From 2d3823c0654a04a1306fe6be0603ac3690f6acd2 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Mon, 5 Nov 2012 14:34:38 +0100 Subject: [PATCH] 3.6-stable patches added patches: ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch input-tsc40-remove-wrong-announcement-of-pressure-support.patch ixgbe-ptp-get_ts_info-missing-software-support.patch xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch --- ...tially-causing-access-to-free-d-skbs.patch | 43 +++++++++ ...n-blockacks-while-checking-tx-status.patch | 65 ++++++++++++++ ...ong-announcement-of-pressure-support.patch | 33 +++++++ ...get_ts_info-missing-software-support.patch | 34 +++++++ queue-3.6/series | 6 ++ ...mory-from-ioctl_gntdev_map_grant_ref.patch | 82 +++++++++++++++++ ...tlb-flush-instead-of-the-generic-one.patch | 88 +++++++++++++++++++ 7 files changed, 351 insertions(+) create mode 100644 queue-3.6/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch create mode 100644 queue-3.6/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch create mode 100644 queue-3.6/input-tsc40-remove-wrong-announcement-of-pressure-support.patch create mode 100644 queue-3.6/ixgbe-ptp-get_ts_info-missing-software-support.patch create mode 100644 queue-3.6/series create mode 100644 queue-3.6/xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch create mode 100644 queue-3.6/xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch diff --git a/queue-3.6/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch b/queue-3.6/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch new file mode 100644 index 00000000000..73c0d6f695f --- /dev/null +++ b/queue-3.6/ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch @@ -0,0 +1,43 @@ +From 8c6e30936a7893a85f6222084f0f26aceb81137a Mon Sep 17 00:00:00 2001 +From: Felix Fietkau +Date: Fri, 26 Oct 2012 00:31:11 +0200 +Subject: ath9k: fix stale pointers potentially causing access to free'd skbs + +From: Felix Fietkau + +commit 8c6e30936a7893a85f6222084f0f26aceb81137a upstream. + +bf->bf_next is only while buffers are chained as part of an A-MPDU +in the tx queue. When a tid queue is flushed (e.g. on tearing down +an aggregation session), frames can be enqueued again as normal +transmission, without bf_next being cleared. This can lead to the +old pointer being dereferenced again later. + +This patch might fix crashes and "Failed to stop TX DMA!" messages. + +Signed-off-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/xmit.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -312,6 +312,7 @@ static struct ath_buf *ath_tx_get_buffer + } + + bf = list_first_entry(&sc->tx.txbuf, struct ath_buf, list); ++ bf->bf_next = NULL; + list_del(&bf->list); + + spin_unlock_bh(&sc->tx.txbuflock); +@@ -1774,6 +1775,7 @@ static void ath_tx_send_normal(struct at + list_add_tail(&bf->list, &bf_head); + bf->bf_state.bf_type = 0; + ++ bf->bf_next = NULL; + bf->bf_lastbf = bf; + ath_tx_fill_desc(sc, bf, txq, fi->framelen); + ath_tx_txqaddbuf(sc, txq, &bf_head, false); diff --git a/queue-3.6/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch b/queue-3.6/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch new file mode 100644 index 00000000000..1b5729bd755 --- /dev/null +++ b/queue-3.6/ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch @@ -0,0 +1,65 @@ +From 6fe7cc71bbf3a0bc28c9cec3c00bc11e81344412 Mon Sep 17 00:00:00 2001 +From: Sven Eckelmann +Date: Mon, 29 Oct 2012 13:25:20 +0100 +Subject: ath9k: Test for TID only in BlockAcks while checking tx status + +From: Sven Eckelmann + +commit 6fe7cc71bbf3a0bc28c9cec3c00bc11e81344412 upstream. + +The ath9k xmit functions for AMPDUs can send frames as non-aggregate in case +only one frame is currently available. The client will then answer using a +normal Ack instead of a BlockAck. This acknowledgement has no TID stored and +therefore the hardware is not able to provide us the corresponding TID. + +The TID set by the hardware in the tx status descriptor has to be seen as +undefined and not as a valid TID value for normal acknowledgements. Doing +otherwise results in a massive amount of retransmissions and stalls of +connections. + +Users may experience low bandwidth and complete connection stalls in +environments with transfers using multiple TIDs. + +This regression was introduced in b11b160defc48e4daa283f785192ea3a23a51f8e +("ath9k: validate the TID in the tx status information"). + +Signed-off-by: Sven Eckelmann +Signed-off-by: Simon Wunderlich +Acked-by: Felix Fietkau +Signed-off-by: John W. Linville +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/wireless/ath/ath9k/xmit.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -394,7 +394,7 @@ static void ath_tx_complete_aggr(struct + u16 seq_st = 0, acked_cnt = 0, txfail_cnt = 0, seq_first; + u32 ba[WME_BA_BMP_SIZE >> 5]; + int isaggr, txfail, txpending, sendbar = 0, needreset = 0, nbad = 0; +- bool rc_update = true; ++ bool rc_update = true, isba; + struct ieee80211_tx_rate rates[4]; + struct ath_frame_info *fi; + int nframes; +@@ -438,13 +438,17 @@ static void ath_tx_complete_aggr(struct + tidno = ieee80211_get_qos_ctl(hdr)[0] & IEEE80211_QOS_CTL_TID_MASK; + tid = ATH_AN_2_TID(an, tidno); + seq_first = tid->seq_start; ++ isba = ts->ts_flags & ATH9K_TX_BA; + + /* + * The hardware occasionally sends a tx status for the wrong TID. + * In this case, the BA status cannot be considered valid and all + * subframes need to be retransmitted ++ * ++ * Only BlockAcks have a TID and therefore normal Acks cannot be ++ * checked + */ +- if (tidno != ts->tid) ++ if (isba && tidno != ts->tid) + txok = false; + + isaggr = bf_isaggr(bf); diff --git a/queue-3.6/input-tsc40-remove-wrong-announcement-of-pressure-support.patch b/queue-3.6/input-tsc40-remove-wrong-announcement-of-pressure-support.patch new file mode 100644 index 00000000000..4f08e428ea9 --- /dev/null +++ b/queue-3.6/input-tsc40-remove-wrong-announcement-of-pressure-support.patch @@ -0,0 +1,33 @@ +From 32ed1911fc79908d704023317d4ddeb3883fd07e Mon Sep 17 00:00:00 2001 +From: Rolf Eike Beer +Date: Tue, 30 Oct 2012 23:39:10 -0700 +Subject: Input: tsc40 - remove wrong announcement of pressure support + +From: Rolf Eike Beer + +commit 32ed1911fc79908d704023317d4ddeb3883fd07e upstream. + +The tsc40 driver announces it supports the pressure event, but will never +send one. The announcement will cause tslib to wait for such events and +sending all touch events with a pressure of 0. Removing the announcement +will make tslib fall back to emulating the pressure on touch events so +everything works as expected. + +Signed-off-by: Rolf Eike Beer +Signed-off-by: Dmitry Torokhov +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/input/touchscreen/tsc40.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/input/touchscreen/tsc40.c ++++ b/drivers/input/touchscreen/tsc40.c +@@ -107,7 +107,6 @@ static int tsc_connect(struct serio *ser + __set_bit(BTN_TOUCH, input_dev->keybit); + input_set_abs_params(ptsc->dev, ABS_X, 0, 0x3ff, 0, 0); + input_set_abs_params(ptsc->dev, ABS_Y, 0, 0x3ff, 0, 0); +- input_set_abs_params(ptsc->dev, ABS_PRESSURE, 0, 0, 0, 0); + + serio_set_drvdata(serio, ptsc); + diff --git a/queue-3.6/ixgbe-ptp-get_ts_info-missing-software-support.patch b/queue-3.6/ixgbe-ptp-get_ts_info-missing-software-support.patch new file mode 100644 index 00000000000..8cc1cbef7c1 --- /dev/null +++ b/queue-3.6/ixgbe-ptp-get_ts_info-missing-software-support.patch @@ -0,0 +1,34 @@ +From 50f8d35de8ba4af311ea1176c534e8b73bb198e5 Mon Sep 17 00:00:00 2001 +From: Jacob Keller +Date: Wed, 31 Oct 2012 22:30:54 +0000 +Subject: ixgbe: PTP get_ts_info missing software support + +From: Jacob Keller + +commit 50f8d35de8ba4af311ea1176c534e8b73bb198e5 upstream. + +This patch corrects the ethtool get_ts_info functon which did not state that +software timestamping was supported, even though it is. + +Signed-off-by: Jacob Keller +Tested-by: Stephen Ko +Signed-off-by: Jeff Kirsher +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c ++++ b/drivers/net/ethernet/intel/ixgbe/ixgbe_ethtool.c +@@ -2673,6 +2673,9 @@ static int ixgbe_get_ts_info(struct net_ + case ixgbe_mac_X540: + case ixgbe_mac_82599EB: + info->so_timestamping = ++ SOF_TIMESTAMPING_TX_SOFTWARE | ++ SOF_TIMESTAMPING_RX_SOFTWARE | ++ SOF_TIMESTAMPING_SOFTWARE | + SOF_TIMESTAMPING_TX_HARDWARE | + SOF_TIMESTAMPING_RX_HARDWARE | + SOF_TIMESTAMPING_RAW_HARDWARE; diff --git a/queue-3.6/series b/queue-3.6/series new file mode 100644 index 00000000000..3de14478813 --- /dev/null +++ b/queue-3.6/series @@ -0,0 +1,6 @@ +xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch +xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch +ixgbe-ptp-get_ts_info-missing-software-support.patch +input-tsc40-remove-wrong-announcement-of-pressure-support.patch +ath9k-fix-stale-pointers-potentially-causing-access-to-free-d-skbs.patch +ath9k-test-for-tid-only-in-blockacks-while-checking-tx-status.patch diff --git a/queue-3.6/xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch b/queue-3.6/xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch new file mode 100644 index 00000000000..df2e6d05dbe --- /dev/null +++ b/queue-3.6/xen-gntdev-don-t-leak-memory-from-ioctl_gntdev_map_grant_ref.patch @@ -0,0 +1,82 @@ +From a67baeb77375199bbd842fa308cb565164dd1f19 Mon Sep 17 00:00:00 2001 +From: David Vrabel +Date: Wed, 24 Oct 2012 12:39:02 +0100 +Subject: xen/gntdev: don't leak memory from IOCTL_GNTDEV_MAP_GRANT_REF + +From: David Vrabel + +commit a67baeb77375199bbd842fa308cb565164dd1f19 upstream. + +map->kmap_ops allocated in gntdev_alloc_map() wasn't freed by +gntdev_put_map(). + +Add a gntdev_free_map() helper function to free everything allocated +by gntdev_alloc_map(). + +Signed-off-by: David Vrabel +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + drivers/xen/gntdev.c | 36 +++++++++++++++++++----------------- + 1 file changed, 19 insertions(+), 17 deletions(-) + +--- a/drivers/xen/gntdev.c ++++ b/drivers/xen/gntdev.c +@@ -105,6 +105,21 @@ static void gntdev_print_maps(struct gnt + #endif + } + ++static void gntdev_free_map(struct grant_map *map) ++{ ++ if (map == NULL) ++ return; ++ ++ if (map->pages) ++ free_xenballooned_pages(map->count, map->pages); ++ kfree(map->pages); ++ kfree(map->grants); ++ kfree(map->map_ops); ++ kfree(map->unmap_ops); ++ kfree(map->kmap_ops); ++ kfree(map); ++} ++ + static struct grant_map *gntdev_alloc_map(struct gntdev_priv *priv, int count) + { + struct grant_map *add; +@@ -142,12 +157,7 @@ static struct grant_map *gntdev_alloc_ma + return add; + + err: +- kfree(add->pages); +- kfree(add->grants); +- kfree(add->map_ops); +- kfree(add->unmap_ops); +- kfree(add->kmap_ops); +- kfree(add); ++ gntdev_free_map(add); + return NULL; + } + +@@ -198,17 +208,9 @@ static void gntdev_put_map(struct grant_ + evtchn_put(map->notify.event); + } + +- if (map->pages) { +- if (!use_ptemod) +- unmap_grant_pages(map, 0, map->count); +- +- free_xenballooned_pages(map->count, map->pages); +- } +- kfree(map->pages); +- kfree(map->grants); +- kfree(map->map_ops); +- kfree(map->unmap_ops); +- kfree(map); ++ if (map->pages && !use_ptemod) ++ unmap_grant_pages(map, 0, map->count); ++ gntdev_free_map(map); + } + + /* ------------------------------------------------------------------ */ diff --git a/queue-3.6/xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch b/queue-3.6/xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch new file mode 100644 index 00000000000..ee536dbef59 --- /dev/null +++ b/queue-3.6/xen-mmu-use-xen-specific-tlb-flush-instead-of-the-generic-one.patch @@ -0,0 +1,88 @@ +From 95a7d76897c1e7243d4137037c66d15cbf2cce76 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk +Date: Wed, 31 Oct 2012 12:38:31 -0400 +Subject: xen/mmu: Use Xen specific TLB flush instead of the generic one. + +From: Konrad Rzeszutek Wilk + +commit 95a7d76897c1e7243d4137037c66d15cbf2cce76 upstream. + +As Mukesh explained it, the MMUEXT_TLB_FLUSH_ALL allows the +hypervisor to do a TLB flush on all active vCPUs. If instead +we were using the generic one (which ends up being xen_flush_tlb) +we end up making the MMUEXT_TLB_FLUSH_LOCAL hypercall. But +before we make that hypercall the kernel will IPI all of the +vCPUs (even those that were asleep from the hypervisor +perspective). The end result is that we needlessly wake them +up and do a TLB flush when we can just let the hypervisor +do it correctly. + +This patch gives around 50% speed improvement when migrating +idle guest's from one host to another. + +Oracle-bug: 14630170 + +Tested-by: Jingjie Jiang +Suggested-by: Mukesh Rathor +Signed-off-by: Konrad Rzeszutek Wilk +Signed-off-by: Greg Kroah-Hartman + +--- + arch/x86/xen/mmu.c | 21 ++++++++++++++++++++- + include/trace/events/xen.h | 8 ++++++++ + 2 files changed, 28 insertions(+), 1 deletion(-) + +--- a/arch/x86/xen/mmu.c ++++ b/arch/x86/xen/mmu.c +@@ -1215,6 +1215,25 @@ unsigned long xen_read_cr2_direct(void) + return this_cpu_read(xen_vcpu_info.arch.cr2); + } + ++void xen_flush_tlb_all(void) ++{ ++ struct mmuext_op *op; ++ struct multicall_space mcs; ++ ++ trace_xen_mmu_flush_tlb_all(0); ++ ++ preempt_disable(); ++ ++ mcs = xen_mc_entry(sizeof(*op)); ++ ++ op = mcs.args; ++ op->cmd = MMUEXT_TLB_FLUSH_ALL; ++ MULTI_mmuext_op(mcs.mc, op, 1, NULL, DOMID_SELF); ++ ++ xen_mc_issue(PARAVIRT_LAZY_MMU); ++ ++ preempt_enable(); ++} + static void xen_flush_tlb(void) + { + struct mmuext_op *op; +@@ -2366,7 +2385,7 @@ int xen_remap_domain_mfn_range(struct vm + err = 0; + out: + +- flush_tlb_all(); ++ xen_flush_tlb_all(); + + return err; + } +--- a/include/trace/events/xen.h ++++ b/include/trace/events/xen.h +@@ -377,6 +377,14 @@ DECLARE_EVENT_CLASS(xen_mmu_pgd, + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_pin); + DEFINE_XEN_MMU_PGD_EVENT(xen_mmu_pgd_unpin); + ++TRACE_EVENT(xen_mmu_flush_tlb_all, ++ TP_PROTO(int x), ++ TP_ARGS(x), ++ TP_STRUCT__entry(__array(char, x, 0)), ++ TP_fast_assign((void)x), ++ TP_printk("%s", "") ++ ); ++ + TRACE_EVENT(xen_mmu_flush_tlb, + TP_PROTO(int x), + TP_ARGS(x), -- 2.47.3