diff options
author | Paul Gortmaker <paul.gortmaker@windriver.com> | 2012-05-09 13:11:21 -0400 |
---|---|---|
committer | Paul Gortmaker <paul.gortmaker@windriver.com> | 2012-05-09 13:53:40 -0400 |
commit | 14664a59bf026b96283f9813019f2bcfb8ce2053 (patch) | |
tree | a2cc1c2252c5280b234e46dafa2d7079e8fcf6a9 | |
parent | fb0f146bd226339638e1441f0bd91a393bf7aff4 (diff) | |
download | longterm-queue-2.6.34-14664a59bf026b96283f9813019f2bcfb8ce2053.tar.gz |
import of selections paralleling 2.6.32.44
Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com>
46 files changed, 2520 insertions, 0 deletions
diff --git a/audit/from-v2.6.32/audit.txt b/audit/from-v2.6.32/audit.txt index 69aa206..9b1a3a0 100644 --- a/audit/from-v2.6.32/audit.txt +++ b/audit/from-v2.6.32/audit.txt @@ -3133,3 +3133,61 @@ b63010f5 b5199515 v3.0 n 86df3486 a91d9287 v3.0 n f55a989b 99a15e21 v3.0 n 4553fbdf 2b472611 v3.0 n +---- v2.6.32.44 ---- +Commit Parent Parent in In 34.x Notes +======================================================================== +3481be7e xxxxxxxx -- ? -- n/a Makefile ver. change +58e6859b 2e302ebf v2.6.33 y +bb30b191 xxxxxxxx -- ? -- ? +3d247615 d15b774c v3.1 n +c72ff34c 286f367d v3.1 n +67b0a842 ca9380fd v3.1 n +fc10e555 1d1221f3 v3.0 n +2beffeba 21c5977a v3.0 n +35ed3d0f d5aa407f v2.6.34 y +05154233 e924960d v2.6.34 y +7606088a c2892f02 v2.6.34 y +39371f2a 24e6cf92 v2.6.36 n +eda9d27e fc87a406 v2.6.36 n +223c7f08 4ff67b72 v2.6.36 n +0d5c4526 xxxxxxxx -- ? -- n/a a revert +436aa5fe f1c18071 v2.6.37 n +4534a8bb 995bd3bb v2.6.36 n +cb815937 51d33021 v3.1 n +38e6bb76 e04f5f7e v3.1 n +108786ae 81463c1d v3.1 n +8a8b5c1b ebc63e53 v3.1 n +98aea907 ad95c5e9 v3.1 n +b259a3c0 0d0138eb v3.1 n +78a4ddf9 07d0c38e v3.1 n +33009117 864d296c v3.1 n +1b7fbaab 63f21a56 v3.1 n +1932c741 050438ed v3.1 n +8d858047 b5b51544 v3.1 n +2dee3236 2a350cab v3.1 n +e766b12b 82103978 v3.1 n +eaf507ea 676b58c2 v3.1 n +da229078 5911e963 v3.1 n +3cd03745 94c5b41b v3.1 n +122c9c81 6c7b3ea5 v3.1 n +b43906bf c5c69f3f v3.0 y in queue already +262e2d9d 3c5fec75 v3.1 n/a later reverted. +6691c4c3 6ea12a04 v3.1 n +51faabb8 819cbb12 v3.1 n +82b6e850 026dfaf1 v3.1 n +99d74703 5d78fcb0 v2.6.35 n +741172ee 9a61d726 v2.6.34 y +9d8970f0 b7798d28 v3.0 n +3da5a14f 8c56cacc v3.0 n +49d571cd 9daedd83 v3.0 n +90d769e3 0c03150e v3.1 n +166d832b d3f684f2 v3.0 n +abcd4aa3 dc6b8450 v3.0 n +5bba1fce ec0dd267 v3.0 n +a05061d6 b55c5989 v3.0 n +809eb666 e5012d1f v3.0 n +c3c239c6 17dd759c v3.1 y in queue already +5c47b590 a024c1a6 v3.0 n +f89e20d6 50e9efd6 v3.0 n +46905de0 227690df v3.0 n +32910025 e999dc50 v3.0 n diff --git a/queue/ALSA-sound-core-pcm_compat.c-adjust-array-index.patch b/queue/ALSA-sound-core-pcm_compat.c-adjust-array-index.patch new file mode 100644 index 0000000..793440d --- /dev/null +++ b/queue/ALSA-sound-core-pcm_compat.c-adjust-array-index.patch @@ -0,0 +1,48 @@ +From d35cda8da6f83fc317e6b180cb40002afd06b05d Mon Sep 17 00:00:00 2001 +From: Julia Lawall <julia@diku.dk> +Date: Thu, 28 Jul 2011 14:46:05 +0200 +Subject: [PATCH] ALSA: sound/core/pcm_compat.c: adjust array index + +commit ca9380fd68514c7bc952282c1b4fc70607e9fe43 upstream. + +Convert array index from the loop bound to the loop index. + +A simplified version of the semantic patch that fixes this problem is as +follows: (http://coccinelle.lip6.fr/) + +// <smpl> +@@ +expression e1,e2,ar; +@@ + +for(e1 = 0; e1 < e2; e1++) { <... + ar[ +- e2 ++ e1 + ] + ...> } +// </smpl> + +Signed-off-by: Julia Lawall <julia@diku.dk> +Signed-off-by: Takashi Iwai <tiwai@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + sound/core/pcm_compat.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/sound/core/pcm_compat.c b/sound/core/pcm_compat.c +index 5fb2e28..91cdf94 100644 +--- a/sound/core/pcm_compat.c ++++ b/sound/core/pcm_compat.c +@@ -342,7 +342,7 @@ static int snd_pcm_ioctl_xfern_compat(struct snd_pcm_substream *substream, + kfree(bufs); + return -EFAULT; + } +- bufs[ch] = compat_ptr(ptr); ++ bufs[i] = compat_ptr(ptr); + bufptr++; + } + if (dir == SNDRV_PCM_STREAM_PLAYBACK) +-- +1.7.9.6 + diff --git a/queue/ARM-pxa-cm-x300-fix-V3020-RTC-functionality.patch b/queue/ARM-pxa-cm-x300-fix-V3020-RTC-functionality.patch new file mode 100644 index 0000000..e4fd3ca --- /dev/null +++ b/queue/ARM-pxa-cm-x300-fix-V3020-RTC-functionality.patch @@ -0,0 +1,39 @@ +From ec53fcb7028b1dcd1d86efee324db4cd8527a7d2 Mon Sep 17 00:00:00 2001 +From: Igor Grinberg <grinberg@compulab.co.il> +Date: Mon, 9 May 2011 14:41:46 +0300 +Subject: [PATCH] ARM: pxa/cm-x300: fix V3020 RTC functionality + +commit 6c7b3ea52e345ab614edb91d3f0e9f3bb3713871 upstream. + +While in sleep mode the CS# and other V3020 RTC GPIOs must be driven +high, otherwise V3020 RTC fails to keep the right time in sleep mode. + +Signed-off-by: Igor Grinberg <grinberg@compulab.co.il> +Signed-off-by: Eric Miao <eric.y.miao@gmail.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/arm/mach-pxa/cm-x300.c | 8 ++++---- + 1 file changed, 4 insertions(+), 4 deletions(-) + +diff --git a/arch/arm/mach-pxa/cm-x300.c b/arch/arm/mach-pxa/cm-x300.c +index f054062..945b52a 100644 +--- a/arch/arm/mach-pxa/cm-x300.c ++++ b/arch/arm/mach-pxa/cm-x300.c +@@ -154,10 +154,10 @@ static mfp_cfg_t cm_x3xx_mfp_cfg[] __initdata = { + GPIO99_GPIO, /* Ethernet IRQ */ + + /* RTC GPIOs */ +- GPIO95_GPIO, /* RTC CS */ +- GPIO96_GPIO, /* RTC WR */ +- GPIO97_GPIO, /* RTC RD */ +- GPIO98_GPIO, /* RTC IO */ ++ GPIO95_GPIO | MFP_LPM_DRIVE_HIGH, /* RTC CS */ ++ GPIO96_GPIO | MFP_LPM_DRIVE_HIGH, /* RTC WR */ ++ GPIO97_GPIO | MFP_LPM_DRIVE_HIGH, /* RTC RD */ ++ GPIO98_GPIO, /* RTC IO */ + + /* Standard I2C */ + GPIO21_I2C_SCL, +-- +1.7.9.6 + diff --git a/queue/ASoC-Fix-Blackfin-I2S-_pointer-implementation-return.patch b/queue/ASoC-Fix-Blackfin-I2S-_pointer-implementation-return.patch new file mode 100644 index 0000000..178425a --- /dev/null +++ b/queue/ASoC-Fix-Blackfin-I2S-_pointer-implementation-return.patch @@ -0,0 +1,52 @@ +From 1beb131c25ed2410251f5c034350894cc3f089d5 Mon Sep 17 00:00:00 2001 +From: Mark Brown <broonie@opensource.wolfsonmicro.com> +Date: Mon, 13 Jun 2011 12:14:07 +0100 +Subject: [PATCH] ASoC: Fix Blackfin I2S _pointer() implementation return in + bounds values + +commit e999dc50404d401150a5429b6459473a691fd1a0 upstream. + +The Blackfin DMA controller can report one frame beyond the end of the +buffer in the wraparound case but ALSA requires that the pointer always +be in the buffer. Do the wraparound to handle this. A similar bug is +likely to apply to the other Blackfin PCM drivers but the code is less +obvious to inspection and I don't have a user to test. + +Reported-by: Kieran O'Leary <Kieran.O'Leary@wolfsonmicro.com> +Acked-by: Liam Girdwood <lrg@ti.com> +Signed-off-by: Mark Brown <broonie@opensource.wolfsonmicro.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + sound/soc/blackfin/bf5xx-i2s-pcm.c | 13 +++++++++++-- + 1 file changed, 11 insertions(+), 2 deletions(-) + +diff --git a/sound/soc/blackfin/bf5xx-i2s-pcm.c b/sound/soc/blackfin/bf5xx-i2s-pcm.c +index 1d2a1ad..9aa41b1 100644 +--- a/sound/soc/blackfin/bf5xx-i2s-pcm.c ++++ b/sound/soc/blackfin/bf5xx-i2s-pcm.c +@@ -139,11 +139,20 @@ static snd_pcm_uframes_t bf5xx_pcm_pointer(struct snd_pcm_substream *substream) + pr_debug("%s enter\n", __func__); + if (substream->stream == SNDRV_PCM_STREAM_PLAYBACK) { + diff = sport_curr_offset_tx(sport); +- frames = bytes_to_frames(substream->runtime, diff); + } else { + diff = sport_curr_offset_rx(sport); +- frames = bytes_to_frames(substream->runtime, diff); + } ++ ++ /* ++ * TX at least can report one frame beyond the end of the ++ * buffer if we hit the wraparound case - clamp to within the ++ * buffer as the ALSA APIs require. ++ */ ++ if (diff == snd_pcm_lib_buffer_bytes(substream)) ++ diff = 0; ++ ++ frames = bytes_to_frames(substream->runtime, diff); ++ + return frames; + } + +-- +1.7.9.6 + diff --git a/queue/Blacklist-Traxdata-CDR4120-and-IOMEGA-Zip-drive-to-a.patch b/queue/Blacklist-Traxdata-CDR4120-and-IOMEGA-Zip-drive-to-a.patch new file mode 100644 index 0000000..3ae32c9 --- /dev/null +++ b/queue/Blacklist-Traxdata-CDR4120-and-IOMEGA-Zip-drive-to-a.patch @@ -0,0 +1,43 @@ +From 4be4a790e7c12277e0e20a7c486a1e0fc113ada8 Mon Sep 17 00:00:00 2001 +From: Werner Fink <werner@novell.com> +Date: Thu, 9 Jun 2011 10:54:24 +0530 +Subject: [PATCH] Blacklist Traxdata CDR4120 and IOMEGA Zip drive to avoid + lock ups. + +commit 82103978189e9731658cd32da5eb85ab7b8542b8 upstream. + +This patch resulted from the discussion at +https://bugzilla.novell.com/show_bug.cgi?id=679277, +https://bugzilla.novell.com/show_bug.cgi?id=681840 . + +Signed-off-by: Werner Fink <werner@novell.com> +Signed-off-by: Ankit Jain <jankit@suse.de> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/scsi/scsi_devinfo.c | 2 ++ + 1 file changed, 2 insertions(+) + +diff --git a/drivers/scsi/scsi_devinfo.c b/drivers/scsi/scsi_devinfo.c +index 43fad4c..9f34f41 100644 +--- a/drivers/scsi/scsi_devinfo.c ++++ b/drivers/scsi/scsi_devinfo.c +@@ -197,6 +197,7 @@ static struct { + {"IBM", "ProFibre 4000R", "*", BLIST_SPARSELUN | BLIST_LARGELUN}, + {"IBM", "2105", NULL, BLIST_RETRY_HWERROR}, + {"iomega", "jaz 1GB", "J.86", BLIST_NOTQ | BLIST_NOLUN}, ++ {"IOMEGA", "ZIP", NULL, BLIST_NOTQ | BLIST_NOLUN}, + {"IOMEGA", "Io20S *F", NULL, BLIST_KEY}, + {"INSITE", "Floptical F*8I", NULL, BLIST_KEY}, + {"INSITE", "I325VM", NULL, BLIST_KEY}, +@@ -243,6 +244,7 @@ static struct { + {"Tornado-", "F4", "*", BLIST_NOREPORTLUN}, + {"TOSHIBA", "CDROM", NULL, BLIST_ISROM}, + {"TOSHIBA", "CD-ROM", NULL, BLIST_ISROM}, ++ {"Traxdata", "CDR4120", NULL, BLIST_NOLUN}, /* locks up */ + {"USB2.0", "SMARTMEDIA/XD", NULL, BLIST_FORCELUN | BLIST_INQUIRY_36}, + {"WangDAT", "Model 2600", "01.7", BLIST_SELECT_NO_ATN}, + {"WangDAT", "Model 3200", "02.2", BLIST_SELECT_NO_ATN}, +-- +1.7.9.6 + diff --git a/queue/EHCI-fix-direction-handling-for-interrupt-data-toggl.patch b/queue/EHCI-fix-direction-handling-for-interrupt-data-toggl.patch new file mode 100644 index 0000000..7b862e6 --- /dev/null +++ b/queue/EHCI-fix-direction-handling-for-interrupt-data-toggl.patch @@ -0,0 +1,77 @@ +From 2bcae2e1a2122f533cc6f780b0d056f3dad632bd Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Tue, 19 Jul 2011 14:01:23 -0400 +Subject: [PATCH] EHCI: fix direction handling for interrupt data toggles + +commit e04f5f7e423018bcec84c11af2058cdce87816f3 upstream. + +This patch (as1480) fixes a rather obscure bug in ehci-hcd. The +qh_update() routine needs to know the number and direction of the +endpoint corresponding to its QH argument. The number can be taken +directly from the QH data structure, but the direction isn't stored +there. The direction is taken instead from the first qTD linked to +the QH. + +However, it turns out that for interrupt transfers, qh_update() gets +called before the qTDs are linked to the QH. As a result, qh_update() +computes a bogus direction value, which messes up the endpoint toggle +handling. Under the right combination of circumstances this causes +usb_reset_endpoint() not to work correctly, which causes packets to be +dropped and communications to fail. + +Now, it's silly for the QH structure not to have direct access to all +the descriptor information for the corresponding endpoint. Ultimately +it may get a pointer to the usb_host_endpoint structure; for now, +adding a copy of the direction flag solves the immediate problem. + +This allows the Spyder2 color-calibration system (a low-speed USB +device that sends all its interrupt data packets with the toggle set +to 0 and hance requires constant use of usb_reset_endpoint) to work +when connected through a high-speed hub. Thanks to Graeme Gill for +supplying the hardware that allowed me to track down this bug. + +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Reported-by: Graeme Gill <graeme@argyllcms.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/usb/host/ehci-q.c | 3 ++- + drivers/usb/host/ehci.h | 1 + + 2 files changed, 3 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/ehci-q.c b/drivers/usb/host/ehci-q.c +index 781c573..9b46a1e 100644 +--- a/drivers/usb/host/ehci-q.c ++++ b/drivers/usb/host/ehci-q.c +@@ -103,7 +103,7 @@ qh_update (struct ehci_hcd *ehci, struct ehci_qh *qh, struct ehci_qtd *qtd) + if (!(hw->hw_info1 & cpu_to_hc32(ehci, 1 << 14))) { + unsigned is_out, epnum; + +- is_out = !(qtd->hw_token & cpu_to_hc32(ehci, 1 << 8)); ++ is_out = qh->is_out; + epnum = (hc32_to_cpup(ehci, &hw->hw_info1) >> 8) & 0x0f; + if (unlikely (!usb_gettoggle (qh->dev, epnum, is_out))) { + hw->hw_token &= ~cpu_to_hc32(ehci, QTD_TOGGLE); +@@ -945,6 +945,7 @@ done: + hw = qh->hw; + hw->hw_info1 = cpu_to_hc32(ehci, info1); + hw->hw_info2 = cpu_to_hc32(ehci, info2); ++ qh->is_out = !is_input; + usb_settoggle (urb->dev, usb_pipeendpoint (urb->pipe), !is_input, 1); + qh_refresh (ehci, qh); + return qh; +diff --git a/drivers/usb/host/ehci.h b/drivers/usb/host/ehci.h +index 20b5e16..1bb7a7f 100644 +--- a/drivers/usb/host/ehci.h ++++ b/drivers/usb/host/ehci.h +@@ -367,6 +367,7 @@ struct ehci_qh { + #define NO_FRAME ((unsigned short)~0) /* pick new start */ + + struct usb_device *dev; /* access to TT */ ++ unsigned is_out:1; /* bulk or intr OUT */ + unsigned clearing_tt:1; /* Clear-TT-Buf in progress */ + }; + +-- +1.7.9.6 + diff --git a/queue/EHCI-only-power-off-port-if-over-current-is-active.patch b/queue/EHCI-only-power-off-port-if-over-current-is-active.patch new file mode 100644 index 0000000..4cf04e9 --- /dev/null +++ b/queue/EHCI-only-power-off-port-if-over-current-is-active.patch @@ -0,0 +1,46 @@ +From 3e559ecff1a18deb6079a3d66ebacb37edadb7e4 Mon Sep 17 00:00:00 2001 +From: Sergei Shtylyov <sshtylyov@ru.mvista.com> +Date: Wed, 6 Jul 2011 23:19:38 +0400 +Subject: [PATCH] EHCI: only power off port if over-current is active + +commit 81463c1d707186adbbe534016cd1249edeab0dac upstream. + +MAX4967 USB power supply chip we use on our boards signals over-current when +power is not enabled; once it's enabled, over-current signal returns to normal. +That unfortunately caused the endless stream of "over-current change on port" +messages. The EHCI root hub code reacts on every over-current signal change +with powering off the port -- such change event is generated the moment the +port power is enabled, so once enabled the power is immediately cut off. +I think we should only cut off power when we're seeing the active over-current +signal, so I'm adding such check to that code. I also think that the fact that +we've cut off the port power should be reflected in the result of GetPortStatus +request immediately, hence I'm adding a PORTSCn register readback after write... + +Signed-off-by: Sergei Shtylyov <sshtylyov@ru.mvista.com> +Acked-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/usb/host/ehci-hub.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/drivers/usb/host/ehci-hub.c b/drivers/usb/host/ehci-hub.c +index 1b2af4d..ae32f02 100644 +--- a/drivers/usb/host/ehci-hub.c ++++ b/drivers/usb/host/ehci-hub.c +@@ -837,10 +837,11 @@ static int ehci_hub_control ( + * power switching; they're allowed to just limit the + * current. khubd will turn the power back on. + */ +- if (HCS_PPC (ehci->hcs_params)){ ++ if ((temp & PORT_OC) && HCS_PPC(ehci->hcs_params)) { + ehci_writel(ehci, + temp & ~(PORT_RWC_BITS | PORT_POWER), + status_reg); ++ temp = ehci_readl(ehci, status_reg); + } + } + +-- +1.7.9.6 + diff --git a/queue/NFSv4.1-update-nfs4_fattr_bitmap_maxsz.patch b/queue/NFSv4.1-update-nfs4_fattr_bitmap_maxsz.patch new file mode 100644 index 0000000..2ae5a1b --- /dev/null +++ b/queue/NFSv4.1-update-nfs4_fattr_bitmap_maxsz.patch @@ -0,0 +1,33 @@ +From 46aca5fdb078081d41e0323f25ac12e7cbfc17bc Mon Sep 17 00:00:00 2001 +From: Andy Adamson <andros@netapp.com> +Date: Mon, 11 Jul 2011 17:17:42 -0400 +Subject: [PATCH] NFSv4.1: update nfs4_fattr_bitmap_maxsz + +commit e5012d1f3861d18c7f3814e757c1c3ab3741dbcd upstream. + +Attribute IDs assigned in RFC 5661 now require three bitmaps. +Fixes hitting a BUG_ON in xdr_shrink_bufhead when getting ACLs. + +Signed-off-by: Andy Adamson <andros@netapp.com> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/nfs/nfs4xdr.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/fs/nfs/nfs4xdr.c b/fs/nfs/nfs4xdr.c +index 63ec2b7..c1a2f66 100644 +--- a/fs/nfs/nfs4xdr.c ++++ b/fs/nfs/nfs4xdr.c +@@ -89,7 +89,7 @@ static int nfs4_stat_to_errno(int); + #define encode_getfh_maxsz (op_encode_hdr_maxsz) + #define decode_getfh_maxsz (op_decode_hdr_maxsz + 1 + \ + ((3+NFS4_FHSIZE) >> 2)) +-#define nfs4_fattr_bitmap_maxsz 3 ++#define nfs4_fattr_bitmap_maxsz 4 + #define encode_getattr_maxsz (op_encode_hdr_maxsz + nfs4_fattr_bitmap_maxsz) + #define nfs4_name_maxsz (1 + ((3 + NFS4_MAXNAMLEN) >> 2)) + #define nfs4_path_maxsz (1 + ((3 + NFS4_MAXPATHLEN) >> 2)) +-- +1.7.9.6 + diff --git a/queue/PCI-ARI-is-a-PCIe-v2-feature.patch b/queue/PCI-ARI-is-a-PCIe-v2-feature.patch new file mode 100644 index 0000000..62e1aa1 --- /dev/null +++ b/queue/PCI-ARI-is-a-PCIe-v2-feature.patch @@ -0,0 +1,52 @@ +From 6765e5ea50be3c47bcb79a124eed85c50aa9b2a4 Mon Sep 17 00:00:00 2001 +From: Chris Wright <chrisw@sous-sol.org> +Date: Wed, 13 Jul 2011 10:14:33 -0700 +Subject: [PATCH] PCI: ARI is a PCIe v2 feature + +commit 864d296cf948aef0fa32b81407541572583f7572 upstream. + +The function pci_enable_ari() may mistakenly set the downstream port +of a v1 PCIe switch in ARI Forwarding mode. This is a PCIe v2 feature, +and with an SR-IOV device on that switch port believing the switch above +is ARI capable it may attempt to use functions 8-255, translating into +invalid (non-zero) device numbers for that bus. This has been seen +to cause Completion Timeouts and general misbehaviour including hangs +and panics. + +Acked-by: Don Dutile <ddutile@redhat.com> +Tested-by: Don Dutile <ddutile@redhat.com> +Signed-off-by: Chris Wright <chrisw@sous-sol.org> +Signed-off-by: Jesse Barnes <jbarnes@virtuousgeek.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/pci/pci.c | 7 ++++++- + 1 file changed, 6 insertions(+), 1 deletion(-) + +diff --git a/drivers/pci/pci.c b/drivers/pci/pci.c +index 8abe983..2326637 100644 +--- a/drivers/pci/pci.c ++++ b/drivers/pci/pci.c +@@ -1713,7 +1713,7 @@ void pci_enable_ari(struct pci_dev *dev) + { + int pos; + u32 cap; +- u16 ctrl; ++ u16 flags, ctrl; + struct pci_dev *bridge; + + if (!pci_is_pcie(dev) || dev->devfn) +@@ -1731,6 +1731,11 @@ void pci_enable_ari(struct pci_dev *dev) + if (!pos) + return; + ++ /* ARI is a PCIe v2 feature */ ++ pci_read_config_word(bridge, pos + PCI_EXP_FLAGS, &flags); ++ if ((flags & PCI_EXP_FLAGS_VERS) < 2) ++ return; ++ + pci_read_config_dword(bridge, pos + PCI_EXP_DEVCAP2, &cap); + if (!(cap & PCI_EXP_DEVCAP2_ARI)) + return; +-- +1.7.9.6 + diff --git a/queue/SUNRPC-Fix-a-race-between-work-queue-and-rpc_killall.patch b/queue/SUNRPC-Fix-a-race-between-work-queue-and-rpc_killall.patch new file mode 100644 index 0000000..1c9980a --- /dev/null +++ b/queue/SUNRPC-Fix-a-race-between-work-queue-and-rpc_killall.patch @@ -0,0 +1,67 @@ +From 898ce3e1b965b1aa5712a7c04539acda8dcd82ce Mon Sep 17 00:00:00 2001 +From: Trond Myklebust <Trond.Myklebust@netapp.com> +Date: Wed, 6 Jul 2011 19:58:23 -0400 +Subject: [PATCH] SUNRPC: Fix a race between work-queue and rpc_killall_tasks + +commit b55c59892e1f3b6c7d4b9ccffb4263e1486fb990 upstream. + +Since rpc_killall_tasks may modify the rpc_task's tk_action field +without any locking, we need to be careful when dereferencing it. + +Reported-by: Ben Greear <greearb@candelatech.com> +Tested-by: Ben Greear <greearb@candelatech.com> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + net/sunrpc/sched.c | 27 +++++++++++---------------- + 1 file changed, 11 insertions(+), 16 deletions(-) + +diff --git a/net/sunrpc/sched.c b/net/sunrpc/sched.c +index 03a5c9e..416ca5e 100644 +--- a/net/sunrpc/sched.c ++++ b/net/sunrpc/sched.c +@@ -628,30 +628,25 @@ static void __rpc_execute(struct rpc_task *task) + BUG_ON(RPC_IS_QUEUED(task)); + + for (;;) { ++ void (*do_action)(struct rpc_task *); + + /* +- * Execute any pending callback. ++ * Execute any pending callback first. + */ +- if (task->tk_callback) { +- void (*save_callback)(struct rpc_task *); +- +- /* +- * We set tk_callback to NULL before calling it, +- * in case it sets the tk_callback field itself: +- */ +- save_callback = task->tk_callback; +- task->tk_callback = NULL; +- save_callback(task); +- } else { ++ do_action = task->tk_callback; ++ task->tk_callback = NULL; ++ if (do_action == NULL) { + /* + * Perform the next FSM step. +- * tk_action may be NULL when the task has been killed +- * by someone else. ++ * tk_action may be NULL if the task has been killed. ++ * In particular, note that rpc_killall_tasks may ++ * do this at any time, so beware when dereferencing. + */ +- if (task->tk_action == NULL) ++ do_action = task->tk_action; ++ if (do_action == NULL) + break; +- task->tk_action(task); + } ++ do_action(task); + + /* + * Lockless check for whether task is sleeping or not. +-- +1.7.9.6 + diff --git a/queue/SUNRPC-Fix-use-of-static-variable-in-rpcb_getport_as.patch b/queue/SUNRPC-Fix-use-of-static-variable-in-rpcb_getport_as.patch new file mode 100644 index 0000000..29dbd01 --- /dev/null +++ b/queue/SUNRPC-Fix-use-of-static-variable-in-rpcb_getport_as.patch @@ -0,0 +1,39 @@ +From 719dd3fd4544a0f7c664c43727f1b10edff7c470 Mon Sep 17 00:00:00 2001 +From: Ben Greear <greearb@candelatech.com> +Date: Tue, 12 Jul 2011 10:27:55 -0700 +Subject: [PATCH] SUNRPC: Fix use of static variable in rpcb_getport_async + +commit ec0dd267bf7d08cb30e321e45a75fd40edd7e528 upstream. + +Because struct rpcbind_args *map was declared static, if two +threads entered this method at the same time, the values +assigned to map could be sent two two differen tasks. +This could cause all sorts of problems, include use-after-free +and double-free of memory. + +Fix this by removing the static declaration so that the map +pointer is on the stack. + +Signed-off-by: Ben Greear <greearb@candelatech.com> +Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + net/sunrpc/rpcb_clnt.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/net/sunrpc/rpcb_clnt.c b/net/sunrpc/rpcb_clnt.c +index 1211053..ab39ae2 100644 +--- a/net/sunrpc/rpcb_clnt.c ++++ b/net/sunrpc/rpcb_clnt.c +@@ -580,7 +580,7 @@ void rpcb_getport_async(struct rpc_task *task) + u32 bind_version; + struct rpc_xprt *xprt; + struct rpc_clnt *rpcb_clnt; +- static struct rpcbind_args *map; ++ struct rpcbind_args *map; + struct rpc_task *child; + struct sockaddr_storage addr; + struct sockaddr *sap = (struct sockaddr *)&addr; +-- +1.7.9.6 + diff --git a/queue/USB-OHCI-fix-another-regression-for-NVIDIA-controlle.patch b/queue/USB-OHCI-fix-another-regression-for-NVIDIA-controlle.patch new file mode 100644 index 0000000..92c0fa1 --- /dev/null +++ b/queue/USB-OHCI-fix-another-regression-for-NVIDIA-controlle.patch @@ -0,0 +1,87 @@ +From 6d12b0728359222c73804a9dd79cb92d7c427dff Mon Sep 17 00:00:00 2001 +From: Alan Stern <stern@rowland.harvard.edu> +Date: Fri, 15 Jul 2011 17:22:15 -0400 +Subject: [PATCH] USB: OHCI: fix another regression for NVIDIA controllers + +commit 6ea12a04d295235ed67010a09fdea58c949e3eb0 upstream. + +The NVIDIA series of OHCI controllers continues to be troublesome. A +few people using the MCP67 chipset have reported that even with the +most recent kernels, the OHCI controller fails to handle new +connections and spams the system log with "unable to enumerate USB +port" messages. This is different from the other problems previously +reported for NVIDIA OHCI controllers, although it is probably related. + +It turns out that the MCP67 controller does not like to be kept in the +RESET state very long. After only a few seconds, it decides not to +work any more. This patch (as1479) changes the PCI initialization +quirk code so that NVIDIA controllers are switched into the SUSPEND +state after 50 ms of RESET. With no interrupts enabled and all the +downstream devices reset, and thus unable to send wakeup requests, +this should be perfectly safe (even for non-NVIDIA hardware). + +The removal code in ohci-hcd hasn't been changed; it will still leave +the controller in the RESET state. As a result, if someone unloads +ohci-hcd and then reloads it, the controller won't work again until +the system is rebooted. If anybody complains about this, the removal +code can be updated similarly. + +This fixes Bugzilla #22052. + +Tested-by: Larry Finger <Larry.Finger@lwfinger.net> +Signed-off-by: Alan Stern <stern@rowland.harvard.edu> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/usb/host/pci-quirks.c | 28 ++++++++++++++++++++++++++++ + 1 file changed, 28 insertions(+) + +diff --git a/drivers/usb/host/pci-quirks.c b/drivers/usb/host/pci-quirks.c +index 464ed97..bcf7a88 100644 +--- a/drivers/usb/host/pci-quirks.c ++++ b/drivers/usb/host/pci-quirks.c +@@ -34,6 +34,8 @@ + #define OHCI_INTRSTATUS 0x0c + #define OHCI_INTRENABLE 0x10 + #define OHCI_INTRDISABLE 0x14 ++#define OHCI_FMINTERVAL 0x34 ++#define OHCI_HCR (1 << 0) /* host controller reset */ + #define OHCI_OCR (1 << 3) /* ownership change request */ + #define OHCI_CTRL_RWC (1 << 9) /* remote wakeup connected */ + #define OHCI_CTRL_IR (1 << 8) /* interrupt routing */ +@@ -204,6 +206,32 @@ static void __devinit quirk_usb_handoff_ohci(struct pci_dev *pdev) + + /* reset controller, preserving RWC (and possibly IR) */ + writel(control & OHCI_CTRL_MASK, base + OHCI_CONTROL); ++ readl(base + OHCI_CONTROL); ++ ++ /* Some NVIDIA controllers stop working if kept in RESET for too long */ ++ if (pdev->vendor == PCI_VENDOR_ID_NVIDIA) { ++ u32 fminterval; ++ int cnt; ++ ++ /* drive reset for at least 50 ms (7.1.7.5) */ ++ msleep(50); ++ ++ /* software reset of the controller, preserving HcFmInterval */ ++ fminterval = readl(base + OHCI_FMINTERVAL); ++ writel(OHCI_HCR, base + OHCI_CMDSTATUS); ++ ++ /* reset requires max 10 us delay */ ++ for (cnt = 30; cnt > 0; --cnt) { /* ... allow extra time */ ++ if ((readl(base + OHCI_CMDSTATUS) & OHCI_HCR) == 0) ++ break; ++ udelay(1); ++ } ++ writel(fminterval, base + OHCI_FMINTERVAL); ++ ++ /* Now we're in the SUSPEND state with all devices reset ++ * and wakeups and interrupts disabled ++ */ ++ } + + /* + * disable interrupts +-- +1.7.9.6 + diff --git a/queue/USB-pl2303.h-checkpatch-cleanups.patch b/queue/USB-pl2303.h-checkpatch-cleanups.patch new file mode 100644 index 0000000..1752622 --- /dev/null +++ b/queue/USB-pl2303.h-checkpatch-cleanups.patch @@ -0,0 +1,39 @@ +From c3ec06aedc0cf29ba0dbbce2a418b599922f9b4e Mon Sep 17 00:00:00 2001 +From: Greg Kroah-Hartman <gregkh@suse.de> +Date: Mon, 17 May 2010 10:33:41 -0700 +Subject: [PATCH] USB: pl2303.h: checkpatch cleanups + +commit 5d78fcb0caf219e2e6c8e486d7e31fec1333ac06 upstream. + +Minor whitespace cleanups to make checkpatch happy. + +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/usb/serial/pl2303.h | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index d67b480..1b025f7 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -5,7 +5,7 @@ + * it under the terms of the GNU General Public License as published by + * the Free Software Foundation; either version 2 of the License, or + * (at your option) any later version. +- * ++ * + */ + + #define BENQ_VENDOR_ID 0x04a5 +@@ -142,5 +142,5 @@ + #define SANWA_PRODUCT_ID 0x0001 + + /* ADLINK ND-6530 RS232,RS485 and RS422 adapter */ +-#define ADLINK_VENDOR_ID 0x0b63 +-#define ADLINK_ND6530_PRODUCT_ID 0x6530 ++#define ADLINK_VENDOR_ID 0x0b63 ++#define ADLINK_ND6530_PRODUCT_ID 0x6530 +-- +1.7.9.6 + diff --git a/queue/USB-serial-add-IDs-for-WinChipHead-USB-RS232-adapter.patch b/queue/USB-serial-add-IDs-for-WinChipHead-USB-RS232-adapter.patch new file mode 100644 index 0000000..dbb6a8b --- /dev/null +++ b/queue/USB-serial-add-IDs-for-WinChipHead-USB-RS232-adapter.patch @@ -0,0 +1,45 @@ +From 5be71c12a6d6432ca7a3881c1474e54fb48f38ba Mon Sep 17 00:00:00 2001 +From: Wolfgang Denk <wd@denx.de> +Date: Tue, 19 Jul 2011 11:25:38 +0200 +Subject: [PATCH] USB: serial: add IDs for WinChipHead USB->RS232 adapter + +commit 026dfaf18973404a01f488d6aa556a8c466e06a4 upstream. + +Add ID 4348:5523 for WinChipHead USB->RS 232 adapter with +Prolifec PL2303 chipset + +Signed-off-by: Wolfgang Denk <wd@denx.de> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/usb/serial/pl2303.c | 1 + + drivers/usb/serial/pl2303.h | 4 ++++ + 2 files changed, 5 insertions(+) + +diff --git a/drivers/usb/serial/pl2303.c b/drivers/usb/serial/pl2303.c +index eb7d1ce..4b357d6 100644 +--- a/drivers/usb/serial/pl2303.c ++++ b/drivers/usb/serial/pl2303.c +@@ -101,6 +101,7 @@ static const struct usb_device_id id_table[] = { + { USB_DEVICE(SONY_VENDOR_ID, SONY_QN3USB_PRODUCT_ID) }, + { USB_DEVICE(SANWA_VENDOR_ID, SANWA_PRODUCT_ID) }, + { USB_DEVICE(ADLINK_VENDOR_ID, ADLINK_ND6530_PRODUCT_ID) }, ++ { USB_DEVICE(WINCHIPHEAD_VENDOR_ID, WINCHIPHEAD_USBSER_PRODUCT_ID) }, + { } /* Terminating entry */ + }; + +diff --git a/drivers/usb/serial/pl2303.h b/drivers/usb/serial/pl2303.h +index 1b025f7..ca0d237 100644 +--- a/drivers/usb/serial/pl2303.h ++++ b/drivers/usb/serial/pl2303.h +@@ -144,3 +144,7 @@ + /* ADLINK ND-6530 RS232,RS485 and RS422 adapter */ + #define ADLINK_VENDOR_ID 0x0b63 + #define ADLINK_ND6530_PRODUCT_ID 0x6530 ++ ++/* WinChipHead USB->RS 232 adapter */ ++#define WINCHIPHEAD_VENDOR_ID 0x4348 ++#define WINCHIPHEAD_USBSER_PRODUCT_ID 0x5523 +-- +1.7.9.6 + diff --git a/queue/alpha-fix-several-security-issues.patch b/queue/alpha-fix-several-security-issues.patch new file mode 100644 index 0000000..3f3e63c --- /dev/null +++ b/queue/alpha-fix-several-security-issues.patch @@ -0,0 +1,93 @@ +From a75970dd466de70f65ab05797a2292fe0429d634 Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Wed, 15 Jun 2011 15:09:01 -0700 +Subject: [PATCH] alpha: fix several security issues + +commit 21c5977a836e399fc710ff2c5367845ed5c2527f upstream. + +Fix several security issues in Alpha-specific syscalls. Untested, but +mostly trivial. + +1. Signedness issue in osf_getdomainname allows copying out-of-bounds +kernel memory to userland. + +2. Signedness issue in osf_sysinfo allows copying large amounts of +kernel memory to userland. + +3. Typo (?) in osf_getsysinfo bounds minimum instead of maximum copy +size, allowing copying large amounts of kernel memory to userland. + +4. Usage of user pointer in osf_wait4 while under KERNEL_DS allows +privilege escalation via writing return value of sys_wait4 to kernel +memory. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Cc: Richard Henderson <rth@twiddle.net> +Cc: Ivan Kokshaysky <ink@jurassic.park.msu.ru> +Cc: Matt Turner <mattst88@gmail.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/alpha/kernel/osf_sys.c | 11 +++++++---- + 1 file changed, 7 insertions(+), 4 deletions(-) + +diff --git a/arch/alpha/kernel/osf_sys.c b/arch/alpha/kernel/osf_sys.c +index de9d397..57825bb 100644 +--- a/arch/alpha/kernel/osf_sys.c ++++ b/arch/alpha/kernel/osf_sys.c +@@ -432,7 +432,7 @@ SYSCALL_DEFINE2(osf_getdomainname, char __user *, name, int, namelen) + return -EFAULT; + + len = namelen; +- if (namelen > 32) ++ if (len > 32) + len = 32; + + down_read(&uts_sem); +@@ -619,7 +619,7 @@ SYSCALL_DEFINE3(osf_sysinfo, int, command, char __user *, buf, long, count) + down_read(&uts_sem); + res = sysinfo_table[offset]; + len = strlen(res)+1; +- if (len > count) ++ if ((unsigned long)len > (unsigned long)count) + len = count; + if (copy_to_user(buf, res, len)) + err = -EFAULT; +@@ -674,7 +674,7 @@ SYSCALL_DEFINE5(osf_getsysinfo, unsigned long, op, void __user *, buffer, + return 1; + + case GSI_GET_HWRPB: +- if (nbytes < sizeof(*hwrpb)) ++ if (nbytes > sizeof(*hwrpb)) + return -EINVAL; + if (copy_to_user(buffer, hwrpb, nbytes) != 0) + return -EFAULT; +@@ -1036,6 +1036,7 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options, + { + struct rusage r; + long ret, err; ++ unsigned int status = 0; + mm_segment_t old_fs; + + if (!ur) +@@ -1044,13 +1045,15 @@ SYSCALL_DEFINE4(osf_wait4, pid_t, pid, int __user *, ustatus, int, options, + old_fs = get_fs(); + + set_fs (KERNEL_DS); +- ret = sys_wait4(pid, ustatus, options, (struct rusage __user *) &r); ++ ret = sys_wait4(pid, (unsigned int __user *) &status, options, ++ (struct rusage __user *) &r); + set_fs (old_fs); + + if (!access_ok(VERIFY_WRITE, ur, sizeof(*ur))) + return -EFAULT; + + err = 0; ++ err |= put_user(status, ustatus); + err |= __put_user(r.ru_utime.tv_sec, &ur->ru_utime.tv_sec); + err |= __put_user(r.ru_utime.tv_usec, &ur->ru_utime.tv_usec); + err |= __put_user(r.ru_stime.tv_sec, &ur->ru_stime.tv_sec); +-- +1.7.9.6 + diff --git a/queue/bridge-send-proper-message_age-in-config-BPDU.patch b/queue/bridge-send-proper-message_age-in-config-BPDU.patch new file mode 100644 index 0000000..6e73eb5 --- /dev/null +++ b/queue/bridge-send-proper-message_age-in-config-BPDU.patch @@ -0,0 +1,86 @@ +From 24123c51c5e72dc3e92a25e8516338591c2c68cc Mon Sep 17 00:00:00 2001 +From: stephen hemminger <shemminger@vyatta.com> +Date: Fri, 22 Jul 2011 07:47:06 +0000 +Subject: [PATCH] bridge: send proper message_age in config BPDU + +commit 0c03150e7ea8f7fcd03cfef29385e0010b22ee92 upstream. + +A bridge topology with three systems: + + +------+ +------+ + | A(2) |--| B(1) | + +------+ +------+ + \ / + +------+ + | C(3) | + +------+ + +What is supposed to happen: + * bridge with the lowest ID is elected root (for example: B) + * C detects that A->C is higher cost path and puts in blocking state + +What happens. Bridge with lowest id (B) is elected correctly as +root and things start out fine initially. But then config BPDU +doesn't get transmitted from A -> C. Because of that +the link from A-C is transistioned to the forwarding state. + +The root cause of this is that the configuration messages +is generated with bogus message age, and dropped before +sending. + +In the standardmessage_age is supposed to be: + the time since the generation of the Configuration BPDU by + the Root that instigated the generation of this Configuration BPDU. + +Reimplement this by recording the timestamp (age + jiffies) when +recording config information. The old code incorrectly used the time +elapsed on the ageing timer which was incorrect. + +See also: + https://bugzilla.vyatta.com/show_bug.cgi?id=7164 + +Signed-off-by: Stephen Hemminger <shemminger@vyatta.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + net/bridge/br_private.h | 1 + + net/bridge/br_stp.c | 4 ++-- + 2 files changed, 3 insertions(+), 2 deletions(-) + +diff --git a/net/bridge/br_private.h b/net/bridge/br_private.h +index 846d7d1..2af6d75 100644 +--- a/net/bridge/br_private.h ++++ b/net/bridge/br_private.h +@@ -110,6 +110,7 @@ struct net_bridge_port + bridge_id designated_bridge; + u32 path_cost; + u32 designated_cost; ++ unsigned long designated_age; + + struct timer_list forward_delay_timer; + struct timer_list hold_timer; +diff --git a/net/bridge/br_stp.c b/net/bridge/br_stp.c +index edcf14b..7c16198 100644 +--- a/net/bridge/br_stp.c ++++ b/net/bridge/br_stp.c +@@ -165,8 +165,7 @@ void br_transmit_config(struct net_bridge_port *p) + else { + struct net_bridge_port *root + = br_get_port(br, br->root_port); +- bpdu.message_age = br->max_age +- - (root->message_age_timer.expires - jiffies) ++ bpdu.message_age = (jiffies - root->designated_age) + + MESSAGE_AGE_INCR; + } + bpdu.max_age = br->max_age; +@@ -190,6 +189,7 @@ static inline void br_record_config_information(struct net_bridge_port *p, + p->designated_cost = bpdu->root_path_cost; + p->designated_bridge = bpdu->bridge_id; + p->designated_port = bpdu->port_id; ++ p->designated_age = jiffies + bpdu->message_age; + + mod_timer(&p->message_age_timer, jiffies + + (p->br->max_age - bpdu->message_age)); +-- +1.7.9.6 + diff --git a/queue/bttv-fix-s_tuner-for-radio.patch b/queue/bttv-fix-s_tuner-for-radio.patch new file mode 100644 index 0000000..defc02f --- /dev/null +++ b/queue/bttv-fix-s_tuner-for-radio.patch @@ -0,0 +1,34 @@ +From 2605d0669e26169d621815255e57e132460df438 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil <hans.verkuil@cisco.com> +Date: Sun, 12 Jun 2011 07:02:43 -0300 +Subject: [PATCH] bttv: fix s_tuner for radio + +commit a024c1a6b274e11596d124619e43c25560f64c01 upstream. + +Fix typo: g_tuner should have been s_tuner. + +Tested with a bttv card. + +Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/media/video/bt8xx/bttv-driver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/media/video/bt8xx/bttv-driver.c b/drivers/media/video/bt8xx/bttv-driver.c +index f4860f0..62502ff 100644 +--- a/drivers/media/video/bt8xx/bttv-driver.c ++++ b/drivers/media/video/bt8xx/bttv-driver.c +@@ -3530,7 +3530,7 @@ static int radio_s_tuner(struct file *file, void *priv, + if (0 != t->index) + return -EINVAL; + +- bttv_call_all(btv, tuner, g_tuner, t); ++ bttv_call_all(btv, tuner, s_tuner, t); + return 0; + } + +-- +1.7.9.6 + diff --git a/queue/cciss-do-not-attempt-to-read-from-a-write-only-regis.patch b/queue/cciss-do-not-attempt-to-read-from-a-write-only-regis.patch new file mode 100644 index 0000000..b6e5b50 --- /dev/null +++ b/queue/cciss-do-not-attempt-to-read-from-a-write-only-regis.patch @@ -0,0 +1,34 @@ +From 00b698c79c8f3f667fef845e0271a1777da15b7a Mon Sep 17 00:00:00 2001 +From: "Stephen M. Cameron" <scameron@beardog.cce.hp.com> +Date: Sat, 9 Jul 2011 09:04:12 +0200 +Subject: [PATCH] cciss: do not attempt to read from a write-only register + +commit 07d0c38e7d84f911c72058a124c7f17b3c779a65 upstream. + +Most smartarrays will tolerate it, but some new ones don't. + +Signed-off-by: Stephen M. Cameron <scameron@beardog.cce.hp.com> + +Note: this is a regression caused by commit 1ddd5049 +Signed-off-by: Jens Axboe <jaxboe@fusionio.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/block/cciss.