From: Greg Kroah-Hartman Date: Thu, 29 Nov 2012 20:45:40 +0000 (-0800) Subject: 3.0-stable patches X-Git-Tag: v3.6.9~18 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=ce89470a46a175853d873323bc746e09423a8762;p=thirdparty%2Fkernel%2Fstable-queue.git 3.0-stable patches added patches: alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch alsa-ua101-usx2y-fix-broken-midi-output.patch dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch futex-avoid-wake_futex-for-a-pi-futex_q.patch mac80211-deinitialize-ibss-internals-after-emptiness-check.patch mtd-slram-invalid-checking-of-absolute-end-address.patch mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch parisc-fix-user-triggerable-panic-on-parisc.patch parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch radeon-add-agpmode-1-quirk-for-rv250.patch rtlwifi-rtl8192cu-add-new-usb-id.patch scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch x86-32-fix-invalid-stack-address-while-in-softirq.patch x86-microcode-amd-add-support-for-family-16h-processors.patch --- diff --git a/queue-3.0/alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch b/queue-3.0/alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch new file mode 100644 index 00000000000..e0346a16150 --- /dev/null +++ b/queue-3.0/alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch @@ -0,0 +1,32 @@ +From 34c3d1926bdaf45d3a891dd577482abcdd9faa34 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Wed, 21 Nov 2012 10:03:10 +0100 +Subject: ALSA: hda - Cirrus: Correctly clear line_out_pins when moving to speaker + +From: David Henningsson + +commit 34c3d1926bdaf45d3a891dd577482abcdd9faa34 upstream. + +If this array is not cleared, the jack related code later might +fail to create "Internal Speaker Phantom Jack" on Dell Inspiron 3420 and +Dell Vostro 2420. + +BugLink: https://bugs.launchpad.net/bugs/1076840 +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_cirrus.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -413,6 +413,7 @@ static int parse_output(struct hda_codec + memcpy(cfg->speaker_pins, cfg->line_out_pins, + sizeof(cfg->speaker_pins)); + cfg->line_outs = 0; ++ memset(cfg->line_out_pins, 0, sizeof(cfg->line_out_pins)); + } + + return 0; diff --git a/queue-3.0/alsa-ua101-usx2y-fix-broken-midi-output.patch b/queue-3.0/alsa-ua101-usx2y-fix-broken-midi-output.patch new file mode 100644 index 00000000000..0188e5d48a3 --- /dev/null +++ b/queue-3.0/alsa-ua101-usx2y-fix-broken-midi-output.patch @@ -0,0 +1,65 @@ +From e99ddfde6ae0dd2662bb40435696002b590e4057 Mon Sep 17 00:00:00 2001 +From: Clemens Ladisch +Date: Wed, 31 Oct 2012 16:35:30 +0100 +Subject: ALSA: ua101, usx2y: fix broken MIDI output + +From: Clemens Ladisch + +commit e99ddfde6ae0dd2662bb40435696002b590e4057 upstream. + +Commit 88a8516a2128 (ALSA: usbaudio: implement USB autosuspend) added +autosuspend code to all files making up the snd-usb-audio driver. +However, midi.c is part of snd-usb-lib and is also used by other +drivers, not all of which support autosuspend. Thus, calls to +usb_autopm_get_interface() could fail, and this unexpected error would +result in the MIDI output being completely unusable. + +Make it work by ignoring the error that is expected with drivers that do +not support autosuspend. + +Reported-by: Colin Fletcher +Reported-by: Devin Venable +Reported-by: Dr Nick Bailey +Reported-by: Jannis Achstetter +Reported-by: Rui Nuno Capela +Cc: Oliver Neukum +Signed-off-by: Clemens Ladisch +Signed-off-by: Greg Kroah-Hartman + +--- + sound/usb/midi.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/sound/usb/midi.c ++++ b/sound/usb/midi.c +@@ -147,6 +147,7 @@ struct snd_usb_midi_out_endpoint { + struct snd_usb_midi_out_endpoint* ep; + struct snd_rawmidi_substream *substream; + int active; ++ bool autopm_reference; + uint8_t cable; /* cable number << 4 */ + uint8_t state; + #define STATE_UNKNOWN 0 +@@ -1059,7 +1060,8 @@ static int snd_usbmidi_output_open(struc + return -ENXIO; + } + err = usb_autopm_get_interface(umidi->iface); +- if (err < 0) ++ port->autopm_reference = err >= 0; ++ if (err < 0 && err != -EACCES) + return -EIO; + substream->runtime->private_data = port; + port->state = STATE_UNKNOWN; +@@ -1070,9 +1072,11 @@ static int snd_usbmidi_output_open(struc + static int snd_usbmidi_output_close(struct snd_rawmidi_substream *substream) + { + struct snd_usb_midi* umidi = substream->rmidi->private_data; ++ struct usbmidi_out_port *port = substream->runtime->private_data; + + substream_open(substream, 0); +- usb_autopm_put_interface(umidi->iface); ++ if (port->autopm_reference) ++ usb_autopm_put_interface(umidi->iface); + return 0; + } + diff --git a/queue-3.0/dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch b/queue-3.0/dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch new file mode 100644 index 00000000000..4addbaccc0a --- /dev/null +++ b/queue-3.0/dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch @@ -0,0 +1,43 @@ +From a8c32a5c98943d370ea606a2e7dc04717eb92206 Mon Sep 17 00:00:00 2001 +From: Jens Axboe +Date: Tue, 6 Nov 2012 12:24:26 +0100 +Subject: dm: fix deadlock with request based dm and queue request_fn recursion + +From: Jens Axboe + +commit a8c32a5c98943d370ea606a2e7dc04717eb92206 upstream. + +Request based dm attempts to re-run the request queue off the +request completion path. If used with a driver that potentially does +end_io from its request_fn, we could deadlock trying to recurse +back into request dispatch. Fix this by punting the request queue +run to kblockd. + +Tested to fix a quickly reproducible deadlock in such a scenario. + +Acked-by: Alasdair G Kergon +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/md/dm.c | 8 +++++++- + 1 file changed, 7 insertions(+), 1 deletion(-) + +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -745,8 +745,14 @@ static void rq_completed(struct mapped_d + if (!md_in_flight(md)) + wake_up(&md->wait); + ++ /* ++ * Run this off this callpath, as drivers could invoke end_io while ++ * inside their request_fn (and holding the queue lock). Calling ++ * back into ->request_fn() could deadlock attempting to grab the ++ * queue lock again. ++ */ + if (run_queue) +- blk_run_queue(md->queue); ++ blk_run_queue_async(md->queue); + + /* + * dm_put() must be at the end of this function. See the comment above diff --git a/queue-3.0/futex-avoid-wake_futex-for-a-pi-futex_q.patch b/queue-3.0/futex-avoid-wake_futex-for-a-pi-futex_q.patch new file mode 100644 index 00000000000..5e3828c2d41 --- /dev/null +++ b/queue-3.0/futex-avoid-wake_futex-for-a-pi-futex_q.patch @@ -0,0 +1,98 @@ +From aa10990e028cac3d5e255711fb9fb47e00700e35 Mon Sep 17 00:00:00 2001 +From: Darren Hart +Date: Mon, 26 Nov 2012 16:29:56 -0800 +Subject: futex: avoid wake_futex() for a PI futex_q + +From: Darren Hart + +commit aa10990e028cac3d5e255711fb9fb47e00700e35 upstream. + +Dave Jones reported a bug with futex_lock_pi() that his trinity test +exposed. Sometime between queue_me() and taking the q.lock_ptr, the +lock_ptr became NULL, resulting in a crash. + +While futex_wake() is careful to not call wake_futex() on futex_q's with +a pi_state or an rt_waiter (which are either waiting for a +futex_unlock_pi() or a PI futex_requeue()), futex_wake_op() and +futex_requeue() do not perform the same test. + +Update futex_wake_op() and futex_requeue() to test for q.pi_state and +q.rt_waiter and abort with -EINVAL if detected. To ensure any future +breakage is caught, add a WARN() to wake_futex() if the same condition +is true. + +This fix has seen 3 hours of testing with "trinity -c futex" on an +x86_64 VM with 4 CPUS. + +[akpm@linux-foundation.org: tidy up the WARN()] +Signed-off-by: Darren Hart +Reported-by: Dave Jones +Cc: Thomas Gleixner +Cc: Peter Zijlstra +Cc: Ingo Molnar +Cc: John Kacur +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/futex.c | 18 +++++++++++++++++- + 1 file changed, 17 insertions(+), 1 deletion(-) + +--- a/kernel/futex.c ++++ b/kernel/futex.c +@@ -843,6 +843,9 @@ static void wake_futex(struct futex_q *q + { + struct task_struct *p = q->task; + ++ if (WARN(q->pi_state || q->rt_waiter, "refusing to wake PI futex\n")) ++ return; ++ + /* + * We set q->lock_ptr = NULL _before_ we wake up the task. If + * a non-futex wake up happens on another CPU then the task +@@ -1078,6 +1081,10 @@ retry_private: + + plist_for_each_entry_safe(this, next, head, list) { + if (match_futex (&this->key, &key1)) { ++ if (this->pi_state || this->rt_waiter) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } + wake_futex(this); + if (++ret >= nr_wake) + break; +@@ -1090,6 +1097,10 @@ retry_private: + op_ret = 0; + plist_for_each_entry_safe(this, next, head, list) { + if (match_futex (&this->key, &key2)) { ++ if (this->pi_state || this->rt_waiter) { ++ ret = -EINVAL; ++ goto out_unlock; ++ } + wake_futex(this); + if (++op_ret >= nr_wake2) + break; +@@ -1098,6 +1109,7 @@ retry_private: + ret += op_ret; + } + ++out_unlock: + double_unlock_hb(hb1, hb2); + out_put_keys: + put_futex_key(&key2); +@@ -1387,9 +1399,13 @@ retry_private: + /* + * FUTEX_WAIT_REQEUE_PI and FUTEX_CMP_REQUEUE_PI should always + * be paired with each other and no other futex ops. ++ * ++ * We should never be requeueing a futex_q with a pi_state, ++ * which is awaiting a futex_unlock_pi(). + */ + if ((requeue_pi && !this->rt_waiter) || +- (!requeue_pi && this->rt_waiter)) { ++ (!requeue_pi && this->rt_waiter) || ++ this->pi_state) { + ret = -EINVAL; + break; + } diff --git a/queue-3.0/mac80211-deinitialize-ibss-internals-after-emptiness-check.patch b/queue-3.0/mac80211-deinitialize-ibss-internals-after-emptiness-check.patch new file mode 100644 index 00000000000..85326d1e0f8 --- /dev/null +++ b/queue-3.0/mac80211-deinitialize-ibss-internals-after-emptiness-check.patch @@ -0,0 +1,53 @@ +From b78a4932f5fb11fadf41e69c606a33fa6787574c Mon Sep 17 00:00:00 2001 +From: Simon Wunderlich +Date: Tue, 13 Nov 2012 18:43:03 +0100 +Subject: mac80211: deinitialize ibss-internals after emptiness check + +From: Simon Wunderlich + +commit b78a4932f5fb11fadf41e69c606a33fa6787574c upstream. + +The check whether the IBSS is active and can be removed should be +performed before deinitializing the fields used for the check/search. +Otherwise, the configured BSS will not be found and removed properly. + +To make it more clear for the future, rename sdata->u.ibss to the +local pointer ifibss which is used within the checks. + +This behaviour was introduced by +f3209bea110cade12e2b133da8b8499689cb0e2e +("mac80211: fix IBSS teardown race") + +Signed-off-by: Simon Wunderlich +Cc: Ignacy Gawedzki +Signed-off-by: Johannes Berg +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/ibss.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/net/mac80211/ibss.c ++++ b/net/mac80211/ibss.c +@@ -965,10 +965,6 @@ int ieee80211_ibss_leave(struct ieee8021 + + mutex_lock(&sdata->u.ibss.mtx); + +- sdata->u.ibss.state = IEEE80211_IBSS_MLME_SEARCH; +- memset(sdata->u.ibss.bssid, 0, ETH_ALEN); +- sdata->u.ibss.ssid_len = 0; +- + active_ibss = ieee80211_sta_active_ibss(sdata); + + if (!active_ibss && !is_zero_ether_addr(ifibss->bssid)) { +@@ -989,6 +985,10 @@ int ieee80211_ibss_leave(struct ieee8021 + } + } + ++ ifibss->state = IEEE80211_IBSS_MLME_SEARCH; ++ memset(ifibss->bssid, 0, ETH_ALEN); ++ ifibss->ssid_len = 0; ++ + sta_info_flush(sdata->local, sdata); + + /* remove beacon */ diff --git a/queue-3.0/mtd-slram-invalid-checking-of-absolute-end-address.patch b/queue-3.0/mtd-slram-invalid-checking-of-absolute-end-address.patch new file mode 100644 index 00000000000..98c46776fcc --- /dev/null +++ b/queue-3.0/mtd-slram-invalid-checking-of-absolute-end-address.patch @@ -0,0 +1,30 @@ +From c36a7ff4578ab6294885aef5ef241aeec4cdb1f0 Mon Sep 17 00:00:00 2001 +From: Jiri Engelthaler +Date: Thu, 20 Sep 2012 16:49:50 +0200 +Subject: mtd: slram: invalid checking of absolute end address + +From: Jiri Engelthaler + +commit c36a7ff4578ab6294885aef5ef241aeec4cdb1f0 upstream. + +Fixed parsing end absolute address. + +Signed-off-by: Jiri Engelthaler +Signed-off-by: Artem Bityutskiy +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/mtd/devices/slram.