commit a616b3e5a8c7a379f2fd4bc4e153868509fec94a Author: Greg Kroah-Hartman Date: Thu Jul 30 15:34:47 2009 -0700 Linux 2.6.30.4 commit 59a1c9b5b74e95eea73a6f85c574bd63031a0bcf Author: Ramon de Carvalho Valle Date: Tue Jul 28 13:58:22 2009 -0500 eCryptfs: parse_tag_3_packet check tag 3 packet encrypted key size (CVE-2009-2407) commit f151cd2c54ddc7714e2f740681350476cda03a28 upstream. The parse_tag_3_packet function does not check if the tag 3 packet contains a encrypted key size larger than ECRYPTFS_MAX_ENCRYPTED_KEY_BYTES. Signed-off-by: Ramon de Carvalho Valle [tyhicks@linux.vnet.ibm.com: Added printk newline and changed goto to out_free] Signed-off-by: Tyler Hicks Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4df9205138cd0c610b52eefe1ecdafdaf65cfb12 Author: Tyler Hicks Date: Tue Jul 28 13:57:01 2009 -0500 eCryptfs: Check Tag 11 literal data buffer size (CVE-2009-2406) commit 6352a29305373ae6196491e6d4669f301e26492e upstream. Tag 11 packets are stored in the metadata section of an eCryptfs file to store the key signature(s) used to encrypt the file encryption key. After extracting the packet length field to determine the key signature length, a check is not performed to see if the length would exceed the key signature buffer size that was passed into parse_tag_11_packet(). Thanks to Ramon de Carvalho Valle for finding this bug using fsfuzzer. Signed-off-by: Tyler Hicks Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 57bee88245247744cd953ab3c410ba637ba6e0c3 Author: Paul Mundt Date: Tue Jun 9 17:48:56 2009 +0900 nommu: Provide mmap_min_addr definition. commit 35f2c2f6f6ae13ef23c4f68e6d3073753077ca43 upstream. With the "security: use mmap_min_addr indepedently of security models" change, mmap_min_addr is used in common areas, which susbsequently blows up the nommu build. This stubs in the definition in the nommu case as well. Signed-off-by: Paul Mundt Cc: Mike Frysinger Signed-off-by: Greg Kroah-Hartman Signed-off-by: James Morris commit 3b64409d582823106065a49882d653009de20828 Author: Tejun Heo Date: Wed Jul 8 12:16:37 2009 +0900 libata: fix follow-up SRST failure path commit fe2c4d018fc6127610fef677e020b3bb41cfaaaf upstream. ata_eh_reset() was missing error return handling after follow-up SRST allowing EH to continue the normal probing path after reset failure. This was discovered while testing new WD 2TB drives which take longer than 10 secs to spin up and cause the first follow-up SRST to time out. Signed-off-by: Tejun Heo Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit a5ed86d5af2d63f3edeab7e63f15aa3c34c5cc25 Author: Giuseppe Mazzotta Date: Sun Jul 12 21:02:27 2009 -0700 Input: wistron_btns - recognize Maxdata Pro 7000 notebooks commit e705cee427e319665969ef7ac664f3612dec8899 upstream. This patch adds DMI information to automatically load the correct layout for the Maxdata Pro 7000X/DX notebook models. Such notebooks are clones of Fujitsu Amilo V2000, the hook for the v2000 is being used and I have tested that perfectly works. The immediate result of integrating this patch is that the five special buttons will work on these specific notebook models and that the RF killswitch will not be activated after suspend. This patch definitively obsoletes the fsam7400 module which I was still needing to enable wifi and to fix the RF killswitch suspend problem; in the current 2.6.30 kernel it is necessary to load the wistron_btns module with options 'force=1 keymap=1557/MS2141', which was not anyway a complete workaround. Signed-off-by: Giuseppe Mazzotta Signed-off-by: Dmitry Torokhov Signed-off-by: Greg Kroah-Hartman commit 05e7ae5cd53fad1a0f7b9617ee95e96d43e5e642 Author: Ben Hutchings Date: Sun Jul 12 23:56:27 2009 +0100 netdev: restore MTU change operation commit 635ecaa70e862f85f652581305fe0074810893be upstream netdev: restore MTU change operation alloc_etherdev() used to install a default implementation of this operation, but it must now be explicitly installed in struct net_device_ops. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit cc37bbfa8271d1b41d6c16e7e9c51763787f74e1 Author: Ben Hutchings Date: Thu Jul 9 17:54:35 2009 +0000 netdev: restore MAC address set and validate operations commit 240c102d9c54fee7fdc87a4ef2fabc7eb539e00a upstream. alloc_etherdev() used to install default implementations of these operations, but they must now be explicitly installed in struct net_device_ops. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit f95d9271ff0e58fb12fc6f90c13f70d41eee8089 Author: Eric Dumazet Date: Thu Jul 23 16:15:34 2009 +0200 nf_conntrack: nf_conntrack_alloc() fixes commit 941297f443f871b8c3372feccf27a8733f6ce9e9 upstream. When a slab cache uses SLAB_DESTROY_BY_RCU, we must be careful when allocating objects, since slab allocator could give a freed object still used by lockless readers. In particular, nf_conntrack RCU lookups rely on ct->tuplehash[xxx].hnnode.next being always valid (ie containing a valid 'nulls' value, or a valid pointer to next object in hash chain.) kmem_cache_zalloc() setups object with NULL values, but a NULL value is not valid for ct->tuplehash[xxx].hnnode.next. Fix is to call kmem_cache_alloc() and do the zeroing ourself. As spotted by Patrick, we also need to make sure lookup keys are committed to memory before setting refcount to 1, or a lockless reader could get a reference on the old version of the object. Its key re-check could then pass the barrier. Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy Acked-by: Paul E. McKenney Signed-off-by: Greg Kroah-Hartman commit 7500f93f415a2fc07e0031d99fa3964bf8981cfc Author: Patrick McHardy Date: Mon Jun 29 14:07:56 2009 +0200 netfilter: tcp conntrack: fix unacknowledged data detection with NAT commit a3a9f79e361e864f0e9d75ebe2a0cb43d17c4272 upstream. When NAT helpers change the TCP packet size, the highest seen sequence number needs to be corrected. This is currently only done upwards, when the packet size is reduced the sequence number is unchanged. This causes TCP conntrack to falsely detect unacknowledged data and decrease the timeout. Fix by updating the highest seen sequence number in both directions after packet mangling. Tested-by: Krzysztof Piotr Oledzki Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit fd89e386ea08ddbd4b7757dafb3705d400a45545 Author: Patrick McHardy Date: Mon Jun 22 14:17:12 2009 +0200 netfilter: xt_rateest: fix comparison with self commit 4d900f9df5f0569c2dc536701e2c11b6d50ebebf upstream. As noticed by Török Edwin : Compiling the kernel with clang has shown this warning: net/netfilter/xt_rateest.c:69:16: warning: self-comparison always results in a constant value ret &= pps2 == pps2; ^ Looking at the code: if (info->flags & XT_RATEEST_MATCH_BPS) ret &= bps1 == bps2; if (info->flags & XT_RATEEST_MATCH_PPS) ret &= pps2 == pps2; Judging from the MATCH_BPS case it seems to be a typo, with the intention of comparing pps1 with pps2. http://bugzilla.kernel.org/show_bug.cgi?id=13535 Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit ec2ba592c29c77b841cd1b8ca19aefed21fbb6fe Author: Jan Engelhardt Date: Mon Jun 22 14:16:45 2009 +0200 netfilter: xt_quota: fix incomplete initialization commit 6d62182fea6cc6bbc8d82a691ad0608d68a54aeb upstream. Commit v2.6.29-rc5-872-gacc738f ("xtables: avoid pointer to self") forgot to copy the initial quota value supplied by iptables into the private structure, thus counting from whatever was in the memory kmalloc returned. Signed-off-by: Jan Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit f50eb3cf5d793006902a40217f52eeb7f498104f Author: Patrick McHardy Date: Mon Jun 22 14:15:30 2009 +0200 netfilter: nf_log: fix direct userspace memory access in proc handler commit 249556192859490b6280552d4b877064f9f5ee48 upstream. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit b240992a30c3d44e2261d0931b431f0112a553be Author: Patrick McHardy Date: Mon Jun 22 14:14:41 2009 +0200 netfilter: nf_conntrack: fix conntrack lookup race commit 8d8890b7751387f58ce0a6428773de2fbc0fd596 upstream. The RCU protected conntrack hash lookup only checks whether the entry has a refcount of zero to decide whether it is stale. This is not sufficient, entries are explicitly removed while there is at least one reference left, possibly more. Explicitly check whether the entry has been marked as dying to fix this. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit d583e5291f0e456a872ec058bf36223dcad01e0a Author: Patrick McHardy Date: Mon Jun 22 14:14:16 2009 +0200 netfilter: nf_conntrack: fix confirmation race condition commit 5c8ec910e789a92229978d8fd1fce7b62e8ac711 upstream. New connection tracking entries are inserted into the hash before they are fully set up, namely the CONFIRMED bit is not set and the timer not started yet. This can theoretically lead to a race with timer, which would set the timeout value to a relative value, most likely already in the past. Perform hash insertion as the final step to fix this. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 3aa08795cb77ac09f25b61a48f1637b3dabe09c9 Author: Patrick McHardy Date: Sat Jun 13 12:21:10 2009 +0200 netfilter: nf_log: fix sleeping function called from invalid context commit 266d07cb1c9a0c345d7d3aea889f92062894059e upstream. Fix regression introduced by 17625274 "netfilter: sysctl support of logger choice": BUG: sleeping function called from invalid context at /mnt/s390test/linux-2.6-tip/arch/s390/include/asm/uaccess.h:234 in_atomic(): 1, irqs_disabled(): 0, pid: 3245, name: sysctl CPU: 1 Not tainted 2.6.30-rc8-tipjun10-02053-g39ae214 #1 Process sysctl (pid: 3245, task: 000000007f675da0, ksp: 000000007eb17cf0) 0000000000000000 000000007eb17be8 0000000000000002 0000000000000000 000000007eb17c88 000000007eb17c00 000000007eb17c00 0000000000048156 00000000003e2de8 000000007f676118 000000007eb17f10 0000000000000000 0000000000000000 000000007eb17be8 000000000000000d 000000007eb17c58 00000000003e2050 000000000001635c 000000007eb17be8 000000007eb17c30 Call Trace: (Ý<00000000000162e6>¨ show_trace+0x13a/0x148) Ý<00000000000349ea>¨ __might_sleep+0x13a/0x164 Ý<0000000000050300>¨ proc_dostring+0x134/0x22c Ý<0000000000312b70>¨ nf_log_proc_dostring+0xfc/0x188 Ý<0000000000136f5e>¨ proc_sys_call_handler+0xf6/0x118 Ý<0000000000136fda>¨ proc_sys_read+0x26/0x34 Ý<00000000000d6e9c>¨ vfs_read+0xac/0x158 Ý<00000000000d703e>¨ SyS_read+0x56/0x88 Ý<0000000000027f42>¨ sysc_noemu+0x10/0x16 Use the nf_log_mutex instead of RCU to fix this. Reported-and-tested-by: Maran Pakkirisamy Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 07610a8a67bc0893a1bcb9f98e9ef25e924d5e28 Author: Benjamin Herrenschmidt Date: Mon Jun 22 16:47:59 2009 +0000 powerpc/mpic: Fix mapping of "DCR" based MPIC variants commit 5a2642f620eb6e40792822fa0eafe23046fbb55e upstream. Commit 31207dab7d2e63795eb15823947bd2f7025b08e2 "Fix incorrect allocation of interrupt rev-map" introduced a regression crashing on boot on machines using a "DCR" based MPIC, such as the Cell blades. The reason is that the irq host data structure is initialized much later as a result of that patch, causing our calls to mpic_map() do be done before we have a host setup. Unfortunately, this breaks _mpic_map_dcr() which uses the mpic->irqhost to get to the device node. This fixes it by, instead, passing the device node explicitely to mpic_map(). Signed-off-by: Benjamin Herrenschmidt Acked-by: Akira Tsukamoto Signed-off-by: Greg Kroah-Hartman commit 9783772fe815ac811a3d73757a2f86ec9dceef00 Author: Jiri Slaby Date: Sat Jul 11 13:42:37 2009 +0200 hwmon: (max6650) Fix lock imbalance commit 025dc740d01f99ccba945df1f9ef9e06b1c15d96 upstream. Add omitted update_lock to one switch/case in set_div. Signed-off-by: Jiri Slaby Acked-by: Hans J. Koch Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 63510144577601e1747480a250c6c01aebeb704e Author: Amerigo Wang Date: Wed Jul 1 01:06:26 2009 -0400 elf: fix one check-after-use commit e2dbe12557d85d81f4527879499f55681c3cca4f upstream. Check before use it. Signed-off-by: WANG Cong Cc: Alexander Viro Cc: David Howells Acked-by: Roland McGrath Acked-by: James Morris Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b8fde9988b9d0934af55dd2269dafec15f5f6302 Author: Josef Bacik Date: Sun Jul 5 12:08:18 2009 -0700 mm: mark page accessed before we write_end() commit c8236db9cd7aa492dcfcdcca702638e704abed49 upstream. In testing a backport of the write_begin/write_end AOPs, a 10% re-read regression was noticed when running iozone. This regression was introduced because the old AOPs would always do a mark_page_accessed(page) after the commit_write, but when the new AOPs where introduced, the only place this was kept was in pagecache_write_end(). This patch does the same thing in the generic case as what is done in pagecache_write_end(), which is just to mark the page accessed before we do write_end(). Signed-off-by: Josef Bacik Acked-by: Nick Piggin Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 4752849e0a4b09acb68b029b01d8eb2250e92f6c Author: Linus Torvalds Date: Mon Jun 22 10:25:25 2009 -0700 x86: don't use 'access_ok()' as a range check in get_user_pages_fast() [ Upstream commit 7f8189068726492950bf1a2dcfd9b51314560abf - modified for stable to not use the sloppy __VIRTUAL_MASK_SHIFT ] It's really not right to use 'access_ok()', since that is meant for the normal "get_user()" and "copy_from/to_user()" accesses, which are done through the TLB, rather than through the page tables. Why? access_ok() does both too few, and too many checks. Too many, because it is meant for regular kernel accesses that will not honor the 'user' bit in the page tables, and because it honors the USER_DS vs KERNEL_DS distinction that we shouldn't care about in GUP. And too few, because it doesn't do the 'canonical' check on the address on x86-64, since the TLB will do that for us. So instead of using a function that isn't meant for this, and does something else and much more complicated, just do the real rules: we don't want the range to overflow, and on x86-64, we want it to be a canonical low address (on 32-bit, all addresses are canonical). Acked-by: Ingo Molnar Cc: H. Peter Anvin Cc: Thomas Gleixner Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0e52a8524e849c00034c8cb2422e40da6fac5e08 Author: Mel Gorman Date: Wed Jul 1 09:26:25 2009 +0100 vmscan: do not unconditionally treat zones that fail zone_reclaim() as full commit fa5e084e43eb14c14942027e1e2e894aeed96097 upstream. vmscan: do not unconditionally treat zones that fail zone_reclaim() as full On NUMA machines, the administrator can configure zone_reclaim_mode that is a more targetted form of direct reclaim. On machines with large NUMA distances for example, a zone_reclaim_mode defaults to 1 meaning that clean unmapped pages will be reclaimed if the zone watermarks are not being met. The problem is that zone_reclaim() failing at all means the zone gets marked full. This can cause situations where a zone is usable, but is being skipped because it has been considered full. Take a situation where a large tmpfs mount is occuping a large percentage of memory overall. The pages do not get cleaned or reclaimed by zone_reclaim(), but the zone gets marked full and the zonelist cache considers them not worth trying in the future. This patch makes zone_reclaim() return more fine-grained information about what occured when zone_reclaim() failued. The zone only gets marked full if it really is unreclaimable. If it's a case that the scan did not occur or if enough pages were not reclaimed with the limited reclaim_mode, then the zone is simply skipped. There is a side-effect to this patch. Currently, if zone_reclaim() successfully reclaimed SWAP_CLUSTER_MAX, an allocation attempt would go ahead. With this patch applied, zone watermarks are rechecked after zone_reclaim() does some work. This bug was introduced by commit 9276b1bc96a132f4068fdee00983c532f43d3a26 ("memory page_alloc zonelist caching speedup") way back in 2.6.19 when the zonelist_cache was introduced. It was not intended that zone_reclaim() aggressively consider the zone to be full when it failed as full direct reclaim can still be an option. Due to the age of the bug, it should be considered a -stable candidate. Signed-off-by: Mel Gorman Reviewed-by: Wu Fengguang Reviewed-by: Rik van Riel Reviewed-by: KOSAKI Motohiro Cc: Christoph Lameter Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1dbd0755b438e1d2732505ab6ed53be356d721ed Author: Jorrit Schippers Date: Wed Jun 10 15:34:26 2009 +0200 Staging: rt2870: Add USB ID for Sitecom WL-608 commit 8dfb00571819ce491ce1760523d50e85bcd2185f upstream. Add the USB id 0x0DF6,0x003F to the rt2870.h file such that the Sitecom WL-608 device will be recognized by this driver. Signed-off-by: Jorrit Schippers Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit fe9ec90d1c0248bd753c1b45e7e26aec71424657 Author: Marc Aurele La France Date: Mon Jun 29 18:07:02 2009 -0600 x86, setup (2.6.30-stable) fix 80x34 and 80x60 console modes Note: this is not in upstream since upstream is not affected due to the new "BIOS glovebox" subsystem. As coded, most INT10 calls in video-vga.c allow the compiler to assume EAX remains unchanged across them, which is not always the case. This triggers an optimisation issue that causes vga_set_vertical_end() to be called with an incorrect number of scanlines. Fix this by beefing up the asm constraints on these calls. Reported-by: Marc Aurele La France Signed-off-by: Marc Aurele La France Acked-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit b556f93a508bfda0a25c8beb06f400ce813df59d Author: Helge Deller Date: Thu Apr 30 21:39:45 2009 +0000 parisc: fix ldcw inline assembler commit 7d17e2763129ea307702fcdc91f6e9d114b65c2d upstream. There are two reasons to expose the memory *a in the asm: 1) To prevent the compiler from discarding a preceeding write to *a, and 2) to prevent it from caching *a in a register over the asm. The change has had a few days testing with a SMP build of 2.6.22.19 running on a rp3440. This patch is about the correctness of the __ldcw() macro itself. The use of the macro should be confined to small inline functions to try to limit the effect of clobbering memory on GCC's optimization of loads and stores. Signed-off-by: Dave Anglin Signed-off-by: Helge Deller Signed-off-by: Kyle McMartin Signed-off-by: Greg Kroah-Hartman commit be61510387ff29c49603545a6db006932af97b2a Author: Helge Deller Date: Tue Jun 16 20:51:48 2009 +0000 parisc: ensure broadcast tlb purge runs single threaded commit e82a3b75127188f20c7780bec580e148beb29da7 upstream. The TLB flushing functions on hppa, which causes PxTLB broadcasts on the system bus, needs to be protected by irq-safe spinlocks to avoid irq handlers to deadlock the kernel. The deadlocks only happened during I/O intensive loads and triggered pretty seldom, which is why this bug went so long unnoticed. Signed-off-by: Helge Deller [edited to use spin_lock_irqsave on UP as well since we'd been locking there all this time anyway, --kyle] Signed-off-by: Kyle McMartin Signed-off-by: Greg Kroah-Hartman commit 7cbf1b4881c935200d760bc6184131a114fada12 Author: Andi Kleen Date: Sat Jul 18 08:56:57 2009 +0200 x86-64: Fix bad_srat() to clear all state commit 429b2b319af3987e808c18f6b81313104caf782c upstream. Need to clear both nodes and nodes_add state for start/end. Signed-off-by: Andi Kleen LKML-Reference: <20090718065657.GA2898@basil.fritz.box> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 171eae4d5f9bd816c48eb5d54a35bcd1bc6cd90f Author: Alexey Fisher Date: Wed Jul 15 14:16:09 2009 +0200 x86: Add quirk for Intel DG45ID board to avoid low memory corruption commit 6aa542a694dc9ea4344a8a590d2628c33d1b9431 upstream. AMI BIOS with low memory corruption was found on Intel DG45ID board (Bug 13710). Add this board to the blacklist - in the (somewhat optimistic) hope of future boards/BIOSes from Intel not having this bug. Also see: http://bugzilla.kernel.org/show_bug.cgi?id=13736 Signed-off-by: Alexey Fisher Cc: ykzhao Cc: alan@lxorguk.ukuu.org.uk Cc: LKML-Reference: <1247660169-4503-1-git-send-email-bug-track@fisher-privat.net> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7de184f1743320a092f8831853b603a474606f13 Author: H. Peter Anvin Date: Mon Jul 20 23:27:39 2009 -0700 x86: Fix movq immediate operand constraints in uaccess.h commit ebe119cd0929df4878f758ebf880cb435e4dcaaf upstream. The movq instruction, generated by __put_user_asm() when used for 64-bit data, takes a sign-extended immediate ("e") not a zero-extended immediate ("Z"). Signed-off-by: H. Peter Anvin Cc: Uros Bizjak Signed-off-by: Greg Kroah-Hartman commit 105010723459c496c1c0e1dc3a6fd8f2e6288703 Author: Uros Bizjak Date: Sun Jul 19 18:06:35 2009 +0200 x86: Fix movq immediate operand constraints in uaccess_64.h commit 155b73529583c38f30fd394d692b15a893960782 upstream. arch/x86/include/asm/uaccess_64.h uses wrong asm operand constraint ("ir") for movq insn. Since movq sign-extends its immediate operand, "er" constraint should be used instead. Attached patch changes all uses of __put_user_asm in uaccess_64.h to use "er" when "q" insn suffix is involved. Patch was compile tested on x86_64 with defconfig. Signed-off-by: Uros Bizjak Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 7e09e4e01708df59db28d828a03ce940562381cd Author: Thomas Gleixner Date: Fri Jul 24 08:34:59 2009 +0200 x86: geode: Mark mfgpt irq IRQF_TIMER to prevent resume failure commit d6c585a4342a2ff627a29f9aea77c5ed4cd76023 upstream. Timer interrupts are excluded from being disabled during suspend. The clock events code manages the disabling of clock events on its own because the timer interrupt needs to be functional before the resume code reenables the device interrupts. The mfgpt timer request its interrupt without setting the IRQF_TIMER flag so suspend_device_irqs() disables it as well which results in a fatal resume failure. Adding IRQF_TIMER to the interupt flags when requesting the mrgpt timer interrupt solves the problem. Signed-off-by: Thomas Gleixner LKML-Reference: Cc: Andres Salomon Signed-off-by: Greg Kroah-Hartman commit ff1a7a3f2bb52774ac94a624475403ee37ca3541 Author: Mikulas Patocka Date: Thu Jul 23 20:30:37 2009 +0100 dm raid1: wake kmirrord when requeueing delayed bios after remote recovery commit 69885683d22d8c05910fd808c01fdce1322739b4 upstream. The recent commit 7513c2a761d69d2a93f17146b3563527d3618ba0 (dm raid1: add is_remote_recovering hook for clusters) changed do_writes() to update the ms->writes list but forgot to wake up kmirrord to process it. The rule is that when anything is being added on ms->reads, ms->writes or ms->failures and the list was empty before we must call wakeup_mirrord (for immediate processing) or delayed_wake (for delayed processing). Otherwise the bios could sit on the list indefinitely. Signed-off-by: Mikulas Patocka Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit d7895f7d3f4abfe44bcbb2dbb3b95cea882e7393 Author: Thomas Gleixner Date: Fri Jul 17 14:15:47 2009 +0200 sched: fix nr_uninterruptible accounting of frozen tasks really commit 6301cb95c119ebf324bb96ee226fa9ddffad80a7 upstream. commit e3c8ca8336 (sched: do not count frozen tasks toward load) broke the nr_uninterruptible accounting on freeze/thaw. On freeze the task is excluded from accounting with a check for (task->flags & PF_FROZEN), but that flag is cleared before the task is thawed. So while we prevent that the task with state TASK_UNINTERRUPTIBLE is accounted to nr_uninterruptible on freeze we decrement nr_uninterruptible on thaw. Use a separate flag which is handled by the freezing task itself. Set it before calling the scheduler with TASK_UNINTERRUPTIBLE state and clear it after we return from frozen state. Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit c58b0ab995f63edcbc3524a582ffa22277d1c650 Author: Yinghai Lu Date: Fri Jul 10 09:36:20 2009 -0700 x86/pci: insert ioapic resource before assigning unassigned resources commit 857fdc53a0a90c3ba7fcf5b1fb4c7a62ae03cf82 upstream. Stephen reported that his DL585 G2 needed noapic after 2.6.22 (?) Dann bisected it down to: commit 30a18d6c3f1e774de656ebd8ff219d53e2ba4029 Date: Tue Feb 19 03:21:20 2008 -0800 x86: multi pci root bus with different io resource range, on 64-bit It turns out that: 1. that AMD-based systems have two HT chains. 