From: Greg Kroah-Hartman Date: Tue, 3 Feb 2009 00:07:27 +0000 (-0800) Subject: .28 patches X-Git-Tag: v2.6.28.3~6 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=10a3ef200de9d936643bf5f296ce028bfc8999ab;p=thirdparty%2Fkernel%2Fstable-queue.git .28 patches --- diff --git a/queue-2.6.28/cifs-make-sure-we-allocate-enough-storage-for-socket-address.patch b/queue-2.6.28/cifs-make-sure-we-allocate-enough-storage-for-socket-address.patch new file mode 100644 index 00000000000..79332fdb84a --- /dev/null +++ b/queue-2.6.28/cifs-make-sure-we-allocate-enough-storage-for-socket-address.patch @@ -0,0 +1,101 @@ +From jlayton@redhat.com Mon Feb 2 15:10:37 2009 +From: Jeff Layton +Date: Thu, 22 Jan 2009 10:35:13 -0500 +Subject: cifs: make sure we allocate enough storage for socket address +To: stable@kernel.org +Message-ID: <1232638513-9022-1-git-send-email-jlayton@redhat.com> + +From: Jeff Layton + +commit a9ac49d303f967be0dabd97cb722c4a13109c6c2 upstream. + +cifs_mount declares a struct sockaddr on the stack and then casts it +to the proper address type. The storage allocated is fine for ipv4, +but is too small for ipv6 addresses. Declare it as +"struct sockaddr_storage" instead of struct sockaddr". + +This bug was manifesting itself as oopses and address corruption when +mounting IPv6 addresses. + +Signed-off-by: Jeff Layton +Tested-by: Stefan Bader +Signed-off-by: Steve French +Signed-off-by: Greg Kroah-Hartman + +--- + fs/cifs/connect.c | 18 +++++++++--------- + 1 file changed, 9 insertions(+), 9 deletions(-) + +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1356,7 +1356,7 @@ cifs_parse_mount_options(char *options, + } + + static struct TCP_Server_Info * +-cifs_find_tcp_session(struct sockaddr *addr) ++cifs_find_tcp_session(struct sockaddr_storage *addr) + { + struct list_head *tmp; + struct TCP_Server_Info *server; +@@ -1376,11 +1376,11 @@ cifs_find_tcp_session(struct sockaddr *a + if (server->tcpStatus == CifsNew) + continue; + +- if (addr->sa_family == AF_INET && ++ if (addr->ss_family == AF_INET && + (addr4->sin_addr.s_addr != + server->addr.sockAddr.sin_addr.s_addr)) + continue; +- else if (addr->sa_family == AF_INET6 && ++ else if (addr->ss_family == AF_INET6 && + memcmp(&server->addr.sockAddr6.sin6_addr, + &addr6->sin6_addr, sizeof(addr6->sin6_addr))) + continue; +@@ -2036,7 +2036,7 @@ cifs_mount(struct super_block *sb, struc + int rc = 0; + int xid; + struct socket *csocket = NULL; +- struct sockaddr addr; ++ struct sockaddr_storage addr; + struct sockaddr_in *sin_server = (struct sockaddr_in *) &addr; + struct sockaddr_in6 *sin_server6 = (struct sockaddr_in6 *) &addr; + struct smb_vol volume_info; +@@ -2048,7 +2048,7 @@ cifs_mount(struct super_block *sb, struc + + /* cFYI(1, ("Entering cifs_mount. Xid: %d with: %s", xid, mount_data)); */ + +- memset(&addr, 0, sizeof(struct sockaddr)); ++ memset(&addr, 0, sizeof(struct sockaddr_storage)); + memset(&volume_info, 0, sizeof(struct smb_vol)); + if (cifs_parse_mount_options(mount_data, devname, &volume_info)) { + rc = -EINVAL; +@@ -2078,9 +2078,9 @@ cifs_mount(struct super_block *sb, struc + rc = cifs_inet_pton(AF_INET6, volume_info.UNCip, + &sin_server6->sin6_addr.in6_u); + if (rc > 0) +- addr.sa_family = AF_INET6; ++ addr.ss_family = AF_INET6; + } else { +- addr.sa_family = AF_INET; ++ addr.ss_family = AF_INET; + } + + if (rc <= 0) { +@@ -2122,7 +2122,7 @@ cifs_mount(struct super_block *sb, struc + + srvTcp = cifs_find_tcp_session(&addr); + if (!srvTcp) { /* create socket */ +- if (addr.sa_family == AF_INET6) { ++ if (addr.ss_family == AF_INET6) { + cFYI(1, ("attempting ipv6 connect")); + /* BB should we allow ipv6 on port 139? */ + /* other OS never observed in Wild doing 139 with v6 */ +@@ -2153,7 +2153,7 @@ cifs_mount(struct super_block *sb, struc + } else { + srvTcp->noblocksnd = volume_info.noblocksnd; + srvTcp->noautotune = volume_info.noautotune; +- if (addr.sa_family == AF_INET6) ++ if (addr.ss_family == AF_INET6) + memcpy(&srvTcp->addr.sockAddr6, sin_server6, + sizeof(struct sockaddr_in6)); + else diff --git a/queue-2.6.28/m68knommu-set-no_dma.patch b/queue-2.6.28/m68knommu-set-no_dma.patch new file mode 100644 index 00000000000..c0c36389584 --- /dev/null +++ b/queue-2.6.28/m68knommu-set-no_dma.patch @@ -0,0 +1,57 @@ +From e0212e72186e855027dd35b37e9d7a99a078448c Mon Sep 17 00:00:00 2001 +From: Adrian Bunk +Date: Wed, 29 Oct 2008 12:15:47 +0200 +Subject: m68knommu: set NO_DMA + +From: Adrian Bunk + +commit e0212e72186e855027dd35b37e9d7a99a078448c upstream. + +m68knommu does not set the Kconfig NO_DMA variable, but also does +not provide the required functions, resulting in the following +build error triggered by commit a40c24a13366e324bc0ff8c3bb107db89312c984 +(net: Add SKB DMA mapping helper functions.): + +<-- snip --> + +.. + LD vmlinux +net/built-in.o: In function `skb_dma_unmap': +(.text+0xac5e): undefined reference to `dma_unmap_single' +net/built-in.o: In function `skb_dma_unmap': +(.text+0xac7a): undefined reference to `dma_unmap_page' +net/built-in.o: In function `skb_dma_map': +(.text+0xacdc): undefined reference to `dma_map_single' +net/built-in.o: In function `skb_dma_map': +(.text+0xace8): undefined reference to `dma_mapping_error' +net/built-in.o: In function `skb_dma_map': +(.text+0xad10): undefined reference to `dma_map_page' +net/built-in.o: In function `skb_dma_map': +(.text+0xad82): undefined reference to `dma_unmap_page' +net/built-in.o: In function `skb_dma_map': +(.text+0xadc6): undefined reference to `dma_unmap_single' +make[1]: *** [vmlinux] Error 1 + +<-- snip --> + +Signed-off-by: Adrian Bunk +Signed-off-by: Greg Ungerer +Signed-off-by: Greg Kroah-Hartman + +--- + arch/m68knommu/Kconfig | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/arch/m68knommu/Kconfig ++++ b/arch/m68knommu/Kconfig +@@ -14,6 +14,10 @@ config MMU + bool + default n + ++config NO_DMA ++ bool ++ default y ++ + config FPU + bool + default n diff --git a/queue-2.6.28/manually-revert-mlock-downgrade-mmap-sem-while-populating-mlocked-regions.patch b/queue-2.6.28/manually-revert-mlock-downgrade-mmap-sem-while-populating-mlocked-regions.patch new file mode 100644 index 00000000000..d167ecc4aa9 --- /dev/null +++ b/queue-2.6.28/manually-revert-mlock-downgrade-mmap-sem-while-populating-mlocked-regions.patch @@ -0,0 +1,137 @@ +From 27421e211a39784694b597dbf35848b88363c248 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds +Date: Sun, 1 Feb 2009 11:00:16 -0800 +Subject: Manually revert "mlock: downgrade mmap sem while populating mlocked regions" + +From: Linus Torvalds + +commit 27421e211a39784694b597dbf35848b88363c248 upstream. + +This essentially reverts commit 8edb08caf68184fb170f4f69c7445929e199eaea. + +It downgraded our mmap semaphore to a read-lock while mlocking pages, in +order to allow other threads (and external accesses like "ps" et al) to +walk the vma lists and take page faults etc. Which is a nice idea, but +the implementation does not work. + +Because we cannot upgrade the lock back to a write lock without +releasing the mmap semaphore, the code had to release the lock entirely +and then re-take it as a writelock. However, that meant that the caller +possibly lost the vma chain that it was following, since now another +thread could come in and mmap/munmap the range. + +The code tried to work around that by just looking up the vma again and +erroring out if that happened, but quite frankly, that was just a buggy +hack that doesn't actually protect against anything (the other thread +could just have replaced the vma with another one instead of totally +unmapping it). + +The only way to downgrade to a read map _reliably_ is to do it at the +end, which is likely the right thing to do: do all the 'vma' operations +with the write-lock held, then downgrade to a read after completing them +all, and then do the "populate the newly mlocked regions" while holding +just the read lock. And then just drop the read-lock and return to user +space. + +The (perhaps somewhat simpler) alternative is to just make all the +callers of mlock_vma_pages_range() know that the mmap lock got dropped, +and just re-grab the mmap semaphore if it needs to mlock more than one +vma region. + +So we can do this "downgrade mmap sem while populating mlocked regions" +thing right, but the way it was done here was absolutely not correct. +Thus the revert, in the expectation that we will do it all correctly +some day. + +Cc: Lee Schermerhorn +Cc: Rik van Riel +Cc: Andrew Morton +Signed-off-by: Linus Torvalds +Signed-off-by: Greg Kroah-Hartman + +--- + mm/mlock.c | 47 ++--------------------------------------------- + 1 file changed, 2 insertions(+), 45 deletions(-) + +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -293,14 +293,10 @@ static inline int __mlock_posix_error_re + * + * return number of pages [> 0] to be removed from locked_vm on success + * of "special" vmas. +- * +- * return negative error if vma spanning @start-@range disappears while +- * mmap semaphore is dropped. Unlikely? + */ + long mlock_vma_pages_range(struct vm_area_struct *vma, + unsigned long start, unsigned long end) + { +- struct mm_struct *mm = vma->vm_mm; + int nr_pages = (end - start) / PAGE_SIZE; + BUG_ON(!(vma->vm_flags & VM_LOCKED)); + +@@ -313,20 +309,8 @@ long mlock_vma_pages_range(struct vm_are + if (!((vma->vm_flags & (VM_DONTEXPAND | VM_RESERVED)) || + is_vm_hugetlb_page(vma) || + vma == get_gate_vma(current))) { +- long error; +- downgrade_write(&mm->mmap_sem); +- +- error = __mlock_vma_pages_range(vma, start, end, 1); + +- up_read(&mm->mmap_sem); +- /* vma can change or disappear */ +- down_write(&mm->mmap_sem); +- vma = find_vma(mm, start); +- /* non-NULL vma must contain @start, but need to check @end */ +- if (!vma || end > vma->vm_end) +- return -ENOMEM; +- +- return 0; /* hide other errors from mmap(), et al */ ++ return __mlock_vma_pages_range(vma, start, end, 1); + } + + /* +@@ -437,41 +421,14 @@ success: + vma->vm_flags = newflags; + + if (lock) { +- /* +- * mmap_sem is currently held for write. Downgrade the write +- * lock to a read lock so that other faults, mmap scans, ... +- * while we fault in all pages. +- */ +- downgrade_write(&mm->mmap_sem); +- + ret = __mlock_vma_pages_range(vma, start, end, 1); + +- /* +- * Need to reacquire mmap sem in write mode, as our callers +- * expect this. We have no support for atomically upgrading +- * a sem to write, so we need to check for ranges while sem +- * is unlocked. +- */ +- up_read(&mm->mmap_sem); +- /* vma can change or disappear */ +- down_write(&mm->mmap_sem); +- *prev = find_vma(mm, start); +- /* non-NULL *prev must contain @start, but need to check @end */ +- if (!(*prev) || end > (*prev)->vm_end) +- ret = -ENOMEM; +- else if (ret > 0) { ++ if (ret > 0) { + mm->locked_vm -= ret; + ret = 0; + } else + ret = __mlock_posix_error_return(ret); /* translate if needed */ + } else { +- /* +- * TODO: for unlocking, pages will already be resident, so +- * we don't need to wait for allocations/reclaim/pagein, ... +- * However, unlocking a very large region can still take a +- * while. Should we downgrade the semaphore for both lock +- * AND unlock ? +- */ + __mlock_vma_pages_range(vma, start, end, 0); + } + diff --git a/queue-2.6.28/netfilter-ctnetlink-fix-scheduling-while-atomic.patch b/queue-2.6.28/netfilter-ctnetlink-fix-scheduling-while-atomic.patch new file mode 100644 index 00000000000..6938a297356 --- /dev/null +++ b/queue-2.6.28/netfilter-ctnetlink-fix-scheduling-while-atomic.patch @@ -0,0 +1,39 @@ +From 748085fcbedbf7b0f38d95e178265d7b13360b44 Mon Sep 17 00:00:00 2001 +From: Patrick McHardy +Date: Wed, 21 Jan 2009 12:19:49 -0800 +Subject: netfilter: ctnetlink: fix scheduling while atomic + +From: Patrick McHardy + +commit 748085fcbedbf7b0f38d95e178265d7b13360b44 upstream. + +Caused by call to request_module() while holding nf_conntrack_lock. + +Reported-and-tested-by: Kövesdi György +Signed-off-by: Patrick McHardy +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/netfilter/nf_conntrack_netlink.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/net/netfilter/nf_conntrack_netlink.c ++++ b/net/netfilter/nf_conntrack_netlink.c +@@ -825,13 +825,16 @@ ctnetlink_parse_nat_setup(struct nf_conn + if (!parse_nat_setup) { + #ifdef CONFIG_MODULES + rcu_read_unlock(); ++ spin_unlock_bh(&nf_conntrack_lock); + nfnl_unlock(); + if (request_module("nf-nat-ipv4") < 0) { + nfnl_lock(); ++ spin_lock_bh(&nf_conntrack_lock); + rcu_read_lock(); + return -EOPNOTSUPP; + } + nfnl_lock(); ++ spin_lock_bh(&nf_conntrack_lock); + rcu_read_lock(); + if (nfnetlink_parse_nat_setup_hook) + return -EAGAIN; diff --git a/queue-2.6.28/orinoco-move-kmalloc-outside-spinlock-in-orinoco_ioctl_set_genie.patch b/queue-2.6.28/orinoco-move-kmalloc-outside-spinlock-in-orinoco_ioctl_set_genie.patch new file mode 100644 index 00000000000..bb9b53e51c8 --- /dev/null +++ b/queue-2.6.28/orinoco-move-kmalloc-outside-spinlock-in-orinoco_ioctl_set_genie.patch @@ -0,0 +1,119 @@ +From arvidjaar@mail.ru Mon Feb 2 15:34:51 2009 +From: Andrey Borzenkov +Date: Thu, 29 Jan 2009 20:39:32 +0300 +Subject: orinoco: move kmalloc(..., GFP_KERNEL) outside spinlock in orinoco_ioctl_set_genie +To: Greg KH +Cc: "John W. Linville" , stable@kernel.org +Message-ID: <200901292039.51554.arvidjaar@mail.ru> + + +From: Andrey Borzenkov + +commit 7fe99c4e28ab54eada8aa456b417114e6ef21587 upstream + +orinoco: move kmalloc(..., GFP_KERNEL) outside spinlock in orinoco_ioctl_set_genie + +[ 56.923623] BUG: sleeping function called from invalid context at /home/bor/src/linux-git/mm/slub.c:1599 +[ 56.923644] in_atomic(): 0, irqs_disabled(): 1, pid: 3031, name: wpa_supplicant +[ 56.923656] 2 locks held by wpa_supplicant/3031: +[ 56.923662] #0: (rtnl_mutex){--..}, at: [] rtnl_lock+0xf/0x20 +[ 56.923703] #1: (&priv->lock){++..}, at: [] orinoco_ioctl_set_genie+0x52/0x130 [orinoco] +[ 56.923782] irq event stamp: 910 +[ 56.923788] hardirqs last enabled at (909): [] __kmalloc+0x7b/0x140 +[ 56.923820] hardirqs last disabled at (910): [] _spin_lock_irqsave+0x19/0x80 +[ 56.923847] softirqs last enabled at (880): [] __do_softirq+0xc4/0x110 +[ 56.923865] softirqs last disabled at (871): [] do_softirq+0x8e/0xe0 +[ 56.923895] Pid: 3031, comm: wpa_supplicant Not tainted 2.6.29-rc2-1avb #1 +[ 56.923905] Call Trace: +[ 56.923919] [] ? do_softirq+0x8e/0xe0 +[ 56.923941] [] __might_sleep+0xd2/0x100 +[ 56.923952] [] __kmalloc+0xd7/0x140 +[ 56.923963] [] ? _spin_lock_irqsave+0x6a/0x80 +[ 56.923981] [] ? orinoco_ioctl_set_genie+0x79/0x130 [orinoco] +[ 56.923999] [] ? orinoco_ioctl_set_genie+0x52/0x130 [orinoco] +[ 56.924017] [] orinoco_ioctl_set_genie+0x79/0x130 [orinoco] +[ 56.924036] [] ? copy_from_user+0x35/0x130 +[ 56.924061] [] ioctl_standard_call+0x196/0x380 +[ 56.924085] [] ? __dev_get_by_name+0x85/0xb0 +[ 56.924096] [] wext_handle_ioctl+0x14f/0x230 +[ 56.924113] [] ? orinoco_ioctl_set_genie+0x0/0x130 [orinoco] +[ 56.924132] [] dev_ioctl+0x495/0x570 +[ 56.924155] [] ? sys_sendto+0xa5/0xd0 +[ 56.924171] [] ? mark_held_locks+0x48/0x90 +[ 56.924183] [] ? sock_ioctl+0x0/0x280 +[ 56.924193] [] sock_ioctl+0xfd/0x280 +[ 56.924203] [] ? sock_ioctl+0x0/0x280 +[ 56.924235] [] vfs_ioctl+0x20/0x80 +[ 56.924246] [] do_vfs_ioctl+0x72/0x570 +[ 56.924257] [] ? sys_send+0x32/0x40 +[ 56.924268] [] ? sys_socketcall+0x1d0/0x2a0 +[ 56.924280] [] ? sysenter_exit+0xf/0x16 +[ 56.924292] [] sys_ioctl+0x39/0x70 +[ 56.924302] [] sysenter_do_call+0x12/0x31 + +Signed-off-by: Andrey Borzenkov +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/orinoco.c | 30 +++++++++++++----------------- + 1 file changed, 13 insertions(+), 17 deletions(-) + +--- a/drivers/net/wireless/orinoco.c ++++ b/drivers/net/wireless/orinoco.c +@@ -4938,32 +4938,29 @@ static int orinoco_ioctl_set_genie(struc + struct orinoco_private *priv = netdev_priv(dev); + u8 *buf; + unsigned long flags; +- int err = 0; + + if ((wrqu->data.length > MAX_WPA_IE_LEN) || + (wrqu->data.length && (extra == NULL))) + return -EINVAL; + +- if (orinoco_lock(priv, &flags) != 0) +- return -EBUSY; +- + if (wrqu->data.length) { + buf = kmalloc(wrqu->data.length, GFP_KERNEL); +- if (buf == NULL) { +- err = -ENOMEM; +- goto out; +- } ++ if (buf == NULL) ++ return -ENOMEM; + + memcpy(buf, extra, wrqu->data.length); +- kfree(priv->wpa_ie); +- priv->wpa_ie = buf; +- priv->wpa_ie_len = wrqu->data.length; +- } else { +- kfree(priv->wpa_ie); +- priv->wpa_ie = NULL; +- priv->wpa_ie_len = 0; ++ } else ++ buf = NULL; ++ ++ if (orinoco_lock(priv, &flags) != 0) { ++ kfree(buf); ++ return -EBUSY; + } + ++ kfree(priv->wpa_ie); ++ priv->wpa_ie = buf; ++ priv->wpa_ie_len = wrqu->data.length; ++ + if (priv->wpa_ie) { + /* Looks like wl_lkm wants to check the auth alg, and + * somehow pass it to the firmware. +@@ -4972,9 +4969,8 @@ static int orinoco_ioctl_set_genie(struc + */ + } + +-out: + orinoco_unlock(priv, &flags); +- return err; ++ return 0; + } + + static int orinoco_ioctl_get_genie(struct net_device *dev, diff --git a/queue-2.6.28/pci-msi-bugfix-utilize-for-msi_capability_init.patch b/queue-2.6.28/pci-msi-bugfix-utilize-for-msi_capability_init.patch new file mode 100644 index 00000000000..c32e0ce0db6 --- /dev/null +++ b/queue-2.6.28/pci-msi-bugfix-utilize-for-msi_capability_init.patch @@ -0,0 +1,63 @@ +From 0db29af1e767464d71b89410d61a1e5b668d0370 Mon Sep 17 00:00:00 2001 +From: Hidetoshi Seto +Date: Wed, 24 Dec 2008 17:27:04 +0900 +Subject: PCI/MSI: bugfix/utilize for msi_capability_init() + +From: Hidetoshi Seto + +commit 0db29af1e767464d71b89410d61a1e5b668d0370 upstream. + +This patch fix a following bug and does a cleanup. + +bug: + commit 5993760f7fc75b77e4701f1e56dc84c0d6cf18d5 + had a wrong change (since is_64 is boolean[0|1]): + +- pci_write_config_dword(dev, +- msi_mask_bits_reg(pos, is_64bit_address(control)), +- maskbits); ++ pci_write_config_dword(dev, entry->msi_attrib.is_64, maskbits); + +utilize: + Unify separated if (entry->msi_attrib.maskbit) statements. + +Signed-off-by: Hidetoshi Seto +Acked-by: "Jike Song" +Signed-off-by: Jesse Barnes +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/pci/msi.c | 16 +++++++--------- + 1 file changed, 7 insertions(+), 9 deletions(-) + +--- a/drivers/pci/msi.c ++++ b/drivers/pci/msi.c +@@ -378,21 +378,19 @@ static int msi_capability_init(struct pc + entry->msi_attrib.masked = 1; + entry->msi_attrib.default_irq = dev->irq; /* Save IOAPIC IRQ */ + entry->msi_attrib.pos = pos; +- if (entry->msi_attrib.maskbit) { +- entry->mask_base = (void __iomem *)(long)msi_mask_bits_reg(pos, +- entry->msi_attrib.is_64); +- } + entry->dev = dev; + if (entry->msi_attrib.maskbit) { +- unsigned int maskbits, temp; ++ unsigned int base, maskbits, temp; ++ ++ base = msi_mask_bits_reg(pos, entry->msi_attrib.is_64); ++ entry->mask_base = (void __iomem *)(long)base; ++ + /* All MSIs are unmasked by default, Mask them all */ +- pci_read_config_dword(dev, +- msi_mask_bits_reg(pos, entry->msi_attrib.is_64), +- &maskbits); ++ pci_read_config_dword(dev, base, &maskbits); + temp = (1 << multi_msi_capable(control)); + temp = ((temp - 1) & ~temp); + maskbits |= temp; +- pci_write_config_dword(dev, entry->msi_attrib.is_64, maskbits); ++ pci_write_config_dword(dev, base, maskbits); + entry->msi_attrib.maskbits_mask = temp; + } + list_add_tail(&entry->list, &dev->msi_list); diff --git a/queue-2.6.28/sata_mv-fix-8-port-timeouts-on-508x-6081-chips.patch b/queue-2.6.28/sata_mv-fix-8-port-timeouts-on-508x-6081-chips.patch new file mode 100644 index 00000000000..73fd081562a --- /dev/null +++ b/queue-2.6.28/sata_mv-fix-8-port-timeouts-on-508x-6081-chips.patch @@ -0,0 +1,33 @@ +From b0bccb18bc523d1d5060d25958f12438062829a9 Mon Sep 17 00:00:00 2001 +From: Mark Lord +Date: Mon, 19 Jan 2009 18:04:37 -0500 +Subject: sata_mv: fix 8-port timeouts on 508x/6081 chips + +From: Mark Lord + +commit b0bccb18bc523d1d5060d25958f12438062829a9 upstream. + +Fix a longstanding bug for the 8-port Marvell Sata controllers (508x/6081), +where accesses to the upper 4 ports would cause lost-interrupts / timeouts +for the lower 4-ports. With this patch, the 6081 boards should finally be +reliable enough for mainstream use with Linux. + +Signed-off-by: Mark Lord +Signed-off-by: Jeff Garzik +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/ata/sata_mv.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/ata/sata_mv.c ++++ b/drivers/ata/sata_mv.c +@@ -883,7 +883,7 @@ static void mv_start_dma(struct ata_port + struct mv_host_priv *hpriv = ap->host->private_data; + int hardport = mv_hardport_from_port(ap->port_no); + void __iomem *hc_mmio = mv_hc_base_from_port( +- mv_host_base(ap->host), hardport); ++ mv_host_base(ap->host), ap->port_no); + u32 hc_irq_cause, ipending; + + /* clear EDMA event indicators, if any */ diff --git a/queue-2.6.28/series b/queue-2.6.28/series new file mode 100644 index 00000000000..a910a79db21 --- /dev/null +++ b/queue-2.6.28/series @@ -0,0 +1,9 @@ +manually-revert-mlock-downgrade-mmap-sem-while-populating-mlocked-regions.patch +xen-make-sysfs-files-behave-as-their-names-suggest.patch +sata_mv-fix-8-port-timeouts-on-508x-6081-chips.patch +m68knommu-set-no_dma.patch +pci-msi-bugfix-utilize-for-msi_capability_init.patch +x86-use-early-clobbers-in-usercopy-.c.patch +cifs-make-sure-we-allocate-enough-storage-for-socket-address.patch +netfilter-ctnetlink-fix-scheduling-while-atomic.patch +orinoco-move-kmalloc-outside-spinlock-in-orinoco_ioctl_set_genie.patch diff --git a/queue-2.6.28/x86-use-early-clobbers-in-usercopy-.c.patch b/queue-2.6.28/x86-use-early-clobbers-in-usercopy-.c.patch new file mode 100644 index 00000000000..30db8b590c3 --- /dev/null +++ b/queue-2.6.28/x86-use-early-clobbers-in-usercopy-.c.patch @@ -0,0 +1,104 @@ +From e0a96129db574d6365e3439d16d88517c437ab33 Mon Sep 17 00:00:00 2001 +From: Andi Kleen +Date: Fri, 16 Jan 2009 15:22:11 +0100 +Subject: x86: use early clobbers in usercopy*.c + +From: Andi Kleen + +commit e0a96129db574d6365e3439d16d88517c437ab33 upstream. + +Impact: fix rare (but currently harmless) miscompile with certain configs and gcc versions + +Hugh Dickins noticed that strncpy_from_user() was miscompiled +in some circumstances with gcc 4.3. + +Thanks to Hugh's excellent analysis it was easy to track down. + +Hugh writes: + +> Try building an x86_64 defconfig 2.6.29-rc1 kernel tree, +> except not quite defconfig, switch CONFIG_PREEMPT_NONE=y +> and CONFIG_PREEMPT_VOLUNTARY off (because it expands a +> might_fault() there, which hides the issue): using a +> gcc 4.3.2 (I've checked both openSUSE 11.1 and Fedora 10). +> +> It generates the following: +> +> 0000000000000000 <__strncpy_from_user>: +> 0: 48 89 d1 mov %rdx,%rcx +> 3: 48 85 c9 test %rcx,%rcx +> 6: 74 0e je 16 <__strncpy_from_user+0x16> +> 8: ac lods %ds:(%rsi),%al +> 9: aa stos %al,%es:(%rdi) +> a: 84 c0 test %al,%al +> c: 74 05 je 13 <__strncpy_from_user+0x13> +> e: 48 ff c9 dec %rcx +> 11: 75 f5 jne 8 <__strncpy_from_user+0x8> +> 13: 48 29 c9 sub %rcx,%rcx +> 16: 48 89 c8 mov %rcx,%rax +> 19: c3 retq +> +> Observe that "sub %rcx,%rcx; mov %rcx,%rax", whereas gcc 4.2.1 +> (and many other configs) say "sub %rcx,%rdx; mov %rdx,%rax". +> Isn't it returning 0 when it ought to be returning strlen? + +The asm constraints for the strncpy_from_user() result were missing an +early clobber, which tells gcc that the last output arguments +are written before all input arguments are read. + +Also add more early clobbers in the rest of the file and fix 32-bit +usercopy.c in the same way. + +Signed-off-by: Andi Kleen +Signed-off-by: H. Peter Anvin +[ since this API is rarely used and no in-kernel user relies on a 'len' + return value (they only rely on negative return values) this miscompile + was never noticed in the field. But it's worth fixing it nevertheless. ] +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/lib/usercopy_32.c | 4 ++-- + arch/x86/lib/usercopy_64.c | 4 ++-- + 2 files changed, 4 insertions(+), 4 deletions(-) + +--- a/arch/x86/lib/usercopy_32.c ++++ b/arch/x86/lib/usercopy_32.c +@@ -56,7 +56,7 @@ do { \ + " jmp 2b\n" \ + ".previous\n" \ + _ASM_EXTABLE(0b,3b) \ +- : "=d"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \ ++ : "=&d"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \ + "=&D" (__d2) \ + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \ + : "memory"); \ +@@ -218,7 +218,7 @@ long strnlen_user(const char __user *s, + " .align 4\n" + " .long 0b,2b\n" + ".previous" +- :"=r" (n), "=D" (s), "=a" (res), "=c" (tmp) ++ :"=&r" (n), "=&D" (s), "=&a" (res), "=&c" (tmp) + :"0" (n), "1" (s), "2" (0), "3" (mask) + :"cc"); + return res & mask; +--- a/arch/x86/lib/usercopy_64.c ++++ b/arch/x86/lib/usercopy_64.c +@@ -32,7 +32,7 @@ do { \ + " jmp 2b\n" \ + ".previous\n" \ + _ASM_EXTABLE(0b,3b) \ +- : "=r"(res), "=c"(count), "=&a" (__d0), "=&S" (__d1), \ ++ : "=&r"(res), "=&c"(count), "=&a" (__d0), "=&S" (__d1), \ + "=&D" (__d2) \ + : "i"(-EFAULT), "0"(count), "1"(count), "3"(src), "4"(dst) \ + : "memory"); \ +@@ -86,7 +86,7 @@ unsigned long __clear_user(void __user * + ".previous\n" + _ASM_EXTABLE(0b,3b) + _ASM_EXTABLE(1b,2b) +- : [size8] "=c"(size), [dst] "=&D" (__d0) ++ : [size8] "=&c"(size), [dst] "=&D" (__d0) + : [size1] "r"(size & 7), "[size8]" (size / 8), "[dst]"(addr), + [zero] "r" (0UL), [eight] "r" (8UL)); + return size; diff --git a/queue-2.6.28/xen-make-sysfs-files-behave-as-their-names-suggest.patch b/queue-2.6.28/xen-make-sysfs-files-behave-as-their-names-suggest.patch new file mode 100644 index 00000000000..d6205277284 --- /dev/null +++ b/queue-2.6.28/xen-make-sysfs-files-behave-as-their-names-suggest.patch @@ -0,0 +1,77 @@ +From 618b2c8db24522ae273d8299c6a936ea13793c4d Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge +Date: Wed, 28 Jan 2009 16:50:20 -0800 +Subject: xen: make sysfs files behave as their names suggest + +From: Jeremy Fitzhardinge + +commit 618b2c8db24522ae273d8299c6a936ea13793c4d upstream. + +1: make "target_kb" only accept and produce a memory size in kilobytes. +2: add a second "target" file which produces output in bytes, and will accept + memparse input (scaled bytes) + +This fixes the rather irritating problem that writing the same value +read back into target_kb would end up shrinking the domain by a factor +of 1024, with generally bad results. + +Signed-off-by: Jeremy Fitzhardinge +Cc: "dan.magenheimer@oracle.com" +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/balloon.c | 33 ++++++++++++++++++++++++++++++++- + 1 file changed, 32 insertions(+), 1 deletion(-) + +--- a/drivers/xen/balloon.c ++++ b/drivers/xen/balloon.c +@@ -488,7 +488,7 @@ static ssize_t store_target_kb(struct sy + if (!capable(CAP_SYS_ADMIN)) + return -EPERM; + +- target_bytes = memparse(buf, &endchar); ++ target_bytes = simple_strtoull(buf, &endchar, 0) * 1024; + + balloon_set_new_target(target_bytes >> PAGE_SHIFT); + +@@ -498,8 +498,39 @@ static ssize_t store_target_kb(struct sy + static SYSDEV_ATTR(target_kb, S_IRUGO | S_IWUSR, + show_target_kb, store_target_kb); + ++ ++static ssize_t show_target(struct sys_device *dev, struct sysdev_attribute *attr, ++ char *buf) ++{ ++ return sprintf(buf, "%llu\n", ++ (u64)balloon_stats.target_pages << PAGE_SHIFT); ++} ++ ++static ssize_t store_target(struct sys_device *dev, ++ struct sysdev_attribute *attr, ++ const char *buf, ++ size_t count) ++{ ++ char *endchar; ++ unsigned long long target_bytes; ++ ++ if (!capable(CAP_SYS_ADMIN)) ++ return -EPERM; ++ ++ target_bytes = memparse(buf, &endchar); ++ ++ balloon_set_new_target(target_bytes >> PAGE_SHIFT); ++ ++ return count; ++} ++ ++static SYSDEV_ATTR(target, S_IRUGO | S_IWUSR, ++ show_target, store_target); ++ ++ + static struct sysdev_attribute *balloon_attrs[] = { + &attr_target_kb, ++ &attr_target, + }; + + static struct attribute *balloon_info_attrs[] = {