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/mtd/devices/slram.c ++++ b/drivers/mtd/devices/slram.c +@@ -266,7 +266,7 @@ static int parse_cmdline(char *devname, + + if (*(szlength) != '+') { + devlength = simple_strtoul(szlength, &buffer, 0); +- devlength = handle_unit(devlength, buffer) - devstart; ++ devlength = handle_unit(devlength, buffer); + if (devlength < devstart) + goto err_out; + diff --git a/queue-3.0/mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch b/queue-3.0/mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch new file mode 100644 index 00000000000..d6413c46583 --- /dev/null +++ b/queue-3.0/mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch @@ -0,0 +1,51 @@ +From dd321acddc3be1371263b8c9e6c6f2af89f63d57 Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Thu, 15 Nov 2012 15:58:48 -0800 +Subject: mwifiex: report error to MMC core if we cannot suspend + +From: Bing Zhao + +commit dd321acddc3be1371263b8c9e6c6f2af89f63d57 upstream. + +When host_sleep_config command fails we should return error to +MMC core to indicate the failure for our device. + +The misspelled variable is also removed as it's redundant. + +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/sdio.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +--- a/drivers/net/wireless/mwifiex/sdio.c ++++ b/drivers/net/wireless/mwifiex/sdio.c +@@ -122,7 +122,6 @@ static int mwifiex_sdio_suspend(struct d + struct sdio_mmc_card *card; + struct mwifiex_adapter *adapter; + mmc_pm_flag_t pm_flag = 0; +- int hs_actived = 0; + int i; + int ret = 0; + +@@ -149,12 +148,14 @@ static int mwifiex_sdio_suspend(struct d + adapter = card->adapter; + + /* Enable the Host Sleep */ +- hs_actived = mwifiex_enable_hs(adapter); +- if (hs_actived) { +- pr_debug("cmd: suspend with MMC_PM_KEEP_POWER\n"); +- ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER); ++ if (!mwifiex_enable_hs(adapter)) { ++ dev_err(adapter->dev, "cmd: failed to suspend\n"); ++ return -EFAULT; + } + ++ dev_dbg(adapter->dev, "cmd: suspend with MMC_PM_KEEP_POWER\n"); ++ ret = sdio_set_host_pm_flags(func, MMC_PM_KEEP_POWER); ++ + /* Indicate device suspended */ + adapter->is_suspended = true; + diff --git a/queue-3.0/parisc-fix-user-triggerable-panic-on-parisc.patch b/queue-3.0/parisc-fix-user-triggerable-panic-on-parisc.patch new file mode 100644 index 00000000000..cb63c921557 --- /dev/null +++ b/queue-3.0/parisc-fix-user-triggerable-panic-on-parisc.patch @@ -0,0 +1,59 @@ +From 441a179dafc0f99fc8b3a8268eef66958621082e Mon Sep 17 00:00:00 2001 +From: Al Viro +Date: Wed, 21 Nov 2012 19:27:23 +0000 +Subject: PARISC: fix user-triggerable panic on parisc + +From: Al Viro + +commit 441a179dafc0f99fc8b3a8268eef66958621082e upstream. + +int sys32_rt_sigprocmask(int how, compat_sigset_t __user *set, compat_sigset_t __user *oset, + unsigned int sigsetsize) +{ + sigset_t old_set, new_set; + int ret; + + if (set && get_sigset32(set, &new_set, sigsetsize)) + +... +static int +get_sigset32(compat_sigset_t __user *up, sigset_t *set, size_t sz) +{ + compat_sigset_t s; + int r; + + if (sz != sizeof *set) panic("put_sigset32()"); + +In other words, rt_sigprocmask(69, (void *)69, 69) done by 32bit process +will promptly panic the box. + +Signed-off-by: Al Viro +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/signal32.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/parisc/kernel/signal32.c ++++ b/arch/parisc/kernel/signal32.c +@@ -67,7 +67,8 @@ put_sigset32(compat_sigset_t __user *up, + { + compat_sigset_t s; + +- if (sz != sizeof *set) panic("put_sigset32()"); ++ if (sz != sizeof *set) ++ return -EINVAL; + sigset_64to32(&s, set); + + return copy_to_user(up, &s, sizeof s); +@@ -79,7 +80,8 @@ get_sigset32(compat_sigset_t __user *up, + compat_sigset_t s; + int r; + +- if (sz != sizeof *set) panic("put_sigset32()"); ++ if (sz != sizeof *set) ++ return -EINVAL; + + if ((r = copy_from_user(&s, up, sz)) == 0) { + sigset_32to64(set, &s); diff --git a/queue-3.0/parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch b/queue-3.0/parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch new file mode 100644 index 00000000000..f118e90f6f7 --- /dev/null +++ b/queue-3.0/parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch @@ -0,0 +1,47 @@ +From 949a05d03490e39e773e8652ccab9157e6f595b4 Mon Sep 17 00:00:00 2001 +From: James Bottomley +Date: Fri, 2 Nov 2012 12:30:53 +0000 +Subject: PARISC: fix virtual aliasing issue in get_shared_area() + +From: James Bottomley + +commit 949a05d03490e39e773e8652ccab9157e6f595b4 upstream. + +On Thu, 2012-11-01 at 16:45 -0700, Michel Lespinasse wrote: +> Looking at the arch/parisc/kernel/sys_parisc.c implementation of +> get_shared_area(), I do have a concern though. The function basically +> ignores the pgoff argument, so that if one creates a shared mapping of +> pages 0-N of a file, and then a separate shared mapping of pages 1-N +> of that same file, both will have the same cache offset for their +> starting address. +> +> This looks like this would create obvious aliasing issues. Am I +> misreading this ? I can't understand how this could work good enough +> to be undetected, so there must be something I'm missing here ??? + +This turns out to be correct and we need to pay attention to the pgoff as +well as the address when creating the virtual address for the area. +Fortunately, the bug is rarely triggered as most applications which use pgoff +tend to use large values (git being the primary one, and it uses pgoff in +multiples of 16MB) which are larger than our cache coherency modulus, so the +problem isn't often seen in practise. + +Reported-by: Michel Lespinasse +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + arch/parisc/kernel/sys_parisc.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/parisc/kernel/sys_parisc.c ++++ b/arch/parisc/kernel/sys_parisc.c +@@ -73,6 +73,8 @@ static unsigned long get_shared_area(str + struct vm_area_struct *vma; + int offset = mapping ? get_offset(mapping) : 0; + ++ offset = (offset + (pgoff << PAGE_SHIFT)) & 0x3FF000; ++ + addr = DCACHE_ALIGN(addr - offset) + offset; + + for (vma = find_vma(current->mm, addr); ; vma = vma->vm_next) { diff --git a/queue-3.0/radeon-add-agpmode-1-quirk-for-rv250.patch b/queue-3.0/radeon-add-agpmode-1-quirk-for-rv250.patch new file mode 100644 index 00000000000..6cc87fed3d4 --- /dev/null +++ b/queue-3.0/radeon-add-agpmode-1-quirk-for-rv250.patch @@ -0,0 +1,39 @@ +From 45171002b01b2e2ec4f991eca81ffd8430fd0aec Mon Sep 17 00:00:00 2001 +From: Paul Bolle +Date: Mon, 19 Nov 2012 21:17:31 +0100 +Subject: radeon: add AGPMode 1 quirk for RV250 + +From: Paul Bolle + +commit 45171002b01b2e2ec4f991eca81ffd8430fd0aec upstream. + +The Intel 82855PM host bridge / Mobility FireGL 9000 RV250 combination +in an (outdated) ThinkPad T41 needs AGPMode 1 for suspend/resume (under +KMS, that is). So add a quirk for it. + +(Change R250 to RV250 in comment for preceding quirk too.) + +Signed-off-by: Paul Bolle +Signed-off-by: Alex Deucher +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/radeon/radeon_agp.