aboutsummaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2010-03-15Linux 2.6.33.1v2.6.33.1Greg Kroah-Hartman
2010-03-15x86, mm: Allow highmem user page tables to be disabled at boot timeIan Campbell
commit 14315592009c17035cac81f4954d5a1f4d71e489 upstream. Distros generally (I looked at Debian, RHEL5 and SLES11) seem to enable CONFIG_HIGHPTE for any x86 configuration which has highmem enabled. This means that the overhead applies even to machines which have a fairly modest amount of high memory and which therefore do not really benefit from allocating PTEs in high memory but still pay the price of the additional mapping operations. Running kernbench on a 4G box I found that with CONFIG_HIGHPTE=y but no actual highptes being allocated there was a reduction in system time used from 59.737s to 55.9s. With CONFIG_HIGHPTE=y and highmem PTEs being allocated: Average Optimal load -j 4 Run (std deviation): Elapsed Time 175.396 (0.238914) User Time 515.983 (5.85019) System Time 59.737 (1.26727) Percent CPU 263.8 (71.6796) Context Switches 39989.7 (4672.64) Sleeps 42617.7 (246.307) With CONFIG_HIGHPTE=y but with no highmem PTEs being allocated: Average Optimal load -j 4 Run (std deviation): Elapsed Time 174.278 (0.831968) User Time 515.659 (6.07012) System Time 55.9 (1.07799) Percent CPU 263.8 (71.266) Context Switches 39929.6 (4485.13) Sleeps 42583.7 (373.039) This patch allows the user to control the allocation of PTEs in highmem from the command line ("userpte=nohigh") but retains the status-quo as the default. It is possible that some simple heuristic could be developed which allows auto-tuning of this option however I don't have a sufficiently large machine available to me to perform any particularly meaningful experiments. We could probably handwave up an argument for a threshold at 16G of total RAM. Assuming 768M of lowmem we have 196608 potential lowmem PTE pages. Each page can map 2M of RAM in a PAE-enabled configuration, meaning a maximum of 384G of RAM could potentially be mapped using lowmem PTEs. Even allowing generous factor of 10 to account for other required lowmem allocations, generous slop to account for page sharing (which reduces the total amount of RAM mappable by a given number of PT pages) and other innacuracies in the estimations it would seem that even a 32G machine would not have a particularly pressing need for highmem PTEs. I think 32G could be considered to be at the upper bound of what might be sensible on a 32 bit machine (although I think in practice 64G is still supported). It's seems questionable if HIGHPTE is even a win for any amount of RAM you would sensibly run a 32 bit kernel on rather than going 64 bit. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> LKML-Reference: <1266403090-20162-1-git-send-email-ian.campbell@citrix.com> Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15sched: Don't use possibly stale sched_classThomas Gleixner
commit 83ab0aa0d5623d823444db82c3b3c34d7ec364ae upstream. setscheduler() saves task->sched_class outside of the rq->lock held region for a check after the setscheduler changes have become effective. That might result in checking a stale value. rtmutex_setprio() has the same problem, though it is protected by p->pi_lock against setscheduler(), but for correctness sake (and to avoid bad examples) it needs to be fixed as well. Retrieve task->sched_class inside of the rq->lock held region. Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Acked-by: Peter Zijlstra <peterz@infradead.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15sched: Fix SMT scheduler regression in find_busiest_queue()Suresh Siddha
commit 9000f05c6d1607f79c0deacf42b09693be673f4c upstream. Fix a SMT scheduler performance regression that is leading to a scenario where SMT threads in one core are completely idle while both the SMT threads in another core (on the same socket) are busy. This is caused by this commit (with the problematic code highlighted) commit bdb94aa5dbd8b55e75f5a50b61312fe589e2c2d1 Author: Peter Zijlstra <a.p.zijlstra@chello.nl> Date: Tue Sep 1 10:34:38 2009 +0200 sched: Try to deal with low capacity @@ -4203,15 +4223,18 @@ find_busiest_queue() ... for_each_cpu(i, sched_group_cpus(group)) { + unsigned long power = power_of(i); ... - wl = weighted_cpuload(i); + wl = weighted_cpuload(i) * SCHED_LOAD_SCALE; + wl /= power; - if (rq->nr_running == 1 && wl > imbalance) + if (capacity && rq->nr_running == 1 && wl > imbalance) continue; On a SMT system, power of the HT logical cpu will be 589 and the scheduler load imbalance (for scenarios like the one mentioned above) can be approximately 1024 (SCHED_LOAD_SCALE). The above change of scaling the weighted load with the power will result in "wl > imbalance" and ultimately resulting in find_busiest_queue() return NULL, causing load_balance() to think that the load is well balanced. But infact one of the tasks can be moved to the idle core for optimal performance. We don't need to use the weighted load (wl) scaled by the cpu power to compare with imabalance. In that condition, we already know there is only a single task "rq->nr_running == 1" and the comparison between imbalance, wl is to make sure that we select the correct priority thread which matches imbalance. So we really need to compare the imabalnce with the original weighted load of the cpu and not the scaled load. But in other conditions where we want the most hammered(busiest) cpu, we can use scaled load to ensure that we consider the cpu power in addition to the actual load on that cpu, so that we can move the load away from the guy that is getting most hammered with respect to the actual capacity, as compared with the rest of the cpu's in that busiest group. Fix it. Reported-by: Ma Ling <ling.ma@intel.com> Initial-Analysis-by: Zhang, Yanmin <yanmin_zhang@linux.intel.com> Signed-off-by: Suresh Siddha <suresh.b.siddha@intel.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> LKML-Reference: <1266023662.2808.118.camel@sbs-t61.sc.intel.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15sched: Fix sched_mv_power_savings for !SMTVaidyanathan Srinivasan
commit 28f5318167adf23b16c844b9c2253f355cb21796 upstream. Fix for sched_mc_powersavigs for pre-Nehalem platforms. Child sched domain should clear SD_PREFER_SIBLING if parent will have SD_POWERSAVINGS_BALANCE because they are contradicting. Sets the flags correctly based on sched_mc_power_savings. Signed-off-by: Vaidyanathan Srinivasan <svaidy@linux.vnet.ibm.com> Signed-off-by: Peter Zijlstra <a.p.zijlstra@chello.nl> LKML-Reference: <20100208100555.GD2931@dirshya.in.ibm.com> Signed-off-by: Thomas Gleixner <tglx@linutronix.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15KVM: x86 emulator: Check CPL level during privilege instruction emulationGleb Natapov
commit e92805ac1228626c59c865f2f4e9059b9fb8c97b upstream. Add CPL checking in case emulator is tricked into emulating privilege instruction from userspace. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15KVM: x86 emulator: Add group9 instruction decodingGleb Natapov
commit 60a29d4ea4e7b6b95d9391ebc8625b0426f3a363 upstream. Use groups mechanism to decode 0F C7 instructions. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15KVM: x86 emulator: Forbid modifying CS segment register by mov instructionGleb Natapov
commit 8b9f44140bc4afd2698413cd9960c3912168ee91 upstream. Inject #UD if guest attempts to do so. This is in accordance to Intel SDM. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15KVM: x86 emulator: Add group8 instruction decodingGleb Natapov
commit 2db2c2eb6226e30f8059b82512a1364db98da8e3 upstream. Use groups mechanism to decode 0F BA instructions. Signed-off-by: Gleb Natapov <gleb@redhat.com> Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15KVM: VMX: Trap and invalid MWAIT/MONITOR instructionSheng Yang
commit 59708670b639bff00f92e519df1ae14da240e919 upstream. We don't support these instructions, but guest can execute them even if the feature('monitor') haven't been exposed in CPUID. So we would trap and inject a #UD if guest try this way. Signed-off-by: Sheng Yang <sheng@linux.intel.com> Signed-off-by: Avi Kivity <avi@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15dm ioctl: only issue uevent on resume if state changedMike Snitzer
commit 0f3649a9e305ea22eb196a84a2d7520afcaa6060 upstream. Only issue a uevent on a resume if the state of the device changed, i.e. if it was suspended and/or its table was replaced. Signed-off-by: Dave Wysochanski <dwysocha@redhat.com> Signed-off-by: Mike Snitzer <snitzer@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15dm: free dm_io before bio_endio not afterMikulas Patocka
commit a97f925a32aad2a37971d7bfb657006acf04e42d upstream. Free the dm_io structure before calling bio_endio() instead of after it, to ensure that the io_pool containing it is not referenced after it is freed. This partially fixes a problem described here https://www.redhat.com/archives/dm-devel/2010-February/msg00109.html thread 1: bio_endio(bio, io_error); /* scheduling happens */ thread 2: close the device remove the device thread 1: free_io(md, io); Thread 2, when removing the device, sees non-empty md->io_pool (because the io hasn't been freed by thread 1 yet) and may crash with BUG in mempool_free. Thread 1 may also crash, when freeing into a nonexisting mempool. To fix this we must make sure that bio_endio() is the last call and the md structure is not accessed afterwards. There is another bio_endio in process_barrier, but it is called from the thread and the thread is destroyed prior to freeing the mempools, so this call is not affected by the bug. A similar bug exists with module unloads - the module may be unloaded immediately after bio_endio - but that is more difficult to fix. Signed-off-by: Mikulas Patocka <mpatocka@redhat.com> Signed-off-by: Alasdair G Kergon <agk@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15NFS: Fix an allocation-under-spinlock bugTrond Myklebust
commit ebed9203b68a4f333ce5d17e874b26c3afcfeff1 upstream. sunrpc_cache_update() will always call detail->update() from inside the detail->hash_lock, so it cannot allocate memory. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15rtc-coh901331: fix braces in resume codeJames Hogan
commit 5a98c04d78c896d52baef20ffc11f6d1ba6eb786 upstream. The else part of the if statement is indented but does not have braces around it. It clearly should since it uses clk_enable and clk_disable which are supposed to balance. Signed-off-by: James Hogan <james@albanarts.com> Acked-by: Linus Walleij <linus.walleij@stericsson.com> Acked-by: Alessandro Zummo <a.zummo@towertech.it> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15scripts/get_maintainer.pl: fix possible infinite loopJoe Perches
commit 3c840c18bcd8efb37f1a565e83a9509e1ea5d105 upstream. If MAINTAINERS section entries are misformatted, it was possible to have an infinite loop. Correct the defect by always moving the index to the end of section + 1 Also, exit check for exclude as soon as possible. Signed-off-by: Joe Perches <joe@perches.com> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15s3cmci: initialize default platform data no_wprotect and no_detect with 1Lars-Peter Clausen
commit c212808a1ba6bfba489006399b8152a047305acf upstream. If no platform_data was givin to the device it's going to use it's default platform data struct which has all fields initialized to zero. As a result the driver is going to try to request gpio0 both as write protect and card detect pin. Which of course will fail and makes the driver unusable Previously to the introduction of no_wprotect and no_detect the behavior was to assume that if no platform data was given there is no write protect or card detect pin. This patch restores that behavior. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Cc: Ben Dooks <ben-linux@fluff.org> Cc: <linux-mmc@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15s3cmci: s3cmci_card_present: Use no_detect to decide whether there is a card ↵Lars-Peter Clausen
detect pin commit dc2ed552804f3a2ae41c0ffe4bc09879ec8f7396 upstream. Signed-off-by: Lars-Peter Clausen <lars@metafoo.de> Cc: Ben Dooks <ben-linux@fluff.org> Cc: <linux-mmc@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15SUNRPC: Handle EINVAL error returns from the TCP connect operationTrond Myklebust
commit 9fcfe0c83c3b04a759cde6b8c5f961237f17808b upstream. This can, for instance, happen if the user specifies a link local IPv6 address. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15sunrpc: remove unnecessary svc_xprt_putNeil Brown
