commit 1e85856853e24e9013d142adaad38c2adc7e48ac Author: Greg Kroah-Hartman Date: Mon Mar 23 14:55:52 2009 -0700 Linux 2.6.28.9 commit c5a8c953669c14d1ef845b745f63f657e0adf46f Author: Tyler Hicks Date: Fri Mar 20 01:25:09 2009 -0500 eCryptfs: Allocate a variable number of pages for file headers commit 8faece5f906725c10e7a1f6caf84452abadbdc7b upstream. When allocating the memory used to store the eCryptfs header contents, a single, zeroed page was being allocated with get_zeroed_page(). However, the size of an eCryptfs header is either PAGE_CACHE_SIZE or ECRYPTFS_MINIMUM_HEADER_EXTENT_SIZE (8192), whichever is larger, and is stored in the file's private_data->crypt_stat->num_header_bytes_at_front field. ecryptfs_write_metadata_to_contents() was using num_header_bytes_at_front to decide how many bytes should be written to the lower filesystem for the file header. Unfortunately, at least 8K was being written from the page, despite the chance of the single, zeroed page being smaller than 8K. This resulted in random areas of kernel memory being written between the 0x1000 and 0x1FFF bytes offsets in the eCryptfs file headers if PAGE_SIZE was 4K. This patch allocates a variable number of pages, calculated with num_header_bytes_at_front, and passes the number of allocated pages along to ecryptfs_write_metadata_to_contents(). Thanks to Florian Streibelt for reporting the data leak and working with me to find the problem. 2.6.28 is the only kernel release with this vulnerability. Corresponds to CVE-2009-0787 Signed-off-by: Tyler Hicks Acked-by: Dustin Kirkland Reviewed-by: Eric Sandeen Reviewed-by: Eugene Teo Cc: dann frazier Cc: Serge E. Hallyn Cc: Florian Streibelt Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b99194e68ed013d0b37517a3d8737961554149c0 Author: Randy Dunlap Date: Tue Mar 10 12:55:46 2009 -0700 menu: fix embedded menu snafu commit b943c460ff8556a193b28e2145b513f8b978e869 upstream. The COMPAT_BRK kconfig symbol does not depend on EMBEDDED, but it is in the midst of the EMBEDDED menu symbols, so it mucks up the EMBEDDED menu. Fix by moving it to just after all of the EMBEDDED menu symbols. Also, ANON_INODES has a similar problem, so move it to just above the EMBEDDED menu items since it is used in the EMBEDDED menu. Signed-off-by: Randy Dunlap Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b585daad36aff9d1c69c86e9e5c47252d47658da Author: Eric Anholt Date: Tue Dec 23 18:42:32 2008 -0800 drm/i915: Don't allow objects to get bound while VT switched. commit 9bb2d6f94aeb9a185d69aedbd19421b6da4e3309 upstream. This avoids a BUG_ON in the enter_vt path due to objects being in the GTT when we shouldn't have ever let them be (as we're not supposed to touch the device during that time). This was triggered by a change in the 2D driver to use the GTT mapping of objects after pinning them to improve software fallback performance. Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit dad40cc5910c2f211c2e9fcbbd27933cc1d491e6 Author: Eric Anholt Date: Fri Dec 19 14:47:48 2008 -0800 drm/i915: Don't print to dmesg when taking signal during object_pin. commit f1acec933848219c402c165686677b1c307407f8 upstream. This showed up in logs where people had a hung chip, so pinning was blocked on the chip unpinning other buffers, and the X Server took its scheduler signal during that time. Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 6d314fc551bc7989f41765391055f69a70f75973 Author: Eric Anholt Date: Wed Dec 10 10:09:41 2008 -0800 drm/i915: Don't double-unpin buffers if we take a signal in evict_everything(). commit b117763627ef4d24086801dd5f74c9eb2f487790 upstream. We haven't seen this in practice, but it was visible when looking at a bug report from when i915_gem_evict_everything() was broken and would always return error. Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit d60104ad4ede25a065bddcd3b34befdc68f59444 Author: Jesse Barnes Date: Thu Jan 8 10:42:15 2009 -0800 drm/i915: don't enable vblanks on disabled pipes commit 71e0ffa599f54058d9b8724b4b14d0486751681d upstream. In some cases userland may be confused and try to wait on vblank events from pipes that aren't actually enabled. We shouldn't allow this, so return -EINVAL if the pipe isn't on. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 01e27a293ece260b0a40a61195d2e2ce046c565b Author: Jesse Barnes Date: Tue Jan 6 10:21:24 2009 -0800 drm/i915: set vblank enabled flag correctly across IRQ install/uninstall commit dc1336ff4fe08ae7cfe8301bfd7f0b2cfd31d20a upstream. In the absence of kernel mode setting, many drivers disable IRQs across VT switch. The core DRM vblank code is missing a check for this case however; even after IRQ disable, the vblank code will still have the vblank_enabled flag set, so unless we track the fact that they're disabled at IRQ uninstall time, when we VT switch back in we won't actually re-enable them, which means any apps waiting on vblank before the switch will hang. This patch does that and also adds a sanity check to the wait condition to look for the irq_enabled flag in general, as well as adding a wakeup to the IRQ uninstall path. Fixes fdo bug #18879 with compiz hangs at VT switch. Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit f16b678a669cdd1cfb7488144c4af924a24e244b Author: Johns Daniel Date: Sat Mar 14 10:03:51 2009 -0500 powerpc: Remove extra semicolon in fsl_soc.c TSEC/MDIO will not work with older device trees because of a semicolon at the end of a macro resulting in an empty for loop body. This fix only applies to 2.6.28; this code is gone in 2.6.29, according to Grant Likely! Signed-off-by: Johns Daniel Acked-by: Grant Likely Signed-off-by: Greg Kroah-Hartman commit 7492cd458092b19ac488c36a5287c2904490c214 Author: Karsten Wiese Date: Thu Feb 26 01:47:48 2009 +0100 USB: EHCI: Fix isochronous URB leak commit 508db8c954d55ed30f870d2c24d741ba6269d13c upstream. ehci-hcd uses usb_get_urb() and usb_put_urb() in an unbalanced way causing isochronous URB's kref.counts incrementing once per usb_submit_urb() call. The culprit is *usb being set to NULL when usb_put_urb() is called after URB is given back. Due to other fixes there is no need for ehci-hcd to deal with usb_get_urb() nor usb_put_urb() anymore, so patch removes their usages in ehci-hcd. Patch also makes ehci_to_hcd(ehci)->self.bandwidth_allocated adjust, if a stream finishes. Signed-off-by: Karsten Wiese Cc: David Brownell Signed-off-by: Greg Kroah-Hartman commit 6b2f291c5eb49398ee3fba6e3acb5b787a2d6808 Author: Alan Stern Date: Mon Mar 16 14:21:56 2009 -0400 USB: EHCI: expedite unlinks when the root hub is suspended commit 391016f6e2fe3b9979b4c6880a76e5e434d6947c upstream. This patch (as1225) fixes a bug in ehci-hcd. The condition for whether unlinked QHs can become IDLE should not be that the controller is halted, but rather that the controller isn't running. In other words when the root hub is suspended, the hardware doesn't own any QHs. This fixes a problem that can show up during hibernation: If a QH is only partially unlinked when the root hub is frozen, then when the root hub is thawed the QH won't be in the IDLE state. As a result it can't be used properly for new URB submissions. Signed-off-by: Alan Stern Reported-by: Brandon Philips Tested-by: Brandon Philips Acked-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 25be075ce7093af6ef783e3c01219836548466af Author: Alan Stern Date: Mon Mar 9 13:44:02 2009 -0400 USB: usbfs: keep async URBs until the device file is closed commit 6ff10464096540e14d7575a72c50d0316d003714 upstream. The usbfs driver manages a list of completed asynchronous URBs. But it is too eager to free the entries on this list: destroy_async() gets called whenever an interface is unbound or a device is removed, and it deallocates the outstanding struct async entries for all URBs on that interface or device. This is wrong; the user program should be able to reap an URB any time after it has completed, regardless of whether or not the interface is still bound or the device is still present. This patch (as1222) moves the code for deallocating the completed list entries from destroy_async() to usbdev_release(). The outstanding entries won't be freed until the user program has closed the device file, thereby eliminating any possibility that the remaining URBs might still be reaped. This fixes a bug in which a program can hang in the USBDEVFS_REAPURB ioctl when the device is unplugged. Reported-and-tested-by: Martin Poupe Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 76840acdb3a430e1d7eedacbcbb42397577f3288 Author: Greg Kroah-Hartman Date: Wed Mar 11 13:51:42 2009 -0700 USB: usbtmc: add protocol 1 support commit 228dd05dbfdd0fced8ab1a28ed73b500ba6bb0a6 upstream. The driver already supports the 1 protocol support, so just add it to the MODULE_DEVICE_TABLE entry so it properly picks up these devices. Thanks to Jouni Rynö for pointing this out. Reported-by: Jouni Ryno Signed-off-by: Greg Kroah-Hartman commit df17d7bed92939eb7e1c9966e8622e21ad27e2dc Author: Greg Kroah-Hartman Date: Tue Mar 10 20:42:55 2009 -0700 USB: usbtmc: fix stupid bug in open() commit 5b10916ea0a62920204517e1c4ce14560b4f96ab upstream. open() will never succeed, as we always return -ENODEV. Fix this obvious bug. Thanks to Jouni Ryno for reporting it. Reported-by: Jouni Ryno Signed-off-by: Greg Kroah-Hartman commit 4acd0aa935389d5122aa6b9b325a9ac37d417f60 Author: Robert M. Kenney Date: Thu Feb 26 14:58:39 2009 -0500 USB: serial: new cp2101 device id commit c6535668798b0644e1af5934c2aec0e912280449 upstream. From: Robert M. Kenney Signed-off-by: Greg Kroah-Hartman commit ff2e20ee916a36a1b2b9983cd494823ff5bc59bd Author: Michael Hennerich Date: Fri Mar 6 14:07:43 2009 -0800 USB: serial: ftdi: enable UART detection on gnICE JTAG adaptors blacklist interface0 commit b0d659002168146ec6b03d1ef062d8dcf05ff510 upstream. Signed-off-by: Michael Hennerich Signed-off-by: Bryan Wu Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 079922cc01673f0eac18ca7b3e358cc40d68fdaf Author: Axel Wachtler Date: Thu Mar 5 14:09:22 2009 -0800 USB: serial: add FTDI USB/Serial converter devices commit 7f82b6dd7015aabca2fd55fb690248f742cd67f3 upstream. Add the following devices to the USB FTDI SIO device table: Bus 001 Device 009: ID 03eb:2109 Atmel Corp. http://www.atmel.com/dyn/products/tools_card.asp?tool_id=4187 Bus 001 Device 008: ID 1cf1:0001 http://www.dresden-elektronik.de/shop/prod75.html Bus 001 Device 007: ID 1c1f:0004 http://www.dresden-elektronik.de/shop/prod64.html Signed-off-by: Axel Wachtler Signed-off-by: Robert Richter Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 060489b480635a55c6ec0f2f6f9ea8a14f7b68bf Author: Jan Dumon Date: Tue Mar 10 17:29:47 2009 +0100 USB: unusual_devs: Add support for GI 0431 SD-Card interface commit c497e715f93d148d751c055401568684eea0bf6b upstream. Enable the SD-Card interface on the GI 0431 HSUPA stick from Option. The unusual_devs.h entry is necessary because the device descriptor is vendor-specific. That prevents usb-storage from binding to it as an interface driver. T: Bus=07 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 15 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=ff(vend.) Sub=ff Prot=ff MxPS=64 #Cfgs= 1 P: Vendor=0af0 ProdID=7501 Rev= 0.00 S: Manufacturer=Option N.V. S: Product=Globetrotter HSUPA Modem C:* #Ifs=11 Cfg#= 1 Atr=a0 MxPwr=500mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=hso E: Ad=81(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 1 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 2 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=83(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 3 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=hso E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=04(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=85(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=05(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 5 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=06(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 6 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=hso E: Ad=87(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=07(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 7 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=hso E: Ad=88(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=08(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 8 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=ff Driver=(none) E: Ad=89(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=09(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#= 9 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=hso E: Ad=8a(I) Atr=03(Int.) MxPS= 64 Ivl=2ms E: Ad=8b(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=0a(O) Atr=02(Bulk) MxPS= 512 Ivl=4ms I:* If#=10 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=0b(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=8c(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Jan Dumon Signed-off-by: Phil Dibowitz Signed-off-by: Greg Kroah-Hartman commit 9aeb63199cdd3780ead20fba2d91673a5843f760 Author: Moritz Muehlenhoff Date: Sat Mar 14 00:43:21 2009 +0100 USB: Updated unusual-devs entry for USB mass storage on Nokia 6233 commit 716a9c8561d9c50ec454f4fbd39a265892feda2c upstream. Current firmware revision 5.60 still behaves the same, so update the quirk up a (non-existing) 99.99 revision. http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=493415 Signed-off-by: Moritz Muehlenhoff Tested-by: Jan Heitkoetter Signed-off-by: Phil Dibowitz Signed-off-by: Greg Kroah-Hartman commit fabc4623576ebf8767f4f555b9ba86eb2aeab78d Author: Dan Williams Date: Thu Mar 12 06:53:00 2009 -0400 USB: Option: let cdc-acm handle Sony Ericsson F3507g / Dell 5530 commit 0cc6bfe901b946df125d8e37186d8e45f876457d upstream. The generic cdc-acm driver is now the best one to handle Sony Ericsson F3507g-based devices (which the Dell 5530 is a rebrand of), now that all the pieces are in place (ie, cac477e8f1038c41b6f29d3161ce351462ef3df7). Removing the IDs from option allows cdc-acm to handle the device. Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 9bbe9fbee8307dadd3e54d11ee714577d35f00fd Author: Achilleas Kotsis Date: Mon Mar 16 16:35:02 2009 +0200 USB: Add device id for Option GTM380 to option driver commit e7f2f0d77a7b483a26054f29ba8393831b25a8a4 upstream. Option GTM380 in Modem mode uses Product ID 0x7201. This has been tested and works on production systems for over 6 months. Signed-off-by: Achilleas Kotsis Signed-off-by: Greg Kroah-Hartman commit 5bc2b4ef17a5e536b6873fc99ab315f7bde5439a Author: Albert Pauw Date: Sun Mar 1 09:37:52 2009 +0100 USB: option.c: add ZTE 622 modem device commit 9ea19b82f3126da4e47d6b94563a3c2cd586f6e2 upstream. Please consider this small patch for the usb option-card driver. This patch adds the ZTE 622 usb modem device. Signed-off-by: Albert Pauw Signed-off-by: Greg Kroah-Hartman commit 5552bf4ed7c03102bc9d75ec5732b416e63bdd7e Author: Dirk Hohndel Date: Sat Mar 14 20:47:39 2009 -0700 USB: Add Vendor/Product ID for new CDMA U727 to option driver commit 56a21827439a4d715b510bfaf488534e6f4ad2f8 upstream. * newer versions of the Novatel Wireless U727 CDMA 3G USB stick have a different Product ID (0x5010); adding this ID makes them work just fine with the option driver Signed-off-by: Dirk Hohndel Signed-off-by: Greg Kroah-Hartman commit c8b74f2e9cc9299ab80c8427a4098e71dc30e2cf Author: Thomas Bartosik Date: Mon Mar 16 16:04:38 2009 +0100 USB: storage: Unusual USB device Prolific 2507 variation added commit 8a0845c51b2e300f5204a323b874f7f58ea0eff7 upstream. The "c-enter" USB to Toshiba 1.8" IDE enclosure needs special treatment to work flawlessly. This patch is absolutely trivial, as the integrated USB-IDE bridge is already identified to be an "unusual" device, only the bcdDevice is different (lower) to the bcdDeviceMin already included in the kernel. It is a Prolific 2507 bridge. T: Bus=02 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 4 Spd=480 MxCh= 0 D: Ver= 2.00 Cls=00(>ifc ) Sub=00 Prot=00 MxPS=64 #Cfgs= 1 P: Vendor=067b ProdID=2507 Rev= 0.01 S: Manufacturer=Prolific Technology Inc. S: Product=ATAPI-6 Bridge Controller S: SerialNumber=00000272 C:* #Ifs= 1 Cfg#= 1 Atr=c0 MxPwr=100mA I:* If#= 0 Alt= 0 #EPs= 2 Cls=08(stor.) Sub=06 Prot=50 Driver=usb-storage E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms Signed-off-by: Thomas Bartosik Signed-off-by: Greg Kroah-Hartman commit 7c87d3575a24b7dfe80a59fd4f4df90552aaa5db Author: Linus Torvalds Date: Thu Mar 19 15:53:19 2009 -0700 Move cc-option to below arch-specific setup commit d0115552cdb0b4d4146975889fee2e9355515c4b upstream. Sam Ravnborg says: "We have several architectures that plays strange games with $(CC) and $(CROSS_COMPILE). So we need to postpone any use of $(call cc-option..) until we have included the arch specific Makefile so we try with the correct $(CC) version." Requested-by: Sam Ravnborg Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 92db6956ecd01ceb7934be0252b3b184a82ebb64 Author: Linus Torvalds Date: Thu Mar 19 11:10:17 2009 -0700 Add '-fwrapv' to gcc CFLAGS commit 68df3755e383e6fecf2354a67b08f92f18536594 upstream. This makes sure that gcc doesn't try to optimize away wrapping arithmetic, which the kernel occasionally uses for overflow testing, ie things like if (ptr + offset < ptr) which technically is undefined for non-unsigned types. See http://bugzilla.kernel.org/show_bug.cgi?id=12597 for details. Not all versions of gcc support it, so we need to make it conditional (it looks like it was introduced in gcc-3.4). Reminded-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bd0f9040683db9a20376e6507e972aaac68f3429 Author: Mathieu Chouquet-Stringer Date: Sat Mar 14 16:35:26 2009 +0100 thinkpad-acpi: fix module autoloading for older models commit b36a50f92d1c4300a88f606b4d2bbdc4f442a2d7 upstream. Looking at the source, there seems to be a missing * to match my DMI string. I mean for newer IBM and Lenovo's laptops you match either one of the following: MODULE_ALIAS("dmi:bvnIBM:*:svnIBM:*:pvrThinkPad*:rvnIBM:*"); MODULE_ALIAS("dmi:bvnLENOVO:*:svnLENOVO:*:pvrThinkPad*:rvnLENOVO:*"); While for older Thinkpads, you do this (for instance): IBM_BIOS_MODULE_ALIAS("1[0,3,6,8,A-G,I,K,M-P,S,T]"); with IBM_BIOS_MODULE_ALIAS being MODULE_ALIAS("dmi:bvnIBM:bvr" __type "ET??WW") Note there's no * terminating the string. As result, udev doesn't load anything because modprobe cannot find anything matching this (my machine actually): udevtest: run: '/sbin/modprobe dmi:bvnIBM:bvr1IET71WW(2.10):bd06/16/2006:svnIBM:pn236621U:pvrNotAv Signed-off-by: Mathieu Chouquet-Stringer Acked-by: Henrique de Moraes Holschuh Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 40e343208b727f5892249997691000847ec63dc3 Author: Andy Walls Date: Fri Jan 9 22:59:27 2009 -0300 V4L/DVB (10218): cx23885: Fix Oops for mixed install of analog and digital only cards commit cd8f894eacf13996d920fdd2aef1afc55156b191 upstream. Analog support for HVR-1250 has not been completed, but does exist for the HVR-1800. Since both cards use the same driver, it tries to create the analog dev for both devices, which is not possible. This causes a NULL error to show up in video_open and mpeg_open. -Mark Iterations through the cx23885_devlist must check for NULL pointers as some supported devices only have DVB support at the moment. Mark Jenks encoutered an Oops in a system with both an HVR-1250 and HVR-1800 installed. -Andy Reported-by: Mark Jenks Tested-by: Mark Jenks Signed-off-by: Mark Jenks Signed-off-by: Andy Walls Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Jarod Wilson Signed-off-by: Greg Kroah-Hartman commit 8a9b7134f8c43ff0a5ad6deebf94a37d13630ef9 Author: Tejun Heo Date: Tue Mar 3 13:52:16 2009 +0900 ata_piix: add workaround for Samsung DB-P70 commit e9c1670c2a14ef9cc20d86b24b829f3947aad34e upstream. Samsung DB-P70 somehow botched the first ICH9 SATA port. The board doesn't expose the first port but somehow SStatus reports link online while failing SRST protocol leading to repeated probe failures and thus long boot delay. Because the BIOS doesn't carry any identifying DMI information, the port can't be blacklisted safely. Fortunately, the controller does have subsystem vendor and ID set. It's unclear whether the subsystem IDs are used only for the board but it can be safely worked around by disabling SIDPR access and just using SRST works around the problem. Even when the workaround is triggered on an unaffected board the only side effect will be missing SCR access. Signed-off-by: Tejun Heo Reported-by: Joseph Jang Reported-by: Jonghyon Sohn Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 9c8f3fcd3ffd3283cc0971c8919058356f20a963 Author: Milan Broz Date: Mon Mar 16 17:44:36 2009 +0000 dm crypt: wait for endio to complete before destruction commit b35f8caa0890169000fec22902290d9a15274cbd upstream. The following oops has been reported when dm-crypt runs over a loop device. ... [ 70.381058] Process loop0 (pid: 4268, ti=cf3b2000 task=cf1cc1f0 task.ti=cf3b2000) ... [ 70.381058] Call Trace: [ 70.381058] [] ? crypt_dec_pending+0x5e/0x62 [dm_crypt] [ 70.381058] [] ? crypt_endio+0xa2/0xaa [dm_crypt] [ 70.381058] [] ? crypt_endio+0x0/0xaa [dm_crypt] [ 70.381058] [] ? bio_endio+0x2b/0x2e [ 70.381058] [] ? dec_pending+0x224/0x23b [dm_mod] [ 70.381058] [] ? clone_endio+0x79/0xa4 [dm_mod] [ 70.381058] [] ? clone_endio+0x0/0xa4 [dm_mod] [ 70.381058] [] ? bio_endio+0x2b/0x2e [ 70.381058] [] ? loop_thread+0x380/0x3b7 [ 70.381058] [] ? do_lo_send_aops+0x0/0x165 [ 70.381058] [] ? autoremove_wake_function+0x0/0x33 [ 70.381058] [] ? loop_thread+0x0/0x3b7 When a table is being replaced, it waits for I/O to complete before destroying the mempool, but the endio function doesn't call mempool_free() until after completing the bio. Fix it by swapping the order of those two operations. The same problem occurs in dm.c with md referenced after dec_pending. Again, we swap the order. Signed-off-by: Milan Broz Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 82ba91e8544c4dc502dfa40c3d9e041c6907bf3d Author: Huang Ying Date: Mon Mar 16 17:44:33 2009 +0000 dm crypt: fix kcryptd_async_done parameter commit b2174eebd1fadb76454dad09a1dacbc17081e6b0 upstream. In the async encryption-complete function (kcryptd_async_done), the crypto_async_request passed in may be different from the one passed to crypto_ablkcipher_encrypt/decrypt. Only crypto_async_request->data is guaranteed to be same as the one passed in. The current kcryptd_async_done uses the passed-in crypto_async_request directly which may cause the AES-NI-based AES algorithm implementation to panic. This patch fixes this bug by only using crypto_async_request->data, which points to dm_crypt_request, the crypto_async_request passed in. The original data (convert_context) is gotten from dm_crypt_request. [mbroz@redhat.com: reworked] Signed-off-by: Huang Ying Cc: Herbert Xu Signed-off-by: Milan Broz Signed-off-by: Andrew Morton Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 20b8b5c729f3f1152e046c807eeb61c23556d5a9 Author: Mikulas Patocka Date: Mon Mar 16 17:44:30 2009 +0000 dm io: respect BIO_MAX_PAGES limit commit d659e6cc98766a1a61d6bdd283f95d149abd7719 upstream. dm-io calls bio_get_nr_vecs to get the maximum number of pages to use for a given device. It allocates one additional bio_vec to use internally but failed to respect BIO_MAX_PAGES, so fix this. This was the likely cause of: https://bugzilla.redhat.com/show_bug.cgi?id=173153 Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 27e187c5aa83fd3cc69d21b15e1871be2d8d4f65 Author: Milan Broz Date: Mon Mar 16 16:56:01 2009 +0000 dm ioctl: validate name length when renaming commit bc0fd67feba2e0770aad85393500ba77c6489f1c upstream. When renaming a mapped device validate the length of the new name. The rename ioctl accepted any correctly-terminated string enclosed within the data passed from userspace. The other ioctls enforce a size limit of DM_NAME_LEN. If the name is changed and becomes longer than that, the device can no longer be addressed by name. Fix it by properly checking for device name length (including terminating zero). Signed-off-by: Milan Broz Reviewed-by: Jonathan Brassow Reviewed-by: Alasdair G Kergon Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 2bddaa01c5da9aa6083218f0f4c991a12a8f8054 Author: Benny Halevy Date: Wed Mar 4 23:05:35 2009 +0200 NFSD: provide encode routine for OP_OPENATTR commit 84f09f46b4ee9e4e9b6381f8af31817516d2091b upstream. Although this operation is unsupported by our implementation we still need to provide an encode routine for it to merely encode its (error) status back in the compound reply. Thanks for Bill Baker at sun.com for testing with the Sun OpenSolaris' client, finding, and reporting this bug at Connectathon 2009. This bug was introduced in 2.6.27 Signed-off-by: Benny Halevy Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit f40df5f22298327926688dce132c64351a029d4b Author: J. Bruce Fields Date: Mon Mar 16 18:34:20 2009 -0400 nfsd: nfsd should drop CAP_MKNOD for non-root commit 76a67ec6fb79ff3570dcb5342142c16098299911 upstream. Since creating a device node is normally an operation requiring special privilege, Igor Zhbanov points out that it is surprising (to say the least) that a client can, for example, create a device node on a filesystem exported with root_squash. So, make sure CAP_MKNOD is among the capabilities dropped when an nfsd thread handles a request from a non-root user. Reported-by: Igor Zhbanov Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 0b94331d39f94e826c18a82a26415b5816af6d8f Author: Krzysztof Helt Date: Mon Mar 16 21:32:25 2009 +0100 ALSA: opl3sa2 - Fix NULL dereference when suspending snd_opl3sa2 commit dde332b660cf0bc2baaba678b52768a0fb6e6da2 upstream. Fix the OOPS during a opl3sa2 card suspend and resume if the driver is loaded but the card is not found. Signed-off-by: Krzysztof Helt Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b4f070f9fd05d02d8bf2ded9daae5f02b42f5f1e Author: Takashi Iwai Date: Tue Mar 17 07:49:14 2009 +0100 ALSA: hda - Workaround for buggy DMA position on ATI controllers commit c673ba1c23941173c16ff24c7cb34199e826c8b5 upstream. The position-buffer on ATI controllers are unreliable as well as on VIA chips, thus the same workaround for DMA position reading as VIA is useful for ATI. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 67bb09a5a07c59802c327c30c61bcde7cfa00a78 Author: Takashi Iwai Date: Tue Mar 17 07:47:18 2009 +0100 ALSA: hda - Fix DMA mask for ATI controllers commit 09240cf429505891d6123ce14a29f58f2a60121e upstream. ATI controllers (at least some SB0600 models) appear buggy to handle 64bit DMA. As a workaround, reset GCAP bit0 and let the driver to use only 32bit DMA on these controllers. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8f6166c403dfc6befe95a622bbfc879b79e0dd8a Author: Jiri Slaby Date: Wed Mar 11 20:11:40 2009 +0100 ALSA: pcm_oss, fix locking typo commit 91054598f794fb5d8a0b1e747ff8e2e8fc2115b3 upstream. s/mutex_lock/mutex_unlock/ on 2 fail paths in snd_pcm_oss_proc_write. Probably a typo, lock should be unlocked when leaving the function. Signed-off-by: Jiri Slaby Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 8910212c174ef3e196510e16726fecb2dfe5859d Author: Jiri Slaby Date: Wed Mar 11 20:11:41 2009 +0100 ALSA: mixart, fix lock imbalance commit 82f5d57163abed2e5ff271d03217b6f90c616eb8 upstream. There is an omitted unlock in one snd_mixart_hw_params fail path. Fix it. Signed-off-by: Jiri Slaby Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 21c1a226c542d4dd3bd7e0c69a3f9b6d34e37392 Author: Takashi Iwai Date: Tue Mar 17 14:00:06 2009 +0100 ALSA: Fix vunmap and free order in snd_free_sgbuf_pages() commit 6af845e4eb36fb91b322aaf77ec1cab2220a48ad upstream. In snd_free_sgbuf_pags(), vunmap() is called after releasing the SG pages, and it causes errors on Xen as Xen manages the pages differently. Although no significant errors have been reported on the actual hardware, this order should be fixed other way round, first vunmap() then free pages. Cc: Jan Beulich Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit cd0af9303b6953350278cbc650ad8173e8c0dc58 Author: Martin Schwidefsky Date: Wed Mar 18 13:27:32 2009 +0100 S390: __div64_31 broken for CONFIG_MARCH_G5 commit 4fa81ed27781a12f6303b9263056635ae74e3e21 upstream. The implementation of __div64_31 for G5 machines is broken. The comments in __div64_31 are correct, only the code does not do what the comments say. The part "If the remainder has overflown subtract base and increase the quotient" is only partially realized, the base is subtracted correctly but the quotient is only increased if the dividend had the last bit set. Using the correct instruction fixes the problem. Reported-by: Frans Pop Tested-by: Frans Pop Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 85cf549f789682191f527408f028a5d7dd125bfc Author: Davide Libenzi Date: Wed Mar 18 17:04:19 2009 -0700 eventfd: remove fput() call from possible IRQ context commit 87c3a86e1c220121d0ced59d1a71e78ed9abc6dd upstream. Remove a source of fput() call from inside IRQ context. Myself, like Eric, wasn't able to reproduce an fput() call from IRQ context, but Jeff said he was able to, with the attached test program. Independently from this, the bug is conceptually there, so we might be better off fixing it. This patch adds an optimization similar to the one we already do on ->ki_filp, on ->ki_eventfd. Playing with ->f_count directly is not pretty in general, but the alternative here would be to add a brand new delayed fput() infrastructure, that I'm not sure is worth it. Signed-off-by: Davide Libenzi Cc: Benjamin LaHaise Cc: Trond Myklebust Cc: Eric Dumazet Signed-off-by: Jeff Moyer Cc: Zach Brown Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 157b13d83e8430243b1f075532ed42ecfc10a26b Author: Joe Korty Date: Thu Mar 19 13:28:58 2009 -0400 Fix misreporting of #cores as #hyperthreads for Q9550 For the Q9550, in x86_64 mode, /proc/cpuinfo mistakenly thinks the #cores present is the #hyperthreads present. i386 mode was not examined but is assumed to have the same problem. A backport of the following three 2.6.29-rc1 patches fixes the problem: 066941bd4eeb159307a5d7d795100d0887c00442: [PATCH] x86: unmask CPUID levels on Intel CPUs 99fb4d349db7e7dacb2099c5cc320a9e2d31c1ef: [PATCH] x86: unmask CPUID levels on Intel CPUs, fix bdf21a49bab28f0d9613e8d8724ef9c9168b61b9: [PATCH] x86: add MSR_IA32_MISC_ENABLE bits to From the first patch: "If the CPUID limit bit in MSR_IA32_MISC_ENABLE is set, clear it to make all CPUID information available. This is required for some features to work, in particular XSAVE." Originally-Developed-by: H. Peter Anvin Backported-by: Joe Korty Signed-off-by: Joe Korty Cc: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit de6fcb27ff0db582dd595e2c3d46181194dd734f Author: Tony Luck Date: Thu Feb 19 11:22:36 2009 -0800 Build fix for __early_pfn_to_nid() undefined link error commit 334f85b647bc46ff4d27ace55aa65f44d6a2f4db upstream. ia64 only defines __early_pfn_to_nid() for SPARSEMEM && NUMA configurations, so the recent: commit: f2dbcfa738368c8a40d4a5f0b65dc9879577cb21 mm: clean up for early_pfn_to_nid() ends up with some link problems for certain configuration files. Fix arch/ia64/Kconfig to only define HAVE_ARCH_EARLY_PFN_TO_NID in the cases where we do provide this function. Signed-off-by: Tony Luck Signed-off-by: Greg Kroah-Hartman