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/gpu/drm/radeon/radeon_agp.c ++++ b/drivers/gpu/drm/radeon/radeon_agp.c +@@ -70,9 +70,12 @@ static struct radeon_agpmode_quirk radeo + /* Intel 82830 830 Chipset Host Bridge / Mobility M6 LY Needs AGPMode 2 (fdo #17360)*/ + { PCI_VENDOR_ID_INTEL, 0x3575, PCI_VENDOR_ID_ATI, 0x4c59, + PCI_VENDOR_ID_DELL, 0x00e3, 2}, +- /* Intel 82852/82855 host bridge / Mobility FireGL 9000 R250 Needs AGPMode 1 (lp #296617) */ ++ /* Intel 82852/82855 host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 (lp #296617) */ + { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4c66, + PCI_VENDOR_ID_DELL, 0x0149, 1}, ++ /* Intel 82855PM host bridge / Mobility FireGL 9000 RV250 Needs AGPMode 1 for suspend/resume */ ++ { PCI_VENDOR_ID_INTEL, 0x3340, PCI_VENDOR_ID_ATI, 0x4c66, ++ PCI_VENDOR_ID_IBM, 0x0531, 1}, + /* Intel 82852/82855 host bridge / Mobility 9600 M10 RV350 Needs AGPMode 1 (deb #467460) */ + { PCI_VENDOR_ID_INTEL, 0x3580, PCI_VENDOR_ID_ATI, 0x4e50, + 0x1025, 0x0061, 1}, diff --git a/queue-3.0/rtlwifi-rtl8192cu-add-new-usb-id.patch b/queue-3.0/rtlwifi-rtl8192cu-add-new-usb-id.patch new file mode 100644 index 00000000000..4992ab1c093 --- /dev/null +++ b/queue-3.0/rtlwifi-rtl8192cu-add-new-usb-id.patch @@ -0,0 +1,31 @@ +From a485e827f07bfdd0762059386e6e787bed6e81ee Mon Sep 17 00:00:00 2001 +From: Albert Pool +Date: Tue, 30 Oct 2012 20:58:06 +0100 +Subject: rtlwifi: rtl8192cu: Add new USB ID + +From: Albert Pool + +commit a485e827f07bfdd0762059386e6e787bed6e81ee upstream. + +This is an ISY IWL 2000. Probably a clone of Belkin F7D1102 050d:1102. +Its FCC ID is the same. + +Signed-off-by: Albert Pool +Acked-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/sw.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/sw.c +@@ -295,6 +295,7 @@ static struct usb_device_id rtl8192c_usb + /*=== Customer ID ===*/ + /****** 8188CU ********/ + {RTL_USB_DEVICE(0x050d, 0x1102, rtl92cu_hal_cfg)}, /*Belkin - Edimax*/ ++ {RTL_USB_DEVICE(0x050d, 0x11f2, rtl92cu_hal_cfg)}, /*Belkin - ISY*/ + {RTL_USB_DEVICE(0x06f8, 0xe033, rtl92cu_hal_cfg)}, /*Hercules - Edimax*/ + {RTL_USB_DEVICE(0x07b8, 0x8188, rtl92cu_hal_cfg)}, /*Abocom - Abocom*/ + {RTL_USB_DEVICE(0x07b8, 0x8189, rtl92cu_hal_cfg)}, /*Funai - Abocom*/ diff --git a/queue-3.0/scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch b/queue-3.0/scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch new file mode 100644 index 00000000000..a5647a40bab --- /dev/null +++ b/queue-3.0/scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch @@ -0,0 +1,36 @@ +From 49bd665c5407a453736d3232ee58f2906b42e83c Mon Sep 17 00:00:00 2001 +From: Maciej Patelczyk +Date: Mon, 15 Oct 2012 14:29:03 +0200 +Subject: SCSI: isci: copy fis 0x34 response into proper buffer + +From: Maciej Patelczyk + +commit 49bd665c5407a453736d3232ee58f2906b42e83c upstream. + +SATA MICROCODE DOWNALOAD fails on isci driver. After receiving Register +Device to Host (FIS 0x34) frame Initiator resets phy. +In the frame handler routine response (FIS 0x34) was copied into wrong +buffer and upper layer did not receive any answer which resulted in +timeout and reset. +This patch corrects this bug. + +Signed-off-by: Maciej Patelczyk +Signed-off-by: Lukasz Dorau +Signed-off-by: James Bottomley +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/isci/request.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/isci/request.c ++++ b/drivers/scsi/isci/request.c +@@ -1693,7 +1693,7 @@ sci_io_request_frame_handler(struct isci + frame_index, + (void **)&frame_buffer); + +- sci_controller_copy_sata_response(&ireq->stp.req, ++ sci_controller_copy_sata_response(&ireq->stp.rsp, + frame_header, + frame_buffer); + diff --git a/queue-3.0/series b/queue-3.0/series index 07f59b7985f..4d4875dfaaa 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -3,3 +3,17 @@ drivers-block-dac960-fix-dac960_v2_ioctl_opcode_t-wenum-compare-warning.patch drivers-block-dac960-fix-wuninitialized-warning.patch riva-fbdev-fix-several-wuninitialized.patch ifenslave-fix-unused-variable-warnings.patch +x86-32-fix-invalid-stack-address-while-in-softirq.patch +x86-microcode-amd-add-support-for-family-16h-processors.patch +rtlwifi-rtl8192cu-add-new-usb-id.patch +mwifiex-report-error-to-mmc-core-if-we-cannot-suspend.patch +scsi-isci-copy-fis-0x34-response-into-proper-buffer.patch +alsa-ua101-usx2y-fix-broken-midi-output.patch +alsa-hda-cirrus-correctly-clear-line_out_pins-when-moving-to-speaker.patch +parisc-fix-virtual-aliasing-issue-in-get_shared_area.patch +parisc-fix-user-triggerable-panic-on-parisc.patch +mtd-slram-invalid-checking-of-absolute-end-address.patch +dm-fix-deadlock-with-request-based-dm-and-queue-request_fn-recursion.patch +futex-avoid-wake_futex-for-a-pi-futex_q.patch +mac80211-deinitialize-ibss-internals-after-emptiness-check.patch +radeon-add-agpmode-1-quirk-for-rv250.patch diff --git a/queue-3.0/x86-32-fix-invalid-stack-address-while-in-softirq.patch b/queue-3.0/x86-32-fix-invalid-stack-address-while-in-softirq.patch new file mode 100644 index 00000000000..80ed0339d4f --- /dev/null +++ b/queue-3.0/x86-32-fix-invalid-stack-address-while-in-softirq.patch @@ -0,0 +1,144 @@ +From 1022623842cb72ee4d0dbf02f6937f38c92c3f41 Mon Sep 17 00:00:00 2001 +From: Robert Richter +Date: Mon, 3 Sep 2012 20:54:48 +0200 +Subject: x86-32: Fix invalid stack address while in softirq + +From: Robert Richter + +commit 1022623842cb72ee4d0dbf02f6937f38c92c3f41 upstream. + +In 32 bit the stack address provided by kernel_stack_pointer() may +point to an invalid range causing NULL pointer access or page faults +while in NMI (see trace below). This happens if called in softirq +context and if the stack is empty. The address at ®s->sp is then +out of range. + +Fixing this by checking if regs and ®s->sp are in the same stack +context. Otherwise return the previous stack pointer stored in struct +thread_info. If that address is invalid too, return address of regs. + + BUG: unable to handle kernel NULL pointer dereference at 0000000a + IP: [] print_context_stack+0x6e/0x8d + *pde = 00000000 + Oops: 0000 [#1] SMP + Modules linked in: + Pid: 4434, comm: perl Not tainted 3.6.0-rc3-oprofile-i386-standard-g4411a05 #4 Hewlett-Packard HP xw9400 Workstation/0A1Ch + EIP: 0060:[] EFLAGS: 00010093 CPU: 0 + EIP is at print_context_stack+0x6e/0x8d + EAX: ffffe000 EBX: 0000000a ECX: f4435f94 EDX: 0000000a + ESI: f4435f94 EDI: f4435f94 EBP: f5409ec0 ESP: f5409ea0 + DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 + CR0: 8005003b CR2: 0000000a CR3: 34ac9000 CR4: 000007d0 + DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 + DR6: ffff0ff0 DR7: 00000400 + Process perl (pid: 4434, ti=f5408000 task=f5637850 task.ti=f4434000) + Stack: + 000003e8 ffffe000 00001ffc f4e39b00 00000000 0000000a f4435f94 c155198c + f5409ef0 c1003723 c155198c f5409f04 00000000 f5409edc 00000000 00000000 + f5409ee8 f4435f94 f5409fc4 00000001 f5409f1c c12dce1c 00000000 c155198c + Call Trace: + [] dump_trace+0x7b/0xa1 + [] x86_backtrace+0x40/0x88 + [] ? oprofile_add_sample+0x56/0x84 + [] oprofile_add_sample+0x75/0x84 + [] op_amd_check_ctrs+0x46/0x260 + [] profile_exceptions_notify+0x23/0x4c + [] nmi_handle+0x31/0x4a + [] ? ftrace_define_fields_irq_handler_entry+0x45/0x45 + [] do_nmi+0xa0/0x2ff + [] ? ftrace_define_fields_irq_handler_entry+0x45/0x45 + [] nmi_stack_correct+0x28/0x2d + [] ? ftrace_define_fields_irq_handler_entry+0x45/0x45 + [] ? do_softirq+0x4b/0x7f + + [] irq_exit+0x35/0x5b + [] smp_apic_timer_interrupt+0x6c/0x7a + [] apic_timer_interrupt+0x2a/0x30 + Code: 89 fe eb 08 31 c9 8b 45 0c ff 55 ec 83 c3 04 83 7d 10 00 74 0c 3b 5d 10 73 26 3b 5d e4 73 0c eb 1f 3b 5d f0 76 1a 3b 5d e8 73 15 <8b> 13 89 d0 89 55 e0 e8 ad 42 03 00 85 c0 8b 55 e0 75 a6 eb cc + EIP: [] print_context_stack+0x6e/0x8d SS:ESP 0068:f5409ea0 + CR2: 000000000000000a + ---[ end trace 62afee3481b00012 ]--- + Kernel panic - not syncing: Fatal exception in interrupt + +V2: +* add comments to kernel_stack_pointer() +* always return a valid stack address by falling back to the address + of regs + +Reported-by: Yang Wei +Signed-off-by: Robert Richter +Link: http://lkml.kernel.org/r/20120912135059.GZ8285@erda.amd.com +Signed-off-by: H. Peter Anvin +Cc: Jun Zhang +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/ptrace.h | 15 ++++----------- + arch/x86/kernel/ptrace.c | 28 ++++++++++++++++++++++++++++ + 2 files changed, 32 insertions(+), 11 deletions(-) + +--- a/arch/x86/include/asm/ptrace.h ++++ b/arch/x86/include/asm/ptrace.h +@@ -187,21 +187,14 @@ static inline int v8086_mode(struct pt_r + #endif + } + +-/* +- * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode +- * when it traps. The previous stack will be directly underneath the saved +- * registers, and 'sp/ss' won't even have been saved. Thus the '®s->sp'. +- * +- * This is valid only for kernel mode traps. +- */ +-static inline unsigned long kernel_stack_pointer(struct pt_regs *regs) +-{ + #ifdef CONFIG_X86_32 +- return (unsigned long)(®s->sp); ++extern unsigned long kernel_stack_pointer(struct pt_regs *regs); + #else ++static inline unsigned long kernel_stack_pointer(struct pt_regs *regs) ++{ + return regs->sp; +-#endif + } ++#endif + + #define GET_IP(regs) ((regs)->ip) + #define GET_FP(regs) ((regs)->bp) +--- a/arch/x86/kernel/ptrace.c ++++ b/arch/x86/kernel/ptrace.c +@@ -164,6 +164,34 @@ static inline bool invalid_selector(u16 + + #define FLAG_MASK FLAG_MASK_32 + ++/* ++ * X86_32 CPUs don't save ss and esp if the CPU is already in kernel mode ++ * when it traps. The previous stack will be directly underneath the saved ++ * registers, and 'sp/ss' won't even have been saved. Thus the '®s->sp'. ++ * ++ * Now, if the stack is empty, '®s->sp' is out of range. In this ++ * case we try to take the previous stack. To always return a non-null ++ * stack pointer we fall back to regs as stack if no previous stack ++ * exists. ++ * ++ * This is valid only for kernel mode traps. ++ */ ++unsigned long kernel_stack_pointer(struct pt_regs *regs) ++{ ++ unsigned long context = (unsigned long)regs & ~(THREAD_SIZE - 1); ++ unsigned long sp = (unsigned long)®s->sp; ++ struct thread_info *tinfo; ++ ++ if (context == (sp & ~(THREAD_SIZE - 1))) ++ return sp; ++ ++ tinfo = (struct thread_info *)context; ++ if (tinfo->previous_esp) ++ return tinfo->previous_esp; ++ ++ return (unsigned long)regs; ++} ++ + static unsigned long *pt_regs_access(struct pt_regs *regs, unsigned long regno) + { + BUILD_BUG_ON(offsetof(struct pt_regs, bx) != 0); diff --git a/queue-3.0/x86-microcode-amd-add-support-for-family-16h-processors.patch b/queue-3.0/x86-microcode-amd-add-support-for-family-16h-processors.patch new file mode 100644 index 00000000000..5e2a0d4d6c8 --- /dev/null +++ b/queue-3.0/x86-microcode-amd-add-support-for-family-16h-processors.patch @@ -0,0 +1,43 @@ +From 36c46ca4f322a7bf89aad5462a3a1f61713edce7 Mon Sep 17 00:00:00 2001 +From: Boris Ostrovsky +Date: Thu, 15 Nov 2012 13:41:50 -0500 +Subject: x86, microcode, AMD: Add support for family 16h processors + +From: Boris Ostrovsky + +commit 36c46ca4f322a7bf89aad5462a3a1f61713edce7 upstream. + +Add valid patch size for family 16h processors. + +[ hpa: promoting to urgent/stable since it is hw enabling and trivial ] + +Signed-off-by: Boris Ostrovsky +Acked-by: Andreas Herrmann +Link: http://lkml.kernel.org/r/1353004910-2204-1-git-send-email-boris.ostrovsky@amd.com +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/microcode_amd.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/x86/kernel/microcode_amd.c ++++ b/arch/x86/kernel/microcode_amd.c +@@ -162,6 +162,7 @@ static unsigned int verify_ucode_size(in + #define F1XH_MPB_MAX_SIZE 2048 + #define F14H_MPB_MAX_SIZE 1824 + #define F15H_MPB_MAX_SIZE 4096 ++#define F16H_MPB_MAX_SIZE 3458 + + switch (c->x86) { + case 0x14: +@@ -170,6 +171,9 @@ static unsigned int verify_ucode_size(in + case 0x15: + max_size = F15H_MPB_MAX_SIZE; + break; ++ case 0x16: ++ max_size = F16H_MPB_MAX_SIZE; ++ break; + default: + max_size = F1XH_MPB_MAX_SIZE; + break;