From: Greg Kroah-Hartman Date: Tue, 6 Dec 2011 22:01:50 +0000 (-0800) Subject: 3.1 patches X-Git-Tag: v3.0.13~8 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=7442bdc9650957d235e1be17c3e7e5ab88b8b903;p=thirdparty%2Fkernel%2Fstable-queue.git 3.1 patches added patches: add-missing-.set-function-for-nt_s390_last_break-regset.patch cfg80211-amend-regulatory-null-dereference-fix.patch cfg80211-fix-race-on-init-and-driver-registration.patch genirq-fix-race-condition-when-stopping-the-irq-thread.patch mac80211-fill-rate-filter-for-internal-scan-requests.patch mac80211-fix-race-condition-caused-by-late-addba-response.patch oprofile-x86-fix-crash-when-unloading-module-nmi-timer-mode.patch perf-x86-fix-pebs-instruction-unwind.patch sched-x86-avoid-unnecessary-overflow-in-sched_clock.patch slab-lockdep-fix-silly-bug.patch x86-fix-acer-aspire-1-reboot-hang.patch x86-mpparse-account-for-bus-types-other-than-isa-and-pci.patch x86-paravirt-pte-updates-in-k-un-map_atomic-need-to-be-synchronous-regardless-of-lazy_mmu-mode.patch --- diff --git a/queue-3.1/add-missing-.set-function-for-nt_s390_last_break-regset.patch b/queue-3.1/add-missing-.set-function-for-nt_s390_last_break-regset.patch new file mode 100644 index 00000000000..7a09181976d --- /dev/null +++ b/queue-3.1/add-missing-.set-function-for-nt_s390_last_break-regset.patch @@ -0,0 +1,83 @@ +From b934069c991355d27a053a932591c77960f4e414 Mon Sep 17 00:00:00 2001 +From: Martin Schwidefsky +Date: Thu, 1 Dec 2011 13:32:17 +0100 +Subject: [S390] add missing .set function for NT_S390_LAST_BREAK regset + +From: Martin Schwidefsky + +commit b934069c991355d27a053a932591c77960f4e414 upstream. + +The last breaking event address is a read-only value, the regset misses the +.set function. If a PTRACE_SETREGSET is done for NT_S390_LAST_BREAK we +get an oops due to a branch to zero: + +Kernel BUG at 0000000000000002 verbose debug info unavailable +illegal operation: 0001 #1 SMP +... +Call Trace: +(<0000000000158294> ptrace_regset+0x184/0x188) + <00000000001595b6> ptrace_request+0x37a/0x4fc + <0000000000109a78> arch_ptrace+0x108/0x1fc + <00000000001590d6> SyS_ptrace+0xaa/0x12c + <00000000005c7a42> sysc_noemu+0x16/0x1c + <000003fffd5ec10c> 0x3fffd5ec10c +Last Breaking-Event-Address: + <0000000000158242> ptrace_regset+0x132/0x188 + +Add a nop .set function to prevent the branch to zero. + +Signed-off-by: Martin Schwidefsky +Signed-off-by: Greg Kroah-Hartman + +--- + arch/s390/kernel/ptrace.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/arch/s390/kernel/ptrace.c ++++ b/arch/s390/kernel/ptrace.c +@@ -897,6 +897,14 @@ static int s390_last_break_get(struct ta + return 0; + } + ++static int s390_last_break_set(struct task_struct *target, ++ const struct user_regset *regset, ++ unsigned int pos, unsigned int count, ++ const void *kbuf, const void __user *ubuf) ++{ ++ return 0; ++} ++ + #endif + + static const struct user_regset s390_regsets[] = { +@@ -923,6 +931,7 @@ static const struct user_regset s390_reg + .size = sizeof(long), + .align = sizeof(long), + .get = s390_last_break_get, ++ .set = s390_last_break_set, + }, + #endif + }; +@@ -1080,6 +1089,14 @@ static int s390_compat_last_break_get(st + return 0; + } + ++static int s390_compat_last_break_set(struct task_struct *target, ++ const struct user_regset *regset, ++ unsigned int pos, unsigned int count, ++ const void *kbuf, const void __user *ubuf) ++{ ++ return 0; ++} ++ + static const struct user_regset s390_compat_regsets[] = { + [REGSET_GENERAL] = { + .core_note_type = NT_PRSTATUS, +@@ -1103,6 +1120,7 @@ static const struct user_regset s390_com + .size = sizeof(long), + .align = sizeof(long), + .get = s390_compat_last_break_get, ++ .set = s390_compat_last_break_set, + }, + [REGSET_GENERAL_EXTENDED] = { + .core_note_type = NT_S390_HIGH_GPRS, diff --git a/queue-3.1/cfg80211-amend-regulatory-null-dereference-fix.patch b/queue-3.1/cfg80211-amend-regulatory-null-dereference-fix.patch new file mode 100644 index 00000000000..5ce7f544b0d --- /dev/null +++ b/queue-3.1/cfg80211-amend-regulatory-null-dereference-fix.patch @@ -0,0 +1,46 @@ +From 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 Mon Sep 17 00:00:00 2001 +From: "Luis R. Rodriguez" +Date: Mon, 28 Nov 2011 16:47:16 -0500 +Subject: cfg80211: amend regulatory NULL dereference fix + +From: "Luis R. Rodriguez" + +commit 0bac71af6e66dc798bf07d0c0dd14ee5503362f9 upstream. + +Johannes' patch for "cfg80211: fix regulatory NULL dereference" +broke user regulaotry hints and it did not address the fact that +last_request was left populated even if the previous regulatory +hint was stale due to the wiphy disappearing. + +Fix user reguluatory hints by only bailing out if for those +regulatory hints where a request_wiphy is expected. The stale last_request +considerations are addressed through the previous fixes on last_request +where we reset the last_request to a static world regdom request upon +reset_regdomains(). In this case though we further enhance the effect +by simply restoring reguluatory settings completely. + +Cc: Johannes Berg +Signed-off-by: Luis R. Rodriguez +Reviewed-by: Johannes Berg +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -2040,8 +2040,10 @@ static int __set_regdom(const struct iee + } + + request_wiphy = wiphy_idx_to_wiphy(last_request->wiphy_idx); +- if (!request_wiphy) { +- reg_set_request_processed(); ++ if (!request_wiphy && ++ (last_request->initiator == NL80211_REGDOM_SET_BY_DRIVER || ++ last_request->initiator == NL80211_REGDOM_SET_BY_COUNTRY_IE)) { ++ schedule_delayed_work(®_timeout, 0); + return -ENODEV; + } + diff --git a/queue-3.1/cfg80211-fix-race-on-init-and-driver-registration.patch b/queue-3.1/cfg80211-fix-race-on-init-and-driver-registration.patch new file mode 100644 index 00000000000..0275c83e9d9 --- /dev/null +++ b/queue-3.1/cfg80211-fix-race-on-init-and-driver-registration.patch @@ -0,0 +1,160 @@ +From a042994dd377d86bff9446ee76151ceb6267c9ba Mon Sep 17 00:00:00 2001 +From: "Luis R. Rodriguez" +Date: Mon, 28 Nov 2011 16:47:15 -0500 +Subject: cfg80211: fix race on init and driver registration + +From: "Luis R. Rodriguez" + +commit a042994dd377d86bff9446ee76151ceb6267c9ba upstream. + +There is a theoretical race that if hit will trigger +a crash. The race is between when we issue the first +regulatory hint, regulatory_hint_core(), gets processed +by the workqueue and between when the first device +gets registered to the wireless core. This is not easy +to reproduce but it was easy to do so through the +regulatory simulator I have been working on. This +is a port of the fix I implemented there [1]. + +[1] https://github.com/mcgrof/regsim/commit/a246ccf81f059cb662eee288aa13100f631e4cc8 + +Cc: Johannes Berg +Signed-off-by: Luis R. Rodriguez +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/wireless/reg.c | 43 +++++++++++++++++++++++++++---------------- + 1 file changed, 27 insertions(+), 16 deletions(-) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -57,8 +57,17 @@ + #define REG_DBG_PRINT(args...) + #endif + ++static struct regulatory_request core_request_world = { ++ .initiator = NL80211_REGDOM_SET_BY_CORE, ++ .alpha2[0] = '0', ++ .alpha2[1] = '0', ++ .intersect = false, ++ .processed = true, ++ .country_ie_env = ENVIRON_ANY, ++}; ++ + /* Receipt of information from last regulatory request */ +-static struct regulatory_request *last_request; ++static struct regulatory_request *last_request = &core_request_world; + + /* To trigger userspace events */ + static struct platform_device *reg_pdev; +@@ -150,7 +159,7 @@ static char user_alpha2[2]; + module_param(ieee80211_regdom, charp, 0444); + MODULE_PARM_DESC(ieee80211_regdom, "IEEE 802.11 regulatory domain code"); + +-static void reset_regdomains(void) ++static void reset_regdomains(bool full_reset) + { + /* avoid freeing static information or freeing something twice */ + if (cfg80211_regdomain == cfg80211_world_regdom) +@@ -165,6 +174,13 @@ static void reset_regdomains(void) + + cfg80211_world_regdom = &world_regdom; + cfg80211_regdomain = NULL; ++ ++ if (!full_reset) ++ return; ++ ++ if (last_request != &core_request_world) ++ kfree(last_request); ++ last_request = &core_request_world; + } + + /* +@@ -175,7 +191,7 @@ static void update_world_regdomain(const + { + BUG_ON(!last_request); + +- reset_regdomains(); ++ reset_regdomains(false); + + cfg80211_world_regdom = rd; + cfg80211_regdomain = rd; +@@ -1396,7 +1412,8 @@ static int __regulatory_hint(struct wiph + } + + new_request: +- kfree(last_request); ++ if (last_request != &core_request_world) ++ kfree(last_request); + + last_request = pending_request; + last_request->intersect = intersect; +@@ -1566,9 +1583,6 @@ static int regulatory_hint_core(const ch + { + struct regulatory_request *request; + +- kfree(last_request); +- last_request = NULL; +- + request = kzalloc(sizeof(struct regulatory_request), + GFP_KERNEL); + if (!request) +@@ -1766,7 +1780,7 @@ static void restore_regulatory_settings( + mutex_lock(&cfg80211_mutex); + mutex_lock(®_mutex); + +- reset_regdomains(); ++ reset_regdomains(true); + restore_alpha2(alpha2, reset_user); + + /* +@@ -2035,7 +2049,7 @@ static int __set_regdom(const struct iee + int r; + + if (last_request->initiator != NL80211_REGDOM_SET_BY_DRIVER) { +- reset_regdomains(); ++ reset_regdomains(false); + cfg80211_regdomain = rd; + return 0; + } +@@ -2056,7 +2070,7 @@ static int __set_regdom(const struct iee + if (r) + return r; + +- reset_regdomains(); ++ reset_regdomains(false); + cfg80211_regdomain = rd; + return 0; + } +@@ -2081,7 +2095,7 @@ static int __set_regdom(const struct iee + + rd = NULL; + +- reset_regdomains(); ++ reset_regdomains(false); + cfg80211_regdomain = intersected_rd; + + return 0; +@@ -2101,7 +2115,7 @@ static int __set_regdom(const struct iee + kfree(rd); + rd = NULL; + +- reset_regdomains(); ++ reset_regdomains(false); + cfg80211_regdomain = intersected_rd; + + return 0; +@@ -2254,11 +2268,8 @@ void /* __init_or_exit */ regulatory_exi + mutex_lock(&cfg80211_mutex); + mutex_lock(®_mutex); + +- reset_regdomains(); +- +- kfree(last_request); ++ reset_regdomains(true); + +- last_request = NULL; + dev_set_uevent_suppress(®_pdev->dev, true); + + platform_device_unregister(reg_pdev); diff --git a/queue-3.1/genirq-fix-race-condition-when-stopping-the-irq-thread.patch b/queue-3.1/genirq-fix-race-condition-when-stopping-the-irq-thread.patch new file mode 100644 index 00000000000..e92ced82214 --- /dev/null +++ b/queue-3.1/genirq-fix-race-condition-when-stopping-the-irq-thread.patch @@ -0,0 +1,68 @@ +From 550acb19269d65f32e9ac4ddb26c2b2070e37f1c Mon Sep 17 00:00:00 2001 +From: Ido Yariv +Date: Thu, 1 Dec 2011 13:55:08 +0200 +Subject: genirq: Fix race condition when stopping the irq thread + +From: Ido Yariv + +commit 550acb19269d65f32e9ac4ddb26c2b2070e37f1c upstream. + +In irq_wait_for_interrupt(), the should_stop member is verified before +setting the task's state to TASK_INTERRUPTIBLE and calling schedule(). +In case kthread_stop sets should_stop and wakes up the process after +should_stop is checked by the irq thread but before the task's state +is changed, the irq thread might never exit: + +kthread_stop irq_wait_for_interrupt +------------ ---------------------- + + ... +... while (!kthread_should_stop()) { +kthread->should_stop = 1; +wake_up_process(k); +wait_for_completion(&kthread->exited); +... + set_current_state(TASK_INTERRUPTIBLE); + + ... + + schedule(); + } + +Fix this by checking if the thread should stop after modifying the +task's state. + +[ tglx: Simplified it a bit ] + +Signed-off-by: Ido Yariv +Link: http://lkml.kernel.org/r/1322740508-22640-1-git-send-email-ido@wizery.com +Signed-off-by: Thomas Gleixner +Signed-off-by: Greg Kroah-Hartman + +--- + kernel/irq/manage.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/kernel/irq/manage.c ++++ b/kernel/irq/manage.c +@@ -620,8 +620,9 @@ static irqreturn_t irq_nested_primary_ha + + static int irq_wait_for_interrupt(struct irqaction *action) + { ++ set_current_state(TASK_INTERRUPTIBLE); ++ + while (!kthread_should_stop()) { +- set_current_state(TASK_INTERRUPTIBLE); + + if (test_and_clear_bit(IRQTF_RUNTHREAD, + &action->thread_flags)) { +@@ -629,7 +630,9 @@ static int irq_wait_for_interrupt(struct + return 0; + } + schedule(); ++ set_current_state(TASK_INTERRUPTIBLE); + } ++ __set_current_state(TASK_RUNNING); + return -1; + } + diff --git a/queue-3.1/mac80211-fill-rate-filter-for-internal-scan-requests.patch b/queue-3.1/mac80211-fill-rate-filter-for-internal-scan-requests.patch new file mode 100644 index 00000000000..4920cd97dd6 --- /dev/null +++ b/queue-3.1/mac80211-fill-rate-filter-for-internal-scan-requests.patch @@ -0,0 +1,36 @@ +From c72e8d335e2c6a309b6281f2abcf491f37b8b92b Mon Sep 17 00:00:00 2001 +From: Simon Wunderlich +Date: Wed, 30 Nov 2011 16:56:30 +0100 +Subject: mac80211: fill rate filter for internal scan requests + +From: Simon Wunderlich + +commit c72e8d335e2c6a309b6281f2abcf491f37b8b92b upstream. + +The rates bitmap for internal scan requests shoud be filled, +otherwise there will be probe requests with zero rates supported. + +Signed-off-by: Simon Wunderlich +Signed-off-by: Mathias Kretschmer +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + net/mac80211/main.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/net/mac80211/main.c ++++ b/net/mac80211/main.c +@@ -742,6 +742,12 @@ int ieee80211_register_hw(struct ieee802 + if (!local->int_scan_req) + return -ENOMEM; + ++ for (band = 0; band < IEEE80211_NUM_BANDS; band++) { ++ if (!local->hw.wiphy->bands[band]) ++ continue; ++ local->int_scan_req->rates[band] = (u32) -1; ++ } ++ + /* if low-level driver supports AP, we also support VLAN */ + if (local->hw.wiphy->interface_modes & BIT(NL80211_IFTYPE_AP)) { + hw->wiphy->interface_modes |= BIT(NL80211_IFTYPE_AP_VLAN); diff --git a/queue-3.1/mac80211-fix-race-condition-caused-by-late-addba-response.patch b/queue-3.1/mac80211-fix-race-condition-caused-by-late-addba-response.patch new file mode 100644 index 00000000000..8b35689c110 --- /dev/null +++ b/queue-3.1/mac80211-fix-race-condition-caused-by-late-addba-response.patch @@ -0,0 +1,61 @@ +From johannes@sipsolutions.net Tue Dec 6 13:55:26 2011 +From: Nikolay Martynov +Date: Tue, 06 Dec 2011 15:39:32 +0100 +Subject: mac80211: fix race condition caused by late addBA response +To: Nikolay Martynov , John Linville , Greg Kroah-Hartman +Cc: stable@vger.kernel.org +Message-ID: <1323182372.4696.22.camel@jlt3.sipsolutions.net> + + +From: Nikolay Martynov + +Upstream commit d305a6557b2c4dca0110f05ffe745b1ef94adb80. + +If addBA responses comes in just after addba_resp_timer has +expired mac80211 will still accept it and try to open the +aggregation session. This causes drivers to be confused and +in some cases even crash. + +This patch fixes the race condition and makes sure that if +addba_resp_timer has expired addBA response is not longer +accepted and we do not try to open half-closed session. + +Signed-off-by: Nikolay Martynov +[some adjustments] +Signed-off-by: Johannes Berg +Signed-off-by: John W. Linville +--- + net/mac80211/agg-tx.c | 17 ++++++++++++++++- + 1 file changed, 16 insertions(+), 1 deletion(-) + +--- a/net/mac80211/agg-tx.c ++++ b/net/mac80211/agg-tx.c +@@ -792,12 +792,27 @@ void ieee80211_process_addba_resp(struct + goto out; + } + +- del_timer(&tid_tx->addba_resp_timer); ++ del_timer_sync(&tid_tx->addba_resp_timer); + + #ifdef CONFIG_MAC80211_HT_DEBUG + printk(KERN_DEBUG "switched off addBA timer for tid %d\n", tid); + #endif + ++ /* ++ * addba_resp_timer may have fired before we got here, and ++ * caused WANT_STOP to be set. If the stop then was already ++ * processed further, STOPPING might be set. ++ */ ++ if (test_bit(HT_AGG_STATE_WANT_STOP, &tid_tx->state) || ++ test_bit(HT_AGG_STATE_STOPPING, &tid_tx->state)) { ++#ifdef CONFIG_MAC80211_HT_DEBUG ++ printk(KERN_DEBUG ++ "got addBA resp for tid %d but we already gave up\n", ++ tid); ++#endif ++ goto out; ++ } ++ + if (le16_to_cpu(mgmt->u.action.u.addba_resp.status) + == WLAN_STATUS_SUCCESS) { + /* diff --git a/queue-3.1/oprofile-x86-fix-crash-when-unloading-module-nmi-timer-mode.patch b/queue-3.1/oprofile-x86-fix-crash-when-unloading-module-nmi-timer-mode.patch new file mode 100644 index 00000000000..bc0e3f2bc6f --- /dev/null +++ b/queue-3.1/oprofile-x86-fix-crash-when-unloading-module-nmi-timer-mode.patch @@ -0,0 +1,90 @@ +From 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff Mon Sep 17 00:00:00 2001 +From: Robert Richter +Date: Mon, 10 Oct 2011 16:21:10 +0200 +Subject: oprofile, x86: Fix crash when unloading module (nmi timer mode) + +From: Robert Richter + +commit 97f7f8189fe54e3cfe324ef9ad35064f3d2d3bff upstream. + +If oprofile uses the nmi timer interrupt there is a crash while +unloading the module. The bug can be triggered with oprofile build as +module and kernel parameter nolapic set. This patch fixes this. + +oprofile: using NMI timer interrupt. +BUG: unable to handle kernel NULL pointer dereference at 0000000000000008 +IP: [] unregister_syscore_ops+0x41/0x58 +PGD 42dbca067 PUD 41da6a067 PMD 0 +Oops: 0002 [#1] PREEMPT SMP +CPU 5 +Modules linked in: oprofile(-) [last unloaded: oprofile] + +Pid: 2518, comm: modprobe Not tainted 3.1.0-rc7-00019-gb2fb49d #19 Advanced Micro Device Anaheim/Anaheim +RIP: 0010:[] [] unregister_syscore_ops+0x41/0x58 +RSP: 0018:ffff88041ef71e98 EFLAGS: 00010296 +RAX: 0000000000000000 RBX: ffffffffa0017100 RCX: dead000000200200 +RDX: 0000000000000000 RSI: dead000000100100 RDI: ffffffff8178c620 +RBP: ffff88041ef71ea8 R08: 0000000000000001 R09: 0000000000000082 +R10: 0000000000000000 R11: ffff88041ef71de8 R12: 0000000000000080 +R13: fffffffffffffff5 R14: 0000000000000001 R15: 0000000000610210 +FS: 00007fc902f20700(0000) GS:ffff88042fd40000(0000) knlGS:0000000000000000 +CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b +CR2: 0000000000000008 CR3: 000000041cdb6000 CR4: 00000000000006e0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process modprobe (pid: 2518, threadinfo ffff88041ef70000, task ffff88041d348040) +Stack: + ffff88041ef71eb8 ffffffffa0017790 ffff88041ef71eb8 ffffffffa0013532 + ffff88041ef71ec8 ffffffffa00132d6 ffff88041ef71ed8 ffffffffa00159b2 + ffff88041ef71f78 ffffffff81073115 656c69666f72706f 0000000000610200 +Call Trace: + [] op_nmi_exit+0x15/0x17 [oprofile] + [] oprofile_arch_exit+0xe/0x10 [oprofile] + [] oprofile_exit+0x1e/0x20 [oprofile] + [] sys_delete_module+0x1c3/0x22f + [] ? trace_hardirqs_on_thunk+0x3a/0x3f + [] system_call_fastpath+0x16/0x1b +Code: 20 c6 78 81 e8 c5 cc 23 00 48 8b 13 48 8b 43 08 48 be 00 01 10 00 00 00 ad de 48 b9 00 02 20 00 00 00 ad de 48 c7 c7 20 c6 78 81 + 89 42 08 48 89 10 48 89 33 48 89 4b 08 e8 a6 c0 23 00 5a 5b +RIP [] unregister_syscore_ops+0x41/0x58 + RSP +CR2: 0000000000000008 +---[ end trace 43a541a52956b7b0 ]--- + +Signed-off-by: Robert Richter +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/oprofile/init.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/arch/x86/oprofile/init.c ++++ b/arch/x86/oprofile/init.c +@@ -21,6 +21,7 @@ extern int op_nmi_timer_init(struct opro + extern void op_nmi_exit(void); + extern void x86_backtrace(struct pt_regs * const regs, unsigned int depth); + ++static int nmi_timer; + + int __init oprofile_arch_init(struct oprofile_operations *ops) + { +@@ -31,8 +32,9 @@ int __init oprofile_arch_init(struct opr + #ifdef CONFIG_X86_LOCAL_APIC + ret = op_nmi_init(ops); + #endif ++ nmi_timer = (ret != 0); + #ifdef CONFIG_X86_IO_APIC +- if (ret < 0) ++ if (nmi_timer) + ret = op_nmi_timer_init(ops); + #endif + ops->backtrace = x86_backtrace; +@@ -44,6 +46,7 @@ int __init oprofile_arch_init(struct opr + void oprofile_arch_exit(void) + { + #ifdef CONFIG_X86_LOCAL_APIC +- op_nmi_exit(); ++ if (!nmi_timer) ++ op_nmi_exit(); + #endif + } diff --git a/queue-3.1/perf-x86-fix-pebs-instruction-unwind.patch b/queue-3.1/perf-x86-fix-pebs-instruction-unwind.patch new file mode 100644 index 00000000000..6f4ef940696 --- /dev/null +++ b/queue-3.1/perf-x86-fix-pebs-instruction-unwind.patch @@ -0,0 +1,47 @@ +From 57d1c0c03c6b48b2b96870d831b9ce6b917f53ac Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Fri, 7 Oct 2011 13:36:40 +0200 +Subject: perf/x86: Fix PEBS instruction unwind + +From: Peter Zijlstra + +commit 57d1c0c03c6b48b2b96870d831b9ce6b917f53ac upstream. + +Masami spotted that we always try to decode the instruction stream as +64bit instructions when running a 64bit kernel, this doesn't work for +ia32-compat proglets. + +Use TIF_IA32 to detect if we need to use the 32bit instruction +decoder. + +Reported-by: Masami Hiramatsu +Signed-off-by: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/cpu/perf_event_intel_ds.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/cpu/perf_event_intel_ds.c ++++ b/arch/x86/kernel/cpu/perf_event_intel_ds.c +@@ -508,6 +508,7 @@ static int intel_pmu_pebs_fixup_ip(struc + unsigned long from = cpuc->lbr_entries[0].from; + unsigned long old_to, to = cpuc->lbr_entries[0].to; + unsigned long ip = regs->ip; ++ int is_64bit = 0; + + /* + * We don't need to fixup if the PEBS assist is fault like +@@ -559,7 +560,10 @@ static int intel_pmu_pebs_fixup_ip(struc + } else + kaddr = (void *)to; + +- kernel_insn_init(&insn, kaddr); ++#ifdef CONFIG_X86_64 ++ is_64bit = kernel_ip(to) || !test_thread_flag(TIF_IA32); ++#endif ++ insn_init(&insn, kaddr, is_64bit); + insn_get_length(&insn); + to += insn.length; + } while (to < ip); diff --git a/queue-3.1/sched-x86-avoid-unnecessary-overflow-in-sched_clock.patch b/queue-3.1/sched-x86-avoid-unnecessary-overflow-in-sched_clock.patch new file mode 100644 index 00000000000..c05f2d62086 --- /dev/null +++ b/queue-3.1/sched-x86-avoid-unnecessary-overflow-in-sched_clock.patch @@ -0,0 +1,72 @@ +From 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 Mon Sep 17 00:00:00 2001 +From: Salman Qazi +Date: Tue, 15 Nov 2011 14:12:06 -0800 +Subject: sched, x86: Avoid unnecessary overflow in sched_clock + +From: Salman Qazi + +commit 4cecf6d401a01d054afc1e5f605bcbfe553cb9b9 upstream. + +(Added the missing signed-off-by line) + +In hundreds of days, the __cycles_2_ns calculation in sched_clock +has an overflow. cyc * per_cpu(cyc2ns, cpu) exceeds 64 bits, causing +the final value to become zero. We can solve this without losing +any precision. + +We can decompose TSC into quotient and remainder of division by the +scale factor, and then use this to convert TSC into nanoseconds. + +Signed-off-by: Salman Qazi +Acked-by: John Stultz +Reviewed-by: Paul Turner +Signed-off-by: Peter Zijlstra +Link: http://lkml.kernel.org/r/20111115221121.7262.88871.stgit@dungbeetle.mtv.corp.google.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/include/asm/timer.h | 23 ++++++++++++++++++++++- + 1 file changed, 22 insertions(+), 1 deletion(-) + +--- a/arch/x86/include/asm/timer.h ++++ b/arch/x86/include/asm/timer.h +@@ -32,6 +32,22 @@ extern int no_timer_check; + * (mathieu.desnoyers@polymtl.ca) + * + * -johnstul@us.ibm.com "math is hard, lets go shopping!" ++ * ++ * In: ++ * ++ * ns = cycles * cyc2ns_scale / SC ++ * ++ * Although we may still have enough bits to store the value of ns, ++ * in some cases, we may not have enough bits to store cycles * cyc2ns_scale, ++ * leading to an incorrect result. ++ * ++ * To avoid this, we can decompose 'cycles' into quotient and remainder ++ * of division by SC. Then, ++ * ++ * ns = (quot * SC + rem) * cyc2ns_scale / SC ++ * = quot * cyc2ns_scale + (rem * cyc2ns_scale) / SC ++ * ++ * - sqazi@google.com + */ + + DECLARE_PER_CPU(unsigned long, cyc2ns); +@@ -41,9 +57,14 @@ DECLARE_PER_CPU(unsigned long long, cyc2 + + static inline unsigned long long __cycles_2_ns(unsigned long long cyc) + { ++ unsigned long long quot; ++ unsigned long long rem; + int cpu = smp_processor_id(); + unsigned long long ns = per_cpu(cyc2ns_offset, cpu); +- ns += cyc * per_cpu(cyc2ns, cpu) >> CYC2NS_SCALE_FACTOR; ++ quot = (cyc >> CYC2NS_SCALE_FACTOR); ++ rem = cyc & ((1ULL << CYC2NS_SCALE_FACTOR) - 1); ++ ns += quot * per_cpu(cyc2ns, cpu) + ++ ((rem * per_cpu(cyc2ns, cpu)) >> CYC2NS_SCALE_FACTOR); + return ns; + } + diff --git a/queue-3.1/series b/queue-3.1/series index be460d7c640..c8771a4c362 100644 --- a/queue-3.1/series +++ b/queue-3.1/series @@ -76,3 +76,16 @@ ib-fix-rcu-lockdep-splats.patch usb-ehci-fix-hub-tt-scheduling-issue-with-iso-transfer.patch ehci-fix-a-regression-in-the-iso-scheduler.patch xhci-fix-bug-in-xhci_clear_command_ring.patch +sched-x86-avoid-unnecessary-overflow-in-sched_clock.patch +x86-mpparse-account-for-bus-types-other-than-isa-and-pci.patch +x86-fix-acer-aspire-1-reboot-hang.patch +x86-paravirt-pte-updates-in-k-un-map_atomic-need-to-be-synchronous-regardless-of-lazy_mmu-mode.patch +perf-x86-fix-pebs-instruction-unwind.patch +oprofile-x86-fix-crash-when-unloading-module-nmi-timer-mode.patch +add-missing-.set-function-for-nt_s390_last_break-regset.patch +mac80211-fill-rate-filter-for-internal-scan-requests.patch +mac80211-fix-race-condition-caused-by-late-addba-response.patch +cfg80211-fix-race-on-init-and-driver-registration.patch +cfg80211-amend-regulatory-null-dereference-fix.patch +genirq-fix-race-condition-when-stopping-the-irq-thread.patch +slab-lockdep-fix-silly-bug.patch diff --git a/queue-3.1/slab-lockdep-fix-silly-bug.patch b/queue-3.1/slab-lockdep-fix-silly-bug.patch new file mode 100644 index 00000000000..e2202129cec --- /dev/null +++ b/queue-3.1/slab-lockdep-fix-silly-bug.patch @@ -0,0 +1,54 @@ +From 52cef189165d74a5d6030184a8e05595194c69ca Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra +Date: Mon, 28 Nov 2011 21:12:40 +0100 +Subject: slab, lockdep: Fix silly bug + +From: Peter Zijlstra + +commit 52cef189165d74a5d6030184a8e05595194c69ca upstream. + +Commit 30765b92 ("slab, lockdep: Annotate the locks before using +them") moves the init_lock_keys() call from after g_cpucache_up = +FULL, to before it. And overlooks the fact that init_node_lock_keys() +tests for it and ignores everything !FULL. + +Introduce a LATE stage and change the lockdep test to be +Cc: Pekka Enberg +Signed-off-by: Peter Zijlstra +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + mm/slab.