2. BIOS doesn't allocate resources for BAR 6 of devices under 8132 etc 3. that multi-peer-root patch will try to split root resources to peer root resources according to PCI conf of NB 4. PCI core assigns unassigned resources, but they overlap with BARs that are used by ioapic addr of io4 and 8132. The reason: at that point ioapic address are not inserted yet. Solution is to insert ioapic resources into the tree a bit earlier. Reported-by: Stephen Frost Reported-and-Tested-by: dann frazier Signed-off-by: Yinghai Lu Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit ca8b86c5ae91b3041790085d296f5b8fbf71570b Author: Xiao Guangrong Date: Wed Jul 15 12:29:06 2009 +0800 tracing/function: Fix the return value of ftrace_trace_onoff_callback() commit 04aef32d39cc4ef80087c0ce8ed113c6d64f1a6b upstream. ftrace_trace_onoff_callback() will return an error even if we do the right operation, for example: # echo _spin_*:traceon:10 > set_ftrace_filter -bash: echo: write error: Invalid argument # cat set_ftrace_filter #### all functions enabled #### _spin_trylock_bh:traceon:count=10 _spin_unlock_irq:traceon:count=10 _spin_unlock_bh:traceon:count=10 _spin_lock_irq:traceon:count=10 _spin_unlock:traceon:count=10 _spin_trylock:traceon:count=10 _spin_unlock_irqrestore:traceon:count=10 _spin_lock_irqsave:traceon:count=10 _spin_lock_bh:traceon:count=10 _spin_lock:traceon:count=10 We want to set _spin_*:traceon:10 to set_ftrace_filter, it complains with "Invalid argument", but the operation is successful. This is because ftrace_process_regex() returns the number of functions that matched the pattern. If the number is not 0, this value is returned by ftrace_regex_write() whereas we want to return the number of bytes virtually written. Also the file offset pointer is not updated in this case. If the number of matched functions is lower than the number of bytes written by the user, this results to a reprocessing of the string given by the user with a lower size, leading to a malformed ftrace regex and then a -EINVAL returned. So, this patch fixes it by returning 0 if no error occured. The fix also applies on 2.6.30 Signed-off-by: Xiao Guangrong Reviewed-by: Li Zefan Signed-off-by: Frederic Weisbecker Signed-off-by: Greg Kroah-Hartman commit fedb5937d9f132d3a03b12568925967827335d39 Author: Peter Zijlstra Date: Wed Apr 1 18:40:15 2009 +0200 sched_rt: Fix overload bug on rt group scheduling commit a1ba4d8ba9f06a397e97cbd67a93ee306860b40a upstream. Fixes an easily triggerable BUG() when setting process affinities. Make sure to count the number of migratable tasks in the same place: the root rt_rq. Otherwise the number doesn't make sense and we'll hit the BUG in set_cpus_allowed_rt(). Also, make sure we only count tasks, not groups (this is probably already taken care of by the fact that rt_se->nr_cpus_allowed will be 0 for groups, but be more explicit) Tested-by: Thomas Gleixner Signed-off-by: Peter Zijlstra Acked-by: Gregory Haskins LKML-Reference: <1247067476.9777.57.camel@twins> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 23e839dc9cad6ea1d74a26abbf8dca6f785ca193 Author: Jiro SEKIBA Date: Sat Jul 4 23:00:53 2009 +0900 nilfs2: fix disorder in cp count on error during deleting checkpoints commit d9a0a345ab7a58a30ec38e5bb7401a28714914d2 upstream. This fixes a bug that checkpoint count gets wrong on errors when deleting a series of checkpoints. The count error is persistent since the checkpoint count is stored on disk. Some userland programs refer to the count via ioctl, and this bugfix is needed to prevent malfunction of such programs. Signed-off-by: Jiro SEKIBA Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit 7e59192836ca78e2fcc1448f7ece7192e1bf01f5 Author: Ryusuke Konishi Date: Thu Jun 18 23:53:25 2009 +0900 nilfs2: fix incorrect KERN_CRIT messages in case of write failures commit 4a52df779700080de4afb0436d9dd9188514a69b upstream. In case of write-failure retries, the following KERN_CRIT level messages are mistakenly output by nilfs_dat_commit_start() function: nilfs_dat_commit_start: vbn = 408463, start = 12506, end = 18446744073709551615, pbn = 530210 nilfs_dat_commit_start: vbn = 408515, start = 12506, end = 18446744073709551615, pbn = 530211 nilfs_dat_commit_start: vbn = 408464, start = 12506, end = 18446744073709551615, pbn = 530212 ... This suppresses these messages. Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit def5dcb823a26bab8f1dc6b21b904c7de8e37bca Author: Ryusuke Konishi Date: Thu Jun 18 23:52:23 2009 +0900 nilfs2: fix hang problem of log writer which occurs after write failures commit 8227b29722fdbac72357aae155d171a5c777670c upstream. Leandro Lucarella gave me a report that nilfs gets stuck after its write function fails. The problem turned out to be caused by bugs which leave writeback flag on pages. This fixes the problem by ensuring to clear the writeback flag in error path. Reported-by: Leandro Lucarella Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit f76cea526e01055bedb51a2b318f4d711e0144c4 Author: Ryusuke Konishi Date: Thu Jun 18 11:42:53 2009 +0900 nilfs2: remove unlikely directive causing mis-conversion of error code commit 0cfae3d8795f388f9de78adb0171520d19da77e9 upstream. The following error code handling in nilfs_segctor_write() function wrongly converted negative error codes to a truth value (i.e. 1): err = unlikely(err) ? : res; which originaly meant to be err = err ? : res; This mis-conversion caused that write or sync functions receive the unexpected error code. This fixes the bug by removing the unlikely directive. Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit c637cbe1701c396f8c3dbf0b11c0c77d70980618 Author: FUJITA Tomonori Date: Thu Jul 9 14:46:53 2009 +0200 block: fix sg SG_DXFER_TO_FROM_DEV regression commit ecb554a846f8e9d2a58f6d6c118168a63ac065aa upstream. I overlooked SG_DXFER_TO_FROM_DEV support when I converted sg to use the block layer mapping API (2.6.28). Douglas Gilbert explained SG_DXFER_TO_FROM_DEV: http://www.spinics.net/lists/linux-scsi/msg37135.html = The semantics of SG_DXFER_TO_FROM_DEV were: - copy user space buffer to kernel (LLD) buffer - do SCSI command which is assumed to be of the DATA_IN (data from device) variety. This would overwrite some or all of the kernel buffer - copy kernel (LLD) buffer back to the user space. The idea was to detect short reads by filling the original user space buffer with some marker bytes ("0xec" it would seem in this report). The "resid" value is a better way of detecting short reads but that was only added this century and requires co-operation from the LLD. = This patch changes the block layer mapping API to support this semantics. This simply adds another field to struct rq_map_data and enables __bio_copy_iov() to copy data from user space even with READ requests. It's better to add the flags field and kills null_mapped and the new from_user fields in struct rq_map_data but that approach makes it difficult to send this patch to stable trees because st and osst drivers use struct rq_map_data (they were converted to use the block layer in 2.6.29 and 2.6.30). Well, I should clean up the block layer mapping API. zhou sf reported this regiression and tested this patch: http://www.spinics.net/lists/linux-scsi/msg37128.html http://www.spinics.net/lists/linux-scsi/msg37168.html Reported-by: zhou sf Tested-by: zhou sf Signed-off-by: FUJITA Tomonori Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit c242f9dd84db9159fd64b9d254660eabd90503b0 Author: Mathieu Desnoyers Date: Wed Jul 1 17:37:22 2009 -0400 x86: Fix fixmap page order for FIX_TEXT_POKE0,1 commit 12b9d7ccb841805e347fec8f733f368f43ddba40 upstream. Masami reported: > Since the fixmap pages are assigned higher address to lower, > text_poke() has to use it with inverted order (FIX_TEXT_POKE1 > to FIX_TEXT_POKE0). I prefer to just invert the order of the fixmap declaration. It's simpler and more straightforward. Backward fixmaps seems to be used by both x86 32 and 64. It's really rare but a nasty bug, because it only hurts when instructions to patch are crossing a page boundary. If this happens, the fixmap write accesses will spill on the following fixmap, which may very well crash the system. And this does not crash the system, it could leave illegal instructions in place. Thanks Masami for finding this. It seems to have crept into the 2.6.30-rc series, so this calls for a -stable inclusion. Signed-off-by: Mathieu Desnoyers Acked-by: Masami Hiramatsu LKML-Reference: <20090701213722.GH19926@Krystal> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7a8f2ee411cc5ab729466f574da09ea8d74d709d Author: Jan Beulich Date: Tue Jun 30 11:52:23 2009 +0100 x86: Fix fixmap ordering commit 789d03f584484af85dbdc64935270c8e45f36ef7 upstream. The merge of the 32- and 64-bit fixmap headers made a latent bug on x86-64 a real one: with the right config settings it is possible for FIX_OHCI1394_BASE to overlap the FIX_BTMAP_* range. Signed-off-by: Jan Beulich LKML-Reference: <4A4A0A8702000078000082E8@vpn.id2.novell.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 594e9d5bb688ee399147801c70e0b14f40f98029 Author: Kay Sievers Date: Mon Jul 20 16:04:55 2009 +0100 vc: create vcs(a) devices for consoles commit c46a7aec556ffdbdb7357db0b05904b176cb3375 upstream. The buffer for the consoles are unconditionally allocated at con_init() time, which miss the creation of the vcs(a) devices. Since 2.6.30 (commit 4995f8ef9d3aac72745e12419d7fbaa8d01b1d81, 'vcs: hook sysfs devices into object lifetime instead of "binding"' to be exact) these devices are no longer created at open() and removed on close(), but controlled by the lifetime of the buffers. Reported-by: Gerardo Exequiel Pozzi Tested-by: Gerardo Exequiel Pozzi Signed-off-by: Kay Sievers Signed-off-by: Alan Cox Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6bfa23bd0b93d00e489ed1ec9670f8d780d003ae Author: Heiko Carstens Date: Thu Jun 11 15:14:40 2009 +0200 partitions: fix broken uevent_suppress conversion commit f8c73c790c588fd70fda1632c8927a87b3d31dcd upstream. git commit f67f129e "Driver core: implement uevent suppress in kobject" contains this chunk for fs/partitions/check.c: /* suppress uevent if the disk supresses it */ - if (!ddev->uevent_suppress) + if (!dev_get_uevent_suppress(pdev)) kobject_uevent(&pdev->kobj, KOBJ_ADD); However that should have been - if (!ddev->uevent_suppress) + if (!dev_get_uevent_suppress(ddev)) Signed-off-by: Heiko Carstens Acked-by: Ming Lei Signed-off-by: Greg Kroah-Hartman commit 1c517c243cc762ac9d926ff5afd042d17bcf063b Author: Mark Brown Date: Fri Jul 3 10:33:39 2009 +0100 ASoC: Fix register cache initialisation for WM8753 commit 1df892cba45f9856d369a6a317ad2d1e44bca423 upstream. The wrong register cache variable was being used to provide the size for the memcpy(), resulting in a copy of only a void * of data. Reported-by: Lars-Peter Clausen Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 0cb3ced579f18fe2664dc86b2fc1c41e42176ce2 Author: Nicolas Pitre Date: Sat Jul 18 20:34:37 2009 -0400 mvsdio: fix handling of partial word at the end of PIO transfer commit 6cdbf734493d6e8f5afc6f539b82897772809d43 upstream. Standard data flow for MMC/SD/SDIO cards requires that the mvsdio controller be set for big endian operation. This is causing problems with buffers which length is not a multiple of 4 bytes as the last partial word doesn't get shifted all the way and stored properly in memory. Let's compensate for this. Signed-off-by: Nicolas Pitre Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 99881939eeede1a08dcec3c8ea9a4bc046736554 Author: Jiri Slaby Date: Fri Jun 19 23:24:11 2009 +0200 HID: hiddev, fix lock imbalance commit 4859484b0957ddc7fe3e0fa349d98b0f1c7876bd upstream. Add omitted BKL to one switch/case. Signed-off-by: Jiri Slaby Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit 3db6ff5f188bc0277d26ee2e91e7354efe97560c Author: Takashi Iwai Date: Fri Jul 24 16:51:47 2009 +0200 ALSA: hda - Fix mute control with some ALC262 models commit 8de56b7deb2534a586839eda52843c1dae680dc5 upstream. The master mute switch is wrongly implemented as checking the pointer instead of its value, thus it can be never muted. This patch fixes the issue. Reference: Novell bnc#404873 https://bugzilla.novell.com/show_bug.cgi?id=404873 Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 503b0cccb14e6e70b6b6f12b4cbefdc5a8eb71b5 Author: Hao Song Date: Mon Jul 20 15:01:16 2009 +0800 ALSA: hda - Add quirk for Gateway T6834c laptop commit 42b95f0c6b524b5a670dd17533a3522db368f600 upstream. Gateway T6834c laptops need EAPD always on while the default behavior for the STAC9205 reference board is to turn it off upon every HP plug. By using the special "eapd" model, which is first introduced for Gateway T1616 laptops for this same reason, this peculiarity can be properly handled. Signed-off-by: Hao Song Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 993d4afb7694ce16cbd1e6b86ad37e93be84b203 Author: Takashi Iwai Date: Mon Jul 20 08:01:36 2009 +0200 ALSA: hda - Fix pin-setup for Sony VAIO with STAC9872 codecs commit b04add956616b6d89ff21da749b46ad2bd58ef32 upstream. The recent rewrite of the codec parser for STAC9872 caused a regression for some Sony VAIO models that don't give proper pin default configs by BIOS. Even using model=vaio doesn't work because the pin definitions are set after the pin overrides. This patch fixes the pin definitions in patch_stac9872() to be put in the right place before the pin overrides. Also the patch adds the new quirk entry for VAIO F/S to have the correct pin default configs. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 2ce0460627548ae6e546fdb225517ca84bb9d0d6 Author: Takashi Iwai Date: Mon Jul 20 15:42:51 2009 +0200 ALSA: ca0106 - Fix the max capture buffer size commit 34fdeb2d07102e07ecafe79dec170bd6733f2e56 upstream. The capture buffer size with 64kB seems broken with CA0106. At least, either the update timing or the DMA position is wrong, and this screws up pulseaudio badly. This patch restricts the max buffer size less than that to make life a bit easier. Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6b5600f321f51cd409d05f475128d40fc7241a2d Author: Jeff Layton Date: Mon Jul 20 13:40:52 2009 -0400 cifs: free nativeFileSystem field before allocating a new one commit 90a98b2f3f3647fb17667768a348b2b219f2a9f7 upstream. ...otherwise, we'll leak this memory if we have to reconnect (e.g. after network failure). Signed-off-by: Jeff Layton Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 9d33821d65cdad2af0461f3a6268125cc8a33052 Author: Jeff Layton Date: Sun Jul 5 11:01:02 2009 -0400 cifs: fix regression with O_EXCL creates and optimize away lookup commit 5ddf1e0ff00fd808c048d0b920784828276cc516 upstream. cifs: fix regression with O_EXCL creates and optimize away lookup Signed-off-by: Jeff Layton Tested-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 4a6e5fa799ff02f0f2380c81256788073df9de79 Author: Alan Stern Date: Mon Jun 29 14:34:59 2009 -0400 USB: EHCI: report actual_length for iso transfers commit ec6d67e39f5638c792eb7490bf32586ccb9d8005 upstream. This patch (as1259b) makes ehci-hcd return the total number of bytes transferred in urb->actual_length for Isochronous transfers. Until now, the actual_length value was unaccountably left at 0. Signed-off-by: Alan Stern Acked-by: David Brownell Signed-off-by: Greg Kroah-Hartman commit 41a96a761e60c29e4b0ae6f62b66dc639fc611d7 Author: Daniel Mack Date: Fri Jul 10 11:04:58 2009 +0200 USB: fix LANGID=0 regression commit 0cce2eda19923e5e5ccc8b042dec5af87b3ffad0 upstream. commit b7af0bb ("USB: allow malformed LANGID descriptors") broke support for devices without string descriptor support. Reporting string descriptors is optional to USB devices, and a device lets us know it can't deal with strings by responding to the LANGID request with a STALL token. The kernel handled that correctly before b7af0bb came in, but failed hard if the LANGID was reported but broken. More than that, if a device was not able to provide string descriptors, the LANGID was retrieved over and over again at each string read request. This patch changes the behaviour so that a) the LANGID is only queried once b) devices which can't handle string requests are not asked again c) devices with malformed LANGID values have a sane fallback to 0x0409 Signed-off-by: Daniel Mack Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 1f5ab002a341befd645e76fa5bd29a65c8e8138c Author: David Brownell Date: Fri Jun 19 03:09:04 2009 -0700 USB: RNDIS gadget, fix issues talking from PXA commit 4e19f220d4e84f5728cb7edde36352ab425cfba4 upstream. The reworked Ethernet gadget has an RNDIS interop problem when used with the CDC subset driver ... e.g. on PXA 2xx and 3xx hardware, which currently has a hard time talking to MS-Windows hosts. The issue is that Microsoft requires USB_CLASS_COMM. Fix by tweaking the CDC subset driver to not switch to USB_CLASS_VENDOR_SPEC if RNDIS is used in some other device configuration. [ UPDATED: some "statements" were comma-terminated; fix that. ] Signed-off-by: David Brownell Cc: Aric Blumer Signed-off-by: Greg Kroah-Hartman commit 928d6bb8eeeb78e8653aa908f93e0263c6f71ad2 Author: Oliver Neukum Date: Sun Jun 28 23:34:14 2009 +0200 USB: fix memleak in usbfs commit d794a02111cd3393da69bc7d6dd2b6074bd037cc upstream. This patch fixes a memory leak in devio.c::processcompl If writing to user space fails the packet must be discarded, as it already has been removed from the queue of completed packets. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit a2b3f371563dbbe2226a687d0cfb83a31bca9479 Author: Oliver Neukum Date: Tue Jun 30 09:44:24 2009 +0200 USB: fix uninitialised variable in ti_do_download commit 87ea8c887905d8b13ae90b537117592ed027632a upstream. Signed-off-by: Oliver Neukum Cc: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit d988075d21145ad3bcded6c0721cd7da3ca352ea Author: Greg Kroah-Hartman Date: Fri Jun 26 08:05:20 2009 -0700 USB: ti_usb_3410_5052: fix duplicate device ids. commit 3c43f27bf57b0502df2478253699559ee1d43f6d upstream. commit 1a1fab513734b3a4fca1bee8229e5ff7e1cb873c accidentally added the device id to both tables in the driver, which causes problems as this is only a single port device, not a multiple port device. Signed-off-by: Greg Kroah-Hartman commit dcf40b739ed328a82ef6620c7b505a8209c0f009 Author: Alan Stern Date: Mon Jun 29 11:04:54 2009 -0400 USB: handle zero-length usbfs submissions correctly commit 9180135bc80ab11199d482b6111e23f74d65af4a upstream. This patch (as1262) fixes a bug in usbfs: It refuses to accept zero-length transfers, and it insists that the buffer pointer be valid even if there is no data being transferred. The patch also consolidates a bunch of repetitive access_ok() checks into a single check, which incidentally fixes the lack of such a check for Isochronous URBs. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 15362af40d0f6708e8a88f58651d122f973ba1d0 Author: Dan Aloni Date: Sat Jun 20 16:32:22 2009 +0300 Staging: prevent rtl8187se from crashing dev_ioctl() in SIOCGIWNAME commit 02c8baecf5d8850dba40b47cdf003ed2e04e66dd upstream. I repeatedly get __stack_chk_fail panic()s with this driver before applying the attached fix. ieee80211_wx_get_name() ignores sizeof(wrqu->name) which is IFNAMSIZ (16), and on certain conditions, the concatenated string will be larger than IFNAMSIZ including the terminating zero. length ("802.11" ++ "b" ++ "/g" ++ " linked" ++ "\x00") == 17 This fix uses strl{cpy,cat} in addition to the reduction of the total possible length of the output string by a char. It can be applied to 2.6.30-stable as well. Signed-off-by: Dan Aloni Cc: Bartlomiej Zolnierkiewicz Signed-off-by: Greg Kroah-Hartman commit 5c8affc6e16f6bad03b5c23d25b2c774b817160a Author: Johannes Berg Date: Thu Jul 2 15:46:41 2009 +0200 cfg80211: fix refcount leak commit 2dce4c2b5f0b43bd25bf9ea6ded06b7f8a54c91f upstream. The code in cfg80211's cfg80211_bss_update erroneously grabs a reference to the BSS, which means that it will never be freed. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit df42c57d32622dca010595fe13c86c93a7fc68ea Author: Tilman Schmidt Date: Wed Jul 1 11:20:57 2009 +0000 gigaset: accept connection establishment messages in any order commit bceb0f126f25184eaec3f3c8f00c92b0d899e5de upstream. ISDN connection setup failed if the "connection active" and "B channel up" messages from the device arrived in a different order than expected. Modify the state machine to accept them in any order. Impact: bugfix Signed-off-by: Tilman Schmidt Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 88bb2dc2879645af77ac3b25d4451c7fb7e38b3d Author: Stephane Contri Date: Thu Jul 2 23:26:48 2009 +0000 dsa: fix 88e6xxx statistics counter snapshotting commit 1ded3f59f35a2642852b3e2a1c0fa8a97777e9af upstream. The bit that tells us whether a statistics counter snapshot operation has completed is located in the GLOBAL register block, not in the GLOBAL2 register block, so fix up mv88e6xxx_stats_wait() to poll the right register address. Signed-off-by: Stephane Contri Signed-off-by: Lennert Buytenhek Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e9cbe5c4d29e052c38e500a06517b27c60f22c02 Author: Paul E. McKenney Date: Thu Jun 25 12:31:37 2009 -0700 fix RCU-callback-after-kmem_cache_destroy problem in sl[aou]b commit 7ed9f7e5db58c6e8c2b4b738a75d5dcd8e17aad5 upstream. Jesper noted that kmem_cache_destroy() invokes synchronize_rcu() rather than rcu_barrier() in the SLAB_DESTROY_BY_RCU case, which could result in RCU callbacks accessing a kmem_cache after it had been destroyed. Acked-by: Matt Mackall Reported-by: Jesper Dangaard Brouer Signed-off-by: Paul E. McKenney Signed-off-by: Pekka Enberg Signed-off-by: Greg Kroah-Hartman commit 843f9d9fa71d3889169172b20ee07ae6e51c0be4 Author: Clemens Ladisch Date: Mon Jul 13 13:21:58 2009 +0200 sound: usb-audio: add workaround for Blue Microphones devices commit 8886f33f25083a47d5fa24ad7b57bb708c5c5403 upstream. Blue Microphones USB devices have an alternate setting that sends two channels of data to the computer. Unfortunately, the descriptors of that altsetting have a wrong channel setting, which means that any recorded data from such a device has twice the sample rate from what would be expected. This patch adds a workaround to ignore that altsetting. Since these devices have only one actual channel, no data is lost. Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 59dd743d8d68e265eba65776388e91d298f57928 Author: Clemens Ladisch Date: Thu Jul 2 08:31:30 2009 +0200 sound: virtuoso: fix Xonar D1/DX silence after resume commit 826390796d09444b93e1f957582f8970ddfd9b3d upstream. When resuming, we better take the DACs out of the reset state before trying to use them. Reference: kernel bug #13599 http://bugzilla.kernel.org/show_bug.cgi?id=13599 Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 172cad5201cad098f408202a7523f41039b80933 Author: David Howells Date: Thu Jul 2 14:35:32 2009 +0100 NFSD: Don't hold unrefcounted creds over call to nfsd_setuser() commit 033a666ccb842ab4134fcd0c861d5ba9f5d6bf3a upstream. nfsd_open() gets an unrefcounted pointer to the current process's effective credentials at the top of the function, then calls nfsd_setuser() via fh_verify() - which may replace and destroy the current process's effective credentials - and then passes the unrefcounted pointer to dentry_open() - but the credentials may have been destroyed by this point. Instead, the value from current_cred() should be passed directly to dentry_open() as one of its arguments, rather than being cached in a variable. Possibly fh_verify() should return the creds to use. This is a regression introduced by 745ca2475a6ac596e3d8d37c2759c0fbe2586227 "CRED: Pass credentials through dentry_open()". Signed-off-by: David Howells Tested-and-Verified-By: Steve Dickson Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 29104c8829cd5c5eabff413ecf423c194523840d Author: James Bottomley Date: Wed Jun 24 19:55:22 2009 +0000 SCSI: zalon: fix oops on attach failure commit d3a263a8168f78874254ea9da9595cfb0f3e96d7 upstream. I recently discovered on my zalon that if the attachment fails because of a bus misconfiguration (I scrapped my HVD array, so the card is now unterminated) then the system oopses. The reason is that if ncr_attach() returns NULL (signalling failure) that NULL is passed by the goto failed straight into ncr_detach() which oopses. The fix is just to return -ENODEV in this case. Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman