commit e2984cbfddd5c8fac88b24d7e5f28e1cfb6f3838 Author: Greg Kroah-Hartman Date: Thu Oct 22 15:57:56 2009 -0700 Linux 2.6.31.5 Signed-off-by: Greg Kroah-Hartman commit 86d23a057e718f73adc15e463c643d6e014a19cd Author: Linus Torvalds Date: Wed Oct 14 08:59:49 2009 -0700 tty: Make flush_to_ldisc() locking more robust commit c8e33141911bf8fe87dc6c92793b9a59b2be0130 upstream. The locking logic in this function is extremely subtle, and it broke when we started doing potentially concurrent 'flush_to_ldisc()' calls in commit e043e42bdb66885b3ac10d27a01ccb9972e2b0a3 ("pty: avoid forcing 'low_latency' tty flag"). The code in flush_to_ldisc() used to set 'tty->buf.head' to NULL, with the intention that this would then cause any other concurrent calls to not do anything (locking note: we have to drop the buf.lock over the call to ->receive_buf that can block, which is why we can have concurrency here at all in the first place). It also used to set the TTY_FLUSHING bit, which would then cause any concurrent 'tty_buffer_flush()' to not free all the tty buffers and clear 'tty->buf.tail'. And with 'buf.head' being NULL, and 'buf.tail' being non-NULL, new data would never touch 'buf.head'. Does that sound a bit too subtle? It was. If another concurrent call to 'flush_to_ldisc()' were to come in, the NULL buf.head would indeed cause it to not process the buffer list, but it would still clear TTY_FLUSHING afterwards, making the buffer protection against 'tty_buffer_flush()' no longer work. So this clears it all up. We depend purely on TTY_FLUSHING for handling re-entrancy, and stop playing games with the buffer list entirely. In fact, the buffer list handling is now robust enough that we could probably stop doing the whole "protect against 'tty_buffer_flush()'" thing entirely. However, Alan also points out that we would probably be better off simplifying the locking even further, and just take the tty ldisc_mutex around all the buffer flushing calls. That seems like a good idea, but in the meantime this is a conceptually minimal fix (with the patch itself being bigger than required just to clean the code up and make it readable). This fixes keyboard trouble under X: http://bugzilla.kernel.org/show_bug.cgi?id=14388 Reported-and-tested-by: Frédéric Meunier Reported-and-tested-by: Boyan Cc: Alan Cox Cc: Paul Fulghum Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit c90aa19d5123cc84fe2260067a3348313349d262 Author: Johannes Berg Date: Thu Oct 1 22:06:29 2009 +0200 mac80211: fix vlan and optimise RX commit fbc44bf7177dfd61381da55405550b693943a432 upstream. When receiving data frames, we can send them only to the interface they belong to based on transmitting station (this doesn't work for probe requests). Also, don't try to handle other frames for AP_VLAN at all since those interface should only receive data. Additionally, the transmit side must check that the station we're sending a frame to is actually on the interface we're transmitting on, and not transmit packets to functions that live on other interfaces, so validate that as well. Another bug fix is needed in sta_info.c where in the VLAN case when adding/removing stations we overwrite the sdata variable we still need. Signed-off-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit eef5edb4ef6eeedf945b3bc81bc593804e522d7d Author: Jay Sternberg Date: Fri Oct 2 13:43:55 2009 -0700 iwlwifi: incorrect method used for finding valid OTP blocks commit 2facba769d7f9e563cf706de709074a2d20f1bba upstream. The address stored in the next link address is a word address but when reading the OTP blocks, a byte address is used. Also if the blocks are full and the last link pointer is not zero, then none of the blocks are valid so return an error. The algorithm is simply valid blocks have a next address and that address's contents is zero. Using the wrong address for the next link address gets arbitrary data, obviously. In cases seen, the first block is considered valid when it is not. If the block has in fact been invalidated there may be old data or there may be no data, bad data, or partial data, there is no way of telling. Without this patch it is possible that a device with valid OTP data is unable to work. Signed-off-by: Jay Sternberg Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 670add0a279e39e13a66876389c64d4f7dcf0379 Author: Benjamin Herrenschmidt Date: Tue Oct 13 15:53:47 2009 +1100 usb-storage: Workaround devices with bogus sense size commit b8430e1b82b7e514d76a88eb70a7d8831d50df1e upstream. usb-storage: Workaround devices with bogus sense size Some devices, such as Huawei E169, advertise more than the standard amount of sense data, causing us to set US_FL_SANE_SENSE, assuming they support it. However, they subsequently fail the request sense with that size. This works around it generically. When a sense request fails due to a device returning an error, US_FL_SANE_SENSE was set, and that sense request used a larger sense size, we retry with a smaller size before giving up. Based on an original patch by Ben Efros Signed-off-by: Benjamin Herrenschmidt Acked-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit b5a56fc94bcc0910870391da8778ba1c6d41bd3d Author: Darren Salt Date: Wed Oct 14 02:19:22 2009 +0100 Staging: rt2860sta: prevent a panic when disabling when associated commit 0af49167b1e5ba154e90d2c454bf4624ee47df80 upstream. This fixes a panic which is triggered when the hardware "disappears" from beneath the driver, i.e. when wireless is toggled off via Fn-F2 on various EeePC models. Ref. bug report http://bugzilla.kernel.org/show_bug.cgi?id=13390 panic http://bugzilla.kernel.org/attachment.cgi?id=21928 Signed-off-by: Darren Salt Signed-off-by: Greg Kroah-Hartman commit 5b78a7630478e3e10c6d3ca53b2cffbee4aa0b5b Author: Neil Brown Date: Tue Sep 15 16:05:51 2009 -0700 sysfs: Allow sysfs_notify_dirent to be called from interrupt context. commit 83db93f4de2d9ae441a491d1dc61c2204f0195de upstream. sysfs_notify_dirent is a simple atomic operation that can be used to alert user-space that new data can be read from a sysfs attribute. Unfortunately it cannot currently be called from non-process context because of its use of spin_lock which is sometimes taken with interrupts enabled. So change all lockers of sysfs_open_dirent_lock to disable interrupts, thus making sysfs_notify_dirent safe to be called from non-process context (as drivers/md does in md_safemode_timeout). sysfs_get_open_dirent is (documented as being) only called from process context, so it uses spin_lock_irq. Other places use spin_lock_irqsave. The usage for sysfs_notify_dirent in md_safemode_timeout was introduced in 2.6.28, so this patch is suitable for that and more recent kernels. Reported-by: Joel Andres Granados Signed-off-by: NeilBrown Signed-off-by: Dan Williams Signed-off-by: Greg Kroah-Hartman commit 0d4b093b89cf8aab0d478e6545c078a5dc08f73d Author: Michal Schmidt Date: Thu Aug 20 14:39:52 2009 -0700 bsdacct: switch credentials for writing to the accounting file commit d8e180dcd5bbbab9cd3ff2e779efcf70692ef541 upstream. When process accounting is enabled, every exiting process writes a log to the account file. In addition, every once in a while one of the exiting processes checks whether there's enough free space for the log. SELinux policy may or may not allow the exiting process to stat the fs. So unsuspecting processes start generating AVC denials just because someone enabled process accounting. For these filesystem operations, the exiting process's credentials should be temporarily switched to that of the process which enabled accounting, because it's really that process which wanted to have the accounting information logged. Signed-off-by: Michal Schmidt Acked-by: David Howells Acked-by: Serge Hallyn Signed-off-by: Andrew Morton Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 6a56395fa727528beb92ffe3b126068894fb7893 Author: Takashi Iwai Date: Thu Oct 1 07:46:33 2009 +0200 ALSA: Don't assume i2c device probing always succeeds commit 18c4078489fe064cc0ed08be3381cf2f26657f5f upstream. The client->driver pointer can be NULL when i2c-device probing fails in i2c_new_device(). This patch adds the NULL checks for client->driver and return the error instead of blind assumption of driver availability. Reported-by: Tim Shepard Cc: Jean Delvare Cc: Johannes Berg Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 91be0e881d6abf1da9903c831d20954f2325ce3e Author: Jean Delvare Date: Sun Oct 4 22:53:45 2009 +0200 i2c: Hide probe errors caused by ACPI resource conflicts commit 18669eabde2ff5fc446e72e043f0539059763438 upstream. When an ACPI resource conflict is detected, error messages are already printed by ACPI. There's no point in causing the driver core to print more error messages, so return one of the error codes for which no message is printed. This fixes bug #14293: http://bugzilla.kernel.org/show_bug.cgi?id=14293 Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit cdb2cc1110db0fbe2a2dddf86933248a904e3532 Author: Jean Delvare Date: Sun Oct 4 22:53:46 2009 +0200 macintosh: Don't assume i2c device probing always succeeds commit 6f6b35e133fe4313277b30fc1a7ea313875ea6c9 upstream. If i2c device probing fails, then there is no driver to dereference after calling i2c_new_device(). Stop assuming that probing will always succeed, to avoid NULL pointer dereferences. We have an easier access to the driver anyway. Signed-off-by: Jean Delvare Tested-by: Tim Shepard Cc: Colin Leroy Signed-off-by: Greg Kroah-Hartman commit 95852f92e969211e2c30d205e75d032cbc7e5cfc Author: Jean Delvare Date: Fri Oct 9 20:35:19 2009 +0200 MAINTAINERS: Fix Riku Voipio's address commit 05576a1e38e2d06dece32974c5218528d3fbc6e2 upstream. Signed-off-by: Jean Delvare Acked-by: Riku Voipio Signed-off-by: Greg Kroah-Hartman commit 112152cdd7dac9f82835f29d0fef2fb1961955bd Author: Alexander Duyck Date: Fri Oct 2 12:30:42 2009 +0000 e1000e: swap max hw supported frame size between 82574 and 82583 commit a825e00c98a2ee37eb2a0ad93b352e79d2bc1593 upstream. There appears to have been a mixup in the max supported jumbo frame size between 82574 and 82583 which ended up disabling jumbo frames on the 82574 as a result. This patch swaps the two so that this issue is resolved. This patch fixes http://bugzilla.kernel.org/show_bug.cgi?id=14261 Signed-off-by: Alexander Duyck Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Cc: Tim Gardner Signed-off-by: Greg Kroah-Hartman commit 127f1bdba584bc2aa2f910273b6b5701d5bad3ed Author: Philipp Reisner Date: Tue Oct 13 11:28:18 2009 +0200 uvesafb/connector: Disallow unpliviged users to send netlink packets (cherry picked from commit 30efa3f76813b17445bc5a2e443ae9731518566b) Signed-off-by: Philipp Reisner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 85a79fc56eaee6587d19971b5348261773c1c507 Author: Philipp Reisner Date: Tue Oct 13 11:28:17 2009 +0200 pohmelfs/connector: Disallow unpliviged users to configure pohmelfs (cherry picked from commit 0179065b13b354cc0b940e7a632a65ec0448beff) Signed-off-by: Philipp Reisner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 060425ef1d42f59b9b3faed31406e9e59c7464a0 Author: Philipp Reisner Date: Tue Oct 13 11:28:16 2009 +0200 dst/connector: Disallow unpliviged users to configure dst (cherry picked from commit dbbb3431228784612848a1ec6061c78b4b708b5c) Signed-off-by: Philipp Reisner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit e1a7338bc0da30633357c84be4df222a1bdbfd99 Author: Philipp Reisner Date: Tue Oct 13 11:28:15 2009 +0200 dm/connector: Only process connector packages from privileged processes (cherry picked from commit 93136335f9ad7a98b92eacda1b43dccbf063cd07) Signed-off-by: Philipp Reisner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit dfd930656cbaff1f6082942a3faac63e62a6bb92 Author: Philipp Reisner Date: Tue Oct 13 11:28:14 2009 +0200 connector: Removed the destruct_data callback since it is always kfree_skb() (cherry picked from commit f4b5129f5e838942f759c2637967441cf4a98c20) Signed-off-by: Philipp Reisner Acked-by: Lars Ellenberg Acked-by: Evgeniy Polyakov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a577badd70c3c1bb8b263dad8fe417fab4b66f0d Author: Philipp Reisner Date: Tue Oct 13 11:28:13 2009 +0200 connector: Provide the sender's credentials to the callback commit 7069331dbe7155f23966f5944109f909fea0c7e4 upstream Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg Acked-by: Evgeniy Polyakov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 850c7267d5bfa1ae0211426367b2555e6935e01c Author: Philipp Reisner Date: Tue Oct 13 11:28:12 2009 +0200 connector: Keep the skb in cn_callback_data (cherry picked from commit 5491c43845dae6c68cb4edbcf2e2dde9a32a863d) Signed-off-by: Philipp Reisner Signed-off-by: Lars Ellenberg Acked-by: Evgeniy Polyakov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6dabadea778406c0c6701ba5aa37e669a524dbd8 Author: Marcel Holtmann Date: Sat Aug 22 14:22:15 2009 -0700 Bluetooth: Let HIDP grab the device reference for connections commit edad63886993d18ab800c49f6587a93432ef8b35 upstream. The core exports the hci_conn_hold_device() and hci_conn_put_device() functions for device reference of connections. Use this to ensure that the uevents from the parent are send after the child ones. Based on a report by Brian Rogers Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 34976a3ca81f3f5a250ba6074bda0848e97cf2e9 Author: Marcel Holtmann Date: Sat Aug 22 14:19:26 2009 -0700 Bluetooth: Add extra device reference counting for connections commit 9eba32b86d17ef87131fa0bce43c614904ab5781 upstream. The device model itself has no real usable reference counting at the moment and this causes problems if parents are deleted before their children. The device model itself handles the memory details of this correctly, but the uevent order is not consistent. This causes various problems for systems like HAL or even X. So until device_put() does a proper cleanup, the device for Bluetooth connection will be protected with an extra reference counting to ensure the correct order of uevents when connections are terminated. This is not an automatic feature. Higher Bluetooth layers like HIDP or BNEP should grab this new reference to ensure that their uevents are send before the ones from the parent device. Based on a report by Brian Rogers Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit e6b29924d809c3e9e66e550c032f3cc6a3d39d6f Author: Marcel Holtmann Date: Sat Aug 22 14:15:53 2009 -0700 Bluetooth: Disconnect HIDRAW devices on disconnect commit 364f63519d94442ed373ac7da79033c8282df46a upstream. Currently the HID subsystem will create HIDRAW devices for the transport driver, but it will not disconnect them. Until the HID subsytem gets fixed, ensure that HIDRAW and HIDDEV devices are disconnected when the Bluetooth HID device gets removed. Based on a patch from Brian Rogers Signed-off-by: Marcel Holtmann Signed-off-by: Greg Kroah-Hartman commit 928770fb4a39a86715363c8a7172c8b66e8145f8 Author: Rajiv Andrade Date: Wed Sep 30 12:26:55 2009 -0300 TPM: fix pcrread commit 15d031c394e7bef9da4ec764e6b0330d701a0126 upstream. The previously sent patch: http://marc.info/?l=tpmdd-devel&m=125208945007834&w=2 Had its first hunk cropped when merged, submitting only this first hunk again. Signed-off-by: Jason Gunthorpe Cc: Debora Velarde Cc: Marcel Selhorst Cc: James Morris Signed-off-by: Andrew Morton Signed-off-by: Rajiv Andrade Acked-by: Mimi Zohar Tested-by: Mimi Zohar Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 470308594a9f0bc9ed51d863fa9b258a472d1a0f Author: Jason Gunthorpe Date: Fri Sep 18 12:54:24 2009 -0700 tpm-fixup-pcrs-sysfs-file-update commit 0afd9056f1b43c9fcbfdf933b263d72023d382fe upstream. Signed-off-by: Jason Gunthorpe Cc: Debora Velarde Cc: Rajiv Andrade Cc: Marcel Selhorst Cc: James Morris Signed-off-by: Andrew Morton Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit eb20f6f5ae9b4198039f30d9177baf226488c15c Author: Darren Hart Date: Mon Sep 21 22:30:38 2009 -0700 futex: Fix wakeup race by setting TASK_INTERRUPTIBLE before queue_me() commit 0729e196147692d84d4c099fcff056eba2ed61d8 upstream. PI futexes do not use the same plist_node_empty() test for wakeup. It was possible for the waiter (in futex_wait_requeue_pi()) to set TASK_INTERRUPTIBLE after the waker assigned the rtmutex to the waiter. The waiter would then note the plist was not empty and call schedule(). The task would not be found by any subsequeuent futex wakeups, resulting in a userspace hang. By moving the setting of TASK_INTERRUPTIBLE to before the call to queue_me(), the race with the waker is eliminated. Since we no longer call get_user() from within queue_me(), there is no need to delay the setting of TASK_INTERRUPTIBLE until after the call to queue_me(). The FUTEX_LOCK_PI operation is not affected as futex_lock_pi() relies entirely on the rtmutex code to handle schedule() and wakeup. The requeue PI code is affected because the waiter starts as a non-PI waiter and is woken on a PI futex. Remove the crusty old comment about holding spinlocks() across get_user() as we no longer do that. Correct the locking statement with a description of why the test is performed. Signed-off-by: Darren Hart Acked-by: Peter Zijlstra Cc: Steven Rostedt Cc: Eric Dumazet Cc: Dinakar Guniguntala Cc: John Stultz LKML-Reference: <20090922053038.8717.97838.stgit@Aeon> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit e43391f135ddf1cefc305bed9ce18d34b07bdcdd Author: Darren Hart Date: Thu Aug 13 17:36:53 2009 -0700 futex: Detect mismatched requeue targets commit 84bc4af59081ee974dd80210e694ab59ebe51ce8 upstream. There is currently no check to ensure that userspace uses the same futex requeue target (uaddr2) in futex_requeue() that the waiter used in futex_wait_requeue_pi(). A mismatch here could very unexpected results as the waiter assumes it either wakes on uaddr1 or uaddr2. We could detect this on wakeup in the waiter, but the cleanup is more intense after the improper requeue has occured. This patch stores the waiter's expected requeue target in a new requeue_pi_key pointer in the futex_q which futex_requeue() checks prior to attempting to do a proxy lock acquistion or a requeue when requeue_pi=1. If they don't match, return -EINVAL from futex_requeue, aborting the requeue of any remaining waiters. Signed-off-by: Darren Hart Cc: Peter Zijlstra Cc: Eric Dumazet Cc: John Kacur Cc: Dinakar Guniguntala Cc: John Stultz LKML-Reference: <20090814003650.14634.63916.stgit@Aeon> Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit af0ce40996ee98e12357f2a4775d6a65a7f54734 Author: David Woodhouse Date: Tue Aug 4 09:17:20 2009 +0100 intel-iommu: Cope with broken HP DC7900 BIOS commit 0815565adfe3f4c369110c57d8ffe83caefeed68 upstream. Yet another reason why trusting this stuff to the BIOS was a bad idea. The HP DC7900 BIOS reports an iommu at an address which just returns all ones, when VT-d is disabled in the BIOS. Fix up the missing iounmap in the error paths while we're at it. Signed-off-by: David Woodhouse Cc: Arto Jantunen Signed-off-by: Greg Kroah-Hartman commit e0ab4ae09ab13b48360eeaac49f03ffd3c89b934 Author: Sam Ravnborg Date: Sun Sep 20 12:28:22 2009 +0200 arm, cris, mips, sparc, powerpc, um, xtensa: fix build with bash 4.0 commit 51b563fc93c8cb5bff1d67a0a71c374e4a4ea049 upstream. Albin Tonnerre reported: Bash 4 filters out variables which contain a dot in them. This happends to be the case of CPPFLAGS_vmlinux.lds. This is rather unfortunate, as it now causes build failures when using SHELL=/bin/bash to compile, or when bash happens to be used by make (eg when it's /bin/sh) Remove the common definition of CPPFLAGS_vmlinux.lds by pushing relevant stuff to either Makefile.build or the arch specific kernel/Makefile where we build the linker script. This is also nice cleanup as we move the information out where it is used. Notes for the different architectures touched: arm - we use an already exported symbol cris - we use a config symbol aleady available [Not build tested] mips - the jiffies complexity has moved to vmlinux.lds.S where we need it. Added a few variables to CPPFLAGS - they are only used by the linker script. [Not build tested] powerpc - removed assignment that is not needed [not build tested] sparc - simplified it using $(BITS) um - introduced a few new exported variables to deal with this xtensa - added options to CPP invocation [not build tested] Cc: Albin Tonnerre Cc: Russell King Cc: Mikael Starvik Cc: Jesper Nilsson Cc: Benjamin Herrenschmidt Cc: Paul Mackerras Cc: "David S. Miller" Cc: Jeff Dike Cc: Chris Zankel Signed-off-by: Sam Ravnborg Signed-off-by: Greg Kroah-Hartman commit 4e45dde88210d0f4300675470b666979de88e965 Author: Alan Stern Date: Tue Oct 6 14:07:57 2009 -0400 USB: storage: When a device returns no sense data, call it a Hardware Error commit f1a0743bc0e7a30c032b1eb78f6a2b0f805b4597 upstream. This patch (as1294) fixes a problem that has plagued users for several kernel releases. Some USB mass-storage devices don't return any sense data when they encounter certain kinds of errors. The SCSI layer interprets this to mean that the operation should be retried, and the same thing happens -- over and over again with no limit. In some circumstances (such as when a bus reset occurs) that is the right thing to do, but not here. The patch checks for this condition (a transport failure with no sense data) and changes the result code to DID_ERROR and the sense code to Hardware Error. This does get only a limited number of retries, and so the command will fail relatively quickly instead of getting stuck in an infinite loop. This fixes a large part of Bugzilla #14118. Signed-off-by: Alan Stern Tested-by: Mantas Mikulenas Signed-off-by: Greg Kroah-Hartman commit ef6a2d7173326557fc172598ce10171dc541ce69 Author: Joris van Rantwijk Date: Thu Sep 24 20:20:20 2009 +0200 USB: Fix throttling in generic usbserial driver commit 63a9609513007537a0b23ac511fd73f9bd609ea0 upstream. The generic usbserial driver in Linux 2.6.31 halts its receiving channel in response to throttle requests from the line discipline. Unfortunately it drops the contents of the first URB received after throttling takes effect. This patch corrects that problem. Signed-off-by: Joris van Rantwijk Acked-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 286246bae2d44bb3b1533366e4f435bff337ceb0 Author: Éric Piel Date: Sun Oct 4 13:45:07 2009 +0200 USB: cp210x: Add support for the DW700 UART commit 6f88139eb9eae8003683689f93402264a73fb754 upstream. In the Dell inspiron mini 10, the GPS is connected via a cp2102. This patch adds detection of this USB device. (I haven't managed to use the GPS under Linux yet, though) Signed-off-by: Éric Piel Signed-off-by: Greg Kroah-Hartman commit 1a0da0e58df9667ec9b77c4c222a380c23344977 Author: Alan Stern Date: Mon Oct 5 15:53:58 2009 -0400 USB: ipaq: fix oops when device is plugged in commit 06bad89da686f6323e95cf925105e8cf88d87caf upstream. This patch (as1293) fixes a problem with the ipaq serial driver. It tries to bind to all the interfaces, even those that don't have enough endpoints. The symptom is an invalid memory reference and oops when the device is plugged in. Signed-off-by: Alan Stern Tested-by: Matthias Geissert Tested-by: Tilman Schmidt Signed-off-by: Greg Kroah-Hartman commit 3d22a3e78eaef3c53f63b9010b1cee4533a9fe59 Author: Peter Magdina Date: Wed Oct 7 16:22:17 2009 +0200 USB: option: Toshiba G450 device id commit 75f47214f90e996eb184eb6e6b0e8b817999c8f7 upstream. Signed-off-by: Peter Magdina Signed-off-by: Greg Kroah-Hartman commit dd02f3999f68aadaf7b3e61586fda3f5caac3ead Author: Alan Stern Date: Fri Oct 9 12:43:12 2009 -0400 USB: serial: don't call release without attach commit a4720c650b68a5fe7faed2edeb0ad12645f7ae63 upstream. This patch (as1295) fixes a recently-added bug in the USB serial core. If certain kinds of errors occur during probing, the core may call a serial driver's release method without previously calling the attach method. This causes some drivers (io_ti in particular) to perform an invalid memory access. The patch adds a new flag to keep track of whether or not attach has been called. Signed-off-by: Alan Stern Tested-by: Jean-Denis Girard Signed-off-by: Greg Kroah-Hartman commit f33206c1e3c1a34ba76d9a009a0bdde63ef9248d Author: Johan Hovold Date: Tue Sep 29 12:39:23 2009 +0200 USB: digi_acceleport: Fix broken unthrottle. commit ba6b702f85a61561d329c4c11d3ed95604924f9a upstream. This patch fixes a regression introduced in 39892da44b21b5362eb848ca424d73a25ccc488f. Signed-off-by: Johan Hovold Acked-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 1286d6703bcfce075676b6fe723058abd3ff68bb Author: Johan Hovold Date: Thu Oct 8 11:36:46 2009 +0200 USB: pl2303: fix error characters not being reported to ldisc commit 9388e2e71a51fab0aa2309bbb45e8a23d89a95a9 upstream. Fix regression introduced by commit d4fc4a7bfc2dee626f4fec1e209e58eaa4312de6 (tty: Fix the PL2303 private methods for sysrq). Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit c3c7e4b94878b3f85a9f5ab10c47e8d4ef531663 Author: Johan Hovold Date: Wed Oct 7 20:05:07 2009 +0200 USB: ftdi_sio: re-implement read processing commit cc01f17d5cb8ac604108515735aeca72e17944c1 upstream. - Re-structure read processing. - Kill obsolete work queue and always push to tty in completion handler. - Use tty_insert_flip_string instead of per character push when possible. - Fix stalled-read regression in 2.6.31 by using urb status to determine when port is closed rather than port count. - Fix race with open/close by checking ASYNCB_INITIALIZED in unthrottle. - Kill private rx_flag and lock and use throttle flags in usb_serial_port instead. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 990399b24d86bb171ff21c333109b0dd05fae669 Author: Johan Hovold Date: Wed Oct 7 20:05:06 2009 +0200 USB: ftdi_sio: clean up read completion handler commit e63e278b4d2d867893962d3c7cd13a3a24ceb3f1 upstream. Remove superfluous error checks in completion handler: - No need to check private data and urb pointers as we check urb-status before dereferencing priv (which is not freed until urb has been killed on close). - No need to check tty as it is checked again when processing. - No need to check urb->number_of_packets on bulk urb. Note that both private data and tty are checked again before processing (possibly from work queue which also is cancelled on close). Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit f604f3b1271d5eea4e9edd067d93063f99b628b2 Author: Johan Hovold Date: Wed Oct 7 20:05:05 2009 +0200 USB: ftdi_sio: remove unused rx_byte counter commit 63b0061246b54b849da8f189ae048e8110d8ce7d upstream. Remove unused rx_byte counter which is never exposed as noted by Alan Cox. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit bd67850fbc2e4bf38d6af8b0a9d271f333652778 Author: Johan Hovold Date: Wed Oct 7 20:05:04 2009 +0200 USB: ftdi_sio: remove tty->low_latency commit 0cbd81a9f6bac734ac3266687bf027af1e395270 upstream. Fixes tty_flip_buffer_push being called from hard interrupt context with low_latency set. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman Signed-off-by: Greg Kroah-Hartman commit 33b6563da26335fbe6834b743ddd00fa8f7ab09a Author: Jeremy Fitzhardinge Date: Mon Oct 12 16:32:43 2009 -0700 x86/paravirt: Use normal calling sequences for irq enable/disable commit 71999d9862e667f1fd14f8fbfa0cce6d855bad3f upstream. Bastian Blank reported a boot crash with stackprotector enabled, and debugged it back to edx register corruption. For historical reasons irq enable/disable/save/restore had special calling sequences to make them more efficient. With the more recent introduction of higher-level and more general optimisations this is no longer necessary so we can just use the normal PVOP_ macros. This fixes some residual bugs in the old implementations which left edx liable to inadvertent clobbering. Also, fix some bugs in __PVOP_VCALLEESAVE which were revealed by actual use. Reported-by: Bastian Blank Signed-off-by: Jeremy Fitzhardinge Cc: Xen-devel LKML-Reference: <4AD3BC9B.7040501@goop.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 9b0db64dfad6f22d1b3bd85b337f265fac06cca2 Author: Li Zefan Date: Tue Oct 13 09:28:57 2009 +0800 tracing/filters: Fix memory leak when setting a filter commit 8ad807318fcd62aba0e18c7c7fbfcc1af3fcdbab upstream. Every time we set a filter, we leak memory allocated by postfix_append_operand() and postfix_append_op(). Signed-off-by: Li Zefan Cc: Steven Rostedt Cc: Frederic Weisbecker Cc: Tom Zanussi LKML-Reference: <4AD3D7D9.4070400@cn.fujitsu.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 7dcbbf5f57403896066303ca2d71f6306e4b0687 Author: Dennis O'Brien Date: Sat Oct 10 15:08:52 2009 +0800 ARM: pxa: workaround errata #37 by not using half turbo switching commit 4367216a099b4df3fa2c4f2b086cda1a1e9afc4e upstream. PXA27x Errata #37 implies system will hang when switching into or out of half turbo (HT bit in CLKCFG) mode, workaround this by not using it. Signed-off-by: Dennis O'Brien Signed-off-by: Eric Miao Signed-off-by: Greg Kroah-Hartman commit c961be555eb557b9e3e8403c0d6573dc432cff5e Author: Christof Schmitt Date: Thu Sep 17 09:10:14 2009 +0200 SCSI: sg: Free data buffers after calling blk_rq_unmap_user commit e27168f8c337b12b8aa8d59c3123c79d2f83603d upstream. Running sg_luns on s390x with CONFIG_DEBUG_PAGEALLOC enabled fails with EFAULT from the SG_IO ioctl. The EFAULT is the result from copy_to_user failing in this call chain: sg_ioctl sg_new_read sg_finish_rem_req blk_rq_unmap_user __blk_rq_unmap_user bio_uncopy_user __bio_copy_iov copy_to_user The sg driver calls sg_remove_scat to free the memory pages before calling blk_rq_unmap_user that tries to copy the data back to userspace. Change the order to first call blk_rq_unmap_user before freeing the pages in sg_remove_scat. Acked-by: FUJITA Tomonori Signed-off-by: Christof Schmitt Acked-by: Douglas Gilbert Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit b509b9bd9966e8922bc44e77abe2fea6d8e1c2db Author: Martin K. Petersen Date: Fri Sep 18 17:33:01 2009 -0400 SCSI: Fix protection scsi_data_buffer leak commit b4c2554d40ceac130a8d062eaa8838ed22158c45 upstream. We would leak a scsi_data_buffer if the free_list command was of the protected variety. Reported-by: Boaz Harrosh Signed-off-by: Martin K. Petersen Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman commit 39335b18d59c1ae551d218e4f4a5f1a70aa98687 Author: Hannes Reinecke Date: Thu Sep 17 17:00:26 2009 +0200 SCSI: Retry ADD_TO_MLQUEUE return value for EH commands commit 6e883b0e42739aa560133cfaf41be1138c51a500 upstream. A target reset when I/O is ongoing might result an eventual device offline, as scsi_eh_completed_normally() might return ADD_TO_MLQUEUE in addition to the advertised SUCCESS, FAILED, and NEEDS_RETRY. Which is unfortunate as scsi_send_eh_cmnd() will therefore map ADD_TO_MLQUEUE to FAILED instead of the more appropriate NEEDS_RETRY. Signed-off-by: Hannes Reinecke Signed-off-by: James Bottomley Signed-off-by: Greg Kroah-Hartman