diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-01-24 00:12:32 -0500 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2011-01-24 00:12:32 -0500 |
commit | 9638db087a2b51cccb7dd73d29bced849c7c5765 (patch) | |
tree | 7b5727ab55b51a446567cff48442a31683469032 | |
parent | 2da2615949174c37c29ee1a81a91848b7256779e (diff) | |
download | rt-patches-9638db087a2b51cccb7dd73d29bced849c7c5765.tar.gz |
raw import of new content for v2.6.33.7.2-rt30
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
67 files changed, 6093 insertions, 6 deletions
diff --git a/9p-strlen-doesn-t-count-the-terminator.patch b/9p-strlen-doesn-t-count-the-terminator.patch new file mode 100644 index 0000000..31a5c25 --- /dev/null +++ b/9p-strlen-doesn-t-count-the-terminator.patch @@ -0,0 +1,36 @@ +From cad9c43ccdbc11387b4f2c4772e1a5f34f7e4230 Mon Sep 17 00:00:00 2001 +From: Dan Carpenter <error27@gmail.com> +Date: Fri, 9 Jul 2010 23:51:54 +0000 +Subject: [PATCH] 9p: strlen() doesn't count the terminator + +commit cad9c43ccdbc11387b4f2c4772e1a5f34f7e4230 in tip. + +commit 5c4bfa17f3ec46becec4b23d12323f7605ebd696 upstream. + +This is an off by one bug because strlen() doesn't count the NULL +terminator. We strcpy() addr into a fixed length array of size +UNIX_PATH_MAX later on. + +The addr variable is the name of the device being mounted. + +Signed-off-by: Dan Carpenter <error27@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c +index 31d0b05..7483789 100644 +--- a/net/9p/trans_fd.c ++++ b/net/9p/trans_fd.c +@@ -947,7 +947,7 @@ p9_fd_create_unix(struct p9_client *client, const char *addr, char *args) + + csocket = NULL; + +- if (strlen(addr) > UNIX_PATH_MAX) { ++ if (strlen(addr) >= UNIX_PATH_MAX) { + P9_EPRINTK(KERN_ERR, "p9_trans_unix: address too long: %s\n", + addr); + return -ENAMETOOLONG; +-- +1.7.1.1 + diff --git a/ALSA-seq-oss-Fix-double-free-at-error-path-of-snd_se.patch b/ALSA-seq-oss-Fix-double-free-at-error-path-of-snd_se.patch new file mode 100644 index 0000000..0f1ab92 --- /dev/null +++ b/ALSA-seq-oss-Fix-double-free-at-error-path-of-snd_se.patch @@ -0,0 +1,58 @@ +From 85b5abf5021d91c11185e25a542ce1f55b1a0f16 Mon Sep 17 00:00:00 2001 +From: Takashi Iwai <tiwai@suse.de> +Date: Mon, 6 Sep 2010 09:13:45 +0200 +Subject: [PATCH] ALSA: seq/oss - Fix double-free at error path of snd_seq_oss_open() + +commit 85b5abf5021d91c11185e25a542ce1f55b1a0f16 in tip. + +commit 27f7ad53829f79e799a253285318bff79ece15bd upstream + +The error handling in snd_seq_oss_open() has several bad codes that +do dereferecing released pointers and double-free of kmalloc'ed data. +The object dp is release in free_devinfo() that is called via +private_free callback. The rest shouldn't touch this object any more. + +The patch changes delete_port() to call kfree() in any case, and gets +rid of unnecessary calls of destructors in snd_seq_oss_open(). + +Fixes CVE-2010-3080. + +Reported-and-tested-by: Tavis Ormandy <taviso@cmpxchg8b.com> +Cc: <stable@kernel.org> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/sound/core/seq/oss/seq_oss_init.c b/sound/core/seq/oss/seq_oss_init.c +index d0d721c..1f133fe 100644 +--- a/sound/core/seq/oss/seq_oss_init.c ++++ b/sound/core/seq/oss/seq_oss_init.c +@@ -280,13 +280,10 @@ snd_seq_oss_open(struct file *file, int level) + return 0; + + _error: +- snd_seq_oss_writeq_delete(dp->writeq); +- snd_seq_oss_readq_delete(dp->readq); + snd_seq_oss_synth_cleanup(dp); + snd_seq_oss_midi_cleanup(dp); +- delete_port(dp); + delete_seq_queue(dp->queue); +- kfree(dp); ++ delete_port(dp); + + return rc; + } +@@ -349,8 +346,10 @@ create_port(struct seq_oss_devinfo *dp) + static int + delete_port(struct seq_oss_devinfo *dp) + { +- if (dp->port < 0) ++ if (dp->port < 0) { ++ kfree(dp); + return 0; ++ } + + debug_printk(("delete_port %i\n", dp->port)); + return snd_seq_event_port_detach(dp->cseq, dp->port); +-- +1.7.1.1 + diff --git a/AT91-SAM9G45-add-a-separate-clock-entry-for-every-si.patch b/AT91-SAM9G45-add-a-separate-clock-entry-for-every-si.patch new file mode 100644 index 0000000..551ab9e --- /dev/null +++ b/AT91-SAM9G45-add-a-separate-clock-entry-for-every-si.patch @@ -0,0 +1,85 @@ +From a8b881286deb207222f73e2668bb3033c306d253 Mon Sep 17 00:00:00 2001 +From: Fabian Godehardt <fg@emlix.com> +Date: Fri, 3 Sep 2010 13:31:33 +0100 +Subject: [PATCH] AT91: SAM9G45 - add a separate clock entry for every single TC block + +commit a8b881286deb207222f73e2668bb3033c306d253 in tip. + +commit ab64511cbbd03196d84bcc32c6e7b9d46543df7b upstream + +Without this patch you will not be able to register the first block +because of the second association call on at91_add_device_tc(). + +Signed-off-by: Fabian Godehardt <fg@emlix.com> +[nicolas.ferre@atmel.com: change tcb1_clk to fake child clock of tcb0_clk] +Acked-by: Jean-Christophe PLAGNIOL-VILLARD <plagnioj@jcrosoft.com> +Acked-by: Andrew Victor <linux@maxim.org.za> +Signed-off-by: Nicolas Ferre <nicolas.ferre@atmel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/arm/mach-at91/at91sam9g45.c b/arch/arm/mach-at91/at91sam9g45.c +index 85166b7..072cf1d 100644 +--- a/arch/arm/mach-at91/at91sam9g45.c ++++ b/arch/arm/mach-at91/at91sam9g45.c +@@ -120,8 +120,8 @@ static struct clk ssc1_clk = { + .pmc_mask = 1 << AT91SAM9G45_ID_SSC1, + .type = CLK_TYPE_PERIPHERAL, + }; +-static struct clk tcb_clk = { +- .name = "tcb_clk", ++static struct clk tcb0_clk = { ++ .name = "tcb0_clk", + .pmc_mask = 1 << AT91SAM9G45_ID_TCB, + .type = CLK_TYPE_PERIPHERAL, + }; +@@ -184,6 +184,14 @@ static struct clk ohci_clk = { + .parent = &uhphs_clk, + }; + ++/* One additional fake clock for second TC block */ ++static struct clk tcb1_clk = { ++ .name = "tcb1_clk", ++ .pmc_mask = 0, ++ .type = CLK_TYPE_PERIPHERAL, ++ .parent = &tcb0_clk, ++}; ++ + static struct clk *periph_clocks[] __initdata = { + &pioA_clk, + &pioB_clk, +@@ -200,7 +208,7 @@ static struct clk *periph_clocks[] __initdata = { + &spi1_clk, + &ssc0_clk, + &ssc1_clk, +- &tcb_clk, ++ &tcb0_clk, + &pwm_clk, + &tsc_clk, + &dma_clk, +@@ -213,6 +221,7 @@ static struct clk *periph_clocks[] __initdata = { + &mmc1_clk, + // irq0 + &ohci_clk, ++ &tcb1_clk, + }; + + /* +diff --git a/arch/arm/mach-at91/at91sam9g45_devices.c b/arch/arm/mach-at91/at91sam9g45_devices.c +index 809114d..4822019 100644 +--- a/arch/arm/mach-at91/at91sam9g45_devices.c ++++ b/arch/arm/mach-at91/at91sam9g45_devices.c +@@ -835,9 +835,9 @@ static struct platform_device at91sam9g45_tcb1_device = { + static void __init at91_add_device_tc(void) + { + /* this chip has one clock and irq for all six TC channels */ +- at91_clock_associate("tcb_clk", &at91sam9g45_tcb0_device.dev, "t0_clk"); ++ at91_clock_associate("tcb0_clk", &at91sam9g45_tcb0_device.dev, "t0_clk"); + platform_device_register(&at91sam9g45_tcb0_device); +- at91_clock_associate("tcb_clk", &at91sam9g45_tcb1_device.dev, "t0_clk"); ++ at91_clock_associate("tcb1_clk", &at91sam9g45_tcb1_device.dev, "t0_clk"); + platform_device_register(&at91sam9g45_tcb1_device); + } + #else +-- +1.7.1.1 + diff --git a/CIFS-Fix-compile-error-with-__init-in-cifs_init_dns_.patch b/CIFS-Fix-compile-error-with-__init-in-cifs_init_dns_.patch new file mode 100644 index 0000000..8ef0257 --- /dev/null +++ b/CIFS-Fix-compile-error-with-__init-in-cifs_init_dns_.patch @@ -0,0 +1,34 @@ +From e4de451d8b56ff7ada8f5219c221cc1417718229 Mon Sep 17 00:00:00 2001 +From: Michael Neuling <mikey@neuling.org> +Date: Wed, 4 Aug 2010 08:32:13 +1000 +Subject: [PATCH] CIFS: Fix compile error with __init in cifs_init_dns_resolver() definition + +commit e4de451d8b56ff7ada8f5219c221cc1417718229 in tip. + +An allmodconfig compile on ppc64 with 2.6.32.17 currently gives this error + +fs/cifs/dns_resolve.h:27: error: expected '=', ',', ';', 'asm' or '__attribute__' before 'cifs_init_dns_resolver' + +This adds the correct header file to fix this. + +Signed-off-by: Michael Neuling <mikey@neuling.org> +Cc: David Howells <dhowells@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/cifs/dns_resolve.h b/fs/cifs/dns_resolve.h +index 5d7f291..763237a 100644 +--- a/fs/cifs/dns_resolve.h ++++ b/fs/cifs/dns_resolve.h +@@ -24,6 +24,8 @@ + #define _DNS_RESOLVE_H + + #ifdef __KERNEL__ ++#include <linux/module.h> ++ + extern int __init cifs_init_dns_resolver(void); + extern void cifs_exit_dns_resolver(void); + extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr); +-- +1.7.1.1 + diff --git a/CIFS-Remove-__exit-mark-from-cifs_exit_dns_resolver.patch b/CIFS-Remove-__exit-mark-from-cifs_exit_dns_resolver.patch new file mode 100644 index 0000000..af3cc3e --- /dev/null +++ b/CIFS-Remove-__exit-mark-from-cifs_exit_dns_resolver.patch @@ -0,0 +1,49 @@ +From a9229e0ffd769ae29c19ef148bddcc8c34a9470a Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 30 Jul 2010 15:25:19 +0100 +Subject: [PATCH] CIFS: Remove __exit mark from cifs_exit_dns_resolver() + +commit a9229e0ffd769ae29c19ef148bddcc8c34a9470a in tip. + +commit 51c20fcced5badee0e2021c6c89f44aa3cbd72aa upstream. + +Remove the __exit mark from cifs_exit_dns_resolver() as it's called by the +module init routine in case of error, and so may have been discarded during +linkage. + +Signed-off-by: David Howells <dhowells@redhat.com> +Acked-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Michael Neuling <mikey@neuling.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/cifs/dns_resolve.c b/fs/cifs/dns_resolve.c +index 16f31c1..31da21f 100644 +--- a/fs/cifs/dns_resolve.c ++++ b/fs/cifs/dns_resolve.c +@@ -226,7 +226,7 @@ failed_put_cred: + return ret; + } + +-void __exit cifs_exit_dns_resolver(void) ++void cifs_exit_dns_resolver(void) + { + key_revoke(dns_resolver_cache->thread_keyring); + unregister_key_type(&key_type_dns_resolver); +diff --git a/fs/cifs/dns_resolve.h b/fs/cifs/dns_resolve.h +index 26b9eaa..5d7f291 100644 +--- a/fs/cifs/dns_resolve.h ++++ b/fs/cifs/dns_resolve.h +@@ -25,7 +25,7 @@ + + #ifdef __KERNEL__ + extern int __init cifs_init_dns_resolver(void); +-extern void __exit cifs_exit_dns_resolver(void); ++extern void cifs_exit_dns_resolver(void); + extern int dns_resolve_server_name_to_ip(const char *unc, char **ip_addr); + #endif /* KERNEL */ + +-- +1.7.1.1 + diff --git a/GFS2-rename-causes-kernel-Oops.patch b/GFS2-rename-causes-kernel-Oops.patch new file mode 100644 index 0000000..26435f9 --- /dev/null +++ b/GFS2-rename-causes-kernel-Oops.patch @@ -0,0 +1,69 @@ +From 7485c1e1593ab75bc6b9782d168b1a8aa65c79bb Mon Sep 17 00:00:00 2001 +From: Bob Peterson <rpeterso@redhat.com> +Date: Wed, 14 Jul 2010 18:12:26 -0400 +Subject: [PATCH] GFS2: rename causes kernel Oops + +commit 7485c1e1593ab75bc6b9782d168b1a8aa65c79bb in tip. + +commit 728a756b8fcd22d80e2dbba8117a8a3aafd3f203 upstream. + +This patch fixes a kernel Oops in the GFS2 rename code. + +The problem was in the way the gfs2 directory code was trying +to re-use sentinel directory entries. + +In the failing case, gfs2's rename function was renaming a +file to another name that had the same non-trivial length. +The file being renamed happened to be the first directory +entry on the leaf block. + +First, the rename code (gfs2_rename in ops_inode.c) found the +original directory entry and decided it could do its job by +simply replacing the directory entry with another. Therefore +it determined correctly that no block allocations were needed. + +Next, the rename code deleted the old directory entry prior to +replacing it with the new name. Therefore, the soon-to-be +replaced directory entry was temporarily made into a directory +entry "sentinel" or a place holder at the start of a leaf block. + +Lastly, it went to re-add the replacement directory entry in +that leaf block. However, when gfs2_dirent_find_space was +looking for space in the leaf block, it used the wrong value +for the sentinel. That threw off its calculations so later +it decides it can't really re-use the sentinel and therefore +must allocate a new leaf block. But because it previously decided +to re-use the directory entry, it didn't waste the time to +grab a new block allocation for the inode. Therefore, the +inode's i_alloc pointer was still NULL and it crashes trying to +reference it. + +In the case of sentinel directory entries, the entire dirent is +reused, not just the "free space" portion of it, and therefore +the function gfs2_dirent_find_space should use the value 0 +rather than GFS2_DIRENT_SIZE(0) for the actual dirent size. + +Fixing this calculation enables the reproducer programs to work +properly. + +Signed-off-by: Bob Peterson <rpeterso@redhat.com> +Signed-off-by: Steven Whitehouse <swhiteho@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/gfs2/dir.c b/fs/gfs2/dir.c +index 25fddc1..a5a7227 100644 +--- a/fs/gfs2/dir.c ++++ b/fs/gfs2/dir.c +@@ -392,7 +392,7 @@ static int gfs2_dirent_find_space(const struct gfs2_dirent *dent, + unsigned totlen = be16_to_cpu(dent->de_rec_len); + + if (gfs2_dirent_sentinel(dent)) +- actual = GFS2_DIRENT_SIZE(0); ++ actual = 0; + if (totlen - actual >= required) + return 1; + return 0; +-- +1.7.1.1 + diff --git a/KEYS-Fix-RCU-no-lock-warning-in-keyctl_session_to_pa.patch b/KEYS-Fix-RCU-no-lock-warning-in-keyctl_session_to_pa.patch new file mode 100644 index 0000000..5714163 --- /dev/null +++ b/KEYS-Fix-RCU-no-lock-warning-in-keyctl_session_to_pa.patch @@ -0,0 +1,66 @@ +From 300f0c0dc280e9ee7a259651d4eb6d3e7ba3488f Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 27 Aug 2010 13:54:54 +0200 +Subject: [PATCH] KEYS: Fix RCU no-lock warning in keyctl_session_to_parent() + +commit 300f0c0dc280e9ee7a259651d4eb6d3e7ba3488f in tip. + +There's an protected access to the parent process's credentials in the middle +of keyctl_session_to_parent(). This results in the following RCU warning: + +=================================================== +[ INFO: suspicious rcu_dereference_check() usage. ] +--------------------------------------------------- +security/keys/keyctl.c:1291 invoked rcu_dereference_check() without protection! + +other info that might help us debug this: + +rcu_scheduler_active = 1, debug_locks = 0 +1 lock held by keyctl-session-/2137: + #0: (tasklist_lock){.+.+..}, at: [<ffffffff811ae2ec>] keyctl_session_to_parent+0x60/0x236 + +stack backtrace: +Pid: 2137, comm: keyctl-session- Not tainted 2.6.36-rc2-cachefs+ #1 +Call Trace: + [<ffffffff8105606a>] lockdep_rcu_dereference+0xaa/0xb3 + [<ffffffff811ae379>] keyctl_session_to_parent+0xed/0x236 + [<ffffffff811af77e>] sys_keyctl+0xb4/0xb6 + [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b + +The code should take the RCU read lock to make sure the parents credentials +don't go away, even though it's holding a spinlock and has IRQ disabled. + +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index e9c2e7c..d29e022 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -1259,6 +1259,7 @@ long keyctl_session_to_parent(void) + keyring_r = NULL; + + me = current; ++ rcu_read_lock(); + write_lock_irq(&tasklist_lock); + + parent = me->real_parent; +@@ -1313,6 +1314,7 @@ long keyctl_session_to_parent(void) + set_ti_thread_flag(task_thread_info(parent), TIF_NOTIFY_RESUME); + + write_unlock_irq(&tasklist_lock); ++ rcu_read_unlock(); + if (oldcred) + put_cred(oldcred); + return 0; +@@ -1321,6 +1323,7 @@ already_same: + ret = 0; + not_permitted: + write_unlock_irq(&tasklist_lock); ++ rcu_read_unlock(); + put_cred(cred); + return ret; + +-- +1.7.1.1 + diff --git a/KEYS-Fix-bug-in-keyctl_session_to_parent-if-parent-h.patch b/KEYS-Fix-bug-in-keyctl_session_to_parent-if-parent-h.patch new file mode 100644 index 0000000..d1f253e --- /dev/null +++ b/KEYS-Fix-bug-in-keyctl_session_to_parent-if-parent-h.patch @@ -0,0 +1,59 @@ +From 4d4ea8b53f6dae1fb354b8536a0ead210d6ea6d4 Mon Sep 17 00:00:00 2001 +From: David Howells <dhowells@redhat.com> +Date: Fri, 27 Aug 2010 14:04:07 +0200 +Subject: [PATCH] KEYS: Fix bug in keyctl_session_to_parent() if parent has no session keyring + +commit 4d4ea8b53f6dae1fb354b8536a0ead210d6ea6d4 in tip. + +Fix a bug in keyctl_session_to_parent() whereby it tries to check the ownership +of the parent process's session keyring whether or not the parent has a session +keyring [CVE-2010-2960]. + +A program like the following: + + #include <unistd.h> + #include <keyutils.h> + int main(int argc, char **argv) + { + keyctl(KEYCTL_SESSION_TO_PARENT); + } + +can be used to trigger the following bug report: + + BUG: unable to handle kernel NULL pointer dereference at 00000000000000a0 + IP: [<ffffffff811ae4dd>] keyctl_session_to_parent+0x251/0x443 + ... + Call Trace: + [<ffffffff811ae2f3>] ? keyctl_session_to_parent+0x67/0x443 + [<ffffffff8109d286>] ? __do_fault+0x24b/0x3d0 + [<ffffffff811af98c>] sys_keyctl+0xb4/0xb8 + [<ffffffff81001eab>] system_call_fastpath+0x16/0x1b + +if there is no parent process. + +If the system is using pam_keyinit then it mostly protected against this as all +processes derived from a login will have inherited the session keyring created +by pam_keyinit during the log in procedure. + +To test this, pam_keyinit calls need to be commented out in /etc/pam.d/. + +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/security/keys/keyctl.c b/security/keys/keyctl.c +index d29e022..c25603a 100644 +--- a/security/keys/keyctl.c ++++ b/security/keys/keyctl.c +@@ -1292,7 +1292,8 @@ long keyctl_session_to_parent(void) + goto not_permitted; + + /* the keyrings must have the same UID */ +- if (pcred ->tgcred->session_keyring->uid != mycred->euid || ++ if ((pcred->tgcred->session_keyring && ++ pcred->tgcred->session_keyring->uid != mycred->euid) || + mycred->tgcred->session_keyring->uid != mycred->euid) + goto not_permitted; + +-- +1.7.1.1 + diff --git a/KVM-MMU-flush-remote-tlbs-when-overwriting-spte-with.patch b/KVM-MMU-flush-remote-tlbs-when-overwriting-spte-with.patch new file mode 100644 index 0000000..ab809e9 --- /dev/null +++ b/KVM-MMU-flush-remote-tlbs-when-overwriting-spte-with.patch @@ -0,0 +1,32 @@ +From 60853cb0360944dee98b6811faeb0e012585ea82 Mon Sep 17 00:00:00 2001 +From: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> +Date: Wed, 30 Jun 2010 16:04:06 +0800 +Subject: [PATCH] KVM: MMU: flush remote tlbs when overwriting spte with different pfn + +commit 60853cb0360944dee98b6811faeb0e012585ea82 in tip. + +(cherry picked from commit 91546356d0e550fa23abf7f4b04a903c2855761f) + +After remove a rmap, we should flush all vcpu's tlb + +Signed-off-by: Xiao Guangrong <xiaoguangrong@cn.fujitsu.com> +Signed-off-by: Marcelo Tosatti <mtosatti@redhat.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/arch/x86/kvm/mmu.c b/arch/x86/kvm/mmu.c +index ca7c528..70655f6 100644 +--- a/arch/x86/kvm/mmu.c ++++ b/arch/x86/kvm/mmu.c +@@ -1913,6 +1913,8 @@ static void mmu_set_spte(struct kvm_vcpu *vcpu, u64 *sptep, + pgprintk("hfn old %lx new %lx\n", + spte_to_pfn(*sptep), pfn); + rmap_remove(vcpu->kvm, sptep); ++ __set_spte(sptep, shadow_trap_nonpresent_pte); ++ kvm_flush_remote_tlbs(vcpu->kvm); + } else + was_rmapped = 1; + } +-- +1.7.1.1 + diff --git a/NFS-Fix-an-Oops-in-the-NFSv4-atomic-open-code.patch b/NFS-Fix-an-Oops-in-the-NFSv4-atomic-open-code.patch new file mode 100644 index 0000000..1c0d1af --- /dev/null +++ b/NFS-Fix-an-Oops-in-the-NFSv4-atomic-open-code.patch @@ -0,0 +1,143 @@ +From 88df8860c784d4d4ba054701c565333fb6317e52 Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Wed, 18 Aug 2010 09:25:42 -0400 +Subject: [PATCH] NFS: Fix an Oops in the NFSv4 atomic open code + +commit 88df8860c784d4d4ba054701c565333fb6317e52 in tip. + +Adam Lackorzynski reports: + +with 2.6.35.2 I'm getting this reproducible Oops: + +[ 110.825396] BUG: unable to handle kernel NULL pointer dereference at +(null) +[ 110.828638] IP: [<ffffffff811247b7>] encode_attrs+0x1a/0x2a4 +[ 110.828638] PGD be89f067 PUD bf18f067 PMD 0 +[ 110.828638] Oops: 0000 [#1] SMP +[ 110.828638] last sysfs file: /sys/class/net/lo/operstate +[ 110.828638] CPU 2 +[ 110.828638] Modules linked in: rtc_cmos rtc_core rtc_lib amd64_edac_mod +i2c_amd756 edac_core i2c_core dm_mirror dm_region_hash dm_log dm_snapshot +sg sr_mod usb_storage ohci_hcd mptspi tg3 mptscsih mptbase usbcore nls_base +[last unloaded: scsi_wait_scan] +[ 110.828638] +[ 110.828638] Pid: 11264, comm: setchecksum Not tainted 2.6.35.2 #1 +[ 110.828638] RIP: 0010:[<ffffffff811247b7>] [<ffffffff811247b7>] +encode_attrs+0x1a/0x2a4 +[ 110.828638] RSP: 0000:ffff88003bf5b878 EFLAGS: 00010296 +[ 110.828638] RAX: ffff8800bddb48a8 RBX: ffff88003bf5bb18 RCX: +0000000000000000 +[ 110.828638] RDX: ffff8800be258800 RSI: 0000000000000000 RDI: +ffff88003bf5b9f8 +[ 110.828638] RBP: 0000000000000000 R08: ffff8800bddb48a8 R09: +0000000000000004 +[ 110.828638] R10: 0000000000000003 R11: ffff8800be779000 R12: +ffff8800be258800 +[ 110.828638] R13: ffff88003bf5b9f8 R14: ffff88003bf5bb20 R15: +ffff8800be258800 +[ 110.828638] FS: 0000000000000000(0000) GS:ffff880041e00000(0063) +knlGS:00000000556bd6b0 +[ 110.828638] CS: 0010 DS: 002b ES: 002b CR0: 000000008005003b +[ 110.828638] CR2: 0000000000000000 CR3: 00000000be8ef000 CR4: +00000000000006e0 +[ 110.828638] DR0: 0000000000000000 DR1: 0000000000000000 DR2: +0000000000000000 +[ 110.828638] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: +0000000000000400 +[ 110.828638] Process setchecksum (pid: 11264, threadinfo +ffff88003bf5a000, task ffff88003f232210) +[ 110.828638] Stack: +[ 110.828638] 0000000000000000 ffff8800bfbcf920 0000000000000000 +0000000000000ffe +[ 110.828638] <0> 0000000000000000 0000000000000000 0000000000000000 +0000000000000000 +[ 110.828638] <0> 0000000000000000 0000000000000000 0000000000000000 +0000000000000000 +[ 110.828638] Call Trace: +[ 110.828638] [<ffffffff81124c1f>] ? nfs4_xdr_enc_setattr+0x90/0xb4 +[ 110.828638] [<ffffffff81371161>] ? call_transmit+0x1c3/0x24a +[ 110.828638] [<ffffffff813774d9>] ? __rpc_execute+0x78/0x22a +[ 110.828638] [<ffffffff81371a91>] ? rpc_run_task+0x21/0x2b +[ 110.828638] [<ffffffff81371b7e>] ? rpc_call_sync+0x3d/0x5d +[ 110.828638] [<ffffffff8111e284>] ? _nfs4_do_setattr+0x11b/0x147 +[ 110.828638] [<ffffffff81109466>] ? nfs_init_locked+0x0/0x32 +[ 110.828638] [<ffffffff810ac521>] ? ifind+0x4e/0x90 +[ 110.828638] [<ffffffff8111e2fb>] ? nfs4_do_setattr+0x4b/0x6e +[ 110.828638] [<ffffffff8111e634>] ? nfs4_do_open+0x291/0x3a6 +[ 110.828638] [<ffffffff8111ed81>] ? nfs4_open_revalidate+0x63/0x14a +[ 110.828638] [<ffffffff811056c4>] ? nfs_open_revalidate+0xd7/0x161 +[ 110.828638] [<ffffffff810a2de4>] ? do_lookup+0x1a4/0x201 +[ 110.828638] [<ffffffff810a4733>] ? link_path_walk+0x6a/0x9d5 +[ 110.828638] [<ffffffff810a42b6>] ? do_last+0x17b/0x58e +[ 110.828638] [<ffffffff810a5fbe>] ? do_filp_open+0x1bd/0x56e +[ 110.828638] [<ffffffff811cd5e0>] ? _atomic_dec_and_lock+0x30/0x48 +[ 110.828638] [<ffffffff810a9b1b>] ? dput+0x37/0x152 +[ 110.828638] [<ffffffff810ae063>] ? alloc_fd+0x69/0x10a +[ 110.828638] [<ffffffff81099f39>] ? do_sys_open+0x56/0x100 +[ 110.828638] [<ffffffff81027a22>] ? ia32_sysret+0x0/0x5 +[ 110.828638] Code: 83 f1 01 e8 f5 ca ff ff 48 83 c4 50 5b 5d 41 5c c3 41 +57 41 56 41 55 49 89 fd 41 54 49 89 d4 55 48 89 f5 53 48 81 ec 18 01 00 00 +<8b> 06 89 c2 83 e2 08 83 fa 01 19 db 83 e3 f8 83 c3 18 a8 01 8d +[ 110.828638] RIP [<ffffffff811247b7>] encode_attrs+0x1a/0x2a4 +[ 110.828638] RSP <ffff88003bf5b878> +[ 110.828638] CR2: 0000000000000000 +[ 112.840396] ---[ end trace 95282e83fd77358f ]--- + +We need to ensure that the O_EXCL flag is turned off if the user doesn't +set O_CREAT. + +Cc: stable@kernel.org +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +commit 0a377cff9428af2da2b293d11e07bc4dbf064ee5 upstream +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/nfs/dir.c b/fs/nfs/dir.c +index b5d55d3..df62268 100644 +--- a/fs/nfs/dir.c ++++ b/fs/nfs/dir.c +@@ -1073,7 +1073,7 @@ static int nfs_open_revalidate(struct dentry *dentry, struct nameidata *nd) + if ((openflags & (O_CREAT|O_EXCL)) == (O_CREAT|O_EXCL)) + goto no_open_dput; + /* We can't create new files, or truncate existing ones here */ +- openflags &= ~(O_CREAT|O_TRUNC); ++ openflags &= ~(O_CREAT|O_EXCL|O_TRUNC); + + /* + * Note: we're not holding inode->i_mutex and so may be racing with +diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c +index ecf6602..ae2c7a5 100644 +--- a/fs/nfs/nfs4proc.c ++++ b/fs/nfs/nfs4proc.c +@@ -2006,7 +2006,8 @@ nfs4_atomic_open(struct inode *dir, struct dentry *dentry, struct nameidata *nd) + struct rpc_cred *cred; + struct nfs4_state *state; + struct dentry *res; +- fmode_t fmode = nd->intent.open.flags & (FMODE_READ | FMODE_WRITE | FMODE_EXEC); ++ int open_flags = nd->intent.open.flags; ++ fmode_t fmode = open_flags & (FMODE_READ | FMODE_WRITE | FMODE_EXEC); + + if (nd->flags & LOOKUP_CREATE) { + attr.ia_mode = nd->intent.open.create_mode; +@@ -2014,8 +2015,9 @@ nfs4_atomic_open(struct inode *dir, struct dentry *dentry, struct nameidata *nd) + if (!IS_POSIXACL(dir)) + attr.ia_mode &= ~current_umask(); + } else { ++ open_flags &= ~O_EXCL; + attr.ia_valid = 0; +- BUG_ON(nd->intent.open.flags & O_CREAT); ++ BUG_ON(open_flags & O_CREAT); + } + + cred = rpc_lookup_cred(); +@@ -2024,7 +2026,7 @@ nfs4_atomic_open(struct inode *dir, struct dentry *dentry, struct nameidata *nd) + parent = dentry->d_parent; + /* Protect against concurrent sillydeletes */ + nfs_block_sillyrename(parent); +- state = nfs4_do_open(dir, &path, fmode, nd->intent.open.flags, &attr, cred); ++ state = nfs4_do_open(dir, &path, fmode, open_flags, &attr, cred); + put_rpccred(cred); + if (IS_ERR(state)) { + if (PTR_ERR(state) == -ENOENT) { +-- +1.7.1.1 + diff --git a/NFS-kswapd-must-not-block-in-nfs_release_page.patch b/NFS-kswapd-must-not-block-in-nfs_release_page.patch new file mode 100644 index 0000000..78ea5b5 --- /dev/null +++ b/NFS-kswapd-must-not-block-in-nfs_release_page.patch @@ -0,0 +1,57 @@ +From 49337d10eb5ae46a5d6b172bcba5b86b3cf8b7ee Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Tue, 3 Aug 2010 17:22:16 -0400 +Subject: [PATCH] NFS: kswapd must not block in nfs_release_page + +commit 49337d10eb5ae46a5d6b172bcba5b86b3cf8b7ee in tip. + +commit b608b283a962caaa280756bc8563016a71712acf upstream + +See https://bugzilla.kernel.org/show_bug.cgi?id=16056 + +If other processes are blocked waiting for kswapd to free up some memory so +that they can make progress, then we cannot allow kswapd to block on those +processes. + +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/nfs/file.c b/fs/nfs/file.c +index bdd2142..82ee30c 100644 +--- a/fs/nfs/file.c ++++ b/fs/nfs/file.c +@@ -27,6 +27,8 @@ + #include <linux/slab.h> + #include <linux/pagemap.h> + #include <linux/aio.h> ++#include <linux/gfp.h> ++#include <linux/swap.h> + + #include <asm/uaccess.h> + #include <asm/system.h> +@@ -484,11 +486,19 @@ static void nfs_invalidate_page(struct page *page, unsigned long offset) + */ + static int nfs_release_page(struct page *page, gfp_t gfp) + { ++ struct address_space *mapping = page->mapping; ++ + dfprintk(PAGECACHE, "NFS: release_page(%p)\n", page); + + /* Only do I/O if gfp is a superset of GFP_KERNEL */ +- if ((gfp & GFP_KERNEL) == GFP_KERNEL) +- nfs_wb_page(page->mapping->host, page); ++ if (mapping && (gfp & GFP_KERNEL) == GFP_KERNEL) { ++ int how = FLUSH_SYNC; ++ ++ /* Don't let kswapd deadlock waiting for OOM RPC calls */ ++ if (current_is_kswapd()) ++ how = 0; ++ nfs_commit_inode(mapping->host, how); ++ } + /* If PagePrivate() is set, then the page is not freeable */ + if (PagePrivate(page)) + return 0; +-- +1.7.1.1 + diff --git a/PARISC-led.c-fix-potential-stack-overflow-in-led_pro.patch b/PARISC-led.c-fix-potential-stack-overflow-in-led_pro.patch new file mode 100644 index 0000000..698c1d9 --- /dev/null +++ b/PARISC-led.c-fix-potential-stack-overflow-in-led_pro.patch @@ -0,0 +1,48 @@ +From 42aa8269b24afff27b3571de13285df2ac38e47f Mon Sep 17 00:00:00 2001 +From: Helge Deller <deller@gmx.de> +Date: Thu, 12 Aug 2010 01:24:26 +0200 +Subject: [PATCH] PARISC: led.c - fix potential stack overflow in led_proc_write() + +commit 42aa8269b24afff27b3571de13285df2ac38e47f in tip. + +commit 4b4fd27c0b5ec638a1f06ced9226fd95229dbbf0 upstream. + +avoid potential stack overflow by correctly checking count parameter + +Reported-by: Ilja <ilja@netric.org> +Signed-off-by: Helge Deller <deller@gmx.de> +Acked-by: Kyle McMartin <kyle@mcmartin.ca> +Cc: James E.J. Bottomley <jejb@parisc-linux.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Fixed merge conflicts +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/parisc/led.c b/drivers/parisc/led.c +index 188bc84..d02be78 100644 +--- a/drivers/parisc/led.c ++++ b/drivers/parisc/led.c +@@ -176,16 +176,18 @@ static ssize_t led_proc_write(struct file *file, const char *buf, + size_t count, loff_t *pos) + { + void *data = PDE(file->f_path.dentry->d_inode)->data; +- char *cur, lbuf[count + 1]; ++ char *cur, lbuf[32]; + int d; + + if (!capable(CAP_SYS_ADMIN)) + return -EACCES; + +- memset(lbuf, 0, count + 1); ++ if (count >= sizeof(lbuf)) ++ count = sizeof(lbuf)-1; + + if (copy_from_user(lbuf, buf, count)) + return -EFAULT; ++ lbuf[count] = 0; + + cur = lbuf; + +-- +1.7.1.1 + diff --git a/Revert-ssb-Handle-Netbook-devices-where-the-SPROM-ad.patch b/Revert-ssb-Handle-Netbook-devices-where-the-SPROM-ad.patch new file mode 100644 index 0000000..07e5950 --- /dev/null +++ b/Revert-ssb-Handle-Netbook-devices-where-the-SPROM-ad.patch @@ -0,0 +1,236 @@ +From 4ed85cec7c14ac55eeda64660da3df9a153798eb Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@suse.de> +Date: Fri, 6 Aug 2010 10:22:56 -0700 +Subject: [PATCH] Revert "ssb: Handle Netbook devices where the SPROM address is changed" + +commit 4ed85cec7c14ac55eeda64660da3df9a153798eb in tip. + +Turns out this isn't the best way to resolve this issue. The +individual patches will be applied instead. + +Cc: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/ssb/driver_chipcommon.c b/drivers/ssb/driver_chipcommon.c +index bbf1cb2..9681536 100644 +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -233,9 +233,6 @@ void ssb_chipcommon_init(struct ssb_chipcommon *cc) + { + if (!cc->dev) + return; /* We don't have a ChipCommon */ +- if (cc->dev->id.revision >= 11) +- cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); +- ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +diff --git a/drivers/ssb/driver_chipcommon_pmu.c b/drivers/ssb/driver_chipcommon_pmu.c +index 8e194d5..64abd11 100644 +--- a/drivers/ssb/driver_chipcommon_pmu.c ++++ b/drivers/ssb/driver_chipcommon_pmu.c +@@ -495,9 +495,9 @@ static void ssb_pmu_resources_init(struct ssb_chipcommon *cc) + chipco_write32(cc, SSB_CHIPCO_PMU_MAXRES_MSK, max_msk); + } + +-/* http://bcm-v4.sipsolutions.net/802.11/SSB/PmuInit */ + void ssb_pmu_init(struct ssb_chipcommon *cc) + { ++ struct ssb_bus *bus = cc->dev->bus; + u32 pmucap; + + if (!(cc->capabilities & SSB_CHIPCO_CAP_PMU)) +@@ -509,12 +509,15 @@ void ssb_pmu_init(struct ssb_chipcommon *cc) + ssb_dprintk(KERN_DEBUG PFX "Found rev %u PMU (capabilities 0x%08X)\n", + cc->pmu.rev, pmucap); + +- if (cc->pmu.rev == 1) +- chipco_mask32(cc, SSB_CHIPCO_PMU_CTL, +- ~SSB_CHIPCO_PMU_CTL_NOILPONW); +- else +- chipco_set32(cc, SSB_CHIPCO_PMU_CTL, +- SSB_CHIPCO_PMU_CTL_NOILPONW); ++ if (cc->pmu.rev >= 1) { ++ if ((bus->chip_id == 0x4325) && (bus->chip_rev < 2)) { ++ chipco_mask32(cc, SSB_CHIPCO_PMU_CTL, ++ ~SSB_CHIPCO_PMU_CTL_NOILPONW); ++ } else { ++ chipco_set32(cc, SSB_CHIPCO_PMU_CTL, ++ SSB_CHIPCO_PMU_CTL_NOILPONW); ++ } ++ } + ssb_pmu_pll_init(cc); + ssb_pmu_resources_init(cc); + } +diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c +index 17a1781..9e50896 100644 +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -22,7 +22,6 @@ + + #include "ssb_private.h" + +-bool ssb_is_sprom_available(struct ssb_bus *bus); + + /* Define the following to 1 to enable a printk on each coreswitch. */ + #define SSB_VERBOSE_PCICORESWITCH_DEBUG 0 +@@ -168,7 +167,7 @@ err_pci: + } + + /* Get the word-offset for a SSB_SPROM_XXX define. */ +-#define SPOFF(offset) ((offset) / sizeof(u16)) ++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16)) + /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */ + #define SPEX16(_outvar, _offset, _mask, _shift) \ + out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift)) +@@ -253,13 +252,8 @@ static int sprom_do_read(struct ssb_bus *bus, u16 *sprom) + { + int i; + +- /* Check if SPROM can be read */ +- if (ioread16(bus->mmio + bus->sprom_offset) == 0xFFFF) { +- ssb_printk(KERN_ERR PFX "Unable to read SPROM\n"); +- return -ENODEV; +- } + for (i = 0; i < bus->sprom_size; i++) +- sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2)); ++ sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2)); + + return 0; + } +@@ -290,7 +284,7 @@ static int sprom_do_write(struct ssb_bus *bus, const u16 *sprom) + ssb_printk("75%%"); + else if (i % 2) + ssb_printk("."); +- writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2)); ++ writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2)); + mmiowb(); + msleep(20); + } +@@ -626,49 +620,21 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, + int err = -ENOMEM; + u16 *buf; + +- if (!ssb_is_sprom_available(bus)) { +- ssb_printk(KERN_ERR PFX "No SPROM available!\n"); +- return -ENODEV; +- } +- if (bus->chipco.dev) { /* can be unavailible! */ +- /* +- * get SPROM offset: SSB_SPROM_BASE1 except for +- * chipcommon rev >= 31 or chip ID is 0x4312 and +- * chipcommon status & 3 == 2 +- */ +- if (bus->chipco.dev->id.revision >= 31) +- bus->sprom_offset = SSB_SPROM_BASE31; +- else if (bus->chip_id == 0x4312 && +- (bus->chipco.status & 0x03) == 2) +- bus->sprom_offset = SSB_SPROM_BASE31; +- else +- bus->sprom_offset = SSB_SPROM_BASE1; +- } else { +- bus->sprom_offset = SSB_SPROM_BASE1; +- } +- ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset); +- + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; + bus->sprom_size = SSB_SPROMSIZE_WORDS_R123; +- err = sprom_do_read(bus, buf); +- if (err) +- goto out_free; ++ sprom_do_read(bus, buf); + err = sprom_check_crc(buf, bus->sprom_size); + if (err) { + /* try for a 440 byte SPROM - revision 4 and higher */ + kfree(buf); + buf = kcalloc(SSB_SPROMSIZE_WORDS_R4, sizeof(u16), + GFP_KERNEL); +- if (!buf) { +- err = -ENOMEM; ++ if (!buf) + goto out; +- } + bus->sprom_size = SSB_SPROMSIZE_WORDS_R4; +- err = sprom_do_read(bus, buf); +- if (err) +- goto out_free; ++ sprom_do_read(bus, buf); + err = sprom_check_crc(buf, bus->sprom_size); + if (err) { + /* All CRC attempts failed. +diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c +index 7249f26..d0e6762 100644 +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -175,18 +175,3 @@ const struct ssb_sprom *ssb_get_fallback_sprom(void) + { + return fallback_sprom; + } +- +-/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */ +-bool ssb_is_sprom_available(struct ssb_bus *bus) +-{ +- /* status register only exists on chipcomon rev >= 11 and we need check +- for >= 31 only */ +- /* this routine differs from specs as we do not access SPROM directly +- on PCMCIA */ +- if (bus->bustype == SSB_BUSTYPE_PCI && +- bus->chipco.dev && /* can be unavailible! */ +- bus->chipco.dev->id.revision >= 31) +- return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; +- +- return true; +-} +diff --git a/include/linux/ssb/ssb.h b/include/linux/ssb/ssb.h +index 732ba9a..24f9885 100644 +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -306,7 +306,6 @@ struct ssb_bus { + u16 chip_id; + u16 chip_rev; + u16 sprom_size; /* number of words in sprom */ +- u16 sprom_offset; + u8 chip_package; + + /* List of devices (cores) on the backplane. */ +diff --git a/include/linux/ssb/ssb_driver_chipcommon.h b/include/linux/ssb/ssb_driver_chipcommon.h +index 7600f38..4e27acf 100644 +--- a/include/linux/ssb/ssb_driver_chipcommon.h ++++ b/include/linux/ssb/ssb_driver_chipcommon.h +@@ -46,7 +46,6 @@ + #define SSB_PLLTYPE_7 0x00038000 /* 25Mhz, 4 dividers */ + #define SSB_CHIPCO_CAP_PCTL 0x00040000 /* Power Control */ + #define SSB_CHIPCO_CAP_OTPS 0x00380000 /* OTP size */ +-#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */ + #define SSB_CHIPCO_CAP_OTPS_SHIFT 19 + #define SSB_CHIPCO_CAP_OTPS_BASE 5 + #define SSB_CHIPCO_CAP_JTAGM 0x00400000 /* JTAG master present */ +@@ -565,7 +564,6 @@ struct ssb_chipcommon_pmu { + struct ssb_chipcommon { + struct ssb_device *dev; + u32 capabilities; +- u32 status; + /* Fast Powerup Delay constant */ + u16 fast_pwrup_delay; + struct ssb_chipcommon_pmu pmu; +diff --git a/include/linux/ssb/ssb_regs.h b/include/linux/ssb/ssb_regs.h +index b8be23c..9ae9082 100644 +--- a/include/linux/ssb/ssb_regs.h ++++ b/include/linux/ssb/ssb_regs.h +@@ -170,8 +170,7 @@ + #define SSB_SPROMSIZE_WORDS_R4 220 + #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16)) + #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16)) +-#define SSB_SPROM_BASE1 0x1000 +-#define SSB_SPROM_BASE31 0x0800 ++#define SSB_SPROM_BASE 0x1000 + #define SSB_SPROM_REVISION 0x107E + #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */ + #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */ +-- +1.7.1.1 + diff --git a/SCSI-enclosure-fix-error-path-actually-return-ERR_PT.patch b/SCSI-enclosure-fix-error-path-actually-return-ERR_PT.patch new file mode 100644 index 0000000..81a42c9 --- /dev/null +++ b/SCSI-enclosure-fix-error-path-actually-return-ERR_PT.patch @@ -0,0 +1,37 @@ +From 432cfce723b6f538103b7cdcbec64788fa7e9137 Mon Sep 17 00:00:00 2001 +From: James Bottomley <James.Bottomley@suse.de> +Date: Fri, 12 Mar 2010 16:14:42 -0600 +Subject: [PATCH] SCSI: enclosure: fix error path - actually return ERR_PTR() on error + +commit 432cfce723b6f538103b7cdcbec64788fa7e9137 in tip. + +commit a91c1be21704113b023919826c6d531da46656ef upstream. + +we also need to clean up and free the cdev. + +Reported-by: Jani Nikula <ext-jani.1.nikula@nokia.com> +Signed-off-by: James Bottomley <James.Bottomley@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/misc/enclosure.c b/drivers/misc/enclosure.c +index 1eac626..68e4cd7 100644 +--- a/drivers/misc/enclosure.c ++++ b/drivers/misc/enclosure.c +@@ -284,8 +284,11 @@ enclosure_component_register(struct enclosure_device *edev, + cdev->groups = enclosure_groups; + + err = device_register(cdev); +- if (err) +- ERR_PTR(err); ++ if (err) { ++ ecomp->number = -1; ++ put_device(cdev); ++ return ERR_PTR(err); ++ } + + return ecomp; + } +-- +1.7.1.1 + diff --git a/act_nat-use-stack-variable.patch b/act_nat-use-stack-variable.patch new file mode 100644 index 0000000..91aa270 --- /dev/null +++ b/act_nat-use-stack-variable.patch @@ -0,0 +1,74 @@ +From cd92f998fd8a688dce9b9a7930f6bfbc30d2f918 Mon Sep 17 00:00:00 2001 +From: Changli Gao <xiaosuo@gmail.com> +Date: Tue, 29 Jun 2010 23:07:09 +0000 +Subject: [PATCH] act_nat: use stack variable + +commit cd92f998fd8a688dce9b9a7930f6bfbc30d2f918 in tip. + +commit 504f85c9d05f7c605306e808f0d835fe11bfd18d upstream. Picked to +avoid merge conflict for security related fixes. + +structure tc_nat isn't too big for stack, so we can put it in stack. + +Signed-off-by: Changli Gao <xiaosuo@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c +index d885ba3..c4c6805 100644 +--- a/net/sched/act_nat.c ++++ b/net/sched/act_nat.c +@@ -261,40 +261,29 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a, + { + unsigned char *b = skb_tail_pointer(skb); + struct tcf_nat *p = a->priv; +- struct tc_nat *opt; ++ struct tc_nat opt; + struct tcf_t t; +- int s; + +- s = sizeof(*opt); ++ opt.old_addr = p->old_addr; ++ opt.new_addr = p->new_addr; ++ opt.mask = p->mask; ++ opt.flags = p->flags; + +- /* netlink spinlocks held above us - must use ATOMIC */ +- opt = kzalloc(s, GFP_ATOMIC); +- if (unlikely(!opt)) +- return -ENOBUFS; ++ opt.index = p->tcf_index; ++ opt.action = p->tcf_action; ++ opt.refcnt = p->tcf_refcnt - ref; ++ opt.bindcnt = p->tcf_bindcnt - bind; + +- opt->old_addr = p->old_addr; +- opt->new_addr = p->new_addr; +- opt->mask = p->mask; +- opt->flags = p->flags; +- +- opt->index = p->tcf_index; +- opt->action = p->tcf_action; +- opt->refcnt = p->tcf_refcnt - ref; +- opt->bindcnt = p->tcf_bindcnt - bind; +- +- NLA_PUT(skb, TCA_NAT_PARMS, s, opt); ++ NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt); + t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install); + t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse); + t.expires = jiffies_to_clock_t(p->tcf_tm.expires); + NLA_PUT(skb, TCA_NAT_TM, sizeof(t), &t); + +- kfree(opt); +- + return skb->len; + + nla_put_failure: + nlmsg_trim(skb, b); +- kfree(opt); + return -1; + } + +-- +1.7.1.1 + diff --git a/amd64_edac-Correct-scrub-rate-setting.patch b/amd64_edac-Correct-scrub-rate-setting.patch new file mode 100644 index 0000000..3a6ab7c --- /dev/null +++ b/amd64_edac-Correct-scrub-rate-setting.patch @@ -0,0 +1,32 @@ +From 257a4e898dbb326c067ae3c6f886592f277c23cf Mon Sep 17 00:00:00 2001 +From: Borislav Petkov <borislav.petkov@amd.com> +Date: Fri, 21 May 2010 21:25:03 +0200 +Subject: [PATCH] amd64_edac: Correct scrub rate setting + +commit 257a4e898dbb326c067ae3c6f886592f277c23cf in tip. + +commit bc57117856cf1e581135810b37d3b75f9d1749f5 upstream. + +Exit early when setting scrub rate on unknown/unsupported families. + +Signed-off-by: Borislav Petkov <borislav.petkov@amd.com> +Acked-by: Doug Thompson <dougthompson@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c +index 388a0e8..8134cce 100644 +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -178,7 +178,7 @@ static int amd64_set_scrub_rate(struct mem_ctl_info *mci, u32 *bandwidth) + + default: + amd64_printk(KERN_ERR, "Unsupported family!\n"); +- break; ++ return -EINVAL; + } + return amd64_search_set_scrub_rate(pvt->misc_f3_ctl, *bandwidth, + min_scrubrate); +-- +1.7.1.1 + diff --git a/amd64_edac-Fix-DCT-base-address-selector.patch b/amd64_edac-Fix-DCT-base-address-selector.patch new file mode 100644 index 0000000..e9af6fd --- /dev/null +++ b/amd64_edac-Fix-DCT-base-address-selector.patch @@ -0,0 +1,34 @@ +From 3f5500cecf00d94473183adef6000bb691ca170c Mon Sep 17 00:00:00 2001 +From: Borislav Petkov <borislav.petkov@amd.com> +Date: Mon, 8 Mar 2010 18:29:35 +0100 +Subject: [PATCH] amd64_edac: Fix DCT base address selector + +commit 3f5500cecf00d94473183adef6000bb691ca170c in tip. + +commit 9975a5f22a4fcc8d08035c65439900a983f891ad upstream. + +The correct check is to verify whether in high range we're below 4GB +and not to extract the DctSelBaseAddr again. See "2.8.5 Routing DRAM +Requests" in the F10h BKDG. + +Signed-off-by: Borislav Petkov <borislav.petkov@amd.com> +Acked-by: Doug Thompson <dougthompson@xmission.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/edac/amd64_edac.c b/drivers/edac/amd64_edac.c +index 72904c8..388a0e8 100644 +--- a/drivers/edac/amd64_edac.c ++++ b/drivers/edac/amd64_edac.c +@@ -1430,7 +1430,7 @@ static inline u64 f10_get_base_addr_offset(u64 sys_addr, int hi_range_sel, + u64 chan_off; + + if (hi_range_sel) { +- if (!(dct_sel_base_addr & 0xFFFFF800) && ++ if (!(dct_sel_base_addr & 0xFFFF0000) && + hole_valid && (sys_addr >= 0x100000000ULL)) + chan_off = hole_off << 16; + else +-- +1.7.1.1 + diff --git a/arm-imx-gpio-add-spinlock-protection.patch b/arm-imx-gpio-add-spinlock-protection.patch new file mode 100644 index 0000000..a21a1d5 --- /dev/null +++ b/arm-imx-gpio-add-spinlock-protection.patch @@ -0,0 +1,78 @@ +From d7e94ae23c5fba8236290a74fd171ceb6618da15 Mon Sep 17 00:00:00 2001 +From: Baruch Siach <baruch@tkos.co.il> +Date: Tue, 6 Jul 2010 14:03:22 +0300 +Subject: [PATCH] arm/imx/gpio: add spinlock protection + +commit d7e94ae23c5fba8236290a74fd171ceb6618da15 in tip. + +commit 14cb0deb66fcfca8fdbef75da8c84b5405a8c767 upstream. + +The GPIO registers need protection from concurrent access for operations that +are not atomic. + +Cc: Juergen Beisert <j.beisert@pengutronix.de> +Cc: Daniel Mack <daniel@caiaq.de> +Reported-by: rpkamiak@rockwellcollins.com +Signed-off-by: Baruch Siach <baruch@tkos.co.il> +Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Sighed.off-by: John Kacur <jkacur@redhat.com> + +diff --git a/arch/arm/plat-mxc/gpio.c b/arch/arm/plat-mxc/gpio.c +index d65ebe3..2b96c64 100644 +--- a/arch/arm/plat-mxc/gpio.c ++++ b/arch/arm/plat-mxc/gpio.c +@@ -223,13 +223,16 @@ static void _set_gpio_direction(struct gpio_chip *chip, unsigned offset, + struct mxc_gpio_port *port = + container_of(chip, struct mxc_gpio_port, chip); + u32 l; ++ unsigned long flags; + ++ spin_lock_irqsave(&port->lock, flags); + l = __raw_readl(port->base + GPIO_GDIR); + if (dir) + l |= 1 << offset; + else + l &= ~(1 << offset); + __raw_writel(l, port->base + GPIO_GDIR); ++ spin_unlock_irqrestore(&port->lock, flags); + } + + static void mxc_gpio_set(struct gpio_chip *chip, unsigned offset, int value) +@@ -238,9 +241,12 @@ static void mxc_gpio_set(struct gpio_chip *chip, unsigned offset, int value) + container_of(chip, struct mxc_gpio_port, chip); + void __iomem *reg = port->base + GPIO_DR; + u32 l; ++ unsigned long flags; + ++ spin_lock_irqsave(&port->lock, flags); + l = (__raw_readl(reg) & (~(1 << offset))) | (value << offset); + __raw_writel(l, reg); ++ spin_unlock_irqrestore(&port->lock, flags); + } + + static int mxc_gpio_get(struct gpio_chip *chip, unsigned offset) +@@ -294,6 +300,8 @@ int __init mxc_gpio_init(struct mxc_gpio_port *port, int cnt) + port[i].chip.base = i * 32; + port[i].chip.ngpio = 32; + ++ spin_lock_init(&port[i].lock); ++ + /* its a serious configuration bug when it fails */ + BUG_ON( gpiochip_add(&port[i].chip) < 0 ); + +diff --git a/arch/arm/plat-mxc/include/mach/gpio.h b/arch/arm/plat-mxc/include/mach/gpio.h +index 894d2f8..6bd932c 100644 +--- a/arch/arm/plat-mxc/include/mach/gpio.h ++++ b/arch/arm/plat-mxc/include/mach/gpio.h +@@ -36,6 +36,7 @@ struct mxc_gpio_port { + int virtual_irq_start; + struct gpio_chip chip; + u32 both_edges; ++ spinlock_t lock; + }; + + int mxc_gpio_init(struct mxc_gpio_port*, int); +-- +1.7.1.1 + diff --git a/ath9k-enable-serialize_regmode-for-non-PCIE-AR9160.patch b/ath9k-enable-serialize_regmode-for-non-PCIE-AR9160.patch new file mode 100644 index 0000000..09736f8 --- /dev/null +++ b/ath9k-enable-serialize_regmode-for-non-PCIE-AR9160.patch @@ -0,0 +1,33 @@ +From e10e4ec1d82319111e7de0012a4f30939b067ff6 Mon Sep 17 00:00:00 2001 +From: John W. Linville <linville@tuxdriver.com> +Date: Wed, 28 Jul 2010 10:06:35 -0400 +Subject: [PATCH] ath9k: enable serialize_regmode for non-PCIE AR9160 + +commit e10e4ec1d82319111e7de0012a4f30939b067ff6 in tip. + +commit 4c85ab11ca56da1aa59b58c80cc6a356515cc645 upstream. + +https://bugzilla.kernel.org/show_bug.cgi?id=16476 + +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Acked-by: Luis R. Rodriguez <lrodriguez@atheros.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 6661178..4dc9a9d 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -910,7 +910,8 @@ int ath9k_hw_init(struct ath_hw *ah) + + if (ah->config.serialize_regmode == SER_REG_MODE_AUTO) { + if (ah->hw_version.macVersion == AR_SREV_VERSION_5416_PCI || +- (AR_SREV_9280(ah) && !ah->is_pciexpress)) { ++ ((AR_SREV_9160(ah) || AR_SREV_9280(ah)) && ++ !ah->is_pciexpress)) { + ah->config.serialize_regmode = + SER_REG_MODE_ON; + } else { +-- +1.7.1.1 + diff --git a/ath9k-fix-TSF-after-reset-on-AR913x.patch b/ath9k-fix-TSF-after-reset-on-AR913x.patch new file mode 100644 index 0000000..7c8bd79 --- /dev/null +++ b/ath9k-fix-TSF-after-reset-on-AR913x.patch @@ -0,0 +1,73 @@ +From 9fd8aa660733f1aced857a71c65a8871670be920 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau <nbd@openwrt.org> +Date: Wed, 30 Jun 2010 02:07:48 +0200 +Subject: [PATCH] ath9k: fix TSF after reset on AR913x + +commit 9fd8aa660733f1aced857a71c65a8871670be920 in tip. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit f860d526eb2939a1c37128900b5af2b6f3ff7f20 upstream. + +When issuing a reset, the TSF value is lost in the hardware because of +the 913x specific cold reset. As with some AR9280 cards, the TSF needs +to be preserved in software here. + +Additionally, there's an issue that frequently prevents a successful +TSF write directly after the chip reset. In this case, repeating the +TSF write after the initval-writes usually works. + +This patch detects failed TSF writes and recovers from them, taking +into account the delay caused by the initval writes. + +Signed-off-by: Felix Fietkau <nbd@openwrt.org> +Reported-by: Björn Smedman <bjorn.smedman@venatech.se> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/wireless/ath/ath9k/hw.c b/drivers/net/wireless/ath/ath9k/hw.c +index 4dc9a9d..a116ee0 100644 +--- a/drivers/net/wireless/ath/ath9k/hw.c ++++ b/drivers/net/wireless/ath/ath9k/hw.c +@@ -1997,7 +1997,8 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan, + macStaId1 = REG_READ(ah, AR_STA_ID1) & AR_STA_ID1_BASE_RATE_11B; + + /* For chips on which RTC reset is done, save TSF before it gets cleared */ +- if (AR_SREV_9280(ah) && ah->eep_ops->get_eeprom(ah, EEP_OL_PWRCTRL)) ++ if (AR_SREV_9100(ah) || ++ (AR_SREV_9280(ah) && ah->eep_ops->get_eeprom(ah, EEP_OL_PWRCTRL))) + tsf = ath9k_hw_gettsf64(ah); + + saveLedState = REG_READ(ah, AR_CFG_LED) & +@@ -2027,7 +2028,7 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan, + } + + /* Restore TSF */ +- if (tsf && AR_SREV_9280(ah) && ah->eep_ops->get_eeprom(ah, EEP_OL_PWRCTRL)) ++ if (tsf) + ath9k_hw_settsf64(ah, tsf); + + if (AR_SREV_9280_10_OR_LATER(ah)) +@@ -2047,6 +2048,17 @@ int ath9k_hw_reset(struct ath_hw *ah, struct ath9k_channel *chan, + if (r) + return r; + ++ /* ++ * Some AR91xx SoC devices frequently fail to accept TSF writes ++ * right after the chip reset. When that happens, write a new ++ * value after the initvals have been applied, with an offset ++ * based on measured time difference ++ */ ++ if (AR_SREV_9100(ah) && (ath9k_hw_gettsf64(ah) < tsf)) { ++ tsf += 1500; ++ ath9k_hw_settsf64(ah, tsf); ++ } ++ + /* Setup MFP options for CCMP */ + if (AR_SREV_9280_20_OR_LATER(ah)) { + /* Mask Retry(b11), PwrMgt(b12), MoreData(b13) to 0 in mgmt +-- +1.7.1.1 + diff --git a/ath9k-fix-yet-another-buffer-leak-in-the-tx-aggregat.patch b/ath9k-fix-yet-another-buffer-leak-in-the-tx-aggregat.patch new file mode 100644 index 0000000..c64d1e7 --- /dev/null +++ b/ath9k-fix-yet-another-buffer-leak-in-the-tx-aggregat.patch @@ -0,0 +1,59 @@ +From 8dc20bd4d01bf44795d3bd356251e850dfd1fbb8 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau <nbd@openwrt.org> +Date: Fri, 23 Jul 2010 03:53:16 +0200 +Subject: [PATCH] ath9k: fix yet another buffer leak in the tx aggregation code + +commit 8dc20bd4d01bf44795d3bd356251e850dfd1fbb8 in tip. + +commit 4cee78614cfa046a26c4fbf313d5bbacb3ad8efc upstream. + +When an aggregation session is being cleaned up, while the tx status +for some frames is being processed, the TID is flushed and its buffers +are sent out. + +Unfortunately that left the pending un-acked frames unprocessed, thus +leaking buffers. Fix this by reordering the code so that those frames +are processed first, before the TID is flushed. + +Signed-off-by: Felix Fietkau <nbd@openwrt.org> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/wireless/ath/ath9k/xmit.c b/drivers/net/wireless/ath/ath9k/xmit.c +index 8b7c267..c6dc24a 100644 +--- a/drivers/net/wireless/ath/ath9k/xmit.c ++++ b/drivers/net/wireless/ath/ath9k/xmit.c +@@ -453,6 +453,14 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq, + bf = bf_next; + } + ++ /* prepend un-acked frames to the beginning of the pending frame queue */ ++ if (!list_empty(&bf_pending)) { ++ spin_lock_bh(&txq->axq_lock); ++ list_splice(&bf_pending, &tid->buf_q); ++ ath_tx_queue_tid(txq, tid); ++ spin_unlock_bh(&txq->axq_lock); ++ } ++ + if (tid->state & AGGR_CLEANUP) { + if (tid->baw_head == tid->baw_tail) { + tid->state &= ~AGGR_ADDBA_COMPLETE; +@@ -465,14 +473,6 @@ static void ath_tx_complete_aggr(struct ath_softc *sc, struct ath_txq *txq, + return; + } + +- /* prepend un-acked frames to the beginning of the pending frame queue */ +- if (!list_empty(&bf_pending)) { +- spin_lock_bh(&txq->axq_lock); +- list_splice(&bf_pending, &tid->buf_q); +- ath_tx_queue_tid(txq, tid); +- spin_unlock_bh(&txq->axq_lock); +- } +- + rcu_read_unlock(); + + if (needreset) +-- +1.7.1.1 + diff --git a/ath9k_hw-fix-an-off-by-one-error-in-the-PDADC-bounda.patch b/ath9k_hw-fix-an-off-by-one-error-in-the-PDADC-bounda.patch new file mode 100644 index 0000000..dcad7ea --- /dev/null +++ b/ath9k_hw-fix-an-off-by-one-error-in-the-PDADC-bounda.patch @@ -0,0 +1,34 @@ +From 2089c7f8577fd5b4979004af11e5781760da65b9 Mon Sep 17 00:00:00 2001 +From: Felix Fietkau <nbd@openwrt.org> +Date: Sun, 11 Jul 2010 12:48:41 +0200 +Subject: [PATCH] ath9k_hw: fix an off-by-one error in the PDADC boundaries calculation + +commit 2089c7f8577fd5b4979004af11e5781760da65b9 in tip. + +commit 03b4776c408d2f4bf3a5d204e223724d154716d1 upstream. + +PDADC values were only generated for values surrounding the target +index, however not for the target index itself, leading to a minor +error in the generated curve. + +Signed-off-by: Felix Fietkau <nbd@openwrt.org> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/wireless/ath/ath9k/eeprom_def.c b/drivers/net/wireless/ath/ath9k/eeprom_def.c +index 404a034..1644b1a 100644 +--- a/drivers/net/wireless/ath/ath9k/eeprom_def.c ++++ b/drivers/net/wireless/ath/ath9k/eeprom_def.c +@@ -721,7 +721,7 @@ static void ath9k_hw_get_def_gain_boundaries_pdadcs(struct ath_hw *ah, + vpdTableI[i][sizeCurrVpdTable - 2]); + vpdStep = (int16_t)((vpdStep < 1) ? 1 : vpdStep); + +- if (tgtIndex > maxIndex) { ++ if (tgtIndex >= maxIndex) { + while ((ss <= tgtIndex) && + (k < (AR5416_NUM_PDADC_VALUES - 1))) { + tmpVal = (int16_t)((vpdTableI[i][sizeCurrVpdTable - 1] + +-- +1.7.1.1 + diff --git a/can-add-limit-for-nframes-and-clean-up-signed-unsign.patch b/can-add-limit-for-nframes-and-clean-up-signed-unsign.patch new file mode 100644 index 0000000..b28b7ae --- /dev/null +++ b/can-add-limit-for-nframes-and-clean-up-signed-unsign.patch @@ -0,0 +1,159 @@ +From 300bc74d197bfbfc7e843b2529e31a93043dfe80 Mon Sep 17 00:00:00 2001 +From: Oliver Hartkopp <socketcan@hartkopp.net> +Date: Wed, 11 Aug 2010 16:12:35 -0700 +Subject: [PATCH] can: add limit for nframes and clean up signed/unsigned variables + +commit 300bc74d197bfbfc7e843b2529e31a93043dfe80 in tip. + +This patch adds a limit for nframes as the number of frames in TX_SETUP and +RX_SETUP are derived from a single byte multiplex value by default. +Use-cases that would require to send/filter more than 256 CAN frames should +be implemented in userspace for complexity reasons anyway. + +Additionally the assignments of unsigned values from userspace to signed +values in kernelspace and vice versa are fixed by using unsigned values in +kernelspace consistently. + +Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net> +Reported-by: Ben Hawkes <hawkes@google.com> +Acked-by: Urs Thuermann <urs.thuermann@volkswagen.de> +Signed-off-by: David S. Miller <davem@davemloft.net> +commit 5b75c4973ce779520b9d1e392483207d6f842cde upstream +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/net/can/bcm.c b/net/can/bcm.c +index e32af52..e876417 100644 +--- a/net/can/bcm.c ++++ b/net/can/bcm.c +@@ -59,6 +59,13 @@ + #include <net/sock.h> + #include <net/net_namespace.h> + ++/* ++ * To send multiple CAN frame content within TX_SETUP or to filter ++ * CAN messages with multiplex index within RX_SETUP, the number of ++ * different filters is limited to 256 due to the one byte index value. ++ */ ++#define MAX_NFRAMES 256 ++ + /* use of last_frames[index].can_dlc */ + #define RX_RECV 0x40 /* received data for this element */ + #define RX_THR 0x80 /* element not been sent due to throttle feature */ +@@ -88,16 +95,16 @@ struct bcm_op { + struct list_head list; + int ifindex; + canid_t can_id; +- int flags; ++ u32 flags; + unsigned long frames_abs, frames_filtered; + struct timeval ival1, ival2; + struct hrtimer timer, thrtimer; + struct tasklet_struct tsklet, thrtsklet; + ktime_t rx_stamp, kt_ival1, kt_ival2, kt_lastmsg; + int rx_ifindex; +- int count; +- int nframes; +- int currframe; ++ u32 count; ++ u32 nframes; ++ u32 currframe; + struct can_frame *frames; + struct can_frame *last_frames; + struct can_frame sframe; +@@ -174,7 +181,7 @@ static int bcm_proc_show(struct seq_file *m, void *v) + + seq_printf(m, "rx_op: %03X %-5s ", + op->can_id, bcm_proc_getifname(ifname, op->ifindex)); +- seq_printf(m, "[%d]%c ", op->nframes, ++ seq_printf(m, "[%u]%c ", op->nframes, + (op->flags & RX_CHECK_DLC)?'d':' '); + if (op->kt_ival1.tv64) + seq_printf(m, "timeo=%lld ", +@@ -197,7 +204,7 @@ static int bcm_proc_show(struct seq_file *m, void *v) + + list_for_each_entry(op, &bo->tx_ops, list) { + +- seq_printf(m, "tx_op: %03X %s [%d] ", ++ seq_printf(m, "tx_op: %03X %s [%u] ", + op->can_id, + bcm_proc_getifname(ifname, op->ifindex), + op->nframes); +@@ -282,7 +289,7 @@ static void bcm_send_to_user(struct bcm_op *op, struct bcm_msg_head *head, + struct can_frame *firstframe; + struct sockaddr_can *addr; + struct sock *sk = op->sk; +- int datalen = head->nframes * CFSIZ; ++ unsigned int datalen = head->nframes * CFSIZ; + int err; + + skb = alloc_skb(sizeof(*head) + datalen, gfp_any()); +@@ -467,7 +474,7 @@ rx_changed_settime: + * bcm_rx_cmp_to_index - (bit)compares the currently received data to formerly + * received data stored in op->last_frames[] + */ +-static void bcm_rx_cmp_to_index(struct bcm_op *op, int index, ++static void bcm_rx_cmp_to_index(struct bcm_op *op, unsigned int index, + const struct can_frame *rxdata) + { + /* +@@ -553,7 +560,8 @@ static enum hrtimer_restart bcm_rx_timeout_handler(struct hrtimer *hrtimer) + /* + * bcm_rx_do_flush - helper for bcm_rx_thr_flush + */ +-static inline int bcm_rx_do_flush(struct bcm_op *op, int update, int index) ++static inline int bcm_rx_do_flush(struct bcm_op *op, int update, ++ unsigned int index) + { + if ((op->last_frames) && (op->last_frames[index].can_dlc & RX_THR)) { + if (update) +@@ -574,7 +582,7 @@ static int bcm_rx_thr_flush(struct bcm_op *op, int update) + int updated = 0; + + if (op->nframes > 1) { +- int i; ++ unsigned int i; + + /* for MUX filter we start at index 1 */ + for (i = 1; i < op->nframes; i++) +@@ -623,7 +631,7 @@ static void bcm_rx_handler(struct sk_buff *skb, void *data) + { + struct bcm_op *op = (struct bcm_op *)data; + const struct can_frame *rxframe = (struct can_frame *)skb->data; +- int i; ++ unsigned int i; + + /* disable timeout */ + hrtimer_cancel(&op->timer); +@@ -823,14 +831,15 @@ static int bcm_tx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + { + struct bcm_sock *bo = bcm_sk(sk); + struct bcm_op *op; +- int i, err; ++ unsigned int i; ++ int err; + + /* we need a real device to send frames */ + if (!ifindex) + return -ENODEV; + +- /* we need at least one can_frame */ +- if (msg_head->nframes < 1) ++ /* check nframes boundaries - we need at least one can_frame */ ++ if (msg_head->nframes < 1 || msg_head->nframes > MAX_NFRAMES) + return -EINVAL; + + /* check the given can_id */ +@@ -994,6 +1003,10 @@ static int bcm_rx_setup(struct bcm_msg_head *msg_head, struct msghdr *msg, + msg_head->nframes = 0; + } + ++ /* the first element contains the mux-mask => MAX_NFRAMES + 1 */ ++ if (msg_head->nframes > MAX_NFRAMES + 1) ++ return -EINVAL; ++ + if ((msg_head->flags & RX_RTR_FRAME) && + ((msg_head->nframes != 1) || + (!(msg_head->can_id & CAN_RTR_FLAG)))) +-- +1.7.1.1 + diff --git a/cfg80211-don-t-get-expired-BSSes.patch b/cfg80211-don-t-get-expired-BSSes.patch new file mode 100644 index 0000000..3b3e544 --- /dev/null +++ b/cfg80211-don-t-get-expired-BSSes.patch @@ -0,0 +1,54 @@ +From ab1b2be69fff354ec0ecbf25260e5fbe12507c48 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Tue, 13 Jul 2010 10:55:38 +0200 +Subject: [PATCH] cfg80211: don't get expired BSSes + +commit ab1b2be69fff354ec0ecbf25260e5fbe12507c48 in tip. + +commit ccb6c1360f8dd43303c659db718e7e0b24175db5 upstream. + +When kernel-internal users use cfg80211_get_bss() +to get a reference to a BSS struct, they may end +up getting one that would have been removed from +the list if there had been any userspace access +to the list. This leads to inconsistencies and +problems. + +Fix it by making cfg80211_get_bss() ignore BSSes +that cfg80211_bss_expire() would remove. + +Fixes http://bugzilla.intellinuxwireless.org/show_bug.cgi?id=2180 + +Reported-by: Jiajia Zheng <jiajia.zheng@intel.com> +Tested-by: Jiajia Zheng <jiajia.zheng@intel.com> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/net/wireless/scan.c b/net/wireless/scan.c +index 0c2cbbe..f2967e6 100644 +--- a/net/wireless/scan.c ++++ b/net/wireless/scan.c +@@ -271,6 +271,7 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, + { + struct cfg80211_registered_device *dev = wiphy_to_dev(wiphy); + struct cfg80211_internal_bss *bss, *res = NULL; ++ unsigned long now = jiffies; + + spin_lock_bh(&dev->bss_lock); + +@@ -279,6 +280,10 @@ struct cfg80211_bss *cfg80211_get_bss(struct wiphy *wiphy, + continue; + if (channel && bss->pub.channel != channel) + continue; ++ /* Don't get expired BSS structs */ ++ if (time_after(now, bss->ts + IEEE80211_SCAN_RESULT_EXPIRE) && ++ !atomic_read(&bss->hold)) ++ continue; + if (is_bss(&bss->pub, bssid, ssid, ssid_len)) { + res = bss; + kref_get(&res->ref); +-- +1.7.1.1 + diff --git a/cfg80211-ignore-spurious-deauth.patch b/cfg80211-ignore-spurious-deauth.patch new file mode 100644 index 0000000..435cb37 --- /dev/null +++ b/cfg80211-ignore-spurious-deauth.patch @@ -0,0 +1,47 @@ +From d377614a016ce3f4cf61c13f1356a23844d07e61 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Mon, 12 Jul 2010 14:46:43 +0200 +Subject: [PATCH] cfg80211: ignore spurious deauth + +commit d377614a016ce3f4cf61c13f1356a23844d07e61 in tip. + +commit 643f82e32f14faf0d0944c804203a6681b6b0a1e upstream. + +Ever since mac80211/drivers are no longer +fully in charge of keeping track of the +auth status, trying to make them do so will +fail. Instead of warning and reporting the +deauthentication to userspace, cfg80211 must +simply ignore it so that spurious +deauthentications, e.g. before starting +authentication, aren't seen by userspace as +actual deauthentications. + +Reported-by: Paul Stewart <pstew@google.com> +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/net/wireless/mlme.c b/net/wireless/mlme.c +index 82e6002..012d11b 100644 +--- a/net/wireless/mlme.c ++++ b/net/wireless/mlme.c +@@ -43,10 +43,10 @@ void cfg80211_send_rx_auth(struct net_device *dev, const u8 *buf, size_t len) + } + } + +- WARN_ON(!done); +- +- nl80211_send_rx_auth(rdev, dev, buf, len, GFP_KERNEL); +- cfg80211_sme_rx_auth(dev, buf, len); ++ if (done) { ++ nl80211_send_rx_auth(rdev, dev, buf, len, GFP_KERNEL); ++ cfg80211_sme_rx_auth(dev, buf, len); ++ } + + wdev_unlock(wdev); + } +-- +1.7.1.1 + diff --git a/comedi-Uncripple-8255-based-DIO-subdevices.patch b/comedi-Uncripple-8255-based-DIO-subdevices.patch new file mode 100644 index 0000000..69672b2 --- /dev/null +++ b/comedi-Uncripple-8255-based-DIO-subdevices.patch @@ -0,0 +1,72 @@ +From 7486bb3b78e9f73d705e310b9c9621b9352977b4 Mon Sep 17 00:00:00 2001 +From: Ian Abbott <abbotti@mev.co.uk> +Date: Fri, 30 Jul 2010 14:59:37 +0100 +Subject: [PATCH] comedi: Uncripple 8255-based DIO subdevices + +commit 7486bb3b78e9f73d705e310b9c9621b9352977b4 in tip. + +(Note: upstream comedi configuration has been overhauled, so this patch +does not apply there.) + +Several comedi drivers call subdev_8255_init() (declared in +"drivers/staging/comedi/drivers/8255.h") to set up one or more DIO +subdevices. This should be provided by the 8255.ko module, but unless +the CONFIG_COMEDI_8255 or CONFIG_COMEDI_8255_MODULE macro is defined, +the 8255.h header uses a dummy inline version of the function instead. +This means the comedi devices end up with an "unused" subdevice with 0 +channels instead of a "DIO" subdevice with 24 channels! + +This patch provides a non-interactive COMEDI_8255 option and selects it +whenever the COMEDI_PCI_DRIVERS or COMEDI_PCMCIA_DRIVERS options are +selected. + +Signed-off-by: Ian Abbott <abbotti@mev.co.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/staging/comedi/Kconfig b/drivers/staging/comedi/Kconfig +index d63c889..1d6834d 100644 +--- a/drivers/staging/comedi/Kconfig ++++ b/drivers/staging/comedi/Kconfig +@@ -16,6 +16,7 @@ config COMEDI_DEBUG + config COMEDI_PCI_DRIVERS + tristate "Comedi PCI drivers" + depends on COMEDI && PCI ++ select COMEDI_8255 + default N + ---help--- + Enable lots of comedi PCI drivers to be built +@@ -23,6 +24,7 @@ config COMEDI_PCI_DRIVERS + config COMEDI_PCMCIA_DRIVERS + tristate "Comedi PCMCIA drivers" + depends on COMEDI && PCMCIA && PCCARD ++ select COMEDI_8255 + default N + ---help--- + Enable lots of comedi PCMCIA and PCCARD drivers to be built +@@ -33,3 +35,6 @@ config COMEDI_USB_DRIVERS + default N + ---help--- + Enable lots of comedi USB drivers to be built ++ ++config COMEDI_8255 ++ tristate +diff --git a/drivers/staging/comedi/drivers/Makefile b/drivers/staging/comedi/drivers/Makefile +index df2854d..33b1d52 100644 +--- a/drivers/staging/comedi/drivers/Makefile ++++ b/drivers/staging/comedi/drivers/Makefile +@@ -8,8 +8,10 @@ obj-$(CONFIG_COMEDI) += comedi_test.o + obj-$(CONFIG_COMEDI) += comedi_parport.o + obj-$(CONFIG_COMEDI) += pcm_common.o + ++# Comedi 8255 module ++obj-$(CONFIG_COMEDI_8255) += 8255.o ++ + # Comedi PCI drivers +-obj-$(CONFIG_COMEDI_PCI_DRIVERS) += 8255.o + obj-$(CONFIG_COMEDI_PCI_DRIVERS) += acl7225b.o + obj-$(CONFIG_COMEDI_PCI_DRIVERS) += addi_apci_035.o + obj-$(CONFIG_COMEDI_PCI_DRIVERS) += addi_apci_1032.o +-- +1.7.1.1 + diff --git a/compat-Make-compat_alloc_user_space-incorporate-the-.patch b/compat-Make-compat_alloc_user_space-incorporate-the-.patch new file mode 100644 index 0000000..a19c296 --- /dev/null +++ b/compat-Make-compat_alloc_user_space-incorporate-the-.patch @@ -0,0 +1,190 @@ +From c2841fe895b29834edd7137478e2ba19a4a21ef1 Mon Sep 17 00:00:00 2001 +From: H. Peter Anvin <hpa@linux.intel.com> +Date: Tue, 7 Sep 2010 16:16:18 -0700 +Subject: [PATCH] compat: Make compat_alloc_user_space() incorporate the access_ok() + +commit c2841fe895b29834edd7137478e2ba19a4a21ef1 in tip. + +compat_alloc_user_space() expects the caller to independently call +access_ok() to verify the returned area. A missing call could +introduce problems on some architectures. + +This patch incorporates the access_ok() check into +compat_alloc_user_space() and also adds a sanity check on the length. +The existing compat_alloc_user_space() implementations are renamed +arch_compat_alloc_user_space() and are used as part of the +implementation of the new global function. + +This patch assumes NULL will cause __get_user()/__put_user() to either +fail or access userspace on all architectures. This should be +followed by checking the return value of compat_access_user_space() +for NULL in the callers, at which time the access_ok() in the callers +can also be removed. + +Reported-by: Ben Hawkes <hawkes@sota.gen.nz> +Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> +Acked-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Acked-by: Chris Metcalf <cmetcalf@tilera.com> +Acked-by: David S. Miller <davem@davemloft.net> +Acked-by: Ingo Molnar <mingo@elte.hu> +Acked-by: Thomas Gleixner <tglx@linutronix.de> +Acked-by: Tony Luck <tony.luck@intel.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Cc: Arnd Bergmann <arnd@arndb.de> +Cc: Fenghua Yu <fenghua.yu@intel.com> +Cc: H. Peter Anvin <hpa@zytor.com> +Cc: Heiko Carstens <heiko.carstens@de.ibm.com> +Cc: Helge Deller <deller@gmx.de> +Cc: James Bottomley <jejb@parisc-linux.org> +Cc: Kyle McMartin <kyle@mcmartin.ca> +Cc: Martin Schwidefsky <schwidefsky@de.ibm.com> +Cc: Paul Mackerras <paulus@samba.org> +Cc: Ralf Baechle <ralf@linux-mips.org> +Cc: <stable@kernel.org> +Upstream-commit: c41d68a513c71e35a14f66d71782d27a79a81ea6 +Fixed-merge-conflicts-for v2.6.33.7-rt29 +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/arch/ia64/include/asm/compat.h b/arch/ia64/include/asm/compat.h +index dfcf75b..c8662cd 100644 +--- a/arch/ia64/include/asm/compat.h ++++ b/arch/ia64/include/asm/compat.h +@@ -198,7 +198,7 @@ ptr_to_compat(void __user *uptr) + } + + static __inline__ void __user * +-compat_alloc_user_space (long len) ++arch_compat_alloc_user_space (long len) + { + struct pt_regs *regs = task_pt_regs(current); + return (void __user *) (((regs->r12 & 0xffffffff) & -16) - len); +diff --git a/arch/mips/include/asm/compat.h b/arch/mips/include/asm/compat.h +index f58aed3..27505bd 100644 +--- a/arch/mips/include/asm/compat.h ++++ b/arch/mips/include/asm/compat.h +@@ -144,7 +144,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) + return (u32)(unsigned long)uptr; + } + +-static inline void __user *compat_alloc_user_space(long len) ++static inline void __user *arch_compat_alloc_user_space(long len) + { + struct pt_regs *regs = (struct pt_regs *) + ((unsigned long) current_thread_info() + THREAD_SIZE - 32) - 1; +diff --git a/arch/parisc/include/asm/compat.h b/arch/parisc/include/asm/compat.h +index 7f32611..7c77fa9 100644 +--- a/arch/parisc/include/asm/compat.h ++++ b/arch/parisc/include/asm/compat.h +@@ -146,7 +146,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) + return (u32)(unsigned long)uptr; + } + +-static __inline__ void __user *compat_alloc_user_space(long len) ++static __inline__ void __user *arch_compat_alloc_user_space(long len) + { + struct pt_regs *regs = ¤t->thread.regs; + return (void __user *)regs->gr[30]; +diff --git a/arch/powerpc/include/asm/compat.h b/arch/powerpc/include/asm/compat.h +index 4774c2f..8d0fff3 100644 +--- a/arch/powerpc/include/asm/compat.h ++++ b/arch/powerpc/include/asm/compat.h +@@ -133,7 +133,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) + return (u32)(unsigned long)uptr; + } + +-static inline void __user *compat_alloc_user_space(long len) ++static inline void __user *arch_compat_alloc_user_space(long len) + { + struct pt_regs *regs = current->thread.regs; + unsigned long usp = regs->gpr[1]; +diff --git a/arch/s390/include/asm/compat.h b/arch/s390/include/asm/compat.h +index 01a0802..0c940d3 100644 +--- a/arch/s390/include/asm/compat.h ++++ b/arch/s390/include/asm/compat.h +@@ -180,7 +180,7 @@ static inline int is_compat_task(void) + + #endif + +-static inline void __user *compat_alloc_user_space(long len) ++static inline void __user *arch_compat_alloc_user_space(long len) + { + unsigned long stack; + +diff --git a/arch/sparc/include/asm/compat.h b/arch/sparc/include/asm/compat.h +index 0e70625..612bb38 100644 +--- a/arch/sparc/include/asm/compat.h ++++ b/arch/sparc/include/asm/compat.h +@@ -166,7 +166,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) + return (u32)(unsigned long)uptr; + } + +-static inline void __user *compat_alloc_user_space(long len) ++static inline void __user *arch_compat_alloc_user_space(long len) + { + struct pt_regs *regs = current_thread_info()->kregs; + unsigned long usp = regs->u_regs[UREG_I6]; +diff --git a/arch/x86/include/asm/compat.h b/arch/x86/include/asm/compat.h +index 9a9c7bd..c8c9a74 100644 +--- a/arch/x86/include/asm/compat.h ++++ b/arch/x86/include/asm/compat.h +@@ -204,7 +204,7 @@ static inline compat_uptr_t ptr_to_compat(void __user *uptr) + return (u32)(unsigned long)uptr; + } + +-static inline void __user *compat_alloc_user_space(long len) ++static inline void __user *arch_compat_alloc_user_space(long len) + { + struct pt_regs *regs = task_pt_regs(current); + return (void __user *)regs->sp - len; +diff --git a/include/linux/compat.h b/include/linux/compat.h +index ef68119..f66c13d 100644 +--- a/include/linux/compat.h ++++ b/include/linux/compat.h +@@ -353,5 +353,7 @@ asmlinkage long compat_sys_newfstatat(unsigned int dfd, char __user * filename, + asmlinkage long compat_sys_openat(unsigned int dfd, const char __user *filename, + int flags, int mode); + ++extern void __user *compat_alloc_user_space(unsigned long len); ++ + #endif /* CONFIG_COMPAT */ + #endif /* _LINUX_COMPAT_H */ +diff --git a/kernel/compat.c b/kernel/compat.c +index 180d188..8bc5578 100644 +--- a/kernel/compat.c ++++ b/kernel/compat.c +@@ -25,6 +25,7 @@ + #include <linux/posix-timers.h> + #include <linux/times.h> + #include <linux/ptrace.h> ++#include <linux/module.h> + + #include <asm/uaccess.h> + +@@ -1136,3 +1137,24 @@ compat_sys_sysinfo(struct compat_sysinfo __user *info) + + return 0; + } ++ ++/* ++ * Allocate user-space memory for the duration of a single system call, ++ * in order to marshall parameters inside a compat thunk. ++ */ ++void __user *compat_alloc_user_space(unsigned long len) ++{ ++ void __user *ptr; ++ ++ /* If len would occupy more than half of the entire compat space... */ ++ if (unlikely(len > (((compat_uptr_t)~0) >> 1))) ++ return NULL; ++ ++ ptr = arch_compat_alloc_user_space(len); ++ ++ if (unlikely(!access_ok(VERIFY_WRITE, ptr, len))) ++ return NULL; ++ ++ return ptr; ++} ++EXPORT_SYMBOL_GPL(compat_alloc_user_space); +-- +1.7.1.1 + diff --git a/drm-block-userspace-under-allocating-buffer-and-havi.patch b/drm-block-userspace-under-allocating-buffer-and-havi.patch new file mode 100644 index 0000000..8e28f35 --- /dev/null +++ b/drm-block-userspace-under-allocating-buffer-and-havi.patch @@ -0,0 +1,862 @@ +From bf18be070d1b8d87f6ba3c01686e1c8fc3ef0aca Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Wed, 15 Dec 2010 09:57:34 +0100 +Subject: [PATCH] drm: block userspace under allocating buffer and having drivers overwrite it (v2) + +commit bf18be070d1b8d87f6ba3c01686e1c8fc3ef0aca in tip. + +commit 1b2f1489633888d4a06028315dc19d65768a1c05 upstream + +With the current screwed but its ABI, ioctls for the drm, Linus +pointed out that we could allow userspace to specify the allocation +size, but we pass it to the driver which then uses it blindly to store +a struct. Now if userspace specifies the allocation size as smaller +than the driver needs, the driver can possibly overwrite memory. + +This patch restructures the driver ioctls so we store the structure +size we are expecting, and make sure we allocate at least that +size. The copy from/to userspace are still restricted to the size the +user specifies, this allows ioctl structs to grow on both sides of the +equation. + +Up until now we didn't really use the DRM_IOCTL defines in the kernel, +so this cleans them up and adds them for nouveau. + +v2: +fix nouveau pushbuf arg (thanks to Ben for pointing it out) + +Reported-by: Linus Torvalds <torvalds@linuxfoundation.org> +Signed-off-by: Dave Airlie <airlied@redhat.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/drivers/gpu/drm/drm_drv.c b/drivers/gpu/drm/drm_drv.c +index 766c468..5dd94ca 100644 +--- a/drivers/gpu/drm/drm_drv.c ++++ b/drivers/gpu/drm/drm_drv.c +@@ -54,6 +54,9 @@ + static int drm_version(struct drm_device *dev, void *data, + struct drm_file *file_priv); + ++#define DRM_IOCTL_DEF(ioctl, _func, _flags) \ ++ [DRM_IOCTL_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags, .cmd_drv = 0} ++ + /** Ioctl table */ + static struct drm_ioctl_desc drm_ioctls[] = { + DRM_IOCTL_DEF(DRM_IOCTL_VERSION, drm_version, 0), +@@ -445,6 +448,7 @@ long drm_ioctl(struct file *filp, + int retcode = -EINVAL; + char stack_kdata[128]; + char *kdata = NULL; ++ unsigned int usize, asize; + + dev = file_priv->minor->dev; + atomic_inc(&dev->ioctl_count); +@@ -460,11 +464,18 @@ long drm_ioctl(struct file *filp, + ((nr < DRM_COMMAND_BASE) || (nr >= DRM_COMMAND_END))) + goto err_i1; + if ((nr >= DRM_COMMAND_BASE) && (nr < DRM_COMMAND_END) && +- (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) ++ (nr < DRM_COMMAND_BASE + dev->driver->num_ioctls)) { ++ u32 drv_size; + ioctl = &dev->driver->ioctls[nr - DRM_COMMAND_BASE]; ++ drv_size = _IOC_SIZE(ioctl->cmd_drv); ++ usize = asize = _IOC_SIZE(cmd); ++ if (drv_size > asize) ++ asize = drv_size; ++ } + else if ((nr >= DRM_COMMAND_END) || (nr < DRM_COMMAND_BASE)) { + ioctl = &drm_ioctls[nr]; + cmd = ioctl->cmd; ++ usize = asize = _IOC_SIZE(cmd); + } else + goto err_i1; + +@@ -484,10 +495,10 @@ long drm_ioctl(struct file *filp, + retcode = -EACCES; + } else { + if (cmd & (IOC_IN | IOC_OUT)) { +- if (_IOC_SIZE(cmd) <= sizeof(stack_kdata)) { ++ if (asize <= sizeof(stack_kdata)) { + kdata = stack_kdata; + } else { +- kdata = kmalloc(_IOC_SIZE(cmd), GFP_KERNEL); ++ kdata = kmalloc(asize, GFP_KERNEL); + if (!kdata) { + retcode = -ENOMEM; + goto err_i1; +@@ -497,11 +508,13 @@ long drm_ioctl(struct file *filp, + + if (cmd & IOC_IN) { + if (copy_from_user(kdata, (void __user *)arg, +- _IOC_SIZE(cmd)) != 0) { ++ usize) != 0) { + retcode = -EFAULT; + goto err_i1; + } +- } ++ } else ++ memset(kdata, 0, usize); ++ + if (ioctl->flags & DRM_UNLOCKED) + retcode = func(dev, kdata, file_priv); + else { +@@ -512,7 +525,7 @@ long drm_ioctl(struct file *filp, + + if (cmd & IOC_OUT) { + if (copy_to_user((void __user *)arg, kdata, +- _IOC_SIZE(cmd)) != 0) ++ usize) != 0) + retcode = -EFAULT; + } + } +diff --git a/drivers/gpu/drm/i810/i810_dma.c b/drivers/gpu/drm/i810/i810_dma.c +index de32d22..63371ab 100644 +--- a/drivers/gpu/drm/i810/i810_dma.c ++++ b/drivers/gpu/drm/i810/i810_dma.c +@@ -1245,21 +1245,21 @@ int i810_driver_dma_quiescent(struct drm_device * dev) + } + + struct drm_ioctl_desc i810_ioctls[] = { +- DRM_IOCTL_DEF(DRM_I810_INIT, i810_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I810_VERTEX, i810_dma_vertex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_CLEAR, i810_clear_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_FLUSH, i810_flush_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_GETAGE, i810_getage, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_GETBUF, i810_getbuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_SWAP, i810_swap_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_COPY, i810_copybuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_DOCOPY, i810_docopy, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_OV0INFO, i810_ov0_info, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_FSTATUS, i810_fstatus, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_OV0FLIP, i810_ov0_flip, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_MC, i810_dma_mc, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I810_RSTATUS, i810_rstatus, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I810_FLIP, i810_flip_bufs, DRM_AUTH) ++ DRM_IOCTL_DEF_DRV(I810_INIT, i810_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I810_VERTEX, i810_dma_vertex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_CLEAR, i810_clear_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_FLUSH, i810_flush_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_GETAGE, i810_getage, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_GETBUF, i810_getbuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_SWAP, i810_swap_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_COPY, i810_copybuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_DOCOPY, i810_docopy, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_OV0INFO, i810_ov0_info, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_FSTATUS, i810_fstatus, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_OV0FLIP, i810_ov0_flip, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_MC, i810_dma_mc, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I810_RSTATUS, i810_rstatus, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I810_FLIP, i810_flip_bufs, DRM_AUTH), + }; + + int i810_max_ioctl = DRM_ARRAY_SIZE(i810_ioctls); +diff --git a/drivers/gpu/drm/i830/i830_dma.c b/drivers/gpu/drm/i830/i830_dma.c +index 06bd732..150f6d8 100644 +--- a/drivers/gpu/drm/i830/i830_dma.c ++++ b/drivers/gpu/drm/i830/i830_dma.c +@@ -1516,20 +1516,20 @@ int i830_driver_dma_quiescent(struct drm_device * dev) + } + + struct drm_ioctl_desc i830_ioctls[] = { +- DRM_IOCTL_DEF(DRM_I830_INIT, i830_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I830_VERTEX, i830_dma_vertex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_CLEAR, i830_clear_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_FLUSH, i830_flush_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_GETAGE, i830_getage, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_GETBUF, i830_getbuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_SWAP, i830_swap_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_COPY, i830_copybuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_DOCOPY, i830_docopy, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_FLIP, i830_flip_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_IRQ_EMIT, i830_irq_emit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_IRQ_WAIT, i830_irq_wait, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_GETPARAM, i830_getparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I830_SETPARAM, i830_setparam, DRM_AUTH) ++ DRM_IOCTL_DEF_DRV(I830_INIT, i830_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I830_VERTEX, i830_dma_vertex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_CLEAR, i830_clear_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_FLUSH, i830_flush_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_GETAGE, i830_getage, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_GETBUF, i830_getbuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_SWAP, i830_swap_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_COPY, i830_copybuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_DOCOPY, i830_docopy, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_FLIP, i830_flip_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_IRQ_EMIT, i830_irq_emit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_IRQ_WAIT, i830_irq_wait, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_GETPARAM, i830_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I830_SETPARAM, i830_setparam, DRM_AUTH), + }; + + int i830_max_ioctl = DRM_ARRAY_SIZE(i830_ioctls); +diff --git a/drivers/gpu/drm/i915/i915_dma.c b/drivers/gpu/drm/i915/i915_dma.c +index d642efd..0792d31 100644 +--- a/drivers/gpu/drm/i915/i915_dma.c ++++ b/drivers/gpu/drm/i915/i915_dma.c +@@ -1644,46 +1644,46 @@ void i915_driver_postclose(struct drm_device *dev, struct drm_file *file_priv) + } + + struct drm_ioctl_desc i915_ioctls[] = { +- DRM_IOCTL_DEF(DRM_I915_INIT, i915_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_FLUSH, i915_flush_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_FLIP, i915_flip_bufs, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_BATCHBUFFER, i915_batchbuffer, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_IRQ_EMIT, i915_irq_emit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_IRQ_WAIT, i915_irq_wait, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_GETPARAM, i915_getparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_SETPARAM, i915_setparam, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_ALLOC, i915_mem_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_FREE, i915_mem_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_INIT_HEAP, i915_mem_init_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_CMDBUFFER, i915_cmdbuffer, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_DESTROY_HEAP, i915_mem_destroy_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ), +- DRM_IOCTL_DEF(DRM_I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY ), +- DRM_IOCTL_DEF(DRM_I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH ), +- DRM_IOCTL_DEF(DRM_I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_INIT, i915_gem_init_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_EXECBUFFER, i915_gem_execbuffer, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_GEM_EXECBUFFER2, i915_gem_execbuffer2, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_GEM_PIN, i915_gem_pin_ioctl, DRM_AUTH|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_UNPIN, i915_gem_unpin_ioctl, DRM_AUTH|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_BUSY, i915_gem_busy_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_GEM_THROTTLE, i915_gem_throttle_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_I915_GEM_ENTERVT, i915_gem_entervt_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_LEAVEVT, i915_gem_leavevt_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_I915_GEM_CREATE, i915_gem_create_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_PREAD, i915_gem_pread_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_PWRITE, i915_gem_pwrite_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_MMAP, i915_gem_mmap_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_MMAP_GTT, i915_gem_mmap_gtt_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_SET_DOMAIN, i915_gem_set_domain_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_SW_FINISH, i915_gem_sw_finish_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_SET_TILING, i915_gem_set_tiling, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_GET_TILING, i915_gem_get_tiling, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_GET_APERTURE, i915_gem_get_aperture_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_GET_PIPE_FROM_CRTC_ID, intel_get_pipe_from_crtc_id, 0), +- DRM_IOCTL_DEF(DRM_I915_GEM_MADVISE, i915_gem_madvise_ioctl, 0), +- DRM_IOCTL_DEF(DRM_I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW), +- DRM_IOCTL_DEF(DRM_I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW), ++ DRM_IOCTL_DEF_DRV(I915_INIT, i915_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_FLUSH, i915_flush_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_FLIP, i915_flip_bufs, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_BATCHBUFFER, i915_batchbuffer, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_IRQ_EMIT, i915_irq_emit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_IRQ_WAIT, i915_irq_wait, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_GETPARAM, i915_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_SETPARAM, i915_setparam, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_ALLOC, i915_mem_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_FREE, i915_mem_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_INIT_HEAP, i915_mem_init_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_CMDBUFFER, i915_cmdbuffer, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_DESTROY_HEAP, i915_mem_destroy_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_SET_VBLANK_PIPE, i915_vblank_pipe_set, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GET_VBLANK_PIPE, i915_vblank_pipe_get, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_VBLANK_SWAP, i915_vblank_swap, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_HWS_ADDR, i915_set_status_page, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_INIT, i915_gem_init_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_EXECBUFFER, i915_gem_execbuffer, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_GEM_EXECBUFFER2, i915_gem_execbuffer2, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_GEM_PIN, i915_gem_pin_ioctl, DRM_AUTH|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_UNPIN, i915_gem_unpin_ioctl, DRM_AUTH|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_BUSY, i915_gem_busy_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_GEM_THROTTLE, i915_gem_throttle_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(I915_GEM_ENTERVT, i915_gem_entervt_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_LEAVEVT, i915_gem_leavevt_ioctl, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(I915_GEM_CREATE, i915_gem_create_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_PREAD, i915_gem_pread_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_PWRITE, i915_gem_pwrite_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_MMAP, i915_gem_mmap_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_MMAP_GTT, i915_gem_mmap_gtt_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_SET_DOMAIN, i915_gem_set_domain_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_SW_FINISH, i915_gem_sw_finish_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_SET_TILING, i915_gem_set_tiling, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_GET_TILING, i915_gem_get_tiling, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_GET_APERTURE, i915_gem_get_aperture_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_GET_PIPE_FROM_CRTC_ID, intel_get_pipe_from_crtc_id, 0), ++ DRM_IOCTL_DEF_DRV(I915_GEM_MADVISE, i915_gem_madvise_ioctl, 0), ++ DRM_IOCTL_DEF_DRV(I915_OVERLAY_PUT_IMAGE, intel_overlay_put_image, DRM_MASTER|DRM_CONTROL_ALLOW), ++ DRM_IOCTL_DEF_DRV(I915_OVERLAY_ATTRS, intel_overlay_attrs, DRM_MASTER|DRM_CONTROL_ALLOW), + }; + + int i915_max_ioctl = DRM_ARRAY_SIZE(i915_ioctls); +diff --git a/drivers/gpu/drm/mga/mga_state.c b/drivers/gpu/drm/mga/mga_state.c +index a53b848..27dcff7 100644 +--- a/drivers/gpu/drm/mga/mga_state.c ++++ b/drivers/gpu/drm/mga/mga_state.c +@@ -1086,19 +1086,19 @@ file_priv) + } + + struct drm_ioctl_desc mga_ioctls[] = { +- DRM_IOCTL_DEF(DRM_MGA_INIT, mga_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_MGA_FLUSH, mga_dma_flush, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_RESET, mga_dma_reset, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_SWAP, mga_dma_swap, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_CLEAR, mga_dma_clear, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_VERTEX, mga_dma_vertex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_INDICES, mga_dma_indices, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_ILOAD, mga_dma_iload, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_BLIT, mga_dma_blit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_GETPARAM, mga_getparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_SET_FENCE, mga_set_fence, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_WAIT_FENCE, mga_wait_fence, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_MGA_DMA_BOOTSTRAP, mga_dma_bootstrap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(MGA_INIT, mga_dma_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(MGA_FLUSH, mga_dma_flush, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_RESET, mga_dma_reset, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_SWAP, mga_dma_swap, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_CLEAR, mga_dma_clear, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_VERTEX, mga_dma_vertex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_INDICES, mga_dma_indices, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_ILOAD, mga_dma_iload, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_BLIT, mga_dma_blit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_GETPARAM, mga_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_SET_FENCE, mga_set_fence, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_WAIT_FENCE, mga_wait_fence, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(MGA_DMA_BOOTSTRAP, mga_dma_bootstrap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), + }; + + int mga_max_ioctl = DRM_ARRAY_SIZE(mga_ioctls); +diff --git a/drivers/gpu/drm/nouveau/nouveau_channel.c b/drivers/gpu/drm/nouveau/nouveau_channel.c +index 2281f99..6cce7cb 100644 +--- a/drivers/gpu/drm/nouveau/nouveau_channel.c ++++ b/drivers/gpu/drm/nouveau/nouveau_channel.c +@@ -408,23 +408,18 @@ nouveau_ioctl_fifo_free(struct drm_device *dev, void *data, + ***********************************/ + + struct drm_ioctl_desc nouveau_ioctls[] = { +- DRM_IOCTL_DEF(DRM_NOUVEAU_CARD_INIT, nouveau_ioctl_card_init, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GETPARAM, nouveau_ioctl_getparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_SETPARAM, nouveau_ioctl_setparam, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_NOUVEAU_CHANNEL_ALLOC, nouveau_ioctl_fifo_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_CHANNEL_FREE, nouveau_ioctl_fifo_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GROBJ_ALLOC, nouveau_ioctl_grobj_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_NOTIFIEROBJ_ALLOC, nouveau_ioctl_notifier_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GPUOBJ_FREE, nouveau_ioctl_gpuobj_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_NEW, nouveau_gem_ioctl_new, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_PUSHBUF, nouveau_gem_ioctl_pushbuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_PUSHBUF_CALL, nouveau_gem_ioctl_pushbuf_call, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_PIN, nouveau_gem_ioctl_pin, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_UNPIN, nouveau_gem_ioctl_unpin, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_CPU_PREP, nouveau_gem_ioctl_cpu_prep, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_CPU_FINI, nouveau_gem_ioctl_cpu_fini, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_INFO, nouveau_gem_ioctl_info, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_NOUVEAU_GEM_PUSHBUF_CALL2, nouveau_gem_ioctl_pushbuf_call2, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GETPARAM, nouveau_ioctl_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_SETPARAM, nouveau_ioctl_setparam, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_CHANNEL_ALLOC, nouveau_ioctl_fifo_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_CHANNEL_FREE, nouveau_ioctl_fifo_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GROBJ_ALLOC, nouveau_ioctl_grobj_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_NOTIFIEROBJ_ALLOC, nouveau_ioctl_notifier_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GPUOBJ_FREE, nouveau_ioctl_gpuobj_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GEM_NEW, nouveau_gem_ioctl_new, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GEM_PUSHBUF, nouveau_gem_ioctl_pushbuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GEM_CPU_PREP, nouveau_gem_ioctl_cpu_prep, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GEM_CPU_FINI, nouveau_gem_ioctl_cpu_fini, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(NOUVEAU_GEM_INFO, nouveau_gem_ioctl_info, DRM_AUTH), + }; + + int nouveau_max_ioctl = DRM_ARRAY_SIZE(nouveau_ioctls); +diff --git a/drivers/gpu/drm/r128/r128_state.c b/drivers/gpu/drm/r128/r128_state.c +index af2665c..2b783f2 100644 +--- a/drivers/gpu/drm/r128/r128_state.c ++++ b/drivers/gpu/drm/r128/r128_state.c +@@ -1655,29 +1655,29 @@ void r128_driver_preclose(struct drm_device * dev, struct drm_file *file_priv) + } + } + +-void r128_driver_lastclose(struct drm_device * dev) ++void r128_driver_lastclose(struct drm_device *dev) + { + r128_do_cleanup_cce(dev); + } + + struct drm_ioctl_desc r128_ioctls[] = { +- DRM_IOCTL_DEF(DRM_R128_INIT, r128_cce_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_R128_CCE_START, r128_cce_start, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_R128_CCE_STOP, r128_cce_stop, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_R128_CCE_RESET, r128_cce_reset, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_R128_CCE_IDLE, r128_cce_idle, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_RESET, r128_engine_reset, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_FULLSCREEN, r128_fullscreen, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_SWAP, r128_cce_swap, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_FLIP, r128_cce_flip, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_CLEAR, r128_cce_clear, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_VERTEX, r128_cce_vertex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_INDICES, r128_cce_indices, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_BLIT, r128_cce_blit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_DEPTH, r128_cce_depth, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_STIPPLE, r128_cce_stipple, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_R128_INDIRECT, r128_cce_indirect, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_R128_GETPARAM, r128_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_INIT, r128_cce_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(R128_CCE_START, r128_cce_start, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(R128_CCE_STOP, r128_cce_stop, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(R128_CCE_RESET, r128_cce_reset, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(R128_CCE_IDLE, r128_cce_idle, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_RESET, r128_engine_reset, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_FULLSCREEN, r128_fullscreen, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_SWAP, r128_cce_swap, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_FLIP, r128_cce_flip, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_CLEAR, r128_cce_clear, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_VERTEX, r128_cce_vertex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_INDICES, r128_cce_indices, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_BLIT, r128_cce_blit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_DEPTH, r128_cce_depth, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_STIPPLE, r128_cce_stipple, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(R128_INDIRECT, r128_cce_indirect, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(R128_GETPARAM, r128_getparam, DRM_AUTH), + }; + + int r128_max_ioctl = DRM_ARRAY_SIZE(r128_ioctls); +diff --git a/drivers/gpu/drm/radeon/radeon_kms.c b/drivers/gpu/drm/radeon/radeon_kms.c +index f23b056..860dd37 100644 +--- a/drivers/gpu/drm/radeon/radeon_kms.c ++++ b/drivers/gpu/drm/radeon/radeon_kms.c +@@ -248,45 +248,45 @@ KMS_INVALID_IOCTL(radeon_surface_free_kms) + + + struct drm_ioctl_desc radeon_ioctls_kms[] = { +- DRM_IOCTL_DEF(DRM_RADEON_CP_INIT, radeon_cp_init_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_START, radeon_cp_start_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_STOP, radeon_cp_stop_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_RESET, radeon_cp_reset_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_IDLE, radeon_cp_idle_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CP_RESUME, radeon_cp_resume_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_RESET, radeon_engine_reset_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FULLSCREEN, radeon_fullscreen_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SWAP, radeon_cp_swap_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CLEAR, radeon_cp_clear_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_VERTEX, radeon_cp_vertex_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INDICES, radeon_cp_indices_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_TEXTURE, radeon_cp_texture_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_STIPPLE, radeon_cp_stipple_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INDIRECT, radeon_cp_indirect_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_VERTEX2, radeon_cp_vertex2_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CMDBUF, radeon_cp_cmdbuf_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GETPARAM, radeon_cp_getparam_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FLIP, radeon_cp_flip_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_ALLOC, radeon_mem_alloc_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FREE, radeon_mem_free_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INIT_HEAP, radeon_mem_init_heap_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_IRQ_EMIT, radeon_irq_emit_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_IRQ_WAIT, radeon_irq_wait_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SETPARAM, radeon_cp_setparam_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SURF_ALLOC, radeon_surface_alloc_kms, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SURF_FREE, radeon_surface_free_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_INIT, radeon_cp_init_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_START, radeon_cp_start_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_STOP, radeon_cp_stop_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_RESET, radeon_cp_reset_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_IDLE, radeon_cp_idle_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_RESUME, radeon_cp_resume_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_RESET, radeon_engine_reset_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FULLSCREEN, radeon_fullscreen_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SWAP, radeon_cp_swap_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CLEAR, radeon_cp_clear_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_VERTEX, radeon_cp_vertex_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INDICES, radeon_cp_indices_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_TEXTURE, radeon_cp_texture_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_STIPPLE, radeon_cp_stipple_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INDIRECT, radeon_cp_indirect_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_VERTEX2, radeon_cp_vertex2_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CMDBUF, radeon_cp_cmdbuf_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GETPARAM, radeon_cp_getparam_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FLIP, radeon_cp_flip_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_ALLOC, radeon_mem_alloc_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FREE, radeon_mem_free_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INIT_HEAP, radeon_mem_init_heap_kms, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_IRQ_EMIT, radeon_irq_emit_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_IRQ_WAIT, radeon_irq_wait_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SETPARAM, radeon_cp_setparam_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SURF_ALLOC, radeon_surface_alloc_kms, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SURF_FREE, radeon_surface_free_kms, DRM_AUTH), + /* KMS */ +- DRM_IOCTL_DEF(DRM_RADEON_GEM_INFO, radeon_gem_info_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_CREATE, radeon_gem_create_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_MMAP, radeon_gem_mmap_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_SET_DOMAIN, radeon_gem_set_domain_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_PREAD, radeon_gem_pread_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_PWRITE, radeon_gem_pwrite_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_WAIT_IDLE, radeon_gem_wait_idle_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CS, radeon_cs_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INFO, radeon_info_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_SET_TILING, radeon_gem_set_tiling_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_GET_TILING, radeon_gem_get_tiling_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GEM_BUSY, radeon_gem_busy_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_INFO, radeon_gem_info_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_CREATE, radeon_gem_create_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_MMAP, radeon_gem_mmap_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_SET_DOMAIN, radeon_gem_set_domain_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_PREAD, radeon_gem_pread_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_PWRITE, radeon_gem_pwrite_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_WAIT_IDLE, radeon_gem_wait_idle_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CS, radeon_cs_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INFO, radeon_info_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_SET_TILING, radeon_gem_set_tiling_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_GET_TILING, radeon_gem_get_tiling_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GEM_BUSY, radeon_gem_busy_ioctl, DRM_AUTH), + }; + int radeon_max_kms_ioctl = DRM_ARRAY_SIZE(radeon_ioctls_kms); +diff --git a/drivers/gpu/drm/radeon/radeon_state.c b/drivers/gpu/drm/radeon/radeon_state.c +index 16436bb..2f81481 100644 +--- a/drivers/gpu/drm/radeon/radeon_state.c ++++ b/drivers/gpu/drm/radeon/radeon_state.c +@@ -3218,34 +3218,34 @@ void radeon_driver_postclose(struct drm_device *dev, struct drm_file *file_priv) + } + + struct drm_ioctl_desc radeon_ioctls[] = { +- DRM_IOCTL_DEF(DRM_RADEON_CP_INIT, radeon_cp_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_START, radeon_cp_start, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_STOP, radeon_cp_stop, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_RESET, radeon_cp_reset, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_CP_IDLE, radeon_cp_idle, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CP_RESUME, radeon_cp_resume, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_RESET, radeon_engine_reset, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FULLSCREEN, radeon_fullscreen, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SWAP, radeon_cp_swap, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CLEAR, radeon_cp_clear, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_VERTEX, radeon_cp_vertex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INDICES, radeon_cp_indices, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_TEXTURE, radeon_cp_texture, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_STIPPLE, radeon_cp_stipple, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INDIRECT, radeon_cp_indirect, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_VERTEX2, radeon_cp_vertex2, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CMDBUF, radeon_cp_cmdbuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_GETPARAM, radeon_cp_getparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FLIP, radeon_cp_flip, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_ALLOC, radeon_mem_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_FREE, radeon_mem_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_INIT_HEAP, radeon_mem_init_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_RADEON_IRQ_EMIT, radeon_irq_emit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_IRQ_WAIT, radeon_irq_wait, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SETPARAM, radeon_cp_setparam, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SURF_ALLOC, radeon_surface_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_SURF_FREE, radeon_surface_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_RADEON_CS, r600_cs_legacy_ioctl, DRM_AUTH) ++ DRM_IOCTL_DEF_DRV(RADEON_CP_INIT, radeon_cp_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_START, radeon_cp_start, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_STOP, radeon_cp_stop, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_RESET, radeon_cp_reset, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_IDLE, radeon_cp_idle, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CP_RESUME, radeon_cp_resume, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_RESET, radeon_engine_reset, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FULLSCREEN, radeon_fullscreen, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SWAP, radeon_cp_swap, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CLEAR, radeon_cp_clear, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_VERTEX, radeon_cp_vertex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INDICES, radeon_cp_indices, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_TEXTURE, radeon_cp_texture, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_STIPPLE, radeon_cp_stipple, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INDIRECT, radeon_cp_indirect, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_VERTEX2, radeon_cp_vertex2, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CMDBUF, radeon_cp_cmdbuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_GETPARAM, radeon_cp_getparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FLIP, radeon_cp_flip, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_ALLOC, radeon_mem_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_FREE, radeon_mem_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_INIT_HEAP, radeon_mem_init_heap, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(RADEON_IRQ_EMIT, radeon_irq_emit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_IRQ_WAIT, radeon_irq_wait, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SETPARAM, radeon_cp_setparam, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SURF_ALLOC, radeon_surface_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_SURF_FREE, radeon_surface_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(RADEON_CS, r600_cs_legacy_ioctl, DRM_AUTH) + }; + + int radeon_max_ioctl = DRM_ARRAY_SIZE(radeon_ioctls); +diff --git a/drivers/gpu/drm/savage/savage_bci.c b/drivers/gpu/drm/savage/savage_bci.c +index bff6fc2..0a4f4d0 100644 +--- a/drivers/gpu/drm/savage/savage_bci.c ++++ b/drivers/gpu/drm/savage/savage_bci.c +@@ -1081,10 +1081,10 @@ void savage_reclaim_buffers(struct drm_device *dev, struct drm_file *file_priv) + } + + struct drm_ioctl_desc savage_ioctls[] = { +- DRM_IOCTL_DEF(DRM_SAVAGE_BCI_INIT, savage_bci_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_SAVAGE_BCI_CMDBUF, savage_bci_cmdbuf, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SAVAGE_BCI_EVENT_EMIT, savage_bci_event_emit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SAVAGE_BCI_EVENT_WAIT, savage_bci_event_wait, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SAVAGE_BCI_INIT, savage_bci_init, DRM_AUTH|DRM_MASTER|DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(SAVAGE_BCI_CMDBUF, savage_bci_cmdbuf, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SAVAGE_BCI_EVENT_EMIT, savage_bci_event_emit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SAVAGE_BCI_EVENT_WAIT, savage_bci_event_wait, DRM_AUTH), + }; + + int savage_max_ioctl = DRM_ARRAY_SIZE(savage_ioctls); +diff --git a/drivers/gpu/drm/sis/sis_mm.c b/drivers/gpu/drm/sis/sis_mm.c +index af22111..18a110a 100644 +--- a/drivers/gpu/drm/sis/sis_mm.c ++++ b/drivers/gpu/drm/sis/sis_mm.c +@@ -322,12 +322,12 @@ void sis_reclaim_buffers_locked(struct drm_device * dev, + } + + struct drm_ioctl_desc sis_ioctls[] = { +- DRM_IOCTL_DEF(DRM_SIS_FB_ALLOC, sis_fb_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SIS_FB_FREE, sis_drm_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SIS_AGP_INIT, sis_ioctl_agp_init, DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY), +- DRM_IOCTL_DEF(DRM_SIS_AGP_ALLOC, sis_ioctl_agp_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SIS_AGP_FREE, sis_drm_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_SIS_FB_INIT, sis_fb_init, DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(SIS_FB_ALLOC, sis_fb_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SIS_FB_FREE, sis_drm_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SIS_AGP_INIT, sis_ioctl_agp_init, DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY), ++ DRM_IOCTL_DEF_DRV(SIS_AGP_ALLOC, sis_ioctl_agp_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SIS_AGP_FREE, sis_drm_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(SIS_FB_INIT, sis_fb_init, DRM_AUTH | DRM_MASTER | DRM_ROOT_ONLY), + }; + + int sis_max_ioctl = DRM_ARRAY_SIZE(sis_ioctls); +diff --git a/drivers/gpu/drm/via/via_dma.c b/drivers/gpu/drm/via/via_dma.c +index bfb92d2..5dfdc0b 100644 +--- a/drivers/gpu/drm/via/via_dma.c ++++ b/drivers/gpu/drm/via/via_dma.c +@@ -738,20 +738,20 @@ static int via_cmdbuf_size(struct drm_device *dev, void *data, struct drm_file * + } + + struct drm_ioctl_desc via_ioctls[] = { +- DRM_IOCTL_DEF(DRM_VIA_ALLOCMEM, via_mem_alloc, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_FREEMEM, via_mem_free, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_AGP_INIT, via_agp_init, DRM_AUTH|DRM_MASTER), +- DRM_IOCTL_DEF(DRM_VIA_FB_INIT, via_fb_init, DRM_AUTH|DRM_MASTER), +- DRM_IOCTL_DEF(DRM_VIA_MAP_INIT, via_map_init, DRM_AUTH|DRM_MASTER), +- DRM_IOCTL_DEF(DRM_VIA_DEC_FUTEX, via_decoder_futex, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_DMA_INIT, via_dma_init, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_CMDBUFFER, via_cmdbuffer, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_FLUSH, via_flush_ioctl, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_PCICMD, via_pci_cmdbuffer, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_CMDBUF_SIZE, via_cmdbuf_size, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_WAIT_IRQ, via_wait_irq, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_DMA_BLIT, via_dma_blit, DRM_AUTH), +- DRM_IOCTL_DEF(DRM_VIA_BLIT_SYNC, via_dma_blit_sync, DRM_AUTH) ++ DRM_IOCTL_DEF_DRV(VIA_ALLOCMEM, via_mem_alloc, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_FREEMEM, via_mem_free, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_AGP_INIT, via_agp_init, DRM_AUTH|DRM_MASTER), ++ DRM_IOCTL_DEF_DRV(VIA_FB_INIT, via_fb_init, DRM_AUTH|DRM_MASTER), ++ DRM_IOCTL_DEF_DRV(VIA_MAP_INIT, via_map_init, DRM_AUTH|DRM_MASTER), ++ DRM_IOCTL_DEF_DRV(VIA_DEC_FUTEX, via_decoder_futex, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_DMA_INIT, via_dma_init, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_CMDBUFFER, via_cmdbuffer, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_FLUSH, via_flush_ioctl, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_PCICMD, via_pci_cmdbuffer, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_CMDBUF_SIZE, via_cmdbuf_size, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_WAIT_IRQ, via_wait_irq, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_DMA_BLIT, via_dma_blit, DRM_AUTH), ++ DRM_IOCTL_DEF_DRV(VIA_BLIT_SYNC, via_dma_blit_sync, DRM_AUTH) + }; + + int via_max_ioctl = DRM_ARRAY_SIZE(via_ioctls); +diff --git a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +index 0c9c081..3b87c7e 100644 +--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c ++++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.c +@@ -96,46 +96,46 @@ + */ + + #define VMW_IOCTL_DEF(ioctl, func, flags) \ +- [DRM_IOCTL_NR(ioctl) - DRM_COMMAND_BASE] = {ioctl, flags, func} ++ [DRM_IOCTL_NR(DRM_IOCTL_##ioctl) - DRM_COMMAND_BASE] = {DRM_##ioctl, flags, func, DRM_IOCTL_##ioctl} + + /** + * Ioctl definitions. + */ + + static struct drm_ioctl_desc vmw_ioctls[] = { +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_GET_PARAM, vmw_getparam_ioctl, ++ VMW_IOCTL_DEF(VMW_GET_PARAM, vmw_getparam_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_ALLOC_DMABUF, vmw_dmabuf_alloc_ioctl, ++ VMW_IOCTL_DEF(VMW_ALLOC_DMABUF, vmw_dmabuf_alloc_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_UNREF_DMABUF, vmw_dmabuf_unref_ioctl, ++ VMW_IOCTL_DEF(VMW_UNREF_DMABUF, vmw_dmabuf_unref_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_CURSOR_BYPASS, ++ VMW_IOCTL_DEF(VMW_CURSOR_BYPASS, + vmw_kms_cursor_bypass_ioctl, + DRM_MASTER | DRM_CONTROL_ALLOW | DRM_UNLOCKED), + +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_CONTROL_STREAM, vmw_overlay_ioctl, ++ VMW_IOCTL_DEF(VMW_CONTROL_STREAM, vmw_overlay_ioctl, + DRM_MASTER | DRM_CONTROL_ALLOW | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_CLAIM_STREAM, vmw_stream_claim_ioctl, ++ VMW_IOCTL_DEF(VMW_CLAIM_STREAM, vmw_stream_claim_ioctl, + DRM_MASTER | DRM_CONTROL_ALLOW | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_UNREF_STREAM, vmw_stream_unref_ioctl, ++ VMW_IOCTL_DEF(VMW_UNREF_STREAM, vmw_stream_unref_ioctl, + DRM_MASTER | DRM_CONTROL_ALLOW | DRM_UNLOCKED), + +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_CREATE_CONTEXT, vmw_context_define_ioctl, ++ VMW_IOCTL_DEF(VMW_CREATE_CONTEXT, vmw_context_define_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_UNREF_CONTEXT, vmw_context_destroy_ioctl, ++ VMW_IOCTL_DEF(VMW_UNREF_CONTEXT, vmw_context_destroy_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_CREATE_SURFACE, vmw_surface_define_ioctl, ++ VMW_IOCTL_DEF(VMW_CREATE_SURFACE, vmw_surface_define_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_UNREF_SURFACE, vmw_surface_destroy_ioctl, ++ VMW_IOCTL_DEF(VMW_UNREF_SURFACE, vmw_surface_destroy_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_REF_SURFACE, vmw_surface_reference_ioctl, ++ VMW_IOCTL_DEF(VMW_REF_SURFACE, vmw_surface_reference_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_EXECBUF, vmw_execbuf_ioctl, ++ VMW_IOCTL_DEF(VMW_EXECBUF, vmw_execbuf_ioctl, + DRM_AUTH | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_FIFO_DEBUG, vmw_fifo_debug_ioctl, ++ VMW_IOCTL_DEF(VMW_FIFO_DEBUG, vmw_fifo_debug_ioctl, + DRM_AUTH | DRM_ROOT_ONLY | DRM_MASTER | DRM_UNLOCKED), +- VMW_IOCTL_DEF(DRM_IOCTL_VMW_FENCE_WAIT, vmw_fence_wait_ioctl, +- DRM_AUTH | DRM_UNLOCKED) ++ VMW_IOCTL_DEF(VMW_FENCE_WAIT, vmw_fence_wait_ioctl, ++ DRM_AUTH | DRM_UNLOCKED), + }; + + static struct pci_device_id vmw_pci_id_list[] = { +diff --git a/include/drm/drmP.h b/include/drm/drmP.h +index ffac157..7addaab 100644 +--- a/include/drm/drmP.h ++++ b/include/drm/drmP.h +@@ -302,14 +302,16 @@ struct drm_ioctl_desc { + unsigned int cmd; + int flags; + drm_ioctl_t *func; ++ unsigned int cmd_drv; + }; + + /** + * Creates a driver or general drm_ioctl_desc array entry for the given + * ioctl, for use by drm_ioctl(). + */ +-#define DRM_IOCTL_DEF(ioctl, _func, _flags) \ +- [DRM_IOCTL_NR(ioctl)] = {.cmd = ioctl, .func = _func, .flags = _flags} ++ ++#define DRM_IOCTL_DEF_DRV(ioctl, _func, _flags) \ ++ [DRM_IOCTL_NR(DRM_##ioctl)] = {.cmd = DRM_##ioctl, .func = _func, .flags = _flags, .cmd_drv = DRM_IOCTL_##ioctl} + + struct drm_magic_entry { + struct list_head head; +diff --git a/include/drm/i830_drm.h b/include/drm/i830_drm.h +index 4b00d2d..61315c2 100644 +--- a/include/drm/i830_drm.h ++++ b/include/drm/i830_drm.h +@@ -264,20 +264,20 @@ typedef struct _drm_i830_sarea { + #define DRM_I830_GETPARAM 0x0c + #define DRM_I830_SETPARAM 0x0d + +-#define DRM_IOCTL_I830_INIT DRM_IOW( DRM_COMMAND_BASE + DRM_IOCTL_I830_INIT, drm_i830_init_t) +-#define DRM_IOCTL_I830_VERTEX DRM_IOW( DRM_COMMAND_BASE + DRM_IOCTL_I830_VERTEX, drm_i830_vertex_t) +-#define DRM_IOCTL_I830_CLEAR DRM_IOW( DRM_COMMAND_BASE + DRM_IOCTL_I830_CLEAR, drm_i830_clear_t) +-#define DRM_IOCTL_I830_FLUSH DRM_IO ( DRM_COMMAND_BASE + DRM_IOCTL_I830_FLUSH) +-#define DRM_IOCTL_I830_GETAGE DRM_IO ( DRM_COMMAND_BASE + DRM_IOCTL_I830_GETAGE) +-#define DRM_IOCTL_I830_GETBUF DRM_IOWR(DRM_COMMAND_BASE + DRM_IOCTL_I830_GETBUF, drm_i830_dma_t) +-#define DRM_IOCTL_I830_SWAP DRM_IO ( DRM_COMMAND_BASE + DRM_IOCTL_I830_SWAP) +-#define DRM_IOCTL_I830_COPY DRM_IOW( DRM_COMMAND_BASE + DRM_IOCTL_I830_COPY, drm_i830_copy_t) +-#define DRM_IOCTL_I830_DOCOPY DRM_IO ( DRM_COMMAND_BASE + DRM_IOCTL_I830_DOCOPY) +-#define DRM_IOCTL_I830_FLIP DRM_IO ( DRM_COMMAND_BASE + DRM_IOCTL_I830_FLIP) +-#define DRM_IOCTL_I830_IRQ_EMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_IOCTL_I830_IRQ_EMIT, drm_i830_irq_emit_t) +-#define DRM_IOCTL_I830_IRQ_WAIT DRM_IOW( DRM_COMMAND_BASE + DRM_IOCTL_I830_IRQ_WAIT, drm_i830_irq_wait_t) +-#define DRM_IOCTL_I830_GETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_IOCTL_I830_GETPARAM, drm_i830_getparam_t) +-#define DRM_IOCTL_I830_SETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_IOCTL_I830_SETPARAM, drm_i830_setparam_t) ++#define DRM_IOCTL_I830_INIT DRM_IOW( DRM_COMMAND_BASE + DRM_I830_INIT, drm_i830_init_t) ++#define DRM_IOCTL_I830_VERTEX DRM_IOW( DRM_COMMAND_BASE + DRM_I830_VERTEX, drm_i830_vertex_t) ++#define DRM_IOCTL_I830_CLEAR DRM_IOW( DRM_COMMAND_BASE + DRM_I830_CLEAR, drm_i830_clear_t) ++#define DRM_IOCTL_I830_FLUSH DRM_IO ( DRM_COMMAND_BASE + DRM_I830_FLUSH) ++#define DRM_IOCTL_I830_GETAGE DRM_IO ( DRM_COMMAND_BASE + DRM_I830_GETAGE) ++#define DRM_IOCTL_I830_GETBUF DRM_IOWR(DRM_COMMAND_BASE + DRM_I830_GETBUF, drm_i830_dma_t) ++#define DRM_IOCTL_I830_SWAP DRM_IO ( DRM_COMMAND_BASE + DRM_I830_SWAP) ++#define DRM_IOCTL_I830_COPY DRM_IOW( DRM_COMMAND_BASE + DRM_I830_COPY, drm_i830_copy_t) ++#define DRM_IOCTL_I830_DOCOPY DRM_IO ( DRM_COMMAND_BASE + DRM_I830_DOCOPY) ++#define DRM_IOCTL_I830_FLIP DRM_IO ( DRM_COMMAND_BASE + DRM_I830_FLIP) ++#define DRM_IOCTL_I830_IRQ_EMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_I830_IRQ_EMIT, drm_i830_irq_emit_t) ++#define DRM_IOCTL_I830_IRQ_WAIT DRM_IOW( DRM_COMMAND_BASE + DRM_I830_IRQ_WAIT, drm_i830_irq_wait_t) ++#define DRM_IOCTL_I830_GETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_I830_GETPARAM, drm_i830_getparam_t) ++#define DRM_IOCTL_I830_SETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_I830_SETPARAM, drm_i830_setparam_t) + + typedef struct _drm_i830_clear { + int clear_color; +diff --git a/include/drm/i915_drm.h b/include/drm/i915_drm.h +index b64a8d7..9e5469e 100644 +--- a/include/drm/i915_drm.h ++++ b/include/drm/i915_drm.h +@@ -206,6 +206,7 @@ typedef struct _drm_i915_sarea { + #define DRM_IOCTL_I915_SET_VBLANK_PIPE DRM_IOW( DRM_COMMAND_BASE + DRM_I915_SET_VBLANK_PIPE, drm_i915_vblank_pipe_t) + #define DRM_IOCTL_I915_GET_VBLANK_PIPE DRM_IOR( DRM_COMMAND_BASE + DRM_I915_GET_VBLANK_PIPE, drm_i915_vblank_pipe_t) + #define DRM_IOCTL_I915_VBLANK_SWAP DRM_IOWR(DRM_COMMAND_BASE + DRM_I915_VBLANK_SWAP, drm_i915_vblank_swap_t) ++#define DRM_IOCTL_I915_HWS_ADDR DRM_IOW(DRM_COMMAND_BASE + DRM_I915_HWS_ADDR, struct drm_i915_gem_init) + #define DRM_IOCTL_I915_GEM_INIT DRM_IOW(DRM_COMMAND_BASE + DRM_I915_GEM_INIT, struct drm_i915_gem_init) + #define DRM_IOCTL_I915_GEM_EXECBUFFER DRM_IOW(DRM_COMMAND_BASE + DRM_I915_GEM_EXECBUFFER, struct drm_i915_gem_execbuffer) + #define DRM_IOCTL_I915_GEM_EXECBUFFER2 DRM_IOW(DRM_COMMAND_BASE + DRM_I915_GEM_EXECBUFFER2, struct drm_i915_gem_execbuffer2) +diff --git a/include/drm/mga_drm.h b/include/drm/mga_drm.h +index 3ffbc47..c16097f 100644 +--- a/include/drm/mga_drm.h ++++ b/include/drm/mga_drm.h +@@ -248,7 +248,7 @@ typedef struct _drm_mga_sarea { + #define DRM_MGA_DMA_BOOTSTRAP 0x0c + + #define DRM_IOCTL_MGA_INIT DRM_IOW( DRM_COMMAND_BASE + DRM_MGA_INIT, drm_mga_init_t) +-#define DRM_IOCTL_MGA_FLUSH DRM_IOW( DRM_COMMAND_BASE + DRM_MGA_FLUSH, drm_lock_t) ++#define DRM_IOCTL_MGA_FLUSH DRM_IOW( DRM_COMMAND_BASE + DRM_MGA_FLUSH, struct drm_lock) + #define DRM_IOCTL_MGA_RESET DRM_IO( DRM_COMMAND_BASE + DRM_MGA_RESET) + #define DRM_IOCTL_MGA_SWAP DRM_IO( DRM_COMMAND_BASE + DRM_MGA_SWAP) + #define DRM_IOCTL_MGA_CLEAR DRM_IOW( DRM_COMMAND_BASE + DRM_MGA_CLEAR, drm_mga_clear_t) +diff --git a/include/drm/nouveau_drm.h b/include/drm/nouveau_drm.h +index f745948..a2661cd 100644 +--- a/include/drm/nouveau_drm.h ++++ b/include/drm/nouveau_drm.h +@@ -218,4 +218,17 @@ struct drm_nouveau_sarea { + #define DRM_NOUVEAU_GEM_INFO 0x47 + #define DRM_NOUVEAU_GEM_PUSHBUF_CALL2 0x48 + ++#define DRM_IOCTL_NOUVEAU_GETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GETPARAM, struct drm_nouveau_getparam) ++#define DRM_IOCTL_NOUVEAU_SETPARAM DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_SETPARAM, struct drm_nouveau_setparam) ++#define DRM_IOCTL_NOUVEAU_CHANNEL_ALLOC DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_ALLOC, struct drm_nouveau_channel_alloc) ++#define DRM_IOCTL_NOUVEAU_CHANNEL_FREE DRM_IOW (DRM_COMMAND_BASE + DRM_NOUVEAU_CHANNEL_FREE, struct drm_nouveau_channel_free) ++#define DRM_IOCTL_NOUVEAU_GROBJ_ALLOC DRM_IOW (DRM_COMMAND_BASE + DRM_NOUVEAU_GROBJ_ALLOC, struct drm_nouveau_grobj_alloc) ++#define DRM_IOCTL_NOUVEAU_NOTIFIEROBJ_ALLOC DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_NOTIFIEROBJ_ALLOC, struct drm_nouveau_notifierobj_alloc) ++#define DRM_IOCTL_NOUVEAU_GPUOBJ_FREE DRM_IOW (DRM_COMMAND_BASE + DRM_NOUVEAU_GPUOBJ_FREE, struct drm_nouveau_gpuobj_free) ++#define DRM_IOCTL_NOUVEAU_GEM_NEW DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_NEW, struct drm_nouveau_gem_new) ++#define DRM_IOCTL_NOUVEAU_GEM_PUSHBUF DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_PUSHBUF, struct drm_nouveau_gem_pushbuf) ++#define DRM_IOCTL_NOUVEAU_GEM_CPU_PREP DRM_IOW (DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_CPU_PREP, struct drm_nouveau_gem_cpu_prep) ++#define DRM_IOCTL_NOUVEAU_GEM_CPU_FINI DRM_IOW (DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_CPU_FINI, struct drm_nouveau_gem_cpu_fini) ++#define DRM_IOCTL_NOUVEAU_GEM_INFO DRM_IOWR(DRM_COMMAND_BASE + DRM_NOUVEAU_GEM_INFO, struct drm_nouveau_gem_info) ++ + #endif /* __NOUVEAU_DRM_H__ */ +diff --git a/include/drm/radeon_drm.h b/include/drm/radeon_drm.h +index 39537f3..43a92ba 100644 +--- a/include/drm/radeon_drm.h ++++ b/include/drm/radeon_drm.h +@@ -547,8 +547,8 @@ typedef struct { + #define DRM_IOCTL_RADEON_GEM_WAIT_IDLE DRM_IOW(DRM_COMMAND_BASE + DRM_RADEON_GEM_WAIT_IDLE, struct drm_radeon_gem_wait_idle) + #define DRM_IOCTL_RADEON_CS DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_CS, struct drm_radeon_cs) + #define DRM_IOCTL_RADEON_INFO DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_INFO, struct drm_radeon_info) +-#define DRM_IOCTL_RADEON_SET_TILING DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_GEM_SET_TILING, struct drm_radeon_gem_set_tiling) +-#define DRM_IOCTL_RADEON_GET_TILING DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_GEM_GET_TILING, struct drm_radeon_gem_get_tiling) ++#define DRM_IOCTL_RADEON_GEM_SET_TILING DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_GEM_SET_TILING, struct drm_radeon_gem_set_tiling) ++#define DRM_IOCTL_RADEON_GEM_GET_TILING DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_GEM_GET_TILING, struct drm_radeon_gem_get_tiling) + #define DRM_IOCTL_RADEON_GEM_BUSY DRM_IOWR(DRM_COMMAND_BASE + DRM_RADEON_GEM_BUSY, struct drm_radeon_gem_busy) + + typedef struct drm_radeon_init { +diff --git a/include/drm/savage_drm.h b/include/drm/savage_drm.h +index 8a576ef..4863cf6 100644 +--- a/include/drm/savage_drm.h ++++ b/include/drm/savage_drm.h +@@ -63,10 +63,10 @@ typedef struct _drm_savage_sarea { + #define DRM_SAVAGE_BCI_EVENT_EMIT 0x02 + #define DRM_SAVAGE_BCI_EVENT_WAIT 0x03 + +-#define DRM_IOCTL_SAVAGE_INIT DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_INIT, drm_savage_init_t) +-#define DRM_IOCTL_SAVAGE_CMDBUF DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_CMDBUF, drm_savage_cmdbuf_t) +-#define DRM_IOCTL_SAVAGE_EVENT_EMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_SAVAGE_BCI_EVENT_EMIT, drm_savage_event_emit_t) +-#define DRM_IOCTL_SAVAGE_EVENT_WAIT DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_EVENT_WAIT, drm_savage_event_wait_t) ++#define DRM_IOCTL_SAVAGE_BCI_INIT DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_INIT, drm_savage_init_t) ++#define DRM_IOCTL_SAVAGE_BCI_CMDBUF DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_CMDBUF, drm_savage_cmdbuf_t) ++#define DRM_IOCTL_SAVAGE_BCI_EVENT_EMIT DRM_IOWR(DRM_COMMAND_BASE + DRM_SAVAGE_BCI_EVENT_EMIT, drm_savage_event_emit_t) ++#define DRM_IOCTL_SAVAGE_BCI_EVENT_WAIT DRM_IOW( DRM_COMMAND_BASE + DRM_SAVAGE_BCI_EVENT_WAIT, drm_savage_event_wait_t) + + #define SAVAGE_DMA_PCI 1 + #define SAVAGE_DMA_AGP 3 +-- +1.7.1.1 + diff --git a/drm-i915-Check-overlay-stride-errata-for-i830-and-i8.patch b/drm-i915-Check-overlay-stride-errata-for-i830-and-i8.patch new file mode 100644 index 0000000..39aa223 --- /dev/null +++ b/drm-i915-Check-overlay-stride-errata-for-i830-and-i8.patch @@ -0,0 +1,45 @@ +From d4202e40240d7f3f7448d60fe8b0e151fa4b421b Mon Sep 17 00:00:00 2001 +From: Chris Wilson <chris@chris-wilson.co.uk> +Date: Mon, 12 Jul 2010 19:35:38 +0100 +Subject: [PATCH] drm/i915: Check overlay stride errata for i830 and i845 + +commit d4202e40240d7f3f7448d60fe8b0e151fa4b421b in tip. + +commit a1efd14a99483a4fb9308902397ed86b69454c99 upstream. + +Apparently i830 and i845 cannot handle any stride that is not a multiple +of 256, unlike their brethren which do support 64 byte aligned strides. + +Signed-off-by: Chris Wilson <chris@chris-wilson.co.uk> +Signed-off-by: Eric Anholt <eric@anholt.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/gpu/drm/i915/intel_overlay.c b/drivers/gpu/drm/i915/intel_overlay.c +index 6b89042..ed4058e 100644 +--- a/drivers/gpu/drm/i915/intel_overlay.c ++++ b/drivers/gpu/drm/i915/intel_overlay.c +@@ -965,7 +965,7 @@ static int check_overlay_src(struct drm_device *dev, + || rec->src_width < N_HORIZ_Y_TAPS*4) + return -EINVAL; + +- /* check alingment constrains */ ++ /* check alignment constraints */ + switch (rec->flags & I915_OVERLAY_TYPE_MASK) { + case I915_OVERLAY_RGB: + /* not implemented */ +@@ -997,7 +997,10 @@ static int check_overlay_src(struct drm_device *dev, + return -EINVAL; + + /* stride checking */ +- stride_mask = 63; ++ if (IS_I830(dev) || IS_845G(dev)) ++ stride_mask = 255; ++ else ++ stride_mask = 63; + + if (rec->stride_Y & stride_mask || rec->stride_UV & stride_mask) + return -EINVAL; +-- +1.7.1.1 + diff --git a/e1000e-82577-82578-PHY-register-access-issues.patch b/e1000e-82577-82578-PHY-register-access-issues.patch new file mode 100644 index 0000000..ee809dc --- /dev/null +++ b/e1000e-82577-82578-PHY-register-access-issues.patch @@ -0,0 +1,40 @@ +From d2f1f93b7f10b1dbcd8bda3bea794789af9d298d Mon Sep 17 00:00:00 2001 +From: Bruce Allan <bruce.w.allan@intel.com> +Date: Tue, 27 Jul 2010 12:28:46 +0000 +Subject: [PATCH] e1000e: 82577/82578 PHY register access issues + +commit d2f1f93b7f10b1dbcd8bda3bea794789af9d298d in tip. + +commit ff847ac2d3e90edd94674c28bade25ae1e6a2e49 upstream. + +The MAC-PHY interconnect on 82577/82578 uses a power management feature +(called K1) which must be disabled when in 1Gbps due to a hardware issue on +these parts. The #define bit setting used to enable/disable K1 is +incorrect and can cause PHY register accesses to stop working altogether +until the next device reset. This patch sets the register correctly. + +This issue is present in kernels since 2.6.32. + +Signed-off-by: Bruce Allan <bruce.w.allan@intel.com> +Tested-by: Jeff Pieper <jeffrey.e.pieper@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/e1000e/hw.h b/drivers/net/e1000e/hw.h +index eccf29b..606c4da 100644 +--- a/drivers/net/e1000e/hw.h ++++ b/drivers/net/e1000e/hw.h +@@ -306,7 +306,7 @@ enum e1e_registers { + #define E1000_KMRNCTRLSTA_INBAND_PARAM 0x9 /* Kumeran InBand Parameters */ + #define E1000_KMRNCTRLSTA_DIAG_NELPBK 0x1000 /* Nearend Loopback mode */ + #define E1000_KMRNCTRLSTA_K1_CONFIG 0x7 +-#define E1000_KMRNCTRLSTA_K1_ENABLE 0x140E ++#define E1000_KMRNCTRLSTA_K1_ENABLE 0x0002 + #define E1000_KMRNCTRLSTA_K1_DISABLE 0x1400 + + #define IFE_PHY_EXTENDED_STATUS_CONTROL 0x10 +-- +1.7.1.1 + diff --git a/e1000e-don-t-inadvertently-re-set-INTX_DISABLE.patch b/e1000e-don-t-inadvertently-re-set-INTX_DISABLE.patch new file mode 100644 index 0000000..df8947e --- /dev/null +++ b/e1000e-don-t-inadvertently-re-set-INTX_DISABLE.patch @@ -0,0 +1,73 @@ +From 8ed2a497de4d19e0a68f9e0d5de5f00d2cd39068 Mon Sep 17 00:00:00 2001 +From: Dean Nelson <dnelson@redhat.com> +Date: Tue, 29 Jun 2010 18:12:05 +0000 +Subject: [PATCH] e1000e: don't inadvertently re-set INTX_DISABLE + +commit 8ed2a497de4d19e0a68f9e0d5de5f00d2cd39068 in tip. + +commit 36f2407fe52c55566221f8c68c8fb808abffd2f5 upstream. + +Should e1000_test_msi() fail to see an msi interrupt, it attempts to +fallback to legacy INTx interrupts. But an error in the code may prevent +this from happening correctly. + +Before calling e1000_test_msi_interrupt(), e1000_test_msi() disables SERR +by clearing the SERR bit from the just read PCI_COMMAND bits as it writes +them back out. + +Upon return from calling e1000_test_msi_interrupt(), it re-enables SERR +by writing out the version of PCI_COMMAND it had previously read. + +The problem with this is that e1000_test_msi_interrupt() calls +pci_disable_msi(), which eventually ends up in pci_intx(). And because +pci_intx() was called with enable set to 1, the INTX_DISABLE bit gets +cleared from PCI_COMMAND, which is what we want. But when we get back to +e1000_test_msi(), the INTX_DISABLE bit gets inadvertently re-set because +of the attempt by e1000_test_msi() to re-enable SERR. + +The solution is to have e1000_test_msi() re-read the PCI_COMMAND bits as +part of its attempt to re-enable SERR. + +During debugging/testing of this issue I found that not all the systems +I ran on had the SERR bit set to begin with. And on some of the systems +the same could be said for the INTX_DISABLE bit. Needless to say these +latter systems didn't have a problem falling back to legacy INTx +interrupts with the code as is. + +Signed-off-by: Dean Nelson <dnelson@redhat.com> +Tested-by: Emil Tantilov <emil.s.tantilov@intel.com> +Signed-off-by: Jeff Kirsher <jeffrey.t.kirsher@intel.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/e1000e/netdev.c b/drivers/net/e1000e/netdev.c +index 4d353d2..6a59835 100644 +--- a/drivers/net/e1000e/netdev.c ++++ b/drivers/net/e1000e/netdev.c +@@ -3058,13 +3058,18 @@ static int e1000_test_msi(struct e1000_adapter *adapter) + + /* disable SERR in case the MSI write causes a master abort */ + pci_read_config_word(adapter->pdev, PCI_COMMAND, &pci_cmd); +- pci_write_config_word(adapter->pdev, PCI_COMMAND, +- pci_cmd & ~PCI_COMMAND_SERR); ++ if (pci_cmd & PCI_COMMAND_SERR) ++ pci_write_config_word(adapter->pdev, PCI_COMMAND, ++ pci_cmd & ~PCI_COMMAND_SERR); + + err = e1000_test_msi_interrupt(adapter); + +- /* restore previous setting of command word */ +- pci_write_config_word(adapter->pdev, PCI_COMMAND, pci_cmd); ++ /* re-enable SERR */ ++ if (pci_cmd & PCI_COMMAND_SERR) { ++ pci_read_config_word(adapter->pdev, PCI_COMMAND, &pci_cmd); ++ pci_cmd |= PCI_COMMAND_SERR; ++ pci_write_config_word(adapter->pdev, PCI_COMMAND, pci_cmd); ++ } + + /* success ! */ + if (!err) +-- +1.7.1.1 + diff --git a/iwlwifi-fix-scan-abort.patch b/iwlwifi-fix-scan-abort.patch new file mode 100644 index 0000000..e0b3cfc --- /dev/null +++ b/iwlwifi-fix-scan-abort.patch @@ -0,0 +1,67 @@ +From efce9f4d350659888a49cbdb2006b698182cb447 Mon Sep 17 00:00:00 2001 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Thu, 29 Jul 2010 11:37:41 +0200 +Subject: [PATCH] iwlwifi: fix scan abort + +commit efce9f4d350659888a49cbdb2006b698182cb447 in tip. + +commit d28232b461b8d54b09e59325dbac8b0913ce2049 upstream. + +Fix possible double priv->mutex lock introduced by commit +a69b03e941abae00380fc6bc1877fb797a1b31e6 +"iwlwifi: cancel scan watchdog in iwl_bg_abort_scan" . +We can not call cancel_delayed_work_sync(&priv->scan_check) with +priv->mutex locked because workqueue function iwl_bg_scan_check() +take that lock internally. + +We do not need to synchronize when canceling priv->scan_check work. +We can avoid races (sending double abort command or send no +command at all) using STATUS_SCAN_ABORT bit. Moreover +current iwl_bg_scan_check() code seems to be broken, as +we should not send abort commands when currently aborting. + +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/wireless/iwlwifi/iwl-scan.c b/drivers/net/wireless/iwlwifi/iwl-scan.c +index 8bc2105..83e529a 100644 +--- a/drivers/net/wireless/iwlwifi/iwl-scan.c ++++ b/drivers/net/wireless/iwlwifi/iwl-scan.c +@@ -496,11 +496,10 @@ void iwl_bg_scan_check(struct work_struct *data) + return; + + mutex_lock(&priv->mutex); +- if (test_bit(STATUS_SCANNING, &priv->status) || +- test_bit(STATUS_SCAN_ABORTING, &priv->status)) { +- IWL_DEBUG_SCAN(priv, "Scan completion watchdog resetting " +- "adapter (%dms)\n", +- jiffies_to_msecs(IWL_SCAN_CHECK_WATCHDOG)); ++ if (test_bit(STATUS_SCANNING, &priv->status) && ++ !test_bit(STATUS_SCAN_ABORTING, &priv->status)) { ++ IWL_DEBUG_SCAN(priv, "Scan completion watchdog (%dms)\n", ++ jiffies_to_msecs(IWL_SCAN_CHECK_WATCHDOG)); + + if (!test_bit(STATUS_EXIT_PENDING, &priv->status)) + iwl_send_scan_abort(priv); +@@ -810,12 +809,11 @@ void iwl_bg_abort_scan(struct work_struct *work) + !test_bit(STATUS_GEO_CONFIGURED, &priv->status)) + return; + +- mutex_lock(&priv->mutex); +- +- cancel_delayed_work_sync(&priv->scan_check); +- set_bit(STATUS_SCAN_ABORTING, &priv->status); +- iwl_send_scan_abort(priv); ++ cancel_delayed_work(&priv->scan_check); + ++ mutex_lock(&priv->mutex); ++ if (test_bit(STATUS_SCAN_ABORTING, &priv->status)) ++ iwl_send_scan_abort(priv); + mutex_unlock(&priv->mutex); + } + EXPORT_SYMBOL(iwl_bg_abort_scan); +-- +1.7.1.1 + diff --git a/mac80211-avoid-scheduling-while-atomic-in-mesh_rx_pl.patch b/mac80211-avoid-scheduling-while-atomic-in-mesh_rx_pl.patch new file mode 100644 index 0000000..5584a3c --- /dev/null +++ b/mac80211-avoid-scheduling-while-atomic-in-mesh_rx_pl.patch @@ -0,0 +1,167 @@ +From fbbddb2d5a59a87849965ef67c7f87e0d1e31d9b Mon Sep 17 00:00:00 2001 +From: John W. Linville <linville@tuxdriver.com> +Date: Mon, 21 Jun 2010 17:14:07 -0400 +Subject: [PATCH] mac80211: avoid scheduling while atomic in mesh_rx_plink_frame + +commit fbbddb2d5a59a87849965ef67c7f87e0d1e31d9b in tip. + +commit c937019761a758f2749b1f3a032b7a91fb044753 upstream. + +While mesh_rx_plink_frame holds sta->lock... + +mesh_rx_plink_frame -> + mesh_plink_inc_estab_count -> + ieee80211_bss_info_change_notify + +...but ieee80211_bss_info_change_notify is allowed to sleep. A driver +taking advantage of that allowance can cause a scheduling while +atomic bug. Similar paths exist for mesh_plink_dec_estab_count, +so work around those as well. + +http://bugzilla.kernel.org/show_bug.cgi?id=16099 + +Also, correct a minor kerneldoc comment error (mismatched function names). + +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Sighed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c +index 0f7c6e6..9d0c75d 100644 +--- a/net/mac80211/mesh_plink.c ++++ b/net/mac80211/mesh_plink.c +@@ -64,7 +64,6 @@ void mesh_plink_inc_estab_count(struct ieee80211_sub_if_data *sdata) + { + atomic_inc(&sdata->u.mesh.mshstats.estab_plinks); + mesh_accept_plinks_update(sdata); +- ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + } + + static inline +@@ -72,7 +71,6 @@ void mesh_plink_dec_estab_count(struct ieee80211_sub_if_data *sdata) + { + atomic_dec(&sdata->u.mesh.mshstats.estab_plinks); + mesh_accept_plinks_update(sdata); +- ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + } + + /** +@@ -114,7 +112,7 @@ static struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata, + } + + /** +- * mesh_plink_deactivate - deactivate mesh peer link ++ * __mesh_plink_deactivate - deactivate mesh peer link + * + * @sta: mesh peer link to deactivate + * +@@ -122,18 +120,23 @@ static struct sta_info *mesh_plink_alloc(struct ieee80211_sub_if_data *sdata, + * + * Locking: the caller must hold sta->lock + */ +-static void __mesh_plink_deactivate(struct sta_info *sta) ++static bool __mesh_plink_deactivate(struct sta_info *sta) + { + struct ieee80211_sub_if_data *sdata = sta->sdata; ++ bool deactivated = false; + +- if (sta->plink_state == PLINK_ESTAB) ++ if (sta->plink_state == PLINK_ESTAB) { + mesh_plink_dec_estab_count(sdata); ++ deactivated = true; ++ } + sta->plink_state = PLINK_BLOCKED; + mesh_path_flush_by_nexthop(sta); ++ ++ return deactivated; + } + + /** +- * __mesh_plink_deactivate - deactivate mesh peer link ++ * mesh_plink_deactivate - deactivate mesh peer link + * + * @sta: mesh peer link to deactivate + * +@@ -141,9 +144,15 @@ static void __mesh_plink_deactivate(struct sta_info *sta) + */ + void mesh_plink_deactivate(struct sta_info *sta) + { ++ struct ieee80211_sub_if_data *sdata = sta->sdata; ++ bool deactivated; ++ + spin_lock_bh(&sta->lock); +- __mesh_plink_deactivate(sta); ++ deactivated = __mesh_plink_deactivate(sta); + spin_unlock_bh(&sta->lock); ++ ++ if (deactivated) ++ ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + } + + static int mesh_plink_frame_tx(struct ieee80211_sub_if_data *sdata, +@@ -380,10 +389,16 @@ int mesh_plink_open(struct sta_info *sta) + + void mesh_plink_block(struct sta_info *sta) + { ++ struct ieee80211_sub_if_data *sdata = sta->sdata; ++ bool deactivated; ++ + spin_lock_bh(&sta->lock); +- __mesh_plink_deactivate(sta); ++ deactivated = __mesh_plink_deactivate(sta); + sta->plink_state = PLINK_BLOCKED; + spin_unlock_bh(&sta->lock); ++ ++ if (deactivated) ++ ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + } + + +@@ -396,6 +411,7 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m + enum plink_event event; + enum plink_frame_type ftype; + size_t baselen; ++ bool deactivated; + u8 ie_len; + u8 *baseaddr; + __le16 plid, llid, reason; +@@ -649,8 +665,9 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m + case CNF_ACPT: + del_timer(&sta->plink_timer); + sta->plink_state = PLINK_ESTAB; +- mesh_plink_inc_estab_count(sdata); + spin_unlock_bh(&sta->lock); ++ mesh_plink_inc_estab_count(sdata); ++ ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + mpl_dbg("Mesh plink with %pM ESTABLISHED\n", + sta->sta.addr); + break; +@@ -682,8 +699,9 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m + case OPN_ACPT: + del_timer(&sta->plink_timer); + sta->plink_state = PLINK_ESTAB; +- mesh_plink_inc_estab_count(sdata); + spin_unlock_bh(&sta->lock); ++ mesh_plink_inc_estab_count(sdata); ++ ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + mpl_dbg("Mesh plink with %pM ESTABLISHED\n", + sta->sta.addr); + mesh_plink_frame_tx(sdata, PLINK_CONFIRM, sta->sta.addr, llid, +@@ -700,11 +718,13 @@ void mesh_rx_plink_frame(struct ieee80211_sub_if_data *sdata, struct ieee80211_m + case CLS_ACPT: + reason = cpu_to_le16(MESH_CLOSE_RCVD); + sta->reason = reason; +- __mesh_plink_deactivate(sta); ++ deactivated = __mesh_plink_deactivate(sta); + sta->plink_state = PLINK_HOLDING; + llid = sta->llid; + mod_plink_timer(sta, dot11MeshHoldingTimeout(sdata)); + spin_unlock_bh(&sta->lock); ++ if (deactivated) ++ ieee80211_bss_info_change_notify(sdata, BSS_CHANGED_BEACON); + mesh_plink_frame_tx(sdata, PLINK_CLOSE, sta->sta.addr, llid, + plid, reason); + break; +-- +1.7.1.1 + diff --git a/mm-fix-ia64-crash-when-gcore-reads-gate-area.patch b/mm-fix-ia64-crash-when-gcore-reads-gate-area.patch new file mode 100644 index 0000000..031aaa8 --- /dev/null +++ b/mm-fix-ia64-crash-when-gcore-reads-gate-area.patch @@ -0,0 +1,65 @@ +From 638825246853be0282cf339ef5d5c1ebfe9890a8 Mon Sep 17 00:00:00 2001 +From: Hugh Dickins <hughd@google.com> +Date: Fri, 30 Jul 2010 10:58:26 -0700 +Subject: [PATCH] mm: fix ia64 crash when gcore reads gate area + +commit 638825246853be0282cf339ef5d5c1ebfe9890a8 in tip. + +commit de51257aa301652876ab6e8f13ea4eadbe4a3846 upstream. + +Debian's ia64 autobuilders have been seeing kernel freeze or reboot +when running the gdb testsuite (Debian bug 588574): dannf bisected to +2.6.32 62eede62dafb4a6633eae7ffbeb34c60dba5e7b1 "mm: ZERO_PAGE without +PTE_SPECIAL"; and reproduced it with gdb's gcore on a simple target. + +I'd missed updating the gate_vma handling in __get_user_pages(): that +happens to use vm_normal_page() (nowadays failing on the zero page), +yet reported success even when it failed to get a page - boom when +access_process_vm() tried to copy that to its intermediate buffer. + +Fix this, resisting cleanups: in particular, leave it for now reporting +success when not asked to get any pages - very probably safe to change, +but let's not risk it without testing exposure. + +Why did ia64 crash with 16kB pages, but succeed with 64kB pages? +Because setup_gate() pads each 64kB of its gate area with zero pages. + +Reported-by: Andreas Barth <aba@not.so.argh.org> +Bisected-by: dann frazier <dannf@debian.org> +Signed-off-by: Hugh Dickins <hughd@google.com> +Tested-by: dann frazier <dannf@dannf.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/mm/memory.c b/mm/memory.c +index aecb745..65b2f04 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -1285,10 +1285,20 @@ int __get_user_pages(struct task_struct *tsk, struct mm_struct *mm, + return i ? : -EFAULT; + } + if (pages) { +- struct page *page = vm_normal_page(gate_vma, start, *pte); ++ struct page *page; ++ ++ page = vm_normal_page(gate_vma, start, *pte); ++ if (!page) { ++ if (!(gup_flags & FOLL_DUMP) && ++ is_zero_pfn(pte_pfn(*pte))) ++ page = pte_page(*pte); ++ else { ++ pte_unmap(pte); ++ return i ? : -EFAULT; ++ } ++ } + pages[i] = page; +- if (page) +- get_page(page); ++ get_page(page); + } + pte_unmap(pte); + if (vmas) +-- +1.7.1.1 + diff --git a/mm-fix-missing-page-table-unmap-for-stack-guard-page.patch b/mm-fix-missing-page-table-unmap-for-stack-guard-page.patch new file mode 100644 index 0000000..1ef7267 --- /dev/null +++ b/mm-fix-missing-page-table-unmap-for-stack-guard-page.patch @@ -0,0 +1,36 @@ +From 27ed5f7263e8c301282298ef3d6c911455bba26a Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 13 Aug 2010 09:24:04 -0700 +Subject: [PATCH] mm: fix missing page table unmap for stack guard page failure case + +commit 27ed5f7263e8c301282298ef3d6c911455bba26a in tip. + +commit 5528f9132cf65d4d892bcbc5684c61e7822b21e9 upstream + +.. which didn't show up in my tests because it's a no-op on x86-64 and +most other architectures. But we enter the function with the last-level +page table mapped, and should unmap it at exit. + +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Cherry-picked for v2.6.33.7-rt29 +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/mm/memory.c b/mm/memory.c +index d8ea21c..8e4cf5d 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2675,8 +2675,10 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, + spinlock_t *ptl; + pte_t entry; + +- if (check_stack_guard_page(vma, address) < 0) ++ if (check_stack_guard_page(vma, address) < 0) { ++ pte_unmap(page_table); + return VM_FAULT_SIGBUS; ++ } + + if (!(flags & FAULT_FLAG_WRITE)) { + entry = pte_mkspecial(pfn_pte(my_zero_pfn(address), +-- +1.7.1.1 + diff --git a/mm-fix-page-table-unmap-for-stack-guard-page-properl.patch b/mm-fix-page-table-unmap-for-stack-guard-page-properl.patch new file mode 100644 index 0000000..8a0b3b9 --- /dev/null +++ b/mm-fix-page-table-unmap-for-stack-guard-page-properl.patch @@ -0,0 +1,79 @@ +From a487cf3a8203643d21d9c14823586e2c72eebaba Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Sat, 14 Aug 2010 11:44:56 -0700 +Subject: [PATCH] mm: fix page table unmap for stack guard page properly + +commit a487cf3a8203643d21d9c14823586e2c72eebaba in tip. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit 11ac552477e32835cb6970bf0a70c210807f5673 upstream + +We do in fact need to unmap the page table _before_ doing the whole +stack guard page logic, because if it is needed (mainly 32-bit x86 with +PAE and CONFIG_HIGHPTE, but other architectures may use it too) then it +will do a kmap_atomic/kunmap_atomic. + +And those kmaps will create an atomic region that we cannot do +allocations in. However, the whole stack expand code will need to do +anon_vma_prepare() and vma_lock_anon_vma() and they cannot do that in an +atomic region. + +Now, a better model might actually be to do the anon_vma_prepare() when +_creating_ a VM_GROWSDOWN segment, and not have to worry about any of +this at page fault time. But in the meantime, this is the +straightforward fix for the issue. + +See https://bugzilla.kernel.org/show_bug.cgi?id=16588 for details. + +Reported-by: Wylda <wylda@volny.cz> +Reported-by: Sedat Dilek <sedat.dilek@gmail.com> +Reported-by: Mike Pagano <mpagano@gentoo.org> +Reported-by: François Valenduc <francois.valenduc@tvcablenet.be> +Tested-by: Ed Tomlinson <edt@aei.ca> +Cc: Pekka Enberg <penberg@kernel.org> +Cc: Greg KH <gregkh@suse.de> +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Cherry-picked for v2.6.33.7-rt29 +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/mm/memory.c b/mm/memory.c +index 8e4cf5d..c4c5ca5 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2675,24 +2675,23 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, + spinlock_t *ptl; + pte_t entry; + +- if (check_stack_guard_page(vma, address) < 0) { +- pte_unmap(page_table); ++ pte_unmap(page_table); ++ ++ /* Check if we need to add a guard page to the stack */ ++ if (check_stack_guard_page(vma, address) < 0) + return VM_FAULT_SIGBUS; +- } + ++ /* Use the zero-page for reads */ + if (!(flags & FAULT_FLAG_WRITE)) { + entry = pte_mkspecial(pfn_pte(my_zero_pfn(address), + vma->vm_page_prot)); +- ptl = pte_lockptr(mm, pmd); +- spin_lock(ptl); ++ page_table = pte_offset_map_lock(mm, pmd, address, &ptl); + if (!pte_none(*page_table)) + goto unlock; + goto setpte; + } + + /* Allocate our own private page. */ +- pte_unmap(page_table); +- + if (unlikely(anon_vma_prepare(vma))) + goto oom; + page = alloc_zeroed_user_highpage_movable(vma, address); +-- +1.7.1.1 + diff --git a/mm-fix-up-some-user-visible-effects-of-the-stack-gua.patch b/mm-fix-up-some-user-visible-effects-of-the-stack-gua.patch new file mode 100644 index 0000000..47a5acb --- /dev/null +++ b/mm-fix-up-some-user-visible-effects-of-the-stack-gua.patch @@ -0,0 +1,92 @@ +From e276f93c1c8ba22adf058e219caaf3fd1e6cecf5 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Sun, 15 Aug 2010 11:35:52 -0700 +Subject: [PATCH] mm: fix up some user-visible effects of the stack guard page + +commit e276f93c1c8ba22adf058e219caaf3fd1e6cecf5 in tip. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit d7824370e26325c881b665350ce64fb0a4fde24a upstream + +This commit makes the stack guard page somewhat less visible to user +space. It does this by: + + - not showing the guard page in /proc/<pid>/maps + + It looks like lvm-tools will actually read /proc/self/maps to figure + out where all its mappings are, and effectively do a specialized + "mlockall()" in user space. By not showing the guard page as part of + the mapping (by just adding PAGE_SIZE to the start for grows-up + pages), lvm-tools ends up not being aware of it. + + - by also teaching the _real_ mlock() functionality not to try to lock + the guard page. + + That would just expand the mapping down to create a new guard page, + so there really is no point in trying to lock it in place. + +It would perhaps be nice to show the guard page specially in +/proc/<pid>/maps (or at least mark grow-down segments some way), but +let's not open ourselves up to more breakage by user space from programs +that depends on the exact deails of the 'maps' file. + +Special thanks to Henrique de Moraes Holschuh for diving into lvm-tools +source code to see what was going on with the whole new warning. + +Reported-and-tested-by: François Valenduc <francois.valenduc@tvcablenet.be +Reported-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> +Cc: stable@kernel.org +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/fs/proc/task_mmu.c b/fs/proc/task_mmu.c +index f532ea8..8cb2bd3 100644 +--- a/fs/proc/task_mmu.c ++++ b/fs/proc/task_mmu.c +@@ -208,6 +208,7 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) + int flags = vma->vm_flags; + unsigned long ino = 0; + unsigned long long pgoff = 0; ++ unsigned long start; + dev_t dev = 0; + int len; + +@@ -218,8 +219,13 @@ static void show_map_vma(struct seq_file *m, struct vm_area_struct *vma) + pgoff = ((loff_t)vma->vm_pgoff) << PAGE_SHIFT; + } + ++ /* We don't show the stack guard page in /proc/maps */ ++ start = vma->vm_start; ++ if (vma->vm_flags & VM_GROWSDOWN) ++ start += PAGE_SIZE; ++ + seq_printf(m, "%08lx-%08lx %c%c%c%c %08llx %02x:%02x %lu %n", +- vma->vm_start, ++ start, + vma->vm_end, + flags & VM_READ ? 'r' : '-', + flags & VM_WRITE ? 'w' : '-', +diff --git a/mm/mlock.c b/mm/mlock.c +index 2b8335a..13da2d5 100644 +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -167,6 +167,14 @@ static long __mlock_vma_pages_range(struct vm_area_struct *vma, + if (vma->vm_flags & VM_WRITE) + gup_flags |= FOLL_WRITE; + ++ /* We don't try to access the guard page of a stack vma */ ++ if (vma->vm_flags & VM_GROWSDOWN) { ++ if (start == vma->vm_start) { ++ start += PAGE_SIZE; ++ nr_pages--; ++ } ++ } ++ + while (nr_pages > 0) { + int i; + +-- +1.7.1.1 + diff --git a/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch b/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch new file mode 100644 index 0000000..43963d9 --- /dev/null +++ b/mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch @@ -0,0 +1,74 @@ +From ed313b5159c985cddcc9bc5d3468a7f470c41292 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Thu, 12 Aug 2010 17:54:33 -0700 +Subject: [PATCH] mm: keep a guard page below a grow-down stack segment + +commit ed313b5159c985cddcc9bc5d3468a7f470c41292 in tip. + +commit 320b2b8de12698082609ebbc1a17165727f4c893 upstream + +This is a rather minimally invasive patch to solve the problem of the +user stack growing into a memory mapped area below it. Whenever we fill +the first page of the stack segment, expand the segment down by one +page. + +Now, admittedly some odd application might _want_ the stack to grow down +into the preceding memory mapping, and so we may at some point need to +make this a process tunable (some people might also want to have more +than a single page of guarding), but let's try the minimal approach +first. + +Tested with trivial application that maps a single page just below the +stack, and then starts recursing. Without this, we will get a SIGSEGV +_after_ the stack has smashed the mapping. With this patch, we'll get a +nice SIGBUS just as the stack touches the page just above the mapping. + +Requested-by: Keith Packard <keithp@keithp.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Cherry-picked for v2.6.33.7-rt29 +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/mm/memory.c b/mm/memory.c +index 65b2f04..d8ea21c 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2643,6 +2643,26 @@ out_release: + } + + /* ++ * This is like a special single-page "expand_downwards()", ++ * except we must first make sure that 'address-PAGE_SIZE' ++ * doesn't hit another vma. ++ * ++ * The "find_vma()" will do the right thing even if we wrap ++ */ ++static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned long address) ++{ ++ address &= PAGE_MASK; ++ if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { ++ address -= PAGE_SIZE; ++ if (find_vma(vma->vm_mm, address) != vma) ++ return -ENOMEM; ++ ++ expand_stack(vma, address); ++ } ++ return 0; ++} ++ ++/* + * We enter with non-exclusive mmap_sem (to exclude vma changes, + * but allow concurrent faults), and pte mapped but not yet locked. + * We return with mmap_sem still held, but pte unmapped and unlocked. +@@ -2655,6 +2675,9 @@ static int do_anonymous_page(struct mm_struct *mm, struct vm_area_struct *vma, + spinlock_t *ptl; + pte_t entry; + ++ if (check_stack_guard_page(vma, address) < 0) ++ return VM_FAULT_SIGBUS; ++ + if (!(flags & FAULT_FLAG_WRITE)) { + entry = pte_mkspecial(pfn_pte(my_zero_pfn(address), + vma->vm_page_prot)); +-- +1.7.1.1 + diff --git a/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch b/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch new file mode 100644 index 0000000..2913d18 --- /dev/null +++ b/mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch @@ -0,0 +1,50 @@ +From 3cf7bf56bb62dcb9d99b0060bac4648e2bf8cb16 Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 20 Aug 2010 16:49:40 -0700 +Subject: [PATCH] mm: make stack guard page logic use vm_prev pointer + +commit 3cf7bf56bb62dcb9d99b0060bac4648e2bf8cb16 in tip. + +commit 0e8e50e20c837eeec8323bba7dcd25fe5479194c upstream + +Like the mlock() change previously, this makes the stack guard check +code use vma->vm_prev to see what the mapping below the current stack +is, rather than have to look it up with find_vma(). + +Also, accept an abutting stack segment, since that happens naturally if +you split the stack with mlock or mprotect. + +Tested-by: Ian Campbell <ijc@hellion.org.uk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/mm/memory.c b/mm/memory.c +index c4c5ca5..84fd42f 100644 +--- a/mm/memory.c ++++ b/mm/memory.c +@@ -2653,11 +2653,18 @@ static inline int check_stack_guard_page(struct vm_area_struct *vma, unsigned lo + { + address &= PAGE_MASK; + if ((vma->vm_flags & VM_GROWSDOWN) && address == vma->vm_start) { +- address -= PAGE_SIZE; +- if (find_vma(vma->vm_mm, address) != vma) +- return -ENOMEM; ++ struct vm_area_struct *prev = vma->vm_prev; ++ ++ /* ++ * Is there a mapping abutting this one below? ++ * ++ * That's only ok if it's the same stack mapping ++ * that has gotten split.. ++ */ ++ if (prev && prev->vm_end == address) ++ return prev->vm_flags & VM_GROWSDOWN ? 0 : -ENOMEM; + +- expand_stack(vma, address); ++ expand_stack(vma, address - PAGE_SIZE); + } + return 0; + } +-- +1.7.1.1 + diff --git a/mm-make-the-mlock-stack-guard-page-checks-stricter.patch b/mm-make-the-mlock-stack-guard-page-checks-stricter.patch new file mode 100644 index 0000000..f51f54a --- /dev/null +++ b/mm-make-the-mlock-stack-guard-page-checks-stricter.patch @@ -0,0 +1,58 @@ +From 901f364298f4e4a1c3334d291fb90967b25e61de Mon Sep 17 00:00:00 2001 +From: Linus Torvalds <torvalds@linux-foundation.org> +Date: Fri, 20 Aug 2010 16:39:25 -0700 +Subject: [PATCH] mm: make the mlock() stack guard page checks stricter + +commit 901f364298f4e4a1c3334d291fb90967b25e61de in tip. + +commit 7798330ac8114c731cfab83e634c6ecedaa233d7 upstream + +If we've split the stack vma, only the lowest one has the guard page. +Now that we have a doubly linked list of vma's, checking this is trivial. + +Tested-by: Ian Campbell <ijc@hellion.org.uk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/mm/mlock.c b/mm/mlock.c +index 13da2d5..8441a18 100644 +--- a/mm/mlock.c ++++ b/mm/mlock.c +@@ -135,6 +135,19 @@ void munlock_vma_page(struct page *page) + } + } + ++/* Is the vma a continuation of the stack vma above it? */ ++static inline int vma_stack_continue(struct vm_area_struct *vma, unsigned long addr) ++{ ++ return vma && (vma->vm_end == addr) && (vma->vm_flags & VM_GROWSDOWN); ++} ++ ++static inline int stack_guard_page(struct vm_area_struct *vma, unsigned long addr) ++{ ++ return (vma->vm_flags & VM_GROWSDOWN) && ++ (vma->vm_start == addr) && ++ !vma_stack_continue(vma->vm_prev, addr); ++} ++ + /** + * __mlock_vma_pages_range() - mlock a range of pages in the vma. + * @vma: target vma +@@ -168,11 +181,9 @@ static long __mlock_vma_pages_range(struct vm_area_struct *vma, + gup_flags |= FOLL_WRITE; + + /* We don't try to access the guard page of a stack vma */ +- if (vma->vm_flags & VM_GROWSDOWN) { +- if (start == vma->vm_start) { +- start += PAGE_SIZE; +- nr_pages--; +- } ++ if (stack_guard_page(vma, start)) { ++ addr += PAGE_SIZE; ++ nr_pages--; + } + + while (nr_pages > 0) { +-- +1.7.1.1 + diff --git a/mm-make-the-vma-list-be-doubly-linked.patch b/mm-make-the-vma-list-be-doubly-linked.patch new file mode 100644 index 0000000..737a076 --- /dev/null +++ b/mm-make-the-vma-list-be-doubly-linked.patch @@ -0,0 +1,160 @@ +From 498f7001734ff4fb0ef5a494241c1048b1264c0a Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Tue, 14 Dec 2010 19:29:34 +0100 +Subject: [PATCH] mm: make the vma list be doubly linked + +commit 498f7001734ff4fb0ef5a494241c1048b1264c0a in tip. + +commit 297c5eee372478fc32fec5fe8eed711eedb13f3d upstream + +It's a really simple list, and several of the users want to go backwards +in it to find the previous vma. So rather than have to look up the +previous entry with 'find_vma_prev()' or something similar, just make it +doubly linked instead. + +Tested-by: Ian Campbell <ijc@hellion.org.uk> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/include/linux/mm_types.h b/include/linux/mm_types.h +index bd17761..2f743b1 100644 +--- a/include/linux/mm_types.h ++++ b/include/linux/mm_types.h +@@ -144,7 +144,7 @@ struct vm_area_struct { + within vm_mm. */ + + /* linked list of VM areas per task, sorted by address */ +- struct vm_area_struct *vm_next; ++ struct vm_area_struct *vm_next, *vm_prev; + + pgprot_t vm_page_prot; /* Access permissions of this VMA. */ + unsigned long vm_flags; /* Flags, see mm.h. */ +diff --git a/kernel/fork.c b/kernel/fork.c +index 1d4acdf..aaa66b9 100644 +--- a/kernel/fork.c ++++ b/kernel/fork.c +@@ -309,7 +309,7 @@ out: + #ifdef CONFIG_MMU + static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + { +- struct vm_area_struct *mpnt, *tmp, **pprev; ++ struct vm_area_struct *mpnt, *tmp, *prev, **pprev; + struct rb_node **rb_link, *rb_parent; + int retval; + unsigned long charge; +@@ -338,6 +338,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + if (retval) + goto out; + ++ prev = NULL; + for (mpnt = oldmm->mmap; mpnt; mpnt = mpnt->vm_next) { + struct file *file; + +@@ -366,7 +367,7 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + vma_set_policy(tmp, pol); + tmp->vm_flags &= ~VM_LOCKED; + tmp->vm_mm = mm; +- tmp->vm_next = NULL; ++ tmp->vm_next = tmp->vm_prev = NULL; + anon_vma_link(tmp); + file = tmp->vm_file; + if (file) { +@@ -400,6 +401,8 @@ static int dup_mmap(struct mm_struct *mm, struct mm_struct *oldmm) + */ + *pprev = tmp; + pprev = &tmp->vm_next; ++ tmp->vm_prev = prev; ++ prev = tmp; + + __vma_link_rb(mm, tmp, rb_link, rb_parent); + rb_link = &tmp->vm_rb.rb_right; +diff --git a/mm/mmap.c b/mm/mmap.c +index 73ab63e..a15569e 100644 +--- a/mm/mmap.c ++++ b/mm/mmap.c +@@ -388,17 +388,23 @@ static inline void + __vma_link_list(struct mm_struct *mm, struct vm_area_struct *vma, + struct vm_area_struct *prev, struct rb_node *rb_parent) + { ++ struct vm_area_struct *next; ++ ++ vma->vm_prev = prev; + if (prev) { +- vma->vm_next = prev->vm_next; ++ next = prev->vm_next; + prev->vm_next = vma; + } else { + mm->mmap = vma; + if (rb_parent) +- vma->vm_next = rb_entry(rb_parent, ++ next = rb_entry(rb_parent, + struct vm_area_struct, vm_rb); + else +- vma->vm_next = NULL; ++ next = NULL; + } ++ vma->vm_next = next; ++ if (next) ++ next->vm_prev = vma; + } + + void __vma_link_rb(struct mm_struct *mm, struct vm_area_struct *vma, +@@ -486,7 +492,11 @@ static inline void + __vma_unlink(struct mm_struct *mm, struct vm_area_struct *vma, + struct vm_area_struct *prev) + { +- prev->vm_next = vma->vm_next; ++ struct vm_area_struct *next = vma->vm_next; ++ ++ prev->vm_next = next; ++ if (next) ++ next->vm_prev = prev; + rb_erase(&vma->vm_rb, &mm->mm_rb); + if (mm->mmap_cache == vma) + mm->mmap_cache = prev; +@@ -1846,6 +1856,7 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + unsigned long addr; + + insertion_point = (prev ? &prev->vm_next : &mm->mmap); ++ vma->vm_prev = NULL; + do { + rb_erase(&vma->vm_rb, &mm->mm_rb); + mm->map_count--; +@@ -1853,6 +1864,8 @@ detach_vmas_to_be_unmapped(struct mm_struct *mm, struct vm_area_struct *vma, + vma = vma->vm_next; + } while (vma && vma->vm_start < end); + *insertion_point = vma; ++ if (vma) ++ vma->vm_prev = prev; + tail_vma->vm_next = NULL; + if (mm->unmap_area == arch_unmap_area) + addr = prev ? prev->vm_end : mm->mmap_base; +diff --git a/mm/nommu.c b/mm/nommu.c +index 48a2ecf..016ded2 100644 +--- a/mm/nommu.c ++++ b/mm/nommu.c +@@ -609,7 +609,7 @@ static void protect_vma(struct vm_area_struct *vma, unsigned long flags) + */ + static void add_vma_to_mm(struct mm_struct *mm, struct vm_area_struct *vma) + { +- struct vm_area_struct *pvma, **pp; ++ struct vm_area_struct *pvma, **pp, *next; + struct address_space *mapping; + struct rb_node **p, *parent; + +@@ -669,8 +669,11 @@ static void add_vma_to_mm(struct mm_struct *mm, struct vm_area_struct *vma) + break; + } + +- vma->vm_next = *pp; ++ next = *pp; + *pp = vma; ++ vma->vm_next = next; ++ if (next) ++ next->vm_prev = vma; + } + + /* +-- +1.7.1.1 + diff --git a/net-ebtables-Work-around-per-cpu-assumptions.patch b/net-ebtables-Work-around-per-cpu-assumptions.patch new file mode 100644 index 0000000..35e882b --- /dev/null +++ b/net-ebtables-Work-around-per-cpu-assumptions.patch @@ -0,0 +1,51 @@ +From a1026af461530b4f0a875c4bdffac4137b2db549 Mon Sep 17 00:00:00 2001 +From: Luis Claudio R. Goncalves <lclaudio@uudg.org> +Date: Sat, 27 Nov 2010 13:04:05 -0200 +Subject: [PATCH] net: ebtables: Work around per cpu assumptions + +commit a1026af461530b4f0a875c4bdffac4137b2db549 in tip. + +I have been seeing several variations of this BUG message: + + BUG: using smp_processor_id() in preemptible [00000000] code: ... + caller is ebt_do_table+0x94/0x60c [ebtables] + +Disable preemption while fetching and using the ID of the current CPU. + +Signed-off-by: "Luis Claudio R. Goncalves" <lclaudio@uudg.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/net/bridge/netfilter/ebtables.c b/net/bridge/netfilter/ebtables.c +index 0b7f262..2ffdd86 100644 +--- a/net/bridge/netfilter/ebtables.c ++++ b/net/bridge/netfilter/ebtables.c +@@ -153,7 +153,7 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, + const struct net_device *in, const struct net_device *out, + struct ebt_table *table) + { +- int i, nentries; ++ int i, nentries, cpu; + struct ebt_entry *point; + struct ebt_counter *counter_base, *cb_base; + struct ebt_entry_target *t; +@@ -174,12 +174,14 @@ unsigned int ebt_do_table (unsigned int hook, struct sk_buff *skb, + + read_lock_bh(&table->lock); + private = table->private; +- cb_base = COUNTER_BASE(private->counters, private->nentries, +- smp_processor_id()); ++ preempt_disable_rt(); ++ cpu = smp_processor_id(); ++ cb_base = COUNTER_BASE(private->counters, private->nentries, cpu); + if (private->chainstack) +- cs = private->chainstack[smp_processor_id()]; ++ cs = private->chainstack[cpu]; + else + cs = NULL; ++ preempt_enable_rt(); + chaininfo = private->hook_entry[hook]; + nentries = private->hook_entry[hook]->nentries; + point = (struct ebt_entry *)(private->hook_entry[hook]->data); +-- +1.7.1.1 + diff --git a/net-sched-fix-some-kernel-memory-leaks.patch b/net-sched-fix-some-kernel-memory-leaks.patch new file mode 100644 index 0000000..8e38154 --- /dev/null +++ b/net-sched-fix-some-kernel-memory-leaks.patch @@ -0,0 +1,170 @@ +From 49aa1d9ed423c0d901b5e0c072f1b0269a17a572 Mon Sep 17 00:00:00 2001 +From: Eric Dumazet <eric.dumazet@gmail.com> +Date: Mon, 16 Aug 2010 20:04:22 +0000 +Subject: [PATCH] net sched: fix some kernel memory leaks + +commit 49aa1d9ed423c0d901b5e0c072f1b0269a17a572 in tip. + +commit 4cd5975151e23ae319c9f4e356bd742ea09493a6 upstream + +We leak at least 32bits of kernel memory to user land in tc dump, +because we dont init all fields (capab ?) of the dumped structure. + +Use C99 initializers so that holes and non explicit fields are zeroed. + +Signed-off-by: Eric Dumazet <eric.dumazet@gmail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/net/sched/act_gact.c b/net/sched/act_gact.c +index e7f796a..f9fc6ec 100644 +--- a/net/sched/act_gact.c ++++ b/net/sched/act_gact.c +@@ -152,21 +152,24 @@ static int tcf_gact(struct sk_buff *skb, struct tc_action *a, struct tcf_result + static int tcf_gact_dump(struct sk_buff *skb, struct tc_action *a, int bind, int ref) + { + unsigned char *b = skb_tail_pointer(skb); +- struct tc_gact opt; + struct tcf_gact *gact = a->priv; ++ struct tc_gact opt = { ++ .index = gact->tcf_index, ++ .refcnt = gact->tcf_refcnt - ref, ++ .bindcnt = gact->tcf_bindcnt - bind, ++ .action = gact->tcf_action, ++ }; + struct tcf_t t; + +- opt.index = gact->tcf_index; +- opt.refcnt = gact->tcf_refcnt - ref; +- opt.bindcnt = gact->tcf_bindcnt - bind; +- opt.action = gact->tcf_action; + NLA_PUT(skb, TCA_GACT_PARMS, sizeof(opt), &opt); + #ifdef CONFIG_GACT_PROB + if (gact->tcfg_ptype) { +- struct tc_gact_p p_opt; +- p_opt.paction = gact->tcfg_paction; +- p_opt.pval = gact->tcfg_pval; +- p_opt.ptype = gact->tcfg_ptype; ++ struct tc_gact_p p_opt = { ++ .paction = gact->tcfg_paction, ++ .pval = gact->tcfg_pval, ++ .ptype = gact->tcfg_ptype, ++ }; ++ + NLA_PUT(skb, TCA_GACT_PROB, sizeof(p_opt), &p_opt); + } + #endif +diff --git a/net/sched/act_mirred.c b/net/sched/act_mirred.c +index d329170..0476eb3 100644 +--- a/net/sched/act_mirred.c ++++ b/net/sched/act_mirred.c +@@ -210,15 +210,16 @@ static int tcf_mirred_dump(struct sk_buff *skb, struct tc_action *a, int bind, i + { + unsigned char *b = skb_tail_pointer(skb); + struct tcf_mirred *m = a->priv; +- struct tc_mirred opt; ++ struct tc_mirred opt = { ++ .index = m->tcf_index, ++ .action = m->tcf_action, ++ .refcnt = m->tcf_refcnt - ref, ++ .bindcnt = m->tcf_bindcnt - bind, ++ .eaction = m->tcfm_eaction, ++ .ifindex = m->tcfm_ifindex, ++ }; + struct tcf_t t; + +- opt.index = m->tcf_index; +- opt.action = m->tcf_action; +- opt.refcnt = m->tcf_refcnt - ref; +- opt.bindcnt = m->tcf_bindcnt - bind; +- opt.eaction = m->tcfm_eaction; +- opt.ifindex = m->tcfm_ifindex; + NLA_PUT(skb, TCA_MIRRED_PARMS, sizeof(opt), &opt); + t.install = jiffies_to_clock_t(jiffies - m->tcf_tm.install); + t.lastuse = jiffies_to_clock_t(jiffies - m->tcf_tm.lastuse); +diff --git a/net/sched/act_nat.c b/net/sched/act_nat.c +index c4c6805..7464634 100644 +--- a/net/sched/act_nat.c ++++ b/net/sched/act_nat.c +@@ -261,19 +261,19 @@ static int tcf_nat_dump(struct sk_buff *skb, struct tc_action *a, + { + unsigned char *b = skb_tail_pointer(skb); + struct tcf_nat *p = a->priv; +- struct tc_nat opt; ++ struct tc_nat opt = { ++ .old_addr = p->old_addr, ++ .new_addr = p->new_addr, ++ .mask = p->mask, ++ .flags = p->flags, ++ ++ .index = p->tcf_index, ++ .action = p->tcf_action, ++ .refcnt = p->tcf_refcnt - ref, ++ .bindcnt = p->tcf_bindcnt - bind, ++ }; + struct tcf_t t; + +- opt.old_addr = p->old_addr; +- opt.new_addr = p->new_addr; +- opt.mask = p->mask; +- opt.flags = p->flags; +- +- opt.index = p->tcf_index; +- opt.action = p->tcf_action; +- opt.refcnt = p->tcf_refcnt - ref; +- opt.bindcnt = p->tcf_bindcnt - bind; +- + NLA_PUT(skb, TCA_NAT_PARMS, sizeof(opt), &opt); + t.install = jiffies_to_clock_t(jiffies - p->tcf_tm.install); + t.lastuse = jiffies_to_clock_t(jiffies - p->tcf_tm.lastuse); +diff --git a/net/sched/act_simple.c b/net/sched/act_simple.c +index 8daa1eb..41c8a44 100644 +--- a/net/sched/act_simple.c ++++ b/net/sched/act_simple.c +@@ -163,13 +163,14 @@ static inline int tcf_simp_dump(struct sk_buff *skb, struct tc_action *a, + { + unsigned char *b = skb_tail_pointer(skb); + struct tcf_defact *d = a->priv; +- struct tc_defact opt; ++ struct tc_defact opt = { ++ .index = d->tcf_index, ++ .refcnt = d->tcf_refcnt - ref, ++ .bindcnt = d->tcf_bindcnt - bind, ++ .action = d->tcf_action, ++ }; + struct tcf_t t; + +- opt.index = d->tcf_index; +- opt.refcnt = d->tcf_refcnt - ref; +- opt.bindcnt = d->tcf_bindcnt - bind; +- opt.action = d->tcf_action; + NLA_PUT(skb, TCA_DEF_PARMS, sizeof(opt), &opt); + NLA_PUT_STRING(skb, TCA_DEF_DATA, d->tcfd_defdata); + t.install = jiffies_to_clock_t(jiffies - d->tcf_tm.install); +diff --git a/net/sched/act_skbedit.c b/net/sched/act_skbedit.c +index e9607fe..66cbf4e 100644 +--- a/net/sched/act_skbedit.c ++++ b/net/sched/act_skbedit.c +@@ -159,13 +159,14 @@ static inline int tcf_skbedit_dump(struct sk_buff *skb, struct tc_action *a, + { + unsigned char *b = skb_tail_pointer(skb); + struct tcf_skbedit *d = a->priv; +- struct tc_skbedit opt; ++ struct tc_skbedit opt = { ++ .index = d->tcf_index, ++ .refcnt = d->tcf_refcnt - ref, ++ .bindcnt = d->tcf_bindcnt - bind, ++ .action = d->tcf_action, ++ }; + struct tcf_t t; + +- opt.index = d->tcf_index; +- opt.refcnt = d->tcf_refcnt - ref; +- opt.bindcnt = d->tcf_bindcnt - bind; +- opt.action = d->tcf_action; + NLA_PUT(skb, TCA_SKBEDIT_PARMS, sizeof(opt), &opt); + if (d->flags & SKBEDIT_F_PRIORITY) + NLA_PUT(skb, TCA_SKBEDIT_PRIORITY, sizeof(d->priority), +-- +1.7.1.1 + diff --git a/niu-Fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLA.patch b/niu-Fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLA.patch new file mode 100644 index 0000000..3ee02d8 --- /dev/null +++ b/niu-Fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLA.patch @@ -0,0 +1,70 @@ +From 1389ed5d809bc8369fa9f9c7f930735397901d6b Mon Sep 17 00:00:00 2001 +From: Ben Hutchings <bhutchings@solarflare.com> +Date: Tue, 7 Sep 2010 04:35:19 +0000 +Subject: [PATCH] niu: Fix kernel buffer overflow for ETHTOOL_GRXCLSRLALL + +commit 1389ed5d809bc8369fa9f9c7f930735397901d6b in tip. + +niu_get_ethtool_tcam_all() assumes that its output buffer is the right +size, and warns before returning if it is not. However, the output +buffer size is under user control and ETHTOOL_GRXCLSRLALL is an +unprivileged ethtool command. Therefore this is at least a local +denial-of-service vulnerability. + +Change it to check before writing each entry and to return an error if +the buffer is already full. + +Compile-tested only. + +Signed-off-by: Ben Hutchings <bhutchings@solarflare.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Backported to 2.6.33.7-rt29 +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/net/niu.c b/drivers/net/niu.c +index 1cd2408..24a2337 100644 +--- a/drivers/net/niu.c ++++ b/drivers/net/niu.c +@@ -7311,33 +7311,28 @@ static int niu_get_ethtool_tcam_all(struct niu *np, + struct niu_parent *parent = np->parent; + struct niu_tcam_entry *tp; + int i, idx, cnt; +- u16 n_entries; + unsigned long flags; +- ++ int ret = 0; + + /* put the tcam size here */ + nfc->data = tcam_get_size(np); + + niu_lock_parent(np, flags); +- n_entries = nfc->rule_cnt; + for (cnt = 0, i = 0; i < nfc->data; i++) { + idx = tcam_get_index(np, i); + tp = &parent->tcam[idx]; + if (!tp->valid) + continue; ++ if (cnt == nfc->rule_cnt) { ++ ret = -EMSGSIZE; ++ break; ++ } + rule_locs[cnt] = i; + cnt++; + } + niu_unlock_parent(np, flags); + +- if (n_entries != cnt) { +- /* print warning, this should not happen */ +- pr_info(PFX "niu%d: %s In niu_get_ethtool_tcam_all, " +- "n_entries[%d] != cnt[%d]!!!\n\n", +- np->parent->index, np->dev->name, n_entries, cnt); +- } +- +- return 0; ++ return ret; + } + + static int niu_get_nfc(struct net_device *dev, struct ethtool_rxnfc *cmd, +-- +1.7.1.1 + diff --git a/parisc-pass-through-t-to-early-iodc-console.patch b/parisc-pass-through-t-to-early-iodc-console.patch new file mode 100644 index 0000000..d52b94f --- /dev/null +++ b/parisc-pass-through-t-to-early-iodc-console.patch @@ -0,0 +1,58 @@ +From 8c0b0d65176a265d5ac0262aecb7138b9ea19b1d Mon Sep 17 00:00:00 2001 +From: Kyle McMartin <kyle@mcmartin.ca> +Date: Tue, 3 Aug 2010 20:38:08 -0400 +Subject: [PATCH] parisc: pass through '\t' to early (iodc) console + +commit 8c0b0d65176a265d5ac0262aecb7138b9ea19b1d in tip. + +commit d9b68e5e88248bb24fd4e455588bea1d56108fd6 upstream. + +The firmware handles '\t' internally, so stop trying to emulate it +(which, incidentally, had a bug in it.) + +Fixes a really weird hang at bootup in rcu_bootup_announce, which, +as far as I can tell, is the first printk in the core kernel to use +a tab as the first character. + +Signed-off-by: Kyle McMartin <kyle@parisc-linux.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/arch/parisc/kernel/firmware.c b/arch/parisc/kernel/firmware.c +index 4c247e0..df971fa 100644 +--- a/arch/parisc/kernel/firmware.c ++++ b/arch/parisc/kernel/firmware.c +@@ -1123,7 +1123,6 @@ static char __attribute__((aligned(64))) iodc_dbuf[4096]; + */ + int pdc_iodc_print(const unsigned char *str, unsigned count) + { +- static int posx; /* for simple TAB-Simulation... */ + unsigned int i; + unsigned long flags; + +@@ -1133,19 +1132,12 @@ int pdc_iodc_print(const unsigned char *str, unsigned count) + iodc_dbuf[i+0] = '\r'; + iodc_dbuf[i+1] = '\n'; + i += 2; +- posx = 0; + goto print; +- case '\t': +- while (posx & 7) { +- iodc_dbuf[i] = ' '; +- i++, posx++; +- } +- break; + case '\b': /* BS */ +- posx -= 2; ++ i--; /* overwrite last */ + default: + iodc_dbuf[i] = str[i]; +- i++, posx++; ++ i++; + break; + } + } +-- +1.7.1.1 + diff --git a/perf-Provide-kmap_atomic_direct-for-CONFIG_HIGHMEM.patch b/perf-Provide-kmap_atomic_direct-for-CONFIG_HIGHMEM.patch new file mode 100644 index 0000000..404fa33 --- /dev/null +++ b/perf-Provide-kmap_atomic_direct-for-CONFIG_HIGHMEM.patch @@ -0,0 +1,34 @@ +From 327735e61bcee29f59a6fd053db894cdddff987e Mon Sep 17 00:00:00 2001 +From: Tim Blechmann <tim@klingt.org> +Date: Mon, 30 Aug 2010 12:20:19 +0200 +Subject: [PATCH] perf: Provide kmap_atomic_direct for !CONFIG_HIGHMEM + +commit 327735e61bcee29f59a6fd053db894cdddff987e in tip. + +ddeca6231cbdebd0fa0f1bac816f1e1e6eae485b doesn't compile, if CONFIG_HIGHMEM +is not enabled, because kmap_atomic_direct and kunmap_atomic_direct are +undefined. + +Signed-off-by: Tim Blechmann <tim@klingt.org> +Cc: Peter Zijlstra <a.p.zijlstra@chello.nl> +LKML-Reference: <8df2d360ce2f1b88d50e0929528f011d50dc1ce5.1283163601.git.tim@klingt.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/include/linux/highmem.h b/include/linux/highmem.h +index ab2cc20..ceb4f2e 100644 +--- a/include/linux/highmem.h ++++ b/include/linux/highmem.h +@@ -65,8 +65,10 @@ static inline void *kmap_atomic(struct page *page, enum km_type idx) + return page_address(page); + } + #define kmap_atomic_prot(page, idx, prot) kmap_atomic(page, idx) ++#define kmap_atomic_direct(page, idx) kmap_atomic(page, idx) + + #define kunmap_atomic(addr, idx) do { pagefault_enable(); } while (0) ++#define kunmap_atomic_direct(page, idx) kunmap_atomic(page, idx) + #define kmap_atomic_pfn(pfn, idx) kmap_atomic(pfn_to_page(pfn), (idx)) + #define kmap_atomic_to_page(ptr) virt_to_page(ptr) + +-- +1.7.1.1 + diff --git a/perf-Use-kmap_atomic_direct.patch b/perf-Use-kmap_atomic_direct.patch new file mode 100644 index 0000000..c9ae558 --- /dev/null +++ b/perf-Use-kmap_atomic_direct.patch @@ -0,0 +1,37 @@ +From ddeca6231cbdebd0fa0f1bac816f1e1e6eae485b Mon Sep 17 00:00:00 2001 +From: Peter Zijlstra <peterz@infradead.org> +Date: Fri, 27 Aug 2010 11:54:52 +0200 +Subject: [PATCH] perf: Use kmap_atomic_direct + +commit ddeca6231cbdebd0fa0f1bac816f1e1e6eae485b in tip. + +-rt falls back to regular kmap to provide preemptible kmap_atomic, which +is fine, except that the perf PMI does actually run from NMI context. + +Use the kmap_atomic_direct() API which still provides the old, really +atomic kmap functionality regardless of PREEMPT_RT, previously only used +for paravirt stuffs. + +Reported-by: "Sydir, Jerry" <jerry.sydir@intel.com> +Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/kernel/cpu/perf_event.c b/arch/x86/kernel/cpu/perf_event.c +index 16307ff..4c178c3 100644 +--- a/arch/x86/kernel/cpu/perf_event.c ++++ b/arch/x86/kernel/cpu/perf_event.c +@@ -2480,9 +2480,9 @@ copy_from_user_nmi(void *to, const void __user *from, unsigned long n) + offset = addr & (PAGE_SIZE - 1); + size = min(PAGE_SIZE - offset, n - len); + +- map = kmap_atomic(page, type); ++ map = kmap_atomic_direct(page, type); + memcpy(to, map+offset, size); +- kunmap_atomic(map, type); ++ kunmap_atomic_direct(map, type); + put_page(page); + + len += size; +-- +1.7.1.1 + diff --git a/powerpc-fsl-booke-Move-loadcam_entry-back-to-asm-cod.patch b/powerpc-fsl-booke-Move-loadcam_entry-back-to-asm-cod.patch new file mode 100644 index 0000000..9393704 --- /dev/null +++ b/powerpc-fsl-booke-Move-loadcam_entry-back-to-asm-cod.patch @@ -0,0 +1,152 @@ +From a09b02ca20ca5899aa911aec5d8e21e9e20793d6 Mon Sep 17 00:00:00 2001 +From: Kumar Gala <galak@kernel.crashing.org> +Date: Thu, 13 May 2010 14:38:21 -0500 +Subject: [PATCH] powerpc/fsl-booke: Move loadcam_entry back to asm code to fix SMP ftrace + +commit a09b02ca20ca5899aa911aec5d8e21e9e20793d6 in tip. + +When we build with ftrace enabled its possible that loadcam_entry would +have used the stack pointer (even though the code doesn't need it). We +call loadcam_entry in __secondary_start before the stack is setup. To +ensure that loadcam_entry doesn't use the stack pointer the easiest +solution is to just have it in asm code. + +Signed-off-by: Kumar Gala <galak@kernel.crashing.org> +[bigeasy@linutronix.de: fix cherry pick of upstream commit 78f6223 for 33-rt] +Signed-off-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c +index 11d0668..f0857f8 100644 +--- a/arch/powerpc/kernel/asm-offsets.c ++++ b/arch/powerpc/kernel/asm-offsets.c +@@ -420,6 +420,14 @@ int main(void) + DEFINE(PGD_T_LOG2, PGD_T_LOG2); + DEFINE(PTE_T_LOG2, PTE_T_LOG2); + #endif ++#ifdef CONFIG_FSL_BOOKE ++ DEFINE(TLBCAM_SIZE, sizeof(struct tlbcam)); ++ DEFINE(TLBCAM_MAS0, offsetof(struct tlbcam, MAS0)); ++ DEFINE(TLBCAM_MAS1, offsetof(struct tlbcam, MAS1)); ++ DEFINE(TLBCAM_MAS2, offsetof(struct tlbcam, MAS2)); ++ DEFINE(TLBCAM_MAS3, offsetof(struct tlbcam, MAS3)); ++ DEFINE(TLBCAM_MAS7, offsetof(struct tlbcam, MAS7)); ++#endif + + #ifdef CONFIG_KVM_EXIT_TIMING + DEFINE(VCPU_TIMING_EXIT_TBU, offsetof(struct kvm_vcpu, +diff --git a/arch/powerpc/mm/fsl_booke_mmu.c b/arch/powerpc/mm/fsl_booke_mmu.c +index 1ce9dd5..01a795d 100644 +--- a/arch/powerpc/mm/fsl_booke_mmu.c ++++ b/arch/powerpc/mm/fsl_booke_mmu.c +@@ -2,7 +2,7 @@ + * Modifications by Kumar Gala (galak@kernel.crashing.org) to support + * E500 Book E processors. + * +- * Copyright 2004 Freescale Semiconductor, Inc ++ * Copyright 2004,2010 Freescale Semiconductor, Inc. + * + * This file contains the routines for initializing the MMU + * on the 4xx series of chips. +@@ -56,19 +56,13 @@ + + unsigned int tlbcam_index; + +-#define NUM_TLBCAMS (64) + + #if defined(CONFIG_LOWMEM_CAM_NUM_BOOL) && (CONFIG_LOWMEM_CAM_NUM >= NUM_TLBCAMS) + #error "LOWMEM_CAM_NUM must be less than NUM_TLBCAMS" + #endif + +-struct tlbcam { +- u32 MAS0; +- u32 MAS1; +- unsigned long MAS2; +- u32 MAS3; +- u32 MAS7; +-} TLBCAM[NUM_TLBCAMS]; ++#define NUM_TLBCAMS (64) ++struct tlbcam TLBCAM[NUM_TLBCAMS]; + + struct tlbcamrange { + unsigned long start; +@@ -109,19 +103,6 @@ unsigned long p_mapped_by_tlbcam(phys_addr_t pa) + return 0; + } + +-void loadcam_entry(int idx) +-{ +- mtspr(SPRN_MAS0, TLBCAM[idx].MAS0); +- mtspr(SPRN_MAS1, TLBCAM[idx].MAS1); +- mtspr(SPRN_MAS2, TLBCAM[idx].MAS2); +- mtspr(SPRN_MAS3, TLBCAM[idx].MAS3); +- +- if (cur_cpu_spec->cpu_features & MMU_FTR_BIG_PHYS) +- mtspr(SPRN_MAS7, TLBCAM[idx].MAS7); +- +- asm volatile("isync;tlbwe;isync" : : : "memory"); +-} +- + /* + * Set up one of the I/D BAT (block address translation) register pairs. + * The parameters are not checked; in particular size must be a power +diff --git a/arch/powerpc/mm/mmu_decl.h b/arch/powerpc/mm/mmu_decl.h +index d49a775..0591f25 100644 +--- a/arch/powerpc/mm/mmu_decl.h ++++ b/arch/powerpc/mm/mmu_decl.h +@@ -149,7 +149,15 @@ extern unsigned long mmu_mapin_ram(unsigned long top); + extern void MMU_init_hw(void); + extern unsigned long mmu_mapin_ram(unsigned long top); + extern void adjust_total_lowmem(void); +- ++extern void loadcam_entry(unsigned int index); ++ ++struct tlbcam { ++ u32 MAS0; ++ u32 MAS1; ++ unsigned long MAS2; ++ u32 MAS3; ++ u32 MAS7; ++}; + #elif defined(CONFIG_PPC32) + /* anything 32-bit except 4xx or 8xx */ + extern void MMU_init_hw(void); +diff --git a/arch/powerpc/mm/tlb_nohash_low.S b/arch/powerpc/mm/tlb_nohash_low.S +index bbdc5b5..8656ecf 100644 +--- a/arch/powerpc/mm/tlb_nohash_low.S ++++ b/arch/powerpc/mm/tlb_nohash_low.S +@@ -271,3 +271,31 @@ _GLOBAL(set_context) + #else + #error Unsupported processor type ! + #endif ++ ++#if defined(CONFIG_FSL_BOOKE) ++/* ++ * extern void loadcam_entry(unsigned int index) ++ * ++ * Load TLBCAM[index] entry in to the L2 CAM MMU ++ */ ++_GLOBAL(loadcam_entry) ++ LOAD_REG_ADDR(r4, TLBCAM) ++ mulli r5,r3,TLBCAM_SIZE ++ add r3,r5,r4 ++ lwz r4,TLBCAM_MAS0(r3) ++ mtspr SPRN_MAS0,r4 ++ lwz r4,TLBCAM_MAS1(r3) ++ mtspr SPRN_MAS1,r4 ++ PPC_LL r4,TLBCAM_MAS2(r3) ++ mtspr SPRN_MAS2,r4 ++ lwz r4,TLBCAM_MAS3(r3) ++ mtspr SPRN_MAS3,r4 ++BEGIN_MMU_FTR_SECTION ++ lwz r4,TLBCAM_MAS7(r3) ++ mtspr SPRN_MAS7,r4 ++END_MMU_FTR_SECTION_IFSET(MMU_FTR_BIG_PHYS) ++ isync ++ tlbwe ++ isync ++ blr ++#endif +-- +1.7.1.1 + diff --git a/rt-mm-fix-kthreadd-livelock-in-drain_local_pages_wor.patch b/rt-mm-fix-kthreadd-livelock-in-drain_local_pages_wor.patch new file mode 100644 index 0000000..3deed2b --- /dev/null +++ b/rt-mm-fix-kthreadd-livelock-in-drain_local_pages_wor.patch @@ -0,0 +1,133 @@ +From e94445b78dc821e0e9de5a9bf5bd263f5ae2c471 Mon Sep 17 00:00:00 2001 +From: Mike Galbraith <mgalbraith@suse.de> +Date: Wed, 8 Dec 2010 08:11:50 +0100 +Subject: [PATCH] rt: mm: fix kthreadd livelock in drain_local_pages_work + +commit e94445b78dc821e0e9de5a9bf5bd263f5ae2c471 in tip. + +In a low memory situation, kthreadd may call schedule_on_each_cpu() while +trying to spawn a worker, and the system grinds to a halt as below. + +[25689.675353] SysRq : Show Blocked State +[25689.682919] task PC stack pid father +[25689.694781] kthreadd D 00000000ffffffff 0 2 0 0x00000000 +[25689.708613] ffff88013fb37810 0000000000000046 0000000000000000 000000000000b3f0 +[25689.708616] ffff88013fa93040 ffff88013fa93308 000000023fa93408 0000000000000000 +[25689.708619] 0000000000000000 ffff88013faadfd8 ffff88013faadb50 0000000000000004 +[25689.709058] Call Trace: +[25689.709064] [<ffffffff8236b45c>] ? schedule+0x1c/0x30 +[25689.709066] [<ffffffff8236b99d>] ? schedule_timeout+0x26d/0x2b0 +[25689.709069] [<ffffffff8203932e>] ? enqueue_task_rt+0x12e/0x290 +[25689.709074] [<ffffffff8236a804>] ? wait_for_common+0xc4/0x1a0 +[25689.709077] [<ffffffff82040700>] ? default_wake_function+0x0/0x10 +[25689.709080] [<ffffffff820b3d90>] ? drain_local_pages_work+0x0/0x10 +[25689.709084] [<ffffffff82059c1c>] ? flush_work+0x6c/0xc0 +[25689.709086] [<ffffffff82059e40>] ? wq_barrier_func+0x0/0x10 +[25689.709088] [<ffffffff82059ccf>] ? __queue_work+0x5f/0x70 +[25689.709090] [<ffffffff8205a233>] ? schedule_on_each_cpu+0x113/0x160 +[25689.709093] [<ffffffff820b6e5d>] ? __alloc_pages_nodemask+0x61d/0x760 +[25689.709095] [<ffffffff820b59f9>] ? __get_free_pages+0x9/0x50 +[25689.709098] [<ffffffff820434ea>] ? copy_process+0xea/0x13f0 +[25689.709101] [<ffffffff82033da0>] ? enqueue_task+0x60/0x70 +[25689.709103] [<ffffffff82033eb4>] ? activate_task+0x24/0x30 +[25689.709105] [<ffffffff8204488b>] ? do_fork+0x9b/0x3d0 +[25689.709107] [<ffffffff820354ae>] ? update_curr+0xae/0x140 +[25689.709111] [<ffffffff8200178b>] ? __switch_to+0xeb/0x350 +[25689.709114] [<ffffffff8200b5bc>] ? kernel_thread+0x7c/0x90 +[25689.709117] [<ffffffff8205d9d0>] ? kthread+0x0/0xa0 +[25689.709119] [<ffffffff82003e20>] ? kernel_thread_helper+0x0/0x10 +[25689.709121] [<ffffffff8236b45c>] ? schedule+0x1c/0x30 +[25689.709123] [<ffffffff8205d98f>] ? kthreadd+0x14f/0x190 +[25689.709125] [<ffffffff82003e24>] ? kernel_thread_helper+0x4/0x10 +[25689.709127] [<ffffffff8205d840>] ? kthreadd+0x0/0x190 +[25689.709129] [<ffffffff82003e20>] ? kernel_thread_helper+0x0/0x10 +[25689.709147] events/0 D ffff88000d29d1d0 0 211 2 0x00000000 +[25689.709150] ffff88013f282080 0000000000000046 0000000000000400 000000000000f540 +[25689.709152] ffff88013f231040 ffff88013f231308 000000000000f540 000000000000f540 +[25689.709153] 0000000000000008 ffff88013f255fd8 ffff88013f255bf0 ffff88013f255c00 +[25689.709155] Call Trace: +[25689.709159] [<ffffffff82119190>] ? bdi_sched_wait+0x0/0x10 +[25689.709160] [<ffffffff8236b45c>] ? schedule+0x1c/0x30 +[25689.709162] [<ffffffff82119199>] ? bdi_sched_wait+0x9/0x10 +[25689.709164] [<ffffffff8236bbd0>] ? __wait_on_bit+0x50/0x80 +[25689.709166] [<ffffffff82119190>] ? bdi_sched_wait+0x0/0x10 +[25689.709167] [<ffffffff8236bc79>] ? out_of_line_wait_on_bit+0x79/0xa0 +[25689.709169] [<ffffffff8205de20>] ? wake_bit_function+0x0/0x20 +[25689.709171] [<ffffffff82119748>] ? bdi_start_writeback+0xc8/0xd0 +[25689.709174] [<ffffffff8211dbda>] ? __sync_filesystem+0x3a/0x90 +[25689.709177] [<ffffffff8211ddea>] ? sync_filesystem+0x2a/0x50 +[25689.709180] [<ffffffff820fa8d1>] ? generic_shutdown_super+0x21/0x110 +[25689.709182] [<ffffffff820faa19>] ? kill_anon_super+0x9/0x50 +[25689.709192] [<ffffffffa044cded>] ? nfs_kill_super+0x1d/0x40 [nfs] +[25689.709194] [<ffffffff820fb2b3>] ? deactivate_super+0x83/0xb0 +[25689.709197] [<ffffffff82112e0b>] ? release_mounts+0xab/0xd0 +[25689.709199] [<ffffffff82112ffa>] ? mark_mounts_for_expiry+0x11a/0x130 +[25689.709207] [<ffffffffa0456c00>] ? nfs_expire_automounts+0x0/0x40 [nfs] +[25689.709215] [<ffffffffa0456c10>] ? nfs_expire_automounts+0x10/0x40 [nfs] +[25689.709217] [<ffffffff820597dc>] ? worker_thread+0x15c/0x230 +[25689.709219] [<ffffffff8205ddf0>] ? autoremove_wake_function+0x0/0x30 +[25689.709221] [<ffffffff82059680>] ? worker_thread+0x0/0x230 +[25689.709223] [<ffffffff8205da66>] ? kthread+0x96/0xa0 +[25689.709225] [<ffffffff8203dd1a>] ? finish_task_switch+0x4a/0x100 +[25689.709227] [<ffffffff82003e24>] ? kernel_thread_helper+0x4/0x10 +[25689.709229] [<ffffffff8205d9d0>] ? kthread+0x0/0xa0 +[25689.709231] [<ffffffff82003e20>] ? kernel_thread_helper+0x0/0x10 +[25689.709234] bdi-default D 0000000000000000 0 233 2 0x00000000 +[25689.709236] ffffffff8260e020 0000000000000046 0000000000000000 000000000000b3f0 +[25689.709238] ffff88013f282080 ffff88013f282348 000000000000f540 0000000000000000 +[25689.709240] 0000000000000000 ffff88013f36bfd8 ffff88013f36bd38 0000000000000004 +[25689.709242] Call Trace: +[25689.709243] [<ffffffff8236b45c>] ? schedule+0x1c/0x30 +[25689.709245] [<ffffffff8236b99d>] ? schedule_timeout+0x26d/0x2b0 +[25689.709247] [<ffffffff8236a804>] ? wait_for_common+0xc4/0x1a0 +[25689.709250] [<ffffffff82040700>] ? default_wake_function+0x0/0x10 +[25689.709252] [<ffffffff8203dd1a>] ? finish_task_switch+0x4a/0x100 +[25689.709254] [<ffffffff8205dc28>] ? kthread_create+0x98/0x130 +[25689.709256] [<ffffffff820c5540>] ? bdi_start_fn+0x0/0xf0 +[25689.709260] [<ffffffff82051f50>] ? process_timeout+0x0/0x10 +[25689.709262] [<ffffffff820c53aa>] ? bdi_forker_task+0x19a/0x330 +[25689.709263] [<ffffffff8236ada6>] ? __schedule+0x426/0x960 +[25689.709265] [<ffffffff820c5210>] ? bdi_forker_task+0x0/0x330 +[25689.709268] [<ffffffff8205da66>] ? kthread+0x96/0xa0 +[25689.709270] [<ffffffff8203dd1a>] ? finish_task_switch+0x4a/0x100 +[25689.709272] [<ffffffff82003e24>] ? kernel_thread_helper+0x4/0x10 +[25689.709274] [<ffffffff8205d9d0>] ? kthread+0x0/0xa0 +[25689.709276] [<ffffffff82003e20>] ? kernel_thread_helper+0x0/0x10 +etc etc etc... + +Signed-off-by: Mike Galbraith <mgalbraith@suse.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Acked-by: Peter Zijlstra <peterz@infradead.org> + +diff --git a/mm/page_alloc.c b/mm/page_alloc.c +index bde9ea1..81f9359 100644 +--- a/mm/page_alloc.c ++++ b/mm/page_alloc.c +@@ -1121,6 +1121,15 @@ static void drain_local_pages_work(struct work_struct *wrk) + } + #endif + ++#ifdef CONFIG_PREEMPT_RT ++extern struct task_struct *kthreadd_task; ++ ++static inline int is_kthreadd(struct task_struct *p) ++{ ++ return p == kthreadd_task; ++} ++#endif ++ + /* + * Spill all the per-cpu pages from all CPUs back into the buddy allocator + */ +@@ -1146,7 +1155,7 @@ void drain_all_pages(void) + * + * And yes, this is one big hack. Please fix ;-) + */ +- if (sizeof(void *)*nr_cpu_ids < PAGE_SIZE) ++ if (!is_kthreadd(current) && sizeof(void *)*nr_cpu_ids < PAGE_SIZE) + schedule_on_each_cpu(drain_local_pages_work); + else { + static int once; +-- +1.7.1.1 + @@ -493,6 +493,73 @@ UIO-Add-a-driver-for-Hilscher-netX-based-fieldbus-ca.patch # v2.6.33.6-rt27.patch printk-Restore-irqs-before-calling-release_console_m.patch # v2.6.33.6-rt28.patch +# v2.6.33.7-rt29.patch +mm-fix-ia64-crash-when-gcore-reads-gate-area.patch +comedi-Uncripple-8255-based-DIO-subdevices.patch +NFS-kswapd-must-not-block-in-nfs_release_page.patch +PARISC-led.c-fix-potential-stack-overflow-in-led_pro.patch +arm-imx-gpio-add-spinlock-protection.patch +parisc-pass-through-t-to-early-iodc-console.patch +amd64_edac-Fix-DCT-base-address-selector.patch +amd64_edac-Correct-scrub-rate-setting.patch +e1000e-don-t-inadvertently-re-set-INTX_DISABLE.patch +e1000e-82577-82578-PHY-register-access-issues.patch +9p-strlen-doesn-t-count-the-terminator.patch +ath9k-enable-serialize_regmode-for-non-PCIE-AR9160.patch +ath9k_hw-fix-an-off-by-one-error-in-the-PDADC-bounda.patch +ath9k-fix-TSF-after-reset-on-AR913x.patch +ath9k-fix-yet-another-buffer-leak-in-the-tx-aggregat.patch +iwlwifi-fix-scan-abort.patch +cfg80211-ignore-spurious-deauth.patch +cfg80211-don-t-get-expired-BSSes.patch +xfs-prevent-swapext-from-operating-on-write-only-fil.patch +SCSI-enclosure-fix-error-path-actually-return-ERR_PT.patch +GFS2-rename-causes-kernel-Oops.patch +slow-work-use-get_ref-wrapper-instead-of-directly-ca.patch +CIFS-Remove-__exit-mark-from-cifs_exit_dns_resolver.patch +CIFS-Fix-compile-error-with-__init-in-cifs_init_dns_.patch +xen-drop-xen_sched_clock-in-favour-of-using-plain-wa.patch +mac80211-avoid-scheduling-while-atomic-in-mesh_rx_pl.patch +KVM-MMU-flush-remote-tlbs-when-overwriting-spte-with.patch +drm-i915-Check-overlay-stride-errata-for-i830-and-i8.patch +Revert-ssb-Handle-Netbook-devices-where-the-SPROM-ad.patch +ssb-do-not-read-SPROM-if-it-does-not-exist.patch +ssb-Look-for-SPROM-at-different-offset-on-higher-rev.patch +ssb-fix-NULL-ptr-deref-when-pcihost_wrapper-is-used.patch +ssb-Handle-alternate-SSPROM-location.patch +# v2.6.33.7.1-rt29.patch +perf-Use-kmap_atomic_direct.patch +perf-Provide-kmap_atomic_direct-for-CONFIG_HIGHMEM.patch +staging-comedi-Fix-type-in-semaphore-conversion.patch +NFS-Fix-an-Oops-in-the-NFSv4-atomic-open-code.patch +can-add-limit-for-nframes-and-clean-up-signed-unsign.patch +KEYS-Fix-RCU-no-lock-warning-in-keyctl_session_to_pa.patch +KEYS-Fix-bug-in-keyctl_session_to_parent-if-parent-h.patch +niu-Fix-kernel-buffer-overflow-for-ETHTOOL_GRXCLSRLA.patch +x86-Limit-32bit-PAE-memory-to-16G.patch +tracing-Do-not-allow-llseek-to-set_ftrace_filter.patch +act_nat-use-stack-variable.patch +net-sched-fix-some-kernel-memory-leaks.patch +wireless-extensions-fix-kernel-heap-content-leak.patch +ALSA-seq-oss-Fix-double-free-at-error-path-of-snd_se.patch +compat-Make-compat_alloc_user_space-incorporate-the-.patch +x86-64-compat-Test-rax-for-the-syscall-number-not-ea.patch +x86-64-compat-Retruncate-rax-after-ia32-syscall-entr.patch +drm-block-userspace-under-allocating-buffer-and-havi.patch +mm-keep-a-guard-page-below-a-grow-down-stack-segment.patch +mm-fix-missing-page-table-unmap-for-stack-guard-page.patch +mm-fix-page-table-unmap-for-stack-guard-page-properl.patch +mm-fix-up-some-user-visible-effects-of-the-stack-gua.patch +mm-make-the-vma-list-be-doubly-linked.patch +mm-make-the-mlock-stack-guard-page-checks-stricter.patch +mm-make-stack-guard-page-logic-use-vm_prev-pointer.patch +AT91-SAM9G45-add-a-separate-clock-entry-for-every-si.patch +powerpc-fsl-booke-Move-loadcam_entry-back-to-asm-cod.patch +rt-mm-fix-kthreadd-livelock-in-drain_local_pages_wor.patch +tracing-Add-combined-timer-and-wakeup-latency-histog.patch +net-ebtables-Work-around-per-cpu-assumptions.patch +x86-Convert-mce-timer-to-hrtimer.patch +x86-stackprotector-Avoid-random-pool-on-rt.patch # # Temporary commits just to facilitate "git diff" tree comparisons. # @@ -501,4 +568,4 @@ bad-bad-code-damage-put-it-in-Guantanamo.patch # # # -v2.6.33.7-rt29.patch +v2.6.33.7.2-rt30.patch diff --git a/slow-work-use-get_ref-wrapper-instead-of-directly-ca.patch b/slow-work-use-get_ref-wrapper-instead-of-directly-ca.patch new file mode 100644 index 0000000..be8c5b9 --- /dev/null +++ b/slow-work-use-get_ref-wrapper-instead-of-directly-ca.patch @@ -0,0 +1,35 @@ +From ab006e335c3f31d09e4067af18b065750cc23128 Mon Sep 17 00:00:00 2001 +From: Dave Airlie <airlied@redhat.com> +Date: Mon, 29 Mar 2010 12:01:50 +0100 +Subject: [PATCH] slow-work: use get_ref wrapper instead of directly calling get_ref + +commit ab006e335c3f31d09e4067af18b065750cc23128 in tip. + +commit 88be12c440cfa2fa3f5be83507360aac9ea1c54e upstream. + +Otherwise we can get an oops if the user has no get_ref/put_ref +requirement. + +Signed-off-by: Dave Airlie <airlied@redhat.com> +Signed-off-by: David Howells <dhowells@redhat.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Cc: Kurt Garloff <garloff@suse.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/kernel/slow-work.c b/kernel/slow-work.c +index 7494bbf..7d3f4fa 100644 +--- a/kernel/slow-work.c ++++ b/kernel/slow-work.c +@@ -637,7 +637,7 @@ int delayed_slow_work_enqueue(struct delayed_slow_work *dwork, + goto cancelled; + + /* the timer holds a reference whilst it is pending */ +- ret = work->ops->get_ref(work); ++ ret = slow_work_get_ref(work); + if (ret < 0) + goto cant_get_ref; + +-- +1.7.1.1 + diff --git a/ssb-Handle-alternate-SSPROM-location.patch b/ssb-Handle-alternate-SSPROM-location.patch new file mode 100644 index 0000000..123dbcd --- /dev/null +++ b/ssb-Handle-alternate-SSPROM-location.patch @@ -0,0 +1,69 @@ +From e6c02110e0dc98464340d41695258e927f884f48 Mon Sep 17 00:00:00 2001 +From: Larry Finger <Larry.Finger@lwfinger.net> +Date: Fri, 14 May 2010 22:08:58 -0500 +Subject: [PATCH] ssb: Handle alternate SSPROM location + +commit e6c02110e0dc98464340d41695258e927f884f48 in tip. + +commit 9d1ac34ec3a67713308ae0883c3359c557f14d17 upstream. + +In kernel Bugzilla #15825 (2 users), in a wireless mailing list thread +(http://lists.infradead.org/pipermail/b43-dev/2010-May/000124.html), and on a +netbook owned by John Linville +(http://marc.info/?l=linux-wireless&m=127230751408818&w=4), there are reports +of ssb failing to detect an SPROM at the normal location. After studying the +MMIO trace dump for the Broadcom wl driver, it was determined that the affected +boxes had a relocated SPROM. + +This patch fixes all systems that have reported this problem. + +Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/ssb/driver_chipcommon.c b/drivers/ssb/driver_chipcommon.c +index a55cff8..bbf1cb2 100644 +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -235,6 +235,7 @@ void ssb_chipcommon_init(struct ssb_chipcommon *cc) + return; /* We don't have a ChipCommon */ + if (cc->dev->id.revision >= 11) + cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); ++ ssb_dprintk(KERN_INFO PFX "chipcommon status is 0x%x\n", cc->status); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c +index 243db85..321d9ef 100644 +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -625,11 +625,22 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, + return -ENODEV; + } + if (bus->chipco.dev) { /* can be unavailible! */ +- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? +- SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ /* ++ * get SPROM offset: SSB_SPROM_BASE1 except for ++ * chipcommon rev >= 31 or chip ID is 0x4312 and ++ * chipcommon status & 3 == 2 ++ */ ++ if (bus->chipco.dev->id.revision >= 31) ++ bus->sprom_offset = SSB_SPROM_BASE31; ++ else if (bus->chip_id == 0x4312 && ++ (bus->chipco.status & 0x03) == 2) ++ bus->sprom_offset = SSB_SPROM_BASE31; ++ else ++ bus->sprom_offset = SSB_SPROM_BASE1; + } else { + bus->sprom_offset = SSB_SPROM_BASE1; + } ++ ssb_dprintk(KERN_INFO PFX "SPROM offset is 0x%x\n", bus->sprom_offset); + + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) +-- +1.7.1.1 + diff --git a/ssb-Look-for-SPROM-at-different-offset-on-higher-rev.patch b/ssb-Look-for-SPROM-at-different-offset-on-higher-rev.patch new file mode 100644 index 0000000..b75e34b --- /dev/null +++ b/ssb-Look-for-SPROM-at-different-offset-on-higher-rev.patch @@ -0,0 +1,94 @@ +From 9ab4cdebfe963748baba3146c5616c1b601f0cf9 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Rafa=C5=82=20Mi=C5=82ecki?= <zajec5@gmail.com> +Date: Wed, 31 Mar 2010 21:59:21 +0200 +Subject: [PATCH] ssb: Look for SPROM at different offset on higher rev CC + +commit 9ab4cdebfe963748baba3146c5616c1b601f0cf9 in tip. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit ea2db495f92ad2cf3301623e60cb95b4062bc484 upstream. + +Our offset handling becomes even a little more hackish now. For some reason I +do not understand all offsets as inrelative. It assumes base offset is 0x1000 +but it will work for now as we make offsets relative anyway by removing base +0x1000. Should be cleaner however. + +Signed-off-by: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Cc: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c +index a4b2b99..5bb1278 100644 +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -167,7 +167,7 @@ err_pci: + } + + /* Get the word-offset for a SSB_SPROM_XXX define. */ +-#define SPOFF(offset) (((offset) - SSB_SPROM_BASE) / sizeof(u16)) ++#define SPOFF(offset) (((offset) - SSB_SPROM_BASE1) / sizeof(u16)) + /* Helper to extract some _offset, which is one of the SSB_SPROM_XXX defines. */ + #define SPEX16(_outvar, _offset, _mask, _shift) \ + out->_outvar = ((in[SPOFF(_offset)] & (_mask)) >> (_shift)) +@@ -253,7 +253,7 @@ static int sprom_do_read(struct ssb_bus *bus, u16 *sprom) + int i; + + for (i = 0; i < bus->sprom_size; i++) +- sprom[i] = ioread16(bus->mmio + SSB_SPROM_BASE + (i * 2)); ++ sprom[i] = ioread16(bus->mmio + bus->sprom_offset + (i * 2)); + + return 0; + } +@@ -284,7 +284,7 @@ static int sprom_do_write(struct ssb_bus *bus, const u16 *sprom) + ssb_printk("75%%"); + else if (i % 2) + ssb_printk("."); +- writew(sprom[i], bus->mmio + SSB_SPROM_BASE + (i * 2)); ++ writew(sprom[i], bus->mmio + bus->sprom_offset + (i * 2)); + mmiowb(); + msleep(20); + } +@@ -625,6 +625,9 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, + return -ENODEV; + } + ++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? ++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; +diff --git a/include/linux/ssb/ssb.h b/include/linux/ssb/ssb.h +index 3b4da23..a2608bf 100644 +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -305,6 +305,7 @@ struct ssb_bus { + /* ID information about the Chip. */ + u16 chip_id; + u16 chip_rev; ++ u16 sprom_offset; + u16 sprom_size; /* number of words in sprom */ + u8 chip_package; + +diff --git a/include/linux/ssb/ssb_regs.h b/include/linux/ssb/ssb_regs.h +index 9ae9082..b8be23c 100644 +--- a/include/linux/ssb/ssb_regs.h ++++ b/include/linux/ssb/ssb_regs.h +@@ -170,7 +170,8 @@ + #define SSB_SPROMSIZE_WORDS_R4 220 + #define SSB_SPROMSIZE_BYTES_R123 (SSB_SPROMSIZE_WORDS_R123 * sizeof(u16)) + #define SSB_SPROMSIZE_BYTES_R4 (SSB_SPROMSIZE_WORDS_R4 * sizeof(u16)) +-#define SSB_SPROM_BASE 0x1000 ++#define SSB_SPROM_BASE1 0x1000 ++#define SSB_SPROM_BASE31 0x0800 + #define SSB_SPROM_REVISION 0x107E + #define SSB_SPROM_REVISION_REV 0x00FF /* SPROM Revision number */ + #define SSB_SPROM_REVISION_CRC 0xFF00 /* SPROM CRC8 value */ +-- +1.7.1.1 + diff --git a/ssb-do-not-read-SPROM-if-it-does-not-exist.patch b/ssb-do-not-read-SPROM-if-it-does-not-exist.patch new file mode 100644 index 0000000..2123d91 --- /dev/null +++ b/ssb-do-not-read-SPROM-if-it-does-not-exist.patch @@ -0,0 +1,147 @@ +From 314beea43b3778f7919917154afc11d134bba9fd Mon Sep 17 00:00:00 2001 +From: John W. Linville <linville@tuxdriver.com> +Date: Wed, 31 Mar 2010 21:39:35 +0200 +Subject: [PATCH] ssb: do not read SPROM if it does not exist + +commit 314beea43b3778f7919917154afc11d134bba9fd in tip. +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit d53cdbb94a52a920d5420ed64d986c3523a56743 upstream. + +Attempting to read registers that don't exist on the SSB bus can cause +hangs on some boxes. At least some b43 devices are 'in the wild' that +don't have SPROMs at all. When the SSB bus support loads, it attempts +to read these (non-existant) SPROMs and causes hard hangs on the box -- +no console output, etc. + +This patch adds some intelligence to determine whether or not the SPROM +is present before attempting to read it. This avoids those hard hangs +on those devices with no SPROM attached to their SSB bus. The +SSB-attached devices (e.g. b43, et al.) won't work, but at least the box +will survive to test further patches. :-) + +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: RafaÅ‚ MiÅ‚ecki <zajec5@gmail.com> +Cc: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Michael Buesch <mb@bu3sch.de> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/ssb/driver_chipcommon.c b/drivers/ssb/driver_chipcommon.c +index 9681536..a55cff8 100644 +--- a/drivers/ssb/driver_chipcommon.c ++++ b/drivers/ssb/driver_chipcommon.c +@@ -233,6 +233,8 @@ void ssb_chipcommon_init(struct ssb_chipcommon *cc) + { + if (!cc->dev) + return; /* We don't have a ChipCommon */ ++ if (cc->dev->id.revision >= 11) ++ cc->status = chipco_read32(cc, SSB_CHIPCO_CHIPSTAT); + ssb_pmu_init(cc); + chipco_powercontrol_init(cc); + ssb_chipco_set_clockmode(cc, SSB_CLKMODE_FAST); +diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c +index 9e50896..a4b2b99 100644 +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -620,6 +620,11 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, + int err = -ENOMEM; + u16 *buf; + ++ if (!ssb_is_sprom_available(bus)) { ++ ssb_printk(KERN_ERR PFX "No SPROM available!\n"); ++ return -ENODEV; ++ } ++ + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) + goto out; +diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c +index d0e6762..83bc088 100644 +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -175,3 +175,17 @@ const struct ssb_sprom *ssb_get_fallback_sprom(void) + { + return fallback_sprom; + } ++ ++/* http://bcm-v4.sipsolutions.net/802.11/IsSpromAvailable */ ++bool ssb_is_sprom_available(struct ssb_bus *bus) ++{ ++ /* status register only exists on chipcomon rev >= 11 and we need check ++ for >= 31 only */ ++ /* this routine differs from specs as we do not access SPROM directly ++ on PCMCIA */ ++ if (bus->bustype == SSB_BUSTYPE_PCI && ++ bus->chipco.dev->id.revision >= 31) ++ return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; ++ ++ return true; ++} +diff --git a/include/linux/ssb/ssb.h b/include/linux/ssb/ssb.h +index 24f9885..3b4da23 100644 +--- a/include/linux/ssb/ssb.h ++++ b/include/linux/ssb/ssb.h +@@ -394,6 +394,9 @@ extern int ssb_bus_sdiobus_register(struct ssb_bus *bus, + + extern void ssb_bus_unregister(struct ssb_bus *bus); + ++/* Does the device have an SPROM? */ ++extern bool ssb_is_sprom_available(struct ssb_bus *bus); ++ + /* Set a fallback SPROM. + * See kdoc at the function definition for complete documentation. */ + extern int ssb_arch_set_fallback_sprom(const struct ssb_sprom *sprom); +diff --git a/include/linux/ssb/ssb_driver_chipcommon.h b/include/linux/ssb/ssb_driver_chipcommon.h +index 4e27acf..2cdf249 100644 +--- a/include/linux/ssb/ssb_driver_chipcommon.h ++++ b/include/linux/ssb/ssb_driver_chipcommon.h +@@ -53,6 +53,7 @@ + #define SSB_CHIPCO_CAP_64BIT 0x08000000 /* 64-bit Backplane */ + #define SSB_CHIPCO_CAP_PMU 0x10000000 /* PMU available (rev >= 20) */ + #define SSB_CHIPCO_CAP_ECI 0x20000000 /* ECI available (rev >= 20) */ ++#define SSB_CHIPCO_CAP_SPROM 0x40000000 /* SPROM present */ + #define SSB_CHIPCO_CORECTL 0x0008 + #define SSB_CHIPCO_CORECTL_UARTCLK0 0x00000001 /* Drive UART with internal clock */ + #define SSB_CHIPCO_CORECTL_SE 0x00000002 /* sync clk out enable (corerev >= 3) */ +@@ -385,6 +386,7 @@ + + + /** Chip specific Chip-Status register contents. */ ++#define SSB_CHIPCO_CHST_4322_SPROM_EXISTS 0x00000040 /* SPROM present */ + #define SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL 0x00000003 + #define SSB_CHIPCO_CHST_4325_DEFCIS_SEL 0 /* OTP is powered up, use def. CIS, no SPROM */ + #define SSB_CHIPCO_CHST_4325_SPROM_SEL 1 /* OTP is powered up, SPROM is present */ +@@ -398,6 +400,18 @@ + #define SSB_CHIPCO_CHST_4325_RCAL_VALUE_SHIFT 4 + #define SSB_CHIPCO_CHST_4325_PMUTOP_2B 0x00000200 /* 1 for 2b, 0 for to 2a */ + ++/** Macros to determine SPROM presence based on Chip-Status register. */ ++#define SSB_CHIPCO_CHST_4312_SPROM_PRESENT(status) \ ++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_OTP_SEL) ++#define SSB_CHIPCO_CHST_4322_SPROM_PRESENT(status) \ ++ (status & SSB_CHIPCO_CHST_4322_SPROM_EXISTS) ++#define SSB_CHIPCO_CHST_4325_SPROM_PRESENT(status) \ ++ (((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_DEFCIS_SEL) && \ ++ ((status & SSB_CHIPCO_CHST_4325_SPROM_OTP_SEL) != \ ++ SSB_CHIPCO_CHST_4325_OTP_SEL)) ++ + + + /** Clockcontrol masks and values **/ +@@ -564,6 +578,7 @@ struct ssb_chipcommon_pmu { + struct ssb_chipcommon { + struct ssb_device *dev; + u32 capabilities; ++ u32 status; + /* Fast Powerup Delay constant */ + u16 fast_pwrup_delay; + struct ssb_chipcommon_pmu pmu; +-- +1.7.1.1 + diff --git a/ssb-fix-NULL-ptr-deref-when-pcihost_wrapper-is-used.patch b/ssb-fix-NULL-ptr-deref-when-pcihost_wrapper-is-used.patch new file mode 100644 index 0000000..8dabbd1 --- /dev/null +++ b/ssb-fix-NULL-ptr-deref-when-pcihost_wrapper-is-used.patch @@ -0,0 +1,59 @@ +From 0bc60c25bef60f44d8686ed0971d1499b0fe1930 Mon Sep 17 00:00:00 2001 +From: Christoph Fritz <chf.fritz@googlemail.com> +Date: Fri, 28 May 2010 10:45:59 +0200 +Subject: [PATCH] ssb: fix NULL ptr deref when pcihost_wrapper is used + +commit 0bc60c25bef60f44d8686ed0971d1499b0fe1930 in tip. + +commit da1fdb02d9200ff28b6f3a380d21930335fe5429 upstream. + +Ethernet driver b44 does register ssb by it's pcihost_wrapper +and doesn't set ssb_chipcommon. A check on this value +introduced with commit d53cdbb94a52a920d5420ed64d986c3523a56743 +and ea2db495f92ad2cf3301623e60cb95b4062bc484 triggers: + +BUG: unable to handle kernel NULL pointer dereference at 00000010 +IP: [<c1266c36>] ssb_is_sprom_available+0x16/0x30 + +Signed-off-by: Christoph Fritz <chf.fritz@googlemail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Cc: Larry Finger <Larry.Finger@lwfinger.net> +Cc: Ben Hutchings <ben@decadent.org.uk> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/drivers/ssb/pci.c b/drivers/ssb/pci.c +index 5bb1278..243db85 100644 +--- a/drivers/ssb/pci.c ++++ b/drivers/ssb/pci.c +@@ -624,9 +624,12 @@ static int ssb_pci_sprom_get(struct ssb_bus *bus, + ssb_printk(KERN_ERR PFX "No SPROM available!\n"); + return -ENODEV; + } +- +- bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? +- SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ if (bus->chipco.dev) { /* can be unavailible! */ ++ bus->sprom_offset = (bus->chipco.dev->id.revision < 31) ? ++ SSB_SPROM_BASE1 : SSB_SPROM_BASE31; ++ } else { ++ bus->sprom_offset = SSB_SPROM_BASE1; ++ } + + buf = kcalloc(SSB_SPROMSIZE_WORDS_R123, sizeof(u16), GFP_KERNEL); + if (!buf) +diff --git a/drivers/ssb/sprom.c b/drivers/ssb/sprom.c +index 83bc088..7249f26 100644 +--- a/drivers/ssb/sprom.c ++++ b/drivers/ssb/sprom.c +@@ -184,6 +184,7 @@ bool ssb_is_sprom_available(struct ssb_bus *bus) + /* this routine differs from specs as we do not access SPROM directly + on PCMCIA */ + if (bus->bustype == SSB_BUSTYPE_PCI && ++ bus->chipco.dev && /* can be unavailible! */ + bus->chipco.dev->id.revision >= 31) + return bus->chipco.capabilities & SSB_CHIPCO_CAP_SPROM; + +-- +1.7.1.1 + diff --git a/staging-comedi-Fix-type-in-semaphore-conversion.patch b/staging-comedi-Fix-type-in-semaphore-conversion.patch new file mode 100644 index 0000000..d237794 --- /dev/null +++ b/staging-comedi-Fix-type-in-semaphore-conversion.patch @@ -0,0 +1,29 @@ +From 00b073df968c8ced3df1e43d4d04ae52af5ff999 Mon Sep 17 00:00:00 2001 +From: adi@drcomp.erfurt.thur.de <adi@drcomp.erfurt.thur.de> +Date: Thu, 16 Sep 2010 17:28:40 +0200 +Subject: [PATCH] staging/comedi: Fix type in semaphore conversion + +commit 00b073df968c8ced3df1e43d4d04ae52af5ff999 in tip. + +This patch corrects a typo in the RT patchset that prevents usbdux.c +from being built. + +Signed-off-by: Adrian Knoth <adi@drcomp.erfurt.thur.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/drivers/staging/comedi/drivers/usbdux.c b/drivers/staging/comedi/drivers/usbdux.c +index d611bd7..b98e91c 100644 +--- a/drivers/staging/comedi/drivers/usbdux.c ++++ b/drivers/staging/comedi/drivers/usbdux.c +@@ -2370,7 +2370,7 @@ static int usbduxsub_probe(struct usb_interface *uinterf, + dev_dbg(dev, "comedi_: usbdux: " + "usbduxsub[%d] is ready to connect to comedi.\n", index); + +- sema_init(&(usbduxsub[index].sem)), 1; ++ sema_init(&(usbduxsub[index].sem), 1); + /* save a pointer to the usb device */ + usbduxsub[index].usbdev = udev; + +-- +1.7.1.1 + diff --git a/tracing-Add-combined-timer-and-wakeup-latency-histog.patch b/tracing-Add-combined-timer-and-wakeup-latency-histog.patch new file mode 100644 index 0000000..7c50a12 --- /dev/null +++ b/tracing-Add-combined-timer-and-wakeup-latency-histog.patch @@ -0,0 +1,379 @@ +From cfaca74d233d07b0e29c134062a980d1e89ddd20 Mon Sep 17 00:00:00 2001 +From: Carsten Emde <C.Emde@osadl.org> +Date: Mon, 18 Oct 2010 22:53:08 +0100 +Subject: [PATCH] tracing: Add combined timer and wakeup latency histogram + +commit cfaca74d233d07b0e29c134062a980d1e89ddd20 in tip. + +The real-time wakeup latency tracer (wakeup_rt) and the wakeup latency +histogram (CONFIG_WAKEUP_LATENCY_HIST) monitor processes that have the +highest priority of the system throughout their entire wakeup processing +and do not share this priority with any other concurrently running or +scheduled process. Thus, this tracer should be able to determine a +system's worst-case latency. However, in a situation where interrupts +are temporarily disabled, the timer interrupt to enqueue a process is +already late, but the latency between enqueuing and wakeup still may be +normal. In this case, an erroneously low latency is recorded. + +To overcome this limitation and to create a true recording of the +apparent latency of every single wakeup procedure, an additional tracer +was implemented. This tracer determines the offset between the intended +timeout and the real timeout of the timer interrupts; the +CONFIG_MISSED_TIMER_OFFSETS_HIST configuration item is used to enable +this tracer. + +For the time being, however, these two tracers work independently; in +consequence, the worst-case timer offset and the worst-case wakeup latency +cannot simply be added to determine the overall scheduling latency, since the +two worst-case values normally are not derived at the same time from the +same process. + +This patch adds the additional latency histogram "timerandwakeup"; it is +based on the existing wakeup latency histogram, except that the timer +latency is added to the recorded latency value, if the process was +enqueued and woken up as a result of an expired wakeup timer. The +"timerandwakeup" latency histogram is configured implicitly, if both +CONFIG_WAKEUP_LATENCY_HIST and CONFIG_MISSED_TIMER_OFFSETS_HIST are +configured, but must be enabled separately at run-time. + +Signed-off-by: Carsten Emde <C.Emde@osadl.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/Documentation/trace/histograms.txt b/Documentation/trace/histograms.txt +index 6645057..0528201 100644 +--- a/Documentation/trace/histograms.txt ++++ b/Documentation/trace/histograms.txt +@@ -36,14 +36,20 @@ Effective latencies are actually occuring during wakeup of a process. To + determine effective latencies, the kernel stores the time stamp when a + process is scheduled to be woken up, and determines the duration of the + wakeup time shortly before control is passed over to this process. Note +-that the apparent latency in user space may be considerably longer, +-since +-i) interrupts may be disabled preventing the scheduler from initiating +-the wakeup mechanism, and +-ii) the process may be interrupted after control is passed over to it +-but before user space execution takes place. +-- Configuration item (in the Kernel hacking/Tracers submenu) ++that the apparent latency in user space may be somewhat longer, since the ++process may be interrupted after control is passed over to it but before ++the execution in user space takes place. Simply measuring the interval ++between enqueuing and wakeup may also not appropriate in cases when a ++process is scheduled as a result of a timer expiration. The timer may have ++missed its deadline, e.g. due to disabled interrupts, but this latency ++would not be registered. Therefore, the offsets of missed timers are ++recorded in a separate histogram. If both wakeup latency and missed timer ++offsets are configured and enabled, a third histogram may be enabled that ++records the overall latency as a sum of the timer latency, if any, and the ++wakeup latency. This histogram is called "timerandwakeup". ++- Configuration items (in the Kernel hacking/Tracers submenu) + CONFIG_WAKEUP_LATENCY ++ CONFIG_MISSED_TIMER_OFSETS + + + * Usage +@@ -59,30 +65,34 @@ from shell command line level, or add + nodev /sys sysfs defaults 0 0 + nodev /sys/kernel/debug debugfs defaults 0 0 + +-to the file /etc/fstab. All latency histogram related files are ++to the file /etc/fstab. All latency histogram related files are then + available in the directory /sys/kernel/debug/tracing/latency_hist. A + particular histogram type is enabled by writing non-zero to the related + variable in the /sys/kernel/debug/tracing/latency_hist/enable directory. + Select "preemptirqsoff" for the histograms of potential sources of +-latencies and "wakeup" for histograms of effective latencies. The ++latencies and "wakeup" for histograms of effective latencies etc. The + histogram data - one per CPU - are available in the files + + /sys/kernel/debug/tracing/latency_hist/preemptoff/CPUx + /sys/kernel/debug/tracing/latency_hist/irqsoff/CPUx + /sys/kernel/debug/tracing/latency_hist/preemptirqsoff/CPUx +-/sys/kernel/debug/tracing/latency_hist/wakeup/CPUx. ++/sys/kernel/debug/tracing/latency_hist/wakeup/CPUx ++/sys/kernel/debug/tracing/latency_hist/wakeup/sharedprio/CPUx ++/sys/kernel/debug/tracing/latency_hist/missed_timer_offsets/CPUx ++/sys/kernel/debug/tracing/latency_hist/timerandwakeup/CPUx + + The histograms are reset by writing non-zero to the file "reset" in a + particular latency directory. To reset all latency data, use + + #!/bin/sh + +-HISTDIR=/sys/kernel/debug/tracing/latency_hist ++TRACINGDIR=/sys/kernel/debug/tracing ++HISTDIR=$TRACINGDIR/latency_hist + + if test -d $HISTDIR + then + cd $HISTDIR +- for i in */reset ++ for i in `find . | grep /reset$` + do + echo 1 >$i + done +@@ -138,7 +148,7 @@ grep -v " 0$" /sys/kernel/debug/tracing/latency_hist/preemptoff/CPU0 + To only collect wakeup latency data of a particular process, write the + PID of the requested process to + +-/sys/kernel/debug/tracing/latency_hist/wakeup/pid. ++/sys/kernel/debug/tracing/latency_hist/wakeup/pid + + PIDs are not considered, if this variable is set to 0. + +diff --git a/include/linux/sched.h b/include/linux/sched.h +index 4610e2c..71ef150 100644 +--- a/include/linux/sched.h ++++ b/include/linux/sched.h +@@ -1658,6 +1658,9 @@ struct task_struct { + unsigned long trace_recursion; + #ifdef CONFIG_WAKEUP_LATENCY_HIST + u64 preempt_timestamp_hist; ++#ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST ++ unsigned long timer_offset; ++#endif + #endif + #endif /* CONFIG_TRACING */ + #ifdef CONFIG_CGROUP_MEM_RES_CTLR /* memcg uses this to do batch job */ +diff --git a/kernel/trace/Kconfig b/kernel/trace/Kconfig +index 7d57890..a9f1344 100644 +--- a/kernel/trace/Kconfig ++++ b/kernel/trace/Kconfig +@@ -267,10 +267,24 @@ config WAKEUP_LATENCY_HIST + + /sys/kernel/debug/tracing/latency_hist/wakeup/sharedprio + ++ If both Scheduling Latency Histogram and Missed Timer Offsets ++ Histogram are selected, additional histogram data will be collected ++ that contain, in addition to the wakeup latency, the timer latency, in ++ case the wakeup was triggered by an expired timer. These histograms ++ are available in the ++ ++ /sys/kernel/debug/tracing/latency_hist/timerandwakeup ++ ++ directory. They reflect the apparent interrupt and scheduling latency ++ and are best suitable to determine the worst-case latency of a given ++ system. To enable these histograms, write a non-zero number to ++ ++ /sys/kernel/debug/tracing/latency_hist/enable/timerandwakeup ++ + config MISSED_TIMER_OFFSETS_HIST + depends on GENERIC_TIME + select GENERIC_TRACER +- bool "Missed timer offsets histogram" ++ bool "Missed Timer Offsets Histogram" + help + Generate a histogram of missed timer offsets in microseconds. The + histograms are disabled by default. To enable them, write a non-zero +@@ -282,6 +296,20 @@ config MISSED_TIMER_OFFSETS_HIST + + /sys/kernel/debug/tracing/latency_hist/missed_timer_offsets + ++ If both Scheduling Latency Histogram and Missed Timer Offsets ++ Histogram are selected, additional histogram data will be collected ++ that contain, in addition to the wakeup latency, the timer latency, in ++ case the wakeup was triggered by an expired timer. These histograms ++ are available in the ++ ++ /sys/kernel/debug/tracing/latency_hist/timerandwakeup ++ ++ directory. They reflect the apparent interrupt and scheduling latency ++ and are best suitable to determine the worst-case latency of a given ++ system. To enable these histograms, write a non-zero number to ++ ++ /sys/kernel/debug/tracing/latency_hist/enable/timerandwakeup ++ + config SYSPROF_TRACER + bool "Sysprof Tracer" + depends on X86 +diff --git a/kernel/trace/latency_hist.c b/kernel/trace/latency_hist.c +index 7c26615..43dba1e 100644 +--- a/kernel/trace/latency_hist.c ++++ b/kernel/trace/latency_hist.c +@@ -36,6 +36,7 @@ enum { + WAKEUP_LATENCY, + WAKEUP_LATENCY_SHAREDPRIO, + MISSED_TIMER_OFFSETS, ++ TIMERANDWAKEUP_LATENCY, + MAX_LATENCY_TYPE, + }; + +@@ -134,6 +135,17 @@ static DEFINE_PER_CPU(struct maxlatproc_data, missed_timer_offsets_maxlatproc); + static unsigned long missed_timer_offsets_pid; + #endif + ++#if defined(CONFIG_WAKEUP_LATENCY_HIST) && \ ++ defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) ++static DEFINE_PER_CPU(struct hist_data, timerandwakeup_latency_hist); ++static char *timerandwakeup_latency_hist_dir = "timerandwakeup"; ++static struct enable_data timerandwakeup_enabled_data = { ++ .latency_type = TIMERANDWAKEUP_LATENCY, ++ .enabled = 0, ++}; ++static DEFINE_PER_CPU(struct maxlatproc_data, timerandwakeup_maxlatproc); ++#endif ++ + void notrace latency_hist(int latency_type, int cpu, unsigned long latency, + struct task_struct *p) + { +@@ -179,15 +191,23 @@ void notrace latency_hist(int latency_type, int cpu, unsigned long latency, + mp = &per_cpu(missed_timer_offsets_maxlatproc, cpu); + break; + #endif ++#if defined(CONFIG_WAKEUP_LATENCY_HIST) && \ ++ defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) ++ case TIMERANDWAKEUP_LATENCY: ++ my_hist = &per_cpu(timerandwakeup_latency_hist, cpu); ++ mp = &per_cpu(timerandwakeup_maxlatproc, cpu); ++ break; ++#endif ++ + default: + return; + } + ++ latency += my_hist->offset; ++ + if (atomic_read(&my_hist->hist_mode) == 0) + return; + +- latency += my_hist->offset; +- + if (latency < 0 || latency >= MAX_ENTRY_NUM) { + if (latency < 0) + my_hist->below_hist_bound_samples++; +@@ -203,7 +223,8 @@ void notrace latency_hist(int latency_type, int cpu, unsigned long latency, + defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) + if (latency_type == WAKEUP_LATENCY || + latency_type == WAKEUP_LATENCY_SHAREDPRIO || +- latency_type == MISSED_TIMER_OFFSETS) { ++ latency_type == MISSED_TIMER_OFFSETS || ++ latency_type == TIMERANDWAKEUP_LATENCY) { + strncpy(mp->comm, p->comm, sizeof(mp->comm)); + mp->pid = task_pid_nr(p); + mp->prio = p->prio; +@@ -384,6 +405,13 @@ latency_hist_reset(struct file *file, const char __user *a, + mp = &per_cpu(missed_timer_offsets_maxlatproc, cpu); + break; + #endif ++#if defined(CONFIG_WAKEUP_LATENCY_HIST) && \ ++ defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) ++ case TIMERANDWAKEUP_LATENCY: ++ hist = &per_cpu(timerandwakeup_latency_hist, cpu); ++ mp = &per_cpu(timerandwakeup_maxlatproc, cpu); ++ break; ++#endif + } + + hist_reset(hist); +@@ -391,7 +419,8 @@ latency_hist_reset(struct file *file, const char __user *a, + defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) + if (latency_type == WAKEUP_LATENCY || + latency_type == WAKEUP_LATENCY_SHAREDPRIO || +- latency_type == MISSED_TIMER_OFFSETS) { ++ latency_type == MISSED_TIMER_OFFSETS || ++ latency_type == TIMERANDWAKEUP_LATENCY) { + mp->comm[0] = '\0'; + mp->prio = mp->pid = mp->latency = -1; + } +@@ -567,6 +596,14 @@ do_enable(struct file *file, const char __user *ubuf, size_t cnt, loff_t *ppos) + } + break; + #endif ++#if defined(CONFIG_WAKEUP_LATENCY_HIST) && \ ++ defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) ++ case TIMERANDWAKEUP_LATENCY: ++ if (!wakeup_latency_enabled_data.enabled || ++ !missed_timer_offsets_enabled_data.enabled) ++ return -EINVAL; ++ break; ++#endif + default: + break; + } +@@ -615,12 +652,18 @@ do_enable(struct file *file, const char __user *ubuf, size_t cnt, loff_t *ppos) + per_cpu(wakeup_sharedprio, cpu) = 0; + } + } ++#ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST ++ timerandwakeup_enabled_data.enabled = 0; ++#endif + break; + #endif + #ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST + case MISSED_TIMER_OFFSETS: + unregister_trace_hrtimer_interrupt( + probe_hrtimer_interrupt); ++#ifdef CONFIG_WAKEUP_LATENCY_HIST ++ timerandwakeup_enabled_data.enabled = 0; ++#endif + break; + #endif + default: +@@ -861,10 +904,20 @@ static notrace void probe_wakeup_latency_hist_stop(struct rq *rq, + if (per_cpu(wakeup_sharedprio, cpu)) { + latency_hist(WAKEUP_LATENCY_SHAREDPRIO, cpu, latency, next); + per_cpu(wakeup_sharedprio, cpu) = 0; +- } else ++ } else { + latency_hist(WAKEUP_LATENCY, cpu, latency, next); ++#ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST ++ if (timerandwakeup_enabled_data.enabled) { ++ latency_hist(TIMERANDWAKEUP_LATENCY, cpu, ++ next->timer_offset + latency, next); ++ } ++#endif ++ } + + out_reset: ++#ifdef CONFIG_MISSED_TIMER_OFFSETS_HIST ++ next->timer_offset = 0; ++#endif + put_task_struct(cpu_wakeup_task); + per_cpu(wakeup_task, cpu) = NULL; + out: +@@ -888,6 +941,9 @@ static notrace void probe_hrtimer_interrupt(int cpu, long long latency_ns, + + latency = (unsigned long) div_s64(-latency_ns, 1000); + latency_hist(MISSED_TIMER_OFFSETS, cpu, latency, task); ++#ifdef CONFIG_WAKEUP_LATENCY_HIST ++ task->timer_offset = latency; ++#endif + } + } + #endif +@@ -1035,6 +1091,32 @@ static __init int latency_hist_init(void) + enable_root, (void *)&missed_timer_offsets_enabled_data, + &enable_fops); + #endif ++ ++#if defined(CONFIG_WAKEUP_LATENCY_HIST) && \ ++ defined(CONFIG_MISSED_TIMER_OFFSETS_HIST) ++ dentry = debugfs_create_dir(timerandwakeup_latency_hist_dir, ++ latency_hist_root); ++ for_each_possible_cpu(i) { ++ sprintf(name, cpufmt, i); ++ entry = debugfs_create_file(name, 0444, dentry, ++ &per_cpu(timerandwakeup_latency_hist, i), ++ &latency_hist_fops); ++ my_hist = &per_cpu(timerandwakeup_latency_hist, i); ++ atomic_set(&my_hist->hist_mode, 1); ++ my_hist->min_lat = 0xFFFFFFFFUL; ++ ++ sprintf(name, cpufmt_maxlatproc, i); ++ mp = &per_cpu(timerandwakeup_maxlatproc, i); ++ entry = debugfs_create_file(name, 0444, dentry, mp, ++ &maxlatproc_fops); ++ mp->prio = mp->pid = mp->latency = -1; ++ } ++ entry = debugfs_create_file("reset", 0644, dentry, ++ (void *)TIMERANDWAKEUP_LATENCY, &latency_hist_reset_fops); ++ entry = debugfs_create_file("timerandwakeup", 0644, ++ enable_root, (void *)&timerandwakeup_enabled_data, ++ &enable_fops); ++#endif + return 0; + } + +-- +1.7.1.1 + diff --git a/tracing-Do-not-allow-llseek-to-set_ftrace_filter.patch b/tracing-Do-not-allow-llseek-to-set_ftrace_filter.patch new file mode 100644 index 0000000..d627096 --- /dev/null +++ b/tracing-Do-not-allow-llseek-to-set_ftrace_filter.patch @@ -0,0 +1,53 @@ +From dc7dde7adbc57b7461b4b1302c94fe31699f60e2 Mon Sep 17 00:00:00 2001 +From: Steven Rostedt <srostedt@redhat.com> +Date: Wed, 8 Sep 2010 11:20:37 -0400 +Subject: [PATCH] tracing: Do not allow llseek to set_ftrace_filter + +commit dc7dde7adbc57b7461b4b1302c94fe31699f60e2 in tip. + +Reading the file set_ftrace_filter does three things. + +1) shows whether or not filters are set for the function tracer +2) shows what functions are set for the function tracer +3) shows what triggers are set on any functions + +3 is independent from 1 and 2. + +The way this file currently works is that it is a state machine, +and as you read it, it may change state. But this assumption breaks +when you use lseek() on the file. The state machine gets out of sync +and the t_show() may use the wrong pointer and cause a kernel oops. + +Luckily, this will only kill the app that does the lseek, but the app +dies while holding a mutex. This prevents anyone else from using the +set_ftrace_filter file (or any other function tracing file for that matter). + +A real fix for this is to rewrite the code, but that is too much for +a -rc release or stable. This patch simply disables llseek on the +set_ftrace_filter() file for now, and we can do the proper fix for the +next major release. + +Reported-by: Robert Swiecki <swiecki@google.com> +Cc: Chris Wright <chrisw@sous-sol.org> +Cc: Tavis Ormandy <taviso@google.com> +Cc: Eugene Teo <eugene@redhat.com> +Cc: vendor-sec@lst.de +Cc: <stable@kernel.org> +Signed-off-by: Steven Rostedt <rostedt@goodmis.org> + +diff --git a/kernel/trace/ftrace.c b/kernel/trace/ftrace.c +index 9ed787f..a30e205 100644 +--- a/kernel/trace/ftrace.c ++++ b/kernel/trace/ftrace.c +@@ -2410,7 +2410,7 @@ static const struct file_operations ftrace_filter_fops = { + .open = ftrace_filter_open, + .read = seq_read, + .write = ftrace_filter_write, +- .llseek = ftrace_regex_lseek, ++ .llseek = no_llseek, + .release = ftrace_filter_release, + }; + +-- +1.7.1.1 + diff --git a/v2.6.33.7-rt29.patch b/v2.6.33.7.2-rt30.patch index f02752f..2241710 100644 --- a/v2.6.33.7-rt29.patch +++ b/v2.6.33.7.2-rt30.patch @@ -1,12 +1,14 @@ -From 4a5565c894f6c51ce5912882cdd931a6a7df97ab Mon Sep 17 00:00:00 2001 +From 377e0c673b5841d2c13c2f45f92c13d425fd128a Mon Sep 17 00:00:00 2001 From: Thomas Gleixner <tglx@linutronix.de> -Date: Tue, 3 Aug 2010 11:10:07 +0200 -Subject: [PATCH] v2.6.33.7-rt29 +Date: Tue, 21 Dec 2010 10:35:47 +0100 +Subject: [PATCH] v2.6.33.7.2-rt30 + +commit 377e0c673b5841d2c13c2f45f92c13d425fd128a in tip. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> diff --git a/Makefile b/Makefile -index 7409f21..09cecdc 100644 +index a0ed9de..5e4679b 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ @@ -14,7 +16,7 @@ index 7409f21..09cecdc 100644 PATCHLEVEL = 6 SUBLEVEL = 33 -EXTRAVERSION = .7 -+EXTRAVERSION = .7-rt29 ++EXTRAVERSION = .7.2-rt30 NAME = Man-Eating Seals of Antiquity # *DOCUMENTATION* diff --git a/wireless-extensions-fix-kernel-heap-content-leak.patch b/wireless-extensions-fix-kernel-heap-content-leak.patch new file mode 100644 index 0000000..1faaa1b --- /dev/null +++ b/wireless-extensions-fix-kernel-heap-content-leak.patch @@ -0,0 +1,81 @@ +From 5741fe45da56e3a75eac22942d0fae123ae7d9a0 Mon Sep 17 00:00:00 2001 +From: Johannes Berg <johannes.berg@intel.com> +Date: Mon, 30 Aug 2010 12:24:54 +0200 +Subject: [PATCH] wireless extensions: fix kernel heap content leak + +commit 5741fe45da56e3a75eac22942d0fae123ae7d9a0 in tip. + +commit 42da2f948d949efd0111309f5827bf0298bcc9a4 upstream + +Wireless extensions have an unfortunate, undocumented +requirement which requires drivers to always fill +iwp->length when returning a successful status. When +a driver doesn't do this, it leads to a kernel heap +content leak when userspace offers a larger buffer +than would have been necessary. + +Arguably, this is a driver bug, as it should, if it +returns 0, fill iwp->length, even if it separately +indicated that the buffer contents was not valid. + +However, we can also at least avoid the memory content +leak if the driver doesn't do this by setting the iwp +length to max_tokens, which then reflects how big the +buffer is that the driver may fill, regardless of how +big the userspace buffer is. + +To illustrate the point, this patch also fixes a +corresponding cfg80211 bug (since this requirement +isn't documented nor was ever pointed out by anyone +during code review, I don't trust all drivers nor +all cfg80211 handlers to implement it correctly). + +Cc: stable@kernel.org [all the way back] +Signed-off-by: Johannes Berg <johannes.berg@intel.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/net/wireless/wext-compat.c b/net/wireless/wext-compat.c +index 4198243..28ac277 100644 +--- a/net/wireless/wext-compat.c ++++ b/net/wireless/wext-compat.c +@@ -1388,6 +1388,9 @@ int cfg80211_wext_giwessid(struct net_device *dev, + { + struct wireless_dev *wdev = dev->ieee80211_ptr; + ++ data->flags = 0; ++ data->length = 0; ++ + switch (wdev->iftype) { + case NL80211_IFTYPE_ADHOC: + return cfg80211_ibss_wext_giwessid(dev, info, data, ssid); +diff --git a/net/wireless/wext-core.c b/net/wireless/wext-core.c +index 5e1656b..c040b98 100644 +--- a/net/wireless/wext-core.c ++++ b/net/wireless/wext-core.c +@@ -781,6 +781,22 @@ static int ioctl_standard_iw_point(struct iw_point *iwp, unsigned int cmd, + } + } + ++ if (IW_IS_GET(cmd) && !(descr->flags & IW_DESCR_FLAG_NOMAX)) { ++ /* ++ * If this is a GET, but not NOMAX, it means that the extra ++ * data is not bounded by userspace, but by max_tokens. Thus ++ * set the length to max_tokens. This matches the extra data ++ * allocation. ++ * The driver should fill it with the number of tokens it ++ * provided, and it may check iwp->length rather than having ++ * knowledge of max_tokens. If the driver doesn't change the ++ * iwp->length, this ioctl just copies back max_token tokens ++ * filled with zeroes. Hopefully the driver isn't claiming ++ * them to be valid data. ++ */ ++ iwp->length = descr->max_tokens; ++ } ++ + err = handler(dev, info, (union iwreq_data *) iwp, extra); + + iwp->length += essid_compat; +-- +1.7.1.1 + diff --git a/x86-64-compat-Retruncate-rax-after-ia32-syscall-entr.patch b/x86-64-compat-Retruncate-rax-after-ia32-syscall-entr.patch new file mode 100644 index 0000000..ea65057 --- /dev/null +++ b/x86-64-compat-Retruncate-rax-after-ia32-syscall-entr.patch @@ -0,0 +1,51 @@ +From 3609ee783b603f811c3c1d9b2bba3a15dc8030cd Mon Sep 17 00:00:00 2001 +From: Roland McGrath <roland@redhat.com> +Date: Tue, 14 Sep 2010 12:22:58 -0700 +Subject: [PATCH] x86-64, compat: Retruncate rax after ia32 syscall entry tracing + +commit 3609ee783b603f811c3c1d9b2bba3a15dc8030cd in tip. + +commit eefdca043e8391dcd719711716492063030b55ac upstream + +In commit d4d6715, we reopened an old hole for a 64-bit ptracer touching a +32-bit tracee in system call entry. A %rax value set via ptrace at the +entry tracing stop gets used whole as a 32-bit syscall number, while we +only check the low 32 bits for validity. + +Fix it by truncating %rax back to 32 bits after syscall_trace_enter, +in addition to testing the full 64 bits as has already been added. + +Reported-by: Ben Hawkes <hawkes@sota.gen.nz> +Signed-off-by: Roland McGrath <roland@redhat.com> +Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 93996a7..d9438ba 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -50,7 +50,12 @@ + /* + * Reload arg registers from stack in case ptrace changed them. + * We don't reload %eax because syscall_trace_enter() returned +- * the value it wants us to use in the table lookup. ++ * the %rax value we should see. Instead, we just truncate that ++ * value to 32 bits again as we did on entry from user mode. ++ * If it's a new value set by user_regset during entry tracing, ++ * this matches the normal truncation of the user-mode value. ++ * If it's -1 to make us punt the syscall, then (u32)-1 is still ++ * an appropriately invalid value. + */ + .macro LOAD_ARGS32 offset, _r9=0 + .if \_r9 +@@ -60,6 +65,7 @@ + movl \offset+48(%rsp),%edx + movl \offset+56(%rsp),%esi + movl \offset+64(%rsp),%edi ++ movl %eax,%eax /* zero extension */ + .endm + + .macro CFI_STARTPROC32 simple +-- +1.7.1.1 + diff --git a/x86-64-compat-Test-rax-for-the-syscall-number-not-ea.patch b/x86-64-compat-Test-rax-for-the-syscall-number-not-ea.patch new file mode 100644 index 0000000..c852b52 --- /dev/null +++ b/x86-64-compat-Test-rax-for-the-syscall-number-not-ea.patch @@ -0,0 +1,99 @@ +From b2104d5552a93f7efa58be388ad7c3d5faf747ca Mon Sep 17 00:00:00 2001 +From: H. Peter Anvin <hpa@linux.intel.com> +Date: Tue, 14 Sep 2010 12:42:41 -0700 +Subject: [PATCH] x86-64, compat: Test %rax for the syscall number, not %eax + +commit b2104d5552a93f7efa58be388ad7c3d5faf747ca in tip. + +commit 36d001c70d8a0144ac1d038f6876c484849a74de upstream + +On 64 bits, we always, by necessity, jump through the system call +table via %rax. For 32-bit system calls, in theory the system call +number is stored in %eax, and the code was testing %eax for a valid +system call number. At one point we loaded the stored value back from +the stack to enforce zero-extension, but that was removed in checkin +d4d67150165df8bf1cc05e532f6efca96f907cab. An actual 32-bit process +will not be able to introduce a non-zero-extended number, but it can +happen via ptrace. + +Instead of re-introducing the zero-extension, test what we are +actually going to use, i.e. %rax. This only adds a handful of REX +prefixes to the code. + +Reported-by: Ben Hawkes <hawkes@sota.gen.nz> +Signed-off-by: H. Peter Anvin <hpa@linux.intel.com> +Cc: <stable@kernel.org> +Cc: Roland McGrath <roland@redhat.com> +Cc: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/ia32/ia32entry.S b/arch/x86/ia32/ia32entry.S +index 53147ad..93996a7 100644 +--- a/arch/x86/ia32/ia32entry.S ++++ b/arch/x86/ia32/ia32entry.S +@@ -153,7 +153,7 @@ ENTRY(ia32_sysenter_target) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) + CFI_REMEMBER_STATE + jnz sysenter_tracesys +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja ia32_badsys + sysenter_do_call: + IA32_ARG_FIXUP +@@ -195,7 +195,7 @@ sysexit_from_sys_call: + movl $AUDIT_ARCH_I386,%edi /* 1st arg: audit arch */ + call audit_syscall_entry + movl RAX-ARGOFFSET(%rsp),%eax /* reload syscall number */ +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja ia32_badsys + movl %ebx,%edi /* reload 1st syscall arg */ + movl RCX-ARGOFFSET(%rsp),%esi /* reload 2nd syscall arg */ +@@ -248,7 +248,7 @@ sysenter_tracesys: + call syscall_trace_enter + LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* sysenter_tracesys has set RAX(%rsp) */ + jmp sysenter_do_call + CFI_ENDPROC +@@ -314,7 +314,7 @@ ENTRY(ia32_cstar_target) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) + CFI_REMEMBER_STATE + jnz cstar_tracesys +- cmpl $IA32_NR_syscalls-1,%eax ++ cmpq $IA32_NR_syscalls-1,%rax + ja ia32_badsys + cstar_do_call: + IA32_ARG_FIXUP 1 +@@ -367,7 +367,7 @@ cstar_tracesys: + LOAD_ARGS32 ARGOFFSET, 1 /* reload args from stack in case ptrace changed it */ + RESTORE_REST + xchgl %ebp,%r9d +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* cstar_tracesys has set RAX(%rsp) */ + jmp cstar_do_call + END(ia32_cstar_target) +@@ -425,7 +425,7 @@ ENTRY(ia32_syscall) + orl $TS_COMPAT,TI_status(%r10) + testl $_TIF_WORK_SYSCALL_ENTRY,TI_flags(%r10) + jnz ia32_tracesys +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja ia32_badsys + ia32_do_call: + IA32_ARG_FIXUP +@@ -444,7 +444,7 @@ ia32_tracesys: + call syscall_trace_enter + LOAD_ARGS32 ARGOFFSET /* reload args from stack in case ptrace changed it */ + RESTORE_REST +- cmpl $(IA32_NR_syscalls-1),%eax ++ cmpq $(IA32_NR_syscalls-1),%rax + ja int_ret_from_sys_call /* ia32_tracesys has set RAX(%rsp) */ + jmp ia32_do_call + END(ia32_syscall) +-- +1.7.1.1 + diff --git a/x86-Convert-mce-timer-to-hrtimer.patch b/x86-Convert-mce-timer-to-hrtimer.patch new file mode 100644 index 0000000..8d74f8b --- /dev/null +++ b/x86-Convert-mce-timer-to-hrtimer.patch @@ -0,0 +1,156 @@ +From 76bdf0c3151369f5b15af4baac2708e59347d664 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Mon, 13 Dec 2010 16:33:39 +0100 +Subject: [PATCH] x86: Convert mce timer to hrtimer + +commit 76bdf0c3151369f5b15af4baac2708e59347d664 in tip. + +mce_timer is started in atomic contexts of cpu bringup. This results +in might_sleep() warnings on RT. Convert mce_timer to a hrtimer to +avoid this. + +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/kernel/cpu/mcheck/mce.c b/arch/x86/kernel/cpu/mcheck/mce.c +index a8aacd4..2b4aba9 100644 +--- a/arch/x86/kernel/cpu/mcheck/mce.c ++++ b/arch/x86/kernel/cpu/mcheck/mce.c +@@ -35,6 +35,7 @@ + #include <linux/fs.h> + #include <linux/mm.h> + #include <linux/debugfs.h> ++#include <linux/jiffies.h> + + #include <asm/processor.h> + #include <asm/hw_irq.h> +@@ -1131,17 +1132,14 @@ void mce_log_therm_throt_event(__u64 status) + * poller finds an MCE, poll 2x faster. When the poller finds no more + * errors, poll 2x slower (up to check_interval seconds). + */ +-static int check_interval = 5 * 60; /* 5 minutes */ ++static unsigned long check_interval = 5 * 60; /* 5 minutes */ + +-static DEFINE_PER_CPU(int, mce_next_interval); /* in jiffies */ +-static DEFINE_PER_CPU(struct timer_list, mce_timer); ++static DEFINE_PER_CPU(unsigned long, mce_next_interval); /* in jiffies */ ++static DEFINE_PER_CPU(struct hrtimer, mce_timer); + +-static void mce_start_timer(unsigned long data) ++static enum hrtimer_restart mce_start_timer(struct hrtimer *timer) + { +- struct timer_list *t = &per_cpu(mce_timer, data); +- int *n; +- +- WARN_ON(smp_processor_id() != data); ++ unsigned long *n; + + if (mce_available(¤t_cpu_data)) { + machine_check_poll(MCP_TIMESTAMP, +@@ -1154,12 +1152,13 @@ static void mce_start_timer(unsigned long data) + */ + n = &__get_cpu_var(mce_next_interval); + if (mce_notify_irq()) +- *n = max(*n/2, HZ/100); ++ *n = max(*n/2, HZ/100UL); + else +- *n = min(*n*2, (int)round_jiffies_relative(check_interval*HZ)); ++ *n = min(*n*2, round_jiffies_relative(check_interval*HZ)); + +- t->expires = jiffies + *n; +- add_timer_on(t, smp_processor_id()); ++ hrtimer_forward(timer, timer->base->get_time(), ++ ns_to_ktime(jiffies_to_usecs(*n) * 1000)); ++ return HRTIMER_RESTART; + } + + static void mce_do_trigger(struct work_struct *work) +@@ -1385,10 +1384,11 @@ static void __mcheck_cpu_init_vendor(struct cpuinfo_x86 *c) + + static void __mcheck_cpu_init_timer(void) + { +- struct timer_list *t = &__get_cpu_var(mce_timer); +- int *n = &__get_cpu_var(mce_next_interval); ++ struct hrtimer *t = &__get_cpu_var(mce_timer); ++ unsigned long *n = &__get_cpu_var(mce_next_interval); + +- setup_timer(t, mce_start_timer, smp_processor_id()); ++ hrtimer_init(t, CLOCK_MONOTONIC, HRTIMER_MODE_REL); ++ t->function = mce_start_timer; + + if (mce_ignore_ce) + return; +@@ -1396,8 +1396,9 @@ static void __mcheck_cpu_init_timer(void) + *n = check_interval * HZ; + if (!*n) + return; +- t->expires = round_jiffies(jiffies + *n); +- add_timer_on(t, smp_processor_id()); ++ ++ hrtimer_start_range_ns(t, ns_to_ktime(jiffies_to_usecs(*n) * 1000), ++ 0 , HRTIMER_MODE_REL_PINNED); + } + + /* Handle unconfigured int18 (should never happen) */ +@@ -1711,7 +1712,7 @@ static int mce_resume(struct sys_device *dev) + + static void mce_cpu_restart(void *data) + { +- del_timer_sync(&__get_cpu_var(mce_timer)); ++ hrtimer_cancel(&__get_cpu_var(mce_timer)); + if (!mce_available(¤t_cpu_data)) + return; + __mcheck_cpu_init_generic(); +@@ -1730,7 +1731,7 @@ static void mce_disable_ce(void *all) + if (!mce_available(¤t_cpu_data)) + return; + if (all) +- del_timer_sync(&__get_cpu_var(mce_timer)); ++ hrtimer_cancel(&__get_cpu_var(mce_timer)); + cmci_clear(); + } + +@@ -1962,6 +1963,8 @@ static void __cpuinit mce_disable_cpu(void *h) + if (!mce_available(¤t_cpu_data)) + return; + ++ hrtimer_cancel(&__get_cpu_var(mce_timer)); ++ + if (!(action & CPU_TASKS_FROZEN)) + cmci_clear(); + for (i = 0; i < banks; i++) { +@@ -1988,6 +1991,7 @@ static void __cpuinit mce_reenable_cpu(void *h) + if (b->init) + wrmsrl(MSR_IA32_MCx_CTL(i), b->ctl); + } ++ __mcheck_cpu_init_timer(); + } + + /* Get notified when a cpu comes on/off. Be hotplug friendly. */ +@@ -1995,7 +1999,6 @@ static int __cpuinit + mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu) + { + unsigned int cpu = (unsigned long)hcpu; +- struct timer_list *t = &per_cpu(mce_timer, cpu); + + switch (action) { + case CPU_ONLINE: +@@ -2012,16 +2015,10 @@ mce_cpu_callback(struct notifier_block *nfb, unsigned long action, void *hcpu) + break; + case CPU_DOWN_PREPARE: + case CPU_DOWN_PREPARE_FROZEN: +- del_timer_sync(t); + smp_call_function_single(cpu, mce_disable_cpu, &action, 1); + break; + case CPU_DOWN_FAILED: + case CPU_DOWN_FAILED_FROZEN: +- if (!mce_ignore_ce && check_interval) { +- t->expires = round_jiffies(jiffies + +- __get_cpu_var(mce_next_interval)); +- add_timer_on(t, cpu); +- } + smp_call_function_single(cpu, mce_reenable_cpu, &action, 1); + break; + case CPU_POST_DEAD: +-- +1.7.1.1 + diff --git a/x86-Limit-32bit-PAE-memory-to-16G.patch b/x86-Limit-32bit-PAE-memory-to-16G.patch new file mode 100644 index 0000000..d8933d4 --- /dev/null +++ b/x86-Limit-32bit-PAE-memory-to-16G.patch @@ -0,0 +1,60 @@ +From 2da92b60dd58ce7613a909165cbd84cb69217b7d Mon Sep 17 00:00:00 2001 +From: Luis Claudio R. Goncalves <lgoncalv@redhat.com> +Date: Thu, 9 Sep 2010 21:13:28 +0200 +Subject: [PATCH] x86: Limit 32bit PAE memory to 16G + +commit 2da92b60dd58ce7613a909165cbd84cb69217b7d in tip. + +This patch limits the amount of usable physical RAM to 16 GB on +i386. It solves bug 311411 "[RHEL5 RT] Kernel panic - not syncing: Out +of memory". + +The crash was caused by running out of low memory while allocating the +memory map on machines equipped with more than ~56 GB RAM. The realtime +kernel does not like having too much RAM because it has larger struct +page then the normal kernel. + +The officially supported amount of RAM on i386 RHEL-5 is 16 GB anyway. + +Originally-From: Michal Schmidt <mschmidt@redhat.com> +Signed-off-by: Clark Williams <williams@redhat.com> +Signed-off-by: Luis Claudio R. Goncalves <lgoncalv@redhat.com> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/include/asm/setup.h b/arch/x86/include/asm/setup.h +index 18e496c..32a748a 100644 +--- a/arch/x86/include/asm/setup.h ++++ b/arch/x86/include/asm/setup.h +@@ -13,6 +13,7 @@ + */ + #define MAXMEM_PFN PFN_DOWN(MAXMEM) + #define MAX_NONPAE_PFN (1 << 20) ++#define MAX_SANE_PAE_PFN (1 << 22) + + #endif /* __i386__ */ + +diff --git a/arch/x86/kernel/e820.c b/arch/x86/kernel/e820.c +index a1a7876..5158861 100644 +--- a/arch/x86/kernel/e820.c ++++ b/arch/x86/kernel/e820.c +@@ -1136,6 +1136,17 @@ static unsigned long __init e820_end_pfn(unsigned long limit_pfn, unsigned type) + + if (start_pfn >= limit_pfn) + continue; ++#ifdef CONFIG_X86_32 ++ if (end_pfn > MAX_SANE_PAE_PFN) { ++ last_pfn = MAX_SANE_PAE_PFN; ++ printk(KERN_WARNING ++ "WARNING: Running a 32 bit kernel with more " ++ "than 16 GB RAM is not supported on MRG RT.\n" ++ "Using only 16 GB. To take advantage of all " ++ "of your RAM, use a x86_64 kernel.\n"); ++ break; ++ } ++#endif + if (end_pfn > limit_pfn) { + last_pfn = limit_pfn; + break; +-- +1.7.1.1 + diff --git a/x86-stackprotector-Avoid-random-pool-on-rt.patch b/x86-stackprotector-Avoid-random-pool-on-rt.patch new file mode 100644 index 0000000..424dce3 --- /dev/null +++ b/x86-stackprotector-Avoid-random-pool-on-rt.patch @@ -0,0 +1,51 @@ +From 5fed714f43c07bb622426ccc4de8c8c7500cb148 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Thu, 16 Dec 2010 14:25:18 +0100 +Subject: [PATCH] x86: stackprotector: Avoid random pool on rt + +commit 5fed714f43c07bb622426ccc4de8c8c7500cb148 in tip. + +CPU bringup calls into the random pool to initialize the stack +canary. During boot that works nicely even on RT as the might sleep +checks are disabled. During CPU hotplug the might sleep checks +trigger. Making the locks in random raw is a major PITA, so avoid the +call on RT is the only sensible solution. This is basically the same +randomness which we get during boot where the random pool has no +entropy and we rely on the TSC randomnness. + +Reported-by: Carsten Emde <carsten.emde@osadl.org> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> + +diff --git a/arch/x86/include/asm/stackprotector.h b/arch/x86/include/asm/stackprotector.h +index 1575177..4cf440f 100644 +--- a/arch/x86/include/asm/stackprotector.h ++++ b/arch/x86/include/asm/stackprotector.h +@@ -58,7 +58,7 @@ + */ + static __always_inline void boot_init_stack_canary(void) + { +- u64 canary; ++ u64 uninitialized_var(canary); + u64 tsc; + + #ifdef CONFIG_X86_64 +@@ -69,8 +69,16 @@ static __always_inline void boot_init_stack_canary(void) + * of randomness. The TSC only matters for very early init, + * there it already has some randomness on most systems. Later + * on during the bootup the random pool has true entropy too. ++ * ++ * For preempt-rt we need to weaken the randomness a bit, as ++ * we can't call into the random generator from atomic context ++ * due to locking constraints. We just leave canary ++ * uninitialized and use the TSC based randomness on top of ++ * it. + */ ++#ifndef CONFIG_PREEMPT_RT + get_random_bytes(&canary, sizeof(canary)); ++#endif + tsc = __native_read_tsc(); + canary += tsc + (tsc << 32UL); + +-- +1.7.1.1 + diff --git a/xen-drop-xen_sched_clock-in-favour-of-using-plain-wa.patch b/xen-drop-xen_sched_clock-in-favour-of-using-plain-wa.patch new file mode 100644 index 0000000..89d82af --- /dev/null +++ b/xen-drop-xen_sched_clock-in-favour-of-using-plain-wa.patch @@ -0,0 +1,89 @@ +From 8d5c4661948a86d4a0d733f521f99c49cd988e37 Mon Sep 17 00:00:00 2001 +From: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> +Date: Mon, 12 Jul 2010 11:49:59 -0700 +Subject: [PATCH] xen: drop xen_sched_clock in favour of using plain wallclock time + +commit 8d5c4661948a86d4a0d733f521f99c49cd988e37 in tip. + +commit 8a22b9996b001c88f2bfb54c6de6a05fc39e177a upstream. + +xen_sched_clock only counts unstolen time. In principle this should +be useful to the Linux scheduler so that it knows how much time a process +actually consumed. But in practice this doesn't work very well as the +scheduler expects the sched_clock time to be synchronized between +cpus. It also uses sched_clock to measure the time a task spends +sleeping, in which case "unstolen time" isn't meaningful. + +So just use plain xen_clocksource_read to return wallclock nanoseconds +for sched_clock. + +Signed-off-by: Jeremy Fitzhardinge <jeremy.fitzhardinge@citrix.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/arch/x86/xen/enlighten.c b/arch/x86/xen/enlighten.c +index b607239..90a8da8 100644 +--- a/arch/x86/xen/enlighten.c ++++ b/arch/x86/xen/enlighten.c +@@ -926,7 +926,7 @@ static const struct pv_init_ops xen_init_ops __initdata = { + }; + + static const struct pv_time_ops xen_time_ops __initdata = { +- .sched_clock = xen_sched_clock, ++ .sched_clock = xen_clocksource_read, + }; + + static const struct pv_cpu_ops xen_cpu_ops __initdata = { +diff --git a/arch/x86/xen/time.c b/arch/x86/xen/time.c +index 0d3f07c..646f4e2 100644 +--- a/arch/x86/xen/time.c ++++ b/arch/x86/xen/time.c +@@ -154,45 +154,6 @@ static void do_stolen_accounting(void) + account_idle_ticks(ticks); + } + +-/* +- * Xen sched_clock implementation. Returns the number of unstolen +- * nanoseconds, which is nanoseconds the VCPU spent in RUNNING+BLOCKED +- * states. +- */ +-unsigned long long xen_sched_clock(void) +-{ +- struct vcpu_runstate_info state; +- cycle_t now; +- u64 ret; +- s64 offset; +- +- /* +- * Ideally sched_clock should be called on a per-cpu basis +- * anyway, so preempt should already be disabled, but that's +- * not current practice at the moment. +- */ +- preempt_disable(); +- +- now = xen_clocksource_read(); +- +- get_runstate_snapshot(&state); +- +- WARN_ON(state.state != RUNSTATE_running); +- +- offset = now - state.state_entry_time; +- if (offset < 0) +- offset = 0; +- +- ret = state.time[RUNSTATE_blocked] + +- state.time[RUNSTATE_running] + +- offset; +- +- preempt_enable(); +- +- return ret; +-} +- +- + /* Get the TSC speed from Xen */ + unsigned long xen_tsc_khz(void) + { +-- +1.7.1.1 + diff --git a/xfs-prevent-swapext-from-operating-on-write-only-fil.patch b/xfs-prevent-swapext-from-operating-on-write-only-fil.patch new file mode 100644 index 0000000..5c56417 --- /dev/null +++ b/xfs-prevent-swapext-from-operating-on-write-only-fil.patch @@ -0,0 +1,45 @@ +From 127524e1a065bd3208db65b156e2bebac8bd0e94 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <dan.j.rosenberg@gmail.com> +Date: Thu, 24 Jun 2010 12:07:47 +1000 +Subject: [PATCH] xfs: prevent swapext from operating on write-only files + +commit 127524e1a065bd3208db65b156e2bebac8bd0e94 in tip. + +commit 1817176a86352f65210139d4c794ad2d19fc6b63 upstream. + +This patch prevents user "foo" from using the SWAPEXT ioctl to swap +a write-only file owned by user "bar" into a file owned by "foo" and +subsequently reading it. It does so by checking that the file +descriptors passed to the ioctl are also opened for reading. + +Signed-off-by: Dan Rosenberg <dan.j.rosenberg@gmail.com> +Reviewed-by: Christoph Hellwig <hch@lst.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: John Kacur <jkacur@redhat.com> + +diff --git a/fs/xfs/xfs_dfrag.c b/fs/xfs/xfs_dfrag.c +index 84ca1cf..dd1b621 100644 +--- a/fs/xfs/xfs_dfrag.c ++++ b/fs/xfs/xfs_dfrag.c +@@ -63,7 +63,9 @@ xfs_swapext( + goto out; + } + +- if (!(file->f_mode & FMODE_WRITE) || (file->f_flags & O_APPEND)) { ++ if (!(file->f_mode & FMODE_WRITE) || ++ !(file->f_mode & FMODE_READ) || ++ (file->f_flags & O_APPEND)) { + error = XFS_ERROR(EBADF); + goto out_put_file; + } +@@ -75,6 +77,7 @@ xfs_swapext( + } + + if (!(target_file->f_mode & FMODE_WRITE) || ++ !(target_file->f_mode & FMODE_READ) || + (target_file->f_flags & O_APPEND)) { + error = XFS_ERROR(EBADF); + goto out_put_target_file; +-- +1.7.1.1 + |