commit 6c70817654bdc33af7eca286b4c734ce03f9eeb5 Author: Greg Kroah-Hartman Date: Mon Jul 5 11:14:00 2010 -0700 Linux 2.6.32.16 commit a0bda22f42ef2f990578015b8ab34252583121a2 Author: Wei Yongjun Date: Mon May 17 22:51:58 2010 -0700 sctp: fix append error cause to ERROR chunk correctly commit 2e3219b5c8a2e44e0b83ae6e04f52f20a82ac0f2 upstream. commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 sctp: Fix skb_over_panic resulting from multiple invalid \ parameter errors (CVE-2010-1173) (v4) cause 'error cause' never be add the the ERROR chunk due to some typo when check valid length in sctp_init_cause_fixed(). Signed-off-by: Wei Yongjun Reviewed-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 966399a8b8d957ed59feb7770b33ee16ce0e8fe4 Author: Ben Hutchings Date: Fri Mar 19 16:59:19 2010 -0700 qla2xxx: Disable MSI on qla24xx chips other than QLA2432. commit 6377a7ae1ab82859edccdbc8eaea63782efb134d upstream. On specific platforms, MSI is unreliable on some of the QLA24xx chips, resulting in fatal I/O errors under load, as reported in and by some RHEL customers. Signed-off-by: Giridhar Malavali Signed-off-by: James Bottomley Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 48b97a01ba4d411047dad9abce933301699cdf25 Author: Toshiyuki Okajima Date: Fri Apr 30 14:32:13 2010 +0100 KEYS: find_keyring_by_name() can gain access to a freed keyring commit cea7daa3589d6b550546a8c8963599f7c1a3ae5c upstream. find_keyring_by_name() can gain access to a keyring that has had its reference count reduced to zero, and is thus ready to be freed. This then allows the dead keyring to be brought back into use whilst it is being destroyed. The following timeline illustrates the process: |(cleaner) (user) | | free_user(user) sys_keyctl() | | | | key_put(user->session_keyring) keyctl_get_keyring_ID() | || //=> keyring->usage = 0 | | |schedule_work(&key_cleanup_task) lookup_user_key() | || | | kmem_cache_free(,user) | | . |[KEY_SPEC_USER_KEYRING] | . install_user_keyrings() | . || | key_cleanup() [<= worker_thread()] || | | || | [spin_lock(&key_serial_lock)] |[mutex_lock(&key_user_keyr..mutex)] | | || | atomic_read() == 0 || | |{ rb_ease(&key->serial_node,) } || | | || | [spin_unlock(&key_serial_lock)] |find_keyring_by_name() | | ||| | keyring_destroy(keyring) ||[read_lock(&keyring_name_lock)] | || ||| | |[write_lock(&keyring_name_lock)] ||atomic_inc(&keyring->usage) | |. ||| *** GET freeing keyring *** | |. ||[read_unlock(&keyring_name_lock)] | || || | |list_del() |[mutex_unlock(&key_user_k..mutex)] | || | | |[write_unlock(&keyring_name_lock)] ** INVALID keyring is returned ** | | . | kmem_cache_free(,keyring) . | . | atomic_dec(&keyring->usage) v *** DESTROYED *** TIME If CONFIG_SLUB_DEBUG=y then we may see the following message generated: ============================================================================= BUG key_jar: Poison overwritten ----------------------------------------------------------------------------- INFO: 0xffff880197a7e200-0xffff880197a7e200. First byte 0x6a instead of 0x6b INFO: Allocated in key_alloc+0x10b/0x35f age=25 cpu=1 pid=5086 INFO: Freed in key_cleanup+0xd0/0xd5 age=12 cpu=1 pid=10 INFO: Slab 0xffffea000592cb90 objects=16 used=2 fp=0xffff880197a7e200 flags=0x200000000000c3 INFO: Object 0xffff880197a7e200 @offset=512 fp=0xffff880197a7e300 Bytes b4 0xffff880197a7e1f0: 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a 5a ZZZZZZZZZZZZZZZZ Object 0xffff880197a7e200: 6a 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b 6b jkkkkkkkkkkkkkkk Alternatively, we may see a system panic happen, such as: BUG: unable to handle kernel NULL pointer dereference at 0000000000000001 IP: [] kmem_cache_alloc+0x5b/0xe9 PGD 6b2b4067 PUD 6a80d067 PMD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/kernel/kexec_crash_loaded CPU 1 ... Pid: 31245, comm: su Not tainted 2.6.34-rc5-nofixed-nodebug #2 D2089/PRIMERGY RIP: 0010:[] [] kmem_cache_alloc+0x5b/0xe9 RSP: 0018:ffff88006af3bd98 EFLAGS: 00010002 RAX: 0000000000000000 RBX: 0000000000000001 RCX: ffff88007d19900b RDX: 0000000100000000 RSI: 00000000000080d0 RDI: ffffffff81828430 RBP: ffffffff81828430 R08: ffff88000a293750 R09: 0000000000000000 R10: 0000000000000001 R11: 0000000000100000 R12: 00000000000080d0 R13: 00000000000080d0 R14: 0000000000000296 R15: ffffffff810f20ce FS: 00007f97116bc700(0000) GS:ffff88000a280000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000000001 CR3: 000000006a91c000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process su (pid: 31245, threadinfo ffff88006af3a000, task ffff8800374414c0) Stack: 0000000512e0958e 0000000000008000 ffff880037f8d180 0000000000000001 0000000000000000 0000000000008001 ffff88007d199000 ffffffff810f20ce 0000000000008000 ffff88006af3be48 0000000000000024 ffffffff810face3 Call Trace: [] ? get_empty_filp+0x70/0x12f [] ? do_filp_open+0x145/0x590 [] ? tlb_finish_mmu+0x2a/0x33 [] ? unmap_region+0xd3/0xe2 [] ? virt_to_head_page+0x9/0x2d [] ? alloc_fd+0x69/0x10e [] ? do_sys_open+0x56/0xfc [] ? system_call_fastpath+0x16/0x1b Code: 0f 1f 44 00 00 49 89 c6 fa 66 0f 1f 44 00 00 65 4c 8b 04 25 60 e8 00 00 48 8b 45 00 49 01 c0 49 8b 18 48 85 db 74 0d 48 63 45 18 <48> 8b 04 03 49 89 00 eb 14 4c 89 f9 83 ca ff 44 89 e6 48 89 ef RIP [] kmem_cache_alloc+0x5b/0xe9 This problem is that find_keyring_by_name does not confirm that the keyring is valid before accepting it. Skipping keyrings that have been reduced to a zero count seems the way to go. To this end, use atomic_inc_not_zero() to increment the usage count and skip the candidate keyring if that returns false. The following script _may_ cause the bug to happen, but there's no guarantee as the window of opportunity is small: #!/bin/sh LOOP=100000 USER=dummy_user /bin/su -c "exit;" $USER || { /usr/sbin/adduser -m $USER; add=1; } for ((i=0; i /dev/null" $USER done (( add == 1 )) && /usr/sbin/userdel -r $USER exit Note that the nominated user must not be in use. An alternative way of testing this may be: for ((i=0; i<100000; i++)) do keyctl session foo /bin/true || break done >&/dev/null as that uses a keyring named "foo" rather than relying on the user and user-session named keyrings. Reported-by: Toshiyuki Okajima Signed-off-by: David Howells Tested-by: Toshiyuki Okajima Acked-by: Serge Hallyn Signed-off-by: James Morris Cc: Ben Hutchings Cc: Chuck Ebbert Signed-off-by: Greg Kroah-Hartman commit ec098d1914879ce1fb45691f33c8cd194eef7a50 Author: Dan Carpenter Date: Mon May 17 14:42:35 2010 +0100 KEYS: Return more accurate error codes commit 4d09ec0f705cf88a12add029c058b53f288cfaa2 upstream. We were using the wrong variable here so the error codes weren't being returned properly. The original code returns -ENOKEY. Signed-off-by: Dan Carpenter Signed-off-by: David Howells Signed-off-by: James Morris Signed-off-by: Greg Kroah-Hartman commit 31f1b308a6b715bfd2729b832cef2d3270874169 Author: Mikulas Patocka Date: Thu Dec 10 23:52:08 2009 +0000 dm snapshot: simplify sector_to_chunk expression commit 102c6ddb1d081a6a1fede38c43a42c9811313ec7 upstream. Removed unnecessary 'and' masking: The right shift discards the lower bits so there is no need to clear them. (A later patch needs this change to support a 32-bit chunk_mask.) Signed-off-by: Mikulas Patocka Reviewed-by: Mike Snitzer Reviewed-by: Jonathan Brassow Signed-off-by: Alasdair G Kergon Signed-off-by: Greg Kroah-Hartman commit 3cbc79196ec9677ff39e8f187a0ba6636d1e3200 Author: Helge Deller Date: Mon May 3 20:44:21 2010 +0000 parisc: clear floating point exception flag on SIGFPE signal commit 550f0d922286556c7ea43974bb7921effb5a5278 upstream. Clear the floating point exception flag before returning to user space. This is needed, else the libc trampoline handler may hit the same SIGFPE again while building up a trampoline to a signal handler. Fixes debian bug #559406. Signed-off-by: Helge Deller Signed-off-by: Kyle McMartin Signed-off-by: Greg Kroah-Hartman commit 36d28220345c9b0bf18fbecffe9a852a146dc142 Author: Yin Kangkai Date: Tue Dec 15 14:48:25 2009 -0800 jbd: jbd-debug and jbd2-debug should be writable commit 765f8361902d015c864d5e62019b2f139452d7ef upstream. jbd-debug and jbd2-debug is currently read-only (S_IRUGO), which is not correct. Make it writable so that we can start debuging. Signed-off-by: Yin Kangkai Reviewed-by: Aneesh Kumar K.V Signed-off-by: Andrew Morton Signed-off-by: Jan Kara Cc: Theodore Ts'o Signed-off-by: Greg Kroah-Hartman commit fbec9e1f76ac124d0902497409ac2c9364d9d9a4 Author: Roedel, Joerg Date: Thu May 6 11:38:43 2010 +0200 KVM: x86: Inject #GP with the right rip on efer writes This patch fixes a bug in the KVM efer-msr write path. If a guest writes to a reserved efer bit the set_efer function injects the #GP directly. The architecture dependent wrmsr function does not see this, assumes success and advances the rip. This results in a #GP in the guest with the wrong rip. This patch fixes this by reporting efer write errors back to the architectural wrmsr function. Signed-off-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit b69e8caef5b190af48c525f6d715e7b7728a77f6) commit c86db80af03239bd1094b2953871a72a2d889991 Author: Avi Kivity Date: Thu May 13 11:50:19 2010 +0300 KVM: x86: Add missing locking to arch specific vcpu ioctls Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 8fbf065d625617bbbf6b72d5f78f84ad13c8b547) commit 0890bb8d955da47bd51bc823f5080ec0c2664b3f Author: Avi Kivity Date: Tue May 4 15:00:37 2010 +0300 KVM: Fix wallclock version writing race Wallclock writing uses an unprotected global variable to hold the version; this can cause one guest to interfere with another if both write their wallclock at the same time. Acked-by: Glauber Costa Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 9ed3c444ab8987c7b219173a2f7807e3f71e234e) commit 4a277f9cb862ad44d3a83bfcc0cf42727de99ac3 Author: Avi Kivity Date: Tue May 4 12:58:32 2010 +0300 KVM: MMU: Don't read pdptrs with mmu spinlock held in mmu_alloc_roots On svm, kvm_read_pdptr() may require reading guest memory, which can sleep. Push the spinlock into mmu_alloc_roots(), and only take it after we've read the pdptr. Tested-by: Joerg Roedel Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 8facbbff071ff2b19268d3732e31badc60471e21) commit 66307ba1647f9666baebd342520bf83cb7832468 Author: Shane Wang Date: Thu Apr 29 12:09:01 2010 -0400 KVM: VMX: enable VMXON check with SMX enabled (Intel TXT) Per document, for feature control MSR: Bit 1 enables VMXON in SMX operation. If the bit is clear, execution of VMXON in SMX operation causes a general-protection exception. Bit 2 enables VMXON outside SMX operation. If the bit is clear, execution of VMXON outside SMX operation causes a general-protection exception. This patch is to enable this kind of check with SMX for VMXON in KVM. Signed-off-by: Shane Wang Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit cafd66595d92591e4bd25c3904e004fc6f897e2d) commit 3b2711485ef5ef6ee3c0e0079ce5c4817d09b55e Author: Avi Kivity Date: Wed May 12 11:48:18 2010 +0300 KVM: MMU: Segregate shadow pages with different cr0.wp When cr0.wp=0, we may shadow a gpte having u/s=1 and r/w=0 with an spte having u/s=0 and r/w=1. This allows excessive access if the guest sets cr0.wp=1 and accesses through this spte. Fix by making cr0.wp part of the base role; we'll have different sptes for the two cases and the problem disappears. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 3dbe141595faa48a067add3e47bba3205b79d33c) commit e4a13296e7e92ddd73fa078906744d73f7d470ff Author: Sheng Yang Date: Wed May 12 16:40:40 2010 +0800 KVM: x86: Check LMA bit before set_efer kvm_x86_ops->set_efer() would execute vcpu->arch.efer = efer, so the checking of LMA bit didn't work. Signed-off-by: Sheng Yang Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (cherry picked from commit a3d204e28579427609c3d15d2310127ebaa47d94) commit 90a08dc75c91c0e50cabc11e79a761e1d63a0303 Author: Avi Kivity Date: Wed May 12 00:28:44 2010 +0300 KVM: Don't allow lmsw to clear cr0.pe The current lmsw implementation allows the guest to clear cr0.pe, contrary to the manual, which breaks EMM386.EXE. Fix by ORing the old cr0.pe with lmsw's operand. Signed-off-by: Avi Kivity Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (cherry picked from commit f78e917688edbf1f14c318d2e50dc8e7dad20445) commit 1345126c761f0360dc108973bf73281d51945bc1 Author: Glauber Costa Date: Tue May 11 12:17:40 2010 -0400 x86, paravirt: Add a global synchronization point for pvclock In recent stress tests, it was found that pvclock-based systems could seriously warp in smp systems. Using ingo's time-warp-test.c, I could trigger a scenario as bad as 1.5mi warps a minute in some systems. (to be fair, it wasn't that bad in most of them). Investigating further, I found out that such warps were caused by the very offset-based calculation pvclock is based on. This happens even on some machines that report constant_tsc in its tsc flags, specially on multi-socket ones. Two reads of the same kernel timestamp at approx the same time, will likely have tsc timestamped in different occasions too. This means the delta we calculate is unpredictable at best, and can probably be smaller in a cpu that is legitimately reading clock in a forward ocasion. Some adjustments on the host could make this window less likely to happen, but still, it pretty much poses as an intrinsic problem of the mechanism. A while ago, I though about using a shared variable anyway, to hold clock last state, but gave up due to the high contention locking was likely to introduce, possibly rendering the thing useless on big machines. I argue, however, that locking is not necessary. We do a read-and-return sequence in pvclock, and between read and return, the global value can have changed. However, it can only have changed by means of an addition of a positive value. So if we detected that our clock timestamp is less than the current global, we know that we need to return a higher one, even though it is not exactly the one we compared to. OTOH, if we detect we're greater than the current time source, we atomically replace the value with our new readings. This do causes contention on big boxes (but big here means *BIG*), but it seems like a good trade off, since it provide us with a time source guaranteed to be stable wrt time warps. After this patch is applied, I don't see a single warp in time during 5 days of execution, in any of the machines I saw them before. Signed-off-by: Glauber Costa Acked-by: Zachary Amsden CC: Jeremy Fitzhardinge CC: Avi Kivity CC: Marcelo Tosatti CC: Zachary Amsden Signed-off-by: Marcelo Tosatti Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 489fb490dbf8dab0249ad82b56688ae3842a79e8) commit 55d1dfd139e4f3e29e5b417683f48d396c271e73 Author: Wei Yongjun Date: Tue Mar 9 14:13:43 2010 +0800 KVM: PPC: Do not create debugfs if fail to create vcpu If fail to create the vcpu, we should not create the debugfs for it. Signed-off-by: Wei Yongjun Acked-by: Alexander Graf Cc: stable@kernel.org Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 06056bfb944a0302a8f22eb45f09123de7fb417b) commit 3f96c6f9710338ef5bea72dbc8a88a64eea4627a Author: Wei Yongjun Date: Tue Mar 9 14:37:53 2010 +0800 KVM: s390: Fix possible memory leak of in kvm_arch_vcpu_create() This patch fixed possible memory leak in kvm_arch_vcpu_create() under s390, which would happen when kvm_arch_vcpu_create() fails. Signed-off-by: Wei Yongjun Acked-by: Carsten Otte Cc: stable@kernel.org Signed-off-by: Avi Kivity Signed-off-by: Greg Kroah-Hartman (cherry picked from commit 7b06bf2ffa15e119c7439ed0b024d44f66d7b605) commit 04a08885c36dc2f4663900d007b9d71a7e7f2b92 Author: Dmitry Torokhov Date: Thu May 13 00:42:23 2010 -0700 Input: psmouse - reset all types of mice before reconnecting commit ef110b24e28f36620f63dab94708a17c7e267358 upstream. Synaptics hardware requires resetting device after suspend to ram in order for the device to be operational. The reset lives in synaptics-specific reconnect handler, but it is not being invoked if synaptics support is disabled and the device is handled as a standard PS/2 device (bare or IntelliMouse protocol). Let's add reset into generic reconnect handler as well. Signed-off-by: Dmitry Torokhov Cc: Tim Gardner Signed-off-by: Greg Kroah-Hartman commit ed24d91246b907441b8061dc3fb18f233ebd664e Author: Neil Horman Date: Wed Mar 3 08:31:23 2010 +0000 tipc: Fix oops on send prior to entering networked mode (v3) commit d0021b252eaf65ca07ed14f0d66425dd9ccab9a6 upstream. Fix TIPC to disallow sending to remote addresses prior to entering NET_MODE user programs can oops the kernel by sending datagrams via AF_TIPC prior to entering networked mode. The following backtrace has been observed: ID: 13459 TASK: ffff810014640040 CPU: 0 COMMAND: "tipc-client" [exception RIP: tipc_node_select_next_hop+90] RIP: ffffffff8869d3c3 RSP: ffff81002d9a5ab8 RFLAGS: 00010202 RAX: 0000000000000001 RBX: 0000000000000001 RCX: 0000000000000001 RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000001001001 RBP: 0000000001001001 R8: 0074736575716552 R9: 0000000000000000 R10: ffff81003fbd0680 R11: 00000000000000c8 R12: 0000000000000008 R13: 0000000000000001 R14: 0000000000000001 R15: ffff810015c6ca00 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 RIP: 0000003cbd8d49a3 RSP: 00007fffc84e0be8 RFLAGS: 00010206 RAX: 000000000000002c RBX: ffffffff8005d116 RCX: 0000000000000000 RDX: 0000000000000008 RSI: 00007fffc84e0c00 RDI: 0000000000000003 RBP: 0000000000000000 R8: 00007fffc84e0c10 R9: 0000000000000010 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000 R13: 00007fffc84e0d10 R14: 0000000000000000 R15: 00007fffc84e0c30 ORIG_RAX: 000000000000002c CS: 0033 SS: 002b What happens is that, when the tipc module in inserted it enters a standalone node mode in which communication to its own address is allowed <0.0.0> but not to other addresses, since the appropriate data structures have not been allocated yet (specifically the tipc_net pointer). There is nothing stopping a client from trying to send such a message however, and if that happens, we attempt to dereference tipc_net.zones while the pointer is still NULL, and explode. The fix is pretty straightforward. Since these oopses all arise from the dereference of global pointers prior to their assignment to allocated values, and since these allocations are small (about 2k total), lets convert these pointers to static arrays of the appropriate size. All the accesses to these bits consider 0/NULL to be a non match when searching, so all the lookups still work properly, and there is no longer a chance of a bad dererence anywhere. As a bonus, this lets us eliminate the setup/teardown routines for those pointers, and elimnates the need to preform any locking around them to prevent access while their being allocated/freed. I've updated the tipc_net structure to behave this way to fix the exact reported problem, and also fixed up the tipc_bearers and media_list arrays to fix an obvious simmilar problem that arises from issuing tipc-config commands to manipulate bearers/links prior to entering networked mode I've tested this for a few hours by running the sanity tests and stress test with the tipcutils suite, and nothing has fallen over. There have been a few lockdep warnings, but those were there before, and can be addressed later, as they didn't actually result in any deadlock. Signed-off-by: Neil Horman CC: Allan Stephens CC: David S. Miller CC: tipc-discussion@lists.sourceforge.net Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 21eaa71fdb6f33ee62c4e308d320510f14eac6b4 Author: Jiajun Wu Date: Mon Jan 18 05:47:50 2010 +0000 ucc_geth: Fix full TX queue processing commit 34692421bc7d6145ef383b014860f4fde10b7505 upstream. commit 7583605b6d29f1f7f6fc505b883328089f3485ad ("ucc_geth: Fix empty TX queue processing") fixed empty TX queue mishandling, but didn't account another corner case: when TX queue becomes full. Without this patch the driver will stop transmiting when TX queue becomes full since 'bd == ugeth->txBd[txQ]' actually checks for two things: queue empty or full. Let's better check for NULL skb, which unambiguously signals an empty queue. Signed-off-by: Jiajun Wu Signed-off-by: Anton Vorontsov Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 7c1558cb5e752c81ad3a151a5ac2c032a8dcfe23 Author: Anton Vorontsov Date: Thu Dec 24 05:31:05 2009 +0000 ucc_geth: Fix netdev watchdog triggering on link changes commit 08b5e1c91ce95793c59a59529a362a1bcc81faae upstream. Since commit 864fdf884e82bacbe8ca5e93bd43393a61d2e2b4 ("ucc_geth: Fix hangs after switching from full to half duplex") ucc_geth driver disables the controller during MAC configuration changes. Though, disabling the controller might take quite awhile, and so the netdev watchdog might get upset: NETDEV WATCHDOG: eth2 (ucc_geth): transmit queue 0 timed out ------------[ cut here ]------------ Badness at c02729a8 [verbose debug info unavailable] NIP: c02729a8 LR: c02729a8 CTR: c01b6088 REGS: c0451c40 TRAP: 0700 Not tainted (2.6.32-trunk-8360e) [...] NIP [c02729a8] dev_watchdog+0x280/0x290 LR [c02729a8] dev_watchdog+0x280/0x290 Call Trace: [c0451cf0] [c02729a8] dev_watchdog+0x280/0x290 (unreliable) [c0451d50] [c00377c4] run_timer_softirq+0x164/0x224 [c0451da0] [c0032a38] __do_softirq+0xb8/0x13c [c0451df0] [c00065cc] do_softirq+0xa0/0xac [c0451e00] [c003280c] irq_exit+0x7c/0x9c [c0451e10] [c00640c4] __ipipe_sync_stage+0x248/0x24c [...] This patch fixes the issue by detaching the netdev during the time we change the configuration. Reported-by: Lennart Sorensen Signed-off-by: Anton Vorontsov Tested-by: Lennart Sorensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 127af1f448cc797621c6d89ad769ff2af041dfdd Author: Anton Vorontsov Date: Thu Dec 24 05:31:03 2009 +0000 ucc_geth: Fix empty TX queue processing commit 7583605b6d29f1f7f6fc505b883328089f3485ad upstream. Following oops was seen with the ucc_geth driver: Unable to handle kernel paging request for data at address 0x00000058 Faulting instruction address: 0xc024f2fc Oops: Kernel access of bad area, sig: 11 [#1] [...] NIP [c024f2fc] skb_recycle_check+0x14/0x100 LR [e30aa0a4] ucc_geth_poll+0xd8/0x4e0 [ucc_geth_driver] Call Trace: [df857d50] [c000b03c] __ipipe_grab_irq+0x3c/0xa4 (unreliable) [df857d60] [e30aa0a4] ucc_geth_poll+0xd8/0x4e0 [ucc_geth_driver] [df857dd0] [c0258cf8] net_rx_action+0xf8/0x1b8 [df857e10] [c0032a38] __do_softirq+0xb8/0x13c [df857e60] [c00065cc] do_softirq+0xa0/0xac [...] This is because ucc_geth_tx() tries to process an empty queue when queues are logically stopped. Stopping the queues doesn't disable polling, and since nowadays ucc_geth_tx() is actually called from the polling routine, the oops above might pop up. Fix this by removing 'netif_queue_stopped() == 0' check. Reported-by: Lennart Sorensen Signed-off-by: Anton Vorontsov Tested-by: Lennart Sorensen Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 20dab696625a1eb15703d6d3db5bc3e7f8d9244b Author: Shi Weihua Date: Tue May 18 00:50:32 2010 +0000 Btrfs: should add a permission check for setfacl commit 2f26afba46f0ebf155cf9be746496a0304a5b7cf upstream. On btrfs, do the following ------------------ # su user1 # cd btrfs-part/ # touch aaa # getfacl aaa # file: aaa # owner: user1 # group: user1 user::rw- group::rw- other::r-- # su user2 # cd btrfs-part/ # setfacl -m u::rwx aaa # getfacl aaa # file: aaa # owner: user1 # group: user1 user::rwx <- successed to setfacl group::rw- other::r-- ------------------ but we should prohibit it that user2 changing user1's acl. In fact, on ext3 and other fs, a message occurs: setfacl: aaa: Operation not permitted This patch fixed it. Signed-off-by: Shi Weihua Signed-off-by: Chris Mason Signed-off-by: Greg Kroah-Hartman commit a9689bca9259bee4a8a2fab77d551836fbc1701a Author: James Chapman Date: Tue Mar 16 06:46:31 2010 +0000 l2tp: Fix oops in pppol2tp_xmit commit 3feec9095d12e311b7d4eb7fe7e5dfa75d4a72a5 upstream. When transmitting L2TP frames, we derive the outgoing interface's UDP checksum hardware assist capabilities from the tunnel dst dev. This can sometimes be NULL, especially when routing protocols are used and routing changes occur. This patch just checks for NULL dst or dev pointers when checking for netdev hardware assist features. BUG: unable to handle kernel NULL pointer dereference at 0000000c IP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] *pde = 00000000 Oops: 0000 [#1] SMP last sysfs file: /sys/class/net/lo/operstate Modules linked in: pppol2tp pppox ppp_generic slhc ipv6 dummy loop snd_hda_codec_atihdmi snd_hda_intel snd_hda_codec snd_pcm snd_timer snd soundcore snd_page_alloc evdev psmouse serio_raw processor button i2c_piix4 i2c_core ati_agp agpgart pcspkr ext3 jbd mbcache sd_mod ide_pci_generic atiixp ide_core ahci ata_generic floppy ehci_hcd ohci_hcd libata e1000e scsi_mod usbcore nls_base thermal fan thermal_sys [last unloaded: scsi_wait_scan] Pid: 0, comm: swapper Not tainted (2.6.32.8 #1) EIP: 0060:[] EFLAGS: 00010297 CPU: 3 EIP is at pppol2tp_xmit+0x341/0x4da [pppol2tp] EAX: 00000000 EBX: f64d1680 ECX: 000005b9 EDX: 00000000 ESI: f6b91850 EDI: f64d16ac EBP: f6a0c4c0 ESP: f70a9cac DS: 007b ES: 007b FS: 00d8 GS: 0000 SS: 0068 Process swapper (pid: 0, ti=f70a8000 task=f70a31c0 task.ti=f70a8000) Stack: 000005a9 000005b9 f734c400 f66652c0 f7352e00 f67dc800 00000000 f6b91800 <0> 000005a3 f70ef6c4 f67dcda9 000005a3 f89b192e 00000246 000005a3 f64d1680 <0> f63633e0 f6363320 f64d1680 f65a7320 f65a7364 f65856c0 f64d1680 f679f02f Call Trace: [] ? ppp_push+0x459/0x50e [ppp_generic] [] ? ppp_xmit_process+0x3b6/0x430 [ppp_generic] [] ? ppp_start_xmit+0x10d/0x120 [ppp_generic] [] ? dev_hard_start_xmit+0x21f/0x2b2 [] ? sch_direct_xmit+0x48/0x10e [] ? dev_queue_xmit+0x263/0x3a6 [] ? ip_finish_output+0x1f7/0x221 [] ? ip_forward_finish+0x2e/0x30 [] ? ip_rcv_finish+0x295/0x2a9 [] ? netif_receive_skb+0x3e9/0x404 [] ? e1000_clean_rx_irq+0x253/0x2fc [e1000e] [] ? e1000_clean+0x63/0x1fc [e1000e] [] ? sched_clock_local+0x15/0x11b [] ? net_rx_action+0x96/0x195 [] ? __do_softirq+0xaa/0x151 [] ? do_softirq+0x31/0x3c [] ? irq_exit+0x26/0x58 [] ? do_IRQ+0x78/0x89 [] ? common_interrupt+0x29/0x30 [] ? native_safe_halt+0x2/0x3 [] ? default_idle+0x55/0x75 [] ? c1e_idle+0xd2/0xd5 [] ? cpu_idle+0x46/0x62 Code: 8d 45 08 f0 ff 45 08 89 6b 08 c7 43 68 7e fb 9c f8 8a 45 24 83 e0 0c 3c 04 75 09 80 63 64 f3 e9 b4 00 00 00 8b 43 18 8b 4c 24 04 <8b> 40 0c 8d 79 11 f6 40 44 0e 8a 43 64 75 51 6a 00 8b 4c 24 08 EIP: [] pppol2tp_xmit+0x341/0x4da [pppol2tp] SS:ESP 0068:f70a9cac CR2: 000000000000000c Signed-off-by: James Chapman Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 1ef462bee227854af30cdf48e98c3f5a59ceda4f Author: Miklos Szeredi Date: Wed Feb 10 12:15:53 2010 +0100 vfs: add NOFOLLOW flag to umount(2) commit db1f05bb85d7966b9176e293f3ceead1cb8b5d79 upstream. Add a new UMOUNT_NOFOLLOW flag to umount(2). This is needed to prevent symlink attacks in unprivileged unmounts (fuse, samba, ncpfs). Additionally, return -EINVAL if an unknown flag is used (and specify an explicitly unused flag: UMOUNT_UNUSED). This makes it possible for the caller to determine if a flag is supported or not. CC: Eugene Teo CC: Michael Kerrisk Signed-off-by: Miklos Szeredi Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit de925d2eec426287ca3bde1079a80cb7bed2549b Author: Steve French Date: Thu Apr 22 19:21:55 2010 +0000 CIFS: Allow null nd (as nfs server uses) on create commit fa588e0c57048b3d4bfcd772d80dc0615f83fd35 upstream. While creating a file on a server which supports unix extensions such as Samba, if a file is being created which does not supply nameidata (i.e. nd is null), cifs client can oops when calling cifs_posix_open. Signed-off-by: Shirish Pargaonkar Signed-off-by: Steve French Signed-off-by: Greg Kroah-Hartman commit 4a1a39a88dc63f2d1373391fa4ad347e6dd94876 Author: Neil Horman Date: Wed Apr 28 10:30:59 2010 +0000 sctp: Fix skb_over_panic resulting from multiple invalid parameter errors (CVE-2010-1173) (v4) commit 5fa782c2f5ef6c2e4f04d3e228412c9b4a4c8809 upstream. Ok, version 4 Change Notes: 1) Minor cleanups, from Vlads notes Summary: Hey- Recently, it was reported to me that the kernel could oops in the following way: <5> kernel BUG at net/core/skbuff.c:91! <5> invalid operand: 0000 [#1] <5> Modules linked in: sctp netconsole nls_utf8 autofs4 sunrpc iptable_filter ip_tables cpufreq_powersave parport_pc lp parport vmblock(U) vsock(U) vmci(U) vmxnet(U) vmmemctl(U) vmhgfs(U) acpiphp dm_mirror dm_mod button battery ac md5 ipv6 uhci_hcd ehci_hcd