commit ce8838c66d56085122fb275c1f7d3821245fca54 Author: Greg Kroah-Hartman Date: Thu Apr 1 15:53:33 2010 -0700 Linux 2.6.27.46 commit afcb843f52a4db224bc5f138e136253205feffa3 Author: Dean Nelson Date: Mon Mar 29 22:03:00 2010 +0200 hwmon: (coretemp) Add missing newline to dev_warn() message commit 4d7a5644e4adfafe76c2bd8ee168e3f3b5dae3a8 upstream. Add missing newline to dev_warn() message string. This is more of an issue with older kernels that don't automatically add a newline if it was missing from the end of the previous line. Signed-off-by: Dean Nelson Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit aaaa549b386fdd80b93b447541f42b313b103f95 Author: Alan Stern Date: Sat Mar 6 15:04:03 2010 -0500 USB: fix usbfs regression commit 7152b592593b9d48b33f8997b1dfd6df9143f7ec upstream. This patch (as1352) fixes a bug in the way isochronous input data is returned to userspace for usbfs transfers. The entire buffer must be copied, not just the first actual_length bytes, because the individual packets will be discontiguous if any of them are short. Reported-by: Markus Rechberger Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit e3dc90e7cd7328ffae169ba41500d50aa1c893d3 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:32 2010 -0700 tmpfs: cleanup mpol_parse_str() commit 926f2ae04f183098cf9a30521776fb2759c8afeb upstream. mpol_parse_str() made lots 'err' variable related bug. Because it is ugly and reviewing unfriendly. This patch simplifies it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 46a1c81e34c152179c287d87e763b6938e9e7914 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:33 2010 -0700 doc: add the documentation for mpol=local commit 5574169613b40b85d6f4c67208fa4846b897a0a1 upstream. commit 3f226aa1c (mempolicy: support mpol=local tmpfs mount option) added new mpol=local mount option. but it didn't add a documentation. This patch does it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7ec7aa7a91a38a36b392059e7307e09d0136d1e4 Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:31 2010 -0700 tmpfs: handle MPOL_LOCAL mount option properly commit 12821f5fb942e795f8009ece14bde868893bd811 upstream. commit 71fe804b6d5 (mempolicy: use struct mempolicy pointer in shmem_sb_info) added mpol=local mount option. but its feature is broken since it was born. because such code always return 1 (i.e. mount failure). This patch fixes it. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6b200155aefee405a74149df740fb92b10d727bc Author: KOSAKI Motohiro Date: Tue Mar 23 13:35:30 2010 -0700 tmpfs: mpol=bind:0 don't cause mount error. commit d69b2e63e9172afb4d07c305601b79a55509ac4c upstream. Currently, following mount operation cause mount error. % mount -t tmpfs -ompol=bind:0 none /tmp Because commit 71fe804b6d5 (mempolicy: use struct mempolicy pointer in shmem_sb_info) corrupted MPOL_BIND parse code. This patch restore the needed one. Signed-off-by: KOSAKI Motohiro Cc: Ravikiran Thirumalai Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6af438190daa4b53c1570c09244f99f2db447f78 Author: Ravikiran G Thirumalai Date: Tue Mar 23 13:35:28 2010 -0700 tmpfs: fix oops on mounts with mpol=default commit 413b43deab8377819aba1dbad2abf0c15d59b491 upstream. Fix an 'oops' when a tmpfs mount point is mounted with the mpol=default mempolicy. Upon remounting a tmpfs mount point with 'mpol=default' option, the mount code crashed with a null pointer dereference. The initial problem report was on 2.6.27, but the problem exists in mainline 2.6.34-rc as well. On examining the code, we see that mpol_new returns NULL if default mempolicy was requested. This 'NULL' mempolicy is accessed to store the node mask resulting in oops. The following patch fixes it. Signed-off-by: Ravikiran Thirumalai Signed-off-by: KOSAKI Motohiro Cc: Christoph Lameter Cc: Mel Gorman Acked-by: Lee Schermerhorn Cc: Hugh Dickins Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 68cd8670ee25e0d6b0a7472672dcd3843f70a1c6 Author: Stanislav Brabec Date: Tue Dec 8 21:00:22 2009 -0800 b44 WOL setup: one-bit-off stack corruption kernel panic fix commit e0188829cb724e7d12a2d4e343b368ff1d6e1471 upstream. About 50% of shutdowns of b44 Ethernet adapter ends by kernel panic with kernels compiled with stack-protector. Checking b44_magic_pattern() return values, one call of b44_magic_pattern() returns 127. It means, that set_bit(128, pmask) was called on line 1509. It means that bit 0 of 17th byte of pmask was overwritten. But pmask has only 16 bytes. Stack corruption happens. It seems that set_bit() on line 1509 always writes one bit off. The fix does not only solve the stack corruption, but also makes Wake On LAN working on my onboard B44 on Asus A7V-333X mainboard. It seems that this problem affects all kernel versions since commit 725ad800 ([PATCH] b44: add wol for old nic) on 2006-06-20. Signed-off-by: Stanislav Brabec Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 8314375b8f9447e74221ad2116121ca40cbfc1bb Author: Francesco Lavra Date: Thu Dec 31 08:47:11 2009 -0300 V4L/DVB (13961): em28xx-dvb: fix memleak in dvb_fini() commit 19f48cb105b7fa18d0dcab435919a3a29b7a7c4c upstream. this patch fixes a memory leak which occurs when an em28xx card with DVB extension is unplugged or its DVB extension driver is unloaded. In dvb_fini(), dev->dvb must be freed before being set to NULL, as is done in dvb_init() in case of error. Note that this bug is also present in the latest stable kernel release. Signed-off-by: Francesco Lavra Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 9776e39de376c2dd759f1d8d7f568111139b330e Author: Jiri Pirko Date: Fri Apr 24 03:57:29 2009 +0000 bonding: ignore updelay param when there is no active slave commit 41f8910040639eb106b1a5b5301aab79ecde4940 upstream. Pointed out by Sean E. Millichamp. Quote from Documentation/networking/bonding.txt: "Note that when a bonding interface has no active links, the driver will immediately reuse the first link that goes up, even if the updelay parameter has been specified (the updelay is ignored in this case). If there are slave interfaces waiting for the updelay timeout to expire, the interface that first went into that state will be immediately reused. This reduces down time of the network if the value of updelay has been overestimated, and since this occurs only in cases with no connectivity, there is no additional penalty for ignoring the updelay." This patch actually changes the behaviour in this way. Signed-off-by: Jiri Pirko Signed-off-by: David S. Miller Cc: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit cf1322b5bad073b5c39e2915d7cdbb15b6874321 Author: Neil Horman Date: Fri Mar 5 13:44:16 2010 -0800 coredump: suppress uid comparison test if core output files are pipes commit 76595f79d76fbe6267a51b3a866a028d150f06d4 upstream. Modify uid check in do_coredump so as to not apply it in the case of pipes. This just got noticed in testing. The end of do_coredump validates the uid of the inode for the created file against the uid of the crashing process to ensure that no one can pre-create a core file with different ownership and grab the information contained in the core when they shouldn' tbe able to. This causes failures when using pipes for a core dumps if the crashing process is not root, which is the uid of the pipe when it is created. The fix is simple. Since the check for matching uid's isn't relevant for pipes (a process can't create a pipe that the uermodehelper code will open anyway), we can just just skip it in the event ispipe is non-zero Reverts a pipe-affecting change which was accidentally made in : commit c46f739dd39db3b07ab5deb4e3ec81e1c04a91af : Author: Ingo Molnar : AuthorDate: Wed Nov 28 13:59:18 2007 +0100 : Commit: Linus Torvalds : CommitDate: Wed Nov 28 10:58:01 2007 -0800 : : vfs: coredumping fix Signed-off-by: Neil Horman Cc: Andi Kleen Cc: Oleg Nesterov Cc: Alan Cox Cc: Al Viro Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Cc: maximilian attems Signed-off-by: Greg Kroah-Hartman commit 4e6d03059d809ab08dd75c19203ccbdd94a58273 Author: Jiri Slaby Date: Wed Feb 10 20:55:16 2010 +0100 x86, ia32_aout: do not kill argument mapping commit 318f6b228ba88a394ef560efc1bfe028ad5ae6b6 upstream. Do not set current->mm->mmap to NULL in 32-bit emulation on 64-bit load_aout_binary after flush_old_exec as it would destroy already set brpm mapping with arguments. Introduced by b6a2fea39318e43fee84fa7b0b90d68bed92d2ba mm: variable length argument support where the argument mapping in bprm was added. [ hpa: this is a regression from 2.6.22... time to kill a.out? ] Signed-off-by: Jiri Slaby LKML-Reference: <1265831716-7668-1-git-send-email-jslaby@suse.cz> Cc: Ingo Molnar Cc: Thomas Gleixner Cc: Ollie Wild Cc: x86@kernel.org Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 9e7ad5ae520b5cc242f7840bb8750a02c7c590c1 Author: Al Viro Date: Tue Feb 16 18:09:36 2010 +0000 fix LOOKUP_FOLLOW on automount "symlinks" commit ac278a9c505092dd82077a2446af8f9fc0d9c095 upstream. Make sure that automount "symlinks" are followed regardless of LOOKUP_FOLLOW; it should have no effect on them. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit de2a051fb93911ce098404a46d46e5a1da652561 Author: Marcelo Tosatti Date: Thu Apr 16 08:30:44 2009 -0300 KVM: x86: check for cr3 validity in ioctl_set_sregs commit 59839dfff5eabca01cc4e20b45797a60a80af8cb upstream. Matt T. Yourst notes that kvm_arch_vcpu_ioctl_set_sregs lacks validity checking for the new cr3 value: "Userspace callers of KVM_SET_SREGS can pass a bogus value of cr3 to the kernel. This will trigger a NULL pointer access in gfn_to_rmap() when userspace next tries to call KVM_RUN on the affected VCPU and kvm attempts to activate the new non-existent page table root. This happens since kvm only validates that cr3 points to a valid guest physical memory page when code *inside* the guest sets cr3. However, kvm currently trusts the userspace caller (e.g. QEMU) on the host machine to always supply a valid page table root, rather than properly validating it along with the rest of the reloaded guest state." http://sourceforge.net/tracker/?func=detail&atid=893831&aid=2687641&group_id=180599 Check for a valid cr3 address in kvm_arch_vcpu_ioctl_set_sregs, triple fault in case of failure. Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 1f059b24d2a9f0f15766d0f77acaaa3c8a163a3a Author: Michael Buesch Date: Mon Jul 20 22:58:44 2009 +0000 parisc: isa-eeprom - Fix loff_t usage commit 6b4dbcd86a9d464057fcc7abe4d0574093071fcc upstream. loff_t is a signed type. If userspace passes a negative ppos, the "count" range check is weakened. "count"s bigger than HPEE_MAX_LENGTH will pass the check. Also, if ppos is negative, the readb(eisa_eeprom_addr + *ppos) will poke in random memory. Signed-off-by: Michael Buesch Signed-off-by: Helge Deller Signed-off-by: Greg Kroah-Hartman commit 910e88a0698da1f483603c603b04c780cb87dd08 Author: Eric Dumazet Date: Wed Sep 2 02:40:09 2009 +0000 tc: Fix unitialized kernel memory leak commit 16ebb5e0b36ceadc8186f71d68b0c4fa4b6e781b upstream. Three bytes of uninitialized kernel memory are currently leaked to user Signed-off-by: Eric Dumazet Reviewed-by: Jiri Pirko Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3807f5c31534736f3c23630b11bd4a259eaa46fd Author: Ben Hutchings Date: Sun Aug 23 16:59:04 2009 +0100 drm/r128: Add test for initialisation to all ioctls that require it commit 7dc482dfeeeefcfd000d4271c4626937406756d7 upstream. Almost all r128's private ioctls require that the CCE state has already been initialised. However, most do not test that this has been done, and will proceed to dereference a null pointer. This may result in a security vulnerability, since some ioctls are unprivileged. This adds a macro for the common initialisation test and changes all ioctl implementations that require prior initialisation to use that macro. Also, r128_do_init_cce() does not test that the CCE state has not been initialised already. Repeated initialisation may lead to a crash or resource leak. This adds that test. Signed-off-by: Ben Hutchings Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0a32cd3d6adbe5cbfdfb411e1b1fccceec75e36a Author: Avi Kivity Date: Tue Sep 1 12:03:25 2009 +0300 KVM: VMX: Check cpl before emulating debug register access commit 0a79b009525b160081d75cef5dbf45817956acf2 upstream. Debug registers may only be accessed from cpl 0. Unfortunately, vmx will code to emulate the instruction even though it was issued from guest userspace, possibly leading to an unexpected trap later. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit a3edfd184017a67b30080c1e0d46b91d7306b3d9 Author: Theodore Ts'o Date: Mon Jul 27 23:09:47 2009 -0400 ext4: Avoid null pointer dereference when decoding EROFS w/o a journal commit 78f1ddbb498283c2445c11b0dfa666424c301803 upstream. We need to check to make sure a journal is present before checking the journal flags in ext4_decode_error(). Signed-off-by: Eric Sesterhenn Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 8b91c56fd291670294e197bc2d25ba3844cc53fa Author: Avi Kivity Date: Tue Nov 24 13:20:15 2009 +0200 KVM: x86 emulator: limit instructions to 15 bytes commit eb3c79e64a70fb8f7473e30fa07e89c1ecc2c9bb upstream [ : backport to 2.6.27 ] While we are never normally passed an instruction that exceeds 15 bytes, smp games can cause us to attempt to interpret one, which will cause large latencies in non-preempt hosts. Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 6758be586812a95341a06b04e780fdde9c252ba2 Author: Alan Stern Date: Fri Jul 31 10:41:40 2009 -0400 USB: EHCI: fix counting of transaction error retries commit ef4638f955f2c4a667c8af20769d03f5ed3781ca upstream. This patch (as1274) simplifies the counting of transaction-error retries. Now we will count up from 0 to QH_XACTERR_MAX instead of down from QH_XACTERR_MAX to 0. The patch also fixes a small bug: qh->xacterr was not getting initialized for interrupt endpoints. Signed-off-by: Alan Stern Tested-by: Matthijs Kooijman Cc: Reinoud Koornstra Signed-off-by: Greg Kroah-Hartman commit ffa27b3ddf12952737dcf30b83e56e3da4e965bd Author: Linus Torvalds Date: Tue Feb 16 12:35:07 2010 -0800 USB: usbfs: properly clean up the as structure on error paths commit ddeee0b2eec2a51b0712b04de4b39e7bec892a53 upstream. I notice that the processcompl_compat() function seems to be leaking the 'struct async *as' in the error paths. I think that the calling convention is fundamentally buggered. The caller is the one that did the "reap_as()" to get the as thing, the caller should be the one to free it too. Freeing it in the caller also means that it very clearly always gets freed, and avoids the need for any "free in the error case too". From: Linus Torvalds Cc: Alan Stern Cc: Marcus Meissner Signed-off-by: Greg Kroah-Hartman commit 00400c98e8359ec5ecec199d66fbf25b944b8834 Author: Greg KH Date: Mon Feb 15 09:37:46 2010 -0800 USB: usbfs: only copy the actual data received commit d4a4683ca054ed9917dfc9e3ff0f7ecf74ad90d6 upstream. We need to only copy the data received by the device to userspace, not the whole kernel buffer, which can contain "stale" data. Thanks to Marcus Meissner for pointing this out and testing the fix. Reported-by: Marcus Meissner Tested-by: Marcus Meissner Cc: Alan Stern Cc: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 540a2c33ffcf76ac804668839b89d79b9cc3b831 Author: Dick Hollenbeck Date: Wed Dec 9 12:31:34 2009 -0800 serial: 8250: add serial transmitter fully empty test commit bca476139d2ded86be146dae09b06e22548b67f3 upstream. When controlling an industrial radio modem it can be necessary to manipulate the handshake lines in order to control the radio modem's transmitter, from userspace. The transmitter should not be turned off before all characters have been transmitted. serial8250_tx_empty() was reporting that all characters were transmitted before they actually were. === Discovered in parallel with more testing and analysis by Kees Schoenmakers as follows: I ran into an NetMos 9835 serial pci board which behaves a little different than the standard. This type of expansion board is very common. "Standard" 8250 compatible devices clear the 'UART_LST_TEMT" bit together with the "UART_LSR_THRE" bit when writing data to the device. The NetMos device does it slightly different I believe that the TEMT bit is coupled to the shift register. The problem is that after writing data to the device and very quickly after that one does call serial8250_tx_empty, it returns the wrong information. My patch makes the test more robust (and solves the problem) and it does not affect the already correct devices. Alan: We may yet need to quirk this but now we know which chips we have a way to do that should we find this breaks some other 8250 clone with dodgy THRE. Signed-off-by: Dick Hollenbeck Signed-off-by: Alan Cox Cc: Kees Schoenmakers Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 582ab0e1e4004672a389a10e2d1ed27edaff119e Author: Thadeu Lima de Souza Cascardo Date: Sun Jan 17 19:05:58 2010 +0100 i2c: Do not use device name after device_unregister In Linus' tree: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commit;h=c556752109794a5ff199b80a1673336b4df8433a dev_dbg outputs dev_name, which is released with device_unregister. This bug resulted in output like this: i2c Xy2�0: adapter [SMBus I801 adapter at 1880] unregistered The right output would be: i2c i2c-0: adapter [SMBus I801 adapter at 1880] unregistered Signed-off-by: Thadeu Lima de Souza Cascardo Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 77c68f845135db9396b4e227a92b5de10429071a Author: Salman Qazi Date: Thu Jun 4 15:20:39 2009 -0700 drivers/char/mem.c: avoid OOM lockup during large reads from /dev/zero commit 730c586ad5228c339949b2eb4e72b80ae167abc4 upstream. While running 20 parallel instances of dd as follows: #!/bin/bash for i in `seq 1 20`; do dd if=/dev/zero of=/export/hda3/dd_$i bs=1073741824 count=1 & done wait on a 16G machine, we noticed that rather than just killing the processes, the entire kernel went down. Stracing dd reveals that it first does an mmap2, which makes 1GB worth of zero page mappings. Then it performs a read on those pages from /dev/zero, and finally it performs a write. The machine died during the reads. Looking at the code, it was noticed that /dev/zero's read operation had been changed by 557ed1fa2620dc119adb86b34c614e152a629a80 ("remove ZERO_PAGE") from giving zero page mappings to actually zeroing the page. The zeroing of the pages causes physical pages to be allocated to the process. But, when the process exhausts all the memory that it can, the kernel cannot kill it, as it is still in the kernel mode allocating more memory. Consequently, the kernel eventually crashes. To fix this, I propose that when a fatal signal is pending during /dev/zero read operation, we simply return and let the user process die. Signed-off-by: Salman Qazi Cc: Nick Piggin Signed-off-by: Andrew Morton [ Modified error return and comment trivially. - Linus] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ecfb7fb9b13c617447a7f6b5925da26798c1a8a1 Author: Peter Zijlstra Date: Sat Sep 20 23:38:02 2008 +0200 sched: wakeup preempt when small overlap commit 15afe09bf496ae10c989e1a375a6b5da7bd3e16e upstream. Lin Ming reported a 10% OLTP regression against 2.6.27-rc4. The difference seems to come from different preemption agressiveness, which affects the cache footprint of the workload and its effective cache trashing. Aggresively preempt a task if its avg overlap is very small, this should avoid the task going to sleep and find it still running when we schedule back to it - saving a wakeup. Reported-by: Lin Ming Signed-off-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit aa7659a10684907bec7c0c6887f8755767fb8dea Author: Ingo Molnar Date: Fri Nov 7 16:09:23 2008 +0100 sched: fine-tune SD_SIBLING_INIT commit 52c642f33b14bfa1b00ef2b68296effb34a573f3 upstream. fine-tune the HT sched-domains parameters as well. On a HT capable box, this increases lat_ctx performance from 23.87 usecs to 1.49 usecs: # before $ ./lat_ctx -s 0 2 "size=0k ovr=1.89 2 23.87 # after $ ./lat_ctx -s 0 2 "size=0k ovr=1.84 2 1.49 Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit ab0fcb9bdab0106011209d5c8b873bdf0fbd1955 Author: Mike Galbraith Date: Fri Nov 7 15:26:50 2008 +0100 sched: fine-tune SD_MC_INIT commit 14800984706bf6936bbec5187f736e928be5c218 upstream. Tune SD_MC_INIT the same way as SD_CPU_INIT: unset SD_BALANCE_NEWIDLE, and set SD_WAKE_BALANCE. This improves vmark by 5%: vmark 132102 125968 125497 messages/sec avg 127855.66 .984 vmark 139404 131719 131272 messages/sec avg 134131.66 1.033 Signed-off-by: Mike Galbraith Acked-by: Peter Zijlstra Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 698051b7655e0289f7a49b4a7e363cb6cec10735 Author: Mike McCormack Date: Mon Sep 21 04:08:52 2009 +0000 sky2: Set SKY2_HW_RAM_BUFFER in sky2_init commit 74a61ebf653c6abe459f228eb40e9f24f7ef1fb7 upstream. The SKY2_HW_RAM_BUFFER bit in hw->flags was checked in sky2_mac_init(), before being set later in sky2_up(). Setting SKY2_HW_RAM_BUFFER in sky2_init() where other hw->flags are set should avoid this problem recurring. Signed-off-by: Mike McCormack Acked-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e965c3dcb699d946bf7faac5a6b0e3149ec66780 Author: Samuel Thibault Date: Thu Oct 1 15:44:02 2009 -0700 x86: fix csum_ipv6_magic asm memory clobber commit 392d814daf460a9564d29b2cebc51e1ea34e0504 upstream. Just like ip_fast_csum, the assembly snippet in csum_ipv6_magic needs a memory clobber, as it is only passed the address of the buffer, not a memory reference to the buffer itself. This caused failures in Hurd's pfinetv4 when we tried to compile it with gcc-4.3 (bogus checksums). Signed-off-by: Samuel Thibault Cc: Ingo Molnar Cc: Thomas Gleixner Cc: "H. Peter Anvin" Acked-by: "David S. Miller" Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7224283df47b5ff9f309371b60030f07037cd51e Author: Robert Varga Date: Tue Sep 15 23:49:21 2009 -0700 tcp: fix CONFIG_TCP_MD5SIG + CONFIG_PREEMPT timer BUG() commit 657e9649e745b06675aa5063c84430986cdc3afa upstream. I have recently came across a preemption imbalance detected by: <4>huh, entered ffffffff80644630 with preempt_count 00000102, exited with 00000101? <0>------------[ cut here ]------------ <2>kernel BUG at /usr/src/linux/kernel/timer.c:664! <0>invalid opcode: 0000 [1] PREEMPT SMP with ffffffff80644630 being inet_twdr_hangman(). This appeared after I enabled CONFIG_TCP_MD5SIG and played with it a bit, so I looked at what might have caused it. One thing that struck me as strange is tcp_twsk_destructor(), as it calls tcp_put_md5sig_pool() -- which entails a put_cpu(), causing the detected imbalance. Found on 2.6.23.9, but 2.6.31 is affected as well, as far as I can tell. Signed-off-by: Robert Varga Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f02363178930a9fb73c88f88c3c347d27d62a082 Author: Sascha Hlusiak Date: Tue Sep 29 11:27:05 2009 +0000 sit: fix off-by-one in ipip6_tunnel_get_prl commit 298bf12ddb25841804f26234a43b89da1b1c0e21 upstream. When requesting all prl entries (kprl.addr == INADDR_ANY) and there are more prl entries than there is space passed from userspace, the existing code would always copy cmax+1 entries, which is more than can be handled. This patch makes the kernel copy only exactly cmax entries. Signed-off-by: Sascha Hlusiak Acked-By: Fred L. Templin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 140d894f72c42b58de16c7587241fdd369fc81da Author: Miklos Szeredi Date: Fri Sep 11 11:31:45 2009 -0700 net: unix: fix sending fds in multiple buffers commit 8ba69ba6a324b13e1190fc31e41954d190fd4f1d upstream. Kalle Olavi Niemitalo reported that: "..., when one process calls sendmsg once to send 43804 bytes of data and one file descriptor, and another process then calls recvmsg three times to receive the 16032+16032+11740 bytes, each of those recvmsg calls returns the file descriptor in the ancillary data. I confirmed this with strace. The behaviour differs from Linux 2.6.26, where reportedly only one of those recvmsg calls (I think the first one) returned the file descriptor." This bug was introduced by a patch from me titled "net: unix: fix inflight counting bug in garbage collector", commit 6209344f5. And the reason is, quoting Kalle: "Before your patch, unix_attach_fds() would set scm->fp = NULL, so that if the loop in unix_stream_sendmsg() ran multiple iterations, it could not call unix_attach_fds() again. But now, unix_attach_fds() leaves scm->fp unchanged, and I think this causes it to be called multiple times and duplicate the same file descriptors to each struct sk_buff." Fix this by introducing a flag that is cleared at the start and set when the fds attached to the first buffer. The resulting code should work equivalently to the one on 2.6.26. Reported-by: Kalle Olavi Niemitalo Signed-off-by: Miklos Szeredi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d59e55cb2c8bc73f885de7242223849b3d051cd5 Author: Jarek Poplawski Date: Sun Sep 27 10:57:02 2009 +0000 ax25: Fix possible oops in ax25_make_new commit 8c185ab6185bf5e67766edb000ce428269364c86 upstream. In ax25_make_new, if kmemdup of digipeat returns an error, there would be an oops in sk_free while calling sk_destruct, because sk_protinfo is NULL at the moment; move sk->sk_destruct initialization after this. BTW of reported-by: Bernard Pidoux F6BVP Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88b60df09c5ce701e308e27932fcf1c8a6bc6375 Author: Alan Stern Date: Mon Feb 8 09:43:22 2010 -0500 EHCI: fix bug in keeping track of resuming ports This patch fixes a bug caused by backporting commit cec3a53c7fe794237b582e8e77fc0e48465e65ee (USB: EHCI & UHCI: fix race between root-hub suspend and port resume) to 2.6.27.stable without also backporting commit eafe5b99f2135488b21cf17a262c54997c44f784 (USB: EHCI: fix remote-wakeup support for ARC/TDI core). This extracts the necessary changes from the earlier patch and backports them. The symptom of the bug is that the system will fail to suspend more than once. The problem is caused by setting ehci->reset_done[i] but never clearing it. When ehci_bus_suspend() sees a nonzero value there, it assumes this means the port is in the middle of resuming so it aborts the bus suspend. Signed-off-by: Alan Stern Cc: Corey Wright Signed-off-by: Greg Kroah-Hartman commit e2db86fdddfbf179ebc8e717b50770cf7acf78b6 Author: Raimonds Cicans Date: Fri Nov 13 10:52:19 2009 +0000 r8169: Fix receive buffer length when MTU is between 1515 and 1536 commit 8812304cf1110ae16b0778680f6022216cf4716a upstream. In r8169 driver MTU is used to calculate receive buffer size. Receive buffer size is used to configure hardware incoming packet filter. For jumbo frames: Receive buffer size = Max frame size = MTU + 14 (ethernet header) + 4 (vlan header) + 4 (ethernet checksum) = MTU + 22 Bug: driver for all MTU up to 1536 use receive buffer size 1536 As you can see from formula, this mean all IP packets > 1536 - 22 (for vlan tagged, 1536 - 18 for not tagged) are dropped by hardware filter. Example: host_good> ifconfig eth0 mtu 1536 host_r8169> ifconfig eth0 mtu 1536 host_good> ping host_r8169 Ok host_good> ping -s 1500 host_r8169 Fail host_good> ifconfig eth0 mtu 7000 host_r8169> ifconfig eth0 mtu 7000 host_good> ping -s 1500 host_r8169 Ok Bonus: got rid of magic number 8 Signed-off-by: Raimonds Cicans Signed-off-by: David S. Miller Cc: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 5d0698d14afc8179e681d1baa6a76a814f8f2fcf Author: Jean Delvare Date: Tue Feb 9 18:33:29 2010 +0100 hwmon: (lm78) Fix I/O resource conflict with PNP This fix is the combination of the following two upstream patches: http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=197027e6ef830d60e10f76efc8d12bf3b6c35db5 http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=47c15532ddcd6818f51cb15f914d63864b3ee9ab Only request I/O ports 0x295-0x296 instead of the full I/O address range. This solves a conflict with PNP resources on a few motherboards. Also request the I/O ports individually during device detection, otherwise the PNP resource may cause the request (and thus the detection) fail. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 4594467f733524ec6ef31648b8f5b7fce1856852 Author: Peter Zijlstra Date: Wed Aug 20 09:31:26 2008 +0200 printk: robustify printk, fix #2 commit fa33507a22623b3bd543b15a21c362cf364b6cff upstream. Dmitry Adamushko reported: > [*] btw., with DEBUG being enabled, pr_debug() generates [1] when > debug_smp_processor_id() is used (CONFIG_DEBUG_PREEMPT). > > the problem seems to be caused by the following commit: > commit b845b517b5e3706a3729f6ea83b88ab85f0725b0 > Author: Peter Zijlstra > Date: Fri Aug 8 21:47:09 2008 +0200 > > printk: robustify printk > > > wake_up_klogd() -> __get_cpu_var() -> smp_processor_id() > > and that's being called from release_console_sem() which is, in turn, > said to be "may be called from any context" [2] > > and in this case, it seems to be called from some non-preemptible > context (although, it can't be printk()... > although, I haven't looked carefully yet). > > Provided [2], __get_cpu_var() is perhaps not the right solution there. > > > [1] > > [ 7697.942005] BUG: using smp_processor_id() in preemptible [00000000] code: syslogd/3542 > [ 7697.942005] caller is wake_up_klogd+0x1b/0x50 > [ 7697.942005] Pid: 3542, comm: syslogd Not tainted 2.6.27-rc3-tip-git #2 > [ 7697.942005] Call Trace: > [ 7697.942005] [] debug_smp_processor_id+0xe8/0xf0 > [ 7697.942005] [] wake_up_klogd+0x1b/0x50 > [ 7697.942005] [] release_console_sem+0x1e7/0x200 > [ 7697.942005] [] do_con_write+0xb7/0x1f30 > [ 7697.942005] [] ? show_trace+0x10/0x20 > [ 7697.942005] [] ? dump_stack+0x72/0x80 > [ 7697.942005] [] ? __ratelimit+0xbd/0xe0 > [ 7697.942005] [] ? debug_smp_processor_id+0xe8/0xf0 > [ 7697.942005] [] ? wake_up_klogd+0x1b/0x50 > [ 7697.942005] [] ? release_console_sem+0x1e7/0x200 > [ 7697.942005] [] con_write+0x19/0x30 > [ 7697.942005] [] write_chan+0x276/0x3c0 > [ 7697.942005] [] ? default_wake_function+0x0/0x10 > [ 7697.942005] [] ? _spin_lock_irqsave+0x22/0x50 > [ 7697.942005] [] tty_write+0x194/0x260 > [ 7697.942005] [] ? write_chan+0x0/0x3c0 > [ 7697.942005] [] redirected_tty_write+0xa4/0xb0 > [ 7697.942005] [] ? redirected_tty_write+0x0/0xb0 > [ 7697.942005] [] do_loop_readv_writev+0x52/0x80 > [ 7697.942005] [] do_readv_writev+0x1bd/0x1d0 > [ 7697.942005] [] vfs_writev+0x39/0x60 > [ 7697.942005] [] sys_writev+0x50/0x90 > [ 7697.942005] [] system_call_fastpath+0x16/0x1b Signed-off-by: Peter Zijlstra Reported-by: Dmitry Adamushko Signed-off-by: Ingo Molnar Cc: Paul Gortmaker Signed-off-by: Greg Kroah-Hartman commit 1626749d7bbbc00b362b632d993289128651d075 Author: Jiri Slaby Date: Thu Nov 19 17:16:37 2009 +0100 resource: add helpers for fetching rlimits commit 3e10e716abf3c71bdb5d86b8f507f9e72236c9cd upstream. We want to be sure that compiler fetches the limit variable only once, so add helpers for fetching current and maximal resource limits which do that. Add them to sched.h (instead of resource.h) due to circular dependency sched.h->resource.h->task_struct Alternative would be to create a separate res_access.h or similar. Signed-off-by: Jiri Slaby Cc: James Morris Cc: Heiko Carstens Cc: Andrew Morton Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 873b48a4cf4a64dd77faef25ddcf1651cef49a32 Author: Thomas Gleixner Date: Tue Feb 2 11:40:27 2010 +0100 futex: Handle user space corruption gracefully commit 51246bfd189064079c54421507236fd2723b18f3 upstream. If the owner of a PI futex dies we fix up the pi_state and set pi_state->owner to NULL. When a malicious or just sloppy programmed user space application sets the futex value to 0 e.g. by calling pthread_mutex_init(), then the futex can be acquired again. A new waiter manages to enqueue itself on the pi_state w/o damage, but on unlock the kernel dereferences pi_state->owner and oopses. Prevent this by checking pi_state->owner in the unlock path. If pi_state->owner is not current we know that user space manipulated the futex value. Ignore the mess and return -EINVAL. This catches the above case and also the case where a task hijacks the futex by setting the tid value and then tries to unlock it. Reported-by: Jermome Marchand Signed-off-by: Thomas Gleixner Acked-by: Darren Hart Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 268ec2564310a552681bcbfb412c35804c06efad Author: Thomas Gleixner Date: Wed Feb 3 09:33:05 2010 +0100 futex: Handle futex value corruption gracefully commit 59647b6ac3050dd964bc556fe6ef22f4db5b935c upstream. The WARN_ON in lookup_pi_state which complains about a mismatch between pi_state->owner->pid and the pid which we retrieved from the user space futex is completely bogus. The code just emits the warning and then continues despite the fact that it detected an inconsistent state of the futex. A conveniant way for user space to spam the syslog. Replace the WARN_ON by a consistency check. If the values do not match return -EINVAL and let user space deal with the mess it created. This also fixes the missing task_pid_vnr() when we compare the pi_state->owner pid with the futex value. Reported-by: Jermome Marchand Signed-off-by: Thomas Gleixner Acked-by: Darren Hart Acked-by: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 24fce8f6a79db04afef0c6118f6ecdcfec12ffc4 Author: Linus Torvalds Date: Sun Feb 7 10:11:23 2010 -0800 Fix race in tty_fasync() properly commit 80e1e823989ec44d8e35bdfddadbddcffec90424 upstream. This reverts commit 703625118069 ("tty: fix race in tty_fasync") and commit b04da8bfdfbb ("fnctl: f_modown should call write_lock_irqsave/ restore") that tried to fix up some of the fallout but was incomplete. It turns out that we really cannot hold 'tty->ctrl_lock' over calling __f_setown, because not only did that cause problems with interrupt disables (which the second commit fixed), it also causes a potential ABBA deadlock due to lock ordering. Thanks to Tetsuo Handa for following up on the issue, and running lockdep to show the problem. It goes roughly like this: - f_getown gets filp->f_owner.lock for reading without interrupts disabled, so an interrupt that happens while that lock is held can cause a lockdep chain from f_owner.lock -> sighand->siglock. - at the same time, the tty->ctrl_lock -> f_owner.lock chain that commit 703625118069 introduced, together with the pre-existing sighand->siglock -> tty->ctrl_lock chain means that we have a lock dependency the other way too. So instead of extending tty->ctrl_lock over the whole __f_setown() call, we now just take a reference to the 'pid' structure while holding the lock, and then release it after having done the __f_setown. That still guarantees that 'struct pid' won't go away from under us, which is all we really ever needed. Reported-and-tested-by: Tetsuo Handa Acked-by: Greg Kroah-Hartman Acked-by: Américo Wang Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ffa211737de4c26d0d6fd61091d59acfcac1d03a Author: Linus Torvalds Date: Fri Feb 5 16:16:50 2010 -0800 Fix potential crash with sys_move_pages commit 6f5a55f1a6c5abee15a0e878e5c74d9f1569b8b0 upstream. We incorrectly depended on the 'node_state/node_isset()' functions testing the node range, rather than checking it explicitly. That's not reliable, even if it might often happen to work. So do the proper explicit test. Reported-by: Marcus Meissner Acked-and-tested-by: Brice Goglin Acked-by: Hugh Dickins Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 69f4dd6978cc487e49360c50dce75a267a99f3d5 Author: Mika Westerberg Date: Tue Jan 26 17:47:05 2010 +0200 UBI: fix volume creation input checking commit c5ce5b46af76f52dea21f467397d24c4ae6cb3ff upstream. Do not use an unchecked variable UBI_IOCMKVOL ioctl. Signed-off-by: Mika Westerberg Signed-off-by: Artem Bityutskiy Signed-off-by: Greg Kroah-Hartman