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/drivers/block/cciss.h b/drivers/block/cciss.h +index 37a2d4f..759cbd9 100644 +--- a/drivers/block/cciss.h ++++ b/drivers/block/cciss.h +@@ -173,7 +173,7 @@ static void SA5_submit_command( ctlr_info_t *h, CommandList_struct *c) + printk("Sending %x - down to controller\n", c->busaddr ); + #endif /* CCISS_DEBUG */ + writel(c->busaddr, h->vaddr + SA5_REQUEST_PORT_OFFSET); +- readl(h->vaddr + SA5_REQUEST_PORT_OFFSET); ++ readl(h->vaddr + SA5_SCRATCHPAD_OFFSET); + h->commands_outstanding++; + if ( h->commands_outstanding > h->max_outstanding) + h->max_outstanding = h->commands_outstanding; +-- +1.7.9.6 + diff --git a/queue/cifs-check-for-NULL-session-password.patch b/queue/cifs-check-for-NULL-session-password.patch new file mode 100644 index 0000000..2c6df3b --- /dev/null +++ b/queue/cifs-check-for-NULL-session-password.patch @@ -0,0 +1,32 @@ +From 2574db3eb0b52f978c2187adad125642c7c7c3dc Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Mon, 23 Aug 2010 11:38:04 -0400 +Subject: [PATCH] cifs: check for NULL session password + +commit 24e6cf92fde1f140d8eb0bf7cd24c2c78149b6b2 upstream. + +It's possible for a cifsSesInfo struct to have a NULL password, so we +need to check for that prior to running strncmp on it. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/cifs/connect.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 0fbc8d2..f31ad2d 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1609,6 +1609,7 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) + MAX_USERNAME_SIZE)) + continue; + if (strlen(vol->username) != 0 && ++ ses->password != NULL && + strncmp(ses->password, + vol->password ? vol->password : "", + MAX_PASSWORD_SIZE)) +-- +1.7.9.6 + diff --git a/queue/cifs-clean-up-cifs_find_smb_ses-try-2.patch b/queue/cifs-clean-up-cifs_find_smb_ses-try-2.patch new file mode 100644 index 0000000..a9f6b9e --- /dev/null +++ b/queue/cifs-clean-up-cifs_find_smb_ses-try-2.patch @@ -0,0 +1,94 @@ +From 64708d32df0fdf50f1a2cedd96d4a719e8bd9ef6 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Tue, 6 Jul 2010 20:43:02 -0400 +Subject: [PATCH] cifs: clean up cifs_find_smb_ses (try #2) + +commit 4ff67b720c02c36e54d55b88c2931879b7db1cd2 upstream. + +This patch replaces the earlier patch by the same name. The only +difference is that MAX_PASSWORD_SIZE has been increased to attempt to +match the limits that windows enforces. + +Do a better job of matching sessions by authtype. Matching by username +for a Kerberos session is incorrect, and anonymous sessions need special +handling. + +Also, in the case where we do match by username, we also need to match +by password. That ensures that someone else doesn't "borrow" an existing +session without needing to know the password. + +Finally, passwords can be longer than 16 bytes. Bump MAX_PASSWORD_SIZE +to 512 to match the size that the userspace mount helper allows. + +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/cifs/cifsglob.h | 2 +- + fs/cifs/connect.c | 26 ++++++++++++++++++-------- + 2 files changed, 19 insertions(+), 9 deletions(-) + +diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h +index 0c2fd17..23fc9ae 100644 +--- a/fs/cifs/cifsglob.h ++++ b/fs/cifs/cifsglob.h +@@ -34,7 +34,7 @@ + #define MAX_SHARE_SIZE 64 /* used to be 20, this should still be enough */ + #define MAX_USERNAME_SIZE 32 /* 32 is to allow for 15 char names + null + termination then *2 for unicode versions */ +-#define MAX_PASSWORD_SIZE 16 ++#define MAX_PASSWORD_SIZE 512 /* max for windows seems to be 256 wide chars */ + + #define CIFS_MIN_RCV_POOL 4 + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 1f6aae0..4e134a7 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1592,17 +1592,27 @@ out_err: + } + + static struct cifsSesInfo * +-cifs_find_smb_ses(struct TCP_Server_Info *server, char *username) ++cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) + { +- struct list_head *tmp; + struct cifsSesInfo *ses; + + write_lock(&cifs_tcp_ses_lock); +- list_for_each(tmp, &server->smb_ses_list) { +- ses = list_entry(tmp, struct cifsSesInfo, smb_ses_list); +- if (strncmp(ses->userName, username, MAX_USERNAME_SIZE)) +- continue; +- ++ list_for_each_entry(ses, &server->smb_ses_list, smb_ses_list) { ++ switch (server->secType) { ++ case Kerberos: ++ if (vol->linux_uid != ses->linux_uid) ++ continue; ++ break; ++ default: ++ /* anything else takes username/password */ ++ if (strncmp(ses->userName, vol->username, ++ MAX_USERNAME_SIZE)) ++ continue; ++ if (strlen(vol->username) != 0 && ++ strncmp(ses->password, vol->password, ++ MAX_PASSWORD_SIZE)) ++ continue; ++ } + ++ses->ses_count; + write_unlock(&cifs_tcp_ses_lock); + return ses; +@@ -2385,7 +2395,7 @@ try_mount_again: + goto out; + } + +- pSesInfo = cifs_find_smb_ses(srvTcp, volume_info->username); ++ pSesInfo = cifs_find_smb_ses(srvTcp, volume_info); + if (pSesInfo) { + cFYI(1, ("Existing smb sess found (status=%d)", + pSesInfo->status)); +-- +1.7.9.6 + diff --git a/queue/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_s.patch b/queue/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_s.patch new file mode 100644 index 0000000..ce38aa9 --- /dev/null +++ b/queue/cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_s.patch @@ -0,0 +1,37 @@ +From 81d0cf1128d027f3a4b8e0d6c29dfe984701a5f3 Mon Sep 17 00:00:00 2001 +From: Jeff Layton <jlayton@redhat.com> +Date: Wed, 18 Aug 2010 13:13:39 -0400 +Subject: [PATCH] cifs: fix NULL pointer dereference in cifs_find_smb_ses + +commit fc87a40677bbe0937e2ff0642c7e83c9a4813f3d upstream. + +cifs_find_smb_ses assumes that the vol->password field is a valid +pointer, but that's only the case if a password was passed in via +the options string. It's possible that one won't be if there is +no mount helper on the box. + +Reported-by: diabel <gacek-2004@wp.pl> +Signed-off-by: Jeff Layton <jlayton@redhat.com> +Signed-off-by: Steve French <sfrench@us.ibm.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/cifs/connect.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c +index 4e134a7..0fbc8d2 100644 +--- a/fs/cifs/connect.c ++++ b/fs/cifs/connect.c +@@ -1609,7 +1609,8 @@ cifs_find_smb_ses(struct TCP_Server_Info *server, struct smb_vol *vol) + MAX_USERNAME_SIZE)) + continue; + if (strlen(vol->username) != 0 && +- strncmp(ses->password, vol->password, ++ strncmp(ses->password, ++ vol->password ? vol->password : "", + MAX_PASSWORD_SIZE)) + continue; + } +-- +1.7.9.6 + diff --git a/queue/davinci-DM365-EVM-fix-video-input-mux-bits.patch b/queue/davinci-DM365-EVM-fix-video-input-mux-bits.patch new file mode 100644 index 0000000..1456c79 --- /dev/null +++ b/queue/davinci-DM365-EVM-fix-video-input-mux-bits.patch @@ -0,0 +1,45 @@ +From 14dfd5e82b83e67253e5f49ba63ea4e6cee4f007 Mon Sep 17 00:00:00 2001 +From: Jon Povey <jon.povey@racelogic.co.uk> +Date: Tue, 19 Jul 2011 12:30:11 +0900 +Subject: [PATCH] davinci: DM365 EVM: fix video input mux bits + +commit 9daedd833a38edd90cf7baa1b1fcf61c3a0721e3 upstream. + +Video input mux settings for tvp7002 and imager inputs were swapped. +Comment was correct. + +Tested on EVM with tvp7002 input. + +Signed-off-by: Jon Povey <jon.povey@racelogic.co.uk> +Acked-by: Manjunath Hadli <manjunath.hadli@ti.com> +Signed-off-by: Sekhar Nori <nsekhar@ti.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/arm/mach-davinci/board-dm365-evm.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/arch/arm/mach-davinci/board-dm365-evm.c b/arch/arm/mach-davinci/board-dm365-evm.c +index df4ab21..7b3201d 100644 +--- a/arch/arm/mach-davinci/board-dm365-evm.c ++++ b/arch/arm/mach-davinci/board-dm365-evm.c +@@ -525,7 +525,7 @@ fail: + */ + if (have_imager()) { + label = "HD imager"; +- mux |= 1; ++ mux |= 2; + + /* externally mux MMC1/ENET/AIC33 to imager */ + mux |= BIT(6) | BIT(5) | BIT(3); +@@ -546,7 +546,7 @@ fail: + resets &= ~BIT(1); + + if (have_tvp7002()) { +- mux |= 2; ++ mux |= 1; + resets &= ~BIT(2); + label = "tvp7002 HD"; + } else { +-- +1.7.9.6 + diff --git a/queue/dm-fix-idr-leak-on-module-removal.patch b/queue/dm-fix-idr-leak-on-module-removal.patch new file mode 100644 index 0000000..6d8ed4b --- /dev/null +++ b/queue/dm-fix-idr-leak-on-module-removal.patch @@ -0,0 +1,53 @@ +From bdd056c012f217fe81a3050babf196f0ef442ada Mon Sep 17 00:00:00 2001 +From: Alasdair G Kergon <agk@redhat.com> +Date: Tue, 2 Aug 2011 12:32:01 +0100 +Subject: [PATCH] dm: fix idr leak on module removal + +commit d15b774c2920d55e3d58275c97fbe3adc3afde38 upstream. + +Destroy _minor_idr when unloading the core dm module. (Found by kmemleak.) + +Signed-off-by: Alasdair G Kergon <agk@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/md/dm.c | 10 ++++++++-- + 1 file changed, 8 insertions(+), 2 deletions(-) + +diff --git a/drivers/md/dm.c b/drivers/md/dm.c +index c955f7f..6c65d49 100644 +--- a/drivers/md/dm.c ++++ b/drivers/md/dm.c +@@ -36,6 +36,8 @@ static const char *_name = DM_NAME; + static unsigned int major = 0; + static unsigned int _major = 0; + ++static DEFINE_IDR(_minor_idr); ++ + static DEFINE_SPINLOCK(_minor_lock); + /* + * For bio-based dm. +@@ -324,6 +326,12 @@ static void __exit dm_exit(void) + + while (i--) + _exits[i](); ++ ++ /* ++ * Should be empty by this point. ++ */ ++ idr_remove_all(&_minor_idr); ++ idr_destroy(&_minor_idr); + } + + /* +@@ -1772,8 +1780,6 @@ static int dm_any_congested(void *congested_data, int bdi_bits) + /*----------------------------------------------------------------- + * An IDR is used to keep track of allocated minor numbers. + *---------------------------------------------------------------*/ +-static DEFINE_IDR(_minor_idr); +- + static void free_minor(int minor) + { + spin_lock(&_minor_lock); +-- +1.7.9.6 + diff --git a/queue/dm-mpath-fix-potential-NULL-pointer-in-feature-arg-p.patch b/queue/dm-mpath-fix-potential-NULL-pointer-in-feature-arg-p.patch new file mode 100644 index 0000000..73d2a90 --- /dev/null +++ b/queue/dm-mpath-fix-potential-NULL-pointer-in-feature-arg-p.patch @@ -0,0 +1,37 @@ +From 899fe7c432ff3a23a6e64c5f1bfdfe669f04e080 Mon Sep 17 00:00:00 2001 +From: Mike Snitzer <snitzer@redhat.com> +Date: Tue, 2 Aug 2011 12:32:00 +0100 +Subject: [PATCH] dm mpath: fix potential NULL pointer in feature arg + processing + +commit 286f367dad40beb3234a18c17391d03ba939a7f3 upstream. + +Avoid dereferencing a NULL pointer if the number of feature arguments +supplied is fewer than indicated. + +Signed-off-by: Mike Snitzer <snitzer@redhat.com> +Signed-off-by: Alasdair G Kergon <agk@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/md/dm-mpath.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/drivers/md/dm-mpath.c b/drivers/md/dm-mpath.c +index ed1d0c2..78090eb 100644 +--- a/drivers/md/dm-mpath.c ++++ b/drivers/md/dm-mpath.c +@@ -793,6 +793,11 @@ static int parse_features(struct arg_set *as, struct multipath *m) + if (!argc) + return 0; + ++ if (argc > as->argc) { ++ ti->error = "not enough arguments for features"; ++ return -EINVAL; ++ } ++ + do { + param_name = shift(as); + argc--; +-- +1.7.9.6 + diff --git a/queue/ext3-Fix-oops-in-ext3_try_to_allocate_with_rsv.patch b/queue/ext3-Fix-oops-in-ext3_try_to_allocate_with_rsv.patch new file mode 100644 index 0000000..f9f1551 --- /dev/null +++ b/queue/ext3-Fix-oops-in-ext3_try_to_allocate_with_rsv.patch @@ -0,0 +1,52 @@ +From 4b59f709fc27ab05e0f8c211029e180162325e77 Mon Sep 17 00:00:00 2001 +From: Jan Kara <jack@suse.cz> +Date: Mon, 30 May 2011 13:29:20 +0200 +Subject: [PATCH] ext3: Fix oops in ext3_try_to_allocate_with_rsv() + +commit ad95c5e9bc8b5885f94dce720137cac8fa8da4c9 upstream. + +Block allocation is called from two places: ext3_get_blocks_handle() and +ext3_xattr_block_set(). These two callers are not necessarily synchronized +because xattr code holds only xattr_sem and i_mutex, and +ext3_get_blocks_handle() may hold only truncate_mutex when called from +writepage() path. Block reservation code does not expect two concurrent +allocations to happen to the same inode and thus assertions can be triggered +or reservation structure corruption can occur. + +Fix the problem by taking truncate_mutex in xattr code to serialize +allocations. + +CC: Sage Weil <sage@newdream.net> +Reported-by: Fyodor Ustinov <ufm@ufm.su> +Signed-off-by: Jan Kara <jack@suse.cz> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/ext3/xattr.c | 12 ++++++++++-- + 1 file changed, 10 insertions(+), 2 deletions(-) + +diff --git a/fs/ext3/xattr.c b/fs/ext3/xattr.c +index 534a94c..3a6356d 100644 +--- a/fs/ext3/xattr.c ++++ b/fs/ext3/xattr.c +@@ -803,8 +803,16 @@ inserted: + /* We need to allocate a new block */ + ext3_fsblk_t goal = ext3_group_first_block_no(sb, + EXT3_I(inode)->i_block_group); +- ext3_fsblk_t block = ext3_new_block(handle, inode, +- goal, &error); ++ ext3_fsblk_t block; ++ ++ /* ++ * Protect us agaist concurrent allocations to the ++ * same inode from ext3_..._writepage(). Reservation ++ * code does not expect racing allocations. ++ */ ++ mutex_lock(&EXT3_I(inode)->truncate_mutex); ++ block = ext3_new_block(handle, inode, goal, &error); ++ mutex_unlock(&EXT3_I(inode)->truncate_mutex); + if (error) + goto cleanup; + ea_idebug(inode, "creating block %d", block); +-- +1.7.9.6 + diff --git a/queue/hwmon-max1111-Fix-race-condition-causing-NULL-pointe.patch b/queue/hwmon-max1111-Fix-race-condition-causing-NULL-pointe.patch new file mode 100644 index 0000000..eb611f1 --- /dev/null +++ b/queue/hwmon-max1111-Fix-race-condition-causing-NULL-pointe.patch @@ -0,0 +1,83 @@ +From 9dffb0a0203f113886bd63ef5dd2040937be8048 Mon Sep 17 00:00:00 2001 +From: Pavel Herrmann <morpheus.ibis@gmail.com> +Date: Sun, 17 Jul 2011 18:39:19 +0200 +Subject: [PATCH] hwmon: (max1111) Fix race condition causing NULL pointer + exception + +commit d3f684f2820a7f42acef68bea6622d9032127fb2 upstream. + +spi_sync call uses its spi_message parameter to keep completion information, +using a drvdata structure is not thread-safe. Use a mutex to prevent +multiple access to shared driver data. + +Signed-off-by: Pavel Herrmann <morpheus.ibis@gmail.com> +Acked-by: Russell King <rmk+kernel@arm.linux.org.uk> +Acked-by: Pavel Machek <pavel@ucw.cz> +Acked-by: Marek Vasut <marek.vasut@gmail.com> +Acked-by: Cyril Hrubis <metan@ucw.cz> +Tested-by: Stanislav Brabec <utx@penguin.cz> +Signed-off-by: Jean Delvare <khali@linux-fr.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/hwmon/max1111.c | 11 +++++++++++ + 1 file changed, 11 insertions(+) + +diff --git a/drivers/hwmon/max1111.c b/drivers/hwmon/max1111.c +index 12a54aa..14335bb 100644 +--- a/drivers/hwmon/max1111.c ++++ b/drivers/hwmon/max1111.c +@@ -40,6 +40,8 @@ struct max1111_data { + struct spi_transfer xfer[2]; + uint8_t *tx_buf; + uint8_t *rx_buf; ++ struct mutex drvdata_lock; ++ /* protect msg, xfer and buffers from multiple access */ + }; + + static int max1111_read(struct device *dev, int channel) +@@ -48,6 +50,9 @@ static int max1111_read(struct device *dev, int channel) + uint8_t v1, v2; + int err; + ++ /* writing to drvdata struct is not thread safe, wait on mutex */ ++ mutex_lock(&data->drvdata_lock); ++ + data->tx_buf[0] = (channel << MAX1111_CTRL_SEL_SH) | + MAX1111_CTRL_PD0 | MAX1111_CTRL_PD1 | + MAX1111_CTRL_SGL | MAX1111_CTRL_UNI | MAX1111_CTRL_STR; +@@ -55,12 +60,15 @@ static int max1111_read(struct device *dev, int channel) + err = spi_sync(data->spi, &data->msg); + if (err < 0) { + dev_err(dev, "spi_sync failed with %d\n", err); ++ mutex_unlock(&data->drvdata_lock); + return err; + } + + v1 = data->rx_buf[0]; + v2 = data->rx_buf[1]; + ++ mutex_unlock(&data->drvdata_lock); ++ + if ((v1 & 0xc0) || (v2 & 0x3f)) + return -EINVAL; + +@@ -176,6 +184,8 @@ static int __devinit max1111_probe(struct spi_device *spi) + if (err) + goto err_free_data; + ++ mutex_init(&data->drvdata_lock); ++ + data->spi = spi; + spi_set_drvdata(spi, data); + +@@ -213,6 +223,7 @@ static int __devexit max1111_remove(struct spi_device *spi) + + hwmon_device_unregister(data->hwmon_dev); + sysfs_remove_group(&spi->dev.kobj, &max1111_attr_group); ++ mutex_destroy(&data->drvdata_lock); + kfree(data->rx_buf); + kfree(data->tx_buf); + kfree(data); +-- +1.7.9.6 + diff --git a/queue/jme-Fix-unmap-error-Causing-system-freeze.patch b/queue/jme-Fix-unmap-error-Causing-system-freeze.patch new file mode 100644 index 0000000..f983da6 --- /dev/null +++ b/queue/jme-Fix-unmap-error-Causing-system-freeze.patch @@ -0,0 +1,70 @@ +From 4f1f99170ec53e71811b4c09bded8ced9c124467 Mon Sep 17 00:00:00 2001 +From: Guo-Fu Tseng <cooldavid@cooldavid.org> +Date: Wed, 20 Jul 2011 16:57:36 +0000 +Subject: [PATCH] jme: Fix unmap error (Causing system freeze) + +commit 94c5b41b327e08de0ddf563237855f55080652a1 upstream. + +This patch add the missing dma_unmap(). +Which solved the critical issue of system freeze on heavy load. + +Michal Miroslaw's rejected patch: +[PATCH v2 10/46] net: jme: convert to generic DMA API +Pointed out the issue also, thank you Michal. +But the fix was incorrect. It would unmap needed address +when low memory. + +Got lots of feedback from End user and Gentoo Bugzilla. +https://bugs.gentoo.org/show_bug.cgi?id=373109 +Thank you all. :) + +Signed-off-by: Guo-Fu Tseng <cooldavid@cooldavid.org> +Acked-by: Chris Wright <chrisw@sous-sol.org> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/net/jme.c | 20 ++++++++++++++------ + 1 file changed, 14 insertions(+), 6 deletions(-) + +diff --git a/drivers/net/jme.c b/drivers/net/jme.c +index b2d190e..7b8fc3d 100644 +--- a/drivers/net/jme.c ++++ b/drivers/net/jme.c +@@ -682,20 +682,28 @@ jme_make_new_rx_buf(struct jme_adapter *jme, int i) + struct jme_ring *rxring = &(jme->rxring[0]); + struct jme_buffer_info *rxbi = rxring->bufinf + i; + struct sk_buff *skb; ++ dma_addr_t mapping; + + skb = netdev_alloc_skb(jme->dev, + jme->dev->mtu + RX_EXTRA_LEN); + if (unlikely(!skb)) + return -ENOMEM; + ++ mapping = pci_map_page(jme->pdev, virt_to_page(skb->data), ++ offset_in_page(skb->data), skb_tailroom(skb), ++ PCI_DMA_FROMDEVICE); ++ if (unlikely(pci_dma_mapping_error(jme->pdev, mapping))) { ++ dev_kfree_skb(skb); ++ return -ENOMEM; ++ } ++ ++ if (likely(rxbi->mapping)) ++ pci_unmap_page(jme->pdev, rxbi->mapping, ++ rxbi->len, PCI_DMA_FROMDEVICE); ++ + rxbi->skb = skb; + rxbi->len = skb_tailroom(skb); +- rxbi->mapping = pci_map_page(jme->pdev, +- virt_to_page(skb->data), +- offset_in_page(skb->data), +- rxbi->len, +- PCI_DMA_FROMDEVICE); +- ++ rxbi->mapping = mapping; + return 0; + } + +-- +1.7.9.6 + diff --git a/queue/kexec-x86-Fix-incorrect-jump-back-address-if-not-pre.patch b/queue/kexec-x86-Fix-incorrect-jump-back-address-if-not-pre.patch new file mode 100644 index 0000000..e338bdb --- /dev/null +++ b/queue/kexec-x86-Fix-incorrect-jump-back-address-if-not-pre.patch @@ -0,0 +1,61 @@ +From 7c467bea138022ec6feeb6a5a459701406825592 Mon Sep 17 00:00:00 2001 +From: Huang Ying <ying.huang@intel.com> +Date: Thu, 14 Jul 2011 09:34:37 +0800 +Subject: [PATCH] kexec, x86: Fix incorrect jump back address if not + preserving context + +commit 050438ed5a05b25cdf287f5691e56a58c2606997 upstream. + +In kexec jump support, jump back address passed to the kexeced +kernel via function calling ABI, that is, the function call +return address is the jump back entry. + +Furthermore, jump back entry == 0 should be used to signal that +the jump back or preserve context is not enabled in the original +kernel. + +But in the current implementation the stack position used for +function call return address is not cleared context +preservation is disabled. The patch fixes this bug. + +Reported-and-tested-by: Yin Kangkai <kangkai.yin@intel.com> +Signed-off-by: Huang Ying <ying.huang@intel.com> +Cc: Eric W. Biederman <ebiederm@xmission.com> +Cc: Vivek Goyal <vgoyal@redhat.com> +Link: http://lkml.kernel.org/r/1310607277-25029-1-git-send-email-ying.huang@intel.com +Signed-off-by: Ingo Molnar <mingo@elte.hu> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/x86/kernel/relocate_kernel_32.S | 2 ++ + arch/x86/kernel/relocate_kernel_64.S | 2 ++ + 2 files changed, 4 insertions(+) + +diff --git a/arch/x86/kernel/relocate_kernel_32.S b/arch/x86/kernel/relocate_kernel_32.S +index 4123553..36818f8 100644 +--- a/arch/x86/kernel/relocate_kernel_32.S ++++ b/arch/x86/kernel/relocate_kernel_32.S +@@ -97,6 +97,8 @@ relocate_kernel: + ret + + identity_mapped: ++ /* set return address to 0 if not preserving context */ ++ pushl $0 + /* store the start address on the stack */ + pushl %edx + +diff --git a/arch/x86/kernel/relocate_kernel_64.S b/arch/x86/kernel/relocate_kernel_64.S +index 4de8f5b..7a6f3b3 100644 +--- a/arch/x86/kernel/relocate_kernel_64.S ++++ b/arch/x86/kernel/relocate_kernel_64.S +@@ -100,6 +100,8 @@ relocate_kernel: + ret + + identity_mapped: ++ /* set return address to 0 if not preserving context */ ++ pushq $0 + /* store the start address on the stack */ + pushq %rdx + +-- +1.7.9.6 + diff --git a/queue/libata-fix-unexpectedly-frozen-port-after-ata_eh_res.patch b/queue/libata-fix-unexpectedly-frozen-port-after-ata_eh_res.patch new file mode 100644 index 0000000..0fb25e0 --- /dev/null +++ b/queue/libata-fix-unexpectedly-frozen-port-after-ata_eh_res.patch @@ -0,0 +1,72 @@ +From 4d7c6b511d0f2d9ec6cf70ef6f88331b20fecc76 Mon Sep 17 00:00:00 2001 +From: Tejun Heo <tj@kernel.org> +Date: Wed, 25 May 2011 13:19:39 +0200 +Subject: [PATCH] libata: fix unexpectedly frozen port after ata_eh_reset() + +commit 8c56cacc724c7650b893d43068fa66044aa29a61 upstream. + +To work around controllers which can't properly plug events while +reset, ata_eh_reset() clears error states and ATA_PFLAG_EH_PENDING +after reset but before RESET is marked done. As reset is the final +recovery action and full verification of devices including onlineness +and classfication match is done afterwards, this shouldn't lead to +lost devices or missed hotplug events. + +Unfortunately, it forgot to thaw the port when clearing EH_PENDING, so +if the condition happens after resetting an empty port, the port could +be left frozen and EH will end without thawing it, making the port +unresponsive to further hotplug events. + +Thaw if the port is frozen after clearing EH_PENDING. This problem is +reported by Bruce Stenning in the following thread. + + http://thread.gmane.org/gmane.linux.kernel/1123265 + +stable: I think we should weather this patch a bit longer in -rcX + before sending it to -stable. Please wait at least a month + after this patch makes upstream. Thanks. + +-v2: Fixed spelling in the comment per Dave Howorth. + +Signed-off-by: Tejun Heo <tj@kernel.org> +Reported-by: Bruce Stenning <b.stenning@indigovision.com> +Cc: Dave Howorth <dhoworth@mrc-lmb.cam.ac.uk> +Signed-off-by: Jeff Garzik <jgarzik@pobox.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/ata/libata-eh.c | 12 ++++++++---- + 1 file changed, 8 insertions(+), 4 deletions(-) + +diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c +index 1cf0bff..3704b2d 100644 +--- a/drivers/ata/libata-eh.c ++++ b/drivers/ata/libata-eh.c +@@ -2716,10 +2716,11 @@ int ata_eh_reset(struct ata_link *link, int classify, + } + + /* +- * Some controllers can't be frozen very well and may set +- * spuruious error conditions during reset. Clear accumulated +- * error information. As reset is the final recovery action, +- * nothing is lost by doing this. ++ * Some controllers can't be frozen very well and may set spurious ++ * error conditions during reset. Clear accumulated error ++ * information and re-thaw the port if frozen. As reset is the ++ * final recovery action and we cross check link onlineness against ++ * device classification later, no hotplug event is lost by this. + */ + spin_lock_irqsave(link->ap->lock, flags); + memset(&link->eh_info, 0, sizeof(link->eh_info)); +@@ -2728,6 +2729,9 @@ int ata_eh_reset(struct ata_link *link, int classify, + ap->pflags &= ~ATA_PFLAG_EH_PENDING; + spin_unlock_irqrestore(link->ap->lock, flags); + ++ if (ap->pflags & ATA_PFLAG_FROZEN) ++ ata_eh_thaw_port(ap); ++ + /* + * Make sure onlineness and classification result correspond. + * Hotplug could have happened during reset and some +-- +1.7.9.6 + diff --git a/queue/libsas-remove-expander-from-dev-list-on-error.patch b/queue/libsas-remove-expander-from-dev-list-on-error.patch new file mode 100644 index 0000000..6bd42be --- /dev/null +++ b/queue/libsas-remove-expander-from-dev-list-on-error.patch @@ -0,0 +1,37 @@ +From 3ab5dda417039b8caa498b11cf7bd6817d9f1756 Mon Sep 17 00:00:00 2001 +From: Luben Tuikov <ltuikov@yahoo.com> +Date: Tue, 26 Jul 2011 23:10:48 -0700 +Subject: [PATCH] libsas: remove expander from dev list on error + +commit 5911e963d3718e306bcac387b83e259aa4228896 upstream. + +If expander discovery fails (sas_discover_expander()), remove the +expander from the port device list (sas_ex_discover_expander()), +before freeing it. Else the list is corrupted and, e.g., when we +attempt to send SMP commands to other devices, the kernel oopses. + +Signed-off-by: Luben Tuikov <ltuikov@yahoo.com> +Reviewed-by: Jack Wang <jack_wang@usish.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/scsi/libsas/sas_expander.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/libsas/sas_expander.c b/drivers/scsi/libsas/sas_expander.c +index c65af02..fbf0a09 100644 +--- a/drivers/scsi/libsas/sas_expander.c ++++ b/drivers/scsi/libsas/sas_expander.c +@@ -841,6 +841,9 @@ static struct domain_device *sas_ex_discover_expander( + + res = sas_discover_expander(child); + if (res) { ++ spin_lock_irq(&parent->port->dev_list_lock); ++ list_del(&child->dev_list_node); ++ spin_unlock_irq(&parent->port->dev_list_lock); + kfree(child); + return NULL; + } +-- +1.7.9.6 + diff --git a/queue/mac80211-Restart-STA-timers-only-on-associated-state.patch b/queue/mac80211-Restart-STA-timers-only-on-associated-state.patch new file mode 100644 index 0000000..f070678 --- /dev/null +++ b/queue/mac80211-Restart-STA-timers-only-on-associated-state.patch @@ -0,0 +1,35 @@ +From 229cc7dd5bf394f2e8f685df74e3c903a46f1199 Mon Sep 17 00:00:00 2001 +From: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Date: Thu, 7 Jul 2011 23:33:39 +0530 +Subject: [PATCH] mac80211: Restart STA timers only on associated state + +commit 676b58c27475a9defccc025fea1cbd2b141ee539 upstream. + +A panic was observed when the device is failed to resume properly, +and there are no running interfaces. ieee80211_reconfig tries +to restart STA timers on unassociated state. + +Signed-off-by: Rajkumar Manoharan <rmanohar@qca.qualcomm.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + net/mac80211/mlme.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c +index 1349a09..83d2e42 100644 +--- a/net/mac80211/mlme.c ++++ b/net/mac80211/mlme.c +@@ -1746,6 +1746,9 @@ void ieee80211_sta_restart(struct ieee80211_sub_if_data *sdata) + { + struct ieee80211_if_managed *ifmgd = &sdata->u.mgd; + ++ if (!ifmgd->associated) ++ return; ++ + if (test_and_clear_bit(TMR_RUNNING_TIMER, &ifmgd->timers_running)) + add_timer(&ifmgd->timer); + if (test_and_clear_bit(TMR_RUNNING_CHANSW, &ifmgd->timers_running)) +-- +1.7.9.6 + diff --git a/queue/pmcraid-reject-negative-request-size.patch b/queue/pmcraid-reject-negative-request-size.patch new file mode 100644 index 0000000..e11d0ff --- /dev/null +++ b/queue/pmcraid-reject-negative-request-size.patch @@ -0,0 +1,54 @@ +From 2f5797e7784e64c9c860de31ab165c85e12b82ca Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Mon, 11 Jul 2011 14:08:23 -0700 +Subject: [PATCH] pmcraid: reject negative request size + +commit b5b515445f4f5a905c5dd27e6e682868ccd6c09d upstream. + +There's a code path in pmcraid that can be reached via device ioctl that +causes all sorts of ugliness, including heap corruption or triggering the +OOM killer due to consecutive allocation of large numbers of pages. + +First, the user can call pmcraid_chr_ioctl(), with a type +PMCRAID_PASSTHROUGH_IOCTL. This calls through to +pmcraid_ioctl_passthrough(). Next, a pmcraid_passthrough_ioctl_buffer +is copied in, and the request_size variable is set to +buffer->ioarcb.data_transfer_length, which is an arbitrary 32-bit +signed value provided by the user. If a negative value is provided +here, bad things can happen. For example, +pmcraid_build_passthrough_ioadls() is called with this request_size, +which immediately calls pmcraid_alloc_sglist() with a negative size. +The resulting math on allocating a scatter list can result in an +overflow in the kzalloc() call (if num_elem is 0, the sglist will be +smaller than expected), or if num_elem is unexpectedly large the +subsequent loop will call alloc_pages() repeatedly, a high number of +pages will be allocated and the OOM killer might be invoked. + +It looks like preventing this value from being negative in +pmcraid_ioctl_passthrough() would be sufficient. + +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/scsi/pmcraid.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/drivers/scsi/pmcraid.c b/drivers/scsi/pmcraid.c +index bdb7259..ba82c0c 100644 +--- a/drivers/scsi/pmcraid.c ++++ b/drivers/scsi/pmcraid.c +@@ -3577,6 +3577,9 @@ static long pmcraid_ioctl_passthrough( + pmcraid_err("couldn't build passthrough ioadls\n"); + goto out_free_buffer; + } ++ } else if (request_size < 0) { ++ rc = -EINVAL; ++ goto out_free_buffer; + } + + /* If data is being written into the device, copy the data from user +-- +1.7.9.6 + diff --git a/queue/powerpc-kdump-Fix-timeout-in-crash_kexec_wait_realmo.patch b/queue/powerpc-kdump-Fix-timeout-in-crash_kexec_wait_realmo.patch new file mode 100644 index 0000000..1e6e158 --- /dev/null +++ b/queue/powerpc-kdump-Fix-timeout-in-crash_kexec_wait_realmo.patch @@ -0,0 +1,45 @@ +From b328bb69529781ac144c66c6ad47cba491436a86 Mon Sep 17 00:00:00 2001 +From: Michael Neuling <mikey@neuling.org> +Date: Mon, 4 Jul 2011 20:40:10 +0000 +Subject: [PATCH] powerpc/kdump: Fix timeout in crash_kexec_wait_realmode + +commit 63f21a56f1cc0b800a4c00349c59448f82473d19 upstream. + +The existing code it pretty ugly. How about we clean it up even more +like this? + +From: Anton Blanchard <anton@samba.org> + +We check for timeout expiry in the outer loop, but we also need to +check it in the inner loop or we can lock up forever waiting for a +CPU to hit real mode. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Michael Neuling <mikey@neuling.org> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/powerpc/kernel/crash.c | 6 +----- + 1 file changed, 1 insertion(+), 5 deletions(-) + +diff --git a/arch/powerpc/kernel/crash.c b/arch/powerpc/kernel/crash.c +index ddf1fea..d2f619b 100644 +--- a/arch/powerpc/kernel/crash.c ++++ b/arch/powerpc/kernel/crash.c +@@ -176,12 +176,8 @@ static void crash_kexec_wait_realmode(int cpu) + + while (paca[i].kexec_state < KEXEC_STATE_REAL_MODE) { + barrier(); +- if (!cpu_possible(i)) { ++ if (!cpu_possible(i) || !cpu_online(i) || (msecs <= 0)) + break; +- } +- if (!cpu_online(i)) { +- break; +- } + msecs--; + mdelay(1); + } +-- +1.7.9.6 + diff --git a/queue/powerpc-pseries-hvconsole-Fix-dropped-console-output.patch b/queue/powerpc-pseries-hvconsole-Fix-dropped-console-output.patch new file mode 100644 index 0000000..f3b70e3 --- /dev/null +++ b/queue/powerpc-pseries-hvconsole-Fix-dropped-console-output.patch @@ -0,0 +1,33 @@ +From aa3b2a793dbf626c116f50f61bf4f9c63e24b848 Mon Sep 17 00:00:00 2001 +From: Anton Blanchard <anton@samba.org> +Date: Tue, 5 Jul 2011 21:51:36 +0000 +Subject: [PATCH] powerpc/pseries/hvconsole: Fix dropped console output + +commit 51d33021425e1f905beb4208823146f2fb6517da upstream. + +Return -EAGAIN when we get H_BUSY back from the hypervisor. This +makes the hvc console driver retry, avoiding dropped printks. + +Signed-off-by: Anton Blanchard <anton@samba.org> +Signed-off-by: Benjamin Herrenschmidt <benh@kernel.crashing.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/powerpc/platforms/pseries/hvconsole.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/arch/powerpc/platforms/pseries/hvconsole.c b/arch/powerpc/platforms/pseries/hvconsole.c +index 3f6a89b..041e87c 100644 +--- a/arch/powerpc/platforms/pseries/hvconsole.c ++++ b/arch/powerpc/platforms/pseries/hvconsole.c +@@ -73,7 +73,7 @@ int hvc_put_chars(uint32_t vtermno, const char *buf, int count) + if (ret == H_SUCCESS) + return count; + if (ret == H_BUSY) +- return 0; ++ return -EAGAIN; + return -EIO; + } + +-- +1.7.9.6 + diff --git a/queue/proc-restrict-access-to-proc-PID-io.patch b/queue/proc-restrict-access-to-proc-PID-io.patch new file mode 100644 index 0000000..e806fff --- /dev/null +++ b/queue/proc-restrict-access-to-proc-PID-io.patch @@ -0,0 +1,58 @@ +From 252bfabc61078363ed1171b32b316eb5dac88212 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov <segoon@openwall.com> +Date: Fri, 24 Jun 2011 16:08:38 +0400 +Subject: [PATCH] proc: restrict access to /proc/PID/io + +commit 1d1221f375c94ef961ba8574ac4f85c8870ddd51 upstream. + +/proc/PID/io may be used for gathering private information. E.g. for +openssh and vsftpd daemons wchars/rchars may be used to learn the +precise password length. Restrict it to processes being able to ptrace +the target process. + +ptrace_may_access() is needed to prevent keeping open file descriptor of +"io" file, executing setuid binary and gathering io information of the +setuid'ed process. + +Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + fs/proc/base.c | 7 +++++-- + 1 file changed, 5 insertions(+), 2 deletions(-) + +diff --git a/fs/proc/base.c b/fs/proc/base.c +index 268f00d..08741b0 100644 +--- a/fs/proc/base.c ++++ b/fs/proc/base.c +@@ -2518,6 +2518,9 @@ static int do_io_accounting(struct task_struct *task, char *buffer, int whole) + struct task_io_accounting acct = task->ioac; + unsigned long flags; + ++ if (!ptrace_may_access(task, PTRACE_MODE_READ)) ++ return -EACCES; ++ + if (whole && lock_task_sighand(task, &flags)) { + struct task_struct *t = task; + +@@ -2640,7 +2643,7 @@ static const struct pid_entry tgid_base_stuff[] = { + REG("coredump_filter", S_IRUGO|S_IWUSR, proc_coredump_filter_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tgid_io_accounting), ++ INF("io", S_IRUSR, proc_tgid_io_accounting), + #endif + }; + +@@ -2976,7 +2979,7 @@ static const struct pid_entry tid_base_stuff[] = { + REG("make-it-fail", S_IRUGO|S_IWUSR, proc_fault_inject_operations), + #endif + #ifdef CONFIG_TASK_IO_ACCOUNTING +- INF("io", S_IRUGO, proc_tid_io_accounting), ++ INF("io", S_IRUSR, proc_tid_io_accounting), + #endif + }; + +-- +1.7.9.6 + diff --git a/queue/pvrusb2-fix-g-s_tuner-support.patch b/queue/pvrusb2-fix-g-s_tuner-support.patch new file mode 100644 index 0000000..dd89461 --- /dev/null +++ b/queue/pvrusb2-fix-g-s_tuner-support.patch @@ -0,0 +1,47 @@ +From 7fc38966a4bd9e35ad945d93885a9f6bb0cd9240 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil <hans.verkuil@cisco.com> +Date: Sun, 12 Jun 2011 06:39:52 -0300 +Subject: [PATCH] pvrusb2: fix g/s_tuner support + +commit 50e9efd60b213ce43ad6979bfc18e25eec2d8413 upstream. + +The tuner-core subdev requires that the type field of v4l2_tuner is +filled in correctly. This is done in v4l2-ioctl.c, but pvrusb2 doesn't +use that yet, so we have to do it manually based on whether the current +input is radio or not. + +Tested with my pvrusb2. + +Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> +Acked-by: Mike Isely <isely@pobox.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/media/video/pvrusb2/pvrusb2-hdw.c | 4 ++++ + 1 file changed, 4 insertions(+) + +diff --git a/drivers/media/video/pvrusb2/pvrusb2-hdw.c b/drivers/media/video/pvrusb2/pvrusb2-hdw.c +index 712b300..6d15dcd 100644 +--- a/drivers/media/video/pvrusb2/pvrusb2-hdw.c ++++ b/drivers/media/video/pvrusb2/pvrusb2-hdw.c +@@ -3026,6 +3026,8 @@ static void pvr2_subdev_update(struct pvr2_hdw *hdw) + if (hdw->input_dirty || hdw->audiomode_dirty || hdw->force_dirty) { + struct v4l2_tuner vt; + memset(&vt, 0, sizeof(vt)); ++ vt.type = (hdw->input_val == PVR2_CVAL_INPUT_RADIO) ? ++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV; + vt.audmode = hdw->audiomode_val; + v4l2_device_call_all(&hdw->v4l2_dev, 0, tuner, s_tuner, &vt); + } +@@ -5140,6 +5142,8 @@ void pvr2_hdw_status_poll(struct pvr2_hdw *hdw) + { + struct v4l2_tuner *vtp = &hdw->tuner_signal_info; + memset(vtp, 0, sizeof(*vtp)); ++ vtp->type = (hdw->input_val == PVR2_CVAL_INPUT_RADIO) ? ++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV; + hdw->tuner_signal_stale = 0; + /* Note: There apparently is no replacement for VIDIOC_CROPCAP + using v4l2-subdev - therefore we can't support that AT ALL right +-- +1.7.9.6 + diff --git a/queue/series b/queue/series index db7aae4..e3ae4dc 100644 --- a/queue/series +++ b/queue/series @@ -104,3 +104,47 @@ net-ipv4-Check-for-mistakenly-passed-in-non-IPv4-add.patch ipv6-udp-Use-the-correct-variable-to-determine-non-b.patch udp-recvmsg-Clear-MSG_TRUNC-flag-when-starting-over-.patch mm-prevent-concurrent-unmap_mapping_range-on-the-sam.patch +ASoC-Fix-Blackfin-I2S-_pointer-implementation-return.patch +v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and-.patch +pvrusb2-fix-g-s_tuner-support.patch +bttv-fix-s_tuner-for-radio.patch +NFSv4.1-update-nfs4_fattr_bitmap_maxsz.patch +SUNRPC-Fix-a-race-between-work-queue-and-rpc_killall.patch +SUNRPC-Fix-use-of-static-variable-in-rpcb_getport_as.patch +si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch +hwmon-max1111-Fix-race-condition-causing-NULL-pointe.patch +bridge-send-proper-message_age-in-config-BPDU.patch +davinci-DM365-EVM-fix-video-input-mux-bits.patch +libata-fix-unexpectedly-frozen-port-after-ata_eh_res.patch +x86-Make-Dell-Latitude-E5420-use-reboot-pci.patch +USB-pl2303.h-checkpatch-cleanups.patch +USB-serial-add-IDs-for-WinChipHead-USB-RS232-adapter.patch +staging-comedi-fix-infoleak-to-userspace.patch +USB-OHCI-fix-another-regression-for-NVIDIA-controlle.patch +ARM-pxa-cm-x300-fix-V3020-RTC-functionality.patch +jme-Fix-unmap-error-Causing-system-freeze.patch +libsas-remove-expander-from-dev-list-on-error.patch +mac80211-Restart-STA-timers-only-on-associated-state.patch +Blacklist-Traxdata-CDR4120-and-IOMEGA-Zip-drive-to-a.patch +ses-requesting-a-fault-indication.patch +pmcraid-reject-negative-request-size.patch +kexec-x86-Fix-incorrect-jump-back-address-if-not-pre.patch +powerpc-kdump-Fix-timeout-in-crash_kexec_wait_realmo.patch +PCI-ARI-is-a-PCIe-v2-feature.patch +cciss-do-not-attempt-to-read-from-a-write-only-regis.patch +xtensa-prevent-arbitrary-read-in-ptrace.patch +ext3-Fix-oops-in-ext3_try_to_allocate_with_rsv.patch +svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch +EHCI-only-power-off-port-if-over-current-is-active.patch +EHCI-fix-direction-handling-for-interrupt-data-toggl.patch +powerpc-pseries-hvconsole-Fix-dropped-console-output.patch +cifs-clean-up-cifs_find_smb_ses-try-2.patch +cifs-fix-NULL-pointer-dereference-in-cifs_find_smb_s.patch +cifs-check-for-NULL-session-password.patch +alpha-fix-several-security-issues.patch +proc-restrict-access-to-proc-PID-io.patch +ALSA-sound-core-pcm_compat.c-adjust-array-index.patch +dm-mpath-fix-potential-NULL-pointer-in-feature-arg-p.patch +dm-fix-idr-leak-on-module-removal.patch +x86-Hpet-Avoid-the-comparator-readback-penalty.patch +x86-HPET-Chose-a-paranoid-safe-value-for-the-ETIME-c.patch diff --git a/queue/ses-requesting-a-fault-indication.patch b/queue/ses-requesting-a-fault-indication.patch new file mode 100644 index 0000000..e784a08 --- /dev/null +++ b/queue/ses-requesting-a-fault-indication.patch @@ -0,0 +1,56 @@ +From cef82c046c00620b36d44c42114f5bd90168d21e Mon Sep 17 00:00:00 2001 +From: Douglas Gilbert <dgilbert@interlog.com> +Date: Thu, 9 Jun 2011 00:27:07 -0400 +Subject: [PATCH] ses: requesting a fault indication + +commit 2a350cab9daf9a46322d83b091bb05cf54ccf6ab upstream. + +Noticed that when the sysfs interface of the SCSI SES +driver was used to request a fault indication the LED +flashed but the buzzer didn't sound. So it was doing +what REQUEST IDENT (locate) should do. + +Changelog: + - fix the setting of REQUEST FAULT for the device slot + and array device slot elements in the enclosure control + diagnostic page + - note the potentially defective code that reads the + FAULT SENSED and FAULT REQUESTED bits from the enclosure + status diagnostic page + +The attached patch is against git/scsi-misc-2.6 + +Signed-off-by: Douglas Gilbert <dgilbert@interlog.com> +Signed-off-by: James Bottomley <JBottomley@Parallels.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/scsi/ses.c | 6 +++++- + 1 file changed, 5 insertions(+), 1 deletion(-) + +diff --git a/drivers/scsi/ses.c b/drivers/scsi/ses.c +index 3b00e90..fedb4f9 100644 +--- a/drivers/scsi/ses.c ++++ b/drivers/scsi/ses.c +@@ -158,6 +158,10 @@ static unsigned char *ses_get_page2_descriptor(struct enclosure_device *edev, + return NULL; + } + ++/* For device slot and array device slot elements, byte 3 bit 6 ++ * is "fault sensed" while byte 3 bit 5 is "fault reqstd". As this ++ * code stands these bits are shifted 4 positions right so in ++ * sysfs they will appear as bits 2 and 1 respectively. Strange. */ + static void ses_get_fault(struct enclosure_device *edev, + struct enclosure_component *ecomp) + { +@@ -179,7 +183,7 @@ static int ses_set_fault(struct enclosure_device *edev, + /* zero is disabled */ + break; + case ENCLOSURE_SETTING_ENABLED: +- desc[2] = 0x02; ++ desc[3] = 0x20; + break; + default: + /* SES doesn't do the SGPIO blink settings */ +-- +1.7.9.6 + diff --git a/queue/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch b/queue/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch new file mode 100644 index 0000000..bce999d --- /dev/null +++ b/queue/si4713-i2c-avoid-potential-buffer-overflow-on-si4713.patch @@ -0,0 +1,50 @@ +From 4a18a019d165280c51944232370bc44dcda242de Mon Sep 17 00:00:00 2001 +From: Mauro Carvalho Chehab <mchehab@redhat.com> +Date: Sun, 17 Jul 2011 00:24:37 -0300 +Subject: [PATCH] si4713-i2c: avoid potential buffer overflow on si4713 +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +commit dc6b845044ccb7e9e6f3b7e71bd179b3cf0223b6 upstream. + +While compiling it with Fedora 15, I noticed this issue: + + inlined from ‘si4713_write_econtrol_string’ at drivers/media/radio/si4713-i2c.c:1065:24: + arch/x86/include/asm/uaccess_32.h:211:26: error: call to ‘copy_from_user_overflow’ declared with attribute error: copy_from_user() buffer size is not provably correct + +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Acked-by: Sakari Ailus <sakari.ailus@maxwell.research.nokia.com> +Acked-by: Eduardo Valentin <edubezval@gmail.com> +Reviewed-by: Eugene Teo <eugeneteo@kernel.sg> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/media/radio/si4713-i2c.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/media/radio/si4713-i2c.c b/drivers/media/radio/si4713-i2c.c +index ab63dd5..6ce2fb1 100644 +--- a/drivers/media/radio/si4713-i2c.c ++++ b/drivers/media/radio/si4713-i2c.c +@@ -1004,7 +1004,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev, + char ps_name[MAX_RDS_PS_NAME + 1]; + + len = control->size - 1; +- if (len > MAX_RDS_PS_NAME) { ++ if (len < 0 || len > MAX_RDS_PS_NAME) { + rval = -ERANGE; + goto exit; + } +@@ -1026,7 +1026,7 @@ static int si4713_write_econtrol_string(struct si4713_device *sdev, + char radio_text[MAX_RDS_RADIO_TEXT + 1]; + + len = control->size - 1; +- if (len > MAX_RDS_RADIO_TEXT) { ++ if (len < 0 || len > MAX_RDS_RADIO_TEXT) { + rval = -ERANGE; + goto exit; + } +-- +1.7.9.6 + diff --git a/queue/staging-comedi-fix-infoleak-to-userspace.patch b/queue/staging-comedi-fix-infoleak-to-userspace.patch new file mode 100644 index 0000000..9d748fa --- /dev/null +++ b/queue/staging-comedi-fix-infoleak-to-userspace.patch @@ -0,0 +1,36 @@ +From 7dbc6c5b141b6f22b0198aa5ccba326a0a5434a5 Mon Sep 17 00:00:00 2001 +From: Vasiliy Kulikov <segoon@openwall.com> +Date: Sun, 26 Jun 2011 12:56:22 +0400 +Subject: [PATCH] staging: comedi: fix infoleak to userspace + +commit 819cbb120eaec7e014e5abd029260db1ca8c5735 upstream. + +driver_name and board_name are pointers to strings, not buffers of size +COMEDI_NAMELEN. Copying COMEDI_NAMELEN bytes of a string containing +less than COMEDI_NAMELEN-1 bytes would leak some unrelated bytes. + +Signed-off-by: Vasiliy Kulikov <segoon@openwall.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/staging/comedi/comedi_fops.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/drivers/staging/comedi/comedi_fops.c b/drivers/staging/comedi/comedi_fops.c +index aca9674..ac6527c 100644 +--- a/drivers/staging/comedi/comedi_fops.c ++++ b/drivers/staging/comedi/comedi_fops.c +@@ -362,8 +362,8 @@ static int do_devinfo_ioctl(struct comedi_device *dev, + /* fill devinfo structure */ + devinfo.version_code = COMEDI_VERSION_CODE; + devinfo.n_subdevs = dev->n_subdevices; +- memcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); +- memcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); ++ strlcpy(devinfo.driver_name, dev->driver->driver_name, COMEDI_NAMELEN); ++ strlcpy(devinfo.board_name, dev->board_name, COMEDI_NAMELEN); + + if (read_subdev) + devinfo.read_subdevice = read_subdev - dev->subdevices; +-- +1.7.9.6 + diff --git a/queue/svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch b/queue/svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch new file mode 100644 index 0000000..55d2896 --- /dev/null +++ b/queue/svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch @@ -0,0 +1,56 @@ +From 5a3cf4f2f735d1af76fb06e45bc6340d8fe7485f Mon Sep 17 00:00:00 2001 +From: "J. Bruce Fields" <bfields@redhat.com> +Date: Wed, 29 Jun 2011 16:49:04 -0400 +Subject: [PATCH] svcrpc: fix list-corrupting race on nfsd shutdown + +commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream. + +After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd: +split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no +longer removed its xpt_ready (then sk_ready) field from whatever list it +was on, noting that there was no point since the whole list was about to +be destroyed anyway. + +That was mostly true, but forgot that a few svc_xprt_enqueue()'s might +still be hanging around playing with the about-to-be-destroyed list, and +could get themselves into trouble writing to freed memory if we left +this xprt on the list after freeing it. + +(This is actually functionally identical to a patch made first by Ben +Greear, but with more comments.) + +Cc: gnb@fmeh.org +Reported-by: Ben Greear <greearb@candelatech.com> +Tested-by: Ben Greear <greearb@candelatech.com> +Signed-off-by: J. Bruce Fields <bfields@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + net/sunrpc/svc_xprt.c | 11 ++++++----- + 1 file changed, 6 insertions(+), 5 deletions(-) + +diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c +index aa1d2c6..33df29b 100644 +--- a/net/sunrpc/svc_xprt.c ++++ b/net/sunrpc/svc_xprt.c +@@ -892,12 +892,13 @@ void svc_delete_xprt(struct svc_xprt *xprt) + if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags)) + list_del_init(&xprt->xpt_list); + /* +- * We used to delete the transport from whichever list +- * it's sk_xprt.xpt_ready node was on, but we don't actually +- * need to. This is because the only time we're called +- * while still attached to a queue, the queue itself +- * is about to be destroyed (in svc_destroy). ++ * The only time we're called while xpt_ready is still on a list ++ * is while the list itself is about to be destroyed (in ++ * svc_destroy). BUT svc_xprt_enqueue could still be attempting ++ * to add new entries to the sp_sockets list, so we can't leave ++ * a freed xprt on it. + */ ++ list_del_init(&xprt->xpt_ready); + if (test_bit(XPT_TEMP, &xprt->xpt_flags)) + serv->sv_tmpcnt--; + +-- +1.7.9.6 + diff --git a/queue/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and-.patch b/queue/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and-.patch new file mode 100644 index 0000000..392f1f7 --- /dev/null +++ b/queue/v4l2-ioctl.c-prefill-tuner-type-for-g_frequency-and-.patch @@ -0,0 +1,58 @@ +From 47fa6a859698cd40b361dc84a34e237cae7c62d5 Mon Sep 17 00:00:00 2001 +From: Hans Verkuil <hans.verkuil@cisco.com> +Date: Sun, 12 Jun 2011 06:36:41 -0300 +Subject: [PATCH] v4l2-ioctl.c: prefill tuner type for g_frequency and + g/s_tuner + +commit 227690df75382e46a4f6ea1bbc5df855a674b47f upstream. + +The subdevs are supposed to receive a valid tuner type for the g_frequency +and g/s_tuner subdev ops. Some drivers do this, others don't. So prefill +this in v4l2-ioctl.c based on whether the device node from which this is +called is a radio node or not. + +The spec does not require applications to fill in the type, and if they +leave it at 0 then the 'check_mode' call in tuner-core.c will return +an error and the ioctl does nothing. + +Signed-off-by: Hans Verkuil <hans.verkuil@cisco.com> +Signed-off-by: Mauro Carvalho Chehab <mchehab@redhat.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + drivers/media/video/v4l2-ioctl.c | 6 ++++++ + 1 file changed, 6 insertions(+) + +diff --git a/drivers/media/video/v4l2-ioctl.c b/drivers/media/video/v4l2-ioctl.c +index 7d59c10..e3de802 100644 +--- a/drivers/media/video/v4l2-ioctl.c ++++ b/drivers/media/video/v4l2-ioctl.c +@@ -1633,6 +1633,8 @@ static long __video_do_ioctl(struct file *file, + if (!ops->vidioc_g_tuner) + break; + ++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ? ++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV; + ret = ops->vidioc_g_tuner(file, fh, p); + if (!ret) + dbgarg(cmd, "index=%d, name=%s, type=%d, " +@@ -1651,6 +1653,8 @@ static long __video_do_ioctl(struct file *file, + + if (!ops->vidioc_s_tuner) + break; ++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ? ++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV; + dbgarg(cmd, "index=%d, name=%s, type=%d, " + "capability=0x%x, rangelow=%d, " + "rangehigh=%d, signal=%d, afc=%d, " +@@ -1669,6 +1673,8 @@ static long __video_do_ioctl(struct file *file, + if (!ops->vidioc_g_frequency) + break; + ++ p->type = (vfd->vfl_type == VFL_TYPE_RADIO) ? ++ V4L2_TUNER_RADIO : V4L2_TUNER_ANALOG_TV; + ret = ops->vidioc_g_frequency(file, fh, p); + if (!ret) + dbgarg(cmd, "tuner=%d, type=%d, frequency=%d\n", +-- +1.7.9.6 + diff --git a/queue/x86-HPET-Chose-a-paranoid-safe-value-for-the-ETIME-c.patch b/queue/x86-HPET-Chose-a-paranoid-safe-value-for-the-ETIME-c.patch new file mode 100644 index 0000000..3b8ea9f --- /dev/null +++ b/queue/x86-HPET-Chose-a-paranoid-safe-value-for-the-ETIME-c.patch @@ -0,0 +1,101 @@ +From 3200588d3e52ca75b7a97728067ee7b050fc6c24 Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Mon, 13 Dec 2010 12:43:23 +0100 +Subject: [PATCH] x86: HPET: Chose a paranoid safe value for the ETIME check + +commit f1c18071ad70e2a78ab31fc26a18fcfa954a05c6 upstream. + +commit 995bd3bb5 (x86: Hpet: Avoid the comparator readback penalty) +chose 8 HPET cycles as a safe value for the ETIME check, as we had the +confirmation that the posted write to the comparator register is +delayed by two HPET clock cycles on Intel chipsets which showed +readback problems. + +After that patch hit mainline we got reports from machines with newer +AMD chipsets which seem to have an even longer delay. See +http://thread.gmane.org/gmane.linux.kernel/1054283 and +http://thread.gmane.org/gmane.linux.kernel/1069458 for further +information. + +Boris tried to come up with an ACPI based selection of the minimum +HPET cycles, but this failed on a couple of test machines. And of +course we did not get any useful information from the hardware folks. + +For now our only option is to chose a paranoid high and safe value for +the minimum HPET cycles used by the ETIME check. Adjust the minimum ns +value for the HPET clockevent accordingly. + +Reported-Bistected-and-Tested-by: Markus Trippelsdorf <markus@trippelsdorf.de> +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +LKML-Reference: <alpine.LFD.2.00.1012131222420.2653@localhost6.localdomain6> +Cc: Simon Kirby <sim@hostway.ca> +Cc: Borislav Petkov <bp@alien8.de> +Cc: Andreas Herrmann <Andreas.Herrmann3@amd.com> +Cc: John Stultz <johnstul@us.ibm.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/x86/kernel/hpet.c | 26 ++++++++++++++++---------- + 1 file changed, 16 insertions(+), 10 deletions(-) + +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index e3be610..2de7aaf 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -28,6 +28,9 @@ + #define HPET_DEV_FSB_CAP 0x1000 + #define HPET_DEV_PERI_CAP 0x2000 + ++#define HPET_MIN_CYCLES 128 ++#define HPET_MIN_PROG_DELTA (HPET_MIN_CYCLES + (HPET_MIN_CYCLES >> 1)) ++ + #define EVT_TO_HPET_DEV(evt) container_of(evt, struct hpet_dev, evt) + + /* +@@ -300,8 +303,9 @@ static void hpet_legacy_clockevent_register(void) + /* Calculate the min / max delta */ + hpet_clockevent.max_delta_ns = clockevent_delta2ns(0x7FFFFFFF, + &hpet_clockevent); +- /* 5 usec minimum reprogramming delta. */ +- hpet_clockevent.min_delta_ns = 5000; ++ /* Setup minimum reprogramming delta. */ ++ hpet_clockevent.min_delta_ns = clockevent_delta2ns(HPET_MIN_PROG_DELTA, ++ &hpet_clockevent); + + /* + * Start hpet with the boot cpu mask and make it +@@ -394,22 +398,24 @@ static int hpet_next_event(unsigned long delta, + * the wraparound into account) nor a simple count down event + * mode. Further the write to the comparator register is + * delayed internally up to two HPET clock cycles in certain +- * chipsets (ATI, ICH9,10). We worked around that by reading +- * back the compare register, but that required another +- * workaround for ICH9,10 chips where the first readout after +- * write can return the old stale value. We already have a +- * minimum delta of 5us enforced, but a NMI or SMI hitting ++ * chipsets (ATI, ICH9,10). Some newer AMD chipsets have even ++ * longer delays. We worked around that by reading back the ++ * compare register, but that required another workaround for ++ * ICH9,10 chips where the first readout after write can ++ * return the old stale value. We already had a minimum ++ * programming delta of 5us enforced, but a NMI or SMI hitting + * between the counter readout and the comparator write can + * move us behind that point easily. Now instead of reading + * the compare register back several times, we make the ETIME + * decision based on the following: Return ETIME if the +- * counter value after the write is less than 8 HPET cycles ++ * counter value after the write is less than HPET_MIN_CYCLES + * away from the event or if the counter is already ahead of +- * the event. ++ * the event. The minimum programming delta for the generic ++ * clockevents code is set to 1.5 * HPET_MIN_CYCLES. + */ + res = (s32)(cnt - hpet_readl(HPET_COUNTER)); + +- return res < 8 ? -ETIME : 0; ++ return res < HPET_MIN_CYCLES ? -ETIME : 0; + } + + static void hpet_legacy_set_mode(enum clock_event_mode mode, +-- +1.7.9.6 + diff --git a/queue/x86-Hpet-Avoid-the-comparator-readback-penalty.patch b/queue/x86-Hpet-Avoid-the-comparator-readback-penalty.patch new file mode 100644 index 0000000..8422bef --- /dev/null +++ b/queue/x86-Hpet-Avoid-the-comparator-readback-penalty.patch @@ -0,0 +1,118 @@ +From edf9285c563f5e2b23947ff33f753c85d69a781e Mon Sep 17 00:00:00 2001 +From: Thomas Gleixner <tglx@linutronix.de> +Date: Wed, 15 Sep 2010 15:11:57 +0200 +Subject: [PATCH] x86: Hpet: Avoid the comparator readback penalty + +commit 995bd3bb5c78f3ff71339803c0b8337ed36d64fb upstream. + +Due to the overly intelligent design of HPETs, we need to workaround +the problem that the compare value which we write is already behind +the actual counter value at the point where the value hits the real +compare register. This happens for two reasons: + +1) We read out the counter, add the delta and write the result to the + compare register. When a NMI or SMI hits between the read out and + the write then the counter can be ahead of the event already + +2) The write to the compare register is delayed by up to two HPET + cycles in certain chipsets. + +We worked around this by reading back the compare register to make +sure that the written value has hit the hardware. For certain ICH9+ +chipsets this can require two readouts, as the first one can return +the previous compare register value. That's bad performance wise for +the normal case where the event is far enough in the future. + +As we already know that the write can be delayed by up to two cycles +we can avoid the read back of the compare register completely if we +make the decision whether the delta has elapsed already or not based +on the following calculation: + + cmp = event - actual_count; + +If cmp is less than 8 HPET clock cycles, then we decide that the event +has happened already and return -ETIME. That covers the above #1 and +seconds). + +Signed-off-by: Thomas Gleixner <tglx@linutronix.de> +Tested-by: Nix <nix@esperi.org.uk> +Tested-by: Artur Skawina <art.08.09@gmail.com> +Cc: Damien Wyart <damien.wyart@free.fr> +Tested-by: John Drescher <drescherjm@gmail.com> +Cc: Venkatesh Pallipadi <venki@google.com> +Cc: Arjan van de Ven <arjan@linux.intel.com> +Cc: Andreas Herrmann <andreas.herrmann3@amd.com> +Tested-by: Borislav Petkov <borislav.petkov@amd.com> +Cc: Suresh Siddha <suresh.b.siddha@intel.com> +LKML-Reference: <alpine.LFD.2.00.1009151500060.2416@localhost6.localdomain6> +[PG: diffstat differs from 995bd3bb since deleted comment was re-wrapped] +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/x86/kernel/hpet.c | 43 +++++++++++++++++++++---------------------- + 1 file changed, 21 insertions(+), 22 deletions(-) + +diff --git a/arch/x86/kernel/hpet.c b/arch/x86/kernel/hpet.c +index c5f8121..e3be610 100644 +--- a/arch/x86/kernel/hpet.c ++++ b/arch/x86/kernel/hpet.c +@@ -381,36 +381,35 @@ static int hpet_next_event(unsigned long delta, + struct clock_event_device *evt, int timer) + { + u32 cnt; ++ s32 res; + + cnt = hpet_readl(HPET_COUNTER); + cnt += (u32) delta; + hpet_writel(cnt, HPET_Tn_CMP(timer)); + + /* +- * We need to read back the CMP register on certain HPET +- * implementations (ATI chipsets) which seem to delay the +- * transfer of the compare register into the internal compare +- * logic. With small deltas this might actually be too late as +- * the counter could already be higher than the compare value +- * at that point and we would wait for the next hpet interrupt +- * forever. We found out that reading the CMP register back +- * forces the transfer so we can rely on the comparison with +- * the counter register below. If the read back from the +- * compare register does not match the value we programmed +- * then we might have a real hardware problem. We can not do +- * much about it here, but at least alert the user/admin with +- * a prominent warning. +- * An erratum on some chipsets (ICH9,..), results in comparator read +- * immediately following a write returning old value. Workaround +- * for this is to read this value second time, when first +- * read returns old value. ++ * HPETs are a complete disaster. The compare register is ++ * based on a equal comparison and neither provides a less ++ * than or equal functionality (which would require to take ++ * the wraparound into account) nor a simple count down event ++ * mode. Further the write to the comparator register is ++ * delayed internally up to two HPET clock cycles in certain ++ * chipsets (ATI, ICH9,10). We worked around that by reading ++ * back the compare register, but that required another ++ * workaround for ICH9,10 chips where the first readout after ++ * write can return the old stale value. We already have a ++ * minimum delta of 5us enforced, but a NMI or SMI hitting ++ * between the counter readout and the comparator write can ++ * move us behind that point easily. Now instead of reading ++ * the compare register back several times, we make the ETIME ++ * decision based on the following: Return ETIME if the ++ * counter value after the write is less than 8 HPET cycles ++ * away from the event or if the counter is already ahead of ++ * the event. + */ +- if (unlikely((u32)hpet_readl(HPET_Tn_CMP(timer)) != cnt)) { +- WARN_ONCE(hpet_readl(HPET_Tn_CMP(timer)) != cnt, +- KERN_WARNING "hpet: compare register read back failed.\n"); +- } ++ res = (s32)(cnt - hpet_readl(HPET_COUNTER)); + +- return (s32)(hpet_readl(HPET_COUNTER) - cnt) >= 0 ? -ETIME : 0; ++ return res < 8 ? -ETIME : 0; + } + + static void hpet_legacy_set_mode(enum clock_event_mode mode, +-- +1.7.9.6 + diff --git a/queue/x86-Make-Dell-Latitude-E5420-use-reboot-pci.patch b/queue/x86-Make-Dell-Latitude-E5420-use-reboot-pci.patch new file mode 100644 index 0000000..3cbe9d2 --- /dev/null +++ b/queue/x86-Make-Dell-Latitude-E5420-use-reboot-pci.patch @@ -0,0 +1,45 @@ +From af9eea63032344a786e9d3823db14e6793dff374 Mon Sep 17 00:00:00 2001 +From: Daniel J Blueman <daniel.blueman@gmail.com> +Date: Fri, 13 May 2011 09:04:59 +0800 +Subject: [PATCH] x86: Make Dell Latitude E5420 use reboot=pci + +commit b7798d28ec15d20fd34b70fa57eb13f0cf6d1ecd upstream. + +Rebooting on the Dell E5420 often hangs with the keyboard or ACPI +methods, but is reliable via the PCI method. + +[ hpa: this was deferred because we believed for a long time that the + recent reshuffling of the boot priorities in commit + 660e34cebf0a11d54f2d5dd8838607452355f321 fixed this platform. + Unfortunately that turned out to be incorrect. ] + +Signed-off-by: Daniel J Blueman <daniel.blueman@gmail.com> +Link: http://lkml.kernel.org/r/1305248699-2347-1-git-send-email-daniel.blueman@gmail.com +Signed-off-by: H. Peter Anvin <hpa@zytor.com> +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/x86/kernel/reboot.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git a/arch/x86/kernel/reboot.c b/arch/x86/kernel/reboot.c +index ff8cc40..7a5cb07 100644 +--- a/arch/x86/kernel/reboot.c ++++ b/arch/x86/kernel/reboot.c +@@ -469,6 +469,14 @@ static struct dmi_system_id __initdata pci_reboot_dmi_table[] = { + DMI_MATCH(DMI_PRODUCT_NAME, "iMac9,1"), + }, + }, ++ { /* Handle problems with rebooting on the Latitude E5420. */ ++ .callback = set_pci_reboot, ++ .ident = "Dell Latitude E5420", ++ .matches = { ++ DMI_MATCH(DMI_SYS_VENDOR, "Dell Inc."), ++ DMI_MATCH(DMI_PRODUCT_NAME, "Latitude E5420"), ++ }, ++ }, + { } + }; + +-- +1.7.9.6 + diff --git a/queue/xtensa-prevent-arbitrary-read-in-ptrace.patch b/queue/xtensa-prevent-arbitrary-read-in-ptrace.patch new file mode 100644 index 0000000..85beed7 --- /dev/null +++ b/queue/xtensa-prevent-arbitrary-read-in-ptrace.patch @@ -0,0 +1,39 @@ +From fe7d71b925ae48e36ca4b56027eb7ec96b42e9df Mon Sep 17 00:00:00 2001 +From: Dan Rosenberg <drosenberg@vsecurity.com> +Date: Mon, 25 Jul 2011 17:11:53 -0700 +Subject: [PATCH] xtensa: prevent arbitrary read in ptrace + +commit 0d0138ebe24b94065580bd2601f8bb7eb6152f56 upstream. + +Prevent an arbitrary kernel read. Check the user pointer with access_ok() +before copying data in. + +[akpm@linux-foundation.org: s/EIO/EFAULT/] +Signed-off-by: Dan Rosenberg <drosenberg@vsecurity.com> +Cc: Christian Zankel <chris@zankel.net> +Cc: Oleg Nesterov <oleg@redhat.com> +Signed-off-by: Andrew Morton <akpm@linux-foundation.org> +Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> + +Signed-off-by: Paul Gortmaker <paul.gortmaker@windriver.com> +--- + arch/xtensa/kernel/ptrace.c | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/arch/xtensa/kernel/ptrace.c b/arch/xtensa/kernel/ptrace.c +index 9d4e1ce..f0ccfc7 100644 +--- a/arch/xtensa/kernel/ptrace.c ++++ b/arch/xtensa/kernel/ptrace.c +@@ -147,6 +147,9 @@ int ptrace_setxregs(struct task_struct *child, void __user *uregs) + elf_xtregs_t *xtregs = uregs; + int ret = 0; + ++ if (!access_ok(VERIFY_READ, uregs, sizeof(elf_xtregs_t))) ++ return -EFAULT; ++ + #if XTENSA_HAVE_COPROCESSORS + /* Flush all coprocessors before we overwrite them. */ + coprocessor_flush_all(ti); +-- +1.7.9.6 + |