commit 2147b209180701193e4a154896494aeeeab9d268
Author: Greg Kroah-Hartman
Date:   Thu Sep 24 08:45:25 2009 -0700

    Linux 2.6.31.1

commit 796194121cb3649717142f289ef3ccf4e68107c8
Author: Brian King
Date:   Fri Aug 28 12:06:29 2009 +0000

    powerpc/pseries: Fix to handle slb resize across migration

    commit 46db2f86a3b2a94e0b33e0b4548fb7b7b6bdff66 upstream.

    The SLB can change sizes across a live migration, which was not being handled, resulting in possible machine crashes during migration if migrating to a machine which has a smaller max SLB size than the source machine. Fix this by first reducing the SLB size to the minimum possible value, which is 32, prior to migration. Then during the device tree update which occurs after migration, we make the call to ensure the SLB gets updated. Also add the slb_size to the lparcfg output so that the migration tools can check to make sure the kernel has this capability before allowing migration in scenarios where the SLB size will change.

    BenH: Fixed #include -> to avoid breaking ppc32 build

    Signed-off-by: Brian King
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 6cc51b05967b1f4b996076a1c97ce65f37376e18
Author: Jean Delvare
Date:   Tue Jul 28 11:49:19 2009 +0200

    PCI: Unhide the SMBus on the Compaq Evo D510 USDT

    commit 6b5096e4d4496e185cd1ada5d1b8e1d941c805ed upstream.

    One more form factor for Compaq Evo D510, which needs the same quirk as the other form factors. Apparently there's no hardware monitoring chip on that one, but SPD EEPROMs, so it's still worth unhiding the SMBus.

    Signed-off-by: Jean Delvare
    Tested-by: Nuzhna Pomoshch
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 0e2684f97e9dd81ff81705400c0d0657bfbe425f
Author: Alexander Duyck
Date:   Thu Aug 13 16:57:49 2009 -0700

    PCI quirk: update 82576 device ids in SR-IOV quirks list

    commit 6f1186be4feb3364d3a52cbea81e43e4d5296196 upstream.

    This patch adds the most recent additions to the list of 82576 device IDs to the list of devices needing the SR-IOV quirk.

    Signed-off-by: Alexander Duyck
    Signed-off-by: Jeff Kirsher
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 2e464a961227d74dbe65d06fd8d8bd2b6df8262f
Author: Tejun Heo
Date:   Sun Aug 16 21:21:21 2009 +0900

    libata: fix off-by-one error in ata_tf_read_block()

    commit ac8672ea922bde59acf50eaa1eaa1640a6395fd2 upstream.

    ata_tf_read_block() has off-by-one error when converting CHS address to LBA. The bug isn't very visible because ata_tf_read_block() is used only when generating sense data for a failed RW command and CHS addressing isn't used too often these days.

    This problem was spotted by Atsushi Nemoto.

    Signed-off-by: Tejun Heo
    Reported-by: Atsushi Nemoto
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 47c69905b9d2d8ffa5f74845f0ccbff1ee0028f0
Author: Marcelo Tosatti
Date:   Mon Jul 27 23:41:01 2009 -0300

    KVM: limit lapic periodic timer frequency

    commit 1444885a045fe3b1905a14ea1b52540bf556578b upstream.

    Otherwise it's possible to starve the host by programming lapic timer with a very high frequency.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit eac89540d832baac64c018c3952926e12e04b72c
Author: Avi Kivity
Date:   Mon May 18 16:15:20 2009 +0300

    KVM: x86 emulator: fix jmp far decoding (opcode 0xea)

    commit ee3d29e8bee8d7c321279a9bd9bd25d4cfbf79b7 upstream.

    The jump target should not be sign extended; use an unsigned decode flag.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit d2854b089b53baaf62cf369e27d21573f3c55a68
Author: Izik Eidus
Date:   Tue Jul 28 15:26:58 2009 -0300

    KVM: MMU: make __kvm_mmu_free_some_pages handle empty list

    commit 3b80fffe2b31fb716d3ebe729c54464ee7856723 upstream.

    First check if the list is empty before attempting to look at list entries.

    Signed-off-by: Izik Eidus
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 5e98b0c4e3a8881da7633241a9e88a7bc8ac0175
Author: Avi Kivity
Date:   Mon May 18 16:13:45 2009 +0300

    KVM: x86 emulator: Implement zero-extended immediate decoding

    commit c9eaf20f268c7051bfde2ba212c5ea76a6cbc7a1 upstream.

    Absolute jumps use zero extended immediate operands.

    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 82093a268b8f16364b29069ae6cff79e13ba7e9d
Author: Gleb Natapov
Date:   Thu Aug 27 18:41:30 2009 +0300

    KVM: VMX: Fix cr8 exiting control clobbering by EPT

    commit 5fff7d270bd6a4759b6d663741b729cdee370257 upstream.

    Don't call adjust_vmx_controls() two times for the same control. It restores options that were dropped earlier. This loses us the cr8 exit control, which causes a massive performance regression on Windows x64.

    Signed-off-by: Gleb Natapov
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit be45e259c6948bed4482d9b9de32236078db2443
Author: Jan Kiszka
Date:   Mon Aug 3 18:43:28 2009 +0200

    KVM: x86: Disallow hypercalls for guest callers in rings > 0

    commit 07708c4af1346ab1521b26a202f438366b7bcffd upstream.

    So far unprivileged guest callers running in ring 3 can issue, e.g., MMU hypercalls. Normally, such callers cannot provide any hand-crafted MMU command structure as it has to be passed by its physical address, but they can still crash the guest kernel by passing random addresses.

    To close the hole, this patch considers hypercalls valid only if issued from guest ring 0. This may still be relaxed on a per-hypercall base in the future once required.

    Signed-off-by: Jan Kiszka
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 6aece86ef27f5713f7a34a3e4c844ad0ba29fbae
Author: Glauber Costa
Date:   Mon Aug 31 03:04:31 2009 -0400

    KVM guest: fix bogus wallclock physical address calculation

    commit a20316d2aa41a8f4fd171648bad8f044f6060826 upstream.

    The use of __pa() to calculate the address of a C-visible symbol is wrong, and can lead to unpredictable results. See arch/x86/include/asm/page.h for details.

    It should be replaced with __pa_symbol(), that does the correct math here, by taking relocations into account. This ensures the correct wallclock data structure physical address is passed to the hypervisor.

    Signed-off-by: Glauber Costa
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit bd634611e589582bba636434af7fcbf782eceb42
Author: Avi Kivity
Date:   Tue Sep 1 12:03:25 2009 +0300

    KVM: VMX: Check cpl before emulating debug register access

    commit 0a79b009525b160081d75cef5dbf45817956acf2 upstream.

    Debug registers may only be accessed from cpl 0. Unfortunately, vmx will code to emulate the instruction even though it was issued from guest userspace, possibly leading to an unexpected trap later.

    Signed-off-by: Avi Kivity
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit fc7a2de55c6ba0088d219a12f9825db54112e1a4
Author: Gleb Natapov
Date:   Thu Sep 3 12:10:34 2009 +0300

    KVM: Fix coalesced interrupt reporting in IOAPIC

    commit 65a82211636f156a276cac3f8665605ae18f371f upstream.

    This bug was introduced by b4a2f5e723e4f7df467.

    Signed-off-by: Gleb Natapov
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 01e44f49de551da7ab12dab65eb9923bebf04be2
Author: Marcelo Tosatti
Date:   Tue Aug 25 01:13:10 2009 -0300

    KVM guest: do not batch pte updates from interrupt context

    commit 6ba661787594868512a71c129062ebd57d0c01e7 upstream.

    Commit b8bcfe997e4 made paravirt pte updates synchronous in interrupt context.

    Unfortunately the KVM pv mmu code caches the lazy/nonlazy mode internally, so a pte update from interrupt context during a lazy mmu operation can be batched while it should be performed synchronously.

    https://bugzilla.redhat.com/show_bug.cgi?id=518022

    Drop the internal mode variable and use paravirt_get_lazy_mode(), which returns the correct state.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    Signed-off-by: Greg Kroah-Hartman

commit 5a3a29fefad07ca9dd99cf4c3da55c0694084f59
Author: Nicolas Pitre
Date:   Thu Sep 3 21:45:59 2009 +0100

    ARM: 5691/1: fix cache aliasing issues between kmap() and kmap_atomic() with highmem

    commit 7929eb9cf643ae416e5081b2a6fa558d37b9854c upstream.

    Let's suppose a highmem page is kmap'd with kmap(). A pkmap entry is used, the page mapped to it, and the virtual cache is dirtied. Then kunmap() is used which does virtually nothing except for decrementing a usage count.

    Then, let's suppose the _same_ page gets mapped using kmap_atomic(). It is therefore mapped onto a fixmap entry instead, which has a different virtual address unaware of the dirty cache data for that page sitting in the pkmap mapping.

    Fortunately it is easy to know if a pkmap mapping still exists for that page and use it directly with kmap_atomic(), thanks to kmap_high_get().

    And actual testing with a printk in the added code path shows that this condition is actually met *extremely* frequently. Seems that we've been quite lucky that things have worked so well with highmem so far.

    Signed-off-by: Nicolas Pitre
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit c922ffeef36f4e90d244fbde7b123f44e77e3be2
Author: Jack Steiner
Date:   Thu Sep 3 12:56:02 2009 -0500

    x86, pat: Fix cacheflush address in change_page_attr_set_clr()

    commit fa526d0d641b5365676a1fb821ce359e217c9b85 upstream.

    Fix address passed to cpa_flush_range() when changing page attributes from WB to UC. The address (*addr) is modified by __change_page_attr_set_clr(). The result is that the pages being flushed start at the _end_ of the changed range instead of the beginning.

    This should be considered for 2.6.30-stable and 2.6.31-stable.

    Signed-off-by: Jack Steiner
    Acked-by: Suresh Siddha
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 011792952ea72097506d9f8a0727fa78ba8a3961
Author: Tejun Heo
Date:   Tue Jul 21 16:08:43 2009 -0700

    PCI: apply nv_msi_ht_cap_quirk on resume too

    commit 6dab62ee5a3bf4f71b8320c09db2e6022a19f40e upstream.

    http://bugzilla.kernel.org/show_bug.cgi?id=12542 reports that with the quirk not applied on resume, msi stops working after resuming and mcp78s ahci fails due to IRQ mis-delivery. Apply it on resume too.

    Signed-off-by: Tejun Heo
    Cc: Peer Chen
    Cc: Tj
    Reported-by: Nicolas Derive
    Cc: Greg KH
    Signed-off-by: Andrew Morton
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 1cde5a2e3f782234336582558dd8591f811bfb55
Author: Jeremy Fitzhardinge
Date:   Thu Sep 3 12:27:15 2009 -0700

    x86/i386: Make sure stack-protector segment base is cache aligned

    commit 1ea0d14e480c245683927eecc03a70faf06e80c8 upstream.

    The Intel Optimization Reference Guide says:

        In Intel Atom microarchitecture, the address generation unit assumes that the segment base will be 0 by default. Non-zero segment base will cause load and store operations to experience a delay.
            - If the segment base isn't aligned to a cache line boundary, the max throughput of memory operations is reduced to one [e]very 9 cycles.
        [...]
            Assembly/Compiler Coding Rule 15. (H impact, ML generality) For Intel Atom processors, use segments with base set to 0 whenever possible; avoid non-zero segment base address that is not aligned to cache line boundary at all cost.

    We can't avoid having a non-zero base for the stack-protector segment, but we can make it cache-aligned.

    Signed-off-by: Jeremy Fitzhardinge
    LKML-Reference: <4AA01893.6000507@goop.org>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 2d75a4795020ccdfaae36c4ecb004d8c0fc35708
Author: Roel Kluin
Date:   Tue Aug 25 15:35:12 2009 +0200

    x86: Fix x86_model test in es7000_apic_is_cluster()

    commit 005155b1f626d2b2d7932e4afdf4fead168c6888 upstream.

    For the x86_model to be greater than 6 or less than 12 is logically always true.

    Signed-off-by: Roel Kluin
    Cc: Andrew Morton
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 4da07ab56e64e4b022e03b1a9b602d68e390cf1a
Author: Peter Zijlstra
Date:   Fri Sep 4 15:36:12 2009 +0200

    perf stat: Change noise calculation to use stddev

    commit 506d4bc8d5dab20d84624aa07cdc6dcd77915d52 upstream.

    The current noise computation does:

        \Sum abs(n_i - avg(n)) * N^-1.5

    Which is (afaik) not a regular noise function, and needs the complete sample set available to post-process.

    Change this to use a regular stddev computation which can be done by keeping two sums:

        stddev = sqrt( 1/N (\Sum n_i^2) - avg(n)^2 )

    For which we only need to keep \Sum n_i and \Sum n_i^2.

    Signed-off-by: Peter Zijlstra
    Cc:
    LKML-Reference:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 0dadca5c16ebc1754b14cd6db3710ddab3c68f7d
Author: Roland Dreier
Date:   Sat Sep 5 20:24:49 2009 -0700

    mlx4_core: Allocate and map sufficient ICM memory for EQ context

    commit fa0681d2129732027355d6b7083dd8932b9b799d upstream.

    The current implementation allocates a single host page for EQ context memory, which was OK when we only allocated a few EQs. However, since we now allocate an EQ for each CPU core, this patch removes the hard-coded limit (which we exceed with 4 KB pages and 128 byte EQ context entries with 32 CPUs) and uses the same ICM table code as all other context tables, which ends up simplifying the code quite a bit while fixing the problem.

    This problem was actually hit in practice on a dual-socket Nehalem box with 16 real hardware threads and sufficiently odd ACPI tables that it shows on boot

        SMP: Allowing 32 CPUs, 16 hotplug CPUs

    so num_possible_cpus() ends up 32, and mlx4 ends up creating 33 MSI-X interrupts and 33 EQs. This mlx4 bug means that mlx4 can't even initialize at all on this quite mainstream system.

    Reported-by: Eli Cohen
    Tested-by: Christoph Lameter
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman

commit db15c341d2cc6d162e3b7aa4c72bd49cf03dd30f
Author: Clemens Ladisch
Date:   Mon Sep 7 10:18:54 2009 +0200

    sound: oxygen: work around MCE when changing volume

    commit f1bc07af9a9edc5c1d4bdd971f7099316ed2e405 upstream.

    When the volume is changed continuously (e.g., when the user drags a volume slider with the mouse), the driver does lots of I2C writes. Apparently, the sound chip can get confused when we poll the I2C status register too much, and fails to complete a read from it. On the PCI-E models, the PCI-E/PCI bridge gets upset by this and generates a machine check exception.

    To avoid this, this patch replaces the polling with an unconditional wait that is guaranteed to be long enough.

    Signed-off-by: Clemens Ladisch
    Tested-by: Johann Messner
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit caa4489e9a48492d336e57765eea50223ee71d69
Author: Mark Brown
Date:   Mon Sep 7 18:09:58 2009 +0100

    ASoC: Fix WM835x Out4 capture enumeration

    commit 87831cb660954356d68cebdb1406f3be09e784e9 upstream.

    It's the 8th enum of a zero indexed array. This is why I don't let new drivers use these arrays of enums...

    Signed-off-by: Mark Brown
    Signed-off-by: Greg Kroah-Hartman

commit d557755c1eab7c876f43f9fe3e5b046a492566bd
Author: Sophie Hamilton
Date:   Tue Sep 8 10:58:42 2009 +0200

    ALSA: cs46xx - Fix minimum period size

    commit 6148b130eb84edc76e4fa88da1877b27be6c2f06 upstream.

    Fix minimum period size for cs46xx cards. This fixes a problem in the case where neither a period size nor a buffer size is passed to ALSA; this is the case in Audacious, OpenAL, and others.

    Signed-off-by: Sophie Hamilton
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit fdc37a2c81c7542b01479c669f517912ef1d60f5
Author: Zhenyu Wang
Date:   Mon Sep 14 10:47:06 2009 +0800

    agp/intel: remove restore in resume

    commit 121264827656f5f06328b17983c796af17dc5949 upstream.

    As early pci resume has already restored config for host bridge and graphics device, don't need to restore it again. This removes an original order hack for graphics device restore.

    This fixed the resume hang issue found by Alan Stern on 845G, caused by extra config restore on graphics device.

    Cc: Alan Stern
    Signed-off-by: Zhenyu Wang
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit c1bb36016b09cf5c4b207f470cb116548f5152e0
Author: Jens Axboe
Date:   Fri Sep 11 22:44:29 2009 +0200

    block: don't assume device has a request list backing in nr_requests store

    commit b8a9ae779f2c7049071034661e09cb7e1e82250c upstream.

    Stacked devices do not. For now, just error out with -EINVAL. Later we could make the limit apply on stacked devices too, for throttling reasons.

    This fixes 5a54cd13353bb3b88887604e2c980aa01e314309 and should go into 2.6.31 stable as well.

    Signed-off-by: Jens Axboe
    Signed-off-by: Greg Kroah-Hartman

commit 80c8fadd31216328720d74ae19c89156ecc00f99
Author: Geoff Levand
Date:   Wed Sep 9 13:28:05 2009 +0000

    powerpc/ps3: Workaround for flash memory I/O error

    commit bc00351edd5c1b84d48c3fdca740fedfce4ae6ce upstream.

    A workaround for flash memory I/O errors when the PS3 internal hard disk has not been formatted for OtherOS use.

    This error condition mainly affects 'Live CD' users who have not formatted the PS3's internal hard disk for OtherOS.

    Fixes errors similar to these when using the ps3-flash-util or ps3-boot-game-os programs:

        ps3flash read failed 0x2050000
        os_area_header_read: read error: os_area_header: Input/output error
        main:627: os_area_read_hp error.
        ERROR: can't change boot flag

    Signed-off-by: Geoff Levand
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 385361e320df298046095af992224be75b39fd3f
Author: Paul Mackerras
Date:   Wed Sep 9 01:26:03 2009 +0000

    powerpc: Fix bug where perf_counters breaks oprofile

    commit a6dbf93a2ad853585409e715eb96dca9177e3c39 upstream.

    Currently there is a bug where if you use oprofile on a pSeries machine, then use perf_counters, then use oprofile again, oprofile will not work correctly; it will lose the PMU configuration the next time the hypervisor does a partition context switch, and thereafter won't count anything.

    Maynard Johnson identified the sequence causing the problem:

    - oprofile setup calls ppc_enable_pmcs(), which calls pseries_lpar_enable_pmcs, which tells the hypervisor that we want to use the PMU, and sets the "PMU in use" flag in the lppaca. This flag tells the hypervisor whether it needs to save and restore the PMU config.

    - The perf_counter code sets and clears the "PMU in use" flag directly as it context-switches the PMU between tasks, and leaves it clear when it finishes.

    - oprofile setup, called for a new oprofile run, calls ppc_enable_pmcs, which does nothing because it has already been called. In particular it doesn't set the "PMU in use" flag.

    This fixes the problem by arranging for ppc_enable_pmcs to always set the "PMU in use" flag. It makes the perf_counter code call ppc_enable_pmcs also rather than calling the lower-level function directly, and removes the setting of the "PMU in use" flag from pseries_lpar_enable_pmcs, since that is now done in its caller.

    This also removes the declaration of pasemi_enable_pmcs because it isn't defined anywhere.

    Reported-by: Maynard Johnson
    Signed-off-by: Paul Mackerras
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 56033c44ce563bebf3cdde976ba0f0c5c3720b2f
Author: Paul Mackerras
Date:   Wed Sep 9 20:28:49 2009 +0000

    powerpc/perf_counters: Reduce stack usage of power_check_constraints

    commit e51ee31e8af22948dcc3b115978469b09c96c3fd upstream.

    Michael Ellerman reported stack-frame size warnings being produced for power_check_constraints(), which uses an 8*8 array of u64 and two 8*8 arrays of unsigned long, which are currently allocated on the stack, along with some other smaller variables.
    These arrays come to 1.5kB on 64-bit or 1kB on 32-bit, which is a bit too much for the stack.

    This fixes the problem by putting these arrays in the existing per-cpu cpu_hw_counters struct. This is OK because two of the call sites have interrupts disabled already; for the third call site we use get_cpu_var, which disables preemption, so we know we won't get a context switch while we're in power_check_constraints(). Note that power_check_constraints() can be called during context switch but is not called from interrupts.

    Reported-by: Michael Ellerman
    Signed-off-by: Paul Mackerras
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 9db85a343cebff62b7d9e3448502a64b26ee1164
Author: Paul Mackerras
Date:   Tue Aug 25 15:17:20 2009 +1000

    perf_counter: Start counting time enabled when group leader gets enabled

    commit fa289beca9de9119c7760bd984f3640da21bc94c upstream.

    Currently, if a group is created where the group leader is initially disabled but a non-leader member is initially enabled, and then the leader is subsequently enabled some time later, the time_enabled for the non-leader member will reflect the whole time since it was created, not just the time since the leader was enabled.

    This is incorrect, because all of the members are effectively disabled while the leader is disabled, since none of the members can go on the PMU if the leader can't.

    Thus we have to update the ->tstamp_enabled for all the enabled group members when a group leader is enabled, so that the time_enabled computation only counts the time since the leader was enabled.

    Similarly, when disabling a group leader we have to update the time_enabled and time_running for all of the group members.

    Also, in update_counter_times, we have to treat a counter whose group leader is disabled as being disabled.

    Reported-by: Stephane Eranian
    Signed-off-by: Paul Mackerras
    Acked-by: Peter Zijlstra
    LKML-Reference: <19091.29664.342227.445006@drongo.ozlabs.ibm.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 986ddf533c1dd6852196182084aefe1ca9eda34e
Author: Xiao Guangrong
Date:   Tue Sep 15 14:44:36 2009 +0800

    perf_counter: Fix buffer overflow in perf_copy_attr()

    commit b3e62e35058fc744ac794611f4e79bcd1c5a4b83 upstream.

    If we pass a big size data over perf_counter_open() syscall, the kernel will copy this data to a small buffer, it will cause kernel crash.

    This bug makes the kernel unsafe and non-root local user can trigger it.

    Signed-off-by: Xiao Guangrong
    Acked-by: Peter Zijlstra
    Acked-by: Paul Mackerras
    LKML-Reference: <4AAF37D4.5010706@cn.fujitsu.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit cb0365c9e045c09a92363d0e52b7cdaf18ce7f54
Author: Hugh Dickins
Date:   Sat Sep 12 12:21:27 2009 +0100

    fix undefined reference to user_shm_unlock

    commit 2195d2818c37bdf263865f1e9effccdd9fc5f9d4 upstream.

    My 353d5c30c666580347515da609dd74a2b8e9b828 "mm: fix hugetlb bug due to user_shm_unlock call" broke the CONFIG_SYSVIPC !CONFIG_MMU build of both 2.6.31 and 2.6.30.6: "undefined reference to `user_shm_unlock'".

    gcc didn't understand my comment! so couldn't figure out to optimize away user_shm_unlock() from the error path in the hugetlb-less case, as it does elsewhere. Help it to do so, in a language it understands.

    Reported-by: Mike Frysinger
    Signed-off-by: Hugh Dickins
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 70b6cf945725c8b07ee18611165bb7dce4f41d74
Author: Joerg Roedel
Date:   Thu Sep 3 15:45:51 2009 +0200

    x86/amd-iommu: fix broken check in amd_iommu_flush_all_devices

    commit e0faf54ee82bf9c07f0307b4391caad4020bd659 upstream.

    The amd_iommu_pd_table is indexed by protection domain number and not by device id. So this check is broken and must be removed.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit 6b0e630bc078ac1431afb6a0d96098b1c288a465
Author: Geert Uytterhoeven
Date:   Thu Sep 10 23:13:28 2009 +0200

    md: Fix "strchr" [drivers/md/dm-log-userspace.ko] undefined!

    commit 0d03d59d9b31cd1e33b7e46a80b6fef66244b1f2 upstream.

    Commit b8313b6da7e2e7c7f47d93d8561969a3ff9ba0ea ("dm log: remove incorrect field from userspace table output") added a call to strstr() with a single-character "needle" string parameter.

    Unfortunately some versions of gcc replace such calls to strstr() by calls to strchr() behind our back. This causes linking errors if strchr() is defined as an inline function in (e.g. on m68k):

    | WARNING: "strchr" [drivers/md/dm-log-userspace.ko] undefined!

    Avoid this by explicitly calling strchr() instead.

    Signed-off-by: Geert Uytterhoeven
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1e3474abd6ef1fb73773f2ba85874995c82b28b7
Author: Jason Gunthorpe
Date:   Wed Sep 9 17:22:18 2009 -0600

    TPM: Fixup boot probe timeout for tpm_tis driver

    commit ec57935837a78f9661125b08a5d08b697568e040 upstream.

    When probing the device in tpm_tis_init the call request_locality uses timeout_a, which wasn't being initialized until after request_locality. This results in request_locality falsely timing out if the chip is still starting. Move the initialization to before request_locality.

    This probably only matters for embedded cases (ie mine), a BIOS likely gets the TPM into a state where this code path isn't necessary.

    Signed-off-by: Jason Gunthorpe
    Acked-by: Rajiv Andrade
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 4e499625e94ea62f93d91832e5a804555b0ea222
Author: Roland McGrath
Date:   Tue Sep 8 19:49:40 2009 -0700

    binfmt_elf: fix PT_INTERP bss handling

    commit 9f0ab4a3f0fdb1ff404d150618ace2fa069bb2e1 upstream.

    In fs/binfmt_elf.c, load_elf_interp() calls padzero() for .bss even if the PT_LOAD has no PROT_WRITE and no .bss. This generates EFAULT.

    Here is a small test case.
    (Yes, there are other, useful PT_INTERP which have only .text and no .data/.bss.)

        ----- ptinterp.S
        _start: .globl _start
         nop
         int3
        -----
        $ gcc -m32 -nostartfiles -nostdlib -o ptinterp ptinterp.S
        $ gcc -m32 -Wl,--dynamic-linker=ptinterp -o hello hello.c
        $ ./hello
        Segmentation fault  # during execve() itself

        After applying the patch:
        $ ./hello
        Trace trap  # user-mode execution after execve() finishes

    If the ELF headers are actually self-inconsistent, then dying is fine. But having no PROT_WRITE segment is perfectly normal and correct if there is no segment with p_memsz > p_filesz (i.e. bss). John Reiser suggested checking for PROT_WRITE in the bss logic. I think it makes most sense to simply apply the bss logic only when there is bss.

    This patch looks less trivial than it is due to some reindentation. It just moves the "if (last_bss > elf_bss) {" test up to include the partial-page bss logic as well as the more-pages bss logic.

    Reported-by: John Reiser
    Signed-off-by: Roland McGrath
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 3cfbbe0e83024a77c9626977f1d59224b9f92860
Author: Bob Copeland
Date:   Sat Jul 4 21:03:13 2009 -0400

    ath5k: write PCU registers on initial reset

    commit 3355443ad7601991affa5992b0d53870335af765 upstream.

    "Ath5k: unify resets" introduced a regression into 2.6.28 where the PCU registers are never initialized, due to ath5k_reset() always passing true for change_channel. We subsequently program a lot of these registers but several may start in an unknown state.

    Reported-by: Forrest Zhang
    Signed-off-by: Bob Copeland
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 945797ee7348fb106dbd8708c1f6a7fd5b6edd3f
Author: Bob Copeland
Date:   Tue Sep 1 18:12:11 2009 -0400

    cfg80211: fix looping soft lockup in find_ie()

    commit fcc6cb0c13555e78c2d47257b6d1b5e59b0c419a upstream.

    The find_ie() function uses a size_t for the len parameter, and directly uses len as a loop variable.
    If any received packets are malformed, it is possible for the decrease of len to overflow, and since the result is unsigned, the loop will not terminate. Change it to a signed int so the loop conditional works for negative values.

    This fixes the following soft lockup:

    Signed-off-by: Bob Copeland
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 328b1e3dfd68bdfa0cf3b592f775fd33f130733c
Author: Bart Van Assche
Date:   Sun Aug 30 12:36:48 2009 +0200

    SCSI: libsrp: fix memory leak in srp_ring_free()

    commit afffd3dabe5209882c8cc59a373a4d33b5db304a upstream.

    This patch fixes a memory leak in the libsrp function srp_ring_free(). It is not documented whether or not this function should free the ring pointer itself.
    But the source code of the callers of this function (srp_target_alloc() and srp_target_free()) makes it clear that srp_ring_free() should deallocate the ring pointer itself. Furthermore, the patch below makes srp_ring_free() deallocate all memory allocated by srp_ring_alloc().

    This patch affects the ibmvstgt driver, which is the only in-tree driver that calls the srp_ring_free() function (indirectly).

    Signed-off-by: Bart Van Assche
    Acked-by: FUJITA Tomonori
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 0ce24e272f2a107054065a679db02bd9d5feeebb
Author: James Bottomley
Date:   Fri Aug 21 09:47:54 2009 -0600

    SCSI: fix oops during scsi scanning

    commit ea038f63ac52439e7816295fa6064fe95e6c1f51 upstream.

    Chris Webb reported:

        p0# uname -a
        Linux f7ea8425-d45b-490f-a738-d181d0df6963.host.elastichosts.com 2.6.30.4-elastic-lon-p #2 SMP PREEMPT Thu Aug 20 14:30:50 BST 2009 x86_64 Intel(R) Xeon(R) CPU E5420 @ 2.50GHz GenuineIntel GNU/Linux
        p0# zgrep SCAN_ASYNC /proc/config.gz
        # CONFIG_SCSI_SCAN_ASYNC is not set
        p0# cat /var/log/kern/2009-08-20
        [...]
    15:27:10.485 kernel: scsi9 : iSCSI Initiator over TCP/IP
    15:27:11.493 kernel: scsi 9:0:0:0: RAID IET Controller 0001 PQ: 0 ANSI: 5
    15:27:11.493 kernel: scsi 9:0:0:0: Attached scsi generic sg6 type 12
    15:27:11.495 kernel: scsi 9:0:0:1: Direct-Access IET VIRTUAL-DISK 0001 PQ: 0 ANSI: 5
    15:27:11.495 kernel: sd 9:0:0:1: Attached scsi generic sg7 type 0
    15:27:11.495 kernel: sd 9:0:0:1: [sdg] 4194304 512-byte hardware sectors: (2.14 GB/2.00 GiB)
    15:27:11.495 kernel: sd 9:0:0:1: [sdg] Write Protect is off
    15:27:11.495 kernel: sd 9:0:0:1: [sdg] Write cache: disabled, read cache: enabled, doesn't support DPO or FUA
    15:27:13.012 kernel: sdg:<6>scsi 9:0:0:1: [sdg] Unhandled error code
    15:27:13.012 kernel: scsi 9:0:0:1: [sdg] Result: hostbyte=0x07 driverbyte=0x00
    15:27:13.012 kernel: end_request: I/O error, dev sdg, sector 0
    15:27:13.012 kernel: Buffer I/O error on device sdg, logical block 0
    15:27:13.012 kernel: ldm_validate_partition_table(): Disk read failed.
    15:27:13.012 kernel: unable to read partition table
    15:27:13.014 kernel: BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    15:27:13.014 kernel: IP: [] disk_part_iter_next+0x74/0xfd
    15:27:13.014 kernel: PGD 82ad0b067 PUD 82cd7e067 PMD 0
    15:27:13.014 kernel: Oops: 0000 [#1] PREEMPT SMP
    15:27:13.014 kernel: last sysfs file: /sys/devices/platform/host9/session4/iscsi_session/session4/ifacename
    15:27:13.014 kernel: CPU 5
    15:27:13.014 kernel: Modules linked in:
    15:27:13.014 kernel: Pid: 13999, comm: async/0 Not tainted 2.6.30.4-elastic-lon-p #2 X7DBN
    15:27:13.014 kernel: RIP: 0010:[] [] disk_part_iter_next+0x74/0xfd
    15:27:13.014 kernel: RSP: 0018:ffff88066afa3dd0 EFLAGS: 00010246
    15:27:13.014 kernel: RAX: ffff88082b58a000 RBX: ffff88066afa3e00 RCX: 0000000000000000
    15:27:13.014 kernel: RDX: 0000000000000000 RSI: ffff88082b58a000 RDI: 0000000000000000
    15:27:13.014 kernel: RBP: ffff88066afa3df0 R08: ffff88066afa2000 R09: ffff8806a204f000
    15:27:13.014 kernel: R10: 000000fb12c7d274 R11: ffff8806c2bf0628 R12: ffff88066afa3e00
    15:27:13.014 kernel: R13: ffff88082c829a00 R14: 0000000000000000 R15: ffff8806bc50c920
    15:27:13.014 kernel: FS: 0000000000000000(0000) GS:ffff88002818a000(0000) knlGS:0000000000000000
    15:27:13.014 kernel: CS: 0010 DS: 0018 ES: 0018 CR0: 000000008005003b
    15:27:13.014 kernel: CR2: 0000000000000010 CR3: 000000082ade3000 CR4: 00000000000426e0
    15:27:13.014 kernel: DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    15:27:13.014 kernel: DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    15:27:13.014 kernel: Process async/0 (pid: 13999, threadinfo ffff88066afa2000, task ffff8806c2bf05e0)
    15:27:13.014 kernel: Stack:
    15:27:13.014 kernel: 0000000000000000 ffff88066afa3e00 ffff88066afa3e00 ffff88082c829a00
    15:27:13.014 kernel: ffff88066afa3e40 ffffffff80306feb ffff88082b58a000 0000000000000000
    15:27:13.014 kernel: 0000000000000001 ffff8806bc50c920 ffff88066afa3e40 ffff88082b58a000
    15:27:13.014 kernel: Call Trace:
    15:27:13.014 kernel: [] register_disk+0x122/0x13a
    15:27:13.014 kernel: [] add_disk+0xaa/0x106
    15:27:13.014 kernel: [] sd_probe_async+0x198/0x25b
    15:27:13.014 kernel: [] async_thread+0x10c/0x20d
    15:27:13.014 kernel: [] ? default_wake_function+0x0/0xf
    15:27:13.014 kernel: [] ? async_thread+0x0/0x20d
    15:27:13.014 kernel: [] kthread+0x55/0x80
    15:27:13.014 kernel: [] child_rip+0xa/0x20
    15:27:13.014 kernel: [] ? kthread+0x0/0x80
    15:27:13.014 kernel: [] ? child_rip+0x0/0x20
    15:27:13.014 kernel: Code: c8 ff 80 e1 0c b9 00 00 00 00 0f 44 c1 41 83 cd ff 48 8d 7a 20 48 be ff ff ff ff 08 00 00 00 48 b9 00 00 00 00 08 00 00 00 eb 50 <8b> 42 10 41 bd 01 00 00 00 eb db 4c 63 c2 4e 8d 04 c7 4d 8b 20
    15:27:13.015 kernel: RIP [] disk_part_iter_next+0x74/0xfd
    15:27:13.015 kernel: RSP
    15:27:13.015 kernel: CR2: 0000000000000010
    15:27:13.015 kernel: ---[ end trace 6104b56ef5590e25 ]---

    The problem is caused because the async scanning split in sd.c doesn't
    hold any reference to the device when it kicks off the async piece.
    What's happening is that an iSCSI disconnect is destroying the device
    again *before* the async sd scanning thread even starts. Fix this by
    taking a reference before starting the thread and dropping it again
    when the thread completes.

    Reported-by: Chris Webb
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit f045fdfffa8505de30d3f000d4b8be17c138a9ba
Author: Kashyap, Desai
Date:   Thu Aug 20 13:23:49 2009 +0530

    mpt2sas: Raid 10 Volume is showing as Raid 1E in dmesg

    commit ed79f1280d1bc54f168abcffc8c3e0bf8ffb1873 upstream.

    This patch modifies the slave_configure callback so the messages that
    get sent to system log for RAID1E volumes contain the string "RAID10"
    instead of "RAID1E". These messages contain information regarding what
    kind of scsi device is being added. Certain OEMs can enable displaying
    the RAID10 string instead of RAID1E via manufacturing page 10. The
    driver will read this config page at driver load time, then determine
    from the GenericFlags0 bits whether to display the RAID10 or RAID1E
    string, also even drive count is taken into consideration.

    Signed-off-by: Kashyap Desai
    Reviewed-by: Eric Moore
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit ab58d16bf674ed150fca51183b47020b55cd7680
Author: Kashyap, Desai
Date:   Thu Aug 20 13:23:19 2009 +0530

    mpt2sas: setting SDEV into RUNNING state from Interrupt context

    commit 34a03bef2202d0c9983a8da0a8abaee37d285847 upstream.

    Changing SDEV Running state from interrupt context. Previously it was
    handled in the work queue thread. With this change it will not wait for
    the work queue thread to execute scsih_ublock_io_device to put SDEV
    into Running state. This will reduce delay for Device becoming RUNNING.
    Modified this patch considering James' comment "Not to change SDEV
    state using scsi_device_set_state API, instead use
    scsi_internal_device_unblock scsi_internal_device_block API"

    Signed-off-by: Kashyap Desai
    Reviewed-by: Eric Moore
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit fa278da6aa524b25fddee76c7eaca0b1eff2a56d
Author: Kashyap, Desai
Date:   Thu Aug 20 13:22:00 2009 +0530

    mpt2sas: Prevent sending command to FW while Host Reset

    commit 155dd4c763694222c125e65438d823f58ea653bc upstream.

    This patch renames the flag for indicating host reset from
    ioc_reset_in_progress to shost_recovery. It also removes the spin locks
    surrounding the setting of this flag, which are unnecessary. Sanity
    checks on the shost_recovery flag were added throughout the code so as
    to prevent sending firmware commands during host reset. Also, the
    setting of the shost state to SHOST_RECOVERY was removed to prevent
    deadlocks, this is actually better handled by the shost_recovery flag.

    Signed-off-by: Kashyap Desai
    Reviewed-by: Eric Moore
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 38032be19da873f705202370f63772e0f5b610b5
Author: Kashyap, Desai
Date:   Thu Aug 20 13:20:54 2009 +0530

    mpt2sas : Rescan topology from Interrupt context instead of work thread

    commit cd4e12e8ad246ec5bc23ab04d0da0e6985025620 upstream.

    Following host reset it's possible that the controller firmware could
    assign new handles for devices, as well as adding or deleting devices.
    There is code in the driver that will rescan the topology following
    host reset; updating device handles, and remove devices that are no
    longer responding. This patch will improve the responsiveness by moving
    this rescanning from the delayed hotplug worker thread to immediately
    following the host reset.

    Signed-off-by: Kashyap Desai
    Reviewed-by: Eric Moore
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 57f4fc5e83927aa807b877a848dec6d280f2ee22
Author: Michal Schmidt
Date:   Thu Sep 3 14:27:08 2009 +0200

    sg: fix oops in the error path in sg_build_indirect()

    commit e71044ee2efa4792e21d243b03d49006db66aec9 upstream.

    When the allocation fails in sg_build_indirect(), an oops happens in
    the error path. It's caused by an obvious typo.

    Signed-off-by: Michal Schmidt
    Reported-by: Bob Tracy
    Acked-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman
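
The lifetime rule described in the "SCSI: fix oops during scsi scanning" entry above (take a reference before queuing the async half, drop it when that half completes), shown as an added example that is not code from the kernel or from this changelog. It is a constructed user-space model; every name in it is hypothetical, and "released" stands in for the point where a real release callback would free the object.

```c
#include <stdbool.h>

/* Constructed model, not kernel code: every name here is hypothetical. */
struct dev {
    int  refs;      /* reference count */
    bool released;  /* set where a real release callback would free the object */
};

static void dev_get(struct dev *d) { d->refs++; }
static void dev_put(struct dev *d) { if (--d->refs == 0) d->released = true; }

/* One-slot deferred-work queue standing in for the async thread. */
static int (*pending_fn)(struct dev *);
static struct dev *pending_arg;

static void schedule_async(int (*fn)(struct dev *), struct dev *d)
{
    pending_fn = fn;
    pending_arg = d;
}

/* Async half of the probe: -1 means it ran against a released device. */
static int probe_async(struct dev *d)
{
    return d->released ? -1 : 0;
}

/* Fixed async half: same work, then drop the reference taken by the caller. */
static int probe_async_ref(struct dev *d)
{
    int rc = probe_async(d);
    dev_put(d);
    return rc;
}

/* Probe, disconnect, then let the async half run, in that order.
 * Returns the async result; *released_out reports the final state. */
static int probe_then_disconnect(bool hold_ref, bool *released_out)
{
    struct dev d = { .refs = 1, .released = false };

    if (hold_ref)
        dev_get(&d);                 /* taken before the work is queued */
    schedule_async(hold_ref ? probe_async_ref : probe_async, &d);
    dev_put(&d);                     /* disconnect drops the owner's reference */
    int rc = pending_fn(pending_arg);
    *released_out = d.released;
    return rc;
}
```

In both orderings the device ends up released; only with the extra reference does the release happen after the async half has finished with it.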