From: Greg Kroah-Hartman Date: Mon, 6 Jan 2014 18:30:20 +0000 (-0800) Subject: 3.12-stable patches X-Git-Tag: v3.4.76~41 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c57aaf24603824b3e4f48a6dd0cda980cf36949c;p=thirdparty%2Fkernel%2Fstable-queue.git 3.12-stable patches added patches: ath9k-fix-interrupt-handling-for-the-ar9002-family.patch ath9k_htc-properly-set-mac-address-and-bssid-mask.patch auxvec.h-account-for-at_hwcap2-in-at_vector_size_base.patch ceph-avoid-data-inconsistency-due-to-d-cache-aliasing-in-readpage.patch cgroup-fix-cgroup_create-error-handling-path.patch cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch dm9601-fix-reception-of-full-size-ethernet-frames-on-dm9620-dm9621a.patch dm9601-work-around-tx-fifo-sync-issue-on-dm962x.patch drm-radeon-set-correct-pipe-config-for-hawaii-in-dce.patch kvm-nvmx-unconditionally-uninit-the-mmu-on-nested-vmexit.patch kvm-x86-fix-apic-map-calculation-after-re-enabling.patch power_supply-fix-oops-from-null-pointer-dereference-from-wakeup_source_activate.patch powerpc-align-p_end.patch powerpc-fix-bad-stack-check-in-exception-entry.patch tg3-expand-4g_overflow_test-workaround-to-skb-fragments-of-any-size.patch --- diff --git a/queue-3.12/ath9k-fix-interrupt-handling-for-the-ar9002-family.patch b/queue-3.12/ath9k-fix-interrupt-handling-for-the-ar9002-family.patch new file mode 100644 index 00000000000..fcb7d7a3c26 --- /dev/null +++ b/queue-3.12/ath9k-fix-interrupt-handling-for-the-ar9002-family.patch @@ -0,0 +1,115 @@ +From 73f0b56a1ff64e7fb6c3a62088804bab93bcedc2 Mon Sep 17 00:00:00 2001 +From: Sujith Manoharan +Date: Mon, 16 Dec 2013 07:04:59 +0530 +Subject: ath9k: Fix interrupt handling for the AR9002 family + +From: Sujith Manoharan + +commit 73f0b56a1ff64e7fb6c3a62088804bab93bcedc2 upstream. + +This patch adds a driver workaround for a HW issue. + +A race condition in the HW results in missing interrupts, +which can be avoided by a read/write with the ISR register. +All chips in the AR9002 series are affected by this bug - AR9003 +and above do not have this problem. + +Cc: Felix Fietkau +Signed-off-by: Sujith Manoharan +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/ar9002_mac.c | 52 +++++++++++++++++++++++----- + 1 file changed, 43 insertions(+), 9 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/ar9002_mac.c ++++ b/drivers/net/wireless/ath/ath9k/ar9002_mac.c +@@ -76,9 +76,16 @@ static bool ar9002_hw_get_isr(struct ath + mask2 |= ATH9K_INT_CST; + if (isr2 & AR_ISR_S2_TSFOOR) + mask2 |= ATH9K_INT_TSFOOR; ++ ++ if (!(pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED)) { ++ REG_WRITE(ah, AR_ISR_S2, isr2); ++ isr &= ~AR_ISR_BCNMISC; ++ } + } + +- isr = REG_READ(ah, AR_ISR_RAC); ++ if (pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED) ++ isr = REG_READ(ah, AR_ISR_RAC); ++ + if (isr == 0xffffffff) { + *masked = 0; + return false; +@@ -97,11 +104,23 @@ static bool ar9002_hw_get_isr(struct ath + + *masked |= ATH9K_INT_TX; + +- s0_s = REG_READ(ah, AR_ISR_S0_S); ++ if (pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED) { ++ s0_s = REG_READ(ah, AR_ISR_S0_S); ++ s1_s = REG_READ(ah, AR_ISR_S1_S); ++ } else { ++ s0_s = REG_READ(ah, AR_ISR_S0); ++ REG_WRITE(ah, AR_ISR_S0, s0_s); ++ s1_s = REG_READ(ah, AR_ISR_S1); ++ REG_WRITE(ah, AR_ISR_S1, s1_s); ++ ++ isr &= ~(AR_ISR_TXOK | ++ AR_ISR_TXDESC | ++ AR_ISR_TXERR | ++ AR_ISR_TXEOL); ++ } ++ + ah->intr_txqs |= MS(s0_s, AR_ISR_S0_QCU_TXOK); + ah->intr_txqs |= MS(s0_s, AR_ISR_S0_QCU_TXDESC); +- +- s1_s = REG_READ(ah, AR_ISR_S1_S); + ah->intr_txqs |= MS(s1_s, AR_ISR_S1_QCU_TXERR); + ah->intr_txqs |= MS(s1_s, AR_ISR_S1_QCU_TXEOL); + } +@@ -114,13 +133,15 @@ static bool ar9002_hw_get_isr(struct ath + *masked |= mask2; + } + +- if (AR_SREV_9100(ah)) +- return true; +- +- if (isr & AR_ISR_GENTMR) { ++ if (!AR_SREV_9100(ah) && (isr & AR_ISR_GENTMR)) { + u32 s5_s; + +- s5_s = REG_READ(ah, AR_ISR_S5_S); ++ if (pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED) { ++ s5_s = REG_READ(ah, AR_ISR_S5_S); ++ } else { ++ s5_s = REG_READ(ah, AR_ISR_S5); ++ } ++ + ah->intr_gen_timer_trigger = + MS(s5_s, AR_ISR_S5_GENTIMER_TRIG); + +@@ -133,8 +154,21 @@ static bool ar9002_hw_get_isr(struct ath + if ((s5_s & AR_ISR_S5_TIM_TIMER) && + !(pCap->hw_caps & ATH9K_HW_CAP_AUTOSLEEP)) + *masked |= ATH9K_INT_TIM_TIMER; ++ ++ if (!(pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED)) { ++ REG_WRITE(ah, AR_ISR_S5, s5_s); ++ isr &= ~AR_ISR_GENTMR; ++ } ++ } ++ ++ if (!