From bcddea70ceb4d54d6a66ff74411a54f114a7634f Mon Sep 17 00:00:00 2001 
From: Greg Kroah-Hartman Date: Tue, 18 May 2010 09:07:34 -0700 Subject: [PATCH] .33 patches --- ...models-using-conexant-cx20549-venice.patch | 39 +++ .../alsa-hda-new-intel-hda-controller.patch | 30 +++ ...ix-esi-maya44-capture-source-control.patch | 43 ++++ ...x-xonar-d1-dx-front-panel-microphone.patch | 41 +++ ...ssion-on-src-file-in-the-clone-ioctl.patch | 39 +++ ...uard-against-hardlinking-directories.patch | 90 +++++++ ...ce-between-tasklet-and-dasd_sleep_on.patch | 83 +++++++ ...-i915-disable-fbc-on-915gm-and-945gm.patch | 53 ++++ ...-leak-user-struct-on-inotify-release.patch | 44 ++++ ...e-double-free-in-inotify-inode-marks.patch | 67 +++++ ...ps-due-to-perf_event_do_pending-call.patch | 234 ++++++++++++++++++ .../profile-fix-stats-and-data-leakage.patch | 35 +++ ...turn-value-of-do_syscall_trace_enter.patch | 49 ++++ ...gger-level-lower-to-avoid-lost-chars.patch | 63 +++++ queue-2.6.33/series | 18 ++ ...nbalanced-bkl-handling-in-error-path.patch | 35 +++ ..._osvw-bit-before-accessing-osvw-msrs.patch | 43 ++++ ...-feature-in-virtualized-environments.patch | 102 ++++++++ ...x-build-error-when-k8_nb-is-disabled.patch | 41 +++ 19 files changed, 1149 insertions(+) create mode 100644 queue-2.6.33/alsa-hda-fix-0-db-for-lenovo-models-using-conexant-cx20549-venice.patch create mode 100644 queue-2.6.33/alsa-hda-new-intel-hda-controller.patch create mode 100644 queue-2.6.33/alsa-ice1724-fix-esi-maya44-capture-source-control.patch create mode 100644 queue-2.6.33/alsa-virtuoso-fix-xonar-d1-dx-front-panel-microphone.patch create mode 100644 queue-2.6.33/btrfs-check-for-read-permission-on-src-file-in-the-clone-ioctl.patch create mode 100644 queue-2.6.33/cifs-guard-against-hardlinking-directories.patch create mode 100644 queue-2.6.33/dasd-fix-race-between-tasklet-and-dasd_sleep_on.patch create mode 100644 queue-2.6.33/drm-i915-disable-fbc-on-915gm-and-945gm.patch create mode 100644 queue-2.6.33/inotify-don-t-leak-user-struct-on-inotify-release.patch create mode 100644 
queue-2.6.33/inotify-race-use-after-free-double-free-in-inotify-inode-marks.patch create mode 100644 queue-2.6.33/powerpc-perf_event-fix-oops-due-to-perf_event_do_pending-call.patch create mode 100644 queue-2.6.33/profile-fix-stats-and-data-leakage.patch create mode 100644 queue-2.6.33/ptrace-fix-return-value-of-do_syscall_trace_enter.patch create mode 100644 queue-2.6.33/serial-imx.c-fix-cts-trigger-level-lower-to-avoid-lost-chars.patch create mode 100644 queue-2.6.33/tty-fix-unbalanced-bkl-handling-in-error-path.patch create mode 100644 queue-2.6.33/x86-amd-check-x86_feature_osvw-bit-before-accessing-osvw-msrs.patch create mode 100644 queue-2.6.33/x86-cacheinfo-turn-off-l3-cache-index-disable-feature-in-virtualized-environments.patch create mode 100644 queue-2.6.33/x86-k8-fix-build-error-when-k8_nb-is-disabled.patch diff --git a/queue-2.6.33/alsa-hda-fix-0-db-for-lenovo-models-using-conexant-cx20549-venice.patch b/queue-2.6.33/alsa-hda-fix-0-db-for-lenovo-models-using-conexant-cx20549-venice.patch new file mode 100644 index 00000000000..015c232a458 --- /dev/null +++ b/queue-2.6.33/alsa-hda-fix-0-db-for-lenovo-models-using-conexant-cx20549-venice.patch 
@@ -0,0 +1,39 @@
+From 0ebf9e3692d640917fb792a7494d05e1f5b1058f Mon Sep 17 00:00:00 2001
+From: Daniel T Chen
+Date: Mon, 10 May 2010 21:50:04 +0200
+Subject: ALSA: hda: Fix 0 dB for Lenovo models using Conexant CX20549 (Venice)
+
+From: Daniel T Chen
+
+commit 0ebf9e3692d640917fb792a7494d05e1f5b1058f upstream.
+
+Reference: http://mailman.alsa-project.org/pipermail/alsa-devel/2010-May/027525.html
+
+As reported on the mailing list, we also need to cap to the 0 dB offset
+for Lenovo models, else the sound will be distorted.
+
+Reported-and-Tested-by: Tim Starling
+Signed-off-by: Daniel T Chen
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/patch_conexant.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/hda/patch_conexant.c
++++ b/sound/pci/hda/patch_conexant.c
+@@ -1176,9 +1176,10 @@ static int patch_cxt5045(struct hda_code
+ case 0x103c:
+ case 0x1631:
+ case 0x1734:
+- /* HP, Packard Bell, & Fujitsu-Siemens laptops have really bad
+- * sound over 0dB on NID 0x17. Fix max PCM level to 0 dB
+- * (originally it has 0x2b steps with 0dB offset 0x14)
++ case 0x17aa:
++ /* HP, Packard Bell, Fujitsu-Siemens & Lenovo laptops have
++ * really bad sound over 0dB on NID 0x17. Fix max PCM level to
++ * 0 dB (originally it has 0x2b steps with 0dB offset 0x14)
+ */
+ snd_hda_override_amp_caps(codec, 0x17, HDA_INPUT,
+ (0x14 << AC_AMPCAP_OFFSET_SHIFT) |
diff --git a/queue-2.6.33/alsa-hda-new-intel-hda-controller.patch b/queue-2.6.33/alsa-hda-new-intel-hda-controller.patch
new file mode 100644
index 00000000000..feb907da660
--- /dev/null
+++ b/queue-2.6.33/alsa-hda-new-intel-hda-controller.patch
@@ -0,0 +1,30 @@
+From c602c8ad45d6ee6ad91fc544513cc96f70790983 Mon Sep 17 00:00:00 2001
+From: Vitaliy Kulikov
+Date: Mon, 15 Mar 2010 09:01:26 +0100
+Subject: ALSA: hda - New Intel HDA controller
+
+From: Vitaliy Kulikov
+
+commit c602c8ad45d6ee6ad91fc544513cc96f70790983 upstream.
+
+Added a PCI controller id on new Dell laptops.
+
+Signed-off-by: Vitaliy Kulikov
+Cc: AmenophisIII
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/hda/hda_intel.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/sound/pci/hda/hda_intel.c
++++ b/sound/pci/hda/hda_intel.c
+@@ -2718,6 +2718,7 @@ static struct pci_device_id azx_ids[] =
+ { PCI_DEVICE(0x8086, 0x3a6e), .driver_data = AZX_DRIVER_ICH },
+ /* PCH */
+ { PCI_DEVICE(0x8086, 0x3b56), .driver_data = AZX_DRIVER_ICH },
++ { PCI_DEVICE(0x8086, 0x3b57), .driver_data = AZX_DRIVER_ICH },
+ /* CPT */
+ { PCI_DEVICE(0x8086, 0x1c20), .driver_data = AZX_DRIVER_PCH },
+ /* SCH */
diff --git a/queue-2.6.33/alsa-ice1724-fix-esi-maya44-capture-source-control.patch b/queue-2.6.33/alsa-ice1724-fix-esi-maya44-capture-source-control.patch
new file mode 100644
index 00000000000..bb9fe6d13f1
--- /dev/null
+++ b/queue-2.6.33/alsa-ice1724-fix-esi-maya44-capture-source-control.patch
@@ -0,0 +1,43 @@
+From 8213466596bf10b75887754773ee13c10cf86f5c Mon Sep 17 00:00:00 2001
+From: Takashi Iwai
+Date: Wed, 12 May 2010 16:43:32 +0200
+Subject: ALSA: ice1724 - Fix ESI Maya44 capture source control
+
+From: Takashi Iwai
+
+commit 8213466596bf10b75887754773ee13c10cf86f5c upstream.
+
+The capture source control of maya44 was wrongly coded with the bit
+shift instead of the bit mask. Also, the slot for line-in was
+wrongly assigned (slot 5 instead of 4).
+
+Reported-by: Alex Chernyshoff
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/ice1712/maya44.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+--- a/sound/pci/ice1712/maya44.c
++++ b/sound/pci/ice1712/maya44.c
+@@ -347,7 +347,7 @@ static int maya_gpio_sw_put(struct snd_k
+
+ /* known working input slots (0-4) */
+ #define MAYA_LINE_IN 1 /* in-2 */
+-#define MAYA_MIC_IN 4 /* in-5 */
++#define MAYA_MIC_IN 3 /* in-4 */
+
+ static void wm8776_select_input(struct snd_maya44 *chip, int idx, int line)
+ {
+@@ -393,8 +393,8 @@ static int maya_rec_src_put(struct snd_k
+ int changed;
+
+ mutex_lock(&chip->mutex);
+- changed = maya_set_gpio_bits(chip->ice, GPIO_MIC_RELAY,
+- sel ? GPIO_MIC_RELAY : 0);
++ changed = maya_set_gpio_bits(chip->ice, 1 << GPIO_MIC_RELAY,
++ sel ? (1 << GPIO_MIC_RELAY) : 0);
+ wm8776_select_input(chip, 0, sel ? MAYA_MIC_IN : MAYA_LINE_IN);
+ mutex_unlock(&chip->mutex);
+ return changed;
diff --git a/queue-2.6.33/alsa-virtuoso-fix-xonar-d1-dx-front-panel-microphone.patch b/queue-2.6.33/alsa-virtuoso-fix-xonar-d1-dx-front-panel-microphone.patch
new file mode 100644
index 00000000000..c8ac3060f8e
--- /dev/null
+++ b/queue-2.6.33/alsa-virtuoso-fix-xonar-d1-dx-front-panel-microphone.patch
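Review bot: The mask `1 << GPIO_MIC_RELAY` is now written out twice in the maya_rec_src_put hunk, which leaves room for the same shift-versus-mask mix-up the commit is fixing. A named constant next to the bit definition (outside this hunk), for example `#define GPIO_MIC_RELAY_MASK (1 << GPIO_MIC_RELAY)`, would make both arguments to `maya_set_gpio_bits()` read as masks. In the first hunk the changed macro is `MAYA_MIC_IN` while the description speaks of the line-in slot, so the comment `/* known working input slots (0-4) */` could state which numbering (zero-based slot or in-N label) the values use.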
@@ -0,0 +1,41 @@
+From 6a45f7822544c54a2cf070d84f4e85f2fb32ec02 Mon Sep 17 00:00:00 2001
+From: Clemens Ladisch
+Date: Tue, 11 May 2010 16:34:39 +0200
+Subject: ALSA: virtuoso: fix Xonar D1/DX front panel microphone
+
+From: Clemens Ladisch
+
+commit 6a45f7822544c54a2cf070d84f4e85f2fb32ec02 upstream.
+
+Commit 65c3ac885ce9852852b895a4a62212f62cb5f2e9 in 2.6.33 accidentally
+left out the initialization of the AC97 codec FMIC2MIC bit, which broke
+recording from the front panel microphone.
+
+Signed-off-by: Clemens Ladisch
+Signed-off-by: Jaroslav Kysela
+Signed-off-by: Takashi Iwai
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ sound/pci/oxygen/xonar_cs43xx.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+--- a/sound/pci/oxygen/xonar_cs43xx.c
++++ b/sound/pci/oxygen/xonar_cs43xx.c
+@@ -56,6 +56,7 @@
+ #include
+ #include
+ #include "xonar.h"
++#include "cm9780.h"
+ #include "cs4398.h"
+ #include "cs4362a.h"
+
+@@ -172,6 +173,8 @@ static void xonar_d1_init(struct oxygen
+ oxygen_clear_bits16(chip, OXYGEN_GPIO_DATA,
+ GPIO_D1_FRONT_PANEL | GPIO_D1_INPUT_ROUTE);
+
++ oxygen_ac97_set_bits(chip, 0, CM9780_JACK, CM9780_FMIC2MIC);
++
+ xonar_init_cs53x1(chip);
+ xonar_enable_output(chip);
+
diff --git a/queue-2.6.33/btrfs-check-for-read-permission-on-src-file-in-the-clone-ioctl.patch b/queue-2.6.33/btrfs-check-for-read-permission-on-src-file-in-the-clone-ioctl.patch
new file mode 100644
index 00000000000..2688cc03a63
--- /dev/null
+++ b/queue-2.6.33/btrfs-check-for-read-permission-on-src-file-in-the-clone-ioctl.patch
@@ -0,0 +1,39 @@
+From 5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395 Mon Sep 17 00:00:00 2001
+From: Dan Rosenberg
+Date: Sat, 15 May 2010 11:27:37 -0400
+Subject: Btrfs: check for read permission on src file in the clone ioctl
+
+From: Dan Rosenberg
+
+commit 5dc6416414fb3ec6e2825fd4d20c8bf1d7fe0395 upstream.
+
+The existing code would have allowed you to clone a file that was
+only open for writing
+
+Signed-off-by: Chris Mason
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/btrfs/ioctl.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/fs/btrfs/ioctl.c
++++ b/fs/btrfs/ioctl.c
+@@ -964,12 +964,17 @@ static noinline long btrfs_ioctl_clone(s
+ ret = -EBADF;
+ goto out_drop_write;
+ }
++
+ src = src_file->f_dentry->d_inode;
+
+ ret = -EINVAL;
+ if (src == inode)
+ goto out_fput;
+
++ /* the src must be open for reading */
++ if (!(src_file->f_mode & FMODE_READ))
++ goto out_fput;
++
+ ret = -EISDIR;
+ if (S_ISDIR(src->i_mode) || S_ISDIR(inode->i_mode))
+ goto out_fput;
diff --git a/queue-2.6.33/cifs-guard-against-hardlinking-directories.patch b/queue-2.6.33/cifs-guard-against-hardlinking-directories.patch
new file mode 100644
index 00000000000..f3932ee5c6d
--- /dev/null
+++ b/queue-2.6.33/cifs-guard-against-hardlinking-directories.patch
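Review bot: The new `FMODE_READ` test in btrfs_ioctl_clone inherits `ret = -EINVAL` from the `src == inode` check above it, so a source descriptor opened write-only is reported as an invalid argument rather than as a descriptor problem, unlike the `-EBADF` path at the top of the hunk. Setting the code explicitly with `ret = -EBADF;` before `if (!(src_file->f_mode & FMODE_READ))` would keep this access failure distinguishable for callers and in logs; the next visible statement assigns `ret = -EISDIR`, so nothing later in the hunk depends on the old value. The comment would also be more useful if it gave the reason, e.g. `/* clone makes src's data readable through the destination, so src must be open for reading */`. The function starts and ends outside the hunk.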
@@ -0,0 +1,90 @@ +From 3d69438031b00c601c991ab447cafb7d5c3c59a6 Mon Sep 17 00:00:00 2001 +From: Jeff Layton +Date: Tue, 11 May 2010 14:59:55 -0400 +Subject: cifs: guard against hardlinking directories + +From: Jeff Layton + +commit 3d69438031b00c601c991ab447cafb7d5c3c59a6 upstream. + +When we made serverino the default, we trusted that the field sent by the +server in the "uniqueid" field was actually unique. It turns out that it +isn't reliably so. + +Samba, in particular, will just put the st_ino in the uniqueid field when +unix extensions are enabled. When a share spans multiple filesystems, it's +quite possible that there will be collisions. This is a server bug, but +when the inodes in question are a directory (as is often the case) and +there is a collision with the root inode of the mount, the result is a +kernel panic on umount. + +Fix this by checking explicitly for directory inodes with the same +uniqueid. If that is the case, then we can assume that using server inode +numbers will be a problem and that they should be disabled. + +Fixes Samba bugzilla 7407 + +Signed-off-by: Jeff Layton +Reviewed-and-Tested-by: Suresh Jayaraman +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/cifsglob.h | 1 + + fs/cifs/inode.c | 21 +++++++++++++++++++-- + 2 files changed, 20 insertions(+), 2 deletions(-) + +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -500,6 +500,7 @@ struct dfs_info3_param { + #define CIFS_FATTR_DFS_REFERRAL 0x1 + #define CIFS_FATTR_DELETE_PENDING 0x2 + #define CIFS_FATTR_NEED_REVAL 0x4 ++#define CIFS_FATTR_INO_COLLISION 0x8 + + struct cifs_fattr { + u32 cf_flags; +--- a/fs/cifs/inode.c ++++ b/fs/cifs/inode.c +@@ -610,6 +610,16 @@ cifs_find_inode(struct inode *inode, voi + if (CIFS_I(inode)->uniqueid != fattr->cf_uniqueid) + return 0; + ++ /* ++ * uh oh -- it's a directory. We can't use it since hardlinked dirs are ++ * verboten. 
Disable serverino and return it as if it were found, the ++ * caller can discard it, generate a uniqueid and retry the find ++ */ ++ if (S_ISDIR(inode->i_mode) && !list_empty(&inode->i_dentry)) { ++ fattr->cf_flags |= CIFS_FATTR_INO_COLLISION; ++ cifs_autodisable_serverino(CIFS_SB(inode->i_sb)); ++ } ++ + return 1; + } + +@@ -629,15 +639,22 @@ cifs_iget(struct super_block *sb, struct + unsigned long hash; + struct inode *inode; + ++retry_iget5_locked: + cFYI(1, ("looking for uniqueid=%llu", fattr->cf_uniqueid)); + + /* hash down to 32-bits on 32-bit arch */ + hash = cifs_uniqueid_to_ino_t(fattr->cf_uniqueid); + + inode = iget5_locked(sb, hash, cifs_find_inode, cifs_init_inode, fattr); +- +- /* we have fattrs in hand, update the inode */ + if (inode) { ++ /* was there a problematic inode number collision? */ ++ if (fattr->cf_flags & CIFS_FATTR_INO_COLLISION) { ++ iput(inode); ++ fattr->cf_uniqueid = iunique(sb, ROOT_I); ++ fattr->cf_flags &= ~CIFS_FATTR_INO_COLLISION; ++ goto retry_iget5_locked; ++ } ++ + cifs_fattr_to_inode(inode, fattr); + if (sb->s_flags & MS_NOATIME) + inode->i_flags |= S_NOATIME | S_NOCMTIME; diff --git a/queue-2.6.33/dasd-fix-race-between-tasklet-and-dasd_sleep_on.patch b/queue-2.6.33/dasd-fix-race-between-tasklet-and-dasd_sleep_on.patch new file mode 100644 index 00000000000..cae08ffc507 --- /dev/null +++ b/queue-2.6.33/dasd-fix-race-between-tasklet-and-dasd_sleep_on.patch 
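Review bot: The collision handling added to cifs_find_inode only covers directories that already have a dentry; any other inode whose server-supplied uniqueid matches still reaches `return 1;` and is reused. The commit message says the uniqueid is not reliably unique when a share spans filesystems, so two unrelated non-directory files could, as far as these lines show, still end up on one inode. That remaining case deserves at least a comment above `return 1;`, such as `/* non-directory uniqueid collisions are still accepted as a match here */`, or a file-type comparison against the fattr before accepting the match. The callback also now writes `fattr->cf_flags` through its opaque argument, which should be stated in its header comment since cifs_iget relies on it for the `retry_iget5_locked` path. Both functions extend beyond the hunks.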
@@ -0,0 +1,83 @@ +From 1c1e093cbf6d3a7576ba0bd10363362a1c5c74ee Mon Sep 17 00:00:00 2001 +From: Stefan Weinhuber +Date: Wed, 12 May 2010 09:32:11 +0200 +Subject: [S390] dasd: fix race between tasklet and dasd_sleep_on + +From: Stefan Weinhuber + +commit 1c1e093cbf6d3a7576ba0bd10363362a1c5c74ee upstream. + +The various dasd_sleep_on functions use a global wait queue when +waiting for a cqr. The wait condition checks the status and devlist +fields of the cqr to determine if it is safe to continue. This +evaluation may return true, although the tasklet has not finished +processing of the cqr and the callback function has not been called +yet. When the callback is finally called, the data in the cqr may +already be invalid. The sleep_on wait condition needs a safe way to +determine if the tasklet has finished processing. Use the +callback_data field of the cqr to store a token, which is set by +the callback function itself. + +Signed-off-by: Stefan Weinhuber +Signed-off-by: Heiko Carstens +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/s390/block/dasd.c | 17 ++++++++++------- + 1 file changed, 10 insertions(+), 7 deletions(-) + +--- a/drivers/s390/block/dasd.c ++++ b/drivers/s390/block/dasd.c +@@ -35,6 +35,9 @@ + */ + #define DASD_CHANQ_MAX_SIZE 4 + ++#define DASD_SLEEPON_START_TAG (void *) 1 ++#define DASD_SLEEPON_END_TAG (void *) 2 ++ + /* + * SECTION: exported variables of dasd.c + */ +@@ -1460,7 +1463,10 @@ void dasd_add_request_tail(struct dasd_c + */ + static void dasd_wakeup_cb(struct dasd_ccw_req *cqr, void *data) + { +- wake_up((wait_queue_head_t *) data); ++ spin_lock_irq(get_ccwdev_lock(cqr->startdev->cdev)); ++ cqr->callback_data = DASD_SLEEPON_END_TAG; ++ spin_unlock_irq(get_ccwdev_lock(cqr->startdev->cdev)); ++ wake_up(&generic_waitq); + } + + static inline int _wait_for_wakeup(struct dasd_ccw_req *cqr) +@@ -1470,10 +1476,7 @@ static inline int _wait_for_wakeup(struc + + device = cqr->startdev; + 
spin_lock_irq(get_ccwdev_lock(device->cdev)); +- rc = ((cqr->status == DASD_CQR_DONE || +- cqr->status == DASD_CQR_NEED_ERP || +- cqr->status == DASD_CQR_TERMINATED) && +- list_empty(&cqr->devlist)); ++ rc = (cqr->callback_data == DASD_SLEEPON_END_TAG); + spin_unlock_irq(get_ccwdev_lock(device->cdev)); + return rc; + } +@@ -1561,7 +1564,7 @@ static int _dasd_sleep_on(struct dasd_cc + wait_event(generic_waitq, !(device->stopped)); + + cqr->callback = dasd_wakeup_cb; +- cqr->callback_data = (void *) &generic_waitq; ++ cqr->callback_data = DASD_SLEEPON_START_TAG; + dasd_add_request_tail(cqr); + if (interruptible) { + rc = wait_event_interruptible( +@@ -1640,7 +1643,7 @@ int dasd_sleep_on_immediatly(struct dasd + } + + cqr->callback = dasd_wakeup_cb; +- cqr->callback_data = (void *) &generic_waitq; ++ cqr->callback_data = DASD_SLEEPON_START_TAG; + cqr->status = DASD_CQR_QUEUED; + list_add(&cqr->devlist, &device->ccw_queue); + diff --git a/queue-2.6.33/drm-i915-disable-fbc-on-915gm-and-945gm.patch b/queue-2.6.33/drm-i915-disable-fbc-on-915gm-and-945gm.patch new file mode 100644 index 00000000000..0565a004f00 --- /dev/null +++ b/queue-2.6.33/drm-i915-disable-fbc-on-915gm-and-945gm.patch 
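Review bot: `DASD_SLEEPON_START_TAG` and `DASD_SLEEPON_END_TAG` expand to an unparenthesized cast, `(void *) 1`; that works in the assignments and the comparison shown, but the macros should be written `((void *) 1)` and `((void *) 2)` so they stay correct in any expression. In dasd_wakeup_cb the `data` parameter is no longer used now that the wake-up goes to `generic_waitq` directly, and the callback takes the ccw device lock with `spin_lock_irq`/`spin_unlock_irq`, which re-enables interrupts unconditionally on unlock, so a one-line comment naming the context the callback runs in would let a reader confirm that is intended. A comment at the tag definitions, e.g. `/* callback_data tokens: END is written only by dasd_wakeup_cb, under the ccwdev lock */`, would document the protocol that `_wait_for_wakeup` depends on.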
@@ -0,0 +1,53 @@ +From 8d06a1e1e9c69244f08beb7d17146483f9dcd120 Mon Sep 17 00:00:00 2001 +From: Robert Hooker +Date: Fri, 19 Mar 2010 15:13:27 -0400 +Subject: drm/i915: Disable FBC on 915GM and 945GM. + +From: Robert Hooker + +commit 8d06a1e1e9c69244f08beb7d17146483f9dcd120 upstream. + +It is causing hangs after a suspend/resume cycle with the default +powersave=1 module option on these chipsets since 2.6.32-rc. + +BugLink: http://bugs.launchpad.net/bugs/492392 +Signed-off-by: Robert Hooker +Acked-by: Jesse Barnes +Signed-off-by: Eric Anholt +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/gpu/drm/i915/i915_drv.c | 4 ++-- + drivers/gpu/drm/i915/intel_display.c | 2 +- + 2 files changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/gpu/drm/i915/i915_drv.c ++++ b/drivers/gpu/drm/i915/i915_drv.c +@@ -79,14 +79,14 @@ const static struct intel_device_info in + .is_i915g = 1, .is_i9xx = 1, .cursor_needs_physical = 1, + }; + const static struct intel_device_info intel_i915gm_info = { +- .is_i9xx = 1, .is_mobile = 1, .has_fbc = 1, ++ .is_i9xx = 1, .is_mobile = 1, + .cursor_needs_physical = 1, + }; + const static struct intel_device_info intel_i945g_info = { + .is_i9xx = 1, .has_hotplug = 1, .cursor_needs_physical = 1, + }; + const static struct intel_device_info intel_i945gm_info = { +- .is_i945gm = 1, .is_i9xx = 1, .is_mobile = 1, .has_fbc = 1, ++ .is_i945gm = 1, .is_i9xx = 1, .is_mobile = 1, + .has_hotplug = 1, .cursor_needs_physical = 1, + }; + +--- a/drivers/gpu/drm/i915/intel_display.c ++++ b/drivers/gpu/drm/i915/intel_display.c +@@ -4683,7 +4683,7 @@ static void intel_init_display(struct dr + dev_priv->display.fbc_enabled = g4x_fbc_enabled; + dev_priv->display.enable_fbc = g4x_enable_fbc; + dev_priv->display.disable_fbc = g4x_disable_fbc; +- } else if (IS_I965GM(dev) || IS_I945GM(dev) || IS_I915GM(dev)) { ++ } else if (IS_I965GM(dev)) { + dev_priv->display.fbc_enabled = i8xx_fbc_enabled; + dev_priv->display.enable_fbc = i8xx_enable_fbc; + 
dev_priv->display.disable_fbc = i8xx_disable_fbc; diff --git a/queue-2.6.33/inotify-don-t-leak-user-struct-on-inotify-release.patch b/queue-2.6.33/inotify-don-t-leak-user-struct-on-inotify-release.patch new file mode 100644 index 00000000000..7e557161cf8 --- /dev/null +++ b/queue-2.6.33/inotify-don-t-leak-user-struct-on-inotify-release.patch @@ -0,0 +1,44 @@ +From b3b38d842fa367d862b83e7670af4e0fd6a80fc0 Mon Sep 17 00:00:00 2001 +From: Pavel Emelyanov +Date: Wed, 12 May 2010 15:34:07 -0700 +Subject: inotify: don't leak user struct on inotify release + +From: Pavel Emelyanov + +commit b3b38d842fa367d862b83e7670af4e0fd6a80fc0 upstream. + +inotify_new_group() receives a get_uid-ed user_struct and saves the +reference on group->inotify_data.user. The problem is that free_uid() is +never called on it. + +Issue seem to be introduced by 63c882a0 (inotify: reimplement inotify +using fsnotify) after 2.6.30. + +Signed-off-by: Pavel Emelyanov +Eric Paris +Signed-off-by: Andrew Morton +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inotify/inotify_fsnotify.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/notify/inotify/inotify_fsnotify.c ++++ b/fs/notify/inotify/inotify_fsnotify.c +@@ -28,6 +28,7 @@ + #include /* struct path */ + #include /* kmem_* */ + #include ++#include + + #include "inotify.h" + +@@ -146,6 +147,7 @@ static void inotify_free_group_priv(stru + idr_for_each(&group->inotify_data.idr, idr_callback, group); + idr_remove_all(&group->inotify_data.idr); + idr_destroy(&group->inotify_data.idr); ++ free_uid(group->inotify_data.user); + } + + void inotify_free_event_priv(struct fsnotify_event_private_data *fsn_event_priv) diff --git a/queue-2.6.33/inotify-race-use-after-free-double-free-in-inotify-inode-marks.patch b/queue-2.6.33/inotify-race-use-after-free-double-free-in-inotify-inode-marks.patch new file mode 100644 index 00000000000..eb576563473 --- /dev/null 
+++ b/queue-2.6.33/inotify-race-use-after-free-double-free-in-inotify-inode-marks.patch 
@@ -0,0 +1,67 @@ +From e08733446e72b983fed850fc5d8bd21b386feb29 Mon Sep 17 00:00:00 2001 +From: Eric Paris +Date: Tue, 11 May 2010 17:17:40 -0400 +Subject: inotify: race use after free/double free in inotify inode marks + +From: Eric Paris + +commit e08733446e72b983fed850fc5d8bd21b386feb29 upstream. + +There is a race in the inotify add/rm watch code. A task can find and +remove a mark which doesn't have all of it's references. This can +result in a use after free/double free situation. + +Task A Task B +------------ ----------- +inotify_new_watch() + allocate a mark (refcnt == 1) + add it to the idr + inotify_rm_watch() + inotify_remove_from_idr() + fsnotify_put_mark() + refcnt hits 0, free + take reference because we are on idr + [at this point it is a use after free] + [time goes on] + refcnt may hit 0 again, double free + +The fix is to take the reference BEFORE the object can be found in the +idr. + +Signed-off-by: Eric Paris +Signed-off-by: Greg Kroah-Hartman + +--- + fs/notify/inotify/inotify_user.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/fs/notify/inotify/inotify_user.c ++++ b/fs/notify/inotify/inotify_user.c +@@ -550,21 +550,24 @@ retry: + if (unlikely(!idr_pre_get(&group->inotify_data.idr, GFP_KERNEL))) + goto out_err; + ++ /* we are putting the mark on the idr, take a reference */ ++ fsnotify_get_mark(&tmp_ientry->fsn_entry); ++ + spin_lock(&group->inotify_data.idr_lock); + ret = idr_get_new_above(&group->inotify_data.idr, &tmp_ientry->fsn_entry, + group->inotify_data.last_wd+1, + &tmp_ientry->wd); + spin_unlock(&group->inotify_data.idr_lock); + if (ret) { ++ /* we didn't get on the idr, drop the idr reference */ ++ fsnotify_put_mark(&tmp_ientry->fsn_entry); ++ + /* idr was out of memory allocate and try again */ + if (ret == -EAGAIN) + goto retry; + goto out_err; + } + +- /* we put the mark on the idr, take a reference */ +- fsnotify_get_mark(&tmp_ientry->fsn_entry); +- + /* we are on the idr, now get on the inode */ + 
ret = fsnotify_add_mark(&tmp_ientry->fsn_entry, group, inode); + if (ret) { diff --git a/queue-2.6.33/powerpc-perf_event-fix-oops-due-to-perf_event_do_pending-call.patch b/queue-2.6.33/powerpc-perf_event-fix-oops-due-to-perf_event_do_pending-call.patch new file mode 100644 index 00000000000..6112c6db88f --- /dev/null +++ b/queue-2.6.33/powerpc-perf_event-fix-oops-due-to-perf_event_do_pending-call.patch 
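Review bot: The added comment `/* we are putting the mark on the idr, take a reference */` does not say why the reference must be taken before `idr_get_new_above()`, and that ordering is the entire fix for the use-after-free. I would word it `/* take the idr reference before the mark becomes findable: inotify_rm_watch() can look it up and drop this reference as soon as it is inserted */`, so the call is not moved back below the insertion later. From the lines shown the failure path is balanced, since the reference is dropped before `goto retry` and re-taken on the next pass. Whether `out_err` releases anything further cannot be checked here because the function starts and ends outside the hunk.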
@@ -0,0 +1,234 @@ +From 0fe1ac48bef018bed896307cd12f6ca9b5e704ab Mon Sep 17 00:00:00 2001 +From: Paul Mackerras +Date: Tue, 13 Apr 2010 20:46:04 +0000 +Subject: powerpc/perf_event: Fix oops due to perf_event_do_pending call + +From: Paul Mackerras + +commit 0fe1ac48bef018bed896307cd12f6ca9b5e704ab upstream. + +Anton Blanchard found that large POWER systems would occasionally +crash in the exception exit path when profiling with perf_events. +The symptom was that an interrupt would occur late in the exit path +when the MSR[RI] (recoverable interrupt) bit was clear. Interrupts +should be hard-disabled at this point but they were enabled. Because +the interrupt was not recoverable the system panicked. + +The reason is that the exception exit path was calling +perf_event_do_pending after hard-disabling interrupts, and +perf_event_do_pending will re-enable interrupts. + +The simplest and cleanest fix for this is to use the same mechanism +that 32-bit powerpc does, namely to cause a self-IPI by setting the +decrementer to 1. This means we can remove the tests in the exception +exit path and raw_local_irq_restore. + +This also makes sure that the call to perf_event_do_pending from +timer_interrupt() happens within irq_enter/irq_exit. (Note that +calling perf_event_do_pending from timer_interrupt does not mean that +there is a possible 1/HZ latency; setting the decrementer to 1 ensures +that the timer interrupt will happen immediately, i.e. within one +timebase tick, which is a few nanoseconds or 10s of nanoseconds.) 
+ +Signed-off-by: Paul Mackerras +Signed-off-by: Benjamin Herrenschmidt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/powerpc/include/asm/hw_irq.h | 38 ------------------------ + arch/powerpc/kernel/asm-offsets.c | 1 + arch/powerpc/kernel/entry_64.S | 9 ----- + arch/powerpc/kernel/irq.c | 6 --- + arch/powerpc/kernel/time.c | 60 ++++++++++++++++++++++++++++++-------- + 5 files changed, 48 insertions(+), 66 deletions(-) + +--- a/arch/powerpc/include/asm/hw_irq.h ++++ b/arch/powerpc/include/asm/hw_irq.h +@@ -130,43 +130,5 @@ static inline int irqs_disabled_flags(un + */ + struct irq_chip; + +-#ifdef CONFIG_PERF_EVENTS +- +-#ifdef CONFIG_PPC64 +-static inline unsigned long test_perf_event_pending(void) +-{ +- unsigned long x; +- +- asm volatile("lbz %0,%1(13)" +- : "=r" (x) +- : "i" (offsetof(struct paca_struct, perf_event_pending))); +- return x; +-} +- +-static inline void set_perf_event_pending(void) +-{ +- asm volatile("stb %0,%1(13)" : : +- "r" (1), +- "i" (offsetof(struct paca_struct, perf_event_pending))); +-} +- +-static inline void clear_perf_event_pending(void) +-{ +- asm volatile("stb %0,%1(13)" : : +- "r" (0), +- "i" (offsetof(struct paca_struct, perf_event_pending))); +-} +-#endif /* CONFIG_PPC64 */ +- +-#else /* CONFIG_PERF_EVENTS */ +- +-static inline unsigned long test_perf_event_pending(void) +-{ +- return 0; +-} +- +-static inline void clear_perf_event_pending(void) {} +-#endif /* CONFIG_PERF_EVENTS */ +- + #endif /* __KERNEL__ */ + #endif /* _ASM_POWERPC_HW_IRQ_H */ +--- a/arch/powerpc/kernel/asm-offsets.c ++++ b/arch/powerpc/kernel/asm-offsets.c +@@ -133,7 +133,6 @@ int main(void) + DEFINE(PACAKMSR, offsetof(struct paca_struct, kernel_msr)); + DEFINE(PACASOFTIRQEN, offsetof(struct paca_struct, soft_enabled)); + DEFINE(PACAHARDIRQEN, offsetof(struct paca_struct, hard_enabled)); +- DEFINE(PACAPERFPEND, offsetof(struct paca_struct, perf_event_pending)); + DEFINE(PACACONTEXTID, offsetof(struct paca_struct, context.id)); + #ifdef CONFIG_PPC_MM_SLICES 
+ DEFINE(PACALOWSLICESPSIZE, offsetof(struct paca_struct, +--- a/arch/powerpc/kernel/entry_64.S ++++ b/arch/powerpc/kernel/entry_64.S +@@ -556,15 +556,6 @@ ALT_FW_FTR_SECTION_END_IFCLR(FW_FEATURE_ + 2: + TRACE_AND_RESTORE_IRQ(r5); + +-#ifdef CONFIG_PERF_EVENTS +- /* check paca->perf_event_pending if we're enabling ints */ +- lbz r3,PACAPERFPEND(r13) +- and. r3,r3,r5 +- beq 27f +- bl .perf_event_do_pending +-27: +-#endif /* CONFIG_PERF_EVENTS */ +- + /* extract EE bit and use it to restore paca->hard_enabled */ + ld r3,_MSR(r1) + rldicl r4,r3,49,63 /* r0 = (r3 >> 15) & 1 */ +--- a/arch/powerpc/kernel/irq.c ++++ b/arch/powerpc/kernel/irq.c +@@ -53,7 +53,6 @@ + #include + #include + #include +-#include + + #include + #include +@@ -143,11 +142,6 @@ notrace void raw_local_irq_restore(unsig + } + #endif /* CONFIG_PPC_STD_MMU_64 */ + +- if (test_perf_event_pending()) { +- clear_perf_event_pending(); +- perf_event_do_pending(); +- } +- + /* + * if (get_paca()->hard_enabled) return; + * But again we need to take care that gcc gets hard_enabled directly +--- a/arch/powerpc/kernel/time.c ++++ b/arch/powerpc/kernel/time.c +@@ -532,25 +532,60 @@ void __init iSeries_time_init_early(void + } + #endif /* CONFIG_PPC_ISERIES */ + +-#if defined(CONFIG_PERF_EVENTS) && defined(CONFIG_PPC32) +-DEFINE_PER_CPU(u8, perf_event_pending); ++#ifdef CONFIG_PERF_EVENTS + +-void set_perf_event_pending(void) ++/* ++ * 64-bit uses a byte in the PACA, 32-bit uses a per-cpu variable... 
++ */ ++#ifdef CONFIG_PPC64 ++static inline unsigned long test_perf_event_pending(void) + { +- get_cpu_var(perf_event_pending) = 1; +- set_dec(1); +- put_cpu_var(perf_event_pending); ++ unsigned long x; ++ ++ asm volatile("lbz %0,%1(13)" ++ : "=r" (x) ++ : "i" (offsetof(struct paca_struct, perf_event_pending))); ++ return x; + } + ++static inline void set_perf_event_pending_flag(void) ++{ ++ asm volatile("stb %0,%1(13)" : : ++ "r" (1), ++ "i" (offsetof(struct paca_struct, perf_event_pending))); ++} ++ ++static inline void clear_perf_event_pending(void) ++{ ++ asm volatile("stb %0,%1(13)" : : ++ "r" (0), ++ "i" (offsetof(struct paca_struct, perf_event_pending))); ++} ++ ++#else /* 32-bit */ ++ ++DEFINE_PER_CPU(u8, perf_event_pending); ++ ++#define set_perf_event_pending_flag() __get_cpu_var(perf_event_pending) = 1 + #define test_perf_event_pending() __get_cpu_var(perf_event_pending) + #define clear_perf_event_pending() __get_cpu_var(perf_event_pending) = 0 + +-#else /* CONFIG_PERF_EVENTS && CONFIG_PPC32 */ ++#endif /* 32 vs 64 bit */ ++ ++void set_perf_event_pending(void) ++{ ++ preempt_disable(); ++ set_perf_event_pending_flag(); ++ set_dec(1); ++ preempt_enable(); ++} ++ ++#else /* CONFIG_PERF_EVENTS */ + + #define test_perf_event_pending() 0 + #define clear_perf_event_pending() + +-#endif /* CONFIG_PERF_EVENTS && CONFIG_PPC32 */ ++#endif /* CONFIG_PERF_EVENTS */ + + /* + * For iSeries shared processors, we have to let the hypervisor +@@ -580,10 +615,6 @@ void timer_interrupt(struct pt_regs * re + set_dec(DECREMENTER_MAX); + + #ifdef CONFIG_PPC32 +- if (test_perf_event_pending()) { +- clear_perf_event_pending(); +- perf_event_do_pending(); +- } + if (atomic_read(&ppc_n_lost_interrupts) != 0) + do_IRQ(regs); + #endif +@@ -602,6 +633,11 @@ void timer_interrupt(struct pt_regs * re + + calculate_steal_time(); + ++ if (test_perf_event_pending()) { ++ clear_perf_event_pending(); ++ perf_event_do_pending(); ++ } ++ + #ifdef CONFIG_PPC_ISERIES + if 
(firmware_has_feature(FW_FEATURE_ISERIES)) + get_lppaca()->int_dword.fields.decr_int = 0; diff --git a/queue-2.6.33/profile-fix-stats-and-data-leakage.patch b/queue-2.6.33/profile-fix-stats-and-data-leakage.patch new file mode 100644 index 00000000000..8d6f71fe2c1 --- /dev/null +++ b/queue-2.6.33/profile-fix-stats-and-data-leakage.patch @@ -0,0 +1,35 @@ +From 16a2164bb03612efe79a76c73da6da44445b9287 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins +Date: Fri, 14 May 2010 19:44:10 -0700 +Subject: profile: fix stats and data leakage + +From: Hugh Dickins + +commit 16a2164bb03612efe79a76c73da6da44445b9287 upstream. + +If the kernel is large or the profiling step small, /proc/profile +leaks data and readprofile shows silly stats, until readprofile -r +has reset the buffer: clear the prof_buffer when it is vmalloc()ed. + +Signed-off-by: Hugh Dickins +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/profile.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/profile.c ++++ b/kernel/profile.c +@@ -127,8 +127,10 @@ int __ref profile_init(void) + return 0; + + prof_buffer = vmalloc(buffer_bytes); +- if (prof_buffer) ++ if (prof_buffer) { ++ memset(prof_buffer, 0, buffer_bytes); + return 0; ++ } + + free_cpumask_var(prof_cpu_mask); + return -ENOMEM; diff --git a/queue-2.6.33/ptrace-fix-return-value-of-do_syscall_trace_enter.patch b/queue-2.6.33/ptrace-fix-return-value-of-do_syscall_trace_enter.patch new file mode 100644 index 00000000000..35633745aad --- /dev/null +++ b/queue-2.6.33/ptrace-fix-return-value-of-do_syscall_trace_enter.patch 
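Review bot: In the 32-bit branch added to arch/powerpc/kernel/time.c, `#define set_perf_event_pending_flag() __get_cpu_var(perf_event_pending) = 1` expands to a bare assignment, as does the `clear_perf_event_pending()` macro beside it. The 64-bit variants are `static inline` functions, so the two configurations behave differently if the macro is ever used inside a larger expression or an unbraced `if`/`else`. Parenthesizing the expansion, `(__get_cpu_var(perf_event_pending) = 1)`, or using static inlines for 32-bit as well, would remove that difference. The relocated block in timer_interrupt would also benefit from a comment such as `/* set_perf_event_pending() forces a decrementer interrupt; pending perf work is run here, inside irq_enter/irq_exit */`, because after this change it is the only place visible in the patch where the pending flag is consumed.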
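Review bot: The `memset(prof_buffer, 0, buffer_bytes);` added after `vmalloc()` in profile_init has no comment, and the reason for it is security-relevant: per the description, an uncleared buffer is what leaked data through /proc/profile. I would add `/* vmalloc() does not zero its pages; clear them so /proc/profile cannot expose stale kernel memory */` above the call so the memset is not later removed as redundant. The earlier allocation attempts in this function are outside the hunk, so whether they already return zeroed memory cannot be confirmed from here.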
@@ -0,0 +1,49 @@
+From 545c174d1f093a462b4bb9131b23d5ea72a600e1 Mon Sep 17 00:00:00 2001
+From: Gerald Schaefer
+Date: Wed, 12 May 2010 09:32:12 +0200
+Subject: [S390] ptrace: fix return value of do_syscall_trace_enter()
+
+From: Gerald Schaefer
+
+commit 545c174d1f093a462b4bb9131b23d5ea72a600e1 upstream.
+
+strace may change the system call number, so regs->gprs[2] must not
+be read before tracehook_report_syscall_entry(). This fixes a bug
+where "strace -f" will hang after a vfork().
+
+Signed-off-by: Gerald Schaefer
+Signed-off-by: Martin Schwidefsky
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/s390/kernel/ptrace.c | 5 ++---
+ 1 file changed, 2 insertions(+), 3 deletions(-)
+
+--- a/arch/s390/kernel/ptrace.c
++++ b/arch/s390/kernel/ptrace.c
+@@ -640,7 +640,7 @@ long compat_arch_ptrace(struct task_stru
+
+ asmlinkage long do_syscall_trace_enter(struct pt_regs *regs)
+ {
+- long ret;
++ long ret = 0;
+
+ /* Do the secure computing check first. */
+ secure_computing(regs->gprs[2]);
+@@ -649,7 +649,6 @@ asmlinkage long do_syscall_trace_enter(s
+ * The sysc_tracesys code in entry.S stored the system
+ * call number to gprs[2].
+ */
+- ret = regs->gprs[2];
+ if (test_thread_flag(TIF_SYSCALL_TRACE) &&
+ (tracehook_report_syscall_entry(regs) ||
+ regs->gprs[2] >= NR_syscalls)) {
+@@ -671,7 +670,7 @@ asmlinkage long do_syscall_trace_enter(s
+ regs->gprs[2], regs->orig_gpr2,
+ regs->gprs[3], regs->gprs[4],
+ regs->gprs[5]);
+- return ret;
++ return ret ?: regs->gprs[2];
+ }
+
+ asmlinkage void do_syscall_trace_exit(struct pt_regs *regs)
diff --git a/queue-2.6.33/serial-imx.c-fix-cts-trigger-level-lower-to-avoid-lost-chars.patch b/queue-2.6.33/serial-imx.c-fix-cts-trigger-level-lower-to-avoid-lost-chars.patch
new file mode 100644
index 00000000000..bf142c37423
--- /dev/null
+++ b/queue-2.6.33/serial-imx.c-fix-cts-trigger-level-lower-to-avoid-lost-chars.patch
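Review bot: In do_syscall_trace_enter() (arch/s390/kernel/ptrace.c) the context line `secure_computing(regs->gprs[2]);` still runs before tracehook_report_syscall_entry(), so the secure computing check is made on the syscall number from before the tracer ran, while the new `return ret ?: regs->gprs[2];` returns the number from after it. The commit message states that a tracer may change the number, so that difference should at least be documented, e.g. `/* re-read gprs[2]: the tracer may have changed it; secure_computing() above saw the earlier value */` above the return. Whether it matters depends on whether a task under secure computing can be traced at all, which these hunks do not show. The middle of the function lies between the hunks.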
@@ -0,0 +1,63 @@
+From 1c5250d6163dac28be3afabdfb6c723f107051b7 Mon Sep 17 00:00:00 2001
+From: Valentin Longchamp
+Date: Wed, 5 May 2010 11:47:07 +0200
+Subject: serial: imx.c: fix CTS trigger level lower to avoid lost chars
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+From: Valentin Longchamp
+
+commit 1c5250d6163dac28be3afabdfb6c723f107051b7 upstream.
+
+The imx CTS trigger level is left at its reset value that is 32
+chars. Since the RX FIFO has 32 entries, when CTS is raised, the
+FIFO already is full. However, some serial port devices first empty
+their TX FIFO before stopping when CTS is raised, resulting in lost
+chars.
+
+This patch sets the trigger level lower so that other chars arrive
+after CTS is raised, there is still room for 16 of them.
+
+Signed-off-by: Valentin Longchamp
+Tested-by: Philippe Rétornaz
+Acked-by: Wolfram Sang
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/serial/imx.c | 10 +++++++++-
+ 1 file changed, 9 insertions(+), 1 deletion(-)
+
+--- a/drivers/serial/imx.c
++++ b/drivers/serial/imx.c
+@@ -119,7 +119,8 @@
+ #define MX2_UCR3_RXDMUXSEL (1<<2) /* RXD Muxed Input Select, on mx2/mx3 */
+ #define UCR3_INVT (1<<1) /* Inverted Infrared transmission */
+ #define UCR3_BPEN (1<<0) /* Preset registers enable */
+-#define UCR4_CTSTL_32 (32<<10) /* CTS trigger level (32 chars) */
++#define UCR4_CTSTL_SHF 10 /* CTS trigger level shift */
++#define UCR4_CTSTL_MASK 0x3F /* CTS trigger is 6 bits wide */
+ #define UCR4_INVR (1<<9) /* Inverted infrared reception */
+ #define UCR4_ENIRI (1<<8) /* Serial infrared interrupt enable */
+ #define UCR4_WKEN (1<<7) /* Wake interrupt enable */
+@@ -590,6 +591,9 @@ static int imx_setup_ufcr(struct imx_por
+ return 0;
+ }
+
++/* half the RX buffer size */
++#define CTSTL 16
++
+ static int imx_startup(struct uart_port *port)
+ {
+ struct imx_port *sport = (struct imx_port *)port;
+@@ -606,6 +610,10 @@ static int imx_startup(struct uart_port
+ if
(USE_IRDA(sport))
+ temp |= UCR4_IRSC;
+
++ /* set the trigger level for CTS */
++ temp &= ~(UCR4_CTSTL_MASK<< UCR4_CTSTL_SHF);
++ temp |= CTSTL<< UCR4_CTSTL_SHF;
++
+ writel(temp & ~UCR4_DREN, sport->port.membase + UCR4);
+
+ if (USE_IRDA(sport)) {
diff --git a/queue-2.6.33/series b/queue-2.6.33/series
index 67fa027b76a..8476d1be4ec 100644
--- a/queue-2.6.33/series
+++ b/queue-2.6.33/series
@@ -12,3 +12,21 @@ mmc-atmel-mci-prevent-kernel-oops-while-removing-card.patch
 mmc-atmel-mci-remove-data-error-interrupt-after-xfer.patch
 drm-i915-use-pipe_control-instruction-on-ironlake-and-sandy-bridge.patch
 drm-i915-fix-non-ironlake-965-class-crashes.patch
+ptrace-fix-return-value-of-do_syscall_trace_enter.patch
+dasd-fix-race-between-tasklet-and-dasd_sleep_on.patch
+powerpc-perf_event-fix-oops-due-to-perf_event_do_pending-call.patch
+cifs-guard-against-hardlinking-directories.patch
+serial-imx.c-fix-cts-trigger-level-lower-to-avoid-lost-chars.patch
+tty-fix-unbalanced-bkl-handling-in-error-path.patch
+alsa-ice1724-fix-esi-maya44-capture-source-control.patch
+alsa-virtuoso-fix-xonar-d1-dx-front-panel-microphone.patch
+alsa-hda-fix-0-db-for-lenovo-models-using-conexant-cx20549-venice.patch
+inotify-race-use-after-free-double-free-in-inotify-inode-marks.patch
+inotify-don-t-leak-user-struct-on-inotify-release.patch
+profile-fix-stats-and-data-leakage.patch
+x86-k8-fix-build-error-when-k8_nb-is-disabled.patch
+x86-cacheinfo-turn-off-l3-cache-index-disable-feature-in-virtualized-environments.patch
+x86-amd-check-x86_feature_osvw-bit-before-accessing-osvw-msrs.patch
+btrfs-check-for-read-permission-on-src-file-in-the-clone-ioctl.patch
+alsa-hda-new-intel-hda-controller.patch
+drm-i915-disable-fbc-on-915gm-and-945gm.patch
diff --git a/queue-2.6.33/tty-fix-unbalanced-bkl-handling-in-error-path.patch b/queue-2.6.33/tty-fix-unbalanced-bkl-handling-in-error-path.patch
new file mode 100644
index 00000000000..c5153f69d9a
--- /dev/null
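Review bot: In imx_startup() (drivers/serial/imx.c, serial-imx.c patch) the new level is OR-ed in without being limited to the field, `temp |= CTSTL<< UCR4_CTSTL_SHF;`, so a later change of CTSTL above 0x3F would set bits beyond the 6-bit trigger field; `temp |= (CTSTL & UCR4_CTSTL_MASK) << UCR4_CTSTL_SHF;` keeps the write inside it. The `CTSTL` macro is also defined between two functions under a very short name, where a UCR4_-prefixed name beside the other UCR4 defines would match the file's naming. imx_startup() continues outside the hunk.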
+++ b/queue-2.6.33/tty-fix-unbalanced-bkl-handling-in-error-path.patch
@@ -0,0 +1,35 @@
+From 77945febbe60a69e9dcab7f49d33a1aa1e436973 Mon Sep 17 00:00:00 2001
+From: Alan Cox
+Date: Tue, 4 May 2010 20:42:36 +0100
+Subject: tty: Fix unbalanced BKL handling in error path
+
+From: Alan Cox
+
+commit 77945febbe60a69e9dcab7f49d33a1aa1e436973 upstream.
+
+Arnd noted:
+
+After the "retry_open:" label, we first get the tty_mutex
+and then the BKL. However a the end of tty_open, we jump
+back to retry_open with the BKL still held. If we run into
+this case, the tty_open function will be left with the BKL
+still held.
+
+Signed-off-by: Alan Cox
+Acked-by: Arnd Bergmann
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/char/tty_io.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+--- a/drivers/char/tty_io.c
++++ b/drivers/char/tty_io.c
+@@ -1875,6 +1875,7 @@ got_driver:
+ */
+ if (filp->f_op == &hung_up_tty_fops)
+ filp->f_op = &tty_fops;
++ unlock_kernel();
+ goto retry_open;
+ }
+ unlock_kernel();
diff --git a/queue-2.6.33/x86-amd-check-x86_feature_osvw-bit-before-accessing-osvw-msrs.patch b/queue-2.6.33/x86-amd-check-x86_feature_osvw-bit-before-accessing-osvw-msrs.patch
new file mode 100644
index 00000000000..f31f4573bc9
--- /dev/null
+++ b/queue-2.6.33/x86-amd-check-x86_feature_osvw-bit-before-accessing-osvw-msrs.patch
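Review bot: The `unlock_kernel();` added before `goto retry_open;` in drivers/char/tty_io.c is balanced only because the code after the label takes the BKL again, and nothing at the jump records that. A comment such as `/* retry_open re-takes the BKL, so drop it before jumping back */` would keep the pairing visible to whoever next adds an exit or retry path here. The commit message says tty_mutex is also taken after the label; the hunk does not show whether it has already been released at this point, so that is worth checking in the same pass. The label and both acquisitions are outside the hunk.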
@@ -0,0 +1,43 @@
+From f01487119dda3d9f58c9729c7361ecc50a61c188 Mon Sep 17 00:00:00 2001
+From: Andreas Herrmann
+Date: Tue, 27 Apr 2010 12:13:48 +0200
+Subject: x86, amd: Check X86_FEATURE_OSVW bit before accessing OSVW MSRs
+
+From: Andreas Herrmann
+
+commit f01487119dda3d9f58c9729c7361ecc50a61c188 upstream.
+
+If host CPU is exposed to a guest the OSVW MSRs are not guaranteed
+to be present and a GP fault occurs. Thus checking the feature flag is
+essential.
+
+Signed-off-by: Andreas Herrmann
+LKML-Reference: <20100427101348.GC4489@alberich.amd.com>
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/process.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+--- a/arch/x86/kernel/process.c
++++ b/arch/x86/kernel/process.c
+@@ -539,11 +539,13 @@ static int __cpuinit check_c1e_idle(cons
+ * check OSVW bit for CPUs that are not affected
+ * by erratum #400
+ */
+- rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, val);
+- if (val >= 2) {
+- rdmsrl(MSR_AMD64_OSVW_STATUS, val);
+- if (!(val & BIT(1)))
+- goto no_c1e_idle;
++ if (cpu_has(c, X86_FEATURE_OSVW)) {
++ rdmsrl(MSR_AMD64_OSVW_ID_LENGTH, val);
++ if (val >= 2) {
++ rdmsrl(MSR_AMD64_OSVW_STATUS, val);
++ if (!(val & BIT(1)))
++ goto no_c1e_idle;
++ }
+ }
+ return 1;
+ }
diff --git a/queue-2.6.33/x86-cacheinfo-turn-off-l3-cache-index-disable-feature-in-virtualized-environments.patch b/queue-2.6.33/x86-cacheinfo-turn-off-l3-cache-index-disable-feature-in-virtualized-environments.patch
new file mode 100644
index 00000000000..e99698a926f
--- /dev/null
+++ b/queue-2.6.33/x86-cacheinfo-turn-off-l3-cache-index-disable-feature-in-virtualized-environments.patch
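Review bot: Inside the new `cpu_has(c, X86_FEATURE_OSVW)` block in check_c1e_idle() (arch/x86/kernel/process.c) both MSR reads still use `rdmsrl()`, which faults when the MSR is absent, so the code now relies entirely on the CPUID feature bit being truthful. In the guest case the commit message describes, that bit is whatever the hypervisor reports, and a hypervisor that advertises OSVW without implementing the MSRs would bring the same GP fault back. A fault-tolerant read, `if (!rdmsrl_safe(MSR_AMD64_OSVW_ID_LENGTH, &val) && val >= 2) {` and likewise for MSR_AMD64_OSVW_STATUS, would fall through to `return 1` instead. `val` is declared outside the hunk, so its type has to be checked against the pointer argument rdmsrl_safe() expects.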
@@ -0,0 +1,102 @@
+From 7f284d3cc96e02468a42e045f77af11e5ff8b095 Mon Sep 17 00:00:00 2001
+From: Frank Arnold
+Date: Thu, 22 Apr 2010 16:06:59 +0200
+Subject: x86, cacheinfo: Turn off L3 cache index disable feature in virtualized environments
+
+From: Frank Arnold
+
+commit 7f284d3cc96e02468a42e045f77af11e5ff8b095 upstream.
+
+When running a quest kernel on xen we get:
+
+BUG: unable to handle kernel NULL pointer dereference at 0000000000000038
+IP: [] cpuid4_cache_lookup_regs+0x2ca/0x3df
+PGD 0
+Oops: 0000 [#1] SMP
+last sysfs file:
+CPU 0
+Modules linked in:
+
+Pid: 0, comm: swapper Tainted: G W 2.6.34-rc3 #1 /HVM domU
+RIP: 0010:[] [] cpuid4_cache_lookup_regs+0x
+2ca/0x3df
+RSP: 0018:ffff880002203e08 EFLAGS: 00010046
+RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000060
+RDX: 0000000000000000 RSI: 0000000000000040 RDI: 0000000000000000
+RBP: ffff880002203ed8 R08: 00000000000017c0 R09: ffff880002203e38
+R10: ffff8800023d5d40 R11: ffffffff81a01e28 R12: ffff880187e6f5c0
+R13: ffff880002203e34 R14: ffff880002203e58 R15: ffff880002203e68
+FS: 0000000000000000(0000) GS:ffff880002200000(0000) knlGS:0000000000000000
+CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
+CR2: 0000000000000038 CR3: 0000000001a3c000 CR4: 00000000000006f0
+DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
+DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
+Process swapper (pid: 0, threadinfo ffffffff81a00000, task ffffffff81a44020)
+Stack:
+ ffffffff810d7ecb ffff880002203e20 ffffffff81059140 ffff880002203e30
+<0> ffffffff810d7ec9 0000000002203e40 000000000050d140 ffff880002203e70
+<0> 0000000002008140 0000000000000086 ffff880040020140 ffffffff81068b8b
+Call Trace:
+
+ [] ? sync_supers_timer_fn+0x0/0x1c
+ [] ? mod_timer+0x23/0x25
+ [] ? arm_supers_timer+0x34/0x36
+ [] ? hrtimer_get_next_event+0xa7/0xc3
+ [] ? get_next_timer_interrupt+0x19a/0x20d
+ [] get_cpu_leaves+0x5c/0x232
+ [] ? sched_clock_local+0x1c/0x82
+ [] ?
sched_clock_tick+0x75/0x7a
+ [] generic_smp_call_function_single_interrupt+0xae/0xd0
+ [] smp_call_function_single_interrupt+0x18/0x27
+ [] call_function_single_interrupt+0x13/0x20
+
+ [] ? notifier_call_chain+0x14/0x63
+ [] ? native_safe_halt+0xc/0xd
+ [] ? default_idle+0x36/0x53
+ [] cpu_idle+0xaa/0xe4
+ [] rest_init+0x7e/0x80
+ [] start_kernel+0x40e/0x419
+ [] x86_64_start_reservations+0xb3/0xb7
+ [] x86_64_start_kernel+0xf8/0x107
+Code: 14 d5 40 ff ae 81 8b 14 02 31 c0 3b 15 47 1c 8b 00 7d 0e 48 8b 05 36 1c 8b
+ 00 48 63 d2 48 8b 04 d0 c7 85 5c ff ff ff 00 00 00 00 <8b> 70 38 48 8d 8d 5c ff
+ ff ff 48 8b 78 10 ba c4 01 00 00 e8 eb
+RIP [] cpuid4_cache_lookup_regs+0x2ca/0x3df
+ RSP
+CR2: 0000000000000038
+---[ end trace a7919e7f17c0a726 ]---
+
+The L3 cache index disable feature of AMD CPUs has to be disabled if the
+kernel is running as guest on top of a hypervisor because northbridge
+devices are not available to the guest. Currently, this fixes a boot
+crash on top of Xen. In the future this will become an issue on KVM as
+well.
+
+Check if northbridge devices are present and do not enable the feature
+if there are none.
+
+[ hpa: backported to 2.6.34 ]
+
+Signed-off-by: Frank Arnold
+LKML-Reference: <1271945222-5283-3-git-send-email-bp@amd64.org>
+Acked-by: Borislav Petkov
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/kernel/cpu/intel_cacheinfo.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/arch/x86/kernel/cpu/intel_cacheinfo.c
++++ b/arch/x86/kernel/cpu/intel_cacheinfo.c
+@@ -338,6 +338,10 @@ amd_check_l3_disable(int index, struct _
+ (boot_cpu_data.x86_mask < 0x1)))
+ return;
+
++ /* not in virtualized environments */
++ if (num_k8_northbridges == 0)
++ return;
++
+ this_leaf->can_disable = true;
+ this_leaf->l3_indices = amd_calc_l3_indices();
+ }
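Review bot: The comment on the new guard in amd_check_l3_disable() (arch/x86/kernel/cpu/intel_cacheinfo.c), `/* not in virtualized environments */`, names the motivating case rather than the condition tested: `num_k8_northbridges == 0` holds whenever no northbridge devices were found, guest or not. I would word it `/* no northbridge devices found, e.g. when running as a guest */` so that nobody later swaps it for a hypervisor check and reopens the crash on other configurations. The oops in the commit message is a NULL dereference in cpuid4_cache_lookup_regs(), which is not part of this hunk, so it is worth confirming that no other path reaches that dereference when no northbridge device exists. The function begins outside the hunk.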
diff --git a/queue-2.6.33/x86-k8-fix-build-error-when-k8_nb-is-disabled.patch b/queue-2.6.33/x86-k8-fix-build-error-when-k8_nb-is-disabled.patch
new file mode 100644
index 00000000000..2e48a06e99f
--- /dev/null
+++ b/queue-2.6.33/x86-k8-fix-build-error-when-k8_nb-is-disabled.patch
@@ -0,0 +1,41 @@
+From ade029e2aaacc8965a548b0b0f80c5bee97ffc68 Mon Sep 17 00:00:00 2001
+From: Borislav Petkov
+Date: Sat, 24 Apr 2010 09:56:53 +0200
+Subject: x86, k8: Fix build error when K8_NB is disabled
+
+From: Borislav Petkov
+
+commit ade029e2aaacc8965a548b0b0f80c5bee97ffc68 upstream.
+
+K8_NB depends on PCI and when the last is disabled (allnoconfig) we fail
+at the final linking stage due to missing exported num_k8_northbridges.
+Add a header stub for that.
+
+Signed-off-by: Borislav Petkov
+LKML-Reference: <20100503183036.GJ26107@aftab>
+Signed-off-by: H. Peter Anvin
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ arch/x86/include/asm/k8.h | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+--- a/arch/x86/include/asm/k8.h
++++ b/arch/x86/include/asm/k8.h
+@@ -16,11 +16,16 @@ extern int k8_numa_init(unsigned long st
+ extern int k8_scan_nodes(void);
+
+ #ifdef CONFIG_K8_NB
++extern int num_k8_northbridges;
++
+ static inline struct pci_dev *node_to_k8_nb_misc(int node)
+ {
+ return (node < num_k8_northbridges) ? k8_northbridges[node] : NULL;
+ }
++
+ #else
++#define num_k8_northbridges 0
++
+ static inline struct pci_dev *node_to_k8_nb_misc(int node)
+ {
+ return NULL;
-- 2.47.3
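Review bot: The `#define num_k8_northbridges 0` stub in the `#else` branch of arch/x86/include/asm/k8.h replaces the identifier textually, so any declaration or assignment of num_k8_northbridges that the preprocessor sees after this point in a !CONFIG_K8_NB build turns into invalid code (`extern int 0;`). The hunk adds the `extern` only inside `#ifdef CONFIG_K8_NB`; whether another declaration of the variable remains elsewhere in the header, or in a file built without K8_NB, is not visible here. A comment on the stub, e.g. `/* stub: read-only, must not be declared or assigned when K8_NB is off */`, would document the constraint. The `#else` branch continues past the end of the hunk.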