commit c9a753e1243428681e0213dfb72404894b72dcda
Author: Greg Kroah-Hartman
Date:   Fri May 8 14:54:48 2009 -0700

    Linux 2.6.27.23

commit a63a48e88c44100975b38a01de22c7fa17adbf85
Author: Jussi Kivilinna
Date:   Wed Apr 22 10:59:37 2009 +0300

    rndis_wlan: fix initialization order for workqueue&workers

    commit e805e4d0b53506dff4255a2792483f094e7fcd2c upstream.

    rndis_wext_link_change() might be called from rndis_command() at
    initialization stage and priv->workqueue/priv->work have not been
    initialized yet. This causes invalid opcode at rndis_wext_bind on
    some brands of bcm4320.

    Fix by initializing workqueue/workers in rndis_wext_bind() before
    rndis_command is used.

    This bug has existed since 2.6.25, reported at:
    http://bugzilla.kernel.org/show_bug.cgi?id=12794

    Signed-off-by: Jussi Kivilinna
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 6b06d6282100dd5aacf7d45443d651a1995bd9c4
Author: Jake Edge
Date:   Mon May 4 12:51:14 2009 -0600

    proc: avoid information leaks to non-privileged processes

    commit f83ce3e6b02d5e48b3a43b001390e2b58820389d upstream.

    By using the same test as is used for /proc/pid/maps and
    /proc/pid/smaps, only allow processes that can ptrace() a given
    process to see information that might be used to bypass address
    space layout randomization (ASLR). These include eip, esp, wchan,
    and start_stack in /proc/pid/stat as well as the non-symbolic
    output from /proc/pid/wchan.

    ASLR can be bypassed by sampling eip as shown by the
    proof-of-concept code at http://code.google.com/p/fuzzyaslr/ As
    part of a presentation
    (http://www.cr0.org/paper/to-jt-linux-alsr-leak.pdf) esp and wchan
    were also noted as possibly usable information leaks as well. The
    start_stack address also leaks potentially useful information.

    Cc: Stable Team
    Signed-off-by: Jake Edge
    Acked-by: Arjan van de Ven
    Acked-by: "Eric W. Biederman"
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a239571a953830dbf73f2fcdee6731b5483c77d6
Author: Lennert Buytenhek
Date:   Wed Apr 29 11:58:18 2009 +0000

    mv643xx_eth: 64bit mib counter read fix

    commit 93af7aca44f0e82e67bda10a0fb73d383edcc8bd upstream.

    On several mv643xx_eth hardware versions, the two 64bit mib
    counters for 'good octets received' and 'good octets sent' are
    actually 32bit counters, and reading from the upper half of the
    register has the same effect as reading from the lower half of the
    register: an atomic read-and-clear of the entire 32bit counter
    value. This can under heavy traffic occasionally lead to small
    numbers being added to the upper half of the 64bit mib counter even
    though no 32bit wrap has occurred.

    Since we poll the mib counters at least every 30 seconds anyway, we
    might as well just skip the reads of the upper halves of the
    hardware counters without breaking the stats, which this patch
    does.

    Signed-off-by: Lennert Buytenhek
    Cc: stable@kernel.org
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0d8f4f2015d4f9ea3057e2d521084944306e91df
Author: Mel Gorman
Date:   Tue May 5 16:37:17 2009 +0100

    Ignore madvise(MADV_WILLNEED) for hugetlbfs-backed regions

    commit a425a638c858fd10370b573bde81df3ba500e271 upstream.

    madvise(MADV_WILLNEED) forces page cache readahead on a range of
    memory backed by a file. The assumption is made that the page
    required is order-0 and "normal" page cache.

    On hugetlbfs, this assumption is not true and order-0 pages are
    allocated and inserted into the hugetlbfs page cache. This leaks
    hugetlbfs page reservations and can cause BUGs to trigger related
    to corrupted page tables.

    This patch causes MADV_WILLNEED to be ignored for hugetlbfs-backed
    regions.

    Signed-off-by: Mel Gorman
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 2ee201a9d57df7a12e228c6a9b06a15014231b72
Author: john stultz
Date:   Fri May 1 13:10:25 2009 -0700

    clockevents: prevent endless loop in tick_handle_periodic()

    commit 74a03b69d1b5ce00a568e142ca97e76b7f5239c6 upstream.

    tick_handle_periodic() can lock up hard when a one shot clock event
    device is used in combination with jiffies clocksource.

    Avoid an endless loop issue by requiring that a highres valid
    clocksource be installed before we call tick_periodic() in a loop
    when using ONESHOT mode. The result is we will only increment
    jiffies once per interrupt until a continuous hardware clocksource
    is available.

    Without this, we can run into an endless loop, where each cycle
    through the loop, jiffies is updated which increments time by
    tick_period or more (due to clock steering), which can cause the
    event programming to think the next event was before the newly
    incremented time and fail causing tick_periodic() to be called
    again and the whole process loops forever.

    [ Impact: prevent hard lock up ]

    Signed-off-by: John Stultz
    Signed-off-by: Andrew Morton
    Signed-off-by: Thomas Gleixner
    Cc: stable@kernel.org
    Signed-off-by: Greg Kroah-Hartman

commit 070bb0f3b6df167554f0ecdeb17a5bcdb1cd7b83
Author: Alan Stern
Date:   Mon May 4 11:29:48 2009 -0400

    USB: serial: fix lifetime and locking problems

    This is commit 2d93148ab6988cad872e65d694c95e8944e1b626 back-ported
    to 2.6.27.

    This patch (as1229-1) fixes a few lifetime and locking problems in
    the usb-serial driver. The main symptom is that an invalid kevent
    is created when the serial device is unplugged while a connection
    is active.

    Ports should be unregistered when device is disconnected, not when
    the parent usb_serial structure is deallocated.

    Each open file should hold a reference to the corresponding port
    structure, and the reference should be released when the file is
    closed.

    serial->disc_mutex should be acquired in serial_open(), to resolve
    the classic race between open and disconnect.

    serial_close() doesn't need to hold both serial->disc_mutex and
    port->mutex at the same time.

    Release the subdriver's module reference only after releasing all
    the other references, in case one of the release routines needs to
    invoke some code in the subdriver module.

    Replace a call to flush_scheduled_work() (which is prone to
    deadlocks) with cancel_work_sync(). Also, add a call to
    cancel_work_sync() in the disconnect routine.

    Reduce the scope of serial->disc_mutex in serial_disconnect(). The
    only place it really needs to protect is where the "disconnected"
    flag is set.

    Call the shutdown method from within serial_disconnect() instead of
    destroy_serial(), because some subdrivers expect the port data
    structures still to be in existence when their shutdown method
    runs.

    This fixes the bug reported in
    http://bugs.freedesktop.org/show_bug.cgi?id=20703

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit b2dda74dbeb0dbe9bae9cddd3d0836f284b6c5e9
Author: dann frazier
Date:   Wed Apr 29 16:14:58 2009 -0600

    MIPS: CVE-2009-0029: Enable syscall wrappers

    Backport of upstream commits by:
      Ralf Baechle
      Xiaotian Feng

    upstream commits:
      dbda6ac0897603f6c6dfadbbc37f9882177ec7ac
      d6c178e9694e7e0c7ffe0289cf4389a498cac735
      c189846ecf900cd6b3ad7d3cef5b45a746ce646b

    Signed-off-by: dann frazier
    Signed-off-by: Greg Kroah-Hartman

commit fcf65d70b0b8eeb5f0cc4e159c713c13afd7b07d
Author: Zhang Rui
Date:   Fri May 1 11:05:56 2009 -0400

    ACPI: Revert conflicting workaround for BIOS w/ mangled PRT entries

    upstream 82babbb3887e234c995626e4121d411ea9070ca5
    backported to apply cleanly to 2.6.27.21
    and apply with offset -1 to 2.6.28.9

    2f894ef9c8b36a35d80709bedca276d2fc691941
    in Linux-2.6.21 worked around BIOS with mangled _PRT entries:
    http://bugzilla.kernel.org/show_bug.cgi?id=6859

    d0e184abc5983281ef189db2c759d65d56eb1b80
    worked around the same issue via ACPICA, and shipped in 2.6.27.

    Unfortunately the two workarounds conflict:
    http://bugzilla.kernel.org/show_bug.cgi?id=12270

    So revert the Linux specific one.

    Signed-off-by: Zhang Rui
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit d93890025874ac5c6a31891cb424b987b2a1d90f
Author: Yinghai Lu
Date:   Sat Apr 18 01:43:46 2009 -0700

    x86/PCI: don't call e820_all_mapped with -1 in the mmconfig case

    commit 044cd80942e47b9de0915b627902adf05c52377f upstream.

    e820_all_mapped needs end to be (addr + size) instead of
    (addr + size - 1)

    Cc: stable@kernel.org
    Acked-by: Ingo Molnar
    Signed-off-by: Yinghai Lu
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 0ca8bad08b221f1ddc73ee15f458725988b37057
Author: Thomas Renninger
Date:   Fri Apr 3 06:34:00 2009 -0700

    PCI quirk: disable MSI on VIA VT3364 chipsets

    commit 162dedd39dcc6eca3fc0d29cf19658c6c13b840e upstream.

    Without this patch, Broadcom BCM5906 Ethernet controllers set up
    via MSI cause the machine to hang. Tejun agreed that the best is to
    blacklist the whole chipset and after adding it, seeing the other
    VIA quirks disabling MSI, this very much looks like the right way.

    Cc:
    Signed-off-by: Thomas Renninger
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit c7273beb2266d3058ef299e2135be7edce5cd03f
Author: Vitaly Mayatskikh
Date:   Thu Apr 30 15:08:18 2009 -0700

    pagemap: require aligned-length, non-null reads of /proc/pid/pagemap

    commit 0816178638c15ce5472d39d771a96860dff4141a upstream.

    The intention of commit aae8679b0ebcaa92f99c1c3cb0cd651594a43915
    ("pagemap: fix bug in add_to_pagemap, require aligned-length reads
    of /proc/pid/pagemap") was to force reads of /proc/pid/pagemap to
    be a multiple of 8 bytes, but now it allows to read 0 bytes, which
    actually puts some data to user's buffer. According to POSIX, if
    count is zero, read() should return zero and has no other results.

    Signed-off-by: Vitaly Mayatskikh
    Cc: Thomas Tuttle
    Acked-by: Matt Mackall
    Cc: Alexey Dobriyan
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f3fb397564e99368f0979933c6ee5fe2d3887668
Author: Cedric Hombourger
Date:   Sat Apr 25 09:38:21 2009 +0200

    kbuild: fix Module.markers permission error under cygwin

    commit 99e3a1eb3c22bb671c6f3d22d8244bfc9fad8185 upstream.

    While building the kernel, we end up calling modpost with -K and -M
    options for the same file (Modules.markers). This is resulting in
    modpost's main function calling read_markers() and then
    write_markers() on the same file.

    We then have read_markers() mmap'ing the file, and write_markers()
    opening that same file for writing.

    The issue is that read_markers() exits without munmap'ing the file
    and is as a matter holding a reference on Modules.markers. When
    write_markers() is opening that very same file for writing, we
    still have a reference on it and cygwin (Windows?) is then making
    fopen() fail with EPERM.

    Calling release_file() before exiting read_markers() clears that
    reference (and memory leak) and fopen() then succeeds.

    Tested on both cygwin (1.3.22) and Linux. Also ran modpost within
    valgrind on Linux to make sure that the munmap'ed file was not
    accessed after read_markers()

    Signed-off-by: Cedric Hombourger
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Sam Ravnborg
    Signed-off-by: Greg Kroah-Hartman

commit ac37ac5e637cbf7b2f77cd89c9396ef3a569adf3
Author: Michael Buesch
Date:   Fri Apr 24 16:05:29 2009 +0000

    b43: Refresh RX poison on buffer recycling

    upstream commit: cf68636a9773aa97915497fe54fa4a51e3f08f3a

    The RX buffer poison needs to be refreshed, if we recycle an RX
    buffer, because it might be (partially) overwritten by some DMA
    operations.

    Cc: stable@kernel.org
    Cc: Francesco Gringoli
    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 89718ae496e551c625560eb2b54fa606d50ca945
Author: Michael Buesch
Date:   Fri Apr 24 16:05:31 2009 +0000

    b43: Poison RX buffers

    upstream commit: ec9a1d8c13e36440eda0f3c79b8149080e3ab5ba

    This patch adds poisoning and sanity checking to the RX DMA
    buffers. This is used for protection against buggy
    hardware/firmware that raises RX interrupts without doing an actual
    DMA transfer.

    This mechanism protects against rare "bad packets" (due to
    uninitialized skb data) and rare kernel crashes due to
    uninitialized RX headers.

    The poison is selected to not match on valid frames and to be cheap
    for checking.

    The poison check mechanism _might_ trigger incorrectly, if we are
    voluntarily receiving frames with bad PLCP headers. However, this
    is nonfatal, because the chance of such a match is basically zero
    and in case it happens it just results in dropping the packet.
    Bad-PLCP RX defaults to off, and you should leave it off unless you
    want to listen to the latest news broadcasted by your microwave
    oven.

    This patch also moves the initialization of the RX-header "length"
    field in front of the mapping of the DMA buffer. The CPU should not
    touch the buffer after we mapped it.

    Cc: stable@kernel.org
    Reported-by: Francesco Gringoli
    Signed-off-by: Michael Buesch
    Signed-off-by: John W. Linville
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 1271c912ea7d12fe6bd3034ba5b0c03f828d69c9
Author: Ed Swierk
Date:   Mon Apr 6 17:49:12 2009 -0700

    forcedeth: Fix resume from hibernation regression.

    upstream commit: 35a7433c789ba6df6d96b70fa745ae9e6cac0038

    Reset phy state on resume, fixing a regression caused by powering
    down the phy on hibernate.

    Signed-off-by: Ed Swierk
    Signed-off-by: David S. Miller
    Cc: Tvrtko Ursulin
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 2df0656b23614f2647ba4b1d40f4fc5b9f9ef32b
Author: Chuck Short
Date:   Fri Apr 24 16:05:04 2009 +0000

    USB: Unusual Device support for Gold MP3 Player Energy

    upstream commit: 46c6e93faa85d1362e1d127dc28cf9d0b304a6f1

    Reported by Alessio Treglia on
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/125250

    User was getting the following errors in dmesg:

    [ 2158.139386] sd 5:0:0:1: ioctl_internal_command return code = 8000002
    [ 2158.139390] : Current: sense key: No Sense
    [ 2158.139393] Additional sense: No additional sense information

    Adds unusual device support.

    modified: drivers/usb/storage/unusual_devs.h

    Signed-off-by: Chuck Short
    Signed-off-by: Tim Gardner
    Signed-off-by: Stefan Bader
    Cc: stable
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Chris Wright

commit b7c0d4cb0aceb99c6bdba9865008355f9cab4471
Author: Christian Borntraeger
Date:   Fri Apr 24 22:35:03 2009 +0000

    virtio-rng: Remove false BUG for spurious callbacks

    upstream commit: e5b89542ea18020961882228c26db3ba87f6e608

    The virtio-rng driver checks for spurious callbacks. Since
    callbacks can be implemented via shared interrupts (e.g. PCI) this
    could lead to guest kernel oopses with lots of virtio devices.

    Signed-off-by: Christian Borntraeger
    Cc: Rusty Russell
    Cc: stable@kernel.org
    Signed-off-by: Linus Torvalds
    Signed-off-by: Chris Wright
    Signed-off-by: Greg Kroah-Hartman

commit 1beaf51ea30d9bc4c8b40391b230da59500835c2
Author: Zhenyu Wang
Date:   Mon Nov 17 13:58:11 2008 +0800

    drm/i915: add support for G41 chipset

    commit 72021788678523047161e97b3dfed695e802a5fd upstream.

    This had been delayed for some time due to failure to work on the
    one piece of G41 hardware we had, and lack of success reports from
    anybody else. Current hardware appears to be OK.

    Signed-off-by: Zhenyu Wang
    [anholt: hand-applied due to conflicts with IGD patches]
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman