diff options
Diffstat (limited to 'releases')
103 files changed, 5457 insertions, 0 deletions
diff --git a/releases/2.6.33.20/3w-9xxx-fix-iommu_iova-leak.patch b/releases/2.6.33.20/3w-9xxx-fix-iommu_iova-leak.patch new file mode 100644 index 0000000..eb8aa7a --- /dev/null +++ b/releases/2.6.33.20/3w-9xxx-fix-iommu_iova-leak.patch @@ -0,0 +1,40 @@ +From 96067723e46b0dd24ae7b934085ab4eff4d26a1b Mon Sep 17 00:00:00 2001 +From: James Bottomley <JBottomley@Parallels.com> +Date: Sun, 18 Sep 2011 18:56:20 +0400 +Subject: [SCSI] 3w-9xxx: fix iommu_iova leak + +From: James Bottomley <JBottomley@Parallels.com> + +commit 96067723e46b0dd24ae7b934085ab4eff4d26a1b upstream. + +Following reports on the list, it looks like the 3e-9xxx driver will leak dma +mappings every time we get a transient queueing error back from the card. +This is because it maps the sg list in the routine that sends the command, but +doesn't unmap again in the transient failure path (even though the command is +sent back to the block layer). Fix by unmapping before returning the status. + +Reported-by: Chris Boot <bootc@bootc.net> +Tested-by: Chris Boot <bootc@bootc.net> +Acked-by: Adam Radford <aradford@gmail.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/3w-9xxx.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/3w-9xxx.c ++++ b/drivers/scsi/3w-9xxx.c +@@ -1793,10 +1793,12 @@ static int twa_scsi_queue(struct scsi_cm + switch (retval) { + case SCSI_MLQUEUE_HOST_BUSY: + twa_free_request_id(tw_dev, request_id); ++ twa_unmap_scsi_data(tw_dev, request_id); + break; + case 1: + tw_dev->state[request_id] = TW_S_COMPLETED; + twa_free_request_id(tw_dev, request_id); ++ twa_unmap_scsi_data(tw_dev, request_id); + SCpnt->result = (DID_ERROR << 16); + done(SCpnt); + retval = 0; diff --git a/releases/2.6.33.20/aacraid-reset-should-disable-msi-interrupt.patch b/releases/2.6.33.20/aacraid-reset-should-disable-msi-interrupt.patch new file mode 100644 index 0000000..cdc190f --- /dev/null +++ b/releases/2.6.33.20/aacraid-reset-should-disable-msi-interrupt.patch @@ -0,0 +1,37 @@ +From d0efab26f89506387a1bde898556660e06d7eb15 Mon Sep 17 00:00:00 2001 +From: Vasily Averin <vvs@parallels.com> +Date: Fri, 2 Sep 2011 19:31:46 +0400 +Subject: [SCSI] aacraid: reset should disable MSI interrupt + +From: Vasily Averin <vvs@parallels.com> + +commit d0efab26f89506387a1bde898556660e06d7eb15 upstream. + +scsi reset on hardware with enabled MSI interrupts generates WARNING message + +[11027.798722] aacraid: Host adapter abort request (0,0,0,0) +[11027.798814] aacraid: Host adapter reset request. SCSI hang ? +[11087.762237] aacraid: SCSI bus appears hung +[11135.082543] ------------[ cut here ]------------ +[11135.082646] WARNING: at drivers/pci/msi.c:658 pci_enable_msi_block+0x251/0x290() + +Signed-off-by: Vasily Averin <vvs@sw.ru> +Acked-by: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/aacraid/commsup.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/aacraid/commsup.c ++++ b/drivers/scsi/aacraid/commsup.c +@@ -1242,6 +1242,8 @@ static int _aac_reset_adapter(struct aac + kfree(aac->queues); + aac->queues = NULL; + free_irq(aac->pdev->irq, aac); ++ if (aac->msi) ++ pci_disable_msi(aac->pdev); + kfree(aac->fsa_dev); + aac->fsa_dev = NULL; + quirks = aac_get_driver_ident(index)->quirks; diff --git a/releases/2.6.33.20/ahci-enable-sb600-64bit-dma-on-asus-m3a.patch b/releases/2.6.33.20/ahci-enable-sb600-64bit-dma-on-asus-m3a.patch new file mode 100644 index 0000000..37e44bb --- /dev/null +++ b/releases/2.6.33.20/ahci-enable-sb600-64bit-dma-on-asus-m3a.patch @@ -0,0 +1,44 @@ +From 3c4aa91f21f65b7b40bdfb015eacbcb8453ccae2 Mon Sep 17 00:00:00 2001 +From: Mark Nelson <mdnelson8@gmail.com> +Date: Mon, 27 Jun 2011 16:33:44 +1000 +Subject: ahci: Enable SB600 64bit DMA on Asus M3A + +From: Mark Nelson <mdnelson8@gmail.com> + +commit 3c4aa91f21f65b7b40bdfb015eacbcb8453ccae2 upstream. + +Like e65cc194f7628ecaa02462f22f42fb09b50dcd49 this patch enables 64bit DMA +for the AHCI SATA controller of a board that has the SB600 southbridge. In +this case though we're enabling 64bit DMA for the Asus M3A motherboard. It +is a new enough board that all of the BIOS releases since the initial +release (0301 from 2007-10-22) work correctly with 64bit DMA enabled. + +Signed-off-by: Mark Nelson <mdnelson8@gmail.com> +Signed-off-by: Jeff Garzik <jgarzik@pobox.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/ata/ahci.c | 12 ++++++++++++ + 1 file changed, 12 insertions(+) + +--- a/drivers/ata/ahci.c ++++ b/drivers/ata/ahci.c +@@ -2769,6 +2769,18 @@ static bool ahci_sb600_enable_64bit(stru + DMI_MATCH(DMI_BOARD_NAME, "MS-7376"), + }, + }, ++ /* ++ * All BIOS versions for the Asus M3A support 64bit DMA. ++ * (all release versions from 0301 to 1206 were tested) ++ */ ++ { ++ .ident = "ASUS M3A", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, ++ "ASUSTeK Computer INC."), ++ DMI_MATCH(DMI_BOARD_NAME, "M3A"), ++ }, ++ }, + { } + }; + const struct dmi_system_id *match; diff --git a/releases/2.6.33.20/alsa-hda-add-new-revision-for-alc662.patch b/releases/2.6.33.20/alsa-hda-add-new-revision-for-alc662.patch new file mode 100644 index 0000000..d941a24 --- /dev/null +++ b/releases/2.6.33.20/alsa-hda-add-new-revision-for-alc662.patch @@ -0,0 +1,34 @@ +From cc667a72d471e79fd8e5e291ea115923cf44dca0 Mon Sep 17 00:00:00 2001 +From: David Henningsson <david.henningsson@canonical.com> +Date: Tue, 18 Oct 2011 14:07:51 +0200 +Subject: ALSA: HDA: Add new revision for ALC662 + +From: David Henningsson <david.henningsson@canonical.com> + +commit cc667a72d471e79fd8e5e291ea115923cf44dca0 upstream. + +The revision 0x100300 was found for ALC662. It seems to work well +with patch_alc662. + +BugLink: http://bugs.launchpad.net/bugs/877373 +Tested-by: Shengyao Xue <Shengyao.xue@canonical.com> +Signed-off-by: David Henningsson <david.henningsson@canonical.com> +Acked-by: Kailang Yang <kailang@realtek.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/pci/hda/patch_realtek.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -18117,6 +18117,8 @@ static struct hda_codec_preset snd_hda_p + .patch = patch_alc882 }, + { .id = 0x10ec0662, .rev = 0x100101, .name = "ALC662 rev1", + .patch = patch_alc662 }, ++ { .id = 0x10ec0662, .rev = 0x100300, .name = "ALC662 rev3", ++ .patch = patch_alc662 }, + { .id = 0x10ec0663, .name = "ALC663", .patch = patch_alc662 }, + { .id = 0x10ec0880, .name = "ALC880", .patch = patch_alc880 }, + { .id = 0x10ec0882, .name = "ALC882", .patch = patch_alc882 }, diff --git a/releases/2.6.33.20/alsa-hda-cirrus-fix-surround-speaker-volume-control-name.patch b/releases/2.6.33.20/alsa-hda-cirrus-fix-surround-speaker-volume-control-name.patch new file mode 100644 index 0000000..ac921ad --- /dev/null +++ b/releases/2.6.33.20/alsa-hda-cirrus-fix-surround-speaker-volume-control-name.patch @@ -0,0 +1,32 @@ +From 2e1210bc3d065a6e26ff5fef228a9a7e08921d2c Mon Sep 17 00:00:00 2001 +From: David Henningsson <david.henningsson@canonical.com> +Date: Wed, 14 Sep 2011 13:22:54 +0200 +Subject: ALSA: HDA: Cirrus - fix "Surround Speaker" volume control name + +From: David Henningsson <david.henningsson@canonical.com> + +commit 2e1210bc3d065a6e26ff5fef228a9a7e08921d2c upstream. + +This patch fixes "Surround Speaker Playback Volume" being cut off. +(Commit b4dabfc452a10 was probably meant to fix this, but it fixed +only the "Switch" name, not the "Volume" name.) + +Signed-off-by: David Henningsson <david.henningsson@canonical.com> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/pci/hda/patch_cirrus.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_cirrus.c ++++ b/sound/pci/hda/patch_cirrus.c +@@ -508,7 +508,7 @@ static int add_volume(struct hda_codec * + int index, unsigned int pval, int dir, + struct snd_kcontrol **kctlp) + { +- char tmp[32]; ++ char tmp[44]; + struct snd_kcontrol_new knew = + HDA_CODEC_VOLUME_IDX(tmp, index, 0, 0, HDA_OUTPUT); + knew.private_value = pval; diff --git a/releases/2.6.33.20/alsa-hda-realtek-avoid-bogus-hp-pin-assignment.patch b/releases/2.6.33.20/alsa-hda-realtek-avoid-bogus-hp-pin-assignment.patch new file mode 100644 index 0000000..6e06d5f --- /dev/null +++ b/releases/2.6.33.20/alsa-hda-realtek-avoid-bogus-hp-pin-assignment.patch @@ -0,0 +1,35 @@ +From 5fe6e0151dbd969f5fbcd94d05c968b76d76952b Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Mon, 26 Sep 2011 10:41:21 +0200 +Subject: ALSA: hda/realtek - Avoid bogus HP-pin assignment + +From: Takashi Iwai <tiwai@suse.de> + +commit 5fe6e0151dbd969f5fbcd94d05c968b76d76952b upstream. + +When the headphone pin is assigned as primary output to line_out_pins[], +the automatic HP-pin assignment by ASSID must be suppressed. Otherwise +a wrong pin might be assigned to the headphone and breaks the auto-mute. + +Reference: https://bugzilla.novell.com/show_bug.cgi?id=716104 + +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/pci/hda/patch_realtek.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/sound/pci/hda/patch_realtek.c ++++ b/sound/pci/hda/patch_realtek.c +@@ -1346,7 +1346,9 @@ do_sku: + * 15 : 1 --> enable the function "Mute internal speaker + * when the external headphone out jack is plugged" + */ +- if (!spec->autocfg.hp_pins[0]) { ++ if (!spec->autocfg.hp_pins[0] && ++ !(spec->autocfg.line_out_pins[0] && ++ spec->autocfg.line_out_type == AUTO_PIN_HP_OUT)) { + hda_nid_t nid; + tmp = (ass >> 11) & 0x3; /* HP to chassis */ + if (tmp == 0) diff --git a/releases/2.6.33.20/arm-davinci-da850-evm-read-mac-address-from-spi-flash.patch b/releases/2.6.33.20/arm-davinci-da850-evm-read-mac-address-from-spi-flash.patch new file mode 100644 index 0000000..71977f0 --- /dev/null +++ b/releases/2.6.33.20/arm-davinci-da850-evm-read-mac-address-from-spi-flash.patch @@ -0,0 +1,94 @@ +From 810198bc9c109489dfadc57131c5183ce6ad2d7d Mon Sep 17 00:00:00 2001 +From: Sudhakar Rajashekhara <sudhakar.raj@ti.com> +Date: Tue, 12 Jul 2011 15:58:53 +0530 +Subject: ARM: davinci: da850 EVM: read mac address from SPI flash + +From: Sudhakar Rajashekhara <sudhakar.raj@ti.com> + +commit 810198bc9c109489dfadc57131c5183ce6ad2d7d upstream. + +DA850/OMAP-L138 EMAC driver uses random mac address instead of +a fixed one because the mac address is not stuffed into EMAC +platform data. + +This patch provides a function which reads the mac address +stored in SPI flash (registered as MTD device) and populates the +EMAC platform data. The function which reads the mac address is +registered as a callback which gets called upon addition of MTD +device. + +NOTE: In case the MAC address stored in SPI flash is erased, follow +the instructions at [1] to restore it. + +[1] http://processors.wiki.ti.com/index.php/GSG:_OMAP-L138_DVEVM_Additional_Procedures#Restoring_MAC_address_on_SPI_Flash + +Modifications in v2: +Guarded registering the mtd_notifier only when MTD is enabled. +Earlier this was handled using mtd_has_partitions() call, but +this has been removed in Linux v3.0. + +Modifications in v3: +a. Guarded da850_evm_m25p80_notify_add() function and + da850evm_spi_notifier structure with CONFIG_MTD macros. +b. Renamed da850_evm_register_mtd_user() function to + da850_evm_setup_mac_addr() and removed the struct mtd_notifier + argument to this function. +c. Passed the da850evm_spi_notifier structure to register_mtd_user() + function. + +Modifications in v4: +Moved the da850_evm_setup_mac_addr() function within the first +CONFIG_MTD ifdef construct. + +Signed-off-by: Sudhakar Rajashekhara <sudhakar.raj@ti.com> +Signed-off-by: Sekhar Nori <nsekhar@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/arm/mach-davinci/board-da850-evm.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +--- a/arch/arm/mach-davinci/board-da850-evm.c ++++ b/arch/arm/mach-davinci/board-da850-evm.c +@@ -44,6 +44,32 @@ + + #define DA850_MII_MDIO_CLKEN_PIN GPIO_TO_PIN(2, 6) + ++#ifdef CONFIG_MTD ++static void da850_evm_m25p80_notify_add(struct mtd_info *mtd) ++{ ++ char *mac_addr = davinci_soc_info.emac_pdata->mac_addr; ++ size_t retlen; ++ ++ if (!strcmp(mtd->name, "MAC-Address")) { ++ mtd->read(mtd, 0, ETH_ALEN, &retlen, mac_addr); ++ if (retlen == ETH_ALEN) ++ pr_info("Read MAC addr from SPI Flash: %pM\n", ++ mac_addr); ++ } ++} ++ ++static struct mtd_notifier da850evm_spi_notifier = { ++ .add = da850_evm_m25p80_notify_add, ++}; ++ ++static void da850_evm_setup_mac_addr(void) ++{ ++ register_mtd_user(&da850evm_spi_notifier); ++} ++#else ++static void da850_evm_setup_mac_addr(void) { } ++#endif ++ + static struct mtd_partition da850_evm_norflash_partition[] = { + { + .name = "NOR filesystem", +@@ -696,6 +722,8 @@ static __init void da850_evm_init(void) + if (ret) + pr_warning("da850_evm_init: cpuidle registration failed: %d\n", + ret); ++ ++ da850_evm_setup_mac_addr(); + } + + #ifdef CONFIG_SERIAL_8250_CONSOLE diff --git a/releases/2.6.33.20/asix-add-ax88772b-usb-id.patch b/releases/2.6.33.20/asix-add-ax88772b-usb-id.patch new file mode 100644 index 0000000..d844c99 --- /dev/null +++ b/releases/2.6.33.20/asix-add-ax88772b-usb-id.patch @@ -0,0 +1,32 @@ +From 308859097831831a979f2e82cbeef0a94f438080 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marek.vasut@gmail.com> +Date: Wed, 20 Jul 2011 05:57:04 +0000 +Subject: ASIX: Add AX88772B USB ID + +From: Marek Vasut <marek.vasut@gmail.com> + +commit 308859097831831a979f2e82cbeef0a94f438080 upstream. + +This device can be found in Acer Iconia TAB W500 tablet dock. + +Signed-off-by: Marek Vasut <marek.vasut@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/usb/asix.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/drivers/net/usb/asix.c ++++ b/drivers/net/usb/asix.c +@@ -1441,6 +1441,10 @@ static const struct usb_device_id produc + USB_DEVICE (0x04f1, 0x3008), + .driver_info = (unsigned long) &ax8817x_info, + }, { ++ // ASIX AX88772B 10/100 ++ USB_DEVICE (0x0b95, 0x772b), ++ .driver_info = (unsigned long) &ax88772_info, ++}, { + // ASIX AX88772 10/100 + USB_DEVICE (0x0b95, 0x7720), + .driver_info = (unsigned long) &ax88772_info, diff --git a/releases/2.6.33.20/asoc-ak4535-fixup-cache-register-table.patch b/releases/2.6.33.20/asoc-ak4535-fixup-cache-register-table.patch new file mode 100644 index 0000000..e6e71c2 --- /dev/null +++ b/releases/2.6.33.20/asoc-ak4535-fixup-cache-register-table.patch @@ -0,0 +1,38 @@ +From 7c04241acbdaf97f1448dcccd27ea0fcd1a57684 Mon Sep 17 00:00:00 2001 +From: Axel Lin <axel.lin@gmail.com> +Date: Thu, 13 Oct 2011 17:17:06 +0800 +Subject: ASoC: ak4535: fixup cache register table + +From: Axel Lin <axel.lin@gmail.com> + +commit 7c04241acbdaf97f1448dcccd27ea0fcd1a57684 upstream. + +ak4535_reg should be 8bit, but cache table is defined as 16bit. + +Signed-off-by: Axel Lin <axel.lin@gmail.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/soc/codecs/ak4535.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/sound/soc/codecs/ak4535.c ++++ b/sound/soc/codecs/ak4535.c +@@ -40,11 +40,11 @@ struct ak4535_priv { + /* + * ak4535 register cache + */ +-static const u16 ak4535_reg[AK4535_CACHEREGNUM] = { +- 0x0000, 0x0080, 0x0000, 0x0003, +- 0x0002, 0x0000, 0x0011, 0x0001, +- 0x0000, 0x0040, 0x0036, 0x0010, +- 0x0000, 0x0000, 0x0057, 0x0000, ++static const u8 ak4535_reg[AK4535_CACHEREGNUM] = { ++ 0x00, 0x80, 0x00, 0x03, ++ 0x02, 0x00, 0x11, 0x01, ++ 0x00, 0x40, 0x36, 0x10, ++ 0x00, 0x00, 0x57, 0x00, + }; + + /* diff --git a/releases/2.6.33.20/asoc-ak4642-fixup-cache-register-table.patch b/releases/2.6.33.20/asoc-ak4642-fixup-cache-register-table.patch new file mode 100644 index 0000000..a0037da --- /dev/null +++ b/releases/2.6.33.20/asoc-ak4642-fixup-cache-register-table.patch @@ -0,0 +1,51 @@ +From 19b115e523208a926813751aac8934cf3fc6085e Mon Sep 17 00:00:00 2001 +From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> +Date: Thu, 13 Oct 2011 02:03:54 -0700 +Subject: ASoC: ak4642: fixup cache register table + +From: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> + +commit 19b115e523208a926813751aac8934cf3fc6085e upstream. + +ak4642 register was 8bit, but cache table was defined as 16bit. +ak4642 doesn't work correctry without this patch. + +Signed-off-by: Kuninori Morimoto <kuninori.morimoto.gx@renesas.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/soc/codecs/ak4642.c | 22 +++++++++++----------- + 1 file changed, 11 insertions(+), 11 deletions(-) + +--- a/sound/soc/codecs/ak4642.c ++++ b/sound/soc/codecs/ak4642.c +@@ -93,17 +93,17 @@ static struct snd_soc_codec *ak4642_code + /* + * ak4642 register cache + */ +-static const u16 ak4642_reg[AK4642_CACHEREGNUM] = { +- 0x0000, 0x0000, 0x0001, 0x0000, +- 0x0002, 0x0000, 0x0000, 0x0000, +- 0x00e1, 0x00e1, 0x0018, 0x0000, +- 0x00e1, 0x0018, 0x0011, 0x0008, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, 0x0000, 0x0000, 0x0000, +- 0x0000, ++static const u8 ak4642_reg[AK4642_CACHEREGNUM] = { ++ 0x00, 0x00, 0x01, 0x00, ++ 0x02, 0x00, 0x00, 0x00, ++ 0xe1, 0xe1, 0x18, 0x00, ++ 0xe1, 0x18, 0x11, 0x08, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, ++ 0x00, + }; + + /* diff --git a/releases/2.6.33.20/asoc-fix-reporting-of-partial-jack-updates.patch b/releases/2.6.33.20/asoc-fix-reporting-of-partial-jack-updates.patch new file mode 100644 index 0000000..3c29937 --- /dev/null +++ b/releases/2.6.33.20/asoc-fix-reporting-of-partial-jack-updates.patch @@ -0,0 +1,33 @@ +From 747da0f80e566500421bd7760b2e050fea3fde5e Mon Sep 17 00:00:00 2001 +From: Mark Brown <broonie@opensource.wolfsonmicro.com> +Date: Sun, 4 Sep 2011 08:18:18 -0700 +Subject: ASoC: Fix reporting of partial jack updates + +From: Mark Brown <broonie@opensource.wolfsonmicro.com> + +commit 747da0f80e566500421bd7760b2e050fea3fde5e upstream. + +We need to report the entire jack state to the core jack code, not just +the bits that were being updated by the caller, otherwise the status +reported by other detection methods will be omitted from the state seen +by userspace. + +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Acked-by: Liam Girdwood <lrg@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + sound/soc/soc-jack.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/sound/soc/soc-jack.c ++++ b/sound/soc/soc-jack.c +@@ -95,7 +95,7 @@ void snd_soc_jack_report(struct snd_soc_ + + snd_soc_dapm_sync(codec); + +- snd_jack_report(jack->jack, status); ++ snd_jack_report(jack->jack, jack->status); + + out: + mutex_unlock(&codec->mutex); diff --git a/releases/2.6.33.20/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch b/releases/2.6.33.20/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch new file mode 100644 index 0000000..b838303 --- /dev/null +++ b/releases/2.6.33.20/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch @@ -0,0 +1,53 @@ +From fbe5e29ec1886967255e76946aaf537b8cc9b81e Mon Sep 17 00:00:00 2001 +From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Date: Fri, 19 Aug 2011 12:04:20 +0000 +Subject: atm: br2684: Fix oops due to skb->dev being NULL + +From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> + +commit fbe5e29ec1886967255e76946aaf537b8cc9b81e upstream. + +This oops have been already fixed with commit + + 27141666b69f535a4d63d7bc6d9e84ee5032f82a + + atm: [br2684] Fix oops due to skb->dev being NULL + + It happens that if a packet arrives in a VC between the call to open it on + the hardware and the call to change the backend to br2684, br2684_regvcc + processes the packet and oopses dereferencing skb->dev because it is + NULL before the call to br2684_push(). + +but have been introduced again with commit + + b6211ae7f2e56837c6a4849316396d1535606e90 + + atm: Use SKB queue and list helpers instead of doing it by-hand. + +Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/atm/br2684.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/atm/br2684.c ++++ b/net/atm/br2684.c +@@ -530,12 +530,13 @@ static int br2684_regvcc(struct atm_vcc + spin_unlock_irqrestore(&rq->lock, flags); + + skb_queue_walk_safe(&queue, skb, tmp) { +- struct net_device *dev = skb->dev; ++ struct net_device *dev; ++ ++ br2684_push(atmvcc, skb); ++ dev = skb->dev; + + dev->stats.rx_bytes -= skb->len; + dev->stats.rx_packets--; +- +- br2684_push(atmvcc, skb); + } + __module_get(THIS_MODULE); + return 0; diff --git a/releases/2.6.33.20/b43-fix-beacon-problem-in-ad-hoc-mode.patch b/releases/2.6.33.20/b43-fix-beacon-problem-in-ad-hoc-mode.patch new file mode 100644 index 0000000..9d28871 --- /dev/null +++ b/releases/2.6.33.20/b43-fix-beacon-problem-in-ad-hoc-mode.patch @@ -0,0 +1,33 @@ +From 8c23516fbb209ccf8f8c36268311c721faff29ee Mon Sep 17 00:00:00 2001 +From: Manual Munz <freifunk@somakoma.de> +Date: Sun, 18 Sep 2011 18:24:03 -0500 +Subject: b43: Fix beacon problem in ad-hoc mode + +From: Manual Munz <freifunk@somakoma.de> + +commit 8c23516fbb209ccf8f8c36268311c721faff29ee upstream. + +In ad-hoc mode, driver b43 does not issue beacons. + +Signed-off-by: Manual Munz <freifunk@somakoma.de> +Tested-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/wireless/b43/main.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/b43/main.c ++++ b/drivers/net/wireless/b43/main.c +@@ -1526,7 +1526,8 @@ static void handle_irq_beacon(struct b43 + u32 cmd, beacon0_valid, beacon1_valid; + + if (!b43_is_mode(wl, NL80211_IFTYPE_AP) && +- !b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT)) ++ !b43_is_mode(wl, NL80211_IFTYPE_MESH_POINT) && ++ !b43_is_mode(wl, NL80211_IFTYPE_ADHOC)) + return; + + /* This is the bottom half of the asynchronous beacon update. */ diff --git a/releases/2.6.33.20/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch b/releases/2.6.33.20/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch new file mode 100644 index 0000000..477b191 --- /dev/null +++ b/releases/2.6.33.20/bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch @@ -0,0 +1,42 @@ +From 8d03e971cf403305217b8e62db3a2e5ad2d6263f Mon Sep 17 00:00:00 2001 +From: Filip Palian <s3810@pjwstk.edu.pl> +Date: Thu, 12 May 2011 19:32:46 +0200 +Subject: Bluetooth: l2cap and rfcomm: fix 1 byte infoleak to userspace. + +From: Filip Palian <s3810@pjwstk.edu.pl> + +commit 8d03e971cf403305217b8e62db3a2e5ad2d6263f upstream. + +Structures "l2cap_conninfo" and "rfcomm_conninfo" have one padding +byte each. This byte in "cinfo" is copied to userspace uninitialized. + +Signed-off-by: Filip Palian <filip.palian@pjwstk.edu.pl> +Acked-by: Marcel Holtmann <marcel@holtmann.org> +Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/bluetooth/l2cap.c | 1 + + net/bluetooth/rfcomm/sock.c | 1 + + 2 files changed, 2 insertions(+) + +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -1892,6 +1892,7 @@ static int l2cap_sock_getsockopt_old(str + break; + } + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(sk)->conn->hcon->dev_class, 3); + +--- a/net/bluetooth/rfcomm/sock.c ++++ b/net/bluetooth/rfcomm/sock.c +@@ -879,6 +879,7 @@ static int rfcomm_sock_getsockopt_old(st + + l2cap_sk = rfcomm_pi(sk)->dlc->session->sock->sk; + ++ memset(&cinfo, 0, sizeof(cinfo)); + cinfo.hci_handle = l2cap_pi(l2cap_sk)->conn->hcon->handle; + memcpy(cinfo.dev_class, l2cap_pi(l2cap_sk)->conn->hcon->dev_class, 3); + diff --git a/releases/2.6.33.20/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch b/releases/2.6.33.20/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch new file mode 100644 index 0000000..5b730d4 --- /dev/null +++ b/releases/2.6.33.20/bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch @@ -0,0 +1,35 @@ +From 7ac28817536797fd40e9646452183606f9e17f71 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Fri, 24 Jun 2011 08:38:05 -0400 +Subject: Bluetooth: Prevent buffer overflow in l2cap config request + +From: Dan Rosenberg <drosenberg@vsecurity.com> + +commit 7ac28817536797fd40e9646452183606f9e17f71 upstream. + +A remote user can provide a small value for the command size field in +the command header of an l2cap configuration request, resulting in an +integer underflow when subtracting the size of the configuration request +header. This results in copying a very large amount of data via +memcpy() and destroying the kernel heap. Check for underflow. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Signed-off-by: Gustavo F. Padovan <padovan@profusion.mobi> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + + +--- + net/bluetooth/l2cap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/bluetooth/l2cap.c ++++ b/net/bluetooth/l2cap.c +@@ -2741,7 +2741,7 @@ static inline int l2cap_config_req(struc + + /* Reject if config buffer is too small. */ + len = cmd_len - sizeof(*req); +- if (l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { ++ if (len < 0 || l2cap_pi(sk)->conf_len + len > sizeof(l2cap_pi(sk)->conf_req)) { + l2cap_send_cmd(conn, cmd->ident, L2CAP_CONF_RSP, + l2cap_build_conf_rsp(sk, rsp, + L2CAP_CONF_REJECT, flags), rsp); diff --git a/releases/2.6.33.20/carminefb-fix-module-parameters-permissions.patch b/releases/2.6.33.20/carminefb-fix-module-parameters-permissions.patch new file mode 100644 index 0000000..eddc20e --- /dev/null +++ b/releases/2.6.33.20/carminefb-fix-module-parameters-permissions.patch @@ -0,0 +1,61 @@ +From c84c14224bbca6ec60d5851fcc87be0e34df2f44 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <jdelvare@suse.de> +Date: Fri, 8 Jul 2011 11:04:38 +0200 +Subject: carminefb: Fix module parameters permissions + +From: Jean Delvare <jdelvare@suse.de> + +commit c84c14224bbca6ec60d5851fcc87be0e34df2f44 upstream. + +The third parameter of module_param is supposed to be an octal value. +The missing leading "0" causes the following: + +$ ls -l /sys/module/carminefb/parameters/ +total 0 +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_displays +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_mode +-rw-rwxr-- 1 root root 4096 Jul 8 08:55 fb_mode_str + +After fixing the perm parameter, we get the expected: + +$ ls -l /sys/module/carminefb/parameters/ +total 0 +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_displays +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_mode +-r--r--r-- 1 root root 4096 Jul 8 08:56 fb_mode_str + +Signed-off-by: Jean Delvare <jdelvare@suse.de> +Cc: Paul Mundt <lethal@linux-sh.org> +Cc: Sebastian Siewior <bigeasy@linutronix.de> +Signed-off-by: Paul Mundt <lethal@linux-sh.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/video/carminefb.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/drivers/video/carminefb.c ++++ b/drivers/video/carminefb.c +@@ -31,11 +31,11 @@ + #define CARMINEFB_DEFAULT_VIDEO_MODE 1 + + static unsigned int fb_mode = CARMINEFB_DEFAULT_VIDEO_MODE; +-module_param(fb_mode, uint, 444); ++module_param(fb_mode, uint, 0444); + MODULE_PARM_DESC(fb_mode, "Initial video mode as integer."); + + static char *fb_mode_str; +-module_param(fb_mode_str, charp, 444); ++module_param(fb_mode_str, charp, 0444); + MODULE_PARM_DESC(fb_mode_str, "Initial video mode in characters."); + + /* +@@ -45,7 +45,7 @@ MODULE_PARM_DESC(fb_mode_str, "Initial v + * 0b010 Display 1 + */ + static int fb_displays = CARMINE_USE_DISPLAY0 | CARMINE_USE_DISPLAY1; +-module_param(fb_displays, int, 444); ++module_param(fb_displays, int, 0444); + MODULE_PARM_DESC(fb_displays, "Bit mode, which displays are used"); + + struct carmine_hw { diff --git a/releases/2.6.33.20/ccwgroup-move-attributes-to-attribute-group.patch b/releases/2.6.33.20/ccwgroup-move-attributes-to-attribute-group.patch new file mode 100644 index 0000000..7bbfbfb --- /dev/null +++ b/releases/2.6.33.20/ccwgroup-move-attributes-to-attribute-group.patch @@ -0,0 +1,125 @@ +From dbdf1afcaaabe83dea15a3cb9b9013e73ae3b1ad Mon Sep 17 00:00:00 2001 +From: Sebastian Ott <sebott@linux.vnet.ibm.com> +Date: Sun, 30 Oct 2011 15:16:52 +0100 +Subject: [S390] ccwgroup: move attributes to attribute group + +From: Sebastian Ott <sebott@linux.vnet.ibm.com> + +commit dbdf1afcaaabe83dea15a3cb9b9013e73ae3b1ad upstream. + +Put sysfs attributes of ccwgroup devices in an attribute group to +ensure that these attributes are actually present when userspace +is notified via uevents. + +Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com> +Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/s390/cio/ccwgroup.c | 42 ++++++++++++++++++++++-------------------- + 1 file changed, 22 insertions(+), 20 deletions(-) + +--- a/drivers/s390/cio/ccwgroup.c ++++ b/drivers/s390/cio/ccwgroup.c +@@ -66,6 +66,12 @@ __ccwgroup_remove_symlinks(struct ccwgro + + } + ++static ssize_t ccwgroup_online_store(struct device *dev, ++ struct device_attribute *attr, ++ const char *buf, size_t count); ++static ssize_t ccwgroup_online_show(struct device *dev, ++ struct device_attribute *attr, ++ char *buf); + /* + * Provide an 'ungroup' attribute so the user can remove group devices no + * longer needed or accidentially created. Saves memory :) +@@ -112,6 +118,20 @@ out: + } + + static DEVICE_ATTR(ungroup, 0200, NULL, ccwgroup_ungroup_store); ++static DEVICE_ATTR(online, 0644, ccwgroup_online_show, ccwgroup_online_store); ++ ++static struct attribute *ccwgroup_attrs[] = { ++ &dev_attr_online.attr, ++ &dev_attr_ungroup.attr, ++ NULL, ++}; ++static struct attribute_group ccwgroup_attr_group = { ++ .attrs = ccwgroup_attrs, ++}; ++static const struct attribute_group *ccwgroup_attr_groups[] = { ++ &ccwgroup_attr_group, ++ NULL, ++}; + + static void + ccwgroup_release (struct device *dev) +@@ -280,25 +300,17 @@ int ccwgroup_create_from_string(struct d + } + + dev_set_name(&gdev->dev, "%s", dev_name(&gdev->cdev[0]->dev)); +- ++ gdev->dev.groups = ccwgroup_attr_groups; + rc = device_add(&gdev->dev); + if (rc) + goto error; + get_device(&gdev->dev); +- rc = device_create_file(&gdev->dev, &dev_attr_ungroup); +- +- if (rc) { +- device_unregister(&gdev->dev); +- goto error; +- } +- + rc = __ccwgroup_create_symlinks(gdev); + if (!rc) { + mutex_unlock(&gdev->reg_mutex); + put_device(&gdev->dev); + return 0; + } +- device_remove_file(&gdev->dev, &dev_attr_ungroup); + device_unregister(&gdev->dev); + error: + for (i = 0; i < num_devices; i++) +@@ -408,7 +420,7 @@ ccwgroup_online_store (struct device *de + int ret; + + if (!dev->driver) +- return -ENODEV; ++ return -EINVAL; + + gdev = to_ccwgroupdev(dev); + gdrv = to_ccwgroupdrv(dev->driver); +@@ -441,8 +453,6 @@ ccwgroup_online_show (struct device *dev + return sprintf(buf, online ? "1\n" : "0\n"); + } + +-static DEVICE_ATTR(online, 0644, ccwgroup_online_show, ccwgroup_online_store); +- + static int + ccwgroup_probe (struct device *dev) + { +@@ -454,12 +464,7 @@ ccwgroup_probe (struct device *dev) + gdev = to_ccwgroupdev(dev); + gdrv = to_ccwgroupdrv(dev->driver); + +- if ((ret = device_create_file(dev, &dev_attr_online))) +- return ret; +- + ret = gdrv->probe ? gdrv->probe(gdev) : -ENODEV; +- if (ret) +- device_remove_file(dev, &dev_attr_online); + + return ret; + } +@@ -470,9 +475,6 @@ ccwgroup_remove (struct device *dev) + struct ccwgroup_device *gdev; + struct ccwgroup_driver *gdrv; + +- device_remove_file(dev, &dev_attr_online); +- device_remove_file(dev, &dev_attr_ungroup); +- + if (!dev->driver) + return 0; + diff --git a/releases/2.6.33.20/cfg80211-fix-validation-of-akm-suites.patch b/releases/2.6.33.20/cfg80211-fix-validation-of-akm-suites.patch new file mode 100644 index 0000000..7f82ce6 --- /dev/null +++ b/releases/2.6.33.20/cfg80211-fix-validation-of-akm-suites.patch @@ -0,0 +1,43 @@ +From 1b9ca0272ffae212e726380f66777b30a56ed7a5 Mon Sep 17 00:00:00 2001 +From: Jouni Malinen <jouni@qca.qualcomm.com> +Date: Wed, 21 Sep 2011 16:13:07 +0300 +Subject: cfg80211: Fix validation of AKM suites + +From: Jouni Malinen <jouni@qca.qualcomm.com> + +commit 1b9ca0272ffae212e726380f66777b30a56ed7a5 upstream. + +Incorrect variable was used in validating the akm_suites array from +NL80211_ATTR_AKM_SUITES. In addition, there was no explicit +validation of the array length (we only have room for +NL80211_MAX_NR_AKM_SUITES). + +This can result in a buffer write overflow for stack variables with +arbitrary data from user space. The nl80211 commands using the affected +functionality require GENL_ADMIN_PERM, so this is only exposed to admin +users. + +Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/wireless/nl80211.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3539,9 +3539,12 @@ static int nl80211_crypto_settings(struc + if (len % sizeof(u32)) + return -EINVAL; + ++ if (settings->n_akm_suites > NL80211_MAX_NR_AKM_SUITES) ++ return -EINVAL; ++ + memcpy(settings->akm_suites, data, len); + +- for (i = 0; i < settings->n_ciphers_pairwise; i++) ++ for (i = 0; i < settings->n_akm_suites; i++) + if (!nl80211_valid_akm_suite(settings->akm_suites[i])) + return -EINVAL; + } diff --git a/releases/2.6.33.20/cifs-fix-possible-memory-corruption-in-cifsfindnext.patch b/releases/2.6.33.20/cifs-fix-possible-memory-corruption-in-cifsfindnext.patch new file mode 100644 index 0000000..21abc31 --- /dev/null +++ b/releases/2.6.33.20/cifs-fix-possible-memory-corruption-in-cifsfindnext.patch @@ -0,0 +1,43 @@ +From 9438fabb73eb48055b58b89fc51e0bc4db22fabd Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Tue, 23 Aug 2011 07:21:28 -0400 +Subject: cifs: fix possible memory corruption in CIFSFindNext + +From: Jeff Layton <jlayton@redhat.com> + +commit 9438fabb73eb48055b58b89fc51e0bc4db22fabd upstream. + +The name_len variable in CIFSFindNext is a signed int that gets set to +the resume_name_len in the cifs_search_info. The resume_name_len however +is unsigned and for some infolevels is populated directly from a 32 bit +value sent by the server. + +If the server sends a very large value for this, then that value could +look negative when converted to a signed int. That would make that +value pass the PATH_MAX check later in CIFSFindNext. The name_len would +then be used as a length value for a memcpy. It would then be treated +as unsigned again, and the memcpy scribbles over a ton of memory. + +Fix this by making the name_len an unsigned value in CIFSFindNext. + +Reported-by: Darren Lavender <dcl@hppine99.gbr.hp.com> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/cifs/cifssmb.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/cifs/cifssmb.c ++++ b/fs/cifs/cifssmb.c +@@ -3596,7 +3596,8 @@ int CIFSFindNext(const int xid, struct c + T2_FNEXT_RSP_PARMS *parms; + char *response_data; + int rc = 0; +- int bytes_returned, name_len; ++ int bytes_returned; ++ unsigned int name_len; + __u16 params, byte_count; + + cFYI(1, ("In FindNext")); diff --git a/releases/2.6.33.20/cnic-improve-netdev_up-event-handling.patch b/releases/2.6.33.20/cnic-improve-netdev_up-event-handling.patch new file mode 100644 index 0000000..f61797e --- /dev/null +++ b/releases/2.6.33.20/cnic-improve-netdev_up-event-handling.patch @@ -0,0 +1,44 @@ +From db1d350fcb156b58f66a67680617077bcacfe6fc Mon Sep 17 00:00:00 2001 +From: Michael Chan <mchan@broadcom.com> +Date: Wed, 8 Jun 2011 19:29:35 +0000 +Subject: cnic: Improve NETDEV_UP event handling + +From: Michael Chan <mchan@broadcom.com> + +commit db1d350fcb156b58f66a67680617077bcacfe6fc upstream. + +During NETDEV_UP, we use symbol_get() to get the net driver's cnic +probe function. This sometimes doesn't work if NETDEV_UP happens +right after NETDEV_REGISTER and the net driver is still running module +init code. As a result, the cnic device may not be discovered. We +fix this by probing on all NETDEV events if the device's netif_running +state is up. + +Signed-off-by: Michael Chan <mchan@broadcom.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/cnic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/cnic.c ++++ b/drivers/net/cnic.c +@@ -4520,7 +4520,7 @@ static int cnic_netdev_event(struct noti + + dev = cnic_from_netdev(netdev); + +- if (!dev && (event == NETDEV_REGISTER || event == NETDEV_UP)) { ++ if (!dev && (event == NETDEV_REGISTER || netif_running(netdev))) { + /* Check for the hot-plug device */ + dev = is_cnic_dev(netdev); + if (dev) { +@@ -4536,7 +4536,7 @@ static int cnic_netdev_event(struct noti + else if (event == NETDEV_UNREGISTER) + cnic_ulp_exit(dev); + +- if (event == NETDEV_UP) { ++ if (event == NETDEV_UP || (new_dev && netif_running(netdev))) { + if (cnic_register_netdev(dev) != 0) { + cnic_put(dev); + goto done; diff --git a/releases/2.6.33.20/drivers-net-rionet.c-fix-ethernet-address-macros-for-le-platforms.patch b/releases/2.6.33.20/drivers-net-rionet.c-fix-ethernet-address-macros-for-le-platforms.patch new file mode 100644 index 0000000..20a8b9f --- /dev/null +++ b/releases/2.6.33.20/drivers-net-rionet.c-fix-ethernet-address-macros-for-le-platforms.patch @@ -0,0 +1,37 @@ +From e0c87bd95e8dad455c23bc56513af8dcb1737e55 Mon Sep 17 00:00:00 2001 +From: Alexandre Bounine <alexandre.bounine@idt.com> +Date: Wed, 2 Nov 2011 13:39:15 -0700 +Subject: drivers/net/rionet.c: fix ethernet address macros for LE platforms + +From: Alexandre Bounine <alexandre.bounine@idt.com> + +commit e0c87bd95e8dad455c23bc56513af8dcb1737e55 upstream. + +Modify Ethernet addess macros to be compatible with BE/LE platforms + +Signed-off-by: Alexandre Bounine <alexandre.bounine@idt.com> +Cc: Chul Kim <chul.kim@idt.com> +Cc: Kumar Gala <galak@kernel.crashing.org> +Cc: Matt Porter <mporter@kernel.crashing.org> +Cc: Li Yang <leoli@freescale.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/rionet.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/drivers/net/rionet.c ++++ b/drivers/net/rionet.c +@@ -87,8 +87,8 @@ static struct rio_dev **rionet_active; + #define dev_rionet_capable(dev) \ + is_rionet_capable(dev->pef, dev->src_ops, dev->dst_ops) + +-#define RIONET_MAC_MATCH(x) (*(u32 *)x == 0x00010001) +-#define RIONET_GET_DESTID(x) (*(u16 *)(x + 4)) ++#define RIONET_MAC_MATCH(x) (!memcmp((x), "\00\01\00\01", 4)) ++#define RIONET_GET_DESTID(x) ((*((u8 *)x + 4) << 8) | *((u8 *)x + 5)) + + static int rionet_rx_clean(struct net_device *ndev) + { diff --git a/releases/2.6.33.20/e1000-fix-driver-to-be-used-on-pa-risc-c8000-workstations.patch b/releases/2.6.33.20/e1000-fix-driver-to-be-used-on-pa-risc-c8000-workstations.patch new file mode 100644 index 0000000..5edd70f --- /dev/null +++ b/releases/2.6.33.20/e1000-fix-driver-to-be-used-on-pa-risc-c8000-workstations.patch @@ -0,0 +1,47 @@ +From e2faeec2de9e2c73958e6ea6065dde1e8cd6f3a2 Mon Sep 17 00:00:00 2001 +From: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Date: Tue, 30 Aug 2011 20:58:56 -0400 +Subject: e1000: Fix driver to be used on PA RISC C8000 workstations + +From: Jeff Kirsher <jeffrey.t.kirsher@intel.com> + +commit e2faeec2de9e2c73958e6ea6065dde1e8cd6f3a2 upstream. + +The checksum field in the EEPROM on HPPA is really not a +checksum but a signature (0x16d6). So allow 0x16d6 as the +matching checksum on HPPA systems. + +This issue is present on longterm/stable kernels, I have +verified that this patch is applicable back to at least +2.6.32.y kernels. + +v2- changed ifdef to use CONFIG_PARISC instead of __hppa__ + +CC: Guy Martin <gmsoft@tuxicoman.be> +CC: Rolf Eike Beer <eike-kernel@sf-tec.de> +CC: Matt Turner <mattst88@gmail.com> +Reported-by: Mikulas Patocka <mikulas@artax.kerlin.mff.cuni.cz> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Acked-by: Jesse Brandeburg <jesse.brandeburg@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/e1000/e1000_hw.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +--- a/drivers/net/e1000/e1000_hw.c ++++ b/drivers/net/e1000/e1000_hw.c +@@ -3842,6 +3842,12 @@ s32 e1000_validate_eeprom_checksum(struc + checksum += eeprom_data; + } + ++#ifdef CONFIG_PARISC ++ /* This is a signature and not a checksum on HP c8000 */ ++ if ((hw->subsystem_vendor_id == 0x103C) && (eeprom_data == 0x16d6)) ++ return E1000_SUCCESS; ++ ++#endif + if (checksum == (u16) EEPROM_SUM) + return E1000_SUCCESS; + else { diff --git a/releases/2.6.33.20/epoll-fix-spurious-lockdep-warnings.patch b/releases/2.6.33.20/epoll-fix-spurious-lockdep-warnings.patch new file mode 100644 index 0000000..a6f4204 --- /dev/null +++ b/releases/2.6.33.20/epoll-fix-spurious-lockdep-warnings.patch @@ -0,0 +1,137 @@ +From d8805e633e054c816c47cb6e727c81f156d9253d Mon Sep 17 00:00:00 2001 +From: Nelson Elhage <nelhage@nelhage.com> +Date: Mon, 31 Oct 2011 17:13:14 -0700 +Subject: epoll: fix spurious lockdep warnings + +From: Nelson Elhage <nelhage@nelhage.com> + +commit d8805e633e054c816c47cb6e727c81f156d9253d upstream. + +epoll can acquire recursively acquire ep->mtx on multiple "struct +eventpoll"s at once in the case where one epoll fd is monitoring another +epoll fd. This is perfectly OK, since we're careful about the lock +ordering, but it causes spurious lockdep warnings. Annotate the recursion +using mutex_lock_nested, and add a comment explaining the nesting rules +for good measure. + +Recent versions of systemd are triggering this, and it can also be +demonstrated with the following trivial test program: + +--------------------8<-------------------- + +int main(void) { + int e1, e2; + struct epoll_event evt = { + .events = EPOLLIN + }; + + e1 = epoll_create1(0); + e2 = epoll_create1(0); + epoll_ctl(e1, EPOLL_CTL_ADD, e2, &evt); + return 0; +} +--------------------8<-------------------- + +Reported-by: Paul Bolle <pebolle@tiscali.nl> +Tested-by: Paul Bolle <pebolle@tiscali.nl> +Signed-off-by: Nelson Elhage <nelhage@nelhage.com> +Acked-by: Jason Baron <jbaron@redhat.com> +Cc: Dave Jones <davej@redhat.com> +Cc: Davide Libenzi <davidel@xmailserver.org> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/eventpoll.c | 25 ++++++++++++++++++------- + 1 file changed, 18 insertions(+), 7 deletions(-) + +--- a/fs/eventpoll.c ++++ b/fs/eventpoll.c +@@ -70,6 +70,15 @@ + * simultaneous inserts (A into B and B into A) from racing and + * constructing a cycle without either insert observing that it is + * going to. ++ * It is necessary to acquire multiple "ep->mtx"es at once in the ++ * case when one epoll fd is added to another. In this case, we ++ * always acquire the locks in the order of nesting (i.e. after ++ * epoll_ctl(e1, EPOLL_CTL_ADD, e2), e1->mtx will always be acquired ++ * before e2->mtx). Since we disallow cycles of epoll file ++ * descriptors, this ensures that the mutexes are well-ordered. In ++ * order to communicate this nesting to lockdep, when walking a tree ++ * of epoll file descriptors, we use the current recursion depth as ++ * the lockdep subkey. + * It is possible to drop the "ep->mtx" and to use the global + * mutex "epmutex" (together with "ep->lock") to have it working, + * but having "ep->mtx" will make the interface more scalable. +@@ -452,13 +461,15 @@ static void ep_unregister_pollwait(struc + * @ep: Pointer to the epoll private data structure. + * @sproc: Pointer to the scan callback. + * @priv: Private opaque data passed to the @sproc callback. ++ * @depth: The current depth of recursive f_op->poll calls. + * + * Returns: The same integer error code returned by the @sproc callback. + */ + static int ep_scan_ready_list(struct eventpoll *ep, + int (*sproc)(struct eventpoll *, + struct list_head *, void *), +- void *priv) ++ void *priv, ++ int depth) + { + int error, pwake = 0; + unsigned long flags; +@@ -469,7 +480,7 @@ static int ep_scan_ready_list(struct eve + * We need to lock this because we could be hit by + * eventpoll_release_file() and epoll_ctl(). + */ +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, depth); + + /* + * Steal the ready list, and re-init the original one to the +@@ -658,7 +669,7 @@ static int ep_read_events_proc(struct ev + + static int ep_poll_readyevents_proc(void *priv, void *cookie, int call_nests) + { +- return ep_scan_ready_list(priv, ep_read_events_proc, NULL); ++ return ep_scan_ready_list(priv, ep_read_events_proc, NULL, call_nests + 1); + } + + static unsigned int ep_eventpoll_poll(struct file *file, poll_table *wait) +@@ -724,7 +735,7 @@ void eventpoll_release_file(struct file + + ep = epi->ep; + list_del_init(&epi->fllink); +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, 0); + ep_remove(ep, epi); + mutex_unlock(&ep->mtx); + } +@@ -1120,7 +1131,7 @@ static int ep_send_events(struct eventpo + esed.maxevents = maxevents; + esed.events = events; + +- return ep_scan_ready_list(ep, ep_send_events_proc, &esed); ++ return ep_scan_ready_list(ep, ep_send_events_proc, &esed, 0); + } + + static int ep_poll(struct eventpoll *ep, struct epoll_event __user *events, +@@ -1215,7 +1226,7 @@ static int ep_loop_check_proc(void *priv + struct rb_node *rbp; + struct epitem *epi; + +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, call_nests + 1); + for (rbp = rb_first(&ep->rbr); rbp; rbp = rb_next(rbp)) { + epi = rb_entry(rbp, struct epitem, rbn); + if (unlikely(is_file_epoll(epi->ffd.file))) { +@@ -1357,7 +1368,7 @@ SYSCALL_DEFINE4(epoll_ctl, int, epfd, in + } + + +- mutex_lock(&ep->mtx); ++ mutex_lock_nested(&ep->mtx, 0); + + /* + * Try to lookup the file inside our RB tree, Since we grabbed "mtx" diff --git a/releases/2.6.33.20/ext2-ext3-ext4-don-t-inherit-append_fl-or-immutable_fl-for-new-inodes.patch b/releases/2.6.33.20/ext2-ext3-ext4-don-t-inherit-append_fl-or-immutable_fl-for-new-inodes.patch new file mode 100644 index 0000000..b12ac2c --- /dev/null +++ b/releases/2.6.33.20/ext2-ext3-ext4-don-t-inherit-append_fl-or-immutable_fl-for-new-inodes.patch @@ -0,0 +1,62 @@ +From 1cd9f0976aa4606db8d6e3dc3edd0aca8019372a Mon Sep 17 00:00:00 2001 +From: Theodore Ts'o <tytso@mit.edu> +Date: Wed, 31 Aug 2011 11:54:51 -0400 +Subject: ext2,ext3,ext4: don't inherit APPEND_FL or IMMUTABLE_FL for new inodes + +From: Theodore Ts'o <tytso@mit.edu> + +commit 1cd9f0976aa4606db8d6e3dc3edd0aca8019372a upstream. + +This doesn't make much sense, and it exposes a bug in the kernel where +attempts to create a new file in an append-only directory using +O_CREAT will fail (but still leave a zero-length file). This was +discovered when xfstests #79 was generalized so it could run on all +file systems. + +Signed-off-by: "Theodore Ts'o" <tytso@mit.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/ext4/ext4.h | 3 +-- + include/linux/ext2_fs.h | 4 ++-- + include/linux/ext3_fs.h | 4 ++-- + 3 files changed, 5 insertions(+), 6 deletions(-) + +--- a/fs/ext4/ext4.h ++++ b/fs/ext4/ext4.h +@@ -291,8 +291,7 @@ struct flex_groups { + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT4_FL_INHERITED (EXT4_SECRM_FL | EXT4_UNRM_FL | EXT4_COMPR_FL |\ +- EXT4_SYNC_FL | EXT4_IMMUTABLE_FL | EXT4_APPEND_FL |\ +- EXT4_NODUMP_FL | EXT4_NOATIME_FL |\ ++ EXT4_SYNC_FL | EXT4_NODUMP_FL | EXT4_NOATIME_FL |\ + EXT4_NOCOMPR_FL | EXT4_JOURNAL_DATA_FL |\ + EXT4_NOTAIL_FL | EXT4_DIRSYNC_FL) + +--- a/include/linux/ext2_fs.h ++++ b/include/linux/ext2_fs.h +@@ -196,8 +196,8 @@ struct ext2_group_desc + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT2_FL_INHERITED (EXT2_SECRM_FL | EXT2_UNRM_FL | EXT2_COMPR_FL |\ +- EXT2_SYNC_FL | EXT2_IMMUTABLE_FL | EXT2_APPEND_FL |\ +- EXT2_NODUMP_FL | EXT2_NOATIME_FL | EXT2_COMPRBLK_FL|\ ++ EXT2_SYNC_FL | EXT2_NODUMP_FL |\ ++ EXT2_NOATIME_FL | EXT2_COMPRBLK_FL |\ + EXT2_NOCOMP_FL | EXT2_JOURNAL_DATA_FL |\ + EXT2_NOTAIL_FL | EXT2_DIRSYNC_FL) + +--- a/include/linux/ext3_fs.h ++++ b/include/linux/ext3_fs.h +@@ -180,8 +180,8 @@ struct ext3_group_desc + + /* Flags that should be inherited by new inodes from their parent. */ + #define EXT3_FL_INHERITED (EXT3_SECRM_FL | EXT3_UNRM_FL | EXT3_COMPR_FL |\ +- EXT3_SYNC_FL | EXT3_IMMUTABLE_FL | EXT3_APPEND_FL |\ +- EXT3_NODUMP_FL | EXT3_NOATIME_FL | EXT3_COMPRBLK_FL|\ ++ EXT3_SYNC_FL | EXT3_NODUMP_FL |\ ++ EXT3_NOATIME_FL | EXT3_COMPRBLK_FL |\ + EXT3_NOCOMPR_FL | EXT3_JOURNAL_DATA_FL |\ + EXT3_NOTAIL_FL | EXT3_DIRSYNC_FL) + diff --git a/releases/2.6.33.20/ext4-fix-bug_on-in-ext4_ext_insert_extent.patch b/releases/2.6.33.20/ext4-fix-bug_on-in-ext4_ext_insert_extent.patch new file mode 100644 index 0000000..0e615d9 --- /dev/null +++ b/releases/2.6.33.20/ext4-fix-bug_on-in-ext4_ext_insert_extent.patch @@ -0,0 +1,61 @@ +From gnehzuil.liu@gmail.com Thu Nov 3 10:42:14 2011 +From: Zheng Liu <gnehzuil.liu@gmail.com> +Date: Fri, 28 Oct 2011 20:34:02 +0800 +Subject: ext4: fix BUG_ON() in ext4_ext_insert_extent() +To: Greg KH <greg@kroah.com> +Cc: Ted Ts'o <tytso@mit.edu>, Tao Ma <tm@tao.ma>, linux-ext4@vger.kernel.org, Xiaoyun Mao <xiaoyun.maoxy@aliyun-inc.com>, Yingbin Wang <yingbin.wangyb@aliyun-inc.com>, Jia Wan <jia.wanj@aliyun-inc.com> +Message-ID: <20111028123402.GA26003@gmail.com> + + +From: Zheng Liu <wenqing.lz@taobao.com> + +Does not corrispond with a direct commit in Linus's tree as it was fixed +differently in the 3.0 release. + + +We will meet with a BUG_ON() if following script is run. + +mkfs.ext4 -b 4096 /dev/sdb1 1000000 +mount -t ext4 /dev/sdb1 /mnt/sdb1 +fallocate -l 100M /mnt/sdb1/test +sync +for((i=0;i<170;i++)) +do + dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1 +seek=`expr $i \* 2` +done +umount /mnt/sdb1 +mount -t ext4 /dev/sdb1 /mnt/sdb1 +dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1 seek=341 +umount /mnt/sdb1 +mount /dev/sdb1 /mnt/sdb1 +dd if=/dev/zero of=/mnt/sdb1/test conv=notrunc bs=256k count=1 seek=340 +sync + +The reason is that it forgot to mark dirty when splitting two extents in +ext4_ext_convert_to_initialized(). Althrough ex has been updated in +memory, it is not dirtied both in ext4_ext_convert_to_initialized() and +ext4_ext_insert_extent(). The disk layout is corrupted. Then it will +meet with a BUG_ON() when writting at the start of that extent again. + +Cc: "Theodore Ts'o" <tytso@mit.edu> +Cc: Xiaoyun Mao <xiaoyun.maoxy@aliyun-inc.com> +Cc: Yingbin Wang <yingbin.wangyb@aliyun-inc.com> +Cc: Jia Wan <jia.wanj@aliyun-inc.com> +Signed-off-by: Zheng Liu <wenqing.lz@taobao.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/ext4/extents.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/fs/ext4/extents.c ++++ b/fs/ext4/extents.c +@@ -2566,6 +2566,7 @@ static int ext4_ext_convert_to_initializ + ex1 = ex; + ex1->ee_len = cpu_to_le16(iblock - ee_block); + ext4_ext_mark_uninitialized(ex1); ++ ext4_ext_dirty(handle, inode, path + depth); + ex2 = &newex; + } + /* diff --git a/releases/2.6.33.20/fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch b/releases/2.6.33.20/fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch new file mode 100644 index 0000000..c483b3b --- /dev/null +++ b/releases/2.6.33.20/fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch @@ -0,0 +1,62 @@ +From 1ff9918b625457ce20d450d00f9ed0a12ba191b7 Mon Sep 17 00:00:00 2001 +From: Kiran Patil <kiran.patil@intel.com> +Date: Mon, 20 Jun 2011 16:59:15 -0700 +Subject: [SCSI] fcoe: Unable to select the exchangeID from offload pool for storage targets + +From: Kiran Patil <kiran.patil@intel.com> + +commit 1ff9918b625457ce20d450d00f9ed0a12ba191b7 upstream. + +Problem: When initiator sends write command to target, target tries to +assign new sequence. It allocates new exchangeID (RX_ID) +always from non-offloaded pool (Non-offload EMA) + +Fix: Enhanced fcoe_oem_match routine to look at F_CTL flags and if it +is exchange responder and command type is WRITEDATA, then function +returns TRUE instead of FALSE. This function is used to determine +which pool to use (offload pool of exchange is used only if this +function returns TRUE). + +Technical Notes: N/A + +Signed-off-by: Kiran Patil <kiran.patil@intel.com> +Signed-off-by: Robert Love <robert.w.love@intel.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/fcoe/fcoe.c | 19 +++++++++++++++++-- + 1 file changed, 17 insertions(+), 2 deletions(-) + +--- a/drivers/scsi/fcoe/fcoe.c ++++ b/drivers/scsi/fcoe/fcoe.c +@@ -704,12 +704,27 @@ static int fcoe_shost_config(struct fc_l + * The offload EM that this routine is associated with will handle any + * packets that are for SCSI read requests. + * ++ * This has been enhanced to work when FCoE stack is operating in target ++ * mode. ++ * + * Returns: True for read types I/O, otherwise returns false. + */ + bool fcoe_oem_match(struct fc_frame *fp) + { +- return fc_fcp_is_read(fr_fsp(fp)) && +- (fr_fsp(fp)->data_len > fcoe_ddp_min); ++ struct fc_frame_header *fh = fc_frame_header_get(fp); ++ struct fcp_cmnd *fcp; ++ ++ if (fc_fcp_is_read(fr_fsp(fp)) && ++ (fr_fsp(fp)->data_len > fcoe_ddp_min)) ++ return true; ++ else if (!(ntoh24(fh->fh_f_ctl) & FC_FC_EX_CTX)) { ++ fcp = fc_frame_payload_get(fp, sizeof(*fcp)); ++ if (ntohs(fh->fh_rx_id) == FC_XID_UNKNOWN && ++ fcp && (ntohl(fcp->fc_dl) > fcoe_ddp_min) && ++ (fcp->fc_flags & FCP_CFL_WRDATA)) ++ return true; ++ } ++ return false; + } + + /** diff --git a/releases/2.6.33.20/fs-9p-fid-is-not-valid-after-a-failed-clunk.patch b/releases/2.6.33.20/fs-9p-fid-is-not-valid-after-a-failed-clunk.patch new file mode 100644 index 0000000..bb63d66 --- /dev/null +++ b/releases/2.6.33.20/fs-9p-fid-is-not-valid-after-a-failed-clunk.patch @@ -0,0 +1,35 @@ +From 5034990e28efb2d232ee82443a9edd62defd17ba Mon Sep 17 00:00:00 2001 +From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> +Date: Mon, 11 Jul 2011 16:40:58 +0000 +Subject: fs/9p: Fid is not valid after a failed clunk. + +From: "Aneesh Kumar K.V" <aneesh.kumar@linux.vnet.ibm.com> + +commit 5034990e28efb2d232ee82443a9edd62defd17ba upstream. + +free the fid even in case of failed clunk. + +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/9p/client.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -1038,9 +1038,11 @@ int p9_client_clunk(struct p9_fid *fid) + P9_DPRINTK(P9_DEBUG_9P, "<<< RCLUNK fid %d\n", fid->fid); + + p9_free_req(clnt, req); +- p9_fid_destroy(fid); +- + error: ++ /* ++ * Fid is not valid even after a failed clunk ++ */ ++ p9_fid_destroy(fid); + return err; + } + EXPORT_SYMBOL(p9_client_clunk); diff --git a/releases/2.6.33.20/fs-9p-fix-invalid-mount-options-args.patch b/releases/2.6.33.20/fs-9p-fix-invalid-mount-options-args.patch new file mode 100644 index 0000000..999566a --- /dev/null +++ b/releases/2.6.33.20/fs-9p-fix-invalid-mount-options-args.patch @@ -0,0 +1,99 @@ +From a2dd43bb0d7b9ce28f8a39254c25840c0730498e Mon Sep 17 00:00:00 2001 +From: Prem Karat <prem.karat@linux.vnet.ibm.com> +Date: Fri, 6 May 2011 18:24:18 +0530 +Subject: fs/9p: Fix invalid mount options/args + +From: Prem Karat <prem.karat@linux.vnet.ibm.com> + +commit a2dd43bb0d7b9ce28f8a39254c25840c0730498e upstream. + +Without this fix, if any invalid mount options/args are passed while mouting +the 9p fs, no error (-EINVAL) is returned and default arg value is assigned. + +This fix returns -EINVAL when an invalid arguement is found while parsing +mount options. + +Signed-off-by: Prem Karat <prem.karat@linux.vnet.ibm.com> +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/9p/v9fs.c | 43 ++++++++++++++++++++++++++++++++++--------- + 1 file changed, 34 insertions(+), 9 deletions(-) + +--- a/fs/9p/v9fs.c ++++ b/fs/9p/v9fs.c +@@ -75,6 +75,25 @@ static const match_table_t tokens = { + {Opt_err, NULL} + }; + ++/* Interpret mount options for cache mode */ ++static int get_cache_mode(char *s) ++{ ++ int version = -EINVAL; ++ ++ if (!strcmp(s, "loose")) { ++ version = CACHE_LOOSE; ++ P9_DPRINTK(P9_DEBUG_9P, "Cache mode: loose\n"); ++ } else if (!strcmp(s, "fscache")) { ++ version = CACHE_FSCACHE; ++ P9_DPRINTK(P9_DEBUG_9P, "Cache mode: fscache\n"); ++ } else if (!strcmp(s, "none")) { ++ version = CACHE_NONE; ++ P9_DPRINTK(P9_DEBUG_9P, "Cache mode: none\n"); ++ } else ++ printk(KERN_INFO "9p: Unknown Cache mode %s.\n", s); ++ return version; ++} ++ + /** + * v9fs_parse_options - parse mount options into session structure + * @v9ses: existing v9fs session information +@@ -94,7 +113,7 @@ static int v9fs_parse_options(struct v9f + /* setup defaults */ + v9ses->afid = ~0; + v9ses->debug = 0; +- v9ses->cache = 0; ++ v9ses->cache = CACHE_NONE; + #ifdef CONFIG_9P_FSCACHE + v9ses->cachetag = NULL; + #endif +@@ -168,13 +187,13 @@ static int v9fs_parse_options(struct v9f + "problem allocating copy of cache arg\n"); + goto free_and_return; + } ++ ret = get_cache_mode(s); ++ if (ret == -EINVAL) { ++ kfree(s); ++ goto free_and_return; ++ } + +- if (strcmp(s, "loose") == 0) +- v9ses->cache = CACHE_LOOSE; +- else if (strcmp(s, "fscache") == 0) +- v9ses->cache = CACHE_FSCACHE; +- else +- v9ses->cache = CACHE_NONE; ++ v9ses->cache = ret; + kfree(s); + break; + +@@ -195,9 +214,15 @@ static int v9fs_parse_options(struct v9f + else { + v9ses->flags |= V9FS_ACCESS_SINGLE; + v9ses->uid = simple_strtoul(s, &e, 10); +- if (*e != '\0') +- v9ses->uid = ~0; ++ if (*e != '\0') { ++ ret = -EINVAL; ++ printk(KERN_INFO "9p: Unknown access " ++ "argument %s.\n", s); ++ kfree(s); ++ goto free_and_return; ++ } + } ++ + kfree(s); + break; + diff --git a/releases/2.6.33.20/gro-fix-different-skb-headrooms.patch b/releases/2.6.33.20/gro-fix-different-skb-headrooms.patch new file mode 100644 index 0000000..f7b0edf --- /dev/null +++ b/releases/2.6.33.20/gro-fix-different-skb-headrooms.patch @@ -0,0 +1,69 @@ +From 3d3be4333fdf6faa080947b331a6a19bce1a4f57 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Wed, 1 Sep 2010 00:50:51 +0000 +Subject: gro: fix different skb headrooms + +From: Eric Dumazet <eric.dumazet@gmail.com> + +commit 3d3be4333fdf6faa080947b331a6a19bce1a4f57 upstream. + +Packets entering GRO might have different headrooms, even for a given +flow (because of implementation details in drivers, like copybreak). +We cant force drivers to deliver packets with a fixed headroom. + +1) fix skb_segment() + +skb_segment() makes the false assumption headrooms of fragments are same +than the head. When CHECKSUM_PARTIAL is used, this can give csum_start +errors, and crash later in skb_copy_and_csum_dev() + +2) allocate a minimal skb for head of frag_list + +skb_gro_receive() uses netdev_alloc_skb(headroom + skb_gro_offset(p)) to +allocate a fresh skb. This adds NET_SKB_PAD to a padding already +provided by netdevice, depending on various things, like copybreak. + +Use alloc_skb() to allocate an exact padding, to reduce cache line +needs: +NET_SKB_PAD + NET_IP_ALIGN + +bugzilla : https://bugzilla.kernel.org/show_bug.cgi?id=16626 + +Many thanks to Plamen Petrov, testing many debugging patches ! +With help of Jarek Poplawski. + +Reported-by: Plamen Petrov <pvp-lsts@fs.uni-ruse.bg> +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +CC: Jarek Poplawski <jarkao2@gmail.com> +Cc: Ben Hutchings <bhutchings@solarflare.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/core/skbuff.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2578,6 +2578,10 @@ struct sk_buff *skb_segment(struct sk_bu + __copy_skb_header(nskb, skb); + nskb->mac_len = skb->mac_len; + ++ /* nskb and skb might have different headroom */ ++ if (nskb->ip_summed == CHECKSUM_PARTIAL) ++ nskb->csum_start += skb_headroom(nskb) - headroom; ++ + skb_reset_mac_header(nskb); + skb_set_network_header(nskb, skb->mac_len); + nskb->transport_header = (nskb->network_header + +@@ -2707,8 +2711,8 @@ int skb_gro_receive(struct sk_buff **hea + } else if (skb_gro_len(p) != pinfo->gso_size) + return -E2BIG; + +- headroom = skb_headroom(p); +- nskb = netdev_alloc_skb(p->dev, headroom + skb_gro_offset(p)); ++ headroom = NET_SKB_PAD + NET_IP_ALIGN; ++ nskb = alloc_skb(headroom + skb_gro_offset(p), GFP_ATOMIC); + if (unlikely(!nskb)) + return -ENOMEM; + diff --git a/releases/2.6.33.20/gro-fix-merging-a-paged-skb-after-non-paged-skbs.patch b/releases/2.6.33.20/gro-fix-merging-a-paged-skb-after-non-paged-skbs.patch new file mode 100644 index 0000000..a14fb61 --- /dev/null +++ b/releases/2.6.33.20/gro-fix-merging-a-paged-skb-after-non-paged-skbs.patch @@ -0,0 +1,64 @@ +From d1dc7abf2fafa34b0ffcd070fd59405aa9c0a4d8 Mon Sep 17 00:00:00 2001 +From: Michal Schmidt <mschmidt@redhat.com> +Date: Mon, 24 Jan 2011 12:08:48 +0000 +Subject: GRO: fix merging a paged skb after non-paged skbs + +From: Michal Schmidt <mschmidt@redhat.com> + +commit d1dc7abf2fafa34b0ffcd070fd59405aa9c0a4d8 upstream. + +Suppose that several linear skbs of the same flow were received by GRO. They +were thus merged into one skb with a frag_list. Then a new skb of the same flow +arrives, but it is a paged skb with data starting in its frags[]. + +Before adding the skb to the frag_list skb_gro_receive() will of course adjust +the skb to throw away the headers. It correctly modifies the page_offset and +size of the frag, but it leaves incorrect information in the skb: + ->data_len is not decreased at all. + ->len is decreased only by headlen, as if no change were done to the frag. +Later in a receiving process this causes skb_copy_datagram_iovec() to return +-EFAULT and this is seen in userspace as the result of the recv() syscall. + +In practice the bug can be reproduced with the sfc driver. By default the +driver uses an adaptive scheme when it switches between using +napi_gro_receive() (with skbs) and napi_gro_frags() (with pages). The bug is +reproduced when under rx load with enough successful GRO merging the driver +decides to switch from the former to the latter. + +Manual control is also possible, so reproducing this is easy with netcat: + - on machine1 (with sfc): nc -l 12345 > /dev/null + - on machine2: nc machine1 12345 < /dev/zero + - on machine1: + echo 1 > /sys/module/sfc/parameters/rx_alloc_method # use skbs + echo 2 > /sys/module/sfc/parameters/rx_alloc_method # use pages + - See that nc has quit suddenly. + +[v2: Modified by Eric Dumazet to avoid advancing skb->data past the end + and to use a temporary variable.] + +Signed-off-by: Michal Schmidt <mschmidt@redhat.com> +Acked-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/core/skbuff.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2745,8 +2745,12 @@ int skb_gro_receive(struct sk_buff **hea + + merge: + if (offset > headlen) { +- skbinfo->frags[0].page_offset += offset - headlen; +- skbinfo->frags[0].size -= offset - headlen; ++ unsigned int eat = offset - headlen; ++ ++ skbinfo->frags[0].page_offset += eat; ++ skbinfo->frags[0].size -= eat; ++ skb->data_len -= eat; ++ skb->len -= eat; + offset = headlen; + } + diff --git a/releases/2.6.33.20/gro-re-fix-different-skb-headrooms.patch b/releases/2.6.33.20/gro-re-fix-different-skb-headrooms.patch new file mode 100644 index 0000000..322dc0d --- /dev/null +++ b/releases/2.6.33.20/gro-re-fix-different-skb-headrooms.patch @@ -0,0 +1,45 @@ +From 64289c8e6851bca0e589e064c9a5c9fbd6ae5dd4 Mon Sep 17 00:00:00 2001 +From: Jarek Poplawski <jarkao2@gmail.com> +Date: Sat, 4 Sep 2010 10:34:29 +0000 +Subject: gro: Re-fix different skb headrooms + +From: Jarek Poplawski <jarkao2@gmail.com> + +commit 64289c8e6851bca0e589e064c9a5c9fbd6ae5dd4 upstream. + +The patch: "gro: fix different skb headrooms" in its part: +"2) allocate a minimal skb for head of frag_list" is buggy. The copied +skb has p->data set at the ip header at the moment, and skb_gro_offset +is the length of ip + tcp headers. So, after the change the length of +mac header is skipped. Later skb_set_mac_header() sets it into the +NET_SKB_PAD area (if it's long enough) and ip header is misaligned at +NET_SKB_PAD + NET_IP_ALIGN offset. There is no reason to assume the +original skb was wrongly allocated, so let's copy it as it was. + +bugzilla : https://bugzilla.kernel.org/show_bug.cgi?id=16626 +fixes commit: 3d3be4333fdf6faa080947b331a6a19bce1a4f57 + +Reported-by: Plamen Petrov <pvp-lsts@fs.uni-ruse.bg> +Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> +CC: Eric Dumazet <eric.dumazet@gmail.com> +Acked-by: Eric Dumazet <eric.dumazet@gmail.com> +Tested-by: Plamen Petrov <pvp-lsts@fs.uni-ruse.bg> +Signed-off-by: David S. Miller <davem@davemloft.net> +Cc: Ben Hutchings <bhutchings@solarflare.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/core/skbuff.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/skbuff.c ++++ b/net/core/skbuff.c +@@ -2711,7 +2711,7 @@ int skb_gro_receive(struct sk_buff **hea + } else if (skb_gro_len(p) != pinfo->gso_size) + return -E2BIG; + +- headroom = NET_SKB_PAD + NET_IP_ALIGN; ++ headroom = skb_headroom(p); + nskb = alloc_skb(headroom + skb_gro_offset(p), GFP_ATOMIC); + if (unlikely(!nskb)) + return -ENOMEM; diff --git a/releases/2.6.33.20/hid-usbhid-add-support-for-sigma-micro-chip.patch b/releases/2.6.33.20/hid-usbhid-add-support-for-sigma-micro-chip.patch new file mode 100644 index 0000000..c7167c2 --- /dev/null +++ b/releases/2.6.33.20/hid-usbhid-add-support-for-sigma-micro-chip.patch @@ -0,0 +1,49 @@ +From f5e4282586dc0c9dab8c7d32e6c43aa07f68586b Mon Sep 17 00:00:00 2001 +From: Jeremiah Matthey <sprg86@gmail.com> +Date: Tue, 23 Aug 2011 09:44:30 +0200 +Subject: HID: usbhid: Add support for SiGma Micro chip + +From: Jeremiah Matthey <sprg86@gmail.com> + +commit f5e4282586dc0c9dab8c7d32e6c43aa07f68586b upstream. + +Patch to add SiGma Micro-based keyboards (1c4f:0002) to hid-quirks. + +These keyboards dont seem to allow the records to be initialized, and hence a +timeout occurs when the usbhid driver attempts to initialize them. The patch +just adds the signature for these keyboards to the hid-quirks list with the +setting HID_QUIRK_NO_INIT_REPORTS. This removes the 5-10 second wait for the +timeout to occur. + +Signed-off-by: Jeremiah Matthey <sprg86@gmail.com> +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Jonathan Nieder <jrnieder@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/hid/hid-ids.h | 3 +++ + drivers/hid/usbhid/hid-quirks.c | 1 + + 2 files changed, 4 insertions(+) + +--- a/drivers/hid/hid-ids.h ++++ b/drivers/hid/hid-ids.h +@@ -389,6 +389,9 @@ + #define USB_VENDOR_ID_SAMSUNG 0x0419 + #define USB_DEVICE_ID_SAMSUNG_IR_REMOTE 0x0001 + ++#define USB_VENDOR_ID_SIGMA_MICRO 0x1c4f ++#define USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD 0x0002 ++ + #define USB_VENDOR_ID_SONY 0x054c + #define USB_DEVICE_ID_SONY_VAIO_VGX_MOUSE 0x024b + #define USB_DEVICE_ID_SONY_PS3_CONTROLLER 0x0268 +--- a/drivers/hid/usbhid/hid-quirks.c ++++ b/drivers/hid/usbhid/hid-quirks.c +@@ -66,6 +66,7 @@ static const struct hid_blacklist { + { USB_VENDOR_ID_WISEGROUP_LTD, USB_DEVICE_ID_SMARTJOY_DUAL_PLUS, HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, + { USB_VENDOR_ID_WISEGROUP_LTD2, USB_DEVICE_ID_SMARTJOY_DUAL_PLUS, HID_QUIRK_NOGET | HID_QUIRK_MULTI_INPUT }, + ++ { USB_VENDOR_ID_SIGMA_MICRO, USB_DEVICE_ID_SIGMA_MICRO_KEYBOARD, HID_QUIRK_NO_INIT_REPORTS }, + { 0, 0 } + }; + diff --git a/releases/2.6.33.20/hvc_console-improve-tty-console-put_chars-handling.patch b/releases/2.6.33.20/hvc_console-improve-tty-console-put_chars-handling.patch new file mode 100644 index 0000000..34d21d7 --- /dev/null +++ b/releases/2.6.33.20/hvc_console-improve-tty-console-put_chars-handling.patch @@ -0,0 +1,57 @@ +From 8c2381af0d3ef62a681dac5a141b6dabb27bf2e1 Mon Sep 17 00:00:00 2001 +From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> +Date: Tue, 5 Jul 2011 21:50:18 +0000 +Subject: hvc_console: Improve tty/console put_chars handling + +From: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> + +commit 8c2381af0d3ef62a681dac5a141b6dabb27bf2e1 upstream. + +Currently, the hvc_console_print() function drops console output if the +hvc backend's put_chars() returns 0. This patch changes this behavior +to allow a retry through returning -EAGAIN. + +This change also affects the hvc_push() function. Both functions are +changed to handle -EAGAIN and to retry the put_chars() operation. + +If a hvc backend returns -EAGAIN, the retry handling differs: + + - hvc_console_print() spins to write the complete console output. + - hvc_push() behaves the same way as for returning 0. + +Now hvc backends can indirectly control the way how console output is +handled through the hvc console layer. + +Signed-off-by: Hendrik Brueckner <brueckner@linux.vnet.ibm.com> +Acked-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/char/hvc_console.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/drivers/char/hvc_console.c ++++ b/drivers/char/hvc_console.c +@@ -162,8 +162,10 @@ static void hvc_console_print(struct con + } else { + r = cons_ops[index]->put_chars(vtermnos[index], c, i); + if (r <= 0) { +- /* throw away chars on error */ +- i = 0; ++ /* throw away characters on error ++ * but spin in case of -EAGAIN */ ++ if (r != -EAGAIN) ++ i = 0; + } else if (r > 0) { + i -= r; + if (i > 0) +@@ -442,7 +444,7 @@ static int hvc_push(struct hvc_struct *h + + n = hp->ops->put_chars(hp->vtermno, hp->outbuf, hp->n_outbuf); + if (n <= 0) { +- if (n == 0) { ++ if (n == 0 || n == -EAGAIN) { + hp->do_wakeup = 1; + return 0; + } diff --git a/releases/2.6.33.20/hwmon-w83627ehf-properly-report-thermal-diode-sensors.patch b/releases/2.6.33.20/hwmon-w83627ehf-properly-report-thermal-diode-sensors.patch new file mode 100644 index 0000000..8f5c201 --- /dev/null +++ b/releases/2.6.33.20/hwmon-w83627ehf-properly-report-thermal-diode-sensors.patch @@ -0,0 +1,67 @@ +From bf164c58e58328c40ebc597a8ac00cc6840f9703 Mon Sep 17 00:00:00 2001 +From: Jean Delvare <khali@linux-fr.org> +Date: Thu, 13 Oct 2011 15:49:08 -0400 +Subject: hwmon: (w83627ehf) Properly report thermal diode sensors + +From: Jean Delvare <khali@linux-fr.org> + +commit bf164c58e58328c40ebc597a8ac00cc6840f9703 upstream. + +The w83627ehf driver is improperly reporting thermal diode sensors as +type 2, instead of 3. This caused "sensors" and possibly other +monitoring tools to report these sensors as "transistor" instead of +"thermal diode". + +Furthermore, diode subtype selection (CPU vs. external) is only +supported by the original W83627EHF/EHG. All later models only support +CPU diode type, and some (NCT6776F) don't even have the register in +question so we should avoid reading from it. + +Signed-off-by: Jean Delvare <khali@linux-fr.org> +Signed-off-by: Guenter Roeck <guenter.roeck@ericsson.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/hwmon/w83627ehf.c | 15 +++++++++++---- + 1 file changed, 11 insertions(+), 4 deletions(-) + +--- a/drivers/hwmon/w83627ehf.c ++++ b/drivers/hwmon/w83627ehf.c +@@ -1273,7 +1273,8 @@ static void w83627ehf_device_remove_file + } + + /* Get the monitoring functions started */ +-static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data) ++static inline void __devinit w83627ehf_init_device(struct w83627ehf_data *data, ++ enum kinds kind) + { + int i; + u8 tmp, diode; +@@ -1302,10 +1303,16 @@ static inline void __devinit w83627ehf_i + w83627ehf_write_value(data, W83627EHF_REG_VBAT, tmp | 0x01); + + /* Get thermal sensor types */ +- diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); ++ switch (kind) { ++ case w83627ehf: ++ diode = w83627ehf_read_value(data, W83627EHF_REG_DIODE); ++ break; ++ default: ++ diode = 0x70; ++ } + for (i = 0; i < 3; i++) { + if ((tmp & (0x02 << i))) +- data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 2; ++ data->temp_type[i] = (diode & (0x10 << i)) ? 1 : 3; + else + data->temp_type[i] = 4; /* thermistor */ + } +@@ -1353,7 +1360,7 @@ static int __devinit w83627ehf_probe(str + } + + /* Initialize the chip */ +- w83627ehf_init_device(data); ++ w83627ehf_init_device(data, sio_data->kind); + + data->vrm = vid_which_vrm(); + superio_enter(sio_data->sioreg); diff --git a/releases/2.6.33.20/iommu-amd-fix-wrong-shift-direction.patch b/releases/2.6.33.20/iommu-amd-fix-wrong-shift-direction.patch new file mode 100644 index 0000000..306daa6 --- /dev/null +++ b/releases/2.6.33.20/iommu-amd-fix-wrong-shift-direction.patch @@ -0,0 +1,30 @@ +From fcd0861db1cf4e6ed99f60a815b7b72c2ed36ea4 Mon Sep 17 00:00:00 2001 +From: Joerg Roedel <joerg.roedel@amd.com> +Date: Tue, 11 Oct 2011 17:41:32 +0200 +Subject: iommu/amd: Fix wrong shift direction + +From: Joerg Roedel <joerg.roedel@amd.com> + +commit fcd0861db1cf4e6ed99f60a815b7b72c2ed36ea4 upstream. + +The shift direction was wrong because the function takes a +page number and i is the address is the loop. + +Signed-off-by: Joerg Roedel <joerg.roedel@amd.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/x86/kernel/amd_iommu.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/arch/x86/kernel/amd_iommu.c ++++ b/arch/x86/kernel/amd_iommu.c +@@ -1066,7 +1066,7 @@ static int alloc_new_range(struct dma_op + if (!pte || !IOMMU_PTE_PRESENT(*pte)) + continue; + +- dma_ops_reserve_addresses(dma_dom, i << PAGE_SHIFT, 1); ++ dma_ops_reserve_addresses(dma_dom, i >> PAGE_SHIFT, 1); + } + + update_domain(&dma_dom->domain); diff --git a/releases/2.6.33.20/ipr-always-initiate-hard-reset-in-kdump-kernel.patch b/releases/2.6.33.20/ipr-always-initiate-hard-reset-in-kdump-kernel.patch new file mode 100644 index 0000000..3a9b5ec --- /dev/null +++ b/releases/2.6.33.20/ipr-always-initiate-hard-reset-in-kdump-kernel.patch @@ -0,0 +1,38 @@ +From 5d7c20b7fa5c6ca19e871b4050e321c99d32bd43 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard <anton@samba.org> +Date: Mon, 1 Aug 2011 19:43:45 +1000 +Subject: [SCSI] ipr: Always initiate hard reset in kdump kernel + +From: Anton Blanchard <anton@samba.org> + +commit 5d7c20b7fa5c6ca19e871b4050e321c99d32bd43 upstream. + +During kdump testing I noticed timeouts when initialising each IPR +adapter. While the driver has logic to detect an adapter in an +indeterminate state, it wasn't triggering and each adapter went +through a 5 minute timeout before finally going operational. + +Some analysis showed the needs_hard_reset flag wasn't getting set. +We can check the reset_devices kernel parameter which is set by +kdump and force a full reset. This fixes the problem. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Acked-by: Brian King <brking@linux.vnet.ibm.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/ipr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/ipr.c ++++ b/drivers/scsi/ipr.c +@@ -7673,7 +7673,7 @@ static int __devinit ipr_probe_ioa(struc + uproc = readl(ioa_cfg->regs.sense_uproc_interrupt_reg); + if ((mask & IPR_PCII_HRRQ_UPDATED) == 0 || (uproc & IPR_UPROCI_RESET_ALERT)) + ioa_cfg->needs_hard_reset = 1; +- if (interrupts & IPR_PCII_ERROR_INTERRUPTS) ++ if ((interrupts & IPR_PCII_ERROR_INTERRUPTS) || reset_devices) + ioa_cfg->needs_hard_reset = 1; + if (interrupts & IPR_PCII_IOA_UNIT_CHECKED) + ioa_cfg->ioa_unit_checked = 1; diff --git a/releases/2.6.33.20/ipv6-add-gso-support-on-forwarding-path.patch b/releases/2.6.33.20/ipv6-add-gso-support-on-forwarding-path.patch new file mode 100644 index 0000000..0549118 --- /dev/null +++ b/releases/2.6.33.20/ipv6-add-gso-support-on-forwarding-path.patch @@ -0,0 +1,42 @@ +From 0aa68271510ae2b221d4b60892103837be63afe4 Mon Sep 17 00:00:00 2001 +From: Herbert Xu <herbert@gondor.apana.org.au> +Date: Thu, 27 May 2010 16:14:30 -0700 +Subject: ipv6: Add GSO support on forwarding path + +From: Herbert Xu <herbert@gondor.apana.org.au> + +commit 0aa68271510ae2b221d4b60892103837be63afe4 upstream. + +Currently we disallow GSO packets on the IPv6 forward path. +This patch fixes this. + +Note that I discovered that our existing GSO MTU checks (e.g., +IPv4 forwarding) are buggy in that they skip the check altogether, +when they really should be checking gso_size + header instead. + +I have also been lazy here in that I haven't bothered to segment +the GSO packet by hand before generating an ICMP message. Someone +should add that to be 100% correct. + +Reported-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Apollon Oikonomopoulos <apoikos@gmail.com> +Signed-off-by: Faidon Liambotis <paravoid@debian.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/ipv6/ip6_output.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/ipv6/ip6_output.c ++++ b/net/ipv6/ip6_output.c +@@ -509,7 +509,7 @@ int ip6_forward(struct sk_buff *skb) + } + } + +- if (skb->len > dst_mtu(dst)) { ++ if (skb->len > dst_mtu(dst) && !skb_is_gso(skb)) { + /* Again, force OUTPUT device used as source address */ + skb->dev = dst->dev; + icmpv6_send(skb, ICMPV6_PKT_TOOBIG, 0, dst_mtu(dst), skb->dev); diff --git a/releases/2.6.33.20/irda-fix-smsc-ircc2-section-mismatch-warning.patch b/releases/2.6.33.20/irda-fix-smsc-ircc2-section-mismatch-warning.patch new file mode 100644 index 0000000..db2cdfe --- /dev/null +++ b/releases/2.6.33.20/irda-fix-smsc-ircc2-section-mismatch-warning.patch @@ -0,0 +1,32 @@ +From f470e5ae34d68880a38aa79ee5c102ebc2a1aef6 Mon Sep 17 00:00:00 2001 +From: Randy Dunlap <randy.dunlap@oracle.com> +Date: Tue, 21 Jun 2011 20:32:53 -0700 +Subject: irda: fix smsc-ircc2 section mismatch warning + +From: Randy Dunlap <randy.dunlap@oracle.com> + +commit f470e5ae34d68880a38aa79ee5c102ebc2a1aef6 upstream. + +Fix section mismatch warning: + +WARNING: drivers/net/irda/smsc-ircc2.o(.devinit.text+0x1a7): Section mismatch in reference from the function smsc_ircc_pnp_probe() to the function .init.text:smsc_ircc_open() + +Signed-off-by: Randy Dunlap <randy.dunlap@oracle.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/irda/smsc-ircc2.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/net/irda/smsc-ircc2.c ++++ b/drivers/net/irda/smsc-ircc2.c +@@ -515,7 +515,7 @@ static const struct net_device_ops smsc_ + * Try to open driver instance + * + */ +-static int __init smsc_ircc_open(unsigned int fir_base, unsigned int sir_base, u8 dma, u8 irq) ++static int __devinit smsc_ircc_open(unsigned int fir_base, unsigned int sir_base, u8 dma, u8 irq) + { + struct smsc_ircc_cb *self; + struct net_device *dev; diff --git a/releases/2.6.33.20/kcore-fix-test-for-end-of-list.patch b/releases/2.6.33.20/kcore-fix-test-for-end-of-list.patch new file mode 100644 index 0000000..dd7560e --- /dev/null +++ b/releases/2.6.33.20/kcore-fix-test-for-end-of-list.patch @@ -0,0 +1,35 @@ +From 4fd2c20d964a8fb9861045f1022475c9d200d684 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <error27@gmail.com> +Date: Tue, 23 Mar 2010 13:35:42 -0700 +Subject: kcore: fix test for end of list + +From: Dan Carpenter <error27@gmail.com> + +commit 4fd2c20d964a8fb9861045f1022475c9d200d684 upstream. + +"m" is never NULL here. We need a different test for the end of list +condition. + +Signed-off-by: Dan Carpenter <error27@gmail.com> +Acked-by: KAMEZAWA Hiroyuki <kamezawa.hiroyu@jp.fujitsu.com> +Acked-by: WANG Cong <xiyou.wangcong@gmail.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Leonardo Chiquitto <leonardo.lists@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/proc/kcore.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/proc/kcore.c ++++ b/fs/proc/kcore.c +@@ -490,7 +490,7 @@ read_kcore(struct file *file, char __use + } + read_unlock(&kclist_lock); + +- if (m == NULL) { ++ if (&m->list == &kclist_head) { + if (clear_user(buffer, tsz)) + return -EFAULT; + } else if (is_vmalloc_or_module_addr((void *)start)) { diff --git a/releases/2.6.33.20/kmod-prevent-kmod_loop_msg-overflow-in-__request_module.patch b/releases/2.6.33.20/kmod-prevent-kmod_loop_msg-overflow-in-__request_module.patch new file mode 100644 index 0000000..6019d89 --- /dev/null +++ b/releases/2.6.33.20/kmod-prevent-kmod_loop_msg-overflow-in-__request_module.patch @@ -0,0 +1,40 @@ +From 37252db6aa576c34fd794a5a54fb32d7a8b3a07a Mon Sep 17 00:00:00 2001 +From: Jiri Kosina <jkosina@suse.cz> +Date: Wed, 26 Oct 2011 13:10:39 +1030 +Subject: kmod: prevent kmod_loop_msg overflow in __request_module() + +From: Jiri Kosina <jkosina@suse.cz> + +commit 37252db6aa576c34fd794a5a54fb32d7a8b3a07a upstream. + +Due to post-increment in condition of kmod_loop_msg in __request_module(), +the system log can be spammed by much more than 5 instances of the 'runaway +loop' message if the number of events triggering it makes the kmod_loop_msg +to overflow. + +Fix that by making sure we never increment it past the threshold. + +Signed-off-by: Jiri Kosina <jkosina@suse.cz> +Signed-off-by: Rusty Russell <rusty@rustcorp.com.au> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + kernel/kmod.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/kernel/kmod.c ++++ b/kernel/kmod.c +@@ -106,10 +106,12 @@ int __request_module(bool wait, const ch + atomic_inc(&kmod_concurrent); + if (atomic_read(&kmod_concurrent) > max_modprobes) { + /* We may be blaming an innocent here, but unlikely */ +- if (kmod_loop_msg++ < 5) ++ if (kmod_loop_msg < 5) { + printk(KERN_ERR + "request_module: runaway loop modprobe %s\n", + module_name); ++ kmod_loop_msg++; ++ } + atomic_dec(&kmod_concurrent); + return -ENOMEM; + } diff --git a/releases/2.6.33.20/kobj_uevent-ignore-if-some-listeners-cannot-handle-message.patch b/releases/2.6.33.20/kobj_uevent-ignore-if-some-listeners-cannot-handle-message.patch new file mode 100644 index 0000000..584f252 --- /dev/null +++ b/releases/2.6.33.20/kobj_uevent-ignore-if-some-listeners-cannot-handle-message.patch @@ -0,0 +1,37 @@ +From ebf4127cd677e9781b450e44dfaaa1cc595efcaa Mon Sep 17 00:00:00 2001 +From: Milan Broz <mbroz@redhat.com> +Date: Mon, 22 Aug 2011 15:51:34 +0200 +Subject: kobj_uevent: Ignore if some listeners cannot handle message + +From: Milan Broz <mbroz@redhat.com> + +commit ebf4127cd677e9781b450e44dfaaa1cc595efcaa upstream. + +kobject_uevent() uses a multicast socket and should ignore +if one of listeners cannot handle messages or nobody is +listening at all. + +Easily reproducible when a process in system is cloned +with CLONE_NEWNET flag. + +(See also http://article.gmane.org/gmane.linux.kernel.device-mapper.dm-crypt/5256) + +Signed-off-by: Milan Broz <mbroz@redhat.com> +Acked-by: Kay Sievers <kay.sievers@vrfy.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + lib/kobject_uevent.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/lib/kobject_uevent.c ++++ b/lib/kobject_uevent.c +@@ -235,7 +235,7 @@ int kobject_uevent_env(struct kobject *k + retval = netlink_broadcast(uevent_sock, skb, 0, 1, + GFP_KERNEL); + /* ENOBUFS should be handled in userspace */ +- if (retval == -ENOBUFS) ++ if (retval == -ENOBUFS || retval == -ESRCH) + retval = 0; + } else + retval = -ENOMEM; diff --git a/releases/2.6.33.20/kvm-s390-check-cpu_id-prior-to-using-it.patch b/releases/2.6.33.20/kvm-s390-check-cpu_id-prior-to-using-it.patch new file mode 100644 index 0000000..5cf5a7f --- /dev/null +++ b/releases/2.6.33.20/kvm-s390-check-cpu_id-prior-to-using-it.patch @@ -0,0 +1,53 @@ +From 4d47555a80495657161a7e71ec3014ff2021e450 Mon Sep 17 00:00:00 2001 +From: Carsten Otte <cotte@de.ibm.com> +Date: Tue, 18 Oct 2011 12:27:12 +0200 +Subject: KVM: s390: check cpu_id prior to using it + +From: Carsten Otte <cotte@de.ibm.com> + +commit 4d47555a80495657161a7e71ec3014ff2021e450 upstream. + +We use the cpu id provided by userspace as array index here. Thus we +clearly need to check it first. Ooops. + +Signed-off-by: Carsten Otte <cotte@de.ibm.com> +Signed-off-by: Christian Borntraeger <borntraeger@de.ibm.com> +Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/s390/kvm/kvm-s390.c | 14 ++++++++++---- + 1 file changed, 10 insertions(+), 4 deletions(-) + +--- a/arch/s390/kvm/kvm-s390.c ++++ b/arch/s390/kvm/kvm-s390.c +@@ -309,11 +309,17 @@ int kvm_arch_vcpu_setup(struct kvm_vcpu + struct kvm_vcpu *kvm_arch_vcpu_create(struct kvm *kvm, + unsigned int id) + { +- struct kvm_vcpu *vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL); +- int rc = -ENOMEM; ++ struct kvm_vcpu *vcpu; ++ int rc = -EINVAL; + ++ if (id >= KVM_MAX_VCPUS) ++ goto out; ++ ++ rc = -ENOMEM; ++ ++ vcpu = kzalloc(sizeof(struct kvm_vcpu), GFP_KERNEL); + if (!vcpu) +- goto out_nomem; ++ goto out; + + vcpu->arch.sie_block = (struct kvm_s390_sie_block *) + get_zeroed_page(GFP_KERNEL); +@@ -348,7 +354,7 @@ out_free_sie_block: + free_page((unsigned long)(vcpu->arch.sie_block)); + out_free_cpu: + kfree(vcpu); +-out_nomem: ++out: + return ERR_PTR(rc); + } + diff --git a/releases/2.6.33.20/libiscsi_tcp-fix-lld-data-allocation.patch b/releases/2.6.33.20/libiscsi_tcp-fix-lld-data-allocation.patch new file mode 100644 index 0000000..a97db42 --- /dev/null +++ b/releases/2.6.33.20/libiscsi_tcp-fix-lld-data-allocation.patch @@ -0,0 +1,56 @@ +From 74dcd0ec735ba9c5bef254b2f6e53068cf3f9ff0 Mon Sep 17 00:00:00 2001 +From: Mike Christie <michaelc@cs.wisc.edu> +Date: Fri, 24 Jun 2011 15:11:55 -0500 +Subject: [SCSI] libiscsi_tcp: fix LLD data allocation + +From: Mike Christie <michaelc@cs.wisc.edu> + +commit 74dcd0ec735ba9c5bef254b2f6e53068cf3f9ff0 upstream. + +Have libiscsi_tcp have upper layers allocate the LLD data +along with the iscsi_cls_conn struct, so it is refcounted. + +Signed-off-by: Mike Christie <michaelc@cs.wisc.edu> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/libiscsi_tcp.c | 14 +++----------- + 1 file changed, 3 insertions(+), 11 deletions(-) + +--- a/drivers/scsi/libiscsi_tcp.c ++++ b/drivers/scsi/libiscsi_tcp.c +@@ -1072,7 +1072,8 @@ iscsi_tcp_conn_setup(struct iscsi_cls_se + struct iscsi_cls_conn *cls_conn; + struct iscsi_tcp_conn *tcp_conn; + +- cls_conn = iscsi_conn_setup(cls_session, sizeof(*tcp_conn), conn_idx); ++ cls_conn = iscsi_conn_setup(cls_session, ++ sizeof(*tcp_conn) + dd_data_size, conn_idx); + if (!cls_conn) + return NULL; + conn = cls_conn->dd_data; +@@ -1084,22 +1085,13 @@ iscsi_tcp_conn_setup(struct iscsi_cls_se + + tcp_conn = conn->dd_data; + tcp_conn->iscsi_conn = conn; +- +- tcp_conn->dd_data = kzalloc(dd_data_size, GFP_KERNEL); +- if (!tcp_conn->dd_data) { +- iscsi_conn_teardown(cls_conn); +- return NULL; +- } ++ tcp_conn->dd_data = conn->dd_data + sizeof(*tcp_conn); + return cls_conn; + } + EXPORT_SYMBOL_GPL(iscsi_tcp_conn_setup); + + void iscsi_tcp_conn_teardown(struct iscsi_cls_conn *cls_conn) + { +- struct iscsi_conn *conn = cls_conn->dd_data; +- struct iscsi_tcp_conn *tcp_conn = conn->dd_data; +- +- kfree(tcp_conn->dd_data); + iscsi_conn_teardown(cls_conn); + } + EXPORT_SYMBOL_GPL(iscsi_tcp_conn_teardown); diff --git a/releases/2.6.33.20/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch b/releases/2.6.33.20/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch new file mode 100644 index 0000000..a8dae83 --- /dev/null +++ b/releases/2.6.33.20/libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch @@ -0,0 +1,43 @@ +From 24926dadc41cc566e974022b0e66231b82c6375f Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Date: Thu, 1 Sep 2011 06:11:17 -0700 +Subject: [SCSI] libsas: fix failure to revalidate domain for anything but the first expander child. + +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> + +commit 24926dadc41cc566e974022b0e66231b82c6375f upstream. + +In an enclosure model where there are chaining expanders to a large body +of storage, it was discovered that libsas, responding to a broadcast +event change, would only revalidate the domain of first child expander +in the list. + +The issue is that the pointer value to the discovered source device was +used to break out of the loop, rather than the content of the pointer. + +This still remains non-compliant as the revalidate domain code is +supposed to loop through all child expanders, and not stop at the first +one it finds that reports a change count. However, the design of this +routine does not allow multiple device discoveries and that would be a +more complicated set of patches reserved for another day. We are fixing +the glaring bug rather than refactoring the code. + +Signed-off-by: Mark Salyzyn <msalyzyn@us.xyratex.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/libsas/sas_expander.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -1712,7 +1712,7 @@ static int sas_find_bcast_dev(struct dom + list_for_each_entry(ch, &ex->children, siblings) { + if (ch->dev_type == EDGE_DEV || ch->dev_type == FANOUT_DEV) { + res = sas_find_bcast_dev(ch, src_dev); +- if (src_dev) ++ if (*src_dev) + return res; + } + } diff --git a/releases/2.6.33.20/libsas-fix-panic-when-single-phy-is-disabled-on-a-wide-port.patch b/releases/2.6.33.20/libsas-fix-panic-when-single-phy-is-disabled-on-a-wide-port.patch new file mode 100644 index 0000000..75522b8 --- /dev/null +++ b/releases/2.6.33.20/libsas-fix-panic-when-single-phy-is-disabled-on-a-wide-port.patch @@ -0,0 +1,111 @@ +From a73914c35b05d80f8ce78288e10056c91090b666 Mon Sep 17 00:00:00 2001 +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Date: Thu, 22 Sep 2011 08:32:23 -0700 +Subject: [SCSI] libsas: fix panic when single phy is disabled on a wide port + +From: Mark Salyzyn <mark_salyzyn@us.xyratex.com> + +commit a73914c35b05d80f8ce78288e10056c91090b666 upstream. + +When a wide port is being utilized to a target, if one disables only one +of the +phys, we get an OS crash: + +BUG: unable to handle kernel NULL pointer dereference at +0000000000000238 +IP: [<ffffffff814ca9b1>] mutex_lock+0x21/0x50 +PGD 4103f5067 PUD 41dba9067 PMD 0 +Oops: 0002 [#1] SMP +last sysfs file: /sys/bus/pci/slots/5/address +CPU 0 +Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4 +ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl +auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt +llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom +dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt +iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3 +jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix +libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001] + +Modules linked in: pm8001(U) ses enclosure fuse nfsd exportfs autofs4 +ipmi_devintf ipmi_si ipmi_msghandler nfs lockd fscache nfs_acl +auth_rpcgss 8021q fcoe libfcoe garp libfc scsi_transport_fc stp scsi_tgt +llc sunrpc cpufreq_ondemand acpi_cpufreq freq_table ipv6 sr_mod cdrom +dm_mirror dm_region_hash dm_log uinput sg i2c_i801 i2c_core iTCO_wdt +iTCO_vendor_support e1000e mlx4_ib ib_mad ib_core mlx4_en mlx4_core ext3 +jbd mbcache sd_mod crc_t10dif usb_storage ata_generic pata_acpi ata_piix +libsas(U) scsi_transport_sas dm_mod [last unloaded: pm8001] +Pid: 5146, comm: scsi_wq_5 Not tainted +2.6.32-71.29.1.el6.lustre.7.x86_64 #1 Storage Server +RIP: 0010:[<ffffffff814ca9b1>] [<ffffffff814ca9b1>] +mutex_lock+0x21/0x50 +RSP: 0018:ffff8803e4e33d30 EFLAGS: 00010246 +RAX: 0000000000000000 RBX: 0000000000000238 RCX: 0000000000000000 +RDX: 0000000000000000 RSI: ffff8803e664c800 RDI: 0000000000000238 +RBP: ffff8803e4e33d40 R08: 0000000000000000 R09: 0000000000000000 +R10: 0000000000000000 R11: 0000000000000001 R12: 0000000000000000 +R13: 0000000000000238 R14: ffff88041acb7200 R15: ffff88041c51ada0 +FS: 0000000000000000(0000) GS:ffff880028200000(0000) +knlGS:0000000000000000 +CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b +CR2: 0000000000000238 CR3: 0000000410143000 CR4: 00000000000006f0 +DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 +DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 +Process scsi_wq_5 (pid: 5146, threadinfo ffff8803e4e32000, task +ffff8803e4e294a0) +Stack: + ffff8803e664c800 0000000000000000 ffff8803e4e33d70 ffffffffa001f06e +<0> ffff8803e4e33d60 ffff88041c51ada0 ffff88041acb7200 ffff88041bc0aa00 +<0> ffff8803e4e33d90 ffffffffa0032b6c 0000000000000014 ffff88041acb7200 +Call Trace: + [<ffffffffa001f06e>] sas_port_delete_phy+0x2e/0xa0 [scsi_transport_sas] + [<ffffffffa0032b6c>] sas_unregister_devs_sas_addr+0xac/0xe0 [libsas] + [<ffffffffa0034914>] sas_ex_revalidate_domain+0x204/0x330 [libsas] + [<ffffffffa00307f0>] ? sas_revalidate_domain+0x0/0x90 [libsas] + [<ffffffffa0030855>] sas_revalidate_domain+0x65/0x90 [libsas] + [<ffffffff8108c7d0>] worker_thread+0x170/0x2a0 + [<ffffffff81091ea0>] ? autoremove_wake_function+0x0/0x40 + [<ffffffff8108c660>] ? worker_thread+0x0/0x2a0 + [<ffffffff81091b36>] kthread+0x96/0xa0 + [<ffffffff810141ca>] child_rip+0xa/0x20 + [<ffffffff81091aa0>] ? kthread+0x0/0xa0 + [<ffffffff810141c0>] ? child_rip+0x0/0x20 +Code: ff ff 85 c0 75 ed eb d6 66 90 55 48 89 e5 48 83 ec 10 48 89 1c 24 +4c 89 64 24 08 0f 1f 44 00 00 48 89 fb e8 92 f4 ff ff 48 89 df <f0> ff +0f 79 05 e8 25 00 00 00 65 48 8b 04 25 08 cc 00 00 48 2d +RIP [<ffffffff814ca9b1>] mutex_lock+0x21/0x50 + RSP <ffff8803e4e33d30> +CR2: 0000000000000238 + +The following patch is admittedly a band-aid, and does not solve the +root cause, but it still is a good candidate for hardening as a pointer +check before reference. + +Signed-off-by: Mark Salyzyn <mark_salyzyn@us.xyratex.com> +Tested-by: Jack Wang <jack_wang@usish.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/libsas/sas_expander.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -1757,10 +1757,12 @@ static void sas_unregister_devs_sas_addr + sas_disable_routing(parent, phy->attached_sas_addr); + } + memset(phy->attached_sas_addr, 0, SAS_ADDR_SIZE); +- sas_port_delete_phy(phy->port, phy->phy); +- if (phy->port->num_phys == 0) +- sas_port_delete(phy->port); +- phy->port = NULL; ++ if (phy->port) { ++ sas_port_delete_phy(phy->port, phy->phy); ++ if (phy->port->num_phys == 0) ++ sas_port_delete(phy->port); ++ phy->port = NULL; ++ } + } + + static int sas_discover_bfs_by_root_level(struct domain_device *root, diff --git a/releases/2.6.33.20/libsas-set-sas_address-and-device-type-of-rphy.patch b/releases/2.6.33.20/libsas-set-sas_address-and-device-type-of-rphy.patch new file mode 100644 index 0000000..ca2cbff --- /dev/null +++ b/releases/2.6.33.20/libsas-set-sas_address-and-device-type-of-rphy.patch @@ -0,0 +1,32 @@ +From bb041a0e9c31229071b6e56e1d0d8374af0d2038 Mon Sep 17 00:00:00 2001 +From: Jack Wang <jack_wang@usish.com> +Date: Fri, 23 Sep 2011 14:32:32 +0800 +Subject: [SCSI] libsas: set sas_address and device type of rphy + +From: Jack Wang <jack_wang@usish.com> + +commit bb041a0e9c31229071b6e56e1d0d8374af0d2038 upstream. + +Libsas forget to set the sas_address and device type of rphy lead to file +under /sys/class/sas_x show wrong value, fix that. + +Signed-off-by: Jack Wang <jack_wang@usish.com> +Tested-by: Crystal Yu <crystal_yu@usish.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/scsi/libsas/sas_expander.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -198,6 +198,8 @@ static void sas_set_ex_phy(struct domain + phy->virtual = dr->virtual; + phy->last_da_index = -1; + ++ phy->phy->identify.sas_address = SAS_ADDR(phy->attached_sas_addr); ++ phy->phy->identify.device_type = phy->attached_dev_type; + phy->phy->identify.initiator_port_protocols = phy->attached_iproto; + phy->phy->identify.target_port_protocols = phy->attached_tproto; + phy->phy->identify.phy_identifier = phy_id; diff --git a/releases/2.6.33.20/md-fix-handling-for-devices-from-2tb-to-4tb-in-0.90.patch b/releases/2.6.33.20/md-fix-handling-for-devices-from-2tb-to-4tb-in-0.90.patch new file mode 100644 index 0000000..046a490 --- /dev/null +++ b/releases/2.6.33.20/md-fix-handling-for-devices-from-2tb-to-4tb-in-0.90.patch @@ -0,0 +1,67 @@ +From 27a7b260f71439c40546b43588448faac01adb93 Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Sat, 10 Sep 2011 17:21:28 +1000 +Subject: md: Fix handling for devices from 2TB to 4TB in 0.90 metadata. + +From: NeilBrown <neilb@suse.de> + +commit 27a7b260f71439c40546b43588448faac01adb93 upstream. + +0.90 metadata uses an unsigned 32bit number to count the number of +kilobytes used from each device. +This should allow up to 4TB per device. +However we multiply this by 2 (to get sectors) before casting to a +larger type, so sizes above 2TB get truncated. + +Also we allow rdev->sectors to be larger than 4TB, so it is possible +for the array to be resized larger than the metadata can handle. +So make sure rdev->sectors never exceeds 4TB when 0.90 metadata is in +used. + +Also the sanity check at the end of super_90_load should include level +1 as it used ->size too. (RAID0 and Linear don't use ->size at all). + +Reported-by: Pim Zandbergen <P.Zandbergen@macroscoop.nl> +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/md/md.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +--- a/drivers/md/md.c ++++ b/drivers/md/md.c +@@ -980,8 +980,11 @@ static int super_90_load(mdk_rdev_t *rde + ret = 0; + } + rdev->sectors = rdev->sb_start; ++ /* Limit to 4TB as metadata cannot record more than that */ ++ if (rdev->sectors >= (2ULL << 32)) ++ rdev->sectors = (2ULL << 32) - 2; + +- if (rdev->sectors < sb->size * 2 && sb->level > 1) ++ if (rdev->sectors < ((sector_t)sb->size) * 2 && sb->level >= 1) + /* "this cannot possibly happen" ... */ + ret = -EINVAL; + +@@ -1016,7 +1019,7 @@ static int super_90_validate(mddev_t *md + mddev->clevel[0] = 0; + mddev->layout = sb->layout; + mddev->raid_disks = sb->raid_disks; +- mddev->dev_sectors = sb->size * 2; ++ mddev->dev_sectors = ((sector_t)sb->size) * 2; + mddev->events = ev1; + mddev->bitmap_info.offset = 0; + mddev->bitmap_info.default_offset = MD_SB_BYTES >> 9; +@@ -1255,6 +1258,11 @@ super_90_rdev_size_change(mdk_rdev_t *rd + rdev->sb_start = calc_dev_sboffset(rdev->bdev); + if (!num_sectors || num_sectors > rdev->sb_start) + num_sectors = rdev->sb_start; ++ /* Limit to 4TB as metadata cannot record more than that. ++ * 4TB == 2^32 KB, or 2*2^32 sectors. ++ */ ++ if (num_sectors >= (2ULL << 32)) ++ num_sectors = (2ULL << 32) - 2; + md_super_write(rdev->mddev, rdev, rdev->sb_start, rdev->sb_size, + rdev->sb_page); + md_super_wait(rdev->mddev); diff --git a/releases/2.6.33.20/md-linear-avoid-corrupting-structure-while-waiting-for.patch b/releases/2.6.33.20/md-linear-avoid-corrupting-structure-while-waiting-for.patch new file mode 100644 index 0000000..ad0995d --- /dev/null +++ b/releases/2.6.33.20/md-linear-avoid-corrupting-structure-while-waiting-for.patch @@ -0,0 +1,33 @@ +From 1b6afa17581027218088a18a9ceda600e0ddba7a Mon Sep 17 00:00:00 2001 +From: NeilBrown <neilb@suse.de> +Date: Thu, 25 Aug 2011 14:43:53 +1000 +Subject: md/linear: avoid corrupting structure while waiting for rcu_free to complete. + +From: NeilBrown <neilb@suse.de> + +commit 1b6afa17581027218088a18a9ceda600e0ddba7a upstream. + +I don't know what I was thinking putting 'rcu' after a dynamically +sized array! The array could still be in use when we call rcu_free() +(That is the point) so we mustn't corrupt it. + +Signed-off-by: NeilBrown <neilb@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/md/linear.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/md/linear.h ++++ b/drivers/md/linear.h +@@ -10,9 +10,9 @@ typedef struct dev_info dev_info_t; + + struct linear_private_data + { ++ struct rcu_head rcu; + sector_t array_sectors; + dev_info_t disks[0]; +- struct rcu_head rcu; + }; + + diff --git a/releases/2.6.33.20/net-9p-fix-client-code-to-fail-more-gracefully-on-protocol-error.patch b/releases/2.6.33.20/net-9p-fix-client-code-to-fail-more-gracefully-on-protocol-error.patch new file mode 100644 index 0000000..4349a3f --- /dev/null +++ b/releases/2.6.33.20/net-9p-fix-client-code-to-fail-more-gracefully-on-protocol-error.patch @@ -0,0 +1,32 @@ +From b85f7d92d7bd7e3298159e8b1eed8cb8cbbb0348 Mon Sep 17 00:00:00 2001 +From: Eric Van Hensbergen <ericvh@gmail.com> +Date: Wed, 13 Jul 2011 19:12:18 -0500 +Subject: net/9p: fix client code to fail more gracefully on protocol error + +From: Eric Van Hensbergen <ericvh@gmail.com> + +commit b85f7d92d7bd7e3298159e8b1eed8cb8cbbb0348 upstream. + +There was a BUG_ON to protect against a bad id which could be dealt with +more gracefully. + +Reported-by: Natalie Orlin <norlin@us.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/9p/client.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -230,7 +230,8 @@ struct p9_req_t *p9_tag_lookup(struct p9 + * buffer to read the data into */ + tag++; + +- BUG_ON(tag >= c->max_tag); ++ if(tag >= c->max_tag) ++ return NULL; + + row = tag / P9_ROW_MAXTAG; + col = tag % P9_ROW_MAXTAG; diff --git a/releases/2.6.33.20/net-9p-fix-the-msize-calculation.patch b/releases/2.6.33.20/net-9p-fix-the-msize-calculation.patch new file mode 100644 index 0000000..a690c38 --- /dev/null +++ b/releases/2.6.33.20/net-9p-fix-the-msize-calculation.patch @@ -0,0 +1,33 @@ +From c9ffb05ca5b5098d6ea468c909dd384d90da7d54 Mon Sep 17 00:00:00 2001 +From: "Venkateswararao Jujjuri (JV)" <jvrao@linux.vnet.ibm.com> +Date: Wed, 29 Jun 2011 18:06:33 -0700 +Subject: net/9p: Fix the msize calculation. + +From: "Venkateswararao Jujjuri (JV)" <jvrao@linux.vnet.ibm.com> + +commit c9ffb05ca5b5098d6ea468c909dd384d90da7d54 upstream. + +msize represents the maximum PDU size that includes P9_IOHDRSZ. + +Signed-off-by: Venkateswararao Jujjuri "<jvrao@linux.vnet.ibm.com> +Signed-off-by: Aneesh Kumar K.V <aneesh.kumar@linux.vnet.ibm.com> +Signed-off-by: Eric Van Hensbergen <ericvh@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/9p/client.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/9p/client.c ++++ b/net/9p/client.c +@@ -708,8 +708,8 @@ struct p9_client *p9_client_create(const + if (err) + goto destroy_fidpool; + +- if ((clnt->msize+P9_IOHDRSZ) > clnt->trans_mod->maxsize) +- clnt->msize = clnt->trans_mod->maxsize-P9_IOHDRSZ; ++ if (clnt->msize > clnt->trans_mod->maxsize) ++ clnt->msize = clnt->trans_mod->maxsize; + + err = p9_client_version(clnt); + if (err) diff --git a/releases/2.6.33.20/net-fix-a-memmove-bug-in-dev_gro_receive.patch b/releases/2.6.33.20/net-fix-a-memmove-bug-in-dev_gro_receive.patch new file mode 100644 index 0000000..0cc8415 --- /dev/null +++ b/releases/2.6.33.20/net-fix-a-memmove-bug-in-dev_gro_receive.patch @@ -0,0 +1,42 @@ +From e5093aec2e6b60c3df2420057ffab9ed4a6d2792 Mon Sep 17 00:00:00 2001 +From: Jarek Poplawski <jarkao2@gmail.com> +Date: Wed, 11 Aug 2010 02:02:10 +0000 +Subject: net: Fix a memmove bug in dev_gro_receive() + +From: Jarek Poplawski <jarkao2@gmail.com> + +commit e5093aec2e6b60c3df2420057ffab9ed4a6d2792 upstream. + +>Xin Xiaohui wrote: +> I looked into the code dev_gro_receive(), found the code here: +> if the frags[0] is pulled to 0, then the page will be released, +> and memmove() frags left. +> Is that right? I'm not sure if memmove do right or not, but +> frags[0].size is never set after memove at least. what I think +> a simple way is not to do anything if we found frags[0].size == 0. +> The patch is as followed. +... + +This version of the patch fixes the bug directly in memmove. + +Reported-by: "Xin, Xiaohui" <xiaohui.xin@intel.com> +Signed-off-by: Jarek Poplawski <jarkao2@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Cc: Ben Hutchings <bhutchings@solarflare.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/core/dev.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/net/core/dev.c ++++ b/net/core/dev.c +@@ -2664,7 +2664,7 @@ pull: + put_page(skb_shinfo(skb)->frags[0].page); + memmove(skb_shinfo(skb)->frags, + skb_shinfo(skb)->frags + 1, +- --skb_shinfo(skb)->nr_frags); ++ --skb_shinfo(skb)->nr_frags * sizeof(skb_frag_t)); + } + } + diff --git a/releases/2.6.33.20/net_sched-fix-qdisc_notify.patch b/releases/2.6.33.20/net_sched-fix-qdisc_notify.patch new file mode 100644 index 0000000..5903dd0 --- /dev/null +++ b/releases/2.6.33.20/net_sched-fix-qdisc_notify.patch @@ -0,0 +1,69 @@ +From 53b0f08042f04813cd1a7473dacd3edfacb28eb3 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Sat, 22 May 2010 20:37:44 +0000 +Subject: net_sched: Fix qdisc_notify() + +From: Eric Dumazet <eric.dumazet@gmail.com> + +commit 53b0f08042f04813cd1a7473dacd3edfacb28eb3 upstream. + +Ben Pfaff reported a kernel oops and provided a test program to +reproduce it. + +https://kerneltrap.org/mailarchive/linux-netdev/2010/5/21/6277805 + +tc_fill_qdisc() should not be called for builtin qdisc, or it +dereference a NULL pointer to get device ifindex. + +Fix is to always use tc_qdisc_dump_ignore() before calling +tc_fill_qdisc(). + +Reported-by: Ben Pfaff <blp@nicira.com> +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/sched/sch_api.c | 14 +++++++------- + 1 file changed, 7 insertions(+), 7 deletions(-) + +--- a/net/sched/sch_api.c ++++ b/net/sched/sch_api.c +@@ -1195,6 +1195,11 @@ nla_put_failure: + return -1; + } + ++static bool tc_qdisc_dump_ignore(struct Qdisc *q) ++{ ++ return (q->flags & TCQ_F_BUILTIN) ? true : false; ++} ++ + static int qdisc_notify(struct sk_buff *oskb, struct nlmsghdr *n, + u32 clid, struct Qdisc *old, struct Qdisc *new) + { +@@ -1205,11 +1210,11 @@ static int qdisc_notify(struct sk_buff * + if (!skb) + return -ENOBUFS; + +- if (old && old->handle) { ++ if (old && !tc_qdisc_dump_ignore(old)) { + if (tc_fill_qdisc(skb, old, clid, pid, n->nlmsg_seq, 0, RTM_DELQDISC) < 0) + goto err_out; + } +- if (new) { ++ if (new && !tc_qdisc_dump_ignore(new)) { + if (tc_fill_qdisc(skb, new, clid, pid, n->nlmsg_seq, old ? NLM_F_REPLACE : 0, RTM_NEWQDISC) < 0) + goto err_out; + } +@@ -1222,11 +1227,6 @@ err_out: + return -EINVAL; + } + +-static bool tc_qdisc_dump_ignore(struct Qdisc *q) +-{ +- return (q->flags & TCQ_F_BUILTIN) ? true : false; +-} +- + static int tc_dump_qdisc_root(struct Qdisc *root, struct sk_buff *skb, + struct netlink_callback *cb, + int *q_idx_p, int s_q_idx) diff --git a/releases/2.6.33.20/nfsd4-fix-seqid_mutating_error.patch b/releases/2.6.33.20/nfsd4-fix-seqid_mutating_error.patch new file mode 100644 index 0000000..721425b --- /dev/null +++ b/releases/2.6.33.20/nfsd4-fix-seqid_mutating_error.patch @@ -0,0 +1,59 @@ +From 576163005de286bbd418fcb99cfd0971523a0c6d Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Wed, 10 Aug 2011 19:16:22 -0400 +Subject: nfsd4: fix seqid_mutating_error + +From: "J. Bruce Fields" <bfields@redhat.com> + +commit 576163005de286bbd418fcb99cfd0971523a0c6d upstream. + +The set of errors here does *not* agree with the set of errors specified +in the rfc! + +While we're there, turn this macros into a function, for the usual +reasons, and move it to the one place where it's actually used. + +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/nfsd/nfs4xdr.c | 12 ++++++++++++ + fs/nfsd/state.h | 6 ------ + 2 files changed, 12 insertions(+), 6 deletions(-) + +--- a/fs/nfsd/nfs4xdr.c ++++ b/fs/nfsd/nfs4xdr.c +@@ -1507,6 +1507,18 @@ static void write_cinfo(__be32 **p, stru + \ + save = resp->p; + ++static bool seqid_mutating_err(__be32 err) ++{ ++ /* rfc 3530 section 8.1.5: */ ++ return err != nfserr_stale_clientid && ++ err != nfserr_stale_stateid && ++ err != nfserr_bad_stateid && ++ err != nfserr_bad_seqid && ++ err != nfserr_bad_xdr && ++ err != nfserr_resource && ++ err != nfserr_nofilehandle; ++} ++ + /* + * Routine for encoding the result of a "seqid-mutating" NFSv4 operation. This + * is where sequence id's are incremented, and the replay cache is filled. +--- a/fs/nfsd/state.h ++++ b/fs/nfsd/state.h +@@ -363,12 +363,6 @@ struct nfs4_stateid { + #define WR_STATE 0x00000020 + #define CLOSE_STATE 0x00000040 + +-#define seqid_mutating_err(err) \ +- (((err) != nfserr_stale_clientid) && \ +- ((err) != nfserr_bad_seqid) && \ +- ((err) != nfserr_stale_stateid) && \ +- ((err) != nfserr_bad_stateid)) +- + struct nfsd4_compound_state; + + extern __be32 nfs4_preprocess_stateid_op(struct nfsd4_compound_state *cstate, diff --git a/releases/2.6.33.20/nfsd4-ignore-want-bits-in-open-downgrade.patch b/releases/2.6.33.20/nfsd4-ignore-want-bits-in-open-downgrade.patch new file mode 100644 index 0000000..51e16df --- /dev/null +++ b/releases/2.6.33.20/nfsd4-ignore-want-bits-in-open-downgrade.patch @@ -0,0 +1,30 @@ +From c30e92df30d7d5fe65262fbce5d1b7de675fe34e Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Mon, 10 Oct 2011 17:34:31 -0400 +Subject: nfsd4: ignore WANT bits in open downgrade + +From: "J. Bruce Fields" <bfields@redhat.com> + +commit c30e92df30d7d5fe65262fbce5d1b7de675fe34e upstream. + +We don't use WANT bits yet--and sending them can probably trigger a +BUG() further down. + +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/nfsd/nfs4state.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/fs/nfsd/nfs4state.c ++++ b/fs/nfsd/nfs4state.c +@@ -3062,6 +3062,8 @@ nfsd4_open_downgrade(struct svc_rqst *rq + if (!access_valid(od->od_share_access, cstate->minorversion) + || !deny_valid(od->od_share_deny)) + return nfserr_inval; ++ /* We don't yet support WANT bits: */ ++ od->od_share_access &= NFS4_SHARE_ACCESS_MASK; + + nfs4_lock_state(); + if ((status = nfs4_preprocess_seqid_op(cstate, diff --git a/releases/2.6.33.20/nfsd4-remove-check-for-a-32-bit-cookie-in-nfsd4_readdir.patch b/releases/2.6.33.20/nfsd4-remove-check-for-a-32-bit-cookie-in-nfsd4_readdir.patch new file mode 100644 index 0000000..e35c0ce --- /dev/null +++ b/releases/2.6.33.20/nfsd4-remove-check-for-a-32-bit-cookie-in-nfsd4_readdir.patch @@ -0,0 +1,34 @@ +From 832023bffb4b493f230be901f681020caf3ed1f8 Mon Sep 17 00:00:00 2001 +From: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de> +Date: Mon, 8 Aug 2011 17:38:08 +0200 +Subject: nfsd4: Remove check for a 32-bit cookie in nfsd4_readdir() + +From: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de> + +commit 832023bffb4b493f230be901f681020caf3ed1f8 upstream. + +Fan Yong <yong.fan@whamcloud.com> noticed setting +FMODE_32bithash wouldn't work with nfsd v4, as +nfsd4_readdir() checks for 32 bit cookies. However, according to RFC 3530 +cookies have a 64 bit type and cookies are also defined as u64 in +'struct nfsd4_readdir'. So remove the test for >32-bit values. + +Signed-off-by: Bernd Schubert <bernd.schubert@itwm.fraunhofer.de> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/nfsd/nfs4proc.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/fs/nfsd/nfs4proc.c ++++ b/fs/nfsd/nfs4proc.c +@@ -677,7 +677,7 @@ nfsd4_readdir(struct svc_rqst *rqstp, st + readdir->rd_bmval[1] &= nfsd_suppattrs1(cstate->minorversion); + readdir->rd_bmval[2] &= nfsd_suppattrs2(cstate->minorversion); + +- if ((cookie > ~(u32)0) || (cookie == 1) || (cookie == 2) || ++ if ((cookie == 1) || (cookie == 2) || + (cookie == 0 && memcmp(readdir->rd_verf.data, zeroverf.data, NFS4_VERIFIER_SIZE))) + return nfserr_bad_cookie; + diff --git a/releases/2.6.33.20/nl80211-fix-overflow-in-ssid_len.patch b/releases/2.6.33.20/nl80211-fix-overflow-in-ssid_len.patch new file mode 100644 index 0000000..76ed840 --- /dev/null +++ b/releases/2.6.33.20/nl80211-fix-overflow-in-ssid_len.patch @@ -0,0 +1,46 @@ +From 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 Mon Sep 17 00:00:00 2001 +From: Luciano Coelho <coelho@ti.com> +Date: Tue, 7 Jun 2011 20:42:26 +0300 +Subject: nl80211: fix overflow in ssid_len + +From: Luciano Coelho <coelho@ti.com> + +commit 57a27e1d6a3bb9ad4efeebd3a8c71156d6207536 upstream. + +When one of the SSID's length passed in a scan or sched_scan request +is larger than 255, there will be an overflow in the u8 that is used +to store the length before checking. This causes the check to fail +and we overrun the buffer when copying the SSID. + +Fix this by checking the nl80211 attribute length before copying it to +the struct. + +This is a follow up for the previous commit +208c72f4fe44fe09577e7975ba0e7fa0278f3d03, which didn't fix the problem +entirely. + +Reported-by: Ido Yariv <ido@wizery.com> +Signed-off-by: Luciano Coelho <coelho@ti.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/wireless/nl80211.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/net/wireless/nl80211.c ++++ b/net/wireless/nl80211.c +@@ -3078,11 +3078,11 @@ static int nl80211_trigger_scan(struct s + i = 0; + if (info->attrs[NL80211_ATTR_SCAN_SSIDS]) { + nla_for_each_nested(attr, info->attrs[NL80211_ATTR_SCAN_SSIDS], tmp) { +- request->ssids[i].ssid_len = nla_len(attr); +- if (request->ssids[i].ssid_len > IEEE80211_MAX_SSID_LEN) { ++ if (nla_len(attr) > IEEE80211_MAX_SSID_LEN) { + err = -EINVAL; + goto out_free; + } ++ request->ssids[i].ssid_len = nla_len(attr); + memcpy(request->ssids[i].ssid, nla_data(attr), nla_len(attr)); + i++; + } diff --git a/releases/2.6.33.20/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch b/releases/2.6.33.20/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch new file mode 100644 index 0000000..8015c65 --- /dev/null +++ b/releases/2.6.33.20/nlm-don-t-hang-forever-on-nlm-unlock-requests.patch @@ -0,0 +1,78 @@ +From 0b760113a3a155269a3fba93a409c640031dd68f Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Tue, 31 May 2011 15:15:34 -0400 +Subject: NLM: Don't hang forever on NLM unlock requests + +From: Trond Myklebust <Trond.Myklebust@netapp.com> + +commit 0b760113a3a155269a3fba93a409c640031dd68f upstream. + +If the NLM daemon is killed on the NFS server, we can currently end up +hanging forever on an 'unlock' request, instead of aborting. Basically, +if the rpcbind request fails, or the server keeps returning garbage, we +really want to quit instead of retrying. + +Tested-by: Vasily Averin <vvs@sw.ru> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + + +--- + fs/lockd/clntproc.c | 8 +++++++- + include/linux/sunrpc/sched.h | 4 ++-- + net/sunrpc/clnt.c | 3 +++ + net/sunrpc/sched.c | 1 + + 4 files changed, 13 insertions(+), 3 deletions(-) + +--- a/fs/lockd/clntproc.c ++++ b/fs/lockd/clntproc.c +@@ -709,7 +709,13 @@ static void nlmclnt_unlock_callback(stru + + if (task->tk_status < 0) { + dprintk("lockd: unlock failed (err = %d)\n", -task->tk_status); +- goto retry_rebind; ++ switch (task->tk_status) { ++ case -EACCES: ++ case -EIO: ++ goto die; ++ default: ++ goto retry_rebind; ++ } + } + if (status == NLM_LCK_DENIED_GRACE_PERIOD) { + rpc_delay(task, NLMCLNT_GRACE_WAIT); +--- a/include/linux/sunrpc/sched.h ++++ b/include/linux/sunrpc/sched.h +@@ -84,8 +84,8 @@ struct rpc_task { + long tk_rtt; /* round-trip time (jiffies) */ + + pid_t tk_owner; /* Process id for batching tasks */ +- unsigned char tk_priority : 2;/* Task priority */ +- ++ unsigned char tk_priority : 2,/* Task priority */ ++ tk_rebind_retry : 2; + #ifdef RPC_DEBUG + unsigned short tk_pid; /* debugging aid */ + #endif +--- a/net/sunrpc/clnt.c ++++ b/net/sunrpc/clnt.c +@@ -1052,6 +1052,9 @@ call_bind_status(struct rpc_task *task) + status = -EOPNOTSUPP; + break; + } ++ if (task->tk_rebind_retry == 0) ++ break; ++ task->tk_rebind_retry--; + rpc_delay(task, 3*HZ); + goto retry_timeout; + case -ETIMEDOUT: +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -799,6 +799,7 @@ static void rpc_init_task(struct rpc_tas + /* Initialize retry counters */ + task->tk_garb_retry = 2; + task->tk_cred_retry = 2; ++ task->tk_rebind_retry = 2; + + task->tk_priority = task_setup_data->priority - RPC_PRIORITY_LOW; + task->tk_owner = current->tgid; diff --git a/releases/2.6.33.20/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-when-that-s-desired.patch b/releases/2.6.33.20/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-when-that-s-desired.patch new file mode 100644 index 0000000..1c025b6 --- /dev/null +++ b/releases/2.6.33.20/plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-when-that-s-desired.patch @@ -0,0 +1,52 @@ +From 6571534b600b8ca1936ff5630b9e0947f21faf16 Mon Sep 17 00:00:00 2001 +From: Paul Fertser <fercerpav@gmail.com> +Date: Mon, 10 Oct 2011 11:19:23 +0400 +Subject: plat-mxc: iomux-v3.h: implicitly enable pull-up/down when that's desired + +From: Paul Fertser <fercerpav@gmail.com> + +commit 6571534b600b8ca1936ff5630b9e0947f21faf16 upstream. + +To configure pads during the initialisation a set of special constants +is used, e.g. +#define MX25_PAD_FEC_MDIO__FEC_MDIO IOMUX_PAD(0x3c4, 0x1cc, 0x10, 0, 0, PAD_CTL_HYS | PAD_CTL_PUS_22K_UP) + +The problem is that no pull-up/down is getting activated unless both +PAD_CTL_PUE (pull-up enable) and PAD_CTL_PKE (pull/keeper module +enable) set. This is clearly stated in the i.MX25 datasheet and is +confirmed by the measurements on hardware. This leads to some rather +hard to understand bugs such as misdetecting an absent ethernet PHY (a +real bug i had), unstable data transfer etc. This might affect mx25, +mx35, mx50, mx51 and mx53 SoCs. + +It's reasonable to expect that if the pullup value is specified, the +intention was to have it actually active, so we implicitly add the +needed bits. + +Signed-off-by: Paul Fertser <fercerpav@gmail.com> +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/arm/plat-mxc/include/mach/iomux-v3.h | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +--- a/arch/arm/plat-mxc/include/mach/iomux-v3.h ++++ b/arch/arm/plat-mxc/include/mach/iomux-v3.h +@@ -73,11 +73,11 @@ struct pad_desc { + #define PAD_CTL_HYS (1 << 8) + + #define PAD_CTL_PKE (1 << 7) +-#define PAD_CTL_PUE (1 << 6) +-#define PAD_CTL_PUS_100K_DOWN (0 << 4) +-#define PAD_CTL_PUS_47K_UP (1 << 4) +-#define PAD_CTL_PUS_100K_UP (2 << 4) +-#define PAD_CTL_PUS_22K_UP (3 << 4) ++#define PAD_CTL_PUE (1 << 6 | PAD_CTL_PKE) ++#define PAD_CTL_PUS_100K_DOWN (0 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_47K_UP (1 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_100K_UP (2 << 4 | PAD_CTL_PUE) ++#define PAD_CTL_PUS_22K_UP (3 << 4 | PAD_CTL_PUE) + + #define PAD_CTL_ODE (1 << 3) + diff --git a/releases/2.6.33.20/powerpc-pci-check-devices-status-property-when-scanning-of.patch b/releases/2.6.33.20/powerpc-pci-check-devices-status-property-when-scanning-of.patch new file mode 100644 index 0000000..67cd310 --- /dev/null +++ b/releases/2.6.33.20/powerpc-pci-check-devices-status-property-when-scanning-of.patch @@ -0,0 +1,37 @@ +From 5b339bdf164d8aee394609768f7e2e4415b0252a Mon Sep 17 00:00:00 2001 +From: Sonny Rao <sonnyrao@us.ibm.com> +Date: Mon, 10 May 2010 15:13:41 +0000 +Subject: powerpc/pci: Check devices status property when scanning OF tree + +From: Sonny Rao <sonnyrao@us.ibm.com> + +commit 5b339bdf164d8aee394609768f7e2e4415b0252a upstream. + +We ran into an issue where it looks like we're not properly ignoring a +pci device with a non-good status property when we walk the device tree +and instanciate the Linux side PCI devices. + +However, the EEH init code does look for the property and disables EEH +on these devices. This leaves us in an inconsistent where we are poking +at a supposedly bad piece of hardware and RTAS will block our config +cycles because EEH isn't enabled anyway. + +Signed-of-by: Sonny Rao <sonnyrao@linux.vnet.ibm.com> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/powerpc/kernel/pci_of_scan.c | 2 ++ + 1 file changed, 2 insertions(+) + +--- a/arch/powerpc/kernel/pci_of_scan.c ++++ b/arch/powerpc/kernel/pci_of_scan.c +@@ -310,6 +310,8 @@ static void __devinit __of_scan_bus(stru + /* Scan direct children */ + for_each_child_of_node(node, child) { + pr_debug(" * %s\n", child->full_name); ++ if (!of_device_is_available(child)) ++ continue; + reg = of_get_property(child, "reg", ®len); + if (reg == NULL || reglen < 20) + continue; diff --git a/releases/2.6.33.20/qe-fhci-fixed-the-control-bug.patch b/releases/2.6.33.20/qe-fhci-fixed-the-control-bug.patch new file mode 100644 index 0000000..3d61dd2 --- /dev/null +++ b/releases/2.6.33.20/qe-fhci-fixed-the-control-bug.patch @@ -0,0 +1,64 @@ +From 273d23574f9dacd9c63c80e7d63639a669aad441 Mon Sep 17 00:00:00 2001 +From: Jerry Huang <r66093@freescale.com> +Date: Tue, 18 Oct 2011 13:09:48 +0800 +Subject: QE/FHCI: fixed the CONTROL bug + +From: Jerry Huang <r66093@freescale.com> + +commit 273d23574f9dacd9c63c80e7d63639a669aad441 upstream. + +For USB CONTROL transaction, when the data length is zero, +the IN package is needed to finish this transaction in status stage. + +Signed-off-by: Jerry Huang <r66093@freescale.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/host/fhci-sched.c | 19 +++++++++++++++---- + 1 file changed, 15 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/fhci-sched.c ++++ b/drivers/usb/host/fhci-sched.c +@@ -1,7 +1,7 @@ + /* + * Freescale QUICC Engine USB Host Controller Driver + * +- * Copyright (c) Freescale Semicondutor, Inc. 2006. ++ * Copyright (c) Freescale Semicondutor, Inc. 2006, 2011. + * Shlomi Gridish <gridish@freescale.com> + * Jerry Huang <Chang-Ming.Huang@freescale.com> + * Copyright (c) Logic Product Development, Inc. 2007 +@@ -810,9 +810,11 @@ void fhci_queue_urb(struct fhci_hcd *fhc + ed->dev_addr = usb_pipedevice(urb->pipe); + ed->max_pkt_size = usb_maxpacket(urb->dev, urb->pipe, + usb_pipeout(urb->pipe)); ++ /* setup stage */ + td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, FHCI_TA_SETUP, + USB_TD_TOGGLE_DATA0, urb->setup_packet, 8, 0, 0, true); + ++ /* data stage */ + if (data_len > 0) { + td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, + usb_pipeout(urb->pipe) ? FHCI_TA_OUT : +@@ -820,9 +822,18 @@ void fhci_queue_urb(struct fhci_hcd *fhc + USB_TD_TOGGLE_DATA1, data, data_len, 0, 0, + true); + } +- td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, +- usb_pipeout(urb->pipe) ? FHCI_TA_IN : FHCI_TA_OUT, +- USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ ++ /* status stage */ ++ if (data_len > 0) ++ td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, ++ (usb_pipeout(urb->pipe) ? FHCI_TA_IN : ++ FHCI_TA_OUT), ++ USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ else ++ td = fhci_td_fill(fhci, urb, urb_priv, ed, cnt++, ++ FHCI_TA_IN, ++ USB_TD_TOGGLE_DATA1, data, 0, 0, 0, true); ++ + urb_state = US_CTRL_SETUP; + break; + case FHCI_TF_ISO: diff --git a/releases/2.6.33.20/qla2xxx-correct-inadvertent-loop-state-transitions-during-port-update-handling.patch b/releases/2.6.33.20/qla2xxx-correct-inadvertent-loop-state-transitions-during-port-update-handling.patch new file mode 100644 index 0000000..1b531d7 --- /dev/null +++ b/releases/2.6.33.20/qla2xxx-correct-inadvertent-loop-state-transitions-during-port-update-handling.patch @@ -0,0 +1,51 @@ +From 58b48576966ed0afd3f63ef17480ec12748a7119 Mon Sep 17 00:00:00 2001 +From: Andrew Vasquez <andrew.vasquez@qlogic.com> +Date: Tue, 16 Aug 2011 11:29:28 -0700 +Subject: [SCSI] qla2xxx: Correct inadvertent loop state transitions during port-update handling. + +From: Andrew Vasquez <andrew.vasquez@qlogic.com> + +commit 58b48576966ed0afd3f63ef17480ec12748a7119 upstream. + +Transitioning to a LOOP_UPDATE loop-state could cause the driver +to miss normal link/target processing. LOOP_UPDATE is a crufty +artifact leftover from at time the driver performed it's own +internal command-queuing. Safely remove this state. + +Signed-off-by: Andrew Vasquez <andrew.vasquez@qlogic.com> +Signed-off-by: Chad Dupuis <chad.dupuis@qlogic.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> + +--- + drivers/scsi/qla2xxx/qla_init.c | 3 --- + drivers/scsi/qla2xxx/qla_isr.c | 1 - + 2 files changed, 4 deletions(-) + +--- a/drivers/scsi/qla2xxx/qla_init.c ++++ b/drivers/scsi/qla2xxx/qla_init.c +@@ -3481,15 +3481,12 @@ qla2x00_loop_resync(scsi_qla_host_t *vha + req = vha->req; + rsp = req->rsp; + +- atomic_set(&vha->loop_state, LOOP_UPDATE); + clear_bit(ISP_ABORT_RETRY, &vha->dpc_flags); + if (vha->flags.online) { + if (!(rval = qla2x00_fw_ready(vha))) { + /* Wait at most MAX_TARGET RSCNs for a stable link. */ + wait_time = 256; + do { +- atomic_set(&vha->loop_state, LOOP_UPDATE); +- + /* Issue a marker after FW becomes ready. */ + qla2x00_marker(vha, req, rsp, 0, 0, + MK_SYNC_ALL); +--- a/drivers/scsi/qla2xxx/qla_isr.c ++++ b/drivers/scsi/qla2xxx/qla_isr.c +@@ -723,7 +723,6 @@ skip_rio: + vha->flags.rscn_queue_overflow = 1; + } + +- atomic_set(&vha->loop_state, LOOP_UPDATE); + atomic_set(&vha->loop_down_timer, 0); + vha->flags.management_server_logged_in = 0; + diff --git a/releases/2.6.33.20/revert-mips-mtx-1-make-au1000_eth-probe-all-phy.patch b/releases/2.6.33.20/revert-mips-mtx-1-make-au1000_eth-probe-all-phy.patch new file mode 100644 index 0000000..5064b7a --- /dev/null +++ b/releases/2.6.33.20/revert-mips-mtx-1-make-au1000_eth-probe-all-phy.patch @@ -0,0 +1,48 @@ +From florian@openwrt.org Wed Nov 2 14:06:55 2011 +From: Florian Fainelli <florian@openwrt.org> +Date: Mon, 17 Oct 2011 19:43:06 +0200 +Subject: Revert "MIPS: MTX-1: Make au1000_eth probe all PHY +To: ralf@linux-mips.org, linux-mips@linux-mips.org, Greg KH <gregkh@suse.de> +Message-ID: <201110171943.06143.florian@openwrt.org> + +From: Florian Fainelli <florian@openwrt.org> + +Commit 34dce55d was not applicable in 2.6.33 and introduces a build breakage. +Revert that commit since it is irrelevant for this kernel version. + +Acked-by: Ralf Baechle <ralf@linux-mips.org> +Signed-off-by: Florian Fainelli <florian@openwrt.org> + +--- + arch/mips/alchemy/mtx-1/platform.c | 9 --------- + 1 file changed, 9 deletions(-) + +--- a/arch/mips/alchemy/mtx-1/platform.c ++++ b/arch/mips/alchemy/mtx-1/platform.c +@@ -28,8 +28,6 @@ + #include <linux/mtd/physmap.h> + #include <mtd/mtd-abi.h> + +-#include <asm/mach-au1x00/au1xxx_eth.h> +- + static struct gpio_keys_button mtx1_gpio_button[] = { + { + .gpio = 207, +@@ -142,17 +140,10 @@ static struct __initdata platform_device + &mtx1_mtd, + }; + +-static struct au1000_eth_platform_data mtx1_au1000_eth0_pdata = { +- .phy_search_highest_addr = 1, +- .phy1_search_mac0 = 1, +-}; +- + static int __init mtx1_register_devices(void) + { + int rc; + +- au1xxx_override_eth_cfg(0, &mtx1_au1000_eth0_pdata); +- + rc = gpio_request(mtx1_gpio_button[0].gpio, + mtx1_gpio_button[0].desc); + if (rc < 0) { diff --git a/releases/2.6.33.20/revert-usb-musb-restore-index-register-in-resume-path.patch b/releases/2.6.33.20/revert-usb-musb-restore-index-register-in-resume-path.patch new file mode 100644 index 0000000..9a3ef09 --- /dev/null +++ b/releases/2.6.33.20/revert-usb-musb-restore-index-register-in-resume-path.patch @@ -0,0 +1,32 @@ +From c7552a202dea01d2861f0a1629edb362f78a029d Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@suse.de> +Date: Wed, 2 Nov 2011 14:04:11 -0700 +Subject: Revert "usb: musb: restore INDEX register in resume path" + +From: Greg Kroah-Hartman <gregkh@suse.de> + +This reverts commit 5aa8a93b5d44724f1f63357b300eca208fb069d0. + +Turns out this breaks the build, and as such, really isn't needed for +the 2.6.33-stable branch at all. + +Reported-by: Phil Carmody <ext-phil.2.carmody@nokia.com> +Cc: Anand Gadiyar <gadiyar@ti.com> +Cc: Ajay Kumar Gupta <ajay.gupta@ti.com> +Cc: Felipe Balbi <balbi@ti.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/musb/musb_core.c | 1 - + 1 file changed, 1 deletion(-) + +--- a/drivers/usb/musb/musb_core.c ++++ b/drivers/usb/musb/musb_core.c +@@ -1640,7 +1640,6 @@ void musb_dma_completion(struct musb *mu + } + } + } +- musb_writeb(musb_base, MUSB_INDEX, musb->context.index); + } + + #else diff --git a/releases/2.6.33.20/revert-x86-hotplug-use-mwait-to-offline-a-processor-fix-the.patch b/releases/2.6.33.20/revert-x86-hotplug-use-mwait-to-offline-a-processor-fix-the.patch new file mode 100644 index 0000000..dc389dc --- /dev/null +++ b/releases/2.6.33.20/revert-x86-hotplug-use-mwait-to-offline-a-processor-fix-the.patch @@ -0,0 +1,154 @@ +From 56c8dceec742223755ad71c489cdf7b5fb551292 Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@suse.de> +Date: Tue, 30 Aug 2011 15:35:11 -0700 +Subject: Revert "x86, hotplug: Use mwait to offline a processor, fix the legacy case" + +From: Greg Kroah-Hartman <gregkh@suse.de> + +This reverts commit 226917b0735f31cf5c704e07fdd590d99bbfae58 (upstream +ea53069231f9317062910d6e772cca4ce93de8c8 and +a68e5c94f7d3dd64fef34dd5d97e365cae4bb42a and +ce5f68246bf2385d6174856708d0b746dc378f20 all mushed together) as +Jonathan Nieder reports that this causes a regression on some hardware. + +More details can be found at http://bugs.debian.org/622259 + +Cc: Jonathan Nieder <jrnieder@gmail.com> +Cc: H. Peter Anvin <hpa@linux.intel.com> +Cc: Len Brown <len.brown@intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + arch/x86/include/asm/processor.h | 23 ++++++++++ + arch/x86/kernel/smpboot.c | 85 --------------------------------------- + 2 files changed, 24 insertions(+), 84 deletions(-) + +--- a/arch/x86/include/asm/processor.h ++++ b/arch/x86/include/asm/processor.h +@@ -767,6 +767,29 @@ extern unsigned long boot_option_idle_o + extern unsigned long idle_halt; + extern unsigned long idle_nomwait; + ++/* ++ * on systems with caches, caches must be flashed as the absolute ++ * last instruction before going into a suspended halt. Otherwise, ++ * dirty data can linger in the cache and become stale on resume, ++ * leading to strange errors. ++ * ++ * perform a variety of operations to guarantee that the compiler ++ * will not reorder instructions. wbinvd itself is serializing ++ * so the processor will not reorder. ++ * ++ * Systems without cache can just go into halt. ++ */ ++static inline void wbinvd_halt(void) ++{ ++ mb(); ++ /* check for clflush to determine if wbinvd is legal */ ++ if (cpu_has_clflush) ++ asm volatile("cli; wbinvd; 1: hlt; jmp 1b" : : : "memory"); ++ else ++ while (1) ++ halt(); ++} ++ + extern void enable_sep_cpu(void); + extern int sysenter_setup(void); + +--- a/arch/x86/kernel/smpboot.c ++++ b/arch/x86/kernel/smpboot.c +@@ -1329,94 +1329,11 @@ void play_dead_common(void) + local_irq_disable(); + } + +-#define MWAIT_SUBSTATE_MASK 0xf +-#define MWAIT_SUBSTATE_SIZE 4 +- +-#define CPUID_MWAIT_LEAF 5 +-#define CPUID5_ECX_EXTENSIONS_SUPPORTED 0x1 +- +-/* +- * We need to flush the caches before going to sleep, lest we have +- * dirty data in our caches when we come back up. +- */ +-static inline void mwait_play_dead(void) +-{ +- unsigned int eax, ebx, ecx, edx; +- unsigned int highest_cstate = 0; +- unsigned int highest_subcstate = 0; +- int i; +- void *mwait_ptr; +- +- if (!cpu_has(¤t_cpu_data, X86_FEATURE_MWAIT)) +- return; +- if (!cpu_has(¤t_cpu_data, X86_FEATURE_CLFLSH)) +- return; +- if (current_cpu_data.cpuid_level < CPUID_MWAIT_LEAF) +- return; +- +- eax = CPUID_MWAIT_LEAF; +- ecx = 0; +- native_cpuid(&eax, &ebx, &ecx, &edx); +- +- /* +- * eax will be 0 if EDX enumeration is not valid. +- * Initialized below to cstate, sub_cstate value when EDX is valid. +- */ +- if (!(ecx & CPUID5_ECX_EXTENSIONS_SUPPORTED)) { +- eax = 0; +- } else { +- edx >>= MWAIT_SUBSTATE_SIZE; +- for (i = 0; i < 7 && edx; i++, edx >>= MWAIT_SUBSTATE_SIZE) { +- if (edx & MWAIT_SUBSTATE_MASK) { +- highest_cstate = i; +- highest_subcstate = edx & MWAIT_SUBSTATE_MASK; +- } +- } +- eax = (highest_cstate << MWAIT_SUBSTATE_SIZE) | +- (highest_subcstate - 1); +- } +- +- /* +- * This should be a memory location in a cache line which is +- * unlikely to be touched by other processors. The actual +- * content is immaterial as it is not actually modified in any way. +- */ +- mwait_ptr = ¤t_thread_info()->flags; +- +- wbinvd(); +- +- while (1) { +- /* +- * The CLFLUSH is a workaround for erratum AAI65 for +- * the Xeon 7400 series. It's not clear it is actually +- * needed, but it should be harmless in either case. +- * The WBINVD is insufficient due to the spurious-wakeup +- * case where we return around the loop. +- */ +- clflush(mwait_ptr); +- __monitor(mwait_ptr, 0, 0); +- mb(); +- __mwait(eax, 0); +- } +-} +- +-static inline void hlt_play_dead(void) +-{ +- if (current_cpu_data.x86 >= 4) +- wbinvd(); +- +- while (1) { +- native_halt(); +- } +-} +- + void native_play_dead(void) + { + play_dead_common(); + tboot_shutdown(TB_SHUTDOWN_WFS); +- +- mwait_play_dead(); /* Only returns on failure */ +- hlt_play_dead(); ++ wbinvd_halt(); + } + + #else /* ... !CONFIG_HOTPLUG_CPU */ diff --git a/releases/2.6.33.20/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch b/releases/2.6.33.20/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch new file mode 100644 index 0000000..e1972a5 --- /dev/null +++ b/releases/2.6.33.20/rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch @@ -0,0 +1,80 @@ +From 543cc38c8fe86deba4169977c61eb88491036837 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Fri, 12 Aug 2011 14:02:04 +0200 +Subject: rt2x00: do not drop usb dev reference counter on suspend + +From: Stanislaw Gruszka <sgruszka@redhat.com> + +commit 543cc38c8fe86deba4169977c61eb88491036837 upstream. + +When hibernating ->resume may not be called by usb core, but disconnect +and probe instead, so we do not increase the counter after decreasing +it in ->supend. As a result we free memory early, and get crash when +unplugging usb dongle. + +BUG: unable to handle kernel paging request at 6b6b6b9f +IP: [<c06909b0>] driver_sysfs_remove+0x10/0x30 +*pdpt = 0000000034f21001 *pde = 0000000000000000 +Pid: 20, comm: khubd Not tainted 3.1.0-rc1-wl+ #20 LENOVO 6369CTO/6369CTO +EIP: 0060:[<c06909b0>] EFLAGS: 00010202 CPU: 1 +EIP is at driver_sysfs_remove+0x10/0x30 +EAX: 6b6b6b6b EBX: f52bba34 ECX: 00000000 EDX: 6b6b6b6b +ESI: 6b6b6b6b EDI: c0a0ea20 EBP: f61c9e68 ESP: f61c9e64 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +Process khubd (pid: 20, ti=f61c8000 task=f6138270 task.ti=f61c8000) +Call Trace: + [<c06909ef>] __device_release_driver+0x1f/0xa0 + [<c0690b20>] device_release_driver+0x20/0x40 + [<c068fd64>] bus_remove_device+0x84/0xe0 + [<c068e12a>] ? device_remove_attrs+0x2a/0x80 + [<c068e267>] device_del+0xe7/0x170 + [<c06d93d4>] usb_disconnect+0xd4/0x180 + [<c06d9d61>] hub_thread+0x691/0x1600 + [<c0473260>] ? wake_up_bit+0x30/0x30 + [<c0442a39>] ? complete+0x49/0x60 + [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 + [<c06d96d0>] ? hub_disconnect+0xd0/0xd0 + [<c0472eb4>] kthread+0x74/0x80 + [<c0472e40>] ? kthread_worker_fn+0x150/0x150 + [<c0809b3e>] kernel_thread_helper+0x6/0x10 + +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Acked-by: Ivo van Doorn <IvDoorn@gmail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/wireless/rt2x00/rt2x00usb.c | 14 +------------- + 1 file changed, 1 insertion(+), 13 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2x00usb.c ++++ b/drivers/net/wireless/rt2x00/rt2x00usb.c +@@ -705,18 +705,8 @@ int rt2x00usb_suspend(struct usb_interfa + { + struct ieee80211_hw *hw = usb_get_intfdata(usb_intf); + struct rt2x00_dev *rt2x00dev = hw->priv; +- int retval; + +- retval = rt2x00lib_suspend(rt2x00dev, state); +- if (retval) +- return retval; +- +- /* +- * Decrease usbdev refcount. +- */ +- usb_put_dev(interface_to_usbdev(usb_intf)); +- +- return 0; ++ return rt2x00lib_suspend(rt2x00dev, state); + } + EXPORT_SYMBOL_GPL(rt2x00usb_suspend); + +@@ -725,8 +715,6 @@ int rt2x00usb_resume(struct usb_interfac + struct ieee80211_hw *hw = usb_get_intfdata(usb_intf); + struct rt2x00_dev *rt2x00dev = hw->priv; + +- usb_get_dev(interface_to_usbdev(usb_intf)); +- + return rt2x00lib_resume(rt2x00dev); + } + EXPORT_SYMBOL_GPL(rt2x00usb_resume); diff --git a/releases/2.6.33.20/rtl2800usb-fix-incorrect-storage-of-mac-address-on.patch b/releases/2.6.33.20/rtl2800usb-fix-incorrect-storage-of-mac-address-on.patch new file mode 100644 index 0000000..ee1cb84 --- /dev/null +++ b/releases/2.6.33.20/rtl2800usb-fix-incorrect-storage-of-mac-address-on.patch @@ -0,0 +1,47 @@ +From daabead1c32f331edcfb255fd973411c667977e8 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Wed, 14 Sep 2011 16:50:23 -0500 +Subject: rtl2800usb: Fix incorrect storage of MAC address on big-endian platforms + +From: Larry Finger <Larry.Finger@lwfinger.net> + +commit daabead1c32f331edcfb255fd973411c667977e8 upstream. + +The eeprom data is stored in little-endian order in the rt2x00 library. +As it was converted to cpu order in the read routines, the data need to +be converted to LE on a big-endian platform. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/net/wireless/rt2x00/rt2800lib.c | 17 +++++++++-------- + 1 file changed, 9 insertions(+), 8 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -1694,14 +1694,15 @@ static void rt2800_efuse_read(struct rt2 + rt2800_regbusy_read(rt2x00dev, EFUSE_CTRL, EFUSE_CTRL_KICK, ®); + + /* Apparently the data is read from end to start */ +- rt2800_register_read_lock(rt2x00dev, EFUSE_DATA3, +- (u32 *)&rt2x00dev->eeprom[i]); +- rt2800_register_read_lock(rt2x00dev, EFUSE_DATA2, +- (u32 *)&rt2x00dev->eeprom[i + 2]); +- rt2800_register_read_lock(rt2x00dev, EFUSE_DATA1, +- (u32 *)&rt2x00dev->eeprom[i + 4]); +- rt2800_register_read_lock(rt2x00dev, EFUSE_DATA0, +- (u32 *)&rt2x00dev->eeprom[i + 6]); ++ rt2800_register_read_lock(rt2x00dev, EFUSE_DATA3, ®); ++ /* The returned value is in CPU order, but eeprom is le */ ++ rt2x00dev->eeprom[i] = cpu_to_le32(reg); ++ rt2800_register_read_lock(rt2x00dev, EFUSE_DATA2, ®); ++ *(u32 *)&rt2x00dev->eeprom[i + 2] = cpu_to_le32(reg); ++ rt2800_register_read_lock(rt2x00dev, EFUSE_DATA1, ®); ++ *(u32 *)&rt2x00dev->eeprom[i + 4] = cpu_to_le32(reg); ++ rt2800_register_read_lock(rt2x00dev, EFUSE_DATA0, ®); ++ *(u32 *)&rt2x00dev->eeprom[i + 6] = cpu_to_le32(reg); + + mutex_unlock(&rt2x00dev->csr_mutex); + } diff --git a/releases/2.6.33.20/scm-lower-scm_max_fd.patch b/releases/2.6.33.20/scm-lower-scm_max_fd.patch new file mode 100644 index 0000000..b2c8f5b --- /dev/null +++ b/releases/2.6.33.20/scm-lower-scm_max_fd.patch @@ -0,0 +1,73 @@ +From bba14de98753cb6599a2dae0e520714b2153522d Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Tue, 23 Nov 2010 14:09:15 +0000 +Subject: scm: lower SCM_MAX_FD + +From: Eric Dumazet <eric.dumazet@gmail.com> + +commit bba14de98753cb6599a2dae0e520714b2153522d upstream. + +Lower SCM_MAX_FD from 255 to 253 so that allocations for scm_fp_list are +halved. (commit f8d570a4 added two pointers in this structure) + +scm_fp_dup() should not copy whole structure (and trigger kmemcheck +warnings), but only the used part. While we are at it, only allocate +needed size. + +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/net/scm.h | 5 +++-- + net/core/scm.c | 10 ++++++---- + 2 files changed, 9 insertions(+), 6 deletions(-) + +--- a/include/net/scm.h ++++ b/include/net/scm.h +@@ -10,11 +10,12 @@ + /* Well, we should have at least one descriptor open + * to accept passed FDs 8) + */ +-#define SCM_MAX_FD 255 ++#define SCM_MAX_FD 253 + + struct scm_fp_list { + struct list_head list; +- int count; ++ short count; ++ short max; + struct file *fp[SCM_MAX_FD]; + }; + +--- a/net/core/scm.c ++++ b/net/core/scm.c +@@ -78,10 +78,11 @@ static int scm_fp_copy(struct cmsghdr *c + return -ENOMEM; + *fplp = fpl; + fpl->count = 0; ++ fpl->max = SCM_MAX_FD; + } + fpp = &fpl->fp[fpl->count]; + +- if (fpl->count + num > SCM_MAX_FD) ++ if (fpl->count + num > fpl->max) + return -EINVAL; + + /* +@@ -302,11 +303,12 @@ struct scm_fp_list *scm_fp_dup(struct sc + if (!fpl) + return NULL; + +- new_fpl = kmalloc(sizeof(*fpl), GFP_KERNEL); ++ new_fpl = kmemdup(fpl, offsetof(struct scm_fp_list, fp[fpl->count]), ++ GFP_KERNEL); + if (new_fpl) { +- for (i=fpl->count-1; i>=0; i--) ++ for (i = 0; i < fpl->count; i++) + get_file(fpl->fp[i]); +- memcpy(new_fpl, fpl, sizeof(*fpl)); ++ new_fpl->max = new_fpl->count; + } + return new_fpl; + } diff --git a/releases/2.6.33.20/series b/releases/2.6.33.20/series new file mode 100644 index 0000000..247edfc --- /dev/null +++ b/releases/2.6.33.20/series @@ -0,0 +1,102 @@ +usb-ftdi_sio-add-calao-reference-board-support.patch +usb-ehci-do-not-rely-on-port_suspend-to-stop-usb-resuming-in-ehci_bus_resume.patch +rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch +atm-br2684-fix-oops-due-to-skb-dev-being-null.patch +sparc64-remove-unnecessary-macros-from-spinlock_64.h.patch +sparc32-unbreak-arch_write_unlock.patch +sparc-fix-array-bounds-error-setting-up-pcic-nmi-trap.patch +ipv6-add-gso-support-on-forwarding-path.patch +revert-x86-hotplug-use-mwait-to-offline-a-processor-fix-the.patch +gro-fix-merging-a-paged-skb-after-non-paged-skbs.patch +xen-blkfront-fix-data-size-for-xenbus_gather-in-blkfront_connect.patch +md-linear-avoid-corrupting-structure-while-waiting-for.patch +powerpc-pci-check-devices-status-property-when-scanning-of.patch +xen-x86_32-do-not-enable-iterrupts-when-returning-from.patch +xen-smp-warn-user-why-they-keel-over-nosmp-or-noapic-and-what-to-use-instead.patch +arm-davinci-da850-evm-read-mac-address-from-spi-flash.patch +md-fix-handling-for-devices-from-2tb-to-4tb-in-0.90.patch +net-9p-fix-client-code-to-fail-more-gracefully-on-protocol-error.patch +fs-9p-fid-is-not-valid-after-a-failed-clunk.patch +fs-9p-fix-invalid-mount-options-args.patch +net-9p-fix-the-msize-calculation.patch +irda-fix-smsc-ircc2-section-mismatch-warning.patch +qla2xxx-correct-inadvertent-loop-state-transitions-during-port-update-handling.patch +e1000-fix-driver-to-be-used-on-pa-risc-c8000-workstations.patch +asoc-fix-reporting-of-partial-jack-updates.patch +alsa-hda-cirrus-fix-surround-speaker-volume-control-name.patch +cifs-fix-possible-memory-corruption-in-cifsfindnext.patch +b43-fix-beacon-problem-in-ad-hoc-mode.patch +wireless-reset-beacon_found-while-updating-regulatory.patch +rtl2800usb-fix-incorrect-storage-of-mac-address-on.patch +usb-pl2303-correctly-handle-baudrates-above-115200.patch +asix-add-ax88772b-usb-id.patch +fcoe-unable-to-select-the-exchangeid-from-offload-pool-for-storage-targets.patch +hvc_console-improve-tty-console-put_chars-handling.patch +tpm-call-tpm_transmit-with-correct-size.patch +tpm-zero-buffer-after-copying-to-userspace.patch +libiscsi_tcp-fix-lld-data-allocation.patch +cnic-improve-netdev_up-event-handling.patch +alsa-hda-realtek-avoid-bogus-hp-pin-assignment.patch +3w-9xxx-fix-iommu_iova-leak.patch +aacraid-reset-should-disable-msi-interrupt.patch +libsas-fix-failure-to-revalidate-domain-for-anything-but-the-first-expander-child.patch +cfg80211-fix-validation-of-akm-suites.patch +splice-direct_splice_actor-should-not-use-pos-in-sd.patch +libsas-fix-panic-when-single-phy-is-disabled-on-a-wide-port.patch +ahci-enable-sb600-64bit-dma-on-asus-m3a.patch +hid-usbhid-add-support-for-sigma-micro-chip.patch +hwmon-w83627ehf-properly-report-thermal-diode-sensors.patch +x25-prevent-skb-overreads-when-checking-call-user-data.patch +staging-quatech_usb2-potential-lost-wakeup-scenario-in-tiocmiwait.patch +usb-qcserial-add-device-id-for-hp-un2430-mobile-broadband-module.patch +xhci-mem.c-check-for-ring-first_seg-null.patch +ipr-always-initiate-hard-reset-in-kdump-kernel.patch +libsas-set-sas_address-and-device-type-of-rphy.patch +alsa-hda-add-new-revision-for-alc662.patch +x86-fix-compilation-bug-in-kprobes-twobyte_is_boostable.patch +epoll-fix-spurious-lockdep-warnings.patch +usbmon-vs.-tcpdump-fix-dropped-packet-count.patch +usb-storage-use-normalized-sense-when-emulating-autosense.patch +usb-core-devio.c-check-for-printer-class-specific-request.patch +usb-pid_ns-ensure-pid-is-not-freed-during.patch +usb-cdc-acm-owen-si-30-support.patch +usb-pl2303-add-id-for-smart-device.patch +usb-ftdi_sio-add-pid-for-sony-ericsson-urban.patch +usb-ftdi_sio-support-ti-luminary-micro-stellaris-bd-icdi.patch +qe-fhci-fixed-the-control-bug.patch +update-email-address-for-stable-patch-submission.patch +kobj_uevent-ignore-if-some-listeners-cannot-handle-message.patch +kmod-prevent-kmod_loop_msg-overflow-in-__request_module.patch +time-change-jiffies_to_clock_t-argument-type-to-unsigned-long.patch +tracing-fix-returning-of-duplicate-data-after-eof-in-trace_pipe_raw.patch +nfsd4-remove-check-for-a-32-bit-cookie-in-nfsd4_readdir.patch +nfsd4-fix-seqid_mutating_error.patch +nfsd4-ignore-want-bits-in-open-downgrade.patch +asoc-ak4642-fixup-cache-register-table.patch +asoc-ak4535-fixup-cache-register-table.patch +kvm-s390-check-cpu_id-prior-to-using-it.patch +ccwgroup-move-attributes-to-attribute-group.patch +iommu-amd-fix-wrong-shift-direction.patch +carminefb-fix-module-parameters-permissions.patch +uvcvideo-set-alternate-setting-0-on-resume-if-the-bus-has-been-reset.patch +tuner_xc2028-allow-selection-of-the-frequency-adjustment-code-for-xc3028.patch +plat-mxc-iomux-v3.h-implicitly-enable-pull-up-down-when-that-s-desired.patch +net-fix-a-memmove-bug-in-dev_gro_receive.patch +gro-fix-different-skb-headrooms.patch +gro-re-fix-different-skb-headrooms.patch +revert-mips-mtx-1-make-au1000_eth-probe-all-phy.patch +revert-usb-musb-restore-index-register-in-resume-path.patch +watchdog-mtx1-wdt-fix-build-failure.patch +kcore-fix-test-for-end-of-list.patch +thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch +scm-lower-scm_max_fd.patch +nlm-don-t-hang-forever-on-nlm-unlock-requests.patch +bluetooth-l2cap-and-rfcomm-fix-1-byte-infoleak-to-userspace.patch +vm-fix-vm_pgoff-wrap-in-stack-expansion.patch +vm-fix-vm_pgoff-wrap-in-upward-expansion.patch +bluetooth-prevent-buffer-overflow-in-l2cap-config-request.patch +nl80211-fix-overflow-in-ssid_len.patch +net_sched-fix-qdisc_notify.patch +ext4-fix-bug_on-in-ext4_ext_insert_extent.patch +drivers-net-rionet.c-fix-ethernet-address-macros-for-le-platforms.patch +ext2-ext3-ext4-don-t-inherit-append_fl-or-immutable_fl-for-new-inodes.patch diff --git a/releases/2.6.33.20/sparc-fix-array-bounds-error-setting-up-pcic-nmi-trap.patch b/releases/2.6.33.20/sparc-fix-array-bounds-error-setting-up-pcic-nmi-trap.patch new file mode 100644 index 0000000..a0ee423 --- /dev/null +++ b/releases/2.6.33.20/sparc-fix-array-bounds-error-setting-up-pcic-nmi-trap.patch @@ -0,0 +1,48 @@ +From 4a0342ca8e8150bd47e7118a76e300692a1b6b7b Mon Sep 17 00:00:00 2001 +From: Ian Campbell <Ian.Campbell@citrix.com> +Date: Wed, 17 Aug 2011 22:14:57 +0000 +Subject: sparc: fix array bounds error setting up PCIC NMI trap + +From: Ian Campbell <Ian.Campbell@citrix.com> + +commit 4a0342ca8e8150bd47e7118a76e300692a1b6b7b upstream. + + CC arch/sparc/kernel/pcic.o +arch/sparc/kernel/pcic.c: In function 'pcic_probe': +arch/sparc/kernel/pcic.c:359:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:359:8: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:360:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:360:8: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:361:33: error: array subscript is above array bounds [-Werror=array-bounds] +arch/sparc/kernel/pcic.c:361:8: error: array subscript is above array bounds [-Werror=array-bounds] +cc1: all warnings being treated as errors + +I'm not particularly familiar with sparc but t_nmi (defined in head_32.S via +the TRAP_ENTRY macro) and pcic_nmi_trap_patch (defined in entry.S) both appear +to be 4 instructions long and I presume from the usage that instructions are +int sized. + +Signed-off-by: Ian Campbell <ian.campbell@citrix.com> +Cc: "David S. Miller" <davem@davemloft.net> +Cc: sparclinux@vger.kernel.org +Reviewed-by: Sam Ravnborg <sam@ravnborg.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/sparc/kernel/pcic.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/arch/sparc/kernel/pcic.c ++++ b/arch/sparc/kernel/pcic.c +@@ -349,8 +349,8 @@ int __init pcic_probe(void) + strcpy(pbm->prom_name, namebuf); + + { +- extern volatile int t_nmi[1]; +- extern int pcic_nmi_trap_patch[1]; ++ extern volatile int t_nmi[4]; ++ extern int pcic_nmi_trap_patch[4]; + + t_nmi[0] = pcic_nmi_trap_patch[0]; + t_nmi[1] = pcic_nmi_trap_patch[1]; diff --git a/releases/2.6.33.20/sparc32-unbreak-arch_write_unlock.patch b/releases/2.6.33.20/sparc32-unbreak-arch_write_unlock.patch new file mode 100644 index 0000000..4853637 --- /dev/null +++ b/releases/2.6.33.20/sparc32-unbreak-arch_write_unlock.patch @@ -0,0 +1,60 @@ +From 3f6aa0b113846a8628baa649af422cfc6fb1d786 Mon Sep 17 00:00:00 2001 +From: Mikael Pettersson <mikpe@it.uu.se> +Date: Mon, 15 Aug 2011 10:11:50 +0000 +Subject: sparc32: unbreak arch_write_unlock() + +From: Mikael Pettersson <mikpe@it.uu.se> + +commit 3f6aa0b113846a8628baa649af422cfc6fb1d786 upstream. + +The sparc32 version of arch_write_unlock() is just a plain assignment. +Unfortunately this allows the compiler to schedule side-effects in a +protected region to occur after the HW-level unlock, which is broken. +E.g., the following trivial test case gets miscompiled: + + #include <linux/spinlock.h> + rwlock_t lock; + int counter; + void foo(void) { write_lock(&lock); ++counter; write_unlock(&lock); } + +Fixed by adding a compiler memory barrier to arch_write_unlock(). The +sparc64 version combines the barrier and assignment into a single asm(), +and implements the operation as a static inline, so that's what I did too. + +Compile-tested with sparc32_defconfig + CONFIG_SMP=y. + +Signed-off-by: Mikael Pettersson <mikpe@it.uu.se> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/sparc/include/asm/spinlock_32.h | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +--- a/arch/sparc/include/asm/spinlock_32.h ++++ b/arch/sparc/include/asm/spinlock_32.h +@@ -130,6 +130,15 @@ static inline void arch_write_lock(arch_ + *(volatile __u32 *)&lp->lock = ~0U; + } + ++static void inline arch_write_unlock(arch_rwlock_t *lock) ++{ ++ __asm__ __volatile__( ++" st %%g0, [%0]" ++ : /* no outputs */ ++ : "r" (lock) ++ : "memory"); ++} ++ + static inline int arch_write_trylock(arch_rwlock_t *rw) + { + unsigned int val; +@@ -174,8 +183,6 @@ static inline int __arch_read_trylock(ar + res; \ + }) + +-#define arch_write_unlock(rw) do { (rw)->lock = 0; } while(0) +- + #define arch_spin_lock_flags(lock, flags) arch_spin_lock(lock) + #define arch_read_lock_flags(rw, flags) arch_read_lock(rw) + #define arch_write_lock_flags(rw, flags) arch_write_lock(rw) diff --git a/releases/2.6.33.20/sparc64-remove-unnecessary-macros-from-spinlock_64.h.patch b/releases/2.6.33.20/sparc64-remove-unnecessary-macros-from-spinlock_64.h.patch new file mode 100644 index 0000000..ed3d3bf --- /dev/null +++ b/releases/2.6.33.20/sparc64-remove-unnecessary-macros-from-spinlock_64.h.patch @@ -0,0 +1,45 @@ +From a0fba3eb059e73fed2d376a901f8117734c12f1f Mon Sep 17 00:00:00 2001 +From: Mikael Pettersson <mikpe@it.uu.se> +Date: Mon, 15 Aug 2011 10:10:31 +0000 +Subject: sparc64: remove unnecessary macros from spinlock_64.h + +From: Mikael Pettersson <mikpe@it.uu.se> + +commit a0fba3eb059e73fed2d376a901f8117734c12f1f upstream. + +The sparc64 spinlock_64.h contains a number of operations defined +first as static inline functions, and then as macros with the same +names and parameters as the functions. Maybe this was needed at +some point in the past, but now nothing seems to depend on these +macros (checked with a recursive grep looking for ifdefs on these +names). Other archs don't define these identity-macros. + +So this patch deletes these unnecessary macros. + +Compile-tested with sparc64_defconfig. + +Signed-off-by: Mikael Pettersson <mikpe@it.uu.se> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/sparc/include/asm/spinlock_64.h | 6 ------ + 1 file changed, 6 deletions(-) + +--- a/arch/sparc/include/asm/spinlock_64.h ++++ b/arch/sparc/include/asm/spinlock_64.h +@@ -210,14 +210,8 @@ static int inline arch_write_trylock(arc + return result; + } + +-#define arch_read_lock(p) arch_read_lock(p) + #define arch_read_lock_flags(p, f) arch_read_lock(p) +-#define arch_read_trylock(p) arch_read_trylock(p) +-#define arch_read_unlock(p) arch_read_unlock(p) +-#define arch_write_lock(p) arch_write_lock(p) + #define arch_write_lock_flags(p, f) arch_write_lock(p) +-#define arch_write_unlock(p) arch_write_unlock(p) +-#define arch_write_trylock(p) arch_write_trylock(p) + + #define arch_read_can_lock(rw) (!((rw)->lock & 0x80000000UL)) + #define arch_write_can_lock(rw) (!(rw)->lock) diff --git a/releases/2.6.33.20/splice-direct_splice_actor-should-not-use-pos-in-sd.patch b/releases/2.6.33.20/splice-direct_splice_actor-should-not-use-pos-in-sd.patch new file mode 100644 index 0000000..18649c3 --- /dev/null +++ b/releases/2.6.33.20/splice-direct_splice_actor-should-not-use-pos-in-sd.patch @@ -0,0 +1,33 @@ +From 2cb4b05e7647891b46b91c07c9a60304803d1688 Mon Sep 17 00:00:00 2001 +From: Changli Gao <xiaosuo@gmail.com> +Date: Tue, 29 Jun 2010 13:09:18 +0200 +Subject: splice: direct_splice_actor() should not use pos in sd + +From: Changli Gao <xiaosuo@gmail.com> + +commit 2cb4b05e7647891b46b91c07c9a60304803d1688 upstream. + +direct_splice_actor() shouldn't use sd->pos, as sd->pos is for file reading, +file->f_pos should be used instead. + +Signed-off-by: Changli Gao <xiaosuo@gmail.com> +Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> +Signed-off-by: Jens Axboe <jaxboe@fusionio.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + fs/splice.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/fs/splice.c ++++ b/fs/splice.c +@@ -1231,7 +1231,8 @@ static int direct_splice_actor(struct pi + { + struct file *file = sd->u.file; + +- return do_splice_from(pipe, file, &sd->pos, sd->total_len, sd->flags); ++ return do_splice_from(pipe, file, &file->f_pos, sd->total_len, ++ sd->flags); + } + + /** diff --git a/releases/2.6.33.20/staging-quatech_usb2-potential-lost-wakeup-scenario-in-tiocmiwait.patch b/releases/2.6.33.20/staging-quatech_usb2-potential-lost-wakeup-scenario-in-tiocmiwait.patch new file mode 100644 index 0000000..305f636 --- /dev/null +++ b/releases/2.6.33.20/staging-quatech_usb2-potential-lost-wakeup-scenario-in-tiocmiwait.patch @@ -0,0 +1,65 @@ +From e8df1674d383d2ecc6efa8d7dba74c03aafdfdd7 Mon Sep 17 00:00:00 2001 +From: Kautuk Consul <consul.kautuk@gmail.com> +Date: Wed, 14 Sep 2011 08:56:21 +0530 +Subject: staging: quatech_usb2: Potential lost wakeup scenario in TIOCMIWAIT + +From: Kautuk Consul <consul.kautuk@gmail.com> + +commit e8df1674d383d2ecc6efa8d7dba74c03aafdfdd7 upstream. + +If the usermode app does an ioctl over this serial device by +using TIOCMIWAIT, then the code will wait by setting the current +task state to TASK_INTERRUPTIBLE and then calling schedule(). +This will be woken up by the qt2_process_modem_status on URB +completion when the port_extra->shadowMSR is set to the new +modem status. + +However, this could result in a lost wakeup scenario due to a race +in the logic in the qt2_ioctl(TIOCMIWAIT) loop and the URB completion +for new modem status in qt2_process_modem_status. +Due to this, the usermode app's task will continue to sleep despite a +change in the modem status. + +Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/staging/quatech_usb2/quatech_usb2.c | 9 +++++++-- + 1 file changed, 7 insertions(+), 2 deletions(-) + +--- a/drivers/staging/quatech_usb2/quatech_usb2.c ++++ b/drivers/staging/quatech_usb2/quatech_usb2.c +@@ -921,9 +921,10 @@ static int qt2_ioctl(struct tty_struct * + dbg("%s() port %d, cmd == TIOCMIWAIT enter", + __func__, port->number); + prev_msr_value = port_extra->shadowMSR & QT2_SERIAL_MSR_MASK; ++ barrier(); ++ __set_current_state(TASK_INTERRUPTIBLE); + while (1) { + add_wait_queue(&port_extra->wait, &wait); +- set_current_state(TASK_INTERRUPTIBLE); + schedule(); + dbg("%s(): port %d, cmd == TIOCMIWAIT here\n", + __func__, port->number); +@@ -931,9 +932,12 @@ static int qt2_ioctl(struct tty_struct * + /* see if a signal woke us up */ + if (signal_pending(current)) + return -ERESTARTSYS; ++ set_current_state(TASK_INTERRUPTIBLE); + msr_value = port_extra->shadowMSR & QT2_SERIAL_MSR_MASK; +- if (msr_value == prev_msr_value) ++ if (msr_value == prev_msr_value) { ++ __set_current_state(TASK_RUNNING); + return -EIO; /* no change - error */ ++ } + if ((arg & TIOCM_RNG && + ((prev_msr_value & QT2_SERIAL_MSR_RI) == + (msr_value & QT2_SERIAL_MSR_RI))) || +@@ -946,6 +950,7 @@ static int qt2_ioctl(struct tty_struct * + (arg & TIOCM_CTS && + ((prev_msr_value & QT2_SERIAL_MSR_CTS) == + (msr_value & QT2_SERIAL_MSR_CTS)))) { ++ __set_current_state(TASK_RUNNING); + return 0; + } + } /* end inifinite while */ diff --git a/releases/2.6.33.20/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch b/releases/2.6.33.20/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch new file mode 100644 index 0000000..7dfcc77 --- /dev/null +++ b/releases/2.6.33.20/thinkpad-acpi-module-autoloading-for-newer-lenovo-thinkpads.patch @@ -0,0 +1,51 @@ +From bjorn@mork.no Wed Nov 2 14:11:41 2011 +From: Manoj Iyer <manoj.iyer@canonical.com> +Date: Thu, 20 Oct 2011 20:50:25 +0200 +Subject: thinkpad-acpi: module autoloading for newer Lenovo ThinkPads. +To: stable@vger.kernel.org +Cc: Manoj Iyer <manoj.iyer@canonical.com>, Andy Lutomirski <luto@mit.edu>, Matthew Garrett <mjg@redhat.com> +Message-ID: <1319136625-29820-1-git-send-email-bjorn@mork.no> + +From: Manoj Iyer <manoj.iyer@canonical.com> + +commit 9fbdaeb4f4dd14a0caa9fc35c496d5440c251a3a upstream. + +The newer Lenovo ThinkPads have HKEY HID of LEN0068 instead +of IBM0068. Added new HID so that thinkpad_acpi module will +auto load on these newer Lenovo ThinkPads. + +Acked-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> +Cc: stable@vger.kernel.org +Signed-off-by: Manoj Iyer <manoj.iyer@canonical.com> +Signed-off-by: Andy Lutomirski <luto@mit.edu> +Signed-off-by: Matthew Garrett <mjg@redhat.com> +Signed-off-by: Bjørn Mork <bjorn@mork.no> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/platform/x86/thinkpad_acpi.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +--- a/drivers/platform/x86/thinkpad_acpi.c ++++ b/drivers/platform/x86/thinkpad_acpi.c +@@ -122,7 +122,9 @@ enum { + }; + + /* ACPI HIDs */ +-#define TPACPI_ACPI_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_IBM_HKEY_HID "IBM0068" ++#define TPACPI_ACPI_LENOVO_HKEY_HID "LEN0068" ++#define TPACPI_ACPI_EC_HID "PNP0C09" + + /* Input IDs */ + #define TPACPI_HKEY_INPUT_PRODUCT 0x5054 /* "TP" */ +@@ -3849,7 +3851,8 @@ errexit: + } + + static const struct acpi_device_id ibm_htk_device_ids[] = { +- {TPACPI_ACPI_HKEY_HID, 0}, ++ {TPACPI_ACPI_IBM_HKEY_HID, 0}, ++ {TPACPI_ACPI_LENOVO_HKEY_HID, 0}, + {"", 0}, + }; + diff --git a/releases/2.6.33.20/time-change-jiffies_to_clock_t-argument-type-to-unsigned-long.patch b/releases/2.6.33.20/time-change-jiffies_to_clock_t-argument-type-to-unsigned-long.patch new file mode 100644 index 0000000..c68edb9 --- /dev/null +++ b/releases/2.6.33.20/time-change-jiffies_to_clock_t-argument-type-to-unsigned-long.patch @@ -0,0 +1,50 @@ +From cbbc719fccdb8cbd87350a05c0d33167c9b79365 Mon Sep 17 00:00:00 2001 +From: hank <pyu@redhat.com> +Date: Tue, 20 Sep 2011 13:53:39 -0700 +Subject: time: Change jiffies_to_clock_t() argument type to unsigned long + +From: hank <pyu@redhat.com> + +commit cbbc719fccdb8cbd87350a05c0d33167c9b79365 upstream. + +The parameter's origin type is long. On an i386 architecture, it can +easily be larger than 0x80000000, causing this function to convert it +to a sign-extended u64 type. + +Change the type to unsigned long so we get the correct result. + +Signed-off-by: hank <pyu@redhat.com> +Cc: John Stultz <john.stultz@linaro.org> +[ build fix ] +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Signed-off-by: Ingo Molnar <mingo@elte.hu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + include/linux/jiffies.h | 2 +- + kernel/time.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +--- a/include/linux/jiffies.h ++++ b/include/linux/jiffies.h +@@ -303,7 +303,7 @@ extern void jiffies_to_timespec(const un + extern unsigned long timeval_to_jiffies(const struct timeval *value); + extern void jiffies_to_timeval(const unsigned long jiffies, + struct timeval *value); +-extern clock_t jiffies_to_clock_t(long x); ++extern clock_t jiffies_to_clock_t(unsigned long x); + extern unsigned long clock_t_to_jiffies(unsigned long x); + extern u64 jiffies_64_to_clock_t(u64 x); + extern u64 nsec_to_clock_t(u64 x); +--- a/kernel/time.c ++++ b/kernel/time.c +@@ -593,7 +593,7 @@ EXPORT_SYMBOL(jiffies_to_timeval); + /* + * Convert jiffies/jiffies_64 to clock_t and back. + */ +-clock_t jiffies_to_clock_t(long x) ++clock_t jiffies_to_clock_t(unsigned long x) + { + #if (TICK_NSEC % (NSEC_PER_SEC / USER_HZ)) == 0 + # if HZ < USER_HZ diff --git a/releases/2.6.33.20/tpm-call-tpm_transmit-with-correct-size.patch b/releases/2.6.33.20/tpm-call-tpm_transmit-with-correct-size.patch new file mode 100644 index 0000000..125e91e --- /dev/null +++ b/releases/2.6.33.20/tpm-call-tpm_transmit-with-correct-size.patch @@ -0,0 +1,43 @@ +From 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 Mon Sep 17 00:00:00 2001 +From: Peter Huewe <huewe.external.infineon@googlemail.com> +Date: Thu, 15 Sep 2011 14:37:43 -0300 +Subject: TPM: Call tpm_transmit with correct size + +From: Peter Huewe <huewe.external.infineon@googlemail.com> + +commit 6b07d30aca7e52f2881b8c8c20c8a2cd28e8b3d3 upstream. + +This patch changes the call of tpm_transmit by supplying the size of the +userspace buffer instead of TPM_BUFSIZE. + +This got assigned CVE-2011-1161. + +[The first hunk didn't make sense given one could expect + way less data than TPM_BUFSIZE, so added tpm_transmit boundary + check over bufsiz instead + The last parameter of tpm_transmit() reflects the amount + of data expected from the device, and not the buffer size + being supplied to it. It isn't ideal to parse it directly, + so we just set it to the maximum the input buffer can handle + and let the userspace API to do such job.] + +Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> +Signed-off-by: James Morris <jmorris@namei.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/char/tpm/tpm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -374,6 +374,9 @@ static ssize_t tpm_transmit(struct tpm_c + u32 count, ordinal; + unsigned long stop; + ++ if (bufsiz > TPM_BUFSIZE) ++ bufsiz = TPM_BUFSIZE; ++ + count = be32_to_cpu(*((__be32 *) (buf + 2))); + ordinal = be32_to_cpu(*((__be32 *) (buf + 6))); + if (count == 0) diff --git a/releases/2.6.33.20/tpm-zero-buffer-after-copying-to-userspace.patch b/releases/2.6.33.20/tpm-zero-buffer-after-copying-to-userspace.patch new file mode 100644 index 0000000..c284e7c --- /dev/null +++ b/releases/2.6.33.20/tpm-zero-buffer-after-copying-to-userspace.patch @@ -0,0 +1,45 @@ +From 3321c07ae5068568cd61ac9f4ba749006a7185c9 Mon Sep 17 00:00:00 2001 +From: Peter Huewe <huewe.external.infineon@googlemail.com> +Date: Thu, 15 Sep 2011 14:47:42 -0300 +Subject: TPM: Zero buffer after copying to userspace + +From: Peter Huewe <huewe.external.infineon@googlemail.com> + +commit 3321c07ae5068568cd61ac9f4ba749006a7185c9 upstream. + +Since the buffer might contain security related data it might be a good idea to +zero the buffer after we have copied it to userspace. + +This got assigned CVE-2011-1162. + +Signed-off-by: Rajiv Andrade <srajiv@linux.vnet.ibm.com> +Signed-off-by: James Morris <jmorris@namei.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/char/tpm/tpm.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +--- a/drivers/char/tpm/tpm.c ++++ b/drivers/char/tpm/tpm.c +@@ -1030,6 +1030,7 @@ ssize_t tpm_read(struct file *file, char + { + struct tpm_chip *chip = file->private_data; + ssize_t ret_size; ++ int rc; + + del_singleshot_timer_sync(&chip->user_read_timer); + flush_scheduled_work(); +@@ -1040,8 +1041,11 @@ ssize_t tpm_read(struct file *file, char + ret_size = size; + + mutex_lock(&chip->buffer_mutex); +- if (copy_to_user(buf, chip->data_buffer, ret_size)) ++ rc = copy_to_user(buf, chip->data_buffer, ret_size); ++ memset(chip->data_buffer, 0, ret_size); ++ if (rc) + ret_size = -EFAULT; ++ + mutex_unlock(&chip->buffer_mutex); + } + diff --git a/releases/2.6.33.20/tracing-fix-returning-of-duplicate-data-after-eof-in-trace_pipe_raw.patch b/releases/2.6.33.20/tracing-fix-returning-of-duplicate-data-after-eof-in-trace_pipe_raw.patch new file mode 100644 index 0000000..172197c --- /dev/null +++ b/releases/2.6.33.20/tracing-fix-returning-of-duplicate-data-after-eof-in-trace_pipe_raw.patch @@ -0,0 +1,55 @@ +From 436fc280261dcfce5af38f08b89287750dc91cd2 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt <srostedt@redhat.com> +Date: Fri, 14 Oct 2011 10:44:25 -0400 +Subject: tracing: Fix returning of duplicate data after EOF in trace_pipe_raw + +From: Steven Rostedt <srostedt@redhat.com> + +commit 436fc280261dcfce5af38f08b89287750dc91cd2 upstream. + +The trace_pipe_raw handler holds a cached page from the time the file +is opened to the time it is closed. The cached page is used to handle +the case of the user space buffer being smaller than what was read from +the ring buffer. The left over buffer is held in the cache so that the +next read will continue where the data left off. + +After EOF is returned (no more data in the buffer), the index of +the cached page is set to zero. If a user app reads the page again +after EOF, the check in the buffer will see that the cached page +is less than page size and will return the cached page again. This +will cause reading the trace_pipe_raw again after EOF to return +duplicate data, making the output look like the time went backwards +but instead data is just repeated. + +The fix is to not reset the index right after all data is read +from the cache, but to reset it after all data is read and more +data exists in the ring buffer. + +Reported-by: Jeremy Eder <jeder@redhat.com> +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + kernel/trace/trace.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/kernel/trace/trace.c ++++ b/kernel/trace/trace.c +@@ -3624,8 +3624,6 @@ tracing_buffers_read(struct file *filp, + if (info->read < PAGE_SIZE) + goto read; + +- info->read = 0; +- + trace_access_lock(info->cpu); + ret = ring_buffer_read_page(info->tr->buffer, + &info->spare, +@@ -3640,6 +3638,8 @@ tracing_buffers_read(struct file *filp, + if (pos < PAGE_SIZE) + memset(info->spare + pos, 0, PAGE_SIZE - pos); + ++ info->read = 0; ++ + read: + size = PAGE_SIZE - info->read; + if (size > count) diff --git a/releases/2.6.33.20/tuner_xc2028-allow-selection-of-the-frequency-adjustment-code-for-xc3028.patch b/releases/2.6.33.20/tuner_xc2028-allow-selection-of-the-frequency-adjustment-code-for-xc3028.patch new file mode 100644 index 0000000..a779526 --- /dev/null +++ b/releases/2.6.33.20/tuner_xc2028-allow-selection-of-the-frequency-adjustment-code-for-xc3028.patch @@ -0,0 +1,32 @@ +From 9bed77ee2fb46b74782d0d9d14b92e9d07f3df6e Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Thu, 28 Jul 2011 16:38:54 -0300 +Subject: [media] tuner_xc2028: Allow selection of the frequency adjustment code for XC3028 + +From: Mauro Carvalho Chehab <mchehab@redhat.com> + +commit 9bed77ee2fb46b74782d0d9d14b92e9d07f3df6e upstream. + +This device is not using the proper demod IF. Instead of using the +IF macro, it is specifying a IF frequency. This doesn't work, as xc3028 +needs to load an specific SCODE for the tuner. In this case, there's +no IF table for 5 MHz. + +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/media/video/cx23885/cx23885-dvb.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/media/video/cx23885/cx23885-dvb.c ++++ b/drivers/media/video/cx23885/cx23885-dvb.c +@@ -741,7 +741,7 @@ static int dvb_register(struct cx23885_t + static struct xc2028_ctrl ctl = { + .fname = XC3028L_DEFAULT_FIRMWARE, + .max_len = 64, +- .demod = 5000, ++ .demod = XC3028_FE_DIBCOM52, + /* This is true for all demods with + v36 firmware? */ + .type = XC2028_D2633, diff --git a/releases/2.6.33.20/update-email-address-for-stable-patch-submission.patch b/releases/2.6.33.20/update-email-address-for-stable-patch-submission.patch new file mode 100644 index 0000000..1d371a4 --- /dev/null +++ b/releases/2.6.33.20/update-email-address-for-stable-patch-submission.patch @@ -0,0 +1,50 @@ +From 5fa224295f0e0358c8bc0e5390702338df889def Mon Sep 17 00:00:00 2001 +From: Josh Boyer <jwboyer@redhat.com> +Date: Mon, 17 Oct 2011 21:16:39 -0400 +Subject: Update email address for stable patch submission + +From: Josh Boyer <jwboyer@redhat.com> + +commit 5fa224295f0e0358c8bc0e5390702338df889def upstream. + +The stable@kernel.org email address has been replaced with the +stable@vger.kernel.org mailing list. Change the stable kernel rules to +reference the new list instead of the semi-defunct email alias. + +Signed-off-by: Josh Boyer <jwboyer@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + Documentation/stable_kernel_rules.txt | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +--- a/Documentation/stable_kernel_rules.txt ++++ b/Documentation/stable_kernel_rules.txt +@@ -25,10 +25,10 @@ Rules on what kind of patches are accept + Procedure for submitting patches to the -stable tree: + + - Send the patch, after verifying that it follows the above rules, to +- stable@kernel.org. ++ stable@vger.kernel.org. + - To have the patch automatically included in the stable tree, add the + the tag +- Cc: stable@kernel.org ++ Cc: stable@vger.kernel.org + in the sign-off area. Once the patch is merged it will be applied to + the stable tree without anything else needing to be done by the author + or subsystem maintainer. +@@ -36,10 +36,10 @@ Procedure for submitting patches to the + cherry-picked than this can be specified in the following format in + the sign-off area: + +- Cc: <stable@kernel.org> # .32.x: a1f84a3: sched: Check for idle +- Cc: <stable@kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle +- Cc: <stable@kernel.org> # .32.x: fd21073: sched: Fix affinity logic +- Cc: <stable@kernel.org> # .32.x ++ Cc: <stable@vger.kernel.org> # .32.x: a1f84a3: sched: Check for idle ++ Cc: <stable@vger.kernel.org> # .32.x: 1b9508f: sched: Rate-limit newidle ++ Cc: <stable@vger.kernel.org> # .32.x: fd21073: sched: Fix affinity logic ++ Cc: <stable@vger.kernel.org> # .32.x + Signed-off-by: Ingo Molnar <mingo@elte.hu> + + The tag sequence has the meaning of: diff --git a/releases/2.6.33.20/usb-cdc-acm-owen-si-30-support.patch b/releases/2.6.33.20/usb-cdc-acm-owen-si-30-support.patch new file mode 100644 index 0000000..62a1588 --- /dev/null +++ b/releases/2.6.33.20/usb-cdc-acm-owen-si-30-support.patch @@ -0,0 +1,43 @@ +From 65e52f41fa944cef2e6d4222b8c54f46cc575214 Mon Sep 17 00:00:00 2001 +From: Denis Pershin <dyp@perchine.com> +Date: Sun, 4 Sep 2011 17:37:21 +0700 +Subject: usb: cdc-acm: Owen SI-30 support + +From: Denis Pershin <dyp@perchine.com> + +commit 65e52f41fa944cef2e6d4222b8c54f46cc575214 upstream. + +here is the patch to support Owen SI-30 device. +This is a pulse counter controller. +http://www.owen.ru/en/catalog/93788515 + +usb-drivers output: +T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 4 Spd=12 MxCh= 0 +D: Ver= 2.00 Cls=02(commc) Sub=00 Prot=00 MxPS= 8 #Cfgs= 1 +P: Vendor=03eb ProdID=0030 Rev=01.01 +C: #Ifs= 2 Cfg#= 1 Atr=c0 MxPwr=0mA +I: If#= 0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=02 Prot=00 Driver=cdc_acm +I: If#= 1 Alt= 0 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_acm + +This patch is installed on my home system which receives data from this +controller connected to cold water counter. + +Signed-off-by: Denis Pershin <dyp@perchine.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/class/cdc-acm.c | 3 +++ + 1 file changed, 3 insertions(+) + +--- a/drivers/usb/class/cdc-acm.c ++++ b/drivers/usb/class/cdc-acm.c +@@ -1582,6 +1582,9 @@ static struct usb_device_id acm_ids[] = + { NOKIA_PCSUITE_ACM_INFO(0x0108), }, /* Nokia 5320 XpressMusic 2G */ + { NOKIA_PCSUITE_ACM_INFO(0x01f5), }, /* Nokia N97, RM-505 */ + ++ /* Support for Owen devices */ ++ { USB_DEVICE(0x03eb, 0x0030), }, /* Owen SI30 */ ++ + /* NOTE: non-Nokia COMM/ACM/0xff is likely MSFT RNDIS... NOT a modem! */ + + /* control interfaces with various AT-command sets */ diff --git a/releases/2.6.33.20/usb-core-devio.c-check-for-printer-class-specific-request.patch b/releases/2.6.33.20/usb-core-devio.c-check-for-printer-class-specific-request.patch new file mode 100644 index 0000000..38f1933 --- /dev/null +++ b/releases/2.6.33.20/usb-core-devio.c-check-for-printer-class-specific-request.patch @@ -0,0 +1,74 @@ +From 393cbb5151ecda9f9e14e3082d048dd27a1ff9f6 Mon Sep 17 00:00:00 2001 +From: Matthias Dellweg <2500@gmx.de> +Date: Sun, 25 Sep 2011 14:26:25 +0200 +Subject: usb/core/devio.c: Check for printer class specific request + +From: Matthias Dellweg <2500@gmx.de> + +commit 393cbb5151ecda9f9e14e3082d048dd27a1ff9f6 upstream. + +In the usb printer class specific request get_device_id the value of +wIndex is (interface << 8 | altsetting) instead of just interface. +This enables the detection of some printers with libusb. + +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Matthias Dellweg <2500@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/core/devio.c | 21 ++++++++++++++++++--- + 1 file changed, 18 insertions(+), 3 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -601,9 +601,10 @@ static int findintfep(struct usb_device + } + + static int check_ctrlrecip(struct dev_state *ps, unsigned int requesttype, +- unsigned int index) ++ unsigned int request, unsigned int index) + { + int ret = 0; ++ struct usb_host_interface *alt_setting; + + if (ps->dev->state != USB_STATE_UNAUTHENTICATED + && ps->dev->state != USB_STATE_ADDRESS +@@ -612,6 +613,19 @@ static int check_ctrlrecip(struct dev_st + if (USB_TYPE_VENDOR == (USB_TYPE_MASK & requesttype)) + return 0; + ++ /* ++ * check for the special corner case 'get_device_id' in the printer ++ * class specification, where wIndex is (interface << 8 | altsetting) ++ * instead of just interface ++ */ ++ if (requesttype == 0xa1 && request == 0) { ++ alt_setting = usb_find_alt_setting(ps->dev->actconfig, ++ index >> 8, index & 0xff); ++ if (alt_setting ++ && alt_setting->desc.bInterfaceClass == USB_CLASS_PRINTER) ++ index >>= 8; ++ } ++ + index &= 0xff; + switch (requesttype & USB_RECIP_MASK) { + case USB_RECIP_ENDPOINT: +@@ -760,7 +774,8 @@ static int proc_control(struct dev_state + + if (copy_from_user(&ctrl, arg, sizeof(ctrl))) + return -EFAULT; +- ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.wIndex); ++ ret = check_ctrlrecip(ps, ctrl.bRequestType, ctrl.bRequest, ++ ctrl.wIndex); + if (ret) + return ret; + wLength = ctrl.wLength; /* To suppress 64k PAGE_SIZE warning */ +@@ -1082,7 +1097,7 @@ static int proc_do_submiturb(struct dev_ + kfree(dr); + return -EINVAL; + } +- ret = check_ctrlrecip(ps, dr->bRequestType, ++ ret = check_ctrlrecip(ps, dr->bRequestType, dr->bRequest, + le16_to_cpup(&dr->wIndex)); + if (ret) { + kfree(dr); diff --git a/releases/2.6.33.20/usb-ehci-do-not-rely-on-port_suspend-to-stop-usb-resuming-in-ehci_bus_resume.patch b/releases/2.6.33.20/usb-ehci-do-not-rely-on-port_suspend-to-stop-usb-resuming-in-ehci_bus_resume.patch new file mode 100644 index 0000000..bd9e5de --- /dev/null +++ b/releases/2.6.33.20/usb-ehci-do-not-rely-on-port_suspend-to-stop-usb-resuming-in-ehci_bus_resume.patch @@ -0,0 +1,54 @@ +From d0f2fb2500b1c5fe4967eb45d8c9bc758d7aef80 Mon Sep 17 00:00:00 2001 +From: Wang Zhi <zhi.wang@windriver.com> +Date: Wed, 17 Aug 2011 10:39:31 +0800 +Subject: USB: EHCI: Do not rely on PORT_SUSPEND to stop USB resuming in ehci_bus_resume(). + +From: Wang Zhi <zhi.wang@windriver.com> + +commit d0f2fb2500b1c5fe4967eb45d8c9bc758d7aef80 upstream. + +From EHCI Spec p.28 HC should clear PORT_SUSPEND when SW clears +PORT_RESUME. In Intel Oaktrail platform, MPH (Multi-Port Host +Controller) core clears PORT_SUSPEND directly when SW sets PORT_RESUME +bit. If we rely on PORT_SUSPEND bit to stop USB resume, we will miss +the action of clearing PORT_RESUME. This will cause unexpected long +resume signal on USB bus. + +Signed-off-by: Wang Zhi <zhi.wang@windriver.com> +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/host/ehci-hub.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -245,7 +245,7 @@ static int ehci_bus_resume (struct usb_h + u32 temp; + u32 power_okay; + int i; +- u8 resume_needed = 0; ++ unsigned long resume_needed = 0; + + if (time_before (jiffies, ehci->next_statechange)) + msleep(5); +@@ -309,7 +309,7 @@ static int ehci_bus_resume (struct usb_h + if (test_bit(i, &ehci->bus_suspended) && + (temp & PORT_SUSPEND)) { + temp |= PORT_RESUME; +- resume_needed = 1; ++ set_bit(i, &resume_needed); + } + ehci_writel(ehci, temp, &ehci->regs->port_status [i]); + } +@@ -324,8 +324,7 @@ static int ehci_bus_resume (struct usb_h + i = HCS_N_PORTS (ehci->hcs_params); + while (i--) { + temp = ehci_readl(ehci, &ehci->regs->port_status [i]); +- if (test_bit(i, &ehci->bus_suspended) && +- (temp & PORT_SUSPEND)) { ++ if (test_bit(i, &resume_needed)) { + temp &= ~(PORT_RWC_BITS | PORT_RESUME); + ehci_writel(ehci, temp, &ehci->regs->port_status [i]); + ehci_vdbg (ehci, "resumed port %d\n", i + 1); diff --git a/releases/2.6.33.20/usb-ftdi_sio-add-calao-reference-board-support.patch b/releases/2.6.33.20/usb-ftdi_sio-add-calao-reference-board-support.patch new file mode 100644 index 0000000..599ef2d --- /dev/null +++ b/releases/2.6.33.20/usb-ftdi_sio-add-calao-reference-board-support.patch @@ -0,0 +1,76 @@ +From c96fbdd0ab97235f930ebf24b38fa42a2e3458cf Mon Sep 17 00:00:00 2001 +From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> +Date: Thu, 25 Aug 2011 11:46:58 +0200 +Subject: USB: ftdi_sio: add Calao reference board support + +From: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> + +commit c96fbdd0ab97235f930ebf24b38fa42a2e3458cf upstream. + +Calao use on there dev kits a FT2232 where the port 0 is used for the JTAG and +port 1 for the UART + +They use the same VID and PID as FTDI Chip but they program the manufacturer +name in the eeprom + +So use this information to detect it + +Signed-off-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> +Cc: Gregory Hermant <gregory.hermant@calao-systems.com> +Cc: Alan Cox <alan@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/ftdi_sio.c | 20 +++++++++++++++++++- + 1 file changed, 19 insertions(+), 1 deletion(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -105,6 +105,7 @@ static int ftdi_jtag_probe(struct usb_ + static int ftdi_mtxorb_hack_setup(struct usb_serial *serial); + static int ftdi_NDI_device_setup(struct usb_serial *serial); + static int ftdi_stmclite_probe(struct usb_serial *serial); ++static int ftdi_8u2232c_probe(struct usb_serial *serial); + static void ftdi_USB_UIRT_setup(struct ftdi_private *priv); + static void ftdi_HE_TIRA1_setup(struct ftdi_private *priv); + +@@ -132,6 +133,10 @@ static struct ftdi_sio_quirk ftdi_stmcli + .probe = ftdi_stmclite_probe, + }; + ++static struct ftdi_sio_quirk ftdi_8u2232c_quirk = { ++ .probe = ftdi_8u2232c_probe, ++}; ++ + /* + * The 8U232AM has the same API as the sio except for: + * - it can support MUCH higher baudrates; up to: +@@ -178,7 +183,8 @@ static struct usb_device_id id_table_com + { USB_DEVICE(FTDI_VID, FTDI_8U232AM_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_8U232AM_ALT_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_232RL_PID) }, +- { USB_DEVICE(FTDI_VID, FTDI_8U2232C_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_8U2232C_PID) , ++ .driver_info = (kernel_ulong_t)&ftdi_8u2232c_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_4232H_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_MICRO_CHAMELEON_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_RELAIS_PID) }, +@@ -1739,6 +1745,18 @@ static int ftdi_jtag_probe(struct usb_se + + return 0; + } ++ ++static int ftdi_8u2232c_probe(struct usb_serial *serial) ++{ ++ struct usb_device *udev = serial->dev; ++ ++ dbg("%s", __func__); ++ ++ if (strcmp(udev->manufacturer, "CALAO Systems") == 0) ++ return ftdi_jtag_probe(serial); ++ ++ return 0; ++} + + /* + * First and second port on STMCLiteadaptors is reserved for JTAG interface diff --git a/releases/2.6.33.20/usb-ftdi_sio-add-pid-for-sony-ericsson-urban.patch b/releases/2.6.33.20/usb-ftdi_sio-add-pid-for-sony-ericsson-urban.patch new file mode 100644 index 0000000..e8fe46b --- /dev/null +++ b/releases/2.6.33.20/usb-ftdi_sio-add-pid-for-sony-ericsson-urban.patch @@ -0,0 +1,47 @@ +From 74bdf22b5c3858b06af46f19d05c23e76c40a3bb Mon Sep 17 00:00:00 2001 +From: Hakan Kvist <hakan.kvist@sonyericsson.com> +Date: Mon, 3 Oct 2011 13:41:15 +0200 +Subject: USB: ftdi_sio: add PID for Sony Ericsson Urban + +From: Hakan Kvist <hakan.kvist@sonyericsson.com> + +commit 74bdf22b5c3858b06af46f19d05c23e76c40a3bb upstream. + +Add PID 0xfc8a, 0xfc8b for device Sony Ericsson Urban + +Signed-off-by: Hakan Kvist <hakan.kvist@sonyericsson.com> +Signed-off-by: Oskar Andero <oskar.andero@sonyericsson.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 6 ++++-- + 2 files changed, 6 insertions(+), 2 deletions(-) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -205,6 +205,8 @@ static struct usb_device_id id_table_com + { USB_DEVICE(FTDI_VID, FTDI_XF_640_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_XF_642_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_DSS20_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_URBAN_0_PID) }, ++ { USB_DEVICE(FTDI_VID, FTDI_URBAN_1_PID) }, + { USB_DEVICE(FTDI_NF_RIC_VID, FTDI_NF_RIC_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_VNHCPCUSB_D_PID) }, + { USB_DEVICE(FTDI_VID, FTDI_MTXORB_0_PID) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -399,9 +399,11 @@ + #define PROTEGO_SPECIAL_4 0xFC73 /* special/unknown device */ + + /* +- * DSS-20 Sync Station for Sony Ericsson P800 ++ * Sony Ericsson product ids + */ +-#define FTDI_DSS20_PID 0xFC82 ++#define FTDI_DSS20_PID 0xFC82 /* DSS-20 Sync Station for Sony Ericsson P800 */ ++#define FTDI_URBAN_0_PID 0xFC8A /* Sony Ericsson Urban, uart #0 */ ++#define FTDI_URBAN_1_PID 0xFC8B /* Sony Ericsson Urban, uart #1 */ + + /* www.irtrans.de device */ + #define FTDI_IRTRANS_PID 0xFC60 /* Product Id */ diff --git a/releases/2.6.33.20/usb-ftdi_sio-support-ti-luminary-micro-stellaris-bd-icdi.patch b/releases/2.6.33.20/usb-ftdi_sio-support-ti-luminary-micro-stellaris-bd-icdi.patch new file mode 100644 index 0000000..cf8f046 --- /dev/null +++ b/releases/2.6.33.20/usb-ftdi_sio-support-ti-luminary-micro-stellaris-bd-icdi.patch @@ -0,0 +1,47 @@ +From 3687f641307eeff6f7fe31a88dc39db88e89238b Mon Sep 17 00:00:00 2001 +From: Peter Stuge <peter@stuge.se> +Date: Mon, 10 Oct 2011 03:34:54 +0200 +Subject: USB: ftdi_sio: Support TI/Luminary Micro Stellaris BD-ICDI Board + +From: Peter Stuge <peter@stuge.se> + +commit 3687f641307eeff6f7fe31a88dc39db88e89238b upstream. + +Some Stellaris evaluation kits have the JTAG/SWD FTDI chip onboard, +and some, like EK-LM3S9B90, come with a separate In-Circuit Debugger +Interface Board. The ICDI board can also be used stand-alone, for +other boards and chips than the kit it came with. The ICDI has both +old style 20-pin JTAG connector and new style JTAG/SWD 10-pin 1.27mm +pitch connector. + +Tested with EK-LM3S9B90, where the BD-ICDI board is included. + +Signed-off-by: Peter Stuge <peter@stuge.se> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/ftdi_sio.c | 2 ++ + drivers/usb/serial/ftdi_sio_ids.h | 1 + + 2 files changed, 3 insertions(+) + +--- a/drivers/usb/serial/ftdi_sio.c ++++ b/drivers/usb/serial/ftdi_sio.c +@@ -744,6 +744,8 @@ static struct usb_device_id id_table_com + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, LMI_LM3S_EVAL_BOARD_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, ++ { USB_DEVICE(FTDI_VID, LMI_LM3S_ICDI_BOARD_PID), ++ .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(FTDI_VID, FTDI_TURTELIZER_PID), + .driver_info = (kernel_ulong_t)&ftdi_jtag_quirk }, + { USB_DEVICE(RATOC_VENDOR_ID, RATOC_PRODUCT_ID_USB60F) }, +--- a/drivers/usb/serial/ftdi_sio_ids.h ++++ b/drivers/usb/serial/ftdi_sio_ids.h +@@ -48,6 +48,7 @@ + /* FTDI 2332C Dual channel device, side A=245 FIFO (JTAG), Side B=RS232 UART */ + #define LMI_LM3S_DEVEL_BOARD_PID 0xbcd8 + #define LMI_LM3S_EVAL_BOARD_PID 0xbcd9 ++#define LMI_LM3S_ICDI_BOARD_PID 0xbcda + + #define FTDI_TURTELIZER_PID 0xBDC8 /* JTAG/RS-232 adapter by egnite GmBH */ + diff --git a/releases/2.6.33.20/usb-pid_ns-ensure-pid-is-not-freed-during.patch b/releases/2.6.33.20/usb-pid_ns-ensure-pid-is-not-freed-during.patch new file mode 100644 index 0000000..9f0f8ff --- /dev/null +++ b/releases/2.6.33.20/usb-pid_ns-ensure-pid-is-not-freed-during.patch @@ -0,0 +1,45 @@ +From aec01c5895051849ed842dc5b8794017a7751f28 Mon Sep 17 00:00:00 2001 +From: Serge Hallyn <serge.hallyn@canonical.com> +Date: Mon, 26 Sep 2011 10:18:29 -0500 +Subject: USB: pid_ns: ensure pid is not freed during kill_pid_info_as_uid + +From: Serge Hallyn <serge.hallyn@canonical.com> + +commit aec01c5895051849ed842dc5b8794017a7751f28 upstream. + +Alan Stern points out that after spin_unlock(&ps->lock) there is no +guarantee that ps->pid won't be freed. Since kill_pid_info_as_uid() is +called after the spin_unlock(), the pid passed to it must be pinned. + +Reported-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Serge Hallyn <serge.hallyn@canonical.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/core/devio.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/drivers/usb/core/devio.c ++++ b/drivers/usb/core/devio.c +@@ -403,7 +403,7 @@ static void async_completed(struct urb * + sinfo.si_errno = as->status; + sinfo.si_code = SI_ASYNCIO; + sinfo.si_addr = as->userurb; +- pid = as->pid; ++ pid = get_pid(as->pid); + uid = as->uid; + euid = as->euid; + secid = as->secid; +@@ -416,9 +416,11 @@ static void async_completed(struct urb * + cancel_bulk_urbs(ps, as->bulk_addr); + spin_unlock(&ps->lock); + +- if (signr) ++ if (signr) { + kill_pid_info_as_uid(sinfo.si_signo, &sinfo, pid, uid, + euid, secid); ++ put_pid(pid); ++ } + + wake_up(&ps->wait); + } diff --git a/releases/2.6.33.20/usb-pl2303-add-id-for-smart-device.patch b/releases/2.6.33.20/usb-pl2303-add-id-for-smart-device.patch new file mode 100644 index 0000000..550da62 --- /dev/null +++ b/releases/2.6.33.20/usb-pl2303-add-id-for-smart-device.patch @@ -0,0 +1,42 @@ +From 598f0b703506da841d3459dc0c48506be14d1778 Mon Sep 17 00:00:00 2001 +From: Eric Benoit <eric@ecks.ca> +Date: Sat, 24 Sep 2011 02:04:50 -0400 +Subject: USB: pl2303: add id for SMART device + +From: Eric Benoit <eric@ecks.ca> + +commit 598f0b703506da841d3459dc0c48506be14d1778 upstream. + +Add vendor and product ID for the SMART USB to serial adapter. These +were meant to be used with their SMART Board whiteboards, but can be +re-purposed for other tasks. Tested and working (at at least 9600 bps). + +Signed-off-by: Eric Benoit <eric@ecks.ca> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 5 +++++ + 2 files changed, 6 insertions(+) + +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -101,6 +101,7 @@ static struct usb_device_id id_table [] + { USB_DEVICE(SANWA_VENDOR_ID, SANWA_PRODUCT_ID) }, + { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530_PRODUCT_ID) }, + { USB_DEVICE(WINCHIPHEAD_VENDOR_ID, WINCHIPHEAD_USBSER_PRODUCT_ID) }, ++ { USB_DEVICE(SMART_VENDOR_ID, SMART_PRODUCT_ID) }, + { } /* Terminating entry */ + }; + +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -144,3 +144,8 @@ + /* WinChipHead USB->RS 232 adapter */ + #define WINCHIPHEAD_VENDOR_ID 0x4348 + #define WINCHIPHEAD_USBSER_PRODUCT_ID 0x5523 ++ ++/* SMART USB Serial Adapter */ ++#define SMART_VENDOR_ID 0x0b8c ++#define SMART_PRODUCT_ID 0x2303 ++ diff --git a/releases/2.6.33.20/usb-pl2303-correctly-handle-baudrates-above-115200.patch b/releases/2.6.33.20/usb-pl2303-correctly-handle-baudrates-above-115200.patch new file mode 100644 index 0000000..69bdf34 --- /dev/null +++ b/releases/2.6.33.20/usb-pl2303-correctly-handle-baudrates-above-115200.patch @@ -0,0 +1,53 @@ +From 8d48fdf689fed2c73c493e5146d1463689246442 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Micha=C5=82=20Sroczy=C5=84ski?= <msroczyn@gmail.com> +Date: Tue, 5 Jul 2011 21:53:35 +0200 +Subject: USB: PL2303: correctly handle baudrates above 115200 + +From: Michal Sroczynski <msroczyn@gmail.com> + +commit 8d48fdf689fed2c73c493e5146d1463689246442 upstream. + +PL2303: correctly handle baudrates above 115200 + +Signed-off-by: Michal Sroczynski <msroczyn@gmail.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/pl2303.c | 26 ++++++++++++++++++++++---- + 1 file changed, 22 insertions(+), 4 deletions(-) + +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -616,10 +616,28 @@ static void pl2303_set_termios(struct tt + baud = 6000000; + } + dbg("%s - baud set = %d", __func__, baud); +- buf[0] = baud & 0xff; +- buf[1] = (baud >> 8) & 0xff; +- buf[2] = (baud >> 16) & 0xff; +- buf[3] = (baud >> 24) & 0xff; ++ if (baud <= 115200) { ++ buf[0] = baud & 0xff; ++ buf[1] = (baud >> 8) & 0xff; ++ buf[2] = (baud >> 16) & 0xff; ++ buf[3] = (baud >> 24) & 0xff; ++ } else { ++ /* apparently the formula for higher speeds is: ++ * baudrate = 12M * 32 / (2^buf[1]) / buf[0] ++ */ ++ unsigned tmp = 12*1000*1000*32 / baud; ++ buf[3] = 0x80; ++ buf[2] = 0; ++ buf[1] = (tmp >= 256); ++ while (tmp >= 256) { ++ tmp >>= 2; ++ buf[1] <<= 1; ++ } ++ if (tmp > 256) { ++ tmp %= 256; ++ } ++ buf[0] = tmp; ++ } + } + + /* For reference buf[4]=0 is 1 stop bits */ diff --git a/releases/2.6.33.20/usb-qcserial-add-device-id-for-hp-un2430-mobile-broadband-module.patch b/releases/2.6.33.20/usb-qcserial-add-device-id-for-hp-un2430-mobile-broadband-module.patch new file mode 100644 index 0000000..f31fd6d --- /dev/null +++ b/releases/2.6.33.20/usb-qcserial-add-device-id-for-hp-un2430-mobile-broadband-module.patch @@ -0,0 +1,28 @@ +From 1bfac90d1b8e63a4d44158c3445d8fda3fb6d5eb Mon Sep 17 00:00:00 2001 +From: Rigbert Hamisch <rigbert@gmx.de> +Date: Tue, 27 Sep 2011 10:46:43 +0200 +Subject: USB: qcserial: add device ID for "HP un2430 Mobile Broadband Module" + +From: Rigbert Hamisch <rigbert@gmx.de> + +commit 1bfac90d1b8e63a4d44158c3445d8fda3fb6d5eb upstream. + +add device ID for "HP un2430 Mobile Broadband Module" + +Signed-off-by: Rigbert Hamisch <rigbert@gmx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/serial/qcserial.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/drivers/usb/serial/qcserial.c ++++ b/drivers/usb/serial/qcserial.c +@@ -26,6 +26,7 @@ static struct usb_device_id id_table[] = + {USB_DEVICE(0x05c6, 0x9212)}, /* Acer Gobi Modem Device */ + {USB_DEVICE(0x03f0, 0x1f1d)}, /* HP un2400 Gobi Modem Device */ + {USB_DEVICE(0x03f0, 0x201d)}, /* HP un2400 Gobi QDL Device */ ++ {USB_DEVICE(0x03f0, 0x371d)}, /* HP un2430 Mobile Broadband Module */ + {USB_DEVICE(0x04da, 0x250d)}, /* Panasonic Gobi Modem device */ + {USB_DEVICE(0x04da, 0x250c)}, /* Panasonic Gobi QDL device */ + {USB_DEVICE(0x413c, 0x8172)}, /* Dell Gobi Modem device */ diff --git a/releases/2.6.33.20/usb-storage-use-normalized-sense-when-emulating-autosense.patch b/releases/2.6.33.20/usb-storage-use-normalized-sense-when-emulating-autosense.patch new file mode 100644 index 0000000..bac99fe --- /dev/null +++ b/releases/2.6.33.20/usb-storage-use-normalized-sense-when-emulating-autosense.patch @@ -0,0 +1,101 @@ +From e16da02fcdf1c5e824432f88abf42623dafdf191 Mon Sep 17 00:00:00 2001 +From: Luben Tuikov <ltuikov@yahoo.com> +Date: Thu, 11 Nov 2010 15:43:11 -0800 +Subject: USB: storage: Use normalized sense when emulating autosense + +From: Luben Tuikov <ltuikov@yahoo.com> + +commit e16da02fcdf1c5e824432f88abf42623dafdf191 upstream. + +This patch solves two things: +1) Enables autosense emulation code to correctly +interpret descriptor format sense data, and +2) Fixes a bug whereby the autosense emulation +code would overwrite descriptor format sense data +with SENSE KEY HARDWARE ERROR in fixed format, to +incorrectly look like this: + +Oct 21 14:11:07 localhost kernel: sd 7:0:0:0: [sdc] Sense Key : Recovered Error [current] [descriptor] +Oct 21 14:11:07 localhost kernel: Descriptor sense data with sense descriptors (in hex): +Oct 21 14:11:07 localhost kernel: 72 01 04 1d 00 00 00 0e 09 0c 00 00 00 00 00 00 +Oct 21 14:11:07 localhost kernel: 00 4f 00 c2 00 50 +Oct 21 14:11:07 localhost kernel: sd 7:0:0:0: [sdc] ASC=0x4 ASCQ=0x1d + +Signed-off-by: Luben Tuikov <ltuikov@yahoo.com> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Acked-by: Matthew Dharm <mdharm-usb@one-eyed-alien.