From: Greg Kroah-Hartman Date: Wed, 28 Jul 2010 22:18:06 +0000 (-0700) Subject: .32 patches X-Git-Tag: v2.6.27.49~26 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=bcb3eca5ba44eaa1f5eecec88c15070c6d89302e;p=thirdparty%2Fkernel%2Fstable-queue.git .32 patches --- diff --git a/queue-2.6.32/arm-6201-1-realview-do-not-use-outer_sync-on-arm11mpcore-boards-with-l220.patch b/queue-2.6.32/arm-6201-1-realview-do-not-use-outer_sync-on-arm11mpcore-boards-with-l220.patch new file mode 100644 index 00000000000..b28e821baab --- /dev/null +++ b/queue-2.6.32/arm-6201-1-realview-do-not-use-outer_sync-on-arm11mpcore-boards-with-l220.patch @@ -0,0 +1,54 @@ +From 2503a5ecd86c002506001eba432c524ea009fe7f Mon Sep 17 00:00:00 2001 +From: Catalin Marinas +Date: Thu, 1 Jul 2010 13:21:47 +0100 +Subject: ARM: 6201/1: RealView: Do not use outer_sync() on ARM11MPCore boards with L220 + +From: Catalin Marinas + +commit 2503a5ecd86c002506001eba432c524ea009fe7f upstream. + +RealView boards with certain revisions of the L220 cache controller (ARM11* +processors only) may have issues (hardware deadlock) with the recent changes to +the mb() barrier implementation (DSB followed by an L2 cache sync). The patch +redefines the RealView ARM11MPCore mandatory barriers without the outer_sync() +call. + +Tested-by: Linus Walleij +Signed-off-by: Catalin Marinas +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-realview/Kconfig | 2 ++ + arch/arm/mach-realview/include/mach/barriers.h | 8 ++++++++ + 2 files changed, 10 insertions(+) + +--- a/arch/arm/mach-realview/Kconfig ++++ b/arch/arm/mach-realview/Kconfig +@@ -18,6 +18,7 @@ config REALVIEW_EB_ARM11MP + bool "Support ARM11MPCore tile" + depends on MACH_REALVIEW_EB + select CPU_V6 ++ select ARCH_HAS_BARRIERS if SMP + help + Enable support for the ARM11MPCore tile on the Realview platform. + +@@ -35,6 +36,7 @@ config MACH_REALVIEW_PB11MP + select CPU_V6 + select ARM_GIC + select HAVE_PATA_PLATFORM ++ select ARCH_HAS_BARRIERS if SMP + help + Include support for the ARM(R) RealView MPCore Platform Baseboard. + PB11MPCore is a platform with an on-board ARM11MPCore and has +--- /dev/null ++++ b/arch/arm/mach-realview/include/mach/barriers.h +@@ -0,0 +1,8 @@ ++/* ++ * Barriers redefined for RealView ARM11MPCore platforms with L220 cache ++ * controller to work around hardware errata causing the outer_sync() ++ * operation to deadlock the system. ++ */ ++#define mb() dsb() ++#define rmb() dmb() ++#define wmb() mb() diff --git a/queue-2.6.32/arm-6226-1-fix-kprobe-bug-in-ldr-instruction-emulation.patch b/queue-2.6.32/arm-6226-1-fix-kprobe-bug-in-ldr-instruction-emulation.patch new file mode 100644 index 00000000000..7a3bf882712 --- /dev/null +++ b/queue-2.6.32/arm-6226-1-fix-kprobe-bug-in-ldr-instruction-emulation.patch @@ -0,0 +1,39 @@ +From 0ebe25f90cd99bb1bcf622ec8a841421d48380d6 Mon Sep 17 00:00:00 2001 +From: Nicolas Pitre +Date: Wed, 14 Jul 2010 05:21:22 +0100 +Subject: ARM: 6226/1: fix kprobe bug in ldr instruction emulation + +From: Nicolas Pitre + +commit 0ebe25f90cd99bb1bcf622ec8a841421d48380d6 upstream. + +From: Bin Yang + +Signed-off-by: Bin Yang +Signed-off-by: Nicolas Pitre +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/kprobes-decode.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/arm/kernel/kprobes-decode.c ++++ b/arch/arm/kernel/kprobes-decode.c +@@ -583,13 +583,14 @@ static void __kprobes emulate_ldr(struct + { + insn_llret_3arg_fn_t *i_fn = (insn_llret_3arg_fn_t *)&p->ainsn.insn[0]; + kprobe_opcode_t insn = p->opcode; ++ long ppc = (long)p->addr + 8; + union reg_pair fnr; + int rd = (insn >> 12) & 0xf; + int rn = (insn >> 16) & 0xf; + int rm = insn & 0xf; + long rdv; +- long rnv = regs->uregs[rn]; +- long rmv = regs->uregs[rm]; /* rm/rmv may be invalid, don't care. */ ++ long rnv = (rn == 15) ? ppc : regs->uregs[rn]; ++ long rmv = (rm == 15) ? ppc : regs->uregs[rm]; + long cpsr = regs->ARM_cpsr; + + fnr.dr = insnslot_llret_3arg_rflags(rnv, 0, rmv, cpsr, i_fn); diff --git a/queue-2.6.32/asoc-remove-duplicate-aux-definition-from-wm8776.patch b/queue-2.6.32/asoc-remove-duplicate-aux-definition-from-wm8776.patch new file mode 100644 index 00000000000..b9a3b90996c --- /dev/null +++ b/queue-2.6.32/asoc-remove-duplicate-aux-definition-from-wm8776.patch @@ -0,0 +1,27 @@ +From 3c0709396df0869786f83e4b2d2d687c70ee886d Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Sat, 17 Jul 2010 14:20:17 +0100 +Subject: ASoC: Remove duplicate AUX definition from WM8776 + +From: Mark Brown + +commit 3c0709396df0869786f83e4b2d2d687c70ee886d upstream. + +Signed-off-by: Mark Brown +Acked-by: Liam Girdwood +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm8776.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/sound/soc/codecs/wm8776.c ++++ b/sound/soc/codecs/wm8776.c +@@ -93,7 +93,6 @@ SOC_DAPM_SINGLE("Bypass Switch", WM8776_ + + static const struct snd_soc_dapm_widget wm8776_dapm_widgets[] = { + SND_SOC_DAPM_INPUT("AUX"), +-SND_SOC_DAPM_INPUT("AUX"), + + SND_SOC_DAPM_INPUT("AIN1"), + SND_SOC_DAPM_INPUT("AIN2"), diff --git a/queue-2.6.32/cmd640-fix-kernel-oops-in-test_irq-method.patch b/queue-2.6.32/cmd640-fix-kernel-oops-in-test_irq-method.patch new file mode 100644 index 00000000000..8bedfc21ad9 --- /dev/null +++ b/queue-2.6.32/cmd640-fix-kernel-oops-in-test_irq-method.patch @@ -0,0 +1,38 @@ +From a9ddabc52ce3757a4331d6c1e8bf4065333cc51b Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Tue, 11 May 2010 00:08:03 -0700 +Subject: cmd640: fix kernel oops in test_irq() method + +From: Sergei Shtylyov + +commit a9ddabc52ce3757a4331d6c1e8bf4065333cc51b upstream. + +When implementing the test_iqr() method, I forgot that this driver is not an +ordinary PCI driver and also needs to support VLB variant of the chip. Moreover, +'hwif->dev' should be NULL, potentially causing oops in pci_read_config_byte(). + +Signed-off-by: Sergei Shtylyov +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/cmd640.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/ide/cmd640.c ++++ b/drivers/ide/cmd640.c +@@ -632,12 +632,10 @@ static void cmd640_init_dev(ide_drive_t + + static int cmd640_test_irq(ide_hwif_t *hwif) + { +- struct pci_dev *dev = to_pci_dev(hwif->dev); + int irq_reg = hwif->channel ? ARTTIM23 : CFR; +- u8 irq_stat, irq_mask = hwif->channel ? ARTTIM23_IDE23INTR : ++ u8 irq_mask = hwif->channel ? ARTTIM23_IDE23INTR : + CFR_IDE01INTR; +- +- pci_read_config_byte(dev, irq_reg, &irq_stat); ++ u8 irq_stat = get_cmd640_reg(irq_reg); + + return (irq_stat & irq_mask) ? 1 : 0; + } diff --git a/queue-2.6.32/ethtool-fix-potential-kernel-buffer-overflow-in-ethtool_grxclsrlall.patch b/queue-2.6.32/ethtool-fix-potential-kernel-buffer-overflow-in-ethtool_grxclsrlall.patch new file mode 100644 index 00000000000..1df81479d5b --- /dev/null +++ b/queue-2.6.32/ethtool-fix-potential-kernel-buffer-overflow-in-ethtool_grxclsrlall.patch @@ -0,0 +1,36 @@ +From db048b69037e7fa6a7d9e95a1271a50dc08ae233 Mon Sep 17 00:00:00 2001 +From: Ben Hutchings +Date: Mon, 28 Jun 2010 08:44:07 +0000 +Subject: ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL + +From: Ben Hutchings + +commit db048b69037e7fa6a7d9e95a1271a50dc08ae233 upstream. + +On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer +overflow and the buffer may be smaller than needed. Since +ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for at +least denial of service. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/ethtool.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/net/core/ethtool.c ++++ b/net/core/ethtool.c +@@ -244,8 +244,9 @@ static int ethtool_get_rxnfc(struct net_ + + if (info.cmd == ETHTOOL_GRXCLSRLALL) { + if (info.rule_cnt > 0) { +- rule_buf = kmalloc(info.rule_cnt * sizeof(u32), +- GFP_USER); ++ if (info.rule_cnt <= KMALLOC_MAX_SIZE / sizeof(u32)) ++ rule_buf = kmalloc(info.rule_cnt * sizeof(u32), ++ GFP_USER); + if (!rule_buf) + return -ENOMEM; + } diff --git a/queue-2.6.32/ide-fix-ide-taskfile-with-cfq-scheduler.patch b/queue-2.6.32/ide-fix-ide-taskfile-with-cfq-scheduler.patch new file mode 100644 index 00000000000..b2a8806abce --- /dev/null +++ b/queue-2.6.32/ide-fix-ide-taskfile-with-cfq-scheduler.patch @@ -0,0 +1,47 @@ +From 720fc22a7af79d91ec460c80efa92c65c12d105e Mon Sep 17 00:00:00 2001 +From: Mikulas Patocka +Date: Tue, 6 Apr 2010 16:43:33 -0700 +Subject: ide: Fix IDE taskfile with cfq scheduler + +From: Mikulas Patocka + +commit 720fc22a7af79d91ec460c80efa92c65c12d105e upstream. + +When ide taskfile access is being used (for example with hdparm --security +commands) and cfq scheduler is selected, the scheduler crashes on BUG in +cfq_put_request. + +The reason is that the cfq scheduler is tracking counts of read and write +requests separately; the ide-taskfile subsystem allocates a read request and +then flips the flag to make it a write request. The counters in cfq will +mismatch. + +This patch changes ide-taskfile to allocate the READ or WRITE request as +required and don't change the flag later. + +Signed-off-by: Mikulas Patocka +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ide/ide-taskfile.c | 6 ++---- + 1 file changed, 2 insertions(+), 4 deletions(-) + +--- a/drivers/ide/ide-taskfile.c ++++ b/drivers/ide/ide-taskfile.c +@@ -428,13 +428,11 @@ int ide_raw_taskfile(ide_drive_t *drive, + { + struct request *rq; + int error; ++ int rw = !(cmd->tf_flags & IDE_TFLAG_WRITE) ? READ : WRITE; + +- rq = blk_get_request(drive->queue, READ, __GFP_WAIT); ++ rq = blk_get_request(drive->queue, rw, __GFP_WAIT); + rq->cmd_type = REQ_TYPE_ATA_TASKFILE; + +- if (cmd->tf_flags & IDE_TFLAG_WRITE) +- rq->cmd_flags |= REQ_RW; +- + /* + * (ks) We transfer currently only whole sectors. + * This is suffient for now. But, it would be great, diff --git a/queue-2.6.32/input-i8042-add-gigabyte-spring-peak-to-dmi_noloop_table.patch b/queue-2.6.32/input-i8042-add-gigabyte-spring-peak-to-dmi_noloop_table.patch new file mode 100644 index 00000000000..1082f347a2e --- /dev/null +++ b/queue-2.6.32/input-i8042-add-gigabyte-spring-peak-to-dmi_noloop_table.patch @@ -0,0 +1,39 @@ +From 3e1bbc8d5018a05c0793c8a32b777a1396eb4414 Mon Sep 17 00:00:00 2001 +From: Kamal Mostafa +Date: Mon, 19 Jul 2010 11:00:52 -0700 +Subject: Input: i8042 - add Gigabyte Spring Peak to dmi_noloop_table + +From: Kamal Mostafa + +commit 3e1bbc8d5018a05c0793c8a32b777a1396eb4414 upstream. + +Gigabyte "Spring Peak" notebook indicates wrong chassis-type, tripping up +i8042 and breaking the touchpad. Add this model to i8042_dmi_noloop_table[] +to resolve. + +BugLink: https://bugs.launchpad.net/bugs/580664 + +Signed-off-by: Kamal Mostafa +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -166,6 +166,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Gigabyte Spring Peak - defines wrong chassis type */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "GIGABYTE"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Spring Peak"), ++ }, ++ }, ++ { + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Hewlett-Packard"), + DMI_MATCH(DMI_PRODUCT_NAME, "HP Pavilion dv9700"), diff --git a/queue-2.6.32/input-twl40300-keypad-fix-handling-of-all-ground-rows.patch b/queue-2.6.32/input-twl40300-keypad-fix-handling-of-all-ground-rows.patch new file mode 100644 index 00000000000..e14ee897ff5 --- /dev/null +++ b/queue-2.6.32/input-twl40300-keypad-fix-handling-of-all-ground-rows.patch @@ -0,0 +1,151 @@ +From 3fea60261e73dbf4a51130d40cafcc8465b0f2c3 Mon Sep 17 00:00:00 2001 +From: Dmitry Torokhov +Date: Tue, 20 Jul 2010 20:25:35 -0700 +Subject: Input: twl40300-keypad - fix handling of "all ground" rows + +From: Dmitry Torokhov + +commit 3fea60261e73dbf4a51130d40cafcc8465b0f2c3 upstream. + +The Nokia RX51 board code (arch/arm/mach-omap2/board-rx51-peripherals.c) +defines a key map for the matrix keypad keyboard. The hardware seems to +use all of the 8 rows and 8 columns of the keypad, although not all +possible locations are used. + +The TWL4030 supports keypads with at most 8 rows and 8 columns. Most keys +are defined with a row and column number between 0 and 7, except + + KEY(0xff, 2, KEY_F9), + KEY(0xff, 4, KEY_F10), + KEY(0xff, 5, KEY_F11), + +which represent keycodes that should be emitted when entire row is +connected to the ground. since the driver handles this case as if we +had an extra column in the key matrix. Unfortunately we do not allocate +enough space and end up owerwriting some random memory. + +Reported-and-tested-by: Laurent Pinchart +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/board-rx51-peripherals.c | 17 ++++++++++++++--- + drivers/input/keyboard/twl4030_keypad.c | 17 +++++++++++------ + 2 files changed, 25 insertions(+), 9 deletions(-) + +--- a/arch/arm/mach-omap2/board-rx51-peripherals.c ++++ b/arch/arm/mach-omap2/board-rx51-peripherals.c +@@ -37,6 +37,10 @@ + #define SYSTEM_REV_S_USES_VAUX3 0x8 + + static int board_keymap[] = { ++ /* ++ * Note that KEY(x, 8, KEY_XXX) entries represent "entrire row ++ * connected to the ground" matrix state. ++ */ + KEY(0, 0, KEY_Q), + KEY(0, 1, KEY_O), + KEY(0, 2, KEY_P), +@@ -44,6 +48,7 @@ static int board_keymap[] = { + KEY(0, 4, KEY_BACKSPACE), + KEY(0, 6, KEY_A), + KEY(0, 7, KEY_S), ++ + KEY(1, 0, KEY_W), + KEY(1, 1, KEY_D), + KEY(1, 2, KEY_F), +@@ -52,6 +57,7 @@ static int board_keymap[] = { + KEY(1, 5, KEY_J), + KEY(1, 6, KEY_K), + KEY(1, 7, KEY_L), ++ + KEY(2, 0, KEY_E), + KEY(2, 1, KEY_DOT), + KEY(2, 2, KEY_UP), +@@ -59,6 +65,8 @@ static int board_keymap[] = { + KEY(2, 5, KEY_Z), + KEY(2, 6, KEY_X), + KEY(2, 7, KEY_C), ++ KEY(2, 8, KEY_F9), ++ + KEY(3, 0, KEY_R), + KEY(3, 1, KEY_V), + KEY(3, 2, KEY_B), +@@ -67,20 +75,23 @@ static int board_keymap[] = { + KEY(3, 5, KEY_SPACE), + KEY(3, 6, KEY_SPACE), + KEY(3, 7, KEY_LEFT), ++ + KEY(4, 0, KEY_T), + KEY(4, 1, KEY_DOWN), + KEY(4, 2, KEY_RIGHT), + KEY(4, 4, KEY_LEFTCTRL), + KEY(4, 5, KEY_RIGHTALT), + KEY(4, 6, KEY_LEFTSHIFT), ++ KEY(4, 8, KEY_10), ++ + KEY(5, 0, KEY_Y), ++ KEY(5, 8, KEY_11), ++ + KEY(6, 0, KEY_U), ++ + KEY(7, 0, KEY_I), + KEY(7, 1, KEY_F7), + KEY(7, 2, KEY_F8), +- KEY(0xff, 2, KEY_F9), +- KEY(0xff, 4, KEY_F10), +- KEY(0xff, 5, KEY_F11), + }; + + static struct matrix_keymap_data board_map_data = { +--- a/drivers/input/keyboard/twl4030_keypad.c ++++ b/drivers/input/keyboard/twl4030_keypad.c +@@ -50,8 +50,12 @@ + */ + #define TWL4030_MAX_ROWS 8 /* TWL4030 hard limit */ + #define TWL4030_MAX_COLS 8 +-#define TWL4030_ROW_SHIFT 3 +-#define TWL4030_KEYMAP_SIZE (TWL4030_MAX_ROWS * TWL4030_MAX_COLS) ++/* ++ * Note that we add space for an extra column so that we can handle ++ * row lines connected to the gnd (see twl4030_col_xlate()). ++ */ ++#define TWL4030_ROW_SHIFT 4 ++#define TWL4030_KEYMAP_SIZE (TWL4030_MAX_ROWS << TWL4030_ROW_SHIFT) + + struct twl4030_keypad { + unsigned short keymap[TWL4030_KEYMAP_SIZE]; +@@ -181,7 +185,7 @@ static int twl4030_read_kp_matrix_state( + return ret; + } + +-static int twl4030_is_in_ghost_state(struct twl4030_keypad *kp, u16 *key_state) ++static bool twl4030_is_in_ghost_state(struct twl4030_keypad *kp, u16 *key_state) + { + int i; + u16 check = 0; +@@ -190,12 +194,12 @@ static int twl4030_is_in_ghost_state(str + u16 col = key_state[i]; + + if ((col & check) && hweight16(col) > 1) +- return 1; ++ return true; + + check |= col; + } + +- return 0; ++ return false; + } + + static void twl4030_kp_scan(struct twl4030_keypad *kp, bool release_all) +@@ -224,7 +228,8 @@ static void twl4030_kp_scan(struct twl40 + if (!changed) + continue; + +- for (col = 0; col < kp->n_cols; col++) { ++ /* Extra column handles "all gnd" rows */ ++ for (col = 0; col < kp->n_cols + 1; col++) { + int code; + + if (!(changed & (1 << col))) diff --git a/queue-2.6.32/ipoib-fix-world-writable-child-interface-control-sysfs-attributes.patch b/queue-2.6.32/ipoib-fix-world-writable-child-interface-control-sysfs-attributes.patch new file mode 100644 index 00000000000..210217c720b --- /dev/null +++ b/queue-2.6.32/ipoib-fix-world-writable-child-interface-control-sysfs-attributes.patch @@ -0,0 +1,42 @@ +From 7a52b34b07122ff5f45258d47f260f8a525518f0 Mon Sep 17 00:00:00 2001 +From: Or Gerlitz +Date: Sun, 6 Jun 2010 04:59:16 +0000 +Subject: IPoIB: Fix world-writable child interface control sysfs attributes + +From: Or Gerlitz + +commit 7a52b34b07122ff5f45258d47f260f8a525518f0 upstream. + +Sumeet Lahorani reported that the IPoIB +child entries are world-writable; however we don't want ordinary users +to be able to create and destroy child interfaces, so fix them to be +writable only by root. + +Signed-off-by: Or Gerlitz +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/ulp/ipoib/ipoib_main.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/infiniband/ulp/ipoib/ipoib_main.c ++++ b/drivers/infiniband/ulp/ipoib/ipoib_main.c +@@ -1163,7 +1163,7 @@ static ssize_t create_child(struct devic + + return ret ? ret : count; + } +-static DEVICE_ATTR(create_child, S_IWUGO, NULL, create_child); ++static DEVICE_ATTR(create_child, S_IWUSR, NULL, create_child); + + static ssize_t delete_child(struct device *dev, + struct device_attribute *attr, +@@ -1183,7 +1183,7 @@ static ssize_t delete_child(struct devic + return ret ? ret : count; + + } +-static DEVICE_ATTR(delete_child, S_IWUGO, NULL, delete_child); ++static DEVICE_ATTR(delete_child, S_IWUSR, NULL, delete_child); + + int ipoib_add_pkey_attr(struct net_device *dev) + { diff --git a/queue-2.6.32/net-core-neighbour-update-oops.patch b/queue-2.6.32/net-core-neighbour-update-oops.patch new file mode 100644 index 00000000000..46caba1f89e --- /dev/null +++ b/queue-2.6.32/net-core-neighbour-update-oops.patch @@ -0,0 +1,46 @@ +From 91a72a70594e5212c97705ca6a694bd307f7a26b Mon Sep 17 00:00:00 2001 +From: Doug Kehn +Date: Wed, 14 Jul 2010 18:02:16 -0700 +Subject: net/core: neighbour update Oops + +From: Doug Kehn + +commit 91a72a70594e5212c97705ca6a694bd307f7a26b upstream. + +When configuring DMVPN (GRE + openNHRP) and a GRE remote +address is configured a kernel Oops is observed. The +obserseved Oops is caused by a NULL header_ops pointer +(neigh->dev->header_ops) in neigh_update_hhs() when + +void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *) += neigh->dev->header_ops->cache_update; + +is executed. The dev associated with the NULL header_ops is +the GRE interface. This patch guards against the +possibility that header_ops is NULL. + +This Oops was first observed in kernel version 2.6.26.8. + +Signed-off-by: Doug Kehn +Acked-by: Eric Dumazet +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/core/neighbour.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/core/neighbour.c ++++ b/net/core/neighbour.c +@@ -945,7 +945,10 @@ static void neigh_update_hhs(struct neig + { + struct hh_cache *hh; + void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *) +- = neigh->dev->header_ops->cache_update; ++ = NULL; ++ ++ if (neigh->dev->header_ops) ++ update = neigh->dev->header_ops->cache_update; + + if (update) { + for (hh = neigh->hh; hh; hh = hh->hh_next) { diff --git a/queue-2.6.32/rtc-fix-ds1388-time-corruption.patch b/queue-2.6.32/rtc-fix-ds1388-time-corruption.patch new file mode 100644 index 00000000000..e60cd129146 --- /dev/null +++ b/queue-2.6.32/rtc-fix-ds1388-time-corruption.patch @@ -0,0 +1,48 @@ +From 96fc3a45ea073136566f3c2676cad52f8b39a7df Mon Sep 17 00:00:00 2001 +From: Joakim Tjernlund +Date: Tue, 29 Jun 2010 15:05:34 -0700 +Subject: rtc: fix ds1388 time corruption + +From: Joakim Tjernlund + +commit 96fc3a45ea073136566f3c2676cad52f8b39a7df upstream. + +The ds1307 driver misreads the ds1388 registers when checking for 12 or 24 +hour mode. Instead of checking the hour register it reads the minute +register. Therefore the driver thinks minutes >= 40 has the 12HR bit set +and resets the minute register by zeroing the high bits. This results in +minutes are reset to 0-9, jumping back in time 40 or 50 minutes. The time +jump is also written back to the RTC. + +Signed-off-by: Joakim Tjernlund +Cc: Wan ZongShun +Cc: Alessandro Zummo +Cc: Paul Gortmaker +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-ds1307.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/rtc/rtc-ds1307.c ++++ b/drivers/rtc/rtc-ds1307.c +@@ -775,7 +775,7 @@ static int __devinit ds1307_probe(struct + + read_rtc: + /* read RTC registers */ +- tmp = ds1307->read_block_data(ds1307->client, 0, 8, buf); ++ tmp = ds1307->read_block_data(ds1307->client, ds1307->offset, 8, buf); + if (tmp != 8) { + pr_debug("read error %d\n", tmp); + err = -EIO; +@@ -860,7 +860,7 @@ read_rtc: + if (ds1307->regs[DS1307_REG_HOUR] & DS1307_BIT_PM) + tmp += 12; + i2c_smbus_write_byte_data(client, +- DS1307_REG_HOUR, ++ ds1307->offset + DS1307_REG_HOUR, + bin2bcd(tmp)); + } + diff --git a/queue-2.6.32/sdhci-s3c-add-missing-remove-function.patch b/queue-2.6.32/sdhci-s3c-add-missing-remove-function.patch new file mode 100644 index 00000000000..81221ffcbf6 --- /dev/null +++ b/queue-2.6.32/sdhci-s3c-add-missing-remove-function.patch @@ -0,0 +1,52 @@ +From 9d51a6b2487724e8713cd2794cf09ffeee5f6932 Mon Sep 17 00:00:00 2001 +From: Marek Szyprowski +Date: Tue, 20 Jul 2010 13:24:33 -0700 +Subject: sdhci-s3c: add missing remove function + +From: Marek Szyprowski + +commit 9d51a6b2487724e8713cd2794cf09ffeee5f6932 upstream. + +System will crash sooner or later once the memory with the code of the +s3c-sdhci.ko module is reused for something else. I really have no idea +how the lack of remove function went unnoticed into the mainline code. + +Signed-off-by: Marek Szyprowski +Signed-off-by: Kyungmin Park +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mmc/host/sdhci-s3c.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/mmc/host/sdhci-s3c.c ++++ b/drivers/mmc/host/sdhci-s3c.c +@@ -372,6 +372,26 @@ static int __devinit sdhci_s3c_probe(str + + static int __devexit sdhci_s3c_remove(struct platform_device *pdev) + { ++ struct sdhci_host *host = platform_get_drvdata(pdev); ++ struct sdhci_s3c *sc = sdhci_priv(host); ++ int ptr; ++ ++ sdhci_remove_host(host, 1); ++ ++ for (ptr = 0; ptr < 3; ptr++) { ++ clk_disable(sc->clk_bus[ptr]); ++ clk_put(sc->clk_bus[ptr]); ++ } ++ clk_disable(sc->clk_io); ++ clk_put(sc->clk_io); ++ ++ iounmap(host->ioaddr); ++ release_resource(sc->ioarea); ++ kfree(sc->ioarea); ++ ++ sdhci_free_host(host); ++ platform_set_drvdata(pdev, NULL); ++ + return 0; + } + diff --git a/queue-2.6.32/series b/queue-2.6.32/series index 66bc0386202..0fd1feeb12f 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -49,3 +49,18 @@ sched-prevent-compiler-from-optimising-the-sched_avg_update-loop.patch sched-fix-over-scheduling-bug.patch genirq-deal-with-desc-set_type-changing-desc-chip.patch serial-cpm_uart-implement-the-cpm_uart_early_write-function-for-console-poll.patch +cmd640-fix-kernel-oops-in-test_irq-method.patch +ide-fix-ide-taskfile-with-cfq-scheduler.patch +net-core-neighbour-update-oops.patch +tcp-fix-crash-in-tcp_xmit_retransmit_queue.patch +rtc-fix-ds1388-time-corruption.patch +ethtool-fix-potential-kernel-buffer-overflow-in-ethtool_grxclsrlall.patch +sdhci-s3c-add-missing-remove-function.patch +asoc-remove-duplicate-aux-definition-from-wm8776.patch +x86-fix-x2apic-preenabled-system-with-kexec.patch +ipoib-fix-world-writable-child-interface-control-sysfs-attributes.patch +input-i8042-add-gigabyte-spring-peak-to-dmi_noloop_table.patch +input-twl40300-keypad-fix-handling-of-all-ground-rows.patch +arm-6201-1-realview-do-not-use-outer_sync-on-arm11mpcore-boards-with-l220.patch +arm-6226-1-fix-kprobe-bug-in-ldr-instruction-emulation.patch +x86-do-not-try-to-disable-hpet-if-it-hasn-t-been-initialized-before.patch diff --git a/queue-2.6.32/tcp-fix-crash-in-tcp_xmit_retransmit_queue.patch b/queue-2.6.32/tcp-fix-crash-in-tcp_xmit_retransmit_queue.patch new file mode 100644 index 00000000000..b738478e055 --- /dev/null +++ b/queue-2.6.32/tcp-fix-crash-in-tcp_xmit_retransmit_queue.patch @@ -0,0 +1,44 @@ +From 45e77d314585869dfe43c82679f7e08c9b35b898 Mon Sep 17 00:00:00 2001 +From: Ilpo Järvinen +Date: Mon, 19 Jul 2010 01:16:18 +0000 +Subject: tcp: fix crash in tcp_xmit_retransmit_queue +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Ilpo Järvinen + +commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream. + +It can happen that there are no packets in queue while calling +tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns +NULL and that gets deref'ed to get sacked into a local var. + +There is no work to do if no packets are outstanding so we just +exit early. + +This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out +guard to make joining diff nicer). + +Signed-off-by: Ilpo Järvinen +Reported-by: Lennart Schulte +Tested-by: Lennart Schulte +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/ipv4/tcp_output.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/ipv4/tcp_output.c ++++ b/net/ipv4/tcp_output.c +@@ -2037,6 +2037,9 @@ void tcp_xmit_retransmit_queue(struct so + int mib_idx; + int fwd_rexmitting = 0; + ++ if (!tp->packets_out) ++ return; ++ + if (!tp->lost_out) + tp->retransmit_high = tp->snd_una; + diff --git a/queue-2.6.32/x86-do-not-try-to-disable-hpet-if-it-hasn-t-been-initialized-before.patch b/queue-2.6.32/x86-do-not-try-to-disable-hpet-if-it-hasn-t-been-initialized-before.patch new file mode 100644 index 00000000000..91aecd61e19 --- /dev/null +++ b/queue-2.6.32/x86-do-not-try-to-disable-hpet-if-it-hasn-t-been-initialized-before.patch @@ -0,0 +1,37 @@ +From ff4878089e1eaeac79d57878ad4ea32910fb4037 Mon Sep 17 00:00:00 2001 +From: Stefano Stabellini +Date: Wed, 21 Jul 2010 18:32:37 +0100 +Subject: x86: Do not try to disable hpet if it hasn't been initialized before + +From: Stefano Stabellini + +commit ff4878089e1eaeac79d57878ad4ea32910fb4037 upstream. + +hpet_disable is called unconditionally on machine reboot if hpet support +is compiled in the kernel. +hpet_disable only checks if the machine is hpet capable but doesn't make +sure that hpet has been initialized. + +[ tglx: Made it a one liner and removed the redundant hpet_address check ] + +Signed-off-by: Stefano Stabellini +Acked-by: Venkatesh Pallipadi +LKML-Reference: +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/hpet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -949,7 +949,7 @@ fs_initcall(hpet_late_init); + + void hpet_disable(void) + { +- if (is_hpet_capable()) { ++ if (is_hpet_capable() && hpet_virt_address) { + unsigned long cfg = hpet_readl(HPET_CFG); + + if (hpet_legacy_int_enabled) { diff --git a/queue-2.6.32/x86-fix-x2apic-preenabled-system-with-kexec.patch b/queue-2.6.32/x86-fix-x2apic-preenabled-system-with-kexec.patch new file mode 100644 index 00000000000..c2b2fae9b5f --- /dev/null +++ b/queue-2.6.32/x86-fix-x2apic-preenabled-system-with-kexec.patch @@ -0,0 +1,53 @@ +From fd19dce7ac07973f700b0f13fb7f94b951414a4c Mon Sep 17 00:00:00 2001 +From: Yinghai Lu +Date: Thu, 15 Jul 2010 00:00:59 -0700 +Subject: x86: Fix x2apic preenabled system with kexec + +From: Yinghai Lu + +commit fd19dce7ac07973f700b0f13fb7f94b951414a4c upstream. + +Found one x2apic system kexec loop test failed +when CONFIG_NMI_WATCHDOG=y (old) or CONFIG_LOCKUP_DETECTOR=y (current tip) + +first kernel can kexec second kernel, but second kernel can not kexec third one. + +it can be duplicated on another system with BIOS preenabled x2apic. +First kernel can not kexec second kernel. + +It turns out, when kernel boot with pre-enabled x2apic, it will not execute +disable_local_APIC on shutdown path. + +when init_apic_mappings() is called in setup_arch, it will skip setting of +apic_phys when x2apic_mode is set. ( x2apic_mode is much early check_x2apic()) +Then later, disable_local_APIC() will bail out early because !apic_phys. + +So check !x2apic_mode in x2apic_mode in disable_local_APIC with !apic_phys. + +another solution could be updating init_apic_mappings() to set apic_phys even +for preenabled x2apic system. Actually even for x2apic system, that lapic +address is mapped already in early stage. + +BTW: is there any x2apic preenabled system with apicid of boot cpu > 255? + +Signed-off-by: Yinghai Lu +LKML-Reference: <4C3EB22B.3000701@kernel.org> +Acked-by: Suresh Siddha +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/apic/apic.c ++++ b/arch/x86/kernel/apic/apic.c +@@ -941,7 +941,7 @@ void disable_local_APIC(void) + unsigned int value; + + /* APIC hasn't been mapped yet */ +- if (!apic_phys) ++ if (!x2apic_mode && !apic_phys) + return; + + clear_local_APIC();