From 48aa1fbe0cab8e97c6e8f3ddb38dda281a9629b9 Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Thu, 18 Mar 2010 14:42:33 -0700 Subject: [PATCH] start .33 queue --- ...lements-of-secondary-adcs-on-realtek.patch | 61 ++++++ ...-fallout-on-a-asus-mobo-nvidia-mcp55.patch | 33 +++ ...r-s-kernel-size-estimation-for-rom-y.patch | 205 ++++++++++++++++++ ...-use-external-sleep-clock-in-ap-mode.patch | 39 ++++ .../ath5k-fix-i-q-calibration-for-real.patch | 114 ++++++++++ .../ath5k-fix-setup-for-cab-queue.patch | 101 +++++++++ ...ompress-fix-new-decompressor-for-pic.patch | 46 ++++ ...ers-scsi-ses.c-eliminate-double-free.patch | 61 ++++++ ...h-init-curr_ret_stack-with-ret_stack.patch | 48 ++++ ...ints-remove-stub-unthrottle-callback.patch | 52 +++++ ...he-block-buffer-for-i2c-block-writes.patch | 38 ++++ ...erbose-in-the-absence-of-real-errors.patch | 62 ++++++ ...he-touchpad-on-toshiba-tecra-a11-11l.patch | 28 +++ ...n-netbook-e1222-to-qurik-reset-table.patch | 37 ++++ ...11-fix-ht-rate-control-configuration.patch | 98 +++++++++ ...d-check-into-preempt-disable-section.patch | 60 +++++ queue-2.6.33/series | 24 ++ ...ssing-wrong-pointer-to-tg3_interrupt.patch | 39 ++++ ...ing-prevent-oops-when-generic_time-n.patch | 44 ++++ ...hing-when-starting-or-stopping-trace.patch | 85 ++++++++ ...rd-user-stack-trace-from-nmi-context.patch | 93 ++++++++ ...-warning-in-s_next-of-trace-file-ops.patch | 46 ++++ ...iable-when-resetting-the-ring-buffer.patch | 66 ++++++ ...don-t-dereference-bad-frame-pointers.patch | 64 ++++++ ...el-2m-mappings-when-using-4k-already.patch | 74 +++++++ 25 files changed, 1618 insertions(+) create mode 100644 queue-2.6.33/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch create mode 100644 queue-2.6.33/alsa-hda-sound-msi-fallout-on-a-asus-mobo-nvidia-mcp55.patch create mode 100644 queue-2.6.33/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch create mode 100644 queue-2.6.33/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch create mode 100644 
queue-2.6.33/ath5k-fix-i-q-calibration-for-real.patch create mode 100644 queue-2.6.33/ath5k-fix-setup-for-cab-queue.patch create mode 100644 queue-2.6.33/decompress-fix-new-decompressor-for-pic.patch create mode 100644 queue-2.6.33/drivers-scsi-ses.c-eliminate-double-free.patch create mode 100644 queue-2.6.33/function-graph-init-curr_ret_stack-with-ret_stack.patch create mode 100644 queue-2.6.33/hw-breakpoints-remove-stub-unthrottle-callback.patch create mode 100644 queue-2.6.33/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch create mode 100644 queue-2.6.33/i2c-powermac-be-less-verbose-in-the-absence-of-real-errors.patch create mode 100644 queue-2.6.33/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch create mode 100644 queue-2.6.33/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch create mode 100644 queue-2.6.33/mac80211-fix-ht-rate-control-configuration.patch create mode 100644 queue-2.6.33/ring-buffer-move-disabled-check-into-preempt-disable-section.patch create mode 100644 queue-2.6.33/series create mode 100644 queue-2.6.33/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch create mode 100644 queue-2.6.33/timekeeping-prevent-oops-when-generic_time-n.patch create mode 100644 queue-2.6.33/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch create mode 100644 queue-2.6.33/tracing-do-not-record-user-stack-trace-from-nmi-context.patch create mode 100644 queue-2.6.33/tracing-fix-warning-in-s_next-of-trace-file-ops.patch create mode 100644 queue-2.6.33/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch create mode 100644 queue-2.6.33/x86-stacktrace-don-t-dereference-bad-frame-pointers.patch create mode 100644 queue-2.6.33/x86_64-cpa-don-t-work-hard-in-preserving-kernel-2m-mappings-when-using-4k-already.patch 
diff --git a/queue-2.6.33/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch b/queue-2.6.33/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch
new file mode 100644
index 00000000000..6a286f9a8c7
--- /dev/null
+++ b/queue-2.6.33/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch
@@ -0,0 +1,61 @@
+From 5311114d4867113c00f78829d4ce14be458ec925 Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Mon, 8 Mar 2010 12:13:07 +0100
+Subject: ALSA: hda - Fix input source elements of secondary ADCs on Realtek
+
+From: Takashi Iwai
+
+commit 5311114d4867113c00f78829d4ce14be458ec925 upstream.
+
+Since alc_auto_create_input_ctls() doesn't set the elements for the
+secondary ADCs, "Input Source" elemtns for these also get empty, resulting
+in buggy outputs of alsactl like:
+ control.14 {
+ comment.access 'read write'
+ comment.type ENUMERATED
+ comment.count 1
+ iface MIXER
+ name 'Input Source'
+ index 1
+ value 0
+ }
+
+This patch fixes alc_mux_enum_*() (and others) to fall back to the
+first entry if the secondary input mux is empty.
+
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_realtek.c | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+--- a/sound/pci/hda/patch_realtek.c
++++ b/sound/pci/hda/patch_realtek.c
+@@ -407,6 +407,8 @@ static int alc_mux_enum_info(struct snd_
+ unsigned int mux_idx = snd_ctl_get_ioffidx(kcontrol, &uinfo->id);
+ if (mux_idx >= spec->num_mux_defs)
+ mux_idx = 0;
++ if (!spec->input_mux[mux_idx].num_items && mux_idx > 0)
++ mux_idx = 0;
+ return snd_hda_input_mux_info(&spec->input_mux[mux_idx], uinfo);
+ }
+
+@@ -435,6 +437,8 @@ static int alc_mux_enum_put(struct snd_k
+
+ mux_idx = adc_idx >= spec->num_mux_defs ? 0 : adc_idx;
+ imux = &spec->input_mux[mux_idx];
++ if (!imux->num_items && mux_idx > 0)
++ imux = &spec->input_mux[0];
+
+ type = get_wcaps_type(get_wcaps(codec, nid));
+ if (type == AC_WID_AUD_MIX) {
+@@ -9941,6 +9945,8 @@ static void alc882_auto_init_input_src(s
+ continue;
+ mux_idx = c >= spec->num_mux_defs ? 0 : c;
+ imux = &spec->input_mux[mux_idx];
++ if (!imux->num_items && mux_idx > 0)
++ imux = &spec->input_mux[0];
+ for (idx = 0; idx < conns; idx++) {
+ /* if the current connection is the selected one,
+ * unmute it as default - otherwise mute it
diff --git a/queue-2.6.33/alsa-hda-sound-msi-fallout-on-a-asus-mobo-nvidia-mcp55.patch b/queue-2.6.33/alsa-hda-sound-msi-fallout-on-a-asus-mobo-nvidia-mcp55.patch
new file mode 100644
index 00000000000..fd64de1d30f
--- /dev/null
+++ b/queue-2.6.33/alsa-hda-sound-msi-fallout-on-a-asus-mobo-nvidia-mcp55.patch
@@ -0,0 +1,33 @@
+From ecd216260f87dd8c14b2580a16f055554644bbea Mon Sep 17 00:00:00 2001
+From: Ralf Gerbig
+Date: Tue, 9 Mar 2010 18:25:47 +0100
+Subject: ALSA: hda - Sound MSI fallout on a Asus mobo NVIDIA MCP55
+
+From: Ralf Gerbig
+
+commit ecd216260f87dd8c14b2580a16f055554644bbea upstream.
+
+without the following patch audio ssttuutteerrs on
+ASUS M2N32-SLI PREMIUM ACPI BIOS Revision 1304
+the sound device is:
+00:0e.1 Audio device: nVidia Corporation MCP55 High Definition Audio (rev a2)
+worked with 2.6.32
+
+Signed-off-by: Ralf Gerbig
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2354,6 +2354,7 @@ static void __devinit check_probe_mask(s
+ static struct snd_pci_quirk msi_black_list[] __devinitdata = {
+ SND_PCI_QUIRK(0x1043, 0x81f2, "ASUS", 0), /* Athlon64 X2 + nvidia */
+ SND_PCI_QUIRK(0x1043, 0x81f6, "ASUS", 0), /* nvidia */
++ SND_PCI_QUIRK(0x1043, 0x822d, "ASUS", 0), /* Athlon64 X2 + nvidia MCP55 */
+ {}
+ };
+
diff --git a/queue-2.6.33/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch b/queue-2.6.33/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch
new file mode 100644
index 00000000000..1be85a74eb9
--- /dev/null
+++ b/queue-2.6.33/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch
@@ -0,0 +1,205 @@ +From 98e12b5a6e05413420a7e3b3eca7fbfc2ff41b6d Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 25 Feb 2010 23:56:38 +0000 +Subject: ARM: Fix decompressor's kernel size estimation for ROM=y + +From: Russell King + +commit 98e12b5a6e05413420a7e3b3eca7fbfc2ff41b6d upstream. + +Commit 2552fc2 changed the way the decompressor decides if it is safe +to decompress the kernel directly to its final location. Unfortunately, +it took the top of the compressed data as being the stack pointer, +which it is for ROM=n cases. However, for ROM=y, the stack pointer +is not relevant, and results in the wrong answer. + +Fix this by explicitly storing the end of the biggybacked data in the +decompressor, and use that to calculate the compressed image size. + +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/compressed/head.S | 50 ++++++++++++++------------------ + arch/arm/boot/compressed/vmlinux.lds.in | 3 + + 2 files changed, 26 insertions(+), 27 deletions(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -170,8 +170,8 @@ not_angel: + + .text + adr r0, LC0 +- ARM( ldmia r0, {r1, r2, r3, r4, r5, r6, ip, sp} ) +- THUMB( ldmia r0, {r1, r2, r3, r4, r5, r6, ip} ) ++ ARM( ldmia r0, {r1, r2, r3, r4, r5, r6, r11, ip, sp}) ++ THUMB( ldmia r0, {r1, r2, r3, r4, r5, r6, r11, ip} ) + THUMB( ldr sp, [r0, #28] ) + subs r0, r0, r1 @ calculate the delta offset + +@@ -182,12 +182,13 @@ not_angel: + /* + * We're running at a different address. We need to fix + * up various pointers: +- * r5 - zImage base address +- * r6 - GOT start ++ * r5 - zImage base address (_start) ++ * r6 - size of decompressed image ++ * r11 - GOT start + * ip - GOT end + */ + add r5, r5, r0 +- add r6, r6, r0 ++ add r11, r11, r0 + add ip, ip, r0 + + #ifndef CONFIG_ZBOOT_ROM +@@ -205,10 +206,10 @@ not_angel: + /* + * Relocate all entries in the GOT table. 
+ */ +-1: ldr r1, [r6, #0] @ relocate entries in the GOT ++1: ldr r1, [r11, #0] @ relocate entries in the GOT + add r1, r1, r0 @ table. This fixes up the +- str r1, [r6], #4 @ C references. +- cmp r6, ip ++ str r1, [r11], #4 @ C references. ++ cmp r11, ip + blo 1b + #else + +@@ -216,12 +217,12 @@ not_angel: + * Relocate entries in the GOT table. We only relocate + * the entries that are outside the (relocated) BSS region. + */ +-1: ldr r1, [r6, #0] @ relocate entries in the GOT ++1: ldr r1, [r11, #0] @ relocate entries in the GOT + cmp r1, r2 @ entry < bss_start || + cmphs r3, r1 @ _end < entry + addlo r1, r1, r0 @ table. This fixes up the +- str r1, [r6], #4 @ C references. +- cmp r6, ip ++ str r1, [r11], #4 @ C references. ++ cmp r11, ip + blo 1b + #endif + +@@ -247,6 +248,7 @@ not_relocated: mov r0, #0 + * Check to see if we will overwrite ourselves. + * r4 = final kernel address + * r5 = start of this image ++ * r6 = size of decompressed image + * r2 = end of malloc space (and therefore this image) + * We basically want: + * r4 >= r2 -> OK +@@ -254,8 +256,7 @@ not_relocated: mov r0, #0 + */ + cmp r4, r2 + bhs wont_overwrite +- sub r3, sp, r5 @ > compressed kernel size +- add r0, r4, r3, lsl #2 @ allow for 4x expansion ++ add r0, r4, r6 + cmp r0, r5 + bls wont_overwrite + +@@ -271,7 +272,6 @@ not_relocated: mov r0, #0 + * r1-r3 = unused + * r4 = kernel execution address + * r5 = decompressed kernel start +- * r6 = processor ID + * r7 = architecture ID + * r8 = atags pointer + * r9-r12,r14 = corrupted +@@ -312,7 +312,8 @@ LC0: .word LC0 @ r1 + .word _end @ r3 + .word zreladdr @ r4 + .word _start @ r5 +- .word _got_start @ r6 ++ .word _image_size @ r6 ++ .word _got_start @ r11 + .word _got_end @ ip + .word user_stack+4096 @ sp + LC1: .word reloc_end - reloc_start +@@ -336,7 +337,6 @@ params: ldr r0, =params_phys + * + * On entry, + * r4 = kernel execution address +- * r6 = processor ID + * r7 = architecture number + * r8 = atags pointer + * r9 = run-time address 
of "start" (???) +@@ -542,7 +542,6 @@ __common_mmu_cache_on: + * r1-r3 = unused + * r4 = kernel execution address + * r5 = decompressed kernel start +- * r6 = processor ID + * r7 = architecture ID + * r8 = atags pointer + * r9-r12,r14 = corrupted +@@ -581,19 +580,19 @@ call_kernel: bl cache_clean_flush + * r1 = corrupted + * r2 = corrupted + * r3 = block offset +- * r6 = corrupted ++ * r9 = corrupted + * r12 = corrupted + */ + + call_cache_fn: adr r12, proc_types + #ifdef CONFIG_CPU_CP15 +- mrc p15, 0, r6, c0, c0 @ get processor ID ++ mrc p15, 0, r9, c0, c0 @ get processor ID + #else +- ldr r6, =CONFIG_PROCESSOR_ID ++ ldr r9, =CONFIG_PROCESSOR_ID + #endif + 1: ldr r1, [r12, #0] @ get value + ldr r2, [r12, #4] @ get mask +- eor r1, r1, r6 @ (real ^ match) ++ eor r1, r1, r9 @ (real ^ match) + tst r1, r2 @ & mask + ARM( addeq pc, r12, r3 ) @ call cache function + THUMB( addeq r12, r3 ) +@@ -778,8 +777,7 @@ proc_types: + * Turn off the Cache and MMU. ARMv3 does not support + * reading the control register, but ARMv4 does. + * +- * On entry, r6 = processor ID +- * On exit, r0, r1, r2, r3, r12 corrupted ++ * On exit, r0, r1, r2, r3, r9, r12 corrupted + * This routine must preserve: r4, r6, r7 + */ + .align 5 +@@ -852,10 +850,8 @@ __armv3_mmu_cache_off: + /* + * Clean and flush the cache to maintain consistency. + * +- * On entry, +- * r6 = processor ID + * On exit, +- * r1, r2, r3, r11, r12 corrupted ++ * r1, r2, r3, r9, r11, r12 corrupted + * This routine must preserve: + * r0, r4, r5, r6, r7 + */ +@@ -967,7 +963,7 @@ __armv4_mmu_cache_flush: + mov r2, #64*1024 @ default: 32K dcache size (*2) + mov r11, #32 @ default: 32 byte line size + mrc p15, 0, r3, c0, c0, 1 @ read cache type +- teq r3, r6 @ cache ID register present? ++ teq r3, r9 @ cache ID register present? 
+ beq no_cache_id + mov r1, r3, lsr #18 + and r1, r1, #7 +--- a/arch/arm/boot/compressed/vmlinux.lds.in ++++ b/arch/arm/boot/compressed/vmlinux.lds.in +@@ -36,6 +36,9 @@ SECTIONS + + _etext = .; + ++ /* Assume size of decompressed image is 4x the compressed image */ ++ _image_size = (_etext - _text) * 4; ++ + _got_start = .; + .got : { *(.got) } + _got_end = .; diff --git a/queue-2.6.33/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch b/queue-2.6.33/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch new file mode 100644 index 00000000000..91a7e2ea8d0 --- /dev/null +++ b/queue-2.6.33/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch @@ -0,0 +1,39 @@ +From 5d6ce628f986d1a3c523cbb0a5a52095c48cc332 Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Wed, 20 Jan 2010 23:51:03 -0500 +Subject: ath5k: dont use external sleep clock in AP mode + +From: Bob Copeland + +commit 5d6ce628f986d1a3c523cbb0a5a52095c48cc332 upstream. + +When using the external sleep clock in AP mode, the +TSF increments too quickly, causing beacon interval +to be much lower than it is supposed to be, resulting +in lots of beacon-not-ready interrupts. + +This fixes http://bugzilla.kernel.org/show_bug.cgi?id=14802. + +Signed-off-by: Bob Copeland +Acked-by: Nick Kossifidis +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/reset.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/reset.c ++++ b/drivers/net/wireless/ath/ath5k/reset.c +@@ -1371,8 +1371,9 @@ int ath5k_hw_reset(struct ath5k_hw *ah, + * Set clocks to 32KHz operation and use an + * external 32KHz crystal when sleeping if one + * exists */ +- if (ah->ah_version == AR5K_AR5212) +- ath5k_hw_set_sleep_clock(ah, true); ++ if (ah->ah_version == AR5K_AR5212 && ++ ah->ah_op_mode != NL80211_IFTYPE_AP) ++ ath5k_hw_set_sleep_clock(ah, true); + + /* + * Disable beacons and reset the register 
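Review bot: The overwrite check in head.S (`add r0, r4, r6` / `cmp r0, r5` / `bls wont_overwrite`) now depends entirely on `_image_size`, which the vmlinux.lds.in hunk defines as `(_etext - _text) * 4`, so it is a fixed 4x estimate and not a measured size. If an image ever expands by more than that factor, the check would presumably report "won't overwrite" while the decompressed kernel still reaches the running decompressor; the patch carries this assumption over from the old `lsl #2` code rather than removing it. The register comments say only "size of decompressed image", so I would state the estimate at the check itself, e.g. `@ r6 = _image_size: 4x estimate from vmlinux.lds.in, not the real decompressed size`. The routines around these hunks start and end outside the visible lines.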
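Review bot: The comment above the changed condition in ath5k_hw_reset() still reads "use an external 32KHz crystal when sleeping if one exists" and does not say why AP mode is now excluded. A short addition such as `/* not in AP mode: the external sleep clock makes the TSF run fast and shortens the beacon interval */` would keep the reason next to the test. The condition checks only `NL80211_IFTYPE_AP`; whether other beaconing modes (mesh point, ad-hoc) are affected by the same TSF drift cannot be told from this hunk and is worth confirming. The function body continues outside the hunk.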
diff --git a/queue-2.6.33/ath5k-fix-i-q-calibration-for-real.patch b/queue-2.6.33/ath5k-fix-i-q-calibration-for-real.patch
new file mode 100644
index 00000000000..8dc2a7ddfd1
--- /dev/null
+++ b/queue-2.6.33/ath5k-fix-i-q-calibration-for-real.patch
@@ -0,0 +1,114 @@ +From 86415d43efd4f7093979cfa8a80232114266f1a4 Mon Sep 17 00:00:00 2001 +From: Bruno Randolf +Date: Tue, 9 Mar 2010 16:56:05 +0900 +Subject: ath5k: fix I/Q calibration (for real) + +From: Bruno Randolf + +commit 86415d43efd4f7093979cfa8a80232114266f1a4 upstream. + +I/Q calibration was completely broken, resulting in a high number of CRC errors +on received packets. before i could see around 10% to 20% CRC errors, with this +patch they are between 0% and 3%. + +1.) the removal of the mask in commit "ath5k: Fix I/Q calibration +(f1cf2dbd0f798b71b1590e7aca6647f2caef1649)" resulted in no mask beeing used +when writing the I/Q values into the register. additional errors in the +calculation of the values (see 2.) resulted too high numbers, exceeding the +masks, so wrong values like 0xfffffffe were written. to be safe we should +always use the bitmask when writing parts of a register. + +2.) using a (s32) cast for q_coff is a wrong conversion to signed, since we +convert to a signed value later by substracting 128. this resulted in too low +numbers for Q many times, which were limited to -16 by the boundary check later +on. + +3.) checked everything against the HAL sources and took over comments and minor +optimizations from there. + +4.) we can't use ENABLE_BITS when we want to write a number (the number can +contain zeros). also always write the correction values first and set ENABLE +bit last, like the HAL does. + +Signed-off-by: Bruno Randolf +Acked-by: Nick Kossifidis +Signed-off-by: John W. 
Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/phy.c | 41 +++++++++++++++++------------------ + drivers/net/wireless/ath/ath5k/reg.h | 1 + 2 files changed, 22 insertions(+), 20 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/phy.c ++++ b/drivers/net/wireless/ath/ath5k/phy.c +@@ -1386,38 +1386,39 @@ static int ath5k_hw_rf511x_calibrate(str + goto done; + + /* Calibration has finished, get the results and re-run */ ++ ++ /* work around empty results which can apparently happen on 5212 */ + for (i = 0; i <= 10; i++) { + iq_corr = ath5k_hw_reg_read(ah, AR5K_PHY_IQRES_CAL_CORR); + i_pwr = ath5k_hw_reg_read(ah, AR5K_PHY_IQRES_CAL_PWR_I); + q_pwr = ath5k_hw_reg_read(ah, AR5K_PHY_IQRES_CAL_PWR_Q); ++ ATH5K_DBG_UNLIMIT(ah->ah_sc, ATH5K_DEBUG_CALIBRATE, ++ "iq_corr:%x i_pwr:%x q_pwr:%x", iq_corr, i_pwr, q_pwr); ++ if (i_pwr && q_pwr) ++ break; + } + + i_coffd = ((i_pwr >> 1) + (q_pwr >> 1)) >> 7; + q_coffd = q_pwr >> 7; + +- /* No correction */ +- if (i_coffd == 0 || q_coffd == 0) ++ /* protect against divide by 0 and loss of sign bits */ ++ if (i_coffd == 0 || q_coffd < 2) + goto done; + +- i_coff = ((-iq_corr) / i_coffd); ++ i_coff = (-iq_corr) / i_coffd; ++ i_coff = clamp(i_coff, -32, 31); /* signed 6 bit */ ++ ++ q_coff = (i_pwr / q_coffd) - 128; ++ q_coff = clamp(q_coff, -16, 15); /* signed 5 bit */ + +- /* Boundary check */ +- if (i_coff > 31) +- i_coff = 31; +- if (i_coff < -32) +- i_coff = -32; +- +- q_coff = (((s32)i_pwr / q_coffd) - 128); +- +- /* Boundary check */ +- if (q_coff > 15) +- q_coff = 15; +- if (q_coff < -16) +- q_coff = -16; +- +- /* Commit new I/Q value */ +- AR5K_REG_ENABLE_BITS(ah, AR5K_PHY_IQ, AR5K_PHY_IQ_CORR_ENABLE | +- ((u32)q_coff) | ((u32)i_coff << AR5K_PHY_IQ_CORR_Q_I_COFF_S)); ++ ATH5K_DBG_UNLIMIT(ah->ah_sc, ATH5K_DEBUG_CALIBRATE, ++ "new I:%d Q:%d (i_coffd:%x q_coffd:%x)", ++ i_coff, q_coff, i_coffd, q_coffd); ++ ++ /* Commit new I/Q values (set enable bit last to match HAL sources) */ ++ 
AR5K_REG_WRITE_BITS(ah, AR5K_PHY_IQ, AR5K_PHY_IQ_CORR_Q_I_COFF, i_coff); ++ AR5K_REG_WRITE_BITS(ah, AR5K_PHY_IQ, AR5K_PHY_IQ_CORR_Q_Q_COFF, q_coff); ++ AR5K_REG_ENABLE_BITS(ah, AR5K_PHY_IQ, AR5K_PHY_IQ_CORR_ENABLE); + + /* Re-enable calibration -if we don't we'll commit + * the same values again and again */ +--- a/drivers/net/wireless/ath/ath5k/reg.h ++++ b/drivers/net/wireless/ath/ath5k/reg.h +@@ -2187,6 +2187,7 @@ + */ + #define AR5K_PHY_IQ 0x9920 /* Register Address */ + #define AR5K_PHY_IQ_CORR_Q_Q_COFF 0x0000001f /* Mask for q correction info */ ++#define AR5K_PHY_IQ_CORR_Q_Q_COFF_S 0 + #define AR5K_PHY_IQ_CORR_Q_I_COFF 0x000007e0 /* Mask for i correction info */ + #define AR5K_PHY_IQ_CORR_Q_I_COFF_S 5 + #define AR5K_PHY_IQ_CORR_ENABLE 0x00000800 /* Enable i/q correction */ diff --git a/queue-2.6.33/ath5k-fix-setup-for-cab-queue.patch b/queue-2.6.33/ath5k-fix-setup-for-cab-queue.patch new file mode 100644 index 00000000000..c1acdbaa7a5 --- /dev/null +++ b/queue-2.6.33/ath5k-fix-setup-for-cab-queue.patch 
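Review bot: In ath5k_hw_rf511x_calibrate() the new `q_coff = (i_pwr / q_coffd) - 128;` drops the `(s32)` cast, so whether the division and the subtraction are signed or unsigned depends on the declarations of `i_pwr`, `q_coffd` and `q_coff`, none of which are in the hunk. If `i_pwr` is unsigned, any quotient below 128 wraps before it is converted back to a signed `q_coff`, which works only through the implicit conversion. The negative `i_coff` and `q_coff` values are then handed to `AR5K_REG_WRITE_BITS`, which is correct only as long as that macro masks to the field width, as the commit message says it should. A comment at the computation, e.g. `/* i_pwr is unsigned; the -128 offset makes the result signed, and WRITE_BITS masks it to 5 bits */`, would record both assumptions. The function starts and ends outside the hunk.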
@@ -0,0 +1,101 @@ +From a951ae2176b982574ffa197455db6c89359fd5eb Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Wed, 20 Jan 2010 23:51:04 -0500 +Subject: ath5k: fix setup for CAB queue + +From: Bob Copeland + +commit a951ae2176b982574ffa197455db6c89359fd5eb upstream. + +The beacon sent gating doesn't seem to work with any combination +of flags. Thus, buffered frames tend to stay buffered forever, +using up tx descriptors. + +Instead, use the DBA gating and hold transmission of the buffered +frames until 80% of the beacon interval has elapsed using the ready +time. This fixes the following error in AP mode: + + ath5k phy0: no further txbuf available, dropping packet + +Add a comment to acknowledge that this isn't the best solution. + +Signed-off-by: Bob Copeland +Acked-by: Nick Kossifidis +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/ath5k.h | 2 +- + drivers/net/wireless/ath/ath5k/base.c | 22 +++++++++++++++++++--- + drivers/net/wireless/ath/ath5k/qcu.c | 5 +++-- + 3 files changed, 23 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/ath5k.h ++++ b/drivers/net/wireless/ath/ath5k/ath5k.h +@@ -535,7 +535,7 @@ struct ath5k_txq_info { + u32 tqi_cbr_period; /* Constant bit rate period */ + u32 tqi_cbr_overflow_limit; + u32 tqi_burst_time; +- u32 tqi_ready_time; /* Not used */ ++ u32 tqi_ready_time; /* Time queue waits after an event */ + }; + + /* +--- a/drivers/net/wireless/ath/ath5k/base.c ++++ b/drivers/net/wireless/ath/ath5k/base.c +@@ -1537,7 +1537,8 @@ ath5k_beaconq_config(struct ath5k_softc + + ret = ath5k_hw_get_tx_queueprops(ah, sc->bhalq, &qi); + if (ret) +- return ret; ++ goto err; ++ + if (sc->opmode == NL80211_IFTYPE_AP || + sc->opmode == NL80211_IFTYPE_MESH_POINT) { + /* +@@ -1564,10 +1565,25 @@ ath5k_beaconq_config(struct ath5k_softc + if (ret) { + ATH5K_ERR(sc, "%s: unable to update parameters for beacon " + "hardware queue!\n", __func__); +- return ret; ++ goto err; + 
} ++ ret = ath5k_hw_reset_tx_queue(ah, sc->bhalq); /* push to h/w */ ++ if (ret) ++ goto err; ++ ++ /* reconfigure cabq with ready time to 80% of beacon_interval */ ++ ret = ath5k_hw_get_tx_queueprops(ah, AR5K_TX_QUEUE_ID_CAB, &qi); ++ if (ret) ++ goto err; ++ ++ qi.tqi_ready_time = (sc->bintval * 80) / 100; ++ ret = ath5k_hw_set_tx_queueprops(ah, AR5K_TX_QUEUE_ID_CAB, &qi); ++ if (ret) ++ goto err; + +- return ath5k_hw_reset_tx_queue(ah, sc->bhalq); /* push to h/w */; ++ ret = ath5k_hw_reset_tx_queue(ah, AR5K_TX_QUEUE_ID_CAB); ++err: ++ return ret; + } + + static void +--- a/drivers/net/wireless/ath/ath5k/qcu.c ++++ b/drivers/net/wireless/ath/ath5k/qcu.c +@@ -408,12 +408,13 @@ int ath5k_hw_reset_tx_queue(struct ath5k + break; + + case AR5K_TX_QUEUE_CAB: ++ /* XXX: use BCN_SENT_GT, if we can figure out how */ + AR5K_REG_ENABLE_BITS(ah, AR5K_QUEUE_MISC(queue), +- AR5K_QCU_MISC_FRSHED_BCN_SENT_GT | ++ AR5K_QCU_MISC_FRSHED_DBA_GT | + AR5K_QCU_MISC_CBREXP_DIS | + AR5K_QCU_MISC_CBREXP_BCN_DIS); + +- ath5k_hw_reg_write(ah, ((AR5K_TUNE_BEACON_INTERVAL - ++ ath5k_hw_reg_write(ah, ((tq->tqi_ready_time - + (AR5K_TUNE_SW_BEACON_RESP - + AR5K_TUNE_DMA_BEACON_RESP) - + AR5K_TUNE_ADDITIONAL_SWBA_BACKOFF) * 1024) | diff --git a/queue-2.6.33/decompress-fix-new-decompressor-for-pic.patch b/queue-2.6.33/decompress-fix-new-decompressor-for-pic.patch new file mode 100644 index 00000000000..236c2a3d4c5 --- /dev/null +++ b/queue-2.6.33/decompress-fix-new-decompressor-for-pic.patch 
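Review bot: In the qcu.c hunk, `tq->tqi_ready_time - (AR5K_TUNE_SW_BEACON_RESP - AR5K_TUNE_DMA_BEACON_RESP) - AR5K_TUNE_ADDITIONAL_SWBA_BACKOFF` is computed from a `u32` field (see the ath5k.h hunk), so a ready time of zero or one smaller than the subtracted constants wraps to a very large value before the `* 1024` and the register write. ath5k_beaconq_config() sets the field to `(sc->bintval * 80) / 100`, but nothing visible here guarantees that this runs before every reset of the CAB queue, or that `bintval` is large enough. The values of the tuning constants are not shown. I would guard the write in the `AR5K_TX_QUEUE_CAB` case: compute the backoff sum once, and if `tq->tqi_ready_time` does not exceed it, fall back to `AR5K_TUNE_BEACON_INTERVAL` as the old code did. Both functions continue outside their hunks.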
@@ -0,0 +1,46 @@
+From 5ceaa2f39bfa73c4398cd01e78f1c3ebde3d3383 Mon Sep 17 00:00:00 2001
+From: Russell King
+Date: Wed, 10 Mar 2010 15:23:53 -0800
+Subject: decompress: fix new decompressor for PIC
+
+From: Russell King
+
+commit 5ceaa2f39bfa73c4398cd01e78f1c3ebde3d3383 upstream.
+
+The ARM kernel decompressor wants to be able to relocate r/w data
+independently from the rest of the image, and we do this by ensuring that
+r/w data has global visibility. Define STATIC_RW_DATA to be empty to
+achieve this.
+
+Signed-off-by: Russell King
+Cc: Alain Knaff
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+--- a/include/linux/decompress/mm.h
++++ b/include/linux/decompress/mm.h
+@@ -14,11 +14,21 @@
+
+ /* Code active when included from pre-boot environment: */
+
++/*
++ * Some architectures want to ensure there is no local data in their
++ * pre-boot environment, so that data can arbitarily relocated (via
++ * GOT references). This is achieved by defining STATIC_RW_DATA to
++ * be null.
++ */
++#ifndef STATIC_RW_DATA
++#define STATIC_RW_DATA static
++#endif
++
+ /* A trivial malloc implementation, adapted from
+ * malloc by Hannu Savolainen 1993 and Matthias Urlichs 1994
+ */
+-static unsigned long malloc_ptr;
+-static int malloc_count;
++STATIC_RW_DATA unsigned long malloc_ptr;
++STATIC_RW_DATA int malloc_count;
+
+ static void *malloc(int size)
+ {
diff --git a/queue-2.6.33/drivers-scsi-ses.c-eliminate-double-free.patch b/queue-2.6.33/drivers-scsi-ses.c-eliminate-double-free.patch
new file mode 100644
index 00000000000..4dec6418006
--- /dev/null
+++ b/queue-2.6.33/drivers-scsi-ses.c-eliminate-double-free.patch
@@ -0,0 +1,61 @@
+From 9b3a6549b2602ca30f58715a0071e29f9898cae9 Mon Sep 17 00:00:00 2001
+From: Julia Lawall
+Date: Wed, 10 Mar 2010 15:20:42 -0800
+Subject: drivers/scsi/ses.c: eliminate double free
+
+From: Julia Lawall
+
+commit 9b3a6549b2602ca30f58715a0071e29f9898cae9 upstream.
+
+The few lines below the kfree of hdr_buf may go to the label err_free
+which will also free hdr_buf. The most straightforward solution seems to
+be to just move the kfree of hdr_buf after these gotos.
+
+A simplified version of the semantic match that finds this problem is as
+follows: (http://coccinelle.lip6.fr/)
+
+//
+@r@
+identifier E;
+expression E1;
+iterator I;
+statement S;
+@@
+
+*kfree(E);
+... when != E = E1
+ when != I(E,...) S
+ when != &E
+*kfree(E);
+//
+
+Signed-off-by: Julia Lawall
+Cc: James Bottomley
+Signed-off-by: Andrew Morton
+Signed-off-by: Linus Torvalds
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/scsi/ses.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/drivers/scsi/ses.c
++++ b/drivers/scsi/ses.c
+@@ -591,8 +591,6 @@ static int ses_intf_add(struct device *c
+ ses_dev->page10_len = len;
+ buf = NULL;
+ }
+- kfree(hdr_buf);
+-
+ scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL);
+ if (!scomp)
+ goto err_free;
+@@ -604,6 +602,8 @@ static int ses_intf_add(struct device *c
+ goto err_free;
+ }
+
++ kfree(hdr_buf);
++
+ edev->scratch = ses_dev;
+ for (i = 0; i < components; i++)
+ edev->component[i].scratch = scomp + i;
diff --git a/queue-2.6.33/function-graph-init-curr_ret_stack-with-ret_stack.patch b/queue-2.6.33/function-graph-init-curr_ret_stack-with-ret_stack.patch
new file mode 100644
index 00000000000..912ce75268f
--- /dev/null
+++ b/queue-2.6.33/function-graph-init-curr_ret_stack-with-ret_stack.patch
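Review bot: After the relocated `kfree(hdr_buf);` in ses_intf_add() the pointer stays dangling while the function goes on, and per the commit message the `err_free` label (outside the hunk) frees `hdr_buf` too. No `goto err_free` is visible below the new position, so this is not a defect today, but the fix depends on nobody adding an error path there later. The same hunk shows the file's own idiom, `buf = NULL;`, for a buffer that must not be freed again; adding `hdr_buf = NULL;` directly after the kfree would make a later double free impossible rather than just absent. The function starts and ends outside the hunk.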
@@ -0,0 +1,48 @@
+From ea14eb714041d40fcc5180b5a586034503650149 Mon Sep 17 00:00:00 2001
+From: Steven Rostedt
+Date: Fri, 12 Mar 2010 19:41:23 -0500
+Subject: function-graph: Init curr_ret_stack with ret_stack
+
+From: Steven Rostedt
+
+commit ea14eb714041d40fcc5180b5a586034503650149 upstream.
+
+If the graph tracer is active, and a task is forked but the allocating of
+the processes graph stack fails, it can cause crash later on.
+
+This is due to the temporary stack being NULL, but the curr_ret_stack
+variable is copied from the parent. If it is not -1, then in
+ftrace_graph_probe_sched_switch() the following:
+
+ for (index = next->curr_ret_stack; index >= 0; index--)
+ next->ret_stack[index].calltime += timestamp;
+
+Will cause a kernel OOPS.
+
+Found with Li Zefan's ftrace_stress_test.
+
+Signed-off-by: Steven Rostedt
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ kernel/trace/ftrace.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/kernel/trace/ftrace.c
++++ b/kernel/trace/ftrace.c
+@@ -3364,6 +3364,7 @@ void ftrace_graph_init_task(struct task_
+ {
+ /* Make sure we do not use the parent ret_stack */
+ t->ret_stack = NULL;
++ t->curr_ret_stack = -1;
+
+ if (ftrace_graph_active) {
+ struct ftrace_ret_stack *ret_stack;
+@@ -3373,7 +3374,6 @@ void ftrace_graph_init_task(struct task_
+ GFP_KERNEL);
+ if (!ret_stack)
+ return;
+- t->curr_ret_stack = -1;
+ atomic_set(&t->tracing_graph_pause, 0);
+ atomic_set(&t->trace_overrun, 0);
+ t->ftrace_timestamp = 0;
diff --git a/queue-2.6.33/hw-breakpoints-remove-stub-unthrottle-callback.patch b/queue-2.6.33/hw-breakpoints-remove-stub-unthrottle-callback.patch
new file mode 100644
index 00000000000..37bf76e2bb3
--- /dev/null
+++ b/queue-2.6.33/hw-breakpoints-remove-stub-unthrottle-callback.patch
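Review bot: The comment `/* Make sure we do not use the parent ret_stack */` in ftrace_graph_init_task() now sits above two assignments but explains only the first. The reason `t->curr_ret_stack = -1;` has to be unconditional is that a failed allocation leaves `ret_stack` NULL while the index copied from the parent may still be non-negative, and that reason exists only in the commit message. I would extend the comment, e.g. `/* Reset the index as well: if the allocation below fails, ret_stack stays NULL and must never be indexed */`. The function continues past the end of the second hunk.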
@@ -0,0 +1,52 @@
+From 1e259e0a9982078896f3404240096cbea01daca4 Mon Sep 17 00:00:00 2001
+From: Frederic Weisbecker
+Date: Sun, 28 Feb 2010 20:51:15 +0100
+Subject: hw-breakpoints: Remove stub unthrottle callback
+
+From: Frederic Weisbecker
+
+commit 1e259e0a9982078896f3404240096cbea01daca4 upstream.
+
+We support event unthrottling in breakpoint events. It means
+that if we have more than sysctl_perf_event_sample_rate/HZ,
+perf will throttle, ignoring subsequent events until the next
+tick.
+
+So if ptrace exceeds this max rate, it will omit events, which
+breaks the ptrace determinism that is supposed to report every
+triggered breakpoints. This is likely to happen if we set
+sysctl_perf_event_sample_rate to 1.
+
+This patch removes support for unthrottling in breakpoint
+events to break throttling and restore ptrace determinism.
+
+Signed-off-by: Frederic Weisbecker
+Cc: Peter Zijlstra
+Cc: K.Prasad
+Cc: Paul Mackerras
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/hw_breakpoint.c | 5 -----
+ kernel/hw_breakpoint.c | 1 -
+ 2 files changed, 6 deletions(-)
+
+--- a/arch/x86/kernel/hw_breakpoint.c
++++ b/arch/x86/kernel/hw_breakpoint.c
+@@ -531,8 +531,3 @@ void hw_breakpoint_pmu_read(struct perf_
+ {
+ /* TODO */
+ }
+-
+-void hw_breakpoint_pmu_unthrottle(struct perf_event *bp)
+-{
+- /* TODO */
+-}
+--- a/kernel/hw_breakpoint.c
++++ b/kernel/hw_breakpoint.c
+@@ -489,5 +489,4 @@ struct pmu perf_ops_bp = {
+ .enable = arch_install_hw_breakpoint,
+ .disable = arch_uninstall_hw_breakpoint,
+ .read = hw_breakpoint_pmu_read,
+- .unthrottle = hw_breakpoint_pmu_unthrottle
+ };
diff --git a/queue-2.6.33/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch b/queue-2.6.33/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch
new file mode 100644
index 00000000000..43881c7b061
--- /dev/null
+++ b/queue-2.6.33/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch
@@ -0,0 +1,38 @@
+From c074c39d62306efa5ba7c69c1a1531bc7333d252 Mon Sep 17 00:00:00 2001
+From: Jean Delvare
+Date: Sat, 13 Mar 2010 20:56:53 +0100
+Subject: i2c-i801: Don't use the block buffer for I2C block writes
+
+From: Jean Delvare
+
+commit c074c39d62306efa5ba7c69c1a1531bc7333d252 upstream.
+
+Experience has shown that the block buffer can only be used for SMBus
+(not I2C) block transactions, even though the datasheet doesn't
+mention this limitation.
+
+Reported-by: Felix Rubinstein
+Signed-off-by: Jean Delvare
+Cc: Oleg Ryjkov
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/i2c/busses/i2c-i801.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+--- a/drivers/i2c/busses/i2c-i801.c
++++ b/drivers/i2c/busses/i2c-i801.c
+@@ -415,9 +415,11 @@ static int i801_block_transaction(union
+ data->block[0] = 32; /* max for SMBus block reads */
+ }
+
++ /* Experience has shown that the block buffer can only be used for
++ SMBus (not I2C) block transactions, even though the datasheet
++ doesn't mention this limitation. */
+ if ((i801_features & FEATURE_BLOCK_BUFFER)
+- && !(command == I2C_SMBUS_I2C_BLOCK_DATA
+- && read_write == I2C_SMBUS_READ)
++ && command != I2C_SMBUS_I2C_BLOCK_DATA
+ && i801_set_block_buffer_mode() == 0)
+ result = i801_block_transaction_by_block(data, read_write,
+ hwpec);
diff --git a/queue-2.6.33/i2c-powermac-be-less-verbose-in-the-absence-of-real-errors.patch b/queue-2.6.33/i2c-powermac-be-less-verbose-in-the-absence-of-real-errors.patch
new file mode 100644
index 00000000000..0ef8aed231a
--- /dev/null
+++ b/queue-2.6.33/i2c-powermac-be-less-verbose-in-the-absence-of-real-errors.patch
@@ -0,0 +1,62 @@ +From 8e4b980c28c91cfe9d0ce0431bc0af56e146b49e Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Sat, 13 Mar 2010 20:56:52 +0100 +Subject: i2c-powermac: Be less verbose in the absence of real errors. + +From: Jean Delvare + +commit 8e4b980c28c91cfe9d0ce0431bc0af56e146b49e upstream. + +Be less verbose in the absence of real errors. We don't have to report +failed probes to the users, it's only confusing them. + +Signed-off-by: Jean Delvare +Tested-by: Andrey Gusev +Cc: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-powermac.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/drivers/i2c/busses/i2c-powermac.c ++++ b/drivers/i2c/busses/i2c-powermac.c +@@ -122,9 +122,14 @@ static s32 i2c_powermac_smbus_xfer( stru + + rc = pmac_i2c_xfer(bus, addrdir, subsize, subaddr, buf, len); + if (rc) { +- dev_err(&adap->dev, +- "I2C transfer at 0x%02x failed, size %d, err %d\n", +- addrdir >> 1, size, rc); ++ if (rc == -ENXIO) ++ dev_dbg(&adap->dev, ++ "I2C transfer at 0x%02x failed, size %d, " ++ "err %d\n", addrdir >> 1, size, rc); ++ else ++ dev_err(&adap->dev, ++ "I2C transfer at 0x%02x failed, size %d, " ++ "err %d\n", addrdir >> 1, size, rc); + goto bail; + } + +@@ -175,10 +180,16 @@ static int i2c_powermac_master_xfer( str + goto bail; + } + rc = pmac_i2c_xfer(bus, addrdir, 0, 0, msgs->buf, msgs->len); +- if (rc < 0) +- dev_err(&adap->dev, "I2C %s 0x%02x failed, err %d\n", +- addrdir & 1 ? "read from" : "write to", addrdir >> 1, +- rc); ++ if (rc < 0) { ++ if (rc == -ENXIO) ++ dev_dbg(&adap->dev, "I2C %s 0x%02x failed, err %d\n", ++ addrdir & 1 ? "read from" : "write to", ++ addrdir >> 1, rc); ++ else ++ dev_err(&adap->dev, "I2C %s 0x%02x failed, err %d\n", ++ addrdir & 1 ? "read from" : "write to", ++ addrdir >> 1, rc); ++ } + bail: + pmac_i2c_close(bus); + return rc < 0 ? rc : 1; 
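Review bot: Neither new `if (rc == -ENXIO)` branch, in i2c_powermac_smbus_xfer() or in i2c_powermac_master_xfer(), says why that one error code is demoted to `dev_dbg`. Going by the commit message it is the result of probing an address where no device answers, but that reading of pmac_i2c_xfer()'s return value is not visible here and should be confirmed. A one-line comment on each branch would do, for example `/* -ENXIO: nothing answered at this address, expected while probing */`. Every other failure still reaches `dev_err`, so real transfer errors stay in the log. Both function bodies start and end outside the hunks.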
diff --git a/queue-2.6.33/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch b/queue-2.6.33/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch new file mode 100644 index 00000000000..5a73c06e650 --- /dev/null +++ b/queue-2.6.33/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch @@ -0,0 +1,28 @@ +From eb8bff85c5bd5caef7c374ff32b86545029efb56 Mon Sep 17 00:00:00 2001 +From: Thomas Bächler +Date: Tue, 9 Mar 2010 20:38:48 -0800 +Subject: Input: alps - add support for the touchpad on Toshiba Tecra A11-11L + +From: Thomas Bächler + +commit eb8bff85c5bd5caef7c374ff32b86545029efb56 upstream. + +Signed-off-by: Thomas Bächler +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -63,6 +63,8 @@ static const struct alps_model_info alps + { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf, + ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, + { { 0x73, 0x02, 0x50 }, 0xcf, 0xcf, ALPS_FOUR_BUTTONS }, /* Dell Vostro 1400 */ ++ { { 0x52, 0x01, 0x14 }, 0xff, 0xff, ++ ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, /* Toshiba Tecra A11-11L */ + }; + + /* diff --git a/queue-2.6.33/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch b/queue-2.6.33/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch new file mode 100644 index 00000000000..c77d5bd3f16 --- /dev/null +++ b/queue-2.6.33/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch 
@@ -0,0 +1,37 @@ +From 31968ecf584330b51a25b7bf881c2b632a02a3fb Mon Sep 17 00:00:00 2001 +From: Christoph Fritz +Date: Sat, 13 Mar 2010 22:26:23 -0800 +Subject: Input: i8042 - add ALDI/MEDION netbook E1222 to qurik reset table + +From: Christoph Fritz + +commit 31968ecf584330b51a25b7bf881c2b632a02a3fb upstream. + +ALDI/MEDION netbook E1222 needs to be in the reset quirk list for +its touchpad's proper function. + +Reported-by: Michael Fischer +Signed-off-by: Christoph Fritz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -442,6 +442,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Medion Akoya E1222 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "E122X"), ++ }, ++ }, ++ { + /* Mivvy M310 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "VIOOO"), diff --git a/queue-2.6.33/mac80211-fix-ht-rate-control-configuration.patch b/queue-2.6.33/mac80211-fix-ht-rate-control-configuration.patch new file mode 100644 index 00000000000..d8575cb9ea2 --- /dev/null +++ b/queue-2.6.33/mac80211-fix-ht-rate-control-configuration.patch 
@@ -0,0 +1,98 @@ +From 4fa004373133ece3d9b1c0a7e243b0e53760b165 Mon Sep 17 00:00:00 2001 +From: Sujith +Date: Mon, 1 Mar 2010 14:42:57 +0530 +Subject: mac80211: Fix HT rate control configuration + +From: Sujith + +commit 4fa004373133ece3d9b1c0a7e243b0e53760b165 upstream. + +Handling HT configuration changes involved setting the channel +with the new HT parameters and then issuing a rate_update() +notification to the driver. + +This behavior changed after the off-channel changes. Now, the channel +is not updated with the new HT params in enable_ht() - instead, it +is now done when the scan work terminates. This results in the driver +depending on stale information, defaulting to non-HT mode always. + +Fix this by passing the new channel type to the driver. + +Signed-off-by: Sujith +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/rc.c | 6 +++--- + include/net/mac80211.h | 3 ++- + net/mac80211/mlme.c | 3 ++- + net/mac80211/rate.h | 5 +++-- + 4 files changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/rc.c ++++ b/drivers/net/wireless/ath/ath9k/rc.c +@@ -1323,7 +1323,7 @@ static void ath_rate_init(void *priv, st + + static void ath_rate_update(void *priv, struct ieee80211_supported_band *sband, + struct ieee80211_sta *sta, void *priv_sta, +- u32 changed) ++ u32 changed, enum nl80211_channel_type oper_chan_type) + { + struct ath_softc *sc = priv; + struct ath_rate_priv *ath_rc_priv = priv_sta; +@@ -1340,8 +1340,8 @@ static void ath_rate_update(void *priv, + if (sc->sc_ah->opmode != NL80211_IFTYPE_STATION) + return; + +- if (sc->hw->conf.channel_type == NL80211_CHAN_HT40MINUS || +- sc->hw->conf.channel_type == NL80211_CHAN_HT40PLUS) ++ if (oper_chan_type == NL80211_CHAN_HT40MINUS || ++ oper_chan_type == NL80211_CHAN_HT40PLUS) + oper_cw40 = true; + + oper_sgi40 = (sta->ht_cap.cap & IEEE80211_HT_CAP_SGI_40) ? 
+--- a/include/net/mac80211.h ++++ b/include/net/mac80211.h +@@ -2258,7 +2258,8 @@ struct rate_control_ops { + struct ieee80211_sta *sta, void *priv_sta); + void (*rate_update)(void *priv, struct ieee80211_supported_band *sband, + struct ieee80211_sta *sta, +- void *priv_sta, u32 changed); ++ void *priv_sta, u32 changed, ++ enum nl80211_channel_type oper_chan_type); + void (*free_sta)(void *priv, struct ieee80211_sta *sta, + void *priv_sta); + +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -205,7 +205,8 @@ static u32 ieee80211_enable_ht(struct ie + sta = sta_info_get(local, bssid); + if (sta) + rate_control_rate_update(local, sband, sta, +- IEEE80211_RC_HT_CHANGED); ++ IEEE80211_RC_HT_CHANGED, ++ local->oper_channel_type); + rcu_read_unlock(); + } + +--- a/net/mac80211/rate.h ++++ b/net/mac80211/rate.h +@@ -69,7 +69,8 @@ static inline void rate_control_rate_ini + + static inline void rate_control_rate_update(struct ieee80211_local *local, + struct ieee80211_supported_band *sband, +- struct sta_info *sta, u32 changed) ++ struct sta_info *sta, u32 changed, ++ enum nl80211_channel_type oper_chan_type) + { + struct rate_control_ref *ref = local->rate_ctrl; + struct ieee80211_sta *ista = &sta->sta; +@@ -77,7 +78,7 @@ static inline void rate_control_rate_upd + + if (ref && ref->ops->rate_update) + ref->ops->rate_update(ref->priv, sband, ista, +- priv_sta, changed); ++ priv_sta, changed, oper_chan_type); + } + + static inline void *rate_control_alloc_sta(struct rate_control_ref *ref, diff --git a/queue-2.6.33/ring-buffer-move-disabled-check-into-preempt-disable-section.patch b/queue-2.6.33/ring-buffer-move-disabled-check-into-preempt-disable-section.patch new file mode 100644 index 00000000000..cb8076eb1e9 --- /dev/null +++ b/queue-2.6.33/ring-buffer-move-disabled-check-into-preempt-disable-section.patch 
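Review bot: The `rate_update` member of `struct rate_control_ops` gains an `oper_chan_type` argument, but the diffstat shows only ath9k's `ath_rate_update()` being converted. Any other rate-control algorithm in the 2.6.33 tree that sets `.rate_update` would keep the old prototype and be called through a mismatched function pointer; this cannot be checked from the visible hunks. The new parameter is also undocumented where it is declared, so a comment such as `/* oper_chan_type: channel type the interface will operate on; hw->conf.channel_type may be stale until scan work finishes */` would record why drivers must not read the hardware config instead. The bodies of ath_rate_update() and ieee80211_enable_ht() continue outside the hunks.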
@@ -0,0 +1,60 @@ +From 52fbe9cde7fdb5c6fac196d7ebd2d92d05ef3cd4 Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Mon, 8 Mar 2010 14:50:43 +0800 +Subject: ring-buffer: Move disabled check into preempt disable section + +From: Lai Jiangshan + +commit 52fbe9cde7fdb5c6fac196d7ebd2d92d05ef3cd4 upstream. + +The ring buffer resizing and resetting relies on a schedule RCU +action. The buffers are disabled, a synchronize_sched() is called +and then the resize or reset takes place. + +But this only works if the disabling of the buffers are within the +preempt disabled section, otherwise a window exists that the buffers +can be written to while a reset or resize takes place. + +Reported-by: Li Zefan +Signed-off-by: Lai Jiangshan +LKML-Reference: <4B949E43.2010906@cn.fujitsu.com> +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2232,12 +2232,12 @@ ring_buffer_lock_reserve(struct ring_buf + if (ring_buffer_flags != RB_BUFFERS_ON) + return NULL; + +- if (atomic_read(&buffer->record_disabled)) +- return NULL; +- + /* If we are tracing schedule, we don't want to recurse */ + resched = ftrace_preempt_disable(); + ++ if (atomic_read(&buffer->record_disabled)) ++ goto out_nocheck; ++ + if (trace_recursive_lock()) + goto out_nocheck; + +@@ -2469,11 +2469,11 @@ int ring_buffer_write(struct ring_buffer + if (ring_buffer_flags != RB_BUFFERS_ON) + return -EBUSY; + +- if (atomic_read(&buffer->record_disabled)) +- return -EBUSY; +- + resched = ftrace_preempt_disable(); + ++ if (atomic_read(&buffer->record_disabled)) ++ goto out; ++ + cpu = raw_smp_processor_id(); + + if (!cpumask_test_cpu(cpu, buffer->cpumask)) diff --git a/queue-2.6.33/series b/queue-2.6.33/series new file mode 100644 index 00000000000..0e84fcbf9ff --- /dev/null +++ b/queue-2.6.33/series 
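Review bot: The relocated `atomic_read(&buffer->record_disabled)` checks in ring_buffer_lock_reserve() and ring_buffer_write() have no comment saying they must stay after `ftrace_preempt_disable()`. A later cleanup could hoist them back to the early-return position and reopen the window the commit message describes. I would put `/* Must be tested with preemption off: resize/reset set record_disabled and then wait in synchronize_sched() */` above each one. In ring_buffer_write() the new `goto out` replaces an explicit `return -EBUSY`, so it relies on `ret` already holding -EBUSY; that initialisation is outside the hunk and worth confirming for the stable tree. Both function bodies continue outside the hunks.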
@@ -0,0 +1,24 @@
+drivers-scsi-ses.c-eliminate-double-free.patch
+decompress-fix-new-decompressor-for-pic.patch
+arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch
+mac80211-fix-ht-rate-control-configuration.patch
+tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch
+alsa-hda-sound-msi-fallout-on-a-asus-mobo-nvidia-mcp55.patch
+alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch
+timekeeping-prevent-oops-when-generic_time-n.patch
+input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch
+input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch
+i2c-powermac-be-less-verbose-in-the-absence-of-real-errors.patch
+i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch
+ath5k-fix-i-q-calibration-for-real.patch
+ath5k-dont-use-external-sleep-clock-in-ap-mode.patch
+ath5k-fix-setup-for-cab-queue.patch
+ring-buffer-move-disabled-check-into-preempt-disable-section.patch
+x86_64-cpa-don-t-work-hard-in-preserving-kernel-2m-mappings-when-using-4k-already.patch
+x86-stacktrace-don-t-dereference-bad-frame-pointers.patch
+hw-breakpoints-remove-stub-unthrottle-callback.patch
+function-graph-init-curr_ret_stack-with-ret_stack.patch
+tracing-fix-warning-in-s_next-of-trace-file-ops.patch
+tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch
+tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch
+tracing-do-not-record-user-stack-trace-from-nmi-context.patch
diff --git a/queue-2.6.33/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch b/queue-2.6.33/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch
new file mode 100644
index 00000000000..c5bee38221e
--- /dev/null
+++ b/queue-2.6.33/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch
@@ -0,0 +1,39 @@ +From fe234f0e5cbb880792d2d1ac0743cf8c07e9dde3 Mon Sep 17 00:00:00 2001 +From: Louis Rilling +Date: Tue, 9 Mar 2010 06:14:41 +0000 +Subject: tg3: Fix tg3_poll_controller() passing wrong pointer to tg3_interrupt() + +From: Louis Rilling + +commit fe234f0e5cbb880792d2d1ac0743cf8c07e9dde3 upstream. + +Commit 09943a1819a240ff4a72f924d0038818fcdd0a90 + Author: Matt Carlson + Date: Fri Aug 28 14:01:57 2009 +0000 + + tg3: Convert ISR parameter to tnapi + +forgot to update tg3_poll_controller(), leading to intermittent crashes with +netpoll. + +Fix this. + +Signed-off-by: Louis Rilling +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -5223,7 +5223,7 @@ static void tg3_poll_controller(struct n + struct tg3 *tp = netdev_priv(dev); + + for (i = 0; i < tp->irq_cnt; i++) +- tg3_interrupt(tp->napi[i].irq_vec, dev); ++ tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]); + } + #endif + diff --git a/queue-2.6.33/timekeeping-prevent-oops-when-generic_time-n.patch b/queue-2.6.33/timekeeping-prevent-oops-when-generic_time-n.patch new file mode 100644 index 00000000000..4db537b9cf4 --- /dev/null +++ b/queue-2.6.33/timekeeping-prevent-oops-when-generic_time-n.patch 
@@ -0,0 +1,44 @@ +From ad6759fbf35d104dbf573cd6f4c6784ad6823f7e Mon Sep 17 00:00:00 2001 +From: john stultz +Date: Mon, 1 Mar 2010 12:34:43 -0800 +Subject: timekeeping: Prevent oops when GENERIC_TIME=n + +From: john stultz + +commit ad6759fbf35d104dbf573cd6f4c6784ad6823f7e upstream. + +Aaro Koskinen reported an issue in kernel.org bugzilla #15366, where +on non-GENERIC_TIME systems, accessing +/sys/devices/system/clocksource/clocksource0/current_clocksource +results in an oops. + +It seems the timekeeper/clocksource rework missed initializing the +curr_clocksource value in the !GENERIC_TIME case. + +Thanks to Aaro for reporting and diagnosing the issue as well as +testing the fix! + +Reported-by: Aaro Koskinen +Signed-off-by: John Stultz +Cc: Martin Schwidefsky +LKML-Reference: <1267475683.4216.61.camel@localhost.localdomain> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clocksource.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -580,6 +580,10 @@ static inline void clocksource_select(vo + */ + static int __init clocksource_done_booting(void) + { ++ mutex_lock(&clocksource_mutex); ++ curr_clocksource = clocksource_default_clock(); ++ mutex_unlock(&clocksource_mutex); ++ + finished_booting = 1; + + /* diff --git a/queue-2.6.33/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch b/queue-2.6.33/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch new file mode 100644 index 00000000000..f4d71e75bb6 --- /dev/null +++ b/queue-2.6.33/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch 
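Review bot: The new `curr_clocksource = clocksource_default_clock();` at the top of clocksource_done_booting() has no comment saying which configuration needs it. Per the commit message it is for GENERIC_TIME=n, where curr_clocksource is otherwise never initialised and a read of the sysfs `current_clocksource` file oopses. The assignment is unconditional, so with GENERIC_TIME=y it presumably gets overwritten by the selection later in the function; that part is outside the hunk and should be confirmed. I would add `/* Seed curr_clocksource so the sysfs show handler never sees it uninitialised (needed when GENERIC_TIME=n) */` above the locked region.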
@@ -0,0 +1,85 @@ +From a2f8071428ed9a0f06865f417c962421c9a6b488 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 19:56:00 -0500 +Subject: tracing: Disable buffer switching when starting or stopping trace + +From: Steven Rostedt + +commit a2f8071428ed9a0f06865f417c962421c9a6b488 upstream. + +When the trace iterator is read, tracing_start() and tracing_stop() +is called to stop tracing while the iterator is processing the trace +output. + +These functions disable both the standard buffer and the max latency +buffer. But if the wakeup tracer is running, it can switch these +buffers between the two disables: + + buffer = global_trace.buffer; + if (buffer) + ring_buffer_record_disable(buffer); + + <<<--------- swap happens here + + buffer = max_tr.buffer; + if (buffer) + ring_buffer_record_disable(buffer); + +What happens is that we disabled the same buffer twice. On tracing_start() +we can enable the same buffer twice. All ring_buffer_record_disable() +must be matched with a ring_buffer_record_enable() or the buffer +can be disable permanently, or enable prematurely, and cause a bug +where a reset happens while a trace is commiting. + +This patch protects these two by taking the ftrace_max_lock to prevent +a switch from occurring. + +Found with Li Zefan's ftrace_stress_test. 
+ +Reported-by: Lai Jiangshan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -857,6 +857,8 @@ void tracing_start(void) + goto out; + } + ++ /* Prevent the buffers from switching */ ++ arch_spin_lock(&ftrace_max_lock); + + buffer = global_trace.buffer; + if (buffer) +@@ -866,6 +868,8 @@ void tracing_start(void) + if (buffer) + ring_buffer_record_enable(buffer); + ++ arch_spin_unlock(&ftrace_max_lock); ++ + ftrace_start(); + out: + spin_unlock_irqrestore(&tracing_start_lock, flags); +@@ -887,6 +891,9 @@ void tracing_stop(void) + if (trace_stop_count++) + goto out; + ++ /* Prevent the buffers from switching */ ++ arch_spin_lock(&ftrace_max_lock); ++ + buffer = global_trace.buffer; + if (buffer) + ring_buffer_record_disable(buffer); +@@ -895,6 +902,8 @@ void tracing_stop(void) + if (buffer) + ring_buffer_record_disable(buffer); + ++ arch_spin_unlock(&ftrace_max_lock); ++ + out: + spin_unlock_irqrestore(&tracing_start_lock, flags); + } diff --git a/queue-2.6.33/tracing-do-not-record-user-stack-trace-from-nmi-context.patch b/queue-2.6.33/tracing-do-not-record-user-stack-trace-from-nmi-context.patch new file mode 100644 index 00000000000..5b9deaad3e1 --- /dev/null +++ b/queue-2.6.33/tracing-do-not-record-user-stack-trace-from-nmi-context.patch 
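Review bot: `arch_spin_lock(&ftrace_max_lock)` is now taken inside the `tracing_start_lock` critical section in both tracing_start() and tracing_stop(), and nothing records that nesting order. The raw lock does not disable interrupts itself, so it depends on the enclosing irqsave; only the matching `spin_unlock_irqrestore()` is visible in the hunks. arch_spin_lock is not tracked by lockdep, so an inverted order elsewhere in trace.c would not be reported, which makes a written rule worth having. I would extend the added comment to `/* Prevent the buffers from switching; nests inside tracing_start_lock with irqs already off */` at both sites.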
@@ -0,0 +1,93 @@ +From b6345879ccbd9b92864fbd7eb8ac48acdb4d6b15 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 20:03:30 -0500 +Subject: tracing: Do not record user stack trace from NMI context + +From: Steven Rostedt + +commit b6345879ccbd9b92864fbd7eb8ac48acdb4d6b15 upstream. + +A bug was found with Li Zefan's ftrace_stress_test that caused applications +to segfault during the test. + +Placing a tracing_off() in the segfault code, and examining several +traces, I found that the following was always the case. The lock tracer +was enabled (lockdep being required) and userstack was enabled. Testing +this out, I just enabled the two, but that was not good enough. I needed +to run something else that could trigger it. Running a load like hackbench +did not work, but executing a new program would. The following would +trigger the segfault within seconds: + + # echo 1 > /debug/tracing/options/userstacktrace + # echo 1 > /debug/tracing/events/lock/enable + # while :; do ls > /dev/null ; done + +Enabling the function graph tracer and looking at what was happening +I finally noticed that all cashes happened just after an NMI. + + 1) | copy_user_handle_tail() { + 1) | bad_area_nosemaphore() { + 1) | __bad_area_nosemaphore() { + 1) | no_context() { + 1) | fixup_exception() { + 1) 0.319 us | search_exception_tables(); + 1) 0.873 us | } +[...] + 1) 0.314 us | __rcu_read_unlock(); + 1) 0.325 us | native_apic_mem_write(); + 1) 0.943 us | } + 1) 0.304 us | rcu_nmi_exit(); +[...] + 1) 0.479 us | find_vma(); + 1) | bad_area() { + 1) | __bad_area() { + +After capturing several traces of failures, all of them happened +after an NMI. Curious about this, I added a trace_printk() to the NMI +handler to read the regs->ip to see where the NMI happened. 
In which I +found out it was here: + +ffffffff8135b660 : +ffffffff8135b660: 48 83 ec 78 sub $0x78,%rsp +ffffffff8135b664: e8 97 01 00 00 callq ffffffff8135b800 + +What was happening is that the NMI would happen at the place that a page +fault occurred. It would call rcu_read_lock() which was traced by +the lock events, and the user_stack_trace would run. This would trigger +a page fault inside the NMI. I do not see where the CR2 register is +saved or restored in NMI handling. This means that it would corrupt +the page fault handling that the NMI interrupted. + +The reason the while loop of ls helped trigger the bug, was that +each execution of ls would cause lots of pages to be faulted in, and +increase the chances of the race happening. + +The simple solution is to not allow user stack traces in NMI context. +After this patch, I ran the above "ls" test for a couple of hours +without any issues. Without this patch, the bug would trigger in less +than a minute. + +Reported-by: Li Zefan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1191,6 +1191,13 @@ ftrace_trace_userstack(struct ring_buffe + if (!(trace_flags & TRACE_ITER_USERSTACKTRACE)) + return; + ++ /* ++ * NMIs can not handle page faults, even with fix ups. ++ * The save user stack can (and often does) fault. ++ */ ++ if (unlikely(in_nmi())) ++ return; ++ + event = trace_buffer_lock_reserve(buffer, TRACE_USER_STACK, + sizeof(*entry), flags, pc); + if (!event) diff --git a/queue-2.6.33/tracing-fix-warning-in-s_next-of-trace-file-ops.patch b/queue-2.6.33/tracing-fix-warning-in-s_next-of-trace-file-ops.patch new file mode 100644 index 00000000000..09b2bbd2d54 --- /dev/null +++ b/queue-2.6.33/tracing-fix-warning-in-s_next-of-trace-file-ops.patch 
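Review bot: The comment above the new `in_nmi()` test in ftrace_trace_userstack() does not carry the reason given in the commit message. There, the problem is that a page fault taken inside the NMI corrupts the fault the NMI interrupted, and the author suspects CR2 is not saved and restored across NMI handling. I would reword it along the lines of `/* A fault taken in NMI context can corrupt an interrupted page fault (CR2 does not appear to be saved across NMI); saving the user stack often faults, so skip it here. */`. The early return also drops the user stack record silently, so a reader of the trace cannot tell that it was suppressed; a sentence on that in the function's header comment would help. The function body continues outside the hunk.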
@@ -0,0 +1,46 @@ +From ac91d85456372a90af5b85eb6620fd2efb1e431b Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Tue, 2 Mar 2010 17:54:50 +0800 +Subject: tracing: Fix warning in s_next of trace file ops + +From: Lai Jiangshan + +commit ac91d85456372a90af5b85eb6620fd2efb1e431b upstream. + +This warning in s_next() can be triggered by lseek(): + [] ? s_next+0x77/0x80 + [] warn_slowpath_common+0x81/0xa0 + [] ? s_next+0x77/0x80 + [] warn_slowpath_null+0x1a/0x20 + [] s_next+0x77/0x80 + [] traverse+0x117/0x200 + [] seq_lseek+0xa3/0x120 + [] ? seq_lseek+0x0/0x120 + [] vfs_llseek+0x41/0x50 + [] sys_llseek+0x66/0xa0 + [] sysenter_do_call+0x12/0x26 + +The iterator "leftover" variable is zeroed in the opening of the trace +file. But lseek can call s_start() which will call s_next() without +reseting the "leftover" variable back to zero, which might trigger +the WARN_ON_ONCE(iter->leftover) that is in s_next(). + +Signed-off-by: Lai Jiangshan +LKML-Reference: <4B8CE06A.9090207@cn.fujitsu.com> +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1628,6 +1628,7 @@ static void *s_start(struct seq_file *m, + + ftrace_enable_cpu(); + ++ iter->leftover = 0; + for (p = iter; p && l < *pos; p = s_next(m, p, &l)) + ; + diff --git a/queue-2.6.33/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch b/queue-2.6.33/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch new file mode 100644 index 00000000000..68fa59f1a6a --- /dev/null +++ b/queue-2.6.33/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch 
@@ -0,0 +1,66 @@ +From 283740c619d211e34572cc93c8cdba92ccbdb9cc Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 19:48:41 -0500 +Subject: tracing: Use same local variable when resetting the ring buffer + +From: Steven Rostedt + +commit 283740c619d211e34572cc93c8cdba92ccbdb9cc upstream. + +In the ftrace code that resets the ring buffer it references the +buffer with a local variable, but then uses the tr->buffer as the +parameter to reset. If the wakeup tracer is running, which can +switch the tr->buffer with the max saved buffer, this can break +the requirement of disabling the buffer before the reset. + + buffer = tr->buffer; + ring_buffer_record_disable(buffer); + synchronize_sched(); + __tracing_reset(tr->buffer, cpu); + +If the tr->buffer is swapped, then the reset is not happening to the +buffer that was disabled. This will cause the ring buffer to fail. + +Found with Li Zefan's ftrace_stress_test. + +Reported-by: Lai Jiangshan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -747,10 +747,10 @@ out: + mutex_unlock(&trace_types_lock); + } + +-static void __tracing_reset(struct trace_array *tr, int cpu) ++static void __tracing_reset(struct ring_buffer *buffer, int cpu) + { + ftrace_disable_cpu(); +- ring_buffer_reset_cpu(tr->buffer, cpu); ++ ring_buffer_reset_cpu(buffer, cpu); + ftrace_enable_cpu(); + } + +@@ -762,7 +762,7 @@ void tracing_reset(struct trace_array *t + + /* Make sure all commits have finished */ + synchronize_sched(); +- __tracing_reset(tr, cpu); ++ __tracing_reset(buffer, cpu); + + ring_buffer_record_enable(buffer); + } +@@ -780,7 +780,7 @@ void tracing_reset_online_cpus(struct tr + tr->time_start = ftrace_now(tr->cpu); + + for_each_online_cpu(cpu) +- __tracing_reset(tr, cpu); ++ __tracing_reset(buffer, cpu); + + ring_buffer_record_enable(buffer); + } 
diff --git a/queue-2.6.33/x86-stacktrace-don-t-dereference-bad-frame-pointers.patch b/queue-2.6.33/x86-stacktrace-don-t-dereference-bad-frame-pointers.patch
new file mode 100644
index 00000000000..98a47bbcbf3
--- /dev/null
+++ b/queue-2.6.33/x86-stacktrace-don-t-dereference-bad-frame-pointers.patch
@@ -0,0 +1,64 @@ +From 29044ad1509ecc229f1d5a31aeed7a8dc61a71c4 Mon Sep 17 00:00:00 2001 +From: Frederic Weisbecker +Date: Wed, 3 Mar 2010 02:25:22 +0100 +Subject: x86/stacktrace: Don't dereference bad frame pointers + +From: Frederic Weisbecker + +commit 29044ad1509ecc229f1d5a31aeed7a8dc61a71c4 upstream. + +Callers of a stacktrace might pass bad frame pointers. Those +are usually checked for safety in stack walking helpers before +any dereferencing, but this is not the case when we need to go +through one more frame pointer that backlinks the irq stack to +the previous one, as we don't have any reliable address boudaries +to compare this frame pointer against. + +This raises crashes when we record callchains for ftrace events +with perf because we don't use the right helpers to capture +registers there. We get wrong frame pointers as we call +task_pt_regs() even on kernel threads, which is a wrong thing +as it gives us the initial state of any kernel threads freshly +created. This is even not what we want for user tasks. What we want +is a hot snapshot of registers when the ftrace event triggers, not +the state before a task entered the kernel. + +This requires more thoughts to do it correctly though. +So first put a guardian to ensure the given frame pointer +can be dereferenced to avoid crashes. We'll think about how to fix +the callers in a subsequent patch. + +Signed-off-by: Frederic Weisbecker +Cc: Ingo Molnar +Cc: Thomas Gleixner +Cc: H. 
Peter Anvin +Cc: Peter Zijlstra +Cc: Paul Mackerras +Cc: Steven Rostedt +Cc: Arnaldo Carvalho de Melo +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/dumpstack_64.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/dumpstack_64.c ++++ b/arch/x86/kernel/dumpstack_64.c +@@ -125,9 +125,15 @@ fixup_bp_irq_link(unsigned long bp, unsi + { + #ifdef CONFIG_FRAME_POINTER + struct stack_frame *frame = (struct stack_frame *)bp; ++ unsigned long next; + +- if (!in_irq_stack(stack, irq_stack, irq_stack_end)) +- return (unsigned long)frame->next_frame; ++ if (!in_irq_stack(stack, irq_stack, irq_stack_end)) { ++ if (!probe_kernel_address(&frame->next_frame, next)) ++ return next; ++ else ++ WARN_ONCE(1, "Perf: bad frame pointer = %p in " ++ "callchain\n", &frame->next_frame); ++ } + #endif + return bp; + } diff --git a/queue-2.6.33/x86_64-cpa-don-t-work-hard-in-preserving-kernel-2m-mappings-when-using-4k-already.patch b/queue-2.6.33/x86_64-cpa-don-t-work-hard-in-preserving-kernel-2m-mappings-when-using-4k-already.patch new file mode 100644 index 00000000000..4ef50cc8e15 --- /dev/null +++ b/queue-2.6.33/x86_64-cpa-don-t-work-hard-in-preserving-kernel-2m-mappings-when-using-4k-already.patch 
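Review bot: When `probe_kernel_address()` fails in fixup_bp_irq_link(), control leaves the new block and reaches `return bp;`, so the frame pointer just found unreadable is handed back to the caller unchanged. Whether every caller validates it before dereferencing is outside the hunk; the commit message says the stack-walking helpers usually do. The fall-through should at least be documented, for example `/* bad irq-stack link: return bp as-is, the walker must bounds-check it before use */`. The `WARN_ONCE` prints `&frame->next_frame` under the label "bad frame pointer"; passing `(void *)bp` would match the message text. The `else` after `return next;` is redundant.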
@@ -0,0 +1,74 @@ +From 281ff33b7c1b1ba2a5f9b03425e5f692a94913fa Mon Sep 17 00:00:00 2001 +From: Suresh Siddha +Date: Thu, 18 Feb 2010 11:51:40 -0800 +Subject: x86_64, cpa: Don't work hard in preserving kernel 2M mappings when using 4K already + +From: Suresh Siddha + +commit 281ff33b7c1b1ba2a5f9b03425e5f692a94913fa upstream. + +We currently enforce the !RW mapping for the kernel mapping that maps +holes between different text, rodata and data sections. However, kernel +identity mappings will have different RWX permissions to the pages mapping to +text and to the pages padding (which are freed) the text, rodata sections. +Hence kernel identity mappings will be broken to smaller pages. For 64-bit, +kernel text and kernel identity mappings are different, so we can enable +protection checks that come with CONFIG_DEBUG_RODATA, as well as retain 2MB +large page mappings for kernel text. + +Konrad reported a boot failure with the Linux Xen paravirt guest because of +this. In this paravirt guest case, the kernel text mapping and the kernel +identity mapping share the same page-table pages. Thus forcing the !RW mapping +for some of the kernel mappings also cause the kernel identity mappings to be +read-only resulting in the boot failure. Linux Xen paravirt guest also +uses 4k mappings and don't use 2M mapping. + +Fix this issue and retain large page performance advantage for native kernels +by not working hard and not enforcing !RW for the kernel text mapping, +if the current mapping is already using small page mapping. + +Reported-by: Konrad Rzeszutek Wilk +Signed-off-by: Suresh Siddha +LKML-Reference: <1266522700.2909.34.camel@sbs-t61.sc.intel.com> +Tested-by: Konrad Rzeszutek Wilk +Signed-off-by: H. 
Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/pageattr.c | 25 +++++++++++++++++++++++-- + 1 file changed, 23 insertions(+), 2 deletions(-) + +--- a/arch/x86/mm/pageattr.c ++++ b/arch/x86/mm/pageattr.c +@@ -291,8 +291,29 @@ static inline pgprot_t static_protection + */ + if (kernel_set_to_readonly && + within(address, (unsigned long)_text, +- (unsigned long)__end_rodata_hpage_align)) +- pgprot_val(forbidden) |= _PAGE_RW; ++ (unsigned long)__end_rodata_hpage_align)) { ++ unsigned int level; ++ ++ /* ++ * Don't enforce the !RW mapping for the kernel text mapping, ++ * if the current mapping is already using small page mapping. ++ * No need to work hard to preserve large page mappings in this ++ * case. ++ * ++ * This also fixes the Linux Xen paravirt guest boot failure ++ * (because of unexpected read-only mappings for kernel identity ++ * mappings). In this paravirt guest case, the kernel text ++ * mapping and the kernel identity mapping share the same ++ * page-table pages. Thus we can't really use different ++ * protections for the kernel text and identity mappings. Also, ++ * these shared mappings are made of small page mappings. ++ * Thus this don't enforce !RW mapping for small page kernel ++ * text mapping logic will help Linux Xen parvirt guest boot ++ * aswell. ++ */ ++ if (lookup_address(address, &level) && (level != PG_LEVEL_4K)) ++ pgprot_val(forbidden) |= _PAGE_RW; ++ } + #endif + + prot = __pgprot(pgprot_val(prot) & ~pgprot_val(forbidden)); -- 2.47.3
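Review bot: The new test `lookup_address(address, &level) && (level != PG_LEVEL_4K)` in static_protections() also skips the `_PAGE_RW` restriction when lookup_address() returns NULL, not only when the mapping is 4K. If that case can occur for an address between `_text` and `__end_rodata_hpage_align`, the check fails open. If only the 4K case is meant to be exempt, keep the pointer and test `if (!pte || level != PG_LEVEL_4K)` before `pgprot_val(forbidden) |= _PAGE_RW;`. For 4K-mapped kernels this branch no longer keeps that range read-only, so write protection of text and rodata there rests on the other checks in this function, which are outside the hunk. The long comment should name the check that still covers it.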