From 5556328511119fa2ffe6eda5a25306a73f021da5 Mon Sep 17 00:00:00 2001 From: Greg Kroah-Hartman Date: Wed, 30 Jan 2013 10:19:24 +0100 Subject: [PATCH] 3.0-stable patches added patches: arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch bluetooth-fix-sending-hci-commands-after-reset.patch --- ...a_cache_maint-to-work-with-sparsemem.patch | 76 +++++++++++++++++++ ...fix-sending-hci-commands-after-reset.patch | 47 ++++++++++++ queue-3.0/series | 2 + 3 files changed, 125 insertions(+) create mode 100644 queue-3.0/arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch create mode 100644 queue-3.0/bluetooth-fix-sending-hci-commands-after-reset.patch diff --git a/queue-3.0/arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch b/queue-3.0/arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch new file mode 100644 index 00000000000..0ba4d3a69a7 --- /dev/null +++ b/queue-3.0/arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch @@ -0,0 +1,76 @@ +From 15653371c67c3fbe359ae37b720639dd4c7b42c5 Mon Sep 17 00:00:00 2001 +From: Russell King +Date: Sat, 19 Jan 2013 11:05:57 +0000 +Subject: ARM: DMA: Fix struct page iterator in dma_cache_maint() to work with sparsemem + +From: Russell King + +commit 15653371c67c3fbe359ae37b720639dd4c7b42c5 upstream. + +Subhash Jadavani reported this partial backtrace: + Now consider this call stack from MMC block driver (this is on the ARMv7 + based board): + + [] (v7_dma_inv_range+0x30/0x48) from [] (dma_cache_maint_page+0x1c4/0x24c) + [] (dma_cache_maint_page+0x1c4/0x24c) from [] (___dma_page_cpu_to_dev+0x14/0x1c) + [] (___dma_page_cpu_to_dev+0x14/0x1c) from [] (dma_map_sg+0x3c/0x114) + +This is caused by incrementing the struct page pointer, and running off +the end of the sparsemem page array. Fix this by incrementing by pfn +instead, and convert the pfn to a struct page. + +Suggested-by: James Bottomley +Tested-by: Subhash Jadavani +Signed-off-by: Russell King +Signed-off-by: Greg Kroah-Hartman + +--- + arch/arm/mm/dma-mapping.c | 18 ++++++++++-------- + 1 file changed, 10 insertions(+), 8 deletions(-) + +--- a/arch/arm/mm/dma-mapping.c ++++ b/arch/arm/mm/dma-mapping.c +@@ -467,25 +467,27 @@ static void dma_cache_maint_page(struct + size_t size, enum dma_data_direction dir, + void (*op)(const void *, size_t, int)) + { ++ unsigned long pfn; ++ size_t left = size; ++ ++ pfn = page_to_pfn(page) + offset / PAGE_SIZE; ++ offset %= PAGE_SIZE; ++ + /* + * A single sg entry may refer to multiple physically contiguous + * pages. But we still need to process highmem pages individually. + * If highmem is not configured then the bulk of this loop gets + * optimized out. + */ +- size_t left = size; + do { + size_t len = left; + void *vaddr; + ++ page = pfn_to_page(pfn); ++ + if (PageHighMem(page)) { +- if (len + offset > PAGE_SIZE) { +- if (offset >= PAGE_SIZE) { +- page += offset / PAGE_SIZE; +- offset %= PAGE_SIZE; +- } ++ if (len + offset > PAGE_SIZE) + len = PAGE_SIZE - offset; +- } + vaddr = kmap_high_get(page); + if (vaddr) { + vaddr += offset; +@@ -502,7 +504,7 @@ static void dma_cache_maint_page(struct + op(vaddr, len, dir); + } + offset = 0; +- page++; ++ pfn++; + left -= len; + } while (left); + } diff --git a/queue-3.0/bluetooth-fix-sending-hci-commands-after-reset.patch b/queue-3.0/bluetooth-fix-sending-hci-commands-after-reset.patch new file mode 100644 index 00000000000..db54e129727 --- /dev/null +++ b/queue-3.0/bluetooth-fix-sending-hci-commands-after-reset.patch @@ -0,0 +1,47 @@ +From dbccd791a3fbbdac12c33834b73beff3984988e9 Mon Sep 17 00:00:00 2001 +From: Szymon Janc +Date: Tue, 11 Dec 2012 08:51:19 +0100 +Subject: Bluetooth: Fix sending HCI commands after reset + +From: Szymon Janc + +commit dbccd791a3fbbdac12c33834b73beff3984988e9 upstream. + +After sending reset command wait for its command complete event before +sending next command. Some chips sends CC event for command received +before reset if reset was send before chip replied with CC. + +This is also required by specification that host shall not send +additional HCI commands before receiving CC for reset. + +< HCI Command: Reset (0x03|0x0003) plen 0 [hci0] 18.404612 +> HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.405850 + Write Extended Inquiry Response (0x03|0x0052) ncmd 1 + Status: Success (0x00) +< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.406079 +> HCI Event: Command Complete (0x0e) plen 4 [hci0] 18.407864 + Reset (0x03|0x0003) ncmd 1 + Status: Success (0x00) +< HCI Command: Read Local Supported Features (0x04|0x0003) plen 0 [hci0] 18.408062 +> HCI Event: Command Complete (0x0e) plen 12 [hci0] 18.408835 + +Signed-off-by: Szymon Janc +Acked-by: Johan Hedberg +Signed-off-by: Gustavo Padovan +Signed-off-by: Greg Kroah-Hartman + +--- + net/bluetooth/hci_event.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/hci_event.c ++++ b/net/bluetooth/hci_event.c +@@ -1823,7 +1823,7 @@ static inline void hci_cmd_complete_evt( + if (ev->opcode != HCI_OP_NOP) + del_timer(&hdev->cmd_timer); + +- if (ev->ncmd) { ++ if (ev->ncmd && !test_bit(HCI_RESET, &hdev->flags)) { + atomic_set(&hdev->cmd_cnt, 1); + if (!skb_queue_empty(&hdev->cmd_q)) + tasklet_schedule(&hdev->cmd_task); diff --git a/queue-3.0/series b/queue-3.0/series index 9fbc4f0c222..411514c2248 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -2,3 +2,5 @@ can-c_can-fix-invalid-error-codes.patch can-ti_hecc-fix-invalid-error-codes.patch can-pch_can-fix-invalid-error-codes.patch fs-cifs-cifs_dfs_ref.c-fix-potential-memory-leakage.patch +arm-dma-fix-struct-page-iterator-in-dma_cache_maint-to-work-with-sparsemem.patch +bluetooth-fix-sending-hci-commands-after-reset.patch -- 2.47.3