(pCap->hw_caps & ATH9K_HW_CAP_RAC_SUPPORTED)) { ++ REG_WRITE(ah, AR_ISR, isr); ++ REG_READ(ah, AR_ISR); + } + ++ if (AR_SREV_9100(ah)) ++ return true; ++ + if (sync_cause) { + ath9k_debug_sync_cause(common, sync_cause); + fatal_int = diff --git a/queue-3.12/ath9k_htc-properly-set-mac-address-and-bssid-mask.patch b/queue-3.12/ath9k_htc-properly-set-mac-address-and-bssid-mask.patch new file mode 100644 index 00000000000..52d0a74c47f --- /dev/null +++ b/queue-3.12/ath9k_htc-properly-set-mac-address-and-bssid-mask.patch @@ -0,0 +1,99 @@ +From 657eb17d87852c42b55c4b06d5425baa08b2ddb3 Mon Sep 17 00:00:00 2001 +From: Mathy Vanhoef +Date: Thu, 28 Nov 2013 12:21:45 +0100 +Subject: ath9k_htc: properly set MAC address and BSSID mask + +From: Mathy Vanhoef + +commit 657eb17d87852c42b55c4b06d5425baa08b2ddb3 upstream. + +Pick the MAC address of the first virtual interface as the new hardware MAC +address. Set BSSID mask according to this MAC address. This fixes CVE-2013-4579. + +Signed-off-by: Mathy Vanhoef +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/htc_drv_main.c | 25 +++++++++++++++++-------- + drivers/net/wireless/ath/ath9k/main.c | 5 +++-- + 2 files changed, 20 insertions(+), 10 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/htc_drv_main.c ++++ b/drivers/net/wireless/ath/ath9k/htc_drv_main.c +@@ -147,21 +147,26 @@ static void ath9k_htc_bssid_iter(void *d + struct ath9k_vif_iter_data *iter_data = data; + int i; + +- for (i = 0; i < ETH_ALEN; i++) +- iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]); ++ if (iter_data->hw_macaddr != NULL) { ++ for (i = 0; i < ETH_ALEN; i++) ++ iter_data->mask[i] &= ~(iter_data->hw_macaddr[i] ^ mac[i]); ++ } else { ++ iter_data->hw_macaddr = mac; ++ } + } + +-static void ath9k_htc_set_bssid_mask(struct ath9k_htc_priv *priv, ++static void ath9k_htc_set_mac_bssid_mask(struct ath9k_htc_priv *priv, + struct ieee80211_vif *vif) + { + struct ath_common *common = ath9k_hw_common(priv->ah); + struct ath9k_vif_iter_data iter_data; + + /* +- * Use the hardware MAC address as reference, the hardware uses it +- * together with the BSSID mask when matching addresses. ++ * Pick the MAC address of the first interface as the new hardware ++ * MAC address. The hardware will use it together with the BSSID mask ++ * when matching addresses. + */ +- iter_data.hw_macaddr = common->macaddr; ++ iter_data.hw_macaddr = NULL; + memset(&iter_data.mask, 0xff, ETH_ALEN); + + if (vif) +@@ -173,6 +178,10 @@ static void ath9k_htc_set_bssid_mask(str + ath9k_htc_bssid_iter, &iter_data); + + memcpy(common->bssidmask, iter_data.mask, ETH_ALEN); ++ ++ if (iter_data.hw_macaddr) ++ memcpy(common->macaddr, iter_data.hw_macaddr, ETH_ALEN); ++ + ath_hw_setbssidmask(common); + } + +@@ -1083,7 +1092,7 @@ static int ath9k_htc_add_interface(struc + goto out; + } + +- ath9k_htc_set_bssid_mask(priv, vif); ++ ath9k_htc_set_mac_bssid_mask(priv, vif); + + priv->vif_slot |= (1 << avp->index); + priv->nvifs++; +@@ -1148,7 +1157,7 @@ static void ath9k_htc_remove_interface(s + + ath9k_htc_set_opmode(priv); + +- ath9k_htc_set_bssid_mask(priv, vif); ++ ath9k_htc_set_mac_bssid_mask(priv, vif); + + /* + * Stop ANI only if there are no associated station interfaces. +--- a/drivers/net/wireless/ath/ath9k/main.c ++++ b/drivers/net/wireless/ath/ath9k/main.c +@@ -885,8 +885,9 @@ void ath9k_calculate_iter_data(struct ie + struct ath_common *common = ath9k_hw_common(ah); + + /* +- * Use the hardware MAC address as reference, the hardware uses it +- * together with the BSSID mask when matching addresses. ++ * Pick the MAC address of the first interface as the new hardware ++ * MAC address. The hardware will use it together with the BSSID mask ++ * when matching addresses. + */ + memset(iter_data, 0, sizeof(*iter_data)); + memset(&iter_data->mask, 0xff, ETH_ALEN); diff --git a/queue-3.12/auxvec.h-account-for-at_hwcap2-in-at_vector_size_base.patch b/queue-3.12/auxvec.h-account-for-at_hwcap2-in-at_vector_size_base.patch new file mode 100644 index 00000000000..a9ff95aa16f --- /dev/null +++ b/queue-3.12/auxvec.h-account-for-at_hwcap2-in-at_vector_size_base.patch @@ -0,0 +1,35 @@ +From f60900f2609e893c7f8d0bccc7ada4947dac4cd5 Mon Sep 17 00:00:00 2001 +From: Ard Biesheuvel +Date: Mon, 23 Dec 2013 18:49:30 +0100 +Subject: auxvec.h: account for AT_HWCAP2 in AT_VECTOR_SIZE_BASE + +From: Ard Biesheuvel + +commit f60900f2609e893c7f8d0bccc7ada4947dac4cd5 upstream. + +Commit 2171364d1a92 ("powerpc: Add HWCAP2 aux entry") introduced a new +AT_ auxv entry type AT_HWCAP2 but failed to update AT_VECTOR_SIZE_BASE +accordingly. + +Signed-off-by: Ard Biesheuvel +Fixes: 2171364d1a92 (powerpc: Add HWCAP2 aux entry) +Acked-by: Michael Neuling +Cc: Nishanth Aravamudan +Cc: Benjamin Herrenschmidt +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/auxvec.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/auxvec.h ++++ b/include/linux/auxvec.h +@@ -3,6 +3,6 @@ + + #include + +-#define AT_VECTOR_SIZE_BASE 19 /* NEW_AUX_ENT entries in auxiliary table */ ++#define AT_VECTOR_SIZE_BASE 20 /* NEW_AUX_ENT entries in auxiliary table */ + /* number of "#define AT_.