From: Greg Kroah-Hartman Date: Tue, 9 Jun 2009 08:59:29 +0000 (-0700) Subject: lots of .27 patches X-Git-Tag: v2.6.27.25~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=7a4403e25a94f1681ca8e98f9328512395917f43;p=thirdparty%2Fkernel%2Fstable-queue.git lots of .27 patches --- diff --git a/queue-2.6.27/3w-xxxx-scsi_dma_unmap-fix.patch b/queue-2.6.27/3w-xxxx-scsi_dma_unmap-fix.patch new file mode 100644 index 00000000000..7fc5dcabe39 --- /dev/null +++ b/queue-2.6.27/3w-xxxx-scsi_dma_unmap-fix.patch @@ -0,0 +1,60 @@ +From 7b14f58ad65f9d74e4273fb45360cfea824495aa Mon Sep 17 00:00:00 2001 +From: adam radford +Date: Mon, 11 May 2009 14:55:55 -0700 +Subject: [SCSI] 3w-xxxx: scsi_dma_unmap fix + +From: adam radford + +commit 7b14f58ad65f9d74e4273fb45360cfea824495aa upstream. + +This patch fixes the following regression that occurred during the +scsi_dma_map()/unmap() +changes when compiling with CONFIG_DMA_API_DEBUG=y : + +WARNING: at lib/dma-debug.c:496 check_unmap+0x142/0x542() +Hardware name: +3w-xxxx 0000:02:02.0: DMA-API: device driver tries to free DMA memory +it has not allocated [device address=0x0000000000000000] [size=36 +bytes] + +Signed-off-by: Adam Radford +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/3w-xxxx.c | 5 +++-- + drivers/scsi/3w-xxxx.h | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick +@@ -1294,7 +1294,8 @@ static void tw_unmap_scsi_data(struct pc + { + dprintk(KERN_WARNING "3w-xxxx: tw_unmap_scsi_data()\n"); + +- scsi_dma_unmap(cmd); ++ if (cmd->SCp.phase == TW_PHASE_SGLIST) ++ scsi_dma_unmap(cmd); + } /* End tw_unmap_scsi_data() */ + + /* This function will reset a device extension */ +--- a/drivers/scsi/3w-xxxx.h ++++ b/drivers/scsi/3w-xxxx.h +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick diff --git a/queue-2.6.27/bnx2-fix-panic-in-bnx2_poll_work.patch b/queue-2.6.27/bnx2-fix-panic-in-bnx2_poll_work.patch new file mode 100644 index 00000000000..9d1dc57d173 --- /dev/null +++ b/queue-2.6.27/bnx2-fix-panic-in-bnx2_poll_work.patch @@ -0,0 +1,62 @@ +From 581daf7e00c5e766f26aff80a61a860a17b0d75a Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Wed, 6 May 2009 16:46:47 -0700 +Subject: bnx2: Fix panic in bnx2_poll_work(). + +From: Michael Chan + +commit 581daf7e00c5e766f26aff80a61a860a17b0d75a upstream. + +Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue: + +http://bugzilla.kernel.org/show_bug.cgi?id=12698 + +This issue was reported by multiple i386 users. Without barrier(), +the compiled code looks like the following where %eax contains the +address of the tx_cons or rx_cons in the DMA status block. The +status block contents can change between the cmpb and the movzwl +instruction. The driver would crash if the value was not 0xff during +the cmpb instruction, but changed to 0xff during the movzwl +instruction. + +6828: 80 38 ff cmpb $0xff,(%eax) +682b: 0f b7 10 movzwl (%eax),%edx + +With the added barrier(), the compiled code now looks correct: + +683d: 0f b7 10 movzwl (%eax),%edx +6840: 0f b6 c2 movzbl %dl,%eax +6843: 3d ff 00 00 00 cmp $0xff,%eax + +Thanks to Pascal de Bruijn for reporting the +problem and Holger Noefer for patiently +testing test patches for us. + +[greg - took out version change] + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bnx2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/bnx2.c ++++ b/drivers/net/bnx2.c +@@ -2574,6 +2574,7 @@ bnx2_get_hw_tx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_tx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_TX_DESC_CNT) == MAX_TX_DESC_CNT)) + cons++; + return cons; +@@ -2849,6 +2850,7 @@ bnx2_get_hw_rx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_rx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_RX_DESC_CNT) == MAX_RX_DESC_CNT)) + cons++; + return cons; diff --git a/queue-2.6.27/cpuidle-fix-amd-c1e-suspend-hang.patch b/queue-2.6.27/cpuidle-fix-amd-c1e-suspend-hang.patch new file mode 100644 index 00000000000..016fc43868c --- /dev/null +++ b/queue-2.6.27/cpuidle-fix-amd-c1e-suspend-hang.patch @@ -0,0 +1,38 @@ +From 7d60e8ab0d5507229dfbdf456501cc378610fa01 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Tue, 19 May 2009 16:09:54 +0800 +Subject: cpuidle: fix AMD C1E suspend hang + +From: Shaohua Li + +commit 7d60e8ab0d5507229dfbdf456501cc378610fa01 upstream. + +When AMD C1E is enabled, local APIC timer will stop even in C1. To avoid +suspend/resume hang, this patch removes C1 and replace it with a cpu_relax() in +suspend/resume path. This hasn't any impact in runtime path. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid suspend/resume hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -1468,8 +1468,8 @@ static int acpi_idle_enter_c1(struct cpu + + /* Do not access any ACPI IO ports in suspend path */ + if (acpi_idle_suspend) { +- acpi_safe_halt(); + local_irq_enable(); ++ cpu_relax(); + return 0; + } + diff --git a/queue-2.6.27/cpuidle-make-amc-c1e-work-in-processor_idle.patch b/queue-2.6.27/cpuidle-make-amc-c1e-work-in-processor_idle.patch new file mode 100644 index 00000000000..abd320ce3f8 --- /dev/null +++ b/queue-2.6.27/cpuidle-make-amc-c1e-work-in-processor_idle.patch @@ -0,0 +1,64 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:03:56 2009 +From: Shaohua Li +Date: Tue, 2 Jun 2009 10:51:58 +0800 +Subject: cpuidle: make AMC C1E work in processor_idle +To: stable@kernel.org +Cc: linux-acpi@vger.kernel.org, lenb@kernel.org +Message-ID: <20090602025158.GA21337@sli10-desk.sh.intel.com> +Content-Disposition: inline + +From: Shaohua Li + +commit 87ad57bacb25c3f24c54f142ef445f68277705f0 upstream + +When AMD C1E is enabled, local APIC timer will stop even in C1. This patch uses +broadcast ipi to replace local APIC timer in C1. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid boot hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -303,6 +303,9 @@ static void acpi_timer_check_state(int s + struct acpi_processor_power *pwr = &pr->power; + u8 type = local_apic_timer_c2_ok ? ACPI_STATE_C3 : ACPI_STATE_C2; + ++ if (boot_cpu_has(X86_FEATURE_AMDC1E)) ++ type = ACPI_STATE_C1; ++ + /* + * Check, if one of the previous states already marked the lapic + * unstable +@@ -1154,6 +1157,7 @@ static int acpi_processor_power_verify(s + switch (cx->type) { + case ACPI_STATE_C1: + cx->valid = 1; ++ acpi_timer_check_state(i, pr, cx); + break; + + case ACPI_STATE_C2: +@@ -1476,12 +1480,14 @@ static int acpi_idle_enter_c1(struct cpu + if (pr->flags.bm_check) + acpi_idle_update_bm_rld(pr, cx); + ++ acpi_state_timer_broadcast(pr, cx, 1); + t1 = inl(acpi_gbl_FADT.xpm_timer_block.address); + acpi_idle_do_entry(cx); + t2 = inl(acpi_gbl_FADT.xpm_timer_block.address); + + local_irq_enable(); + cx->usage++; ++ acpi_state_timer_broadcast(pr, cx, 0); + + return ticks_elapsed_in_us(t1, t2); + } diff --git a/queue-2.6.27/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch b/queue-2.6.27/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch new file mode 100644 index 00000000000..b9da44fd9e4 --- /dev/null +++ b/queue-2.6.27/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch @@ -0,0 +1,36 @@ +From b898f4f869da5b9d41f297fff87aca4cd42d80b3 Mon Sep 17 00:00:00 2001 +From: Roel Kluin +Date: Thu, 28 May 2009 14:34:29 -0700 +Subject: drivers/serial/mpc52xx_uart.c: fix array overindexing check + +From: Roel Kluin + +commit b898f4f869da5b9d41f297fff87aca4cd42d80b3 upstream. + +The check for an overindexing of mpc52xx_uart_{ports,nodes} has an +off-by-one. + +Signed-off-by: Roel Kluin +Acked-by: Wolfram Sang +Acked-by: Grant Likely +Cc: Benjamin Herrenschmidt +Cc: Alan Cox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/mpc52xx_uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/serial/mpc52xx_uart.c ++++ b/drivers/serial/mpc52xx_uart.c +@@ -1000,7 +1000,7 @@ mpc52xx_console_setup(struct console *co + pr_debug("mpc52xx_console_setup co=%p, co->index=%i, options=%s\n", + co, co->index, options); + +- if ((co->index < 0) || (co->index > MPC52xx_PSC_MAXNUM)) { ++ if ((co->index < 0) || (co->index >= MPC52xx_PSC_MAXNUM)) { + pr_debug("PSC%x out of range\n", co->index); + return -EINVAL; + } diff --git a/queue-2.6.27/e1000-add-missing-length-check-to-e1000-receive-routine.patch b/queue-2.6.27/e1000-add-missing-length-check-to-e1000-receive-routine.patch new file mode 100644 index 00000000000..3419a8ae196 --- /dev/null +++ b/queue-2.6.27/e1000-add-missing-length-check-to-e1000-receive-routine.patch @@ -0,0 +1,52 @@ +From ea30e11970a96cfe5e32c03a29332554573b4a10 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Tue, 2 Jun 2009 01:29:58 -0700 +Subject: e1000: add missing length check to e1000 receive routine + +From: Neil Horman + +commit ea30e11970a96cfe5e32c03a29332554573b4a10 upstream. + + Patch to fix bad length checking in e1000. E1000 by default does two +things: + +1) Spans rx descriptors for packets that don't fit into 1 skb on recieve +2) Strips the crc from a frame by subtracting 4 bytes from the length prior to +doing an skb_put + +Since the e1000 driver isn't written to support receiving packets that span +multiple rx buffers, it checks the End of Packet bit of every frame, and +discards it if its not set. This places us in a situation where, if we have a +spanning packet, the first part is discarded, but the second part is not (since +it is the end of packet, and it passes the EOP bit test). If the second part of +the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, +underflow the length, and wind up in skb_over_panic, when we try to skb_put a +huge number of bytes into the skb. This amounts to a remote DOS attack through +careful selection of frame size in relation to interface MTU. The fix for this +is already in the e1000e driver, as well as the e1000 sourceforge driver, but no +one ever pushed it to e1000. This is lifted straight from e1000e, and prevents +small frames from causing the underflow described above + +Signed-off-by: Neil Horman +Tested-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/e1000/e1000_main.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/e1000/e1000_main.c ++++ b/drivers/net/e1000/e1000_main.c +@@ -4133,8 +4133,9 @@ static bool e1000_clean_rx_irq(struct e1 + PCI_DMA_FROMDEVICE); + + length = le16_to_cpu(rx_desc->length); +- +- if (unlikely(!(status & E1000_RXD_STAT_EOP))) { ++ /* !EOP means multiple descriptors were used to store a single ++ * packet, also make sure the frame isn't just CRC only */ ++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) { + /* All receives must fit into a single buffer */ + E1000_DBG("%s: Receive packet consumed multiple" + " buffers\n", netdev->name); diff --git a/queue-2.6.27/hwmon-add-missing-__devexit_p.patch b/queue-2.6.27/hwmon-add-missing-__devexit_p.patch new file mode 100644 index 00000000000..494ed3c4f0b --- /dev/null +++ b/queue-2.6.27/hwmon-add-missing-__devexit_p.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:01:58 2009 +From: Mike Frysinger +Date: Tue, 2 Jun 2009 14:22:49 +0200 +Subject: hwmon: (lm78) Add missing __devexit_p() +To: stable@kernel.org +Message-ID: <20090602142249.0ee4ea83@hyperion.delvare> + +From: Mike Frysinger + +commit 39d8bbedb9571a89d638f5b05358f26ab503d7a6 upstream. + +The remove function uses __devexit, so the .remove assignment needs +__devexit_p() to fix a build error with hotplug disabled. + +Signed-off-by: Mike Frysinger +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm78.