commit 5af6a275ed4145a26223f6ae1ecdab43262f12d8 Author: Greg Kroah-Hartman Date: Mon Mar 16 18:00:12 2009 -0700 Linux 2.6.27.20 commit f14b7f8d566e929aba7db0abf87f5e61420eb7d5 Author: Jean Delvare Date: Fri Mar 13 13:34:04 2009 +0100 hwmon: (it87) Properly decode -128 degrees C temperature commit e267d25005c861fe6afda343f044536342c9f8b4 upstream The it87 driver is reporting -128 degrees C as +128 degrees C. That's not a terribly likely temperature value but let's still get it right, especially when it simplifies the code. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 187203ae140ba1f2b617c3e9671f9e1fcb125a68 Author: Ralf Baechle Date: Thu Mar 5 11:45:48 2009 +0100 MIPS: compat: Implement is_compat_task. commit 4302e5d53b9166d45317e3ddf0a7a9dab3efd43b upstream. This is a build fix required after "x86-64: seccomp: fix 32/64 syscall hole" (commit 5b1017404aea6d2e552e991b3fd814d839e9cd67). MIPS doesn't have the issue that was fixed for x86-64 by that patch. This also doesn't solve the N32 issue which is that N32 seccomp processes will be treated as non-compat processes thus only have access to N64 syscalls. Signed-off-by: Ralf Baechle Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5b9c305d22fb08a6b62f407e187f8f2a5b91c54f Author: Jan Kara Date: Thu Mar 5 02:34:07 2009 -0500 ext4: Fix deadlock in ext4_write_begin() and ext4_da_write_begin() (cherry picked from commit ebd3610b110bbb18ea6f9f2aeed1e1068c537227) Functions ext4_write_begin() and ext4_da_write_begin() call grab_cache_page_write_begin() without AOP_FLAG_NOFS. Thus it can happen that page reclaim is triggered in that function and it recurses back into the filesystem (or some other filesystem). But this can lead to various problems as a transaction is already started at that point. Add the necessary flag. http://bugzilla.kernel.org/show_bug.cgi?id=11688 Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 3d2f446880e9c0cd89aed563dae0d34d379a0826 Author: Theodore Ts'o Date: Thu Mar 5 02:34:06 2009 -0500 ext4: Add fallback for find_group_flex (cherry picked from commit 05bf9e839d9de4e8a094274a0a2fd07beb47eaf1) This is a workaround for find_group_flex() which badly needs to be replaced. One of its problems (besides ignoring the Orlov algorithm) is that it is a bit hyperactive about returning failure under suspicious circumstances. This can lead to spurious ENOSPC failures even when there are inodes still available. Work around this for now by retrying the search using find_group_other() if find_group_flex() returns -1. If find_group_other() succeeds when find_group_flex() has failed, log a warning message. A better block/inode allocator that will fix this problem for real has been queued up for the next merge window. Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit e843ff53f46be9aab2db1d784b45bccfc3bd9257 Author: Dan Carpenter Date: Tue Feb 24 12:14:54 2009 -0500 ext4: Fix NULL dereference in ext4_ext_migrate()'s error handling (cherry picked from commit 090542641de833c6f756895fc2f139f046e298f9) This was found through a code checker (http://repo.or.cz/w/smatch.git/). It looks like you might be able to trigger the error by trying to migrate a readonly file system. Signed-off-by: Dan Carpenter Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 5c99a7b06f7691d6756a12f60bae9892187c98dd Author: Aneesh Kumar K.V Date: Tue Feb 24 12:14:53 2009 -0500 ext4: Initialize preallocation list_head's properly (cherry picked from commit d794bf8e0936dce45104565cd48c571061f4c1e3) When creating a new ext4_prealloc_space structure, we have to initialize its list_head pointers before we add them to any prealloc lists. Otherwise, with list debug enabled, we will get list corruption warnings. Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 9be67f0451236e7fe8cd0b75b610c37a736891d1 Author: Aneesh Kumar K.V Date: Tue Feb 24 12:14:52 2009 -0500 ext4: Fix lockdep warning (cherry picked from commit ba4439165f0f0d25b2fe065cf0c1ff8130b802eb) We should not call ext4_mb_add_n_trim while holding alloc_semp. ============================================= [ INFO: possible recursive locking detected ] 2.6.29-rc4-git1-dirty #124 --------------------------------------------- ffsb/3116 is trying to acquire lock: (&meta_group_info[i]->alloc_sem){----}, at: [] ext4_mb_load_buddy+0xd2/0x343 but task is already holding lock: (&meta_group_info[i]->alloc_sem){----}, at: [] ext4_mb_load_buddy+0xd2/0x343 http://bugzilla.kernel.org/show_bug.cgi?id=12672 Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 88798d5547218277d2c293c0d9da3edaddba6e66 Author: Wei Yongjun Date: Tue Feb 24 12:14:51 2009 -0500 ext4: Fix to read empty directory blocks correctly in 64k (cherry picked from commit 7be2baaa0322c59ba888aa5260a8c130666acd41) The rec_len field in the directory entry is 16 bits, so there was a problem representing rec_len for filesystems with a 64k block size in the case where the directory entry takes the entire 64k block. Unfortunately, there were two schemes that were proposed; one where all zeros meant 65536 and one where all ones (65535) meant 65536. E2fsprogs used 0, whereas the kernel used 65535. Oops. Fortunately this case happens extremely rarely, with the most common case being the lost+found directory, created by mke2fs. So we will be liberal in what we accept, and accept both encodings, but we will continue to encode 65536 as 65535. This will require a change in e2fsprogs, but with fortunately ext4 filesystems normally have the dir_index feature enabled, which precludes having a completely empty directory block. Signed-off-by: Wei Yongjun Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit fb05f46cabf4c96f5f8648c6a85d897ed57b1c94 Author: Jan Kara Date: Tue Feb 24 16:13:18 2009 -0500 jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate() (cherry picked from commit 7f5aa215088b817add9c71914b83650bdd49f8a9) If we race with commit code setting i_transaction to NULL, we could possibly dereference it. Proper locking requires the journal pointer (to access journal->j_list_lock), which we don't have. So we have to change the prototype of the function so that filesystem passes us the journal pointer. Also add a more detailed comment about why the function jbd2_journal_begin_ordered_truncate() does what it does and how it should be used. Thanks to Dan Carpenter for pointing to the suspitious code. Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Acked-by: Joel Becker CC: linux-ext4@vger.kernel.org CC: mfasheh@suse.de CC: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 5328f9688e849b1c06d0433424a6c1387a9ade04 Author: Jan Kara Date: Tue Feb 24 12:14:49 2009 -0500 Revert "ext4: wait on all pending commits in ext4_sync_fs()" (cherry picked from commit 9eddacf9e9c03578ef2c07c9534423e823d677f8) This undoes commit 14ce0cb411c88681ab8f3a4c9caa7f42e97a3184. Since jbd2_journal_start_commit() is now fixed to return 1 when we started a transaction commit, there's some transaction waiting to be committed or there's a transaction already committing, we don't need to call ext4_force_commit() in ext4_sync_fs(). Furthermore ext4_force_commit() can unnecessarily create sync transaction which is expensive so it's worthwhile to remove it when we can. http://bugzilla.kernel.org/show_bug.cgi?id=12224 Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Cc: Eric Sandeen Cc: linux-ext4@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit e62791a8c1aab4cb4fe22400627efd4e59ad3389 Author: Jan Kara Date: Tue Feb 24 12:14:48 2009 -0500 jbd2: Fix return value of jbd2_journal_start_commit() (cherry picked from commit c88ccea3143975294f5a52097546bcbb75975f52) The function jbd2_journal_start_commit() returns 1 if either a transaction is committing or the function has queued a transaction commit. But it returns 0 if we raced with somebody queueing the transaction commit as well. This resulted in ext4_sync_fs() not functioning correctly (description from Arthur Jones): In the case of a data=ordered umount with pending long symlinks which are delayed due to a long list of other I/O on the backing block device, this causes the buffer associated with the long symlinks to not be moved to the inode dirty list in the second phase of fsync_super. Then, before they can be dirtied again, kjournald exits, seeing the UMOUNT flag and the dirty pages are never written to the backing block device, causing long symlink corruption and exposing new or previously freed block data to userspace. This can be reproduced with a script created by Eric Sandeen : #!/bin/bash umount /mnt/test2 mount /dev/sdb4 /mnt/test2 rm -f /mnt/test2/* dd if=/dev/zero of=/mnt/test2/bigfile bs=1M count=512 touch /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename ln -s /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename /mnt/test2/link umount /mnt/test2 mount /dev/sdb4 /mnt/test2 ls /mnt/test2/ This patch fixes jbd2_journal_start_commit() to always return 1 when there's a transaction committing or queued for commit. Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" CC: Eric Sandeen CC: linux-ext4@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit 21d12f6a474585233db40b8ae9e16fff11c4b9e5 Author: Alexander Graf Date: Tue Mar 10 12:58:20 2009 +0100 Fix no_timer_check on x86_64 fixed upstream in 2.6.28 in merge of ioapic*.c for x86 In io_apic_32.c the logic of no_timer_check is "always make timer_irq_works return 1". Io_apic_64.c on the other hand checks for if (!no_timer_check && timer_irq_works()) basically meaning "make timer_irq_works fail" in the crucial first check. Now, in order to not move too much code, we can just reverse the logic here and should be fine off, basically rendering no_timer_check useful again. This issue seems to be resolved as of 2.6.28 by the merge of io_apic*.c, but still exists for at least 2.6.27. Signed-off-by: Alexander Graf Acked-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 8894aca848523fa914c248f24f50cf702884ee37 Author: Russell King Date: Wed Feb 25 21:36:29 2009 +0100 ARM: Add i2c_board_info for RiscPC PCF8583 commit 531660ef5604c75de6fdead9da1304051af17c09 upstream Add the necessary i2c_board_info structure to fix the lack of PCF8583 RTC on RiscPC. Signed-off-by: Russell King Signed-off-by: Jean Delvare Cc: Alessandro Zummo Signed-off-by: Greg Kroah-Hartman commit 95a003875dc31af043361167132f974ac5ab7611 Author: Sergei Shtylyov Date: Thu Mar 5 16:10:56 2009 +0100 ide-iops: fix odd-length ATAPI PIO transfers commit a509538d4fb4f99cdf0a095213d57cc3b2347615 upstream. Commit 9567b349f7e7dd7e2483db99ee8e4a6fe0caca38 (ide: merge ->atapi_*put_bytes and ->ata_*put_data methods) introduced a regression WRT the odd-length ATAPI PIO transfers -- the final word didn't get written (causing command timeouts). Signed-off-by: Sergei Shtylyov Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit faccffd54fa78cc094740ccc902e0a1189c61c27 Author: Roel Kluin Date: Wed Feb 25 21:26:21 2009 +0100 i2c: Timeouts reach -1 commit a746b578d8406b2db0e9f0d040061bc1f78433cf upstream With a postfix decrement these timeouts reach -1 rather than 0, but after the loop it is tested whether they have become 0. As pointed out by Jean Delvare, the condition we are waiting for should also be tested before the timeout. With the current order, you could exit with a timeout error while the job is actually done. Signed-off-by: Roel Kluin Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit b8d6b5d91b85c08b5f5df856d602fbb2c5da8162 Author: Roel Kluin Date: Wed Feb 25 21:24:40 2009 +0100 i2c: Fix misplaced parentheses commit f29d2e0275a4f03ef2fd158e484508dcb0c64efb upstream Fix misplaced parentheses. Signed-off-by: Roel Kluin Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 880ca8d4767bdf96a73d12d7d34cf7d8c0a1595f Author: Jean Delvare Date: Sat Feb 21 12:00:20 2009 +0100 hwmon: (f71882fg) Hide misleading error message commit 603eaa1bdd3e0402085e815cc531bb0a32827a9e upstream If the F71882FG chip is at address 0x4e, then the probe at 0x2e will fail with the following message in the logs: f71882fg: Not a Fintek device This is misleading because there is a Fintek device, just at a different address. So I propose to degrade this message to a debug message. Signed-off-by: Jean Delvare Acked-by: Hans de Goede commit ccb70f512886da9bd392d70c846f9110fd507544 Author: Henrique de Moraes Holschuh Date: Tue Feb 24 11:48:17 2009 -0300 ACPI: fix broken usage of name.ascii This issue was fixed indirectly in mainline by commit 0175d562a29ad052c510782c7e76bc63d5155b9b. acpi_namespace_node's name.ascii field is four chars, and not NULL- terminated except by pure luck. So, it cannot be used by sscanf() without a length restriction. This is the minimal fix for both stable 2.6.27 and 2.6.28. Signed-off-by: Henrique de Moraes Holschuh Cc: Lin Ming Cc: Len Brown Signed-off-by: Greg Kroah-Hartman commit 1252e72a3fc324dc381956a4231ceb91425329b3 Author: Hans Verkuil Date: Sat Feb 14 19:58:33 2009 -0300 V4L: ivtv: fix decoder crash regression (cherry picked from commit ac9575f75c52bcb455120f8c43376b556acba048) The video_ioctl2 conversion of ivtv in kernel 2.6.27 introduced a bug causing decoder commands to crash. The decoder commands should have been handled from the video_ioctl2 default handler, ensuring correct mapping of the argument between user and kernel space. Unfortunately they ended up before the video_ioctl2 call, causing random crashes. Thanks to hannes@linus.priv.at for testing and helping me track down the cause! Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit d9af68ea2c7935860e8922dd1a3389489a14b03f Author: Michael Krufky Date: Mon Jan 5 18:25:04 2009 -0300 V4L: tda8290: fix TDA8290 + TDA18271 initialization (cherry picked from commit 439b72b69e4992e9ec34b74304f0fa95623934eb) Don't call tda8290_init_tuner unless we have either a TDA8275 or TDA8275A present. Calling this function will cause a TDA18271 to get sick, so we should only call it when needed. Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 2440098611ecc3160c43f353f118b29f93916398 Author: Devin Heitmueller Date: Mon Jan 26 03:07:59 2009 -0300 DVB: s5h1409: Perform s5h1409 soft reset after tuning (cherry picked from commit 67e70baf043cfdcdaf5972bc94be82632071536b) Just like with the s5h1411, the s5h1409 needs a soft-reset in order for it to know that the tuner has been told to change frequencies. This change changes the behavior from "random tuning times between 500ms to complete tuning lock failures" to "tuning lock consistently within 700ms". Thanks to Robert Krakora for doing initial testing of the patch on the KWorld 330U. Thanks to Andy Walls for doing testing of the patch on the HVR-1600. Thanks to Michael Krufky for doing additional testing. Signed-off-by: Devin Heitmueller Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit fd65b61d50bfbe5437bf5d847c2ef7eba554b528 Author: Dmitriy Taychenachev Date: Tue Feb 24 18:42:48 2009 +0000 zaurus: add usb id for motomagx phones commit 52c0326beaa3cb0049d0f1c51c6ad5d4a04e4430 upstream. The Motorola MOTOMAGX phones (Z6, E8, Zn5 so far) are providing combined ACM/BLAN USB configuration. Since it has Vendor Specific class, the corresponding drivers (cdc-acm, zaurus) can't find it just by interface info. This patch adds usb id so the zaurus driver can properly handle this combined device. Signed-off-by: Dmitriy Taychenachev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d8e7babd7dc570e3b62cf82cdd9a4eb4aca6f45a Author: Jeremy Fitzhardinge Date: Wed Feb 25 09:42:25 2009 -0800 xen: disable interrupts early, as start_kernel expects commit 55d8085671863fe4ee6a17b7814bd38180a44e1d upstream. This avoids a lockdep warning from: if (DEBUG_LOCKS_WARN_ON(unlikely(!early_boot_irqs_enabled))) return; in trace_hardirqs_on_caller(); Signed-off-by: Jeremy Fitzhardinge Cc: Mark McLoughlin Cc: Xen-devel Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e91d89d68bf2255e0611e5b9fa833f873aef88dd Author: Jens Axboe Date: Tue Feb 24 08:10:09 2009 +0100 xen/blkfront: use blk_rq_map_sg to generate ring entries commit 9e973e64ac6dc504e6447d52193d4fff1a670156 upstream. On occasion, the request will apparently have more segments than we fit into the ring. Jens says: > The second problem is that the block layer then appears to create one > too many segments, but from the dump it has rq->nr_phys_segments == > BLKIF_MAX_SEGMENTS_PER_REQUEST. I suspect the latter is due to > xen-blkfront not handling the merging on its own. It should check that > the new page doesn't form part of the previous page. The > rq_for_each_segment() iterates all single bits in the request, not dma > segments. The "easiest" way to do this is to call blk_rq_map_sg() and > then iterate the mapped sg list. That will give you what you are > looking for. > Here's a test patch, compiles but otherwise untested. I spent more > time figuring out how to enable XEN than to code it up, so YMMV! > Probably the sg list wants to be put inside the ring and only > initialized on allocation, then you can get rid of the sg on stack and > sg_init_table() loop call in the function. I'll leave that, and the > testing, to you. [Moved sg array into info structure, and initialize once. -J] Signed-off-by: Jens Axboe Signed-off-by: Jeremy Fitzhardinge Cc: Sven Köhler Signed-off-by: Greg Kroah-Hartman commit 96fa432160ed7498b6c7b8b83eb89df9e265412e Author: Alok N Kataria Date: Wed Feb 18 12:33:55 2009 -0800 x86, vmi: TSC going backwards check in vmi clocksource commit 48ffc70b675aa7798a52a2e92e20f6cce9140b3d upstream. Impact: fix time warps under vmware Similar to the check for TSC going backwards in the TSC clocksource, we also need this check for VMI clocksource. Signed-off-by: Alok N Kataria Cc: Zachary Amsden Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4ad5471c089237a7efb11a8334e4f958ff7392a8 Author: Ingo Molnar Date: Thu Jan 29 11:45:35 2009 +0100 x86: tone down mtrr_trim_uncached_memory() warning commit bf3647c44bc76c43c4b2ebb4c37a559e899ac70e upstream. kerneloops.org is reporting a lot of these warnings that come due to vmware not setting up any MTRRs for emulated CPUs: | Reported 709 times (14696 total reports) | BIOS bug (often in VMWare) where the MTRR's are set up incorrectly | or not at all | | This warning was last seen in version 2.6.29-rc2-git1, and first | seen in 2.6.24. | | More info: | http://www.kerneloops.org/searchweek.php?search=mtrr_trim_uncached_memory Keep a one-liner KERN_INFO about it - so that we have so notice if empty MTRRs are caused by native hardware/BIOS weirdness. Signed-off-by: Ingo Molnar Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit b831908a2e351e501ce570a05a0d5a4cf48ff10e Author: Leann Ogasawara Date: Wed Mar 4 11:53:00 2009 -0800 x86: add Dell XPS710 reboot quirk commit dd4124a8a06bca89c077a16437edac010f0bb993 upstream. Dell XPS710 will hang on reboot. This is resolved by adding a quirk to set bios reboot. Signed-off-by: Leann Ogasawara Signed-off-by: Tim Gardner Cc: "manoj.iyer" LKML-Reference: <1236196380.3231.89.camel@emiko> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7e81fc96ffa21e3c65448e610d84348d5924d835 Author: Roland McGrath Date: Fri Feb 27 19:03:24 2009 -0800 x86-64: syscall-audit: fix 32/64 syscall hole commit ccbe495caa5e604b04d5a31d7459a6f6a76a756c upstream. On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details. Signed-off-by: Roland McGrath Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 47f5f3195be6fcaba3646c68b84704634f241d46 Author: Roland McGrath Date: Fri Feb 27 23:25:54 2009 -0800 x86-64: seccomp: fix 32/64 syscall hole commit 5b1017404aea6d2e552e991b3fd814d839e9cd67 upstream. On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases under CONFIG_SECCOMP=y, secure_computing() will use the wrong system call number table. The fix is simple: test TS_COMPAT instead of TIF_IA32. Here is an example exploit: /* test case for seccomp circumvention on x86-64 There are two failure modes: compile with -m64 or compile with -m32. The -m64 case is the worst one, because it does "chmod 777 ." (could be any chmod call). The -m32 case demonstrates it was able to do stat(), which can glean information but not harm anything directly. A buggy kernel will let the test do something, print, and exit 1; a fixed kernel will make it exit with SIGKILL before it does anything. */ #define _GNU_SOURCE #include #include #include #include #include #include #include int main (int argc, char **argv) { char buf[100]; static const char dot[] = "."; long ret; unsigned st[24]; if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0) perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?"); #ifdef __x86_64__ assert ((uintptr_t) dot < (1UL << 32)); asm ("int $0x80 # %0 <- %1(%2 %3)" : "=a" (ret) : "0" (15), "b" (dot), "c" (0777)); ret = snprintf (buf, sizeof buf, "result %ld (check mode on .!)\n", ret); #elif defined __i386__ asm (".code32\n" "pushl %%cs\n" "pushl $2f\n" "ljmpl $0x33, $1f\n" ".code64\n" "1: syscall # %0 <- %1(%2 %3)\n" "lretl\n" ".code32\n" "2:" : "=a" (ret) : "0" (4), "D" (dot), "S" (&st)); if (ret == 0) ret = snprintf (buf, sizeof buf, "stat . -> st_uid=%u\n", st[7]); else ret = snprintf (buf, sizeof buf, "result %ld\n", ret); #else # error "not this one" #endif write (1, buf, ret); syscall (__NR_exit, 1); return 2; } Signed-off-by: Roland McGrath [ I don't know if anybody actually uses seccomp, but it's enabled in at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 045b298368752a4eec3c8d8a754b6fa39a371a22 Author: Roland McGrath Date: Fri Feb 6 18:15:18 2009 -0800 x86-64: fix int $0x80 -ENOSYS return commit c09249f8d1b84344eca882547afdbffee8c09d14 upstream. One of my past fixes to this code introduced a different new bug. When using 32-bit "int $0x80" entry for a bogus syscall number, the return value is not correctly set to -ENOSYS. This only happens when neither syscall-audit nor syscall tracing is enabled (i.e., never seen if auditd ever started). Test program: /* gcc -o int80-badsys -m32 -g int80-badsys.c Run on x86-64 kernel. Note to reproduce the bug you need auditd never to have started. */ #include #include int main (void) { long res; asm ("int $0x80" : "=a" (res) : "0" (99999)); printf ("bad syscall returns %ld\n", res); return res != -ENOSYS; } The fix makes the int $0x80 path match the sysenter and syscall paths. Reported-by: Dmitry V. Levin Signed-off-by: Roland McGrath Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 69cb3cbb14ebd32513ab091307384e4e7fc62d72 Author: Jesse Sung Date: Fri Feb 20 21:13:45 2009 -0800 USB: option: add BenQ 3g modem information commit 28fb66821f884870987a0b5ab064ef651d9f7c16 upstream. This patch addes the BenQ 3g modem support to the option driver. From: Jesse Sung Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 94a9140639dbb00cf116d85a04c18b89b75078f4 Author: Karsten Wiese Date: Sun Feb 8 16:07:58 2009 -0800 USB: EHCI: slow down ITD reuse commit 9aa09d2f8f4bc440d6db1c3414d4009642875240 upstream. Currently ITDs are immediately recycled whenever their URB completes. However, EHCI hardware can sometimes remember some ITD state. This means that when the ITD is reused before end-of-frame it may sometimes cause the hardware to reference bogus state. This patch defers reusing such ITDs by moving them into a new ehci member cached_itd_list. ITDs resting in cached_itd_list are moved back into their stream's free_list once scan_periodic() detects that the active frame has elapsed. This makes the snd_usb_us122l driver (in kernel since .28) work right when it's hooked up through EHCI. [ dbrownell@users.sourceforge.net: comment fixups ] Signed-off-by: Karsten Wiese Tested-by: Philippe Carriere Tested-by: Federico Briata Signed-off-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 8555973ab88586b2704de1776af05e37880fbb26 Author: Clemens Ladisch Date: Tue Feb 17 09:50:30 2009 +0100 sound: virtuoso: revert "do not overwrite EEPROM on Xonar D2/D2X" commit 6ce6c473a7fd742fdb0db95841e2c4c6b37337c5 upstream. This reverts commit 7e86c0e6850504ec9516b953f316a47277825e33 ("do not overwrite EEPROM on Xonar D2/D2X") because it did not actually help with the problem. More user reports show that the overwriting of the EEPROM is not triggered by using this driver but by installing Linux, and that the installation of any other operating system (even one without any CMI8788 driver) has the same effect. In other words, the presence of this driver does not have any effect on the occurrence of the error. (So far, the available evidence seems to point to a BIOS bug.) Furthermore, it turns out that the EEPROM chip is protected against stray write commands by the command format and by requiring a separate write-enable command, so the error scenario in the previous commit (that SPI writes can be misinterpreted as an EEPROM write command) is not even theoretically possible. The mixer control that was removed as a consequence of the previous commit can only be partially emulated in userspace, which also means it cannot be seen be the in-kernel OSS API emulation, so it is better to revert that change. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c18c7e7a02d6d922dc937913560caedc2159bbcd Author: Clemens Ladisch Date: Mon Feb 16 15:22:39 2009 +0100 sound: usb-audio: fix uninitialized variable with M-Audio MIDI interfaces commit e156ac4c571e3be741bc411e58820b74a9295c72 upstream. Fix the snd_usbmidi_create_endpoints_midiman() function, which forgot to set the out_interval member of the endpoint info structure for Midiman/ M-Audio devices. Since kernel 2.6.24, any non-zero value makes the driver use interrupt transfers instead of bulk transfers. With EHCI controllers, these random interval values result in unbearably large latencies for output MIDI transfers. Signed-off-by: Clemens Ladisch Reported-by: David Tested-by: David Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e98972391b762e95e8345cb85715d682ba342941 Author: Francois Romieu Date: Mon Oct 20 23:37:55 2008 +0200 sis190: add identifier for Atheros AR8021 PHY commit 708f6e27c3f75166433b69174a8348308e55d073 upstream. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=10994 Contributed by pablomme@googlemail.com, coenraad@wish.org.za and a few others. Signed-off-by: Francois Romieu Signed-off-by: Jeff Garzik Cc: Daniel Drake Signed-off-by: Greg Kroah-Hartman commit 068c8059e492c269ae6291286e6d942cae652cb6 Author: Paul Moore Date: Fri Feb 20 16:33:02 2009 -0500 selinux: Fix the NetLabel glue code for setsockopt() commit 09c50b4a52c01a1f450b8eec819089e228655bfb upstream. At some point we (okay, I) managed to break the ability for users to use the setsockopt() syscall to set IPv4 options when NetLabel was not active on the socket in question. The problem was noticed by someone trying to use the "-R" (record route) option of ping: # ping -R 10.0.0.1 ping: record route: No message of desired type The solution is relatively simple, we catch the unlabeled socket case and clear the error code, allowing the operation to succeed. Please note that we still deny users the ability to override IPv4 options on socket's which have NetLabel labeling active; this is done to ensure the labeling remains intact. Signed-off-by: Paul Moore Signed-off-by: James Morris Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 480f51ace44e212fb825903c57d1535a9b01c1f5 Author: Paul Moore Date: Fri Feb 27 15:00:03 2009 -0500 selinux: Fix a panic in selinux_netlbl_inode_permission() commit d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02 upstream. Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission() caused by a certain sequence of SUNRPC operations. The problem appears to be due to the lack of NULL pointer checking in the function; this patch adds the pointer checks so the function will exit safely in the cases where the socket is not completely initialized. Signed-off-by: Paul Moore Signed-off-by: James Morris Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit b4604897bc55cc5caffee43cc62e1da174b9e3e4 Author: Helmut Schaa Date: Sat Feb 14 16:22:39 2009 +0100 sdhci: fix led naming commit 5dbace0c9ba110c1a3810a89fa6bf12b7574b5a3 upstream. Fix the led device naming for the sdhci driver. The led class documentation defines the led name to have the form "devicename:colour:function" while not applicable sections should be left blank. To comply with the documentation the led device name is changed from "mmc*" to "mmc*::". Signed-off-by: Helmut Schaa Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 3599c9c24e57eba1427c604e4a7ae3b0864affda Author: Faisal Latif Date: Thu Mar 12 14:34:59 2009 -0700 RDMA/nes: Don't allow userspace QPs to use STag zero commit c12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 upstream. STag zero is a special STag that allows consumers to access any bus address without registering memory. The nes driver unfortunately allows STag zero to be used even with QPs created by unprivileged userspace consumers, which means that any process with direct verbs access to the nes device can read and write any memory accessible to the underlying PCI device (usually any memory in the system). Such access is usually given for cluster software such as MPI to use, so this is a local privilege escalation bug on most systems running this driver. The driver was using STag zero to receive the last streaming mode data; to allow STag zero to be disabled for unprivileged QPs, the driver now registers a special MR for this data. Signed-off-by: Faisal Latif Signed-off-by: Roland Dreier Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit def2e147971257c20af00d3c0f4e3b87e1763495 Author: Helge Bahmann Date: Fri Feb 20 16:24:12 2009 +0300 proc: fix PG_locked reporting in /proc/kpageflags commit e07a4b9217d1e97d2f3a62b6b070efdc61212110 upstream. Expr always evaluates to zero. Cc: Matt Mackall Signed-off-by: Andrew Morton Signed-off-by: Alexey Dobriyan Signed-off-by: Greg Kroah-Hartman commit 3ae64442d1606bc985daf77b55c1d764b1d91c33 Author: Wu Fengguang Date: Wed Mar 11 09:00:04 2009 +0800 proc: fix kflags to uflags copying in /proc/kpageflags commit ad3bdefe877afb47480418fdb05ecd42842de65e upstream. Fix kpf_copy_bit(src,dst) to be kpf_copy_bit(dst,src) to match the actual call patterns, e.g. kpf_copy_bit(kflags, KPF_LOCKED, PG_locked). This misplacement of src/dst only affected reporting of PG_writeback, PG_reclaim and PG_buddy. For others kflags==uflags so not affected. Signed-off-by: Wu Fengguang Reviewed-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 12f6c7575ef7751cb5ac8b40dc0e477c53426bf9 Author: Michael Neuling Date: Thu Feb 19 18:52:20 2009 +0000 powerpc: Fix load/store float double alignment handler commit 49f297f8df9adb797334155470ea9ca68bdb041e upstream. When we introduced VSX, we changed the way FPRs are stored in the thread_struct. Unfortunately we missed the load/store float double alignment handler code when updating how we access FPRs in the thread_struct. Below fixes this and merges the little/big endian case. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit edefbccb4c061e26a7390ecaee6f2fc0c1399b32 Author: Alex Chiang Date: Sat Mar 7 19:35:47 2009 -0700 PCIe: portdrv: call pci_disable_device during remove commit d89987193631bf23d1735c55d13a06d4b8d0e9bd upstream. The PCIe port driver calls pci_enable_device() during probe but never calls pci_disable_device() during remove. Signed-off-by: Alex Chiang Signed-off-by: Matthew Wilcox Signed-off-by: Greg Kroah-Hartman commit 2f14915a7ca6811ad438c96b32bad42afb9937e8 Author: Andrew Patterson Date: Fri Feb 20 16:04:59 2009 -0700 PCI: Enable PCIe AER only after checking firmware support commit 1f9f13c8d59c1d8da1a602b71d1ab96d1d37d69e upstream. The PCIe port driver currently sets the PCIe AER error reporting bits for any root or switch port without first checking to see if firmware will grant control. This patch moves setting these bits to the AER service driver aer_enable_port routine. The bits are then set for the root port and any downstream switch ports after the check for firmware support (aer_osc_setup) is made. The patch also unsets the bits in a similar fashion when the AER service driver is unloaded. Reviewed-by: Alex Chiang Signed-off-by: Andrew Patterson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit ac1a22e11aceacf014c6de2cbe306fc7309800d4 Author: Alexander Duyck Date: Thu Mar 5 13:57:28 2009 -0500 PCI: Add PCI quirk to disable L0s ASPM state for 82575 and 82598 commit 649426efcfbc67a8b033497151816cbac9fd0cfa upstream. This patch is intended to disable L0s ASPM link state for 82598 (ixgbe) parts due to the fact that it is possible to corrupt TX data when coming back out of L0s on some systems. The workaround had been added for 82575 (igb) previously, but did not use the ASPM api. This quirk uses the ASPM api to prevent the ASPM subsystem from re-enabling the L0s state. Instead of adding the fix in igb to the ixgbe driver as well it was decided to move it into a pci quirk. It is necessary to move the fix out of the driver and into a pci quirk in order to prevent the issue from occuring prior to driver load to handle the possibility of the device being passed to a VM via direct assignment. Signed-off-by: Alexander Duyck Signed-off-by: Jeff Kirsher CC: Jesse Barnes Signed-off-by: Matthew Wilcox Signed-off-by: Greg Kroah-Hartman commit 30a6ba25f70615956b4e48d394d821e2e7092f40 Author: Will Newton Date: Tue Mar 10 12:55:53 2009 -0700 mtd_dataflash: fix probing of AT45DB321C chips. commit 229cc58ba2b5a83b0b55764c6cb98695c106238a upstream. Commit 771999b65f79264acde4b855e5d35696eca5e80c ("[MTD] DataFlash: bugfix, binary page sizes now handled") broke support for probing AT45DB321C flash chips. These chips do not support the "page size" status bit, so if we match the JEDEC id return early. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Will Newton Cc: David Woodhouse Acked-by: David Brownell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1195cc9072f2db757317877ae895276e2e4dd8f2 Author: Rabin Vincent Date: Fri Feb 13 22:55:26 2009 +0530 mmc_test: fix basic read test commit 58a5dd3e0e77029d3db1f8fa75d0b54b38169d5d upstream. Due to a typo in the Basic Read test, it's currently identical to the Basic Write test. Fix this. Signed-off-by: Rabin Vincent Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit dc0e461f5446621c2d4b872cf58a6ad329286ba9 Author: Ben Dooks Date: Thu Mar 12 14:31:33 2009 -0700 mmc: s3cmci: fix s3c2410_dma_config() arguments. commit 7c48ed3383bfb2106694807361ec187fe8a4333d upstream. The s3cmci driver is calling s3c2410_dma_config with incorrect data for the DCON register. The S3C2410_DCON_HWTRIG is implicit in the channel configuration and the device selection of S3C2410_DCON_CH0_SDI is incorrect as the DMA system may not select channel 0. Signed-off-by: Ben Dooks Acked-by: Pierre Ossman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d56e3f4ea3854531d1ab2bd6a490c3ea41c8d577 Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md/raid10: Don't skip more than 1 bitmap-chunk at a time during recovery. commit 09b4068a7fe442efc40e9dcbcf5ff37c3338ab15 upstream. When doing recovery on a raid10 with a write-intent bitmap, we only need to recovery chunks that are flagged in the bitmap. However if we choose to skip a chunk as it isn't flag, the code currently skips the whole raid10-chunk, thus it might not recovery some blocks that need recovering. This patch fixes it. In case that is confusing, it might help to understand that there is a 'raid10 chunk size' which guides how data is distributed across the devices, and a 'bitmap chunk size' which says how much data corresponds to a single bit in the bitmap. This bug only affects cases where the bitmap chunk size is smaller than the raid10 chunk size. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 87dcb6eae60dceb981fe931144d94b157a91f466 Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md/raid10: Don't call bitmap_cond_end_sync when we are doing recovery. commit 78200d45cde2a79c0d0ae0407883bb264caa3c18 upstream. For raid1/4/5/6, resync (fixing inconsistencies between devices) is very similar to recovery (rebuilding a failed device onto a spare). The both walk through the device addresses in order. For raid10 it can be quite different. resync follows the 'array' address, and makes sure all copies are the same. Recover walks through 'device' addresses and recreates each missing block. The 'bitmap_cond_end_sync' function allows the write-intent-bitmap (When present) to be updated to reflect a partially completed resync. It makes assumptions which mean that it does not work correctly for raid10 recovery at all. In particularly, it can cause bitmap-directed recovery of a raid10 to not recovery some of the blocks that need to be recovered. So move the call to bitmap_cond_end_sync into the resync path, rather than being in the common "resync or recovery" path. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit a9785b107920670a8ec8ef1744e0e0c59dde9eb4 Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md: avoid races when stopping resync. commit 73d5c38a9536142e062c35997b044e89166e063b upstream. There has been a race in raid10 and raid1 for a long time which has only recently started showing up due to a scheduler changed. When a sync_read request finishes, as soon as reschedule_retry is called, another thread can mark the resync request as having completed, so md_do_sync can finish, ->stop can be called, and ->conf can be freed. So using conf after reschedule_retry is not safe. Similarly, when finishing a sync_write, calling md_done_sync must be the last thing we do, as it allows a chain of events which will free conf and other data structures. The first of these requires action in raid10.c The second requires action in raid1.c and raid10.c Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 285ed5b1cedb3f043fa90f31deaa11f7c3ff4c76 Author: Tejun Heo Date: Wed Mar 4 15:59:30 2009 +0900 libata: make sure port is thawed when skipping resets commit d6515e6ff4ad3db4bd5ef2dd4e1026a7aca2482e upstream. When SCR access is available and the link is offline, softreset is skipped as it only wastes time and some controllers don't respond very well. However, the skip path forgot to thaw the port, which not only blocks further event notification from the port but also causes repeated EH invocations on the same event on drivers which rely on ->thaw() to clear events if the IRQ is shared with another device or port. This problem has always been there but is uncovered by recent sata_nv nf2/3 change which dropped hardreset support while maintaining SCR access. nf2/3 doesn't clear hotplug event mask from the interrupt handler but relies on ->thaw() to clear them. When the hardreset was there, the reset action was never skipped and the port was always thawed but, with the hardreset gone, ->prereset() determines that there's no need for softreset and both ->softreset() and ->thaw() are skipped. This leads to stuck hotplug event in the IRQ status register triggering hotplug event whenever IRQ is delieverd on the same IRQ. As the controller shares the same IRQ for both ports, this happens on every IO if one port is occpupied and the other isn't. This patch fixes the problem by making sure that the port is thawed on reset-skip path. bko#11615 reports this problem. Signed-off-by: Tejun Heo Cc: Robert Hancock Reported-by: Dan Andresan Reported-by: Arne Woerner Reported-by: Stefan Lippers-Hollmann Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit e241cac7d69d6ff6555866f45cc9163fa858133b Author: Robert Hancock Date: Mon Feb 16 20:15:08 2009 -0600 libata: Don't trust current capacity values in identify words 57-58 commit 968e594afdbc40b4270f9d4032ae8350475749d6 upstream. Hanno Böck reported a problem where an old Conner CP30254 240MB hard drive was reported as 1.1TB in capacity by libata: http://lkml.org/lkml/2009/2/13/134 This was caused by libata trusting the drive's reported current capacity in sectors in identify words 57 and 58 if the drive does not support LBA and the current CHS translation values appear valid. Unfortunately it seems older ATA specs were vague about what this field should contain and a number of drives used values with wrong byte order or that were totally bogus. There's no unique information that it conveys and so we can just calculate the number of sectors from the reported current CHS values. While we're at it, clean up this function to use named constants for the identify word values. Signed-off-by: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit de587ff55e743e913203b5962facb2440370654a Author: Adam Lackorzynski Date: Wed Feb 18 14:48:34 2009 -0800 jsm: additional device support commit ffa7525c13eb3db0fd19a3e1cffe2ce6f561f5f3 upstream. I have a Digi Neo 8 PCI card (114f:00b1) Serial controller: Digi International Digi Neo 8 (rev 05) that works with the jsm driver after using the following patch. Signed-off-by: Adam Lackorzynski Cc: Scott H Kilau Cc: Wendy Xiong Acked-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit d4ba53db2ea845ac7cad8a56d8fc40f1d8c250f4 Author: Lubomir Rintel Date: Tue Mar 10 12:55:54 2009 -0700 intel-agp: fix a panic with 1M of shared memory, no GTT entries commit 9c1e8a4ebcc04226cb6f3a1bf1d72f4cafd6b089 upstream. When GTT size is equal to amount of video memory, the amount of GTT entries is computed lower than zero, which is invalid and leads to off-by-one error in intel_i915_configure() Originally posted here: http://bugzilla.kernel.org/show_bug.cgi?id=12539 http://bugzilla.redhat.com/show_bug.cgi?id=445592 Signed-off-by: Lubomir Rintel Cc: Lubomir Rintel Cc: Dave Airlie Reviewed-by: Eric Anholt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 05965d62aff80fc6eef713e768ff4650aaf7af5c Author: Ingo Molnar Date: Wed Feb 18 14:48:43 2009 -0800 inotify: fix GFP_KERNEL related deadlock commit f04b30de3c82528f1ab4c58b3dd4c975f5341901 upstream. Enhanced lockdep coverage of __GFP_NOFS turned up this new lockdep assert: [ 1093.677775] [ 1093.677781] ================================= [ 1093.680031] [ INFO: inconsistent lock state ] [ 1093.680031] 2.6.29-rc5-tip-01504-gb49eca1-dirty #1 [ 1093.680031] --------------------------------- [ 1093.680031] inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage. [ 1093.680031] kswapd0/308 [HC0[0]:SC0[0]:HE1:SE1] takes: [ 1093.680031] (&inode->inotify_mutex){+.+.?.}, at: [] inotify_inode_is_dead+0x20/0x80 [ 1093.680031] {RECLAIM_FS-ON-W} state was registered at: [ 1093.680031] [] mark_held_locks+0x43/0x5b [ 1093.680031] [] lockdep_trace_alloc+0x6c/0x6e [ 1093.680031] [] kmem_cache_alloc+0x20/0x150 [ 1093.680031] [] idr_pre_get+0x27/0x6c [ 1093.680031] [] inotify_handle_get_wd+0x25/0xad [ 1093.680031] [] inotify_add_watch+0x7a/0x129 [ 1093.680031] [] sys_inotify_add_watch+0x20f/0x250 [ 1093.680031] [] sysenter_do_call+0x12/0x35 [ 1093.680031] [] 0xffffffff [ 1093.680031] irq event stamp: 60417 [ 1093.680031] hardirqs last enabled at (60417): [] call_rcu+0x53/0x59 [ 1093.680031] hardirqs last disabled at (60416): [] call_rcu+0x17/0x59 [ 1093.680031] softirqs last enabled at (59656): [] __do_softirq+0x157/0x16b [ 1093.680031] softirqs last disabled at (59651): [] do_softirq+0x74/0x15d [ 1093.680031] [ 1093.680031] other info that might help us debug this: [ 1093.680031] 2 locks held by kswapd0/308: [ 1093.680031] #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x36/0x189 [ 1093.680031] #1: (&type->s_umount_key#4){+++++.}, at: [] shrink_dcache_memory+0x110/0x1fb [ 1093.680031] [ 1093.680031] stack backtrace: [ 1093.680031] Pid: 308, comm: kswapd0 Not tainted 2.6.29-rc5-tip-01504-gb49eca1-dirty #1 [ 1093.680031] Call Trace: [ 1093.680031] [] valid_state+0x12a/0x13d [ 1093.680031] [] mark_lock+0xc1/0x1e9 [ 1093.680031] [] ? check_usage_forwards+0x0/0x3f [ 1093.680031] [] __lock_acquire+0x2c6/0xac8 [ 1093.680031] [] ? register_lock_class+0x17/0x228 [ 1093.680031] [] lock_acquire+0x5d/0x7a [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] __mutex_lock_common+0x3a/0x4cb [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] mutex_lock_nested+0x2e/0x36 [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] dentry_iput+0x90/0xc2 [ 1093.680031] [] d_kill+0x21/0x45 [ 1093.680031] [] __shrink_dcache_sb+0x27f/0x355 [ 1093.680031] [] shrink_dcache_memory+0x15e/0x1fb [ 1093.680031] [] shrink_slab+0x121/0x189 [ 1093.680031] [] kswapd+0x39f/0x561 [ 1093.680031] [] ? isolate_pages_global+0x0/0x233 [ 1093.680031] [] ? autoremove_wake_function+0x0/0x43 [ 1093.680031] [] ? kswapd+0x0/0x561 [ 1093.680031] [] kthread+0x41/0x82 [ 1093.680031] [] ? kthread+0x0/0x82 [ 1093.680031] [] kernel_thread_helper+0x7/0x10 inotify_handle_get_wd() does idr_pre_get() which does a kmem_cache_alloc() without __GFP_FS - and is hence deadlockable under extreme MM pressure. Signed-off-by: Ingo Molnar Acked-by: Peter Zijlstra Cc: MinChan Kim Cc: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 941dd445d5d79aef57ff825d337171a5e562ed81 Author: David Altobelli Date: Fri Feb 27 14:03:09 2009 -0800 hpilo: new pci device commit 31d8b5631f095cb7100cfccc95c801a2547ffe2b upstream. Future iLO devices will have an HP vendor id. Signed-off-by: David Altobelli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 26d68dcc4add0c1f6986d66863845240b4d5cd16 Author: Nick Piggin Date: Thu Mar 12 14:31:38 2009 -0700 fs: new inode i_state corruption fix commit 7ef0d7377cb287e08f3ae94cebc919448e1f5dff upstream. There was a report of a data corruption http://lkml.org/lkml/2008/11/14/121. There is a script included to reproduce the problem. During testing, I encountered a number of strange things with ext3, so I tried ext2 to attempt to reduce complexity of the problem. I found that fsstress would quickly hang in wait_on_inode, waiting for I_LOCK to be cleared, even though instrumentation showed that unlock_new_inode had already been called for that inode. This points to memory scribble, or synchronisation problme. i_state of I_NEW inodes is not protected by inode_lock because other processes are not supposed to touch them until I_LOCK (and I_NEW) is cleared. Adding WARN_ON(inode->i_state & I_NEW) to sites where we modify i_state revealed that generic_sync_sb_inodes is picking up new inodes from the inode lists and passing them to __writeback_single_inode without waiting for I_NEW. Subsequently modifying i_state causes corruption. In my case it would look like this: CPU0 CPU1 unlock_new_inode() __sync_single_inode() reg <- inode->i_state reg -> reg & ~(I_LOCK|I_NEW) reg <- inode->i_state reg -> inode->i_state reg -> reg | I_SYNC reg -> inode->i_state Non-atomic RMW on CPU1 overwrites CPU0 store and sets I_LOCK|I_NEW again. Fix for this is rather than wait for I_NEW inodes, just skip over them: inodes concurrently being created are not subject to data integrity operations, and should not significantly contribute to dirty memory either. After this change, I'm unable to reproduce any of the added warnings or hangs after ~1hour of running. Previously, the new warnings would start immediately and hang would happen in under 5 minutes. I'm also testing on ext3 now, and so far no problems there either. I don't know whether this fixes the problem reported above, but it fixes a real problem for me. Cc: "Jorge Boncompte [DTI2]" Reported-by: Adrian Hunter Cc: Jan Kara Signed-off-by: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f5ab9014ca6ba959929e5533875f0a61fd6afb29 Author: Meelis Roos Date: Tue Feb 10 17:19:19 2009 -0800 fore200: fix oops on failed firmware load commit fcffd0d8bbddac757cd856e635ac75e8eb4518bc upstream. Fore 200 ATM driver fails to handle request_firmware failures and oopses when no firmware file was found. Fix it by checking for the right return values and propaganting the return value up. Signed-off-by: Meelis Roos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 44b576776241240f03fcf5981fc7d16f3a927b5b Author: Heiko Carstens Date: Mon Mar 9 13:31:59 2009 +0100 Fix fixpoint divide exception in acct_update_integrals commit 6d5b5acca9e566515ef3f1ed617e7295c4f94345 upstream. Frans Pop reported the crash below when running an s390 kernel under Hercules: Kernel BUG at 000738b4 verbose debug info unavailable! fixpoint divide exception: 0009 #1! SMP Modules linked in: nfs lockd nfs_acl sunrpc ctcm fsm tape_34xx cu3088 tape ccwgroup tape_class ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod dasd_eckd_mod dasd_mod CPU: 0 Not tainted 2.6.27.19 #13 Process awk (pid: 2069, task: 0f9ed9b8, ksp: 0f4f7d18) Krnl PSW : 070c1000 800738b4 (acct_update_integrals+0x4c/0x118) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:1 PM:0 Krnl GPRS: 00000000 000007d0 7fffffff fffff830 00000000 ffffffff 00000002 0f9ed9b8 00000000 00008ca0 00000000 0f9ed9b8 0f9edda4 8007386e 0f4f7ec8 0f4f7e98 Krnl Code: 800738aa: a71807d0 lhi %r1,2000 800738ae: 8c200001 srdl %r2,1 800738b2: 1d21 dr %r2,%r1 >800738b4: 5810d10e l %r1,270(%r13) 800738b8: 1823 lr %r2,%r3 800738ba: 4130f060 la %r3,96(%r15) 800738be: 0de1 basr %r14,%r1 800738c0: 5800f060 l %r0,96(%r15) Call Trace: ( <000000000004fdea>! blocking_notifier_call_chain+0x1e/0x2c) <0000000000038502>! do_exit+0x106/0x7c0 <0000000000038c36>! do_group_exit+0x7a/0xb4 <0000000000038c8e>! SyS_exit_group+0x1e/0x30 <0000000000021c28>! sysc_do_restart+0x12/0x16 <0000000077e7e924>! 0x77e7e924 Reason for this is that cpu time accounting usually only happens from interrupt context, but acct_update_integrals gets also called from process context with interrupts enabled. So in acct_update_integrals we may end up with the following scenario: Between reading tsk->stime/tsk->utime and tsk->acct_timexpd an interrupt happens which updates accouting values. This causes acct_timexpd to be greater than the former stime + utime. The subsequent calculation of dtime = cputime_sub(time, tsk->acct_timexpd); will be negative and the division performed by cputime_to_jiffies(dtime) will generate an exception since the result won't fit into a 32 bit register. In order to fix this just always disable interrupts while accessing any of the accounting values. Reported by: Frans Pop Tested by: Frans Pop Cc: Martin Schwidefsky Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6437d6f99da2b1bdd6105f6f6467102bb937bc23 Author: Oleg Nesterov Date: Mon Mar 2 22:58:45 2009 +0100 copy_process: fix CLONE_PARENT && parent_exec_id interaction commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205 upstream. CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we re-use the old parent, we must also re-use ->parent_exec_id to make sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed task exits. Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place two different cases together. Signed-off-by: Oleg Nesterov Cc: Roland McGrath Cc: Andrew Morton Cc: David Howells Cc: Serge E. Hallyn Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 360a98ed7849323bedc8ccf75fed49701db8a03c Author: Bjørn Mork Date: Wed Feb 25 04:33:58 2009 +0000 cdc_ether: add usb id for Ericsson F3507g commit cac477e8f1038c41b6f29d3161ce351462ef3df7 upstream. The Ericsson F3507g wireless broadband module provides a CDC Ethernet compliant interface, but identifies it as a "Mobile Direct Line" CDC subclass, thereby preventing the CDC Ethernet class driver from picking it up. This patch adds the device id to cdc_ether.c as a workaround. Ericsson has provided a "class" driver for this device: http://kerneltrap.org/mailarchive/linux-net/2008/10/28/3832094 But closer inspection of that driver reveals that it adds little more than duplication of code from cdc_ether.c. See also http://marc.info/?l=linux-usb&m=123334979706403&w=2 Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7fca6093d8736490a8a226d54ae5f0229f31966f Author: Greg Kroah-Hartman Date: Tue Feb 24 23:52:24 2009 -0800 asix: new device ids commit fef7cc0893146550b286b13c0e6e914556142730 upstream. This patch adds two new device ids to the asix driver. One comes directly from the asix driver on their web site, the other was reported by Armani Liao as needed for the MSI X320 to get the driver to work properly for it. Reported-by: Armani Liao Signed-off-by: Greg Kroah-Hartman Signed-off-by: David S. Miller commit 0a30057e7d3fc194cfdd81a9983c3c645f962749 Author: Joris van Rantwijk Date: Mon Feb 16 22:58:23 2009 +0100 ALSA: usb-audio - Workaround for misdetected sample rate with CM6207 commit 3b03cc5b86e2052295b9b484f37226ee15c87924 upstream. The CM6207 incorrectly advertises its 96 kHz playback setting as 48 kHz in its USB device descriptor. This patch extends an existing workaround in usbaudio.c to also cover the CM6207. This resolves issue 0004249 in the ALSA bug tracker. Signed-off-by: Joris van Rantwijk Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 052bfb327a2624ac0cc36a4a0a420488bc28b363 Author: Takashi Iwai Date: Mon Feb 16 22:48:12 2009 +0100 ALSA: usb-audio - Fix non-continuous rate detection commit 0412558c873f716efe902b397af0653a550f7341 upstream. The detection of non-continuous rates (given via rate tables) isn't processed properly (e.g. for type II). This patch fixes and simplifies the detection code. Tested-by: Joris van Rantwijk Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 680e9398245ae6d34419624cfa716b13dd2bb0b7 Author: Luke Yelavich Date: Mon Feb 23 13:00:33 2009 +1100 ALSA: hda - add another MacBook Pro 3,1 SSID commit 2d4663816064fabb68935f920bbd7ccdc7f9392d upstream. Reference: Ubuntu bug #33245 https://bugs.launchpad.net/bugs/332456 Signed-off-by: Luke Yelavich Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 25ccc3009c9715ed86b5bde05416863dc4e25c56 Author: Steve Chen Date: Sat Feb 21 08:05:04 2009 -0600 ALSA: fix excessive background noise introduced by OSS emulation rate shrink commit 5370d96f85962769ea3df3a81cc885f257c51589 upstream. Incorrect variable was used to get the next sample which caused S2 to be stuck with the same value resulting in loud background noise. Signed-off-by: Steve Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2b5934e976dc1be635c76af82e994fe62252394b Author: Anssi Hannula Date: Sun Feb 22 14:42:54 2009 +0200 ALSA: aw2: do not grab every saa7146 based device commit e8bf069c419c1dc0657e02636441fe1179a9db14 upstream. Audiowerk2 driver snd-aw2 is bound to any saa7146 device as it does not check subsystem ids. Many DVB devices are saa7146 based, so aw2 driver grabs them as well. According to http://lkml.org/lkml/2008/10/15/311 aw2 devices have the subsystem ids set to 0, the saa7146 default. Fix conflicts with DVB devices by checking for subsystem ids = 0 specifically. Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2e7db0feff88e28ca6fbdadf46ab4ae061ff59b8 Author: Mauro Carvalho Chehab Date: Fri Feb 20 15:38:52 2009 -0800 8250: fix boot hang with serial console when using with Serial Over Lan port commit b6adea334c6c89d5e6c94f9196bbf3a279cb53bd upstream. Intel 8257x Ethernet boards have a feature called Serial Over Lan. This feature works by emulating a serial port, and it is detected by kernel as a normal 8250 port. However, this emulation is not perfect, as also noticed on changeset 7500b1f602aad75901774a67a687ee985d85893f. Before this patch, the kernel were trying to check if the serial TX is capable of work using IRQ's. This were done with a code similar this: serial_outp(up, UART_IER, UART_IER_THRI); lsr = serial_in(up, UART_LSR); iir = serial_in(up, UART_IIR); serial_outp(up, UART_IER, 0); if (lsr & UART_LSR_TEMT && iir & UART_IIR_NO_INT) up->bugs |= UART_BUG_TXEN; This works fine for other 8250 ports, but, on 8250-emulated SoL port, the chip is a little lazy to down UART_IIR_NO_INT at UART_IIR register. Due to that, UART_BUG_TXEN is sometimes enabled. However, as TX IRQ keeps working, and the TX polling is now enabled, the driver miss-interprets the IRQ received later, hanging up the machine until a key is pressed at the serial console. This is the 6 version of this patch. Previous versions were trying to introduce a large enough delay between serial_outp and serial_in(up, UART_IIR), but not taking forever. However, the needed delay couldn't be safely determined. At the experimental tests, a delay of 1us solves most of the cases, but still hangs sometimes. Increasing the delay to 5us was better, but still doesn't solve. A very high delay of 50 ms seemed to work every time. However, poking around with delays and pray for it to be enough doesn't seem to be a good approach, even for a quirk. So, instead of playing with random large arbitrary delays, let's just disable UART_BUG_TXEN for all SoL ports. [akpm@linux-foundation.org: fix warnings] Signed-off-by: Mauro Carvalho Chehab Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5c3ffea8da2f2e19ce9f795eeba93a5ddb567a56 Author: Phil Sutter Date: Sun Feb 8 16:44:42 2009 +0100 WATCHDOG: rc32434_wdt: fix sections commit d9a8798c4bab5ccd40e45e011f668099cfb3eb83 upstream. Fix init and exit sections. Signed-off-by: Phil Sutter Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 6460528633c6a33cb6a627bbe9315a6175f48c0c Author: Phil Sutter Date: Sun Feb 8 16:44:42 2009 +0100 WATCHDOG: rc32434_wdt: fix watchdog driver commit 0af98d37e85e6958eb84987b1f60da3b54008317 upstream. The existing driver code wasn't working. Neither the timeout was set correctly, nor system reset was being triggered, as the driver seemed to keep the WDT alive himself. There was also some unnecessary code. Signed-off-by: Phil Sutter Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit fe95f32a4b867d05fe4d8c0132015faf3a0b8921 Author: Alexey Dobriyan Date: Thu Feb 12 13:42:41 2009 +0300 WATCHDOG: ks8695_wdt.c: 'CLOCK_TICK_RATE' undeclared commit b02c387892fc6b3cc59c78ab2f79413d55f50190 upstream. On arm-acs5k_tiny: drivers/watchdog/ks8695_wdt.c:68: error: 'CLOCK_TICK_RATE' undeclared (first use in this function) Signed-off-by: Alexey Dobriyan Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit eb24b5c0be217093d84d10f6bc852efd72bb7f21 Author: Alan Stern Date: Mon Feb 23 12:02:05 2009 -0500 USB: usb-storage: add IGNORE_RESIDUE flag for Genesys Logic adapters commit 5126a2674ddac0804450f59da25a058cca629d38 upstream. This patch (as1219) adds the IGNORE_RESIDUE flag to the unusual_devs entries for Genesys Logic's USB-IDE adapter. Although this device usually gets the residue correct, there is one command crucial to the operation of CD and DVD drives which it messes up. Tested-by: Mike Lampard Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 030b079bbda2a3b1c37198b62bd955f2da0b9172 Author: Alan Stern Date: Fri Feb 20 16:33:08 2009 -0500 USB: usb_get_string should check the descriptor type commit 67f5a4ba9741fcef3f4db3509ad03565d9e33af2 upstream. This patch (as1218) fixes a problem with a radio-control joystick used in the "walkera 4#3" helicopter. This device responds to the initial Get-String-Descriptor request for string 0 (which is really the list of supported languages) by sending its config descriptor! The usb_get_string() routine needs to check whether it got the right type of descriptor. Oddly enough, this sort of check is already present in usb_get_descriptor(). The patch changes the error code from -EPROTO to -ENODATA, because -EPROTO shows up in so many other contexts to indicate a hardware failure rather than a firmware error. Signed-off-by: Alan Stern Tested-by: Guillermo Jarabo Signed-off-by: Greg Kroah-Hartman commit b61e99b179056c29db2c29c353b8243e4943b296 Author: Dmitriy Taychenachev Date: Wed Feb 25 12:36:51 2009 +0800 USB: cdc-acm: add usb id for motomagx phones commit 155df65ae11dfc322214c6f887185929c809df1b upstream. The Motorola MOTOMAGX phones (Z6, E8, Zn5 so far) are providing combined ACM/BLAN USB configuration. Since it has Vendor Specific class, the corresponding drivers (cdc-acm, zaurus) can't find it just by interface info. This patch adds usb id so the cdc-acm driver can properly handle this combined device. Signed-off-by: Dmitriy Taychenachev Signed-off-by: Greg Kroah-Hartman commit 067d0083685ed743f17049fa74b80b7fd20e290c Author: Davide Libenzi Date: Wed Feb 18 14:48:18 2009 -0800 timerfd: add flags check commit 610d18f4128ebbd88845d0fc60cce67b49af881e upstream. As requested by Michael, add a missing check for valid flags in timerfd_settime(), and make it return EINVAL in case some extra bits are set. Michael said: If this is to be any use to userland apps that want to check flag support (perhaps it is too late already), then the sooner we get it into the kernel the better: 2.6.29 would be good; earlier stables as well would be even better. [akpm@linux-foundation.org: remove unused TFD_FLAGS_SET] Acked-by: Michael Kerrisk Signed-off-by: Davide Libenzi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4a61d3855a95e6e513be5bdfed536d071b853904 Author: Tejun Heo Date: Sat Feb 21 11:04:45 2009 +0900 SCSI: sd: revive sd_index_lock commit 4034cc68157bfa0b6622efe368488d3d3e20f4e6 upstream. Commit f27bac2761cab5a2e212dea602d22457a9aa6943 which converted sd to use ida instead of idr incorrectly removed sd_index_lock around id allocation and free. idr/ida do have internal locks but they protect their free object lists not the allocation itself. The caller is responsible for that. This missing synchronization led to the same id being assigned to multiple devices leading to oops. Reported and tracked down by Stuart Hayes of Dell. Signed-off-by: Tejun Heo Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 8d9799ed7a1c0d64c693aacba29fda4bce14102f Author: HighPoint Linux Team Date: Thu Feb 12 11:28:31 2009 +0800 SCSI: hptiop: Add new PCI device ID commit b73a77494292b930642fbf87de3e3196593f7593 upstream. Signed-off-by: HighPoint Linux Team Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit cd2939e01cc5ce1280691c0b7e015ea5d00614b7 Author: Larry Finger Date: Tue Feb 17 14:31:12 2009 -0600 rtl8187: New USB ID's for RTL8187L commit 046ee5d26ac91316a8ac0a29c0b33139dc9da20d upstream. Add new USB ID codes. These come from two postings on forums and mailing lists, and four are derived from the .inf that accompanies the latest Realtek Windows driver for the RTL8187L. Thanks to Viktor Ilijašić and Xose Vazquez Perez for reporting these new ID's. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d41b7af376129513e47bbc439bd81f8646ed6db0 Author: Yinghai Lu Date: Tue Feb 17 20:40:09 2009 -0800 PCI quirk: enable MSI on 8132 commit e0ae4f5503235ba4449ffb5bcb4189edcef4d584 upstream. David reported that LSI SAS doesn't work with MSI. It turns out that his BIOS doesn't enable it, but the HT MSI 8132 does support HT MSI. Add quirk to enable it Reported-by: David Lang Signed-off-by: Yinghai Lu Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 9d126f32c569c747d2103156fef6033e6444804d Author: KAMEZAWA Hiroyuki Date: Wed Feb 18 14:48:33 2009 -0800 mm: fix memmap init for handling memory hole commit cc2559bccc72767cb446f79b071d96c30c26439b upstream. Now, early_pfn_in_nid(PFN, NID) may returns false if PFN is a hole. and memmap initialization was not done. This was a trouble for sparc boot. To fix this, the PFN should be initialized and marked as PG_reserved. This patch changes early_pfn_in_nid() return true if PFN is a hole. Signed-off-by: KAMEZAWA Hiroyuki Reported-by: David Miller Tested-by: KOSAKI Motohiro Cc: Mel Gorman Cc: Heiko Carstens Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 819aa5607804c588ea669584bbeb8f92df021022 Author: KAMEZAWA Hiroyuki Date: Wed Feb 18 14:48:32 2009 -0800 mm: clean up for early_pfn_to_nid() commit f2dbcfa738368c8a40d4a5f0b65dc9879577cb21 upstream. What's happening is that the assertion in mm/page_alloc.c:move_freepages() is triggering: BUG_ON(page_zone(start_page) != page_zone(end_page)); Once I knew this is what was happening, I added some annotations: if (unlikely(page_zone(start_page) != page_zone(end_page))) { printk(KERN_ERR "move_freepages: Bogus zones: " "start_page[%p] end_page[%p] zone[%p]\n", start_page, end_page, zone); printk(KERN_ERR "move_freepages: " "start_zone[%p] end_zone[%p]\n", page_zone(start_page), page_zone(end_page)); printk(KERN_ERR "move_freepages: " "start_pfn[0x%lx] end_pfn[0x%lx]\n", page_to_pfn(start_page), page_to_pfn(end_page)); printk(KERN_ERR "move_freepages: " "start_nid[%d] end_nid[%d]\n", page_to_nid(start_page), page_to_nid(end_page)); ... And here's what I got: move_freepages: Bogus zones: start_page[2207d0000] end_page[2207dffc0] zone[fffff8103effcb00] move_freepages: start_zone[fffff8103effcb00] end_zone[fffff8003fffeb00] move_freepages: start_pfn[0x81f600] end_pfn[0x81f7ff] move_freepages: start_nid[1] end_nid[0] My memory layout on this box is: [ 0.000000] Zone PFN ranges: [ 0.000000] Normal 0x00000000 -> 0x0081ff5d [ 0.000000] Movable zone start PFN for each node [ 0.000000] early_node_map[8] active PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00020000 [ 0.000000] 1: 0x00800000 -> 0x0081f7ff [ 0.000000] 1: 0x0081f800 -> 0x0081fe50 [ 0.000000] 1: 0x0081fed1 -> 0x0081fed8 [ 0.000000] 1: 0x0081feda -> 0x0081fedb [ 0.000000] 1: 0x0081fedd -> 0x0081fee5 [ 0.000000] 1: 0x0081fee7 -> 0x0081ff51 [ 0.000000] 1: 0x0081ff59 -> 0x0081ff5d So it's a block move in that 0x81f600-->0x81f7ff region which triggers the problem. This patch: Declaration of early_pfn_to_nid() is scattered over per-arch include files, and it seems it's complicated to know when the declaration is used. I think it makes fix-for-memmap-init not easy. This patch moves all declaration to include/linux/mm.h After this, if !CONFIG_NODES_POPULATES_NODE_MAP && !CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID -> Use static definition in include/linux/mm.h else if !CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID -> Use generic definition in mm/page_alloc.c else -> per-arch back end function will be called. Signed-off-by: KAMEZAWA Hiroyuki Tested-by: KOSAKI Motohiro Reported-by: David Miller Cc: Mel Gorman Cc: Heiko Carstens Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 662f8bb08ee7875c6f25047256b2336104e3e98f Author: Thomas Gleixner Date: Mon Feb 16 21:29:31 2009 +0100 JFFS2: fix mount crash caused by removed nodes commit 4c41bd0ec953954158f92bed5d3062645062b98e upstream. At scan time we observed following scenario: node A inserted node B inserted node C inserted -> sets overlapped flag on node B node A is removed due to CRC failure -> overlapped flag on node B remains while (tn->overlapped) tn = tn_prev(tn); ==> crash, when tn_prev(B) is referenced. When the ultimate node is removed at scan time and the overlapped flag is set on the penultimate node, then nothing updates the overlapped flag of that node. The overlapped iterators blindly expect that the ultimate node does not have the overlapped flag set, which causes the scan code to crash. It would be a huge overhead to go through the node chain on node removal and fix up the overlapped flags, so detecting such a case on the fly in the overlapped iterators is a simpler and reliable solution. Signed-off-by: Thomas Gleixner Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit fbb38fcb8e793f5df68be9992354d9d50cbd41ea Author: Steve French Date: Tue Feb 17 01:29:40 2009 +0000 Fix oops in cifs_strfromUCS_le mounting to servers which do not specify their OS commit 69765529d701c838df19ea1f5ad2f33a528261ae upstream. Fixes kernel bug #10451 http://bugzilla.kernel.org/show_bug.cgi?id=10451 Certain NAS appliances do not set the operating system or network operating system fields in the session setup response on the wire. cifs was oopsing on the unexpected zero length response fields (when trying to null terminate a zero length field). This fixes the oops. Acked-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 4eb4e67499139d894b8c171fee87dbefb1562f35 Author: Ed Cashin Date: Wed Feb 18 14:48:13 2009 -0800 aoe: ignore vendor extension AoE responses commit b6d6c5175809934e04a606d9193ef04924a7a7d9 upstream. The Welland ME-747K-SI AoE target generates unsolicited AoE responses that are marked as vendor extensions. Instead of ignoring these packets, the aoe driver was generating kernel messages for each unrecognized response received. This patch corrects the behavior. Signed-off-by: Ed Cashin Reported-by: Tested-by: Cc: Alex Buell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c9e379b2ff781abc305a6e093aec8971fcd930c3 Author: Bill Nottingham Date: Wed Feb 18 14:48:39 2009 -0800 vt: Declare PIO_CMAP/GIO_CMAP as compatbile ioctls. commit 2db69a9340da12a4db44edb7506dd68799aeff55 upstream. Otherwise, these don't work when called from 32-bit userspace on 64-bit kernels. Cc: Jiri Kosina Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a67036940686aa5df75e3c83fb81e53e60821c51 Author: Eric Biederman Date: Wed Feb 18 14:48:16 2009 -0800 seq_file: properly cope with pread commit 8f19d472935c83d823fa4cf02bcc0a7b9952db30 upstream. Currently seq_read assumes that the offset passed to it is always the offset it passed to user space. In the case pread this assumption is broken and we do the wrong thing when presented with pread. To solve this I introduce an offset cache inside of struct seq_file so we know where our logical file position is. Then in seq_read if we try to read from another offset we reset our data structures and attempt to go to the offset user space wanted. [akpm@linux-foundation.org: restore FMODE_PWRITE] [pjt@google.com: seq_open needs its fmode opened up to take advantage of this] Signed-off-by: Eric Biederman Cc: Alexey Dobriyan Cc: Al Viro Cc: Paul Turner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 62c57441c10cc2b19443e8bbcd1728ae6ea3b83c Author: Paul Turner Date: Wed Feb 18 14:48:15 2009 -0800 vfs: separate FMODE_PREAD/FMODE_PWRITE into separate flags commit 55ec82176eca52e4e0530a82a0eb59160a1a95a1 upstream. Separate FMODE_PREAD and FMODE_PWRITE into separate flags to reflect the reality that the read and write paths may have independent restrictions. A git grep verifies that these flags are always cleared together so this new behavior will only apply to interfaces that change to clear flags individually. This is required for "seq_file: properly cope with pread", a post-2.6.25 regression fix. [akpm@linux-foundation.org: add comment] Signed-off-by: Paul Turner Cc: Eric Biederman Cc: Alexey Dobriyan Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9f97e596d592e354b5c7d3e36e4a70fa9f48536e Author: Christoph Hellwig Date: Wed Nov 5 14:58:46 2008 +0100 documnt FMODE_ constants commit fc9161e54d0dbf799beff9692ea1cc6237162b85 upstream. Make sure all FMODE_ constants are documents, and ensure a coherent style for the already existing comments. [This is needed for the next patch in the .27 kernel which changes fs.h. This patch makes it easier to handle. - gkh] Signed-off-by: Christoph Hellwig Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit f412f397ce0080715f82c22d24b6fda240abfa07 Author: David S. Miller Date: Mon Jan 19 23:24:42 2009 -0800 sparc: We need to implement arch_ptrace_stop(). [ Upstream commit 878a5535957b563c447d32866a9e606c55fef091 ] In order to always provide fully synchronized state to the debugger, we might need to do a synchronize_user_stack(). A pair of hooks, arch_ptrace_stop_needed() and arch_ptrace_stop(), exist to handle this kind of situation. It was created for the sake of IA64. Use them, to flush the kernel side cached register windows to the user stack, when necessary. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9a94094113f73585f651143113c0c2478ebf34e Author: David S. Miller Date: Mon Jan 19 22:56:51 2009 -0800 sparc64: Fix DAX handling via userspace access from kernel. [ Upstream commit fcd26f7ae2ea5889134e8b3d60a42ce8b993c95f ] If we do a userspace access from kernel mode, and get a data access exception, we need to check the exception table just like a normal fault does. The spitfire DAX handler was doing this, but such logic was missing from the sun4v DAX code. Reported-by: Dennis Gilmore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 21ef40e66f6186898ea4240b83a0f1c7424953d0 Author: David S. Miller Date: Wed Feb 25 23:09:34 2009 -0800 net: Kill skb_truesize_check(), it only catches false-positives. [ Upstream commit 92a0acce186cde8ead56c6915d9479773673ea1a ] A long time ago we had bugs, primarily in TCP, where we would modify skb->truesize (for TSO queue collapsing) in ways which would corrupt the socket memory accounting. skb_truesize_check() was added in order to try and catch this error more systematically. However this debugging check has morphed into a Frankenstein of sorts and these days it does nothing other than catch false-positives. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a6fa7047cf5cb20353178e9b31c3105f13461b54 Author: Eugene Teo Date: Mon Feb 23 15:38:41 2009 -0800 net: amend the fix for SO_BSDCOMPAT gsopt infoleak [ Upstream commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b ] The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note that the same problem of leaking kernel memory will reappear if someone on some architecture uses struct timeval with some internal padding (for example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to leak the padded bytes to userspace. Signed-off-by: Eugene Teo Reported-by: Mikulas Patocka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b82b59ae48f1a634456fbaff15bb33b52f581ac7 Author: Herbert Xu Date: Mon Nov 24 16:06:50 2008 -0800 bridge: netfilter: fix update_pmtu crash with GRE [ Upstream commit 631339f1e544a4d39a63cfe6708c5bddcd5a2c48 ] As GRE tries to call the update_pmtu function on skb->dst and bridge supplies an skb->dst that has a NULL ops field, all is not well. This patch fixes this by giving the bridge device an ops field with an update_pmtu function. For the moment I've left all other fields blank but we can fill them in later should the need arise. Based on report and patch by Philip Craig. Signed-off-by: Herbert Xu Signed-off-by: Patrick McHardy Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 411b0df1bd018e949d41ab19fbf8dcb6a63e8ab3 Author: Jason Cooper Date: Tue Nov 11 13:02:53 2008 -0500 USB: net: asix: add support for Cables-to-Go USB Ethernet adapter commit ccf95402d0ae6f433f29ce88cfd589cec8fc81ad upstream. Add support to drivers/net/usb/asix.c for the Cables-to-Go "USB 2.0 to 10/100 Ethernet Adapter". USB id 0b95:772a. Signed-off-by: Jason Cooper Signed-off-by: Greg Kroah-Hartman