*" above, minus {AT_NULL, AT_IGNORE, AT_NOTELF} */ + #endif /* _LINUX_AUXVEC_H */ diff --git a/queue-3.12/ceph-avoid-data-inconsistency-due-to-d-cache-aliasing-in-readpage.patch b/queue-3.12/ceph-avoid-data-inconsistency-due-to-d-cache-aliasing-in-readpage.patch new file mode 100644 index 00000000000..121856c74bc --- /dev/null +++ b/queue-3.12/ceph-avoid-data-inconsistency-due-to-d-cache-aliasing-in-readpage.patch @@ -0,0 +1,40 @@ +From 56f91aad69444d650237295f68c195b74d888d95 Mon Sep 17 00:00:00 2001 +From: Li Wang +Date: Wed, 13 Nov 2013 15:22:14 +0800 +Subject: ceph: Avoid data inconsistency due to d-cache aliasing in readpage() + +From: Li Wang + +commit 56f91aad69444d650237295f68c195b74d888d95 upstream. + +If the length of data to be read in readpage() is exactly +PAGE_CACHE_SIZE, the original code does not flush d-cache +for data consistency after finishing reading. This patches fixes +this. + +Signed-off-by: Li Wang +Signed-off-by: Sage Weil +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ceph/addr.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/fs/ceph/addr.c ++++ b/fs/ceph/addr.c +@@ -210,9 +210,13 @@ static int readpage_nounlock(struct file + if (err < 0) { + SetPageError(page); + goto out; +- } else if (err < PAGE_CACHE_SIZE) { ++ } else { ++ if (err < PAGE_CACHE_SIZE) { + /* zero fill remainder of page */ +- zero_user_segment(page, err, PAGE_CACHE_SIZE); ++ zero_user_segment(page, err, PAGE_CACHE_SIZE); ++ } else { ++ flush_dcache_page(page); ++ } + } + SetPageUptodate(page); + diff --git a/queue-3.12/cgroup-fix-cgroup_create-error-handling-path.patch b/queue-3.12/cgroup-fix-cgroup_create-error-handling-path.patch new file mode 100644 index 00000000000..be6b3cc5549 --- /dev/null +++ b/queue-3.12/cgroup-fix-cgroup_create-error-handling-path.patch @@ -0,0 +1,127 @@ +From 266ccd505e8acb98717819cef9d91d66c7b237cc Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 6 Dec 2013 15:07:32 -0500 +Subject: cgroup: fix cgroup_create() error handling path + +From: Tejun Heo + +commit 266ccd505e8acb98717819cef9d91d66c7b237cc upstream. + +ae7f164a09 ("cgroup: move cgroup->subsys[] assignment to +online_css()") moved cgroup->subsys[] assignements later in +cgroup_create() but didn't update error handling path accordingly +leading to the following oops and leaking later css's after an +online_css() failure. The oops is from cgroup destruction path being +invoked on the partially constructed cgroup which is not ready to +handle empty slots in cgrp->subsys[] array. + + BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 + IP: [] cgroup_destroy_locked+0x118/0x2f0 + PGD a780a067 PUD aadbe067 PMD 0 + Oops: 0000 [#1] SMP + Modules linked in: + CPU: 6 PID: 7360 Comm: mkdir Not tainted 3.13.0-rc2+ #69 + Hardware name: + task: ffff8800b9dbec00 ti: ffff8800a781a000 task.ti: ffff8800a781a000 + RIP: 0010:[] [] cgroup_destroy_locked+0x118/0x2f0 + RSP: 0018:ffff8800a781bd98 EFLAGS: 00010282 + RAX: ffff880586903878 RBX: ffff880586903800 RCX: ffff880586903820 + RDX: ffff880586903860 RSI: ffff8800a781bdb0 RDI: ffff880586903820 + RBP: ffff8800a781bde8 R08: ffff88060e0b8048 R09: ffffffff811d7bc1 + R10: 000000000000008c R11: 0000000000000001 R12: ffff8800a72286c0 + R13: 0000000000000000 R14: ffffffff81cf7a40 R15: 0000000000000001 + FS: 00007f60ecda57a0(0000) GS:ffff8806272c0000(0000) knlGS:0000000000000000 + CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 + CR2: 0000000000000008 CR3: 00000000a7a03000 CR4: 00000000000007e0 + Stack: + ffff880586903860 ffff880586903910 ffff8800a72286c0 ffff880586903820 + ffffffff81cf7a40 ffff880586903800 ffff88060e0b8018 ffffffff81cf7a40 + ffff8800b9dbec00 ffff8800b9dbf098 ffff8800a781bec8 ffffffff810ef5bf + Call Trace: + [] cgroup_mkdir+0x55f/0x5f0 + [] vfs_mkdir+0xee/0x140 + [] SyS_mkdirat+0x6e/0xf0 + [] SyS_mkdir+0x19/0x20 + [] system_call_fastpath+0x16/0x1b + +This patch moves reference bumping inside online_css() loop, clears +css_ar[] as css's are brought online successfully, and updates +err_destroy path so that either a css is fully online and destroyed by +cgroup_destroy_locked() or the error path frees it. This creates a +duplicate css free logic in the error path but it will be cleaned up +soon. + +v2: Li pointed out that cgroup_destroy_locked() would do NULL-deref if + invoked with a cgroup which doesn't have all css's populated. + Update cgroup_destroy_locked() so that it skips NULL css's. + +Signed-off-by: Tejun Heo +Acked-by: Li Zefan +Reported-by: Vladimir Davydov +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/cgroup.c | 31 +++++++++++++++++++++---------- + 1 file changed, 21 insertions(+), 10 deletions(-) + +--- a/kernel/cgroup.c ++++ b/kernel/cgroup.c +@@ -4490,14 +4490,6 @@ static long cgroup_create(struct cgroup + list_add_tail_rcu(&cgrp->sibling, &cgrp->parent->children); + root->number_of_cgroups++; + +- /* each css holds a ref to the cgroup's dentry and the parent css */ +- for_each_root_subsys(root, ss) { +- struct cgroup_subsys_state *css = css_ar[ss->subsys_id]; +- +- dget(dentry); +- css_get(css->parent); +- } +- + /* hold a ref to the parent's dentry */ + dget(parent->dentry); + +@@ -4509,6 +4501,13 @@ static long cgroup_create(struct cgroup + if (err) + goto err_destroy; + ++ /* each css holds a ref to the cgroup's dentry and parent css */ ++ dget(dentry); ++ css_get(css->parent); ++ ++ /* mark it consumed for error path */ ++ css_ar[ss->subsys_id] = NULL; ++ + if (ss->broken_hierarchy && !ss->warned_broken_hierarchy && + parent->parent) { + pr_warning("cgroup: %s (%d) created nested cgroup for controller \"%s\" which has incomplete hierarchy support. Nested cgroups may change behavior in the future.\n", +@@ -4555,6 +4554,14 @@ err_free_cgrp: + return err; + + err_destroy: ++ for_each_root_subsys(root, ss) { ++ struct cgroup_subsys_state *css = css_ar[ss->subsys_id]; ++ ++ if (css) { ++ percpu_ref_cancel_init(&css->refcnt); ++ ss->css_free(css); ++ } ++ } + cgroup_destroy_locked(cgrp); + mutex_unlock(&cgroup_mutex); + mutex_unlock(&dentry->d_inode->i_mutex); +@@ -4716,8 +4723,12 @@ static int cgroup_destroy_locked(struct + * will be invoked to perform the rest of destruction once the + * percpu refs of all css's are confirmed to be killed. + */ +- for_each_root_subsys(cgrp->root, ss) +- kill_css(cgroup_css(cgrp, ss)); ++ for_each_root_subsys(cgrp->root, ss) { ++ struct cgroup_subsys_state *css = cgroup_css(cgrp, ss); ++ ++ if (css) ++ kill_css(css); ++ } + + /* + * Mark @cgrp dead. This prevents further task migration and child diff --git a/queue-3.12/cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch b/queue-3.12/cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch new file mode 100644 index 00000000000..b932e9943ce --- /dev/null +++ b/queue-3.12/cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch @@ -0,0 +1,43 @@ +From f447ef4a56dee4b68a91460bcdfe06b5011085f2 Mon Sep 17 00:00:00 2001 +From: Josh Boyer +Date: Fri, 11 Oct 2013 08:45:51 -0400 +Subject: cpupower: Fix segfault due to incorrect getopt_long arugments + +From: Josh Boyer + +commit f447ef4a56dee4b68a91460bcdfe06b5011085f2 upstream. + +If a user calls 'cpupower set --perf-bias 15', the process will end with +a SIGSEGV in libc because cpupower-set passes a NULL optarg to the atoi +call. This is because the getopt_long structure currently has all of +the options as having an optional_argument when they really have a +required argument. We change the structure to use required_argument to +match the short options and it resolves the issue. + +This fixes https://bugzilla.redhat.com/show_bug.cgi?id=1000439 + +Signed-off-by: Josh Boyer +Cc: Dominik Brodowski +Cc: Thomas Renninger +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + tools/power/cpupower/utils/cpupower-set.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/tools/power/cpupower/utils/cpupower-set.c ++++ b/tools/power/cpupower/utils/cpupower-set.c +@@ -18,9 +18,9 @@ + #include "helpers/bitmask.h" + + static struct option set_opts[] = { +- { .name = "perf-bias", .has_arg = optional_argument, .flag = NULL, .val = 'b'}, +- { .name = "sched-mc", .has_arg = optional_argument, .flag = NULL, .val = 'm'}, +- { .name = "sched-smt", .has_arg = optional_argument, .flag = NULL, .val = 's'}, ++ { .name = "perf-bias", .has_arg = required_argument, .flag = NULL, .val = 'b'}, ++ { .name = "sched-mc", .has_arg = required_argument, .flag = NULL, .val = 'm'}, ++ { .name = "sched-smt", .has_arg = required_argument, .flag = NULL, .val = 's'}, + { }, + }; + diff --git a/queue-3.12/dm9601-fix-reception-of-full-size-ethernet-frames-on-dm9620-dm9621a.patch b/queue-3.12/dm9601-fix-reception-of-full-size-ethernet-frames-on-dm9620-dm9621a.patch new file mode 100644 index 00000000000..1a7dc0496aa --- /dev/null +++ b/queue-3.12/dm9601-fix-reception-of-full-size-ethernet-frames-on-dm9620-dm9621a.patch @@ -0,0 +1,36 @@ +From 407900cfb54bdb2cfa228010b6697305f66b2948 Mon Sep 17 00:00:00 2001 +From: Peter Korsgaard +Date: Mon, 16 Dec 2013 11:35:33 +0100 +Subject: dm9601: fix reception of full size ethernet frames on dm9620/dm9621a + +From: Peter Korsgaard + +commit 407900cfb54bdb2cfa228010b6697305f66b2948 upstream. + +dm9620/dm9621a require room for 4 byte padding even in dm9601 (3 byte +header) mode. + +Signed-off-by: Peter Korsgaard +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/dm9601.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -364,7 +364,12 @@ static int dm9601_bind(struct usbnet *de + dev->net->ethtool_ops = &dm9601_ethtool_ops; + dev->net->hard_header_len += DM_TX_OVERHEAD; + dev->hard_mtu = dev->net->mtu + dev->net->hard_header_len; +- dev->rx_urb_size = dev->net->mtu + ETH_HLEN + DM_RX_OVERHEAD; ++ ++ /* dm9620/21a require room for 4 byte padding, even in dm9601 ++ * mode, so we need +1 to be able to receive full size ++ * ethernet frames. ++ */ ++ dev->rx_urb_size = dev->net->mtu + ETH_HLEN + DM_RX_OVERHEAD + 1; + + dev->mii.dev = dev->net; + dev->mii.mdio_read = dm9601_mdio_read; diff --git a/queue-3.12/dm9601-work-around-tx-fifo-sync-issue-on-dm962x.patch b/queue-3.12/dm9601-work-around-tx-fifo-sync-issue-on-dm962x.patch new file mode 100644 index 00000000000..f8ec593c689 --- /dev/null +++ b/queue-3.12/dm9601-work-around-tx-fifo-sync-issue-on-dm962x.patch @@ -0,0 +1,83 @@ +From 4263c86dca5198da6bd3ad826d0b2304fbe25776 Mon Sep 17 00:00:00 2001 +From: Peter Korsgaard +Date: Mon, 16 Dec 2013 11:35:35 +0100 +Subject: dm9601: work around tx fifo sync issue on dm962x + +From: Peter Korsgaard + +commit 4263c86dca5198da6bd3ad826d0b2304fbe25776 upstream. + +Certain dm962x revisions contain an bug, where if a USB bulk transfer retry +(E.G. if bulk crc mismatch) happens right after a transfer with odd or +maxpacket length, the internal tx hardware fifo gets out of sync causing +the interface to stop working. + +Work around it by adding up to 3 bytes of padding to ensure this situation +cannot trigger. + +This workaround also means we never pass multiple-of-maxpacket size skb's +to usbnet, so the length adjustment to handle usbnet's padding of those can +be removed. + +Reported-by: Joseph Chang +Signed-off-by: Peter Korsgaard +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/usb/dm9601.c | 27 +++++++++++++++++++-------- + 1 file changed, 19 insertions(+), 8 deletions(-) + +--- a/drivers/net/usb/dm9601.c ++++ b/drivers/net/usb/dm9601.c +@@ -473,7 +473,7 @@ static int dm9601_rx_fixup(struct usbnet + static struct sk_buff *dm9601_tx_fixup(struct usbnet *dev, struct sk_buff *skb, + gfp_t flags) + { +- int len; ++ int len, pad; + + /* format: + b1: packet length low +@@ -481,12 +481,23 @@ static struct sk_buff *dm9601_tx_fixup(s + b3..n: packet data + */ + +- len = skb->len; ++ len = skb->len + DM_TX_OVERHEAD; + +- if (skb_headroom(skb) < DM_TX_OVERHEAD) { ++ /* workaround for dm962x errata with tx fifo getting out of ++ * sync if a USB bulk transfer retry happens right after a ++ * packet with odd / maxpacket length by adding up to 3 bytes ++ * padding. ++ */ ++ while ((len & 1) || !(len % dev->maxpacket)) ++ len++; ++ ++ len -= DM_TX_OVERHEAD; /* hw header doesn't count as part of length */ ++ pad = len - skb->len; ++ ++ if (skb_headroom(skb) < DM_TX_OVERHEAD || skb_tailroom(skb) < pad) { + struct sk_buff *skb2; + +- skb2 = skb_copy_expand(skb, DM_TX_OVERHEAD, 0, flags); ++ skb2 = skb_copy_expand(skb, DM_TX_OVERHEAD, pad, flags); + dev_kfree_skb_any(skb); + skb = skb2; + if (!skb) +@@ -495,10 +506,10 @@ static struct sk_buff *dm9601_tx_fixup(s + + __skb_push(skb, DM_TX_OVERHEAD); + +- /* usbnet adds padding if length is a multiple of packet size +- if so, adjust length value in header */ +- if ((skb->len % dev->maxpacket) == 0) +- len++; ++ if (pad) { ++ memset(skb->data + skb->len, 0, pad); ++ __skb_put(skb, pad); ++ } + + skb->data[0] = len; + skb->data[1] = len >> 8; diff --git a/queue-3.12/drm-radeon-set-correct-pipe-config-for-hawaii-in-dce.patch b/queue-3.12/drm-radeon-set-correct-pipe-config-for-hawaii-in-dce.patch new file mode 100644 index 00000000000..31035de0ffc --- /dev/null +++ b/queue-3.12/drm-radeon-set-correct-pipe-config-for-hawaii-in-dce.patch @@ -0,0 +1,45 @@ +From 35a905282b20e556cd09f348f9c2bc8a22ea26d5 Mon Sep 17 00:00:00 2001 +From: Marek Olšák +Date: Mon, 23 Dec 2013 17:11:35 +0100 +Subject: drm/radeon: set correct pipe config for Hawaii in DCE + +From: Marek Olšák + +commit 35a905282b20e556cd09f348f9c2bc8a22ea26d5 upstream. + +Signed-off-by: Marek Olšák +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/atombios_crtc.c | 19 ++++++------------- + 1 file changed, 6 insertions(+), 13 deletions(-) + +--- a/drivers/gpu/drm/radeon/atombios_crtc.c ++++ b/drivers/gpu/drm/radeon/atombios_crtc.c +@@ -1180,19 +1180,12 @@ static int dce4_crtc_do_set_base(struct + fb_format |= EVERGREEN_GRPH_ARRAY_MODE(EVERGREEN_GRPH_ARRAY_1D_TILED_THIN1); + + if (rdev->family >= CHIP_BONAIRE) { +- u32 num_pipe_configs = rdev->config.cik.max_tile_pipes; +- u32 num_rb = rdev->config.cik.max_backends_per_se; +- if (num_pipe_configs > 8) +- num_pipe_configs = 8; +- if (num_pipe_configs == 8) +- fb_format |= CIK_GRPH_PIPE_CONFIG(CIK_ADDR_SURF_P8_32x32_16x16); +- else if (num_pipe_configs == 4) { +- if (num_rb == 4) +- fb_format |= CIK_GRPH_PIPE_CONFIG(CIK_ADDR_SURF_P4_16x16); +- else if (num_rb < 4) +- fb_format |= CIK_GRPH_PIPE_CONFIG(CIK_ADDR_SURF_P4_8x16); +- } else if (num_pipe_configs == 2) +- fb_format |= CIK_GRPH_PIPE_CONFIG(CIK_ADDR_SURF_P2); ++ /* Read the pipe config from the 2D TILED SCANOUT mode. ++ * It should be the same for the other modes too, but not all ++ * modes set the pipe config field. */ ++ u32 pipe_config = (rdev->config.cik.tile_mode_array[10] >> 6) & 0x1f; ++ ++ fb_format |= CIK_GRPH_PIPE_CONFIG(pipe_config); + } else if ((rdev->family == CHIP_TAHITI) || + (rdev->family == CHIP_PITCAIRN)) + fb_format |= SI_GRPH_PIPE_CONFIG(SI_ADDR_SURF_P8_32x32_8x16); diff --git a/queue-3.12/kvm-nvmx-unconditionally-uninit-the-mmu-on-nested-vmexit.patch b/queue-3.12/kvm-nvmx-unconditionally-uninit-the-mmu-on-nested-vmexit.patch new file mode 100644 index 00000000000..d95c6723217 --- /dev/null +++ b/queue-3.12/kvm-nvmx-unconditionally-uninit-the-mmu-on-nested-vmexit.patch @@ -0,0 +1,38 @@ +From 29bf08f12b2fd72b882da0d85b7385e4a438a297 Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Sat, 28 Dec 2013 16:31:52 +0100 +Subject: KVM: nVMX: Unconditionally uninit the MMU on nested vmexit + +From: Jan Kiszka + +commit 29bf08f12b2fd72b882da0d85b7385e4a438a297 upstream. + +Three reasons for doing this: 1. arch.walk_mmu points to arch.mmu anyway +in case nested EPT wasn't in use. 2. this aligns VMX with SVM. But 3. is +most important: nested_cpu_has_ept(vmcs12) queries the VMCS page, and if +one guest VCPU manipulates the page of another VCPU in L2, we may be +fooled to skip over the nested_ept_uninit_mmu_context, leaving mmu in +nested state. That can crash the host later on if nested_ept_get_cr3 is +invoked while L1 already left vmxon and nested.current_vmcs12 became +NULL therefore. + +Signed-off-by: Jan Kiszka +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/vmx.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kvm/vmx.c ++++ b/arch/x86/kvm/vmx.c +@@ -8218,8 +8218,7 @@ static void load_vmcs12_host_state(struc + vcpu->arch.cr4_guest_owned_bits = ~vmcs_readl(CR4_GUEST_HOST_MASK); + kvm_set_cr4(vcpu, vmcs12->host_cr4); + +- if (nested_cpu_has_ept(vmcs12)) +- nested_ept_uninit_mmu_context(vcpu); ++ nested_ept_uninit_mmu_context(vcpu); + + kvm_set_cr3(vcpu, vmcs12->host_cr3); + kvm_mmu_reset_context(vcpu); diff --git a/queue-3.12/kvm-x86-fix-apic-map-calculation-after-re-enabling.patch b/queue-3.12/kvm-x86-fix-apic-map-calculation-after-re-enabling.patch new file mode 100644 index 00000000000..009dce61422 --- /dev/null +++ b/queue-3.12/kvm-x86-fix-apic-map-calculation-after-re-enabling.patch @@ -0,0 +1,48 @@ +From e66d2ae7c67bd9ac982a3d1890564de7f7eabf4b Mon Sep 17 00:00:00 2001 +From: Jan Kiszka +Date: Sun, 29 Dec 2013 02:29:30 +0100 +Subject: KVM: x86: Fix APIC map calculation after re-enabling + +From: Jan Kiszka + +commit e66d2ae7c67bd9ac982a3d1890564de7f7eabf4b upstream. + +Update arch.apic_base before triggering recalculate_apic_map. Otherwise +the recalculation will work against the previous state of the APIC and +will fail to build the correct map when an APIC is hardware-enabled +again. + +This fixes a regression of 1e08ec4a13. + +Signed-off-by: Jan Kiszka +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/lapic.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/lapic.c ++++ b/arch/x86/kvm/lapic.c +@@ -1350,6 +1350,10 @@ void kvm_lapic_set_base(struct kvm_vcpu + return; + } + ++ if (!kvm_vcpu_is_bsp(apic->vcpu)) ++ value &= ~MSR_IA32_APICBASE_BSP; ++ vcpu->arch.apic_base = value; ++ + /* update jump label if enable bit changes */ + if ((vcpu->arch.apic_base ^ value) & MSR_IA32_APICBASE_ENABLE) { + if (value & MSR_IA32_APICBASE_ENABLE) +@@ -1359,10 +1363,6 @@ void kvm_lapic_set_base(struct kvm_vcpu + recalculate_apic_map(vcpu->kvm); + } + +- if (!kvm_vcpu_is_bsp(apic->vcpu)) +- value &= ~MSR_IA32_APICBASE_BSP; +- +- vcpu->arch.apic_base = value; + if ((old_value ^ value) & X2APIC_ENABLE) { + if (value & X2APIC_ENABLE) { + u32 id = kvm_apic_id(apic); diff --git a/queue-3.12/power_supply-fix-oops-from-null-pointer-dereference-from-wakeup_source_activate.patch b/queue-3.12/power_supply-fix-oops-from-null-pointer-dereference-from-wakeup_source_activate.patch new file mode 100644 index 00000000000..24993502cb9 --- /dev/null +++ b/queue-3.12/power_supply-fix-oops-from-null-pointer-dereference-from-wakeup_source_activate.patch @@ -0,0 +1,128 @@ +From 80c6463e2fa3377febfc98a6672d92d07f3c26c1 Mon Sep 17 00:00:00 2001 +From: Shuah Khan +Date: Fri, 22 Nov 2013 10:54:28 -0700 +Subject: power_supply: Fix Oops from NULL pointer dereference from wakeup_source_activate + +From: Shuah Khan + +commit 80c6463e2fa3377febfc98a6672d92d07f3c26c1 upstream. + +power_supply_register() calls device_init_wakeup() to register a wakeup +source before initializing dev_name. As a result, device_wakeup_enable() +end up registering wakeup source with a null name when +wakeup_source_register() gets called with dev_name(dev) which is null at +the time. + +When kernel is booted with wakeup_source_activate enabled, it will panic +when the trace point code tries to dereference ws->name. + +Fixed the problem by moving up the kobject_set_name() call prior to +accesses to dev_name(). Replaced kobject_set_name() with dev_set_name() +which is the right interface to be called from drivers. Fixed the call to +device_del() prior to device_add() in for wakeup_init_failed error +handling code. + +Trace after the change: + + bash-2143 [003] d... 132.280697: wakeup_source_activate: BAT1 state=0x20001 + kworker/3:2-1169 [003] d... 132.281305: wakeup_source_deactivate: BAT1 state=0x30000 + +Oops message: + +[ 819.769934] device: 'BAT1': device_add +[ 819.770078] PM: Adding info for No Bus:BAT1 +[ 819.770235] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 819.770435] IP: [] skip_spaces+0x30/0x30 +[ 819.770572] PGD 3efd90067 PUD 3eff61067 PMD 0 +[ 819.770716] Oops: 0000 [#1] SMP +[ 819.770829] Modules linked in: arc4 iwldvm mac80211 x86_pkg_temp_thermal coretemp kvm_intel joydev i915 kvm uvcvideo ghash_clmulni_intel videobuf2_vmalloc aesni_intel videobuf2_memops videobuf2_core aes_x86_64 ablk_helper cryptd videodev iwlwifi lrw rfcomm gf128mul glue_helper bnep btusb media bluetooth parport_pc hid_generic ppdev snd_hda_codec_hdmi drm_kms_helper snd_hda_codec_realtek cfg80211 drm tpm_infineon samsung_laptop snd_hda_intel usbhid snd_hda_codec hid snd_hwdep snd_pcm microcode snd_page_alloc snd_timer psmouse i2c_algo_bit lpc_ich tpm_tis video wmi mac_hid serio_raw ext2 lp parport r8169 mii +[ 819.771802] CPU: 0 PID: 2167 Comm: bash Not tainted 3.12.0+ #25 +[ 819.771876] Hardware name: SAMSUNG ELECTRONICS CO., LTD. 900X3C/900X3D/900X4C/900X4D/SAMSUNG_NP1234567890, BIOS P03AAC 07/12/2012 +[ 819.772022] task: ffff88002e6ddcc0 ti: ffff8804015ca000 task.ti: ffff8804015ca000 +[ 819.772119] RIP: 0010:[] [] skip_spaces+0x30/0x30 +[ 819.772242] RSP: 0018:ffff8804015cbc70 EFLAGS: 00010046 +[ 819.772310] RAX: 0000000000000003 RBX: ffff88040cfd6d40 RCX: 0000000000000018 +[ 819.772397] RDX: 0000000000020001 RSI: 0000000000000000 RDI: 0000000000000000 +[ 819.772484] RBP: ffff8804015cbcc0 R08: 0000000000000000 R09: ffff8803f0768d40 +[ 819.772570] R10: ffffea001033b800 R11: 0000000000000000 R12: ffffffff81c519c0 +[ 819.772656] R13: 0000000000020001 R14: 0000000000000000 R15: 0000000000020001 +[ 819.772744] FS: 00007ff98309b740(0000) GS:ffff88041f200000(0000) knlGS:0000000000000000 +[ 819.772845] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 +[ 819.772917] CR2: 0000000000000000 CR3: 00000003f59dc000 CR4: 00000000001407f0 +[ 819.773001] Stack: +[ 819.773030] ffffffff81114003 ffff8804015cbcb0 0000000000000000 0000000000000046 +[ 819.773146] ffff880409757a18 ffff8803f065a160 0000000000000000 0000000000020001 +[ 819.773273] 0000000000000000 0000000000000000 ffff8804015cbce8 ffffffff8143e388 +[ 819.773387] Call Trace: +[ 819.773434] [] ? ftrace_raw_event_wakeup_source+0x43/0xe0 +[ 819.773520] [] wakeup_source_report_event+0xb8/0xd0 +[ 819.773595] [] __pm_stay_awake+0x2d/0x50 +[ 819.773724] [] power_supply_changed+0x3c/0x90 +[ 819.773795] [] power_supply_register+0x18c/0x250 +[ 819.773869] [] sysfs_add_battery+0x61/0x7b +[ 819.773935] [] battery_notify+0x37/0x3f +[ 819.774001] [] notifier_call_chain+0x4c/0x70 +[ 819.774071] [] __blocking_notifier_call_chain+0x4d/0x70 +[ 819.774149] [] blocking_notifier_call_chain+0x16/0x20 +[ 819.774227] [] pm_notifier_call_chain+0x1a/0x40 +[ 819.774316] [] hibernate+0x66/0x1c0 +[ 819.774407] [] state_store+0x71/0xa0 +[ 819.774507] [] kobj_attr_store+0xf/0x20 +[ 819.774613] [] sysfs_write_file+0x128/0x1c0 +[ 819.774735] [] vfs_write+0xbd/0x1e0 +[ 819.774841] [] SyS_write+0x49/0xa0 +[ 819.774939] [] system_call_fastpath+0x16/0x1b +[ 819.775055] Code: 89 f8 48 89 e5 f6 82 c0 a6 84 81 20 74 15 0f 1f 44 00 00 48 83 c0 01 0f b6 10 f6 82 c0 a6 84 81 20 75 f0 5d c3 66 0f 1f 44 00 00 <80> 3f 00 55 48 89 e5 74 15 48 89 f8 0f 1f 40 00 48 83 c0 01 80 +[ 819.775760] RIP [] skip_spaces+0x30/0x30 +[ 819.775881] RSP +[ 819.775949] CR2: 0000000000000000 +[ 819.794175] ---[ end trace c4ef25127039952e ]--- + +Signed-off-by: Shuah Khan +Acked-by: Anton Vorontsov +Acked-by: Greg Kroah-Hartman +Signed-off-by: Anton Vorontsov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/power/power_supply_core.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/drivers/power/power_supply_core.c ++++ b/drivers/power/power_supply_core.c +@@ -511,6 +511,10 @@ int power_supply_register(struct device + dev_set_drvdata(dev, psy); + psy->dev = dev; + ++ rc = dev_set_name(dev, "%s", psy->name); ++ if (rc) ++ goto dev_set_name_failed; ++ + INIT_WORK(&psy->changed_work, power_supply_changed_work); + + rc = power_supply_check_supplies(psy); +@@ -524,10 +528,6 @@ int power_supply_register(struct device + if (rc) + goto wakeup_init_failed; + +- rc = kobject_set_name(&dev->kobj, "%s", psy->name); +- if (rc) +- goto kobject_set_name_failed; +- + rc = device_add(dev); + if (rc) + goto device_add_failed; +@@ -553,11 +553,11 @@ create_triggers_failed: + register_cooler_failed: + psy_unregister_thermal(psy); + register_thermal_failed: +-wakeup_init_failed: + device_del(dev); +-kobject_set_name_failed: + device_add_failed: ++wakeup_init_failed: + check_supplies_failed: ++dev_set_name_failed: + put_device(dev); + success: + return rc; diff --git a/queue-3.12/powerpc-align-p_end.patch b/queue-3.12/powerpc-align-p_end.patch new file mode 100644 index 00000000000..e9d40cfc7bb --- /dev/null +++ b/queue-3.12/powerpc-align-p_end.patch @@ -0,0 +1,34 @@ +From 286e4f90a72c0b0621dde0294af6ed4b0baddabb Mon Sep 17 00:00:00 2001 +From: Anton Blanchard +Date: Mon, 23 Dec 2013 12:19:51 +1100 +Subject: powerpc: Align p_end + +From: Anton Blanchard + +commit 286e4f90a72c0b0621dde0294af6ed4b0baddabb upstream. + +p_end is an 8 byte value embedded in the text section. This means it +is only 4 byte aligned when it should be 8 byte aligned. Fix this +by adding an explicit alignment. + +This fixes an issue where POWER7 little endian builds with +CONFIG_RELOCATABLE=y fail to boot. + +Signed-off-by: Anton Blanchard +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/kernel/head_64.S | 1 + + 1 file changed, 1 insertion(+) + +--- a/arch/powerpc/kernel/head_64.S ++++ b/arch/powerpc/kernel/head_64.S +@@ -467,6 +467,7 @@ _STATIC(__after_prom_start) + mtctr r8 + bctr + ++.balign 8 + p_end: .llong _end - _stext + + 4: /* Now copy the rest of the kernel up to _end */ diff --git a/queue-3.12/powerpc-fix-bad-stack-check-in-exception-entry.patch b/queue-3.12/powerpc-fix-bad-stack-check-in-exception-entry.patch new file mode 100644 index 00000000000..1a77b581974 --- /dev/null +++ b/queue-3.12/powerpc-fix-bad-stack-check-in-exception-entry.patch @@ -0,0 +1,42 @@ +From 90ff5d688e61f49f23545ffab6228bd7e87e6dc7 Mon Sep 17 00:00:00 2001 +From: Michael Neuling +Date: Mon, 16 Dec 2013 15:12:43 +1100 +Subject: powerpc: Fix bad stack check in exception entry + +From: Michael Neuling + +commit 90ff5d688e61f49f23545ffab6228bd7e87e6dc7 upstream. + +In EXCEPTION_PROLOG_COMMON() we check to see if the stack pointer (r1) +is valid when coming from the kernel. If it's not valid, we die but +with a nice oops message. + +Currently we allocate a stack frame (subtract INT_FRAME_SIZE) before we +check to see if the stack pointer is negative. Unfortunately, this +won't detect a bad stack where r1 is less than INT_FRAME_SIZE. + +This patch fixes the check to compare the modified r1 with +-INT_FRAME_SIZE. With this, bad kernel stack pointers (including NULL +pointers) are correctly detected again. + +Kudos to Paulus for finding this. + +Signed-off-by: Michael Neuling +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/exception-64s.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/powerpc/include/asm/exception-64s.h ++++ b/arch/powerpc/include/asm/exception-64s.h +@@ -265,7 +265,7 @@ do_kvm_##n: \ + subi r1,r1,INT_FRAME_SIZE; /* alloc frame on kernel stack */ \ + beq- 1f; \ + ld r1,PACAKSAVE(r13); /* kernel stack to use */ \ +-1: cmpdi cr1,r1,0; /* check if r1 is in userspace */ \ ++1: cmpdi cr1,r1,-INT_FRAME_SIZE; /* check if r1 is in userspace */ \ + blt+ cr1,3f; /* abort if it is */ \ + li r1,(n); /* will be reloaded later */ \ + sth r1,PACA_TRAP_SAVE(r13); \ diff --git a/queue-3.12/series b/queue-3.12/series index 196f9efc8e0..9f9b2b5bb85 100644 --- a/queue-3.12/series +++ b/queue-3.12/series @@ -78,3 +78,18 @@ drm-radeon-fix-uvd-256mb-check.patch drm-radeon-fix-render-backend-setup-for-si-and-cik.patch drm-radeon-expose-render-backend-mask-to-the-userspace.patch drm-radeon-0x9649-is-sumo2-not-sumo.patch +drm-radeon-set-correct-pipe-config-for-hawaii-in-dce.patch +ceph-avoid-data-inconsistency-due-to-d-cache-aliasing-in-readpage.patch +tg3-expand-4g_overflow_test-workaround-to-skb-fragments-of-any-size.patch +cgroup-fix-cgroup_create-error-handling-path.patch +auxvec.h-account-for-at_hwcap2-in-at_vector_size_base.patch +dm9601-fix-reception-of-full-size-ethernet-frames-on-dm9620-dm9621a.patch +dm9601-work-around-tx-fifo-sync-issue-on-dm962x.patch +ath9k-fix-interrupt-handling-for-the-ar9002-family.patch +ath9k_htc-properly-set-mac-address-and-bssid-mask.patch +kvm-nvmx-unconditionally-uninit-the-mmu-on-nested-vmexit.patch +kvm-x86-fix-apic-map-calculation-after-re-enabling.patch +powerpc-fix-bad-stack-check-in-exception-entry.patch +powerpc-align-p_end.patch +cpupower-fix-segfault-due-to-incorrect-getopt_long-arugments.patch +power_supply-fix-oops-from-null-pointer-dereference-from-wakeup_source_activate.patch diff --git a/queue-3.12/tg3-expand-4g_overflow_test-workaround-to-skb-fragments-of-any-size.patch b/queue-3.12/tg3-expand-4g_overflow_test-workaround-to-skb-fragments-of-any-size.patch new file mode 100644 index 00000000000..8c450bcdf5e --- /dev/null +++ b/queue-3.12/tg3-expand-4g_overflow_test-workaround-to-skb-fragments-of-any-size.patch @@ -0,0 +1,35 @@ +From 375679104ab3ccfd18dcbd7ba503734fb9a2c63a Mon Sep 17 00:00:00 2001 +From: Nithin Sujir +Date: Thu, 19 Dec 2013 17:44:11 -0800 +Subject: tg3: Expand 4g_overflow_test workaround to skb fragments of any size. + +From: Nithin Sujir + +commit 375679104ab3ccfd18dcbd7ba503734fb9a2c63a upstream. + +The current driver assumes that an skb fragment can only be upto jumbo +size. Presumably this was a fast-path optimization. This assumption is +no longer true as fragments can be upto 32k. + +v2: Remove unnecessary parantheses per Eric Dumazet. + +Signed-off-by: Nithin Nayak Sujir +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/broadcom/tg3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/ethernet/broadcom/tg3.c ++++ b/drivers/net/ethernet/broadcom/tg3.c +@@ -7608,7 +7608,7 @@ static inline int tg3_4g_overflow_test(d + { + u32 base = (u32) mapping & 0xffffffff; + +- return (base > 0xffffdcc0) && (base + len + 8 < base); ++ return base + len + 8 < base; + } + + /* Test for TSO DMA buffers that cross into regions which are within MSS bytes