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/mm/slab.c ++++ b/mm/slab.c +@@ -595,6 +595,7 @@ static enum { + PARTIAL_AC, + PARTIAL_L3, + EARLY, ++ LATE, + FULL + } g_cpucache_up; + +@@ -671,7 +672,7 @@ static void init_node_lock_keys(int q) + { + struct cache_sizes *s = malloc_sizes; + +- if (g_cpucache_up != FULL) ++ if (g_cpucache_up < LATE) + return; + + for (s = malloc_sizes; s->cs_size != ULONG_MAX; s++) { +@@ -1666,6 +1667,8 @@ void __init kmem_cache_init_late(void) + { + struct kmem_cache *cachep; + ++ g_cpucache_up = LATE; ++ + /* Annotate slab for lockdep -- annotate the malloc caches */ + init_lock_keys(); + diff --git a/queue-3.1/x86-fix-acer-aspire-1-reboot-hang.patch b/queue-3.1/x86-fix-acer-aspire-1-reboot-hang.patch new file mode 100644 index 00000000000..ae925e1ff52 --- /dev/null +++ b/queue-3.1/x86-fix-acer-aspire-1-reboot-hang.patch @@ -0,0 +1,72 @@ +From 1ef03890969932e9359b9a4c658f7f87771910ac Mon Sep 17 00:00:00 2001 +From: Peter Chubb +Date: Mon, 5 Dec 2011 16:53:53 +0300 +Subject: x86: Fix "Acer Aspire 1" reboot hang +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Peter Chubb + +commit 1ef03890969932e9359b9a4c658f7f87771910ac upstream. + +Looks like on some Acer Aspire 1s with older bioses, reboot via bios +fails. It works on my machine, (with BIOS version 0.3310) but +not on some others (BIOS version 0.3309). + +There's a log of problems at: + + https://bbs.archlinux.org/viewtopic.php?id=124136 + +This patch adds a different callback to the reboot quirk table, +to allow rebooting via keybaord controller. + +Reported-by: UroÅ¡ Vampl +Tested-by: Vasily Khoruzhick +Signed-off-by: Peter Chubb +Cc: Don Zickus +Cc: Peter Zijlstra +Link: http://lkml.kernel.org/r/1323093233-9481-1-git-send-email-anarsoul@gmail.com +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/reboot.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -124,7 +124,7 @@ __setup("reboot=", reboot_setup); + */ + + /* +- * Some machines require the "reboot=b" commandline option, ++ * Some machines require the "reboot=b" or "reboot=k" commandline options, + * this quirk makes that automatic. + */ + static int __init set_bios_reboot(const struct dmi_system_id *d) +@@ -136,6 +136,15 @@ static int __init set_bios_reboot(const + return 0; + } + ++static int __init set_kbd_reboot(const struct dmi_system_id *d) ++{ ++ if (reboot_type != BOOT_KBD) { ++ reboot_type = BOOT_KBD; ++ printk(KERN_INFO "%s series board detected. Selecting KBD-method for reboot.\n", d->ident); ++ } ++ return 0; ++} ++ + static struct dmi_system_id __initdata reboot_dmi_table[] = { + { /* Handle problems with rebooting on Dell E520's */ + .callback = set_bios_reboot, +@@ -295,7 +304,7 @@ static struct dmi_system_id __initdata r + }, + }, + { /* Handle reboot issue on Acer Aspire one */ +- .callback = set_bios_reboot, ++ .callback = set_kbd_reboot, + .ident = "Acer Aspire One A110", + .matches = { + DMI_MATCH(DMI_SYS_VENDOR, "Acer"), diff --git a/queue-3.1/x86-mpparse-account-for-bus-types-other-than-isa-and-pci.patch b/queue-3.1/x86-mpparse-account-for-bus-types-other-than-isa-and-pci.patch new file mode 100644 index 00000000000..81658e30cc5 --- /dev/null +++ b/queue-3.1/x86-mpparse-account-for-bus-types-other-than-isa-and-pci.patch @@ -0,0 +1,54 @@ +From 9e6866686bdf2dcf3aeb0838076237ede532dcc8 Mon Sep 17 00:00:00 2001 +From: Bjorn Helgaas +Date: Sun, 25 Sep 2011 15:29:00 -0600 +Subject: x86/mpparse: Account for bus types other than ISA and PCI + +From: Bjorn Helgaas + +commit 9e6866686bdf2dcf3aeb0838076237ede532dcc8 upstream. + +In commit f8924e770e04 ("x86: unify mp_bus_info"), the 32-bit +and 64-bit versions of MP_bus_info were rearranged to match each +other better. Unfortunately it introduced a regression: prior +to that change we used to always set the mp_bus_not_pci bit, +then clear it if we found a PCI bus. After it, we set +mp_bus_not_pci for ISA buses, clear it for PCI buses, and leave +it alone otherwise. + +In the cases of ISA and PCI, there's not much difference. But +ISA is not the only non-PCI bus, so it's better to always set +mp_bus_not_pci and clear it only for PCI. + +Without this change, Dan's Dell PowerEdge 4200 panics on boot +with a log indicating interrupt routing trouble unless the +"noapic" option is supplied. With this change, the machine +boots reliably without "noapic". + +Fixes http://bugs.debian.org/586494 + +Reported-bisected-and-tested-by: Dan McGrath +Signed-off-by: Bjorn Helgaas +Cc: Dan McGrath +Cc: Alexey Starikovskiy +[jrnieder@gmail.com: clarified commit message] +Signed-off-by: Jonathan Nieder +Link: http://lkml.kernel.org/r/20111122215000.GA9151@elie.hsd1.il.comcast.net +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/kernel/mpparse.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/mpparse.c ++++ b/arch/x86/kernel/mpparse.c +@@ -95,8 +95,8 @@ static void __init MP_bus_info(struct mp + } + #endif + ++ set_bit(m->busid, mp_bus_not_pci); + if (strncmp(str, BUSTYPE_ISA, sizeof(BUSTYPE_ISA) - 1) == 0) { +- set_bit(m->busid, mp_bus_not_pci); + #if defined(CONFIG_EISA) || defined(CONFIG_MCA) + mp_bus_id_to_type[m->busid] = MP_BUS_ISA; + #endif diff --git a/queue-3.1/x86-paravirt-pte-updates-in-k-un-map_atomic-need-to-be-synchronous-regardless-of-lazy_mmu-mode.patch b/queue-3.1/x86-paravirt-pte-updates-in-k-un-map_atomic-need-to-be-synchronous-regardless-of-lazy_mmu-mode.patch new file mode 100644 index 00000000000..a3ed707b4e4 --- /dev/null +++ b/queue-3.1/x86-paravirt-pte-updates-in-k-un-map_atomic-need-to-be-synchronous-regardless-of-lazy_mmu-mode.patch @@ -0,0 +1,87 @@ +From 2cd1c8d4dc7ecca9e9431e2dabe41ae9c7d89e51 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Tue, 15 Nov 2011 14:49:09 -0800 +Subject: x86/paravirt: PTE updates in k(un)map_atomic need to be synchronous, regardless of lazy_mmu mode + +From: Konrad Rzeszutek Wilk + +commit 2cd1c8d4dc7ecca9e9431e2dabe41ae9c7d89e51 upstream. + +Fix an outstanding issue that has been reported since 2.6.37. +Under a heavy loaded machine processing "fork()" calls could +crash with: + +BUG: unable to handle kernel paging request at f573fc8c +IP: [] swap_count_continued+0x104/0x180 +*pdpt = 000000002a3b9027 *pde = 0000000001bed067 *pte = 0000000000000000 Oops: 0000 [#1] SMP +Modules linked in: +Pid: 1638, comm: apache2 Not tainted 3.0.4-linode37 #1 +EIP: 0061:[] EFLAGS: 00210246 CPU: 3 +EIP is at swap_count_continued+0x104/0x180 +.. snip.. +Call Trace: + [] ? __swap_duplicate+0xc2/0x160 + [] ? pte_mfn_to_pfn+0x87/0xe0 + [] ? swap_duplicate+0x14/0x40 + [] ? copy_pte_range+0x45b/0x500 + [] ? copy_page_range+0x195/0x200 + [] ? dup_mmap+0x1c6/0x2c0 + [] ? dup_mm+0xa8/0x130 + [] ? copy_process+0x98a/0xb30 + [] ? do_fork+0x4f/0x280 + [] ? getnstimeofday+0x43/0x100 + [] ? sys_clone+0x30/0x40 + [] ? ptregs_clone+0x15/0x48 + [] ? syscall_call+0x7/0xb + +The problem is that in copy_page_range() we turn lazy mode on, +and then in swap_entry_free() we call swap_count_continued() +which ends up in: + + map = kmap_atomic(page, KM_USER0) + offset; + +and then later we touch *map. + +Since we are running in batched mode (lazy) we don't actually +set up the PTE mappings and the kmap_atomic is not done +synchronously and ends up trying to dereference a page that has +not been set. + +Looking at kmap_atomic_prot_pfn(), it uses +'arch_flush_lazy_mmu_mode' and doing the same in +kmap_atomic_prot() and __kunmap_atomic() makes the problem go +away. + +Interestingly, commit b8bcfe997e4615 ("x86/paravirt: remove lazy +mode in interrupts") removed part of this to fix an interrupt +issue - but it went to far and did not consider this scenario. + +Signed-off-by: Konrad Rzeszutek Wilk +Cc: Peter Zijlstra +Cc: Jeremy Fitzhardinge +Signed-off-by: Andrew Morton +Signed-off-by: Ingo Molnar +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/mm/highmem_32.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/x86/mm/highmem_32.c ++++ b/arch/x86/mm/highmem_32.c +@@ -45,6 +45,7 @@ void *kmap_atomic_prot(struct page *page + vaddr = __fix_to_virt(FIX_KMAP_BEGIN + idx); + BUG_ON(!pte_none(*(kmap_pte-idx))); + set_pte(kmap_pte-idx, mk_pte(page, prot)); ++ arch_flush_lazy_mmu_mode(); + + return (void *)vaddr; + } +@@ -88,6 +89,7 @@ void __kunmap_atomic(void *kvaddr) + */ + kpte_clear_flush(kmap_pte-idx, vaddr); + kmap_atomic_idx_pop(); ++ arch_flush_lazy_mmu_mode(); + } + #ifdef CONFIG_DEBUG_HIGHMEM + else {