commit 5eee394f24eca7d1f670ddc9d08a8d02c90e74ca Author: Greg Kroah-Hartman Date: Mon Oct 12 13:15:40 2009 -0700 Linux 2.6.31.4 commit 2d852892256a5a1bb6fd8399445b8cd12b94de0a Author: Sascha Hlusiak Date: Tue Sep 29 11:27:05 2009 +0000 sit: fix off-by-one in ipip6_tunnel_get_prl [ Upstream commit 298bf12ddb25841804f26234a43b89da1b1c0e21 ] When requesting all prl entries (kprl.addr == INADDR_ANY) and there are more prl entries than there is space passed from userspace, the existing code would always copy cmax+1 entries, which is more than can be handled. This patch makes the kernel copy only exactly cmax entries. Signed-off-by: Sascha Hlusiak Acked-By: Fred L. Templin Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e928731a0027bc087ba428e17ac0b605eabc125e Author: Eric Dumazet Date: Sun Sep 20 06:32:55 2009 +0000 ax25: Fix SIOCAX25GETINFO ioctl [ Upstream commit 407fc5cf019fc5cb990458a2e38d2c0a27b3cb30 ] rcv_q & snd_q initializations were reversed in commit 31e6d363abcd0d05766c82f1a9c905a4c974a199 (net: correct off-by-one write allocations reports) Signed-off-by: Jan Rafaj Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 84b176798b6526e88cf34a47f554359f0be42f98 Author: Jarek Poplawski Date: Sun Sep 27 10:57:02 2009 +0000 ax25: Fix possible oops in ax25_make_new [ Upstream commit 8c185ab6185bf5e67766edb000ce428269364c86 ] In ax25_make_new, if kmemdup of digipeat returns an error, there would be an oops in sk_free while calling sk_destruct, because sk_protinfo is NULL at the moment; move sk->sk_destruct initialization after this. BTW of reported-by: Bernard Pidoux F6BVP Signed-off-by: Jarek Poplawski Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fb0e8709eef2d06ec5d5b1f30e043432a477c1fe Author: Arnaldo Carvalho de Melo Date: Wed Sep 9 11:40:12 2009 -0300 appletalk: Fix skb leak when ipddp interface is not loaded [ Upstream commit ffcfb8db540ff879c2a85bf7e404954281443414 ] And also do a better job of returning proper NET_{RX,XMIT}_ values. Based on a patch by Mark Smith. This fixes CVE-2009-2903 Reported-by: Mark Smith Signed-off-by: Arnaldo Carvalho de Melo Signed-off-by: Greg Kroah-Hartman commit c839c5cede32a8f033b097819b3b9811e3e1ea26 Author: Mike McCormack Date: Mon Sep 21 04:08:52 2009 +0000 sky2: Set SKY2_HW_RAM_BUFFER in sky2_init [ Upstream commit 74a61ebf653c6abe459f228eb40e9f24f7ef1fb7 ] The SKY2_HW_RAM_BUFFER bit in hw->flags was checked in sky2_mac_init(), before being set later in sky2_up(). Setting SKY2_HW_RAM_BUFFER in sky2_init() where other hw->flags are set should avoid this problem recurring. Signed-off-by: Mike McCormack Acked-by: Stephen Hemminger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit fe13bc44dae6452f49493ceb3cff40d85839b7ea Author: Steve Glendinning Date: Tue Sep 22 04:00:27 2009 +0000 smsc95xx: fix transmission where ZLP is expected [ Upstream commit ec4756238239f1a331d9fb95bad8b281dad56855 ] Usbnet framework assumes USB hardware doesn't handle zero length packets, but SMSC LAN95xx requires these to be sent for correct operation. This patch fixes an easily reproducible tx lockup when sending a frame that results in exactly 512 bytes in a USB transmission (e.g. a UDP frame with 458 data bytes, due to IP headers and our USB headers). It adds an extra flag to usbnet for the hardware driver to indicate that it can handle and requires the zero length packets. This patch should not affect other usbnet users, please also consider for -stable. Signed-off-by: Steve Glendinning Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 657453424a3c382035983f9a47306fafea730f6d Author: Eric Dumazet Date: Thu Sep 24 10:49:24 2009 +0000 net: Fix sock_wfree() race [ Upstream commit d99927f4d93f36553699573b279e0ff98ad7dea6 ] Commit 2b85a34e911bf483c27cfdd124aeb1605145dc80 (net: No more expensive sock_hold()/sock_put() on each tx) opens a window in sock_wfree() where another cpu might free the socket we are working on. A fix is to call sk->sk_write_space(sk) while still holding a reference on sk. Reported-by: Jike Song Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e3d38b579fe7fc60974e45e43034eab774c5a592 Author: Robert Varga Date: Tue Sep 15 23:49:21 2009 -0700 tcp: fix CONFIG_TCP_MD5SIG + CONFIG_PREEMPT timer BUG() [ Upstream commit 657e9649e745b06675aa5063c84430986cdc3afa ] I have recently came across a preemption imbalance detected by: <4>huh, entered ffffffff80644630 with preempt_count 00000102, exited with 00000101? <0>------------[ cut here ]------------ <2>kernel BUG at /usr/src/linux/kernel/timer.c:664! <0>invalid opcode: 0000 [1] PREEMPT SMP with ffffffff80644630 being inet_twdr_hangman(). This appeared after I enabled CONFIG_TCP_MD5SIG and played with it a bit, so I looked at what might have caused it. One thing that struck me as strange is tcp_twsk_destructor(), as it calls tcp_put_md5sig_pool() -- which entails a put_cpu(), causing the detected imbalance. Found on 2.6.23.9, but 2.6.31 is affected as well, as far as I can tell. Signed-off-by: Robert Varga Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 0568d3bf197d1e7db746d4a73cbd59b1850d23e6 Author: Kusanagi Kouichi Date: Wed Sep 16 21:36:13 2009 +0000 tun: Return -EINVAL if neither IFF_TUN nor IFF_TAP is set. [ Upstream commit 36989b90879c785f95b877bdcf65a2527dadd893 ] After commit 2b980dbd77d229eb60588802162c9659726b11f4 ("lsm: Add hooks to the TUN driver") tun_set_iff doesn't return -EINVAL though neither IFF_TUN nor IFF_TAP is set. Signed-off-by: Kusanagi Kouichi Reviewed-by: Paul Moore Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7d07d6b33de75277e8a387a37ea9fc78c131d8f4 Author: Miklos Szeredi Date: Fri Sep 11 11:31:45 2009 -0700 net: unix: fix sending fds in multiple buffers [ Upstream commit 8ba69ba6a324b13e1190fc31e41954d190fd4f1d ] Kalle Olavi Niemitalo reported that: "..., when one process calls sendmsg once to send 43804 bytes of data and one file descriptor, and another process then calls recvmsg three times to receive the 16032+16032+11740 bytes, each of those recvmsg calls returns the file descriptor in the ancillary data. I confirmed this with strace. The behaviour differs from Linux 2.6.26, where reportedly only one of those recvmsg calls (I think the first one) returned the file descriptor." This bug was introduced by a patch from me titled "net: unix: fix inflight counting bug in garbage collector", commit 6209344f5. And the reason is, quoting Kalle: "Before your patch, unix_attach_fds() would set scm->fp = NULL, so that if the loop in unix_stream_sendmsg() ran multiple iterations, it could not call unix_attach_fds() again. But now, unix_attach_fds() leaves scm->fp unchanged, and I think this causes it to be called multiple times and duplicate the same file descriptors to each struct sk_buff." Fix this by introducing a flag that is cleared at the start and set when the fds attached to the first buffer. The resulting code should work equivalently to the one on 2.6.26. Reported-by: Kalle Olavi Niemitalo Signed-off-by: Miklos Szeredi Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit d649563d3bac1c86bc04e425884825b642610228 Author: Eric Dumazet Date: Wed Sep 30 16:42:42 2009 -0700 net: restore tx timestamping for accelerated vlans [ Upstream commit 81bbb3d4048cf577b5babcb0834230de391a35c5 ] Since commit 9b22ea560957de1484e6b3e8538f7eef202e3596 ( net: fix packet socket delivery in rx irq handler ) We lost rx timestamping of packets received on accelerated vlans. Effect is that tcpdump on real dev can show strange timings, since it gets rx timestamps too late (ie at skb dequeueing time, not at skb queueing time) 14:47:26.986871 IP 192.168.20.110 > 192.168.20.141: icmp 64: echo request seq 1 14:47:26.986786 IP 192.168.20.141 > 192.168.20.110: icmp 64: echo reply seq 1 14:47:27.986888 IP 192.168.20.110 > 192.168.20.141: icmp 64: echo request seq 2 14:47:27.986781 IP 192.168.20.141 > 192.168.20.110: icmp 64: echo reply seq 2 14:47:28.986896 IP 192.168.20.110 > 192.168.20.141: icmp 64: echo request seq 3 14:47:28.986780 IP 192.168.20.141 > 192.168.20.110: icmp 64: echo reply seq 3 Signed-off-by: Eric Dumazet Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 269beb9907f3b4861744bf9009a029336af1d7a1 Author: Zhao Yakui Date: Sun Sep 27 03:30:51 2009 -0400 ACPI: fix Compaq Evo N800c (Pentium 4m) boot hang regression commit 3e2ada5867b7e9fa0b296d30fa8f3726ebd0a8b7 upstream. Don't disable ARB_DISABLE when the familary ID is 0x0F. http://bugzilla.kernel.org/show_bug.cgi?id=14211 This was a 2.6.31 regression, and so this patch needs to be applied to 2.6.31.stable Signed-off-by: Zhao Yakui Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 2f3102c63feca27dafa8e2add3fbb8bcc921a928 Author: Jean Delvare Date: Tue Sep 8 15:31:46 2009 +0200 ACPI: Clarify resource conflict message commit 14f03343ad1080c2fea29ab2c13f05b976c4584e upstream. The message "ACPI: Device needs an ACPI driver" is misleading. The device _may_ need an ACPI driver, if the BIOS implemented a custom API for the device in question (which, AFAIK, can't be checked.) If not, then either a generic ACPI driver may be used (for example "thermal"), or nothing can be done (other than a white list). I propose to reword the message to: ACPI: If an ACPI driver is available for this device, you should use it instead of the native driver which I think is more correct. Comments and suggestions welcome. I also added a message warning about possible problems and system instability when users pass acpi_enforce_resources=lax, as suggested by Len. Signed-off-by: Jean Delvare Cc: Thomas Renninger Cc: Alan Jenkins Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit 3ee41bac34c00a52fa91085ffcef445bc8df92a9 Author: Mimi Zohar Date: Wed Sep 2 11:40:32 2009 -0400 IMA: open new file for read commit 6c1488fd581a447ec87c4b59f0d33f95f0aa441b upstream. When creating a new file, ima_path_check() assumed the new file was being opened for write. Call ima_path_check() with the appropriate acc_mode so that the read/write counters are incremented correctly. Signed-off-by: Mimi Zohar Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 112a62ddb32952943517bd170f0eeb26a6f0738f Author: john stultz Date: Thu Oct 8 13:31:45 2009 -0700 PIT fixes to unbreak suspend/resume (bug #14222) Resolved differently upstream in commit 8cab02dc3c58a12235c6d463ce684dded9696848 Ondrej Zary reported a suspend/resume hang with 2.6.31 in bug #14222. http://bugzilla.kernel.org/show_bug.cgi?id=14222 The hang was bisected to c7121843685de2bf7f3afd3ae1d6a146010bf1fc however, that was really just the last straw that caused the issue. The problem was that on suspend, the PIT is removed as a clocksource, and was using the mult value essentially as a is_enabled() flag. The mult adjustments done in the commit above caused that usage to break, causing bad list manipulation and the oops. Further, on resume, the PIT clocksource is never restored, causing the system to run in a degraded mode with jiffies as the clocksource. This issue has since been resolved in 2.6.32-rc by commit 8cab02dc3c58a12235c6d463ce684dded9696848 which removes the clocksource disabling on suspend. Testing shows no issues there. So the following patch rectifies the situation for 2.6.31 users of the PIT clocksource that use suspend and resume (which is probably not that many). Many thanks to Ondrej for helping narrow down what was happening, what caused it, and verifying the fix. --------------- Avoid using the unprotected clocksource.mult value as an "is_registered" flag, instead us an explicit flag variable. This avoids possible list corruption if the clocksource is double-unregistered. Also re-register the PIT clocksource on resume so folks don't have to use jiffies after suspend. Signed-off-by: John Stultz Signed-off-by: Greg Kroah-Hartman commit 5a69ea23440767095f377bc80c3f9d756427129a Author: Bartlomiej Zolnierkiewicz Date: Tue Oct 6 14:46:05 2009 +0000 sis5513: fix PIO setup for ATAPI devices commit e13ee546bb06453939014c7b854e77fb643fd6f1 upstream. Clear prefetch setting before potentially (re-)enabling it in config_drive_art_rwp() so the transition of the device type on the port from ATA to ATAPI (i.e. during warm-plug operation) is handled correctly. This is a really old bug (it probably goes back to very early days of the driver) but it was only affecting warm-plug operation until the recent "ide: try to use PIO Mode 0 during probe if possible" change (commit 6029336426a2b43e4bc6f4a84be8789a047d139e). Signed-off-by: Bartlomiej Zolnierkiewicz Tested-by: David Fries Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20330dc6f74a8e11294ab2271b514bbdb21abb89 Author: Daisuke Nishimura Date: Mon Sep 21 17:02:50 2009 -0700 mm: add_to_swap_cache() must not sleep commit 31a5639623a487d6db996c8138c9e53fef2e2d91 upstream. After commit 355cfa73 ("mm: modify swap_map and add SWAP_HAS_CACHE flag"), read_swap_cache_async() will busy-wait while a entry doesn't exist in swap cache but it has SWAP_HAS_CACHE flag. Such entries can exist on add/delete path of swap cache. On add path, add_to_swap_cache() is called soon after SWAP_HAS_CACHE flag is set, and on delete path, swapcache_free() will be called (SWAP_HAS_CACHE flag is cleared) soon after __delete_from_swap_cache() is called. So, the busy-wait works well in most cases. But this mechanism can cause soft lockup if add_to_swap_cache() sleeps and read_swap_cache_async() tries to swap-in the same entry on the same cpu. This patch calls radix_tree_preload() before swapcache_prepare() and divides add_to_swap_cache() into two part: radix_tree_preload() part and radix_tree_insert() part(define it as __add_to_swap_cache()). Signed-off-by: Daisuke Nishimura Cc: KAMEZAWA Hiroyuki Cc: Balbir Singh Cc: Hugh Dickins Cc: Johannes Weiner Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 0833a1cc18c2bbb24baf62ca2be843e7688ffc0e Author: Jean Delvare Date: Fri Oct 2 09:55:19 2009 -0700 net: Fix wrong sizeof commit b607bd900051efc3308c4edc65dd98b34b230021 upstream. Which is why I have always preferred sizeof(struct foo) over sizeof(var). Signed-off-by: Jean Delvare Acked-by: Randy Dunlap Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 719a1256a0ecf6e181ac0ffe06c84550d5af6fe3 Author: Joerg Roedel Date: Mon Oct 12 11:42:44 2009 +0200 KVM: SVM: Handle tsc in svm_get_msr/svm_set_msr correctly commit 20824f30bb0b8ae0a4099895fd4509f54cf2e1e2 upstream. When running nested we need to touch the l1 guests tsc_offset. Otherwise changes will be lost or a wrong value be read. Signed-off-by: Joerg Roedel Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 89cc56416e963a723b568157e53fa4c796ffefa5 Author: Joerg Roedel Date: Mon Oct 12 11:41:51 2009 +0200 KVM: SVM: Fix tsc offset adjustment when running nested commit 77b1ab1732feb5e3dcbaf31d2f7547c5229f5f3a upstream. When svm_vcpu_load is called while the vcpu is running in guest mode the tsc adjustment made there is lost on the next emulated #vmexit. This causes the tsc running backwards in the guest. This patch fixes the issue by also adjusting the tsc_offset in the emulated hsave area so that it will not get lost. Signed-off-by: Joerg Roedel Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit ddf2acb72f3df470ce15eb23ee97cd3be23016f8 Author: Aurelien Jarno Date: Fri Sep 25 11:09:37 2009 +0200 KVM: fix LAPIC timer period overflow commit b2d83cfa3fdefe5c6573d443d099a18dc3a93c5f upstream. Don't overflow when computing the 64-bit period from 32-bit registers. Fixes sourceforge bug #2826486. Signed-off-by: Aurelien Jarno Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit ca9405b882ae10710c158d989f0c740242af2e28 Author: Marcelo Tosatti Date: Thu Oct 1 19:16:58 2009 -0300 KVM: VMX: flush TLB with INVEPT on cpu migration commit eb5109e311b5152c0614a28d7d615d087f268f19 upstream. It is possible that stale EPTP-tagged mappings are used, if a vcpu migrates to a different pcpu. Set KVM_REQ_TLB_FLUSH in vmx_vcpu_load, when switching pcpus, which will invalidate both VPID and EPT mappings on the next vm-entry. Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman commit 779632b438a79ab1ed1f0da390712b12db3b2a58 Author: Avi Kivity Date: Sun Oct 4 16:45:13 2009 +0200 KVM: Prevent overflow in KVM_GET_SUPPORTED_CPUID commit 6a54435560efdab1a08f429a954df4d6c740bddf upstream. The number of entries is multiplied by the entry size, which can overflow on 32-bit hosts. Bound the entry count instead. Reported-by: David Wagner Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 170fa2cc0c90885acdda6b71dd25b5d14960ed5b Author: Mark Brown Date: Mon Jun 29 11:17:10 2009 +0100 ASoC: WM8350 capture PGA mutes are inverted commit 5b7dde346881b12246669ae97b3a2793c27b32b6 upstream. Signed-off-by: Mark Brown Signed-off-by: Greg Kroah-Hartman commit 83a6b58ed602dd2d02ad93679033e128e5293257 Author: Clemens Ladisch Date: Tue Oct 6 08:21:04 2009 +0200 sound: via82xx: move DXS volume controls to PCM interface commit 2fb930b53f513cbc4c102d415d2923a8a7091337 upstream. The "VIA DXS" controls are actually volume controls that apply to the four PCM substreams, so we better indicate this connection by moving the controls to the PCM interface. Commit b452e08e73c0e3dbb0be82130217be4b7084299e in 2.6.30 broke the restoring of these volumes by "alsactl restore" that most distributions use; the renaming in this patch cures that regression by preventing alsactl from applying the old, wrong volume levels to the new controls. http://bugzilla.kernel.org/show_bug.cgi?id=14151 http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=532613 Signed-off-by: Clemens Ladisch Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7bbd09e13f297655290b892621a08ec4413dd07d Author: Tejun Heo Date: Tue Oct 6 17:08:40 2009 +0900 libata: fix incorrect link online check during probe commit 3b761d3d437cffcaf160a5d37eb6b3b186e491d5 upstream. While trying to work around spurious detection retries for non-existent devices on slave links, commit 816ab89782ac139a8b65147cca990822bb7e8675 incorrectly added link offline check logic before ata_eh_thaw() was called. This means that if an occupied link goes down briefly at the time that offline check was performed, device class will be cleared to ATA_DEV_NONE and libata wouldn't retry thus failing detection of the device. The offline check should be done after the port is thawed together with online check so that such link glitches can be detected by the interrupt handler and handled properly. Signed-off-by: Tejun Heo Reported-by: Tim Blechmann Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 99db179ffe7e2533c7796085e011f16d0f57518b Author: Mimi Zohar Date: Mon Oct 5 14:25:44 2009 -0400 ima: ecryptfs fix imbalance message commit 36520be8e32b49bd85a63b7b8b40cd07c3da59a5 upstream. The unencrypted files are being measured. Update the counters to get rid of the ecryptfs imbalance message. (http://bugzilla.redhat.com/519737) Reported-by: Sachin Garg Cc: Eric Paris Cc: Dustin Kirkland Cc: James Morris Cc: David Safford Signed-off-by: Mimi Zohar Signed-off-by: Tyler Hicks Signed-off-by: Greg Kroah-Hartman commit 94c517d6c84e819035f58a4748066d1929681d0e Author: Eero Nurkkala Date: Wed Oct 7 11:54:26 2009 +0300 NOHZ: update idle state also when NOHZ is inactive commit fdc6f192e7e1ae80565af23cc33dc88e3dcdf184 upstream. Commit f2e21c9610991e95621a81407cdbab881226419b had unfortunate side effects with cpufreq governors on some systems. If the system did not switch into NOHZ mode ts->inidle is not set when tick_nohz_stop_sched_tick() is called from the idle routine. Therefor all subsequent calls from irq_exit() to tick_nohz_stop_sched_tick() fail to call tick_nohz_start_idle(). This results in bogus idle accounting information which is passed to cpufreq governors. Set the inidle flag unconditionally of the NOHZ active state to keep the idle time accounting correct in any case. [ tglx: Added comment and tweaked the changelog ] Reported-by: Steven Noonan Signed-off-by: Eero Nurkkala Cc: Rik van Riel Cc: Venkatesh Pallipadi Cc: Steven Noonan LKML-Reference: <1254907901.30157.93.camel@eenurkka-desktop> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 627376bd3503801263df2ac2df6d5685026bb231 Author: Thomas Gleixner Date: Sun Oct 4 09:34:17 2009 +0200 futex: Fix locking imbalance commit eaaea8036d0261d87d7072c5bc88c7ea730c18ac upstream. Rich reported a lock imbalance in the futex code: http://bugzilla.kernel.org/show_bug.cgi?id=14288 It's caused by the displacement of the retry_private label in futex_wake_op(). The code unlocks the hash bucket locks in the error handling path and retries without locking them again which makes the next unlock fail. Move retry_private so we lock the hash bucket locks when we retry. Reported-by: Rich Ercolany Signed-off-by: Thomas Gleixner Cc: Peter Zijlstra Cc: Darren Hart LKML-Reference: Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 1c4dacc248f10d641c9ea3a65a8d260d28732e6e Author: Peter Zijlstra Date: Mon Oct 5 18:17:32 2009 +0200 futex: Nullify robust lists after cleanup commit fc6b177dee33365ccb29fe6d2092223cf8d679f9 upstream. The robust list pointers of user space held futexes are kept intact over an exec() call. When the exec'ed task exits exit_robust_list() is called with the stale pointer. The risk of corruption is minimal, but still it is incorrect to keep the pointers valid. Actually glibc should uninstall the robust list before calling exec() but we have to deal with it anyway. Nullify the pointers after [compat_]exit_robust_list() has been called. Reported-by: Anirban Sinha Signed-off-by: Peter Zijlstra Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 3e82b94373aeccc3624e228e40a60749f70deaf8 Author: Thomas Gleixner Date: Mon Oct 5 18:18:03 2009 +0200 futex: Move exit_pi_state() call to release_mm() commit 322a2c100a8998158445599ea437fb556aa95b11 upstream. exit_pi_state() is called from do_exit() but not from do_execve(). Move it to release_mm() so it gets called from do_execve() as well. Signed-off-by: Thomas Gleixner LKML-Reference: Cc: Anirban Sinha Cc: Peter Zijlstra Signed-off-by: Greg Kroah-Hartman commit 9cb696b8f6a4b034d2a0323aaf81a878c60199a5 Author: Darren Hart Date: Wed Oct 7 11:46:54 2009 -0700 futex: fix requeue_pi key imbalance commit da085681014fb43d67d9bf6d14bc068e9254bd49 upstream. If futex_wait_requeue_pi() wakes prior to requeue, we drop the reference to the source futex_key twice, once in handle_early_requeue_pi_wakeup() and once on our way out. Remove the drop from the handle_early_requeue_pi_wakeup() and keep the get/drops together in futex_wait_requeue_pi(). Reported-by: Helge Bahmann Signed-off-by: Darren Hart Cc: Helge Bahmann Cc: Peter Zijlstra Cc: Eric Dumazet Cc: Dinakar Guniguntala Cc: John Stultz LKML-Reference: <4ACCE21E.5030805@us.ibm.com> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 1afc593a47447345649bc850a07b0741b8aa3caf Author: Steven Rostedt Date: Wed Oct 7 16:57:56 2009 -0400 ftrace: check for failure for all conversions commit 3279ba37db5d65c4ab0dcdee3b211ccb85bb563f upstream. Due to legacy code from back when the dynamic tracer used a daemon, only core kernel code was checking for failures. This is no longer the case. We must check for failures any time we perform text modifications. Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 6e4be6c9d0044778a2ed1c88aafd95bd04f58705 Author: jolsa@redhat.com Date: Wed Oct 7 19:00:35 2009 +0200 tracing: correct module boundaries for ftrace_release commit e7247a15ff3bbdab0a8b402dffa1171e5c05a8e0 upstream. When the module is about the unload we release its call records. The ftrace_release function was given wrong values representing the module core boundaries, thus not releasing its call records. Plus making ftrace_release function module specific. Signed-off-by: Jiri Olsa LKML-Reference: <1254934835-363-3-git-send-email-jolsa@redhat.com> Signed-off-by: Steven Rostedt Signed-off-by: Greg Kroah-Hartman commit 23a27d5c189ac0c1d07182345498d40b73341e2a Author: Manoj Iyer Date: Tue Sep 22 18:33:29 2009 -0500 ALSA: hda - Added quirk to enable sound on Toshiba NB200 commit 3db6c037c6954ed6d98ef199938e4004fea96908 upstream. Patch was tested on Toshiba NB200 and is found to enable sound. Signed-off-by: Manoj Iyer Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ee39c2f3e1e667314c018c9fd1e205c97e746bd2 Author: Jan Beulich Date: Wed Sep 30 11:22:11 2009 +0100 x86: Don't leak 64-bit kernel register values to 32-bit processes commit 24e35800cdc4350fc34e2bed37b608a9e13ab3b6 upstream. While 32-bit processes can't directly access R8...R15, they can gain access to these registers by temporarily switching themselves into 64-bit mode. Therefore, registers not preserved anyway by called C functions (i.e. R8...R11) must be cleared prior to returning to user mode. Signed-off-by: Jan Beulich LKML-Reference: <4AC34D73020000780001744A@vpn.id2.novell.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4b5e77cb1f01c2eedbaa6979319a1c7a072ddedd Author: Linus Torvalds Date: Sat Oct 3 21:44:21 2009 -0700 tty: Avoid dropping ldisc_mutex over hangup tty re-initialization commit 0b5759c654e74c8dc317ea2c6b3a7476160f688a upstream. A couple of people have hit the WARN_ON() in drivers/char/tty_io.c, tty_open() that is unhappy about seeing the tty line discipline go away during the tty hangup. See for example http://bugzilla.kernel.org/show_bug.cgi?id=14255 and the reason is that we do the tty_ldisc_halt() outside the ldisc_mutex in order to be able to flush the scheduled work without a deadlock with vhangup_work. However, it turns out that we can solve this particular case by - using "cancel_delayed_work_sync()" in tty_ldisc_halt(), which waits for just the particular work, rather than synchronizing with any random outstanding pending work. This won't deadlock, since the buf.work we synchronize with doesn't care about the ldisc_mutex, it just flushes the tty ldisc buffers. - realize that for this particular case, we don't need to wait for any hangup work, because we are inside the hangup codepaths ourselves. so as a result we can just drop the flush_scheduled_work() entirely, and then move the tty_ldisc_halt() call to inside the mutex. That way we never expose the partially torn down ldisc state to tty_open(), and hold the ldisc_mutex over the whole sequence. Reported-by: Ingo Molnar Reported-by: Heinz Diehl Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 1611e307ab917e66fce335dd57f45aee266614ee Author: Samuel Thibault Date: Thu Oct 1 15:44:02 2009 -0700 x86: fix csum_ipv6_magic asm memory clobber commit 392d814daf460a9564d29b2cebc51e1ea34e0504 upstream. Just like ip_fast_csum, the assembly snippet in csum_ipv6_magic needs a memory clobber, as it is only passed the address of the buffer, not a memory reference to the buffer itself. This caused failures in Hurd's pfinetv4 when we tried to compile it with gcc-4.3 (bogus checksums). Signed-off-by: Samuel Thibault Cc: Ingo Molnar Cc: Thomas Gleixner Cc: "H. Peter Anvin" Acked-by: "David S. Miller" Cc: Andi Kleen Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman