commit 186f9b18b94afd0b75a8ec1b394b0f119d479eb6
Author: Greg Kroah-Hartman
Date:   Mon May 18 16:52:34 2009 -0700

    Linux 2.6.29.4

commit 99d78985c194fe8816d9176be3e3be81f3af2df8
Author: Grant Likely
Date:   Wed Feb 4 11:23:56 2009 -0700

    powerpc/5200: Don't specify IRQF_SHARED in PSC UART driver

    commit d9f0c5f9bc74f16d0ea0f6c518b209e48783a796 upstream.

    The MPC5200 PSC device is wired up to a dedicated interrupt line which
    is never shared. This patch removes the IRQF_SHARED flag from the
    request_irq() call which eliminates the "IRQF_DISABLED is not
    guaranteed on shared IRQs" warning message from the console output.

    Signed-off-by: Grant Likely
    Reviewed-by: Wolfram Sang
    Signed-off-by: Greg Kroah-Hartman

commit 808e98b3d87427919bb0236d79ad827d6d1ff40f
Author: Hannes Hering
Date:   Mon May 4 11:06:37 2009 -0700

    ehea: fix invalid pointer access

    commit 0b2febf38a33d7c40fb7bb4a58c113a1fa33c412 upstream.

    This patch fixes an invalid pointer access in case the receive queue
    holds no pointer to the next skb when the queue is empty.

    Signed-off-by: Hannes Hering
    Signed-off-by: Jan-Bernd Themann
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d60c0932c0c995c0076b2edc8b83df7ae71861fa
Author: Miklos Szeredi
Date:   Tue Apr 14 19:48:39 2009 +0200

    ocfs2: fix i_mutex locking in ocfs2_splice_to_file()

    commit 328eaaba4e41a04c1dc4679d65bea3fee4349d86 upstream.

    Rearrange locking of i_mutex on destination and call to
    ocfs2_rw_lock() so locks are only held while buffers are copied with
    the pipe_to_file() actor, and not while waiting for more data on the
    pipe.

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 1aa8d5db832187c8e433a8db6c7e4e6c70ef69bb
Author: Miklos Szeredi
Date:   Tue Apr 14 19:48:38 2009 +0200

    splice: fix i_mutex locking in generic_splice_write()

    commit eb443e5a25d43996deb62b9bcee1a4ce5dea2ead upstream.
    Rearrange locking of i_mutex on destination so it's only held while
    buffers are copied with the pipe_to_file() actor, and not while
    waiting for more data on the pipe.

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 7a621671942307c9dbe201f461209c69ade14fae
Author: Miklos Szeredi
Date:   Tue Apr 14 19:48:37 2009 +0200

    splice: remove i_mutex locking in splice_from_pipe()

    commit 2933970b960223076d6affcf7a77e2bc546b8102 upstream.

    splice_from_pipe() is only called from two places:

     - generic_splice_sendpage()
     - splice_write_null()

    Neither of these require i_mutex to be taken on the destination inode.

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 5d1dfedd7906f57927c354e2434d21d3a59ef755
Author: Miklos Szeredi
Date:   Tue Apr 14 19:48:36 2009 +0200

    splice: split up __splice_from_pipe()

    commit b3c2d2ddd63944ef2a1e4a43077b602288107e01 upstream.

    Split up __splice_from_pipe() into four helper functions:

      splice_from_pipe_begin()
      splice_from_pipe_next()
      splice_from_pipe_feed()
      splice_from_pipe_end()

    splice_from_pipe_next() will wait (if necessary) for more buffers to
    be added to the pipe. splice_from_pipe_feed() will feed the buffers to
    the supplied actor and return when there's no more data available (or
    if all of the requested data has been copied).

    This is necessary so that implementations can do locking around the
    non-waiting splice_from_pipe_feed().

    This patch should not cause any change in behavior.

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit d42024748006cf393ca817f6e6eb90ccba439b3f
Author: Miklos Szeredi
Date:   Tue Apr 28 16:56:35 2009 +0200

    fuse: destroy bdi on error

    commit fd9db7297749c05fcf5721ce5393a5a8b8772f2a upstream.

    Destroy bdi on error in fuse_fill_super().
    This was an omission from commit
    26c3679101dbccc054dcf370143941844ba70531 "fuse: destroy bdi on
    umount", which moved the bdi_destroy() call from fuse_conn_put() to
    fuse_put_super().

    Signed-off-by: Miklos Szeredi
    Signed-off-by: Greg Kroah-Hartman

commit 21616cb7a37a63b9f33ea2e45ab6d29910b43fd2
Author: Avi Kivity
Date:   Sun May 3 18:50:55 2009 +0300

    KVM: Make EFER reads safe when EFER does not exist

    commit e286e86e6d2042d67d09244aa0e05ffef75c9d54 upstream.

    Some processors don't have EFER; don't oops if userspace wants us to
    read EFER when we check NX.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit a6ddabcdf09bf394de04ca5c772129cb8fc6e179
Author: Avi Kivity
Date:   Mon May 11 14:21:10 2009 +0300

    KVM: SVM: Remove port 80 passthrough

    commit 99f85a28a78e96d28907fe036e1671a218fee597 upstream.

    KVM optimizes guest port 80 accesses by passing them through to the
    host. Some AMD machines die on port 80 writes, allowing the guest to
    hard-lock the host.

    Remove the port passthrough to avoid the problem.

    Reported-by: Piotr Jaroszyński
    Tested-by: Piotr Jaroszyński
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit efee69d7e0f1ddfec97549eee0a8b63750eb67f7
Author: Alan Stern
Date:   Wed May 6 15:48:49 2009 -0400

    HID: add NOGET quirk for devices from CH Products

    commit b820aabf6cb987fd03d85b0b5f599685051e0426 upstream.

    This patch (as1240) adds the NOGET quirk for three devices from CH
    Products: the Pro pedals, the Combatstick joystick, and the Flight-Sim
    yoke. Without these quirks, the devices haven't worked for many kernel
    releases. Sometimes replugging them after boot-up would get them to
    work and sometimes they wouldn't work at all.
    Signed-off-by: Alan Stern
    Reported-by: Sean Hildebrand
    Reported-by: Sid Boyce
    Tested-by: Sean Hildebrand
    Tested-by: Sid Boyce
    Signed-off-by: Jiri Kosina
    Signed-off-by: Greg Kroah-Hartman

commit 76616a7e4d43cc7a2383c2bc67e27636c43ffdfa
Author: Dan Williams
Date:   Wed Apr 8 15:08:23 2009 -0700

    dmatest: fix max channels handling

    commit c56c81abe7e684bc6203632d807303eb765690dc upstream.

    The check for reaching max_channels is short circuited by 'continuing'
    after successfully adding a channel.

    [ Impact: make the 'max_channels' module parameter actually have an effect ]

    Reported-by: Dan Carpenter
    Signed-off-by: Dan Williams
    Signed-off-by: Greg Kroah-Hartman

commit 7388d0bb77dd8b7dd2a2f88f0e0042329cd33752
Author: J. Bruce Fields
Date:   Wed May 6 16:32:54 2009 -0400

    lockd: fix list corruption on lockd restart

    commit 89996df4b5b1a09c279f50b3fd03aa9df735f5cb upstream.

    If lockd is signalled soon enough after restart then
    locks_start_grace() will try to re-add an entry to a list and trigger
    a lock corruption warning.

    Thanks to Wang Chen for the problem report and diagnosis.

    WARNING: at lib/list_debug.c:26 __list_add+0x27/0x5c()
    ...
    list_add corruption. next->prev should be prev (ef8fe958), but was ef8ff128. (next=ef8ff128).
    ...
    Pid: 23062, comm: lockd Tainted: G W 2.6.30-rc2 #3
    Call Trace:
    [] warn_slowpath+0x71/0xa0
    [] ? update_curr+0x11d/0x125
    [] ? trace_hardirqs_on_caller+0x18/0x150
    [] ? trace_hardirqs_on+0xb/0xd
    [] ? _raw_spin_lock+0x53/0xfa
    [] __list_add+0x27/0x5c
    [] locks_start_grace+0x22/0x30 [lockd]
    [] set_grace_period+0x39/0x53 [lockd]
    [] ? lock_kernel+0x1c/0x28
    [] lockd+0x64/0x164 [lockd]
    [] ? trace_hardirqs_on_caller+0x18/0x150
    [] ? complete+0x34/0x3e
    [] ? lockd+0x0/0x164 [lockd]
    [] ? lockd+0x0/0x164 [lockd]
    [] kthread+0x45/0x6b
    [] ? kthread+0x0/0x6b
    [] kernel_thread_helper+0x7/0x10

    Reported-by: Wang Chen
    Signed-off-by: J. Bruce Fields
    Signed-off-by: Greg Kroah-Hartman

commit 9edd58567e1fb5af1c8155d4753cbf8b0a3f358f
Author: Trond Myklebust
Date:   Thu Mar 19 15:35:49 2009 -0400

    NFS: Fix the notifications when renaming onto an existing file

    commit b1e4adf4ea41bb8b5a7bfc1a7001f137e65495df upstream.

    NFS appears to be returning an unnecessary "delete" notification when
    we're doing an atomic rename. See

      http://bugzilla.gnome.org/show_bug.cgi?id=575684

    The fix is to get rid of the redundant call to d_delete().

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 824237356f629cf55af47468f1a4084771248c39
Author: J. Bruce Fields
Date:   Tue May 5 19:04:29 2009 -0400

    nfsd4: check for negative dentry before use in nfsv4 readdir

    commit b2c0cea6b1cb210e962f07047df602875564069e upstream.

    After 2f9092e1020246168b1309b35e085ecd7ff9ff72 "Fix i_mutex vs.
    readdir handling in nfsd" (and 14f7dd63 "Copy XFS readdir hack into
    nfsd code"), an entry may be removed between the first mutex_unlock
    and the second mutex_lock. In this case, lookup_one_len() will return
    a negative dentry. Check for this case to avoid a NULL dereference.

    Signed-off-by: J. Bruce Fields
    Reviewed-by: J. R. Okajima
    Signed-off-by: Greg Kroah-Hartman

commit 4eccd99ef7a39afd3005dadc91a80031aca5cbd6
Author: Davide Libenzi
Date:   Tue May 12 13:19:44 2009 -0700

    epoll: fix size check in epoll_create()

    commit bfe3891a5f5d3b78146a45f40e435d14f5ae39dd upstream.

    Fix a size check WRT the manual pages. This was inadvertently broken
    by commit 9fe5ad9c8cef9ad5873d8ee55d1cf00d9b607df0 ("flag parameters
    add-on: remove epoll_create size param").

    Signed-off-by: Davide Libenzi
    Cc:
    Cc: rohit verma
    Cc: Ulrich Drepper
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 330081190974939b32fd0bb6dc7587580708ea1f
Author: Steve French
Date:   Fri May 1 16:21:04 2009 +0000

    CIFS: Fix endian conversion of vcnum field

    commit 051a2a0d3242b448281376bb63cfa9385e0b6c68 upstream.
    When multiply mounting from the same client to the same server, with
    different userids, we create a vcnum which should be unique if
    possible (this is not the same as the smb uid, which is the handle to
    the security context). We were not endian converting additional
    (beyond the first which is zero) vcnum properly.

    Acked-by: Shirish Pargaonkar
    Acked-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 5da3b37d5eb68af30eb9e8bb553bed8c616024eb
Author: Trond Myklebust
Date:   Fri Apr 24 17:32:22 2009 -0400

    NFS: Close page_mkwrite() races

    commit 7fdf523067666b0eaff330f362401ee50ce187c4 upstream.

    Follow up to Nick Piggin's patches to ensure that nfs_vm_page_mkwrite
    returns with the page lock held, and sets the VM_FAULT_LOCKED flag.

    See http://bugzilla.kernel.org/show_bug.cgi?id=12913

    Signed-off-by: Trond Myklebust
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 668d834cdaebbd0280e4bd497205ea66ee0bf23f
Author: Trond Myklebust
Date:   Tue Apr 7 14:02:53 2009 -0700

    NFS: Fix the return value in nfs_page_mkwrite()

    commit 2b2ec7554cf7ec5e4412f89a5af6abe8ce950700 upstream.

    Commit c2ec175c39f62949438354f603f4aa170846aabb ("mm: page_mkwrite
    change prototype to match fault") exposed a bug in the NFS
    implementation of page_mkwrite. We should be returning 0 on success...

    Signed-off-by: Trond Myklebust
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e3fedc3d38a8b6a513f34e30ebc4d685c49261c9
Author: Steven Whitehouse
Date:   Mon Apr 20 09:45:54 2009 +0100

    GFS2: Fix page_mkwrite() return code

    commit e56985da455b9dc0591b8cb2006cc94b6f4fb0f4 upstream.

    This allows for the possibility of returning VM_FAULT_OOM as well as
    VM_FAULT_SIGBUS. This ensures that the correct action is taken.
    Signed-off-by: Steven Whitehouse
    Signed-off-by: Greg Kroah-Hartman

commit e58fcb489af71008f265f9b9b8af34ca123a8fc7
Author: Nick Piggin
Date:   Thu Apr 30 15:08:16 2009 -0700

    mm: close page_mkwrite races

    commit b827e496c893de0c0f142abfaeb8730a2fd6b37f upstream.

    Change page_mkwrite to allow implementations to return with the page
    locked, and also change its callers (in page fault paths) to hold the
    lock until the page is marked dirty. This allows the filesystem to
    have full control of page dirtying events coming from the VM.

    Rather than simply hold the page locked over the page_mkwrite call, we
    call page_mkwrite with the page unlocked and allow callers to return
    with it locked, so filesystems can avoid LOR conditions with page
    lock.

    The problem with the current scheme is this: a filesystem that wants
    to associate some metadata with a page as long as the page is dirty,
    will perform this manipulation in its ->page_mkwrite. It currently
    then must return with the page unlocked and may not hold any other
    locks (according to existing page_mkwrite convention).

    In this window, the VM could write out the page, clearing page-dirty.
    The filesystem has no good way to detect that a dirty pte is about to
    be attached, so it will happily write out the page, at which point,
    the filesystem may manipulate the metadata to reflect that the page is
    no longer dirty.

    It is not always possible to perform the required metadata
    manipulation in ->set_page_dirty, because that function cannot block
    or fail. The filesystem may need to allocate some data structure, for
    example.

    And the VM cannot mark the pte dirty before page_mkwrite, because
    page_mkwrite is allowed to fail, so we must not allow any window where
    the page could be written to if page_mkwrite does fail.
    This solution of holding the page locked over the 3 critical
    operations (page_mkwrite, setting the pte dirty, and finally setting
    the page dirty) closes out races nicely, preventing page cleaning for
    writeout being initiated in that window. This provides the filesystem
    with a strong synchronisation against the VM here.

    - Sage needs this race closed for ceph filesystem.
    - Trond for NFS (http://bugzilla.kernel.org/show_bug.cgi?id=12913).
    - I need it for fsblock.
    - I suspect other filesystems may need it too (eg. btrfs).
    - I have converted buffer.c to the new locking. Even simple block
      allocation under dirty pages might be susceptible to i_size changing
      under partial page at the end of file (we also have a buffer.c-side
      problem here, but it cannot be fixed properly without this patch).
    - Other filesystems (eg. NFS, maybe btrfs) will need to change their
      page_mkwrite functions themselves.

    [ This also moves page_mkwrite another step closer to fault, which
      should eventually allow page_mkwrite to be moved into ->fault, and
      thus avoiding a filesystem calldown and page lock/unlock cycle in
      __do_fault. ]

    [akpm@linux-foundation.org: fix derefs of NULL ->mapping]
    Cc: Sage Weil
    Cc: Trond Myklebust
    Signed-off-by: Nick Piggin
    Cc: Valdis Kletnieks
    Cc:
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit c34ee8b240fcdbc659cc2b3fe2d93cfb02df3ec3
Author: Nick Piggin
Date:   Tue Mar 31 15:23:23 2009 -0700

    fs: fix page_mkwrite error cases in core code and btrfs

    commit 56a76f8275c379ed73c8a43cfa1dfa2f5e9cfa19 upstream.

    page_mkwrite is called with neither the page lock nor the ptl held.
    This means a page can be concurrently truncated or invalidated out
    from underneath it. Callers are supposed to prevent truncate races
    themselves, however previously the only thing they can do in case they
    hit one is to raise a SIGBUS. A sigbus is wrong for the case that the
    page has been invalidated or truncated within i_size (eg. hole
    punched).
    Callers may also have to perform memory allocations in this path,
    where again, SIGBUS would be wrong.

    The previous patch ("mm: page_mkwrite change prototype to match
    fault") made it possible to properly specify errors. Convert the
    generic buffer.c code and btrfs to return sane error values (in the
    case of page removed from pagecache, VM_FAULT_NOPAGE will cause the
    fault handler to exit without doing anything, and the fault will be
    retried properly).

    This fixes core code, and converts btrfs as a template/example. All
    other filesystems defining their own page_mkwrite should be fixed in a
    similar manner.

    Acked-by: Chris Mason
    Signed-off-by: Nick Piggin
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a6114b201401a5b689f15b993359d7b6e61dc6dd
Author: Nick Piggin
Date:   Tue Mar 31 15:23:21 2009 -0700

    mm: page_mkwrite change prototype to match fault

    commit c2ec175c39f62949438354f603f4aa170846aabb upstream.

    Change the page_mkwrite prototype to take a struct vm_fault, and
    return VM_FAULT_xxx flags. There should be no functional change.

    This makes it possible to return much more detailed error information
    to the VM (and also can provide more information eg. virtual_address
    to the driver, which might be important in some special cases).

    This is required for a subsequent fix. And will also make it easier to
    merge page_mkwrite() with fault() in future.

    Signed-off-by: Nick Piggin
    Cc: Chris Mason
    Cc: Trond Myklebust
    Cc: Miklos Szeredi
    Cc: Steven Whitehouse
    Cc: Mark Fasheh
    Cc: Joel Becker
    Cc: Artem Bityutskiy
    Cc: Felix Blyakher
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 5a12457e62aab1e19aa1b1d9bdbe53f26e9ed689
Author: Jeff Layton
Date:   Sat May 9 11:34:21 2009 +0530

    cifs: Fix unicode string area word alignment in session setup

    commit 27b87fe52baba0a55e9723030e76fce94fabcea4 refreshed.
    cifs: fix unicode string area word alignment in session setup

    The handling of unicode string area alignment is wrong.
    decode_unicode_ssetup improperly assumes that it will always be
    preceded by a pad byte. This isn't the case if the string area is
    already word-aligned.

    This problem, combined with the bad buffer sizing for the serverDomain
    string can cause memory corruption. The bad alignment can make it so
    that the alignment of the characters is off. This can make them
    translate to characters that are greater than 2 bytes each. If this
    happens we can overflow the allocation.

    Fix this by fixing the alignment in CIFS_SessSetup instead so we can
    verify it against the head of the response. Also, clean up the
    workaround for improperly terminated strings by checking for
    odd-length unicode buffers and then forcibly terminating them.

    Finally, resize the buffer for serverDomain. Now that we've fixed the
    alignment, it's probably fine, but a malicious server could overflow
    it.

    A better solution for handling these strings is still needed, but this
    should be a suitable bandaid.

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Cc: Suresh Jayaraman
    Signed-off-by: Greg Kroah-Hartman

commit a7a7d2fe8813c3bee7d7db9ba889fc2c2dd39dd7
Author: Suresh Jayaraman
Date:   Sat May 9 11:33:12 2009 +0530

    cifs: Fix buffer size in cifs_convertUCSpath

    Relevant commits 7fabf0c9479fef9fdb9528a5fbdb1cb744a744a4 and
    f58841666bc22e827ca0dcef7b71c7bc2758ce82. The upstream commits add
    cifs_from_ucs2 that includes functionality of cifs_convertUCSpath and
    does cleanup.

    Reported-by: Jeff Layton
    Signed-off-by: Suresh Jayaraman
    Acked-by: Steve French
    Acked-by: Jeff Layton
    Signed-off-by: Greg Kroah-Hartman

commit 9381701c0f0722ffc1dab1c55ecd48f6d0b5be6f
Author: Suresh Jayaraman
Date:   Sat May 9 11:26:44 2009 +0530

    cifs: Fix incorrect destination buffer size in cifs_strncpy_to_host

    Relevant commits 968460ebd8006d55661dec0fb86712b40d71c413 and
    066ce6899484d9026acd6ba3a8dbbedb33d7ae1b.
    Minimal hunks to fix buffer size and fix an existing problem pointed
    out by Guenter Kukuk that length of src is used for NULL termination
    of dst.

    cifs: Rename cifs_strncpy_to_host and fix buffer size

    There is a possibility for the path_name and node_name buffers to
    overflow if they contain characters that are >2 bytes in the local
    charset. Resize the buffer allocation so as to avoid this possibility.

    Also, as pointed out by Jeff Layton, it would be appropriate to rename
    the function to cifs_strlcpy_to_host to reflect the fact that the
    copied string is always NULL terminated.

    Signed-off-by: Suresh Jayaraman
    Acked-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit e9012cf5e92b7812f5fc88fdd1ddaecc34a5b904
Author: Suresh Jayaraman
Date:   Sat May 9 11:22:47 2009 +0530

    cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows

    Commit 7b0c8fcff47a885743125dd843db64af41af5a61 refreshed and use a
    #define from commit f58841666bc22e827ca0dcef7b71c7bc2758ce82.

    cifs: Increase size of tmp_buf in cifs_readdir to avoid potential overflows

    Increase size of tmp_buf to possible maximum to avoid potential
    overflows. Also moved UNICODE_NAME_MAX definition so that it can be
    used elsewhere.

    Pointed-out-by: Jeff Layton
    Signed-off-by: Suresh Jayaraman
    Acked-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 5b0ecf297e133be1e4767b1e446a6d7902274c13
Author: Jeff Layton
Date:   Sat May 9 11:19:05 2009 +0530

    cifs: Fix buffer size for tcon->nativeFileSystem field

    Commit f083def68f84b04fe3f97312498911afce79609e refreshed.

    cifs: fix buffer size for tcon->nativeFileSystem field

    The buffer for this was resized recently to fix a bug. It's still
    possible however that a malicious server could overflow this field by
    sending characters in it that are >2 bytes in the local charset.
    Double the size of the buffer to account for this possibility.

    Also get rid of some really strange and seemingly pointless NULL
    termination.
    It's NULL terminating the string in the source buffer, but by the time
    that happens, we've already copied the string.

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Cc: Suresh Jayaraman
    Signed-off-by: Greg Kroah-Hartman

commit 6c3823bc3abf2d10f9220cb1847060aa20cee77e
Author: Paul Moore
Date:   Fri May 8 17:59:09 2009 -0400

    smack: Set the proper NetLabel security attributes for connection requests

    [NOTE: based on 07feee8f812f7327a46186f7604df312c8c81962]

    This patch ensures the correct labeling of new network connection
    requests using Smack and NetLabel.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit f9ab4fc0b47241807b355150dc82f826f2909a12
Author: Paul Moore
Date:   Fri May 8 17:59:02 2009 -0400

    selinux: Remove dead code labeled networking code

    [NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

    Remove code that is no longer needed by NetLabel and/or SELinux.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 49422544ff78bffea8049da14adf9c45d02fccd6
Author: Paul Moore
Date:   Fri May 8 17:58:56 2009 -0400

    selinux: Set the proper NetLabel security attributes for connection requests

    [NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

    This patch ensures the correct labeling of incoming connection
    requests responses via NetLabel by enabling the recent changes to
    NetLabel and the SELinux/Netlabel glue code.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 1a3f6e16cb0a0ba77144d8e75ca12d98632f3884
Author: Paul Moore
Date:   Fri May 8 17:58:49 2009 -0400

    selinux: Add new NetLabel glue code to handle labeling of connection requests

    [NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

    This patch provides the missing functions to properly handle the
    labeling of responses to incoming connection requests within SELinux.
    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit da8c51d336b48a4f965f3f6aa04d3a461bb854ca
Author: Paul Moore
Date:   Fri May 8 17:58:43 2009 -0400

    netlabel: Add new NetLabel KAPI interfaces for request_sock security attributes

    [NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61 and
    07feee8f812f7327a46186f7604df312c8c81962]

    This patch adds the netlbl_req_setattr() and netlbl_req_delattr()
    functions which can be used by LSMs to set and remove the NetLabel
    security attributes from request_sock objects used in incoming
    connection requests.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 81aef7a11718924e60f51bc4472bdbba74d4b1cb
Author: Paul Moore
Date:   Fri May 8 17:58:36 2009 -0400

    netlabel: Add CIPSO {set, del}attr request_sock functions

    [NOTE: based on 389fb800ac8be2832efedd19978a2b8ced37eb61]

    Add the cipso_v4_req_setattr() and cipso_v4_req_delattr() functions to
    set and delete the CIPSO security attributes on a request_sock used
    during an incoming connection request.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit 18414ab61a689fa3fdaf90ad962aeae930be64d5
Author: Paul Moore
Date:   Fri May 8 17:58:30 2009 -0400

    lsm: Relocate the IPv4 security_inet_conn_request() hooks

    [NOTE: present in Linus' tree as 284904aa79466a4736f4c775fdbe5c7407fa136c]

    The current placement of the security_inet_conn_request() hooks does
    not allow individual LSMs to override the IP options of the
    connection's request_sock. This is a problem as both SELinux and Smack
    have the ability to use labeled networking protocols which make use of
    IP options to carry security attributes and the inability to set the
    IP options at the start of the TCP handshake is problematic.

    This patch moves the IPv4 security_inet_conn_request() hooks past the
    code where the request_sock's IP options are set/reset so that the LSM
    can safely manipulate the IP options as needed.
    This patch intentionally does not change the related IPv6 hooks as
    IPv6 based labeling protocols which use IPv6 options are not currently
    implemented, once they are we will have a better idea of the correct
    placement for the IPv6 hooks.

    Signed-off-by: Paul Moore
    Signed-off-by: Greg Kroah-Hartman

commit b16c010a91f513a3df4c166d4752446ec75e3f5a
Author: Lubomir Rintel
Date:   Sat May 2 13:52:13 2009 -0700

    ne2k-pci: Do not register device until initialized.

    commit 379b026ecc20c4657d37e40ead789f7f28f1a1c1 upstream.

    Doing it in reverse order causes uevent to be sent before we have a
    MAC address, which confuses udev.

    Signed-off-by: Lubomir Rintel
    Acked-by: Jeff Garzik
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 80500d2f76c487cab0a82747e13bd1944f5f52e1
Author: Jeff Mahoney
Date:   Mon May 11 14:25:34 2009 -0400

    dup2: Fix return value with oldfd == newfd and invalid fd

    commit 2b79bc4f7ebbd5af3c8b867968f9f15602d5f802 upstream.

    The return value of dup2 when oldfd == newfd and the fd isn't valid is
    not getting properly sign extended. We end up with 4294967287 instead
    of -EBADF.

    I've reproduced this on SLE11 (2.6.27.21), openSUSE Factory
    (2.6.29-rc5), and Ubuntu 9.04 (2.6.28).

    This patch uses a signed int for the error value so it is properly
    extended.

    Commit 6c5d0512a091480c9f981162227fdb1c9d70e555 introduced this
    regression.

    Reported-by: Jiri Dluhos
    Signed-off-by: Jeff Mahoney
    Signed-off-by: Linus Torvalds
    Cc: Andrew Morton
    Signed-off-by: Greg Kroah-Hartman

commit 0a94a87b54e5c7ee20b42d17108f78eda6c1fe01
Author: Enrik Berkhan
Date:   Thu May 7 14:58:48 2009 +0200

    i2c-algo-pca: Let PCA9564 recover from unacked data byte (state 0x30)

    commit 2196d1cf4afab93fb64c2e5b417096e49b661612 upstream

    Currently, the i2c-algo-pca driver does nothing if the chip enters
    state 0x30 (Data byte in I2CDAT has been transmitted; NOT ACK has been
    received). Thus, the i2c bus connected to the controller gets stuck
    afterwards.
    I have seen this kind of error on a custom board in certain load
    situations most probably caused by interference or noise.

    A possible reaction is to let the controller generate a STOP
    condition. This is documented in the PCA9564 data sheet (2006-09-01)
    and the same is done for other NACK states as well.

    Further, state 0x38 isn't handled completely, either. Try to do
    another START in this case like the data sheet says. As this couldn't
    be tested, I've added a comment to try to reset the chip if the START
    doesn't help as suggested by Wolfram Sang.

    Signed-off-by: Enrik Berkhan
    Reviewed-by: Wolfram Sang
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 73159b9bd36c7b9607b740e76d609fb7b0cf2a7a
Author: Dave Airlie
Date:   Thu May 7 14:57:24 2009 +0200

    i2c-algo-bit: Fix timeout test

    commit 0cdba07bb23cdd3e0d64357ec3d983e6b75e541f upstream

    When fetching DDC using i2c algo bit, we were often seeing timeouts
    before getting valid EDID on a retry. The VESA spec states 2ms is the
    DDC timeout, so when this translates into 1 jiffie and we are close to
    the end of the time period, it could return with a timeout less than
    2ms.

    Change this code to use time_after instead of time_after_eq.

    Signed-off-by: Dave Airlie
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit a23e0b520920e6de02ceeb0f4e67a0463194f77a
Author: Bart Van Assche
Date:   Sat May 9 11:43:44 2009 +0200

    Fix for enabling branch profiling makes sparse unusable

    commit d9ad8bc0ca823705413f75b50c442a88cc518b35 upstream.

    One of the changes between kernels 2.6.28 and 2.6.29 is that a branch
    profiler has been added for if() statements. Unfortunately this patch
    makes the sparse output unusable with CONFIG_TRACE_BRANCH_PROFILING=y:
    when branch profiling is enabled, sparse prints so many false
    positives that the real issues are no longer visible. This behavior
    can be reproduced as follows:

    * enable CONFIG_TRACE_BRANCH_PROFILING, e.g. by running make
      allyesconfig or make allmodconfig.
    * run make C=2

    Result: a huge number of the following sparse warnings.

    ...
    include/linux/cpumask.h:547:2: warning: symbol '______r' shadows an earlier one
    include/linux/cpumask.h:547:2: originally declared here
    ...

    The patch below fixes this by disabling branch profiling while
    analyzing the kernel code with sparse.

    This patch is already included in 2.6.30-rc1 -- see also
    http://lkml.org/lkml/2009/4/5/120.

    Signed-off-by: Bart Van Assche
    Cc: Andrew Morton
    Cc: Steven Rostedt
    LKML-Reference: <200904051620.02311.bart.vanassche@gmail.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 5ece6d71d896061e517f517ad20d0d865b923622
Author: Jean Delvare
Date:   Sat May 9 14:33:12 2009 +0200

    hwmon: (w83781d) Fix W83782D support (NULL pointer dereference)

    Commit 848ddf116b3d1711c956fac8627be12dfe8d736f upstream

    Commit 360782dde00a2e6e7d9fd57535f90934707ab8a8 (hwmon: (w83781d) Stop
    abusing struct i2c_client for ISA devices) broke W83782D support for
    devices connected on the ISA bus. You will hit a NULL pointer
    dereference as soon as you read any device attribute. Other devices,
    and W83782D devices on the SMBus, aren't affected.

    Reported-by: Michel Abraham
    Signed-off-by: Jean Delvare
    Tested-by: Michel Abraham
    Signed-off-by: Greg Kroah-Hartman

commit f49a3bae0a3b457caf6bb77bb4334e15c1a1ff93
Author: Jesse Brandeburg
Date:   Tue May 12 10:34:21 2009 -0700

    e1000: fix virtualization bug

    [STABLE] backport upstream commit e151a60ad1faffb6241cf7eb6846353df1f33a32

    a recent fix to e1000 (commit 15b2bee2) caused KVM/QEMU/VMware based
    virtualized e1000 interfaces to begin failing when resetting.

    This is because the driver in a virtual environment doesn't get to run
    instructions *AT ALL* when an interrupt is asserted. The interrupt
    code runs immediately and this recent bug fix allows an interrupt to
    be possible when the interrupt handler will reject it (due to the new
    code), when being called from any path in the driver that holds the
    E1000_RESETTING flag.
    the driver should use the __E1000_DOWN flag instead of the
    __E1000_RESETTING flag to prevent interrupt execution while
    reconfiguring the hardware.

    Signed-off-by: Jesse Brandeburg
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 2f145d234bfa88a6b373cc4f6d96aa35770a1fba
Author: Jinyoung Park
Date:   Fri May 1 12:54:31 2009 +0100

    ASoC: Fix errors in WM8990

    commit 97a775c49c7e1b47b016a492463486a5b86da479 upstream.

    The mis-typing exist in dapm controller definitions and dapm route
    definitions, so happen mis-matched error when
    snd_soc_dapm_add_routes().

    Signed-off-by: Jinyoung Park
    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit c8cdda3820c8e386187f09ec5a167dabb89fa5b0
Author: Takashi Iwai
Date:   Thu May 7 16:22:53 2009 +0200

    ALSA: hda - Fix line-in on Mac Mini Core2 Duo

    commit 5dd17cb992ef4c1ebb1a2d60cbef4b6967974673 upstream.

    BIOS on Mac Mini Core2 Duo sets both INPUT and OUTPUT pinctl bits to
    the line-in jack, and it confuses the driver as if it's a valid input.
    This patch adds the check of OUTPUT bit so that the driver fixes the
    invalid pin setup.

    Tested-by: Tino Keitel
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 37cc4d06e29b623a3492070815b5875f546d7e72
Author: Alan Stern
Date:   Mon Apr 27 13:22:40 2009 -0400

    USB: Gadget: fix UTF conversion in the usbstring library

    commit 0f43158caddcbb110916212ebe4e39993ae70864 upstream.

    This patch (as1234) fixes a bug in the UTF8 -> UTF-16 conversion
    routine in the gadget/usbstring library. In a UTF-8 multi-byte
    sequence, all bytes after the first should have their high-order two
    bits set to 10, not 11.

    Signed-off-by: Alan Stern
    Acked-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman
    Signed-off-by: Greg Kroah-Hartman

commit c16199fcd341f10147eb2e29a60aed41ceca55b4
Author: Alan Stern
Date:   Thu Apr 30 10:06:19 2009 -0400

    usb-serial: ftdi_sio: fix reference counting of ftdi_private

    commit c45d63202fbaccef7ef7946c03f27f72c809b1cc upstream.
    This patch (as1238) adds proper reference counting for ftdi_sio's
    private data structure. Without it, the driver will free the structure
    while it is still in use if the user unplugs the serial device before
    closing the device file.

    The patch also replaces a slightly dangerous
    cancel_delayed_work/flush_scheduled_work pair with
    cancel_delayed_work_sync, which is always safer.

    Signed-off-by: Alan Stern
    Reported-by: Daniel Mack
    Tested-by: Daniel Mack
    Signed-off-by: Greg Kroah-Hartman

commit 192966f9f34028e04437e29afc0d936be2fc7052
Author: NeilBrown
Date:   Thu May 7 12:47:19 2009 +1000

    md: fix loading of out-of-date bitmap.

    commit b74fd2826c5acce20e6f691437b2d19372bc2057 upstream.

    When md is loading a bitmap which it knows is out of date, it fills
    each page with 1s and writes it back out again. However the write_page
    call makes use of bitmap->file_pages and bitmap->last_page_size which
    haven't been set correctly yet. So this can sometimes fail.

    Move the setting of file_pages and last_page_size to before the call
    to write_page.

    This bug can cause the assembly on an array to fail, thus making the
    data inaccessible. Hence I think it is a suitable candidate for
    -stable.

    Reported-by: Vojtech Pavlik
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 0861795f956793edd5cb4f8316b1c14f3dd4470a
Author: NeilBrown
Date:   Thu May 7 12:48:10 2009 +1000

    md/raid10: don't clear bitmap during recovery if array will still be degraded.

    commit 18055569127253755d01733f6ecc004ed02f88d0 upstream.

    If we have a raid10 with multiple missing devices, and we recover just
    one of these to a spare, then we risk (depending on the bitmap and
    array chunk size) clearing bits of the bitmap for which recovery isn't
    complete (because a device is still missing).

    This can lead to a subsequent "re-add" being recovered without any IO
    happening, which would result in loss of data.

    This patch takes the safe approach of not clearing bitmap bits if the
    array will still be degraded.
    This patch is suitable for all active -stable kernels.

    Cc: stable@kernel.org
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit d2fcb86192e4ea49ba1317096fa0c0a4ecfb3cf9
Author: NeilBrown
Date:   Thu May 7 12:49:06 2009 +1000

    md: fix some (more) errors with bitmaps on devices larger than 2TB.

    commit db305e507d554430a69ede901a6308e6ecb72349 upstream.

    If a write intent bitmap covers more than 2TB, we sometimes work with
    values beyond 32bit, so these need to be sector_t. This patch adds the
    required casts to some unsigned longs that are being shifted up.

    This will affect any raid10 larger than 2TB, or any raid1/4/5/6 with
    member devices that are larger than 2TB.

    Signed-off-by: NeilBrown
    Reported-by: "Mario 'BitKoenig' Holbe"
    Signed-off-by: Greg Kroah-Hartman

commit 8742775d97caef1ec167c99162c778b25eaefd08
Author: NeilBrown
Date:   Thu May 7 12:50:57 2009 +1000

    md: remove ability to explicit set an inactive array to 'clean'.

    commit 5bf295975416f8e97117bbbcfb0191c00bc3e2b4 upstream.

    Being able to write 'clean' to an 'array_state' of an inactive array
    to activate it in 'clean' mode is both unnecessary and inconvenient.

    It is unnecessary because the same can be achieved by writing
    'active'. This activates an array, but it still remains 'clean' until
    the first write.

    It is inconvenient because writing 'clean' is more often used to cause
    an 'active' array to revert to 'clean' mode (thus blocking any writes
    until a 'write-pending' is promoted to 'active').

    Allowing 'clean' to both activate an array and mark an active array as
    clean can lead to races: One program writes 'clean' to mark the active
    array as clean at the same time as another program writes 'inactive'
    to deactivate (stop) an active array. Depending on which writes first,
    the array could be deactivated and immediately reactivated which isn't
    what was desired.

    So just disable the use of 'clean' to activate an array.
    This avoids a race that can be triggered with mdadm-3.0 and external
    metadata, so it is suitable for -stable.

    Reported-by: Rafal Marszewski
    Acked-by: Dan Williams
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 2dedbbdc1986ce130bfa6fe3cf54d2da057e6d5a
Author: Josef Bacik
Date:   Wed May 6 16:02:53 2009 -0700

    fiemap: fix problem with setting FIEMAP_EXTENT_LAST

    commit df3935ffd6166fdd00702cf548fb5bb55737758b upstream.

    Fix a problem where the generic block based fiemap stuff would not
    properly set FIEMAP_EXTENT_LAST on the last extent. I've reworked
    things to keep track if we go past the EOF, and mark the last extent
    properly. The problem was reported by and tested by Eric Sandeen.

    Tested-by: Eric Sandeen
    Signed-off-by: Josef Bacik
    Cc:
    Cc:
    Cc:
    Cc: Steven Whitehouse
    Cc: Mark Fasheh
    Cc: Joel Becker
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman
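
The continuation-byte rule stated in the usbstring commit earlier in this changelog (every byte after the first in a UTF-8 multi-byte sequence carries 10 in its high-order two bits), as an added C example; it is not the kernel's usbstring code and not part of any commit listed here. The names `utf8_to_utf16`, `is_cont`, `sample_ok`, `sample_bad` and `out` are hypothetical, the input bytes are constructed, only 1- to 3-byte sequences are handled, and the overlong and surrogate checks go beyond what the commit message describes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed samples: "A", U+00E9, U+20AC; then a lead byte followed by 11xxxxxx. */
static const uint8_t sample_ok[] = { 0x41, 0xc3, 0xa9, 0xe2, 0x82, 0xac };
static const uint8_t sample_bad[] = { 0xc3, 0xe9 };
static uint16_t out[8];

/* A continuation byte is 10xxxxxx: high-order two bits are 10, not 11. */
static int is_cont(uint8_t c) { return (c & 0xc0) == 0x80; }

/* Hypothetical helper: returns UTF-16 units written, or -1 on bad input. */
int utf8_to_utf16(const uint8_t *s, size_t len, uint16_t *dst, size_t cap)
{
	size_t i = 0, n = 0;
	while (i < len) {
		uint8_t c = s[i++];
		uint32_t u, min = 0;	/* min: smallest value this length may encode */
		if (c < 0x80) {
			u = c;
		} else if ((c & 0xe0) == 0xc0) {	/* 110xxxxx 10xxxxxx */
			if (i >= len || !is_cont(s[i]))
				return -1;
			u = (uint32_t)(c & 0x1f) << 6 | (s[i] & 0x3f);
			min = 0x80;
			i += 1;
		} else if ((c & 0xf0) == 0xe0) {	/* 1110xxxx 10xxxxxx 10xxxxxx */
			if (len - i < 2 || !is_cont(s[i]) || !is_cont(s[i + 1]))
				return -1;
			u = (uint32_t)(c & 0x0f) << 12 | (uint32_t)(s[i] & 0x3f) << 6 | (s[i + 1] & 0x3f);
			min = 0x800;
			i += 2;
		} else {
			return -1;	/* stray continuation byte or 4-byte lead */
		}
		if (u < min || (u >= 0xd800 && u <= 0xdfff) || n >= cap)
			return -1;	/* overlong form, surrogate, or no room left */
		dst[n++] = (uint16_t)u;
	}
	return (int)n;
}

int main(void)
{
	printf("ok=%d bad=%d\n", utf8_to_utf16(sample_ok, sizeof sample_ok, out, 8),
	       utf8_to_utf16(sample_bad, sizeof sample_bad, out, 8));
	return 0;
}
```

A check written as `(c & 0xc0) == 0xc0` would accept `sample_bad` and reject `sample_ok`, which is the inversion the commit message describes.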