commit d72737aa817b1219a65e29328d22eefd9faade00
Author: Greg Kroah-Hartman
Date:   Wed May 12 14:59:32 2010 -0700

    Linux 2.6.32.13

commit 1b4b25fb9a90f7fe755d47f0beb48da75ddcd38e
Author: Ralf Baechle
Date:   Fri Apr 23 02:56:38 2010 +0100

    MIPS: Sibyte: Apply M3 workaround only on affected chip types and versions.

    (cherry picked from commit e65c7f33d75e977350ca350573d93c517ec02776)

    Previously it was unconditionally used on all Sibyte family SOCs. The M3 bug has to be handled in the TLB exception handler which is extremely performance sensitive, so this modification is expected to deliver around 2-3% performance improvement. This is important as required changes to the M3 workaround will make it more costly.

    Signed-off-by: Ralf Baechle
    Signed-off-by: Greg Kroah-Hartman

commit 7443d2d252e4f958d080c629b593fb3836b215e5
Author: James Bottomley
Date:   Tue May 4 16:51:40 2010 -0400

    SCSI: Retry commands with UNIT_ATTENTION sense codes to fix ext3/ext4 I/O error

    commit 77a4229719e511a0d38d9c355317ae1469adeb54 upstream.

    There's nastiness in the way we currently handle barriers (and discards): They're effectively filesystem commands, but they get processed as BLOCK_PC commands. Unfortunately BLOCK_PC commands are taken by SCSI to be SG_IO commands and the issuer expects to see and handle any returned errors, however trivial. This leads to a huge problem, because the block layer doesn't expect this to happen and any trivially retryable error on a barrier causes an immediate I/O error to the filesystem.

    The only real way to hack around this is to take the usual class of offending errors (unit attentions) and make them all retryable in the case of a REQ_HARDBARRIER.

    A correct fix would involve a rework of the entire block and SCSI submit system, and so is out of scope for a quick fix.

    Cc: Hannes Reinecke
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit f3dc6becaa6b5efdb5756cf6f47b724c9b32df0b
Author: Hannes Reinecke
Date:   Tue May 4 16:49:21 2010 +0200

    Enable retries for SYNCRONIZE_CACHE commands to fix I/O error

    commit c213e1407be6b04b144794399a91472e0ef92aec upstream.

    Some arrays are giving I/O errors with ext3 filesystems when SYNCHRONIZE_CACHE gets a UNIT_ATTENTION. What is happening is that these commands have no retries, so the UNIT_ATTENTION causes the barrier to fail. We should enable retries here to clear any transient error and allow the barrier to succeed.

    Signed-off-by: Hannes Reinecke
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit cc9a23629f1a9733b58abd3a0fb6eb3f18c20532
Author: Douglas Gilbert
Date:   Sun Apr 25 12:30:23 2010 +0200

    scsi_debug: virtual_gb ignores sector_size

    commit 5447ed6c968e7270b656afa273c2b79d15d82edd upstream.

    In the scsi_debug driver, the virtual_gb option ignores the sector_size, implicitly assuming that is 512 bytes. So if 'virtual_gb=1 sector_size=4096' the result is an 8 GB (virtual) disk.

    Signed-off-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit ec5e50f079ac7a22facdc1f535a755dab30a0af5
Author: Mike Christie
Date:   Sat Apr 24 16:21:19 2010 -0500

    SCSI: libiscsi: regression: fix header digest errors

    commit 96b1f96dcab87756c0a1e7ba76bc5dc2add82b88 upstream.

    This fixes a regression introduced with this commit:

    commit d3305f3407fa3e9452079ec6cc8379067456e4aa
    Author: Mike Christie
    Date:   Thu Aug 20 15:10:58 2009 -0500

        [SCSI] libiscsi: don't increment cmdsn if cmd is not sent

    in 2.6.32.

    When I moved the hdr->cmdsn after init_task, I added a bug when header digests are used. The problem is that the LLD may calculate the header digest in init_task, so if we then set the cmdsn after the init_task call we change what the digest will be calculated by the target.

    Signed-off-by: Mike Christie
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit a414b72407d6729915dc1af4c21f1c40d328d7da
Author: Tejun Heo
Date:   Thu Apr 15 09:00:08 2010 +0900

    SCSI: fix locking around blk_abort_request()

    commit 70b25f890ce9f0520c64075ce9225a5b020a513e upstream.

    blk_abort_request() expects queue lock to be held by the caller. Grab it before calling the function.

    Lack of this synchronization led to infinite loop on corrupt q->timeout_list.

    Signed-off-by: Tejun Heo
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 5a1b8c2d73537fcae20b9d31d2e46504b64d4f52
Author: Jakob Viketoft
Date:   Wed May 5 18:25:27 2010 +0800

    pxa/colibri: fix missing #include in colibri.h

    commit ccb8d8d070b8f25f0163da5c9ceacf63a5169540 upstream.

    The use of mfp_cfg_t causes build errors without including .

    CC: Daniel Mack
    Signed-off-by: Jakob Viketoft
    Signed-off-by: Eric Miao
    Signed-off-by: Greg Kroah-Hartman

commit 878ab0f7c084d22ecbca25953907f637474c70d9
Author: Arjan van de Ven
Date:   Sat May 8 15:47:37 2010 -0700

    cpuidle: Fix incorrect optimization

    commit 1c6fe0364fa7bf28248488753ee0afb6b759cd04 upstream.

    commit 672917dcc78 ("cpuidle: menu governor: reduce latency on exit") added an optimization, where the analysis on the past idle period moved from the end of idle, to the beginning of the new idle.

    Unfortunately, this optimization had a bug where it zeroed one key variable for new use, that is needed for the analysis. The fix is simple, zero the variable after doing the work from the previous idle.

    During the audit of the code that found this issue, another issue was also found; the ->measured_us data structure member is never set, a local variable is always used instead.

    Signed-off-by: Arjan van de Ven
    Cc: Corrado Zoccolo
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 8c75d08fd187685d67994a364a58875429d7d15a
Author: Kamal Mostafa
Date:   Tue Apr 27 14:02:40 2010 -0700

    ACPI: sleep: init_set_sci_en_on_resume for Dell Studio 155x

    commit ea5bc73f4f56449b2d450068d492bcd17a675d7a upstream.

    Add Dell Studio models (1558, 1557, 1555) to the 'set_sci_en_on_resume' list to fix hang on resume.

    BugLink: http://bugs.launchpad.net/bugs/553498

    Signed-off-by: Kamal Mostafa
    Acked-by: Alex Chiang
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit d62aa1407cc32750ed94c594b01f28b13d42f23d
Author: Dan Carpenter
Date:   Tue Apr 27 14:01:07 2010 -0700

    power_meter: acpi_device_class "power_meter_resource" too long

    commit 18262714ca0fb65c290b8ea1807b2b02bb52d0e3 upstream.

    acpi_device_class can only be 19 characters and a NULL terminator.

    The current code has a buffer overflow in acpi_power_meter_add():

        strcpy(acpi_device_class(device), ACPI_POWER_METER_CLASS);

    Signed-off-by: Dan Carpenter
    Cc: Len Brown
    Cc: "Darrick J. Wong"
    Signed-off-by: Andrew Morton
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit f1b184b1a3a327df299fb1ffd3da1cceaa013efb
Author: Alex Chiang
Date:   Tue Apr 20 08:03:14 2010 -0600

    ACPI: DMI init_set_sci_en_on_resume for multiple Lenovo ThinkPads

    commit 07bedca29b0973f36a6b6db36936deed367164ed upstream.

    Multiple Lenovo ThinkPad models with Intel Core i5/i7 CPUs can successfully suspend/resume once, and then hang on the second s/r cycle.

    We got confirmation that this was due to a BIOS defect. The BIOS did not properly set SCI_EN coming out of S3. The BIOS guys hinted that The Other Leading OS ignores the fact that hardware owns the bit and sets it manually.

    In any case, an existing DMI table exists for machines where this defect is a known problem. Lenovo promise to fix their BIOS, but for folks who either won't or can't upgrade their BIOS, allow Linux to workaround the issue.

    https://bugzilla.kernel.org/show_bug.cgi?id=15407
    https://bugs.launchpad.net/ubuntu/+source/linux/+bug/532374

    Confirmed by numerous testers in the launchpad bug that using acpi_sleep=sci_force_enable fixes the issue. We add the machines to acpisleep_dmi_table[] to automatically enable this workaround.

    Cc: Colin King
    Signed-off-by: Alex Chiang
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 65f202baf580af35a417ac8118465bef9b65307e
Author: Bjørn Mork
Date:   Wed Mar 24 07:57:57 2010 -0300

    V4L/DVB: budget: Oops: "BUG: unable to handle kernel NULL pointer dereference"

    commit 6f550dc08369ee0bc6402963c377e65f0f2e3b71 upstream.

    Never call dvb_frontend_detach if we failed to attach a frontend. This fixes the following oops, which will be triggered by a missing stv090x module:

    [ 8.172997] DVB: registering new adapter (TT-Budget S2-1600 PCI)
    [ 8.209018] adapter has MAC addr = 00:d0:5c:cc:a7:29
    [ 8.328665] Intel ICH 0000:00:1f.5: PCI INT B -> GSI 17 (level, low) -> IRQ 17
    [ 8.328753] Intel ICH 0000:00:1f.5: setting latency timer to 64
    [ 8.562047] DVB: Unable to find symbol stv090x_attach()
    [ 8.562117] BUG: unable to handle kernel NULL pointer dereference at 000000ac
    [ 8.562239] IP: [] dvb_frontend_detach+0x4/0x67 [dvb_core]

    Ref http://bugs.debian.org/575207

    Signed-off-by: Bjørn Mork
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit c38090e259e2311c1a8bfac4dbc60bbdb70f4f08
Author: Gabriele A. Trombetti
Date:   Wed Apr 28 11:51:17 2010 +1000

    md/raid6: Fix raid-6 read-error correction in degraded state

    commit 87aa63000c484bfb9909989316f615240dfee018 upstream.

    Fix: Raid-6 was not trying to correct a read-error when in singly-degraded state and was instead dropping one more device, going to doubly-degraded state. This patch fixes this behaviour.

    Tested-by: Janos Haar
    Signed-off-by: Gabriele A. Trombetti
    Reported-by: Janos Haar
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit 487fc21950d1a6a928b7438ecfc6455e6ee3eb77
Author: Stijn Tintel
Date:   Fri May 7 14:28:34 2010 +0930

    virtio: initialize earlier

    commit e2dbe06c271f3bb2a495627980aad3d1d8ccef2a upstream.

    Move initialization of the virtio framework before the initialization of mtd, so that block2mtd can be used on virtio-based block devices.

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15644

    Signed-off-by: Stijn Tintel
    Signed-off-by: Rusty Russell
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fdb07a230a9f146bad017b8ec577a25c29ca1856
Author: NeilBrown
Date:   Fri May 7 19:44:26 2010 +1000

    md: restore ability of spare drives to spin down.

    commit 1176568de7e066c0be9e46c37503b9fd4730edcf upstream.

    Some time ago we stopped the clean/active metadata updates from being written to a 'spare' device in most cases so that it could spin down and stay spun down. Device failure/removal etc are still recorded on spares.

    However commit 51d5668cb2e3fd1827a55 broke this 50% of the time, depending on whether the event count is even or odd. The change log entry said:

       This means that the alignment between 'odd/even' and 'clean/dirty' might take a little longer to attain,

    however the code makes no attempt to create that alignment, so it could take arbitrarily long.

    So when we find that clean/dirty is not aligned with odd/even, force a second metadata-update immediately. There are already cases where a second metadata-update is needed immediately (e.g. when a device fails during the metadata update). We just piggy-back on that.

    Reported-by: Joe Bryant
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit e3a126e62222b90f6c9ec63cc30cf443210764f7
Author: Dan Carpenter
Date:   Thu Apr 22 12:05:35 2010 +0200

    security: testing the wrong variable in create_by_name()

    commit b338cc8207eae46640a8d534738fda7b5e48511d upstream.

    There is a typo here.
    We should be testing "*dentry" instead of "dentry". If "*dentry" is an ERR_PTR, it gets dereferenced in either mkdir() or create() which would cause an OOPs.

    Signed-off-by: Dan Carpenter
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 8faa545b70aa50bcb01a7baa113341ba1dff2fc3
Author: Jeff Mahoney
Date:   Wed Feb 24 13:59:23 2010 -0500

    tracing: Fix ftrace_event_call alignment for use with gcc 4.5

    commit 86c38a31aa7f2dd6e74a262710bf8ebf7455acc5 upstream.

    GCC 4.5 introduces behavior that forces the alignment of structures to use the largest possible value. The default value is 32 bytes, so if some structures are defined with a 4-byte alignment and others aren't declared with an alignment constraint at all - it will align at 32-bytes.

    For things like the ftrace events, this results in a non-standard array. When initializing the ftrace subsystem, we traverse the _ftrace_events section and call the initialization callback for each event. When the structures are misaligned, we could be treating another part of the structure (or the zeroed out space between them) as a function pointer.

    This patch forces the alignment for all the ftrace_event_call structures to 4 bytes.

    Without this patch, the kernel fails to boot very early when built with gcc 4.5.

    It's trivial to check the alignment of the members of the array, so it might be worthwhile to add something to the build system to do that automatically. Unfortunately, that only covers this case. I've asked one of the gcc developers about adding a warning when this condition is seen.

    Cc: stable@kernel.org
    Signed-off-by: Jeff Mahoney
    LKML-Reference: <4B85770B.6010901@suse.com>
    Signed-off-by: Steven Rostedt
    Cc: Andreas Radke
    Signed-off-by: Greg Kroah-Hartman

commit 0b7817edda5e44e5fa769645bd1220f5e7b0beb5
Author: Michael Chan
Date:   Tue Apr 27 11:28:09 2010 +0000

    bnx2: Fix lost MSI-X problem on 5709 NICs.

    commit c441b8d2cb2194b05550a558d6d95d8944e56a84 upstream.

    It has been reported that under certain heavy traffic conditions in MSI-X mode, the driver can lose an MSI-X vector causing all packets in the associated rx/tx ring pair to be dropped. The problem is caused by the chip dropping the write to unmask the MSI-X vector by the kernel (when migrating the IRQ for example).

    This can be prevented by increasing the GRC timeout value for these register read and write operations.

    Thanks to Dell for helping us debug this problem.

    Signed-off-by: Michael Chan
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit b2729e2d217adfcc72e1e600b8e3ff4a6dd5cb4c
Author: Lalit Chandivade
Date:   Tue Oct 13 15:16:52 2009 -0700

    qla2xxx: Properly handle UNDERRUN completion statuses.

    commit 0f00a206ccb1dc644b6770ef25f185610fee6962 upstream.

    Correct issues where the lower scsi-status would be improperly cleared, instead, allow the midlayer to process the status after the proper residual-count checks are performed. Finally, validate firmware status flags prior to assigning values from the FCP_RSP frame.

    Signed-off-by: Lalit Chandivade
    Signed-off-by: Michael Hernandez
    Signed-off-by: Ravi Anand
    Signed-off-by: Andrew Vasquez
    Signed-off-by: Giridhar Malavali
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 5d233bf3dcad483e5f89865aaf5973e67c1630b1
Author: Carlos O'Donell
Date:   Mon Feb 22 23:25:59 2010 +0000

    parisc: Set PCI CLS early in boot.

    commit 5fd4514bb351b5ecb0da3692fff70741e5ed200c upstream.

    Set the PCI CLS early in the boot process to prevent device failures. In pcibios_set_master use the new pci_cache_line_size instead of a hard-coded value.

    Signed-off-by: Carlos O'Donell
    Reviewed-by: Grant Grundler
    Signed-off-by: Kyle McMartin
    Signed-off-by: Greg Kroah-Hartman

commit a899608c6a4c0ffd5219e7bf904b42aba0e6b9c1
Author: Dave Chinner
Date:   Tue May 4 12:58:20 2010 +1000

    xfs: add a shrinker to background inode reclaim

    commit 9bf729c0af67897ea8498ce17c29b0683f7f2028 upstream

    On low memory boxes or those with highmem, kernel can OOM before the background reclaims inodes via xfssyncd. Add a shrinker to run inode reclaim so that inode reclaim is expedited when memory is low.

    This is more complex than it needs to be because the VM folk don't want a context added to the shrinker infrastructure. Hence we need to add a global list of XFS mount structures so the shrinker can traverse them.

    Signed-off-by: Dave Chinner
    Reviewed-by: Christoph Hellwig
    Acked-by: Alex Elder
    Signed-off-by: Greg Kroah-Hartman

commit 47d6fa8014314cf139d407840a85a1bd14588561
Author: Andre Detsch
Date:   Mon Apr 26 07:27:07 2010 +0000

    tg3: Fix INTx fallback when MSI fails

    commit dc8bf1b1a6edfc92465526de19772061302f0929 upstream.

    tg3: Fix INTx fallback when MSI fails

    MSI setup changes the value of irq_vec in struct tg3 *tp. This attribute must be taken into account and restored before we try to do a new request_irq for INTx fallback.

    In powerpc, the original code was leading to an EINVAL return within request_irq, because the driver was trying to use the disabled MSI virtual irq number instead of tp->pdev->irq.

    Signed-off-by: Andre Detsch
    Acked-by: Michael Chan
    Signed-off-by: David S. Miller
    Cc: Brandon Philips
    Signed-off-by: Greg Kroah-Hartman

commit 6f12efee9e86b52193aa2e7e14ad013fc3153a8a
Author: Douglas Gilbert
Date:   Sun Jan 3 13:51:15 2010 -0500

    skip sense logging for some ATA PASS-THROUGH cdbs

    commit e7efe5932b1d3916c79326a4221693ea90a900e2 upstream.

    Further to the lsml thread titled: "does scsi_io_completion need to dump sense data for ata pass through (ck_cond = 1) ?"

    This is a patch to skip logging when the sense data is associated with a SENSE_KEY of "RECOVERED_ERROR" and the additional sense code is "ATA PASS-THROUGH INFORMATION AVAILABLE". This only occurs with the SAT ATA PASS-THROUGH commands when CK_COND=1 (in the cdb). It indicates that the sense data contains ATA registers.

    Smartmontools uses such commands on ATA disks connected via SAT. Periodic checks such as those done by smartd cause nuisance entries into logs that are:
      - neither errors nor warnings
      - pointless unless the cdb that caused them are also logged

    Signed-off-by: Douglas Gilbert
    Signed-off-by: James Bottomley
    Signed-off-by: Greg Kroah-Hartman

commit 523273f08eb995890ab4c3012cb95fd07686de1c
Author: Matthew Garrett
Date:   Thu Apr 22 09:30:51 2010 -0400

    PCI: Ensure we re-enable devices on resume

    commit cc2893b6af5265baa1d68b17b136cffca9e40cfa upstream.

    If the firmware puts a device back into D0 state at resume time, we'll update its state in resume_noirq and thus skip the platform resume code. Calling that code twice should be safe and we ought to avoid getting to that point anyway, so remove the check and also allow the platform pci code to be called for D0.

    Fixes USB not being powered after resume on recent Lenovo machines.

    Acked-by: Alex Chiang
    Acked-by: Rafael J. Wysocki
    Signed-off-by: Matthew Garrett
    Signed-off-by: Jesse Barnes
    Signed-off-by: Greg Kroah-Hartman

commit 5d5749c86711c91499820043202db1f534d0aeec
Author: françois romieu
Date:   Mon Apr 26 11:42:58 2010 +0000

    r8169: more broken register writes workaround

    commit 908ba2bfd22253f26fa910cd855e4ccffb1467d0 upstream.

    78f1cd02457252e1ffbc6caa44a17424a45286b8 ("fix broken register writes") does not work for Al Viro's r8169 (XID 18000000).

    Signed-off-by: Francois Romieu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit ef68673a14ca255dcdbfff9eae28fbc44d98cb6d
Author: Francois Romieu
Date:   Sat Mar 27 19:35:46 2010 -0700

    r8169: fix broken register writes

    commit 78f1cd02457252e1ffbc6caa44a17424a45286b8 upstream.

    This is quite similar to b39fe41f481d20c201012e4483e76c203802dda7 though said registers are not even documented as 64-bit registers - as opposed to the initial TxDescStartAddress ones - but as single bytes which must be combined into 32 bits at the MMIO read/write level before being merged into a 64 bit logical entity.

    Credits go to Ben Hutchings for the MAR registers (aka "multicast is broken for ages on ARM) and to Timo Teräs for the MAC registers.

    Signed-off-by: Francois Romieu
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 0c03e80e912e9332a8167b9172fd74d1323f3e9b
Author: David Dillow
Date:   Wed Mar 3 16:33:10 2010 +0000

    r8169: use correct barrier between cacheable and non-cacheable memory

    commit 4c020a961a812ffae9846b917304cea504c3a733 upstream.

    r8169 needs certain writes to be visible to other CPUs or the NIC before touching the hardware, but was using smp_wmb() which is only required to order cacheable memory access. Switch to wmb() which is required to order both cacheable and non-cacheable memory.

    Noticed by Catalin Marinas and Paul Mackerras.

    Signed-off-by: David Dillow
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 150d8a1fe2e89b124bc5bc3628095b8db2435272
Author: Wufei
Date:   Wed Apr 28 17:42:32 2010 -0400

    kgdb: don't needlessly skip PAGE_USER test for Fsl booke

    commit 56151e753468e34aeb322af4b0309ab727c97d2e upstream.

    The bypassing of this test is a leftover from 2.4 vintage kernels, and is no longer appropriate, or even used by KGDB. Currently KGDB uses probe_kernel_write() for all access to memory via the KGDB core, so it can simply be deleted.

    This fixes CVE-2010-1446.

    CC: Benjamin Herrenschmidt
    CC: Paul Mackerras
    CC: Kumar Gala
    Signed-off-by: Wufei
    Signed-off-by: Jason Wessel
    Signed-off-by: Greg Kroah-Hartman

commit a2fe6ea222e053ff2ab5108eeff6cdc081079c25
Author: Marcelo Tosatti
Date:   Tue Apr 27 13:35:26 2010 -0300

    KVM: remove unused load_segment_descriptor_to_kvm_desct

    Commit 78ce64a384 in v2.6.32.12 introduced a warning due to unused load_segment_descriptor_to_kvm_desct helper, which has been opencoded by this commit.

    On upstream, the helper was removed as part of a different commit.

    Remove the now unused function.

    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Greg Kroah-Hartman

commit 3b1aa6380f1991d756e4bc0902f6136aaa46e1c3
Author: Neil Horman
Date:   Fri Jan 15 01:40:55 2010 -0800

    dccp_probe: Fix module load dependencies between dccp and dccp_probe

    commit 38ff3e6bb987ec583268da8eb22628293095d43b upstream.

    This was just recently reported to me. When built as modules, the dccp_probe module has a silent dependency on the dccp module. This stems from the fact that the module_init routine of dccp_probe registers a jprobe on the dccp_sendmsg symbol. Since the symbol is only referenced as a text string (the .symbol_name field in the jprobe struct) rather than the address of the symbol itself, depmod never picks this dependency up, and so if you load the dccp_probe module without the dccp module loaded, the register_jprobe call fails with an -EINVAL, and the whole module load fails.

    The fix is pretty easy, we can just wrap the register_jprobe call in a try_then_request_module call, which forces the dependency to get satisfied prior to the probe registration.

    Signed-off-by: Neil Horman
    Acked-by: Arnaldo Carvalho de Melo
    Signed-off-by: David S. Miller
    Cc: maximilian attems
    Signed-off-by: Greg Kroah-Hartman

commit 8b0744c9cb38e6beb06ec17fc78e372e3b05e067
Author: Darren Jenkins
Date:   Wed Feb 17 23:40:15 2010 +1100

    drivers/net/wireless/p54/txrx.c Fix off by one error

    commit 088ea189c4c75cdf211146faa4b341a0f7476be6 upstream.

    fix off by one error in the queue size check of p54_tx_qos_accounting_alloc()

    Coverity CID: 13314

    Signed-off-by: Darren Jenkins
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 63ab8b7b6c1b21af040a2c8321092bce11bb561f
Author: Christian Lamparter
Date:   Mon Jan 18 00:07:38 2010 +0100

    p54pci: rx frame length check

    commit f5300e04df78feae8107c1846dd3a9e27c071b2f upstream.

    A long time ago, a user reported several crashes due to data corruptions which are likely the result of a not-100%-supported, or faulty? PCI bridge. ( http://patchwork.kernel.org/patch/53004/ )

    This patch fixes entry #1.

    "1. p54p_check_rx_ring - skb_over_panic: Under a ping flood or just left running for a bit would panic with a skb_over_panic."

    As described in the mail: The invalid frame length causes skb_put to bailout and trigger a crash.

    Note: Simply dropping the frame is problematic, because if its content contains a tx feedback we would lose some portion of the device memory space.... And the driver/mac80211 should handle all other invalid data.

    Reported-by: Quintin Pitts
    Signed-off-by: Christian Lamparter
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 0c468b435fa14744fc25ad999d357afcba710954
Author: Zhang Rui
Date:   Wed Dec 30 15:36:42 2009 +0800

    ACPI: introduce kernel parameter acpi_sleep=sci_force_enable

    commit d7f0eea9e431e1b8b0742a74db1a9490730b2a25 upstream.

    Introduce kernel parameter acpi_sleep=sci_force_enable

    Some laptops require SCI_EN to be set directly on resume, or else they hang somewhere in the resume code path.

    We already have a blacklist for these laptops but we still need this option, especially when debugging some suspend/resume problems, in case there are systems that need this workaround and are not yet in the blacklist.

    Signed-off-by: Zhang Rui
    Acked-by: Rafael J. Wysocki
    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 637f3674cbecf9bd2073276d16ebf31b8775bf7b
Author: Bill Pemberton
Date:   Fri Apr 16 08:01:20 2010 -0500

    jfs: fix diAllocExt error in resizing filesystem

    commit 2b0b39517d1af5294128dbc2fd7ed39c8effa540 upstream.

    Resizing the filesystem would result in a diAllocExt error in some instances because changes in bmp->db_agsize would not get noticed if goto extendBmap was called.

    Signed-off-by: Bill Pemberton
    Signed-off-by: Dave Kleikamp
    Cc: jfs-discussion@lists.sourceforge.net
    Cc: linux-kernel@vger.kernel.org
    Signed-off-by: Greg Kroah-Hartman

commit fd701336cefd200882c5c32dfea09690221067fb
Author: David Howells
Date:   Wed Apr 21 10:28:25 2010 +0100

    CRED: Fix a race in creds_are_invalid() in credentials debugging

    commit e134d200d57d43b171dcb0b55c178a1a0c7db14a upstream.

    creds_are_invalid() reads both cred->usage and cred->subscribers and then compares them to make sure the number of processes subscribed to a cred struct never exceeds the refcount of that cred struct.

    The problem is that this can cause a race with both copy_creds() and exit_creds() as the two counters, whilst they are of atomic_t type, are only atomic with respect to themselves, and not atomic with respect to each other.

    This means that if creds_are_invalid() can read the values on one CPU whilst they're being modified on another CPU, and so can observe an evolving state in which the subscribers count now is greater than the usage count a moment before.

    Switching the order in which the counts are read cannot help, so the thing to do is to remove that particular check.

    I had considered rechecking the values to see if they're in flux if the test fails, but I can't guarantee they won't appear the same, even if they've changed several times in the meantime.

    Note that this can only happen if CONFIG_DEBUG_CREDENTIALS is enabled.

    The problem is only likely to occur with multithreaded programs, and can be tested by the tst-eintr1 program from glibc's "make check". The symptoms look like:

        CRED: Invalid credentials
        CRED: At include/linux/cred.h:240
        CRED: Specified credentials: ffff88003dda5878 [real][eff]
        CRED: ->magic=43736564, put_addr=(null)
        CRED: ->usage=766, subscr=766
        CRED: ->*uid = { 0,0,0,0 }
        CRED: ->*gid = { 0,0,0,0 }
        CRED: ->security is ffff88003d72f538
        CRED: ->security {359, 359}
        ------------[ cut here ]------------
        kernel BUG at kernel/cred.c:850!
        ...
        RIP: 0010:[] [] __invalid_creds+0x4e/0x52
        ...
        Call Trace:
        [] copy_creds+0x6b/0x23f

    Note the ->usage=766 and subscr=766. The values appear the same because they've been re-read since the check was made.

    Reported-by: Roland McGrath
    Signed-off-by: David Howells
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 85bf36e04883f422a10e6b95bd103e7b7f8ff064
Author: Daniel Vetter
Date:   Sat Apr 17 15:12:03 2010 +0200

    drm/i915: fix tiling limits for i915 class hw v2

    commit c36a2a6de59e4a141a68b7575de837d3b0bd96b3 upstream.

    Current code is definitely crap: Largest pitch allowed spills into the TILING_Y bit of the fence registers ... :(

    I've rewritten the limits check under the assumption that 3rd gen hw has a 3d pitch limit of 8kb (like 2nd gen). This is supported by an otherwise totally misleading XXX comment.

    This bug mostly resulted in tiling-corrupted pixmaps because the kernel allowed too wide buffers to be tiled. Bug brought to the light by the xf86-video-intel 2.11 release because that unconditionally enabled tiling for pixmaps, relying on the kernel to check things. Tiling for the framebuffer was not affected because the ddx does some additional checks there ensure the buffer is within hw-limits.

    v2: Instead of computing the value that would be written into the hw fence registers and then checking the limits simply check whether the stride is above the 8kb limit.
    To better document the hw, add some WARN_ONs in i915_write_fence_reg like I've done for the i830 case (using the right limits).

    Signed-off-by: Daniel Vetter
    Bugzilla: https://bugs.freedesktop.org/show_bug.cgi?id=27449
    Tested-by: Alexander Lam
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 46cdf2a8b9d5b105f609469e0caf9dc2336d7e22
Author: Phillip Lougher
Date:   Fri Apr 23 13:18:11 2010 -0400

    initramfs: handle unrecognised decompressor when unpacking

    commit df37bd156dcb4f5441beaf5bde444adac974e9a0 upstream.

    The unpack routine fails to handle the decompress_method() returning unrecognised decompressor (compress_name == NULL). This results in the routine looping eventually oopsing on an out of bounds memory access.

    Note this bug is usually hidden, only triggering on trailing junk after one or more correct compressed blocks. The case of the compressed archive being complete junk is (by accident?) caught by the if (state != Reset) check because state is initialised to Start, but not updated due to the decompressor not having been called. Obviously if the junk is trailing a correctly decompressed buffer, state == Reset from the previous call to the decompressor.

    Signed-off-by: Phillip Lougher
    Reported-by: Aaro Koskinen
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit dc1429f8aef9acfa88920311d045c54bc97b062f
Author: Leonard Michlmayr
Date:   Thu Mar 4 17:07:28 2010 -0500

    ext4: correctly calculate number of blocks for fiemap

    commit aca92ff6f57c000d1b4523e383c8bd6b8269b8b1 upstream.

    ext4_fiemap() rounds the length of the requested range down to blocksize, which is not the true number of blocks that cover the requested region. This problem is especially impressive if the user requests only the first byte of a file: not a single extent will be reported.

    We fix this by calculating the last block of the region and then subtract to find the number of blocks in the extents.

    Signed-off-by: Leonard Michlmayr
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 4c57ef6ae19a315202f7af060f28d9880fc5d2dd
Author: Mark Lord
Date:   Wed Apr 7 13:52:08 2010 -0400

    libata: Fix accesses at LBA28 boundary (old bug, but nasty) (v2)

    commit 45c4d015a92f72ec47acd0c7557abdc0c8a6499d upstream.

    Most drives from Seagate, Hitachi, and possibly other brands, do not allow LBA28 access to sector number 0x0fffffff (2^28 - 1). So instead use LBA48 for such accesses.

    This bug could bite a lot of systems, especially when the user has taken care to align partitions to 4KB boundaries. On misaligned systems, it is less likely to be encountered, since a 4KB read would end at 0x10000000 rather than at 0x0fffffff.

    Signed-off-by: Mark Lord
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 8eaa5f76db8a81c6edf7185e89711e5ade8a5637
Author: Daniel T Chen
Date:   Tue May 4 22:07:58 2010 -0400

    ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite P500-PSPGSC-01800T

    commit c53666813813a0ea3d0391e1911eefc05a5e6b4f upstream.

    BugLink: https://launchpad.net/bugs/549267

    The OR verified that using the olpc-xo-1_5 model quirk allows the headphones to be audible when inserted into the jack. Capture was also verified to work correctly.

    Reported-by: Richard Gagne
    Tested-by: Richard Gagne
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit bd8048551253e6e5fcb078feea038f7b5e945e3e
Author: Daniel T Chen
Date:   Mon May 3 20:39:31 2010 -0400

    ALSA: hda: Use olpc-xo-1_5 quirk for Toshiba Satellite Pro T130-15F

    commit 4442dd4613fe3795b4c8a5f42fc96b7ffb90d01a upstream.

    BugLink: https://launchpad.net/bugs/573284

    The OR verified that using the olpc-xo-1_5 model quirk allows the headphones to be audible when inserted into the jack. Capture was also verified to work correctly.

    Reported-by: Andy Couldrake
    Tested-by: Andy Couldrake
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ce6f0822025b8e13c7058b954eba4d40cb2a93b5
Author: Daniel T Chen
Date:   Wed Apr 28 18:00:11 2010 -0400

    ALSA: hda: Fix 0 dB for Packard Bell models using Conexant CX20549 (Venice)

    commit 8f0f5ff6777104084b4b2e1ae079541c2a6ed6d9 upstream.

    BugLink: https://launchpad.net/bugs/541802

    The OR's hardware distorts at PCM 100% because it does not correspond to 0 dB. Fix this in patch_cxt5045() for all Packard Bell models.

    Reported-by: Valombre
    Signed-off-by: Daniel T Chen
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 39369ec38a6530f9bb3e1978642331b9a35eaf2a
Author: Daniel T Chen
Date:   Wed Nov 25 18:27:20 2009 -0500

    ALSA: hda: Fix max PCM level to 0 dB for Fujitsu-Siemens laptops using CX20549 (Venice)

    commit 0b587fc4d35afb1bc0fc3d890084bb14c78372dc upstream.

    BugLink: https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4792

    Cristian reported that these models have really bad sound above 6 dB and proposed the original patch. I've updated the comment to reflect this change.

    Signed-off-by: Daniel T Chen
    Reported-by: Cristian Klein
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit e88567cb09b5ff4516b864cbaf8736d7125567e7
Author: Hans de Goede
Date:   Wed Apr 21 11:04:08 2010 -0400

    ALSA: snd-meastro3: Ignore spurious HV interrupts during suspend / resume

    commit 715aa675338ce6e1a3b4f77cf87ea611f93058a8 upstream.

    Ignore spurious HV interrupts during suspend / resume, this avoids mistaking them for a mute button press. This is not very pretty but it seems the only way to fix the master volume control gets muted after suspend issue I'm seeing.

    Note that the es1968 driver is doing exactly the same.
Signed-off-by: Hans de Goede Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit e0a186b32a7de593187e689d7ab4234f2797d686 Author: Hans de Goede Date: Wed Apr 21 11:04:06 2010 -0400 ALSA: snd-meastro3: Add amp_gpio quirk for Compaq EVO N600C commit 7efbfd1ae98ef9efe06352e2a1ad83e8c14ceeb1 upstream. Without this quirk sound stops working after suspend resume. With this quirk, one still needs to manually unmute the master volume control after a suspend / resume cycle. That is fixed in another patch in this set. Note that this patch was submitted to the alsa bug tracker a long time ago: https://bugtrack.alsa-project.org/alsa-bug/view.php?id=4319 Signed-off-by: Hans de Goede Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 265fedd9f1de110651288c55001ee71d0b356da8 Author: Daniel T Chen Date: Thu Apr 22 07:15:26 2010 -0400 ALSA: hda: Use ALC880_F1734 quirk for Fujitsu Siemens AMILO Xi 1526 commit 3353541fe533350a22a03e2fb7dc085b35912575 upstream. BugLink: https://launchpad.net/bugs/567494 The OR has verified that the existing model quirk, ALC880_UNIWILL, is insufficient for audible playback and capture by default. Instead, the ALC880_F1734 model quirk needs to be used. This change is necessary for both 2.6.32.11 and 2.6.33.2. Reported-by: Arnaud Malpeyre Tested-by: Arnaud Malpeyre Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 239c22e8bb1d8c531aaf3dc5e8d3a0b2d3c7477e Author: Daniel T Chen Date: Thu Apr 22 17:54:45 2010 -0400 ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio 1558 commit 5c1bccf645d4ab65e4c7502acb42e8b9afdb5bdc upstream. BugLink: https://launchpad.net/bugs/568600 The OR has verified that the dell-m6 model quirk is necessary for audio to be audible by default on the Dell Studio XPS 1645. This change is necessary for 2.6.32.11 and 2.6.33.2 alike. 
Reported-by: Andy Ross Tested-by: Andy Ross Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit dab79eaf68a558875f46b2fdbda92a1f332b05e6 Author: Daniel T Chen Date: Wed Apr 21 20:41:52 2010 -0400 ALSA: hda: Use STAC_DELL_M6_BOTH quirk for Dell Studio XPS 1645 commit aac78daf8f37256283f56820ae858add7139c56c upstream. BugLink: https://launchpad.net/bugs/553002 The OR has verified that the dell-m6 model quirk is necessary for audio to be audible by default on the Dell Studio XPS 1645. This change is necessary for 2.6.32.11 and 2.6.33.2 alike. Reported-by: Robert Chambers Tested-by: Robert Chambers Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 6987661471edf3cb8a19195556dec04921b78682 Author: Kunal Gangakhedkar Date: Sat Mar 20 23:08:01 2010 +0530 ALSA: hda - Add PCI quirk for HP dv6-1110ax. commit e3d2530a6cea80987f77b75d8784a00f3aaf22ff upstream. Adding this PCI quirk fixes the board config detection. This also fixes jack sensing by using "hp_detect=1" via properly detected board config. Signed-off-by: Kunal Gangakhedkar Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit fed3c6551a8993a38fffd17eed4a6f15ee4fad21 Author: Daniel T Chen Date: Wed Apr 21 19:55:43 2010 -0400 ALSA: hda: Use LPIB quirk for DG965OT board version AAD63733-203 commit 0e0280dc2b0c7395a880d25544b47f3e3e3f79db upstream. BugLink: https://launchpad.net/bugs/459083 The OR has verified with 2.6.32.11 and the latest alsa-driver stable daily snapshot that position_fix=1 is necessary for the external mic to work and for PulseAudio not to crash constantly. This patch is necessary also for 2.6.32.11 and 2.6.33.2. 
Reported-by: Tested-by: Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 21dc3d5c88916458f26002e6090ebc060c646dc8 Author: Prarit Bhargava Date: Wed Dec 9 13:36:45 2009 -0500 x86, AMD: Fix stale cpuid4_info shared_map data in shared_cpu_map cpumasks commit ebb682f522411abbe358059a256a8672ec0bd55b upstream. The per_cpu cpuid4_info shared_map can contain stale data when CPUs are added and removed. The stale data can lead to a NULL pointer dereference panic on a remove of a CPU that has had siblings previously removed. This patch resolves the panic by verifying a cpu is actually online before adding it to the shared_cpu_map, only examining cpus that are part of the same lower level cache, and by updating other siblings lowest level cache maps when a cpu is added. Signed-off-by: Prarit Bhargava LKML-Reference: <20091209183336.17855.98708.sendpatchset@prarit.bos.redhat.com> Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 4515b172cd9fc6bd7c9ee2264ed650411fcd118e Author: Borislav Petkov Date: Fri Mar 12 15:43:03 2010 +0100 x86, k8 nb: Fix boot crash: enable k8_northbridges unconditionally on AMD systems commit 0e152cd7c16832bd5cadee0c2e41d9959bc9b6f9 upstream. de957628ce7c84764ff41331111036b3ae5bad0f changed setting of the x86_init.iommu.iommu_init function ptr only when GART IOMMU is found. One side effect of it is that num_k8_northbridges is not initialized anymore if not explicitly called. This resulted in uninitialized pointers in , for example, which uses the num_k8_northbridges thing through node_to_k8_nb_misc(). Fix that through an initcall that runs right after the PCI subsystem and does all the scanning. Then, remove initialization in gart_iommu_init() which is a rootfs_initcall and we're running before that. What is more, since num_k8_northbridges is being used in other places beside GART IOMMU, include it whenever we add AMD CPU support. 
The previous dependency chain in kconfig contained K8_NB depends on AGP_AMD64|GART_IOMMU which was clearly incorrect. The more natural way in terms of hardware dependency should be AGP_AMD64|GART_IOMMU depends on K8_NB depends on CPU_SUP_AMD && PCI. Make it so Number One! Signed-off-by: Borislav Petkov Cc: FUJITA Tomonori Cc: Joerg Roedel LKML-Reference: <20100312144303.GA29262@aftab> Signed-off-by: Ingo Molnar Tested-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit 35d5aaca2aa3bd2324e4a9c0f8a070df07e8c757 Author: H. Peter Anvin Date: Tue Apr 13 14:40:54 2010 -0700 x86: Disable large pages on CPUs with Atom erratum AAE44 commit 7a0fc404ae663776e96db43879a0fa24fec1fa3a upstream. Atom erratum AAE44/AAF40/AAG38/AAH41: "If software clears the PS (page size) bit in a present PDE (page directory entry), that will cause linear addresses mapped through this PDE to use 4-KByte pages instead of using a large page after old TLB entries are invalidated. Due to this erratum, if a code fetch uses this PDE before the TLB entry for the large page is invalidated then it may fetch from a different physical address than specified by either the old large page translation or the new 4-KByte page translation. This erratum may also cause speculative code fetches from incorrect addresses." [http://download.intel.com/design/processor/specupdt/319536.pdf] Whereas commit 211b3d03c7400f48a781977a50104c9d12f4e229 seems to workaround errata AAH41 (mixed 4K TLBs) it reduces the window of opportunity for the bug to occur and does not totally remove it. This patch disables mixed 4K/4MB page tables totally avoiding the page splitting and not tripping this processor issue. This is based on an original patch by Colin King. Originally-by: Colin Ian King Cc: Colin Ian King Cc: Ingo Molnar Signed-off-by: H. Peter Anvin LKML-Reference: <1269271251-19775-1-git-send-email-colin.king@canonical.com> Signed-off-by: Greg Kroah-Hartman commit e620234b3ec62cedcdc3a8c53ed50facd4392cb3 Author: H. 
Peter Anvin Date: Fri Apr 23 16:17:40 2010 -0700 x86-64: Clear a 64-bit FS/GS base on fork if selector is nonzero commit 7ce5a2b9bb2e92902230e3121d8c3047fab9cb47 upstream. When we do a thread switch, we clear the outgoing FS/GS base if the corresponding selector is nonzero. This is taken by __switch_to() as an entry invariant; it does not verify that it is true on entry. However, copy_thread() doesn't enforce this constraint, which can result in inconsistent results after fork(). Make copy_thread() match the behavior of __switch_to(). Reported-and-tested-by: Samuel Thibault Signed-off-by: H. Peter Anvin LKML-Reference: <4BD1E061.8030605@zytor.com> Signed-off-by: Greg Kroah-Hartman commit 6dc36b37f62f666c802b184f01106fd222d36bd2 Author: Borislav Petkov Date: Fri Apr 30 15:19:02 2010 +0200 edac, mce: Fix wrong mask and macro usage commit 35d824b28fc5544d1eb7c1e3db15a1740df8ec4b upstream. Correct two mishaps which prevented reporting error type (CECC vs UECC) and extended error description. Signed-off-by: Borislav Petkov Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9121999db5232e1d81270df5d0787df1492408e7 Author: Hans de Goede Date: Thu Apr 22 19:52:16 2010 +0200 p54pci: fix bugs in p54p_check_tx_ring commit 0250ececdf6813457c98719e2d33b3684881fde0 upstream. Hans de Goede identified a bug in p54p_check_tx_ring: there are two ring indices. 1 => tx data and 3 => tx management. But the old code had a constant "1" and this resulted in spurious dma unmapping failures. Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=583623 Bug-Identified-by: Hans de Goede Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b8f8bdedc62360a2bc26b8788d9f7ecf13ed448d Author: Peter Korsgaard Date: Mon May 3 10:01:26 2010 +0000 dm9601: fix phy/eeprom write routine commit e9162ab1610531d6ea6c1833daeb2613e44275e8 upstream. Use correct bit positions in DM_SHARED_CTRL register for writes. 
Michael Planes recently encountered a 'KY-RS9600 USB-LAN converter', which came with a driver CD containing a Linux driver. This driver turns out to be a copy of dm9601.c with symbols renamed and my copyright stripped. That aside, it did contain 1 functional change in dm_write_shared_word(), and after checking the datasheet the original value was indeed wrong (read versus write bits). On Michael's HW, this change bumps receive speed from ~30KB/s to ~900KB/s. On other devices the difference is less spectacular, but still significant (~30%). Reported-by: Michael Planes Signed-off-by: Peter Korsgaard Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit a59bb6a18c9fc9ed48804d5d2868ce2d301925e5 Author: Richard Kennedy Date: Wed Apr 14 20:54:03 2010 +0200 block: ensure jiffies wrap is handled correctly in blk_rq_timed_out_timer commit a534dbe96e9929c7245924d8252d89048c23d569 upstream. blk_rq_timed_out_timer() relied on blk_add_timer() never returning a timer value of zero, but commit 7838c15b8dd18e78a523513749e5b54bda07b0cb removed the code that bumped this value when it was zero. Therefore when jiffies is near wrap we could get unlucky & not set the timeout value correctly. This patch uses a flag to indicate that the timeout value was set and so handles jiffies wrap correctly, and it keeps all the logic in one function so should be easier to maintain in the future. Signed-off-by: Richard Kennedy Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 48a5414b50f47157ef4ff0ab52a86144f1804c19 Author: Ping Cheng Date: Mon Mar 22 13:40:29 2010 -0700 serial: 8250_pnp - add Fujitsu Wacom device commit d9901660b53b92f0f3551c06588b8be38224b245 upstream. 
Add Fujitsu Wacom 1FGT Tablet PC device Signed-off-by: Ping Cheng Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit b228f7fdef669dbcefbf0414b89583c8422f0e19 Author: Dan Williams Date: Tue May 4 20:41:56 2010 -0700 raid6: fix recovery performance regression commit 5157b4aa5b7de8787b6318e61bcc285031bb9088 upstream. The raid6 recovery code should immediately drop back to the optimized synchronous path when a p+q dma resource is not available. Otherwise we run the non-optimized/multi-pass async code in sync mode. Verified with raid6test (NDISKS=255) Applies to kernels >= 2.6.32. Acked-by: NeilBrown Reported-by: H. Peter Anvin Signed-off-by: Dan Williams Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit ef0c64308b5dfa779b0c22508ad755abe49938ac Author: Tejun Heo Date: Sat May 1 10:11:35 2010 +0200 perf: Fix resource leak in failure path of perf_event_open() commit 048c852051d2bd5da54a4488bc1f16b0fc74c695 upstream. perf_event_open() kfrees event after init failure which doesn't release all resources allocated by perf_event_alloc(). Use free_event() instead. Signed-off-by: Tejun Heo Cc: Peter Zijlstra Cc: Paul Mackerras Cc: Arnaldo Carvalho de Melo LKML-Reference: <4BDBE237.1040809@kernel.org> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 16520f3baf29ad9cfdcd5503262f4043813e4686 Author: Jean Delvare Date: Tue May 4 11:09:28 2010 +0200 i2c: Fix probing of FSC hardware monitoring chips commit b1d4b390ea4bb480e65974ce522a04022608a8df upstream. Some FSC hardware monitoring chips (Syleus at least) don't like quick writes we typically use to probe for I2C chips. Use a regular byte read instead for the address they live at (0x73). These are the only known chips living at this address on PC systems. For clarity, this fix should not be needed for kernels 2.6.30 and later, as we started instantiating the hwmon devices explicitly based on DMI data. 
Still, this fix is valuable in the following two cases: * Support for recent FSC chips on older kernels. The DMI-based device instantiation is more difficult to backport than the device support itself. * Case where the DMI-based device instantiation fails, whatever the reason. We fall back to probing in that case, so it should work. This fixes kernel bug #15634: https://bugzilla.kernel.org/show_bug.cgi?id=15634 Signed-off-by: Jean Delvare Acked-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit 41320f730dd1870762b5769ea5c2a109e6bf6e50 Author: Stephen Hemminger Date: Thu Mar 11 09:11:37 2010 -0800 Staging: hv: name network device ethX rather than sethX commit 546d9e101e7a71e6202f47a13ddcd9b8fb05a52e upstream. This patch makes the HyperV network device use the same naming scheme as other virtual drivers (Xen, KVM). In an ideal world, userspace tools would not care what the name is, but some users and applications do care. Vyatta CLI is one of the tools that does depend on what the name is. Signed-off-by: Stephen Hemminger Cc: Hank Janssen Signed-off-by: Greg Kroah-Hartman commit 96f0910dd3e79dcda84daa963ddb435a93025a9d Author: Cyrill Gorcunov Date: Mon Apr 5 20:56:57 2010 +0400 Staging: hv: Fix up memory leak on HvCleanup commit fa8ad0257ea256381126ecf447694622216c600f upstream. Don't assign NULL too early Signed-off-by: Cyrill Gorcunov Cc: Hank Janssen Cc: Haiyang Zhang Signed-off-by: Greg Kroah-Hartman commit 874d2445cbffe3a89e31a82286ab86bab376680b Author: Haiyang Zhang Date: Mon Apr 19 15:32:11 2010 +0000 Staging: hv: Fix a bug affecting IPv6 commit 95beae90aa4afce57fb28e6f8238b78217bd7c98 upstream. Fix a bug affecting IPv6 Added the multicast flag for proper IPv6 function. 
Reported-by: Toshikazu Sakai Signed-off-by: Hank Janssen Signed-off-by: Haiyang Zhang Signed-off-by: Greg Kroah-Hartman commit 3054252953a26d8f71f41d1f5cd3682fe11b9a2a Author: Chuck Lever Date: Thu Apr 22 15:35:56 2010 -0400 NFS: rsize and wsize settings ignored on v4 mounts commit 356e76b855bdbfd8d1c5e75bcf0c6bf0dfe83496 upstream. NFSv4 mounts ignore the rsize and wsize mount options, and always use the default transfer size for both. This seems to be because all NFSv4 mounts are now cloned, and the cloning logic doesn't copy the rsize and wsize settings from the parent nfs_server. I tested Fedora's 2.6.32.11-99 and it seems to have this problem as well, so I'm guessing that .33, .32, and perhaps older kernels have this issue as well. Signed-off-by: Chuck Lever Signed-off-by: Trond Myklebust Signed-off-by: Greg Kroah-Hartman commit c6322971f8013403e2ff5b7607ec4771b0c31949 Author: Al Viro Date: Thu Apr 29 03:10:43 2010 +0100 nfs d_revalidate() is too trigger-happy with d_drop() commit d9e80b7de91db05c1c4d2e5ebbfd70b3b3ba0e0f upstream. If dentry found stale happens to be a root of disconnected tree, we can't d_drop() it; its d_hash is actually part of s_anon and d_drop() would simply hide it from shrink_dcache_for_umount(), leading to all sorts of fun, including busy inodes on umount and oopsen after that. Bug had been there since at least 2006 (commit c636eb already has it), so it's definitely -stable fodder. Signed-off-by: Al Viro Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 870971905666b2771bd7304070bcd4ed88984306 Author: Mark Langsdorf Date: Wed Mar 31 21:56:45 2010 +0200 powernow-k8: Fix frequency reporting commit b810e94c9d8e3fff6741b66cd5a6f099a7887871 upstream. With F10, model 10, all valid frequencies are in the ACPI _PST table. Signed-off-by: Mark Langsdorf LKML-Reference: <1270065406-1814-6-git-send-email-bp@amd64.org> Signed-off-by: Borislav Petkov Reviewed-by: Thomas Renninger Signed-off-by: H. 
Peter Anvin Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 4075a923acbf1ab6b21e021c13cae4c4055e5277 Author: Joel Becker Date: Fri Apr 23 15:24:59 2010 -0700 ocfs2_dlmfs: Fix math error when reading LVB. commit a36d515c7a2dfacebcf41729f6812dbc424ebcf0 upstream. When asked for a partial read of the LVB in a dlmfs file, we can accidentally calculate a negative count. Reported-by: Dan Carpenter Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit c8f299e543caa5f88c4389c0bed5ef47bdf43970 Author: Joel Becker Date: Wed Mar 31 18:25:44 2010 -0700 ocfs2: Compute metaecc for superblocks during online resize. commit a42ab8e1a37257da37e0f018e707bf365ac24531 upstream. Online resize writes out the new superblock and its backups directly. The metaecc data wasn't being recomputed. Let's do that directly. Signed-off-by: Joel Becker Acked-by: Mark Fasheh Signed-off-by: Greg Kroah-Hartman commit 8cab1cb1cddb0731a0597575389230389ddea882 Author: Dan Carpenter Date: Thu Apr 22 11:39:29 2010 +0200 ocfs2: potential ERR_PTR dereference on error paths commit 0350cb078f5035716ebdad4ad4709d02fe466a8a upstream. If "handle" is non null at the end of the function then we assume it's a valid pointer and pass it to ocfs2_commit_trans(); Signed-off-by: Dan Carpenter Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit beeaab03ee04e5dd5e0ce48732a0d8e59554ef54 Author: Tao Ma Date: Wed Apr 21 14:05:55 2010 +0800 ocfs2: Update VFS inode's id info after reflink. commit c21a534e2f24968cf74976a4e721ac194db30ded upstream. In reflink we update the id info on the disk but forgot to update the corresponding information in the VFS inode. Update them accordingly when we want to preserve the attributes. 
Reported-by: Jeff Liu Signed-off-by: Tao Ma Signed-off-by: Joel Becker Signed-off-by: Greg Kroah-Hartman commit 08997c60a04eb38343ff7b5c2cca39468e76eebd Author: Jerome Marchand Date: Tue Apr 27 13:13:06 2010 -0700 procfs: fix tid fdinfo commit 3835541dd481091c4dbf5ef83c08aed12e50fd61 upstream. Correct the file_operations struct in fdinfo entry of tid_base_stuff[]. Presently /proc/*/task/*/fdinfo contains symlinks to opened files like /proc/*/fd/. Signed-off-by: Jerome Marchand Cc: Alexander Viro Cc: Miklos Szeredi Cc: Alexey Dobriyan Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2e80b07dcdbe27eda40447ad48e26662beea7b4c Author: Sarah Sharp Date: Fri Apr 16 08:07:27 2010 -0700 USB: xhci: properly set endpoint context fields for periodic eps. commit 9238f25d5d32a435277eb234ec82bacdd5daed41 upstream. For periodic endpoints, we must let the xHCI hardware know the maximum payload an endpoint can transfer in one service interval. The xHCI specification refers to this as the Maximum Endpoint Service Interval Time Payload (Max ESIT Payload). This is used by the hardware for bandwidth management and scheduling of packets. For SuperSpeed endpoints, the maximum is calculated by multiplying the max packet size by the number of bursts and the number of opportunities to transfer within a service interval (the Mult field of the SuperSpeed Endpoint companion descriptor). Devices advertise this in the wBytesPerInterval field of their SuperSpeed Endpoint Companion Descriptor. For high speed devices, this is taken by multiplying the max packet size by the "number of additional transaction opportunities per microframe" (the high bits of the wMaxPacketSize field in the endpoint descriptor). For FS/LS devices, this is just the max packet size. The other thing we must set in the endpoint context is the Average TRB Length. 
This is supposed to be the average of the total bytes in the transfer descriptor (TD), divided by the number of transfer request blocks (TRBs) it takes to describe the TD. This gives the host controller an indication of whether the driver will be enqueuing a scatter gather list with many entries comprised of small buffers, or one contiguous buffer. It also takes into account the number of extra TRBs you need for every TD. This includes No-op TRBs and Link TRBs used to link ring segments together. Some drivers may choose to chain an Event Data TRB on the end of every TD, thus increasing the average number of TRBs per TD. The Linux xHCI driver does not use Event Data TRBs. In theory, if there was an API to allow drivers to state what their bandwidth requirements are, we could set this field accurately. For now, we set it to the same number as the Max ESIT payload. The Average TRB Length should also be set for bulk and control endpoints, but I have no idea how to guess what it should be. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 0a0da543426241627580bda5fccb5ddf444a1aba Author: Sarah Sharp Date: Fri Apr 16 08:07:04 2010 -0700 USB: xhci: properly set the "Mult" field of the endpoint context. commit 1cf62246c0e394021e494e0a8f1013e80db1a1a9 upstream. A SuperSpeed interrupt or isochronous endpoint can define the number of "burst transactions" it can handle in a service interval. This is indicated by the "Mult" bits in the bmAttributes of the SuperSpeed Endpoint Companion Descriptor. For example, if it has a max packet size of 1024, a max burst of 11, and a mult of 3, the host may send 33 1024-byte packets in one service interval. We must tell the xHCI host controller the number of multiple service opportunities (mults) the device can handle when the endpoint is installed. We do that by setting the Mult field of the Endpoint Context before a configure endpoint command is sent down. The Mult field is invalid for control or bulk SuperSpeed endpoints. 
Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit dd13b9f4a90b5dcefb7ef36393a55c96f3f10a76 Author: Alan Stern Date: Tue Apr 20 10:37:57 2010 -0400 USB: OHCI: don't look at the root hub to get the number of ports commit fcf7d2141f4a363a4a8454c4a0f26bb69e766c5f upstream. This patch (as1371) fixes a small bug in ohci-hcd. The HCD already knows how many ports the controller has; there's no need to go looking at the root hub's usb_device structure to find out. Especially since the root hub's maxchild value is set correctly only while the root hub is bound to the hub driver. Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 0f6f37f1a93d1936d18e99739062f783118c9f98 Author: Alan Stern Date: Tue Apr 20 10:40:59 2010 -0400 USB: don't choose configs with no interfaces commit 62f9cfa3ece58268b3e92ca59c23b175f86205aa upstream. This patch (as1372) fixes a bug in the routine that chooses the default configuration to install when a new USB device is detected. The algorithm is supposed to look for a config whose first interface is for a non-vendor-specific class. But the way it's currently written, it will also accept a config with no interfaces at all, which is not very useful. (Believe it or not, such things do exist.) Signed-off-by: Alan Stern Tested-by: Andrew Victor Signed-off-by: Greg Kroah-Hartman commit b7cbd217d5a3197fa38f88a89bb75fa6bf7121b4 Author: Dan Carpenter Date: Thu Apr 22 12:00:52 2010 +0200 USB: fix testing the wrong variable in fs_create_by_name() commit fa7fe7af146a7b613e36a311eefbbfb5555325d1 upstream. There is a typo here. We should be testing "*dentry" which was just assigned instead of "dentry". This could result in dereferencing an ERR_PTR inside either usbfs_mkdir() or usbfs_create(). 
Signed-off-by: Dan Carpenter Signed-off-by: Greg Kroah-Hartman commit a559bbbda22d8905fe71cbcb9f1ea11b8a9668a7 Author: William Lightning Date: Fri Mar 26 10:51:20 2010 -0700 USB: Add id for HP ev2210 a.k.a Sierra MC5725 miniPCI-e Cell Modem. commit cfbaa39347b34837f26e01fe8f4f8dbbae60b520 upstream. Signed-off-by: William Lightning Signed-off-by: Greg Kroah-Hartman commit 2fb9d8cdf50d3d2353da727c8faf4fa1ea0eb2b6 Author: Alan Stern Date: Fri Apr 30 12:09:23 2010 -0400 USB: fix remote wakeup settings during system sleep This is a backport of commit 5f677f1d45b2bf08085bbba7394392dfa586fa8e. Some of the functionality had to be removed, but it should still fix the webcam problem. This patch (as1363b) changes the way USB remote wakeup is handled during system sleeps. It won't be enabled unless an interface driver specifically needs it. Also, it won't be enabled during the FREEZE or QUIESCE phases of hibernation, when the system doesn't respond to wakeup events anyway. This will fix problems people have reported with certain USB webcams that generate wakeup requests when they shouldn't, and as a result cause system suspends to fail. See https://bugs.launchpad.net/ubuntu/+source/linux/+bug/515109 Signed-off-by: Alan Stern Signed-off-by: Greg Kroah-Hartman commit d6890e184283ae1b9c2edacae838d15e3ce55155 Author: Eric Lescouet Date: Sat Apr 24 02:55:24 2010 +0200 staging: usbip: Fix deadlock commit d01f42a22ef381ba973958e977209ac9a8667d57 upstream. When detaching a port from the client side (usbip --detach 0), the event thread, on the server side, is going to deadlock. The "eh" server thread is getting USBIP_EH_RESET event and calls: -> stub_device_reset() -> usb_reset_device() the USB framework is then calling back _in the same "eh" thread_ : -> stub_disconnect() -> usbip_stop_eh() -> wait_for_completion() the "eh" thread is being asleep forever, waiting for its own completion. This patch checks if "eh" is the current thread, in usbip_stop_eh(). 
Signed-off-by: Eric Lescouet Signed-off-by: Greg Kroah-Hartman commit c1837a8f5014463056c255f4bf82a06d16388223 Author: David Howells Date: Tue Apr 27 13:13:08 2010 -0700 keys: the request_key() syscall should link an existing key to the dest keyring commit 03449cd9eaa4fa3a7faa4a59474bafe2e90bd143 upstream. The request_key() system call and request_key_and_link() should make a link from an existing key to the destination keyring (if supplied), not just from a new key to the destination keyring. This can be tested by: ring=`keyctl newring fred @s` keyctl request2 user debug:a a keyctl request user debug:a $ring keyctl list $ring If it says: keyring is empty then it didn't work. If it shows something like: 1 key in keyring: 1070462727: --alswrv 0 0 user: debug:a then it did. request_key() system call is meant to recursively search all your keyrings for the key you desire, and, optionally, if it doesn't exist, call out to userspace to create one for you. If request_key() finds or creates a key, it should, optionally, create a link to that key from the destination keyring specified. Therefore, if, after a successful call to request_key() with a destination keyring specified, you see the destination keyring empty, the code didn't work correctly. If you see the found key in the keyring, then it did - which is what the patch is required for. Signed-off-by: David Howells Cc: James Morris Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 9e27d5e6748f40b7c9835f3ef9b7ce64bed15e74 Author: Neil Brown Date: Tue Apr 20 12:16:52 2010 +1000 nfsd4: bug in read_buf commit 2bc3c1179c781b359d4f2f3439cb3df72afc17fc upstream. When read_buf is called to move over to the next page in the pagelist of an NFSv4 request, it sets argp->end to essentially a random number, certainly not an address within the page which argp->p now points to. 
So subsequent calls to READ_BUF will think there is much more than a page of spare space (the cast to u32 ensures an unsigned comparison) so we can expect to fall off the end of the second page. We never encountered this in testing because typically the only operations which use more than two pages are write-like operations, which have their own decoding logic. Something like a getattr after a write may cross a page boundary, but it would be very unusual for it to cross another boundary after that. Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit ebab7082c82621967a08e6a2e79219fc3a5e5dd5 Author: Jeff Mahoney Date: Fri Apr 23 13:17:41 2010 -0400 reiserfs: fix corruption during shrinking of xattrs commit fb2162df74bb19552db3d988fd11c787cf5fad56 upstream. Commit 48b32a3553a54740d236b79a90f20147a25875e3 ("reiserfs: use generic xattr handlers") introduced a problem that causes corruption when extended attributes are replaced with a smaller value. The issue is that the reiserfs_setattr to shrink the xattr file was moved from before the write to after the write. The root issue has always been in the reiserfs xattr code, but was papered over by the fact that in the shrink case, the file would just be expanded again while the xattr was written. The end result is that the last 8 bytes of xattr data are lost. This patch fixes it to use new_size. Addresses https://bugzilla.kernel.org/show_bug.cgi?id=14826 Signed-off-by: Jeff Mahoney Reported-by: Christian Kujau Tested-by: Christian Kujau Cc: Edward Shishkin Cc: Jethro Beekman Cc: Greg Surbey Cc: Marco Gatti Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit aab06bd25fa245a3475c35f8934e1e810d6ca8f8 Author: Jeff Mahoney Date: Fri Apr 23 13:17:37 2010 -0400 reiserfs: fix permissions on .reiserfs_priv commit cac36f707119b792b2396aed371d6b5cdc194890 upstream. 
Commit 677c9b2e393a0cd203bd54e9c18b012b2c73305a ("reiserfs: remove privroot hiding in lookup") removed the magic from the lookup code to hide the .reiserfs_priv directory since it was getting loaded at mount-time instead. The intent was that the entry would be hidden from the user via a poisoned d_compare, but this was faulty. This introduced a security issue where unprivileged users could access and modify extended attributes or ACLs belonging to other users, including root. This patch resolves the issue by properly hiding .reiserfs_priv. This was the intent of the xattr poisoning code, but it appears to have never worked as expected. This is fixed by using d_revalidate instead of d_compare. This patch makes -oexpose_privroot a no-op. I'm fine leaving it this way. The effort involved in working out the corner cases wrt permissions and caching outweigh the benefit of the feature. Signed-off-by: Jeff Mahoney Acked-by: Edward Shishkin Reported-by: Matt McCutchen Tested-by: Matt McCutchen Cc: Frederic Weisbecker Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a988a1781479b17237042f9fa08bfe552fe592b0 Author: Mel Gorman Date: Fri Apr 23 13:17:56 2010 -0400 hugetlb: fix infinite loop in get_futex_key() when backed by huge pages commit 23be7468e8802a2ac1de6ee3eecb3ec7f14dc703 upstream. If a futex key happens to be located within a huge page mapped MAP_PRIVATE, get_futex_key() can go into an infinite loop waiting for a page->mapping that will never exist. See https://bugzilla.redhat.com/show_bug.cgi?id=552257 for more details about the problem. This patch makes page->mapping a poisoned value that includes PAGE_MAPPING_ANON mapped MAP_PRIVATE. This is enough for futex to continue but because of PAGE_MAPPING_ANON, the poisoned value is not dereferenced or used by futex. No other part of the VM should be dereferencing the page->mapping of a hugetlbfs page as its page cache is not on the LRU. 
This patch fixes the problem with the test case described in the bugzilla. [akpm@linux-foundation.org: mel cant spel] Signed-off-by: Mel Gorman Acked-by: Peter Zijlstra Acked-by: Darren Hart Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 5d5890b7cdde133721fc3050abd28085b8dbb2e3 Author: Avi Kivity Date: Sun Jan 10 16:28:09 2010 +0200 core, x86: make LIST_POISON less deadly commit a29815a333c6c6e677294bbe5958e771d0aad3fd upstream. The list macros use LIST_POISON1 and LIST_POISON2 as undereferencable pointers in order to trap erroneous use of freed list_heads. Unfortunately userspace can arrange for those pointers to actually be dereferencable, potentially turning an oops to an exploit. To avoid this allow architectures (currently x86_64 only) to override the default values for these pointers with truly-undereferencable values. This is easy on x86_64 as the virtual address space is large and contains areas that cannot be mapped. Other 64-bit architectures will likely find similar unmapped ranges. [ingo: switch to 0xdead000000000000 as the unmapped area] [ingo: add comments, cleanup] [jaswinder: eliminate sparse warnings] Acked-by: Linus Torvalds Signed-off-by: Jaswinder Singh Rajput Signed-off-by: Ingo Molnar Signed-off-by: Avi Kivity Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 669805f0492eb6415a6c621fcd1ef6e29fee32b8 Author: Changli Gao Date: Fri Apr 23 13:17:45 2010 -0400 flex_array: fix the panic when calling flex_array_alloc() without __GFP_ZERO commit e59464c735db19619cde2aa331609adb02005f5b upstream. memset() is called with the wrong address and the kernel panics. 
    Signed-off-by: Changli Gao
    Cc: Patrick McHardy
    Acked-by: David Rientjes
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit fb85b86ad4989b8d3aa5cbb2aafc9568a22fd3ce
Author: Johannes Berg
Date:   Mon Apr 19 10:48:38 2010 +0200

    mac80211: remove bogus TX agg state assignment

    commit b4bb5c3fd9333024044362df67e23e96158489ed upstream.

    When the addba timer expires but has no work to do, it should not affect
    the state machine. If it does, TX will not see the successfully
    established and we can also crash trying to re-establish the session.

    Signed-off-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 2d554beb7911560ebd7e59f3284a3a654a9b3315
Author: Andrea Arcangeli
Date:   Fri Apr 23 13:17:39 2010 -0400

    memcg: fix prepare migration

    commit 93d5c9be1ddd57d4063ce463c9ac2be1e5ee14f1 upstream.

    If a signal is pending (task being killed by sigkill)
    __mem_cgroup_try_charge will write NULL into &mem, and css_put will oops
    on null pointer dereference.

    BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
    IP: [] mem_cgroup_prepare_migration+0x7c/0xc0
    PGD a5d89067 PUD a5d8a067 PMD 0
    Oops: 0000 [#1] SMP
    last sysfs file: /sys/devices/platform/microcode/firmware/microcode/loading
    CPU 0
    Modules linked in: nfs lockd nfs_acl auth_rpcgss sunrpc acpi_cpufreq pcspkr sg [last unloaded: microcode]

    Pid: 5299, comm: largepages Tainted: G W 2.6.34-rc3 #3 Penryn1600SLI-110dB/To Be Filled By O.E.M.
    RIP: 0010:[] [] mem_cgroup_prepare_migration+0x7c/0xc0

    [nishimura@mxp.nes.nec.co.jp: fix merge issues]
    Signed-off-by: Andrea Arcangeli
    Acked-by: KAMEZAWA Hiroyuki
    Cc: Balbir Singh
    Signed-off-by: Daisuke Nishimura
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 4268c2cbe019db682f9d493eb728c942d1cc2fb8
Author: Ian Dall
Date:   Fri Apr 23 13:17:53 2010 -0400

    w1: w1 temp: fix negative termperature calculation

    commit 9a6a1ecd9e9b5d046a236da2f7eb6b6812f04229 upstream.

    Fix regression caused by commit 507e2fbaaacb6f164b4125b87c5002f95143174b
    ("w1: w1 temp calculation overflow fix") whereby negative temperatures for
    the DS18B20 are not converted properly.

    When the temperature exceeds 32767 milli-degrees the temperature overflows
    to -32768 millidegrees. These are both well within the -55 - +125 degree
    range for the sensor.

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=12646

    Signed-of-by: Ian Dall
    Cc: Evgeniy Polyakov
    Tested-by: Karsten Elfenbein
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 00752c01d2ef9c60e043ef01f4af987846815dae
Author: Jeff Garzik
Date:   Thu Apr 22 21:59:13 2010 -0400

    libata: ensure NCQ error result taskfile is fully initialized before
    returning it via qc->result_tf.

    commit a09bf4cd53b8ab000197ef81f15d50f29ecf973c upstream.

    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit 03f7b5c5020942f14e83ec2eb2bd89134f7f3919
Author: Tejun Heo
Date:   Thu Apr 15 08:57:37 2010 +0900

    libata: fix locking around blk_abort_request()

    commit fa41efdae7de61191a7bda3a00e88ef69afb5bb9 upstream.

    blk_abort_request() expects queue lock to be held by the caller. Grab it
    before calling the function.

    Lack of this synchronization led to infinite loop on corrupt
    q->timeout_list.
    Signed-off-by: Tejun Heo
    Cc: Jens Axboe
    Signed-off-by: Jeff Garzik
    Signed-off-by: Greg Kroah-Hartman

commit a2cea9c7ccc593386385afd3a35ccf0bb9143bcc
Author: NeilBrown
Date:   Fri Apr 23 07:08:28 2010 +1000

    md/raid5: fix previous patch.

    commit 6e3b96ed610e5a1838e62ddae9fa0c3463f235fa upstream.

    Previous patch changes stripe and chunk_number to sector_t but mistakenly
    did not update all of the divisions to use sector_dev().

    This patch changes all those divisions (actually the '%' operator) to
    sector_div.

    Signed-off-by: NeilBrown
    Tested-by: Stefan Lippers-Hollmann
    Signed-off-by: Greg Kroah-Hartman

commit 2b759393cd12c710da0859c87564c78930ff01d8
Author: NeilBrown
Date:   Tue Apr 20 14:13:34 2010 +1000

    md/raid5: allow for more than 2^31 chunks.

    commit 35f2a591192d0a5d9f7fc696869c76f0b8e49c3d upstream.

    With many large drives and small chunk sizes it is possible to create a
    RAID5 with more than 2^31 chunks. Make sure this works.

    Reported-by: Brett King
    Signed-off-by: NeilBrown
    Signed-off-by: Greg Kroah-Hartman

commit d5d30e59fbea20fc09d300f3d4c90bbd2ecfc9f3
Author: Shimada Hirofumi
Date:   Sun Feb 14 04:16:16 2010 +0900

    p54usb: Add usbid for Corega CG-WLUSB2GT.

    commit 15a69a81731d337a3d9db51692ff8704c1114f43 upstream.

    Signed-off-by: Shimada Hirofumi
    Signed-off-by: YOSHIFUJI Hideaki
    Signed-off-by: John W. Linville
    Cc: maximilian attems
    Signed-off-by: Greg Kroah-Hartman

commit 9ab04f8dc2ec32b1065ab9dfcca3c92456fa77e0
Author: Alan Stern
Date:   Thu Apr 8 16:56:37 2010 -0400

    USB: EHCI: defer reclamation of siTDs

    commit 0e5f231bc16ff9910882fa5b9d64d80e7691cfab upstream.

    This patch (as1369) fixes a problem in ehci-hcd. Some controllers
    occasionally run into trouble when the driver reclaims siTDs too quickly.
    This can happen while streaming audio; it causes the controller to crash.

    The patch changes siTD reclamation to work the same way as iTD
    reclamation: Completed siTDs are stored on a list and not reused until at
    least one frame has passed.
    Signed-off-by: Alan Stern
    Tested-by: Nate Case
    Signed-off-by: Greg Kroah-Hartman
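
Added example, not part of the changelog or the kernel source: the "core, x86: make LIST_POISON less deadly" entry above depends on x86_64 having addresses that can never be mapped, and this C sketch classifies the list poison values with and without the 0xdead000000000000 offset. The base values 0x00100100 and 0x00200200 are the generic defaults from include/linux/poison.h; the helper names, the 4096-byte offset window and the 48/57-bit address widths are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Generic defaults from include/linux/poison.h (not quoted in the changelog). */
#define OLD_LIST_POISON1 0x00100100ULL
#define OLD_LIST_POISON2 0x00200200ULL
/* x86_64 offset named in the commit message. */
#define POISON_POINTER_DELTA 0xdead000000000000ULL

enum addr_class { ADDR_USER_HALF, ADDR_KERNEL_HALF, ADDR_NON_CANONICAL };

/* Hypothetical helper: x86_64 requires bits 63..(va_bits-1) to be all 0 or
 * all 1. va_bits is 48 with 4-level paging, 57 with 5-level paging. */
static enum addr_class classify_va(uint64_t va, unsigned va_bits)
{
    uint64_t top = va >> (va_bits - 1);
    uint64_t ones = (1ULL << (64 - va_bits + 1)) - 1;

    if (top == 0)
        return ADDR_USER_HALF;      /* a process can place a mapping here */
    if (top == ones)
        return ADDR_KERNEL_HALF;
    return ADDR_NON_CANONICAL;      /* no page table entry can ever back it */
}

/* A poison value is safe only if every address a stale list_head access can
 * reach from it (poison + small field offset) is non-canonical. */
static int poison_always_traps(uint64_t poison, unsigned va_bits)
{
    for (uint64_t off = 0; off < 4096; off += 8)
        if (classify_va(poison + off, va_bits) != ADDR_NON_CANONICAL)
            return 0;
    return 1;
}

int main(void)
{
    const uint64_t vals[] = { OLD_LIST_POISON1, OLD_LIST_POISON2,
                              OLD_LIST_POISON1 + POISON_POINTER_DELTA,
                              OLD_LIST_POISON2 + POISON_POINTER_DELTA };
    for (unsigned i = 0; i < 4; i++)
        printf("%#018llx  48-bit traps: %d  57-bit traps: %d\n",
               (unsigned long long)vals[i],
               poison_always_traps(vals[i], 48),
               poison_always_traps(vals[i], 57));
    return 0;
}
```

The unshifted values land in the user half of the address space, so whether a stale list access faults depends on what the process has mapped; the shifted values are non-canonical under both paging modes and fault unconditionally.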