From a01a622651b2b87bbe154e2d613076d84d24186b Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Fri, 22 Oct 2010 09:54:02 -0700 Subject: [PATCH] .33 patches please ignore --- ...ista-compatibility-for-toshiba-p305d.patch | 38 +++ ...dmi-entry-for-toshiba-satellite-l355.patch | 35 +++ ...y-clearing-pciexp_wake_sts-on-resume.patch | 40 +++ .../b44-fix-carrier-detection-on-bind.patch | 41 +++ ...e-interactivity-with-large-arguments.patch | 40 +++ ...sive-to-sigkill-with-large-arguments.patch | 54 ++++ ...event-lenovo-ideapad-s10-3-boot-hang.patch | 58 ++++ ...s-where-the-sprom-address-is-changed.patch | 228 ++++++++++++++++ queue-2.6.33/series | 17 ++ ...ges-diagnose-excessive-argument-size.patch | 46 ++++ ...-not-read-sprom-if-it-does-not-exist.patch | 141 ++++++++++ ...r-deref-when-pcihost_wrapper-is-used.patch | 56 ++++ ...ssb-handle-alternate-ssprom-location.patch | 66 +++++ ...at-different-offset-on-higher-rev-cc.patch | 91 +++++++ ...ummy-trampoline-related-inline-stubs.patch | 36 +++ ...e-1-1-pagetables-from-swapper_pg_dir.patch | 252 ++++++++++++++++++ ...ect-scattered-cpuid-features-earlier.patch | 44 +++ ...fig_vmsplit_1g-and-2g_opt-trampoline.patch | 35 +++ 18 files changed, 1318 insertions(+) create mode 100644 queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch create mode 100644 queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch create mode 100644 queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch create mode 100644 queue-2.6.33/b44-fix-carrier-detection-on-bind.patch create mode 100644 queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch create mode 100644 queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch create mode 100644 queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch create mode 100644 queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch create mode 100644 queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch create mode 100644 queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch create mode 100644 queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch create mode 100644 queue-2.6.33/ssb-handle-alternate-ssprom-location.patch create mode 100644 queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch create mode 100644 queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch create mode 100644 queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch create mode 100644 queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch create mode 100644 queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch diff --git a/queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch b/queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch new file mode 100644 index 00000000000..b4c5a153a35 --- /dev/null +++ b/queue-2.6.33/acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch @@ -0,0 +1,38 @@ +From 337279ce3aa85d81d34c0f837d1c204df105103b Mon Sep 17 00:00:00 2001 +From: Zhang Rui +Date: Tue, 28 Sep 2010 22:48:55 -0400 +Subject: ACPI: Disable Windows Vista compatibility for Toshiba P305D + +From: Zhang Rui + +commit 337279ce3aa85d81d34c0f837d1c204df105103b upstream. + +Disable the Windows Vista (SP1) compatibility for Toshiba P305D. + +http://bugzilla.kernel.org/show_bug.cgi?id=14736 + +Signed-off-by: Zhang Rui +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/blacklist.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/blacklist.c ++++ b/drivers/acpi/blacklist.c +@@ -233,6 +233,14 @@ static struct dmi_system_id acpi_osi_dmi + DMI_MATCH(DMI_PRODUCT_NAME, "K50IJ"), + }, + }, ++ { ++ .callback = dmi_disable_osi_vista, ++ .ident = "Toshiba P305D", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Satellite P305D"), ++ }, ++ }, + + /* + * BIOS invocation of _OSI(Linux) is almost always a BIOS bug. diff --git a/queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch b/queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch new file mode 100644 index 00000000000..d9d30260e53 --- /dev/null +++ b/queue-2.6.33/acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch @@ -0,0 +1,35 @@ +From 7a1d602f5fc35d14907b7da98d5627acb69589d1 Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Tue, 28 Sep 2010 17:51:51 -0400 +Subject: ACPI: EC: add Vista incompatibility DMI entry for Toshiba Satellite L355 + +From: Len Brown + +commit 7a1d602f5fc35d14907b7da98d5627acb69589d1 upstream. + +https://bugzilla.kernel.org/show_bug.cgi?id=12641 + +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/blacklist.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +--- a/drivers/acpi/blacklist.c ++++ b/drivers/acpi/blacklist.c +@@ -218,6 +218,14 @@ static struct dmi_system_id acpi_osi_dmi + }, + }, + { ++ .callback = dmi_disable_osi_vista, ++ .ident = "Toshiba Satellite L355", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "TOSHIBA"), ++ DMI_MATCH(DMI_PRODUCT_VERSION, "Satellite L355"), ++ }, ++ }, ++ { + .callback = dmi_disable_osi_win7, + .ident = "ASUS K50IJ", + .matches = { diff --git a/queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch b/queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch new file mode 100644 index 00000000000..7efcaba8d30 --- /dev/null +++ b/queue-2.6.33/acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch @@ -0,0 +1,40 @@ +From 573b638158029898caf9470c8214b7ddd29751e3 Mon Sep 17 00:00:00 2001 +From: Colin Ian King +Date: Mon, 2 Aug 2010 15:14:43 +0000 +Subject: ACPI: enable repeated PCIEXP wakeup by clearing PCIEXP_WAKE_STS on resume + +From: Colin Ian King + +commit 573b638158029898caf9470c8214b7ddd29751e3 upstream. + +Section 4.7.3.1.1 (PM1 Status Registers) of version 4.0 of +the ACPI spec concerning PCIEXP_WAKE_STS points out in +in the final note field in table 4-11 that if this bit is +set to 1 and the system is put into a sleeping state then +the system will not automatically wake. + +This bit gets set by hardware to indicate that the system +woke up due to a PCI Express wakeup event, so clear it during +acpi_hw_clear_acpi_status() calls to enable subsequent +resumes to work. + +BugLink: http://bugs.launchpad.net/bugs/613381 + +Signed-off-by: Colin Ian King +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/acpi/acpica/aclocal.h | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/acpi/acpica/aclocal.h ++++ b/drivers/acpi/acpica/aclocal.h +@@ -846,6 +846,7 @@ struct acpi_bit_register_info { + ACPI_BITMASK_POWER_BUTTON_STATUS | \ + ACPI_BITMASK_SLEEP_BUTTON_STATUS | \ + ACPI_BITMASK_RT_CLOCK_STATUS | \ ++ ACPI_BITMASK_PCIEXP_WAKE_DISABLE | \ + ACPI_BITMASK_WAKE_STATUS) + + #define ACPI_BITMASK_TIMER_ENABLE 0x0001 diff --git a/queue-2.6.33/b44-fix-carrier-detection-on-bind.patch b/queue-2.6.33/b44-fix-carrier-detection-on-bind.patch new file mode 100644 index 00000000000..79f8f963f3a --- /dev/null +++ b/queue-2.6.33/b44-fix-carrier-detection-on-bind.patch @@ -0,0 +1,41 @@ +From bcf64aa379fcadd074449cbf0c049da70071b06f Mon Sep 17 00:00:00 2001 +From: Paul Fertser +Date: Mon, 11 Oct 2010 15:45:35 -0700 +Subject: b44: fix carrier detection on bind + +From: Paul Fertser + +commit bcf64aa379fcadd074449cbf0c049da70071b06f upstream. + +For carrier detection to work properly when binding the driver with a cable +unplugged, netif_carrier_off() should be called after register_netdev(), +not before. + +Signed-off-by: Paul Fertser +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/b44.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/b44.c ++++ b/drivers/net/b44.c +@@ -2175,8 +2175,6 @@ static int __devinit b44_init_one(struct + dev->irq = sdev->irq; + SET_ETHTOOL_OPS(dev, &b44_ethtool_ops); + +- netif_carrier_off(dev); +- + err = ssb_bus_powerup(sdev->bus, 0); + if (err) { + dev_err(sdev->dev, +@@ -2216,6 +2214,8 @@ static int __devinit b44_init_one(struct + goto err_out_powerdown; + } + ++ netif_carrier_off(dev); ++ + ssb_set_drvdata(sdev, dev); + + /* Chip reset provides power to the b44 MAC & PCI cores, which diff --git a/queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch b/queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch new file mode 100644 index 00000000000..2679509f5d6 --- /dev/null +++ b/queue-2.6.33/execve-improve-interactivity-with-large-arguments.patch @@ -0,0 +1,40 @@ +From 7993bc1f4663c0db67bb8f0d98e6678145b387cd Mon Sep 17 00:00:00 2001 +From: Roland McGrath +Date: Tue, 7 Sep 2010 19:36:28 -0700 +Subject: execve: improve interactivity with large arguments + +From: Roland McGrath + +commit 7993bc1f4663c0db67bb8f0d98e6678145b387cd upstream. + +This adds a preemption point during the copying of the argument and +environment strings for execve, in copy_strings(). There is already +a preemption point in the count() loop, so this doesn't add any new +points in the abstract sense. + +When the total argument+environment strings are very large, the time +spent copying them can be much more than a normal user time slice. +So this change improves the interactivity of the rest of the system +when one process is doing an execve with very large arguments. + +Signed-off-by: Roland McGrath +Reviewed-by: KOSAKI Motohiro +Signed-off-by: Linus Torvalds +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -418,6 +418,8 @@ static int copy_strings(int argc, char _ + while (len > 0) { + int offset, bytes_to_copy; + ++ cond_resched(); ++ + offset = pos % PAGE_SIZE; + if (offset == 0) + offset = PAGE_SIZE; diff --git a/queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch b/queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch new file mode 100644 index 00000000000..97f29780192 --- /dev/null +++ b/queue-2.6.33/execve-make-responsive-to-sigkill-with-large-arguments.patch @@ -0,0 +1,54 @@ +From 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 Mon Sep 17 00:00:00 2001 +From: Roland McGrath +Date: Tue, 7 Sep 2010 19:37:06 -0700 +Subject: execve: make responsive to SIGKILL with large arguments + +From: Roland McGrath + +commit 9aea5a65aa7a1af9a4236dfaeb0088f1624f9919 upstream. + +An execve with a very large total of argument/environment strings +can take a really long time in the execve system call. It runs +uninterruptibly to count and copy all the strings. This change +makes it abort the exec quickly if sent a SIGKILL. + +Note that this is the conservative change, to interrupt only for +SIGKILL, by using fatal_signal_pending(). It would be perfectly +correct semantics to let any signal interrupt the string-copying in +execve, i.e. use signal_pending() instead of fatal_signal_pending(). +We'll save that change for later, since it could have user-visible +consequences, such as having a timer set too quickly make it so that +an execve can never complete, though it always happened to work before. + +Signed-off-by: Roland McGrath +Reviewed-by: KOSAKI Motohiro +Cc: Chuck Ebbert +Signed-off-by: Linus Torvalds + +--- + fs/exec.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -375,6 +375,9 @@ static int count(char __user * __user * + argv++; + if (i++ >= max) + return -E2BIG; ++ ++ if (fatal_signal_pending(current)) ++ return -ERESTARTNOHAND; + cond_resched(); + } + } +@@ -418,6 +421,10 @@ static int copy_strings(int argc, char _ + while (len > 0) { + int offset, bytes_to_copy; + ++ if (fatal_signal_pending(current)) { ++ ret = -ERESTARTNOHAND; ++ goto out; ++ } + cond_resched(); + + offset = pos % PAGE_SIZE; diff --git a/queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch b/queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch new file mode 100644 index 00000000000..00f8baa57f2 --- /dev/null +++ b/queue-2.6.33/intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch @@ -0,0 +1,58 @@ +From 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d Mon Sep 17 00:00:00 2001 +From: Len Brown +Date: Fri, 24 Sep 2010 21:02:27 -0400 +Subject: intel_idle: PCI quirk to prevent Lenovo Ideapad s10-3 boot hang + +From: Len Brown + +commit 4731fdcf6f7bdab3e369a3f844d4ea4d4017284d upstream. + +When the Lenovo Ideapad S10-3 is booted with HT enabled, +it hits a boot hang in the intel_idle driver. + +This occurs when entering ATM-C4 for the first time, +unless BM_STS is first cleared. + +acpi_idle doesn't see this because it first checks +and clears BM_STS, but it would hit the same hang +if that check were disabled. + +http://bugs.meego.com/show_bug.cgi?id=7093 +https://bugs.launchpad.net/ubuntu/+source/linux/+bug/634702 + +Signed-off-by: Len Brown +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/quirks.c | 20 ++++++++++++++++++++ + 1 file changed, 20 insertions(+) + +--- a/drivers/pci/quirks.c ++++ b/drivers/pci/quirks.c +@@ -155,6 +155,26 @@ DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NE + DECLARE_PCI_FIXUP_FINAL(PCI_VENDOR_ID_NEC, PCI_DEVICE_ID_NEC_CBUS_3, quirk_isa_dma_hangs); + + /* ++ * Intel NM10 "TigerPoint" LPC PM1a_STS.BM_STS must be clear ++ * for some HT machines to use C4 w/o hanging. ++ */ ++static void __devinit quirk_tigerpoint_bm_sts(struct pci_dev *dev) ++{ ++ u32 pmbase; ++ u16 pm1a; ++ ++ pci_read_config_dword(dev, 0x40, &pmbase); ++ pmbase = pmbase & 0xff80; ++ pm1a = inw(pmbase); ++ ++ if (pm1a & 0x10) { ++ dev_info(&dev->dev, FW_BUG "TigerPoint LPC.BM_STS cleared\n"); ++ outw(0x10, pmbase); ++ } ++} ++DECLARE_PCI_FIXUP_HEADER(PCI_VENDOR_ID_INTEL, PCI_DEVICE_ID_INTEL_TGP_LPC, quirk_tigerpoint_bm_sts); ++ ++/* + * Chipsets where PCI->PCI transfers vanish or hang + */ + static void __devinit quirk_nopcipci(struct pci_dev *dev) diff --git a/queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch b/queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch new file mode 100644 index 00000000000..b38d367ad2c --- /dev/null +++ b/queue-2.6.33/revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch @@ -0,0 +1,228 @@ +From 7fc0405db42af7c170c6eb5d0244b38b54ea7d2c Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman +Date: Fri, 6 Aug 2010 10:22:56 -0700 +Subject: Revert "ssb: Handle Netbook devices where the SPROM address is changed" + +From: Greg Kroah-Hartman + +Turns out this isn't the best way to resolve this issue. The +individual patches will be applied instead. + +Cc: Larry Finger +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/driver_chipcommon.c | 3 - + drivers/ssb/driver_chipcommon_pmu.c | 17 ++++++----- + drivers/ssb/pci.c | 46 +++--------------------------- + drivers/ssb/sprom.c | 15 --------- + include/linux/ssb/ssb.h | 1 + include/linux/ssb/ssb_driver_chipcommon.h | 2 - + include/linux/ssb/ssb_regs.h | 3 - + 7 files changed, 17 insertions(+), 70 deletions(-) + +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -233,9 +233,6 @@ void ssb_chipcommon_init(struct ssb_chip + { + if (!cc->dev) + return; /* We don't have a ChipCommon */ +- if (cc->dev->id.revision >= 11) +- cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); +- ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +--- a/drivers/ssb/driver_chipcommon_pmu.c ++++ b/drivers/ssb/driver_chipcommon_pmu.c +@@ -495,9 +495,9 @@ static void ssb_pmu_resources_init(struc + chipco_write32(cc, SSB_CHIPCO_PMU_MAXRES_MSK, max_msk); + } + +-/* http://bcm-v4.sipsolutions.net/802.11/SSB/PmuInit */ + void ssb_pmu_init(struct ssb_chipcommon *cc) + { ++ struct ssb_bus *bus = cc->dev->bus; + u32 pmucap; + + if (!(cc->capabilities & SSB_CHIPCO_CAP_PMU)) +@@ -509,12 +509,15 @@ void ssb_pmu_init(struct ssb_chipcommon + ssb_dprintk(KERN_DEBUG PFX "Found rev %u PMU (capabilities 0x%08X)\n", + cc->pmu.rev, pmucap); + +- if (cc->pmu.rev == 1) +- chipco_mask32(cc, SSB_CHIPCO_PMU_CTL, +- ~SSB_CHIPCO_PMU_CTL_NOILPONW); +- else +- chipco_set32(cc, SSB_CHIPCO_PMU_CTL, +- SSB_CHIPCO_PMU_CTL_NOILPONW); ++ if (cc->pmu.rev >= 1) { ++ if ((bus->chip_id == 0x4325) && (bus->chip_rev < 2)) { ++ chipco_mask32(cc, SSB_CHIPCO_PMU_CTL, ++ ~SSB_CHIPCO_PMU_CTL_NOILPONW); ++ } else { ++ chipco_set32(cc, SSB_CHIPCO_PMU_CTL, ++ SSB_CHIPCO_PMU_CTL_NOILPONW); ++ } ++ } + ssb_pmu_pll_init(cc); + ssb_pmu_resources_init(cc); + } +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -22,7 +22,6 @@ + + #include "ssb_private.h" + +-bool ssb_is_sprom_available(struct ssb_bus *bus); + + /* Define the following to 1 to enable a printk on each coreswitch. */ + #define SSB_VERBOSE_PCICORESWITCH_DEBUG 0 +@@ -168,7 +167,7 @@ err_pci: + } + + /* Get the word-offset for a SSB_SPROM_XXX define. */ +-#define SPOFF(offset) ((offset) / sizeof(u16)) ++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16)) + /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */ + #define SPEX16(_outvar, _offset, _mask, _shift) \ + out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift)) +@@ -253,13 +252,8 @@ static int sprom_do_read(struct ssb_bus + { + int i; + +- /* Check if SPROM can be read */ +- if (ioread16(bus->mmio + bus->sprom_offset) == 0xFFFF) { +- ssb_printk(KERN_ERR PFX "Unable to read SPROM\n"); +- return -ENODEV; +- } + for (i = 0; i < bus->sprom_size; i++) +- sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2)); ++ sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2)); + + return 0; + } +@@ -290,7 +284,7 @@ static int sprom_do_write(struct ssb_bus + ssb_printk("75%%"); + else if (i % 2) + ssb_printk("."); +- writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2)); ++ writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2)); + mmiowb(); + msleep(20); + } +@@ -626,49 +620,21 @@ static int ssb_pci_sprom_get(struct ssb_ + int err = -ENOMEM; + u16 *buf; + +- if (!ssb_is_sprom_available(bus)) { +- ssb_printk(KERN_ERR PFX "No SPROM available!\n"); +- return -ENODEV; +- } +- if (bus->chipco.dev) { /* can be unavailible! */ +- /* +- * get SPROM offset: SSB_SPROM_BASE1 except for +- * chipcommon rev >= 31 or chip ID is 0x4312 and +- * chipcommon status & 3 == 2 +- */ +- if (bus->chipco.dev->id.revision >= 31) +- bus->sprom_offset = SSB_SPROM_BASE31; +- else if (bus->chip_id == 0x4312 && +- (bus->chipco.status & 0x03) == 2) +- bus->sprom_offset = SSB_SPROM_BASE31; +- else +- bus->sprom_offset = SSB_SPROM_BASE1; +- } else { +- bus->sprom_offset = SSB_SPROM_BASE1; +- } +- ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset); +- + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; + bus->sprom_size = SSB_SPROMSIZE_WORDS_R123; +- err = sprom_do_read(bus, buf); +- if (err) +- goto out_free; ++ sprom_do_read(bus, buf); + err = sprom_check_crc(buf, bus->sprom_size); + if (err) { + /* try for a 440 byte SPROM - revision 4 and higher */ + kfree(buf); + buf = kcalloc(SSB_SPROMSIZE_WORDS_R4, sizeof(u16), + GFP_KERNEL); +- if (!buf) { +- err = -ENOMEM; ++ if (!buf) + goto out; +- } + bus->sprom_size = SSB_SPROMSIZE_WORDS_R4; +- err = sprom_do_read(bus, buf); +- if (err) +- goto out_free; ++ sprom_do_read(bus, buf); + err = sprom_check_crc(buf, bus->sprom_size); + if (err) { + /* All CRC attempts failed. +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -175,18 +175,3 @@ const struct ssb_sprom *ssb_get_fallback + { + return fallback_sprom; + } +- +-/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */ +-bool ssb_is_sprom_available(struct ssb_bus *bus) +-{ +- /* status register only exists on chipcomon rev >= 11 and we need check +- for >= 31 only */ +- /* this routine differs from specs as we do not access SPROM directly +- on PCMCIA */ +- if (bus->bustype == SSB_BUSTYPE_PCI && +- bus->chipco.dev && /* can be unavailible! */ +- bus->chipco.dev->id.revision >= 31) +- return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; +- +- return true; +-} +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -306,7 +306,6 @@ struct ssb_bus { + u16 chip_id; + u16 chip_rev; + u16 sprom_size; /* number of words in sprom */ +- u16 sprom_offset; + u8 chip_package; + + /* List of devices (cores) on the backplane. */ +--- a/include/linux/ssb/ssb_driver_chipcommon.h ++++ b/include/linux/ssb/ssb_driver_chipcommon.h +@@ -46,7 +46,6 @@ + #define SSB_PLLTYPE_7 0x00038000 /* 25Mhz, 4 dividers */ + #define SSB_CHIPCO_CAP_PCTL 0x00040000 /* Power Control */ + #define SSB_CHIPCO_CAP_OTPS 0x00380000 /* OTP size */ +-#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */ + #define SSB_CHIPCO_CAP_OTPS_SHIFT 19 + #define SSB_CHIPCO_CAP_OTPS_BASE 5 + #define SSB_CHIPCO_CAP_JTAGM 0x00400000 /* JTAG master present */ +@@ -565,7 +564,6 @@ struct ssb_chipcommon_pmu { + struct ssb_chipcommon { + struct ssb_device *dev; + u32 capabilities; +- u32 status; + /* Fast Powerup Delay constant */ + u16 fast_pwrup_delay; + struct ssb_chipcommon_pmu pmu; +--- a/include/linux/ssb/ssb_regs.h ++++ b/include/linux/ssb/ssb_regs.h +@@ -170,8 +170,7 @@ + #define SSB_SPROMSIZE_WORDS_R4 220 + #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16)) + #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16)) +-#define SSB_SPROM_BASE1 0x1000 +-#define SSB_SPROM_BASE31 0x0800 ++#define SSB_SPROM_BASE 0x1000 + #define SSB_SPROM_REVISION 0x107E + #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */ + #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */ diff --git a/queue-2.6.33/series b/queue-2.6.33/series index fa993a2ba62..434afa6df7e 100644 --- a/queue-2.6.33/series +++ b/queue-2.6.33/series @@ -45,3 +45,20 @@ xfrm4-strip-ecn-and-ip-precedence-bits-in-policy-lookup.patch bsg-fix-incorrect-device_status-value.patch r6040-fix-r6040_multicast_list.patch r6040-fix-multicast-list-iteration-when-hash-filter-is-used.patch +b44-fix-carrier-detection-on-bind.patch +acpi-enable-repeated-pciexp-wakeup-by-clearing-pciexp_wake_sts-on-resume.patch +intel_idle-pci-quirk-to-prevent-lenovo-ideapad-s10-3-boot-hang.patch +acpi-ec-add-vista-incompatibility-dmi-entry-for-toshiba-satellite-l355.patch +acpi-disable-windows-vista-compatibility-for-toshiba-p305d.patch +x86-detect-scattered-cpuid-features-earlier.patch +setup_arg_pages-diagnose-excessive-argument-size.patch +execve-improve-interactivity-with-large-arguments.patch +execve-make-responsive-to-sigkill-with-large-arguments.patch +x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch +x86-32-fix-dummy-trampoline-related-inline-stubs.patch +x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch +revert-ssb-handle-netbook-devices-where-the-sprom-address-is-changed.patch +ssb-do-not-read-sprom-if-it-does-not-exist.patch +ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch +ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch +ssb-handle-alternate-ssprom-location.patch diff --git a/queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch b/queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch new file mode 100644 index 00000000000..d86739e6198 --- /dev/null +++ b/queue-2.6.33/setup_arg_pages-diagnose-excessive-argument-size.patch @@ -0,0 +1,46 @@ +From 1b528181b2ffa14721fb28ad1bd539fe1732c583 Mon Sep 17 00:00:00 2001 +From: Roland McGrath +Date: Tue, 7 Sep 2010 19:35:49 -0700 +Subject: setup_arg_pages: diagnose excessive argument size + +From: Roland McGrath + +commit 1b528181b2ffa14721fb28ad1bd539fe1732c583 upstream. + +The CONFIG_STACK_GROWSDOWN variant of setup_arg_pages() does not +check the size of the argument/environment area on the stack. +When it is unworkably large, shift_arg_pages() hits its BUG_ON. +This is exploitable with a very large RLIMIT_STACK limit, to +create a crash pretty easily. + +Check that the initial stack is not too large to make it possible +to map in any executable. We're not checking that the actual +executable (or intepreter, for binfmt_elf) will fit. So those +mappings might clobber part of the initial stack mapping. But +that is just userland lossage that userland made happen, not a +kernel problem. + +Signed-off-by: Roland McGrath +Reviewed-by: KOSAKI Motohiro +Signed-off-by: Linus Torvalds +Cc: Chuck Ebbert +Signed-off-by: Greg Kroah-Hartman + +--- + fs/exec.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/fs/exec.c ++++ b/fs/exec.c +@@ -593,6 +593,11 @@ int setup_arg_pages(struct linux_binprm + #else + stack_top = arch_align_stack(stack_top); + stack_top = PAGE_ALIGN(stack_top); ++ ++ if (unlikely(stack_top < mmap_min_addr) || ++ unlikely(vma->vm_end - vma->vm_start >= stack_top - mmap_min_addr)) ++ return -ENOMEM; ++ + stack_shift = vma->vm_end - stack_top; + + bprm->p -= stack_shift; diff --git a/queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch b/queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch new file mode 100644 index 00000000000..8f58897ce2f --- /dev/null +++ b/queue-2.6.33/ssb-do-not-read-sprom-if-it-does-not-exist.patch @@ -0,0 +1,141 @@ +From d53cdbb94a52a920d5420ed64d986c3523a56743 Mon Sep 17 00:00:00 2001 +From: John W. Linville +Date: Wed, 31 Mar 2010 21:39:35 +0200 +Subject: ssb: do not read SPROM if it does not exist +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: John W. Linville + +commit d53cdbb94a52a920d5420ed64d986c3523a56743 upstream. + +Attempting to read registers that don't exist on the SSB bus can cause +hangs on some boxes. At least some b43 devices are 'in the wild' that +don't have SPROMs at all. When the SSB bus support loads, it attempts +to read these (non-existant) SPROMs and causes hard hangs on the box -- +no console output, etc. + +This patch adds some intelligence to determine whether or not the SPROM +is present before attempting to read it. This avoids those hard hangs +on those devices with no SPROM attached to their SSB bus. The +SSB-attached devices (e.g. b43, et al.) won't work, but at least the box +will survive to test further patches. :-) + +Signed-off-by: John W. Linville +Signed-off-by: Rafał Miłecki +Cc: Larry Finger +Cc: Michael Buesch +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/driver_chipcommon.c | 2 ++ + drivers/ssb/pci.c | 5 +++++ + drivers/ssb/sprom.c | 14 ++++++++++++++ + include/linux/ssb/ssb.h | 3 +++ + include/linux/ssb/ssb_driver_chipcommon.h | 15 +++++++++++++++ + 5 files changed, 39 insertions(+) + +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -233,6 +233,8 @@ void ssb_chipcommon_init(struct ssb_chip + { + if (!cc->dev) + return; /* We don't have a ChipCommon */ ++ if (cc->dev->id.revision >= 11) ++ cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -620,6 +620,11 @@ static int ssb_pci_sprom_get(struct ssb_ + int err = -ENOMEM; + u16 *buf; + ++ if (!ssb_is_sprom_available(bus)) { ++ ssb_printk(KERN_ERR PFX "No SPROM available!\n"); ++ return -ENODEV; ++ } ++ + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -175,3 +175,17 @@ const struct ssb_sprom *ssb_get_fallback + { + return fallback_sprom; + } ++ ++/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */ ++bool ssb_is_sprom_available(struct ssb_bus *bus) ++{ ++ /* status register only exists on chipcomon rev >= 11 and we need check ++ for >= 31 only */ ++ /* this routine differs from specs as we do not access SPROM directly ++ on PCMCIA */ ++ if (bus->bustype == SSB_BUSTYPE_PCI && ++ bus->chipco.dev->id.revision >= 31) ++ return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; ++ ++ return true; ++} +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -394,6 +394,9 @@ extern int ssb_bus_sdiobus_register(stru + + extern void ssb_bus_unregister(struct ssb_bus *bus); + ++/* Does the device have an SPROM? */ ++extern bool ssb_is_sprom_available(struct ssb_bus *bus); ++ + /* Set a fallback SPROM. + * See kdoc at the function definition for complete documentation. */ + extern int ssb_arch_set_fallback_sprom(const struct ssb_sprom *sprom); +--- a/include/linux/ssb/ssb_driver_chipcommon.h ++++ b/include/linux/ssb/ssb_driver_chipcommon.h +@@ -53,6 +53,7 @@ + #define SSB_CHIPCO_CAP_64BIT 0x08000000 /* 64-bit Backplane */ + #define SSB_CHIPCO_CAP_PMU 0x10000000 /* PMU available (rev >= 20) */ + #define SSB_CHIPCO_CAP_ECI 0x20000000 /* ECI available (rev >= 20) */ ++#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */ + #define SSB_CHIPCO_CORECTL 0x0008 + #define SSB_CHIPCO_CORECTL_UARTCLK0 0x00000001 /* Drive UART with internal clock */ + #define SSB_CHIPCO_CORECTL_SE 0x00000002 /* sync clk out enable (corerev >= 3) */ +@@ -385,6 +386,7 @@ + + + /** Chip specific Chip-Status register contents. */ ++#define SSB_CHIPCO_CHST_4322_SPROM_EXISTS 0x00000040 /* SPROM present */ + #define SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL 0x00000003 + #define SSB_CHIPCO_CHST_4325_DEFCIS_SEL 0 /* OTP is powered up, use def. CIS, no SPROM */ + #define SSB_CHIPCO_CHST_4325_SPROM_SEL 1 /* OTP is powered up, SPROM is present */ +@@ -398,6 +400,18 @@ + #define SSB_CHIPCO_CHST_4325_RCAL_VALUE_SHIFT 4 + #define SSB_CHIPCO_CHST_4325_PMUTOP_2B 0x00000200 /* 1 for 2b, 0 for to 2a */ + ++/** Macros to determine SPROM presence based on Chip-Status register. */ ++#define SSB_CHIPCO_CHST_4312_SPROM_PRESENT(status) \ ++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_OTP_SEL) ++#define SSB_CHIPCO_CHST_4322_SPROM_PRESENT(status) \ ++ (status & SSB_CHIPCO_CHST_4322_SPROM_EXISTS) ++#define SSB_CHIPCO_CHST_4325_SPROM_PRESENT(status) \ ++ (((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_DEFCIS_SEL) && \ ++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_OTP_SEL)) ++ + + + /** Clockcontrol masks and values **/ +@@ -564,6 +578,7 @@ struct ssb_chipcommon_pmu { + struct ssb_chipcommon { + struct ssb_device *dev; + u32 capabilities; ++ u32 status; + /* Fast Powerup Delay constant */ + u16 fast_pwrup_delay; + struct ssb_chipcommon_pmu pmu; diff --git a/queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch b/queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch new file mode 100644 index 00000000000..5e7559cd827 --- /dev/null +++ b/queue-2.6.33/ssb-fix-null-ptr-deref-when-pcihost_wrapper-is-used.patch @@ -0,0 +1,56 @@ +From da1fdb02d9200ff28b6f3a380d21930335fe5429 Mon Sep 17 00:00:00 2001 +From: Christoph Fritz +Date: Fri, 28 May 2010 10:45:59 +0200 +Subject: ssb: fix NULL ptr deref when pcihost_wrapper is used + +From: Christoph Fritz + +commit da1fdb02d9200ff28b6f3a380d21930335fe5429 upstream. + +Ethernet driver b44 does register ssb by it's pcihost_wrapper +and doesn't set ssb_chipcommon. A check on this value +introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743 +and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers: + +BUG: unable to handle kernel NULL pointer dereference at 00000010 +IP: [] ssb_is_sprom_available+0x16/0x30 + +Signed-off-by: Christoph Fritz +Signed-off-by: John W. Linville +Cc: Larry Finger +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/pci.c | 9 ++++++--- + drivers/ssb/sprom.c | 1 + + 2 files changed, 7 insertions(+), 3 deletions(-) + +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -624,9 +624,12 @@ static int ssb_pci_sprom_get(struct ssb_ + ssb_printk(KERN_ERR PFX "No SPROM available!\n"); + return -ENODEV; + } +- +- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? +- SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ if (bus->chipco.dev) { /* can be unavailible! */ ++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? ++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ } else { ++ bus->sprom_offset = SSB_SPROM_BASE1; ++ } + + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -184,6 +184,7 @@ bool ssb_is_sprom_available(struct ssb_b + /* this routine differs from specs as we do not access SPROM directly + on PCMCIA */ + if (bus->bustype == SSB_BUSTYPE_PCI && ++ bus->chipco.dev && /* can be unavailible! */ + bus->chipco.dev->id.revision >= 31) + return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; + diff --git a/queue-2.6.33/ssb-handle-alternate-ssprom-location.patch b/queue-2.6.33/ssb-handle-alternate-ssprom-location.patch new file mode 100644 index 00000000000..b12eac3de0c --- /dev/null +++ b/queue-2.6.33/ssb-handle-alternate-ssprom-location.patch @@ -0,0 +1,66 @@ +From 9d1ac34ec3a67713308ae0883c3359c557f14d17 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Fri, 14 May 2010 22:08:58 -0500 +Subject: ssb: Handle alternate SSPROM location + +From: Larry Finger + +commit 9d1ac34ec3a67713308ae0883c3359c557f14d17 upstream. + +In kernel Bugzilla #15825 (2 users), in a wireless mailing list thread +(http://lists.infradead.org/pipermail/b43-dev/2010-May/000124.html), and on a +netbook owned by John Linville +(http://marc.info/?l=linux-wireless&m=127230751408818&w=4), there are reports +of ssb failing to detect an SPROM at the normal location. After studying the +MMIO trace dump for the Broadcom wl driver, it was determined that the affected +boxes had a relocated SPROM. + +This patch fixes all systems that have reported this problem. + +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ssb/driver_chipcommon.c | 1 + + drivers/ssb/pci.c | 15 +++++++++++++-- + 2 files changed, 14 insertions(+), 2 deletions(-) + +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -235,6 +235,7 @@ void ssb_chipcommon_init(struct ssb_chip + return; /* We don't have a ChipCommon */ + if (cc->dev->id.revision >= 11) + cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); ++ ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -625,11 +625,22 @@ static int ssb_pci_sprom_get(struct ssb_ + return -ENODEV; + } + if (bus->chipco.dev) { /* can be unavailible! */ +- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? +- SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ /* ++ * get SPROM offset: SSB_SPROM_BASE1 except for ++ * chipcommon rev >= 31 or chip ID is 0x4312 and ++ * chipcommon status & 3 == 2 ++ */ ++ if (bus->chipco.dev->id.revision >= 31) ++ bus->sprom_offset = SSB_SPROM_BASE31; ++ else if (bus->chip_id == 0x4312 && ++ (bus->chipco.status & 0x03) == 2) ++ bus->sprom_offset = SSB_SPROM_BASE31; ++ else ++ bus->sprom_offset = SSB_SPROM_BASE1; + } else { + bus->sprom_offset = SSB_SPROM_BASE1; + } ++ ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset); + + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) diff --git a/queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch b/queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch new file mode 100644 index 00000000000..5b939e7d201 --- /dev/null +++ b/queue-2.6.33/ssb-look-for-sprom-at-different-offset-on-higher-rev-cc.patch @@ -0,0 +1,91 @@ +From ea2db495f92ad2cf3301623e60cb95b4062bc484 Mon Sep 17 00:00:00 2001 +From: Rafał Miłecki +Date: Wed, 31 Mar 2010 21:59:21 +0200 +Subject: ssb: Look for SPROM at different offset on higher rev CC +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Rafał Miłecki + +commit ea2db495f92ad2cf3301623e60cb95b4062bc484 upstream. + +Our offset handling becomes even a little more hackish now. For some reason I +do not understand all offsets as inrelative. It assumes base offset is 0x1000 +but it will work for now as we make offsets relative anyway by removing base +0x1000. Should be cleaner however. + +Signed-off-by: Rafał Miłecki +Signed-off-by: John W. Linville +Cc: Larry Finger +Cc: Ben Hutchings +Signed-off-by: Greg Kroah-Hartman + + +--- + drivers/ssb/pci.c | 9 ++++++--- + include/linux/ssb/ssb.h | 1 + + include/linux/ssb/ssb_regs.h | 3 ++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -167,7 +167,7 @@ err_pci: + } + + /* Get the word-offset for a SSB_SPROM_XXX define. */ +-#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16)) ++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE1) / sizeof(u16)) + /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */ + #define SPEX16(_outvar, _offset, _mask, _shift) \ + out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift)) +@@ -253,7 +253,7 @@ static int sprom_do_read(struct ssb_bus + int i; + + for (i = 0; i < bus->sprom_size; i++) +- sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2)); ++ sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2)); + + return 0; + } +@@ -284,7 +284,7 @@ static int sprom_do_write(struct ssb_bus + ssb_printk("75%%"); + else if (i % 2) + ssb_printk("."); +- writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2)); ++ writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2)); + mmiowb(); + msleep(20); + } +@@ -625,6 +625,9 @@ static int ssb_pci_sprom_get(struct ssb_ + return -ENODEV; + } + ++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? ++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -305,6 +305,7 @@ struct ssb_bus { + /* ID information about the Chip. */ + u16 chip_id; + u16 chip_rev; ++ u16 sprom_offset; + u16 sprom_size; /* number of words in sprom */ + u8 chip_package; + +--- a/include/linux/ssb/ssb_regs.h ++++ b/include/linux/ssb/ssb_regs.h +@@ -170,7 +170,8 @@ + #define SSB_SPROMSIZE_WORDS_R4 220 + #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16)) + #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16)) +-#define SSB_SPROM_BASE 0x1000 ++#define SSB_SPROM_BASE1 0x1000 ++#define SSB_SPROM_BASE31 0x0800 + #define SSB_SPROM_REVISION 0x107E + #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */ + #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */ diff --git a/queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch b/queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch new file mode 100644 index 00000000000..a787183b697 --- /dev/null +++ b/queue-2.6.33/x86-32-fix-dummy-trampoline-related-inline-stubs.patch @@ -0,0 +1,36 @@ +From 8848a91068c018bc91f597038a0f41462a0f88a4 Mon Sep 17 00:00:00 2001 +From: H. Peter Anvin +Date: Wed, 18 Aug 2010 11:42:23 -0700 +Subject: x86-32: Fix dummy trampoline-related inline stubs + +From: H. Peter Anvin + +commit 8848a91068c018bc91f597038a0f41462a0f88a4 upstream. + +Fix dummy inline stubs for trampoline-related functions when no +trampolines exist (until we get rid of the no-trampoline case +entirely.) + +Signed-off-by: H. Peter Anvin +Cc: Joerg Roedel +Cc: Borislav Petkov +LKML-Reference: <4C6C294D.3030404@zytor.com> +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/trampoline.h | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/x86/include/asm/trampoline.h ++++ b/arch/x86/include/asm/trampoline.h +@@ -22,8 +22,8 @@ extern unsigned long setup_trampoline(vo + extern void __init setup_trampoline_page_table(void); + extern void __init reserve_trampoline_memory(void); + #else +-static inline void reserve_trampoline_memory(void) {}; +-extern void __init setup_trampoline_page_table(void) {}; ++static inline void setup_trampoline_page_table(void) {} ++static inline void reserve_trampoline_memory(void) {} + #endif /* CONFIG_X86_TRAMPOLINE */ + + #endif /* __ASSEMBLY__ */ diff --git a/queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch b/queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch new file mode 100644 index 00000000000..7cbf6f67a6a --- /dev/null +++ b/queue-2.6.33/x86-32-separate-1-1-pagetables-from-swapper_pg_dir.patch @@ -0,0 +1,252 @@ +From fd89a137924e0710078c3ae855e7cec1c43cb845 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel +Date: Mon, 16 Aug 2010 14:38:33 +0200 +Subject: x86-32: Separate 1:1 pagetables from swapper_pg_dir + +From: Joerg Roedel + +commit fd89a137924e0710078c3ae855e7cec1c43cb845 upstream. + +This patch fixes machine crashes which occur when heavily exercising the +CPU hotplug codepaths on a 32-bit kernel. These crashes are caused by +AMD Erratum 383 and result in a fatal machine check exception. Here's +the scenario: + +1. On 32-bit, the swapper_pg_dir page table is used as the initial page +table for booting a secondary CPU. + +2. To make this work, swapper_pg_dir needs a direct mapping of physical +memory in it (the low mappings). By adding those low, large page (2M) +mappings (PAE kernel), we create the necessary conditions for Erratum +383 to occur. + +3. Other CPUs which do not participate in the off- and onlining game may +use swapper_pg_dir while the low mappings are present (when leave_mm is +called). For all steps below, the CPU referred to is a CPU that is using +swapper_pg_dir, and not the CPU which is being onlined. + +4. The presence of the low mappings in swapper_pg_dir can result +in TLB entries for addresses below __PAGE_OFFSET to be established +speculatively. These TLB entries are marked global and large. + +5. When the CPU with such TLB entry switches to another page table, this +TLB entry remains because it is global. + +6. The process then generates an access to an address covered by the +above TLB entry but there is a permission mismatch - the TLB entry +covers a large global page not accessible to userspace. + +7. Due to this permission mismatch a new 4kb, user TLB entry gets +established. Further, Erratum 383 provides for a small window of time +where both TLB entries are present. This results in an uncorrectable +machine check exception signalling a TLB multimatch which panics the +machine. + +There are two ways to fix this issue: + + 1. Always do a global TLB flush when a new cr3 is loaded and the + old page table was swapper_pg_dir. I consider this a hack hard + to understand and with performance implications + + 2. Do not use swapper_pg_dir to boot secondary CPUs like 64-bit + does. + +This patch implements solution 2. It introduces a trampoline_pg_dir +which has the same layout as swapper_pg_dir with low_mappings. This page +table is used as the initial page table of the booting CPU. Later in the +bringup process, it switches to swapper_pg_dir and does a global TLB +flush. This fixes the crashes in our test cases. + +-v2: switch to swapper_pg_dir right after entering start_secondary() so +that we are able to access percpu data which might not be mapped in the +trampoline page table. + +Signed-off-by: Joerg Roedel +LKML-Reference: <20100816123833.GB28147@aftab> +Signed-off-by: Borislav Petkov +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/pgtable_32.h | 1 + + arch/x86/include/asm/trampoline.h | 3 +++ + arch/x86/kernel/head_32.S | 8 +++++++- + arch/x86/kernel/setup.c | 2 ++ + arch/x86/kernel/smpboot.c | 32 +++++++++++++------------------- + arch/x86/kernel/trampoline.c | 18 ++++++++++++++++++ + 6 files changed, 44 insertions(+), 20 deletions(-) + +--- a/arch/x86/include/asm/pgtable_32.h ++++ b/arch/x86/include/asm/pgtable_32.h +@@ -27,6 +27,7 @@ struct mm_struct; + struct vm_area_struct; + + extern pgd_t swapper_pg_dir[1024]; ++extern pgd_t trampoline_pg_dir[1024]; + + static inline void pgtable_cache_init(void) { } + static inline void check_pgt_cache(void) { } +--- a/arch/x86/include/asm/trampoline.h ++++ b/arch/x86/include/asm/trampoline.h +@@ -13,14 +13,17 @@ extern unsigned char *trampoline_base; + + extern unsigned long init_rsp; + extern unsigned long initial_code; ++extern unsigned long initial_page_table; + extern unsigned long initial_gs; + + #define TRAMPOLINE_SIZE roundup(trampoline_end - trampoline_data, PAGE_SIZE) + + extern unsigned long setup_trampoline(void); ++extern void __init setup_trampoline_page_table(void); + extern void __init reserve_trampoline_memory(void); + #else + static inline void reserve_trampoline_memory(void) {}; ++extern void __init setup_trampoline_page_table(void) {}; + #endif /* CONFIG_X86_TRAMPOLINE */ + + #endif /* __ASSEMBLY__ */ +--- a/arch/x86/kernel/head_32.S ++++ b/arch/x86/kernel/head_32.S +@@ -328,7 +328,7 @@ ENTRY(startup_32_smp) + /* + * Enable paging + */ +- movl $pa(swapper_pg_dir),%eax ++ movl pa(initial_page_table), %eax + movl %eax,%cr3 /* set the page table pointer.. */ + movl %cr0,%eax + orl $X86_CR0_PG,%eax +@@ -608,6 +608,8 @@ ignore_int: + .align 4 + ENTRY(initial_code) + .long i386_start_kernel ++ENTRY(initial_page_table) ++ .long pa(swapper_pg_dir) + + /* + * BSS section +@@ -623,6 +625,10 @@ ENTRY(swapper_pg_dir) + #endif + swapper_pg_fixmap: + .fill 1024,4,0 ++#ifdef CONFIG_X86_TRAMPOLINE ++ENTRY(trampoline_pg_dir) ++ .fill 1024,4,0 ++#endif + ENTRY(empty_zero_page) + .fill 4096,1,0 + +--- a/arch/x86/kernel/setup.c ++++ b/arch/x86/kernel/setup.c +@@ -981,6 +981,8 @@ void __init setup_arch(char **cmdline_p) + paging_init(); + x86_init.paging.pagetable_setup_done(swapper_pg_dir); + ++ setup_trampoline_page_table(); ++ + tboot_probe(); + + #ifdef CONFIG_X86_64 +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -70,7 +70,6 @@ + + #ifdef CONFIG_X86_32 + u8 apicid_2_node[MAX_APICID]; +-static int low_mappings; + #endif + + /* State of each CPU */ +@@ -273,6 +272,18 @@ notrace static void __cpuinit start_seco + * fragile that we want to limit the things done here to the + * most necessary things. + */ ++ ++#ifdef CONFIG_X86_32 ++ /* ++ * Switch away from the trampoline page-table ++ * ++ * Do this before cpu_init() because it needs to access per-cpu ++ * data which may not be mapped in the trampoline page-table. ++ */ ++ load_cr3(swapper_pg_dir); ++ __flush_tlb_all(); ++#endif ++ + vmi_bringup(); + cpu_init(); + preempt_disable(); +@@ -291,12 +302,6 @@ notrace static void __cpuinit start_seco + enable_8259A_irq(0); + } + +-#ifdef CONFIG_X86_32 +- while (low_mappings) +- cpu_relax(); +- __flush_tlb_all(); +-#endif +- + /* This must be done before setting cpu_online_mask */ + set_cpu_sibling_map(raw_smp_processor_id()); + wmb(); +@@ -743,6 +748,7 @@ do_rest: + #ifdef CONFIG_X86_32 + /* Stack for startup_32 can be just as for start_secondary onwards */ + irq_ctx_init(cpu); ++ initial_page_table = __pa(&trampoline_pg_dir); + #else + clear_tsk_thread_flag(c_idle.idle, TIF_FORK); + initial_gs = per_cpu_offset(cpu); +@@ -883,20 +889,8 @@ int __cpuinit native_cpu_up(unsigned int + + per_cpu(cpu_state, cpu) = CPU_UP_PREPARE; + +-#ifdef CONFIG_X86_32 +- /* init low mem mapping */ +- clone_pgd_range(swapper_pg_dir, swapper_pg_dir + KERNEL_PGD_BOUNDARY, +- min_t(unsigned long, KERNEL_PGD_PTRS, KERNEL_PGD_BOUNDARY)); +- flush_tlb_all(); +- low_mappings = 1; +- + err = do_boot_cpu(apicid, cpu); + +- zap_low_mappings(false); +- low_mappings = 0; +-#else +- err = do_boot_cpu(apicid, cpu); +-#endif + if (err) { + pr_debug("do_boot_cpu failed %d\n", err); + return -EIO; +--- a/arch/x86/kernel/trampoline.c ++++ b/arch/x86/kernel/trampoline.c +@@ -1,6 +1,7 @@ + #include + + #include ++#include + #include + + #if defined(CONFIG_X86_64) && defined(CONFIG_ACPI_SLEEP) +@@ -37,3 +38,20 @@ unsigned long __trampinit setup_trampoli + memcpy(trampoline_base, trampoline_data, TRAMPOLINE_SIZE); + return virt_to_phys(trampoline_base); + } ++ ++void __init setup_trampoline_page_table(void) ++{ ++#ifdef CONFIG_X86_32 ++ /* Copy kernel address range */ ++ clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ min_t(unsigned long, KERNEL_PGD_PTRS, ++ KERNEL_PGD_BOUNDARY)); ++ ++ /* Initialize low mappings */ ++ clone_pgd_range(trampoline_pg_dir, ++ swapper_pg_dir + KERNEL_PGD_BOUNDARY, ++ min_t(unsigned long, KERNEL_PGD_PTRS, ++ KERNEL_PGD_BOUNDARY)); ++#endif ++} diff --git a/queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch b/queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch new file mode 100644 index 00000000000..e7b41569da5 --- /dev/null +++ b/queue-2.6.33/x86-detect-scattered-cpuid-features-earlier.patch @@ -0,0 +1,44 @@ +From 1dedefd1a066a795a87afca9c0236e1a94de9bf6 Mon Sep 17 00:00:00 2001 +From: Jacob Pan +Date: Wed, 19 May 2010 12:01:23 -0700 +Subject: x86: detect scattered cpuid features earlier + +From: Jacob Pan + +commit 1dedefd1a066a795a87afca9c0236e1a94de9bf6 upstream. + +Some extra CPU features such as ARAT is needed in early boot so +that x86_init function pointers can be set up properly. +http://lkml.org/lkml/2010/5/18/519 +At start_kernel() level, this patch moves init_scattered_cpuid_features() +from check_bugs() to setup_arch() -> early_cpu_init() which is earlier than +platform specific x86_init layer setup. Suggested by HPA. + +Signed-off-by: Jacob Pan +LKML-Reference: <1274295685-6774-2-git-send-email-jacob.jun.pan@linux.intel.com> +Acked-by: Thomas Gleixner +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/common.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/common.c ++++ b/arch/x86/kernel/cpu/common.c +@@ -576,6 +576,7 @@ void __cpuinit get_cpu_cap(struct cpuinf + if (c->extended_cpuid_level >= 0x80000007) + c->x86_power = cpuid_edx(0x80000007); + ++ init_scattered_cpuid_features(c); + } + + static void __cpuinit identify_cpu_without_cpuid(struct cpuinfo_x86 *c) +@@ -731,7 +732,6 @@ static void __cpuinit generic_identify(s + + get_model_name(c); /* Default name */ + +- init_scattered_cpuid_features(c); + detect_nopl(c); + } + diff --git a/queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch b/queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch new file mode 100644 index 00000000000..53b9c04d361 --- /dev/null +++ b/queue-2.6.33/x86-mm-fix-config_vmsplit_1g-and-2g_opt-trampoline.patch @@ -0,0 +1,35 @@ +From b7d460897739e02f186425b7276e3fdb1595cea7 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Tue, 24 Aug 2010 22:44:12 -0700 +Subject: x86, mm: Fix CONFIG_VMSPLIT_1G and 2G_OPT trampoline + +From: Hugh Dickins + +commit b7d460897739e02f186425b7276e3fdb1595cea7 upstream. + +rc2 kernel crashes when booting second cpu on this CONFIG_VMSPLIT_2G_OPT +laptop: whereas cloning from kernel to low mappings pgd range does need +to limit by both KERNEL_PGD_PTRS and KERNEL_PGD_BOUNDARY, cloning kernel +pgd range itself must not be limited by the smaller KERNEL_PGD_BOUNDARY. + +Signed-off-by: Hugh Dickins +LKML-Reference: +Signed-off-by: H. Peter Anvin +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/trampoline.c | 3 +-- + 1 file changed, 1 insertion(+), 2 deletions(-) + +--- a/arch/x86/kernel/trampoline.c ++++ b/arch/x86/kernel/trampoline.c +@@ -45,8 +45,7 @@ void __init setup_trampoline_page_table( + /* Copy kernel address range */ + clone_pgd_range(trampoline_pg_dir + KERNEL_PGD_BOUNDARY, + swapper_pg_dir + KERNEL_PGD_BOUNDARY, +- min_t(unsigned long, KERNEL_PGD_PTRS, +- KERNEL_PGD_BOUNDARY)); ++ KERNEL_PGD_PTRS); + + /* Initialize low mappings */ + clone_pgd_range(trampoline_pg_dir, -- 2.47.2