From: Greg Kroah-Hartman Date: Wed, 20 Oct 2010 00:43:15 +0000 (-0700) Subject: .32 patches X-Git-Tag: v2.6.27.55~19 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=f2230c31505948962168721d44eec40cdb7697ea;p=thirdparty%2Fkernel%2Fstable-queue.git .32 patches --- diff --git a/queue-2.6.32/atl1-fix-resume.patch b/queue-2.6.32/atl1-fix-resume.patch new file mode 100644 index 00000000000..9ce5380d92d --- /dev/null +++ b/queue-2.6.32/atl1-fix-resume.patch @@ -0,0 +1,40 @@ +From ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 Mon Sep 17 00:00:00 2001 +From: Luca Tettamanti +Date: Wed, 22 Sep 2010 10:41:58 +0000 +Subject: atl1: fix resume + +From: Luca Tettamanti + +commit ec5a32f67c603b11d68eb283d94eb89a4f6cfce1 upstream. + +adapter->cmb.cmb is initialized when the device is opened and freed when +it's closed. Accessing it unconditionally during resume results either +in a crash (NULL pointer dereference, when the interface has not been +opened yet) or data corruption (when the interface has been used and +brought down adapter->cmb.cmb points to a deallocated memory area). + +Signed-off-by: Luca Tettamanti +Acked-by: Chris Snook +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/atlx/atl1.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/atlx/atl1.c ++++ b/drivers/net/atlx/atl1.c +@@ -2856,10 +2856,11 @@ static int atl1_resume(struct pci_dev *p + pci_enable_wake(pdev, PCI_D3cold, 0); + + atl1_reset_hw(&adapter->hw); +- adapter->cmb.cmb->int_stats = 0; + +- if (netif_running(netdev)) ++ if (netif_running(netdev)) { ++ adapter->cmb.cmb->int_stats = 0; + atl1_up(adapter); ++ } + netif_device_attach(netdev); + + return 0; diff --git a/queue-2.6.32/de-pessimize-rds_page_copy_user.patch b/queue-2.6.32/de-pessimize-rds_page_copy_user.patch new file mode 100644 index 00000000000..143b006fb1e --- /dev/null +++ b/queue-2.6.32/de-pessimize-rds_page_copy_user.patch @@ -0,0 +1,78 @@ +From 799c10559d60f159ab2232203f222f18fa3c4a5f Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:09:28 -0700 +Subject: De-pessimize rds_page_copy_user + +From: Linus Torvalds + +commit 799c10559d60f159ab2232203f222f18fa3c4a5f upstream. + +Don't try to "optimize" rds_page_copy_user() by using kmap_atomic() and +the unsafe atomic user mode accessor functions. It's actually slower +than the straightforward code on any reasonable modern CPU. + +Back when the code was written (although probably not by the time it was +actually merged, though), 32-bit x86 may have been the dominant +architecture. And there kmap_atomic() can be a lot faster than kmap() +(unless you have very good locality, in which case the virtual address +caching by kmap() can overcome all the downsides). + +But these days, x86-64 may not be more populous, but it's getting there +(and if you care about performance, it's definitely already there - +you'd have upgraded your CPU's already in the last few years). And on +x86-64, the non-kmap_atomic() version is faster, simply because the code +is simpler and doesn't have the "re-try page fault" case. + +People with old hardware are not likely to care about RDS anyway, and +the optimization for the 32-bit case is simply buggy, since it doesn't +verify the user addresses properly. + +Reported-by: Dan Rosenberg +Acked-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + net/rds/page.c | 27 +++++++-------------------- + 1 file changed, 7 insertions(+), 20 deletions(-) + +--- a/net/rds/page.c ++++ b/net/rds/page.c +@@ -56,30 +56,17 @@ int rds_page_copy_user(struct page *page + unsigned long ret; + void *addr; + +- if (to_user) ++ addr = kmap(page); ++ if (to_user) { + rds_stats_add(s_copy_to_user, bytes); +- else ++ ret = copy_to_user(ptr, addr + offset, bytes); ++ } else { + rds_stats_add(s_copy_from_user, bytes); +- +- addr = kmap_atomic(page, KM_USER0); +- if (to_user) +- ret = __copy_to_user_inatomic(ptr, addr + offset, bytes); +- else +- ret = __copy_from_user_inatomic(addr + offset, ptr, bytes); +- kunmap_atomic(addr, KM_USER0); +- +- if (ret) { +- addr = kmap(page); +- if (to_user) +- ret = copy_to_user(ptr, addr + offset, bytes); +- else +- ret = copy_from_user(addr + offset, ptr, bytes); +- kunmap(page); +- if (ret) +- return -EFAULT; ++ ret = copy_from_user(addr + offset, ptr, bytes); + } ++ kunmap(page); + +- return 0; ++ return ret ? -EFAULT : 0; + } + EXPORT_SYMBOL_GPL(rds_page_copy_user); + diff --git a/queue-2.6.32/dmaengine-fix-interrupt-clearing-for-mv_xor.patch b/queue-2.6.32/dmaengine-fix-interrupt-clearing-for-mv_xor.patch new file mode 100644 index 00000000000..7b111f3cba7 --- /dev/null +++ b/queue-2.6.32/dmaengine-fix-interrupt-clearing-for-mv_xor.patch @@ -0,0 +1,42 @@ +From cc60f8878eab892c03d06b10f389232b9b66bd83 Mon Sep 17 00:00:00 2001 +From: Simon Guinot +Date: Fri, 17 Sep 2010 23:33:51 +0200 +Subject: dmaengine: fix interrupt clearing for mv_xor + +From: Simon Guinot + +commit cc60f8878eab892c03d06b10f389232b9b66bd83 upstream. + +When using simultaneously the two DMA channels on a same engine, some +transfers are never completed. For example, an endless lock can occur +while writing heavily on a RAID5 array (with async-tx offload support +enabled). + +Note that this issue can also be reproduced by using the DMA test +client. + +On a same engine, the interrupt cause register is shared between two +DMA channels. This patch make sure that the cause bit is only cleared +for the requested channel. + +Signed-off-by: Simon Guinot +Tested-by: Luc Saillard +Acked-by: saeed bishara +Signed-off-by: Dan Williams +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/dma/mv_xor.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/dma/mv_xor.c ++++ b/drivers/dma/mv_xor.c +@@ -161,7 +161,7 @@ static int mv_is_err_intr(u32 intr_cause + + static void mv_xor_device_clear_eoc_cause(struct mv_xor_chan *chan) + { +- u32 val = (1 << (1 + (chan->idx * 16))); ++ u32 val = ~(1 << (chan->idx * 16)); + dev_dbg(chan->device->common.dev, "%s, val 0x%08x\n", __func__, val); + __raw_writel(val, XOR_INTR_CAUSE(chan)); + } diff --git a/queue-2.6.32/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch b/queue-2.6.32/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch new file mode 100644 index 00000000000..7a1439ad3dd --- /dev/null +++ b/queue-2.6.32/drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch @@ -0,0 +1,36 @@ +From f459ffbdfd04edb4a8ce6eea33170eb057a5e695 Mon Sep 17 00:00:00 2001 +From: Dave Airlie +Date: Sat, 25 Sep 2010 17:45:50 +1000 +Subject: drm/radeon: fix PCI ID 5657 to be an RV410 + +From: Dave Airlie + +commit f459ffbdfd04edb4a8ce6eea33170eb057a5e695 upstream. + +fixes https://bugzilla.kernel.org/show_bug.cgi?id=19012 + +Signed-off-by: Dave Airlie +Signed-off-by: Greg Kroah-Hartman + +--- + include/drm/drm_pciids.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/include/drm/drm_pciids.h ++++ b/include/drm/drm_pciids.h +@@ -85,7 +85,6 @@ + {0x1002, 0x5460, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5462, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5464, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_IS_MOBILITY}, \ +- {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV380|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5548, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5549, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x554A, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_R423|RADEON_NEW_MEMMAP}, \ +@@ -103,6 +102,7 @@ + {0x1002, 0x564F, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5652, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5653, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_IS_MOBILITY|RADEON_NEW_MEMMAP}, \ ++ {0x1002, 0x5657, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RV410|RADEON_NEW_MEMMAP}, \ + {0x1002, 0x5834, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP}, \ + {0x1002, 0x5835, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS300|RADEON_IS_IGP|RADEON_IS_MOBILITY}, \ + {0x1002, 0x5954, PCI_ANY_ID, PCI_ANY_ID, 0, 0, CHIP_RS480|RADEON_IS_IGP|RADEON_IS_MOBILITY|RADEON_IS_IGPGART}, \ diff --git a/queue-2.6.32/hrtimer-preserve-timer-state-in-remove_hrtimer.patch b/queue-2.6.32/hrtimer-preserve-timer-state-in-remove_hrtimer.patch new file mode 100644 index 00000000000..85c4bb1df8a --- /dev/null +++ b/queue-2.6.32/hrtimer-preserve-timer-state-in-remove_hrtimer.patch @@ -0,0 +1,88 @@ +From f13d4f979c518119bba5439dd2364d76d31dcd3f Mon Sep 17 00:00:00 2001 +From: Salman Qazi +Date: Tue, 12 Oct 2010 07:25:19 -0700 +Subject: hrtimer: Preserve timer state in remove_hrtimer() + +From: Salman Qazi + +commit f13d4f979c518119bba5439dd2364d76d31dcd3f upstream. + +The race is described as follows: + +CPU X CPU Y +remove_hrtimer +// state & QUEUED == 0 +timer->state = CALLBACK +unlock timer base +timer->f(n) //very long + hrtimer_start + lock timer base + remove_hrtimer // no effect + hrtimer_enqueue + timer->state = CALLBACK | + QUEUED + unlock timer base + hrtimer_start + lock timer base + remove_hrtimer + mode = INACTIVE + // CALLBACK bit lost! + switch_hrtimer_base + CALLBACK bit not set: + timer->base + changes to a + different CPU. +lock this CPU's timer base + +The bug was introduced with commit ca109491f (hrtimer: removing all ur +callback modes) in 2.6.29 + +[ tglx: Feed new state via local variable and add a comment. ] + +Signed-off-by: Salman Qazi +Cc: akpm@linux-foundation.org +Cc: Peter Zijlstra +LKML-Reference: <20101012142351.8485.21823.stgit@dungbeetle.mtv.corp.google.com> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/hrtimer.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/kernel/hrtimer.c ++++ b/kernel/hrtimer.c +@@ -920,6 +920,7 @@ static inline int + remove_hrtimer(struct hrtimer *timer, struct hrtimer_clock_base *base) + { + if (hrtimer_is_queued(timer)) { ++ unsigned long state; + int reprogram; + + /* +@@ -933,8 +934,13 @@ remove_hrtimer(struct hrtimer *timer, st + debug_deactivate(timer); + timer_stats_hrtimer_clear_start_info(timer); + reprogram = base->cpu_base == &__get_cpu_var(hrtimer_bases); +- __remove_hrtimer(timer, base, HRTIMER_STATE_INACTIVE, +- reprogram); ++ /* ++ * We must preserve the CALLBACK state flag here, ++ * otherwise we could move the timer base in ++ * switch_hrtimer_base. ++ */ ++ state = timer->state & HRTIMER_STATE_CALLBACK; ++ __remove_hrtimer(timer, base, state, reprogram); + return 1; + } + return 0; +@@ -1221,6 +1227,9 @@ static void __run_hrtimer(struct hrtimer + BUG_ON(timer->state != HRTIMER_STATE_CALLBACK); + enqueue_hrtimer(timer, base); + } ++ ++ WARN_ON_ONCE(!(timer->state & HRTIMER_STATE_CALLBACK)); ++ + timer->state &= ~HRTIMER_STATE_CALLBACK; + } + diff --git a/queue-2.6.32/i2c-pca-fix-waitforcompletion-return-value.patch b/queue-2.6.32/i2c-pca-fix-waitforcompletion-return-value.patch new file mode 100644 index 00000000000..a5f6c28f5f0 --- /dev/null +++ b/queue-2.6.32/i2c-pca-fix-waitforcompletion-return-value.patch @@ -0,0 +1,86 @@ +From 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 Mon Sep 17 00:00:00 2001 +From: Yegor Yefremov +Date: Thu, 30 Sep 2010 14:14:22 +0200 +Subject: i2c-pca: Fix waitforcompletion() return value + +From: Yegor Yefremov + +commit 6abb930af064fb1cf4177d32e2c7bfb89eee0fe5 upstream. + +ret is still -1, if during the polling read_byte() returns at once +with I2C_PCA_CON_SI set. So ret > 0 would lead *_waitforcompletion() +to return 0, in spite of the proper behavior. + +The routine was rewritten, so that ret has always a proper value, +before returning. + +Signed-off-by: Yegor Yefremov +Reviewed-by: Wolfram Sang +Signed-off-by: Jean Delvare +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-pca-isa.c | 12 ++++++++---- + drivers/i2c/busses/i2c-pca-platform.c | 11 +++++++---- + 2 files changed, 15 insertions(+), 8 deletions(-) + +--- a/drivers/i2c/busses/i2c-pca-isa.c ++++ b/drivers/i2c/busses/i2c-pca-isa.c +@@ -71,8 +71,8 @@ static int pca_isa_readbyte(void *pd, in + + static int pca_isa_waitforcompletion(void *pd) + { +- long ret = ~0; + unsigned long timeout; ++ long ret; + + if (irq > -1) { + ret = wait_event_timeout(pca_wait, +@@ -81,11 +81,15 @@ static int pca_isa_waitforcompletion(voi + } else { + /* Do polling */ + timeout = jiffies + pca_isa_ops.timeout; +- while (((pca_isa_readbyte(pd, I2C_PCA_CON) +- & I2C_PCA_CON_SI) == 0) +- && (ret = time_before(jiffies, timeout))) ++ do { ++ ret = time_before(jiffies, timeout); ++ if (pca_isa_readbyte(pd, I2C_PCA_CON) ++ & I2C_PCA_CON_SI) ++ break; + udelay(100); ++ } while (ret); + } ++ + return ret > 0; + } + +--- a/drivers/i2c/busses/i2c-pca-platform.c ++++ b/drivers/i2c/busses/i2c-pca-platform.c +@@ -80,8 +80,8 @@ static void i2c_pca_pf_writebyte32(void + static int i2c_pca_pf_waitforcompletion(void *pd) + { + struct i2c_pca_pf_data *i2c = pd; +- long ret = ~0; + unsigned long timeout; ++ long ret; + + if (i2c->irq) { + ret = wait_event_timeout(i2c->wait, +@@ -90,10 +90,13 @@ static int i2c_pca_pf_waitforcompletion( + } else { + /* Do polling */ + timeout = jiffies + i2c->adap.timeout; +- while (((i2c->algo_data.read_byte(i2c, I2C_PCA_CON) +- & I2C_PCA_CON_SI) == 0) +- && (ret = time_before(jiffies, timeout))) ++ do { ++ ret = time_before(jiffies, timeout); ++ if (i2c->algo_data.read_byte(i2c, I2C_PCA_CON) ++ & I2C_PCA_CON_SI) ++ break; + udelay(100); ++ } while (ret); + } + + return ret > 0; diff --git a/queue-2.6.32/input-joydev-fix-jsiocsaxmap-ioctl.patch b/queue-2.6.32/input-joydev-fix-jsiocsaxmap-ioctl.patch new file mode 100644 index 00000000000..b9788a0c9c7 --- /dev/null +++ b/queue-2.6.32/input-joydev-fix-jsiocsaxmap-ioctl.patch @@ -0,0 +1,33 @@ +From d2520a426dc3033c00077e923a553fc6c98c7564 Mon Sep 17 00:00:00 2001 +From: Kenneth Waters +Date: Tue, 21 Sep 2010 00:58:23 -0700 +Subject: Input: joydev - fix JSIOCSAXMAP ioctl + +From: Kenneth Waters + +commit d2520a426dc3033c00077e923a553fc6c98c7564 upstream. + +Fixed JSIOCSAXMAP ioctl to update absmap, the map from hardware axis to +event axis in addition to abspam. This fixes a regression introduced +by 999b874f. + +Signed-off-by: Kenneth Waters +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/joydev.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/input/joydev.c ++++ b/drivers/input/joydev.c +@@ -481,6 +481,9 @@ static int joydev_handle_JSIOCSAXMAP(str + + memcpy(joydev->abspam, abspam, len); + ++ for (i = 0; i < joydev->nabs; i++) ++ joydev->absmap[joydev->abspam[i]] = i; ++ + out: + kfree(abspam); + return retval; diff --git a/queue-2.6.32/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch b/queue-2.6.32/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch new file mode 100644 index 00000000000..d49b6f1b8ea --- /dev/null +++ b/queue-2.6.32/ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch @@ -0,0 +1,33 @@ +From 1fc8a117865b54590acd773a55fbac9221b018f0 Mon Sep 17 00:00:00 2001 +From: Joel Becker +Date: Wed, 29 Sep 2010 17:33:05 -0700 +Subject: ocfs2: Don't walk off the end of fast symlinks. + +From: Joel Becker + +commit 1fc8a117865b54590acd773a55fbac9221b018f0 upstream. + +ocfs2 fast symlinks are NUL terminated strings stored inline in the +inode data area. However, disk corruption or a local attacker could, in +theory, remove that NUL. Because we're using strlen() (my fault, +introduced in a731d1 when removing vfs_follow_link()), we could walk off +the end of that string. + +Signed-off-by: Joel Becker +Signed-off-by: Greg Kroah-Hartman + +--- + fs/ocfs2/symlink.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/ocfs2/symlink.c ++++ b/fs/ocfs2/symlink.c +@@ -128,7 +128,7 @@ static void *ocfs2_fast_follow_link(stru + } + + /* Fast symlinks can't be large */ +- len = strlen(target); ++ len = strnlen(target, ocfs2_fast_symlink_chars(inode->i_sb)); + link = kzalloc(len + 1, GFP_NOFS); + if (!link) { + status = -ENOMEM; diff --git a/queue-2.6.32/ring-buffer-fix-typo-of-time-extends-per-page.patch b/queue-2.6.32/ring-buffer-fix-typo-of-time-extends-per-page.patch new file mode 100644 index 00000000000..ba2eb6c529e --- /dev/null +++ b/queue-2.6.32/ring-buffer-fix-typo-of-time-extends-per-page.patch @@ -0,0 +1,89 @@ +From d01343244abdedd18303d0323b518ed9cdcb1988 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Tue, 12 Oct 2010 12:06:43 -0400 +Subject: ring-buffer: Fix typo of time extends per page + +From: Steven Rostedt + +commit d01343244abdedd18303d0323b518ed9cdcb1988 upstream. + +Time stamps for the ring buffer are created by the difference between +two events. Each page of the ring buffer holds a full 64 bit timestamp. +Each event has a 27 bit delta stamp from the last event. The unit of time +is nanoseconds, so 27 bits can hold ~134 milliseconds. If two events +happen more than 134 milliseconds apart, a time extend is inserted +to add more bits for the delta. The time extend has 59 bits, which +is good for ~18 years. + +Currently the time extend is committed separately from the event. +If an event is discarded before it is committed, due to filtering, +the time extend still exists. If all events are being filtered, then +after ~134 milliseconds a new time extend will be added to the buffer. + +This can only happen till the end of the page. Since each page holds +a full timestamp, there is no reason to add a time extend to the +beginning of a page. Time extends can only fill a page that has actual +data at the beginning, so there is no fear that time extends will fill +more than a page without any data. + +When reading an event, a loop is made to skip over time extends +since they are only used to maintain the time stamp and are never +given to the caller. As a paranoid check to prevent the loop running +forever, with the knowledge that time extends may only fill a page, +a check is made that tests the iteration of the loop, and if the +iteration is more than the number of time extends that can fit in a page +a warning is printed and the ring buffer is disabled (all of ftrace +is also disabled with it). + +There is another event type that is called a TIMESTAMP which can +hold 64 bits of data in the theoretical case that two events happen +18 years apart. This code has not been implemented, but the name +of this event exists, as well as the structure for it. The +size of a TIMESTAMP is 16 bytes, where as a time extend is only +8 bytes. The macro used to calculate how many time extends can fit on +a page used the TIMESTAMP size instead of the time extend size +cutting the amount in half. + +The following test case can easily trigger the warning since we only +need to have half the page filled with time extends to trigger the +warning: + + # cd /sys/kernel/debug/tracing/ + # echo function > current_tracer + # echo 'common_pid < 0' > events/ftrace/function/filter + # echo > trace + # echo 1 > trace_marker + # sleep 120 + # cat trace + +Enabling the function tracer and then setting the filter to only trace +functions where the process id is negative (no events), then clearing +the trace buffer to ensure that we have nothing in the buffer, +then write to trace_marker to add an event to the beginning of a page, +sleep for 2 minutes (only 35 seconds is probably needed, but this +guarantees the bug), and then finally reading the trace which will +trigger the bug. + +This patch fixes the typo and prevents the false positive of that warning. + +Reported-by: Hans J. Koch +Tested-by: Hans J. Koch +Cc: Thomas Gleixner +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -389,7 +389,7 @@ static inline int test_time_stamp(u64 de + #define BUF_MAX_DATA_SIZE (BUF_PAGE_SIZE - (sizeof(u32) * 2)) + + /* Max number of timestamps that can fit on a page */ +-#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_STAMP) ++#define RB_TIMESTAMPS_PER_PAGE (BUF_PAGE_SIZE / RB_LEN_TIME_EXTEND) + + int ring_buffer_print_page_header(struct trace_seq *s) + { diff --git a/queue-2.6.32/series b/queue-2.6.32/series index 414561b95e0..6516864cba5 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -15,3 +15,20 @@ x86-amd-iommu-fix-rounding-bug-in-__unmap_single.patch x86-amd-iommu-work-around-s3-bios-bug.patch tracing-x86-don-t-use-mcount-in-pvclock.c.patch tracing-x86-don-t-use-mcount-in-kvmclock.c.patch +v4l1-fix-32-bit-compat-microcode-loading-translation.patch +v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch +v4l-dvb-13966-dvb-t-regression-fix-for-saa7134-cards.patch +input-joydev-fix-jsiocsaxmap-ioctl.patch +x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch +x86-irq-plug-memory-leak-in-sparse-irq.patch +ubd-fix-incorrect-sector-handling-during-request-restart.patch +ring-buffer-fix-typo-of-time-extends-per-page.patch +dmaengine-fix-interrupt-clearing-for-mv_xor.patch +hrtimer-preserve-timer-state-in-remove_hrtimer.patch +i2c-pca-fix-waitforcompletion-return-value.patch +ocfs2-don-t-walk-off-the-end-of-fast-symlinks.patch +wext-fix-potential-private-ioctl-memory-content-leak.patch +atl1-fix-resume.patch +x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch +de-pessimize-rds_page_copy_user.patch +drm-radeon-fix-pci-id-5657-to-be-an-rv410.patch diff --git a/queue-2.6.32/ubd-fix-incorrect-sector-handling-during-request-restart.patch b/queue-2.6.32/ubd-fix-incorrect-sector-handling-during-request-restart.patch new file mode 100644 index 00000000000..d899037aef7 --- /dev/null +++ b/queue-2.6.32/ubd-fix-incorrect-sector-handling-during-request-restart.patch @@ -0,0 +1,104 @@ +From 47526903feb52f4c26a6350370bdf74e337fcdb1 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Fri, 15 Oct 2010 12:56:21 +0200 +Subject: ubd: fix incorrect sector handling during request restart + +From: Tejun Heo + +commit 47526903feb52f4c26a6350370bdf74e337fcdb1 upstream. + +Commit f81f2f7c (ubd: drop unnecessary rq->sector manipulation) +dropped request->sector manipulation in preparation for global request +handling cleanup; unfortunately, it incorrectly assumed that the +updated sector wasn't being used. + +ubd tries to issue as many requests as possible to io_thread. When +issuing fails due to memory pressure or other reasons, the device is +put on the restart list and issuing stops. On IO completion, devices +on the restart list are scanned and IO issuing is restarted. + +ubd issues IOs sg-by-sg and issuing can be stopped in the middle of a +request, so each device on the restart queue needs to remember where +to restart in its current request. ubd needs to keep track of the +issue position itself because, + +* blk_rq_pos(req) is now updated by the block layer to keep track of + _completion_ position. + +* Multiple io_req's for the current request may be in flight, so it's + difficult to tell where blk_rq_pos(req) currently is. + +Add ubd->rq_pos to keep track of the issue position and use it to +correctly restart io_req issue. + +Signed-off-by: Tejun Heo +Reported-by: Richard Weinberger +Tested-by: Richard Weinberger +Tested-by: Chris Frey +Signed-off-by: Jens Axboe +Signed-off-by: Greg Kroah-Hartman + +--- + arch/um/drivers/ubd_kern.c | 9 +++++---- + 1 file changed, 5 insertions(+), 4 deletions(-) + +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -160,6 +160,7 @@ struct ubd { + struct scatterlist sg[MAX_SG]; + struct request *request; + int start_sg, end_sg; ++ sector_t rq_pos; + }; + + #define DEFAULT_COW { \ +@@ -184,6 +185,7 @@ struct ubd { + .request = NULL, \ + .start_sg = 0, \ + .end_sg = 0, \ ++ .rq_pos = 0, \ + } + + /* Protected by ubd_lock */ +@@ -1222,7 +1224,6 @@ static void do_ubd_request(struct reques + { + struct io_thread_req *io_req; + struct request *req; +- sector_t sector; + int n; + + while(1){ +@@ -1233,12 +1234,12 @@ static void do_ubd_request(struct reques + return; + + dev->request = req; ++ dev->rq_pos = blk_rq_pos(req); + dev->start_sg = 0; + dev->end_sg = blk_rq_map_sg(q, req, dev->sg); + } + + req = dev->request; +- sector = blk_rq_pos(req); + while(dev->start_sg < dev->end_sg){ + struct scatterlist *sg = &dev->sg[dev->start_sg]; + +@@ -1250,10 +1251,9 @@ static void do_ubd_request(struct reques + return; + } + prepare_request(req, io_req, +- (unsigned long long)sector << 9, ++ (unsigned long long)dev->rq_pos << 9, + sg->offset, sg->length, sg_page(sg)); + +- sector += sg->length >> 9; + n = os_write_file(thread_fd, &io_req, + sizeof(struct io_thread_req *)); + if(n != sizeof(struct io_thread_req *)){ +@@ -1266,6 +1266,7 @@ static void do_ubd_request(struct reques + return; + } + ++ dev->rq_pos += sg->length >> 9; + dev->start_sg++; + } + dev->end_sg = 0; diff --git a/queue-2.6.32/v4l-dvb-13966-dvb-t-regression-fix-for-saa7134-cards.patch b/queue-2.6.32/v4l-dvb-13966-dvb-t-regression-fix-for-saa7134-cards.patch new file mode 100644 index 00000000000..8e84dcae982 --- /dev/null +++ b/queue-2.6.32/v4l-dvb-13966-dvb-t-regression-fix-for-saa7134-cards.patch @@ -0,0 +1,70 @@ +From 08be64be3d1e5ecd72e7ba3147aea518e527f08e Mon Sep 17 00:00:00 2001 +From: Dmitri Belimov +Date: Fri, 8 Jan 2010 06:38:28 -0300 +Subject: V4L/DVB (13966): DVB-T regression fix for saa7134 cards + +From: Dmitri Belimov + +commit 08be64be3d1e5ecd72e7ba3147aea518e527f08e upstream. + +Some customers has problem with quality of DVB-T +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/446575 + +After this patch http://patchwork.kernel.org/patch/23345/ + +This is patch for fix regression with DVB-T. Tested with many people. + +Signed-off-by: Alexey Osipov +Signed-off-by: Beholder Intl. Ltd. Dmitry Belimov +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/saa7134/saa7134-core.c | 13 ------------- + drivers/media/video/saa7134/saa7134-ts.c | 13 +++++++++++++ + 2 files changed, 13 insertions(+), 13 deletions(-) + +--- a/drivers/media/video/saa7134/saa7134-core.c ++++ b/drivers/media/video/saa7134/saa7134-core.c +@@ -420,19 +420,6 @@ int saa7134_set_dmabits(struct saa7134_d + ctrl |= SAA7134_MAIN_CTRL_TE5; + irq |= SAA7134_IRQ1_INTE_RA2_1 | + SAA7134_IRQ1_INTE_RA2_0; +- +- /* dma: setup channel 5 (= TS) */ +- +- saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff); +- saa_writeb(SAA7134_TS_DMA1, +- ((dev->ts.nr_packets - 1) >> 8) & 0xff); +- /* TSNOPIT=0, TSCOLAP=0 */ +- saa_writeb(SAA7134_TS_DMA2, +- (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00); +- saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE); +- saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 | +- SAA7134_RS_CONTROL_ME | +- (dev->ts.pt_ts.dma >> 12)); + } + + /* set task conditions + field handling */ +--- a/drivers/media/video/saa7134/saa7134-ts.c ++++ b/drivers/media/video/saa7134/saa7134-ts.c +@@ -250,6 +250,19 @@ int saa7134_ts_start(struct saa7134_dev + + BUG_ON(dev->ts_started); + ++ /* dma: setup channel 5 (= TS) */ ++ saa_writeb(SAA7134_TS_DMA0, (dev->ts.nr_packets - 1) & 0xff); ++ saa_writeb(SAA7134_TS_DMA1, ++ ((dev->ts.nr_packets - 1) >> 8) & 0xff); ++ /* TSNOPIT=0, TSCOLAP=0 */ ++ saa_writeb(SAA7134_TS_DMA2, ++ (((dev->ts.nr_packets - 1) >> 16) & 0x3f) | 0x00); ++ saa_writel(SAA7134_RS_PITCH(5), TS_PACKET_SIZE); ++ saa_writel(SAA7134_RS_CONTROL(5), SAA7134_RS_CONTROL_BURST_16 | ++ SAA7134_RS_CONTROL_ME | ++ (dev->ts.pt_ts.dma >> 12)); ++ ++ /* reset hardware TS buffers */ + saa_writeb(SAA7134_TS_SERIAL1, 0x00); + saa_writeb(SAA7134_TS_SERIAL1, 0x03); + saa_writeb(SAA7134_TS_SERIAL1, 0x00); diff --git a/queue-2.6.32/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch b/queue-2.6.32/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch new file mode 100644 index 00000000000..0b5d8ed00b8 --- /dev/null +++ b/queue-2.6.32/v4l-dvb-cx231xx-avoid-an-oops-when-card-is-unknown-card-0.patch @@ -0,0 +1,53 @@ +From c10469c637602c2385e2993d8c730cc44fd47d23 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab +Date: Sat, 11 Sep 2010 11:37:51 -0300 +Subject: V4L/DVB: cx231xx: Avoid an OOPS when card is unknown (card=0) + +From: Mauro Carvalho Chehab + +commit c10469c637602c2385e2993d8c730cc44fd47d23 upstream. + +As reported by: Carlos Americo Domiciano : + +[ 220.033500] cx231xx v4l2 driver loaded. +[ 220.033571] cx231xx #0: New device Conexant Corporation Polaris AV Capturb @ 480 Mbps (1554:5010) with 6 interfaces +[ 220.033577] cx231xx #0: registering interface 0 +[ 220.033591] cx231xx #0: registering interface 1 +[ 220.033654] cx231xx #0: registering interface 6 +[ 220.033910] cx231xx #0: Identified as Unknown CX231xx video grabber (card=0) +[ 220.033946] BUG: unable to handle kernel NULL pointer dereference at (null) +[ 220.033955] IP: [] cx231xx_pre_card_setup+0x5d/0xb0 [cx231xx] + +Thanks-to: Carlos Americo Domiciano +Signed-off-by: Mauro Carvalho Chehab +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/cx231xx/cx231xx-cards.c | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + +--- a/drivers/media/video/cx231xx/cx231xx-cards.c ++++ b/drivers/media/video/cx231xx/cx231xx-cards.c +@@ -225,14 +225,16 @@ void cx231xx_pre_card_setup(struct cx231 + dev->board.name, dev->model); + + /* set the direction for GPIO pins */ +- cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); +- cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); ++ if (dev->board.tuner_gpio) { ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_value(dev, dev->board.tuner_gpio->bit, 1); ++ cx231xx_set_gpio_direction(dev, dev->board.tuner_sif_gpio, 1); + +- /* request some modules if any required */ ++ /* request some modules if any required */ + +- /* reset the Tuner */ +- cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ /* reset the Tuner */ ++ cx231xx_gpio_set(dev, dev->board.tuner_gpio); ++ } + + /* set the mode to Analog mode initially */ + cx231xx_set_mode(dev, CX231XX_ANALOG_MODE); diff --git a/queue-2.6.32/v4l1-fix-32-bit-compat-microcode-loading-translation.patch b/queue-2.6.32/v4l1-fix-32-bit-compat-microcode-loading-translation.patch new file mode 100644 index 00000000000..d1e78978660 --- /dev/null +++ b/queue-2.6.32/v4l1-fix-32-bit-compat-microcode-loading-translation.patch @@ -0,0 +1,88 @@ +From 3e645d6b485446c54c6745c5e2cf5c528fe4deec Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Fri, 15 Oct 2010 11:12:38 -0700 +Subject: v4l1: fix 32-bit compat microcode loading translation + +From: Linus Torvalds + +commit 3e645d6b485446c54c6745c5e2cf5c528fe4deec upstream. + +The compat code for the VIDIOCSMICROCODE ioctl is totally buggered. +It's only used by the VIDEO_STRADIS driver, and that one is scheduled to +staging and eventually removed unless somebody steps up to maintain it +(at which point it should use request_firmware() rather than some magic +ioctl). So we'll get rid of it eventually. + +But in the meantime, the compatibility ioctl code is broken, and this +tries to get it to at least limp along (even if Mauro suggested just +deleting it entirely, which may be the right thing to do - I don't think +the compatibility translation code has ever worked unless you were very +lucky). + +Reported-by: Kees Cook +Cc: Mauro Carvalho Chehab +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/media/video/v4l2-compat-ioctl32.c | 32 +++++++++++++++++++----------- + 1 file changed, 21 insertions(+), 11 deletions(-) + +--- a/drivers/media/video/v4l2-compat-ioctl32.c ++++ b/drivers/media/video/v4l2-compat-ioctl32.c +@@ -193,17 +193,24 @@ static int put_video_window32(struct vid + struct video_code32 { + char loadwhat[16]; /* name or tag of file being passed */ + compat_int_t datasize; +- unsigned char *data; ++ compat_uptr_t data; + }; + +-static int get_microcode32(struct video_code *kp, struct video_code32 __user *up) ++static struct video_code __user *get_microcode32(struct video_code32 *kp) + { +- if (!access_ok(VERIFY_READ, up, sizeof(struct video_code32)) || +- copy_from_user(kp->loadwhat, up->loadwhat, sizeof(up->loadwhat)) || +- get_user(kp->datasize, &up->datasize) || +- copy_from_user(kp->data, up->data, up->datasize)) +- return -EFAULT; +- return 0; ++ struct video_code __user *up; ++ ++ up = compat_alloc_user_space(sizeof(*up)); ++ ++ /* ++ * NOTE! We don't actually care if these fail. If the ++ * user address is invalid, the native ioctl will do ++ * the error handling for us ++ */ ++ (void) copy_to_user(up->loadwhat, kp->loadwhat, sizeof(up->loadwhat)); ++ (void) put_user(kp->datasize, &up->datasize); ++ (void) put_user(compat_ptr(kp->data), &up->data); ++ return up; + } + + #define VIDIOCGTUNER32 _IOWR('v', 4, struct video_tuner32) +@@ -741,7 +748,7 @@ static long do_video_ioctl(struct file * + struct video_tuner vt; + struct video_buffer vb; + struct video_window vw; +- struct video_code vc; ++ struct video_code32 vc; + struct video_audio va; + #endif + struct v4l2_format v2f; +@@ -820,8 +827,11 @@ static long do_video_ioctl(struct file * + break; + + case VIDIOCSMICROCODE: +- err = get_microcode32(&karg.vc, up); +- compatible_arg = 0; ++ /* Copy the 32-bit "video_code32" to kernel space */ ++ if (copy_from_user(&karg.vc, up, sizeof(karg.vc))) ++ return -EFAULT; ++ /* Convert the 32-bit version to a 64-bit version in user space */ ++ up = get_microcode32(&karg.vc); + break; + + case VIDIOCSFREQ: diff --git a/queue-2.6.32/wext-fix-potential-private-ioctl-memory-content-leak.patch b/queue-2.6.32/wext-fix-potential-private-ioctl-memory-content-leak.patch new file mode 100644 index 00000000000..2d35ee0ba0d --- /dev/null +++ b/queue-2.6.32/wext-fix-potential-private-ioctl-memory-content-leak.patch @@ -0,0 +1,39 @@ +From df6d02300f7c2fbd0fbe626d819c8e5237d72c62 Mon Sep 17 00:00:00 2001 +From: Johannes Berg +Date: Fri, 17 Sep 2010 00:38:25 +0200 +Subject: wext: fix potential private ioctl memory content leak + +From: Johannes Berg + +commit df6d02300f7c2fbd0fbe626d819c8e5237d72c62 upstream. + +When a driver doesn't fill the entire buffer, old +heap contents may remain, and if it also doesn't +update the length properly, this old heap content +will be copied back to userspace. + +It is very unlikely that this happens in any of +the drivers using private ioctls since it would +show up as junk being reported by iwpriv, but it +seems better to be safe here, so use kzalloc. + +Reported-by: Jeff Mahoney +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/wext.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/wireless/wext.c ++++ b/net/wireless/wext.c +@@ -1029,7 +1029,7 @@ static int ioctl_private_iw_point(struct + } else if (!iwp->pointer) + return -EFAULT; + +- extra = kmalloc(extra_size, GFP_KERNEL); ++ extra = kzalloc(extra_size, GFP_KERNEL); + if (!extra) + return -ENOMEM; + diff --git a/queue-2.6.32/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch b/queue-2.6.32/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch new file mode 100644 index 00000000000..b01fbc8758f --- /dev/null +++ b/queue-2.6.32/x86-amd-mce-thresholding-fix-the-mci_miscj-iteration-order.patch @@ -0,0 +1,61 @@ +From 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 Mon Sep 17 00:00:00 2001 +From: Borislav Petkov +Date: Fri, 8 Oct 2010 12:08:34 +0200 +Subject: x86, AMD, MCE thresholding: Fix the MCi_MISCj iteration order + +From: Borislav Petkov + +commit 6dcbfe4f0b4e17e289d56fa534b7ce5a6b7f63a3 upstream. + +This fixes possible cases of not collecting valid error info in +the MCE error thresholding groups on F10h hardware. + +The current code contains a subtle problem of checking only the +Valid bit of MSR0000_0413 (which is MC4_MISC0 - DRAM +thresholding group) in its first iteration and breaking out if +the bit is cleared. + +But (!), this MSR contains an offset value, BlkPtr[31:24], which +points to the remaining MSRs in this thresholding group which +might contain valid information too. But if we bail out only +after we checked the valid bit in the first MSR and not the +block pointer too, we miss that other information. + +The thing is, MC4_MISC0[BlkPtr] is not predicated on +MCi_STATUS[MiscV] or MC4_MISC0[Valid] and should be checked +prior to iterating over the MCI_MISCj thresholding group, +irrespective of the MC4_MISC0[Valid] setting. + +Signed-off-by: Borislav Petkov +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/mcheck/mce_amd.c | 9 +++------ + 1 file changed, 3 insertions(+), 6 deletions(-) + +--- a/arch/x86/kernel/cpu/mcheck/mce_amd.c ++++ b/arch/x86/kernel/cpu/mcheck/mce_amd.c +@@ -140,6 +140,7 @@ void mce_amd_feature_init(struct cpuinfo + address = (low & MASK_BLKPTR_LO) >> 21; + if (!address) + break; ++ + address += MCG_XBLK_ADDR; + } else + ++address; +@@ -147,12 +148,8 @@ void mce_amd_feature_init(struct cpuinfo + if (rdmsr_safe(address, &low, &high)) + break; + +- if (!(high & MASK_VALID_HI)) { +- if (block) +- continue; +- else +- break; +- } ++ if (!(high & MASK_VALID_HI)) ++ continue; + + if (!(high & MASK_CNTP_HI) || + (high & MASK_LOCKED_HI)) diff --git a/queue-2.6.32/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch b/queue-2.6.32/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch new file mode 100644 index 00000000000..edb9a0366f1 --- /dev/null +++ b/queue-2.6.32/x86-hpet-fix-bogus-error-check-in-hpet_assign_irq.patch @@ -0,0 +1,35 @@ +From 021989622810b02aab4b24f91e1f5ada2b654579 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 28 Sep 2010 23:20:23 +0200 +Subject: x86, hpet: Fix bogus error check in hpet_assign_irq() + +From: Thomas Gleixner + +commit 021989622810b02aab4b24f91e1f5ada2b654579 upstream. + +create_irq() returns -1 if the interrupt allocation failed, but the +code checks for irq == 0. + +Use create_irq_nr() instead. + +Signed-off-by: Thomas Gleixner +Cc: Venkatesh Pallipadi +LKML-Reference: +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/hpet.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -497,7 +497,7 @@ static int hpet_assign_irq(struct hpet_d + { + unsigned int irq; + +- irq = create_irq(); ++ irq = create_irq_nr(0, -1); + if (!irq) + return -EINVAL; + diff --git a/queue-2.6.32/x86-irq-plug-memory-leak-in-sparse-irq.patch b/queue-2.6.32/x86-irq-plug-memory-leak-in-sparse-irq.patch new file mode 100644 index 00000000000..d7b05d79802 --- /dev/null +++ b/queue-2.6.32/x86-irq-plug-memory-leak-in-sparse-irq.patch @@ -0,0 +1,51 @@ +From 1cf180c94e9166cda083ff65333883ab3648e852 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner +Date: Tue, 28 Sep 2010 20:57:19 +0200 +Subject: x86, irq: Plug memory leak in sparse irq + +From: Thomas Gleixner + +commit 1cf180c94e9166cda083ff65333883ab3648e852 upstream. + +free_irq_cfg() is not freeing the cpumask_vars in irq_cfg. Fixing this +triggers a use after free caused by the fact that copying struct +irq_cfg is done with memcpy, which copies the pointer not the cpumask. + +Fix both places. + +Signed-off-by: Thomas Gleixner +Cc: Yinghai Lu +LKML-Reference: +Signed-off-by: Thomas Gleixner +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/apic/io_apic.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/arch/x86/kernel/apic/io_apic.c ++++ b/arch/x86/kernel/apic/io_apic.c +@@ -332,14 +332,19 @@ void arch_init_copy_chip_data(struct irq + + old_cfg = old_desc->chip_data; + +- memcpy(cfg, old_cfg, sizeof(struct irq_cfg)); ++ cfg->vector = old_cfg->vector; ++ cfg->move_in_progress = old_cfg->move_in_progress; ++ cpumask_copy(cfg->domain, old_cfg->domain); ++ cpumask_copy(cfg->old_domain, old_cfg->old_domain); + + init_copy_irq_2_pin(old_cfg, cfg, node); + } + +-static void free_irq_cfg(struct irq_cfg *old_cfg) ++static void free_irq_cfg(struct irq_cfg *cfg) + { +- kfree(old_cfg); ++ free_cpumask_var(cfg->domain); ++ free_cpumask_var(cfg->old_domain); ++ kfree(cfg); + } + + void arch_free_chip_data(struct irq_desc *old_desc, struct irq_desc *desc)