commit ab1b18f70a007ea6caeb007d269abb75b131a410 upstream. The 'struct svc_deferred_req's on the xpt_deferred queue do not own a reference to the owning xprt. This is seen in svc_revisit which is where things are added to this queue. dr->xprt is set to NULL and the reference to the xprt it put. So when this list is cleaned up in svc_delete_xprt, we mustn't put the reference. Also, replace the 'for' with a 'while' which is arguably simpler and more likely to compile efficiently. Cc: Tom Tucker <tom@opengridcomputing.com> Signed-off-by: NeilBrown <neilb@suse.de> Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15drm/radeon/kms/atom: fix shr/shl opsAlex Deucher
commit 6a8a2d702b33c6ed5c789f21b4e89fdf221f01ca upstream. The whole attribute table is valid for shr/shl ops. Fixes fdo bug 26668 Signed-off-by: Alex Deucher <alexdeucher@gmail.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15drm/ttm: handle OOM in ttm_tt_swapoutMaarten Maathuis
commit 290e55056ec3d25c72088628245d8cae037b30db upstream. - Without this change I get a general protection fault. - Also use PTR_ERR where applicable. Signed-off-by: Maarten Maathuis <madman2003@gmail.com> Reviewed-by: Dave Airlie <airlied@redhat.com> Acked-by: Thomas Hellstrom <thellstrom@vmware.com> Signed-off-by: Dave Airlie <airlied@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15drm/i915: Use a dmi quirk to skip a broken SDVO TV output.Zhao Yakui
commit 6070a4a928f8c92b9fae7d6717ebbb05f425d6b2 upstream. This IBM system has a multi-function SDVO card that reports both VGA and TV, but the system has no TV connector. The TV connector always reported as connected, which would lead to poor modesetting choices. https://bugs.freedesktop.org/show_bug.cgi?id=25787 Signed-off-by: Zhao Yakui <yakui.zhao@intel.com> Tested-by: Vance <liangghv@sg.ibm.com> Signed-off-by: Eric Anholt <eric@anholt.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: unusual_devs: Add support for multiple Option 3G sticksJan Dumon
commit 46216e4fbe8c62059b5440dec0b236f386248a41 upstream. Enable the SD-Card interface on multiple Option 3G sticks. The unusual_devs.h entry is necessary because the device descriptor is vendor-specific. That prevents usb-storage from binding to it as an interface driver. Signed-off-by: Jan Dumon <j.dumon@option.com> Signed-off-by: Phil Dibowitz <phil@ipom.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: cp210x: Add 81E8 (Zephyr Bioharness)Alan Cox
commit bd07c551aae5d2200c7b195142e5ba63f26424da upstream. As reported in http://bugzilla.kernel.org/show_bug.cgi?id=10980 Signed-off-by: Alan Cox <alan@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: serial: ftdi: add CONTEC vendor and product idDaniel Sangorrin
commit 46b72d78cb022714c89a9ebc00b9581b550cfca7 upstream. This is a patch to ftdi_sio_ids.h and ftdi_sio.c that adds identifiers for CONTEC USB serial converter. I tested it with the device COM-1(USB)H Signed-off-by: Daniel Sangorrin <daniel.sangorrin@gmail.com> Cc: Andreas Mohr <andi@lisas.de> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: add new ftdi_sio device idsMitchell Solomon
commit 9714080d20f2ec4b671a06ce69367d91fa9e227e upstream. PID patch for my products Signed-off-by: Mitchell Solomon <mitchjs@rush2112.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: f_mass_storage: fix crash on bind() errorPeter Korsgaard
commit 8e7e61dfbf1ec6418bf89505980b158a8d00d877 upstream. init_completion() hasn't been called yet and the thread isn't created if we end up here, so don't call complete() on thread_notifier. Signed-off-by: Peter Korsgaard <jacmet@sunsite.dk> Acked-by: Michal Nazarewicz <m.nazarewicz@samsung.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: Move hcd free_dev call into usb_disconnect to fix oopsHerbert Xu
commit f7410ced7f931bb1ad79d1336412cf7b7a33cb14 upstream. USB: Move hcd free_dev call into usb_disconnect I found a way to oops the kernel: 1. Open a USB device through devio. 2. Remove the hcd module in the host kernel. 3. Close the devio file descriptor. The problem is that closing the file descriptor does usb_release_dev as it is the last reference. usb_release_dev then tries to invoke the hcd free_dev function (or rather dereferencing the hcd driver struct). This causes an oops as the hcd driver has already been unloaded so the struct is gone. This patch tries to fix this by bringing the free_dev call earlier and into usb_disconnect. I have verified that repeating the above steps no longer crashes with this patch applied. Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: remove debugging message for uevent constructionsAlan Stern
commit cceffe9348f93188d7811bda95924d4bd3040d0f upstream. This patch (as1332) removes an unneeded and annoying debugging message announcing all USB uevent constructions. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: fix crash in uhci_scan_schedulePete Zaitcev
commit d23356da714595b888686d22cd19061323c09190 upstream. When hardware is removed on a Stratus, the system may crash like this: ACPI: PCI interrupt for device 0000:7c:00.1 disabled Trying to free nonexistent resource <00000000a8000000-00000000afffffff> Trying to free nonexistent resource <00000000a4800000-00000000a480ffff> uhci_hcd 0000:7e:1d.0: remove, state 1 usb usb2: USB disconnect, address 1 usb 2-1: USB disconnect, address 2 Unable to handle kernel paging request at 0000000000100100 RIP: [<ffffffff88021950>] :uhci_hcd:uhci_scan_schedule+0xa2/0x89c #4 [ffff81011de17e50] uhci_scan_schedule at ffffffff88021918 #5 [ffff81011de17ed0] uhci_irq at ffffffff88023cb8 #6 [ffff81011de17f10] usb_hcd_irq at ffffffff801f1c1f #7 [ffff81011de17f20] handle_IRQ_event at ffffffff8001123b #8 [ffff81011de17f50] __do_IRQ at ffffffff800ba749 This occurs because an interrupt scans uhci->skelqh, which is being freed. We do the right thing: disable the interrupts in the device, and do not do any processing if the interrupt is shared with other source, but it's possible that another CPU gets delayed somewhere (e.g. loops) until we started freeing. The agreed-upon solution is to wait for interrupts to play out before proceeding. No other bareers are neceesary. A backport of this patch was tested on a 2.6.18 based kernel. Testing of 2.6.32-based kernels is under way, but it takes us forever (months) to turn this around. So I think it's a good patch and we should keep it. Tracked in RH bz#516851 Signed-Off-By: Pete Zaitcev <zaitcev@redhat.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: fix the idProduct value for USB-3.0 root hubsAlan Stern
commit cd780694920fbf869b23c8afb0bd083e7b0448c7 upstream. This patch (as1346) changes the idProduct value for USB-3.0 root hubs from 0x0002 (which we already use for USB-2.0 root hubs) to 0x0003. Signed-off-by: Alan Stern <stern@rowland.harvard.edu> Acked-by: Sarah Sharp <sarah.a.sharp@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15USB: xhci: Fix finding extended capabilities registersEdward Shao
commit 05197921ff3dad52d99fd1647974c57d9c28d40e upstream. According "5.3.6 Capability Parameters (HCCPARAMS)" of xHCI rev0.96 spec, value of xECP register indicates a relative offset, in 32-bit words, from Base to the beginning of the first extended capability. The wrong calculation will cause BIOS handoff fail (not handoff from BIOS) in some platform with BIOS USB legacy sup support. Signed-off-by: Edward Shao <laface.tw@gmail.com> Cc: Sarah Sharp <sarah.a.sharp@linux.intel.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15x86: Fix SCI on IOAPIC != 0Yinghai Lu
commit 18dce6ba5c8c6bd0f3ab4efa4cbdd698dab5c40a upstream. Thomas Renninger <trenn@suse.de> reported on IBM x3330 booting a latest kernel on this machine results in: PCI: PCI BIOS revision 2.10 entry at 0xfd61c, last bus=1 PCI: Using configuration type 1 for base access bio: create slab <bio-0> at 0 ACPI: SCI (IRQ30) allocation failed ACPI Exception: AE_NOT_ACQUIRED, Unable to install System Control Interrupt handler (20090903/evevent-161) ACPI: Unable to start the ACPI Interpreter Later all kind of devices fail... and bisect it down to this commit: commit b9c61b70075c87a8612624736faf4a2de5b1ed30 x86/pci: update pirq_enable_irq() to setup io apic routing it turns out we need to set irq routing for the sci on ioapic1 early. -v2: make it work without sparseirq too. -v3: fix checkpatch.pl warning, and cc to stable Reported-by: Thomas Renninger <trenn@suse.de> Bisected-by: Thomas Renninger <trenn@suse.de> Tested-by: Thomas Renninger <trenn@suse.de> Signed-off-by: Yinghai Lu <yinghai@kernel.org> LKML-Reference: <1265793639-15071-2-git-send-email-yinghai@kernel.org> Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15x86: Avoid race condition in pci_enable_msix()Brandon Phiilps
commit ced5b697a76d325e7a7ac7d382dbbb632c765093 upstream. Keep chip_data in create_irq_nr and destroy_irq. When two drivers are setting up MSI-X at the same time via pci_enable_msix() there is a race. See this dmesg excerpt: [ 85.170610] ixgbe 0000:02:00.1: irq 97 for MSI/MSI-X [ 85.170611] alloc irq_desc for 99 on node -1 [ 85.170613] igb 0000:08:00.1: irq 98 for MSI/MSI-X [ 85.170614] alloc kstat_irqs on node -1 [ 85.170616] alloc irq_2_iommu on node -1 [ 85.170617] alloc irq_desc for 100 on node -1 [ 85.170619] alloc kstat_irqs on node -1 [ 85.170621] alloc irq_2_iommu on node -1 [ 85.170625] ixgbe 0000:02:00.1: irq 99 for MSI/MSI-X [ 85.170626] alloc irq_desc for 101 on node -1 [ 85.170628] igb 0000:08:00.1: irq 100 for MSI/MSI-X [ 85.170630] alloc kstat_irqs on node -1 [ 85.170631] alloc irq_2_iommu on node -1 [ 85.170635] alloc irq_desc for 102 on node -1 [ 85.170636] alloc kstat_irqs on node -1 [ 85.170639] alloc irq_2_iommu on node -1 [ 85.170646] BUG: unable to handle kernel NULL pointer dereference at 0000000000000088 As you can see igb and ixgbe are both alternating on create_irq_nr() via pci_enable_msix() in their probe function. ixgbe: While looping through irq_desc_ptrs[] via create_irq_nr() ixgbe choses irq_desc_ptrs[102] and exits the loop, drops vector_lock and calls dynamic_irq_init. Then it sets irq_desc_ptrs[102]->chip_data = NULL via dynamic_irq_init(). igb: Grabs the vector_lock now and starts looping over irq_desc_ptrs[] via create_irq_nr(). It gets to irq_desc_ptrs[102] and does this: cfg_new = irq_desc_ptrs[102]->chip_data; if (cfg_new->vector != 0) continue; This hits the NULL deref. Another possible race exists via pci_disable_msix() in a driver or in the number of error paths that call free_msi_irqs(): destroy_irq() dynamic_irq_cleanup() which sets desc->chip_data = NULL ...race window... desc->chip_data = cfg; Remove the save and restore code for cfg in create_irq_nr() and destroy_irq() and take the desc->lock when checking the irq_cfg. Reported-and-analyzed-by: Brandon Philips <bphilips@suse.de> Signed-off-by: Yinghai Lu <yinghai@kernel.org> LKML-Reference: <1265793639-15071-3-git-send-email-yinghai@kernel.org> Signed-off-by: Brandon Phililps <bphilips@suse.de> Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15x86, xen: Disable highmem PTE allocation even when CONFIG_HIGHPTE=yIan Campbell
commit 817a824b75b1475f1b067c8cee318c7b4d66fcde upstream. There's a path in the pagefault code where the kernel deliberately breaks its own locking rules by kmapping a high pte page without holding the pagetable lock (in at least page_check_address). This breaks Xen's ability to track the pinned/unpinned state of the page. There does not appear to be a viable workaround for this behaviour so simply disable HIGHPTE for all Xen guests. Signed-off-by: Ian Campbell <ian.campbell@citrix.com> LKML-Reference: <1267204562-11844-1-git-send-email-ian.campbell@citrix.com> Cc: Jeremy Fitzhardinge <jeremy@goop.org> Cc: Ingo Molnar <mingo@elte.hu> Cc: Pasi Kärkkäinen <pasik@iki.fi> Cc: <xen-devel@lists.xensource.com> Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15x86: Add iMac9,1 to pci_reboot_dmi_tableJustin P. Mattock
commit 0a832320f1bae6a4169bf683e201378f2437cfc1 upstream. On the iMac9,1 /sbin/reboot results in a black mangled screen. Adding this DMI entry gets the machine to reboot cleanly as it should. Signed-off-by: Justin P. Mattock <justinmattock@gmail.com> LKML-Reference: <1266362249-3337-1-git-send-email-justinmattock@gmail.com> Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Ingo Molnar <mingo@elte.hu> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15x86, ia32_aout: do not kill argument mappingJiri Slaby
commit 318f6b228ba88a394ef560efc1bfe028ad5ae6b6 upstream. Do not set current->mm->mmap to NULL in 32-bit emulation on 64-bit load_aout_binary after flush_old_exec as it would destroy already set brpm mapping with arguments. Introduced by b6a2fea39318e43fee84fa7b0b90d68bed92d2ba mm: variable length argument support where the argument mapping in bprm was added. [ hpa: this is a regression from 2.6.22... time to kill a.out? ] Signed-off-by: Jiri Slaby <jslaby@suse.cz> LKML-Reference: <1265831716-7668-1-git-send-email-jslaby@suse.cz> Cc: Ingo Molnar <mingo@elte.hu> Cc: Thomas Gleixner <tglx@linutronix.de> Cc: Ollie Wild <aaw@google.com> Cc: x86@kernel.org Signed-off-by: H. Peter Anvin <hpa@zytor.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15ocfs2: Only bug out in direct io write for reflinked extent.Tao Ma
commit cbaee472f274ea9a98aabe47025f6e5551acadcb upstream. In ocfs2_direct_IO_get_blocks, we only need to bug out in case of we are going to write a recounted extent rec. What a silly bug introduced by me! Signed-off-by: Tao Ma <tao.ma@oracle.com> Signed-off-by: Joel Becker <joel.becker@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: lock down video output state accessHenrique de Moraes Holschuh
commit b525c06cdbd8a3963f0173ccd23f9147d4c384b5 upstream. Given the right combination of ThinkPad and X.org, just reading the video output control state is enough to hard-crash X.org. Until the day I somehow find out a model or BIOS cut date to not provide this feature to ThinkPads that can do video switching through X RandR, change permissions so that only processes with CAP_SYS_ADMIN can access any sort of video output control state. This bug could be considered a local DoS I suppose, as it allows any non-privledged local user to cause some versions of X.org to hard-crash some ThinkPads. Reported-by: Jidanni <jidanni@jidanni.org> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: fix bluetooth/wwan resumeHenrique de Moraes Holschuh
commit 08fedfc903c78e380b0baa7b57c52d367794d0a5 upstream. Studying the DSDTs of various thinkpads, it looks like bit 3 of the argument to SBDC and SWAN is not "set radio to last state on resume". Rather, it seems to be "if this bit is set, enable radio on resume, otherwise disable it on resume". So, the proper way to prepare the radios for S3 suspend is: disable radio and clear bit 3 on the SBDC/SWAN call to to resume with radio disabled, and enable radio and set bit 3 on the SBDC/SWAN call to resume with the radio enabled. Also, for persistent devices, the rfkill core does not restore state, so we really need to get the firmware to do the right thing. We don't sync the radio state on suspend, instead we trust the BIOS to not do anything weird if we never touched the radio state since boot. Time will tell if that's a wise way of doing things... Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: make driver events work in NVRAM poll modeHenrique de Moraes Holschuh
commit 7f0cf712a74fcc3ad21f0bde95bd32c2f2cc3888 upstream. Thadeu Lima de Souza Cascardo reports this: Brightness notification does not work until the user writes to hotkey_mask attribute. That's because the polling thread will only run if hotkey_user_mask is set and someone is reading the input device or if hotkey_driver_mask is set. In this second case, this condition is not tested after the mask is changed, because the brightness and volume drivers are started after the hotkey drivers. Fix tpacpi_hotkey_driver_mask_set() to call hotkey_poll_setup(), so that the poller kthread will be started when needed. Reported-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com> Tested-by: Thadeu Lima de Souza Cascardo <cascardo@holoscopio.com> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Cc: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: document HKEY event 3006Henrique de Moraes Holschuh
commit bf8b29c8f7f8269e99eca8b19048ed5b34b51810 upstream. Event 0x3006 is used to help power management of the ODD in the UltraBay. The EC generates this event when the ODD eject button is pressed (even if the bay is powered down). Normally, Linux doesn't need this as we keep the SATA link powered up (which wastes power). The EC powers up the bay by itself when the ODD eject button is pressed, and the SATA PHY reports the hotplug. However, we could also power that SATA link down (and for that matter, also power down the Ultrabay) if the ODD is left idle for a while with no disk inside, and use event 0x3006 to know when we need that SATA link powered back up. For now, just stop asking for more information when event 0x3006 is seen, there is no point in pestering users about it anymore. Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: R52 brightness_mode has been confirmedHenrique de Moraes Holschuh
commit 7d1894d8d1c411d2dad95abfe0f65bacf68c4afa upstream. We can stop pestering users for confirmation of the brightness_mode default for firmware TP-76. While at it, add a few missing comments in that quirk table. Reported-by: Whoopie <whoopie79@gmx.net> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15thinkpad-acpi: fix poll thread auto-startHenrique de Moraes Holschuh
commit b589ea4c44170d3f7a845684e2d1b3b9571663af upstream. The driver was not starting the NVRAM polling thread if the input device was bound immediately after registration. This fixes: http://bugzilla.kernel.org/show_bug.cgi?id=15118 Reported-by: Florian Zumbiehl <florz@florz.de> Signed-off-by: Henrique de Moraes Holschuh <hmh@hmh.eng.br> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15eeepc-laptop: disable wireless hotplug for 1005PEAlan Jenkins
commit ced69c59811f05b2f8378467cbb82ac6ed3c6a5a upstream. The wireless hotplug code is not needed on this model, and it disables the wired ethernet card. (Like on the 1005HA and 1201N). References: <http://lists.alioth.debian.org/pipermail/debian-eeepc-devel/2010-February/003281.html> Signed-off-by: Alan Jenkins <alan-jenkins@tuffmail.co.uk> Reported-by: Ansgar Burchardt <ansgar@43-1.org> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15mac80211: do not transmit frames on unconfigured 4-addr vlan interfacesFelix Fietkau
commit 3f0e0b220f80075ce15483b20458192c0ac27426 upstream. If frames are transmitted on 4-addr ap vlan interfaces with no station, they end up being transmitted unencrypted, even if the ap interface uses WPA. This patch add some sanity checking to make sure that this does not happen. Signed-off-by: Felix Fietkau <nbd@openwrt.org> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15sunxvr500: Additional PCI id for sunxvr500 driverBen Hutchings
commit 275143e9b237dd7e0b6d01660fd9b8acd9922fa7 upstream. Intergraph bought 3D Labs and some XVR-500 chips have Intergraph's vendor id. Reported-by: Jurij Smakov <jurij@wooyd.org> Signed-off-by: Ben Hutchings <ben@decadent.org.uk> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15netfilter: xt_recent: fix false matchTim Gardner
commit 8ccb92ad41cb311e52ad1b1fe77992c7f47a3b63 upstream. A rule with a zero hit_count will always match. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15netfilter: xt_recent: fix buffer overflowTim Gardner
commit 2c08522e5d2f0af2d6f05be558946dcbf8173683 upstream. e->index overflows e->stamps[] every ip_pkt_list_tot packets. Consider the case when ip_pkt_list_tot==1; the first packet received is stored in e->stamps[0] and e->index is initialized to 1. The next received packet timestamp is then stored at e->stamps[1] in recent_entry_update(), a buffer overflow because the maximum e->stamps[] index is 0. Signed-off-by: Tim Gardner <tim.gardner@canonical.com> Signed-off-by: Patrick McHardy <kaber@trash.net> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>
2010-03-15b43/b43legacy: Wake queues in wireless_core_startLarry Finger
commit 0866b03c7d7dee8a34ffa527ecda426c0f405518 upstream. If b43 or b43legacy are deauthenticated or disconnected, there is a possibility that a reconnection is tried with the queues stopped in mac80211. To prevent this, start the queues before setting STAT_INITIALIZED. In b43, a similar change has been in place (twice) in the wireless_core_init() routine. Remove the duplicate and add similar code to b43legacy. Signed-off-by: Larry Finger <Larry.Finger@lwfinger.net> Signed-off-by: John W. Linville <linville@tuxdriver.com> Signed-off-by: Greg Kroah-Hartman <gregkh@suse.de>