From: Greg Kroah-Hartman Date: Tue, 9 Jun 2009 08:31:13 +0000 (-0700) Subject: lots of .29 patches X-Git-Tag: v2.6.27.25~12 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b2433954141e6f8e17bd9ef74c210a464a8b5d95;p=thirdparty%2Fkernel%2Fstable-queue.git lots of .29 patches --- diff --git a/queue-2.6.29/3w-xxxx-scsi_dma_unmap-fix.patch b/queue-2.6.29/3w-xxxx-scsi_dma_unmap-fix.patch new file mode 100644 index 00000000000..7fc5dcabe39 --- /dev/null +++ b/queue-2.6.29/3w-xxxx-scsi_dma_unmap-fix.patch @@ -0,0 +1,60 @@ +From 7b14f58ad65f9d74e4273fb45360cfea824495aa Mon Sep 17 00:00:00 2001 +From: adam radford +Date: Mon, 11 May 2009 14:55:55 -0700 +Subject: [SCSI] 3w-xxxx: scsi_dma_unmap fix + +From: adam radford + +commit 7b14f58ad65f9d74e4273fb45360cfea824495aa upstream. + +This patch fixes the following regression that occurred during the +scsi_dma_map()/unmap() +changes when compiling with CONFIG_DMA_API_DEBUG=y : + +WARNING: at lib/dma-debug.c:496 check_unmap+0x142/0x542() +Hardware name: +3w-xxxx 0000:02:02.0: DMA-API: device driver tries to free DMA memory +it has not allocated [device address=0x0000000000000000] [size=36 +bytes] + +Signed-off-by: Adam Radford +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/3w-xxxx.c | 5 +++-- + drivers/scsi/3w-xxxx.h | 2 +- + 2 files changed, 4 insertions(+), 3 deletions(-) + +--- a/drivers/scsi/3w-xxxx.c ++++ b/drivers/scsi/3w-xxxx.c +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick +@@ -1294,7 +1294,8 @@ static void tw_unmap_scsi_data(struct pc + { + dprintk(KERN_WARNING "3w-xxxx: tw_unmap_scsi_data()\n"); + +- scsi_dma_unmap(cmd); ++ if (cmd->SCp.phase == TW_PHASE_SGLIST) ++ scsi_dma_unmap(cmd); + } /* End tw_unmap_scsi_data() */ + + /* This function will reset a device extension */ +--- a/drivers/scsi/3w-xxxx.h ++++ b/drivers/scsi/3w-xxxx.h +@@ -6,7 +6,7 @@ + Arnaldo Carvalho de Melo + Brad Strand + +- Copyright (C) 1999-2007 3ware Inc. ++ Copyright (C) 1999-2009 3ware Inc. + + Kernel compatiblity By: Andre Hedrick + Non-Copyright (C) 2000 Andre Hedrick diff --git a/queue-2.6.29/bnx2-fix-panic-in-bnx2_poll_work.patch b/queue-2.6.29/bnx2-fix-panic-in-bnx2_poll_work.patch new file mode 100644 index 00000000000..0e884de0e43 --- /dev/null +++ b/queue-2.6.29/bnx2-fix-panic-in-bnx2_poll_work.patch @@ -0,0 +1,62 @@ +From 581daf7e00c5e766f26aff80a61a860a17b0d75a Mon Sep 17 00:00:00 2001 +From: Michael Chan +Date: Wed, 6 May 2009 16:46:47 -0700 +Subject: bnx2: Fix panic in bnx2_poll_work(). + +From: Michael Chan + +commit 581daf7e00c5e766f26aff80a61a860a17b0d75a upstream. + +Add barrier() to bnx2_get_hw_{tx|rx}_cons() to fix this issue: + +http://bugzilla.kernel.org/show_bug.cgi?id=12698 + +This issue was reported by multiple i386 users. Without barrier(), +the compiled code looks like the following where %eax contains the +address of the tx_cons or rx_cons in the DMA status block. The +status block contents can change between the cmpb and the movzwl +instruction. The driver would crash if the value was not 0xff during +the cmpb instruction, but changed to 0xff during the movzwl +instruction. + +6828: 80 38 ff cmpb $0xff,(%eax) +682b: 0f b7 10 movzwl (%eax),%edx + +With the added barrier(), the compiled code now looks correct: + +683d: 0f b7 10 movzwl (%eax),%edx +6840: 0f b6 c2 movzbl %dl,%eax +6843: 3d ff 00 00 00 cmp $0xff,%eax + +Thanks to Pascal de Bruijn for reporting the +problem and Holger Noefer for patiently +testing test patches for us. + +[greg - took out version change] + +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/bnx2.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/bnx2.c ++++ b/drivers/net/bnx2.c +@@ -2585,6 +2585,7 @@ bnx2_get_hw_tx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_tx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_TX_DESC_CNT) == MAX_TX_DESC_CNT)) + cons++; + return cons; +@@ -2864,6 +2865,7 @@ bnx2_get_hw_rx_cons(struct bnx2_napi *bn + /* Tell compiler that status block fields can change. */ + barrier(); + cons = *bnapi->hw_rx_cons_ptr; ++ barrier(); + if (unlikely((cons & MAX_RX_DESC_CNT) == MAX_RX_DESC_CNT)) + cons++; + return cons; diff --git a/queue-2.6.29/cpuidle-fix-amd-c1e-suspend-hang.patch b/queue-2.6.29/cpuidle-fix-amd-c1e-suspend-hang.patch new file mode 100644 index 00000000000..0d173ce7d66 --- /dev/null +++ b/queue-2.6.29/cpuidle-fix-amd-c1e-suspend-hang.patch @@ -0,0 +1,38 @@ +From 7d60e8ab0d5507229dfbdf456501cc378610fa01 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Tue, 19 May 2009 16:09:54 +0800 +Subject: cpuidle: fix AMD C1E suspend hang + +From: Shaohua Li + +commit 7d60e8ab0d5507229dfbdf456501cc378610fa01 upstream. + +When AMD C1E is enabled, local APIC timer will stop even in C1. To avoid +suspend/resume hang, this patch removes C1 and replace it with a cpu_relax() in +suspend/resume path. This hasn't any impact in runtime path. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid suspend/resume hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -870,8 +870,8 @@ static int acpi_idle_enter_c1(struct cpu + + /* Do not access any ACPI IO ports in suspend path */ + if (acpi_idle_suspend) { +- acpi_safe_halt(); + local_irq_enable(); ++ cpu_relax(); + return 0; + } + diff --git a/queue-2.6.29/cpuidle-make-amc-c1e-work-in-processor_idle.patch b/queue-2.6.29/cpuidle-make-amc-c1e-work-in-processor_idle.patch new file mode 100644 index 00000000000..1aa1e1bdd63 --- /dev/null +++ b/queue-2.6.29/cpuidle-make-amc-c1e-work-in-processor_idle.patch @@ -0,0 +1,64 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:03:56 2009 +From: Shaohua Li +Date: Tue, 2 Jun 2009 10:51:58 +0800 +Subject: cpuidle: make AMC C1E work in processor_idle +To: stable@kernel.org +Cc: linux-acpi@vger.kernel.org, lenb@kernel.org +Message-ID: <20090602025158.GA21337@sli10-desk.sh.intel.com> +Content-Disposition: inline + +From: Shaohua Li + +commit 87ad57bacb25c3f24c54f142ef445f68277705f0 upstream + +When AMD C1E is enabled, local APIC timer will stop even in C1. This patch uses +broadcast ipi to replace local APIC timer in C1. + +http://bugzilla.kernel.org/show_bug.cgi?id=13233 + +[ impact: avoid boot hang in AMD CPU with C1E enabled ] + +Tested-by: Dmitry Lyzhyn +Signed-off-by: Shaohua Li +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/processor_idle.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/acpi/processor_idle.c ++++ b/drivers/acpi/processor_idle.c +@@ -212,6 +212,9 @@ static void acpi_timer_check_state(int s + struct acpi_processor_power *pwr = &pr->power; + u8 type = local_apic_timer_c2_ok ? ACPI_STATE_C3 : ACPI_STATE_C2; + ++ if (boot_cpu_has(X86_FEATURE_AMDC1E)) ++ type = ACPI_STATE_C1; ++ + /* + * Check, if one of the previous states already marked the lapic + * unstable +@@ -648,6 +651,7 @@ static int acpi_processor_power_verify(s + switch (cx->type) { + case ACPI_STATE_C1: + cx->valid = 1; ++ acpi_timer_check_state(i, pr, cx); + break; + + case ACPI_STATE_C2: +@@ -871,12 +875,14 @@ static int acpi_idle_enter_c1(struct cpu + return 0; + } + ++ acpi_state_timer_broadcast(pr, cx, 1); + t1 = inl(acpi_gbl_FADT.xpm_timer_block.address); + acpi_idle_do_entry(cx); + t2 = inl(acpi_gbl_FADT.xpm_timer_block.address); + + local_irq_enable(); + cx->usage++; ++ acpi_state_timer_broadcast(pr, cx, 0); + + return ticks_elapsed_in_us(t1, t2); + } diff --git a/queue-2.6.29/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch b/queue-2.6.29/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch new file mode 100644 index 00000000000..2e33047143f --- /dev/null +++ b/queue-2.6.29/drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch @@ -0,0 +1,36 @@ +From b898f4f869da5b9d41f297fff87aca4cd42d80b3 Mon Sep 17 00:00:00 2001 +From: Roel Kluin +Date: Thu, 28 May 2009 14:34:29 -0700 +Subject: drivers/serial/mpc52xx_uart.c: fix array overindexing check + +From: Roel Kluin + +commit b898f4f869da5b9d41f297fff87aca4cd42d80b3 upstream. + +The check for an overindexing of mpc52xx_uart_{ports,nodes} has an +off-by-one. + +Signed-off-by: Roel Kluin +Acked-by: Wolfram Sang +Acked-by: Grant Likely +Cc: Benjamin Herrenschmidt +Cc: Alan Cox +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/mpc52xx_uart.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/serial/mpc52xx_uart.c ++++ b/drivers/serial/mpc52xx_uart.c +@@ -988,7 +988,7 @@ mpc52xx_console_setup(struct console *co + pr_debug("mpc52xx_console_setup co=%p, co->index=%i, options=%s\n", + co, co->index, options); + +- if ((co->index < 0) || (co->index > MPC52xx_PSC_MAXNUM)) { ++ if ((co->index < 0) || (co->index >= MPC52xx_PSC_MAXNUM)) { + pr_debug("PSC%x out of range\n", co->index); + return -EINVAL; + } diff --git a/queue-2.6.29/e1000-add-missing-length-check-to-e1000-receive-routine.patch b/queue-2.6.29/e1000-add-missing-length-check-to-e1000-receive-routine.patch new file mode 100644 index 00000000000..53b90fed726 --- /dev/null +++ b/queue-2.6.29/e1000-add-missing-length-check-to-e1000-receive-routine.patch @@ -0,0 +1,48 @@ +From ea30e11970a96cfe5e32c03a29332554573b4a10 Mon Sep 17 00:00:00 2001 +From: Neil Horman +Date: Tue, 2 Jun 2009 01:29:58 -0700 +Subject: e1000: add missing length check to e1000 receive routine + +From: Neil Horman + +commit ea30e11970a96cfe5e32c03a29332554573b4a10 upstream. + + Patch to fix bad length checking in e1000. E1000 by default does two +things: + +1) Spans rx descriptors for packets that don't fit into 1 skb on recieve +2) Strips the crc from a frame by subtracting 4 bytes from the length prior to +doing an skb_put + +Since the e1000 driver isn't written to support receiving packets that span +multiple rx buffers, it checks the End of Packet bit of every frame, and +discards it if its not set. This places us in a situation where, if we have a +spanning packet, the first part is discarded, but the second part is not (since +it is the end of packet, and it passes the EOP bit test). If the second part of +the frame is small (4 bytes or less), we subtract 4 from it to remove its crc, +underflow the length, and wind up in skb_over_panic, when we try to skb_put a +huge number of bytes into the skb. This amounts to a remote DOS attack through +careful selection of frame size in relation to interface MTU. The fix for this +is already in the e1000e driver, as well as the e1000 sourceforge driver, but no +one ever pushed it to e1000. This is lifted straight from e1000e, and prevents +small frames from causing the underflow described above + +Signed-off-by: Neil Horman +Tested-by: Andy Gospodarek +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- a/drivers/net/e1000/e1000_main.c ++++ b/drivers/net/e1000/e1000_main.c +@@ -4027,8 +4027,9 @@ static bool e1000_clean_rx_irq(struct e1000_adapter *adapter, + PCI_DMA_FROMDEVICE); + + length = le16_to_cpu(rx_desc->length); +- +- if (unlikely(!(status & E1000_RXD_STAT_EOP))) { ++ /* !EOP means multiple descriptors were used to store a single ++ * packet, also make sure the frame isn't just CRC only */ ++ if (unlikely(!(status & E1000_RXD_STAT_EOP) || (length <= 4))) { + /* All receives must fit into a single buffer */ + E1000_DBG("%s: Receive packet consumed multiple" + " buffers\n", netdev->name); diff --git a/queue-2.6.29/hid-fix-dropped-device-specific-quirks.patch b/queue-2.6.29/hid-fix-dropped-device-specific-quirks.patch new file mode 100644 index 00000000000..8b8f5be5e83 --- /dev/null +++ b/queue-2.6.29/hid-fix-dropped-device-specific-quirks.patch @@ -0,0 +1,34 @@ +From f5208997087e6eb2096532b5a313eeb236535bdc Mon Sep 17 00:00:00 2001 +From: Zoltan Karcagi +Date: Wed, 6 May 2009 16:30:21 +0200 +Subject: HID: fix dropped device-specific quirks + +From: Zoltan Karcagi + +commit f5208997087e6eb2096532b5a313eeb236535bdc upstream. + +Device-specific quirks are set up correctly in their respective vendor-specific +driver, then get overwritten in usbhid_parse(). + +This is only issue for device-specific NOGET quirks being set by driver for a +few devices out there. + +Signed-off-by: Zoltan Karcagi +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/usbhid/hid-core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hid/usbhid/hid-core.c ++++ b/drivers/hid/usbhid/hid-core.c +@@ -765,7 +765,7 @@ static int usbhid_parse(struct hid_devic + goto err; + } + +- hid->quirks = quirks; ++ hid->quirks |= quirks; + + return 0; + err: diff --git a/queue-2.6.29/hwmon-add-missing-__devexit_p.patch b/queue-2.6.29/hwmon-add-missing-__devexit_p.patch new file mode 100644 index 00000000000..f51e7ac2d75 --- /dev/null +++ b/queue-2.6.29/hwmon-add-missing-__devexit_p.patch @@ -0,0 +1,33 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:01:58 2009 +From: Mike Frysinger +Date: Tue, 2 Jun 2009 14:22:49 +0200 +Subject: hwmon: (lm78) Add missing __devexit_p() +To: stable@kernel.org +Message-ID: <20090602142249.0ee4ea83@hyperion.delvare> + +From: Mike Frysinger + +commit 39d8bbedb9571a89d638f5b05358f26ab503d7a6 upstream. + +The remove function uses __devexit, so the .remove assignment needs +__devexit_p() to fix a build error with hotplug disabled. + +Signed-off-by: Mike Frysinger +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hwmon/lm78.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/hwmon/lm78.c ++++ b/drivers/hwmon/lm78.c +@@ -182,7 +182,7 @@ static struct platform_driver lm78_isa_d + .name = "lm78", + }, + .probe = lm78_isa_probe, +- .remove = lm78_isa_remove, ++ .remove = __devexit_p(lm78_isa_remove), + }; + + diff --git a/queue-2.6.29/ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch b/queue-2.6.29/ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch new file mode 100644 index 00000000000..0cc2350c074 --- /dev/null +++ b/queue-2.6.29/ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch @@ -0,0 +1,79 @@ +From 8369d5fa63260cc54464b4687aa6a0f78402d98e Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Fri, 22 May 2009 16:23:36 +0200 +Subject: ide: fix 40-wire cable detection for TSST SH-S202* ATAPI devices (v2) + +From: Bartlomiej Zolnierkiewicz + +commit 8369d5fa63260cc54464b4687aa6a0f78402d98e upstream. + +Since 2.6.26 we support UDMA66 on ATAPI devices requiring IVB quirk: + + commit 8588a2b732928b343233af9b1855705b8286bed4 + ("ide: add SH-S202J to ivb_list[]") + +We also later added support for more such devices in: + + commit e97564f362a93f8c248246c19828895950341252 + ("ide: More TSST drives with broken cable detection") + +and in: + + commit 3ced5c49bd2d1f2c7f769e3a54385883de63a652 + ("ide: add TSSTcorp CDDVDW SH-S202H to ivb_list[]") + +It turns out that such devices lack cable detection altogether +(which in turn results in incorrect detection of 40-wire cables +by our current cable detection strategy) so always handle them +by trusting host-side cable detection only. + +v2: +Model detection fixup from Martin. + +Reported-and-tested-by: Martin Lottermoser +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-iops.c | 21 +++++++++++++++++---- + 1 file changed, 17 insertions(+), 4 deletions(-) + +--- a/drivers/ide/ide-iops.c ++++ b/drivers/ide/ide-iops.c +@@ -587,8 +587,6 @@ EXPORT_SYMBOL_GPL(ide_in_drive_list); + + /* + * Early UDMA66 devices don't set bit14 to 1, only bit13 is valid. +- * We list them here and depend on the device side cable detection for them. +- * + * Some optical devices with the buggy firmwares have the same problem. + */ + static const struct drive_list_entry ivb_list[] = { +@@ -632,10 +630,25 @@ u8 eighty_ninty_three (ide_drive_t *driv + * - force bit13 (80c cable present) check also for !ivb devices + * (unless the slave device is pre-ATA3) + */ +- if ((id[ATA_ID_HW_CONFIG] & 0x4000) || +- (ivb && (id[ATA_ID_HW_CONFIG] & 0x2000))) ++ if (id[ATA_ID_HW_CONFIG] & 0x4000) + return 1; + ++ if (ivb) { ++ const char *model = (char *)&id[ATA_ID_PROD]; ++ ++ if (strstr(model, "TSSTcorp CDDVDW SH-S202")) { ++ /* ++ * These ATAPI devices always report 80c cable ++ * so we have to depend on the host in this case. ++ */ ++ if (hwif->cbl == ATA_CBL_PATA80) ++ return 1; ++ } else { ++ /* Depend on the device side cable detection. */ ++ if (id[ATA_ID_HW_CONFIG] & 0x2000) ++ return 1; ++ } ++ } + no_80w: + if (drive->dev_flags & IDE_DFLAG_UDMA33_WARNED) + return 0; diff --git a/queue-2.6.29/ide-fix-oops-during-ide-cd-error-recovery.patch b/queue-2.6.29/ide-fix-oops-during-ide-cd-error-recovery.patch new file mode 100644 index 00000000000..8bf8456c1dc --- /dev/null +++ b/queue-2.6.29/ide-fix-oops-during-ide-cd-error-recovery.patch @@ -0,0 +1,55 @@ +From e3b29f05124b07303088795396ff858811d2acb8 Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Fri, 22 May 2009 16:23:37 +0200 +Subject: ide: fix OOPS during ide-cd error recovery + +From: Bartlomiej Zolnierkiewicz + +commit e3b29f05124b07303088795396ff858811d2acb8 upstream. + +On Tuesday 19 May 2009 20:29:28 Martin Lottermoser wrote: + +> hdc: cdrom_decode_status: error=0x40 <3>{ LastFailedSense=0x04 } +> ide: failed opcode was: unknown +> hdc: DMA disabled +> ------------[ cut here ]------------ +> kernel BUG at drivers/ide/ide-io.c:872! + +It is possible for ide-cd to ignore ide_error()'s return value under +some circumstances. Workaround it in ide_intr() and ide_timer_expiry() +by checking if there is a device/port reset pending currently. + +Fixes bug #13345: + + http://bugzilla.kernel.org/show_bug.cgi?id=13345 + +Reported-by: Martin Lottermoser +Reported-and-tested-by: Modestas Vainius +Cc: Borislav Petkov +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-io.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/ide/ide-io.c ++++ b/drivers/ide/ide-io.c +@@ -967,7 +967,7 @@ void ide_timer_expiry (unsigned long dat + } + spin_lock_irq(&hwif->lock); + enable_irq(hwif->irq); +- if (startstop == ide_stopped) { ++ if (startstop == ide_stopped && hwif->polling == 0) { + ide_unlock_port(hwif); + plug_device = 1; + } +@@ -1145,7 +1145,7 @@ irqreturn_t ide_intr (int irq, void *dev + * same irq as is currently being serviced here, and Linux + * won't allow another of the same (on any CPU) until we return. + */ +- if (startstop == ide_stopped) { ++ if (startstop == ide_stopped && hwif->polling == 0) { + BUG_ON(hwif->handler); + ide_unlock_port(hwif); + plug_device = 1; diff --git a/queue-2.6.29/ide-tape-remove-back-to-back-request_sense-detection.patch b/queue-2.6.29/ide-tape-remove-back-to-back-request_sense-detection.patch new file mode 100644 index 00000000000..df2ae2516de --- /dev/null +++ b/queue-2.6.29/ide-tape-remove-back-to-back-request_sense-detection.patch @@ -0,0 +1,40 @@ +From 36999a5af1b6c5379e59f0ddf434db08d03c19e4 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Sun, 19 Apr 2009 07:00:41 +0900 +Subject: ide-tape: remove back-to-back REQUEST_SENSE detection + +From: Tejun Heo + +commit 36999a5af1b6c5379e59f0ddf434db08d03c19e4 upstream. + +Impact: fix an oops which always triggers + +ide_tape_issue_pc() assumed drive->pc isn't NULL on invocation when +checking for back-to-back request sense issues but drive->pc can be +NULL and even when it's not NULL, it's not safe to dereference it once +the previous command is complete because pc could have been freed or +was on stack. Kill back-to-back REQUEST_SENSE detection. + +Signed-off-by: Tejun Heo +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-tape.c | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/drivers/ide/ide-tape.c ++++ b/drivers/ide/ide-tape.c +@@ -654,12 +654,6 @@ static ide_startstop_t idetape_issue_pc( + { + idetape_tape_t *tape = drive->driver_data; + +- if (drive->pc->c[0] == REQUEST_SENSE && +- pc->c[0] == REQUEST_SENSE) { +- printk(KERN_ERR "ide-tape: possible ide-tape.c bug - " +- "Two request sense in serial were issued\n"); +- } +- + if (tape->failed_pc == NULL && pc->c[0] != REQUEST_SENSE) + tape->failed_pc = pc; + diff --git a/queue-2.6.29/ide_pci_generic-add-quirk-for-netcell-ata-raid.patch b/queue-2.6.29/ide_pci_generic-add-quirk-for-netcell-ata-raid.patch new file mode 100644 index 00000000000..6e3982e6ac1 --- /dev/null +++ b/queue-2.6.29/ide_pci_generic-add-quirk-for-netcell-ata-raid.patch @@ -0,0 +1,59 @@ +From c339dfdd65b52bfd947ab29d1210314a2f6d622d Mon Sep 17 00:00:00 2001 +From: Bartlomiej Zolnierkiewicz +Date: Sat, 30 May 2009 20:06:54 +0200 +Subject: ide_pci_generic: add quirk for Netcell ATA RAID + +From: Bartlomiej Zolnierkiewicz + +commit c339dfdd65b52bfd947ab29d1210314a2f6d622d upstream. + +We need to explicitly mark words 85-87 as valid ones since +firmware doesn't do it. + +This should fix support for LBA48 and FLUSH CACHE [EXT] command +which stopped working after we applied more strict checking of +identify words in: + + commit 942dcd85bf8edf38cdc3745306ca250684d99a61 + ("ide: idedisk_supports_lba48() -> ata_id_lba48_enabled()") + +and + + commit 4b58f17d7c45a8e5f4acda641bec388398b9c0fa + ("ide: ide_id_has_flush_cache() -> ata_id_flush_enabled()") + +Reported-and-tested-by: "Trevor Hemsley" +Signed-off-by: Bartlomiej Zolnierkiewicz +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-pci-generic.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +--- a/drivers/ide/ide-pci-generic.c ++++ b/drivers/ide/ide-pci-generic.c +@@ -35,6 +35,16 @@ MODULE_PARM_DESC(all_generic_ide, "IDE g + + #define IDE_HFLAGS_UMC (IDE_HFLAG_NO_DMA | IDE_HFLAG_FORCE_LEGACY_IRQS) + ++static void netcell_quirkproc(ide_drive_t *drive) ++{ ++ /* mark words 85-87 as valid */ ++ drive->id[ATA_ID_CSF_DEFAULT] |= 0x4000; ++} ++ ++static const struct ide_port_ops netcell_port_ops = { ++ .quirkproc = netcell_quirkproc, ++}; ++ + #define DECLARE_GENERIC_PCI_DEV(extra_flags) \ + { \ + .name = DRV_NAME, \ +@@ -76,6 +86,7 @@ static const struct ide_port_info generi + + { /* 6: Revolution */ + .name = DRV_NAME, ++ .port_ops = &netcell_port_ops, + .host_flags = IDE_HFLAG_CLEAR_SIMPLEX | + IDE_HFLAG_TRUST_BIOS_FOR_DMA | + IDE_HFLAG_OFF_BOARD, diff --git a/queue-2.6.29/igb-fix-lro-warning.patch b/queue-2.6.29/igb-fix-lro-warning.patch new file mode 100644 index 00000000000..486eed5af57 --- /dev/null +++ b/queue-2.6.29/igb-fix-lro-warning.patch @@ -0,0 +1,41 @@ +From jeffrey.t.kirsher@intel.com Tue Jun 9 01:13:47 2009 +From: Jeff Kirsher +Date: Tue, 02 Jun 2009 16:38:52 -0700 +Subject: igb: fix LRO warning +To: greg@kroah.com +Cc: stable@kernel.org, Jeff Kirsher , Stephen Hemminger +Message-ID: <20090602233851.24887.98909.stgit@localhost.localdomain> + +From: Jeff Kirsher + +This fix is only needed for 2.6.29.y tree, since in 2.6.30 and later IGB +has moved to using GRO instead of LRO. + +igb supports LRO, but was not setting any hooks to the ->set_flags +ethtool_ops function. This would trigger warnings if the user tried +to enable or disable LRO. + +Based on the patch provided by Stephen Hemminger + +Reported-by: Sergey Kononenko +Signed-off-by: Jeff Kirsher +CC: Stephen Hemminger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/igb/igb_ethtool.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/igb/igb_ethtool.c ++++ b/drivers/net/igb/igb_ethtool.c +@@ -2024,6 +2024,10 @@ static struct ethtool_ops igb_ethtool_op + .get_ethtool_stats = igb_get_ethtool_stats, + .get_coalesce = igb_get_coalesce, + .set_coalesce = igb_set_coalesce, ++ .get_flags = ethtool_op_get_flags, ++#ifdef CONFIG_IGB_LRO ++ .set_flags = ethtool_op_set_flags, ++#endif + }; + + void igb_set_ethtool_ops(struct net_device *netdev) diff --git a/queue-2.6.29/iwlwifi-update-key-flags-at-time-key-is-set.patch b/queue-2.6.29/iwlwifi-update-key-flags-at-time-key-is-set.patch new file mode 100644 index 00000000000..c335bccccbc --- /dev/null +++ b/queue-2.6.29/iwlwifi-update-key-flags-at-time-key-is-set.patch @@ -0,0 +1,90 @@ +From 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 Mon Sep 17 00:00:00 2001 +From: Reinette Chatre +Date: Thu, 30 Apr 2009 13:56:31 -0700 +Subject: iwlwifi: update key flags at time key is set + +From: Reinette Chatre + +commit 299f5462087f3bc2141e6bc83ba7e2b15d8a07d2 upstream. + +We need to be symmetrical in what is done when key is set and cleared. +This is important wrt the key flags as they are used during key +clearing and if they are not set when the key is set the key cannot be +cleared completely. + +This addresses the many occurences of the WARN found in +iwl_set_tkip_dynamic_key_info() and tracked in +http://www.kerneloops.org/searchweek.php?search=iwl_set_dynamic_key + +If calling iwl_set_tkip_dynamic_key_info()/iwl_remove_dynamic_key() +pair a few times in a row will cause that we run out of key space. +This is because the index stored in the key flags is used by +iwl_remove_dynamic_key() to decide if it should remove the key. +Unfortunately the key flags, and hence the key index is currently only +set at the time the key is written to the device (in +iwl_update_tkip_key()) and _not_ in iwl_set_tkip_dynamic_key_info(). +Fix this by setting flags in iwl_set_tkip_dynamic_key_info(). + +Signed-off-by: Reinette Chatre +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/net/wireless/iwlwifi/iwl-sta.c | 21 +++++++++++---------- + 1 file changed, 11 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/iwlwifi/iwl-sta.c ++++ b/drivers/net/wireless/iwlwifi/iwl-sta.c +@@ -708,6 +708,14 @@ static int iwl_set_tkip_dynamic_key_info + { + unsigned long flags; + int ret = 0; ++ __le16 key_flags = 0; ++ ++ key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK); ++ key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); ++ key_flags &= ~STA_KEY_FLG_INVALID; ++ ++ if (sta_id == priv->hw_params.bcast_sta_id) ++ key_flags |= STA_KEY_MULTICAST_MSK; + + keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_IV; + keyconf->flags |= IEEE80211_KEY_FLAG_GENERATE_MMIC; +@@ -727,6 +735,9 @@ static int iwl_set_tkip_dynamic_key_info + WARN(priv->stations[sta_id].sta.key.key_offset == WEP_INVALID_OFFSET, + "no space for new kew"); + ++ priv->stations[sta_id].sta.key.key_flags = key_flags; ++ ++ + /* This copy is acutally not needed: we get the key with each TX */ + memcpy(priv->stations[sta_id].keyinfo.key, keyconf->key, 16); + +@@ -743,9 +754,7 @@ void iwl_update_tkip_key(struct iwl_priv + { + u8 sta_id = IWL_INVALID_STATION; + unsigned long flags; +- __le16 key_flags = 0; + int i; +- DECLARE_MAC_BUF(mac); + + sta_id = iwl_find_station(priv, addr); + if (sta_id == IWL_INVALID_STATION) { +@@ -760,16 +769,8 @@ void iwl_update_tkip_key(struct iwl_priv + return; + } + +- key_flags |= (STA_KEY_FLG_TKIP | STA_KEY_FLG_MAP_KEY_MSK); +- key_flags |= cpu_to_le16(keyconf->keyidx << STA_KEY_FLG_KEYID_POS); +- key_flags &= ~STA_KEY_FLG_INVALID; +- +- if (sta_id == priv->hw_params.bcast_sta_id) +- key_flags |= STA_KEY_MULTICAST_MSK; +- + spin_lock_irqsave(&priv->sta_lock, flags); + +- priv->stations[sta_id].sta.key.key_flags = key_flags; + priv->stations[sta_id].sta.key.tkip_rx_tsc_byte2 = (u8) iv32; + + for (i = 0; i < 5; i++) diff --git a/queue-2.6.29/kvm-explicity-initialize-cpus_hardware_enabled.patch b/queue-2.6.29/kvm-explicity-initialize-cpus_hardware_enabled.patch new file mode 100644 index 00000000000..1eb9c19a846 --- /dev/null +++ b/queue-2.6.29/kvm-explicity-initialize-cpus_hardware_enabled.patch @@ -0,0 +1,34 @@ +From a4c0364be3f43d3e17fe19270f8b3d64881606e6 Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Sat, 6 Jun 2009 12:34:39 +0300 +Subject: KVM: Explicity initialize cpus_hardware_enabled + +From: Avi Kivity + +commit a4c0364be3f43d3e17fe19270f8b3d64881606e6 upstream. + +Under CONFIG_MAXSMP, cpus_hardware_enabled is allocated from the heap and +not statically initialized. This causes a crash on reboot when kvm thinks +vmx is enabled on random nonexistent cpus and accesses nonexistent percpu +lists. + +Fix by explicitly clearing the variable. + +Reported-and-tested-by: Yinghai Lu +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/kvm_main.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/virt/kvm/kvm_main.c ++++ b/virt/kvm/kvm_main.c +@@ -2315,6 +2315,7 @@ int kvm_init(void *opaque, unsigned int + r = -ENOMEM; + goto out_free_0; + } ++ cpumask_clear(cpus_hardware_enabled); + + r = kvm_arch_hardware_setup(); + if (r < 0) diff --git a/queue-2.6.29/mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch b/queue-2.6.29/mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch new file mode 100644 index 00000000000..b4923271e96 --- /dev/null +++ b/queue-2.6.29/mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch @@ -0,0 +1,46 @@ +From 621ad7c96aa138cfeab53cd4debc5a4e08b2189b Mon Sep 17 00:00:00 2001 +From: John W. Linville +Date: Tue, 5 May 2009 15:18:26 -0400 +Subject: mac80211: avoid NULL ptr deref when finding max_rates in PID and minstrel + +From: John W. Linville + +commit 621ad7c96aa138cfeab53cd4debc5a4e08b2189b upstream. + +"There is another problem with this piece of code. The sband will be NULL +after second iteration on single band device and cause null pointer +dereference. Everything is working with dual band card. Sorry, but i +don't know how to explain this clearly in English. I have looked on the +second patch for pid algorithm and found similar bug." + +Reported-by: Karol Szuster +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_minstrel.c | 2 +- + net/mac80211/rc80211_pid_algo.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/net/mac80211/rc80211_minstrel.c ++++ b/net/mac80211/rc80211_minstrel.c +@@ -477,7 +477,7 @@ minstrel_alloc_sta(void *priv, struct ie + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { + sband = hw->wiphy->bands[i]; +- if (sband->n_bitrates > max_rates) ++ if (sband && sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } + +--- a/net/mac80211/rc80211_pid_algo.c ++++ b/net/mac80211/rc80211_pid_algo.c +@@ -378,7 +378,7 @@ static void *rate_control_pid_alloc(stru + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { + sband = hw->wiphy->bands[i]; +- if (sband->n_bitrates > max_rates) ++ if (sband && sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } + diff --git a/queue-2.6.29/mac80211-minstrel-fix-memory-corruption.patch b/queue-2.6.29/mac80211-minstrel-fix-memory-corruption.patch new file mode 100644 index 00000000000..fd0c154bf09 --- /dev/null +++ b/queue-2.6.29/mac80211-minstrel-fix-memory-corruption.patch @@ -0,0 +1,36 @@ +From 8e532175277d9a5eae49768ed086555081f741a7 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 4 May 2009 18:04:55 +0200 +Subject: mac80211: minstrel, fix memory corruption + +From: Jiri Slaby + +commit 8e532175277d9a5eae49768ed086555081f741a7 upstream. + +minstrel doesn't count max rate count in fact, since it doesn't use +a loop variable `i' and hence allocs space only for bitrates found in +the first band. + +Fix it by involving the `i' as an index so that it traverses all the +bands now and finds the real max bitrate count. + +Signed-off-by: Jiri Slaby +Cc: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_minstrel.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/mac80211/rc80211_minstrel.c ++++ b/net/mac80211/rc80211_minstrel.c +@@ -476,7 +476,7 @@ minstrel_alloc_sta(void *priv, struct ie + return NULL; + + for (i = 0; i < IEEE80211_NUM_BANDS; i++) { +- sband = hw->wiphy->bands[hw->conf.channel->band]; ++ sband = hw->wiphy->bands[i]; + if (sband->n_bitrates > max_rates) + max_rates = sband->n_bitrates; + } diff --git a/queue-2.6.29/mac80211-pid-fix-memory-corruption.patch b/queue-2.6.29/mac80211-pid-fix-memory-corruption.patch new file mode 100644 index 00000000000..bb3f34c7437 --- /dev/null +++ b/queue-2.6.29/mac80211-pid-fix-memory-corruption.patch @@ -0,0 +1,137 @@ +From 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 Mon Sep 17 00:00:00 2001 +From: Jiri Slaby +Date: Mon, 4 May 2009 18:10:28 +0200 +Subject: mac80211: pid, fix memory corruption + +From: Jiri Slaby + +commit 6909268dc93ae4b0b8e1ebb4b2fa70b1a47dd347 upstream. + +pid doesn't count with some band having more bitrates than the one +associated the first time. +Fix that by counting the maximal available bitrate count and allocate +big enough space. + +Secondly, fix touching uninitialized memory which causes panics. +Index sucked from this random memory points to the hell. +The fix is to sort the rates on each band change. + +Signed-off-by: Jiri Slaby +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/rc80211_pid_algo.c | 73 +++++++++++++++++++++------------------- + 1 file changed, 39 insertions(+), 34 deletions(-) + +--- a/net/mac80211/rc80211_pid_algo.c ++++ b/net/mac80211/rc80211_pid_algo.c +@@ -317,13 +317,44 @@ rate_control_pid_rate_init(void *priv, s + struct ieee80211_sta *sta, void *priv_sta) + { + struct rc_pid_sta_info *spinfo = priv_sta; ++ struct rc_pid_info *pinfo = priv; ++ struct rc_pid_rateinfo *rinfo = pinfo->rinfo; + struct sta_info *si; ++ int i, j, tmp; ++ bool s; + + /* TODO: This routine should consider using RSSI from previous packets + * as we need to have IEEE 802.1X auth succeed immediately after assoc.. + * Until that method is implemented, we will use the lowest supported + * rate as a workaround. */ + ++ /* Sort the rates. This is optimized for the most common case (i.e. ++ * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed ++ * mapping too. */ ++ for (i = 0; i < sband->n_bitrates; i++) { ++ rinfo[i].index = i; ++ rinfo[i].rev_index = i; ++ if (RC_PID_FAST_START) ++ rinfo[i].diff = 0; ++ else ++ rinfo[i].diff = i * pinfo->norm_offset; ++ } ++ for (i = 1; i < sband->n_bitrates; i++) { ++ s = 0; ++ for (j = 0; j < sband->n_bitrates - i; j++) ++ if (unlikely(sband->bitrates[rinfo[j].index].bitrate > ++ sband->bitrates[rinfo[j + 1].index].bitrate)) { ++ tmp = rinfo[j].index; ++ rinfo[j].index = rinfo[j + 1].index; ++ rinfo[j + 1].index = tmp; ++ rinfo[rinfo[j].index].rev_index = j; ++ rinfo[rinfo[j + 1].index].rev_index = j + 1; ++ s = 1; ++ } ++ if (!s) ++ break; ++ } ++ + spinfo->txrate_idx = rate_lowest_index(sband, sta); + /* HACK */ + si = container_of(sta, struct sta_info, sta); +@@ -336,21 +367,22 @@ static void *rate_control_pid_alloc(stru + struct rc_pid_info *pinfo; + struct rc_pid_rateinfo *rinfo; + struct ieee80211_supported_band *sband; +- int i, j, tmp; +- bool s; ++ int i, max_rates = 0; + #ifdef CONFIG_MAC80211_DEBUGFS + struct rc_pid_debugfs_entries *de; + #endif + +- sband = hw->wiphy->bands[hw->conf.channel->band]; +- + pinfo = kmalloc(sizeof(*pinfo), GFP_ATOMIC); + if (!pinfo) + return NULL; + +- /* We can safely assume that sband won't change unless we get +- * reinitialized. */ +- rinfo = kmalloc(sizeof(*rinfo) * sband->n_bitrates, GFP_ATOMIC); ++ for (i = 0; i < IEEE80211_NUM_BANDS; i++) { ++ sband = hw->wiphy->bands[i]; ++ if (sband->n_bitrates > max_rates) ++ max_rates = sband->n_bitrates; ++ } ++ ++ rinfo = kmalloc(sizeof(*rinfo) * max_rates, GFP_ATOMIC); + if (!rinfo) { + kfree(pinfo); + return NULL; +@@ -368,33 +400,6 @@ static void *rate_control_pid_alloc(stru + pinfo->rinfo = rinfo; + pinfo->oldrate = 0; + +- /* Sort the rates. This is optimized for the most common case (i.e. +- * almost-sorted CCK+OFDM rates). Kind of bubble-sort with reversed +- * mapping too. */ +- for (i = 0; i < sband->n_bitrates; i++) { +- rinfo[i].index = i; +- rinfo[i].rev_index = i; +- if (RC_PID_FAST_START) +- rinfo[i].diff = 0; +- else +- rinfo[i].diff = i * pinfo->norm_offset; +- } +- for (i = 1; i < sband->n_bitrates; i++) { +- s = 0; +- for (j = 0; j < sband->n_bitrates - i; j++) +- if (unlikely(sband->bitrates[rinfo[j].index].bitrate > +- sband->bitrates[rinfo[j + 1].index].bitrate)) { +- tmp = rinfo[j].index; +- rinfo[j].index = rinfo[j + 1].index; +- rinfo[j + 1].index = tmp; +- rinfo[rinfo[j].index].rev_index = j; +- rinfo[rinfo[j + 1].index].rev_index = j + 1; +- s = 1; +- } +- if (!s) +- break; +- } +- + #ifdef CONFIG_MAC80211_DEBUGFS + de = &pinfo->dentries; + de->target = debugfs_create_u32("target_pf", S_IRUSR | S_IWUSR, diff --git a/queue-2.6.29/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch b/queue-2.6.29/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch new file mode 100644 index 00000000000..31e92cf308d --- /dev/null +++ b/queue-2.6.29/mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch @@ -0,0 +1,169 @@ +From f83a275dbc5ca1721143698e844243fcadfabf6a Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 28 May 2009 14:34:40 -0700 +Subject: mm: account for MAP_SHARED mappings using VM_MAYSHARE and not VM_SHARED in hugetlbfs + +From: Mel Gorman + +commit f83a275dbc5ca1721143698e844243fcadfabf6a upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +hugetlbfs reserves huge pages but does not fault them at mmap() time to +ensure that future faults succeed. The reservation behaviour differs +depending on whether the mapping was mapped MAP_SHARED or MAP_PRIVATE. +For MAP_SHARED mappings, hugepages are reserved when mmap() is first +called and are tracked based on information associated with the inode. +Other processes mapping MAP_SHARED use the same reservation. MAP_PRIVATE +track the reservations based on the VMA created as part of the mmap() +operation. Each process mapping MAP_PRIVATE must make its own +reservation. + +hugetlbfs currently checks if a VMA is MAP_SHARED with the VM_SHARED flag +and not VM_MAYSHARE. For file-backed mappings, such as hugetlbfs, +VM_SHARED is set only if the mapping is MAP_SHARED and the file was opened +read-write. If a shared memory mapping was mapped shared-read-write for +populating of data and mapped shared-read-only by other processes, then +hugetlbfs would account for the mapping as if it was MAP_PRIVATE. This +causes processes to fail to map the file MAP_SHARED even though it should +succeed as the reservation is there. + +This patch alters mm/hugetlb.c and replaces VM_SHARED with VM_MAYSHARE +when the intent of the code was to check whether the VMA was mapped +MAP_SHARED or MAP_PRIVATE. + +Signed-off-by: Mel Gorman +Cc: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 26 +++++++++++++------------- + 1 file changed, 13 insertions(+), 13 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -316,7 +316,7 @@ static void resv_map_release(struct kref + static struct resv_map *vma_resv_map(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + return (struct resv_map *)(get_vma_private_data(vma) & + ~HPAGE_RESV_MASK); + return NULL; +@@ -325,7 +325,7 @@ static struct resv_map *vma_resv_map(str + static void set_vma_resv_map(struct vm_area_struct *vma, struct resv_map *map) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, (get_vma_private_data(vma) & + HPAGE_RESV_MASK) | (unsigned long)map); +@@ -334,7 +334,7 @@ static void set_vma_resv_map(struct vm_a + static void set_vma_resv_flags(struct vm_area_struct *vma, unsigned long flags) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- VM_BUG_ON(vma->vm_flags & VM_SHARED); ++ VM_BUG_ON(vma->vm_flags & VM_MAYSHARE); + + set_vma_private_data(vma, get_vma_private_data(vma) | flags); + } +@@ -353,7 +353,7 @@ static void decrement_hugepage_resv_vma( + if (vma->vm_flags & VM_NORESERVE) + return; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + /* Shared mappings always use reserves */ + h->resv_huge_pages--; + } else if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) { +@@ -369,14 +369,14 @@ static void decrement_hugepage_resv_vma( + void reset_vma_resv_huge_pages(struct vm_area_struct *vma) + { + VM_BUG_ON(!is_vm_hugetlb_page(vma)); +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + vma->vm_private_data = (void *)0; + } + + /* Returns true if the VMA has associated reserve pages */ + static int vma_has_reserves(struct vm_area_struct *vma) + { +- if (vma->vm_flags & VM_SHARED) ++ if (vma->vm_flags & VM_MAYSHARE) + return 1; + if (is_vma_resv_set(vma, HPAGE_RESV_OWNER)) + return 1; +@@ -924,7 +924,7 @@ static int vma_needs_reservation(struct + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + return region_chg(&inode->i_mapping->private_list, + idx, idx + 1); +@@ -949,7 +949,7 @@ static void vma_commit_reservation(struc + struct address_space *mapping = vma->vm_file->f_mapping; + struct inode *inode = mapping->host; + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + pgoff_t idx = vma_hugecache_offset(h, vma, addr); + region_add(&inode->i_mapping->private_list, idx, idx + 1); + +@@ -1893,7 +1893,7 @@ retry_avoidcopy: + * at the time of fork() could consume its reserves on COW instead + * of the full address range. + */ +- if (!(vma->vm_flags & VM_SHARED) && ++ if (!(vma->vm_flags & VM_MAYSHARE) && + is_vma_resv_set(vma, HPAGE_RESV_OWNER) && + old_page != pagecache_page) + outside_reserve = 1; +@@ -2000,7 +2000,7 @@ retry: + clear_huge_page(page, address, huge_page_size(h)); + __SetPageUptodate(page); + +- if (vma->vm_flags & VM_SHARED) { ++ if (vma->vm_flags & VM_MAYSHARE) { + int err; + struct inode *inode = mapping->host; + +@@ -2104,7 +2104,7 @@ int hugetlb_fault(struct mm_struct *mm, + goto out_mutex; + } + +- if (!(vma->vm_flags & VM_SHARED)) ++ if (!(vma->vm_flags & VM_MAYSHARE)) + pagecache_page = hugetlbfs_pagecache_page(h, + vma, address); + } +@@ -2289,7 +2289,7 @@ int hugetlb_reserve_pages(struct inode * + * to reserve the full area even if read-only as mprotect() may be + * called to make the mapping read-write. Assume !vma is a shm mapping + */ +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + chg = region_chg(&inode->i_mapping->private_list, from, to); + else { + struct resv_map *resv_map = resv_map_alloc(); +@@ -2330,7 +2330,7 @@ int hugetlb_reserve_pages(struct inode * + * consumed reservations are stored in the map. Hence, nothing + * else has to be done for private mappings here + */ +- if (!vma || vma->vm_flags & VM_SHARED) ++ if (!vma || vma->vm_flags & VM_MAYSHARE) + region_add(&inode->i_mapping->private_list, from, to); + return 0; + } diff --git a/queue-2.6.29/mtd_dataflash-unbreak-erase-support.patch b/queue-2.6.29/mtd_dataflash-unbreak-erase-support.patch new file mode 100644 index 00000000000..92e9a700d56 --- /dev/null +++ b/queue-2.6.29/mtd_dataflash-unbreak-erase-support.patch @@ -0,0 +1,34 @@ +From dbf8c11f821b6ff83302c34f2403b4f7231f50ae Mon Sep 17 00:00:00 2001 +From: Peter Korsgaard +Date: Mon, 18 May 2009 11:13:54 +0100 +Subject: mtd_dataflash: unbreak erase support + +From: Peter Korsgaard + +commit dbf8c11f821b6ff83302c34f2403b4f7231f50ae upstream. + +Commit 5b7f3a50 (fix dataflash 64-bit divisions) unfortunately +introduced a typo. Erase addr and len were swapped in the pageaddr +calculation, causing the wrong sectors to get erased. + +Signed-off-by: Peter Korsgaard +Acked-by: Artem Bityutskiy +Signed-off-by: David Woodhouse +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/devices/mtd_dataflash.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/devices/mtd_dataflash.c ++++ b/drivers/mtd/devices/mtd_dataflash.c +@@ -184,7 +184,7 @@ static int dataflash_erase(struct mtd_in + /* Calculate flash page address; use block erase (for speed) if + * we're at a block boundary and need to erase the whole block. + */ +- pageaddr = div_u64(instr->len, priv->page_size); ++ pageaddr = div_u64(instr->addr, priv->page_size); + do_block = (pageaddr & 0x7) == 0 && instr->len >= blocksize; + pageaddr = pageaddr << priv->page_offset; + diff --git a/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch b/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch new file mode 100644 index 00000000000..03584fc71ea --- /dev/null +++ b/queue-2.6.29/powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch @@ -0,0 +1,31 @@ +From b62c31ae401c6df25c61b206681a6e904ef97169 Mon Sep 17 00:00:00 2001 +From: Stephen Rothwell +Date: Thu, 23 Apr 2009 22:56:11 +1000 +Subject: powerpc: fix for long standing bug noticed by gcc 4.4.0 + +From: Stephen Rothwell + +commit b62c31ae401c6df25c61b206681a6e904ef97169 upstream. + +Previous gcc versions didn't notice this because one of the preceding +#ifs always evaluated to true. + +gcc 4.4.0 produced this error: + +arch/powerpc/mm/tlb_nohash_low.S:206:6: error: #elif with no expression + +Signed-off-by: Stephen Rothwell +Acked-by: Josh Boyer +Signed-off-by: Kumar Gala +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/powerpc/mm/tlb_nohash_low.S ++++ b/arch/powerpc/mm/tlb_nohash_low.S +@@ -191,6 +191,6 @@ ALT_MMU_FTR_SECTION_END_IFCLR(MMU_FTR_USE_TLBILX) + isync + 1: wrtee r10 + blr +-#elif ++#else + #error Unsupported processor type ! + #endif diff --git a/queue-2.6.29/random-make-get_random_int-more-random.patch b/queue-2.6.29/random-make-get_random_int-more-random.patch new file mode 100644 index 00000000000..2b72e2cc38d --- /dev/null +++ b/queue-2.6.29/random-make-get_random_int-more-random.patch @@ -0,0 +1,72 @@ +From 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Tue, 5 May 2009 08:17:43 -0700 +Subject: random: make get_random_int() more random + +From: Linus Torvalds + +commit 8a0a9bd4db63bc45e3017bedeafbd88d0eb84d02 upstream. + +It's a really simple patch that basically just open-codes the current +"secure_ip_id()" call, but when open-coding it we now use a _static_ +hashing area, so that it gets updated every time. + +And to make sure somebody can't just start from the same original seed of +all-zeroes, and then do the "half_md4_transform()" over and over until +they get the same sequence as the kernel has, each iteration also mixes in +the same old "current->pid + jiffies" we used - so we should now have a +regular strong pseudo-number generator, but we also have one that doesn't +have a single seed. + +Note: the "pid + jiffies" is just meant to be a tiny tiny bit of noise. It +has no real meaning. It could be anything. I just picked the previous +seed, it's just that now we keep the state in between calls and that will +feed into the next result, and that should make all the difference. + +I made that hash be a per-cpu data just to avoid cache-line ping-pong: +having multiple CPU's write to the same data would be fine for randomness, +and add yet another layer of chaos to it, but since get_random_int() is +supposed to be a fast interface I did it that way instead. I considered +using "__raw_get_cpu_var()" to avoid any preemption overhead while still +getting the hash be _mostly_ ping-pong free, but in the end good taste won +out. + +Signed-off-by: Ingo Molnar +Signed-off-by: Linus Torvalds +Cc: Jake Edge +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/random.c | 19 ++++++++++++------- + 1 file changed, 12 insertions(+), 7 deletions(-) + +--- a/drivers/char/random.c ++++ b/drivers/char/random.c +@@ -1660,15 +1660,20 @@ EXPORT_SYMBOL(secure_dccp_sequence_numbe + * value is not cryptographically secure but for several uses the cost of + * depleting entropy is too high + */ ++DEFINE_PER_CPU(__u32 [4], get_random_int_hash); + unsigned int get_random_int(void) + { +- /* +- * Use IP's RNG. It suits our purpose perfectly: it re-keys itself +- * every second, from the entropy pool (and thus creates a limited +- * drain on it), and uses halfMD4Transform within the second. We +- * also mix it with jiffies and the PID: +- */ +- return secure_ip_id((__force __be32)(current->pid + jiffies)); ++ struct keydata *keyptr; ++ __u32 *hash = get_cpu_var(get_random_int_hash); ++ int ret; ++ ++ keyptr = get_keyptr(); ++ hash[0] += current->pid + jiffies + get_cycles() + (int)(long)&ret; ++ ++ ret = half_md4_transform(hash, keyptr->secret); ++ put_cpu_var(get_random_int_hash); ++ ++ return ret; + } + + /* diff --git a/queue-2.6.29/selinux-bug-in-selinux-compat_net-code.patch b/queue-2.6.29/selinux-bug-in-selinux-compat_net-code.patch new file mode 100644 index 00000000000..1b7bec27164 --- /dev/null +++ b/queue-2.6.29/selinux-bug-in-selinux-compat_net-code.patch @@ -0,0 +1,46 @@ +From stable-bounces@linux.kernel.org Tue Jun 9 01:08:36 2009 +From: Eric Paris +Date: Mon, 01 Jun 2009 10:21:05 -0400 +Subject: SELinux: BUG in SELinux compat_net code +To: stable@kernel.org +Message-ID: <1243866065.3050.7.camel@dhcp231-142.rdu.redhat.com> + +From: Eric Paris + +This patch is not applicable to Linus's tree as the code in question has +been removed for 2.6.30. I'm sending in case any of the stable +maintainers would like to push to their branches (which I think anything +pre 2.6.30 would like to do). + +Ubuntu users were experiencing a kernel panic when they enabled SELinux +due to an old bug in our handling of the compatibility mode network +controls, introduced Jan 1 2008 effad8df44261031a882e1a895415f7186a5098e +Most distros have not used the compat_net code since the new code was +introduced and so noone has hit this problem before. Ubuntu is the only +distro I know that enabled that legacy cruft by default. But, I was ask +to look at it and found that the above patch changed a call to +avc_has_perm from if(send_perm) to if(!send_perm) in +selinux_ip_postroute_iptables_compat(). The result is that users who +turn on SELinux and have compat_net set can (and oftern will) BUG() in +avc_has_perm_noaudit since they are requesting 0 permissions. + +This patch corrects that accidental bug introduction. + +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + security/selinux/hooks.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/security/selinux/hooks.c ++++ b/security/selinux/hooks.c +@@ -4648,7 +4648,7 @@ static int selinux_ip_postroute_iptables + if (err) + return err; + +- if (send_perm != 0) ++ if (!send_perm) + return 0; + + err = sel_netport_sid(sk->sk_protocol, diff --git a/queue-2.6.29/series b/queue-2.6.29/series index d7b6fd3d530..21f3b765263 100644 --- a/queue-2.6.29/series +++ b/queue-2.6.29/series @@ -27,3 +27,31 @@ kvm-make-paravirt-tlb-flush-also-reload-the-pae-pdptrs.patch kvm-fix-pdptr-reloading-on-cr4-writes.patch cfg80211-fix-race-between-core-hint-and-driver-s-custom-apply.patch drm-r128-fix-r128-ioremaps-to-use-ioremap_wc.patch +drivers-serial-mpc52xx_uart.c-fix-array-overindexing-check.patch +x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch +mm-account-for-map_shared-mappings-using-vm_mayshare-and-not-vm_shared-in-hugetlbfs.patch +usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch +sound-usb-audio-make-the-motu-fastlane-work-again.patch +usb-serial-fix-crash-when-sub-driver-updates-firmware.patch +x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch +mtd_dataflash-unbreak-erase-support.patch +hwmon-add-missing-__devexit_p.patch +cpuidle-make-amc-c1e-work-in-processor_idle.patch +cpuidle-fix-amd-c1e-suspend-hang.patch +ide-fix-40-wire-cable-detection-for-tsst-sh-s202-atapi-devices.patch +kvm-explicity-initialize-cpus_hardware_enabled.patch +ide_pci_generic-add-quirk-for-netcell-ata-raid.patch +ide-fix-oops-during-ide-cd-error-recovery.patch +selinux-bug-in-selinux-compat_net-code.patch +e1000-add-missing-length-check-to-e1000-receive-routine.patch +igb-fix-lro-warning.patch +iwlwifi-update-key-flags-at-time-key-is-set.patch +mac80211-minstrel-fix-memory-corruption.patch +mac80211-pid-fix-memory-corruption.patch +mac80211-avoid-null-ptr-deref-when-finding-max_rates-in-pid-and-minstrel.patch +bnx2-fix-panic-in-bnx2_poll_work.patch +random-make-get_random_int-more-random.patch +hid-fix-dropped-device-specific-quirks.patch +3w-xxxx-scsi_dma_unmap-fix.patch +powerpc-fix-for-long-standing-bug-noticed-by-gcc-4.4.0.patch +ide-tape-remove-back-to-back-request_sense-detection.patch diff --git a/queue-2.6.29/sound-usb-audio-make-the-motu-fastlane-work-again.patch b/queue-2.6.29/sound-usb-audio-make-the-motu-fastlane-work-again.patch new file mode 100644 index 00000000000..78ac9a366c0 --- /dev/null +++ b/queue-2.6.29/sound-usb-audio-make-the-motu-fastlane-work-again.patch @@ -0,0 +1,82 @@ +From 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c Mon Sep 17 00:00:00 2001 +From: Clemens Ladisch +Date: Wed, 27 May 2009 10:49:30 +0200 +Subject: sound: usb-audio: make the MotU Fastlane work again + +From: Clemens Ladisch + +commit 55de5ef970c680d8d75f2a9aa7e4f172140dbd9c upstream. + +Kernel 2.6.18 broke the MotU Fastlane, which uses duplicate endpoint +numbers in a manner that is not only illegal but also confuses the +kernel's endpoint descriptor caching mechanism. To work around this, we +have to add a separate usb_set_interface() call to guide the USB core to +the correct descriptors. + +Signed-off-by: Clemens Ladisch +Reported-and-tested-by: David Fries +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usbaudio.c | 2 +- + sound/usb/usbaudio.h | 2 +- + sound/usb/usbmidi.c | 12 +++++++++++- + sound/usb/usbquirks.h | 2 +- + 4 files changed, 14 insertions(+), 4 deletions(-) + +--- a/sound/usb/usbaudio.c ++++ b/sound/usb/usbaudio.c +@@ -3375,7 +3375,7 @@ static int snd_usb_create_quirk(struct s + [QUIRK_MIDI_YAMAHA] = snd_usb_create_midi_interface, + [QUIRK_MIDI_MIDIMAN] = snd_usb_create_midi_interface, + [QUIRK_MIDI_NOVATION] = snd_usb_create_midi_interface, +- [QUIRK_MIDI_RAW] = snd_usb_create_midi_interface, ++ [QUIRK_MIDI_FASTLANE] = snd_usb_create_midi_interface, + [QUIRK_MIDI_EMAGIC] = snd_usb_create_midi_interface, + [QUIRK_MIDI_CME] = snd_usb_create_midi_interface, + [QUIRK_AUDIO_STANDARD_INTERFACE] = create_standard_audio_quirk, +--- a/sound/usb/usbaudio.h ++++ b/sound/usb/usbaudio.h +@@ -153,7 +153,7 @@ enum quirk_type { + QUIRK_MIDI_YAMAHA, + QUIRK_MIDI_MIDIMAN, + QUIRK_MIDI_NOVATION, +- QUIRK_MIDI_RAW, ++ QUIRK_MIDI_FASTLANE, + QUIRK_MIDI_EMAGIC, + QUIRK_MIDI_CME, + QUIRK_MIDI_US122L, +--- a/sound/usb/usbmidi.c ++++ b/sound/usb/usbmidi.c +@@ -1778,8 +1778,18 @@ int snd_usb_create_midi_interface(struct + umidi->usb_protocol_ops = &snd_usbmidi_novation_ops; + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; +- case QUIRK_MIDI_RAW: ++ case QUIRK_MIDI_FASTLANE: + umidi->usb_protocol_ops = &snd_usbmidi_raw_ops; ++ /* ++ * Interface 1 contains isochronous endpoints, but with the same ++ * numbers as in interface 0. Since it is interface 1 that the ++ * USB core has most recently seen, these descriptors are now ++ * associated with the endpoint numbers. This will foul up our ++ * attempts to submit bulk/interrupt URBs to the endpoints in ++ * interface 0, so we have to make sure that the USB core looks ++ * again at interface 0 by calling usb_set_interface() on it. ++ */ ++ usb_set_interface(umidi->chip->dev, 0, 0); + err = snd_usbmidi_detect_per_port_endpoints(umidi, endpoints); + break; + case QUIRK_MIDI_EMAGIC: +--- a/sound/usb/usbquirks.h ++++ b/sound/usb/usbquirks.h +@@ -1858,7 +1858,7 @@ YAMAHA_DEVICE(0x7010, "UB99"), + .data = & (const struct snd_usb_audio_quirk[]) { + { + .ifnum = 0, +- .type = QUIRK_MIDI_RAW ++ .type = QUIRK_MIDI_FASTLANE + }, + { + .ifnum = 1, diff --git a/queue-2.6.29/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch b/queue-2.6.29/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch new file mode 100644 index 00000000000..399d4befd7f --- /dev/null +++ b/queue-2.6.29/usb-isp1760-urb_dequeue-doesn-t-always-find-the-urbs.patch @@ -0,0 +1,99 @@ +From 0afb20e00b5053170c85298fed842b32d20b4ea9 Mon Sep 17 00:00:00 2001 +From: Warren Free +Date: Fri, 8 May 2009 10:27:08 +0200 +Subject: USB: isp1760: urb_dequeue doesn't always find the urbs + +From: Warren Free + +commit 0afb20e00b5053170c85298fed842b32d20b4ea9 upstream. + +The option driver (and presumably others) allocates several URBs when it +opens and tries to free them when it closes. The isp1760_urb_dequeue +function gets called, but the packet being dequeued is not necessarily at +the +front of one of the 32 queues. If not, the isp1760_urb_done function doesn't +get called for the URB and the process trying to free it hangs forever on a +wait_queue. This patch does two things. If the URB being dequeued has others +queued behind it, it re-queues them. And it searches the queues looking for +the URB being dequeued rather than just looking at the one at the front of +the queue. + +[bigeasy@linutronix] whitespace fixes, reformating + +Signed-off-by: Warren Free +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/isp1760-hcd.c | 24 ++++++++++++++++++++++-- + 1 file changed, 22 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/isp1760-hcd.c ++++ b/drivers/usb/host/isp1760-hcd.c +@@ -1644,6 +1644,7 @@ static int isp1760_urb_dequeue(struct us + u32 reg_base, or_reg, skip_reg; + unsigned long flags; + struct ptd ptd; ++ packet_enqueue *pe; + + switch (usb_pipetype(urb->pipe)) { + case PIPE_ISOCHRONOUS: +@@ -1655,6 +1656,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = INT_REGS_OFFSET; + or_reg = HC_INT_IRQ_MASK_OR_REG; + skip_reg = HC_INT_PTD_SKIPMAP_REG; ++ pe = enqueue_an_INT_packet; + break; + + default: +@@ -1662,6 +1664,7 @@ static int isp1760_urb_dequeue(struct us + reg_base = ATL_REGS_OFFSET; + or_reg = HC_ATL_IRQ_MASK_OR_REG; + skip_reg = HC_ATL_PTD_SKIPMAP_REG; ++ pe = enqueue_an_ATL_packet; + break; + } + +@@ -1673,6 +1676,7 @@ static int isp1760_urb_dequeue(struct us + u32 skip_map; + u32 or_map; + struct isp1760_qtd *qtd; ++ struct isp1760_qh *qh = ints->qh; + + skip_map = isp1760_readl(hcd->regs + skip_reg); + skip_map |= 1 << i; +@@ -1685,8 +1689,7 @@ static int isp1760_urb_dequeue(struct us + priv_write_copy(priv, (u32 *)&ptd, hcd->regs + reg_base + + i * sizeof(ptd), sizeof(ptd)); + qtd = ints->qtd; +- +- clean_up_qtdlist(qtd); ++ qtd = clean_up_qtdlist(qtd); + + free_mem(priv, ints->payload); + +@@ -1697,7 +1700,24 @@ static int isp1760_urb_dequeue(struct us + ints->payload = 0; + + isp1760_urb_done(priv, urb, status); ++ if (qtd) ++ pe(hcd, qh, qtd); + break; ++ ++ } else if (ints->qtd) { ++ struct isp1760_qtd *qtd, *prev_qtd = ints->qtd; ++ ++ for (qtd = ints->qtd->hw_next; qtd; qtd = qtd->hw_next) { ++ if (qtd->urb == urb) { ++ prev_qtd->hw_next = clean_up_qtdlist(qtd); ++ isp1760_urb_done(priv, urb, status); ++ break; ++ } ++ prev_qtd = qtd; ++ } ++ /* we found the urb before the end of the list */ ++ if (qtd) ++ break; + } + ints++; + } diff --git a/queue-2.6.29/usb-serial-fix-crash-when-sub-driver-updates-firmware.patch b/queue-2.6.29/usb-serial-fix-crash-when-sub-driver-updates-firmware.patch new file mode 100644 index 00000000000..05c08d2c644 --- /dev/null +++ b/queue-2.6.29/usb-serial-fix-crash-when-sub-driver-updates-firmware.patch @@ -0,0 +1,42 @@ +From 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Wed, 27 May 2009 11:25:52 -0400 +Subject: usb-serial: fix crash when sub-driver updates firmware + +From: Alan Stern + +commit 0a3c8549ea7e94d74a41096d42bc6cdf43d183bf upstream. + +This patch (as1244) fixes a crash in usb-serial that occurs when a +sub-driver returns a positive value from its attach method, indicating +that new firmware was loaded and the device will disconnect and +reconnect. The usb-serial core then skips the step of registering the +port devices; when the disconnect occurs, the attempt to unregister +the ports fails dramatically. + +This problem shows up with Keyspan devices and it might affect others +as well. + +When the attach method returns a positive value, the patch sets +num_ports to 0. This tells usb_serial_disconnect() not to try +unregistering any of the ports; instead they are cleaned up by +destroy_serial(). + +Signed-off-by: Alan Stern +Tested-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/usb-serial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/usb-serial.c ++++ b/drivers/usb/serial/usb-serial.c +@@ -978,6 +978,7 @@ int usb_serial_probe(struct usb_interfac + if (retval > 0) { + /* quietly accept this device, but don't bind to a + serial port as it's about to disappear */ ++ serial->num_ports = 0; + goto exit; + } + } diff --git a/queue-2.6.29/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch b/queue-2.6.29/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch new file mode 100644 index 00000000000..cb5f79f8d49 --- /dev/null +++ b/queue-2.6.29/x86-ignore-vm_locked-when-determining-if-hugetlb-backed-page-tables-can-be-shared-or-not.patch @@ -0,0 +1,71 @@ +From 32b154c0b0bae2879bf4e549d861caf1759a3546 Mon Sep 17 00:00:00 2001 +From: Mel Gorman +Date: Thu, 28 May 2009 14:34:37 -0700 +Subject: x86: ignore VM_LOCKED when determining if hugetlb-backed page tables can be shared or not + +From: Mel Gorman + +commit 32b154c0b0bae2879bf4e549d861caf1759a3546 upstream. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=13302 + +On x86 and x86-64, it is possible that page tables are shared beween +shared mappings backed by hugetlbfs. As part of this, +page_table_shareable() checks a pair of vma->vm_flags and they must match +if they are to be shared. All VMA flags are taken into account, including +VM_LOCKED. + +The problem is that VM_LOCKED is cleared on fork(). When a process with a +shared memory segment forks() to exec() a helper, there will be shared +VMAs with different flags. The impact is that the shared segment is +sometimes considered shareable and other times not, depending on what +process is checking. + +What happens is that the segment page tables are being shared but the +count is inaccurate depending on the ordering of events. As the page +tables are freed with put_page(), bad pmd's are found when some of the +children exit. The hugepage counters also get corrupted and the Total and +Free count will no longer match even when all the hugepage-backed regions +are freed. This requires a reboot of the machine to "fix". + +This patch addresses the problem by comparing all flags except VM_LOCKED +when deciding if pagetables should be shared or not for hugetlbfs-backed +mapping. + +Signed-off-by: Mel Gorman +Acked-by: Hugh Dickins +Cc: Ingo Molnar +Cc: Lee Schermerhorn +Cc: KOSAKI Motohiro +Cc: +Cc: Eric B Munson +Cc: Adam Litke +Cc: Andy Whitcroft +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/hugetlbpage.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/mm/hugetlbpage.c ++++ b/arch/x86/mm/hugetlbpage.c +@@ -26,12 +26,16 @@ static unsigned long page_table_shareabl + unsigned long sbase = saddr & PUD_MASK; + unsigned long s_end = sbase + PUD_SIZE; + ++ /* Allow segments to share if only one is marked locked */ ++ unsigned long vm_flags = vma->vm_flags & ~VM_LOCKED; ++ unsigned long svm_flags = svma->vm_flags & ~VM_LOCKED; ++ + /* + * match the virtual addresses, permission and the alignment of the + * page table page. + */ + if (pmd_index(addr) != pmd_index(saddr) || +- vma->vm_flags != svma->vm_flags || ++ vm_flags != svm_flags || + sbase < svma->vm_start || svma->vm_end < s_end) + return 0; + diff --git a/queue-2.6.29/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch b/queue-2.6.29/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch new file mode 100644 index 00000000000..7042137fa6b --- /dev/null +++ b/queue-2.6.29/x86-pci-fix-mmconfig-detection-with-32bit-near-4g.patch @@ -0,0 +1,68 @@ +From 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Wed, 3 Jun 2009 00:13:13 -0700 +Subject: x86/pci: fix mmconfig detection with 32bit near 4g + +From: Yinghai Lu + +commit 75e613cdc7bb2ba3795b1bc3ddf19476c767ba68 upstream. + +Pascal reported and bisected a commit: +| x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case + +which broke one system system. + +ACPI: Using IOAPIC for interrupt routing +PCI: MCFG configuration 0: base f0000000 segment 0 buses 0 - 255 +PCI: MCFG area at f0000000 reserved in ACPI motherboard resources +PCI: Using MMCONFIG for extended config space + +it didn't have +PCI: updated MCFG configuration 0: base f0000000 segment 0 buses 0 - 63 +anymore, and try to use 0xf000000 - 0xffffffff for mmconfig + +For 32bit, mcfg_res->end could be 32bit only (if 64 resources aren't used) +So use end - 1 to pass the value in mcfg->end to avoid overflow. + +We don't need to worry about the e820 path, they are always 64 bit. + +Reported-by: Pascal Terjan +Bisected-by: Pascal Terjan +Tested-by: Pascal Terjan +Signed-off-by: Yinghai Lu +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/mmconfig-shared.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/arch/x86/pci/mmconfig-shared.c ++++ b/arch/x86/pci/mmconfig-shared.c +@@ -254,7 +254,7 @@ static acpi_status __init check_mcfg_res + if (!fixmem32) + return AE_OK; + if ((mcfg_res->start >= fixmem32->address) && +- (mcfg_res->end <= (fixmem32->address + ++ (mcfg_res->end < (fixmem32->address + + fixmem32->address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; +@@ -271,7 +271,7 @@ static acpi_status __init check_mcfg_res + return AE_OK; + + if ((mcfg_res->start >= address.minimum) && +- (mcfg_res->end <= (address.minimum + address.address_length))) { ++ (mcfg_res->end < (address.minimum + address.address_length))) { + mcfg_res->flags = 1; + return AE_CTRL_TERMINATE; + } +@@ -297,7 +297,7 @@ static int __init is_acpi_reserved(u64 s + struct resource mcfg_res; + + mcfg_res.start = start; +- mcfg_res.end = end; ++ mcfg_res.end = end - 1; + mcfg_res.flags = 0; + + acpi_get_devices("PNP0C01", find_mboard_resource, &mcfg_res, NULL);