From: Greg Kroah-Hartman Date: Tue, 15 Dec 2009 23:44:12 +0000 (-0800) Subject: more .32 patches X-Git-Tag: v2.6.27.42~21 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c71fdf67ad9f2b8b8f9d030b6a6867bbd5ec7847;p=thirdparty%2Fkernel%2Fstable-queue.git more .32 patches --- diff --git a/queue-2.6.32/alsa-hda-terradici-hda-controllers-does-not-support-64-bit-mode.patch b/queue-2.6.32/alsa-hda-terradici-hda-controllers-does-not-support-64-bit-mode.patch new file mode 100644 index 00000000000..f1852e69110 --- /dev/null +++ b/queue-2.6.32/alsa-hda-terradici-hda-controllers-does-not-support-64-bit-mode.patch @@ -0,0 +1,33 @@ +From 396087eaead95fcb29eb36f1e59517aeb58c545e Mon Sep 17 00:00:00 2001 +From: Jaroslav Kysela +Date: Wed, 9 Dec 2009 10:44:47 +0100 +Subject: ALSA: hda - Terradici HDA controllers does not support 64-bit mode + +From: Jaroslav Kysela + +commit 396087eaead95fcb29eb36f1e59517aeb58c545e upstream. + +Confirmed from vendor and tests in RedHat bugzilla #536782 . + +Signed-off-by: Jaroslav Kysela +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2436,6 +2436,11 @@ static int __devinit azx_create(struct s + } + } + ++ /* disable 64bit DMA address for Teradici */ ++ /* it does not work with device 6549:1200 subsys e4a2:040b */ ++ if (chip->driver_type == AZX_DRIVER_TERA) ++ gcap &= ~ICH6_GCAP_64OK; ++ + /* allow 64bit DMA address if supported by H/W */ + if ((gcap & ICH6_GCAP_64OK) && !pci_set_dma_mask(pci, DMA_BIT_MASK(64))) + pci_set_consistent_dma_mask(pci, DMA_BIT_MASK(64)); diff --git a/queue-2.6.32/alsa-hrtimer-fix-lock-up.patch b/queue-2.6.32/alsa-hrtimer-fix-lock-up.patch new file mode 100644 index 00000000000..a0276aee161 --- /dev/null +++ b/queue-2.6.32/alsa-hrtimer-fix-lock-up.patch @@ -0,0 +1,78 @@ +From fcfdebe70759c74e2e701f69aaa7f0e5e32cf5a6 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Fri, 11 Dec 2009 12:51:05 +0100 +Subject: ALSA: hrtimer - Fix lock-up + +From: Takashi Iwai + +commit fcfdebe70759c74e2e701f69aaa7f0e5e32cf5a6 upstream. + +The timer stop callback can be called from snd_timer_interrupt(), which +is called from the hrtimer callback. Since hrtimer_cancel() waits for +the callback completion, this eventually results in a lock-up. + +This patch fixes the problem by just toggling a flag at stop callback +and call hrtimer_cancel() later. + +Reported-and-tested-by: Wojtek Zabolotny +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/core/hrtimer.c | 15 +++++++++++++-- + 1 file changed, 13 insertions(+), 2 deletions(-) + +--- a/sound/core/hrtimer.c ++++ b/sound/core/hrtimer.c +@@ -37,14 +37,22 @@ static unsigned int resolution; + struct snd_hrtimer { + struct snd_timer *timer; + struct hrtimer hrt; ++ atomic_t running; + }; + + static enum hrtimer_restart snd_hrtimer_callback(struct hrtimer *hrt) + { + struct snd_hrtimer *stime = container_of(hrt, struct snd_hrtimer, hrt); + struct snd_timer *t = stime->timer; ++ ++ if (!atomic_read(&stime->running)) ++ return HRTIMER_NORESTART; ++ + hrtimer_forward_now(hrt, ns_to_ktime(t->sticks * resolution)); + snd_timer_interrupt(stime->timer, t->sticks); ++ ++ if (!atomic_read(&stime->running)) ++ return HRTIMER_NORESTART; + return HRTIMER_RESTART; + } + +@@ -58,6 +66,7 @@ static int snd_hrtimer_open(struct snd_t + hrtimer_init(&stime->hrt, CLOCK_MONOTONIC, HRTIMER_MODE_REL); + stime->timer = t; + stime->hrt.function = snd_hrtimer_callback; ++ atomic_set(&stime->running, 0); + t->private_data = stime; + return 0; + } +@@ -78,16 +87,18 @@ static int snd_hrtimer_start(struct snd_ + { + struct snd_hrtimer *stime = t->private_data; + ++ atomic_set(&stime->running, 0); ++ hrtimer_cancel(&stime->hrt); + hrtimer_start(&stime->hrt, ns_to_ktime(t->sticks * resolution), + HRTIMER_MODE_REL); ++ atomic_set(&stime->running, 1); + return 0; + } + + static int snd_hrtimer_stop(struct snd_timer *t) + { + struct snd_hrtimer *stime = t->private_data; +- +- hrtimer_cancel(&stime->hrt); ++ atomic_set(&stime->running, 0); + return 0; + } + diff --git a/queue-2.6.32/ath5k-allow-setting-txpower-to-0.patch b/queue-2.6.32/ath5k-allow-setting-txpower-to-0.patch new file mode 100644 index 00000000000..cc520e4135f --- /dev/null +++ b/queue-2.6.32/ath5k-allow-setting-txpower-to-0.patch @@ -0,0 +1,37 @@ +From 2eb2fa67e5462a36e98172fb92c78bc405b3035f Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Mon, 16 Nov 2009 08:30:29 -0500 +Subject: ath5k: allow setting txpower to 0 + +From: Bob Copeland + +commit 2eb2fa67e5462a36e98172fb92c78bc405b3035f upstream. + +As a holdover from earlier code when we used to set +the power limit to '0' after a reset to configure the +default transmit power, ath5k interprets txpower=0 as +12.5 dBm. Fix that by just passing 0 through. + +This fixes http://bugzilla.kernel.org/show_bug.cgi?id=14567 + +Reported-by: Daniel Folkers +Tested-by: Daniel Folkers +Signed-off-by: Bob Copeland +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/phy.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/phy.c ++++ b/drivers/net/wireless/ath/ath5k/phy.c +@@ -2954,8 +2954,6 @@ ath5k_hw_txpower(struct ath5k_hw *ah, st + ATH5K_ERR(ah->ah_sc, "invalid tx power: %u\n", txpower); + return -EINVAL; + } +- if (txpower == 0) +- txpower = AR5K_TUNE_DEFAULT_TXPOWER; + + /* Reset TX power values */ + memset(&ah->ah_txpower, 0, sizeof(ah->ah_txpower)); diff --git a/queue-2.6.32/ath5k-enable-eeprom-checksum-check.patch b/queue-2.6.32/ath5k-enable-eeprom-checksum-check.patch new file mode 100644 index 00000000000..8fc477d186e --- /dev/null +++ b/queue-2.6.32/ath5k-enable-eeprom-checksum-check.patch @@ -0,0 +1,64 @@ +From 512414b0bed0d376ac4d5ec1dd6f0b1a3551febc Mon Sep 17 00:00:00 2001 +From: Luis R. Rodriguez +Date: Wed, 25 Nov 2009 17:23:26 -0500 +Subject: ath5k: enable EEPROM checksum check + +From: Luis R. Rodriguez + +commit 512414b0bed0d376ac4d5ec1dd6f0b1a3551febc upstream. + +Without this we have no gaurantee of the integrity of the +EEPROM and are likely to encounter a lot of bogus bug reports +due to actual issues on the EEPROM. With the EEPROM checksum +check in place we can easily rule those issues out. + +If you run patch during a revert *you* have a card with a busted +EEPROM and only older kernel will support that concoction. This +patch is a trade off between not accepitng bogus EEPROMs and +avoiding bogus bug reports allowing developers to focus instead +on real concrete issues. + +If stable keeps bogus bug reports because of a possibly busted EEPROM +feel free to apply this there too. + +Tested on an AR5414 + +Cc: jirislaby@gmail.com +Cc: akpm@linux-foundation.org +Cc: rjw@sisk.pl +Cc: me@bobcopeland.com +Cc: david.quan@atheros.com +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/eeprom.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/eeprom.c ++++ b/drivers/net/wireless/ath/ath5k/eeprom.c +@@ -97,6 +97,7 @@ ath5k_eeprom_init_header(struct ath5k_hw + struct ath5k_eeprom_info *ee = &ah->ah_capabilities.cap_eeprom; + int ret; + u16 val; ++ u32 cksum, offset; + + /* + * Read values from EEPROM and store them in the capability structure +@@ -111,7 +112,6 @@ ath5k_eeprom_init_header(struct ath5k_hw + if (ah->ah_ee_version < AR5K_EEPROM_VERSION_3_0) + return 0; + +-#ifdef notyet + /* + * Validate the checksum of the EEPROM date. There are some + * devices with invalid EEPROMs. +@@ -124,7 +124,6 @@ ath5k_eeprom_init_header(struct ath5k_hw + ATH5K_ERR(ah->ah_sc, "Invalid EEPROM checksum 0x%04x\n", cksum); + return -EIO; + } +-#endif + + AR5K_EEPROM_READ_HDR(AR5K_EEPROM_ANT_GAIN(ah->ah_ee_version), + ee_ant_gain); diff --git a/queue-2.6.32/bsdacct-fix-uid-gid-misreporting.patch b/queue-2.6.32/bsdacct-fix-uid-gid-misreporting.patch new file mode 100644 index 00000000000..98628d8ed85 --- /dev/null +++ b/queue-2.6.32/bsdacct-fix-uid-gid-misreporting.patch @@ -0,0 +1,43 @@ +From 4b731d50ff3df6b9141a6c12b088e8eb0109e83c Mon Sep 17 00:00:00 2001 +From: Alexey Dobriyan +Date: Mon, 14 Dec 2009 17:57:34 -0800 +Subject: bsdacct: fix uid/gid misreporting + +From: Alexey Dobriyan + +commit 4b731d50ff3df6b9141a6c12b088e8eb0109e83c upstream. + +commit d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 "bsdacct: switch +credentials for writing to the accounting file" introduced credential +switching during final acct data collecting. However, uid/gid pair +continued to be collected from current which became credentials of who +created acct file, not who exits. + +Addresses http://bugzilla.kernel.org/show_bug.cgi?id=14676 + +Signed-off-by: Alexey Dobriyan +Reported-by: Juho K. Juopperi +Acked-by: Serge Hallyn +Acked-by: David Howells +Reviewed-by: Michal Schmidt +Cc: James Morris +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/acct.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/acct.c ++++ b/kernel/acct.c +@@ -536,7 +536,8 @@ static void do_acct_process(struct bsd_a + do_div(elapsed, AHZ); + ac.ac_btime = get_seconds() - elapsed; + /* we really need to bite the bullet and change layout */ +- current_uid_gid(&ac.ac_uid, &ac.ac_gid); ++ ac.ac_uid = orig_cred->uid; ++ ac.ac_gid = orig_cred->gid; + #if ACCT_VERSION==2 + ac.ac_ahz = AHZ; + #endif diff --git a/queue-2.6.32/debugfs-fix-create-mutex-racy-fops-and-private-data.patch b/queue-2.6.32/debugfs-fix-create-mutex-racy-fops-and-private-data.patch new file mode 100644 index 00000000000..583e8f42cdf --- /dev/null +++ b/queue-2.6.32/debugfs-fix-create-mutex-racy-fops-and-private-data.patch @@ -0,0 +1,169 @@ +From d3a3b0adad0865c12e39b712ca89efbd0a3a0dbc Mon Sep 17 00:00:00 2001 +From: Mathieu Desnoyers +Date: Tue, 17 Nov 2009 14:40:26 -0800 +Subject: debugfs: fix create mutex racy fops and private data + +From: Mathieu Desnoyers + +commit d3a3b0adad0865c12e39b712ca89efbd0a3a0dbc upstream. + +Setting fops and private data outside of the mutex at debugfs file +creation introduces a race where the files can be opened with the wrong +file operations and private data. It is easy to trigger with a process +waiting on file creation notification. + +Signed-off-by: Mathieu Desnoyers +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + fs/debugfs/inode.c | 55 ++++++++++++++++++++++++++++++----------------------- + 1 file changed, 32 insertions(+), 23 deletions(-) + +--- a/fs/debugfs/inode.c ++++ b/fs/debugfs/inode.c +@@ -32,7 +32,9 @@ static struct vfsmount *debugfs_mount; + static int debugfs_mount_count; + static bool debugfs_registered; + +-static struct inode *debugfs_get_inode(struct super_block *sb, int mode, dev_t dev) ++static struct inode *debugfs_get_inode(struct super_block *sb, int mode, dev_t dev, ++ void *data, const struct file_operations *fops) ++ + { + struct inode *inode = new_inode(sb); + +@@ -44,14 +46,18 @@ static struct inode *debugfs_get_inode(s + init_special_inode(inode, mode, dev); + break; + case S_IFREG: +- inode->i_fop = &debugfs_file_operations; ++ inode->i_fop = fops ? fops : &debugfs_file_operations; ++ inode->i_private = data; + break; + case S_IFLNK: + inode->i_op = &debugfs_link_operations; ++ inode->i_fop = fops; ++ inode->i_private = data; + break; + case S_IFDIR: + inode->i_op = &simple_dir_inode_operations; +- inode->i_fop = &simple_dir_operations; ++ inode->i_fop = fops ? fops : &simple_dir_operations; ++ inode->i_private = data; + + /* directory inodes start off with i_nlink == 2 + * (for "." entry) */ +@@ -64,7 +70,8 @@ static struct inode *debugfs_get_inode(s + + /* SMP-safe */ + static int debugfs_mknod(struct inode *dir, struct dentry *dentry, +- int mode, dev_t dev) ++ int mode, dev_t dev, void *data, ++ const struct file_operations *fops) + { + struct inode *inode; + int error = -EPERM; +@@ -72,7 +79,7 @@ static int debugfs_mknod(struct inode *d + if (dentry->d_inode) + return -EEXIST; + +- inode = debugfs_get_inode(dir->i_sb, mode, dev); ++ inode = debugfs_get_inode(dir->i_sb, mode, dev, data, fops); + if (inode) { + d_instantiate(dentry, inode); + dget(dentry); +@@ -81,12 +88,13 @@ static int debugfs_mknod(struct inode *d + return error; + } + +-static int debugfs_mkdir(struct inode *dir, struct dentry *dentry, int mode) ++static int debugfs_mkdir(struct inode *dir, struct dentry *dentry, int mode, ++ void *data, const struct file_operations *fops) + { + int res; + + mode = (mode & (S_IRWXUGO | S_ISVTX)) | S_IFDIR; +- res = debugfs_mknod(dir, dentry, mode, 0); ++ res = debugfs_mknod(dir, dentry, mode, 0, data, fops); + if (!res) { + inc_nlink(dir); + fsnotify_mkdir(dir, dentry); +@@ -94,18 +102,20 @@ static int debugfs_mkdir(struct inode *d + return res; + } + +-static int debugfs_link(struct inode *dir, struct dentry *dentry, int mode) ++static int debugfs_link(struct inode *dir, struct dentry *dentry, int mode, ++ void *data, const struct file_operations *fops) + { + mode = (mode & S_IALLUGO) | S_IFLNK; +- return debugfs_mknod(dir, dentry, mode, 0); ++ return debugfs_mknod(dir, dentry, mode, 0, data, fops); + } + +-static int debugfs_create(struct inode *dir, struct dentry *dentry, int mode) ++static int debugfs_create(struct inode *dir, struct dentry *dentry, int mode, ++ void *data, const struct file_operations *fops) + { + int res; + + mode = (mode & S_IALLUGO) | S_IFREG; +- res = debugfs_mknod(dir, dentry, mode, 0); ++ res = debugfs_mknod(dir, dentry, mode, 0, data, fops); + if (!res) + fsnotify_create(dir, dentry); + return res; +@@ -139,7 +149,9 @@ static struct file_system_type debug_fs_ + + static int debugfs_create_by_name(const char *name, mode_t mode, + struct dentry *parent, +- struct dentry **dentry) ++ struct dentry **dentry, ++ void *data, ++ const struct file_operations *fops) + { + int error = 0; + +@@ -164,13 +176,16 @@ static int debugfs_create_by_name(const + if (!IS_ERR(*dentry)) { + switch (mode & S_IFMT) { + case S_IFDIR: +- error = debugfs_mkdir(parent->d_inode, *dentry, mode); ++ error = debugfs_mkdir(parent->d_inode, *dentry, mode, ++ data, fops); + break; + case S_IFLNK: +- error = debugfs_link(parent->d_inode, *dentry, mode); ++ error = debugfs_link(parent->d_inode, *dentry, mode, ++ data, fops); + break; + default: +- error = debugfs_create(parent->d_inode, *dentry, mode); ++ error = debugfs_create(parent->d_inode, *dentry, mode, ++ data, fops); + break; + } + dput(*dentry); +@@ -221,19 +236,13 @@ struct dentry *debugfs_create_file(const + if (error) + goto exit; + +- error = debugfs_create_by_name(name, mode, parent, &dentry); ++ error = debugfs_create_by_name(name, mode, parent, &dentry, ++ data, fops); + if (error) { + dentry = NULL; + simple_release_fs(&debugfs_mount, &debugfs_mount_count); + goto exit; + } +- +- if (dentry->d_inode) { +- if (data) +- dentry->d_inode->i_private = data; +- if (fops) +- dentry->d_inode->i_fop = fops; +- } + exit: + return dentry; + } diff --git a/queue-2.6.32/devpts_get_tty-should-validate-inode.patch b/queue-2.6.32/devpts_get_tty-should-validate-inode.patch new file mode 100644 index 00000000000..6fff330a992 --- /dev/null +++ b/queue-2.6.32/devpts_get_tty-should-validate-inode.patch @@ -0,0 +1,116 @@ +From edfacdd6f81119b9005615593f2cbd94b8c7e2d8 Mon Sep 17 00:00:00 2001 +From: Sukadev Bhattiprolu +Date: Tue, 17 Nov 2009 18:35:43 -0800 +Subject: devpts_get_tty() should validate inode + +From: Sukadev Bhattiprolu + +commit edfacdd6f81119b9005615593f2cbd94b8c7e2d8 upstream. + +devpts_get_tty() assumes that the inode passed in is associated with a valid +pty. But if the only reference to the pty is via a bind-mount, the inode +passed to devpts_get_tty() while valid, would refer to a pty that no longer +exists. + +With a lot of debug effort, Grzegorz Nosek developed a small program (see +below) to reproduce a crash on recent kernels. This crash is a regression +introduced by the commit: + + commit 527b3e4773628b30d03323a2cb5fb0d84441990f + Author: Sukadev Bhattiprolu + Date: Mon Oct 13 10:43:08 2008 +0100 + +To fix, ensure that the dentry associated with the inode has not yet been +deleted/unhashed by devpts_pty_kill(). + +See also: +https://lists.linux-foundation.org/pipermail/containers/2009-July/019273.html + +tty-bug.c: + +#define _GNU_SOURCE +#include +#include +#include +#include +#include +#include +#include + +#include + +void dummy(int sig) +{ +} + +static int child(void *unused) +{ + int fd; + + signal(SIGINT, dummy); signal(SIGHUP, dummy); + pause(); /* cheesy synchronisation to wait for /dev/pts/0 to appear */ + + mount("/dev/pts/0", "/dev/console", NULL, MS_BIND, NULL); + sleep(2); + + fd = open("/dev/console", O_RDWR); + dup(0); dup(0); + write(1, "Hello world!\n", sizeof("Hello world!\n")-1); + return 0; +} + +int main(void) +{ + pid_t pid; + char *stack; + + stack = malloc(16384); + pid = clone(child, stack+16384, CLONE_NEWNS|SIGCHLD, NULL); + + open("/dev/ptmx", O_RDWR|O_NOCTTY|O_NONBLOCK); + + unlockpt(fd); grantpt(fd); + + sleep(2); + kill(pid, SIGHUP); + sleep(1); + return 0; /* exit before child opens /dev/console */ +} + +Reported-by: Grzegorz Nosek +Signed-off-by: Sukadev Bhattiprolu +Tested-by: Serge Hallyn +Signed-off-by: Greg Kroah-Hartman + +--- + fs/devpts/inode.c | 16 ++++++++++++++-- + 1 file changed, 14 insertions(+), 2 deletions(-) + +--- a/fs/devpts/inode.c ++++ b/fs/devpts/inode.c +@@ -517,11 +517,23 @@ int devpts_pty_new(struct inode *ptmx_in + + struct tty_struct *devpts_get_tty(struct inode *pts_inode, int number) + { ++ struct dentry *dentry; ++ struct tty_struct *tty; ++ + BUG_ON(pts_inode->i_rdev == MKDEV(TTYAUX_MAJOR, PTMX_MINOR)); + ++ /* Ensure dentry has not been deleted by devpts_pty_kill() */ ++ dentry = d_find_alias(pts_inode); ++ if (!dentry) ++ return NULL; ++ ++ tty = NULL; + if (pts_inode->i_sb->s_magic == DEVPTS_SUPER_MAGIC) +- return (struct tty_struct *)pts_inode->i_private; +- return NULL; ++ tty = (struct tty_struct *)pts_inode->i_private; ++ ++ dput(dentry); ++ ++ return tty; + } + + void devpts_pty_kill(struct tty_struct *tty) diff --git a/queue-2.6.32/futex-take-mmap_sem-for-get_user_pages-in-fault_in_user_writeable.patch b/queue-2.6.32/futex-take-mmap_sem-for-get_user_pages-in-fault_in_user_writeable.patch new file mode 100644 index 00000000000..c235b6de18f --- /dev/null +++ b/queue-2.6.32/futex-take-mmap_sem-for-get_user_pages-in-fault_in_user_writeable.patch @@ -0,0 +1,43 @@ +From 722d0172377a5697919b9f7e5beb95165b1dec4e Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Tue, 8 Dec 2009 13:19:42 +0100 +Subject: futex: Take mmap_sem for get_user_pages in fault_in_user_writeable + +From: Andi Kleen + +commit 722d0172377a5697919b9f7e5beb95165b1dec4e upstream. + +get_user_pages() must be called with mmap_sem held. + +Signed-off-by: Andi Kleen +Cc: Andrew Morton +Cc: Nick Piggin +Cc: Darren Hart +Cc: Peter Zijlstra +LKML-Reference: <20091208121942.GA21298@basil.fritz.box> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -304,8 +304,14 @@ void put_futex_key(int fshared, union fu + */ + static int fault_in_user_writeable(u32 __user *uaddr) + { +- int ret = get_user_pages(current, current->mm, (unsigned long)uaddr, +- 1, 1, 0, NULL, NULL); ++ struct mm_struct *mm = current->mm; ++ int ret; ++ ++ down_read(&mm->mmap_sem); ++ ret = get_user_pages(current, mm, (unsigned long)uaddr, ++ 1, 1, 0, NULL, NULL); ++ up_read(&mm->mmap_sem); ++ + return ret < 0 ? ret : 0; + } + diff --git a/queue-2.6.32/hfs-fix-a-potential-buffer-overflow.patch b/queue-2.6.32/hfs-fix-a-potential-buffer-overflow.patch new file mode 100644 index 00000000000..ea43f3a606d --- /dev/null +++ b/queue-2.6.32/hfs-fix-a-potential-buffer-overflow.patch @@ -0,0 +1,95 @@ +From ec81aecb29668ad71f699f4e7b96ec46691895b6 Mon Sep 17 00:00:00 2001 +From: Amerigo Wang +Date: Mon, 14 Dec 2009 17:57:37 -0800 +Subject: hfs: fix a potential buffer overflow + +From: Amerigo Wang + +commit ec81aecb29668ad71f699f4e7b96ec46691895b6 upstream. + +A specially-crafted Hierarchical File System (HFS) filesystem could cause +a buffer overflow to occur in a process's kernel stack during a memcpy() +call within the hfs_bnode_read() function (at fs/hfs/bnode.c:24). The +attacker can provide the source buffer and length, and the destination +buffer is a local variable of a fixed length. This local variable (passed +as "&entry" from fs/hfs/dir.c:112 and allocated on line 60) is stored in +the stack frame of hfs_bnode_read()'s caller, which is hfs_readdir(). +Because the hfs_readdir() function executes upon any attempt to read a +directory on the filesystem, it gets called whenever a user attempts to +inspect any filesystem contents. + +[amwang@redhat.com: modify this patch and fix coding style problems] +Signed-off-by: WANG Cong +Cc: Eugene Teo +Cc: Roman Zippel +Cc: Al Viro +Cc: Christoph Hellwig +Cc: Alexey Dobriyan +Cc: Dave Anderson +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/hfs/catalog.c | 4 ++++ + fs/hfs/dir.c | 11 +++++++++++ + fs/hfs/super.c | 7 ++++++- + 3 files changed, 21 insertions(+), 1 deletion(-) + +--- a/fs/hfs/catalog.c ++++ b/fs/hfs/catalog.c +@@ -289,6 +289,10 @@ int hfs_cat_move(u32 cnid, struct inode + err = hfs_brec_find(&src_fd); + if (err) + goto out; ++ if (src_fd.entrylength > sizeof(entry) || src_fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } + + hfs_bnode_read(src_fd.bnode, &entry, src_fd.entryoffset, + src_fd.entrylength); +--- a/fs/hfs/dir.c ++++ b/fs/hfs/dir.c +@@ -79,6 +79,11 @@ static int hfs_readdir(struct file *filp + filp->f_pos++; + /* fall through */ + case 1: ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); + if (entry.type != HFS_CDR_THD) { + printk(KERN_ERR "hfs: bad catalog folder thread\n"); +@@ -109,6 +114,12 @@ static int hfs_readdir(struct file *filp + err = -EIO; + goto out; + } ++ ++ if (fd.entrylength > sizeof(entry) || fd.entrylength < 0) { ++ err = -EIO; ++ goto out; ++ } ++ + hfs_bnode_read(fd.bnode, &entry, fd.entryoffset, fd.entrylength); + type = entry.type; + len = hfs_mac2asc(sb, strbuf, &fd.key->cat.CName); +--- a/fs/hfs/super.c ++++ b/fs/hfs/super.c +@@ -409,8 +409,13 @@ static int hfs_fill_super(struct super_b + /* try to get the root inode */ + hfs_find_init(HFS_SB(sb)->cat_tree, &fd); + res = hfs_cat_find_brec(sb, HFS_ROOT_CNID, &fd); +- if (!res) ++ if (!res) { ++ if (fd.entrylength > sizeof(rec) || fd.entrylength < 0) { ++ res = -EIO; ++ goto bail; ++ } + hfs_bnode_read(fd.bnode, &rec, fd.entryoffset, fd.entrylength); ++ } + if (res) { + hfs_find_exit(&fd); + goto bail_no_root; diff --git a/queue-2.6.32/hrtimer-fix-proc-timer_list-regression.patch b/queue-2.6.32/hrtimer-fix-proc-timer_list-regression.patch new file mode 100644 index 00000000000..00324e729a8 --- /dev/null +++ b/queue-2.6.32/hrtimer-fix-proc-timer_list-regression.patch @@ -0,0 +1,55 @@ +From 8629ea2eaba8ca0de2e38ce1b4a825e16255976e Mon Sep 17 00:00:00 2001 +From: Feng Tang +Date: Thu, 3 Sep 2009 16:32:53 +0800 +Subject: hrtimer: Fix /proc/timer_list regression + +From: Feng Tang + +commit 8629ea2eaba8ca0de2e38ce1b4a825e16255976e upstream. + +commit 507e1231 (timer stats: Optimize by adding quick check to avoid +function calls) introduced a regression in /proc/timer_list. + +/proc/timer_list shows now + #0: , tick_sched_timer, S:01, <(null)>, /-1 +instead of + #0: , tick_sched_timer, S:01, hrtimer_start, swapper/0 + +Revert the hrtimer quick check for now. The optimization needs more +thought, but this is neither 2.6.32-rc7 nor stable material. + +[ tglx: - Removed unrelated changes from the original patch + - Prevent unneccesary call to timer_stats_update_stats + - massaged the changelog ] + +Signed-off-by: Feng Tang +LKML-Reference: +Cc: Heiko Carstens +Signed-off-by: Andrew Morton +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/hrtimer.h | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/include/linux/hrtimer.h ++++ b/include/linux/hrtimer.h +@@ -446,7 +446,7 @@ extern void timer_stats_update_stats(voi + + static inline void timer_stats_account_hrtimer(struct hrtimer *timer) + { +- if (likely(!timer->start_site)) ++ if (likely(!timer_stats_active)) + return; + timer_stats_update_stats(timer, timer->start_pid, timer->start_site, + timer->function, timer->start_comm, 0); +@@ -457,8 +457,6 @@ extern void __timer_stats_hrtimer_set_st + + static inline void timer_stats_hrtimer_set_start_info(struct hrtimer *timer) + { +- if (likely(!timer_stats_active)) +- return; + __timer_stats_hrtimer_set_start_info(timer, __builtin_return_address(0)); + } + diff --git a/queue-2.6.32/jbd2-don-t-wipe-the-journal-on-a-failed-journal-checksum.patch b/queue-2.6.32/jbd2-don-t-wipe-the-journal-on-a-failed-journal-checksum.patch new file mode 100644 index 00000000000..030f06c45fc --- /dev/null +++ b/queue-2.6.32/jbd2-don-t-wipe-the-journal-on-a-failed-journal-checksum.patch @@ -0,0 +1,42 @@ +From e6a47428de84e19fda52f21ab73fde2906c40d09 Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o +Date: Sun, 15 Nov 2009 15:31:37 -0500 +Subject: jbd2: don't wipe the journal on a failed journal checksum + +From: Theodore Ts'o + +commit e6a47428de84e19fda52f21ab73fde2906c40d09 upstream. + +If there is a failed journal checksum, don't reset the journal. This +allows for userspace programs to decide how to recover from this +situation. It may be that ignoring the journal checksum failure might +be a better way of recovering the file system. Once we add per-block +checksums, we can definitely do better. Until then, a system +administrator can try backing up the file system image (or taking a +snapshot) and and trying to determine experimentally whether ignoring +the checksum failure or aborting the journal replay results in less +data loss. + +Signed-off-by: "Theodore Ts'o" +Signed-off-by: Greg Kroah-Hartman + +--- + fs/jbd2/journal.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/jbd2/journal.c ++++ b/fs/jbd2/journal.c +@@ -1253,6 +1253,13 @@ int jbd2_journal_load(journal_t *journal + if (jbd2_journal_recover(journal)) + goto recovery_error; + ++ if (journal->j_failed_commit) { ++ printk(KERN_ERR "JBD2: journal transaction %u on %s " ++ "is corrupt.\n", journal->j_failed_commit, ++ journal->j_devname); ++ return -EIO; ++ } ++ + /* OK, we've finished with the dynamic journal bits: + * reinitialise the dynamic contents of the superblock in memory + * and reset them on disk. */ diff --git a/queue-2.6.32/kvm-fix-irq_source_id-size-verification.patch b/queue-2.6.32/kvm-fix-irq_source_id-size-verification.patch new file mode 100644 index 00000000000..b7590e4be30 --- /dev/null +++ b/queue-2.6.32/kvm-fix-irq_source_id-size-verification.patch @@ -0,0 +1,47 @@ +From cd5a2685de4a642fd0bd763e8c19711ef08dbe27 Mon Sep 17 00:00:00 2001 +From: Marcelo Tosatti +Date: Sat, 17 Oct 2009 22:47:23 -0300 +Subject: KVM: fix irq_source_id size verification + +From: Marcelo Tosatti + +commit cd5a2685de4a642fd0bd763e8c19711ef08dbe27 upstream. + +find_first_zero_bit works with bit numbers, not bytes. + +Fixes + +https://sourceforge.net/tracker/?func=detail&aid=2847560&group_id=180599&atid=893831 + +Reported-by: "Xu, Jiajun" +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + virt/kvm/irq_comm.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/virt/kvm/irq_comm.c ++++ b/virt/kvm/irq_comm.c +@@ -205,10 +205,9 @@ int kvm_request_irq_source_id(struct kvm + int irq_source_id; + + mutex_lock(&kvm->irq_lock); +- irq_source_id = find_first_zero_bit(bitmap, +- sizeof(kvm->arch.irq_sources_bitmap)); ++ irq_source_id = find_first_zero_bit(bitmap, BITS_PER_LONG); + +- if (irq_source_id >= sizeof(kvm->arch.irq_sources_bitmap)) { ++ if (irq_source_id >= BITS_PER_LONG) { + printk(KERN_WARNING "kvm: exhaust allocatable IRQ sources!\n"); + return -EFAULT; + } +@@ -228,7 +227,7 @@ void kvm_free_irq_source_id(struct kvm * + + mutex_lock(&kvm->irq_lock); + if (irq_source_id < 0 || +- irq_source_id >= sizeof(kvm->arch.irq_sources_bitmap)) { ++ irq_source_id >= BITS_PER_LONG) { + printk(KERN_ERR "kvm: IRQ source ID out of range!\n"); + return; + } diff --git a/queue-2.6.32/kvm-s390-fix-prefix-register-checking-in-arch-s390-kvm-sigp.c.patch b/queue-2.6.32/kvm-s390-fix-prefix-register-checking-in-arch-s390-kvm-sigp.c.patch new file mode 100644 index 00000000000..e823c8f16d6 --- /dev/null +++ b/queue-2.6.32/kvm-s390-fix-prefix-register-checking-in-arch-s390-kvm-sigp.c.patch @@ -0,0 +1,47 @@ +From f50146bd7bdb75435638e60d4960edd9bcdf88b8 Mon Sep 17 00:00:00 2001 +From: Carsten Otte +Date: Mon, 30 Nov 2009 17:14:41 +0100 +Subject: KVM: s390: Fix prefix register checking in arch/s390/kvm/sigp.c + +From: Carsten Otte + +commit f50146bd7bdb75435638e60d4960edd9bcdf88b8 upstream. + +This patch corrects the checking of the new address for the prefix register. +On s390, the prefix register is used to address the cpu's lowcore (address +0...8k). This check is supposed to verify that the memory is readable and +present. +copy_from_guest is a helper function, that can be used to read from guest +memory. It applies prefixing, adds the start address of the guest memory in +user, and then calls copy_from_user. Previous code was obviously broken for +two reasons: +- prefixing should not be applied here. The current prefix register is + going to be updated soon, and the address we're looking for will be + 0..8k after we've updated the register +- we're adding the guest origin (gmsor) twice: once in subject code + and once in copy_from_guest + +With kuli, we did not hit this problem because (a) we were lucky with +previous prefix register content, and (b) our guest memory was mmaped +very low into user address space. + +Signed-off-by: Carsten Otte +Reported-by: Alexander Graf +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/s390/kvm/sigp.c ++++ b/arch/s390/kvm/sigp.c +@@ -188,9 +188,9 @@ static int __sigp_set_prefix(struct kvm_vcpu *vcpu, u16 cpu_addr, u32 address, + + /* make sure that the new value is valid memory */ + address = address & 0x7fffe000u; +- if ((copy_from_guest(vcpu, &tmp, +- (u64) (address + vcpu->arch.sie_block->gmsor) , 1)) || +- (copy_from_guest(vcpu, &tmp, (u64) (address + ++ if ((copy_from_user(&tmp, (void __user *) ++ (address + vcpu->arch.sie_block->gmsor) , 1)) || ++ (copy_from_user(&tmp, (void __user *)(address + + vcpu->arch.sie_block->gmsor + PAGE_SIZE), 1))) { + *reg |= SIGP_STAT_INVALID_PARAMETER; + return 1; /* invalid parameter */ diff --git a/queue-2.6.32/kvm-s390-make-psw-available-on-all-exits-not-just-a-subset.patch b/queue-2.6.32/kvm-s390-make-psw-available-on-all-exits-not-just-a-subset.patch new file mode 100644 index 00000000000..b5deb743ab7 --- /dev/null +++ b/queue-2.6.32/kvm-s390-make-psw-available-on-all-exits-not-just-a-subset.patch @@ -0,0 +1,147 @@ +From d7b0b5eb3000c6fb902f08c619fcd673a23d8fab Mon Sep 17 00:00:00 2001 +From: Carsten Otte +Date: Thu, 19 Nov 2009 14:21:16 +0100 +Subject: KVM: s390: Make psw available on all exits, not just a subset + +From: Carsten Otte + +commit d7b0b5eb3000c6fb902f08c619fcd673a23d8fab upstream. + +This patch moves s390 processor status word into the base kvm_run +struct and keeps it up-to date on all userspace exits. + +The userspace ABI is broken by this, however there are no applications +in the wild using this. A capability check is provided so users can +verify the updated API exists. + +Signed-off-by: Carsten Otte +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/include/asm/kvm.h | 3 ++- + arch/s390/kvm/kvm-s390.c | 25 +++++++++++++++++-------- + include/linux/kvm.h | 8 ++++++-- + 3 files changed, 25 insertions(+), 11 deletions(-) + +--- a/arch/s390/include/asm/kvm.h ++++ b/arch/s390/include/asm/kvm.h +@@ -1,6 +1,5 @@ + #ifndef __LINUX_KVM_S390_H + #define __LINUX_KVM_S390_H +- + /* + * asm-s390/kvm.h - KVM s390 specific structures and definitions + * +@@ -15,6 +14,8 @@ + */ + #include + ++#define __KVM_S390 ++ + /* for KVM_GET_REGS and KVM_SET_REGS */ + struct kvm_regs { + /* general purpose regs for s390 */ +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -116,10 +116,16 @@ long kvm_arch_dev_ioctl(struct file *fil + + int kvm_dev_ioctl_check_extension(long ext) + { ++ int r; ++ + switch (ext) { ++ case KVM_CAP_S390_PSW: ++ r = 1; ++ break; + default: +- return 0; ++ r = 0; + } ++ return r; + } + + /* Section: vm related */ +@@ -419,8 +425,10 @@ static int kvm_arch_vcpu_ioctl_set_initi + vcpu_load(vcpu); + if (atomic_read(&vcpu->arch.sie_block->cpuflags) & CPUSTAT_RUNNING) + rc = -EBUSY; +- else +- vcpu->arch.sie_block->gpsw = psw; ++ else { ++ vcpu->run->psw_mask = psw.mask; ++ vcpu->run->psw_addr = psw.addr; ++ } + vcpu_put(vcpu); + return rc; + } +@@ -508,9 +516,6 @@ rerun_vcpu: + + switch (kvm_run->exit_reason) { + case KVM_EXIT_S390_SIEIC: +- vcpu->arch.sie_block->gpsw.mask = kvm_run->s390_sieic.mask; +- vcpu->arch.sie_block->gpsw.addr = kvm_run->s390_sieic.addr; +- break; + case KVM_EXIT_UNKNOWN: + case KVM_EXIT_INTR: + case KVM_EXIT_S390_RESET: +@@ -519,6 +524,9 @@ rerun_vcpu: + BUG(); + } + ++ vcpu->arch.sie_block->gpsw.mask = kvm_run->psw_mask; ++ vcpu->arch.sie_block->gpsw.addr = kvm_run->psw_addr; ++ + might_fault(); + + do { +@@ -538,8 +546,6 @@ rerun_vcpu: + /* intercept cannot be handled in-kernel, prepare kvm-run */ + kvm_run->exit_reason = KVM_EXIT_S390_SIEIC; + kvm_run->s390_sieic.icptcode = vcpu->arch.sie_block->icptcode; +- kvm_run->s390_sieic.mask = vcpu->arch.sie_block->gpsw.mask; +- kvm_run->s390_sieic.addr = vcpu->arch.sie_block->gpsw.addr; + kvm_run->s390_sieic.ipa = vcpu->arch.sie_block->ipa; + kvm_run->s390_sieic.ipb = vcpu->arch.sie_block->ipb; + rc = 0; +@@ -551,6 +557,9 @@ rerun_vcpu: + rc = 0; + } + ++ kvm_run->psw_mask = vcpu->arch.sie_block->gpsw.mask; ++ kvm_run->psw_addr = vcpu->arch.sie_block->gpsw.addr; ++ + if (vcpu->sigset_active) + sigprocmask(SIG_SETMASK, &sigsaved, NULL); + +--- a/include/linux/kvm.h ++++ b/include/linux/kvm.h +@@ -116,6 +116,11 @@ struct kvm_run { + __u64 cr8; + __u64 apic_base; + ++#ifdef __KVM_S390 ++ /* the processor status word for s390 */ ++ __u64 psw_mask; /* psw upper half */ ++ __u64 psw_addr; /* psw lower half */ ++#endif + union { + /* KVM_EXIT_UNKNOWN */ + struct { +@@ -167,8 +172,6 @@ struct kvm_run { + /* KVM_EXIT_S390_SIEIC */ + struct { + __u8 icptcode; +- __u64 mask; /* psw upper half */ +- __u64 addr; /* psw lower half */ + __u16 ipa; + __u32 ipb; + } s390_sieic; +@@ -474,6 +477,7 @@ struct kvm_irq_routing { + }; + + #endif ++#define KVM_CAP_S390_PSW 42 + + #ifdef KVM_CAP_MCE + /* x86 MCE */ diff --git a/queue-2.6.32/kvm-x86-emulator-limit-instructions-to-15-bytes.patch b/queue-2.6.32/kvm-x86-emulator-limit-instructions-to-15-bytes.patch new file mode 100644 index 00000000000..e5f6af95c4f --- /dev/null +++ b/queue-2.6.32/kvm-x86-emulator-limit-instructions-to-15-bytes.patch @@ -0,0 +1,50 @@ +From eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb Mon Sep 17 00:00:00 2001 +From: Avi Kivity +Date: Tue, 24 Nov 2009 15:20:15 +0200 +Subject: KVM: x86 emulator: limit instructions to 15 bytes + +From: Avi Kivity + +commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream. + +While we are never normally passed an instruction that exceeds 15 bytes, +smp games can cause us to attempt to interpret one, which will cause +large latencies in non-preempt hosts. + +Signed-off-by: Avi Kivity +Signed-off-by: Greg Kroah-Hartman + +--- a/arch/x86/include/asm/kvm_emulate.h ++++ b/arch/x86/include/asm/kvm_emulate.h +@@ -129,7 +129,7 @@ struct decode_cache { + u8 seg_override; + unsigned int d; + unsigned long regs[NR_VCPU_REGS]; +- unsigned long eip; ++ unsigned long eip, eip_orig; + /* modrm */ + u8 modrm; + u8 modrm_mod; +diff --git a/arch/x86/kvm/emulate.c b/arch/x86/kvm/emulate.c +index d226dff..7e8faea 100644 +--- a/arch/x86/kvm/emulate.c ++++ b/arch/x86/kvm/emulate.c +@@ -622,6 +622,9 @@ static int do_insn_fetch(struct x86_emulate_ctxt *ctxt, + { + int rc = 0; + ++ /* x86 instructions are limited to 15 bytes. */ ++ if (eip + size - ctxt->decode.eip_orig > 15) ++ return X86EMUL_UNHANDLEABLE; + eip += ctxt->cs_base; + while (size--) { + rc = do_fetch_insn_byte(ctxt, ops, eip++, dest++); +@@ -880,7 +883,7 @@ x86_decode_insn(struct x86_emulate_ctxt *ctxt, struct x86_emulate_ops *ops) + /* Shadow copy of register state. Committed on successful emulation. */ + + memset(c, 0, sizeof(struct decode_cache)); +- c->eip = kvm_rip_read(ctxt->vcpu); ++ c->eip = c->eip_orig = kvm_rip_read(ctxt->vcpu); + ctxt->cs_base = seg_base(ctxt, VCPU_SREG_CS); + memcpy(c->regs, ctxt->vcpu->arch.regs, sizeof c->regs); + diff --git a/queue-2.6.32/kvm-x86-include-pvclock-msrs-in-msrs_to_save.patch b/queue-2.6.32/kvm-x86-include-pvclock-msrs-in-msrs_to_save.patch new file mode 100644 index 00000000000..61cea5c0db2 --- /dev/null +++ b/queue-2.6.32/kvm-x86-include-pvclock-msrs-in-msrs_to_save.patch @@ -0,0 +1,59 @@ +From e3267cbbbfbcbe9c18833e89b10beabb1117cb55 Mon Sep 17 00:00:00 2001 +From: Glauber Costa +Date: Tue, 6 Oct 2009 13:24:50 -0400 +Subject: KVM: x86: include pvclock MSRs in msrs_to_save + +From: Glauber Costa + +commit e3267cbbbfbcbe9c18833e89b10beabb1117cb55 upstream. + +For a while now, we are issuing a rdmsr instruction to find out which +msrs in our save list are really supported by the underlying machine. +However, it fails to account for kvm-specific msrs, such as the pvclock +ones. + +This patch moves then to the beginning of the list, and skip testing them. + +Signed-off-by: Glauber Costa +Signed-off-by: Marcelo Tosatti +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kvm/x86.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/arch/x86/kvm/x86.c ++++ b/arch/x86/kvm/x86.c +@@ -484,16 +484,19 @@ static inline u32 bit(int bitno) + * and KVM_SET_MSRS, and KVM_GET_MSR_INDEX_LIST. + * + * This list is modified at module load time to reflect the +- * capabilities of the host cpu. ++ * capabilities of the host cpu. This capabilities test skips MSRs that are ++ * kvm-specific. Those are put in the beginning of the list. + */ ++ ++#define KVM_SAVE_MSRS_BEGIN 2 + static u32 msrs_to_save[] = { ++ MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK, + MSR_IA32_SYSENTER_CS, MSR_IA32_SYSENTER_ESP, MSR_IA32_SYSENTER_EIP, + MSR_K6_STAR, + #ifdef CONFIG_X86_64 + MSR_CSTAR, MSR_KERNEL_GS_BASE, MSR_SYSCALL_MASK, MSR_LSTAR, + #endif +- MSR_IA32_TSC, MSR_KVM_SYSTEM_TIME, MSR_KVM_WALL_CLOCK, +- MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA ++ MSR_IA32_TSC, MSR_IA32_PERF_STATUS, MSR_IA32_CR_PAT, MSR_VM_HSAVE_PA + }; + + static unsigned num_msrs_to_save; +@@ -2433,7 +2436,8 @@ static void kvm_init_msr_list(void) + u32 dummy[2]; + unsigned i, j; + +- for (i = j = 0; i < ARRAY_SIZE(msrs_to_save); i++) { ++ /* skip the first msrs in the list. KVM-specific */ ++ for (i = j = KVM_SAVE_MSRS_BEGIN; i < ARRAY_SIZE(msrs_to_save); i++) { + if (rdmsr_safe(msrs_to_save[i], &dummy[0], &dummy[1]) < 0) + continue; + if (j < i) diff --git a/queue-2.6.32/md-bitmap-protect-against-bitmap-removal-while-being-updated.patch b/queue-2.6.32/md-bitmap-protect-against-bitmap-removal-while-being-updated.patch new file mode 100644 index 00000000000..653598c06d5 --- /dev/null +++ b/queue-2.6.32/md-bitmap-protect-against-bitmap-removal-while-being-updated.patch @@ -0,0 +1,148 @@ +From aa5cbd103887011b4830355f88fb055f9ad2d556 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Mon, 14 Dec 2009 12:49:46 +1100 +Subject: md/bitmap: protect against bitmap removal while being updated. + +From: NeilBrown + +commit aa5cbd103887011b4830355f88fb055f9ad2d556 upstream. + +A write intent bitmap can be removed from an array while the +array is active. +When this happens, all IO is suspended and flushed before the +bitmap is removed. +However it is possible that bitmap_daemon_work is still running to +clear old bits from the bitmap. If it is, it can dereference the +bitmap after it has been freed. + +So introduce a new mutex to protect bitmap_daemon_work and get it +before destroying a bitmap. + +This is suitable for any current -stable kernel. + +Signed-off-by: NeilBrown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/bitmap.c | 24 ++++++++++++++++++------ + drivers/md/bitmap.h | 2 +- + drivers/md/md.c | 3 ++- + drivers/md/md.h | 1 + + 4 files changed, 22 insertions(+), 8 deletions(-) + +--- a/drivers/md/bitmap.c ++++ b/drivers/md/bitmap.c +@@ -1078,23 +1078,31 @@ static bitmap_counter_t *bitmap_get_coun + * out to disk + */ + +-void bitmap_daemon_work(struct bitmap *bitmap) ++void bitmap_daemon_work(mddev_t *mddev) + { ++ struct bitmap *bitmap; + unsigned long j; + unsigned long flags; + struct page *page = NULL, *lastpage = NULL; + int blocks; + void *paddr; + +- if (bitmap == NULL) ++ /* Use a mutex to guard daemon_work against ++ * bitmap_destroy. ++ */ ++ mutex_lock(&mddev->bitmap_mutex); ++ bitmap = mddev->bitmap; ++ if (bitmap == NULL) { ++ mutex_unlock(&mddev->bitmap_mutex); + return; ++ } + if (time_before(jiffies, bitmap->daemon_lastrun + bitmap->daemon_sleep*HZ)) + goto done; + + bitmap->daemon_lastrun = jiffies; + if (bitmap->allclean) { + bitmap->mddev->thread->timeout = MAX_SCHEDULE_TIMEOUT; +- return; ++ goto done; + } + bitmap->allclean = 1; + +@@ -1203,6 +1211,7 @@ void bitmap_daemon_work(struct bitmap *b + done: + if (bitmap->allclean == 0) + bitmap->mddev->thread->timeout = bitmap->daemon_sleep * HZ; ++ mutex_unlock(&mddev->bitmap_mutex); + } + + static bitmap_counter_t *bitmap_get_counter(struct bitmap *bitmap, +@@ -1541,9 +1550,9 @@ void bitmap_flush(mddev_t *mddev) + */ + sleep = bitmap->daemon_sleep; + bitmap->daemon_sleep = 0; +- bitmap_daemon_work(bitmap); +- bitmap_daemon_work(bitmap); +- bitmap_daemon_work(bitmap); ++ bitmap_daemon_work(mddev); ++ bitmap_daemon_work(mddev); ++ bitmap_daemon_work(mddev); + bitmap->daemon_sleep = sleep; + bitmap_update_sb(bitmap); + } +@@ -1574,6 +1583,7 @@ static void bitmap_free(struct bitmap *b + kfree(bp); + kfree(bitmap); + } ++ + void bitmap_destroy(mddev_t *mddev) + { + struct bitmap *bitmap = mddev->bitmap; +@@ -1581,7 +1591,9 @@ void bitmap_destroy(mddev_t *mddev) + if (!bitmap) /* there was no bitmap */ + return; + ++ mutex_lock(&mddev->bitmap_mutex); + mddev->bitmap = NULL; /* disconnect from the md device */ ++ mutex_unlock(&mddev->bitmap_mutex); + if (mddev->thread) + mddev->thread->timeout = MAX_SCHEDULE_TIMEOUT; + +--- a/drivers/md/bitmap.h ++++ b/drivers/md/bitmap.h +@@ -282,7 +282,7 @@ void bitmap_close_sync(struct bitmap *bi + void bitmap_cond_end_sync(struct bitmap *bitmap, sector_t sector); + + void bitmap_unplug(struct bitmap *bitmap); +-void bitmap_daemon_work(struct bitmap *bitmap); ++void bitmap_daemon_work(mddev_t *mddev); + #endif + + #endif +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -367,6 +367,7 @@ static mddev_t * mddev_find(dev_t unit) + + mutex_init(&new->open_mutex); + mutex_init(&new->reconfig_mutex); ++ mutex_init(&new->bitmap_mutex); + INIT_LIST_HEAD(&new->disks); + INIT_LIST_HEAD(&new->all_mddevs); + init_timer(&new->safemode_timer); +@@ -6629,7 +6630,7 @@ void md_check_recovery(mddev_t *mddev) + + + if (mddev->bitmap) +- bitmap_daemon_work(mddev->bitmap); ++ bitmap_daemon_work(mddev); + + if (mddev->ro) + return; +--- a/drivers/md/md.h ++++ b/drivers/md/md.h +@@ -289,6 +289,7 @@ struct mddev_s + * hot-adding a bitmap. It should + * eventually be settable by sysfs. + */ ++ struct mutex bitmap_mutex; + + struct list_head all_mddevs; + }; diff --git a/queue-2.6.32/nfs-fix-nfs_migrate_page.patch b/queue-2.6.32/nfs-fix-nfs_migrate_page.patch new file mode 100644 index 00000000000..b06ac86caa3 --- /dev/null +++ b/queue-2.6.32/nfs-fix-nfs_migrate_page.patch @@ -0,0 +1,47 @@ +From 190f38e5cedc910940b1da9015f00458c18f97b4 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust +Date: Thu, 10 Dec 2009 09:05:55 -0500 +Subject: NFS: Fix nfs_migrate_page() + +From: Trond Myklebust + +commit 190f38e5cedc910940b1da9015f00458c18f97b4 upstream. + +The call to migrate_page() will cause the page->private field to be +cleared. +Also fix up the locking around the page->private transfer, so that we ensure +that calls to nfs_page_find_request() don't end up racing. + +Finally, fix up a double free bug: nfs_unlock_request() already calls +nfs_release_request() for us... + +Reported-by: Wu Fengguang +Tested-by: Andi Kleen +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + fs/nfs/write.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/fs/nfs/write.c ++++ b/fs/nfs/write.c +@@ -1612,15 +1612,16 @@ int nfs_migrate_page(struct address_spac + if (ret) + goto out_unlock; + page_cache_get(newpage); ++ spin_lock(&mapping->host->i_lock); + req->wb_page = newpage; + SetPagePrivate(newpage); +- set_page_private(newpage, page_private(page)); ++ set_page_private(newpage, (unsigned long)req); + ClearPagePrivate(page); + set_page_private(page, 0); ++ spin_unlock(&mapping->host->i_lock); + page_cache_release(page); + out_unlock: + nfs_clear_page_tag_locked(req); +- nfs_release_request(req); + out: + return ret; + } diff --git a/queue-2.6.32/pata_hpt-37x-3x2n-fix-timing-register-masks-take-2.patch b/queue-2.6.32/pata_hpt-37x-3x2n-fix-timing-register-masks-take-2.patch new file mode 100644 index 00000000000..51cb8f5b78f --- /dev/null +++ b/queue-2.6.32/pata_hpt-37x-3x2n-fix-timing-register-masks-take-2.patch @@ -0,0 +1,173 @@ +From 5600c70e576199a7552e1c0fff43f3fe16f5566e Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Fri, 27 Nov 2009 22:29:02 +0400 +Subject: pata_hpt{37x|3x2n}: fix timing register masks (take 2) + +From: Sergei Shtylyov + +commit 5600c70e576199a7552e1c0fff43f3fe16f5566e upstream. + +These drivers inherited from the older 'hpt366' IDE driver the buggy timing +register masks in their set_piomode() metods. As a result, too low command +cycle active time is programmed for slow PIO modes. Quite fortunately, it's +later "fixed up" by the set_dmamode() methods which also "helpfully" reprogram +the command timings, usually to PIO mode 4; unfortunately, setting an UltraDMA +mode #N also reprograms already set PIO data timings, usually to MWDMA mode # +max(N, 2) timings... + +However, the drivers added some breakage of their own too: the bit that they +set/clear to control the FIFO is sometimes wrong -- it's actually the MSB of +the command cycle setup time; also, setting it in DMA mode is wrong as this +bit is only for PIO actually and clearing it for PIO modes is not needed as +no mode in any timing table has it set... + +Fix all this, inverting the masks while at it, like in the 'hpt366' and +'pata_hpt366' drivers; bump the drivers' versions, accounting for recent +patches that forgot to do it... + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/pata_hpt37x.c | 32 +++++++++++++++----------------- + drivers/ata/pata_hpt3x2n.c | 17 ++++++++--------- + 2 files changed, 23 insertions(+), 26 deletions(-) + +--- a/drivers/ata/pata_hpt37x.c ++++ b/drivers/ata/pata_hpt37x.c +@@ -24,7 +24,7 @@ + #include + + #define DRV_NAME "pata_hpt37x" +-#define DRV_VERSION "0.6.12" ++#define DRV_VERSION "0.6.14" + + struct hpt_clock { + u8 xfer_speed; +@@ -404,9 +404,8 @@ static void hpt370_set_piomode(struct at + + pci_read_config_dword(pdev, addr1, ®); + mode = hpt37x_find_mode(ap, adev->pio_mode); +- mode &= ~0x8000000; /* No FIFO in PIO */ +- mode &= ~0x30070000; /* Leave config bits alone */ +- reg &= 0x30070000; /* Strip timing bits */ ++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */ ++ reg &= ~0xCFC3FFFF; /* Strip timing bits */ + pci_write_config_dword(pdev, addr1, reg | mode); + } + +@@ -423,8 +422,7 @@ static void hpt370_set_dmamode(struct at + { + struct pci_dev *pdev = to_pci_dev(ap->host->dev); + u32 addr1, addr2; +- u32 reg; +- u32 mode; ++ u32 reg, mode, mask; + u8 fast; + + addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no); +@@ -436,11 +434,12 @@ static void hpt370_set_dmamode(struct at + fast |= 0x01; + pci_write_config_byte(pdev, addr2, fast); + ++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000; ++ + pci_read_config_dword(pdev, addr1, ®); + mode = hpt37x_find_mode(ap, adev->dma_mode); +- mode |= 0x8000000; /* FIFO in MWDMA or UDMA */ +- mode &= ~0xC0000000; /* Leave config bits alone */ +- reg &= 0xC0000000; /* Strip timing bits */ ++ mode &= mask; ++ reg &= ~mask; + pci_write_config_dword(pdev, addr1, reg | mode); + } + +@@ -508,9 +507,8 @@ static void hpt372_set_piomode(struct at + mode = hpt37x_find_mode(ap, adev->pio_mode); + + printk("Find mode for %d reports %X\n", adev->pio_mode, mode); +- mode &= ~0x80000000; /* No FIFO in PIO */ +- mode &= ~0x30070000; /* Leave config bits alone */ +- reg &= 0x30070000; /* Strip timing bits */ ++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */ ++ reg &= ~0xCFC3FFFF; /* Strip timing bits */ + pci_write_config_dword(pdev, addr1, reg | mode); + } + +@@ -527,8 +525,7 @@ static void hpt372_set_dmamode(struct at + { + struct pci_dev *pdev = to_pci_dev(ap->host->dev); + u32 addr1, addr2; +- u32 reg; +- u32 mode; ++ u32 reg, mode, mask; + u8 fast; + + addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no); +@@ -539,12 +536,13 @@ static void hpt372_set_dmamode(struct at + fast &= ~0x07; + pci_write_config_byte(pdev, addr2, fast); + ++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000; ++ + pci_read_config_dword(pdev, addr1, ®); + mode = hpt37x_find_mode(ap, adev->dma_mode); + printk("Find mode for DMA %d reports %X\n", adev->dma_mode, mode); +- mode &= ~0xC0000000; /* Leave config bits alone */ +- mode |= 0x80000000; /* FIFO in MWDMA or UDMA */ +- reg &= 0xC0000000; /* Strip timing bits */ ++ mode &= mask; ++ reg &= ~mask; + pci_write_config_dword(pdev, addr1, reg | mode); + } + +--- a/drivers/ata/pata_hpt3x2n.c ++++ b/drivers/ata/pata_hpt3x2n.c +@@ -25,7 +25,7 @@ + #include + + #define DRV_NAME "pata_hpt3x2n" +-#define DRV_VERSION "0.3.4" ++#define DRV_VERSION "0.3.7" + + enum { + HPT_PCI_FAST = (1 << 31), +@@ -185,9 +185,8 @@ static void hpt3x2n_set_piomode(struct a + + pci_read_config_dword(pdev, addr1, ®); + mode = hpt3x2n_find_mode(ap, adev->pio_mode); +- mode &= ~0x8000000; /* No FIFO in PIO */ +- mode &= ~0x30070000; /* Leave config bits alone */ +- reg &= 0x30070000; /* Strip timing bits */ ++ mode &= 0xCFC3FFFF; /* Leave DMA bits alone */ ++ reg &= ~0xCFC3FFFF; /* Strip timing bits */ + pci_write_config_dword(pdev, addr1, reg | mode); + } + +@@ -204,8 +203,7 @@ static void hpt3x2n_set_dmamode(struct a + { + struct pci_dev *pdev = to_pci_dev(ap->host->dev); + u32 addr1, addr2; +- u32 reg; +- u32 mode; ++ u32 reg, mode, mask; + u8 fast; + + addr1 = 0x40 + 4 * (adev->devno + 2 * ap->port_no); +@@ -216,11 +214,12 @@ static void hpt3x2n_set_dmamode(struct a + fast &= ~0x07; + pci_write_config_byte(pdev, addr2, fast); + ++ mask = adev->dma_mode < XFER_UDMA_0 ? 0x31C001FF : 0x303C0000; ++ + pci_read_config_dword(pdev, addr1, ®); + mode = hpt3x2n_find_mode(ap, adev->dma_mode); +- mode |= 0x8000000; /* FIFO in MWDMA or UDMA */ +- mode &= ~0xC0000000; /* Leave config bits alone */ +- reg &= 0xC0000000; /* Strip timing bits */ ++ mode &= mask; ++ reg &= ~mask; + pci_write_config_dword(pdev, addr1, reg | mode); + } + diff --git a/queue-2.6.32/perf-don-t-free-perf_mmap_data-until-work-has-been-done.patch b/queue-2.6.32/perf-don-t-free-perf_mmap_data-until-work-has-been-done.patch new file mode 100644 index 00000000000..f12539eab29 --- /dev/null +++ b/queue-2.6.32/perf-don-t-free-perf_mmap_data-until-work-has-been-done.patch @@ -0,0 +1,56 @@ +From ec70ccd806111ba3caf596def91a8580138b12db Mon Sep 17 00:00:00 2001 +From: Kristian Høgsberg +Date: Tue, 1 Dec 2009 15:05:01 -0500 +Subject: perf: Don't free perf_mmap_data until work has been done +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Kristian Høgsberg + +commit ec70ccd806111ba3caf596def91a8580138b12db upstream. + +In the CONFIG_PERF_USE_VMALLOC case, perf_mmap_data_free() only +schedules the cleanup of the perf_mmap_data struct. In that +case we have to wait until the work has been done before we free +data. + +Signed-off-by: Kristian Høgsberg +Cc: David S. Miller +Cc: Peter Zijlstra +Cc: Paul Mackerras +Cc: Frederic Weisbecker +LKML-Reference: <1259697901-1747-1-git-send-email-krh@bitplanet.net> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/perf_event.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/perf_event.c ++++ b/kernel/perf_event.c +@@ -2174,6 +2174,7 @@ static void perf_mmap_data_free(struct p + perf_mmap_free_page((unsigned long)data->user_page); + for (i = 0; i < data->nr_pages; i++) + perf_mmap_free_page((unsigned long)data->data_pages[i]); ++ kfree(data); + } + + #else +@@ -2214,6 +2215,7 @@ static void perf_mmap_data_free_work(str + perf_mmap_unmark_page(base + (i * PAGE_SIZE)); + + vfree(base); ++ kfree(data); + } + + static void perf_mmap_data_free(struct perf_mmap_data *data) +@@ -2319,7 +2321,6 @@ static void perf_mmap_data_free_rcu(stru + + data = container_of(rcu_head, struct perf_mmap_data, rcu_head); + perf_mmap_data_free(data); +- kfree(data); + } + + static void perf_mmap_data_release(struct perf_event *event) diff --git a/queue-2.6.32/perf_event-fix-invalid-type-in-ioctl-definition.patch b/queue-2.6.32/perf_event-fix-invalid-type-in-ioctl-definition.patch new file mode 100644 index 00000000000..1c4ac7ee7fe --- /dev/null +++ b/queue-2.6.32/perf_event-fix-invalid-type-in-ioctl-definition.patch @@ -0,0 +1,32 @@ +From 4c49b12853fbb5eff4849b7b6a1e895776f027a1 Mon Sep 17 00:00:00 2001 +From: Arjan van de Ven +Date: Fri, 13 Nov 2009 21:47:33 -0800 +Subject: perf_event: Fix invalid type in ioctl definition + +From: Arjan van de Ven + +commit 4c49b12853fbb5eff4849b7b6a1e895776f027a1 upstream. + +u64 is invalid in userspace headers, including ioctl +definitions; use __u64 instead + +Signed-off-by: Arjan van de Ven +LKML-Reference: <20091113214733.7cd76be9@infradead.org> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/perf_event.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/linux/perf_event.h ++++ b/include/linux/perf_event.h +@@ -219,7 +219,7 @@ struct perf_event_attr { + #define PERF_EVENT_IOC_DISABLE _IO ('$', 1) + #define PERF_EVENT_IOC_REFRESH _IO ('$', 2) + #define PERF_EVENT_IOC_RESET _IO ('$', 3) +-#define PERF_EVENT_IOC_PERIOD _IOW('$', 4, u64) ++#define PERF_EVENT_IOC_PERIOD _IOW('$', 4, __u64) + #define PERF_EVENT_IOC_SET_OUTPUT _IO ('$', 5) + + enum perf_event_ioc_flags { diff --git a/queue-2.6.32/perf_event-initialize-data.period-in-perf_swevent_hrtimer.patch b/queue-2.6.32/perf_event-initialize-data.period-in-perf_swevent_hrtimer.patch new file mode 100644 index 00000000000..b4668ac8bd5 --- /dev/null +++ b/queue-2.6.32/perf_event-initialize-data.period-in-perf_swevent_hrtimer.patch @@ -0,0 +1,45 @@ +From 59d069eb5ae9b033ed1c124c92e1532c4a958991 Mon Sep 17 00:00:00 2001 +From: Xiao Guangrong +Date: Tue, 1 Dec 2009 17:30:08 +0800 +Subject: perf_event: Initialize data.period in perf_swevent_hrtimer() + +From: Xiao Guangrong + +commit 59d069eb5ae9b033ed1c124c92e1532c4a958991 upstream. + +In current code in perf_swevent_hrtimer(), data.period is not +initialized, The result is obvious wrong: + + # ./perf record -f -e cpu-clock make + # ./perf report + # Samples: 1740 + # + # Overhead Command ...... + # ........ ........ .......................................... + # + 1025422183050275328.00% sh libc-2.9.90.so ... + 1025422183050275328.00% perl libperl.so ... + 1025422168240043264.00% perl [kernel] ... + 1025422030011210752.00% perl [kernel] ... + +Signed-off-by: Xiao Guangrong +Acked-by: Peter Zijlstra +Cc: Frederic Weisbecker +LKML-Reference: <4B14E220.2050107@cn.fujitsu.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/perf_event.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/perf_event.c ++++ b/kernel/perf_event.c +@@ -3949,6 +3949,7 @@ static enum hrtimer_restart perf_swevent + event->pmu->read(event); + + data.addr = 0; ++ data.period = event->hw.last_period; + regs = get_irq_regs(); + /* + * In case we exclude kernel IPs or are somehow not in interrupt diff --git a/queue-2.6.32/pm-runtime-fix-lockdep-warning-in-__pm_runtime_set_status.patch b/queue-2.6.32/pm-runtime-fix-lockdep-warning-in-__pm_runtime_set_status.patch new file mode 100644 index 00000000000..6ace5feb25f --- /dev/null +++ b/queue-2.6.32/pm-runtime-fix-lockdep-warning-in-__pm_runtime_set_status.patch @@ -0,0 +1,31 @@ +From bab636b921017f0db6e0c2979438f50b898a9808 Mon Sep 17 00:00:00 2001 +From: Rafael J. Wysocki +Date: Thu, 3 Dec 2009 20:21:21 +0100 +Subject: PM / Runtime: Fix lockdep warning in __pm_runtime_set_status() + +From: Rafael J. Wysocki + +commit bab636b921017f0db6e0c2979438f50b898a9808 upstream. + +Lockdep complains about taking the parent lock in +__pm_runtime_set_status(), so mark it as nested. + +Signed-off-by: Rafael J. Wysocki +Reported-by: Alan Stern +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/base/power/runtime.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/base/power/runtime.c ++++ b/drivers/base/power/runtime.c +@@ -777,7 +777,7 @@ int __pm_runtime_set_status(struct devic + } + + if (parent) { +- spin_lock(&parent->power.lock); ++ spin_lock_nested(&parent->power.lock, SINGLE_DEPTH_NESTING); + + /* + * It is invalid to put an active child under a parent that is diff --git a/queue-2.6.32/pxa-em-x270-fix-usb-hub-power-up-reset-sequence.patch b/queue-2.6.32/pxa-em-x270-fix-usb-hub-power-up-reset-sequence.patch new file mode 100644 index 00000000000..306e1c3b8ec --- /dev/null +++ b/queue-2.6.32/pxa-em-x270-fix-usb-hub-power-up-reset-sequence.patch @@ -0,0 +1,42 @@ +From 1b82e4c32fba96d8805b1e2126ba5382e56fac32 Mon Sep 17 00:00:00 2001 +From: Igor Grinberg +Date: Sun, 6 Dec 2009 15:45:43 +0200 +Subject: [ARM] pxa/em-x270: fix usb hub power up/reset sequence + +From: Igor Grinberg + +commit 1b82e4c32fba96d8805b1e2126ba5382e56fac32 upstream. + +Signed-off-by: Igor Grinberg +Signed-off-by: Mike Rapoport +Signed-off-by: Eric Miao +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-pxa/em-x270.c | 11 +++++------ + 1 file changed, 5 insertions(+), 6 deletions(-) + +--- a/arch/arm/mach-pxa/em-x270.c ++++ b/arch/arm/mach-pxa/em-x270.c +@@ -497,16 +497,15 @@ static int em_x270_usb_hub_init(void) + goto err_free_vbus_gpio; + + /* USB Hub power-on and reset */ +- gpio_direction_output(usb_hub_reset, 0); ++ gpio_direction_output(usb_hub_reset, 1); ++ gpio_direction_output(GPIO9_USB_VBUS_EN, 0); + regulator_enable(em_x270_usb_ldo); +- gpio_set_value(usb_hub_reset, 1); + gpio_set_value(usb_hub_reset, 0); ++ gpio_set_value(usb_hub_reset, 1); + regulator_disable(em_x270_usb_ldo); + regulator_enable(em_x270_usb_ldo); +- gpio_set_value(usb_hub_reset, 1); +- +- /* enable VBUS */ +- gpio_direction_output(GPIO9_USB_VBUS_EN, 1); ++ gpio_set_value(usb_hub_reset, 0); ++ gpio_set_value(GPIO9_USB_VBUS_EN, 1); + + return 0; + diff --git a/queue-2.6.32/rcu-fix-note_new_gpnum-uses-of-gpnum.patch b/queue-2.6.32/rcu-fix-note_new_gpnum-uses-of-gpnum.patch new file mode 100644 index 00000000000..9cef4d8c9d7 --- /dev/null +++ b/queue-2.6.32/rcu-fix-note_new_gpnum-uses-of-gpnum.patch @@ -0,0 +1,105 @@ +From 9160306e6f5b68bb64630c9031c517ca1cf463db Mon Sep 17 00:00:00 2001 +From: Paul E. McKenney +Date: Mon, 2 Nov 2009 13:52:29 -0800 +Subject: rcu: Fix note_new_gpnum() uses of ->gpnum + +From: Paul E. McKenney + +commit 9160306e6f5b68bb64630c9031c517ca1cf463db upstream. + +Impose a clear locking design on the note_new_gpnum() +function's use of the ->gpnum counter. This is done by updating +rdp->gpnum only from the corresponding leaf rcu_node structure's +rnp->gpnum field, and even then only under the protection of +that same rcu_node structure's ->lock field. Performance and +scalability are maintained using a form of double-checked +locking, and excessive spinning is avoided by use of the +spin_trylock() function. The use of spin_trylock() is safe due +to the fact that CPUs who fail to acquire this lock will try +again later. The hierarchical nature of the rcu_node data +structure limits contention (which could be limited further if +need be using the RCU_FANOUT kernel parameter). + +Without this patch, obscure but quite possible races could +result in a quiescent state that occurred during one grace +period to be accounted to the following grace period, causing +this following grace period to end prematurely. Not good! + +Signed-off-by: Paul E. McKenney +Cc: laijs@cn.fujitsu.com +Cc: dipankar@in.ibm.com +Cc: mathieu.desnoyers@polymtl.ca +Cc: josh@joshtriplett.org +Cc: dvhltc@us.ibm.com +Cc: niv@us.ibm.com +Cc: peterz@infradead.org +Cc: rostedt@goodmis.org +Cc: Valdis.Kletnieks@vt.edu +Cc: dhowells@redhat.com +LKML-Reference: <12571987492350-git-send-email-> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcutree.c | 34 ++++++++++++++++++++++++++++------ + 1 file changed, 28 insertions(+), 6 deletions(-) + +--- a/kernel/rcutree.c ++++ b/kernel/rcutree.c +@@ -538,13 +538,33 @@ static void check_cpu_stall(struct rcu_s + /* + * Update CPU-local rcu_data state to record the newly noticed grace period. + * This is used both when we started the grace period and when we notice +- * that someone else started the grace period. +- */ ++ * that someone else started the grace period. The caller must hold the ++ * ->lock of the leaf rcu_node structure corresponding to the current CPU, ++ * and must have irqs disabled. ++ */ ++static void __note_new_gpnum(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp) ++{ ++ if (rdp->gpnum != rnp->gpnum) { ++ rdp->qs_pending = 1; ++ rdp->passed_quiesc = 0; ++ rdp->gpnum = rnp->gpnum; ++ } ++} ++ + static void note_new_gpnum(struct rcu_state *rsp, struct rcu_data *rdp) + { +- rdp->qs_pending = 1; +- rdp->passed_quiesc = 0; +- rdp->gpnum = rsp->gpnum; ++ unsigned long flags; ++ struct rcu_node *rnp; ++ ++ local_irq_save(flags); ++ rnp = rdp->mynode; ++ if (rdp->gpnum == ACCESS_ONCE(rnp->gpnum) || /* outside lock. */ ++ !spin_trylock(&rnp->lock)) { /* irqs already off, retry later. */ ++ local_irq_restore(flags); ++ return; ++ } ++ __note_new_gpnum(rsp, rnp, rdp); ++ spin_unlock_irqrestore(&rnp->lock, flags); + } + + /* +@@ -635,6 +655,9 @@ rcu_start_gp_per_cpu(struct rcu_state *r + */ + rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; + rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; ++ ++ /* Set state so that this CPU will detect the next quiescent state. */ ++ __note_new_gpnum(rsp, rnp, rdp); + } + + /* +@@ -662,7 +685,6 @@ rcu_start_gp(struct rcu_state *rsp, unsi + rsp->jiffies_force_qs = jiffies + RCU_JIFFIES_TILL_FORCE_QS; + record_gp_stall_check_time(rsp); + dyntick_record_completed(rsp, rsp->completed - 1); +- note_new_gpnum(rsp, rdp); + + /* Special-case the common single-level case. */ + if (NUM_RCU_NODES == 1) { diff --git a/queue-2.6.32/rcu-fix-synchronization-for-rcu_process_gp_end-uses-of-completed-counter.patch b/queue-2.6.32/rcu-fix-synchronization-for-rcu_process_gp_end-uses-of-completed-counter.patch new file mode 100644 index 00000000000..279c3932198 --- /dev/null +++ b/queue-2.6.32/rcu-fix-synchronization-for-rcu_process_gp_end-uses-of-completed-counter.patch @@ -0,0 +1,252 @@ +From d09b62dfa336447c52a5ec9bb88adbc479b0f3b8 Mon Sep 17 00:00:00 2001 +From: Paul E. McKenney +Date: Mon, 2 Nov 2009 13:52:28 -0800 +Subject: rcu: Fix synchronization for rcu_process_gp_end() uses of ->completed counter + +From: Paul E. McKenney + +commit d09b62dfa336447c52a5ec9bb88adbc479b0f3b8 upstream. + +Impose a clear locking design on the rcu_process_gp_end() +function's use of the ->completed counter. This is done by +creating a ->completed field in the rcu_node structure, which +can safely be accessed under the protection of that structure's +lock. Performance and scalability are maintained by using a +form of double-checked locking, so that rcu_process_gp_end() +only acquires the leaf rcu_node structure's ->lock if a grace +period has recently ended. + +This fix reduces rcutorture failure rate by at least two orders +of magnitude under heavy stress with force_quiescent_state() +being invoked artificially often. Without this fix, +unsynchronized access to the ->completed field can cause +rcu_process_gp_end() to advance callbacks whose grace period has +not yet expired. (Bad idea!) + +Signed-off-by: Paul E. McKenney +Cc: laijs@cn.fujitsu.com +Cc: dipankar@in.ibm.com +Cc: mathieu.desnoyers@polymtl.ca +Cc: josh@joshtriplett.org +Cc: dvhltc@us.ibm.com +Cc: niv@us.ibm.com +Cc: peterz@infradead.org +Cc: rostedt@goodmis.org +Cc: Valdis.Kletnieks@vt.edu +Cc: dhowells@redhat.com +LKML-Reference: <12571987494069-git-send-email-> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcutree.c | 128 ++++++++++++++++++++++++++++++++++--------------------- + kernel/rcutree.h | 3 + + 2 files changed, 83 insertions(+), 48 deletions(-) + +--- a/kernel/rcutree.c ++++ b/kernel/rcutree.c +@@ -568,6 +568,76 @@ check_for_new_grace_period(struct rcu_st + } + + /* ++ * Advance this CPU's callbacks, but only if the current grace period ++ * has ended. This may be called only from the CPU to whom the rdp ++ * belongs. In addition, the corresponding leaf rcu_node structure's ++ * ->lock must be held by the caller, with irqs disabled. ++ */ ++static void ++__rcu_process_gp_end(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp) ++{ ++ /* Did another grace period end? */ ++ if (rdp->completed != rnp->completed) { ++ ++ /* Advance callbacks. No harm if list empty. */ ++ rdp->nxttail[RCU_DONE_TAIL] = rdp->nxttail[RCU_WAIT_TAIL]; ++ rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_READY_TAIL]; ++ rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; ++ ++ /* Remember that we saw this grace-period completion. */ ++ rdp->completed = rnp->completed; ++ } ++} ++ ++/* ++ * Advance this CPU's callbacks, but only if the current grace period ++ * has ended. This may be called only from the CPU to whom the rdp ++ * belongs. ++ */ ++static void ++rcu_process_gp_end(struct rcu_state *rsp, struct rcu_data *rdp) ++{ ++ unsigned long flags; ++ struct rcu_node *rnp; ++ ++ local_irq_save(flags); ++ rnp = rdp->mynode; ++ if (rdp->completed == ACCESS_ONCE(rnp->completed) || /* outside lock. */ ++ !spin_trylock(&rnp->lock)) { /* irqs already off, retry later. */ ++ local_irq_restore(flags); ++ return; ++ } ++ __rcu_process_gp_end(rsp, rnp, rdp); ++ spin_unlock_irqrestore(&rnp->lock, flags); ++} ++ ++/* ++ * Do per-CPU grace-period initialization for running CPU. The caller ++ * must hold the lock of the leaf rcu_node structure corresponding to ++ * this CPU. ++ */ ++static void ++rcu_start_gp_per_cpu(struct rcu_state *rsp, struct rcu_node *rnp, struct rcu_data *rdp) ++{ ++ /* Prior grace period ended, so advance callbacks for current CPU. */ ++ __rcu_process_gp_end(rsp, rnp, rdp); ++ ++ /* ++ * Because this CPU just now started the new grace period, we know ++ * that all of its callbacks will be covered by this upcoming grace ++ * period, even the ones that were registered arbitrarily recently. ++ * Therefore, advance all outstanding callbacks to RCU_WAIT_TAIL. ++ * ++ * Other CPUs cannot be sure exactly when the grace period started. ++ * Therefore, their recently registered callbacks must pass through ++ * an additional RCU_NEXT_READY stage, so that they will be handled ++ * by the next RCU grace period. ++ */ ++ rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; ++ rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; ++} ++ ++/* + * Start a new RCU grace period if warranted, re-initializing the hierarchy + * in preparation for detecting the next grace period. The caller must hold + * the root node's ->lock, which is released before return. Hard irqs must +@@ -594,26 +664,14 @@ rcu_start_gp(struct rcu_state *rsp, unsi + dyntick_record_completed(rsp, rsp->completed - 1); + note_new_gpnum(rsp, rdp); + +- /* +- * Because this CPU just now started the new grace period, we know +- * that all of its callbacks will be covered by this upcoming grace +- * period, even the ones that were registered arbitrarily recently. +- * Therefore, advance all outstanding callbacks to RCU_WAIT_TAIL. +- * +- * Other CPUs cannot be sure exactly when the grace period started. +- * Therefore, their recently registered callbacks must pass through +- * an additional RCU_NEXT_READY stage, so that they will be handled +- * by the next RCU grace period. +- */ +- rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; +- rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; +- + /* Special-case the common single-level case. */ + if (NUM_RCU_NODES == 1) { + rcu_preempt_check_blocked_tasks(rnp); + rnp->qsmask = rnp->qsmaskinit; + rnp->gpnum = rsp->gpnum; ++ rnp->completed = rsp->completed; + rsp->signaled = RCU_SIGNAL_INIT; /* force_quiescent_state OK. */ ++ rcu_start_gp_per_cpu(rsp, rnp, rdp); + spin_unlock_irqrestore(&rnp->lock, flags); + return; + } +@@ -646,6 +704,9 @@ rcu_start_gp(struct rcu_state *rsp, unsi + rcu_preempt_check_blocked_tasks(rnp); + rnp->qsmask = rnp->qsmaskinit; + rnp->gpnum = rsp->gpnum; ++ rnp->completed = rsp->completed; ++ if (rnp == rdp->mynode) ++ rcu_start_gp_per_cpu(rsp, rnp, rdp); + spin_unlock(&rnp->lock); /* irqs remain disabled. */ + } + +@@ -657,34 +718,6 @@ rcu_start_gp(struct rcu_state *rsp, unsi + } + + /* +- * Advance this CPU's callbacks, but only if the current grace period +- * has ended. This may be called only from the CPU to whom the rdp +- * belongs. +- */ +-static void +-rcu_process_gp_end(struct rcu_state *rsp, struct rcu_data *rdp) +-{ +- long completed_snap; +- unsigned long flags; +- +- local_irq_save(flags); +- completed_snap = ACCESS_ONCE(rsp->completed); /* outside of lock. */ +- +- /* Did another grace period end? */ +- if (rdp->completed != completed_snap) { +- +- /* Advance callbacks. No harm if list empty. */ +- rdp->nxttail[RCU_DONE_TAIL] = rdp->nxttail[RCU_WAIT_TAIL]; +- rdp->nxttail[RCU_WAIT_TAIL] = rdp->nxttail[RCU_NEXT_READY_TAIL]; +- rdp->nxttail[RCU_NEXT_READY_TAIL] = rdp->nxttail[RCU_NEXT_TAIL]; +- +- /* Remember that we saw this grace-period completion. */ +- rdp->completed = completed_snap; +- } +- local_irq_restore(flags); +-} +- +-/* + * Clean up after the prior grace period and let rcu_start_gp() start up + * the next grace period if one is needed. Note that the caller must + * hold rnp->lock, as required by rcu_start_gp(), which will release it. +@@ -695,7 +728,6 @@ static void cpu_quiet_msk_finish(struct + WARN_ON_ONCE(!rcu_gp_in_progress(rsp)); + rsp->completed = rsp->gpnum; + rsp->signaled = RCU_GP_IDLE; +- rcu_process_gp_end(rsp, rsp->rda[smp_processor_id()]); + rcu_start_gp(rsp, flags); /* releases root node's rnp->lock. */ + } + +@@ -1537,21 +1569,16 @@ static void __cpuinit + rcu_init_percpu_data(int cpu, struct rcu_state *rsp, int preemptable) + { + unsigned long flags; +- long lastcomp; + unsigned long mask; + struct rcu_data *rdp = rsp->rda[cpu]; + struct rcu_node *rnp = rcu_get_root(rsp); + + /* Set up local state, ensuring consistent view of global state. */ + spin_lock_irqsave(&rnp->lock, flags); +- lastcomp = rsp->completed; +- rdp->completed = lastcomp; +- rdp->gpnum = lastcomp; + rdp->passed_quiesc = 0; /* We could be racing with new GP, */ + rdp->qs_pending = 1; /* so set up to respond to current GP. */ + rdp->beenonline = 1; /* We have now been online. */ + rdp->preemptable = preemptable; +- rdp->passed_quiesc_completed = lastcomp - 1; + rdp->qlen_last_fqs_check = 0; + rdp->n_force_qs_snap = rsp->n_force_qs; + rdp->blimit = blimit; +@@ -1573,6 +1600,11 @@ rcu_init_percpu_data(int cpu, struct rcu + spin_lock(&rnp->lock); /* irqs already disabled. */ + rnp->qsmaskinit |= mask; + mask = rnp->grpmask; ++ if (rnp == rdp->mynode) { ++ rdp->gpnum = rnp->completed; /* if GP in progress... */ ++ rdp->completed = rnp->completed; ++ rdp->passed_quiesc_completed = rnp->completed - 1; ++ } + spin_unlock(&rnp->lock); /* irqs already disabled. */ + rnp = rnp->parent; + } while (rnp != NULL && !(rnp->qsmaskinit & mask)); +--- a/kernel/rcutree.h ++++ b/kernel/rcutree.h +@@ -84,6 +84,9 @@ struct rcu_node { + long gpnum; /* Current grace period for this node. */ + /* This will either be equal to or one */ + /* behind the root rcu_node's gpnum. */ ++ long completed; /* Last grace period completed for this node. */ ++ /* This will either be equal to or one */ ++ /* behind the root rcu_node's gpnum. */ + unsigned long qsmask; /* CPUs or groups that need to switch in */ + /* order for current grace period to proceed.*/ + /* In leaf rcu_node, each bit corresponds to */ diff --git a/queue-2.6.32/rcu-prepare-for-synchronization-fixes-clean-up-for-non-no_hz-handling-of-completed-counter.patch b/queue-2.6.32/rcu-prepare-for-synchronization-fixes-clean-up-for-non-no_hz-handling-of-completed-counter.patch new file mode 100644 index 00000000000..37c02a5553f --- /dev/null +++ b/queue-2.6.32/rcu-prepare-for-synchronization-fixes-clean-up-for-non-no_hz-handling-of-completed-counter.patch @@ -0,0 +1,181 @@ +From 281d150c5f8892f158747594ab49ce2823fd8b8c Mon Sep 17 00:00:00 2001 +From: Paul E. McKenney +Date: Mon, 2 Nov 2009 13:52:27 -0800 +Subject: rcu: Prepare for synchronization fixes: clean up for non-NO_HZ handling of ->completed counter + +From: Paul E. McKenney + +commit 281d150c5f8892f158747594ab49ce2823fd8b8c upstream. + +Impose a clear locking design on non-NO_HZ handling of the +->completed counter. This increases the distance between the +RCU and the CPU-hotplug mechanisms. + +Signed-off-by: Paul E. McKenney +Cc: laijs@cn.fujitsu.com +Cc: dipankar@in.ibm.com +Cc: mathieu.desnoyers@polymtl.ca +Cc: josh@joshtriplett.org +Cc: dvhltc@us.ibm.com +Cc: niv@us.ibm.com +Cc: peterz@infradead.org +Cc: rostedt@goodmis.org +Cc: Valdis.Kletnieks@vt.edu +Cc: dhowells@redhat.com +LKML-Reference: <12571987491353-git-send-email-> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcutree.c | 67 ++++++++++++++++++++++++------------------------------- + kernel/rcutree.h | 8 +++--- + 2 files changed, 34 insertions(+), 41 deletions(-) + +--- a/kernel/rcutree.c ++++ b/kernel/rcutree.c +@@ -176,9 +176,29 @@ static struct rcu_node *rcu_get_root(str + return &rsp->node[0]; + } + ++/* ++ * Record the specified "completed" value, which is later used to validate ++ * dynticks counter manipulations and CPU-offline checks. Specify ++ * "rsp->completed - 1" to unconditionally invalidate any future dynticks ++ * manipulations and CPU-offline checks. Such invalidation is useful at ++ * the beginning of a grace period. ++ */ ++static void dyntick_record_completed(struct rcu_state *rsp, long comp) ++{ ++ rsp->dynticks_completed = comp; ++} ++ + #ifdef CONFIG_SMP + + /* ++ * Recall the previously recorded value of the completion for dynticks. ++ */ ++static long dyntick_recall_completed(struct rcu_state *rsp) ++{ ++ return rsp->dynticks_completed; ++} ++ ++/* + * If the specified CPU is offline, tell the caller that it is in + * a quiescent state. Otherwise, whack it with a reschedule IPI. + * Grace periods can end up waiting on an offline CPU when that +@@ -335,28 +355,9 @@ void rcu_irq_exit(void) + set_need_resched(); + } + +-/* +- * Record the specified "completed" value, which is later used to validate +- * dynticks counter manipulations. Specify "rsp->completed - 1" to +- * unconditionally invalidate any future dynticks manipulations (which is +- * useful at the beginning of a grace period). +- */ +-static void dyntick_record_completed(struct rcu_state *rsp, long comp) +-{ +- rsp->dynticks_completed = comp; +-} +- + #ifdef CONFIG_SMP + + /* +- * Recall the previously recorded value of the completion for dynticks. +- */ +-static long dyntick_recall_completed(struct rcu_state *rsp) +-{ +- return rsp->dynticks_completed; +-} +- +-/* + * Snapshot the specified CPU's dynticks counter so that we can later + * credit them with an implicit quiescent state. Return 1 if this CPU + * is in dynticks idle mode, which is an extended quiescent state. +@@ -419,24 +420,8 @@ static int rcu_implicit_dynticks_qs(stru + + #else /* #ifdef CONFIG_NO_HZ */ + +-static void dyntick_record_completed(struct rcu_state *rsp, long comp) +-{ +-} +- + #ifdef CONFIG_SMP + +-/* +- * If there are no dynticks, then the only way that a CPU can passively +- * be in a quiescent state is to be offline. Unlike dynticks idle, which +- * is a point in time during the prior (already finished) grace period, +- * an offline CPU is always in a quiescent state, and thus can be +- * unconditionally applied. So just return the current value of completed. +- */ +-static long dyntick_recall_completed(struct rcu_state *rsp) +-{ +- return rsp->completed; +-} +- + static int dyntick_save_progress_counter(struct rcu_data *rdp) + { + return 0; +@@ -1144,6 +1129,7 @@ static void force_quiescent_state(struct + long lastcomp; + struct rcu_node *rnp = rcu_get_root(rsp); + u8 signaled; ++ u8 forcenow; + + if (!rcu_gp_in_progress(rsp)) + return; /* No grace period in progress, nothing to force. */ +@@ -1180,16 +1166,23 @@ static void force_quiescent_state(struct + if (rcu_process_dyntick(rsp, lastcomp, + dyntick_save_progress_counter)) + goto unlock_ret; ++ /* fall into next case. */ ++ ++ case RCU_SAVE_COMPLETED: + + /* Update state, record completion counter. */ ++ forcenow = 0; + spin_lock(&rnp->lock); + if (lastcomp == rsp->completed && +- rsp->signaled == RCU_SAVE_DYNTICK) { ++ rsp->signaled == signaled) { + rsp->signaled = RCU_FORCE_QS; + dyntick_record_completed(rsp, lastcomp); ++ forcenow = signaled == RCU_SAVE_COMPLETED; + } + spin_unlock(&rnp->lock); +- break; ++ if (!forcenow) ++ break; ++ /* fall into next case. */ + + case RCU_FORCE_QS: + +--- a/kernel/rcutree.h ++++ b/kernel/rcutree.h +@@ -204,11 +204,12 @@ struct rcu_data { + #define RCU_GP_IDLE 0 /* No grace period in progress. */ + #define RCU_GP_INIT 1 /* Grace period being initialized. */ + #define RCU_SAVE_DYNTICK 2 /* Need to scan dyntick state. */ +-#define RCU_FORCE_QS 3 /* Need to force quiescent state. */ ++#define RCU_SAVE_COMPLETED 3 /* Need to save rsp->completed. */ ++#define RCU_FORCE_QS 4 /* Need to force quiescent state. */ + #ifdef CONFIG_NO_HZ + #define RCU_SIGNAL_INIT RCU_SAVE_DYNTICK + #else /* #ifdef CONFIG_NO_HZ */ +-#define RCU_SIGNAL_INIT RCU_FORCE_QS ++#define RCU_SIGNAL_INIT RCU_SAVE_COMPLETED + #endif /* #else #ifdef CONFIG_NO_HZ */ + + #define RCU_JIFFIES_TILL_FORCE_QS 3 /* for rsp->jiffies_force_qs */ +@@ -274,9 +275,8 @@ struct rcu_state { + unsigned long jiffies_stall; /* Time at which to check */ + /* for CPU stalls. */ + #endif /* #ifdef CONFIG_RCU_CPU_STALL_DETECTOR */ +-#ifdef CONFIG_NO_HZ + long dynticks_completed; /* Value of completed @ snap. */ +-#endif /* #ifdef CONFIG_NO_HZ */ ++ /* Protected by fqslock. */ + }; + + #ifdef RCU_TREE_NONCORE diff --git a/queue-2.6.32/rcu-remove-inline-from-forward-referenced-functions.patch b/queue-2.6.32/rcu-remove-inline-from-forward-referenced-functions.patch new file mode 100644 index 00000000000..19fadcdf7e0 --- /dev/null +++ b/queue-2.6.32/rcu-remove-inline-from-forward-referenced-functions.patch @@ -0,0 +1,65 @@ +From dbe01350fa8ce0c11948ab7d6be71a4d901be151 Mon Sep 17 00:00:00 2001 +From: Paul E. McKenney +Date: Tue, 10 Nov 2009 13:37:19 -0800 +Subject: rcu: Remove inline from forward-referenced functions + +From: Paul E. McKenney + +commit dbe01350fa8ce0c11948ab7d6be71a4d901be151 upstream. + +Some variants of gcc are reputed to dislike forward references +to functions declared "inline". Remove the "inline" keyword +from such functions. + +Signed-off-by: Paul E. McKenney +Cc: laijs@cn.fujitsu.com +Cc: dipankar@in.ibm.com +Cc: mathieu.desnoyers@polymtl.ca +Cc: josh@joshtriplett.org +Cc: dvhltc@us.ibm.com +Cc: niv@us.ibm.com +Cc: peterz@infradead.org +Cc: rostedt@goodmis.org +Cc: Valdis.Kletnieks@vt.edu +Cc: dhowells@redhat.com +Cc: Benjamin Gilbert +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/rcutree.h | 2 +- + kernel/rcutree_plugin.h | 4 ++-- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/kernel/rcutree.h ++++ b/kernel/rcutree.h +@@ -301,7 +301,7 @@ DECLARE_PER_CPU(struct rcu_data, rcu_pre + #else /* #ifdef RCU_TREE_NONCORE */ + + /* Forward declarations for rcutree_plugin.h */ +-static inline void rcu_bootup_announce(void); ++static void rcu_bootup_announce(void); + long rcu_batches_completed(void); + static void rcu_preempt_note_context_switch(int cpu); + static int rcu_preempted_readers(struct rcu_node *rnp); +--- a/kernel/rcutree_plugin.h ++++ b/kernel/rcutree_plugin.h +@@ -33,7 +33,7 @@ DEFINE_PER_CPU(struct rcu_data, rcu_pree + /* + * Tell them what RCU they are running. + */ +-static inline void rcu_bootup_announce(void) ++static void rcu_bootup_announce(void) + { + printk(KERN_INFO + "Experimental preemptable hierarchical RCU implementation.\n"); +@@ -481,7 +481,7 @@ void exit_rcu(void) + /* + * Tell them what RCU they are running. + */ +-static inline void rcu_bootup_announce(void) ++static void rcu_bootup_announce(void) + { + printk(KERN_INFO "Hierarchical RCU implementation.\n"); + } diff --git a/queue-2.6.32/s390-clear-high-order-bits-of-registers-after-sam64.patch b/queue-2.6.32/s390-clear-high-order-bits-of-registers-after-sam64.patch new file mode 100644 index 00000000000..aaca5c1c8ea --- /dev/null +++ b/queue-2.6.32/s390-clear-high-order-bits-of-registers-after-sam64.patch @@ -0,0 +1,44 @@ +From cf87b7439ec81b9374e7772e44e9cb2eb9e57160 Mon Sep 17 00:00:00 2001 +From: Hendrik Brueckner +Date: Mon, 7 Dec 2009 12:44:42 +0100 +Subject: [S390] s390: clear high-order bits of registers after sam64 + +From: Hendrik Brueckner + +commit cf87b7439ec81b9374e7772e44e9cb2eb9e57160 upstream. + +When the kernel is IPLed without the CLEAR option and switches +to 64-bit, the high-order half of the registers might contain +random values. This can cause addressing exceptions and the +kernel enters an interrupt loop. + +Initialize the high-order half of the general purpose registers +with zeros after switching to 64-bit mode. + +Signed-off-by: Hendrik Brueckner +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/head64.S | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/s390/kernel/head64.S ++++ b/arch/s390/kernel/head64.S +@@ -83,6 +83,8 @@ startup_continue: + slr %r0,%r0 # set cpuid to zero + sigp %r1,%r0,0x12 # switch to esame mode + sam64 # switch to 64 bit mode ++ llgfr %r13,%r13 # clear high-order half of base reg ++ lmh %r0,%r15,.Lzero64-.LPG1(%r13) # clear high-order half + lctlg %c0,%c15,.Lctl-.LPG1(%r13) # load control registers + lg %r12,.Lparmaddr-.LPG1(%r13) # pointer to parameter area + # move IPL device to lowcore +@@ -127,6 +129,7 @@ startup_continue: + .L4malign:.quad 0xffffffffffc00000 + .Lscan2g:.quad 0x80000000 + 0x20000 - 8 # 2GB + 128K - 8 + .Lnop: .long 0x07000700 ++.Lzero64:.fill 16,4,0x0 + #ifdef CONFIG_ZFCPDUMP + .Lcurrent_cpu: + .long 0x0 diff --git a/queue-2.6.32/sched-check-for-an-idle-shared-cache-in-select_task_rq_fair.patch b/queue-2.6.32/sched-check-for-an-idle-shared-cache-in-select_task_rq_fair.patch new file mode 100644 index 00000000000..cfbbda1a856 --- /dev/null +++ b/queue-2.6.32/sched-check-for-an-idle-shared-cache-in-select_task_rq_fair.patch @@ -0,0 +1,70 @@ +From a1f84a3ab8e002159498814eaa7e48c33752b04b Mon Sep 17 00:00:00 2001 +From: Mike Galbraith +Date: Tue, 27 Oct 2009 15:35:38 +0100 +Subject: sched: Check for an idle shared cache in select_task_rq_fair() + +From: Mike Galbraith + +commit a1f84a3ab8e002159498814eaa7e48c33752b04b upstream. + +When waking affine, check for an idle shared cache, and if +found, wake to that CPU/sibling instead of the waker's CPU. + +This improves pgsql+oltp ramp up by roughly 8%. Possibly more +for other loads, depending on overlap. The trade-off is a +roughly 1% peak downturn if tasks are truly synchronous. + +Signed-off-by: Mike Galbraith +Cc: Arjan van de Ven +Cc: Peter Zijlstra +LKML-Reference: <1256654138.17752.7.camel@marge.simson.net> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched_fair.c | 33 +++++++++++++++++++++++++++++---- + 1 file changed, 29 insertions(+), 4 deletions(-) + +--- a/kernel/sched_fair.c ++++ b/kernel/sched_fair.c +@@ -1398,11 +1398,36 @@ static int select_task_rq_fair(struct ta + want_sd = 0; + } + +- if (want_affine && (tmp->flags & SD_WAKE_AFFINE) && +- cpumask_test_cpu(prev_cpu, sched_domain_span(tmp))) { ++ if (want_affine && (tmp->flags & SD_WAKE_AFFINE)) { ++ int candidate = -1, i; + +- affine_sd = tmp; +- want_affine = 0; ++ if (cpumask_test_cpu(prev_cpu, sched_domain_span(tmp))) ++ candidate = cpu; ++ ++ /* ++ * Check for an idle shared cache. ++ */ ++ if (tmp->flags & SD_PREFER_SIBLING) { ++ if (candidate == cpu) { ++ if (!cpu_rq(prev_cpu)->cfs.nr_running) ++ candidate = prev_cpu; ++ } ++ ++ if (candidate == -1 || candidate == cpu) { ++ for_each_cpu(i, sched_domain_span(tmp)) { ++ if (!cpu_rq(i)->cfs.nr_running) { ++ candidate = i; ++ break; ++ } ++ } ++ } ++ } ++ ++ if (candidate >= 0) { ++ affine_sd = tmp; ++ want_affine = 0; ++ cpu = candidate; ++ } + } + + if (!want_sd && !want_affine) diff --git a/queue-2.6.32/sched-fix-affinity-logic-in-select_task_rq_fair.patch b/queue-2.6.32/sched-fix-affinity-logic-in-select_task_rq_fair.patch new file mode 100644 index 00000000000..fb92c02646a --- /dev/null +++ b/queue-2.6.32/sched-fix-affinity-logic-in-select_task_rq_fair.patch @@ -0,0 +1,57 @@ +From fd210738f6601d0fb462df9a2fe5a41896ff6a8f Mon Sep 17 00:00:00 2001 +From: Mike Galbraith +Date: Thu, 5 Nov 2009 10:57:46 +0100 +Subject: sched: Fix affinity logic in select_task_rq_fair() + +From: Mike Galbraith + +commit fd210738f6601d0fb462df9a2fe5a41896ff6a8f upstream. + +Ingo Molnar reported: + +[ 26.804000] BUG: using smp_processor_id() in preemptible [00000000] code: events/1/10 +[ 26.808000] caller is vmstat_update+0x26/0x70 +[ 26.812000] Pid: 10, comm: events/1 Not tainted 2.6.32-rc5 #6887 +[ 26.816000] Call Trace: +[ 26.820000] [] ? printk+0x28/0x3c +[ 26.824000] [] debug_smp_processor_id+0xf0/0x110 +[ 26.824000] mount used greatest stack depth: 1464 bytes left +[ 26.828000] [] vmstat_update+0x26/0x70 +[ 26.832000] [] worker_thread+0x188/0x310 +[ 26.836000] [] ? worker_thread+0x127/0x310 +[ 26.840000] [] ? autoremove_wake_function+0x0/0x60 +[ 26.844000] [] ? worker_thread+0x0/0x310 +[ 26.848000] [] kthread+0x7c/0x90 +[ 26.852000] [] ? kthread+0x0/0x90 +[ 26.856000] [] kernel_thread_helper+0x7/0x10 +[ 26.860000] BUG: using smp_processor_id() in preemptible [00000000] code: events/1/10 +[ 26.864000] caller is vmstat_update+0x3c/0x70 + +Because this commit: + + a1f84a3: sched: Check for an idle shared cache in select_task_rq_fair() + +broke ->cpus_allowed. + +Signed-off-by: Mike Galbraith +Cc: Peter Zijlstra +Cc: arjan@infradead.org +LKML-Reference: <1257415066.12867.1.camel@marge.simson.net> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched_fair.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/kernel/sched_fair.c ++++ b/kernel/sched_fair.c +@@ -1415,6 +1415,8 @@ static int select_task_rq_fair(struct ta + + if (candidate == -1 || candidate == cpu) { + for_each_cpu(i, sched_domain_span(tmp)) { ++ if (!cpumask_test_cpu(i, &p->cpus_allowed)) ++ continue; + if (!cpu_rq(i)->cfs.nr_running) { + candidate = i; + break; diff --git a/queue-2.6.32/sched-fix-and-clean-up-rate-limit-newidle-code.patch b/queue-2.6.32/sched-fix-and-clean-up-rate-limit-newidle-code.patch new file mode 100644 index 00000000000..e6b5456ea94 --- /dev/null +++ b/queue-2.6.32/sched-fix-and-clean-up-rate-limit-newidle-code.patch @@ -0,0 +1,101 @@ +From eae0c9dfb534cb3449888b9601228efa6480fdb5 Mon Sep 17 00:00:00 2001 +From: Mike Galbraith +Date: Tue, 10 Nov 2009 03:50:02 +0100 +Subject: sched: Fix and clean up rate-limit newidle code + +From: Mike Galbraith + +commit eae0c9dfb534cb3449888b9601228efa6480fdb5 upstream. + +Commit 1b9508f, "Rate-limit newidle" has been confirmed to fix +the netperf UDP loopback regression reported by Alex Shi. + +This is a cleanup and a fix: + + - moved to a more out of the way spot + + - fix to ensure that balancing doesn't try to balance + runqueues which haven't gone online yet, which can + mess up CPU enumeration during boot. + +Reported-by: Alex Shi +Reported-by: Zhang, Yanmin +Signed-off-by: Mike Galbraith +Acked-by: Peter Zijlstra +Cc: # .32.x: a1f84a3: sched: Check for an idle shared cache +Cc: # .32.x: 1b9508f: sched: Rate-limit newidle +Cc: # .32.x: fd21073: sched: Fix affinity logic +Cc: # .32.x +LKML-Reference: <1257821402.5648.17.camel@marge.simson.net> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched.c | 28 +++++++++++++++------------- + 1 file changed, 15 insertions(+), 13 deletions(-) + +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -2386,17 +2386,6 @@ static int try_to_wake_up(struct task_st + if (rq != orig_rq) + update_rq_clock(rq); + +- if (rq->idle_stamp) { +- u64 delta = rq->clock - rq->idle_stamp; +- u64 max = 2*sysctl_sched_migration_cost; +- +- if (delta > max) +- rq->avg_idle = max; +- else +- update_avg(&rq->avg_idle, delta); +- rq->idle_stamp = 0; +- } +- + WARN_ON(p->state != TASK_WAKING); + cpu = task_cpu(p); + +@@ -2453,6 +2442,17 @@ out_running: + #ifdef CONFIG_SMP + if (p->sched_class->task_wake_up) + p->sched_class->task_wake_up(rq, p); ++ ++ if (unlikely(rq->idle_stamp)) { ++ u64 delta = rq->clock - rq->idle_stamp; ++ u64 max = 2*sysctl_sched_migration_cost; ++ ++ if (delta > max) ++ rq->avg_idle = max; ++ else ++ update_avg(&rq->avg_idle, delta); ++ rq->idle_stamp = 0; ++ } + #endif + out: + task_rq_unlock(rq, &flags); +@@ -4139,7 +4139,7 @@ static int load_balance(int this_cpu, st + unsigned long flags; + struct cpumask *cpus = __get_cpu_var(load_balance_tmpmask); + +- cpumask_setall(cpus); ++ cpumask_copy(cpus, cpu_online_mask); + + /* + * When power savings policy is enabled for the parent domain, idle +@@ -4302,7 +4302,7 @@ load_balance_newidle(int this_cpu, struc + int all_pinned = 0; + struct cpumask *cpus = __get_cpu_var(load_balance_tmpmask); + +- cpumask_setall(cpus); ++ cpumask_copy(cpus, cpu_online_mask); + + /* + * When power savings policy is enabled for the parent domain, idle +@@ -9542,6 +9542,8 @@ void __init sched_init(void) + rq->cpu = i; + rq->online = 0; + rq->migration_thread = NULL; ++ rq->idle_stamp = 0; ++ rq->avg_idle = 2*sysctl_sched_migration_cost; + INIT_LIST_HEAD(&rq->migration_queue); + rq_attach_root(rq, &def_root_domain); + #endif diff --git a/queue-2.6.32/sched-rate-limit-newidle.patch b/queue-2.6.32/sched-rate-limit-newidle.patch new file mode 100644 index 00000000000..3757a66ada3 --- /dev/null +++ b/queue-2.6.32/sched-rate-limit-newidle.patch @@ -0,0 +1,95 @@ +From 1b9508f6831e10d53256825de8904caa22d1ca2c Mon Sep 17 00:00:00 2001 +From: Mike Galbraith +Date: Wed, 4 Nov 2009 17:53:50 +0100 +Subject: sched: Rate-limit newidle + +From: Mike Galbraith + +commit 1b9508f6831e10d53256825de8904caa22d1ca2c upstream. + +Rate limit newidle to migration_cost. It's a win for all +stages of sysbench oltp tests. + +Signed-off-by: Mike Galbraith +Cc: Peter Zijlstra +LKML-Reference: +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/sched.c | 22 +++++++++++++++++++++- + kernel/sched_debug.c | 4 ++++ + 2 files changed, 25 insertions(+), 1 deletion(-) + +--- a/kernel/sched.c ++++ b/kernel/sched.c +@@ -591,6 +591,8 @@ struct rq { + + u64 rt_avg; + u64 age_stamp; ++ u64 idle_stamp; ++ u64 avg_idle; + #endif + + /* calc_load related fields */ +@@ -2384,6 +2386,17 @@ static int try_to_wake_up(struct task_st + if (rq != orig_rq) + update_rq_clock(rq); + ++ if (rq->idle_stamp) { ++ u64 delta = rq->clock - rq->idle_stamp; ++ u64 max = 2*sysctl_sched_migration_cost; ++ ++ if (delta > max) ++ rq->avg_idle = max; ++ else ++ update_avg(&rq->avg_idle, delta); ++ rq->idle_stamp = 0; ++ } ++ + WARN_ON(p->state != TASK_WAKING); + cpu = task_cpu(p); + +@@ -4429,6 +4442,11 @@ static void idle_balance(int this_cpu, s + int pulled_task = 0; + unsigned long next_balance = jiffies + HZ; + ++ this_rq->idle_stamp = this_rq->clock; ++ ++ if (this_rq->avg_idle < sysctl_sched_migration_cost) ++ return; ++ + for_each_domain(this_cpu, sd) { + unsigned long interval; + +@@ -4443,8 +4461,10 @@ static void idle_balance(int this_cpu, s + interval = msecs_to_jiffies(sd->balance_interval); + if (time_after(next_balance, sd->last_balance + interval)) + next_balance = sd->last_balance + interval; +- if (pulled_task) ++ if (pulled_task) { ++ this_rq->idle_stamp = 0; + break; ++ } + } + if (pulled_task || time_after(jiffies, this_rq->next_balance)) { + /* +--- a/kernel/sched_debug.c ++++ b/kernel/sched_debug.c +@@ -285,12 +285,16 @@ static void print_cpu(struct seq_file *m + + #ifdef CONFIG_SCHEDSTATS + #define P(n) SEQ_printf(m, " .%-30s: %d\n", #n, rq->n); ++#define P64(n) SEQ_printf(m, " .%-30s: %Ld\n", #n, rq->n); + + P(yld_count); + + P(sched_switch); + P(sched_count); + P(sched_goidle); ++#ifdef CONFIG_SMP ++ P64(avg_idle); ++#endif + + P(ttwu_count); + P(ttwu_local); diff --git a/queue-2.6.32/series b/queue-2.6.32/series index da7fbfd0c55..8153abf11d1 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -1,3 +1,61 @@ usb-usb-storage-fix-bug-in-fill_inquiry.patch usb-option-add-pid-for-zte.patch firewire-ohci-handle-receive-packets-with-a-data-length-of-zero.patch +rcu-prepare-for-synchronization-fixes-clean-up-for-non-no_hz-handling-of-completed-counter.patch +rcu-fix-synchronization-for-rcu_process_gp_end-uses-of-completed-counter.patch +rcu-fix-note_new_gpnum-uses-of-gpnum.patch +rcu-remove-inline-from-forward-referenced-functions.patch +perf_event-fix-invalid-type-in-ioctl-definition.patch +perf_event-initialize-data.period-in-perf_swevent_hrtimer.patch +perf-don-t-free-perf_mmap_data-until-work-has-been-done.patch +pm-runtime-fix-lockdep-warning-in-__pm_runtime_set_status.patch +sched-check-for-an-idle-shared-cache-in-select_task_rq_fair.patch +sched-fix-affinity-logic-in-select_task_rq_fair.patch +sched-rate-limit-newidle.patch +sched-fix-and-clean-up-rate-limit-newidle-code.patch +x86-amd-iommu-attach-devices-to-pre-allocated-domains-early.patch +x86-amd-iommu-un__init-iommu_setup_msi.patch +x86-calgary-iommu-quirk-find-nearest-matching-calgary-while-walking-up-the-pci-tree.patch +x86-fix-iommu-nodac-parameter-handling.patch +x86-gart-pci-gart_64.c-use-correct-length-in-strncmp.patch +x86-asus-p4s800-reboot-bios-quirk.patch +x86-apic-enable-lapic-nmi-watchdog-on-amd-family-11h.patch +ssb-fix-range-check-in-sprom-write.patch +ath5k-allow-setting-txpower-to-0.patch +ath5k-enable-eeprom-checksum-check.patch +hrtimer-fix-proc-timer_list-regression.patch +alsa-hrtimer-fix-lock-up.patch +alsa-hda-terradici-hda-controllers-does-not-support-64-bit-mode.patch +kvm-x86-emulator-limit-instructions-to-15-bytes.patch +kvm-s390-fix-prefix-register-checking-in-arch-s390-kvm-sigp.c.patch +kvm-s390-make-psw-available-on-all-exits-not-just-a-subset.patch +kvm-fix-irq_source_id-size-verification.patch +kvm-x86-include-pvclock-msrs-in-msrs_to_save.patch +x86-prevent-gcc-4.4.x-pentium-mmx-et-al-function-prologue-wreckage.patch +x86-use-maccumulate-outgoing-args-for-sane-mcount-prologues.patch +x86-mce-don-t-restart-timer-if-disabled.patch +x86-mce-set-up-timer-unconditionally.patch +x86-sgi-uv-fix-bau-initialization.patch +x86-fix-duplicated-uv-bau-interrupt-vector.patch +x86-add-new-intel-cpu-cache-size-descriptors.patch +x86-fix-typo-in-intel-cpu-cache-size-descriptor.patch +pata_hpt-37x-3x2n-fix-timing-register-masks-take-2.patch +s390-clear-high-order-bits-of-registers-after-sam64.patch +v4l-dvb-fix-test-in-copy_reg_bits.patch +bsdacct-fix-uid-gid-misreporting.patch +ubi-flush-wl-before-clearing-update-marker.patch +jbd2-don-t-wipe-the-journal-on-a-failed-journal-checksum.patch +usb-xhci-add-correct-email-and-files-to-maintainers-entry.patch +usb-musb_gadget_ep0-fix-unhandled-endpoint-0-irqs-again.patch +usb-option.c-add-support-for-d-link-dwm-162-u5.patch +usb-usbtmc-repeat-usb_bulk_msg-until-whole-message-is-transfered.patch +usb-usb-storage-add-bad_sense-flag.patch +usb-close-usb_find_interface-race-v3.patch +pxa-em-x270-fix-usb-hub-power-up-reset-sequence.patch +hfs-fix-a-potential-buffer-overflow.patch +sunrpc-is_err-ptr_err-confusion.patch +nfs-fix-nfs_migrate_page.patch +md-bitmap-protect-against-bitmap-removal-while-being-updated.patch +futex-take-mmap_sem-for-get_user_pages-in-fault_in_user_writeable.patch +devpts_get_tty-should-validate-inode.patch +debugfs-fix-create-mutex-racy-fops-and-private-data.patch diff --git a/queue-2.6.32/ssb-fix-range-check-in-sprom-write.patch b/queue-2.6.32/ssb-fix-range-check-in-sprom-write.patch new file mode 100644 index 00000000000..1a002e02f85 --- /dev/null +++ b/queue-2.6.32/ssb-fix-range-check-in-sprom-write.patch @@ -0,0 +1,66 @@ +From e33761e6f23881de9f3ee77cc2204ab2e26f3d9a Mon Sep 17 00:00:00 2001 +From: Michael Buesch +Date: Mon, 23 Nov 2009 20:58:06 +0100 +Subject: ssb: Fix range check in sprom write + +From: Michael Buesch + +commit e33761e6f23881de9f3ee77cc2204ab2e26f3d9a upstream. + +The range check in the sprom image parser hex2sprom() is broken. +One sprom word is 4 hex characters. +This fixes the check and also adds much better sanity checks to the code. +We better make sure the image is OK by doing some sanity checks to avoid +bricking the device by accident. + +Signed-off-by: Michael Buesch +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/sprom.c | 20 ++++++++++++++++---- + 1 file changed, 16 insertions(+), 4 deletions(-) + +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -13,6 +13,8 @@ + + #include "ssb_private.h" + ++#include ++ + + static const struct ssb_sprom *fallback_sprom; + +@@ -33,17 +35,27 @@ static int sprom2hex(const u16 *sprom, c + static int hex2sprom(u16 *sprom, const char *dump, size_t len, + size_t sprom_size_words) + { +- char tmp[5] = { 0 }; +- int cnt = 0; ++ char c, tmp[5] = { 0 }; ++ int err, cnt = 0; + unsigned long parsed; + +- if (len < sprom_size_words * 2) ++ /* Strip whitespace at the end. */ ++ while (len) { ++ c = dump[len - 1]; ++ if (!isspace(c) && c != '\0') ++ break; ++ len--; ++ } ++ /* Length must match exactly. */ ++ if (len != sprom_size_words * 4) + return -EINVAL; + + while (cnt < sprom_size_words) { + memcpy(tmp, dump, 4); + dump += 4; +- parsed = simple_strtoul(tmp, NULL, 16); ++ err = strict_strtoul(tmp, 16, &parsed); ++ if (err) ++ return err; + sprom[cnt++] = swab16((u16)parsed); + } + diff --git a/queue-2.6.32/sunrpc-is_err-ptr_err-confusion.patch b/queue-2.6.32/sunrpc-is_err-ptr_err-confusion.patch new file mode 100644 index 00000000000..5118ecfa496 --- /dev/null +++ b/queue-2.6.32/sunrpc-is_err-ptr_err-confusion.patch @@ -0,0 +1,30 @@ +From 480e3243df156e39eea6c91057e2ae612a6bbe19 Mon Sep 17 00:00:00 2001 +From: Roel Kluin +Date: Tue, 8 Dec 2009 13:13:03 -0500 +Subject: SUNRPC: IS_ERR/PTR_ERR confusion + +From: Roel Kluin + +commit 480e3243df156e39eea6c91057e2ae612a6bbe19 upstream. + +IS_ERR returns 1 or 0, PTR_ERR returns the error value. + +Signed-off-by: Roel Kluin +Signed-off-by: Trond Myklebust +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/auth_gss/auth_gss.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/sunrpc/auth_gss/auth_gss.c ++++ b/net/sunrpc/auth_gss/auth_gss.c +@@ -485,7 +485,7 @@ gss_refresh_upcall(struct rpc_task *task + dprintk("RPC: %5u gss_refresh_upcall for uid %u\n", task->tk_pid, + cred->cr_uid); + gss_msg = gss_setup_upcall(task->tk_client, gss_auth, cred); +- if (IS_ERR(gss_msg) == -EAGAIN) { ++ if (PTR_ERR(gss_msg) == -EAGAIN) { + /* XXX: warning on the first, under the assumption we + * shouldn't normally hit this case on a refresh. */ + warn_gssd(); diff --git a/queue-2.6.32/ubi-flush-wl-before-clearing-update-marker.patch b/queue-2.6.32/ubi-flush-wl-before-clearing-update-marker.patch new file mode 100644 index 00000000000..9db9371b7f3 --- /dev/null +++ b/queue-2.6.32/ubi-flush-wl-before-clearing-update-marker.patch @@ -0,0 +1,88 @@ +From 6afaf8a484cbbfd2ccf58a4e5396d1f280469789 Mon Sep 17 00:00:00 2001 +From: Sebastian Andrzej Siewior +Date: Sun, 29 Nov 2009 19:46:02 +0100 +Subject: UBI: flush wl before clearing update marker + +From: Sebastian Andrzej Siewior + +commit 6afaf8a484cbbfd2ccf58a4e5396d1f280469789 upstream. + +ubiupdatevol -t does the following: +- ubi_start_update() + - set_update_marker() + - for all LEBs ubi_eba_unmap_leb() + - clear_update_marker() + - ubi_wl_flush() + +ubi_wl_flush() physically erases all PEB, once it returns all PEBs are +empty. clear_update_marker() has the update marker written after return. +If there is a power cut between the last two functions then the UBI +volume has no longer the "update" marker set and may have some valid +LEBs while some of them may be gone. +If that volume in question happens to be a UBIFS volume, then mount +will fail with + +|UBIFS error (pid 1361): ubifs_read_node: bad node type (255 but expected 6) +|UBIFS error (pid 1361): ubifs_read_node: bad node at LEB 0:0 +|Not a node, first 24 bytes: +|00000000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff + +if there is at least one valid LEB and the wear-leveling worker managed +to clear LEB 0. + +The patch waits for the wl worker to finish prior clearing the "update" +marker on flash. The two new LEB which are scheduled for erasing after +clear_update_marker() should not matter because they are only visible to +UBI. + +Signed-off-by: Sebastian Andrzej Siewior +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/ubi/upd.c | 20 +++++++++++--------- + 1 file changed, 11 insertions(+), 9 deletions(-) + +--- a/drivers/mtd/ubi/upd.c ++++ b/drivers/mtd/ubi/upd.c +@@ -147,12 +147,14 @@ int ubi_start_update(struct ubi_device * + } + + if (bytes == 0) { ++ err = ubi_wl_flush(ubi); ++ if (err) ++ return err; ++ + err = clear_update_marker(ubi, vol, 0); + if (err) + return err; +- err = ubi_wl_flush(ubi); +- if (!err) +- vol->updating = 0; ++ vol->updating = 0; + } + + vol->upd_buf = vmalloc(ubi->leb_size); +@@ -362,16 +364,16 @@ int ubi_more_update_data(struct ubi_devi + + ubi_assert(vol->upd_received <= vol->upd_bytes); + if (vol->upd_received == vol->upd_bytes) { ++ err = ubi_wl_flush(ubi); ++ if (err) ++ return err; + /* The update is finished, clear the update marker */ + err = clear_update_marker(ubi, vol, vol->upd_bytes); + if (err) + return err; +- err = ubi_wl_flush(ubi); +- if (err == 0) { +- vol->updating = 0; +- err = to_write; +- vfree(vol->upd_buf); +- } ++ vol->updating = 0; ++ err = to_write; ++ vfree(vol->upd_buf); + } + + return err; diff --git a/queue-2.6.32/usb-close-usb_find_interface-race-v3.patch b/queue-2.6.32/usb-close-usb_find_interface-race-v3.patch new file mode 100644 index 00000000000..b562a78ec46 --- /dev/null +++ b/queue-2.6.32/usb-close-usb_find_interface-race-v3.patch @@ -0,0 +1,103 @@ +From c2d284ee04ab6f6718de2ddcf1b43160e046c41d Mon Sep 17 00:00:00 2001 +From: Russ Dill +Date: Mon, 14 Dec 2009 21:45:35 -0700 +Subject: USB: Close usb_find_interface race v3 + +From: Russ Dill + +commit c2d284ee04ab6f6718de2ddcf1b43160e046c41d upstream. + +USB drivers that create character devices call usb_register_dev in their +probe function. This associates the usb_interface device with that minor +number and creates the character device and announces it to the world. +However, the driver's probe function is called before the new +usb_interface is added to the driver's klist_devices. + +This is a problem because userspace will respond to the character device +creation announcement by opening the character device. The driver's open +function will the call usb_find_interface to find the usb_interface +associated with that minor number. usb_find_interface will walk the +driver's list of devices and find the usb_interface with the matching +minor number. + +Because the announcement happens before the usb_interface is added to the +driver's klist_devices, a race condition exists. A straightforward fix +is to walk the list of devices on usb_bus_type instead since the device +is added to that list before the announcement occurs. + +bus_find_device calls get_device to bump the reference count on the found +device. It is arguable that the reference count should be dropped by the +caller of usb_find_interface instead of usb_find_interface, however, +the current users of usb_find_interface do not expect this. + +The original version of this patch only matched against minor number +instead of driver and minor number. This version matches against both. + +Signed-off-by: Russ Dill +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/core/usb.c | 31 ++++++++++++++++--------------- + 1 file changed, 16 insertions(+), 15 deletions(-) + +--- a/drivers/usb/core/usb.c ++++ b/drivers/usb/core/usb.c +@@ -132,7 +132,7 @@ EXPORT_SYMBOL_GPL(usb_altnum_to_altsetti + + struct find_interface_arg { + int minor; +- struct usb_interface *interface; ++ struct device_driver *drv; + }; + + static int __find_interface(struct device *dev, void *data) +@@ -143,12 +143,10 @@ static int __find_interface(struct devic + if (!is_usb_interface(dev)) + return 0; + ++ if (dev->driver != arg->drv) ++ return 0; + intf = to_usb_interface(dev); +- if (intf->minor != -1 && intf->minor == arg->minor) { +- arg->interface = intf; +- return 1; +- } +- return 0; ++ return intf->minor == arg->minor; + } + + /** +@@ -156,21 +154,24 @@ static int __find_interface(struct devic + * @drv: the driver whose current configuration is considered + * @minor: the minor number of the desired device + * +- * This walks the driver device list and returns a pointer to the interface +- * with the matching minor. Note, this only works for devices that share the +- * USB major number. ++ * This walks the bus device list and returns a pointer to the interface ++ * with the matching minor and driver. Note, this only works for devices ++ * that share the USB major number. + */ + struct usb_interface *usb_find_interface(struct usb_driver *drv, int minor) + { + struct find_interface_arg argb; +- int retval; ++ struct device *dev; + + argb.minor = minor; +- argb.interface = NULL; +- /* eat the error, it will be in argb.interface */ +- retval = driver_for_each_device(&drv->drvwrap.driver, NULL, &argb, +- __find_interface); +- return argb.interface; ++ argb.drv = &drv->drvwrap.driver; ++ ++ dev = bus_find_device(&usb_bus_type, NULL, &argb, __find_interface); ++ ++ /* Drop reference count from bus_find_device */ ++ put_device(dev); ++ ++ return dev ? to_usb_interface(dev) : NULL; + } + EXPORT_SYMBOL_GPL(usb_find_interface); + diff --git a/queue-2.6.32/usb-musb_gadget_ep0-fix-unhandled-endpoint-0-irqs-again.patch b/queue-2.6.32/usb-musb_gadget_ep0-fix-unhandled-endpoint-0-irqs-again.patch new file mode 100644 index 00000000000..c658964ef31 --- /dev/null +++ b/queue-2.6.32/usb-musb_gadget_ep0-fix-unhandled-endpoint-0-irqs-again.patch @@ -0,0 +1,36 @@ +From 196f1b7a387546f425df2f1fad26772e3d513aea Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov +Date: Mon, 16 Nov 2009 16:24:05 +0530 +Subject: USB: musb_gadget_ep0: fix unhandled endpoint 0 IRQs, again + +From: Sergei Shtylyov + +commit 196f1b7a387546f425df2f1fad26772e3d513aea upstream. + +Commit a5073b52833e4df8e16c93dc4cbb7e0c558c74a2 (musb_gadget: fix +unhandled endpoint 0 IRQs) somehow missed its key change: + +"The gadget EP0 code routinely ignores an interrupt at end of +the data phase because of musb_g_ep0_giveback() resetting the +state machine to "idle, waiting for SETUP" phase prematurely." + +So, the majority of the cases of unhandled IRQs is still unfixed... + +Signed-off-by: Sergei Shtylyov +Signed-off-by: Anand Gadiyar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/musb/musb_gadget_ep0.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/musb/musb_gadget_ep0.c ++++ b/drivers/usb/musb/musb_gadget_ep0.c +@@ -199,7 +199,6 @@ service_in_request(struct musb *musb, co + static void musb_g_ep0_giveback(struct musb *musb, struct usb_request *req) + { + musb_g_giveback(&musb->endpoints[0].ep_in, req, 0); +- musb->ep0_state = MUSB_EP0_STAGE_SETUP; + } + + /* diff --git a/queue-2.6.32/usb-option.c-add-support-for-d-link-dwm-162-u5.patch b/queue-2.6.32/usb-option.c-add-support-for-d-link-dwm-162-u5.patch new file mode 100644 index 00000000000..88033eafa54 --- /dev/null +++ b/queue-2.6.32/usb-option.c-add-support-for-d-link-dwm-162-u5.patch @@ -0,0 +1,37 @@ +From 54a8e144acad6506920f385f4ef2779664f05b21 Mon Sep 17 00:00:00 2001 +From: Zhang Le +Date: Tue, 17 Nov 2009 14:53:42 -0800 +Subject: USB: option.c: add support for D-Link DWM-162-U5 + +From: Zhang Le + +commit 54a8e144acad6506920f385f4ef2779664f05b21 upstream. + +Add D-Link DWM-162-U5 device id 1e0e:ce16 into option driver. The device +has 4 interfaces, of which 1 is handled by storage and the other 3 by +option driver. + +The device appears first as CD-only 05c6:2100 device and must be switched +to 1e0e:ce16 mode either by using "eject CD" or usb_modeswitch. + +The MessageContent for usb_modeswitch.conf is: +"55534243e0c26a85000000000000061b000000020000000000000000000000" + +Signed-off-by: Zhang Le +Signed-off-by: Andrew Morton +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/serial/option.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/option.c ++++ b/drivers/usb/serial/option.c +@@ -635,6 +635,7 @@ static struct usb_device_id option_ids[] + { USB_DEVICE(TOSHIBA_VENDOR_ID, TOSHIBA_PRODUCT_G450) }, + { USB_DEVICE(TOSHIBA_VENDOR_ID, TOSHIBA_PRODUCT_HSDPA_MINICARD ) }, /* Toshiba 3G HSDPA == Novatel Expedite EU870D MiniCard */ + { USB_DEVICE(ALINK_VENDOR_ID, 0x9000) }, ++ { USB_DEVICE(ALINK_VENDOR_ID, 0xce16) }, + { USB_DEVICE_AND_INTERFACE_INFO(ALINK_VENDOR_ID, ALINK_PRODUCT_3GU, 0xff, 0xff, 0xff) }, + { USB_DEVICE(ALCATEL_VENDOR_ID, ALCATEL_PRODUCT_X060S) }, + { USB_DEVICE(AIRPLUS_VENDOR_ID, AIRPLUS_PRODUCT_MCD650) }, diff --git a/queue-2.6.32/usb-usb-storage-add-bad_sense-flag.patch b/queue-2.6.32/usb-usb-storage-add-bad_sense-flag.patch new file mode 100644 index 00000000000..155b2882abd --- /dev/null +++ b/queue-2.6.32/usb-usb-storage-add-bad_sense-flag.patch @@ -0,0 +1,139 @@ +From a0bb108112a872c0b0c4b3ef4974f95fb75b155d Mon Sep 17 00:00:00 2001 +From: Alan Stern +Date: Mon, 7 Dec 2009 16:39:16 -0500 +Subject: USB: usb-storage: add BAD_SENSE flag + +From: Alan Stern + +commit a0bb108112a872c0b0c4b3ef4974f95fb75b155d upstream. + +This patch (as1311) fixes a problem in usb-storage: Some devices are +pretty broken when it comes to reporting sense data. The information +they send back indicates that they have more than 18 bytes of sense +data available, but when the system asks for more than 18 they fail or +hang. The symptom is that probing fails with multiple resets. + +The patch adds a new BAD_SENSE flag to indicate that usb-storage +should never ask for more than 18 bytes of sense data. The flag can +be set in an unusual_devs entry or via the "quirks=" module parameter, +and it is set automatically whenever a REQUEST SENSE command for more +than 18 bytes fails or times out. + +An unusual_devs entry is added for the Agfa photo frame, which uses a +Prolific chip having this bug. + +Signed-off-by: Alan Stern +Tested-by: Daniel Kukula +Signed-off-by: Greg Kroah-Hartman + +--- a/Documentation/kernel-parameters.txt ++++ b/Documentation/kernel-parameters.txt +@@ -2663,6 +2663,8 @@ and is between 256 and 4096 characters. It is defined in the file + to a common usb-storage quirk flag as follows: + a = SANE_SENSE (collect more than 18 bytes + of sense data); ++ b = BAD_SENSE (don't collect more than 18 ++ bytes of sense data); + c = FIX_CAPACITY (decrease the reported + device capacity by one sector); + h = CAPACITY_HEURISTICS (decrease the +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c +index 589f6b4..cc313d1 100644 +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -666,10 +666,11 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us) + * to wait for at least one CHECK_CONDITION to determine + * SANE_SENSE support + */ +- if ((srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12) && ++ if (unlikely((srb->cmnd[0] == ATA_16 || srb->cmnd[0] == ATA_12) && + result == USB_STOR_TRANSPORT_GOOD && + !(us->fflags & US_FL_SANE_SENSE) && +- !(srb->cmnd[2] & 0x20)) { ++ !(us->fflags & US_FL_BAD_SENSE) && ++ !(srb->cmnd[2] & 0x20))) { + US_DEBUGP("-- SAT supported, increasing auto-sense\n"); + us->fflags |= US_FL_SANE_SENSE; + } +@@ -718,6 +719,12 @@ Retry_Sense: + if (test_bit(US_FLIDX_TIMED_OUT, &us->dflags)) { + US_DEBUGP("-- auto-sense aborted\n"); + srb->result = DID_ABORT << 16; ++ ++ /* If SANE_SENSE caused this problem, disable it */ ++ if (sense_size != US_SENSE_SIZE) { ++ us->fflags &= ~US_FL_SANE_SENSE; ++ us->fflags |= US_FL_BAD_SENSE; ++ } + goto Handle_Errors; + } + +@@ -727,10 +734,11 @@ Retry_Sense: + * (small) sense request. This fixes some USB GSM modems + */ + if (temp_result == USB_STOR_TRANSPORT_FAILED && +- (us->fflags & US_FL_SANE_SENSE) && +- sense_size != US_SENSE_SIZE) { ++ sense_size != US_SENSE_SIZE) { + US_DEBUGP("-- auto-sense failure, retry small sense\n"); + sense_size = US_SENSE_SIZE; ++ us->fflags &= ~US_FL_SANE_SENSE; ++ us->fflags |= US_FL_BAD_SENSE; + goto Retry_Sense; + } + +@@ -754,6 +762,7 @@ Retry_Sense: + */ + if (srb->sense_buffer[7] > (US_SENSE_SIZE - 8) && + !(us->fflags & US_FL_SANE_SENSE) && ++ !(us->fflags & US_FL_BAD_SENSE) && + (srb->sense_buffer[0] & 0x7C) == 0x70) { + US_DEBUGP("-- SANE_SENSE support enabled\n"); + us->fflags |= US_FL_SANE_SENSE; +diff --git a/drivers/usb/storage/unusual_devs.h b/drivers/usb/storage/unusual_devs.h +index d4f034e..64a0a2c 100644 +--- a/drivers/usb/storage/unusual_devs.h ++++ b/drivers/usb/storage/unusual_devs.h +@@ -818,6 +818,13 @@ UNUSUAL_DEV( 0x066f, 0x8000, 0x0001, 0x0001, + US_SC_DEVICE, US_PR_DEVICE, NULL, + US_FL_FIX_CAPACITY ), + ++/* Reported by Daniel Kukula */ ++UNUSUAL_DEV( 0x067b, 0x1063, 0x0100, 0x0100, ++ "Prolific Technology, Inc.", ++ "Prolific Storage Gadget", ++ US_SC_DEVICE, US_PR_DEVICE, NULL, ++ US_FL_BAD_SENSE ), ++ + /* Reported by Rogerio Brito */ + UNUSUAL_DEV( 0x067b, 0x2317, 0x0001, 0x001, + "Prolific Technology, Inc.", +diff --git a/drivers/usb/storage/usb.c b/drivers/usb/storage/usb.c +index 1599d86..f5c0264 100644 +--- a/drivers/usb/storage/usb.c ++++ b/drivers/usb/storage/usb.c +@@ -463,6 +463,9 @@ static void adjust_quirks(struct us_data *us) + case 'a': + f |= US_FL_SANE_SENSE; + break; ++ case 'b': ++ f |= US_FL_BAD_SENSE; ++ break; + case 'c': + f |= US_FL_FIX_CAPACITY; + break; +diff --git a/include/linux/usb_usual.h b/include/linux/usb_usual.h +index 3d15fb9..a4b947e 100644 +--- a/include/linux/usb_usual.h ++++ b/include/linux/usb_usual.h +@@ -56,7 +56,9 @@ + US_FLAG(SANE_SENSE, 0x00008000) \ + /* Sane Sense (> 18 bytes) */ \ + US_FLAG(CAPACITY_OK, 0x00010000) \ +- /* READ CAPACITY response is correct */ ++ /* READ CAPACITY response is correct */ \ ++ US_FLAG(BAD_SENSE, 0x00020000) \ ++ /* Bad Sense (never more than 18 bytes) */ + + #define US_FLAG(name, value) US_FL_##name = value , + enum { US_DO_ALL_FLAGS }; diff --git a/queue-2.6.32/usb-usbtmc-repeat-usb_bulk_msg-until-whole-message-is-transfered.patch b/queue-2.6.32/usb-usbtmc-repeat-usb_bulk_msg-until-whole-message-is-transfered.patch new file mode 100644 index 00000000000..b4b47092b3f --- /dev/null +++ b/queue-2.6.32/usb-usbtmc-repeat-usb_bulk_msg-until-whole-message-is-transfered.patch @@ -0,0 +1,48 @@ +From ec412b92dbe3ea839716853eea058d1bcc5e6ca4 Mon Sep 17 00:00:00 2001 +From: Andre Herms +Date: Thu, 19 Nov 2009 18:14:49 +0100 +Subject: USB: usbtmc: repeat usb_bulk_msg until whole message is transfered + +From: Andre Herms + +commit ec412b92dbe3ea839716853eea058d1bcc5e6ca4 upstream. + +usb_bulk_msg() transfers only bytes up to the maximum packet size. +It must be repeated by the usbtmc driver until all bytes of a TMC message +are transfered. + +Without this patch, ETIMEDOUT is reported when writing TMC messages +larger than the maximum USB bulk size and the transfer remains incomplete. +The user will notice that the device hangs and must be reset by either closing +the application or pulling the plug. + +Signed-off-by: Andre Herms +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/usb/class/usbtmc.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/drivers/usb/class/usbtmc.c ++++ b/drivers/usb/class/usbtmc.c +@@ -562,10 +562,16 @@ static ssize_t usbtmc_write(struct file + n_bytes = roundup(12 + this_part, 4); + memset(buffer + 12 + this_part, 0, n_bytes - (12 + this_part)); + +- retval = usb_bulk_msg(data->usb_dev, +- usb_sndbulkpipe(data->usb_dev, +- data->bulk_out), +- buffer, n_bytes, &actual, USBTMC_TIMEOUT); ++ do { ++ retval = usb_bulk_msg(data->usb_dev, ++ usb_sndbulkpipe(data->usb_dev, ++ data->bulk_out), ++ buffer, n_bytes, ++ &actual, USBTMC_TIMEOUT); ++ if (retval != 0) ++ break; ++ n_bytes -= actual; ++ } while (n_bytes); + + data->bTag_last_write = data->bTag; + data->bTag++; diff --git a/queue-2.6.32/usb-xhci-add-correct-email-and-files-to-maintainers-entry.patch b/queue-2.6.32/usb-xhci-add-correct-email-and-files-to-maintainers-entry.patch new file mode 100644 index 00000000000..e8f0140cc1d --- /dev/null +++ b/queue-2.6.32/usb-xhci-add-correct-email-and-files-to-maintainers-entry.patch @@ -0,0 +1,35 @@ +From 36d0344c254a7b333272757f858c403ea3a2d29f Mon Sep 17 00:00:00 2001 +From: Sarah Sharp +Date: Tue, 1 Dec 2009 10:37:07 -0800 +Subject: USB: xhci: Add correct email and files to MAINTAINERS entry. + +From: Sarah Sharp + +commit 36d0344c254a7b333272757f858c403ea3a2d29f upstream. + +Add the xHCI driver files to its MAINTAINERS entry so that I'm Cc'd on +cleanup patches. Update the email address to one I actually use for +sending patches and responding to Linux mailing list emails. + +Signed-off-by: Sarah Sharp +Signed-off-by: Greg Kroah-Hartman + +--- + MAINTAINERS | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/MAINTAINERS ++++ b/MAINTAINERS +@@ -5594,9 +5594,11 @@ S: Maintained + F: drivers/net/wireless/rndis_wlan.c + + USB XHCI DRIVER +-M: Sarah Sharp ++M: Sarah Sharp + L: linux-usb@vger.kernel.org + S: Supported ++F: drivers/usb/host/xhci* ++F: drivers/usb/host/pci-quirks* + + USB ZC0301 DRIVER + M: Luca Risolia diff --git a/queue-2.6.32/v4l-dvb-fix-test-in-copy_reg_bits.patch b/queue-2.6.32/v4l-dvb-fix-test-in-copy_reg_bits.patch new file mode 100644 index 00000000000..586f6779801 --- /dev/null +++ b/queue-2.6.32/v4l-dvb-fix-test-in-copy_reg_bits.patch @@ -0,0 +1,32 @@ +From c95a419a5604ec8a23cd73f61e9bb151e8cbe89b Mon Sep 17 00:00:00 2001 +From: Roel Kluin +Date: Fri, 20 Nov 2009 15:34:13 -0300 +Subject: V4L/DVB: Fix test in copy_reg_bits() + +From: Roel Kluin + +commit c95a419a5604ec8a23cd73f61e9bb151e8cbe89b upstream. + +The reg_pair2[j].reg was tested twice. + +Signed-off-by: Roel Kluin +Acked-by: Michael Krufky +Signed-off-by: Andrew Morton +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/common/tuners/mxl5007t.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/common/tuners/mxl5007t.c ++++ b/drivers/media/common/tuners/mxl5007t.c +@@ -196,7 +196,7 @@ static void copy_reg_bits(struct reg_pai + i = j = 0; + + while (reg_pair1[i].reg || reg_pair1[i].val) { +- while (reg_pair2[j].reg || reg_pair2[j].reg) { ++ while (reg_pair2[j].reg || reg_pair2[j].val) { + if (reg_pair1[i].reg != reg_pair2[j].reg) { + j++; + continue; diff --git a/queue-2.6.32/x86-add-new-intel-cpu-cache-size-descriptors.patch b/queue-2.6.32/x86-add-new-intel-cpu-cache-size-descriptors.patch new file mode 100644 index 00000000000..dc748699736 --- /dev/null +++ b/queue-2.6.32/x86-add-new-intel-cpu-cache-size-descriptors.patch @@ -0,0 +1,34 @@ +From 85160b92fbd35321104819283c91bfed2b553e3c Mon Sep 17 00:00:00 2001 +From: Dave Jones +Date: Tue, 10 Nov 2009 13:49:24 -0500 +Subject: x86: Add new Intel CPU cache size descriptors + +From: Dave Jones + +commit 85160b92fbd35321104819283c91bfed2b553e3c upstream. + +The latest rev of Intel doc AP-485 details new cache descriptors +that we don't yet support. 12MB, 18MB and 24MB 24-way assoc L3 +caches. + +Signed-off-by: Dave Jones +LKML-Reference: <20091110184924.GA20337@redhat.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel_cacheinfo.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -102,6 +102,9 @@ static const struct _cache_table __cpuin + { 0xe2, LVL_3, 2048 }, /* 16-way set assoc, 64 byte line size */ + { 0xe3, LVL_3, 4096 }, /* 16-way set assoc, 64 byte line size */ + { 0xe4, LVL_3, 8192 }, /* 16-way set assoc, 64 byte line size */ ++ { 0xea, LVL_3, 12288 }, /* 24-way set assoc, 64 byte line size */ ++ { 0xeb, LVL_3, 18432 }, /* 24-way set assoc, 64 byte line size */ ++ { 0xec, LVL_3, 24576 }, /* 24-way set assoc, 64 byte line size */ + { 0x00, 0, 0} + }; + diff --git a/queue-2.6.32/x86-amd-iommu-attach-devices-to-pre-allocated-domains-early.patch b/queue-2.6.32/x86-amd-iommu-attach-devices-to-pre-allocated-domains-early.patch new file mode 100644 index 00000000000..28bc2316498 --- /dev/null +++ b/queue-2.6.32/x86-amd-iommu-attach-devices-to-pre-allocated-domains-early.patch @@ -0,0 +1,51 @@ +From be831297716036de5b24308447ecb69f1706a846 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 23 Nov 2009 12:50:00 +0100 +Subject: x86/amd-iommu: attach devices to pre-allocated domains early + +From: Joerg Roedel + +commit be831297716036de5b24308447ecb69f1706a846 upstream. + +For some devices the ACPI table may define unity map +requirements which must me met when the IOMMU is enabled. So +we need to attach devices to their domains as early as +possible so that these mappings are in place when needed. +This patch assigns the domains right after they are +allocated. Otherwise this can result in I/O page faults +before a driver binds to a device and BIOS is still using +it. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/amd_iommu.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/amd_iommu.c ++++ b/arch/x86/kernel/amd_iommu.c +@@ -2047,10 +2047,10 @@ static void prealloc_protection_domains( + struct pci_dev *dev = NULL; + struct dma_ops_domain *dma_dom; + struct amd_iommu *iommu; +- u16 devid; ++ u16 devid, __devid; + + while ((dev = pci_get_device(PCI_ANY_ID, PCI_ANY_ID, dev)) != NULL) { +- devid = calc_devid(dev->bus->number, dev->devfn); ++ __devid = devid = calc_devid(dev->bus->number, dev->devfn); + if (devid > amd_iommu_last_bdf) + continue; + devid = amd_iommu_alias_table[devid]; +@@ -2065,6 +2065,10 @@ static void prealloc_protection_domains( + init_unity_mappings_for_device(dma_dom, devid); + dma_dom->target_dev = devid; + ++ attach_device(iommu, &dma_dom->domain, devid); ++ if (__devid != devid) ++ attach_device(iommu, &dma_dom->domain, __devid); ++ + list_add_tail(&dma_dom->list, &iommu_pd_list); + } + } diff --git a/queue-2.6.32/x86-amd-iommu-un__init-iommu_setup_msi.patch b/queue-2.6.32/x86-amd-iommu-un__init-iommu_setup_msi.patch new file mode 100644 index 00000000000..0d75a911bd4 --- /dev/null +++ b/queue-2.6.32/x86-amd-iommu-un__init-iommu_setup_msi.patch @@ -0,0 +1,30 @@ +From 9f800de38b05d84809e89f16671d636a140eede7 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 23 Nov 2009 12:45:25 +0100 +Subject: x86/amd-iommu: un__init iommu_setup_msi + +From: Joerg Roedel + +commit 9f800de38b05d84809e89f16671d636a140eede7 upstream. + +This function may be called on the resume path and can not +be dropped after booting. + +Signed-off-by: Joerg Roedel +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/amd_iommu_init.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/amd_iommu_init.c ++++ b/arch/x86/kernel/amd_iommu_init.c +@@ -925,7 +925,7 @@ static int __init init_iommu_all(struct + * + ****************************************************************************/ + +-static int __init iommu_setup_msi(struct amd_iommu *iommu) ++static int iommu_setup_msi(struct amd_iommu *iommu) + { + int r; + diff --git a/queue-2.6.32/x86-apic-enable-lapic-nmi-watchdog-on-amd-family-11h.patch b/queue-2.6.32/x86-apic-enable-lapic-nmi-watchdog-on-amd-family-11h.patch new file mode 100644 index 00000000000..8bb62213ad3 --- /dev/null +++ b/queue-2.6.32/x86-apic-enable-lapic-nmi-watchdog-on-amd-family-11h.patch @@ -0,0 +1,47 @@ +From 7d1849aff6687a135a8da3a75e32a00e3137a5e2 Mon Sep 17 00:00:00 2001 +From: Mikael Pettersson +Date: Thu, 3 Dec 2009 15:52:44 +0100 +Subject: x86, apic: Enable lapic nmi watchdog on AMD Family 11h + +From: Mikael Pettersson + +commit 7d1849aff6687a135a8da3a75e32a00e3137a5e2 upstream. + +The x86 lapic nmi watchdog does not recognize AMD Family 11h, +resulting in: + + NMI watchdog: CPU not supported + +As far as I can see from available documentation (the BKDM), +family 11h looks identical to family 10h as far as the PMU +is concerned. + +Extending the check to accept family 11h results in: + + Testing NMI watchdog ... OK. + +I've been running with this change on a Turion X2 Ultra ZM-82 +laptop for a couple of weeks now without problems. + +Signed-off-by: Mikael Pettersson +Cc: Andreas Herrmann +Cc: Joerg Roedel +LKML-Reference: <19223.53436.931768.278021@pilspetsen.it.uu.se> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perfctr-watchdog.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perfctr-watchdog.c ++++ b/arch/x86/kernel/cpu/perfctr-watchdog.c +@@ -712,7 +712,7 @@ static void probe_nmi_watchdog(void) + switch (boot_cpu_data.x86_vendor) { + case X86_VENDOR_AMD: + if (boot_cpu_data.x86 != 6 && boot_cpu_data.x86 != 15 && +- boot_cpu_data.x86 != 16) ++ boot_cpu_data.x86 != 16 && boot_cpu_data.x86 != 17) + return; + wd_ops = &k7_wd_ops; + break; diff --git a/queue-2.6.32/x86-asus-p4s800-reboot-bios-quirk.patch b/queue-2.6.32/x86-asus-p4s800-reboot-bios-quirk.patch new file mode 100644 index 00000000000..1e80fca636c --- /dev/null +++ b/queue-2.6.32/x86-asus-p4s800-reboot-bios-quirk.patch @@ -0,0 +1,63 @@ +From 4832ddda2ec4df96ea1eed334ae2dbd65fc1f541 Mon Sep 17 00:00:00 2001 +From: Leann Ogasawara +Date: Fri, 4 Dec 2009 15:42:22 -0800 +Subject: x86: ASUS P4S800 reboot=bios quirk + +From: Leann Ogasawara + +commit 4832ddda2ec4df96ea1eed334ae2dbd65fc1f541 upstream. + +Bug reporter noted their system with an ASUS P4S800 motherboard would +hang when rebooting unless reboot=b was specified. Their dmidecode +didn't contain descriptive System Information for Manufacturer or +Product Name, so I used their Base Board Information to create a +reboot quirk patch. The bug reporter confirmed this patch resolves +the reboot hang. + +Handle 0x0001, DMI type 1, 25 bytes +System Information + Manufacturer: System Manufacturer + Product Name: System Name + Version: System Version + Serial Number: SYS-1234567890 + UUID: E0BFCD8B-7948-D911-A953-E486B4EEB67F + Wake-up Type: Power Switch + +Handle 0x0002, DMI type 2, 8 bytes +Base Board Information + Manufacturer: ASUSTeK Computer INC. + Product Name: P4S800 + Version: REV 1.xx + Serial Number: xxxxxxxxxxx + +BugLink: http://bugs.launchpad.net/bugs/366682 + +ASUS P4S800 will hang when rebooting unless reboot=b is specified. +Add a quirk to reboot through the bios. + +Signed-off-by: Leann Ogasawara +LKML-Reference: <1259972107.4629.275.camel@emiko> +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/reboot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -259,6 +259,14 @@ static struct dmi_system_id __initdata r + DMI_MATCH(DMI_PRODUCT_NAME, "SBC-FITPC2"), + }, + }, ++ { /* Handle problems with rebooting on ASUS P4S800 */ ++ .callback = set_bios_reboot, ++ .ident = "ASUS P4S800", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "P4S800"), ++ }, ++ }, + { } + }; + diff --git a/queue-2.6.32/x86-calgary-iommu-quirk-find-nearest-matching-calgary-while-walking-up-the-pci-tree.patch b/queue-2.6.32/x86-calgary-iommu-quirk-find-nearest-matching-calgary-while-walking-up-the-pci-tree.patch new file mode 100644 index 00000000000..56628970153 --- /dev/null +++ b/queue-2.6.32/x86-calgary-iommu-quirk-find-nearest-matching-calgary-while-walking-up-the-pci-tree.patch @@ -0,0 +1,83 @@ +From 4528752f49c1f4025473d12bc5fa9181085c3f22 Mon Sep 17 00:00:00 2001 +From: Darrick J. Wong +Date: Wed, 2 Dec 2009 15:05:56 -0800 +Subject: x86, Calgary IOMMU quirk: Find nearest matching Calgary while walking up the PCI tree + +From: Darrick J. Wong + +commit 4528752f49c1f4025473d12bc5fa9181085c3f22 upstream. + +On a multi-node x3950M2 system, there's a slight oddity in the +PCI device tree for all secondary nodes: + + 30:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1) + \-33:00.0 PCI bridge: IBM CalIOC2 PCI-E Root Port (rev 01) + \-34:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 1078 (rev 04) + +...as compared to the primary node: + + 00:1e.0 PCI bridge: Intel Corporation 82801 PCI Bridge (rev e1) + \-01:00.0 VGA compatible controller: ATI Technologies Inc ES1000 (rev 02) + 03:00.0 PCI bridge: IBM CalIOC2 PCI-E Root Port (rev 01) + \-04:00.0 RAID bus controller: LSI Logic / Symbios Logic MegaRAID SAS 1078 (rev 04) + +In both nodes, the LSI RAID controller hangs off a CalIOC2 +device, but on the secondary nodes, the BIOS hides the VGA +device and substitutes the device tree ending with the disk +controller. + +It would seem that Calgary devices don't necessarily appear at +the top of the PCI tree, which means that the current code to +find the Calgary IOMMU that goes with a particular device is +buggy. + +Rather than walk all the way to the top of the PCI +device tree and try to match bus number with Calgary descriptor, +the code needs to examine each parent of the particular device; +if it encounters a Calgary with a matching bus number, simply +use that. + +Otherwise, we BUG() when the bus number of the Calgary doesn't +match the bus number of whatever's at the top of the device tree. + +Extra note: This patch appears to work correctly for the x3950 +that came before the x3950 M2. + +Signed-off-by: Darrick J. Wong +Acked-by: Muli Ben-Yehuda +Cc: FUJITA Tomonori +Cc: Joerg Roedel +Cc: Yinghai Lu +Cc: Jon D. Mason +Cc: Corinna Schultz +LKML-Reference: <20091202230556.GG10295@tux1.beaverton.ibm.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pci-calgary_64.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +--- a/arch/x86/kernel/pci-calgary_64.c ++++ b/arch/x86/kernel/pci-calgary_64.c +@@ -318,13 +318,15 @@ static inline struct iommu_table *find_i + + pdev = to_pci_dev(dev); + ++ /* search up the device tree for an iommu */ + pbus = pdev->bus; +- +- /* is the device behind a bridge? Look for the root bus */ +- while (pbus->parent) ++ do { ++ tbl = pci_iommu(pbus); ++ if (tbl && tbl->it_busno == pbus->number) ++ break; ++ tbl = NULL; + pbus = pbus->parent; +- +- tbl = pci_iommu(pbus); ++ } while (pbus); + + BUG_ON(tbl && (tbl->it_busno != pbus->number)); + diff --git a/queue-2.6.32/x86-fix-duplicated-uv-bau-interrupt-vector.patch b/queue-2.6.32/x86-fix-duplicated-uv-bau-interrupt-vector.patch new file mode 100644 index 00000000000..fafba3c7c1e --- /dev/null +++ b/queue-2.6.32/x86-fix-duplicated-uv-bau-interrupt-vector.patch @@ -0,0 +1,36 @@ +From 1d865fb728bd6bbcdfbd6ec1e2b8ade3b4805641 Mon Sep 17 00:00:00 2001 +From: Cliff Wickman +Date: Fri, 11 Dec 2009 11:36:18 -0600 +Subject: x86: Fix duplicated UV BAU interrupt vector + +From: Cliff Wickman + +commit 1d865fb728bd6bbcdfbd6ec1e2b8ade3b4805641 upstream. + +Interrupt vector 0xec has been doubly defined in irq_vectors.h + +It seems arbitrary whether LOCAL_PENDING_VECTOR or +UV_BAU_MESSAGE is the higher number. As long as they are +unique. If they are not unique we'll hit a BUG in +alloc_system_vector(). + +Signed-off-by: Cliff Wickman +LKML-Reference: +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/irq_vectors.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/include/asm/irq_vectors.h ++++ b/arch/x86/include/asm/irq_vectors.h +@@ -113,7 +113,7 @@ + */ + #define LOCAL_PENDING_VECTOR 0xec + +-#define UV_BAU_MESSAGE 0xec ++#define UV_BAU_MESSAGE 0xea + + /* + * Self IPI vector for machine checks diff --git a/queue-2.6.32/x86-fix-iommu-nodac-parameter-handling.patch b/queue-2.6.32/x86-fix-iommu-nodac-parameter-handling.patch new file mode 100644 index 00000000000..964acc9d7b5 --- /dev/null +++ b/queue-2.6.32/x86-fix-iommu-nodac-parameter-handling.patch @@ -0,0 +1,33 @@ +From 2ae8bb75db1f3de422eb5898f2a063c46c36dba8 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Mon, 26 Oct 2009 15:41:46 +0100 +Subject: x86: Fix iommu=nodac parameter handling + +From: Tejun Heo + +commit 2ae8bb75db1f3de422eb5898f2a063c46c36dba8 upstream. + +iommu=nodac should forbid dac instead of enabling it. Fix it. + +Signed-off-by: Tejun Heo +Acked-by: FUJITA Tomonori +Cc: Matteo Frigo +LKML-Reference: <4AE5B52A.4050408@kernel.org> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pci-dma.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/pci-dma.c ++++ b/arch/x86/kernel/pci-dma.c +@@ -214,7 +214,7 @@ static __init int iommu_setup(char *p) + if (!strncmp(p, "allowdac", 8)) + forbid_dac = 0; + if (!strncmp(p, "nodac", 5)) +- forbid_dac = -1; ++ forbid_dac = 1; + if (!strncmp(p, "usedac", 6)) { + forbid_dac = -1; + return 1; diff --git a/queue-2.6.32/x86-fix-typo-in-intel-cpu-cache-size-descriptor.patch b/queue-2.6.32/x86-fix-typo-in-intel-cpu-cache-size-descriptor.patch new file mode 100644 index 00000000000..e8331f6bc1f --- /dev/null +++ b/queue-2.6.32/x86-fix-typo-in-intel-cpu-cache-size-descriptor.patch @@ -0,0 +1,34 @@ +From e02e0e1a130b9ca37c5186d38ad4b3aaf58bb149 Mon Sep 17 00:00:00 2001 +From: Dave Jones +Date: Tue, 10 Nov 2009 15:01:20 -0500 +Subject: x86: Fix typo in Intel CPU cache size descriptor + +From: Dave Jones + +commit e02e0e1a130b9ca37c5186d38ad4b3aaf58bb149 upstream. + +I double-checked the datasheet. One of the existing +descriptors has a typo: it should be 2MB not 2038 KB. + +Signed-off-by: Dave Jones +Cc: # .3x.x: 85160b9: x86: Add new Intel CPU cache size descriptors +Cc: # .3x.x +LKML-Reference: <20091110200120.GA27090@redhat.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel_cacheinfo.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/intel_cacheinfo.c ++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c +@@ -94,7 +94,7 @@ static const struct _cache_table __cpuin + { 0xd1, LVL_3, 1024 }, /* 4-way set assoc, 64 byte line size */ + { 0xd2, LVL_3, 2048 }, /* 4-way set assoc, 64 byte line size */ + { 0xd6, LVL_3, 1024 }, /* 8-way set assoc, 64 byte line size */ +- { 0xd7, LVL_3, 2038 }, /* 8-way set assoc, 64 byte line size */ ++ { 0xd7, LVL_3, 2048 }, /* 8-way set assoc, 64 byte line size */ + { 0xd8, LVL_3, 4096 }, /* 12-way set assoc, 64 byte line size */ + { 0xdc, LVL_3, 2048 }, /* 12-way set assoc, 64 byte line size */ + { 0xdd, LVL_3, 4096 }, /* 12-way set assoc, 64 byte line size */ diff --git a/queue-2.6.32/x86-gart-pci-gart_64.c-use-correct-length-in-strncmp.patch b/queue-2.6.32/x86-gart-pci-gart_64.c-use-correct-length-in-strncmp.patch new file mode 100644 index 00000000000..6dd29d3baa6 --- /dev/null +++ b/queue-2.6.32/x86-gart-pci-gart_64.c-use-correct-length-in-strncmp.patch @@ -0,0 +1,29 @@ +From 41855b77547fa18d90ed6a5d322983d3fdab1959 Mon Sep 17 00:00:00 2001 +From: Joe Perches +Date: Mon, 9 Nov 2009 17:58:50 -0800 +Subject: x86: GART: pci-gart_64.c: Use correct length in strncmp + +From: Joe Perches + +commit 41855b77547fa18d90ed6a5d322983d3fdab1959 upstream. + +Signed-off-by: Joe Perches +LKML-Reference: <1257818330.12852.72.camel@Joe-Laptop.home> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/pci-gart_64.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/pci-gart_64.c ++++ b/arch/x86/kernel/pci-gart_64.c +@@ -856,7 +856,7 @@ void __init gart_parse_options(char *p) + #endif + if (isdigit(*p) && get_option(&p, &arg)) + iommu_size = arg; +- if (!strncmp(p, "fullflush", 8)) ++ if (!strncmp(p, "fullflush", 9)) + iommu_fullflush = 1; + if (!strncmp(p, "nofullflush", 11)) + iommu_fullflush = 0; diff --git a/queue-2.6.32/x86-mce-don-t-restart-timer-if-disabled.patch b/queue-2.6.32/x86-mce-don-t-restart-timer-if-disabled.patch new file mode 100644 index 00000000000..ff025e74e38 --- /dev/null +++ b/queue-2.6.32/x86-mce-don-t-restart-timer-if-disabled.patch @@ -0,0 +1,39 @@ +From fe5ed91ddce85a0ed0e4f92c10b099873ef62167 Mon Sep 17 00:00:00 2001 +From: Hidetoshi Seto +Date: Thu, 3 Dec 2009 11:33:08 +0900 +Subject: x86, mce: don't restart timer if disabled + +From: Hidetoshi Seto + +commit fe5ed91ddce85a0ed0e4f92c10b099873ef62167 upstream. + +Even it is in error path unlikely taken, add_timer_on() at +CPU_DOWN_FAILED* needs to be skipped if mce_timer is disabled. + +Signed-off-by: Hidetoshi Seto +Cc: Andi Kleen +Cc: Huang Ying +Cc: Jan Beulich +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -1991,9 +1991,11 @@ mce_cpu_callback(struct notifier_block * + break; + case CPU_DOWN_FAILED: + case CPU_DOWN_FAILED_FROZEN: +- t->expires = round_jiffies(jiffies + ++ if (!mce_ignore_ce && check_interval) { ++ t->expires = round_jiffies(jiffies + + __get_cpu_var(mce_next_interval)); +- add_timer_on(t, cpu); ++ add_timer_on(t, cpu); ++ } + smp_call_function_single(cpu, mce_reenable_cpu, &action, 1); + break; + case CPU_POST_DEAD: diff --git a/queue-2.6.32/x86-mce-set-up-timer-unconditionally.patch b/queue-2.6.32/x86-mce-set-up-timer-unconditionally.patch new file mode 100644 index 00000000000..f75efa35b54 --- /dev/null +++ b/queue-2.6.32/x86-mce-set-up-timer-unconditionally.patch @@ -0,0 +1,43 @@ +From bc09effabf0c5c6c7021e5ef9af15a23579b32a8 Mon Sep 17 00:00:00 2001 +From: Jan Beulich +Date: Tue, 8 Dec 2009 11:21:37 +0900 +Subject: x86/mce: Set up timer unconditionally + +From: Jan Beulich + +commit bc09effabf0c5c6c7021e5ef9af15a23579b32a8 upstream. + +mce_timer must be passed to setup_timer() in all cases, no +matter whether it is going to be actually used. Otherwise, when +the CPU gets brought down, its call to del_timer_sync() will +never return, as the timer won't have a base associated, and +hence lock_timer_base() will loop infinitely. + +Signed-off-by: Jan Beulich +Signed-off-by: Hidetoshi Seto +LKML-Reference: <4B1DB831.2030801@jp.fujitsu.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -1374,13 +1374,14 @@ static void mce_init_timer(void) + struct timer_list *t = &__get_cpu_var(mce_timer); + int *n = &__get_cpu_var(mce_next_interval); + ++ setup_timer(t, mcheck_timer, smp_processor_id()); ++ + if (mce_ignore_ce) + return; + + *n = check_interval * HZ; + if (!*n) + return; +- setup_timer(t, mcheck_timer, smp_processor_id()); + t->expires = round_jiffies(jiffies + *n); + add_timer_on(t, smp_processor_id()); + } diff --git a/queue-2.6.32/x86-prevent-gcc-4.4.x-pentium-mmx-et-al-function-prologue-wreckage.patch b/queue-2.6.32/x86-prevent-gcc-4.4.x-pentium-mmx-et-al-function-prologue-wreckage.patch new file mode 100644 index 00000000000..982eaa0ff1e --- /dev/null +++ b/queue-2.6.32/x86-prevent-gcc-4.4.x-pentium-mmx-et-al-function-prologue-wreckage.patch @@ -0,0 +1,99 @@ +From 746357d6a526d6da9d89a2ec645b28406e959c2e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Fri, 20 Nov 2009 12:01:43 +0100 +Subject: x86: Prevent GCC 4.4.x (pentium-mmx et al) function prologue wreckage + +From: Thomas Gleixner + +commit 746357d6a526d6da9d89a2ec645b28406e959c2e upstream. + +When the kernel is compiled with -pg for tracing GCC 4.4.x inserts +stack alignment of a function _before_ the mcount prologue if the +-march=pentium-mmx is set and -mtune=generic is not set. This breaks +the assumption of the function graph tracer which expects that the +mcount prologue + + push %ebp + mov %esp, %ebp + +is the first stack operation in a function because it needs to modify +the function return address on the stack to trap into the tracer +before returning to the real caller. + +The generated code is: + + push %edi + lea 0x8(%esp),%edi + and $0xfffffff0,%esp + pushl -0x4(%edi) + push %ebp + mov %esp,%ebp + +so the tracer modifies the copy of the return address which is stored +after the stack alignment and therefor does not trap the return which +in turn breaks the call chain logic of the tracer and leads to a +kernel panic. + +Aside of the fact that the generated code is horrible for no good +reason other -march -mtune options generate the expected: + + push %ebp + mov %esp,%ebp + and $0xfffffff0,%esp + +which does the same and keeps everything intact. + +After some experimenting we found out that this problem is restricted +to gcc4.4.x and to the following -march settings: + +i586, pentium, pentium-mmx, k6, k6-2, k6-3, winchip-c6, winchip2, c3, +geode + +By adding -mtune=generic the code generator produces always the +expected code. + +So forcing -mtune=generic when CONFIG_FUNCTION_GRAPH_TRACER=y is not +pretty, but at the moment the only way to prevent that the kernel +trips over gcc-shrooms induced code madness. + +Most distro kernels have CONFIG_X86_GENERIC=y anyway which forces +-mtune=generic as well so it will not impact those. + +References: http://gcc.gnu.org/bugzilla/show_bug.cgi?id=42109 + http://lkml.org/lkml/2009/11/19/17 + +Signed-off-by: Thomas Gleixner +LKML-Reference: +Cc: Linus Torvalds +Cc: Andrew Morton +Cc: Ingo Molnar +Cc: Peter Zijlstra +Cc: H. Peter Anvin +Cc: Steven Rostedt +Cc: Frederic Weisbecker , +Cc: Jeff Law +Cc: gcc@gcc.gnu.org +Cc: David Daney +Cc: Andrew Haley +Cc: Richard Guenther +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/Makefile_32.cpu | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/x86/Makefile_32.cpu ++++ b/arch/x86/Makefile_32.cpu +@@ -46,6 +46,12 @@ cflags-$(CONFIG_MGEODEGX1) += -march=pen + # cpu entries + cflags-$(CONFIG_X86_GENERIC) += $(call tune,generic,$(call tune,i686)) + ++# Work around the pentium-mmx code generator madness of gcc4.4.x which ++# does stack alignment by generating horrible code _before_ the mcount ++# prologue (push %ebp, mov %esp, %ebp) which breaks the function graph ++# tracer assumptions ++cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-mtune=generic) ++ + # Bug fix for binutils: this option is required in order to keep + # binutils from generating NOPL instructions against our will. + ifneq ($(CONFIG_X86_P6_NOP),y) diff --git a/queue-2.6.32/x86-sgi-uv-fix-bau-initialization.patch b/queue-2.6.32/x86-sgi-uv-fix-bau-initialization.patch new file mode 100644 index 00000000000..8458b78a6cc --- /dev/null +++ b/queue-2.6.32/x86-sgi-uv-fix-bau-initialization.patch @@ -0,0 +1,38 @@ +From e38e2af1c57c3eb5211331a5b4fcaae0c4a2a918 Mon Sep 17 00:00:00 2001 +From: Cliff Wickman +Date: Thu, 19 Nov 2009 17:12:43 -0600 +Subject: x86: SGI UV: Fix BAU initialization + +From: Cliff Wickman + +commit e38e2af1c57c3eb5211331a5b4fcaae0c4a2a918 upstream. + +A memory mapped register that affects the SGI UV Broadcast +Assist Unit's interrupt handling may sometimes be unintialized. + +Remove the condition on its initialization, as that condition +can be randomly satisfied by a hardware reset. + +Signed-off-by: Cliff Wickman +LKML-Reference: +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/tlb_uv.c | 4 +--- + 1 file changed, 1 insertion(+), 3 deletions(-) + +--- a/arch/x86/kernel/tlb_uv.c ++++ b/arch/x86/kernel/tlb_uv.c +@@ -817,10 +817,8 @@ static int __init uv_init_blade(int blad + */ + apicid = blade_to_first_apicid(blade); + pa = uv_read_global_mmr64(pnode, UVH_BAU_DATA_CONFIG); +- if ((pa & 0xff) != UV_BAU_MESSAGE) { +- uv_write_global_mmr64(pnode, UVH_BAU_DATA_CONFIG, ++ uv_write_global_mmr64(pnode, UVH_BAU_DATA_CONFIG, + ((apicid << 32) | UV_BAU_MESSAGE)); +- } + return 0; + } + diff --git a/queue-2.6.32/x86-use-maccumulate-outgoing-args-for-sane-mcount-prologues.patch b/queue-2.6.32/x86-use-maccumulate-outgoing-args-for-sane-mcount-prologues.patch new file mode 100644 index 00000000000..a88c182b450 --- /dev/null +++ b/queue-2.6.32/x86-use-maccumulate-outgoing-args-for-sane-mcount-prologues.patch @@ -0,0 +1,40 @@ +From b8b7d791a8ff01d2380089279a69afa99115fb23 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Sat, 28 Nov 2009 15:03:03 +0100 +Subject: x86: Use -maccumulate-outgoing-args for sane mcount prologues + +From: Thomas Gleixner + +commit b8b7d791a8ff01d2380089279a69afa99115fb23 upstream. + +commit 746357d (x86: Prevent GCC 4.4.x (pentium-mmx et al) function +prologue wreckage) uses -mtune=generic to work around the function +prologue problem with mcount on -march=pentium-mmx and others. + +Jakub pointed out that we can use -maccumulate-outgoing-args instead +which is selected by -mtune=generic and prevents the problem without +losing the -march specific optimizations. + +Pointed-out-by: Jakub Jelinek +Signed-off-by: Thomas Gleixner +Cc: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/Makefile_32.cpu | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/arch/x86/Makefile_32.cpu ++++ b/arch/x86/Makefile_32.cpu +@@ -49,8 +49,9 @@ cflags-$(CONFIG_X86_GENERIC) += $(call + # Work around the pentium-mmx code generator madness of gcc4.4.x which + # does stack alignment by generating horrible code _before_ the mcount + # prologue (push %ebp, mov %esp, %ebp) which breaks the function graph +-# tracer assumptions +-cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-mtune=generic) ++# tracer assumptions. For i686, generic, core2 this is set by the ++# compiler anyway ++cflags-$(CONFIG_FUNCTION_GRAPH_TRACER) += $(call cc-option,-maccumulate-outgoing-args) + + # Bug fix for binutils: this option is required in order to keep + # binutils from generating NOPL instructions against our will.