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP) ++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND) + + int ring_buffer_print_page_header(struct trace_seq *s) + { diff --git a/queue-2.6.35/series b/queue-2.6.35/series index 8e7ca26da87..192c7aaa345 100644 --- a/queue-2.6.35/series +++ b/queue-2.6.35/series 
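Review bot: The comment above the corrected macro still reads "Max number of timestamps that can fit on a page", but the divisor is now the time-extend length, and the commit message says the two record types differ in size (16 bytes against 8). Leaving the old wording invites the same mix-up the patch fixes. I would change it to `/* Max number of time extends that can fit on a page */`. The macro name RB_TIMESTAMPS_PER_PAGE carries the same ambiguity, though renaming it is more than a stable backport should do.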
@@ -30,3 +30,41 @@ tracing-x86-don-t-use-mcount-in-pvclock.c.patch tracing-x86-don-t-use-mcount-in-kvmclock.c.patch ksm-fix-bad-user-data-when-swapping.patch i7core_edac-fix-panic-in-udimm-sysfs-attributes-registration.patch +v4l1-fix-32-bit-compat-microcode-loading-translation.patch +v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch +v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch +v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch +input-joydev-fix-jsiocsaxmap-ioctl.patch +input-wacom-fix-pressure-in-cintiq-21ux2.patch +ioat2-fix-performance-regression.patch +mac80211-fix-use-after-free.patch +x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch +x86-irq-plug-memory-leak-in-sparse-irq.patch +ubd-fix-incorrect-sector-handling-during-request-restart.patch +oss-soundcard-locking-bug-in-sound_ioctl.patch +virtio-blk-fix-request-leak.patch +ring-buffer-fix-typo-of-time-extends-per-page.patch +dmaengine-fix-interrupt-clearing-for-mv_xor.patch +drivers-gpu-drm-i915-i915_gem.c-add-missing-error-handling-code.patch +hrtimer-preserve-timer-state-in-remove_hrtimer.patch +i2c-pca-fix-waitforcompletion-return-value.patch +reiserfs-fix-dependency-inversion-between-inode-and-reiserfs-mutexes.patch +reiserfs-fix-unwanted-reiserfs-lock-recursion.patch +ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch +mfd-ignore-non-gpio-irqs-when-setting-wm831x-irq-types.patch +wext-fix-potential-private-ioctl-memory-content-leak.patch +atl1-fix-resume.patch +x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch +x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch +de-pessimize-rds_page_copy_user.patch +firewire-ohci-fix-ti-tsb82aa2-regression-since-2.6.35.patch +drm-i915-prevent-module-unload-to-avoid-random-memory-corruption.patch +drm-i915-sanity-check-pread-pwrite.patch +drm-i915-fix-gmch-power-reporting.patch +drm-prune-gem-vma-entries.patch +drm-hold-the-mutex-when-dropping-the-last-gem-reference-v2.patch 
+drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch +drm-radeon-kms-fix-possible-sigbus-in-evergreen-accel-code.patch +drm-radeon-kms-fix-up-encoder-info-messages-for-dfp6.patch +drm-radeon-kms-fix-potential-segfault-in-r600_ioctl_wait_idle.patch +drm-radeon-kms-add-quirk-for-msi-k9a2gm-motherboard.patch diff --git a/queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch b/queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch new file mode 100644 index 00000000000..de32e93422c --- /dev/null +++ b/queue-2.6.35/ubd-fix-incorrect-sector-handling-during-request-restart.patch 
@@ -0,0 +1,104 @@ +From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 15 Oct 2010 12:56:21 +0200 +Subject: ubd: fix incorrect sector handling during request restart + +From: Tejun Heo + +commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream. + +Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation) +dropped request->sector manipulation in preparation for global request +handling cleanup; unfortunately, it incorrectly assumed that the +updated sector wasn't being used. + +ubd tries to issue as many requests as possible to io_thread. When +issuing fails due to memory pressure or other reasons, the device is +put on the restart list and issuing stops. On IO completion, devices +on the restart list are scanned and IO issuing is restarted. + +ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a +request, so each device on the restart queue needs to remember where +to restart in its current request. ubd needs to keep track of the +issue position itself because, + +* blk_rq_pos(req) is now updated by the block layer to keep track of + _completion_ position. + +* Multiple io_req's for the current request may be in flight, so it's + difficult to tell where blk_rq_pos(req) currently is. + +Add ubd->rq_pos to keep track of the issue position and use it to +correctly restart io_req issue. 
+ +Signed-off-by: Tejun Heo +Reported-by: Richard Weinberger +Tested-by: Richard Weinberger +Tested-by: Chris Frey +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -162,6 +162,7 @@ struct ubd { + struct scatterlist sg[MAX_SG]; + struct request *request; + int start_sg, end_sg; ++ sector_t rq_pos; + }; + + #define DEFAULT_COW { \ +@@ -186,6 +187,7 @@ struct ubd { + .request = NULL, \ + .start_sg = 0, \ + .end_sg = 0, \ ++ .rq_pos = 0, \ + } + + /* Protected by ubd_lock */ +@@ -1223,7 +1225,6 @@ static void do_ubd_request(struct reques + { + struct io_thread_req *io_req; + struct request *req; +- sector_t sector; + int n; + + while(1){ +@@ -1234,12 +1235,12 @@ static void do_ubd_request(struct reques + return; + + dev->request = req; ++ dev->rq_pos = blk_rq_pos(req); + dev->start_sg = 0; + dev->end_sg = blk_rq_map_sg(q, req, dev->sg); + } + + req = dev->request; +- sector = blk_rq_pos(req); + while(dev->start_sg < dev->end_sg){ + struct scatterlist *sg = &dev->sg[dev->start_sg]; + +@@ -1251,10 +1252,9 @@ static void do_ubd_request(struct reques + return; + } + prepare_request(req, io_req, +- (unsigned long long)sector << 9, ++ (unsigned long long)dev->rq_pos << 9, + sg->offset, sg->length, sg_page(sg)); + +- sector += sg->length >> 9; + n = os_write_file(thread_fd, &io_req, + sizeof(struct io_thread_req *)); + if(n != sizeof(struct io_thread_req *)){ +@@ -1267,6 +1267,7 @@ static void do_ubd_request(struct reques + return; + } + ++ dev->rq_pos += sg->length >> 9; + dev->start_sg++; + } + dev->end_sg = 0; diff --git a/queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch b/queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch new file mode 100644 index 00000000000..c9409a67c21 --- /dev/null 
+++ b/queue-2.6.35/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch 
@@ -0,0 +1,53 @@ +From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 11 Sep 2010 11:37:51 -0300 +Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) + +From: Mauro Carvalho Chehab + +commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream. + +As reported by: Carlos Americo Domiciano : + +[ 220.033500] cx231xx v4l2 driver loaded. +[ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces +[ 220.033577] cx231xx #0: registering interface 0 +[ 220.033591] cx231xx #0: registering interface 1 +[ 220.033654] cx231xx #0: registering interface 6 +[ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0) +[ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 220.033955] IP: [] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx] + +Thanks-to: Carlos Americo Domiciano +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx231xx/cx231xx-cards.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/media/video/cx231xx/cx231xx-cards.c ++++ b/drivers/media/video/cx231xx/cx231xx-cards.c +@@ -226,14 +226,16 @@ void cx231xx_pre_card_setup(struct cx231 + dev->board.name, dev->model); + + /* set the direction for GPIO pins */ +- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); ++ if (dev->board.tuner_gpio) { ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); + +- /* request some modules if any required */ ++ /* request some modules if any required */ + +- /* reset the Tuner */ +- cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ /* reset the 
Tuner */ ++ cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ } + + /* set the mode to Analog mode initially */ + cx231xx_set_mode(dev, CX231XX_ANALOG_MODE); diff --git a/queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch b/queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch new file mode 100644 index 00000000000..ca62973f48f --- /dev/null +++ b/queue-2.6.35/v4l-dvb-don-t-identify-pv-sbtvd-hybrid-as-a-dibcom-device.patch 
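Review bot: In cx231xx_pre_card_setup() the new `if (dev->board.tuner_gpio)` guard also wraps `cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1)`, which does not dereference `tuner_gpio`, so a board without a tuner GPIO entry no longer gets its SIF GPIO direction set. If that side effect is not intended, keep that call outside the block and guard only the two `tuner_gpio->bit` accesses and `cx231xx_gpio_set()`. Whether any board defines `tuner_sif_gpio` without `tuner_gpio` is not visible here, and the function continues outside the hunk.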
@@ -0,0 +1,69 @@ +From 3bfb317f97cfddbbec67bbe8e35ad38af3507397 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Fri, 3 Sep 2010 10:50:24 -0300 +Subject: V4L/DVB: Don't identify PV SBTVD Hybrid as a DibCom device + +From: Mauro Carvalho Chehab + +commit 3bfb317f97cfddbbec67bbe8e35ad38af3507397 upstream. + +As reported by Carlos, Prolink Pixelview SBTVD Hybrid is based on +Conexant cx231xx + Fujitsu 86A20S demodulator. However, both shares +the same USB ID. So, we need to use USB bcdDevice, in order to +properly discover what's the board. + +We know for sure that bcd 0x100 is used for a dib0700 device, while +bcd 0x4001 is used for a cx23102 device. This patch reserves two ranges, +the first one from 0x0000-0x3f00 for dib0700, and the second from +0x4000-0x4fff for cx231xx devices. + +This may need fixes in the future, as we get access to other devices. + +Thanks-to: Carlos Americo Domiciano +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb/dvb-usb/dib0700_devices.c | 2 +- + drivers/media/video/cx231xx/Makefile | 1 + + drivers/media/video/cx231xx/cx231xx-cards.c | 3 +++ + 3 files changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb/dvb-usb/dib0700_devices.c ++++ b/drivers/media/dvb/dvb-usb/dib0700_devices.c +@@ -2081,7 +2081,7 @@ struct usb_device_id dib0700_usb_id_tabl + /* 60 */{ USB_DEVICE(USB_VID_TERRATEC, USB_PID_TERRATEC_CINERGY_T_XXS_2) }, + { USB_DEVICE(USB_VID_DIBCOM, USB_PID_DIBCOM_STK807XPVR) }, + { USB_DEVICE(USB_VID_DIBCOM, USB_PID_DIBCOM_STK807XP) }, +- { USB_DEVICE(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD) }, ++ { USB_DEVICE_VER(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD, 0x000, 0x3f00) }, + { USB_DEVICE(USB_VID_EVOLUTEPC, USB_PID_TVWAY_PLUS) }, + /* 65 */{ USB_DEVICE(USB_VID_PINNACLE, USB_PID_PINNACLE_PCTV73ESE) }, + { USB_DEVICE(USB_VID_PINNACLE, USB_PID_PINNACLE_PCTV282E) }, +--- a/drivers/media/video/cx231xx/Makefile ++++ b/drivers/media/video/cx231xx/Makefile +@@ -11,4 
+11,5 @@ EXTRA_CFLAGS += -Idrivers/media/video + EXTRA_CFLAGS += -Idrivers/media/common/tuners + EXTRA_CFLAGS += -Idrivers/media/dvb/dvb-core + EXTRA_CFLAGS += -Idrivers/media/dvb/frontends ++EXTRA_CFLAGS += -Idrivers/media/dvb/dvb-usb + +--- a/drivers/media/video/cx231xx/cx231xx-cards.c ++++ b/drivers/media/video/cx231xx/cx231xx-cards.c +@@ -32,6 +32,7 @@ + #include + + #include ++#include "dvb-usb-ids.h" + #include "xc5000.h" + + #include "cx231xx.h" +@@ -175,6 +176,8 @@ struct usb_device_id cx231xx_id_table[] + .driver_info = CX231XX_BOARD_CNXT_RDE_250}, + {USB_DEVICE(0x0572, 0x58A1), + .driver_info = CX231XX_BOARD_CNXT_RDU_250}, ++ {USB_DEVICE_VER(USB_VID_PIXELVIEW, USB_PID_PIXELVIEW_SBTVD, 0x4000,0x4fff), ++ .driver_info = CX231XX_BOARD_UNKNOWN}, + {}, + }; + diff --git a/queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch b/queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch new file mode 100644 index 00000000000..4aa45fe568d --- /dev/null +++ b/queue-2.6.35/v4l-dvb-ir-fix-keys-beeing-stuck-down-forever.patch 
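Review bot: The two `USB_DEVICE_VER` ranges leave bcdDevice 0x3f01-0x3fff matched by neither driver, because the dib0700 entry stops at `0x3f00` and the cx231xx entry starts at `0x4000`. bcdDevice is reported by the device itself, so a unit in that gap would simply bind to nothing; if the split is meant to be at 0x4000, the dib0700 upper bound would be `0x3fff`. The cx231xx entry also maps the device to `CX231XX_BOARD_UNKNOWN`, the card type shown in the oops log of the cx231xx patch in this queue, so it appears to rely on that patch's `tuner_gpio` guard, which the series file lists earlier. Minor: `0x4000,0x4fff` lacks the space after the comma.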
@@ -0,0 +1,38 @@
+From e0172fd373ab77a83ea952fd6a75c612e1b0bf9e Mon Sep 17 00:00:00 2001
+From: Maxim Levitsky
+Date: Mon, 6 Sep 2010 18:26:09 -0300
+Subject: V4L/DVB: IR: fix keys beeing stuck down forever
+
+From: Maxim Levitsky
+
+commit e0172fd373ab77a83ea952fd6a75c612e1b0bf9e upstream.
+
+The logic in ir_timer_keyup was inverted.
+
+In case that values aren't equal,
+the meaning of the time_is_after_eq_jiffies(ir->keyup_jiffies) is that
+ir->keyup_jiffies is after the the jiffies or equally that
+that jiffies are before the the ir->keyup_jiffies which is
+exactly the situation we want to avoid (that the timeout is in the future)
+Confusing Eh?
+
+Signed-off-by: Maxim Levitsky
+Acked-by: Jarod Wilson
+Signed-off-by: Mauro Carvalho Chehab
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/media/IR/ir-keytable.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/drivers/media/IR/ir-keytable.c
++++ b/drivers/media/IR/ir-keytable.c
+@@ -319,7 +319,7 @@ static void ir_timer_keyup(unsigned long
+ * a keyup event might follow immediately after the keydown.
+ */
+ spin_lock_irqsave(&ir->keylock, flags);
+- if (time_is_after_eq_jiffies(ir->keyup_jiffies))
++ if (time_is_before_eq_jiffies(ir->keyup_jiffies))
+ ir_keyup(ir);
+ spin_unlock_irqrestore(&ir->keylock, flags);
+ }
diff --git a/queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch
new file mode 100644
index 00000000000..bfb7db817ed
--- /dev/null
+++ b/queue-2.6.35/v4l1-fix-32-bit-compat-microcode-loading-translation.patch
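Review bot: The corrected condition in ir_timer_keyup() is easy to misread again, as the commit message itself admits, and the hunk adds no comment to pin down the intended sense. I would add `/* keyup_jiffies <= jiffies: the keyup timeout has expired */` above the `if`. The function starts outside the hunk.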
@@ -0,0 +1,88 @@ +From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:12:38 -0700 +Subject: v4l1: fix 32-bit compat microcode loading translation + +From: Linus Torvalds + +commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream. + +The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. +It's only used by the VIDEO_STRADIS driver, and that one is scheduled to +staging and eventually removed unless somebody steps up to maintain it +(at which point it should use request_firmware() rather than some magic +ioctl). So we'll get rid of it eventually. + +But in the meantime, the compatibility ioctl code is broken, and this +tries to get it to at least limp along (even if Mauro suggested just +deleting it entirely, which may be the right thing to do - I don't think +the compatibility translation code has ever worked unless you were very +lucky). + +Reported-by: Kees Cook +Cc: Mauro Carvalho Chehab +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/v4l2-compat-ioctl32.c | 32 +++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/media/video/v4l2-compat-ioctl32.c ++++ b/drivers/media/video/v4l2-compat-ioctl32.c +@@ -193,17 +193,24 @@ static int put_video_window32(struct vid + struct video_code32 { + char loadwhat[16]; /* name or tag of file being passed */ + compat_int_t datasize; +- unsigned char *data; ++ compat_uptr_t data; + }; + +-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up) ++static struct video_code __user *get_microcode32(struct video_code32 *kp) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) || +- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) || +- get_user(kp->datasize, &up->datasize) || +- copy_from_user(kp->data, up->data, up->datasize)) +- return -EFAULT; +- return 0; ++ struct video_code __user *up; ++ ++ up = 
compat_alloc_user_space(sizeof(*up)); ++ ++ /* ++ * NOTE! We don't actually care if these fail. If the ++ * user address is invalid, the native ioctl will do ++ * the error handling for us ++ */ ++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat)); ++ (void) put_user(kp->datasize, &up->datasize); ++ (void) put_user(compat_ptr(kp->data), &up->data); ++ return up; + } + + #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32) +@@ -744,7 +751,7 @@ static long do_video_ioctl(struct file * + struct video_tuner vt; + struct video_buffer vb; + struct video_window vw; +- struct video_code vc; ++ struct video_code32 vc; + struct video_audio va; + #endif + struct v4l2_format v2f; +@@ -823,8 +830,11 @@ static long do_video_ioctl(struct file * + break; + + case VIDIOCSMICROCODE: +- err = get_microcode32(&karg.vc, up); +- compatible_arg = 0; ++ /* Copy the 32-bit "video_code32" to kernel space */ ++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc))) ++ return -EFAULT; ++ /* Convert the 32-bit version to a 64-bit version in user space */ ++ up = get_microcode32(&karg.vc); + break; + + case VIDIOCSFREQ: diff --git a/queue-2.6.35/virtio-blk-fix-request-leak.patch b/queue-2.6.35/virtio-blk-fix-request-leak.patch new file mode 100644 index 00000000000..b95aee7f34f --- /dev/null +++ b/queue-2.6.35/virtio-blk-fix-request-leak.patch 
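Review bot: get_microcode32() forwards `kp->datasize` and `kp->data` from the 32-bit caller without any range check; `compat_ptr()` only widens the pointer. Because the copy_to_user()/put_user() results are deliberately discarded, the only validation left is whatever the native VIDIOCSMICROCODE handler performs, and that handler is not visible in this hunk. I would extend the existing comment with `datasize and data are untrusted here; the native handler must bound datasize and use copy_from_user() on data`, and confirm that the handler does so.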
@@ -0,0 +1,42 @@
+From e4c4776dea9fd0295ebb3b215599d52938d6d7a3 Mon Sep 17 00:00:00 2001
+From: Mike Snitzer
+Date: Sat, 9 Oct 2010 12:12:13 +1030
+Subject: virtio-blk: fix request leak.
+
+From: Mike Snitzer
+
+commit e4c4776dea9fd0295ebb3b215599d52938d6d7a3 upstream.
+
+Must drop reference taken by blk_make_request().
+
+Signed-off-by: Mike Snitzer
+Signed-off-by: Rusty Russell
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/virtio_blk.c | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+--- a/drivers/block/virtio_blk.c
++++ b/drivers/block/virtio_blk.c
+@@ -203,6 +203,7 @@ static int virtblk_get_id(struct gendisk
+ struct virtio_blk *vblk = disk->private_data;
+ struct request *req;
+ struct bio *bio;
++ int err;
+
+ bio = bio_map_kern(vblk->disk->queue, id_str, VIRTIO_BLK_ID_BYTES,
+ GFP_KERNEL);
+@@ -216,7 +217,10 @@ static int virtblk_get_id(struct gendisk
+ }
+
+ req->cmd_type = REQ_TYPE_SPECIAL;
+- return blk_execute_rq(vblk->disk->queue, vblk->disk, req, false);
++ err = blk_execute_rq(vblk->disk->queue, vblk->disk, req, false);
++ blk_put_request(req);
++
++ return err;
+ }
+
+ static int virtblk_ioctl(struct block_device *bdev, fmode_t mode,
diff --git a/queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch b/queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch
new file mode 100644
index 00000000000..6557389ef06
--- /dev/null
+++ b/queue-2.6.35/wext-fix-potential-private-ioctl-memory-content-leak.patch
@@ -0,0 +1,39 @@
+From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001
+From: Johannes Berg
+Date: Fri, 17 Sep 2010 00:38:25 +0200
+Subject: wext: fix potential private ioctl memory content leak
+
+From: Johannes Berg
+
+commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream.
+
+When a driver doesn't fill the entire buffer, old
+heap contents may remain, and if it also doesn't
+update the length properly, this old heap content
+will be copied back to userspace.
+
+It is very unlikely that this happens in any of
+the drivers using private ioctls since it would
+show up as junk being reported by iwpriv, but it
+seems better to be safe here, so use kzalloc.
+
+Reported-by: Jeff Mahoney
+Signed-off-by: Johannes Berg
+Signed-off-by: John W. Linville
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/wireless/wext-priv.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/net/wireless/wext-priv.c
++++ b/net/wireless/wext-priv.c
+@@ -152,7 +152,7 @@ static int ioctl_private_iw_point(struct
+ } else if (!iwp->pointer)
+ return -EFAULT;
+
+- extra = kmalloc(extra_size, GFP_KERNEL);
++ extra = kzalloc(extra_size, GFP_KERNEL);
+ if (!extra)
+ return -ENOMEM;
+
diff --git a/queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch b/queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
new file mode 100644
index 00000000000..ff2f57a5336
--- /dev/null
+++ b/queue-2.6.35/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch
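Review bot: Switching to `kzalloc()` in ioctl_private_iw_point() removes the stale heap bytes but leaves the copy-back length untouched, so the amount returned to userspace still depends on the length the driver handler reports. The copy-out is outside this hunk; it is worth confirming there that the length is clamped to what `extra_size` was computed from before `copy_to_user()` runs. A short comment at the allocation, e.g. `/* zeroed: handlers may fill less than they report */`, would record why this must not go back to kmalloc().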
@@ -0,0 +1,61 @@
+From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Fri, 8 Oct 2010 12:08:34 +0200
+Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order
+
+From: Borislav Petkov
+
+commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream.
+
+This fixes possible cases of not collecting valid error info in
+the MCE error thresholding groups on F10h hardware.
+
+The current code contains a subtle problem of checking only the
+Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM
+thresholding group) in its first iteration and breaking out if
+the bit is cleared.
+
+But (!), this MSR contains an offset value, BlkPtr[31:24], which
+points to the remaining MSRs in this thresholding group which
+might contain valid information too. But if we bail out only
+after we checked the valid bit in the first MSR and not the
+block pointer too, we miss that other information.
+
+The thing is, MC4_MISC0[BlkPtr] is not predicated on
+MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked
+prior to iterating over the MCI_MISCj thresholding group,
+irrespective of the MC4_MISC0[Valid] setting.
+
+Signed-off-by: Borislav Petkov
+Signed-off-by: Ingo Molnar
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/mcheck/mce_amd.c | 9 +++------
+ 1 file changed, 3 insertions(+), 6 deletions(-)
+
+--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c
++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c
+@@ -141,6 +141,7 @@ void mce_amd_feature_init(struct cpuinfo
+ address = (low & MASK_BLKPTR_LO) >> 21;
+ if (!address)
+ break;
++
+ address += MCG_XBLK_ADDR;
+ } else
+ ++address;
+@@ -148,12 +149,8 @@ void mce_amd_feature_init(struct cpuinfo
+ if (rdmsr_safe(address, &low, &high))
+ break;
+
+- if (!(high & MASK_VALID_HI)) {
+- if (block)
+- continue;
+- else
+- break;
+- }
++ if (!(high & MASK_VALID_HI))
++ continue;
+
+ if (!(high & MASK_CNTP_HI) ||
+ (high & MASK_LOCKED_HI))
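Review bot: With the `else break` removed in mce_amd_feature_init(), a block whose Valid bit is clear now always continues, so termination rests on the loop bound and the `if (!address) break;` BlkPtr test, both of which sit at least partly outside the hunk. A comment on the new `continue`, e.g. `/* Valid clear: keep scanning, BlkPtr may still lead to valid blocks */`, would keep a later reader from restoring the early break. The blank line added before `address += MCG_XBLK_ADDR;` is unrelated whitespace.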
diff --git a/queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch b/queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
new file mode 100644
index 00000000000..3869c773307
--- /dev/null
+++ b/queue-2.6.35/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch
@@ -0,0 +1,35 @@
+From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Tue, 28 Sep 2010 23:20:23 +0200
+Subject: x86, hpet: Fix bogus error check in hpet_assign_irq()
+
+From: Thomas Gleixner
+
+commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream.
+
+create_irq() returns -1 if the interrupt allocation failed, but the
+code checks for irq == 0.
+
+Use create_irq_nr() instead.
+
+Signed-off-by: Thomas Gleixner
+Cc: Venkatesh Pallipadi
+LKML-Reference:
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/hpet.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/arch/x86/kernel/hpet.c
++++ b/arch/x86/kernel/hpet.c
+@@ -507,7 +507,7 @@ static int hpet_assign_irq(struct hpet_d
+ {
+ unsigned int irq;
+
+- irq = create_irq();
++ irq = create_irq_nr(0, -1);
+ if (!irq)
+ return -EINVAL;
+
diff --git a/queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch b/queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch
new file mode 100644
index 00000000000..bd67b829e17
--- /dev/null
+++ b/queue-2.6.35/x86-irq-plug-memory-leak-in-sparse-irq.patch
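Review bot: In hpet_assign_irq() the `if (!irq)` test is correct only because create_irq_nr() reports failure as 0, and nothing in the hunk records that or explains the bare `0, -1` arguments. I would add `/* create_irq_nr() returns 0 on failure; create_irq() returns -1 */` above the call so the check is not "fixed" back later. The function body continues outside the hunk.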
@@ -0,0 +1,51 @@
+From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001
+From: Thomas Gleixner
+Date: Tue, 28 Sep 2010 20:57:19 +0200
+Subject: x86, irq: Plug memory leak in sparse irq
+
+From: Thomas Gleixner
+
+commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream.
+
+free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this
+triggers a use after free caused by the fact that copying struct
+irq_cfg is done with memcpy, which copies the pointer not the cpumask.
+
+Fix both places.
+
+Signed-off-by: Thomas Gleixner
+Cc: Yinghai Lu
+LKML-Reference:
+Signed-off-by: Thomas Gleixner
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/apic/io_apic.c | 11 ++++++++---
+ 1 file changed, 8 insertions(+), 3 deletions(-)
+
+--- a/arch/x86/kernel/apic/io_apic.c
++++ b/arch/x86/kernel/apic/io_apic.c
+@@ -306,14 +306,19 @@ void arch_init_copy_chip_data(struct irq
+
+ old_cfg = old_desc->chip_data;
+
+- memcpy(cfg, old_cfg, sizeof(struct irq_cfg));
++ cfg->vector = old_cfg->vector;
++ cfg->move_in_progress = old_cfg->move_in_progress;
++ cpumask_copy(cfg->domain, old_cfg->domain);
++ cpumask_copy(cfg->old_domain, old_cfg->old_domain);
+
+ init_copy_irq_2_pin(old_cfg, cfg, node);
+ }
+
+-static void free_irq_cfg(struct irq_cfg *old_cfg)
++static void free_irq_cfg(struct irq_cfg *cfg)
+ {
+- kfree(old_cfg);
++ free_cpumask_var(cfg->domain);
++ free_cpumask_var(cfg->old_domain);
++ kfree(cfg);
+ }
+
+ void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)
diff --git a/queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch b/queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
new file mode 100644
index 00000000000..5634ed599cb
--- /dev/null
+++ b/queue-2.6.35/x86-numa-for-each-node-register-the-memory-blocks-actually-used.patch
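Review bot: Replacing `memcpy()` with per-field assignments in arch_init_copy_chip_data() means any `struct irq_cfg` member not listed here is left at whatever value the new `cfg` was allocated with; only `vector`, `move_in_progress` and the two masks are copied, plus whatever `init_copy_irq_2_pin()` handles. The struct definition is not visible in this hunk, so the list should be checked against it. `cpumask_copy()` also assumes `cfg->domain` and `cfg->old_domain` were already allocated for the new `cfg`, which happens outside the hunk. A comment such as `/* no memcpy: the cpumask_var_t members may be pointers and must be deep-copied */` would explain the open-coded copy.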
@@ -0,0 +1,78 @@ +From 73cf624d029d776a33d0a80c695485b3f9b36231 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Sun, 10 Oct 2010 19:52:15 -0700 +Subject: x86, numa: For each node, register the memory blocks actually used + +From: Yinghai Lu + +commit 73cf624d029d776a33d0a80c695485b3f9b36231 upstream. + +Russ reported SGI UV is broken recently. He said: + +| The SRAT table shows that memory range is spread over two nodes. +| +| SRAT: Node 0 PXM 0 100000000-800000000 +| SRAT: Node 1 PXM 1 800000000-1000000000 +| SRAT: Node 0 PXM 0 1000000000-1080000000 +| +|Previously, the kernel early_node_map[] would show three entries +|with the proper node. +| +|[ 0.000000] 0: 0x00100000 -> 0x00800000 +|[ 0.000000] 1: 0x00800000 -> 0x01000000 +|[ 0.000000] 0: 0x01000000 -> 0x01080000 +| +|The problem is recent community kernel early_node_map[] shows +|only two entries with the node 0 entry overlapping the node 1 +|entry. +| +| 0: 0x00100000 -> 0x01080000 +| 1: 0x00800000 -> 0x01000000 + +After looking at the changelog, Found out that it has been broken for a while by +following commit + +|commit 8716273caef7f55f39fe4fc6c69c5f9f197f41f1 +|Author: David Rientjes +|Date: Fri Sep 25 15:20:04 2009 -0700 +| +| x86: Export srat physical topology + +Before that commit, register_active_regions() is called for every SRAT memory +entry right away. + +Use nodememblk_range[] instead of nodes[] in order to make sure we +capture the actual memory blocks registered with each node. nodes[] +contains an extended range which spans all memory regions associated +with a node, but that does not mean that all the memory in between are +included. + +Reported-by: Russ Anderson +Tested-by: Russ Anderson +Signed-off-by: Yinghai Lu +LKML-Reference: <4CB27BDF.5000800@kernel.org> +Acked-by: David Rientjes +Signed-off-by: H. 
Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/srat_64.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/mm/srat_64.c ++++ b/arch/x86/mm/srat_64.c +@@ -420,9 +420,11 @@ int __init acpi_scan_nodes(unsigned long + return -1; + } + +- for_each_node_mask(i, nodes_parsed) +- e820_register_active_regions(i, nodes[i].start >> PAGE_SHIFT, +- nodes[i].end >> PAGE_SHIFT); ++ for (i = 0; i < num_node_memblks; i++) ++ e820_register_active_regions(memblk_nodeid[i], ++ node_memblk_range[i].start >> PAGE_SHIFT, ++ node_memblk_range[i].end >> PAGE_SHIFT); ++ + /* for out of order entries in SRAT */ + sort_node_map(); + if (!nodes_cover_memory(nodes)) {