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm78.c ++++ b/drivers/hwmon/lm78.c +@@ -178,7 +178,7 @@ static struct platform_driver lm78_isa_d + .name = "lm78", + }, + .probe = lm78_isa_probe, +- .remove = lm78_isa_remove, ++ .remove = __devexit_p(lm78_isa_remove), + }; + + diff --git a/queue-2.6.27/igb-fix-lro-warning.patch b/queue-2.6.27/igb-fix-lro-warning.patch new file mode 100644 index 00000000000..2a511f8a1bc --- /dev/null +++ b/queue-2.6.27/igb-fix-lro-warning.patch @@ -0,0 +1,41 @@ +From jeffrey.t.kirsher@intel.com Tue Jun 9 01:13:47 2009 +From: Jeff Kirsher +Date: Tue, 02 Jun 2009 16:38:52 -0700 +Subject: igb: fix LRO warning +To: greg@kroah.com +Cc: stable@kernel.org, Jeff Kirsher , Stephen Hemminger +Message-ID: <20090602233851.24887.98909.stgit@localhost.localdomain> + +From: Jeff Kirsher + +This fix is only needed for 2.6.29.y tree, since in 2.6.30 and later IGB +has moved to using GRO instead of LRO. + +igb supports LRO, but was not setting any hooks to the ->set_flags +ethtool_ops function. This would trigger warnings if the user tried +to enable or disable LRO. + +Based on the patch provided by Stephen Hemminger + +Reported-by: Sergey Kononenko +Signed-off-by: Jeff Kirsher +CC: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/igb/igb_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/igb/igb_ethtool.c ++++ b/drivers/net/igb/igb_ethtool.c +@@ -2029,6 +2029,10 @@ static struct ethtool_ops igb_ethtool_op + .get_ethtool_stats = igb_get_ethtool_stats, + .get_coalesce = igb_get_coalesce, + .set_coalesce = igb_set_coalesce, ++ .get_flags = ethtool_op_get_flags, ++#ifdef CONFIG_IGB_LRO ++ .set_flags = ethtool_op_set_flags, ++#endif + }; + + void igb_set_ethtool_ops(struct net_device *netdev) diff --git a/queue-2.6.27/mac80211-pid-fix-memory-corruption.patch b/queue-2.6.27/mac80211-pid-fix-memory-corruption.patch new file mode 100644 index 00000000000..c55d1c36c57 --- /dev/null +++ b/queue-2.6.27/mac80211-pid-fix-memory-corruption.patch @@ -0,0 +1,144 @@ +From jirislaby@gmail.com Tue Jun 9 01:56:41 2009 +From: Jiri Slaby +Date: Wed, 13 May 2009 09:55:26 +0200 +Subject: mac80211: pid, fix memory corruption +To: greg@kroah.com +Cc: stable@kernel.org, linux-kernel@vger.kernel.org, Jiri Slaby , "John W. Linville" +Message-ID: <1242201326-10935-1-git-send-email-jirislaby@gmail.com> + +From: Jiri Slaby + +commit a8659597bf744b0f8d2560e2a734b5c941569e0e upstream + +pid doesn't count with some band having more bitrates than the one +associated the first time. +Fix that by counting the maximal available bitrate count and allocate +big enough space. + +Secondly, fix touching uninitialized memory which causes panics. +Index sucked from this random memory points to the hell. +The fix is to sort the rates on each band change. + +Also remove a comment which is wrong now. + +This version also contains half of +mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel +patch by John W. Linville, which is namely: +- if (sband->n_bitrates > max_rates) ++ if (sband && sband->n_bitrates > max_rates) +to fix oopses on one band devices. + +Signed-off-by: Jiri Slaby +Cc: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_pid_algo.c | 71 +++++++++++++++++++++------------------- + 1 file changed, 39 insertions(+), 32 deletions(-) + +--- a/net/mac80211/rc80211_pid_algo.c ++++ b/net/mac80211/rc80211_pid_algo.c +@@ -367,8 +367,40 @@ static void rate_control_pid_rate_init(v + * Until that method is implemented, we will use the lowest supported + * rate as a workaround. */ + struct ieee80211_supported_band *sband; ++ struct rc_pid_info *pinfo = priv; ++ struct rc_pid_rateinfo *rinfo = pinfo->rinfo; ++ int i, j, tmp; ++ bool s; + + sband = local->hw.wiphy->bands[local->hw.conf.channel->band]; ++ ++ /* Sort the rates. This is optimized for the most common case (i.e. ++ * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed ++ * mapping too. */ ++ for (i = 0; i < sband->n_bitrates; i++) { ++ rinfo[i].index = i; ++ rinfo[i].rev_index = i; ++ if (RC_PID_FAST_START) ++ rinfo[i].diff = 0; ++ else ++ rinfo[i].diff = i * pinfo->norm_offset; ++ } ++ for (i = 1; i < sband->n_bitrates; i++) { ++ s = 0; ++ for (j = 0; j < sband->n_bitrates - i; j++) ++ if (unlikely(sband->bitrates[rinfo[j].index].bitrate > ++ sband->bitrates[rinfo[j + 1].index].bitrate)) { ++ tmp = rinfo[j].index; ++ rinfo[j].index = rinfo[j + 1].index; ++ rinfo[j + 1].index = tmp; ++ rinfo[rinfo[j].index].rev_index = j; ++ rinfo[rinfo[j + 1].index].rev_index = j + 1; ++ s = 1; ++ } ++ if (!s) ++ break; ++ } ++ + sta->txrate_idx = rate_lowest_index(local, sband, sta); + sta->fail_avg = 0; + } +@@ -378,21 +410,23 @@ static void *rate_control_pid_alloc(stru + struct rc_pid_info *pinfo; + struct rc_pid_rateinfo *rinfo; + struct ieee80211_supported_band *sband; +- int i, j, tmp; +- bool s; ++ int i, max_rates = 0; + #ifdef CONFIG_MAC80211_DEBUGFS + struct rc_pid_debugfs_entries *de; + #endif + +- sband = local->hw.wiphy->bands[local->hw.conf.channel->band]; +- + pinfo = kmalloc(sizeof(*pinfo), GFP_ATOMIC); + if (!pinfo) + return NULL; + ++ for (i = 0; i < IEEE80211_NUM_BANDS; i++) { ++ sband = local->hw.wiphy->bands[i]; ++ if (sband && sband->n_bitrates > max_rates) ++ max_rates = sband->n_bitrates; ++ } + /* We can safely assume that sband won't change unless we get + * reinitialized. */ +- rinfo = kmalloc(sizeof(*rinfo) * sband->n_bitrates, GFP_ATOMIC); ++ rinfo = kmalloc(sizeof(*rinfo) * max_rates, GFP_ATOMIC); + if (!rinfo) { + kfree(pinfo); + return NULL; +@@ -410,33 +444,6 @@ static void *rate_control_pid_alloc(stru + pinfo->rinfo = rinfo; + pinfo->oldrate = 0; + +- /* Sort the rates. This is optimized for the most common case (i.e. +- * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed +- * mapping too. */ +- for (i = 0; i < sband->n_bitrates; i++) { +- rinfo[i].index = i; +- rinfo[i].rev_index = i; +- if (RC_PID_FAST_START) +- rinfo[i].diff = 0; +- else +- rinfo[i].diff = i * pinfo->norm_offset; +- } +- for (i = 1; i < sband->n_bitrates; i++) { +- s = 0; +- for (j = 0; j < sband->n_bitrates - i; j++) +- if (unlikely(sband->bitrates[rinfo[j].index].bitrate > +- sband->bitrates[rinfo[j + 1].index].bitrate)) { +- tmp = rinfo[j].index; +- rinfo[j].index = rinfo[j + 1].index; +- rinfo[j + 1].index = tmp; +- rinfo[rinfo[j].index].rev_index = j; +- rinfo[rinfo[j + 1].index].rev_index = j + 1; +- s = 1; +- } +- if (!s) +- break; +- } +- + #ifdef CONFIG_MAC80211_DEBUGFS + de = &pinfo->dentries; + de->dir = debugfs_create_dir("rc80211_pid", diff --git a/queue-2.6.27/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch b/queue-2.6.27/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch new file mode 100644 index 00000000000..e0ec72c614f --- /dev/null +++ b/queue-2.6.27/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch @@ -0,0 +1,169 @@ +From f83a275dbc5ca1721143698e844243fcadfabf6a Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 28 May 2009 14:34:40 -0700 +Subject: mm: account for MAP_SHARED mappings using VM_MAYSHARE and not VM_SHARED in hugetlbfs + +From: Mel Gorman + +commit f83a275dbc5ca1721143698e844243fcadfabf6a upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +hugetlbfs reserves huge pages but does not fault them at mmap() time to +ensure that future faults succeed. The reservation behaviour differs +depending on whether the mapping was mapped MAP_SHARED or MAP_PRIVATE. +For MAP_SHARED mappings, hugepages are reserved when mmap() is first +called and are tracked based on information associated with the inode. +Other processes mapping MAP_SHARED use the same reservation. MAP_PRIVATE +track the reservations based on the VMA created as part of the mmap() +operation. Each process mapping MAP_PRIVATE must make its own +reservation. + +hugetlbfs currently checks if a VMA is MAP_SHARED with the VM_SHARED flag +and not VM_MAYSHARE. For file-backed mappings, such as hugetlbfs, +VM_SHARED is set only if the mapping is MAP_SHARED and the file was opened +read-write. If a shared memory mapping was mapped shared-read-write for +populating of data and mapped shared-read-only by other processes, then +hugetlbfs would account for the mapping as if it was MAP_PRIVATE. This +causes processes to fail to map the file MAP_SHARED even though it should +succeed as the reservation is there. + +This patch alters mm/hugetlb.c and replaces VM_SHARED with VM_MAYSHARE +when the intent of the code was to check whether the VMA was mapped +MAP_SHARED or MAP_PRIVATE. + +Signed-off-by: Mel Gorman +Cc: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -286,7 +286,7 @@ void resv_map_release(struct kref *ref) + static struct resv_map *vma_resv_map(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + return (struct resv_map *)(get_vma_private_data(vma) & + ~HPAGE_RESV_MASK); + return 0; +@@ -295,7 +295,7 @@ static struct resv_map *vma_resv_map(str + static void set_vma_resv_map(struct vm_area_struct *vma, struct resv_map *map) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, (get_vma_private_data(vma) & + HPAGE_RESV_MASK) | (unsigned long)map); +@@ -304,7 +304,7 @@ static void set_vma_resv_map(struct vm_a + static void set_vma_resv_flags(struct vm_area_struct *vma, unsigned long flags) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, get_vma_private_data(vma) | flags); + } +@@ -323,7 +323,7 @@ static void decrement_hugepage_resv_vma( + if (vma->vm_flags & VM_NORESERVE) + return; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + /* Shared mappings always use reserves */ + h->resv_huge_pages--; + } else if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) { +@@ -339,14 +339,14 @@ static void decrement_hugepage_resv_vma( + void reset_vma_resv_huge_pages(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + vma->vm_private_data = (void *)0; + } + + /* Returns true if the VMA has associated reserve pages */ + static int vma_has_reserves(struct vm_area_struct *vma) + { +- if (vma->vm_flags & VM_SHARED) ++ if (vma->vm_flags & VM_MAYSHARE) + return 1; + if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) + return 1; +@@ -890,7 +890,7 @@ static int vma_needs_reservation(struct + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + return region_chg(&inode->i_mapping->private_list, + idx, idx + 1); +@@ -915,7 +915,7 @@ static void vma_commit_reservation(struc + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + region_add(&inode->i_mapping->private_list, idx, idx + 1); + +@@ -1862,7 +1862,7 @@ retry_avoidcopy: + * at the time of fork() could consume its reserves on COW instead + * of the full address range. + */ +- if (!(vma->vm_flags & VM_SHARED) && ++ if (!(vma->vm_flags & VM_MAYSHARE) && + is_vma_resv_set(vma, HPAGE_RESV_OWNER) && + old_page != pagecache_page) + outside_reserve = 1; +@@ -1969,7 +1969,7 @@ retry: + clear_huge_page(page, address, huge_page_size(h)); + __SetPageUptodate(page); + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + int err; + struct inode *inode = mapping->host; + +@@ -2073,7 +2073,7 @@ int hugetlb_fault(struct mm_struct *mm, + goto out_unlock; + } + +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + pagecache_page = hugetlbfs_pagecache_page(h, + vma, address); + } +@@ -2223,7 +2223,7 @@ int hugetlb_reserve_pages(struct inode * + * to reserve the full area even if read-only as mprotect() may be + * called to make the mapping read-write. Assume !vma is a shm mapping + */ +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + chg = region_chg(&inode->i_mapping->private_list, from, to); + else { + struct resv_map *resv_map = resv_map_alloc(); +@@ -2246,7 +2246,7 @@ int hugetlb_reserve_pages(struct inode * + hugetlb_put_quota(inode->i_mapping, chg); + return ret; + } +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + region_add(&inode->i_mapping->private_list, from, to); + return 0; + } diff --git a/queue-2.6.27/random-make-get_random_int-more-random.patch b/queue-2.6.27/random-make-get_random_int-more-random.patch new file mode 100644 index 00000000000..c2e62bd8e7d --- /dev/null +++ b/queue-2.6.27/random-make-get_random_int-more-random.patch @@ -0,0 +1,72 @@ +From 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 5 May 2009 08:17:43 -0700 +Subject: random: make get_random_int() more random + +From: Linus Torvalds + +commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 upstream. + +It's a really simple patch that basically just open-codes the current +"secure_ip_id()" call, but when open-coding it we now use a _static_ +hashing area, so that it gets updated every time. + +And to make sure somebody can't just start from the same original seed of +all-zeroes, and then do the "half_md4_transform()" over and over until +they get the same sequence as the kernel has, each iteration also mixes in +the same old "current->pid + jiffies" we used - so we should now have a +regular strong pseudo-number generator, but we also have one that doesn't +have a single seed. + +Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It +has no real meaning. It could be anything. I just picked the previous +seed, it's just that now we keep the state in between calls and that will +feed into the next result, and that should make all the difference. + +I made that hash be a per-cpu data just to avoid cache-line ping-pong: +having multiple CPU's write to the same data would be fine for randomness, +and add yet another layer of chaos to it, but since get_random_int() is +supposed to be a fast interface I did it that way instead. I considered +using "__raw_get_cpu_var()" to avoid any preemption overhead while still +getting the hash be _mostly_ ping-pong free, but in the end good taste won +out. + +Signed-off-by: Ingo Molnar +Signed-off-by: Linus Torvalds +Cc: Jake Edge +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1626,15 +1626,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ ++DEFINE_PER_CPU(__u32 [4], get_random_int_hash); + unsigned int get_random_int(void) + { +- /* +- * Use IP's RNG. It suits our purpose perfectly: it re-keys itself +- * every second, from the entropy pool (and thus creates a limited +- * drain on it), and uses halfMD4Transform within the second. We +- * also mix it with jiffies and the PID: +- */ +- return secure_ip_id((__force __be32)(current->pid + jiffies)); ++ struct keydata *keyptr; ++ __u32 *hash = get_cpu_var(get_random_int_hash); ++ int ret; ++ ++ keyptr = get_keyptr(); ++ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret; ++ ++ ret = half_md4_transform(hash, keyptr->secret); ++ put_cpu_var(get_random_int_hash); ++ ++ return ret; + } + + /* diff --git a/queue-2.6.27/selinux-bug-in-selinux-compat_net-code.patch b/queue-2.6.27/selinux-bug-in-selinux-compat_net-code.patch new file mode 100644 index 00000000000..bf8ca7369b2 --- /dev/null +++ b/queue-2.6.27/selinux-bug-in-selinux-compat_net-code.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:08:36 2009 +From: Eric Paris +Date: Mon, 01 Jun 2009 10:21:05 -0400 +Subject: SELinux: BUG in SELinux compat_net code +To: stable@kernel.org +Message-ID: <1243866065.3050.7.camel@dhcp231-142.rdu.redhat.com> + +From: Eric Paris + +This patch is not applicable to Linus's tree as the code in question has +been removed for 2.6.30. I'm sending in case any of the stable +maintainers would like to push to their branches (which I think anything +pre 2.6.30 would like to do). + +Ubuntu users were experiencing a kernel panic when they enabled SELinux +due to an old bug in our handling of the compatibility mode network +controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e +Most distros have not used the compat_net code since the new code was +introduced and so noone has hit this problem before. Ubuntu is the only +distro I know that enabled that legacy cruft by default. But, I was ask +to look at it and found that the above patch changed a call to +avc_has_perm from if(send_perm) to if(!send_perm) in +selinux_ip_postroute_iptables_compat(). The result is that users who +turn on SELinux and have compat_net set can (and oftern will) BUG() in +avc_has_perm_noaudit since they are requesting 0 permissions. + +This patch corrects that accidental bug introduction. + +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4477,7 +4477,7 @@ static int selinux_ip_postroute_iptables + if (err) + return err; + +- if (send_perm != 0) ++ if (!send_perm) + return 0; + + err = sel_netport_sid(sk->sk_protocol, diff --git a/queue-2.6.27/series b/queue-2.6.27/series index 430b4fd886a..32474d68027 100644 --- a/queue-2.6.27/series +++ b/queue-2.6.27/series @@ -15,3 +15,21 @@ pktgen-do-not-access-flows-beyond-its-length.patch net-fix-skb_seq_read-returning-wrong-offset-length-for-page-frag-data.patch tcp-fix-2-iw-selection.patch x86-work-around-fedora-11-x86-32-kernel-failures-on-intel-atom-cpus.patch +3w-xxxx-scsi_dma_unmap-fix.patch +bnx2-fix-panic-in-bnx2_poll_work.patch +cpuidle-fix-amd-c1e-suspend-hang.patch +cpuidle-make-amc-c1e-work-in-processor_idle.patch +drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch +e1000-add-missing-length-check-to-e1000-receive-routine.patch +hwmon-add-missing-__devexit_p.patch +igb-fix-lro-warning.patch +mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch +random-make-get_random_int-more-random.patch +selinux-bug-in-selinux-compat_net-code.patch +sound-usb-audio-make-the-motu-fastlane-work-again.patch +usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch +x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch +x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch +v4l-dvb-cx88-prevent-general-protection-fault-on-rmmod.patch +x86-fix-dmi-on-efi.patch +mac80211-pid-fix-memory-corruption.patch diff --git a/queue-2.6.27/sound-usb-audio-make-the-motu-fastlane-work-again.patch b/queue-2.6.27/sound-usb-audio-make-the-motu-fastlane-work-again.patch new file mode 100644 index 00000000000..9eb1546c351 --- /dev/null +++ b/queue-2.6.27/sound-usb-audio-make-the-motu-fastlane-work-again.patch @@ -0,0 +1,82 @@ +From 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c Mon Sep 17 00:00:00 2001 +From: Clemens Ladisch +Date: Wed, 27 May 2009 10:49:30 +0200 +Subject: sound: usb-audio: make the MotU Fastlane work again + +From: Clemens Ladisch + +commit 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c upstream. + +Kernel 2.6.18 broke the MotU Fastlane, which uses duplicate endpoint +numbers in a manner that is not only illegal but also confuses the +kernel's endpoint descriptor caching mechanism. To work around this, we +have to add a separate usb_set_interface() call to guide the USB core to +the correct descriptors. + +Signed-off-by: Clemens Ladisch +Reported-and-tested-by: David Fries +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usbaudio.c | 2 +- + sound/usb/usbaudio.h | 2 +- + sound/usb/usbmidi.c | 12 +++++++++++- + sound/usb/usbquirks.h | 2 +- + 4 files changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/usb/usbaudio.c ++++ b/sound/usb/usbaudio.c +@@ -3367,7 +3367,7 @@ static int snd_usb_create_quirk(struct s + [QUIRK_MIDI_YAMAHA] = snd_usb_create_midi_interface, + [QUIRK_MIDI_MIDIMAN] = snd_usb_create_midi_interface, + [QUIRK_MIDI_NOVATION] = snd_usb_create_midi_interface, +- [QUIRK_MIDI_RAW] = snd_usb_create_midi_interface, ++ [QUIRK_MIDI_FASTLANE] = snd_usb_create_midi_interface, + [QUIRK_MIDI_EMAGIC] = snd_usb_create_midi_interface, + [QUIRK_MIDI_CME] = snd_usb_create_midi_interface, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -153,7 +153,7 @@ enum quirk_type { + QUIRK_MIDI_YAMAHA, + QUIRK_MIDI_MIDIMAN, + QUIRK_MIDI_NOVATION, +- QUIRK_MIDI_RAW, ++ QUIRK_MIDI_FASTLANE, + QUIRK_MIDI_EMAGIC, + QUIRK_MIDI_CME, + QUIRK_AUDIO_STANDARD_INTERFACE, +--- a/sound/usb/usbmidi.c ++++ b/sound/usb/usbmidi.c +@@ -1733,8 +1733,18 @@ int snd_usb_create_midi_interface(struct + umidi->usb_protocol_ops = &snd_usbmidi_novation_ops; + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; +- case QUIRK_MIDI_RAW: ++ case QUIRK_MIDI_FASTLANE: + umidi->usb_protocol_ops = &snd_usbmidi_raw_ops; ++ /* ++ * Interface 1 contains isochronous endpoints, but with the same ++ * numbers as in interface 0. Since it is interface 1 that the ++ * USB core has most recently seen, these descriptors are now ++ * associated with the endpoint numbers. This will foul up our ++ * attempts to submit bulk/interrupt URBs to the endpoints in ++ * interface 0, so we have to make sure that the USB core looks ++ * again at interface 0 by calling usb_set_interface() on it. ++ */ ++ usb_set_interface(umidi->chip->dev, 0, 0); + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; + case QUIRK_MIDI_EMAGIC: +--- a/sound/usb/usbquirks.h ++++ b/sound/usb/usbquirks.h +@@ -1756,7 +1756,7 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .data = & (const struct snd_usb_audio_quirk[]) { + { + .ifnum = 0, +- .type = QUIRK_MIDI_RAW ++ .type = QUIRK_MIDI_FASTLANE + }, + { + .ifnum = 1, diff --git a/queue-2.6.27/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch b/queue-2.6.27/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch new file mode 100644 index 00000000000..cfdd87bb3b6 --- /dev/null +++ b/queue-2.6.27/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch @@ -0,0 +1,100 @@ +From 0afb20e00b5053170c85298fed842b32d20b4ea9 Mon Sep 17 00:00:00 2001 +From: Warren Free +Date: Fri, 8 May 2009 10:27:08 +0200 +Subject: USB: isp1760: urb_dequeue doesn't always find the urbs + +From: Warren Free + +commit 0afb20e00b5053170c85298fed842b32d20b4ea9 upstream. + +The option driver (and presumably others) allocates several URBs when it +opens and tries to free them when it closes. The isp1760_urb_dequeue +function gets called, but the packet being dequeued is not necessarily at +the +front of one of the 32 queues. If not, the isp1760_urb_done function doesn't +get called for the URB and the process trying to free it hangs forever on a +wait_queue. This patch does two things. If the URB being dequeued has others +queued behind it, it re-queues them. And it searches the queues looking for +the URB being dequeued rather than just looking at the one at the front of +the queue. + +[bigeasy@linutronix] whitespace fixes, reformating + +Signed-off-by: Warren Free +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/isp1760-hcd.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/isp1760-hcd.c ++++ b/drivers/usb/host/isp1760-hcd.c +@@ -1645,6 +1645,7 @@ static int isp1760_urb_dequeue(struct us + u32 reg_base, or_reg, skip_reg; + unsigned long flags; + struct ptd ptd; ++ packet_enqueue *pe; + + switch (usb_pipetype(urb->pipe)) { + case PIPE_ISOCHRONOUS: +@@ -1656,6 +1657,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = INT_REGS_OFFSET; + or_reg = HC_INT_IRQ_MASK_OR_REG; + skip_reg = HC_INT_PTD_SKIPMAP_REG; ++ pe = enqueue_an_INT_packet; + break; + + default: +@@ -1663,6 +1665,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = ATL_REGS_OFFSET; + or_reg = HC_ATL_IRQ_MASK_OR_REG; + skip_reg = HC_ATL_PTD_SKIPMAP_REG; ++ pe = enqueue_an_ATL_packet; + break; + } + +@@ -1674,6 +1677,7 @@ static int isp1760_urb_dequeue(struct us + u32 skip_map; + u32 or_map; + struct isp1760_qtd *qtd; ++ struct isp1760_qh *qh = ints->qh; + + skip_map = isp1760_readl(hcd->regs + skip_reg); + skip_map |= 1 << i; +@@ -1686,8 +1690,7 @@ static int isp1760_urb_dequeue(struct us + priv_write_copy(priv, (u32 *)&ptd, hcd->regs + reg_base + + i * sizeof(ptd), sizeof(ptd)); + qtd = ints->qtd; +- +- clean_up_qtdlist(qtd); ++ qtd = clean_up_qtdlist(qtd); + + free_mem(priv, ints->payload); + +@@ -1698,7 +1701,24 @@ static int isp1760_urb_dequeue(struct us + ints->payload = 0; + + isp1760_urb_done(priv, urb, status); ++ if (qtd) ++ pe(hcd, qh, qtd); + break; ++ ++ } else if (ints->qtd) { ++ struct isp1760_qtd *qtd, *prev_qtd = ints->qtd; ++ ++ for (qtd = ints->qtd->hw_next; qtd; qtd = qtd->hw_next) { ++ if (qtd->urb == urb) { ++ prev_qtd->hw_next = clean_up_qtdlist(qtd); ++ isp1760_urb_done(priv, urb, status); ++ break; ++ } ++ prev_qtd = qtd; ++ } ++ /* we found the urb before the end of the list */ ++ if (qtd) ++ break; + } + ints++; + } diff --git a/queue-2.6.27/v4l-dvb-cx88-prevent-general-protection-fault-on-rmmod.patch b/queue-2.6.27/v4l-dvb-cx88-prevent-general-protection-fault-on-rmmod.patch new file mode 100644 index 00000000000..7c0b60ae19e --- /dev/null +++ b/queue-2.6.27/v4l-dvb-cx88-prevent-general-protection-fault-on-rmmod.patch @@ -0,0 +1,83 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:44:43 2009 +From: Jean Delvare +Date: Tue, 2 Jun 2009 14:33:47 +0200 +Subject: V4L/DVB (10943): cx88: Prevent general protection fault on rmmod +To: stable@kernel.org +Message-ID: <20090602143347.0726490b@hyperion.delvare> + + +From: Jean Delvare + +commit 569b7ec73abf576f9a9e4070d213aadf2cce73cb upstream. + +V4L/DVB (10943): cx88: Prevent general protection fault on rmmod + +When unloading the cx8800 driver I sometimes get a general protection +fault. Analysis revealed a race in cx88_ir_stop(). It can be solved by +using a delayed work instead of a timer for infrared input polling. + +Signed-off-by: Jean Delvare +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx88/cx88-input.c | 25 +++++++------------------ + 1 file changed, 7 insertions(+), 18 deletions(-) + +--- a/drivers/media/video/cx88/cx88-input.c ++++ b/drivers/media/video/cx88/cx88-input.c +@@ -48,8 +48,7 @@ struct cx88_IR { + + /* poll external decoder */ + int polling; +- struct work_struct work; +- struct timer_list timer; ++ struct delayed_work work; + u32 gpio_addr; + u32 last_gpio; + u32 mask_keycode; +@@ -143,27 +142,19 @@ static void cx88_ir_handle_key(struct cx + } + } + +-static void ir_timer(unsigned long data) +-{ +- struct cx88_IR *ir = (struct cx88_IR *)data; +- +- schedule_work(&ir->work); +-} +- + static void cx88_ir_work(struct work_struct *work) + { +- struct cx88_IR *ir = container_of(work, struct cx88_IR, work); ++ struct cx88_IR *ir = container_of(work, struct cx88_IR, work.work); + + cx88_ir_handle_key(ir); +- mod_timer(&ir->timer, jiffies + msecs_to_jiffies(ir->polling)); ++ schedule_delayed_work(&ir->work, msecs_to_jiffies(ir->polling)); + } + + void cx88_ir_start(struct cx88_core *core, struct cx88_IR *ir) + { + if (ir->polling) { +- setup_timer(&ir->timer, ir_timer, (unsigned long)ir); +- INIT_WORK(&ir->work, cx88_ir_work); +- schedule_work(&ir->work); ++ INIT_DELAYED_WORK(&ir->work, cx88_ir_work); ++ schedule_delayed_work(&ir->work, 0); + } + if (ir->sampling) { + core->pci_irqmask |= PCI_INT_IR_SMPINT; +@@ -179,10 +170,8 @@ void cx88_ir_stop(struct cx88_core *core + core->pci_irqmask &= ~PCI_INT_IR_SMPINT; + } + +- if (ir->polling) { +- del_timer_sync(&ir->timer); +- flush_scheduled_work(); +- } ++ if (ir->polling) ++ cancel_delayed_work_sync(&ir->work); + } + + /* ---------------------------------------------------------------------- */ diff --git a/queue-2.6.27/x86-fix-dmi-on-efi.patch b/queue-2.6.27/x86-fix-dmi-on-efi.patch new file mode 100644 index 00000000000..c6f224b60ac --- /dev/null +++ b/queue-2.6.27/x86-fix-dmi-on-efi.patch @@ -0,0 +1,53 @@ +From ff0c0874905fb312ca1491bbdac2653b0b48c20b Mon Sep 17 00:00:00 2001 +From: Brian Maly +Date: Tue, 3 Mar 2009 21:55:31 -0500 +Subject: x86: fix DMI on EFI + +From: Brian Maly + +commit ff0c0874905fb312ca1491bbdac2653b0b48c20b upstream. + +Impact: reactivate DMI quirks on EFI hardware + +DMI tables are loaded by EFI, so the dmi calls must happen after +efi_init() and not before. + +Currently Apple hardware uses DMI to determine the framebuffer mappings +for efifb. Without DMI working you also have no video on MacBook Pro. + +This patch resolves the DMI issue for EFI hardware (DMI is now properly +detected at boot), and additionally efifb now loads on Apple hardware +(i.e. video works). + +Signed-off-by: Brian Maly +Acked-by: Yinghai Lu +Cc: ying.huang@intel.com +LKML-Reference: <49ADEDA3.1030406@redhat.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/setup.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -730,6 +730,9 @@ void __init setup_arch(char **cmdline_p) + + finish_e820_parsing(); + ++ if (efi_enabled) ++ efi_init(); ++ + dmi_scan_machine(); + + dmi_check_system(bad_bios_dmi_table); +@@ -743,8 +746,6 @@ void __init setup_arch(char **cmdline_p) + insert_resource(&iomem_resource, &data_resource); + insert_resource(&iomem_resource, &bss_resource); + +- if (efi_enabled) +- efi_init(); + + #ifdef CONFIG_X86_32 + if (ppro_with_ram_bug()) { diff --git a/queue-2.6.27/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch b/queue-2.6.27/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch new file mode 100644 index 00000000000..cb5f79f8d49 --- /dev/null +++ b/queue-2.6.27/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch @@ -0,0 +1,71 @@ +From 32b154c0b0bae2879bf4e549d861caf1759a3546 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 28 May 2009 14:34:37 -0700 +Subject: x86: ignore VM_LOCKED when determining if hugetlb-backed page tables can be shared or not + +From: Mel Gorman + +commit 32b154c0b0bae2879bf4e549d861caf1759a3546 upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +On x86 and x86-64, it is possible that page tables are shared beween +shared mappings backed by hugetlbfs. As part of this, +page_table_shareable() checks a pair of vma->vm_flags and they must match +if they are to be shared. All VMA flags are taken into account, including +VM_LOCKED. + +The problem is that VM_LOCKED is cleared on fork(). When a process with a +shared memory segment forks() to exec() a helper, there will be shared +VMAs with different flags. The impact is that the shared segment is +sometimes considered shareable and other times not, depending on what +process is checking. + +What happens is that the segment page tables are being shared but the +count is inaccurate depending on the ordering of events. As the page +tables are freed with put_page(), bad pmd's are found when some of the +children exit. The hugepage counters also get corrupted and the Total and +Free count will no longer match even when all the hugepage-backed regions +are freed. This requires a reboot of the machine to "fix". + +This patch addresses the problem by comparing all flags except VM_LOCKED +when deciding if pagetables should be shared or not for hugetlbfs-backed +mapping. + +Signed-off-by: Mel Gorman +Acked-by: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/hugetlbpage.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/hugetlbpage.c ++++ b/arch/x86/mm/hugetlbpage.c +@@ -26,12 +26,16 @@ static unsigned long page_table_shareabl + unsigned long sbase = saddr & PUD_MASK; + unsigned long s_end = sbase + PUD_SIZE; + ++ /* Allow segments to share if only one is marked locked */ ++ unsigned long vm_flags = vma->vm_flags & ~VM_LOCKED; ++ unsigned long svm_flags = svma->vm_flags & ~VM_LOCKED; ++ + /* + * match the virtual addresses, permission and the alignment of the + * page table page. + */ + if (pmd_index(addr) != pmd_index(saddr) || +- vma->vm_flags != svma->vm_flags || ++ vm_flags != svm_flags || + sbase < svma->vm_start || svma->vm_end < s_end) + return 0; + diff --git a/queue-2.6.27/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch b/queue-2.6.27/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch new file mode 100644 index 00000000000..95cb26fca47 --- /dev/null +++ b/queue-2.6.27/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch @@ -0,0 +1,68 @@ +From 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Wed, 3 Jun 2009 00:13:13 -0700 +Subject: x86/pci: fix mmconfig detection with 32bit near 4g + +From: Yinghai Lu + +commit 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 upstream. + +Pascal reported and bisected a commit: +| x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case + +which broke one system system. + +ACPI: Using IOAPIC for interrupt routing +PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255 +PCI: MCFG area at f0000000 reserved in ACPI motherboard resources +PCI: Using MMCONFIG for extended config space + +it didn't have +PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63 +anymore, and try to use 0xf000000 - 0xffffffff for mmconfig + +For 32bit, mcfg_res->end could be 32bit only (if 64 resources aren't used) +So use end - 1 to pass the value in mcfg->end to avoid overflow. + +We don't need to worry about the e820 path, they are always 64 bit. + +Reported-by: Pascal Terjan +Bisected-by: Pascal Terjan +Tested-by: Pascal Terjan +Signed-off-by: Yinghai Lu +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/mmconfig-shared.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/pci/mmconfig-shared.c ++++ b/arch/x86/pci/mmconfig-shared.c +@@ -255,7 +255,7 @@ static acpi_status __init check_mcfg_res + if (!fixmem32) + return AE_OK; + if ((mcfg_res->start >= fixmem32->address) && +- (mcfg_res->end <= (fixmem32->address + ++ (mcfg_res->end < (fixmem32->address + + fixmem32->address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; +@@ -272,7 +272,7 @@ static acpi_status __init check_mcfg_res + return AE_OK; + + if ((mcfg_res->start >= address.minimum) && +- (mcfg_res->end <= (address.minimum + address.address_length))) { ++ (mcfg_res->end < (address.minimum + address.address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; + } +@@ -298,7 +298,7 @@ static int __init is_acpi_reserved(u64 s + struct resource mcfg_res; + + mcfg_res.start = start; +- mcfg_res.end = end; ++ mcfg_res.end = end - 1; + mcfg_res.flags = 0; + + acpi_get_devices("PNP0C01", find_mboard_resource, &mcfg_res, NULL);