From: Greg Kroah-Hartman Date: Mon, 4 May 2009 22:01:14 +0000 (-0700) Subject: more .29 patches X-Git-Tag: v2.6.27.23~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a2dd30e54e8fed1690433b4a60537b57977c6e1;p=thirdparty%2Fkernel%2Fstable-queue.git more .29 patches --- diff --git a/queue-2.6.29/asoc-fix-offset-of-freqmode-in-wm8580-pll-configuration.patch b/queue-2.6.29/asoc-fix-offset-of-freqmode-in-wm8580-pll-configuration.patch new file mode 100644 index 00000000000..539e096acdc --- /dev/null +++ b/queue-2.6.29/asoc-fix-offset-of-freqmode-in-wm8580-pll-configuration.patch @@ -0,0 +1,27 @@ +From ce88168f5b5eca7f40394fa6b05ae29f4b685569 Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Tue, 21 Apr 2009 12:35:15 +0100 +Subject: ASoC: Fix offset of freqmode in WM8580 PLL configuration + +From: Mark Brown + +commit ce88168f5b5eca7f40394fa6b05ae29f4b685569 upstream. + +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8580.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/codecs/wm8580.c ++++ b/sound/soc/codecs/wm8580.c +@@ -533,7 +533,7 @@ static int wm8580_set_dai_pll(struct snd + reg = wm8580_read(codec, WM8580_PLLA4 + offset); + reg &= ~0x3f; + reg |= pll_div.prescale | pll_div.postscale << 1 | +- pll_div.freqmode << 4; ++ pll_div.freqmode << 3; + + wm8580_write(codec, WM8580_PLLA4 + offset, reg); + diff --git a/queue-2.6.29/bio-fix-memcpy-corruption-in-bio_copy_user_iov.patch b/queue-2.6.29/bio-fix-memcpy-corruption-in-bio_copy_user_iov.patch new file mode 100644 index 00000000000..8ecbc53c6a9 --- /dev/null +++ b/queue-2.6.29/bio-fix-memcpy-corruption-in-bio_copy_user_iov.patch @@ -0,0 +1,34 @@ +From 69838727bcd819a8fd73a88447801221788b0c6d Mon Sep 17 00:00:00 2001 +From: FUJITA Tomonori +Date: Tue, 28 Apr 2009 20:24:29 +0200 +Subject: bio: fix memcpy corruption in bio_copy_user_iov() + +From: FUJITA Tomonori + +commit 69838727bcd819a8fd73a88447801221788b0c6d upstream. + +st driver uses blk_rq_map_user() in order to just build a request out +of page frames. In this case, map_data->offset is a non zero value and +iov[0].iov_base is NULL. We need to increase nr_pages for that. + +Cc: stable@kernel.org +Signed-off-by: FUJITA Tomonori +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/bio.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/fs/bio.c ++++ b/fs/bio.c +@@ -806,6 +806,9 @@ struct bio *bio_copy_user_iov(struct req + len += iov[i].iov_len; + } + ++ if (offset) ++ nr_pages++; ++ + bmd = bio_alloc_map_data(nr_pages, iov_count, gfp_mask); + if (!bmd) + return ERR_PTR(-ENOMEM); diff --git a/queue-2.6.29/drm-i915-allow-tiled-front-buffers-on-965.patch b/queue-2.6.29/drm-i915-allow-tiled-front-buffers-on-965.patch new file mode 100644 index 00000000000..859fcc20690 --- /dev/null +++ b/queue-2.6.29/drm-i915-allow-tiled-front-buffers-on-965.patch @@ -0,0 +1,68 @@ +From f544847fbaf099278343f875987a983f2b913134 Mon Sep 17 00:00:00 2001 +From: Jesse Barnes +Date: Tue, 14 Apr 2009 14:17:47 -0700 +Subject: drm/i915: allow tiled front buffers on 965+ + +From: Jesse Barnes + +commit f544847fbaf099278343f875987a983f2b913134 upstream. + +This patch corrects a pretty big oversight in the KMS code for 965+ +chips. The current code is missing tiled surface register programming, +so userland can allocate a tiled surface and use it for mode setting, +resulting in corruption. This patch fixes that, allowing for tiled +front buffers on 965+. + +Cc: stable@kernel.org +Tested-by: Arkadiusz Miskiewicz +Signed-off-by: Jesse Barnes +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_reg.h | 1 + + drivers/gpu/drm/i915/intel_display.c | 9 +++++++++ + 2 files changed, 10 insertions(+) + +--- a/drivers/gpu/drm/i915/i915_reg.h ++++ b/drivers/gpu/drm/i915/i915_reg.h +@@ -1431,6 +1431,7 @@ + #define DISPPLANE_NO_LINE_DOUBLE 0 + #define DISPPLANE_STEREO_POLARITY_FIRST 0 + #define DISPPLANE_STEREO_POLARITY_SECOND (1<<18) ++#define DISPPLANE_TILED (1<<10) + #define DSPAADDR 0x70184 + #define DSPASTRIDE 0x70188 + #define DSPAPOS 0x7018C /* reserved */ +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -338,6 +338,7 @@ intel_pipe_set_base(struct drm_crtc *crt + int dspbase = (pipe == 0 ? DSPAADDR : DSPBADDR); + int dspsurf = (pipe == 0 ? DSPASURF : DSPBSURF); + int dspstride = (pipe == 0) ? DSPASTRIDE : DSPBSTRIDE; ++ int dsptileoff = (pipe == 0 ? DSPATILEOFF : DSPBTILEOFF); + int dspcntr_reg = (pipe == 0) ? DSPACNTR : DSPBCNTR; + u32 dspcntr, alignment; + int ret; +@@ -414,6 +415,13 @@ intel_pipe_set_base(struct drm_crtc *crt + mutex_unlock(&dev->struct_mutex); + return -EINVAL; + } ++ if (IS_I965G(dev)) { ++ if (obj_priv->tiling_mode != I915_TILING_NONE) ++ dspcntr |= DISPPLANE_TILED; ++ else ++ dspcntr &= ~DISPPLANE_TILED; ++ } ++ + I915_WRITE(dspcntr_reg, dspcntr); + + Start = obj_priv->gtt_offset; +@@ -426,6 +434,7 @@ intel_pipe_set_base(struct drm_crtc *crt + I915_READ(dspbase); + I915_WRITE(dspsurf, Start); + I915_READ(dspsurf); ++ I915_WRITE(dsptileoff, (y << 16) | x); + } else { + I915_WRITE(dspbase, Start + Offset); + I915_READ(dspbase); diff --git a/queue-2.6.29/kbuild-fix-module.markers-permission-error-under-cygwin.patch b/queue-2.6.29/kbuild-fix-module.markers-permission-error-under-cygwin.patch new file mode 100644 index 00000000000..e1a138a8c71 --- /dev/null +++ b/queue-2.6.29/kbuild-fix-module.markers-permission-error-under-cygwin.patch @@ -0,0 +1,49 @@ +From 99e3a1eb3c22bb671c6f3d22d8244bfc9fad8185 Mon Sep 17 00:00:00 2001 +From: Cedric Hombourger +Date: Sat, 25 Apr 2009 09:38:21 +0200 +Subject: kbuild: fix Module.markers permission error under cygwin + +From: Cedric Hombourger + +commit 99e3a1eb3c22bb671c6f3d22d8244bfc9fad8185 upstream. + +While building the kernel, we end-up calling modpost with -K and -M +options for the same file (Modules.markers). This is resulting in +modpost's main function calling read_markers() and then write_markers() on +the same file. + +We then have read_markers() mmap'ing the file, and writer_markers() +opening that same file for writing. + +The issue is that read_markers() exits without munmap'ing the file and is +as a matter holding a reference on Modules.markers. When write_markers() +is opening that very same file for writing, we still have a reference on +it and cygwin (Windows?) is then making fopen() fail with EPERM. + +Calling release_file() before exiting read_markers() clears that reference +(and memory leak) and fopen() then succeeds. + +Tested on both cygwin (1.3.22) and Linux. Also ran modpost within +valgrind on Linux to make sure that the munmap'ed file was not accessed +after read_markers() + +Signed-off-by: Cedric Hombourger +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Sam Ravnborg +Signed-off-by: Greg Kroah-Hartman + +--- + scripts/mod/modpost.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/scripts/mod/modpost.c ++++ b/scripts/mod/modpost.c +@@ -2005,6 +2005,7 @@ static void read_markers(const char *fna + if (!mod->skip) + add_marker(mod, marker, fmt); + } ++ release_file(file, size); + return; + fail: + fatal("parse error in markers list file\n"); diff --git a/queue-2.6.29/mm-fix-committed_as-underflow-on-large-nr_cpus-environment.patch b/queue-2.6.29/mm-fix-committed_as-underflow-on-large-nr_cpus-environment.patch new file mode 100644 index 00000000000..1a5eb1c5cb9 --- /dev/null +++ b/queue-2.6.29/mm-fix-committed_as-underflow-on-large-nr_cpus-environment.patch @@ -0,0 +1,226 @@ +From 00a62ce91e554198ef28234c91c36f850f5a3bc9 Mon Sep 17 00:00:00 2001 +From: KOSAKI Motohiro +Date: Thu, 30 Apr 2009 15:08:51 -0700 +Subject: mm: fix Committed_AS underflow on large NR_CPUS environment + +From: KOSAKI Motohiro + +commit 00a62ce91e554198ef28234c91c36f850f5a3bc9 upstream. + +The Committed_AS field can underflow in certain situations: + +> # while true; do cat /proc/meminfo | grep _AS; sleep 1; done | uniq -c +> 1 Committed_AS: 18446744073709323392 kB +> 11 Committed_AS: 18446744073709455488 kB +> 6 Committed_AS: 35136 kB +> 5 Committed_AS: 18446744073709454400 kB +> 7 Committed_AS: 35904 kB +> 3 Committed_AS: 18446744073709453248 kB +> 2 Committed_AS: 34752 kB +> 9 Committed_AS: 18446744073709453248 kB +> 8 Committed_AS: 34752 kB +> 3 Committed_AS: 18446744073709320960 kB +> 7 Committed_AS: 18446744073709454080 kB +> 3 Committed_AS: 18446744073709320960 kB +> 5 Committed_AS: 18446744073709454080 kB +> 6 Committed_AS: 18446744073709320960 kB + +Because NR_CPUS can be greater than 1000 and meminfo_proc_show() does +not check for underflow. + +But NR_CPUS proportional isn't good calculation. In general, +possibility of lock contention is proportional to the number of online +cpus, not theorical maximum cpus (NR_CPUS). + +The current kernel has generic percpu-counter stuff. using it is right +way. it makes code simplify and percpu_counter_read_positive() don't +make underflow issue. + +Reported-by: Dave Hansen +Signed-off-by: KOSAKI Motohiro +Cc: Eric B Munson +Cc: Mel Gorman +Cc: Christoph Lameter +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/meminfo.c | 2 +- + include/linux/mman.h | 9 +++------ + mm/mmap.c | 12 ++++++------ + mm/nommu.c | 13 +++++++------ + mm/swap.c | 46 ---------------------------------------------- + 5 files changed, 17 insertions(+), 65 deletions(-) + +--- a/fs/proc/meminfo.c ++++ b/fs/proc/meminfo.c +@@ -35,7 +35,7 @@ static int meminfo_proc_show(struct seq_ + #define K(x) ((x) << (PAGE_SHIFT - 10)) + si_meminfo(&i); + si_swapinfo(&i); +- committed = atomic_long_read(&vm_committed_space); ++ committed = percpu_counter_read_positive(&vm_committed_as); + allowed = ((totalram_pages - hugetlb_total_pages()) + * sysctl_overcommit_ratio / 100) + total_swap_pages; + +--- a/include/linux/mman.h ++++ b/include/linux/mman.h +@@ -12,21 +12,18 @@ + + #ifdef __KERNEL__ + #include ++#include + + #include + + extern int sysctl_overcommit_memory; + extern int sysctl_overcommit_ratio; +-extern atomic_long_t vm_committed_space; ++extern struct percpu_counter vm_committed_as; + +-#ifdef CONFIG_SMP +-extern void vm_acct_memory(long pages); +-#else + static inline void vm_acct_memory(long pages) + { +- atomic_long_add(pages, &vm_committed_space); ++ percpu_counter_add(&vm_committed_as, pages); + } +-#endif + + static inline void vm_unacct_memory(long pages) + { +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -84,7 +84,7 @@ EXPORT_SYMBOL(vm_get_page_prot); + int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */ + int sysctl_overcommit_ratio = 50; /* default is 50% */ + int sysctl_max_map_count __read_mostly = DEFAULT_MAX_MAP_COUNT; +-atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0); ++struct percpu_counter vm_committed_as; + + /* + * Check that a process has enough memory to allocate a new virtual +@@ -178,11 +178,7 @@ int __vm_enough_memory(struct mm_struct + if (mm) + allowed -= mm->total_vm / 32; + +- /* +- * cast `allowed' as a signed long because vm_committed_space +- * sometimes has a negative value +- */ +- if (atomic_long_read(&vm_committed_space) < (long)allowed) ++ if (percpu_counter_read_positive(&vm_committed_as) < allowed) + return 0; + error: + vm_unacct_memory(pages); +@@ -2262,6 +2258,10 @@ static int special_mapping_fault(struct + */ + static void special_mapping_close(struct vm_area_struct *vma) + { ++ int ret; ++ ++ ret = percpu_counter_init(&vm_committed_as, 0); ++ VM_BUG_ON(ret); + } + + static struct vm_operations_struct special_mapping_vmops = { +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -62,7 +62,7 @@ void *high_memory; + struct page *mem_map; + unsigned long max_mapnr; + unsigned long num_physpages; +-atomic_long_t vm_committed_space = ATOMIC_LONG_INIT(0); ++struct percpu_counter vm_committed_as; + int sysctl_overcommit_memory = OVERCOMMIT_GUESS; /* heuristic overcommit */ + int sysctl_overcommit_ratio = 50; /* default is 50% */ + int sysctl_max_map_count = DEFAULT_MAX_MAP_COUNT; +@@ -463,6 +463,10 @@ SYSCALL_DEFINE1(brk, unsigned long, brk) + */ + void __init mmap_init(void) + { ++ int ret; ++ ++ ret = percpu_counter_init(&vm_committed_as, 0); ++ VM_BUG_ON(ret); + vm_region_jar = kmem_cache_create("vm_region_jar", + sizeof(struct vm_region), 0, + SLAB_PANIC, NULL); +@@ -1849,12 +1853,9 @@ int __vm_enough_memory(struct mm_struct + if (mm) + allowed -= mm->total_vm / 32; + +- /* +- * cast `allowed' as a signed long because vm_committed_space +- * sometimes has a negative value +- */ +- if (atomic_long_read(&vm_committed_space) < (long)allowed) ++ if (percpu_counter_read_positive(&vm_committed_as) < allowed) + return 0; ++ + error: + vm_unacct_memory(pages); + +--- a/mm/swap.c ++++ b/mm/swap.c +@@ -514,49 +514,6 @@ unsigned pagevec_lookup_tag(struct pagev + + EXPORT_SYMBOL(pagevec_lookup_tag); + +-#ifdef CONFIG_SMP +-/* +- * We tolerate a little inaccuracy to avoid ping-ponging the counter between +- * CPUs +- */ +-#define ACCT_THRESHOLD max(16, NR_CPUS * 2) +- +-static DEFINE_PER_CPU(long, committed_space); +- +-void vm_acct_memory(long pages) +-{ +- long *local; +- +- preempt_disable(); +- local = &__get_cpu_var(committed_space); +- *local += pages; +- if (*local > ACCT_THRESHOLD || *local < -ACCT_THRESHOLD) { +- atomic_long_add(*local, &vm_committed_space); +- *local = 0; +- } +- preempt_enable(); +-} +- +-#ifdef CONFIG_HOTPLUG_CPU +- +-/* Drop the CPU's cached committed space back into the central pool. */ +-static int cpu_swap_callback(struct notifier_block *nfb, +- unsigned long action, +- void *hcpu) +-{ +- long *committed; +- +- committed = &per_cpu(committed_space, (long)hcpu); +- if (action == CPU_DEAD || action == CPU_DEAD_FROZEN) { +- atomic_long_add(*committed, &vm_committed_space); +- *committed = 0; +- drain_cpu_pagevecs((long)hcpu); +- } +- return NOTIFY_OK; +-} +-#endif /* CONFIG_HOTPLUG_CPU */ +-#endif /* CONFIG_SMP */ +- + /* + * Perform any setup for the swap system + */ +@@ -577,7 +534,4 @@ void __init swap_setup(void) + * Right now other parts of the system means that we + * _really_ don't want to cluster much more + */ +-#ifdef CONFIG_HOTPLUG_CPU +- hotcpu_notifier(cpu_swap_callback, 0); +-#endif + } diff --git a/queue-2.6.29/pagemap-require-aligned-length-non-null-reads-of-proc-pid-pagemap.patch b/queue-2.6.29/pagemap-require-aligned-length-non-null-reads-of-proc-pid-pagemap.patch new file mode 100644 index 00000000000..29273edc75f --- /dev/null +++ b/queue-2.6.29/pagemap-require-aligned-length-non-null-reads-of-proc-pid-pagemap.patch @@ -0,0 +1,42 @@ +From 0816178638c15ce5472d39d771a96860dff4141a Mon Sep 17 00:00:00 2001 +From: Vitaly Mayatskikh +Date: Thu, 30 Apr 2009 15:08:18 -0700 +Subject: pagemap: require aligned-length, non-null reads of /proc/pid/pagemap + +From: Vitaly Mayatskikh + +commit 0816178638c15ce5472d39d771a96860dff4141a upstream. + +The intention of commit aae8679b0ebcaa92f99c1c3cb0cd651594a43915 +("pagemap: fix bug in add_to_pagemap, require aligned-length reads of +/proc/pid/pagemap") was to force reads of /proc/pid/pagemap to be a +multiple of 8 bytes, but now it allows to read 0 bytes, which actually +puts some data to user's buffer. According to POSIX, if count is zero, +read() should return zero and has no other results. + +Signed-off-by: Vitaly Mayatskikh +Cc: Thomas Tuttle +Acked-by: Matt Mackall +Cc: Alexey Dobriyan +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/task_mmu.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -663,6 +663,10 @@ static ssize_t pagemap_read(struct file + goto out_task; + + ret = 0; ++ ++ if (!count) ++ goto out_task; ++ + mm = get_task_mm(task); + if (!mm) + goto out_task; diff --git a/queue-2.6.29/pci-quirk-disable-msi-on-via-vt3364-chipsets.patch b/queue-2.6.29/pci-quirk-disable-msi-on-via-vt3364-chipsets.patch new file mode 100644 index 00000000000..4a3f5b119fb --- /dev/null +++ b/queue-2.6.29/pci-quirk-disable-msi-on-via-vt3364-chipsets.patch @@ -0,0 +1,33 @@ +From 162dedd39dcc6eca3fc0d29cf19658c6c13b840e Mon Sep 17 00:00:00 2001 +From: Thomas Renninger +Date: Fri, 3 Apr 2009 06:34:00 -0700 +Subject: PCI quirk: disable MSI on VIA VT3364 chipsets + +From: Thomas Renninger + +commit 162dedd39dcc6eca3fc0d29cf19658c6c13b840e upstream. + +Without this patch, Broadcom BCM5906 Ethernet controllers set up via MSI +cause the machine to hang. Tejun agreed that the best is to blacklist +the whole chipset and after adding it, seeing the other VIA quirks +disabling MSI, this very much looks like the right way. + +Cc: +Signed-off-by: Thomas Renninger +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -1960,6 +1960,7 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_AT + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_ATI, PCI_DEVICE_ID_ATI_RS480, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3336, quirk_disable_all_msi); + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3351, quirk_disable_all_msi); ++DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_VIA, PCI_DEVICE_ID_VIA_VT3364, quirk_disable_all_msi); + + /* Disable MSI on chipsets that are known to not support it */ + static void __devinit quirk_disable_msi(struct pci_dev *dev) diff --git a/queue-2.6.29/ptrace-ptrace_attach-fix-the-usage-of-cred_exec_mutex.patch b/queue-2.6.29/ptrace-ptrace_attach-fix-the-usage-of-cred_exec_mutex.patch new file mode 100644 index 00000000000..4170a58ebb9 --- /dev/null +++ b/queue-2.6.29/ptrace-ptrace_attach-fix-the-usage-of-cred_exec_mutex.patch @@ -0,0 +1,41 @@ +From cad81bc2529ab8c62b6fdc83a1c0c7f4a87209eb Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Mon, 27 Apr 2009 01:41:34 +0200 +Subject: ptrace: ptrace_attach: fix the usage of ->cred_exec_mutex + +From: Oleg Nesterov + +commit cad81bc2529ab8c62b6fdc83a1c0c7f4a87209eb upstream. + +ptrace_attach() needs task->cred_exec_mutex, not current->cred_exec_mutex. + +Signed-off-by: Oleg Nesterov +Acked-by: Roland McGrath +Acked-by: David Howells +Signed-off-by: James Morris +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/ptrace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/ptrace.c ++++ b/kernel/ptrace.c +@@ -186,7 +186,7 @@ int ptrace_attach(struct task_struct *ta + /* Protect exec's credential calculations against our interference; + * SUID, SGID and LSM creds get determined differently under ptrace. + */ +- retval = mutex_lock_interruptible(¤t->cred_exec_mutex); ++ retval = mutex_lock_interruptible(&task->cred_exec_mutex); + if (retval < 0) + goto out; + +@@ -230,7 +230,7 @@ repeat: + bad: + write_unlock_irqrestore(&tasklist_lock, flags); + task_unlock(task); +- mutex_unlock(¤t->cred_exec_mutex); ++ mutex_unlock(&task->cred_exec_mutex); + out: + return retval; + } diff --git a/queue-2.6.29/series b/queue-2.6.29/series index 75490bf5b22..3341e8dc8fb 100644 --- a/queue-2.6.29/series +++ b/queue-2.6.29/series @@ -18,3 +18,13 @@ exit_notify-kill-the-wrong-capable-check.patch pci-fix-incorrect-mask-of-pm-no_soft_reset-bit.patch unreached-code-in-selinux_ip_postroute_iptables_compat.patch drm-i915-add-support-for-g41-chipset.patch +x86-64-fix-fpu-corruption-with-signals-and-preemption.patch +x86-pci-don-t-call-e820_all_mapped-with-1-in-the-mmconfig-case.patch +asoc-fix-offset-of-freqmode-in-wm8580-pll-configuration.patch +pci-quirk-disable-msi-on-via-vt3364-chipsets.patch +bio-fix-memcpy-corruption-in-bio_copy_user_iov.patch +drm-i915-allow-tiled-front-buffers-on-965.patch +mm-fix-committed_as-underflow-on-large-nr_cpus-environment.patch +pagemap-require-aligned-length-non-null-reads-of-proc-pid-pagemap.patch +kbuild-fix-module.markers-permission-error-under-cygwin.patch +ptrace-ptrace_attach-fix-the-usage-of-cred_exec_mutex.patch diff --git a/queue-2.6.29/x86-64-fix-fpu-corruption-with-signals-and-preemption.patch b/queue-2.6.29/x86-64-fix-fpu-corruption-with-signals-and-preemption.patch new file mode 100644 index 00000000000..c5a59216e06 --- /dev/null +++ b/queue-2.6.29/x86-64-fix-fpu-corruption-with-signals-and-preemption.patch @@ -0,0 +1,59 @@ +From 06c38d5e36b12d040839ff224e805146c0368556 Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Thu, 9 Apr 2009 15:24:34 -0700 +Subject: x86-64: fix FPU corruption with signals and preemption + +From: Suresh Siddha + +commit 06c38d5e36b12d040839ff224e805146c0368556 upstream. + +In 64bit signal delivery path, clear_used_math() was happening before saving +the current active FPU state on to the user stack for signal handling. Between +clear_used_math() and the state store on to the user stack, potentially we +can get a page fault for the user address and can block. Infact, while testing +we were hitting the might_fault() in __clear_user() which can do a schedule(). + +At a later point in time, we will schedule back into this process and +resume the save state (using "xsave/fxsave" instruction) which can lead +to DNA fault. And as used_math was cleared before, we will reinit the FP state +in the DNA fault and continue. This reinit will result in loosing the +FPU state of the process. + +Move clear_used_math() to a point after the FPU state has been stored +onto the user stack. + +This issue is present from a long time (even before the xsave changes +and the x86 merge). But it can easily be exposed in 2.6.28.x and 2.6.29.x +series because of the __clear_user() in this path, which has an explicit +__cond_resched() leading to a context switch with CONFIG_PREEMPT_VOLUNTARY. + +[ Impact: fix FPU state corruption ] + +Signed-off-by: Suresh Siddha +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/xsave.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/xsave.c ++++ b/arch/x86/kernel/xsave.c +@@ -89,7 +89,7 @@ int save_i387_xstate(void __user *buf) + + if (!used_math()) + return 0; +- clear_used_math(); /* trigger finit */ ++ + if (task_thread_info(tsk)->status & TS_USEDFPU) { + /* + * Start with clearing the user buffer. This will present a +@@ -114,6 +114,8 @@ int save_i387_xstate(void __user *buf) + return -1; + } + ++ clear_used_math(); /* trigger finit */ ++ + if (task_thread_info(tsk)->status & TS_XSAVE) { + struct _fpstate __user *fx = buf; + struct _xstate __user *x = buf; diff --git a/queue-2.6.29/x86-pci-don-t-call-e820_all_mapped-with-1-in-the-mmconfig-case.patch b/queue-2.6.29/x86-pci-don-t-call-e820_all_mapped-with-1-in-the-mmconfig-case.patch new file mode 100644 index 00000000000..4cac43103ba --- /dev/null +++ b/queue-2.6.29/x86-pci-don-t-call-e820_all_mapped-with-1-in-the-mmconfig-case.patch @@ -0,0 +1,50 @@ +From 044cd80942e47b9de0915b627902adf05c52377f Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Sat, 18 Apr 2009 01:43:46 -0700 +Subject: x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case + +From: Yinghai Lu + +commit 044cd80942e47b9de0915b627902adf05c52377f upstream. + +e820_all_mapped need end is (addr + size) instead of (addr + size - 1) + +Cc: stable@kernel.org +Acked-by: Ingo Molnar +Signed-off-by: Yinghai Lu +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/mmconfig-shared.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/pci/mmconfig-shared.c ++++ b/arch/x86/pci/mmconfig-shared.c +@@ -254,7 +254,7 @@ static acpi_status __init check_mcfg_res + if (!fixmem32) + return AE_OK; + if ((mcfg_res->start >= fixmem32->address) && +- (mcfg_res->end < (fixmem32->address + ++ (mcfg_res->end <= (fixmem32->address + + fixmem32->address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; +@@ -271,7 +271,7 @@ static acpi_status __init check_mcfg_res + return AE_OK; + + if ((mcfg_res->start >= address.minimum) && +- (mcfg_res->end < (address.minimum + address.address_length))) { ++ (mcfg_res->end <= (address.minimum + address.address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; + } +@@ -318,7 +318,7 @@ static int __init is_mmconf_reserved(che + u64 old_size = size; + int valid = 0; + +- while (!is_reserved(addr, addr + size - 1, E820_RESERVED)) { ++ while (!is_reserved(addr, addr + size, E820_RESERVED)) { + size >>= 1; + if (size < (16UL<<20)) + break;