commit 3846b8e059ac7461ee2ea121d3dff9b38e596e55 Author: Greg Kroah-Hartman Date: Thu Nov 13 09:56:21 2008 -0800 Linux 2.6.27.6 commit 91d0da3c88d130c03a16813aeee7dbedc539b017 Author: Jiri Kosina Date: Tue Nov 11 23:45:38 2008 +0100 HID: fix incorrent length condition in hidraw_write() upstream commit 2b107d629dc0c35de606bb7b010b829cd247a93a From: Jiri Kosina The bound check on the buffer length if (count > HID_MIN_BUFFER_SIZE) is of course incorrent, the proper check is if (count > HID_MAX_BUFFER_SIZE) Fix it. Reported-by: Jerry Ryle Signed-off-by: Jiri Kosina Cc: Paul Stoffregen Signed-off-by: Greg Kroah-Hartman commit 3c050502c4166dc12009f35eb41fabe9c900cd43 Author: Eric Sesterhenn Date: Wed Oct 15 22:04:11 2008 -0700 hfs: fix namelength memory corruption (CVE-2008-5025) commit d38b7aa7fc3371b52d036748028db50b585ade2e upstream Fix a stack corruption caused by a corrupted hfs filesystem. If the catalog name length is corrupted the memcpy overwrites the catalog btree structure. Since the field is limited to HFS_NAMELEN bytes in the structure and the file format, we throw an error if it is too long. Cc: Roman Zippel Signed-off-by: Eric Sesterhenn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5995f4d7e9419b62432eeb3a6dfa4c164d2def7e Author: Pierre Ossman Date: Sun Oct 26 12:37:25 2008 +0100 mmc: increase SD write timeout for crappy cards commit 493890e75d98810a3470b4aae23be628ee5e9667 upstream. It seems that some cards are slightly out of spec and occasionally will not be able to complete a write in the alloted 250 ms [1]. Incease the timeout slightly to allow even these cards to function properly. [1] http://lkml.org/lkml/2008/9/23/390 Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit e5cac99d60ed711440aa10d134300d5180d0356f Author: Rafael J. Wysocki Date: Sat Nov 8 13:53:33 2008 +0100 Fix __pfn_to_page(pfn) for CONFIG_DISCONTIGMEM=y commit c5d712433ff57a66d8fb79a57a4fc7a7c3467b97 upstream Fix the __pfn_to_page(pfn) macro so that it doesn't evaluate its argument twice in the CONFIG_DISCONTIGMEM=y case, because 'pfn' may be a result of a funtion call having side effects. For example, the hibernation code applies pfn_to_page(pfn) to the result of a function returning the pfn corresponding to the next set bit in a bitmap and the current bit position is modified on each call. This leads to "interesting" failures for CONFIG_DISCONTIGMEM=y due to the current behavior of __pfn_to_page(pfn). Signed-off-by: Rafael J. Wysocki Acked-by: Pavel Machek Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e3145e60d787d3178cdd2576ad158d254bbaf8f1 Author: Matthew Ranostay Date: Wed Nov 5 08:40:59 2008 +0100 ALSA: hda: make a STAC_DELL_EQ option commit 6b3ab21ef1ac15db4b053ce0ba8eae0ef9361c8a upstream. Add support for explicitly enabling the EQ distortion hack for systems without software biquad support. Signed-off-by: Matthew Ranostay Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d3f87e9d891c34cb073d7c08a9b014aa22e3b1cc Author: Tejun Heo Date: Tue Nov 4 17:08:40 2008 +0900 libata: fix last_reset timestamp handling commit 19b723218bde79c60a394a3caee9eb156ac2d356 upstream ehc->last_reset is used to ensure that resets are not issued too close to each other. It's initialized to jiffies minus one minute on EH entry. However, when new links are initialized after PMP is probed, new links have zero for this timestamp resulting in long wait depending on the current jiffies. This patch makes last_set considered iff ATA_EHI_DID_RESET is set, in which case last_reset is always initialized. As an added precaution, WARN_ON() is added so that warning is printed if last_reset is in future. This problem is spotted and debugged by Shane Huang. Signed-off-by: Tejun Heo Cc: Shane Huang Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 8d5dc6f7b2da3b6b108171b8051f18b6abc3ba1c Author: David Howells Date: Mon Nov 10 19:00:05 2008 +0000 KEYS: Make request key instantiate the per-user keyrings commit 1f8f5cf6e4f038552a3e47b66085452c08556d71 upstream Make request_key() instantiate the per-user keyrings so that it doesn't oops if it needs to get hold of the user session keyring because there isn't a session keyring in place. Signed-off-by: David Howells Tested-by: Steve French Tested-by: Rutger Nijlunsing Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5ce4391e9762079aa31f2b01a6eca3d9c3a39dc1 Author: Dmitry Baryshkov Date: Thu Oct 9 16:58:13 2008 +0100 ARM: 5300/1: fixup spitz reset during boot commit 69fc7eed5f56bce15b239e5110de2575a6970df4 upstream Some machines don't have the pullup/down on their reset pin, so configuring the reset generating pin as input makes them reset immediately. Fix that by making reset pin direction configurable. This fixes the boot problem on Sharp Zaurus c3000 Signed-off-by: Dmitry Baryshkov Signed-off-by: Russell King Signed-off-by: Pavel Machek Signed-off-by: Greg Kroah-Hartman commit a442c763d20e7716bd1b91dc33ba0e27e2a7fda0 Author: Shaohua Li Date: Thu Aug 28 10:02:03 2008 +0800 ACPI: dock: avoid check _STA method commit 8b59560a3baf2e7c24e0fb92ea5d09eca92805db upstream. In some BIOSes, every _STA method call will send a notification again, this cause freeze. And in some BIOSes, it appears _STA should be called after _DCK. This tries to avoid calls _STA, and still keep the device present check. http://bugzilla.kernel.org/show_bug.cgi?id=10431 Signed-off-by: Shaohua Li Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 6a58f99038956a40c9feb5abf7cef8d306c3cf03 Author: Andrey Borzenkov Date: Thu Nov 6 12:53:15 2008 -0800 cpqarry: fix return value of cpqarray_init() commit 2197d18ded232ef6eef63cce57b6b21eddf1b7b6 upstream. As reported by Dick Gevers on Compaq ProLiant: Oct 13 18:06:51 dvgcpl kernel: Compaq SMART2 Driver (v 2.6.0) Oct 13 18:06:51 dvgcpl kernel: sys_init_module: 'cpqarray'->init suspiciously returned 1, it should follow 0/-E convention Oct 13 18:06:51 dvgcpl kernel: sys_init_module: loading module anyway... Oct 13 18:06:51 dvgcpl kernel: Pid: 315, comm: modprobe Not tainted 2.6.27-desktop-0.rc8.2mnb #1 Oct 13 18:06:51 dvgcpl kernel: [] ? printk+0x18/0x1e Oct 13 18:06:51 dvgcpl kernel: [] sys_init_module+0x155/0x1c0 Oct 13 18:06:51 dvgcpl kernel: [] syscall_call+0x7/0xb Oct 13 18:06:51 dvgcpl kernel: ======================= Make it return 0 on success and -ENODEV if no array was found. Reported-by: Dick Gevers Signed-off-by: Andrey Borzenkov Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 273d474e0d8bb9f7ed7ceb9eaa245a09000ad1ed Author: Reinette Chatre Date: Tue Nov 4 12:21:35 2008 -0800 iwl3945: do not send scan command if channel count zero commit 14b5433606289dbc5b6fd70ced11462f80e95003 upstream. Do not send scan command if no channels to scan. This avoids a Microcode error as reported in: http://www.intellinuxwireless.org/bugzilla/show_bug.cgi?id=1650 http://bugzilla.kernel.org/show_bug.cgi?id=11806 http://marc.info/?l=linux-wireless&m=122437145211886&w=2 Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit fa3ae4e25ef883b608c76e22629085f94f7b8e70 Author: Zhu Yi Date: Tue Nov 4 12:21:36 2008 -0800 iwl3945: fix deadlock on suspend commit d54bc4e3fc5c56600a13c9ebc0a7e1077ac05d59 upstream. This patch fixes iwl3945 deadlock during suspend by moving notify_mac out of iwl3945 mutex. This is a portion of the same fix for iwlwifi by Tomas. Signed-off-by: Zhu Yi Signed-off-by: Tomas Winkler Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ee4bb188255d4226997a652910ae5d558cabe3de Author: Daniel Drake Date: Sat Nov 1 17:03:48 2008 +0000 zd1211rw: Add 2 device IDs commit 0feec9dfe7b8880ab3b4c38d7cc4107dd706ea7f upstream. 07fa/1196 Bewan BWIFI-USB54AR: Tested by night1308, this device is a ZD1211B with an AL2230S radio. 0ace/b215 HP 802.11abg: Tested by Robert Philippe Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit be5de0dfc3d3989e06dbef7a46b9550a2d635e5d Author: Tomas Winkler Date: Wed Sep 3 11:26:37 2008 +0800 iwlwifi: generic init calibrations framework commit 6e21f2c109edd746a10e08186484bae8168cdd0c upstream This patch allows variable number of init calibrations and allows addition new HW. This patch also fixes critical bug. Only last calibration result was applied. On reception of one calibration result all the calibration was freed. Signed-off-by: Tomas Winkler Signed-off-by: Emmanuel Grumbach Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit c23adf489331cfc87b6f7124510873c0f0ed0e48 Author: Tomas Winkler Date: Wed Oct 29 01:03:01 2008 +0200 iwlwifi: fix suspend to RAM in iwlwifi commit 10d0bd56966571d0324dfd9bbb8aa913a60bef5f upstream This patch fixes suspend to RAM after by moving notify_mac out of iwlwifi mutex http://bugzilla.kernel.org/show_bug.cgi?id=11845 Signed-off-by: Emmanuel Grumbach Signed-off-by: Tomas Winkler Tested-by: Carlos R. Mafra Tested-by: Christian Borntraeger Cc: Rafael J. Wysocki Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7112a2544f238505c7f04c652040b0689bd97681 Author: Tomas Winkler Date: Fri Sep 26 15:09:34 2008 +0800 iwlwifi: use correct DMA_MASK commit 093d874c02e8d3091aa38596faf0ff2bfd4f0ceb upstream Use correct DMA_MASK: 4964 and 5000 support 36 bit addresses for pci express memory access. Signed-off-by: Tomas Winkler Signed-off-by: Zhu Yi Signed-off-by: John W. Linville commit 43eb69c8861772c281b42f47c568c80e224d19d5 Author: Tomas Winkler Date: Wed Sep 24 13:57:46 2008 +0800 iwlwifi: don't fail if scan is issued too early commit 8d09a5e1c36d0dec5728e6c8b0bb5412de09b27b upstream This patch returns success and empty scan on scans requests that were rejected because issued too early. The cached bss list from previous scanning will be returned by mac80211. Signed-off-by: Tomas Winkler Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a11e79100dd97d39cd88539046252961d4de9477 Author: Emmanuel Grumbach Date: Wed Sep 17 10:10:05 2008 +0800 iwlwifi: remove HT flags from RXON when not in HT anymore commit 42eb7c644afcdbcd7eac4d862046230856fbf531 upstream. This patch removes the HT flags from RXON when moving from HT to legacy. This avoids keeping those flags set and possibly miss configuring firmware. If we are configured in HT, fat channel: channel 1 above, and move later to legacy channel 11, we need to clear the FAT channel control flags in RXON. If we don't, the firmware will understand this as channel 11 above which is not possible due to regulatory constraints, leading to firmware crash. Signed-off-by: Emmanuel Grumbach Reviewed-by: Tomas Winkler Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 650acda5923076991d9d05dd45e1adb4453970b7 Author: Emmanuel Grumbach Date: Wed Sep 3 11:26:50 2008 +0800 iwlwifi: allow association on radar channel in power save commit c90a74bae10dc2a4677d1bd06b6400db229d3e1e upstream This patch disables power save upon association and enables it back after association. This allows to associate to AP on a radar channel if power save is enabled. Radar and passive channels are not allowed for TX (required for association) unless RX is received but PS may close the radio and no RX will be received effectively failing association. Signed-off-by: Emmanuel Grumbach Signed-off-by: Mohamed Abbas Signed-off-by: Tomas Winkler Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 41ab059a4ee6c9ab9d8d225bb24b2e457621737f Author: Ron Rindjunsky Date: Wed Sep 3 11:26:25 2008 +0800 iwlwifi: allow consecutive scans in unassociated state commit 681c0050ea3ac2e90c83d5af397d73eed848a372 upstream This patch allows consecutive scans requests when driver is in unassociated state. Signed-off-by: Ron Rindjunsky Signed-off-by: Esti Kummer Signed-off-by: Tomas Winkler Signed-off-by: Zhu Yi Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d10652e61d42ef3d21137252872e2182e5937768 Author: Dan Williams Date: Tue Nov 11 17:50:03 2008 +0000 dca: fixup initialization dependency commit 1207e795568a368928dfd23d6817e47f2e8097e3 upstream Mark dca_init as a subsys_initcall since it needs to be ready to go before dependent drivers start registering themselves. Reported-and-tested-by: Mark Rustad Acked-by: Maciej Sosnowski Signed-off-by: Dan Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d2edcdc5ad15bc5565e1e968cc43ed90c5c0a9e4 Author: Maciej Sosnowski Date: Tue Nov 11 17:50:05 2008 +0000 I/OAT: fix async_tx.callback checking commit 12ccea24e309d815d058cdc6ee8bf2c4b85f0c5f upstream async_tx.callback should be checked for the first not the last descriptor in the chain. Signed-off-by: Maciej Sosnowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 33cfbb0629d7e08875f23ceeff21c4067a0937e5 Author: Maciej Sosnowski Date: Tue Nov 11 17:50:07 2008 +0000 I/OAT: fix dma_pin_iovec_pages() error handling commit c2c0b4c5434c0a25f7f7796b29155d53805909f5 upstream Error handling needs to be modified in dma_pin_iovec_pages(). It should return NULL instead of ERR_PTR (pinned_list is checked for NULL in tcp_recvmsg() to determine if iovec pages have been successfully pinned down). In case of error for the first iovec, local_list->nr_iovecs needs to be initialized. Signed-off-by: Maciej Sosnowski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit faa895b7004d19540d6da360b8e9ae22119aa61d Author: Maciej Sosnowski Date: Tue Nov 11 17:50:09 2008 +0000 I/OAT: fix channel resources free for not allocated channels commit c3d4f44f50b65b0b0290e357f8739cfb3f4bcaca upstream If the ioatdma driver is loaded but not used it does not allocate descriptors. Before it frees channel resources it should first be sure that they have been previously allocated. Signed-off-by: Maciej Sosnowski Tested-by: Tom Picard Signed-off-by: Dan Williams Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 366c22cf9d9dd7cdcbb7c14bed44e91018672cda Author: Francois Romieu Date: Sat Nov 8 12:06:09 2008 +0100 r8169: wake up the PHY of the 8168 Upstream as a2de6b89b74b28052e293fdb39975a5a03c432e0 This is typically needed when some other OS puts the PHY to sleep due to the disabling of WOL options in the BIOS of the system. Signed-off-by: Francois Romieu Tested-by: Chiaki Ishikawa Cc: Edward Hsu Cc: RyanKao Signed-off-by: Greg Kroah-Hartman commit 6269b8494da80250422ed8ce4e6ee7126c0010aa Author: Francois Romieu Date: Sat Nov 8 12:04:42 2008 +0100 r8169: fix RxMissed register access Upstream as 523a609496dbc3897e530db2a2f27650d125ea00 - the register is defined for the 8169 chipset only and there is no 8169 beyond RTL_GIGA_MAC_VER_06. - only the lower 3 bytes of the register are valid Fixes: 1. http://bugzilla.kernel.org/show_bug.cgi?id=10180 2. http://bugzilla.kernel.org/show_bug.cgi?id=11062 (bits of) Tested by Hermann Gausterer and Adam Huffman. Signed-off-by: Francois Romieu Cc: Edward Hsu Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 38d501ca6eb1f05d238bef785e51ca71dbfe0115 Author: Francois Romieu Date: Sat Nov 8 12:03:09 2008 +0100 r8169: get ethtool settings through the generic mii helper Upstream as ccdffb9a88b2907b159538d7bfd6256621db4f84 (post 2.6.27). It avoids to report unsupported link capabilities with the fast-ethernet only 8101/8102. Signed-off-by: Francois Romieu Tested-by: Martin Capitanio Fixed-by: Ivan Vecera Cc: Edward Hsu Signed-off-by: Greg Kroah-Hartman commit dc56d50c44eb80aca5ce60e881c6444f39c82461 Author: Miklos Szeredi Date: Sun Nov 9 19:50:02 2008 +0000 net: unix: fix inflight counting bug in garbage collector commit 6209344f5a3795d34b7f2c0061f49802283b6bdd upstream Previously I assumed that the receive queues of candidates don't change during the GC. This is only half true, nothing can be received from the queues (see comment in unix_gc()), but buffers could be added through the other half of the socket pair, which may still have file descriptors referring to it. This can result in inc_inflight_move_tail() erronously increasing the "inflight" counter for a unix socket for which dec_inflight() wasn't previously called. This in turn can trigger the "BUG_ON(total_refs < inflight_refs)" in a later garbage collection run. Fix this by only manipulating the "inflight" counter for sockets which are candidates themselves. Duplicating the file references in unix_attach_fds() is also needed to prevent a socket becoming a candidate for GC while the skb that contains it is not yet queued. Reported-by: Andrea Bittau Signed-off-by: Miklos Szeredi Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c17e612bc777ee07543e076ebb149b8a71fc1217 Author: Alok Kataria Date: Fri Nov 7 00:08:46 2008 +0000 x86: don't use tsc_khz to calculate lpj if notsc is passed commit 70de9a97049e0ba79dc040868564408d5ce697f9 upstream Impact: fix udelay when "notsc" boot parameter is passed With notsc passed on commandline, tsc may not be used for udelays, make sure that we do not use tsc_khz to calculate the lpj value in such cases. Reported-by: Bartlomiej Zolnierkiewicz Signed-off-by: Alok N Kataria Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f654ba2b551cecdb3cb4293c40a0e05f033564df Author: Eric W. Biederman Date: Fri Nov 7 00:08:33 2008 +0000 MTD: [NOR] Fix cfi_send_gen_cmd handling of x16 devices in x8 mode (v4) commit 467622ef2acb01986eab37ef96c3632b3ea35999 upstream For "unlock" cycles to 16bit devices in 8bit compatibility mode we need to use the byte addresses 0xaaa and 0x555. These effectively match the word address 0x555 and 0x2aa, except the latter has its low bit set. Most chips don't care about the value of the 'A-1' pin in x8 mode, but some -- like the ST M29W320D -- do. So we need to be careful to set it where appropriate. cfi_send_gen_cmd is only ever passed addresses where the low byte is 0x00, 0x55 or 0xaa. Of those, only addresses ending 0xaa are affected by this patch, by masking in the extra low bit when the device is known to be in compatibility mode. [dwmw2: Do it only when (cmd_ofs & 0xff) == 0xaa] v4: Fix stupid typo in cfi_build_cmd_addr that failed to compile I'm writing this patch way to late at night. v3: Bring all of the work back into cfi_build_cmd_addr including calling of map_bankwidth(map) and cfi_interleave(cfi) So every caller doesn't need to. v2: Only modified the address if we our device_type is larger than our bus width. Signed-off-by: Eric W. Biederman Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 0425d0a8eddbe8065a5ca705340646b7ad3d34a6 Author: Dan Williams Date: Fri Nov 7 00:07:15 2008 +0000 ARM: xsc3: fix xsc3_l2_inv_range commit c7cf72dcadbe39c2077b32460f86c9f8167be3be upstream When 'start' and 'end' are less than a cacheline apart and 'start' is unaligned we are done after cleaning and invalidating the first cacheline. So check for (start < end) which will not walk off into invalid address ranges when (start > end). This issue was caught by drivers/dma/dmatest. 2.6.27 is susceptible. Cc: Cc: Haavard Skinnemoen Cc: Lothar Wafmann Cc: Lennert Buytenhek Cc: Eric Miao Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit ffda96ca180ee1def996fd9a63c5a3d620caf223 Author: David Woodhouse Date: Fri Nov 7 00:08:59 2008 +0000 JFFS2: Fix lack of locking in thread_should_wake() commit b27cf88e9592953ae292d05324887f2f44979433 upstream The thread_should_wake() function trawls through the list of 'very dirty' eraseblocks, determining whether the background GC thread should wake. Doing this without holding the appropriate locks is a bad idea. OLPC Trac #8615 Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit a414c208c07d29b404d07665ea6ab1bc564ade42 Author: Geert Uytterhoeven Date: Fri Nov 7 00:08:19 2008 +0000 JFFS2: fix race condition in jffs2_lzo_compress() commit dc8a0843a435b2c0891e7eaea64faaf1ebec9b11 upstream deflate_mutex protects the globals lzo_mem and lzo_compress_buf. However, jffs2_lzo_compress() unlocks deflate_mutex _before_ it has copied out the compressed data from lzo_compress_buf. Correct this by moving the mutex unlock after the copy. In addition, document what deflate_mutex actually protects. Signed-off-by: Geert Uytterhoeven Acked-by: Richard Purdie Signed-off-by: Andrew Morton Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 4ad8ad6f94ed1eb8abcb5a4001cef9da92bc84c2 Author: Neil Brown Date: Fri Nov 7 00:08:12 2008 +0000 md: fix bug in raid10 recovery. commit a53a6c85756339f82ff19e001e90cfba2d6299a8 upstream Adding a spare to a raid10 doesn't cause recovery to start. This is due to an silly type in commit 6c2fce2ef6b4821c21b5c42c7207cb9cf8c87eda and so is a bug in 2.6.27 and .28-rc. Thanks to Thomas Backlund for bisecting to find this. Cc: Thomas Backlund Cc: George Spelvin Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 83e387d13a81dab114b5f818f3c4abafcb9c7d2c Author: Andre Noll Date: Fri Nov 7 00:07:46 2008 +0000 md: linear: Fix a division by zero bug for very small arrays. commit f1cd14ae52985634d0389e934eba25b5ecf24565 upstream Date: Thu, 6 Nov 2008 19:41:24 +1100 Subject: md: linear: Fix a division by zero bug for very small arrays. We currently oops with a divide error on starting a linear software raid array consisting of at least two very small (< 500K) devices. The bug is caused by the calculation of the hash table size which tries to compute sector_div(sz, base) with "base" being zero due to the small size of the component devices of the array. Fix this by requiring the hash spacing to be at least one which implies that also "base" is non-zero. This bug has existed since about 2.6.14. Signed-off-by: Andre Noll Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit e61227530bdc9092c938a6150edcddb28f3042f6 Author: Mike Miller Date: Thu Nov 6 23:59:04 2008 +0000 cciss: new hardware support commit 77ca7286d10b798e4907af941f29672bf484db77 upstream cciss: new hardware support Add support for 2 new SAS/SATA controllers. Signed-off-by: Mike Miller Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dc511ed9822d50bb1d4d5d56ec7a99964e390be2 Author: Mike Miller Date: Fri Nov 7 00:06:50 2008 +0000 cciss: fix sysfs broken symlink regression commit 404443081ce5e6f68b5f7eda16c959835ff200c0 upstream Regression introduced by commit 6ae5ce8e8d4de666f31286808d2285aa6a50fa40 ("cciss: remove redundant code"). This patch fixes a broken symlink in sysfs that was introduced by the above commit. We broke it in 2.6.27-rc on or about 20080804. Some installers are broken if this symlink does not exist and they may not detect the logical drives configured on the controller. It does not require being backported into 2.6.26.x or earlier kernels. Signed-off-by: Mike Miller Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c275e82ea1b933e732769b5efd98d39411412888 Author: Mike Miller Date: Fri Nov 7 00:06:36 2008 +0000 cciss: fix regression firmware not displayed in procfs commit 22bece00dc1f28dd3374c55e464c9f02eb642876 upstream This regression was introduced by commit 6ae5ce8e8d4de666f31286808d2285aa6a50fa40 ("cciss: remove redundant code"). This patch fixes a regression where the controller firmware version is not displayed in procfs. The previous patch would be called anytime something changed. This will get called only once for each controller. Signed-off-by: Mike Miller Cc: FUJITA Tomonori Cc: Jens Axboe Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 70e6b95d14d2f7f5202be36a808e7085a0f4ea96 Author: Andy Whitcroft Date: Fri Nov 7 00:06:24 2008 +0000 hugetlbfs: handle pages higher order than MAX_ORDER commit 69d177c2fc702d402b17fdca2190d5a7e3ca55c5 upstream When working with hugepages, hugetlbfs assumes that those hugepages are smaller than MAX_ORDER. Specifically it assumes that the mem_map is contigious and uses that to optimise access to the elements of the mem_map that represent the hugepage. Gigantic pages (such as 16GB pages on powerpc) by definition are of greater order than MAX_ORDER (larger than MAX_ORDER_NR_PAGES in size). This means that we can no longer make use of the buddy alloctor guarentees for the contiguity of the mem_map, which ensures that the mem_map is at least contigious for maximmally aligned areas of MAX_ORDER_NR_PAGES pages. This patch adds new mem_map accessors and iterator helpers which handle any discontiguity at MAX_ORDER_NR_PAGES boundaries. It then uses these to implement gigantic page versions of copy_huge_page and clear_huge_page, and to allow follow_hugetlb_page handle gigantic pages. Signed-off-by: Andy Whitcroft Cc: Jon Tollefson Cc: Mel Gorman Cc: Nick Piggin Cc: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds commit 75187a3094a68015582b344161c18b86ab60e665 Author: Andy Whitcroft Date: Fri Nov 7 00:06:05 2008 +0000 hugetlb: pull gigantic page initialisation out of the default path commit 18229df5b613ed0732a766fc37850de2e7988e43 upstream As we can determine exactly when a gigantic page is in use we can optimise the common regular page cases by pulling out gigantic page initialisation into its own function. As gigantic pages are never released to buddy we do not need a destructor. This effectivly reverts the previous change to the main buddy allocator. It also adds a paranoid check to ensure we never release gigantic pages from hugetlbfs to the main buddy. Signed-off-by: Andy Whitcroft Cc: Jon Tollefson Cc: Mel Gorman Cc: Nick Piggin Cc: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 880eaf154bc95220798e85802cdd9cb6534ee7a7 Author: Li Zefan Date: Fri Nov 7 00:05:48 2008 +0000 cgroups: fix invalid cgrp->dentry before cgroup has been completely removed commit 24eb089950ce44603b30a3145a2c8520e2b55bb1 upstream This fixes an oops when reading /proc/sched_debug. A cgroup won't be removed completely until finishing cgroup_diput(), so we shouldn't invalidate cgrp->dentry in cgroup_rmdir(). Otherwise, when a group is being removed while cgroup_path() gets called, we may trigger NULL dereference BUG. The bug can be reproduced: # cat test.sh #!/bin/sh mount -t cgroup -o cpu xxx /mnt for (( ; ; )) { mkdir /mnt/sub rmdir /mnt/sub } # ./test.sh & # cat /proc/sched_debug BUG: unable to handle kernel NULL pointer dereference at 00000038 IP: [] cgroup_path+0x39/0x90 .. Call Trace: [] ? print_cfs_rq+0x6e/0x75d [] ? sched_debug_show+0x72d/0xc1e .. Signed-off-by: Li Zefan Acked-by: Paul Menage Cc: Peter Zijlstra Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c27c4b666ddf7a36b6f20c9b809217157496b36b Author: Yinghai Lu Date: Tue Sep 23 00:35:33 2008 -0700 x86: fix macro with bad_bios_dmi_table commit a8b71a2810386a5ac8f43d2095fe3355f0d8db37 upstream. DMI tables need a blank NULL tail. fixes the crash on Ingo's test box. Signed-off-by: Yinghai Lu Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 5c371b31be32033b0a4a993431484da8a2305369 Author: Yinghai Lu Date: Mon Sep 22 02:52:26 2008 -0700 x86: fix CONFIG_X86_RESERVE_LOW_64K=y commit 2216d199b1430d1c0affb1498a9ebdbd9c0de439 upstream The bad_bios_dmi_table() quirk never triggered because we do DMI setup too late. Move it a bit earlier. Also change the CONFIG_X86_RESERVE_LOW_64K quirk to operate on the e820 table directly instead of messing with early reservations - this handles overlaps (which do occur in this low range of RAM) more gracefully. Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 093327cb21660a2f0c028c9c8550b2808600281f Author: Ingo Molnar Date: Tue Sep 16 10:07:34 2008 +0200 x86: add X86_RESERVE_LOW_64K commit fc38151947477596aa27df6c4306ad6008dc6711 upstream. This bugzilla: http://bugzilla.kernel.org/show_bug.cgi?id=11237 Documents a wide range of systems where the BIOS utilizes the first 64K of physical memory during suspend/resume and other hardware events. Currently we reserve this memory on all AMI and Phoenix BIOS systems. Life is too short to hunt subtle memory corruption problems like this, so we try to be robust by default. Still, allow this to be overriden: allow users who want that first 64K of memory to be available to the kernel disable the quirk, via CONFIG_X86_RESERVE_LOW_64K=n. Also, allow the early reservation to overlap with other early reservations. Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 41943efb7cff566ad1f6334bbddbb8b8a4bfeb59 Author: Ingo Molnar Date: Tue Sep 16 09:58:02 2008 +0200 x86: reserve low 64K on AMI and Phoenix BIOS boxen commit 1e22436eba84edfec9c25e5a25d09062c4f91ca9 upstream there's multiple reports about suspend/resume related low memory corruption in this bugzilla: http://bugzilla.kernel.org/show_bug.cgi?id=11237 the common pattern is that the corruption is caused by the BIOS, and that it affects some portion of the first 64K of physical RAM. So add a DMI quirk This will waste 64K RAM on 'good' systems too, but without knowing the exact nature of this BIOS memory corruption this is the safest approach. This might as well solve a wide range of suspend/resume breakages under Linux. Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 71556e929b5666bc03750402ce30e3c61cd5148e Author: Ingo Molnar Date: Tue Sep 16 09:29:09 2008 +0200 x86: add DMI quirk for AMI BIOS which corrupts address 0xc000 during resume commit 5649b7c30316a51792808422ac03ee825d26aa5e upstream Alan Jenkins and Andy Wettstein reported a suspend/resume memory corruption bug and extensively documented it here: http://bugzilla.kernel.org/show_bug.cgi?id=11237 The bug is that the BIOS overwrites 1K of memory at 0xc000 physical, without registering it in e820 as reserved or giving the kernel any idea about this. Detect AMI BIOSen and reserve that 1K. We paint this bug around with a very broad brush (reserving that 1K on all AMI BIOS systems), as the bug was extremely hard to find and needed several weeks and lots of debugging and patching. The bug was found via the CONFIG_X86_CHECK_BIOS_CORRUPTION=y debug feature, if similar bugs are suspected then this feature can be enabled on other systems as well to scan low memory for corrupted memory. Reported-by: Alan Jenkins Reported-by: Andy Wettstein Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit a0b8bfb34743b6e6c2bb06ad5a270590d90270f7 Author: Arthur Jones Date: Fri Nov 7 00:05:17 2008 +0000 ext3: wait on all pending commits in ext3_sync_fs commit c87591b719737b4e91eb1a9fa8fd55a4ff1886d6 upstream In ext3_sync_fs, we only wait for a commit to finish if we started it, but there may be one already in progress which will not be synced. In the case of a data=ordered umount with pending long symlinks which are delayed due to a long list of other I/O on the backing block device, this causes the buffer associated with the long symlinks to not be moved to the inode dirty list in the second phase of fsync_super. Then, before they can be dirtied again, kjournald exits, seeing the UMOUNT flag and the dirty pages are never written to the backing block device, causing long symlink corruption and exposing new or previously freed block data to userspace. This can be reproduced with a script created by Eric Sandeen : #!/bin/bash umount /mnt/test2 mount /dev/sdb4 /mnt/test2 rm -f /mnt/test2/* dd if=/dev/zero of=/mnt/test2/bigfile bs=1M count=512 touch /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename ln -s /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename /mnt/test2/link umount /mnt/test2 mount /dev/sdb4 /mnt/test2 ls /mnt/test2/ umount /mnt/test2 To ensure all commits are synced, we flush all journal commits now when sync_fs'ing ext3. Signed-off-by: Arthur Jones Cc: Eric Sandeen Cc: Theodore Ts'o Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman