commit fd809bdcd9d00485236a51d647d12df4dd0fcbd6 Author: Greg Kroah-Hartman Date: Mon Mar 16 17:50:03 2009 -0700 Linux 2.6.28.8 commit a38a2580ee7611009d32c9ad5cb2def518a1c959 Author: Jean Delvare Date: Fri Mar 13 13:34:04 2009 +0100 hwmon: (it87) Properly decode -128 degrees C temperature commit e267d25005c861fe6afda343f044536342c9f8b4 upstream The it87 driver is reporting -128 degrees C as +128 degrees C. That's not a terribly likely temperature value but let's still get it right, especially when it simplifies the code. Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit b32cda4f0a78dd1d0e5a5ccde94c8aeb3e1370ec Author: Ralf Baechle Date: Thu Mar 5 11:45:48 2009 +0100 MIPS: compat: Implement is_compat_task. commit 4302e5d53b9166d45317e3ddf0a7a9dab3efd43b upstream. This is a build fix required after "x86-64: seccomp: fix 32/64 syscall hole" (commit 5b1017404aea6d2e552e991b3fd814d839e9cd67). MIPS doesn't have the issue that was fixed for x86-64 by that patch. This also doesn't solve the N32 issue which is that N32 seccomp processes will be treated as non-compat processes thus only have access to N64 syscalls. Signed-off-by: Ralf Baechle Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4bf9eb6fde5a5ed33f273be98bc9b0225e0a2edb Author: Eric Anholt Date: Wed Dec 17 22:32:14 2008 -0800 drm/i915: Add missing userland definitions for gem init/execbuffer. commit 8d391aa410ecb230fc4c3147b94eec25b9f3c20f upstream. fdo bug #19132. Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 0373f108ad756a1bf8d4c92de903f639d9125198 Author: Jean Delvare Date: Sat Feb 21 12:00:20 2009 +0100 hwmon: (f71882fg) Hide misleading error message commit 603eaa1bdd3e0402085e815cc531bb0a32827a9e upstream If the F71882FG chip is at address 0x4e, then the probe at 0x2e will fail with the following message in the logs: f71882fg: Not a Fintek device This is misleading because there is a Fintek device, just at a different address. So I propose to degrade this message to a debug message. Signed-off-by: Jean Delvare Acked-by: Hans de Goede commit 604fcaf3c3a78df2f43564d8f37d0e254a59e62e Author: Herbert Xu Date: Wed Jan 28 14:09:59 2009 +1100 crypto: api - Fix algorithm test race that broke aead initialisation commit b8e15992b420d09dae831125a623c474c8637cee upstream. When we complete a test we'll notify everyone waiting on it, drop the mutex, and then remove the test larval (after reacquiring the mutex). If one of the notified parties tries to register another algorithm with the same driver name prior to the removal of the test larval, they will fail with EEXIST as only one algorithm of a given name can be tested at any time. This broke the initialisation of aead and givcipher algorithms as they will register two algorithms with the same driver name, in sequence. This patch fixes the problem by marking the larval as dead before we drop the mutex, and also ignoring all dead or dying algorithms on the registration path. Tested-by: Andreas Steffen Signed-off-by: Herbert Xu Cc: Kerin Millar Signed-off-by: Greg Kroah-Hartman commit 90a2a0f6ecc8bfe5994043661efb938583c0a2c1 Author: Henrique de Moraes Holschuh Date: Tue Feb 24 11:48:18 2009 -0300 ACPI: fix broken usage of acpi_ut_get_node_name() This issue was fixed indirectly in mainline by commit 60a4ce7f4148155d3f28eea4a213f7ee47cd57b7. acpi_ut_get_node_name() returns a four char fixed-size array, not NULL-terminated. This is the minimal fix for stable 2.6.28. Signed-off-by: Henrique de Moraes Holschuh Cc: stable@kernel.org Acked-by: Lin Ming Acked-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 7f1c57aed4c5c3f3f61c82b4d7dc8bf8705df6f0 Author: Henrique de Moraes Holschuh Date: Tue Feb 24 11:48:17 2009 -0300 ACPI: fix broken usage of name.ascii This issue was fixed indirectly in mainline by commit 0175d562a29ad052c510782c7e76bc63d5155b9b. acpi_namespace_node's name.ascii field is four chars, and not NULL- terminated except by pure luck. So, it cannot be used by sscanf() without a length restriction. This is the minimal fix for both stable 2.6.27 and 2.6.28. Signed-off-by: Henrique de Moraes Holschuh Cc: Lin Ming Cc: Len Brown Signed-off-by: Greg Kroah-Hartman commit cbbfd37dee2249103a71accc4d1839d842473d9e Author: Roel Kluin Date: Wed Feb 25 21:24:40 2009 +0100 i2c: Fix misplaced parentheses commit f29d2e0275a4f03ef2fd158e484508dcb0c64efb upstream Fix misplaced parentheses. Signed-off-by: Roel Kluin Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit da1691723de56d42dd809be15f309d2ba45cfdcc Author: Roel Kluin Date: Wed Feb 25 21:26:21 2009 +0100 i2c: Timeouts reach -1 commit a746b578d8406b2db0e9f0d040061bc1f78433cf upstream With a postfix decrement these timeouts reach -1 rather than 0, but after the loop it is tested whether they have become 0. As pointed out by Jean Delvare, the condition we are waiting for should also be tested before the timeout. With the current order, you could exit with a timeout error while the job is actually done. Signed-off-by: Roel Kluin Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit dabfaa8e99183fdff08d831acebde97a79ffb5dd Author: Russell King Date: Wed Feb 25 21:34:07 2009 +0100 ARM: Add i2c_board_info for RiscPC PCF8583 commit 531660ef5604c75de6fdead9da1304051af17c09 upstream Add the necessary i2c_board_info structure to fix the lack of PCF8583 RTC on RiscPC. Signed-off-by: Russell King Signed-off-by: Jean Delvare Cc: Alessandro Zummo Signed-off-by: Greg Kroah-Hartman commit 4c7d78155b964900d1b1923acb552921ab60779b Author: Anssi Hannula Date: Mon Mar 2 16:16:10 2009 +0100 HID: move tmff and zpff devices from ignore_list to blacklist [ upstream commit daedb3d6a91f9626ab4c921378ac52e44de833d5 ] From: Anssi Hannula Subject: HID: move tmff and zpff devices from ignore_list to blacklist The devices handled by hid-tmff and hid-zpff were added in the hid_ignore_list[] instead of hid_blacklist[] in hid-core.c, thus disabling them completely. hid_ignore_list[] causes hid layer to skip the device, while hid_blacklist[] indicates there is a specific driver in hid bus. Re-enable the devices by moving them to the correct list. Signed-off-by: Anssi Hannula Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit ccf126745f267d8778c3c8bd545d1004ca8d042c Author: Sergei Shtylyov Date: Thu Mar 5 16:10:56 2009 +0100 ide-iops: fix odd-length ATAPI PIO transfers commit a509538d4fb4f99cdf0a095213d57cc3b2347615 upstream. Commit 9567b349f7e7dd7e2483db99ee8e4a6fe0caca38 (ide: merge ->atapi_*put_bytes and ->ata_*put_data methods) introduced a regression WRT the odd-length ATAPI PIO transfers -- the final word didn't get written (causing command timeouts). Signed-off-by: Sergei Shtylyov Signed-off-by: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit bf7fced49e689f01f0b5c12046e193116aa03221 Author: Tejun Heo Date: Mon Feb 9 22:17:39 2009 +0900 x86: fix math_emu register frame access commit d315760ffa261c15ff92699ac6f514112543d7ca upstream. do_device_not_available() is the handler for #NM and it declares that it takes a unsigned long and calls math_emu(), which takes a long argument and surprisingly expects the stack frame starting at the zero argument would match struct math_emu_info, which isn't true regardless of configuration in the current code. This patch makes do_device_not_available() take struct pt_regs like other exception handlers and initialize struct math_emu_info with pointer to it and pass pointer to the math_emu_info to math_emulate() like normal C functions do. This way, unless gcc makes a copy of struct pt_regs in do_device_not_available(), the register frame is correctly accessed regardless of kernel configuration or compiler used. This doesn't fix all math_emu problems but it at least gets it somewhat working. Signed-off-by: Tejun Heo Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit bc6449f4d3b44c4a114d07315043756597f2fa72 Author: Tejun Heo Date: Mon Feb 9 22:17:39 2009 +0900 x86: math_emu info cleanup commit ae6af41f5a4841f06eb92bc86ad020ad44ae2a30 upstream. Impact: cleanup * Come on, struct info? s/struct info/struct math_emu_info/ * Use struct pt_regs and kernel_vm86_regs instead of defining its own register frame structure. Signed-off-by: Tejun Heo Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 8e887f35bc91f46d8188f367dd08b45514394755 Author: john stultz Date: Thu Feb 12 18:48:53 2009 -0800 x86, hpet: fix for LS21 + HPET = boot hang commit b13e24644c138d0ddbc451403c30a96b09bfd556 upstream. Between 2.6.23 and 2.6.24-rc1 a change was made that broke IBM LS21 systems that had the HPET enabled in the BIOS, resulting in boot hangs for x86_64. Specifically commit b8ce33590687888ebb900d09557b8807c4539022, which merges the i386 and x86_64 HPET code. Prior to this commit, when we setup the HPET timers in x86_64, we did the following: hpet_writel(HPET_TN_ENABLE | HPET_TN_PERIODIC | HPET_TN_SETVAL | HPET_TN_32BIT, HPET_T0_CFG); However after the i386/x86_64 HPET merge, we do the following: cfg = hpet_readl(HPET_Tn_CFG(timer)); cfg |= HPET_TN_ENABLE | HPET_TN_PERIODIC | HPET_TN_SETVAL | HPET_TN_32BIT; hpet_writel(cfg, HPET_Tn_CFG(timer)); However on LS21s with HPET enabled in the BIOS, the HPET_T0_CFG register boots with Level triggered interrupts (HPET_TN_LEVEL) enabled. This causes the periodic interrupt to be not so periodic, and that results in the boot time hang I reported earlier in the delay calibration. My fix: Always disable HPET_TN_LEVEL when setting up periodic mode. Signed-off-by: John Stultz Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 45034a11bbd9d8c3831a07aa8038ed72eaba7019 Author: Jeremy Fitzhardinge Date: Thu Feb 12 10:02:56 2009 -0800 x86/paravirt: make arch_flush_lazy_mmu/cpu disable preemption commit d85cf93da66977dbc645352be1b2084a659d8a0b upstream. Impact: avoid access to percpu vars in preempible context They are intended to be used whenever there's the possibility that there's some stale state which is going to be overwritten with a queued update, or to force a state change when we may be in lazy mode. Either way, we could end up calling it with preemption enabled, so wrap the functions in their own little preempt-disable section so they can be safely called in any context (though preemption should never be enabled if we're actually in a lazy state). (Move out of line to avoid #include dependencies.) Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 9d9cc48d44908a2e476167fb1345d250225a8e69 Author: Jan Kara Date: Thu Mar 5 02:35:15 2009 -0500 ext4: Fix deadlock in ext4_write_begin() and ext4_da_write_begin() (cherry picked from commit ebd3610b110bbb18ea6f9f2aeed1e1068c537227) Functions ext4_write_begin() and ext4_da_write_begin() call grab_cache_page_write_begin() without AOP_FLAG_NOFS. Thus it can happen that page reclaim is triggered in that function and it recurses back into the filesystem (or some other filesystem). But this can lead to various problems as a transaction is already started at that point. Add the necessary flag. http://bugzilla.kernel.org/show_bug.cgi?id=11688 Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit f08d9c62257c72baacd3050b45f3073a815b5297 Author: Theodore Ts'o Date: Thu Mar 5 02:35:14 2009 -0500 ext4: Add fallback for find_group_flex (cherry picked from commit 05bf9e839d9de4e8a094274a0a2fd07beb47eaf1) This is a workaround for find_group_flex() which badly needs to be replaced. One of its problems (besides ignoring the Orlov algorithm) is that it is a bit hyperactive about returning failure under suspicious circumstances. This can lead to spurious ENOSPC failures even when there are inodes still available. Work around this for now by retrying the search using find_group_other() if find_group_flex() returns -1. If find_group_other() succeeds when find_group_flex() has failed, log a warning message. A better block/inode allocator that will fix this problem for real has been queued up for the next merge window. Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 49d5e9a1f84aae864ac49b9579efcd99ce6993f4 Author: Dan Carpenter Date: Tue Feb 24 12:14:48 2009 -0500 ext4: Fix NULL dereference in ext4_ext_migrate()'s error handling (cherry picked from commit 090542641de833c6f756895fc2f139f046e298f9) This was found through a code checker (http://repo.or.cz/w/smatch.git/). It looks like you might be able to trigger the error by trying to migrate a readonly file system. Signed-off-by: Dan Carpenter Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit c4925e4c65904e5c52cd3a3e5e9b1873eec340c0 Author: Aneesh Kumar K.V Date: Tue Feb 24 12:14:47 2009 -0500 ext4: Implement range_cyclic in ext4_da_writepages instead of write_cache_pages (cherry picked from commit 2acf2c261b823d9d9ed954f348b97620297a36b5) With delayed allocation we lock the page in write_cache_pages() and try to build an in memory extent of contiguous blocks. This is needed so that we can get large contiguous blocks request. If range_cyclic mode is enabled, write_cache_pages() will loop back to the 0 index if no I/O has been done yet, and try to start writing from the beginning of the range. That causes an attempt to take the page lock of lower index page while holding the page lock of higher index page, which can cause a dead lock with another writeback thread. The solution is to implement the range_cyclic behavior in ext4_da_writepages() instead. http://bugzilla.kernel.org/show_bug.cgi?id=12579 Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 6da0e051ce63fd4351830c1ce31a9c6d8e9ffa92 Author: Aneesh Kumar K.V Date: Tue Feb 24 12:14:46 2009 -0500 ext4: Initialize preallocation list_head's properly (cherry picked from commit d794bf8e0936dce45104565cd48c571061f4c1e3) When creating a new ext4_prealloc_space structure, we have to initialize its list_head pointers before we add them to any prealloc lists. Otherwise, with list debug enabled, we will get list corruption warnings. Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 39f5468e31f482f6a2d7b842e3d9b909534bf9ec Author: Aneesh Kumar K.V Date: Tue Feb 24 12:14:45 2009 -0500 ext4: Fix lockdep warning (cherry picked from commit ba4439165f0f0d25b2fe065cf0c1ff8130b802eb) We should not call ext4_mb_add_n_trim while holding alloc_semp. ============================================= [ INFO: possible recursive locking detected ] 2.6.29-rc4-git1-dirty #124 --------------------------------------------- ffsb/3116 is trying to acquire lock: (&meta_group_info[i]->alloc_sem){----}, at: [] ext4_mb_load_buddy+0xd2/0x343 but task is already holding lock: (&meta_group_info[i]->alloc_sem){----}, at: [] ext4_mb_load_buddy+0xd2/0x343 http://bugzilla.kernel.org/show_bug.cgi?id=12672 Signed-off-by: Aneesh Kumar K.V Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 305a27a920b46943dd1518f31d6386414c7fb87e Author: Wei Yongjun Date: Tue Feb 24 12:14:44 2009 -0500 ext4: Fix to read empty directory blocks correctly in 64k (cherry picked from commit 7be2baaa0322c59ba888aa5260a8c130666acd41) The rec_len field in the directory entry is 16 bits, so there was a problem representing rec_len for filesystems with a 64k block size in the case where the directory entry takes the entire 64k block. Unfortunately, there were two schemes that were proposed; one where all zeros meant 65536 and one where all ones (65535) meant 65536. E2fsprogs used 0, whereas the kernel used 65535. Oops. Fortunately this case happens extremely rarely, with the most common case being the lost+found directory, created by mke2fs. So we will be liberal in what we accept, and accept both encodings, but we will continue to encode 65536 as 65535. This will require a change in e2fsprogs, but with fortunately ext4 filesystems normally have the dir_index feature enabled, which precludes having a completely empty directory block. Signed-off-by: Wei Yongjun Signed-off-by: "Theodore Ts'o" Signed-off-by: Greg Kroah-Hartman commit 54dc90ea5d01776793da82d345c7164ea28f4718 Author: Jan Kara Date: Tue Feb 24 12:14:43 2009 -0500 jbd2: Avoid possible NULL dereference in jbd2_journal_begin_ordered_truncate() (cherry picked from commit 7f5aa215088b817add9c71914b83650bdd49f8a9) If we race with commit code setting i_transaction to NULL, we could possibly dereference it. Proper locking requires the journal pointer (to access journal->j_list_lock), which we don't have. So we have to change the prototype of the function so that filesystem passes us the journal pointer. Also add a more detailed comment about why the function jbd2_journal_begin_ordered_truncate() does what it does and how it should be used. Thanks to Dan Carpenter for pointing to the suspitious code. Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Acked-by: Joel Becker CC: linux-ext4@vger.kernel.org CC: ocfs2-devel@oss.oracle.com CC: mfasheh@suse.de CC: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit 00d9374d7af832e275bfc54c1d542cdb21c31797 Author: Jan Kara Date: Tue Feb 24 12:14:42 2009 -0500 Revert "ext4: wait on all pending commits in ext4_sync_fs()" (cherry picked from commit 9eddacf9e9c03578ef2c07c9534423e823d677f8) This undoes commit 14ce0cb411c88681ab8f3a4c9caa7f42e97a3184. Since jbd2_journal_start_commit() is now fixed to return 1 when we started a transaction commit, there's some transaction waiting to be committed or there's a transaction already committing, we don't need to call ext4_force_commit() in ext4_sync_fs(). Furthermore ext4_force_commit() can unnecessarily create sync transaction which is expensive so it's worthwhile to remove it when we can. http://bugzilla.kernel.org/show_bug.cgi?id=12224 Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" Cc: Eric Sandeen Cc: linux-ext4@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit d62e873cd40eb41743d93319bd3740efce0385f8 Author: Jan Kara Date: Tue Feb 24 12:14:41 2009 -0500 jbd2: Fix return value of jbd2_journal_start_commit() (cherry picked from commit c88ccea3143975294f5a52097546bcbb75975f52) The function jbd2_journal_start_commit() returns 1 if either a transaction is committing or the function has queued a transaction commit. But it returns 0 if we raced with somebody queueing the transaction commit as well. This resulted in ext4_sync_fs() not functioning correctly (description from Arthur Jones): In the case of a data=ordered umount with pending long symlinks which are delayed due to a long list of other I/O on the backing block device, this causes the buffer associated with the long symlinks to not be moved to the inode dirty list in the second phase of fsync_super. Then, before they can be dirtied again, kjournald exits, seeing the UMOUNT flag and the dirty pages are never written to the backing block device, causing long symlink corruption and exposing new or previously freed block data to userspace. This can be reproduced with a script created by Eric Sandeen : #!/bin/bash umount /mnt/test2 mount /dev/sdb4 /mnt/test2 rm -f /mnt/test2/* dd if=/dev/zero of=/mnt/test2/bigfile bs=1M count=512 touch /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename ln -s /mnt/test2/thisisveryveryveryveryveryveryveryveryveryveryveryveryveryveryveryverylongfilename /mnt/test2/link umount /mnt/test2 mount /dev/sdb4 /mnt/test2 ls /mnt/test2/ This patch fixes jbd2_journal_start_commit() to always return 1 when there's a transaction committing or queued for commit. Signed-off-by: Jan Kara Signed-off-by: "Theodore Ts'o" CC: Eric Sandeen CC: linux-ext4@vger.kernel.org Signed-off-by: Greg Kroah-Hartman commit bbbfbf6d74e6054c4f6af2dd7fe95c5551b6413a Author: Hans Verkuil Date: Sat Feb 14 19:58:33 2009 -0300 V4L: ivtv: fix decoder crash regression (cherry picked from commit ac9575f75c52bcb455120f8c43376b556acba048) The video_ioctl2 conversion of ivtv in kernel 2.6.27 introduced a bug causing decoder commands to crash. The decoder commands should have been handled from the video_ioctl2 default handler, ensuring correct mapping of the argument between user and kernel space. Unfortunately they ended up before the video_ioctl2 call, causing random crashes. Thanks to hannes@linus.priv.at for testing and helping me track down the cause! Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit ef956570e79d30cf9a25e5a1a5464f75a8989181 Author: Martin Dauskardt Date: Thu Mar 12 17:43:44 2009 -0400 V4L: saa7127: fix broken S-Video with saa7129 (backported from commit 0f3559ef17362a7dd5017521a4dd4cad31263395) Register 0x2d has to be set differently in the saa7129 compared to the saa7127. This was not done correctly, so S-Video was broken in certain circumstances. This fixes a regression introduced in 2.6.28. Signed-off-by: Martin Dauskardt Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Greg Kroah-Hartman commit 6ffcc214c90fc8eaa2bbb30f4d4faeafe800a443 Author: Michael Krufky Date: Mon Jan 5 18:25:04 2009 -0300 V4L: tda8290: fix TDA8290 + TDA18271 initialization (cherry picked from commit 439b72b69e4992e9ec34b74304f0fa95623934eb) Don't call tda8290_init_tuner unless we have either a TDA8275 or TDA8275A present. Calling this function will cause a TDA18271 to get sick, so we should only call it when needed. Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit c269003c1d49ac6b6802f8cb0345cd7a556b7884 Author: Devin Heitmueller Date: Mon Jan 26 03:07:59 2009 -0300 DVB: s5h1409: Perform s5h1409 soft reset after tuning (cherry picked from commit 67e70baf043cfdcdaf5972bc94be82632071536b) Just like with the s5h1411, the s5h1409 needs a soft-reset in order for it to know that the tuner has been told to change frequencies. This change changes the behavior from "random tuning times between 500ms to complete tuning lock failures" to "tuning lock consistently within 700ms". Thanks to Robert Krakora for doing initial testing of the patch on the KWorld 330U. Thanks to Andy Walls for doing testing of the patch on the HVR-1600. Thanks to Michael Krufky for doing additional testing. Signed-off-by: Devin Heitmueller Signed-off-by: Michael Krufky Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit f450e06e1f1d3e3b41698c3ada4a6177d30b603b Author: Oleg Nesterov Date: Thu Mar 12 14:31:28 2009 -0700 pipe_rdwr_fasync: fix the error handling to prevent the leak/crash commit e5bc49ba7439b9726006d031d440cba96819f0f8 upstream. If the second fasync_helper() fails, pipe_rdwr_fasync() returns the error but leaves the file on ->fasync_readers. This was always wrong, but since 233e70f4228e78eb2f80dc6650f65d3ae3dbf17c "saner FASYNC handling on file close" we have the new problem. Because in this case setfl() doesn't set FASYNC bit, __fput() will not do ->fasync(0), and we leak fasync_struct with ->fa_file pointing to the freed file. Signed-off-by: Oleg Nesterov Cc: Al Viro Cc: Andi Kleen Cc: Jonathan Corbet Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 63ece5db5eb71b8742f1bae32d10a67c8b6e56cd Author: Andres Salomon Date: Mon Mar 2 21:48:20 2009 +0100 sdhci: Add NO_BUSY_IRQ quirk for Marvell CAFE host chip commit a0874897b1ba106298e4303a25456a473fc40f3d upstream. As described here: http://lkml.org/lkml/2009/2/20/265 The CAFE chip is broken due to commit e809517f6fa5803a5a1cd5602. Anton added a quirk here: http://lkml.org/lkml/2009/2/20/279 that fixes CAFE's problem. This adds the quirk for CAFE. Signed-off-by: Andres Salomon Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 8cce128ef6e1d3cefca3cedf34ee5415e100d429 Author: Ben Dooks Date: Fri Feb 20 20:33:08 2009 +0300 sdhci: Add quirk for controllers with no end-of-busy IRQ commit f945405cdecd9e0ae3e58ff84cabd19b4522965e upstream. The Samsung SDHCI (and FSL eSDHC) controller block seems to fail to generate an INT_DATA_END after the transfer has completed and the bus busy state finished. Changes in e809517f6fa5803a5a1cd56026f0e2190fc13d5c to use the new busy method are the cause of the behaviour change. Signed-off-by: Ben Dooks Signed-off-by: Anton Vorontsov Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 8a36a1251e3be6a07976c186c6aee160be84b40c Author: Michael Neuling Date: Thu Feb 19 18:52:20 2009 +0000 powerpc: Fix load/store float double alignment handler commit 49f297f8df9adb797334155470ea9ca68bdb041e upstream. When we introduced VSX, we changed the way FPRs are stored in the thread_struct. Unfortunately we missed the load/store float double alignment handler code when updating how we access FPRs in the thread_struct. Below fixes this and merges the little/big endian case. Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit c3f0c63d33f21deffdf78fe7b506bb0ee2b4d249 Author: Helge Bahmann Date: Fri Feb 20 16:24:12 2009 +0300 proc: fix PG_locked reporting in /proc/kpageflags commit e07a4b9217d1e97d2f3a62b6b070efdc61212110 upstream. Expr always evaluates to zero. Cc: Matt Mackall Signed-off-by: Andrew Morton Signed-off-by: Alexey Dobriyan Signed-off-by: Greg Kroah-Hartman commit 5e32aa7c4c760ee75dbce330c3374e177ceea18f Author: Oleg Nesterov Date: Mon Mar 2 22:58:45 2009 +0100 copy_process: fix CLONE_PARENT && parent_exec_id interaction commit 2d5516cbb9daf7d0e342a2e3b0fc6f8c39a81205 upstream. CLONE_PARENT can fool the ->self_exec_id/parent_exec_id logic. If we re-use the old parent, we must also re-use ->parent_exec_id to make sure exit_notify() sees the right ->xxx_exec_id's when the CLONE_PARENT'ed task exits. Also, move down the "p->parent_exec_id = p->self_exec_id" thing, to place two different cases together. Signed-off-by: Oleg Nesterov Cc: Roland McGrath Cc: Andrew Morton Cc: David Howells Cc: Serge E. Hallyn Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9bff90cbe5839f3ab35fe7cafb91632c790ad736 Author: Alexander Duyck Date: Thu Mar 5 13:57:28 2009 -0500 PCI: Add PCI quirk to disable L0s ASPM state for 82575 and 82598 commit 649426efcfbc67a8b033497151816cbac9fd0cfa upstream. This patch is intended to disable L0s ASPM link state for 82598 (ixgbe) parts due to the fact that it is possible to corrupt TX data when coming back out of L0s on some systems. The workaround had been added for 82575 (igb) previously, but did not use the ASPM api. This quirk uses the ASPM api to prevent the ASPM subsystem from re-enabling the L0s state. Instead of adding the fix in igb to the ixgbe driver as well it was decided to move it into a pci quirk. It is necessary to move the fix out of the driver and into a pci quirk in order to prevent the issue from occuring prior to driver load to handle the possibility of the device being passed to a VM via direct assignment. Signed-off-by: Alexander Duyck Signed-off-by: Jeff Kirsher CC: Jesse Barnes Signed-off-by: Matthew Wilcox Signed-off-by: Greg Kroah-Hartman commit 08f40e6c3eaada943bdbf70914068a5ebf193e6b Author: Meelis Roos Date: Tue Feb 10 17:19:19 2009 -0800 fore200: fix oops on failed firmware load commit fcffd0d8bbddac757cd856e635ac75e8eb4518bc upstream. Fore 200 ATM driver fails to handle request_firmware failures and oopses when no firmware file was found. Fix it by checking for the right return values and propaganting the return value up. Signed-off-by: Meelis Roos Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cfd769d22833e9ac5a63017a89655b8724b36ff9 Author: Dmitriy Taychenachev Date: Tue Feb 24 18:42:48 2009 +0000 zaurus: add usb id for motomagx phones commit 52c0326beaa3cb0049d0f1c51c6ad5d4a04e4430 upstream. The Motorola MOTOMAGX phones (Z6, E8, Zn5 so far) are providing combined ACM/BLAN USB configuration. Since it has Vendor Specific class, the corresponding drivers (cdc-acm, zaurus) can't find it just by interface info. This patch adds usb id so the zaurus driver can properly handle this combined device. Signed-off-by: Dmitriy Taychenachev Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4476271c5b6299293143e2c8894a239955cb4f53 Author: Bjørn Mork Date: Wed Feb 25 04:33:58 2009 +0000 cdc_ether: add usb id for Ericsson F3507g commit cac477e8f1038c41b6f29d3161ce351462ef3df7 upstream. The Ericsson F3507g wireless broadband module provides a CDC Ethernet compliant interface, but identifies it as a "Mobile Direct Line" CDC subclass, thereby preventing the CDC Ethernet class driver from picking it up. This patch adds the device id to cdc_ether.c as a workaround. Ericsson has provided a "class" driver for this device: http://kerneltrap.org/mailarchive/linux-net/2008/10/28/3832094 But closer inspection of that driver reveals that it adds little more than duplication of code from cdc_ether.c. See also http://marc.info/?l=linux-usb&m=123334979706403&w=2 Signed-off-by: Bjørn Mork Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f52873756ae021cb312ce24248ef21af9c7daa0b Author: Greg Kroah-Hartman Date: Tue Feb 24 23:52:24 2009 -0800 asix: new device ids commit fef7cc0893146550b286b13c0e6e914556142730 upstream. This patch adds two new device ids to the asix driver. One comes directly from the asix driver on their web site, the other was reported by Armani Liao as needed for the MSI X320 to get the driver to work properly for it. Reported-by: Armani Liao Signed-off-by: Greg Kroah-Hartman Signed-off-by: David S. Miller commit b42067185d9ea1dc6de51fa6245e1b4969b6cbad Author: Jens Axboe Date: Tue Feb 24 08:10:09 2009 +0100 xen/blkfront: use blk_rq_map_sg to generate ring entries commit 9e973e64ac6dc504e6447d52193d4fff1a670156 upstream. On occasion, the request will apparently have more segments than we fit into the ring. Jens says: > The second problem is that the block layer then appears to create one > too many segments, but from the dump it has rq->nr_phys_segments == > BLKIF_MAX_SEGMENTS_PER_REQUEST. I suspect the latter is due to > xen-blkfront not handling the merging on its own. It should check that > the new page doesn't form part of the previous page. The > rq_for_each_segment() iterates all single bits in the request, not dma > segments. The "easiest" way to do this is to call blk_rq_map_sg() and > then iterate the mapped sg list. That will give you what you are > looking for. > Here's a test patch, compiles but otherwise untested. I spent more > time figuring out how to enable XEN than to code it up, so YMMV! > Probably the sg list wants to be put inside the ring and only > initialized on allocation, then you can get rid of the sg on stack and > sg_init_table() loop call in the function. I'll leave that, and the > testing, to you. [Moved sg array into info structure, and initialize once. -J] Signed-off-by: Jens Axboe Signed-off-by: Jeremy Fitzhardinge Cc: Sven Köhler Signed-off-by: Greg Kroah-Hartman commit 0109d01cfb91aa96c2d96da089945188d8c2d3d7 Author: Jeremy Fitzhardinge Date: Wed Feb 25 09:42:25 2009 -0800 xen: disable interrupts early, as start_kernel expects commit 55d8085671863fe4ee6a17b7814bd38180a44e1d upstream. This avoids a lockdep warning from: if (DEBUG_LOCKS_WARN_ON(unlikely(!early_boot_irqs_enabled))) return; in trace_hardirqs_on_caller(); Signed-off-by: Jeremy Fitzhardinge Cc: Mark McLoughlin Cc: Xen-devel Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 8776fc989b070d4a323793502365acae6851d936 Author: Roland McGrath Date: Fri Feb 27 19:03:24 2009 -0800 x86-64: syscall-audit: fix 32/64 syscall hole commit ccbe495caa5e604b04d5a31d7459a6f6a76a756c upstream. On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases, audit_syscall_entry() will use the wrong system call number table and the wrong system call argument registers. This could be used to circumvent a syscall audit configuration that filters based on the syscall numbers or argument details. Signed-off-by: Roland McGrath Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1ab4bad21786384ff68dc6576d021acd4e42d8ce Author: Roland McGrath Date: Fri Feb 27 23:25:54 2009 -0800 x86-64: seccomp: fix 32/64 syscall hole commit 5b1017404aea6d2e552e991b3fd814d839e9cd67 upstream. On x86-64, a 32-bit process (TIF_IA32) can switch to 64-bit mode with ljmp, and then use the "syscall" instruction to make a 64-bit system call. A 64-bit process make a 32-bit system call with int $0x80. In both these cases under CONFIG_SECCOMP=y, secure_computing() will use the wrong system call number table. The fix is simple: test TS_COMPAT instead of TIF_IA32. Here is an example exploit: /* test case for seccomp circumvention on x86-64 There are two failure modes: compile with -m64 or compile with -m32. The -m64 case is the worst one, because it does "chmod 777 ." (could be any chmod call). The -m32 case demonstrates it was able to do stat(), which can glean information but not harm anything directly. A buggy kernel will let the test do something, print, and exit 1; a fixed kernel will make it exit with SIGKILL before it does anything. */ #define _GNU_SOURCE #include #include #include #include #include #include #include int main (int argc, char **argv) { char buf[100]; static const char dot[] = "."; long ret; unsigned st[24]; if (prctl (PR_SET_SECCOMP, 1, 0, 0, 0) != 0) perror ("prctl(PR_SET_SECCOMP) -- not compiled into kernel?"); #ifdef __x86_64__ assert ((uintptr_t) dot < (1UL << 32)); asm ("int $0x80 # %0 <- %1(%2 %3)" : "=a" (ret) : "0" (15), "b" (dot), "c" (0777)); ret = snprintf (buf, sizeof buf, "result %ld (check mode on .!)\n", ret); #elif defined __i386__ asm (".code32\n" "pushl %%cs\n" "pushl $2f\n" "ljmpl $0x33, $1f\n" ".code64\n" "1: syscall # %0 <- %1(%2 %3)\n" "lretl\n" ".code32\n" "2:" : "=a" (ret) : "0" (4), "D" (dot), "S" (&st)); if (ret == 0) ret = snprintf (buf, sizeof buf, "stat . -> st_uid=%u\n", st[7]); else ret = snprintf (buf, sizeof buf, "result %ld\n", ret); #else # error "not this one" #endif write (1, buf, ret); syscall (__NR_exit, 1); return 2; } Signed-off-by: Roland McGrath [ I don't know if anybody actually uses seccomp, but it's enabled in at least both Fedora and SuSE kernels, so maybe somebody is. - Linus ] Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f4c6d74a665508d23fd3fc27dcad5ec5fb29b321 Author: David Altobelli Date: Fri Feb 27 14:03:09 2009 -0800 hpilo: new pci device commit 31d8b5631f095cb7100cfccc95c801a2547ffe2b upstream. Future iLO devices will have an HP vendor id. Signed-off-by: David Altobelli Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit da0a49794fba623e278f27fb1ff339f19b512fc8 Author: Paul Moore Date: Fri Feb 20 16:33:02 2009 -0500 selinux: Fix the NetLabel glue code for setsockopt() commit 09c50b4a52c01a1f450b8eec819089e228655bfb upstream. At some point we (okay, I) managed to break the ability for users to use the setsockopt() syscall to set IPv4 options when NetLabel was not active on the socket in question. The problem was noticed by someone trying to use the "-R" (record route) option of ping: # ping -R 10.0.0.1 ping: record route: No message of desired type The solution is relatively simple, we catch the unlabeled socket case and clear the error code, allowing the operation to succeed. Please note that we still deny users the ability to override IPv4 options on socket's which have NetLabel labeling active; this is done to ensure the labeling remains intact. Signed-off-by: Paul Moore Signed-off-by: James Morris Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit beb6ec3b2a0d720bf0baa64cbafb20b2af0b1fa7 Author: Paul Moore Date: Fri Feb 27 15:00:03 2009 -0500 selinux: Fix a panic in selinux_netlbl_inode_permission() commit d7f59dc4642ce2fc7b79fcd4ec02ffce7f21eb02 upstream. Rick McNeal from LSI identified a panic in selinux_netlbl_inode_permission() caused by a certain sequence of SUNRPC operations. The problem appears to be due to the lack of NULL pointer checking in the function; this patch adds the pointer checks so the function will exit safely in the cases where the socket is not completely initialized. Signed-off-by: Paul Moore Signed-off-by: James Morris Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit 04de7d2f0799c129f11a6a88869caebe0343fe7b Author: Roland McGrath Date: Fri Feb 6 18:15:18 2009 -0800 x86-64: fix int $0x80 -ENOSYS return commit c09249f8d1b84344eca882547afdbffee8c09d14 upstream. One of my past fixes to this code introduced a different new bug. When using 32-bit "int $0x80" entry for a bogus syscall number, the return value is not correctly set to -ENOSYS. This only happens when neither syscall-audit nor syscall tracing is enabled (i.e., never seen if auditd ever started). Test program: /* gcc -o int80-badsys -m32 -g int80-badsys.c Run on x86-64 kernel. Note to reproduce the bug you need auditd never to have started. */ #include #include int main (void) { long res; asm ("int $0x80" : "=a" (res) : "0" (99999)); printf ("bad syscall returns %ld\n", res); return res != -ENOSYS; } The fix makes the int $0x80 path match the sysenter and syscall paths. Reported-by: Dmitry V. Levin Signed-off-by: Roland McGrath Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit c8788afb460005ffb5f591ef854eb8630f3eab73 Author: Ingo Molnar Date: Thu Jan 29 11:45:35 2009 +0100 x86: tone down mtrr_trim_uncached_memory() warning commit bf3647c44bc76c43c4b2ebb4c37a559e899ac70e upstream. kerneloops.org is reporting a lot of these warnings that come due to vmware not setting up any MTRRs for emulated CPUs: | Reported 709 times (14696 total reports) | BIOS bug (often in VMWare) where the MTRR's are set up incorrectly | or not at all | | This warning was last seen in version 2.6.29-rc2-git1, and first | seen in 2.6.24. | | More info: | http://www.kerneloops.org/searchweek.php?search=mtrr_trim_uncached_memory Keep a one-liner KERN_INFO about it - so that we have so notice if empty MTRRs are caused by native hardware/BIOS weirdness. Signed-off-by: Ingo Molnar Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit fd908b9c57bf0e354202dbaec4d92650868142f1 Author: Rabin Vincent Date: Fri Feb 13 22:55:26 2009 +0530 mmc_test: fix basic read test commit 58a5dd3e0e77029d3db1f8fa75d0b54b38169d5d upstream. Due to a typo in the Basic Read test, it's currently identical to the Basic Write test. Fix this. Signed-off-by: Rabin Vincent Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 1a84704ed45060e6275caba4452634b59f8609a2 Author: Yi Li Date: Thu Feb 5 15:31:57 2009 +0800 MMC: fix bug - SDHC card capacity not correct commit 444122fd58fdc83c96877a92b3f6288cafddb08d upstream. Signed-off-by: Yi Li Signed-off-by: Bryan Wu Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 6769955ea22351e50ff974c34acd8004e7867cb8 Author: Ben Dooks Date: Thu Mar 12 14:31:33 2009 -0700 mmc: s3cmci: fix s3c2410_dma_config() arguments. commit 7c48ed3383bfb2106694807361ec187fe8a4333d upstream. The s3cmci driver is calling s3c2410_dma_config with incorrect data for the DCON register. The S3C2410_DCON_HWTRIG is implicit in the channel configuration and the device selection of S3C2410_DCON_CH0_SDI is incorrect as the DMA system may not select channel 0. Signed-off-by: Ben Dooks Acked-by: Pierre Ossman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit eb7a5de8c9ca3e88744ca2623c421d46224473ed Author: Yauhen Kharuzhy Date: Wed Feb 11 13:25:52 2009 -0800 s3cmci: Fix hangup in do_pio_write() commit 994244883739e4044bef76d4e5d7a9b66dc6c7b6 upstream. This commit fixes the regression what was added by commit 088a78af978d0c8e339071a9b2bca1f4cb368f30 "s3cmci: Support transfers which are not multiple of 32 bits." fifo_free() now returns amount of available space in FIFO buffer in bytes. But do_pio_write() writes to FIFO 32-bit words. Condition for return from cycle is (fifo_free() == 0), but when fifo has 1..3 bytes of free space then this condition will never be true and system hangs. This patch changes condition in the while() to (fifo_free() > 3). Signed-off-by: Yauhen Kharuzhy Signed-off-by: Andrew Morton Signed-off-by: Pierre Ossman commit b00d31ddc7e801763a1c4f009246435153e29bdb Author: Adrian Hunter Date: Tue Feb 10 16:32:33 2009 +0200 mmc: fix data timeout for SEND_EXT_CSD commit cda56ac29f2d8288d62978272856884d26e0b47b upstream. Commit 0d3e0460f307e84904968aad6cff97bd688583d8 "MMC: CSD and CID timeout values" inadvertently broke the timeout for the MMC command SEND_EXT_CSD. This patch puts it back again. Depending on the characteristics of the controller, this bug may prevent the use of MMC cards. Signed-off-by: Adrian Hunter Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 50d4eeb0d1d7eed0f13726be4dbb4c4b637e3a9b Author: Tejun Heo Date: Wed Mar 4 15:59:30 2009 +0900 libata: make sure port is thawed when skipping resets commit d6515e6ff4ad3db4bd5ef2dd4e1026a7aca2482e upstream. When SCR access is available and the link is offline, softreset is skipped as it only wastes time and some controllers don't respond very well. However, the skip path forgot to thaw the port, which not only blocks further event notification from the port but also causes repeated EH invocations on the same event on drivers which rely on ->thaw() to clear events if the IRQ is shared with another device or port. This problem has always been there but is uncovered by recent sata_nv nf2/3 change which dropped hardreset support while maintaining SCR access. nf2/3 doesn't clear hotplug event mask from the interrupt handler but relies on ->thaw() to clear them. When the hardreset was there, the reset action was never skipped and the port was always thawed but, with the hardreset gone, ->prereset() determines that there's no need for softreset and both ->softreset() and ->thaw() are skipped. This leads to stuck hotplug event in the IRQ status register triggering hotplug event whenever IRQ is delieverd on the same IRQ. As the controller shares the same IRQ for both ports, this happens on every IO if one port is occpupied and the other isn't. This patch fixes the problem by making sure that the port is thawed on reset-skip path. bko#11615 reports this problem. Signed-off-by: Tejun Heo Cc: Robert Hancock Reported-by: Dan Andresan Reported-by: Arne Woerner Reported-by: Stefan Lippers-Hollmann Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 66cab028a8a4139cd513b9a35080bc249733d17b Author: Robert Hancock Date: Mon Feb 16 20:15:08 2009 -0600 libata: Don't trust current capacity values in identify words 57-58 commit 968e594afdbc40b4270f9d4032ae8350475749d6 upstream. Hanno Böck reported a problem where an old Conner CP30254 240MB hard drive was reported as 1.1TB in capacity by libata: http://lkml.org/lkml/2009/2/13/134 This was caused by libata trusting the drive's reported current capacity in sectors in identify words 57 and 58 if the drive does not support LBA and the current CHS translation values appear valid. Unfortunately it seems older ATA specs were vague about what this field should contain and a number of drives used values with wrong byte order or that were totally bogus. There's no unique information that it conveys and so we can just calculate the number of sectors from the reported current CHS values. While we're at it, clean up this function to use named constants for the identify word values. Signed-off-by: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit fb11aa0822650ba06618477c3d0224e146b8cbb8 Author: Adam Lackorzynski Date: Wed Feb 18 14:48:34 2009 -0800 jsm: additional device support commit ffa7525c13eb3db0fd19a3e1cffe2ce6f561f5f3 upstream. I have a Digi Neo 8 PCI card (114f:00b1) Serial controller: Digi International Digi Neo 8 (rev 05) that works with the jsm driver after using the following patch. Signed-off-by: Adam Lackorzynski Cc: Scott H Kilau Cc: Wendy Xiong Acked-by: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit db123ba36daf694e0b19976fdff5ea765d5b0e94 Author: Andrew Patterson Date: Fri Feb 20 16:04:59 2009 -0700 PCI: Enable PCIe AER only after checking firmware support commit 1f9f13c8d59c1d8da1a602b71d1ab96d1d37d69e upstream. The PCIe port driver currently sets the PCIe AER error reporting bits for any root or switch port without first checking to see if firmware will grant control. This patch moves setting these bits to the AER service driver aer_enable_port routine. The bits are then set for the root port and any downstream switch ports after the check for firmware support (aer_osc_setup) is made. The patch also unsets the bits in a similar fashion when the AER service driver is unloaded. Reviewed-by: Alex Chiang Signed-off-by: Andrew Patterson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit ff8df1ed43a3db0201eb099ada231cfd31861516 Author: Alex Chiang Date: Sat Mar 7 19:35:47 2009 -0700 PCIe: portdrv: call pci_disable_device during remove commit d89987193631bf23d1735c55d13a06d4b8d0e9bd upstream. The PCIe port driver calls pci_enable_device() during probe but never calls pci_disable_device() during remove. Signed-off-by: Alex Chiang Signed-off-by: Matthew Wilcox Signed-off-by: Greg Kroah-Hartman commit 65cb332a80a7c130d83e693cee5b6dffbcebd55a Author: Nick Piggin Date: Thu Mar 12 14:31:38 2009 -0700 fs: new inode i_state corruption fix commit 7ef0d7377cb287e08f3ae94cebc919448e1f5dff upstream. There was a report of a data corruption http://lkml.org/lkml/2008/11/14/121. There is a script included to reproduce the problem. During testing, I encountered a number of strange things with ext3, so I tried ext2 to attempt to reduce complexity of the problem. I found that fsstress would quickly hang in wait_on_inode, waiting for I_LOCK to be cleared, even though instrumentation showed that unlock_new_inode had already been called for that inode. This points to memory scribble, or synchronisation problme. i_state of I_NEW inodes is not protected by inode_lock because other processes are not supposed to touch them until I_LOCK (and I_NEW) is cleared. Adding WARN_ON(inode->i_state & I_NEW) to sites where we modify i_state revealed that generic_sync_sb_inodes is picking up new inodes from the inode lists and passing them to __writeback_single_inode without waiting for I_NEW. Subsequently modifying i_state causes corruption. In my case it would look like this: CPU0 CPU1 unlock_new_inode() __sync_single_inode() reg <- inode->i_state reg -> reg & ~(I_LOCK|I_NEW) reg <- inode->i_state reg -> inode->i_state reg -> reg | I_SYNC reg -> inode->i_state Non-atomic RMW on CPU1 overwrites CPU0 store and sets I_LOCK|I_NEW again. Fix for this is rather than wait for I_NEW inodes, just skip over them: inodes concurrently being created are not subject to data integrity operations, and should not significantly contribute to dirty memory either. After this change, I'm unable to reproduce any of the added warnings or hangs after ~1hour of running. Previously, the new warnings would start immediately and hang would happen in under 5 minutes. I'm also testing on ext3 now, and so far no problems there either. I don't know whether this fixes the problem reported above, but it fixes a real problem for me. Cc: "Jorge Boncompte [DTI2]" Reported-by: Adrian Hunter Cc: Jan Kara Signed-off-by: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a2a3ac38933a3b66a3b5cfbcd4128157ec89e173 Author: Wu Fengguang Date: Wed Mar 11 09:00:04 2009 +0800 proc: fix kflags to uflags copying in /proc/kpageflags commit ad3bdefe877afb47480418fdb05ecd42842de65e upstream. Fix kpf_copy_bit(src,dst) to be kpf_copy_bit(dst,src) to match the actual call patterns, e.g. kpf_copy_bit(kflags, KPF_LOCKED, PG_locked). This misplacement of src/dst only affected reporting of PG_writeback, PG_reclaim and PG_buddy. For others kflags==uflags so not affected. Signed-off-by: Wu Fengguang Reviewed-by: KOSAKI Motohiro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a96e5528abe51b9c35e33fcac05e84bca18cefe5 Author: Will Newton Date: Tue Mar 10 12:55:53 2009 -0700 mtd_dataflash: fix probing of AT45DB321C chips. commit 229cc58ba2b5a83b0b55764c6cb98695c106238a upstream. Commit 771999b65f79264acde4b855e5d35696eca5e80c ("[MTD] DataFlash: bugfix, binary page sizes now handled") broke support for probing AT45DB321C flash chips. These chips do not support the "page size" status bit, so if we match the JEDEC id return early. [akpm@linux-foundation.org: coding-style fixes] Signed-off-by: Will Newton Cc: David Woodhouse Acked-by: David Brownell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ca912f23933fd14fcab90465af245597dbee9272 Author: Lubomir Rintel Date: Tue Mar 10 12:55:54 2009 -0700 intel-agp: fix a panic with 1M of shared memory, no GTT entries commit 9c1e8a4ebcc04226cb6f3a1bf1d72f4cafd6b089 upstream. When GTT size is equal to amount of video memory, the amount of GTT entries is computed lower than zero, which is invalid and leads to off-by-one error in intel_i915_configure() Originally posted here: http://bugzilla.kernel.org/show_bug.cgi?id=12539 http://bugzilla.redhat.com/show_bug.cgi?id=445592 Signed-off-by: Lubomir Rintel Cc: Lubomir Rintel Cc: Dave Airlie Reviewed-by: Eric Anholt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 060ed9967c5edc627f7884a4976ecb54fd3ac034 Author: Leann Ogasawara Date: Wed Mar 4 11:53:00 2009 -0800 x86: add Dell XPS710 reboot quirk commit dd4124a8a06bca89c077a16437edac010f0bb993 upstream. Dell XPS710 will hang on reboot. This is resolved by adding a quirk to set bios reboot. Signed-off-by: Leann Ogasawara Signed-off-by: Tim Gardner Cc: "manoj.iyer" LKML-Reference: <1236196380.3231.89.camel@emiko> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 474193bb19990efce7a7cf90506e55de0844c6cd Author: Tim Blechmann Date: Thu Feb 19 17:34:03 2009 +0100 x86: oprofile: don't set counter width from cpuid on Core2 commit 780eef9492b16a1543a3b2ae9f9526a735fc9856 upstream. Impact: fix stuck NMIs and non-working oprofile on certain CPUs Resetting the counter width of the performance counters on Intel's Core2 CPUs, breaks the delivery of NMIs, when running in x86_64 mode. This should fix bug #12395: http://bugzilla.kernel.org/show_bug.cgi?id=12395 Signed-off-by: Tim Blechmann Signed-off-by: Robert Richter LKML-Reference: <20090303100412.GC10085@erda.amd.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 5bd60e0ffb4c1b10d8942dc3dff4c7b75c968ea4 Author: Helmut Schaa Date: Sat Feb 14 16:22:39 2009 +0100 sdhci: fix led naming commit 5dbace0c9ba110c1a3810a89fa6bf12b7574b5a3 upstream. Fix the led device naming for the sdhci driver. The led class documentation defines the led name to have the form "devicename:colour:function" while not applicable sections should be left blank. To comply with the documentation the led device name is changed from "mmc*" to "mmc*::". Signed-off-by: Helmut Schaa Signed-off-by: Pierre Ossman Signed-off-by: Greg Kroah-Hartman commit 88aac891faa0124120bef65453f033aa1e41561d Author: Ingo Molnar Date: Wed Feb 18 14:48:43 2009 -0800 inotify: fix GFP_KERNEL related deadlock commit f04b30de3c82528f1ab4c58b3dd4c975f5341901 upstream. Enhanced lockdep coverage of __GFP_NOFS turned up this new lockdep assert: [ 1093.677775] [ 1093.677781] ================================= [ 1093.680031] [ INFO: inconsistent lock state ] [ 1093.680031] 2.6.29-rc5-tip-01504-gb49eca1-dirty #1 [ 1093.680031] --------------------------------- [ 1093.680031] inconsistent {RECLAIM_FS-ON-W} -> {IN-RECLAIM_FS-W} usage. [ 1093.680031] kswapd0/308 [HC0[0]:SC0[0]:HE1:SE1] takes: [ 1093.680031] (&inode->inotify_mutex){+.+.?.}, at: [] inotify_inode_is_dead+0x20/0x80 [ 1093.680031] {RECLAIM_FS-ON-W} state was registered at: [ 1093.680031] [] mark_held_locks+0x43/0x5b [ 1093.680031] [] lockdep_trace_alloc+0x6c/0x6e [ 1093.680031] [] kmem_cache_alloc+0x20/0x150 [ 1093.680031] [] idr_pre_get+0x27/0x6c [ 1093.680031] [] inotify_handle_get_wd+0x25/0xad [ 1093.680031] [] inotify_add_watch+0x7a/0x129 [ 1093.680031] [] sys_inotify_add_watch+0x20f/0x250 [ 1093.680031] [] sysenter_do_call+0x12/0x35 [ 1093.680031] [] 0xffffffff [ 1093.680031] irq event stamp: 60417 [ 1093.680031] hardirqs last enabled at (60417): [] call_rcu+0x53/0x59 [ 1093.680031] hardirqs last disabled at (60416): [] call_rcu+0x17/0x59 [ 1093.680031] softirqs last enabled at (59656): [] __do_softirq+0x157/0x16b [ 1093.680031] softirqs last disabled at (59651): [] do_softirq+0x74/0x15d [ 1093.680031] [ 1093.680031] other info that might help us debug this: [ 1093.680031] 2 locks held by kswapd0/308: [ 1093.680031] #0: (shrinker_rwsem){++++..}, at: [] shrink_slab+0x36/0x189 [ 1093.680031] #1: (&type->s_umount_key#4){+++++.}, at: [] shrink_dcache_memory+0x110/0x1fb [ 1093.680031] [ 1093.680031] stack backtrace: [ 1093.680031] Pid: 308, comm: kswapd0 Not tainted 2.6.29-rc5-tip-01504-gb49eca1-dirty #1 [ 1093.680031] Call Trace: [ 1093.680031] [] valid_state+0x12a/0x13d [ 1093.680031] [] mark_lock+0xc1/0x1e9 [ 1093.680031] [] ? check_usage_forwards+0x0/0x3f [ 1093.680031] [] __lock_acquire+0x2c6/0xac8 [ 1093.680031] [] ? register_lock_class+0x17/0x228 [ 1093.680031] [] lock_acquire+0x5d/0x7a [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] __mutex_lock_common+0x3a/0x4cb [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] mutex_lock_nested+0x2e/0x36 [ 1093.680031] [] ? inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] inotify_inode_is_dead+0x20/0x80 [ 1093.680031] [] dentry_iput+0x90/0xc2 [ 1093.680031] [] d_kill+0x21/0x45 [ 1093.680031] [] __shrink_dcache_sb+0x27f/0x355 [ 1093.680031] [] shrink_dcache_memory+0x15e/0x1fb [ 1093.680031] [] shrink_slab+0x121/0x189 [ 1093.680031] [] kswapd+0x39f/0x561 [ 1093.680031] [] ? isolate_pages_global+0x0/0x233 [ 1093.680031] [] ? autoremove_wake_function+0x0/0x43 [ 1093.680031] [] ? kswapd+0x0/0x561 [ 1093.680031] [] kthread+0x41/0x82 [ 1093.680031] [] ? kthread+0x0/0x82 [ 1093.680031] [] kernel_thread_helper+0x7/0x10 inotify_handle_get_wd() does idr_pre_get() which does a kmem_cache_alloc() without __GFP_FS - and is hence deadlockable under extreme MM pressure. Signed-off-by: Ingo Molnar Acked-by: Peter Zijlstra Cc: MinChan Kim Cc: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3a094d82f35fe0c57fabfc91cb431aacceae9a3d Author: Jiri Slaby Date: Tue Feb 17 12:38:36 2009 +0100 HID: fix bus endianity in file2alias commit 2b639386a2a26c84c8d26c649cf657ebd43a7bc8 upstream. Fix endianness of bus member of hid_device_id in modpost. Signed-off-by: Jiri Slaby Reported-by: Nye Liu Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 66cc276065e87ae25cbf657a49930d12ed8a6810 Author: Alok N Kataria Date: Wed Feb 18 12:33:55 2009 -0800 x86, vmi: TSC going backwards check in vmi clocksource commit 48ffc70b675aa7798a52a2e92e20f6cce9140b3d upstream. Impact: fix time warps under vmware Similar to the check for TSC going backwards in the TSC clocksource, we also need this check for VMI clocksource. Signed-off-by: Alok N Kataria Cc: Zachary Amsden Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit f7b87790ee1a5c4f2bebfc8c70adc3c13981d02b Author: Mauro Carvalho Chehab Date: Fri Feb 20 15:38:52 2009 -0800 8250: fix boot hang with serial console when using with Serial Over Lan port commit b6adea334c6c89d5e6c94f9196bbf3a279cb53bd upstream. Intel 8257x Ethernet boards have a feature called Serial Over Lan. This feature works by emulating a serial port, and it is detected by kernel as a normal 8250 port. However, this emulation is not perfect, as also noticed on changeset 7500b1f602aad75901774a67a687ee985d85893f. Before this patch, the kernel were trying to check if the serial TX is capable of work using IRQ's. This were done with a code similar this: serial_outp(up, UART_IER, UART_IER_THRI); lsr = serial_in(up, UART_LSR); iir = serial_in(up, UART_IIR); serial_outp(up, UART_IER, 0); if (lsr & UART_LSR_TEMT && iir & UART_IIR_NO_INT) up->bugs |= UART_BUG_TXEN; This works fine for other 8250 ports, but, on 8250-emulated SoL port, the chip is a little lazy to down UART_IIR_NO_INT at UART_IIR register. Due to that, UART_BUG_TXEN is sometimes enabled. However, as TX IRQ keeps working, and the TX polling is now enabled, the driver miss-interprets the IRQ received later, hanging up the machine until a key is pressed at the serial console. This is the 6 version of this patch. Previous versions were trying to introduce a large enough delay between serial_outp and serial_in(up, UART_IIR), but not taking forever. However, the needed delay couldn't be safely determined. At the experimental tests, a delay of 1us solves most of the cases, but still hangs sometimes. Increasing the delay to 5us was better, but still doesn't solve. A very high delay of 50 ms seemed to work every time. However, poking around with delays and pray for it to be enough doesn't seem to be a good approach, even for a quirk. So, instead of playing with random large arbitrary delays, let's just disable UART_BUG_TXEN for all SoL ports. [akpm@linux-foundation.org: fix warnings] Signed-off-by: Mauro Carvalho Chehab Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 41454bd91f38374b1582ca173b333101911a4cdd Author: Heiko Carstens Date: Mon Mar 9 13:31:59 2009 +0100 Fix fixpoint divide exception in acct_update_integrals commit 6d5b5acca9e566515ef3f1ed617e7295c4f94345 upstream. Frans Pop reported the crash below when running an s390 kernel under Hercules: Kernel BUG at 000738b4 verbose debug info unavailable! fixpoint divide exception: 0009 #1! SMP Modules linked in: nfs lockd nfs_acl sunrpc ctcm fsm tape_34xx cu3088 tape ccwgroup tape_class ext3 jbd mbcache dm_mirror dm_log dm_snapshot dm_mod dasd_eckd_mod dasd_mod CPU: 0 Not tainted 2.6.27.19 #13 Process awk (pid: 2069, task: 0f9ed9b8, ksp: 0f4f7d18) Krnl PSW : 070c1000 800738b4 (acct_update_integrals+0x4c/0x118) R:0 T:1 IO:1 EX:1 Key:0 M:1 W:0 P:0 AS:0 CC:1 PM:0 Krnl GPRS: 00000000 000007d0 7fffffff fffff830 00000000 ffffffff 00000002 0f9ed9b8 00000000 00008ca0 00000000 0f9ed9b8 0f9edda4 8007386e 0f4f7ec8 0f4f7e98 Krnl Code: 800738aa: a71807d0 lhi %r1,2000 800738ae: 8c200001 srdl %r2,1 800738b2: 1d21 dr %r2,%r1 >800738b4: 5810d10e l %r1,270(%r13) 800738b8: 1823 lr %r2,%r3 800738ba: 4130f060 la %r3,96(%r15) 800738be: 0de1 basr %r14,%r1 800738c0: 5800f060 l %r0,96(%r15) Call Trace: ( <000000000004fdea>! blocking_notifier_call_chain+0x1e/0x2c) <0000000000038502>! do_exit+0x106/0x7c0 <0000000000038c36>! do_group_exit+0x7a/0xb4 <0000000000038c8e>! SyS_exit_group+0x1e/0x30 <0000000000021c28>! sysc_do_restart+0x12/0x16 <0000000077e7e924>! 0x77e7e924 Reason for this is that cpu time accounting usually only happens from interrupt context, but acct_update_integrals gets also called from process context with interrupts enabled. So in acct_update_integrals we may end up with the following scenario: Between reading tsk->stime/tsk->utime and tsk->acct_timexpd an interrupt happens which updates accouting values. This causes acct_timexpd to be greater than the former stime + utime. The subsequent calculation of dtime = cputime_sub(time, tsk->acct_timexpd); will be negative and the division performed by cputime_to_jiffies(dtime) will generate an exception since the result won't fit into a 32 bit register. In order to fix this just always disable interrupts while accessing any of the accounting values. Reported by: Frans Pop Tested by: Frans Pop Cc: Martin Schwidefsky Signed-off-by: Heiko Carstens Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit dbd17b6e5d8e8141ceab5d96b97120fdc00bf1b6 Author: Tejun Heo Date: Fri Feb 20 15:38:48 2009 -0800 vmalloc: call flush_cache_vunmap() from unmap_kernel_range() commit f6fcba7014f9cc535fa75ef98c008b24e49e2212 upstream. Impact: proper vcache flush on unmap_kernel_range() flush_cache_vunmap() should be called before pages are unmapped. Add a call to it in unmap_kernel_range(). Signed-off-by: Tejun Heo Acked-by: Nick Piggin Acked-by: David S. Miller Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 47275acc1f1aaad98226740c9f257d741a8cb3d6 Author: Michael Spang Date: Thu Mar 12 14:31:34 2009 -0700 acer-wmi: fix regression in backlight detection commit 1ba869ec581fd9078b684c56c399ffe3d2345e27 upstream. Currently we disable the Acer WMI backlight device if there is no ACPI backlight device. As a result, we end up with no backlight device at all. We should instead disable it if there is an ACPI device, as the other laptop drivers do. This regression was introduced in febf2d9 ("Acer-WMI: fingers off backlight if video.ko is serving this functionality"). Each laptop driver with backlight support got a similar change around febf2d9. The changes to the other drivers look correct; see e.g. a598c82f for a similar but correct change. The regression is also in 2.6.28. Signed-off-by: Michael Spang Acked-by: Thomas Renninger Cc: Zhang Rui Cc: Andi Kleen Cc: Carlos Corbacho Cc: Len Brown Cc: "Rafael J. Wysocki" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b9a77ccdba5e29f4f7961a3d7c80dba76d4b375e Author: Anssi Hannula Date: Sun Feb 22 14:42:54 2009 +0200 ALSA: aw2: do not grab every saa7146 based device commit e8bf069c419c1dc0657e02636441fe1179a9db14 upstream. Audiowerk2 driver snd-aw2 is bound to any saa7146 device as it does not check subsystem ids. Many DVB devices are saa7146 based, so aw2 driver grabs them as well. According to http://lkml.org/lkml/2008/10/15/311 aw2 devices have the subsystem ids set to 0, the saa7146 default. Fix conflicts with DVB devices by checking for subsystem ids = 0 specifically. Signed-off-by: Anssi Hannula Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit daa9a158938eedc461872a6cabaded9793335e33 Author: Luke Yelavich Date: Mon Feb 23 13:00:33 2009 +1100 ALSA: hda - add another MacBook Pro 3,1 SSID commit 2d4663816064fabb68935f920bbd7ccdc7f9392d upstream. Reference: Ubuntu bug #33245 https://bugs.launchpad.net/bugs/332456 Signed-off-by: Luke Yelavich Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit d503859c352ae9fc01aa95ef4a7ac904879e49d8 Author: Takashi Iwai Date: Fri Feb 27 17:36:33 2009 +0100 ALSA: hda - Fix digital mic on dell-m4-1 and dell-m4-3 commit ea18aa464452c3e6550320d247c0306aaa2d156f upstream. Fix num_dmuxes initialization for dell-m4-1 and dell-m4-3 models of IDT 92HD71bxx codec, which was wrongly set to zero. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 0d0ed5ca7301baf01bef6bf1d81c6966bde479d4 Author: Steve Chen Date: Sat Feb 21 08:05:04 2009 -0600 ALSA: fix excessive background noise introduced by OSS emulation rate shrink commit 5370d96f85962769ea3df3a81cc885f257c51589 upstream. Incorrect variable was used to get the next sample which caused S2 to be stuck with the same value resulting in loud background noise. Signed-off-by: Steve Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e1d2998309b487e0a23249be0307f0fda38f07a4 Author: Clemens Ladisch Date: Mon Feb 16 15:22:39 2009 +0100 sound: usb-audio: fix uninitialized variable with M-Audio MIDI interfaces commit e156ac4c571e3be741bc411e58820b74a9295c72 upstream. Fix the snd_usbmidi_create_endpoints_midiman() function, which forgot to set the out_interval member of the endpoint info structure for Midiman/ M-Audio devices. Since kernel 2.6.24, any non-zero value makes the driver use interrupt transfers instead of bulk transfers. With EHCI controllers, these random interval values result in unbearably large latencies for output MIDI transfers. Signed-off-by: Clemens Ladisch Reported-by: David Tested-by: David Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3b568cec647737ce6877a455ab19176ff84864e0 Author: Joris van Rantwijk Date: Mon Feb 16 22:58:23 2009 +0100 ALSA: usb-audio - Workaround for misdetected sample rate with CM6207 commit 3b03cc5b86e2052295b9b484f37226ee15c87924 upstream. The CM6207 incorrectly advertises its 96 kHz playback setting as 48 kHz in its USB device descriptor. This patch extends an existing workaround in usbaudio.c to also cover the CM6207. This resolves issue 0004249 in the ALSA bug tracker. Signed-off-by: Joris van Rantwijk Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 440c23dc69c129695c56b28cbbede416c83174f7 Author: Takashi Iwai Date: Mon Feb 16 22:48:12 2009 +0100 ALSA: usb-audio - Fix non-continuous rate detection commit 0412558c873f716efe902b397af0653a550f7341 upstream. The detection of non-continuous rates (given via rate tables) isn't processed properly (e.g. for type II). This patch fixes and simplifies the detection code. Tested-by: Joris van Rantwijk Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 38592b29048c8ac0fe6ca5399d817e3764376ad4 Author: Clemens Ladisch Date: Tue Feb 17 09:50:30 2009 +0100 sound: virtuoso: revert "do not overwrite EEPROM on Xonar D2/D2X" commit 6ce6c473a7fd742fdb0db95841e2c4c6b37337c5 upstream. This reverts commit 7e86c0e6850504ec9516b953f316a47277825e33 ("do not overwrite EEPROM on Xonar D2/D2X") because it did not actually help with the problem. More user reports show that the overwriting of the EEPROM is not triggered by using this driver but by installing Linux, and that the installation of any other operating system (even one without any CMI8788 driver) has the same effect. In other words, the presence of this driver does not have any effect on the occurrence of the error. (So far, the available evidence seems to point to a BIOS bug.) Furthermore, it turns out that the EEPROM chip is protected against stray write commands by the command format and by requiring a separate write-enable command, so the error scenario in the previous commit (that SPI writes can be misinterpreted as an EEPROM write command) is not even theoretically possible. The mixer control that was removed as a consequence of the previous commit can only be partially emulated in userspace, which also means it cannot be seen be the in-kernel OSS API emulation, so it is better to revert that change. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6bd24b2f85a3290c1b68f7a9185bd87bf506a441 Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md/raid10: Don't skip more than 1 bitmap-chunk at a time during recovery. commit 09b4068a7fe442efc40e9dcbcf5ff37c3338ab15 upstream. When doing recovery on a raid10 with a write-intent bitmap, we only need to recovery chunks that are flagged in the bitmap. However if we choose to skip a chunk as it isn't flag, the code currently skips the whole raid10-chunk, thus it might not recovery some blocks that need recovering. This patch fixes it. In case that is confusing, it might help to understand that there is a 'raid10 chunk size' which guides how data is distributed across the devices, and a 'bitmap chunk size' which says how much data corresponds to a single bit in the bitmap. This bug only affects cases where the bitmap chunk size is smaller than the raid10 chunk size. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 17872fe9e5c0e854598e92aa5861edae61ef8fdf Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md/raid10: Don't call bitmap_cond_end_sync when we are doing recovery. commit 78200d45cde2a79c0d0ae0407883bb264caa3c18 upstream. For raid1/4/5/6, resync (fixing inconsistencies between devices) is very similar to recovery (rebuilding a failed device onto a spare). The both walk through the device addresses in order. For raid10 it can be quite different. resync follows the 'array' address, and makes sure all copies are the same. Recover walks through 'device' addresses and recreates each missing block. The 'bitmap_cond_end_sync' function allows the write-intent-bitmap (When present) to be updated to reflect a partially completed resync. It makes assumptions which mean that it does not work correctly for raid10 recovery at all. In particularly, it can cause bitmap-directed recovery of a raid10 to not recovery some of the blocks that need to be recovered. So move the call to bitmap_cond_end_sync into the resync path, rather than being in the common "resync or recovery" path. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 42a52b79eae73b159e0ecbcf9111b306399aa4d2 Author: NeilBrown Date: Wed Feb 25 13:18:47 2009 +1100 md: avoid races when stopping resync. commit 73d5c38a9536142e062c35997b044e89166e063b upstream. There has been a race in raid10 and raid1 for a long time which has only recently started showing up due to a scheduler changed. When a sync_read request finishes, as soon as reschedule_retry is called, another thread can mark the resync request as having completed, so md_do_sync can finish, ->stop can be called, and ->conf can be freed. So using conf after reschedule_retry is not safe. Similarly, when finishing a sync_write, calling md_done_sync must be the last thing we do, as it allows a chain of events which will free conf and other data structures. The first of these requires action in raid10.c The second requires action in raid1.c and raid10.c Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 6d21e78dd40d9a292c837b34b3cbcea02f8c7ae1 Author: Karsten Wiese Date: Sun Feb 8 16:07:58 2009 -0800 USB: EHCI: slow down ITD reuse commit 9aa09d2f8f4bc440d6db1c3414d4009642875240 upstream. Currently ITDs are immediately recycled whenever their URB completes. However, EHCI hardware can sometimes remember some ITD state. This means that when the ITD is reused before end-of-frame it may sometimes cause the hardware to reference bogus state. This patch defers reusing such ITDs by moving them into a new ehci member cached_itd_list. ITDs resting in cached_itd_list are moved back into their stream's free_list once scan_periodic() detects that the active frame has elapsed. This makes the snd_usb_us122l driver (in kernel since .28) work right when it's hooked up through EHCI. [ dbrownell@users.sourceforge.net: comment fixups ] Signed-off-by: Karsten Wiese Tested-by: Philippe Carriere Tested-by: Federico Briata Signed-off-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 460ff89b6d5fd2bbacbe24250b05ea1121e17cd1 Author: Jesse Sung Date: Fri Feb 20 21:13:45 2009 -0800 USB: option: add BenQ 3g modem information commit 28fb66821f884870987a0b5ab064ef651d9f7c16 upstream. This patch addes the BenQ 3g modem support to the option driver. From: Jesse Sung Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit ceb5722adfe975c1014180a94360e8d410924b4b Author: Faisal Latif Date: Thu Mar 12 14:34:59 2009 -0700 RDMA/nes: Don't allow userspace QPs to use STag zero commit c12e56ef6951f4fce1afe9ef6aab9243ea9a9b04 upstream. STag zero is a special STag that allows consumers to access any bus address without registering memory. The nes driver unfortunately allows STag zero to be used even with QPs created by unprivileged userspace consumers, which means that any process with direct verbs access to the nes device can read and write any memory accessible to the underlying PCI device (usually any memory in the system). Such access is usually given for cluster software such as MPI to use, so this is a local privilege escalation bug on most systems running this driver. The driver was using STag zero to receive the last streaming mode data; to allow STag zero to be disabled for unprivileged QPs, the driver now registers a special MR for this data. Signed-off-by: Faisal Latif Signed-off-by: Roland Dreier Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 462fd62154c5afae1d7a5735724c6fa8a08e1934 Author: Phil Sutter Date: Sun Feb 8 16:44:42 2009 +0100 WATCHDOG: rc32434_wdt: fix sections commit d9a8798c4bab5ccd40e45e011f668099cfb3eb83 upstream. Fix init and exit sections. Signed-off-by: Phil Sutter Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit b89b72003f80b175eabb04ad5fc03c0f69e2f348 Author: Phil Sutter Date: Sun Feb 8 16:44:42 2009 +0100 WATCHDOG: rc32434_wdt: fix watchdog driver commit 0af98d37e85e6958eb84987b1f60da3b54008317 upstream. The existing driver code wasn't working. Neither the timeout was set correctly, nor system reset was being triggered, as the driver seemed to keep the WDT alive himself. There was also some unnecessary code. Signed-off-by: Phil Sutter Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit 6056031333bdc028b85683b42c343e8b08c18af4 Author: Alexey Dobriyan Date: Thu Feb 12 13:42:41 2009 +0300 WATCHDOG: ks8695_wdt.c: 'CLOCK_TICK_RATE' undeclared commit b02c387892fc6b3cc59c78ab2f79413d55f50190 upstream. On arm-acs5k_tiny: drivers/watchdog/ks8695_wdt.c:68: error: 'CLOCK_TICK_RATE' undeclared (first use in this function) Signed-off-by: Alexey Dobriyan Signed-off-by: Wim Van Sebroeck Signed-off-by: Greg Kroah-Hartman commit ea88e7c9433e93ebc08b8e425c275409f560bf93 Author: Larry Finger Date: Tue Feb 17 14:31:12 2009 -0600 rtl8187: New USB ID's for RTL8187L commit 046ee5d26ac91316a8ac0a29c0b33139dc9da20d upstream. Add new USB ID codes. These come from two postings on forums and mailing lists, and four are derived from the .inf that accompanies the latest Realtek Windows driver for the RTL8187L. Thanks to Viktor Ilijašić and Xose Vazquez Perez for reporting these new ID's. Signed-off-by: Larry Finger Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e8c0f6bbd71a4612ac604879593be7b8d225d28c Author: Dmitriy Taychenachev Date: Wed Feb 25 12:36:51 2009 +0800 USB: cdc-acm: add usb id for motomagx phones commit 155df65ae11dfc322214c6f887185929c809df1b upstream. The Motorola MOTOMAGX phones (Z6, E8, Zn5 so far) are providing combined ACM/BLAN USB configuration. Since it has Vendor Specific class, the corresponding drivers (cdc-acm, zaurus) can't find it just by interface info. This patch adds usb id so the cdc-acm driver can properly handle this combined device. Signed-off-by: Dmitriy Taychenachev Signed-off-by: Greg Kroah-Hartman commit eba069461dcf7564466a34b7d8681c92464cb980 Author: Alan Stern Date: Mon Feb 23 12:02:05 2009 -0500 USB: usb-storage: add IGNORE_RESIDUE flag for Genesys Logic adapters commit 5126a2674ddac0804450f59da25a058cca629d38 upstream. This patch (as1219) adds the IGNORE_RESIDUE flag to the unusual_devs entries for Genesys Logic's USB-IDE adapter. Although this device usually gets the residue correct, there is one command crucial to the operation of CD and DVD drives which it messes up. Tested-by: Mike Lampard Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 2ad66518a8fc1cef4968bbe2fd65f37d9a177dd1 Author: Alan Stern Date: Fri Feb 20 16:33:08 2009 -0500 USB: usb_get_string should check the descriptor type commit 67f5a4ba9741fcef3f4db3509ad03565d9e33af2 upstream. This patch (as1218) fixes a problem with a radio-control joystick used in the "walkera 4#3" helicopter. This device responds to the initial Get-String-Descriptor request for string 0 (which is really the list of supported languages) by sending its config descriptor! The usb_get_string() routine needs to check whether it got the right type of descriptor. Oddly enough, this sort of check is already present in usb_get_descriptor(). The patch changes the error code from -EPROTO to -ENODATA, because -EPROTO shows up in so many other contexts to indicate a hardware failure rather than a firmware error. Signed-off-by: Alan Stern Tested-by: Guillermo Jarabo Signed-off-by: Greg Kroah-Hartman commit 8ad59c65f7e043b34f8bc83a1e5f8cb6796c22be Author: Tejun Heo Date: Sat Feb 21 11:04:45 2009 +0900 SCSI: sd: revive sd_index_lock commit 4034cc68157bfa0b6622efe368488d3d3e20f4e6 upstream. Commit f27bac2761cab5a2e212dea602d22457a9aa6943 which converted sd to use ida instead of idr incorrectly removed sd_index_lock around id allocation and free. idr/ida do have internal locks but they protect their free object lists not the allocation itself. The caller is responsible for that. This missing synchronization led to the same id being assigned to multiple devices leading to oops. Reported and tracked down by Stuart Hayes of Dell. Signed-off-by: Tejun Heo Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit cd61ccf550e6ca3e55ba55809d3f51c7e8ef015b Author: Thomas Gleixner Date: Mon Feb 16 21:29:31 2009 +0100 JFFS2: fix mount crash caused by removed nodes commit 4c41bd0ec953954158f92bed5d3062645062b98e upstream. At scan time we observed following scenario: node A inserted node B inserted node C inserted -> sets overlapped flag on node B node A is removed due to CRC failure -> overlapped flag on node B remains while (tn->overlapped) tn = tn_prev(tn); ==> crash, when tn_prev(B) is referenced. When the ultimate node is removed at scan time and the overlapped flag is set on the penultimate node, then nothing updates the overlapped flag of that node. The overlapped iterators blindly expect that the ultimate node does not have the overlapped flag set, which causes the scan code to crash. It would be a huge overhead to go through the node chain on node removal and fix up the overlapped flags, so detecting such a case on the fly in the overlapped iterators is a simpler and reliable solution. Signed-off-by: Thomas Gleixner Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit 5ba885398bb1b2af6ce0a71b832b881337c0a402 Author: HighPoint Linux Team Date: Thu Feb 12 11:28:31 2009 +0800 SCSI: hptiop: Add new PCI device ID commit b73a77494292b930642fbf87de3e3196593f7593 upstream. Signed-off-by: HighPoint Linux Team Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 94caba80201d4fdedd9c5f01dd1d6a6d43b04286 Author: Yinghai Lu Date: Tue Feb 17 20:40:09 2009 -0800 PCI quirk: enable MSI on 8132 commit e0ae4f5503235ba4449ffb5bcb4189edcef4d584 upstream. David reported that LSI SAS doesn't work with MSI. It turns out that his BIOS doesn't enable it, but the HT MSI 8132 does support HT MSI. Add quirk to enable it Reported-by: David Lang Signed-off-by: Yinghai Lu Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 9840d66ec614aca0a91b782fad2372812705d8d5 Author: Nick Piggin Date: Fri Feb 27 14:03:03 2009 -0800 mm: vmap fix overflow commit 7766970cc13e9071b356b1f2a48a9eb8675bfcce upstream. The new vmap allocator can wrap the address and get confused in the case of large allocations or VMALLOC_END near the end of address space. Problem reported by Christoph Hellwig on a 32-bit XFS workload. Signed-off-by: Nick Piggin Reported-by: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 43ded9c8b02ffeb0f4baf9169547f9643b8e8173 Author: Vegard Nossum Date: Fri Feb 27 14:03:04 2009 -0800 mm: fix lazy vmap purging (use-after-free error) commit cbb766766f3f2f6d9326c561b1020590642c6e39 upstream. I just got this new warning from kmemcheck: WARNING: kmemcheck: Caught 32-bit read from freed memory (c7806a60) a06a80c7ecde70c1a04080c700000000a06709c1000000000000000000000000 f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f f ^ Pid: 0, comm: swapper Not tainted (2.6.29-rc4 #230) EIP: 0060:[] EFLAGS: 00000286 CPU: 0 EIP is at __purge_vmap_area_lazy+0x117/0x140 EAX: 00070f43 EBX: c7806a40 ECX: c1677080 EDX: 00027b66 ESI: 00002001 EDI: c170df0c EBP: c170df00 ESP: c178830c DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 CR0: 80050033 CR2: c7806b14 CR3: 01775000 CR4: 00000690 DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000 DR6: 00004000 DR7: 00000000 [] free_unmap_vmap_area_noflush+0x6e/0x70 [] remove_vm_area+0x2a/0x70 [] __vunmap+0x45/0xe0 [] vunmap+0x1e/0x30 [] text_poke+0x95/0x150 [] alternatives_smp_unlock+0x49/0x60 [] alternative_instructions+0x11b/0x124 [] check_bugs+0xbd/0xdc [] start_kernel+0x2ed/0x360 [] __init_begin+0x9e/0xa9 [] 0xffffffff It happened here: $ addr2line -e vmlinux -i c1096df7 mm/vmalloc.c:540 Code: list_for_each_entry(va, &valist, purge_list) __free_vmap_area(va); It's this instruction: mov 0x20(%ebx),%edx Which corresponds to a dereference of va->purge_list.next: (gdb) p ((struct vmap_area *) 0)->purge_list.next Cannot access memory at address 0x20 It seems that we should use "safe" list traversal here, as the element is freed inside the loop. Please verify that this is the right fix. Acked-by: Nick Piggin Signed-off-by: Vegard Nossum Cc: Pekka Enberg Cc: Ingo Molnar Cc: "Paul E. McKenney" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a402a128728e7f70cd5bce4539a22738a99f5123 Author: Steve French Date: Tue Feb 17 01:29:40 2009 +0000 Fix oops in cifs_strfromUCS_le mounting to servers which do not specify their OS commit 69765529d701c838df19ea1f5ad2f33a528261ae upstream. Fixes kernel bug #10451 http://bugzilla.kernel.org/show_bug.cgi?id=10451 Certain NAS appliances do not set the operating system or network operating system fields in the session setup response on the wire. cifs was oopsing on the unexpected zero length response fields (when trying to null terminate a zero length field). This fixes the oops. Acked-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit f50c4f6c29b308d487f6aff666231585217dddf2 Author: KAMEZAWA Hiroyuki Date: Wed Feb 18 14:48:33 2009 -0800 mm: fix memmap init for handling memory hole commit cc2559bccc72767cb446f79b071d96c30c26439b upstream. Now, early_pfn_in_nid(PFN, NID) may returns false if PFN is a hole. and memmap initialization was not done. This was a trouble for sparc boot. To fix this, the PFN should be initialized and marked as PG_reserved. This patch changes early_pfn_in_nid() return true if PFN is a hole. Signed-off-by: KAMEZAWA Hiroyuki Reported-by: David Miller Tested-by: KOSAKI Motohiro Cc: Mel Gorman Cc: Heiko Carstens Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 603960f6f771f0416630a12a41ee3805eaabd4ec Author: KAMEZAWA Hiroyuki Date: Wed Feb 18 14:48:32 2009 -0800 mm: clean up for early_pfn_to_nid() commit f2dbcfa738368c8a40d4a5f0b65dc9879577cb21 upstream. What's happening is that the assertion in mm/page_alloc.c:move_freepages() is triggering: BUG_ON(page_zone(start_page) != page_zone(end_page)); Once I knew this is what was happening, I added some annotations: if (unlikely(page_zone(start_page) != page_zone(end_page))) { printk(KERN_ERR "move_freepages: Bogus zones: " "start_page[%p] end_page[%p] zone[%p]\n", start_page, end_page, zone); printk(KERN_ERR "move_freepages: " "start_zone[%p] end_zone[%p]\n", page_zone(start_page), page_zone(end_page)); printk(KERN_ERR "move_freepages: " "start_pfn[0x%lx] end_pfn[0x%lx]\n", page_to_pfn(start_page), page_to_pfn(end_page)); printk(KERN_ERR "move_freepages: " "start_nid[%d] end_nid[%d]\n", page_to_nid(start_page), page_to_nid(end_page)); ... And here's what I got: move_freepages: Bogus zones: start_page[2207d0000] end_page[2207dffc0] zone[fffff8103effcb00] move_freepages: start_zone[fffff8103effcb00] end_zone[fffff8003fffeb00] move_freepages: start_pfn[0x81f600] end_pfn[0x81f7ff] move_freepages: start_nid[1] end_nid[0] My memory layout on this box is: [ 0.000000] Zone PFN ranges: [ 0.000000] Normal 0x00000000 -> 0x0081ff5d [ 0.000000] Movable zone start PFN for each node [ 0.000000] early_node_map[8] active PFN ranges [ 0.000000] 0: 0x00000000 -> 0x00020000 [ 0.000000] 1: 0x00800000 -> 0x0081f7ff [ 0.000000] 1: 0x0081f800 -> 0x0081fe50 [ 0.000000] 1: 0x0081fed1 -> 0x0081fed8 [ 0.000000] 1: 0x0081feda -> 0x0081fedb [ 0.000000] 1: 0x0081fedd -> 0x0081fee5 [ 0.000000] 1: 0x0081fee7 -> 0x0081ff51 [ 0.000000] 1: 0x0081ff59 -> 0x0081ff5d So it's a block move in that 0x81f600-->0x81f7ff region which triggers the problem. This patch: Declaration of early_pfn_to_nid() is scattered over per-arch include files, and it seems it's complicated to know when the declaration is used. I think it makes fix-for-memmap-init not easy. This patch moves all declaration to include/linux/mm.h After this, if !CONFIG_NODES_POPULATES_NODE_MAP && !CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID -> Use static definition in include/linux/mm.h else if !CONFIG_HAVE_ARCH_EARLY_PFN_TO_NID -> Use generic definition in mm/page_alloc.c else -> per-arch back end function will be called. Signed-off-by: KAMEZAWA Hiroyuki Tested-by: KOSAKI Motohiro Reported-by: David Miller Cc: Mel Gorman Cc: Heiko Carstens Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e66ddd9d206a473060e15036b86615e74beb4599 Author: Ed Cashin Date: Wed Feb 18 14:48:13 2009 -0800 aoe: ignore vendor extension AoE responses commit b6d6c5175809934e04a606d9193ef04924a7a7d9 upstream. The Welland ME-747K-SI AoE target generates unsolicited AoE responses that are marked as vendor extensions. Instead of ignoring these packets, the aoe driver was generating kernel messages for each unrecognized response received. This patch corrects the behavior. Signed-off-by: Ed Cashin Reported-by: Tested-by: Cc: Alex Buell Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f66876f398a9cda4cf00e9e148bcf91017026839 Author: Davide Libenzi Date: Wed Feb 18 14:48:18 2009 -0800 timerfd: add flags check commit 610d18f4128ebbd88845d0fc60cce67b49af881e upstream. As requested by Michael, add a missing check for valid flags in timerfd_settime(), and make it return EINVAL in case some extra bits are set. Michael said: If this is to be any use to userland apps that want to check flag support (perhaps it is too late already), then the sooner we get it into the kernel the better: 2.6.29 would be good; earlier stables as well would be even better. [akpm@linux-foundation.org: remove unused TFD_FLAGS_SET] Acked-by: Michael Kerrisk Signed-off-by: Davide Libenzi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 3e011dacc756e37cb864687eef81625ab92cbce7 Author: Bill Nottingham Date: Wed Feb 18 14:48:39 2009 -0800 vt: Declare PIO_CMAP/GIO_CMAP as compatbile ioctls. commit 2db69a9340da12a4db44edb7506dd68799aeff55 upstream. Otherwise, these don't work when called from 32-bit userspace on 64-bit kernels. Cc: Jiri Kosina Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9df28cf540f6a4064baf73ff7468e57892f4c379 Author: Eric Biederman Date: Wed Feb 18 14:48:16 2009 -0800 seq_file: properly cope with pread commit 8f19d472935c83d823fa4cf02bcc0a7b9952db30 upstream. Currently seq_read assumes that the offset passed to it is always the offset it passed to user space. In the case pread this assumption is broken and we do the wrong thing when presented with pread. To solve this I introduce an offset cache inside of struct seq_file so we know where our logical file position is. Then in seq_read if we try to read from another offset we reset our data structures and attempt to go to the offset user space wanted. [akpm@linux-foundation.org: restore FMODE_PWRITE] [pjt@google.com: seq_open needs its fmode opened up to take advantage of this] Signed-off-by: Eric Biederman Cc: Alexey Dobriyan Cc: Al Viro Cc: Paul Turner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 77a63f3bfdb9bb88fca91cdb4b8ea4af57b00096 Author: Paul Turner Date: Wed Feb 18 14:48:15 2009 -0800 vfs: separate FMODE_PREAD/FMODE_PWRITE into separate flags commit 55ec82176eca52e4e0530a82a0eb59160a1a95a1 upstream. Separate FMODE_PREAD and FMODE_PWRITE into separate flags to reflect the reality that the read and write paths may have independent restrictions. A git grep verifies that these flags are always cleared together so this new behavior will only apply to interfaces that change to clear flags individually. This is required for "seq_file: properly cope with pread", a post-2.6.25 regression fix. [akpm@linux-foundation.org: add comment] Signed-off-by: Paul Turner Cc: Eric Biederman Cc: Alexey Dobriyan Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b441f3fd1d14f4fef74dd339a05da1080f2a7288 Author: David S. Miller Date: Mon Jan 19 22:56:51 2009 -0800 sparc64: Fix DAX handling via userspace access from kernel. [ Upstream commit fcd26f7ae2ea5889134e8b3d60a42ce8b993c95f ] If we do a userspace access from kernel mode, and get a data access exception, we need to check the exception table just like a normal fault does. The spitfire DAX handler was doing this, but such logic was missing from the sun4v DAX code. Reported-by: Dennis Gilmore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b726dca0a412469d7786eb713101272cbf74b96f Author: David S. Miller Date: Wed Feb 11 00:54:07 2009 -0800 sparc64: Fix crashes in jbusmc_print_dimm() [ Upstream commit 1b0e235cc9bfae4bc0f5cd0cba929206fb0f6a64 ] Return was missing for the case where there is no dimm info match. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e32ee958d7c37b95c2ad03617d03b37cc99dc171 Author: David S. Miller Date: Tue Feb 17 21:24:05 2009 -0800 net: Kill skb_truesize_check(), it only catches false-positives. [ Upstream commit 92a0acce186cde8ead56c6915d9479773673ea1a ] A long time ago we had bugs, primarily in TCP, where we would modify skb->truesize (for TSO queue collapsing) in ways which would corrupt the socket memory accounting. skb_truesize_check() was added in order to try and catch this error more systematically. However this debugging check has morphed into a Frankenstein of sorts and these days it does nothing other than catch false-positives. Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3f2d812547dfafcb3d6c9ac30d2ef88104438258 Author: Eugene Teo Date: Mon Feb 23 15:38:41 2009 -0800 net: amend the fix for SO_BSDCOMPAT gsopt infoleak [ Upstream commit 50fee1dec5d71b8a14c1b82f2f42e16adc227f8b ] The fix for CVE-2009-0676 (upstream commit df0bca04) is incomplete. Note that the same problem of leaking kernel memory will reappear if someone on some architecture uses struct timeval with some internal padding (for example tv_sec 64-bit and tv_usec 32-bit) --- then, you are going to leak the padded bytes to userspace. Signed-off-by: Eugene Teo Reported-by: Mikulas Patocka Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman