commit 8d7bff2d72660d9d60aa371ae3d1356bbf329a09 Author: Chris Wright Date: Thu Apr 2 13:55:27 2009 -0700 Linux 2.6.29.1 commit bb70446264cc380f4167c9bea4df2c12ad564541 Author: Hans Verkuil Date: Tue Mar 31 09:23:04 2009 -0400 V4L: v4l2-common: remove incorrect MODULE test upstream commit: d64260d58865004c6354e024da3450fdd607ea07 v4l2-common doesn't have to be a module for it to call request_module(). Just remove that test. Without this patch loading ivtv as a module while v4l2-common is compiled into the kernel will cause a delayed load of the i2c modules that ivtv needs since request_module is never called directly. While it is nice to see the delayed load in action, it is not so nice in that ivtv fails to do a lot of necessary i2c initializations and will oops later on with a division-by-zero. Thanks to Mark Lord for reporting this and helping me figure out what was wrong. Thanks-to: Guennadi Liakhovetski Thanks-to: Mark Lord Signed-off-by: Hans Verkuil Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Michael Krufky Signed-off-by: Chris Wright commit 5d8a29ae73aa9a0dac7aa7ec970bbe2d8f45b189 Author: David S. Miller Date: Sun Mar 29 15:40:33 2009 -0700 sparc64: Fix reset hangs on Niagara systems. [ Upstream commit ffaba674090f287afe0c44fd8d978c64c03581a8 ] Hypervisor versions older than version 1.6.1 cannot handle leaving the profile counter overflow interrupt chirping when the system does a soft reset. So use a reboot notifier to shut off the NMI watchdog. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit b6816b706138c3870f03115071872cad824f90b4 Author: David S. Miller Date: Thu Mar 26 01:28:53 2009 -0700 sparc64: Flush TLB before releasing pages. [ Upstream commit a552a42cfa91ab653128dff89a70c8dde7fed042 ] tlb_flush_mmu() needs to flush pending TLB entries before processing the mmu_gather ->pages list. Noticed by Benjamin Herrenschmidt. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 8796fc28c04f2ed6aacfd5df9c306312aaca1aef Author: David S. Miller Date: Fri Mar 27 01:09:17 2009 -0700 sparc64: Fix MM refcount check in smp_flush_tlb_pending(). [ Upstream commit f9384d41c02408dd404aa64d66d0ef38adcf6479 ] As explained by Benjamin Herrenschmidt: > CPU 0 is running the context, task->mm == task->active_mm == your > context. The CPU is in userspace happily churning things. > > CPU 1 used to run it, not anymore, it's now running fancyfsd which > is a kernel thread, but current->active_mm still points to that > same context. > > Because there's only one "real" user, mm_users is 1 (but mm_count is > elevated, it's just that the presence on CPU 1 as active_mm has no > effect on mm_count(). > > At this point, fancyfsd decides to invalidate a mapping currently mapped > by that context, for example because a networked file has changed > remotely or something like that, using unmap_mapping_ranges(). > > So CPU 1 goes into the zapping code, which eventually ends up calling > flush_tlb_pending(). Your test will succeed, as current->active_mm is > indeed the target mm for the flush, and mm_users is indeed 1. So you > will -not- send an IPI to the other CPU, and CPU 0 will continue happily > accessing the pages that should have been unmapped. To fix this problem, check ->mm instead of ->active_mm, and this means: > So if you test current->mm, you effectively account for mm_users == 1, > so the only way the mm can be active on another processor is as a lazy > mm for a kernel thread. So your test should work properly as long > as you don't have a HW that will do speculative TLB reloads into the > TLB on that other CPU (and even if you do, you flush-on-switch-in should > get rid of any crap here). And therefore we should be OK. Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 716fd1dac0a807fdc4c750a5f967ffcc9d9ea744 Author: Joerg Roedel Date: Thu Mar 26 23:05:07 2009 +0000 KVM: MMU: Fix another largepage memory leak upstream commit: c5bc22424021cabda862727fb3f5098b866f074d In the paging_fetch function rmap_remove is called after setting a large pte to non-present. This causes rmap_remove to not drop the reference to the large page. The result is a memory leak of that page. Cc: stable@kernel.org Signed-off-by: Joerg Roedel Acked-by: Marcelo Tosatti Signed-off-by: Avi Kivity [chrisw: backport to 2.6.29] Signed-off-by: Chris Wright commit cbb76e6c205242d8889f9979d53f22a43328b9ec Author: Luis R. Rodriguez Date: Sat Mar 28 01:45:08 2009 +0000 cfg80211: fix incorrect assumption on last_request for 11d upstream commit: cc0b6fe88e99096868bdbacbf486c97299533b5a The incorrect assumption is the last regulatory request (last_request) is always a country IE when processing country IEs. Although this is true 99% of the time the first time this happens this could not be true. This fixes an oops in the branch check for the last_request when accessing drv_last_ie. The access was done under the assumption the struct won't be null. Note to stable: to port to 29 replace as follows, only 29 has country IE code: s|NL80211_REGDOM_SET_BY_COUNTRY_IE|REGDOM_SET_BY_COUNTRY_IE Cc: stable@kernel.org Reported-by: Quentin Armitage Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville [chrisw: backport to 2.6.29] Signed-off-by: Chris Wright commit 4d25e3d0370354092b04aa338df14fb0b4c63331 Author: Rusty Russell Date: Tue Mar 31 01:55:04 2009 +0000 lguest: fix spurious BUG_ON() on invalid guest stack. upstream commit: 6afbdd059c27330eccbd85943354f94c2b83a7fe Impact: fix crash on misbehaving guest gpte_addr() contains a BUG_ON(), insisting that the present flag is set. We need to return before we call it if that isn't the case. Signed-off-by: Rusty Russell Cc: stable@kernel.org Signed-off-by: Chris Wright commit ab624168973480d92c844cc6c46f97d85bedd91c Author: Rusty Russell Date: Tue Mar 31 01:55:02 2009 +0000 lguest: wire up pte_update/pte_update_defer upstream commit: b7ff99ea53cd16de8f6166c0e98f19a7c6ca67ee Impact: intermittent guest segv/crash fix I've been seeing random guest bad address crashes and segmentation faults: bisect led to 4f98a2fee8 (vmscan: split LRU lists into anon & file sets), but that's a red herring. It turns out that lguest never hooked up the pte_update/pte_update_defer calls, so our ptes were not always in sync. After the vmscan commit, the bug became reproducible; now a fsck in a 64MB guest causes reproducible pagetable corruption. Signed-off-by: Rusty Russell Cc: jeremy@xensource.com Cc: virtualization@lists.osdl.org Cc: stable@kernel.org Signed-off-by: Chris Wright commit 73dffc3a1e9678facba4cd762aa9a3692c7b4a72 Author: Pallipadi, Venkatesh Date: Mon Mar 30 18:50:36 2009 +0000 VM, x86, PAT: Change is_linear_pfn_mapping to not use vm_pgoff upstream commit: 4bb9c5c02153dfc89a6c73a6f32091413805ad7d Impact: fix false positive PAT warnings - also fix VirtalBox hang Use of vma->vm_pgoff to identify the pfnmaps that are fully mapped at mmap time is broken. vm_pgoff is set by generic mmap code even for cases where drivers are setting up the mappings at the fault time. The problem was originally reported here: http://marc.info/?l=linux-kernel&m=123383810628583&w=2 Change is_linear_pfn_mapping logic to overload VM_INSERTPAGE flag along with VM_PFNMAP to mean full PFNMAP setup at mmap time. Problem also tracked at: http://bugzilla.kernel.org/show_bug.cgi?id=12800 Reported-by: Thomas Hellstrom Tested-by: Frans Pop Signed-off-by: Venkatesh Pallipadi Signed-off-by: Suresh Siddha Cc: Nick Piggin Cc: "ebiederm@xmission.com" Cc: # only for 2.6.29.1, not .28 LKML-Reference: <20090313004527.GA7176@linux-os.sc.intel.com> Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit 67df6428d5c5a27061d94c6c9d0e844401638be5 Author: Andreas Herrmann Date: Mon Mar 30 18:50:32 2009 +0000 x86: mtrr: don't modify RdDram/WrDram bits of fixed MTRRs upstream commit: 3ff42da5048649503e343a32be37b14a6a4e8aaf Impact: bug fix + BIOS workaround BIOS is expected to clear the SYSCFG[MtrrFixDramModEn] on AMD CPUs after fixed MTRRs are configured. Some BIOSes do not clear SYSCFG[MtrrFixDramModEn] on BP (and on APs). This can lead to obfuscation in Linux when this bit is not cleared on BP but cleared on APs. A consequence of this is that the saved fixed-MTRR state (from BP) differs from the fixed-MTRRs of APs -- because RdDram/WrDram bits are read as zero when SYSCFG[MtrrFixDramModEn] is cleared -- and Linux tries to sync fixed-MTRR state from BP to AP. This implies that Linux sets SYSCFG[MtrrFixDramEn] and activates those bits. More important is that (some) systems change these bits in SMM when ACPI is enabled. Hence it is racy if Linux modifies RdMem/WrMem bits, too. (1) The patch modifies an old fix from Bernhard Kaindl to get suspend/resume working on some Acer Laptops. Bernhard's patch tried to sync RdMem/WrMem bits of fixed MTRR registers and that helped on those old Laptops. (Don't ask me why -- can't test it myself). But this old problem was not the motivation for the patch. (See http://lkml.org/lkml/2007/4/3/110) (2) The more important effect is to fix issues on some more current systems. On those systems Linux panics or just freezes, see http://bugzilla.kernel.org/show_bug.cgi?id=11541 (and also duplicates of this bug: http://bugzilla.kernel.org/show_bug.cgi?id=11737 http://bugzilla.kernel.org/show_bug.cgi?id=11714) The affected systems boot only using acpi=ht, acpi=off or when the kernel is built with CONFIG_MTRR=n. The acpi options prevent full enablement of ACPI. Obviously when ACPI is enabled the BIOS/SMM modfies RdMem/WrMem bits. When CONFIG_MTRR=y Linux also accesses and modifies those bits when it needs to sync fixed-MTRRs across cores (Bernhard's fix, see (1)). How do you synchronize that? You can't. As a consequence Linux shouldn't touch those bits at all (Rationale are AMD's BKDGs which recommend to clear the bit that makes RdMem/WrMem accessible). This is the purpose of this patch. And (so far) this suffices to fix (1) and (2). I suggest not to touch RdDram/WrDram bits of fixed-MTRRs and SYSCFG[MtrrFixDramEn] and to clear SYSCFG[MtrrFixDramModEn] as suggested by AMD K8, and AMD family 10h/11h BKDGs. BIOS is expected to do this anyway. This should avoid that Linux and SMM tread on each other's toes ... Signed-off-by: Andreas Herrmann Cc: trenn@suse.de Cc: Yinghai Lu LKML-Reference: <20090312163937.GH20716@alberich.amd.com> Cc: Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit 178e0475b55e31b8d4cc7f247295f7b887680dce Author: xiyou.wangcong@gmail.com Date: Mon Mar 30 18:50:30 2009 +0000 x86: ptrace, bts: fix an unreachable statement upstream commit: 5a8ac9d28dae5330c70562c7d7785f5104059c17 Commit c2724775ce57c98b8af9694857b941dc61056516 put a statement after return, which makes that statement unreachable. Move that statement before return. Signed-off-by: WANG Cong Cc: Roland McGrath Cc: Markus Metzger LKML-Reference: <20090313075622.GB8933@hack> Cc: # .29 only Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit 393c20529ebe898fb975744ed0aad5bdd953f232 Author: Yinghai Lu Date: Mon Mar 30 18:50:28 2009 +0000 x86: fix 64k corruption-check upstream commit: 6d7942dc2a70a7e74c352107b150265602671588 Impact: fix boot crash Need to exit early if the addr is far above 64k. The crash got exposed by: 78a8b35: x86: make e820_update_range() handle small range update Signed-off-by: Yinghai Lu Cc: LKML-Reference: <49BC2279.2030101@kernel.org> Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit 4a78cb55e52d24c37126f456a710c7d6b9babbb4 Author: Rusty Russell Date: Mon Mar 30 18:50:23 2009 +0000 x86, uv: fix cpumask iterator in uv_bau_init() upstream commit: 2c74d66624ddbda8101d54d1e184cf9229b378bc Impact: fix boot crash on UV systems Commit 76ba0ecda0de9accea9a91cb6dbde46782110e1c "cpumask: use cpumask_var_t in uv_flush_tlb_others" used cur_cpu as an iterator; it was supposed to be zero for the code below it. Reported-by: Cliff Wickman Original-From: Cliff Wickman Signed-off-by: Rusty Russell Acked-by: Mike Travis Cc: steiner@sgi.com Cc: LKML-Reference: <200903180822.31196.rusty@rustcorp.com.au> Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit e1b427acc979431fc7f57a06d0c636c542fdffcc Author: Pallipadi, Venkatesh Date: Mon Mar 30 18:50:19 2009 +0000 x86, PAT, PCI: Change vma prot in pci_mmap to reflect inherited prot upstream commit: 9cdec049389ce2c324fd1ec508a71528a27d4a07 While looking at the issue in the thread: http://marc.info/?l=dri-devel&m=123606627824556&w=2 noticed a bug in pci PAT code and memory type setting. PCI mmap code did not set the proper protection in vma, when it inherited protection in reserve_memtype. This bug only affects the case where there exists a WC mapping before X does an mmap with /proc or /sys pci interface. This will cause X userlevel mmap from /proc or /sysfs to fail on fork. Reported-by: Kevin Winchester Signed-off-by: Venkatesh Pallipadi Signed-off-by: Suresh Siddha Cc: Jesse Barnes Cc: Dave Airlie Cc: LKML-Reference: <20090323190720.GA16831@linux-os.sc.intel.com> Signed-off-by: Ingo Molnar Signed-off-by: Chris Wright commit ce6d13d7f44cb05c007ed804c0c20cfda9d2f94a Author: Dan Carpenter Date: Mon Mar 30 18:50:16 2009 +0000 Add a missing unlock_kernel() in raw_open() upstream commit: 996ff68d8b358885c1de82a45517c607999947c7 Cc: stable@kernel.org Signed-off-by: Dan Carpenter Signed-off-by: Jonathan Corbet Signed-off-by: Chris Wright commit 84a31107de6deee382e98b911e0fc7263427a7a8 Author: Dan Carpenter Date: Mon Mar 30 18:50:13 2009 +0000 fuse: fix fuse_file_lseek returning with lock held upstream commit: 5291658d87ac1ae60418e79e7b6bad7d5f595e0c This bug was found with smatch (http://repo.or.cz/w/smatch.git/). If we return directly the inode->i_mutex lock doesn't get released. Signed-off-by: Dan Carpenter Signed-off-by: Miklos Szeredi CC: stable@kernel.org Signed-off-by: Chris Wright commit fdc0359dc4769e463481a5376cb66f5c53b2868c Author: Mikael Pettersson Date: Sat Mar 28 19:18:05 2009 +0100 ARM: 5435/1: fix compile warning in sanity_check_meminfo() upstream commit: f0bba9f934517533acbda7329be93f55d5a01c03 Compiling recent 2.6.29-rc kernels for ARM gives me the following warning: arch/arm/mm/mmu.c: In function 'sanity_check_meminfo': arch/arm/mm/mmu.c:697: warning: comparison between pointer and integer This is because commit 3fd9825c42c784a59b3b90bdf073f49d4bb42a8d "[ARM] 5402/1: fix a case of wrap-around in sanity_check_meminfo()" in 2.6.29-rc5-git4 added a comparison of a pointer with PAGE_OFFSET, which is an integer. Fixed by casting PAGE_OFFSET to void *. Signed-off-by: Mikael Pettersson Acked-by: Nicolas Pitre Signed-off-by: Russell King Signed-off-by: Chris Wright commit 96c7a7e7ff618255028cf8c3e5b7dd17000df4de Author: Alan Cox Date: Mon Mar 23 10:43:54 2009 +0000 ARM: twl4030 - leak fix upstream commit: 803c78e4da28d7d7cb0642caf643b9289ae7838a Trivial error path leak fix. Problem found by Daniel Marjamäki using cppcheck Signed-off-by: Alan Cox Acked-by: Tony Lindgren Signed-off-by: Russell King Signed-off-by: Chris Wright commit 81c10c80c5928f42975e5da4fb67d92c4fc96012 Author: Alan Cox Date: Mon Mar 23 10:44:07 2009 +0000 ARM: fix leak in iop13xx/pci upstream commit: b23c7a427e4b3764ad686a46de89ab652811c50a Another leak found by Daniel Marjamäki Signed-off-by: Alan Cox Signed-off-by: Russell King Signed-off-by: Chris Wright commit 86046cf121d09c4513f1c79c8726a761777988f0 Author: Alan Cox Date: Mon Mar 23 10:37:57 2009 +0000 ARM: cumana: Fix a long standing bogon upstream commit: ecbf61e7357d5c7047c813edd6983902d158688c Should be using strncmp as the data from user space may be unterminated (Bug #8004) Signed-off-by: Alan Cox Signed-off-by: Chris Wright commit 4e3278e0e894eb08599dc3b2541f9f3a55ebeebf Author: Daniel Silverstone Date: Fri Mar 20 11:11:43 2009 +0100 ARM: 5428/1: Module relocation update for R_ARM_V4BX upstream commit: 4731f8b66dd34ebf0e67ca6ba9162b0e509bec06 It would seem when building kernel modules with modern binutils (required by modern GCC) for ARM v4T targets (specifically observed with the Samsung 24xx SoC which is an 920T) R_ARM_V4BX relocations are emitted for function epilogues. This manifests at module load time with an "unknown relocation: 40" error message. The following patch adds the R_ARM_V4BX relocation to the ARM kernel module loader. The relocation operation is taken from that within the binutils bfd library. Signed-off-by: Simtec Linux Team Signed-off-by: Vincent Sanders Signed-off-by: Russell King Signed-off-by: Chris Wright commit 7549374c394bd35a343f3f85f95d93af962be643 Author: Eric Miao Date: Thu Mar 19 15:24:30 2009 +0800 ARM: pxa: fix overlay being un-necessarily initialized on pxa25x upstream commit: 782385ae176b304c7105051e1b06c68bc0b4a2ba pxa25x doesn't support overlay in its LCD controller, this patch adds pxafb_overlay_supported() functions to check the initialization is necessary. Signed-off-by: Eric Miao Signed-off-by: Chris Wright commit f27eae2ce95d388ebea30853730d1ec76f07a41c Author: Beat Michel Liechti Date: Sat Mar 28 01:45:15 2009 +0000 DVB: firedtv: FireDTV S2 problems with tuning solved upstream commit: 32a0f488ce5e8a9a148491f15edc508ab5e8265b Tuning was broken on FireDTV S2 (and presumably FloppyDTV S2) because a wrong opcode was sent. The box only gave "not implemented" responses. Changing the opcode to _TUNE_QPSK2 fixes this for good. Cc: stable@kernel.org Signed-off-by: Beat Michel Liechti Signed-off-by: Stefan Richter Signed-off-by: Chris Wright commit 0e8cb3e1ded5f5fa57f9bb40fe75d7c35ad70985 Author: Luis R. Rodriguez Date: Sat Mar 28 01:45:10 2009 +0000 cfg80211: force last_request to be set for OLD_REG if regdom is EU upstream commit: 2e097dc65673ed421bbc2e49f52c125aa43a8ee6 Although EU is a bogus alpha2 we need to process the send request as our code depends on last_request being set. Cc: stable@kernel.org Reported-by: Quentin Armitage Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville [chrisw: backport to 2.6.29] Signed-off-by: Chris Wright Port-acked-by: Luis R. Rodriguez commit 15bd8021d870d2c4fbf8c16578d72d03cfddd3a7 Author: Steve French Date: Thu Mar 26 23:05:15 2009 +0000 CIFS: Fix memory overwrite when saving nativeFileSystem field during mount upstream commit: b363b3304bcf68c4541683b2eff70b29f0446a5b CIFS can allocate a few bytes to little for the nativeFileSystem field during tree connect response processing during mount. This can result in a "Redzone overwritten" message to be logged. Signed-off-by: Sridhar Vinay Acked-by: Shirish Pargaonkar CC: Stable Signed-off-by: Steve French [chrisw: minor backport to CHANGES file] Signed-off-by: Chris Wright commit db257505aa751f739531fee3a3f16a45ddb0eaca Author: Bob Copeland Date: Sat Mar 28 01:45:04 2009 +0000 ath5k: warn and correct rate for unknown hw rate indexes upstream commit: b726604706ad88d8b28bc487e45e710f58cc19ee ath5k sets up a mapping table from the hardware rate index to the rate index used by mac80211; however, we have seen some received frames with incorrect rate indexes. Such frames normally get dropped with a warning in __ieee80211_rx(), but it doesn't include enough information to track down the error. This patch adds a warning to hw_to_driver_rix for any lookups that result in a rate index of -1, then returns a valid rate so the frame can be processed. Changes-licensed-under: 3-Clause-BSD Signed-off-by: Bob Copeland Cc: stable@kernel.org Signed-off-by: John W. Linville [chrisw: add db5b4f7ae3901fdc48c5b988fc2a5e0cb4ec1870 to backport] Signed-off-by: Chris Wright commit 7b2b76da5c570166c04a44c9646963089b67e4ef Author: Bob Copeland Date: Sat Mar 28 01:45:12 2009 +0000 ath5k: disable MIB interrupts upstream commit: 9ca9fb8aa8422595956af9681518cdb8b167055e The MIB interrupt fires whenever counters overflow; however without support for automatic noise immunity, we can sometimes get an interrupt storm. The get_stats() callback reads the counters anyway so we can disable the interrupt for now until ANI is implemented. This fixes the issue reported in http://bugzilla.kernel.org/show_bug.cgi?id=12647. Changes-licensed-under: 3-Clause-BSD Cc: stable@kernel.org Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Chris Wright commit bf2d225b466496ff6704288bbd79fe744b399811 Author: Lorenzo Nava Date: Sat Mar 28 01:45:06 2009 +0000 b43: fix b43_plcp_get_bitrate_idx_ofdm return type upstream commit: a3c0b87c4f21911fb7185902dd13f0e3cd7f33f7 This patch fixes the return type of b43_plcp_get_bitrate_idx_ofdm. If the plcp contains an error, the function return value is 255 instead of -1, and the packet was not dropped. This causes a warning in __ieee80211_rx function because rate idx is out of range. Cc: stable@kernel.org Signed-off-by: Lorenzo Nava Signed-off-by: Michael Buesch Signed-off-by: John W. Linville Signed-off-by: Chris Wright commit fb2d617e4b8ac0a2c07643a3a6299409692f8003 Author: Luis R. Rodriguez Date: Sat Mar 28 01:45:02 2009 +0000 ath9k: fix dma mapping leak of rx buffer upon rmmod upstream commit: 051b919188650fe4c93ca8701183ae88439388f6 We were claiming DMA buffers on the RX tasklet but never upon a simple module removal. Cc: stable@kernel.org Signed-off-by: FUJITA Tomonori Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville [chrisw: backport to 2.6.29] Signed-off-by: Chris Wright commit 8bc20526fc862d18997fd6f267a985d428fbc6e5 Author: Bob Copeland Date: Thu Mar 26 23:05:28 2009 +0000 ath5k: use spin_lock_irqsave for beacon lock upstream commit: b5f03956c56d72ad336e5c2c42a025f25d952c30 ath5k_reset can be called from process context, which in turn can call ath5k_beacon_config which takes the sc->block spinlock. Since it can also be taken in hard irq context, use spin_lock_irqsave everywhere. This fixes a potential deadlock in adhoc mode. Changes-licensed-under: 3-Clause-BSD Cc: stable@kernel.org Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Chris Wright commit 46d2a92135c95066364a8603297b637314a85090 Author: Jeff Layton Date: Thu Mar 26 23:05:21 2009 +0000 cifs: fix buffer format byte on NT Rename/hardlink upstream commit: fcc7c09d94be7b75c9ea2beb22d0fae191c6b4b9 Discovered at Connnectathon 2009... The buffer format byte and the pad are transposed in NT_RENAME calls (which are used to set hardlinks). Most servers seem to ignore this fact, but NetApp filers throw back an error due to this problem. This patch fixes it. CC: Stable Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Chris Wright commit 35f0b41fd7342f56c3e756ff27e355d25f2bc06b Author: Luis R. Rodriguez Date: Thu Mar 26 23:05:17 2009 +0000 ath9k: downgrade xmit queue full message to xmit debug upstream commit: c117fa0bf5f5b3d362b590ed6e80499defe14505 This is not a fatal message, hitting it simply means we're going to tell the upper layers to slow their horses down but as we make more descriptors available we let the show continue by waking up the queues in ath_wake_mac80211_queue(). We downgrade this as otherwise we fill up your kernel log with messages which can be common under heavy traffic. Cc: stable@kernel.org Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Signed-off-by: Chris Wright commit 0b7f8d0aba7562cb7baa9e92dd5144c11f610595 Author: Andre Przywara Date: Thu Mar 26 23:05:09 2009 +0000 KVM: SVM: set accessed bit for VMCB segment selectors upstream commit: 1fbdc7a58512a6283e10fd27108197679db95ffa In the segment descriptor _cache_ the accessed bit is always set (although it can be cleared in the descriptor itself). Since Intel checks for this condition on a VMENTRY, set this bit in the AMD path to enable cross vendor migration. Cc: stable@kernel.org Signed-off-by: Andre Przywara Acked-By: Amit Shah Signed-off-by: Avi Kivity Signed-off-by: Chris Wright commit f438349efb8247cd0c1d453a4131b1f801bf5691 Author: Avi Kivity Date: Thu Mar 26 23:05:03 2009 +0000 KVM: VMX: Don't allow uninhibited access to EFER on i386 upstream commit: 16175a796d061833aacfbd9672235f2d2725df65 vmx_set_msr() does not allow i386 guests to touch EFER, but they can still do so through the default: label in the switch. If they set EFER_LME, they can oops the host. Fix by having EFER access through the normal channel (which will check for EFER_LME) even on i386. Reported-and-tested-by: Benjamin Gilbert Cc: stable@kernel.org Signed-off-by: Avi Kivity Signed-off-by: Chris Wright commit a9620fdcb8dab4d05f5677110c54b74e7ce1d621 Author: Alan Stern Date: Thu Mar 26 18:25:19 2009 +0000 USB: add quirk to avoid config and interface strings upstream commit: 1662e3a7f076e51e3073faf9ce77157b529c475b Apparently the Configuration and Interface strings aren't used as often as the Vendor, Product, and Serial strings. In at least one device (a Saitek Cyborg Gold 3D joystick), attempts to read the Configuration string cause the device to stop responding to Control requests. This patch (as1226) adds a quirks flag, telling the kernel not to read a device's Configuration or Interface strings, together with a new quirk for the offending joystick. Reported-by: Melchior FRANZ Tested-by: Melchior FRANZ Signed-off-by: Alan Stern Cc: stable [2.6.28 and 2.6.29, nothing earlier] Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit e6c7f8a29d45054727c7f9334c4a42729af436cd Author: David Brownell Date: Thu Mar 26 18:25:12 2009 +0000 USB: gadget: fix rndis regression upstream commit: 090b90118207e786d2990310d063fda5d52cce6e Restore some code that was wrongly dropped from the RNDIS driver, and caused interop problems observed with OpenMoko. The issue is with hardware which needs help conforming to part of the USB 2.0 spec (section 8.5.3.2); some can automagically send a ZLP in response to an unexpected IN, but not all chips will do that. We don't need to check the packet length ourselves the way earlier code did, since the UDC must already check it. But we do need to tell the UDC when it must force a short packet termination of the data stage. (Based on a patch from Aric D. Blumer ) Signed-off-by: David Brownell Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit 7127941c0e5fb2e3c15c4507aeab939e5e686dcd Author: Alan Stern Date: Thu Mar 26 18:25:09 2009 +0000 USB: usb-storage: increase max_sectors for tape drives upstream commit: 5c16034d73da2c1b663aa25dedadbc533b3d811c This patch (as1203) increases the max_sector limit for USB tape drives. By default usb-storage sets max_sectors to 240 (i.e., 120 KB) for all devices. But tape drives need a higher limit, since tapes can and do have very large block sizes. Without the ability to transfer an entire large block in a single command, such tapes can't be used. This fixes Bugzilla #12207. Signed-off-by: Alan Stern Reported-and-tested-by: Phil Mitchell Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit 760053b6503cd73758f4994a8305d4bc6f97fcfc Author: Boaz Harrosh Date: Thu Mar 26 18:25:07 2009 +0000 USB: fix USB_STORAGE_CYPRESS_ATACB upstream commit: 1f4159c1620f74377e26d8a569d10ca5907ef475 commit 64a87b24: [SCSI] Let scsi_cmnd->cmnd use request->cmd buffer changed the scsi_eh_prep_cmnd logic by making it clear the ->cmnd buffer. But the sat to cypress atacb translation supposed the ->cmnd buffer wasn't modified. This patch makes it set the ->cmnd buffer after scsi_eh_prep_cmnd call. The problem and a fix was reported by Matthieu CASTET It also removes all the hackery fiddling of scsi_cmnd and scsi_eh_save by requesting from scsi_eh_prep_cmnd to prepare a read into ->sense_buffer, which is much more suitable a buffer for HW transfers, then after the command execution the regs read is copied into regs buffer before actual preparation of sense_buffer. Also fix an alien comment character to my utf-8 editor. Signed-off-by: Boaz Harrosh Signed-off-by: Matthieu CASTET Cc: stable Cc: James Bottomley Cc: Matthew Dharm Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit 39f8c8a3ef3864bb8ed42c5d2159d6a9b0f0b36c Author: Alan Stern Date: Thu Mar 26 18:25:05 2009 +0000 USB: EHCI: add software retry for transaction errors upstream commit: a2c2706e1043c17139c2dafd171c4a5cf008ef7e This patch (as1204) adds a software retry mechanism to ehci-hcd. It gets invoked when the driver encounters transaction errors on an asynchronous endpoint. On many systems, hardware deficiencies cause such errors to occur if one device is unplugged while the host is communicating with another device. With the patch, the failed transactions are retried and generally succeed the second or third time through. This is based on code originally written by Koichiro Saito. Signed-off-by: Alan Stern Tested by: Koichiro Saito CC: David Brownell Cc: stable Signed-off-by: Greg Kroah-Hartman Signed-off-by: Chris Wright commit ce2a2dc25260683d83a895bf11a2667aaac84feb Author: Chuck Ebbert Date: Fri Mar 27 00:22:01 2009 -0700 xfrm: spin_lock() should be spin_unlock() in xfrm_state.c [ Upstream commit 7d0b591c655ca0d72ebcbd242cf659a20a8995c5 ] spin_lock() should be spin_unlock() in xfrm_state_walk_done(). caused by: commit 12a169e7d8f4b1c95252d8b04ed0f1033ed7cfe2 "ipsec: Put dumpers on the dump list" Reported-by: Marc Milgram Signed-off-by: Chuck Ebbert Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit c8289b1f3fb7ab89146a29e280c8f64d4f51f53a Author: Jesper Nilsson Date: Fri Mar 27 00:17:45 2009 -0700 ipv6: Plug sk_buff leak in ipv6_rcv (net/ipv6/ip6_input.c) [ Upstream commit 71f6f6dfdf7c7a67462386d9ea05c1095a89c555 ] Commit 778d80be52699596bf70e0eb0761cf5e1e46088d (ipv6: Add disable_ipv6 sysctl to disable IPv6 operaion on specific interface) seems to have introduced a leak of sk_buff's for ipv6 traffic, at least in some configurations where idev is NULL, or when ipv6 is disabled via sysctl. The problem is that if the first condition of the if-statement returns non-NULL, it returns an skb with only one reference, and when the other conditions apply, execution jumps to the "out" label, which does not call kfree_skb for it. To plug this leak, change to use the "drop" label instead. (this relies on it being ok to call kfree_skb on NULL) This also allows us to avoid calling rcu_read_unlock here, and removes the only user of the "out" label. Signed-off-by: Jesper Nilsson Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit ed421a64825501e0bdfe848c9decf05d270a9adb Author: Herbert Xu Date: Thu Mar 26 00:59:10 2009 -0700 GRO: Disable GRO on legacy netif_rx path [ Upstream commit 8f1ead2d1a626ed0c85b3d2c2046a49081d5933f ] When I fixed the GRO crash in the legacy receive path I used napi_complete to replace __napi_complete. Unfortunately they're not the same when NETPOLL is enabled, which may result in us not calling __napi_complete at all. What's more, we really do need to keep the __napi_complete call within the IRQ-off section since in theory an IRQ can occur in between and fill up the backlog to the maximum, causing us to lock up. Since we can't seem to find a fix that works properly right now, this patch reverts all the GRO support from the netif_rx path. Signed-off-by: Herbert Xu Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit 813352bc3317b1104212667ce227a901a8d49908 Author: Stephen Hemminger Date: Wed Mar 25 21:01:47 2009 -0700 bridge: bad error handling when adding invalid ether address [ Upstream commit cda6d377ec6b2ee2e58d563d0bd7eb313e0165df ] This fixes an crash when empty bond device is added to a bridge. If an interface with invalid ethernet address (all zero) is added to a bridge, then bridge code detects it when setting up the forward databas entry. But the error unwind is broken, the bridge port object can get freed twice: once when ref count went to zeo, and once by kfree. Since object is never really accessible, just free it. Signed-off-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit dcd2d49aa7d2b6405457e042cd5f92e247ff0e10 Author: Geert Uytterhoeven Date: Tue Mar 24 13:19:50 2009 -0700 dnet: drivers/net/dnet.c needs [ Upstream commit 142071b83426674ef2dab98cf2a6627328d0988e ] On m68k: | drivers/net/dnet.c: In function 'dnet_readw_mac': | drivers/net/dnet.c:36: error: implicit declaration of function 'writel' | drivers/net/dnet.c:43: error: implicit declaration of function 'readl' | drivers/net/dnet.c: In function 'dnet_probe': | drivers/net/dnet.c:873: error: implicit declaration of function 'ioremap' | drivers/net/dnet.c:873: warning: assignment makes pointer from integer without a cast | drivers/net/dnet.c:939: error: implicit declaration of function 'iounmap' Signed-off-by: Geert Uytterhoeven Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit efc337c45aa1e1b13188508de2593694fbe85b55 Author: Vitaly Mayatskikh Date: Mon Mar 23 15:22:33 2009 -0700 udp: Wrong locking code in udp seq_file infrastructure [ Upstream commit 30842f2989aacfaba3ccb39829b3417be9313dbe ] Reading zero bytes from /proc/net/udp or other similar files which use the same seq_file udp infrastructure panics kernel in that way: ===================================== [ BUG: bad unlock balance detected! ] ------------------------------------- read/1985 is trying to release lock (&table->hash[i].lock) at: [] udp_seq_stop+0x27/0x29 but there are no more locks to release! other info that might help us debug this: 1 lock held by read/1985: #0: (&p->lock){--..}, at: [] seq_read+0x38/0x348 stack backtrace: Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9 Call Trace: [] ? udp_seq_stop+0x27/0x29 [] print_unlock_inbalance_bug+0xd6/0xe1 [] lock_release_non_nested+0x9e/0x1c6 [] ? seq_read+0xb2/0x348 [] ? mark_held_locks+0x68/0x86 [] ? udp_seq_stop+0x27/0x29 [] lock_release+0x15d/0x189 [] _spin_unlock_bh+0x1e/0x34 [] udp_seq_stop+0x27/0x29 [] seq_read+0x2bb/0x348 [] ? seq_read+0x0/0x348 [] proc_reg_read+0x90/0xaf [] vfs_read+0xa6/0x103 [] ? trace_hardirqs_on_caller+0x12f/0x153 [] sys_read+0x45/0x69 [] system_call_fastpath+0x16/0x1b BUG: scheduling while atomic: read/1985/0xffffff00 INFO: lockdep is turned off. Modules linked in: cpufreq_ondemand acpi_cpufreq freq_table dm_multipath kvm ppdev snd_hda_codec_analog snd_hda_intel snd_hda_codec snd_hwdep snd_seq_dummy snd_seq_oss snd_seq_midi_event arc4 snd_s eq ecb thinkpad_acpi snd_seq_device iwl3945 hwmon sdhci_pci snd_pcm_oss sdhci rfkill mmc_core snd_mixer_oss i2c_i801 mac80211 yenta_socket ricoh_mmc i2c_core iTCO_wdt snd_pcm iTCO_vendor_support rs rc_nonstatic snd_timer snd lib80211 cfg80211 soundcore snd_page_alloc video parport_pc output parport e1000e [last unloaded: scsi_wait_scan] Pid: 1985, comm: read Not tainted 2.6.29-rc8 #9 Call Trace: [] ? __debug_show_held_locks+0x1b/0x24 [] __schedule_bug+0x7e/0x83 [] schedule+0xce/0x838 [] ? fsnotify_access+0x5f/0x67 [] ? sysret_careful+0xb/0x37 [] ? trace_hardirqs_on_caller+0x1f/0x153 [] ? trace_hardirqs_on_thunk+0x3a/0x3f [] sysret_careful+0x31/0x37 read[1985]: segfault at 7fffc479bfe8 ip 0000003e7420a180 sp 00007fffc479bfa0 error 6 Kernel panic - not syncing: Aiee, killing interrupt handler! udp_seq_stop() tries to unlock not yet locked spinlock. The lock was lost during splitting global udp_hash_lock to subsequent spinlocks. Signed-off by: Vitaly Mayatskikh Acked-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Chris Wright commit cbb1dbb63271d976f82819fb5cba88f47ac90616 Author: Mark H. Weaver Date: Mon Mar 23 13:46:12 2009 +0100 netfilter: nf_conntrack_tcp: fix unaligned memory access in tcp_sack [ Upstream commit 534f81a5068799799e264fd162e9488a129f98d4 ] This patch fixes an unaligned memory access in tcp_sack while reading sequence numbers from TCP selective acknowledgement options. Prior to applying this patch, upstream linux-2.6.27.20 was occasionally generating messages like this on my sparc64 system: [54678.532071] Kernel unaligned access at TPC[6b17d4] tcp_packet+0xcd4/0xd00 Acked-by: David S. Miller Signed-off-by: Patrick McHardy Signed-off-by: Chris Wright