diff options
author | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-29 15:30:49 -0700 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@suse.de> | 2011-08-29 15:30:49 -0700 |
commit | 42c4d8d501c0c167dab8d441366d59f2ff6104da (patch) | |
tree | 15b832b3617722270cbe03f9c7d575323f438773 | |
parent | 9c3f4e51f8ba993c1c27984bb1ef58624b1000c6 (diff) | |
download | stable-queue-42c4d8d501c0c167dab8d441366d59f2ff6104da.tar.gz |
3.0 patches
-rw-r--r-- | queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch | 53 | ||||
-rw-r--r-- | queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch | 59 | ||||
-rw-r--r-- | queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch | 74 | ||||
-rw-r--r-- | queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch | 102 | ||||
-rw-r--r-- | queue-3.0/series | 4 |
5 files changed, 292 insertions, 0 deletions
diff --git a/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch b/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch new file mode 100644 index 0000000000..e6ffd3a917 --- /dev/null +++ b/queue-3.0/atm-br2684-fix-oops-due-to-skb-dev-being-null.patch @@ -0,0 +1,53 @@ +From fbe5e29ec1886967255e76946aaf537b8cc9b81e Mon Sep 17 00:00:00 2001 +From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Date: Fri, 19 Aug 2011 12:04:20 +0000 +Subject: atm: br2684: Fix oops due to skb->dev being NULL + +From: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> + +commit fbe5e29ec1886967255e76946aaf537b8cc9b81e upstream. + +This oops have been already fixed with commit + + 27141666b69f535a4d63d7bc6d9e84ee5032f82a + + atm: [br2684] Fix oops due to skb->dev being NULL + + It happens that if a packet arrives in a VC between the call to open it on + the hardware and the call to change the backend to br2684, br2684_regvcc + processes the packet and oopses dereferencing skb->dev because it is + NULL before the call to br2684_push(). + +but have been introduced again with commit + + b6211ae7f2e56837c6a4849316396d1535606e90 + + atm: Use SKB queue and list helpers instead of doing it by-hand. + +Signed-off-by: Daniel Schwierzeck <daniel.schwierzeck@googlemail.com> +Signed-off-by: David S. Miller <davem@davemloft.net> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + net/atm/br2684.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +--- a/net/atm/br2684.c ++++ b/net/atm/br2684.c +@@ -558,12 +558,13 @@ static int br2684_regvcc(struct atm_vcc + spin_unlock_irqrestore(&rq->lock, flags); + + skb_queue_walk_safe(&queue, skb, tmp) { +- struct net_device *dev = skb->dev; ++ struct net_device *dev; ++ ++ br2684_push(atmvcc, skb); ++ dev = skb->dev; + + dev->stats.rx_bytes -= skb->len; + dev->stats.rx_packets--; +- +- br2684_push(atmvcc, skb); + } + + /* initialize netdev carrier state */ diff --git a/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch b/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch new file mode 100644 index 0000000000..5e15a6fc17 --- /dev/null +++ b/queue-3.0/pata_via-disable-atapi-dma-on-averatec-3200.patch @@ -0,0 +1,59 @@ +From 6d0e194d2eefcaab6dbdca1f639748660144acb5 Mon Sep 17 00:00:00 2001 +From: Tejun Heo <tj@kernel.org> +Date: Thu, 4 Aug 2011 11:15:07 +0200 +Subject: pata_via: disable ATAPI DMA on AVERATEC 3200 + +From: Tejun Heo <tj@kernel.org> + +commit 6d0e194d2eefcaab6dbdca1f639748660144acb5 upstream. + +On AVERATEC 3200, pata_via causes memory corruption with ATAPI DMA, +which often leads to random kernel oops. The cause of the problem is +not well understood yet and only small subset of machines using the +controller seem affected. Blacklist ATAPI DMA on the machine. + +Signed-off-by: Tejun Heo <tj@kernel.org> +Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=11426 +Reported-and-tested-by: Jim Bray <jimsantelmo@gmail.com> +Cc: Alan Cox <alan@linux.intel.com> +Signed-off-by: Jeff Garzik <jgarzik@pobox.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> + +--- + drivers/ata/pata_via.c | 18 ++++++++++++++++++ + 1 file changed, 18 insertions(+) + +--- a/drivers/ata/pata_via.c ++++ b/drivers/ata/pata_via.c +@@ -124,6 +124,17 @@ static const struct via_isa_bridge { + { NULL } + }; + ++static const struct dmi_system_id no_atapi_dma_dmi_table[] = { ++ { ++ .ident = "AVERATEC 3200", ++ .matches = { ++ DMI_MATCH(DMI_BOARD_VENDOR, "AVERATEC"), ++ DMI_MATCH(DMI_BOARD_NAME, "3200"), ++ }, ++ }, ++ { } ++}; ++ + struct via_port { + u8 cached_device; + }; +@@ -355,6 +366,13 @@ static unsigned long via_mode_filter(str + mask &= ~ ATA_MASK_UDMA; + } + } ++ ++ if (dev->class == ATA_DEV_ATAPI && ++ dmi_check_system(no_atapi_dma_dmi_table)) { ++ ata_dev_printk(dev, KERN_WARNING, "controller locks up on ATAPI DMA, forcing PIO\n"); ++ mask &= ATA_MASK_PIO; ++ } ++ + return mask; + } + diff --git a/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch new file mode 100644 index 0000000000..95aa53fd41 --- /dev/null +++ b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_get_txwi.patch @@ -0,0 +1,74 @@ +From sgruszka@redhat.com Mon Aug 29 15:24:50 2011 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Thu, 25 Aug 2011 17:14:26 +0200 +Subject: rt2x00: fix crash in rt2800usb_get_txwi +To: stable@kernel.org +Cc: IvDoorn@gmail.com, Stanislaw Gruszka <sgruszka@redhat.com>, jpiszcz@lucidpixels.com, "John W. Linville" <linville@tuxdriver.com> +Message-ID: <1314285266-5098-3-git-send-email-sgruszka@redhat.com> + +From: Stanislaw Gruszka <sgruszka@redhat.com> + +commit 674db1344443204b6ce3293f2df8fd1b7665deea upstream. + +Patch should fix this oops: + +BUG: unable to handle kernel NULL pointer dereference at 000000a0 +IP: [<f81b30c9>] rt2800usb_get_txwi+0x19/0x70 [rt2800usb] +*pdpt = 0000000000000000 *pde = f000ff53f000ff53 +Oops: 0000 [#1] SMP +Pid: 198, comm: kworker/u:3 Tainted: G W 3.0.0-wl+ #9 LENOVO 6369CTO/6369CTO +EIP: 0060:[<f81b30c9>] EFLAGS: 00010283 CPU: 1 +EIP is at rt2800usb_get_txwi+0x19/0x70 [rt2800usb] +EAX: 00000000 EBX: f465e140 ECX: f4494960 EDX: ef24c5f8 +ESI: 810f21f5 EDI: f1da9960 EBP: f4581e80 ESP: f4581e70 + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +Process kworker/u:3 (pid: 198, ti=f4580000 task=f4494960 task.ti=f4580000) +Call Trace: + [<f804790f>] rt2800_txdone_entry+0x2f/0xf0 [rt2800lib] + [<c045110d>] ? warn_slowpath_common+0x7d/0xa0 + [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] + [<f81b3a38>] ? rt2800usb_work_txdone+0x288/0x360 [rt2800usb] + [<f81b3a13>] rt2800usb_work_txdone+0x263/0x360 [rt2800usb] + [<c046a8d6>] process_one_work+0x186/0x440 + [<c046a85a>] ? process_one_work+0x10a/0x440 + [<f81b37b0>] ? rt2800usb_probe_hw+0x120/0x120 [rt2800usb] + [<c046c283>] worker_thread+0x133/0x310 + [<c04885db>] ? trace_hardirqs_on+0xb/0x10 + [<c046c150>] ? manage_workers+0x1e0/0x1e0 + [<c047054c>] kthread+0x7c/0x90 + [<c04704d0>] ? __init_kthread_worker+0x60/0x60 + [<c0826b42>] kernel_thread_helper+0x6/0x1 + +Oops might happen because we check rt2x00queue_empty(queue) twice, +but this condition can change and we can process entry in +rt2800_txdone_entry(), which was already processed by +rt2800usb_txdone_entry_check() -> rt2x00lib_txdone_noinfo() and +has nullify entry->skb . + +Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com> +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Acked-by: Ivo van Doorn <IvDoorn@gmail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/net/wireless/rt2x00/rt2800lib.c | 7 +++---- + 1 file changed, 3 insertions(+), 4 deletions(-) + +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -764,12 +764,11 @@ void rt2800_txdone(struct rt2x00_dev *rt + entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE); + if (rt2800_txdone_entry_check(entry, reg)) + break; ++ entry = NULL; + } + +- if (!entry || rt2x00queue_empty(queue)) +- break; +- +- rt2800_txdone_entry(entry, reg); ++ if (entry) ++ rt2800_txdone_entry(entry, reg); + } + } + EXPORT_SYMBOL_GPL(rt2800_txdone); diff --git a/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch new file mode 100644 index 0000000000..89a86ae356 --- /dev/null +++ b/queue-3.0/rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch @@ -0,0 +1,102 @@ +From sgruszka@redhat.com Mon Aug 29 15:23:55 2011 +From: Stanislaw Gruszka <sgruszka@redhat.com> +Date: Thu, 25 Aug 2011 17:14:24 +0200 +Subject: rt2x00: fix crash in rt2800usb_write_tx_desc +To: stable@kernel.org +Cc: IvDoorn@gmail.com, Stanislaw Gruszka <sgruszka@redhat.com>, jpiszcz@lucidpixels.com, "John W. Linville" <linville@tuxdriver.com> +Message-ID: <1314285266-5098-1-git-send-email-sgruszka@redhat.com> + +From: Stanislaw Gruszka <sgruszka@redhat.com> + +commit 4b1bfb7d2d125af6653d6c2305356b2677f79dc6 upstream. + +Patch should fix this oops: + +BUG: unable to handle kernel NULL pointer dereference at 000000a0 +IP: [<f8e06078>] rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] +*pdpt = 000000002408c001 *pde = 0000000024079067 *pte = 0000000000000000 +Oops: 0000 [#1] SMP +EIP: 0060:[<f8e06078>] EFLAGS: 00010282 CPU: 0 +EIP is at rt2800usb_write_tx_desc+0x18/0xc0 [rt2800usb] +EAX: 00000035 EBX: ef2bef10 ECX: 00000000 EDX: d40958a0 +ESI: ef1865f8 EDI: ef1865f8 EBP: d4095878 ESP: d409585c + DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 +Call Trace: + [<f8da5e85>] rt2x00queue_write_tx_frame+0x155/0x300 [rt2x00lib] + [<f8da424c>] rt2x00mac_tx+0x7c/0x370 [rt2x00lib] + [<c04882b2>] ? mark_held_locks+0x62/0x90 + [<c081f645>] ? _raw_spin_unlock_irqrestore+0x35/0x60 + [<c04884ba>] ? trace_hardirqs_on_caller+0x5a/0x170 + [<c04885db>] ? trace_hardirqs_on+0xb/0x10 + [<f8d618ac>] __ieee80211_tx+0x5c/0x1e0 [mac80211] + [<f8d631fc>] ieee80211_tx+0xbc/0xe0 [mac80211] + [<f8d63163>] ? ieee80211_tx+0x23/0xe0 [mac80211] + [<f8d632e1>] ieee80211_xmit+0xc1/0x200 [mac80211] + [<f8d63220>] ? ieee80211_tx+0xe0/0xe0 [mac80211] + [<c0487d45>] ? lock_release_holdtime+0x35/0x1b0 + [<f8d63986>] ? ieee80211_subif_start_xmit+0x446/0x5f0 [mac80211] + [<f8d637dd>] ieee80211_subif_start_xmit+0x29d/0x5f0 [mac80211] + [<f8d63924>] ? ieee80211_subif_start_xmit+0x3e4/0x5f0 [mac80211] + [<c0760188>] ? sock_setsockopt+0x6a8/0x6f0 + [<c0760000>] ? sock_setsockopt+0x520/0x6f0 + [<c076daef>] dev_hard_start_xmit+0x2ef/0x650 + +Oops might happen because we perform parallel putting new entries in a +queue (rt2x00queue_write_tx_frame()) and removing entries after +finishing transmitting (rt2800usb_work_txdone()). There are cases when +_txdone may process an entry that was not fully send and nullify +entry->skb . + +To fix check in _txdone if entry has flags that indicate pending +transmission and wait until flags get cleared. + +Reported-by: Justin Piszcz <jpiszcz@lucidpixels.com> +Signed-off-by: Stanislaw Gruszka <sgruszka@redhat.com> +Acked-by: Ivo van Doorn <IvDoorn@gmail.com> +Signed-off-by: John W. Linville <linville@tuxdriver.com> +Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de> +--- + drivers/net/wireless/rt2x00/rt2800lib.c | 10 ++++++++++ + drivers/net/wireless/rt2x00/rt2800usb.c | 4 +++- + 2 files changed, 13 insertions(+), 1 deletion(-) + +--- a/drivers/net/wireless/rt2x00/rt2800lib.c ++++ b/drivers/net/wireless/rt2x00/rt2800lib.c +@@ -38,6 +38,7 @@ + #include <linux/kernel.h> + #include <linux/module.h> + #include <linux/slab.h> ++#include <linux/sched.h> + + #include "rt2x00.h" + #include "rt2800lib.h" +@@ -607,6 +608,15 @@ static bool rt2800_txdone_entry_check(st + int wcid, ack, pid; + int tx_wcid, tx_ack, tx_pid; + ++ if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) || ++ !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags)) { ++ WARNING(entry->queue->rt2x00dev, ++ "Data pending for entry %u in queue %u\n", ++ entry->entry_idx, entry->queue->qid); ++ cond_resched(); ++ return false; ++ } ++ + wcid = rt2x00_get_field32(reg, TX_STA_FIFO_WCID); + ack = rt2x00_get_field32(reg, TX_STA_FIFO_TX_ACK_REQUIRED); + pid = rt2x00_get_field32(reg, TX_STA_FIFO_PID_TYPE); +--- a/drivers/net/wireless/rt2x00/rt2800usb.c ++++ b/drivers/net/wireless/rt2x00/rt2800usb.c +@@ -477,8 +477,10 @@ static void rt2800usb_work_txdone(struct + while (!rt2x00queue_empty(queue)) { + entry = rt2x00queue_get_entry(queue, Q_INDEX_DONE); + +- if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags)) ++ if (test_bit(ENTRY_OWNER_DEVICE_DATA, &entry->flags) || ++ !test_bit(ENTRY_DATA_STATUS_PENDING, &entry->flags)) + break; ++ + if (test_bit(ENTRY_DATA_IO_FAILED, &entry->flags)) + rt2x00lib_txdone_noinfo(entry, TXDONE_FAILURE); + else if (rt2x00queue_status_timeout(entry)) diff --git a/queue-3.0/series b/queue-3.0/series index c4d87ebad0..f45ac717b9 100644 --- a/queue-3.0/series +++ b/queue-3.0/series @@ -33,3 +33,7 @@ ath9k_hw-fix-sta-ar9485-bringup-issue-due-to-incorrect-mac-address.patch rt2x00-do-not-drop-usb-dev-reference-counter-on-suspend.patch mac80211-fix-suspend-resume-races-with-unregister-hw.patch savagedb-fix-typo-causing-regression-in-savage4-series.patch +pata_via-disable-atapi-dma-on-averatec-3200.patch +atm-br2684-fix-oops-due-to-skb-dev-being-null.patch +rt2x00-fix-crash-in-rt2800usb_write_tx_desc.patch +rt2x00-fix-crash-in-rt2800usb_get_txwi.patch |