snd_ens1371 snd_rawmidi snd_seq_device snd_pcm_oss snd_mixer_oss snd_pcm snd_timer snd_page_alloc snd_ac97_codec snd soundcore pcnet32 mii floppy ext3 jbd ata_piix libata mptscsih mptsas mptspi mptscsi mptbase sd_mod scsi_mod <5> CPU: 0 <5> EIP: 0060:[] Not tainted VLI <5> EFLAGS: 00010216 (2.6.9-89.0.25.EL) <5> EIP is at skb_over_panic+0x1f/0x2d <5> eax: 0000002c ebx: c033f461 ecx: c0357d96 edx: c040fd44 <5> esi: c033f461 edi: df653280 ebp: 00000000 esp: c040fd40 <5> ds: 007b es: 007b ss: 0068 <5> Process swapper (pid: 0, threadinfo=c040f000 task=c0370be0) <5> Stack: c0357d96 e0c29478 00000084 00000004 c033f461 df653280 d7883180 e0c2947d <5> 00000000 00000080 df653490 00000004 de4f1ac0 de4f1ac0 00000004 df653490 <5> 00000001 e0c2877a 08000800 de4f1ac0 df653490 00000000 e0c29d2e 00000004 <5> Call Trace: <5> [] sctp_addto_chunk+0xb0/0x128 [sctp] <5> [] sctp_addto_chunk+0xb5/0x128 [sctp] <5> [] sctp_init_cause+0x3f/0x47 [sctp] <5> [] sctp_process_unk_param+0xac/0xb8 [sctp] <5> [] sctp_verify_init+0xcc/0x134 [sctp] <5> [] sctp_sf_do_5_1B_init+0x83/0x28e [sctp] <5> [] sctp_do_sm+0x41/0x77 [sctp] <5> [] cache_grow+0x140/0x233 <5> [] sctp_endpoint_bh_rcv+0xc5/0x108 [sctp] <5> [] sctp_inq_push+0xe/0x10 [sctp] <5> [] sctp_rcv+0x454/0x509 [sctp] <5> [] ipt_hook+0x17/0x1c [iptable_filter] <5> [] nf_iterate+0x40/0x81 <5> [] ip_local_deliver_finish+0x0/0x151 <5> [] ip_local_deliver_finish+0xc6/0x151 <5> [] nf_hook_slow+0x83/0xb5 <5> [] ip_local_deliver+0x1a2/0x1a9 <5> [] ip_local_deliver_finish+0x0/0x151 <5> [] ip_rcv+0x334/0x3b4 <5> [] netif_receive_skb+0x320/0x35b <5> [] init_stall_timer+0x67/0x6a [uhci_hcd] <5> [] process_backlog+0x6c/0xd9 <5> [] net_rx_action+0xfe/0x1f8 <5> [] __do_softirq+0x35/0x79 <5> [] handle_IRQ_event+0x0/0x4f <5> [] do_softirq+0x46/0x4d Its an skb_over_panic BUG halt that results from processing an init chunk in which too many of its variable length parameters are in some way malformed. The problem is in sctp_process_unk_param: if (NULL == *errp) *errp = sctp_make_op_error_space(asoc, chunk, ntohs(chunk->chunk_hdr->length)); if (*errp) { sctp_init_cause(*errp, SCTP_ERROR_UNKNOWN_PARAM, WORD_ROUND(ntohs(param.p->length))); sctp_addto_chunk(*errp, WORD_ROUND(ntohs(param.p->length)), param.v); When we allocate an error chunk, we assume that the worst case scenario requires that we have chunk_hdr->length data allocated, which would be correct nominally, given that we call sctp_addto_chunk for the violating parameter. Unfortunately, we also, in sctp_init_cause insert a sctp_errhdr_t structure into the error chunk, so the worst case situation in which all parameters are in violation requires chunk_hdr->length+(sizeof(sctp_errhdr_t)*param_count) bytes of data. The result of this error is that a deliberately malformed packet sent to a listening host can cause a remote DOS, described in CVE-2010-1173: http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1173 I've tested the below fix and confirmed that it fixes the issue. We move to a strategy whereby we allocate a fixed size error chunk and ignore errors we don't have space to report. Tested by me successfully Signed-off-by: Neil Horman Acked-by: Vlad Yasevich Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 644e1e4321b95542b5f16e65ff30976c2f634512 Author: Steven Whitehouse Date: Mon May 24 14:36:48 2010 +0100 GFS2: Fix permissions checking for setflags ioctl() commit 7df0e0397b9a18358573274db9fdab991941062f upstream. We should be checking for the ownership of the file for which flags are being set, rather than just for write access. Reported-by: Dan Rosenberg Signed-off-by: Steven Whitehouse Signed-off-by: Greg Kroah-Hartman commit 6e3312e22f1cb180d7512d4717fad8145db2b436 Author: Grazvydas Ignotas Date: Sat Jun 5 02:25:47 2010 +0300 wl1251: fix a memory leak in probe commit aa679c36756003f1fabdb9fc6f00eb159559f7c3 upstream. wl1251_sdio_probe() error path is missing wl1251_free_hw, add it. Signed-off-by: Grazvydas Ignotas Acked-by: Kalle Valo Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit b1f2cb1c72fe65ea0a8c91b31478541529fa4de1 Author: Wey-Yi Guy Date: Fri Nov 20 12:05:03 2009 -0800 iwlwifi: update supported PCI_ID list for 5xx0 series commit ac592574a577162183b5c1dd040a188caa068a29 upstream. Update the PCI_ID list for 5xx0 series. Remove all the PCI_IDs which never made into production or not longer in production. Also make sure the supported bands(a/b/g/n) match specified PCI_IDs Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 85bb667730fc53cf6616214105e879cb12cc7924 Author: Reinette Chatre Date: Mon May 3 10:55:07 2010 -0700 iwlwifi: recalculate average tpt if not current commit 3d79b2a9eeaa066b35c49fbb17e3156a3c482c3e upstream. We currently have this check as a BUG_ON, which is being hit by people. Previously it was an error with a recalculation if not current, return that code. The BUG_ON was introduced by: commit 3110bef78cb4282c58245bc8fd6d95d9ccb19749 Author: Guy Cohen Date: Tue Sep 9 10:54:54 2008 +0800 iwlwifi: Added support for 3 antennas ... the portion adding the BUG_ON is reverted since we are encountering the error and BUG_ON was created with assumption that error is not encountered. Signed-off-by: Reinette Chatre Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit d0b76ade96c3964f29de46f74c3b1d8aa558cc8e Author: Wey-Yi Guy Date: Wed Feb 3 12:24:44 2010 -0800 iwlwifi: check for aggregation frame and queue commit 45d427001b5eec03cecaacddb53c73af46bb263e upstream. Error checking for aggregation frames should go into aggregation queue, if aggregation queue not available, use legacy queue instead. Also make sure the aggregation queue is available to activate, if driver and mac80211 is out-of-sync, try to disable the queue and sync-up with mac80211. Signed-off-by: Wey-Yi Guy Signed-off-by: Reinette Chatre Signed-off-by: Greg Kroah-Hartman commit 595fbf5d7b104ccbd755f452f7c9af1ce518e99e Author: Roberto Sassu Date: Thu Jun 3 11:58:28 2010 +0200 wrong type for 'magic' argument in simple_fill_super() commit 7d683a09990ff095a91b6e724ecee0ff8733274a upstream. It's used to superblock ->s_magic, which is unsigned long. Signed-off-by: Roberto Sassu Reviewed-by: Mimi Zohar Signed-off-by: Eric Paris Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit 250312c4cfff9464353b92b75afad4aa2eb164bb Author: Jesse Barnes Date: Fri Feb 12 09:30:00 2010 -0800 drm/i915: give up on 8xx lid status commit 7b9c5abee98c54f85bcc04bd4d7ec8d5094c73f4 upstream. These old machines more often than not lie about their lid state. So don't use it to detect LVDS presence, but leave the event handler to deal with lid open/close, when we might need to reset the mode. Fixes kernel bug #15248 Signed-off-by: Jesse Barnes Signed-off-by: Eric Anholt Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 6b2c1eb8b7f909c827020d2966a7088bd4b253e0 Author: Luis R. Rodriguez Date: Tue Feb 2 11:58:33 2010 -0500 ath9k: add support for 802.11n bonded out AR2427 commit 5ffaf8a361b4c9025963959a744f21d8173c7669 upstream. Some single chip family devices are sold in the market with 802.11n bonded out, these have no hardware capability for 802.11n but ath9k can still support them. These are called AR2427. [bwh: backported to 2.6.32] Reported-by: Rolf Leggewie Tested-by: Bernhard Reiter Signed-off-by: Luis R. Rodriguez Signed-off-by: John W. Linville Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 46615c1f8958e669cce7ded58ae135c425d0d361 Author: John W. Linville Date: Wed Dec 9 16:43:52 2009 -0500 wireless: report reasonable bitrate for MCS rates through wext commit 254416aae70ab2e6b57fd79782c8a67196234d02 upstream. Previously, cfg80211 had reported "0" for MCS (i.e. 802.11n) bitrates through the wireless extensions interface. However, nl80211 was converting MCS rates into a reasonable bitrate number. This patch moves the nl80211 code to cfg80211 where it is now shared between both the nl80211 interface and the wireless extensions interface. Signed-off-by: John W. Linville Cc: Ben Hutchings Signed-off-by: Greg Kroah-Hartman commit 009503a990c81d4cea2250a2c98bc6bcd4063350 Author: Ben Hutchings Date: Mon Jan 11 15:53:45 2010 -0800 Documentation/3c509: document ethtool support commit aa4e2e171385bb77b4da8b760d26dea2aa291587 upstream. 3c509 was changed to support ethtool in 2002, making the 'xcvr' module parameter obsolete in most cases. More recently 3c509 was converted to the modern driver model and this parameter was removed. Fix the documentation to refer to ethtool rather than the module parameter. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 411f04e3b62272894de8829e80bce5a22d1dca38 Author: Ben Hutchings Date: Thu Jan 7 02:41:51 2010 +0000 dmfe/tulip: Let dmfe handle DM910x except for SPARC on-board chips commit 4d907069bc1b745f4abd4745c332d33098e733b8 upstream. The Davicom DM9100 and DM9102 chips are used on the motherboards of some SPARC systems (supported by the tulip driver) and also in PCI expansion cards (supported by the dmfe driver). There is no difference in the PCI device ids for the two different configurations, so these drivers both claim the device ids. However, it is possible to distinguish the two configurations by the presence of Open Firmware properties for them, so we do that. Signed-off-by: Ben Hutchings Signed-off-by: Grant Grundler Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 3a088cb06e66adb133052d3fab43ec0cebb4f709 Author: Ben Hutchings Date: Mon Dec 14 16:05:09 2009 +0000 via-velocity: Give RX descriptors to the NIC later on open or MTU change commit 35bb5cadc8c7b1462df57e32e08d964f1be7a75c upstream. velocity_open() calls velocity_give_many_rx_descs(), which gives RX descriptors to the NIC, before installing an interrupt handler or calling velocity_init_registers(). I think this is very unsafe and it appears to explain the bug report . On MTU change, velocity_give_many_rx_descs() is again called before velocity_init_registers(). I'm not sure whether this is unsafe but it does look wrong. Therefore, move the calls to velocity_give_many_rx_descs() after request_irq() and velocity_init_registers(). Signed-off-by: Ben Hutchings Tested-by: Jan Ceuleers Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 94df9bd3ee39444929284e7e564a1e0e310747f5 Author: Ben Hutchings Date: Tue Dec 1 19:09:52 2009 +0000 atl1e: Allow TX checksum offload and TSO to be disabled and reenabled commit ac936929092dc6a5409b627c4c67305ab9b626b3 upstream. Signed-off-by: Ben Hutchings Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6ca3f51a983b03ba92fd1851cc9f281a39003a04 Author: Jason Dravet Date: Sat Jun 5 15:08:29 2010 -0500 p54usb: Add device ID for Dell WLA3310 USB commit 0f666a08901f8b01f294ca0ad751019375240ae3 upstream. Add Dell WLA3310 USB wireless card, which has a Z-Com XG-705A chipset, to the USB Ids in p54usb. Signed-off-by: Jason Dravet Tested-by: Richard Gregory Tillmore Signed-off-by: Larry Finger Acked-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 439cf16bb5f168cac2e240bf21f4ee3a96979919 Author: Axel Lin Date: Mon May 31 08:04:47 2010 +0800 USB: cdc-acm: fix resource reclaim in error path of acm_probe commit c2572b78aa0447244a38e555ebb1b3b48a0088a5 upstream. This patch fixes resource reclaim in error path of acm_probe: 1. In the case of "out of memory (read urbs usb_alloc_urb)\n")", there is no need to call acm_read_buffers_free(acm) here. Fix it by goto alloc_fail6 instead of alloc_fail7. 2. In the case of "out of memory (write urbs usb_alloc_urb)", usb_alloc_urb may fail in any iteration of the for loop. Current implementation does not properly free allocated snd->urb. Fix it by goto alloc_fail8 instead of alloc_fail7. 3. In the case of device_create_file(&intf->dev,&dev_attr_iCountryCodeRelDate) fail, acm->country_codes is kfreed. As a result, device_remove_file for dev_attr_wCountryCodes will not be executed in acm_disconnect. Fix it by calling device_remove_file for dev_attr_wCountryCodes before goto skip_countries. Signed-off-by: Axel Lin Acked-by: Oliver Neukum Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit e067c7a9f9441cf9c3e2e81e22a01fa54f2f3434 Author: Daniel Mack Date: Thu Jun 3 13:55:02 2010 +0200 USB: ftdi_sio: fix DTR/RTS line modes commit 6a1a82df91fa0eb1cc76069a9efe5714d087eccd upstream. Call set_mctrl() and clear_mctrl() according to the flow control mode selected. This makes serial communication for FT232 connected devices work when CRTSCTS is not set. This fixes a regression introduced by 4175f3e31 ("tty_port: If we are opened non blocking we still need to raise the carrier"). This patch calls the low-level driver's dtr_rts() function which consequently sets TIOCM_DTR | TIOCM_RTS. A later call to set_termios() without CRTSCTS in cflags, however, does not reset these bits, and so data is not actually sent out on the serial wire. Signed-off-by: Daniel Mack Cc: Johan Hovold Cc: Alan Cox Signed-off-by: Greg Kroah-Hartman commit d1ba1dd79a088e505b6cb030f5f3f01f653c56d1 Author: Sarah Sharp Date: Mon May 24 13:25:15 2010 -0700 USB: xhci: Wait for controller to be ready after reset. commit 2d62f3eea98354d61f90d6b115eecf9be5f4bdfe upstream. After software resets an xHCI host controller, it must wait for the "Controller Not Ready" (CNR) bit in the status register to be cleared. Software is not supposed to ring any doorbells or write to any registers except the status register until this bit is cleared. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit d9c1ee1895d3d6266656527c729e5278904a3e36 Author: Sarah Sharp Date: Mon May 24 13:25:21 2010 -0700 USB: xhci: Wait for host to start running. commit ed07453fd356025cc25272629e982f5e4607632c upstream. When the run bit is set in the xHCI command register, it may take a few microseconds for the host to start running. We cannot ring any doorbells until the host is actually running, so wait until the status register says the host is running. Signed-off-by: Sarah Sharp Reported-by: Shinya Saito Signed-off-by: Greg Kroah-Hartman commit 87d3fd19311ae9575b1f14d054e34f4598e2d106 Author: Johan Hovold Date: Wed May 19 22:13:17 2010 +0200 USB: mos7840: fix null-pointer dereference commit b41709f1263bb1ad37efc43fea0bb0b670c12e78 upstream. Fix null-pointer dereference on error path. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 2f2b2a2c2f15ea1ac21d19fed7fc51520d94c65c Author: Chris Wilson Date: Thu May 27 13:18:18 2010 +0100 drm/i915: Rebind bo if currently bound with incorrect alignment. commit ac0c6b5ad3b3b513e1057806d4b7627fcc0ecc27 upstream. Whilst pinning the buffer, check that that its current alignment matches the requested alignment. If it does not, rebind. This should clear up any final render errors whilst resuming, for reference: Bug 27070 - [i915] Page table errors with empty ringbuffer https://bugs.freedesktop.org/show_bug.cgi?id=27070 Bug 15502 - render error detected, EIR: 0x00000010 https://bugzilla.kernel.org/show_bug.cgi?id=15502 Bug 13844 - i915 error: "render error detected" https://bugzilla.kernel.org/show_bug.cgi?id=13844 Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit da86663542979859c5b0e8f52aaf6f1745254b27 Author: Tejun Heo Date: Mon May 31 16:26:48 2010 +0200 sata_via: magic vt6421 fix for transmission problems w/ WD drives commit 8b27ff4cf6d15964aa2987aeb58db4dfb1f87a19 upstream. vt6421 has problems talking to recent WD drives. It causes a lot of transmission errors while high bandwidth transfer as reported in the following bugzilla entry. https://bugzilla.kernel.org/show_bug.cgi?id=15173 Joseph Chan provided the following fix. I don't have any idea what it does but I can verify the issue is gone with the patch applied. Signed-off-by: Tejun Heo Originally-from: Joseph Chan Reported-by: Jorrit Tijben Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 8d2b5b63d3586f3e258b8c5cffbdc45e743fcafa Author: Tejun Heo Date: Tue Jun 1 17:29:21 2010 +0200 sata_nv: don't diddle with nIEN on mcp55 commit f3faf8fc3fab45c3526efe8c9e99bb23f8723350 upstream. On mcp55, nIEN gets stuck once set and liteon blueray rom iHOS104-08 violates ATA specification and fails to set I on D2H Reg FIS if nIEN is set when the command was issued. When the other party is following the spec, both devices can work fine but when the two flaws are put together, they can't talk to each other. mcp55 has its own IRQ masking mechanism and there's no reason to mess with nIEN in the first place. Fix it by dropping nIEN diddling from nv_mcp55_freeze/thaw(). This was originally reported by Cengiz. Although Cengiz hasn't verified the fix yet, I could reproduce this problem and verfiy the fix. Even if Cengiz is experiencing different or additional problems, this patch is needed. Signed-off-by: Tejun Heo Reported-by: Cengiz Günay Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 964baffc6f14ece601c417f9a94c8dbcdd5c97a2 Author: Stephane Eranian Date: Wed Mar 17 23:21:01 2010 +0200 perf_events: Fix resource leak in x86 __hw_perf_event_init() commit 4b24a88b35e15e04bd8f2c5dda65b5dc8ebca05f upstream. If reserve_pmc_hardware() succeeds but reserve_ds_buffers() fails, then we need to release_pmc_hardware. It won't be done by the destroy() callback because we return before setting it in case of error. Signed-off-by: Stephane Eranian Cc: peterz@infradead.org Cc: paulus@samba.org Cc: davem@davemloft.net Cc: fweisbec@gmail.com Cc: robert.richter@amd.com Cc: perfmon2-devel@lists.sf.net LKML-Reference: <4ba1568b.15185e0a.182a.7802@mx.google.com> Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 2a6705430f6159a5e086cc58f9f173f2fdfcb3a5 Author: Stefan Richter Date: Sun May 30 19:43:52 2010 +0200 firewire: core: check for 1394a compliant IRM, fix inaccessibility of Sony camcorder commit 10389536742cefbedecb67a5b2906f155cf3a1c3 upstream. Per IEEE 1394 clause 8.4.2.3, a contender for the IRM role shall check whether the current IRM complies to 1394a-2000 or later. If not force a compliant node (e.g. itself) to become IRM. This was implemented in the older ieee1394 driver but not yet in firewire-core. An older Sony camcorder (Sony DCR-TRV25) which implements 1394-1995 IRM but neither 1394a-2000 IRM nor BM was now found to cause an interoperability bug: - Camcorder becomes root node when plugged in, hence gets IRM role. - firewire-core successfully contends for BM role, proceeds to perform gap count optimization and resets the bus. - Sony camcorder ignores presence of a BM (against the spec, this is a firmware bug), performs its idea of gap count optimization and resets the bus. - Preceding two steps are repeated endlessly, bus never settles, regular I/O is practically impossible. http://thread.gmane.org/gmane.linux.kernel.firewire.user/3913 This is an interoperability regression from the old to the new drivers. Fix it indirectly by adding the 1394a IRM check. The spec suggests three and a half methods to determine 1394a compliance of a remote IRM; we choose the method of testing the Config_ROM.Bus_Info.generation field. This is data that firewire-core should have readily available at this point, i.e. does not require extra I/O. Reported-by: Clemens Ladisch (missing 1394a check) Reported-by: H. S. (issue with Sony DCR-TRV25) Tested-by: H. S. Signed-off-by: Stefan Richter Signed-off-by: Greg Kroah-Hartman commit 9b55bef26e1fd22ccdfa2d6803e7450e05d29e82 Author: Tejun Heo Date: Thu Jun 3 11:57:04 2010 +0200 ahci: add pci quirk for JMB362 commit 4daedcfe8c6851aa01cc1997220f2577f4039c13 upstream. JMB362 is a new variant of jmicron controller which is similar to JMB360 but has two SATA ports instead of one. As there is no PATA port, single function AHCI mode can be used as in JMB360. Add pci quirk for JMB362. Signed-off-by: Tejun Heo Reported-by: Aries Lee Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 0a1a8d8443d8deeb30985b531f34542c97c095a6 Author: Bob Copeland Date: Fri Jun 4 08:14:14 2010 -0400 ath5k: retain promiscuous setting commit 6b5dcccb495b66b3b0b9581cdccfed038e5d68a2 upstream. Commit 56d1de0a21db28e41741cfa0a66e18bc8d920554, "ath5k: clean up filter flags setting" introduced a regression in monitor mode such that the promisc filter flag would get lost. Although we set the promisc flag when it changed, we did not preserve it across subsequent calls to configure_filter. This patch restores the original functionality. Bisected-by: weedy2887@gmail.com Tested-by: weedy2887@gmail.com Tested-by: Rick Farina Signed-off-by: Bob Copeland Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 98c26ee126baf7360a58391d2ebd152501aeb0cd Author: Paul Mundt Date: Wed Jun 2 17:10:44 2010 +0900 clocksource: sh_cmt: compute mult and shift before registration commit f4d7c3565c1692c54d9152b52090fe73f0029e37 upstream. Based on the sh_tmu change in 66f49121ffa41a19c59965b31b046d8368fec3c7 ("clocksource: sh_tmu: compute mult and shift before registration"). The same issues impact the sh_cmt driver, so we take the same approach here. Signed-off-by: Paul Mundt Signed-off-by: Greg Kroah-Hartman commit 7d5c64f6f0489592fefe4d81f911fdc078a1735e Author: Martin Homuth-Rosemann Date: Mon May 31 22:33:04 2010 +0200 Staging: comedi - correct parameter gainlkup for DAQCard-6024E in driver ni_mio_cs.c commit ebe8622342f12bed387f7de4b5fb7c52005ccb29 upstream. Correct at least one of the incorrect specs for a national instrument data acquisition card DAQCard-6024E. This card has only four different gain settings (+-10V, +-5V, +-0.5V, +-0.05V). Signed-off-by: Martin Homuth-Rosemann Signed-off-by: Greg Kroah-Hartman commit d26a819c317490290c55babce0fc78680d0fbe86 Author: Daniel T Chen Date: Sun May 30 13:08:41 2010 -0400 ALSA: hda: Use LPIB for ASUS M2V commit 9f75c1b12c5ef392ddcea575b13560842c28b1b3 upstream. BugLink: https://launchpad.net/bugs/587546 Symptom: On the reporter's ASUS M2V, using PulseAudio in Ubuntu 10.04 LTS results in the PA daemon crashing shortly after attempting playback of an audio file. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, attempt playback of an audio file while PulseAudio is active. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: D Tangman Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit c05595d133e07d94efcc4044baa8f76c0b1bc6f1 Author: Daniel T Chen Date: Sun May 30 19:31:41 2010 -0400 ALSA: hda: Use LPIB for another mainboard commit b90c076424da8166797bdc34187660fd0124f530 upstream. BugLink: https://launchpad.net/bugs/580749 Symptom: on the original reporter's VIA VT1708-based board, the PulseAudio daemon dies shortly after the user attempts to play an audio file. Test case: boot from Ubuntu 10.04 LTS live cd; attempt to play an audio file. Resolution: add SSID for the original reporter's hardware to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Harald Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 5d0ff0bb9d94d104d8b813a72a46ecc7ce09290a Author: Daniel T Chen Date: Sun May 30 09:55:23 2010 -0400 ALSA: hda: Use mb31 quirk for an iMac model commit 26fd74fc01991a18f0e3bd54f8b1b75945ee3dbb upstream. BugLink: https://launchpad.net/bugs/542550 Symptom: On the reporter's iMac, in Ubuntu 10.04 LTS neither playback nor capture appear audible out-of-the-box. Test case: Boot from an Ubuntu 10.04 LTS live cd or from an installed configuration and attempt to play or capture audio. Resolution: Specify the mb31 quirk for this machine in the codec SSID table. Reported-and-Tested-By: f3a97 Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit f68e3e74b18da06da471bfca64aad96692d88492 Author: Daniel T Chen Date: Sun May 30 01:17:03 2010 -0400 ALSA: hda: Use LPIB for an ASUS device commit dd37f8e8659bc617c3f2a84e007a4824ccdac458 upstream. BugLink: https://launchpad.net/bugs/465942 Symptom: On the reporter's ASUS device, using PulseAudio in Ubuntu 10.04 LTS results in the PA daemon crashing shortly after attempting to select capture or to configure the audio hardware profile. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, adjust the HDA device's capture volume with PulseAudio. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Irihapeti Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit b6d1fd29840e29d1a87d0ab15ee1ccc90ea15ec4 Author: Ian Campbell Date: Tue May 25 10:45:35 2010 +0100 xen: avoid allocation causing potential swap activity on the resume path commit b3831cb55d383e8eb55d3b56c715fb48459b87c9 upstream. Since the device we are resuming could be the device containing the swap device we should ensure that the allocation cannot cause IO. On resume, this path is triggered when the running system tries to continue using its devices. If it cannot then the resume will fail; to try to avoid this we let it dip into the emergency pools. The majority of these changes were made when linux-2.6.18-xen.hg changeset e8b49cfbdac0 was ported upstream in a144ff09bc52ef3f3684ed23eadc9c7c0e57b3aa but somehow this hunk was dropped. Signed-off-by: Ian Campbell Acked-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit 0f58db21025d979e38db691861985ebc931551b1 Author: Ian Campbell Date: Wed May 19 16:19:25 2010 +0100 xen: ensure timer tick is resumed even on CPU driving the resume commit cd52e17ea8278f8449b6174a8e5ed439a2e44ffb upstream. The core suspend/resume code is run from stop_machine on CPU0 but parts of the suspend/resume machinery (including xen_arch_resume) are run on whichever CPU happened to schedule the xenwatch kernel thread. As part of the non-core resume code xen_arch_resume is called in order to restart the timer tick on non-boot processors. The boot processor itself is taken care of by core timekeeping code. xen_arch_resume uses smp_call_function which does not call the given function on the current processor. This means that we can end up with one CPU not receiving timer ticks if the xenwatch thread happened to be scheduled on CPU > 0. Use on_each_cpu instead of smp_call_function to ensure the timer tick is resumed everywhere. Signed-off-by: Ian Campbell Acked-by: Jeremy Fitzhardinge Signed-off-by: Greg Kroah-Hartman commit caa8ddf37773b0ce0037560408871ae2e963fa02 Author: Gabor Gombas Date: Mon May 24 12:13:18 2010 -0700 x86, setup: Phoenix BIOS fixup is needed on Dell Inspiron Mini 1012 commit 3d6e77a3ddb8e4156b89f4273ff8c7d37abaf781 upstream. The low-memory corruption checker triggers during suspend/resume, so we need to reserve the low 64k. Don't be fooled that the BIOS identifies itself as "Dell Inc.", it's still Phoenix BIOS. [ hpa: I think we blacklist almost every BIOS in existence. We should either change this to a whitelist or just make it unconditional. ] Signed-off-by: Gabor Gombas LKML-Reference: <201005241913.o4OJDIMM010877@imap1.linux-foundation.org> Signed-off-by: Andrew Morton Signed-off-by: H. Peter Anvin Signed-off-by: Greg Kroah-Hartman commit 450316437bff3ba1fe338ea1b9d600eaa6577293 Author: Jiri Kosina Date: Wed May 26 14:43:53 2010 -0700 ipmi: handle run_to_completion properly in deliver_recv_msg() commit a747c5abc329611220f16df0bb4cf0ca4a7fdf0c upstream. If run_to_completion flag is set, it means that we are running in a single-threaded mode, and thus no locks are held. This fixes a deadlock when IPMI notifier is being called during panic. Signed-off-by: Jiri Kosina Acked-by: Corey Minyard Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit acf1790936c90b597fc4b176ff86f85db1ebd77c Author: Jeff Moyer Date: Wed May 26 11:49:40 2010 -0400 do_generic_file_read: clear page errors when issuing a fresh read of the page commit 91803b499cca2fe558abad709ce83dc896b80950 upstream. I/O errors can happen due to temporary failures, like multipath errors or losing network contact with the iSCSI server. Because of that, the VM will retry readpage on the page. However, do_generic_file_read does not clear PG_error. This causes the system to be unable to actually use the data in the page cache page, even if the subsequent readpage completes successfully! The function filemap_fault has had a ClearPageError before readpage forever. This patch simply adds the same to do_generic_file_read. Signed-off-by: Jeff Moyer Signed-off-by: Rik van Riel Acked-by: Larry Woodman Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a05664310fd29d02e4f8df9bd3817af6266e5eaf Author: Oleg Nesterov Date: Wed May 26 14:42:54 2010 -0700 signals: check_kill_permission(): don't check creds if same_thread_group() commit 065add3941bdca54fe04ed3471a96bce9af88793 upstream. Andrew Tridgell reports that aio_read(SIGEV_SIGNAL) can fail if the notification from the helper thread races with setresuid(), see http://samba.org/~tridge/junkcode/aio_uid.c This happens because check_kill_permission() doesn't permit sending a signal to the task with the different cred->xids. But there is not any security reason to check ->cred's when the task sends a signal (private or group-wide) to its sub-thread. Whatever we do, any thread can bypass all security checks and send SIGKILL to all threads, or it can block a signal SIG and do kill(gettid(), SIG) to deliver this signal to another sub-thread. Not to mention that CLONE_THREAD implies CLONE_VM. Change check_kill_permission() to avoid the credentials check when the sender and the target are from the same thread group. Also, move "cred = current_cred()" down to avoid calling get_current() twice. Note: David Howells pointed out we could relax this even more, the CLONE_SIGHAND (without CLONE_THREAD) case probably does not need these checks too. Roland said: : The glibc (libpthread) that does set*id across threads has : been in use for a while (2.3.4?), probably in distro's using kernels as old : or older than any active -stable streams. In the race in question, this : kernel bug is breaking valid POSIX application expectations. Reported-by: Andrew Tridgell Signed-off-by: Oleg Nesterov Acked-by: Roland McGrath Acked-by: David Howells Cc: Eric Paris Cc: Jakub Jelinek Cc: James Morris Cc: Roland McGrath Cc: Stephen Smalley Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 13778d03ee925ff88a5809973e0d41f1efa954ff Author: Ira W. Snyder Date: Thu May 27 19:59:02 2010 +0200 hwmon: (ltc4245) Read only one GPIO pin commit df16dd53c575d0cb9dbee20a3149927c862a9ff6 upstream. Read only one of the GPIO pins as an analog voltage. The ADC can be switched to a different GPIO pin at runtime, but this is not supported. Previously, this driver would report the analog voltage of the currently selected GPIO pin as all three GPIO voltages: in9_input, in10_input and in11_input. Signed-off-by: Ira W. Snyder Signed-off-by: Jean Delvare Signed-off-by: Greg Kroah-Hartman commit 5f375bcd1f8622545651766f7cfd267aa461d353 Author: Dave Airlie Date: Sat May 29 06:50:37 2010 +1000 drm/radeon: fix the r100/r200 ums block 0 page fix commit cf22f20ade30f8c03955324aaf27b1049e182600 upstream. airlied -> brown paper bag. I blame Hi-5 or the Wiggles for lowering my IQ, move the fix inside some brackets instead of breaking everything in site. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 6f4de4a36eafdebcc30d9ac75efbf3415df4e448 Author: Dave Airlie Date: Wed Feb 24 17:17:13 2010 +1000 drm/radeon: r100/r200 ums: block ability for userspace app to trash 0 page and beyond commit 566d84d172161cb6c0c4dd834c34abbac6bf7b38 upstream. radeon's have a special ability to passthrough writes in their internal memory space directly to PCI, this ability means that if some of the internal surfaces like the depth buffer point at 0x0, any writes to these will go directly to RAM at 0x0 via PCI busmastering. Now mesa used to always emit clears after emitting state, since the radeon mesa driver was refactored a year or more ago, it was found it could generate a clear request without ever sending any setup state to the card. So the clear would attempt to clear the depth buffer at 0x0, which would overwrite main memory at this point. fs corruption ensues. Also once one app did this correctly, it would never get set back to 0 making this messy to reproduce. The kernel should block this from happening as mesa runs without privs, though it does require the user be connected to the current running X session. This patch implements a check to make sure the depth offset has been set before a depth clear occurs and if it finds one it prints a warning and ignores the depth clear request. There is also a mesa fix to avoid sending the badness going into mesa. This only affects r100/r200 GPUs in user modesetting mode. Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 3ff0cdb854dc9073816ca239a6e8e15c0c735cf2 Author: Mark Brown Date: Tue May 25 10:49:00 2010 -0700 ASoC: Fix dB scales for WM8990 commit f68596c6d8711650722b2a54328a088a2c21bc5b upstream. These should be regular, not linear. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 5ab4f47251a3ac5ddb236a826c8f22b7c600d02a Author: Mark Brown Date: Tue May 25 10:48:31 2010 -0700 ASoC: Fix dB scales for WM8400 commit 3351e9fbb0fda6498ee149ee88c67f5849813c57 upstream. These scales should be regular, not linear. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 2216493c4bb53423a1589f1f2beafb323d8f8154 Author: Mark Brown Date: Tue May 25 10:46:05 2010 -0700 ASoC: Fix dB scales for WM835x commit e6a08c5a8990102bcd1f4bae84b668da6c23caa9 upstream. These should be regular rather than linear scales. Signed-off-by: Mark Brown Acked-by: Liam Girdwood Signed-off-by: Greg Kroah-Hartman commit 039c54401c0702270af28e1fff39e3b0da68324f Author: Russell King Date: Thu May 27 08:23:29 2010 +0100 ARM: VFP: Fix vfp_put_double() for d16-d31 commit 138de1c44a8e0606501cd8593407e9248e84f1b7 upstream. vfp_put_double() takes the double value in r0,r1 not r1,r2. Reported-by: Tarun Kanti DebBarma Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 998396be9ceeb6d02127d9ae6ce1cb6b3659a25d Author: Linus Walleij Date: Wed May 26 07:37:57 2010 +0100 ARM: 6144/1: TCM memory bug freeing bug commit ea208f646c8fb91c39c852e952fc911e1ad045ab upstream. This fixes a bug in mm/init.c when freeing the TCM compile memory, this was being referred to as a char * which is incorrect: this will dereference the pointer and feed in the value at the location instead of the address to it. Change it to a plain char and use &(char) to reference it. Signed-off-by: Linus Walleij Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit f26a43c5a1c7cf8f7c9c2007fbd0f1789df99db3 Author: Marek Vašut Date: Wed May 26 23:53:09 2010 +0100 ARM: 6146/1: sa1111: Prevent deadlock in resume path commit 3defb2476166445982a90c12d33f8947e75476c4 upstream. This patch reorganises the sa1111_resume() function in a manner the spinlock happens after calling the sa1111_wake(). This fixes two bugs: 1) This function called sa1111_wake() which tried to claim the same spinlock the sa1111_resume() already claimed. This would result in certain deadlock. Original idea for this part: Russell King 2) The function didn't unlock the spinlock in case the chip didn't report correct ID. Original idea for this part: Julia Lawall Signed-off-by: Marek Vasut Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 1db9679a1567e1f0dc5d9103911f5cfd7eb493a9 Author: Khem Raj Date: Fri Jun 4 04:05:15 2010 +0100 ARM: 6164/1: Add kto and kfrom to input operands list. commit 9a40ac86152c9cffd3dca482a15ddf9a8c5716b3 upstream. When functions incoming parameters are not in input operands list gcc 4.5 does not load the parameters into registers before calling this function but the inline assembly assumes valid addresses inside this function. This breaks the code because r0 and r1 are invalid when execution enters v4wb_copy_user_page () Also the constant needs to be used as third input operand so account for that as well. Tested on qemu arm. Signed-off-by: Khem Raj Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 39be45ee5ca20b54cdcf74c77933acc3f560ed7c Author: Anfei Date: Tue Jun 8 15:16:49 2010 +0100 ARM: 6166/1: Proper prefetch abort handling on pre-ARMv6 commit 5e27fb78df95e027723af2c90ecc9b4527ae59e9 upstream. Instruction faults on pre-ARMv6 CPUs are interpreted as a 'translation fault', but do_translation_fault doesn't handle well if user mode trying to run instruction above TASK_SIZE, and result in the infinite retry of that instruction. Signed-off-by: Anfei Zhou Signed-off-by: Russell King Signed-off-by: Greg Kroah-Hartman commit 12a5a0e39bc503ccbbf68e697d06397cba2afc79 Author: Sebastien Dugue Date: Thu May 20 15:58:22 2010 -0700 mlx4_core: Fix possible chunk sg list overflow in mlx4_alloc_icm() commit c0dc72bad9cf21071f5e4005de46f7c8b67a138a upstream. If the number of sg entries in the ICM chunk reaches MLX4_ICM_CHUNK_LEN, we must set chunk to NULL even for coherent mappings so that the next time through the loop will allocate another chunk. Otherwise we'll overflow the sg list the next time through the loop. This will lead to memory corruption if this case is hit. mthca does not have this bug. Signed-off-by: Sebastien Dugue Signed-off-by: Roland Dreier Signed-off-by: Greg Kroah-Hartman commit 2de2efaa44e68c4ceff425b0710ad14d2228fe0d Author: KOSAKI Motohiro Date: Mon May 24 14:31:48 2010 -0700 tmpfs: insert tmpfs cache pages to inactive list at first commit e9d6c157385e4efa61cb8293e425c9d8beba70d3 upstream. Shaohua Li reported parallel file copy on tmpfs can lead to OOM killer. This is regression of caused by commit 9ff473b9a7 ("vmscan: evict streaming IO first"). Wow, It is 2 years old patch! Currently, tmpfs file cache is inserted active list at first. This means that the insertion doesn't only increase numbers of pages in anon LRU, but it also reduces anon scanning ratio. Therefore, vmscan will get totally confused. It scans almost only file LRU even though the system has plenty unused tmpfs pages. Historically, lru_cache_add_active_anon() was used for two reasons. 1) Intend to priotize shmem page rather than regular file cache. 2) Intend to avoid reclaim priority inversion of used once pages. But we've lost both motivation because (1) Now we have separate anon and file LRU list. then, to insert active list doesn't help such priotize. (2) In past, one pte access bit will cause page activation. then to insert inactive list with pte access bit mean higher priority than to insert active list. Its priority inversion may lead to uninteded lru chun. but it was already solved by commit 645747462 (vmscan: detect mapped file pages used only once). (Thanks Hannes, you are great!) Thus, now we can use lru_cache_add_anon() instead. Signed-off-by: KOSAKI Motohiro Reported-by: Shaohua Li Reviewed-by: Wu Fengguang Reviewed-by: Johannes Weiner Reviewed-by: Rik van Riel Reviewed-by: Minchan Kim Acked-by: Hugh Dickins Cc: Henrique de Moraes Holschuh Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit e4ea66658a37ca7f3142feecbaf3d2fd8a50cc50 Author: FUJITA Tomonori Date: Wed May 19 23:21:38 2010 -0400 Blackfin: set ARCH_KMALLOC_MINALIGN commit 76b99699a2bbf9efdb578f9a38a202af2ecb354b upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: Pekka Enberg Signed-off-by: Mike Frysinger Signed-off-by: Greg Kroah-Hartman commit 12108de038106d839ad1c60853b8cdc4818c5f53 Author: FUJITA Tomonori Date: Mon May 24 14:31:45 2010 -0700 xtensa: set ARCH_KMALLOC_MINALIGN commit 498900fc9cd1adbad1ba6b55ed9d8f2f5d655ca3 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Cc: Chris Zankel Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 2af0045d22b116d461b029c8f9f8edffb0627485 Author: FUJITA Tomonori Date: Mon May 24 14:32:54 2010 -0700 frv: set ARCH_KMALLOC_MINALIGN commit 69dcf3db03626c4f18de624e8632454ea12ff260 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: David Howells Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit bc4b54c346c72126ae2c294caa5579566104aa4e Author: Maurus Cuelenaere Date: Fri Jun 4 14:14:44 2010 -0700 rtc: s3c: initialize driver data before using it commit e893de59a4982791368b3ce412bc67dd601a88a0 upstream. s3c_rtc_setfreq() uses the platform driver data to derive struct rtc_device, so make sure drvdata is set _before_ s3c_rtc_setfreq() is called. Signed-off-by: Maurus Cuelenaere Cc: Paul Gortmaker Cc: Alessandro Zummo Cc: Maurus Cuelenaere Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit a2d9ed72377e51ab0df783ee766beebe5bf51a77 Author: Dan Carpenter Date: Mon May 24 14:33:49 2010 -0700 rtc-cmos: do dev_set_drvdata() earlier in the initialization commit 6ba8bcd457d9fc793ac9435aa2e4138f571d4ec5 upstream. The bug is an oops when dev_get_drvdata() returned null in cmos_update_irq_enable(). The call tree looks like this: rtc_dev_ioctl() => rtc_update_irq_enable() => cmos_update_irq_enable() It's caused by a race condition in the module initialization. It is rtc_device_register() which makes the ioctl operations live so I moved the call to dev_set_drvdata() before the call to rtc_device_register(). Addresses https://bugzilla.kernel.org/show_bug.cgi?id=15963 Reported-by: Randy Dunlap Signed-off-by: Dan Carpenter Tested-by: Randy Dunlap Cc: Alessandro Zummo Cc: Paul Gortmaker Cc: Malte Schroder Cc: Ralf Baechle Cc: Herton Ronaldo Krzesinski Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 748ba59b943ea9f259866b3e703eec790cf48846 Author: FUJITA Tomonori Date: Sun May 23 19:38:14 2010 +0200 m68k: set ARCH_KMALLOC_MINALIGN commit dd6c26a66bdc629a500174ffe73b010b070b9f1b upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Cc: Geert Uytterhoeven Cc: Roman Zippel Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Geert Uytterhoeven Signed-off-by: Greg Kroah-Hartman commit ead5b24302a1f014de1206f6bc77f081d261803d Author: FUJITA Tomonori Date: Mon May 24 14:32:58 2010 -0700 mn10300: set ARCH_KMALLOC_MINALIGN commit 6cdafaae41d52e6ef9a5c5be23602ef083e4d0f9 upstream. Architectures that handle DMA-non-coherent memory need to set ARCH_KMALLOC_MINALIGN to make sure that kmalloc'ed buffer is DMA-safe: the buffer doesn't share a cache with the others. Signed-off-by: FUJITA Tomonori Acked-by: David Howells Cc: Koichi Yasutake Acked-by: Pekka Enberg Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 423ad7df30f57b0cb4bdad5d1504e2cdc1c4d8a3 Author: Dan Carpenter Date: Fri May 7 11:05:33 2010 +0200 exofs: confusion between kmap() and kmap_atomic() api commit ddf08f4b90a413892bbb9bb2e8a57aed991cd47d upstream. For kmap_atomic() we call kunmap_atomic() on the returned pointer. That's different from kmap() and kunmap() and so it's easy to get them backwards. Signed-off-by: Dan Carpenter Signed-off-by: Boaz Harrosh Signed-off-by: Greg Kroah-Hartman commit 310f7a3525eae4ef4c760a9d458d028775a49645 Author: Joerg Roedel Date: Tue Jun 1 11:41:44 2010 +0200 x86/amd-iommu: Fix suspend/resume with IOMMU This is a suspend resume fix for 2.6.32-stable inclusion. The problem with this patch is that it is not upstream because the code changed with 2.6.33 and the function where this bug is in was removed. So this fix does not make sense anymore for anything later than 2.6.32. The patch was tested by multiple partys and is confirmed to fix the broken suspend/resume issue with the 2.6.32 kernel. This patch fixes suspend/resume with AMD IOMMU enabled. Signed-off-by: Joerg Roedel Signed-off-by: Greg Kroah-Hartman commit d04e05f72668d77b66c91756c3d64c21970ea2a7 Author: Dan Williams Date: Wed May 12 08:25:37 2010 +1000 md: set mddev readonly flag on blkdev BLKROSET ioctl commit e2218350465e7e0931676b4849b594c978437bce upstream. When the user sets the block device to readwrite then the mddev should follow suit. Otherwise, the BUG_ON in md_write_start() will be set to trigger. The reverse direction, setting mddev->ro to match a set readonly request, can be ignored because the blkdev level readonly flag precludes the need to have mddev->ro set correctly. Nevermind the fact that setting mddev->ro to 1 may fail if the array is in use. Signed-off-by: Dan Williams Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 861fc8bdf88071da0e3ac140a23e532ae791ea43 Author: NeilBrown Date: Sat May 8 08:20:17 2010 +1000 md: Fix read balancing in RAID1 and RAID10 on drives > 2TB commit af3a2cd6b8a479345786e7fe5e199ad2f6240e56 upstream. read_balance uses a "unsigned long" for a sector number which will get truncated beyond 2TB. This will cause read-balancing to be non-optimal, and can cause data to be read from the 'wrong' branch during a resync. This has a very small chance of returning wrong data. Reported-by: Jordan Russell Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit d067b0b81ddd913cfd3694cc819d86f1048b58bd Author: NeilBrown Date: Tue May 18 15:27:13 2010 +1000 md/raid1: fix counting of write targets. commit 964147d5c86d63be79b442c30f3783d49860c078 upstream. There is a very small race window when writing to a RAID1 such that if a device is marked faulty at exactly the wrong time, the write-in-progress will not be sent to the device, but the bitmap (if present) will be updated to say that the write was sent. Then if the device turned out to still be usable as was re-added to the array, the bitmap-based-resync would skip resyncing that block, possibly leading to corruption. This would only be a problem if no further writes were issued to that area of the device (i.e. that bitmap chunk). Suitable for any pending -stable kernel. Signed-off-by: NeilBrown Signed-off-by: Greg Kroah-Hartman commit 584516620656c12f751d9714240d3056bcf76fca Author: Jens Axboe Date: Mon May 17 12:51:03 2010 +0200 writeback: disable periodic old data writeback for !dirty_writeback_centisecs commit 69b62d01ec44fe0d505d89917392347732135a4d upstream. Prior to 2.6.32, setting /proc/sys/vm/dirty_writeback_centisecs disabled periodic dirty writeback from kupdate. This got broken and now causes excessive sys CPU usage if set to zero, as we'll keep beating on schedule(). Reported-by: Justin Maggard Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman commit 63592befd6212caabbe5f9517f64049d55ec67fb Author: Denis Kirjanov Date: Tue Jun 1 15:43:34 2010 -0400 powerpc/oprofile: fix potential buffer overrun in op_model_cell.c commit 238c1a78c957f3dc7cb848b161dcf4805793ed56 upstream. Fix potential initial_lfsr buffer overrun. Writing past the end of the buffer could happen when index == ENTRIES Signed-off-by: Denis Kirjanov Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 9cb49fbe22c79ee0fe111cef69e2485c269dd7ea Author: Michael Neuling Date: Wed Apr 28 13:39:41 2010 +0000 powerpc/pseries: Make query_cpu_stopped callable outside hotplug cpu commit f8b67691828321f5c85bb853283aa101ae673130 upstream. This moves query_cpu_stopped() out of the hotplug cpu code and into smp.c so it can called in other places and renames it to smp_query_cpu_stopped(). It also cleans up the return values by adding some #defines Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 370fe8e54e678cfbf27df21ecb07f2af8a4f22b0 Author: Michael Neuling Date: Wed Apr 28 13:39:41 2010 +0000 powerpc/pseries: Only call start-cpu when a CPU is stopped commit aef40e87d866355ffd279ab21021de733242d0d5 upstream. Currently we always call start-cpu irrespective of if the CPU is stopped or not. Unfortunatley on POWER7, firmware seems to not like start-cpu being called when a cpu already been started. This was not the case on POWER6 and earlier. This patch checks to see if the CPU is stopped or not via an query-cpu-stopped-state call, and only calls start-cpu on CPUs which are stopped. This fixes a bug with kexec on POWER7 on PHYP where only the primary thread would make it to the second kernel. Reported-by: Ankita Garg Signed-off-by: Michael Neuling Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 93718857d91935e7a5845345753174bbd93a1293 Author: Jeff Mahoney Date: Wed Mar 17 10:55:51 2010 +0000 powerpc: Fix handling of strncmp with zero len commit 637a99022fb119b90fb281715d13172f0394fc12 upstream. Commit 0119536c, which added the assembly version of strncmp to powerpc, mentions that it adds two instructions to the version from boot/string.S to allow it to handle len=0. Unfortunately, it doesn't always return 0 when that is the case. The length is passed in r5, but the return value is passed back in r3. In certain cases, this will happen to work. Otherwise it will pass back the address of the first string as the return value. This patch lifts the len <= 0 handling code from memcpy to handle that case. Reported by: Christian_Sellars@symantec.com Signed-off-by: Jeff Mahoney Signed-off-by: Benjamin Herrenschmidt Signed-off-by: Greg Kroah-Hartman commit 7a832fb6f2d4c2160975f0f5e09dab1b00d5c3bf Author: Alex Deucher Date: Tue May 18 00:23:15 2010 -0400 drm/radeon/kms/atom: fix typo in LVDS panel info parsing commit 1ff26a3604d0292988d4cade0e49ba9918dbfd46 upstream. Fixes LVDS issues on some laptops; notably laptops with 2048x1536 panels. Signed-off-by: Alex Deucher Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit 2cbefd2c4fd8d18bab095b5f30b0e42c0f1181b0 Author: Adam Jackson Date: Thu May 13 14:55:28 2010 -0400 drm/edid: Fix 1024x768@85Hz commit 61dd98fad58f945ed720ba132681acb58fcee015 upstream. Having hsync both start and end on pixel 1072 ain't gonna work very well. Matches the X server's list. Signed-off-by: Adam Jackson Tested-By: Michael Tokarev Signed-off-by: Dave Airlie Signed-off-by: Greg Kroah-Hartman commit fa3a83f3c8ce68e3a597a6b19bf000fe67fcee93 Author: Andrea Arcangeli Date: Fri Jan 8 14:43:05 2010 -0800 mm: hugetlb: fix clear_huge_page() commit 74dbdd239bb1348ad86d28b18574d9c1f28b62ca upstream. sz is in bytes, MAX_ORDER_NR_PAGES is in pages. Signed-off-by: Andrea Arcangeli Acked-by: David Gibson Cc: Mel Gorman Cc: David Rientjes Cc: Lee Schermerhorn Signed-off-by: Andrew Morton Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit be4aa3f7edac32e5bc445bb108e79a7f5c3d7b1f Author: Herbert Xu Date: Mon Jan 25 15:51:01 2010 -0800 virtio_net: Make delayed refill more reliable commit 39d321577405e8e269fd238b278aaf2425fa788a upstream. I have seen RX stalls on a machine that experienced a suspected OOM. After the stall, the RX buffer is empty on the guest side and there are exactly 16 entries available on the host side. As the number of entries is less than that required by a maximal skb, the host cannot proceed. The guest did not have a refill job scheduled. My diagnosis is that an OOM had occured, with the delayed refill job scheduled. The job was able to allocate at least one skb, but not enough to overcome the minimum required by the host to proceed. As the refill job would only reschedule itself if it failed completely to allocate any skbs, this would lead to an RX stall. The following patch removes this stall possibility by always rescheduling the refill job until the ring is totally refilled. Testing has shown that the RX stall no longer occurs whereas previously it would occur within a day. Signed-off-by: Herbert Xu Acked-by: Rusty Russell Signed-off-by: David S. Miller Cc: Bruce Rogers Signed-off-by: Greg Kroah-Hartman commit 061d0096906dc7ed6a7d87fc0c9bc07794b7d3f2 Author: Ben Hutchings Date: Sun May 16 02:28:49 2010 +0100 PCI: Disable MSI for MCP55 on P5N32-E SLI commit e4146bb9088c01c8b6e82be11f0c371f8aff023c upstream. As reported in , MSI appears to be broken for this on-board device. We already have a quirk for the P5N32-SLI Premium; extend it to cover both variants of the board. Reported-by: Romain DEGEZ Signed-off-by: Ben Hutchings Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit a4b1df4f95b0303fb410be949e80083e7196b011 Author: Alex Deucher Date: Tue May 18 10:42:53 2010 -0400 PCI quirks: disable msi on AMD rs4xx internal gfx bridges commit 9313ff450400e6a2ab10fe6b9bdb12a828329410 upstream. Doesn't work reliably for internal gfx. Fixes kernel bug https://bugzilla.kernel.org/show_bug.cgi?id=15626. Signed-off-by: Alex Deucher Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit fbc6e1a6224f573671e6af123c0727c412e43b6b Author: Matthew Wilcox Date: Wed Mar 24 07:11:01 2010 -0600 PCI quirk: Disable MSI on VIA K8T890 systems commit 134b345081534235dbf228b1005c14590e0570ba upstream. Bugzilla 15287 indicates that there's a problem with Message Signalled Interrupts on VIA K8T890 systems. Add a quirk to disable MSI on these systems. Signed-off-by: Matthew Wilcox Tested-by: Jan Kreuzer Tested-by: lh Signed-off-by: Jesse Barnes Signed-off-by: Greg Kroah-Hartman commit 1dd1f04d589695235943f743aa1476e8f68d753a Author: Oliver Hartkopp Date: Tue May 18 14:03:10 2010 -0700 can: Fix SJA1000 command register writes on SMP systems commit 57c8a456640fa3ca777652f11f2db4179a3e66b6 upstream. The SJA1000 command register is concurrently written in the rx-path to free the receive buffer _and_ in the tx-path to start the transmission. The SJA1000 data sheet, 6.4.4 COMMAND REGISTER (CMR) states: "Between two commands at least one internal clock cycle is needed in order to proceed. The internal clock is half of the external oscillator frequency." On SMP systems the current implementation leads to a write stall in the tx-path, which can be solved by adding some general locking and some time to settle the write_reg() operation for the command register. Thanks to Klaus Hitschler for the original fix and detailed problem description. This patch applies on net-2.6 and (with some offsets) on net-next-2.6 . Signed-off-by: Oliver Hartkopp Acked-by: Wolfgang Grandegger Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 4f75f44a4a4437ad69beaac04047c4e66a956932 Author: Jan Beulich Date: Tue Apr 27 14:01:20 2010 -0700 drivers/base/cpu.c: fix the output from /sys/devices/system/cpu/offline commit cdc6e3d3968052cebb2f2ddcd742bff29fbd1a90 upstream. Without CONFIG_CPUMASK_OFFSTACK, simply inverting cpu_online_mask leads to CPUs beyond nr_cpu_ids to be displayed twice and CPUs not even possible to be displayed as offline. Signed-off-by: Jan Beulich Cc: Andi Kleen Cc: Stephen Rothwell Signed-off-by: Andrew Morton Signed-off-by: Greg Kroah-Hartman commit 22fb2a2f465b14676761143a4d9b93bc9a2e3f8f Author: Chris Wilson Date: Thu May 27 13:18:21 2010 +0100 drm/i915: Reject bind_to_gtt() early if object > aperture commit 654fc6073f68efa3b6c466825749e73e7fbb92cd upstream. If the object is bigger than the entire aperture, reject it early before evicting everything in a vain attempt to find space. v2: Use E2BIG as suggested by Owain G. Ainsworth. Signed-off-by: Chris Wilson Signed-off-by: Eric Anholt Signed-off-by: Greg Kroah-Hartman commit 5eef7398c31fcbb13555c8a64ae691034b2cd8be Author: Shanyu Zhao Date: Tue Apr 27 11:15:12 2010 -0700 mac80211: fix rts threshold check commit a2c40249a36d0b4d76d1caf6bf806e4ae5b06e8a upstream. Currently whenever rts thresold is set, every packet will use RTS protection no matter its size exceeds the threshold or not. This is due to a bug in the rts threshold check. if (len > tx->local->hw.wiphy->rts_threshold) { txrc.rts = rts = true; } Basically it is comparing an int (len) and a u32 (rts_threshold), and the variable len is assigned as: len = min_t(int, tx->skb->len + FCS_LEN, tx->local->hw.wiphy->frag_threshold); However, when frag_threshold is "-1", len is always "-1", which is 0xffffffff therefore rts is always set to true. Signed-off-by: Shanyu Zhao Reviewed-by: Johannes Berg Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit ea85171617b466c677bfa9e67fc1e526b65d4bea Author: Jouni Malinen Date: Sun Mar 28 22:29:52 2010 -0700 mac80211: Fix robust management frame handling (MFP) commit d211e90e28a074447584729018a39910d691d1a8 upstream. Commit e34e09401ee9888dd662b2fca5d607794a56daf2 incorrectly removed use of ieee80211_has_protected() from the management frame case and in practice, made this validation drop all Action frames when MFP is enabled. This should have only been done for frames with Protected field set to zero. Signed-off-by: Jouni Malinen Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 7e2b79273b6d672b6c7851a7dcbebdcfdaad5762 Author: Andres Salomon Date: Thu Feb 25 19:18:47 2010 -0500 mac80211: give warning if building w/out rate ctrl algorithm commit c2ef355bf3ef0b8006b96128726684fba47ac928 upstream. I discovered that if EMBEDDED=y, one can accidentally build a mac80211 stack and drivers w/ no rate control algorithm. For drivers like RTL8187 that don't supply their own RC algorithms, this will cause ieee80211_register_hw to fail (making the driver unusable). This will tell kconfig to provide a warning if no rate control algorithms have been selected. That'll at least warn the user; users that know that their drivers supply a rate control algorithm can safely ignore the warning, and those who don't know (or who expect to be using multiple drivers) can select a default RC algorithm. Signed-off-by: Andres Salomon Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit e466b74ac038123de73e651fffbf2d961b4b8e5f Author: Andiry Xu Date: Mon May 10 19:57:17 2010 -0700 USB: xHCI: Fix wrong usage of macro TRB_TYPE commit 54b5acf3acb7a1f83ec281d111d3e2812cd7ad9d upstream. Macro TRB_TYPE is misused in some places. Fix the wrong usage. Signed-off-by: Andiry Xu Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit 4653badb5520f2f7d8b21256e9f7234e83749772 Author: Sarah Sharp Date: Tue May 18 16:05:26 2010 -0700 USB: xhci: Fix check for room on the ring. commit 44ebd037c54f80db3121ac9f5fe6e677b76e11d5 upstream. The length of the scatter gather list a driver can enqueue is limited by the bus' sg_tablesize to 62 entries. Each entry will be described by at least one transfer request block (TRB). If the entry's buffer crosses a 64KB boundary, then that entry will have to be described by two or more TRBs. So even if the USB device driver respects sg_tablesize, the whole scatter list may take more than 62 TRBs to describe, and won't fit on the ring. Don't assume that an empty ring means there is enough room on the transfer ring. The old code would unconditionally queue this too-large transfer, and over write the beginning of the transfer. This would mean the cycle bit was unchanged in those overwritten transfers, causing the hardware to think it didn't own the TRBs, and the host would seem to hang. Now drivers may see submit_urb() fail with -ENOMEM if the transfers are too big to fit on the ring. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit ff2f35de7bbcde92cd5780ac057d772bce699d36 Author: Sarah Sharp Date: Thu May 6 13:40:08 2010 -0700 USB: xhci: Fix issue with set interface after stall. commit 1624ae1c19e227096ba85bfc389d9b99cb6f7dde upstream. When the USB core installs a new interface, it unconditionally clears the halts on all the endpoints on the new interface. Usually the xHCI host needs to know when an endpoint is reset, so it can change its internal endpoint state. In this case, it doesn't care, because the endpoints were never halted in the first place. To avoid issuing a redundant Reset Endpoint command, the xHCI driver looks at xhci_virt_ep->stopped_td to determine if the endpoint was actually halted. However, the functions that handle the stall never set that variable to NULL after it dealt with the stall. So if an endpoint stalled and a Reset Endpoint command completed, and then the class driver tried to install a new alternate setting, the xHCI driver would access the old xhci_virt_ep->stopped_td pointer. A similar problem occurs if the endpoint has been stopped to cancel a transfer. Signed-off-by: Sarah Sharp Signed-off-by: Greg Kroah-Hartman commit ed158fbaee230d8652efb1e16a4e74d7ee2d13e1 Author: Alek Du Date: Mon May 10 11:17:49 2010 +0800 USB: EHCI: clear PHCD before resuming commit eab80de01cb398419ef3305f35abcb367c647c8b upstream. This is a bug fix for PHCD (phy clock disable) low power feature: After PHCD is set, any write to PORTSC register is illegal, so when resume ports, clear PHCD bit first. Signed-off-by: Alek Du Cc: David Brownell Cc: Alan Stern Signed-off-by: Greg Kroah-Hartman commit 488abbe8b16389225006300abd34b0105ab9147a Author: Hans de Goede Date: Thu Apr 29 12:59:04 2010 +0200 USB: unusual-dev: Add bad sense flag for Appotech ax203 based picture frames commit a78f4f1a16d87f3d33158d036af94e48e32f8aad upstream. These Appotech controllers are found in Picture Frames, they provide a (buggy) emulation of a cdrom drive which contains the windows software Uploading of pictures happens over the corresponding /dev/sg device. Signed-off-by: Hans de Goede Signed-off-by: Greg Kroah-Hartman commit b8775d91d3da06d15ba9b1983689bffd258dbe3a Author: Dinh Nguyen Date: Tue May 4 10:03:01 2010 -0500 USB: mxc: gadget: Fix bitfield for calculating maximum packet size commit 88e3b59b5adce5b12e205af0e34d518ba0dcdc0c upstream. The max packet length bit mask used for isochronous endpoints should be 0x7FF instead of 0x8FF. 0x8FF will actually clear higher-order bits in the max packet length field. This patch applies to 2.6.34-rc6. Signed-off-by: Dinh Nguyen Signed-off-by: Greg Kroah-Hartman commit 81f35b444ec3059792d84cbff3e273ed24881b0f Author: Johan Hovold Date: Wed May 19 00:01:38 2010 +0200 USB: kl5usb105: fix memory leak commit 313b0d80c1717ffe8f64b455a4d323996748b91a upstream. Private data was not freed on error path in startup. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 7c54f6cf0342d52c1b14e06ecbc116419547ef97 Author: Johan Hovold Date: Thu May 13 21:02:00 2010 +0200 USB: ir-usb: fix double free commit 2ff78c0c2b67120c8e503268da3f177cae2228a2 upstream. If the user specifies a custom bulk buffer size we get a double free at port release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit b2fd493630af7d8ce9b313b24dc2516566854c57 Author: Nils Radtke Date: Mon May 17 14:14:11 2010 +0200 USB: option.c: OLIVETTI OLICARD100 support commit 86234d4975ce084d14711283a3bfc69305f97602 upstream. This patch adds support for an olivetti olicard100 HЅDPA usb-stick. This device is a zeroCD one with ID 0b3c:c700 that needs switching via eject or usb-modeswitch with MessageContent="5553424312345678000000000000061b000000030000000000000000000000". After switching it has ID 0b3c:c000 and provides 5 serial ports ttyUSB[0-4]. Port 0 (modem) and 4 are interrupt ports. Signed-off-by: Nils Radtke Signed-off-by: Greg Kroah-Hartman commit 9cf49271548cac9810f44c873fc3e4874967a1bd Author: Greg Kroah-Hartman Date: Tue Apr 27 09:38:51 2010 -0700 USB: serial: option: add cinterion device id commit 6f44bcb60bfa58590142545096b64f44144f0bc1 upstream. This adds a device id for a Cinterion device. Reported-by: John Race Signed-off-by: Greg Kroah-Hartman commit 3bb7fd34a9e8fe4ac0bdcb9717057eaea3e98c2f Author: spark Date: Fri Mar 5 14:18:05 2010 +0800 USB: option.c: Add Pirelli VID/PID and indicate Pirelli's modem interface is 0xff commit 33c387529b7931248c6637bf9720ac7504a0b28b upstream. Signed-off-by: spark Signed-off-by: Greg Kroah-Hartman commit 2b7d8921fb6541ce400a9a16fe734e136d14a738 Author: zhao1980ming Date: Mon May 3 00:06:37 2010 +0800 USB: option: add PID for ZTE product commit a71ee85e1d74e862d68cc9b2f2ab6a806d2550c9 upstream. this patch adds ZTE modem devices Signed-off-by: Joey Signed-off-by: Greg Kroah-Hartman commit e851a5ce9d67f1b0cb5a16a48be47d63b06985f9 Author: Johan Hovold Date: Sat May 15 17:53:43 2010 +0200 USB: kobil: fix memory leak commit c0f631d1948658b27349545b2cbcb4b32f010c7a upstream. An urb transfer buffer is allocated at every open but was never freed. This driver is a bit of a mess... Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 579340fcfbc4776726cb37cfd47edfb8c1d7797f Author: Craig Shelley Date: Sat May 15 13:36:38 2010 +0100 USB: CP210x New Device IDs 11 New device IDs commit eefd9029fde4d90d59804eeb54880ab8db5c1866 upstream. Signed-off-by: Craig Shelley Signed-off-by: Greg Kroah-Hartman commit 9ac2e17d3248d7cc998402e480b452a3cea2f596 Author: Johan Hovold Date: Sat May 15 17:53:48 2010 +0200 USB: visor: fix memory leak commit 199b113978015309dd02c69844c19a1be3f4dbcf upstream. Fix memory leak for some devices (Sony Clie 3.5) due to port private data not being freed on release. Signed-off-by: Johan Hovold Signed-off-by: Greg Kroah-Hartman commit 1d3ee54a9a486cb279a61590f3d84e878aeb88c0 Author: Christian Lamparter Date: Tue Mar 23 21:51:14 2010 +0100 ar9170usb: fix panic triggered by undersized rxstream buffer commit 879999cec9489f8942ebce3ec1b5f23ef948dda7 upstream. While ar9170's USB transport packet size is currently set to 8KiB, the PHY is capable of receiving AMPDUs with up to 64KiB. Such a large frame will be split over several rx URBs and exceed the previously allocated space for rx stream reconstruction. This patch increases the buffer size to 64KiB which is in fact the phy & rx stream designed size limit. Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=15591 Reported-by: Christian Mehlis Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit eb3c5bcef88d19924822c747de6fbf0b0f594208 Author: Christian Lamparter Date: Tue Apr 13 18:10:26 2010 +0200 ar9170usb: add a couple more USB IDs commit 94d0bbe849190255b93fede8eb46809a38f9b8bf upstream. This patch adds the following 5 entries to the usbid device table: * Netgear WNA1000 * Proxim ORiNOCO Dual Band 802.11n USB Adapter * 3Com Dual Band 802.11n USB Adapter * H3C Dual Band 802.11n USB Adapter * WNC Generic 11n USB dongle Signed-off-by: Christian Lamparter Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit 4707e8a724f4013b4fdbdf5ae51d79d2ae7c6a92 Author: Cory Maccarrone Date: Sat May 22 13:00:28 2010 -0700 HID: Add the GYR4101US USB ID to hid-gyration commit c2fd1a4ebf9127c280d227acb635eb1df213439c upstream. This change adds in the USB product ID for the Gyration GYR4101US USB media center remote control. This remote is similar enough to the other two devices that this driver can be used without any other changes to get full support for the remote. Signed-off-by: Cory Maccarrone Signed-off-by: Jiri Kosina Signed-off-by: Greg Kroah-Hartman commit daaf91f0ca7e5e1f4a59f6a02bd6ed2a800743f2 Author: Erik Andrén Date: Mon Mar 8 17:16:00 2010 -0300 V4L/DVB: gspca - stv06xx: Remove the 046d:08da from the stv06xx driver commit 55e0b489a39bb635a44f769d620e44c70d9c065b upstream. The 046d:08da usb id shouldn't be associated with the stv06xx driver as they're not compatible with each other. This fixes a bug where Quickcam Messenger cams fail to use its proper driver (gspca-zc3xx), rendering the camera inoperable. Signed-off-by: Erik Andrén Tested-by: Gabriel Craciunescu Signed-off-by: Jean-François Moine Signed-off-by: Mauro Carvalho Chehab Signed-off-by: Greg Kroah-Hartman commit 52fb07643da24b70c827f3618af1cb7ada50f62b Author: Kamal Mostafa Date: Sat May 1 12:09:49 2010 -0700 ACPI: video: fix acpi_backlight=video commit eeb4bcb4771679d7b3446c0293334faee11b090a upstream. Make "acpi_backlight=video" param enable ACPI_VIDEO_BACKLIGHT_FORCE_VIDEO as intended, instead of incorrectly enabling video output switching. BugLink: http://bugs.launchpad.net/bugs/573120 Signed-off-by: Kamal Mostafa Acked-by: Zhang Rui Cc: Bjorn Helgaas Cc: Jiri Kosina Acked-by: Thomas Renninger Signed-off-by: Andrew Morton Signed-off-by: Len Brown Signed-off-by: Greg Kroah-Hartman commit b54dc05422828f54d3790ab7061c2317f7d5334e Author: Daniel T Chen Date: Sat May 29 11:04:11 2010 -0400 ALSA: hda: Use LPIB for a Shuttle device commit 61bb42c37dfa9016dcacc86bcd41362ab2457d4a upstream. BugLink: https://launchpad.net/bugs/551949 Symptom: On the reporter's Shuttle device, using PulseAudio in Ubuntu 10.04 LTS results in "popping clicking" audio with the PA crashing shortly thereafter. Test case: Using Ubuntu 10.04 LTS (Linux 2.6.32.12), Linux 2.6.33, or Linux 2.6.34, adjust the HDA device's volume with PulseAudio. Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Christian Mehlis Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 1c87a71be7ed7868765e1f477d390ce66c7d5017 Author: Daniel T Chen Date: Thu May 27 18:32:18 2010 -0400 ALSA: hda: Use LPIB for Sony VPCS11V9E commit e96d3127760a2fc509bca6bf7e61e8bc61497aeb upstream. BugLink: https://launchpad.net/bugs/586347 Symptom: On the Sony VPCS11V9E, using GStreamer-based applications with PulseAudio in Ubuntu 10.04 LTS results in stuttering audio. It appears to worsen with increased I/O. Test case: use Rhythmbox under increased I/O pressure. This symptom is reproducible in the current daily stable alsa-driver snapshots (at least up until 21 May 2010; later snapshots fail to build from source due to missing preprocessor directives when compiled against 2.6.32). Resolution: add SSID for this machine to the position_fix quirk table, explicitly specifying the LPIB method. Reported-and-Tested-By: Lauri Kainulainen Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit edb5d7cfd7701a6e4541ed08da77e1d645a08ce5 Author: Daniel T Chen Date: Sat May 22 12:05:41 2010 -0400 ALSA: hda: Use LPIB for Acer Aspire 5110 commit 7a68be94e22e7643038726ebc14360752a91800b upstream. BugLink: https://launchpad.net/bugs/583983 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile). Resolution: add SSID for Acer Aspire 5110 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. Reported-and-Tested-By: Leo Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit ec7db8d17d276d137cddf655a68de0f2c1045c00 Author: Daniel T Chen Date: Sat May 22 13:12:22 2010 -0400 ALSA: hda: Use LPIB for Toshiba A100-259 commit 4e0938dba7fccf37a4aecba4d937da7f312b5d55 upstream. BugLink: https://launchpad.net/bugs/549560 Symptom: on a significant number of hardware, booting from a live cd results in capture working correctly, but once the distribution is installed, booting from the install results in capture not working. Test case: boot from Ubuntu 10.04 LTS live cd; capture works correctly. Install to HD and reboot; capture does not work. Reproduced with 2.6.32 mainline build (vanilla kernel.org compile) Resolution: add SSID for Toshiba A100-259 to the position_fix quirk table, explicitly specifying the LPIB method. I'll be sending additional patches for these SSIDs as bug reports are confirmed. This patch also trivially sorts the quirk table in ascending order by subsystem vendor. Reported-and-Tested-by: Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 7f459eca9b50756a1e4af5f0d89a1f51195158fa Author: Daniel T Chen Date: Sun May 23 20:47:45 2010 -0400 ALSA: hda: Fix model quirk for Dell M1730 commit 66668b6fb6861fad7f6bfef6646ac84693474c9a upstream. BugLink: https://launchpad.net/bugs/576160 Symptom: Currently (2.6.32.12) the Dell M1730 uses the 3stack model quirk. Unfortunately this means that capture is not functional out- of-the-box despite ensuring that capture settings are unmuted and raised fully. Test case: boot from Ubuntu 10.04 LTS live cd; capture does not work. Resolution: Correct the model quirk for Dell M1730 to rely on the BIOS configuration. This patch also trivially sorts the quirk into the correct section based on the comments. Reported-and-Tested-By: Tested-By: Daren Hayward Tested-By: Tobias Krais Signed-off-by: Daniel T Chen Signed-off-by: Takashi Iwai Signed-off-by: Greg Kroah-Hartman commit 3aff03b26e6be285ae1b8982a2dc4d4a4c6cb7d5 Author: Tony Breeds Date: Wed May 19 15:46:36 2010 +1000 mutex: Fix optimistic spinning vs. BKL commit fd6be105b883244127a734ac9f14ae94a022dcc0 upstream. Currently, we can hit a nasty case with optimistic spinning on mutexes: CPU A tries to take a mutex, while holding the BKL CPU B tried to take the BLK while holding the mutex This looks like a AB-BA scenario but in practice, is allowed and happens due to the auto-release on schedule() nature of the BKL. In that case, the optimistic spinning code can get us into a situation where instead of going to sleep, A will spin waiting for B who is spinning waiting for A, and the only way out of that loop is the need_resched() test in mutex_spin_on_owner(). This patch fixes it by completely disabling spinning if we own the BKL. This adds one more detail to the extensive list of reasons why it's a bad idea for kernel code to be holding the BKL. Signed-off-by: Tony Breeds Acked-by: Linus Torvalds Acked-by: Peter Zijlstra Cc: Benjamin Herrenschmidt LKML-Reference: <20100519054636.GC12389@ozlabs.org> [ added an unlikely() attribute to the branch ] Signed-off-by: Ingo Molnar Signed-off-by: Greg Kroah-Hartman commit 8b867c02502f86a737e2ec747b0ef15ad93dc6e2 Author: Sebastian Andrzej Siewior Date: Sun Mar 21 22:52:23 2010 +0100 libata: don't flush dcache on slab pages commit 3842e835490cdf17013b30a788f6311bdcfd0571 upstream. page_mapping() check this via VM_BUG_ON(PageSlab(page)) so we bug here with the according debuging turned on. Future TODO: replace this with a flush_dcache_page_for_pio() API Signed-off-by: Sebastian Andrzej Siewior Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit bf874fa732c8499a46f2f63a9f973322241955a9 Author: Tejun Heo Date: Wed May 19 15:38:58 2010 +0200 libata: disable ATAPI AN by default commit e7ecd435692ca9bde9d124be30b3a26e672ea6c2 upstream. There are ATAPI devices which raise AN when hit by commands issued by open(). This leads to infinite loop of AN -> MEDIA_CHANGE uevent -> udev open() to check media -> AN. Both ACS and SerialATA standards don't define in which case ATAPI devices are supposed to raise or not raise AN. They both list media insertion event as a possible use case for ATAPI ANs but there is no clear description of what constitutes such events. As such, it seems a bit too naive to export ANs directly to userland as MEDIA_CHANGE events without further verification (which should behave similarly to windows as it apparently is the only thing that some hardware vendors are testing against). This patch adds libata.atapi_an module parameter and disables ATAPI AN by default for now. Signed-off-by: Tejun Heo Cc: Kay Sievers Cc: Nick Bowler Cc: David Zeuthen Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit 6455cfc45fbc60febd57b52720aa949f48bff6c7 Author: Andrey Vagin Date: Mon May 24 12:15:33 2010 -0700 posix_timer: Fix error path in timer_create commit 45e0fffc8a7778282e6a1514a6ae3e7ae6545111 upstream. Move CLOCK_DISPATCH(which_clock, timer_create, (new_timer)) after all posible EFAULT erros. *_timer_create may allocate/get resources. (for example posix_cpu_timer_create does get_task_struct) [ tglx: fold the remove crappy comment patch into this ] Signed-off-by: Andrey Vagin Cc: Oleg Nesterov Cc: Pavel Emelyanov Reviewed-by: Stanislaw Gruszka Signed-off-by: Andrew Morton Signed-off-by: Thomas Gleixner Signed-off-by: Greg Kroah-Hartman commit 66717b5727eca77ce1acac4c838a73eb244ce8d6 Author: Al Viro Date: Wed May 26 17:40:29 2010 -0400 Fix racy use of anon_inode_getfd() in perf_event.c commit ea635c64e007061f6468ece5cc9cc62d41d4ecf2 upstream. once anon_inode_getfd() is called, you can't expect *anything* about struct file that descriptor points to - another thread might be doing whatever it likes with descriptor table at that point. Signed-off-by: Al Viro Signed-off-by: Greg Kroah-Hartman commit dade84df1cbb483d9398f7fb62c35d9aebad4beb Author: Larry Finger Date: Sun May 9 22:10:02 2010 -0500 staging: vt6655: Fix kernel BUG on driver wpa initialization commit f65515275ea3e45fdcd0fb78455f542d6fdca086 upstream. In http://bugzilla.novell.com/show_bug.cgi?id=597299, the vt6655 driver generates a kernel BUG on a NULL pointer dereference at NULL. This problem has been traced to a failure in the wpa_set_wpadev() routine. As the vt6656 driver does not call this routine, the vt6655 code is similarly set to skip the call. Signed-off-by: Larry Finger Tested-by: Richard Meek Signed-off-by: Greg Kroah-Hartman commit b96bae3a7c0fdd112935ae467c8af29cd8d70eaf Author: Rodrigo Linfati Date: Wed Apr 28 22:32:13 2010 +0200 Staging: add Add Sitecom WL-349 to rtl8192su commit 64a5a09218626464be35e0229d85b2ab0fcf03fd upstream. Add usb id of Sitecom WL-349 to rtl8192su Signed-off-by: Rodrigo Linfati Signed-off-by: Greg Kroah-Hartman commit 0c23a92af291cc1cf208477194bf225cd522a353 Author: John W. Linville Date: Wed Apr 28 19:14:42 2010 -0400 rtl8180: fix tx status reporting commit d989ff7cf8d14f1b523f63ba0bf2ec1a9b7c25bc upstream. When reporting Tx status, indicate that only one rate was used. Otherwise, the rate is frozen at rate index 0 (i.e. 1Mb/s). Signed-off-by: John W. Linville Signed-off-by: Greg Kroah-Hartman commit a45334abdb4eec5586c601ee517accc9a0fbd4c8 Author: Andreas Bombe Date: Mon May 17 23:12:46 2010 -0700 ARCNET: Limit com20020 PCI ID matches for SOHARD cards commit e7971c80a8e0299f91272ad8e8ac4167623e1862 upstream. The SH SOHARD ARCNET cards are implemented using generic PLX Technology PCI<->IOBus bridges. Subvendor and subdevice IDs were not specified, causing the driver to attach to any such bridge and likely crash the system by attempting to initialize an unrelated device. Fix by specifying subvendor and subdevice according to the values found in the PCI-ID Repository at http://pci-ids.ucw.cz/ . Signed-off-by: Andreas Bombe Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman commit 6ef0d693d4b10c2b7dfdc1fcfad716437e024ad3 Author: Tejun Heo Date: Fri May 14 11:48:50 2010 +0200 sata_nv: use ata_pci_sff_activate_host() instead of ata_host_activate() commit 95cc2c70c139936a2142bcd583da8af6f9d88efb upstream. sata_nv was incorrectly using ata_host_activate() instead of ata_pci_sff_activate_host() leading to IRQ assignment failure in legacy mode. Fix it. Signed-off-by: Tejun Heo Cc: Robert Hancock Signed-off-by: Jeff Garzik Signed-off-by: Greg Kroah-Hartman commit d700d271763f3073230b43bcdf8d24a1a844fd91 Author: Pavel Emelyanov Date: Fri May 14 15:33:36 2010 +0400 NFSD: don't report compiled-out versions as present commit 15ddb4aec54422ead137b03ea4e9b3f5db3f7cc2 upstream. The /proc/fs/nfsd/versions file calls nfsd_vers() to check whether the particular nfsd version is present/available. The problem is that once I turn off e.g. NFSD-V4 this call returns -1 which is true from the callers POV which is wrong. The proposal is to report false in that case. The bug has existed since 6658d3a7bbfd1768 "[PATCH] knfsd: remove nfsd_versbits as intermediate storage for desired versions". Signed-off-by: Pavel Emelyanov Acked-by: NeilBrown Signed-off-by: J. Bruce Fields Signed-off-by: Greg Kroah-Hartman commit ab871d83d498bd1e0b398bd0dce63b726fff4b7b Author: KOSAKI Motohiro Date: Wed May 19 09:37:41 2010 +0900 cpumask: fix compat getaffinity commit fa9dc265ace9774e62f0e31108e5f47911124bda upstream. Commit a45185d2d "cpumask: convert kernel/compat.c" broke libnuma, which abuses sched_getaffinity to find out NR_CPUS in order to parse /sys/devices/system/node/node*/cpumap. On NUMA systems with less than 32 possibly CPUs, the current compat_sys_sched_getaffinity now returns '4' instead of the actual NR_CPUS/8, which makes libnuma bail out when parsing the cpumap. The libnuma call sched_getaffinity(0, bitmap, 4096) at first. It mean the libnuma expect the return value of sched_getaffinity() is either len argument or NR_CPUS. But it doesn't expect to return nr_cpu_ids. Strictly speaking, userland requirement are 1) Glibc assume the return value mean the lengh of initialized of mask argument. E.g. if sched_getaffinity(1024) return 128, glibc make zero fill rest 896 byte. 2) Libnuma assume the return value can be used to guess NR_CPUS in kernel. It assume len-arg Acked-by: Rusty Russell Acked-by: Arnd Bergmann Reported-by: Ken Werner Cc: Andi Kleen Signed-off-by: Linus Torvalds Signed-off-by: Greg Kroah-Hartman commit 6f92c079c8a248a1b714f34c221356bbda97b585 Author: Andi Kleen Date: Thu Apr 1 03:17:25 2010 +0200 oprofile: remove double ring buffering commit cb6e943ccf19ab6d3189147e9d625a992e016084 upstream. oprofile used a double buffer scheme for its cpu event buffer to avoid races on reading with the old locked ring buffer. But that is obsolete now with the new ring buffer, so simply use a single buffer. This greatly simplifies the code and avoids a lot of sample drops on large runs, especially with call graph. Based on suggestions from Steven Rostedt For stable kernels from v2.6.32, but not earlier. Signed-off-by: Andi Kleen Cc: Steven Rostedt Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 3da87f443367a88f89f0ecf70ff2eb57fbef3ecf Author: Robert Richter Date: Mon May 3 19:44:32 2010 +0200 oprofile/x86: fix uninitialized counter usage during cpu hotplug commit 2623a1d55a6260c855e1f6d1895900b50b40a896 upstream. This fixes a NULL pointer dereference that is triggered when taking a cpu offline after oprofile was initialized, e.g.: $ opcontrol --init $ opcontrol --start-daemon $ opcontrol --shutdown $ opcontrol --deinit $ echo 0 > /sys/devices/system/cpu/cpu1/online See the crash dump below. Though the counter has been disabled the cpu notifier is still active and trying to use already freed counter data. This fix is for linux-stable. To proper fix this, the hotplug code must be rewritten. Thus I will leave a WARN_ON_ONCE() message with this patch. BUG: unable to handle kernel NULL pointer dereference at (null) IP: [] op_amd_stop+0x2d/0x8e PGD 0 Oops: 0000 [#1] SMP last sysfs file: /sys/devices/system/cpu/cpu1/online CPU 1 Modules linked in: Pid: 0, comm: swapper Not tainted 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Anaheim/Anaheim RIP: 0010:[] [] op_amd_stop+0x2d/0x8e RSP: 0018:ffff880001843f28 EFLAGS: 00010006 RAX: 0000000000000000 RBX: 0000000000000000 RCX: dead000000200200 RDX: ffff880001843f68 RSI: dead000000100100 RDI: 0000000000000000 RBP: ffff880001843f48 R08: 0000000000000000 R09: ffff880001843f08 R10: ffffffff8102c9a5 R11: ffff88000184ea80 R12: 0000000000000000 R13: ffff88000184f6c0 R14: 0000000000000000 R15: 0000000000000000 FS: 00007fec6a92e6f0(0000) GS:ffff880001840000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b CR2: 0000000000000000 CR3: 000000000163b000 CR4: 00000000000006e0 DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000 DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400 Process swapper (pid: 0, threadinfo ffff88042fcd8000, task ffff88042fcd51d0) Stack: ffff880001843f48 0000000000000001 ffff88042e9f7d38 ffff880001843f68 <0> ffff880001843f58 ffffffff8132a602 ffff880001843f98 ffffffff810521b3 <0> ffff880001843f68 ffff880001843f68 ffff880001843f88 ffff88042fcd9fd8 Call Trace: [] nmi_cpu_stop+0x21/0x23 [] generic_smp_call_function_single_interrupt+0xdf/0x11b [] smp_call_function_single_interrupt+0x22/0x31 [] call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] cpu_idle+0x4b/0x7e [] start_secondary+0x1ae/0x1b2 Code: 89 e5 41 55 49 89 fd 41 54 45 31 e4 53 31 db 48 83 ec 08 89 df e8 be f8 ff ff 48 98 48 83 3c c5 10 67 7a 81 00 74 1f 49 8b 45 08 <42> 8b 0c 20 0f 32 48 c1 e2 20 25 ff ff bf ff 48 09 d0 48 89 c2 RIP [] op_amd_stop+0x2d/0x8e RSP CR2: 0000000000000000 ---[ end trace 679ac372d674b757 ]--- Kernel panic - not syncing: Fatal exception in interrupt Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Call Trace: [] panic+0x9e/0x10c [] ? up+0x34/0x39 [] ? kmsg_dump+0x112/0x12c [] oops_end+0x81/0x8e [] no_context+0x1f3/0x202 [] __bad_area_nosemaphore+0x1ba/0x1e0 [] ? enqueue_task_fair+0x16d/0x17a [] ? activate_task+0x42/0x53 [] ? try_to_wake_up+0x272/0x284 [] bad_area_nosemaphore+0xe/0x10 [] do_page_fault+0x1c8/0x37c [] ? enqueue_task_fair+0x16d/0x17a [] page_fault+0x1f/0x30 [] ? wake_up_process+0x10/0x12 [] ? op_amd_stop+0x2d/0x8e [] ? op_amd_stop+0x1c/0x8e [] nmi_cpu_stop+0x21/0x23 [] generic_smp_call_function_single_interrupt+0xdf/0x11b [] smp_call_function_single_interrupt+0x22/0x31 [] call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] cpu_idle+0x4b/0x7e [] start_secondary+0x1ae/0x1b2 ------------[ cut here ]------------ WARNING: at /local/rrichter/.source/linux/arch/x86/kernel/smp.c:118 native_smp_send_reschedule+0x27/0x53() Hardware name: Anaheim Modules linked in: Pid: 0, comm: swapper Tainted: G D 2.6.34-rc5-oprofile-x86_64-standard-00210-g8c00f06 #16 Call Trace: [] ? native_smp_send_reschedule+0x27/0x53 [] warn_slowpath_common+0x77/0xa4 [] warn_slowpath_null+0xf/0x11 [] native_smp_send_reschedule+0x27/0x53 [] resched_task+0x60/0x62 [] check_preempt_curr_idle+0x10/0x12 [] try_to_wake_up+0x1f5/0x284 [] default_wake_function+0xd/0xf [] pollwake+0x57/0x5a [] ? default_wake_function+0x0/0xf [] __wake_up_common+0x46/0x75 [] __wake_up+0x38/0x50 [] printk_tick+0x39/0x3b [] update_process_times+0x3f/0x5c [] tick_periodic+0x5d/0x69 [] tick_handle_periodic+0x21/0x71 [] smp_apic_timer_interrupt+0x82/0x95 [] apic_timer_interrupt+0x13/0x20 [] ? panic_blink_one_second+0x0/0x7b [] ? panic+0x10a/0x10c [] ? up+0x34/0x39 [] ? kmsg_dump+0x112/0x12c [] ? oops_end+0x81/0x8e [] ? no_context+0x1f3/0x202 [] ? __bad_area_nosemaphore+0x1ba/0x1e0 [] ? enqueue_task_fair+0x16d/0x17a [] ? activate_task+0x42/0x53 [] ? try_to_wake_up+0x272/0x284 [] ? bad_area_nosemaphore+0xe/0x10 [] ? do_page_fault+0x1c8/0x37c [] ? enqueue_task_fair+0x16d/0x17a [] ? page_fault+0x1f/0x30 [] ? wake_up_process+0x10/0x12 [] ? op_amd_stop+0x2d/0x8e [] ? op_amd_stop+0x1c/0x8e [] ? nmi_cpu_stop+0x21/0x23 [] ? generic_smp_call_function_single_interrupt+0xdf/0x11b [] ? smp_call_function_single_interrupt+0x22/0x31 [] ? call_function_single_interrupt+0x13/0x20 [] ? wake_up_process+0x10/0x12 [] ? default_idle+0x22/0x37 [] ? c1e_idle+0xdf/0xe6 [] ? atomic_notifier_call_chain+0x13/0x15 [] ? cpu_idle+0x4b/0x7e [] ? start_secondary+0x1ae/0x1b2 ---[ end trace 679ac372d674b758 ]--- Cc: Andi Kleen Signed-off-by: Robert Richter Signed-off-by: Greg Kroah-Hartman commit 47680045842283e8f05ec097c5e75e2ab286c876 Author: Krishna Kumar Date: Wed Feb 3 13:13:10 2010 +0000 ixgbe: Fix return of invalid txq commit fdd3d631cddad20ad9d3e1eb7dbf26825a8a121f upstream. a developer had complained of getting lots of warnings: "eth16 selects TX queue 98, but real number of TX queues is 64" http://www.mail-archive.com/e1000-devel@lists.sourceforge.net/msg02200.html As there was no follow up on that bug, I am submitting this patch assuming that the other return points will not return invalid txq's, and also that this fixes the bug (not tested). Signed-off-by: Krishna Kumar Signed-off-by: Jesse Brandeburg Acked-by: Peter P Waskiewicz Jr Signed-off-by: Jeff Kirsher Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman