3.0 patches

5 files changed, 292 insertions, 0 deletions

diff --git a/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch b/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch
new file mode 100644
index 0000000000..e6ffd3a917
--- /dev/null
+++ b/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch
@@ -0,0 +1,53 @@
+From fbe5e29ec1886967255e76946aaf537b8cc9b81e Mon Sep 17 00:00:00 2001
+From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com>
+Date: Fri, 19 Aug 2011 12:04:20 +0000
+Subject: atm: br2684: Fix oops due to skb->dev being NULL
+
+From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com>
+
+commit fbe5e29ec1886967255e76946aaf537b8cc9b81e upstream.
+
+This oops have been already fixed with commit
+
+    27141666b69f535a4d63d7bc6d9e84ee5032f82a
+
+    atm: [br2684] Fix oops due to skb->dev being NULL
+
+    It happens that if a packet arrives in a VC between the call to open it on
+    the hardware and the call to change the backend to br2684, br2684_regvcc
+    processes the packet and oopses dereferencing skb->dev because it is
+    NULL before the call to br2684_push().
+
+but have been introduced again with commit
+
+    b6211ae7f2e56837c6a4849316396d1535606e90
+
+    atm: Use SKB queue and list helpers instead of doing it by-hand.
+
+Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ net/atm/br2684.c |    7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+--- a/net/atm/br2684.c
++++ b/net/atm/br2684.c
+@@ -558,12 +558,13 @@ static int br2684_regvcc(struct atm_vcc
+ 	spin_unlock_irqrestore(&rq->lock, flags);
+ 
+ 	skb_queue_walk_safe(&queue, skb, tmp) {
+-		struct net_device *dev = skb->dev;
++		struct net_device *dev;
++
++		br2684_push(atmvcc, skb);
++		dev = skb->dev;
+ 
+ 		dev->stats.rx_bytes -= skb->len;
+ 		dev->stats.rx_packets--;
+-
+-		br2684_push(atmvcc, skb);
+ 	}
+ 
+ 	/* initialize netdev carrier state */
diff --git a/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch b/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch
new file mode 100644
index 0000000000..5e15a6fc17
--- /dev/null
+++ b/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch
@@ -0,0 +1,59 @@
+From 6d0e194d2eefcaab6dbdca1f639748660144acb5 Mon Sep 17 00:00:00 2001
+From: Tejun Heo <tj@kernel.org>
+Date: Thu, 4 Aug 2011 11:15:07 +0200
+Subject: pata_via: disable ATAPI DMA on AVERATEC 3200
+
+From: Tejun Heo <tj@kernel.org>
+
+commit 6d0e194d2eefcaab6dbdca1f639748660144acb5 upstream.
+
+On AVERATEC 3200, pata_via causes memory corruption with ATAPI DMA,
+which often leads to random kernel oops.  The cause of the problem is
+not well understood yet and only small subset of machines using the
+controller seem affected.  Blacklist ATAPI DMA on the machine.
+
+Signed-off-by: Tejun Heo <tj@kernel.org>
+Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=11426
+Reported-and-tested-by: Jim Bray <jimsantelmo@gmail.com>
+Cc: Alan Cox <alan@linux.intel.com>
+Signed-off-by: Jeff Garzik <jgarzik@pobox.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+
+---
+ drivers/ata/pata_via.c |   18 ++++++++++++++++++
+ 1 file changed, 18 insertions(+)
+
+--- a/drivers/ata/pata_via.c
++++ b/drivers/ata/pata_via.c
+@@ -124,6 +124,17 @@ static const struct via_isa_bridge {
+ 	{ NULL }
+ };
+ 
++static const struct dmi_system_id no_atapi_dma_dmi_table[] = {
++	{
++		.ident = "AVERATEC 3200",
++		.matches = {
++			DMI_MATCH(DMI_BOARD_VENDOR, "AVERATEC"),
++			DMI_MATCH(DMI_BOARD_NAME, "3200"),
++		},
++	},
++	{ }
++};
++
+ struct via_port {
+ 	u8 cached_device;
+ };
+@@ -355,6 +366,13 @@ static unsigned long via_mode_filter(str
+ 			mask &= ~ ATA_MASK_UDMA;
+ 		}
+ 	}
++
++	if (dev->class == ATA_DEV_ATAPI &&
++	    dmi_check_system(no_atapi_dma_dmi_table)) {
++		ata_dev_printk(dev, KERN_WARNING, "controller locks up on ATAPI DMA, forcing PIO\n");
++		mask &= ATA_MASK_PIO;
++	}
++
+ 	return mask;
+ }
+ 
diff --git a/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
new file mode 100644
index 0000000000..95aa53fd41
--- /dev/null
+++ b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch
@@ -0,0 +1,74 @@
+From sgruszka@redhat.com  Mon Aug 29 15:24:50 2011
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 25 Aug 2011 17:14:26 +0200
+Subject: rt2x00: fix crash in rt2800usb_get_txwi
+To: stable@kernel.org
+Cc: IvDoorn@gmail.com, Stanislaw Gruszka <sgruszka@redhat.com>, jpiszcz@lucidpixels.com, "John W. Linville" <linville@tuxdriver.com>
+Message-ID: <1314285266-5098-3-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+*pdpt = 0000000000000000 *pde = f000ff53f000ff53
+Oops: 0000 [#1] SMP
+Pid: 198, comm: kworker/u:3 Tainted: G        W   3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO
+EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1
+EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb]
+EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8
+ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000)
+Call Trace:
+ [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib]
+ [<c045110d>] ? warn_slowpath_common+0x7d/0xa0
+ [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb]
+ [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb]
+ [<c046a8d6>] process_one_work+0x186/0x440
+ [<c046a85a>] ? process_one_work+0x10a/0x440
+ [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb]
+ [<c046c283>] worker_thread+0x133/0x310
+ [<c04885db>] ? trace_hardirqs_on+0xb/0x10
+ [<c046c150>] ? manage_workers+0x1e0/0x1e0
+ [<c047054c>] kthread+0x7c/0x90
+ [<c04704d0>] ? __init_kthread_worker+0x60/0x60
+ [<c0826b42>] kernel_thread_helper+0x6/0x1
+
+Oops might happen because we check rt2x00queue_empty(queue) twice,
+but this condition can change and we can process entry in
+rt2800_txdone_entry(), which was already processed by
+rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and
+has nullify entry->skb .
+
+Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c |    7 +++----
+ 1 file changed, 3 insertions(+), 4 deletions(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -764,12 +764,11 @@ void rt2800_txdone(struct rt2x00_dev *rt
+ 			entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+ 			if (rt2800_txdone_entry_check(entry, reg))
+ 				break;
++			entry = NULL;
+ 		}
+ 
+-		if (!entry || rt2x00queue_empty(queue))
+-			break;
+-
+-		rt2800_txdone_entry(entry, reg);
++		if (entry)
++			rt2800_txdone_entry(entry, reg);
+ 	}
+ }
+ EXPORT_SYMBOL_GPL(rt2800_txdone);
diff --git a/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
new file mode 100644
index 0000000000..89a86ae356
--- /dev/null
+++ b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
@@ -0,0 +1,102 @@
+From sgruszka@redhat.com  Mon Aug 29 15:23:55 2011
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+Date: Thu, 25 Aug 2011 17:14:24 +0200
+Subject: rt2x00: fix crash in rt2800usb_write_tx_desc
+To: stable@kernel.org
+Cc: IvDoorn@gmail.com, Stanislaw Gruszka <sgruszka@redhat.com>, jpiszcz@lucidpixels.com, "John W. Linville" <linville@tuxdriver.com>
+Message-ID: <1314285266-5098-1-git-send-email-sgruszka@redhat.com>
+
+From: Stanislaw Gruszka <sgruszka@redhat.com>
+
+commit 4b1bfb7d2d125af6653d6c2305356b2677f79dc6 upstream.
+
+Patch should fix this oops:
+
+BUG: unable to handle kernel NULL pointer dereference at 000000a0
+IP: [<f8e06078>] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+*pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000
+Oops: 0000 [#1] SMP
+EIP: 0060:[<f8e06078>] EFLAGS: 00010282 CPU: 0
+EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb]
+EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0
+ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c
+ DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068
+Call Trace:
+ [<f8da5e85>] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib]
+ [<f8da424c>] rt2x00mac_tx+0x7c/0x370 [rt2x00lib]
+ [<c04882b2>] ? mark_held_locks+0x62/0x90
+ [<c081f645>] ? _raw_spin_unlock_irqrestore+0x35/0x60
+ [<c04884ba>] ? trace_hardirqs_on_caller+0x5a/0x170
+ [<c04885db>] ? trace_hardirqs_on+0xb/0x10
+ [<f8d618ac>] __ieee80211_tx+0x5c/0x1e0 [mac80211]
+ [<f8d631fc>] ieee80211_tx+0xbc/0xe0 [mac80211]
+ [<f8d63163>] ? ieee80211_tx+0x23/0xe0 [mac80211]
+ [<f8d632e1>] ieee80211_xmit+0xc1/0x200 [mac80211]
+ [<f8d63220>] ? ieee80211_tx+0xe0/0xe0 [mac80211]
+ [<c0487d45>] ? lock_release_holdtime+0x35/0x1b0
+ [<f8d63986>] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211]
+ [<f8d637dd>] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211]
+ [<f8d63924>] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211]
+ [<c0760188>] ? sock_setsockopt+0x6a8/0x6f0
+ [<c0760000>] ? sock_setsockopt+0x520/0x6f0
+ [<c076daef>] dev_hard_start_xmit+0x2ef/0x650
+
+Oops might happen because we perform parallel putting new entries in a
+queue (rt2x00queue_write_tx_frame()) and removing entries after
+finishing transmitting (rt2800usb_work_txdone()). There are cases when
+_txdone may process an entry that was not fully send and nullify
+entry->skb .
+
+To fix check in _txdone if entry has flags that indicate pending
+transmission and wait until flags get cleared.
+
+Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com>
+Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com>
+Acked-by: Ivo van Doorn <IvDoorn@gmail.com>
+Signed-off-by: John W. Linville <linville@tuxdriver.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
+---
+ drivers/net/wireless/rt2x00/rt2800lib.c |   10 ++++++++++
+ drivers/net/wireless/rt2x00/rt2800usb.c |    4 +++-
+ 2 files changed, 13 insertions(+), 1 deletion(-)
+
+--- a/drivers/net/wireless/rt2x00/rt2800lib.c
++++ b/drivers/net/wireless/rt2x00/rt2800lib.c
+@@ -38,6 +38,7 @@
+ #include <linux/kernel.h>
+ #include <linux/module.h>
+ #include <linux/slab.h>
++#include <linux/sched.h>
+ 
+ #include "rt2x00.h"
+ #include "rt2800lib.h"
+@@ -607,6 +608,15 @@ static bool rt2800_txdone_entry_check(st
+ 	int wcid, ack, pid;
+ 	int tx_wcid, tx_ack, tx_pid;
+ 
++	if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++	    !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags)) {
++		WARNING(entry->queue->rt2x00dev,
++			"Data pending for entry %u in queue %u\n",
++			entry->entry_idx, entry->queue->qid);
++		cond_resched();
++		return false;
++	}
++
+ 	wcid	= rt2x00_get_field32(reg, TX_STA_FIFO_WCID);
+ 	ack	= rt2x00_get_field32(reg, TX_STA_FIFO_TX_ACK_REQUIRED);
+ 	pid	= rt2x00_get_field32(reg, TX_STA_FIFO_PID_TYPE);
+--- a/drivers/net/wireless/rt2x00/rt2800usb.c
++++ b/drivers/net/wireless/rt2x00/rt2800usb.c
+@@ -477,8 +477,10 @@ static void rt2800usb_work_txdone(struct
+ 		while (!rt2x00queue_empty(queue)) {
+ 			entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE);
+ 
+-			if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags))
++			if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) ||
++			    !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags))
+ 				break;
++
+ 			if (test_bit(ENTRY_DATA_IO_FAILED, &entry->flags))
+ 				rt2x00lib_txdone_noinfo(entry, TXDONE_FAILURE);
+ 			else if (rt2x00queue_status_timeout(entry))
diff --git a/queue-3.0/series b/queue-3.0/series
index c4d87ebad0..f45ac717b9 100644
--- a/queue-3.0/series
+++ b/queue-3.0/series
@@ -33,3 +33,7 @@ ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch
 rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch
 mac80211-fix-suspend-resume-races-with-unregister-hw.patch
 savagedb-fix-typo-causing-regression-in-savage4-series.patch
+pata_via-disable-atapi-dma-on-averatec-3200.patch
+atm-br2684-fix-oops-due-to-skb-dev-being-null.patch
+rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch
+rt2x00-fix-crash-in-rt2800usb_get_txwi.patch