commit 120f68c426e746771e8c09736c0f753822ff3f52
Author: Greg Kroah-Hartman
Date:   Mon Nov 9 16:32:31 2009 -0800

    Linux 2.6.31.6

commit ee2c54041db5404353aa768ba1ec6e4fbda7ef5f
Author: Rafael J. Wysocki
Date:   Tue Nov 3 10:54:58 2009 +0100

    PM / yenta: Split resume into early and late parts (rev. 4)

    commit 9905d1b411946fb3fb228e8c6529fd94afda8a92 upstream.

    Commit 0c570cdeb8fdfcb354a3e9cd81bfc6a09c19de0c
    (PM / yenta: Fix cardbus suspend/resume regression) caused resume to
    fail on systems with two CardBus bridges. While the exact nature of
    the failure is not known at the moment, it can be worked around by
    splitting the yenta resume into an early part, executed during the
    early phase of resume, that will only resume the socket and power it
    up if there was a card in it during suspend, and a late part,
    executed during "regular" resume, that will carry out all of the
    remaining yenta resume operations.

    Fixes http://bugzilla.kernel.org/show_bug.cgi?id=14334, which is a
    listed regression from 2.6.31.

    Signed-off-by: Rafael J. Wysocki
    Acked-by: Dominik Brodowski
    Reported-by: Stephen J. Gowdy
    Tested-by: Jose Marino
    Signed-off-by: Greg Kroah-Hartman

commit 54fb902e50fee7b3c39d31853805f849edfdd62e
Author: JosephChan@via.com.tw
Date:   Fri Oct 16 15:45:23 2009 +0800

    pata_via: extend the rev_max for VT6330

    commit 7d948b1114c7eded14e5a31f440af751d70ecde0 upstream.

    Fix the VT6330 issue, it's because the rev_max of VT6330 exceeds 0x2f.
    The VT6415 and VT6330 share the same device ID.

    Signed-off-by: Joseph Chan
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 8def1ff84d14a68872dd998909a0398c7cfecdc4
Author: JosephChan@via.com.tw
Date:   Mon Nov 2 19:36:08 2009 +0800

    sata_via: Remove redundant device ID for VIA VT8261

    commit f38e35b43f2924b3b4e51147b7193f32e9276db4 upstream.

    Just remove redundant device ID for VIA VT8261.
    The device ID 0x9000 and 0x9040 are redundant (for VT8261).
    The 0x9040 is reserved for other usage.

    Signed-off-by: Joseph Chan
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 20cde25b833745a42ae7591592ec527653b569b4
Author: Benjamin Herrenschmidt
Date:   Mon Aug 31 21:34:36 2009 +0000

    powerpc: Fix some late PowerMac G5 with PCIe ATI graphics

    commit cede3930f0ca6fef353fa01306c72a01420bd45e upstream.

    A misconfiguration by the firmware of the U4 PCIe bridge on PowerMac G5
    with the U4 bridge (latest generations, may also affect the iMac G5
    "iSight") is causing us to re-assign the PCI BARs of the video card,
    which can get it out of sync with the firmware, thus breaking offb.

    This works around it by fixing up the bridge configuration properly
    at boot time. It also fixes a bug where the firmware provides us with
    an incorrect set of accessible regions in the device-tree.

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 01ab8be189e37f37ede8bd9532bd22198062d631
Author: Andre Detsch
Date:   Wed Nov 4 13:03:19 2009 -0200

    powerpc/pci: Fix regression in powerpc MSI-X

    commit 8435b027b87a78145992c37b0b8ed0f1b7761bf0 upstream.

    Patch f598282f5145036312d90875d0ed5c14b49fd8a7 exposed a problem in
    powerpc MSI-X functionality, making network interfaces such as ixgbe
    and cxgb3 stop to work when MSI-X is enabled. RX interrupts were not
    being generated.

    The problem was caused because MSI irq was not being effectively
    unmasked after device initialization.

    Signed-off-by: Andre Detsch
    Signed-off-by: Michael Ellerman
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 6b05a888adf307827a8cc960a6f660555bf9a683
Author: Benjamin Herrenschmidt
Date:   Fri Oct 9 11:27:54 2009 +0000

    powerpc/pmac: Fix issues with sleep on some powerbooks

    commit 11a50873ef2b3c1c3fe99a661c22c08f35d93553 upstream.

    Since the change of how interrupts are disabled during suspend,
    certain PowerBook models started exhibiting various issues during
    suspend or resume from sleep.
    I finally tracked it down to the code that runs various "platform"
    functions (kind of little scripts extracted from the device-tree),
    which uses our i2c and PMU drivers expecting interrupts to work, and
    at a time where with the new scheme, they have been disabled.

    This causes timeouts internally which for some reason results in
    the PMU being unable to see the trackpad, among other issues, really
    it depends on the machine. Most of the time, we fail to properly adjust
    some clocks for suspend/resume so the results are not always predictable.

    This patch fixes it by using IRQF_TIMER for both the PMU and the I2C
    interrupts. I prefer doing it this way than moving the call sites since
    I really want those platform functions to still be called after all
    drivers (and before sysdevs).

    We also do a slight cleanup to via-pmu.c driver to make sure the
    ADB autopoll mask is handled correctly when doing bus resets

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit e434e9fc1661989db1a39b6f5be29c39e13b419a
Author: Benjamin Herrenschmidt
Date:   Tue Jul 14 20:56:58 2009 +0000

    powerpc/pmac: Fix PowerSurge SMP IPI allocation

    commit 527b3639616b21c257518ee7c26fbf05232db0c0 upstream.

    The code for setting up the IPIs for SMP PowerSurge machines bitrot,
    it needs to properly map the HW interrupt number

    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 6fa5a4d48a5cb7aa452cc34120f9122301ec8c93
Author: Darrick J. Wong
Date:   Fri Nov 6 12:00:51 2009 -0200

    KVM: Prevent kvm_init from corrupting debugfs structures

    commit: 0ea4ed8e948c30f88c824c973ee4b9529015fe65 upstream

    I'm seeing an oops condition when kvm-intel and kvm-amd are modprobe'd
    during boot (say on an Intel system) and then rmmod'd:

       # modprobe kvm-intel
         kvm_init()
         kvm_init_debug()
         kvm_arch_init()  <-- stores debugfs dentries internally
         (success, etc)

       # modprobe kvm-amd
         kvm_init()
         kvm_init_debug() <-- second initialization clobbers kvm's
                              internal pointers to dentries
         kvm_arch_init()
         kvm_exit_debug() <-- and frees them

       # rmmod kvm-intel
         kvm_exit()
         kvm_exit_debug() <-- double free of debugfs files!

         *BOOM*

    If execution gets to the end of kvm_init(), then the calling module has
    been established as the kvm provider. Move the debugfs initialization to
    the end of the function, and remove the now-unnecessary call to
    kvm_exit_debug() from the error path. That way we avoid trampling on the
    debugfs entries and freeing them twice.

    Signed-off-by: Darrick J. Wong
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 77608cc64e305111725bbefe7d238d9f6da38c5d
Author: Joerg Roedel
Date:   Wed Oct 28 18:02:26 2009 +0100

    x86/amd-iommu: Un__init function required on shutdown

    commit ca0207114f1708b563f510b7781a360ec5b98359 upstream.

    The function iommu_feature_disable is required on system
    shutdown to disable the IOMMU but it is marked as __init.
    This may result in a panic if the memory is reused. This
    patch fixes this bug.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit de59170f391ea08e7ebb1e85e687a5df96985fcb
Author: Reinette Chatre
Date:   Thu Sep 17 10:43:56 2009 -0700

    iwlwifi: reduce noise when skb allocation fails

    commit f82a924cc88a5541df1d4b9d38a0968cd077a051 upstream.

    Replenishment of receive buffers is done in the tasklet handling
    received frames as well as in a workqueue. When we are in the tasklet
    we cannot sleep and thus attempt atomic skb allocations.
    It is generally not a big problem if this fails since iwl_rx_allocate
    is always followed by a call to iwl_rx_queue_restock which will queue
    the work to replenish the buffers at a time when sleeping is allowed.

    We thus add the __GFP_NOWARN to the skb allocation in iwl_rx_allocate
    to reduce the noise if such an allocation fails while we still have
    enough buffers. We do maintain the warning and the error message when
    we are low on buffers to communicate to the user that there is a
    potential problem with memory availability on system

    This addresses issue reported upstream in thread "iwlagn: order 2 page
    allocation failures" in
    http://thread.gmane.org/gmane.linux.kernel.wireless.general/39187

    Signed-off-by: Reinette Chatre
    Acked-by: Mel Gorman
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit a8d37f2ebd5ef08a169ecf7c7fb52c2ef4037cec
Author: Reinette Chatre
Date:   Fri Sep 11 10:38:12 2009 -0700

    iwlwifi: fix potential rx buffer loss

    commit de0bd50845eb5935ce3d503c5d2f565d6cb9ece1 upstream.

    RX handling maintains a few lists that keep track of the RX buffers.
    Buffers move from one list to the other as they are used, replenished,
    and again made available for usage. In one such instance, when a buffer
    is used it enters the "rx_used" list. When buffers are replenished an
    skb is attached to the buffer and it is moved to the "rx_free" list.
    The problem here is that the buffer is first removed from the "rx_used"
    list _before_ the skb is allocated. Thus, if the skb allocation fails
    this buffer remains removed from the "rx_used" list and is thus lost
    for future usage.

    Fix this by first allocating the skb before trying to attach it to a
    list. We add an additional check to not do this unnecessarily.

    Reported-by: Rick Farrington
    Signed-off-by: Reinette Chatre
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 49fae454bb8ca92b5ff999cc823ac60caf2ccb61
Author: Ingo Molnar
Date:   Tue Sep 22 15:50:24 2009 +0200

    x86: mce: Fix thermal throttling message storm

    commit b417c9fd8690637f0c91479435ab3e2bf450c038 upstream.

    If a system switches back and forth between hot and cold mode,
    the MCE code will print a stream of critical kernel messages.

    Extend the throttling code to properly notice this, by
    only printing the first hot + cold transition and omitting
    the rest up to CHECK_INTERVAL (5 minutes).

    This way we'll only get a single incident of:

     [ 102.356584] CPU0: Temperature above threshold, cpu clock throttled (total events = 1)
     [ 102.357000] Disabling lock debugging due to kernel taint
     [ 102.369223] CPU0: Temperature/speed normal

    Every 5 minutes. The 'total events' count tells the number of cold/hot
    transitions detected, should overheating occur after 5 minutes again:

     [ 402.357580] CPU0: Temperature above threshold, cpu clock throttled (total events = 24891)
     [ 402.358001] CPU0: Temperature/speed normal
     [ 450.704142] Machine check events logged

    Cc: Hidetoshi Seto
    Cc: Huang Ying
    Cc: Andi Kleen
    LKML-Reference:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit fe2414ca987a3a49007bec6fd12254c7defae2a9
Author: Ingo Molnar
Date:   Tue Sep 22 15:50:24 2009 +0200

    x86: mce: Clean up thermal throttling state tracking code

    commit 3967684006f30c253bc6d4a6604d1bad4a7fc672 upstream.

    Instead of a mess of three separate percpu variables, consolidate
    the state into a single structure.

    Also clean up therm_throt_process(), use cleaner and more
    understandable variable names and a clearer logic.
    This, without changing the logic, makes the code more
    streamlined, more readable and smaller as well:

       text	   data	    bss	    dec	    hex	filename
       1487	    169	      4	   1660	    67c	therm_throt.o.before
       1432	    176	      4	   1612	    64c	therm_throt.o.after

    Cc: Hidetoshi Seto
    Cc: Huang Ying
    Cc: Andi Kleen
    LKML-Reference:
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 94f48f549e455e4abbb3f0d6e65185830cbec8f1
Author: Wu Fengguang
Date:   Mon Oct 26 16:49:53 2009 -0700

    vmscan: limit VM_EXEC protection to file pages

    commit 41e20983fe553b39bc2b00e07c7a379f0c86a4bc upstream.

    It is possible to have !Anon but SwapBacked pages, and some apps could
    create huge number of such pages with MAP_SHARED|MAP_ANONYMOUS. These
    pages go into the ANON lru list, and hence shall not be protected: we only
    care mapped executable files. Failing to do so may trigger OOM.

    Tested-by: Christian Borntraeger
    Reviewed-by: Rik van Riel
    Signed-off-by: Wu Fengguang
    Cc: Hugh Dickins
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 781e844b1db70e0fe4911fa049e675a010d79cf9
Author: Bastian Blank
Date:   Wed Aug 12 23:30:45 2009 +0000

    powerpc: Remove SMP warning from PowerMac cpufreq

    commit 6fdc31a2b86cf1f98e3eed896578ad9659eeb0f8 upstream.

    On Thu, Aug 13, 2009 at 04:14:58PM +1000, Benjamin Herrenschmidt wrote:
    > On Tue, 2009-08-11 at 11:39 +0200, Bastian Blank wrote:
    > > This patch just disables this driver on SMP kernels, as it is obviously
    > > not supported.
    > Why not remove the #error instead ? :-) I don't think it's still
    > meaningful, especially since we use the timebase for delays nowadays
    > which doesn't depend on the CPU frequency... Your call.

    Take this one:

    The build of a PowerMac 32bit kernel currently fails with

    error: #warning "WARNING, CPUFREQ not recommended on SMP kernels"

    This patch removes the no longer applicable SMP warning from the PowerMac
    cpufreq code.

    Signed-off-by: Bastian Blank
    Signed-off-by: Benjamin Herrenschmidt
    Signed-off-by: Greg Kroah-Hartman

commit 73d1f971858ae19b7b755f244b025dd4ddbfe860
Author: Trond Myklebust
Date:   Mon Oct 26 08:09:46 2009 -0400

    NFSv4: The link() operation should return any delegation on the file

    commit 9a3936aac133037f65124fcb2d676a6c201a90a4 upstream.

    Otherwise, we have to wait for the server to recall it.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 463cbfdf160340cbc5e91db88546471f697f98d9
Author: Trond Myklebust
Date:   Thu Oct 8 11:50:55 2009 -0400

    NFSv4: Kill nfs4_renewd_prepare_shutdown()

    commit 3050141bae57984dd660e6861632ccf9b8bca77e upstream.

    The NFSv4 renew daemon is shared between all active super blocks that refer
    to a particular NFS server, so it is wrong to be shutting it down in
    nfs4_kill_super every time a super block is destroyed.

    This patch therefore kills nfs4_renewd_prepare_shutdown altogether, and
    leaves it up to nfs4_shutdown_client() to also shut down the renew daemon
    by means of the existing call to nfs4_kill_renewd().

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 85c60e5dfa4c00bb4deacc36cd719db557c9d2c6
Author: Trond Myklebust
Date:   Mon Oct 26 08:09:46 2009 -0400

    NFSv4: Fix two unbalanced put_rpccred() issues.

    commit 141aeb9f26f9f12f1584c128ce8697cdffb046e7 upstream.

    Commits 29fba38b (nfs41: lease renewal) and fc01cea9 (nfs41: sequence
    operation) introduce a couple of put_rpccred() calls on credentials for
    which there is no corresponding get_rpccred().

    See http://bugzilla.kernel.org/show_bug.cgi?id=14249

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 4886f073309eeb9d99d9f05d944f8b0874c60bbd
Author: Trond Myklebust
Date:   Fri Oct 23 14:46:42 2009 -0400

    NFSv4: Fix a bug when the server returns NFS4ERR_RESOURCE

    commit 52567b03ca38b6e556ced450d64dba8d66e23b0e upstream.

    RFC 3530 states that when we receive the error NFS4ERR_RESOURCE, we are not
    supposed to bump the sequence number on OPEN, LOCK, LOCKU, CLOSE, etc
    operations. The problem is that we map that error into EREMOTEIO in the XDR
    layer, and so the NFSv4 middle-layer routines like seqid_mutating_err(),
    and nfs_increment_seqid() don't recognise it.

    The fix is to defer the mapping until after the middle layers have
    processed the error.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 2169536c156b6bc876c0a80e5cf98319cc3b9aab
Author: Terry Loftin
Date:   Thu Oct 22 21:36:01 2009 -0400

    nfs: Panic when commit fails

    commit a8b40bc7e635831b61c43acc71a86d3a68b2dff0 upstream.

    Actually pass the NFS_FILE_SYNC option to the server to avoid a
    Panic in nfs_direct_write_complete() when a commit fails.

    At the end of an nfs write, if the nfs commit fails, all the writes
    will be rescheduled. They are supposed to be rescheduled as NFS_FILE_SYNC
    writes, but the rpc_task structure is not completely initialized and so
    the option is not passed. When the rescheduled writes complete, the
    return indicates that they are NFS_UNSTABLE and we try to do another
    commit. This leads to a Panic because the commit data structure pointer
    was set to null in the initial (failed) commit attempt.

    Signed-off-by: Terry Loftin
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 55a6efb39afcfe70754a733cdca91b6e1599fb6b
Author: Ben Hutchings
Date:   Tue Oct 6 15:42:18 2009 -0400

    nfs: Avoid overrun when copying client IP address string

    commit f4373bf9e67e4a653c8854acd7b02dac9714c98a upstream.

    As seen in , nfs4_init_client() can
    overrun the source string when copying the client IP address from
    nfs_parsed_mount_data::client_address to nfs_client::cl_ipaddr. Since
    these are both treated as null-terminated strings elsewhere, the copy
    should be done with strlcpy() not memcpy().

    Signed-off-by: Ben Hutchings
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit cd45ad45a38aa500f96254ce21890ae7611cef46
Author: Jiri Pirko
Date:   Thu Oct 8 01:21:46 2009 -0700

    netlink: fix typo in initialization (CVE-2009-3612)

    commit ad61df918c44316940404891d5082c63e79c256a upstream.

    Commit 9ef1d4c7c7aca1cd436612b6ca785b726ffb8ed8 ("[NETLINK]: Missing
    initializations in dumped data") introduced a typo in
    initialization. This patch fixes this.

    Signed-off-by: Jiri Pirko
    Signed-off-by: David S. Miller
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 532d2b259d9cd9450eb7b500405cfe3e6c2f7aa7
Author: Jean Delvare
Date:   Sat Oct 24 13:28:47 2009 +0200

    hwmon: (it87) Fix VID reading on IT8718F/IT8720F

    commit 371dc4a6d8c3c74a9a1c74b87c2affb3fcef6500 upstream.

    Comparing apples to bananas doesn't seem right. Consistently use the
    chips enum for chip type comparisons, to avoid such bugs in the
    future.

    The bug has been there since support for the IT8718F was added, so
    VID never worked for this chip nor for the similar IT8720F.

    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 44791e49b282eb1901b28d27d9756ace8f873dca
Author: Jiri Bohac
Date:   Wed Oct 28 22:23:54 2009 -0700

    bonding: fix a race condition in calls to slave MII ioctls

    commit d9d5283228d0c752f199c901fff6e1405dc91bcb upstream.

    In mii monitor mode, bond_check_dev_link() calls the ioctl
    handler of slave devices. It stores the ndo_do_ioctl function
    pointer to a static (!) ioctl variable and later uses it to call the
    handler with the IOCTL macro.

    If another thread executes bond_check_dev_link() at the same time
    (even with a different bond, which none of the locks prevent), a
    race condition occurs. If the two racing slaves have different
    drivers, this may result in one driver's ioctl handler being
    called with a pointer to a net_device controlled with a different
    driver, resulting in unpredictable breakage.
    Unless I am overlooking something, the "static" must be a
    copy'n'paste error (?).

    Signed-off-by: Jiri Bohac
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 474ac4951f31a678cda82833c6ec6dbb4b58bacb
Author: David Henningsson
Date:   Sun Oct 11 11:37:22 2009 +0200

    ALSA: ice1724 - Make call to set hw params succeed on ESI Juli@

    commit bd3c200e6d5495343c91db66d2acf1853b57a141 upstream.

    If two streams are started immediately after one another (such as a
    playback and a recording stream), the call to set hw params fails with
    EBUSY. This patch makes the call succeed, so playback and recording will
    work properly.

    Signed-off-by: David Henningsson
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 027590f053888a282d09f420a39ad08a17dda76f
Author: Tomoki Sekiyama
Date:   Sun Oct 18 23:17:37 2009 -0700

    AF_UNIX: Fix deadlock on connecting to shutdown socket (CVE-2009-3621)

    commit 77238f2b942b38ab4e7f3aced44084493e4a8675 upstream.

    I found a deadlock bug in UNIX domain socket, which makes able to DoS
    attack against the local machine by non-root users.

    How to reproduce:
    1. Make a listening AF_UNIX/SOCK_STREAM socket with an abstract
        namespace(*), and shutdown(2) it.
     2. Repeat connect(2)ing to the listening socket from the other sockets
        until the connection backlog is full-filled.
     3. connect(2) takes the CPU forever. If every core is taken, the
        system hangs.

    PoC code: (Run as many times as cores on SMP machines.)

    #include <stdio.h>
    #include <string.h>
    #include <unistd.h>
    #include <sys/socket.h>
    #include <sys/un.h>

    int main(void)
    {
            int ret;
            int csd;
            int lsd;
            struct sockaddr_un sun;

            /* make an abstract name address (*) */
            memset(&sun, 0, sizeof(sun));
            sun.sun_family = PF_UNIX;
            sprintf(&sun.sun_path[1], "%d", getpid());

            /* create the listening socket and shutdown */
            lsd = socket(AF_UNIX, SOCK_STREAM, 0);
            bind(lsd, (struct sockaddr *)&sun, sizeof(sun));
            listen(lsd, 1);
            shutdown(lsd, SHUT_RDWR);

            /* connect loop */
            alarm(15); /* forcibly exit the loop after 15 sec */
            for (;;) {
                    csd = socket(AF_UNIX, SOCK_STREAM, 0);
                    ret = connect(csd, (struct sockaddr *)&sun, sizeof(sun));
                    if (-1 == ret) {
                            perror("connect()");
                            break;
                    }
                    puts("Connection OK");
            }
            return 0;
    }

    (*) Make sun_path[0] = 0 to use the abstract namespace.
        If a file-based socket is used, the system doesn't deadlock because
        of context switches in the file system layer.

    Why this happens:
     Error checks between unix_socket_connect() and unix_wait_for_peer() are
     inconsistent. The former calls the latter to wait until the backlog is
     processed. Despite the latter returns without doing anything when the
     socket is shutdown, the former doesn't check the shutdown state and
     just retries calling the latter forever.

    Patch:
     The patch below adds shutdown check into unix_socket_connect(), so
     connect(2) to the shutdown socket will return -ECONREFUSED.

    Signed-off-by: Tomoki Sekiyama
    Signed-off-by: Masanori Yoshida
    Cc: Chuck Ebbert
    Signed-off-by: David S. Miller

commit 1917888ae8076efca1ae51c7517806572ad8db02
Author: Alan Cox
Date:   Tue Oct 6 16:07:51 2009 +0100

    pata_sc1200: Fix crash on boot

    commit 6d4f950e9ea15816c6a4f266ce6b9e438346771e upstream.

    The SC1200 needs a NULL terminator or it may cause a crash on boot.

    Bug #14227

    Also correct a bogus comment as the driver had serializing added so can run
    dual port.

    Signed-off-by: Alan Cox
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 01a6a52a3cadb6a6db03199f3ec7ccb023aac45f
Author: Larry Finger
Date:   Fri Oct 16 10:18:09 2009 -0500

    b43: Fix Bugzilla #14181 and the bug from the previous 'fix'

    commit d50bae33d1358b909ade05ae121d83d3a60ab63f upstream.

    "b43: Fix PPC crash in rfkill polling on unload" fixed the bug reported
    in Bugzilla No. 14181; however, it introduced a new bug. Whenever the
    radio switch was turned off, it was necessary to unload and reload
    the driver for it to recognize the switch again.

    This patch fixes both the original bug in #14181 and the bug introduced by
    the previous patch. It must be stated, however, that if there is a BCM4306/3
    with an rfkill switch (not yet proven), then the driver will need an
    unload/reload cycle to turn the device back on.

    Signed-off-by: Larry Finger
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 7a99333e851ef087c7cd836950900602f0843c24
Author: David Howells
Date:   Thu Oct 15 10:14:35 2009 +0100

    KEYS: get_instantiation_keyring() should inc the keyring refcount in all cases

    commit 21279cfa107af07ef985539ac0de2152b9cba5f5 upstream.

    The destination keyring specified to request_key() and co. is made available
    to the process that instantiates the key (the slave process started by
    /sbin/request-key typically). This is passed in the request_key_auth struct as
    the dest_keyring member.

    keyctl_instantiate_key and keyctl_negate_key() call
    get_instantiation_keyring() to get the keyring to attach the newly constructed
    key to at the end of instantiation. This may be given a specific keyring into
    which a link will be made later, or it may be asked to find the keyring passed
    to request_key(). In the former case, it returns a keyring with the refcount
    incremented by lookup_user_key(); in the latter case, it returns the keyring
    from the request_key_auth struct - and does _not_ increment the refcount.
    The latter case will eventually result in an oops when the keyring prematurely
    runs out of references and gets destroyed. The effect may take some time to
    show up as the key is destroyed lazily.

    To fix this, the keyring returned by get_instantiation_keyring() must always
    have its refcount incremented, no matter where it comes from.

    This can be tested by setting /etc/request-key.conf to:

    #OP     TYPE    DESCRIPTION     CALLOUT INFO    PROGRAM ARG1 ARG2 ARG3 ...
    #====== ======= =============== =============== ===============================
    create  *       test:*          *               |/bin/false %u %g %d %{user:_display}
    negate  *       *               *               /bin/keyctl negate %k 10 @u

    and then doing:

            keyctl add user _display aaaaaaaa @u
            while keyctl request2 user test:x test:x @u &&
            keyctl list @u;
            do
                    keyctl request2 user test:x test:x @u;
                    sleep 31;
                    keyctl list @u;
            done

    which will oops eventually. Changing the negate line to have @u rather than
    %S at the end is important as that forces the latter case by passing a special
    keyring ID rather than an actual keyring ID.

    Reported-by: Alexander Zangerl
    Signed-off-by: David Howells
    Tested-by: Alexander Zangerl
    Signed-off-by: Linus Torvalds
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 3c802f78271bd558d152a5f8632ea8395ed27a9b
Author: Len Brown
Date:   Sat Sep 5 13:33:23 2009 -0400

    Revert "ACPI: Attach the ACPI device to the ACPI handle as early as possible"

    commit f61f925859c57f6175082aeeee17743c68558a6e upstream.

    This reverts commit eab4b645769fa2f8703f5a3cb0cc4ac090d347af.

    http://bugzilla.kernel.org/show_bug.cgi?id=13002

    Signed-off-by: Len Brown
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit 5621e89d8bdf6934b3c0a4893e1a568f4a01061d
Author: Rafael J. Wysocki
Date:   Tue Oct 13 01:01:57 2009 +0200

    ACPI / PCI: Fix NULL pointer dereference in acpi_get_pci_dev() (rev. 2)

    commit 497fb54f578efd2b479727bc88d5ef942c0a1e2d upstream.

    acpi_get_pci_dev() may be called for a non-PCI device, in which case
    it should return NULL. However, it assumes that every handle it
    finds in the ACPI CA name space, between given device handle and the
    PCI root bridge handle, corresponds to a PCI-to-PCI bridge with an
    existing secondary bus. For this reason, when it finds a struct
    pci_dev object corresponding to one of them, it doesn't check if
    its 'subordinate' field is a valid pointer. This obviously leads to
    a NULL pointer dereference if acpi_get_pci_dev() is called for a
    non-PCI device with a PCI parent which is not a bridge.

    To fix this issue make acpi_get_pci_dev() check if pdev->subordinate
    is not NULL for every device it finds on the path between the root
    bridge and the device it's supposed to get to and return NULL if the
    "target" device cannot be found.

    http://bugzilla.kernel.org/show_bug.cgi?id=14129
    (worked in 2.6.30, regression in 2.6.31)

    Signed-off-by: Rafael J. Wysocki
    Reported-by: Danny Feng
    Reviewed-by: Alex Chiang
    Tested-by: chepioq
    Signed-off-by: Len Brown
    Cc: Chuck Ebbert
    Signed-off-by: Greg Kroah-Hartman

commit e259007f0090e5c2c4c0df1e316431a25287633e
Author: Sam Ravnborg
Date:   Fri Sep 25 19:53:43 2009 +0200

    alpha: fix build after vmlinux.lds.S cleanup

    commit de078ef55c74d02ee93d44513da5ee88a089d71d upstream.

    Add include to get missing THREAD_SIZE definition

    Signed-off-by: Sam Ravnborg
    Cc: Tim Abbott
    Cc: Ivan Kokshaysky
    Cc: Richard Henderson
    Signed-off-by: Greg Kroah-Hartman

commit 039b7b2ecddd52d3e1d5cc4337d2b1f7053916eb
Author: Manuel Lauss
Date:   Thu Sep 24 21:44:24 2009 +0200

    mips: fix build of vmlinux.lds

    commit d71789b6fa37c21ce5eb588d279f57904a62e7e2 upstream.

    Commit 51b563fc93c8cb5bff1d67a0a71c374e4a4ea049 ("arm, cris, mips,
    sparc, powerpc, um, xtensa: fix build with bash 4.0") removed a few
    CPPFLAGS with vital include paths necessary to build vmlinux.lds
    on MIPS, and moved the calculation of the 'jiffies' symbol
    directly to vmlinux.lds.S but forgot to change make ifdef/... to
    cpp macros.

    Signed-off-by: Manuel Lauss
    [sam: moved assignment of CPPFLAGS arch/mips/kernel/Makefile]
    Signed-off-by: Sam Ravnborg
    Acked-by: Dmitri Vorobiev
    Signed-off-by: Greg Kroah-Hartman

commit 55af1d631af064ed53eea5e4805ffac0deb66e2d
Author: Eric Paris
Date:   Fri Sep 11 13:03:19 2009 -0400

    fsnotify: do not set group for a mark before it is on the i_list

    commit 9f0d793b52eb2266359661369ef6303838904855 upstream.

    fsnotify_add_mark is supposed to add a mark to the g_list and i_list and to
    set the group and inode for the mark. fsnotify_destroy_mark_by_entry uses
    the fact that ->group != NULL to know if this group should be destroyed or
    if it's already been done.

    But fsnotify_add_mark sets the group and inode before it actually adds the
    mark to the i_list and g_list. This can result in a race in inotify, it
    requires 3 threads.

    sys_inotify_add_watch("file")   sys_inotify_add_watch("file")   sys_inotify_rm_watch([a])
    inotify_update_watch()
     inotify_new_watch()
      inotify_add_to_idr()
       ^--- returns wd = [a]
                                    inotfiy_update_watch()
                                     inotify_new_watch()
                                      inotify_add_to_idr()
                                      fsnotify_add_mark()
                                       ^--- returns wd = [b]
                                    returns to userspace;
                                                                    inotify_idr_find([a])
                                                                     ^--- gives us the pointer from task 1
      fsnotify_add_mark()
       ^--- this is going to set the mark->group and mark->inode fields, but will
            return -EEXIST because of the race with [b].
                                                                    fsnotify_destroy_mark()
                                                                     ^--- since ->group != NULL we call back
                                                                          into inotify_freeing_mark() which calls
                                                                     inotify_remove_from_idr([a])
         since fsnotify_add_mark() failed we call:
         inotify_remove_from_idr([a])     <------WHOOPS it's not in the idr, this could
                                                 have been any entry added later!

    The fix is to make sure we don't set mark->group until we are sure the mark
    is on the inode and fsnotify_add_mark will return success.

    Signed-off-by: Eric Paris
    Signed-off-by: Greg Kroah-Hartman

commit 6a3f97dfa2464e8186bd8bdadd29daca411d07c1
Author: Joerg Roedel
Date:   Fri Oct 9 18:31:20 2009 +0200

    x86/amd-iommu: Workaround for erratum 63

    commit c5cca146aa03e1f60fb179df65f0dbaf17bc64ed upstream.

    There is an erratum for IOMMU hardware which documents
    undefined behavior when forwarding SMI requests from
    peripherals and the DTE of that peripheral has a sysmgt
    value of 01b. This problem caused weird IO_PAGE_FAULTS in my
    case.
    This patch implements the suggested workaround for that
    erratum into the AMD IOMMU driver. The erratum is
    documented with number 63.

    Signed-off-by: Joerg Roedel
    Signed-off-by: Greg Kroah-Hartman

commit c385d8d439907b6cd7b47da86b1837b1006c7228
Author: Jens Axboe
Date:   Tue Nov 3 11:40:44 2009 +0100

    fuse: fix kunmap in fuse_ioctl_copy_user

    commit 0bd87182d3ab18a32a8e9175d3f68754c58e3432 upstream.

    Looks like another victim of the confusing kmap() vs kmap_atomic() API
    differences.

    Reported-by: Todor Gyumyushev
    Signed-off-by: Jens Axboe
    Signed-off-by: Miklos Szeredi
    Cc: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit 82d2d504aeaad7ada524e9e3bfd8eede3ca2bf15
Author: Anand V. Avati
Date:   Thu Oct 22 06:24:52 2009 -0700

    fuse: prevent fuse_put_request on invalid pointer

    commit f60311d5f7670d9539b424e4ed8b5c0872fc9e83 upstream.

    fuse_direct_io() has a loop where requests are allocated in each
    iteration. if allocation fails, the loop is broken out and follows
    into an unconditional fuse_put_request() on that invalid pointer.

    Signed-off-by: Anand V. Avati
    Signed-off-by: Miklos Szeredi
    Signed-off-by: Greg Kroah-Hartman

commit 15076d40b0ce2e04cf383425a5a26e01f53b2aee
Author: Gleb Natapov
Date:   Sun Oct 25 17:42:02 2009 +0200

    KVM: get_tss_base_addr() should return a gpa_t

    commit abb3911965c1bd8eea305f64d4840a314259d96d upstream.

    If TSS we are switching to resides in high memory task switch will fail
    since address will be truncated.
Windows2k3 does this sometimes when running with more then 4G Signed-off-by: Gleb Natapov Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman commit 42d7bdfc3320039bb9310703d6475a62f5c74772 Author: Linus Torvalds Date: Thu Nov 5 10:48:30 2009 -0800 sgi-gru: decrapfiy options_write() function commit d39b7dd1dcbf394a1cb897457c862dafe9a20ac5 upstream. Not a single line of actual code in the function was really fundamentally correct. Problems ranged from lack of proper range checking, to removing the last character written (which admittedly is usually '\n'), to not accepting hex numbers even though the 'show' routine would show the data in that format. This tries to do better. Acked-by: Michael Buesch Tested-and-acked-by: Jack Steiner Cc: Jiri Kosina Cc: Michael Gilbert Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9416d12bcaa77126bd55f7df2cb4e78b711f97bd Author: Jeremy Fitzhardinge Date: Thu Oct 22 16:41:15 2009 -0700 xen: mask extended topology info in cpuid commit 82d6469916c6fcfa345636a49004c9d1753905d1 upstream. A Xen guest never needs to know about extended topology, and knowing would just confuse it. This patch just zeros ebx in leaf 0xb which indicates no topology info, preventing a crash under Xen on cpus which support this leaf. Signed-off-by: Jeremy Fitzhardinge commit b318606e41620d2fee78444ae54533a323108e2b Author: Jeremy Fitzhardinge Date: Tue Oct 20 15:28:21 2009 +0900 xen/hvc: make sure console output is always emitted, with explicit polling commit 7825cf10e31c64ece3cac66fb01a742f1094da51 upstream. We never want to rely on the hvc workqueue to emit output, because the most interesting output is when the kernel is broken. This will improve oops/crash/console message for better debugging. Instead, we force-poll until all output is emitted. 
    Signed-off-by: Jeremy Fitzhardinge
    Signed-off-by: Greg Kroah-Hartman

commit e05947b4e09d7cc3e4811a3fe0e6a1d83a9805cd
Author: Fabian Henze
Date:   Tue Sep 8 00:59:59 2009 +0800

    drm/i915: add B43 chipset support

    commit 7839c5d5519b6d9e2ccf3cdbf1c39e3817ad0835 upstream.

    Signed-off-by: Fabian Henze
    Signed-off-by: Zhenyu Wang
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 685ca021e44e2f6bc7e54050305ce9a4685804c6
Author: Fabian Henze
Date:   Tue Sep 8 00:59:58 2009 +0800

    agp/intel: Add B43 chipset support

    commit 38d8a95621b20ed7868e232a35a26ee61bdcae6f upstream.

    Signed-off-by: Fabian Henze
    [Fix reversed HB & IG ids for B43]
    Signed-off-by: Zhenyu Wang
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit f19f531a3257ea2e709de9e423c0a4a72358a4be
Author: Zhenyu Wang
Date:   Mon Oct 19 15:43:49 2009 +0800

    drm/i915: fix panel fitting filter coefficient select for Ironlake

    commit b1f60b7029989da71fd8ea1b1176480fac9e846c upstream.

    Must set filter selection as hardcoded coefficients for medium 3x3
    filtering, which matches vbios setting for Ironlake.

    This fixes display corrupt issue on HP arrandale with new vbios.

    Signed-off-by: Zhenyu Wang
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 82a1c0522cf747742461ac7874f463af46e3ba18
Author: Zhenyu Wang
Date:   Mon Oct 19 15:43:48 2009 +0800

    drm/i915: fix to setup display reference clock control on Ironlake

    commit c038e51e841581cc3fb9a76e5e16331331e9c85c upstream.

    For new stepping of PCH, the display reference clock
    is fully under driver's control. This one tries to setup
    all needed reference clock for different outputs. Older
    stepping of PCH chipset should be ignoring this.

    This fixes output failure issue on newer PCH which requires
    driver to take control of reference clock enabling.
    Signed-off-by: Zhenyu Wang
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit a9d48b3eae33aeb6bc1c366913778d77267e17b7
Author: Zhenyu Wang
Date:   Fri Sep 25 08:01:28 2009 +0000

    drm/i915: Fix FDI M/N setting according with correct color depth

    commit 58a27471d00dc09945cbcfbbc5cbcdcd3c28211d upstream.

    FDI M/N calculation hasn't taken the current pipe color depth into account,
    but always set as 24bpp. This one checks current pipe color depth setting,
    and change FDI M/N calculation a little to use bits_per_pixel first, then
    convert to bytes_per_pixel later.

    This fixes display corrupt issue on Arrandale LVDS with 1600x900 panel
    in 18bpp dual-channel mode.

    Signed-off-by: Zhenyu Wang
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 61ac9e400eb6c0c3d3e9da24c78176fbe272fc1b
Author: Ryusuke Konishi
Date:   Tue Nov 3 00:25:53 2009 +0900

    nilfs2: fix dirty page accounting leak causing hang at write

    commit b1e19e5601277845b4f17ecd7c9ba04f73ee11aa upstream.

    Bruno Prémont and Dunphy, Bill noticed me that NILFS will certainly
    hang on ARM-based targets.

    I found this was caused by an underflow of dirty pages counter. A
    b-tree cache routine was marking page dirty without adjusting page
    account information.

    This fixes the dirty page accounting leak and resolves the hang on
    arm-based targets.

    Reported-by: Bruno Prémont
    Reported-by: Dunphy, Bill
    Signed-off-by: Ryusuke Konishi
    Tested-by: Bruno Prémont
    Signed-off-by: Greg Kroah-Hartman

commit 092afb745d0dfdd6cf5ed86ed301023285700fd2
Author: Jan Beulich
Date:   Mon Oct 26 15:20:29 2009 +0000

    x86-64: Fix register leak in 32-bit syscall audting

    commit 81766741fe1eee3884219e8daaf03f466f2ed52f upstream.

    Restoring %ebp after the call to audit_syscall_exit() is not
    only unnecessary (because the register didn't get clobbered),
    but in the sysenter case wasn't even doing the right thing: It
    loaded %ebp from a location below the top of stack (RBP <
    ARGOFFSET), i.e.
    arbitrary kernel data got passed back to user mode in the register.

    Signed-off-by: Jan Beulich
    Acked-by: Roland McGrath
    LKML-Reference: <4AE5CC4D020000780001BD13@vpn.id2.novell.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 82a90819b2992515f794b032ee7d75fba4771e33
Author: Bo Liu
Date:   Mon Nov 2 16:50:33 2009 +0000

    mm: remove incorrect swap_count() from try_to_unuse()

    commit 32c5fc10e79a7053ac5728b01a0bff55cbcb9d49 upstream.

    In try_to_unuse(), swcount is a local copy of *swap_map, including the
    SWAP_HAS_CACHE bit; but a wrong comparison against swap_count(*swap_map),
    which masks off the SWAP_HAS_CACHE bit, succeeded where it should fail.

    That had the effect of resetting the mm from which to start searching
    for the next swap page, to an irrelevant mm instead of to an mm in which
    this swap page had been found: which may increase search time by ~20%.
    But we're used to swapoff being slow, so never noticed the slowdown.

    Remove that one spurious use of swap_count(): Bo Liu thought it merely
    redundant, Hugh rewrote the description since it was measurably wrong.

    Signed-off-by: Bo Liu
    Signed-off-by: Hugh Dickins
    Reviewed-by: KAMEZAWA Hiroyuki
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit cd4ad4b9dda686bce57f939671cc066a554b7f92
Author: David Howells
Date:   Fri Oct 30 13:13:26 2009 +0000

    NOMMU: Don't pass NULL pointers to fput() in do_mmap_pgoff()

    commit 89a8640279f8bb78aaf778d1fc5c4a6778f18064 upstream.

    Don't pass NULL pointers to fput() in the error handling paths of the NOMMU
    do_mmap_pgoff() as it can't handle it.

    The following can be used as a test program:

        int main() { static long long a[1024 * 1024 * 20] = { 0 }; return a;}

    Without the patch, the code oopses in atomic_long_dec_and_test() as called by
    fput() after the kernel complains that it can't allocate that big a chunk of
    memory.
    With the patch, the kernel just complains about the allocation size
    and then the program segfaults during execve() as execve() can't complete
    the allocation of all the new ELF program segments.

    Reported-by: Robin Getz
    Signed-off-by: David Howells
    Acked-by: Robin Getz
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 7af6e31fc7ab7235ae38be7847f346d8d776389d
Author: Robin Holt
Date:   Tue Oct 20 14:36:15 2009 -0500

    x86, UV: Set DELIVERY_MODE=4 for vector=NMI_VECTOR in uv_hub_send_ipi()

    commit 02dd0a0613e0d84c7dd8315e3fe6204d005b7c79 upstream.

    When sending a NMI_VECTOR IPI using the UV_HUB_IPI_INT register,
    we need to ensure the delivery mode field of that register has
    NMI delivery selected.

    This makes those IPIs true NMIs, instead of flat IPIs. It
    matters to reboot sequences and KGDB, both of which use NMI
    IPIs.

    Signed-off-by: Robin Holt
    Acked-by: Jack Steiner
    Cc: Martin Hicks
    LKML-Reference: <20091020193620.877322000@alcatraz.americas.sgi.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 39652527bce2d4e12ac4008ec93e41a8b28238a3
Author: Robin Holt
Date:   Thu Oct 15 17:40:00 2009 -0500

    x86, UV: Fix information in __uv_hub_info structure

    commit 036ed8ba61b72c19dc5759446d4fe0844aa88255 upstream.

    A few parts of the uv_hub_info structure are initialized
    incorrectly.

     - n_val is being loaded with m_val.
     - gpa_mask is initialized with a bytes instead of an unsigned long.
     - Handle the case where none of the alias registers are used.

    Lastly I converted the bau over to using the
    uv_hub_info->m_val which is the correct value.

    Without this patch, booting a large configuration hits a
    problem where the upper bits of the gnode affect the pnode
    and the bau will not operate.
    Signed-off-by: Robin Holt
    Acked-by: Jack Steiner
    Cc: Cliff Whickman
    LKML-Reference: <20091015224946.396355000@alcatraz.americas.sgi.com>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 958da8f522180518a1f04b65d4eef61eb4ecbe72
Author: Johannes Berg
Date:   Sun Nov 1 19:25:40 2009 +0100

    mac80211: check interface is down before type change

    commit c1f9a764cf47686b1f5a0cf87ada68d90056136a upstream.

    For some strange reason the netif_running() check
    ended up after the actual type change instead of
    before, potentially causing all kinds of problems
    if the interface is up while changing the type;
    one of the problems manifests itself as a warning:

    WARNING: at net/mac80211/iface.c:651 ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]()
    Hardware name: Aspire one
    Pid: 2596, comm: wpa_supplicant Tainted: G W 2.6.31-10-generic #32-Ubuntu
    Call Trace:
     [] warn_slowpath_common+0x6d/0xa0
     [] warn_slowpath_null+0x15/0x20
     [] ieee80211_teardown_sdata+0xda/0x1a0 [mac80211]
     [] ieee80211_if_change_type+0x4a/0xc0 [mac80211]
     [] ieee80211_change_iface+0x61/0xa0 [mac80211]
     [] cfg80211_wext_siwmode+0xc7/0x120 [cfg80211]
     [] ioctl_standard_call+0x58/0xf0

    (http://www.kerneloops.org/searchweek.php?search=ieee80211_teardown_sdata)

    Cc: Arjan van de Ven
    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit db6ad3e1187477afb4a1fc79bc48f0a8cf916ec3
Author: Björn Smedman
Date:   Sat Oct 24 20:55:09 2009 +0200

    mac80211: fix for incorrect sequence number on hostapd injected frames

    commit 9b1ce526eb917c8b5c8497c327768130ee683392 upstream.

    When hostapd injects a frame, e.g. an authentication or association
    response, mac80211 looks for a suitable access point virtual interface
    to associate the frame with based on its source address. This makes it
    possible e.g. to correctly assign sequence numbers to the frames.

    A small typo in the ethernet address comparison statement caused a
    failure to find a suitable ap interface.
    Sequence numbers on such frames were therefore left unassigned causing
    some clients (especially windows-based 11b/g clients) to reject them
    and fail to authenticate or associate with the access point. This patch
    fixes the typo in the address comparison statement.

    Signed-off-by: Björn Smedman
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 49178370a647948ca8b529cc65f0c214bec33d42
Author: Steve French
Date:   Tue Oct 6 18:31:29 2009 +0000

    CIFS: Fixing to avoid invalid kfree() in cifs_get_tcp_session()

    commit 8347a5cdd1422eea0470ed586274c7f29e274b47 upstream.

    trivial bug in fs/cifs/connect.c .
    The bug is caused by fail of extract_hostname()
    when mounting cifs file system.

    This is the situation when I noticed this bug.

    % sudo mount -t cifs //192.168.10.208 mountpoint -o options...

    Then my kernel says,

    [ 1461.807776] ------------[ cut here ]------------
    [ 1461.807781] kernel BUG at mm/slab.c:521!
    [ 1461.807784] invalid opcode: 0000 [#2] PREEMPT SMP
    [ 1461.807790] last sysfs file: /sys/devices/pci0000:00/0000:00:1e.0/0000:09:02.0/resource
    [ 1461.807793] CPU 0
    [ 1461.807796] Modules linked in: nls_iso8859_1 usbhid sbp2 uhci_hcd ehci_hcd i2c_i801 ohci1394 ieee1394 psmouse serio_raw pcspkr sky2 usbcore evdev
    [ 1461.807816] Pid: 3446, comm: mount Tainted: G D 2.6.32-rc2-vanilla
    [ 1461.807820] RIP: 0010:[] [] kfree+0x63/0x156
    [ 1461.807829] RSP: 0018:ffff8800b4f7fbb8 EFLAGS: 00010046
    [ 1461.807832] RAX: ffffea00033fff98 RBX: ffff8800afbae7e2 RCX: 0000000000000000
    [ 1461.807836] RDX: ffffea0000000000 RSI: 000000000000005c RDI: ffffffffffffffea
    [ 1461.807839] RBP: ffff8800b4f7fbf8 R08: 0000000000000001 R09: 0000000000000000
    [ 1461.807842] R10: 0000000000000000 R11: ffff8800b4f7fbf8 R12: 00000000ffffffea
    [ 1461.807845] R13: ffff8800afb23000 R14: ffff8800b4f87bc0 R15: ffffffffffffffea
    [ 1461.807849] FS: 00007f52b6f187c0(0000) GS:ffff880007600000(0000) knlGS:0000000000000000
    [ 1461.807852] CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
    [ 1461.807855] CR2: 0000000000613000 CR3: 00000000af8f9000 CR4: 00000000000006f0
    [ 1461.807858] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
    [ 1461.807861] DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
    [ 1461.807865] Process mount (pid: 3446, threadinfo ffff8800b4f7e000, task ffff8800950e4380)
    [ 1461.807867] Stack:
    [ 1461.807869] 0000000000000202 0000000000000282 ffff8800b4f7fbf8 ffff8800afbae7e2
    [ 1461.807876] <0> 00000000ffffffea ffff8800afb23000 ffff8800b4f87bc0 ffff8800b4f7fc28
    [ 1461.807884] <0> ffff8800b4f7fcd8 ffffffff81159f6d ffffffff81147bc2 ffffffff816bfb48
    [ 1461.807892] Call Trace:
    [ 1461.807899] [] cifs_get_tcp_session+0x440/0x44b
    [ 1461.807904] [] ? find_nls+0x1c/0xe9
    [ 1461.807909] [] cifs_mount+0x16bc/0x2167
    [ 1461.807917] [] ? _spin_unlock+0x30/0x4b
    [ 1461.807923] [] cifs_get_sb+0xa5/0x1a8
    [ 1461.807928] [] vfs_kern_mount+0x56/0xc9
    [ 1461.807933] [] do_kern_mount+0x47/0xe7
    [ 1461.807938] [] do_mount+0x712/0x775
    [ 1461.807943] [] ? copy_mount_options+0xcf/0x132
    [ 1461.807948] [] sys_mount+0x7f/0xbf
    [ 1461.807953] [] ? lockdep_sys_exit_thunk+0x35/0x67
    [ 1461.807960] [] system_call_fastpath+0x16/0x1b
    [ 1461.807963] Code: 00 00 00 00 ea ff ff 48 c1 e8 0c 48 6b c0 68 48 01 d0 66 83 38 00 79 04 48 8b 40 10 66 83 38 00 79 04 48 8b 40 10 80 38 00 78 04 <0f> 0b eb fe 4c 8b 70 58 4c 89 ff 41 8b 76 4c e8 b8 49 fb ff e8
    [ 1461.808022] RIP [] kfree+0x63/0x156
    [ 1461.808027] RSP
    [ 1461.808031] ---[ end trace ffe26fcdc72c0ce4 ]---

    The reason of this bug is that the error handling code of
    cifs_get_tcp_session() calls kfree() when corresponding kmalloc() failed.
    (The kmalloc() is called by extract_hostname().)

    Signed-off-by: Hitoshi Mitake
    Reviewed-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 48fe10afb355d88be5a9c0b7d5a198c5e5b9b4aa
Author: Michael S. Tsirkin
Date:   Sun Oct 25 15:28:53 2009 +0200

    virtio: order used ring after used index read

    commit 2d61ba95034f1abbdec7729d52c740870a5eddb6 upstream.

    On SMP guests, reads from the ring might bypass used index reads. This
    causes guest crashes because host writes to used index to signal ring
    data readiness. Fix this by inserting rmb before used ring reads.

    Signed-off-by: Michael S. Tsirkin
    Signed-off-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman

commit bed202356361d3620a51974eadca78261e049ef0
Author: Kevin Hilman
Date:   Mon Oct 26 16:50:18 2009 -0700

    cpuidle: always return with interrupts enabled

    commit 246eb7f0ed1a8aeddec5313137767658f378949b upstream.

    In the case where cpuidle_idle_call() returns before changing state due to
    a need_resched(), it was returning with IRQs disabled.

    The idle path assumes that the platform specific idle code returns with
    interrupts enabled (although this too is undocumented AFAICT) and on ARM
    we have a WARN_ON(!(irqs_disabled()) when returning from the idle loop, so
    the user-visible effects were only a warning since interrupts were
    eventually re-enabled later.

    On x86, this same problem exists, but there is no WARN_ON() to detect it.
    As on ARM, the interrupts are eventually re-enabled, so I'm not sure of
    any actual bugs triggered by this. It's primarily a
    correctness/consistency fix.

    This patch ensures IRQs are (re)enabled before returning.

    Reported-by: Hemanth V
    Signed-off-by: Kevin Hilman
    Cc: Arjan van de Ven
    Cc: Len Brown
    Cc: Venkatesh Pallipadi
    Cc: Ingo Molnar
    Cc: "Rafael J. Wysocki"
    Tested-by: Martin Michlmayr
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 1133a6e3632b5897f5a25084e38b221cb92f3eb6
Author: David Woodhouse
Date:   Fri Oct 30 17:45:14 2009 +0000

    libertas if_usb: Fix crash on 64-bit machines

    commit e9024a059f2c17fb2bfab212ee9d31511d7b8e57 upstream.

    On a 64-bit kernel, skb->tail is an offset, not a pointer.
    The libertas usb driver passes it to usb_fill_bulk_urb() anyway,
    causing interesting crashes. Fix that by using skb->data instead.

    This highlights a problem with usb_fill_bulk_urb(). It doesn't notice
    when dma_map_single() fails and return the error to its caller as it
    should. In fact it _can't_ currently return the error, since it returns
    void.

    So this problem was showing up only at unmap time, after we'd already
    suffered memory corruption by doing DMA to a bogus address.

    Signed-off-by: David Woodhouse
    Acked-by: David S. Miller
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit fb20e3f85ece49f23b72a7ad6aa441e004f4f3e7
Author: Bryan Wu
Date:   Thu Oct 22 15:00:36 2009 +0800

    USB: option: TLAYTECH TUE800 support

    commit fead2ab6cf9ad3a84a06e68ccc20d1e460fad13e upstream.

    Add ID for Tlaytech TUE800 CDMA modem to the option driver.

    Signed-off-by: Bryan Wu
    Acked-By: Matthias Urlichs
    Signed-off-by: Greg Kroah-Hartman

commit ad1d49cce87e86038f7756c68626a2760d7bfdad
Author: Huzaifa Sidhpurwala
Date:   Mon Oct 12 14:34:45 2009 +0530

    USB: option: Support for AIRPLUS MCD650 Datacard

    commit 12148da6722be3b44c2220206b6ccb80d2d9d8f8 upstream.

    Here is a patch for Airplus MCD 650 card

    Note: This device is with Victor V Kudlak, and he confirmed that this
    device works with the patch.

    Signed-off-by: Huzaifa Sidhpurwala
    Signed-off-by: Greg Kroah-Hartman

commit e4613c5f3a957475b1f5b011e7833cc2b57b6ed4
Author: Ronnie Furuskog
Date:   Mon Sep 21 21:20:55 2009 +0200

    USB: option: Patch for Huawei Mobile Broadband E270+ Modem

    commit 0ee3a33a0481c8f5c9edb7a5a02f3c76496d9551 upstream.

    Signed-off-by: Greg Kroah-Hartman

commit def3834da355e930d694b7373fe651feb0162cf4
Author: Elina Pasheva
Date:   Fri Oct 16 12:04:54 2009 -0700

    USB: serial: sierra driver send_setup() autopm fix

    commit 3c77d5137d3f4ff41721e9b4f4812db56a6065c0 upstream.

    This patch presents a fix for the autosuspend feature implementation in
    sierra usb serial driver for function sierra_send_setup().
    Because it is possible to call sierra_send_setup() before sierra_open() or
    after sierra_close() we added a get/put interface activity to assure that
    the usb control can happen even when the device is autosuspended.

    Signed-off-by: Elina Pasheva
    Tested-by: Matthew Safar
    Signed-off-by: Greg Kroah-Hartman

commit 2367aa9bfd515bd76728b28d62a0fd00ef70832e
Author: Rusty Russell
Date:   Thu Oct 29 08:56:19 2009 -0600

    param: fix setting arrays of bool

    commit 3c7d76e371ac1a3802ae1673f5c63554af59325c upstream.

    We create a dummy struct kernel_param on the stack for parsing each
    array element, but we didn't initialize the flags word. This matters
    for arrays of type "bool", where the flag indicates if it really is
    an array of bools or unsigned int (old-style).

    Reported-by: Takashi Iwai
    Signed-off-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman

commit a8381266f673b5597f11fb9bad9ae196e9915f87
Author: Rusty Russell
Date:   Thu Oct 29 08:56:17 2009 -0600

    param: fix NULL comparison on oom

    commit d553ad864e3b3dde3f1038d491e207021b2d6293 upstream.

    kp->arg is always true: it's the contents of that pointer we care about.

    Reported-by: Takashi Iwai
    Signed-off-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman

commit 9f00eee2ffab59cb85ecf1de54282c7fb4669565
Author: Rusty Russell
Date:   Thu Oct 29 08:56:16 2009 -0600

    param: fix lots of bugs with writing charp params from sysfs, by leaking mem.

    commit 65afac7d80ab3bc9f81e75eafb71eeb92a3ebdef upstream.

    e180a6b7759a "param: fix charp parameters set via sysfs" fixed the case
    where charp parameters written via sysfs were freed, leaving drivers
    accessing random memory.

    Unfortunately, storing a flag in the kparam struct was a bad idea: it's
    rodata so setting it causes an oops on some archs. But that's not all:

    1) module_param_array() on charp doesn't work reliably, since we use an
       uninitialized temporary struct kernel_param.
    2) there's a fundamental race if a module uses this parameter and then
       it's changed: they will still access the old, freed, memory.

    The simplest fix (ie. for 2.6.32) is to never free the memory. This
    prevents all these problems, at cost of a memory leak. In practice, there
    are only 18 places where a charp is writable via sysfs, and all are
    root-only writable.

    Reported-by: Takashi Iwai
    Cc: Sitsofe Wheeler
    Cc: Frederic Weisbecker
    Cc: Christof Schmitt
    Signed-off-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman

commit 05fe6c842ab23f6e823ad87a84adab73ab60beaa
Author: Alan Cox
Date:   Thu Oct 29 12:16:22 2009 +0000

    tty: Mark generic_serial users as BROKEN

    commit 412145947adfca60a4b5b4893fbae82dffa25edd upstream.

    There isn't much else I can do with these. I can find no hardware for
    any of them and no users. The code is broken.

    Signed-off-by: Alan Cox
    Signed-off-by: Greg Kroah-Hartman

commit b4e01e264884a0acbb11c85e3e6d22d23b3f8194
Author: Stas Sergeev
Date:   Sun Oct 18 00:31:38 2009 +0400

    Driver core: fix driver_register() return value

    commit 39acbc12affcaa23ef1d887ba3d197baca8e6e47 upstream.

    In this patch:
    http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=16dc42e018c2868211b4928f20a957c0c216126c
    the check was added for another driver to already claim the same device
    on the same bus. But the returned error code was wrong: to modprobe, the
    -EEXIST means that _this_ driver is already installed. It therefore
    doesn't produce the needed error message when _another_ driver is trying
    to register for the same device. Returning -EBUSY fixes the problem.

    Signed-off-by: Stas Sergeev
    Signed-off-by: Greg Kroah-Hartman

commit 6acffd270b393f4f81e2eebe9aaf5d6837afb07e
Author: Ben Hutchings
Date:   Mon Oct 26 16:49:51 2009 -0700

    hfsplus: refuse to mount volumes larger than 2TB

    commit 5c36fe3d87b3f0c85894a49193c66096a3d6b26f upstream.

    As found in , hfsplus is using type u32
    rather than sector_t for some sector number calculations.
    In particular, hfsplus_get_block() does:

        u32 ablock, dblock, mask;
        ...
        map_bh(bh_result, sb, (dblock << HFSPLUS_SB(sb).fs_shift) + HFSPLUS_SB(sb).blockoffset + (iblock & mask));

    I am not confident that I can find and fix all cases where a sector number
    may be truncated. For now, avoid data loss by refusing to mount HFS+
    volumes with more than 2^32 sectors (2TB).

    [akpm@linux-foundation.org: fix 32 and 64-bit issues]
    Signed-off-by: Ben Hutchings
    Cc: Eric Sesterhenn
    Cc: Roman Zippel
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 623fefd5b367d3d2e614157a3eaba03e2accbd85
Author: OGAWA Hirofumi
Date:   Fri Oct 30 17:02:31 2009 +0900

    dpt_i2o: Fix typo of EINVAL

    commit aefba418bfecd1985a08f50a95bd854a119f0153 upstream.

    Commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 ("dpt_i2o: Fix up
    copy*user") had a silly typo: EINVAL should be -EINVAL.

    Signed-off-by: OGAWA Hirofumi
    Cc: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 01019ab600200ce6f43a52d0e8f7ab5d24a82da3
Author: Alan Cox
Date:   Tue Oct 27 15:35:35 2009 +0000

    dpt_i2o: Fix up copy*user

    commit ef7562b7f28319e6dd1f85dc1af87df2a7a84832 upstream.

    Signed-off-by: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4d4c684cd460ca0e1f3daacde10e201776616c3f
Author: Benjamin Herrenschmidt
Date:   Mon Oct 26 16:50:05 2009 -0700

    8250_pci: add IBM Saturn serial card

    commit c68d2b1594548cda7f6dbac6a4d9d30a9b01558c upstream.

    The IBM Saturn serial card has only one port. Without that fixup, the
    kernel thinks it has two, which confuses userland setup and admin tools as
    well.
    [akpm@linux-foundation.org: fix pci-ids.h layout]
    Signed-off-by: Benjamin Herrenschmidt
    Acked-by: Alan Cox
    Cc: Michael Reed
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Acked-by: Alan Cox
    Signed-off-by: Greg Kroah-Hartman

commit 7b6f062f8c8252063ab1bf8c2c6efc9bbcaeedcc
Author: KOSAKI Motohiro
Date:   Mon Oct 26 16:49:59 2009 -0700

    do_mbind(): fix memory leak

    commit b05ca7385a2848abdc72051f832722641daed8b0 upstream.

    If migrate_prep is failed, new variable is leaked. This patch fixes it.

    Signed-off-by: KOSAKI Motohiro
    Acked-by: Christoph Lameter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 71ad01d06d0803e034dae2fcd33aeb5e9662c046
Author: KOSAKI Motohiro
Date:   Mon Oct 26 16:49:58 2009 -0700

    mbind(): fix leak of never putback pages

    commit ab8a3e14e6f8e567560f664bbd29aefb306a274e upstream.

    If mbind() receives an invalid address, do_mbind leaks a page. The
    following test program detects this leak.

    This patch fixes it.

    migrate_efault.c
    =======================================
    #include <numaif.h>
    #include <numa.h>
    #include <sys/mman.h>
    #include <stdio.h>
    #include <unistd.h>
    #include <stdlib.h>
    #include <string.h>

    static unsigned long pagesize;

    static void* make_hole_mapping(void)
    {
        void* addr;

        addr = mmap(NULL, pagesize*3, PROT_READ|PROT_WRITE,
                    MAP_ANON|MAP_PRIVATE, 0, 0);
        if (addr == MAP_FAILED)
            return NULL;

        /* make page populate */
        memset(addr, 0, pagesize*3);

        /* make memory hole */
        munmap(addr+pagesize, pagesize);

        return addr;
    }

    int main(int argc, char** argv)
    {
        void* addr;
        int ch;
        int node;
        struct bitmask *nmask = numa_allocate_nodemask();
        int err;
        int node_set = 0;

        while ((ch = getopt(argc, argv, "n:")) != -1){
            switch (ch){
            case 'n':
                node = strtol(optarg, NULL, 0);
                numa_bitmask_setbit(nmask, node);
                node_set = 1;
                break;
            default:
                ;
            }
        }
        argc -= optind;
        argv += optind;

        if (!node_set)
            numa_bitmask_setbit(nmask, 0);

        pagesize = getpagesize();

        addr = make_hole_mapping();

        err = mbind(addr, pagesize*3, MPOL_BIND, nmask->maskp, nmask->size, MPOL_MF_MOVE_ALL);
        if (err)
            perror("mbind ");

        return 0;
    }
    =======================================

    Signed-off-by: KOSAKI Motohiro
    Acked-by: Christoph Lameter
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit bf501c3e8bb75e9f22f79eca39dc6c8ca5a32432
Author: Alan Cox
Date:   Tue Oct 27 15:35:55 2009 +0000

    ray_cs: Fix copy_from_user handling

    commit 575c9ed7798218dc923f319c0d78f0c25ca506b9 upstream.

    I've not touched the other stuff here but the word "locking" comes to mind.

    Signed-off-by: Alan Cox
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit e676b2bd4553802a0b6211d5cca7fb3358ce66cf
Author: Mikulas Patocka
Date:   Fri Oct 16 23:18:17 2009 +0100

    dm snapshot: use unsigned integer chunk size

    commit df96eee679ba28c98cf722fa7c9f4286ee1ed0bd upstream.

    Use unsigned integer chunk size.

    Maximum chunk size is 512kB, there won't ever be need to use 4GB chunk size,
    so the number can be 32-bit. This fixes compiler failure on 32-bit systems
    with large block devices.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: Mike Snitzer
    Reviewed-by: Jonathan Brassow
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 537c93c1c116409f1418c99286aa81c8b9ccbdee
Author: Mikulas Patocka
Date:   Fri Oct 16 23:18:16 2009 +0100

    dm snapshot: require non zero chunk size by end of ctr

    commit 3f2412dc85260e5aae7ebb03bf50d5b1407e3083 upstream.

    If we are creating snapshot with memory-stored exception store, fail if
    the user didn't specify chunk size. Zero chunk size would probably crash
    a lot of places in the rest of snapshot code.

    Signed-off-by: Mikulas Patocka
    Reviewed-by: Jonathan Brassow
    Reviewed-by: Mike Snitzer
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 651385e4bbbff823f111e4e8a68b2e1613c34c79
Author: Mikulas Patocka
Date:   Fri Oct 16 23:18:16 2009 +0100

    dm snapshot: lock snapshot while supplying status

    commit 4c6fff445d7aa753957856278d4d93bcad6e2c14 upstream.

    This patch locks the snapshot when returning status.
    It fixes a race when it could return an invalid number of free chunks if
    someone was simultaneously modifying it.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit e61f48eb0ac00c6d73dd53b3d79abe2c578328dc
Author: Mikulas Patocka
Date:   Fri Oct 16 23:18:16 2009 +0100

    dm exception store: fix failed set_chunk_size error path

    commit 0e8c4e4e3ebb15756ddc4170a88149a2cd323cfe upstream.

    Properly close the device if failing because of an invalid chunk size.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit c5d0c81248f5b0d14f464f4170f76fb756df5ac0
Author: Kiyoshi Ueda
Date:   Fri Oct 16 23:18:15 2009 +0100

    dm: dec_pending needs locking to save error value

    commit f88fb981183e71daf40bbd84bc8251bbf7b59e19 upstream.

    Multiple instances of dec_pending() can run concurrently so a lock is
    needed when it saves the first error code.

    I have never experienced actual problem without locking and just found
    this during code inspection while implementing the barrier support
    patch for request-based dm.

    This patch adds the locking.
    I've done compile, boot and basic I/O testings.

    Signed-off-by: Kiyoshi Ueda
    Signed-off-by: Jun'ichi Nomura
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 17f34f975f03e1cdad57fc04c590a750e2558d42
Author: Zdenek Kabelac
Date:   Fri Oct 16 23:18:15 2009 +0100

    dm: add missing del_gendisk to alloc_dev error path

    commit 03022c54b9725026c0370a810168975c387ad04c upstream.

    Add missing del_gendisk() to error path when creation of workqueue fails.
    Otherwise there is a resource leak and following warning is shown:

    WARNING: at fs/sysfs/dir.c:487 sysfs_add_one+0xc5/0x160()
    sysfs: cannot create duplicate filename '/devices/virtual/block/dm-0'

    Signed-off-by: Zdenek Kabelac
    Reviewed-by: Jonathan Brassow
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 67060bc39921c6fea6c8ce2eceaf348038dbba89
Author: Andrew Morton
Date:   Fri Oct 16 23:18:15 2009 +0100

    dm log: userspace fix incorrect luid cast in userspace_ctr

    commit bca915aae803cf01fde4461fc9c093cf5a86d7fc upstream.

    mips:

    drivers/md/dm-log-userspace-base.c: In function `userspace_ctr':
    drivers/md/dm-log-userspace-base.c:159: warning: cast from pointer to integer of different size

    Cc: Jonathan Brassow
    Signed-off-by: Andrew Morton
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 028e4a12f691559d367c12cb0612e1635b5c7a32
Author: Mikulas Patocka
Date:   Fri Oct 16 23:18:14 2009 +0100

    dm snapshot: sort by chunk size to fix race

    commit 6d45d93ead319423099b82a4efd775bc0f159121 upstream.

    Avoid a race causing corruption when snapshots of the same origin have
    different chunk sizes by sorting the internal list of snapshots by chunk
    size, largest first.
    https://bugzilla.redhat.com/show_bug.cgi?id=182659

    For example, let's have two snapshots with different chunk sizes. The
    first snapshot (1) has small chunk size and the second snapshot (2) has
    large chunk size. Let's have chunks A, B, C in these snapshots:

    snapshot1: ====A====   ====B====
    snapshot2: ==========C==========

    (Chunk size is a power of 2. Chunks are aligned.)

    A write to the origin at a position within A and C comes along. It
    triggers reallocation of A, then reallocation of C and links them
    together using A as the 'primary' exception.

    Then another write to the origin comes along at a position within B and
    C. It creates pending exception for B.
    C already has a reallocation in progress and it already has a primary
    exception (A), so nothing is done to it: B and C are not linked.

    If the reallocation of B finishes before the reallocation of C, because
    there is no link with the pending exception for C it does not know to
    wait for it and, the second write is dispatched to the origin and causes
    data corruption in the chunk C in snapshot2.

    To avoid this situation, we maintain snapshots sorted in descending
    order of chunk size. This leads to a guaranteed ordering on the links
    between the pending exceptions and avoids the problem explained above -
    both A and B now get linked to C.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit 1b0fd1e25a9393003f7034a83f5932ce26242577
Author: Jonathan Brassow
Date:   Fri Oct 16 23:18:14 2009 +0100

    dm snapshot: free exception store on init failure

    commit 034a186d29dbcef099e57ab23ec39440596be911 upstream.

    While initializing the snapshot module, if we fail to register
    the snapshot target then we must back-out the exception store
    module initialization.

    Signed-off-by: Jonathan Brassow
    Reviewed-by: Mikulas Patocka
    Reviewed-by: Mike Snitzer
    Signed-off-by: Alasdair G Kergon
    Signed-off-by: Greg Kroah-Hartman

commit af57e833c96884bf0aa231039a25c853f7e83864
Author: Dmitry Torokhov
Date:   Mon Oct 12 21:35:00 2009 -0700

    Input: synaptics - add another Protege M300 to rate blacklist

    commit 5f5eeff4c93256ee93435a3bf08cf18c45e9a994 upstream.

    Apparently some of Toshiba Protege M300 identify themselves as
    "Portable PC" in DMI so we need to add that to the DMI table as
    well. We need DMI data so we can automatically lower Synaptics
    reporting rate from 80 to 40 pps to avoid over-taxing their
    keyboard controllers.
    Tested-by: Rod Davison
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit bfdf85fe73f1b697430bbeb763f8456e2ce52e9d
Author: Thomas Gleixner
Date:   Wed Oct 14 01:18:26 2009 -0700

    watchdog: Fix rio watchdog probe function

    [ Upstream commit 03717e3d12b625268848414e39beda25e4515692 ]

    After successfully registering the misc device the driver iounmaps the
    hardware registers and kfree's the device data structure. Ouch !

    This was introduced with commit e42311d75 (riowatchdog: Convert to
    pure OF driver) and went unnoticed for more than a year :)

    Return success instead of dropping into the error cleanup code path.

    Signed-off-by: Thomas Gleixner
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e1f7f4182a52b850379c0d4f35a8085d9552786a
Author: David S. Miller
Date:   Tue Sep 15 17:04:38 2009 -0700

    sparc: Kill PROM console driver.

    [ Upstream commit 09d3f3f0e02c8a900d076c302c5c02227f33572d ]

    Many years ago when this driver was written, it had a use, but these
    days it's nothing but trouble and distributions should not enable it
    in any situation.

    Pretty much every console device a sparc machine could see has a
    bonafide real driver, making the PROM console hack unnecessary.

    If any new device shows up, we should write a driver instead of
    depending upon this crutch to save us. We've been able to take care
    of this even when no chip documentation exists (sunxvr500,
    sunxvr2500) so there are no excuses.

    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b03a3764e5605f63f4a8eabe416c0d8156b93108
Author: David S. Miller
Date:   Tue Oct 13 00:49:09 2009 -0700

    sparc64: Set IRQF_DISABLED on LDC channel IRQs.

    [ Upstream commit c58543c869606532c2382f027d6466f4672ea756 ]

    With lots of virtual devices it's easy to generate a lot of
    events and chew up the kernel IRQ stack.

    Reported-by: hyl
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 99bea2784294c3bbec4d1d69d7c6e3b01e59edbb
Author: Chuck Ebbert
Date:   Mon Oct 26 15:27:53 2009 -0400

    ahci: revert "Restore SB600 sata controller 64 bit DMA"

    revert commit 58a09b38cfcd700b796ea07ae3d2e0efbb28b561
    ("[libata] ahci: Restore SB600 SATA controller 64 bit DMA")

    Upstream commit 58a09b38cfcd700b796ea07ae3d2e0efbb28b561
    does nearly the same thing but this patch is simplified for 2.6.31

    Disables 64-bit DMA for _all_ boards, unlike 2.6.32 which adds a
    whitelist. (The whitelist function requires a fairly large patch
    that touches unrelated code.)

    Doesn't revert the DMI part as other backported patches might
    need the exported symbol.

    Applies to 2.6.31.4

    Signed-off-by: Chuck Ebbert
    Acked-by: Tejun Heo
    Signed-off-by: Greg Kroah-Hartman

commit fc7df048bf93e52c04f4c39104a5a388b73725b8
Author: Thomas Gleixner
Date:   Wed Oct 28 20:26:48 2009 +0100

    futex: Fix spurious wakeup for requeue_pi really

    commit 11df6dddcbc38affb7473aad3d962baf8414a947 upstream.

    The requeue_pi path doesn't use unqueue_me() (and the racy lock_ptr ==
    NULL test) nor does it use the wake_list of futex_wake() which were
    the reason for commit 41890f2 (futex: Handle spurious wake up)

    See debugging discussing on LKML Message-ID: <4AD4080C.20703@us.ibm.com>

    The changes in this fix to the wait_requeue_pi path were considered to
    be a likely unnecessary, but harmless safety net. But it turns out that
    due to the fact that for unknown $@#!*( reasons EWOULDBLOCK is defined
    as EAGAIN we built an endless loop in the code path which returns
    correctly EWOULDBLOCK.

    Spurious wakeups in wait_requeue_pi code path are unlikely so we do
    the easy solution and return EWOULDBLOCK^WEAGAIN to user space and let
    it deal with the spurious wakeup.
Cc: Darren Hart
Cc: Peter Zijlstra
Cc: Eric Dumazet
Cc: John Stultz
Cc: Dinakar Guniguntala
LKML-Reference: <4AE23C74.1090502@us.ibm.com>
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman

commit 81e6fd571d574da95cf977ff3266d95a802b1820
Author: Darren Hart
Date: Thu Oct 15 15:30:48 2009 -0700

futex: Move drop_futex_key_refs out of spinlock'ed region

commit 89061d3d58e1f0742139605dc6a7950aa1ecc019 upstream.

When requeuing tasks from one futex to another, the reference held by the requeued task to the original futex location needs to be dropped eventually.

Dropping the reference may ultimately lead to a call to "iput_final" and subsequently call into filesystem-specific code - which may be non-atomic.

It is therefore safer to defer this drop operation until after the futex_hash_bucket spinlock has been dropped.

Originally-From: Helge Bahmann
Signed-off-by: Darren Hart
Cc: Peter Zijlstra
Cc: Eric Dumazet
Cc: Dinakar Guniguntala
Cc: John Stultz
Cc: Sven-Thorsten Dietrich
Cc: John Kacur
LKML-Reference: <4AD7A298.5040802@us.ibm.com>
Signed-off-by: Ingo Molnar
Signed-off-by: Greg Kroah-Hartman

commit 6d57fbdd82f6012a4d451bacd75451928cbc29be
Author: Darren Hart
Date: Wed Oct 14 10:12:39 2009 -0700

futex: Check for NULL keys in match_futex

commit 2bc872036e1c5948b5b02942810bbdd8dbdb9812 upstream.

If userspace tries to perform a requeue_pi on a non-requeue_pi waiter, it will find the futex_q->requeue_pi_key to be NULL and OOPS. Check for NULL in match_futex() instead of doing explicit NULL pointer checks on all call sites. While match_futex(NULL, NULL) returning false is a little odd, it's still correct as we expect valid key references.
Signed-off-by: Darren Hart
Cc: Peter Zijlstra
Cc: Ingo Molnar
CC: Eric Dumazet
CC: Dinakar Guniguntala
CC: John Stultz
LKML-Reference: <4AD60687.10306@us.ibm.com>
Signed-off-by: Thomas Gleixner
Signed-off-by: Greg Kroah-Hartman

commit e68e25e608880c149c2080930295227a79ceb5ac
Author: Thomas Gleixner
Date: Tue Oct 13 20:40:43 2009 +0200

futex: Handle spurious wake up

commit d58e6576b0deec6f0b9ff8450fe282da18c50883 upstream.

The futex code does not handle spurious wake up in futex_wait and futex_wait_requeue_pi.

The code assumes that any wake up which was not caused by futex_wake / requeue or by a timeout was caused by a signal wake up and returns one of the syscall restart error codes.

In case of a spurious wake up the signal delivery code which deals with the restart error codes is not invoked and we return that error code to user space. That causes applications which actually check the return codes to fail. Blaise reported that on preempt-rt a python test program ran into an exception trap. -rt exposed that due to a built in spurious wake up accelerator :)

Solve this by checking signal_pending(current) in the wake up path and handle the spurious wake up case w/o returning to user space.

Reported-by: Blaise Gassend
Debugged-by: Darren Hart
Signed-off-by: Thomas Gleixner
Cc: Peter Zijlstra
Signed-off-by: Greg Kroah-Hartman

commit 866b5a4dc9682101678d42071378a168744b15b0
Author: Andre Przywara
Date: Wed Jun 24 12:44:34 2009 +0200

KVM: ignore reads from AMDs C1E enabled MSR

commit 1fdbd48c242db996107f72ae4140ffe8163e26a8 upstream.

If the Linux kernel detects a C1E capable AMD processor (K8 RevF and higher), it will access a certain MSR on every attempt to go to halt. Explicitly handle this read and return 0 to let KVM run a Linux guest with the native AMD host CPU propagated to the guest.
Signed-off-by: Andre Przywara
Signed-off-by: Avi Kivity
Signed-off-by: Greg Kroah-Hartman

commit c66415b2216cebf6625a2ab01c347a2fc329671a
Author: Marcelo Tosatti
Date: Thu Oct 8 10:55:03 2009 -0300

KVM: use proper hrtimer function to retrieve expiration time

commit ace1546487a0fe4634e3251067f8a32cb2cdc099 upstream.

hrtimer->base can be temporarily NULL due to racing hrtimer_start. See switch_hrtimer_base/lock_hrtimer_base.

Use hrtimer_get_remaining which is robust against it.

Signed-off-by: Marcelo Tosatti
Signed-off-by: Avi Kivity
Signed-off-by: Greg Kroah-Hartman

commit 9c367e53d2780b5131baecd1874835ce8ddc4ed0
Author: Yinghai Lu
Date: Tue Oct 20 14:13:46 2009 +0900

nfs: Fix nfs_parse_mount_options() kfree() leak

commit 4223a4a155f245d41c350ed9eba4fc32e965c4da upstream.

Fix a (small) memory leak in one of the error paths of the NFS mount options parsing code.

Regression introduced in 2.6.30 by commit a67d18f (NFS: load the rpc/rdma transport module automatically).

Reported-by: Yinghai Lu
Reported-by: Pekka Enberg
Signed-off-by: Ingo Molnar
Signed-off-by: Trond Myklebust
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman

commit 7613217197c8927891e554c1734c1c417b22672b
Author: Tejun Heo
Date: Wed Oct 14 11:18:28 2009 +0900

sata_nv: make sure link is brough up online when skipping hardreset

commit 6489e3262e6b188a1a009b65e8a94b7aa17645b7 upstream.

prereset doesn't bring link online if hardreset is about to happen and nv_hardreset() may skip if conditions are not right so softreset may be entered with non-working link status if the system firmware didn't bring it up before entering OS code which can happen during resume. This patch makes nv_hardreset() bring up the link if it's skipping reset.

This bug was reported by frodone@gmail.com in the following bug entry.
http://bugzilla.kernel.org/show_bug.cgi?id=14329

Signed-off-by: Tejun Heo
Reported-by: frodone@gmail.com
Signed-off-by: Jeff Garzik
Signed-off-by: Greg Kroah-Hartman

commit 32f4683db485b809264115327a2a34fe51d4e7ba
Author: Tejun Heo
Date: Thu Oct 15 23:37:32 2009 +0900

libata: fix PMP initialization

commit 4f7c2874995ac48a4622755b8bd159eb2fb6d8f4 upstream.

Commit 842faa6c1a1d6faddf3377948e5cf214812c6c90 fixed error handling during attach by not committing detected device class to dev->class while attaching a new device. However, this change missed the PMP class check in the configuration loop causing a new PMP device to go through ata_dev_configure() as if it were an ATA or ATAPI device.

As a PMP device doesn't have regular IDENTIFY data, this makes ata_dev_configure() try to configure a PMP device using invalid data. For the most part, it wasn't too harmful and went unnoticed but this ends up clearing dev->flags which may have ATA_DFLAG_AN set by sata_pmp_attach(). This means that SATA_PMP_FEAT_NOTIFY ends up being disabled on PMPs and on PMPs which honor the flag breaks hotplug support.

This problem was discovered and reported by Ethan Hsiao.

Signed-off-by: Tejun Heo
Reported-by: Ethan Hsiao
Signed-off-by: Jeff Garzik
Signed-off-by: Greg Kroah-Hartman

commit 9982364654c186acd48c3070dcf6a76c69e540cc
Author: Tejun Heo
Date: Fri Oct 16 13:00:51 2009 +0900

libata: fix internal command failure handling

commit f4b31db92d163df8a639f5a8c8633bdeb6e8432d upstream.

When an internal command fails, it should be failed directly without invoking EH. In the original implementation, this was accomplished by letting internal command bypass failure handling in ata_qc_complete(). However, later changes added post-successful-completion handling to that code path and the success path is no longer adequate as internal command failure path.
One of the visible problems is that internal command failure due to timeout or other freeze conditions would spuriously trigger WARN_ON_ONCE() in the success path.

This patch updates failure path such that internal command failure handling is contained there.

Signed-off-by: Tejun Heo
Signed-off-by: Jeff Garzik
Signed-off-by: Greg Kroah-Hartman

commit 2f37b165767202d7438aac98710f20038d197542
Author: Yinghai Lu
Date: Sun Oct 11 14:17:16 2009 -0700

pci: increase alignment to make more space for hidden code

commit 15b812f1d0a5ca8f5efe7f5882f468af10682ca8 upstream.

As reported in

http://bugzilla.kernel.org/show_bug.cgi?id=13940

on some systems when acpi is enabled, acpi clears some BAR for some devices without reason, and kernel will need to allocate devices for them. It then apparently hits some undocumented resource conflict, resulting in non-working devices.

Try to increase alignment to get more safe range for unassigned devices.

Signed-off-by: Yinghai Lu
Signed-off-by: Linus Torvalds

commit c40ca2aab8a3d3ba213b7b174cb2c90bd3b51235
Author: Earl Chew
Date: Mon Oct 19 15:55:41 2009 -0700

fs: pipe.c null pointer dereference

commit ad3960243e55320d74195fb85c975e0a8cc4466c upstream.

This patch fixes a null pointer exception in pipe_rdwr_open() which generates the stack trace:

> Unable to handle kernel NULL pointer dereference at 0000000000000028 RIP:
> [] pipe_rdwr_open+0x35/0x70
> [] __dentry_open+0x13c/0x230
> [] do_filp_open+0x2d/0x40
> [] do_sys_open+0x5a/0x100
> [] sysenter_do_call+0x1b/0x67

The failure mode is triggered by an attempt to open an anonymous pipe via /proc/pid/fd/* as exemplified by this script:

=============================================================
while : ; do
   { echo y ; sleep 1 ; } | { while read ; do echo z$REPLY; done ; } &
   PID=$!
   OUT=$(ps -efl | grep 'sleep 1' | grep -v grep |
        { read PID REST ; echo $PID; } )
   OUT="${OUT%% *}"
   DELAY=$((RANDOM * 1000 / 32768))
   usleep $((DELAY * 1000 + RANDOM % 1000 ))
   echo n > /proc/$OUT/fd/1                 # Trigger defect
done
=============================================================

Note that the failure window is quite small and I could only reliably reproduce the defect by inserting a small delay in pipe_rdwr_open(). For example:

 static int
 pipe_rdwr_open(struct inode *inode, struct file *filp)
 {
       msleep(100);
       mutex_lock(&inode->i_mutex);

Although the defect was observed in pipe_rdwr_open(), I think it makes sense to replicate the change through all the pipe_*_open() functions.

The core of the change is to verify that inode->i_pipe has not been released before attempting to manipulate it. If inode->i_pipe is no longer present, return ENOENT to indicate so.

The comment about potentially using atomic_t for i_pipe->readers and i_pipe->writers has also been removed because it is no longer relevant in this context. The inode->i_mutex lock must be used so that inode->i_pipe can be dealt with correctly.

Signed-off-by: Earl Chew
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman
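The check described in the pipe.c commit above, as an added user-space model in C (not the kernel patch and not code from this changelog): the opener takes i_mutex, tests i_pipe, and returns -ENOENT when the pipe is already gone. The struct layouts, the model_* and replay names, and the release logic are assumptions made for the illustration.

```c
#include <errno.h>
#include <pthread.h>
#include <stdio.h>

/* Hypothetical user-space stand-ins for the kernel objects the commit names. */
struct pipe_model { int readers, writers; };
/* i_pipe is NULL once the last user has released the pipe. */
struct inode_model { pthread_mutex_t i_mutex; struct pipe_model *i_pipe; };

/* Patched shape: take i_mutex, then test i_pipe before touching its counters. */
static int model_pipe_rdwr_open(struct inode_model *inode)
{
    int ret = -ENOENT;              /* returned when the pipe is already gone */
    pthread_mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        ret = 0;
        inode->i_pipe->readers++;
        inode->i_pipe->writers++;
    }
    pthread_mutex_unlock(&inode->i_mutex);
    return ret;
}

/* Assumed release path: drop one reader and one writer; at zero the model
 * clears i_pipe, standing in for the release the commit message refers to. */
static void model_pipe_release(struct inode_model *inode)
{
    pthread_mutex_lock(&inode->i_mutex);
    if (inode->i_pipe) {
        inode->i_pipe->readers--;
        inode->i_pipe->writers--;
        if (inode->i_pipe->readers + inode->i_pipe->writers == 0)
            inode->i_pipe = NULL;
    }
    pthread_mutex_unlock(&inode->i_mutex);
}

/* Replays one ordering sequentially; the pipeline's own ends hold one reference each. */
static int replay(int release_first)
{
    struct pipe_model pipe = { 1, 1 };
    struct inode_model inode = { .i_mutex = PTHREAD_MUTEX_INITIALIZER, .i_pipe = &pipe };
    if (release_first)
        model_pipe_release(&inode);     /* both ends of the pipeline exit first */
    return model_pipe_rdwr_open(&inode); /* late open through /proc/<pid>/fd/<n> */
}

int main(void)
{
    printf("pipe alive: %d, pipe released: %d\n", replay(0), replay(1));
    return 0;
}
```

Without the `if (inode->i_pipe)` test, the second ordering would dereference a NULL pointer, which is the fault shown in the stack trace.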