From: Greg Kroah-Hartman Date: Sat, 13 Feb 2010 00:40:32 +0000 (-0800) Subject: more .31 fun X-Git-Tag: v2.6.32.9~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c0656ab77f6aa98fc6b3a10e21bfc481fe433f30;p=thirdparty%2Fkernel%2Fstable-queue.git more .31 fun --- diff --git a/queue-2.6.31/alsa-usb-audio-avoid-oops-after-disconnect.patch b/queue-2.6.31/alsa-usb-audio-avoid-oops-after-disconnect.patch new file mode 100644 index 00000000000..28557ecc964 --- /dev/null +++ b/queue-2.6.31/alsa-usb-audio-avoid-oops-after-disconnect.patch @@ -0,0 +1,34 @@ +From 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 28 Dec 2009 12:24:22 +0100 +Subject: ALSA: usb-audio - Avoid Oops after disconnect + +From: Takashi Iwai + +commit 78b8d5d2ee280c463908fd75f3bdf246bcb6ac8d upstream. + +As the release of substreams may be done asynchronously from the +disconnection, close callback needs to check the shutdown flag before +actually accessing the usb interface. + +Reference: Novell bnc#505027 + http://bugzilla.novell.com/show_bug.cgi?id=565027 + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/usbaudio.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/usb/usbaudio.c ++++ b/sound/usb/usbaudio.c +@@ -1934,7 +1934,7 @@ static int snd_usb_pcm_close(struct snd_ + struct snd_usb_stream *as = snd_pcm_substream_chip(substream); + struct snd_usb_substream *subs = &as->substream[direction]; + +- if (subs->interface >= 0) { ++ if (!as->chip->shutdown && subs->interface >= 0) { + usb_set_interface(subs->dev, subs->interface, 0); + subs->interface = -1; + } diff --git a/queue-2.6.31/ath5k-fix-eeprom-checksum-check-for-custom-sized-eeproms.patch b/queue-2.6.31/ath5k-fix-eeprom-checksum-check-for-custom-sized-eeproms.patch new file mode 100644 index 00000000000..e6a59c25986 --- /dev/null +++ b/queue-2.6.31/ath5k-fix-eeprom-checksum-check-for-custom-sized-eeproms.patch @@ -0,0 +1,104 @@ +From 359207c687cc8f4f9845c8dadd0d6dabad44e584 Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Mon, 4 Jan 2010 10:40:39 -0500 +Subject: ath5k: Fix eeprom checksum check for custom sized eeproms + +From: Luis R. Rodriguez + +commit 359207c687cc8f4f9845c8dadd0d6dabad44e584 upstream. + +Commit 8bf3d79bc401ca417ccf9fc076d3295d1a71dbf5 enabled EEPROM +checksum checks to avoid bogus bug reports but failed to address +updating the code to consider devices with custom EEPROM sizes. +Devices with custom sized EEPROMs have the upper limit size stuffed +in the EEPROM. Use this as the upper limit instead of the static +default size. In case of a checksum error also provide back the +max size and whether or not this was the default size or a custom +one. If the EEPROM is busted we add a failsafe check to ensure +we don't loop forever or try to read bogus areas of hardware. + +This closes bug 14874 + +http://bugzilla.kernel.org/show_bug.cgi?id=14874 + +Cc: stable@kernel.org +Cc: David Quan +Cc: Stephen Beahm +Reported-by: Joshua Covington +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville + +--- + drivers/net/wireless/ath/ath5k/eeprom.c | 32 +++++++++++++++++++++++++++++--- + drivers/net/wireless/ath/ath5k/eeprom.h | 8 ++++++++ + 2 files changed, 37 insertions(+), 3 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -97,7 +97,7 @@ ath5k_eeprom_init_header(struct ath5k_hw + struct ath5k_eeprom_info *ee = &ah->ah_capabilities.cap_eeprom; + int ret; + u16 val; +- u32 cksum, offset; ++ u32 cksum, offset, eep_max = AR5K_EEPROM_INFO_MAX; + + /* + * Read values from EEPROM and store them in the capability structure +@@ -116,12 +116,38 @@ ath5k_eeprom_init_header(struct ath5k_hw + * Validate the checksum of the EEPROM date. There are some + * devices with invalid EEPROMs. + */ +- for (cksum = 0, offset = 0; offset < AR5K_EEPROM_INFO_MAX; offset++) { ++ AR5K_EEPROM_READ(AR5K_EEPROM_SIZE_UPPER, val); ++ if (val) { ++ eep_max = (val & AR5K_EEPROM_SIZE_UPPER_MASK) << ++ AR5K_EEPROM_SIZE_ENDLOC_SHIFT; ++ AR5K_EEPROM_READ(AR5K_EEPROM_SIZE_LOWER, val); ++ eep_max = (eep_max | val) - AR5K_EEPROM_INFO_BASE; ++ ++ /* ++ * Fail safe check to prevent stupid loops due ++ * to busted EEPROMs. XXX: This value is likely too ++ * big still, waiting on a better value. ++ */ ++ if (eep_max > (3 * AR5K_EEPROM_INFO_MAX)) { ++ ATH5K_ERR(ah->ah_sc, "Invalid max custom EEPROM size: " ++ "%d (0x%04x) max expected: %d (0x%04x)\n", ++ eep_max, eep_max, ++ 3 * AR5K_EEPROM_INFO_MAX, ++ 3 * AR5K_EEPROM_INFO_MAX); ++ return -EIO; ++ } ++ } ++ ++ for (cksum = 0, offset = 0; offset < eep_max; offset++) { + AR5K_EEPROM_READ(AR5K_EEPROM_INFO(offset), val); + cksum ^= val; + } + if (cksum != AR5K_EEPROM_INFO_CKSUM) { +- ATH5K_ERR(ah->ah_sc, "Invalid EEPROM checksum 0x%04x\n", cksum); ++ ATH5K_ERR(ah->ah_sc, "Invalid EEPROM " ++ "checksum: 0x%04x eep_max: 0x%04x (%s)\n", ++ cksum, eep_max, ++ eep_max == AR5K_EEPROM_INFO_MAX ? ++ "default size" : "custom size"); + return -EIO; + } + +--- a/drivers/net/wireless/ath/ath5k/eeprom.h ++++ b/drivers/net/wireless/ath/ath5k/eeprom.h +@@ -34,6 +34,14 @@ + #define AR5K_EEPROM_RFKILL_POLARITY_S 1 + + #define AR5K_EEPROM_REG_DOMAIN 0x00bf /* EEPROM regdom */ ++ ++/* FLASH(EEPROM) Defines for AR531X chips */ ++#define AR5K_EEPROM_SIZE_LOWER 0x1b /* size info -- lower */ ++#define AR5K_EEPROM_SIZE_UPPER 0x1c /* size info -- upper */ ++#define AR5K_EEPROM_SIZE_UPPER_MASK 0xfff0 ++#define AR5K_EEPROM_SIZE_UPPER_SHIFT 4 ++#define AR5K_EEPROM_SIZE_ENDLOC_SHIFT 12 ++ + #define AR5K_EEPROM_CHECKSUM 0x00c0 /* EEPROM checksum */ + #define AR5K_EEPROM_INFO_BASE 0x00c0 /* EEPROM header */ + #define AR5K_EEPROM_INFO_MAX (0x400 - AR5K_EEPROM_INFO_BASE) diff --git a/queue-2.6.31/clockevent-don-t-remove-broadcast-device-when-cpu-is-dead.patch b/queue-2.6.31/clockevent-don-t-remove-broadcast-device-when-cpu-is-dead.patch new file mode 100644 index 00000000000..227de864063 --- /dev/null +++ b/queue-2.6.31/clockevent-don-t-remove-broadcast-device-when-cpu-is-dead.patch @@ -0,0 +1,55 @@ +From ea9d8e3f45404d411c00ae67b45cc35c58265bb7 Mon Sep 17 00:00:00 2001 +From: Xiaotian Feng +Date: Thu, 7 Jan 2010 11:22:44 +0800 +Subject: clockevent: Don't remove broadcast device when cpu is dead + +From: Xiaotian Feng + +commit ea9d8e3f45404d411c00ae67b45cc35c58265bb7 upstream. + +Marc reported that the BUG_ON in clockevents_notify() triggers on his +system. This happens because the kernel tries to remove an active +clock event device (used for broadcasting) from the device list. + +The handling of devices which can be used as per cpu device and as a +global broadcast device is suboptimal. + +The simplest solution for now (and for stable) is to check whether the +device is used as global broadcast device, but this needs to be +revisited. + +[ tglx: restored the cpuweight check and massaged the changelog ] + +Reported-by: Marc Dionne +Tested-by: Marc Dionne +Signed-off-by: Xiaotian Feng +LKML-Reference: <1262834564-13033-1-git-send-email-dfeng@redhat.com> +Signed-off-by: Thomas Gleixner +Acked-by: Jeff Mahoney +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clockevents.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/time/clockevents.c ++++ b/kernel/time/clockevents.c +@@ -20,6 +20,8 @@ + #include + #include + ++#include "tick-internal.h" ++ + /* The registered clock event devices */ + static LIST_HEAD(clockevent_devices); + static LIST_HEAD(clockevents_released); +@@ -258,7 +260,8 @@ void clockevents_notify(unsigned long re + cpu = *((int *)arg); + list_for_each_entry_safe(dev, tmp, &clockevent_devices, list) { + if (cpumask_test_cpu(cpu, dev->cpumask) && +- cpumask_weight(dev->cpumask) == 1) { ++ cpumask_weight(dev->cpumask) == 1 && ++ !tick_is_broadcast_device(dev)) { + BUG_ON(dev->mode != CLOCK_EVT_MODE_UNUSED); + list_del(&dev->list); + } diff --git a/queue-2.6.31/connector-delete-buggy-notification-code.patch b/queue-2.6.31/connector-delete-buggy-notification-code.patch new file mode 100644 index 00000000000..55b07939b7c --- /dev/null +++ b/queue-2.6.31/connector-delete-buggy-notification-code.patch @@ -0,0 +1,326 @@ +From f98bfbd78c37c5946cc53089da32a5f741efdeb7 Mon Sep 17 00:00:00 2001 +From: Evgeniy Polyakov +Date: Tue, 2 Feb 2010 15:58:48 -0800 +Subject: connector: Delete buggy notification code. + +From: Evgeniy Polyakov + +commit f98bfbd78c37c5946cc53089da32a5f741efdeb7 upstream. + +On Tue, Feb 02, 2010 at 02:57:14PM -0800, Greg KH (gregkh@suse.de) wrote: +> > There are at least two ways to fix it: using a big cannon and a small +> > one. The former way is to disable notification registration, since it is +> > not used by anyone at all. Second way is to check whether calling +> > process is root and its destination group is -1 (kind of priveledged +> > one) before command is dispatched to workqueue. +> +> Well if no one is using it, removing it makes the most sense, right? +> +> No objection from me, care to make up a patch either way for this? + +Getting it is not used, let's drop support for notifications about +(un)registered events from connector. +Another option was to check credentials on receiving, but we can always +restore it without bugs if needed, but genetlink has a wider code base +and none complained, that userspace can not get notification when some +other clients were (un)registered. + +Kudos for Sebastian Krahmer , who found a bug in the +code. + +Signed-off-by: Evgeniy Polyakov +Acked-by: Greg Kroah-Hartman +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/connector/connector.c | 175 ------------------------------------------ + include/linux/connector.h | 32 ------- + 2 files changed, 207 deletions(-) + +--- a/drivers/connector/connector.c ++++ b/drivers/connector/connector.c +@@ -36,17 +36,6 @@ MODULE_LICENSE("GPL"); + MODULE_AUTHOR("Evgeniy Polyakov "); + MODULE_DESCRIPTION("Generic userspace <-> kernelspace connector."); + +-static u32 cn_idx = CN_IDX_CONNECTOR; +-static u32 cn_val = CN_VAL_CONNECTOR; +- +-module_param(cn_idx, uint, 0); +-module_param(cn_val, uint, 0); +-MODULE_PARM_DESC(cn_idx, "Connector's main device idx."); +-MODULE_PARM_DESC(cn_val, "Connector's main device val."); +- +-static DEFINE_MUTEX(notify_lock); +-static LIST_HEAD(notify_list); +- + static struct cn_dev cdev; + + static int cn_already_initialized; +@@ -210,54 +199,6 @@ static void cn_rx_skb(struct sk_buff *__ + } + + /* +- * Notification routing. +- * +- * Gets id and checks if there are notification request for it's idx +- * and val. If there are such requests notify the listeners with the +- * given notify event. +- * +- */ +-static void cn_notify(struct cb_id *id, u32 notify_event) +-{ +- struct cn_ctl_entry *ent; +- +- mutex_lock(¬ify_lock); +- list_for_each_entry(ent, ¬ify_list, notify_entry) { +- int i; +- struct cn_notify_req *req; +- struct cn_ctl_msg *ctl = ent->msg; +- int idx_found, val_found; +- +- idx_found = val_found = 0; +- +- req = (struct cn_notify_req *)ctl->data; +- for (i = 0; i < ctl->idx_notify_num; ++i, ++req) { +- if (id->idx >= req->first && +- id->idx < req->first + req->range) { +- idx_found = 1; +- break; +- } +- } +- +- for (i = 0; i < ctl->val_notify_num; ++i, ++req) { +- if (id->val >= req->first && +- id->val < req->first + req->range) { +- val_found = 1; +- break; +- } +- } +- +- if (idx_found && val_found) { +- struct cn_msg m = { .ack = notify_event, }; +- +- memcpy(&m.id, id, sizeof(m.id)); +- cn_netlink_send(&m, ctl->group, GFP_KERNEL); +- } +- } +- mutex_unlock(¬ify_lock); +-} +- +-/* + * Callback add routing - adds callback with given ID and name. + * If there is registered callback with the same ID it will not be added. + * +@@ -276,8 +217,6 @@ int cn_add_callback(struct cb_id *id, ch + if (err) + return err; + +- cn_notify(id, 0); +- + return 0; + } + EXPORT_SYMBOL_GPL(cn_add_callback); +@@ -295,111 +234,9 @@ void cn_del_callback(struct cb_id *id) + struct cn_dev *dev = &cdev; + + cn_queue_del_callback(dev->cbdev, id); +- cn_notify(id, 1); + } + EXPORT_SYMBOL_GPL(cn_del_callback); + +-/* +- * Checks two connector's control messages to be the same. +- * Returns 1 if they are the same or if the first one is corrupted. +- */ +-static int cn_ctl_msg_equals(struct cn_ctl_msg *m1, struct cn_ctl_msg *m2) +-{ +- int i; +- struct cn_notify_req *req1, *req2; +- +- if (m1->idx_notify_num != m2->idx_notify_num) +- return 0; +- +- if (m1->val_notify_num != m2->val_notify_num) +- return 0; +- +- if (m1->len != m2->len) +- return 0; +- +- if ((m1->idx_notify_num + m1->val_notify_num) * sizeof(*req1) != +- m1->len) +- return 1; +- +- req1 = (struct cn_notify_req *)m1->data; +- req2 = (struct cn_notify_req *)m2->data; +- +- for (i = 0; i < m1->idx_notify_num; ++i) { +- if (req1->first != req2->first || req1->range != req2->range) +- return 0; +- req1++; +- req2++; +- } +- +- for (i = 0; i < m1->val_notify_num; ++i) { +- if (req1->first != req2->first || req1->range != req2->range) +- return 0; +- req1++; +- req2++; +- } +- +- return 1; +-} +- +-/* +- * Main connector device's callback. +- * +- * Used for notification of a request's processing. +- */ +-static void cn_callback(struct cn_msg *msg, struct netlink_skb_parms *nsp) +-{ +- struct cn_ctl_msg *ctl; +- struct cn_ctl_entry *ent; +- u32 size; +- +- if (msg->len < sizeof(*ctl)) +- return; +- +- ctl = (struct cn_ctl_msg *)msg->data; +- +- size = (sizeof(*ctl) + ((ctl->idx_notify_num + +- ctl->val_notify_num) * +- sizeof(struct cn_notify_req))); +- +- if (msg->len != size) +- return; +- +- if (ctl->len + sizeof(*ctl) != msg->len) +- return; +- +- /* +- * Remove notification. +- */ +- if (ctl->group == 0) { +- struct cn_ctl_entry *n; +- +- mutex_lock(¬ify_lock); +- list_for_each_entry_safe(ent, n, ¬ify_list, notify_entry) { +- if (cn_ctl_msg_equals(ent->msg, ctl)) { +- list_del(&ent->notify_entry); +- kfree(ent); +- } +- } +- mutex_unlock(¬ify_lock); +- +- return; +- } +- +- size += sizeof(*ent); +- +- ent = kzalloc(size, GFP_KERNEL); +- if (!ent) +- return; +- +- ent->msg = (struct cn_ctl_msg *)(ent + 1); +- +- memcpy(ent->msg, ctl, size - sizeof(*ent)); +- +- mutex_lock(¬ify_lock); +- list_add(&ent->notify_entry, ¬ify_list); +- mutex_unlock(¬ify_lock); +-} +- + static int cn_proc_show(struct seq_file *m, void *v) + { + struct cn_queue_dev *dev = cdev.cbdev; +@@ -437,11 +274,8 @@ static const struct file_operations cn_f + static int __devinit cn_init(void) + { + struct cn_dev *dev = &cdev; +- int err; + + dev->input = cn_rx_skb; +- dev->id.idx = cn_idx; +- dev->id.val = cn_val; + + dev->nls = netlink_kernel_create(&init_net, NETLINK_CONNECTOR, + CN_NETLINK_USERS + 0xf, +@@ -457,14 +291,6 @@ static int __devinit cn_init(void) + + cn_already_initialized = 1; + +- err = cn_add_callback(&dev->id, "connector", &cn_callback); +- if (err) { +- cn_already_initialized = 0; +- cn_queue_free_dev(dev->cbdev); +- netlink_kernel_release(dev->nls); +- return -EINVAL; +- } +- + proc_net_fops_create(&init_net, "connector", S_IRUGO, &cn_file_ops); + + return 0; +@@ -478,7 +304,6 @@ static void __devexit cn_fini(void) + + proc_net_remove(&init_net, "connector"); + +- cn_del_callback(&dev->id); + cn_queue_free_dev(dev->cbdev); + netlink_kernel_release(dev->nls); + } +--- a/include/linux/connector.h ++++ b/include/linux/connector.h +@@ -24,9 +24,6 @@ + + #include + +-#define CN_IDX_CONNECTOR 0xffffffff +-#define CN_VAL_CONNECTOR 0xffffffff +- + /* + * Process Events connector unique ids -- used for message routing + */ +@@ -73,30 +70,6 @@ struct cn_msg { + __u8 data[0]; + }; + +-/* +- * Notify structure - requests notification about +- * registering/unregistering idx/val in range [first, first+range]. +- */ +-struct cn_notify_req { +- __u32 first; +- __u32 range; +-}; +- +-/* +- * Main notification control message +- * *_notify_num - number of appropriate cn_notify_req structures after +- * this struct. +- * group - notification receiver's idx. +- * len - total length of the attached data. +- */ +-struct cn_ctl_msg { +- __u32 idx_notify_num; +- __u32 val_notify_num; +- __u32 group; +- __u32 len; +- __u8 data[0]; +-}; +- + #ifdef __KERNEL__ + + #include +@@ -149,11 +122,6 @@ struct cn_callback_entry { + u32 seq, group; + }; + +-struct cn_ctl_entry { +- struct list_head notify_entry; +- struct cn_ctl_msg *msg; +-}; +- + struct cn_dev { + struct cb_id id; + diff --git a/queue-2.6.31/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch b/queue-2.6.31/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch new file mode 100644 index 00000000000..bb7c4cd2af1 --- /dev/null +++ b/queue-2.6.31/ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch @@ -0,0 +1,56 @@ +From e27759d7a333d1f25d628c4f7caf845c51be51c2 Mon Sep 17 00:00:00 2001 +From: Erez Zadok +Date: Thu, 3 Dec 2009 13:35:27 -0500 +Subject: ecryptfs: initialize private persistent file before dereferencing pointer +Patch-mainline: 2.6.33 + +From: Erez Zadok + +commit e27759d7a333d1f25d628c4f7caf845c51be51c2 upstream. + +Ecryptfs_open dereferences a pointer to the private lower file (the one +stored in the ecryptfs inode), without checking if the pointer is NULL. +Right afterward, it initializes that pointer if it is NULL. Swap order of +statements to first initialize. Bug discovered by Duckjin Kang. + +Signed-off-by: Duckjin Kang +Signed-off-by: Erez Zadok +Cc: Dustin Kirkland +Cc: Al Viro +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/file.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/fs/ecryptfs/file.c ++++ b/fs/ecryptfs/file.c +@@ -191,13 +191,6 @@ static int ecryptfs_open(struct inode *i + | ECRYPTFS_ENCRYPTED); + } + mutex_unlock(&crypt_stat->cs_mutex); +- if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY) +- && !(file->f_flags & O_RDONLY)) { +- rc = -EPERM; +- printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs " +- "file must hence be opened RO\n", __func__); +- goto out; +- } + if (!ecryptfs_inode_to_private(inode)->lower_file) { + rc = ecryptfs_init_persistent_file(ecryptfs_dentry); + if (rc) { +@@ -208,6 +201,13 @@ static int ecryptfs_open(struct inode *i + goto out; + } + } ++ if ((ecryptfs_inode_to_private(inode)->lower_file->f_flags & O_RDONLY) ++ && !(file->f_flags & O_RDONLY)) { ++ rc = -EPERM; ++ printk(KERN_WARNING "%s: Lower persistent file is RO; eCryptfs " ++ "file must hence be opened RO\n", __func__); ++ goto out; ++ } + ecryptfs_set_file_lower( + file, ecryptfs_inode_to_private(inode)->lower_file); + if (S_ISDIR(ecryptfs_dentry->d_inode->i_mode)) { diff --git a/queue-2.6.31/ecryptfs-use-after-free.patch b/queue-2.6.31/ecryptfs-use-after-free.patch new file mode 100644 index 00000000000..2249f1ee384 --- /dev/null +++ b/queue-2.6.31/ecryptfs-use-after-free.patch @@ -0,0 +1,48 @@ +From ece550f51ba175c14ec3ec047815927d7386ea1f Mon Sep 17 00:00:00 2001 +From: Dan Carpenter +Date: Tue, 19 Jan 2010 12:34:32 +0300 +Subject: ecryptfs: use after free +Patch-mainline: 2.6.33 + +From: Dan Carpenter + +commit ece550f51ba175c14ec3ec047815927d7386ea1f upstream. + +The "full_alg_name" variable is used on a couple error paths, so we +shouldn't free it until the end. + +Signed-off-by: Dan Carpenter +Signed-off-by: Tyler Hicks +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ecryptfs/crypto.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/ecryptfs/crypto.c ++++ b/fs/ecryptfs/crypto.c +@@ -1745,7 +1745,7 @@ ecryptfs_process_key_cipher(struct crypt + char *cipher_name, size_t *key_size) + { + char dummy_key[ECRYPTFS_MAX_KEY_BYTES]; +- char *full_alg_name; ++ char *full_alg_name = NULL; + int rc; + + *key_tfm = NULL; +@@ -1760,7 +1760,6 @@ ecryptfs_process_key_cipher(struct crypt + if (rc) + goto out; + *key_tfm = crypto_alloc_blkcipher(full_alg_name, 0, CRYPTO_ALG_ASYNC); +- kfree(full_alg_name); + if (IS_ERR(*key_tfm)) { + rc = PTR_ERR(*key_tfm); + printk(KERN_ERR "Unable to allocate crypto cipher with name " +@@ -1782,6 +1781,7 @@ ecryptfs_process_key_cipher(struct crypt + goto out; + } + out: ++ kfree(full_alg_name); + return rc; + } + diff --git a/queue-2.6.31/edac-i5000_edac-critical-fix-panic-out-of-bounds.patch b/queue-2.6.31/edac-i5000_edac-critical-fix-panic-out-of-bounds.patch new file mode 100644 index 00000000000..4f1e2aabd51 --- /dev/null +++ b/queue-2.6.31/edac-i5000_edac-critical-fix-panic-out-of-bounds.patch @@ -0,0 +1,47 @@ +From 118f3e1afd5534c15f9701f33514186cfc841a27 Mon Sep 17 00:00:00 2001 +From: Tamas Vincze +Date: Fri, 15 Jan 2010 17:01:10 -0800 +Subject: edac: i5000_edac critical fix panic out of bounds +Patch-mainline: 2.6.33 + +From: Tamas Vincze + +commit 118f3e1afd5534c15f9701f33514186cfc841a27 upstream. + +EDAC MC0: INTERNAL ERROR: channel-b out of range (4 >= 4) +Kernel panic - not syncing: EDAC MC0: Uncorrected Error (XEN) Domain 0 crashed: 'noreboot' set - not rebooting. + +This happens because FERR_NF_FBD bit 28 is not updated on i5000. Due to +that, both bits 28 and 29 may be equal to one, returning channel = 3. As +this value is invalid, EDAC core generates the panic. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14568 + +Signed-off-by: Tamas Vincze +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Doug Thompson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/edac/i5000_edac.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/edac/i5000_edac.c ++++ b/drivers/edac/i5000_edac.c +@@ -577,7 +577,13 @@ static void i5000_process_nonfatal_error + debugf0("\tUncorrected bits= 0x%x\n", ue_errors); + + branch = EXTRACT_FBDCHAN_INDX(info->ferr_nf_fbd); +- channel = branch; ++ ++ /* ++ * According with i5000 datasheet, bit 28 has no significance ++ * for errors M4Err-M12Err and M17Err-M21Err, on FERR_NF_FBD ++ */ ++ channel = branch & 2; ++ + bank = NREC_BANK(info->nrecmema); + rank = NREC_RANK(info->nrecmema); + rdwr = NREC_RDWR(info->nrecmema); diff --git a/queue-2.6.31/fix-race-in-tty_fasync-properly.patch b/queue-2.6.31/fix-race-in-tty_fasync-properly.patch index 28ca303235a..5302157ae6c 100644 --- a/queue-2.6.31/fix-race-in-tty_fasync-properly.patch +++ b/queue-2.6.31/fix-race-in-tty_fasync-properly.patch @@ -40,9 +40,14 @@ Acked-by: Américo Wang Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman +--- + drivers/char/tty_io.c | 4 +++- + fs/fcntl.c | 6 ++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + --- a/drivers/char/tty_io.c +++ b/drivers/char/tty_io.c -@@ -1951,8 +1951,10 @@ static int tty_fasync(int fd, struct file *filp, int on) +@@ -1912,8 +1912,10 @@ static int tty_fasync(int fd, struct fil pid = task_pid(current); type = PIDTYPE_PID; } @@ -54,11 +59,9 @@ Signed-off-by: Greg Kroah-Hartman if (retval) goto out; } else { -diff --git a/fs/fcntl.c b/fs/fcntl.c -index 5ef953e..97e01dc 100644 --- a/fs/fcntl.c +++ b/fs/fcntl.c -@@ -199,9 +199,7 @@ static int setfl(int fd, struct file * filp, unsigned long arg) +@@ -199,9 +199,7 @@ static int setfl(int fd, struct file * f static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, int force) { @@ -69,7 +72,7 @@ index 5ef953e..97e01dc 100644 if (force || !filp->f_owner.pid) { put_pid(filp->f_owner.pid); filp->f_owner.pid = get_pid(pid); -@@ -213,7 +211,7 @@ static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, +@@ -213,7 +211,7 @@ static void f_modown(struct file *filp, filp->f_owner.euid = cred->euid; } } diff --git a/queue-2.6.31/fnctl-f_modown-should-call-write_lock_irqsave-restore.patch b/queue-2.6.31/fnctl-f_modown-should-call-write_lock_irqsave-restore.patch new file mode 100644 index 00000000000..7d11934855e --- /dev/null +++ b/queue-2.6.31/fnctl-f_modown-should-call-write_lock_irqsave-restore.patch @@ -0,0 +1,48 @@ +From b04da8bfdfbbd79544cab2fadfdc12e87eb01600 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Tue, 26 Jan 2010 15:04:02 -0800 +Subject: fnctl: f_modown should call write_lock_irqsave/restore +Patch-mainline: 2.6.33 + +From: Greg Kroah-Hartman + +commit b04da8bfdfbbd79544cab2fadfdc12e87eb01600 upstream. + +Commit 703625118069f9f8960d356676662d3db5a9d116 exposed that f_modown() +should call write_lock_irqsave instead of just write_lock_irq so that +because a caller could have a spinlock held and it would not be good to +renable interrupts. + +Cc: Eric W. Biederman +Cc: Al Viro +Cc: Alan Cox +Cc: Tavis Ormandy +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Linus Torvalds + +--- + fs/fcntl.