From bbdf29fde88e7870625d51575c4286bdeeb7f830 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Tue, 26 Mar 2013 10:39:28 -0700 Subject: [PATCH] 3.8-stable patches added patches: arm-tegra-fix-register-address-of-slink-controller.patch drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch drm-i915-bounds-check-execbuffer-relocation-count.patch i2c-tegra-check-the-clk_prepare_enable-return-value.patch kms-fix-edid-detailed-timing-frame-rate.patch kms-fix-edid-detailed-timing-vsync-parsing.patch mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch revert-drm-i915-write-backlight-harder.patch rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch tracing-fix-race-in-snapshot-swapping.patch tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch tracing-protect-tracer-flags-with-trace_types_lock.patch --- ...register-address-of-slink-controller.patch | 44 ++++ ...200.c-use-a-variable-for-storing-imr.patch | 203 ++++++++++++++++++ ...-include-linux-io.h-for-devm_ioremap.patch | 40 ++++ ...ds-check-execbuffer-relocation-count.patch | 53 +++++ ...-the-clk_prepare_enable-return-value.patch | 56 +++++ ...-fix-edid-detailed-timing-frame-rate.patch | 36 ++++ ...x-edid-detailed-timing-vsync-parsing.patch | 40 ++++ ...en-using-memory-overcommit-accouting.patch | 65 ++++++ ...not-call-mnt_drop_write-if-read-only.patch | 50 +++++ ...f-boundary-access-to-ibss-rate-table.patch | 40 ++++ ...vert-drm-i915-write-backlight-harder.patch | 72 +++++++ ...-problem-that-prevents-reassociation.patch | 142 ++++++++++++ ...-fix-schedule-while-atomic-bug-splat.patch | 60 ++++++ queue-3.8/series | 19 ++ ...tors-to-2048-to-handle-1m-sized-i-os.patch | 41 ++++ ...utual-chap-auth-on-big-endian-arches.patch | 42 ++++ ...robe-entry-by-calling-call_rcu_sched.patch | 41 ++++ ...racing-fix-race-in-snapshot-swapping.patch | 51 +++++ ...between-regular-and-snapshot-buffers.patch | 40 ++++ ...t-tracer-flags-with-trace_types_lock.patch | 61 ++++++ 20 files changed, 1196 insertions(+) create mode 100644 queue-3.8/arm-tegra-fix-register-address-of-slink-controller.patch create mode 100644 queue-3.8/drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch create mode 100644 queue-3.8/drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch create mode 100644 queue-3.8/drm-i915-bounds-check-execbuffer-relocation-count.patch create mode 100644 queue-3.8/i2c-tegra-check-the-clk_prepare_enable-return-value.patch create mode 100644 queue-3.8/kms-fix-edid-detailed-timing-frame-rate.patch create mode 100644 queue-3.8/kms-fix-edid-detailed-timing-vsync-parsing.patch create mode 100644 queue-3.8/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch create mode 100644 queue-3.8/mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch create mode 100644 queue-3.8/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch create mode 100644 queue-3.8/revert-drm-i915-write-backlight-harder.patch create mode 100644 queue-3.8/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch create mode 100644 queue-3.8/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch create mode 100644 queue-3.8/target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch create mode 100644 queue-3.8/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch create mode 100644 queue-3.8/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch create mode 100644 queue-3.8/tracing-fix-race-in-snapshot-swapping.patch create mode 100644 queue-3.8/tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch create mode 100644 queue-3.8/tracing-protect-tracer-flags-with-trace_types_lock.patch diff --git a/queue-3.8/arm-tegra-fix-register-address-of-slink-controller.patch b/queue-3.8/arm-tegra-fix-register-address-of-slink-controller.patch new file mode 100644 index 00000000000..dae35a8c25c --- /dev/null +++ b/queue-3.8/arm-tegra-fix-register-address-of-slink-controller.patch @@ -0,0 +1,44 @@ +From 57471c8d3c22873f70813820e6b4d2d1fea9629d Mon Sep 17 00:00:00 2001 +From: Laxman Dewangan +Date: Fri, 22 Mar 2013 12:35:06 -0600 +Subject: ARM: tegra: fix register address of slink controller + +From: Laxman Dewangan + +commit 57471c8d3c22873f70813820e6b4d2d1fea9629d upstream. + +Fix typo on register address of slink3 controller where register +address is wrongly set as 0x7000d480 but it is 0x7000d800. + +Signed-off-by: Laxman Dewangan +Signed-off-by: Stephen Warren +Signed-off-by: Arnd Bergmann +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/dts/tegra20.dtsi | 2 +- + arch/arm/boot/dts/tegra30.dtsi | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/arm/boot/dts/tegra20.dtsi ++++ b/arch/arm/boot/dts/tegra20.dtsi +@@ -314,7 +314,7 @@ + + spi@7000d800 { + compatible = "nvidia,tegra20-slink"; +- reg = <0x7000d480 0x200>; ++ reg = <0x7000d800 0x200>; + interrupts = <0 83 0x04>; + nvidia,dma-request-selector = <&apbdma 17>; + #address-cells = <1>; +--- a/arch/arm/boot/dts/tegra30.dtsi ++++ b/arch/arm/boot/dts/tegra30.dtsi +@@ -309,7 +309,7 @@ + + spi@7000d800 { + compatible = "nvidia,tegra30-slink", "nvidia,tegra20-slink"; +- reg = <0x7000d480 0x200>; ++ reg = <0x7000d800 0x200>; + interrupts = <0 83 0x04>; + nvidia,dma-request-selector = <&apbdma 17>; + #address-cells = <1>; diff --git a/queue-3.8/drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch b/queue-3.8/drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch new file mode 100644 index 00000000000..10b6a198828 --- /dev/null +++ b/queue-3.8/drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch @@ -0,0 +1,203 @@ +From 0ef1594c017521ea89278e80fe3f80dafb17abde Mon Sep 17 00:00:00 2001 +From: Nicolas Ferre +Date: Fri, 22 Mar 2013 15:04:47 -0700 +Subject: drivers/rtc/rtc-at91rm9200.c: use a variable for storing IMR + +From: Nicolas Ferre + +commit 0ef1594c017521ea89278e80fe3f80dafb17abde upstream. + +On some revisions of AT91 SoCs, the RTC IMR register is not working. +Instead of elaborating a workaround for that specific SoC or IP version, +we simply use a software variable to store the Interrupt Mask Register +and modify it for each enabling/disabling of an interrupt. The overhead +of this is negligible anyway. + +The interrupt mask register (IMR) for the RTC is broken on the AT91SAM9x5 +sub-family of SoCs (good overview of the members here: +http://www.eewiki.net/display/linuxonarm/AT91SAM9x5 ). The "user visible +effect" is the RTC doesn't work. + +That sub-family is less than two years old and only has devicetree (DT) +support and came online circa lk 3.7 . The dust is yet to settle on the +DT stuff at least for AT91 SoCs (translation: lots of stuff is still +broken, so much that it is hard to know where to start). + +The fix in the patch is pretty simple: just shadow the silicon IMR +register with a variable in the driver. Some older SoCs (pre-DT) use the +the rtc-at91rm9200 driver (e.g. obviously the AT91RM9200) and they should +not be impacted by the change. There shouldn't be a large volume of +interrupts associated with a RTC. + +Signed-off-by: Nicolas Ferre +Reported-by: Douglas Gilbert +Cc: Jean-Christophe PLAGNIOL-VILLARD +Cc: Ludovic Desroches +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/rtc/rtc-at91rm9200.c | 50 ++++++++++++++++++++++++++----------------- + drivers/rtc/rtc-at91rm9200.h | 1 + 2 files changed, 31 insertions(+), 20 deletions(-) + +--- a/drivers/rtc/rtc-at91rm9200.c ++++ b/drivers/rtc/rtc-at91rm9200.c +@@ -44,6 +44,7 @@ static DECLARE_COMPLETION(at91_rtc_updat + static unsigned int at91_alarm_year = AT91_RTC_EPOCH; + static void __iomem *at91_rtc_regs; + static int irq; ++static u32 at91_rtc_imr; + + /* + * Decode time/date into rtc_time structure +@@ -108,9 +109,11 @@ static int at91_rtc_settime(struct devic + cr = at91_rtc_read(AT91_RTC_CR); + at91_rtc_write(AT91_RTC_CR, cr | AT91_RTC_UPDCAL | AT91_RTC_UPDTIM); + ++ at91_rtc_imr |= AT91_RTC_ACKUPD; + at91_rtc_write(AT91_RTC_IER, AT91_RTC_ACKUPD); + wait_for_completion(&at91_rtc_updated); /* wait for ACKUPD interrupt */ + at91_rtc_write(AT91_RTC_IDR, AT91_RTC_ACKUPD); ++ at91_rtc_imr &= ~AT91_RTC_ACKUPD; + + at91_rtc_write(AT91_RTC_TIMR, + bin2bcd(tm->tm_sec) << 0 +@@ -142,7 +145,7 @@ static int at91_rtc_readalarm(struct dev + tm->tm_yday = rtc_year_days(tm->tm_mday, tm->tm_mon, tm->tm_year); + tm->tm_year = at91_alarm_year - 1900; + +- alrm->enabled = (at91_rtc_read(AT91_RTC_IMR) & AT91_RTC_ALARM) ++ alrm->enabled = (at91_rtc_imr & AT91_RTC_ALARM) + ? 1 : 0; + + pr_debug("%s(): %4d-%02d-%02d %02d:%02d:%02d\n", __func__, +@@ -168,6 +171,7 @@ static int at91_rtc_setalarm(struct devi + tm.tm_sec = alrm->time.tm_sec; + + at91_rtc_write(AT91_RTC_IDR, AT91_RTC_ALARM); ++ at91_rtc_imr &= ~AT91_RTC_ALARM; + at91_rtc_write(AT91_RTC_TIMALR, + bin2bcd(tm.tm_sec) << 0 + | bin2bcd(tm.tm_min) << 8 +@@ -180,6 +184,7 @@ static int at91_rtc_setalarm(struct devi + + if (alrm->enabled) { + at91_rtc_write(AT91_RTC_SCCR, AT91_RTC_ALARM); ++ at91_rtc_imr |= AT91_RTC_ALARM; + at91_rtc_write(AT91_RTC_IER, AT91_RTC_ALARM); + } + +@@ -196,9 +201,12 @@ static int at91_rtc_alarm_irq_enable(str + + if (enabled) { + at91_rtc_write(AT91_RTC_SCCR, AT91_RTC_ALARM); ++ at91_rtc_imr |= AT91_RTC_ALARM; + at91_rtc_write(AT91_RTC_IER, AT91_RTC_ALARM); +- } else ++ } else { + at91_rtc_write(AT91_RTC_IDR, AT91_RTC_ALARM); ++ at91_rtc_imr &= ~AT91_RTC_ALARM; ++ } + + return 0; + } +@@ -207,12 +215,10 @@ static int at91_rtc_alarm_irq_enable(str + */ + static int at91_rtc_proc(struct device *dev, struct seq_file *seq) + { +- unsigned long imr = at91_rtc_read(AT91_RTC_IMR); +- + seq_printf(seq, "update_IRQ\t: %s\n", +- (imr & AT91_RTC_ACKUPD) ? "yes" : "no"); ++ (at91_rtc_imr & AT91_RTC_ACKUPD) ? "yes" : "no"); + seq_printf(seq, "periodic_IRQ\t: %s\n", +- (imr & AT91_RTC_SECEV) ? "yes" : "no"); ++ (at91_rtc_imr & AT91_RTC_SECEV) ? "yes" : "no"); + + return 0; + } +@@ -227,7 +233,7 @@ static irqreturn_t at91_rtc_interrupt(in + unsigned int rtsr; + unsigned long events = 0; + +- rtsr = at91_rtc_read(AT91_RTC_SR) & at91_rtc_read(AT91_RTC_IMR); ++ rtsr = at91_rtc_read(AT91_RTC_SR) & at91_rtc_imr; + if (rtsr) { /* this interrupt is shared! Is it ours? */ + if (rtsr & AT91_RTC_ALARM) + events |= (RTC_AF | RTC_IRQF); +@@ -291,6 +297,7 @@ static int __init at91_rtc_probe(struct + at91_rtc_write(AT91_RTC_IDR, AT91_RTC_ACKUPD | AT91_RTC_ALARM | + AT91_RTC_SECEV | AT91_RTC_TIMEV | + AT91_RTC_CALEV); ++ at91_rtc_imr = 0; + + ret = request_irq(irq, at91_rtc_interrupt, + IRQF_SHARED, +@@ -330,6 +337,7 @@ static int __exit at91_rtc_remove(struct + at91_rtc_write(AT91_RTC_IDR, AT91_RTC_ACKUPD | AT91_RTC_ALARM | + AT91_RTC_SECEV | AT91_RTC_TIMEV | + AT91_RTC_CALEV); ++ at91_rtc_imr = 0; + free_irq(irq, pdev); + + rtc_device_unregister(rtc); +@@ -342,31 +350,35 @@ static int __exit at91_rtc_remove(struct + + /* AT91RM9200 RTC Power management control */ + +-static u32 at91_rtc_imr; ++static u32 at91_rtc_bkpimr; ++ + + static int at91_rtc_suspend(struct device *dev) + { + /* this IRQ is shared with DBGU and other hardware which isn't + * necessarily doing PM like we are... + */ +- at91_rtc_imr = at91_rtc_read(AT91_RTC_IMR) +- & (AT91_RTC_ALARM|AT91_RTC_SECEV); +- if (at91_rtc_imr) { +- if (device_may_wakeup(dev)) ++ at91_rtc_bkpimr = at91_rtc_imr & (AT91_RTC_ALARM|AT91_RTC_SECEV); ++ if (at91_rtc_bkpimr) { ++ if (device_may_wakeup(dev)) { + enable_irq_wake(irq); +- else +- at91_rtc_write(AT91_RTC_IDR, at91_rtc_imr); +- } ++ } else { ++ at91_rtc_write(AT91_RTC_IDR, at91_rtc_bkpimr); ++ at91_rtc_imr &= ~at91_rtc_bkpimr; ++ } ++} + return 0; + } + + static int at91_rtc_resume(struct device *dev) + { +- if (at91_rtc_imr) { +- if (device_may_wakeup(dev)) ++ if (at91_rtc_bkpimr) { ++ if (device_may_wakeup(dev)) { + disable_irq_wake(irq); +- else +- at91_rtc_write(AT91_RTC_IER, at91_rtc_imr); ++ } else { ++ at91_rtc_imr |= at91_rtc_bkpimr; ++ at91_rtc_write(AT91_RTC_IER, at91_rtc_bkpimr); ++ } + } + return 0; + } +--- a/drivers/rtc/rtc-at91rm9200.h ++++ b/drivers/rtc/rtc-at91rm9200.h +@@ -64,7 +64,6 @@ + #define AT91_RTC_SCCR 0x1c /* Status Clear Command Register */ + #define AT91_RTC_IER 0x20 /* Interrupt Enable Register */ + #define AT91_RTC_IDR 0x24 /* Interrupt Disable Register */ +-#define AT91_RTC_IMR 0x28 /* Interrupt Mask Register */ + + #define AT91_RTC_VER 0x2c /* Valid Entry Register */ + #define AT91_RTC_NVTIM (1 << 0) /* Non valid Time */ diff --git a/queue-3.8/drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch b/queue-3.8/drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch new file mode 100644 index 00000000000..d6f023e3c3a --- /dev/null +++ b/queue-3.8/drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch @@ -0,0 +1,40 @@ +From e66b05873a7a76afc569da6382509471cba8d5ff Mon Sep 17 00:00:00 2001 +From: H Hartley Sweeten +Date: Fri, 22 Mar 2013 15:04:45 -0700 +Subject: drivers/video/ep93xx-fb.c: include for devm_ioremap() + +From: H Hartley Sweeten + +commit e66b05873a7a76afc569da6382509471cba8d5ff upstream. + +Commit be8678149701 ("drivers/video/ep93xx-fb.c: use devm_ functions") +introduced a build error: + + drivers/video/ep93xx-fb.c: In function 'ep93xxfb_probe': + drivers/video/ep93xx-fb.c:532: error: implicit declaration of function 'devm_ioremap' + drivers/video/ep93xx-fb.c:533: warning: assignment makes pointer from integer without a cast + +Include to pickup the declaration of 'devm_ioremap'. + +Signed-off-by: H Hartley Sweeten +Cc: Florian Tobias Schandinat +Acked-by: Ryan Mallon +Cc: Damien Cassou +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/video/ep93xx-fb.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/video/ep93xx-fb.c ++++ b/drivers/video/ep93xx-fb.c +@@ -23,6 +23,7 @@ + #include + #include + #include ++#include + + #include + diff --git a/queue-3.8/drm-i915-bounds-check-execbuffer-relocation-count.patch b/queue-3.8/drm-i915-bounds-check-execbuffer-relocation-count.patch new file mode 100644 index 00000000000..f94a18b3a3c --- /dev/null +++ b/queue-3.8/drm-i915-bounds-check-execbuffer-relocation-count.patch @@ -0,0 +1,53 @@ +From 3118a4f652c7b12c752f3222af0447008f9b2368 Mon Sep 17 00:00:00 2001 +From: Kees Cook +Date: Mon, 11 Mar 2013 17:31:45 -0700 +Subject: drm/i915: bounds check execbuffer relocation count + +From: Kees Cook + +commit 3118a4f652c7b12c752f3222af0447008f9b2368 upstream. + +It is possible to wrap the counter used to allocate the buffer for +relocation copies. This could lead to heap writing overflows. + +CVE-2013-0913 + +v3: collapse test, improve comment +v2: move check into validate_exec_list + +Signed-off-by: Kees Cook +Reported-by: Pinkie Pie +Reviewed-by: Chris Wilson +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_gem_execbuffer.c | 11 ++++++++--- + 1 file changed, 8 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_gem_execbuffer.c ++++ b/drivers/gpu/drm/i915/i915_gem_execbuffer.c +@@ -706,15 +706,20 @@ validate_exec_list(struct drm_i915_gem_e + int count) + { + int i; ++ int relocs_total = 0; ++ int relocs_max = INT_MAX / sizeof(struct drm_i915_gem_relocation_entry); + + for (i = 0; i < count; i++) { + char __user *ptr = (char __user *)(uintptr_t)exec[i].relocs_ptr; + int length; /* limited by fault_in_pages_readable() */ + +- /* First check for malicious input causing overflow */ +- if (exec[i].relocation_count > +- INT_MAX / sizeof(struct drm_i915_gem_relocation_entry)) ++ /* First check for malicious input causing overflow in ++ * the worst case where we need to allocate the entire ++ * relocation tree as a single array. ++ */ ++ if (exec[i].relocation_count > relocs_max - relocs_total) + return -EINVAL; ++ relocs_total += exec[i].relocation_count; + + length = exec[i].relocation_count * + sizeof(struct drm_i915_gem_relocation_entry); diff --git a/queue-3.8/i2c-tegra-check-the-clk_prepare_enable-return-value.patch b/queue-3.8/i2c-tegra-check-the-clk_prepare_enable-return-value.patch new file mode 100644 index 00000000000..6c53e858ca9 --- /dev/null +++ b/queue-3.8/i2c-tegra-check-the-clk_prepare_enable-return-value.patch @@ -0,0 +1,56 @@ +From 132c803f7b70b17322579f6f4f3f65cf68e55135 Mon Sep 17 00:00:00 2001 +From: Laxman Dewangan +Date: Fri, 15 Mar 2013 05:34:08 +0000 +Subject: i2c: tegra: check the clk_prepare_enable() return value + +From: Laxman Dewangan + +commit 132c803f7b70b17322579f6f4f3f65cf68e55135 upstream. + +NVIDIA's Tegra SoC allows read/write of controller register only +if controller clock is enabled. System hangs if read/write happens +to registers without enabling clock. + +clk_prepare_enable() can be fail due to unknown reason and hence +adding check for return value of this function. If this function +success then only access register otherwise return to caller with +error. + +Signed-off-by: Laxman Dewangan +Reviewed-by: Stephen Warren +Signed-off-by: Wolfram Sang +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-tegra.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-tegra.c ++++ b/drivers/i2c/busses/i2c-tegra.c +@@ -392,7 +392,11 @@ static int tegra_i2c_init(struct tegra_i + u32 val; + int err = 0; + +- tegra_i2c_clock_enable(i2c_dev); ++ err = tegra_i2c_clock_enable(i2c_dev); ++ if (err < 0) { ++ dev_err(i2c_dev->dev, "Clock enable failed %d\n", err); ++ return err; ++ } + + tegra_periph_reset_assert(i2c_dev->div_clk); + udelay(2); +@@ -599,7 +603,12 @@ static int tegra_i2c_xfer(struct i2c_ada + if (i2c_dev->is_suspended) + return -EBUSY; + +- tegra_i2c_clock_enable(i2c_dev); ++ ret = tegra_i2c_clock_enable(i2c_dev); ++ if (ret < 0) { ++ dev_err(i2c_dev->dev, "Clock enable failed %d\n", ret); ++ return ret; ++ } ++ + for (i = 0; i < num; i++) { + enum msg_end_type end_type = MSG_END_STOP; + if (i < (num - 1)) { diff --git a/queue-3.8/kms-fix-edid-detailed-timing-frame-rate.patch b/queue-3.8/kms-fix-edid-detailed-timing-frame-rate.patch new file mode 100644 index 00000000000..eadd07f98c7 --- /dev/null +++ b/queue-3.8/kms-fix-edid-detailed-timing-frame-rate.patch @@ -0,0 +1,36 @@ +From c19b3b0f6eed552952845e4ad908dba2113d67b4 Mon Sep 17 00:00:00 2001 +From: Torsten Duwe +Date: Sat, 23 Mar 2013 15:39:34 +0100 +Subject: KMS: fix EDID detailed timing frame rate + +From: Torsten Duwe + +commit c19b3b0f6eed552952845e4ad908dba2113d67b4 upstream. + +When KMS has parsed an EDID "detailed timing", it leaves the frame rate +zeroed. Consecutive (debug-) output of that mode thus yields 0 for +vsync. This simple fix also speeds up future invocations of +drm_mode_vrefresh(). + +While it is debatable whether this qualifies as a -stable fix I'd apply +it for consistency's sake; drm_helper_probe_single_connector_modes() +does the same thing already for all probed modes. + +Signed-off-by: Torsten Duwe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -975,6 +975,7 @@ set_size: + } + + mode->type = DRM_MODE_TYPE_DRIVER; ++ mode->vrefresh = drm_mode_vrefresh(mode); + drm_mode_set_name(mode); + + return mode; diff --git a/queue-3.8/kms-fix-edid-detailed-timing-vsync-parsing.patch b/queue-3.8/kms-fix-edid-detailed-timing-vsync-parsing.patch new file mode 100644 index 00000000000..8dab030af4a --- /dev/null +++ b/queue-3.8/kms-fix-edid-detailed-timing-vsync-parsing.patch @@ -0,0 +1,40 @@ +From 16dad1d743d31a104a849c8944e6b9eb479f6cd7 Mon Sep 17 00:00:00 2001 +From: Torsten Duwe +Date: Sat, 23 Mar 2013 15:38:22 +0100 +Subject: KMS: fix EDID detailed timing vsync parsing + +From: Torsten Duwe + +commit 16dad1d743d31a104a849c8944e6b9eb479f6cd7 upstream. + +EDID spreads some values across multiple bytes; bit-fiddling is needed +to retrieve these. The current code to parse "detailed timings" has a +cut&paste error that results in a vsync offset of at most 15 lines +instead of 63. + +See + + http://en.wikipedia.org/wiki/EDID + +and in the "EDID Detailed Timing Descriptor" see bytes 10+11 show why +that needs to be a left shift. + +Signed-off-by: Torsten Duwe +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/drm_edid.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/gpu/drm/drm_edid.c ++++ b/drivers/gpu/drm/drm_edid.c +@@ -894,7 +894,7 @@ static struct drm_display_mode *drm_mode + unsigned vblank = (pt->vactive_vblank_hi & 0xf) << 8 | pt->vblank_lo; + unsigned hsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc0) << 2 | pt->hsync_offset_lo; + unsigned hsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x30) << 4 | pt->hsync_pulse_width_lo; +- unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) >> 2 | pt->vsync_offset_pulse_width_lo >> 4; ++ unsigned vsync_offset = (pt->hsync_vsync_offset_pulse_width_hi & 0xc) << 2 | pt->vsync_offset_pulse_width_lo >> 4; + unsigned vsync_pulse_width = (pt->hsync_vsync_offset_pulse_width_hi & 0x3) << 4 | (pt->vsync_offset_pulse_width_lo & 0xf); + + /* ignore tiny modes */ diff --git a/queue-3.8/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch b/queue-3.8/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch new file mode 100644 index 00000000000..f970ec0b7be --- /dev/null +++ b/queue-3.8/mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch @@ -0,0 +1,65 @@ +From d00285884c0892bb1310df96bce6056e9ce9b9d9 Mon Sep 17 00:00:00 2001 +From: Wanpeng Li +Date: Fri, 22 Mar 2013 15:04:40 -0700 +Subject: mm/hugetlb: fix total hugetlbfs pages count when using memory overcommit accouting + +From: Wanpeng Li + +commit d00285884c0892bb1310df96bce6056e9ce9b9d9 upstream. + +hugetlb_total_pages is used for overcommit calculations but the current +implementation considers only the default hugetlb page size (which is +either the first defined hugepage size or the one specified by +default_hugepagesz kernel boot parameter). + +If the system is configured for more than one hugepage size, which is +possible since commit a137e1cc6d6e ("hugetlbfs: per mount huge page +sizes") then the overcommit estimation done by __vm_enough_memory() +(resp. shown by meminfo_proc_show) is not precise - there is an +impression of more available/allowed memory. This can lead to an +unexpected ENOMEM/EFAULT resp. SIGSEGV when memory is accounted. + +Testcase: + boot: hugepagesz=1G hugepages=1 + the default overcommit ratio is 50 + before patch: + + egrep 'CommitLimit' /proc/meminfo + CommitLimit: 55434168 kB + + after patch: + + egrep 'CommitLimit' /proc/meminfo + CommitLimit: 54909880 kB + +[akpm@linux-foundation.org: coding-style tweak] +Signed-off-by: Wanpeng Li +Acked-by: Michal Hocko +Cc: "Aneesh Kumar K.V" +Cc: Hillf Danton +Cc: KAMEZAWA Hiroyuki +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/hugetlb.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/mm/hugetlb.c ++++ b/mm/hugetlb.c +@@ -2127,8 +2127,12 @@ int hugetlb_report_node_meminfo(int nid, + /* Return the number pages of memory we physically have, in PAGE_SIZE units. */ + unsigned long hugetlb_total_pages(void) + { +- struct hstate *h = &default_hstate; +- return h->nr_huge_pages * pages_per_huge_page(h); ++ struct hstate *h; ++ unsigned long nr_total_pages = 0; ++ ++ for_each_hstate(h) ++ nr_total_pages += h->nr_huge_pages * pages_per_huge_page(h); ++ return nr_total_pages; + } + + static int hugetlb_acct_memory(struct hstate *h, long delta) diff --git a/queue-3.8/mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch b/queue-3.8/mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch new file mode 100644 index 00000000000..97af0a82285 --- /dev/null +++ b/queue-3.8/mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch @@ -0,0 +1,50 @@ +From 38d78e587d4960d0db94add518d27ee74bad2301 Mon Sep 17 00:00:00 2001 +From: Vladimir Davydov +Date: Fri, 22 Mar 2013 15:04:51 -0700 +Subject: mqueue: sys_mq_open: do not call mnt_drop_write() if read-only + +From: Vladimir Davydov + +commit 38d78e587d4960d0db94add518d27ee74bad2301 upstream. + +mnt_drop_write() must be called only if mnt_want_write() succeeded, +otherwise the mnt_writers counter will diverge. + +mnt_writers counters are used to check if remounting FS as read-only is +OK, so after an extra mnt_drop_write() call, it would be impossible to +remount mqueue FS as read-only. Besides, on umount a warning would be +printed like this one: + + ===================================== + [ BUG: bad unlock balance detected! ] + 3.9.0-rc3 #5 Not tainted + ------------------------------------- + a.out/12486 is trying to release lock (sb_writers) at: + mnt_drop_write+0x1f/0x30 + but there are no more locks to release! + +Signed-off-by: Vladimir Davydov +Cc: Doug Ledford +Cc: KOSAKI Motohiro +Cc: "Eric W. Biederman" +Cc: Al Viro +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + ipc/mqueue.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/ipc/mqueue.c ++++ b/ipc/mqueue.c +@@ -840,7 +840,8 @@ out_putfd: + fd = error; + } + mutex_unlock(&root->d_inode->i_mutex); +- mnt_drop_write(mnt); ++ if (!ro) ++ mnt_drop_write(mnt); + out_putname: + putname(name); + return fd; diff --git a/queue-3.8/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch b/queue-3.8/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch new file mode 100644 index 00000000000..6e5ec546197 --- /dev/null +++ b/queue-3.8/mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch @@ -0,0 +1,40 @@ +From 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c Mon Sep 17 00:00:00 2001 +From: Bing Zhao +Date: Thu, 7 Mar 2013 20:00:16 -0800 +Subject: mwifiex: fix potential out-of-boundary access to ibss rate table + +From: Bing Zhao + +commit 5f0fabf84d7b52f979dcbafa3d3c530c60d9a92c upstream. + +smatch found this error: + +CHECK drivers/net/wireless/mwifiex/join.c + drivers/net/wireless/mwifiex/join.c:1121 + mwifiex_cmd_802_11_ad_hoc_join() + error: testing array offset 'i' after use. + +Signed-off-by: Bing Zhao +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/mwifiex/join.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/mwifiex/join.c ++++ b/drivers/net/wireless/mwifiex/join.c +@@ -1092,10 +1092,9 @@ mwifiex_cmd_802_11_ad_hoc_join(struct mw + adhoc_join->bss_descriptor.bssid, + adhoc_join->bss_descriptor.ssid); + +- for (i = 0; bss_desc->supported_rates[i] && +- i < MWIFIEX_SUPPORTED_RATES; +- i++) +- ; ++ for (i = 0; i < MWIFIEX_SUPPORTED_RATES && ++ bss_desc->supported_rates[i]; i++) ++ ; + rates_size = i; + + /* Copy Data Rates from the Rates recorded in scan response */ diff --git a/queue-3.8/revert-drm-i915-write-backlight-harder.patch b/queue-3.8/revert-drm-i915-write-backlight-harder.patch new file mode 100644 index 00000000000..c401a31376b --- /dev/null +++ b/queue-3.8/revert-drm-i915-write-backlight-harder.patch @@ -0,0 +1,72 @@ +From b1289371fcd580b4c412e6d05c4cb8ac8d277239 Mon Sep 17 00:00:00 2001 +From: Daniel Vetter +Date: Fri, 22 Mar 2013 15:44:46 +0100 +Subject: Revert "drm/i915: write backlight harder" + +From: Daniel Vetter + +commit b1289371fcd580b4c412e6d05c4cb8ac8d277239 upstream. + +This reverts commit cf0a6584aa6d382f802f2c3cacac23ccbccde0cd. + +Turns out that cargo-culting breaks systems. Note that we can't revert +further, since + +commit 770c12312ad617172b1a65b911d3e6564fc5aca8 +Author: Takashi Iwai +Date: Sat Aug 11 08:56:42 2012 +0200 + + drm/i915: Fix blank panel at reopening lid + +fixed a regression in 3.6-rc kernels for which we've never figured out +the exact root cause. But some further inspection of the backlight +code reveals that it's seriously lacking locking. And especially the +asle backlight update is know to get fired (through some smm magic) +when writing specific backlight control registers. So the possibility +of suffering from races is rather real. + +Until those races are fixed I don't think it makes sense to try +further hacks. Which sucks a bit, but sometimes that's how it is :( + +References: http://www.mail-archive.com/intel-gfx@lists.freedesktop.org/msg18788.html +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=47941 +Tested-by: Takashi Iwai +Cc: Jani Nikula +Cc: Takashi Iwai +Signed-off-by: Daniel Vetter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/intel_panel.c | 13 +++++-------- + 1 file changed, 5 insertions(+), 8 deletions(-) + +--- a/drivers/gpu/drm/i915/intel_panel.c ++++ b/drivers/gpu/drm/i915/intel_panel.c +@@ -321,9 +321,6 @@ void intel_panel_enable_backlight(struct + if (dev_priv->backlight_level == 0) + dev_priv->backlight_level = intel_panel_get_max_backlight(dev); + +- dev_priv->backlight_enabled = true; +- intel_panel_actually_set_backlight(dev, dev_priv->backlight_level); +- + if (INTEL_INFO(dev)->gen >= 4) { + uint32_t reg, tmp; + +@@ -359,12 +356,12 @@ void intel_panel_enable_backlight(struct + } + + set_level: +- /* Check the current backlight level and try to set again if it's zero. +- * On some machines, BLC_PWM_CPU_CTL is cleared to zero automatically +- * when BLC_PWM_CPU_CTL2 and BLC_PWM_PCH_CTL1 are written. ++ /* Call below after setting BLC_PWM_CPU_CTL2 and BLC_PWM_PCH_CTL1. ++ * BLC_PWM_CPU_CTL may be cleared to zero automatically when these ++ * registers are set. + */ +- if (!intel_panel_get_backlight(dev)) +- intel_panel_actually_set_backlight(dev, dev_priv->backlight_level); ++ dev_priv->backlight_enabled = true; ++ intel_panel_actually_set_backlight(dev, dev_priv->backlight_level); + } + + static void intel_panel_init_backlight(struct drm_device *dev) diff --git a/queue-3.8/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch b/queue-3.8/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch new file mode 100644 index 00000000000..84cc27b8a10 --- /dev/null +++ b/queue-3.8/rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch @@ -0,0 +1,142 @@ +From 9437a248e7cac427c898bdb11bd1ac6844a1ead4 Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 13 Mar 2013 10:28:13 -0500 +Subject: rtlwifi: rtl8192cu: Fix problem that prevents reassociation + +From: Larry Finger + +commit 9437a248e7cac427c898bdb11bd1ac6844a1ead4 upstream. + +The driver was failing to clear the BSSID when a disconnect happened. That +prevented a reconnection. This problem is reported at +https://bugzilla.redhat.com/show_bug.cgi?id=789605, +https://bugzilla.redhat.com/show_bug.cgi?id=866786, +https://bugzilla.redhat.com/show_bug.cgi?id=906734, and +https://bugzilla.kernel.org/show_bug.cgi?id=46171. + +Thanks to Jussi Kivilinna for making the critical observation +that led to the solution. + +Reported-by: Jussi Kivilinna +Tested-by: Jussi Kivilinna +Tested-by: Alessandro Lannocca +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 87 +++++++++++----------------- + 1 file changed, 35 insertions(+), 52 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c +@@ -1377,74 +1377,57 @@ void rtl92cu_card_disable(struct ieee802 + + void rtl92cu_set_check_bssid(struct ieee80211_hw *hw, bool check_bssid) + { +- /* dummy routine needed for callback from rtl_op_configure_filter() */ +-} +- +-/*========================================================================== */ +- +-static void _rtl92cu_set_check_bssid(struct ieee80211_hw *hw, +- enum nl80211_iftype type) +-{ + struct rtl_priv *rtlpriv = rtl_priv(hw); +- u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR); + struct rtl_hal *rtlhal = rtl_hal(rtlpriv); +- struct rtl_phy *rtlphy = &(rtlpriv->phy); +- u8 filterout_non_associated_bssid = false; ++ u32 reg_rcr = rtl_read_dword(rtlpriv, REG_RCR); + +- switch (type) { +- case NL80211_IFTYPE_ADHOC: +- case NL80211_IFTYPE_STATION: +- filterout_non_associated_bssid = true; +- break; +- case NL80211_IFTYPE_UNSPECIFIED: +- case NL80211_IFTYPE_AP: +- default: +- break; +- } +- if (filterout_non_associated_bssid) { ++ if (rtlpriv->psc.rfpwr_state != ERFON) ++ return; ++ ++ if (check_bssid) { ++ u8 tmp; + if (IS_NORMAL_CHIP(rtlhal->version)) { +- switch (rtlphy->current_io_type) { +- case IO_CMD_RESUME_DM_BY_SCAN: +- reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN); +- rtlpriv->cfg->ops->set_hw_reg(hw, +- HW_VAR_RCR, (u8 *)(®_rcr)); +- /* enable update TSF */ +- _rtl92cu_set_bcn_ctrl_reg(hw, 0, BIT(4)); +- break; +- case IO_CMD_PAUSE_DM_BY_SCAN: +- reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN); +- rtlpriv->cfg->ops->set_hw_reg(hw, +- HW_VAR_RCR, (u8 *)(®_rcr)); +- /* disable update TSF */ +- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0); +- break; +- } ++ reg_rcr |= (RCR_CBSSID_DATA | RCR_CBSSID_BCN); ++ tmp = BIT(4); + } else { +- reg_rcr |= (RCR_CBSSID); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, 0, (BIT(4)|BIT(5))); ++ reg_rcr |= RCR_CBSSID; ++ tmp = BIT(4) | BIT(5); + } +- } else if (filterout_non_associated_bssid == false) { ++ rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, ++ (u8 *) (®_rcr)); ++ _rtl92cu_set_bcn_ctrl_reg(hw, 0, tmp); ++ } else { ++ u8 tmp; + if (IS_NORMAL_CHIP(rtlhal->version)) { +- reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN)); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, BIT(4), 0); ++ reg_rcr &= ~(RCR_CBSSID_DATA | RCR_CBSSID_BCN); ++ tmp = BIT(4); + } else { +- reg_rcr &= (~RCR_CBSSID); +- rtlpriv->cfg->ops->set_hw_reg(hw, HW_VAR_RCR, +- (u8 *)(®_rcr)); +- _rtl92cu_set_bcn_ctrl_reg(hw, (BIT(4)|BIT(5)), 0); ++ reg_rcr &= ~RCR_CBSSID; ++ tmp = BIT(4) | BIT(5); + } ++ reg_rcr &= (~(RCR_CBSSID_DATA | RCR_CBSSID_BCN)); ++ rtlpriv->cfg->ops->set_hw_reg(hw, ++ HW_VAR_RCR, (u8 *) (®_rcr)); ++ _rtl92cu_set_bcn_ctrl_reg(hw, tmp, 0); + } + } + ++/*========================================================================== */ ++ + int rtl92cu_set_network_type(struct ieee80211_hw *hw, enum nl80211_iftype type) + { ++ struct rtl_priv *rtlpriv = rtl_priv(hw); ++ + if (_rtl92cu_set_media_status(hw, type)) + return -EOPNOTSUPP; +- _rtl92cu_set_check_bssid(hw, type); ++ ++ if (rtlpriv->mac80211.link_state == MAC80211_LINKED) { ++ if (type != NL80211_IFTYPE_AP) ++ rtl92cu_set_check_bssid(hw, true); ++ } else { ++ rtl92cu_set_check_bssid(hw, false); ++ } ++ + return 0; + } + diff --git a/queue-3.8/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch b/queue-3.8/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch new file mode 100644 index 00000000000..cfaf56cd5bf --- /dev/null +++ b/queue-3.8/rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch @@ -0,0 +1,60 @@ +From 664899786cb49cb52f620e06ac19c0be524a7cfa Mon Sep 17 00:00:00 2001 +From: Larry Finger +Date: Wed, 27 Feb 2013 14:10:30 -0600 +Subject: rtlwifi: rtl8192cu: Fix schedule while atomic bug splat + +From: Larry Finger + +commit 664899786cb49cb52f620e06ac19c0be524a7cfa upstream. + +When run at debug 3 or higher, rtl8192cu reports a BUG as follows: + +BUG: scheduling while atomic: kworker/u:0/5281/0x00000002 +INFO: lockdep is turned off. +Modules linked in: rtl8192cu rtl8192c_common rtlwifi fuse af_packet bnep bluetooth b43 mac80211 cfg80211 ipv6 snd_hda_codec_conexant kvm_amd k +vm snd_hda_intel snd_hda_codec bcma rng_core snd_pcm ssb mmc_core snd_seq snd_timer snd_seq_device snd i2c_nforce2 sr_mod pcmcia forcedeth i2c_core soundcore + cdrom sg serio_raw k8temp hwmon joydev ac battery pcmcia_core snd_page_alloc video button wmi autofs4 ext4 mbcache jbd2 crc16 thermal processor scsi_dh_alua + scsi_dh_hp_sw scsi_dh_rdac scsi_dh_emc scsi_dh ata_generic pata_acpi pata_amd [last unloaded: rtlwifi] +Pid: 5281, comm: kworker/u:0 Tainted: G W 3.8.0-wl+ #119 +Call Trace: + [] __schedule_bug+0x62/0x70 + [] __schedule+0x730/0xa30 + [] ? usb_hcd_link_urb_to_ep+0x19/0xa0 + [] schedule+0x24/0x70 + [] schedule_timeout+0x18c/0x2f0 + [] ? wait_for_common+0x40/0x180 + [] ? ehci_urb_enqueue+0xf1/0xee0 + [] ? trace_hardirqs_on+0xd/0x10 + [] wait_for_common+0xe5/0x180 + [] ? try_to_wake_up+0x2d0/0x2d0 + [] wait_for_completion_timeout+0xe/0x10 + [] usb_start_wait_urb+0x8c/0x100 + [] usb_control_msg+0xd9/0x130 + [] _usb_read_sync+0xcd/0x140 [rtlwifi] + [] _usb_read32_sync+0xe/0x10 [rtlwifi] + [] rtl92cu_update_hal_rate_table+0x1a5/0x1f0 [rtl8192cu] + +The cause is a synchronous read from routine rtl92cu_update_hal_rate_table(). +The resulting output is not critical, thus the debug statement is +deleted. + +Reported-by: Jussi Kivilinna +Signed-off-by: Larry Finger +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/rtlwifi/rtl8192cu/hw.c | 2 -- + 1 file changed, 2 deletions(-) + +--- a/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c ++++ b/drivers/net/wireless/rtlwifi/rtl8192cu/hw.c +@@ -2058,8 +2058,6 @@ void rtl92cu_update_hal_rate_table(struc + (shortgi_rate << 4) | (shortgi_rate); + } + rtl_write_dword(rtlpriv, REG_ARFR0 + ratr_index * 4, ratr_value); +- RT_TRACE(rtlpriv, COMP_RATR, DBG_DMESG, "%x\n", +- rtl_read_dword(rtlpriv, REG_ARFR0)); + } + + void rtl92cu_update_hal_rate_mask(struct ieee80211_hw *hw, u8 rssi_level) diff --git a/queue-3.8/series b/queue-3.8/series index 46ecf5271e0..4d9c91a5a7b 100644 --- a/queue-3.8/series +++ b/queue-3.8/series @@ -35,3 +35,22 @@ saner-proc_get_inode-calling-conventions.patch vfs-proc-guarantee-unique-inodes-in-proc.patch revert-drm-i915-try-to-train-dp-even-harder.patch drm-i915-restrict-kernel-address-leak-in-debugfs.patch +tracing-fix-race-in-snapshot-swapping.patch +tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch +tracing-protect-tracer-flags-with-trace_types_lock.patch +tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch +rtlwifi-rtl8192cu-fix-schedule-while-atomic-bug-splat.patch +rtlwifi-rtl8192cu-fix-problem-that-prevents-reassociation.patch +mwifiex-fix-potential-out-of-boundary-access-to-ibss-rate-table.patch +drm-i915-bounds-check-execbuffer-relocation-count.patch +revert-drm-i915-write-backlight-harder.patch +i2c-tegra-check-the-clk_prepare_enable-return-value.patch +kms-fix-edid-detailed-timing-vsync-parsing.patch +kms-fix-edid-detailed-timing-frame-rate.patch +drivers-rtc-rtc-at91rm9200.c-use-a-variable-for-storing-imr.patch +mm-hugetlb-fix-total-hugetlbfs-pages-count-when-using-memory-overcommit-accouting.patch +drivers-video-ep93xx-fb.c-include-linux-io.h-for-devm_ioremap.patch +mqueue-sys_mq_open-do-not-call-mnt_drop_write-if-read-only.patch +target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch +target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch +arm-tegra-fix-register-address-of-slink-controller.patch diff --git a/queue-3.8/target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch b/queue-3.8/target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch new file mode 100644 index 00000000000..69af2615319 --- /dev/null +++ b/queue-3.8/target-file-bump-fd_max_sectors-to-2048-to-handle-1m-sized-i-os.patch @@ -0,0 +1,41 @@ +From f002a24388cc460c8a9be7d446a9871f7c9d52b6 Mon Sep 17 00:00:00 2001 +From: Nicholas Bellinger +Date: Mon, 18 Mar 2013 13:15:57 -0700 +Subject: target/file: Bump FD_MAX_SECTORS to 2048 to handle 1M sized I/Os + +From: Nicholas Bellinger + +commit f002a24388cc460c8a9be7d446a9871f7c9d52b6 upstream. + +This patch bumps the default FILEIO backend FD_MAX_SECTORS value from +1024 -> 2048 in order to allow block_size=512 to handle 1M sized I/Os. + +The current default rejects I/Os larger than 512K in sbc_parse_cdb(): + +[12015.915146] SCSI OP 2ah with too big sectors 1347 exceeds backend +hw_max_sectors: 1024 +[12015.977744] SCSI OP 2ah with too big sectors 2048 exceeds backend +hw_max_sectors: 1024 + +This issue is present in >= v3.5 based kernels, introduced after the +removal of se_task logic. + +Reported-by: Viljami Ilola +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/target_core_file.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/target/target_core_file.h ++++ b/drivers/target/target_core_file.h +@@ -7,7 +7,7 @@ + #define FD_DEVICE_QUEUE_DEPTH 32 + #define FD_MAX_DEVICE_QUEUE_DEPTH 128 + #define FD_BLOCKSIZE 512 +-#define FD_MAX_SECTORS 1024 ++#define FD_MAX_SECTORS 2048 + + #define RRF_EMULATE_CDB 0x01 + #define RRF_GOT_LBA 0x02 diff --git a/queue-3.8/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch b/queue-3.8/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch new file mode 100644 index 00000000000..0207085c6e3 --- /dev/null +++ b/queue-3.8/target-iscsi-fix-mutual-chap-auth-on-big-endian-arches.patch @@ -0,0 +1,42 @@ +From 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 Mon Sep 17 00:00:00 2001 +From: Andy Grover +Date: Mon, 4 Mar 2013 13:52:09 -0800 +Subject: target/iscsi: Fix mutual CHAP auth on big-endian arches + +From: Andy Grover + +commit 7ac9ad11b2a5cf77a92b58ee6b672ad2fa155eb1 upstream. + +See https://bugzilla.redhat.com/show_bug.cgi?id=916290 + +Used a temp var since we take its address in sg_init_one. + +Signed-off-by: Andy Grover +Signed-off-by: Nicholas Bellinger +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/target/iscsi/iscsi_target_auth.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/drivers/target/iscsi/iscsi_target_auth.c ++++ b/drivers/target/iscsi/iscsi_target_auth.c +@@ -166,6 +166,7 @@ static int chap_server_compute_md5( + { + char *endptr; + unsigned long id; ++ unsigned char id_as_uchar; + unsigned char digest[MD5_SIGNATURE_SIZE]; + unsigned char type, response[MD5_SIGNATURE_SIZE * 2 + 2]; + unsigned char identifier[10], *challenge = NULL; +@@ -355,7 +356,9 @@ static int chap_server_compute_md5( + goto out; + } + +- sg_init_one(&sg, &id, 1); ++ /* To handle both endiannesses */ ++ id_as_uchar = id; ++ sg_init_one(&sg, &id_as_uchar, 1); + ret = crypto_hash_update(&desc, &sg, 1); + if (ret < 0) { + pr_err("crypto_hash_update() failed for id\n"); diff --git a/queue-3.8/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch b/queue-3.8/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch new file mode 100644 index 00000000000..5fa5150956e --- /dev/null +++ b/queue-3.8/tracing-fix-free-of-probe-entry-by-calling-call_rcu_sched.patch @@ -0,0 +1,41 @@ +From 740466bc89ad8bd5afcc8de220f715f62b21e365 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Wed, 13 Mar 2013 11:15:19 -0400 +Subject: tracing: Fix free of probe entry by calling call_rcu_sched() + +From: "Steven Rostedt (Red Hat)" + +commit 740466bc89ad8bd5afcc8de220f715f62b21e365 upstream. + +Because function tracing is very invasive, and can even trace +calls to rcu_read_lock(), RCU access in function tracing is done +with preempt_disable_notrace(). This requires a synchronize_sched() +for updates and not a synchronize_rcu(). + +Function probes (traceon, traceoff, etc) must be freed after +a synchronize_sched() after its entry has been removed from the +hash. But call_rcu() is used. Fix this by using call_rcu_sched(). + +Also fix the usage to use hlist_del_rcu() instead of hlist_del(). + +Signed-off-by: Steven Rostedt +Cc: Paul McKenney +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3082,8 +3082,8 @@ __unregister_ftrace_function_probe(char + continue; + } + +- hlist_del(&entry->node); +- call_rcu(&entry->rcu, ftrace_free_entry_rcu); ++ hlist_del_rcu(&entry->node); ++ call_rcu_sched(&entry->rcu, ftrace_free_entry_rcu); + } + } + __disable_ftrace_function_probe(); diff --git a/queue-3.8/tracing-fix-race-in-snapshot-swapping.patch b/queue-3.8/tracing-fix-race-in-snapshot-swapping.patch new file mode 100644 index 00000000000..f06e8925033 --- /dev/null +++ b/queue-3.8/tracing-fix-race-in-snapshot-swapping.patch @@ -0,0 +1,51 @@ +From 2721e72dd10f71a3ba90f59781becf02638aa0d9 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Tue, 12 Mar 2013 11:32:32 -0400 +Subject: tracing: Fix race in snapshot swapping + +From: "Steven Rostedt (Red Hat)" + +commit 2721e72dd10f71a3ba90f59781becf02638aa0d9 upstream. + +Although the swap is wrapped with a spin_lock, the assignment +of the temp buffer used to swap is not within that lock. +It needs to be moved into that lock, otherwise two swaps +happening on two different CPUs, can end up using the wrong +temp buffer to assign in the swap. + +Luckily, all current callers of the swap function appear to have +their own locks. But in case something is added that allows two +different callers to call the swap, then there's a chance that +this race can trigger and corrupt the buffers. + +New code is coming soon that will allow for this race to trigger. + +I've Cc'd stable, so this bug will not show up if someone backports +one of the changes that can trigger this bug. + +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -703,7 +703,7 @@ __update_max_tr(struct trace_array *tr, + void + update_max_tr(struct trace_array *tr, struct task_struct *tsk, int cpu) + { +- struct ring_buffer *buf = tr->buffer; ++ struct ring_buffer *buf; + + if (trace_stop_count) + return; +@@ -715,6 +715,7 @@ update_max_tr(struct trace_array *tr, st + } + arch_spin_lock(&ftrace_max_lock); + ++ buf = tr->buffer; + tr->buffer = max_tr.buffer; + max_tr.buffer = buf; + diff --git a/queue-3.8/tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch b/queue-3.8/tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch new file mode 100644 index 00000000000..ea9d3766694 --- /dev/null +++ b/queue-3.8/tracing-keep-overwrite-in-sync-between-regular-and-snapshot-buffers.patch @@ -0,0 +1,40 @@ +From 80902822658aab18330569587cdb69ac1dfdcea8 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Thu, 14 Mar 2013 14:20:54 -0400 +Subject: tracing: Keep overwrite in sync between regular and snapshot buffers + +From: "Steven Rostedt (Red Hat)" + +commit 80902822658aab18330569587cdb69ac1dfdcea8 upstream. + +Changing the overwrite mode for the ring buffer via the trace +option only sets the normal buffer. But the snapshot buffer could +swap with it, and then the snapshot would be in non overwrite mode +and the normal buffer would be in overwrite mode, even though the +option flag states otherwise. + +Keep the two buffers overwrite modes in sync. + +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2850,8 +2850,12 @@ static void set_tracer_flags(unsigned in + if (mask == TRACE_ITER_RECORD_CMD) + trace_event_enable_cmd_record(enabled); + +- if (mask == TRACE_ITER_OVERWRITE) ++ if (mask == TRACE_ITER_OVERWRITE) { + ring_buffer_change_overwrite(global_trace.buffer, enabled); ++#ifdef CONFIG_TRACER_MAX_TRACE ++ ring_buffer_change_overwrite(max_tr.buffer, enabled); ++#endif ++ } + + if (mask == TRACE_ITER_PRINTK) + trace_printk_start_stop_comm(enabled); diff --git a/queue-3.8/tracing-protect-tracer-flags-with-trace_types_lock.patch b/queue-3.8/tracing-protect-tracer-flags-with-trace_types_lock.patch new file mode 100644 index 00000000000..a848380be27 --- /dev/null +++ b/queue-3.8/tracing-protect-tracer-flags-with-trace_types_lock.patch @@ -0,0 +1,61 @@ +From 69d34da2984c95b33ea21518227e1f9470f11d95 Mon Sep 17 00:00:00 2001 +From: "Steven Rostedt (Red Hat)" +Date: Thu, 14 Mar 2013 13:50:56 -0400 +Subject: tracing: Protect tracer flags with trace_types_lock + +From: "Steven Rostedt (Red Hat)" + +commit 69d34da2984c95b33ea21518227e1f9470f11d95 upstream. + +Seems that the tracer flags have never been protected from +synchronous writes. Luckily, admins don't usually modify the +tracing flags via two different tasks. But if scripts were to +be used to modify them, then they could get corrupted. + +Move the trace_types_lock that protects against tracers changing +to also protect the flags being set. + +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -2871,6 +2871,8 @@ static int trace_set_options(char *optio + cmp += 2; + } + ++ mutex_lock(&trace_types_lock); ++ + for (i = 0; trace_options[i]; i++) { + if (strcmp(cmp, trace_options[i]) == 0) { + set_tracer_flags(1 << i, !neg); +@@ -2879,11 +2881,10 @@ static int trace_set_options(char *optio + } + + /* If no option could be set, test the specific tracer options */ +- if (!trace_options[i]) { +- mutex_lock(&trace_types_lock); ++ if (!trace_options[i]) + ret = set_tracer_option(current_trace, cmp, neg); +- mutex_unlock(&trace_types_lock); +- } ++ ++ mutex_unlock(&trace_types_lock); + + return ret; + } +@@ -4641,7 +4642,10 @@ trace_options_core_write(struct file *fi + + if (val != 0 && val != 1) + return -EINVAL; ++ ++ mutex_lock(&trace_types_lock); + set_tracer_flags(1 << index, val); ++ mutex_unlock(&trace_types_lock); + + *ppos += cnt; + -- 2.47.3