8 years agomm: thp: set the accessed flag for old pages on access fault pandora-3.2-hugetlb
Will Deacon [Wed, 12 Dec 2012 00:01:27 +0000 (16:01 -0800)]
mm: thp: set the accessed flag for old pages on access fault

On x86 memory accesses to pages without the ACCESSED flag set result in
the ACCESSED flag being set automatically.  With the ARM architecture a
page access fault is raised instead (and it will continue to be raised
until the ACCESSED flag is set for the appropriate PTE/PMD).

For normal memory pages, handle_pte_fault will call pte_mkyoung
(effectively setting the ACCESSED flag).  For transparent huge pages,
pmd_mkyoung will only be called for a write fault.

This patch ensures that faults on transparent hugepages which do not
result in a CoW update the access flags for the faulting pmd.

Signed-off-by: Will Deacon <>
Cc: Chris Metcalf <>
Acked-by: Kirill A. Shutemov <>
Cc: Andrea Arcangeli <>
Acked-by: Johannes Weiner <>
Cc: Ni zhan Chen <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>


8 years agomm: thp: fix the update_mmu_cache() last argument passing in mm/huge_memory.c
Catalin Marinas [Mon, 8 Oct 2012 23:33:01 +0000 (16:33 -0700)]
mm: thp: fix the update_mmu_cache() last argument passing in mm/huge_memory.c

The update_mmu_cache() takes a pointer (to pte_t by default) as the last
argument but the huge_memory.c passes a pmd_t value.  The patch changes
the argument to the pmd_t * pointer.

Signed-off-by: Catalin Marinas <>
Signed-off-by: Steve Capper <>
Signed-off-by: Will Deacon <>
Cc: Arnd Bergmann <>
Reviewed-by: Kirill A. Shutemov <>
Cc: Michal Hocko <>
Cc: Gerald Schaefer <>
Reviewed-by: Andrea Arcangeli <>
Cc: Chris Metcalf <>
Cc: Ralf Baechle <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>


8 years agomm: hugetlb: add arch hook for clearing page flags before entering pool
Will Deacon [Mon, 8 Oct 2012 23:29:32 +0000 (16:29 -0700)]
mm: hugetlb: add arch hook for clearing page flags before entering pool

The core page allocator ensures that page flags are zeroed when freeing
pages via free_pages_check.  A number of architectures (ARM, PPC, MIPS)
rely on this property to treat new pages as dirty with respect to the data
cache and perform the appropriate flushing before mapping the pages into

This can lead to cache synchronisation problems when using hugepages,
since the allocator keeps its own pool of pages above the usual page
allocator and does not reset the page flags when freeing a page into the

This patch adds a new architecture hook, arch_clear_hugepage_flags, so
that architectures which rely on the page flags being in a particular
state for fresh allocations can adjust the flags accordingly when a page
is freed into the pool.

Signed-off-by: Will Deacon <>
Cc: Michal Hocko <>
Reviewed-by: Michal Hocko <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>


8 years agothp, x86: introduce HAVE_ARCH_TRANSPARENT_HUGEPAGE
Gerald Schaefer [Mon, 8 Oct 2012 23:30:04 +0000 (16:30 -0700)]

Cleanup patch in preparation for transparent hugepage support on s390.
Adding new architectures to the TRANSPARENT_HUGEPAGE config option can
make the "depends" line rather ugly, like "depends on (X86 || (S390 &&
64BIT)) && MMU".

This patch adds a HAVE_ARCH_TRANSPARENT_HUGEPAGE instead.  x86 already has
MMU "def_bool y", so the MMU check is superfluous there and
HAVE_ARCH_TRANSPARENT_HUGEPAGE can be selected in arch/x86/Kconfig.

Signed-off-by: Gerald Schaefer <>
Cc: Ingo Molnar <>
Cc: Thomas Gleixner <>
Cc: "H. Peter Anvin" <>
Cc: Andrea Arcangeli <>
Cc: Andi Kleen <>
Cc: Hugh Dickins <>
Cc: Hillf Danton <>
Cc: Martin Schwidefsky <>
Cc: Heiko Carstens <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>


8 years agoARM: mm: Transparent huge page support for non-LPAE systems.
Steve Capper [Fri, 8 Feb 2013 15:01:23 +0000 (17:01 +0200)]
ARM: mm: Transparent huge page support for non-LPAE systems.

Much of the required code for THP has been implemented in the
earlier non-LPAE HugeTLB patch.

One more domain bit is used (to store whether or not the THP is

Some THP helper functions are defined; and we have to re-define
pmd_page such that it distinguishes between page tables and

Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: Transparent huge page support for LPAE systems.
Catalin Marinas [Fri, 8 Feb 2013 15:01:22 +0000 (17:01 +0200)]
ARM: mm: Transparent huge page support for LPAE systems.

The patch adds support for THP (transparent huge pages) to LPAE
systems. When this feature is enabled, the kernel tries to map
anonymous pages as 2MB sections where possible.

Signed-off-by: Catalin Marinas <>
[ symbolic constants used, value of PMD_SECT_SPLITTING
adjusted, tlbflush.h included in pgtable.h]
Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: HugeTLB support for non-LPAE systems.
Steve Capper [Fri, 8 Feb 2013 15:01:21 +0000 (17:01 +0200)]
ARM: mm: HugeTLB support for non-LPAE systems.

Based on Bill Carson's HugeTLB patch, with the big difference being
in the way PTEs are passed back to the memory manager. Rather than
store a "Linux Huge PTE" separately; we make one up on the fly in
huge_ptep_get. Also rather than consider 16M supersections, we focus
solely on 2x1M sections.

To construct a huge PTE on the fly we need additional information
(such as the accessed flag and dirty bit) which we choose to store
in the domain bits of the short section descriptor. In order to use
these domain bits for storage, we need to make ourselves a client
for all 16 domains and this is done in head.S.

Storing extra information in the domain bits also makes it a lot
easier to implement Transparent Huge Pages, and some of the code in
pgtable-2level.h is arranged to facilitate THP support in a later

Non-LPAE HugeTLB pages are incompatible with the huge page migration
code (enabled when CONFIG_MEMORY_FAILURE is selected) as that code
dereferences PTEs directly, rather than calling huge_ptep_get and

Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: HugeTLB support for LPAE systems.
Catalin Marinas [Fri, 8 Feb 2013 15:01:20 +0000 (17:01 +0200)]
ARM: mm: HugeTLB support for LPAE systems.

This patch adds support for hugetlbfs based on the x86 implementation.
It allows mapping of 2MB sections (see Documentation/vm/hugetlbpage.txt
for usage). The 64K pages configuration is not supported (section size
is 512MB in this case).

Signed-off-by: Catalin Marinas <>
[ symbolic constants replace numbers in places.
Split up into multiple files, to simplify future non-LPAE support,
removed huge_pmd_share code, as this is very rarely executed].
Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: Add support for flushing HugeTLB pages.
Steve Capper [Fri, 8 Feb 2013 15:01:19 +0000 (17:01 +0200)]
ARM: mm: Add support for flushing HugeTLB pages.

On ARM we use the __flush_dcache_page function to flush the dcache
of pages when needed; usually when the PG_dcache_clean bit is unset
and we are setting a PTE.

A HugeTLB page is represented as a compound page consisting of an
array of pages. Thus to flush the dcache of a HugeTLB page, one must
flush more than a single page.

This patch modifies __flush_dcache_page such that all constituent
pages of a HugeTLB page are flushed.

Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: correct pte_same behaviour for LPAE.
Steve Capper [Fri, 8 Feb 2013 15:01:18 +0000 (17:01 +0200)]
ARM: mm: correct pte_same behaviour for LPAE.

For 3 levels of paging the PTE_EXT_NG bit will be set for user
address ptes that are written to a page table but not for ptes
created with mk_pte.

This can cause some comparison tests made by pte_same to fail
spuriously and lead to other problems.

To correct this behaviour, we mask off PTE_EXT_NG for any pte that
is present before running the comparison.

Signed-off-by: Will Deacon <>
Signed-off-by: Steve Capper <>
8 years agoARM: mm: introduce L_PTE_VALID for page table entries
Will Deacon [Thu, 19 Jul 2012 10:51:05 +0000 (11:51 +0100)]
ARM: mm: introduce L_PTE_VALID for page table entries

For long-descriptor translation table formats, the ARMv7 architecture
defines the last two bits of the second- and third-level descriptors to

x0b - Invalid
01b - Block (second-level), Reserved (third-level)
11b - Table (second-level), Page (third-level)

This allows us to define L_PTE_PRESENT as (3 << 0) and use this value to
create ptes directly. However, when determining whether a given pte
value is present in the low-level page table accessors, we only need to
check the least significant bit of the descriptor, allowing us to write
faulting, present entries which are required for PROT_NONE mappings.

This patch introduces L_PTE_VALID, which can be used to test whether a
pte should fault, and updates the low-level page table accessors

Signed-off-by: Will Deacon <>
8 years agomm: thp: fix the pmd_clear() arguments in pmdp_get_and_clear()
Catalin Marinas [Mon, 8 Oct 2012 23:32:59 +0000 (16:32 -0700)]
mm: thp: fix the pmd_clear() arguments in pmdp_get_and_clear()

The CONFIG_TRANSPARENT_HUGEPAGE implementation of pmdp_get_and_clear()
calls pmd_clear() with 3 arguments instead of 1.

This happens only for !__HAVE_ARCH_PMDP_GET_AND_CLEAR which doesn't seem
to happen because x86 defines this and it uses pmd_update.

[ changelog addition]
Signed-off-by: Catalin Marinas <>
Signed-off-by: Steve Capper <>
Signed-off-by: Will Deacon <>
Cc: Arnd Bergmann <>
Reviewed-by: Michal Hocko <>
Reviewed-by: Kirill A. Shutemov <>
Cc: Gerald Schaefer <>
Reviewed-by: Andrea Arcangeli <>
Cc: Chris Metcalf <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
8 years agoARM: 7323/1: Do not allow ARM_LPAE on pre-ARMv7 architectures
Catalin Marinas [Tue, 14 Feb 2012 15:33:27 +0000 (16:33 +0100)]
ARM: 7323/1: Do not allow ARM_LPAE on pre-ARMv7 architectures

This patch expands the Kconfig dependencies for ARM_LPAE to not allow
enabling when architectures other than ARMv7 are built into the kernel.

Signed-off-by: Catalin Marinas <>
Reported-by: Russell King <>
Signed-off-by: Russell King <>
8 years agoARM: 7275/1: LPAE: Check the CPU support for the long descriptor format
Catalin Marinas [Mon, 9 Jan 2012 11:24:47 +0000 (12:24 +0100)]
ARM: 7275/1: LPAE: Check the CPU support for the long descriptor format

This patch adds a check for the presence of the LPAE feature during the
CPU initialisation. If not present, it reports an error when
CONFIG_DEBUG_LL is enabled.

Signed-off-by: Catalin Marinas <>
Acked-by: Nicolas Pitre <>
Signed-off-by: Russell King <>
8 years agoARM: kexec: use soft_restart for branching to the reboot buffer
Will Deacon [Mon, 6 Jun 2011 11:35:46 +0000 (12:35 +0100)]
ARM: kexec: use soft_restart for branching to the reboot buffer

Now that there is a common way to reset the machine, let's use it
instead of reinventing the wheel in the kexec backend.

Signed-off-by: Will Deacon <>
8 years agoARM: stop: execute platform callback from cpu_stop code
Will Deacon [Mon, 6 Jun 2011 14:49:23 +0000 (15:49 +0100)]
ARM: stop: execute platform callback from cpu_stop code

Sending IPI_CPU_STOP to a CPU causes it to execute a busy cpu_relax
loop forever. This makes it impossible to kexec successfully on an SMP
system since the secondary CPUs do not reset.

This patch adds a callback to platform_cpu_kill, defined when
CONFIG_HOTPLUG_CPU=y, from the ipi_cpu_stop handling code. This function
currently just returns 1 on all platforms that define it but allows them
to do something more sophisticated in the future.

Signed-off-by: Will Deacon <>
8 years agoARM: reset: implement soft_restart for jumping to a physical address
Will Deacon [Mon, 6 Jun 2011 11:28:54 +0000 (12:28 +0100)]
ARM: reset: implement soft_restart for jumping to a physical address

Tools such as kexec and CPU hotplug require a way to reset the processor
and branch to some code in physical space. This requires various bits of
jiggery pokery with the caches and MMU which, when it goes wrong, tends
to lock up the system.

This patch fleshes out the soft_restart implementation so that it
branches to the reset code using the identity mapping. This requires us
to change to a temporary stack, held within the kernel image as a static
array, to avoid conflicting with the new view of memory.

Signed-off-by: Will Deacon <>
8 years agoARM: lib: add call_with_stack function for safely changing stack
Will Deacon [Wed, 8 Jun 2011 14:29:00 +0000 (15:29 +0100)]
ARM: lib: add call_with_stack function for safely changing stack

When disabling the MMU, it is necessary to take out a 1:1 identity map
of the reset code so that it can safely be executed with and without
the MMU active. To avoid the situation where the physical address of the
reset code aliases with the virtual address of the active stack (which
cannot be included in the 1:1 mapping), it is desirable to change to a
new stack at a location which is less likely to alias.

This code adds a new lib function, call_with_stack:

void call_with_stack(void (*fn)(void *), void *arg, void *sp);

which changes the stack to point at the sp parameter, before invoking
fn(arg) with the new stack selected.

Reviewed-by: Nicolas Pitre <>
Reviewed-by: Catalin Marinas <>
Signed-off-by: Dave Martin <>
Signed-off-by: Will Deacon <>
8 years agoARM: restart: only perform setup for restart when soft-restarting
Russell King [Tue, 1 Nov 2011 13:16:26 +0000 (13:16 +0000)]
ARM: restart: only perform setup for restart when soft-restarting

We only need to set the system up for a soft-restart if we're going to
be doing a soft-restart.  Provide a new function (soft_restart()) which
does the setup and final call for this, and make platforms use it.
Eliminate the call to setup_restart() from the default handler.

This means that platforms arch_reset() function is no longer called with
the page tables prepared for a soft-restart, and caches will still be

Acked-by: Nicolas Pitre <>
Acked-by: Will Deacon <>
Acked-by: H Hartley Sweeten <>
Acked-by: Kukjin Kim <>
Acked-by: Sascha Hauer <>
Acked-by: Viresh Kumar <>
Acked-by: Krzysztof Ha■asa <>
Acked-by: Paul Mundt <>
Acked-by: Richard Purdie <>
Acked-by: Wan ZongShun <>
Acked-by: Eric Miao <>
Signed-off-by: Russell King <>
8 years agoARM: restart: remove argument to setup_mm_for_reboot()
Russell King [Tue, 1 Nov 2011 10:15:27 +0000 (10:15 +0000)]
ARM: restart: remove argument to setup_mm_for_reboot()

setup_mm_for_reboot() doesn't make use of its argument, so remove it.

Acked-by: Nicolas Pitre <>
Acked-by: Will Deacon <>
Acked-by: H Hartley Sweeten <>
Acked-by: Tony Lindgren <>
Signed-off-by: Russell King <>
8 years agoARM: restart: move reboot failure handing into machine_restart()
Russell King [Mon, 31 Oct 2011 09:22:22 +0000 (09:22 +0000)]
ARM: restart: move reboot failure handing into machine_restart()

Move the failure to reboot into machine_restart() to always catch
this condition, even if a platform decides to hook the restarting
via arm_pm_restart().

Acked-by: Nicolas Pitre <>
Acked-by: Will Deacon <>
Acked-by: H Hartley Sweeten <>
Acked-by: Tony Lindgren <>
Signed-off-by: Russell King <>


8 years agoARM: LPAE: Add the Kconfig entries
Catalin Marinas [Tue, 22 Nov 2011 17:30:32 +0000 (17:30 +0000)]
ARM: LPAE: Add the Kconfig entries

This patch adds the ARM_LPAE and ARCH_PHYS_ADDR_T_64BIT Kconfig entries
allowing LPAE support to be compiled into the kernel.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: mark memory banks with start > ULONG_MAX as highmem
Will Deacon [Tue, 22 Nov 2011 17:30:32 +0000 (17:30 +0000)]
ARM: LPAE: mark memory banks with start > ULONG_MAX as highmem

Memory banks living outside of the 32-bit physical address
space do not have a 1:1 pa <-> va mapping and therefore the
__va macro may wrap.

This patch ensures that such banks are marked as highmem so
that the Kernel doesn't try to split them up when it sees that
the wrapped virtual address overlaps the vmalloc space.

Signed-off-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
Acked-by: Nicolas Pitre <>
8 years agoARM: LPAE: Add identity mapping support for the 3-level page table format
Catalin Marinas [Tue, 22 Nov 2011 17:30:32 +0000 (17:30 +0000)]
ARM: LPAE: Add identity mapping support for the 3-level page table format

With LPAE, the pgd is a separate page table with entries pointing to the
pmd. The identity_mapping_add() function needs to ensure that the pgd is
populated before populating the pmd level. The do..while blocks now loop
over the pmd in order to have the same implementation for the two page
table formats. The pmd_addr_end() definition has been removed and the
generic one used instead. The pmd clean-up is done in the pgd_free()

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Add context switching support
Catalin Marinas [Tue, 22 Nov 2011 17:30:31 +0000 (17:30 +0000)]
ARM: LPAE: Add context switching support

With LPAE, TTBRx registers are 64-bit. The ASID is stored in TTBR0
rather than a separate Context ID register. This patch makes the
necessary changes to handle context switching on LPAE.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Add fault handling support
Catalin Marinas [Tue, 22 Nov 2011 17:30:31 +0000 (17:30 +0000)]
ARM: LPAE: Add fault handling support

The DFSR and IFSR register format is different when LPAE is enabled. In
addition, DFSR and IFSR have similar definitions for the fault type.
This modifies the fault code to correctly handle the new format.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Invalidate the TLB before freeing the PMD
Catalin Marinas [Tue, 22 Nov 2011 17:30:29 +0000 (17:30 +0000)]
ARM: LPAE: Invalidate the TLB before freeing the PMD

Similar to the PTE freeing, this patch introduced __pmd_free_tlb() which
invalidates the TLB before freeing a PMD page. This is needed because on
newer processors the entry in the upper page table may be cached by the
TLB and point to random data after the PMD has been freed.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: MMU setup for the 3-level page table format
Catalin Marinas [Tue, 22 Nov 2011 17:30:29 +0000 (17:30 +0000)]
ARM: LPAE: MMU setup for the 3-level page table format

This patch adds the MMU initialisation for the LPAE page table format.
The swapper_pg_dir size with LPAE is 5 rather than 4 pages. A new
proc-v7-3level.S file contains the TTB initialisation, context switch
and PTE setting code with the LPAE. The TTBRx split is based on the
PAGE_OFFSET with TTBR1 used for the kernel mappings. The 36-bit mappings
(supersections) and a few other memory types in mmu.c are conditionally

Signed-off-by: Catalin Marinas <>


8 years agoARM: LPAE: Page table maintenance for the 3-level format
Catalin Marinas [Tue, 22 Nov 2011 17:30:29 +0000 (17:30 +0000)]
ARM: LPAE: Page table maintenance for the 3-level format

This patch modifies the pgd/pmd/pte manipulation functions to support
the 3-level page table format. Since there is no need for an 'ext'
argument to cpu_set_pte_ext(), this patch conditionally defines a
different prototype for this function when CONFIG_ARM_LPAE.

The patch also introduces the L_PGD_SWAPPER flag to mark pgd entries
pointing to pmd tables pre-allocated in the swapper_pg_dir and avoid
trying to free them at run-time. This flag is 0 with the classic page
table format.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Introduce the 3-level page table format definitions
Catalin Marinas [Tue, 22 Nov 2011 17:30:29 +0000 (17:30 +0000)]
ARM: LPAE: Introduce the 3-level page table format definitions

This patch introduces the pgtable-3level*.h files with definitions
specific to the LPAE page table format (3 levels of page tables).

Each table is 4KB and has 512 64-bit entries. An entry can point to a
40-bit physical address. The young, write and exec software bits share
the corresponding hardware bits (negated). Other software bits use spare
bits in the PTE.

The patch also changes some variable types from unsigned long or int to
pteval_t or pgprot_t.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: add ISBs around MMU enabling code
Will Deacon [Tue, 22 Nov 2011 17:30:28 +0000 (17:30 +0000)]
ARM: LPAE: add ISBs around MMU enabling code

Before we enable the MMU, we must ensure that the TTBR registers contain
sane values. After the MMU has been enabled, we jump to the *virtual*
address of the following function, so we also need to ensure that the
SCTLR write has taken effect.

This patch adds ISB instructions around the SCTLR write to ensure the
visibility of the above.

Signed-off-by: Will Deacon <>
Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Factor out classic-MMU specific code into proc-v7-2level.S
Catalin Marinas [Tue, 22 Nov 2011 17:30:28 +0000 (17:30 +0000)]
ARM: LPAE: Factor out classic-MMU specific code into proc-v7-2level.S

This patch modifies the proc-v7.S file so that it only contains code
shared between classic MMU and LPAE. The non-common code is factored out
into a separate file.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Move the FSR definitions to separate files
Catalin Marinas [Tue, 22 Nov 2011 17:30:28 +0000 (17:30 +0000)]
ARM: LPAE: Move the FSR definitions to separate files

The FSR structure is different with LPAE and this patch moves the
classic MMU specific definition to a separate fsr-2level.c file that is
included in fault.c. It also moves the fsr_fs and FSR bits to the
fault.h file.

Signed-off-by: Catalin Marinas <>
8 years agoARM: LPAE: Move page table maintenance macros to pgtable-2level.h
Catalin Marinas [Tue, 22 Nov 2011 17:30:28 +0000 (17:30 +0000)]
ARM: LPAE: Move page table maintenance macros to pgtable-2level.h

The page table maintenance macros need to be duplicated between the
classic and the LPAE MMU so this patch moves those that are not common
to the pgtable-2level.h file.

Signed-off-by: Catalin Marinas <>
8 years agoARM: pgtable: switch to use pgtable-nopud.h
Russell King [Tue, 22 Nov 2011 17:30:28 +0000 (17:30 +0000)]
ARM: pgtable: switch to use pgtable-nopud.h

Nick Piggin noted upon introducing 4level-fixup.h:

| Add a temporary "fallback" header so architectures can run with
| the 4level pagetables patch without modification. All architectures
| should be converted to use the folding headers (include/asm-generic/
| pgtable-nop?d.h) as soon as possible, and the fallback header removed.

This makes ARM compliant with this statement.

Signed-off-by: Russell King <>
Signed-off-by: Catalin Marinas <>
8 years agoARM: pgtable: Fix compiler warning in ioremap.c introduced by nopud
Catalin Marinas [Tue, 22 Nov 2011 17:30:27 +0000 (17:30 +0000)]
ARM: pgtable: Fix compiler warning in ioremap.c introduced by nopud

With the arch/arm code conversion to pgtable-nopud.h, the section and
supersection (un|re)map code triggers compiler warnings on UP systems.
This is caused by pmd_offset() being given a pgd_t argument rather than
a pud_t one. This patch makes the necessary conversion with the
assumption that the pud is folded into the pgd. The page table setting
code only loops over the pmd which is enough with the classic page
tables. This code is not compiled when LPAE is enabled.

Signed-off-by: Catalin Marinas <>
8 years agoARM: SMP: use idmap_pgd for mapping MMU enable during secondary booting
Will Deacon [Wed, 23 Nov 2011 12:26:25 +0000 (12:26 +0000)]
ARM: SMP: use idmap_pgd for mapping MMU enable during secondary booting

The ARM SMP booting code allocates a temporary set of page tables
containing an identity mapping of the kernel image and provides this
to secondary CPUs for initial booting.

In reality, we only need to include the __turn_mmu_on function in the
identity mapping since the rest of the kernel is executing from virtual
addresses after this point.

This patch adds __turn_mmu_on to the .idmap.text section, allowing the
SMP booting code to use the idmap_pgd directly and not have to populate
its own set of page table.

As a result of this patch, we can make the identity_mapping_add function
static (since it is only used within mm/idmap.c) and also remove the
identity_mapping_del function. The identity map population is moved to
an early initcall so that it is setup in time for secondary CPU bringup.

Reviewed-by: Catalin Marinas <>
Signed-off-by: Will Deacon <>
8 years agoARM: head.S: only include __turn_mmu_on in the initial identity mapping
Will Deacon [Wed, 23 Nov 2011 12:03:27 +0000 (12:03 +0000)]
ARM: head.S: only include __turn_mmu_on in the initial identity mapping

__create_page_tables identity maps the region of memory from
__enable_mmu to the end of __turn_mmu_on.

In preparation for including __turn_mmu_on in the .idmap.text section,
this patch modifies the identity mapping so that it only includes the
__turn_mmu_on code.

Reviewed-by: Catalin Marinas <>
Signed-off-by: Will Deacon <>
8 years agoARM: idmap: use idmap_pgd when setting up mm for reboot
Will Deacon [Wed, 8 Jun 2011 14:53:34 +0000 (15:53 +0100)]
ARM: idmap: use idmap_pgd when setting up mm for reboot

For soft-rebooting a system, it is necessary to map the MMU-off code
with an identity mapping so that execution can continue safely once the
MMU has been switched off.

Currently, switch_mm_for_reboot takes out a 1:1 mapping from 0x0 to
TASK_SIZE during reboot in the hope that the reset code lives at a
physical address corresponding to a userspace virtual address.

This patch modifies the code so that we switch to the idmap_pgd tables,
which contain a 1:1 mapping of the cpu_reset code. This has the
advantage of only remapping the code that we need and also means we
don't need to worry about allocating a pgd from an atomic context in the
case that the physical address of the cpu_reset code aliases with the
virtual space used by the kernel.

Acked-by: Dave Martin <>
Reviewed-by: Catalin Marinas <>
Signed-off-by: Will Deacon <>
8 years agoARM: proc-*.S: place cpu_reset functions into .idmap.text section
Will Deacon [Tue, 15 Nov 2011 13:25:04 +0000 (13:25 +0000)]
ARM: proc-*.S: place cpu_reset functions into .idmap.text section

The CPU reset functions disable the MMU and therefore must be executed
with an identity mapping in place.

This patch places the CPU reset functions into the .idmap.text section,
causing the idmap code to include them as part of the identity mapping.

Acked-by: Dave Martin <>
Signed-off-by: Will Deacon <>
8 years agoARM: suspend: use idmap_pgd instead of suspend_pgd
Will Deacon [Tue, 15 Nov 2011 11:11:19 +0000 (11:11 +0000)]
ARM: suspend: use idmap_pgd instead of suspend_pgd

The ARM CPU suspend code requires cpu_resume_mmu to be identity mapped
in order to re-enable the MMU when coming out of suspend. Currently,
this is accomplished by maintaining a suspend_pgd with the relevant
mapping put in place at init time.

This patch replaces the use of suspend_pgd with the new idmap_pgd.
cpu_resume_mmu is placed in the .idmap.text section so that it is
included in the identity map.

Reviewed-by: Catalin Marinas <>
Acked-by: Dave Martin <>
Tested-by: Lorenzo Pieralisi <>
Signed-off-by: Will Deacon <>
8 years agoARM: idmap: populate identity map pgd at init time using .init.text
Will Deacon [Fri, 30 Sep 2011 10:43:29 +0000 (11:43 +0100)]
ARM: idmap: populate identity map pgd at init time using .init.text

When disabling and re-enabling the MMU, it is necessary to take out an
identity mapping for the code that manipulates the SCTLR in order to
avoid it disappearing from under our feet. This is useful when soft
rebooting and returning from CPU suspend.

This patch allocates a set of page tables during boot and populates them
with an identity mapping for the .idmap.text section. This means that
users of the identity map do not need to manage their own pgd and can
instead annotate their functions with __idmap or, in the case of assembly
code, place them in the correct section.

Acked-by: Dave Martin <>
Reviewed-by: Catalin Marinas <>
Tested-by: Lorenzo Pieralisi <>
Signed-off-by: Will Deacon <>
8 years agoRevert "Add various hugetlb arm high level hooks"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:04:05 +0000 (18:04 +0200)]
Revert "Add various hugetlb arm high level hooks"

This reverts commit 6e0faabf2ee89e41e65ce17e927763ef08bee903.

8 years agoRevert "Add various hugetlb page table fix"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:03:59 +0000 (18:03 +0200)]
Revert "Add various hugetlb page table fix"

This reverts commit c6fd24f0d779a73f784e64eb36496da6e11833a0.

8 years agoRevert "Introduce set_hugepte_ext api to setup huge hardware pmds"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:03:42 +0000 (18:03 +0200)]
Revert "Introduce set_hugepte_ext api to setup huge hardware pmds"

This reverts commit 66c4a0fc3ce10d65c881144bee306d348bbaddf4.

8 years agoRevert "Store huge page linux pte in mmu_context_t"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:02:33 +0000 (18:02 +0200)]
Revert "Store huge page linux pte in mmu_context_t"

This reverts commit 307b4042077c3f718a94bc3ce6d0ffd72c1575d7.

8 years agoRevert "Using do_page_fault for section fault handling"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:02:29 +0000 (18:02 +0200)]
Revert "Using do_page_fault for section fault handling"

This reverts commit ac24f0f22b6aa33f001f6fea8330f389846072ea.

8 years agoRevert "Add hugetlb Kconfig option"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:02:14 +0000 (18:02 +0200)]
Revert "Add hugetlb Kconfig option"

This reverts commit e22f739031e5fa35eb374c1557d13fbcd22b950e.

8 years agoRevert "Minor compiling fix"
Grazvydas Ignotas [Wed, 6 Feb 2013 16:01:43 +0000 (18:01 +0200)]
Revert "Minor compiling fix"

This reverts commit 0f9047bf8247df3eb20b991c0f472558a85aff9e.

8 years agoMerge branch 'stable-3.2' into pandora-3.2
Grazvydas Ignotas [Wed, 6 Feb 2013 15:55:31 +0000 (17:55 +0200)]
Merge branch 'stable-3.2' into pandora-3.2


8 years agoLinux 3.2.38 v3.2.38
Ben Hutchings [Wed, 6 Feb 2013 04:33:58 +0000 (04:33 +0000)]
Linux 3.2.38

8 years agoprintk: fix buffer overflow when calling log_prefix function from call_console_drivers
Alexandre SIMON [Fri, 1 Feb 2013 14:31:54 +0000 (15:31 +0100)]
printk: fix buffer overflow when calling log_prefix function from call_console_drivers

This patch corrects a buffer overflow in kernels from 3.0 to 3.4 when calling
log_prefix() function from call_console_drivers().

This bug existed in previous releases but has been revealed with commit
162a7e7500f9664636e649ba59defe541b7c2c60 (2.6.39 => 3.0) that made changes
about how to allocate memory for early printk buffer (use of memblock_alloc).
It disappears with commit 7ff9554bb578ba02166071d2d487b7fc7d860d62 (3.4 => 3.5)
that does a refactoring of printk buffer management.

In log_prefix(), the access to "p[0]", "p[1]", "p[2]" or
"simple_strtoul(&p[1], &endp, 10)" may cause a buffer overflow as this
function is called from call_console_drivers by passing "&LOG_BUF(cur_index)"
where the index must be masked to do not exceed the buffer's boundary.

The trick is to prepare in call_console_drivers() a buffer with the necessary
data (PRI field of syslog message) to be safely evaluated in log_prefix().

This patch can be applied to stable kernel branches 3.0.y, 3.2.y and 3.4.y.

Without this patch, one can freeze a server running this loop from shell :
  $ export DUMMY=`cat /dev/urandom | tr -dc '12345AZERTYUIOPQSDFGHJKLMWXCVBNazertyuiopqsdfghjklmwxcvbn' | head -c255`
  $ while true do ; echo $DUMMY > /dev/kmsg ; done

The "server freeze" depends on where memblock_alloc does allocate printk buffer :
if the buffer overflow is inside another kernel allocation the problem may not
be revealed, else the server may hangs up.

Signed-off-by: Alexandre SIMON <>
Signed-off-by: Ben Hutchings <>
8 years agox86, efi: Set runtime_version to the EFI spec revision
Matt Fleming [Fri, 25 Jan 2013 10:07:25 +0000 (10:07 +0000)]
x86, efi: Set runtime_version to the EFI spec revision

commit 712ba9e9afc4b3d3d6fa81565ca36fe518915c01 upstream.

efi.runtime_version is erroneously being set to the value of the
vendor's firmware revision instead of that of the implemented EFI
specification. We can't deduce which EFI functions are available based
on the revision of the vendor's firmware since the version scheme is
likely to be unique to each vendor.

What we really need to know is the revision of the implemented EFI
specification, which is available in the EFI System Table header.

Cc: Seiji Aguchi <>
Cc: Matthew Garrett <>
Signed-off-by: Matt Fleming <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: usbip: changed function return type to void
Bart Westgeest [Mon, 23 Jan 2012 15:55:46 +0000 (10:55 -0500)]
staging: usbip: changed function return type to void

commit ac2b41acfa3efe4650102067a99251587a806d70 upstream.

The function usbip_pad_iso never returns anything but 0 (success).

Signed-off-by: Bart Westgeest <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: usb-audio: Fix regression by disconnection-race-fix patch
Takashi Iwai [Tue, 22 Jan 2013 16:43:40 +0000 (17:43 +0100)]
ALSA: usb-audio: Fix regression by disconnection-race-fix patch

[NOTE: the regression below is found only in 3.2-3.4 stable trees, so
       there is no upstream commit corresponding to this patch]

The recent fix for the race at disconnection of usb-audio devices
(upstream commit 978520b7) triggers Oops when a device is unplugged
while playing on 3.2 and 3.4 kernels.  The culprit is that the
shutdown flag check was wrongly added around the urb deactivation code
snippet.  The urb deactivation code has to be performed even after the
device disconnected.  Otherwise it remains undead and pokes the wild
access in the end.

The regression fix is simply reverting the shutdown flag check in that

Reported-and-tested-by: Chris J Arges <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agodrbd: add missing part_round_stats to _drbd_start_io_acct
Philipp Reisner [Thu, 23 Feb 2012 11:56:26 +0000 (12:56 +0100)]
drbd: add missing part_round_stats to _drbd_start_io_acct

commit 72585d2428fa3a0daab02ebad1f41e5ef517dbaa upstream.

Without this, iostat frequently sees bogus svctime and >= 100% "utilization".

Signed-off-by: Philipp Reisner <>
Signed-off-by: Lars Ellenberg <>
Signed-off-by: Ben Hutchings <>
8 years agoigb: release already assigned MSI-X interrupts if setup fails
Stefan Assmann [Tue, 4 Dec 2012 06:00:17 +0000 (06:00 +0000)]
igb: release already assigned MSI-X interrupts if setup fails

commit 52285b762b3681669215bf1d17ca6143448ab7d3 upstream.

During MSI-X setup the system might run out of vectors. If this happens the
already assigned vectors for this NIC should be freed before trying the
disable MSI-X. Failing to do so results in the following oops.

kernel BUG at drivers/pci/msi.c:341!
Call Trace:
 [<ffffffff8128f39d>] pci_disable_msix+0x3d/0x60
 [<ffffffffa037d1ce>] igb_reset_interrupt_capability+0x27/0x5c [igb]
 [<ffffffffa037d229>] igb_clear_interrupt_scheme+0x26/0x2d [igb]
 [<ffffffffa0384268>] igb_request_irq+0x73/0x297 [igb]
 [<ffffffffa0384554>] __igb_open+0xc8/0x223 [igb]
 [<ffffffffa0384815>] igb_open+0x13/0x15 [igb]
 [<ffffffff8144592f>] __dev_open+0xbf/0x120
 [<ffffffff81443e51>] __dev_change_flags+0xa1/0x180
 [<ffffffff81445828>] dev_change_flags+0x28/0x70
 [<ffffffff814af537>] devinet_ioctl+0x5b7/0x620
 [<ffffffff814b01c8>] inet_ioctl+0x88/0xa0
 [<ffffffff8142e8a0>] sock_do_ioctl+0x30/0x70
 [<ffffffff8142ecf2>] sock_ioctl+0x72/0x270
 [<ffffffff8118062c>] do_vfs_ioctl+0x8c/0x340
 [<ffffffff81180981>] sys_ioctl+0xa1/0xb0
 [<ffffffff815161a9>] system_call_fastpath+0x16/0x1b
Code: 48 89 df e8 1f 40 ed ff 4d 39 e6 49 8b 45 10 75 b6 48 83 c4 18 5b 41 5c 41 5d 41 5e 41 5f c9 c3 48 8b 7b 20 e8 3e 91 db ff eb ae <0f> 0b eb fe 0f 1f 84 00 00 00 00 00 55 48 89 e5 0f 1f 44 00 00
RIP  [<ffffffff8128e144>] free_msi_irqs+0x124/0x130
 RSP <ffff880037503bd8>

Signed-off-by: Stefan Assmann <>
Tested-by: Aaron Brown <>
Signed-off-by: Jeff Kirsher <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: usb - fix race in creation of M-Audio Fast track pro driver
David Henningsson [Fri, 4 Jan 2013 16:02:18 +0000 (17:02 +0100)]
ALSA: usb - fix race in creation of M-Audio Fast track pro driver

commit b98ae2729dea161edc96c9d177459b6c28bcbba5 upstream.

A patch in the 3.2 kernel caused regression with hotplugging the
M-Audio Fast track pro, or sound after suspend. I don't have the
device so I haven't done a full analysis, but it seems userspace
(both udev and pulseaudio) got confused when a card was created,
immediately destroyed, and then created again.

However, at least one person in the bug report (martin djfun)
reports that this patch resolves the issue for him. It also leaves
a message in the log:
"snd-usb-audio: probe of 1-1.1:1.1 failed with error -5" which is
a bit misleading. It is better than non-working audio, but maybe
there's a more elegant solution?

Signed-off-by: David Henningsson <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agointel-iommu: Prevent devices with RMRRs from being placed into SI Domain
Tom Mingarelli [Tue, 20 Nov 2012 19:43:17 +0000 (19:43 +0000)]
intel-iommu: Prevent devices with RMRRs from being placed into SI Domain

commit ea2447f700cab264019b52e2b417d689e052dcfd upstream.

This patch is to prevent non-USB devices that have RMRRs associated with them from
being placed into the SI Domain during init. This fixes the issue where the RMRR info
for devices being placed in and out of the SI Domain gets lost.

Signed-off-by: Thomas Mingarelli <>
Tested-by: Shuah Khan <>
Reviewed-by: Donald Dutile <>
Reviewed-by: Alex Williamson <>
Signed-off-by: Joerg Roedel <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: comedi: don't hijack hardware device private data
Ian Abbott [Fri, 30 Mar 2012 16:14:58 +0000 (17:14 +0100)]
staging: comedi: don't hijack hardware device private data

commit c43435d7722134ed1fda58ce1025f41029bd58ad upstream.

comedi_auto_config() associates a Comedi minor device number with an
auto-configured hardware device and comedi_auto_unconfig() disassociates
it.  Currently, these use the hardware device's private data pointer to
point to some allocated storage holding the minor device number.  This
is a bit of a waste of the hardware device's private data pointer,
preventing it from being used for something more useful by the low-level
comedi device drivers.  For example, it would make more sense if
comedi_usb_auto_config() was passed a pointer to the struct
usb_interface instead of the struct usb_device, but this cannot be done
currently because the low-level comedi drivers already use the private
data pointer in the struct usb_interface for something more useful.

This patch stops the comedi core hijacking the hardware device's private
data pointer.  Instead, comedi_auto_config() stores a pointer to the
hardware device's struct device in the struct comedi_device_file_info
associated with the minor device number, and comedi_auto_unconfig()
calls new function comedi_find_board_minor() to recover the minor device
number associated with the hardware device.

Signed-off-by: Ian Abbott <>
Signed-off-by: Greg Kroah-Hartman <>
Signed-off-by: Ben Hutchings <>
8 years agoRevert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13"
Daniel Vetter [Mon, 7 Jan 2013 09:27:13 +0000 (10:27 +0100)]
Revert "drm/i915: no lvds quirk for Zotac ZDBOX SD ID12/ID13"

commit 48e858340dae43189a4e55647f6eac736766f828 upstream.

This reverts commit 9756fe38d10b2bf90c81dc4d2f17d5632e135364.

The bogus lvds output is actually a lvds->hdmi bridge, which we don't
really support. But unconditionally disabling it breaks some existing

Reported-by: John Tapsell <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
8 years agostaging: comedi: Kconfig: COMEDI_NI_AT_A2150 should select COMEDI_FC
Ian Abbott [Tue, 15 Jan 2013 14:45:20 +0000 (14:45 +0000)]
staging: comedi: Kconfig: COMEDI_NI_AT_A2150 should select COMEDI_FC

commit 34ffb33e09132401872fe79e95c30824ce194d23 upstream.

The 'ni_at_a2150' module links to `cfc_write_to_buffer` in the
'comedi_fc' module, so selecting 'COMEDI_NI_AT_A2150' in the kernel
config needs to also select 'COMEDI_FC'.

Signed-off-by: Ian Abbott <>
Signed-off-by: Ben Hutchings <>
8 years agox86: Use enum instead of literals for trap values
Kees Cook [Sat, 10 Mar 2012 00:07:10 +0000 (16:07 -0800)]
x86: Use enum instead of literals for trap values

commit c94082656dac74257f63e91f78d5d458ac781fa5 upstream.

The traps are referred to by their numbers and it can be difficult to
understand them while reading the code without context. This patch adds
enumeration of the trap numbers and replaces the numbers with the correct
enum for x86.

Signed-off-by: Kees Cook <>
Signed-off-by: H. Peter Anvin <>
Cherry-picked-for: v2.3.37
Signed-off-by: John Kacur <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled
Daniel Vetter [Fri, 14 Dec 2012 22:38:28 +0000 (23:38 +0100)]
drm/i915: Implement WaDisableHiZPlanesWhenMSAAEnabled

commit 4283908ef7f11a72c3b80dd4cf026f1a86429f82 upstream.

Quoting from Bspec, 3D_CHICKEN1, bit 10

This bit needs to be set always to "1", Project: DevSNB "

Reviewed-by: Rodrigo Vivi <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Abdallah Chatila <>
Signed-off-by: Ben Hutchings <>
8 years agodrivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists
Zhenzhong Duan [Thu, 20 Dec 2012 23:05:14 +0000 (15:05 -0800)]
drivers/firmware/dmi_scan.c: fetch dmi version from SMBIOS if it exists

commit 9f9c9cbb60576a1518d0bf93fb8e499cffccf377 upstream.

The right dmi version is in SMBIOS if it's zero in DMI region

This issue was originally found from an oracle bug.
One customer noticed system UUID doesn't match between dmidecode & uek2.

 - HP ProLiant BL460c G6 :
   # cat /sys/devices/virtual/dmi/id/product_uuid
   # dmidecode | grep -i uuid
   UUID: 00000000-0000-484C-3031-4D5030333531

From SMBIOS 2.6 on, spec use little-endian encoding for UUID other than
network byte order.

So we need to get dmi version to distinguish.  If version is 0.0, the
real version is taken from the SMBIOS version.  This is part of original
kernel comment in code.

[ checkpatch fixes]
Signed-off-by: Zhenzhong Duan <>
Cc: Feng Jin <>
Cc: Jean Delvare <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agodrivers/firmware/dmi_scan.c: check dmi version when get system uuid
Zhenzhong Duan [Thu, 20 Dec 2012 23:05:13 +0000 (15:05 -0800)]
drivers/firmware/dmi_scan.c: check dmi version when get system uuid

commit f1d8e614d74b09531b9a85e812485340f3df7b1c upstream.

As of version 2.6 of the SMBIOS specification, the first 3 fields of the
UUID are supposed to be little-endian encoded.

Also a minor fix to match variable meaning and mute

[ tweak code comment]
Signed-off-by: Zhenzhong Duan <>
Cc: Feng Jin <>
Cc: Jean Delvare <>
Signed-off-by: Andrew Morton <>
Signed-off-by: Linus Torvalds <>
Signed-off-by: Ben Hutchings <>
8 years agosd: Reshuffle init_sd to avoid crash
Joel D. Diaz [Wed, 10 Oct 2012 08:36:11 +0000 (10:36 +0200)]
sd: Reshuffle init_sd to avoid crash

commit afd5e34b2bb34881d3a789e62486814a49b47faa upstream.

scsi_register_driver will register a prep_fn() function, which
in turn migh need to use the sd_cdp_pool for DIF.
Which hasn't been initialised at this point, leading to
a crash. So reshuffle the init_sd() and exit_sd() paths
to have the driver registered last.

Signed-off-by: Joel D. Diaz <>
Signed-off-by: Hannes Reinecke <>
Signed-off-by: James Bottomley <>
Signed-off-by: Ben Hutchings <>
8 years agoahci: Add identifiers for ASM106x devices
Alan Cox [Tue, 4 Sep 2012 15:25:25 +0000 (16:25 +0100)]
ahci: Add identifiers for ASM106x devices

commit 7b4f6ecacb14f384adc1a5a67ad95eb082c02bd1 upstream.

They don't always appear as AHCI class devices but instead as IDE class.

Based on an initial patch by Hiroaki Nito

Signed-off-by: Alan Cox <>
Signed-off-by: Jeff Garzik <>
Signed-off-by: Ben Hutchings <>
8 years agox86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI
H. Peter Anvin [Mon, 14 Jan 2013 04:56:41 +0000 (20:56 -0800)]
x86/Sandy Bridge: Sandy Bridge workaround depends on CONFIG_PCI

commit e43b3cec711a61edf047adf6204d542f3a659ef8 upstream.

early_pci_allowed() and read_pci_config_16() are only available if
CONFIG_PCI is defined.

Signed-off-by: H. Peter Anvin <>
Cc: Jesse Barnes <>
Signed-off-by: Ben Hutchings <>
8 years agox86/Sandy Bridge: mark arrays in __init functions as __initconst
H. Peter Anvin [Mon, 14 Jan 2013 04:36:39 +0000 (20:36 -0800)]
x86/Sandy Bridge: mark arrays in __init functions as __initconst

commit ab3cd8670e0b3fcde7f029e1503ed3c5138e9571 upstream.

Mark static arrays as __initconst so they get removed when the init
sections are flushed.

Reported-by: Mathias Krause <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Ben Hutchings <>
8 years agox86/Sandy Bridge: reserve pages when integrated graphics is present
Jesse Barnes [Wed, 14 Nov 2012 20:43:31 +0000 (20:43 +0000)]
x86/Sandy Bridge: reserve pages when integrated graphics is present

commit a9acc5365dbda29f7be2884efb63771dc24bd815 upstream.

SNB graphics devices have a bug that prevent them from accessing certain
memory ranges, namely anything below 1M and in the pages listed in the
table.  So reserve those at boot if set detect a SNB gfx device on the
CPU to avoid GPU hangs.

Stephane Marchesin had a similar patch to the page allocator awhile
back, but rather than reserving pages up front, it leaked them at
allocation time.

[ hpa: made a number of stylistic changes, marked arrays as static
  const, and made less verbose; use "memblock=debug" for full
  verbosity. ]

Signed-off-by: Jesse Barnes <>
Signed-off-by: H. Peter Anvin <>
Signed-off-by: Ben Hutchings <>
8 years agoNFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session
Trond Myklebust [Wed, 30 Jan 2013 18:04:10 +0000 (13:04 -0500)]
NFSv4.1: Handle NFS4ERR_DELAY when resetting the NFSv4.1 session

commit c489ee290bdbbace6bb63ebe6ebd4dd605819495 upstream.

NFS4ERR_DELAY is a legal reply when we call DESTROY_SESSION. It
usually means that the server is busy handling an unfinished RPC
request. Just sleep for a second and then retry.
We also need to be able to handle the NFS4ERR_BACK_CHAN_BUSY return
value. If the NFS server has outstanding callbacks, we just want to
similarly sleep & retry.

Signed-off-by: Trond Myklebust <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoNFS: Don't silently fail setattr() requests on mountpoints
Trond Myklebust [Tue, 22 Jan 2013 05:17:06 +0000 (00:17 -0500)]
NFS: Don't silently fail setattr() requests on mountpoints

commit ab225417825963b6dc66be7ea80f94ac1378dfdf upstream.

Ensure that any setattr and getattr requests for junctions and/or
mountpoints are sent to the server. Ever since commit
0ec26fd0698 (vfs: automount should ignore LOOKUP_FOLLOW), we have
silently dropped any setattr requests to a server-side mountpoint.
For referrals, we have silently dropped both getattr and setattr

This patch restores the original behaviour for setattr on mountpoints,
and tries to do the same for referrals, provided that we have a

Signed-off-by: Trond Myklebust <>
Signed-off-by: Ben Hutchings <>
8 years agosamsung-laptop: Disable on EFI hardware
Matt Fleming [Thu, 3 Jan 2013 09:02:37 +0000 (09:02 +0000)]
samsung-laptop: Disable on EFI hardware

commit e0094244e41c4d0c7ad69920681972fc45d8ce34 upstream.

It has been reported that running this driver on some Samsung laptops
with EFI can cause those machines to become bricked as detailed in the
following report,

There have also been reports of this driver causing Machine Check
Exceptions on recent EFI-enabled Samsung laptops,

So disable it if booting from EFI since this driver relies on
grovelling around in the BIOS memory map which isn't going to work.

Cc: Corentin Chary <>
Cc: Matthew Garrett <>
Cc: Colin Ian King <>
Cc: Steve Langasek <>
Signed-off-by: Matt Fleming <>
Signed-off-by: H. Peter Anvin <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoefi: Make 'efi_enabled' a function to query EFI facilities
Matt Fleming [Wed, 14 Nov 2012 09:42:35 +0000 (09:42 +0000)]
efi: Make 'efi_enabled' a function to query EFI facilities

commit 83e68189745ad931c2afd45d8ee3303929233e7f upstream.

Originally 'efi_enabled' indicated whether a kernel was booted from
EFI firmware. Over time its semantics have changed, and it now
indicates whether or not we are booted on an EFI machine with
bit-native firmware, e.g. 64-bit kernel with 64-bit firmware.

The immediate motivation for this patch is the bug report at,

which details how running a platform driver on an EFI machine that is
designed to run under BIOS can cause the machine to become
bricked. Also, the following report,

details how running said driver can also cause Machine Check
Exceptions. Drivers need a new means of detecting whether they're
running on an EFI machine, as sadly the expression,

    if (!efi_enabled)

hasn't been a sufficient condition for quite some time.

Users actually want to query 'efi_enabled' for different reasons -
what they really want access to is the list of available EFI

For instance, the x86 reboot code needs to know whether it can invoke
the ResetSystem() function provided by the EFI runtime services, while
the ACPI OSL code wants to know whether the EFI config tables were
mapped successfully. There are also checks in some of the platform
driver code to simply see if they're running on an EFI machine (which
would make it a bad idea to do BIOS-y things).

This patch is a prereq for the samsung-laptop fix patch.

Cc: David Airlie <>
Cc: Corentin Chary <>
Cc: Matthew Garrett <>
Cc: Dave Jiang <>
Cc: Olof Johansson <>
Cc: Peter Jones <>
Cc: Colin Ian King <>
Cc: Steve Langasek <>
Cc: Tony Luck <>
Cc: Konrad Rzeszutek Wilk <>
Cc: Rafael J. Wysocki <>
Signed-off-by: Matt Fleming <>
Signed-off-by: H. Peter Anvin <>
[bwh: Backported to 3.2:
 - Adjust context (a lot)
 - Add efi_is_native() function from commit 5189c2a7c776
   ('x86: efi: Turn off efi_enabled after setup on mixed fw/kernel')
 - Make efi_init() bail out when booted non-native, as it would previously
   not be called in this case
 - Drop inapplicable changes to start_kernel()]
Signed-off-by: Ben Hutchings <>
8 years agoEDAC: Test correct variable in ->store function
Dan Carpenter [Sat, 26 Jan 2013 07:49:24 +0000 (10:49 +0300)]
EDAC: Test correct variable in ->store function

commit 8024c4c0b1057d1cd811fc9c3f88f81de9729fcd upstream.

We're testing for ->show but calling ->store().

Signed-off-by: Dan Carpenter <>
Signed-off-by: Borislav Petkov <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: hda - Fix non-snoop page handling
Takashi Iwai [Tue, 29 Jan 2013 17:07:22 +0000 (18:07 +0100)]
ALSA: hda - Fix non-snoop page handling

commit 9ddf1aeb2134e72275c97a2c6ff2e3eb04f2f27a upstream.

For non-snoop mode, we fiddle with the page attributes of CORB/RIRB
and the position buffer, but also the ring buffers.  The problem is
that the current code blindly assumes that the buffer is contiguous.
However, the ring buffers may be SG-buffers, thus a wrong vmapped
address is passed there, leading to Oops.

This patch fixes the handling for SG-buffers.


Signed-off-by: Takashi Iwai <>
[bwh: Backported to 3.2: open-code snd_pcm_get_dma_buf()]
Signed-off-by: Ben Hutchings <>
8 years agoxfs: Fix possible use-after-free with AIO
Jan Kara [Wed, 23 Jan 2013 12:56:18 +0000 (13:56 +0100)]
xfs: Fix possible use-after-free with AIO

commit 4b05d09c18d9aa62d2e7fb4b057f54e5a38963f5 upstream.

Running AIO is pinning inode in memory using file reference. Once AIO
is completed using aio_complete(), file reference is put and inode can
be freed from memory. So we have to be sure that calling aio_complete()
is the last thing we do with the inode.

CC: Ben Myers <>
Signed-off-by: Jan Kara <>
Reviewed-by: Ben Myers <>
Signed-off-by: Ben Myers <>
Signed-off-by: Ben Hutchings <>
8 years agoIOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround
Suravee Suthikulpanit [Thu, 24 Jan 2013 19:17:53 +0000 (13:17 -0600)]
IOMMU, AMD Family15h Model10-1Fh erratum 746 Workaround

commit 318fe782539c4150d1b8e4e6c9dc3a896512cb8a upstream.

The IOMMU may stop processing page translations due to a perceived lack
of credits for writing upstream peripheral page service request (PPR)
or event logs. If the L2B miscellaneous clock gating feature is enabled
the IOMMU does not properly register credits after the log request has
completed, leading to a potential system hang.

BIOSes are supposed to disable L2B micellaneous clock gating by setting
L2_L2B_CK_GATE_CONTROL[CKGateL2BMiscDisable](D0F2xF4_x90[2]) = 1b. This
patch corrects that for those which do not enable this workaround.

Signed-off-by: Suravee Suthikulpanit <>
Acked-by: Borislav Petkov <>
Signed-off-by: Joerg Roedel <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agosmp: Fix SMP function call empty cpu mask race
Wang YanQing [Sat, 26 Jan 2013 07:53:57 +0000 (15:53 +0800)]
smp: Fix SMP function call empty cpu mask race

commit f44310b98ddb7f0d06550d73ed67df5865e3eda5 upstream.

I get the following warning every day with v3.7, once or
twice a day:

  [ 2235.186027] WARNING: at /mnt/sda7/kernel/linux/arch/x86/kernel/apic/ipi.c:109 default_send_IPI_mask_logical+0x2f/0xb8()

As explained by Linus as well:

 | Once we've done the "list_add_rcu()" to add it to the
 | queue, we can have (another) IPI to the target CPU that can
 | now see it and clear the mask.
 | So by the time we get to actually send the IPI, the mask might
 | have been cleared by another IPI.

This patch also fixes a system hang problem, if the data->cpumask
gets cleared after passing this point:

        if (WARN_ONCE(!mask, "empty IPI mask"))

then the problem in commit 83d349f35e1a ("x86: don't send an IPI to
the empty set of CPU's") will happen again.

Signed-off-by: Wang YanQing <>
Acked-by: Linus Torvalds <>
Acked-by: Jan Beulich <>
Cc: Paul E. McKenney <>
Cc: Andrew Morton <>
[ Tidied up the changelog and the comment in the code. ]
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
8 years agoALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices
Clemens Ladisch [Thu, 29 Nov 2012 16:04:23 +0000 (17:04 +0100)]
ALSA: usb-audio: fix invalid length check for RME and other UAC 2 devices

commit d56268fb108c7c21e19933588ca4d94652585183 upstream.

Commit 23caaf19b11e (ALSA: usb-mixer: Add support for Audio Class v2.0)
forgot to adjust the length check for UAC 2.0 feature unit descriptors.
This would make the code abort on encountering a feature unit without
per-channel controls, and thus prevented the driver to work with any
device having such a unit, such as the RME Babyface or Fireface UCX.

Reported-by: Florian Hanisch <>
Tested-by: Matthew Robbetts <>
Tested-by: Michael Beer <>
Cc: Daniel Mack <>
Signed-off-by: Clemens Ladisch <>
Signed-off-by: Takashi Iwai <>
Signed-off-by: Ben Hutchings <>
8 years agocan: pch_can: fix invalid error codes
Olivier Sobrie [Fri, 18 Jan 2013 08:32:41 +0000 (09:32 +0100)]
can: pch_can: fix invalid error codes

commit ee50e135aeb048b90fab662e661c58b67341830b upstream.

Errors in CAN protocol (location) are reported in data[3] of the can
frame instead of data[2].

Signed-off-by: Olivier Sobrie <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Ben Hutchings <>
8 years agocan: ti_hecc: fix invalid error codes
Olivier Sobrie [Fri, 18 Jan 2013 08:32:40 +0000 (09:32 +0100)]
can: ti_hecc: fix invalid error codes

commit 71088c4bd9b8f8cbffb0e66f2abc14297e4b2ca8 upstream.

Errors in CAN protocol (location) are reported in data[3] of the can
frame instead of data[2].

Cc: Anant Gole <>
Signed-off-by: Olivier Sobrie <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Ben Hutchings <>
8 years agocan: c_can: fix invalid error codes
Olivier Sobrie [Fri, 18 Jan 2013 08:32:39 +0000 (09:32 +0100)]
can: c_can: fix invalid error codes

commit 6ea45886865c1abb01bb861f7f6bdd5d0f398cb3 upstream.

Errors in CAN protocol (location) are reported in data[3] of the can
frame instead of data[2].

Cc: Bhupesh Sharma <>
Signed-off-by: Olivier Sobrie <>
Signed-off-by: Marc Kleine-Budde <>
Signed-off-by: Ben Hutchings <>
8 years agox86/msr: Add capabilities check
Alan Cox [Thu, 15 Nov 2012 13:06:22 +0000 (13:06 +0000)]
x86/msr: Add capabilities check

commit c903f0456bc69176912dee6dd25c6a66ee1aed00 upstream.

At the moment the MSR driver only relies upon file system
checks. This means that anything as root with any capability set
can write to MSRs. Historically that wasn't very interesting but
on modern processors the MSRs are such that writing to them
provides several ways to execute arbitary code in kernel space.
Sample code and documentation on doing this is circulating and
MSR attacks are used on Windows 64bit rootkits already.

In the Linux case you still need to be able to open the device
file so the impact is fairly limited and reduces the security of
some capability and security model based systems down towards
that of a generic "root owns the box" setup.

Therefore they should require CAP_SYS_RAWIO to prevent an
elevation of capabilities. The impact of this is fairly minimal
on most setups because they don't have heavy use of
capabilities. Those using SELinux, SMACK or AppArmor rules might
want to consider if their rulesets on the MSR driver could be

Signed-off-by: Alan Cox <>
Cc: Linus Torvalds <>
Cc: Andrew Morton <>
Cc: Peter Zijlstra <>
Signed-off-by: Ingo Molnar <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/radeon: fix a rare case of double kfree
Ilija Hadzic [Wed, 23 Jan 2013 18:59:05 +0000 (13:59 -0500)]
drm/radeon: fix a rare case of double kfree

commit 1da80cfa8727abf404fcee44d04743febea54069 upstream.

If one (but not both) allocations of p->chunks[].kpage[]
in radeon_cs_parser_init fail, the error path will free
the successfully allocated page, but leave a stale pointer
value in the kpage[] field. This will later cause a
double-free when radeon_cs_parser_fini is called.
This patch fixes the issue by forcing both pointers to NULL
after kfree in the error path.

The circumstances under which the problem happens are very
rare. The card must be AGP and the system must run out of
kmalloc area just at the right time so that one allocation
succeeds, while the other fails.

Signed-off-by: Ilija Hadzic <>
Cc: Herton Ronaldo Krzesinski <>
Signed-off-by: Alex Deucher <>
[bwh: Backported to 3.2: s/p->chunk_ib_idx/i/]
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: dump UTS_RELEASE into the error_state
Daniel Vetter [Wed, 23 Jan 2013 15:16:35 +0000 (16:16 +0100)]
drm/i915: dump UTS_RELEASE into the error_state

commit 4518f611ba21ba165ea3714055938a8984a44ff9 upstream.

Useful for statistics or on overflowing bug reports to keep things all
lined up.

Reviewed-by: Chris Wilson <>
Signed-off-by: Daniel Vetter <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoiommu/intel: disable DMAR for g4x integrated gfx
Daniel Vetter [Sun, 20 Jan 2013 22:50:13 +0000 (23:50 +0100)]
iommu/intel: disable DMAR for g4x integrated gfx

commit 9452618e7462181ed9755236803b6719298a13ce upstream.

DMAR support on g4x/gm45 integrated gpus seems to be totally busted.
So don't bother, but instead disable it by default to allow distros to
unconditionally enable DMAR support.

v2: Actually wire up the right quirk entry, spotted by Adam Jackson.

Note that according to intel marketing materials only g45 and gm45
support DMAR/VT-d. So we have reports for all relevant gen4 pci ids by
now. Still, keep all the other gen4 ids in the quirk table in case the
marketing stuff confused me again, which would not be the first time.

Cc: Adam Jackson <>
Cc: David Woodhouse <>
Acked-By: David Woodhouse <>
Tested-by: stathis <>
Tested-by: Mihai Moldovan <>
Signed-off-by: Daniel Vetter <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for scanline waits
Chris Wilson [Sun, 20 Jan 2013 16:33:32 +0000 (16:33 +0000)]
drm/i915: GFX_MODE Flush TLB Invalidate Mode must be '1' for scanline waits

commit f05bb0c7b624252a5e768287e340e8e45df96e42 upstream.

On SNB, if bit 13 of GFX_MODE, Flush TLB Invalidate Mode, is not set to 1,
the hardware can not program the scanline values. Those scanline values
then control when the signal is sent from the display engine to the render
ring for MI_WAIT_FOR_EVENTs. Note setting this bit means that TLB
invalidations must be performed explicitly through the appropriate bits
being set in PIPE_CONTROL.

Signed-off-by: Chris Wilson <>
Reviewed-by: Ben Widawsky <>
Signed-off-by: Daniel Vetter <>
[bwh: Backported to 3.2: s/_MASKED_BIT/GFX_MODE/]
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: Disable AsyncFlip performance optimisations
Chris Wilson [Sun, 20 Jan 2013 16:11:20 +0000 (16:11 +0000)]
drm/i915: Disable AsyncFlip performance optimisations

commit 1c8c38c588ea91f8deeae21284840459d1bb58e3 upstream.

This is a required workarounds for all products, especially on gen6+
where it causes the command streamer to fail to parse instructions
following a WAIT_FOR_EVENT. We use WAIT_FOR_EVENT for synchronising
between the GPU and the display engines, and so this bit being unset may
cause hangs.

Signed-off-by: Chris Wilson <>
Reviewed-by: Imre Deak <>
Signed-off-by: Daniel Vetter <>
[bwh: Backported to 3.2:
 - Adjust context
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: Correct the bit number for the MI_FLUSH_ENABLE.
Eric Anholt [Thu, 19 Jan 2012 18:50:06 +0000 (10:50 -0800)]
drm/i915: Correct the bit number for the MI_FLUSH_ENABLE.

commit fc74d8e01165b567922921d110b6d16320a61fa6 upstream.

Older specs claimed this was bit 11, but newer specs and the actual
simulator code say it was bit 12.  Regardless, we don't use MI_FLUSH,
or try to enable it any more.

Signed-off-by: Eric Anholt <>
Reviewed-by: Kenneth Graunke <>
Reviewed-by: Ben Widawsky <>
[danvet: Anyone trying to use this bit, please read all the relevant
discussions, it's epic.]
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
8 years agodrm/i915: Remove the MI_FLUSH_ENABLE setting.
Eric Anholt [Thu, 19 Jan 2012 18:50:05 +0000 (10:50 -0800)]
drm/i915: Remove the MI_FLUSH_ENABLE setting.

commit 8d79c3490aecfe6e51f0ba6f9780746fb1434954 upstream.

We have always been using the wrong bit -- it's bit 12.  However, the
bit also doesn't do anything -- hardware has always accepted the
MI_FLUSH command even when it was specced not to.

Given that there is only one MI_FLUSH emitted in all of the driver
stack on gen6+ (in i965_video.c of the 2d driver, and it should be
using other code to do its flush instead), just remove the MI_FLUSH
enable instead of trying to fix it.

Signed-off-by: Eric Anholt <>
Reviewed-by: Kenneth Graunke <>
Reviewed-by: Ben Widawsky <>
Signed-off-by: Daniel Vetter <>
Signed-off-by: Ben Hutchings <>
8 years agomwifiex: fix typo in PCIe adapter NULL check
Avinash Patil [Tue, 22 Jan 2013 05:04:10 +0000 (21:04 -0800)]
mwifiex: fix typo in PCIe adapter NULL check

commit 83f0c6d1f502bd75bb4a9e31e8d64e59c6894ad1 upstream.

Add missing "!" as we are supposed to check "!card->adapter"
in PCIe suspend handler.

Signed-off-by: Avinash Patil <>
Signed-off-by: Bing Zhao <>
Reviewed-by: Sergey V. <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoath9k_hw: fix chain swap setting when setting rx chainmask to 5
Felix Fietkau [Sun, 20 Jan 2013 20:55:21 +0000 (21:55 +0100)]
ath9k_hw: fix chain swap setting when setting rx chainmask to 5

commit 24171dd92096fc370b195f3f6bdc0798855dc3f9 upstream.

Chain swapping should only be enabled when the EEPROM chainmask is set to 5,
regardless of what the runtime chainmask is.

Signed-off-by: Felix Fietkau <>
Signed-off-by: John W. Linville <>
[bwh: Backported to 3.2: keep the special case for AR_SREV_9462 here]
Signed-off-by: Ben Hutchings <>
8 years agoath9k_hw: fix calibration issues on chainmask that don't include chain 0
Felix Fietkau [Sun, 20 Jan 2013 20:55:20 +0000 (21:55 +0100)]
ath9k_hw: fix calibration issues on chainmask that don't include chain 0

commit 4a8f199508d79ff8a7d1e22f47b912baaf225336 upstream.

Signed-off-by: Felix Fietkau <>
Signed-off-by: John W. Linville <>
[bwh: Backported to 3.2: adjust context]
Signed-off-by: Ben Hutchings <>
8 years agoefi, x86: Pass a proper identity mapping in efi_call_phys_prelog
Nathan Zimmer [Tue, 8 Jan 2013 15:02:43 +0000 (09:02 -0600)]
efi, x86: Pass a proper identity mapping in efi_call_phys_prelog

commit b8f2c21db390273c3eaf0e5308faeaeb1e233840 upstream.

Update efi_call_phys_prelog to install an identity mapping of all available
memory.  This corrects a bug on very large systems with more then 512 GB in
which bios would not be able to access addresses above not in the mapping.

The result is a crash that looks much like this.

BUG: unable to handle kernel paging request at 000000effd870020
IP: [<0000000078bce331>] 0x78bce330
Oops: 0000 [#1] SMP
Modules linked in:
Pid: 0, comm: swapper/0 Tainted: G        W    3.8.0-rc1-next-20121224-medusa_ntz+ #2 Intel Corp. Stoutland Platform
RIP: 0010:[<0000000078bce331>]  [<0000000078bce331>] 0x78bce330
RSP: 0000:ffffffff81601d28  EFLAGS: 00010006
RAX: 0000000078b80e18 RBX: 0000000000000004 RCX: 0000000000000004
RDX: 0000000078bcf958 RSI: 0000000000002400 RDI: 8000000000000000
RBP: 0000000078bcf760 R08: 000000effd870000 R09: 0000000000000000
R10: 0000000000000000 R11: 00000000000000c3 R12: 0000000000000030
R13: 000000effd870000 R14: 0000000000000000 R15: ffff88effd870000
FS:  0000000000000000(0000) GS:ffff88effe400000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000effd870020 CR3: 000000000160c000 CR4: 00000000000006b0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Process swapper/0 (pid: 0, threadinfo ffffffff81600000, task ffffffff81614400)
 0000000078b80d18 0000000000000004 0000000078bced7b ffff880078b81fff
 0000000000000000 0000000000000082 0000000078bce3a8 0000000000002400
 0000000060000202 0000000078b80da0 0000000078bce45d ffffffff8107cb5a
Call Trace:
 [<ffffffff8107cb5a>] ? on_each_cpu+0x77/0x83
 [<ffffffff8102f4eb>] ? change_page_attr_set_clr+0x32f/0x3ed
 [<ffffffff81035946>] ? efi_call4+0x46/0x80
 [<ffffffff816c5abb>] ? efi_enter_virtual_mode+0x1f5/0x305
 [<ffffffff816aeb24>] ? start_kernel+0x34a/0x3d2
 [<ffffffff816ae5ed>] ? repair_env_string+0x60/0x60
 [<ffffffff816ae2be>] ? x86_64_start_reservations+0xba/0xc1
 [<ffffffff816ae120>] ? early_idt_handlers+0x120/0x120
 [<ffffffff816ae419>] ? x86_64_start_kernel+0x154/0x163
Code:  Bad RIP value.
RIP  [<0000000078bce331>] 0x78bce330
 RSP <ffffffff81601d28>
CR2: 000000effd870020
---[ end trace ead828934fef5eab ]---

Cc: Thomas Gleixner <>
Cc: Ingo Molnar <>
Cc: "H. Peter Anvin" <>
Signed-off-by: Nathan Zimmer <>
Signed-off-by: Robin Holt <>
Signed-off-by: Matt Fleming <>
Signed-off-by: Ben Hutchings <>
8 years agobrcmsmac: increase timer reference count for new timers only
Piotr Haber [Thu, 10 Jan 2013 10:20:48 +0000 (11:20 +0100)]
brcmsmac: increase timer reference count for new timers only

commit a1fe52801a992e590cdaee2fb47a94bac9b5da90 upstream.

On hardware reintialization reference count of
already existing timers would be increased again.
This leads to problems on module unloading.

Reviewed-by: Pieter-Paul Giesberts <>
Reviewed-by: Hante Meuleman <>
Reviewed-by: Arend van Spriel <>
Signed-off-by: Piotr Haber <>
Signed-off-by: Arend van Spriel <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoath9k: fix double-free bug on beacon generate failure
Felix Fietkau [Wed, 9 Jan 2013 15:16:53 +0000 (16:16 +0100)]
ath9k: fix double-free bug on beacon generate failure

commit 1adb2e2b5f85023d17eb4f95386a57029df27c88 upstream.

When the next beacon is sent, the ath_buf from the previous run is reused.
If getting a new beacon from mac80211 fails, bf->bf_mpdu is not reset, yet
the skb is freed, leading to a double-free on the next beacon tx attempt,
resulting in a system crash.

Signed-off-by: Felix Fietkau <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoath9k: do not link receive buffers during flush
Felix Fietkau [Wed, 9 Jan 2013 15:16:52 +0000 (16:16 +0100)]
ath9k: do not link receive buffers during flush

commit a3dc48e82bb146ef11cf75676c8410c1df29b0c4 upstream.

On AR9300 the rx FIFO needs to be empty during reset to ensure that no
further DMA activity is generated, otherwise it might lead to memory
corruption issues.

Signed-off-by: Felix Fietkau <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>
8 years agoath9k_htc: Fix memory leak
Sujith Manoharan [Wed, 9 Jan 2013 10:37:48 +0000 (16:07 +0530)]
ath9k_htc: Fix memory leak

commit 0981c3b24ef664f5611008a6e6d0622fac6d892b upstream.

SKBs that are allocated in the HTC layer do not have callbacks
registered and hence ended up not being freed, Fix this by freeing
them properly in the TX completion routine.

Reported-by: Larry Finger <>
Signed-off-by: Sujith Manoharan <>
Tested-by: Larry Finger <>
Signed-off-by: John W. Linville <>
Signed-off-by: Ben Hutchings <>