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/fs/fcntl.c ++++ b/fs/fcntl.c +@@ -199,7 +199,9 @@ static int setfl(int fd, struct file * f + static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, + int force) + { +- write_lock_irq(&filp->f_owner.lock); ++ unsigned long flags; ++ ++ write_lock_irqsave(&filp->f_owner.lock, flags); + if (force || !filp->f_owner.pid) { + put_pid(filp->f_owner.pid); + filp->f_owner.pid = get_pid(pid); +@@ -211,7 +213,7 @@ static void f_modown(struct file *filp, + filp->f_owner.euid = cred->euid; + } + } +- write_unlock_irq(&filp->f_owner.lock); ++ write_unlock_irqrestore(&filp->f_owner.lock, flags); + } + + int __f_setown(struct file *filp, struct pid *pid, enum pid_type type, diff --git a/queue-2.6.31/hid-add-device-ids-for-new-model-of-apple-wireless-keyboard.patch b/queue-2.6.31/hid-add-device-ids-for-new-model-of-apple-wireless-keyboard.patch new file mode 100644 index 00000000000..98795bd0d09 --- /dev/null +++ b/queue-2.6.31/hid-add-device-ids-for-new-model-of-apple-wireless-keyboard.patch @@ -0,0 +1,62 @@ +From 23aeb61e7e1f02fb0f3b8f9e798e75537ca1731d Mon Sep 17 00:00:00 2001 +From: Christian Schuerer-Waldheim +Date: Wed, 6 Jan 2010 14:49:57 +0100 +Subject: HID: add device IDs for new model of Apple Wireless Keyboard + +From: Christian Schuerer-Waldheim + +commit 23aeb61e7e1f02fb0f3b8f9e798e75537ca1731d upstream. + +Added device IDs for the new model of the Apple Wireless Keyboard +(November 2009). + +Signed-off-by: Christian Schuerer-Waldheim +Signed-off-by: Jiri Kosina +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/hid/hid-apple.c | 7 +++++++ + drivers/hid/hid-core.c | 3 +++ + drivers/hid/hid-ids.h | 3 +++ + 3 files changed, 13 insertions(+) + +--- a/drivers/hid/hid-apple.c ++++ b/drivers/hid/hid-apple.c +@@ -431,6 +431,13 @@ static const struct hid_device_id apple_ + .driver_data = APPLE_HAS_FN | APPLE_ISO_KEYBOARD }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_JIS), + .driver_data = APPLE_HAS_FN | APPLE_RDESC_JIS }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI), ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO), ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN | ++ APPLE_ISO_KEYBOARD }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS), ++ .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY), + .driver_data = APPLE_NUMLOCK_EMULATION | APPLE_HAS_FN }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY), +--- a/drivers/hid/hid-core.c ++++ b/drivers/hid/hid-core.c +@@ -1259,6 +1259,9 @@ static const struct hid_device_id hid_bl + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ANSI) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_ISO) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_WELLSPRING3_JIS) }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI) }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO) }, ++ { HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY) }, + { HID_USB_DEVICE(USB_VENDOR_ID_APPLE, USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY) }, + { HID_USB_DEVICE(USB_VENDOR_ID_BELKIN, USB_DEVICE_ID_FLIP_KVM) }, +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -88,6 +88,9 @@ + #define USB_DEVICE_ID_APPLE_WELLSPRING3_ANSI 0x0236 + #define USB_DEVICE_ID_APPLE_WELLSPRING3_ISO 0x0237 + #define USB_DEVICE_ID_APPLE_WELLSPRING3_JIS 0x0238 ++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ANSI 0x0239 ++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_ISO 0x023a ++#define USB_DEVICE_ID_APPLE_ALU_WIRELESS_2009_JIS 0x023b + #define USB_DEVICE_ID_APPLE_FOUNTAIN_TP_ONLY 0x030a + #define USB_DEVICE_ID_APPLE_GEYSER1_TP_ONLY 0x030b + #define USB_DEVICE_ID_APPLE_ATV_IRCONTROL 0x8241 diff --git a/queue-2.6.31/inotify-do-not-reuse-watch-descriptors.patch b/queue-2.6.31/inotify-do-not-reuse-watch-descriptors.patch new file mode 100644 index 00000000000..0df1e2bf436 --- /dev/null +++ b/queue-2.6.31/inotify-do-not-reuse-watch-descriptors.patch @@ -0,0 +1,85 @@ +From 9e572cc9877ee6c43af60778f6b8d5ba0692d935 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Fri, 15 Jan 2010 12:12:24 -0500 +Subject: inotify: do not reuse watch descriptors +Patch-mainline: 2.6.33 + +From: Eric Paris + +commit 9e572cc9877ee6c43af60778f6b8d5ba0692d935 upstream. + +Since commit 7e790dd5fc937bc8d2400c30a05e32a9e9eef276 ("inotify: fix +error paths in inotify_update_watch") inotify changed the manor in which +it gave watch descriptors back to userspace. Previous to this commit +inotify acted like the following: + + inotify_add_watch(X, Y, Z) = 1 + inotify_rm_watch(X, 1); + inotify_add_watch(X, Y, Z) = 2 + +but after this patch inotify would return watch descriptors like so: + + inotify_add_watch(X, Y, Z) = 1 + inotify_rm_watch(X, 1); + inotify_add_watch(X, Y, Z) = 1 + +which I saw as equivalent to opening an fd where + + open(file) = 1; + close(1); + open(file) = 1; + +seemed perfectly reasonable. The issue is that quite a bit of userspace +apparently relies on the behavior in which watch descriptors will not be +quickly reused. KDE relies on it, I know some selinux packages rely on +it, and I have heard complaints from other random sources such as debian +bug 558981. + +Although the man page implies what we do is ok, we broke userspace so +this patch almost reverts us to the old behavior. It is still slightly +racey and I have patches that would fix that, but they are rather large +and this will fix it for all real world cases. The race is as follows: + + - task1 creates a watch and blocks in idr_new_watch() before it updates + the hint. + - task2 creates a watch and updates the hint. + - task1 updates the hint with it's older wd + - task removes the watch created by task2 + - task adds a new watch and will reuse the wd originally given to task2 + +it requires moving some locking around the hint (last_wd) but this should +solve it for the real world and be -stable safe. + +As a side effect this patch papers over a bug in the lib/idr code which +is causing a large number WARN's to pop on people's system and many +reports in kerneloops.org. I'm working on the root cause of that idr +bug seperately but this should make inotify immune to that issue. + +Signed-off-by: Eric Paris +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inotify/inotify_user.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/notify/inotify/inotify_user.c ++++ b/fs/notify/inotify/inotify_user.c +@@ -558,7 +558,7 @@ retry: + + spin_lock(&group->inotify_data.idr_lock); + ret = idr_get_new_above(&group->inotify_data.idr, &tmp_ientry->fsn_entry, +- group->inotify_data.last_wd, ++ group->inotify_data.last_wd+1, + &tmp_ientry->wd); + spin_unlock(&group->inotify_data.idr_lock); + if (ret) { +@@ -638,7 +638,7 @@ static struct fsnotify_group *inotify_ne + + spin_lock_init(&group->inotify_data.idr_lock); + idr_init(&group->inotify_data.idr); +- group->inotify_data.last_wd = 1; ++ group->inotify_data.last_wd = 0; + group->inotify_data.user = user; + group->inotify_data.fa = NULL; + diff --git a/queue-2.6.31/inotify-only-warn-once-for-inotify-problems.patch b/queue-2.6.31/inotify-only-warn-once-for-inotify-problems.patch new file mode 100644 index 00000000000..0aed457dc7c --- /dev/null +++ b/queue-2.6.31/inotify-only-warn-once-for-inotify-problems.patch @@ -0,0 +1,34 @@ +From 976ae32be45a736acd49215a7e4771ff91f161c3 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Fri, 15 Jan 2010 12:12:25 -0500 +Subject: inotify: only warn once for inotify problems +Patch-mainline: 2.6.33 + +From: Eric Paris + +commit 976ae32be45a736acd49215a7e4771ff91f161c3 upstream. + +inotify will WARN() if it finds that the idr and the fsnotify internals +somehow got out of sync. It was only supposed to do this once but due +to this stupid bug it would warn every single time a problem was +detected. + +Signed-off-by: Eric Paris +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inotify/inotify_fsnotify.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/notify/inotify/inotify_fsnotify.c ++++ b/fs/notify/inotify/inotify_fsnotify.c +@@ -121,7 +121,7 @@ static int idr_callback(int id, void *p, + if (warned) + return 0; + +- warned = false; ++ warned = true; + entry = p; + ientry = container_of(entry, struct inotify_inode_mark_entry, fsn_entry); + diff --git a/queue-2.6.31/input-alps-add-interleaved-protocol-support-dell-e6x00-series.patch b/queue-2.6.31/input-alps-add-interleaved-protocol-support-dell-e6x00-series.patch new file mode 100644 index 00000000000..f0fe05b698f --- /dev/null +++ b/queue-2.6.31/input-alps-add-interleaved-protocol-support-dell-e6x00-series.patch @@ -0,0 +1,396 @@ +From adi@hexapodia.org Mon Jan 25 11:19:41 2010 +From: Sebastian Kapfer +Date: Fri, 15 Jan 2010 10:11:22 -0800 +Subject: Input: ALPS - add interleaved protocol support (Dell E6x00 series) +To: stable@kernel.org +Cc: Dmitry Torokhov , kernel-team@lists.ubuntu.com, Sebastian Kapfer , 296610@bugs.launchpad.net +Message-ID: <20100115181122.GA11414@hexapodia.org> +Content-Disposition: inline + +From: Sebastian Kapfer + +commit 1d9f26262aef6d63ff65eba0fd5f1583f342b69b upstream + +Properly handle version of the protocol where standard PS/2 packets +from trackpoint are stuffed into middle (byte 3-6) of the standard +ALPS packets when both the touchpad and trackpoint are used together. + +The patch is based on work done by Matthew Chapman and additional +research done by David Kubicek and Erik Osterholm: + + https://bugs.launchpad.net/ubuntu/+source/linux/+bug/296610 + +Many thanks to David Kubicek for his efforts in researching fine points +of this new version of the protocol, especially interaction between pad +and stick in these models. + +Cc: Andy Isaacson +Signed-off-by: Sebastian Kapfer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 252 ++++++++++++++++++++++++++++++++++++++++----- + drivers/input/mouse/alps.h | 1 + 2 files changed, 228 insertions(+), 25 deletions(-) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -5,6 +5,7 @@ + * Copyright (c) 2003-2005 Peter Osterlund + * Copyright (c) 2004 Dmitry Torokhov + * Copyright (c) 2005 Vojtech Pavlik ++ * Copyright (c) 2009 Sebastian Kapfer + * + * ALPS detection, tap switching and status querying info is taken from + * tpconfig utility (by C. Scott Ananian and Bruce Kall). +@@ -35,6 +36,8 @@ + #define ALPS_OLDPROTO 0x10 + #define ALPS_PASS 0x20 + #define ALPS_FW_BK_2 0x40 ++#define ALPS_PS2_INTERLEAVED 0x80 /* 3-byte PS/2 packet interleaved with ++ 6-byte ALPS packet */ + + static const struct alps_model_info alps_model_data[] = { + { { 0x32, 0x02, 0x14 }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT }, /* Toshiba Salellite Pro M10 */ +@@ -55,7 +58,9 @@ static const struct alps_model_info alps + { { 0x20, 0x02, 0x0e }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT }, /* XXX */ + { { 0x22, 0x02, 0x0a }, 0xf8, 0xf8, ALPS_PASS | ALPS_DUALPOINT }, + { { 0x22, 0x02, 0x14 }, 0xff, 0xff, ALPS_PASS | ALPS_DUALPOINT }, /* Dell Latitude D600 */ +- { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf, ALPS_PASS | ALPS_DUALPOINT }, /* Dell Latitude E6500 */ ++ /* Dell Latitude E5500, E6400, E6500, Precision M4400 */ ++ { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf, ++ ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, + { { 0x73, 0x02, 0x50 }, 0xcf, 0xcf, ALPS_FW_BK_1 }, /* Dell Vostro 1400 */ + }; + +@@ -66,20 +71,88 @@ static const struct alps_model_info alps + */ + + /* +- * ALPS abolute Mode - new format ++ * PS/2 packet format ++ * ++ * byte 0: 0 0 YSGN XSGN 1 M R L ++ * byte 1: X7 X6 X5 X4 X3 X2 X1 X0 ++ * byte 2: Y7 Y6 Y5 Y4 Y3 Y2 Y1 Y0 ++ * ++ * Note that the device never signals overflow condition. ++ * ++ * ALPS absolute Mode - new format + * + * byte 0: 1 ? ? ? 1 ? ? ? + * byte 1: 0 x6 x5 x4 x3 x2 x1 x0 +- * byte 2: 0 x10 x9 x8 x7 ? fin ges ++ * byte 2: 0 x10 x9 x8 x7 ? fin ges + * byte 3: 0 y9 y8 y7 1 M R L + * byte 4: 0 y6 y5 y4 y3 y2 y1 y0 + * byte 5: 0 z6 z5 z4 z3 z2 z1 z0 + * ++ * Dualpoint device -- interleaved packet format ++ * ++ * byte 0: 1 1 0 0 1 1 1 1 ++ * byte 1: 0 x6 x5 x4 x3 x2 x1 x0 ++ * byte 2: 0 x10 x9 x8 x7 0 fin ges ++ * byte 3: 0 0 YSGN XSGN 1 1 1 1 ++ * byte 4: X7 X6 X5 X4 X3 X2 X1 X0 ++ * byte 5: Y7 Y6 Y5 Y4 Y3 Y2 Y1 Y0 ++ * byte 6: 0 y9 y8 y7 1 m r l ++ * byte 7: 0 y6 y5 y4 y3 y2 y1 y0 ++ * byte 8: 0 z6 z5 z4 z3 z2 z1 z0 ++ * ++ * CAPITALS = stick, miniscules = touchpad ++ * + * ?'s can have different meanings on different models, + * such as wheel rotation, extra buttons, stick buttons + * on a dualpoint, etc. + */ + ++static bool alps_is_valid_first_byte(const struct alps_model_info *model, ++ unsigned char data) ++{ ++ return (data & model->mask0) == model->byte0; ++} ++ ++static void alps_report_buttons(struct psmouse *psmouse, ++ struct input_dev *dev1, struct input_dev *dev2, ++ int left, int right, int middle) ++{ ++ struct alps_data *priv = psmouse->private; ++ const struct alps_model_info *model = priv->i; ++ ++ if (model->flags & ALPS_PS2_INTERLEAVED) { ++ struct input_dev *dev; ++ ++ /* ++ * If shared button has already been reported on the ++ * other device (dev2) then this event should be also ++ * sent through that device. ++ */ ++ dev = test_bit(BTN_LEFT, dev2->key) ? dev2 : dev1; ++ input_report_key(dev, BTN_LEFT, left); ++ ++ dev = test_bit(BTN_RIGHT, dev2->key) ? dev2 : dev1; ++ input_report_key(dev, BTN_RIGHT, right); ++ ++ dev = test_bit(BTN_MIDDLE, dev2->key) ? dev2 : dev1; ++ input_report_key(dev, BTN_MIDDLE, middle); ++ ++ /* ++ * Sync the _other_ device now, we'll do the first ++ * device later once we report the rest of the events. ++ */ ++ input_sync(dev2); ++ } else { ++ /* ++ * For devices with non-interleaved packets we know what ++ * device buttons belong to so we can simply report them. ++ */ ++ input_report_key(dev1, BTN_LEFT, left); ++ input_report_key(dev1, BTN_RIGHT, right); ++ input_report_key(dev1, BTN_MIDDLE, middle); ++ } ++} ++ + static void alps_process_packet(struct psmouse *psmouse) + { + struct alps_data *priv = psmouse->private; +@@ -89,18 +162,6 @@ static void alps_process_packet(struct p + int x, y, z, ges, fin, left, right, middle; + int back = 0, forward = 0; + +- if ((packet[0] & 0xc8) == 0x08) { /* 3-byte PS/2 packet */ +- input_report_key(dev2, BTN_LEFT, packet[0] & 1); +- input_report_key(dev2, BTN_RIGHT, packet[0] & 2); +- input_report_key(dev2, BTN_MIDDLE, packet[0] & 4); +- input_report_rel(dev2, REL_X, +- packet[1] ? packet[1] - ((packet[0] << 4) & 0x100) : 0); +- input_report_rel(dev2, REL_Y, +- packet[2] ? ((packet[0] << 3) & 0x100) - packet[2] : 0); +- input_sync(dev2); +- return; +- } +- + if (priv->i->flags & ALPS_OLDPROTO) { + left = packet[2] & 0x10; + right = packet[2] & 0x08; +@@ -136,18 +197,13 @@ static void alps_process_packet(struct p + input_report_rel(dev2, REL_X, (x > 383 ? (x - 768) : x)); + input_report_rel(dev2, REL_Y, -(y > 255 ? (y - 512) : y)); + +- input_report_key(dev2, BTN_LEFT, left); +- input_report_key(dev2, BTN_RIGHT, right); +- input_report_key(dev2, BTN_MIDDLE, middle); ++ alps_report_buttons(psmouse, dev2, dev, left, right, middle); + +- input_sync(dev); + input_sync(dev2); + return; + } + +- input_report_key(dev, BTN_LEFT, left); +- input_report_key(dev, BTN_RIGHT, right); +- input_report_key(dev, BTN_MIDDLE, middle); ++ alps_report_buttons(psmouse, dev, dev2, left, right, middle); + + /* Convert hardware tap to a reasonable Z value */ + if (ges && !fin) z = 40; +@@ -188,25 +244,168 @@ static void alps_process_packet(struct p + input_sync(dev); + } + ++static void alps_report_bare_ps2_packet(struct psmouse *psmouse, ++ unsigned char packet[], ++ bool report_buttons) ++{ ++ struct alps_data *priv = psmouse->private; ++ struct input_dev *dev2 = priv->dev2; ++ ++ if (report_buttons) ++ alps_report_buttons(psmouse, dev2, psmouse->dev, ++ packet[0] & 1, packet[0] & 2, packet[0] & 4); ++ ++ input_report_rel(dev2, REL_X, ++ packet[1] ? packet[1] - ((packet[0] << 4) & 0x100) : 0); ++ input_report_rel(dev2, REL_Y, ++ packet[2] ? ((packet[0] << 3) & 0x100) - packet[2] : 0); ++ ++ input_sync(dev2); ++} ++ ++static psmouse_ret_t alps_handle_interleaved_ps2(struct psmouse *psmouse) ++{ ++ struct alps_data *priv = psmouse->private; ++ ++ if (psmouse->pktcnt < 6) ++ return PSMOUSE_GOOD_DATA; ++ ++ if (psmouse->pktcnt == 6) { ++ /* ++ * Start a timer to flush the packet if it ends up last ++ * 6-byte packet in the stream. Timer needs to fire ++ * psmouse core times out itself. 20 ms should be enough ++ * to decide if we are getting more data or not. ++ */ ++ mod_timer(&priv->timer, jiffies + msecs_to_jiffies(20)); ++ return PSMOUSE_GOOD_DATA; ++ } ++ ++ del_timer(&priv->timer); ++ ++ if (psmouse->packet[6] & 0x80) { ++ ++ /* ++ * Highest bit is set - that means we either had ++ * complete ALPS packet and this is start of the ++ * next packet or we got garbage. ++ */ ++ ++ if (((psmouse->packet[3] | ++ psmouse->packet[4] | ++ psmouse->packet[5]) & 0x80) || ++ (!alps_is_valid_first_byte(priv->i, psmouse->packet[6]))) { ++ dbg("refusing packet %x %x %x %x " ++ "(suspected interleaved ps/2)\n", ++ psmouse->packet[3], psmouse->packet[4], ++ psmouse->packet[5], psmouse->packet[6]); ++ return PSMOUSE_BAD_DATA; ++ } ++ ++ alps_process_packet(psmouse); ++ ++ /* Continue with the next packet */ ++ psmouse->packet[0] = psmouse->packet[6]; ++ psmouse->pktcnt = 1; ++ ++ } else { ++ ++ /* ++ * High bit is 0 - that means that we indeed got a PS/2 ++ * packet in the middle of ALPS packet. ++ * ++ * There is also possibility that we got 6-byte ALPS ++ * packet followed by 3-byte packet from trackpoint. We ++ * can not distinguish between these 2 scenarios but ++ * becase the latter is unlikely to happen in course of ++ * normal operation (user would need to press all ++ * buttons on the pad and start moving trackpoint ++ * without touching the pad surface) we assume former. ++ * Even if we are wrong the wost thing that would happen ++ * the cursor would jump but we should not get protocol ++ * desynchronization. ++ */ ++ ++ alps_report_bare_ps2_packet(psmouse, &psmouse->packet[3], ++ false); ++ ++ /* ++ * Continue with the standard ALPS protocol handling, ++ * but make sure we won't process it as an interleaved ++ * packet again, which may happen if all buttons are ++ * pressed. To avoid this let's reset the 4th bit which ++ * is normally 1. ++ */ ++ psmouse->packet[3] = psmouse->packet[6] & 0xf7; ++ psmouse->pktcnt = 4; ++ } ++ ++ return PSMOUSE_GOOD_DATA; ++} ++ ++static void alps_flush_packet(unsigned long data) ++{ ++ struct psmouse *psmouse = (struct psmouse *)data; ++ ++ serio_pause_rx(psmouse->ps2dev.serio); ++ ++ if (psmouse->pktcnt == 6) { ++ ++ /* ++ * We did not any more data in reasonable amount of time. ++ * Validate the last 3 bytes and process as a standard ++ * ALPS packet. ++ */ ++ if ((psmouse->packet[3] | ++ psmouse->packet[4] | ++ psmouse->packet[5]) & 0x80) { ++ dbg("refusing packet %x %x %x " ++ "(suspected interleaved ps/2)\n", ++ psmouse->packet[3], psmouse->packet[4], ++ psmouse->packet[5]); ++ } else { ++ alps_process_packet(psmouse); ++ } ++ psmouse->pktcnt = 0; ++ } ++ ++ serio_continue_rx(psmouse->ps2dev.serio); ++} ++ + static psmouse_ret_t alps_process_byte(struct psmouse *psmouse) + { + struct alps_data *priv = psmouse->private; ++ const struct alps_model_info *model = priv->i; + + if ((psmouse->packet[0] & 0xc8) == 0x08) { /* PS/2 packet */ + if (psmouse->pktcnt == 3) { +- alps_process_packet(psmouse); ++ alps_report_bare_ps2_packet(psmouse, psmouse->packet, ++ true); + return PSMOUSE_FULL_PACKET; + } + return PSMOUSE_GOOD_DATA; + } + +- if ((psmouse->packet[0] & priv->i->mask0) != priv->i->byte0) ++ /* Check for PS/2 packet stuffed in the middle of ALPS packet. */ ++ ++ if ((model->flags & ALPS_PS2_INTERLEAVED) && ++ psmouse->pktcnt >= 4 && (psmouse->packet[3] & 0x0f) == 0x0f) { ++ return alps_handle_interleaved_ps2(psmouse); ++ } ++ ++ if (!alps_is_valid_first_byte(model, psmouse->packet[0])) { ++ dbg("refusing packet[0] = %x (mask0 = %x, byte0 = %x)\n", ++ psmouse->packet[0], model->mask0, model->byte0); + return PSMOUSE_BAD_DATA; ++ } + + /* Bytes 2 - 6 should have 0 in the highest bit */ + if (psmouse->pktcnt >= 2 && psmouse->pktcnt <= 6 && +- (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) ++ (psmouse->packet[psmouse->pktcnt - 1] & 0x80)) { ++ dbg("refusing packet[%i] = %x\n", ++ psmouse->pktcnt - 1, psmouse->packet[psmouse->pktcnt - 1]); + return PSMOUSE_BAD_DATA; ++ } + + if (psmouse->pktcnt == 6) { + alps_process_packet(psmouse); +@@ -441,6 +640,7 @@ static void alps_disconnect(struct psmou + struct alps_data *priv = psmouse->private; + + psmouse_reset(psmouse); ++ del_timer_sync(&priv->timer); + input_unregister_device(priv->dev2); + kfree(priv); + } +@@ -457,6 +657,8 @@ int alps_init(struct psmouse *psmouse) + goto init_fail; + + priv->dev2 = dev2; ++ setup_timer(&priv->timer, alps_flush_packet, (unsigned long)psmouse); ++ + psmouse->private = priv; + + if (alps_hw_init(psmouse, &version)) +--- a/drivers/input/mouse/alps.h ++++ b/drivers/input/mouse/alps.h +@@ -23,6 +23,7 @@ struct alps_data { + char phys[32]; /* Phys */ + const struct alps_model_info *i;/* Info */ + int prev_fin; /* Finger bit from previous packet */ ++ struct timer_list timer; + }; + + #ifdef CONFIG_MOUSE_PS2_ALPS diff --git a/queue-2.6.31/ipc-ns-fix-memory-leak-idr.patch b/queue-2.6.31/ipc-ns-fix-memory-leak-idr.patch new file mode 100644 index 00000000000..7b14bb77314 --- /dev/null +++ b/queue-2.6.31/ipc-ns-fix-memory-leak-idr.patch @@ -0,0 +1,63 @@ +From 7d6feeb287c61aafa88f06345387b1188edf4b86 Mon Sep 17 00:00:00 2001 +From: Serge E. Hallyn +Date: Tue, 15 Dec 2009 16:47:27 -0800 +Subject: ipc ns: fix memory leak (idr) +Patch-mainline: 2.6.33 + +From: Serge E. Hallyn + +commit 7d6feeb287c61aafa88f06345387b1188edf4b86 upstream. + +We have apparently had a memory leak since +7ca7e564e049d8b350ec9d958ff25eaa24226352 "ipc: store ipcs into IDRs" in +2007. The idr of which 3 exist for each ipc namespace is never freed. + +This patch simply frees them when the ipcns is freed. I don't believe any +idr_remove() are done from rcu (and could therefore be delayed until after +this idr_destroy()), so the patch should be safe. Some quick testing +showed no harm, and the memory leak fixed. + +Caught by kmemleak. + +Signed-off-by: Serge E. Hallyn +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Acked-by: Nick Piggin +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/msg.c | 1 + + ipc/sem.c | 1 + + ipc/shm.c | 1 + + 3 files changed, 3 insertions(+) + +--- a/ipc/msg.c ++++ b/ipc/msg.c +@@ -125,6 +125,7 @@ void msg_init_ns(struct ipc_namespace *n + void msg_exit_ns(struct ipc_namespace *ns) + { + free_ipcs(ns, &msg_ids(ns), freeque); ++ idr_destroy(&ns->ids[IPC_MSG_IDS].ipcs_idr); + } + #endif + +--- a/ipc/sem.c ++++ b/ipc/sem.c +@@ -129,6 +129,7 @@ void sem_init_ns(struct ipc_namespace *n + void sem_exit_ns(struct ipc_namespace *ns) + { + free_ipcs(ns, &sem_ids(ns), freeary); ++ idr_destroy(&ns->ids[IPC_SEM_IDS].ipcs_idr); + } + #endif + +--- a/ipc/shm.c ++++ b/ipc/shm.c +@@ -101,6 +101,7 @@ static void do_shm_rmid(struct ipc_names + void shm_exit_ns(struct ipc_namespace *ns) + { + free_ipcs(ns, &shm_ids(ns), do_shm_rmid); ++ idr_destroy(&ns->ids[IPC_SHM_IDS].ipcs_idr); + } + #endif + diff --git a/queue-2.6.31/kvm-x86-emulator-limit-instructions-to-15-bytes.patch b/queue-2.6.31/kvm-x86-emulator-limit-instructions-to-15-bytes.patch new file mode 100644 index 00000000000..8ff1c7f2355 --- /dev/null +++ b/queue-2.6.31/kvm-x86-emulator-limit-instructions-to-15-bytes.patch @@ -0,0 +1,51 @@ +From: Avi Kivity +Date: Tue, 24 Nov 2009 15:20:15 +0200 +Subject: KVM: x86 emulator: limit instructions to 15 bytes + +From: Avi Kivity + +commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream + +While we are never normally passed an instruction that exceeds 15 bytes, +smp games can cause us to attempt to interpret one, which will cause +large latencies in non-preempt hosts. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman +--- + arch/x86/include/asm/kvm_x86_emulate.h | 2 +- + arch/x86/kvm/x86_emulate.c | 5 ++++- + 2 files changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/kvm_x86_emulate.h ++++ b/arch/x86/include/asm/kvm_x86_emulate.h +@@ -129,7 +129,7 @@ struct decode_cache { + u8 seg_override; + unsigned int d; + unsigned long regs[NR_VCPU_REGS]; +- unsigned long eip; ++ unsigned long eip, eip_orig; + /* modrm */ + u8 modrm; + u8 modrm_mod; +--- a/arch/x86/kvm/x86_emulate.c ++++ b/arch/x86/kvm/x86_emulate.c +@@ -606,6 +606,9 @@ static int do_insn_fetch(struct x86_emul + { + int rc = 0; + ++ /* x86 instructions are limited to 15 bytes. */ ++ if (eip + size - ctxt->decode.eip_orig > 15) ++ return X86EMUL_UNHANDLEABLE; + eip += ctxt->cs_base; + while (size--) { + rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++); +@@ -864,7 +867,7 @@ x86_decode_insn(struct x86_emulate_ctxt + /* Shadow copy of register state. Committed on successful emulation. */ + + memset(c, 0, sizeof(struct decode_cache)); +- c->eip = kvm_rip_read(ctxt->vcpu); ++ c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu); + ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS); + memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs); + diff --git a/queue-2.6.31/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch b/queue-2.6.31/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch new file mode 100644 index 00000000000..5fa657b87b2 --- /dev/null +++ b/queue-2.6.31/megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch @@ -0,0 +1,37 @@ +From bb7d3f24c71e528989501617651b669fbed798cb Mon Sep 17 00:00:00 2001 +From: Bryn M. Reeves +Date: Thu, 12 Nov 2009 18:31:54 +0000 +Subject: [SCSI] megaraid_sas: remove sysfs poll_mode_io world writeable permissions +Patch-mainline: 2.6.33 +References: bnc#557180 CVE-2009-3939 + +From: Bryn M. Reeves + +commit bb7d3f24c71e528989501617651b669fbed798cb upstream. + +/sys/bus/pci/drivers/megaraid_sas/poll_mode_io defaults to being +world-writable, which seems bad (letting any user affect kernel driver +behavior). + +This turns off group and user write permissions, so that on typical +production systems only root can write to it. + +Signed-off-by: Bryn M. Reeves +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/megaraid/megaraid_sas.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/megaraid/megaraid_sas.c ++++ b/drivers/scsi/megaraid/megaraid_sas.c +@@ -3451,7 +3451,7 @@ out: + return retval; + } + +-static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUGO, ++static DRIVER_ATTR(poll_mode_io, S_IRUGO|S_IWUSR, + megasas_sysfs_show_poll_mode_io, + megasas_sysfs_set_poll_mode_io); + diff --git a/queue-2.6.31/nozomi-quick-fix-for-the-close-close-bug.patch b/queue-2.6.31/nozomi-quick-fix-for-the-close-close-bug.patch new file mode 100644 index 00000000000..78fd08ab82d --- /dev/null +++ b/queue-2.6.31/nozomi-quick-fix-for-the-close-close-bug.patch @@ -0,0 +1,47 @@ +From eeec32a731631a9bad9abb21c626b9f2840bee0d Mon Sep 17 00:00:00 2001 +From: Alan Cox +Date: Mon, 4 Jan 2010 16:26:50 +0000 +Subject: nozomi: quick fix for the close/close bug +Patch-mainline: 2.6.33 + +From: Alan Cox + +commit eeec32a731631a9bad9abb21c626b9f2840bee0d upstream. + +Nozomi goes wrong if you get the sequence + + open + open + close + + [stuff] + close + +which turns out to occur on some ppp type setups. + +This is a quick patch up for the problem. It's not really fixing Nozomi +which completely fails to implement tty open/close semantics and all the +other needed stuff. Doing it right is a rather more invasive patch set and +not one that will backport. + +Signed-off-by: Alan Cox +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/nozomi.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/nozomi.c ++++ b/drivers/char/nozomi.c +@@ -1628,10 +1628,10 @@ static void ntty_close(struct tty_struct + + dc->open_ttys--; + port->count--; +- tty_port_tty_set(port, NULL); + + if (port->count == 0) { + DBG1("close: %d", nport->token_dl); ++ tty_port_tty_set(port, NULL); + spin_lock_irqsave(&dc->spin_mutex, flags); + dc->last_ier &= ~(nport->token_dl); + writew(dc->last_ier, dc->reg_ier); diff --git a/queue-2.6.31/page-allocator-update-nr_free_pages-only-when-necessary.patch b/queue-2.6.31/page-allocator-update-nr_free_pages-only-when-necessary.patch new file mode 100644 index 00000000000..59f06e92413 --- /dev/null +++ b/queue-2.6.31/page-allocator-update-nr_free_pages-only-when-necessary.patch @@ -0,0 +1,41 @@ +From 6ccf80eb15ccaca4d3f1ab5162b9ded5eecd9971 Mon Sep 17 00:00:00 2001 +From: KOSAKI Motohiro +Date: Fri, 15 Jan 2010 17:01:18 -0800 +Subject: page allocator: update NR_FREE_PAGES only when necessary +Patch-mainline: 2.6.33 + +From: KOSAKI Motohiro + +commit 6ccf80eb15ccaca4d3f1ab5162b9ded5eecd9971 upstream. + +commit f2260e6b (page allocator: update NR_FREE_PAGES only as necessary) +made one minor regression. if __rmqueue() was failed, NR_FREE_PAGES stat +go wrong. this patch fixes it. + +Signed-off-by: KOSAKI Motohiro +Cc: Mel Gorman +Reviewed-by: Minchan Kim +Reported-by: Huang Shijie +Reviewed-by: Christoph Lameter +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/page_alloc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1167,10 +1167,10 @@ again: + } + spin_lock_irqsave(&zone->lock, flags); + page = __rmqueue(zone, order, migratetype); +- __mod_zone_page_state(zone, NR_FREE_PAGES, -(1 << order)); + spin_unlock(&zone->lock); + if (!page) + goto failed; ++ __mod_zone_page_state(zone, NR_FREE_PAGES, -(1 << order)); + } + + __count_zone_vm_events(PGALLOC, zone, 1 << order); diff --git a/queue-2.6.31/partitions-read-whole-sector-with-efi-gpt-header.patch b/queue-2.6.31/partitions-read-whole-sector-with-efi-gpt-header.patch new file mode 100644 index 00000000000..7389c760fe9 --- /dev/null +++ b/queue-2.6.31/partitions-read-whole-sector-with-efi-gpt-header.patch @@ -0,0 +1,76 @@ +From 87038c2d5bda2418fda8b1456a0ae81cc3ff5bd8 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 23 Nov 2009 09:29:58 +0100 +Subject: partitions: read whole sector with EFI GPT header + +From: Karel Zak + +commit 87038c2d5bda2418fda8b1456a0ae81cc3ff5bd8 upstream. + +The size of EFI GPT header is not static, but whole sector is +allocated for the header. The HeaderSize field must be greater +than 92 (= sizeof(struct gpt_header) and must be less than or +equal to the logical block size. + +It means we have to read whole sector with the header, because the +header crc32 checksum is calculated according to HeaderSize. + +For more details see UEFI standard (version 2.3, May 2009): + - 5.3.1 GUID Format overview, page 93 + - Table 13. GUID Partition Table Header, page 96 + +Signed-off-by: Karel Zak +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/partitions/efi.c | 7 ++++--- + fs/partitions/efi.h | 8 ++++++-- + 2 files changed, 10 insertions(+), 5 deletions(-) + +--- a/fs/partitions/efi.c ++++ b/fs/partitions/efi.c +@@ -257,15 +257,16 @@ static gpt_header * + alloc_read_gpt_header(struct block_device *bdev, u64 lba) + { + gpt_header *gpt; ++ unsigned ssz = bdev_logical_block_size(bdev); ++ + if (!bdev) + return NULL; + +- gpt = kzalloc(sizeof (gpt_header), GFP_KERNEL); ++ gpt = kzalloc(ssz, GFP_KERNEL); + if (!gpt) + return NULL; + +- if (read_lba(bdev, lba, (u8 *) gpt, +- sizeof (gpt_header)) < sizeof (gpt_header)) { ++ if (read_lba(bdev, lba, (u8 *) gpt, ssz) < ssz) { + kfree(gpt); + gpt=NULL; + return NULL; +--- a/fs/partitions/efi.h ++++ b/fs/partitions/efi.h +@@ -37,7 +37,6 @@ + #define EFI_PMBR_OSTYPE_EFI 0xEF + #define EFI_PMBR_OSTYPE_EFI_GPT 0xEE + +-#define GPT_BLOCK_SIZE 512 + #define GPT_HEADER_SIGNATURE 0x5452415020494645ULL + #define GPT_HEADER_REVISION_V1 0x00010000 + #define GPT_PRIMARY_PARTITION_TABLE_LBA 1 +@@ -79,7 +78,12 @@ typedef struct _gpt_header { + __le32 num_partition_entries; + __le32 sizeof_partition_entry; + __le32 partition_entry_array_crc32; +- u8 reserved2[GPT_BLOCK_SIZE - 92]; ++ ++ /* The rest of the logical block is reserved by UEFI and must be zero. ++ * EFI standard handles this by: ++ * ++ * uint8_t reserved2[ BlockSize - 92 ]; ++ */ + } __attribute__ ((packed)) gpt_header; + + typedef struct _gpt_entry_attributes { diff --git a/queue-2.6.31/partitions-use-sector-size-for-efi-gpt.patch b/queue-2.6.31/partitions-use-sector-size-for-efi-gpt.patch new file mode 100644 index 00000000000..a5ed6420f40 --- /dev/null +++ b/queue-2.6.31/partitions-use-sector-size-for-efi-gpt.patch @@ -0,0 +1,127 @@ +From 7d13af3279985f554784a45cc961f706dbcdbdd1 Mon Sep 17 00:00:00 2001 +From: Karel Zak +Date: Mon, 23 Nov 2009 09:29:13 +0100 +Subject: partitions: use sector size for EFI GPT + +From: Karel Zak + +commit 7d13af3279985f554784a45cc961f706dbcdbdd1 upstream. + +Currently, kernel uses strictly 512-byte sectors for EFI GPT parsing. +That's wrong. + +UEFI standard (version 2.3, May 2009, 5.3.1 GUID Format overview, page +95) defines that LBA is always based on the logical block size. It +means bdev_logical_block_size() (aka BLKSSZGET) for Linux. + +This patch removes static sector size from EFI GPT parser. + +The problem is reproducible with the latest GNU Parted: + + # modprobe scsi_debug dev_size_mb=50 sector_size=4096 + + # ./parted /dev/sdb print + Model: Linux scsi_debug (scsi) + Disk /dev/sdb: 52.4MB + Sector size (logical/physical): 4096B/4096B + Partition Table: gpt + + Number Start End Size File system Name Flags + 1 24.6kB 3002kB 2978kB primary + 2 3002kB 6001kB 2998kB primary + 3 6001kB 9003kB 3002kB primary + + # blockdev --rereadpt /dev/sdb + # dmesg | tail -1 + sdb: unknown partition table <---- !!! + +with this patch: + + # blockdev --rereadpt /dev/sdb + # dmesg | tail -1 + sdb: sdb1 sdb2 sdb3 + +Signed-off-by: Karel Zak +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + fs/partitions/efi.c | 23 +++++++++++++++-------- + 1 file changed, 15 insertions(+), 8 deletions(-) + +--- a/fs/partitions/efi.c ++++ b/fs/partitions/efi.c +@@ -1,7 +1,9 @@ + /************************************************************ + * EFI GUID Partition Table handling +- * Per Intel EFI Specification v1.02 +- * http://developer.intel.com/technology/efi/efi.htm ++ * ++ * http://www.uefi.org/specs/ ++ * http://www.intel.com/technology/efi/ ++ * + * efi.[ch] by Matt Domsch + * Copyright 2000,2001,2002,2004 Dell Inc. + * +@@ -92,6 +94,7 @@ + * + ************************************************************/ + #include ++#include + #include "check.h" + #include "efi.h" + +@@ -141,7 +144,8 @@ last_lba(struct block_device *bdev) + { + if (!bdev || !bdev->bd_inode) + return 0; +- return (bdev->bd_inode->i_size >> 9) - 1ULL; ++ return div_u64(bdev->bd_inode->i_size, ++ bdev_logical_block_size(bdev)) - 1ULL; + } + + static inline int +@@ -188,6 +192,7 @@ static size_t + read_lba(struct block_device *bdev, u64 lba, u8 * buffer, size_t count) + { + size_t totalreadcount = 0; ++ sector_t n = lba * (bdev_logical_block_size(bdev) / 512); + + if (!bdev || !buffer || lba > last_lba(bdev)) + return 0; +@@ -195,7 +200,7 @@ read_lba(struct block_device *bdev, u64 + while (count) { + int copied = 512; + Sector sect; +- unsigned char *data = read_dev_sector(bdev, lba++, §); ++ unsigned char *data = read_dev_sector(bdev, n++, §); + if (!data) + break; + if (copied > count) +@@ -602,6 +607,7 @@ efi_partition(struct parsed_partitions * + gpt_header *gpt = NULL; + gpt_entry *ptes = NULL; + u32 i; ++ unsigned ssz = bdev_logical_block_size(bdev) / 512; + + if (!find_valid_gpt(bdev, &gpt, &ptes) || !gpt || !ptes) { + kfree(gpt); +@@ -612,13 +618,14 @@ efi_partition(struct parsed_partitions * + pr_debug("GUID Partition Table is valid! Yea!\n"); + + for (i = 0; i < le32_to_cpu(gpt->num_partition_entries) && i < state->limit-1; i++) { ++ u64 start = le64_to_cpu(ptes[i].starting_lba); ++ u64 size = le64_to_cpu(ptes[i].ending_lba) - ++ le64_to_cpu(ptes[i].starting_lba) + 1ULL; ++ + if (!is_pte_valid(&ptes[i], last_lba(bdev))) + continue; + +- put_partition(state, i+1, le64_to_cpu(ptes[i].starting_lba), +- (le64_to_cpu(ptes[i].ending_lba) - +- le64_to_cpu(ptes[i].starting_lba) + +- 1ULL)); ++ put_partition(state, i+1, start * ssz, size * ssz); + + /* If this is a RAID volume, tell md */ + if (!efi_guidcmp(ptes[i].partition_type_guid, diff --git a/queue-2.6.31/reiserfs-truncate-blocks-not-used-by-a-write.patch b/queue-2.6.31/reiserfs-truncate-blocks-not-used-by-a-write.patch new file mode 100644 index 00000000000..eb80477f155 --- /dev/null +++ b/queue-2.6.31/reiserfs-truncate-blocks-not-used-by-a-write.patch @@ -0,0 +1,79 @@ +From ec8e2f7466ca370f5e09000ca40a71759afc9ac8 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Thu, 17 Dec 2009 15:27:06 -0800 +Subject: reiserfs: truncate blocks not used by a write +Patch-mainline: 2.6.33 + +From: Jan Kara + +commit ec8e2f7466ca370f5e09000ca40a71759afc9ac8 upstream. + +It can happen that write does not use all the blocks allocated in +write_begin either because of some filesystem error (like ENOSPC) or +because page with data to write has been removed from memory. We truncate +these blocks so that we don't have dangling blocks beyond i_size. + +Cc: Jeff Mahoney +Signed-off-by: Jan Kara +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/reiserfs/inode.c | 17 ++++++++++++++--- + 1 file changed, 14 insertions(+), 3 deletions(-) + +--- a/fs/reiserfs/inode.c ++++ b/fs/reiserfs/inode.c +@@ -2531,6 +2531,12 @@ static int reiserfs_writepage(struct pag + return reiserfs_write_full_page(page, wbc); + } + ++static void reiserfs_truncate_failed_write(struct inode *inode) ++{ ++ truncate_inode_pages(inode->i_mapping, inode->i_size); ++ reiserfs_truncate_file(inode, 0); ++} ++ + static int reiserfs_write_begin(struct file *file, + struct address_space *mapping, + loff_t pos, unsigned len, unsigned flags, +@@ -2597,6 +2603,8 @@ static int reiserfs_write_begin(struct f + if (ret) { + unlock_page(page); + page_cache_release(page); ++ /* Truncate allocated blocks */ ++ reiserfs_truncate_failed_write(inode); + } + return ret; + } +@@ -2689,8 +2697,7 @@ static int reiserfs_write_end(struct fil + ** transaction tracking stuff when the size changes. So, we have + ** to do the i_size updates here. + */ +- pos += copied; +- if (pos > inode->i_size) { ++ if (pos + copied > inode->i_size) { + struct reiserfs_transaction_handle myth; + reiserfs_write_lock(inode->i_sb); + /* If the file have grown beyond the border where it +@@ -2708,7 +2715,7 @@ static int reiserfs_write_end(struct fil + goto journal_error; + } + reiserfs_update_inode_transaction(inode); +- inode->i_size = pos; ++ inode->i_size = pos + copied; + /* + * this will just nest into our transaction. It's important + * to use mark_inode_dirty so the inode gets pushed around on the +@@ -2735,6 +2742,10 @@ static int reiserfs_write_end(struct fil + out: + unlock_page(page); + page_cache_release(page); ++ ++ if (pos + len > inode->i_size) ++ reiserfs_truncate_failed_write(inode); ++ + return ret == 0 ? copied : ret; + + journal_error: diff --git a/queue-2.6.31/scsi-enclosure-fix-oops-while-iterating-enclosure_status-array.patch b/queue-2.6.31/scsi-enclosure-fix-oops-while-iterating-enclosure_status-array.patch new file mode 100644 index 00000000000..8a4d7d65fff --- /dev/null +++ b/queue-2.6.31/scsi-enclosure-fix-oops-while-iterating-enclosure_status-array.patch @@ -0,0 +1,50 @@ +From cc9b2e9f6603190c009e5d2629ce8e3f99571346 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Thu, 26 Nov 2009 09:50:20 -0600 +Subject: SCSI: enclosure: fix oops while iterating enclosure_status array +Patch-mainline: 2.6.33 + +From: James Bottomley + +commit cc9b2e9f6603190c009e5d2629ce8e3f99571346 upstream. + +Based on patch originally by Jeff Mahoney + + enclosure_status is expected to be a NULL terminated array of strings + but isn't actually NULL terminated. When writing an invalid value to + /sys/class/enclosure/.../.../status, it goes off the end of the array + and Oopses. + + +Fix by making the assumption true and adding NULL at the end. + +Reported-by: Artur Wojcik +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/misc/enclosure.c | 1 + + include/linux/enclosure.h | 2 ++ + 2 files changed, 3 insertions(+) + +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -362,6 +362,7 @@ static const char *const enclosure_statu + [ENCLOSURE_STATUS_NOT_INSTALLED] = "not installed", + [ENCLOSURE_STATUS_UNKNOWN] = "unknown", + [ENCLOSURE_STATUS_UNAVAILABLE] = "unavailable", ++ [ENCLOSURE_STATUS_MAX] = NULL, + }; + + static const char *const enclosure_type [] = { +--- a/include/linux/enclosure.h ++++ b/include/linux/enclosure.h +@@ -42,6 +42,8 @@ enum enclosure_status { + ENCLOSURE_STATUS_NOT_INSTALLED, + ENCLOSURE_STATUS_UNKNOWN, + ENCLOSURE_STATUS_UNAVAILABLE, ++ /* last element for counting purposes */ ++ ENCLOSURE_STATUS_MAX + }; + + /* SFF-8485 activity light settings */ diff --git a/queue-2.6.31/serial-8250_pnp-use-wildcard-for-serial-wacom-tablets.patch b/queue-2.6.31/serial-8250_pnp-use-wildcard-for-serial-wacom-tablets.patch new file mode 100644 index 00000000000..1e8f5731c4e --- /dev/null +++ b/queue-2.6.31/serial-8250_pnp-use-wildcard-for-serial-wacom-tablets.patch @@ -0,0 +1,44 @@ +From 6d34855d9aa281f72c533ecb827405139d1b0fe9 Mon Sep 17 00:00:00 2001 +From: Matthew Garrett +Date: Wed, 9 Dec 2009 12:31:37 -0800 +Subject: serial: 8250_pnp: use wildcard for serial Wacom tablets +Patch-mainline: 2.6.33 + +From: Matthew Garrett + +commit 6d34855d9aa281f72c533ecb827405139d1b0fe9 upstream. + +Wacom claims that the WACF namespace will always be devoted to serial +Wacom tablets. Remove the existing entries and add a wildcard to avoid +having to update the kernel every time they add a new device. + +Signed-off-by: Ping Cheng +Signed-off-by: Matthew Garrett +Tested-by: Ping Cheng +Cc: Alan Cox +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/serial/8250_pnp.c | 10 +--------- + 1 file changed, 1 insertion(+), 9 deletions(-) + +--- a/drivers/serial/8250_pnp.c ++++ b/drivers/serial/8250_pnp.c +@@ -328,15 +328,7 @@ static const struct pnp_device_id pnp_de + /* U.S. Robotics 56K Voice INT PnP*/ + { "USR9190", 0 }, + /* Wacom tablets */ +- { "WACF004", 0 }, +- { "WACF005", 0 }, +- { "WACF006", 0 }, +- { "WACF007", 0 }, +- { "WACF008", 0 }, +- { "WACF009", 0 }, +- { "WACF00A", 0 }, +- { "WACF00B", 0 }, +- { "WACF00C", 0 }, ++ { "WACFXXX", 0 }, + /* Compaq touchscreen */ + { "FPI2002", 0 }, + /* Fujitsu Stylistic touchscreens */ diff --git a/queue-2.6.31/series b/queue-2.6.31/series index 05aabfca6eb..44c7fefc258 100644 --- a/queue-2.6.31/series +++ b/queue-2.6.31/series @@ -8,8 +8,41 @@ cciss-make-cciss_seq_show-handle-holes-in-the-h-drv-array.patch cpufreq-fix-use-after-free-of-struct-powernow_k8_data.patch resource-add-helpers-for-fetching-rlimits.patch fs-exec.c-restrict-initial-stack-space-expansion-to-rlimit.patch - -# needs more to be added first rtc-fm3130-add-missing-braces.patch +ath5k-fix-eeprom-checksum-check-for-custom-sized-eeproms.patch +clockevent-don-t-remove-broadcast-device-when-cpu-is-dead.patch +connector-delete-buggy-notification-code.patch +kvm-x86-emulator-limit-instructions-to-15-bytes.patch +alsa-usb-audio-avoid-oops-after-disconnect.patch +hid-add-device-ids-for-new-model-of-apple-wireless-keyboard.patch +inotify-do-not-reuse-watch-descriptors.patch +inotify-only-warn-once-for-inotify-problems.patch +edac-i5000_edac-critical-fix-panic-out-of-bounds.patch +megaraid_sas-remove-sysfs-poll_mode_io-world-writeable-permissions.patch +page-allocator-update-nr_free_pages-only-when-necessary.patch +x86-apic-use-physical-mode-for-ibm-summit-platforms.patch +reiserfs-truncate-blocks-not-used-by-a-write.patch +ecryptfs-initialize-private-persistent-file-before-dereferencing-pointer.patch +ecryptfs-use-after-free.patch +nozomi-quick-fix-for-the-close-close-bug.patch +serial-8250_pnp-use-wildcard-for-serial-wacom-tablets.patch +tty-fix-race-in-tty_fasync.patch +usb-add-missing-delay-during-remote-wakeup.patch +usb-add-speed-values-for-usb-3.0-and-wireless-controllers.patch +usb-don-t-use-gfp_kernel-while-we-cannot-reset-a-storage-device.patch +usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch +usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch +usb-fix-bitmask-merge-error.patch +usb-serial-fix-memory-leak-in-generic-driver.patch +scsi-enclosure-fix-oops-while-iterating-enclosure_status-array.patch +x86-pci-pat-return-einval-for-pci-mmap-wc-request-for-pat_enabled.patch +usb-fix-usbstorage-for-2770-915d-delivers-no-fat.patch +vmalloc-remove-bug_on-due-to-racy-counting-of-vm_lazy_free.patch +input-alps-add-interleaved-protocol-support-dell-e6x00-series.patch +partitions-read-whole-sector-with-efi-gpt-header.patch +partitions-use-sector-size-for-efi-gpt.patch +sfc-fix-dma-mapping-cleanup-in-case-of-an-error-in-tso.patch +v4l-dvb-af9015-add-new-usb-id-for-kworld-plustv-dual-dvb-t-stick-dvb-t-399u.patch +ipc-ns-fix-memory-leak-idr.patch +fnctl-f_modown-should-call-write_lock_irqsave-restore.patch fix-race-in-tty_fasync-properly.patch - diff --git a/queue-2.6.31/sfc-fix-dma-mapping-cleanup-in-case-of-an-error-in-tso.patch b/queue-2.6.31/sfc-fix-dma-mapping-cleanup-in-case-of-an-error-in-tso.patch new file mode 100644 index 00000000000..840996bb97a --- /dev/null +++ b/queue-2.6.31/sfc-fix-dma-mapping-cleanup-in-case-of-an-error-in-tso.patch @@ -0,0 +1,41 @@ +From a7ebd27a13757248863cd61e541af7fa9e7727ee Mon Sep 17 00:00:00 2001 +From: Neil Turton +Date: Wed, 23 Dec 2009 13:47:13 +0000 +Subject: sfc: Fix DMA mapping cleanup in case of an error in TSO + +From: Neil Turton + +commit a7ebd27a13757248863cd61e541af7fa9e7727ee upstream. + +We need buffer->len to remain valid to work out the correct address to +be unmapped. We therefore need to clear buffer->len after the unmap +operation. + +Signed-off-by: Ben Hutchings +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/sfc/tx.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/sfc/tx.c ++++ b/drivers/net/sfc/tx.c +@@ -823,8 +823,6 @@ static void efx_enqueue_unwind(struct ef + tx_queue->efx->type->txd_ring_mask]; + efx_tsoh_free(tx_queue, buffer); + EFX_BUG_ON_PARANOID(buffer->skb); +- buffer->len = 0; +- buffer->continuation = true; + if (buffer->unmap_len) { + unmap_addr = (buffer->dma_addr + buffer->len - + buffer->unmap_len); +@@ -838,6 +836,8 @@ static void efx_enqueue_unwind(struct ef + PCI_DMA_TODEVICE); + buffer->unmap_len = 0; + } ++ buffer->len = 0; ++ buffer->continuation = true; + } + } + diff --git a/queue-2.6.31/tty-fix-race-in-tty_fasync.patch b/queue-2.6.31/tty-fix-race-in-tty_fasync.patch new file mode 100644 index 00000000000..4e0841792de --- /dev/null +++ b/queue-2.6.31/tty-fix-race-in-tty_fasync.patch @@ -0,0 +1,42 @@ +From 703625118069f9f8960d356676662d3db5a9d116 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 17 Dec 2009 07:07:19 -0800 +Subject: tty: fix race in tty_fasync +Patch-mainline: 2.6.33 + +From: Greg Kroah-Hartman + +commit 703625118069f9f8960d356676662d3db5a9d116 upstream. + +We need to keep the lock held over the call to __f_setown() to +prevent a PID race. + +Thanks to Al Viro for pointing out the problem, and to Travis for +making us look here in the first place. + +Cc: Eric W. Biederman +Cc: Al Viro +Cc: Alan Cox +Cc: Linus Torvalds +Cc: Tavis Ormandy +Cc: Jeff Dike +Cc: Julien Tinnes +Cc: Matt Mackall +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/char/tty_io.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/char/tty_io.c ++++ b/drivers/char/tty_io.c +@@ -1912,8 +1912,8 @@ static int tty_fasync(int fd, struct fil + pid = task_pid(current); + type = PIDTYPE_PID; + } +- spin_unlock_irqrestore(&tty->ctrl_lock, flags); + retval = __f_setown(filp, pid, type, 0); ++ spin_unlock_irqrestore(&tty->ctrl_lock, flags); + if (retval) + goto out; + } else { diff --git a/queue-2.6.31/usb-add-missing-delay-during-remote-wakeup.patch b/queue-2.6.31/usb-add-missing-delay-during-remote-wakeup.patch new file mode 100644 index 00000000000..89422804efc --- /dev/null +++ b/queue-2.6.31/usb-add-missing-delay-during-remote-wakeup.patch @@ -0,0 +1,75 @@ +From 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:18:38 -0500 +Subject: USB: add missing delay during remote wakeup +Patch-mainline: 2.6.33 + +From: Alan Stern + +commit 49d0f078f494b9d81e820a13dd8093a9bfb0b6b1 upstream. + +This patch (as1330) fixes a bug in khbud's handling of remote +wakeups. When a device sends a remote-wakeup request, the parent hub +(or the host controller driver, for directly attached devices) begins +the resume sequence and notifies khubd when the sequence finishes. At +this point the port's SUSPEND feature is automatically turned off. + +However the device needs an additional 10-ms resume-recovery time +(TRSMRCY in the USB spec). Khubd does not wait for this delay if the +SUSPEND feature is off, and as a result some devices fail to behave +properly following a remote wakeup. This patch adds the missing +delay to the remote-wakeup path. + +It also extends the resume-signalling delay used by ehci-hcd and +uhci-hcd from 20 ms (the value in the spec) to 25 ms (the value we use +for non-remote-wakeup resumes). The extra time appears to help some +devices. + +Signed-off-by: Alan Stern +Cc: Rickard Bellini +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/hub.c | 3 +++ + drivers/usb/host/ehci-hcd.c | 5 +++-- + drivers/usb/host/uhci-hub.c | 2 +- + 3 files changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/hub.c ++++ b/drivers/usb/core/hub.c +@@ -3188,6 +3188,9 @@ static void hub_events(void) + USB_PORT_FEAT_C_SUSPEND); + udev = hdev->children[i-1]; + if (udev) { ++ /* TRSMRCY = 10 msec */ ++ msleep(10); ++ + usb_lock_device(udev); + ret = remote_wakeup(hdev-> + children[i-1]); +--- a/drivers/usb/host/ehci-hcd.c ++++ b/drivers/usb/host/ehci-hcd.c +@@ -764,9 +764,10 @@ static irqreturn_t ehci_irq (struct usb_ + + /* start 20 msec resume signaling from this port, + * and make khubd collect PORT_STAT_C_SUSPEND to +- * stop that signaling. ++ * stop that signaling. Use 5 ms extra for safety, ++ * like usb_port_resume() does. + */ +- ehci->reset_done [i] = jiffies + msecs_to_jiffies (20); ++ ehci->reset_done[i] = jiffies + msecs_to_jiffies(25); + ehci_dbg (ehci, "port %d remote wakeup\n", i + 1); + mod_timer(&hcd->rh_timer, ehci->reset_done[i]); + } +--- a/drivers/usb/host/uhci-hub.c ++++ b/drivers/usb/host/uhci-hub.c +@@ -167,7 +167,7 @@ static void uhci_check_ports(struct uhci + /* Port received a wakeup request */ + set_bit(port, &uhci->resuming_ports); + uhci->ports_timeout = jiffies + +- msecs_to_jiffies(20); ++ msecs_to_jiffies(25); + + /* Make sure we see the port again + * after the resuming period is over. */ diff --git a/queue-2.6.31/usb-add-speed-values-for-usb-3.0-and-wireless-controllers.patch b/queue-2.6.31/usb-add-speed-values-for-usb-3.0-and-wireless-controllers.patch new file mode 100644 index 00000000000..8391d7e4b7a --- /dev/null +++ b/queue-2.6.31/usb-add-speed-values-for-usb-3.0-and-wireless-controllers.patch @@ -0,0 +1,37 @@ +From b132b04e193908a94d95065d0628f8fb0159cc55 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Thu, 14 Jan 2010 10:33:19 -0800 +Subject: USB: add speed values for USB 3.0 and wireless controllers +Patch-mainline: 2.6.33 + +From: Greg Kroah-Hartman + +commit b132b04e193908a94d95065d0628f8fb0159cc55 upstream. + +These controllers say "unknown" for their speed in sysfs, which +obviously isn't correct. + +Reported-by: Kurt Garloff +Cc: Sarah Sharp +Cc: David Vrabel +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/sysfs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/usb/core/sysfs.c ++++ b/drivers/usb/core/sysfs.c +@@ -111,6 +111,12 @@ show_speed(struct device *dev, struct de + case USB_SPEED_HIGH: + speed = "480"; + break; ++ case USB_SPEED_VARIABLE: ++ speed = "480"; ++ break; ++ case USB_SPEED_SUPER: ++ speed = "5000"; ++ break; + default: + speed = "unknown"; + } diff --git a/queue-2.6.31/usb-don-t-use-gfp_kernel-while-we-cannot-reset-a-storage-device.patch b/queue-2.6.31/usb-don-t-use-gfp_kernel-while-we-cannot-reset-a-storage-device.patch new file mode 100644 index 00000000000..339f4de4dfc --- /dev/null +++ b/queue-2.6.31/usb-don-t-use-gfp_kernel-while-we-cannot-reset-a-storage-device.patch @@ -0,0 +1,69 @@ +From acbe2febe71abb2360b008e9ab3ee5c44169f78c Mon Sep 17 00:00:00 2001 +From: Oliver Neukum +Date: Tue, 12 Jan 2010 12:32:50 +0100 +Subject: USB: Don't use GFP_KERNEL while we cannot reset a storage device +Patch-mainline: 2.6.33 + +From: Oliver Neukum + +commit acbe2febe71abb2360b008e9ab3ee5c44169f78c upstream. + +Memory allocations with GFP_KERNEL can cause IO to a storage +device which can fail resulting in a need to reset the device. +Therefore GFP_KERNEL cannot be safely used between usb_lock_device() +and usb_unlock_device(). Replace by GFP_NOIO. + +Signed-off-by: Oliver Neukum +Cc: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/devices.c | 2 +- + drivers/usb/core/message.c | 8 ++++---- + 2 files changed, 5 insertions(+), 5 deletions(-) + +--- a/drivers/usb/core/devices.c ++++ b/drivers/usb/core/devices.c +@@ -494,7 +494,7 @@ static ssize_t usb_device_dump(char __us + return 0; + /* allocate 2^1 pages = 8K (on i386); + * should be more than enough for one device */ +- pages_start = (char *)__get_free_pages(GFP_KERNEL, 1); ++ pages_start = (char *)__get_free_pages(GFP_NOIO, 1); + if (!pages_start) + return -ENOMEM; + +--- a/drivers/usb/core/message.c ++++ b/drivers/usb/core/message.c +@@ -923,11 +923,11 @@ char *usb_cache_string(struct usb_device + if (index <= 0) + return NULL; + +- buf = kmalloc(MAX_USB_STRING_SIZE, GFP_KERNEL); ++ buf = kmalloc(MAX_USB_STRING_SIZE, GFP_NOIO); + if (buf) { + len = usb_string(udev, index, buf, MAX_USB_STRING_SIZE); + if (len > 0) { +- smallbuf = kmalloc(++len, GFP_KERNEL); ++ smallbuf = kmalloc(++len, GFP_NOIO); + if (!smallbuf) + return buf; + memcpy(smallbuf, buf, len); +@@ -1694,7 +1694,7 @@ int usb_set_configuration(struct usb_dev + if (cp) { + nintf = cp->desc.bNumInterfaces; + new_interfaces = kmalloc(nintf * sizeof(*new_interfaces), +- GFP_KERNEL); ++ GFP_NOIO); + if (!new_interfaces) { + dev_err(&dev->dev, "Out of memory\n"); + return -ENOMEM; +@@ -1703,7 +1703,7 @@ int usb_set_configuration(struct usb_dev + for (; n < nintf; ++n) { + new_interfaces[n] = kzalloc( + sizeof(struct usb_interface), +- GFP_KERNEL); ++ GFP_NOIO); + if (!new_interfaces[n]) { + dev_err(&dev->dev, "Out of memory\n"); + ret = -ENOMEM; diff --git a/queue-2.6.31/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch b/queue-2.6.31/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch new file mode 100644 index 00000000000..a384bf3cb90 --- /dev/null +++ b/queue-2.6.31/usb-ehci-fix-handling-of-unusual-interrupt-intervals.patch @@ -0,0 +1,62 @@ +From 1b9a38bfa6e664ff02511314f5586d711c83cc91 Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:17:55 -0500 +Subject: USB: EHCI: fix handling of unusual interrupt intervals +Patch-mainline: 2.6.33 + +From: Alan Stern + +commit 1b9a38bfa6e664ff02511314f5586d711c83cc91 upstream. + +This patch (as1320) fixes two problems related to interrupt-URB +scheduling in ehci-hcd. + + URBs with an interval of 2 or 4 microframes aren't handled. + For the time being, the patch reduces to interval to 1 uframe. + + URBs are constrained to have an interval no larger than 1024 + frames by usb_submit_urb(). But some EHCI controllers allow + use of a schedule as short as 256 frames; for these + controllers we may have to decrease the interval to the + actual schedule length. + +The second problem isn't very significant since few devices expose +interrupt endpoints with an interval larger than 256 frames. But the +first problem is critical; it will prevent the kernel from working +with devices having interrupt intervals of 2 or 4 uframes. + +Signed-off-by: Alan Stern +Tested-by: Glynn Farrow +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-q.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -802,9 +802,10 @@ qh_make ( + * But interval 1 scheduling is simpler, and + * includes high bandwidth. + */ +- dbg ("intr period %d uframes, NYET!", +- urb->interval); +- goto done; ++ urb->interval = 1; ++ } else if (qh->period > ehci->periodic_size) { ++ qh->period = ehci->periodic_size; ++ urb->interval = qh->period << 3; + } + } else { + int think_time; +@@ -827,6 +828,10 @@ qh_make ( + usb_calc_bus_time (urb->dev->speed, + is_input, 0, max_packet (maxp))); + qh->period = urb->interval; ++ if (qh->period > ehci->periodic_size) { ++ qh->period = ehci->periodic_size; ++ urb->interval = qh->period; ++ } + } + } + diff --git a/queue-2.6.31/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch b/queue-2.6.31/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch new file mode 100644 index 00000000000..23dead6fa03 --- /dev/null +++ b/queue-2.6.31/usb-ehci-uhci-fix-race-between-root-hub-suspend-and-port-resume.patch @@ -0,0 +1,88 @@ +From cec3a53c7fe794237b582e8e77fc0e48465e65ee Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Fri, 8 Jan 2010 11:18:20 -0500 +Subject: USB: EHCI & UHCI: fix race between root-hub suspend and port resume +Patch-mainline: 2.6.33 + +From: Alan Stern + +commit cec3a53c7fe794237b582e8e77fc0e48465e65ee upstream. + +This patch (as1321) fixes a problem with EHCI and UHCI root-hub +suspends: If the suspend occurs while a port is trying to resume, the +resume doesn't finish and simply gets lost. When remote wakeup is +enabled, this is undesirable behavior. + +The patch checks first to see if any port resumes are in progress, and +if they are then it fails the root-hub suspend with -EBUSY. + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/host/ehci-hub.c | 20 +++++++++++++++++++- + drivers/usb/host/uhci-hcd.c | 15 ++++++++++++++- + 2 files changed, 33 insertions(+), 2 deletions(-) + +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -119,9 +119,26 @@ static int ehci_bus_suspend (struct usb_ + del_timer_sync(&ehci->watchdog); + del_timer_sync(&ehci->iaa_watchdog); + +- port = HCS_N_PORTS (ehci->hcs_params); + spin_lock_irq (&ehci->lock); + ++ /* Once the controller is stopped, port resumes that are already ++ * in progress won't complete. Hence if remote wakeup is enabled ++ * for the root hub and any ports are in the middle of a resume or ++ * remote wakeup, we must fail the suspend. ++ */ ++ if (hcd->self.root_hub->do_remote_wakeup) { ++ port = HCS_N_PORTS(ehci->hcs_params); ++ while (port--) { ++ if (ehci->reset_done[port] != 0) { ++ spin_unlock_irq(&ehci->lock); ++ ehci_dbg(ehci, "suspend failed because " ++ "port %d is resuming\n", ++ port + 1); ++ return -EBUSY; ++ } ++ } ++ } ++ + /* stop schedules, clean any completed work */ + if (HC_IS_RUNNING(hcd->state)) { + ehci_quiesce (ehci); +@@ -137,6 +154,7 @@ static int ehci_bus_suspend (struct usb_ + */ + ehci->bus_suspended = 0; + ehci->owned_ports = 0; ++ port = HCS_N_PORTS(ehci->hcs_params); + while (port--) { + u32 __iomem *reg = &ehci->regs->port_status [port]; + u32 t1 = ehci_readl(ehci, reg) & ~PORT_RWC_BITS; +--- a/drivers/usb/host/uhci-hcd.c ++++ b/drivers/usb/host/uhci-hcd.c +@@ -749,7 +749,20 @@ static int uhci_rh_suspend(struct usb_hc + spin_lock_irq(&uhci->lock); + if (!test_bit(HCD_FLAG_HW_ACCESSIBLE, &hcd->flags)) + rc = -ESHUTDOWN; +- else if (!uhci->dead) ++ else if (uhci->dead) ++ ; /* Dead controllers tell no tales */ ++ ++ /* Once the controller is stopped, port resumes that are already ++ * in progress won't complete. Hence if remote wakeup is enabled ++ * for the root hub and any ports are in the middle of a resume or ++ * remote wakeup, we must fail the suspend. ++ */ ++ else if (hcd->self.root_hub->do_remote_wakeup && ++ uhci->resuming_ports) { ++ dev_dbg(uhci_dev(uhci), "suspend failed because a port " ++ "is resuming\n"); ++ rc = -EBUSY; ++ } else + suspend_rh(uhci, UHCI_RH_SUSPENDED); + spin_unlock_irq(&uhci->lock); + return rc; diff --git a/queue-2.6.31/usb-fix-bitmask-merge-error.patch b/queue-2.6.31/usb-fix-bitmask-merge-error.patch new file mode 100644 index 00000000000..bb8e0617beb --- /dev/null +++ b/queue-2.6.31/usb-fix-bitmask-merge-error.patch @@ -0,0 +1,33 @@ +From a91b593edd4b3e8aa91f671b763b27b8119eb49d Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Tue, 22 Dec 2009 23:16:32 -0500 +Subject: USB: fix bitmask merge error +Patch-mainline: 2.6.33 + +From: Alan Stern + +commit a91b593edd4b3e8aa91f671b763b27b8119eb49d upstream. + +This patch adds a mask bit which was mistakenly omitted from the +as1311 patch (usb-storage: add BAD_SENSE flag). + +Signed-off-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/usb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/usb/storage/usb.c ++++ b/drivers/usb/storage/usb.c +@@ -430,7 +430,8 @@ static void adjust_quirks(struct us_data + u16 vid = le16_to_cpu(us->pusb_dev->descriptor.idVendor); + u16 pid = le16_to_cpu(us->pusb_dev->descriptor.idProduct); + unsigned f = 0; +- unsigned int mask = (US_FL_SANE_SENSE | US_FL_FIX_CAPACITY | ++ unsigned int mask = (US_FL_SANE_SENSE | US_FL_BAD_SENSE | ++ US_FL_FIX_CAPACITY | + US_FL_CAPACITY_HEURISTICS | US_FL_IGNORE_DEVICE | + US_FL_NOT_LOCKABLE | US_FL_MAX_SECTORS_64 | + US_FL_CAPACITY_OK | US_FL_IGNORE_RESIDUE | diff --git a/queue-2.6.31/usb-fix-usbstorage-for-2770-915d-delivers-no-fat.patch b/queue-2.6.31/usb-fix-usbstorage-for-2770-915d-delivers-no-fat.patch new file mode 100644 index 00000000000..98c411e61fc --- /dev/null +++ b/queue-2.6.31/usb-fix-usbstorage-for-2770-915d-delivers-no-fat.patch @@ -0,0 +1,52 @@ +From 10d2cdb6102669279bee2d9a00a22431b74583d5 Mon Sep 17 00:00:00 2001 +From: Ryan May +Date: Wed, 6 Jan 2010 10:09:25 -0600 +Subject: USB: fix usbstorage for 2770:915d delivers no FAT +Patch-mainline: 2.6.33 +References: bnc#552353 + +From: Ryan May + +commit 10d2cdb6102669279bee2d9a00a22431b74583d5 upstream. + +Resolves kernel.org bug 14914. + +Remove entry for 2770:915d (usb digital camera with mass storage +support) from unusual_devs.h. The fix triggered by the entry causes +the file system on the camera to be completely inaccessible (no +partition table, the device is not mountable). + +The patch works, but let me clarify a few things about it. All the +patch does is remove the entry for this device from the +drivers/usb/storage/unusual_devs.h, which is supposed to help with a +problem with the device's reported size (I think). I'm pretty sure it +was originally added for a reason, so I'm not sure removing it won't +cause other problems to reappear. Also, I should note that this +unusual_devs.h entry was present (and activating workarounds) in +2.6.29, but in that version everything works fine. Starting with +2.6.30, things no longer work. + +Signed-off-by: Ryan May +Cc: Rohan Hart +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/storage/unusual_devs.h | 7 ------- + 1 file changed, 7 deletions(-) + +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -1827,13 +1827,6 @@ UNUSUAL_DEV( 0x2735, 0x100b, 0x0000, 0x + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_GO_SLOW ), + +-/* Reported by Rohan Hart */ +-UNUSUAL_DEV( 0x2770, 0x915d, 0x0010, 0x0010, +- "INTOVA", +- "Pixtreme", +- US_SC_DEVICE, US_PR_DEVICE, NULL, +- US_FL_FIX_CAPACITY ), +- + /* Reported by Frederic Marchal + * Mio Moov 330 + */ diff --git a/queue-2.6.31/usb-serial-fix-memory-leak-in-generic-driver.patch b/queue-2.6.31/usb-serial-fix-memory-leak-in-generic-driver.patch new file mode 100644 index 00000000000..a3a5b200ffe --- /dev/null +++ b/queue-2.6.31/usb-serial-fix-memory-leak-in-generic-driver.patch @@ -0,0 +1,38 @@ +From 2591530204a76fecc843529ade56afe865dd2657 Mon Sep 17 00:00:00 2001 +From: Johan Hovold +Date: Wed, 6 Jan 2010 15:48:42 -0800 +Subject: usb: serial: fix memory leak in generic driver +Patch-mainline: 2.6.33 + +From: Johan Hovold + +commit 2591530204a76fecc843529ade56afe865dd2657 upstream. + +Fix a regression introduced by commit +715b1dc01fe44537e8fce9566e4bb48d6821d84b ("USB: usb_debug, +usb_generic_serial: implement multi urb write"). + +URB transfer buffer was never freed when using multi-urb writes. +Currently the only driver enabling multi-urb writes is usb_debug. + +Signed-off-by: Johan Hovold +Cc: Greg KH +Acked-by: Jason Wessel +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/generic.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/usb/serial/generic.c ++++ b/drivers/usb/serial/generic.c +@@ -480,6 +480,8 @@ void usb_serial_generic_write_bulk_callb + dbg("%s - port %d", __func__, port->number); + + if (port->serial->type->max_in_flight_urbs) { ++ kfree(urb->transfer_buffer); ++ + spin_lock_irqsave(&port->lock, flags); + --port->urbs_in_flight; + port->tx_bytes_flight -= urb->transfer_buffer_length; diff --git a/queue-2.6.31/v4l-dvb-af9015-add-new-usb-id-for-kworld-plustv-dual-dvb-t-stick-dvb-t-399u.patch b/queue-2.6.31/v4l-dvb-af9015-add-new-usb-id-for-kworld-plustv-dual-dvb-t-stick-dvb-t-399u.patch new file mode 100644 index 00000000000..79f0ed55b13 --- /dev/null +++ b/queue-2.6.31/v4l-dvb-af9015-add-new-usb-id-for-kworld-plustv-dual-dvb-t-stick-dvb-t-399u.patch @@ -0,0 +1,52 @@ +From c92f056308c4a77a833e1cc1e16c1b68974483a6 Mon Sep 17 00:00:00 2001 +From: Mart Raudsepp +Date: Fri, 24 Jul 2009 13:45:41 -0300 +Subject: V4L/DVB: af9015: add new USB ID for KWorld PlusTV Dual DVB-T Stick (DVB-T 399U) + +From: Mart Raudsepp + +commit c92f056308c4a77a833e1cc1e16c1b68974483a6 upstream. + +Add new USB ID (1b80:e400) for KWorld PlusTV Dual DVB-T Stick (DVB-T 399U). +The model number on the devices sticker label is "KW-DVB-T 399UR". + +Signed-off-by: Mart Raudsepp +Acked-by: Antti Palosaari +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/dvb/dvb-usb/af9015.c | 4 +++- + drivers/media/dvb/dvb-usb/dvb-usb-ids.h | 1 + + 2 files changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/media/dvb/dvb-usb/af9015.c ++++ b/drivers/media/dvb/dvb-usb/af9015.c +@@ -1266,6 +1266,7 @@ static struct usb_device_id af9015_usb_t + {USB_DEVICE(USB_VID_KWORLD_2, USB_PID_CONCEPTRONIC_CTVDIGRCU)}, + {USB_DEVICE(USB_VID_KWORLD_2, USB_PID_KWORLD_MC810)}, + {USB_DEVICE(USB_VID_KYE, USB_PID_GENIUS_TVGO_DVB_T03)}, ++/* 25 */{USB_DEVICE(USB_VID_KWORLD_2, USB_PID_KWORLD_399U_2)}, + {0}, + }; + MODULE_DEVICE_TABLE(usb, af9015_usb_table); +@@ -1346,7 +1347,8 @@ static struct dvb_usb_device_properties + { + .name = "KWorld PlusTV Dual DVB-T Stick " \ + "(DVB-T 399U)", +- .cold_ids = {&af9015_usb_table[4], NULL}, ++ .cold_ids = {&af9015_usb_table[4], ++ &af9015_usb_table[25], NULL}, + .warm_ids = {NULL}, + }, + { +--- a/drivers/media/dvb/dvb-usb/dvb-usb-ids.h ++++ b/drivers/media/dvb/dvb-usb/dvb-usb-ids.h +@@ -103,6 +103,7 @@ + #define USB_PID_GRANDTEC_DVBT_USB_WARM 0x0fa1 + #define USB_PID_INTEL_CE9500 0x9500 + #define USB_PID_KWORLD_399U 0xe399 ++#define USB_PID_KWORLD_399U_2 0xe400 + #define USB_PID_KWORLD_395U 0xe396 + #define USB_PID_KWORLD_395U_2 0xe39b + #define USB_PID_KWORLD_395U_3 0xe395 diff --git a/queue-2.6.31/vmalloc-remove-bug_on-due-to-racy-counting-of-vm_lazy_free.patch b/queue-2.6.31/vmalloc-remove-bug_on-due-to-racy-counting-of-vm_lazy_free.patch new file mode 100644 index 00000000000..d45aaf2322f --- /dev/null +++ b/queue-2.6.31/vmalloc-remove-bug_on-due-to-racy-counting-of-vm_lazy_free.patch @@ -0,0 +1,78 @@ +From 88f5004430babb836cfce886d5d54c82166f8ba4 Mon Sep 17 00:00:00 2001 +From: Yongseok Koh +Date: Tue, 19 Jan 2010 17:33:49 +0900 +Subject: vmalloc: remove BUG_ON due to racy counting of VM_LAZY_FREE +Patch-mainline: 2.6.33 + +From: Yongseok Koh + +commit 88f5004430babb836cfce886d5d54c82166f8ba4 upstream. + +In free_unmap_area_noflush(), va->flags is marked as VM_LAZY_FREE first, and +then vmap_lazy_nr is increased atomically. + +But, in __purge_vmap_area_lazy(), while traversing of vmap_are_list, nr +is counted by checking VM_LAZY_FREE is set to va->flags. After counting +the variable nr, kernel reads vmap_lazy_nr atomically and checks a +BUG_ON condition whether nr is greater than vmap_lazy_nr to prevent +vmap_lazy_nr from being negative. + +The problem is that, if interrupted right after marking VM_LAZY_FREE, +increment of vmap_lazy_nr can be delayed. Consequently, BUG_ON +condition can be met because nr is counted more than vmap_lazy_nr. + +It is highly probable when vmalloc/vfree are called frequently. This +scenario have been verified by adding delay between marking VM_LAZY_FREE +and increasing vmap_lazy_nr in free_unmap_area_noflush(). + +Even the vmap_lazy_nr is for checking high watermark, it never be the +strict watermark. Although the BUG_ON condition is to prevent +vmap_lazy_nr from being negative, vmap_lazy_nr is signed variable. So, +it could go down to negative value temporarily. + +Consequently, removing the BUG_ON condition is proper. + +A possible BUG_ON message is like the below. + + kernel BUG at mm/vmalloc.c:517! + invalid opcode: 0000 [#1] SMP + EIP: 0060:[] EFLAGS: 00010297 CPU: 3 + EIP is at __purge_vmap_area_lazy+0x144/0x150 + EAX: ee8a8818 EBX: c08e77d4 ECX: e7c7ae40 EDX: c08e77ec + ESI: 000081fe EDI: e7c7ae60 EBP: e7c7ae64 ESP: e7c7ae3c + DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 + Call Trace: + [] free_unmap_vmap_area_noflush+0x69/0x70 + [] remove_vm_area+0x22/0x70 + [] __vunmap+0x45/0xe0 + [] vmalloc+0x2c/0x30 + Code: 8d 59 e0 eb 04 66 90 89 cb 89 d0 e8 87 fe ff ff 8b 43 20 89 da 8d 48 e0 8d 43 20 3b 04 24 75 e7 fe 05 a8 a5 a3 c0 e9 78 ff ff ff <0f> 0b eb fe 90 8d b4 26 00 00 00 00 56 89 c6 b8 ac a5 a3 c0 31 + EIP: [] __purge_vmap_area_lazy+0x144/0x150 SS:ESP 0068:e7c7ae3c + +[ See also http://marc.info/?l=linux-kernel&m=126335856228090&w=2 ] + +Signed-off-by: Yongseok Koh +Reviewed-by: Minchan Kim +Cc: Nick Piggin +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/vmalloc.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/mm/vmalloc.c ++++ b/mm/vmalloc.c +@@ -546,10 +546,8 @@ static void __purge_vmap_area_lazy(unsig + } + rcu_read_unlock(); + +- if (nr) { +- BUG_ON(nr > atomic_read(&vmap_lazy_nr)); ++ if (nr) + atomic_sub(nr, &vmap_lazy_nr); +- } + + if (nr || force_flush) + flush_tlb_kernel_range(*start, *end); diff --git a/queue-2.6.31/x86-apic-use-physical-mode-for-ibm-summit-platforms.patch b/queue-2.6.31/x86-apic-use-physical-mode-for-ibm-summit-platforms.patch new file mode 100644 index 00000000000..eb91ddcfe19 --- /dev/null +++ b/queue-2.6.31/x86-apic-use-physical-mode-for-ibm-summit-platforms.patch @@ -0,0 +1,46 @@ +From dfea91d5a7c795fd6f4e1a97489a98e4e767463e Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Mon, 18 Jan 2010 12:10:48 -0800 +Subject: x86, apic: use physical mode for IBM summit platforms +Patch-mainline: 2.6.33 + +From: Suresh Siddha + +commit dfea91d5a7c795fd6f4e1a97489a98e4e767463e upstream. + +Chris McDermott from IBM confirmed that hurricane chipset in IBM summit +platforms doesn't support logical flat mode. Irrespective of the other +things like apic_id's, total number of logical cpu's, Linux kernel +should default to physical mode for this system. + +The 32-bit kernel does so using the OEM checks for the IBM summit +platform. Add a similar OEM platform check for the 64bit kernel too. + +Otherwise the linux kernel boot can hang on this platform under certain +bios/platform settings. + +Signed-off-by: Suresh Siddha +Tested-by: Ananth N Mavinakayanahalli +Cc: Chris McDermott +Cc: Yinghai Lu +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/apic_flat_64.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/arch/x86/kernel/apic/apic_flat_64.c ++++ b/arch/x86/kernel/apic/apic_flat_64.c +@@ -240,6 +240,11 @@ static int physflat_acpi_madt_oem_check( + printk(KERN_DEBUG "system APIC only can use physical flat"); + return 1; + } ++ ++ if (!strncmp(oem_id, "IBM", 3) && !strncmp(oem_table_id, "EXA", 3)) { ++ printk(KERN_DEBUG "IBM Summit detected, will use apic physical"); ++ return 1; ++ } + #endif + + return 0; diff --git a/queue-2.6.31/x86-pci-pat-return-einval-for-pci-mmap-wc-request-for-pat_enabled.patch b/queue-2.6.31/x86-pci-pat-return-einval-for-pci-mmap-wc-request-for-pat_enabled.patch new file mode 100644 index 00000000000..a3716b83f10 --- /dev/null +++ b/queue-2.6.31/x86-pci-pat-return-einval-for-pci-mmap-wc-request-for-pat_enabled.patch @@ -0,0 +1,57 @@ +From 2992e545ea006992ec9dc91c4fa996ce1e15f921 Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Mon, 26 Oct 2009 13:21:32 -0800 +Subject: x86/PCI/PAT: return EINVAL for pci mmap WC request for !pat_enabled +Patch-mainline: 2.6.33 + +From: Suresh Siddha + +commit 2992e545ea006992ec9dc91c4fa996ce1e15f921 upstream. + +Thomas Schlichter reported: +> X.org uses libpciaccess which tries to mmap with write combining enabled via +> /sys/bus/pci/devices/*/resource0_wc. Currently, when PAT is not enabled, the +> kernel does fall back to uncached mmap. Then libpciaccess thinks it succeeded +> mapping with write combining enabled and does not set up suited MTRR entries. +> ;-( + +Instead of silently mapping pci mmap region as UC minus in the case +of !pat_enabled and wc request, we can return error. Eric Anholt mentioned +that caller (like X) typically follows up with UC minus pci mmap request and +if there is a free mtrr slot, caller will manage adding WC mtrr. + +Jesse Barnes says: +> Older versions of libpciaccess will behave better if we do it that way +> (iirc it only allocates an MTRR if the resource_wc file doesn't exist or +> fails to get mapped). + +Reported-by: Thomas Schlichter +Signed-off-by: Thomas Schlichter +Signed-off-by: Suresh Siddha +Acked-by: Eric Anholt +Acked-by: Jesse Barnes +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/pci/i386.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/arch/x86/pci/i386.c ++++ b/arch/x86/pci/i386.c +@@ -282,6 +282,15 @@ int pci_mmap_page_range(struct pci_dev * + return -EINVAL; + + prot = pgprot_val(vma->vm_page_prot); ++ ++ /* ++ * Return error if pat is not enabled and write_combine is requested. ++ * Caller can followup with UC MINUS request and add a WC mtrr if there ++ * is a free mtrr slot. ++ */ ++ if (!pat_enabled && write_combine) ++ return -EINVAL; ++ + if (pat_enabled && write_combine) + prot |= _PAGE_CACHE_WC; + else if (pat_enabled || boot_cpu_data.x86 > 3)