diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2012-08-01 15:08:05 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2012-08-01 15:29:47 -0400 |
commit | b6dd242df8547b7cc5c9a6dfbc8843286e7127f3 (patch) | |
tree | f4549eb172a303775db0c97f9ab2dd56699840be | |
parent | 6b333fb44dcf21434bac252b89cc0e899f8a0abd (diff) | |
download | longterm-queue-2.6.34-b6dd242df8547b7cc5c9a6dfbc8843286e7127f3.tar.gz |
add content based on v2.6.32.47 additions
All fed through reviewbot; not yet build tested.
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
88 files changed, 5727 insertions, 0 deletions
diff --git a/queue/3w-9xxx-fix-iommu_iova-leak.patch b/queue/3w-9xxx-fix-iommu_iova-leak.patch new file mode 100644 index 0000000..c6f7dfd --- /dev/null +++ b/queue/3w-9xxx-fix-iommu_iova-leak.patch @@ -0,0 +1,39 @@ +From d55e670aa45555a5017f14d287f44d37a79bcf31 Mon Sep 17 00:00:00 2001 +From: James Bottomley <JBottomley@Parallels.com> +Date: Sun, 18 Sep 2011 18:56:20 +0400 +Subject: [PATCH] 3w-9xxx: fix iommu_iova leak + +commit 96067723e46b0dd24ae7b934085ab4eff4d26a1b upstream. + +Following reports on the list, it looks like the 3e-9xxx driver will leak dma +mappings every time we get a transient queueing error back from the card. +This is because it maps the sg list in the routine that sends the command, but +doesn't unmap again in the transient failure path (even though the command is +sent back to the block layer). Fix by unmapping before returning the status. + +Reported-by: Chris Boot <bootc@bootc.net> +Tested-by: Chris Boot <bootc@bootc.net> +Acked-by: Adam Radford <aradford@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/3w-9xxx.c b/drivers/scsi/3w-9xxx.c +index e9788f5..3499131 100644 +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -1794,10 +1794,12 @@ static int twa_scsi_queue(struct scsi_cmnd *SCpnt, void (*done)(struct scsi_cmnd + switch (retval) { + case SCSI_MLQUEUE_HOST_BUSY: + twa_free_request_id(tw_dev, request_id); ++ twa_unmap_scsi_data(tw_dev, request_id); + break; + case 1: + tw_dev->state[request_id] = TW_S_COMPLETED; + twa_free_request_id(tw_dev, request_id); ++ twa_unmap_scsi_data(tw_dev, request_id); + SCpnt->result = (DID_ERROR << 16); + done(SCpnt); + retval = 0; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ALSA-HDA-Add-new-revision-for-ALC662.patch b/queue/ALSA-HDA-Add-new-revision-for-ALC662.patch new file mode 100644 index 0000000..89bc628 --- /dev/null +++ b/queue/ALSA-HDA-Add-new-revision-for-ALC662.patch @@ -0,0 +1,33 @@ +From 444b9e04b5c4004d7c86310f99cace56c7b33d48 Mon Sep 17 00:00:00 2001 +From: David Henningsson <david.henningsson@canonical.com> +Date: Tue, 18 Oct 2011 14:07:51 +0200 +Subject: [PATCH] ALSA: HDA: Add new revision for ALC662 + +commit cc667a72d471e79fd8e5e291ea115923cf44dca0 upstream. + +The revision 0x100300 was found for ALC662. It seems to work well +with patch_alc662. + +BugLink: http://bugs.launchpad.net/bugs/877373 +Tested-by: Shengyao Xue <Shengyao.xue@canonical.com> +Signed-off-by: David Henningsson <david.henningsson@canonical.com> +Acked-by: Kailang Yang <kailang@realtek.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index 2c71de1..94f1a80 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -18657,6 +18657,8 @@ static struct hda_codec_preset snd_hda_preset_realtek[] = { + .patch = patch_alc882 }, + { .id = 0x10ec0662, .rev = 0x100101, .name = "ALC662 rev1", + .patch = patch_alc662 }, ++ { .id = 0x10ec0662, .rev = 0x100300, .name = "ALC662 rev3", ++ .patch = patch_alc662 }, + { .id = 0x10ec0663, .name = "ALC663", .patch = patch_alc662 }, + { .id = 0x10ec0665, .name = "ALC665", .patch = patch_alc662 }, + { .id = 0x10ec0670, .name = "ALC670", .patch = patch_alc662 }, +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ALSA-HDA-Cirrus-fix-Surround-Speaker-volume-control-.patch b/queue/ALSA-HDA-Cirrus-fix-Surround-Speaker-volume-control-.patch new file mode 100644 index 0000000..ccd6fa9 --- /dev/null +++ b/queue/ALSA-HDA-Cirrus-fix-Surround-Speaker-volume-control-.patch @@ -0,0 +1,32 @@ +From e5a873bb5c9857c1060b089a2444bc6512dcd649 Mon Sep 17 00:00:00 2001 +From: David Henningsson <david.henningsson@canonical.com> +Date: Wed, 14 Sep 2011 13:22:54 +0200 +Subject: [PATCH] ALSA: HDA: Cirrus - fix "Surround Speaker" volume control + name + +commit 2e1210bc3d065a6e26ff5fef228a9a7e08921d2c upstream. + +This patch fixes "Surround Speaker Playback Volume" being cut off. +(Commit b4dabfc452a10 was probably meant to fix this, but it fixed +only the "Switch" name, not the "Volume" name.) + +Signed-off-by: David Henningsson <david.henningsson@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/pci/hda/patch_cirrus.c b/sound/pci/hda/patch_cirrus.c +index 5f08464..71855e3 100644 +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -510,7 +510,7 @@ static int add_volume(struct hda_codec *codec, const char *name, + int index, unsigned int pval, int dir, + struct snd_kcontrol **kctlp) + { +- char tmp[32]; ++ char tmp[44]; + struct snd_kcontrol_new knew = + HDA_CODEC_VOLUME_IDX(tmp, index, 0, 0, HDA_OUTPUT); + knew.private_value = pval; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ALSA-hda-realtek-Avoid-bogus-HP-pin-assignment.patch b/queue/ALSA-hda-realtek-Avoid-bogus-HP-pin-assignment.patch new file mode 100644 index 0000000..c56e89d --- /dev/null +++ b/queue/ALSA-hda-realtek-Avoid-bogus-HP-pin-assignment.patch @@ -0,0 +1,34 @@ +From 2d866337cb16fe408898fe794e5ec7ca1fbcb15e Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Mon, 26 Sep 2011 10:41:21 +0200 +Subject: [PATCH] ALSA: hda/realtek - Avoid bogus HP-pin assignment + +commit 5fe6e0151dbd969f5fbcd94d05c968b76d76952b upstream. + +When the headphone pin is assigned as primary output to line_out_pins[], +the automatic HP-pin assignment by ASSID must be suppressed. Otherwise +a wrong pin might be assigned to the headphone and breaks the auto-mute. + +Reference: https://bugzilla.novell.com/show_bug.cgi?id=716104 + +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c +index d388680..2c71de1 100644 +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1336,7 +1336,9 @@ do_sku: + * 15 : 1 --> enable the function "Mute internal speaker + * when the external headphone out jack is plugged" + */ +- if (!spec->autocfg.hp_pins[0]) { ++ if (!spec->autocfg.hp_pins[0] && ++ !(spec->autocfg.line_out_pins[0] && ++ spec->autocfg.line_out_type == AUTO_PIN_HP_OUT)) { + hda_nid_t nid; + tmp = (ass >> 11) & 0x3; /* HP to chassis */ + if (tmp == 0) +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ARM-davinci-da850-EVM-read-mac-address-from-SPI-flas.patch b/queue/ARM-davinci-da850-EVM-read-mac-address-from-SPI-flas.patch new file mode 100644 index 0000000..4438ef3 --- /dev/null +++ b/queue/ARM-davinci-da850-EVM-read-mac-address-from-SPI-flas.patch @@ -0,0 +1,93 @@ +From 686bfe38e4cb943ba145590cfc54b2610e8297b1 Mon Sep 17 00:00:00 2001 +From: "Rajashekhara, Sudhakar" <sudhakar.raj@ti.com> +Date: Tue, 12 Jul 2011 15:58:53 +0530 +Subject: [PATCH] ARM: davinci: da850 EVM: read mac address from SPI flash + +commit 810198bc9c109489dfadc57131c5183ce6ad2d7d upstream. + +DA850/OMAP-L138 EMAC driver uses random mac address instead of +a fixed one because the mac address is not stuffed into EMAC +platform data. + +This patch provides a function which reads the mac address +stored in SPI flash (registered as MTD device) and populates the +EMAC platform data. The function which reads the mac address is +registered as a callback which gets called upon addition of MTD +device. + +NOTE: In case the MAC address stored in SPI flash is erased, follow +the instructions at [1] to restore it. + +[1] http://processors.wiki.ti.com/index.php/GSG:_OMAP-L138_DVEVM_Additional_Procedures#Restoring_MAC_address_on_SPI_Flash + +Modifications in v2: +Guarded registering the mtd_notifier only when MTD is enabled. +Earlier this was handled using mtd_has_partitions() call, but +this has been removed in Linux v3.0. + +Modifications in v3: +a. Guarded da850_evm_m25p80_notify_add() function and + da850evm_spi_notifier structure with CONFIG_MTD macros. +b. Renamed da850_evm_register_mtd_user() function to + da850_evm_setup_mac_addr() and removed the struct mtd_notifier + argument to this function. +c. Passed the da850evm_spi_notifier structure to register_mtd_user() + function. + +Modifications in v4: +Moved the da850_evm_setup_mac_addr() function within the first +CONFIG_MTD ifdef construct. + +Signed-off-by: Rajashekhara, Sudhakar <sudhakar.raj@ti.com> +Signed-off-by: Sekhar Nori <nsekhar@ti.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/arm/mach-davinci/board-da850-evm.c b/arch/arm/mach-davinci/board-da850-evm.c +index 411284d..cc4e5cb 100644 +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -44,6 +44,32 @@ + + #define DA850_MII_MDIO_CLKEN_PIN GPIO_TO_PIN(2, 6) + ++#ifdef CONFIG_MTD ++static void da850_evm_m25p80_notify_add(struct mtd_info *mtd) ++{ ++ char *mac_addr = davinci_soc_info.emac_pdata->mac_addr; ++ size_t retlen; ++ ++ if (!strcmp(mtd->name, "MAC-Address")) { ++ mtd->read(mtd, 0, ETH_ALEN, &retlen, mac_addr); ++ if (retlen == ETH_ALEN) ++ pr_info("Read MAC addr from SPI Flash: %pM\n", ++ mac_addr); ++ } ++} ++ ++static struct mtd_notifier da850evm_spi_notifier = { ++ .add = da850_evm_m25p80_notify_add, ++}; ++ ++static void da850_evm_setup_mac_addr(void) ++{ ++ register_mtd_user(&da850evm_spi_notifier); ++} ++#else ++static void da850_evm_setup_mac_addr(void) { } ++#endif ++ + static struct mtd_partition da850_evm_norflash_partition[] = { + { + .name = "bootloaders + env", +@@ -726,6 +752,8 @@ static __init void da850_evm_init(void) + if (ret) + pr_warning("da850_evm_init: suspend registration failed: %d\n", + ret); ++ ++ da850_evm_setup_mac_addr(); + } + + #ifdef CONFIG_SERIAL_8250_CONSOLE +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ASIX-Add-AX88772B-USB-ID.patch b/queue/ASIX-Add-AX88772B-USB-ID.patch new file mode 100644 index 0000000..7a8de17 --- /dev/null +++ b/queue/ASIX-Add-AX88772B-USB-ID.patch @@ -0,0 +1,31 @@ +From fd87e14491dbe3a0c7963ab113ebeb59005713a8 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marek.vasut@gmail.com> +Date: Wed, 20 Jul 2011 05:57:04 +0000 +Subject: [PATCH] ASIX: Add AX88772B USB ID + +commit 308859097831831a979f2e82cbeef0a94f438080 upstream. + +This device can be found in Acer Iconia TAB W500 tablet dock. + +Signed-off-by: Marek Vasut <marek.vasut@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/usb/asix.c b/drivers/net/usb/asix.c +index 35f56fc..60e882f 100644 +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -1473,6 +1473,10 @@ static const struct usb_device_id products [] = { + USB_DEVICE (0x04f1, 0x3008), + .driver_info = (unsigned long) &ax8817x_info, + }, { ++ // ASIX AX88772B 10/100 ++ USB_DEVICE (0x0b95, 0x772b), ++ .driver_info = (unsigned long) &ax88772_info, ++}, { + // ASIX AX88772 10/100 + USB_DEVICE (0x0b95, 0x7720), + .driver_info = (unsigned long) &ax88772_info, +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ASoC-Fix-reporting-of-partial-jack-updates.patch b/queue/ASoC-Fix-reporting-of-partial-jack-updates.patch new file mode 100644 index 0000000..6e5f1ba --- /dev/null +++ b/queue/ASoC-Fix-reporting-of-partial-jack-updates.patch @@ -0,0 +1,32 @@ +From 71720968f183e74a1c94f4d6eb8238ba1854e17e Mon Sep 17 00:00:00 2001 +From: Mark Brown <broonie@opensource.wolfsonmicro.com> +Date: Sun, 4 Sep 2011 08:18:18 -0700 +Subject: [PATCH] ASoC: Fix reporting of partial jack updates + +commit 747da0f80e566500421bd7760b2e050fea3fde5e upstream. + +We need to report the entire jack state to the core jack code, not just +the bits that were being updated by the caller, otherwise the status +reported by other detection methods will be omitted from the state seen +by userspace. + +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Acked-by: Liam Girdwood <lrg@ti.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/soc/soc-jack.c b/sound/soc/soc-jack.c +index 3c07a94..f097755 100644 +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -95,7 +95,7 @@ void snd_soc_jack_report(struct snd_soc_jack *jack, int status, int mask) + + snd_soc_dapm_sync(codec); + +- snd_jack_report(jack->jack, status); ++ snd_jack_report(jack->jack, jack->status); + + out: + mutex_unlock(&codec->mutex); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ASoC-ak4535-fixup-cache-register-table.patch b/queue/ASoC-ak4535-fixup-cache-register-table.patch new file mode 100644 index 0000000..cd5756c --- /dev/null +++ b/queue/ASoC-ak4535-fixup-cache-register-table.patch @@ -0,0 +1,37 @@ +From 6836a90c5b0e3a75baf5540b868741091d47cd70 Mon Sep 17 00:00:00 2001 +From: Axel Lin <axel.lin@gmail.com> +Date: Thu, 13 Oct 2011 17:17:06 +0800 +Subject: [PATCH] ASoC: ak4535: fixup cache register table + +commit 7c04241acbdaf97f1448dcccd27ea0fcd1a57684 upstream. + +ak4535_reg should be 8bit, but cache table is defined as 16bit. + +Signed-off-by: Axel Lin <axel.lin@gmail.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/soc/codecs/ak4535.c b/sound/soc/codecs/ak4535.c +index 352d1d0..133d8f5 100644 +--- a/sound/soc/codecs/ak4535.c ++++ b/sound/soc/codecs/ak4535.c +@@ -41,11 +41,11 @@ struct ak4535_priv { + /* + * ak4535 register cache + */ +-static const u16 ak4535_reg[AK4535_CACHEREGNUM] = { +- 0x0000, 0x0080, 0x0000, 0x0003, +- 0x0002, 0x0000, 0x0011, 0x0001, +- 0x0000, 0x0040, 0x0036, 0x0010, +- 0x0000, 0x0000, 0x0057, 0x0000, ++static const u8 ak4535_reg[AK4535_CACHEREGNUM] = { ++ 0x00, 0x80, 0x00, 0x03, ++ 0x02, 0x00, 0x11, 0x01, ++ 0x00, 0x40, 0x36, 0x10, ++ 0x00, 0x00, 0x57, 0x00, + }; + + /* +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ASoC-ak4642-fixup-cache-register-table.patch b/queue/ASoC-ak4642-fixup-cache-register-table.patch new file mode 100644 index 0000000..ebf1143 --- /dev/null +++ b/queue/ASoC-ak4642-fixup-cache-register-table.patch @@ -0,0 +1,50 @@ +From d4e11a5746e1d12659aa3320e6a5f6254e63c4e6 Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> +Date: Thu, 13 Oct 2011 02:03:54 -0700 +Subject: [PATCH] ASoC: ak4642: fixup cache register table + +commit 19b115e523208a926813751aac8934cf3fc6085e upstream. + +ak4642 register was 8bit, but cache table was defined as 16bit. +ak4642 doesn't work correctry without this patch. + +Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/soc/codecs/ak4642.c b/sound/soc/codecs/ak4642.c +index 729859c..858d476 100644 +--- a/sound/soc/codecs/ak4642.c ++++ b/sound/soc/codecs/ak4642.c +@@ -94,17 +94,17 @@ static struct snd_soc_codec *ak4642_codec; + /* + * ak4642 register cache + */ +-static const u16 ak4642_reg[AK4642_CACHEREGNUM] = { +- 0x0000, 0x0000, 0x0001, 0x0000, +- 0x0002, 0x0000, 0x0000, 0x0000, +- 0x00e1, 0x00e1, 0x0018, 0x0000, +- 0x00e1, 0x0018, 0x0011, 0x0008, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, ++static const u8 ak4642_reg[AK4642_CACHEREGNUM] = { ++ 0x00, 0x00, 0x01, 0x00, ++ 0x02, 0x00, 0x00, 0x00, ++ 0xe1, 0xe1, 0x18, 0x00, ++ 0xe1, 0x18, 0x11, 0x08, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, + }; + + /* +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ASoC-wm8940-Properly-set-codec-dapm.bias_level.patch b/queue/ASoC-wm8940-Properly-set-codec-dapm.bias_level.patch new file mode 100644 index 0000000..8309781 --- /dev/null +++ b/queue/ASoC-wm8940-Properly-set-codec-dapm.bias_level.patch @@ -0,0 +1,29 @@ +From e59c675ead02277f11657e9d67743e5a1aa5da0e Mon Sep 17 00:00:00 2001 +From: Axel Lin <axel.lin@gmail.com> +Date: Wed, 26 Oct 2011 09:53:41 +0800 +Subject: [PATCH] ASoC: wm8940: Properly set codec->dapm.bias_level + +commit 5927f94700e860ae27ff24e7f3bc9e4f7b9922eb upstream. + +Reported-by: Chris Paulson-Ellis <chris@edesix.com> +Signed-off-by: Axel Lin <axel.lin@gmail.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Cc: stable@vger.kernel.org +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/sound/soc/codecs/wm8940.c b/sound/soc/codecs/wm8940.c +index 0c04b47..cbe5edd 100644 +--- a/sound/soc/codecs/wm8940.c ++++ b/sound/soc/codecs/wm8940.c +@@ -473,6 +473,8 @@ static int wm8940_set_bias_level(struct snd_soc_codec *codec, + break; + } + ++ codec->dapm.bias_level = level; ++ + return ret; + } + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/Bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-us.patch b/queue/Bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-us.patch new file mode 100644 index 0000000..0af24f0 --- /dev/null +++ b/queue/Bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-us.patch @@ -0,0 +1,44 @@ +From 3612e702e4f27f87664cbf76ce458455b9b02f6b Mon Sep 17 00:00:00 2001 +From: Filip Palian <s3810@pjwstk.edu.pl> +Date: Thu, 12 May 2011 19:32:46 +0200 +Subject: [PATCH] Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to + userspace. + +commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream. + +Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding +byte each. This byte in "cinfo" is copied to userspace uninitialized. + +Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl> +Acked-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> +[PG: l2cap_sock.c chunk is in l2cap.c in a 2.6.34 context/baseline] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/bluetooth/l2cap.c b/net/bluetooth/l2cap.c +index b21e319..0b6cf87 100644 +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -1898,6 +1898,7 @@ static int l2cap_sock_getsockopt_old(struct socket *sock, int optname, char __us + break; + } + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); + +diff --git a/net/bluetooth/rfcomm/sock.c b/net/bluetooth/rfcomm/sock.c +index 8ed3c37..b045bbb 100644 +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -882,6 +882,7 @@ static int rfcomm_sock_getsockopt_old(struct socket *sock, int optname, char __u + + l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/GRO-fix-merging-a-paged-skb-after-non-paged-skbs.patch b/queue/GRO-fix-merging-a-paged-skb-after-non-paged-skbs.patch new file mode 100644 index 0000000..3f8c32b --- /dev/null +++ b/queue/GRO-fix-merging-a-paged-skb-after-non-paged-skbs.patch @@ -0,0 +1,63 @@ +From fc6bae78220af74139120d14e5eecc72896f1456 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt <mschmidt@redhat.com> +Date: Mon, 24 Jan 2011 12:08:48 +0000 +Subject: [PATCH] GRO: fix merging a paged skb after non-paged skbs + +commit d1dc7abf2fafa34b0ffcd070fd59405aa9c0a4d8 upstream. + +Suppose that several linear skbs of the same flow were received by GRO. They +were thus merged into one skb with a frag_list. Then a new skb of the same flow +arrives, but it is a paged skb with data starting in its frags[]. + +Before adding the skb to the frag_list skb_gro_receive() will of course adjust +the skb to throw away the headers. It correctly modifies the page_offset and +size of the frag, but it leaves incorrect information in the skb: + ->data_len is not decreased at all. + ->len is decreased only by headlen, as if no change were done to the frag. +Later in a receiving process this causes skb_copy_datagram_iovec() to return +-EFAULT and this is seen in userspace as the result of the recv() syscall. + +In practice the bug can be reproduced with the sfc driver. By default the +driver uses an adaptive scheme when it switches between using +napi_gro_receive() (with skbs) and napi_gro_frags() (with pages). The bug is +reproduced when under rx load with enough successful GRO merging the driver +decides to switch from the former to the latter. + +Manual control is also possible, so reproducing this is easy with netcat: + - on machine1 (with sfc): nc -l 12345 > /dev/null + - on machine2: nc machine1 12345 < /dev/zero + - on machine1: + echo 1 > /sys/module/sfc/parameters/rx_alloc_method # use skbs + echo 2 > /sys/module/sfc/parameters/rx_alloc_method # use pages + - See that nc has quit suddenly. + +[v2: Modified by Eric Dumazet to avoid advancing skb->data past the end + and to use a temporary variable.] + +Signed-off-by: Michal Schmidt <mschmidt@redhat.com> +Acked-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/core/skbuff.c b/net/core/skbuff.c +index 9e7214e..7865bec 100644 +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2749,8 +2749,12 @@ int skb_gro_receive(struct sk_buff **head, struct sk_buff *skb) + + merge: + if (offset > headlen) { +- skbinfo->frags[0].page_offset += offset - headlen; +- skbinfo->frags[0].size -= offset - headlen; ++ unsigned int eat = offset - headlen; ++ ++ skbinfo->frags[0].page_offset += eat; ++ skbinfo->frags[0].size -= eat; ++ skb->data_len -= eat; ++ skb->len -= eat; + offset = headlen; + } + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/HID-usbhid-Add-support-for-SiGma-Micro-chip.patch b/queue/HID-usbhid-Add-support-for-SiGma-Micro-chip.patch new file mode 100644 index 0000000..dba73f2 --- /dev/null +++ b/queue/HID-usbhid-Add-support-for-SiGma-Micro-chip.patch @@ -0,0 +1,48 @@ +From a1fafa2f274cbbc65d54e07852760db1f8ef62f3 Mon Sep 17 00:00:00 2001 +From: Jeremiah Matthey <sprg86@gmail.com> +Date: Tue, 23 Aug 2011 09:44:30 +0200 +Subject: [PATCH] HID: usbhid: Add support for SiGma Micro chip + +commit f5e4282586dc0c9dab8c7d32e6c43aa07f68586b upstream. + +Patch to add SiGma Micro-based keyboards (1c4f:0002) to hid-quirks. + +These keyboards dont seem to allow the records to be initialized, and hence a +timeout occurs when the usbhid driver attempts to initialize them. The patch +just adds the signature for these keyboards to the hid-quirks list with the +setting HID_QUIRK_NO_INIT_REPORTS. This removes the 5-10 second wait for the +timeout to occur. + +Signed-off-by: Jeremiah Matthey <sprg86@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h +index fe054d6..459b457 100644 +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -417,6 +417,9 @@ + #define USB_VENDOR_ID_SAMSUNG 0x0419 + #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001 + ++#define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f ++#define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002 ++ + #define USB_VENDOR_ID_SONY 0x054c + #define USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE 0x024b + #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268 +diff --git a/drivers/hid/usbhid/hid-quirks.c b/drivers/hid/usbhid/hid-quirks.c +index 1152f9b..894c1a2 100644 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -71,6 +71,7 @@ static const struct hid_blacklist { + + { USB_VENDOR_ID_WISEGROUP_LTD, USB_DEVICE_ID_SMARTJOY_DUAL_PLUS, HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_WISEGROUP_LTD2, USB_DEVICE_ID_SMARTJOY_DUAL_PLUS, HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, ++ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, + + { 0, 0 } + }; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/KVM-s390-check-cpu_id-prior-to-using-it.patch b/queue/KVM-s390-check-cpu_id-prior-to-using-it.patch new file mode 100644 index 0000000..74ef2e9 --- /dev/null +++ b/queue/KVM-s390-check-cpu_id-prior-to-using-it.patch @@ -0,0 +1,53 @@ +From 74f9b2ff96b034f19cfecf0e4b0d2a179a77c234 Mon Sep 17 00:00:00 2001 +From: Carsten Otte <cotte@de.ibm.com> +Date: Tue, 18 Oct 2011 12:27:12 +0200 +Subject: [PATCH] KVM: s390: check cpu_id prior to using it + +commit 4d47555a80495657161a7e71ec3014ff2021e450 upstream. + +We use the cpu id provided by userspace as array index here. Thus we +clearly need to check it first. Ooops. + +CC: <stable@vger.kernel.org> +Signed-off-by: Carsten Otte <cotte@de.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/s390/kvm/kvm-s390.c b/arch/s390/kvm/kvm-s390.c +index ee7c713..a6015d1 100644 +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -311,11 +311,17 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu *vcpu) + struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, + unsigned int id) + { +- struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL); +- int rc = -ENOMEM; ++ struct kvm_vcpu *vcpu; ++ int rc = -EINVAL; ++ ++ if (id >= KVM_MAX_VCPUS) ++ goto out; ++ ++ rc = -ENOMEM; + ++ vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL); + if (!vcpu) +- goto out_nomem; ++ goto out; + + vcpu->arch.sie_block = (struct kvm_s390_sie_block *) + get_zeroed_page(GFP_KERNEL); +@@ -350,7 +356,7 @@ out_free_sie_block: + free_page((unsigned long)(vcpu->arch.sie_block)); + out_free_cpu: + kfree(vcpu); +-out_nomem: ++out: + return ERR_PTR(rc); + } + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/NLM-Don-t-hang-forever-on-NLM-unlock-requests.patch b/queue/NLM-Don-t-hang-forever-on-NLM-unlock-requests.patch new file mode 100644 index 0000000..7b04a0e --- /dev/null +++ b/queue/NLM-Don-t-hang-forever-on-NLM-unlock-requests.patch @@ -0,0 +1,77 @@ +From 86fdcc288a4778446e4335ca7bef23885f5ed645 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Tue, 31 May 2011 15:15:34 -0400 +Subject: [PATCH] NLM: Don't hang forever on NLM unlock requests + +commit 0b760113a3a155269a3fba93a409c640031dd68f upstream. + +If the NLM daemon is killed on the NFS server, we can currently end up +hanging forever on an 'unlock' request, instead of aborting. Basically, +if the rpcbind request fails, or the server keeps returning garbage, we +really want to quit instead of retrying. + +Tested-by: Vasily Averin <vvs@sw.ru> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +[PG: struct rpc_task in sched.h slightly different layout vs. v3.0] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c +index 7932c39..f4ef9d1 100644 +--- a/fs/lockd/clntproc.c ++++ b/fs/lockd/clntproc.c +@@ -710,7 +710,13 @@ static void nlmclnt_unlock_callback(struct rpc_task *task, void *data) + + if (task->tk_status < 0) { + dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status); +- goto retry_rebind; ++ switch (task->tk_status) { ++ case -EACCES: ++ case -EIO: ++ goto die; ++ default: ++ goto retry_rebind; ++ } + } + if (status == NLM_LCK_DENIED_GRACE_PERIOD) { + rpc_delay(task, NLMCLNT_GRACE_WAIT); +diff --git a/include/linux/sunrpc/sched.h b/include/linux/sunrpc/sched.h +index 7bc7fd5..f2338ca 100644 +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -55,6 +55,7 @@ struct rpc_task { + struct rpc_message tk_msg; /* RPC call info */ + __u8 tk_garb_retry; + __u8 tk_cred_retry; ++ __u8 tk_rebind_retry; + + /* + * callback to be executed after waking up +diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c +index 0ad7828..018903c 100644 +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1053,6 +1053,9 @@ call_bind_status(struct rpc_task *task) + status = -EOPNOTSUPP; + break; + } ++ if (task->tk_rebind_retry == 0) ++ break; ++ task->tk_rebind_retry--; + rpc_delay(task, 3*HZ); + goto retry_timeout; + case -ETIMEDOUT: +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 416ca5e..e961e06 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -799,6 +799,7 @@ static void rpc_init_task(struct rpc_task *task, const struct rpc_task_setup *ta + /* Initialize retry counters */ + task->tk_garb_retry = 2; + task->tk_cred_retry = 2; ++ task->tk_rebind_retry = 2; + + task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW; + task->tk_owner = current->tgid; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/QE-FHCI-fixed-the-CONTROL-bug.patch b/queue/QE-FHCI-fixed-the-CONTROL-bug.patch new file mode 100644 index 0000000..c853fdd --- /dev/null +++ b/queue/QE-FHCI-fixed-the-CONTROL-bug.patch @@ -0,0 +1,65 @@ +From 53e37459c57a5487a2a648c3c9de71fe4670c9ce Mon Sep 17 00:00:00 2001 +From: Jerry Huang <r66093@freescale.com> +Date: Tue, 18 Oct 2011 13:09:48 +0800 +Subject: [PATCH] QE/FHCI: fixed the CONTROL bug + +commit 273d23574f9dacd9c63c80e7d63639a669aad441 upstream. + +For USB CONTROL transaction, when the data length is zero, +the IN package is needed to finish this transaction in status stage. + +Signed-off-by: Jerry Huang <r66093@freescale.com> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/host/fhci-sched.c b/drivers/usb/host/fhci-sched.c +index ff43747..b13d78a 100644 +--- a/drivers/usb/host/fhci-sched.c ++++ b/drivers/usb/host/fhci-sched.c +@@ -1,7 +1,7 @@ + /* + * Freescale QUICC Engine USB Host Controller Driver + * +- * Copyright (c) Freescale Semicondutor, Inc. 2006. ++ * Copyright (c) Freescale Semicondutor, Inc. 2006, 2011. + * Shlomi Gridish <gridish@freescale.com> + * Jerry Huang <Chang-Ming.Huang@freescale.com> + * Copyright (c) Logic Product Development, Inc. 2007 +@@ -810,9 +810,11 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) + ed->dev_addr = usb_pipedevice(urb->pipe); + ed->max_pkt_size = usb_maxpacket(urb->dev, urb->pipe, + usb_pipeout(urb->pipe)); ++ /* setup stage */ + td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, FHCI_TA_SETUP, + USB_TD_TOGGLE_DATA0, urb->setup_packet, 8, 0, 0, true); + ++ /* data stage */ + if (data_len > 0) { + td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, + usb_pipeout(urb->pipe) ? FHCI_TA_OUT : +@@ -820,9 +822,18 @@ void fhci_queue_urb(struct fhci_hcd *fhci, struct urb *urb) + USB_TD_TOGGLE_DATA1, data, data_len, 0, 0, + true); + } +- td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, +- usb_pipeout(urb->pipe) ? FHCI_TA_IN : FHCI_TA_OUT, +- USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ ++ /* status stage */ ++ if (data_len > 0) ++ td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, ++ (usb_pipeout(urb->pipe) ? FHCI_TA_IN : ++ FHCI_TA_OUT), ++ USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ else ++ td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, ++ FHCI_TA_IN, ++ USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ + urb_state = US_CTRL_SETUP; + break; + case FHCI_TF_ISO: +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/S390-ccwgroup-move-attributes-to-attribute-group.patch b/queue/S390-ccwgroup-move-attributes-to-attribute-group.patch new file mode 100644 index 0000000..415d4c7 --- /dev/null +++ b/queue/S390-ccwgroup-move-attributes-to-attribute-group.patch @@ -0,0 +1,124 @@ +From 027cb13b987e6de2166d4c2a52d7b635793d6dda Mon Sep 17 00:00:00 2001 +From: Sebastian Ott <sebott@linux.vnet.ibm.com> +Date: Sun, 30 Oct 2011 15:16:52 +0100 +Subject: [PATCH] [S390] ccwgroup: move attributes to attribute group + +commit dbdf1afcaaabe83dea15a3cb9b9013e73ae3b1ad upstream. + +Put sysfs attributes of ccwgroup devices in an attribute group to +ensure that these attributes are actually present when userspace +is notified via uevents. + +Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> +Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/s390/cio/ccwgroup.c b/drivers/s390/cio/ccwgroup.c +index 5f97ea2..fcedb92 100644 +--- a/drivers/s390/cio/ccwgroup.c ++++ b/drivers/s390/cio/ccwgroup.c +@@ -66,6 +66,12 @@ __ccwgroup_remove_symlinks(struct ccwgroup_device *gdev) + + } + ++static ssize_t ccwgroup_online_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count); ++static ssize_t ccwgroup_online_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf); + /* + * Provide an 'ungroup' attribute so the user can remove group devices no + * longer needed or accidentially created. Saves memory :) +@@ -112,6 +118,20 @@ out: + } + + static DEVICE_ATTR(ungroup, 0200, NULL, ccwgroup_ungroup_store); ++static DEVICE_ATTR(online, 0644, ccwgroup_online_show, ccwgroup_online_store); ++ ++static struct attribute *ccwgroup_attrs[] = { ++ &dev_attr_online.attr, ++ &dev_attr_ungroup.attr, ++ NULL, ++}; ++static struct attribute_group ccwgroup_attr_group = { ++ .attrs = ccwgroup_attrs, ++}; ++static const struct attribute_group *ccwgroup_attr_groups[] = { ++ &ccwgroup_attr_group, ++ NULL, ++}; + + static void + ccwgroup_release (struct device *dev) +@@ -280,25 +300,17 @@ int ccwgroup_create_from_string(struct device *root, unsigned int creator_id, + } + + dev_set_name(&gdev->dev, "%s", dev_name(&gdev->cdev[0]->dev)); +- ++ gdev->dev.groups = ccwgroup_attr_groups; + rc = device_add(&gdev->dev); + if (rc) + goto error; + get_device(&gdev->dev); +- rc = device_create_file(&gdev->dev, &dev_attr_ungroup); +- +- if (rc) { +- device_unregister(&gdev->dev); +- goto error; +- } +- + rc = __ccwgroup_create_symlinks(gdev); + if (!rc) { + mutex_unlock(&gdev->reg_mutex); + put_device(&gdev->dev); + return 0; + } +- device_remove_file(&gdev->dev, &dev_attr_ungroup); + device_unregister(&gdev->dev); + error: + for (i = 0; i < num_devices; i++) +@@ -408,7 +420,7 @@ ccwgroup_online_store (struct device *dev, struct device_attribute *attr, const + int ret; + + if (!dev->driver) +- return -ENODEV; ++ return -EINVAL; + + gdev = to_ccwgroupdev(dev); + gdrv = to_ccwgroupdrv(dev->driver); +@@ -441,8 +453,6 @@ ccwgroup_online_show (struct device *dev, struct device_attribute *attr, char *b + return sprintf(buf, online ? "1\n" : "0\n"); + } + +-static DEVICE_ATTR(online, 0644, ccwgroup_online_show, ccwgroup_online_store); +- + static int + ccwgroup_probe (struct device *dev) + { +@@ -454,12 +464,7 @@ ccwgroup_probe (struct device *dev) + gdev = to_ccwgroupdev(dev); + gdrv = to_ccwgroupdrv(dev->driver); + +- if ((ret = device_create_file(dev, &dev_attr_online))) +- return ret; +- + ret = gdrv->probe ? gdrv->probe(gdev) : -ENODEV; +- if (ret) +- device_remove_file(dev, &dev_attr_online); + + return ret; + } +@@ -470,9 +475,6 @@ ccwgroup_remove (struct device *dev) + struct ccwgroup_device *gdev; + struct ccwgroup_driver *gdrv; + +- device_remove_file(dev, &dev_attr_online); +- device_remove_file(dev, &dev_attr_ungroup); +- + if (!dev->driver) + return 0; + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/TPM-Call-tpm_transmit-with-correct-size.patch b/queue/TPM-Call-tpm_transmit-with-correct-size.patch new file mode 100644 index 0000000..feda2f9 --- /dev/null +++ b/queue/TPM-Call-tpm_transmit-with-correct-size.patch @@ -0,0 +1,42 @@ +From 4ac575ae5cf61876f0d3ec99f8d912483a25173f Mon Sep 17 00:00:00 2001 +From: Peter Huewe <huewe.external.infineon@googlemail.com> +Date: Thu, 15 Sep 2011 14:37:43 -0300 +Subject: [PATCH] TPM: Call tpm_transmit with correct size + +commit 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 upstream. + +This patch changes the call of tpm_transmit by supplying the size of the +userspace buffer instead of TPM_BUFSIZE. + +This got assigned CVE-2011-1161. + +[The first hunk didn't make sense given one could expect + way less data than TPM_BUFSIZE, so added tpm_transmit boundary + check over bufsiz instead + The last parameter of tpm_transmit() reflects the amount + of data expected from the device, and not the buffer size + being supplied to it. It isn't ideal to parse it directly, + so we just set it to the maximum the input buffer can handle + and let the userspace API to do such job.] + +Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> +Signed-off-by: James Morris <jmorris@namei.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c +index 7f95fec..f39e5ee 100644 +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -375,6 +375,9 @@ static ssize_t tpm_transmit(struct tpm_chip *chip, const char *buf, + u32 count, ordinal; + unsigned long stop; + ++ if (bufsiz > TPM_BUFSIZE) ++ bufsiz = TPM_BUFSIZE; ++ + count = be32_to_cpu(*((__be32 *) (buf + 2))); + ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); + if (count == 0) +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/TPM-Zero-buffer-after-copying-to-userspace.patch b/queue/TPM-Zero-buffer-after-copying-to-userspace.patch new file mode 100644 index 0000000..ab302cd --- /dev/null +++ b/queue/TPM-Zero-buffer-after-copying-to-userspace.patch @@ -0,0 +1,44 @@ +From 19788eb52b0e938adf1d5352a439099ec18d94fc Mon Sep 17 00:00:00 2001 +From: Peter Huewe <huewe.external.infineon@googlemail.com> +Date: Thu, 15 Sep 2011 14:47:42 -0300 +Subject: [PATCH] TPM: Zero buffer after copying to userspace + +commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. + +Since the buffer might contain security related data it might be a good idea to +zero the buffer after we have copied it to userspace. + +This got assigned CVE-2011-1162. + +Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> +Signed-off-by: James Morris <jmorris@namei.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/char/tpm/tpm.c b/drivers/char/tpm/tpm.c +index f39e5ee..9fe4683 100644 +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -1031,6 +1031,7 @@ ssize_t tpm_read(struct file *file, char __user *buf, + { + struct tpm_chip *chip = file->private_data; + ssize_t ret_size; ++ int rc; + + del_singleshot_timer_sync(&chip->user_read_timer); + flush_scheduled_work(); +@@ -1041,8 +1042,11 @@ ssize_t tpm_read(struct file *file, char __user *buf, + ret_size = size; + + mutex_lock(&chip->buffer_mutex); +- if (copy_to_user(buf, chip->data_buffer, ret_size)) ++ rc = copy_to_user(buf, chip->data_buffer, ret_size); ++ memset(chip->data_buffer, 0, ret_size); ++ if (rc) + ret_size = -EFAULT; ++ + mutex_unlock(&chip->buffer_mutex); + } + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-EHCI-Do-not-rely-on-PORT_SUSPEND-to-stop-USB-res.patch b/queue/USB-EHCI-Do-not-rely-on-PORT_SUSPEND-to-stop-USB-res.patch new file mode 100644 index 0000000..52f7dbf --- /dev/null +++ b/queue/USB-EHCI-Do-not-rely-on-PORT_SUSPEND-to-stop-USB-res.patch @@ -0,0 +1,55 @@ +From 5022cc0b284d53a008dd39ba011bd40fa0e54e24 Mon Sep 17 00:00:00 2001 +From: Wang Zhi <zhi.wang@windriver.com> +Date: Wed, 17 Aug 2011 10:39:31 +0800 +Subject: [PATCH] USB: EHCI: Do not rely on PORT_SUSPEND to stop USB resuming + in ehci_bus_resume(). + +commit d0f2fb2500b1c5fe4967eb45d8c9bc758d7aef80 upstream. + +From EHCI Spec p.28 HC should clear PORT_SUSPEND when SW clears +PORT_RESUME. In Intel Oaktrail platform, MPH (Multi-Port Host +Controller) core clears PORT_SUSPEND directly when SW sets PORT_RESUME +bit. If we rely on PORT_SUSPEND bit to stop USB resume, we will miss +the action of clearing PORT_RESUME. This will cause unexpected long +resume signal on USB bus. + +Signed-off-by: Wang Zhi <zhi.wang@windriver.com> +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c +index ae32f02..d5ff2b0 100644 +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -311,7 +311,7 @@ static int ehci_bus_resume (struct usb_hcd *hcd) + u32 temp; + u32 power_okay; + int i; +- u8 resume_needed = 0; ++ unsigned long resume_needed = 0; + + if (time_before (jiffies, ehci->next_statechange)) + msleep(5); +@@ -384,7 +384,7 @@ static int ehci_bus_resume (struct usb_hcd *hcd) + if (test_bit(i, &ehci->bus_suspended) && + (temp & PORT_SUSPEND)) { + temp |= PORT_RESUME; +- resume_needed = 1; ++ set_bit(i, &resume_needed); + } + ehci_writel(ehci, temp, &ehci->regs->port_status [i]); + } +@@ -399,8 +399,7 @@ static int ehci_bus_resume (struct usb_hcd *hcd) + i = HCS_N_PORTS (ehci->hcs_params); + while (i--) { + temp = ehci_readl(ehci, &ehci->regs->port_status [i]); +- if (test_bit(i, &ehci->bus_suspended) && +- (temp & PORT_SUSPEND)) { ++ if (test_bit(i, &resume_needed)) { + temp &= ~(PORT_RWC_BITS | PORT_RESUME); + ehci_writel(ehci, temp, &ehci->regs->port_status [i]); + ehci_vdbg (ehci, "resumed port %d\n", i + 1); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-PL2303-correctly-handle-baudrates-above-115200.patch b/queue/USB-PL2303-correctly-handle-baudrates-above-115200.patch new file mode 100644 index 0000000..db66ccf --- /dev/null +++ b/queue/USB-PL2303-correctly-handle-baudrates-above-115200.patch @@ -0,0 +1,53 @@ +From c56c0d74024c9d3cbc638e9bcd804725d0625075 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Sroczy=C5=84ski?= <msroczyn@gmail.com> +Date: Tue, 5 Jul 2011 21:53:35 +0200 +Subject: [PATCH] USB: PL2303: correctly handle baudrates above 115200 + +commit 8d48fdf689fed2c73c493e5146d1463689246442 upstream. + +PL2303: correctly handle baudrates above 115200 + +Signed-off-by: Michal Sroczynski <msroczyn@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 4b357d6..9f49375 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -616,10 +616,28 @@ static void pl2303_set_termios(struct tty_struct *tty, + baud = 6000000; + } + dbg("%s - baud set = %d", __func__, baud); +- buf[0] = baud & 0xff; +- buf[1] = (baud >> 8) & 0xff; +- buf[2] = (baud >> 16) & 0xff; +- buf[3] = (baud >> 24) & 0xff; ++ if (baud <= 115200) { ++ buf[0] = baud & 0xff; ++ buf[1] = (baud >> 8) & 0xff; ++ buf[2] = (baud >> 16) & 0xff; ++ buf[3] = (baud >> 24) & 0xff; ++ } else { ++ /* apparently the formula for higher speeds is: ++ * baudrate = 12M * 32 / (2^buf[1]) / buf[0] ++ */ ++ unsigned tmp = 12*1000*1000*32 / baud; ++ buf[3] = 0x80; ++ buf[2] = 0; ++ buf[1] = (tmp >= 256); ++ while (tmp >= 256) { ++ tmp >>= 2; ++ buf[1] <<= 1; ++ } ++ if (tmp > 256) { ++ tmp %= 256; ++ } ++ buf[0] = tmp; ++ } + } + + /* For reference buf[4]=0 is 1 stop bits */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-Serial-Add-PID-0xF7C0-to-FTDI-SIO-driver-for-a-z.patch b/queue/USB-Serial-Add-PID-0xF7C0-to-FTDI-SIO-driver-for-a-z.patch new file mode 100644 index 0000000..795ad36 --- /dev/null +++ b/queue/USB-Serial-Add-PID-0xF7C0-to-FTDI-SIO-driver-for-a-z.patch @@ -0,0 +1,43 @@ +From 512a58a0b98224ae8a5539349b6e534d87c8a0cb Mon Sep 17 00:00:00 2001 +From: Artur Zimmer <artur128@3dzimmer.de> +Date: Wed, 10 Aug 2011 03:51:28 +0200 +Subject: [PATCH] USB: Serial: Add PID(0xF7C0) to FTDI SIO driver for a + zeitcontrol-device + +commit ce7e9065958191e6b7ca49d7ed0e1099c486d198 upstream. + +Here is a patch for a new PID (zeitcontrol-device mifare-reader FT232BL(like FT232BM but lead free)). + +Signed-off-by: Artur Zimmer <artur128@3dzimmer.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 90dfdb1..24dc63c 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -160,6 +160,7 @@ static struct ftdi_sio_quirk ftdi_8u2232c_quirk = { + * /sys/bus/usb/ftdi_sio/new_id, then send patch/report! + */ + static struct usb_device_id id_table_combined [] = { ++ { USB_DEVICE(FTDI_VID, FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_MINI_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_CTI_NANO_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_AMC232_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 1167732..c4670e5 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -1166,3 +1166,9 @@ + #define FTDI_CTI_MINI_PID 0xF608 + /* USB-Nano-485*/ + #define FTDI_CTI_NANO_PID 0xF60B ++ ++/* ++ * ZeitControl cardsystems GmbH rfid-readers http://zeitconrol.de ++ */ ++/* TagTracer MIFARE*/ ++#define FTDI_ZEITCONTROL_TAGTRACE_MIFARE_PID 0xF7C0 +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-Serial-Add-device-ID-for-Sierra-Wireless-MC8305.patch b/queue/USB-Serial-Add-device-ID-for-Sierra-Wireless-MC8305.patch new file mode 100644 index 0000000..6d43127 --- /dev/null +++ b/queue/USB-Serial-Add-device-ID-for-Sierra-Wireless-MC8305.patch @@ -0,0 +1,28 @@ +From 8a37c6f89bf101d829927a7411e0fc55e19fc76c Mon Sep 17 00:00:00 2001 +From: Florian Echtler <floe@butterbrot.org> +Date: Tue, 9 Aug 2011 13:37:49 +0200 +Subject: [PATCH] USB: Serial: Add device ID for Sierra Wireless MC8305 + +commit 2f1def2695c223b2aa325e5e47d0d64200a45d23 upstream. + +A new device ID pair is added for Sierra Wireless MC8305. + +Signed-off-by: Florian Echtler <floe@butterbrot.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index 7facae0..6869b52 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -76,6 +76,7 @@ static const struct usb_device_id id_table[] = { + {USB_DEVICE(0x1199, 0x9008)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ + {USB_DEVICE(0x1199, 0x9009)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ + {USB_DEVICE(0x1199, 0x900a)}, /* Sierra Wireless Gobi 2000 Modem device (VT773) */ ++ {USB_DEVICE(0x1199, 0x9011)}, /* Sierra Wireless Gobi 2000 Modem device (MC8305) */ + {USB_DEVICE(0x16d8, 0x8001)}, /* CMDTech Gobi 2000 QDL device (VU922) */ + {USB_DEVICE(0x16d8, 0x8002)}, /* CMDTech Gobi 2000 Modem device (VU922) */ + { } /* Terminating entry */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-add-RESET_RESUME-for-webcams-shown-to-be-quirky.patch b/queue/USB-add-RESET_RESUME-for-webcams-shown-to-be-quirky.patch new file mode 100644 index 0000000..d3bce24 --- /dev/null +++ b/queue/USB-add-RESET_RESUME-for-webcams-shown-to-be-quirky.patch @@ -0,0 +1,62 @@ +From 974e5c69d39771712c7e12e3522ee30170976695 Mon Sep 17 00:00:00 2001 +From: Oliver Neukum <oneukum@suse.de> +Date: Tue, 13 Sep 2011 08:42:21 +0200 +Subject: [PATCH] USB: add RESET_RESUME for webcams shown to be quirky + +commit 2394d67e446bf616a0885167d5f0d397bdacfdfc upstream. + +The new runtime PM code has shown that many webcams suffer +from a race condition that may crash them upon resume. +Runtime PM is especially prone to show the problem because +it retains power to the cameras at all times. However +system suspension may also crash the devices and retain +power to the devices. +The only way to solve this problem without races is in +usbcore with the RESET_RESUME quirk. + +Signed-off-by: Oliver Neukum <oneukum@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/core/quirks.c b/drivers/usb/core/quirks.c +index 99f2d61..241a0d6 100644 +--- a/drivers/usb/core/quirks.c ++++ b/drivers/usb/core/quirks.c +@@ -38,6 +38,24 @@ static const struct usb_device_id usb_quirk_list[] = { + /* Creative SB Audigy 2 NX */ + { USB_DEVICE(0x041e, 0x3020), .driver_info = USB_QUIRK_RESET_RESUME }, + ++ /* Logitech Webcam C200 */ ++ { USB_DEVICE(0x046d, 0x0802), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* Logitech Webcam C250 */ ++ { USB_DEVICE(0x046d, 0x0804), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* Logitech Webcam B/C500 */ ++ { USB_DEVICE(0x046d, 0x0807), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* Logitech Webcam Pro 9000 */ ++ { USB_DEVICE(0x046d, 0x0809), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* Logitech Webcam C310 */ ++ { USB_DEVICE(0x046d, 0x081b), .driver_info = USB_QUIRK_RESET_RESUME }, ++ ++ /* Logitech Webcam C270 */ ++ { USB_DEVICE(0x046d, 0x0825), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* Philips PSC805 audio device */ + { USB_DEVICE(0x0471, 0x0155), .driver_info = USB_QUIRK_RESET_RESUME }, + +@@ -66,6 +84,9 @@ static const struct usb_device_id usb_quirk_list[] = { + { USB_DEVICE(0x06a3, 0x0006), .driver_info = + USB_QUIRK_CONFIG_INTF_STRINGS }, + ++ /* Guillemot Webcam Hercules Dualpix Exchange*/ ++ { USB_DEVICE(0x06f8, 0x0804), .driver_info = USB_QUIRK_RESET_RESUME }, ++ + /* M-Systems Flash Disk Pioneers */ + { USB_DEVICE(0x08ec, 0x1000), .driver_info = USB_QUIRK_RESET_RESUME }, + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-ftdi_sio-Support-TI-Luminary-Micro-Stellaris-BD-.patch b/queue/USB-ftdi_sio-Support-TI-Luminary-Micro-Stellaris-BD-.patch new file mode 100644 index 0000000..92c9eb8 --- /dev/null +++ b/queue/USB-ftdi_sio-Support-TI-Luminary-Micro-Stellaris-BD-.patch @@ -0,0 +1,50 @@ +From 7732f06f033fc5745d5155aca38ee2807dc4ef6f Mon Sep 17 00:00:00 2001 +From: Peter Stuge <peter@stuge.se> +Date: Mon, 10 Oct 2011 03:34:54 +0200 +Subject: [PATCH] USB: ftdi_sio: Support TI/Luminary Micro Stellaris BD-ICDI + Board + +commit 3687f641307eeff6f7fe31a88dc39db88e89238b upstream. + +Some Stellaris evaluation kits have the JTAG/SWD FTDI chip onboard, +and some, like EK-LM3S9B90, come with a separate In-Circuit Debugger +Interface Board. The ICDI board can also be used stand-alone, for +other boards and chips than the kit it came with. The ICDI has both +old style 20-pin JTAG connector and new style JTAG/SWD 10-pin 1.27mm +pitch connector. + +Tested with EK-LM3S9B90, where the BD-ICDI board is included. + +Signed-off-by: Peter Stuge <peter@stuge.se> +Cc: stable <stable@vger.kernel.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index 27cd4a1..90dfdb1 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -748,6 +748,8 @@ static struct usb_device_id id_table_combined [] = { + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index 7d7f138..1167732 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -53,6 +53,7 @@ + /* FTDI 2332C Dual channel device, side A=245 FIFO (JTAG), Side B=RS232 UART */ + #define LMI_LM3S_DEVEL_BOARD_PID 0xbcd8 + #define LMI_LM3S_EVAL_BOARD_PID 0xbcd9 ++#define LMI_LM3S_ICDI_BOARD_PID 0xbcda + + #define FTDI_TURTELIZER_PID 0xBDC8 /* JTAG/RS-232 adapter by egnite GmbH */ + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-ftdi_sio-add-Calao-reference-board-support.patch b/queue/USB-ftdi_sio-add-Calao-reference-board-support.patch new file mode 100644 index 0000000..02caef5 --- /dev/null +++ b/queue/USB-ftdi_sio-add-Calao-reference-board-support.patch @@ -0,0 +1,76 @@ +From 4810efa8cae603216ead9a571809047cf60c4ddd Mon Sep 17 00:00:00 2001 +From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> +Date: Thu, 25 Aug 2011 11:46:58 +0200 +Subject: [PATCH] USB: ftdi_sio: add Calao reference board support + +commit c96fbdd0ab97235f930ebf24b38fa42a2e3458cf upstream. + +Calao use on there dev kits a FT2232 where the port 0 is used for the JTAG and +port 1 for the UART + +They use the same VID and PID as FTDI Chip but they program the manufacturer +name in the eeprom + +So use this information to detect it + +Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> +Cc: Gregory Hermant <gregory.hermant@calao-systems.com> +Cc: Alan Cox <alan@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index c7e4fb8..e8bc908 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -105,6 +105,7 @@ static int ftdi_jtag_probe(struct usb_serial *serial); + static int ftdi_mtxorb_hack_setup(struct usb_serial *serial); + static int ftdi_NDI_device_setup(struct usb_serial *serial); + static int ftdi_stmclite_probe(struct usb_serial *serial); ++static int ftdi_8u2232c_probe(struct usb_serial *serial); + static void ftdi_USB_UIRT_setup(struct ftdi_private *priv); + static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv); + +@@ -132,6 +133,10 @@ static struct ftdi_sio_quirk ftdi_stmclite_quirk = { + .probe = ftdi_stmclite_probe, + }; + ++static struct ftdi_sio_quirk ftdi_8u2232c_quirk = { ++ .probe = ftdi_8u2232c_probe, ++}; ++ + /* + * The 8U232AM has the same API as the sio except for: + * - it can support MUCH higher baudrates; up to: +@@ -181,7 +186,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_8U232AM_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_8U232AM_ALT_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_232RL_PID) }, +- { USB_DEVICE(FTDI_VID, FTDI_8U2232C_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_8U2232C_PID) , ++ .driver_info = (kernel_ulong_t)&ftdi_8u2232c_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_4232H_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_MICRO_CHAMELEON_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_RELAIS_PID) }, +@@ -1749,6 +1755,18 @@ static int ftdi_jtag_probe(struct usb_serial *serial) + return 0; + } + ++static int ftdi_8u2232c_probe(struct usb_serial *serial) ++{ ++ struct usb_device *udev = serial->dev; ++ ++ dbg("%s", __func__); ++ ++ if (strcmp(udev->manufacturer, "CALAO Systems") == 0) ++ return ftdi_jtag_probe(serial); ++ ++ return 0; ++} ++ + /* + * First and second port on STMCLiteadaptors is reserved for JTAG interface + * and the forth port for pio +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-ftdi_sio-add-PID-for-Sony-Ericsson-Urban.patch b/queue/USB-ftdi_sio-add-PID-for-Sony-Ericsson-Urban.patch new file mode 100644 index 0000000..24b8180 --- /dev/null +++ b/queue/USB-ftdi_sio-add-PID-for-Sony-Ericsson-Urban.patch @@ -0,0 +1,48 @@ +From 78ffe72d04924248169c77d865c11d4c13143141 Mon Sep 17 00:00:00 2001 +From: Hakan Kvist <hakan.kvist@sonyericsson.com> +Date: Mon, 3 Oct 2011 13:41:15 +0200 +Subject: [PATCH] USB: ftdi_sio: add PID for Sony Ericsson Urban + +commit 74bdf22b5c3858b06af46f19d05c23e76c40a3bb upstream. + +Add PID 0xfc8a, 0xfc8b for device Sony Ericsson Urban + +Signed-off-by: Hakan Kvist <hakan.kvist@sonyericsson.com> +Signed-off-by: Oskar Andero <oskar.andero@sonyericsson.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/ftdi_sio.c b/drivers/usb/serial/ftdi_sio.c +index e8bc908..27cd4a1 100644 +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -209,6 +209,8 @@ static struct usb_device_id id_table_combined [] = { + { USB_DEVICE(FTDI_VID, FTDI_XF_640_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_XF_642_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DSS20_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_URBAN_0_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_URBAN_1_PID) }, + { USB_DEVICE(FTDI_NF_RIC_VID, FTDI_NF_RIC_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_VNHCPCUSB_D_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_MTXORB_0_PID) }, +diff --git a/drivers/usb/serial/ftdi_sio_ids.h b/drivers/usb/serial/ftdi_sio_ids.h +index a73443f..7d7f138 100644 +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -419,9 +419,11 @@ + #define PROTEGO_SPECIAL_4 0xFC73 /* special/unknown device */ + + /* +- * DSS-20 Sync Station for Sony Ericsson P800 ++ * Sony Ericsson product ids + */ +-#define FTDI_DSS20_PID 0xFC82 ++#define FTDI_DSS20_PID 0xFC82 /* DSS-20 Sync Station for Sony Ericsson P800 */ ++#define FTDI_URBAN_0_PID 0xFC8A /* Sony Ericsson Urban, uart #0 */ ++#define FTDI_URBAN_1_PID 0xFC8B /* Sony Ericsson Urban, uart #1 */ + + /* www.irtrans.de device */ + #define FTDI_IRTRANS_PID 0xFC60 /* Product Id */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-pid_ns-ensure-pid-is-not-freed-during-kill_pid_i.patch b/queue/USB-pid_ns-ensure-pid-is-not-freed-during-kill_pid_i.patch new file mode 100644 index 0000000..dc99d81 --- /dev/null +++ b/queue/USB-pid_ns-ensure-pid-is-not-freed-during-kill_pid_i.patch @@ -0,0 +1,46 @@ +From 608eb0cf84484e72ad8411403c96ab99eec18635 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@canonical.com> +Date: Mon, 26 Sep 2011 10:18:29 -0500 +Subject: [PATCH] USB: pid_ns: ensure pid is not freed during + kill_pid_info_as_uid + +commit aec01c5895051849ed842dc5b8794017a7751f28 upstream. + +Alan Stern points out that after spin_unlock(&ps->lock) there is no +guarantee that ps->pid won't be freed. Since kill_pid_info_as_uid() is +called after the spin_unlock(), the pid passed to it must be pinned. + +Reported-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/core/devio.c b/drivers/usb/core/devio.c +index 6088192..85a4967 100644 +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -409,7 +409,7 @@ static void async_completed(struct urb *urb) + sinfo.si_errno = as->status; + sinfo.si_code = SI_ASYNCIO; + sinfo.si_addr = as->userurb; +- pid = as->pid; ++ pid = get_pid(as->pid); + uid = as->uid; + euid = as->euid; + secid = as->secid; +@@ -424,9 +424,11 @@ static void async_completed(struct urb *urb) + cancel_bulk_urbs(ps, as->bulk_addr); + spin_unlock(&ps->lock); + +- if (signr) ++ if (signr) { + kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid, + euid, secid); ++ put_pid(pid); ++ } + + wake_up(&ps->wait); + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-pl2303-add-id-for-SMART-device.patch b/queue/USB-pl2303-add-id-for-SMART-device.patch new file mode 100644 index 0000000..49a8ba5 --- /dev/null +++ b/queue/USB-pl2303-add-id-for-SMART-device.patch @@ -0,0 +1,43 @@ +From 44bfaa6facc6a46dc620ee2295fd388f38bb0569 Mon Sep 17 00:00:00 2001 +From: Eric Benoit <eric@ecks.ca> +Date: Sat, 24 Sep 2011 02:04:50 -0400 +Subject: [PATCH] USB: pl2303: add id for SMART device + +commit 598f0b703506da841d3459dc0c48506be14d1778 upstream. + +Add vendor and product ID for the SMART USB to serial adapter. These +were meant to be used with their SMART Board whiteboards, but can be +re-purposed for other tasks. Tested and working (at at least 9600 bps). + +Signed-off-by: Eric Benoit <eric@ecks.ca> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index 9f49375..e42ee9b 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -102,6 +102,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(SANWA_VENDOR_ID, SANWA_PRODUCT_ID) }, + { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530_PRODUCT_ID) }, + { USB_DEVICE(WINCHIPHEAD_VENDOR_ID, WINCHIPHEAD_USBSER_PRODUCT_ID) }, ++ { USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index ca0d237..3d10d7f 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -148,3 +148,8 @@ + /* WinChipHead USB->RS 232 adapter */ + #define WINCHIPHEAD_VENDOR_ID 0x4348 + #define WINCHIPHEAD_USBSER_PRODUCT_ID 0x5523 ++ ++/* SMART USB Serial Adapter */ ++#define SMART_VENDOR_ID 0x0b8c ++#define SMART_PRODUCT_ID 0x2303 ++ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-qcserial-add-device-ID-for-HP-un2430-Mobile-Broa.patch b/queue/USB-qcserial-add-device-ID-for-HP-un2430-Mobile-Broa.patch new file mode 100644 index 0000000..b3df7cf --- /dev/null +++ b/queue/USB-qcserial-add-device-ID-for-HP-un2430-Mobile-Broa.patch @@ -0,0 +1,29 @@ +From c6b50909595699c5f75aca94801c2c5543431bc5 Mon Sep 17 00:00:00 2001 +From: Rigbert Hamisch <rigbert@gmx.de> +Date: Tue, 27 Sep 2011 10:46:43 +0200 +Subject: [PATCH] USB: qcserial: add device ID for "HP un2430 Mobile Broadband + Module" + +commit 1bfac90d1b8e63a4d44158c3445d8fda3fb6d5eb upstream. + +add device ID for "HP un2430 Mobile Broadband Module" + +Signed-off-by: Rigbert Hamisch <rigbert@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/serial/qcserial.c b/drivers/usb/serial/qcserial.c +index 225fc88..7facae0 100644 +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -26,6 +26,7 @@ static const struct usb_device_id id_table[] = { + {USB_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ + {USB_DEVICE(0x03f0, 0x1f1d)}, /* HP un2400 Gobi Modem Device */ + {USB_DEVICE(0x03f0, 0x201d)}, /* HP un2400 Gobi QDL Device */ ++ {USB_DEVICE(0x03f0, 0x371d)}, /* HP un2430 Mobile Broadband Module */ + {USB_DEVICE(0x04da, 0x250d)}, /* Panasonic Gobi Modem device */ + {USB_DEVICE(0x04da, 0x250c)}, /* Panasonic Gobi QDL device */ + {USB_DEVICE(0x413c, 0x8172)}, /* Dell Gobi Modem device */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/USB-storage-Use-normalized-sense-when-emulating-auto.patch b/queue/USB-storage-Use-normalized-sense-when-emulating-auto.patch new file mode 100644 index 0000000..e1ab354 --- /dev/null +++ b/queue/USB-storage-Use-normalized-sense-when-emulating-auto.patch @@ -0,0 +1,101 @@ +From 6914b0e0cfd7f85015251f630fcc4351cb11946f Mon Sep 17 00:00:00 2001 +From: Luben Tuikov <ltuikov@yahoo.com> +Date: Thu, 11 Nov 2010 15:43:11 -0800 +Subject: [PATCH] USB: storage: Use normalized sense when emulating autosense + +commit e16da02fcdf1c5e824432f88abf42623dafdf191 upstream. + +This patch solves two things: +1) Enables autosense emulation code to correctly +interpret descriptor format sense data, and +2) Fixes a bug whereby the autosense emulation +code would overwrite descriptor format sense data +with SENSE KEY HARDWARE ERROR in fixed format, to +incorrectly look like this: + +Oct 21 14:11:07 localhost kernel: sd 7:0:0:0: [sdc] Sense Key : Recovered Error [current] [descriptor] +Oct 21 14:11:07 localhost kernel: Descriptor sense data with sense descriptors (in hex): +Oct 21 14:11:07 localhost kernel: 72 01 04 1d 00 00 00 0e 09 0c 00 00 00 00 00 00 +Oct 21 14:11:07 localhost kernel: 00 4f 00 c2 00 50 +Oct 21 14:11:07 localhost kernel: sd 7:0:0:0: [sdc] ASC=0x4 ASCQ=0x1d + +Signed-off-by: Luben Tuikov <ltuikov@yahoo.com> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Acked-by: Matthew Dharm <mdharm-usb@one-eyed-alien.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/storage/transport.c b/drivers/usb/storage/transport.c +index f253ede..0ea5426 100644 +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -695,6 +695,9 @@ void usb_stor_invoke_transport(struct scsi_cmnd *srb, struct us_data *us) + int temp_result; + struct scsi_eh_save ses; + int sense_size = US_SENSE_SIZE; ++ struct scsi_sense_hdr sshdr; ++ const u8 *scdd; ++ u8 fm_ili; + + /* device supports and needs bigger sense buffer */ + if (us->fflags & US_FL_SANE_SENSE) +@@ -778,32 +781,30 @@ Retry_Sense: + srb->sense_buffer[7] = (US_SENSE_SIZE - 8); + } + ++ scsi_normalize_sense(srb->sense_buffer, SCSI_SENSE_BUFFERSIZE, ++ &sshdr); ++ + US_DEBUGP("-- Result from auto-sense is %d\n", temp_result); + US_DEBUGP("-- code: 0x%x, key: 0x%x, ASC: 0x%x, ASCQ: 0x%x\n", +- srb->sense_buffer[0], +- srb->sense_buffer[2] & 0xf, +- srb->sense_buffer[12], +- srb->sense_buffer[13]); ++ sshdr.response_code, sshdr.sense_key, ++ sshdr.asc, sshdr.ascq); + #ifdef CONFIG_USB_STORAGE_DEBUG +- usb_stor_show_sense( +- srb->sense_buffer[2] & 0xf, +- srb->sense_buffer[12], +- srb->sense_buffer[13]); ++ usb_stor_show_sense(sshdr.sense_key, sshdr.asc, sshdr.ascq); + #endif + + /* set the result so the higher layers expect this data */ + srb->result = SAM_STAT_CHECK_CONDITION; + ++ scdd = scsi_sense_desc_find(srb->sense_buffer, ++ SCSI_SENSE_BUFFERSIZE, 4); ++ fm_ili = (scdd ? scdd[3] : srb->sense_buffer[2]) & 0xA0; ++ + /* We often get empty sense data. This could indicate that + * everything worked or that there was an unspecified + * problem. We have to decide which. + */ +- if ( /* Filemark 0, ignore EOM, ILI 0, no sense */ +- (srb->sense_buffer[2] & 0xaf) == 0 && +- /* No ASC or ASCQ */ +- srb->sense_buffer[12] == 0 && +- srb->sense_buffer[13] == 0) { +- ++ if (sshdr.sense_key == 0 && sshdr.asc == 0 && sshdr.ascq == 0 && ++ fm_ili == 0) { + /* If things are really okay, then let's show that. + * Zero out the sense buffer so the higher layers + * won't realize we did an unsolicited auto-sense. +@@ -818,7 +819,10 @@ Retry_Sense: + */ + } else { + srb->result = DID_ERROR << 16; +- srb->sense_buffer[2] = HARDWARE_ERROR; ++ if ((sshdr.response_code & 0x72) == 0x72) ++ srb->sense_buffer[1] = HARDWARE_ERROR; ++ else ++ srb->sense_buffer[2] = HARDWARE_ERROR; + } + } + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/Update-email-address-for-stable-patch-submission.patch b/queue/Update-email-address-for-stable-patch-submission.patch new file mode 100644 index 0000000..af3a406 --- /dev/null +++ b/queue/Update-email-address-for-stable-patch-submission.patch @@ -0,0 +1,53 @@ +From cb32b8247a1c8c1e75bf753321619f8cd764d62e Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Mon, 17 Oct 2011 21:16:39 -0400 +Subject: [PATCH] Update email address for stable patch submission + +commit 5fa224295f0e0358c8bc0e5390702338df889def upstream. + +The stable@kernel.org email address has been replaced with the +stable@vger.kernel.org mailing list. Change the stable kernel rules to +reference the new list instead of the semi-defunct email alias. + +CC: <stable@kernel.org> +CC: <stable@vger.kernel.org> +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/Documentation/stable_kernel_rules.txt b/Documentation/stable_kernel_rules.txt +index e213f45..21fd05c 100644 +--- a/Documentation/stable_kernel_rules.txt ++++ b/Documentation/stable_kernel_rules.txt +@@ -24,10 +24,10 @@ Rules on what kind of patches are accepted, and which ones are not, into the + Procedure for submitting patches to the -stable tree: + + - Send the patch, after verifying that it follows the above rules, to +- stable@kernel.org. You must note the upstream commit ID in the changelog +- of your submission. ++ stable@vger.kernel.org. You must note the upstream commit ID in the ++ changelog of your submission. + - To have the patch automatically included in the stable tree, add the tag +- Cc: stable@kernel.org ++ Cc: stable@vger.kernel.org + in the sign-off area. Once the patch is merged it will be applied to + the stable tree without anything else needing to be done by the author + or subsystem maintainer. +@@ -35,10 +35,10 @@ Procedure for submitting patches to the -stable tree: + cherry-picked than this can be specified in the following format in + the sign-off area: + +- Cc: <stable@kernel.org> # .32.x: a1f84a3: sched: Check for idle +- Cc: <stable@kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle +- Cc: <stable@kernel.org> # .32.x: fd21073: sched: Fix affinity logic +- Cc: <stable@kernel.org> # .32.x ++ Cc: <stable@vger.kernel.org> # .32.x: a1f84a3: sched: Check for idle ++ Cc: <stable@vger.kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle ++ Cc: <stable@vger.kernel.org> # .32.x: fd21073: sched: Fix affinity logic ++ Cc: <stable@vger.kernel.org> # .32.x + Signed-off-by: Ingo Molnar <mingo@elte.hu> + + The tag sequence has the meaning of: +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/aacraid-reset-should-disable-MSI-interrupt.patch b/queue/aacraid-reset-should-disable-MSI-interrupt.patch new file mode 100644 index 0000000..6927ab5 --- /dev/null +++ b/queue/aacraid-reset-should-disable-MSI-interrupt.patch @@ -0,0 +1,36 @@ +From e7ae837eed3136f39ac6c1d2c81df773fc3c2faa Mon Sep 17 00:00:00 2001 +From: Vasily Averin <vvs@parallels.com> +Date: Fri, 2 Sep 2011 19:31:46 +0400 +Subject: [PATCH] aacraid: reset should disable MSI interrupt + +commit d0efab26f89506387a1bde898556660e06d7eb15 upstream. + +scsi reset on hardware with enabled MSI interrupts generates WARNING message + +[11027.798722] aacraid: Host adapter abort request (0,0,0,0) +[11027.798814] aacraid: Host adapter reset request. SCSI hang ? +[11087.762237] aacraid: SCSI bus appears hung +[11135.082543] ------------[ cut here ]------------ +[11135.082646] WARNING: at drivers/pci/msi.c:658 pci_enable_msi_block+0x251/0x290() + +Signed-off-by: Vasily Averin <vvs@sw.ru> +Acked-by: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/aacraid/commsup.c b/drivers/scsi/aacraid/commsup.c +index 94d2954..2cb663f 100644 +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1242,6 +1242,8 @@ static int _aac_reset_adapter(struct aac_dev *aac, int forced) + kfree(aac->queues); + aac->queues = NULL; + free_irq(aac->pdev->irq, aac); ++ if (aac->msi) ++ pci_disable_msi(aac->pdev); + kfree(aac->fsa_dev); + aac->fsa_dev = NULL; + quirks = aac_get_driver_ident(index)->quirks; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ahci-Enable-SB600-64bit-DMA-on-Asus-M3A.patch b/queue/ahci-Enable-SB600-64bit-DMA-on-Asus-M3A.patch new file mode 100644 index 0000000..9251df6 --- /dev/null +++ b/queue/ahci-Enable-SB600-64bit-DMA-on-Asus-M3A.patch @@ -0,0 +1,43 @@ +From 6fd774e403565c16061380043718a4ac780265cb Mon Sep 17 00:00:00 2001 +From: Mark Nelson <mdnelson8@gmail.com> +Date: Mon, 27 Jun 2011 16:33:44 +1000 +Subject: [PATCH] ahci: Enable SB600 64bit DMA on Asus M3A + +commit 3c4aa91f21f65b7b40bdfb015eacbcb8453ccae2 upstream. + +Like e65cc194f7628ecaa02462f22f42fb09b50dcd49 this patch enables 64bit DMA +for the AHCI SATA controller of a board that has the SB600 southbridge. In +this case though we're enabling 64bit DMA for the Asus M3A motherboard. It +is a new enough board that all of the BIOS releases since the initial +release (0301 from 2007-10-22) work correctly with 64bit DMA enabled. + +Signed-off-by: Mark Nelson <mdnelson8@gmail.com> +Signed-off-by: Jeff Garzik <jgarzik@pobox.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/ata/ahci.c b/drivers/ata/ahci.c +index 9215998..a5b1fd9 100644 +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -2981,6 +2981,18 @@ static bool ahci_sb600_enable_64bit(struct pci_dev *pdev) + DMI_MATCH(DMI_BOARD_NAME, "MS-7376"), + }, + }, ++ /* ++ * All BIOS versions for the Asus M3A support 64bit DMA. ++ * (all release versions from 0301 to 1206 were tested) ++ */ ++ { ++ .ident = "ASUS M3A", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, ++ "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "M3A"), ++ }, ++ }, + { } + }; + const struct dmi_system_id *match; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/atm-br2684-Fix-oops-due-to-skb-dev-being-NULL.patch b/queue/atm-br2684-Fix-oops-due-to-skb-dev-being-NULL.patch new file mode 100644 index 0000000..e6f7e23 --- /dev/null +++ b/queue/atm-br2684-Fix-oops-due-to-skb-dev-being-NULL.patch @@ -0,0 +1,52 @@ +From 43091c408bb4c889fad1b772761268d8465397d4 Mon Sep 17 00:00:00 2001 +From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Date: Fri, 19 Aug 2011 12:04:20 +0000 +Subject: [PATCH] atm: br2684: Fix oops due to skb->dev being NULL + +commit fbe5e29ec1886967255e76946aaf537b8cc9b81e upstream. + +This oops have been already fixed with commit + + 27141666b69f535a4d63d7bc6d9e84ee5032f82a + + atm: [br2684] Fix oops due to skb->dev being NULL + + It happens that if a packet arrives in a VC between the call to open it on + the hardware and the call to change the backend to br2684, br2684_regvcc + processes the packet and oopses dereferencing skb->dev because it is + NULL before the call to br2684_push(). + +but have been introduced again with commit + + b6211ae7f2e56837c6a4849316396d1535606e90 + + atm: Use SKB queue and list helpers instead of doing it by-hand. + +Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/atm/br2684.c b/net/atm/br2684.c +index f3bae14..e9b5677 100644 +--- a/net/atm/br2684.c ++++ b/net/atm/br2684.c +@@ -522,12 +522,13 @@ static int br2684_regvcc(struct atm_vcc *atmvcc, void __user * arg) + spin_unlock_irqrestore(&rq->lock, flags); + + skb_queue_walk_safe(&queue, skb, tmp) { +- struct net_device *dev = skb->dev; ++ struct net_device *dev; ++ ++ br2684_push(atmvcc, skb); ++ dev = skb->dev; + + dev->stats.rx_bytes -= skb->len; + dev->stats.rx_packets--; +- +- br2684_push(atmvcc, skb); + } + __module_get(THIS_MODULE); + return 0; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/b43-Fix-beacon-problem-in-ad-hoc-mode.patch b/queue/b43-Fix-beacon-problem-in-ad-hoc-mode.patch new file mode 100644 index 0000000..5f081e8 --- /dev/null +++ b/queue/b43-Fix-beacon-problem-in-ad-hoc-mode.patch @@ -0,0 +1,32 @@ +From a4b18d085adc973fdb916be9709801a4789fb2fd Mon Sep 17 00:00:00 2001 +From: Manual Munz <freifunk@somakoma.de> +Date: Sun, 18 Sep 2011 18:24:03 -0500 +Subject: [PATCH] b43: Fix beacon problem in ad-hoc mode + +commit 8c23516fbb209ccf8f8c36268311c721faff29ee upstream. + +In ad-hoc mode, driver b43 does not issue beacons. + +Signed-off-by: Manual Munz <freifunk@somakoma.de> +Tested-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/wireless/b43/main.c b/drivers/net/wireless/b43/main.c +index 9a374ef..1f230b8 100644 +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -1538,7 +1538,8 @@ static void handle_irq_beacon(struct b43_wldev *dev) + u32 cmd, beacon0_valid, beacon1_valid; + + if (!b43_is_mode(wl, NL80211_IFTYPE_AP) && +- !b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT)) ++ !b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT) && ++ !b43_is_mode(wl, NL80211_IFTYPE_ADHOC)) + return; + + /* This is the bottom half of the asynchronous beacon update. */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/carminefb-Fix-module-parameters-permissions.patch b/queue/carminefb-Fix-module-parameters-permissions.patch new file mode 100644 index 0000000..8c38d5b --- /dev/null +++ b/queue/carminefb-Fix-module-parameters-permissions.patch @@ -0,0 +1,60 @@ +From 1efce56c0a49b74ed78c2f314623855ae49611e0 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Fri, 8 Jul 2011 11:04:38 +0200 +Subject: [PATCH] carminefb: Fix module parameters permissions + +commit c84c14224bbca6ec60d5851fcc87be0e34df2f44 upstream. + +The third parameter of module_param is supposed to be an octal value. +The missing leading "0" causes the following: + +$ ls -l /sys/module/carminefb/parameters/ +total 0 +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_displays +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_mode +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_mode_str + +After fixing the perm parameter, we get the expected: + +$ ls -l /sys/module/carminefb/parameters/ +total 0 +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_displays +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_mode +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_mode_str + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Cc: Paul Mundt <lethal@linux-sh.org> +Cc: Sebastian Siewior <bigeasy@linutronix.de> +Signed-off-by: Paul Mundt <lethal@linux-sh.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/video/carminefb.c b/drivers/video/carminefb.c +index d8345fc..96b52a4 100644 +--- a/drivers/video/carminefb.c ++++ b/drivers/video/carminefb.c +@@ -32,11 +32,11 @@ + #define CARMINEFB_DEFAULT_VIDEO_MODE 1 + + static unsigned int fb_mode = CARMINEFB_DEFAULT_VIDEO_MODE; +-module_param(fb_mode, uint, 444); ++module_param(fb_mode, uint, 0444); + MODULE_PARM_DESC(fb_mode, "Initial video mode as integer."); + + static char *fb_mode_str; +-module_param(fb_mode_str, charp, 444); ++module_param(fb_mode_str, charp, 0444); + MODULE_PARM_DESC(fb_mode_str, "Initial video mode in characters."); + + /* +@@ -46,7 +46,7 @@ MODULE_PARM_DESC(fb_mode_str, "Initial video mode in characters."); + * 0b010 Display 1 + */ + static int fb_displays = CARMINE_USE_DISPLAY0 | CARMINE_USE_DISPLAY1; +-module_param(fb_displays, int, 444); ++module_param(fb_displays, int, 0444); + MODULE_PARM_DESC(fb_displays, "Bit mode, which displays are used"); + + struct carmine_hw { +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/cfg80211-Fix-validation-of-AKM-suites.patch b/queue/cfg80211-Fix-validation-of-AKM-suites.patch new file mode 100644 index 0000000..cc27ea3 --- /dev/null +++ b/queue/cfg80211-Fix-validation-of-AKM-suites.patch @@ -0,0 +1,42 @@ +From da8f5afc3c5bdd96b11a83aa52aabc5fbf849eee Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@qca.qualcomm.com> +Date: Wed, 21 Sep 2011 16:13:07 +0300 +Subject: [PATCH] cfg80211: Fix validation of AKM suites + +commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. + +Incorrect variable was used in validating the akm_suites array from +NL80211_ATTR_AKM_SUITES. In addition, there was no explicit +validation of the array length (we only have room for +NL80211_MAX_NR_AKM_SUITES). + +This can result in a buffer write overflow for stack variables with +arbitrary data from user space. The nl80211 commands using the affected +functionality require GENL_ADMIN_PERM, so this is only exposed to admin +users. + +Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c +index 56bc9b9..fde82a8 100644 +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3537,9 +3537,12 @@ static int nl80211_crypto_settings(struct genl_info *info, + if (len % sizeof(u32)) + return -EINVAL; + ++ if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) ++ return -EINVAL; ++ + memcpy(settings->akm_suites, data, len); + +- for (i = 0; i < settings->n_ciphers_pairwise; i++) ++ for (i = 0; i < settings->n_akm_suites; i++) + if (!nl80211_valid_akm_suite(settings->akm_suites[i])) + return -EINVAL; + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/cnic-Improve-NETDEV_UP-event-handling.patch b/queue/cnic-Improve-NETDEV_UP-event-handling.patch new file mode 100644 index 0000000..8b85b15 --- /dev/null +++ b/queue/cnic-Improve-NETDEV_UP-event-handling.patch @@ -0,0 +1,43 @@ +From b54d6e35bd9e697f259d1f5c5bf3af1c2b45f84e Mon Sep 17 00:00:00 2001 +From: Michael Chan <mchan@broadcom.com> +Date: Wed, 8 Jun 2011 19:29:35 +0000 +Subject: [PATCH] cnic: Improve NETDEV_UP event handling + +commit db1d350fcb156b58f66a67680617077bcacfe6fc upstream. + +During NETDEV_UP, we use symbol_get() to get the net driver's cnic +probe function. This sometimes doesn't work if NETDEV_UP happens +right after NETDEV_REGISTER and the net driver is still running module +init code. As a result, the cnic device may not be discovered. We +fix this by probing on all NETDEV events if the device's netif_running +state is up. + +Signed-off-by: Michael Chan <mchan@broadcom.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/cnic.c b/drivers/net/cnic.c +index 4b451a7..49242ac 100644 +--- a/drivers/net/cnic.c ++++ b/drivers/net/cnic.c +@@ -4528,7 +4528,7 @@ static int cnic_netdev_event(struct notifier_block *this, unsigned long event, + + dev = cnic_from_netdev(netdev); + +- if (!dev && (event == NETDEV_REGISTER || event == NETDEV_UP)) { ++ if (!dev && (event == NETDEV_REGISTER || netif_running(netdev))) { + /* Check for the hot-plug device */ + dev = is_cnic_dev(netdev); + if (dev) { +@@ -4544,7 +4544,7 @@ static int cnic_netdev_event(struct notifier_block *this, unsigned long event, + else if (event == NETDEV_UNREGISTER) + cnic_ulp_exit(dev); + +- if (event == NETDEV_UP) { ++ if (event == NETDEV_UP || (new_dev && netif_running(netdev))) { + if (cnic_register_netdev(dev) != 0) { + cnic_put(dev); + goto done; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/deal-with-races-in-proc-syscall-stack-personality.patch b/queue/deal-with-races-in-proc-syscall-stack-personality.patch new file mode 100644 index 0000000..cb1db51 --- /dev/null +++ b/queue/deal-with-races-in-proc-syscall-stack-personality.patch @@ -0,0 +1,178 @@ +From 882f26f030190e05f300cf247a14ebeeb6a55569 Mon Sep 17 00:00:00 2001 +From: Al Viro <viro@zeniv.linux.org.uk> +Date: Wed, 23 Mar 2011 15:52:50 -0400 +Subject: [PATCH] deal with races in /proc/*/{syscall,stack,personality} + +commit a9712bc12c40c172e393f85a9b2ba8db4bf59509 upstream. + +All of those are rw-r--r-- and all are broken for suid - if you open +a file before the target does suid-root exec, you'll be still able +to access it. For personality it's not a big deal, but for syscall +and stack it's a real problem. + +Fix: check that task is tracable for you at the time of read(). + +Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 08741b0..52be01a 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -329,6 +329,23 @@ static int proc_pid_wchan(struct task_struct *task, char *buffer) + } + #endif /* CONFIG_KALLSYMS */ + ++static int lock_trace(struct task_struct *task) ++{ ++ int err = mutex_lock_killable(&task->signal->cred_guard_mutex); ++ if (err) ++ return err; ++ if (!ptrace_may_access(task, PTRACE_MODE_ATTACH)) { ++ mutex_unlock(&task->signal->cred_guard_mutex); ++ return -EPERM; ++ } ++ return 0; ++} ++ ++static void unlock_trace(struct task_struct *task) ++{ ++ mutex_unlock(&task->signal->cred_guard_mutex); ++} ++ + #ifdef CONFIG_STACKTRACE + + #define MAX_STACK_TRACE_DEPTH 64 +@@ -338,6 +355,7 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, + { + struct stack_trace trace; + unsigned long *entries; ++ int err; + int i; + + entries = kmalloc(MAX_STACK_TRACE_DEPTH * sizeof(*entries), GFP_KERNEL); +@@ -348,15 +366,20 @@ static int proc_pid_stack(struct seq_file *m, struct pid_namespace *ns, + trace.max_entries = MAX_STACK_TRACE_DEPTH; + trace.entries = entries; + trace.skip = 0; +- save_stack_trace_tsk(task, &trace); + +- for (i = 0; i < trace.nr_entries; i++) { +- seq_printf(m, "[<%p>] %pS\n", +- (void *)entries[i], (void *)entries[i]); ++ err = lock_trace(task); ++ if (!err) { ++ save_stack_trace_tsk(task, &trace); ++ ++ for (i = 0; i < trace.nr_entries; i++) { ++ seq_printf(m, "[<%p>] %pS\n", ++ (void *)entries[i], (void *)entries[i]); ++ } ++ unlock_trace(task); + } + kfree(entries); + +- return 0; ++ return err; + } + #endif + +@@ -528,18 +551,22 @@ static int proc_pid_syscall(struct task_struct *task, char *buffer) + { + long nr; + unsigned long args[6], sp, pc; ++ int res = lock_trace(task); ++ if (res) ++ return res; + + if (task_current_syscall(task, &nr, args, 6, &sp, &pc)) +- return sprintf(buffer, "running\n"); +- +- if (nr < 0) +- return sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc); +- +- return sprintf(buffer, ++ res = sprintf(buffer, "running\n"); ++ else if (nr < 0) ++ res = sprintf(buffer, "%ld 0x%lx 0x%lx\n", nr, sp, pc); ++ else ++ res = sprintf(buffer, + "%ld 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx 0x%lx\n", + nr, + args[0], args[1], args[2], args[3], args[4], args[5], + sp, pc); ++ unlock_trace(task); ++ return res; + } + #endif /* CONFIG_HAVE_ARCH_TRACEHOOK */ + +@@ -2561,8 +2588,12 @@ static int proc_tgid_io_accounting(struct task_struct *task, char *buffer) + static int proc_pid_personality(struct seq_file *m, struct pid_namespace *ns, + struct pid *pid, struct task_struct *task) + { +- seq_printf(m, "%08x\n", task->personality); +- return 0; ++ int err = lock_trace(task); ++ if (!err) { ++ seq_printf(m, "%08x\n", task->personality); ++ unlock_trace(task); ++ } ++ return err; + } + + /* +@@ -2581,14 +2612,14 @@ static const struct pid_entry tgid_base_stuff[] = { + REG("environ", S_IRUSR, proc_environ_operations), + INF("auxv", S_IRUSR, proc_pid_auxv), + ONE("status", S_IRUGO, proc_pid_status), +- ONE("personality", S_IRUSR, proc_pid_personality), ++ ONE("personality", S_IRUGO, proc_pid_personality), + INF("limits", S_IRUSR, proc_pid_limits), + #ifdef CONFIG_SCHED_DEBUG + REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), + #endif + REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), + #ifdef CONFIG_HAVE_ARCH_TRACEHOOK +- INF("syscall", S_IRUSR, proc_pid_syscall), ++ INF("syscall", S_IRUGO, proc_pid_syscall), + #endif + INF("cmdline", S_IRUGO, proc_pid_cmdline), + ONE("stat", S_IRUGO, proc_tgid_stat), +@@ -2616,7 +2647,7 @@ static const struct pid_entry tgid_base_stuff[] = { + INF("wchan", S_IRUGO, proc_pid_wchan), + #endif + #ifdef CONFIG_STACKTRACE +- ONE("stack", S_IRUSR, proc_pid_stack), ++ ONE("stack", S_IRUGO, proc_pid_stack), + #endif + #ifdef CONFIG_SCHEDSTATS + INF("schedstat", S_IRUGO, proc_pid_schedstat), +@@ -2921,14 +2952,14 @@ static const struct pid_entry tid_base_stuff[] = { + REG("environ", S_IRUSR, proc_environ_operations), + INF("auxv", S_IRUSR, proc_pid_auxv), + ONE("status", S_IRUGO, proc_pid_status), +- ONE("personality", S_IRUSR, proc_pid_personality), ++ ONE("personality", S_IRUGO, proc_pid_personality), + INF("limits", S_IRUSR, proc_pid_limits), + #ifdef CONFIG_SCHED_DEBUG + REG("sched", S_IRUGO|S_IWUSR, proc_pid_sched_operations), + #endif + REG("comm", S_IRUGO|S_IWUSR, proc_pid_set_comm_operations), + #ifdef CONFIG_HAVE_ARCH_TRACEHOOK +- INF("syscall", S_IRUSR, proc_pid_syscall), ++ INF("syscall", S_IRUGO, proc_pid_syscall), + #endif + INF("cmdline", S_IRUGO, proc_pid_cmdline), + ONE("stat", S_IRUGO, proc_tid_stat), +@@ -2955,7 +2986,7 @@ static const struct pid_entry tid_base_stuff[] = { + INF("wchan", S_IRUGO, proc_pid_wchan), + #endif + #ifdef CONFIG_STACKTRACE +- ONE("stack", S_IRUSR, proc_pid_stack), ++ ONE("stack", S_IRUGO, proc_pid_stack), + #endif + #ifdef CONFIG_SCHEDSTATS + INF("schedstat", S_IRUGO, proc_pid_schedstat), +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/drivers-net-rionet.c-fix-ethernet-address-macros-for.patch b/queue/drivers-net-rionet.c-fix-ethernet-address-macros-for.patch new file mode 100644 index 0000000..f772834 --- /dev/null +++ b/queue/drivers-net-rionet.c-fix-ethernet-address-macros-for.patch @@ -0,0 +1,38 @@ +From 959b705d9d021a1e79a09f8b6563bafc9c9f1a4d Mon Sep 17 00:00:00 2001 +From: Alexandre Bounine <alexandre.bounine@idt.com> +Date: Wed, 2 Nov 2011 13:39:15 -0700 +Subject: [PATCH] drivers/net/rionet.c: fix ethernet address macros for LE + platforms + +commit e0c87bd95e8dad455c23bc56513af8dcb1737e55 upstream. + +Modify Ethernet addess macros to be compatible with BE/LE platforms + +Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com> +Cc: Chul Kim <chul.kim@idt.com> +Cc: Kumar Gala <galak@kernel.crashing.org> +Cc: Matt Porter <mporter@kernel.crashing.org> +Cc: Li Yang <leoli@freescale.com> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/rionet.c b/drivers/net/rionet.c +index 07eb884..0f6cbc8 100644 +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -88,8 +88,8 @@ static struct rio_dev **rionet_active; + #define dev_rionet_capable(dev) \ + is_rionet_capable(dev->pef, dev->src_ops, dev->dst_ops) + +-#define RIONET_MAC_MATCH(x) (*(u32 *)x == 0x00010001) +-#define RIONET_GET_DESTID(x) (*(u16 *)(x + 4)) ++#define RIONET_MAC_MATCH(x) (!memcmp((x), "\00\01\00\01", 4)) ++#define RIONET_GET_DESTID(x) ((*((u8 *)x + 4) << 8) | *((u8 *)x + 5)) + + static int rionet_rx_clean(struct net_device *ndev) + { +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/e1000-Fix-driver-to-be-used-on-PA-RISC-C8000-worksta.patch b/queue/e1000-Fix-driver-to-be-used-on-PA-RISC-C8000-worksta.patch new file mode 100644 index 0000000..3a37934 --- /dev/null +++ b/queue/e1000-Fix-driver-to-be-used-on-PA-RISC-C8000-worksta.patch @@ -0,0 +1,46 @@ +From 2d66a1cab7c81765595f90f55492b47ad692f43e Mon Sep 17 00:00:00 2001 +From: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Date: Tue, 30 Aug 2011 20:58:56 -0400 +Subject: [PATCH] e1000: Fix driver to be used on PA RISC C8000 workstations + +commit e2faeec2de9e2c73958e6ea6065dde1e8cd6f3a2 upstream. + +The checksum field in the EEPROM on HPPA is really not a +checksum but a signature (0x16d6). So allow 0x16d6 as the +matching checksum on HPPA systems. + +This issue is present on longterm/stable kernels, I have +verified that this patch is applicable back to at least +2.6.32.y kernels. + +v2- changed ifdef to use CONFIG_PARISC instead of __hppa__ + +CC: Guy Martin <gmsoft@tuxicoman.be> +CC: Rolf Eike Beer <eike-kernel@sf-tec.de> +CC: Matt Turner <mattst88@gmail.com> +Reported-by: Mikulas Patocka <mikulas@artax.kerlin.mff.cuni.cz> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/e1000/e1000_hw.c b/drivers/net/e1000/e1000_hw.c +index 8d7d87f..0d82be0 100644 +--- a/drivers/net/e1000/e1000_hw.c ++++ b/drivers/net/e1000/e1000_hw.c +@@ -3842,6 +3842,12 @@ s32 e1000_validate_eeprom_checksum(struct e1000_hw *hw) + checksum += eeprom_data; + } + ++#ifdef CONFIG_PARISC ++ /* This is a signature and not a checksum on HP c8000 */ ++ if ((hw->subsystem_vendor_id == 0x103C) && (eeprom_data == 0x16d6)) ++ return E1000_SUCCESS; ++ ++#endif + if (checksum == (u16) EEPROM_SUM) + return E1000_SUCCESS; + else { +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/epoll-fix-spurious-lockdep-warnings.patch b/queue/epoll-fix-spurious-lockdep-warnings.patch new file mode 100644 index 0000000..bcceab7 --- /dev/null +++ b/queue/epoll-fix-spurious-lockdep-warnings.patch @@ -0,0 +1,137 @@ +From e09f7140b626d463712547ab626ecd3894b52d7b Mon Sep 17 00:00:00 2001 +From: Nelson Elhage <nelhage@nelhage.com> +Date: Mon, 31 Oct 2011 17:13:14 -0700 +Subject: [PATCH] epoll: fix spurious lockdep warnings + +commit d8805e633e054c816c47cb6e727c81f156d9253d upstream. + +epoll can acquire recursively acquire ep->mtx on multiple "struct +eventpoll"s at once in the case where one epoll fd is monitoring another +epoll fd. This is perfectly OK, since we're careful about the lock +ordering, but it causes spurious lockdep warnings. Annotate the recursion +using mutex_lock_nested, and add a comment explaining the nesting rules +for good measure. + +Recent versions of systemd are triggering this, and it can also be +demonstrated with the following trivial test program: + +--------------------8<-------------------- + +int main(void) { + int e1, e2; + struct epoll_event evt = { + .events = EPOLLIN + }; + + e1 = epoll_create1(0); + e2 = epoll_create1(0); + epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt); + return 0; +} +--------------------8<-------------------- + +Reported-by: Paul Bolle <pebolle@tiscali.nl> +Tested-by: Paul Bolle <pebolle@tiscali.nl> +Signed-off-by: Nelson Elhage <nelhage@nelhage.com> +Acked-by: Jason Baron <jbaron@redhat.com> +Cc: Dave Jones <davej@redhat.com> +Cc: Davide Libenzi <davidel@xmailserver.org> +Cc: <stable@vger.kernel.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/eventpoll.c b/fs/eventpoll.c +index 85c5a9f..34ca5ca 100644 +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -70,6 +70,15 @@ + * simultaneous inserts (A into B and B into A) from racing and + * constructing a cycle without either insert observing that it is + * going to. ++ * It is necessary to acquire multiple "ep->mtx"es at once in the ++ * case when one epoll fd is added to another. In this case, we ++ * always acquire the locks in the order of nesting (i.e. after ++ * epoll_ctl(e1, EPOLL_CTL_ADD, e2), e1->mtx will always be acquired ++ * before e2->mtx). Since we disallow cycles of epoll file ++ * descriptors, this ensures that the mutexes are well-ordered. In ++ * order to communicate this nesting to lockdep, when walking a tree ++ * of epoll file descriptors, we use the current recursion depth as ++ * the lockdep subkey. + * It is possible to drop the "ep->mtx" and to use the global + * mutex "epmutex" (together with "ep->lock") to have it working, + * but having "ep->mtx" will make the interface more scalable. +@@ -454,13 +463,15 @@ static void ep_unregister_pollwait(struct eventpoll *ep, struct epitem *epi) + * @ep: Pointer to the epoll private data structure. + * @sproc: Pointer to the scan callback. + * @priv: Private opaque data passed to the @sproc callback. ++ * @depth: The current depth of recursive f_op->poll calls. + * + * Returns: The same integer error code returned by the @sproc callback. + */ + static int ep_scan_ready_list(struct eventpoll *ep, + int (*sproc)(struct eventpoll *, + struct list_head *, void *), +- void *priv) ++ void *priv, ++ int depth) + { + int error, pwake = 0; + unsigned long flags; +@@ -471,7 +482,7 @@ static int ep_scan_ready_list(struct eventpoll *ep, + * We need to lock this because we could be hit by + * eventpoll_release_file() and epoll_ctl(). + */ +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, depth); + + /* + * Steal the ready list, and re-init the original one to the +@@ -660,7 +671,7 @@ static int ep_read_events_proc(struct eventpoll *ep, struct list_head *head, + + static int ep_poll_readyevents_proc(void *priv, void *cookie, int call_nests) + { +- return ep_scan_ready_list(priv, ep_read_events_proc, NULL); ++ return ep_scan_ready_list(priv, ep_read_events_proc, NULL, call_nests + 1); + } + + static unsigned int ep_eventpoll_poll(struct file *file, poll_table *wait) +@@ -726,7 +737,7 @@ void eventpoll_release_file(struct file *file) + + ep = epi->ep; + list_del_init(&epi->fllink); +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, 0); + ep_remove(ep, epi); + mutex_unlock(&ep->mtx); + } +@@ -1123,7 +1134,7 @@ static int ep_send_events(struct eventpoll *ep, + esed.maxevents = maxevents; + esed.events = events; + +- return ep_scan_ready_list(ep, ep_send_events_proc, &esed); ++ return ep_scan_ready_list(ep, ep_send_events_proc, &esed, 0); + } + + static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, +@@ -1218,7 +1229,7 @@ static int ep_loop_check_proc(void *priv, void *cookie, int call_nests) + struct rb_node *rbp; + struct epitem *epi; + +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, call_nests + 1); + for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) { + epi = rb_entry(rbp, struct epitem, rbn); + if (unlikely(is_file_epoll(epi->ffd.file))) { +@@ -1360,7 +1371,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, int, op, int, fd, + } + + +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, 0); + + /* + * Try to lookup the file inside our RB tree, Since we grabbed "mtx" +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ext2-ext3-ext4-don-t-inherit-APPEND_FL-or-IMMUTABLE_.patch b/queue/ext2-ext3-ext4-don-t-inherit-APPEND_FL-or-IMMUTABLE_.patch new file mode 100644 index 0000000..d1f08ce --- /dev/null +++ b/queue/ext2-ext3-ext4-don-t-inherit-APPEND_FL-or-IMMUTABLE_.patch @@ -0,0 +1,64 @@ +From 1e93c8f6953ceaca15ec6f629134c95fd316fc7e Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 31 Aug 2011 11:54:51 -0400 +Subject: [PATCH] ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for + new inodes + +commit 1cd9f0976aa4606db8d6e3dc3edd0aca8019372a upstream. + +This doesn't make much sense, and it exposes a bug in the kernel where +attempts to create a new file in an append-only directory using +O_CREAT will fail (but still leave a zero-length file). This was +discovered when xfstests #79 was generalized so it could run on all +file systems. + +Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h +index 650ef37..f842e7d 100644 +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -302,8 +302,7 @@ struct flex_groups { + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT4_FL_INHERITED (EXT4_SECRM_FL | EXT4_UNRM_FL | EXT4_COMPR_FL |\ +- EXT4_SYNC_FL | EXT4_IMMUTABLE_FL | EXT4_APPEND_FL |\ +- EXT4_NODUMP_FL | EXT4_NOATIME_FL |\ ++ EXT4_SYNC_FL | EXT4_NODUMP_FL | EXT4_NOATIME_FL |\ + EXT4_NOCOMPR_FL | EXT4_JOURNAL_DATA_FL |\ + EXT4_NOTAIL_FL | EXT4_DIRSYNC_FL) + +diff --git a/include/linux/ext2_fs.h b/include/linux/ext2_fs.h +index 2dfa707..0bfcb76 100644 +--- a/include/linux/ext2_fs.h ++++ b/include/linux/ext2_fs.h +@@ -196,8 +196,8 @@ struct ext2_group_desc + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT2_FL_INHERITED (EXT2_SECRM_FL | EXT2_UNRM_FL | EXT2_COMPR_FL |\ +- EXT2_SYNC_FL | EXT2_IMMUTABLE_FL | EXT2_APPEND_FL |\ +- EXT2_NODUMP_FL | EXT2_NOATIME_FL | EXT2_COMPRBLK_FL|\ ++ EXT2_SYNC_FL | EXT2_NODUMP_FL |\ ++ EXT2_NOATIME_FL | EXT2_COMPRBLK_FL |\ + EXT2_NOCOMP_FL | EXT2_JOURNAL_DATA_FL |\ + EXT2_NOTAIL_FL | EXT2_DIRSYNC_FL) + +diff --git a/include/linux/ext3_fs.h b/include/linux/ext3_fs.h +index 5f494b4..2d861bc 100644 +--- a/include/linux/ext3_fs.h ++++ b/include/linux/ext3_fs.h +@@ -180,8 +180,8 @@ struct ext3_group_desc + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT3_FL_INHERITED (EXT3_SECRM_FL | EXT3_UNRM_FL | EXT3_COMPR_FL |\ +- EXT3_SYNC_FL | EXT3_IMMUTABLE_FL | EXT3_APPEND_FL |\ +- EXT3_NODUMP_FL | EXT3_NOATIME_FL | EXT3_COMPRBLK_FL|\ ++ EXT3_SYNC_FL | EXT3_NODUMP_FL |\ ++ EXT3_NOATIME_FL | EXT3_COMPRBLK_FL |\ + EXT3_NOCOMPR_FL | EXT3_JOURNAL_DATA_FL |\ + EXT3_NOTAIL_FL | EXT3_DIRSYNC_FL) + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/fs-9p-Fid-is-not-valid-after-a-failed-clunk.patch b/queue/fs-9p-Fid-is-not-valid-after-a-failed-clunk.patch new file mode 100644 index 0000000..6ceac77 --- /dev/null +++ b/queue/fs-9p-Fid-is-not-valid-after-a-failed-clunk.patch @@ -0,0 +1,34 @@ +From 5efd7837c84e48ea89436323be4777532c2ea74f Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> +Date: Mon, 11 Jul 2011 16:40:58 +0000 +Subject: [PATCH] fs/9p: Fid is not valid after a failed clunk. + +commit 5034990e28efb2d232ee82443a9edd62defd17ba upstream. + +free the fid even in case of failed clunk. + +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/9p/client.c b/net/9p/client.c +index f7bf503..7f1c085 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1114,9 +1114,11 @@ int p9_client_clunk(struct p9_fid *fid) + P9_DPRINTK(P9_DEBUG_9P, "<<< RCLUNK fid %d\n", fid->fid); + + p9_free_req(clnt, req); +- p9_fid_destroy(fid); +- + error: ++ /* ++ * Fid is not valid even after a failed clunk ++ */ ++ p9_fid_destroy(fid); + return err; + } + EXPORT_SYMBOL(p9_client_clunk); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/hvc_console-Improve-tty-console-put_chars-handling.patch b/queue/hvc_console-Improve-tty-console-put_chars-handling.patch new file mode 100644 index 0000000..a4eea17 --- /dev/null +++ b/queue/hvc_console-Improve-tty-console-put_chars-handling.patch @@ -0,0 +1,58 @@ +From 230ee59de286a459a37417eb797af77bd8cb0642 Mon Sep 17 00:00:00 2001 +From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> +Date: Tue, 5 Jul 2011 21:50:18 +0000 +Subject: [PATCH] hvc_console: Improve tty/console put_chars handling + +commit 8c2381af0d3ef62a681dac5a141b6dabb27bf2e1 upstream. + +Currently, the hvc_console_print() function drops console output if the +hvc backend's put_chars() returns 0. This patch changes this behavior +to allow a retry through returning -EAGAIN. + +This change also affects the hvc_push() function. Both functions are +changed to handle -EAGAIN and to retry the put_chars() operation. + +If a hvc backend returns -EAGAIN, the retry handling differs: + + - hvc_console_print() spins to write the complete console output. + - hvc_push() behaves the same way as for returning 0. + +Now hvc backends can indirectly control the way how console output is +handled through the hvc console layer. + +Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> +Acked-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +[PG: map drivers/tty/hvc/ --> drivers/char for v2.6.34 baseline] + +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/char/hvc_console.c b/drivers/char/hvc_console.c +index 35cca4c..8417efe 100644 +--- a/drivers/char/hvc_console.c ++++ b/drivers/char/hvc_console.c +@@ -163,8 +163,10 @@ static void hvc_console_print(struct console *co, const char *b, + } else { + r = cons_ops[index]->put_chars(vtermnos[index], c, i); + if (r <= 0) { +- /* throw away chars on error */ +- i = 0; ++ /* throw away characters on error ++ * but spin in case of -EAGAIN */ ++ if (r != -EAGAIN) ++ i = 0; + } else if (r > 0) { + i -= r; + if (i > 0) +@@ -448,7 +450,7 @@ static int hvc_push(struct hvc_struct *hp) + + n = hp->ops->put_chars(hp->vtermno, hp->outbuf, hp->n_outbuf); + if (n <= 0) { +- if (n == 0) { ++ if (n == 0 || n == -EAGAIN) { + hp->do_wakeup = 1; + return 0; + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/hwmon-w83627ehf-Properly-report-thermal-diode-sensor.patch b/queue/hwmon-w83627ehf-Properly-report-thermal-diode-sensor.patch new file mode 100644 index 0000000..9329917 --- /dev/null +++ b/queue/hwmon-w83627ehf-Properly-report-thermal-diode-sensor.patch @@ -0,0 +1,66 @@ +From 4920c146e4b8a8fe16dce40e0bf331966fa3b023 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <khali@linux-fr.org> +Date: Thu, 13 Oct 2011 15:49:08 -0400 +Subject: [PATCH] hwmon: (w83627ehf) Properly report thermal diode sensors + +commit bf164c58e58328c40ebc597a8ac00cc6840f9703 upstream. + +The w83627ehf driver is improperly reporting thermal diode sensors as +type 2, instead of 3. This caused "sensors" and possibly other +monitoring tools to report these sensors as "transistor" instead of +"thermal diode". + +Furthermore, diode subtype selection (CPU vs. external) is only +supported by the original W83627EHF/EHG. All later models only support +CPU diode type, and some (NCT6776F) don't even have the register in +question so we should avoid reading from it. + +Signed-off-by: Jean Delvare <khali@linux-fr.org> +Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/hwmon/w83627ehf.c b/drivers/hwmon/w83627ehf.c +index dc53e61..4473207 100644 +--- a/drivers/hwmon/w83627ehf.c ++++ b/drivers/hwmon/w83627ehf.c +@@ -1284,7 +1284,8 @@ static void w83627ehf_device_remove_files(struct device *dev) + } + + /* Get the monitoring functions started */ +-static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data) ++static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data, ++ enum kinds kind) + { + int i; + u8 tmp, diode; +@@ -1313,10 +1314,16 @@ static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data) + w83627ehf_write_value(data, W83627EHF_REG_VBAT, tmp | 0x01); + + /* Get thermal sensor types */ +- diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); ++ switch (kind) { ++ case w83627ehf: ++ diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); ++ break; ++ default: ++ diode = 0x70; ++ } + for (i = 0; i < 3; i++) { + if ((tmp & (0x02 << i))) +- data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 2; ++ data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 3; + else + data->temp_type[i] = 4; /* thermistor */ + } +@@ -1364,7 +1371,7 @@ static int __devinit w83627ehf_probe(struct platform_device *pdev) + } + + /* Initialize the chip */ +- w83627ehf_init_device(data); ++ w83627ehf_init_device(data, sio_data->kind); + + data->vrm = vid_which_vrm(); + superio_enter(sio_data->sioreg); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/iommu-amd-Fix-wrong-shift-direction.patch b/queue/iommu-amd-Fix-wrong-shift-direction.patch new file mode 100644 index 0000000..30de39c --- /dev/null +++ b/queue/iommu-amd-Fix-wrong-shift-direction.patch @@ -0,0 +1,30 @@ +From 84a2c43d37cf5cf616c20ef6d84dbbaef6dbf1f3 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel <joerg.roedel@amd.com> +Date: Tue, 11 Oct 2011 17:41:32 +0200 +Subject: [PATCH] iommu/amd: Fix wrong shift direction + +commit fcd0861db1cf4e6ed99f60a815b7b72c2ed36ea4 upstream. + +The shift direction was wrong because the function takes a +page number and i is the address is the loop. + +Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> +[PG: drivers/iommu/ was arch/x86/kernel/ in 2.6.34 context] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/x86/kernel/amd_iommu.c b/arch/x86/kernel/amd_iommu.c +index 1aae617..74ce61d 100644 +--- a/arch/x86/kernel/amd_iommu.c ++++ b/arch/x86/kernel/amd_iommu.c +@@ -1046,7 +1046,7 @@ static int alloc_new_range(struct dma_ops_domain *dma_dom, + if (!pte || !IOMMU_PTE_PRESENT(*pte)) + continue; + +- dma_ops_reserve_addresses(dma_dom, i << PAGE_SHIFT, 1); ++ dma_ops_reserve_addresses(dma_dom, i >> PAGE_SHIFT, 1); + } + + update_domain(&dma_dom->domain); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ipr-Always-initiate-hard-reset-in-kdump-kernel.patch b/queue/ipr-Always-initiate-hard-reset-in-kdump-kernel.patch new file mode 100644 index 0000000..c0cafcf --- /dev/null +++ b/queue/ipr-Always-initiate-hard-reset-in-kdump-kernel.patch @@ -0,0 +1,37 @@ +From 9f640ccf500f04016c64daa2da061c98bbac5290 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard <anton@samba.org> +Date: Mon, 1 Aug 2011 19:43:45 +1000 +Subject: [PATCH] ipr: Always initiate hard reset in kdump kernel + +commit 5d7c20b7fa5c6ca19e871b4050e321c99d32bd43 upstream. + +During kdump testing I noticed timeouts when initialising each IPR +adapter. While the driver has logic to detect an adapter in an +indeterminate state, it wasn't triggering and each adapter went +through a 5 minute timeout before finally going operational. + +Some analysis showed the needs_hard_reset flag wasn't getting set. +We can check the reset_devices kernel parameter which is set by +kdump and force a full reset. This fixes the problem. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Acked-by: Brian King <brking@linux.vnet.ibm.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/ipr.c b/drivers/scsi/ipr.c +index 520461b..771eb42 100644 +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -8543,7 +8543,7 @@ static int __devinit ipr_probe_ioa(struct pci_dev *pdev, + uproc = readl(ioa_cfg->regs.sense_uproc_interrupt_reg32); + if ((mask & IPR_PCII_HRRQ_UPDATED) == 0 || (uproc & IPR_UPROCI_RESET_ALERT)) + ioa_cfg->needs_hard_reset = 1; +- if (interrupts & IPR_PCII_ERROR_INTERRUPTS) ++ if ((interrupts & IPR_PCII_ERROR_INTERRUPTS) || reset_devices) + ioa_cfg->needs_hard_reset = 1; + if (interrupts & IPR_PCII_IOA_UNIT_CHECKED) + ioa_cfg->ioa_unit_checked = 1; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/ipv6-Add-GSO-support-on-forwarding-path.patch b/queue/ipv6-Add-GSO-support-on-forwarding-path.patch new file mode 100644 index 0000000..ae19222 --- /dev/null +++ b/queue/ipv6-Add-GSO-support-on-forwarding-path.patch @@ -0,0 +1,39 @@ +From 34d75d54627d6947086398cb1ee8fe8db28ae25e Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Thu, 27 May 2010 16:14:30 -0700 +Subject: [PATCH] ipv6: Add GSO support on forwarding path + +commit 0aa68271510ae2b221d4b60892103837be63afe4 upstream. + +Currently we disallow GSO packets on the IPv6 forward path. +This patch fixes this. + +Note that I discovered that our existing GSO MTU checks (e.g., +IPv4 forwarding) are buggy in that they skip the check altogether, +when they really should be checking gso_size + header instead. + +I have also been lazy here in that I haven't bothered to segment +the GSO packet by hand before generating an ICMP message. Someone +should add that to be 100% correct. + +Reported-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/ipv6/ip6_output.c b/net/ipv6/ip6_output.c +index 60daecc..2d55954 100644 +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -514,7 +514,7 @@ int ip6_forward(struct sk_buff *skb) + if (mtu < IPV6_MIN_MTU) + mtu = IPV6_MIN_MTU; + +- if (skb->len > mtu) { ++ if (skb->len > mtu && !skb_is_gso(skb)) { + /* Again, force OUTPUT device used as source address */ + skb->dev = dst->dev; + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, mtu); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/irda-fix-smsc-ircc2-section-mismatch-warning.patch b/queue/irda-fix-smsc-ircc2-section-mismatch-warning.patch new file mode 100644 index 0000000..445ec59 --- /dev/null +++ b/queue/irda-fix-smsc-ircc2-section-mismatch-warning.patch @@ -0,0 +1,31 @@ +From ae223a414d7365d5eff466e698fee18b2a3ab7f6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap <randy.dunlap@oracle.com> +Date: Tue, 21 Jun 2011 20:32:53 -0700 +Subject: [PATCH] irda: fix smsc-ircc2 section mismatch warning + +commit f470e5ae34d68880a38aa79ee5c102ebc2a1aef6 upstream. + +Fix section mismatch warning: + +WARNING: drivers/net/irda/smsc-ircc2.o(.devinit.text+0x1a7): Section mismatch in reference from the function smsc_ircc_pnp_probe() to the function .init.text:smsc_ircc_open() + +Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/irda/smsc-ircc2.c b/drivers/net/irda/smsc-ircc2.c +index 6af84d8..ab971f9 100644 +--- a/drivers/net/irda/smsc-ircc2.c ++++ b/drivers/net/irda/smsc-ircc2.c +@@ -515,7 +515,7 @@ static const struct net_device_ops smsc_ircc_netdev_ops = { + * Try to open driver instance + * + */ +-static int __init smsc_ircc_open(unsigned int fir_base, unsigned int sir_base, u8 dma, u8 irq) ++static int __devinit smsc_ircc_open(unsigned int fir_base, unsigned int sir_base, u8 dma, u8 irq) + { + struct smsc_ircc_cb *self; + struct net_device *dev; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/kmod-prevent-kmod_loop_msg-overflow-in-__request_mod.patch b/queue/kmod-prevent-kmod_loop_msg-overflow-in-__request_mod.patch new file mode 100644 index 0000000..3f242a0 --- /dev/null +++ b/queue/kmod-prevent-kmod_loop_msg-overflow-in-__request_mod.patch @@ -0,0 +1,39 @@ +From 154171e041153227e856a2c1ae312678163d39ad Mon Sep 17 00:00:00 2001 +From: Jiri Kosina <jkosina@suse.cz> +Date: Wed, 26 Oct 2011 13:10:39 +1030 +Subject: [PATCH] kmod: prevent kmod_loop_msg overflow in __request_module() + +commit 37252db6aa576c34fd794a5a54fb32d7a8b3a07a upstream. + +Due to post-increment in condition of kmod_loop_msg in __request_module(), +the system log can be spammed by much more than 5 instances of the 'runaway +loop' message if the number of events triggering it makes the kmod_loop_msg +to overflow. + +Fix that by making sure we never increment it past the threshold. + +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/kernel/kmod.c b/kernel/kmod.c +index bf0e231..f50a996 100644 +--- a/kernel/kmod.c ++++ b/kernel/kmod.c +@@ -106,10 +106,12 @@ int __request_module(bool wait, const char *fmt, ...) + atomic_inc(&kmod_concurrent); + if (atomic_read(&kmod_concurrent) > max_modprobes) { + /* We may be blaming an innocent here, but unlikely */ +- if (kmod_loop_msg++ < 5) ++ if (kmod_loop_msg < 5) { + printk(KERN_ERR + "request_module: runaway loop modprobe %s\n", + module_name); ++ kmod_loop_msg++; ++ } + atomic_dec(&kmod_concurrent); + return -ENOMEM; + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/kobj_uevent-Ignore-if-some-listeners-cannot-handle-m.patch b/queue/kobj_uevent-Ignore-if-some-listeners-cannot-handle-m.patch new file mode 100644 index 0000000..6f890b7 --- /dev/null +++ b/queue/kobj_uevent-Ignore-if-some-listeners-cannot-handle-m.patch @@ -0,0 +1,37 @@ +From 44bb14ce6bb206f38edce55757cbe45733d896f7 Mon Sep 17 00:00:00 2001 +From: Milan Broz <mbroz@redhat.com> +Date: Mon, 22 Aug 2011 15:51:34 +0200 +Subject: [PATCH] kobj_uevent: Ignore if some listeners cannot handle message + +commit ebf4127cd677e9781b450e44dfaaa1cc595efcaa upstream. + +kobject_uevent() uses a multicast socket and should ignore +if one of listeners cannot handle messages or nobody is +listening at all. + +Easily reproducible when a process in system is cloned +with CLONE_NEWNET flag. + +(See also http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/5256) + +Signed-off-by: Milan Broz <mbroz@redhat.com> +Acked-by: Kay Sievers <kay.sievers@vrfy.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/lib/kobject_uevent.c b/lib/kobject_uevent.c +index 7b48d44..0273ead 100644 +--- a/lib/kobject_uevent.c ++++ b/lib/kobject_uevent.c +@@ -236,7 +236,7 @@ int kobject_uevent_env(struct kobject *kobj, enum kobject_action action, + retval = netlink_broadcast(uevent_sock, skb, 0, 1, + GFP_KERNEL); + /* ENOBUFS should be handled in userspace */ +- if (retval == -ENOBUFS) ++ if (retval == -ENOBUFS || retval == -ESRCH) + retval = 0; + } else + retval = -ENOMEM; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/libiscsi_tcp-fix-LLD-data-allocation.patch b/queue/libiscsi_tcp-fix-LLD-data-allocation.patch new file mode 100644 index 0000000..589df9b --- /dev/null +++ b/queue/libiscsi_tcp-fix-LLD-data-allocation.patch @@ -0,0 +1,55 @@ +From f0a439299ae86d55aafa2b530d9d61c41e6d7c4a Mon Sep 17 00:00:00 2001 +From: Mike Christie <michaelc@cs.wisc.edu> +Date: Fri, 24 Jun 2011 15:11:55 -0500 +Subject: [PATCH] libiscsi_tcp: fix LLD data allocation + +commit 74dcd0ec735ba9c5bef254b2f6e53068cf3f9ff0 upstream. + +Have libiscsi_tcp have upper layers allocate the LLD data +along with the iscsi_cls_conn struct, so it is refcounted. + +Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/libiscsi_tcp.c b/drivers/scsi/libiscsi_tcp.c +index 5c92620..b90bb2a 100644 +--- a/drivers/scsi/libiscsi_tcp.c ++++ b/drivers/scsi/libiscsi_tcp.c +@@ -1073,7 +1073,8 @@ iscsi_tcp_conn_setup(struct iscsi_cls_session *cls_session, int dd_data_size, + struct iscsi_cls_conn *cls_conn; + struct iscsi_tcp_conn *tcp_conn; + +- cls_conn = iscsi_conn_setup(cls_session, sizeof(*tcp_conn), conn_idx); ++ cls_conn = iscsi_conn_setup(cls_session, ++ sizeof(*tcp_conn) + dd_data_size, conn_idx); + if (!cls_conn) + return NULL; + conn = cls_conn->dd_data; +@@ -1085,22 +1086,13 @@ iscsi_tcp_conn_setup(struct iscsi_cls_session *cls_session, int dd_data_size, + + tcp_conn = conn->dd_data; + tcp_conn->iscsi_conn = conn; +- +- tcp_conn->dd_data = kzalloc(dd_data_size, GFP_KERNEL); +- if (!tcp_conn->dd_data) { +- iscsi_conn_teardown(cls_conn); +- return NULL; +- } ++ tcp_conn->dd_data = conn->dd_data + sizeof(*tcp_conn); + return cls_conn; + } + EXPORT_SYMBOL_GPL(iscsi_tcp_conn_setup); + + void iscsi_tcp_conn_teardown(struct iscsi_cls_conn *cls_conn) + { +- struct iscsi_conn *conn = cls_conn->dd_data; +- struct iscsi_tcp_conn *tcp_conn = conn->dd_data; +- +- kfree(tcp_conn->dd_data); + iscsi_conn_teardown(cls_conn); + } + EXPORT_SYMBOL_GPL(iscsi_tcp_conn_teardown); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/libsas-fix-failure-to-revalidate-domain-for-anything.patch b/queue/libsas-fix-failure-to-revalidate-domain-for-anything.patch new file mode 100644 index 0000000..0558bab --- /dev/null +++ b/queue/libsas-fix-failure-to-revalidate-domain-for-anything.patch @@ -0,0 +1,43 @@ +From 5a71af725df555c93fd838fbf65c7b2b7dc7367f Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Date: Thu, 1 Sep 2011 06:11:17 -0700 +Subject: [PATCH] libsas: fix failure to revalidate domain for anything but + the first expander child. + +commit 24926dadc41cc566e974022b0e66231b82c6375f upstream. + +In an enclosure model where there are chaining expanders to a large body +of storage, it was discovered that libsas, responding to a broadcast +event change, would only revalidate the domain of first child expander +in the list. + +The issue is that the pointer value to the discovered source device was +used to break out of the loop, rather than the content of the pointer. + +This still remains non-compliant as the revalidate domain code is +supposed to loop through all child expanders, and not stop at the first +one it finds that reports a change count. However, the design of this +routine does not allow multiple device discoveries and that would be a +more complicated set of patches reserved for another day. We are fixing +the glaring bug rather than refactoring the code. + +Signed-off-by: Mark Salyzyn <msalyzyn@us.xyratex.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index fbf0a09..46acf74 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -1713,7 +1713,7 @@ static int sas_find_bcast_dev(struct domain_device *dev, + list_for_each_entry(ch, &ex->children, siblings) { + if (ch->dev_type == EDGE_DEV || ch->dev_type == FANOUT_DEV) { + res = sas_find_bcast_dev(ch, src_dev); +- if (src_dev) ++ if (*src_dev) + return res; + } + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/libsas-fix-panic-when-single-phy-is-disabled-on-a-wi.patch b/queue/libsas-fix-panic-when-single-phy-is-disabled-on-a-wi.patch new file mode 100644 index 0000000..15fc0e6 --- /dev/null +++ b/queue/libsas-fix-panic-when-single-phy-is-disabled-on-a-wi.patch @@ -0,0 +1,110 @@ +From 706140add4d8207236ccfa7694fdbb04705f1add Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Date: Thu, 22 Sep 2011 08:32:23 -0700 +Subject: [PATCH] libsas: fix panic when single phy is disabled on a wide port + +commit a73914c35b05d80f8ce78288e10056c91090b666 upstream. + +When a wide port is being utilized to a target, if one disables only one +of the +phys, we get an OS crash: + +BUG: unable to handle kernel NULL pointer dereference at +0000000000000238 +IP: [<ffffffff814ca9b1>] mutex_lock+0x21/0x50 +PGD 4103f5067 PUD 41dba9067 PMD 0 +Oops: 0002 [#1] SMP +last sysfs file: /sys/bus/pci/slots/5/address +CPU 0 +Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4 +ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl +auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt +llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom +dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt +iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3 +jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix +libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001] + +Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4 +ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl +auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt +llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom +dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt +iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3 +jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix +libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001] +Pid: 5146, comm: scsi_wq_5 Not tainted +2.6.32-71.29.1.el6.lustre.7.x86_64 #1 Storage Server +RIP: 0010:[<ffffffff814ca9b1>] [<ffffffff814ca9b1>] +mutex_lock+0x21/0x50 +RSP: 0018:ffff8803e4e33d30 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000238 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff8803e664c800 RDI: 0000000000000238 +RBP: ffff8803e4e33d40 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +R13: 0000000000000238 R14: ffff88041acb7200 R15: ffff88041c51ada0 +FS: 0000000000000000(0000) GS:ffff880028200000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b +CR2: 0000000000000238 CR3: 0000000410143000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process scsi_wq_5 (pid: 5146, threadinfo ffff8803e4e32000, task +ffff8803e4e294a0) +Stack: + ffff8803e664c800 0000000000000000 ffff8803e4e33d70 ffffffffa001f06e +<0> ffff8803e4e33d60 ffff88041c51ada0 ffff88041acb7200 ffff88041bc0aa00 +<0> ffff8803e4e33d90 ffffffffa0032b6c 0000000000000014 ffff88041acb7200 +Call Trace: + [<ffffffffa001f06e>] sas_port_delete_phy+0x2e/0xa0 [scsi_transport_sas] + [<ffffffffa0032b6c>] sas_unregister_devs_sas_addr+0xac/0xe0 [libsas] + [<ffffffffa0034914>] sas_ex_revalidate_domain+0x204/0x330 [libsas] + [<ffffffffa00307f0>] ? sas_revalidate_domain+0x0/0x90 [libsas] + [<ffffffffa0030855>] sas_revalidate_domain+0x65/0x90 [libsas] + [<ffffffff8108c7d0>] worker_thread+0x170/0x2a0 + [<ffffffff81091ea0>] ? autoremove_wake_function+0x0/0x40 + [<ffffffff8108c660>] ? worker_thread+0x0/0x2a0 + [<ffffffff81091b36>] kthread+0x96/0xa0 + [<ffffffff810141ca>] child_rip+0xa/0x20 + [<ffffffff81091aa0>] ? kthread+0x0/0xa0 + [<ffffffff810141c0>] ? child_rip+0x0/0x20 +Code: ff ff 85 c0 75 ed eb d6 66 90 55 48 89 e5 48 83 ec 10 48 89 1c 24 +4c 89 64 24 08 0f 1f 44 00 00 48 89 fb e8 92 f4 ff ff 48 89 df <f0> ff +0f 79 05 e8 25 00 00 00 65 48 8b 04 25 08 cc 00 00 48 2d +RIP [<ffffffff814ca9b1>] mutex_lock+0x21/0x50 + RSP <ffff8803e4e33d30> +CR2: 0000000000000238 + +The following patch is admittedly a band-aid, and does not solve the +root cause, but it still is a good candidate for hardening as a pointer +check before reference. + +Signed-off-by: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Tested-by: Jack Wang <jack_wang@usish.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 46acf74..7107bbc 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -1758,10 +1758,12 @@ static void sas_unregister_devs_sas_addr(struct domain_device *parent, + sas_disable_routing(parent, phy->attached_sas_addr); + } + memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); +- sas_port_delete_phy(phy->port, phy->phy); +- if (phy->port->num_phys == 0) +- sas_port_delete(phy->port); +- phy->port = NULL; ++ if (phy->port) { ++ sas_port_delete_phy(phy->port, phy->phy); ++ if (phy->port->num_phys == 0) ++ sas_port_delete(phy->port); ++ phy->port = NULL; ++ } + } + + static int sas_discover_bfs_by_root_level(struct domain_device *root, +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/libsas-set-sas_address-and-device-type-of-rphy.patch b/queue/libsas-set-sas_address-and-device-type-of-rphy.patch new file mode 100644 index 0000000..bb678f9 --- /dev/null +++ b/queue/libsas-set-sas_address-and-device-type-of-rphy.patch @@ -0,0 +1,31 @@ +From 6ad641d66a13c048eaa4a129d97403c36fe9f932 Mon Sep 17 00:00:00 2001 +From: Jack Wang <jack_wang@usish.com> +Date: Fri, 23 Sep 2011 14:32:32 +0800 +Subject: [PATCH] libsas: set sas_address and device type of rphy + +commit bb041a0e9c31229071b6e56e1d0d8374af0d2038 upstream. + +Libsas forget to set the sas_address and device type of rphy lead to file +under /sys/class/sas_x show wrong value, fix that. + +Signed-off-by: Jack Wang <jack_wang@usish.com> +Tested-by: Crystal Yu <crystal_yu@usish.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index 7107bbc..4ee42bb 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -199,6 +199,8 @@ static void sas_set_ex_phy(struct domain_device *dev, int phy_id, + phy->virtual = dr->virtual; + phy->last_da_index = -1; + ++ phy->phy->identify.sas_address = SAS_ADDR(phy->attached_sas_addr); ++ phy->phy->identify.device_type = phy->attached_dev_type; + phy->phy->identify.initiator_port_protocols = phy->attached_iproto; + phy->phy->identify.target_port_protocols = phy->attached_tproto; + phy->phy->identify.phy_identifier = phy_id; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/md-Fix-handling-for-devices-from-2TB-to-4TB-in-0.90-.patch b/queue/md-Fix-handling-for-devices-from-2TB-to-4TB-in-0.90-.patch new file mode 100644 index 0000000..e6d66f7 --- /dev/null +++ b/queue/md-Fix-handling-for-devices-from-2TB-to-4TB-in-0.90-.patch @@ -0,0 +1,67 @@ +From 8fa65576f36aa2d630081a40b9651038dbfe9dad Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Sat, 10 Sep 2011 17:21:28 +1000 +Subject: [PATCH] md: Fix handling for devices from 2TB to 4TB in 0.90 + metadata. + +commit 27a7b260f71439c40546b43588448faac01adb93 upstream. + +0.90 metadata uses an unsigned 32bit number to count the number of +kilobytes used from each device. +This should allow up to 4TB per device. +However we multiply this by 2 (to get sectors) before casting to a +larger type, so sizes above 2TB get truncated. + +Also we allow rdev->sectors to be larger than 4TB, so it is possible +for the array to be resized larger than the metadata can handle. +So make sure rdev->sectors never exceeds 4TB when 0.90 metadata is in +used. + +Also the sanity check at the end of super_90_load should include level +1 as it used ->size too. (RAID0 and Linear don't use ->size at all). + +Reported-by: Pim Zandbergen <P.Zandbergen@macroscoop.nl> +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/md/md.c b/drivers/md/md.c +index d26df7f..4788c82 100644 +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -985,8 +985,11 @@ static int super_90_load(mdk_rdev_t *rdev, mdk_rdev_t *refdev, int minor_version + ret = 0; + } + rdev->sectors = rdev->sb_start; ++ /* Limit to 4TB as metadata cannot record more than that */ ++ if (rdev->sectors >= (2ULL << 32)) ++ rdev->sectors = (2ULL << 32) - 2; + +- if (rdev->sectors < sb->size * 2 && sb->level > 1) ++ if (rdev->sectors < ((sector_t)sb->size) * 2 && sb->level >= 1) + /* "this cannot possibly happen" ... */ + ret = -EINVAL; + +@@ -1021,7 +1024,7 @@ static int super_90_validate(mddev_t *mddev, mdk_rdev_t *rdev) + mddev->clevel[0] = 0; + mddev->layout = sb->layout; + mddev->raid_disks = sb->raid_disks; +- mddev->dev_sectors = sb->size * 2; ++ mddev->dev_sectors = ((sector_t)sb->size) * 2; + mddev->events = ev1; + mddev->bitmap_info.offset = 0; + mddev->bitmap_info.default_offset = MD_SB_BYTES >> 9; +@@ -1260,6 +1263,11 @@ super_90_rdev_size_change(mdk_rdev_t *rdev, sector_t num_sectors) + rdev->sb_start = calc_dev_sboffset(rdev->bdev); + if (!num_sectors || num_sectors > rdev->sb_start) + num_sectors = rdev->sb_start; ++ /* Limit to 4TB as metadata cannot record more than that. ++ * 4TB == 2^32 KB, or 2*2^32 sectors. ++ */ ++ if (num_sectors >= (2ULL << 32)) ++ num_sectors = (2ULL << 32) - 2; + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); + md_super_wait(rdev->mddev); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/md-linear-avoid-corrupting-structure-while-waiting-f.patch b/queue/md-linear-avoid-corrupting-structure-while-waiting-f.patch new file mode 100644 index 0000000..fe18f9e --- /dev/null +++ b/queue/md-linear-avoid-corrupting-structure-while-waiting-f.patch @@ -0,0 +1,33 @@ +From 7725f7bb1cf84eb19876fe72deb941adf36d3fc8 Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Thu, 25 Aug 2011 14:43:53 +1000 +Subject: [PATCH] md/linear: avoid corrupting structure while waiting for + rcu_free to complete. + +commit 1b6afa17581027218088a18a9ceda600e0ddba7a upstream. + +I don't know what I was thinking putting 'rcu' after a dynamically +sized array! The array could still be in use when we call rcu_free() +(That is the point) so we mustn't corrupt it. + +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/md/linear.h b/drivers/md/linear.h +index 0ce29b6..2f2da05 100644 +--- a/drivers/md/linear.h ++++ b/drivers/md/linear.h +@@ -10,9 +10,9 @@ typedef struct dev_info dev_info_t; + + struct linear_private_data + { ++ struct rcu_head rcu; + sector_t array_sectors; + dev_info_t disks[0]; +- struct rcu_head rcu; + }; + + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/net-9p-Fix-the-msize-calculation.patch b/queue/net-9p-Fix-the-msize-calculation.patch new file mode 100644 index 0000000..465b60b --- /dev/null +++ b/queue/net-9p-Fix-the-msize-calculation.patch @@ -0,0 +1,32 @@ +From 5206e9ab039361176450a29586123c1e08dfa900 Mon Sep 17 00:00:00 2001 +From: "Venkateswararao Jujjuri (JV)" <jvrao@linux.vnet.ibm.com> +Date: Wed, 29 Jun 2011 18:06:33 -0700 +Subject: [PATCH] net/9p: Fix the msize calculation. + +commit c9ffb05ca5b5098d6ea468c909dd384d90da7d54 upstream. + +msize represents the maximum PDU size that includes P9_IOHDRSZ. + +Signed-off-by: Venkateswararao Jujjuri "<jvrao@linux.vnet.ibm.com> +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/9p/client.c b/net/9p/client.c +index 7f1c085..4fb9791 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -775,8 +775,8 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) + if (err) + goto destroy_fidpool; + +- if ((clnt->msize+P9_IOHDRSZ) > clnt->trans_mod->maxsize) +- clnt->msize = clnt->trans_mod->maxsize-P9_IOHDRSZ; ++ if (clnt->msize > clnt->trans_mod->maxsize) ++ clnt->msize = clnt->trans_mod->maxsize; + + err = p9_client_version(clnt); + if (err) +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/net-9p-fix-client-code-to-fail-more-gracefully-on-pr.patch b/queue/net-9p-fix-client-code-to-fail-more-gracefully-on-pr.patch new file mode 100644 index 0000000..0bd4230 --- /dev/null +++ b/queue/net-9p-fix-client-code-to-fail-more-gracefully-on-pr.patch @@ -0,0 +1,32 @@ +From b8b7789a2b1148fb155bbe0e79dfd5efcdf18171 Mon Sep 17 00:00:00 2001 +From: Eric Van Hensbergen <ericvh@gmail.com> +Date: Wed, 13 Jul 2011 19:12:18 -0500 +Subject: [PATCH] net/9p: fix client code to fail more gracefully on protocol + error + +commit b85f7d92d7bd7e3298159e8b1eed8cb8cbbb0348 upstream. + +There was a BUG_ON to protect against a bad id which could be dealt with +more gracefully. + +Reported-by: Natalie Orlin <norlin@us.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/9p/client.c b/net/9p/client.c +index 0aa79fa..f7bf503 100644 +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -272,7 +272,8 @@ struct p9_req_t *p9_tag_lookup(struct p9_client *c, u16 tag) + * buffer to read the data into */ + tag++; + +- BUG_ON(tag >= c->max_tag); ++ if(tag >= c->max_tag) ++ return NULL; + + row = tag / P9_ROW_MAXTAG; + col = tag % P9_ROW_MAXTAG; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/nfsd4-Remove-check-for-a-32-bit-cookie-in-nfsd4_read.patch b/queue/nfsd4-Remove-check-for-a-32-bit-cookie-in-nfsd4_read.patch new file mode 100644 index 0000000..0ff3550 --- /dev/null +++ b/queue/nfsd4-Remove-check-for-a-32-bit-cookie-in-nfsd4_read.patch @@ -0,0 +1,33 @@ +From 4815f26882019b6b1099edff1689fd2c76befa3e Mon Sep 17 00:00:00 2001 +From: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de> +Date: Mon, 8 Aug 2011 17:38:08 +0200 +Subject: [PATCH] nfsd4: Remove check for a 32-bit cookie in nfsd4_readdir() + +commit 832023bffb4b493f230be901f681020caf3ed1f8 upstream. + +Fan Yong <yong.fan@whamcloud.com> noticed setting +FMODE_32bithash wouldn't work with nfsd v4, as +nfsd4_readdir() checks for 32 bit cookies. However, according to RFC 3530 +cookies have a 64 bit type and cookies are also defined as u64 in +'struct nfsd4_readdir'. So remove the test for >32-bit values. + +Signed-off-by: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/nfsd/nfs4proc.c b/fs/nfsd/nfs4proc.c +index 5046e8b..3b9fcb2 100644 +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -678,7 +678,7 @@ nfsd4_readdir(struct svc_rqst *rqstp, struct nfsd4_compound_state *cstate, + readdir->rd_bmval[1] &= nfsd_suppattrs1(cstate->minorversion); + readdir->rd_bmval[2] &= nfsd_suppattrs2(cstate->minorversion); + +- if ((cookie > ~(u32)0) || (cookie == 1) || (cookie == 2) || ++ if ((cookie == 1) || (cookie == 2) || + (cookie == 0 && memcmp(readdir->rd_verf.data, zeroverf.data, NFS4_VERIFIER_SIZE))) + return nfserr_bad_cookie; + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/nfsd4-ignore-WANT-bits-in-open-downgrade.patch b/queue/nfsd4-ignore-WANT-bits-in-open-downgrade.patch new file mode 100644 index 0000000..20e7bb7 --- /dev/null +++ b/queue/nfsd4-ignore-WANT-bits-in-open-downgrade.patch @@ -0,0 +1,29 @@ +From 1f697b6ebaf167525bbcfaa03a33ff44b0124f58 Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Mon, 10 Oct 2011 17:34:31 -0400 +Subject: [PATCH] nfsd4: ignore WANT bits in open downgrade + +commit c30e92df30d7d5fe65262fbce5d1b7de675fe34e upstream. + +We don't use WANT bits yet--and sending them can probably trigger a +BUG() further down. + +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c +index 6a8feda..aa76339 100644 +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3065,6 +3065,8 @@ nfsd4_open_downgrade(struct svc_rqst *rqstp, + if (!access_valid(od->od_share_access, cstate->minorversion) + || !deny_valid(od->od_share_deny)) + return nfserr_inval; ++ /* We don't yet support WANT bits: */ ++ od->od_share_access &= NFS4_SHARE_ACCESS_MASK; + + nfs4_lock_state(); + if ((status = nfs4_preprocess_seqid_op(cstate, +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-w.patch b/queue/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-w.patch new file mode 100644 index 0000000..f11750e --- /dev/null +++ b/queue/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-w.patch @@ -0,0 +1,52 @@ +From 29bec48392d24419e3f140fcaf8a5c47e3b51f6a Mon Sep 17 00:00:00 2001 +From: Paul Fertser <fercerpav@gmail.com> +Date: Mon, 10 Oct 2011 11:19:23 +0400 +Subject: [PATCH] plat-mxc: iomux-v3.h: implicitly enable pull-up/down when + that's desired + +commit 6571534b600b8ca1936ff5630b9e0947f21faf16 upstream. + +To configure pads during the initialisation a set of special constants +is used, e.g. +#define MX25_PAD_FEC_MDIO__FEC_MDIO IOMUX_PAD(0x3c4, 0x1cc, 0x10, 0, 0, PAD_CTL_HYS | PAD_CTL_PUS_22K_UP) + +The problem is that no pull-up/down is getting activated unless both +PAD_CTL_PUE (pull-up enable) and PAD_CTL_PKE (pull/keeper module +enable) set. This is clearly stated in the i.MX25 datasheet and is +confirmed by the measurements on hardware. This leads to some rather +hard to understand bugs such as misdetecting an absent ethernet PHY (a +real bug i had), unstable data transfer etc. This might affect mx25, +mx35, mx50, mx51 and mx53 SoCs. + +It's reasonable to expect that if the pullup value is specified, the +intention was to have it actually active, so we implicitly add the +needed bits. + +Signed-off-by: Paul Fertser <fercerpav@gmail.com> +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/arm/plat-mxc/include/mach/iomux-v3.h b/arch/arm/plat-mxc/include/mach/iomux-v3.h +index f2f73d3..1f0b102 100644 +--- a/arch/arm/plat-mxc/include/mach/iomux-v3.h ++++ b/arch/arm/plat-mxc/include/mach/iomux-v3.h +@@ -73,11 +73,11 @@ struct pad_desc { + #define PAD_CTL_HYS (1 << 8) + + #define PAD_CTL_PKE (1 << 7) +-#define PAD_CTL_PUE (1 << 6) +-#define PAD_CTL_PUS_100K_DOWN (0 << 4) +-#define PAD_CTL_PUS_47K_UP (1 << 4) +-#define PAD_CTL_PUS_100K_UP (2 << 4) +-#define PAD_CTL_PUS_22K_UP (3 << 4) ++#define PAD_CTL_PUE (1 << 6 | PAD_CTL_PKE) ++#define PAD_CTL_PUS_100K_DOWN (0 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_47K_UP (1 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_100K_UP (2 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_22K_UP (3 << 4 | PAD_CTL_PUE) + + #define PAD_CTL_ODE (1 << 3) + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/powerpc-pci-Check-devices-status-property-when-scann.patch b/queue/powerpc-pci-Check-devices-status-property-when-scann.patch new file mode 100644 index 0000000..c4031ab --- /dev/null +++ b/queue/powerpc-pci-Check-devices-status-property-when-scann.patch @@ -0,0 +1,38 @@ +From 278c7cb6846f739d2a54a990df919b3d72016b6b Mon Sep 17 00:00:00 2001 +From: Sonny Rao <sonnyrao@us.ibm.com> +Date: Mon, 10 May 2010 15:13:41 +0000 +Subject: [PATCH] powerpc/pci: Check devices status property when scanning OF + tree + +commit 5b339bdf164d8aee394609768f7e2e4415b0252a upstream. + +We ran into an issue where it looks like we're not properly ignoring a +pci device with a non-good status property when we walk the device tree +and instanciate the Linux side PCI devices. + +However, the EEH init code does look for the property and disables EEH +on these devices. This leaves us in an inconsistent where we are poking +at a supposedly bad piece of hardware and RTAS will block our config +cycles because EEH isn't enabled anyway. + +Signed-of-by: Sonny Rao <sonnyrao@linux.vnet.ibm.com> + +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/powerpc/kernel/pci_of_scan.c b/arch/powerpc/kernel/pci_of_scan.c +index cd11d5c..6ddb795f 100644 +--- a/arch/powerpc/kernel/pci_of_scan.c ++++ b/arch/powerpc/kernel/pci_of_scan.c +@@ -310,6 +310,8 @@ static void __devinit __of_scan_bus(struct device_node *node, + /* Scan direct children */ + for_each_child_of_node(node, child) { + pr_debug(" * %s\n", child->full_name); ++ if (!of_device_is_available(child)) ++ continue; + reg = of_get_property(child, "reg", ®len); + if (reg == NULL || reglen < 20) + continue; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/qla2xxx-Correct-inadvertent-loop-state-transitions-d.patch b/queue/qla2xxx-Correct-inadvertent-loop-state-transitions-d.patch new file mode 100644 index 0000000..a273d00 --- /dev/null +++ b/queue/qla2xxx-Correct-inadvertent-loop-state-transitions-d.patch @@ -0,0 +1,53 @@ +From 90de630f0221556ce1278cc36db15aac0713def9 Mon Sep 17 00:00:00 2001 +From: Andrew Vasquez <andrew.vasquez@qlogic.com> +Date: Tue, 16 Aug 2011 11:29:28 -0700 +Subject: [PATCH] qla2xxx: Correct inadvertent loop state transitions during + port-update handling. + +commit 58b48576966ed0afd3f63ef17480ec12748a7119 upstream. + +Transitioning to a LOOP_UPDATE loop-state could cause the driver +to miss normal link/target processing. LOOP_UPDATE is a crufty +artifact leftover from at time the driver performed it's own +internal command-queuing. Safely remove this state. + +Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com> +Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/scsi/qla2xxx/qla_init.c b/drivers/scsi/qla2xxx/qla_init.c +index 4229bb4..8e23aa2 100644 +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -3497,15 +3497,12 @@ qla2x00_loop_resync(scsi_qla_host_t *vha) + req = vha->req; + rsp = req->rsp; + +- atomic_set(&vha->loop_state, LOOP_UPDATE); + clear_bit(ISP_ABORT_RETRY, &vha->dpc_flags); + if (vha->flags.online) { + if (!(rval = qla2x00_fw_ready(vha))) { + /* Wait at most MAX_TARGET RSCNs for a stable link. */ + wait_time = 256; + do { +- atomic_set(&vha->loop_state, LOOP_UPDATE); +- + /* Issue a marker after FW becomes ready. */ + qla2x00_marker(vha, req, rsp, 0, 0, + MK_SYNC_ALL); +diff --git a/drivers/scsi/qla2xxx/qla_isr.c b/drivers/scsi/qla2xxx/qla_isr.c +index db539b0..0266b78 100644 +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -724,7 +724,6 @@ skip_rio: + vha->flags.rscn_queue_overflow = 1; + } + +- atomic_set(&vha->loop_state, LOOP_UPDATE); + atomic_set(&vha->loop_down_timer, 0); + vha->flags.management_server_logged_in = 0; + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/rt2x00-do-not-drop-usb-dev-reference-counter-on-susp.patch b/queue/rt2x00-do-not-drop-usb-dev-reference-counter-on-susp.patch new file mode 100644 index 0000000..a566e34 --- /dev/null +++ b/queue/rt2x00-do-not-drop-usb-dev-reference-counter-on-susp.patch @@ -0,0 +1,79 @@ +From 77e7b96dae01713760f07b66f1c8800dfd640d98 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Fri, 12 Aug 2011 14:02:04 +0200 +Subject: [PATCH] rt2x00: do not drop usb dev reference counter on suspend + +commit 543cc38c8fe86deba4169977c61eb88491036837 upstream. + +When hibernating ->resume may not be called by usb core, but disconnect +and probe instead, so we do not increase the counter after decreasing +it in ->supend. As a result we free memory early, and get crash when +unplugging usb dongle. + +BUG: unable to handle kernel paging request at 6b6b6b9f +IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30 +*pdpt = 0000000034f21001 *pde = 0000000000000000 +Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO +EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1 +EIP is at driver_sysfs_remove+0x10/0x30 +EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b +ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000) +Call Trace: + [<c06909ef>] __device_release_driver+0x1f/0xa0 + [<c0690b20>] device_release_driver+0x20/0x40 + [<c068fd64>] bus_remove_device+0x84/0xe0 + [<c068e12a>] ? device_remove_attrs+0x2a/0x80 + [<c068e267>] device_del+0xe7/0x170 + [<c06d93d4>] usb_disconnect+0xd4/0x180 + [<c06d9d61>] hub_thread+0x691/0x1600 + [<c0473260>] ? wake_up_bit+0x30/0x30 + [<c0442a39>] ? complete+0x49/0x60 + [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 + [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 + [<c0472eb4>] kthread+0x74/0x80 + [<c0472e40>] ? kthread_worker_fn+0x150/0x150 + [<c0809b3e>] kernel_thread_helper+0x6/0x10 + +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Acked-by: Ivo van Doorn <IvDoorn@gmail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/net/wireless/rt2x00/rt2x00usb.c b/drivers/net/wireless/rt2x00/rt2x00usb.c +index f9a7f8b..f423c65 100644 +--- a/drivers/net/wireless/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/rt2x00/rt2x00usb.c +@@ -706,18 +706,8 @@ int rt2x00usb_suspend(struct usb_interface *usb_intf, pm_message_t state) + { + struct ieee80211_hw *hw = usb_get_intfdata(usb_intf); + struct rt2x00_dev *rt2x00dev = hw->priv; +- int retval; +- +- retval = rt2x00lib_suspend(rt2x00dev, state); +- if (retval) +- return retval; + +- /* +- * Decrease usbdev refcount. +- */ +- usb_put_dev(interface_to_usbdev(usb_intf)); +- +- return 0; ++ return rt2x00lib_suspend(rt2x00dev, state); + } + EXPORT_SYMBOL_GPL(rt2x00usb_suspend); + +@@ -726,8 +716,6 @@ int rt2x00usb_resume(struct usb_interface *usb_intf) + struct ieee80211_hw *hw = usb_get_intfdata(usb_intf); + struct rt2x00_dev *rt2x00dev = hw->priv; + +- usb_get_dev(interface_to_usbdev(usb_intf)); +- + return rt2x00lib_resume(rt2x00dev); + } + EXPORT_SYMBOL_GPL(rt2x00usb_resume); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/scm-lower-SCM_MAX_FD.patch b/queue/scm-lower-SCM_MAX_FD.patch new file mode 100644 index 0000000..c7bbbd1 --- /dev/null +++ b/queue/scm-lower-SCM_MAX_FD.patch @@ -0,0 +1,73 @@ +From 62f7eb1d289d5cebf2167cb8fdc1e724472a7674 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Tue, 23 Nov 2010 14:09:15 +0000 +Subject: [PATCH] scm: lower SCM_MAX_FD + +commit bba14de98753cb6599a2dae0e520714b2153522d upstream. + +Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are +halved. (commit f8d570a4 added two pointers in this structure) + +scm_fp_dup() should not copy whole structure (and trigger kmemcheck +warnings), but only the used part. While we are at it, only allocate +needed size. + +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/include/net/scm.h b/include/net/scm.h +index 8360e47..8b5cccd 100644 +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -10,11 +10,12 @@ + /* Well, we should have at least one descriptor open + * to accept passed FDs 8) + */ +-#define SCM_MAX_FD 255 ++#define SCM_MAX_FD 253 + + struct scm_fp_list { + struct list_head list; +- int count; ++ short count; ++ short max; + struct file *fp[SCM_MAX_FD]; + }; + +diff --git a/net/core/scm.c b/net/core/scm.c +index b88f6f9..ddc0448 100644 +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -79,10 +79,11 @@ static int scm_fp_copy(struct cmsghdr *cmsg, struct scm_fp_list **fplp) + return -ENOMEM; + *fplp = fpl; + fpl->count = 0; ++ fpl->max = SCM_MAX_FD; + } + fpp = &fpl->fp[fpl->count]; + +- if (fpl->count + num > SCM_MAX_FD) ++ if (fpl->count + num > fpl->max) + return -EINVAL; + + /* +@@ -303,11 +304,12 @@ struct scm_fp_list *scm_fp_dup(struct scm_fp_list *fpl) + if (!fpl) + return NULL; + +- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL); ++ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]), ++ GFP_KERNEL); + if (new_fpl) { +- for (i=fpl->count-1; i>=0; i--) ++ for (i = 0; i < fpl->count; i++) + get_file(fpl->fp[i]); +- memcpy(new_fpl, fpl, sizeof(*fpl)); ++ new_fpl->max = new_fpl->count; + } + return new_fpl; + } +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/series b/queue/series index 4b03111..ad72fac 100644 --- a/queue/series +++ b/queue/series @@ -18,3 +18,91 @@ security-fix-compile-error-in-commoncap.c.patch fcaps-clear-the-same-personality-flags-as-suid-when-.patch KEYS-Fix-a-NULL-pointer-deref-in-the-user-defined-ke.patch locks-fix-checking-of-fcntl_setlease-argument.patch +# content based on v2.6.32.47 additions +USB-ftdi_sio-add-Calao-reference-board-support.patch +USB-EHCI-Do-not-rely-on-PORT_SUSPEND-to-stop-USB-res.patch +rt2x00-do-not-drop-usb-dev-reference-counter-on-susp.patch +atm-br2684-Fix-oops-due-to-skb-dev-being-NULL.patch +sparc-Allow-handling-signals-when-stack-is-corrupted.patch +sparc-fix-array-bounds-error-setting-up-PCIC-NMI-tra.patch +ipv6-Add-GSO-support-on-forwarding-path.patch +GRO-fix-merging-a-paged-skb-after-non-paged-skbs.patch +xen-blkfront-fix-data-size-for-xenbus_gather-in-blkf.patch +md-linear-avoid-corrupting-structure-while-waiting-f.patch +powerpc-pci-Check-devices-status-property-when-scann.patch +xen-x86_32-do-not-enable-iterrupts-when-returning-fr.patch +xen-smp-Warn-user-why-they-keel-over-nosmp-or-noapic.patch +ARM-davinci-da850-EVM-read-mac-address-from-SPI-flas.patch +md-Fix-handling-for-devices-from-2TB-to-4TB-in-0.90-.patch +net-9p-fix-client-code-to-fail-more-gracefully-on-pr.patch +fs-9p-Fid-is-not-valid-after-a-failed-clunk.patch +net-9p-Fix-the-msize-calculation.patch +irda-fix-smsc-ircc2-section-mismatch-warning.patch +qla2xxx-Correct-inadvertent-loop-state-transitions-d.patch +e1000-Fix-driver-to-be-used-on-PA-RISC-C8000-worksta.patch +ASoC-Fix-reporting-of-partial-jack-updates.patch +ALSA-HDA-Cirrus-fix-Surround-Speaker-volume-control-.patch +b43-Fix-beacon-problem-in-ad-hoc-mode.patch +wireless-Reset-beacon_found-while-updating-regulator.patch +USB-PL2303-correctly-handle-baudrates-above-115200.patch +ASIX-Add-AX88772B-USB-ID.patch +hvc_console-Improve-tty-console-put_chars-handling.patch +TPM-Call-tpm_transmit-with-correct-size.patch +TPM-Zero-buffer-after-copying-to-userspace.patch +libiscsi_tcp-fix-LLD-data-allocation.patch +cnic-Improve-NETDEV_UP-event-handling.patch +ALSA-hda-realtek-Avoid-bogus-HP-pin-assignment.patch +3w-9xxx-fix-iommu_iova-leak.patch +aacraid-reset-should-disable-MSI-interrupt.patch +libsas-fix-failure-to-revalidate-domain-for-anything.patch +cfg80211-Fix-validation-of-AKM-suites.patch +libsas-fix-panic-when-single-phy-is-disabled-on-a-wi.patch +ahci-Enable-SB600-64bit-DMA-on-Asus-M3A.patch +HID-usbhid-Add-support-for-SiGma-Micro-chip.patch +hwmon-w83627ehf-Properly-report-thermal-diode-sensor.patch +x25-Prevent-skb-overreads-when-checking-call-user-da.patch +staging-quatech_usb2-Potential-lost-wakeup-scenario-.patch +USB-qcserial-add-device-ID-for-HP-un2430-Mobile-Broa.patch +xhci-mem.c-Check-for-ring-first_seg-NULL.patch +ipr-Always-initiate-hard-reset-in-kdump-kernel.patch +libsas-set-sas_address-and-device-type-of-rphy.patch +ALSA-HDA-Add-new-revision-for-ALC662.patch +x86-Fix-compilation-bug-in-kprobes-twobyte_is_boosta.patch +epoll-fix-spurious-lockdep-warnings.patch +usbmon-vs.-tcpdump-fix-dropped-packet-count.patch +USB-storage-Use-normalized-sense-when-emulating-auto.patch +USB-pid_ns-ensure-pid-is-not-freed-during-kill_pid_i.patch +usb-cdc-acm-Owen-SI-30-support.patch +USB-add-RESET_RESUME-for-webcams-shown-to-be-quirky.patch +USB-pl2303-add-id-for-SMART-device.patch +USB-ftdi_sio-add-PID-for-Sony-Ericsson-Urban.patch +USB-ftdi_sio-Support-TI-Luminary-Micro-Stellaris-BD-.patch +QE-FHCI-fixed-the-CONTROL-bug.patch +Update-email-address-for-stable-patch-submission.patch +kobj_uevent-Ignore-if-some-listeners-cannot-handle-m.patch +kmod-prevent-kmod_loop_msg-overflow-in-__request_mod.patch +time-Change-jiffies_to_clock_t-argument-type-to-unsi.patch +nfsd4-Remove-check-for-a-32-bit-cookie-in-nfsd4_read.patch +nfsd4-ignore-WANT-bits-in-open-downgrade.patch +ASoC-wm8940-Properly-set-codec-dapm.bias_level.patch +ASoC-ak4642-fixup-cache-register-table.patch +ASoC-ak4535-fixup-cache-register-table.patch +KVM-s390-check-cpu_id-prior-to-using-it.patch +S390-ccwgroup-move-attributes-to-attribute-group.patch +iommu-amd-Fix-wrong-shift-direction.patch +carminefb-Fix-module-parameters-permissions.patch +uvcvideo-Set-alternate-setting-0-on-resume-if-the-bu.patch +tuner_xc2028-Allow-selection-of-the-frequency-adjust.patch +plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-w.patch +um-fix-ubd-cow-size.patch +xen-timer-Missing-IRQF_NO_SUSPEND-in-timer-code-brok.patch +thinkpad-acpi-module-autoloading-for-newer-Lenovo-Th.patch +scm-lower-SCM_MAX_FD.patch +deal-with-races-in-proc-syscall-stack-personality.patch +NLM-Don-t-hang-forever-on-NLM-unlock-requests.patch +Bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-us.patch +vm-fix-vm_pgoff-wrap-in-upward-expansion.patch +drivers-net-rionet.c-fix-ethernet-address-macros-for.patch +ext2-ext3-ext4-don-t-inherit-APPEND_FL-or-IMMUTABLE_.patch +USB-Serial-Add-device-ID-for-Sierra-Wireless-MC8305.patch +USB-Serial-Add-PID-0xF7C0-to-FTDI-SIO-driver-for-a-z.patch diff --git a/queue/sparc-Allow-handling-signals-when-stack-is-corrupted.patch b/queue/sparc-Allow-handling-signals-when-stack-is-corrupted.patch new file mode 100644 index 0000000..49f1e72 --- /dev/null +++ b/queue/sparc-Allow-handling-signals-when-stack-is-corrupted.patch @@ -0,0 +1,1166 @@ +From 2e97e743bcf206a58c4e6b02b88f7ab0d9901a4e Mon Sep 17 00:00:00 2001 +From: "David S. Miller" <davem@davemloft.net> +Date: Sat, 20 Aug 2011 17:14:54 -0700 +Subject: [PATCH] sparc: Allow handling signals when stack is corrupted. + +commit 5598473a5b40c47a8c5349dd2c2630797169cf1a upstream. + +If we can't push the pending register windows onto the user's stack, +we disallow signal delivery even if the signal would be delivered on a +valid seperate signal stack. + +Add a register window save area in the signal frame, and store any +unsavable windows there. + +On sigreturn, if any windows are still queued up in the signal frame, +try to push them back onto the stack and if that fails we kill the +process immediately. + +This allows the debug/tst-longjmp_chk2 glibc test case to pass. + +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/sparc/include/asm/sigcontext.h b/arch/sparc/include/asm/sigcontext.h +index a1607d1..69914d7 100644 +--- a/arch/sparc/include/asm/sigcontext.h ++++ b/arch/sparc/include/asm/sigcontext.h +@@ -45,6 +45,19 @@ typedef struct { + int si_mask; + } __siginfo32_t; + ++#define __SIGC_MAXWIN 7 ++ ++typedef struct { ++ unsigned long locals[8]; ++ unsigned long ins[8]; ++} __siginfo_reg_window; ++ ++typedef struct { ++ int wsaved; ++ __siginfo_reg_window reg_window[__SIGC_MAXWIN]; ++ unsigned long rwbuf_stkptrs[__SIGC_MAXWIN]; ++} __siginfo_rwin_t; ++ + #ifdef CONFIG_SPARC64 + typedef struct { + unsigned int si_float_regs [64]; +@@ -73,6 +86,7 @@ struct sigcontext { + unsigned long ss_size; + } sigc_stack; + unsigned long sigc_mask; ++ __siginfo_rwin_t * sigc_rwin_save; + }; + + #else +diff --git a/arch/sparc/kernel/Makefile b/arch/sparc/kernel/Makefile +index 0c2dc1f..d493568 100644 +--- a/arch/sparc/kernel/Makefile ++++ b/arch/sparc/kernel/Makefile +@@ -32,6 +32,7 @@ obj-$(CONFIG_SPARC32) += sun4m_irq.o sun4c_irq.o sun4d_irq.o + + obj-y += process_$(BITS).o + obj-y += signal_$(BITS).o ++obj-y += sigutil_$(BITS).o + obj-$(CONFIG_SPARC32) += ioport.o + obj-y += setup_$(BITS).o + obj-y += idprom.o +diff --git a/arch/sparc/kernel/signal32.c b/arch/sparc/kernel/signal32.c +index 75fad42..1ba95af 100644 +--- a/arch/sparc/kernel/signal32.c ++++ b/arch/sparc/kernel/signal32.c +@@ -29,6 +29,8 @@ + #include <asm/visasm.h> + #include <asm/compat_signal.h> + ++#include "sigutil.h" ++ + #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP))) + + /* This magic should be in g_upper[0] for all upper parts +@@ -44,14 +46,14 @@ typedef struct { + struct signal_frame32 { + struct sparc_stackf32 ss; + __siginfo32_t info; +- /* __siginfo_fpu32_t * */ u32 fpu_save; ++ /* __siginfo_fpu_t * */ u32 fpu_save; + unsigned int insns[2]; + unsigned int extramask[_COMPAT_NSIG_WORDS - 1]; + unsigned int extra_size; /* Should be sizeof(siginfo_extra_v8plus_t) */ + /* Only valid if (info.si_regs.psr & (PSR_VERS|PSR_IMPL)) == PSR_V8PLUS */ + siginfo_extra_v8plus_t v8plus; +- __siginfo_fpu_t fpu_state; +-}; ++ /* __siginfo_rwin_t * */u32 rwin_save; ++} __attribute__((aligned(8))); + + typedef struct compat_siginfo{ + int si_signo; +@@ -110,18 +112,14 @@ struct rt_signal_frame32 { + compat_siginfo_t info; + struct pt_regs32 regs; + compat_sigset_t mask; +- /* __siginfo_fpu32_t * */ u32 fpu_save; ++ /* __siginfo_fpu_t * */ u32 fpu_save; + unsigned int insns[2]; + stack_t32 stack; + unsigned int extra_size; /* Should be sizeof(siginfo_extra_v8plus_t) */ + /* Only valid if (regs.psr & (PSR_VERS|PSR_IMPL)) == PSR_V8PLUS */ + siginfo_extra_v8plus_t v8plus; +- __siginfo_fpu_t fpu_state; +-}; +- +-/* Align macros */ +-#define SF_ALIGNEDSZ (((sizeof(struct signal_frame32) + 15) & (~15))) +-#define RT_ALIGNEDSZ (((sizeof(struct rt_signal_frame32) + 15) & (~15))) ++ /* __siginfo_rwin_t * */u32 rwin_save; ++} __attribute__((aligned(8))); + + int copy_siginfo_to_user32(compat_siginfo_t __user *to, siginfo_t *from) + { +@@ -192,30 +190,13 @@ int copy_siginfo_from_user32(siginfo_t *to, compat_siginfo_t __user *from) + return 0; + } + +-static int restore_fpu_state32(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- unsigned long *fpregs = current_thread_info()->fpregs; +- unsigned long fprs; +- int err; +- +- err = __get_user(fprs, &fpu->si_fprs); +- fprs_write(0); +- regs->tstate &= ~TSTATE_PEF; +- if (fprs & FPRS_DL) +- err |= copy_from_user(fpregs, &fpu->si_float_regs[0], (sizeof(unsigned int) * 32)); +- if (fprs & FPRS_DU) +- err |= copy_from_user(fpregs+16, &fpu->si_float_regs[32], (sizeof(unsigned int) * 32)); +- err |= __get_user(current_thread_info()->xfsr[0], &fpu->si_fsr); +- err |= __get_user(current_thread_info()->gsr[0], &fpu->si_gsr); +- current_thread_info()->fpsaved[0] |= fprs; +- return err; +-} +- + void do_sigreturn32(struct pt_regs *regs) + { + struct signal_frame32 __user *sf; ++ compat_uptr_t fpu_save; ++ compat_uptr_t rwin_save; + unsigned int psr; +- unsigned pc, npc, fpu_save; ++ unsigned pc, npc; + sigset_t set; + unsigned seta[_COMPAT_NSIG_WORDS]; + int err, i; +@@ -273,8 +254,13 @@ void do_sigreturn32(struct pt_regs *regs) + pt_regs_clear_syscall(regs); + + err |= __get_user(fpu_save, &sf->fpu_save); +- if (fpu_save) +- err |= restore_fpu_state32(regs, &sf->fpu_state); ++ if (!err && fpu_save) ++ err |= restore_fpu_state(regs, compat_ptr(fpu_save)); ++ err |= __get_user(rwin_save, &sf->rwin_save); ++ if (!err && rwin_save) { ++ if (restore_rwin_state(compat_ptr(rwin_save))) ++ goto segv; ++ } + err |= __get_user(seta[0], &sf->info.si_mask); + err |= copy_from_user(seta+1, &sf->extramask, + (_COMPAT_NSIG_WORDS - 1) * sizeof(unsigned int)); +@@ -300,7 +286,9 @@ segv: + asmlinkage void do_rt_sigreturn32(struct pt_regs *regs) + { + struct rt_signal_frame32 __user *sf; +- unsigned int psr, pc, npc, fpu_save, u_ss_sp; ++ unsigned int psr, pc, npc, u_ss_sp; ++ compat_uptr_t fpu_save; ++ compat_uptr_t rwin_save; + mm_segment_t old_fs; + sigset_t set; + compat_sigset_t seta; +@@ -359,8 +347,8 @@ asmlinkage void do_rt_sigreturn32(struct pt_regs *regs) + pt_regs_clear_syscall(regs); + + err |= __get_user(fpu_save, &sf->fpu_save); +- if (fpu_save) +- err |= restore_fpu_state32(regs, &sf->fpu_state); ++ if (!err && fpu_save) ++ err |= restore_fpu_state(regs, compat_ptr(fpu_save)); + err |= copy_from_user(&seta, &sf->mask, sizeof(compat_sigset_t)); + err |= __get_user(u_ss_sp, &sf->stack.ss_sp); + st.ss_sp = compat_ptr(u_ss_sp); +@@ -376,6 +364,12 @@ asmlinkage void do_rt_sigreturn32(struct pt_regs *regs) + do_sigaltstack((stack_t __user *) &st, NULL, (unsigned long)sf); + set_fs(old_fs); + ++ err |= __get_user(rwin_save, &sf->rwin_save); ++ if (!err && rwin_save) { ++ if (restore_rwin_state(compat_ptr(rwin_save))) ++ goto segv; ++ } ++ + switch (_NSIG_WORDS) { + case 4: set.sig[3] = seta.sig[6] + (((long)seta.sig[7]) << 32); + case 3: set.sig[2] = seta.sig[4] + (((long)seta.sig[5]) << 32); +@@ -433,26 +427,6 @@ static void __user *get_sigframe(struct sigaction *sa, struct pt_regs *regs, uns + return (void __user *) sp; + } + +-static int save_fpu_state32(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- unsigned long *fpregs = current_thread_info()->fpregs; +- unsigned long fprs; +- int err = 0; +- +- fprs = current_thread_info()->fpsaved[0]; +- if (fprs & FPRS_DL) +- err |= copy_to_user(&fpu->si_float_regs[0], fpregs, +- (sizeof(unsigned int) * 32)); +- if (fprs & FPRS_DU) +- err |= copy_to_user(&fpu->si_float_regs[32], fpregs+16, +- (sizeof(unsigned int) * 32)); +- err |= __put_user(current_thread_info()->xfsr[0], &fpu->si_fsr); +- err |= __put_user(current_thread_info()->gsr[0], &fpu->si_gsr); +- err |= __put_user(fprs, &fpu->si_fprs); +- +- return err; +-} +- + /* The I-cache flush instruction only works in the primary ASI, which + * right now is the nucleus, aka. kernel space. + * +@@ -515,18 +489,23 @@ static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset) + { + struct signal_frame32 __user *sf; ++ int i, err, wsaved; ++ void __user *tail; + int sigframe_size; + u32 psr; +- int i, err; + unsigned int seta[_COMPAT_NSIG_WORDS]; + + /* 1. Make sure everything is clean */ + synchronize_user_stack(); + save_and_clear_fpu(); + +- sigframe_size = SF_ALIGNEDSZ; +- if (!(current_thread_info()->fpsaved[0] & FPRS_FEF)) +- sigframe_size -= sizeof(__siginfo_fpu_t); ++ wsaved = get_thread_wsaved(); ++ ++ sigframe_size = sizeof(*sf); ++ if (current_thread_info()->fpsaved[0] & FPRS_FEF) ++ sigframe_size += sizeof(__siginfo_fpu_t); ++ if (wsaved) ++ sigframe_size += sizeof(__siginfo_rwin_t); + + sf = (struct signal_frame32 __user *) + get_sigframe(&ka->sa, regs, sigframe_size); +@@ -534,8 +513,7 @@ static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + if (invalid_frame_pointer(sf, sigframe_size)) + goto sigill; + +- if (get_thread_wsaved() != 0) +- goto sigill; ++ tail = (sf + 1); + + /* 2. Save the current process state */ + if (test_thread_flag(TIF_32BIT)) { +@@ -560,11 +538,22 @@ static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + &sf->v8plus.asi); + + if (psr & PSR_EF) { +- err |= save_fpu_state32(regs, &sf->fpu_state); +- err |= __put_user((u64)&sf->fpu_state, &sf->fpu_save); ++ __siginfo_fpu_t __user *fp = tail; ++ tail += sizeof(*fp); ++ err |= save_fpu_state(regs, fp); ++ err |= __put_user((u64)fp, &sf->fpu_save); + } else { + err |= __put_user(0, &sf->fpu_save); + } ++ if (wsaved) { ++ __siginfo_rwin_t __user *rwp = tail; ++ tail += sizeof(*rwp); ++ err |= save_rwin_state(wsaved, rwp); ++ err |= __put_user((u64)rwp, &sf->rwin_save); ++ set_thread_wsaved(0); ++ } else { ++ err |= __put_user(0, &sf->rwin_save); ++ } + + switch (_NSIG_WORDS) { + case 4: seta[7] = (oldset->sig[3] >> 32); +@@ -580,10 +569,21 @@ static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + err |= __copy_to_user(sf->extramask, seta + 1, + (_COMPAT_NSIG_WORDS - 1) * sizeof(unsigned int)); + +- err |= copy_in_user((u32 __user *)sf, +- (u32 __user *)(regs->u_regs[UREG_FP]), +- sizeof(struct reg_window32)); +- ++ if (!wsaved) { ++ err |= copy_in_user((u32 __user *)sf, ++ (u32 __user *)(regs->u_regs[UREG_FP]), ++ sizeof(struct reg_window32)); ++ } else { ++ struct reg_window *rp; ++ ++ rp = ¤t_thread_info()->reg_window[wsaved - 1]; ++ for (i = 0; i < 8; i++) ++ err |= __put_user(rp->locals[i], &sf->ss.locals[i]); ++ for (i = 0; i < 6; i++) ++ err |= __put_user(rp->ins[i], &sf->ss.ins[i]); ++ err |= __put_user(rp->ins[6], &sf->ss.fp); ++ err |= __put_user(rp->ins[7], &sf->ss.callers_pc); ++ } + if (err) + goto sigsegv; + +@@ -613,7 +613,6 @@ static int setup_frame32(struct k_sigaction *ka, struct pt_regs *regs, + err |= __put_user(0x91d02010, &sf->insns[1]); /*t 0x10*/ + if (err) + goto sigsegv; +- + flush_signal_insns(address); + } + return 0; +@@ -632,18 +631,23 @@ static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, + siginfo_t *info) + { + struct rt_signal_frame32 __user *sf; ++ int i, err, wsaved; ++ void __user *tail; + int sigframe_size; + u32 psr; +- int i, err; + compat_sigset_t seta; + + /* 1. Make sure everything is clean */ + synchronize_user_stack(); + save_and_clear_fpu(); + +- sigframe_size = RT_ALIGNEDSZ; +- if (!(current_thread_info()->fpsaved[0] & FPRS_FEF)) +- sigframe_size -= sizeof(__siginfo_fpu_t); ++ wsaved = get_thread_wsaved(); ++ ++ sigframe_size = sizeof(*sf); ++ if (current_thread_info()->fpsaved[0] & FPRS_FEF) ++ sigframe_size += sizeof(__siginfo_fpu_t); ++ if (wsaved) ++ sigframe_size += sizeof(__siginfo_rwin_t); + + sf = (struct rt_signal_frame32 __user *) + get_sigframe(&ka->sa, regs, sigframe_size); +@@ -651,8 +655,7 @@ static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, + if (invalid_frame_pointer(sf, sigframe_size)) + goto sigill; + +- if (get_thread_wsaved() != 0) +- goto sigill; ++ tail = (sf + 1); + + /* 2. Save the current process state */ + if (test_thread_flag(TIF_32BIT)) { +@@ -677,11 +680,22 @@ static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, + &sf->v8plus.asi); + + if (psr & PSR_EF) { +- err |= save_fpu_state32(regs, &sf->fpu_state); +- err |= __put_user((u64)&sf->fpu_state, &sf->fpu_save); ++ __siginfo_fpu_t __user *fp = tail; ++ tail += sizeof(*fp); ++ err |= save_fpu_state(regs, fp); ++ err |= __put_user((u64)fp, &sf->fpu_save); + } else { + err |= __put_user(0, &sf->fpu_save); + } ++ if (wsaved) { ++ __siginfo_rwin_t __user *rwp = tail; ++ tail += sizeof(*rwp); ++ err |= save_rwin_state(wsaved, rwp); ++ err |= __put_user((u64)rwp, &sf->rwin_save); ++ set_thread_wsaved(0); ++ } else { ++ err |= __put_user(0, &sf->rwin_save); ++ } + + /* Update the siginfo structure. */ + err |= copy_siginfo_to_user32(&sf->info, info); +@@ -703,9 +717,21 @@ static int setup_rt_frame32(struct k_sigaction *ka, struct pt_regs *regs, + } + err |= __copy_to_user(&sf->mask, &seta, sizeof(compat_sigset_t)); + +- err |= copy_in_user((u32 __user *)sf, +- (u32 __user *)(regs->u_regs[UREG_FP]), +- sizeof(struct reg_window32)); ++ if (!wsaved) { ++ err |= copy_in_user((u32 __user *)sf, ++ (u32 __user *)(regs->u_regs[UREG_FP]), ++ sizeof(struct reg_window32)); ++ } else { ++ struct reg_window *rp; ++ ++ rp = ¤t_thread_info()->reg_window[wsaved - 1]; ++ for (i = 0; i < 8; i++) ++ err |= __put_user(rp->locals[i], &sf->ss.locals[i]); ++ for (i = 0; i < 6; i++) ++ err |= __put_user(rp->ins[i], &sf->ss.ins[i]); ++ err |= __put_user(rp->ins[6], &sf->ss.fp); ++ err |= __put_user(rp->ins[7], &sf->ss.callers_pc); ++ } + if (err) + goto sigsegv; + +diff --git a/arch/sparc/kernel/signal_32.c b/arch/sparc/kernel/signal_32.c +index 5e5c5fd..04ede8f 100644 +--- a/arch/sparc/kernel/signal_32.c ++++ b/arch/sparc/kernel/signal_32.c +@@ -26,6 +26,8 @@ + #include <asm/pgtable.h> + #include <asm/cacheflush.h> /* flush_sig_insns */ + ++#include "sigutil.h" ++ + #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP))) + + extern void fpsave(unsigned long *fpregs, unsigned long *fsr, +@@ -39,8 +41,8 @@ struct signal_frame { + unsigned long insns[2] __attribute__ ((aligned (8))); + unsigned int extramask[_NSIG_WORDS - 1]; + unsigned int extra_size; /* Should be 0 */ +- __siginfo_fpu_t fpu_state; +-}; ++ __siginfo_rwin_t __user *rwin_save; ++} __attribute__((aligned(8))); + + struct rt_signal_frame { + struct sparc_stackf ss; +@@ -51,8 +53,8 @@ struct rt_signal_frame { + unsigned int insns[2]; + stack_t stack; + unsigned int extra_size; /* Should be 0 */ +- __siginfo_fpu_t fpu_state; +-}; ++ __siginfo_rwin_t __user *rwin_save; ++} __attribute__((aligned(8))); + + /* Align macros */ + #define SF_ALIGNEDSZ (((sizeof(struct signal_frame) + 7) & (~7))) +@@ -79,43 +81,13 @@ asmlinkage int sys_sigsuspend(old_sigset_t set) + return _sigpause_common(set); + } + +-static inline int +-restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- int err; +-#ifdef CONFIG_SMP +- if (test_tsk_thread_flag(current, TIF_USEDFPU)) +- regs->psr &= ~PSR_EF; +-#else +- if (current == last_task_used_math) { +- last_task_used_math = NULL; +- regs->psr &= ~PSR_EF; +- } +-#endif +- set_used_math(); +- clear_tsk_thread_flag(current, TIF_USEDFPU); +- +- if (!access_ok(VERIFY_READ, fpu, sizeof(*fpu))) +- return -EFAULT; +- +- err = __copy_from_user(¤t->thread.float_regs[0], &fpu->si_float_regs[0], +- (sizeof(unsigned long) * 32)); +- err |= __get_user(current->thread.fsr, &fpu->si_fsr); +- err |= __get_user(current->thread.fpqdepth, &fpu->si_fpqdepth); +- if (current->thread.fpqdepth != 0) +- err |= __copy_from_user(¤t->thread.fpqueue[0], +- &fpu->si_fpqueue[0], +- ((sizeof(unsigned long) + +- (sizeof(unsigned long *)))*16)); +- return err; +-} +- + asmlinkage void do_sigreturn(struct pt_regs *regs) + { + struct signal_frame __user *sf; + unsigned long up_psr, pc, npc; + sigset_t set; + __siginfo_fpu_t __user *fpu_save; ++ __siginfo_rwin_t __user *rwin_save; + int err; + + /* Always make any pending restarted system calls return -EINTR */ +@@ -150,9 +122,11 @@ asmlinkage void do_sigreturn(struct pt_regs *regs) + pt_regs_clear_syscall(regs); + + err |= __get_user(fpu_save, &sf->fpu_save); +- + if (fpu_save) + err |= restore_fpu_state(regs, fpu_save); ++ err |= __get_user(rwin_save, &sf->rwin_save); ++ if (rwin_save) ++ err |= restore_rwin_state(rwin_save); + + /* This is pretty much atomic, no amount locking would prevent + * the races which exist anyways. +@@ -180,6 +154,7 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs) + struct rt_signal_frame __user *sf; + unsigned int psr, pc, npc; + __siginfo_fpu_t __user *fpu_save; ++ __siginfo_rwin_t __user *rwin_save; + mm_segment_t old_fs; + sigset_t set; + stack_t st; +@@ -207,8 +182,7 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs) + pt_regs_clear_syscall(regs); + + err |= __get_user(fpu_save, &sf->fpu_save); +- +- if (fpu_save) ++ if (!err && fpu_save) + err |= restore_fpu_state(regs, fpu_save); + err |= __copy_from_user(&set, &sf->mask, sizeof(sigset_t)); + +@@ -228,6 +202,12 @@ asmlinkage void do_rt_sigreturn(struct pt_regs *regs) + do_sigaltstack((const stack_t __user *) &st, NULL, (unsigned long)sf); + set_fs(old_fs); + ++ err |= __get_user(rwin_save, &sf->rwin_save); ++ if (!err && rwin_save) { ++ if (restore_rwin_state(rwin_save)) ++ goto segv; ++ } ++ + sigdelsetmask(&set, ~_BLOCKABLE); + spin_lock_irq(¤t->sighand->siglock); + current->blocked = set; +@@ -280,53 +260,23 @@ static inline void __user *get_sigframe(struct sigaction *sa, struct pt_regs *re + return (void __user *) sp; + } + +-static inline int +-save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- int err = 0; +-#ifdef CONFIG_SMP +- if (test_tsk_thread_flag(current, TIF_USEDFPU)) { +- put_psr(get_psr() | PSR_EF); +- fpsave(¤t->thread.float_regs[0], ¤t->thread.fsr, +- ¤t->thread.fpqueue[0], ¤t->thread.fpqdepth); +- regs->psr &= ~(PSR_EF); +- clear_tsk_thread_flag(current, TIF_USEDFPU); +- } +-#else +- if (current == last_task_used_math) { +- put_psr(get_psr() | PSR_EF); +- fpsave(¤t->thread.float_regs[0], ¤t->thread.fsr, +- ¤t->thread.fpqueue[0], ¤t->thread.fpqdepth); +- last_task_used_math = NULL; +- regs->psr &= ~(PSR_EF); +- } +-#endif +- err |= __copy_to_user(&fpu->si_float_regs[0], +- ¤t->thread.float_regs[0], +- (sizeof(unsigned long) * 32)); +- err |= __put_user(current->thread.fsr, &fpu->si_fsr); +- err |= __put_user(current->thread.fpqdepth, &fpu->si_fpqdepth); +- if (current->thread.fpqdepth != 0) +- err |= __copy_to_user(&fpu->si_fpqueue[0], +- ¤t->thread.fpqueue[0], +- ((sizeof(unsigned long) + +- (sizeof(unsigned long *)))*16)); +- clear_used_math(); +- return err; +-} +- + static int setup_frame(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset) + { + struct signal_frame __user *sf; +- int sigframe_size, err; ++ int sigframe_size, err, wsaved; ++ void __user *tail; + + /* 1. Make sure everything is clean */ + synchronize_user_stack(); + +- sigframe_size = SF_ALIGNEDSZ; +- if (!used_math()) +- sigframe_size -= sizeof(__siginfo_fpu_t); ++ wsaved = current_thread_info()->w_saved; ++ ++ sigframe_size = sizeof(*sf); ++ if (used_math()) ++ sigframe_size += sizeof(__siginfo_fpu_t); ++ if (wsaved) ++ sigframe_size += sizeof(__siginfo_rwin_t); + + sf = (struct signal_frame __user *) + get_sigframe(&ka->sa, regs, sigframe_size); +@@ -334,8 +284,7 @@ static int setup_frame(struct k_sigaction *ka, struct pt_regs *regs, + if (invalid_frame_pointer(sf, sigframe_size)) + goto sigill_and_return; + +- if (current_thread_info()->w_saved != 0) +- goto sigill_and_return; ++ tail = sf + 1; + + /* 2. Save the current process state */ + err = __copy_to_user(&sf->info.si_regs, regs, sizeof(struct pt_regs)); +@@ -343,17 +292,34 @@ static int setup_frame(struct k_sigaction *ka, struct pt_regs *regs, + err |= __put_user(0, &sf->extra_size); + + if (used_math()) { +- err |= save_fpu_state(regs, &sf->fpu_state); +- err |= __put_user(&sf->fpu_state, &sf->fpu_save); ++ __siginfo_fpu_t __user *fp = tail; ++ tail += sizeof(*fp); ++ err |= save_fpu_state(regs, fp); ++ err |= __put_user(fp, &sf->fpu_save); + } else { + err |= __put_user(0, &sf->fpu_save); + } ++ if (wsaved) { ++ __siginfo_rwin_t __user *rwp = tail; ++ tail += sizeof(*rwp); ++ err |= save_rwin_state(wsaved, rwp); ++ err |= __put_user(rwp, &sf->rwin_save); ++ } else { ++ err |= __put_user(0, &sf->rwin_save); ++ } + + err |= __put_user(oldset->sig[0], &sf->info.si_mask); + err |= __copy_to_user(sf->extramask, &oldset->sig[1], + (_NSIG_WORDS - 1) * sizeof(unsigned int)); +- err |= __copy_to_user(sf, (char *) regs->u_regs[UREG_FP], +- sizeof(struct reg_window32)); ++ if (!wsaved) { ++ err |= __copy_to_user(sf, (char *) regs->u_regs[UREG_FP], ++ sizeof(struct reg_window32)); ++ } else { ++ struct reg_window32 *rp; ++ ++ rp = ¤t_thread_info()->reg_window[wsaved - 1]; ++ err |= __copy_to_user(sf, rp, sizeof(struct reg_window32)); ++ } + if (err) + goto sigsegv; + +@@ -399,21 +365,24 @@ static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset, siginfo_t *info) + { + struct rt_signal_frame __user *sf; +- int sigframe_size; ++ int sigframe_size, wsaved; ++ void __user *tail; + unsigned int psr; + int err; + + synchronize_user_stack(); +- sigframe_size = RT_ALIGNEDSZ; +- if (!used_math()) +- sigframe_size -= sizeof(__siginfo_fpu_t); ++ wsaved = current_thread_info()->w_saved; ++ sigframe_size = sizeof(*sf); ++ if (used_math()) ++ sigframe_size += sizeof(__siginfo_fpu_t); ++ if (wsaved) ++ sigframe_size += sizeof(__siginfo_rwin_t); + sf = (struct rt_signal_frame __user *) + get_sigframe(&ka->sa, regs, sigframe_size); + if (invalid_frame_pointer(sf, sigframe_size)) + goto sigill; +- if (current_thread_info()->w_saved != 0) +- goto sigill; + ++ tail = sf + 1; + err = __put_user(regs->pc, &sf->regs.pc); + err |= __put_user(regs->npc, &sf->regs.npc); + err |= __put_user(regs->y, &sf->regs.y); +@@ -425,11 +394,21 @@ static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + err |= __put_user(0, &sf->extra_size); + + if (psr & PSR_EF) { +- err |= save_fpu_state(regs, &sf->fpu_state); +- err |= __put_user(&sf->fpu_state, &sf->fpu_save); ++ __siginfo_fpu_t *fp = tail; ++ tail += sizeof(*fp); ++ err |= save_fpu_state(regs, fp); ++ err |= __put_user(fp, &sf->fpu_save); + } else { + err |= __put_user(0, &sf->fpu_save); + } ++ if (wsaved) { ++ __siginfo_rwin_t *rwp = tail; ++ tail += sizeof(*rwp); ++ err |= save_rwin_state(wsaved, rwp); ++ err |= __put_user(rwp, &sf->rwin_save); ++ } else { ++ err |= __put_user(0, &sf->rwin_save); ++ } + err |= __copy_to_user(&sf->mask, &oldset->sig[0], sizeof(sigset_t)); + + /* Setup sigaltstack */ +@@ -437,8 +416,15 @@ static int setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + err |= __put_user(sas_ss_flags(regs->u_regs[UREG_FP]), &sf->stack.ss_flags); + err |= __put_user(current->sas_ss_size, &sf->stack.ss_size); + +- err |= __copy_to_user(sf, (char *) regs->u_regs[UREG_FP], +- sizeof(struct reg_window32)); ++ if (!wsaved) { ++ err |= __copy_to_user(sf, (char *) regs->u_regs[UREG_FP], ++ sizeof(struct reg_window32)); ++ } else { ++ struct reg_window32 *rp; ++ ++ rp = ¤t_thread_info()->reg_window[wsaved - 1]; ++ err |= __copy_to_user(sf, rp, sizeof(struct reg_window32)); ++ } + + err |= copy_siginfo_to_user(&sf->info, info); + +diff --git a/arch/sparc/kernel/signal_64.c b/arch/sparc/kernel/signal_64.c +index 006fe45..47509df 100644 +--- a/arch/sparc/kernel/signal_64.c ++++ b/arch/sparc/kernel/signal_64.c +@@ -34,6 +34,7 @@ + + #include "entry.h" + #include "systbls.h" ++#include "sigutil.h" + + #define _BLOCKABLE (~(sigmask(SIGKILL) | sigmask(SIGSTOP))) + +@@ -236,7 +237,7 @@ struct rt_signal_frame { + __siginfo_fpu_t __user *fpu_save; + stack_t stack; + sigset_t mask; +- __siginfo_fpu_t fpu_state; ++ __siginfo_rwin_t *rwin_save; + }; + + static long _sigpause_common(old_sigset_t set) +@@ -266,33 +267,12 @@ asmlinkage long sys_sigsuspend(old_sigset_t set) + return _sigpause_common(set); + } + +-static inline int +-restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- unsigned long *fpregs = current_thread_info()->fpregs; +- unsigned long fprs; +- int err; +- +- err = __get_user(fprs, &fpu->si_fprs); +- fprs_write(0); +- regs->tstate &= ~TSTATE_PEF; +- if (fprs & FPRS_DL) +- err |= copy_from_user(fpregs, &fpu->si_float_regs[0], +- (sizeof(unsigned int) * 32)); +- if (fprs & FPRS_DU) +- err |= copy_from_user(fpregs+16, &fpu->si_float_regs[32], +- (sizeof(unsigned int) * 32)); +- err |= __get_user(current_thread_info()->xfsr[0], &fpu->si_fsr); +- err |= __get_user(current_thread_info()->gsr[0], &fpu->si_gsr); +- current_thread_info()->fpsaved[0] |= fprs; +- return err; +-} +- + void do_rt_sigreturn(struct pt_regs *regs) + { + struct rt_signal_frame __user *sf; + unsigned long tpc, tnpc, tstate; + __siginfo_fpu_t __user *fpu_save; ++ __siginfo_rwin_t __user *rwin_save; + sigset_t set; + int err; + +@@ -325,8 +305,8 @@ void do_rt_sigreturn(struct pt_regs *regs) + regs->tstate |= (tstate & (TSTATE_ASI | TSTATE_ICC | TSTATE_XCC)); + + err |= __get_user(fpu_save, &sf->fpu_save); +- if (fpu_save) +- err |= restore_fpu_state(regs, &sf->fpu_state); ++ if (!err && fpu_save) ++ err |= restore_fpu_state(regs, fpu_save); + + err |= __copy_from_user(&set, &sf->mask, sizeof(sigset_t)); + err |= do_sigaltstack(&sf->stack, NULL, (unsigned long)sf); +@@ -334,6 +314,12 @@ void do_rt_sigreturn(struct pt_regs *regs) + if (err) + goto segv; + ++ err |= __get_user(rwin_save, &sf->rwin_save); ++ if (!err && rwin_save) { ++ if (restore_rwin_state(rwin_save)) ++ goto segv; ++ } ++ + regs->tpc = tpc; + regs->tnpc = tnpc; + +@@ -351,34 +337,13 @@ segv: + } + + /* Checks if the fp is valid */ +-static int invalid_frame_pointer(void __user *fp, int fplen) ++static int invalid_frame_pointer(void __user *fp) + { + if (((unsigned long) fp) & 15) + return 1; + return 0; + } + +-static inline int +-save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) +-{ +- unsigned long *fpregs = current_thread_info()->fpregs; +- unsigned long fprs; +- int err = 0; +- +- fprs = current_thread_info()->fpsaved[0]; +- if (fprs & FPRS_DL) +- err |= copy_to_user(&fpu->si_float_regs[0], fpregs, +- (sizeof(unsigned int) * 32)); +- if (fprs & FPRS_DU) +- err |= copy_to_user(&fpu->si_float_regs[32], fpregs+16, +- (sizeof(unsigned int) * 32)); +- err |= __put_user(current_thread_info()->xfsr[0], &fpu->si_fsr); +- err |= __put_user(current_thread_info()->gsr[0], &fpu->si_gsr); +- err |= __put_user(fprs, &fpu->si_fprs); +- +- return err; +-} +- + static inline void __user *get_sigframe(struct k_sigaction *ka, struct pt_regs *regs, unsigned long framesize) + { + unsigned long sp = regs->u_regs[UREG_FP] + STACK_BIAS; +@@ -414,34 +379,48 @@ setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + int signo, sigset_t *oldset, siginfo_t *info) + { + struct rt_signal_frame __user *sf; +- int sigframe_size, err; ++ int wsaved, err, sf_size; ++ void __user *tail; + + /* 1. Make sure everything is clean */ + synchronize_user_stack(); + save_and_clear_fpu(); + +- sigframe_size = sizeof(struct rt_signal_frame); +- if (!(current_thread_info()->fpsaved[0] & FPRS_FEF)) +- sigframe_size -= sizeof(__siginfo_fpu_t); ++ wsaved = get_thread_wsaved(); + ++ sf_size = sizeof(struct rt_signal_frame); ++ if (current_thread_info()->fpsaved[0] & FPRS_FEF) ++ sf_size += sizeof(__siginfo_fpu_t); ++ if (wsaved) ++ sf_size += sizeof(__siginfo_rwin_t); + sf = (struct rt_signal_frame __user *) +- get_sigframe(ka, regs, sigframe_size); +- +- if (invalid_frame_pointer (sf, sigframe_size)) +- goto sigill; ++ get_sigframe(ka, regs, sf_size); + +- if (get_thread_wsaved() != 0) ++ if (invalid_frame_pointer (sf)) + goto sigill; + ++ tail = (sf + 1); ++ + /* 2. Save the current process state */ + err = copy_to_user(&sf->regs, regs, sizeof (*regs)); + + if (current_thread_info()->fpsaved[0] & FPRS_FEF) { +- err |= save_fpu_state(regs, &sf->fpu_state); +- err |= __put_user((u64)&sf->fpu_state, &sf->fpu_save); ++ __siginfo_fpu_t __user *fpu_save = tail; ++ tail += sizeof(__siginfo_fpu_t); ++ err |= save_fpu_state(regs, fpu_save); ++ err |= __put_user((u64)fpu_save, &sf->fpu_save); + } else { + err |= __put_user(0, &sf->fpu_save); + } ++ if (wsaved) { ++ __siginfo_rwin_t __user *rwin_save = tail; ++ tail += sizeof(__siginfo_rwin_t); ++ err |= save_rwin_state(wsaved, rwin_save); ++ err |= __put_user((u64)rwin_save, &sf->rwin_save); ++ set_thread_wsaved(0); ++ } else { ++ err |= __put_user(0, &sf->rwin_save); ++ } + + /* Setup sigaltstack */ + err |= __put_user(current->sas_ss_sp, &sf->stack.ss_sp); +@@ -450,10 +429,17 @@ setup_rt_frame(struct k_sigaction *ka, struct pt_regs *regs, + + err |= copy_to_user(&sf->mask, oldset, sizeof(sigset_t)); + +- err |= copy_in_user((u64 __user *)sf, +- (u64 __user *)(regs->u_regs[UREG_FP]+STACK_BIAS), +- sizeof(struct reg_window)); ++ if (!wsaved) { ++ err |= copy_in_user((u64 __user *)sf, ++ (u64 __user *)(regs->u_regs[UREG_FP] + ++ STACK_BIAS), ++ sizeof(struct reg_window)); ++ } else { ++ struct reg_window *rp; + ++ rp = ¤t_thread_info()->reg_window[wsaved - 1]; ++ err |= copy_to_user(sf, rp, sizeof(struct reg_window)); ++ } + if (info) + err |= copy_siginfo_to_user(&sf->info, info); + else { +diff --git a/arch/sparc/kernel/sigutil.h b/arch/sparc/kernel/sigutil.h +new file mode 100644 +index 0000000..d223aa4 +--- /dev/null ++++ b/arch/sparc/kernel/sigutil.h +@@ -0,0 +1,9 @@ ++#ifndef _SIGUTIL_H ++#define _SIGUTIL_H ++ ++int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu); ++int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu); ++int save_rwin_state(int wsaved, __siginfo_rwin_t __user *rwin); ++int restore_rwin_state(__siginfo_rwin_t __user *rp); ++ ++#endif /* _SIGUTIL_H */ +diff --git a/arch/sparc/kernel/sigutil_32.c b/arch/sparc/kernel/sigutil_32.c +new file mode 100644 +index 0000000..35c7897 +--- /dev/null ++++ b/arch/sparc/kernel/sigutil_32.c +@@ -0,0 +1,120 @@ ++#include <linux/kernel.h> ++#include <linux/types.h> ++#include <linux/thread_info.h> ++#include <linux/uaccess.h> ++#include <linux/sched.h> ++ ++#include <asm/sigcontext.h> ++#include <asm/fpumacro.h> ++#include <asm/ptrace.h> ++ ++#include "sigutil.h" ++ ++int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) ++{ ++ int err = 0; ++#ifdef CONFIG_SMP ++ if (test_tsk_thread_flag(current, TIF_USEDFPU)) { ++ put_psr(get_psr() | PSR_EF); ++ fpsave(¤t->thread.float_regs[0], ¤t->thread.fsr, ++ ¤t->thread.fpqueue[0], ¤t->thread.fpqdepth); ++ regs->psr &= ~(PSR_EF); ++ clear_tsk_thread_flag(current, TIF_USEDFPU); ++ } ++#else ++ if (current == last_task_used_math) { ++ put_psr(get_psr() | PSR_EF); ++ fpsave(¤t->thread.float_regs[0], ¤t->thread.fsr, ++ ¤t->thread.fpqueue[0], ¤t->thread.fpqdepth); ++ last_task_used_math = NULL; ++ regs->psr &= ~(PSR_EF); ++ } ++#endif ++ err |= __copy_to_user(&fpu->si_float_regs[0], ++ ¤t->thread.float_regs[0], ++ (sizeof(unsigned long) * 32)); ++ err |= __put_user(current->thread.fsr, &fpu->si_fsr); ++ err |= __put_user(current->thread.fpqdepth, &fpu->si_fpqdepth); ++ if (current->thread.fpqdepth != 0) ++ err |= __copy_to_user(&fpu->si_fpqueue[0], ++ ¤t->thread.fpqueue[0], ++ ((sizeof(unsigned long) + ++ (sizeof(unsigned long *)))*16)); ++ clear_used_math(); ++ return err; ++} ++ ++int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) ++{ ++ int err; ++#ifdef CONFIG_SMP ++ if (test_tsk_thread_flag(current, TIF_USEDFPU)) ++ regs->psr &= ~PSR_EF; ++#else ++ if (current == last_task_used_math) { ++ last_task_used_math = NULL; ++ regs->psr &= ~PSR_EF; ++ } ++#endif ++ set_used_math(); ++ clear_tsk_thread_flag(current, TIF_USEDFPU); ++ ++ if (!access_ok(VERIFY_READ, fpu, sizeof(*fpu))) ++ return -EFAULT; ++ ++ err = __copy_from_user(¤t->thread.float_regs[0], &fpu->si_float_regs[0], ++ (sizeof(unsigned long) * 32)); ++ err |= __get_user(current->thread.fsr, &fpu->si_fsr); ++ err |= __get_user(current->thread.fpqdepth, &fpu->si_fpqdepth); ++ if (current->thread.fpqdepth != 0) ++ err |= __copy_from_user(¤t->thread.fpqueue[0], ++ &fpu->si_fpqueue[0], ++ ((sizeof(unsigned long) + ++ (sizeof(unsigned long *)))*16)); ++ return err; ++} ++ ++int save_rwin_state(int wsaved, __siginfo_rwin_t __user *rwin) ++{ ++ int i, err = __put_user(wsaved, &rwin->wsaved); ++ ++ for (i = 0; i < wsaved; i++) { ++ struct reg_window32 *rp; ++ unsigned long fp; ++ ++ rp = ¤t_thread_info()->reg_window[i]; ++ fp = current_thread_info()->rwbuf_stkptrs[i]; ++ err |= copy_to_user(&rwin->reg_window[i], rp, ++ sizeof(struct reg_window32)); ++ err |= __put_user(fp, &rwin->rwbuf_stkptrs[i]); ++ } ++ return err; ++} ++ ++int restore_rwin_state(__siginfo_rwin_t __user *rp) ++{ ++ struct thread_info *t = current_thread_info(); ++ int i, wsaved, err; ++ ++ __get_user(wsaved, &rp->wsaved); ++ if (wsaved > NSWINS) ++ return -EFAULT; ++ ++ err = 0; ++ for (i = 0; i < wsaved; i++) { ++ err |= copy_from_user(&t->reg_window[i], ++ &rp->reg_window[i], ++ sizeof(struct reg_window32)); ++ err |= __get_user(t->rwbuf_stkptrs[i], ++ &rp->rwbuf_stkptrs[i]); ++ } ++ if (err) ++ return err; ++ ++ t->w_saved = wsaved; ++ synchronize_user_stack(); ++ if (t->w_saved) ++ return -EFAULT; ++ return 0; ++ ++} +diff --git a/arch/sparc/kernel/sigutil_64.c b/arch/sparc/kernel/sigutil_64.c +new file mode 100644 +index 0000000..e7dc508 +--- /dev/null ++++ b/arch/sparc/kernel/sigutil_64.c +@@ -0,0 +1,93 @@ ++#include <linux/kernel.h> ++#include <linux/types.h> ++#include <linux/thread_info.h> ++#include <linux/uaccess.h> ++ ++#include <asm/sigcontext.h> ++#include <asm/fpumacro.h> ++#include <asm/ptrace.h> ++ ++#include "sigutil.h" ++ ++int save_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) ++{ ++ unsigned long *fpregs = current_thread_info()->fpregs; ++ unsigned long fprs; ++ int err = 0; ++ ++ fprs = current_thread_info()->fpsaved[0]; ++ if (fprs & FPRS_DL) ++ err |= copy_to_user(&fpu->si_float_regs[0], fpregs, ++ (sizeof(unsigned int) * 32)); ++ if (fprs & FPRS_DU) ++ err |= copy_to_user(&fpu->si_float_regs[32], fpregs+16, ++ (sizeof(unsigned int) * 32)); ++ err |= __put_user(current_thread_info()->xfsr[0], &fpu->si_fsr); ++ err |= __put_user(current_thread_info()->gsr[0], &fpu->si_gsr); ++ err |= __put_user(fprs, &fpu->si_fprs); ++ ++ return err; ++} ++ ++int restore_fpu_state(struct pt_regs *regs, __siginfo_fpu_t __user *fpu) ++{ ++ unsigned long *fpregs = current_thread_info()->fpregs; ++ unsigned long fprs; ++ int err; ++ ++ err = __get_user(fprs, &fpu->si_fprs); ++ fprs_write(0); ++ regs->tstate &= ~TSTATE_PEF; ++ if (fprs & FPRS_DL) ++ err |= copy_from_user(fpregs, &fpu->si_float_regs[0], ++ (sizeof(unsigned int) * 32)); ++ if (fprs & FPRS_DU) ++ err |= copy_from_user(fpregs+16, &fpu->si_float_regs[32], ++ (sizeof(unsigned int) * 32)); ++ err |= __get_user(current_thread_info()->xfsr[0], &fpu->si_fsr); ++ err |= __get_user(current_thread_info()->gsr[0], &fpu->si_gsr); ++ current_thread_info()->fpsaved[0] |= fprs; ++ return err; ++} ++ ++int save_rwin_state(int wsaved, __siginfo_rwin_t __user *rwin) ++{ ++ int i, err = __put_user(wsaved, &rwin->wsaved); ++ ++ for (i = 0; i < wsaved; i++) { ++ struct reg_window *rp = ¤t_thread_info()->reg_window[i]; ++ unsigned long fp = current_thread_info()->rwbuf_stkptrs[i]; ++ ++ err |= copy_to_user(&rwin->reg_window[i], rp, ++ sizeof(struct reg_window)); ++ err |= __put_user(fp, &rwin->rwbuf_stkptrs[i]); ++ } ++ return err; ++} ++ ++int restore_rwin_state(__siginfo_rwin_t __user *rp) ++{ ++ struct thread_info *t = current_thread_info(); ++ int i, wsaved, err; ++ ++ __get_user(wsaved, &rp->wsaved); ++ if (wsaved > NSWINS) ++ return -EFAULT; ++ ++ err = 0; ++ for (i = 0; i < wsaved; i++) { ++ err |= copy_from_user(&t->reg_window[i], ++ &rp->reg_window[i], ++ sizeof(struct reg_window)); ++ err |= __get_user(t->rwbuf_stkptrs[i], ++ &rp->rwbuf_stkptrs[i]); ++ } ++ if (err) ++ return err; ++ ++ set_thread_wsaved(wsaved); ++ synchronize_user_stack(); ++ if (get_thread_wsaved()) ++ return -EFAULT; ++ return 0; ++} +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/sparc-fix-array-bounds-error-setting-up-PCIC-NMI-tra.patch b/queue/sparc-fix-array-bounds-error-setting-up-PCIC-NMI-tra.patch new file mode 100644 index 0000000..f736ae9 --- /dev/null +++ b/queue/sparc-fix-array-bounds-error-setting-up-PCIC-NMI-tra.patch @@ -0,0 +1,47 @@ +From 2ca0a9a73698cfb46c212e764eaff17127b76332 Mon Sep 17 00:00:00 2001 +From: Ian Campbell <Ian.Campbell@citrix.com> +Date: Wed, 17 Aug 2011 22:14:57 +0000 +Subject: [PATCH] sparc: fix array bounds error setting up PCIC NMI trap + +commit 4a0342ca8e8150bd47e7118a76e300692a1b6b7b upstream. + + CC arch/sparc/kernel/pcic.o +arch/sparc/kernel/pcic.c: In function 'pcic_probe': +arch/sparc/kernel/pcic.c:359:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:359:8: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:360:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:360:8: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:361:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:361:8: error: array subscript is above array bounds [-Werror=array-bounds] +cc1: all warnings being treated as errors + +I'm not particularly familiar with sparc but t_nmi (defined in head_32.S via +the TRAP_ENTRY macro) and pcic_nmi_trap_patch (defined in entry.S) both appear +to be 4 instructions long and I presume from the usage that instructions are +int sized. + +Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +Cc: "David S. Miller" <davem@davemloft.net> +Cc: sparclinux@vger.kernel.org +Reviewed-by: Sam Ravnborg <sam@ravnborg.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/sparc/kernel/pcic.c b/arch/sparc/kernel/pcic.c +index d36a8d3..2479ecd 100644 +--- a/arch/sparc/kernel/pcic.c ++++ b/arch/sparc/kernel/pcic.c +@@ -349,8 +349,8 @@ int __init pcic_probe(void) + strcpy(pbm->prom_name, namebuf); + + { +- extern volatile int t_nmi[1]; +- extern int pcic_nmi_trap_patch[1]; ++ extern volatile int t_nmi[4]; ++ extern int pcic_nmi_trap_patch[4]; + + t_nmi[0] = pcic_nmi_trap_patch[0]; + t_nmi[1] = pcic_nmi_trap_patch[1]; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/staging-quatech_usb2-Potential-lost-wakeup-scenario-.patch b/queue/staging-quatech_usb2-Potential-lost-wakeup-scenario-.patch new file mode 100644 index 0000000..ea0219a --- /dev/null +++ b/queue/staging-quatech_usb2-Potential-lost-wakeup-scenario-.patch @@ -0,0 +1,66 @@ +From 4e0d93dec613b4b12306ac33850a597fcef64a9e Mon Sep 17 00:00:00 2001 +From: Kautuk Consul <consul.kautuk@gmail.com> +Date: Wed, 14 Sep 2011 08:56:21 +0530 +Subject: [PATCH] staging: quatech_usb2: Potential lost wakeup scenario in + TIOCMIWAIT + +commit e8df1674d383d2ecc6efa8d7dba74c03aafdfdd7 upstream. + +If the usermode app does an ioctl over this serial device by +using TIOCMIWAIT, then the code will wait by setting the current +task state to TASK_INTERRUPTIBLE and then calling schedule(). +This will be woken up by the qt2_process_modem_status on URB +completion when the port_extra->shadowMSR is set to the new +modem status. + +However, this could result in a lost wakeup scenario due to a race +in the logic in the qt2_ioctl(TIOCMIWAIT) loop and the URB completion +for new modem status in qt2_process_modem_status. +Due to this, the usermode app's task will continue to sleep despite a +change in the modem status. + +Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/staging/quatech_usb2/quatech_usb2.c b/drivers/staging/quatech_usb2/quatech_usb2.c +index 1561f74..3ca3c2a 100644 +--- a/drivers/staging/quatech_usb2/quatech_usb2.c ++++ b/drivers/staging/quatech_usb2/quatech_usb2.c +@@ -921,9 +921,10 @@ static int qt2_ioctl(struct tty_struct *tty, struct file *file, + dbg("%s() port %d, cmd == TIOCMIWAIT enter", + __func__, port->number); + prev_msr_value = port_extra->shadowMSR & QT2_SERIAL_MSR_MASK; ++ barrier(); ++ __set_current_state(TASK_INTERRUPTIBLE); + while (1) { + add_wait_queue(&port_extra->wait, &wait); +- set_current_state(TASK_INTERRUPTIBLE); + schedule(); + dbg("%s(): port %d, cmd == TIOCMIWAIT here\n", + __func__, port->number); +@@ -931,9 +932,12 @@ static int qt2_ioctl(struct tty_struct *tty, struct file *file, + /* see if a signal woke us up */ + if (signal_pending(current)) + return -ERESTARTSYS; ++ set_current_state(TASK_INTERRUPTIBLE); + msr_value = port_extra->shadowMSR & QT2_SERIAL_MSR_MASK; +- if (msr_value == prev_msr_value) ++ if (msr_value == prev_msr_value) { ++ __set_current_state(TASK_RUNNING); + return -EIO; /* no change - error */ ++ } + if ((arg & TIOCM_RNG && + ((prev_msr_value & QT2_SERIAL_MSR_RI) == + (msr_value & QT2_SERIAL_MSR_RI))) || +@@ -946,6 +950,7 @@ static int qt2_ioctl(struct tty_struct *tty, struct file *file, + (arg & TIOCM_CTS && + ((prev_msr_value & QT2_SERIAL_MSR_CTS) == + (msr_value & QT2_SERIAL_MSR_CTS)))) { ++ __set_current_state(TASK_RUNNING); + return 0; + } + } /* end inifinite while */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/thinkpad-acpi-module-autoloading-for-newer-Lenovo-Th.patch b/queue/thinkpad-acpi-module-autoloading-for-newer-Lenovo-Th.patch new file mode 100644 index 0000000..aee0787 --- /dev/null +++ b/queue/thinkpad-acpi-module-autoloading-for-newer-Lenovo-Th.patch @@ -0,0 +1,45 @@ +From fd9cc0a1fbb25f92723a842e1656615c102a888b Mon Sep 17 00:00:00 2001 +From: Manoj Iyer <manoj.iyer@canonical.com> +Date: Sun, 8 May 2011 18:04:29 -0400 +Subject: [PATCH] thinkpad-acpi: module autoloading for newer Lenovo + ThinkPads. + +commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream. + +The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead +of IBM0068. Added new HID so that thinkpad_acpi module will +auto load on these newer Lenovo ThinkPads. + +Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> +Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com> +Signed-off-by: Andy Lutomirski <luto@mit.edu> +Signed-off-by: Matthew Garrett <mjg@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/platform/x86/thinkpad_acpi.c b/drivers/platform/x86/thinkpad_acpi.c +index 63290b3..73d6ddc 100644 +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -123,7 +123,8 @@ enum { + }; + + /* ACPI HIDs */ +-#define TPACPI_ACPI_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_IBM_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_LENOVO_HKEY_HID "LEN0068" + + /* Input IDs */ + #define TPACPI_HKEY_INPUT_PRODUCT 0x5054 /* "TP" */ +@@ -3850,7 +3851,8 @@ errexit: + } + + static const struct acpi_device_id ibm_htk_device_ids[] = { +- {TPACPI_ACPI_HKEY_HID, 0}, ++ {TPACPI_ACPI_IBM_HKEY_HID, 0}, ++ {TPACPI_ACPI_LENOVO_HKEY_HID, 0}, + {"", 0}, + }; + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/time-Change-jiffies_to_clock_t-argument-type-to-unsi.patch b/queue/time-Change-jiffies_to_clock_t-argument-type-to-unsi.patch new file mode 100644 index 0000000..109aac1 --- /dev/null +++ b/queue/time-Change-jiffies_to_clock_t-argument-type-to-unsi.patch @@ -0,0 +1,52 @@ +From b37470660dc82be5fda4ad4882f11aa01d01b770 Mon Sep 17 00:00:00 2001 +From: hank <pyu@redhat.com> +Date: Tue, 20 Sep 2011 13:53:39 -0700 +Subject: [PATCH] time: Change jiffies_to_clock_t() argument type to unsigned + long + +commit cbbc719fccdb8cbd87350a05c0d33167c9b79365 upstream. + +The parameter's origin type is long. On an i386 architecture, it can +easily be larger than 0x80000000, causing this function to convert it +to a sign-extended u64 type. + +Change the type to unsigned long so we get the correct result. + +Signed-off-by: hank <pyu@redhat.com> +Cc: John Stultz <john.stultz@linaro.org> +[ build fix ] +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: Ingo Molnar <mingo@elte.hu> + +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/include/linux/jiffies.h b/include/linux/jiffies.h +index 6811f4b..284c13d 100644 +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -303,7 +303,7 @@ extern void jiffies_to_timespec(const unsigned long jiffies, + extern unsigned long timeval_to_jiffies(const struct timeval *value); + extern void jiffies_to_timeval(const unsigned long jiffies, + struct timeval *value); +-extern clock_t jiffies_to_clock_t(long x); ++extern clock_t jiffies_to_clock_t(unsigned long x); + extern unsigned long clock_t_to_jiffies(unsigned long x); + extern u64 jiffies_64_to_clock_t(u64 x); + extern u64 nsec_to_clock_t(u64 x); +diff --git a/kernel/time.c b/kernel/time.c +index 656dccf..82e83b0 100644 +--- a/kernel/time.c ++++ b/kernel/time.c +@@ -592,7 +592,7 @@ EXPORT_SYMBOL(jiffies_to_timeval); + /* + * Convert jiffies/jiffies_64 to clock_t and back. + */ +-clock_t jiffies_to_clock_t(long x) ++clock_t jiffies_to_clock_t(unsigned long x) + { + #if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0 + # if HZ < USER_HZ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/tuner_xc2028-Allow-selection-of-the-frequency-adjust.patch b/queue/tuner_xc2028-Allow-selection-of-the-frequency-adjust.patch new file mode 100644 index 0000000..411f030 --- /dev/null +++ b/queue/tuner_xc2028-Allow-selection-of-the-frequency-adjust.patch @@ -0,0 +1,32 @@ +From c0509c0377438d60e3368b18788d1297a7f29925 Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Thu, 28 Jul 2011 16:38:54 -0300 +Subject: [PATCH] tuner_xc2028: Allow selection of the frequency adjustment + code for XC3028 + +commit 9bed77ee2fb46b74782d0d9d14b92e9d07f3df6e upstream. + +This device is not using the proper demod IF. Instead of using the +IF macro, it is specifying a IF frequency. This doesn't work, as xc3028 +needs to load an specific SCODE for the tuner. In this case, there's +no IF table for 5 MHz. + +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/media/video/cx23885/cx23885-dvb.c b/drivers/media/video/cx23885/cx23885-dvb.c +index 939079d..3f85b6c 100644 +--- a/drivers/media/video/cx23885/cx23885-dvb.c ++++ b/drivers/media/video/cx23885/cx23885-dvb.c +@@ -747,7 +747,7 @@ static int dvb_register(struct cx23885_tsport *port) + static struct xc2028_ctrl ctl = { + .fname = XC3028L_DEFAULT_FIRMWARE, + .max_len = 64, +- .demod = 5000, ++ .demod = XC3028_FE_DIBCOM52, + /* This is true for all demods with + v36 firmware? */ + .type = XC2028_D2633, +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/um-fix-ubd-cow-size.patch b/queue/um-fix-ubd-cow-size.patch new file mode 100644 index 0000000..2da043d --- /dev/null +++ b/queue/um-fix-ubd-cow-size.patch @@ -0,0 +1,65 @@ +From c4c5d0bd04f68814e927b35a883600621e51f4d2 Mon Sep 17 00:00:00 2001 +From: Richard Weinberger <richard@nod.at> +Date: Wed, 2 Nov 2011 13:17:27 +0100 +Subject: [PATCH] um: fix ubd cow size + +commit 8535639810e578960233ad39def3ac2157b0c3ec upstream. + +ubd_file_size() cannot use ubd_dev->cow.file because at this time +ubd_dev->cow.file is not initialized. +Therefore, ubd_file_size() will always report a wrong disk size when +COW files are used. +Reading from /dev/ubd* would crash the kernel. + +We have to read the correct disk size from the COW file's backing +file. + +Signed-off-by: Richard Weinberger <richard@nod.at> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/um/drivers/ubd_kern.c b/arch/um/drivers/ubd_kern.c +index 3d63b83..1cbad01 100644 +--- a/arch/um/drivers/ubd_kern.c ++++ b/arch/um/drivers/ubd_kern.c +@@ -511,8 +511,37 @@ __uml_exitcall(kill_io_thread); + static inline int ubd_file_size(struct ubd *ubd_dev, __u64 *size_out) + { + char *file; ++ int fd; ++ int err; ++ ++ __u32 version; ++ __u32 align; ++ char *backing_file; ++ time_t mtime; ++ unsigned long long size; ++ int sector_size; ++ int bitmap_offset; ++ ++ if (ubd_dev->file && ubd_dev->cow.file) { ++ file = ubd_dev->cow.file; ++ ++ goto out; ++ } + +- file = ubd_dev->cow.file ? ubd_dev->cow.file : ubd_dev->file; ++ fd = os_open_file(ubd_dev->file, global_openflags, 0); ++ if (fd < 0) ++ return fd; ++ ++ err = read_cow_header(file_reader, &fd, &version, &backing_file, \ ++ &mtime, &size, §or_size, &align, &bitmap_offset); ++ os_close_file(fd); ++ ++ if(err == -EINVAL) ++ file = ubd_dev->file; ++ else ++ file = backing_file; ++ ++out: + return os_file_size(file, size_out); + } + +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/usb-cdc-acm-Owen-SI-30-support.patch b/queue/usb-cdc-acm-Owen-SI-30-support.patch new file mode 100644 index 0000000..c1c7d46 --- /dev/null +++ b/queue/usb-cdc-acm-Owen-SI-30-support.patch @@ -0,0 +1,43 @@ +From a8119030812ba128168e996bd928da661d9823e4 Mon Sep 17 00:00:00 2001 +From: Denis Pershin <dyp@perchine.com> +Date: Sun, 4 Sep 2011 17:37:21 +0700 +Subject: [PATCH] usb: cdc-acm: Owen SI-30 support + +commit 65e52f41fa944cef2e6d4222b8c54f46cc575214 upstream. + +here is the patch to support Owen SI-30 device. +This is a pulse counter controller. +http://www.owen.ru/en/catalog/93788515 + +usb-drivers output: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=02(commc) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 +P: Vendor=03eb ProdID=0030 Rev=01.01 +C: #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=00 Driver=cdc_acm +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_acm + +This patch is installed on my home system which receives data from this +controller connected to cold water counter. + +Signed-off-by: Denis Pershin <dyp@perchine.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/class/cdc-acm.c b/drivers/usb/class/cdc-acm.c +index e907cfd..db34eb4 100644 +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1623,6 +1623,9 @@ static const struct usb_device_id acm_ids[] = { + { NOKIA_PCSUITE_ACM_INFO(0x03cd), }, /* Nokia C7 */ + { SAMSUNG_PCSUITE_ACM_INFO(0x6651), }, /* Samsung GTi8510 (INNOV8) */ + ++ /* Support for Owen devices */ ++ { USB_DEVICE(0x03eb, 0x0030), }, /* Owen SI30 */ ++ + /* NOTE: non-Nokia COMM/ACM/0xff is likely MSFT RNDIS... NOT a modem! */ + + /* Support Lego NXT using pbLua firmware */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch b/queue/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch new file mode 100644 index 0000000..89164d4 --- /dev/null +++ b/queue/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch @@ -0,0 +1,36 @@ +From 26e837cd60a1857e8faa1bcfbad6b46e203a4109 Mon Sep 17 00:00:00 2001 +From: Johannes Stezenbach <js@sig21.net> +Date: Thu, 8 Sep 2011 15:39:15 +0200 +Subject: [PATCH] usbmon vs. tcpdump: fix dropped packet count + +commit 236c448cb6e7f82096101e1ace4b77f8b38f82c8 upstream. + +Report the number of dropped packets instead of zero +when using the binary usbmon interface with tcpdump. + +# tcpdump -i usbmon1 -w dump +tcpdump: listening on usbmon1, link-type USB_LINUX_MMAPPED (USB with padded Linux header), capture size 65535 bytes +^C2155 packets captured +2155 packets received by filter +1019 packets dropped by kernel + +Signed-off-by: Johannes Stezenbach <js@sig21.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/mon/mon_bin.c b/drivers/usb/mon/mon_bin.c +index 6ee9d76..45f9705 100644 +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1080,7 +1080,7 @@ static int mon_bin_ioctl(struct inode *inode, struct file *file, + nevents = mon_bin_queued(rp); + + sp = (struct mon_bin_stats __user *)arg; +- if (put_user(rp->cnt_lost, &sp->dropped)) ++ if (put_user(ndropped, &sp->dropped)) + return -EFAULT; + if (put_user(nevents, &sp->queued)) + return -EFAULT; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/uvcvideo-Set-alternate-setting-0-on-resume-if-the-bu.patch b/queue/uvcvideo-Set-alternate-setting-0-on-resume-if-the-bu.patch new file mode 100644 index 0000000..b448446 --- /dev/null +++ b/queue/uvcvideo-Set-alternate-setting-0-on-resume-if-the-bu.patch @@ -0,0 +1,76 @@ +From cfb4f52ffb46f29b770662568b3236643179ae96 Mon Sep 17 00:00:00 2001 +From: Ming Lei <tom.leiming@gmail.com> +Date: Sat, 16 Jul 2011 00:51:00 -0300 +Subject: [PATCH] uvcvideo: Set alternate setting 0 on resume if the bus has + been reset + +commit d59a7b1dbce8b972ec2dc9fcaaae0bfa23687423 upstream. + +If the bus has been reset on resume, set the alternate setting to 0. +This should be the default value, but some devices crash or otherwise +misbehave if they don't receive a SET_INTERFACE request before any other +video control request. + +Microdia's 0c45:6437 camera has been found to require this change or it +will stop sending video data after resume. + +uvc_video.c] + +Signed-off-by: Ming Lei <ming.lei@canonical.com> +Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/media/video/uvc/uvc_driver.c b/drivers/media/video/uvc/uvc_driver.c +index 838b56f..590b817 100644 +--- a/drivers/media/video/uvc/uvc_driver.c ++++ b/drivers/media/video/uvc/uvc_driver.c +@@ -1885,7 +1885,7 @@ static int __uvc_resume(struct usb_interface *intf, int reset) + + list_for_each_entry(stream, &dev->streams, list) { + if (stream->intf == intf) +- return uvc_video_resume(stream); ++ return uvc_video_resume(stream, reset); + } + + uvc_trace(UVC_TRACE_SUSPEND, "Resume: video streaming USB interface " +diff --git a/drivers/media/video/uvc/uvc_video.c b/drivers/media/video/uvc/uvc_video.c +index 687c970..a96f9ea 100644 +--- a/drivers/media/video/uvc/uvc_video.c ++++ b/drivers/media/video/uvc/uvc_video.c +@@ -1056,10 +1056,18 @@ int uvc_video_suspend(struct uvc_streaming *stream) + * buffers, making sure userspace applications are notified of the problem + * instead of waiting forever. + */ +-int uvc_video_resume(struct uvc_streaming *stream) ++int uvc_video_resume(struct uvc_streaming *stream, int reset) + { + int ret; + ++ /* If the bus has been reset on resume, set the alternate setting to 0. ++ * This should be the default value, but some devices crash or otherwise ++ * misbehave if they don't receive a SET_INTERFACE request before any ++ * other video control request. ++ */ ++ if (reset) ++ usb_set_interface(stream->dev->udev, stream->intfnum, 0); ++ + stream->frozen = 0; + + ret = uvc_commit_video(stream, &stream->ctrl); +diff --git a/drivers/media/video/uvc/uvcvideo.h b/drivers/media/video/uvc/uvcvideo.h +index d1f8840..1180ec7 100644 +--- a/drivers/media/video/uvc/uvcvideo.h ++++ b/drivers/media/video/uvc/uvcvideo.h +@@ -596,7 +596,7 @@ extern const struct v4l2_file_operations uvc_fops; + /* Video */ + extern int uvc_video_init(struct uvc_streaming *stream); + extern int uvc_video_suspend(struct uvc_streaming *stream); +-extern int uvc_video_resume(struct uvc_streaming *stream); ++extern int uvc_video_resume(struct uvc_streaming *stream, int reset); + extern int uvc_video_enable(struct uvc_streaming *stream, int enable); + extern int uvc_probe_video(struct uvc_streaming *stream, + struct uvc_streaming_control *probe); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch b/queue/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch new file mode 100644 index 0000000..96b35fa --- /dev/null +++ b/queue/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch @@ -0,0 +1,42 @@ +From b9bd6d40e88dcf1317be9822e98da10476684e76 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins <hughd@google.com> +Date: Mon, 9 May 2011 17:44:42 -0700 +Subject: [PATCH] vm: fix vm_pgoff wrap in upward expansion + +commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream. + +Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed +the case of an expanding mapping causing vm_pgoff wrapping when you had +downward stack expansion. But there was another case where IA64 and +PA-RISC expand mappings: upward expansion. + +This fixes that case too. + +Signed-off-by: Hugh Dickins <hughd@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +[PG: .34 doesn't have perf call via 3af9e859 (in .36); adjust accordingly] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/mm/mmap.c b/mm/mmap.c +index fe9b76a..053c540 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1740,9 +1740,12 @@ int expand_upwards(struct vm_area_struct *vma, unsigned long address) + size = address - vma->vm_start; + grow = (address - vma->vm_end) >> PAGE_SHIFT; + +- error = acct_stack_growth(vma, size, grow); +- if (!error) +- vma->vm_end = address; ++ error = -ENOMEM; ++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { ++ error = acct_stack_growth(vma, size, grow); ++ if (!error) ++ vma->vm_end = address; ++ } + } + anon_vma_unlock(vma); + return error; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/wireless-Reset-beacon_found-while-updating-regulator.patch b/queue/wireless-Reset-beacon_found-while-updating-regulator.patch new file mode 100644 index 0000000..4b31dcf --- /dev/null +++ b/queue/wireless-Reset-beacon_found-while-updating-regulator.patch @@ -0,0 +1,38 @@ +From f7d681f66209a0df7695fdb63dcc0fcf0bd73fd0 Mon Sep 17 00:00:00 2001 +From: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Date: Wed, 14 Sep 2011 14:28:17 +0530 +Subject: [PATCH] wireless: Reset beacon_found while updating regulatory + +commit aa3d7eef398dd4f29045e9889b817d5161afe03e upstream. + +During the association, the regulatory is updated by country IE +that reaps the previously found beacons. The impact is that +after a STA disconnects *or* when for any reason a regulatory +domain change happens the beacon hint flag is not cleared +therefore preventing future beacon hints to be learned. +This is important as a regulatory domain change or a restore +of regulatory settings would set back the passive scan and no-ibss +flags on the channel. This is the right place to do this given that +it covers any regulatory domain change. + +Reviewed-by: Luis R. Rodriguez <mcgrof@gmail.com> +Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/wireless/reg.c b/net/wireless/reg.c +index 422da20..3ed40f7 100644 +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -1302,6 +1302,7 @@ static void handle_channel(struct wiphy *wiphy, enum ieee80211_band band, + return; + } + ++ chan->beacon_found = false; + chan->flags = flags | bw_flags | map_regdom_flags(reg_rule->flags); + chan->max_antenna_gain = min(chan->orig_mag, + (int) MBI_TO_DBI(power_rule->max_antenna_gain)); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/x25-Prevent-skb-overreads-when-checking-call-user-da.patch b/queue/x25-Prevent-skb-overreads-when-checking-call-user-da.patch new file mode 100644 index 0000000..14ec98e --- /dev/null +++ b/queue/x25-Prevent-skb-overreads-when-checking-call-user-da.patch @@ -0,0 +1,35 @@ +From 3e665f97da788634e06b98e4f597bfd984b03b60 Mon Sep 17 00:00:00 2001 +From: Matthew Daley <mattjd@gmail.com> +Date: Fri, 14 Oct 2011 18:45:05 +0000 +Subject: [PATCH] x25: Prevent skb overreads when checking call user data + +commit 7f81e25befdfb3272345a2e775f520e1d515fa20 upstream. + +x25_find_listener does not check that the amount of call user data given +in the skb is big enough in per-socket comparisons, hence buffer +overreads may occur. Fix this by adding a check. + +Signed-off-by: Matthew Daley <mattjd@gmail.com> +Cc: Eric Dumazet <eric.dumazet@gmail.com> +Cc: Andrew Hendry <andrew.hendry@gmail.com> +Acked-by: Andrew Hendry <andrew.hendry@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/net/x25/af_x25.c b/net/x25/af_x25.c +index 36e84e1..3117b9e 100644 +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -296,7 +296,8 @@ static struct sock *x25_find_listener(struct x25_address *addr, + * Found a listening socket, now check the incoming + * call user data vs this sockets call user data + */ +- if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { ++ if (x25_sk(s)->cudmatchlength > 0 && ++ skb->len >= x25_sk(s)->cudmatchlength) { + if((memcmp(x25_sk(s)->calluserdata.cuddata, + skb->data, + x25_sk(s)->cudmatchlength)) == 0) { +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/x86-Fix-compilation-bug-in-kprobes-twobyte_is_boosta.patch b/queue/x86-Fix-compilation-bug-in-kprobes-twobyte_is_boosta.patch new file mode 100644 index 0000000..12f5eec --- /dev/null +++ b/queue/x86-Fix-compilation-bug-in-kprobes-twobyte_is_boosta.patch @@ -0,0 +1,95 @@ +From dcb9d9fed580feb12cbeec2055827344d272a7e0 Mon Sep 17 00:00:00 2001 +From: Josh Stone <jistone@redhat.com> +Date: Mon, 24 Oct 2011 10:15:51 -0700 +Subject: [PATCH] x86: Fix compilation bug in kprobes' twobyte_is_boostable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 315eb8a2a1b7f335d40ceeeb11b9e067475eb881 upstream. + +When compiling an i386_defconfig kernel with gcc-4.6.1-9.fc15.i686, I +noticed a warning about the asm operand for test_bit in kprobes' +can_boost. I discovered that this caused only the first long of +twobyte_is_boostable[] to be output. + +Jakub filed and fixed gcc PR50571 to correct the warning and this output +issue. But to solve it for less current gcc, we can make kprobes' +twobyte_is_boostable[] non-const, and it won't be optimized out. + +Before: + + CC arch/x86/kernel/kprobes.o + In file included from include/linux/bitops.h:22:0, + from include/linux/kernel.h:17, + from [...]/arch/x86/include/asm/percpu.h:44, + from [...]/arch/x86/include/asm/current.h:5, + from [...]/arch/x86/include/asm/processor.h:15, + from [...]/arch/x86/include/asm/atomic.h:6, + from include/linux/atomic.h:4, + from include/linux/mutex.h:18, + from include/linux/notifier.h:13, + from include/linux/kprobes.h:34, + from arch/x86/kernel/kprobes.c:43: + [...]/arch/x86/include/asm/bitops.h: In function ‘can_boost.part.1’: + [...]/arch/x86/include/asm/bitops.h:319:2: warning: use of memory input + without lvalue in asm operand 1 is deprecated [enabled by default] + + $ objdump -rd arch/x86/kernel/kprobes.o | grep -A1 -w bt + 551: 0f a3 05 00 00 00 00 bt %eax,0x0 + 554: R_386_32 .rodata.cst4 + + $ objdump -s -j .rodata.cst4 -j .data arch/x86/kernel/kprobes.o + + arch/x86/kernel/kprobes.o: file format elf32-i386 + + Contents of section .data: + 0000 48000000 00000000 00000000 00000000 H............... + Contents of section .rodata.cst4: + 0000 4c030000 L... + +Only a single long of twobyte_is_boostable[] is in the object file. + +After, without the const on twobyte_is_boostable: + + $ objdump -rd arch/x86/kernel/kprobes.o | grep -A1 -w bt + 551: 0f a3 05 20 00 00 00 bt %eax,0x20 + 554: R_386_32 .data + + $ objdump -s -j .rodata.cst4 -j .data arch/x86/kernel/kprobes.o + + arch/x86/kernel/kprobes.o: file format elf32-i386 + + Contents of section .data: + 0000 48000000 00000000 00000000 00000000 H............... + 0010 00000000 00000000 00000000 00000000 ................ + 0020 4c030000 0f000200 ffff0000 ffcff0c0 L............... + 0030 0000ffff 3bbbfff8 03ff2ebb 26bb2e77 ....;.......&..w + +Now all 32 bytes are output into .data instead. + +Signed-off-by: Josh Stone <jistone@redhat.com> +Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> +Cc: Jakub Jelinek <jakub@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/x86/kernel/kprobes.c b/arch/x86/kernel/kprobes.c +index ac4ed92..9619315 100644 +--- a/arch/x86/kernel/kprobes.c ++++ b/arch/x86/kernel/kprobes.c +@@ -75,8 +75,10 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kprobe_ctlblk); + /* + * Undefined/reserved opcodes, conditional jump, Opcode Extension + * Groups, and some special opcodes can not boost. ++ * This is non-const to keep gcc from statically optimizing it out, as ++ * variable_test_bit makes gcc think only *(unsigned long*) is used. + */ +-static const u32 twobyte_is_boostable[256 / 32] = { ++static u32 twobyte_is_boostable[256 / 32] = { + /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ + /* ---------------------------------------------- */ + W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */ +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkf.patch b/queue/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkf.patch new file mode 100644 index 0000000..e31e1f3 --- /dev/null +++ b/queue/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkf.patch @@ -0,0 +1,36 @@ +From 14901cffbf5390a943dce195823ff83186738af3 Mon Sep 17 00:00:00 2001 +From: Marek Marczykowski <marmarek@mimuw.edu.pl> +Date: Tue, 3 May 2011 12:04:52 -0400 +Subject: [PATCH] xen-blkfront: fix data size for xenbus_gather in + blkfront_connect + +commit 4352b47ab7918108b389a48d2163c9a4c2aaf139 upstream. + +barrier variable is int, not long. This overflow caused another variable +override: "err" (in PV code) and "binfo" (in xenlinux code - +drivers/xen/blkfront/blkfront.c). The later caused incorrect device +flags (RO/removable etc). + +Signed-off-by: Marek Marczykowski <marmarek@mimuw.edu.pl> +Acked-by: Ian Campbell <Ian.Campbell@citrix.com> +[v1: Changed title] +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> + +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/block/xen-blkfront.c b/drivers/block/xen-blkfront.c +index 82ed403..5d5e1ea 100644 +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -890,7 +890,7 @@ static void blkfront_connect(struct blkfront_info *info) + } + + err = xenbus_gather(XBT_NIL, info->xbdev->otherend, +- "feature-barrier", "%lu", &info->feature_barrier, ++ "feature-barrier", "%d", &info->feature_barrier, + NULL); + if (err) + info->feature_barrier = 0; +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/xen-smp-Warn-user-why-they-keel-over-nosmp-or-noapic.patch b/queue/xen-smp-Warn-user-why-they-keel-over-nosmp-or-noapic.patch new file mode 100644 index 0000000..90ee76f --- /dev/null +++ b/queue/xen-smp-Warn-user-why-they-keel-over-nosmp-or-noapic.patch @@ -0,0 +1,52 @@ +From ce328f383fa899ebedc48e659b3bfbd76dbdd859 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Thu, 1 Sep 2011 09:48:27 -0400 +Subject: [PATCH] xen/smp: Warn user why they keel over - nosmp or noapic and + what to use instead. + +commit ed467e69f16e6b480e2face7bc5963834d025f91 upstream. + +We have hit a couple of customer bugs where they would like to +use those parameters to run an UP kernel - but both of those +options turn of important sources of interrupt information so +we end up not being able to boot. The correct way is to +pass in 'dom0_max_vcpus=1' on the Xen hypervisor line and +the kernel will patch itself to be a UP kernel. + +Fixes bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637308 + +Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/x86/xen/smp.c b/arch/x86/xen/smp.c +index d2dfbf5..9aac865 100644 +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -31,6 +31,7 @@ + #include <xen/page.h> + #include <xen/events.h> + ++#include <xen/hvc-console.h> + #include "xen-ops.h" + #include "mmu.h" + +@@ -181,6 +182,15 @@ static void __init xen_smp_prepare_cpus(unsigned int max_cpus) + { + unsigned cpu; + ++ if (skip_ioapic_setup) { ++ char *m = (max_cpus == 0) ? ++ "The nosmp parameter is incompatible with Xen; " \ ++ "use Xen dom0_max_vcpus=1 parameter" : ++ "The noapic parameter is incompatible with Xen"; ++ ++ xen_raw_printk(m); ++ panic(m); ++ } + xen_init_lock_cpu(0); + + smp_store_cpu_info(0); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/xen-timer-Missing-IRQF_NO_SUSPEND-in-timer-code-brok.patch b/queue/xen-timer-Missing-IRQF_NO_SUSPEND-in-timer-code-brok.patch new file mode 100644 index 0000000..5fd5578 --- /dev/null +++ b/queue/xen-timer-Missing-IRQF_NO_SUSPEND-in-timer-code-brok.patch @@ -0,0 +1,36 @@ +From 34773a57b049259775ca45894301012ada80c7b1 Mon Sep 17 00:00:00 2001 +From: Ian Campbell <Ian.Campbell@citrix.com> +Date: Tue, 8 Feb 2011 14:03:31 +0000 +Subject: [PATCH] xen/timer: Missing IRQF_NO_SUSPEND in timer code broke + suspend. + +commit f611f2da99420abc973c32cdbddbf5c365d0a20c upstream. + +The patches missed an indirect use of IRQF_NO_SUSPEND pulled in via +IRQF_TIMER. The following patch fixes the issue. + +With this fixlet PV guest migration works just fine. I also booted the +entire series as a dom0 kernel and it appeared fine. + +Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c +index a05bda6..fb2b388 100644 +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -396,7 +396,9 @@ void xen_setup_timer(int cpu) + name = "<timer kasprintf failed>"; + + irq = bind_virq_to_irqhandler(VIRQ_TIMER, cpu, xen_timer_interrupt, +- IRQF_DISABLED|IRQF_PERCPU|IRQF_NOBALANCING|IRQF_TIMER, ++ IRQF_DISABLED|IRQF_PERCPU| ++ IRQF_NOBALANCING|IRQF_TIMER| ++ IRQF_FORCE_RESUME, + name, NULL); + + evt = &per_cpu(xen_clock_events, cpu); +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/xen-x86_32-do-not-enable-iterrupts-when-returning-fr.patch b/queue/xen-x86_32-do-not-enable-iterrupts-when-returning-fr.patch new file mode 100644 index 0000000..b36befb --- /dev/null +++ b/queue/xen-x86_32-do-not-enable-iterrupts-when-returning-fr.patch @@ -0,0 +1,57 @@ +From 43d492d8c5866c8c8248f887ba45b2e291b57c9c Mon Sep 17 00:00:00 2001 +From: Igor Mammedov <imammedo@redhat.com> +Date: Thu, 1 Sep 2011 13:46:55 +0200 +Subject: [PATCH] xen: x86_32: do not enable iterrupts when returning from + exception in interrupt context + +commit d198d499148a0c64a41b3aba9e7dd43772832b91 upstream. + +If vmalloc page_fault happens inside of interrupt handler with interrupts +disabled then on exit path from exception handler when there is no pending +interrupts, the following code (arch/x86/xen/xen-asm_32.S:112): + + cmpw $0x0001, XEN_vcpu_info_pending(%eax) + sete XEN_vcpu_info_mask(%eax) + +will enable interrupts even if they has been previously disabled according to +eflags from the bounce frame (arch/x86/xen/xen-asm_32.S:99) + + testb $X86_EFLAGS_IF>>8, 8+1+ESP_OFFSET(%esp) + setz XEN_vcpu_info_mask(%eax) + +Solution is in setting XEN_vcpu_info_mask only when it should be set +according to + cmpw $0x0001, XEN_vcpu_info_pending(%eax) +but not clearing it if there isn't any pending events. + +Reproducer for bug is attached to RHBZ 707552 + +Signed-off-by: Igor Mammedov <imammedo@redhat.com> +Acked-by: Jeremy Fitzhardinge <jeremy@goop.org> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/arch/x86/xen/xen-asm_32.S b/arch/x86/xen/xen-asm_32.S +index 22a2093..b040b0e 100644 +--- a/arch/x86/xen/xen-asm_32.S ++++ b/arch/x86/xen/xen-asm_32.S +@@ -113,11 +113,13 @@ xen_iret_start_crit: + + /* + * If there's something pending, mask events again so we can +- * jump back into xen_hypervisor_callback ++ * jump back into xen_hypervisor_callback. Otherwise do not ++ * touch XEN_vcpu_info_mask. + */ +- sete XEN_vcpu_info_mask(%eax) ++ jne 1f ++ movb $1, XEN_vcpu_info_mask(%eax) + +- popl %eax ++1: popl %eax + + /* + * From this point on the registers are restored and the stack +-- +1.7.12.rc1.1.gbce1580 + diff --git a/queue/xhci-mem.c-Check-for-ring-first_seg-NULL.patch b/queue/xhci-mem.c-Check-for-ring-first_seg-NULL.patch new file mode 100644 index 0000000..a072ced --- /dev/null +++ b/queue/xhci-mem.c-Check-for-ring-first_seg-NULL.patch @@ -0,0 +1,61 @@ +From bbb70703d2b87c31f4c7ec93c818a209bf867b6c Mon Sep 17 00:00:00 2001 +From: Kautuk Consul <consul.kautuk@gmail.com> +Date: Mon, 19 Sep 2011 16:53:12 -0700 +Subject: [PATCH] xhci-mem.c: Check for ring->first_seg != NULL + +commit 0e6c7f746ea99089fb3263709075c20485a479ae upstream. + +There are 2 situations wherein the xhci_ring* might not get freed: +- When xhci_ring_alloc() -> xhci_segment_alloc() returns NULL and + we goto the fail: label in xhci_ring_alloc. In this case, the ring + will not get kfreed. +- When the num_segs argument to xhci_ring_alloc is passed as 0 and + we try to free the rung after that. + ( This doesn't really happen as of now in the code but we seem to + be entertaining num_segs=0 in xhci_ring_alloc ) + +This should be backported to kernels as old as 2.6.31. + +Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com> +Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> + +diff --git a/drivers/usb/host/xhci-mem.c b/drivers/usb/host/xhci-mem.c +index 727ac40..31cf540 100644 +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -111,18 +111,20 @@ void xhci_ring_free(struct xhci_hcd *xhci, struct xhci_ring *ring) + struct xhci_segment *seg; + struct xhci_segment *first_seg; + +- if (!ring || !ring->first_seg) ++ if (!ring) + return; +- first_seg = ring->first_seg; +- seg = first_seg->next; +- xhci_dbg(xhci, "Freeing ring at %p\n", ring); +- while (seg != first_seg) { +- struct xhci_segment *next = seg->next; +- xhci_segment_free(xhci, seg); +- seg = next; ++ if (ring->first_seg) { ++ first_seg = ring->first_seg; ++ seg = first_seg->next; ++ xhci_dbg(xhci, "Freeing ring at %p\n", ring); ++ while (seg != first_seg) { ++ struct xhci_segment *next = seg->next; ++ xhci_segment_free(xhci, seg); ++ seg = next; ++ } ++ xhci_segment_free(xhci, first_seg); ++ ring->first_seg = NULL; + } +- xhci_segment_free(xhci, first_seg); +- ring->first_seg = NULL; + kfree(ring); + } + +-- +1.7.12.rc1.1.gbce1580 + |