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/storage/transport.c | 34 +++++++++++++++++++--------------- + 1 file changed, 19 insertions(+), 15 deletions(-) + +--- a/drivers/usb/storage/transport.c ++++ b/drivers/usb/storage/transport.c +@@ -693,6 +693,9 @@ void usb_stor_invoke_transport(struct sc + int temp_result; + struct scsi_eh_save ses; + int sense_size = US_SENSE_SIZE; ++ struct scsi_sense_hdr sshdr; ++ const u8 *scdd; ++ u8 fm_ili; + + /* device supports and needs bigger sense buffer */ + if (us->fflags & US_FL_SANE_SENSE) +@@ -776,32 +779,30 @@ Retry_Sense: + srb->sense_buffer[7] = (US_SENSE_SIZE - 8); + } + ++ scsi_normalize_sense(srb->sense_buffer, SCSI_SENSE_BUFFERSIZE, ++ &sshdr); ++ + US_DEBUGP("-- Result from auto-sense is %d\n", temp_result); + US_DEBUGP("-- code: 0x%x, key: 0x%x, ASC: 0x%x, ASCQ: 0x%x\n", +- srb->sense_buffer[0], +- srb->sense_buffer[2] & 0xf, +- srb->sense_buffer[12], +- srb->sense_buffer[13]); ++ sshdr.response_code, sshdr.sense_key, ++ sshdr.asc, sshdr.ascq); + #ifdef CONFIG_USB_STORAGE_DEBUG +- usb_stor_show_sense( +- srb->sense_buffer[2] & 0xf, +- srb->sense_buffer[12], +- srb->sense_buffer[13]); ++ usb_stor_show_sense(sshdr.sense_key, sshdr.asc, sshdr.ascq); + #endif + + /* set the result so the higher layers expect this data */ + srb->result = SAM_STAT_CHECK_CONDITION; + ++ scdd = scsi_sense_desc_find(srb->sense_buffer, ++ SCSI_SENSE_BUFFERSIZE, 4); ++ fm_ili = (scdd ? scdd[3] : srb->sense_buffer[2]) & 0xA0; ++ + /* We often get empty sense data. This could indicate that + * everything worked or that there was an unspecified + * problem. We have to decide which. + */ +- if ( /* Filemark 0, ignore EOM, ILI 0, no sense */ +- (srb->sense_buffer[2] & 0xaf) == 0 && +- /* No ASC or ASCQ */ +- srb->sense_buffer[12] == 0 && +- srb->sense_buffer[13] == 0) { +- ++ if (sshdr.sense_key == 0 && sshdr.asc == 0 && sshdr.ascq == 0 && ++ fm_ili == 0) { + /* If things are really okay, then let's show that. + * Zero out the sense buffer so the higher layers + * won't realize we did an unsolicited auto-sense. +@@ -816,7 +817,10 @@ Retry_Sense: + */ + } else { + srb->result = DID_ERROR << 16; +- srb->sense_buffer[2] = HARDWARE_ERROR; ++ if ((sshdr.response_code & 0x72) == 0x72) ++ srb->sense_buffer[1] = HARDWARE_ERROR; ++ else ++ srb->sense_buffer[2] = HARDWARE_ERROR; + } + } + } diff --git a/releases/2.6.33.20/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch b/releases/2.6.33.20/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch new file mode 100644 index 0000000..3ff5f19 --- /dev/null +++ b/releases/2.6.33.20/usbmon-vs.-tcpdump-fix-dropped-packet-count.patch @@ -0,0 +1,36 @@ +From 236c448cb6e7f82096101e1ace4b77f8b38f82c8 Mon Sep 17 00:00:00 2001 +From: Johannes Stezenbach <js@sig21.net> +Date: Thu, 8 Sep 2011 15:39:15 +0200 +Subject: usbmon vs. tcpdump: fix dropped packet count + +From: Johannes Stezenbach <js@sig21.net> + +commit 236c448cb6e7f82096101e1ace4b77f8b38f82c8 upstream. + +Report the number of dropped packets instead of zero +when using the binary usbmon interface with tcpdump. + +# tcpdump -i usbmon1 -w dump +tcpdump: listening on usbmon1, link-type USB_LINUX_MMAPPED (USB with padded Linux header), capture size 65535 bytes +^C2155 packets captured +2155 packets received by filter +1019 packets dropped by kernel + +Signed-off-by: Johannes Stezenbach <js@sig21.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/mon/mon_bin.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/usb/mon/mon_bin.c ++++ b/drivers/usb/mon/mon_bin.c +@@ -1074,7 +1074,7 @@ static int mon_bin_ioctl(struct inode *i + nevents = mon_bin_queued(rp); + + sp = (struct mon_bin_stats __user *)arg; +- if (put_user(rp->cnt_lost, &sp->dropped)) ++ if (put_user(ndropped, &sp->dropped)) + return -EFAULT; + if (put_user(nevents, &sp->queued)) + return -EFAULT; diff --git a/releases/2.6.33.20/uvcvideo-set-alternate-setting-0-on-resume-if-the-bus-has-been-reset.patch b/releases/2.6.33.20/uvcvideo-set-alternate-setting-0-on-resume-if-the-bus-has-been-reset.patch new file mode 100644 index 0000000..d38a042 --- /dev/null +++ b/releases/2.6.33.20/uvcvideo-set-alternate-setting-0-on-resume-if-the-bus-has-been-reset.patch @@ -0,0 +1,74 @@ +From d59a7b1dbce8b972ec2dc9fcaaae0bfa23687423 Mon Sep 17 00:00:00 2001 +From: Ming Lei <tom.leiming@gmail.com> +Date: Sat, 16 Jul 2011 00:51:00 -0300 +Subject: [media] uvcvideo: Set alternate setting 0 on resume if the bus has been reset + +From: Ming Lei <tom.leiming@gmail.com> + +commit d59a7b1dbce8b972ec2dc9fcaaae0bfa23687423 upstream. + +If the bus has been reset on resume, set the alternate setting to 0. +This should be the default value, but some devices crash or otherwise +misbehave if they don't receive a SET_INTERFACE request before any other +video control request. + +Microdia's 0c45:6437 camera has been found to require this change or it +will stop sending video data after resume. + +uvc_video.c] + +Signed-off-by: Ming Lei <ming.lei@canonical.com> +Signed-off-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/media/video/uvc/uvc_driver.c | 2 +- + drivers/media/video/uvc/uvc_video.c | 10 +++++++++- + drivers/media/video/uvc/uvcvideo.h | 2 +- + 3 files changed, 11 insertions(+), 3 deletions(-) + +--- a/drivers/media/video/uvc/uvc_driver.c ++++ b/drivers/media/video/uvc/uvc_driver.c +@@ -1891,7 +1891,7 @@ static int __uvc_resume(struct usb_inter + + list_for_each_entry(stream, &dev->streams, list) { + if (stream->intf == intf) +- return uvc_video_resume(stream); ++ return uvc_video_resume(stream, reset); + } + + uvc_trace(UVC_TRACE_SUSPEND, "Resume: video streaming USB interface " +--- a/drivers/media/video/uvc/uvc_video.c ++++ b/drivers/media/video/uvc/uvc_video.c +@@ -1045,10 +1045,18 @@ int uvc_video_suspend(struct uvc_streami + * buffers, making sure userspace applications are notified of the problem + * instead of waiting forever. + */ +-int uvc_video_resume(struct uvc_streaming *stream) ++int uvc_video_resume(struct uvc_streaming *stream, int reset) + { + int ret; + ++ /* If the bus has been reset on resume, set the alternate setting to 0. ++ * This should be the default value, but some devices crash or otherwise ++ * misbehave if they don't receive a SET_INTERFACE request before any ++ * other video control request. ++ */ ++ if (reset) ++ usb_set_interface(stream->dev->udev, stream->intfnum, 0); ++ + stream->frozen = 0; + + ret = uvc_commit_video(stream, &stream->ctrl); +--- a/drivers/media/video/uvc/uvcvideo.h ++++ b/drivers/media/video/uvc/uvcvideo.h +@@ -604,7 +604,7 @@ extern const struct v4l2_file_operations + /* Video */ + extern int uvc_video_init(struct uvc_streaming *stream); + extern int uvc_video_suspend(struct uvc_streaming *stream); +-extern int uvc_video_resume(struct uvc_streaming *stream); ++extern int uvc_video_resume(struct uvc_streaming *stream, int reset); + extern int uvc_video_enable(struct uvc_streaming *stream, int enable); + extern int uvc_probe_video(struct uvc_streaming *stream, + struct uvc_streaming_control *probe); diff --git a/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch b/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch new file mode 100644 index 0000000..d41c76e --- /dev/null +++ b/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-stack-expansion.patch @@ -0,0 +1,50 @@ +From a626ca6a656450e9f4df91d0dda238fff23285f4 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Wed, 13 Apr 2011 08:07:28 -0700 +Subject: vm: fix vm_pgoff wrap in stack expansion +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Linus Torvalds <torvalds@linux-foundation.org> + +commit a626ca6a656450e9f4df91d0dda238fff23285f4 upstream. + +Commit 982134ba6261 ("mm: avoid wrapping vm_pgoff in mremap()") fixed +the case of a expanding mapping causing vm_pgoff wrapping when you used +mremap. But there was another case where we expand mappings hiding in +plain sight: the automatic stack expansion. + +This fixes that case too. + +This one also found by Robert ÅšwiÄ™cki, using his nasty system call +fuzzer tool. Good job. + +Reported-and-tested-by: Robert ÅšwiÄ™cki <robert@swiecki.net> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + mm/mmap.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1721,10 +1721,13 @@ static int expand_downwards(struct vm_ar + size = vma->vm_end - address; + grow = (vma->vm_start - address) >> PAGE_SHIFT; + +- error = acct_stack_growth(vma, size, grow); +- if (!error) { +- vma->vm_start = address; +- vma->vm_pgoff -= grow; ++ error = -ENOMEM; ++ if (grow <= vma->vm_pgoff) { ++ error = acct_stack_growth(vma, size, grow); ++ if (!error) { ++ vma->vm_start = address; ++ vma->vm_pgoff -= grow; ++ } + } + } + anon_vma_unlock(vma); diff --git a/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch b/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch new file mode 100644 index 0000000..004278e --- /dev/null +++ b/releases/2.6.33.20/vm-fix-vm_pgoff-wrap-in-upward-expansion.patch @@ -0,0 +1,42 @@ +From 42c36f63ac1366ab0ecc2d5717821362c259f517 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins <hughd@google.com> +Date: Mon, 9 May 2011 17:44:42 -0700 +Subject: vm: fix vm_pgoff wrap in upward expansion + +From: Hugh Dickins <hughd@google.com> + +commit 42c36f63ac1366ab0ecc2d5717821362c259f517 upstream. + +Commit a626ca6a6564 ("vm: fix vm_pgoff wrap in stack expansion") fixed +the case of an expanding mapping causing vm_pgoff wrapping when you had +downward stack expansion. But there was another case where IA64 and +PA-RISC expand mappings: upward expansion. + +This fixes that case too. + +Signed-off-by: Hugh Dickins <hughd@google.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + mm/mmap.c | 9 ++++++--- + 1 file changed, 6 insertions(+), 3 deletions(-) + +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -1677,9 +1677,12 @@ int expand_upwards(struct vm_area_struct + size = address - vma->vm_start; + grow = (address - vma->vm_end) >> PAGE_SHIFT; + +- error = acct_stack_growth(vma, size, grow); +- if (!error) +- vma->vm_end = address; ++ error = -ENOMEM; ++ if (vma->vm_pgoff + (size >> PAGE_SHIFT) >= vma->vm_pgoff) { ++ error = acct_stack_growth(vma, size, grow); ++ if (!error) ++ vma->vm_end = address; ++ } + } + anon_vma_unlock(vma); + return error; diff --git a/releases/2.6.33.20/watchdog-mtx1-wdt-fix-build-failure.patch b/releases/2.6.33.20/watchdog-mtx1-wdt-fix-build-failure.patch new file mode 100644 index 0000000..a3a1e52 --- /dev/null +++ b/releases/2.6.33.20/watchdog-mtx1-wdt-fix-build-failure.patch @@ -0,0 +1,40 @@ +From florian@openwrt.org Wed Nov 2 14:09:31 2011 +From: Florian Fainelli <florian@openwrt.org> +Date: Mon, 17 Oct 2011 19:47:44 +0200 +Subject: watchdog: mtx1-wdt: fix build failure +To: Wim Van Sebroeck <wim@iguana.be>, Greg KH <gregkh@suse.de>, linux-watchdog@vger.kernel.org +Message-ID: <201110171947.44673.florian@openwrt.org> + +From: Florian Fainelli <florian@openwrt.org> + +Commit 72b6e8a847 (watchdog: mtx1-wdt: request gpio before using it) was +backported from upstream. The patch is using a gpiolib call which is only +available in kernel 2.6.34+. Fix build by using the "old" gpiolib API +instead. + +Signed-off-by: Florian Fainelli <florian@openwrt.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/watchdog/mtx-1_wdt.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +--- a/drivers/watchdog/mtx-1_wdt.c ++++ b/drivers/watchdog/mtx-1_wdt.c +@@ -211,13 +211,14 @@ static int __devinit mtx1_wdt_probe(stru + int ret; + + mtx1_wdt_device.gpio = pdev->resource[0].start; +- ret = gpio_request_one(mtx1_wdt_device.gpio, +- GPIOF_OUT_INIT_HIGH, "mtx1-wdt"); ++ ret = gpio_request(mtx1_wdt_device.gpio, "mtx1-wdt"); + if (ret < 0) { + dev_err(&pdev->dev, "failed to request gpio"); + return ret; + } + ++ gpio_direction_output(mtx1_wdt_device.gpio, 1); ++ + spin_lock_init(&mtx1_wdt_device.lock); + init_completion(&mtx1_wdt_device.stop); + mtx1_wdt_device.queue = 0; diff --git a/releases/2.6.33.20/wireless-reset-beacon_found-while-updating-regulatory.patch b/releases/2.6.33.20/wireless-reset-beacon_found-while-updating-regulatory.patch new file mode 100644 index 0000000..8efb2ee --- /dev/null +++ b/releases/2.6.33.20/wireless-reset-beacon_found-while-updating-regulatory.patch @@ -0,0 +1,39 @@ +From aa3d7eef398dd4f29045e9889b817d5161afe03e Mon Sep 17 00:00:00 2001 +From: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Date: Wed, 14 Sep 2011 14:28:17 +0530 +Subject: wireless: Reset beacon_found while updating regulatory + +From: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> + +commit aa3d7eef398dd4f29045e9889b817d5161afe03e upstream. + +During the association, the regulatory is updated by country IE +that reaps the previously found beacons. The impact is that +after a STA disconnects *or* when for any reason a regulatory +domain change happens the beacon hint flag is not cleared +therefore preventing future beacon hints to be learned. +This is important as a regulatory domain change or a restore +of regulatory settings would set back the passive scan and no-ibss +flags on the channel. This is the right place to do this given that +it covers any regulatory domain change. + +Reviewed-by: Luis R. Rodriguez <mcgrof@gmail.com> +Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Acked-by: Luis R. Rodriguez <mcgrof@qca.qualcomm.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/wireless/reg.c | 1 + + 1 file changed, 1 insertion(+) + +--- a/net/wireless/reg.c ++++ b/net/wireless/reg.c +@@ -998,6 +998,7 @@ static void handle_channel(struct wiphy + return; + } + ++ chan->beacon_found = false; + chan->flags = flags | bw_flags | map_regdom_flags(reg_rule->flags); + chan->max_antenna_gain = min(chan->orig_mag, + (int) MBI_TO_DBI(power_rule->max_antenna_gain)); diff --git a/releases/2.6.33.20/x25-prevent-skb-overreads-when-checking-call-user-data.patch b/releases/2.6.33.20/x25-prevent-skb-overreads-when-checking-call-user-data.patch new file mode 100644 index 0000000..4689050 --- /dev/null +++ b/releases/2.6.33.20/x25-prevent-skb-overreads-when-checking-call-user-data.patch @@ -0,0 +1,36 @@ +From 7f81e25befdfb3272345a2e775f520e1d515fa20 Mon Sep 17 00:00:00 2001 +From: Matthew Daley <mattjd@gmail.com> +Date: Fri, 14 Oct 2011 18:45:05 +0000 +Subject: x25: Prevent skb overreads when checking call user data + +From: Matthew Daley <mattjd@gmail.com> + +commit 7f81e25befdfb3272345a2e775f520e1d515fa20 upstream. + +x25_find_listener does not check that the amount of call user data given +in the skb is big enough in per-socket comparisons, hence buffer +overreads may occur. Fix this by adding a check. + +Signed-off-by: Matthew Daley <mattjd@gmail.com> +Cc: Eric Dumazet <eric.dumazet@gmail.com> +Cc: Andrew Hendry <andrew.hendry@gmail.com> +Acked-by: Andrew Hendry <andrew.hendry@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/x25/af_x25.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +--- a/net/x25/af_x25.c ++++ b/net/x25/af_x25.c +@@ -294,7 +294,8 @@ static struct sock *x25_find_listener(st + * Found a listening socket, now check the incoming + * call user data vs this sockets call user data + */ +- if(skb->len > 0 && x25_sk(s)->cudmatchlength > 0) { ++ if (x25_sk(s)->cudmatchlength > 0 && ++ skb->len >= x25_sk(s)->cudmatchlength) { + if((memcmp(x25_sk(s)->calluserdata.cuddata, + skb->data, + x25_sk(s)->cudmatchlength)) == 0) { diff --git a/releases/2.6.33.20/x86-fix-compilation-bug-in-kprobes-twobyte_is_boostable.patch b/releases/2.6.33.20/x86-fix-compilation-bug-in-kprobes-twobyte_is_boostable.patch new file mode 100644 index 0000000..77f2178 --- /dev/null +++ b/releases/2.6.33.20/x86-fix-compilation-bug-in-kprobes-twobyte_is_boostable.patch @@ -0,0 +1,96 @@ +From 315eb8a2a1b7f335d40ceeeb11b9e067475eb881 Mon Sep 17 00:00:00 2001 +From: Josh Stone <jistone@redhat.com> +Date: Mon, 24 Oct 2011 10:15:51 -0700 +Subject: x86: Fix compilation bug in kprobes' twobyte_is_boostable +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +From: Josh Stone <jistone@redhat.com> + +commit 315eb8a2a1b7f335d40ceeeb11b9e067475eb881 upstream. + +When compiling an i386_defconfig kernel with gcc-4.6.1-9.fc15.i686, I +noticed a warning about the asm operand for test_bit in kprobes' +can_boost. I discovered that this caused only the first long of +twobyte_is_boostable[] to be output. + +Jakub filed and fixed gcc PR50571 to correct the warning and this output +issue. But to solve it for less current gcc, we can make kprobes' +twobyte_is_boostable[] non-const, and it won't be optimized out. + +Before: + + CC arch/x86/kernel/kprobes.o + In file included from include/linux/bitops.h:22:0, + from include/linux/kernel.h:17, + from [...]/arch/x86/include/asm/percpu.h:44, + from [...]/arch/x86/include/asm/current.h:5, + from [...]/arch/x86/include/asm/processor.h:15, + from [...]/arch/x86/include/asm/atomic.h:6, + from include/linux/atomic.h:4, + from include/linux/mutex.h:18, + from include/linux/notifier.h:13, + from include/linux/kprobes.h:34, + from arch/x86/kernel/kprobes.c:43: + [...]/arch/x86/include/asm/bitops.h: In function ‘can_boost.part.1’: + [...]/arch/x86/include/asm/bitops.h:319:2: warning: use of memory input + without lvalue in asm operand 1 is deprecated [enabled by default] + + $ objdump -rd arch/x86/kernel/kprobes.o | grep -A1 -w bt + 551: 0f a3 05 00 00 00 00 bt %eax,0x0 + 554: R_386_32 .rodata.cst4 + + $ objdump -s -j .rodata.cst4 -j .data arch/x86/kernel/kprobes.o + + arch/x86/kernel/kprobes.o: file format elf32-i386 + + Contents of section .data: + 0000 48000000 00000000 00000000 00000000 H............... + Contents of section .rodata.cst4: + 0000 4c030000 L... + +Only a single long of twobyte_is_boostable[] is in the object file. + +After, without the const on twobyte_is_boostable: + + $ objdump -rd arch/x86/kernel/kprobes.o | grep -A1 -w bt + 551: 0f a3 05 20 00 00 00 bt %eax,0x20 + 554: R_386_32 .data + + $ objdump -s -j .rodata.cst4 -j .data arch/x86/kernel/kprobes.o + + arch/x86/kernel/kprobes.o: file format elf32-i386 + + Contents of section .data: + 0000 48000000 00000000 00000000 00000000 H............... + 0010 00000000 00000000 00000000 00000000 ................ + 0020 4c030000 0f000200 ffff0000 ffcff0c0 L............... + 0030 0000ffff 3bbbfff8 03ff2ebb 26bb2e77 ....;.......&..w + +Now all 32 bytes are output into .data instead. + +Signed-off-by: Josh Stone <jistone@redhat.com> +Cc: Masami Hiramatsu <masami.hiramatsu.pt@hitachi.com> +Cc: Jakub Jelinek <jakub@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/x86/kernel/kprobes.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/arch/x86/kernel/kprobes.c ++++ b/arch/x86/kernel/kprobes.c +@@ -74,8 +74,10 @@ DEFINE_PER_CPU(struct kprobe_ctlblk, kpr + /* + * Undefined/reserved opcodes, conditional jump, Opcode Extension + * Groups, and some special opcodes can not boost. ++ * This is non-const to keep gcc from statically optimizing it out, as ++ * variable_test_bit makes gcc think only *(unsigned long*) is used. + */ +-static const u32 twobyte_is_boostable[256 / 32] = { ++static u32 twobyte_is_boostable[256 / 32] = { + /* 0 1 2 3 4 5 6 7 8 9 a b c d e f */ + /* ---------------------------------------------- */ + W(0x00, 0, 0, 1, 1, 0, 0, 1, 0, 1, 1, 0, 0, 0, 0, 0, 0) | /* 00 */ diff --git a/releases/2.6.33.20/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkfront_connect.patch b/releases/2.6.33.20/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkfront_connect.patch new file mode 100644 index 0000000..ff58ad5 --- /dev/null +++ b/releases/2.6.33.20/xen-blkfront-fix-data-size-for-xenbus_gather-in-blkfront_connect.patch @@ -0,0 +1,35 @@ +From 4352b47ab7918108b389a48d2163c9a4c2aaf139 Mon Sep 17 00:00:00 2001 +From: Marek Marczykowski <marmarek@mimuw.edu.pl> +Date: Tue, 3 May 2011 12:04:52 -0400 +Subject: xen-blkfront: fix data size for xenbus_gather in blkfront_connect + +From: Marek Marczykowski <marmarek@mimuw.edu.pl> + +commit 4352b47ab7918108b389a48d2163c9a4c2aaf139 upstream. + +barrier variable is int, not long. This overflow caused another variable +override: "err" (in PV code) and "binfo" (in xenlinux code - +drivers/xen/blkfront/blkfront.c). The later caused incorrect device +flags (RO/removable etc). + +Signed-off-by: Marek Marczykowski <marmarek@mimuw.edu.pl> +Acked-by: Ian Campbell <Ian.Campbell@citrix.com> +[v1: Changed title] +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/block/xen-blkfront.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +--- a/drivers/block/xen-blkfront.c ++++ b/drivers/block/xen-blkfront.c +@@ -890,7 +890,7 @@ static void blkfront_connect(struct blkf + } + + err = xenbus_gather(XBT_NIL, info->xbdev->otherend, +- "feature-barrier", "%lu", &info->feature_barrier, ++ "feature-barrier", "%d", &info->feature_barrier, + NULL); + if (err) + info->feature_barrier = 0; diff --git a/releases/2.6.33.20/xen-smp-warn-user-why-they-keel-over-nosmp-or-noapic-and-what-to-use-instead.patch b/releases/2.6.33.20/xen-smp-warn-user-why-they-keel-over-nosmp-or-noapic-and-what-to-use-instead.patch new file mode 100644 index 0000000..d4164ab --- /dev/null +++ b/releases/2.6.33.20/xen-smp-warn-user-why-they-keel-over-nosmp-or-noapic-and-what-to-use-instead.patch @@ -0,0 +1,52 @@ +From ed467e69f16e6b480e2face7bc5963834d025f91 Mon Sep 17 00:00:00 2001 +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Date: Thu, 1 Sep 2011 09:48:27 -0400 +Subject: xen/smp: Warn user why they keel over - nosmp or noapic and what to use instead. + +From: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> + +commit ed467e69f16e6b480e2face7bc5963834d025f91 upstream. + +We have hit a couple of customer bugs where they would like to +use those parameters to run an UP kernel - but both of those +options turn of important sources of interrupt information so +we end up not being able to boot. The correct way is to +pass in 'dom0_max_vcpus=1' on the Xen hypervisor line and +the kernel will patch itself to be a UP kernel. + +Fixes bug: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=637308 + +Acked-by: Ian Campbell <Ian.Campbell@eu.citrix.com> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/x86/xen/smp.c | 10 ++++++++++ + 1 file changed, 10 insertions(+) + +--- a/arch/x86/xen/smp.c ++++ b/arch/x86/xen/smp.c +@@ -30,6 +30,7 @@ + #include <xen/page.h> + #include <xen/events.h> + ++#include <xen/hvc-console.h> + #include "xen-ops.h" + #include "mmu.h" + +@@ -180,6 +181,15 @@ static void __init xen_smp_prepare_cpus( + { + unsigned cpu; + ++ if (skip_ioapic_setup) { ++ char *m = (max_cpus == 0) ? ++ "The nosmp parameter is incompatible with Xen; " \ ++ "use Xen dom0_max_vcpus=1 parameter" : ++ "The noapic parameter is incompatible with Xen"; ++ ++ xen_raw_printk(m); ++ panic(m); ++ } + xen_init_lock_cpu(0); + + smp_store_cpu_info(0); diff --git a/releases/2.6.33.20/xen-x86_32-do-not-enable-iterrupts-when-returning-from.patch b/releases/2.6.33.20/xen-x86_32-do-not-enable-iterrupts-when-returning-from.patch new file mode 100644 index 0000000..499fd89 --- /dev/null +++ b/releases/2.6.33.20/xen-x86_32-do-not-enable-iterrupts-when-returning-from.patch @@ -0,0 +1,57 @@ +From d198d499148a0c64a41b3aba9e7dd43772832b91 Mon Sep 17 00:00:00 2001 +From: Igor Mammedov <imammedo@redhat.com> +Date: Thu, 1 Sep 2011 13:46:55 +0200 +Subject: xen: x86_32: do not enable iterrupts when returning from exception in interrupt context + +From: Igor Mammedov <imammedo@redhat.com> + +commit d198d499148a0c64a41b3aba9e7dd43772832b91 upstream. + +If vmalloc page_fault happens inside of interrupt handler with interrupts +disabled then on exit path from exception handler when there is no pending +interrupts, the following code (arch/x86/xen/xen-asm_32.S:112): + + cmpw $0x0001, XEN_vcpu_info_pending(%eax) + sete XEN_vcpu_info_mask(%eax) + +will enable interrupts even if they has been previously disabled according to +eflags from the bounce frame (arch/x86/xen/xen-asm_32.S:99) + + testb $X86_EFLAGS_IF>>8, 8+1+ESP_OFFSET(%esp) + setz XEN_vcpu_info_mask(%eax) + +Solution is in setting XEN_vcpu_info_mask only when it should be set +according to + cmpw $0x0001, XEN_vcpu_info_pending(%eax) +but not clearing it if there isn't any pending events. + +Reproducer for bug is attached to RHBZ 707552 + +Signed-off-by: Igor Mammedov <imammedo@redhat.com> +Acked-by: Jeremy Fitzhardinge <jeremy@goop.org> +Signed-off-by: Konrad Rzeszutek Wilk <konrad.wilk@oracle.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + arch/x86/xen/xen-asm_32.S | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +--- a/arch/x86/xen/xen-asm_32.S ++++ b/arch/x86/xen/xen-asm_32.S +@@ -113,11 +113,13 @@ xen_iret_start_crit: + + /* + * If there's something pending, mask events again so we can +- * jump back into xen_hypervisor_callback ++ * jump back into xen_hypervisor_callback. Otherwise do not ++ * touch XEN_vcpu_info_mask. + */ +- sete XEN_vcpu_info_mask(%eax) ++ jne 1f ++ movb $1, XEN_vcpu_info_mask(%eax) + +- popl %eax ++1: popl %eax + + /* + * From this point on the registers are restored and the stack diff --git a/releases/2.6.33.20/xhci-mem.c-check-for-ring-first_seg-null.patch b/releases/2.6.33.20/xhci-mem.c-check-for-ring-first_seg-null.patch new file mode 100644 index 0000000..5438d31 --- /dev/null +++ b/releases/2.6.33.20/xhci-mem.c-check-for-ring-first_seg-null.patch @@ -0,0 +1,61 @@ +From 0e6c7f746ea99089fb3263709075c20485a479ae Mon Sep 17 00:00:00 2001 +From: Kautuk Consul <consul.kautuk@gmail.com> +Date: Mon, 19 Sep 2011 16:53:12 -0700 +Subject: xhci-mem.c: Check for ring->first_seg != NULL + +From: Kautuk Consul <consul.kautuk@gmail.com> + +commit 0e6c7f746ea99089fb3263709075c20485a479ae upstream. + +There are 2 situations wherein the xhci_ring* might not get freed: +- When xhci_ring_alloc() -> xhci_segment_alloc() returns NULL and + we goto the fail: label in xhci_ring_alloc. In this case, the ring + will not get kfreed. +- When the num_segs argument to xhci_ring_alloc is passed as 0 and + we try to free the rung after that. + ( This doesn't really happen as of now in the code but we seem to + be entertaining num_segs=0 in xhci_ring_alloc ) + +This should be backported to kernels as old as 2.6.31. + +Signed-off-by: Kautuk Consul <consul.kautuk@gmail.com> +Signed-off-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/usb/host/xhci-mem.c | 22 ++++++++++++---------- + 1 file changed, 12 insertions(+), 10 deletions(-) + +--- a/drivers/usb/host/xhci-mem.c ++++ b/drivers/usb/host/xhci-mem.c +@@ -110,18 +110,20 @@ void xhci_ring_free(struct xhci_hcd *xhc + struct xhci_segment *seg; + struct xhci_segment *first_seg; + +- if (!ring || !ring->first_seg) ++ if (!ring) + return; +- first_seg = ring->first_seg; +- seg = first_seg->next; +- xhci_dbg(xhci, "Freeing ring at %p\n", ring); +- while (seg != first_seg) { +- struct xhci_segment *next = seg->next; +- xhci_segment_free(xhci, seg); +- seg = next; ++ if (ring->first_seg) { ++ first_seg = ring->first_seg; ++ seg = first_seg->next; ++ xhci_dbg(xhci, "Freeing ring at %p\n", ring); ++ while (seg != first_seg) { ++ struct xhci_segment *next = seg->next; ++ xhci_segment_free(xhci, seg); ++ seg = next; ++ } ++ xhci_segment_free(xhci, first_seg); ++ ring->first_seg = NULL; + } +- xhci_segment_free(xhci, first_seg); +- ring->first_seg = NULL; + kfree(ring); + } + |