From fc086bb997b5ef3e58e796d1e1890ec8290c54a0 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Thu, 18 Mar 2010 14:39:22 -0700 Subject: [PATCH] .32 patches --- ...sa-hda-enable-msi-for-gateway-m-6866.patch | 35 +++ ...lements-of-secondary-adcs-on-realtek.patch | 61 ++++++ ...r-s-kernel-size-estimation-for-rom-y.patch | 205 ++++++++++++++++++ ...-use-external-sleep-clock-in-ap-mode.patch | 43 ++++ .../ath5k-fix-setup-for-cab-queue.patch | 101 +++++++++ ...ion-in-rfcomm-within-invalid-context.patch | 77 +++++++ ...ompress-fix-new-decompressor-for-pic.patch | 50 +++++ ...ers-scsi-ses.c-eliminate-double-free.patch | 61 ++++++ ...h-init-curr_ret_stack-with-ret_stack.patch | 48 ++++ ...he-block-buffer-for-i2c-block-writes.patch | 38 ++++ ...he-touchpad-on-toshiba-tecra-a11-11l.patch | 28 +++ ...n-netbook-e1222-to-qurik-reset-table.patch | 37 ++++ ...gotten-label_module_alloc-in-tlbex.c.patch | 54 +++++ ...d-check-into-preempt-disable-section.patch | 60 +++++ queue-2.6.32/series | 21 ++ .../tg3-fix-5906-transmit-hangs.patch | 109 ++++++++++ ...ssing-wrong-pointer-to-tg3_interrupt.patch | 39 ++++ ...ing-prevent-oops-when-generic_time-n.patch | 44 ++++ ...hing-when-starting-or-stopping-trace.patch | 85 ++++++++ ...rd-user-stack-trace-from-nmi-context.patch | 93 ++++++++ ...-warning-in-s_next-of-trace-file-ops.patch | 46 ++++ ...iable-when-resetting-the-ring-buffer.patch | 66 ++++++ 22 files changed, 1401 insertions(+) create mode 100644 queue-2.6.32/alsa-hda-enable-msi-for-gateway-m-6866.patch create mode 100644 queue-2.6.32/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch create mode 100644 queue-2.6.32/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch create mode 100644 queue-2.6.32/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch create mode 100644 queue-2.6.32/ath5k-fix-setup-for-cab-queue.patch create mode 100644 queue-2.6.32/bluetooth-fix-sleeping-function-in-rfcomm-within-invalid-context.patch create mode 100644 queue-2.6.32/decompress-fix-new-decompressor-for-pic.patch create mode 100644 queue-2.6.32/drivers-scsi-ses.c-eliminate-double-free.patch create mode 100644 queue-2.6.32/function-graph-init-curr_ret_stack-with-ret_stack.patch create mode 100644 queue-2.6.32/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch create mode 100644 queue-2.6.32/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch create mode 100644 queue-2.6.32/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch create mode 100644 queue-2.6.32/mips-cleanup-forgotten-label_module_alloc-in-tlbex.c.patch create mode 100644 queue-2.6.32/ring-buffer-move-disabled-check-into-preempt-disable-section.patch create mode 100644 queue-2.6.32/tg3-fix-5906-transmit-hangs.patch create mode 100644 queue-2.6.32/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch create mode 100644 queue-2.6.32/timekeeping-prevent-oops-when-generic_time-n.patch create mode 100644 queue-2.6.32/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch create mode 100644 queue-2.6.32/tracing-do-not-record-user-stack-trace-from-nmi-context.patch create mode 100644 queue-2.6.32/tracing-fix-warning-in-s_next-of-trace-file-ops.patch create mode 100644 queue-2.6.32/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch diff --git a/queue-2.6.32/alsa-hda-enable-msi-for-gateway-m-6866.patch b/queue-2.6.32/alsa-hda-enable-msi-for-gateway-m-6866.patch new file mode 100644 index 00000000000..39f79e8b285 --- /dev/null +++ b/queue-2.6.32/alsa-hda-enable-msi-for-gateway-m-6866.patch @@ -0,0 +1,35 @@ +From 1a3981cc26b90c0a2f00b71bde91ae51c64e04a2 Mon Sep 17 00:00:00 2001 +From: Daniel T Chen +Date: Mon, 15 Mar 2010 01:04:26 -0400 +Subject: ALSA: hda: enable MSI for Gateway M-6866 + +From: Daniel T Chen + +BugLink: https://bugs.launchpad.net/bugs/538918 + +The OR has verified that explicitly enabling MSI is necessary for audio +to be audible by default. + +This patch is only applicable to 2.6.32.y; in 2.6.33, MSI is enabled by +default. + +Reported-by: Sam Townsend +Tested-by: Sam Townsend +Acked-by: Takashi Iwai +Signed-off-by: Daniel T Chen +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/hda_intel.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/sound/pci/hda/hda_intel.c ++++ b/sound/pci/hda/hda_intel.c +@@ -2317,6 +2317,7 @@ static void __devinit check_probe_mask(s + static struct snd_pci_quirk msi_white_list[] __devinitdata = { + SND_PCI_QUIRK(0x103c, 0x30f7, "HP Pavilion dv4t-1300", 1), + SND_PCI_QUIRK(0x103c, 0x3607, "HP Compa CQ40", 1), ++ SND_PCI_QUIRK(0x107b, 0x0380, "Gateway M-6866", 1), + {} + }; + diff --git a/queue-2.6.32/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch b/queue-2.6.32/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch new file mode 100644 index 00000000000..57e43bf2a79 --- /dev/null +++ b/queue-2.6.32/alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch @@ -0,0 +1,61 @@ +From 5311114d4867113c00f78829d4ce14be458ec925 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai +Date: Mon, 8 Mar 2010 12:13:07 +0100 +Subject: ALSA: hda - Fix input source elements of secondary ADCs on Realtek + +From: Takashi Iwai + +commit 5311114d4867113c00f78829d4ce14be458ec925 upstream. + +Since alc_auto_create_input_ctls() doesn't set the elements for the +secondary ADCs, "Input Source" elemtns for these also get empty, resulting +in buggy outputs of alsactl like: + control.14 { + comment.access 'read write' + comment.type ENUMERATED + comment.count 1 + iface MIXER + name 'Input Source' + index 1 + value 0 + } + +This patch fixes alc_mux_enum_*() (and others) to fall back to the +first entry if the secondary input mux is empty. + +Signed-off-by: Takashi Iwai +Signed-off-by: Greg Kroah-Hartman + +--- + sound/pci/hda/patch_realtek.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -400,6 +400,8 @@ static int alc_mux_enum_info(struct snd_ + unsigned int mux_idx = snd_ctl_get_ioffidx(kcontrol, &uinfo->id); + if (mux_idx >= spec->num_mux_defs) + mux_idx = 0; ++ if (!spec->input_mux[mux_idx].num_items && mux_idx > 0) ++ mux_idx = 0; + return snd_hda_input_mux_info(&spec->input_mux[mux_idx], uinfo); + } + +@@ -428,6 +430,8 @@ static int alc_mux_enum_put(struct snd_k + + mux_idx = adc_idx >= spec->num_mux_defs ? 0 : adc_idx; + imux = &spec->input_mux[mux_idx]; ++ if (!imux->num_items && mux_idx > 0) ++ imux = &spec->input_mux[0]; + + type = get_wcaps_type(get_wcaps(codec, nid)); + if (type == AC_WID_AUD_MIX) { +@@ -9743,6 +9747,8 @@ static void alc882_auto_init_input_src(s + continue; + mux_idx = c >= spec->num_mux_defs ? 0 : c; + imux = &spec->input_mux[mux_idx]; ++ if (!imux->num_items && mux_idx > 0) ++ imux = &spec->input_mux[0]; + for (idx = 0; idx < conns; idx++) { + /* if the current connection is the selected one, + * unmute it as default - otherwise mute it diff --git a/queue-2.6.32/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch b/queue-2.6.32/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch new file mode 100644 index 00000000000..deecd598236 --- /dev/null +++ b/queue-2.6.32/arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch @@ -0,0 +1,205 @@ +From 98e12b5a6e05413420a7e3b3eca7fbfc2ff41b6d Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Thu, 25 Feb 2010 23:56:38 +0000 +Subject: ARM: Fix decompressor's kernel size estimation for ROM=y + +From: Russell King + +commit 98e12b5a6e05413420a7e3b3eca7fbfc2ff41b6d upstream. + +Commit 2552fc2 changed the way the decompressor decides if it is safe +to decompress the kernel directly to its final location. Unfortunately, +it took the top of the compressed data as being the stack pointer, +which it is for ROM=n cases. However, for ROM=y, the stack pointer +is not relevant, and results in the wrong answer. + +Fix this by explicitly storing the end of the biggybacked data in the +decompressor, and use that to calculate the compressed image size. + +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/boot/compressed/head.S | 50 ++++++++++++++------------------ + arch/arm/boot/compressed/vmlinux.lds.in | 3 + + 2 files changed, 26 insertions(+), 27 deletions(-) + +--- a/arch/arm/boot/compressed/head.S ++++ b/arch/arm/boot/compressed/head.S +@@ -162,8 +162,8 @@ not_angel: + + .text + adr r0, LC0 +- ARM( ldmia r0, {r1, r2, r3, r4, r5, r6, ip, sp} ) +- THUMB( ldmia r0, {r1, r2, r3, r4, r5, r6, ip} ) ++ ARM( ldmia r0, {r1, r2, r3, r4, r5, r6, r11, ip, sp}) ++ THUMB( ldmia r0, {r1, r2, r3, r4, r5, r6, r11, ip} ) + THUMB( ldr sp, [r0, #28] ) + subs r0, r0, r1 @ calculate the delta offset + +@@ -174,12 +174,13 @@ not_angel: + /* + * We're running at a different address. We need to fix + * up various pointers: +- * r5 - zImage base address +- * r6 - GOT start ++ * r5 - zImage base address (_start) ++ * r6 - size of decompressed image ++ * r11 - GOT start + * ip - GOT end + */ + add r5, r5, r0 +- add r6, r6, r0 ++ add r11, r11, r0 + add ip, ip, r0 + + #ifndef CONFIG_ZBOOT_ROM +@@ -197,10 +198,10 @@ not_angel: + /* + * Relocate all entries in the GOT table. + */ +-1: ldr r1, [r6, #0] @ relocate entries in the GOT ++1: ldr r1, [r11, #0] @ relocate entries in the GOT + add r1, r1, r0 @ table. This fixes up the +- str r1, [r6], #4 @ C references. +- cmp r6, ip ++ str r1, [r11], #4 @ C references. ++ cmp r11, ip + blo 1b + #else + +@@ -208,12 +209,12 @@ not_angel: + * Relocate entries in the GOT table. We only relocate + * the entries that are outside the (relocated) BSS region. + */ +-1: ldr r1, [r6, #0] @ relocate entries in the GOT ++1: ldr r1, [r11, #0] @ relocate entries in the GOT + cmp r1, r2 @ entry < bss_start || + cmphs r3, r1 @ _end < entry + addlo r1, r1, r0 @ table. This fixes up the +- str r1, [r6], #4 @ C references. +- cmp r6, ip ++ str r1, [r11], #4 @ C references. ++ cmp r11, ip + blo 1b + #endif + +@@ -239,6 +240,7 @@ not_relocated: mov r0, #0 + * Check to see if we will overwrite ourselves. + * r4 = final kernel address + * r5 = start of this image ++ * r6 = size of decompressed image + * r2 = end of malloc space (and therefore this image) + * We basically want: + * r4 >= r2 -> OK +@@ -246,8 +248,7 @@ not_relocated: mov r0, #0 + */ + cmp r4, r2 + bhs wont_overwrite +- sub r3, sp, r5 @ > compressed kernel size +- add r0, r4, r3, lsl #2 @ allow for 4x expansion ++ add r0, r4, r6 + cmp r0, r5 + bls wont_overwrite + +@@ -263,7 +264,6 @@ not_relocated: mov r0, #0 + * r1-r3 = unused + * r4 = kernel execution address + * r5 = decompressed kernel start +- * r6 = processor ID + * r7 = architecture ID + * r8 = atags pointer + * r9-r12,r14 = corrupted +@@ -304,7 +304,8 @@ LC0: .word LC0 @ r1 + .word _end @ r3 + .word zreladdr @ r4 + .word _start @ r5 +- .word _got_start @ r6 ++ .word _image_size @ r6 ++ .word _got_start @ r11 + .word _got_end @ ip + .word user_stack+4096 @ sp + LC1: .word reloc_end - reloc_start +@@ -328,7 +329,6 @@ params: ldr r0, =params_phys + * + * On entry, + * r4 = kernel execution address +- * r6 = processor ID + * r7 = architecture number + * r8 = atags pointer + * r9 = run-time address of "start" (???) +@@ -534,7 +534,6 @@ __common_mmu_cache_on: + * r1-r3 = unused + * r4 = kernel execution address + * r5 = decompressed kernel start +- * r6 = processor ID + * r7 = architecture ID + * r8 = atags pointer + * r9-r12,r14 = corrupted +@@ -573,19 +572,19 @@ call_kernel: bl cache_clean_flush + * r1 = corrupted + * r2 = corrupted + * r3 = block offset +- * r6 = corrupted ++ * r9 = corrupted + * r12 = corrupted + */ + + call_cache_fn: adr r12, proc_types + #ifdef CONFIG_CPU_CP15 +- mrc p15, 0, r6, c0, c0 @ get processor ID ++ mrc p15, 0, r9, c0, c0 @ get processor ID + #else +- ldr r6, =CONFIG_PROCESSOR_ID ++ ldr r9, =CONFIG_PROCESSOR_ID + #endif + 1: ldr r1, [r12, #0] @ get value + ldr r2, [r12, #4] @ get mask +- eor r1, r1, r6 @ (real ^ match) ++ eor r1, r1, r9 @ (real ^ match) + tst r1, r2 @ & mask + ARM( addeq pc, r12, r3 ) @ call cache function + THUMB( addeq r12, r3 ) +@@ -764,8 +763,7 @@ proc_types: + * Turn off the Cache and MMU. ARMv3 does not support + * reading the control register, but ARMv4 does. + * +- * On entry, r6 = processor ID +- * On exit, r0, r1, r2, r3, r12 corrupted ++ * On exit, r0, r1, r2, r3, r9, r12 corrupted + * This routine must preserve: r4, r6, r7 + */ + .align 5 +@@ -838,10 +836,8 @@ __armv3_mmu_cache_off: + /* + * Clean and flush the cache to maintain consistency. + * +- * On entry, +- * r6 = processor ID + * On exit, +- * r1, r2, r3, r11, r12 corrupted ++ * r1, r2, r3, r9, r11, r12 corrupted + * This routine must preserve: + * r0, r4, r5, r6, r7 + */ +@@ -953,7 +949,7 @@ __armv4_mmu_cache_flush: + mov r2, #64*1024 @ default: 32K dcache size (*2) + mov r11, #32 @ default: 32 byte line size + mrc p15, 0, r3, c0, c0, 1 @ read cache type +- teq r3, r6 @ cache ID register present? ++ teq r3, r9 @ cache ID register present? + beq no_cache_id + mov r1, r3, lsr #18 + and r1, r1, #7 +--- a/arch/arm/boot/compressed/vmlinux.lds.in ++++ b/arch/arm/boot/compressed/vmlinux.lds.in +@@ -36,6 +36,9 @@ SECTIONS + + _etext = .; + ++ /* Assume size of decompressed image is 4x the compressed image */ ++ _image_size = (_etext - _text) * 4; ++ + _got_start = .; + .got : { *(.got) } + _got_end = .; diff --git a/queue-2.6.32/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch b/queue-2.6.32/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch new file mode 100644 index 00000000000..0c0e1cc8eac --- /dev/null +++ b/queue-2.6.32/ath5k-dont-use-external-sleep-clock-in-ap-mode.patch @@ -0,0 +1,43 @@ +From lrodriguez@atheros.com Thu Mar 18 14:20:58 2010 +From: Bob Copeland +Date: Thu, 11 Mar 2010 18:23:48 -0500 +Subject: ath5k: dont use external sleep clock in AP mode +To: stable@kernel.org +Cc: Bob Copeland , linux-wireless@vger.kernel.org, linville@tuxdriver.com, mb@bu3sch.de, ath5k-devel@venema.h4ckr.net +Message-ID: <1268349829-3195-2-git-send-email-lrodriguez@atheros.com> + +From: Bob Copeland + +commit 5d6ce628f986d1a3c523cbb0a5a52095c48cc332 upstream + +When using the external sleep clock in AP mode, the +TSF increments too quickly, causing beacon interval +to be much lower than it is supposed to be, resulting +in lots of beacon-not-ready interrupts. + +This fixes http://bugzilla.kernel.org/show_bug.cgi?id=14802. + +Signed-off-by: Bob Copeland +Acked-by: Nick Kossifidis +Signed-off-by: John W. Linville +Cc: Luis Rodriguez +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/reset.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/reset.c ++++ b/drivers/net/wireless/ath/ath5k/reset.c +@@ -1382,8 +1382,9 @@ int ath5k_hw_reset(struct ath5k_hw *ah, + * Set clocks to 32KHz operation and use an + * external 32KHz crystal when sleeping if one + * exists */ +- if (ah->ah_version == AR5K_AR5212) +- ath5k_hw_set_sleep_clock(ah, true); ++ if (ah->ah_version == AR5K_AR5212 && ++ ah->ah_op_mode != NL80211_IFTYPE_AP) ++ ath5k_hw_set_sleep_clock(ah, true); + + /* + * Disable beacons and reset the register diff --git a/queue-2.6.32/ath5k-fix-setup-for-cab-queue.patch b/queue-2.6.32/ath5k-fix-setup-for-cab-queue.patch new file mode 100644 index 00000000000..a0010030e6c --- /dev/null +++ b/queue-2.6.32/ath5k-fix-setup-for-cab-queue.patch @@ -0,0 +1,101 @@ +From a951ae2176b982574ffa197455db6c89359fd5eb Mon Sep 17 00:00:00 2001 +From: Bob Copeland +Date: Wed, 20 Jan 2010 23:51:04 -0500 +Subject: ath5k: fix setup for CAB queue + +From: Bob Copeland + +commit a951ae2176b982574ffa197455db6c89359fd5eb upstream. + +The beacon sent gating doesn't seem to work with any combination +of flags. Thus, buffered frames tend to stay buffered forever, +using up tx descriptors. + +Instead, use the DBA gating and hold transmission of the buffered +frames until 80% of the beacon interval has elapsed using the ready +time. This fixes the following error in AP mode: + + ath5k phy0: no further txbuf available, dropping packet + +Add a comment to acknowledge that this isn't the best solution. + +Signed-off-by: Bob Copeland +Acked-by: Nick Kossifidis +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath5k/ath5k.h | 2 +- + drivers/net/wireless/ath/ath5k/base.c | 22 +++++++++++++++++++--- + drivers/net/wireless/ath/ath5k/qcu.c | 5 +++-- + 3 files changed, 23 insertions(+), 6 deletions(-) + +--- a/drivers/net/wireless/ath/ath5k/ath5k.h ++++ b/drivers/net/wireless/ath/ath5k/ath5k.h +@@ -540,7 +540,7 @@ struct ath5k_txq_info { + u32 tqi_cbr_period; /* Constant bit rate period */ + u32 tqi_cbr_overflow_limit; + u32 tqi_burst_time; +- u32 tqi_ready_time; /* Not used */ ++ u32 tqi_ready_time; /* Time queue waits after an event */ + }; + + /* +--- a/drivers/net/wireless/ath/ath5k/base.c ++++ b/drivers/net/wireless/ath/ath5k/base.c +@@ -1511,7 +1511,8 @@ ath5k_beaconq_config(struct ath5k_softc + + ret = ath5k_hw_get_tx_queueprops(ah, sc->bhalq, &qi); + if (ret) +- return ret; ++ goto err; ++ + if (sc->opmode == NL80211_IFTYPE_AP || + sc->opmode == NL80211_IFTYPE_MESH_POINT) { + /* +@@ -1538,10 +1539,25 @@ ath5k_beaconq_config(struct ath5k_softc + if (ret) { + ATH5K_ERR(sc, "%s: unable to update parameters for beacon " + "hardware queue!\n", __func__); +- return ret; ++ goto err; + } ++ ret = ath5k_hw_reset_tx_queue(ah, sc->bhalq); /* push to h/w */ ++ if (ret) ++ goto err; ++ ++ /* reconfigure cabq with ready time to 80% of beacon_interval */ ++ ret = ath5k_hw_get_tx_queueprops(ah, AR5K_TX_QUEUE_ID_CAB, &qi); ++ if (ret) ++ goto err; ++ ++ qi.tqi_ready_time = (sc->bintval * 80) / 100; ++ ret = ath5k_hw_set_tx_queueprops(ah, AR5K_TX_QUEUE_ID_CAB, &qi); ++ if (ret) ++ goto err; + +- return ath5k_hw_reset_tx_queue(ah, sc->bhalq); /* push to h/w */; ++ ret = ath5k_hw_reset_tx_queue(ah, AR5K_TX_QUEUE_ID_CAB); ++err: ++ return ret; + } + + static void +--- a/drivers/net/wireless/ath/ath5k/qcu.c ++++ b/drivers/net/wireless/ath/ath5k/qcu.c +@@ -408,12 +408,13 @@ int ath5k_hw_reset_tx_queue(struct ath5k + break; + + case AR5K_TX_QUEUE_CAB: ++ /* XXX: use BCN_SENT_GT, if we can figure out how */ + AR5K_REG_ENABLE_BITS(ah, AR5K_QUEUE_MISC(queue), +- AR5K_QCU_MISC_FRSHED_BCN_SENT_GT | ++ AR5K_QCU_MISC_FRSHED_DBA_GT | + AR5K_QCU_MISC_CBREXP_DIS | + AR5K_QCU_MISC_CBREXP_BCN_DIS); + +- ath5k_hw_reg_write(ah, ((AR5K_TUNE_BEACON_INTERVAL - ++ ath5k_hw_reg_write(ah, ((tq->tqi_ready_time - + (AR5K_TUNE_SW_BEACON_RESP - + AR5K_TUNE_DMA_BEACON_RESP) - + AR5K_TUNE_ADDITIONAL_SWBA_BACKOFF) * 1024) | diff --git a/queue-2.6.32/bluetooth-fix-sleeping-function-in-rfcomm-within-invalid-context.patch b/queue-2.6.32/bluetooth-fix-sleeping-function-in-rfcomm-within-invalid-context.patch new file mode 100644 index 00000000000..92b5df45a73 --- /dev/null +++ b/queue-2.6.32/bluetooth-fix-sleeping-function-in-rfcomm-within-invalid-context.patch @@ -0,0 +1,77 @@ +From 485f1eff73a7b932fd3abb0dfcf804e1a1f59025 Mon Sep 17 00:00:00 2001 +From: Marcel Holtmann +Date: Wed, 3 Feb 2010 15:52:18 -0800 +Subject: Bluetooth: Fix sleeping function in RFCOMM within invalid context + +From: Marcel Holtmann + +commit 485f1eff73a7b932fd3abb0dfcf804e1a1f59025 upstream. + +With the commit 9e726b17422bade75fba94e625cd35fd1353e682 the +rfcomm_session_put() gets accidentially called from a timeout +callback and results in this: + +BUG: sleeping function called from invalid context at net/core/sock.c:1897 +in_atomic(): 1, irqs_disabled(): 0, pid: 0, name: swapper +Pid: 0, comm: swapper Tainted: P 2.6.32 #31 +Call Trace: + [] __might_sleep+0xf8/0xfa + [] lock_sock_nested+0x29/0xc4 + [] lock_sock+0xb/0xd [l2cap] + [] l2cap_sock_shutdown+0x1c/0x76 [l2cap] + [] ? clockevents_program_event+0x75/0x7e + [] ? tick_dev_program_event+0x37/0xa5 + [] l2cap_sock_release+0x27/0x67 [l2cap] + [] sock_release+0x1a/0x67 + [] rfcomm_session_del+0x34/0x53 [rfcomm] + [] rfcomm_session_put+0x14/0x16 [rfcomm] + [] rfcomm_session_timeout+0xe/0x1a [rfcomm] + [] run_timer_softirq+0x1e2/0x29a + [] ? rfcomm_session_timeout+0x0/0x1a [rfcomm] + [] __do_softirq+0xfe/0x1c5 + [] ? timer_interrupt+0x1a/0x21 + [] call_softirq+0x1c/0x28 + [] do_softirq+0x33/0x6b + [] irq_exit+0x36/0x85 + [] do_IRQ+0xa6/0xbd + [] ret_from_intr+0x0/0xa + [] ? acpi_idle_enter_bm+0x269/0x294 + [] ? acpi_idle_enter_bm+0x25f/0x294 + [] ? cpuidle_idle_call+0x97/0x107 + [] ? cpu_idle+0x53/0xaa + [] ? rest_init+0x7a/0x7c + [] ? start_kernel+0x389/0x394 + [] ? x86_64_start_reservations+0xac/0xb0 + [] ? x86_64_start_kernel+0xe4/0xeb + +To fix this, the rfcomm_session_put() needs to be moved out of +rfcomm_session_timeout() into rfcomm_process_sessions(). In that +context it is perfectly fine to sleep and disconnect the socket. + +Signed-off-by: Marcel Holtmann +Tested-by: David John +Cc: Chase Douglas +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/rfcomm/core.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ -251,7 +251,6 @@ static void rfcomm_session_timeout(unsig + BT_DBG("session %p state %ld", s, s->state); + + set_bit(RFCOMM_TIMED_OUT, &s->flags); +- rfcomm_session_put(s); + rfcomm_schedule(RFCOMM_SCHED_TIMEO); + } + +@@ -1917,6 +1916,7 @@ static inline void rfcomm_process_sessio + if (test_and_clear_bit(RFCOMM_TIMED_OUT, &s->flags)) { + s->state = BT_DISCONN; + rfcomm_send_disc(s, 0); ++ rfcomm_session_put(s); + continue; + } + diff --git a/queue-2.6.32/decompress-fix-new-decompressor-for-pic.patch b/queue-2.6.32/decompress-fix-new-decompressor-for-pic.patch new file mode 100644 index 00000000000..4285cfa208c --- /dev/null +++ b/queue-2.6.32/decompress-fix-new-decompressor-for-pic.patch @@ -0,0 +1,50 @@ +From 5ceaa2f39bfa73c4398cd01e78f1c3ebde3d3383 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Wed, 10 Mar 2010 15:23:53 -0800 +Subject: decompress: fix new decompressor for PIC + +From: Russell King + +commit 5ceaa2f39bfa73c4398cd01e78f1c3ebde3d3383 upstream. + +The ARM kernel decompressor wants to be able to relocate r/w data +independently from the rest of the image, and we do this by ensuring that +r/w data has global visibility. Define STATIC_RW_DATA to be empty to +achieve this. + +Signed-off-by: Russell King +Cc: Alain Knaff +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + include/linux/decompress/mm.h | 14 ++++++++++++-- + 1 file changed, 12 insertions(+), 2 deletions(-) + +--- a/include/linux/decompress/mm.h ++++ b/include/linux/decompress/mm.h +@@ -14,11 +14,21 @@ + + /* Code active when included from pre-boot environment: */ + ++/* ++ * Some architectures want to ensure there is no local data in their ++ * pre-boot environment, so that data can arbitarily relocated (via ++ * GOT references). This is achieved by defining STATIC_RW_DATA to ++ * be null. ++ */ ++#ifndef STATIC_RW_DATA ++#define STATIC_RW_DATA static ++#endif ++ + /* A trivial malloc implementation, adapted from + * malloc by Hannu Savolainen 1993 and Matthias Urlichs 1994 + */ +-static unsigned long malloc_ptr; +-static int malloc_count; ++STATIC_RW_DATA unsigned long malloc_ptr; ++STATIC_RW_DATA int malloc_count; + + static void *malloc(int size) + { diff --git a/queue-2.6.32/drivers-scsi-ses.c-eliminate-double-free.patch b/queue-2.6.32/drivers-scsi-ses.c-eliminate-double-free.patch new file mode 100644 index 00000000000..4dec6418006 --- /dev/null +++ b/queue-2.6.32/drivers-scsi-ses.c-eliminate-double-free.patch @@ -0,0 +1,61 @@ +From 9b3a6549b2602ca30f58715a0071e29f9898cae9 Mon Sep 17 00:00:00 2001 +From: Julia Lawall +Date: Wed, 10 Mar 2010 15:20:42 -0800 +Subject: drivers/scsi/ses.c: eliminate double free + +From: Julia Lawall + +commit 9b3a6549b2602ca30f58715a0071e29f9898cae9 upstream. + +The few lines below the kfree of hdr_buf may go to the label err_free +which will also free hdr_buf. The most straightforward solution seems to +be to just move the kfree of hdr_buf after these gotos. + +A simplified version of the semantic match that finds this problem is as +follows: (http://coccinelle.lip6.fr/) + +// +@r@ +identifier E; +expression E1; +iterator I; +statement S; +@@ + +*kfree(E); +... when != E = E1 + when != I(E,...) S + when != &E +*kfree(E); +// + +Signed-off-by: Julia Lawall +Cc: James Bottomley +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/scsi/ses.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -591,8 +591,6 @@ static int ses_intf_add(struct device *c + ses_dev->page10_len = len; + buf = NULL; + } +- kfree(hdr_buf); +- + scomp = kzalloc(sizeof(struct ses_component) * components, GFP_KERNEL); + if (!scomp) + goto err_free; +@@ -604,6 +602,8 @@ static int ses_intf_add(struct device *c + goto err_free; + } + ++ kfree(hdr_buf); ++ + edev->scratch = ses_dev; + for (i = 0; i < components; i++) + edev->component[i].scratch = scomp + i; diff --git a/queue-2.6.32/function-graph-init-curr_ret_stack-with-ret_stack.patch b/queue-2.6.32/function-graph-init-curr_ret_stack-with-ret_stack.patch new file mode 100644 index 00000000000..9348fed5753 --- /dev/null +++ b/queue-2.6.32/function-graph-init-curr_ret_stack-with-ret_stack.patch @@ -0,0 +1,48 @@ +From ea14eb714041d40fcc5180b5a586034503650149 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 19:41:23 -0500 +Subject: function-graph: Init curr_ret_stack with ret_stack + +From: Steven Rostedt + +commit ea14eb714041d40fcc5180b5a586034503650149 upstream. + +If the graph tracer is active, and a task is forked but the allocating of +the processes graph stack fails, it can cause crash later on. + +This is due to the temporary stack being NULL, but the curr_ret_stack +variable is copied from the parent. If it is not -1, then in +ftrace_graph_probe_sched_switch() the following: + + for (index = next->curr_ret_stack; index >= 0; index--) + next->ret_stack[index].calltime += timestamp; + +Will cause a kernel OOPS. + +Found with Li Zefan's ftrace_stress_test. + +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ftrace.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -3258,6 +3258,7 @@ void ftrace_graph_init_task(struct task_ + { + /* Make sure we do not use the parent ret_stack */ + t->ret_stack = NULL; ++ t->curr_ret_stack = -1; + + if (ftrace_graph_active) { + struct ftrace_ret_stack *ret_stack; +@@ -3267,7 +3268,6 @@ void ftrace_graph_init_task(struct task_ + GFP_KERNEL); + if (!ret_stack) + return; +- t->curr_ret_stack = -1; + atomic_set(&t->tracing_graph_pause, 0); + atomic_set(&t->trace_overrun, 0); + t->ftrace_timestamp = 0; diff --git a/queue-2.6.32/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch b/queue-2.6.32/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch new file mode 100644 index 00000000000..43881c7b061 --- /dev/null +++ b/queue-2.6.32/i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch @@ -0,0 +1,38 @@ +From c074c39d62306efa5ba7c69c1a1531bc7333d252 Mon Sep 17 00:00:00 2001 +From: Jean Delvare +Date: Sat, 13 Mar 2010 20:56:53 +0100 +Subject: i2c-i801: Don't use the block buffer for I2C block writes + +From: Jean Delvare + +commit c074c39d62306efa5ba7c69c1a1531bc7333d252 upstream. + +Experience has shown that the block buffer can only be used for SMBus +(not I2C) block transactions, even though the datasheet doesn't +mention this limitation. + +Reported-by: Felix Rubinstein +Signed-off-by: Jean Delvare +Cc: Oleg Ryjkov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/i2c/busses/i2c-i801.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/i2c/busses/i2c-i801.c ++++ b/drivers/i2c/busses/i2c-i801.c +@@ -415,9 +415,11 @@ static int i801_block_transaction(union + data->block[0] = 32; /* max for SMBus block reads */ + } + ++ /* Experience has shown that the block buffer can only be used for ++ SMBus (not I2C) block transactions, even though the datasheet ++ doesn't mention this limitation. */ + if ((i801_features & FEATURE_BLOCK_BUFFER) +- && !(command == I2C_SMBUS_I2C_BLOCK_DATA +- && read_write == I2C_SMBUS_READ) ++ && command != I2C_SMBUS_I2C_BLOCK_DATA + && i801_set_block_buffer_mode() == 0) + result = i801_block_transaction_by_block(data, read_write, + hwpec); diff --git a/queue-2.6.32/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch b/queue-2.6.32/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch new file mode 100644 index 00000000000..14fae825a6e --- /dev/null +++ b/queue-2.6.32/input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch @@ -0,0 +1,28 @@ +From eb8bff85c5bd5caef7c374ff32b86545029efb56 Mon Sep 17 00:00:00 2001 +From: Thomas Bächler +Date: Tue, 9 Mar 2010 20:38:48 -0800 +Subject: Input: alps - add support for the touchpad on Toshiba Tecra A11-11L + +From: Thomas Bächler + +commit eb8bff85c5bd5caef7c374ff32b86545029efb56 upstream. + +Signed-off-by: Thomas Bächler +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/mouse/alps.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/input/mouse/alps.c ++++ b/drivers/input/mouse/alps.c +@@ -62,6 +62,8 @@ static const struct alps_model_info alps + { { 0x62, 0x02, 0x14 }, 0xcf, 0xcf, + ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, + { { 0x73, 0x02, 0x50 }, 0xcf, 0xcf, ALPS_FW_BK_1 }, /* Dell Vostro 1400 */ ++ { { 0x52, 0x01, 0x14 }, 0xff, 0xff, ++ ALPS_PASS | ALPS_DUALPOINT | ALPS_PS2_INTERLEAVED }, /* Toshiba Tecra A11-11L */ + }; + + /* diff --git a/queue-2.6.32/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch b/queue-2.6.32/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch new file mode 100644 index 00000000000..c77d5bd3f16 --- /dev/null +++ b/queue-2.6.32/input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch @@ -0,0 +1,37 @@ +From 31968ecf584330b51a25b7bf881c2b632a02a3fb Mon Sep 17 00:00:00 2001 +From: Christoph Fritz +Date: Sat, 13 Mar 2010 22:26:23 -0800 +Subject: Input: i8042 - add ALDI/MEDION netbook E1222 to qurik reset table + +From: Christoph Fritz + +commit 31968ecf584330b51a25b7bf881c2b632a02a3fb upstream. + +ALDI/MEDION netbook E1222 needs to be in the reset quirk list for +its touchpad's proper function. + +Reported-by: Michael Fischer +Signed-off-by: Christoph Fritz +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/serio/i8042-x86ia64io.h | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/drivers/input/serio/i8042-x86ia64io.h ++++ b/drivers/input/serio/i8042-x86ia64io.h +@@ -442,6 +442,13 @@ static const struct dmi_system_id __init + }, + }, + { ++ /* Medion Akoya E1222 */ ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "MEDION"), ++ DMI_MATCH(DMI_PRODUCT_NAME, "E122X"), ++ }, ++ }, ++ { + /* Mivvy M310 */ + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "VIOOO"), diff --git a/queue-2.6.32/mips-cleanup-forgotten-label_module_alloc-in-tlbex.c.patch b/queue-2.6.32/mips-cleanup-forgotten-label_module_alloc-in-tlbex.c.patch new file mode 100644 index 00000000000..4a815f28c4d --- /dev/null +++ b/queue-2.6.32/mips-cleanup-forgotten-label_module_alloc-in-tlbex.c.patch @@ -0,0 +1,54 @@ +From abbdc3d88aa2d5c937b21044c336bcd056c1732f Mon Sep 17 00:00:00 2001 +From: David Daney +Date: Thu, 3 Dec 2009 17:43:54 -0800 +Subject: MIPS: Cleanup forgotten label_module_alloc in tlbex.c + +From: David Daney + +commit abbdc3d88aa2d5c937b21044c336bcd056c1732f upstream. + +commit c8af165342e83a4eb078c9607d29a7c399d30a53 (lmo) rsp. +e0cc87f59490d7d62a8ab2a76498dc8a2b64927a (kernel.org) left +label_module_alloc unused. Remove it now. + +Signed-off-by: David Daney +Cc: linux-mips@linux-mips.org +Patchwork: http://patchwork.linux-mips.org/patch/752/ +Signed-off-by: Ralf Baechle +Signed-off-by: Greg Kroah-Hartman + +--- + arch/mips/mm/tlbex.c | 8 -------- + 1 file changed, 8 deletions(-) + +--- a/arch/mips/mm/tlbex.c ++++ b/arch/mips/mm/tlbex.c +@@ -73,9 +73,6 @@ static int __cpuinit m4kc_tlbp_war(void) + enum label_id { + label_second_part = 1, + label_leave, +-#ifdef MODULE_START +- label_module_alloc, +-#endif + label_vmalloc, + label_vmalloc_done, + label_tlbw_hazard, +@@ -92,9 +89,6 @@ enum label_id { + + UASM_L_LA(_second_part) + UASM_L_LA(_leave) +-#ifdef MODULE_START +-UASM_L_LA(_module_alloc) +-#endif + UASM_L_LA(_vmalloc) + UASM_L_LA(_vmalloc_done) + UASM_L_LA(_tlbw_hazard) +@@ -802,8 +796,6 @@ static void __cpuinit build_r4000_tlb_re + } else { + #if defined(CONFIG_HUGETLB_PAGE) + const enum label_id ls = label_tlb_huge_update; +-#elif defined(MODULE_START) +- const enum label_id ls = label_module_alloc; + #else + const enum label_id ls = label_vmalloc; + #endif diff --git a/queue-2.6.32/ring-buffer-move-disabled-check-into-preempt-disable-section.patch b/queue-2.6.32/ring-buffer-move-disabled-check-into-preempt-disable-section.patch new file mode 100644 index 00000000000..3001672875c --- /dev/null +++ b/queue-2.6.32/ring-buffer-move-disabled-check-into-preempt-disable-section.patch @@ -0,0 +1,60 @@ +From 52fbe9cde7fdb5c6fac196d7ebd2d92d05ef3cd4 Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Mon, 8 Mar 2010 14:50:43 +0800 +Subject: ring-buffer: Move disabled check into preempt disable section + +From: Lai Jiangshan + +commit 52fbe9cde7fdb5c6fac196d7ebd2d92d05ef3cd4 upstream. + +The ring buffer resizing and resetting relies on a schedule RCU +action. The buffers are disabled, a synchronize_sched() is called +and then the resize or reset takes place. + +But this only works if the disabling of the buffers are within the +preempt disabled section, otherwise a window exists that the buffers +can be written to while a reset or resize takes place. + +Reported-by: Li Zefan +Signed-off-by: Lai Jiangshan +LKML-Reference: <4B949E43.2010906@cn.fujitsu.com> +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/ring_buffer.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/kernel/trace/ring_buffer.c ++++ b/kernel/trace/ring_buffer.c +@@ -2237,12 +2237,12 @@ ring_buffer_lock_reserve(struct ring_buf + if (ring_buffer_flags != RB_BUFFERS_ON) + return NULL; + +- if (atomic_read(&buffer->record_disabled)) +- return NULL; +- + /* If we are tracing schedule, we don't want to recurse */ + resched = ftrace_preempt_disable(); + ++ if (atomic_read(&buffer->record_disabled)) ++ goto out_nocheck; ++ + if (trace_recursive_lock()) + goto out_nocheck; + +@@ -2474,11 +2474,11 @@ int ring_buffer_write(struct ring_buffer + if (ring_buffer_flags != RB_BUFFERS_ON) + return -EBUSY; + +- if (atomic_read(&buffer->record_disabled)) +- return -EBUSY; +- + resched = ftrace_preempt_disable(); + ++ if (atomic_read(&buffer->record_disabled)) ++ goto out; ++ + cpu = raw_smp_processor_id(); + + if (!cpumask_test_cpu(cpu, buffer->cpumask)) diff --git a/queue-2.6.32/series b/queue-2.6.32/series index eebe9d0456b..6879c21fd2c 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -1 +1,22 @@ drm-i915-fix-gpio-register-detection-logic-for-bios-without-vbt.patch +drivers-scsi-ses.c-eliminate-double-free.patch +decompress-fix-new-decompressor-for-pic.patch +arm-fix-decompressor-s-kernel-size-estimation-for-rom-y.patch +mips-cleanup-forgotten-label_module_alloc-in-tlbex.c.patch +tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch +tg3-fix-5906-transmit-hangs.patch +alsa-hda-fix-input-source-elements-of-secondary-adcs-on-realtek.patch +alsa-hda-enable-msi-for-gateway-m-6866.patch +timekeeping-prevent-oops-when-generic_time-n.patch +input-alps-add-support-for-the-touchpad-on-toshiba-tecra-a11-11l.patch +input-i8042-add-aldi-medion-netbook-e1222-to-qurik-reset-table.patch +i2c-i801-don-t-use-the-block-buffer-for-i2c-block-writes.patch +ath5k-dont-use-external-sleep-clock-in-ap-mode.patch +ath5k-fix-setup-for-cab-queue.patch +ring-buffer-move-disabled-check-into-preempt-disable-section.patch +function-graph-init-curr_ret_stack-with-ret_stack.patch +bluetooth-fix-sleeping-function-in-rfcomm-within-invalid-context.patch +tracing-fix-warning-in-s_next-of-trace-file-ops.patch +tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch +tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch +tracing-do-not-record-user-stack-trace-from-nmi-context.patch diff --git a/queue-2.6.32/tg3-fix-5906-transmit-hangs.patch b/queue-2.6.32/tg3-fix-5906-transmit-hangs.patch new file mode 100644 index 00000000000..0425bb8962f --- /dev/null +++ b/queue-2.6.32/tg3-fix-5906-transmit-hangs.patch @@ -0,0 +1,109 @@ +From mpagano@gentoo.org Thu Mar 18 14:01:54 2010 +From: Matt Carlson +Date: Fri, 12 Mar 2010 18:12:13 -0500 +Subject: tg3: Fix 5906 transmit hangs +To: stable@kernel.org +Cc: mcarlson@broadcom.com +Message-ID: <201003121812.14105.mpagano@gentoo.org> + +From: Matt Carlson + +This is a resubmit backport of commit 92c6b8d16a36df3f28b2537bed2a56491fb08f11 +to kernel version 2.6.32. The gentoo bug report can be found at +https://bugs.gentoo.org/show_bug.cgi?id=301091. Thanks to Matt Carlson for his +assistance and working me to fix a regression caused by the initial patch. The +original description is as follows: + +The 5906 has trouble with fragments that are less than 8 bytes in size. This +patch works around the problem by pivoting the 5906's transmit routine to +tg3_start_xmit_dma_bug() and introducing a new SHORT_DMA_BUG flag that enables +code to detect and react to the problematic condition. + +Signed-off-by: Mike Pagano +Signed-off-by: Matt Carlson +Signed-off-by: Michael Chan +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 21 ++++++++++++++++----- + drivers/net/tg3.h | 3 +++ + 2 files changed, 19 insertions(+), 5 deletions(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -5392,7 +5392,7 @@ static netdev_tx_t tg3_start_xmit_dma_bu + mss = 0; + if ((mss = skb_shinfo(skb)->gso_size) != 0) { + struct iphdr *iph; +- int tcp_opt_len, ip_tcp_len, hdr_len; ++ u32 tcp_opt_len, ip_tcp_len, hdr_len; + + if (skb_header_cloned(skb) && + pskb_expand_head(skb, 0, 0, GFP_ATOMIC)) { +@@ -5423,8 +5423,10 @@ static netdev_tx_t tg3_start_xmit_dma_bu + IPPROTO_TCP, + 0); + +- if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO) || +- (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5705)) { ++ if (tp->tg3_flags2 & TG3_FLG2_HW_TSO_2) ++ mss |= hdr_len << 9; ++ else if ((tp->tg3_flags2 & TG3_FLG2_HW_TSO_1) || ++ GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5705) { + if (tcp_opt_len || iph->ihl > 5) { + int tsflags; + +@@ -5459,6 +5461,9 @@ static netdev_tx_t tg3_start_xmit_dma_bu + + would_hit_hwbug = 0; + ++ if ((tp->tg3_flags3 & TG3_FLG3_SHORT_DMA_BUG) && len <= 8) ++ would_hit_hwbug = 1; ++ + if (tp->tg3_flags3 & TG3_FLG3_5701_DMA_BUG) + would_hit_hwbug = 1; + else if (tg3_4g_overflow_test(mapping, len)) +@@ -5482,6 +5487,10 @@ static netdev_tx_t tg3_start_xmit_dma_bu + + tnapi->tx_buffers[entry].skb = NULL; + ++ if ((tp->tg3_flags3 & TG3_FLG3_SHORT_DMA_BUG) && ++ len <= 8) ++ would_hit_hwbug = 1; ++ + if (tg3_4g_overflow_test(mapping, len)) + would_hit_hwbug = 1; + +@@ -12608,6 +12617,9 @@ static int __devinit tg3_get_invariants( + } + } + ++ if (GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5906) ++ tp->tg3_flags3 |= TG3_FLG3_SHORT_DMA_BUG; ++ + tp->irq_max = 1; + + #ifdef TG3_NAPI +@@ -13975,8 +13987,7 @@ static int __devinit tg3_init_one(struct + goto err_out_iounmap; + } + +- if ((tp->tg3_flags3 & TG3_FLG3_5755_PLUS) || +- GET_ASIC_REV(tp->pci_chip_rev_id) == ASIC_REV_5906) ++ if (tp->tg3_flags3 & TG3_FLG3_5755_PLUS) + dev->netdev_ops = &tg3_netdev_ops; + else + dev->netdev_ops = &tg3_netdev_ops_dma_bug; +--- a/drivers/net/tg3.h ++++ b/drivers/net/tg3.h +@@ -2759,6 +2759,9 @@ struct tg3 { + #define TG3_FLG3_TOGGLE_10_100_L1PLLPD 0x00008000 + #define TG3_FLG3_PHY_IS_FET 0x00010000 + #define TG3_FLG3_ENABLE_RSS 0x00020000 ++#define TG3_FLG3_4G_DMA_BNDRY_BUG 0x00080000 ++#define TG3_FLG3_40BIT_DMA_LIMIT_BUG 0x00100000 ++#define TG3_FLG3_SHORT_DMA_BUG 0x00200000 + + struct timer_list timer; + u16 timer_counter; diff --git a/queue-2.6.32/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch b/queue-2.6.32/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch new file mode 100644 index 00000000000..78c677f6a98 --- /dev/null +++ b/queue-2.6.32/tg3-fix-tg3_poll_controller-passing-wrong-pointer-to-tg3_interrupt.patch @@ -0,0 +1,39 @@ +From fe234f0e5cbb880792d2d1ac0743cf8c07e9dde3 Mon Sep 17 00:00:00 2001 +From: Louis Rilling +Date: Tue, 9 Mar 2010 06:14:41 +0000 +Subject: tg3: Fix tg3_poll_controller() passing wrong pointer to tg3_interrupt() + +From: Louis Rilling + +commit fe234f0e5cbb880792d2d1ac0743cf8c07e9dde3 upstream. + +Commit 09943a1819a240ff4a72f924d0038818fcdd0a90 + Author: Matt Carlson + Date: Fri Aug 28 14:01:57 2009 +0000 + + tg3: Convert ISR parameter to tnapi + +forgot to update tg3_poll_controller(), leading to intermittent crashes with +netpoll. + +Fix this. + +Signed-off-by: Louis Rilling +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/tg3.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/tg3.c ++++ b/drivers/net/tg3.c +@@ -4995,7 +4995,7 @@ static void tg3_poll_controller(struct n + struct tg3 *tp = netdev_priv(dev); + + for (i = 0; i < tp->irq_cnt; i++) +- tg3_interrupt(tp->napi[i].irq_vec, dev); ++ tg3_interrupt(tp->napi[i].irq_vec, &tp->napi[i]); + } + #endif + diff --git a/queue-2.6.32/timekeeping-prevent-oops-when-generic_time-n.patch b/queue-2.6.32/timekeeping-prevent-oops-when-generic_time-n.patch new file mode 100644 index 00000000000..4afca86b173 --- /dev/null +++ b/queue-2.6.32/timekeeping-prevent-oops-when-generic_time-n.patch @@ -0,0 +1,44 @@ +From ad6759fbf35d104dbf573cd6f4c6784ad6823f7e Mon Sep 17 00:00:00 2001 +From: john stultz +Date: Mon, 1 Mar 2010 12:34:43 -0800 +Subject: timekeeping: Prevent oops when GENERIC_TIME=n + +From: john stultz + +commit ad6759fbf35d104dbf573cd6f4c6784ad6823f7e upstream. + +Aaro Koskinen reported an issue in kernel.org bugzilla #15366, where +on non-GENERIC_TIME systems, accessing +/sys/devices/system/clocksource/clocksource0/current_clocksource +results in an oops. + +It seems the timekeeper/clocksource rework missed initializing the +curr_clocksource value in the !GENERIC_TIME case. + +Thanks to Aaro for reporting and diagnosing the issue as well as +testing the fix! + +Reported-by: Aaro Koskinen +Signed-off-by: John Stultz +Cc: Martin Schwidefsky +LKML-Reference: <1267475683.4216.61.camel@localhost.localdomain> +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/time/clocksource.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/kernel/time/clocksource.c ++++ b/kernel/time/clocksource.c +@@ -515,6 +515,10 @@ static inline void clocksource_select(vo + */ + static int __init clocksource_done_booting(void) + { ++ mutex_lock(&clocksource_mutex); ++ curr_clocksource = clocksource_default_clock(); ++ mutex_unlock(&clocksource_mutex); ++ + finished_booting = 1; + + /* diff --git a/queue-2.6.32/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch b/queue-2.6.32/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch new file mode 100644 index 00000000000..978e5db137b --- /dev/null +++ b/queue-2.6.32/tracing-disable-buffer-switching-when-starting-or-stopping-trace.patch @@ -0,0 +1,85 @@ +From a2f8071428ed9a0f06865f417c962421c9a6b488 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 19:56:00 -0500 +Subject: tracing: Disable buffer switching when starting or stopping trace + +From: Steven Rostedt + +commit a2f8071428ed9a0f06865f417c962421c9a6b488 upstream. + +When the trace iterator is read, tracing_start() and tracing_stop() +is called to stop tracing while the iterator is processing the trace +output. + +These functions disable both the standard buffer and the max latency +buffer. But if the wakeup tracer is running, it can switch these +buffers between the two disables: + + buffer = global_trace.buffer; + if (buffer) + ring_buffer_record_disable(buffer); + + <<<--------- swap happens here + + buffer = max_tr.buffer; + if (buffer) + ring_buffer_record_disable(buffer); + +What happens is that we disabled the same buffer twice. On tracing_start() +we can enable the same buffer twice. All ring_buffer_record_disable() +must be matched with a ring_buffer_record_enable() or the buffer +can be disable permanently, or enable prematurely, and cause a bug +where a reset happens while a trace is commiting. + +This patch protects these two by taking the ftrace_max_lock to prevent +a switch from occurring. + +Found with Li Zefan's ftrace_stress_test. + +Reported-by: Lai Jiangshan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -858,6 +858,8 @@ void tracing_start(void) + goto out; + } + ++ /* Prevent the buffers from switching */ ++ arch_spin_lock(&ftrace_max_lock); + + buffer = global_trace.buffer; + if (buffer) +@@ -867,6 +869,8 @@ void tracing_start(void) + if (buffer) + ring_buffer_record_enable(buffer); + ++ arch_spin_unlock(&ftrace_max_lock); ++ + ftrace_start(); + out: + spin_unlock_irqrestore(&tracing_start_lock, flags); +@@ -888,6 +892,9 @@ void tracing_stop(void) + if (trace_stop_count++) + goto out; + ++ /* Prevent the buffers from switching */ ++ arch_spin_lock(&ftrace_max_lock); ++ + buffer = global_trace.buffer; + if (buffer) + ring_buffer_record_disable(buffer); +@@ -896,6 +903,8 @@ void tracing_stop(void) + if (buffer) + ring_buffer_record_disable(buffer); + ++ arch_spin_unlock(&ftrace_max_lock); ++ + out: + spin_unlock_irqrestore(&tracing_start_lock, flags); + } diff --git a/queue-2.6.32/tracing-do-not-record-user-stack-trace-from-nmi-context.patch b/queue-2.6.32/tracing-do-not-record-user-stack-trace-from-nmi-context.patch new file mode 100644 index 00000000000..8d01087eda2 --- /dev/null +++ b/queue-2.6.32/tracing-do-not-record-user-stack-trace-from-nmi-context.patch @@ -0,0 +1,93 @@ +From b6345879ccbd9b92864fbd7eb8ac48acdb4d6b15 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 20:03:30 -0500 +Subject: tracing: Do not record user stack trace from NMI context + +From: Steven Rostedt + +commit b6345879ccbd9b92864fbd7eb8ac48acdb4d6b15 upstream. + +A bug was found with Li Zefan's ftrace_stress_test that caused applications +to segfault during the test. + +Placing a tracing_off() in the segfault code, and examining several +traces, I found that the following was always the case. The lock tracer +was enabled (lockdep being required) and userstack was enabled. Testing +this out, I just enabled the two, but that was not good enough. I needed +to run something else that could trigger it. Running a load like hackbench +did not work, but executing a new program would. The following would +trigger the segfault within seconds: + + # echo 1 > /debug/tracing/options/userstacktrace + # echo 1 > /debug/tracing/events/lock/enable + # while :; do ls > /dev/null ; done + +Enabling the function graph tracer and looking at what was happening +I finally noticed that all cashes happened just after an NMI. + + 1) | copy_user_handle_tail() { + 1) | bad_area_nosemaphore() { + 1) | __bad_area_nosemaphore() { + 1) | no_context() { + 1) | fixup_exception() { + 1) 0.319 us | search_exception_tables(); + 1) 0.873 us | } +[...] + 1) 0.314 us | __rcu_read_unlock(); + 1) 0.325 us | native_apic_mem_write(); + 1) 0.943 us | } + 1) 0.304 us | rcu_nmi_exit(); +[...] + 1) 0.479 us | find_vma(); + 1) | bad_area() { + 1) | __bad_area() { + +After capturing several traces of failures, all of them happened +after an NMI. Curious about this, I added a trace_printk() to the NMI +handler to read the regs->ip to see where the NMI happened. In which I +found out it was here: + +ffffffff8135b660 : +ffffffff8135b660: 48 83 ec 78 sub $0x78,%rsp +ffffffff8135b664: e8 97 01 00 00 callq ffffffff8135b800 + +What was happening is that the NMI would happen at the place that a page +fault occurred. It would call rcu_read_lock() which was traced by +the lock events, and the user_stack_trace would run. This would trigger +a page fault inside the NMI. I do not see where the CR2 register is +saved or restored in NMI handling. This means that it would corrupt +the page fault handling that the NMI interrupted. + +The reason the while loop of ls helped trigger the bug, was that +each execution of ls would cause lots of pages to be faulted in, and +increase the chances of the race happening. + +The simple solution is to not allow user stack traces in NMI context. +After this patch, I ran the above "ls" test for a couple of hours +without any issues. Without this patch, the bug would trigger in less +than a minute. + +Reported-by: Li Zefan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 7 +++++++ + 1 file changed, 7 insertions(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1171,6 +1171,13 @@ ftrace_trace_userstack(struct ring_buffe + if (!(trace_flags & TRACE_ITER_USERSTACKTRACE)) + return; + ++ /* ++ * NMIs can not handle page faults, even with fix ups. ++ * The save user stack can (and often does) fault. ++ */ ++ if (unlikely(in_nmi())) ++ return; ++ + event = trace_buffer_lock_reserve(buffer, TRACE_USER_STACK, + sizeof(*entry), flags, pc); + if (!event) diff --git a/queue-2.6.32/tracing-fix-warning-in-s_next-of-trace-file-ops.patch b/queue-2.6.32/tracing-fix-warning-in-s_next-of-trace-file-ops.patch new file mode 100644 index 00000000000..a60a9ab1704 --- /dev/null +++ b/queue-2.6.32/tracing-fix-warning-in-s_next-of-trace-file-ops.patch @@ -0,0 +1,46 @@ +From ac91d85456372a90af5b85eb6620fd2efb1e431b Mon Sep 17 00:00:00 2001 +From: Lai Jiangshan +Date: Tue, 2 Mar 2010 17:54:50 +0800 +Subject: tracing: Fix warning in s_next of trace file ops + +From: Lai Jiangshan + +commit ac91d85456372a90af5b85eb6620fd2efb1e431b upstream. + +This warning in s_next() can be triggered by lseek(): + [] ? s_next+0x77/0x80 + [] warn_slowpath_common+0x81/0xa0 + [] ? s_next+0x77/0x80 + [] warn_slowpath_null+0x1a/0x20 + [] s_next+0x77/0x80 + [] traverse+0x117/0x200 + [] seq_lseek+0xa3/0x120 + [] ? seq_lseek+0x0/0x120 + [] vfs_llseek+0x41/0x50 + [] sys_llseek+0x66/0xa0 + [] sysenter_do_call+0x12/0x26 + +The iterator "leftover" variable is zeroed in the opening of the trace +file. But lseek can call s_start() which will call s_next() without +reseting the "leftover" variable back to zero, which might trigger +the WARN_ON_ONCE(iter->leftover) that is in s_next(). + +Signed-off-by: Lai Jiangshan +LKML-Reference: <4B8CE06A.9090207@cn.fujitsu.com> +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -1609,6 +1609,7 @@ static void *s_start(struct seq_file *m, + + ftrace_enable_cpu(); + ++ iter->leftover = 0; + for (p = iter; p && l < *pos; p = s_next(m, p, &l)) + ; + diff --git a/queue-2.6.32/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch b/queue-2.6.32/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch new file mode 100644 index 00000000000..148efdc2339 --- /dev/null +++ b/queue-2.6.32/tracing-use-same-local-variable-when-resetting-the-ring-buffer.patch @@ -0,0 +1,66 @@ +From 283740c619d211e34572cc93c8cdba92ccbdb9cc Mon Sep 17 00:00:00 2001 +From: Steven Rostedt +Date: Fri, 12 Mar 2010 19:48:41 -0500 +Subject: tracing: Use same local variable when resetting the ring buffer + +From: Steven Rostedt + +commit 283740c619d211e34572cc93c8cdba92ccbdb9cc upstream. + +In the ftrace code that resets the ring buffer it references the +buffer with a local variable, but then uses the tr->buffer as the +parameter to reset. If the wakeup tracer is running, which can +switch the tr->buffer with the max saved buffer, this can break +the requirement of disabling the buffer before the reset. + + buffer = tr->buffer; + ring_buffer_record_disable(buffer); + synchronize_sched(); + __tracing_reset(tr->buffer, cpu); + +If the tr->buffer is swapped, then the reset is not happening to the +buffer that was disabled. This will cause the ring buffer to fail. + +Found with Li Zefan's ftrace_stress_test. + +Reported-by: Lai Jiangshan +Signed-off-by: Steven Rostedt +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/trace/trace.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -748,10 +748,10 @@ out: + mutex_unlock(&trace_types_lock); + } + +-static void __tracing_reset(struct trace_array *tr, int cpu) ++static void __tracing_reset(struct ring_buffer *buffer, int cpu) + { + ftrace_disable_cpu(); +- ring_buffer_reset_cpu(tr->buffer, cpu); ++ ring_buffer_reset_cpu(buffer, cpu); + ftrace_enable_cpu(); + } + +@@ -763,7 +763,7 @@ void tracing_reset(struct trace_array *t + + /* Make sure all commits have finished */ + synchronize_sched(); +- __tracing_reset(tr, cpu); ++ __tracing_reset(buffer, cpu); + + ring_buffer_record_enable(buffer); + } +@@ -781,7 +781,7 @@ void tracing_reset_online_cpus(struct tr + tr->time_start = ftrace_now(tr->cpu); + + for_each_online_cpu(cpu) +- __tracing_reset(tr, cpu); ++ __tracing_reset(buffer, cpu); + + ring_buffer_record_enable(buffer); + } -- 2.47.3