From: Chris Wright Date: Fri, 24 Apr 2009 22:34:19 +0000 (-0700) Subject: 2.6.29: more patches for .3 X-Git-Tag: v2.6.29.2~2 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=78da711d1faa7f9da39a97885a8cda3b9a561101;p=thirdparty%2Fkernel%2Fstable-queue.git 2.6.29: more patches for .3 --- diff --git a/queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch b/queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch new file mode 100644 index 00000000000..769c56e5f40 --- /dev/null +++ b/queue-2.6.29/alsa-us122l-add-snd_us122l_free.patch @@ -0,0 +1,62 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:23 2009 +Date: Fri, 24 Apr 2009 16:05:19 GMT +Message-Id: <200904241605.n3OG5Ju8007936@hera.kernel.org> +From: Karsten Wiese +To: jejb@kernel.org, stable@kernel.org +Subject: ALSA: us122l: add snd_us122l_free() + +upstream commit: 5d4af1be06affa2b42cdf59cd376752be1f934b3 + +Use it to clean up snd_us122l_card_used[]. + +Without patch unplugging of an US122L soundcard didn't reset the +corresponding element of snd_us122l_card_used[] to 0. +The (SNDRV_CARDS + 1)th plugging in did not result in creating the soundcard +device anymore. +Index values supplied with the modprobe command line were not used correctly +anymore after the first unplugging of an US122L. + +Signed-off-by: Karsten Wiese +Cc: stable@kernel.org +Signed-off-by: Takashi Iwai +[chrisw: backport to 2.6.29] +Signed-off-by: Chris Wright +--- + sound/usb/usx2y/us122l.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/sound/usb/usx2y/us122l.c ++++ b/sound/usb/usx2y/us122l.c +@@ -478,6 +478,14 @@ static bool us122l_create_card(struct sn + return true; + } + ++static void snd_us122l_free(struct snd_card *card) ++{ ++ struct us122l *us122l = US122L(card); ++ int index = us122l->chip.index; ++ if (index >= 0 && index < SNDRV_CARDS) ++ snd_us122l_card_used[index] = 0; ++} ++ + static struct snd_card *usx2y_create_card(struct usb_device *device) + { + int dev; +@@ -492,7 +500,7 @@ static struct snd_card *usx2y_create_car + if (!card) + return NULL; + snd_us122l_card_used[US122L(card)->chip.index = dev] = 1; +- ++ card->private_free = snd_us122l_free; + US122L(card)->chip.dev = device; + US122L(card)->chip.card = card; + mutex_init(&US122L(card)->mutex); +@@ -575,7 +583,7 @@ static void snd_us122l_disconnect(struct + } + + usb_put_intf(intf); +- usb_put_dev(US122L(card)->chip.dev); ++ usb_put_dev(us122l->chip.dev); + + while (atomic_read(&us122l->mmap_count)) + msleep(500); diff --git a/queue-2.6.29/b43-poison-rx-buffers.patch b/queue-2.6.29/b43-poison-rx-buffers.patch new file mode 100644 index 00000000000..3f0311d9a42 --- /dev/null +++ b/queue-2.6.29/b43-poison-rx-buffers.patch @@ -0,0 +1,115 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:36 2009 +Date: Fri, 24 Apr 2009 16:05:31 GMT +Message-Id: <200904241605.n3OG5VSB008123@hera.kernel.org> +From: Michael Buesch +To: jejb@kernel.org, stable@kernel.org +Subject: b43: Poison RX buffers + +upstream commit: ec9a1d8c13e36440eda0f3c79b8149080e3ab5ba + +This patch adds poisoning and sanity checking to the RX DMA buffers. +This is used for protection against buggy hardware/firmware that raises +RX interrupts without doing an actual DMA transfer. + +This mechanism protects against rare "bad packets" (due to uninitialized skb data) +and rare kernel crashes due to uninitialized RX headers. + +The poison is selected to not match on valid frames and to be cheap for checking. + +The poison check mechanism _might_ trigger incorrectly, if we are voluntarily +receiving frames with bad PLCP headers. However, this is nonfatal, because the +chance of such a match is basically zero and in case it happens it just results +in dropping the packet. +Bad-PLCP RX defaults to off, and you should leave it off unless you want to listen +to the latest news broadcasted by your microwave oven. + +This patch also moves the initialization of the RX-header "length" field in front of +the mapping of the DMA buffer. The CPU should not touch the buffer after we mapped it. + +Cc: stable@kernel.org +Reported-by: Francesco Gringoli +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Chris Wright +--- + drivers/net/wireless/b43/dma.c | 37 +++++++++++++++++++++++++++++++++---- + 1 file changed, 33 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/b43/dma.c ++++ b/drivers/net/wireless/b43/dma.c +@@ -551,11 +551,32 @@ address_error: + return 1; + } + ++static bool b43_rx_buffer_is_poisoned(struct b43_dmaring *ring, struct sk_buff *skb) ++{ ++ unsigned char *f = skb->data + ring->frameoffset; ++ ++ return ((f[0] & f[1] & f[2] & f[3] & f[4] & f[5] & f[6] & f[7]) == 0xFF); ++} ++ ++static void b43_poison_rx_buffer(struct b43_dmaring *ring, struct sk_buff *skb) ++{ ++ struct b43_rxhdr_fw4 *rxhdr; ++ unsigned char *frame; ++ ++ /* This poisons the RX buffer to detect DMA failures. */ ++ ++ rxhdr = (struct b43_rxhdr_fw4 *)(skb->data); ++ rxhdr->frame_len = 0; ++ ++ B43_WARN_ON(ring->rx_buffersize < ring->frameoffset + sizeof(struct b43_plcp_hdr6) + 2); ++ frame = skb->data + ring->frameoffset; ++ memset(frame, 0xFF, sizeof(struct b43_plcp_hdr6) + 2 /* padding */); ++} ++ + static int setup_rx_descbuffer(struct b43_dmaring *ring, + struct b43_dmadesc_generic *desc, + struct b43_dmadesc_meta *meta, gfp_t gfp_flags) + { +- struct b43_rxhdr_fw4 *rxhdr; + dma_addr_t dmaaddr; + struct sk_buff *skb; + +@@ -564,6 +585,7 @@ static int setup_rx_descbuffer(struct b4 + skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); + if (unlikely(!skb)) + return -ENOMEM; ++ b43_poison_rx_buffer(ring, skb); + dmaaddr = map_descbuffer(ring, skb->data, ring->rx_buffersize, 0); + if (b43_dma_mapping_error(ring, dmaaddr, ring->rx_buffersize, 0)) { + /* ugh. try to realloc in zone_dma */ +@@ -574,6 +596,7 @@ static int setup_rx_descbuffer(struct b4 + skb = __dev_alloc_skb(ring->rx_buffersize, gfp_flags); + if (unlikely(!skb)) + return -ENOMEM; ++ b43_poison_rx_buffer(ring, skb); + dmaaddr = map_descbuffer(ring, skb->data, + ring->rx_buffersize, 0); + } +@@ -589,9 +612,6 @@ static int setup_rx_descbuffer(struct b4 + ring->ops->fill_descriptor(ring, desc, dmaaddr, + ring->rx_buffersize, 0, 0, 0); + +- rxhdr = (struct b43_rxhdr_fw4 *)(skb->data); +- rxhdr->frame_len = 0; +- + return 0; + } + +@@ -1482,6 +1502,15 @@ static void dma_rx(struct b43_dmaring *r + goto drop; + } + } ++ if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) { ++ /* Something went wrong with the DMA. ++ * The device did not touch the buffer and did not overwrite the poison. */ ++ b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n"); ++ /* recycle the descriptor buffer. */ ++ sync_descbuffer_for_device(ring, meta->dmaaddr, ++ ring->rx_buffersize); ++ goto drop; ++ } + if (unlikely(len > ring->rx_buffersize)) { + /* The data did not fit into one descriptor buffer + * and is split over multiple buffers. diff --git a/queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch b/queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch new file mode 100644 index 00000000000..62f29594a44 --- /dev/null +++ b/queue-2.6.29/b43-refresh-rx-poison-on-buffer-recycling.patch @@ -0,0 +1,78 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:34 2009 +Date: Fri, 24 Apr 2009 16:05:29 GMT +Message-Id: <200904241605.n3OG5TGL008104@hera.kernel.org> +From: Michael Buesch +To: jejb@kernel.org, stable@kernel.org +Subject: b43: Refresh RX poison on buffer recycling + +upstream commit: cf68636a9773aa97915497fe54fa4a51e3f08f3a + +The RX buffer poison needs to be refreshed, if we recycle an RX buffer, +because it might be (partially) overwritten by some DMA operations. + +Cc: stable@kernel.org +Cc: Francesco Gringoli +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Chris Wright +--- + drivers/net/wireless/b43/dma.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/b43/dma.c ++++ b/drivers/net/wireless/b43/dma.c +@@ -1496,20 +1496,16 @@ static void dma_rx(struct b43_dmaring *r + len = le16_to_cpu(rxhdr->frame_len); + } while (len == 0 && i++ < 5); + if (unlikely(len == 0)) { +- /* recycle the descriptor buffer. */ +- sync_descbuffer_for_device(ring, meta->dmaaddr, +- ring->rx_buffersize); +- goto drop; ++ dmaaddr = meta->dmaaddr; ++ goto drop_recycle_buffer; + } + } + if (unlikely(b43_rx_buffer_is_poisoned(ring, skb))) { + /* Something went wrong with the DMA. + * The device did not touch the buffer and did not overwrite the poison. */ + b43dbg(ring->dev->wl, "DMA RX: Dropping poisoned buffer.\n"); +- /* recycle the descriptor buffer. */ +- sync_descbuffer_for_device(ring, meta->dmaaddr, +- ring->rx_buffersize); +- goto drop; ++ dmaaddr = meta->dmaaddr; ++ goto drop_recycle_buffer; + } + if (unlikely(len > ring->rx_buffersize)) { + /* The data did not fit into one descriptor buffer +@@ -1523,6 +1519,7 @@ static void dma_rx(struct b43_dmaring *r + while (1) { + desc = ops->idx2desc(ring, *slot, &meta); + /* recycle the descriptor buffer. */ ++ b43_poison_rx_buffer(ring, meta->skb); + sync_descbuffer_for_device(ring, meta->dmaaddr, + ring->rx_buffersize); + *slot = next_slot(ring, *slot); +@@ -1541,8 +1538,7 @@ static void dma_rx(struct b43_dmaring *r + err = setup_rx_descbuffer(ring, desc, meta, GFP_ATOMIC); + if (unlikely(err)) { + b43dbg(ring->dev->wl, "DMA RX: setup_rx_descbuffer() failed\n"); +- sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize); +- goto drop; ++ goto drop_recycle_buffer; + } + + unmap_descbuffer(ring, dmaaddr, ring->rx_buffersize, 0); +@@ -1552,6 +1548,11 @@ static void dma_rx(struct b43_dmaring *r + b43_rx(ring->dev, skb, rxhdr); + drop: + return; ++ ++drop_recycle_buffer: ++ /* Poison and recycle the RX buffer. */ ++ b43_poison_rx_buffer(ring, skb); ++ sync_descbuffer_for_device(ring, dmaaddr, ring->rx_buffersize); + } + + void b43_dma_rx(struct b43_dmaring *ring) diff --git a/queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch b/queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch new file mode 100644 index 00000000000..0e821e47fdd --- /dev/null +++ b/queue-2.6.29/kvm-fix-overlapping-check-for-memory-slots.patch @@ -0,0 +1,54 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:14 2009 +Date: Fri, 24 Apr 2009 16:05:09 GMT +Message-Id: <200904241605.n3OG59WB007756@hera.kernel.org> +From: Jan Kiszka +To: jejb@kernel.org, stable@kernel.org +Subject: KVM: Fix overlapping check for memory slots + +upstream commit: 4cd481f68dde99ac416003b825c835f71e364393 + +When checking for overlapping slots on registration of a new one, kvm +currently also considers zero-length (ie. deleted) slots and rejects +requests incorrectly. This finally denies user space from joining slots. +Fix the check by skipping deleted slots and advertise this via a +KVM_CAP_JOIN_MEMORY_REGIONS_WORKS. + +Cc: stable@kernel.org +Signed-off-by: Jan Kiszka +Signed-off-by: Avi Kivity +Signed-off-by: Chris Wright +--- + include/linux/kvm.h | 2 ++ + virt/kvm/kvm_main.c | 3 ++- + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/include/linux/kvm.h ++++ b/include/linux/kvm.h +@@ -396,6 +396,8 @@ struct kvm_trace_rec { + #ifdef __KVM_HAVE_USER_NMI + #define KVM_CAP_USER_NMI 22 + #endif ++/* Another bug in KVM_SET_USER_MEMORY_REGION fixed: */ ++#define KVM_CAP_JOIN_MEMORY_REGIONS_WORKS 30 + + /* + * ioctls for VM fds +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -1005,7 +1005,7 @@ int __kvm_set_memory_region(struct kvm * + for (i = 0; i < KVM_MEMORY_SLOTS; ++i) { + struct kvm_memory_slot *s = &kvm->memslots[i]; + +- if (s == memslot) ++ if (s == memslot || !s->npages) + continue; + if (!((base_gfn + npages <= s->base_gfn) || + (base_gfn >= s->base_gfn + s->npages))) +@@ -1997,6 +1997,7 @@ static long kvm_dev_ioctl_check_extensio + switch (arg) { + case KVM_CAP_USER_MEMORY: + case KVM_CAP_DESTROY_MEMORY_REGION_WORKS: ++ case KVM_CAP_JOIN_MEMORY_REGIONS_WORKS: + return 1; + default: + break; diff --git a/queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch b/queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch new file mode 100644 index 00000000000..a8ba5ae396d --- /dev/null +++ b/queue-2.6.29/kvm-mmu-disable-global-page-optimization.patch @@ -0,0 +1,33 @@ +From mtosatti@redhat.com Fri Apr 24 15:05:03 2009 +Date: Fri, 24 Apr 2009 18:18:27 -0300 +From: Marcelo Tosatti +To: Chris Wright +Subject: KVM: MMU: disable global page optimization +Message-ID: <20090424211827.GA13223@amt.cnet> + +upstream commit: bf47a760f66add7870fba33ab50f58b550d6bbd1 + +Complexity to fix it not worthwhile the gains, as discussed +in http://article.gmane.org/gmane.comp.emulators.kvm.devel/28649. + +Cc: stable@kernel.org +Signed-off-by: Marcelo Tosatti +Signed-off-by: Avi Kivity +[mtosatti: backport to 2.6.29] +Signed-off-by: Chris Wright + +--- + arch/x86/kvm/mmu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -797,7 +797,7 @@ static struct kvm_mmu_page *kvm_mmu_allo + ASSERT(is_empty_shadow_page(sp->spt)); + bitmap_zero(sp->slot_bitmap, KVM_MEMORY_SLOTS + KVM_PRIVATE_MEM_SLOTS); + sp->multimapped = 0; +- sp->global = 1; ++ sp->global = 0; + sp->parent_pte = parent_pte; + --vcpu->kvm->arch.n_free_mmu_pages; + return sp; diff --git a/queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch b/queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch new file mode 100644 index 00000000000..56eb04f9da3 --- /dev/null +++ b/queue-2.6.29/kvm-mmu-fix-off-by-one-calculating-large-page-count.patch @@ -0,0 +1,45 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:20 2009 +Date: Fri, 24 Apr 2009 16:05:14 GMT +Message-Id: <200904241605.n3OG5EXJ007808@hera.kernel.org> +From: Avi Kivity +To: jejb@kernel.org, stable@kernel.org +Subject: KVM: MMU: Fix off-by-one calculating large page count + +upstream commit: 99894a799f09cf9e28296bb16e75bd5830fd2c4e + +The large page initialization code concludes there are two large pages spanned +by a slot covering 1 (small) page starting at gfn 1. This is incorrect, and +also results in incorrect write_count initialization in some cases (base = 1, +npages = 513 for example). + +Cc: stable@kernel.org +Signed-off-by: Avi Kivity +Signed-off-by: Chris Wright +--- + virt/kvm/kvm_main.c | 8 +++----- + 1 file changed, 3 insertions(+), 5 deletions(-) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -964,6 +964,7 @@ int __kvm_set_memory_region(struct kvm * + int r; + gfn_t base_gfn; + unsigned long npages; ++ int largepages; + unsigned long i; + struct kvm_memory_slot *memslot; + struct kvm_memory_slot old, new; +@@ -1039,11 +1040,8 @@ int __kvm_set_memory_region(struct kvm * + new.userspace_addr = 0; + } + if (npages && !new.lpage_info) { +- int largepages = npages / KVM_PAGES_PER_HPAGE; +- if (npages % KVM_PAGES_PER_HPAGE) +- largepages++; +- if (base_gfn % KVM_PAGES_PER_HPAGE) +- largepages++; ++ largepages = 1 + (base_gfn + npages - 1) / KVM_PAGES_PER_HPAGE; ++ largepages -= base_gfn / KVM_PAGES_PER_HPAGE; + + new.lpage_info = vmalloc(largepages * sizeof(*new.lpage_info)); + diff --git a/queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch b/queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch new file mode 100644 index 00000000000..4ea4d52e2f7 --- /dev/null +++ b/queue-2.6.29/kvm-x86-release-time_page-on-vcpu-destruction.patch @@ -0,0 +1,34 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:12 2009 +Date: Fri, 24 Apr 2009 16:05:07 GMT +Message-Id: <200904241605.n3OG57Qs007736@hera.kernel.org> +From: Joerg Roedel +To: jejb@kernel.org, stable@kernel.org +Subject: KVM: x86: release time_page on vcpu destruction + +upstream commit: 7f1ea208968f021943d4103ba59e06bb6d8239cb + +Not releasing the time_page causes a leak of that page or the compound +page it is situated in. + +Cc: stable@kernel.org +Signed-off-by: Joerg Roedel +Signed-off-by: Avi Kivity +Signed-off-by: Chris Wright +--- + arch/x86/kvm/x86.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -3962,6 +3962,11 @@ EXPORT_SYMBOL_GPL(kvm_put_guest_fpu); + + void kvm_arch_vcpu_free(struct kvm_vcpu *vcpu) + { ++ if (vcpu->arch.time_page) { ++ kvm_release_page_dirty(vcpu->arch.time_page); ++ vcpu->arch.time_page = NULL; ++ } ++ + kvm_x86_ops->vcpu_free(vcpu); + } + diff --git a/queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch b/queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch new file mode 100644 index 00000000000..4247eaa127c --- /dev/null +++ b/queue-2.6.29/mac80211-fix-basic-rate-bitmap-calculation.patch @@ -0,0 +1,35 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:22 2009 +Date: Fri, 24 Apr 2009 16:05:16 GMT +Message-Id: <200904241605.n3OG5GvL007897@hera.kernel.org> +From: Johannes Berg +To: jejb@kernel.org, stable@kernel.org +Subject: mac80211: fix basic rate bitmap calculation + +upstream commit: 7e0986c17f695952ce5d61ed793ce048ba90a661 + +"mac80211: fix basic rates setting from association response" +introduced a copy/paste error. + +Unfortunately, this not just leads to wrong data being passed +to the driver but is remotely exploitable for some hardware or +driver combinations. + +Signed-off-by: Johannes Berg +Cc: stable@kernel.org [2.6.29] +Signed-off-by: John W. Linville +Signed-off-by: Chris Wright +--- + net/mac80211/mlme.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1342,7 +1342,7 @@ static void ieee80211_rx_mgmt_assoc_resp + + for (i = 0; i < elems.ext_supp_rates_len; i++) { + int rate = (elems.ext_supp_rates[i] & 0x7f) * 5; +- bool is_basic = !!(elems.supp_rates[i] & 0x80); ++ bool is_basic = !!(elems.ext_supp_rates[i] & 0x80); + + if (rate > 110) + have_higher_than_11mbit = true; diff --git a/queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch b/queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch new file mode 100644 index 00000000000..618644e4f00 --- /dev/null +++ b/queue-2.6.29/mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch @@ -0,0 +1,91 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:38 2009 +Date: Fri, 24 Apr 2009 16:05:33 GMT +Message-Id: <200904241605.n3OG5XPq008148@hera.kernel.org> +From: Vasanthakumar Thiagarajan +To: jejb@kernel.org, stable@kernel.org +Subject: mac80211: Fix bug in getting rx status for frames pending in reorder buffer + +upstream commit: b3631286aca3f54427ca0eb950981e9753866f6c + +Currently rx status for frames which are completed from reorder buffer +is taken from it's cb area which is not always right, cb is not holding +the rx status when driver uses mac80211's non-irq rx handler to pass it's +received frames. This results in dropping almost all frames from reorder +buffer when security is enabled by doing double decryption (first in hw, +second in sw because of wrong rx status). This patch copies rx status into +cb area before the frame is put into reorder buffer. After this patch, +there is a significant improvement in throughput with ath9k + WPA2(AES). + +Signed-off-by: Vasanthakumar Thiagarajan +Acked-by: Johannes Berg +Cc: stable@kernel.org +Signed-off-by: John W. Linville +Signed-off-by: Chris Wright +--- + net/mac80211/rx.c | 13 +++++++++---- + 1 file changed, 9 insertions(+), 4 deletions(-) + +--- a/net/mac80211/rx.c ++++ b/net/mac80211/rx.c +@@ -29,6 +29,7 @@ + static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, + struct tid_ampdu_rx *tid_agg_rx, + struct sk_buff *skb, ++ struct ieee80211_rx_status *status, + u16 mpdu_seq_num, + int bar_req); + /* +@@ -1538,7 +1539,7 @@ ieee80211_rx_h_ctrl(struct ieee80211_rx_ + /* manage reordering buffer according to requested */ + /* sequence number */ + rcu_read_lock(); +- ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, ++ ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, NULL, NULL, + start_seq_num, 1); + rcu_read_unlock(); + return RX_DROP_UNUSABLE; +@@ -2034,6 +2035,7 @@ static inline u16 seq_sub(u16 sq1, u16 s + static u8 ieee80211_sta_manage_reorder_buf(struct ieee80211_hw *hw, + struct tid_ampdu_rx *tid_agg_rx, + struct sk_buff *skb, ++ struct ieee80211_rx_status *rxstatus, + u16 mpdu_seq_num, + int bar_req) + { +@@ -2115,6 +2117,8 @@ static u8 ieee80211_sta_manage_reorder_b + + /* put the frame in the reordering buffer */ + tid_agg_rx->reorder_buf[index] = skb; ++ memcpy(tid_agg_rx->reorder_buf[index]->cb, rxstatus, ++ sizeof(*rxstatus)); + tid_agg_rx->stored_mpdu_num++; + /* release the buffer until next missing frame */ + index = seq_sub(tid_agg_rx->head_seq_num, tid_agg_rx->ssn) +@@ -2140,7 +2144,8 @@ static u8 ieee80211_sta_manage_reorder_b + } + + static u8 ieee80211_rx_reorder_ampdu(struct ieee80211_local *local, +- struct sk_buff *skb) ++ struct sk_buff *skb, ++ struct ieee80211_rx_status *status) + { + struct ieee80211_hw *hw = &local->hw; + struct ieee80211_hdr *hdr = (struct ieee80211_hdr *) skb->data; +@@ -2191,7 +2196,7 @@ static u8 ieee80211_rx_reorder_ampdu(str + + /* according to mpdu sequence number deal with reordering buffer */ + mpdu_seq_num = (sc & IEEE80211_SCTL_SEQ) >> 4; +- ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, ++ ret = ieee80211_sta_manage_reorder_buf(hw, tid_agg_rx, skb, status, + mpdu_seq_num, 0); + end_reorder: + return ret; +@@ -2255,7 +2260,7 @@ void __ieee80211_rx(struct ieee80211_hw + return; + } + +- if (!ieee80211_rx_reorder_ampdu(local, skb)) ++ if (!ieee80211_rx_reorder_ampdu(local, skb, status)) + __ieee80211_rx_handle_packet(hw, skb, status, rate); + + rcu_read_unlock(); diff --git a/queue-2.6.29/series b/queue-2.6.29/series index a0518bf6e3a..b56a0dd7956 100644 --- a/queue-2.6.29/series +++ b/queue-2.6.29/series @@ -1 +1,12 @@ forcedeth-fix-resume-from-hibernation-regression.patch +mac80211-fix-bug-in-getting-rx-status-for-frames-pending-in-reorder-buffer.patch +b43-poison-rx-buffers.patch +b43-refresh-rx-poison-on-buffer-recycling.patch +thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch +alsa-us122l-add-snd_us122l_free.patch +mac80211-fix-basic-rate-bitmap-calculation.patch +kvm-mmu-fix-off-by-one-calculating-large-page-count.patch +kvm-mmu-disable-global-page-optimization.patch +kvm-fix-overlapping-check-for-memory-slots.patch +kvm-x86-release-time_page-on-vcpu-destruction.patch +usb-unusual-device-support-for-gold-mp3-player-energy.patch diff --git a/queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch b/queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch new file mode 100644 index 00000000000..0be6b2b2168 --- /dev/null +++ b/queue-2.6.29/thinkpad-acpi-fix-led-blinking-through-timer-trigger.patch @@ -0,0 +1,131 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:26 2009 +Date: Fri, 24 Apr 2009 16:05:21 GMT +Message-Id: <200904241605.n3OG5LVS007983@hera.kernel.org> +From: Henrique de Moraes Holschuh +To: jejb@kernel.org, stable@kernel.org +Subject: thinkpad-acpi: fix LED blinking through timer trigger + +upstream commit: 75bd3bf2ade9d548be0d2bde60b5ee0fdce0b127 + +The set_blink hook code in the LED subdriver would never manage to get +a LED to blink, and instead it would just turn it on. The consequence +of this is that the "timer" trigger would not cause the LED to blink +if given default parameters. + +This problem exists since 2.6.26-rc1. + +To fix it, switch the deferred LED work handling to use the +thinkpad-acpi-specific LED status (off/on/blink) directly. + +This also makes the code easier to read, and to extend later. + +Signed-off-by: Henrique de Moraes Holschuh +Cc: stable@kernel.org +Signed-off-by: Len Brown +Signed-off-by: Chris Wright +--- + drivers/platform/x86/thinkpad_acpi.c | 41 ++++++++++++++++------------------- + 1 file changed, 19 insertions(+), 22 deletions(-) + +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -306,11 +306,17 @@ static u32 dbg_level; + + static struct workqueue_struct *tpacpi_wq; + ++enum led_status_t { ++ TPACPI_LED_OFF = 0, ++ TPACPI_LED_ON, ++ TPACPI_LED_BLINK, ++}; ++ + /* Special LED class that can defer work */ + struct tpacpi_led_classdev { + struct led_classdev led_classdev; + struct work_struct work; +- enum led_brightness new_brightness; ++ enum led_status_t new_state; + unsigned int led; + }; + +@@ -4057,7 +4063,7 @@ static void light_set_status_worker(stru + container_of(work, struct tpacpi_led_classdev, work); + + if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING)) +- light_set_status((data->new_brightness != LED_OFF)); ++ light_set_status((data->new_state != TPACPI_LED_OFF)); + } + + static void light_sysfs_set(struct led_classdev *led_cdev, +@@ -4067,7 +4073,8 @@ static void light_sysfs_set(struct led_c + container_of(led_cdev, + struct tpacpi_led_classdev, + led_classdev); +- data->new_brightness = brightness; ++ data->new_state = (brightness != LED_OFF) ? ++ TPACPI_LED_ON : TPACPI_LED_OFF; + queue_work(tpacpi_wq, &data->work); + } + +@@ -4574,12 +4581,6 @@ enum { /* For TPACPI_LED_OLD */ + TPACPI_LED_EC_HLMS = 0x0e, /* EC reg to select led to command */ + }; + +-enum led_status_t { +- TPACPI_LED_OFF = 0, +- TPACPI_LED_ON, +- TPACPI_LED_BLINK, +-}; +- + static enum led_access_mode led_supported; + + TPACPI_HANDLE(led, ec, "SLED", /* 570 */ +@@ -4673,23 +4674,13 @@ static int led_set_status(const unsigned + return rc; + } + +-static void led_sysfs_set_status(unsigned int led, +- enum led_brightness brightness) +-{ +- led_set_status(led, +- (brightness == LED_OFF) ? +- TPACPI_LED_OFF : +- (tpacpi_led_state_cache[led] == TPACPI_LED_BLINK) ? +- TPACPI_LED_BLINK : TPACPI_LED_ON); +-} +- + static void led_set_status_worker(struct work_struct *work) + { + struct tpacpi_led_classdev *data = + container_of(work, struct tpacpi_led_classdev, work); + + if (likely(tpacpi_lifecycle == TPACPI_LIFE_RUNNING)) +- led_sysfs_set_status(data->led, data->new_brightness); ++ led_set_status(data->led, data->new_state); + } + + static void led_sysfs_set(struct led_classdev *led_cdev, +@@ -4698,7 +4689,13 @@ static void led_sysfs_set(struct led_cla + struct tpacpi_led_classdev *data = container_of(led_cdev, + struct tpacpi_led_classdev, led_classdev); + +- data->new_brightness = brightness; ++ if (brightness == LED_OFF) ++ data->new_state = TPACPI_LED_OFF; ++ else if (tpacpi_led_state_cache[data->led] != TPACPI_LED_BLINK) ++ data->new_state = TPACPI_LED_ON; ++ else ++ data->new_state = TPACPI_LED_BLINK; ++ + queue_work(tpacpi_wq, &data->work); + } + +@@ -4716,7 +4713,7 @@ static int led_sysfs_blink_set(struct le + } else if ((*delay_on != 500) || (*delay_off != 500)) + return -EINVAL; + +- data->new_brightness = TPACPI_LED_BLINK; ++ data->new_state = TPACPI_LED_BLINK; + queue_work(tpacpi_wq, &data->work); + + return 0; diff --git a/queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch b/queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch new file mode 100644 index 00000000000..25e34e3b090 --- /dev/null +++ b/queue-2.6.29/usb-unusual-device-support-for-gold-mp3-player-energy.patch @@ -0,0 +1,47 @@ +From stable-bounces@linux.kernel.org Fri Apr 24 16:05:08 2009 +Date: Fri, 24 Apr 2009 16:05:04 GMT +Message-Id: <200904241605.n3OG54gX007660@hera.kernel.org> +From: Chuck Short +To: jejb@kernel.org, stable@kernel.org +Subject: USB: Unusual Device support for Gold MP3 Player Energy + +upstream commit: 46c6e93faa85d1362e1d127dc28cf9d0b304a6f1 + +Reported by Alessio Treglia on +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/125250 + +User was getting the following errors in dmesg: + +[ 2158.139386] sd 5:0:0:1: ioctl_internal_command return code = 8000002 +[ 2158.139390] : Current: sense key: No Sense +[ 2158.139393] Additional sense: No additional sense information + +Adds unusual device support. + +modified: drivers/usb/storage/unusual_devs.h + +Signed-off-by: Chuck Short +Signed-off-by: Tim Gardner +Signed-off-by: Stefan Bader +Cc: stable +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Chris Wright +--- + drivers/usb/storage/unusual_devs.h | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -2134,6 +2134,12 @@ UNUSUAL_DEV( 0xed06, 0x4500, 0x0001, 0x + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_CAPACITY_HEURISTICS), + ++/* Reported by Alessio Treglia */ ++UNUSUAL_DEV( 0xed10, 0x7636, 0x0001, 0x0001, ++ "TGE", ++ "Digital MP3 Audio Player", ++ US_SC_DEVICE, US_PR_DEVICE, NULL, US_FL_NOT_LOCKABLE ), ++ + /* Control/Bulk transport for all SubClass values */ + USUAL_DEV(US_SC_RBC, US_PR_CB, USB_US_TYPE_STOR), + USUAL_DEV(US_SC_8020, US_PR_CB, USB_US_TYPE_STOR),