From f44c2c1867b02a918b077dc063f76f290b244fa5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 6 Feb 2012 10:51:37 -0800 Subject: [PATCH] 3.0-stable patches added patches: alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch arm-omap2-gpmc-fix-device-size-setup.patch asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch firewire-ohci-disable-msi-on-ricoh-controllers.patch ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch proc-mem_release-should-check-mm-null.patch proc-unify-mem_read-and-mem_write.patch readahead-fix-pipeline-break-caused-by-block-plug.patch --- ...icated-output-to-more-than-one-codec.patch | 33 ++++ ...fore-restoring-context-from-sigframe.patch | 57 +++++++ ...-fix-ptrace-regset-modification-race.patch | 66 ++++++++ ...tate-before-copying-ptrace-registers.patch | 38 +++++ ...arm-omap2-gpmc-fix-device-size-setup.patch | 41 +++++ ...buffer-for-single-ended-line-outputs.patch | 54 +++++++ ...ix-wrong-bits-for-lineout2-n-p-mixer.patch | 30 ++++ ...x-kdfontop-32bit-compatibility-layer.patch | 41 +++++ ...add-reset-packet-quirk-for-sb-audigy.patch | 41 +++++ ...hci-disable-msi-on-ricoh-controllers.patch | 41 +++++ ...-specific-attribute-mads-to-firmware.patch | 87 +++++++++++ ...ak-in-function-pre_handler_kretprobe.patch | 49 ++++++ ...open-doesn-t-pin-the-target-s-memory.patch | 76 +++++++++ ...roc-mem_release-should-check-mm-null.patch | 32 ++++ .../proc-unify-mem_read-and-mem_write.patch | 146 ++++++++++++++++++ ...-pipeline-break-caused-by-block-plug.patch | 97 ++++++++++++ queue-3.0/series | 16 ++ 17 files changed, 945 insertions(+) create mode 100644 queue-3.0/alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch create mode 100644 queue-3.0/arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch create mode 100644 queue-3.0/arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch create mode 100644 queue-3.0/arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch create mode 100644 queue-3.0/arm-omap2-gpmc-fix-device-size-setup.patch create mode 100644 queue-3.0/asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch create mode 100644 queue-3.0/asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch create mode 100644 queue-3.0/drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch create mode 100644 queue-3.0/firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch create mode 100644 queue-3.0/firewire-ohci-disable-msi-on-ricoh-controllers.patch create mode 100644 queue-3.0/ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch create mode 100644 queue-3.0/kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch create mode 100644 queue-3.0/proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch create mode 100644 queue-3.0/proc-mem_release-should-check-mm-null.patch create mode 100644 queue-3.0/proc-unify-mem_read-and-mem_write.patch create mode 100644 queue-3.0/readahead-fix-pipeline-break-caused-by-block-plug.patch create mode 100644 queue-3.0/series diff --git a/queue-3.0/alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch b/queue-3.0/alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch new file mode 100644 index 00000000000..bf93eab3bea --- /dev/null +++ b/queue-3.0/alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch @@ -0,0 +1,33 @@ +From 54c2a89f60fd71b924d0f848ac892442951401a6 Mon Sep 17 00:00:00 2001 +From: David Henningsson +Date: Wed, 1 Feb 2012 12:05:41 +0100 +Subject: ALSA: HDA: Fix duplicated output to more than one codec + +From: David Henningsson + +commit 54c2a89f60fd71b924d0f848ac892442951401a6 upstream. + +This typo caused the wrong codec's nid to be checked for wcaps type. +As a result, sometimes speakers would duplicate the output sent to +HDMI output. + +BugLink: https://bugs.launchpad.net/bugs/924320 +Signed-off-by: David Henningsson +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_codec.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/hda_codec.c ++++ b/sound/pci/hda/hda_codec.c +@@ -1328,7 +1328,7 @@ void snd_hda_codec_setup_stream(struct h + for (i = 0; i < c->cvt_setups.used; i++) { + p = snd_array_elem(&c->cvt_setups, i); + if (!p->active && p->stream_tag == stream_tag && +- get_wcaps_type(get_wcaps(codec, p->nid)) == type) ++ get_wcaps_type(get_wcaps(c, p->nid)) == type) + p->dirty = 1; + } + } diff --git a/queue-3.0/arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch b/queue-3.0/arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch new file mode 100644 index 00000000000..e298131963a --- /dev/null +++ b/queue-3.0/arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch @@ -0,0 +1,57 @@ +From 2af276dfb1722e97b190bd2e646b079a2aa674db Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 30 Jan 2012 20:21:42 +0100 +Subject: ARM: 7306/1: vfp: flush thread hwstate before restoring context from sigframe + +From: Will Deacon + +commit 2af276dfb1722e97b190bd2e646b079a2aa674db upstream. + +Following execution of a signal handler, we currently restore the VFP +context from the ucontext in the signal frame. This involves copying +from the user stack into the current thread's vfp_hard_struct and then +flushing the new data out to the hardware registers. + +This is problematic when using a preemptible kernel because we could be +context switched whilst updating the vfp_hard_struct. If the current +thread has made use of VFP since the last context switch, the VFP +notifier will copy from the hardware registers into the vfp_hard_struct, +overwriting any data that had been partially copied by the signal code. + +Disabling preemption across copy_from_user calls is a terrible idea, so +instead we move the VFP thread flush *before* we update the +vfp_hard_struct. Since the flushing is performed lazily, this has the +effect of disabling VFP and clearing the CPU's VFP state pointer, +therefore preventing the thread from being updated with stale data on +the next context switch. + +Tested-by: Peter Maydell +Signed-off-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/signal.c | 5 ++--- + 1 file changed, 2 insertions(+), 3 deletions(-) + +--- a/arch/arm/kernel/signal.c ++++ b/arch/arm/kernel/signal.c +@@ -227,6 +227,8 @@ static int restore_vfp_context(struct vf + if (magic != VFP_MAGIC || size != VFP_STORAGE_SIZE) + return -EINVAL; + ++ vfp_flush_hwstate(thread); ++ + /* + * Copy the floating point registers. There can be unused + * registers see asm/hwcap.h for details. +@@ -251,9 +253,6 @@ static int restore_vfp_context(struct vf + __get_user_error(h->fpinst, &frame->ufp_exc.fpinst, err); + __get_user_error(h->fpinst2, &frame->ufp_exc.fpinst2, err); + +- if (!err) +- vfp_flush_hwstate(thread); +- + return err ? -EFAULT : 0; + } + diff --git a/queue-3.0/arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch b/queue-3.0/arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch new file mode 100644 index 00000000000..a24586f88ab --- /dev/null +++ b/queue-3.0/arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch @@ -0,0 +1,66 @@ +From 247f4993a5974e6759606c4d380748eecfd273ff Mon Sep 17 00:00:00 2001 +From: Dave Martin +Date: Mon, 30 Jan 2012 20:22:28 +0100 +Subject: ARM: 7307/1: vfp: fix ptrace regset modification race + +From: Dave Martin + +commit 247f4993a5974e6759606c4d380748eecfd273ff upstream. + +In a preemptible kernel, vfp_set() can be preempted, causing the +hardware VFP context to be switched while the thread vfp state is +being read and modified. This leads to a race condition which can +cause the thread vfp state to become corrupted if lazy VFP context +save occurs due to preemption in between the time thread->vfpstate +is read and the time the modified state is written back. + +This may occur if preemption occurs during the execution of a +ptrace() call which modifies the VFP register state of a thread. +Such instances should be very rare in most realistic scenarios -- +none has been reported, so far as I am aware. Only uniprocessor +systems should be affected, since VFP context save is not currently +lazy in SMP kernels. + +The problem was introduced by my earlier patch migrating to use +regsets to implement ptrace. + +This patch does a vfp_sync_hwstate() before reading +thread->vfpstate, to make sure that the thread's VFP state is not +live in the hardware registers while the registers are modified. + +Thanks to Will Deacon for spotting this. + +Signed-off-by: Dave Martin +Signed-off-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/ptrace.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -719,10 +719,13 @@ static int vfp_set(struct task_struct *t + { + int ret; + struct thread_info *thread = task_thread_info(target); +- struct vfp_hard_struct new_vfp = thread->vfpstate.hard; ++ struct vfp_hard_struct new_vfp; + const size_t user_fpregs_offset = offsetof(struct user_vfp, fpregs); + const size_t user_fpscr_offset = offsetof(struct user_vfp, fpscr); + ++ vfp_sync_hwstate(thread); ++ new_vfp = thread->vfpstate.hard; ++ + ret = user_regset_copyin(&pos, &count, &kbuf, &ubuf, + &new_vfp.fpregs, + user_fpregs_offset, +@@ -743,7 +746,6 @@ static int vfp_set(struct task_struct *t + if (ret) + return ret; + +- vfp_sync_hwstate(thread); + thread->vfpstate.hard = new_vfp; + vfp_flush_hwstate(thread); + diff --git a/queue-3.0/arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch b/queue-3.0/arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch new file mode 100644 index 00000000000..90806d8b1fd --- /dev/null +++ b/queue-3.0/arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch @@ -0,0 +1,38 @@ +From 8130b9d7b9d858aa04ce67805e8951e3cb6e9b2f Mon Sep 17 00:00:00 2001 +From: Will Deacon +Date: Mon, 30 Jan 2012 20:23:29 +0100 +Subject: ARM: 7308/1: vfp: flush thread hwstate before copying ptrace registers + +From: Will Deacon + +commit 8130b9d7b9d858aa04ce67805e8951e3cb6e9b2f upstream. + +If we are context switched whilst copying into a thread's +vfp_hard_struct then the partial copy may be corrupted by the VFP +context switching code (see "ARM: vfp: flush thread hwstate before +restoring context from sigframe"). + +This patch updates the ptrace VFP set code so that the thread state is +flushed before the copy, therefore disabling VFP and preventing +corruption from occurring. + +Signed-off-by: Will Deacon +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/kernel/ptrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/arm/kernel/ptrace.c ++++ b/arch/arm/kernel/ptrace.c +@@ -746,8 +746,8 @@ static int vfp_set(struct task_struct *t + if (ret) + return ret; + +- thread->vfpstate.hard = new_vfp; + vfp_flush_hwstate(thread); ++ thread->vfpstate.hard = new_vfp; + + return 0; + } diff --git a/queue-3.0/arm-omap2-gpmc-fix-device-size-setup.patch b/queue-3.0/arm-omap2-gpmc-fix-device-size-setup.patch new file mode 100644 index 00000000000..8c9e0f0ce36 --- /dev/null +++ b/queue-3.0/arm-omap2-gpmc-fix-device-size-setup.patch @@ -0,0 +1,41 @@ +From 8ef5d844cc3a644ea6f7665932a4307e9fad01fa Mon Sep 17 00:00:00 2001 +From: Yegor Yefremov +Date: Mon, 23 Jan 2012 08:32:23 +0100 +Subject: ARM: OMAP2+: GPMC: fix device size setup + +From: Yegor Yefremov + +commit 8ef5d844cc3a644ea6f7665932a4307e9fad01fa upstream. + +following statement can only change device size from 8-bit(0) to 16-bit(1), +but not vice versa: + +regval |= GPMC_CONFIG1_DEVICESIZE(wval); + +so as this field has 1 reserved bit, that could be used in future, +just clear both bits and then OR with the desired value + +Signed-off-by: Yegor Yefremov +Signed-off-by: Tony Lindgren +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mach-omap2/gpmc.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/arch/arm/mach-omap2/gpmc.c ++++ b/arch/arm/mach-omap2/gpmc.c +@@ -528,7 +528,13 @@ int gpmc_cs_configure(int cs, int cmd, i + + case GPMC_CONFIG_DEV_SIZE: + regval = gpmc_cs_read_reg(cs, GPMC_CS_CONFIG1); ++ ++ /* clear 2 target bits */ ++ regval &= ~GPMC_CONFIG1_DEVICESIZE(3); ++ ++ /* set the proper value */ + regval |= GPMC_CONFIG1_DEVICESIZE(wval); ++ + gpmc_cs_write_reg(cs, GPMC_CS_CONFIG1, regval); + break; + diff --git a/queue-3.0/asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch b/queue-3.0/asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch new file mode 100644 index 00000000000..3fd18ca4129 --- /dev/null +++ b/queue-3.0/asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch @@ -0,0 +1,54 @@ +From 77231abe55433aa17eca712718745275853fa66d Mon Sep 17 00:00:00 2001 +From: Mark Brown +Date: Fri, 20 Jan 2012 12:19:43 +0000 +Subject: ASoC: wm_hubs: Enable line out VMID buffer for single ended line outputs + +From: Mark Brown + +commit 77231abe55433aa17eca712718745275853fa66d upstream. + +For optimal performance the single ended line outputs require that the +line output VMID buffer be enabled. + +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm_hubs.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/soc/codecs/wm_hubs.c ++++ b/sound/soc/codecs/wm_hubs.c +@@ -589,6 +589,8 @@ SND_SOC_DAPM_INPUT("IN2RP:VXRP"), + SND_SOC_DAPM_MICBIAS("MICBIAS2", WM8993_POWER_MANAGEMENT_1, 5, 0), + SND_SOC_DAPM_MICBIAS("MICBIAS1", WM8993_POWER_MANAGEMENT_1, 4, 0), + ++SND_SOC_DAPM_SUPPLY("LINEOUT_VMID_BUF", WM8993_ANTIPOP1, 7, 0, NULL, 0), ++ + SND_SOC_DAPM_MIXER("IN1L PGA", WM8993_POWER_MANAGEMENT_2, 6, 0, + in1l_pga, ARRAY_SIZE(in1l_pga)), + SND_SOC_DAPM_MIXER("IN1R PGA", WM8993_POWER_MANAGEMENT_2, 4, 0, +@@ -794,9 +796,11 @@ static const struct snd_soc_dapm_route l + }; + + static const struct snd_soc_dapm_route lineout1_se_routes[] = { ++ { "LINEOUT1N Mixer", NULL, "LINEOUT_VMID_BUF" }, + { "LINEOUT1N Mixer", "Left Output Switch", "Left Output PGA" }, + { "LINEOUT1N Mixer", "Right Output Switch", "Right Output PGA" }, + ++ { "LINEOUT1P Mixer", NULL, "LINEOUT_VMID_BUF" }, + { "LINEOUT1P Mixer", "Left Output Switch", "Left Output PGA" }, + + { "LINEOUT1N Driver", NULL, "LINEOUT1N Mixer" }, +@@ -813,9 +817,11 @@ static const struct snd_soc_dapm_route l + }; + + static const struct snd_soc_dapm_route lineout2_se_routes[] = { ++ { "LINEOUT2N Mixer", NULL, "LINEOUT_VMID_BUF" }, + { "LINEOUT2N Mixer", "Left Output Switch", "Left Output PGA" }, + { "LINEOUT2N Mixer", "Right Output Switch", "Right Output PGA" }, + ++ { "LINEOUT2P Mixer", NULL, "LINEOUT_VMID_BUF" }, + { "LINEOUT2P Mixer", "Right Output Switch", "Right Output PGA" }, + + { "LINEOUT2N Driver", NULL, "LINEOUT2N Mixer" }, diff --git a/queue-3.0/asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch b/queue-3.0/asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch new file mode 100644 index 00000000000..630b967eac4 --- /dev/null +++ b/queue-3.0/asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch @@ -0,0 +1,30 @@ +From 114395c61ad2eb5a7a5cd163fcadb2414e48245a Mon Sep 17 00:00:00 2001 +From: UK KIM +Date: Sat, 28 Jan 2012 01:52:22 +0900 +Subject: ASoC: wm_hubs: fix wrong bits for LINEOUT2 N/P mixer + +From: UK KIM + +commit 114395c61ad2eb5a7a5cd163fcadb2414e48245a upstream. + +Signed-off-by: UK KIM +Signed-off-by: Mark Brown +Signed-off-by: Greg Kroah-Hartman + +--- + sound/soc/codecs/wm_hubs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/sound/soc/codecs/wm_hubs.c ++++ b/sound/soc/codecs/wm_hubs.c +@@ -568,8 +568,8 @@ SOC_DAPM_SINGLE("Output Switch", WM8993_ + }; + + static const struct snd_kcontrol_new line2n_mix[] = { +-SOC_DAPM_SINGLE("Left Output Switch", WM8993_LINE_MIXER2, 6, 1, 0), +-SOC_DAPM_SINGLE("Right Output Switch", WM8993_LINE_MIXER2, 5, 1, 0), ++SOC_DAPM_SINGLE("Left Output Switch", WM8993_LINE_MIXER2, 5, 1, 0), ++SOC_DAPM_SINGLE("Right Output Switch", WM8993_LINE_MIXER2, 6, 1, 0), + }; + + static const struct snd_kcontrol_new line2p_mix[] = { diff --git a/queue-3.0/drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch b/queue-3.0/drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch new file mode 100644 index 00000000000..61be389dff0 --- /dev/null +++ b/queue-3.0/drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch @@ -0,0 +1,41 @@ +From cbcb8346054073d000ecac324763372d6abd44ac Mon Sep 17 00:00:00 2001 +From: Samuel Thibault +Date: Fri, 3 Feb 2012 15:37:15 -0800 +Subject: drivers/tty/vt/vt_ioctl.c: fix KDFONTOP 32bit compatibility layer + +From: Samuel Thibault + +commit cbcb8346054073d000ecac324763372d6abd44ac upstream. + +KDFONTOP(GET) currently fails with EIO when being run in a 32bit userland +with a 64bit kernel if the font width is not 8. + +This is because of the setting of the KD_FONT_FLAG_OLD flag, which makes +con_font_get return EIO in such case. + +This flag should *not* be set for KDFONTOP, since it's actually the whole +point of this flag (see comment in con_font_set for instance). + +Signed-off-by: Samuel Thibault +Reviewed-by: Arnd Bergmann +Cc: Arthur Taylor +Cc: Jiri Slaby +Cc: Jiri Olsa +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/tty/vt/vt_ioctl.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/tty/vt/vt_ioctl.c ++++ b/drivers/tty/vt/vt_ioctl.c +@@ -1463,7 +1463,6 @@ compat_kdfontop_ioctl(struct compat_cons + if (!perm && op->op != KD_FONT_OP_GET) + return -EPERM; + op->data = compat_ptr(((struct compat_console_font_op *)op)->data); +- op->flags |= KD_FONT_FLAG_OLD; + i = con_font_op(vc, op); + if (i) + return i; diff --git a/queue-3.0/firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch b/queue-3.0/firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch new file mode 100644 index 00000000000..ebc32767340 --- /dev/null +++ b/queue-3.0/firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch @@ -0,0 +1,41 @@ +From d1bb399ad03c11e792f6dea198d3b1e23061f094 Mon Sep 17 00:00:00 2001 +From: Clemens Ladisch +Date: Thu, 26 Jan 2012 22:05:58 +0100 +Subject: firewire: ohci: add reset packet quirk for SB Audigy + +From: Clemens Ladisch + +commit d1bb399ad03c11e792f6dea198d3b1e23061f094 upstream. + +The Audigy's SB1394 controller is actually from Texas Instruments +and has the same bus reset packet generation bug, so it needs the +same quirk entry. + +Signed-off-by: Clemens Ladisch +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/ohci.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -262,6 +262,7 @@ static inline struct fw_ohci *fw_ohci(st + static char ohci_driver_name[] = KBUILD_MODNAME; + + #define PCI_DEVICE_ID_AGERE_FW643 0x5901 ++#define PCI_DEVICE_ID_CREATIVE_SB1394 0x4001 + #define PCI_DEVICE_ID_JMICRON_JMB38X_FW 0x2380 + #define PCI_DEVICE_ID_TI_TSB12LV22 0x8009 + #define PCI_VENDOR_ID_PINNACLE_SYSTEMS 0x11bd +@@ -285,6 +286,9 @@ static const struct { + {PCI_VENDOR_ID_ATT, PCI_DEVICE_ID_AGERE_FW643, 6, + QUIRK_NO_MSI}, + ++ {PCI_VENDOR_ID_CREATIVE, PCI_DEVICE_ID_CREATIVE_SB1394, PCI_ANY_ID, ++ QUIRK_RESET_PACKET}, ++ + {PCI_VENDOR_ID_JMICRON, PCI_DEVICE_ID_JMICRON_JMB38X_FW, PCI_ANY_ID, + QUIRK_NO_MSI}, + diff --git a/queue-3.0/firewire-ohci-disable-msi-on-ricoh-controllers.patch b/queue-3.0/firewire-ohci-disable-msi-on-ricoh-controllers.patch new file mode 100644 index 00000000000..ba36cf07d42 --- /dev/null +++ b/queue-3.0/firewire-ohci-disable-msi-on-ricoh-controllers.patch @@ -0,0 +1,41 @@ +From 320cfa6ce0b3dc794fedfa4bae54c0f65077234d Mon Sep 17 00:00:00 2001 +From: Stefan Richter +Date: Sun, 29 Jan 2012 12:41:15 +0100 +Subject: firewire: ohci: disable MSI on Ricoh controllers + +From: Stefan Richter + +commit 320cfa6ce0b3dc794fedfa4bae54c0f65077234d upstream. + +The PCIe device + + FireWire (IEEE 1394) [0c00]: Ricoh Co Ltd FireWire Host Controller + [1180:e832] (prog-if 10 [OHCI]) + +is unable to access attached FireWire devices when MSI is enabled but +works if MSI is disabled. +http://www.mail-archive.com/alsa-user@lists.sourceforge.net/msg28251.html + +Hence add the "disable MSI" quirks flag for this device, or in fact for +safety and simplicity for all current (R5U230, R5U231, R5U240) and +future Ricoh PCIe 1394 controllers. + +Reported-by: Stefan Thomas +Signed-off-by: Stefan Richter +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/firewire/ohci.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/firewire/ohci.c ++++ b/drivers/firewire/ohci.c +@@ -299,7 +299,7 @@ static const struct { + QUIRK_NO_MSI}, + + {PCI_VENDOR_ID_RICOH, PCI_ANY_ID, PCI_ANY_ID, +- QUIRK_CYCLE_TIMER}, ++ QUIRK_CYCLE_TIMER | QUIRK_NO_MSI}, + + {PCI_VENDOR_ID_TI, PCI_DEVICE_ID_TI_TSB12LV22, PCI_ANY_ID, + QUIRK_CYCLE_TIMER | QUIRK_RESET_PACKET | QUIRK_NO_1394A}, diff --git a/queue-3.0/ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch b/queue-3.0/ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch new file mode 100644 index 00000000000..82b200f6fb0 --- /dev/null +++ b/queue-3.0/ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch @@ -0,0 +1,87 @@ +From a6f7feae6d19e84253918d88b04153af09d3a243 Mon Sep 17 00:00:00 2001 +From: Jack Morgenstein +Date: Thu, 26 Jan 2012 16:41:33 +0200 +Subject: IB/mlx4: pass SMP vendor-specific attribute MADs to firmware + +From: Jack Morgenstein + +commit a6f7feae6d19e84253918d88b04153af09d3a243 upstream. + +In the current code, vendor-specific MADs (e.g with the FDR-10 +attribute) are silently dropped by the driver, resulting in timeouts +at the sending side and inability to query/configure the relevant +feature. However, the ConnectX firmware is able to handle such MADs. +For unsupported attributes, the firmware returns a GET_RESPONSE MAD +containing an error status. + +For example, for a FDR-10 node with LID 11: + + # ibstat mlx4_0 1 + + CA: 'mlx4_0' + Port 1: + State: Active + Physical state: LinkUp + Rate: 40 (FDR10) + Base lid: 11 + LMC: 0 + SM lid: 24 + Capability mask: 0x02514868 + Port GUID: 0x0002c903002e65d1 + Link layer: InfiniBand + +Extended Port Query (EPI) vendor mad timeouts before the patch: + + # smpquery MEPI 11 -d + + ibwarn: [4196] smp_query_via: attr 0xff90 mod 0x0 route Lid 11 + ibwarn: [4196] _do_madrpc: retry 1 (timeout 1000 ms) + ibwarn: [4196] _do_madrpc: retry 2 (timeout 1000 ms) + ibwarn: [4196] _do_madrpc: timeout after 3 retries, 3000 ms + ibwarn: [4196] mad_rpc: _do_madrpc failed; dport (Lid 11) + smpquery: iberror: [pid 4196] main: failed: operation EPI: ext port info query failed + +EPI query works OK with the patch: + + # smpquery MEPI 11 -d + + ibwarn: [6548] smp_query_via: attr 0xff90 mod 0x0 route Lid 11 + ibwarn: [6548] mad_rpc: data offs 64 sz 64 + mad data + 0000 0000 0000 0001 0000 0001 0000 0001 + 0000 0000 0000 0000 0000 0000 0000 0000 + 0000 0000 0000 0000 0000 0000 0000 0000 + 0000 0000 0000 0000 0000 0000 0000 0000 + # Ext Port info: Lid 11 port 0 + StateChangeEnable:...............0x00 + LinkSpeedSupported:..............0x01 + LinkSpeedEnabled:................0x01 + LinkSpeedActive:.................0x01 + +Signed-off-by: Jack Morgenstein +Signed-off-by: Or Gerlitz +Acked-by: Ira Weiny +Signed-off-by: Roland Dreier +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/infiniband/hw/mlx4/mad.c | 7 ++----- + 1 file changed, 2 insertions(+), 5 deletions(-) + +--- a/drivers/infiniband/hw/mlx4/mad.c ++++ b/drivers/infiniband/hw/mlx4/mad.c +@@ -255,12 +255,9 @@ int mlx4_ib_process_mad(struct ib_device + return IB_MAD_RESULT_SUCCESS; + + /* +- * Don't process SMInfo queries or vendor-specific +- * MADs -- the SMA can't handle them. ++ * Don't process SMInfo queries -- the SMA can't handle them. + */ +- if (in_mad->mad_hdr.attr_id == IB_SMP_ATTR_SM_INFO || +- ((in_mad->mad_hdr.attr_id & IB_SMP_ATTR_VENDOR_MASK) == +- IB_SMP_ATTR_VENDOR_MASK)) ++ if (in_mad->mad_hdr.attr_id == IB_SMP_ATTR_SM_INFO) + return IB_MAD_RESULT_SUCCESS; + } else if (in_mad->mad_hdr.mgmt_class == IB_MGMT_CLASS_PERF_MGMT || + in_mad->mad_hdr.mgmt_class == MLX4_IB_VENDOR_CLASS1 || diff --git a/queue-3.0/kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch b/queue-3.0/kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch new file mode 100644 index 00000000000..db27b15f39e --- /dev/null +++ b/queue-3.0/kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch @@ -0,0 +1,49 @@ +From 55ca6140e9bb307efc97a9301a4f501de02a6fd6 Mon Sep 17 00:00:00 2001 +From: Jiang Liu +Date: Fri, 3 Feb 2012 15:37:16 -0800 +Subject: kprobes: fix a memory leak in function pre_handler_kretprobe() + +From: Jiang Liu + +commit 55ca6140e9bb307efc97a9301a4f501de02a6fd6 upstream. + +In function pre_handler_kretprobe(), the allocated kretprobe_instance +object will get leaked if the entry_handler callback returns non-zero. +This may cause all the preallocated kretprobe_instance objects exhausted. + +This issue can be reproduced by changing +samples/kprobes/kretprobe_example.c to probe "mutex_unlock". And the fix +is straightforward: just put the allocated kretprobe_instance object back +onto the free_instances list. + +[akpm@linux-foundation.org: use raw_spin_lock/unlock] +Signed-off-by: Jiang Liu +Acked-by: Jim Keniston +Acked-by: Ananth N Mavinakayanahalli +Cc: Masami Hiramatsu +Cc: Anil S Keshavamurthy +Cc: "David S. Miller" +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/kprobes.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/kernel/kprobes.c ++++ b/kernel/kprobes.c +@@ -1660,8 +1660,12 @@ static int __kprobes pre_handler_kretpro + ri->rp = rp; + ri->task = current; + +- if (rp->entry_handler && rp->entry_handler(ri, regs)) ++ if (rp->entry_handler && rp->entry_handler(ri, regs)) { ++ raw_spin_lock_irqsave(&rp->lock, flags); ++ hlist_add_head(&ri->hlist, &rp->free_instances); ++ raw_spin_unlock_irqrestore(&rp->lock, flags); + return 0; ++ } + + arch_prepare_kretprobe(ri, regs); + diff --git a/queue-3.0/proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch b/queue-3.0/proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch new file mode 100644 index 00000000000..c11f44a3a74 --- /dev/null +++ b/queue-3.0/proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch @@ -0,0 +1,76 @@ +From 6d08f2c7139790c268820a2e590795cb8333181a Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Tue, 31 Jan 2012 17:15:11 +0100 +Subject: proc: make sure mem_open() doesn't pin the target's memory + +From: Oleg Nesterov + +commit 6d08f2c7139790c268820a2e590795cb8333181a upstream. + +Once /proc/pid/mem is opened, the memory can't be released until +mem_release() even if its owner exits. + +Change mem_open() to do atomic_inc(mm_count) + mmput(), this only +pins mm_struct. Change mem_rw() to do atomic_inc_not_zero(mm_count) +before access_remote_vm(), this verifies that this mm is still alive. + +I am not sure what should mem_rw() return if atomic_inc_not_zero() +fails. With this patch it returns zero to match the "mm == NULL" case, +may be it should return -EINVAL like it did before e268337d. + +Perhaps it makes sense to add the additional fatal_signal_pending() +check into the main loop, to ensure we do not hold this memory if +the target task was oom-killed. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 14 +++++++++++++- + 1 file changed, 13 insertions(+), 1 deletion(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -775,6 +775,13 @@ static int mem_open(struct inode* inode, + if (IS_ERR(mm)) + return PTR_ERR(mm); + ++ if (mm) { ++ /* ensure this mm_struct can't be freed */ ++ atomic_inc(&mm->mm_count); ++ /* but do not pin its memory */ ++ mmput(mm); ++ } ++ + /* OK to pass negative loff_t, we can catch out-of-range */ + file->f_mode |= FMODE_UNSIGNED_OFFSET; + file->private_data = mm; +@@ -798,6 +805,9 @@ static ssize_t mem_rw(struct file *file, + return -ENOMEM; + + copied = 0; ++ if (!atomic_inc_not_zero(&mm->mm_users)) ++ goto free; ++ + while (count > 0) { + int this_len = min_t(int, count, PAGE_SIZE); + +@@ -825,6 +835,8 @@ static ssize_t mem_rw(struct file *file, + } + *ppos = addr; + ++ mmput(mm); ++free: + free_page((unsigned long) page); + return copied; + } +@@ -861,7 +873,7 @@ static int mem_release(struct inode *ino + { + struct mm_struct *mm = file->private_data; + if (mm) +- mmput(mm); ++ mmdrop(mm); + return 0; + } + diff --git a/queue-3.0/proc-mem_release-should-check-mm-null.patch b/queue-3.0/proc-mem_release-should-check-mm-null.patch new file mode 100644 index 00000000000..fdf901f1670 --- /dev/null +++ b/queue-3.0/proc-mem_release-should-check-mm-null.patch @@ -0,0 +1,32 @@ +From 71879d3cb3dd8f2dfdefb252775c1b3ea04a3dd4 Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Tue, 31 Jan 2012 17:14:38 +0100 +Subject: proc: mem_release() should check mm != NULL + +From: Oleg Nesterov + +commit 71879d3cb3dd8f2dfdefb252775c1b3ea04a3dd4 upstream. + +mem_release() can hit mm == NULL, add the necessary check. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -886,8 +886,8 @@ loff_t mem_lseek(struct file *file, loff + static int mem_release(struct inode *inode, struct file *file) + { + struct mm_struct *mm = file->private_data; +- +- mmput(mm); ++ if (mm) ++ mmput(mm); + return 0; + } + diff --git a/queue-3.0/proc-unify-mem_read-and-mem_write.patch b/queue-3.0/proc-unify-mem_read-and-mem_write.patch new file mode 100644 index 00000000000..d1064dd5669 --- /dev/null +++ b/queue-3.0/proc-unify-mem_read-and-mem_write.patch @@ -0,0 +1,146 @@ +From 572d34b946bae070debd42db1143034d9687e13f Mon Sep 17 00:00:00 2001 +From: Oleg Nesterov +Date: Tue, 31 Jan 2012 17:14:54 +0100 +Subject: proc: unify mem_read() and mem_write() + +From: Oleg Nesterov + +commit 572d34b946bae070debd42db1143034d9687e13f upstream. + +No functional changes, cleanup and preparation. + +mem_read() and mem_write() are very similar. Move this code into the +new common helper, mem_rw(), which takes the additional "int write" +argument. + +Signed-off-by: Oleg Nesterov +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + fs/proc/base.c | 90 ++++++++++++++++++++------------------------------------- + 1 file changed, 32 insertions(+), 58 deletions(-) + +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -782,57 +782,13 @@ static int mem_open(struct inode* inode, + return 0; + } + +-static ssize_t mem_read(struct file * file, char __user * buf, +- size_t count, loff_t *ppos) ++static ssize_t mem_rw(struct file *file, char __user *buf, ++ size_t count, loff_t *ppos, int write) + { +- int ret; +- char *page; +- unsigned long src = *ppos; + struct mm_struct *mm = file->private_data; +- +- if (!mm) +- return 0; +- +- page = (char *)__get_free_page(GFP_TEMPORARY); +- if (!page) +- return -ENOMEM; +- +- ret = 0; +- +- while (count > 0) { +- int this_len, retval; +- +- this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count; +- retval = access_remote_vm(mm, src, page, this_len, 0); +- if (!retval) { +- if (!ret) +- ret = -EIO; +- break; +- } +- +- if (copy_to_user(buf, page, retval)) { +- ret = -EFAULT; +- break; +- } +- +- ret += retval; +- src += retval; +- buf += retval; +- count -= retval; +- } +- *ppos = src; +- +- free_page((unsigned long) page); +- return ret; +-} +- +-static ssize_t mem_write(struct file * file, const char __user *buf, +- size_t count, loff_t *ppos) +-{ +- int copied; ++ unsigned long addr = *ppos; ++ ssize_t copied; + char *page; +- unsigned long dst = *ppos; +- struct mm_struct *mm = file->private_data; + + if (!mm) + return 0; +@@ -843,30 +799,48 @@ static ssize_t mem_write(struct file * f + + copied = 0; + while (count > 0) { +- int this_len, retval; ++ int this_len = min_t(int, count, PAGE_SIZE); + +- this_len = (count > PAGE_SIZE) ? PAGE_SIZE : count; +- if (copy_from_user(page, buf, this_len)) { ++ if (write && copy_from_user(page, buf, this_len)) { + copied = -EFAULT; + break; + } +- retval = access_remote_vm(mm, dst, page, this_len, 1); +- if (!retval) { ++ ++ this_len = access_remote_vm(mm, addr, page, this_len, write); ++ if (!this_len) { + if (!copied) + copied = -EIO; + break; + } +- copied += retval; +- buf += retval; +- dst += retval; +- count -= retval; ++ ++ if (!write && copy_to_user(buf, page, this_len)) { ++ copied = -EFAULT; ++ break; ++ } ++ ++ buf += this_len; ++ addr += this_len; ++ copied += this_len; ++ count -= this_len; + } +- *ppos = dst; ++ *ppos = addr; + + free_page((unsigned long) page); + return copied; + } + ++static ssize_t mem_read(struct file *file, char __user *buf, ++ size_t count, loff_t *ppos) ++{ ++ return mem_rw(file, buf, count, ppos, 0); ++} ++ ++static ssize_t mem_write(struct file *file, const char __user *buf, ++ size_t count, loff_t *ppos) ++{ ++ return mem_rw(file, (char __user*)buf, count, ppos, 1); ++} ++ + loff_t mem_lseek(struct file *file, loff_t offset, int orig) + { + switch (orig) { diff --git a/queue-3.0/readahead-fix-pipeline-break-caused-by-block-plug.patch b/queue-3.0/readahead-fix-pipeline-break-caused-by-block-plug.patch new file mode 100644 index 00000000000..faf411746e7 --- /dev/null +++ b/queue-3.0/readahead-fix-pipeline-break-caused-by-block-plug.patch @@ -0,0 +1,97 @@ +From 3deaa7190a8da38453c4fabd9dec7f66d17fff67 Mon Sep 17 00:00:00 2001 +From: Shaohua Li +Date: Fri, 3 Feb 2012 15:37:17 -0800 +Subject: readahead: fix pipeline break caused by block plug + +From: Shaohua Li + +commit 3deaa7190a8da38453c4fabd9dec7f66d17fff67 upstream. + +Herbert Poetzl reported a performance regression since 2.6.39. The test +is a simple dd read, but with big block size. The reason is: + +T1: ra (A, A+128k), (A+128k, A+256k) +T2: lock_page for page A, submit the 256k +T3: hit page A+128K, ra (A+256k, A+384). the range isn't submitted +because of plug and there isn't any lock_page till we hit page A+256k +because all pages from A to A+256k is in memory +T4: hit page A+256k, ra (A+384, A+ 512). Because of plug, the range isn't +submitted again. +T5: lock_page A+256k, so (A+256k, A+512k) will be submitted. The task is +waitting for (A+256k, A+512k) finish. + +There is no request to disk in T3 and T4, so readahead pipeline breaks. + +We really don't need block plug for generic_file_aio_read() for buffered +I/O. The readahead already has plug and has fine grained control when I/O +should be submitted. Deleting plug for buffered I/O fixes the regression. + +One side effect is plug makes the request size 256k, the size is 128k +without it. This is because default ra size is 128k and not a reason we +need plug here. + +Vivek said: + +: We submit some readahead IO to device request queue but because of nested +: plug, queue never gets unplugged. When read logic reaches a page which is +: not in page cache, it waits for page to be read from the disk +: (lock_page_killable()) and that time we flush the plug list. +: +: So effectively read ahead logic is kind of broken in parts because of +: nested plugging. Removing top level plug (generic_file_aio_read()) for +: buffered reads, will allow unplugging queue earlier for readahead. + +Signed-off-by: Shaohua Li +Signed-off-by: Wu Fengguang +Reported-by: Herbert Poetzl +Tested-by: Eric Dumazet +Cc: Christoph Hellwig +Cc: Jens Axboe +Cc: Vivek Goyal +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/filemap.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/mm/filemap.c ++++ b/mm/filemap.c +@@ -1379,15 +1379,12 @@ generic_file_aio_read(struct kiocb *iocb + unsigned long seg = 0; + size_t count; + loff_t *ppos = &iocb->ki_pos; +- struct blk_plug plug; + + count = 0; + retval = generic_segment_checks(iov, &nr_segs, &count, VERIFY_WRITE); + if (retval) + return retval; + +- blk_start_plug(&plug); +- + /* coalesce the iovecs and go direct-to-BIO for O_DIRECT */ + if (filp->f_flags & O_DIRECT) { + loff_t size; +@@ -1403,8 +1400,12 @@ generic_file_aio_read(struct kiocb *iocb + retval = filemap_write_and_wait_range(mapping, pos, + pos + iov_length(iov, nr_segs) - 1); + if (!retval) { ++ struct blk_plug plug; ++ ++ blk_start_plug(&plug); + retval = mapping->a_ops->direct_IO(READ, iocb, + iov, pos, nr_segs); ++ blk_finish_plug(&plug); + } + if (retval > 0) { + *ppos = pos + retval; +@@ -1460,7 +1461,6 @@ generic_file_aio_read(struct kiocb *iocb + break; + } + out: +- blk_finish_plug(&plug); + return retval; + } + EXPORT_SYMBOL(generic_file_aio_read); diff --git a/queue-3.0/series b/queue-3.0/series new file mode 100644 index 00000000000..b84822bc1e1 --- /dev/null +++ b/queue-3.0/series @@ -0,0 +1,16 @@ +readahead-fix-pipeline-break-caused-by-block-plug.patch +alsa-hda-fix-duplicated-output-to-more-than-one-codec.patch +asoc-wm_hubs-enable-line-out-vmid-buffer-for-single-ended-line-outputs.patch +asoc-wm_hubs-fix-wrong-bits-for-lineout2-n-p-mixer.patch +arm-7306-1-vfp-flush-thread-hwstate-before-restoring-context-from-sigframe.patch +arm-7307-1-vfp-fix-ptrace-regset-modification-race.patch +arm-7308-1-vfp-flush-thread-hwstate-before-copying-ptrace-registers.patch +arm-omap2-gpmc-fix-device-size-setup.patch +drivers-tty-vt-vt_ioctl.c-fix-kdfontop-32bit-compatibility-layer.patch +proc-mem_release-should-check-mm-null.patch +proc-unify-mem_read-and-mem_write.patch +proc-make-sure-mem_open-doesn-t-pin-the-target-s-memory.patch +firewire-ohci-add-reset-packet-quirk-for-sb-audigy.patch +firewire-ohci-disable-msi-on-ricoh-controllers.patch +ib-mlx4-pass-smp-vendor-specific-attribute-mads-to-firmware.patch +kprobes-fix-a-memory-leak-in-function-pre_handler_kretprobe.patch -- 2.47.3