commit a2822cac80be9e7fc83eaf9b7d17f169eabd4c99 Author: Greg Kroah-Hartman Date: Mon Oct 5 10:12:06 2009 -0700 Linux 2.6.31.2 commit 6bdeaf6fc2cd583fdfc9e2d857aba5ffc7280aa9 Author: Wey-Yi Guy Date: Wed Sep 30 13:01:01 2009 -0700 iwlwifi: fix unloading driver while scanning This is commit 5bddf54962bf68002816df710348ba197d6391bb in linux-2.6. If NetworkManager is busy scanning when user tries to unload the module, the driver can not be unloaded because HW still scanning. Make sure driver sends abort scan host command to uCode if it is in the middle of scanning during driver unload. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b23b04f4aff630b45fd0f87bd233197822500e5a Author: Wey-Yi Guy Date: Wed Sep 30 15:36:15 2009 -0700 iwlwifi: traverse linklist to find the valid OTP block commit 415e49936b4b29b34c2fb561eeab867d41fc43a6 upstream. For devices using OTP memory, EEPROM image can start from any one of the OTP blocks. If shadow RAM is disabled, we need to traverse link list to find the last valid block, then start the EEPROM image reading. If OTP is not full, the valid block is the block _before_ the last block on the link list; the last block on the link list is the empty block ready for next OTP refresh/update. If OTP is full, then the last block is the valid block to be used for configure the device. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a6a74787f29219a213c435cadf5482b213a99b33 Author: Wey-Yi Guy Date: Fri Jul 17 09:30:14 2009 -0700 iwlagn: modify digital SVR for 1000 commit 02c06e4abc0680afd31bf481a803541556757fb6 upstream. On 1000, there are two Switching Voltage Regulators (SVR). The first one apply digital voltage level (1.32V) for PCIe block and core. We need to use this regulator to solve a stability issue related to noisy DC2DC line in the silicon. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ec45b814b595bbdf76e1177bc06185325a4fb11d Author: Jay Sternberg Date: Fri Jul 17 09:30:22 2009 -0700 iwlwifi: update 1000 series API version to match firmware commit cce53aa347c1e023d967b1cb1aa393c725aedba5 upstream. firmware file now contains build number so API needs to be updated. Signed-off-by: Jay Sternberg Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7b70149f1eb9e6ac0fdbff5a8a899a0d0517dd26 Author: Jay Sternberg Date: Fri Jul 17 09:30:16 2009 -0700 iwlwifi: Handle new firmware file with ucode build number in header commit cc0f555d511a5fe9d4519334c8f674a1dbab9e3a upstream. Adding new API version to account for change to ucode file format. New header includes the build number of the ucode. This build number is the SVN revision thus allowing for exact correlation to the code that generated it. The header adds the build number so that older ucode images can also be enhanced to include the build in the future. some cleanup in iwl_read_ucode needed to ensure old header not used and reduce unnecessary references through pointer with the data is already in heap variable. Signed-off-by: Jay Sternberg Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 6b92d44bd43b6feac96105ebae8a84f8f49bfbf2 Author: David Howells Date: Thu Sep 24 15:13:10 2009 +0100 NOMMU: Fix MAP_PRIVATE mmap() of objects where the data can be mapped directly commit 645d83c5db970a1c57225e155113b4aa2451e920 upstream. Fix MAP_PRIVATE mmap() of files and devices where the data in the backing store might be mapped directly. Use the BDI_CAP_MAP_DIRECT capability flag to govern whether or not we should be trying to map a file directly. This can be used to determine whether or not a region has been filled in at the point where we call do_mmap_shared() or do_mmap_private(). The BDI_CAP_MAP_DIRECT capability flag is cleared by validate_mmap_request() if there's any reason we can't use it. It's also cleared in do_mmap_pgoff() if f_op->get_unmapped_area() fails. Without this fix, attempting to run a program from a RomFS image on a non-mappable MTD partition results in a BUG as the kernel attempts XIP, and this can be caught in gdb: Program received signal SIGABRT, Aborted. 0xc005dce8 in add_nommu_region (region=) at mm/nommu.c:547 (gdb) bt #0 0xc005dce8 in add_nommu_region (region=) at mm/nommu.c:547 #1 0xc005f168 in do_mmap_pgoff (file=0xc31a6620, addr=, len=3808, prot=3, flags=6146, pgoff=0) at mm/nommu.c:1373 #2 0xc00a96b8 in elf_fdpic_map_file (params=0xc33fbbec, file=0xc31a6620, mm=0xc31bef60, what=0xc0213144 "executable") at mm.h:1145 #3 0xc00aa8b4 in load_elf_fdpic_binary (bprm=0xc316cb00, regs=) at fs/binfmt_elf_fdpic.c:343 #4 0xc006b588 in search_binary_handler (bprm=0x6, regs=0xc33fbce0) at fs/exec.c:1234 #5 0xc006c648 in do_execve (filename=, argv=0xc3ad14cc, envp=0xc3ad1460, regs=0xc33fbce0) at fs/exec.c:1356 #6 0xc0008cf0 in sys_execve (name=, argv=0xc3ad14cc, envp=0xc3ad1460) at arch/frv/kernel/process.c:263 #7 0xc00075dc in __syscall_call () at arch/frv/kernel/entry.S:897 Note that this fix does the following commit differently: commit a190887b58c32d19c2eee007c5eb8faa970a69ba Author: David Howells Date: Sat Sep 5 11:17:07 2009 -0700 nommu: fix error handling in do_mmap_pgoff() Reported-by: Graff Yang Signed-off-by: David Howells Acked-by: Pekka Enberg Cc: Paul Mundt Cc: Mel Gorman Cc: Greg Ungerer Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6177445fb4f5d65dde3c883b9987c840178fb86d Author: Kashyap, Desai Date: Wed Sep 2 11:44:57 2009 +0530 mptsas : PAE Kernel more than 4 GB kernel panic commit c55b89fba9872ebcd5ac15cdfdad29ffb89329f0 upstream. This patch is solving problem for PAE kernel DMA operation. On PAE system dma_addr and unsigned long will have different values. Now dma_addr is not type casted using unsigned long. Signed-off-by: Kashyap Desai Signed-off-by: James Bottomley Cc: Jan Beulich Signed-off-by: Greg Kroah-Hartman commit 1dbd009c9078b3491299722a9c0f1313fad0fc1b Author: Jan Scholz Date: Wed Aug 26 13:18:51 2009 +0200 HID: completely remove apple mightymouse from blacklist commit 42960a13001aa6df52ca9952ce996f94a744ea65 upstream. Commit fa047e4f6fa63a6e9d0ae4d7749538830d14a343 "HID: fix inverted wheel for bluetooth version of apple mighty mouse" is incomplete. If we remove Apple MightyMouse (bluetooth version) from the list of apple_devices in drivers/hid/hid-apple.c we have to remove it from hid_blacklist in drivers/hid/hid-core.c as well. Signed-off-by: Jan Scholz Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit c1aa9d2b4debb5287bd42481cfb35c495b708bcd Author: Weirich, Bernhard Date: Thu Sep 24 17:16:53 2009 +1000 powerpc: Fix incorrect setting of __HAVE_ARCH_PTE_SPECIAL [I'm going to fix upstream differently, by having all CPU types actually support _PAGE_SPECIAL, but I prefer the simple and obvious fix for -stable. -- Ben] The test that decides whether to define __HAVE_ARCH_PTE_SPECIAL on powerpc is bogus and will end up always defining it, even when _PAGE_SPECIAL is not supported (in which case it's 0) such as on 8xx or 40x processors. Signed-off-by: Bernhard Weirich Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 50c744f95481f6c43a72e00a2939e1fd2248610d Author: Rex Feany Date: Thu Sep 24 17:16:54 2009 +1000 powerpc/8xx: Fix regression introduced by cache coherency rewrite commit e0908085fc2391c85b85fb814ae1df377c8e0dcb upstream. After upgrading to the latest kernel on my mpc875 userspace started running incredibly slow (hours to get to a shell, even!). I tracked it down to commit 8d30c14cab30d405a05f2aaceda1e9ad57800f36, that patch removed a work-around for the 8xx. Adding it back makes my problem go away. Signed-off-by: Rex Feany Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit f2594aa22a219c7c1226b655292ffd5f81a35549 Author: Brian Rogers Date: Wed Sep 23 03:05:03 2009 -0700 saa7134: ir-kbd-i2c init data needs a persistent object commit 7aedd5ec87686c557d48584d69ad880c11a0984d upstream. Tested on MSI TV@nywhere Plus. Original commit message: ir-kbd-i2c's ir_probe() function can be called much later (i.e. at ir-kbd-i2c module load), than the lifetime of a struct IR_i2c_init_data allocated off of the stack in cx18_i2c_new_ir() at registration time. Make sure we pass a pointer to a persistent IR_i2c_init_data object at i2c registration time. Thanks to Brian Rogers, Dustin Mitchell, Andy Walls and Jean Delvare to rise this question. Before this patch, if ir-kbd-i2c were probed after SAA7134, trash data were used. Compile tested only, but the patch is identical to em28xx one. So, it should work properly. Original-patch-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [brian@xyzw.org: backported for 2.6.31] Signed-off-by: Brian Rogers Signed-off-by: Greg Kroah-Hartman commit 45af991d4e6a44e663c1314545e53bfae91bde68 Author: Brian Rogers Date: Wed Sep 23 03:05:02 2009 -0700 em28xx: ir-kbd-i2c init data needs a persistent object commit d2ebd0f806fdb6104903365e355675934eec22b2 upstream. Original commit message: ir-kbd-i2c's ir_probe() function can be called much later (i.e. at ir-kbd-i2c module load), than the lifetime of a struct IR_i2c_init_data allocated off of the stack in cx18_i2c_new_ir() at registration time. Make sure we pass a pointer to a persistent IR_i2c_init_data object at i2c registration time. Thanks to Brian Rogers, Dustin Mitchell, Andy Walls and Jean Delvare to rise this question. Before this patch, if ir-kbd-i2c were probed after em28xx, trash data were used. After the patch, no matter what order, it is properly reported as tested by me: input: i2c IR (i2c IR (EM2840 Hauppaug as /class/input/input10 ir-kbd-i2c: i2c IR (i2c IR (EM2840 Hauppaug detected at i2c-4/4-0030/ir0 [em28xx #0] Original-patch-by: Mauro Carvalho Chehab Signed-off-by: Mauro Carvalho Chehab [brian@xyzw.org: backported for 2.6.31] Signed-off-by: Brian Rogers Signed-off-by: Greg Kroah-Hartman commit 1934acbe047d32dcdf74ad75d61c8646ca0ced7b Author: Chris Wilson Date: Wed Sep 23 00:43:56 2009 +0100 drm/i915: Handle ERESTARTSYS during page fault commit c715089f49844260f1eeae8e3b55af9468ba1325 upstream. During a page fault and rebinding the buffer there exists a window for a signal to arrive during the i915_wait_request() and trigger a ERESTARTSYS. This used to be handled by returning SIGBUS and thereby killing the application. Try 'cairo-perf-trace & cairo-test-suite' and watch X go boom! The solution as suggested by H. Peter Anvin is to simply return NOPAGE and leave the higher layers to spot we did not fill the page and resubmit the page fault. Signed-off-by: Chris Wilson [anholt: Mostly squash it with another commit] Signed-off-by: Greg Kroah-Hartman commit 03429ffaea91375d8ed80a60fa13c9ffe694539a Author: Michael Abbott Date: Thu Sep 24 10:15:19 2009 +0200 Fix idle time field in /proc/uptime commit 96830a57de1197519b62af6a4c9ceea556c18c3d upstream. Git commit 79741dd changes idle cputime accounting, but unfortunately the /proc/uptime file hasn't caught up. Here the idle time calculation from /proc/stat is copied over. Signed-off-by: Michael Abbott Signed-off-by: Martin Schwidefsky Signed-off-by: Greg Kroah-Hartman commit 38a76cc6f6101a0cc42c2e58783107ec646efabe Author: Lee Schermerhorn Date: Mon Sep 21 17:03:40 2009 -0700 mmap: avoid unnecessary anon_vma lock acquisition in vma_adjust() commit 252c5f94d944487e9f50ece7942b0fbf659c5c31 upstream. We noticed very erratic behavior [throughput] with the AIM7 shared workload running on recent distro [SLES11] and mainline kernels on an 8-socket, 32-core, 256GB x86_64 platform. On the SLES11 kernel [2.6.27.19+] with Barcelona processors, as we increased the load [10s of thousands of tasks], the throughput would vary between two "plateaus"--one at ~65K jobs per minute and one at ~130K jpm. The simple patch below causes the results to smooth out at the ~130k plateau. But wait, there's more: We do not see this behavior on smaller platforms--e.g., 4 socket/8 core. This could be the result of the larger number of cpus on the larger platform--a scalability issue--or it could be the result of the larger number of interconnect "hops" between some nodes in this platform and how the tasks for a given load end up distributed over the nodes' cpus and memories--a stochastic NUMA effect. The variability in the results are less pronounced [on the same platform] with Shanghai processors and with mainline kernels. With 31-rc6 on Shanghai processors and 288 file systems on 288 fibre attached storage volumes, the curves [jpm vs load] are both quite flat with the patched kernel consistently producing ~3.9% better throughput [~80K jpm vs ~77K jpm] than the unpatched kernel. Profiling indicated that the "slow" runs were incurring high[er] contention on an anon_vma lock in vma_adjust(), apparently called from the sbrk() system call. The patch: A comment in mm/mmap.c:vma_adjust() suggests that we don't really need the anon_vma lock when we're only adjusting the end of a vma, as is the case for brk(). The comment questions whether it's worth while to optimize for this case. Apparently, on the newer, larger x86_64 platforms, with interesting NUMA topologies, it is worth while--especially considering that the patch [if correct!] is quite simple. We can detect this condition--no overlap with next vma--by noting a NULL "importer". The anon_vma pointer will also be NULL in this case, so simply avoid loading vma->anon_vma to avoid the lock. However, we DO need to take the anon_vma lock when we're inserting a vma ['insert' non-NULL] even when we have no overlap [NULL "importer"], so we need to check for 'insert', as well. And Hugh points out that we should also take it when adjusting vm_start (so that rmap.c can rely upon vma_address() while it holds the anon_vma lock). akpm: Zhang Yanmin reprts a 150% throughput improvement with aim7, so it might be -stable material even though thiss isn't a regression: "this issue is not clear on dual socket Nehalem machine (2*4*2 cpu), but is severe on large machine (4*8*2 cpu)" [hugh.dickins@tiscali.co.uk: test vma start too] Signed-off-by: Lee Schermerhorn Signed-off-by: Hugh Dickins Cc: Nick Piggin Cc: Eric Whitney Tested-by: "Zhang, Yanmin" Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0a0611ad425848a6bfb7c5825466c162b9e7a9b1 Author: Hugh Dickins Date: Mon Sep 21 17:03:29 2009 -0700 mm: fix anonymous dirtying commit 1ac0cb5d0e22d5e483f56b2bc12172dec1cf7536 upstream. do_anonymous_page() has been wrong to dirty the pte regardless. If it's not going to mark the pte writable, then it won't help to mark it dirty here, and clogs up memory with pages which will need swap instead of being thrown away. Especially wrong if no overcommit is chosen, and this vma is not yet VM_ACCOUNTed - we could exceed the limit and OOM despite no overcommit. Signed-off-by: Hugh Dickins Acked-by: Rik van Riel Cc: KAMEZAWA Hiroyuki Cc: KOSAKI Motohiro Cc: Nick Piggin Cc: Mel Gorman Cc: Minchan Kim Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 45e32d9a14c61cf84a730fd6c9e2e82fec211670 Author: Hugh Dickins Date: Mon Sep 21 17:03:23 2009 -0700 mm: munlock use follow_page commit 408e82b78bcc9f1b47c76e833c3df97f675947de upstream. Hiroaki Wakabayashi points out that when mlock() has been interrupted by SIGKILL, the subsequent munlock() takes unnecessarily long because its use of __get_user_pages() insists on faulting in all the pages which mlock() never reached. It's worse than slowness if mlock() is terminated by Out Of Memory kill: the munlock_vma_pages_all() in exit_mmap() insists on faulting in all the pages which mlock() could not find memory for; so innocent bystanders are killed too, and perhaps the system hangs. __get_user_pages() does a lot that's silly for munlock(): so remove the munlock option from __mlock_vma_pages_range(), and use a simple loop of follow_page()s in munlock_vma_pages_range() instead; ignoring absent pages, and not marking present pages as accessed or dirty. (Change munlock() to only go so far as mlock() reached? That does not work out, given the convention that mlock() claims complete success even when it has to give up early - in part so that an underlying file can be extended later, and those pages locked which earlier would give SIGBUS.) Signed-off-by: Hugh Dickins Acked-by: Rik van Riel Reviewed-by: Minchan Kim Cc: KAMEZAWA Hiroyuki Cc: KOSAKI Motohiro Cc: Nick Piggin Cc: Mel Gorman Reviewed-by: Hiroaki Wakabayashi Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 8df6b14fdeb4a3811d268fd4405488b121c81640 Author: Mel Gorman Date: Mon Sep 21 17:03:02 2009 -0700 page-allocator: limit the number of MIGRATE_RESERVE pageblocks per zone commit 78986a678f6ec3759a01976749f4437d8bf2d6c3 upstream. After anti-fragmentation was merged, a bug was reported whereby devices that depended on high-order atomic allocations were failing. The solution was to preserve a property in the buddy allocator which tended to keep the minimum number of free pages in the zone at the lower physical addresses and contiguous. To preserve this property, MIGRATE_RESERVE was introduced and a number of pageblocks at the start of a zone would be marked "reserve", the number of which depended on min_free_kbytes. Anti-fragmentation works by avoiding the mixing of page migratetypes within the same pageblock. One way of helping this is to increase min_free_kbytes because it becomes less like that it will be necessary to place pages of of MIGRATE_RESERVE is unbounded, the free memory is kept there in large contiguous blocks instead of helping anti-fragmentation as much as it should. With the page-allocator tracepoint patches applied, it was found during anti-fragmentation tests that the number of fragmentation-related events were far higher than expected even with min_free_kbytes at higher values. This patch limits the number of MIGRATE_RESERVE blocks that exist per zone to two. For example, with a sufficient min_free_kbytes, 4MB of memory will be kept aside on an x86-64 and remain more or less free and contiguous for the systems uptime. This should be sufficient for devices depending on high-order atomic allocations while helping fragmentation control when min_free_kbytes is tuned appropriately. As side-effect of this patch is that the reserve variable is converted to int as unsigned long was the wrong type to use when ensuring that only the required number of reserve blocks are created. With the patches applied, fragmentation-related events as measured by the page allocator tracepoints were significantly reduced when running some fragmentation stress-tests on systems with min_free_kbytes tuned to a value appropriate for hugepage allocations at runtime. On x86, the events recorded were reduced by 99.8%, on x86-64 by 99.72% and on ppc64 by 99.83%. Signed-off-by: Mel Gorman Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ee5cb1e63d0b163e6aa35e43e6f2a20f06d1934a Author: Lee Schermerhorn Date: Mon Sep 21 17:01:04 2009 -0700 hugetlb: restore interleaving of bootmem huge pages (2.6.31) Not upstream as it is fixed differently in .32 I noticed that alloc_bootmem_huge_page() will only advance to the next node on failure to allocate a huge page. I asked about this on linux-mm and linux-numa, cc'ing the usual huge page suspects. Mel Gorman responded: I strongly suspect that the same node being used until allocation failure instead of round-robin is an oversight and not deliberate at all. It appears to be a side-effect of a fix made way back in commit 63b4613c3f0d4b724ba259dc6c201bb68b884e1a ["hugetlb: fix hugepage allocation with memoryless nodes"]. Prior to that patch it looked like allocations would always round-robin even when allocation was successful. Andy Whitcroft countered that the existing behavior looked like Andi Kleen's original implementation and suggested that we ask him. We did and Andy replied that his intention was to interleave the allocations. So, ... This patch moves the advance of the hstate next node from which to allocate up before the test for success of the attempted allocation. This will unconditionally advance the next node from which to alloc, interleaving successful allocations over the nodes with sufficient contiguous memory, and skipping over nodes that fail the huge page allocation attempt. Note that alloc_bootmem_huge_page() will only be called for huge pages of order > MAX_ORDER. Signed-off-by: Lee Schermerhorn Reviewed-by: Andi Kleen Cc: Mel Gorman Cc: David Rientjes Cc: Adam Litke Cc: Andy Whitcroft Cc: Eric Whitney Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 1d831f627023604afd7a1d789c8aa67b4aa02682 Author: KAMEZAWA Hiroyuki Date: Mon Sep 21 17:01:02 2009 -0700 /proc/kcore: work around a BUG() Not upstream due to other fixes in .32 Works around a BUG() which is triggered when the kernel accesses holes in vmalloc regions. BUG: unable to handle kernel paging request at fa54c000 IP: [] read_kcore+0x260/0x31a *pde = 3540b067 *pte = 00000000 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/pci0000:00/0000:00:1c.2/0000:03:00.0/ieee80211/phy0/rfkill0/state Modules linked in: fuse sco bridge stp llc bnep l2cap bluetooth sunrpc nf_conntrack_ftp ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 cpufreq_ondemand acpi_cpufreq dm_multipath uinput usb_storage arc4 ecb snd_hda_codec_realtek snd_hda_intel ath5k snd_hda_codec snd_hwdep iTCO_wdt snd_pcm iTCO_vendor_support pcspkr i2c_i801 mac80211 joydev snd_timer serio_raw r8169 snd soundcore mii snd_page_alloc ath cfg80211 ata_generic i915 drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan] Sep 4 12:45:16 tuxedu kernel: Pid: 2266, comm: cat Not tainted (2.6.31-rc8 #2) Joybook Lite U101 EIP: 0060:[] EFLAGS: 00010286 CPU: 0 EIP is at read_kcore+0x260/0x31a EAX: f5e5ea00 EBX: fa54d000 ECX: 00000400 EDX: 00001000 ESI: fa54c000 EDI: f44ad000 EBP: e4533f4c ESP: e4533f24 DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 Process cat (pid: 2266, ti=e4532000 task=f09d19a0 task.ti=e4532000) Stack: 00005000 00000000 f44ad000 09d9c000 00003000 fa54c000 00001000 f6d16f60 e4520b80 fffffffb e4533f70 c04ef8eb e4533f98 00008000 09d97000 c04f661a e4520b80 09d97000 c04ef88c e4533f8c c04ba531 e4533f98 c04c0930 e4520b80 Call Trace: [] ? proc_reg_read+0x5f/0x73 [] ? read_kcore+0x0/0x31a [] ? proc_reg_read+0x0/0x73 [] ? vfs_read+0x82/0xe1 [] ? path_put+0x1a/0x1d [] ? sys_read+0x40/0x62 [] ? sysenter_do_call+0x12/0x2d Code: 39 f3 89 ca 0f 43 f3 89 fb 29 f2 29 f3 39 cf 0f 46 d3 29 55 dc 8d 1c 32 f6 40 0c 01 75 18 89 d1 89 f7 c1 e9 02 2b 7d ec 03 7d e0 a5 89 d1 83 e1 03 74 02 f3 a4 8b 00 83 7d dc 00 74 04 85 c0 EIP: [] read_kcore+0x260/0x31a SS:ESP 0068:e4533f24 CR2: 00000000fa54c000 To access vmalloc area which may have memory holes, copy_from_user is useful. So this: # cat /proc/kcore > /dev/null will not panic. This is a minimal fix, suitable for 2.6.30.x and 2.6.31. More extensive /proc/kcore changes are planned for 2.6.32. Signed-off-by: KAMEZAWA Hiroyuki Tested-by: Nick Craig-Wood Cc: Pekka Enberg Reported-by: Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 59664c0bdadb460086399375a3203fd08feb6abf Author: Sarah Sharp Date: Tue Sep 8 13:20:16 2009 -0700 USB: Fix SS endpoint companion descriptor parsing. commit 6682bb39e111b34290e25c4d275c5bcf8bbccbe1 upstream. When there's a descriptor after the SuperSpeed endpoint companion descriptor, the previous code would have skipped over twice the length it was supposed to. This code fixes crashes seen with UASP devices (which have a UASP descriptor after the SS endpoint companion descriptor). Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 1e7198c04256707887c996bc768e51225bca877e Author: Sarah Sharp Date: Wed Sep 2 12:14:28 2009 -0700 USB: xhci: Support interrupt transfers. commit 624defa12f304b4d11eda309bc207fa5a1900d0f upstream. Interrupt transfers are submitted to the xHCI hardware using the same TRB type as bulk transfers. Re-use the bulk transfer enqueueing code to enqueue interrupt transfers. Interrupt transfers are a bit different than bulk transfers. When the interrupt endpoint is to be serviced, the xHC will consume (at most) one TD. A TD (comprised of sg list entries) can take several service intervals to transmit. The important thing for device drivers to note is that if they use the scatter gather interface to submit interrupt requests, they will not get data sent from two different scatter gather lists in the same service interval. For now, the xHCI driver will use the service interval from the endpoint's descriptor (bInterval). Drivers will need a hook to poll at a more frequent interval. Set urb->interval to the interval that the xHCI hardware will use. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 6b65d1c68d84f301a087f9874431780ed71b90d7 Author: Sarah Sharp Date: Fri Aug 28 14:28:18 2009 -0700 USB: xhci: Set -EREMOTEIO when xHC gives bad transfer length. commit 2f697f6cbff155b3ce4053a50cdf00b5be4dda11 upstream. The xHCI hardware reports the number of bytes untransferred for a given transfer buffer. If the hardware reports a bytes untransferred value greater than the submitted buffer size, we want to play it safe and say no data was transferred. If the driver considers a short packet to be an error, remember to set -EREMOTEIO. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit ff17e475b70b0168aa89e8726679bfedd044b998 Author: Sarah Sharp Date: Fri Aug 28 14:28:15 2009 -0700 USB: xhci: Check URB_SHORT_NOT_OK before setting short packet status. commit 204970a4bb2f584afc430ae330cd44aee329cea4 upstream. Make sure that the driver that submitted the URB considers a short packet an error before setting -EREMOTEIO during a short control transfer. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 1eb1b69f40b9ee5f5645109f380be78daf8e9ddd Author: Sarah Sharp Date: Thu Aug 27 14:36:24 2009 -0700 USB: xhci: Check URB's actual transfer buffer size. commit 99eb32db45061443ab7552b8fdceae68b90fde55 upstream. Make sure that the amount of data the xHC says was transmitted is less than or equal to the size of the requested transfer buffer. Before, if the host controller erroneously reported that the number of bytes untransferred was bigger than the buffer in the URB, urb->actual_length could be set to a very large size. Make sure urb->actual_length <= urb->transfer_buffer_length. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 851834e4a2bd1015b05b201aff79adb643d97f10 Author: Sarah Sharp Date: Thu Aug 27 14:36:14 2009 -0700 USB: xhci: Don't touch xhci_td after it's freed. commit 9191eee7b8a0e18c07c06d6da502706805cab6d2 upstream. On a successful transfer, urb->td is freed before the URB is ready to be given back to the driver. Don't touch urb->td after it's freed. This bug would have only shown up when xHCI debugging was turned on, and the freed memory was quickly reused for something else. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 9fa7825a00bb88d022a22d914646a1ce5e3ee5e0 Author: Sarah Sharp Date: Thu Aug 27 14:36:03 2009 -0700 USB: xhci: Handle babbling endpoints correctly. commit 83fbcdcca03013bb5af130d6d91eba11e3d3269e upstream. The 0.95 xHCI spec says that non-control endpoints will be halted if a babble is detected on a transfer. The 0.96 xHCI spec says all types of endpoints will be halted when a babble is detected. Some hardware that claims to be 0.95 compliant halts the control endpoint anyway. When a babble is detected on a control endpoint, check the hardware's output endpoint context to see if the endpoint is marked as halted. If the control endpoint is halted, a reset endpoint command must be issued and the transfer ring dequeue pointer needs to be moved past the stopped transfer. Basically, we treat it as if the control endpoint had stalled. Handle bulk babbling endpoints as if we got a completion event with a stall completion code. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit fed392f6ec5c09647298b23519e366b3526c55ac Author: Sarah Sharp Date: Thu Aug 27 14:35:53 2009 -0700 USB: xhci: Make TRB completion code comparison readable. commit 66d1eebce5cca916e0b08d961690bb01c64751ef upstream. Use trb_comp_code instead of getting the completion code from the transfer event every time. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit f9907731b59720884910cbef393fc0c006f6b7da Author: Sarah Sharp Date: Fri Aug 7 14:04:55 2009 -0700 USB: xhci: Add quirk for Fresco Logic xHCI hardware. commit ac9d8fe7c6a8041cca5a0738915d2c4e21381421 upstream. This Fresco Logic xHCI host controller chip revision puts bad data into the output endpoint context after a Reset Endpoint command. It needs a Configure Endpoint command (instead of a Set TR Dequeue Pointer command) after the reset endpoint command. Set up the input context before issuing the Reset Endpoint command so we don't copy bad data from the output endpoint context. The HW also can't handle two commands queued at once, so submit the TRB for the Configure Endpoint command in the event handler for the Reset Endpoint command. Devices that stall on control endpoints before a configuration is selected will not work under this Fresco Logic xHCI host controller revision. This patch is for prototype hardware that will be given to other companies for evaluation purposes only, and should not reach consumer hands. Fresco Logic's next chip rev should have this bug fixed. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit e1edf432ef2f2a997cfe026f05135a0162eb589c Author: Sarah Sharp Date: Fri Aug 7 14:04:52 2009 -0700 USB: xhci: Handle stalled control endpoints. commit 82d1009f537c2a43be0a410abd33521f76ee3a5a upstream. When a control endpoint stalls, the next control transfer will clear the stall. The USB core doesn't call down to the host controller driver's endpoint_reset() method when control endpoints stall, so the xHCI driver has to do all its stall handling for internal state in its interrupt handler. When the host stalls on a control endpoint, it may stop on the data phase or status phase of the control transfer. Like other stalled endpoints, the xHCI driver needs to queue a Reset Endpoint command and move the hardware's control endpoint ring dequeue pointer past the failed control transfer (with a Set TR Dequeue Pointer or a Configure Endpoint command). Since the USB core doesn't call usb_hcd_reset_endpoint() for control endpoints, we need to do this in interrupt context when we get notified of the stalled transfer. URBs may be queued to the hardware before these two commands complete. The endpoint queue will be restarted once both commands complete. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 2f670d465897b491da0b82fd8b047b9ec75bf8c8 Author: Sarah Sharp Date: Fri Aug 7 14:04:49 2009 -0700 USB: xhci: Support full speed devices. commit 2d3f1fac7ee8bb4c6fad40f838488edbeabb0c50 upstream. Full speed devices have varying max packet sizes (8, 16, 32, or 64) for endpoint 0. The xHCI hardware needs to know the real max packet size that the USB core discovers after it fetches the first 8 bytes of the device descriptor. In order to fix this without adding a new hook to host controller drivers, the xHCI driver looks for an updated max packet size for control endpoints. If it finds an updated size, it issues an evaluate context command and waits for that command to finish. This should only happen in the initialization and device descriptor fetching steps in the khubd thread, so blocking should be fine. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit af7a3a38d3eee5b30a3fa7b11d87175f2df3e1c6 Author: Sarah Sharp Date: Fri Aug 7 14:04:46 2009 -0700 USB: xhci: Set correct max packet size for HS/FS control endpoints. commit 47aded8ade9fee6779b121b2b156235f261239d7 upstream. Set the max packet size for the default control endpoint on high speed devices to be 64 bytes. High speed devices always have a max packet size of 64 bytes. There's no use setting it to eight for the initial 8 byte descriptor fetch and then issuing (and waiting for) an evaluate context command to update it to 64 bytes for the subsequent control transfers. The USB core guesses that the max packet size on a full speed control endpoint is 64 bytes, and then updates it after the first 8-byte descriptor fetch. Change the initial setup for the xHCI internal representation of the full speed device to have a 64 byte max packet size. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit e0060ce0d99331fb3f4172d97b47ff00bebf0006 Author: Sarah Sharp Date: Fri Aug 7 14:04:43 2009 -0700 USB: xhci: Configure endpoint code refactoring. commit f2217e8edd95b0428d8123d426e0097a5e955f9f upstream. Refactor out the code issue, wait for, and parse the event completion code for a configure endpoint command. Modify it to support the evaluate context command, which has a very similar submission process. Add functions to copy parts of the output context into the input context (which will be used in the evaluate context command). Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 66bf28eeb930417010b7cc72a30bf97ff42a77f5 Author: Sarah Sharp Date: Fri Aug 7 14:04:40 2009 -0700 USB: xhci: Fix slot and endpoint context debugging. commit 018218d1d9eb06116d24a02dd5e7a390f0353d0f upstream. Use the virtual address of the memory hardware uses, not the address for the container of that memory. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 15113e82cec9493b772ff5ef1decb53727d56a63 Author: Sarah Sharp Date: Fri Aug 7 14:04:36 2009 -0700 USB: xhci: Work around for chain bit in link TRBs. commit b0567b3f635db72c881a0d561cebb544ec085073 upstream. Different sections of the xHCI 0.95 specification had opposing requirements for the chain bit in a link transaction request buffer (TRB). The chain bit is used to designate that adjacent TRBs are all part of the same scatter gather list that should be sent to the device. Link TRBs can be in the middle, or at the beginning or end of these chained TRBs. Sections 4.11.5.1 and 6.4.4.1 both stated the link TRB "shall have the chain bit set to 1", meaning it is always chained to the next TRB. However, section 4.6.9 on the stop endpoint command has specific cases for what the hardware must do for a link TRB with the chain bit set to 0. The 0.96 specification errata later cleared up this issue by fixing the 4.11.5.1 and 6.4.4.1 sections to state that a link TRB can have the chain bit set to 1 or 0. The problem is that the xHCI cancellation code depends on the chain bit of the link TRB being cleared when it's at the end of a TD, and some 0.95 xHCI hardware simply stops processing the ring when it encounters a link TRB with the chain bit cleared. Allow users who are testing 0.95 xHCI prototypes to set a module parameter (link_quirk) to turn on this link TRB work around. Cancellation may not work if the ring is stopped exactly on a link TRB with chain bit set, but cancellation should be a relatively uncommon case. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 222a7a9802c5ce73dfa3931e5cb585e44544cb6f Author: Alan Stern Date: Fri Sep 4 15:29:59 2009 -0400 USB serial: update the console driver commit 7bd032dc2793afcbaf4a350056768da84cdbd89b upstream. This patch (as1292) modifies the USB serial console driver, to make it compatible with the recent changes to the USB serial core. The most important change is that serial->disc_mutex now has to be unlocked following a successful call to usb_serial_get_by_index(). Other less notable changes include: Use the requested port number instead of port 0 always. Prevent the serial device from being autosuspended. Use the ASYNCB_INITIALIZED flag bit to indicate when the port hardware has been initialized. In spite of these changes, there's no question that the USB serial console code is still a big hack. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit e637e77245046fbb1d812543ced77e288614c66b Author: Alan Stern Date: Tue Sep 1 11:39:59 2009 -0400 usb-serial: straighten out serial_open commit 320348c8d5c9b591282633ddb8959b42f7fc7a1c upstream. This patch (as1291) removes a bunch of code from serial_open(), things that were rendered unnecessary by earlier patches. A missing spinlock is added to protect port->port.count, which needs to be incremented even if the open fails but not if the tty has gotten a hangup. The test for whether the hardware has been initialized, based on the use count, is replaced by a more transparent test of the ASYNCB_INITIALIZED bit in the port flags. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 8eefb51971e841d2c0af529ddab02babbf8ca8d5 Author: Alan Stern Date: Tue Sep 1 11:39:51 2009 -0400 usb-serial: add missing tests and debug lines commit ff8324df1187b7280e507c976777df76c73a1ef1 upstream. This patch (as1290) adds some missing tests. serial_down() isn't supposed to do anything if the hardware hasn't been initialized, and serial_close() isn't supposed to do anything if the tty has gotten a hangup (because serial_hangup() takes care of shutting down the hardware). The patch also updates and adds a few debugging lines. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit b70d28dfb4641a54691f2bf133f30cc74588957e Author: Alan Stern Date: Tue Sep 1 11:39:40 2009 -0400 usb-serial: rename subroutines commit 74556123e034c8337b69a3ebac2f3a5fc0a97032 upstream. This patch (as1289) renames serial_do_down() to serial_down() and serial_do_free() to serial_release(). It also adds a missing call to tty_shutdown() in serial_release(). Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit b8580fde3ba44a0f00bf186dc5e4935bbd51be29 Author: Alan Stern Date: Tue Sep 1 11:39:22 2009 -0400 usb-serial: fix termios initialization logic commit 7e29bb4b779f4f35385e6f21994758845bf14d23 upstream. This patch (as1288) fixes the initialization logic in serial_install(). A new tty always needs to have a termios initialized no matter what, not just in the case where the lower driver will override the termios settings. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 11f4140f0e28e7ee9d1c3d824f8210759d2e8514 Author: Alan Stern Date: Tue Sep 1 11:39:13 2009 -0400 usb-serial: acquire references when a new tty is installed commit cc56cd0157753c04a987888a2f793803df661a40 upstream. This patch (as1287) makes serial_install() be reponsible for acquiring references to the usb_serial structure and the driver module when a tty is first used. This is more sensible than having serial_open() do it, because a tty can be opened many times whereas it is installed only once, when it is created. (Not to mention that these actions are reversed when the tty is released, not when it is closed.) Finally, it is at install time that the TTY core takes its own reference to the usb_serial module, so it is only fitting that we should act the same way in regard to the lower-level serial driver. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit e40aac84871676390759cd7d38658da3b7d7fb57 Author: Alan Stern Date: Tue Sep 1 11:38:59 2009 -0400 usb-serial: change logic of serial lookups commit 8bc2c1b2daf95029658868cb1427baea2da87139 upstream. This patch (as1286) changes usb_serial_get_by_index(). Now the routine will check whether the serial device has been disconnected; if it has then the return value will be NULL. If the device hasn't been disconnected then the routine will return with serial->disc_mutex held, so that the caller can use the structure without fear of racing against driver unloads. This permits the scope of table_mutex in destroy_serial() to be reduced. Instead of protecting the entire function, it suffices to protect the part that actually uses serial_table[], i.e., the call to return_serial(). There's no longer any danger of the refcount being incremented after it reaches 0 (which was the reason for having the large scope previously), because it can't reach 0 until the serial device has been disconnected. Also, the patch makes serial_install() check that serial is non-NULL before attempting to use it. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit fdede6e8c7a61fdfb1d82314b4801917778a4488 Author: Alan Stern Date: Tue Sep 1 11:38:44 2009 -0400 usb-serial: put subroutines in logical order commit f5b0953a89fa3407fb293cc54ead7d8feec489e4 upstream. This patch (as1285) rearranges the subroutines in usb-serial.c concerned with tty lifetimes into a more logical order: install, open, hangup, close, release. It also updates the formatting of the kerneldoc comments. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit c9fb3ded7a8a6769f3bcb3ef3d9aed61d3e376a9 Author: Alan Stern Date: Tue Sep 1 11:38:34 2009 -0400 usb-serial: change referencing of port and serial structures commit 41bd34ddd7aa46dbc03b5bb33896e0fa8100fe7b upstream. This patch (as1284) changes the referencing of the usb_serial and usb_serial_port structures in usb-serial.c. It's not feasible to make the port structures keep a reference to the serial structure, because the ports need to remain in existence when serial is released -- quite a few of the drivers expect this. Consequently taking a reference to the port when the device file is open is insufficient; such a reference would not pin serial. To fix this, we now take a reference to serial when the device file is opened. The final put_device() for the ports occurs in destroy_serial(), so that the ports will last as long as they are needed. The patch initializes all the port devices, including those in the unused "fake" ports. This makes the code more uniform because they can all be released in the same way. The error handling code in usb_serial_probe() is much simplified by this approach; instead of freeing everything by hand we can use a single usb_serial_put() call. Also simplified is the port-release mechanism. Instead of being two separate routines, port_release() and port_free() can be combined into one. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 17fd426331d1e4611654985dd545a52d200dd9d1 Author: Alan Cox Date: Sat Sep 19 13:13:33 2009 -0700 tty: USB serial termios bits commit fe1ae7fdd2ee603f2d95f04e09a68f7f79045127 upstream. Various drivers have hacks to mangle termios structures. This stems from the fact there is no nice setup hook for configuring the termios settings when the port is created Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit fa31221e38207cece07a6d96854a0fcf47c75ae5 Author: Luca Tettamanti Date: Tue Sep 15 17:18:10 2009 +0200 hwmon: (asus_atk0110) Add maintainer information commit 2c2a6172afab7421f6af7e228cd3121f423ea932 upstream. Add myself as asus_atk0110 maintainer. Signed-off-by: Luca Tettamanti Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 8c356be946801075b40ac8c234d5b34e9dd06c55 Author: Alan Cox Date: Sat Sep 19 13:13:24 2009 -0700 tty: USB can now use the shutdown method for kref based freeing of ports commit 4455e344959a217ffc28de2ab1af87541322b343 upstream. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 08f30ff9811e59c08d1cee043ce55b2e862efe58 Author: Alan Cox Date: Sat Sep 19 13:13:23 2009 -0700 tty: USB hangup is racy commit d2b391822a11302add9e46476f3da4e18e6de84c upstream. The USB layer uses tty_hangup to deal with unplugs of the physical hardware (analogous to loss of carrier) and then frees the resources. However the tty_hangup is asynchronous. As the hangup can sleep we can use tty_vhangup which is the non async version to avoid freeing resources too early. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 4260dc792fabfd20c8644fa9414b2ae48372365f Author: Alan Cox Date: Sat Sep 19 13:13:20 2009 -0700 tty: Add a full port_close function commit 7ca0ff9ab3218ec443a7a9ad247e4650373ed41e upstream. Now we are extracting out methods for shutdown and the like we can add a proper tty_port_close method that knows all the innards of the tty closing process and hides the lot from the caller. At some point in the future this will be paired with a similar open() helper and the drivers can stick to hardware management. Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 51451faaad9348b73a0c1e00e984a6029fca37fd Author: Alan Stern Date: Thu Jul 30 15:27:18 2009 -0400 Driver core: add new device to bus's list before probing commit 2023c610dc54a4f4130b0494309a9bd668ca3df8 upstream. This patch (as1271) affects when new devices get linked into their bus's list of devices. Currently this happens after probing, and it doesn't happen at all if probing fails. Clearly this is wrong, because at that point quite a few symbolic links have already been created in sysfs. We are committed to adding the device, so it should be linked into the bus's list regardless. In addition, this needs to happen before the uevent announcing the new device gets issued. Otherwise user programs might try to access the device before it has been added to the bus. To fix both these problems, the patch moves the call to klist_add_tail() forward from bus_attach_device() to bus_add_device(). Since bus_attach_device() now does nothing but probe for drivers, it has been renamed to bus_probe_device(). And lastly, the kerneldoc is updated. Signed-off-by: Alan Stern CC: Kay Sievers Signed-off-by: Greg Kroah-Hartman commit 956dc371fe5411ed8a22f1857df3c97f61e9c0c9 Author: Bob Copeland Date: Sat Jul 4 12:59:54 2009 -0400 ath5k: do not release irq across suspend/resume commit 0d0cd72fa1e6bfd419c99478ec70b4877ed0ef86 upstream. Paraphrasing Rafael J. Wysocki: "drivers should not release PCI IRQs in suspend." Doing so causes a warning during suspend/resume on some platforms. Cc: Rafael J. Wysocki Reported-by: Alan Jenkins Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a5901d2b8dc71e82e3ba2af5f54f4fdee5bf8f04 Author: Nick Kossifidis Date: Mon Aug 10 03:29:02 2009 +0300 ath5k: Wakeup fixes commit edd7fc7003f31da48d06e215a93ea966a22c2a03 upstream. * Don't put chip to full sleep because there are problems during wakeup. Instead hold MAC/Baseband on warm reset state via a new function ath5k_hw_on_hold. * Minor cleanups Signed-off-by: Nick Kossifidis Tested-by: Ben Greear Tested-by: Johannes Stezenbach Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 409041b5d7368692eaf18334a243626c7c442722 Author: Patrick McHardy Date: Thu Sep 17 13:58:30 2009 +0200 netfilter: ebt_ulog: fix checkentry return value netfilter: ebt_ulog: fix checkentry return value Upstream commit 8a56df0a: Commit 19eda87 (netfilter: change return types of check functions for Ebtables extensions) broke the ebtables ulog module by missing a return value conversion. Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit d947ca0cc9a18cfd96e30e881706d5678e4b21b4 Author: Patrick McHardy Date: Thu Sep 17 13:58:29 2009 +0200 netfilter: bridge: refcount fix netfilter: bridge: refcount fix Upstream commit f3abc9b9: commit f216f082b2b37c4943f1e7c393e2786648d48f6f ([NETFILTER]: bridge netfilter: deal with martians correctly) added a refcount leak on in_dev. Instead of using in_dev_get(), we can use __in_dev_get_rcu(), as netfilter hooks are running under rcu_read_lock(), as pointed by Patrick. Signed-off-by: Eric Dumazet Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit 179bce60a7a84af7b5377a3062e7cfc7c3b27bed Author: Patrick McHardy Date: Thu Sep 17 13:58:28 2009 +0200 netfilter: nf_conntrack: netns fix re reliable conntrack event delivery netfilter: nf_conntrack: netns fix re reliable conntrack event delivery Upstream commit ee254fa4: Conntracks in netns other than init_net dying list were never killed. Signed-off-by: Alexey Dobriyan Acked-by: Pablo Neira Ayuso Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit dad96b40ce624b4e61d96476338b62beb025559d Author: Patrick McHardy Date: Thu Sep 17 13:58:26 2009 +0200 netfilter: nf_nat: fix inverted logic for persistent NAT mappings netfilter: nf_nat: fix inverted logic for persistent NAT mappings Upstream commit cce5a5c3: Kernel 2.6.30 introduced a patch [1] for the persistent option in the netfilter SNAT target. This is exactly what we need here so I had a quick look at the code and noticed that the patch is wrong. The logic is simply inverted. The patch below fixes this. Also note that because of this the default behavior of the SNAT target has changed since kernel 2.6.30 as it now ignores the destination IP in choosing the source IP for nating (which should only be the case if the persistent option is set). [1] http://git.eu.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=98d500d66cb7940747b424b245fc6a51ecfbf005 Signed-off-by: Maximilian Engelhardt Signed-off-by: Patrick McHardy Signed-off-by: Greg Kroah-Hartman commit c37689d1ffdc318528029da35c24461b34fc05ca Author: Pierre Habouzit Date: Thu Sep 17 09:47:09 2009 +0200 perf tools: do not complain if root is owning perf.data commit 119e7a22bb70d84849384e5113792cd45afa4f85 upstream. This improves patch fa6963b24 so that perf.data stuff that has been dumped as root can be read (annotate/report) by a user without the use of the --force. Rationale is that root has plenty of ways to screw us (usually) that do not require twisted schemes involving specially crafting a perf.data. Signed-off-by: Pierre Habouzit Cc: Paul Mackerras Cc: Peter Zijlstra LKML-Reference: <20090827075902.GF19653@laphroaig.corp> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 0f71d95b3a9e64cbfe10b9d3faeed465353ff369 Author: Kurt Roeckx Date: Wed Sep 16 11:09:32 2009 -0400 Fix NULL ptr regression in powernow-k8 commit f0adb134d8dc9993a9998dc50845ec4f6ff4fadc upstream. Fixes bugzilla #13780 From: Kurt Roeckx Signed-off-by: Dave Jones Signed-off-by: Greg Kroah-Hartman commit 6a66028959852ba913575e42be714d3e3e52a8df Author: Marcelo Tosatti Date: Mon Sep 28 15:09:55 2009 -0300 Revert "KVM: x86: check for cr3 validity in ioctl_set_sregs" (cherry picked from commit dc7e795e3dd2a763e5ceaa1615f307e808cf3932) This reverts commit 6c20e1442bb1c62914bb85b7f4a38973d2a423ba. To my understanding, it became obsolete with the advent of the more robust check in mmu_alloc_roots (89da4ff17f). Moreover, it prevents the conceptually safe pattern 1. set sregs 2. register mem-slots 3. run vcpu by setting a sticky triple fault during step 1. Signed-off-by: Jan Kiszka Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit c3443b436a0767cbc0d4ab405f8fa13fb34bd56c Author: Avi Kivity Date: Fri Sep 18 17:29:28 2009 -0300 KVM: Protect update_cr8_intercept() when running without an apic (cherry picked from commit 88c808fd42b53a7e01a2ac3253ef31fef74cb5af) update_cr8_intercept() can be triggered from userspace while there is no apic present. Signed-off-by: Avi Kivity Cc: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit c05d2ba2c54deb24cd2c8cb8345bd4d7624cbdba Author: Marcelo Tosatti Date: Fri Sep 18 17:29:27 2009 -0300 KVM: MMU: fix bogus alloc_mmu_pages assignment (cherry picked from commit b90c062c65cc8839edfac39778a37a55ca9bda36) Remove the bogus n_free_mmu_pages assignment from alloc_mmu_pages. It breaks accounting of mmu pages, since n_free_mmu_pages is modified but the real number of pages remains the same. Signed-off-by: Marcelo Tosatti Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 7b05aacb73a87411552cf83ab0a0bf519d47ef2f Author: Marcelo Tosatti Date: Fri Sep 18 17:29:26 2009 -0300 KVM: MMU: fix missing locking in alloc_mmu_pages (cherry picked from commit 6a1ac77110ee3e8d8dfdef8442f3b30b3d83e6a2) n_requested_mmu_pages/n_free_mmu_pages are used by kvm_mmu_change_mmu_pages to calculate the number of pages to zap. alloc_mmu_pages, called from the vcpu initialization path, modifies this variables without proper locking, which can result in a negative value in kvm_mmu_change_mmu_pages (say, with cpu hotplug). Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 1cb6728f666f55ecfcf79a9713c6f2b23d1b2925 Author: Mark McLoughlin Date: Fri Sep 18 17:29:25 2009 -0300 KVM: fix cpuid E2BIG handling for extended request types (cherry picked from commit cb007648de83cf226d69ec76e1c01848b4e8e49f) If we run out of cpuid entries for extended request types we should return -E2BIG, just like we do for the standard request types. Signed-off-by: Mark McLoughlin Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit a7207f0d215647ce7ee5f0e6308d6afab6f3584c Author: Linus Torvalds Date: Fri Sep 18 07:05:58 2009 -0700 pty_write: don't do a tty_wakeup() when the buffers are full commit 202c4675c55ddf6b443c7e057d2dff6b42ef71aa upstream. Commit ac89a9174 ("pty: don't limit the writes to 'pty_space()' inside 'pty_write()'") removed the pty_space() checking, in order to let the regular tty buffer code limit the buffering itself. That was all good, but as a subtle side effect it meant that we'd be doing a tty_wakeup() even in the case where the buffers were all filled up, and didn't actually make any progress on the write. Which sounds innocuous, but it interacts very badly with the ppp_async code, which has an infinite loop in ppp_async_push() that tries to push out data to the tty. When we call tty_wakeup(), that loop ends up thinking that progress was made (see the subtle interactions between XMIT_WAKEUP and 'tty_stuffed' for details). End result: one unhappy ppp user. Fixed by noticing when tty_insert_flip_string() didn't actually do anything, and then not doing any more processing (including, very much not calling tty_wakeup()). Bisected-and-tested-by: Peter Volkov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5c7fba322917ef91842676de55fba470bc2af5f3 Author: Arjan van de Ven Date: Wed Sep 30 13:54:47 2009 +0200 net: Make the copy length in af_packet sockopt handler unsigned fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way The length of the to-copy data structure is currently stored in a signed integer. However many comparisons are done with sizeof(..) which is unsigned. It's more suitable for this variable to be unsigned to make these comparisons more naturally right. Signed-off-by: Arjan van de Ven Cc: David S. Miller Cc: Ingo Molnar Cc: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 536a16fef0f84b71d949c67b0fc51de6325bca32 Author: Arjan van de Ven Date: Wed Sep 30 13:51:11 2009 +0200 net ax25: Fix signed comparison in the sockopt handler fixed upstream in commit b7058842c940ad2c08dd829b21e5c92ebe3b8758 in a different way The ax25 code tried to use if (optlen < sizeof(int)) return -EINVAL; as a security check against optlen being negative (or zero) in the set socket option. Unfortunately, "sizeof(int)" is an unsigned property, with the result that the whole comparison is done in unsigned, letting negative values slip through. This patch changes this to if (optlen < (int)sizeof(int)) return -EINVAL; so that the comparison is done as signed, and negative values get properly caught. Signed-off-by: Arjan van de Ven Cc: David S. Miller Cc: Ingo Molnar Cc: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 7e7f56f9d27ddb7716dcda188436ad97880ec5c9 Author: Pavel Machek Date: Sun Sep 6 07:28:40 2009 +0200 pxa/sharpsl_pm: zaurus c3000 aka spitz: fix resume commit 99f329a2ba3c2d07cc90ca9309babf27ddf98bff upstream. sharpsl_pm.c code tries to read battery state very early during resume, but those battery meters are connected on SPI and that's only resumed way later. Replace the check with simple checking of battery fatal signal, that actually works at this stage. Signed-off-by: Pavel Machek Tested-by: Stanislav Brabec Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit be16b784ecaa789d3ec9055747de67563acea696 Author: Tejun Heo Date: Thu Sep 17 00:34:39 2009 +0900 ahci: restore pci_intx() handling commit 31b239ad1ba7225435e13f5afc47e48eb674c0cc upstream. Commit a5bfc4714b3f01365aef89a92673f2ceb1ccf246 dropped explicit pci_intx() manipulation from ahci because it seemed unnecessary and ahci doesn't seem to be the right place to be tweaking it if it were. This was largely okay but there are exceptions. There was one on an embedded platform which was fixed via firmware and now bko#14124 reports it on a HP DL320. http://bugzilla.kernel.org/show_bug.cgi?id=14124 I still think this isn't something libata drivers should be caring about (the only ones which are calling pci_intx() explicitly are libata ones and one other driver) but for now reverting the change seems to be the right thing to do. Signed-off-by: Tejun Heo Reported-by: Thomas Jarosch Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit c115590dc5ed153892b2e92541a34387dc3e7453 Author: Oliver Hartkopp Date: Tue Sep 15 01:31:34 2009 -0700 can: fix NOHZ local_softirq_pending 08 warning commit 481a8199142c050b72bff8a1956a49fd0a75bbe0 upstream. When using nanosleep() in an userspace application we get a ratelimit warning NOHZ: local_softirq_pending 08 for 10 times. The echo of CAN frames is done from process context and softirq context only. Therefore the usage of netif_rx() was wrong (for years). This patch replaces netif_rx() with netif_rx_ni() which has to be used from process/softirq context. It also adds a missing comment that can_send() must no be used from hardirq context. Signed-off-by: Oliver Hartkopp Signed-off-by: Urs Thuermann Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit b9703d921e254b499b300d652b4f35420176d509 Author: J. Bruce Fields Date: Tue Sep 15 12:22:42 2009 -0400 nfsd4: fix null dereference creating nfsv4 callback client commit 886e3b7fe6054230c89ae078a09565ed183ecc73 upstream. On setting up the callback to the client, we attempt to use the same authentication flavor the client did. We find an rpc cred to use by calling rpcauth_lookup_credcache(), which assumes that the given authentication flavor has a credentials cache. However, this is not required to be true--in particular, auth_null does not use one. Instead, we should call the auth's lookup_cred() method. Without this, a client attempting to mount using nfsv4 and auth_null triggers a null dereference. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit 7abf3aa8294d95e3f0be375f30e8d933f874ada0 Author: Eric Anholt Date: Thu Sep 10 17:48:48 2009 -0700 agp/intel: Fix the pre-9xx chipset flush. commit e517a5e97080bbe52857bd0d7df9b66602d53c4d upstream. Ever since we enabled GEM, the pre-9xx chipsets (particularly 865) have had serious stability issues. Back in May a wbinvd was added to the DRM to work around much of the problem. Some failure remained -- easily visible by dragging a window around on an X -retro desktop, or by looking at bugzilla. The chipset flush was on the right track -- hitting the right amount of memory, and it appears to be the only way to flush on these chipsets, but the flush page was mapped uncached. As a result, the writes trying to clear the writeback cache ended up bypassing the cache, and not flushing anything! The wbinvd would flush out other writeback data and often cause the data we wanted to get flushed, but not always. By removing the setting of the page to UC and instead just clflushing the data we write to try to flush it, we get the desired behavior with no wbinvd. This exports clflush_cache_range(), which was laying around and happened to basically match the code I was otherwise going to copy from the DRM. Signed-off-by: Eric Anholt Signed-off-by: Brice Goglin Signed-off-by: Greg Kroah-Hartman commit 522bb748440e5765e6f73b417544f821e27940a9 Author: Zhenyu Wang Date: Wed Sep 2 10:57:52 2009 +0800 drm/i915: fix tiling on IGDNG commit 553bd149bb2de7848b2b84642876f27202421368 upstream. It seems that on IGDNG the same swizzling setup always applys. And front buffer tiling needs to set address swizzle in display arb control too. Fix plane tricle feed setting in v1 which should be disable bit, and always setup address swizzle to let hardware care for buffer tiling in all cases. Signed-off-by: Zhenyu Wang Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 867d008ba440f7df63996722dc0f958b849291fb Author: Keith Packard Date: Fri Sep 4 13:07:54 2009 +0800 drm/I915: Use the CRT DDC to get the EDID for DVI-connector on Mac commit 57cdaf90f5f607eb029356074fefb66c9b1c0659 upstream. mac Mini's have a single DDC line on the DVI connector, shared between the analog link and the digital link. So, if DDC isn't detected on GPIOE (the usual SDVO DDC link), try GPIOA (the usual VGA DDC link) when there isn't a VGA monitor connected. Signed-off-by: Keith Packard Signed-off-by: Zhao Yakui Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 7a4972b2b3b7479361663478983ba9f0e6cb4166 Author: Zhenyu Wang Date: Sat Sep 19 14:54:09 2009 +0800 drm/i915: Fix LVDS panel fitting on Arrandale commit 8dd81a381e8886129c0923f1fe22ff5ca36ae8da upstream. Arrandale has new window based method for panel fitting. This one enables full screen aspect scaling on LVDS. It fixes standard mode display failure on LVDS for Arrandale. Signed-off-by: Zhenyu Wang Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit b343d50c751e44f96db44ff7888dc5090c885fee Author: Zhenyu Wang Date: Sat Sep 19 14:54:08 2009 +0800 drm/i915: Remove DAC disable in CRT force detect on IGDNG commit 730915d65f9e763de9dc26c5f1b8abaae775b243 upstream. This is not required on newer stepping hardware to get reliable force detect status. Removing this fixes screen blank flicker in CRT detect on IGDNG. Signed-off-by: Zhenyu Wang Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit cb2ccc45533581f9afc5377b0e12edae8c9f1fea Author: Zhenyu Wang Date: Sat Sep 19 14:54:07 2009 +0800 drm/i915: Fix SSC frequence for IGDNG commit 339e5a4c78041cd7b473ddf0a81eb06a131127bb upstream. IGDNG LVDS SSC uses 120Mhz freq. This fixes one 1600x900 LVDS panel black issue on IGDNG with SSC enabled. Signed-off-by: Zhenyu Wang Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 8db54cc7e91e1f2063e6203fabac7ba7c470fea8 Author: Zhenyu Wang Date: Sat Sep 19 14:54:06 2009 +0800 drm/i915: Fix typo for wrong LVDS clock setting on IGDNG commit b09aea7fb38f328c02e9f9b79617cabed02455e4 upstream. New register for PCH LVDS on IGDNG should be used. This is a copy-n-paste typo. This fixes possible dual channel LVDS panel failure on IGDNG. Signed-off-by: Zhenyu Wang Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit c10bea0fd064017b07714512bb1a1da0502c50e9 Author: Chris Wilson Date: Tue Sep 15 23:23:18 2009 +0100 drm/i915: Check that the relocation points to within the target commit cd0b9fb400ba775737bdc3874c4cbee4047e66d8 upstream. Eric noted a potential concern with the low bits not being strictly used as part of the absolute offset (instead part of the command stream to the GPU), but in practice that should not be an issue. Signed-off-by: Chris Wilson Tested-by: Andy Whitcroft Cc: Eric Anholt Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 485571eb15c87439d56c4bd6ace25ee63d432726 Author: Chris Wilson Date: Mon Sep 14 16:50:25 2009 +0100 drm/i915: Add buffer to inactive list immediately during fault commit 4960aaca14010b9ff92e5726dd178cbd6805d412 upstream. If we failed to set the domain, the buffer was no longer being tracked on any list. Signed-off-by: Chris Wilson Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit a0cea65ea326b6a87487349e04d1b6dd513b9c3b Author: Jesse Barnes Date: Fri Sep 11 12:25:56 2009 -0700 drm/i915: prevent FIFO calculation overflows on 32 bits with high dotclocks commit d660467c3ff2a0b7413e1b7a51452b34ffb49e5f upstream. A very high dotclock (e.g. 229500kHz as reported by Anton) can cause the entries_required variable to overflow, potentially leading to a FIFO watermark value that's too low to support the given mode. Split the division across the calculation to avoid this. Reported-by: Anton Khirnov Tested-by: Anton Khirnov Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 29732ca5d6284c507cefd0b2b76b05b96b3a4f7d Author: Chris Wilson Date: Thu Sep 10 08:53:04 2009 +0100 drm/i915: Only destroy a constructed mmap offset commit 7e61615857c6fb3afbcb43f5c4e97511a923f5a8 upstream. drm_ht_remove_item() does not handle removing an absent item and the hlist in particular is incorrectly initialised. The easy remedy is simply skip calling i915_gem_free_mmap_offset() unless we have actually created the offset and associated ht entry. This also fixes the mishandling of a partially constructed offset which leaves pointers initialized after freeing them along the i915_gem_create_mmap_offset() error paths. In particular this should fix the oops found here: https://bugs.launchpad.net/ubuntu/+source/xserver-xorg-video-intel/+bug/415357/comments/8 Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt commit 385c165f9edb248473bc442cc2aa8a95e01e8fdb Author: Zhenyu Wang Date: Mon Sep 14 10:47:07 2009 +0800 drm/i915: remove restore in resume commit b7e53aba2f0e6abf23e3f07b38b241145c33a005 upstream. Don't need extra config restore like for intel_agp, which might cause resume hang issue found by Alan on 845G. Cc: Stable Team Cc: Alan Stern Signed-off-by: Zhenyu Wang Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 50afc605df1dc89d55c4ef1648dce601b858b65b Author: Hennerich, Michael Date: Wed Sep 2 09:26:21 2009 +0100 USB: sl811-hcd: Fix device disconnect: commit eb661bc88252e5c6dc69df732e77e42981dd4d8b upstream. SL811 Device detected after removal used to be working in linux-2.6.22 but then broke somewhere between 2.6.22 and 2.6.28. Current hub_port_connect_change() in drivers/usb/core/hub.c won't call usb_disconnect() in case the SL811 driver sets portstatus USB_PORT_FEAT_CONNECTION upon removal. AFAIK the SL811 has only a combined Device Insert/Remove detection bit, therefore use a count to distinguish insert or remove. Signed-Off-By: Michael Hennerich Signed-off-by: Greg Kroah-Hartman commit 78c953d674dd53256c617e03c3aec81be3697cb8 Author: Guus Sliepen Date: Wed Jul 22 17:39:42 2009 +0200 USB: usbtmc: sanity checks for DEV_DEP_MSG_IN urbs commit 665d7662d15441b4b3e54131a9418a1a198d0d31 upstream. According to the specifications, an instrument should not return more data in a DEV_DEP_MSG_IN urb than requested. However, some instruments can send more than requested. This could cause the kernel to write the extra data past the end of the buffer provided by read(). Fix this by checking that the value of the TranserSize field is not larger than the urb itself and not larger than the size of the userspace buffer. Also correctly decrement the remaining size of the buffer when userspace read()s more than USBTMC_SIZE_IOBUFFER. Signed-off-by: Guus Sliepen Signed-off-by: Greg Kroah-Hartman commit b7c8b54df8c2a82757d8aab48aaac198a49e2ff9 Author: fangxiaozhi Date: Fri Aug 7 12:30:35 2009 +0800 USB: usb-storage fails to attach to Huawei Datacard cdrom device commit d0defb855c8504c49b92bdc0203689ce9b4cf7ba upstream. In this patch, we always make the return value of function usb_stor_huawei_e220_init to be zero. Then it will not prevent usb-storage driver from attaching to the CDROM device of Huawei Datacard. Signed-off-by: fangxiaozhi Signed-off-by: Greg Kroah-Hartman commit 68eeb516062536e6877a5e0dc890235157dfe745 Author: Oliver Neukum Date: Wed Aug 26 19:56:12 2009 +0200 USB: storage: fix a resume path GFP_NOIO must be used commit e5dc8ae121592239c2a2521d383bcb789849b2a3 upstream. In the resume path of a block driver GFP_NOIO must be used to avoid a possible deadlock. The onetouch subdriver of storage violates the requirement. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 6e1a0b2d05b1aac43a223dbbe893c2ca330a3a73 Author: Pawel Ludwikow Date: Thu Aug 27 14:15:50 2009 +0200 USB: serial: pl2303: new hardware support - sanwa multimeter commit 35904e6b5106fda51b04c8b8080c04466865415f upstream. I'd like to present my small patch enabling to use Sanwa PC5000 mulitimeter with linux. Signed-off-by: Pawel Ludwikow Signed-off-by: Greg Kroah-Hartman commit be4d100ec9e1703338bd1cd7f508f1c2cd7d0a8f Author: Jack Steiner Date: Wed Sep 9 10:41:05 2009 -0500 x86: SGI UV: Fix IPI macros commit d2374aecda3f6c9b0d13287027132a37311da300 upstream. The UV BIOS has changed the way interrupt remapping is being done. This affects the id used for sending IPIs. The upper id bits no longer need to be masked off. Signed-off-by: Jack Steiner LKML-Reference: <20090909154104.GA25083@sgi.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 566198152269f6aa1ed8735f7a857bf51b0f6007 Author: Kevin Cernekee Date: Sat Sep 19 11:18:21 2009 +0000 kaweth: Fix memory leak in kaweth_control() commit 051b982bcc620695de629d29c333c95b66e9b95e upstream. kaweth_control() never frees the buffer that it allocates for the USB control message. Test case: while :; do ifconfig eth2 down ; ifconfig eth2 up ; done This is a tiny buffer so it is a slow leak. If you want to speed up the process, you can change the allocation size to e.g. 16384 bytes, and it will consume several megabytes within a few minutes. Signed-off-by: Kevin Cernekee Acked-by: Oliver Neukum Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fb6bf2b949962ae553cb07376f5b681bf09e476b Author: Tilman Schmidt Date: Thu Aug 6 20:33:33 2009 -0700 tty: gigaset: really fix chars_in_buffer commit a4304f2d5a3823deea894026ec95e43b33912357 upstream. The tty_operation chars_in_buffer() is not allowed to return a negative value to signal an error. Corrects the problem flagged by commit 23198fda7182969b619613a555f8645fdc3dc334, "tty: fix chars_in_buffers". Signed-off-by: Tilman Schmidt Cc: "David S. Miller" Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 55b664beda5a2990afb7e4ec809792e34753fe4e Author: Alan Cox Date: Sat Sep 19 13:13:24 2009 -0700 tty: remove dtr/rts use from the driver open methods commit 9a68e39d4a701fb3be03cae9b462408664ebd205 upstream. These are handled by the tty_port core code which will raise and lower the carrier correctly in tty_wait_until_ready Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit ba331a257da5fdc9215db5562e0a5c2580edb23b Author: Alan Cox Date: Sat Sep 19 13:13:23 2009 -0700 cdc_acm: Fix to use modern speed interfaces commit 9b80fee149a875a6292b2556ab2c64dc7ab7d6f5 upstream. This changed in 2006 so its about time the ACM driver caught up Signed-off-by: Alan Cox Signed-off-by: Greg Kroah-Hartman commit 2707ec76dd3b2132b64da3a2f7b55d3dbbae51a7 Author: Oliver Neukum Date: Tue Sep 8 23:51:28 2009 +0200 USB: fix cdc-acm regression in open commit 7af25b4b34a2439020d78da765a3bed0ff73f25c upstream. cdc-acm needs to set a flag during open to tell the tty layer that the device is initialized Signed-off-by: Oliver Neukum Cc: Marcel Holtmann Cc: Paul Martin Signed-off-by: Greg Kroah-Hartman commit 3c53c8d84f33ca107186b489609a95e17e08f6d6 Author: Oliver Neukum Date: Wed Sep 9 10:12:48 2009 +0200 USB: CDC WDM driver doesn't support non-blocking reads commit 7f1dc313d01f5f0f84c06051343a3b8623932d3c upstream. support for O_NONBLOCK in read and write path by simply not waiting for data in read or availability of the write urb in write but returning -EAGAIN Signed-off-by: Oliver Neukum Tested-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 4526d6342c054f07975a08172a0b4648b6e11a72 Author: Michael Hennerich Date: Mon Sep 14 10:39:53 2009 -0400 USB: serial: ftdi: handle gnICE+ JTAG adaptors commit 11eaf170363d264ff587f300e41c927ba5a33967 upstream. Detect the UART on interface1 and blacklist interface0 (as that is the JTAG port). Signed-off-by: Michael Hennerich Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 0f2cb0ca685c1b47a67210d632b2e43949e0970c Author: mail@rainerkeller.de Date: Thu Sep 3 11:55:17 2009 +0200 USB: add PIDs for FTDI based OpenDCC hardware commit ec3815c3e14dc68d49428e6505ae99e86e5dd067 upstream. Some devices from the OpenDCC project are missing in the list of the FTDI PIDs. These PIDs are listed at http://www.opendcc.de/elektronik/usb/opendcc_usb.html (Sorry for the german only page.) This patch adds the three missing devices. Signed-off-by: Rainer Keller Signed-off-by: Greg Kroah-Hartman commit 7aa7e454c6a09226e83b227869b2e5fd008240b5 Author: Pawel Ludwikow Date: Thu Aug 27 14:15:50 2009 +0200 USB: serial: ftdi_sio: new hardware support - hameg power supply commit e7d7fcc09ebde1ea1773521ecab5a3f0ad6bef6e upstream. I'd like to present my small patch enabling to use Hameg HM8143 programmable power supply with linux. Signed-off-by: Pawel Ludwikow Signed-off-by: Greg Kroah-Hartman commit d3b56d9524f374e6e9ccd66171cde8abf462b19a Author: Massimo Cirillo Date: Thu Sep 3 16:34:39 2009 +0200 mtd: cfi_cmdset_0002: add 0xFF intolerance for M29W128G commit 23af51ecfb04ff65bae51bd8e2270f4449abc789 upstream. The M29W128G Numonyx flash devices are intolerant to any 0xFF command: in the Cfi_util.c the function cfi_qry_mode_off() (that resets the device after the autoselect mode) must have a 0xF0 command after the 0xFF command. This fix solves also the cause of the fixup_M29W128G_write_buffer() fix, that can be removed now. The following patch applies to 2.6.30 kernel. Signed-off-by: Massimo Cirillo Acked-by: Alexey Korolev Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit b4a665c77baee92e5d3e7bac5e1ac61f5003ff28 Author: Benjamin Krill Date: Tue Aug 25 15:52:41 2009 +0200 mtd: ofpart: Check availability of reg property instead of name property commit ebd5a74db74ee2db833d43ea35108a4be9cab42f upstream. The previous implementation breaks the dts binding "mtd-physmap.txt". This implementation fixes the issue by checking the availability of the reg property instead of the name property. Signed-off-by: Benjamin Krill Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit cb5cef6bfc6e635f06cce182d76a1682176c0df5 Author: Feng Kan Date: Tue Aug 25 11:27:20 2009 -0700 mtd: nand: fix ECC Correction bug for SMC ordering for NDFC driver commit 76c23c32e3b3ad48e07e07897075ab19ae1ef117 upstream. Fix ECC Correction bug where the byte offset location were double fliped causing correction routine to toggle the wrong byte location in the ECC segment. The ndfc_calculate_ecc routine change the order of getting the ECC code. /* The NDFC uses Smart Media (SMC) bytes order */ ecc_code[0] = p[2]; ecc_code[1] = p[1]; ecc_code[2] = p[3]; But in the Correction algorithm when calculating the byte offset location, the b1 is used as the upper part of the address. Which again reverse the order making the final byte offset address location incorrect. byte_addr = (addressbits[b1] << 4) + addressbits[b0]; The order is change to read it in straight and let the correction function to revert it to SMC order. Signed-off-by: Feng Kan Acked-by: Victor Gallardo Acked-by: Prodyut Hazarika Acked-by: Stefan Roese Signed-off-by: David Woodhouse Signed-off-by: Greg Kroah-Hartman commit a9e31b939c86bc6cb6989ed542ff5b3c77446e0d Author: Christian Lamparter Date: Thu Sep 17 13:46:53 2009 +0200 ar9170usb: add usbid for TP-Link TL-WN821N v2 commit fe9f6342c86292aee1941447f22dc5470735e5a1 upstream. This patch adds the usbid for TP-Link TL-WN821N v2. Reported-by: Fabian Lenz Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 3a9b96ab8d6cb30f27db8a7e24770c1654d4e14e Author: Ryusuke Konishi Date: Mon Sep 28 01:46:11 2009 +0900 nilfs2: fix missing zero-fill initialization of btree node cache commit 1f28fcd925b2b3157411bbd08f0024b55b70d8dd upstream. This will fix file system corruption which infrequently happens after mount. The problem was reported from users with the title "[NILFS users] Fail to mount NILFS." (Message-ID: <200908211918.34720.yuri@itinteg.net>), and so forth. I've also experienced the corruption multiple times on kernel 2.6.30 and 2.6.31. The problem turned out to be caused due to discordance between mapping->nrpages of a btree node cache and the actual number of pages hung on the cache; if the mapping->nrpages becomes zero even as it has pages, truncate_inode_pages() returns without doing anything. Usually this is harmless except it may cause page leak, but garbage collection fairly infrequently sees a stale page remained in the btree node cache of DAT (i.e. disk address translation file of nilfs), and induces the corruption. I identified a missing initialization in btree node caches was the root cause. This corrects the bug. I've tested this for kernel 2.6.30 and 2.6.31. Reported-by: Yuri Chislov Signed-off-by: Ryusuke Konishi Signed-off-by: Greg Kroah-Hartman commit b634e7f6b89c3a6fa3af4a709164b19d64bf9413 Author: Alan Jenkins Date: Thu Sep 24 20:15:24 2009 +0100 sony-laptop: check for rfkill hard block at load time commit 50fab0760a6c07cded229357a1351c325a575770 upstream. "I recently (on a flight) I found out that when I boot with the hard-switch activated, so turning off all wireless activity on my laptop, the state is not correctly announced in /dev/rfkill (reading it with rfkill command, or my own gnome applet)... After turning off and on again the hard-switch the events were right." We can fix this by querying the firmware at load time and calling rfkill_set_hw_state(). Signed-off-by: Alan Jenkins Tested-by: Norbert Preining Acked-by: Johannes Berg Acked-by: Mattia Dongili Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 53024df259e37ad49ee3d1f3721d4cecdd7bc357 Author: Rafael J. Wysocki Date: Tue Sep 29 00:11:03 2009 +0200 PM / yenta: Fix cardbus suspend/resume regression commit 0c570cdeb8fdfcb354a3e9cd81bfc6a09c19de0c upstream. Since 2.6.29 the PCI PM core have been restoring the standard configuration registers of PCI devices in the early phase of resume. In particular, PCI devices without drivers have been handled this way since commit 355a72d75b3b4f4877db4c9070c798238028ecb5 (PCI: Rework default handling of suspend and resume). Unfortunately, this leads to post-resume problems with CardBus devices which cannot be accessed in the early phase of resume, because the sockets they are on have not been woken up yet at that point. To solve this problem, move the yenta socket resume to the early phase of resume and, analogously, move the suspend of it to the late phase of suspend. Additionally, remove some unnecessary PCI code from the yenta socket's resume routine. Fixes http://bugzilla.kernel.org/show_bug.cgi?id=13092, which is a post-2.6.28 regression. Signed-off-by: Rafael J. Wysocki Reported-by: Florian Signed-off-by: Greg Kroah-Hartman commit 2c2c7096066df8035a4bcdfacd1ee5e4d3fb2347 Author: Rafael J. Wysocki Date: Tue Sep 29 00:10:41 2009 +0200 PM / PCMCIA: Drop second argument of pcmcia_socket_dev_suspend() commit 827b4649d4626bf97b203b4bcd69476bb9b4e760 upstream. pcmcia_socket_dev_suspend() doesn't use its second argument, so it may be dropped safely. This change is necessary for the subsequent yenta suspend/resume fix. Signed-off-by: Rafael J. Wysocki Signed-off-by: Greg Kroah-Hartman commit bd77bef4377272a36e3b1f3b8268bba2a3ef4b42 Author: Wolfram Sang Date: Sat Aug 1 15:28:35 2009 +0200 tty: serial/pcmcia: add ID for Advantech card commit 7a4b23104bd2624d16681158a9b338c502c103a0 upstream. Add ID as reported in: http://lists.infradead.org/pipermail/linux-pcmcia/2009-May/006127.html Reported-by: Kenneth Moorman Signed-off-by: Wolfram Sang Signed-off-by: Greg Kroah-Hartman commit 11ae63deabcf6deebb9a4ab5ed9fb93dac3339dd Author: Eric Dumazet Date: Thu Sep 24 15:05:59 2009 +0200 perf tools: Fix buffer allocation commit a255a9981a8566a1efabec983b7811e937e662d2 upstream. "perf top" cores dump on my dev machine, if run from a directory where vmlinux is present: *** glibc detected *** malloc(): memory corruption: 0x085670d0 *** Signed-off-by: Eric Dumazet LKML-Reference: <4ABB6EB7.7000002@gmail.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 45bc25843ee4c5c6183b6fba013fba1e11eb05b1 Author: Ian Schram Date: Fri Sep 18 21:26:26 2009 +0200 perf_counter: Fix perf_copy_attr() pointer arithmetic commit cdf8073d6b2c6c5a3cd6ce0e6c1297157f7f99ba upstream. There is still some weird code in per_copy_attr(). Which supposedly checks that all bytes trailing a struct are zero. It doesn't seem to get pointer arithmetic right. Since it increments an iterating pointer by sizeof(unsigned long) rather than 1. Signed-off-by: Ian Schram [ v2: clean up the messy PTR_ALIGN logic as well. ] Signed-off-by: Peter Zijlstra Cc: Mike Galbraith Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo Cc: Frederic Weisbecker LKML-Reference: <4AB3DEE2.3030600@telenet.be> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit c22044b960eef0dfd48c9b608defaf2c5c3e7880 Author: Jeremy Fitzhardinge Date: Mon Sep 21 13:34:06 2009 -0700 xen: check EFER for NX before setting up GDT mapping commit b75fe4e5b869f8dbebd36df64a7fcda0c5b318ed upstream. x86-64 assumes NX is available by default, so we need to explicitly check for it before using NX. Some first-generation Intel x86-64 processors didn't support NX, and even recent systems allow it to be disabled in BIOS. [ Impact: prevent Xen crash on NX-less 64-bit machines ] Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 7bb8fd4ee497a34c68e35d259a20d98cbad7fc94 Author: Yang Xiaowei Date: Wed Sep 9 12:44:52 2009 -0700 xen: use stronger barrier after unlocking lock commit 2496afbf1e50c70f80992656bcb730c8583ddac3 upstream. We need to have a stronger barrier between releasing the lock and checking for any waiting spinners. A compiler barrier is not sufficient because the CPU's ordering rules do not prevent the read xl->spinners from happening before the unlock assignment, as they are different memory locations. We need to have an explicit barrier to enforce the write-read ordering to different memory locations. Because of it, I can't bring up > 4 HVM guests on one SMP machine. [ Code and commit comments expanded -J ] [ Impact: avoid deadlock when using Xen PV spinlocks ] Signed-off-by: Yang Xiaowei Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 64aa234c396c3f595bc08aed93fd753102a0a0ec Author: Jeremy Fitzhardinge Date: Wed Sep 9 12:33:51 2009 -0700 xen: only enable interrupts while actually blocking for spinlock commit 4d576b57b50a92801e6493e76e5243d6cff193d2 upstream. Where possible we enable interrupts while waiting for a spinlock to become free, in order to reduce big latency spikes in interrupt handling. However, at present if we manage to pick up the spinlock just before blocking, we'll end up holding the lock with interrupts enabled for a while. This will cause a deadlock if we recieve an interrupt in that window, and the interrupt handler tries to take the lock too. Solve this by shrinking the interrupt-enabled region to just around the blocking call. [ Impact: avoid race/deadlock when using Xen PV spinlocks ] Reported-by: "Yang, Xiaowei" Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit b04a12a2837b961139be63eb4b4f23c38a140e4a Author: Jeremy Fitzhardinge Date: Thu Aug 27 12:46:35 2009 -0700 xen: make -fstack-protector work under Xen commit 577eebeae34d340685d8985dfdb7dfe337c511e8 upstream. -fstack-protector uses a special per-cpu "stack canary" value. gcc generates special code in each function to test the canary to make sure that the function's stack hasn't been overrun. On x86-64, this is simply an offset of %gs, which is the usual per-cpu base segment register, so setting it up simply requires loading %gs's base as normal. On i386, the stack protector segment is %gs (rather than the usual kernel percpu %fs segment register). This requires setting up the full kernel GDT and then loading %gs accordingly. We also need to make sure %gs is initialized when bringing up secondary cpus too. To keep things consistent, we do the full GDT/segment register setup on both architectures. Because we need to avoid -fstack-protected code before setting up the GDT and because there's no way to disable it on a per-function basis, several files need to have stack-protector inhibited. [ Impact: allow Xen booting with stack-protector enabled ] Signed-off-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit bdef3346158b95e07be5045df8c71cd93e5e5152 Author: Chuck Ebbert Date: Tue Sep 15 01:53:21 2009 -0400 Re-enable Lanman security commit 20d1752f3d6bd32beb90949559e0d14a0b234445 upstream. commit ac68392460ffefed13020967bae04edc4d3add06 ("[CIFS] Allow raw ntlmssp code to be enabled with sec=ntlmssp") added a new bit to the allowed security flags mask but seems to have inadvertently removed Lanman security from the allowed flags. Add it back. Signed-off-by: Chuck Ebbert Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit afc2b6932f48f200736d3e36ad66fee0ec733136 Author: Tyler Hicks Date: Tue Sep 22 12:52:17 2009 -0500 eCryptfs: Prevent lower dentry from going negative during unlink commit 9c2d2056647790c5034d722bd24e9d913ebca73c upstream. When calling vfs_unlink() on the lower dentry, d_delete() turns the dentry into a negative dentry when the d_count is 1. This eventually caused a NULL pointer deref when a read() or write() was done and the negative dentry's d_inode was dereferenced in ecryptfs_read_update_atime() or ecryptfs_getxattr(). Placing mutt's tmpdir in an eCryptfs mount is what initially triggered the oops and I was able to reproduce it with the following sequence: open("/tmp/upper/foo", O_RDWR|O_CREAT|O_EXCL|O_NOFOLLOW, 0600) = 3 link("/tmp/upper/foo", "/tmp/upper/bar") = 0 unlink("/tmp/upper/foo") = 0 open("/tmp/upper/bar", O_RDWR|O_CREAT|O_NOFOLLOW, 0600) = 4 unlink("/tmp/upper/bar") = 0 write(4, "eCryptfs test\n"..., 14 +++ killed by SIGKILL +++ https://bugs.launchpad.net/ecryptfs/+bug/387073 Reported-by: Loïc Minier Cc: Serge Hallyn Cc: Dave Kleikamp Cc: ecryptfs-devel@lists.launchpad.net Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit de4f86bf0cfecea80ed02aeb850f15838936c83b Author: Tyler Hicks Date: Wed Aug 26 01:54:56 2009 -0500 eCryptfs: Validate global auth tok keys commit 3891959846709a19f76628e33478cd85edb0e79f upstream. When searching through the global authentication tokens for a given key signature, verify that a matching key has not been revoked and has not expired. This allows the `keyctl revoke` command to be properly used on keys in use by eCryptfs. Acked-by: Serge Hallyn Cc: ecryptfs-devel@lists.launchpad.net Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit f7d98b8fd06509ab1fca22923b4bbf11e7567955 Author: Tyler Hicks Date: Fri Aug 21 04:27:46 2009 -0500 eCryptfs: Filename encryption only supports password auth tokens commit df6ad33ba1b9846bd5f0e2b9016c30c20bc2d948 upstream. Returns -ENOTSUPP when attempting to use filename encryption with something other than a password authentication token, such as a private token from openssl. Using filename encryption with a userspace eCryptfs key module is a future goal. Until then, this patch handles the situation a little better than simply using a BUG_ON(). Acked-by: Serge Hallyn Cc: ecryptfs-devel@lists.launchpad.net Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit e6983f149c2f68f1e6344761d5f96a3f65a325f0 Author: Tyler Hicks Date: Wed Aug 12 01:06:54 2009 -0500 eCryptfs: Check for O_RDONLY lower inodes when opening lower files commit ac22ba23b659e34a5961aec8c945608e471b0d5b upstream. If the lower inode is read-only, don't attempt to open the lower file read/write and don't hand off the open request to the privileged eCryptfs kthread for opening it read/write. Instead, only try an unprivileged, read-only open of the file and give up if that fails. This patch fixes an oops when eCryptfs is mounted on top of a read-only mount. Acked-by: Serge Hallyn Cc: Eric Sandeen Cc: Dave Kleikamp Cc: ecryptfs-devel@lists.launchpad.net Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit d4127e16c4dde0ac06bc32a805d6807c0a36b598 Author: Tyler Hicks Date: Tue Aug 11 00:36:32 2009 -0500 eCryptfs: Handle unrecognized tag 3 cipher codes commit b0105eaefa7cce8f4a941d0fc6354b250d30e745 upstream. Returns an error when an unrecognized cipher code is present in a tag 3 packet or an ecryptfs_crypt_stat cannot be initialized. Also sets an crypt_stat->tfm error pointer to NULL to ensure that it will not be incorrectly freed in ecryptfs_destroy_crypt_stat(). Acked-by: Serge Hallyn Cc: ecryptfs-devel@lists.launchpad.net Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 2f0ffb7ef75a9ad6140899f6d4df45e8a73a013e Author: Jan Kara Date: Mon Sep 21 17:01:06 2009 -0700 fs: make sure data stored into inode is properly seen before unlocking new inode commit 580be0837a7a59b207c3d5c661d044d8dd0a6a30 upstream. In theory it could happen that on one CPU we initialize a new inode but clearing of I_NEW | I_LOCK gets reordered before some of the initialization. Thus on another CPU we return not fully uptodate inode from iget_locked(). This seems to fix a corruption issue on ext3 mounted over NFS. [akpm@linux-foundation.org: add some commentary] Signed-off-by: Jan Kara Cc: Christoph Hellwig Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f3408a2d072c29796c569b93a00eba68e8c01709 Author: Ivan Kokshaysky Date: Wed Sep 23 15:57:42 2009 -0700 alpha: AGP update (fixes compile failure) commit d68721eb339e9237c11c1fea5f73f86211d14918 upstream. This brings Alpha AGP platforms in sync with the change to struct agp_memory (unsigned long *memory => struct page **pages). Only compile tested (I don't have titan/marvel hardware), but this change looks pretty straightforward, so hopefully it's ok. Signed-off-by: Ivan Kokshaysky Cc: Richard Henderson Cc: Dave Airlie Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 904f470bbf1cb422b963bc3d479930e0968c30ed Author: Wolfgang Muees Date: Tue Sep 22 16:45:26 2009 -0700 mmc_spi: fail gracefully if host or card do not support the switch command commit d08ebeddfb3293fa4bdfca9c610daf1e8ec8b233 upstream. Some time ago, I have send a patch to the mmc_spi subsystem changing the error codes. This was after a discussion with Pierre about using EINVAL only for non-recoverable errors. This patch was accepted as http://git.kernel.org/linus/fdd858db7113ca64132de390188d7ca00701013d Unfortunately, several weeks later, I realized that this patch has opened a little can of worms because there are SD cards on the market which a) claim that they support the switch command AND b) refuse to execute this command if operating in SPI mode. So, such a card would get unusuable in an embedded linux system in SPI mode, because the init sequence terminates with an error. This patch adds the missing error codes to the caller of the switch command and restores the old behaviour to fail gracefully if these commands can not execute. Signed-off-by: Wolfgang Muees Cc: Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit b01436041fc2be04f5dbbbfdc5a37643cd9417b4 Author: Aaro Koskinen Date: Tue Sep 22 16:47:58 2009 -0700 sisfb: change SiS_DDC_Port type to SISIOADDRESS commit 532f649f148bf70e6a5816d95fe55e6a065e8754 upstream. The patch enables the driver to be used on platforms such as ARM where an I/O address is a 32-bit memory address. The patch avoids the following kernel oops: debian:~# modprobe sisfb [ 73.070000] sisfb: Video ROM found [ 73.080000] sisfb: Video RAM at 0x80000000, mapped to 0xe0a00000, size 1024k [ 73.090000] sisfb: MMIO at 0x84080000, mapped to 0xe0b80000, size 256k [ 73.090000] sisfb: Memory heap starting at 800K, size 32K [ 73.360000] Unable to handle kernel paging request at virtual address 6e000844 [ 73.380000] pgd = df230000 [ 73.380000] [6e000844] *pgd=00000000 [ 73.380000] Internal error: Oops: 8f5 [#1] [ 73.380000] Modules linked in: sisfb(+) fb cfbcopyarea cfbimgblt cfbfillrect [ 73.380000] CPU: 0 Not tainted (2.6.31-iop32x #1) [ 73.380000] PC is at SiS_SetRegANDOR+0x10/0x38 [sisfb] [ 73.380000] LR is at SiS_SetSCLKHigh+0x38/0x94 [sisfb] [ 73.380000] pc : [] lr : [] psr: 60000013 [ 73.380000] sp : df38fd00 ip : 6e000000 fp : 00000002 [ 73.380000] r10: 00000108 r9 : 00000000 r8 : 00000108 [ 73.380000] r7 : df064258 r6 : 00000110 r5 : 6e000844 r4 : 0000010a [ 73.380000] r3 : 00000001 r2 : 0000000e r1 : 00000011 r0 : 00000844 [ 73.380000] Flags: nZCv IRQs on FIQs on Mode SVC_32 ISA ARM Segment user [ 73.380000] Control: 0000397f Table: bf230000 DAC: 00000015 [ 73.380000] Process modprobe (pid: 1849, stack limit = 0xdf38e270) [ 73.380000] Stack: (0xdf38fd00 to 0xdf390000) [ 73.380000] fd00: 0000010a 00000108 df064258 df064258 df064258 00000000 00000000 bf02c4e0 [ 73.380000] fd20: 00000114 bf02c50c 00000013 00000114 0000010a df064258 00000000 bf02c980 [ 73.380000] fd40: 00009c66 00000004 00000001 df064250 a0010000 a6a2a0a0 df064250 00000003 [ 73.380000] fd60: df064250 00000000 df064258 0000fffd 00000000 00000000 00000000 bf033948 [ 73.380000] fd80: 00000000 00000000 00000000 bf019e2c 00000000 df064a70 bf03b470 00010000 [ 73.380000] fda0: 00000000 df064250 00000000 df831c00 00000012 bf039f70 00000000 c00abed8 [ 73.380000] fdc0: 000008a6 000008a4 df0649b0 df064878 df064258 df064000 00000000 00000000 [ 73.380000] fde0: 00000001 00008000 00000001 00030000 df81c930 bf049f88 df831c00 00000000 [ 73.380000] fe00: bf049f58 df3952a0 c0447708 bf049f88 bf049fe0 c0191980 df831c00 c0191b10 [ 73.380000] fe20: df831c58 bf049f58 df831c00 bf04aca8 df3952a0 df831c58 df831c58 bf049f88 [ 73.380000] fe40: c01ba1b4 c01ba0a0 df831c58 df831c8c bf049f88 c01ba1b4 df3952a0 00000000 [ 73.380000] fe60: c03e265c c01ba240 00000000 df38fe78 bf049f88 c01b990c df812938 df81b8d0 [ 73.380000] fe80: df3952a0 df807780 00000000 00000060 bf049f88 c01b9224 bf0429c8 00000000 [ 73.380000] fea0: bf049f58 00000000 bf049f88 00000000 00000000 bf04aea8 00000000 c01ba4e4 [ 73.380000] fec0: e09861a0 bf049f58 00000000 bf049f88 00000000 c0191f20 00000000 00000000 [ 73.380000] fee0: c03f7bac bf04d418 0000fff2 0000fff1 bf04ad08 0002f260 0002f260 e0986038 [ 73.380000] ff00: e0986150 e098568b df143340 e0990280 00000036 c03d8b00 fffffffd 00000000 [ 73.380000] ff20: bf04acfc 00000000 fffffffc 0003cf4b 00018098 c03f7bac 00000000 bf04d000 [ 73.380000] ff40: df38e000 00000000 bedc0984 c00272a4 ffffffff c005bc88 00000000 00000000 [ 73.380000] ff60: 0003cf4b 0003cf4b 00018098 bf04acfc 00000000 c0027fe8 df38e000 00000000 [ 73.380000] ff80: bedc0984 c006882c 00001000 00000003 00000000 00009064 00000000 00008edc [ 73.380000] ffa0: 00000080 c0027e20 00009064 00000000 4014e000 0003cf4b 00018098 0003cf4b [ 73.380000] ffc0: 00009064 00000000 00008edc 00000080 00000000 00000000 40025000 bedc0984 [ 73.380000] ffe0: 00000000 bedc08fc 0000b6b0 400e8f34 60000010 4014e000 00000000 00000000 [ 73.380000] [] (SiS_SetRegANDOR+0x10/0x38 [sisfb]) from [] (0xdf064258) [ 73.380000] Code: e92d0030 e20110ff e280546e e3a0c46e (e5c51000) [ 73.680000] ---[ end trace 62a93e01df37a5f2 ]--- Signed-off-by: Aaro Koskinen Cc: Thomas Winischhofer Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2db6232707f4c716d0def48ea5d27e461bf95db5 Author: Paul Mundt Date: Tue Sep 22 16:44:12 2009 -0700 kallsyms: fix segfault in prefix_underscores_count() commit a9ece53c4089ef23d4002d34c4c7148d94622a40 upstream. Commit b478b782e110fdb4135caa3062b6d687e989d994 "kallsyms, tracing: output more proper symbol name" introduces a "bugfix" that introduces a segfault in kallsyms in my configurations. The cause is the introduction of prefix_underscores_count() which attempts to count underscores, even in symbols that do not have them. As a result, it just uselessly runs past the end of the buffer until it crashes: CC init/version.o LD init/built-in.o LD .tmp_vmlinux1 KSYM .tmp_kallsyms1.S /bin/sh: line 1: 16934 Done sh-linux-gnu-nm -n .tmp_vmlinux1 16935 Segmentation fault | scripts/kallsyms > .tmp_kallsyms1.S make: *** [.tmp_kallsyms1.S] Error 139 This simplifies the logic and just does a straightforward count. Signed-off-by: Paul Mundt Reviewed-by: Li Zefan Cc: Lai Jiangshan Cc: Sam Ravnborg Cc: Paulo Marques Cc: Ingo Molnar Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a1ae2307df3270ecf3fb15786aebc1d72493e960 Author: Ian Armstrong Date: Tue Sep 22 16:47:52 2009 -0700 fbcon: only unbind from console if successfully registered commit 2ddce3fd0acbdc1be684fb5f919ae3d2e9518aac upstream. Attempting to unload a framebuffer module calls unregister_framebuffer() which in turn gets fbcon to release it. If fbcon has no framebuffers linked to a console, it will also unbind itself from the console driver. However, if fbcon never registered itself as a console driver, the unbind will fail causing the framebuffer device entry to persist. In most cases this failure will result in an oops when attempting to access the now non-existent device. This patch ensures that the fbcon unbind request will succeed even if a bind was never done. It tracks if a successful bind ever occurred & will only attempt to unbind if needed. If there never was a bind, it simply returns with no error. Signed-off-by: Ian Armstrong Cc: Krzysztof Helt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit f85b6ef18e1429ed53cc8860334aebad542939b7 Author: Alex Chiang Date: Tue Aug 4 14:44:17 2009 -0600 ACPI: pci_slot.ko wants a 64-bit _SUN commit 7e24bc1ce669b2876ffa475ea1147f2bb9ffdc52 upstream. Similar to commit b6adc195 (PCI hotplug: acpiphp wants a 64-bit _SUN), pci_slot.ko reads and creates sysfs directories based on the _SUN method. Certain HP platforms return 64 bits in _SUN. This change to pci_slot.ko allows us to see the correct sysfs directories. Reported-by: Chad Smith Signed-off-by: Alex Chiang Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 96512c294afd18b7a78bee701f16b1a12e7295b3 Author: Henrique de Moraes Holschuh Date: Sat Sep 12 15:22:11 2009 -0300 thinkpad-acpi: don't ask about brightness_mode for fw. 1V and 1R commit 6da25bf51689a5cc60370d30275dbb9e6852e0cb upstream. X40 (firmware 1V) and T41 (firmware 1R) have been confirmed to work well with the new defaults, so we can stop pestering people to confirm that fact. For now, whitelist just these two firmware types. It is best to have at least one more firmware type confirmed for Radeon 9xxx and Intel GMA-2 ThinkPads before removing the confirmation requests entirely. Reported-by: Robert de Rooy Signed-off-by: Henrique de Moraes Holschuh Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 02e87c91e8a4bc57547925317f876aac779a433d Author: Andrew Morton Date: Mon Sep 21 17:01:07 2009 -0700 drivers/mfd/ab3100-core.c: fix powerpc build error commit 00d3803b656a5f0935518d746f6bb27d5181d29d upstream. drivers/mfd/ab3100-core.c:647: error: ab3100_init_settings causes a section type conflict Cc: Anton Vorontsov Cc: Samuel Ortiz Cc: Benjamin Herrenschmidt Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c9aac6645fcf788ba660ba456ec0cf9fd2f6f0f8 Author: Jory A. Pratt Date: Fri Sep 18 12:49:31 2009 -0700 kbuild: fix cc1 options check to ensure we do not use -fPIC when compiling commit c47efe5548abbf53c2f66e06dcb46183b11d6b22 upstream. The arch/*/boot/Makefile use cc-options to check for GCC command options and cc-options use the hardened specs when checking for GCC command options. When -fPIE is pass to cc1 it can't use -ffreestanding or -fno-toplevel-reorder. Then it fail to build stuff with -ffreestanding and -fno-toplevel-reorder. Thanks to Fredric Johansson for finding the main problem behind a failed build using a hardened toolchain. Signed-off-by: Magnus Granberg Signed-off-by: Jory A. Pratt Cc: Fredric Johansson Cc: "H. Peter Anvin" Signed-off-by: Andrew Morton Signed-off-by: Sam Ravnborg Signed-off-by: Greg Kroah-Hartman commit f9346c36575cc2a7e599ff17ec9b25cd338710b1 Author: Peter Korsgaard Date: Tue Sep 22 16:47:55 2009 -0700 video: s3c_fb.c: fix build with CONFIG_HOTPLUG=n commit 3163eaba34943967aebb1eefa0d4bdc4e5dc197c upstream. Fixes `s3c_fb_remove' referenced in section `.data' of drivers/built-in.o: defined in discarded section `.devexit.text' of drivers/built-in.o With CONFIG_HOTPLUG=n, functions marked with __devexit gets removed, so make sure we use __devexit_p when referencing pointers to them. Signed-off-by: Peter Korsgaard Acked-by: Ben Dooks Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 50eab02f21d12882d044dc8544b3a3fb670b3b3a Author: Manuel Lauss Date: Tue Sep 1 09:04:35 2009 +0200 USB: option: TELIT UC864G support commit ce60c48871d2b3a15ab3fa2450e783bebb4ae407 upstream. Add ID for Telit UC-864G GPS/UMTS/WCDMA modem and GPS receiver to the option driver. Signed-off-by: Manuel Lauss Signed-off-by: Greg Kroah-Hartman commit 0c7f5ddefe8de033133fee32d75c236ba4143ea4 Author: Huzaifa Sidhpurwala Date: Tue Sep 1 10:07:41 2009 +0530 USB: option.c Add support for ZTE AC2726 EVDO modem commit a67d8e6c1e49dc919c9d5480583fad8a46fc00aa upstream. A few days ago i got the latest ZTE EVDO modem shown at: http://img.alibaba.com/photo/240150115/ZTE_AC2726_EVDO_USB_Data_Modem.jpg It seems that the latest kernel does not have support for it. I wrote a small patch for the options.c module to add the relevant usb ids to it. From: Huzaifa Sidhpurwala Signed-off-by: Greg Kroah-Hartman commit 499c53541b860b20e00ab2c85b50cdb813c3606c Author: Mike Frysinger Date: Thu Aug 6 15:20:05 2009 -0700 serial: bfin_5xx: fix building as module when early printk is enabled commit 0271edd4b1b16f255162029359bb69c1ee4d9c3b upstream. Since early printk only makes sense/works when the serial driver is built into the kernel, disable the option for this driver when it is going to be built as a module. Otherwise we get build failures due to the ifdef handling. Signed-off-by: Mike Frysinger Cc: Alan Cox Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit fc5c8874e71764e58f4aaa11223c9cf62d9028ec Author: Michal Hocko Date: Tue Sep 8 11:01:55 2009 +0200 x86: Increase MIN_GAP to include randomized stack commit 80938332d8cf652f6b16e0788cf0ca136befe0b5 upstream. Currently we are not including randomized stack size when calculating mmap_base address in arch_pick_mmap_layout for topdown case. This might cause that mmap_base starts in the stack reserved area because stack is randomized by 1GB for 64b (8MB for 32b) and the minimum gap is 128MB. If the stack really grows down to mmap_base then we can get silent mmap region overwrite by the stack values. Let's include maximum stack randomization size into MIN_GAP which is used as the low bound for the gap in mmap. Signed-off-by: Michal Hocko LKML-Reference: <1252400515-6866-1-git-send-email-mhocko@suse.cz> Acked-by: Jiri Kosina Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 511424ee51d395991c2e4bf608ce6b8c54b18675 Author: Christian Lamparter Date: Mon Sep 14 23:08:43 2009 +0200 p54usb: add Zcomax XG-705A usbid commit f7f71173ea69d4dabf166533beffa9294090b7ef upstream. This patch adds a new usbid for Zcomax XG-705A to the device table. Reported-by: Jari Jaakola Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 246480cd44a6a799e86c76646bbbcada8045436f Author: Robert Hancock Date: Sat Sep 12 23:54:47 2009 -0600 pata_amd: do not filter out valid modes in nv_mode_filter commit 90950a2504b66d626a73f55ca949a2e79ff4b7c4 upstream. On a Compaq Presario V3000 laptop (NVIDIA MCP51 chipset), pata_amd selects PIO0 mode for the PATA DVD-RAM drive instead of MWDMA2 which it supports: ata4.00: ATAPI: HL-DT-ST DVDRAM GSA-4084N, KQ09, max MWDMA2 ata4: nv_mode_filter: 0x39f&0x7001->0x1, BIOS=0x0 (0x0) ACPI=0x7001 (60:600:0x11) ata4.00: configured for PIO0 For some reason, the BIOS-set UDMA configuration returns 0 and the ACPI _GTM reports that UDMA2 and PIO0 are enabled. This causes nv_mode_filter to end up allowing only PIO0 and UDMA0-2. Since the drive doesn't support UDMA we end up using PIO0. Since the controllers should always support PIO4, MWDMA2 and UDMA2 regardless of what cable type is used, let's make sure we don't filter out these modes regardless of what wacky settings the BIOS is using. Signed-off-by: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit a8e669546128ae9f4d17630405588d8fd4c9abd6 Author: Sheng Yang Date: Thu Sep 17 10:42:04 2009 +0800 KVM: VMX: Fix EPT with WP bit change during paging commit 95eb84a7588d7d7afd3096807efc052adc7479e1 upstream QNX update WP bit when paging enabled, which is not covered yet. This one fix QNX boot with EPT. Signed-off-by: Sheng Yang Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman