From: Greg Kroah-Hartman Date: Tue, 30 Mar 2010 21:56:29 +0000 (-0700) Subject: .32 patches X-Git-Tag: v2.6.27.46~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=046c5d5625b3b2dd941ebd2fde3c8f9cf8f19098;p=thirdparty%2Fkernel%2Fstable-queue.git .32 patches --- diff --git a/queue-2.6.32/ahci-use-bios-date-in-broken_suspend-list.patch b/queue-2.6.32/ahci-use-bios-date-in-broken_suspend-list.patch new file mode 100644 index 00000000000..48f9f4e1464 --- /dev/null +++ b/queue-2.6.32/ahci-use-bios-date-in-broken_suspend-list.patch @@ -0,0 +1,114 @@ +From 9deb343189b3cf45e84dd08480f330575ffe2004 Mon Sep 17 00:00:00 2001 +From: Tejun Heo +Date: Tue, 16 Mar 2010 09:50:26 +0900 +Subject: ahci: use BIOS date in broken_suspend list + +From: Tejun Heo + +commit 9deb343189b3cf45e84dd08480f330575ffe2004 upstream. + +HP is recycling both DMI_PRODUCT_NAME and DMI_BIOS_VERSION making +ahci_broken_suspend() trigger for later products which are not +affected by the original problems. Match BIOS date instead of version +and add references to bko's so that full information can be found +easier later. + +This fixes http://bugzilla.kernel.org/show_bug.cgi?id=15462 + +Signed-off-by: Tejun Heo +Reported-by: tigerfishdaisy@gmail.com +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/ahci.c | 28 ++++++++++++++++++++-------- + 1 file changed, 20 insertions(+), 8 deletions(-) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -2831,6 +2831,14 @@ static bool ahci_broken_suspend(struct p + * On HP dv[4-6] and HDX18 with earlier BIOSen, link + * to the harddisk doesn't become online after + * resuming from STR. Warn and fail suspend. ++ * ++ * http://bugzilla.kernel.org/show_bug.cgi?id=12276 ++ * ++ * Use dates instead of versions to match as HP is ++ * apparently recycling both product and version ++ * strings. ++ * ++ * http://bugzilla.kernel.org/show_bug.cgi?id=15462 + */ + { + .ident = "dv4", +@@ -2839,7 +2847,7 @@ static bool ahci_broken_suspend(struct p + DMI_MATCH(DMI_PRODUCT_NAME, + "HP Pavilion dv4 Notebook PC"), + }, +- .driver_data = "F.30", /* cutoff BIOS version */ ++ .driver_data = "20090105", /* F.30 */ + }, + { + .ident = "dv5", +@@ -2848,7 +2856,7 @@ static bool ahci_broken_suspend(struct p + DMI_MATCH(DMI_PRODUCT_NAME, + "HP Pavilion dv5 Notebook PC"), + }, +- .driver_data = "F.16", /* cutoff BIOS version */ ++ .driver_data = "20090506", /* F.16 */ + }, + { + .ident = "dv6", +@@ -2857,7 +2865,7 @@ static bool ahci_broken_suspend(struct p + DMI_MATCH(DMI_PRODUCT_NAME, + "HP Pavilion dv6 Notebook PC"), + }, +- .driver_data = "F.21", /* cutoff BIOS version */ ++ .driver_data = "20090423", /* F.21 */ + }, + { + .ident = "HDX18", +@@ -2866,7 +2874,7 @@ static bool ahci_broken_suspend(struct p + DMI_MATCH(DMI_PRODUCT_NAME, + "HP HDX18 Notebook PC"), + }, +- .driver_data = "F.23", /* cutoff BIOS version */ ++ .driver_data = "20090430", /* F.23 */ + }, + /* + * Acer eMachines G725 has the same problem. BIOS +@@ -2874,6 +2882,8 @@ static bool ahci_broken_suspend(struct p + * work. Inbetween, there are V1.06, V2.06 and V3.03 + * that we don't have much idea about. For now, + * blacklist anything older than V3.04. ++ * ++ * http://bugzilla.kernel.org/show_bug.cgi?id=15104 + */ + { + .ident = "G725", +@@ -2881,19 +2891,21 @@ static bool ahci_broken_suspend(struct p + DMI_MATCH(DMI_SYS_VENDOR, "eMachines"), + DMI_MATCH(DMI_PRODUCT_NAME, "eMachines G725"), + }, +- .driver_data = "V3.04", /* cutoff BIOS version */ ++ .driver_data = "20091216", /* V3.04 */ + }, + { } /* terminate list */ + }; + const struct dmi_system_id *dmi = dmi_first_match(sysids); +- const char *ver; ++ int year, month, date; ++ char buf[9]; + + if (!dmi || pdev->bus->number || pdev->devfn != PCI_DEVFN(0x1f, 2)) + return false; + +- ver = dmi_get_system_info(DMI_BIOS_VERSION); ++ dmi_get_date(DMI_BIOS_DATE, &year, &month, &date); ++ snprintf(buf, sizeof(buf), "%04d%02d%02d", year, month, date); + +- return !ver || strcmp(ver, dmi->driver_data) < 0; ++ return strcmp(buf, dmi->driver_data) < 0; + } + + static bool ahci_broken_online(struct pci_dev *pdev) diff --git a/queue-2.6.32/b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch b/queue-2.6.32/b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch new file mode 100644 index 00000000000..5d19530b2b0 --- /dev/null +++ b/queue-2.6.32/b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch @@ -0,0 +1,56 @@ +From Larry.Finger@lwfinger.net Tue Mar 30 14:13:06 2010 +From: Michael Buesch +Date: Fri, 19 Mar 2010 10:38:33 -0500 +Subject: b43: Workaround circular locking in hw-tkip key update callback +To: Greg Kroah-Hartman +Message-ID: <4ba39a79.mevaykhV84IAaVlI%Larry.Finger@lwfinger.net> + +From: Michael Buesch + +commit 96869a39399269a776a94812e9fff3d38b47d838 upstream + +The TKIP key update callback is called from the RX path, where the driver +mutex is already locked. This results in a circular locking bug. +Avoid this by removing the lock. + +Johannes noted that there is a separate bug: The callback still breaks on SDIO +hardware, because SDIO hardware access needs to sleep, but we are not allowed +to sleep in the callback due to mac80211's RCU locking. + +Signed-off-by: Michael Buesch +Tested-by: Larry Finger +Reported-by: kecsa@kutfo.hit.bme.hu +Cc: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/b43/main.c | 11 ++++------- + 1 file changed, 4 insertions(+), 7 deletions(-) + +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -852,19 +852,16 @@ static void b43_op_update_tkip_key(struc + if (B43_WARN_ON(!modparam_hwtkip)) + return; + +- mutex_lock(&wl->mutex); +- ++ /* This is only called from the RX path through mac80211, where ++ * our mutex is already locked. */ ++ B43_WARN_ON(!mutex_is_locked(&wl->mutex)); + dev = wl->current_dev; +- if (!dev || b43_status(dev) < B43_STAT_INITIALIZED) +- goto out_unlock; ++ B43_WARN_ON(!dev || b43_status(dev) < B43_STAT_INITIALIZED); + + keymac_write(dev, index, NULL); /* First zero out mac to avoid race */ + + rx_tkip_phase1_write(dev, index, iv32, phase1key); + keymac_write(dev, index, addr); +- +-out_unlock: +- mutex_unlock(&wl->mutex); + } + + static void do_key_write(struct b43_wldev *dev, diff --git a/queue-2.6.32/block-backport-of-various-i-o-topology-fixes-from-2.6.33-and-2.6.34.patch b/queue-2.6.32/block-backport-of-various-i-o-topology-fixes-from-2.6.33-and-2.6.34.patch new file mode 100644 index 00000000000..99bde411899 --- /dev/null +++ b/queue-2.6.32/block-backport-of-various-i-o-topology-fixes-from-2.6.33-and-2.6.34.patch @@ -0,0 +1,224 @@ +From martin.petersen@oracle.com Tue Mar 30 14:15:30 2010 +From: "Martin K. Petersen" +Date: Tue, 16 Mar 2010 20:30:01 -0400 +Subject: block: Backport of various I/O topology fixes from 2.6.33 and 2.6.34 +To: Mike Snitzer +Cc: stable@kernel.org, martin.petersen@oracle.com, jens.axboe@oracle.com +Message-ID: + +block: Backport of various I/O topology fixes from 2.6.33 and 2.6.34 + +The stacking code incorrectly scaled up the data offset in some cases +causing misaligned devices to report alignment. Rewrite the stacking +algorithm to remedy this. + +(Upstream commit 9504e0864b58b4a304820dcf3755f1da80d5e72f) + +The top device misalignment flag would not be set if the added bottom +device was already misaligned as opposed to causing a stacking failure. + +Also massage the reporting so that an error is only returned if adding +the bottom device caused the misalignment. I.e. don't return an error +if the top is already flagged as misaligned. + +(Upstream commit fe0b393f2c0a0d23a9bc9ed7dc51a1ee511098bd) + + +lcm() was defined to take integer-sized arguments. The supplied +arguments are multiplied, however, causing us to overflow given +sufficiently large input. That in turn led to incorrect optimal I/O +size reporting in some cases. Switch lcm() over to unsigned long +similar to gcd() and move the function from blk-settings.c to lib. + +Signed-off-by: Martin K. Petersen +Reviewed-by: Mike Snitzer +Signed-off-by: Greg Kroah-Hartman + +--- + block/blk-settings.c | 93 +++++++++++++++++++++++++++++++++++++-------------- + include/linux/lcm.h | 8 ++++ + lib/Makefile | 2 - + lib/lcm.c | 15 ++++++++ + 4 files changed, 92 insertions(+), 26 deletions(-) + +--- a/block/blk-settings.c ++++ b/block/blk-settings.c +@@ -8,6 +8,7 @@ + #include + #include /* for max_pfn/max_low_pfn */ + #include ++#include + + #include "blk.h" + +@@ -490,18 +491,31 @@ EXPORT_SYMBOL(blk_queue_stack_limits); + + /** + * blk_stack_limits - adjust queue_limits for stacked devices +- * @t: the stacking driver limits (top) +- * @b: the underlying queue limits (bottom) ++ * @t: the stacking driver limits (top device) ++ * @b: the underlying queue limits (bottom, component device) + * @offset: offset to beginning of data within component device + * + * Description: +- * Merges two queue_limit structs. Returns 0 if alignment didn't +- * change. Returns -1 if adding the bottom device caused +- * misalignment. ++ * This function is used by stacking drivers like MD and DM to ensure ++ * that all component devices have compatible block sizes and ++ * alignments. The stacking driver must provide a queue_limits ++ * struct (top) and then iteratively call the stacking function for ++ * all component (bottom) devices. The stacking function will ++ * attempt to combine the values and ensure proper alignment. ++ * ++ * Returns 0 if the top and bottom queue_limits are compatible. The ++ * top device's block sizes and alignment offsets may be adjusted to ++ * ensure alignment with the bottom device. If no compatible sizes ++ * and alignments exist, -1 is returned and the resulting top ++ * queue_limits will have the misaligned flag set to indicate that ++ * the alignment_offset is undefined. + */ + int blk_stack_limits(struct queue_limits *t, struct queue_limits *b, + sector_t offset) + { ++ sector_t alignment; ++ unsigned int top, bottom, ret = 0; ++ + t->max_sectors = min_not_zero(t->max_sectors, b->max_sectors); + t->max_hw_sectors = min_not_zero(t->max_hw_sectors, b->max_hw_sectors); + t->bounce_pfn = min_not_zero(t->bounce_pfn, b->bounce_pfn); +@@ -518,6 +532,26 @@ int blk_stack_limits(struct queue_limits + t->max_segment_size = min_not_zero(t->max_segment_size, + b->max_segment_size); + ++ t->misaligned |= b->misaligned; ++ ++ alignment = queue_limit_alignment_offset(b, offset); ++ ++ /* Bottom device has different alignment. Check that it is ++ * compatible with the current top alignment. ++ */ ++ if (t->alignment_offset != alignment) { ++ ++ top = max(t->physical_block_size, t->io_min) ++ + t->alignment_offset; ++ bottom = max(b->physical_block_size, b->io_min) + alignment; ++ ++ /* Verify that top and bottom intervals line up */ ++ if (max(top, bottom) & (min(top, bottom) - 1)) { ++ t->misaligned = 1; ++ ret = -1; ++ } ++ } ++ + t->logical_block_size = max(t->logical_block_size, + b->logical_block_size); + +@@ -525,37 +559,46 @@ int blk_stack_limits(struct queue_limits + b->physical_block_size); + + t->io_min = max(t->io_min, b->io_min); ++ t->io_opt = lcm(t->io_opt, b->io_opt); ++ + t->no_cluster |= b->no_cluster; + +- /* Bottom device offset aligned? */ +- if (offset && +- (offset & (b->physical_block_size - 1)) != b->alignment_offset) { ++ /* Physical block size a multiple of the logical block size? */ ++ if (t->physical_block_size & (t->logical_block_size - 1)) { ++ t->physical_block_size = t->logical_block_size; + t->misaligned = 1; +- return -1; ++ ret = -1; + } + +- /* If top has no alignment offset, inherit from bottom */ +- if (!t->alignment_offset) +- t->alignment_offset = +- b->alignment_offset & (b->physical_block_size - 1); ++ /* Minimum I/O a multiple of the physical block size? */ ++ if (t->io_min & (t->physical_block_size - 1)) { ++ t->io_min = t->physical_block_size; ++ t->misaligned = 1; ++ ret = -1; ++ } + +- /* Top device aligned on logical block boundary? */ +- if (t->alignment_offset & (t->logical_block_size - 1)) { ++ /* Optimal I/O a multiple of the physical block size? */ ++ if (t->io_opt & (t->physical_block_size - 1)) { ++ t->io_opt = 0; + t->misaligned = 1; +- return -1; ++ ret = -1; + } + +- /* Find lcm() of optimal I/O size */ +- if (t->io_opt && b->io_opt) +- t->io_opt = (t->io_opt * b->io_opt) / gcd(t->io_opt, b->io_opt); +- else if (b->io_opt) +- t->io_opt = b->io_opt; ++ /* Find lowest common alignment_offset */ ++ t->alignment_offset = lcm(t->alignment_offset, alignment) ++ & (max(t->physical_block_size, t->io_min) - 1); ++ ++ /* Verify that new alignment_offset is on a logical block boundary */ ++ if (t->alignment_offset & (t->logical_block_size - 1)) { ++ t->misaligned = 1; ++ ret = -1; ++ } + +- /* Verify that optimal I/O size is a multiple of io_min */ +- if (t->io_min && t->io_opt % t->io_min) +- return -1; ++ /* Discard */ ++ t->max_discard_sectors = min_not_zero(t->max_discard_sectors, ++ b->max_discard_sectors); + +- return 0; ++ return ret; + } + EXPORT_SYMBOL(blk_stack_limits); + +--- /dev/null ++++ b/include/linux/lcm.h +@@ -0,0 +1,8 @@ ++#ifndef _LCM_H ++#define _LCM_H ++ ++#include ++ ++unsigned long lcm(unsigned long a, unsigned long b) __attribute_const__; ++ ++#endif /* _LCM_H */ +--- a/lib/Makefile ++++ b/lib/Makefile +@@ -21,7 +21,7 @@ lib-y += kobject.o kref.o klist.o + + obj-y += bcd.o div64.o sort.o parser.o halfmd4.o debug_locks.o random32.o \ + bust_spinlocks.o hexdump.o kasprintf.o bitmap.o scatterlist.o \ +- string_helpers.o gcd.o ++ string_helpers.o gcd.o lcm.o + + ifeq ($(CONFIG_DEBUG_KOBJECT),y) + CFLAGS_kobject.o += -DDEBUG +--- /dev/null ++++ b/lib/lcm.c +@@ -0,0 +1,15 @@ ++#include ++#include ++#include ++ ++/* Lowest common multiple */ ++unsigned long lcm(unsigned long a, unsigned long b) ++{ ++ if (a && b) ++ return (a * b) / gcd(a, b); ++ else if (b) ++ return b; ++ ++ return a; ++} ++EXPORT_SYMBOL_GPL(lcm); diff --git a/queue-2.6.32/bluetooth-fix-kernel-crash-on-l2cap-stress-tests.patch b/queue-2.6.32/bluetooth-fix-kernel-crash-on-l2cap-stress-tests.patch new file mode 100644 index 00000000000..cbf99e48ee3 --- /dev/null +++ b/queue-2.6.32/bluetooth-fix-kernel-crash-on-l2cap-stress-tests.patch @@ -0,0 +1,57 @@ +From c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 Mon Sep 17 00:00:00 2001 +From: Andrei Emeltchenko +Date: Fri, 19 Mar 2010 10:26:28 +0200 +Subject: Bluetooth: Fix kernel crash on L2CAP stress tests + +From: Andrei Emeltchenko + +commit c2c77ec83bdad17fb688557b5b3fdc36661dd1c6 upstream. + +Added very simple check that req buffer has enough space to +fit configuration parameters. Shall be enough to reject packets +with configuration size more than req buffer. + +Crash trace below + +[ 6069.659393] Unable to handle kernel paging request at virtual address 02000205 +[ 6069.673034] Internal error: Oops: 805 [#1] PREEMPT +... +[ 6069.727172] PC is at l2cap_add_conf_opt+0x70/0xf0 [l2cap] +[ 6069.732604] LR is at l2cap_recv_frame+0x1350/0x2e78 [l2cap] +... +[ 6070.030303] Backtrace: +[ 6070.032806] [] (l2cap_add_conf_opt+0x0/0xf0 [l2cap]) from +[] (l2cap_recv_frame+0x1350/0x2e78 [l2cap]) +[ 6070.043823] r8:dc5d3100 r7:df2a91d6 r6:00000001 r5:df2a8000 r4:00000200 +[ 6070.050659] [] (l2cap_recv_frame+0x0/0x2e78 [l2cap]) from +[] (l2cap_recv_acldata+0x2bc/0x350 [l2cap]) +[ 6070.061798] [] (l2cap_recv_acldata+0x0/0x350 [l2cap]) from +[] (hci_rx_task+0x244/0x478 [bluetooth]) +[ 6070.072631] r6:dc647700 r5:00000001 r4:df2ab740 +[ 6070.077362] [] (hci_rx_task+0x0/0x478 [bluetooth]) from +[] (tasklet_action+0x78/0xd8) +[ 6070.087005] [] (tasklet_action+0x0/0xd8) from [] + +Signed-off-by: Andrei Emeltchenko +Acked-by: Gustavo F. Padovan +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/l2cap.c | 5 +++++ + 1 file changed, 5 insertions(+) + +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -2813,6 +2813,11 @@ static inline int l2cap_config_rsp(struc + int len = cmd->len - sizeof(*rsp); + char req[64]; + ++ if (len > sizeof(req) - sizeof(struct l2cap_conf_req)) { ++ l2cap_send_disconn_req(conn, sk); ++ goto done; ++ } ++ + /* throw out any old stored conf requests */ + result = L2CAP_CONF_SUCCESS; + len = l2cap_parse_conf_rsp(sk, rsp->data, diff --git a/queue-2.6.32/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch b/queue-2.6.32/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch new file mode 100644 index 00000000000..a2f2cb5eecf --- /dev/null +++ b/queue-2.6.32/bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch @@ -0,0 +1,142 @@ +From 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 Mon Sep 17 00:00:00 2001 +From: Marcel Holtmann +Date: Mon, 15 Mar 2010 14:12:58 -0700 +Subject: Bluetooth: Fix potential bad memory access with sysfs files + +From: Marcel Holtmann + +commit 101545f6fef4a0a3ea8daf0b5b880df2c6a92a69 upstream. + +When creating a high number of Bluetooth sockets (L2CAP, SCO +and RFCOMM) it is possible to scribble repeatedly on arbitrary +pages of memory. Ensure that the content of these sysfs files is +always less than one page. Even if this means truncating. The +files in question are scheduled to be moved over to debugfs in +the future anyway. + +Based on initial patches from Neil Brown and Linus Torvalds + +Reported-by: Neil Brown +Signed-off-by: Marcel Holtmann +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/l2cap.c | 10 +++++++++- + net/bluetooth/rfcomm/core.c | 13 ++++++++++++- + net/bluetooth/rfcomm/sock.c | 11 ++++++++++- + net/bluetooth/sco.c | 11 ++++++++++- + 4 files changed, 41 insertions(+), 4 deletions(-) + +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -3885,16 +3885,24 @@ static ssize_t l2cap_sysfs_show(struct c + struct sock *sk; + struct hlist_node *node; + char *str = buf; ++ int size = PAGE_SIZE; + + read_lock_bh(&l2cap_sk_list.lock); + + sk_for_each(sk, node, &l2cap_sk_list.head) { + struct l2cap_pinfo *pi = l2cap_pi(sk); ++ int len; + +- str += sprintf(str, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n", ++ len = snprintf(str, size, "%s %s %d %d 0x%4.4x 0x%4.4x %d %d %d\n", + batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), + sk->sk_state, __le16_to_cpu(pi->psm), pi->scid, + pi->dcid, pi->imtu, pi->omtu, pi->sec_level); ++ ++ size -= len; ++ if (size <= 0) ++ break; ++ ++ str += len; + } + + read_unlock_bh(&l2cap_sk_list.lock); +--- a/net/bluetooth/rfcomm/core.c ++++ b/net/bluetooth/rfcomm/core.c +@@ -2096,6 +2096,7 @@ static ssize_t rfcomm_dlc_sysfs_show(str + struct rfcomm_session *s; + struct list_head *pp, *p; + char *str = buf; ++ int size = PAGE_SIZE; + + rfcomm_lock(); + +@@ -2104,11 +2105,21 @@ static ssize_t rfcomm_dlc_sysfs_show(str + list_for_each(pp, &s->dlcs) { + struct sock *sk = s->sock->sk; + struct rfcomm_dlc *d = list_entry(pp, struct rfcomm_dlc, list); ++ int len; + +- str += sprintf(str, "%s %s %ld %d %d %d %d\n", ++ len = snprintf(str, size, "%s %s %ld %d %d %d %d\n", + batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), + d->state, d->dlci, d->mtu, d->rx_credits, d->tx_credits); ++ ++ size -= len; ++ if (size <= 0) ++ break; ++ ++ str += len; + } ++ ++ if (size <= 0) ++ break; + } + + rfcomm_unlock(); +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -1065,13 +1065,22 @@ static ssize_t rfcomm_sock_sysfs_show(st + struct sock *sk; + struct hlist_node *node; + char *str = buf; ++ int size = PAGE_SIZE; + + read_lock_bh(&rfcomm_sk_list.lock); + + sk_for_each(sk, node, &rfcomm_sk_list.head) { +- str += sprintf(str, "%s %s %d %d\n", ++ int len; ++ ++ len = snprintf(str, size, "%s %s %d %d\n", + batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), + sk->sk_state, rfcomm_pi(sk)->channel); ++ ++ size -= len; ++ if (size <= 0) ++ break; ++ ++ str += len; + } + + read_unlock_bh(&rfcomm_sk_list.lock); +--- a/net/bluetooth/sco.c ++++ b/net/bluetooth/sco.c +@@ -957,13 +957,22 @@ static ssize_t sco_sysfs_show(struct cla + struct sock *sk; + struct hlist_node *node; + char *str = buf; ++ int size = PAGE_SIZE; + + read_lock_bh(&sco_sk_list.lock); + + sk_for_each(sk, node, &sco_sk_list.head) { +- str += sprintf(str, "%s %s %d\n", ++ int len; ++ ++ len = snprintf(str, size, "%s %s %d\n", + batostr(&bt_sk(sk)->src), batostr(&bt_sk(sk)->dst), + sk->sk_state); ++ ++ size -= len; ++ if (size <= 0) ++ break; ++ ++ str += len; + } + + read_unlock_bh(&sco_sk_list.lock); diff --git a/queue-2.6.32/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch b/queue-2.6.32/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch new file mode 100644 index 00000000000..e2c6b64f572 --- /dev/null +++ b/queue-2.6.32/gfs2-skip-check-for-mandatory-locks-when-unlocking.patch @@ -0,0 +1,32 @@ +From 720e7749279bde0d08684b1bb4e7a2eedeec6394 Mon Sep 17 00:00:00 2001 +From: Sachin Prabhu +Date: Thu, 11 Mar 2010 12:24:45 -0500 +Subject: GFS2: Skip check for mandatory locks when unlocking + +From: Sachin Prabhu + +commit 720e7749279bde0d08684b1bb4e7a2eedeec6394 upstream. + +gfs2_lock() will skip locks on file which have mode set to 02666. This is a problem in cases where the mode of the file is changed after a process has obtained a lock on the file. Such a lock will be skipped and will result in a BUG in locks_remove_flock(). + +gfs2_lock() should skip the check for mandatory locks when unlocking a file. + +Signed-off-by: Sachin Prabhu +Signed-off-by: Steven Whitehouse +Signed-off-by: Greg Kroah-Hartman + +--- + fs/gfs2/file.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/gfs2/file.c ++++ b/fs/gfs2/file.c +@@ -606,7 +606,7 @@ static int gfs2_lock(struct file *file, + + if (!(fl->fl_flags & FL_POSIX)) + return -ENOLCK; +- if (__mandatory_lock(&ip->i_inode)) ++ if (__mandatory_lock(&ip->i_inode) && fl->fl_type != F_UNLCK) + return -ENOLCK; + + if (cmd == F_CANCELLK) { diff --git a/queue-2.6.32/quota-fix-warning-when-a-delayed-write-happens-before-quota-is-enabled.patch b/queue-2.6.32/quota-fix-warning-when-a-delayed-write-happens-before-quota-is-enabled.patch new file mode 100644 index 00000000000..c2d15a0565d --- /dev/null +++ b/queue-2.6.32/quota-fix-warning-when-a-delayed-write-happens-before-quota-is-enabled.patch @@ -0,0 +1,126 @@ +From 0a5a9c725512461d19397490f3adf29931dca1f2 Mon Sep 17 00:00:00 2001 +From: Jan Kara +Date: Tue, 9 Feb 2010 18:20:39 +0100 +Subject: quota: Fix warning when a delayed write happens before quota is enabled + +From: Jan Kara + +commit 0a5a9c725512461d19397490f3adf29931dca1f2 upstream. + +If a delayed-allocation write happens before quota is enabled, the +kernel spits out a warning: +WARNING: at fs/quota/dquot.c:988 dquot_claim_space+0x77/0x112() + +because the fact that user has some delayed allocation is not recorded +in quota structure. + +Make dquot_initialize() update amount of reserved space for user if it sees +inode has some space reserved. Also make sure that reserved quota space does +not go negative and we warn about the filesystem bug just once. + +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 35 +++++++++++++++++++++++++++++++---- + 1 file changed, 31 insertions(+), 4 deletions(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -229,6 +229,8 @@ static struct hlist_head *dquot_hash; + struct dqstats dqstats; + EXPORT_SYMBOL(dqstats); + ++static qsize_t inode_get_rsv_space(struct inode *inode); ++ + static inline unsigned int + hashfn(const struct super_block *sb, unsigned int id, int type) + { +@@ -820,11 +822,14 @@ static int dqinit_needed(struct inode *i + static void add_dquot_ref(struct super_block *sb, int type) + { + struct inode *inode, *old_inode = NULL; ++ int reserved = 0; + + spin_lock(&inode_lock); + list_for_each_entry(inode, &sb->s_inodes, i_sb_list) { + if (inode->i_state & (I_FREEING|I_CLEAR|I_WILL_FREE|I_NEW)) + continue; ++ if (unlikely(inode_get_rsv_space(inode) > 0)) ++ reserved = 1; + if (!atomic_read(&inode->i_writecount)) + continue; + if (!dqinit_needed(inode, type)) +@@ -845,6 +850,12 @@ static void add_dquot_ref(struct super_b + } + spin_unlock(&inode_lock); + iput(old_inode); ++ ++ if (reserved) { ++ printk(KERN_WARNING "VFS (%s): Writes happened before quota" ++ " was turned on thus quota information is probably " ++ "inconsistent. Please run quotacheck(8).\n", sb->s_id); ++ } + } + + /* +@@ -958,10 +969,12 @@ static inline void dquot_resv_space(stru + /* + * Claim reserved quota space + */ +-static void dquot_claim_reserved_space(struct dquot *dquot, +- qsize_t number) ++static void dquot_claim_reserved_space(struct dquot *dquot, qsize_t number) + { +- WARN_ON(dquot->dq_dqb.dqb_rsvspace < number); ++ if (dquot->dq_dqb.dqb_rsvspace < number) { ++ WARN_ON_ONCE(1); ++ number = dquot->dq_dqb.dqb_rsvspace; ++ } + dquot->dq_dqb.dqb_curspace += number; + dquot->dq_dqb.dqb_rsvspace -= number; + } +@@ -969,7 +982,12 @@ static void dquot_claim_reserved_space(s + static inline + void dquot_free_reserved_space(struct dquot *dquot, qsize_t number) + { +- dquot->dq_dqb.dqb_rsvspace -= number; ++ if (dquot->dq_dqb.dqb_rsvspace >= number) ++ dquot->dq_dqb.dqb_rsvspace -= number; ++ else { ++ WARN_ON_ONCE(1); ++ dquot->dq_dqb.dqb_rsvspace = 0; ++ } + } + + static void dquot_decr_inodes(struct dquot *dquot, qsize_t number) +@@ -1287,6 +1305,7 @@ static int info_bdq_free(struct dquot *d + return QUOTA_NL_BHARDBELOW; + return QUOTA_NL_NOWARN; + } ++ + /* + * Initialize quota pointers in inode + * We do things in a bit complicated way but by that we avoid calling +@@ -1298,6 +1317,7 @@ int dquot_initialize(struct inode *inode + int cnt, ret = 0; + struct dquot *got[MAXQUOTAS] = { NULL, NULL }; + struct super_block *sb = inode->i_sb; ++ qsize_t rsv; + + /* First test before acquiring mutex - solves deadlocks when we + * re-enter the quota code and are already holding the mutex */ +@@ -1332,6 +1352,13 @@ int dquot_initialize(struct inode *inode + if (!inode->i_dquot[cnt]) { + inode->i_dquot[cnt] = got[cnt]; + got[cnt] = NULL; ++ /* ++ * Make quota reservation system happy if someone ++ * did a write before quota was turned on ++ */ ++ rsv = inode_get_rsv_space(inode); ++ if (unlikely(rsv)) ++ dquot_resv_space(inode->i_dquot[cnt], rsv); + } + } + out_err: diff --git a/queue-2.6.32/quota-manage-reserved-space-when-quota-is-not-active.patch b/queue-2.6.32/quota-manage-reserved-space-when-quota-is-not-active.patch new file mode 100644 index 00000000000..0c67203ba40 --- /dev/null +++ b/queue-2.6.32/quota-manage-reserved-space-when-quota-is-not-active.patch @@ -0,0 +1,121 @@ +From c469070aea5a0ada45a836937c776fd3083dae2b Mon Sep 17 00:00:00 2001 +From: Dmitry Monakhov +Date: Tue, 9 Feb 2010 17:53:36 +0100 +Subject: quota: manage reserved space when quota is not active [v2] + +From: Dmitry Monakhov + +commit c469070aea5a0ada45a836937c776fd3083dae2b upstream. + +Since we implemented generic reserved space management interface, +then it is possible to account reserved space even when quota +is not active (similar to i_blocks/i_bytes). + +Without this patch following testcase result in massive comlain from +WARN_ON in dquot_claim_space() + +TEST_CASE: +mount /dev/sdb /mnt -oquota +dd if=/dev/zero of=/mnt/test bs=1M count=1 +quotaon /mnt +# fs_reserved_spave == 1Mb +# quota_reserved_space == 0, because quota was disabled +dd if=/dev/zero of=/mnt/test seek=1 bs=1M count=1 +# fs_reserved_spave == 2Mb +# quota_reserved_space == 1Mb +sync # ->dquot_claim_space() -> WARN_ON + +Signed-off-by: Dmitry Monakhov +Signed-off-by: Jan Kara +Signed-off-by: Greg Kroah-Hartman + +--- + fs/quota/dquot.c | 10 ++++++---- + include/linux/quotaops.h | 11 +++++++++-- + 2 files changed, 15 insertions(+), 6 deletions(-) + +--- a/fs/quota/dquot.c ++++ b/fs/quota/dquot.c +@@ -1399,28 +1399,30 @@ static qsize_t *inode_reserved_space(str + return inode->i_sb->dq_op->get_reserved_space(inode); + } + +-static void inode_add_rsv_space(struct inode *inode, qsize_t number) ++void inode_add_rsv_space(struct inode *inode, qsize_t number) + { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) += number; + spin_unlock(&inode->i_lock); + } ++EXPORT_SYMBOL(inode_add_rsv_space); + +- +-static void inode_claim_rsv_space(struct inode *inode, qsize_t number) ++void inode_claim_rsv_space(struct inode *inode, qsize_t number) + { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; + __inode_add_bytes(inode, number); + spin_unlock(&inode->i_lock); + } ++EXPORT_SYMBOL(inode_claim_rsv_space); + +-static void inode_sub_rsv_space(struct inode *inode, qsize_t number) ++void inode_sub_rsv_space(struct inode *inode, qsize_t number) + { + spin_lock(&inode->i_lock); + *inode_reserved_space(inode) -= number; + spin_unlock(&inode->i_lock); + } ++EXPORT_SYMBOL(inode_sub_rsv_space); + + static qsize_t inode_get_rsv_space(struct inode *inode) + { +--- a/include/linux/quotaops.h ++++ b/include/linux/quotaops.h +@@ -26,6 +26,10 @@ static inline void writeout_quota_sb(str + sb->s_qcop->quota_sync(sb, type); + } + ++void inode_add_rsv_space(struct inode *inode, qsize_t number); ++void inode_claim_rsv_space(struct inode *inode, qsize_t number); ++void inode_sub_rsv_space(struct inode *inode, qsize_t number); ++ + int dquot_initialize(struct inode *inode, int type); + int dquot_drop(struct inode *inode); + struct dquot *dqget(struct super_block *sb, unsigned int id, int type); +@@ -42,7 +46,6 @@ int dquot_alloc_inode(const struct inode + int dquot_reserve_space(struct inode *inode, qsize_t number, int prealloc); + int dquot_claim_space(struct inode *inode, qsize_t number); + void dquot_release_reserved_space(struct inode *inode, qsize_t number); +-qsize_t dquot_get_reserved_space(struct inode *inode); + + int dquot_free_space(struct inode *inode, qsize_t number); + int dquot_free_inode(const struct inode *inode, qsize_t number); +@@ -199,6 +202,8 @@ static inline int vfs_dq_reserve_space(s + if (inode->i_sb->dq_op->reserve_space(inode, nr, 0) == NO_QUOTA) + return 1; + } ++ else ++ inode_add_rsv_space(inode, nr); + return 0; + } + +@@ -221,7 +226,7 @@ static inline int vfs_dq_claim_space(str + if (inode->i_sb->dq_op->claim_space(inode, nr) == NO_QUOTA) + return 1; + } else +- inode_add_bytes(inode, nr); ++ inode_claim_rsv_space(inode, nr); + + mark_inode_dirty(inode); + return 0; +@@ -235,6 +240,8 @@ void vfs_dq_release_reservation_space(st + { + if (sb_any_quota_active(inode->i_sb)) + inode->i_sb->dq_op->release_rsv(inode, nr); ++ else ++ inode_sub_rsv_space(inode, nr); + } + + static inline void vfs_dq_free_space_nodirty(struct inode *inode, qsize_t nr) diff --git a/queue-2.6.32/s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch b/queue-2.6.32/s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch new file mode 100644 index 00000000000..2a4f1f5cdd3 --- /dev/null +++ b/queue-2.6.32/s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch @@ -0,0 +1,38 @@ +From e1dcbab5755d0ffa32f8f6cbeb562c769872bd7c Mon Sep 17 00:00:00 2001 +From: Lars-Peter Clausen +Date: Fri, 5 Mar 2010 13:43:35 -0800 +Subject: s3cmci: initialize default platform data no_wprotect and no_detect with 1 + +commit c212808a1ba6bfba489006399b8152a047305acf upstream. + +If no platform_data was givin to the device it's going to use it's default +platform data struct which has all fields initialized to zero. As a +result the driver is going to try to request gpio0 both as write protect +and card detect pin. Which of course will fail and makes the driver +unusable + +Previously to the introduction of no_wprotect and no_detect the behavior +was to assume that if no platform data was given there is no write protect +or card detect pin. This patch restores that behavior. + +Signed-off-by: Lars-Peter Clausen +Cc: Ben Dooks +Cc: +Signed-off-by: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman +--- + drivers/mmc/host/s3cmci.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/mmc/host/s3cmci.c ++++ b/drivers/mmc/host/s3cmci.c +@@ -1361,6 +1361,8 @@ static struct mmc_host_ops s3cmci_ops = + static struct s3c24xx_mci_pdata s3cmci_def_pdata = { + /* This is currently here to avoid a number of if (host->pdata) + * checks. Any zero fields to ensure reaonable defaults are picked. */ ++ .no_wprotect = 1, ++ .no_detect = 1, + }; + + #ifdef CONFIG_CPU_FREQ diff --git a/queue-2.6.32/series b/queue-2.6.32/series index a584517e693..40d66d70666 100644 --- a/queue-2.6.32/series +++ b/queue-2.6.32/series @@ -103,3 +103,14 @@ mac80211-retry-null-data-frame-for-power-save.patch ath9k-enable-ieee80211_hw_reports_tx_ack_status-flag-for-ath9k.patch mac80211-reset-dynamic-ps-timer-in-rx-path.patch leds-gpio-fix-default-state-handling-on-of-platforms.patch +quota-manage-reserved-space-when-quota-is-not-active.patch +quota-fix-warning-when-a-delayed-write-happens-before-quota-is-enabled.patch +ahci-use-bios-date-in-broken_suspend-list.patch +bluetooth-fix-potential-bad-memory-access-with-sysfs-files.patch +bluetooth-fix-kernel-crash-on-l2cap-stress-tests.patch +sh-fix-zimage-boot-using-fixed-pmb.patch +b43-workaround-circular-locking-in-hw-tkip-key-update-callback.patch +block-backport-of-various-i-o-topology-fixes-from-2.6.33-and-2.6.34.patch +s3cmci-initialize-default-platform-data-no_wprotect-and-no_detect-with-1.patch +x86-fix-sched_clock_cpu-for-systems-with-unsynchronized-tsc.patch +gfs2-skip-check-for-mandatory-locks-when-unlocking.patch diff --git a/queue-2.6.32/sh-fix-zimage-boot-using-fixed-pmb.patch b/queue-2.6.32/sh-fix-zimage-boot-using-fixed-pmb.patch new file mode 100644 index 00000000000..804ff103c40 --- /dev/null +++ b/queue-2.6.32/sh-fix-zimage-boot-using-fixed-pmb.patch @@ -0,0 +1,27 @@ +From bf917b0f87eac066566345a845b8dc41c3daae71 Mon Sep 17 00:00:00 2001 +From: Nobuhiro Iwamatsu +Date: Sat, 20 Mar 2010 16:42:54 +0900 +Subject: [PATCH] sh: Fix zImage boot using fixed PMB. + +commit 319c2cc761505ee54a9536c5d0b9c2ee3fb33866 upstream. + +Signed-off-by: Nobuhiro Iwamatsu +Signed-off-by: Yoshihiro Shimoda +Signed-off-by: Paul Mundt +Signed-off-by: Greg Kroah-Hartman + +--- + arch/sh/boot/compressed/misc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/sh/boot/compressed/misc.c ++++ b/arch/sh/boot/compressed/misc.c +@@ -132,7 +132,7 @@ void decompress_kernel(void) + output_addr = (CONFIG_MEMORY_START + 0x2000); + #else + output_addr = PHYSADDR((unsigned long)&_text+PAGE_SIZE); +-#ifdef CONFIG_29BIT ++#if defined(CONFIG_29BIT) || defined(CONFIG_PMB_FIXED) + output_addr |= P2SEG; + #endif + #endif diff --git a/queue-2.6.32/x86-fix-sched_clock_cpu-for-systems-with-unsynchronized-tsc.patch b/queue-2.6.32/x86-fix-sched_clock_cpu-for-systems-with-unsynchronized-tsc.patch new file mode 100644 index 00000000000..85caece0ea4 --- /dev/null +++ b/queue-2.6.32/x86-fix-sched_clock_cpu-for-systems-with-unsynchronized-tsc.patch @@ -0,0 +1,46 @@ +From 14be1f7454ea96ee614467a49cf018a1a383b189 Mon Sep 17 00:00:00 2001 +From: Dimitri Sivanich +Date: Mon, 1 Mar 2010 11:48:15 -0600 +Subject: x86: Fix sched_clock_cpu for systems with unsynchronized TSC + +From: Dimitri Sivanich + +commit 14be1f7454ea96ee614467a49cf018a1a383b189 upstream. + +On UV systems, the TSC is not synchronized across blades. The +sched_clock_cpu() function is returning values that can go +backwards (I've seen as much as 8 seconds) when switching +between cpus. + +As each cpu comes up, early_init_intel() will currently set the +sched_clock_stable flag true. When mark_tsc_unstable() runs, it +clears the flag, but this only occurs once (the first time a cpu +comes up whose TSC is not synchronized with cpu 0). After this, +early_init_intel() will set the flag again as the next cpu comes +up. + +Only set sched_clock_stable if tsc has not been marked unstable. + +Signed-off-by: Dimitri Sivanich +Acked-by: Venkatesh Pallipadi +Acked-by: Peter Zijlstra +LKML-Reference: <20100301174815.GC8224@sgi.com> +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/intel.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/intel.c ++++ b/arch/x86/kernel/cpu/intel.c +@@ -70,7 +70,8 @@ static void __cpuinit early_init_intel(s + if (c->x86_power & (1 << 8)) { + set_cpu_cap(c, X86_FEATURE_CONSTANT_TSC); + set_cpu_cap(c, X86_FEATURE_NONSTOP_TSC); +- sched_clock_stable = 1; ++ if (!check_tsc_unstable()) ++ sched_clock_stable = 1; + } + + /*