commit f23dc93c0e6772577309e150daf1906dbfd9d43b
Author: Greg Kroah-Hartman
Date:   Mon Aug 2 10:24:59 2010 -0700

    Linux 2.6.32.17

commit 8da946481f9b8b857216eafcc4a1ab48fdbe3bd7
Author: Daniel Ritz
Date:   Sat Dec 12 14:57:17 2009 -0300

    V4L/DVB (13830): uvcvideo: add another YUYV format GUID for iSight cameras

    commit 68f194e027ecfbbc8d5515bc40787e542eed59e9 upstream.

    For some unknown reason, on a MacBookPro5,3 the iSight sometimes reports
    a different video format GUID. This patch adds the other (wrong) GUID to
    the format table, making the iSight work always w/o other problems.

    What it should report: 32595559-0000-0010-8000-00aa00389b71
    What it often reports: 32595559-0000-0010-8000-000000389b71

    Signed-off-by: Daniel Ritz
    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Cc: Leann Ogasawara
    Signed-off-by: Greg Kroah-Hartman

commit 16a7cf55c838e4a80ab4776d3ff0ffe48ef0724b
Author: Dmitry Torokhov
Date:   Mon Jul 26 01:12:37 2010 -0700

    Input: RX51 keymap - fix recent compile breakage

    commit 2e65a2075cc740b485ab203430bdf3459d5551b6 upstream.

    Commit 3fea60261e73 ("Input: twl40300-keypad - fix handling of "all
    ground" rows") broke compilation as I managed to use non-existent
    keycodes.

    Reported-by: Arjan van de Ven
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 2e3d07384961134749541e3d2b39cac3241ead70
Author: Bob Copeland
Date:   Fri Jun 18 13:15:23 2010 -0400

    ath5k: initialize ah->ah_current_channel

    commit b6855772f4a22c4fbdd4fcaceff5c8a527035123 upstream.

    ath5k assumes ah_current_channel is always a valid pointer in several
    places, but a newly created interface may not have a channel. To avoid
    null pointer dereferences, set it up to point to the first available
    channel until later reconfigured.

    This fixes the following oops:

    $ rmmod ath5k
    $ insmod ath5k
    $ iw phy0 set distance 11000

    BUG: unable to handle kernel NULL pointer dereference at 00000006
    IP: [] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k]
    *pde = 00000000
    Oops: 0000 [#1]
    last sysfs file: /sys/devices/pci0000:00/0000:00:0e.0/ieee80211/phy0/index
    Modules linked in: usbhid option usb_storage usbserial usblp evdev lm90 scx200_acb i2c_algo_bit i2c_dev i2c_core via_rhine ohci_hcd ne2k_pci 8390 leds_alix2 xt_IMQ imq nf_nat_tftp nf_conntrack_tftp nf_nat_irc nf_cc

    Pid: 1597, comm: iw Not tainted (2.6.32.14 #8)
    EIP: 0060:[] EFLAGS: 00010296 CPU: 0
    EIP is at ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k]
    EAX: 000000c2 EBX: 00000000 ECX: ffffffff EDX: c12d2080
    ESI: 00000019 EDI: cf8c0000 EBP: d0a30edc ESP: cfa09bf4
     DS: 007b ES: 007b FS: 0000 GS: 0000 SS: 0068
    Process iw (pid: 1597, ti=cfa09000 task=cf88a000 task.ti=cfa09000)
    Stack:
     d0a34f35 d0a353f8 d0a30edc 000000fe cf8c0000 00000000 1900063d cfa8c9e0
    <0> cfa8c9e8 cfa8c0c0 cfa8c000 d0a27f0c 199d84b4 cfa8c200 00000010 d09bfdc7
    <0> 00000000 00000000 ffffffff d08e0d28 cf9263c0 00000001 cfa09cc4 00000000
    Call Trace:
     [] ? ath5k_hw_attach+0xc8c/0x3c10 [ath5k]
     [] ? __ieee80211_request_smps+0x1347/0x1580 [mac80211]
     [] ? nl80211_send_scan_start+0x7b8/0x4520 [cfg80211]
     [] ? nla_parse+0x59/0xc0
     [] ? genl_rcv_msg+0x169/0x1a0
     [] ? genl_rcv_msg+0x0/0x1a0
     [] ? netlink_rcv_skb+0x38/0x90
     [] ? genl_rcv+0x19/0x30
     [] ? netlink_unicast+0x1b3/0x220
     [] ? netlink_sendmsg+0x26e/0x290
     [] ? sock_sendmsg+0xbe/0xf0
     [] ? autoremove_wake_function+0x0/0x50
     [] ? __alloc_pages_nodemask+0x106/0x530
     [] ? do_lookup+0x53/0x1b0
     [] ? __link_path_walk+0x9b9/0x9e0
     [] ? verify_iovec+0x50/0x90
     [] ? sys_sendmsg+0x1e1/0x270
     [] ? find_get_page+0x10/0x50
     [] ? filemap_fault+0x5f/0x370
     [] ? __do_fault+0x319/0x370
     [] ? sys_socketcall+0x244/0x290
     [] ? do_page_fault+0x1ec/0x270
     [] ? do_page_fault+0x0/0x270
     [] ? syscall_call+0x7/0xb
    Code: 00 b8 fe 00 00 00 b9 f8 53 a3 d0 89 5c 24 14 89 7c 24 10 89 44 24 0c 89 6c 24 08 89 4c 24 04 c7 04 24 35 4f a3 d0 e8 7c 30 60 f0 <0f> b7 43 06 ba 06 00 00 00 a8 10 75 0e 83 e0 20 83 f8 01 19 d2
    EIP: [] ath5k_hw_set_coverage_class+0x74/0x1b0 [ath5k] SS:ESP 0068:cfa09bf4
    CR2: 0000000000000006
    ---[ end trace 54f73d6b10ceb87b ]---

    Reported-by: Steve Brown
    Signed-off-by: Bob Copeland
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit c7fe2f529c6c6f11d48eb71d850031dc63f1b0d2
Author: Andre Osterhues
Date:   Tue Jul 13 15:59:17 2010 -0500

    ecryptfs: Bugfix for error related to ecryptfs_hash_buckets

    commit a6f80fb7b5986fda663d94079d3bba0937a6b6ff upstream.

    The function ecryptfs_uid_hash wrongly assumes that the
    second parameter to hash_long() is the number of hash
    buckets instead of the number of hash bits.
    This patch fixes that and renames the variable ecryptfs_hash_buckets
    to ecryptfs_hash_bits to make it clearer.

    Fixes: CVE-2010-2492

    Signed-off-by: Andre Osterhues
    Signed-off-by: Tyler Hicks
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit d1a6b6c9ed5d5965d4961e39d57bfae3f8ac94ed
Author: Tony Luck
Date:   Wed Jun 30 10:46:16 2010 -0700

    Fix spinaphore down_spin()

    commit b70f4e85bfc4d7000036355b714a92d5c574f1be upstream.

    Typo in down_spin() meant it only read the low 32 bits of the
    "serve" value, instead of the full 64 bits. This results in the
    system hanging when the values in ticket/serve get larger than
    32-bits. A big enough system running the right test can hit this
    in just a few hours.

    Broken since 883a3acf5b0d4782ac35981227a0d094e8b44850
        [IA64] Re-implement spinaphores using ticket lock concepts

    Reported via IRC by Bjorn Helgaas

    Signed-off-by: Tony Luck
    Signed-off-by: Greg Kroah-Hartman

commit fe17e2bb5f588ee25647a5087710bab3e70d4e86
Author: Alan Jenkins
Date:   Mon Feb 22 16:03:58 2010 +0000

    eeepc-laptop: check wireless hotplug events

    commit bc9d24a3aeb1532fc3e234907a8b6d671f7ed68f upstream.

    Before we mark the wireless device as unplugged, check PCI config space
    to see whether the wireless device is really disabled (and vice versa).
    This works around newer models which don't want the hotplug code, where
    we end up disabling the wired network device.

    My old 701 still works correctly with this. I can also simulate an
    afflicted model by changing the hardcoded PCI bus/slot number in the
    driver, and it seems to work nicely (although it is a bit noisy).

    In future this type of hotplug support will be implemented by the PCI
    core. The existing blacklist and the new warning message will be
    removed at that point.

    Signed-off-by: Alan Jenkins
    Signed-off-by: Corentin Chary
    Cc: Tim Gardner
    Signed-off-by: Greg Kroah-Hartman

commit bf1fe0bc49306efd7b822d1a90bfafbd4cb68694
Author: Krzysztof Halasa
Date:   Fri Jun 11 01:08:20 2010 +0200

    kbuild: Fix modpost segfault

    commit 1c938663d58b5b2965976a6f54cc51b5d6f691aa upstream.

    Alan writes:

    > program: /home/alan/GitTrees/linux-2.6-mid-ref/scripts/mod/modpost -o
    > Module.symvers -S vmlinux.o
    >
    > Program received signal SIGSEGV, Segmentation fault.

    It just hit me.
    It's the offset calculation in reloc_location() which overflows:
            return (void *)elf->hdr + sechdrs[section].sh_offset +
                    (r->r_offset - sechdrs[section].sh_addr);

    E.g. for the first rodata r entry:
    r->r_offset < sechdrs[section].sh_addr
    and the expression in the parenthesis produces 0xFFFFFFE0 or something
    equally wise.

    Reported-by: Alan
    Signed-off-by: Krzysztof Hałasa
    Tested-by: Alan
    Signed-off-by: Michal Marek
    Signed-off-by: Greg Kroah-Hartman

commit ee567ad914fef697cfffffd2940c022b50f8bc5e
Author: Shanyu Zhao
Date:   Tue Jun 1 17:13:58 2010 -0700

    iwlagn: verify flow id in compressed BA packet

    commit b561e8274f75831ee87e4ea378cbb1f9f050a51a upstream.

    The flow id (scd_flow) in a compressed BA packet should match the txq_id
    of the queue from which the aggregated packets were sent.
    However, in some hardware like the 1000 series, sometimes the flow id is
    0 for the txq_id (10 to 19). This can cause the annoying message:

    [ 2213.306191] iwlagn 0000:01:00.0: Received BA when not expected
    [ 2213.310178] iwlagn 0000:01:00.0: Read index for DMA queue txq id (0),
    index 5, is out of range [0-256] 7 7.

    And even worse, if agg->wait_for_ba is true when the bad BA is arriving,
    this can cause system hang due to NULL pointer dereference because the
    code is operating in a wrong tx queue!

    Signed-off-by: Shanyu Zhao
    Signed-off-by: Pradeep Kulkarni
    Signed-off-by: Reinette Chatre
    Signed-off-by: Greg Kroah-Hartman

commit e3bc0200396a03fb55e187bba268d49749722238
Author: Laurent Pinchart
Date:   Mon Apr 12 10:41:22 2010 -0300

    V4L/DVB: uvcvideo: Add support for V4L2_PIX_FMT_Y16

    commit 61421206833a4085d9bdf35b2b84cd9a67dfdfac upstream.

    The Miricle 307K (17dc:0202) camera reports a 16-bit greyscale format,
    support it in the driver.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit b3671c74c3ebdcccdf96e627319dec7744ab0def
Author: Laurent Pinchart
Date:   Sat Mar 13 18:12:15 2010 -0300

    V4L/DVB: uvcvideo: Add support for Packard Bell EasyNote MX52 integrated webcam

    commit f129b03ba272c86c42ad476684caa0d6109cb383 upstream.

    The camera requires the STREAM_NO_FID quirk. Add a corresponding entry
    in the device IDs list.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 3cff495e70a35dca84c749467cfd2973d079c00c
Author: Laurent Pinchart
Date:   Thu Mar 4 07:51:25 2010 -0300

    V4L/DVB: uvcvideo: Add support for unbranded Arkmicro 18ec:3290 webcams

    commit 1e4d05bc95a0fe2972c5c91ed45466587d07cd2c upstream.

    The camera requires the PROBE_DEF quirk. Add a corresponding entry in
    the device IDs list.

    Signed-off-by: Laurent Pinchart
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit fe2dba54e065b31005fd28d8cddbc838e275eabc
Author: Stanislaw Gruszka
Date:   Wed Apr 28 17:03:15 2010 +0200

    mac80211: fix supported rates IE if AP doesn't give us it's rates

    commit 76f273640134f3eb8257179cd5b3bc6ba5fe4a96 upstream.

    If AP does not provide us supported rates before association, send
    all rates we are supporting instead of empty information element.

    v1 -> v2: Add comment.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 4abe1cbd9c9a9b9ab5cc3986df22c6532de36860
Author: Hiroshi Shimamoto
Date:   Mon Apr 19 15:32:20 2010 +0000

    cxgb3: fix linkup issue

    commit 9441cad99b4b09d6b627351c2d282833868c116c upstream.

    I encountered an issue that not to link up on cxgb3 fabric.
    I bisected and found that this regression was introduced by
    0f07c4ee8c800923ae7918c231532a9256233eed.

    Correct to pass phy_addr to cphy_init() at t3_xaui_direct_phy_prep().

    Signed-off-by: Hiroshi Shimamoto
    Acked-by: Divy Le Ray
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 15b956904a38753fbc9ef8dfa1cafbf5b78e7331
Author: Ben Hutchings
Date:   Sat May 15 13:45:37 2010 -0300

    V4L/DVB: budget: Select correct frontends

    commit d46b36e7f927772bb72524dc9f1e384e3cb4a975 upstream.

    Update the Kconfig selections to match the code.

    Signed-off-by: Ben Hutchings
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit a6507d3cb85e02d965f0367c3ed0de5a9b25d8f8
Author: Shane McDonald
Date:   Thu May 6 23:26:57 2010 -0600

    MIPS FPU emulator: allow Cause bits of FCSR to be writeable by ctc1

    commit 95e8f634d7a3ea5af40ec3fa42c8a152fd3a0624 upstream.

    In the FPU emulator code of the MIPS, the Cause bits of the FCSR
    register are not currently writeable by the ctc1 instruction. In odd
    corner cases, this can cause problems.
    For example, a case existed where a divide-by-zero exception was
    generated by the FPU, and the signal handler attempted to restore the
    FPU registers to their state before the exception occurred. In this
    particular setup, writing the old value to the FCSR register would cause
    another divide-by-zero exception to occur immediately. The solution is
    to change the ctc1 instruction emulator code to allow the Cause bits of
    the FCSR register to be writeable. This is the behaviour of the
    hardware that the code is emulating.

    This problem was found by Shane McDonald, but the credit for the fix
    goes to Kevin Kissell. In Kevin's words:

    I submit that the bug is indeed in that ctc_op: case of the emulator.
    The Cause bits (17:12) are supposed to be writable by that instruction,
    but the CTC1 emulation won't let them be updated by the instruction. I
    think that actually if you just completely removed lines 387-388 [...]
    things would work a good deal better. At least, it would be a more
    accurate emulation of the architecturally defined FPU. If I wanted to
    be really, really pedantic (which I sometimes do), I'd also protect the
    reserved bits that aren't necessarily writable.

    Signed-off-by: Shane McDonald
    To: anemo@mba.ocn.ne.jp
    To: kevink@paralogos.com
    To: sshtylyov@mvista.com
    Patchwork: http://patchwork.linux-mips.org/patch/1205/
    Signed-off-by: Ralf Baechle
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit 025be5bec7dabcbc1e972a0a8a7f41c6701fb3a0
Author: Richard Airlie
Date:   Mon Apr 5 22:22:46 2010 +0100

    staging: rtl8192su: add Support for Belkin F5D8053 v6

    commit d615da093eb0f691a73a754589e2a4a24a6f1ca7 upstream.

    Please find attached a patch which adds the device ID for the Belkin
    F5D8053 v6 to the rtl8192su driver. I've tested this in 2.6.34-rc3
    (Ubuntu 9.10 amd64) and the network adapter is working flawlessly.

    Signed-off-by: Richard Airlie
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit cd67c595a03ec6a41f14ae060bfbb1757b80aa5a
Author: Ayaz Abdulla
Date:   Tue Apr 13 18:49:51 2010 -0700

    forcedeth: fix tx limit2 flag check

    commit 5c659322a904a7cc0265e7b183372b9bdebec6db upstream.

    This is a fix for bug 572201 @ bugs.debian.org

    This patch fixes the TX_LIMIT feature flag. The previous logic check
    for TX_LIMIT2 also took into account a device that only had TX_LIMIT
    set.

    Reported-by: Stephen Mulcahu
    Reported-by: Ben Huchings
    Signed-off-by: Ayaz Abdulla
    Signed-off-by: David S. Miller
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit e9594751e4454139901cb1d68dd05ad7f48bdb59
Author: Jean Delvare
Date:   Wed May 26 10:05:11 2010 -0300

    V4L/DVB: FusionHDTV: Use quick reads for I2C IR device probing

    commit 806b07c29b711aaf90c81d2a19711607769f8246 upstream.

    IR support on FusionHDTV cards is broken since kernel 2.6.31. One side
    effect of the switch to the standard binding model for IR I2C devices
    was to let i2c-core do the probing instead of the ir-kbd-i2c driver.
    There is a slight difference between the two probe methods: i2c-core
    uses 0-byte writes, while the ir-kbd-i2c was using 0-byte reads. As
    some IR I2C devices only support reads, the new probe method fails to
    detect them.

    For now, revert to letting the driver do the probe, using 0-byte
    reads. In the future, i2c-core will be extended to let callers of
    i2c_new_probed_device() provide a custom probing function.

    Signed-off-by: Jean Delvare
    Tested-by: "Timothy D. Lenz"
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit 65019a1c668d1dbcc4c6bdcdb7bb66d8ea714752
Author: Ang Way Chuang
Date:   Thu May 27 02:02:09 2010 -0300

    V4L/DVB: dvb-core: Fix ULE decapsulation bug

    commit 5c331fc8c19e181bffab46e9d18e1637cdc47170 upstream.

    Fix ULE decapsulation bug when less than 4 bytes of ULE SNDU is packed
    into the remaining bytes of a MPEG2-TS frame

    ULE (Unidirectional Lightweight Encapsulation RFC 4326) decapsulation
    code has a bug that incorrectly treats ULE SNDU packed into the
    remaining 2 or 3 bytes of a MPEG2-TS frame as having invalid pointer
    field on the subsequent MPEG2-TS frame.

    Signed-off-by: Ang Way Chuang
    Acked-by: Jarod Wilson
    Signed-off-by: Mauro Carvalho Chehab
    Signed-off-by: Greg Kroah-Hartman

commit ac633f17d4a5030d5924c1a85bbcde1ad42c3998
Author: Giuliano Pochini
Date:   Wed Feb 17 00:57:44 2010 +0100

    ALSA: Echoaudio, fix Guru Meditation #00000005.48454C50

    commit b721e68bdc5b39c51bf6a1469f8d3663fbe03243 upstream.

    This patch fixes a division by zero error in the irq handler.

    There is a small window between the hw_params() callback and when
    runtime->frame_bits is set by ALSA middle layer. When another substream
    is already running, if an interrupt is delivered during that window the
    irq handler calls pcm_pointer() which does a division by zero.

    The patch below makes the irq handler skip substreams that are
    initialized but not started yet. Cc to Clemens Ladisch because he
    proposed an alternate fix.

    For more information, please read the original thread in the
    linux-kernel mailing list: http://lkml.org/lkml/2010/2/2/187

    Signed-off-by: Giuliano Pochini
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit ddcd49b943272f275e890e9c1c06cfdbc0a899e3
Author: Andrej Gelenberg
Date:   Fri May 14 15:15:58 2010 -0700

    revert "[CPUFREQ] remove rwsem lock from CPUFREQ_GOV_STOP call (second call site)"

    commit accd846698439ba18250e8fd5681af280446b853 upstream.

    395913d0b1db37092ea3d9d69b832183b1dd84c5 ("[CPUFREQ] remove rwsem lock
    from CPUFREQ_GOV_STOP call (second call site)") is not needed, because
    there is no rwsem lock in cpufreq_ondemand and cpufreq_conservative
    anymore. Lock should not be released until the work done.

    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=1594

    Signed-off-by: Andrej Gelenberg
    Cc: Mathieu Desnoyers
    Cc: Venkatesh Pallipadi
    Signed-off-by: Andrew Morton
    Acked-by: Mathieu Desnoyers
    Signed-off-by: Dave Jones
    Signed-off-by: Greg Kroah-Hartman

commit e48db6326ecea360d79f42ec7fdaad53a328e362
Author: David Woodhouse
Date:   Sun May 2 11:21:21 2010 +0300

    firmware_class: fix memory leak - free allocated pages

    commit dd336c554d8926c3348a2d5f2a5ef5597f6d1a06 upstream.

    fix memory leak introduced by the patch 6e03a201bbe:
    firmware: speed up request_firmware()

    1. vfree won't release pages there were allocated explicitly and mapped
       using vmap. The memory has to be vunmap-ed and the pages needs
       to be freed explicitly

    2. page array is moved into the 'struct
       firmware' so that we can free it from release_firmware()
       and not only in fw_dev_release()

    The fix doesn't break the firmware load speed.

    Cc: Johannes Berg
    Cc: Ming Lei
    Cc: Catalin Marinas
    Singed-off-by: Kay Sievers
    Signed-off-by: David Woodhouse
    Signed-off-by: Tomas Winkler
    Signed-off-by: Greg Kroah-Hartman

commit 46287c9a808ec7eb9f635f279474bdb1df2a8898
Author: Baruch Siach
Date:   Mon May 17 17:45:48 2010 -0700

    dm9000: fix "BUG: spinlock recursion"

    commit 380fefb2ddabd4cd5f14dbe090481f0544e65078 upstream.

    dm9000_set_rx_csum and dm9000_hash_table are called from atomic context
    (in dm9000_init_dm9000), and from non-atomic context (via ethtool_ops
    and net_device_ops respectively). This causes a spinlock recursion BUG.
    Fix this by renaming these functions to *_unlocked for the atomic
    context, and make the original functions locking wrappers for use in
    the non-atomic context.

    Signed-off-by: Baruch Siach
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit f4b01c2be53befd8374d1569e1ae10bf9648025a
Author: Daniel Mack
Date:   Tue Apr 6 10:52:44 2010 +0200

    libertas/sdio: 8686: set ECSI bit for 1-bit transfers

    commit 8a64c0f6b7ec7f758c4ef445e49f479e27fa2236 upstream.

    When operating in 1-bit mode, SDAT1 is used as dedicated interrupt line.
    However, the 8686 will only drive this line when the ECSI bit is set in
    the CCCR_IF register.

    Thanks to Alagu Sankar for pointing me in the right direction.

    Signed-off-by: Daniel Mack
    Cc: Alagu Sankar
    Cc: Volker Ernst
    Cc: Dan Williams
    Cc: John W. Linville
    Cc: Holger Schurig
    Cc: Bing Zhao
    Cc: libertas-dev@lists.infradead.org
    Cc: linux-wireless@vger.kernel.org
    Cc: linux-mmc@vger.kernel.org
    Acked-by: Dan Williams
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 1e2894c496bbb024c457d2240559631f12efd019
Author: Matthew Garrett
Date:   Tue May 11 13:49:25 2010 -0400

    ACPI: Unconditionally set SCI_EN on resume

    commit b6dacf63e9fb2e7a1369843d6cef332f76fca6a3 upstream.

    The ACPI spec tells us that the firmware will reenable SCI_EN on resume.
    Reality disagrees in some cases. The ACPI spec tells us that the only
    way to set SCI_EN is via an SMM call.
    https://bugzilla.kernel.org/show_bug.cgi?id=13745 shows us that doing so
    may break machines. Tracing the ACPI calls made by Windows shows that it
    unconditionally sets SCI_EN on resume with a direct register write, and
    therefore the overwhelming probability is that everything is fine with
    this behaviour.

    Signed-off-by: Matthew Garrett
    Tested-by: Rafael J. Wysocki
    Signed-off-by: Len Brown
    Cc: Kamal Mostafa
    Signed-off-by: Greg Kroah-Hartman

commit 447cc37695575ab9fa8b00427b00ca228832ec25
Author: Len Brown
Date:   Thu Jul 22 16:54:27 2010 -0400

    ACPI: skip checking BM_STS if the BIOS doesn't ask for it

    commit 718be4aaf3613cf7c2d097f925abc3d3553c0605 upstream.

    It turns out that there is a bit in the _CST for Intel FFH C3
    that tells the OS if we should be checking BM_STS or not.

    Linux has been unconditionally checking BM_STS.
    If the chip-set is configured to enable BM_STS,
    it can retard or completely prevent entry into
    deep C-states -- as illustrated by turbostat:

    http://userweb.kernel.org/~lenb/acpi/utils/pmtools/turbostat/

    ref: Intel Processor Vendor-Specific ACPI Interface Specification
    table 4 "_CST FFH GAS Field Encoding"
    Bit 1: Set to 1 if OSPM should use Bus Master avoidance for this C-state

    https://bugzilla.kernel.org/show_bug.cgi?id=15886

    Signed-off-by: Len Brown
    Signed-off-by: Greg Kroah-Hartman

commit 784724e6862571cde726a78287d16867fbbf2b28
Author: Ondrej Zary
Date:   Tue Jun 8 00:32:49 2010 +0200

    PM / x86: Save/restore MISC_ENABLE register

    commit 85a0e7539781dad4bfcffd98e72fa9f130f4e40d upstream.

    Save/restore MISC_ENABLE register on suspend/resume.
    This fixes OOPS (invalid opcode) on resume from STR on Asus P4P800-VM,
    which wakes up with MWAIT disabled.

    Fixes https://bugzilla.kernel.org/show_bug.cgi?id=15385

    Signed-off-by: Ondrej Zary
    Tested-by: Alan Stern
    Acked-by: H. Peter Anvin
    Signed-off-by: Rafael J. Wysocki
    Signed-off-by: Greg Kroah-Hartman

commit 7ff3f29680547064a5733c18dbfdb20a957cdbb2
Author: Steven Whitehouse
Date:   Fri Oct 2 11:50:54 2009 +0100

    GFS2: Fix up system xattrs

    commit 2646a1f61a3b5525914757f10fa12b5b94713648 upstream.

    This code has been shamelessly stolen from XFS at the suggestion
    of Christoph Hellwig. I've not added support for cached ACLs so
    far... watch for that in a later patch, although this is designed
    in such a way that they should be easy to add.

    Signed-off-by: Steven Whitehouse
    Cc: Christoph Hellwig
    Signed-off-by: Greg Kroah-Hartman

commit 29540fc633e3f0ce474cf8d46806c0f92d1dd6f7
Author: Michal Hocko
Date:   Wed Jun 30 09:51:19 2010 +0200

    futex: futex_find_get_task remove credentails check

    commit 7a0ea09ad5352efce8fe79ed853150449903b9f5 upstream.

    futex_find_get_task is currently used (through lookup_pi_state) from two
    contexts, futex_requeue and futex_lock_pi_atomic. None of the paths
    looks it needs the credentials check, though.
    Different (e)uids shouldn't matter at all because the only thing that is
    important for shared futex is the accessibility of the shared memory.

    The credential check results in glibc assert failure or process hang (if
    glibc is compiled without assert support) for shared robust pthread
    mutex with priority inheritance if a process tries to lock already held
    lock owned by a process with a different euid:

    pthread_mutex_lock.c:312: __pthread_mutex_lock_full: Assertion `(-(e)) != 3 || !robust' failed.

    The problem is that futex_lock_pi_atomic which is called when we try to
    lock already held lock checks the current holder (tid is stored in the
    futex value) to get the PI state. It uses lookup_pi_state which in turn
    gets task struct from futex_find_get_task. ESRCH is returned either
    when the task is not found or if credentials check fails.

    futex_lock_pi_atomic simply returns if it gets ESRCH. glibc code,
    however, doesn't expect that robust lock returns with ESRCH because it
    should get either success or owner died.

    Signed-off-by: Michal Hocko
    Acked-by: Darren Hart
    Cc: Ingo Molnar
    Cc: Thomas Gleixner
    Cc: Nick Piggin
    Cc: Alexey Kuznetsov
    Cc: Peter Zijlstra
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 05ae56ca1cd57e3b6fb57173e8f9e23f289880e9
Author: Marcelo Tosatti
Date:   Fri May 28 09:44:59 2010 -0300

    KVM: MMU: invalidate and flush on spte small->large page size change

    Always invalidate spte and flush TLBs when changing page size, to make
    sure different sized translations for the same address are never cached
    in a CPU's TLB.

    Currently the only case where this occurs is when a non-leaf spte
    pointer is overwritten by a leaf, large spte entry. This can happen
    after dirty logging is disabled on a memslot, for example.

    Noticed by Andrea.

    KVM-Stable-Tag
    Signed-off-by: Marcelo Tosatti
    Signed-off-by: Avi Kivity
    (cherry picked from commit 3be2264be3c00865116f997dc53ebcc90fe7fc4b)

commit a71507e88e9f1ff0d958d77e9194827d7898c42b
Author: Joerg Roedel
Date:   Mon May 17 14:43:35 2010 +0200

    KVM: SVM: Implement workaround for Erratum 383

    This patch implements a workaround for AMD erratum 383 into
    KVM. Without this erratum fix it is possible for a guest to
    kill the host machine. This patch implements the suggested
    workaround for hypervisors which will be published by the
    next revision guide update.

    [jan: fix overflow warning on i386]
    [xiao: fix unused variable warning]

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Jan Kiszka
    Signed-off-by: Xiao Guangrong
    Signed-off-by: Avi Kivity
    (cherry picked from commit 67ec66077799f2fef84b21a643912b179c422281)

commit 4d2e11d122c66cd284881c3442efb4f41c1ffe5c
Author: Joerg Roedel
Date:   Mon May 17 14:43:34 2010 +0200

    KVM: SVM: Handle MCEs early in the vmexit process

    This patch moves handling of the MC vmexits to an earlier
    point in the vmexit. The handle_exit function is too late
    because the vcpu might already have changed its physical
    cpu.

    Cc: stable@kernel.org
    Signed-off-by: Joerg Roedel
    Signed-off-by: Avi Kivity
    (cherry picked from commit fe5913e4e1700cbfc337f4b1da9ddb26f6a55586)

commit 57b8799a75fca910443b5fcc645b091d30aac5db
Author: Avi Kivity
Date:   Thu May 27 14:35:58 2010 +0300

    KVM: MMU: Remove user access when allowing kernel access to gpte.w=0 page

    If cr0.wp=0, we have to allow the guest kernel access to a page with
    pte.w=0. We do that by setting spte.w=1, since the host cr0.wp must
    remain set so the host can write protect pages. Once we allow write
    access, we must remove user access otherwise we mistakenly allow the
    user to write the page.

    Reviewed-by: Xiao Guangrong
    Signed-off-by: Avi Kivity
    (cherry picked from commit 69325a122580d3a7b26589e8efdd6663001c3297)

commit 282d0217435ad7747d615cc19331d72e76f3fa3e
Author: Frank Mayhar
Date:   Sun May 30 22:50:06 2010 -0400

    ext4: Make fsync sync new parent directories in no-journal mode

    commit 14ece1028b3ed53ffec1b1213ffc6acaf79ad77c upstream (as of v2.6.34-git13)

    Add a new ext4 state to tell us when a file has been newly created; use
    that state in ext4_sync_file in no-journal mode to tell us when we need
    to sync the parent directory as well as the inode and data itself. This
    fixes a problem in which a panic or power failure may lose the entire
    file even when using fsync, since the parent directory entry is lost.

    Addresses-Google-Bug: #2480057

    Signed-off-by: Frank Mayhar
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 7b3bfead648da9a5457a639f08eefa96bf4c60d1
Author: Ben Hutchings
Date:   Sun May 30 22:50:05 2010 -0400

    ext4: Fix compat EXT4_IOC_ADD_GROUP

    commit 4d92dc0f00a775dc2e1267b0e00befb783902fe7 upstream (as of v2.6.34-git13)

    struct ext4_new_group_input needs to be converted because u64 has
    only 32-bit alignment on some 32-bit architectures, notably i386.

    Signed-off-by: Ben Hutchings
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 489e65d8ef73c154e1c14eb935081fd7f30a71d9
Author: Ben Hutchings
Date:   Sun May 30 22:50:04 2010 -0400

    ext4: Conditionally define compat ioctl numbers

    commit 899ad0cea6ad7ff4ba24b16318edbc3cbbe03fad upstream (as of v2.6.34-git13)

    It is unnecessary, and in general impossible, to define the compat
    ioctl numbers except when building the filesystem with CONFIG_COMPAT
    defined.

    Signed-off-by: Ben Hutchings
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit cfc3ed8bbe8eaa8b35326b10a8dc7aa6bb8da2a6
Author: Dmitry Monakhov
Date:   Sun May 30 22:50:03 2010 -0400

    ext4: restart ext4_ext_remove_space() after transaction restart

    commit 0617b83fa239db9743a18ce6cc0e556f4d0fd567 upstream (as of v2.6.34-git13)

    If i_data_sem was internally dropped due to transaction restart, it is
    necessary to restart path look-up because extents tree was possibly
    modified by ext4_get_block().

    https://bugzilla.kernel.org/show_bug.cgi?id=15827

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Acked-by: Jan Kara
    Signed-off-by: Greg Kroah-Hartman

commit 6a68fa01f9eb787419ce10d4481617ed241f4b44
Author: Theodore Ts'o
Date:   Sun May 30 22:50:02 2010 -0400

    ext4: Clear the EXT4_EOFBLOCKS_FL flag only when warranted

    commit 786ec7915e530936b9eb2e3d12274145cab7aa7d upstream (as of v2.6.34-git13)

    Dimitry Monakhov discovered an edge case where it was possible for the
    EXT4_EOFBLOCKS_FL flag could get cleared unnecessarily. This is true;
    I have a test case that can be exercised via downloading and
    decompressing the file:

    wget ftp://ftp.kernel.org/pub/linux/kernel/people/tytso/ext4-testcases/eofblocks-fl-test-case.img.bz2
    bunzip2 eofblocks-fl-test-case.img
    dd if=/dev/zero of=eofblocks-fl-test-case.img bs=1k seek=17925 bs=1k count=1 conv=notrunc

    However, triggering it in real life is highly unlikely since it
    requires an extremely fragmented sparse file with a hole in exactly the
    right place in the extent tree. (It actually took quite a bit of work
    to generate this test case.) Still, it's nice to get even extreme
    corner cases to be correct, so this patch makes sure that we don't
    clear the EXT4_EOFBLOCKS_FL incorrectly even in this corner case.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b47b979f9d5c199e34a32d3fbbe64a7fbf1ddcb2
Author: Theodore Ts'o
Date:   Sun May 30 22:50:01 2010 -0400

    ext4: Avoid crashing on NULL ptr dereference on a filesystem error

    commit f70f362b4a6fe47c239dbfb3efc0cc2c10e4f09c upstream (as of v2.6.34-git13)

    If the EOFBLOCK_FL flag is set when it should not be and the inode is
    zero length, then eh_entries is zero, and ex is NULL, so dereferencing
    ex to print ex->ee_block causes a kernel OOPS in
    ext4_ext_map_blocks().

    On top of that, the error message which is printed isn't very helpful.
    So we fix this by printing something more explanatory which doesn't
    involve trying to print ex->ee_block.

    Addresses-Google-Bug: #2655740

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b6eaf5813482cd0f7a26be329845518100097181
Author: Dmitry Monakhov
Date:   Sun May 30 22:50:00 2010 -0400

    ext4: Use bitops to read/modify i_flags in struct ext4_inode_info

    commit 12e9b892002d9af057655d35b44db8ee9243b0dc upstream (as of v2.6.34-git13)

    At several places we modify EXT4_I(inode)->i_flags without holding
    i_mutex (ext4_do_update_inode, ...). These modifications are racy and
    we can lose updates to i_flags. So convert handling of i_flags to use
    bitops which are atomic.

    https://bugzilla.kernel.org/show_bug.cgi?id=15792

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 714b56001acd9d382772f2bf89b8219ca50342c3
Author: Jan Kara
Date:   Sun May 30 22:49:59 2010 -0400

    ext4: Show journal_checksum option

    commit 39a4bade8c1826b658316d66ee81c09b0a4d7d42 upstream (as of v2.6.34-git13)

    We failed to show journal_checksum option in /proc/mounts. Fix it.

    Signed-off-by: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit f6784b3b11fb38c1f3f4be686720b022babfd1e8
Author: Curt Wohlgemuth
Date:   Sun May 30 22:49:58 2010 -0400

    ext4: check for a good block group before loading buddy pages

    commit 8a57d9d61a6e361c7bb159dda797672c1df1a691 upstream (as of v2.6.34-git13)

    This adds a new field in ext4_group_info to cache the largest available
    block range in a block group; and don't load the buddy pages until
    *after* we've done a sanity check on the block group.

    With large allocation requests (e.g., fallocate(), 8MiB) and relatively
    full partitions, it's easy to have no block groups with a block extent
    large enough to satisfy the input request length. This currently causes
    the loop during cr == 0 in ext4_mb_regular_allocator() to load the buddy
    bitmap pages for EVERY block group. That can be a lot of pages. The
    patch below allows us to call ext4_mb_good_group() BEFORE we load the
    buddy pages (although we have check again after we lock the block
    group).

    Addresses-Google-Bug: #2578108
    Addresses-Google-Bug: #2704453

    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 0a27a9e513fa9a229745fe94e42b020f66a7ec10
Author: Nikanth Karthikesan
Date:   Sun May 30 22:49:57 2010 -0400

    ext4: Prevent creation of files larger than RLIMIT_FSIZE using fallocate

    commit 6d19c42b7cf81c39632b6d4dbc514e8449bcd346 upstream (as of v2.6.34-git13)

    Currently using posix_fallocate one can bypass an RLIMIT_FSIZE limit
    and create a file larger than the limit. Add a check for that.
    Signed-off-by: Nikanth Karthikesan
    Signed-off-by: Amit Arora
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 2421348fe2154e9ddadf25794d19833649790db5
Author: Curt Wohlgemuth
Date:   Sun May 30 22:49:56 2010 -0400

    ext4: Remove extraneous newlines in ext4_msg() calls

    commit fbe845ddf368f77f86aa7500f8fd2690f54c66a8 upstream (as of v2.6.34-git13)

    Addresses-Google-Bug: #2562325
    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b502cbd52881b5a7f86fc126f6b1e0e58fbc9b0c
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:55 2010 -0400

    ext4: init statistics after journal recovery

    commit 84061e07c5fbbbf9dc8aef8fb750fc3a2dfc31f3 upstream (as of v2.6.34-git13)

    Currently block/inode/dir counters are initialized before journal was recovered. In fact after journal recovery this info will probably change. And freeblocks is critical for correct delalloc mode accounting.

    https://bugzilla.kernel.org/show_bug.cgi?id=15768

    Signed-off-by: Dmitry Monakhov
    Acked-by: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 55a83256dc7c79c85531b003a71bba37852a48af
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:54 2010 -0400

    ext4: clean up inode bitmaps manipulation in ext4_free_inode

    commit d17413c08cd2b1dd2bf2cfdbb0f7b736b2b2b15c upstream (as of v2..34-git13)

    - Reorganize locking scheme to batch two atomic operations into one. This also allows us to state that a healthy group must obey the following rule:
      ext4_free_inodes_count(sb, gdp) == ext4_count_free(inode_bitmap, NUM);
    - Fix possible undefined pointer dereference.
    - Even if group descriptor stats aren't accessible we have to update inode bitmaps.
    - Move non-group members update out of group_lock.
    Note: this commit has been observed to fix fs corruption problems under heavy fs load

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit ff2d83ca9df8202d9d8cff73c695ec1f0a596028
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:53 2010 -0400

    ext4: Do not zero out uninitialized extents beyond i_size

    commit 21ca087a3891efab4d45488db8febee474d26c68 upstream (as of v2.6.34-git13)

    The extents code will sometimes zero out blocks and mark them as initialized instead of splitting an extent into several smaller ones. This optimization however, causes problems if the extent is beyond i_size because fsck will complain if there are uninitialized blocks after i_size as this can not be distinguished from an inode that has an incorrect i_size field.

    https://bugzilla.kernel.org/show_bug.cgi?id=15742

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 342c35e4f561cefbd927248fbcd45bf68afc12a9
Author: Eric Sandeen
Date:   Sun May 30 22:49:52 2010 -0400

    ext4: don't scan/accumulate more pages than mballoc will allocate

    commit c445e3e0a5c2804524dec6e55f66d63f6bc5bc3e upstream (as of v2.6.34-git13)

    There was a bug reported on RHEL5 that a 10G dd on a 12G box had a very, very slow sync after that.

    At issue was the loop in write_cache_pages scanning all the way to the end of the 10G file, even though the subsequent call to mpage_da_submit_io would only actually write a smallish amt; then we went back to the write_cache_pages loop ... wasting tons of time in calling __mpage_da_writepage for thousands of pages we would just revisit (many times) later.

    Upstream it's not such a big issue for sys_sync because we get to the loop with a much smaller nr_to_write, which limits the loop.

    However, talking with Aneesh he realized that fsync upstream still gets here with a very large nr_to_write and we face the same problem.
    This patch makes mpage_add_bh_to_extent stop the loop after we've accumulated 2048 pages, by setting mpd->io_done = 1; which ultimately causes the write_cache_pages loop to break.

    Repeating the test with a dirty_ratio of 80 (to leave something for fsync to do), I don't see huge IO performance gains, but the reduction in cpu usage is striking: 80% usage with stock, and 2% with the below patch. Instrumenting the loop in write_cache_pages clearly shows that we are wasting time here.

    Eventually we need to change mpage_da_map_pages() to also submit its I/O to the block layer, subsuming mpage_da_submit_io(), and then change it to call ext4_get_blocks() multiple times.

    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 7a5fb6dc311ddb933e8299cb89fab289bc846c9b
Author: Eric Sandeen
Date:   Sun May 30 22:49:51 2010 -0400

    ext4: stop issuing discards if not supported by device

    commit a30eec2a8650a77f754e84b2e15f062fe652baa7 upstream (as of v2.6.34-git13)

    Turn off issuance of discard requests if the device does not support it - similar to the action we take for barriers. This will save a little computation time if a non-discardable device is mounted with -o discard, and also makes it obvious that it's not doing what was asked at mount time ...

    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit e6afda19e101a5c85eb43ec49f00b8336002f2cd
Author: Eric Sandeen
Date:   Sun May 30 22:49:50 2010 -0400

    ext4: don't return to userspace after freezing the fs with a mutex held

    commit 6b0310fbf087ad6e9e3b8392adca97cd77184084 upstream (as of v2.6.34-git13)

    ext4_freeze() used jbd2_journal_lock_updates() which takes the j_barrier mutex, and then returns to userspace. The kernel does not like this:

    ================================================
    [ BUG: lock held when returning to user space! ]
    ------------------------------------------------
    lvcreate/1075 is leaving the kernel with locks still held!
    1 lock held by lvcreate/1075:
     #0: (&journal->j_barrier){+.+...}, at: [] jbd2_journal_lock_updates+0xe1/0xf0

    Use vfs_check_frozen() added to ext4_journal_start_sb() and ext4_force_commit() instead.

    Addresses-Red-Hat-Bugzilla: #568503
    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit ad86a2309c447ebd7fb238f6bafb268e6b7e95b5
Author: Eric Sandeen
Date:   Sun May 30 22:49:49 2010 -0400

    ext4: check s_log_groups_per_flex in online resize code

    commit 42007efd569f1cf3bfb9a61da60ef6c2179508ca upstream (as of v2.6.34-git13)

    If groups_per_flex < 2, sbi->s_flex_groups[] doesn't get filled out, and every other access to this first tests s_log_groups_per_flex; same thing needs to happen in resize or we'll wander off into a null pointer when doing an online resize of the file system.

    Thanks to Christoph Biedl, who came up with the trivial testcase:

    # truncate --size 128M fsfile
    # mkfs.ext3 -F fsfile
    # tune2fs -O extents,uninit_bg,dir_index,flex_bg,huge_file,dir_nlink,extra_isize fsfile
    # e2fsck -yDf -C0 fsfile
    # truncate --size 132M fsfile
    # losetup /dev/loop0 fsfile
    # mount /dev/loop0 mnt
    # resize2fs -p /dev/loop0

    https://bugzilla.kernel.org/show_bug.cgi?id=13549

    Reported-by: Alessandro Polverini
    Test-case-by: Christoph Biedl
    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 6c6671bf3517688371200d8b7e0aaf81e8d82bcc
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:48 2010 -0400

    ext4: fix quota accounting in case of fallocate

    commit 35121c9860316d7799cea0fbc359a9186e7c2747 upstream (as of v2.6.34-git13)

    allocated_meta_data is already included in 'used' variable.
    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit a625298da6c693825126b7054d8ff4a95f2b5668
Author: Christian Borntraeger
Date:   Sun May 30 22:49:47 2010 -0400

    ext4: allow defrag (EXT4_IOC_MOVE_EXT) in 32bit compat mode

    commit b684b2ee9409f2890a8b3aea98525bbe5f84e276 upstream (as of v2.6.34-git13)

    I have an x86_64 kernel with i386 userspace. e4defrag fails on the EXT4_IOC_MOVE_EXT ioctl because it is not wired up for the compat case. It seems that struct move_extent is compat safe, only types with fixed widths are used:

    {
            __u32 reserved;         /* should be zero */
            __u32 donor_fd;         /* donor file descriptor */
            __u64 orig_start;       /* logical start offset in block for orig */
            __u64 donor_start;      /* logical start offset in block for donor */
            __u64 len;              /* block length to be moved */
            __u64 moved_len;        /* moved block length */
    };

    Let's just wire up EXT4_IOC_MOVE_EXT for the compat case.

    Signed-off-by: Christian Borntraeger
    Signed-off-by: "Theodore Ts'o"
    Reviewed-by: Eric Sandeen
    CC: Akira Fujita
    Signed-off-by: Greg Kroah-Hartman

commit 60986a16a01df755929ec52bf31175f8dce8e724
Author: Jing Zhang
Date:   Sun May 30 22:49:46 2010 -0400

    ext4: rename ext4_mb_release_desc() to ext4_mb_unload_buddy()

    commit e39e07fdfd98be8650385f12a7b81d6adc547510 upstream (as of v2.6.34-git13)

    This function cleans up after ext4_mb_load_buddy(), so the renaming makes the code clearer.
    Signed-off-by: Jing Zhang
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 99e25a991d55ab727710829555cf79a24578ea02
Author: Jing Zhang
Date:   Sun May 30 22:49:45 2010 -0400

    ext4: Remove unnecessary call to ext4_get_group_desc() in mballoc

    commit 62e823a2cba18509ee826d775270e8ef9071b5bc upstream (as of v2.6.34-git13)

    Signed-off-by: Jing Zhang
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit caf4fd5d6a45bf7f1db7a966354207475b212322
Author: Jing Zhang
Date:   Sun May 30 22:49:44 2010 -0400

    ext4: fix memory leaks in error path handling of ext4_ext_zeroout()

    commit b720303df7352d4a7a1f61e467e0a124913c0d41 upstream (as of v2.6.34-git13)

    When EIO occurs after bio is submitted, there is no memory free operation for bio, which results in memory leakage. And there is also no check against bio_alloc() for bio.

    Acked-by: Dave Kleikamp
    Signed-off-by: Jing Zhang
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit ee02586911929717c8a1ff47d0b447c615da0b70
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:43 2010 -0400

    ext4: check missed return value in ext4_sync_file()

    commit 0671e704658b9f26f85e78d51176daa861f955c7 upstream (as of v2.6.34-git13)

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 43a1669ae07d79d6462f99bccf649dc3ae39e451
Author: Theodore Ts'o
Date:   Sun May 30 22:49:42 2010 -0400

    ext4: Issue the discard operation *before* releasing the blocks to be reused

    commit b90f687018e6d6c77d981b09203780f7001407e5 upstream (as of v2.6.34-rc6)

    Otherwise, we can end up having data corruption because the blocks could get reused and then discarded!
    https://bugzilla.kernel.org/show_bug.cgi?id=15579

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit adaf14bef627b08726d0f91aeff2594e21451010
Author: Curt Wohlgemuth
Date:   Sun May 30 22:49:41 2010 -0400

    ext4: Fix buffer head leaks after calls to ext4_get_inode_loc()

    commit fd2dd9fbaf9e498ec63eef298921e36556f7214c upstream (as of v2.6.34-rc6)

    Calls to ext4_get_inode_loc() return with a reference to a buffer head in iloc->bh. The callers of this function in ext4_write_inode() when in no journal mode and in ext4_xattr_fiemap() don't release the buffer head after using it.

    Addresses-Google-Bug: #2548165
    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit e30014924c6ea0c42ec4caeaa7782f11299d2ee9
Author: Curt Wohlgemuth
Date:   Sun May 30 22:49:40 2010 -0400

    ext4: Fix possible lost inode write in no journal mode

    commit 8b472d739b2ddd8ab7fb278874f696cd95b25a5e upstream (as of v2.6.34-rc6)

    In the no-journal case, ext4_write_inode() will fetch the bh and call sync_dirty_buffer() on it. However, if the bh has already been written and the bh reclaimed for some other purpose, AND if the inode is the only one in the inode table block in use, then ext4_get_inode_loc() will not read the inode table block from disk, but as an optimization, fill the block with zeros assuming that its caller will copy in the on-disk version of the inode. This is not done by ext4_write_inode(), so the contents of the inode can simply get lost. The fix is to use __ext4_get_inode_loc() with in_mem set to 0, instead of ext4_get_inode_loc(). Long term the API needs to be fixed so it's obvious why latter is not safe.
    Addresses-Google-Bug: #2526446
    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 84b29e4a5037d97d72da25fc40d879a29bf1846d
Author: Eric Sandeen
Date:   Sun May 30 22:49:39 2010 -0400

    ext4: Fixed inode allocator to correctly track a flex_bg's used_dirs

    commit c4caae25187ff3f5e837c6f04eb1acc2723c72d3 upstream (as of v2.6.34-rc3)

    When used_dirs was introduced for the flex_groups struct, it looks like the accounting was not put into place properly, in some places manipulating free_inodes rather than used_dirs.

    Signed-off-by: Eric Sandeen
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 112ba39e2f19652f2baa3823e5ca76848717d905
Author: Jan Kara
Date:   Sun May 30 22:49:38 2010 -0400

    ext4: Fix estimate of # of blocks needed to write indirect-mapped files

    commit d330a5befb88875a9b3d2db62f9b74dadf660b13 upstream (as of v2.6.34-rc3)

    http://bugzilla.kernel.org/show_bug.cgi?id=15420

    Signed-off-by: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 77795ad5902a93ea8f5978da54687b701220a5e5
Author: Akira Fujita
Date:   Sun May 30 22:49:37 2010 -0400

    ext4: Code cleanup for EXT4_IOC_MOVE_EXT ioctl

    commit c437b2733520599a2c6e0dbcdeae611319f84707 upstream (as of v2.6.33-git11)

    a) Fix sparse warning in ext4_ioctl()
    b) Remove unneeded variable in mext_leaf_block()
    c) Fix spelling typo in mext_check_arguments()

    Signed-off-by: Akira Fujita
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit bff3bb48504169e26c55da6847322310e7a0b36e
Author: Akira Fujita
Date:   Sun May 30 22:49:36 2010 -0400

    ext4: Fix the NULL reference in double_down_write_data_sem()

    commit 7247c0caa23d94a1cb6b307edba9dc45fb0798d4 upstream (as of v2.6.33-git11)

    If EXT4_IOC_MOVE_EXT ioctl is called with NULL donor_fd, fget() in ext4_ioctl() gets inappropriate file structure for donor; so we need to do this check earlier, before calling double_down_write_data_sem().
    Signed-off-by: Akira Fujita
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 68285a49fce5634e194be0de1aec6e423d74e1cc
Author: Akira Fujita
Date:   Sun May 30 22:49:35 2010 -0400

    ext4: Fix insertion point of extent in mext_insert_across_blocks()

    commit 5fd5249aa36fad98c9fd5edced352939e54f9324 upstream (as of v2.6.33-git11)

    If the leaf node has 2 extent space or fewer and EXT4_IOC_MOVE_EXT ioctl is called with the file offset where after the 2nd extent covers, mext_insert_across_blocks() always tries to insert extent into the first extent. As a result, the file gets corrupted because of wrong extent order. The patch fixes this problem.

    Signed-off-by: Akira Fujita
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 2b8aa5edf84a8e7cc432cbfda2be7cefa0a46347
Author: Toshiyuki Okajima
Date:   Sun May 30 22:49:34 2010 -0400

    ext4: make "offset" consistent in ext4_check_dir_entry()

    commit b8b8afe236e97b6359d46d3a3f8c46455e192271 upstream (as of v2.6.33-git11)

    The callers of ext4_check_dir_entry() usually pass in the "file offset" (ext4_readdir, htree_dirblock_to_tree, search_dirblock, ext4_dx_find_entry, empty_dir), but a few callers (add_dirent_to_buf, ext4_delete_entry) only pass in the buffer offset.

    To accommodate those last two (which would be hard to fix otherwise), this patch changes ext4_check_dir_entry() to print the physical block number and the relative offset as well as the passed-in offset.

    Signed-off-by: Toshiyuki Okajima
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 449147576c7045a183fc2283b103c9a4f290b3de
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:33 2010 -0400

    ext4: Handle non empty on-disk orphan link

    commit 6e3617e579e070d3655a93ee9ed7149113e795e0 upstream (as of v2.6.33-git11)

    In case of truncate errors we explicitly remove inode from in-core orphan list via orphan_del(NULL, inode) without modifying the on-disk list.
    But later on, the same inode may be inserted in the orphan list again which will result in the on-disk linked list getting corrupted. If inode i_dtime contains valid value, then skip on-disk list modification.

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 2c20b11766ad108f31b550fe28a32cf2ec445b19
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:32 2010 -0400

    ext4: explicitly remove inode from orphan list after failed direct io

    commit da1dafca84413145f5ac59998b4cdd06fb89f721 upstream (as of v2.6.33-git11)

    Otherwise non-empty orphan list will be triggered on umount.

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 338ae6b7be4525d210a49c3e0433ff6a1a34f35d
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:31 2010 -0400

    ext4: fix error handling in migrate

    commit f39490bcd1691d65dc33689222a12e1fc13dd824 upstream (as of v2.6.33-git11)

    Set i_nlink to zero for temporary inode from very beginning. Otherwise we may fail to start new journal handle and this inode will be unreferenced but with i_nlink == 1. Since we hold inode reference it can not be pruned.

    Also add missed journal_start retval check.

    Signed-off-by: Dmitry Monakhov
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit cc4e25d160d611156c74cfca62f1fe331c07ac62
Author: Tao Ma
Date:   Sun May 30 22:49:30 2010 -0400

    ext4: Fix fencepost error in choosing group vs file preallocation.

    commit cc483f102c3f703e853c96f95a654f0106fb2603 upstream (as of v2.6.33-git11)

    The ext4 multiblock allocator decides whether to use group or file preallocation based on the file size. When the file size reaches s_mb_stream_request (default is 16 blocks), it changes to use a file-specific preallocation. This is cool, but it has a tiny problem.
    See a simple script:

    mkfs.ext4 -b 1024 /dev/sda8 1000000
    mount -t ext4 -o nodelalloc /dev/sda8 /mnt/ext4
    for((i=0;i<5;i++))
    do
    cat /mnt/4096>>/mnt/ext4/a #4096 is a file with 4096 characters.
    cat /mnt/4096>>/mnt/ext4/b
    done
    debuge4fs -R 'stat a' /dev/sda8|grep BLOCKS -A 1

    And you get
    BLOCKS:
    (0-14):8705-8719, (15):2356, (16-19):8465-8468

    So there are 3 extents, a bit strange for the lonely 15th logical block. As we write to the 16 blocks, we choose file preallocation in ext4_mb_group_or_file, but in ext4_mb_normalize_request, we meet with the 16*1024 range, so no preallocation will be carried. file b then reserves the space after '2356', so when we write 16, we start from another part.

    This patch just changes the check in ext4_mb_group_or_file, so that for the lonely 15 we will still use group preallocation. After the patch, we will get:

    debuge4fs -R 'stat a' /dev/sda8|grep BLOCKS -A 1
    BLOCKS:
    (0-15):8705-8720, (16-19):8465-8468

    Looks more sane. Thanks.

    Signed-off-by: Tao Ma
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 196739244e2720a6fa8cca8889993fe77ea59501
Author: Jiaying Zhang
Date:   Sun May 30 22:49:29 2010 -0400

    ext4: Add flag to files with blocks intentionally past EOF

    commit c8d46e41bc744c8fa0092112af3942fcd46c8b18 upstream (as of v2.6.33-git11)

    fallocate() may potentially instantiate blocks past EOF, depending on the flags used when it is called.

    e2fsck currently has a test for blocks past i_size, and it sometimes trips up - noticeably on xfstests 013 which runs fsstress.

    This patch from Jiaying does fix it up - it (along with e2fsprogs updates and other patches recently from Aneesh) has survived many fsstress runs in a row.
    Signed-off-by: Eric Sandeen
    Signed-off-by: Jiaying Zhang
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 7085239d9d0eb35533f9ec824346ea09143a3ab3
Author: Curt Wohlgemuth
Date:   Sun May 30 22:49:28 2010 -0400

    ext4: Fix BUG_ON at fs/buffer.c:652 in no journal mode

    commit 73b50c1c92666d326b5fa2c945d46509f2f6d91f upstream (as of v2.6.33-git11)

    Calls to ext4_handle_dirty_metadata should only pass in an inode pointer for inode-specific metadata, and not for shared metadata blocks such as inode table blocks, block group descriptors, the superblock, etc.

    The BUG_ON can get tripped when updating a special device (such as a block device) that is opened (so that i_mapping is set in fs/block_dev.c) and the file system is mounted in no journal mode.

    Addresses-Google-Bug: #2404870
    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 884aefaa8bbc07cdce4e77637f810cdab5940957
Author: Theodore Ts'o
Date:   Sun May 30 22:49:27 2010 -0400

    ext4: Use bitops to read/modify EXT4_I(inode)->i_state

    commit 19f5fb7ad679bb361222c7916086435020c37cce upstream (as of v2.6.33-git11)

    At several places we modify EXT4_I(inode)->i_state without holding i_mutex (ext4_release_file, ext4_bmap, ext4_journalled_writepage, ext4_do_update_inode, ...). These modifications are racy and we can lose updates to i_state. So convert handling of i_state to use bitops which are atomic.

    Cc: Jan Kara
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 6595162b533a3e8d450dd13caec28758892d1be1
Author: Aneesh Kumar K.V
Date:   Sun May 30 22:49:26 2010 -0400

    ext4: Drop EXT4_GET_BLOCKS_UPDATE_RESERVE_SPACE flag

    commit 1296cc85c26e94eb865d03f82140f27d598de467 upstream (as of v2.6.33-rc6)

    We should update reserve space if it is delalloc buffer and that is indicated by EXT4_GET_BLOCKS_DELALLOC_RESERVE flag.
    So use EXT4_GET_BLOCKS_DELALLOC_RESERVE in place of EXT4_GET_BLOCKS_UPDATE_RESERVE_SPACE

    [ Stable note: This fixes a corruption caused by the following reproduction case:

    rm -f $TEST_FN
    touch $TEST_FN
    fallocate -n -o 656712 -l 858907 $TEST_FN
    dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=1011020 count=36983
    sync
    dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=332121 count=24005
    dd if=/dev/zero of=$TEST_FN conv=notrunc bs=1 seek=1040179 count=93319

    If the filesystem is then unmounted and e2fsck run forced, the i_blocks field for the file $TEST_FN will be found to be incorrect. ]

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 8b1213929317c582956da6c76400c8ba3898d35e
Author: Aneesh Kumar K.V
Date:   Sun May 30 22:49:25 2010 -0400

    ext4: Fix quota accounting error with fallocate

    commit 5f634d064c709ea02c3cdaa850a08323a4a4bf28 upstream (as of v2.6.33-rc6)

    When we fallocate a region of the file which we had recently written, and which is still in the page cache marked as delayed allocated blocks we need to make sure we don't do the quota update on writepage path. This is because the needed quota update would have already been done by fallocate.

    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: Greg Kroah-Hartman

commit d285d892115759f005207ea7bb9e08e3c213e550
Author: Aneesh Kumar K.V
Date:   Sun May 30 22:49:24 2010 -0400

    ext4: Handle -EDQUOT error on write

    commit 1db913823c0f8360fccbd24ca67eb073966a5ffd upstream (as of v2.6.33-rc6)

    We need to release the journal before we do a write_inode. Otherwise we could deadlock.
    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: Greg Kroah-Hartman

commit c9b832385f007ceac33b7515f24f2f2dcfd9c2ce
Author: Theodore Ts'o
Date:   Sun May 30 22:49:23 2010 -0400

    ext4: Calculate metadata requirements more accurately

    commit 9d0be50230b333005635967f7ecd4897dbfd181b upstream (as of v2.6.33-rc3)

    In the past, ext4_calc_metadata_amount(), and its sub-functions ext4_ext_calc_metadata_amount() and ext4_indirect_calc_metadata_amount() badly over-estimated the number of metadata blocks that might be required for delayed allocation blocks. This didn't matter as much when functions which managed the reserved metadata blocks were more aggressive about dropping reserved metadata blocks as delayed allocation blocks were written, but unfortunately they were too aggressive. This was fixed in commit 0637c6f, but as a result the over-estimation by ext4_calc_metadata_amount() would lead to reserving 2-3 times the number of pending delayed allocation blocks as potentially required metadata blocks. So if there is 1 megabyte of blocks which have not yet been allocated, up to 3 megabytes of space would get reserved out of the user's quota and from the file system free space pool until all of the inode's data blocks have been allocated.

    This commit addresses this problem by much more accurately estimating the number of metadata blocks that will be required. It will still somewhat over-estimate the number of blocks needed, since it must make a worst case estimate not knowing which physical blocks will be needed, but it is much more accurate than before.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 5d11fc79a018ac6f347b6e8cc39d8dc5c52bb064
Author: Theodore Ts'o
Date:   Sun May 30 22:49:22 2010 -0400

    ext4: Fix accounting of reserved metadata blocks

    commit ee5f4d9cdf32fd99172d11665c592a288c2b1ff4 upstream (as of v2.6.33-rc3)

    Commit 0637c6f had a typo which caused the reserved metadata blocks to not be released correctly. Fix this.
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit beb62f7a7f25fe3b0eeca660d2af3949cde768b4
Author: Theodore Ts'o
Date:   Sun May 30 22:49:21 2010 -0400

    ext4: Patch up how we claim metadata blocks for quota purposes

    commit 0637c6f4135f592f094207c7c21e7c0fc5557834 upstream (as of v2.6.33-rc3)

    As reported in Kernel Bugzilla #14936, commit d21cd8f triggered a BUG in the function ext4_da_update_reserve_space() found in fs/ext4/inode.c. The root cause of this BUG() was caused by the fact that ext4_calc_metadata_amount() can severely over-estimate how many metadata blocks will be needed, especially when using direct block-mapped files.

    In addition, it can also badly *under* estimate how much space is needed, since ext4_calc_metadata_amount() assumes that the blocks are contiguous, and this is not always true. If the application is writing blocks to a sparse file, the number of metadata blocks necessary can be severely underestimated by the functions ext4_da_reserve_space(), ext4_da_update_reserve_space() and ext4_da_release_space(). This was the cause of the dq_claim_space reports found on kerneloops.org.

    Unfortunately, doing this right means that we need to massively over-estimate the amount of free space needed. So in some cases we may need to force the inode to be written to disk asynchronously in order to avoid spurious quota failures.

    http://bugzilla.kernel.org/show_bug.cgi?id=14936

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 13a4fbba7adcdc9ea1ec832babe2ddfc44d25042
Author: Aneesh Kumar K.V
Date:   Sun May 30 22:49:20 2010 -0400

    ext4: Ensure zeroout blocks have no dirty metadata

    commit 515f41c33a9d44a964264c9511ad2c869af1fac3 upstream (as of v2.6.33-rc3)

    This fixes a bug (found by Curt Wohlgemuth) in which new blocks returned from an extent created with ext4_ext_zeroout() can have dirty metadata still associated with them.
    Signed-off-by: Aneesh Kumar K.V
    Signed-off-by: Curt Wohlgemuth
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit fe018ae1417dd3e02bdf42190b688afc17ccda46
Author: Richard Kennedy
Date:   Sun May 30 22:49:19 2010 -0400

    ext4: return correct wbc.nr_to_write in ext4_da_writepages

    commit 2faf2e19dd0e060eeb32442858ef495ac3083277 upstream (as of v2.6.33-rc3)

    When ext4_da_writepages increases the nr_to_write in writeback_control then it must always re-base the return value.

    Originally there was a (misguided) attempt to prevent wbc.nr_to_write from going negative. In fact, it's necessary to allow nr_to_write to be negative so that wb_writeback() can correctly calculate how many pages were actually written.

    Signed-off-by: Richard Kennedy
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b387026e9ffb1167ab14b40a81bc37fbb0068e04
Author: Julia Lawall
Date:   Sun May 30 22:49:18 2010 -0400

    ext4: Eliminate potential double free on error path

    commit d3533d72e7478a61a3e1936956fc825289a2acf4 upstream (as of v2.6.33-rc3)

    b_entry_name and buffer are initially NULL, are initialized within a loop to the result of calling kmalloc, and are freed at the bottom of this loop. The loop contains gotos to cleanup, which also frees b_entry_name and buffer. Some of these gotos are before the reinitializations of b_entry_name and buffer. To maintain the invariant that b_entry_name and buffer are NULL at the top of the loop, and thus acceptable arguments to kfree, these variables are now set to NULL after the kfrees.

    This seems to be the simplest solution. A more complicated solution would be to introduce more labels in the error handling code at the end of the function.

    A simplified version of the semantic match that finds this problem is as follows: (http://coccinelle.lip6.fr/)

    //
    @r@
    identifier E;
    expression E1;
    iterator I;
    statement S;
    @@

    *kfree(E);
    ... when != E = E1
        when != I(E,...)
    S
        when != &E
    *kfree(E);
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit 7589529d0a233f28bd20e1b7775324dcf9cfb499
Author: Theodore Ts'o
Date:   Sun May 30 22:49:17 2010 -0400

    ext4, jbd2: Add barriers for file systems with external journals

    commit cc3e1bea5d87635c519da657303690f5538bb4eb upstream (as of v2.6.33-rc3)

    This is a bit complicated because we are trying to optimize when we send barriers to the fs data disk. We could just throw in an extra barrier to the data disk whenever we send a barrier to the journal disk, but that's not always strictly necessary.

    We only need to send a barrier during a commit when there are data blocks which must be written out due to an inode written in ordered mode, or if fsync() depends on the commit to force data blocks to disk. Finally, before we drop transactions from the beginning of the journal during a checkpoint operation, we need to guarantee that any blocks that were flushed out to the data disk are firmly on the rust platter before we drop the transaction from the journal.

    Thanks to Oleg Drokin for pointing out this flaw in ext3/ext4.

    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit b235a77c0fb44fd428525591a968da14844b6f4d
Author: Surbhi Palande
Date:   Sun May 30 22:49:16 2010 -0400

    ext4: replace BUG() with return -EIO in ext4_ext_get_blocks

    commit 034fb4c95fc0fed4ec4a50778127b92c6f2aec01 upstream (as of v2.6.33-rc3)

    This patch fixes the Kernel BZ #14286. When the address of an extent corresponding to a valid block is corrupted, a -EIO should be reported instead of a BUG(). This situation should not normally occur except in the case of a corrupted filesystem. If however it does, then the system should not panic directly but depending on the mount time options appropriate action should be taken. If the mount options so permit, the I/O should be gracefully aborted by returning a -EIO.
    http://bugzilla.kernel.org/show_bug.cgi?id=14286

    Signed-off-by: Surbhi Palande
    Signed-off-by: "Theodore Ts'o"
    Signed-off-by: Greg Kroah-Hartman

commit e1d532a22026a3ef767b2463c299d2a6451e8aee
Author: Dmitry Monakhov
Date:   Sun May 30 22:49:14 2010 -0400

    ext4: Fix potential quota deadlock

    commit d21cd8f163ac44b15c465aab7306db931c606908 upstream (as of v2.6.33-rc2)

    We have to delay vfs_dq_claim_space() until allocation context destruction. Currently we have following call-trace:

    ext4_mb_new_blocks()
      /* task is already holding ac->alloc_semp */
     ->ext4_mb_mark_diskspace_used
        ->vfs_dq_claim_space() /* acquire dqptr_sem here. Possible deadlock */
     ->ext4_mb_release_context() /* drop ac->alloc_semp here */

    Let's move quota claiming to ext4_da_update_reserve_space()

    =======================================================
    [ INFO: possible circular locking dependency detected ]
    2.6.32-rc7 #18
    -------------------------------------------------------
    write-truncate-/3465 is trying to acquire lock:
     (&s->s_dquot.dqptr_sem){++++..}, at: [] dquot_claim_space+0x3b/0x1b0

    but task is already holding lock:
     (&meta_group_info[i]->alloc_sem){++++..}, at: [] ext4_mb_load_buddy+0xb2/0x370

    which lock already depends on the new lock.
    the existing dependency chain (in reverse order) is:

    -> #3 (&meta_group_info[i]->alloc_sem){++++..}:
           [] __lock_acquire+0xd7b/0x1260
           [] lock_acquire+0xba/0xd0
           [] down_read+0x51/0x90
           [] ext4_mb_load_buddy+0xb2/0x370
           [] ext4_mb_free_blocks+0x46c/0x870
           [] ext4_free_blocks+0x73/0x130
           [] ext4_ext_truncate+0x76c/0x8d0
           [] ext4_truncate+0x187/0x5e0
           [] vmtruncate+0x6b/0x70
           [] inode_setattr+0x62/0x190
           [] ext4_setattr+0x25a/0x370
           [] notify_change+0x151/0x340
           [] do_truncate+0x6d/0xa0
           [] may_open+0x1d4/0x200
           [] do_filp_open+0x1eb/0x910
           [] do_sys_open+0x6d/0x140
           [] sys_open+0x2e/0x40
           [] sysenter_do_call+0x12/0x32

    -> #2 (&ei->i_data_sem){++++..}:
           [] __lock_acquire+0xd7b/0x1260
           [] lock_acquire+0xba/0xd0
           [] down_read+0x51/0x90
           [] ext4_get_blocks+0x47/0x450
           [] ext4_getblk+0x61/0x1d0
           [] ext4_bread+0x1f/0xa0
           [] ext4_quota_write+0x12c/0x310
           [] qtree_write_dquot+0x93/0x120
           [] v2_write_dquot+0x28/0x30
           [] dquot_commit+0xab/0xf0
           [] ext4_write_dquot+0x77/0x90
           [] ext4_mark_dquot_dirty+0x2f/0x50
           [] dquot_alloc_inode+0x101/0x180
           [] ext4_new_inode+0x602/0xf00
           [] ext4_create+0x89/0x150
           [] vfs_create+0xa2/0xc0
           [] do_filp_open+0x7a7/0x910
           [] do_sys_open+0x6d/0x140
           [] sys_open+0x2e/0x40
           [] sysenter_do_call+0x12/0x32

    -> #1 (&sb->s_type->i_mutex_key#7/4){+.+...}:
           [] __lock_acquire+0xd7b/0x1260
           [] lock_acquire+0xba/0xd0
           [] mutex_lock_nested+0x65/0x2d0
           [] vfs_load_quota_inode+0x4bd/0x5a0
           [] vfs_quota_on_path+0x5f/0x70
           [] ext4_quota_on+0x112/0x190
           [] sys_quotactl+0x44a/0x8a0
           [] sysenter_do_call+0x12/0x32

    -> #0 (&s->s_dquot.dqptr_sem){++++..}:
           [] __lock_acquire+0x1091/0x1260
           [] lock_acquire+0xba/0xd0
           [] down_read+0x51/0x90
           [] dquot_claim_space+0x3b/0x1b0
           [] ext4_mb_mark_diskspace_used+0x36f/0x380
           [] ext4_mb_new_blocks+0x34a/0x530
           [] ext4_ext_get_blocks+0x122b/0x13c0
           [] ext4_get_blocks+0x226/0x450
           [] mpage_da_map_blocks+0xc3/0xaa0
           [] ext4_da_writepages+0x506/0x790
           [] do_writepages+0x22/0x50
           [] __filemap_fdatawrite_range+0x6d/0x80
           [] filemap_flush+0x2b/0x30
           [] ext4_alloc_da_blocks+0x5c/0x60
           []
ext4_release_file+0x75/0xb0 [] __fput+0xf9/0x210 [] fput+0x27/0x30 [] filp_close+0x4c/0x80 [] put_files_struct+0x6e/0xd0 [] exit_files+0x47/0x60 [] do_exit+0x144/0x710 [] do_group_exit+0x38/0xa0 [] get_signal_to_deliver+0x2ac/0x410 [] do_notify_resume+0xb9/0x890 [] work_notifysig+0x13/0x21 other info that might help us debug this: 3 locks held by write-truncate-/3465: #0: (jbd2_handle){+.+...}, at: [] start_this_handle+0x38f/0x5c0 #1: (&ei->i_data_sem){++++..}, at: [] ext4_get_blocks+0xb6/0x450 #2: (&meta_group_info[i]->alloc_sem){++++..}, at: [] ext4_mb_load_buddy+0xb2/0x370 stack backtrace: Pid: 3465, comm: write-truncate- Not tainted 2.6.32-rc7 #18 Call Trace: [] ? printk+0x1d/0x22 [] print_circular_bug+0xca/0xd0 [] __lock_acquire+0x1091/0x1260 [] ? sched_clock_local+0xd2/0x170 [] ? trace_hardirqs_off_caller+0x20/0xd0 [] lock_acquire+0xba/0xd0 [] ? dquot_claim_space+0x3b/0x1b0 [] down_read+0x51/0x90 [] ? dquot_claim_space+0x3b/0x1b0 [] dquot_claim_space+0x3b/0x1b0 [] ext4_mb_mark_diskspace_used+0x36f/0x380 [] ext4_mb_new_blocks+0x34a/0x530 [] ? ext4_ext_find_extent+0x25d/0x280 [] ext4_ext_get_blocks+0x122b/0x13c0 [] ? sched_clock_local+0xd2/0x170 [] ? sched_clock_cpu+0x120/0x160 [] ? cpu_clock+0x4f/0x60 [] ? trace_hardirqs_off_caller+0x20/0xd0 [] ? down_write+0x8c/0xa0 [] ext4_get_blocks+0x226/0x450 [] ? sched_clock_cpu+0x120/0x160 [] ? cpu_clock+0x4f/0x60 [] ? trace_hardirqs_off+0xb/0x10 [] mpage_da_map_blocks+0xc3/0xaa0 [] ? find_get_pages_tag+0x16c/0x180 [] ? find_get_pages_tag+0x0/0x180 [] ? __mpage_da_writepage+0x16d/0x1a0 [] ? pagevec_lookup_tag+0x2e/0x40 [] ? write_cache_pages+0xdb/0x3d0 [] ? __mpage_da_writepage+0x0/0x1a0 [] ext4_da_writepages+0x506/0x790 [] ? cpu_clock+0x4f/0x60 [] ? sched_clock_local+0xd2/0x170 [] ? sched_clock_cpu+0x120/0x160 [] ? sched_clock_cpu+0x120/0x160 [] ? 
ext4_da_writepages+0x0/0x790 [] do_writepages+0x22/0x50 [] __filemap_fdatawrite_range+0x6d/0x80 [] filemap_flush+0x2b/0x30 [] ext4_alloc_da_blocks+0x5c/0x60 [] ext4_release_file+0x75/0xb0 [] __fput+0xf9/0x210 [] fput+0x27/0x30 [] filp_close+0x4c/0x80 [] put_files_struct+0x6e/0xd0 [] exit_files+0x47/0x60 [] do_exit+0x144/0x710 [] ? lock_release_holdtime+0x33/0x210 [] ? _spin_unlock_irq+0x27/0x30 [] do_group_exit+0x38/0xa0 [] ? trace_hardirqs_on+0xb/0x10 [] get_signal_to_deliver+0x2ac/0x410 [] do_notify_resume+0xb9/0x890 [] ? trace_hardirqs_off_caller+0x20/0xd0 [] ? lock_release_holdtime+0x33/0x210 [] ? autoremove_wake_function+0x0/0x50 [] ? trace_hardirqs_on_caller+0x134/0x190 [] ? trace_hardirqs_on+0xb/0x10 [] ? security_file_permission+0x14/0x20 [] ? vfs_write+0x131/0x190 [] ? do_sync_write+0x0/0x120 [] ? sysenter_do_call+0x27/0x32 [] work_notifysig+0x13/0x21 CC: Theodore Ts'o Signed-off-by: Dmitry Monakhov Signed-off-by: Jan Kara Signed-off-by: Greg Kroah-Hartman commit 2441cdd9bb277e0fe7f7fabbe8397adfa8f5d8ba Author: Ben Hutchings Date: Wed Jul 28 23:53:47 2010 +0100 ethtool: Fix potential user buffer overflow for ETHTOOL_{G, S}RXFH commit bf988435bd5b53529f4408a8efb1f433f6ddfda9 upstream. struct ethtool_rxnfc was originally defined in 2.6.27 for the ETHTOOL_{G,S}RXFH command with only the cmd, flow_type and data fields. It was then extended in 2.6.30 to support various additional commands. These commands should have been defined to use a new structure, but it is too late to change that now. Since user-space may still be using the old structure definition for the ETHTOOL_{G,S}RXFH commands, and since they do not need the additional fields, only copy the originally defined fields to and from user-space. Signed-off-by: Ben Hutchings Signed-off-by: David S. 
Miller Signed-off-by: Greg Kroah-Hartman commit 699be7999d6dd286b4f652c7bc7901236fbc3cf5 Author: Corey Minyard Date: Wed Jul 21 08:39:22 2010 -0500 USB: FTDI: Add support for the RT System VX-7 radio programming cable commit fcc6cb789c77ffee31710eec64efeb25f2124f7a upstream. RT Systems has put out bunch of ham radio cables based on the FT232RL chip. Each cable type has a unique PID, this adds one for the Yaesu VX-7 radios. Signed-off-by: Corey Minyard Signed-off-by: Greg Kroah-Hartman commit 524cce03124112240120f823b87b7137629531d2 Author: Oliver Neukum Date: Wed Jul 14 18:26:22 2010 +0200 USB: add quirk for Broadcom BT dongle commit 63ab71deae67b031045bb28bf8cff45180089f8f upstream. This device needs to be reset when resuming Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 0e0752d9c1900c5cdfd2c526235958ecf07dd0be Author: Oliver Neukum Date: Fri Jul 16 17:36:26 2010 +0200 USB: sisusbvga: Fix for USB 3.0 commit 20a12f007feee1cfa761b431047271d1141d8031 upstream. Super speed is also fast enough to let sisusbvga operate. Therefor expand the checks. Signed-off-by: Oliver Neukum Signed-off-by: Greg Kroah-Hartman commit 4e394e0b6317facc97832ec78edcf4d7d3303c5c Author: Paul Mortier Date: Fri Jul 9 13:18:50 2010 +0100 USB: adds Artisman USB dongle to list of quirky devices commit 47f19c0eedb377ad1ee8114f464d001ec5f96a69 upstream. When an attempt is made to read the interface strings of the Artisman Watchdog USB dongle (idVendor:idProduct 04b4:0526) an error is written to the dmesg log (uhci_result_common: failed with status 440000) and the dongle resets itself, resulting in a disconnect/reconnect loop. Adding the dongle to the list of devices in quirks.c, with the same quirk Alan Stern's previous patch for the Saitek Cyborg Gold 3D joystick, stops the device from resetting and allows it to be used with no problems. 
    Signed-off-by: Paul Mortier
    Signed-off-by: Greg Kroah-Hartman

commit ba873b31b556f03dced9e6e967d5a88d8143d1c6
Author: Dennis Jansen
Date:   Fri Jul 9 22:03:53 2010 +0200

    USB: option: Add support for AMOI Skypephone S2

    commit 7595931c986f50b1e197ce7b881563e36a7d041e upstream.

    usbserial: Add AMOI Skypephone S2 support.

    This patch adds support for the AMOI Skypephone S2 to the usbserial
    module.

    Tested-by: Dennis Jansen
    Signed-off-by: Dennis Jansen
    Signed-off-by: Greg Kroah-Hartman

commit 81861ce0dde1a4ebcfe42cdca768efcc21d3a477
Author: Colin Leitner
Date:   Thu Jul 1 10:49:55 2010 +0200

    USB: ftdi_sio: support for Signalyzer tools based on FTDI chips

    commit 77dbd74e16b566e9d5eeb4be18ae3ee7d5902bd3 upstream.

    ftdi_sio: support for Signalyzer tools based on FTDI chips

    This patch adds support for the Xverve Signalyzers.

    Signed-off-by: Colin Leitner
    Signed-off-by: Greg Kroah-Hartman

commit 1867990f8a7dc9fc6e9bd7917f9e03c402277686
Author: august huber
Date:   Mon Jun 28 11:46:05 2010 -0700

    USB: Add PID for Sierra 250U to drivers/usb/serial/sierra.c

    commit 9d72c81d657340e54a260a3b621f4a9f5b33829c upstream.

    Add VID/PID for Sierra Wireless 250U USB dongle to sierra.c
    Allows use of 3G radio only

    Signed-off-by: August Huber
    Cc: Elina Pasheva
    Signed-off-by: Greg Kroah-Hartman

commit c57692fcaaa8a8dd78eb3fd7b0a8a8eaae8b7666
Author: Ömer Sezgin Ugurlu
Date:   Mon Jun 28 19:01:58 2010 +0300

    USB: option: add support for 1da5:4518

    commit 646d90e2b925578abef5c45853e0b166b6a450bf upstream.

    Signed-off-by: Omer Sezgin Ugurlu
    Signed-off-by: Greg Kroah-Hartman

commit 41be4cf9fb0106bc531145c1dce21405c8591949
Author: Jon Povey
Date:   Mon Jun 14 19:42:10 2010 +0900

    USB: g_serial: fix tty cleanup on unload

    commit b23097b793081358a6d943263c91bae4c955c4e3 upstream.

    Call put_tty_driver() in cleanup function, to fix Oops when trying to
    open gadget serial char device after module unload.
    Signed-off-by: Jon Povey
    Acked-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman

commit a79d122e31ff1c9b5923112de11dbf862ab7deb1
Author: Jon Povey
Date:   Mon Jun 14 19:41:04 2010 +0900

    USB: g_serial: don't set low_latency flag

    commit 44a0c0190b500ee6bcfc0976fe540f65dee2cd67 upstream.

    No longer set low_latency flag as it causes this warning backtrace:

    WARNING: at kernel/mutex.c:207 __mutex_lock_slowpath+0x6c/0x288()

    Fix associated locking and wakeups.

    Signed-off-by: Jon Povey
    Cc: Maulik Mankad
    Acked-by: David Brownell
    Signed-off-by: Greg Kroah-Hartman

commit 9ba6cac516c3ed804241b7ced552a3ad60a21a06
Author: Alan Stern
Date:   Tue Jun 22 16:14:48 2010 -0400

    USB: obey the sysfs power/wakeup setting

    commit 48826626263d4a61d06fd8c5805da31f925aefa0 upstream.

    This patch (as1403) is a partial reversion of an earlier change
    (commit 5f677f1d45b2bf08085bbba7394392dfa586fa8e "USB: fix remote
    wakeup settings during system sleep"). After hearing from a user, I
    realized that remote wakeup should be enabled during system sleep
    whenever userspace allows it, and not only if a driver requests it
    too.

    Indeed, there could be a device with no driver, that does nothing but
    generate a wakeup request when the user presses a button. Such a
    device should be allowed to do its job.

    The problem fixed by the earlier patch -- device generating a wakeup
    request for no reason, causing system suspend to abort -- was also
    addressed by a later patch ("USB: don't enable remote wakeup by
    default", accepted but not yet merged into mainline). The device
    won't be able to generate the bogus wakeup requests because it will
    be disabled for remote wakeup by default. Hence this reversion will
    not re-introduce any old problems.

    Signed-off-by: Alan Stern
    Signed-off-by: Greg Kroah-Hartman

commit 768c810fdef3421ad80a2637b789b3f79d80e9cb
Author: Pavel Roskin
Date:   Tue Mar 9 23:11:07 2010 -0500

    Staging: rtl8192su: add USB ID for 0bda:8171

    commit c0087580b8d414f6874cfe93d2653212842fcb44 upstream.
    Signed-off-by: Pavel Roskin
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit d5dfd8396a7485e4f24f7d1cc4167feb29b7f626
Author: Stephane Glondu
Date:   Thu Dec 17 15:41:23 2009 +0100

    staging: rtl8192su: add USB VID/PID for HWNUm-300

    commit 488d3749620779ab2668c0dba2962836e51e3cd6 upstream.

    The Hercules Wireless N USB mini (HWNUm-300) uses the RTL8191S
    chipset and seems to work with this driver.

    Signed-off-by: Stephane Glondu
    Cc: Ben Hutchings
    Signed-off-by: Greg Kroah-Hartman

commit 2d336114ea3e849673b1d61faef6e15688ea59b6
Author: Stefano Stabellini
Date:   Wed Jul 21 18:32:37 2010 +0100

    x86: Do not try to disable hpet if it hasn't been initialized before

    commit ff4878089e1eaeac79d57878ad4ea32910fb4037 upstream.

    hpet_disable is called unconditionally on machine reboot if hpet
    support is compiled in the kernel.
    hpet_disable only checks if the machine is hpet capable but doesn't
    make sure that hpet has been initialized.

    [ tglx: Made it a one liner and removed the redundant hpet_address
      check ]

    Signed-off-by: Stefano Stabellini
    Acked-by: Venkatesh Pallipadi
    LKML-Reference:
    Signed-off-by: Thomas Gleixner
    Signed-off-by: Greg Kroah-Hartman

commit 75062391eb118b83528ff549d48f067e7d06aff7
Author: Nicolas Pitre
Date:   Wed Jul 14 05:21:22 2010 +0100

    ARM: 6226/1: fix kprobe bug in ldr instruction emulation

    commit 0ebe25f90cd99bb1bcf622ec8a841421d48380d6 upstream.

    From: Bin Yang

    Signed-off-by: Bin Yang
    Signed-off-by: Nicolas Pitre
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 275f9ba5b720b1055de9166e2f88ef08ba98bf9d
Author: Catalin Marinas
Date:   Thu Jul 1 13:21:47 2010 +0100

    ARM: 6201/1: RealView: Do not use outer_sync() on ARM11MPCore boards with L220

    commit 2503a5ecd86c002506001eba432c524ea009fe7f upstream.

    RealView boards with certain revisions of the L220 cache controller
    (ARM11* processors only) may have issues (hardware deadlock) with the
    recent changes to the mb() barrier implementation (DSB followed by an
    L2 cache sync).
    The patch redefines the RealView ARM11MPCore mandatory barriers
    without the outer_sync() call.

    Tested-by: Linus Walleij
    Signed-off-by: Catalin Marinas
    Signed-off-by: Russell King
    Signed-off-by: Greg Kroah-Hartman

commit 7f9079606b66c6c477406108fba53bdd4f58b10b
Author: Dmitry Torokhov
Date:   Tue Jul 20 20:25:35 2010 -0700

    Input: twl40300-keypad - fix handling of "all ground" rows

    commit 3fea60261e73dbf4a51130d40cafcc8465b0f2c3 upstream.

    The Nokia RX51 board code (arch/arm/mach-omap2/board-rx51-peripherals.c)
    defines a key map for the matrix keypad keyboard. The hardware seems
    to use all of the 8 rows and 8 columns of the keypad, although not
    all possible locations are used.

    The TWL4030 supports keypads with at most 8 rows and 8 columns. Most
    keys are defined with a row and column number between 0 and 7, except

            KEY(0xff, 2, KEY_F9),
            KEY(0xff, 4, KEY_F10),
            KEY(0xff, 5, KEY_F11),

    which represent keycodes that should be emitted when entire row is
    connected to the ground. since the driver handles this case as if we
    had an extra column in the key matrix. Unfortunately we do not
    allocate enough space and end up overwriting some random memory.

    Reported-and-tested-by: Laurent Pinchart
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit b80374e2606aa788acb6debf95c1f97b0308f851
Author: Kamal Mostafa
Date:   Mon Jul 19 11:00:52 2010 -0700

    Input: i8042 - add Gigabyte Spring Peak to dmi_noloop_table

    commit 3e1bbc8d5018a05c0793c8a32b777a1396eb4414 upstream.

    Gigabyte "Spring Peak" notebook indicates wrong chassis-type,
    tripping up i8042 and breaking the touchpad. Add this model to
    i8042_dmi_noloop_table[] to resolve.
    BugLink: https://bugs.launchpad.net/bugs/580664

    Signed-off-by: Kamal Mostafa
    Signed-off-by: Dmitry Torokhov
    Signed-off-by: Greg Kroah-Hartman

commit 3ea41f9c05bd3a7888d8ad1a585418658be0358f
Author: Or Gerlitz
Date:   Sun Jun 6 04:59:16 2010 +0000

    IPoIB: Fix world-writable child interface control sysfs attributes

    commit 7a52b34b07122ff5f45258d47f260f8a525518f0 upstream.

    Sumeet Lahorani reported that the IPoIB child entries are
    world-writable; however we don't want ordinary users to be able to
    create and destroy child interfaces, so fix them to be writable only
    by root.

    Signed-off-by: Or Gerlitz
    Signed-off-by: Roland Dreier
    Signed-off-by: Greg Kroah-Hartman

commit 51d47ca810c85197369ddcdc8f437d5ee16be0f0
Author: Yinghai Lu
Date:   Thu Jul 15 00:00:59 2010 -0700

    x86: Fix x2apic preenabled system with kexec

    commit fd19dce7ac07973f700b0f13fb7f94b951414a4c upstream.

    Found one x2apic system kexec loop test failed
    when CONFIG_NMI_WATCHDOG=y (old) or CONFIG_LOCKUP_DETECTOR=y (current tip)

    first kernel can kexec second kernel, but second kernel can not kexec
    third one.

    it can be duplicated on another system with BIOS preenabled x2apic.
    First kernel can not kexec second kernel.

    It turns out, when kernel boot with pre-enabled x2apic, it will not
    execute disable_local_APIC on shutdown path.

    when init_apic_mappings() is called in setup_arch, it will skip
    setting of apic_phys when x2apic_mode is set. ( x2apic_mode is much
    early check_x2apic()) Then later, disable_local_APIC() will bail out
    early because !apic_phys.

    So check !x2apic_mode in x2apic_mode in disable_local_APIC with
    !apic_phys.

    another solution could be updating init_apic_mappings() to set
    apic_phys even for preenabled x2apic system. Actually even for x2apic
    system, that lapic address is mapped already in early stage.

    BTW: is there any x2apic preenabled system with apicid of boot cpu > 255?

    Signed-off-by: Yinghai Lu
    LKML-Reference: <4C3EB22B.3000701@kernel.org>
    Acked-by: Suresh Siddha
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit f4c9ec3155141618afe3ec0a37b2fa342563902e
Author: Mark Brown
Date:   Sat Jul 17 14:20:17 2010 +0100

    ASoC: Remove duplicate AUX definition from WM8776

    commit 3c0709396df0869786f83e4b2d2d687c70ee886d upstream.

    Signed-off-by: Mark Brown
    Acked-by: Liam Girdwood
    Signed-off-by: Greg Kroah-Hartman

commit 7fd9ab342f459dd87d2df21c0950bbc62524b76a
Author: Marek Szyprowski
Date:   Tue Jul 20 13:24:33 2010 -0700

    sdhci-s3c: add missing remove function

    commit 9d51a6b2487724e8713cd2794cf09ffeee5f6932 upstream.

    System will crash sooner or later once the memory with the code of
    the s3c-sdhci.ko module is reused for something else. I really have
    no idea how the lack of remove function went unnoticed into the
    mainline code.

    Signed-off-by: Marek Szyprowski
    Signed-off-by: Kyungmin Park
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit 81cb675339c33e6cc30c14e367502692a90b9736
Author: Ben Hutchings
Date:   Mon Jun 28 08:44:07 2010 +0000

    ethtool: Fix potential kernel buffer overflow in ETHTOOL_GRXCLSRLALL

    commit db048b69037e7fa6a7d9e95a1271a50dc08ae233 upstream.

    On a 32-bit machine, info.rule_cnt >= 0x40000000 leads to integer
    overflow and the buffer may be smaller than needed. Since
    ETHTOOL_GRXCLSRLALL is unprivileged, this can presumably be used for
    at least denial of service.

    Signed-off-by: Ben Hutchings
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 8ab78dc05e61a6840a041d1a973616e9815dd84c
Author: Joakim Tjernlund
Date:   Tue Jun 29 15:05:34 2010 -0700

    rtc: fix ds1388 time corruption

    commit 96fc3a45ea073136566f3c2676cad52f8b39a7df upstream.

    The ds1307 driver misreads the ds1388 registers when checking for 12
    or 24 hour mode. Instead of checking the hour register it reads the
    minute register. Therefore the driver thinks minutes >= 40 has the
    12HR bit set and resets the minute register by zeroing the high bits.
    This results in minutes being reset to 0-9, jumping back in time 40
    or 50 minutes. The time jump is also written back to the RTC.

    Signed-off-by: Joakim Tjernlund
    Cc: Wan ZongShun
    Cc: Alessandro Zummo
    Cc: Paul Gortmaker
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit dc6330590fbd5fad17f06663c5f0bed834054b2b
Author: Ilpo Järvinen
Date:   Mon Jul 19 01:16:18 2010 +0000

    tcp: fix crash in tcp_xmit_retransmit_queue

    commit 45e77d314585869dfe43c82679f7e08c9b35b898 upstream.

    It can happen that there are no packets in queue while calling
    tcp_xmit_retransmit_queue(). tcp_write_queue_head() then returns
    NULL and that gets deref'ed to get sacked into a local var.

    There is no work to do if no packets are outstanding so we just exit
    early.

    This oops was introduced by 08ebd1721ab8fd (tcp: remove tp->lost_out
    guard to make joining diff nicer).

    Signed-off-by: Ilpo Järvinen
    Reported-by: Lennart Schulte
    Tested-by: Lennart Schulte
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d7091c2bbded22430db06e5172a3b4c3ee7f3cd8
Author: Doug Kehn
Date:   Wed Jul 14 18:02:16 2010 -0700

    net/core: neighbour update Oops

    commit 91a72a70594e5212c97705ca6a694bd307f7a26b upstream.

    When configuring DMVPN (GRE + openNHRP) and a GRE remote address is
    configured a kernel Oops is observed. The observed Oops is caused by
    a NULL header_ops pointer (neigh->dev->header_ops) in
    neigh_update_hhs() when

    void (*update)(struct hh_cache*, const struct net_device*, const unsigned char *)
    = neigh->dev->header_ops->cache_update;

    is executed. The dev associated with the NULL header_ops is the GRE
    interface. This patch guards against the possibility that header_ops
    is NULL.

    This Oops was first observed in kernel version 2.6.26.8.

    Signed-off-by: Doug Kehn
    Acked-by: Eric Dumazet
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit bc823014630b05fb2deb5cf0a15032de63c41d89
Author: Mikulas Patocka
Date:   Tue Apr 6 16:43:33 2010 -0700

    ide: Fix IDE taskfile with cfq scheduler

    commit 720fc22a7af79d91ec460c80efa92c65c12d105e upstream.

    When ide taskfile access is being used (for example with hdparm
    --security commands) and cfq scheduler is selected, the scheduler
    crashes on BUG in cfq_put_request.

    The reason is that the cfq scheduler is tracking counts of read and
    write requests separately; the ide-taskfile subsystem allocates a
    read request and then flips the flag to make it a write request. The
    counters in cfq will mismatch.

    This patch changes ide-taskfile to allocate the READ or WRITE request
    as required and don't change the flag later.

    Signed-off-by: Mikulas Patocka
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit d3e7eb80772f1b39065906313113a892a6c65867
Author: Sergei Shtylyov
Date:   Tue May 11 00:08:03 2010 -0700

    cmd640: fix kernel oops in test_irq() method

    commit a9ddabc52ce3757a4331d6c1e8bf4065333cc51b upstream.

    When implementing the test_irq() method, I forgot that this driver is
    not an ordinary PCI driver and also needs to support VLB variant of
    the chip. Moreover, 'hwif->dev' should be NULL, potentially causing
    oops in pci_read_config_byte().

    Signed-off-by: Sergei Shtylyov
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 722531594f182f6976d31c5c6f7c144d4088e266
Author: Dongdong Deng
Date:   Thu Jun 17 11:13:40 2010 +0800

    serial: cpm_uart: implement the cpm_uart_early_write() function for console poll

    commit 8cd774ad30c22b9d89823f1f05d845f4cdaba9e8 upstream.

    The cpm_uart_early_write() function which was used for console poll
    isn't implemented in the cpm uart driver.

    Implementing this function both fixes the build when
    CONFIG_CONSOLE_POLL is set and allows kgdboc to work via the cpm uart.
    Signed-off-by: Dongdong Deng
    Reviewed-by: Bruce Ashfield
    Signed-off-by: Greg Kroah-Hartman

commit e5d4a35afb1492fe90ba8d8fc783d45c63ff244e
Author: Thomas Gleixner
Date:   Mon Jun 7 17:53:51 2010 +0200

    genirq: Deal with desc->set_type() changing desc->chip

    commit 4673247562e39a17e09440fa1400819522ccd446 upstream.

    The set_type() function can change the chip implementation when the
    trigger mode changes. That might result in using an non-initialized
    irq chip when called from __setup_irq() or when called via
    set_irq_type() on an already enabled irq.

    The set_irq_type() function should not be called on an enabled irq,
    but because we forgot to put a check into it, we have a bunch of
    users which grew the habit of doing that and it never blew up as the
    function is serialized via desc->lock against all users of desc->chip
    and they never hit the non-initialized irq chip issue.

    The easy fix for the __setup_irq() issue would be to move the
    irq_chip_set_defaults(desc->chip) call after the trigger setting to
    make sure that a chip change is covered.

    But as we have already users, which do the type setting after
    request_irq(), the safe fix for now is to call
    irq_chip_set_defaults() from __irq_set_trigger() when
    desc->set_type() changed the irq chip.

    It needs a deeper analysis whether we should refuse to change the
    chip on an already enabled irq, but that'd be a large scale change to
    fix all the existing users. So that's neither stable nor 2.6.35
    material.

    Reported-by: Esben Haabendal
    Signed-off-by: Thomas Gleixner
    Cc: Benjamin Herrenschmidt
    Cc: linuxppc-dev
    Signed-off-by: Greg Kroah-Hartman

commit 70ba76a0c43be02e8d7b26a35f7fe6d86c360ccd
Author: Alex,Shi
Date:   Thu Jun 17 14:08:13 2010 +0800

    sched: Fix over-scheduling bug

    commit 3c93717cfa51316e4dbb471e7c0f9d243359d5f8 upstream.

    Commit e70971591 ("sched: Optimize unused cgroup configuration")
    introduced an imbalanced scheduling bug.

    If we do not use CGROUP, function update_h_load won't update h_load.
    When the system has a large number of tasks far more than logical CPU
    number, the incorrect cfs_rq[cpu]->h_load value will cause
    load_balance() to pull too many tasks to the local CPU from the
    busiest CPU. So the busiest CPU keeps going in a round robin. That
    will hurt performance.

    The issue was found originally by a scientific calculation workload
    that developed by Yanmin. With that commit, the workload performance
    drops about 40%.

     CPU  before  after

     00  :   2  :   7
     01  :   1  :   7
     02  :  11  :   6
     03  :  12  :   7
     04  :   6  :   6
     05  :  11  :   7
     06  :  10  :   6
     07  :  12  :   7
     08  :  11  :   6
     09  :  12  :   6
     10  :   1  :   6
     11  :   1  :   6
     12  :   6  :   6
     13  :   2  :   6
     14  :   2  :   6
     15  :   1  :   6

    Reviewed-by: Yanmin zhang
    Signed-off-by: Alex Shi
    Signed-off-by: Peter Zijlstra
    LKML-Reference: <1276754893.9452.5442.camel@debian>
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 2d216ac392eea6c6b85d038dc7788bfe44b77040
Author: Will Deacon
Date:   Mon May 24 12:11:43 2010 -0700

    sched: Prevent compiler from optimising the sched_avg_update() loop

    commit 0d98bb2656e9bd2dfda2d089db1fe1dbdab41504 upstream.

    GCC 4.4.1 on ARM has been observed to replace the while loop in
    sched_avg_update with a call to uldivmod, resulting in the following
    build failure at link-time:

    kernel/built-in.o: In function `sched_avg_update':
     kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod'
     kernel/sched.c:1261: undefined reference to `__aeabi_uldivmod'
    make: *** [.tmp_vmlinux1] Error 1

    This patch introduces a fake data hazard to the loop body to prevent
    the compiler optimising the loop away.

    Signed-off-by: Will Deacon
    Signed-off-by: Andrew Morton
    Acked-by: Peter Zijlstra
    Cc: Catalin Marinas
    Cc: Russell King
    Cc: Linus Torvalds
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 8c8fba3f0bbdf2269d4a4b7bd50ad53f0a1db75e
Author: Darrick J. Wong
Date:   Wed Jun 30 17:45:19 2010 -0700

    x86, Calgary: Limit the max PHB number to 256

    commit d596043d71ff0d7b3d0bead19b1d68c55f003093 upstream.
    The x3950 family can have as many as 256 PCI buses in a single
    system, so change the limits to the maximum. Since there can only be
    256 PCI buses in one domain, we no longer need the BUG_ON check.

    Signed-off-by: Darrick J. Wong
    LKML-Reference: <20100701004519.GQ15515@tux1.beaverton.ibm.com>
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit cb5985a25d6314c90f59169c42ab15f6136d3425
Author: Darrick J. Wong
Date:   Thu Jun 24 14:26:47 2010 -0700

    x86, Calgary: Increase max PHB number

    commit 499a00e92dd9a75395081f595e681629eb1eebad upstream.

    Newer systems (x3950M2) can have 48 PHBs per chassis and 8 chassis,
    so bump the limits up and provide an explanation of the requirements
    for each class.

    Signed-off-by: Darrick J. Wong
    Acked-by: Muli Ben-Yehuda
    Cc: Corinna Schultz
    LKML-Reference: <20100624212647.GI15515@tux1.beaverton.ibm.com>
    [ v2: Fixed build bug, added back PHBS_PER_CALGARY == 4 ]
    Signed-off-by: Ingo Molnar
    Signed-off-by: Greg Kroah-Hartman

commit 30d9fa8b70b38599667d545f49d1390cf84295c0
Author: Andi Kleen
Date:   Fri Jun 18 23:09:00 2010 +0200

    x86: Fix vsyscall on gcc 4.5 with -Os

    commit 124482935fb7fb9303c8a8ab930149c6a93d9910 upstream.

    This fixes the -Os breaks with gcc 4.5 bug. rdtsc_barrier needs to
    be force inlined, otherwise user space will jump into kernel space
    and kill init.

    This also addresses http://gcc.gnu.org/bugzilla/show_bug.cgi?id=44129
    I believe.

    Signed-off-by: Andi Kleen
    LKML-Reference: <20100618210859.GA10913@basil.fritz.box>
    Signed-off-by: H. Peter Anvin
    Signed-off-by: Greg Kroah-Hartman

commit 6485aae3ca859679d0742badd14b20f2cc922d23
Author: Frederic Weisbecker
Date:   Thu Jul 8 06:06:17 2010 +0200

    perf: Resurrect flat callchains

    commit 97aa1052739c6a06cb6b0467dbf410613d20bc97 upstream.

    Initialize the callchain radix tree root correctly.

    When we walk through the parents, we must stop after the root, but
    since it wasn't well initialized, its parent pointer was random.
    Also the number of hits was random because uninitialized, hence it
    was part of the callchain while the root doesn't contain anything.

    This fixes segfaults and percentages followed by empty callchains
    while running:

    	perf report -g flat

    Reported-by: Ingo Molnar
    Signed-off-by: Frederic Weisbecker
    Cc: Peter Zijlstra
    Cc: Arnaldo Carvalho de Melo
    Cc: Paul Mackerras
    Signed-off-by: Greg Kroah-Hartman

commit 04cdd492dce4e063d9ddd8675c4ebdeac5e5dc13
Author: Ben Hutchings
Date:   Wed Mar 24 03:36:31 2010 +0000

    amd64-agp: Probe unknown AGP devices the right way

    commit 6fd024893911dcb51b4a0aa71971db5ba38f7071 upstream.

    The current initialisation code probes 'unsupported' AGP devices
    simply by calling its own probe function. It does not lock these
    devices or even check whether another driver is already bound to
    them.

    We must use the device core to manage this. So if the specific
    device id table didn't match anything and agp_try_unsupported=1,
    switch the device id table and call driver_attach() again.

    Signed-off-by: Ben Hutchings
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit de40885b3c038fb7934f798d3cab823cd5985955
Author: Julia Lawall
Date:   Sat May 15 11:46:12 2010 +0200

    SCSI: aacraid: Eliminate use after free

    commit 8a52da632ceb9d8b776494563df579e87b7b586b upstream.

    The debugging code using the freed structure is moved before the
    kfree.

    A simplified version of the semantic match that finds this problem is
    as follows: (http://coccinelle.lip6.fr/)

    //
    @free@
    expression E;
    position p;
    @@
    kfree@p(E)

    @@
    expression free.E, subE<=free.E, E1;
    position free.p;
    @@

      kfree@p(E)
      ...
    (
      subE = E1
    |
    * E
    )
    //

    Signed-off-by: Julia Lawall
    Signed-off-by: James Bottomley

commit bebd876038404b65c24decd45b4dbe3095805798
Author: Eric Dumazet
Date:   Fri Jul 2 10:05:01 2010 +0200

    netfilter: ip6t_REJECT: fix a dst leak in ipv6 REJECT

    commit 499031ac8a3df6738f6186ded9da853e8ea18253 upstream.

    We should release dst if dst->error is set.
    Bug introduced in 2.6.14 by commit e104411b82f5c
    ([XFRM]: Always release dst_entry on error in xfrm_lookup)

    Signed-off-by: Eric Dumazet
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit fb97898fa8db2f812c630912aa80ea9608a40f2c
Author: Sven Wegener
Date:   Wed Jun 9 16:10:57 2010 +0200

    ipvs: Add missing locking during connection table hashing and unhashing

    commit aea9d711f3d68c656ad31ab578ecfb0bb5cd7f97 upstream.

    The code that hashes and unhashes connections from the connection
    table is missing locking of the connection being modified, which
    opens up a race condition and results in memory corruption when this
    race condition is hit.

    Here is what happens in pretty verbose form:

    CPU 0                                     CPU 1
    ------------                              ------------
    An active connection is terminated and
    we schedule ip_vs_conn_expire() on this
    CPU to expire this connection.

                                              IRQ assignment is changed to this CPU,
                                              but the expire timer stays scheduled on
                                              the other CPU.

                                              New connection from same ip:port comes
                                              in right before the timer expires, we
                                              find the inactive connection in our
                                              connection table and get a reference to
                                              it. We proper lock the connection in
                                              tcp_state_transition() and read the
                                              connection flags in set_tcp_state().

    ip_vs_conn_expire() gets called, we
    unhash the connection from our
    connection table and remove the hashed
    flag in ip_vs_conn_unhash(), without
    proper locking!

                                              While still holding proper locks we
                                              write the connection flags in
                                              set_tcp_state() and this sets the hashed
                                              flag again.

    ip_vs_conn_expire() fails to expire the
    connection, because the other CPU has
    incremented the reference count. We try
    to re-insert the connection into our
    connection table, but this fails in
    ip_vs_conn_hash(), because the hashed
    flag has been set by the other CPU. We
    re-schedule execution of
    ip_vs_conn_expire(). Now this connection
    has the hashed flag set, but isn't
    actually hashed in our connection table
    and has a dangling list_head.

                                              We drop the reference we held on the
                                              connection and schedule the expire timer
                                              for timeouting the connection on this
                                              CPU. Further packets won't be able to
                                              find this connection in our connection
                                              table.

                                              ip_vs_conn_expire() gets called again,
                                              we think it's already hashed, but the
                                              list_head is dangling and while removing
                                              the connection from our connection table
                                              we write to the memory location where
                                              this list_head points to.

    The result will probably be a kernel oops at some other point in
    time.

    This race condition is pretty subtle, but it can be triggered
    remotely. It needs the IRQ assignment change or another circumstance
    where packets coming from the same ip:port for the same service are
    being processed on different CPUs. And it involves hitting the exact
    time at which ip_vs_conn_expire() gets called. It can be avoided by
    making sure that all packets from one connection are always processed
    on the same CPU and can be made harder to exploit by changing the
    connection timeouts to some custom values.

    Signed-off-by: Sven Wegener
    Acked-by: Simon Horman
    Signed-off-by: Patrick McHardy
    Signed-off-by: Greg Kroah-Hartman

commit 218d101dc148d9e0c7c54476b1f99ef9f97bd02f
Author: Rajiv Andrade
Date:   Wed Jun 23 12:18:56 2010 -0700

    tpm_tis: fix subsequent suspend failures

    commit 59f6fbe4291fcc078ba26ce4edf8373a7620a13a upstream.

    Fix subsequent suspends by issuing tpm_continue_selftest during
    resume. Otherwise, the tpm chip seems to be not fully initialized and
    will reject the save state command during suspend, thus preventing
    the whole system to suspend.
    Addresses https://bugzilla.kernel.org/show_bug.cgi?id=16256

    Signed-off-by: Helmut Schaa
    Signed-off-by: Rajiv Andrade
    Cc: James Morris
    Cc: Debora Velarde
    Cc: David Safford
    Signed-off-by: Andrew Morton
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 334bef5003610802cf43f7c68a56dd86fa0b6bfb
Author: Alex Deucher
Date:   Wed Jul 21 19:37:21 2010 -0400

    drm/radeon/kms: fix legacy LVDS dpms sequence

    commit 15cb02c0a0338ee724bf23e31c7c410ecbffeeba upstream.

    Add delay after turning off the LVDS encoder.

    Fixes:
    https://bugzilla.kernel.org/show_bug.cgi?id=16389

    Tested-by: Jan Kreuzer
    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit dc7b233636e1c17fd1d600765dc082784a024984
Author: Alex Deucher
Date:   Tue Jul 20 18:07:22 2010 -0400

    drm/radeon/kms: add quirk for ASUS HD 3600 board

    commit e153b70b89770968a704eda0b55707c6066b2d44 upstream.

    Connector is actually DVI rather than HDMI.

    Reported-by: trapDoor
    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit bb06a0c4d8a93e498af18c66eff30c4fab9155f5
Author: Roland Scheidegger
Date:   Sat Jun 12 13:31:10 2010 -0400

    drm/radeon/r200: handle more hw tex coord types

    commit 688acaa2897462e4c5e2482496e2868db0760809 upstream.

    Code did not handle projected 2d and depth coordinates, meaning
    potentially set 3d or cube special handling might stick.
    (Not sure what depth coord actually does, but I guess handling it
    like a normal coordinate is the right thing to do.)
    Might be related to https://bugs.freedesktop.org/show_bug.cgi?id=26428

    Signed-off-by: sroland@vmware.com
    Signed-off-by: Alex Deucher
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit e84dbc70355a95cd0a287b450ab51214af4d5e09
Author: Adam Jackson
Date:   Fri Jul 2 16:43:30 2010 -0400

    drm/i915: Make G4X-style PLL search more permissive

    commit 6ba770dc5c334aff1c055c8728d34656e0f091e2 upstream.

    Fixes an Ironlake laptop with a 68.940MHz 1280x800 panel and 120MHz SSC reference clock.

    More generally, the 0.488% tolerance used before is just too tight to reliably find a PLL setting. I extracted the search algorithm and modified it to find the dot clocks with maximum error over the valid range for the given output type:

    http://people.freedesktop.org/~ajax/intel_g4x_find_best_pll.c

    This gave:

    Worst dotclock for Ironlake DAC refclk is 350000kHz (error 0.00571)
    Worst dotclock for Ironlake SL-LVDS refclk is 102321kHz (error 0.00524)
    Worst dotclock for Ironlake DL-LVDS refclk is 219642kHz (error 0.00488)
    Worst dotclock for Ironlake SL-LVDS SSC refclk is 84374kHz (error 0.00529)
    Worst dotclock for Ironlake DL-LVDS SSC refclk is 183035kHz (error 0.00488)
    Worst dotclock for G4X SDVO refclk is 267600kHz (error 0.00448)
    Worst dotclock for G4X HDMI refclk is 334400kHz (error 0.00478)
    Worst dotclock for G4X SL-LVDS refclk is 95571kHz (error 0.00449)
    Worst dotclock for G4X DL-LVDS refclk is 224000kHz (error 0.00510)

    Signed-off-by: Adam Jackson
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 2de0f4bbfc10aec123d9c7a98deffc90c38f42f8
Author: Dave Airlie
Date: Tue Jul 20 13:15:31 2010 +1000

    drm/i915: enable low power render writes on GEN3 hardware.

    commit 944001201ca0196bcdb088129e5866a9f379d08c upstream.

    A lot of 945GMs have had stability issues for a long time, this manifested as X hangs, blitter engine hangs, and lots of crashes. one such report is at: https://bugs.freedesktop.org/show_bug.cgi?id=20560 along with numerous distro bugzillas.

    This only took a week of digging and hair ripping to figure out.

    Tracked down and tested on a 945GM Lenovo T60, previously running x11perf -copypixwin500 or x11perf -copywinpix500 repeatedly would cause the GPU to wedge within 4 or 5 tries, with random busy bits set. After this patch no hangs were observed.

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 4213fcfd47a72db594a90e71074d357e0a2a32b2
Author: Keith Packard
Date: Mon Jul 19 21:12:35 2010 -0700

    drm/i915: Define MI_ARB_STATE bits

    commit 45503ded966c98e604c9667c0b458d40666b9ef3 upstream.

    The i915 memory arbiter has a register full of configuration bits which are currently not defined in the driver header file.

    Signed-off-by: Keith Packard
    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 33126b3d34031fa52aa9c0348d57ea7b967b790f
Author: Daniel J Blueman
Date: Mon May 17 14:23:52 2010 +0100

    i915: fix lock imbalance on error path...

    commit f953c9353f5fe6e98fa7f32f51060a74d845b5f8 upstream.

    While investigating Intel i5 Arrandale GPU lockups with -rc4, I noticed a lock imbalance.

    Signed-off-by: Daniel J Blueman
    Signed-off-by: Eric Anholt
    Signed-off-by: Greg Kroah-Hartman

commit 73213a0735abbfe01e7c5d51a776dd34e14bc8d5
Author: Jason Baron
Date: Tue Jul 27 13:18:01 2010 -0700

    dynamic debug: move ddebug_remove_module() down into free_module()

    commit b82bab4bbe9efa7bc7177fc20620fff19bd95484 upstream.

    The command

    echo "file ec.c +p" >/sys/kernel/debug/dynamic_debug/control

    causes an oops.

    Move the call to ddebug_remove_module() down into free_module(). In this way it should be called from all error paths. Currently, we are missing the remove if the module init routine fails.

    Signed-off-by: Jason Baron
    Reported-by: Thomas Renninger
    Tested-by: Thomas Renninger
    Signed-off-by: Andrew Morton
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit f9550546e10e0619fbf54c593a4d9e6adf7efbd0
Author: Joerg Albert
Date: Sun Jun 13 14:22:23 2010 +0200

    p54pci: add Symbol AP-300 minipci adapters pciid

    commit 50900f1698f68127e54c67fdfe829e4a97b1be2b upstream.

    Signed-off-by: Christian Lamparter
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 8875b99e83a4437b5a3f731c1b295bc290578224
Author: Dan Rosenberg
Date: Mon Jul 19 16:58:20 2010 -0400

    Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE

    commit 2ebc3464781ad24474abcbd2274e6254689853b5 upstream.

    1. The BTRFS_IOC_CLONE and BTRFS_IOC_CLONE_RANGE ioctls should check whether the donor file is append-only before writing to it.

    2. The BTRFS_IOC_CLONE_RANGE ioctl appears to have an integer overflow that allows a user to specify an out-of-bounds range to copy from the source file (if off + len wraps around). I haven't been able to successfully exploit this, but I'd imagine that a clever attacker could use this to read things he shouldn't. Even if it's not exploitable, it couldn't hurt to be safe.

    Signed-off-by: Dan Rosenberg
    Signed-off-by: Chris Mason
    Signed-off-by: Greg Kroah-Hartman

commit 7d7810cdb93c6afcf77d8b6109f345009556e78c
Author: Javier Cardona
Date: Mon Mar 29 11:00:20 2010 -0700

    mac80211: Handle mesh action frames in ieee80211_rx_h_action

    commit 1cb561f83793191cf86a2db3948d28f5f42df9ff upstream.

    This fixes the problem introduced in commit 8404080568613d93ad7cf0a16dfb68 which broke mesh peer link establishment.

    changes:
    v2 Added missing break (Johannes)
    v3 Broke original patch into two (Johannes)

    Signed-off-by: Javier Cardona
    Reviewed-by: Johannes Berg
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 54dc36b3d433c98551fdc9d27bbb54e47792f95c
Author: Stanislaw Gruszka
Date: Wed Apr 28 15:17:03 2010 +0200

    mac80211: do not wip out old supported rates

    commit f0b058b61711ebf5be94d6865ca7b2c259b71d37 upstream.

    Use old supported rates, if AP do not provide supported rates information element in a new management frame.

    Signed-off-by: Stanislaw Gruszka
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit a11bc73016c9f7e2bdaa0209d03cb1fd2d515354
Author: John W. Linville
Date: Mon Jun 14 14:30:25 2010 -0400

    iwlwifi: cancel scan watchdog in iwl_bg_abort_scan

    commit a69b03e941abae00380fc6bc1877fb797a1b31e6 upstream.

    Avoids this:

    WARNING: at net/mac80211/scan.c:312 ieee80211_scan_completed+0x5f/0x1f1 [mac80211]()
    Hardware name: Latitude E5400
    Modules linked in: aes_x86_64 aes_generic fuse ipt_MASQUERADE iptable_nat nf_nat rfcomm sco bridge stp llc bnep l2cap sunrpc cpufreq_ondemand acpi_cpufreq freq_table xt_physdev ip6t_REJECT nf_conntrack_ipv6 ip6table_filter ip6_tables ipv6 kvm_intel kvm uinput arc4 ecb snd_hda_codec_intelhdmi snd_hda_codec_idt snd_hda_intel iwlagn snd_hda_codec snd_hwdep snd_seq snd_seq_device iwlcore snd_pcm dell_wmi sdhci_pci sdhci iTCO_wdt tg3 dell_laptop mmc_core i2c_i801 wmi mac80211 snd_timer iTCO_vendor_support btusb joydev dcdbas cfg80211 bluetooth snd soundcore microcode rfkill snd_page_alloc firewire_ohci firewire_core crc_itu_t yenta_socket rsrc_nonstatic i915 drm_kms_helper drm i2c_algo_bit i2c_core video output [last unloaded: scsi_wait_scan]
    Pid: 979, comm: iwlagn Tainted: G W 2.6.33.3-85.fc13.x86_64 #1
    Call Trace:
    [] warn_slowpath_common+0x77/0x8f
    [] warn_slowpath_null+0xf/0x11
    [] ieee80211_scan_completed+0x5f/0x1f1 [mac80211]
    [] iwl_bg_scan_completed+0xbb/0x17a [iwlcore]
    [] worker_thread+0x1a4/0x232
    [] ? iwl_bg_scan_completed+0x0/0x17a [iwlcore]
    [] ? autoremove_wake_function+0x0/0x34
    [] ? worker_thread+0x0/0x232
    [] kthread+0x7a/0x82
    [] kernel_thread_helper+0x4/0x10
    [] ? kthread+0x0/0x82
    [] ? kernel_thread_helper+0x0/0x10

    Reported here: https://bugzilla.redhat.com/show_bug.cgi?id=590436

    Signed-off-by: John W. Linville
    Reported-by: Mihai Harpau
    Acked-by: Reinette Chatre
    Signed-off-by: Greg Kroah-Hartman

commit 9b6961fc8a1350eafe2160ebf86f95053ca6b3c2
Author: Dave Airlie
Date: Wed Jun 23 11:35:41 2010 +1000

    fb: fix colliding defines for fb flags.

    commit b26c949755c06ec79e55a75817210083bd78fc9a upstream.

    When I added the flags I must have been using a 25 line terminal and missed the following flags. The collided with flag has one user in staging despite being in-tree for 5 years. I'm happy to push this via my drm tree unless someone really wants to do it.

    Signed-off-by: Dave Airlie
    Signed-off-by: Greg Kroah-Hartman

commit 84caca557082c2c4656584b34360d857d7bee1f1
Author: Rajiv Andrade
Date: Mon Jun 14 13:58:22 2010 -0300

    TPM: ReadPubEK output struct fix

    commit 02a077c52ef7631275a79862ffd9f3dbe9d38bc2 upstream.

    This patch adds a missing element of the ReadPubEK command output, that prevents future overflow of this buffer when copying the TPM output result into it. Prevents a kernel panic in case the user tries to read the pubek from sysfs.

    Signed-off-by: Rajiv Andrade
    Signed-off-by: James Morris
    Signed-off-by: Greg Kroah-Hartman

commit 121ba374607497d8f12d3444c7a7802fda26963b
Author: Tim Gardner
Date: Tue Jun 8 11:33:02 2010 -0600

    hostap: Protect against initialization interrupt

    commit d6a574ff6bfb842bdb98065da053881ff527be46 upstream.

    Use an irq spinlock to hold off the IRQ handler until enough early card init is complete such that the handler can run without faulting.

    Signed-off-by: Tim Gardner
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 8a16f471efd41605e8abc06ecabb8082caf6a63e
Author: Vivek Natarajan
Date: Tue Apr 27 13:05:38 2010 +0530

    ath9k: Avoid corrupt frames being forwarded to mac80211.

    commit 3a37495268ab45507b4cab9d4cb18c5496ab7a10 upstream.

    If bit 29 is set, MAC H/W can attempt to decrypt the received aggregate with WEP or TKIP, even though the received frame may be a CRC failed corrupted frame. If this bit is set, H/W obeys key type in keycache. If it is not set and if the key type in keycache is neither open nor AES, H/W forces key type to be open. But bit 29 should be set to 1 for AsyncFIFO feature to encrypt/decrypt the aggregate with WEP or TKIP.

    Reported-by: Johan Hovold
    Signed-off-by: Vivek Natarajan
    Signed-off-by: Ranga Rao Ravuri
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 1d8fba816fb4f6546dd1e8c6b302824f1adfde42
Author: Luis R. Rodriguez
Date: Fri Dec 18 11:26:04 2009 -0500

    ath9k: re-enable ps by default for new single chip families

    commit 14acdde6e527950f66c084dbf19bad6fbfcaeedc upstream.

    The newer single chip hardware family of chipsets have not been experiencing issues with power saving set by default with recent fixes merged (even into stable). The remaining issues are only reported with AR5416 and since enabling PS by default can increase power savings considerably best to take advantage of that feature as this has been tested properly.

    For more details on this issue see the bug report:

    http://bugzilla.kernel.org/show_bug.cgi?id=14267

    We leave AR5416 with PS disabled by default, that seems to require some more work.

    Cc: Peter Stuge
    Cc: Justin P. Mattock
    Cc: Kristoffer Ericson
    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit 9021cbd7b61a60fdda81f11d62f2dbbe9ad35cee
Author: Luis R. Rodriguez
Date: Mon May 10 15:26:27 2010 -0400

    ath5k: drop warning on jumbo frames

    commit 9637e516d16a58b13f6098cfe899e22963132be3 upstream.

    Jumbo frames are not supported, and if they are seen it is likely a bogus frame so just silently discard them instead of warning on them all time. Also, instead of dropping them immediately though move the check *after* we check for all sort of frame errors. This should enable us to discard these frames if the hardware picks other bogus items first. Lets see if we still get those jumbo counters increasing still with this.

    Jumbo frames would happen if we tell hardware we can support a small 802.11 chunks of DMA'd frame, hardware would split RX'd frames into parts and we'd have to reconstruct them in software.
    This is done with USB due to the bulk size but with ath5k we already provide a good limit to hardware and this should not be happening.

    This is reported quite often and if it fills the logs then this needs to be addressed and to avoid spurious reports.

    Signed-off-by: Luis R. Rodriguez
    Signed-off-by: John W. Linville
    Signed-off-by: Greg Kroah-Hartman

commit e782acd040b9f14f249bc0cca03b42b6ca903330
Author: Trond Myklebust
Date: Wed Jun 16 13:57:32 2010 -0400

    SUNRPC: Fix a re-entrancy bug in xs_tcp_read_calldir()

    commit b76ce56192bcf618013fb9aecd83488cffd645cc upstream.

    If the attempt to read the calldir fails, then instead of storing the read bytes, we currently discard them. This leads to a garbage final result when upon re-entry to the same routine, we read the remaining bytes.

    Fixes the regression in bugzilla number 16213. Please see https://bugzilla.kernel.org/show_bug.cgi?id=16213

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit b395558f18e209a31ee1bd7719c59003200838c5
Author: Trond Myklebust
Date: Fri Jun 18 12:23:58 2010 -0400

    NFSv4: Ensure that /proc/self/mountinfo displays the minor version number

    commit 0be8189f2c87fcc747d6a4a657a0b6e2161b2318 upstream.

    Currently, we do not display the minor version mount parameter in the /proc mount info.

    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit 828658780dc2b737e2afe09220442a4ec6e6b868
Author: Trond Myklebust
Date: Tue Jun 22 08:52:39 2010 -0400

    NFSv4: Fix an embarassing typo in encode_attrs()

    commit d3f6baaa34c54040b3ef30950e59b54ac0624b21 upstream.

    Apparently, we have never been able to set the atime correctly from the NFSv4 client.

    Reported-by: 小倉一夫
    Signed-off-by: Trond Myklebust
    Signed-off-by: Greg Kroah-Hartman

commit e05c7d0fdaab91414468c19185679c5a4653bcf3
Author: Mikael Pettersson
Date: Tue Jul 20 18:45:14 2010 -0700

    math-emu: correct test for downshifting fraction in _FP_FROM_INT()

    commit f8324e20f8289dffc646d64366332e05eaacab25 upstream.

    The kernel's math-emu code contains a macro _FP_FROM_INT() which is used to convert an integer to a raw normalized floating-point value. It does this basically in three steps:

    1. Compute the exponent from the number of leading zero bits.
    2. Downshift large fractions to put the MSB in the right position for normalized fractions.
    3. Upshift small fractions to put the MSB in the right position.

    There is a boundary error in step 2, causing a fraction with its MSB exactly one bit above the normalized MSB position to not be downshifted. This results in a non-normalized raw float, which when packed becomes a massively inaccurate representation for that input.

    The impact of this depends on a number of arch-specific factors, but it is known to have broken emulation of FXTOD instructions on UltraSPARC III, which was originally reported as GCC bug 44631. Any arch which uses math-emu to emulate conversions from integers to same-size floats may be affected.

    The fix is simple: the exponent comparison used to determine if the fraction should be downshifted must be "<=" not "<".

    I'm sending a kernel module to test this as a reply to this message. There are also SPARC user-space test cases in the GCC bug entry.

    Signed-off-by: Mikael Pettersson
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit eb0184fdcb24d54a2ea78304428ab76b22d3ac29
Author: Rob Landley
Date: Sat Mar 27 08:36:18 2010 -0700

    sparc: Fix use of uid16_t and gid16_t in asm/stat.h

    commit 7469a9acf919d36836f6c635099d8edc9be4528a upstream.

    Signed-off-by: Rob Landley
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit e938dc4c79f830ebfae06961e0ec3c05de4fd9d7
Author: Alexander Duyck
Date: Mon Oct 5 06:34:25 2009 +0000

    igb: change how we handle alternate mac addresses

    commit 22896639af98ebc721a94ed71fc3acf2fb4a24dc upstream.

    This patch allows us to treat the alternate mac address as though it is the physical address on the adapter.
    This is accomplished by letting the alt_mac_address function to only fail on an NVM error. If no errors occur and the alternate mac address is not present then RAR0 is read as the default mac address.

    Signed-off-by: Alexander Duyck
    Signed-off-by: Jeff Kirsher
    Signed-off-by: David S. Miller
    Cc: Brandon Philips
    Signed-off-by: Greg Kroah-Hartman

commit da07bf0fcc8b02737196369aa7f5bd2e0afec238
Author: Brandon Philips
Date: Wed Jun 16 16:21:58 2010 +0000

    sky2: enable rx/tx in sky2_phy_reinit()

    commit 38000a94a902e94ca8b5498f7871c6316de8957a upstream.

    sky2_phy_reinit is called by the ethtool helpers sky2_set_settings, sky2_nway_reset and sky2_set_pauseparam when netif_running.

    However, at the end of sky2_phy_init GM_GP_CTRL has GM_GPCR_RX_ENA and GM_GPCR_TX_ENA cleared. So, doing these commands causes the device to stop working:

    $ ethtool -r eth0
    $ ethtool -A eth0 autoneg off

    Fix this issue by enabling Rx/Tx after running sky2_phy_init in sky2_phy_reinit.

    Signed-off-by: Brandon Philips
    Tested-by: Brandon Philips
    Cc: stable@kernel.org
    Tested-by: Mike McCormack
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit 19a7aff8e075e8d828a638e1d66866775bf14801
Author: Florian Fainelli
Date: Sun Jun 20 22:07:48 2010 +0000

    cpmac: do not leak struct net_device on phy_connect errors

    commit ed770f01360b392564650bf1553ce723fa46afec upstream.

    If the call to phy_connect fails, we will return directly instead of freeing the previously allocated struct net_device.

    Signed-off-by: Florian Fainelli
    Signed-off-by: David S. Miller
    Signed-off-by: Greg Kroah-Hartman

commit eb6c5150700366f71a59b1839bef82719af7b27d
Author: Luke Yelavich
Date: Tue Jun 22 11:04:19 2010 +1000

    ALSA: hda - Add Macbook 5,2 quirk

    commit 3bfea98ff73d377ffce0d4c7f938b7ef958cdb35 upstream.

    BugLink: https://bugs.launchpad.net/bugs/463178

    Set Macbook 5,2 (106b:4a00) hardware to use ALC885_MB5

    Signed-off-by: Luke Yelavich
    Signed-off-by: Takashi Iwai
    Signed-off-by: Greg Kroah-Hartman

commit 4ff7ffd072f89100c853e4c973cc7689fbb2246a
Author: David Howells
Date: Thu Jul 22 12:53:18 2010 +0100

    CIFS: Fix a malicious redirect problem in the DNS lookup code

    commit 4c0c03ca54f72fdd5912516ad0a23ec5cf01bda7 upstream.

    Fix the security problem in the CIFS filesystem DNS lookup code in which a malicious redirect could be installed by a random user by simply adding a result record into one of their keyrings with add_key() and then invoking a CIFS CFS lookup [CVE-2010-2524].

    This is done by creating an internal keyring specifically for the caching of DNS lookups. To enforce the use of this keyring, the module init routine creates a set of override credentials with the keyring installed as the thread keyring and instructs request_key() to only install lookup result keys in that keyring.

    The override is then applied around the call to request_key().

    This has some additional benefits when a kernel service uses this module to request a key:

    (1) The result keys are owned by root, not the user that caused the lookup.

    (2) The result keys don't pop up in the user's keyrings.

    (3) The result keys don't come out of the quota of the user that caused the lookup.

    The keyring can be viewed as root by doing cat /proc/keys:

    2a0ca6c3 I----- 1 perm 1f030000 0 0 keyring .dns_resolver: 1/4

    It can then be listed with 'keyctl list' by root.

    # keyctl list 0x2a0ca6c3
    1 key in keyring:
    726766307: --alswrv 0 0 dns_resolver: foo.bar.com

    Signed-off-by: David Howells
    Reviewed-and-Tested-by: Jeff Layton
    Acked-by: Steve French
    Signed-off-by: Linus Torvalds
    Signed-off-by: Greg Kroah-Hartman

commit a37ac8821fce9eba8c0e3bd7d4b40c3d2cbd231f
Author: Jeff Layton
Date: Tue Jun 1 16:21:01 2010 -0400

    cifs: don't attempt busy-file rename unless it's in same directory

    commit ed0e3ace576d297a5c7015401db1060bbf677b94 upstream.

    Busy-file renames don't actually work across directories, so we need to limit this code to renames within the same dir.

    This fixes the bug detailed here:

    https://bugzilla.redhat.com/show_bug.cgi?id=591938

    Signed-off-by: Jeff Layton
    Signed-off-by: Steve French
    Signed-off-by: Greg Kroah-Hartman

commit 1a6102ef77e64f6011185abef849bde8dc83be7e
Author: Jeff Layton
Date: Wed Jun 16 13:40:18 2010 -0400

    cifs: remove bogus first_time check in NTLMv2 session setup code

    commit 8a224d489454b7457105848610cfebebdec5638d upstream.

    This bug appears to be the result of a cut-and-paste mistake from the NTLMv1 code. The function to generate the MAC key was commented out, but not the conditional above it. The conditional then ended up causing the session setup key not to be copied to the buffer unless this was the first session on the socket, and that made all but the first NTLMv2 session setup fail.

    Fix this by removing the conditional and all of the commented clutter that made it difficult to see.

    Reported-by: Gunther Deschner
    Signed-off-by: Jeff Layton
    Signed-off-by: Greg Kroah-Hartman

commit 662769f85aafd2044e57f39b1a2b7e4882496c46
Author: Jean Delvare
Date: Fri Jul 9 16:22:48 2010 +0200

    hwmon: (it87) Fix in7 on IT8720F

    commit 436cad2a41a40c6c32bd9152b63d17eeb1f7c99b upstream.

    The IT8720F has no VIN7 pin, so VCCH should always be routed internally to VIN7 with an internal divider. Curiously, there still is a configuration bit to control this, which means it can be set incorrectly.
    And even more curiously, many boards out there are improperly configured, even though the IT8720F datasheet claims that the internal routing of VCCH to VIN7 is the default setting. So we force the internal routing in this case.

    It turns out that all boards with the wrong setting are from Gigabyte, so I suspect a BIOS bug. But it's easy enough to workaround in the driver, so let's do it.

    Signed-off-by: Jean Delvare
    Cc: Jean-Marc Spaggiari
    Signed-off-by: Greg Kroah-Hartman

commit 696f12076eb2d2217e67dcae62c8a436b4ec524b
Author: Jean Delvare
Date: Fri Jul 9 16:22:49 2010 +0200

    hwmon: (coretemp) Skip duplicate CPU entries

    commit d883b9f0977269d519469da72faec6a7f72cb489 upstream.

    On hyper-threaded CPUs, each core appears twice in the CPU list. Skip the second entry to avoid duplicate sensors.

    Signed-off-by: Jean Delvare
    Acked-by: Huaxu Wan
    Signed-off-by: Greg Kroah-Hartman

commit a4a3b1fb8a7e81648884840c3aabe38458202618
Author: Jean Delvare
Date: Fri Jul 9 16:22:51 2010 +0200

    hwmon: (coretemp) Properly label the sensors

    commit 3f4f09b4be35d38d6e2bf22c989443e65e70fc4c upstream.

    Don't assume that CPU entry number and core ID always match. It worked in the simple cases (single CPU, no HT) but fails on multi-CPU systems.

    Signed-off-by: Jean Delvare
    Acked-by: Huaxu Wan
    Signed-off-by: Greg Kroah-Hartman

commit 16b6eed5b12f3a4b695975568e30b9bc7c2c0cb6
Author: Andreas Herrmann
Date: Fri Jul 9 16:22:47 2010 +0200

    hwmon: (k8temp) Fix temperature reporting for ASB1 processor revisions

    commit d535bad90dad4eb42ec6528043fcfb53627d4f89 upstream.

    Reported temperature for ASB1 CPUs is too high. Add ASB1 CPU revisions (these are also non-desktop variants) to the list of CPUs for which the temperature fixup is not required.

    Example: (from LENOVO ThinkPad Edge 13, 01972NG, system was idle)

    Current kernel reports

    $ sensors
    k8temp-pci-00c3
    Adapter: PCI adapter
    Core0 Temp: +74.0 C
    Core0 Temp: +70.0 C
    Core1 Temp: +69.0 C
    Core1 Temp: +70.0 C

    With this patch I have

    $ sensors
    k8temp-pci-00c3
    Adapter: PCI adapter
    Core0 Temp: +54.0 C
    Core0 Temp: +51.0 C
    Core1 Temp: +48.0 C
    Core1 Temp: +49.0 C

    Cc: Rudolf Marek
    Signed-off-by: Andreas Herrmann
    Signed-off-by: Jean Delvare
    Signed-off-by: Greg Kroah-Hartman

commit 460b0256268c44cdd303724ef731ef55e96898be
Author: Jean Delvare
Date: Sun Jun 20 09:22:32 2010 +0200

    hwmon: (k8temp) Bypass core swapping on single-core processors

    commit cd4de21f7e65a8cd04860f5661b3c18648ee52a1 upstream.

    Commit a2e066bba2aad6583e3ff648bf28339d6c9f0898 introduced core swapping for CPU models 64 and later. I recently had a report about a Sempron 3200+, model 95, for which this patch broke temperature reading. It happens that this is a single-core processor, so the effect of the swapping was to read a temperature value for a core that didn't exist, leading to an incorrect value (-49 degrees C.)

    Disabling core swapping on single-core processors should fix this.

    Additional comment from Andreas:

    The BKDG says Thermal Sensor Core Select (ThermSenseCoreSel)-Bit 2. This bit selects the CPU whose temperature is reported in the CurTemp field. This bit only applies to dual core processors. For single core processors CPU0 Thermal Sensor is always selected.

    k8temp_probe() correctly detected that SEL_CORE can't be used on single core CPU. Thus k8temp did never update the temperature values stored in temp[1][x] and -49 degrees was reported. For single core CPUs we must use the values read into temp[0][x].

    Signed-off-by: Jean Delvare
    Tested-by: Rick Moritz
    Acked-by: Andreas Herrmann
    Signed-off-by: Greg Kroah-Hartman

commit ea158563643b3c28c5dd3f286ab61aadddfd7b88
Author: Christoph Fritz
Date: Sun Jul 11 18:26:15 2010 -0500

    ssb: Handle Netbook devices where the SPROM address is changed

    For some Netbook computers with Broadcom BCM4312 wireless interfaces, the SPROM has been moved to a new location. When the ssb driver tries to read the old location, the systems hangs when trying to read a non-existent location. Such freezes are particularly bad as they do not log the failure.

    This patch is modified from commit da1fdb02d9200ff28b6f3a380d21930335fe5429 with some pieces from other mainline changes so that it can be applied to stable 2.6.34.Y.

    Signed-off-by: Larry Finger
    Signed-off-by: Greg Kroah-Hartman

commit edc62dda419e4f6ee40548fa3deb9baf8b369e29
Author: Michael S. Tsirkin
Date: Wed Jun 23 22:49:06 2010 -0600

    virtio-pci: disable msi at startup

    commit b03214d559471359e2a85ae256686381d0672f29 upstream.

    virtio-pci resets the device at startup by writing to the status register, but this does not clear the pci config space, specifically msi enable status which affects register layout. This breaks things like kdump when they try to use e.g. virtio-blk.

    Fix by forcing msi off at startup. Since pci.c already has a routine to do this, we export and use it instead of duplicating code.

    Signed-off-by: Michael S. Tsirkin
    Tested-by: Vivek Goyal
    Acked-by: Jesse Barnes
    Cc: linux-pci@vger.kernel.org
    Signed-off-by: Rusty Russell
    Signed-off-by: Greg Kroah-Hartman
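
Added example, not part of the changelog and not the Btrfs patch itself: the "off + len wraps around" condition described in the "Btrfs: fix checks in BTRFS_IOC_CLONE_RANGE" entry above, shown as a naive range check next to two wrap-safe forms. The function names, the 4096-byte source size and the request table are constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed source-file size for the demonstration. */
#define SRC_SIZE 4096ULL

/* Naive check: off + len is computed modulo 2^64, so a very large len
 * wraps the sum to a small value and the comparison passes. */
static bool range_ok_naive(uint64_t off, uint64_t len, uint64_t src_size)
{
    return off + len <= src_size;
}

/* Wrap-safe form 1: never form off + len; compare len to the room left. */
static bool range_ok_checked(uint64_t off, uint64_t len, uint64_t src_size)
{
    if (off > src_size)
        return false;
    return len <= src_size - off;
}

/* Wrap-safe form 2: form the sum, then detect wraparound explicitly.
 * Unsigned overflow is well defined in C, so end < off means it wrapped. */
static bool range_ok_wraptest(uint64_t off, uint64_t len, uint64_t src_size)
{
    uint64_t end = off + len;
    if (end < off)
        return false;
    return end <= src_size;
}

struct clone_req {
    uint64_t off;
    uint64_t len;
    const char *note;
};

/* Constructed requests against a SRC_SIZE-byte source file. */
static const struct clone_req requests[] = {
    { 0,    4096,                  "whole file" },
    { 1024, 1024,                  "interior range" },
    { 4096, 0,                     "empty range at EOF" },
    { 0,    4097,                  "one byte past EOF" },
    { 8192, UINT64_MAX - 8191,     "off past EOF, sum wraps to 0" },
    { 1,    UINT64_MAX,            "sum wraps to 0" },
};
#define NREQ (sizeof(requests) / sizeof(requests[0]))

/* Number of requests the naive check accepts but the safe check rejects. */
static int count_naive_only_accepts(void)
{
    int n = 0;
    for (size_t i = 0; i < NREQ; i++) {
        const struct clone_req *r = &requests[i];
        if (range_ok_naive(r->off, r->len, SRC_SIZE) &&
            !range_ok_checked(r->off, r->len, SRC_SIZE))
            n++;
    }
    return n;
}

/* True when both wrap-safe forms give the same verdict on every request. */
static bool safe_forms_agree(void)
{
    for (size_t i = 0; i < NREQ; i++) {
        const struct clone_req *r = &requests[i];
        if (range_ok_checked(r->off, r->len, SRC_SIZE) !=
            range_ok_wraptest(r->off, r->len, SRC_SIZE))
            return false;
    }
    return true;
}

int main(void)
{
    for (size_t i = 0; i < NREQ; i++) {
        const struct clone_req *r = &requests[i];
        printf("%-32s naive=%d checked=%d\n", r->note,
               range_ok_naive(r->off, r->len, SRC_SIZE),
               range_ok_checked(r->off, r->len, SRC_SIZE));
    }
    printf("accepted only by naive check: %d\n", count_naive_only_accepts());
    printf("safe forms agree: %d\n", safe_forms_agree());
    return 0;
}
```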