commit a5c69efe91ca7798fd1bd53fb8bd7e0c561f71a4
Author: Greg Kroah-Hartman
Date:   Tue Sep 8 20:18:25 2009 -0700

    Linux 2.6.27.32

commit 8af12fc1c2c44a6fac07e4a8b7f44ca0c6ea038a
Author: Sunil Mushran
Date:   Fri Sep 4 11:12:01 2009 -0700

    ocfs2: ocfs2_write_begin_nolock() should handle len=0

    commit 8379e7c46cc48f51197dd663fc6676f47f2a1e71 upstream.

    Bug introduced by mainline commit e7432675f8ca868a4af365759a8d4c3779a3d922

    The bug causes ocfs2_write_begin_nolock() to oops when len=0.

    Signed-off-by: Sunil Mushran
    Signed-off-by: Joel Becker
    Signed-off-by: Greg Kroah-Hartman

commit 2607b3b8c16b95806c81968bcd909cba02e6d051
Author: Trond Myklebust
Date:   Fri Aug 21 13:37:17 2009 -0400

    SUNRPC: Fix tcp reconnection

    This fixes a problem that was reported as Red Hat Bugzilla entry number
    485339, in which rpciod starts looping on the TCP connection code,
    rendering the NFS client unusable for 1/2 minute or so.

    It is basically a backport of commit
    f75e6745aa3084124ae1434fd7629853bdaf6798 (SUNRPC: Fix the problem of
    EADDRNOTAVAIL syslog floods on reconnect)

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit deeab04d78c0b5b505853a8f6810fb70bc40acd2
Author: Peter Jones
Date:   Tue Aug 18 10:18:20 2009 -0400

    SCSI: sr: report more accurate drive status after closing the tray.

    commit 96bcc722c47d07b6fd05c9d0cb3ab8ea5574c5b1 upstream

    [SCSI] sr: report more accurate drive status after closing the tray.

    So, what's happening here is that the drive is reporting a sense of
    2/4/1 ("logical unit is becoming ready") from sr_test_unit_ready(), and
    then we ask for the media event notification before checking that
    result at all. The check_media_event_descriptor() call isn't getting a
    check condition, but it's also reporting that the tray is closed and
    that there's no media. In actuality it doesn't yet know if there's
    media or not, but there's no way to express that in the media event
    status field.

    My current thought is that if it told us the device isn't yet ready, we
    should return that immediately, since there's nothing that'll tell us
    any more data than that reliably:

    Signed-off-by: James Bottomley
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 206c31f296348cbd3c9a7700a6f9b946459914be
Author: Chuck Ebbert
Date:   Tue Aug 18 10:23:09 2009 -0400

    Remove low_latency flag setting from nozomi and mxser drivers

    commit 4d8d4d251df8eaaa3dae71c8cfa7fbf4510d967d upstream

    [ cebbert@redhat.com: backport to 2.6.27 ]

    Remove low_latency flag setting from nozomi and mxser drivers

    The kernel oopses if this flag is set.

    [and neither driver should set it as they call tty_flip_buffer_push
    from IRQ paths so have always been buggy]

    Signed-off-by: Chuck Ebbert
    Signed-off-by: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit c8c95c897bd0599dfe9928610c95ec6b804ce329
Author: Oliver Neukum
Date:   Tue Aug 18 10:30:26 2009 -0400

    USB: removal of tty->low_latency hack dating back to the old serial code

    commit 2400a2bfbd0e912193fe3b077f492d4980141813 upstream

    [ cebbert@redhat.com: backport to 2.6.27 ]

    USB: removal of tty->low_latency hack dating back to the old serial code

    This removes tty->low_latency from all USB serial drivers that push
    data into the tty layer at hard interrupt context. It's no longer
    needed and actually harmful.

    Signed-off-by: Oliver Neukum
    Cc: Alan Cox
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 37977b63ee78ebd37669b3740b78e436b1660757
Author: Alan Cox
Date:   Tue Aug 18 10:27:34 2009 -0400

    parport: quickfix the proc registration bug

    commit 05ad709d04799125ed85dd816fdb558258102172 upstream

    parport: quickfix the proc registration bug

    Ideally we should have a directory of drivers and a link to the
    'active' driver. For now just show the first device which is
    effectively the existing semantics without a warning.

    This is an update on the original buggy patch that I then forgot to
    resubmit.
    Confusingly it was proposed by Red Hat, written by Etched Pixels
    fixed and submitted by Intel ...

    Resolves-Bug: http://bugzilla.kernel.org/show_bug.cgi?id=9749
    Signed-off-by: Alan Cox
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit b6768fe15180edf89df1f96dfbf4412a0871c83b
Author: Takashi Iwai
Date:   Sat Aug 15 12:15:57 2009 +0200

    ALSA: hda - Add missing vmaster initialization for ALC269

    commit 100d5eb36ba20dc0b99a17ea2b9800c567bfc3d1 upstream.

    Without the initialization of vmaster NID, the dB information got
    confused for ALC269 codec.

    Reference: Novell bnc#527361
        https://bugzilla.novell.com/show_bug.cgi?id=527361

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ee1c46ccd19074a06393567644144287458e8337
Author: Eric Dumazet
Date:   Thu Aug 6 03:34:06 2009 +0000

    rose: Fix rose_getname() leak

    commit 17ac2e9c58b69a1e25460a568eae1b0dc0188c25 upstream.

    rose_getname() can leak kernel memory to user.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8338941200d9188e3c866dd16cc2848754947895
Author: Sunil Mushran
Date:   Thu Aug 6 16:12:58 2009 -0700

    ocfs2: Initialize the cluster we're writing to in a non-sparse extend

    commit e7432675f8ca868a4af365759a8d4c3779a3d922 upstream.

    In a non-sparse extend, we correctly allocate (and zero) the clusters
    between the old_i_size and pos, but we don't zero the portions of the
    cluster we're writing to outside of pos<->len.

    It handles clustersize > pagesize and blocksize < pagesize.

    [Cleaned up by Joel Becker.]

    Signed-off-by: Sunil Mushran
    Signed-off-by: Joel Becker
    Signed-off-by: Greg Kroah-Hartman

commit 7e8287379470a7c18153be389c9516e31ae141f3
Author: Eric Dumazet
Date:   Thu Aug 6 03:31:07 2009 +0000

    netrom: Fix nr_getname() leak

    commit f6b97b29513950bfbf621a83d85b6f86b39ec8db upstream.

    nr_getname() can leak kernel memory to user.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 42c6afea4b7a0512d2fd7c2b7fc6fa667366e315
Author: Jiri Slaby
Date:   Sun Aug 23 22:55:51 2009 -0700

    NET: llc, zero sockaddr_llc struct

    commit 28e9fc592cb8c7a43e4d3147b38be6032a0e81bc upstream.

    sllc_arphrd member of sockaddr_llc might not be changed. Zero sllc
    before copying to the above layer's structure.

    Signed-off-by: Jiri Slaby
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3b9246e2b55f8aa3c3d9732d0eb7e9943a6f9492
Author: Oleg Nesterov
Date:   Mon Aug 24 12:45:29 2009 +0200

    kthreads: fix kthread_create() vs kthread_stop() race

    The bug should be "accidentally" fixed by recent changes in 2.6.31,
    all kernels <= 2.6.30 need the fix. The problem was never noticed
    before, it was found because it causes mysterious failures with GFS
    mount/umount.

    Credits to Robert Peterson. He blamed kthread.c from the very
    beginning. But, despite my promise, I forgot to inspect the old
    implementation until he did a lot of testing and reminded me. This led
    to huge delay in fixing this bug.

    kthread_stop() does put_task_struct(k) before it clears
    kthread_stop_info.k. This means another kthread_create() can re-use
    this task_struct, but the new kthread can still see
    kthread_should_stop() == T and exit even without calling threadfn().

    Reported-by: Robert Peterson
    Tested-by: Robert Peterson
    Signed-off-by: Oleg Nesterov
    Acked-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman

commit 54cbd776461dabc08ee378249c93185b1f4a33e1
Author: Eric Dumazet
Date:   Thu Aug 6 03:55:04 2009 +0000

    irda: Fix irda_getname() leak

    commit 09384dfc76e526c3993c09c42e016372dc9dd22c upstream.

    irda_getname() can leak kernel memory to user.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8f25b9d9c723acfc9666afe5caf1128f18da8613
Author: Eric Dumazet
Date:   Thu Aug 6 03:48:36 2009 +0000

    econet: Fix econet_getname() leak

    commit 80922bbb12a105f858a8f0abb879cb4302d0ecaa upstream.

    econet_getname() can leak kernel memory to user.

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f43ef685dd388d9b255b5ab15e6f587668bcc7c1
Author: Linus Torvalds
Date:   Sat Aug 1 10:34:56 2009 -0700

    do_sigaltstack: avoid copying 'stack_t' as a structure to user space

    commit 0083fc2c50e6c5127c2802ad323adf8143ab7856 upstream.

    Ulrich Drepper correctly points out that there is generally padding in
    the structure on 64-bit hosts, and that copying the structure from
    kernel to user space can leak information from the kernel stack in
    those padding bytes.

    Avoid the whole issue by just copying the three members one by one
    instead, which also means that the function also can avoid the need
    for a stack frame. This also happens to match how we copy the new
    structure from user space, so it all even makes sense.

    [ The obvious solution of adding a memset() generates horrid code, gcc
      does really stupid things. ]

    Reported-by: Ulrich Drepper
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit bbe5cbd01823805a7cbba06b043c19b559e324c4
Author: Eric Dumazet
Date:   Thu Aug 6 20:27:04 2009 +0000

    can: Fix raw_getname() leak

    commit e84b90ae5eb3c112d1f208964df1d8156a538289 upstream.

    raw_getname() can leak 10 bytes of kernel memory to user

    (two bytes hole between can_family and can_ifindex, 8 bytes at the end
    of sockaddr_can structure)

    Signed-off-by: Eric Dumazet
    Acked-by: Oliver Hartkopp
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 3cee5ca317b5f0a0c2c62ad24dbe7f415ca45687
Author: Eric Dumazet
Date:   Thu Aug 6 02:27:43 2009 +0000

    appletalk: fix atalk_getname() leak

    commit 3d392475c873c10c10d6d96b94d092a34ebd4791 upstream.

    atalk_getname() can leak 8 bytes of kernel memory to user

    Signed-off-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 27dd1a6f4fe1625b22bbd9fc63950732519c9976
Author: Marcelo Tosatti
Date:   Thu Aug 6 14:40:07 2009 -0300

    KVM: MMU: protect kvm_mmu_change_mmu_pages with mmu_lock

    (cherry picked from commit 7c8a83b75a38a807d37f5a4398eca2a42c8cf513)

    kvm_handle_hva, called by MMU notifiers, manipulates mmu data only
    with the protection of mmu_lock.

    Update kvm_mmu_change_mmu_pages callers to take mmu_lock, thus
    protecting against kvm_handle_hva.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 969034648a9fe07482ffffe3c53588a39e29b9db
Author: Marcelo Tosatti
Date:   Thu Aug 6 14:40:06 2009 -0300

    KVM: x86: check for cr3 validity in mmu_alloc_roots

    (cherry picked from commit 8986ecc0ef58c96eec48d8502c048f3ab67fd8e2)

    Verify the cr3 address stored in vcpu->arch.cr3 points to an existent
    memslot. If not, inject a triple fault.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit f599c5cbcaa13a93215d2f260815d29f265a4457
Author: Izik Eidus
Date:   Thu Aug 6 14:40:05 2009 -0300

    KVM: Fix dirty bit tracking for slots with large pages

    (cherry picked from commit e244584fe3a5c20deddeca246548ac86dbc6e1d1)

    When slot is already allocated and being asked to be tracked we need
    to break the large pages.

    This code flushes the mmu when someone asks a slot to start dirty bit
    tracking.

    Signed-off-by: Izik Eidus
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit d2127c8300fb1ec54af56faee17170e7a525326d
Author: Gleb Natapov
Date:   Thu Aug 6 14:40:04 2009 -0300

    KVM: MMU: do not free active mmu pages in free_mmu_pages()

    (cherry picked from commit f00be0cae4e6ad0a8c7be381c6d9be3586800b3e)

    free_mmu_pages() should only undo what alloc_mmu_pages() does. Free
    mmu pages from the generic VM destruction function, kvm_destroy_vm().

    Signed-off-by: Gleb Natapov
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 67e34f302bc4584204f1bcd00caca5be46834546
Author: Avi Kivity
Date:   Thu Aug 6 14:40:03 2009 -0300

    KVM: Fix PDPTR reloading on CR4 writes

    (cherry picked from commit a2edf57f510cce6a389cc14e58c6ad0a4296d6f9)

    The processor is documented to reload the PDPTRs while in PAE mode if
    any of the CR4 bits PSE, PGE, or PAE change. Linux relies on this
    behaviour when zapping the low mappings of PAE kernels during boot.

    The code already handled changes to CR4.PAE; augment it to also notice
    changes to PSE and PGE.

    This triggered while booting an F11 PAE kernel; the futex
    initialization code runs before any CR3 reloads and writes to a NULL
    pointer; the futex subsystem ended up uninitialized, killing PI futexes
    and pulseaudio which uses them.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 174289f2746a4f7d74e37f7ce2db640abe7db952
Author: Avi Kivity
Date:   Thu Aug 6 14:40:02 2009 -0300

    KVM: Make paravirt tlb flush also reload the PAE PDPTRs

    (cherry picked from commit a8cd0244e9cebcf9b358d24c7e7410062f3665cb)

    The paravirt tlb flush may be used not only to flush TLBs, but also to
    reload the four page-directory-pointer-table entries, as it is used as
    a replacement for reloading CR3. Change the code to do the entire CR3
    reloading dance instead of simply flushing the TLB.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit c8ad967ceb6cb90124162aada5a407c10d4b599c
Author: Avi Kivity
Date:   Thu Aug 6 14:40:01 2009 -0300

    KVM: VMX: Handle vmx instruction vmexits

    (cherry picked from commit e3c7cb6ad7191e92ba89d00a7ae5f5dd1ca0c214)

    If a guest tries to use vmx instructions, inject a #UD to let it know
    the instruction is not implemented, rather than crashing.

    This prevents guest userspace from crashing the guest kernel.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit f06f0605b998dfe1453380bfff72bd861ca3a016
Author: Avi Kivity
Date:   Thu Aug 6 14:40:00 2009 -0300

    KVM: Make EFER reads safe when EFER does not exist

    (cherry picked from commit e286e86e6d2042d67d09244aa0e05ffef75c9d54)

    Some processors don't have EFER; don't oops if userspace wants us to
    read EFER when we check NX.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 9d978f7cf24e6451af158eb5da483193010c10f0
Author: Avi Kivity
Date:   Thu Aug 6 14:39:59 2009 -0300

    KVM: SVM: Remove port 80 passthrough

    (cherry picked from commit 99f85a28a78e96d28907fe036e1671a218fee597)

    KVM optimizes guest port 80 accesses by passing them through to the
    host. Some AMD machines die on port 80 writes, allowing the guest to
    hard-lock the host.

    Remove the port passthrough to avoid the problem.

    Reported-by: Piotr Jaroszyński
    Tested-by: Piotr Jaroszyński
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 9829a7c1ab1eef1a32498a2f627155cc0e8a8e65
Author: Avi Kivity
Date:   Thu Aug 6 14:39:58 2009 -0300

    KVM: VMX: Don't allow uninhibited access to EFER on i386

    (cherry picked from commit 16175a796d061833aacfbd9672235f2d2725df65)

    vmx_set_msr() does not allow i386 guests to touch EFER, but they can
    still do so through the default: label in the switch. If they set
    EFER_LME, they can oops the host.

    Fix by having EFER access through the normal channel (which will check
    for EFER_LME) even on i386.

    Reported-and-tested-by: Benjamin Gilbert
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit f7e4e13de304466a40f01426e307af36c0bd9870
Author: Glauber Costa
Date:   Thu Aug 6 14:39:57 2009 -0300

    KVM: Don't destroy vcpu in case vcpu_setup fails

    (cherry picked from commit 7d8fece678c1abc2ca3e1ceda2277c3538a9161c)

    One of vcpu_setup responsibilities is to do mmu initialization.
    However, in case we fail in kvm_arch_vcpu_reset, before we get the
    chance to init mmu.
    OTOH, vcpu_destroy will attempt to destroy mmu, triggering a bug.
    Keeping track of whether or not mmu is initialized would unnecessarily
    complicate things. Rather, we just make return, making sure any needed
    uninitialization is done before we return, in case we fail.

    Signed-off-by: Glauber Costa
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 66b7e6fe99e9486f4a61acfcfd32f6a7094c9cd0
Author: Sheng Yang
Date:   Thu Aug 6 14:39:56 2009 -0300

    KVM: VMX: Set IGMT bit in EPT entry

    (cherry picked from commit 928d4bf747e9c290b690ff515d8f81e8ee226d97)

    There is a potential issue that, when guest using pagetable without
    vmexit when EPT enabled, guest would use PAT/PCD/PWT bits to index PAT
    msr for its memory, which would be inconsistent with host side and
    would cause host MCE due to inconsistent cache attribute.

    The patch sets IGMT bit in EPT entry to ignore guest PAT and use WB as
    default memory type to protect host (notice that all memory mapped by
    KVM should be WB).

    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 6bbd18645e02de44d024e738bb1469ef0977f7f6
Author: Marcelo Tosatti
Date:   Thu Aug 6 14:39:55 2009 -0300

    KVM: MMU: increase per-vcpu rmap cache alloc size

    (cherry picked from commit c41ef344de212bd918f7765af21b5008628c03e0)

    The page fault path can use two rmap_desc structures, if:

    - walk_addr's dirty pte update allocates one rmap_desc.
    - mmu_lock is dropped, sptes are zapped resulting in rmap_desc being
      freed.
    - fetch->mmu_set_spte allocates another rmap_desc.

    Increase to 4 for safety.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 12daed95faec51a60736776a35ce4b0d1541c346
Author: Marcelo Tosatti
Date:   Thu Aug 6 14:39:54 2009 -0300

    KVM: set debug registers after "schedulable" section

    (cherry picked from commit 29415c37f043d1d54dcf356601d738ff6633b72b)

    The vcpu thread can be preempted after the guest_debug_pre() callback,
    resulting in invalid debug registers on the new vcpu.

    Move it inside the non-preemptable section.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 3c4ebbcc130dddc5163da41b22aa5bdd08b93308
Author: Joerg Roedel
Date:   Thu Aug 6 14:39:53 2009 -0300

    KVM: add MC5_MISC msr read support

    (cherry picked from commit a89c1ad270ca7ad0eec2667bc754362ce7b142be)

    Currently KVM implements MC0-MC4_MISC read support. When booting Linux
    this results in KVM warnings in the kernel log when the guest tries to
    read MC5_MISC. Fix these warnings with this patch.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit ea618866ead0126be93107cdf700b43e7c1854f3
Author: Dave Hansen
Date:   Thu Aug 6 14:39:52 2009 -0300

    KVM: Reduce stack usage in kvm_pv_mmu_op()

    (cherry picked from commit 6ad18fba05228fb1d47cdbc0339fe8b3fca1ca26)

    We're in a hot path. We can't use kmalloc() because it might impact
    performance. So, we just stick the buffer that we need into the
    kvm_vcpu_arch structure. This is used very often, so it is not really
    a waste.

    We also have to move the buffer structure's definition to the
    arch-specific x86 kvm header.

    Signed-off-by: Dave Hansen
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 990c4b98649a36713e5f138d40ea6d81f6e5dae0
Author: Dave Hansen
Date:   Thu Aug 6 14:39:51 2009 -0300

    KVM: Reduce stack usage in kvm_arch_vcpu_ioctl()

    (cherry picked from commit b772ff362ec6b821c8a5227a3355e263f917bfad)

    [sheng: fix KVM_GET_LAPIC using wrong size]

    Signed-off-by: Dave Hansen
    Signed-off-by: Sheng Yang
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 60a3971e401a9c8a7b138a6ff1fdb07d6173c259
Author: Dave Hansen
Date:   Thu Aug 6 14:39:50 2009 -0300

    KVM: Reduce stack usage in kvm_vcpu_ioctl()

    (cherry picked from commit fa3795a7308df099f0f2c9e5ca2c20a5ff65bdc4)

    Signed-off-by: Dave Hansen
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 34707a6e4a012334cffadb2b2b2d216e3c970423
Author: Dave Hansen
Date:   Thu Aug 6 14:39:49 2009 -0300

    KVM: Reduce kvm stack usage in kvm_arch_vm_ioctl()

    (cherry picked from commit f0d662759a2465babdba1160749c446648c9d159)

    On my machine with gcc 3.4, kvm uses ~2k of stack in a few select
    functions. This is mostly because gcc fails to notice that the
    different case: statements could have their stack usage combined. It
    overflows very nicely if interrupts happen during one of these large
    uses.

    This patch uses two methods for reducing stack usage.

    1. dynamically allocate large objects instead of putting on the stack.
    2. Use a union{} member for all of the case variables. This tricks gcc
       into combining them all into a single stack allocation.
       (There's also a comment on this)

    Signed-off-by: Dave Hansen
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 04051e5cf91f5ab9f13509cd0b16b61560556de0
Author: Avi Kivity
Date:   Thu Aug 6 14:39:48 2009 -0300

    KVM: MMU: Fix setting the accessed bit on non-speculative sptes

    (cherry picked from commit 3201b5d9f0f7ef392886cd76dcd2c69186d9d5cd)

    The accessed bit was accidentally turned on in a random flag word,
    rather than the spte itself, which was lucky, since it used the
    non-EPT compatible PT_ACCESSED_MASK.

    Fix by turning the bit on in the spte and changing it to use the
    portable accessed mask.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 5bd5d8e64fbb187d1ed4b320715a4580bd878997
Author: Avi Kivity
Date:   Thu Aug 6 14:39:47 2009 -0300

    KVM: MMU: Flush tlbs after clearing write permission when accessing dirty log

    (cherry picked from commit 171d595d3b3254b9a952af8d1f6965d2e85dcbaa)

    Otherwise, the cpu may allow writes to the tracked pages, and we lose
    some display bits or fail to migrate correctly.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit c832f513b1ebe93e0a2c71a98f319da4ce560f7f
Author: Avi Kivity
Date:   Thu Aug 6 14:39:46 2009 -0300

    KVM: MMU: Add locking around kvm_mmu_slot_remove_write_access()

    (cherry picked from commit 2245a28fe2e6fdb1bdabc4dcde1ea3a5c37e2a9e)

    It was generally safe due to slots_lock being held for write, but it
    wasn't very nice.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 2b52d454ea2217f9422aee3847aa4678e93fa9e0
Author: Avi Kivity
Date:   Thu Aug 6 14:39:45 2009 -0300

    KVM: Don't call get_user_pages(.force = 1)

    (cherry picked from commit d657c7335b97d746aa6123c56504b46c20e37df3)

    This is esoteric and only needed to break COW on MAP_SHARED mappings.
    Since KVM no longer does these sorts of mappings, breaking COW on them
    is no longer necessary.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit f897f01e79c99ec8577ed6bb6c9bec845747dc3c
Author: Avi Kivity
Date:   Thu Aug 6 14:39:44 2009 -0300

    KVM: Allocate guest memory as MAP_PRIVATE, not MAP_SHARED

    (cherry picked from commit acee3c04e8208c17aad1baff99baa68d71640a19)

    There is no reason to share internal memory slots with fork()ed
    instances.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 838c160be4225b74a1fdd6e549df272e3953ebd8
Author: Avi Kivity
Date:   Thu Aug 6 14:39:43 2009 -0300

    KVM: Load real mode segments correctly

    (cherry picked from commit f4bbd9aaaae23007e4d79536d35a30cbbb11d407)

    Real mode segments do not reference the GDT or LDT; they simply
    compute base = selector * 16.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit e4aeb2441ab83214d8a423f21e254f9c666e3c00
Author: Avi Kivity
Date:   Thu Aug 6 14:39:42 2009 -0300

    KVM: VMX: Change segment dpl at reset to 3

    (cherry picked from commit a16b20da879430fdf245ed45461ed40ffef8db3c)

    This is more emulation friendly, if not 100% correct.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 96534837735ed064448e8ef748f4c9178356d28b
Author: Avi Kivity
Date:   Thu Aug 6 14:39:41 2009 -0300

    KVM: VMX: Change cs reset state to be a data segment

    (cherry picked from commit 5706be0dafd6f42852f85fbae292301dcad4ccec)

    Real mode cs is a data segment, not a code segment.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 994e0b57b4ea1ee1726d31a7e669200b34405df7
Author: Trond Myklebust
Date:   Fri Aug 28 11:12:12 2009 -0400

    SUNRPC: Fix rpc_task_force_reencode

    commit 2574cc9f4ffc6c681c9177111357efe5b76f0e36 upstream.

    This patch fixes the bug that was reported in
        http://bugzilla.kernel.org/show_bug.cgi?id=14053

    If we're in the case where we need to force a reencode and then resend
    of the RPC request, due to xprt_transmit failing with a networking
    error, then we _must_ retransmit the entire request.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4233307591d5a86c0712487b57a3939f9d31d8c9
Author: Clemens Ladisch
Date:   Tue Aug 25 08:15:41 2009 +0200

    sound: pcm_lib: fix unsorted list constraint handling

    commit b1ddaf681e362ed453182ddee1699d7487069a16 upstream.

    snd_interval_list() expected a sorted list but did not document this,
    so there are drivers that give it an unsorted list. To fix this,
    change the algorithm to work with any list.

    This fixes the "Slave PCM not usable" error with USB devices that have
    multiple alternate settings with sample rates in decreasing order, such
    as the Philips Askey VC010 WebCam.

    http://bugzilla.kernel.org/show_bug.cgi?id=14028

    Reported-and-tested-by: Andrzej
    Signed-off-by: Clemens Ladisch
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit d45bb9161000683a0f0e10dbca21a3a6f453a6e1
Author: Hannes Hering
Date:   Tue Aug 4 11:48:39 2009 -0700

    ehea: Fix napi list corruption on ifconfig down

    commit 357eb46d8f275b4e8484541234ea3ba06065e258 upstream.

    This patch fixes the napi list handling when an ehea interface is shut
    down to avoid corruption of the napi list.

    Signed-off-by: Hannes Hering
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 70a1f1e8105d1a944fdfbf1e26cd8d3bfc79c0ff
Author: Oleg Nesterov
Date:   Wed Aug 26 14:29:24 2009 -0700

    clone(): fix race between copy_process() and de_thread()

    commit 4ab6c08336535f8c8e42cf45d7adeda882eff06e upstream.

    Spotted by Hiroshi Shimamoto who also provided the test-case below.

    copy_process() uses signal->count as a reference counter, but it is
    not.
    This test case

        #include <errno.h>
        #include <pthread.h>
        #include <stdio.h>
        #include <sys/types.h>
        #include <sys/wait.h>
        #include <unistd.h>

        void *null_thread(void *p)
        {
            for (;;)
                sleep(1);

            return NULL;
        }

        void *exec_thread(void *p)
        {
            execl("/bin/true", "/bin/true", NULL);

            return null_thread(p);
        }

        int main(int argc, char **argv)
        {
            for (;;) {
                pid_t pid;
                int ret, status;

                pid = fork();
                if (pid < 0)
                    break;

                if (!pid) {
                    pthread_t tid;

                    pthread_create(&tid, NULL, exec_thread, NULL);
                    for (;;)
                        pthread_create(&tid, NULL, null_thread, NULL);
                }

                do {
                    ret = waitpid(pid, &status, 0);
                } while (ret == -1 && errno == EINTR);
            }

            return 0;
        }

    quickly creates an unkillable task.

    If copy_process(CLONE_THREAD) races with de_thread()
    copy_signal()->atomic(signal->count) breaks the signal->notify_count
    logic, and the execing thread can hang forever in kernel space.

    Change copy_process() to increment count/live only when we know for
    sure we can't fail. In this case the forked thread will take care of
    its reference to signal correctly.

    If copy_process() fails, check CLONE_THREAD flag. If it is set - do
    nothing, the counters were not changed and current belongs to the same
    thread group. If it is not set, ->signal must be released in any case
    (and ->count must be == 1), the forked child is the only thread in the
    thread group.

    We need more cleanups here, in particular signal->count should not be
    used by de_thread/__exit_signal at all. This patch only fixes the bug.

    Reported-by: Hiroshi Shimamoto
    Tested-by: Hiroshi Shimamoto
    Signed-off-by: Oleg Nesterov
    Acked-by: Roland McGrath
    Cc: KAMEZAWA Hiroyuki
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f8807c213e9f1594e5da48cc5b3db6464ed61d7a
Author: Takashi Iwai
Date:   Mon Aug 31 08:15:26 2009 +0200

    ALSA: hda - Fix MacBookPro 3,1/4,1 quirk with ALC889A

    commit a3f730af7e33cea10ea66f05b2565fde1f9512df upstream.

    This patch fixes the wrong headphone output routing for MacBookPro
    3,1/4,1 quirk with ALC889A codec, which caused the silent headphone
    output.
    Also, this gives the individual Headphone and Speaker volume controls.

    Reference: kernel bug#14078
        http://bugzilla.kernel.org/show_bug.cgi?id=14078

    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman
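
The getname() leak fixes in this changelog (rose, netrom, irda, econet, can, appletalk, llc) describe one pattern: a structure is built in kernel memory, only some of its bytes are written, and the whole object is copied to user space. The block below is an added user-space illustration of that pattern and of the zero-before-fill remedy, not code from any of these commits; struct demo_sockaddr_can and the demo_* functions are hypothetical names, with a layout constructed to match the 2-byte hole plus 8 trailing bytes that the raw_getname() message describes.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the layout described in the raw_getname() fix:
 * a 2-byte family, a 4-byte ifindex, then 8 bytes of address data that the
 * getname path never fills in. Hypothetical type, not kernel code. */
struct demo_sockaddr_can {
    unsigned short can_family;
    int            can_ifindex;
    struct { unsigned int rx_id, tx_id; } can_addr;
};

#define DEMO_LEN   sizeof(struct demo_sockaddr_can)
#define STALE_BYTE 0xA5   /* marks data left behind by an earlier call */

/* Bytes of the structure that the two field stores do not cover:
 * the alignment hole after can_family plus the untouched can_addr. */
size_t demo_uncovered_bytes(void)
{
    return DEMO_LEN - sizeof(unsigned short) - sizeof(int);
}

/* Store only the two fields at their real offsets, as an unfixed getname
 * handler would. memcpy keeps the byte-level effect well defined. */
static void demo_fill_fields(unsigned char *slot)
{
    unsigned short family = 29;   /* constructed sample values */
    int ifindex = 3;

    memcpy(slot + offsetof(struct demo_sockaddr_can, can_family),
           &family, sizeof family);
    memcpy(slot + offsetof(struct demo_sockaddr_can, can_ifindex),
           &ifindex, sizeof ifindex);
}

/* Model one getname call. `slot` plays the kernel-side object, pre-filled
 * with stale data; `out` plays the user buffer and must hold DEMO_LEN
 * bytes. Returns how many stale bytes reached `out`. */
size_t demo_getname(unsigned char *out, int zero_first)
{
    unsigned char slot[DEMO_LEN];
    size_t i, stale = 0;

    memset(slot, STALE_BYTE, sizeof slot);   /* what an earlier frame left */
    if (zero_first)
        memset(slot, 0, sizeof slot);        /* the fix: clear, then fill */
    demo_fill_fields(slot);
    memcpy(out, slot, sizeof slot);          /* stands in for the copy to user */

    for (i = 0; i < DEMO_LEN; i++)
        if (out[i] == STALE_BYTE)
            stale++;
    return stale;
}

int main(void)
{
    unsigned char user_buf[DEMO_LEN];

    printf("bytes not covered by field stores: %zu\n", demo_uncovered_bytes());
    printf("stale bytes copied out, unfixed:   %zu\n", demo_getname(user_buf, 0));
    printf("stale bytes copied out, zeroed:    %zu\n", demo_getname(user_buf, 1));
    return 0;
}
```

On ABIs where int is 4 bytes and 4-byte aligned, the unfixed path reports 10 stale bytes, the figure given in the raw_getname() commit message.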